Struct Win32KernelBuilder

pub struct Win32KernelBuilder<T, TK, VK> { /* private fields */ }

Builder for a Windows Kernel structure.

This builder encapsulates the entire setup process for a Windows target and makes sure the user gets a properly initialized object at the end.

It is a high-level abstraction over the individual steps of initializing a Windows target:

  • Scanning for the ntoskrnl and retrieving the Win32KernelInfo struct.
  • Retrieving the Offsets for the target Windows version.
  • Creating a struct which implements VirtualTranslate2 for virtual to physical address translations.
  • Optionally wrapping the Connector or the VirtualTranslate2 object into a cached object.
  • Initialization of the Kernel structure itself.

Examples

Using the builder with default values:

use memflow::mem::PhysicalMemory;
use memflow_win32::win32::Win32Kernel;

fn test<T: 'static + PhysicalMemory + Clone>(connector: T) {
    let _kernel = Win32Kernel::builder(connector)
        .build()
        .unwrap();
}

Using the builder with default cache configurations:

use memflow::mem::PhysicalMemory;
use memflow_win32::win32::Win32Kernel;

fn test<T: 'static + PhysicalMemory + Clone>(connector: T) {
    let _kernel = Win32Kernel::builder(connector)
        .build_default_caches()
        .build()
        .unwrap();
}

Customizing the caches:

use memflow::mem::{PhysicalMemory, CachedPhysicalMemory, CachedVirtualTranslate};
use memflow_win32::win32::Win32Kernel;

fn test<T: 'static + PhysicalMemory + Clone>(connector: T) {
    let _kernel = Win32Kernel::builder(connector)
        .build_page_cache(|connector, arch| {
            CachedPhysicalMemory::builder(connector)
                .arch(arch)
                .build()
                .unwrap()
        })
        .build_vat_cache(|vat, arch| {
            CachedVirtualTranslate::builder(vat)
                .arch(arch)
                .build()
                .unwrap()
        })
        .build()
        .unwrap();
}

Remarks

Manual initialization of the above examples would look like the following:

use memflow::prelude::v1::*;
use memflow_win32::prelude::{
    Win32KernelInfo,
    Win32Offsets,
    Win32Kernel,
    offset_builder_with_kernel_info
};

fn test<T: 'static + PhysicalMemory + Clone>(mut connector: T) {
    // Use the ntoskrnl scanner to find the relevant KernelInfo (start_block, arch, dtb, ntoskrnl, etc)
    let kernel_info = Win32KernelInfo::scanner(connector.forward_mut()).scan().unwrap();
    // Download the corresponding pdb from the default symbol store
    let offsets = offset_builder_with_kernel_info(&kernel_info).build().unwrap();

    // Create a struct for doing virtual to physical memory translations
    let vat = DirectTranslate::new();

    // Create a Page Cache layer with default values
    let mut connector_cached = CachedPhysicalMemory::builder(connector)
        .arch(kernel_info.os_info.arch)
        .build()
        .unwrap();

    // Create a Tlb Cache layer with default values
    let vat_cached = CachedVirtualTranslate::builder(vat)
        .arch(kernel_info.os_info.arch)
        .build()
        .unwrap();

    // Initialize the final Kernel object
    let _kernel = Win32Kernel::new(connector_cached, vat_cached, offsets, kernel_info);
}
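The builder description and the manual initialization above stack four layers before the Kernel object exists: a connector to physical memory, a page cache over it, a virtual-to-physical translator rooted at the DTB, and a TLB cache over completed translations. The following is an added, self-contained model of that stack and is not memflow's own code: `PageCache`, `walk`, `Tlb` and `demo` are hypothetical names, the physical image and all addresses are constructed, and the two-level page-table format is a deliberate simplification of the real four-level x86-64 walk.

```rust
use std::collections::HashMap;
const PAGE: u64 = 0x1000;

// Page cache over a constructed physical image (the role CachedPhysicalMemory plays over a connector);
// `backend_reads` counts image accesses, `lookups` counts reads issued by the translator.
#[derive(Default)] pub struct PageCache { image: Vec<u8>, pages: HashMap<u64, Vec<u8>>, pub backend_reads: usize, pub lookups: usize }
impl PageCache {
    pub fn read_u64(&mut self, paddr: u64) -> u64 {
        self.lookups += 1;
        let base = paddr & !(PAGE - 1);
        if !self.pages.contains_key(&base) {
            self.backend_reads += 1; // one backend read fills the whole 4 KiB page
            self.pages.insert(base, self.image[base as usize..(base + PAGE) as usize].to_vec());
        }
        let (off, mut word) = ((paddr - base) as usize, [0u8; 8]);
        word.copy_from_slice(&self.pages[&base][off..off + 8]);
        u64::from_le_bytes(word)
    }
}

// Simplified two-level page walk rooted at the DTB (the role of DirectTranslate); real x86-64 walks four levels.
pub fn walk(cache: &mut PageCache, dtb: u64, vaddr: u64) -> Option<u64> {
    let l1 = cache.read_u64(dtb + ((vaddr >> 21) & 0x1ff) * 8);
    if l1 & 1 == 0 { return None; } // bit 0 is the present flag
    let l2 = cache.read_u64((l1 & !(PAGE - 1)) + ((vaddr >> 12) & 0x1ff) * 8);
    if l2 & 1 == 0 { return None; }
    Some((l2 & !(PAGE - 1)) | (vaddr & (PAGE - 1)))
}

// TLB-style cache of completed translations (the role of CachedVirtualTranslate).
#[derive(Default)] pub struct Tlb { entries: HashMap<u64, u64> }
impl Tlb {
    pub fn translate(&mut self, cache: &mut PageCache, dtb: u64, vaddr: u64) -> Option<u64> {
        let (vpage, off) = (vaddr & !(PAGE - 1), vaddr & (PAGE - 1));
        if let Some(&ppage) = self.entries.get(&vpage) { return Some(ppage | off); }
        let paddr = walk(cache, dtb, vaddr)?;
        self.entries.insert(vpage, paddr & !(PAGE - 1));
        Some(paddr)
    }
}

// Constructed image: DTB at 0x1000, slot 1 -> table at 0x2000, whose slot 0 maps page 0x3000.
// Returns (paddr of 0x200123, paddr of 0x200456, backend reads, translator lookups).
pub fn demo() -> (Option<u64>, Option<u64>, usize, usize) {
    let mut image = vec![0u8; 0x4000];
    image[0x1008..0x1010].copy_from_slice(&0x2001u64.to_le_bytes()); // table 0x2000, present
    image[0x2000..0x2008].copy_from_slice(&0x3001u64.to_le_bytes()); // page 0x3000, present
    let (mut cache, mut tlb) = (PageCache { image, ..Default::default() }, Tlb::default());
    let a = tlb.translate(&mut cache, 0x1000, 0x200123); // full walk: two table reads
    let b = tlb.translate(&mut cache, 0x1000, 0x200456); // same page: TLB hit, no walk
    (a, b, cache.backend_reads, cache.lookups)
}
```

The counters show the point of the two cache layers: the second translation of the same page never reaches the page tables, and each table page is fetched from the backend only once.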

Implementations

impl<T> Win32KernelBuilder<T, T, DirectTranslate>
where T: PhysicalMemory,

pub fn new(connector: T) -> Win32KernelBuilder<T, T, DirectTranslate>

impl<'a, T, TK, VK> Win32KernelBuilder<T, TK, VK>
where T: PhysicalMemory, TK: 'static + PhysicalMemory + Clone, VK: 'static + VirtualTranslate2 + Clone,

pub fn build(self) -> Result<Win32Kernel<TK, VK>>

pub fn arch(self, arch: ArchitectureIdent) -> Self

pub fn kernel_hint(self, kernel_hint: Address) -> Self

pub fn dtb(self, dtb: Address) -> Self

pub fn symbol_store(self, symbol_store: SymbolStore) -> Self

Configures the symbol store to be used when constructing the Kernel. This overrides the default symbol store that is used when no other setting is configured.

Examples

use memflow::mem::PhysicalMemory;
use memflow_win32::prelude::{Win32Kernel, SymbolStore};

fn test<T: 'static + PhysicalMemory + Clone>(connector: T) {
    let _kernel = Win32Kernel::builder(connector)
        .symbol_store(SymbolStore::new().no_cache())
        .build()
        .unwrap();
}

pub fn no_symbol_store(self) -> Self

Disables the symbol store when constructing the Kernel. By default the default symbol store is used when constructing a kernel; this option disables the symbol store altogether and falls back to the built-in offsets table.

Examples

use memflow::mem::PhysicalMemory;
use memflow_win32::win32::Win32Kernel;

fn test<T: 'static + PhysicalMemory + Clone>(connector: T) {
    let _kernel = Win32Kernel::builder(connector)
        .no_symbol_store()
        .build()
        .unwrap();
}

pub fn build_default_caches(
    self,
) -> Win32KernelBuilder<T, CachedPhysicalMemory<'a, T, DefaultCacheValidator>, CachedVirtualTranslate<DirectTranslate, DefaultCacheValidator>>

Creates the Kernel structure with default caching enabled.

If this option is specified, the Kernel structure is generated with a page-level cache using default settings, and a VAT cache is set up on top of the page-level cache.

Examples

use memflow::mem::PhysicalMemory;
use memflow_win32::win32::Win32Kernel;

fn test<T: 'static + PhysicalMemory + Clone>(connector: T) {
    let _kernel = Win32Kernel::builder(connector)
        .build_default_caches()
        .build()
        .unwrap();
}

pub fn build_page_cache<TKN, F: FnOnce(T, ArchitectureIdent) -> TKN + 'static>(
    self,
    func: F,
) -> Win32KernelBuilder<T, TKN, VK>
where TKN: PhysicalMemory,

Creates a Kernel structure by constructing the page cache from the given closure.

This function accepts a FnOnce closure that is evaluated once ntoskrnl has been found.

Examples

use memflow::mem::{PhysicalMemory, CachedPhysicalMemory};
use memflow_win32::win32::Win32Kernel;

fn test<T: 'static + PhysicalMemory + Clone>(connector: T) {
    let _kernel = Win32Kernel::builder(connector)
        .build_page_cache(|connector, arch| {
            CachedPhysicalMemory::builder(connector)
                .arch(arch)
                .build()
                .unwrap()
        })
        .build()
        .unwrap();
}

pub fn build_vat_cache<VKN, F: FnOnce(DirectTranslate, ArchitectureIdent) -> VKN + 'static>(
    self,
    func: F,
) -> Win32KernelBuilder<T, TK, VKN>
where VKN: VirtualTranslate2,

Creates a Kernel structure by constructing the vat cache from the given closure.

This function accepts a FnOnce closure that is evaluated once ntoskrnl has been found.

Examples

use memflow::mem::{PhysicalMemory, CachedVirtualTranslate};
use memflow_win32::win32::Win32Kernel;

fn test<T: 'static + PhysicalMemory + Clone>(connector: T) {
    let _kernel = Win32Kernel::builder(connector)
        .build_vat_cache(|vat, arch| {
            CachedVirtualTranslate::builder(vat)
                .arch(arch)
                .build()
                .unwrap()
        })
        .build()
        .unwrap();
}

Auto Trait Implementations

impl<T, TK, VK> Freeze for Win32KernelBuilder<T, TK, VK>
where T: Freeze,

impl<T, TK, VK> !RefUnwindSafe for Win32KernelBuilder<T, TK, VK>

impl<T, TK, VK> !Send for Win32KernelBuilder<T, TK, VK>

impl<T, TK, VK> !Sync for Win32KernelBuilder<T, TK, VK>

impl<T, TK, VK> Unpin for Win32KernelBuilder<T, TK, VK>
where T: Unpin,

impl<T, TK, VK> !UnwindSafe for Win32KernelBuilder<T, TK, VK>

Blanket Implementations

impl<T> Any for T
where T: 'static + ?Sized,

fn type_id(&self) -> TypeId

Gets the TypeId of self.

impl<T> Borrow<T> for T
where T: ?Sized,

fn borrow(&self) -> &T

Immutably borrows from an owned value.

impl<T> BorrowMut<T> for T
where T: ?Sized,

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value.

impl<T> From<T> for T

fn from(t: T) -> T

Returns the argument unchanged.

impl<T, F> From2<T> for F
where T: Into<F>,

fn from2(other: T) -> F

impl<T> GetWithMetadata for T

type ForSelf = WithMetadata_<T, T>

This is always WithMetadata_<Self, Self>.

impl<T, U> Into<U> for T
where U: From<T>,

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<T> IntoEither for T

fn into_either(self, into_left: bool) -> Either<Self, Self>

Converts self into a Left variant of Either<Self, Self> if into_left is true. Converts self into a Right variant of Either<Self, Self> otherwise.

fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
where F: FnOnce(&Self) -> bool,

Converts self into a Left variant of Either<Self, Self> if into_left(&self) returns true. Converts self into a Right variant of Either<Self, Self> otherwise.
impl<S> ROExtAcc for S

fn f_get<F>(&self, offset: FieldOffset<S, F, Aligned>) -> &F

Gets a reference to a field, determined by offset.

fn f_get_mut<F>(&mut self, offset: FieldOffset<S, F, Aligned>) -> &mut F

Gets a mutable reference to a field, determined by offset.

fn f_get_ptr<F, A>(&self, offset: FieldOffset<S, F, A>) -> *const F

Gets a const pointer to a field, determined by offset.

fn f_get_mut_ptr<F, A>(&mut self, offset: FieldOffset<S, F, A>) -> *mut F

Gets a mutable pointer to a field, determined by offset.

impl<S> ROExtOps<Aligned> for S

fn f_replace<F>(&mut self, offset: FieldOffset<S, F, Aligned>, value: F) -> F

Replaces a field (determined by offset) with value, returning the previous value of the field.

fn f_swap<F>(&mut self, offset: FieldOffset<S, F, Aligned>, right: &mut S)

Swaps a field (determined by offset) with the same field in right.

fn f_get_copy<F>(&self, offset: FieldOffset<S, F, Aligned>) -> F
where F: Copy,

Gets a copy of a field (determined by offset).

impl<S> ROExtOps<Unaligned> for S

fn f_replace<F>(&mut self, offset: FieldOffset<S, F, Unaligned>, value: F) -> F

Replaces a field (determined by offset) with value, returning the previous value of the field.

fn f_swap<F>(&mut self, offset: FieldOffset<S, F, Unaligned>, right: &mut S)

Swaps a field (determined by offset) with the same field in right.

fn f_get_copy<F>(&self, offset: FieldOffset<S, F, Unaligned>) -> F
where F: Copy,

Gets a copy of a field (determined by offset).
impl<T> SelfOps for T
where T: ?Sized,

fn eq_id(&self, other: &Self) -> bool

Compares the address of self with the address of other.

fn piped<F, U>(self, f: F) -> U
where F: FnOnce(Self) -> U, Self: Sized,

Emulates the pipeline operator, allowing method syntax in more places.

fn piped_ref<'a, F, U>(&'a self, f: F) -> U
where F: FnOnce(&'a Self) -> U,

The same as piped, except that the function takes &Self. Useful for functions that take &Self instead of Self.

fn piped_mut<'a, F, U>(&'a mut self, f: F) -> U
where F: FnOnce(&'a mut Self) -> U,

The same as piped, except that the function takes &mut Self. Useful for functions that take &mut Self instead of Self.

fn mutated<F>(self, f: F) -> Self
where F: FnOnce(&mut Self), Self: Sized,

Mutates self using a closure taking self by mutable reference, passing it along the method chain.

fn observe<F>(self, f: F) -> Self
where F: FnOnce(&Self), Self: Sized,

Observes the value of self, passing it along unmodified. Useful in long method chains.

fn into_<T>(self) -> T
where Self: Into<T>,

Performs a conversion with Into, using the turbofish .into_::<_>() syntax.

fn as_ref_<T>(&self) -> &T
where Self: AsRef<T>, T: ?Sized,

Performs a reference to reference conversion with AsRef, using the turbofish .as_ref_::<_>() syntax.

fn as_mut_<T>(&mut self) -> &mut T
where Self: AsMut<T>, T: ?Sized,

Performs a mutable reference to mutable reference conversion with AsMut, using the turbofish .as_mut_::<_>() syntax.

fn drop_(self)
where Self: Sized,

Drops self using method notation. Alternative to std::mem::drop.
impl<This> TransmuteElement for This
where This: ?Sized,

unsafe fn transmute_element<T>(self) -> Self::TransmutedPtr
where Self: CanTransmuteElement<T>,

Transmutes the element type of this pointer.

impl<T, U> TryFrom<U> for T
where U: Into<T>,

type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.

impl<T> TypeIdentity for T
where T: ?Sized,

type Type = T

This is always Self.

fn into_type(self) -> Self::Type
where Self: Sized, Self::Type: Sized,

Converts a value back to the original type.

fn as_type(&self) -> &Self::Type

Converts a reference back to the original type.

fn as_type_mut(&mut self) -> &mut Self::Type

Converts a mutable reference back to the original type.

fn into_type_box(self: Box<Self>) -> Box<Self::Type>

Converts a box back to the original type.

fn into_type_arc(this: Arc<Self>) -> Arc<Self::Type>

Converts an Arc back to the original type.

fn into_type_rc(this: Rc<Self>) -> Rc<Self::Type>

Converts an Rc back to the original type.

fn from_type(this: Self::Type) -> Self
where Self: Sized, Self::Type: Sized,

Converts a value back to the original type.

fn from_type_ref(this: &Self::Type) -> &Self

Converts a reference back to the original type.

fn from_type_mut(this: &mut Self::Type) -> &mut Self

Converts a mutable reference back to the original type.

fn from_type_box(this: Box<Self::Type>) -> Box<Self>

Converts a box back to the original type.

fn from_type_arc(this: Arc<Self::Type>) -> Arc<Self>

Converts an Arc back to the original type.

fn from_type_rc(this: Rc<Self::Type>) -> Rc<Self>

Converts an Rc back to the original type.

impl<T> ErasedDestructor for T
where T: 'static,