Struct VmiOsState

pub struct VmiOsState<'a, Driver, Os>(/* private fields */)
where
    Driver: VmiDriver,
    Os: VmiOs<Driver>;

Wrapper providing access to OS-specific operations.

Implementations

impl<'a, Driver, Os> VmiOsState<'a, Driver, Os>

where Driver: VmiDriver, Os: VmiOs<Driver>,

pub fn core(&self) -> &'a VmiCore<Driver>

Returns the VMI core.

pub fn underlying_os(&self) -> &'a Os

Returns the underlying OS-specific implementation.

pub fn session(&self) -> &VmiSession<'a, Driver, Os>

Returns the VMI session.

pub fn state(&self) -> VmiState<'a, Driver, Os>

Returns the VMI state.

pub fn registers(&self) -> &<Driver::Architecture as Architecture>::Registers

Returns the CPU registers associated with the current event.

pub fn function_argument_for_registers( &self, registers: &<Driver::Architecture as Architecture>::Registers, index: u64, ) -> Result<u64, VmiError>

Retrieves a specific function argument according to the calling convention of the operating system.

pub fn function_return_value_for_registers( &self, registers: &<Driver::Architecture as Architecture>::Registers, ) -> Result<u64, VmiError>

Retrieves the return value of a function.

impl<'__vmi, Driver, Os> VmiOsState<'__vmi, Driver, Os>

where Driver: VmiDriver, Os: VmiOs<Driver>,

pub fn kernel_image_base(&self) -> Result<Va, VmiError>

Retrieves the base address of the kernel image.

The kernel image base address is usually found using some special CPU register - for example, a register that contains the address of the system call handler. Such register is set by the operating system during boot and is left unchanged (unless some rootkits are involved).

Therefore, this function can accept the CPU registers from any point of the VM execution (except for the early boot stage).

For catching the exact moment when the kernel image base address is set, you can monitor the MSR_LSTAR register (on AMD64) for writes.

Architecture-specific

• AMD64: The kernel image base address is usually found using the MSR_LSTAR register.

Notes

A malicious code (such as a rootkit) could modify values of the registers, so the returned value might not be accurate.

pub fn kernel_information_string(&self) -> Result<String, VmiError>

Retrieves an implementation-specific string containing kernel information.

Platform-specific

• Windows: Retrieves the NtBuildLab string from the kernel image.
• Linux: Retrieves the linux_banner string from the kernel image.

pub fn kpti_enabled(&self) -> Result<bool, VmiError>

Checks if Kernel Page Table Isolation (KPTI) is enabled.

Platform-specific

• Windows: Retrieves the KiKvaShadow global variable, if it exists.

pub fn modules<'a>( &self, ) -> Result<impl Iterator<Item = Result<Os::Module<'a>, VmiError>> + 'a, VmiError>

where '__vmi: 'a,

Returns an iterator over the loaded kernel modules.

Platform-specific

• Windows: Retrieves information from the PsLoadedModuleList.
• Linux: Retrieves information from the modules list.

pub fn processes<'a>( &self, ) -> Result<impl Iterator<Item = Result<Os::Process<'a>, VmiError>> + 'a, VmiError>

where '__vmi: 'a,

Returns an iterator over the processes.

Platform-specific

• Windows: Retrieves information from the PsActiveProcessHead list.
• Linux: Retrieves information from the tasks list.

pub fn process<'a>( &self, process: ProcessObject, ) -> Result<Os::Process<'a>, VmiError>

where '__vmi: 'a,

Returns the process corresponding to the given process object.

pub fn current_process<'a>(&self) -> Result<Os::Process<'a>, VmiError>

where '__vmi: 'a,

Returns the currently executing process.

pub fn system_process<'a>(&self) -> Result<Os::Process<'a>, VmiError>

where '__vmi: 'a,

Returns the system process object.

The system process is the first process created by the kernel.

Platform-specific

• Windows: Retrieves the PsInitialSystemProcess global variable.
• Linux: Retrieves the init_task global variable.

pub fn thread<'a>( &self, thread: ThreadObject, ) -> Result<Os::Thread<'a>, VmiError>

where '__vmi: 'a,

Returns the thread corresponding to the given thread object.

pub fn current_thread<'a>(&self) -> Result<Os::Thread<'a>, VmiError>

where '__vmi: 'a,

Returns the currently executing thread.

pub fn image<'a>(&self, image_base: Va) -> Result<Os::Image<'a>, VmiError>

where '__vmi: 'a,

Returns the image corresponding to the given base address.

pub fn module<'a>(&self, module: Va) -> Result<Os::Module<'a>, VmiError>

where '__vmi: 'a,

Returns the kernel module corresponding to the given base address.

pub fn region<'a>(&self, region: Va) -> Result<Os::Region<'a>, VmiError>

where '__vmi: 'a,

Returns the memory region corresponding to the given address.

Platform-specific

• Windows: The region is represented by the _MMVAD structure.
• Linux: The region is represented by the vm_area_struct structure.

pub fn syscall_argument(&self, index: u64) -> Result<u64, VmiError>

Retrieves a specific syscall argument according to the system call ABI.

This function assumes that it is called in the prologue of the system call handler, i.e., the instruction pointer is pointing to the first instruction of the function.

pub fn function_argument(&self, index: u64) -> Result<u64, VmiError>

Retrieves a specific function argument according to the calling convention of the operating system.

This function assumes that it is called in the function prologue, i.e., the instruction pointer is pointing to the first instruction of the function.

Platform-specific

• Windows: Assumes that the function is using the stdcall calling convention.

pub fn function_return_value(&self) -> Result<u64, VmiError>

Retrieves the return value of a function.

This function assumes that it is called immediately after the function returns.

pub fn last_error(&self) -> Result<Option<u32>, VmiError>

Retrieves the last error value.

Platform-specific

• Windows: Retrieves the value of the NtCurrentTeb()->LastErrorValue field.
  • See also: WindowsOs::last_status()