Struct LinuxOs

pub struct LinuxOs<Driver>
where Driver: VmiDriver,
{ /* private fields */ }

VMI operations for the Linux operating system.

LinuxOs provides methods and utilities for introspecting a Linux-based virtual machine. It encapsulates Linux-specific knowledge and operations, allowing for high-level interactions with the guest OS structures and processes.

Implementations

impl<Driver> LinuxOs<Driver>
where Driver: VmiDriver, Driver::Architecture: Architecture + ArchAdapter<Driver>,

pub fn new(profile: &Profile<'_>) -> Result<Self, VmiError>

Creates a new LinuxOs instance.

pub fn find_banner(vmi: &VmiCore<Driver>, registers: &<Driver::Architecture as Architecture>::Registers) -> Result<Option<String>, VmiError>

Locates and retrieves the Linux banner string from kernel memory.

The banner string typically contains kernel version information and build details.

pub fn kaslr_offset(vmi: VmiState<'_, Driver, Self>) -> Result<u64, VmiError>

Returns the KASLR (Kernel Address Space Layout Randomization) offset.

This value represents the randomized offset applied to the kernel’s base address when KASLR is enabled.
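
The banner lookup and the KASLR offset fit together: once the banner is found at runtime, subtracting its address in the symbol profile gives the slide. The following is an added example, not the crate's implementation; `scan_banner`, `kaslr_slide`, the memory dump, the profile address and the 2 MiB alignment check (the usual x86_64 default) are all assumptions made for illustration.

```rust
const MARKER: &[u8] = b"Linux version ";
const PROFILE_BANNER: u64 = 0xffff_ffff_8200_0040; // constructed profile address of linux_banner
const SLIDE: u64 = 0x1a60_0000; // constructed slide, a multiple of 2 MiB

/// Scans `mem` (mapped at guest virtual address `base`) for the banner.
/// Returns its address and text; candidates with non-printable bytes
/// before the terminating newline are treated as false positives.
fn scan_banner(mem: &[u8], base: u64) -> Option<(u64, String)> {
    let mut start = 0;
    while let Some(pos) = mem[start..].windows(MARKER.len()).position(|w| w == MARKER) {
        let at = start + pos;
        let tail = &mem[at..];
        if let Some(end) = tail.iter().take(512).position(|&b| b == b'\n') {
            let text = &tail[..end];
            if text.iter().all(|b| b.is_ascii_graphic() || *b == b' ') {
                return Some((base + at as u64, String::from_utf8_lossy(text).into_owned()));
            }
        }
        start = at + 1; // keep scanning past the rejected candidate
    }
    None
}

/// Slide = runtime address - profile address. Rejects a runtime address below
/// the profile address or a slide that is not 2 MiB aligned (assumed alignment).
fn kaslr_slide(runtime: u64, profile: u64) -> Option<u64> {
    let slide = runtime.checked_sub(profile)?;
    (slide % 0x20_0000 == 0).then_some(slide)
}

/// Constructed dump: padding, a decoy string, then a plausible banner.
fn sample_dump() -> (Vec<u8>, u64) {
    let mut mem = vec![0u8; 32];
    mem.extend_from_slice(b"Linux version \x01\x02 not a banner\n");
    let real_at = mem.len() as u64;
    mem.extend_from_slice(b"Linux version 6.1.0-test (builder@host) #1 SMP\n\0");
    (mem, PROFILE_BANNER + SLIDE - real_at)
}

fn main() {
    let (mem, base) = sample_dump();
    let (va, text) = scan_banner(&mem, base).expect("banner not found");
    println!("{va:#x}: {text}");
    println!("slide: {:#x?}", kaslr_slide(va, PROFILE_BANNER));
}
```

A slide that fails the alignment check usually means the profile does not match the running kernel, which is worth surfacing before any other symbol is resolved with it.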

pub fn per_cpu(vmi: VmiState<'_, Driver, Self>) -> Va

Retrieves the per-CPU base address for the current CPU.

Linux maintains per-CPU data structures, and this method returns the base address for accessing such data on the current processor.

pub fn linked_list<'a>(vmi: VmiState<'a, Driver, Self>, list_head: Va, offset: u64) -> Result<impl Iterator<Item = Result<Va, VmiError>> + 'a, VmiError>

Returns an iterator over a doubly-linked list of LIST_ENTRY structures.

This method is used to iterate over a doubly-linked list of LIST_ENTRY structures in memory. It returns an iterator that yields the virtual addresses of each LIST_ENTRY structure in the list.
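
The role of the `list_head` and `offset` parameters is easiest to see in a walk over a circular list whose nodes store `next` as their first field (the layout of Linux's `struct list_head`). This is an added example that runs against a constructed in-memory map rather than a guest, and it is not the crate's code; `MockGuest`, `walk_list` and the `max_nodes` bound are assumptions for illustration.

```rust
use std::collections::{HashMap, HashSet};

/// Constructed stand-in for guest memory: address -> 8-byte value stored there.
struct MockGuest(HashMap<u64, u64>);

impl MockGuest {
    fn read_u64(&self, va: u64) -> Result<u64, String> {
        self.0.get(&va).copied().ok_or_else(|| format!("unmapped read at {va:#x}"))
    }
}

/// Follows `next` pointers from `list_head` until the walk returns to it and
/// collects `node - offset` for each node, i.e. the containing object.
/// The guest controls this memory, so a revisited node or more than
/// `max_nodes` entries ends the walk with an error instead of looping.
fn walk_list(g: &MockGuest, list_head: u64, offset: u64, max_nodes: usize) -> Result<Vec<u64>, String> {
    let mut seen = HashSet::new();
    let mut objects = Vec::new();
    let mut node = g.read_u64(list_head)?; // `next` is the first field
    while node != list_head {
        if !seen.insert(node) {
            return Err(format!("cycle detected at {node:#x}"));
        }
        if objects.len() >= max_nodes {
            return Err("node limit exceeded".to_string());
        }
        objects.push(node.checked_sub(offset).ok_or("offset underflow")?);
        node = g.read_u64(node)?;
    }
    Ok(objects)
}

/// Constructed list: head at 0x1000, two objects at 0x2000 and 0x3000 whose
/// link field sits at offset 0x10. `last_next` is the final node's `next`.
fn sample_guest(last_next: u64) -> MockGuest {
    MockGuest(HashMap::from([(0x1000, 0x2010), (0x2010, 0x3010), (0x3010, last_next)]))
}

fn main() {
    println!("{:x?}", walk_list(&sample_guest(0x1000), 0x1000, 0x10, 64)); // intact list
    println!("{:x?}", walk_list(&sample_guest(0x2010), 0x1000, 0x10, 64)); // corrupted link
}
```

Treating a cycle that bypasses the head as an error matters for introspection tooling: a tampered list should produce a finding, not a hung monitor.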

pub fn construct_path(_vmi: VmiState<'_, Driver, Self>, path: &LinuxPath<'_, Driver>, root: &LinuxPath<'_, Driver>) -> Result<String, VmiError>

Constructs a file path string from path components in the kernel.

This method walks the dentry chain to build a complete path, handling mount points and filesystem boundaries appropriately. Both the path and root arguments should be pointers to struct path objects.
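
The dentry walk and the effect of the `root` argument can be shown on a small model. This is an added example, not the crate's code: `Dentry`, `Mount`, `PathRef` and `build_path` are hypothetical stand-ins that use array indices where the kernel uses pointers, and the two-filesystem layout is constructed.

```rust
/// Constructed stand-ins for kernel objects; indices play the role of pointers.
struct Dentry { name: &'static str, parent: usize }
struct Mount { root: usize, parent: usize, mountpoint: usize }
#[derive(Clone, Copy, PartialEq)]
struct PathRef { mnt: usize, dentry: usize } // mirrors the (mnt, dentry) pair of struct path

/// Walks from `path` up to `root`, crossing into the parent mount whenever
/// the root dentry of the current mount is reached.
fn build_path(d: &[Dentry], m: &[Mount], path: PathRef, root: PathRef) -> Result<String, String> {
    let mut cur = path;
    let mut parts: Vec<&str> = Vec::new();
    for _ in 0..4096 { // bound the walk: guest structures may be corrupted
        let mnt = m.get(cur.mnt).ok_or("bad mount reference")?;
        if cur == root || (cur.dentry == mnt.root && mnt.parent == cur.mnt) {
            let joined: String = parts.iter().rev().map(|p| format!("/{p}")).collect();
            return Ok(if joined.is_empty() { "/".to_string() } else { joined });
        }
        if cur.dentry == mnt.root {
            cur = PathRef { mnt: mnt.parent, dentry: mnt.mountpoint }; // cross the mount point
            continue;
        }
        let dentry = d.get(cur.dentry).ok_or("bad dentry reference")?;
        parts.push(dentry.name);
        cur.dentry = dentry.parent;
    }
    Err("path walk exceeded 4096 steps".to_string())
}

fn sample() -> (Vec<Dentry>, Vec<Mount>) {
    let d = vec![
        Dentry { name: "/", parent: 0 },         // 0: root of the first filesystem
        Dentry { name: "home", parent: 0 },      // 1: mount point of mount 1
        Dentry { name: "/", parent: 2 },         // 2: root of the second filesystem
        Dentry { name: "alice", parent: 2 },     // 3
        Dentry { name: "notes.txt", parent: 3 }, // 4
    ];
    // Mount 0 is the top-level mount; mount 1 is mounted on /home.
    let m = vec![Mount { root: 0, parent: 0, mountpoint: 0 }, Mount { root: 2, parent: 0, mountpoint: 1 }];
    (d, m)
}

fn main() {
    let (d, m) = sample();
    let file = PathRef { mnt: 1, dentry: 4 };
    println!("{:?}", build_path(&d, &m, file, PathRef { mnt: 0, dentry: 0 })); // global root
    println!("{:?}", build_path(&d, &m, file, PathRef { mnt: 1, dentry: 2 })); // root at mount 1
}
```

The same file resolves to different strings depending on `root`, so a monitor that logs paths should record which root it resolved against.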

Trait Implementations

impl<Driver> VmiOs<Driver> for LinuxOs<Driver>
where Driver: VmiDriver, Driver::Architecture: Architecture + ArchAdapter<Driver>,

type Process<'a> = LinuxTaskStruct<'a, Driver>

The process type.

type Thread<'a> = LinuxThread

The thread type.

type Image<'a> = LinuxImage

The image type.

type Module<'a> = LinuxModule

The kernel module type.

type Region<'a> = LinuxVmAreaStruct<'a, Driver>

The memory region type.

type Mapped<'a> = LinuxMapped

The memory mapped region type.

fn kernel_image_base(_vmi: VmiState<'_, Driver, Self>) -> Result<Va, VmiError>

Retrieves the base address of the kernel image.

fn kernel_information_string(_vmi: VmiState<'_, Driver, Self>) -> Result<String, VmiError>

Retrieves an implementation-specific string containing kernel information.

fn kpti_enabled(_vmi: VmiState<'_, Driver, Self>) -> Result<bool, VmiError>

Checks if Kernel Page Table Isolation (KPTI) is enabled.

fn modules(_vmi: VmiState<'_, Driver, Self>) -> Result<impl Iterator<Item = Result<Self::Module<'_>, VmiError>> + '_, VmiError>

Returns an iterator over the loaded kernel modules.

fn processes(vmi: VmiState<'_, Driver, Self>) -> Result<impl Iterator<Item = Result<Self::Process<'_>, VmiError>> + '_, VmiError>

Returns an iterator over the processes.

fn process(vmi: VmiState<'_, Driver, Self>, process: ProcessObject) -> Result<Self::Process<'_>, VmiError>

Returns the process corresponding to the given process object.

fn current_process(vmi: VmiState<'_, Driver, Self>) -> Result<Self::Process<'_>, VmiError>

Returns the currently executing process.

fn system_process(vmi: VmiState<'_, Driver, Self>) -> Result<Self::Process<'_>, VmiError>

Returns the system process object.

fn thread(_vmi: VmiState<'_, Driver, Self>, _thread: ThreadObject) -> Result<Self::Thread<'_>, VmiError>

Returns the thread corresponding to the given thread object.

fn current_thread(_vmi: VmiState<'_, Driver, Self>) -> Result<Self::Thread<'_>, VmiError>

Returns the currently executing thread.

fn image(_vmi: VmiState<'_, Driver, Self>, _image_base: Va) -> Result<Self::Image<'_>, VmiError>

Returns the image corresponding to the given base address.

fn module(_vmi: VmiState<'_, Driver, Self>, _module: Va) -> Result<Self::Module<'_>, VmiError>

Returns the kernel module corresponding to the given base address.

fn region(vmi: VmiState<'_, Driver, Self>, region: Va) -> Result<Self::Region<'_>, VmiError>

Returns the memory region corresponding to the given address.

fn syscall_argument(vmi: VmiState<'_, Driver, Self>, index: u64) -> Result<u64, VmiError>

Retrieves a specific syscall argument according to the system call ABI.

fn function_argument(vmi: VmiState<'_, Driver, Self>, index: u64) -> Result<u64, VmiError>

Retrieves a specific function argument according to the calling convention of the operating system.

fn function_return_value(vmi: VmiState<'_, Driver, Self>) -> Result<u64, VmiError>

Retrieves the return value of a function.

fn last_error(_vmi: VmiState<'_, Driver, Self>) -> Result<Option<u32>, VmiError>

Retrieves the last error value.

Auto Trait Implementations

impl<Driver> !Freeze for LinuxOs<Driver>

impl<Driver> !RefUnwindSafe for LinuxOs<Driver>

impl<Driver> Send for LinuxOs<Driver>
where Driver: Send,

impl<Driver> !Sync for LinuxOs<Driver>

impl<Driver> Unpin for LinuxOs<Driver>
where Driver: Unpin,

impl<Driver> UnwindSafe for LinuxOs<Driver>
where Driver: UnwindSafe,

Blanket Implementations

impl<T> Any for T
where T: 'static + ?Sized,

fn type_id(&self) -> TypeId

Gets the TypeId of self.

impl<T> Borrow<T> for T
where T: ?Sized,

fn borrow(&self) -> &T

Immutably borrows from an owned value.

impl<T> BorrowMut<T> for T
where T: ?Sized,

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value.

impl<T> From<T> for T

fn from(t: T) -> T

Returns the argument unchanged.

impl<T> Instrument for T

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper.

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper.

impl<T, U> Into<U> for T
where U: From<T>,

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<T, U> TryFrom<U> for T
where U: Into<T>,

type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.

impl<T> WithSubscriber for T

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper.

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper.