Struct WindowsProcess

pub struct WindowsProcess<'a, Driver>
where Driver: VmiDriver, Driver::Architecture: Architecture + ArchAdapter<Driver>,
{ /* private fields */ }

A Windows process.

A process in Windows is represented by the _EPROCESS structure, which contains metadata about its execution state, memory layout, and handles.

Implementation Details

Corresponds to _EPROCESS.

Implementations

impl<'a, Driver> WindowsProcess<'a, Driver>
where Driver: VmiDriver, Driver::Architecture: Architecture + ArchAdapter<Driver>,

pub fn new( vmi: VmiState<'a, Driver, WindowsOs<Driver>>, process: ProcessObject, ) -> Self

Creates a new Windows process.

pub fn peb(&self) -> Result<Option<WindowsPeb<'a, Driver>>, VmiError>

Returns the process environment block (PEB). A process without a PEB, such as the System process, yields None.

Implementation Details

The function first reads _EPROCESS.WoW64Process to determine whether the process is a 32-bit (WoW64) process. If the field is NULL, the process is 64-bit and the PEB is _EPROCESS.Peb. Otherwise the function reads _EWOW64PROCESS.Peb to get the 32-bit PEB. Note that a WoW64 process also has a native 64-bit PEB at _EPROCESS.Peb; for such a process this method returns the 32-bit one, which is the PEB whose loader data describes the 32-bit image.

pub fn session(&self) -> Result<Option<WindowsSession<'a, Driver>>, VmiError>

Returns the session of the process.

pub fn handle_table( &self, ) -> Result<Option<WindowsHandleTable<'a, Driver>>, VmiError>

Returns the handle table of the process.

Implementation Details

Corresponds to _EPROCESS.ObjectTable.

pub fn vad_root(&self) -> Result<Option<WindowsRegion<'a, Driver>>, VmiError>

Returns the root of the virtual address descriptor (VAD) tree.

Implementation Details

Corresponds to _EPROCESS.VadRoot->BalancedRoot for Windows 7, where VadRoot is an _MM_AVL_TABLE, and to _EPROCESS.VadRoot->Root for Windows 8.1 and later, where it is an _RTL_AVL_TREE.

pub fn vad_hint(&self) -> Result<Option<WindowsRegion<'a, Driver>>, VmiError>

Returns the VAD hint node.

The VAD hint is an optimization Windows uses to speed up VAD lookups: the memory manager remembers the most recently located node and checks it before descending the tree. This method returns that node as a WindowsRegion.

Implementation Details

Corresponds to _EPROCESS.VadRoot->NodeHint for Windows 7 and _EPROCESS.VadHint for Windows 8.1 and later.

Trait Implementations

impl<'a, Driver> From<WindowsProcess<'a, Driver>> for WindowsObject<'a, Driver>
where Driver: VmiDriver, Driver::Architecture: Architecture + ArchAdapter<Driver>,

fn from(value: WindowsProcess<'a, Driver>) -> Self

Converts to this type from the input type.

impl<'a, Driver> VmiOsProcess<'a, Driver> for WindowsProcess<'a, Driver>
where Driver: VmiDriver, Driver::Architecture: Architecture + ArchAdapter<Driver>,

fn id(&self) -> Result<ProcessId, VmiError>

Returns the process ID.

Implementation Details

Corresponds to _EPROCESS.UniqueProcessId.

fn object(&self) -> Result<ProcessObject, VmiError>

Returns the process object.

fn name(&self) -> Result<String, VmiError>

Returns the name of the process.

Implementation Details

Corresponds to _EPROCESS.ImageFileName.

fn parent_id(&self) -> Result<ProcessId, VmiError>

Returns the parent process ID.

Implementation Details

Corresponds to _EPROCESS.InheritedFromUniqueProcessId.

fn architecture(&self) -> Result<VmiOsImageArchitecture, VmiError>

Returns the architecture of the process.

Implementation Details

The function reads _EPROCESS.WoW64Process to determine whether the process is a 32-bit process. If the field is NULL, the process is 64-bit; otherwise it is a 32-bit (WoW64) process.
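
The WoW64Process check that both peb() and architecture() build on, as an added example that is not code from the vmi crate or from this page. It reads a constructed _EPROCESS snapshot through a hypothetical GuestMem reader; the _EPROCESS and _EWOW64PROCESS field offsets are assumptions chosen for that snapshot (real offsets come from the guest build's symbols), while the _PEB/_PEB32 ImageBaseAddress offsets are the real ones. Beyond what the text states, it shows why the distinction matters downstream: a WoW64 process has two PEBs, and the 32-bit one has to be read with 32-bit field offsets and pointer widths.

```rust
use std::collections::HashMap;

/// Errors mirror the shape of the crate's Result<Option<_>, VmiError>.
#[derive(Debug, PartialEq, Eq)]
struct PageFault(u64);

/// Constructed stand-in for a guest-memory reader: a sparse VA -> qword map.
/// Anything not present in the map reads as a page fault.
struct GuestMem(HashMap<u64, u64>);

impl GuestMem {
    fn read_u64(&self, va: u64) -> Result<u64, PageFault> {
        self.0.get(&va).copied().ok_or(PageFault(va))
    }
    /// 32-bit values are read out of the qword that contains them.
    fn read_u32(&self, va: u64) -> Result<u32, PageFault> {
        let base = va & !7;
        Ok((self.read_u64(base)? >> ((va - base) * 8)) as u32)
    }
}

// _EPROCESS / _EWOW64PROCESS offsets differ per Windows build, so these are
// assumptions for the constructed snapshot below, not real field offsets.
const EPROCESS_PEB: u64 = 0x100;          // _EPROCESS.Peb (native 64-bit _PEB)
const EPROCESS_WOW64PROCESS: u64 = 0x108; // _EPROCESS.WoW64Process
const EWOW64PROCESS_PEB: u64 = 0x0;       // _EWOW64PROCESS.Peb (the _PEB32)
// ImageBaseAddress sits at +0x10 in the 64-bit _PEB and at +0x8 in _PEB32.
const PEB64_IMAGE_BASE: u64 = 0x10;
const PEB32_IMAGE_BASE: u64 = 0x8;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
enum Arch { Amd64, X86 }

/// NULL WoW64Process means a native 64-bit process; anything else is WoW64.
fn architecture(mem: &GuestMem, eprocess: u64) -> Result<Arch, PageFault> {
    let wow = mem.read_u64(eprocess + EPROCESS_WOW64PROCESS)?;
    Ok(if wow == 0 { Arch::Amd64 } else { Arch::X86 })
}

/// The PEB matching the image bitness: _EPROCESS.Peb for 64-bit processes,
/// _EWOW64PROCESS.Peb (the _PEB32) for WoW64 ones. Ok(None) if the process
/// has no PEB at all, as the System process does not.
fn peb(mem: &GuestMem, eprocess: u64) -> Result<Option<(Arch, u64)>, PageFault> {
    let arch = architecture(mem, eprocess)?;
    let addr = match arch {
        Arch::Amd64 => mem.read_u64(eprocess + EPROCESS_PEB)?,
        Arch::X86 => {
            let wow = mem.read_u64(eprocess + EPROCESS_WOW64PROCESS)?;
            mem.read_u64(wow + EWOW64PROCESS_PEB)?
        }
    };
    Ok((addr != 0).then_some((arch, addr)))
}

/// Reads ImageBaseAddress through the PEB selected above. The _PEB32 must be
/// read with 32-bit offsets and pointer widths; applying the 64-bit layout
/// to it would return neighbouring fields instead.
fn image_base(mem: &GuestMem, eprocess: u64) -> Result<Option<u64>, PageFault> {
    let Some((arch, peb_va)) = peb(mem, eprocess)? else { return Ok(None) };
    Ok(Some(match arch {
        Arch::Amd64 => mem.read_u64(peb_va + PEB64_IMAGE_BASE)?,
        Arch::X86 => u64::from(mem.read_u32(peb_va + PEB32_IMAGE_BASE)?),
    }))
}

// Constructed snapshot: a native process, a WoW64 process and the System process.
const PROC_NATIVE: u64 = 0xffff_8000_0000_1000;
const PROC_WOW64: u64 = 0xffff_8000_0000_2000;
const PROC_SYSTEM: u64 = 0xffff_8000_0000_4000;

fn sample_snapshot() -> GuestMem {
    let mut m = HashMap::new();
    // Native 64-bit process: WoW64Process is NULL, one PEB.
    m.insert(PROC_NATIVE + EPROCESS_PEB, 0x7ff7_0000_0000);
    m.insert(PROC_NATIVE + EPROCESS_WOW64PROCESS, 0);
    m.insert(0x7ff7_0000_0000 + PEB64_IMAGE_BASE, 0x7ff7_1234_0000);
    // WoW64 process: a native PEB still exists, but the 32-bit one (below 4 GiB)
    // is reached through _EWOW64PROCESS and is what the 32-bit loader uses.
    let ewow = 0xffff_8000_0000_3000u64;
    m.insert(PROC_WOW64 + EPROCESS_PEB, 0x7ff7_0002_0000);
    m.insert(PROC_WOW64 + EPROCESS_WOW64PROCESS, ewow);
    m.insert(ewow + EWOW64PROCESS_PEB, 0x0040_0000);
    m.insert(0x7ff7_0002_0000 + PEB64_IMAGE_BASE, 0x0000_0000_0090_0000);
    m.insert(0x0040_0000 + PEB32_IMAGE_BASE, 0x0000_0000_0090_0000);
    // System process: no PEB.
    m.insert(PROC_SYSTEM + EPROCESS_PEB, 0);
    m.insert(PROC_SYSTEM + EPROCESS_WOW64PROCESS, 0);
    GuestMem(m)
}

fn main() -> Result<(), PageFault> {
    let mem = sample_snapshot();
    for p in [PROC_NATIVE, PROC_WOW64, PROC_SYSTEM] {
        println!("{p:#x}: {:?} peb={:?} image_base={:?}",
                 architecture(&mem, p)?, peb(&mem, p)?, image_base(&mem, p)?);
    }
    Ok(())
}
```

A read of a missing mapping surfaces as Err(PageFault), mirroring the Result<Option<_>, VmiError> split on this page: the Err arm is "could not read the guest", the None arm is "read fine, the process has no PEB".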

fn translation_root(&self) -> Result<Pa, VmiError>

Returns the process’s page table translation root.

Implementation Details

Corresponds to _KPROCESS.DirectoryTableBase.

fn user_translation_root(&self) -> Result<Pa, VmiError>

Returns the user-mode page table translation root.

With KVA shadowing (the Windows implementation of KPTI, the Meltdown mitigation) enabled, each process has a second page table hierarchy used while executing in user mode that maps only a minimal part of the kernel; this method returns its root. If KPTI is disabled, this function returns the same value as translation_root.

Implementation Details

Corresponds to _KPROCESS.UserDirectoryTableBase.

fn image_base(&self) -> Result<Va, VmiError>

Returns the base address of the process image.

Implementation Details

Corresponds to _EPROCESS.SectionBaseAddress.

fn regions( &self, ) -> Result<impl Iterator<Item = Result<WindowsRegion<'a, Driver>, VmiError>>, VmiError>

Returns an iterator over the process’s memory regions (VADs).

Implementation Details

The function iterates over the VAD tree of the process.

fn find_region( &self, address: Va, ) -> Result<Option<WindowsRegion<'a, Driver>>, VmiError>

Finds the memory region (VAD) containing the given address.

This method descends the VAD tree to the node whose range covers the given virtual address rather than scanning every region of the process, so its cost is proportional to the depth of the tree, not to the number of VADs.

Returns the matching VAD if found, or None if the address is not within any VAD.

Implementation Details

The functionality is similar to the Windows kernel's internal MiLocateAddress() function.
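
The VAD tree walk behind vad_root(), vad_hint(), regions() and find_region(), as an added example that is not code from the vmi crate. It uses a hypothetical GuestMem reader over a constructed tree with an assumed node layout (Left, Right, StartingVpn and EndingVpn as qwords; real _MMVAD layouts differ by build). Beyond what the text states, it shows the hint check that precedes the descent, and the two guards an introspector needs that the kernel's own MiLocateAddress() does not: a depth bound on the lookup and a visited set on the in-order traversal, because a guest can hand the introspector a tree that contains a cycle.

```rust
use std::collections::{HashMap, HashSet};

/// Errors mirror the shape of the crate's Result<Option<_>, VmiError>.
#[derive(Debug, PartialEq, Eq)]
enum VmiErr { PageFault(u64), CorruptTree(u64) }

/// Constructed stand-in for a guest-memory reader: a sparse VA -> qword map.
struct GuestMem(HashMap<u64, u64>);
impl GuestMem {
    fn read_u64(&self, va: u64) -> Result<u64, VmiErr> {
        self.0.get(&va).copied().ok_or(VmiErr::PageFault(va))
    }
}

// Node layout assumed for this example; real _MMVAD layouts vary per build.
const VAD_LEFT: u64 = 0x00;      // left child pointer (0 = none)
const VAD_RIGHT: u64 = 0x08;     // right child pointer (0 = none)
const VAD_START_VPN: u64 = 0x10; // first page of the region
const VAD_END_VPN: u64 = 0x18;   // last page of the region (inclusive)
const PAGE_SHIFT: u32 = 12;
// A balanced tree over a real address space is never this deep; deeper means a cycle.
const MAX_DEPTH: usize = 64;

/// A region with its node address and inclusive VA range.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
struct Vad { node: u64, start: u64, end: u64 }

fn read_vad(mem: &GuestMem, node: u64) -> Result<Vad, VmiErr> {
    let s = mem.read_u64(node + VAD_START_VPN)?;
    let e = mem.read_u64(node + VAD_END_VPN)?;
    Ok(Vad { node, start: s << PAGE_SHIFT, end: ((e + 1) << PAGE_SHIFT) - 1 })
}

/// MiLocateAddress()-style lookup: check the hint node first, then descend
/// from the root comparing the VPN with each node's range. Ok(None) when no
/// VAD covers `va`; Err(CorruptTree) if the descent never reaches a leaf.
fn find_region(mem: &GuestMem, root: u64, hint: u64, va: u64) -> Result<Option<Vad>, VmiErr> {
    if hint != 0 {
        let h = read_vad(mem, hint)?;
        if (h.start..=h.end).contains(&va) { return Ok(Some(h)); }
    }
    let vpn = va >> PAGE_SHIFT;
    let mut node = root;
    for _ in 0..MAX_DEPTH {
        if node == 0 { return Ok(None); }
        let v = read_vad(mem, node)?;
        node = if vpn < (v.start >> PAGE_SHIFT) {
            mem.read_u64(node + VAD_LEFT)?
        } else if vpn > (v.end >> PAGE_SHIFT) {
            mem.read_u64(node + VAD_RIGHT)?
        } else {
            return Ok(Some(v));
        };
    }
    Err(VmiErr::CorruptTree(node))
}

/// In-order traversal (ascending address order) with an explicit stack and a
/// visited set, so a tampered or torn tree cannot trap the iterator in a loop.
fn regions(mem: &GuestMem, root: u64) -> Result<Vec<Vad>, VmiErr> {
    let (mut out, mut stack, mut seen) = (Vec::new(), Vec::new(), HashSet::new());
    let mut node = root;
    loop {
        while node != 0 {
            if !seen.insert(node) { return Err(VmiErr::CorruptTree(node)); }
            stack.push(node);
            node = mem.read_u64(node + VAD_LEFT)?;
        }
        let Some(n) = stack.pop() else { break };
        out.push(read_vad(mem, n)?);
        node = mem.read_u64(n + VAD_RIGHT)?;
    }
    Ok(out)
}

// Constructed tree (addresses and ranges are made up): root 0x7ff0_0000-0x7ff0_ffff,
// left 0x0040_0000-0x004f_ffff with its own left 0x0001_0000-0x0001_ffff,
// right 0x7ffe_0000-0x7ffe_0fff.
const N_ROOT: u64 = 0xffff_9000_0000_0100;
const N_L: u64 = 0xffff_9000_0000_0200;
const N_LL: u64 = 0xffff_9000_0000_0300;
const N_RR: u64 = 0xffff_9000_0000_0400;

fn put_vad(m: &mut HashMap<u64, u64>, node: u64, left: u64, right: u64, s: u64, e: u64) {
    for (off, val) in [(VAD_LEFT, left), (VAD_RIGHT, right), (VAD_START_VPN, s), (VAD_END_VPN, e)] {
        m.insert(node + off, val);
    }
}

/// `corrupt` links the rightmost node back to the root, as DKOM-style
/// tampering or a torn read of a running guest might.
fn sample_tree(corrupt: bool) -> GuestMem {
    let mut m = HashMap::new();
    put_vad(&mut m, N_ROOT, N_L, N_RR, 0x7ff00, 0x7ff0f);
    put_vad(&mut m, N_L, N_LL, 0, 0x400, 0x4ff);
    put_vad(&mut m, N_LL, 0, 0, 0x10, 0x1f);
    put_vad(&mut m, N_RR, 0, if corrupt { N_ROOT } else { 0 }, 0x7ffe0, 0x7ffe0);
    GuestMem(m)
}
```

Where the crate's regions() yields Result items lazily, this version collects into a Vec so the corruption check can abort the whole walk; a hint hit in find_region() returns without reading the root at all, which is the whole point of the hint.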

fn threads( &self, ) -> Result<impl Iterator<Item = Result<<Self::Os as VmiOs<Driver>>::Thread<'a>, VmiError>>, VmiError>

Returns an iterator over the threads in the process.

Notes

Both _EPROCESS and _KPROCESS carry a ThreadListHead, and both enumerate the same set of threads; the _EPROCESS list links _ETHREAD.ThreadListEntry, while the _KPROCESS list links _KTHREAD.ThreadListEntry.

Implementation Details

Corresponds to _EPROCESS.ThreadListHead.
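
The ThreadListHead walk as an added example (not the crate's implementation), over a constructed _EPROCESS with three threads read through a hypothetical GuestMem; every field offset is an assumption for that snapshot. It shows the CONTAINING_RECORD step that turns a LIST_ENTRY pointer back into the _ETHREAD that embeds it, and the consistency checks (each Blink must point back, no entry twice, bounded length) that keep an introspector from looping or walking garbage when the list has been tampered with or was torn by a concurrent update in the guest.

```rust
use std::collections::{HashMap, HashSet};

/// Errors mirror the shape of the crate's Result<_, VmiError>.
#[derive(Debug, PartialEq, Eq)]
enum VmiErr { PageFault(u64), CorruptList(u64) }

/// Constructed stand-in for a guest-memory reader: a sparse VA -> qword map.
struct GuestMem(HashMap<u64, u64>);
impl GuestMem {
    fn read_u64(&self, va: u64) -> Result<u64, VmiErr> {
        self.0.get(&va).copied().ok_or(VmiErr::PageFault(va))
    }
}

// Offsets assumed for this constructed snapshot; real ones come from the
// symbols of the guest's build.
const EPROCESS_THREADLISTHEAD: u64 = 0x5e0;  // _EPROCESS.ThreadListHead (LIST_ENTRY)
const ETHREAD_THREADLISTENTRY: u64 = 0x4e8;  // _ETHREAD.ThreadListEntry (LIST_ENTRY)
const ETHREAD_CID_UNIQUETHREAD: u64 = 0x480; // _ETHREAD.Cid.UniqueThread
const LIST_FLINK: u64 = 0x0;
const LIST_BLINK: u64 = 0x8;
// More entries than any real process owns; only a corrupted list gets here.
const MAX_THREADS: usize = 1 << 16;

/// Walks _EPROCESS.ThreadListHead. Each Flink points at the LIST_ENTRY
/// embedded in an _ETHREAD, so the owning object is recovered the way
/// CONTAINING_RECORD does, by subtracting the field offset. Returns
/// (ethread, thread id) pairs in list order, or CorruptList when a Blink does
/// not point back at the previous entry, an entry repeats, or the count
/// exceeds MAX_THREADS.
fn threads(mem: &GuestMem, eprocess: u64) -> Result<Vec<(u64, u64)>, VmiErr> {
    let head = eprocess + EPROCESS_THREADLISTHEAD;
    let mut seen = HashSet::from([head]);
    let mut out = Vec::new();
    let mut prev = head;
    let mut entry = mem.read_u64(head + LIST_FLINK)?;
    while entry != head {
        if out.len() >= MAX_THREADS || !seen.insert(entry) {
            return Err(VmiErr::CorruptList(entry));
        }
        if mem.read_u64(entry + LIST_BLINK)? != prev {
            return Err(VmiErr::CorruptList(entry));
        }
        let ethread = entry - ETHREAD_THREADLISTENTRY;
        let tid = mem.read_u64(ethread + ETHREAD_CID_UNIQUETHREAD)?;
        out.push((ethread, tid));
        prev = entry;
        entry = mem.read_u64(entry + LIST_FLINK)?;
    }
    Ok(out)
}

#[derive(Clone, Copy)]
enum Tamper { Intact, Loop, BadBlink }

// Constructed process and its three threads: (_ETHREAD address, thread id).
const PROC: u64 = 0xffff_a000_0000_0000;
const THREADS: [(u64, u64); 3] = [
    (0xffff_a000_0001_0000, 0x1a4),
    (0xffff_a000_0002_0000, 0x1b8),
    (0xffff_a000_0003_0000, 0x2d0),
];

/// Builds the circular doubly linked list, optionally damaged.
fn sample_list(tamper: Tamper) -> GuestMem {
    let mut m = HashMap::new();
    let head = PROC + EPROCESS_THREADLISTHEAD;
    let entries: Vec<u64> = THREADS.iter().map(|(t, _)| t + ETHREAD_THREADLISTENTRY).collect();
    let n = entries.len();
    m.insert(head + LIST_FLINK, entries[0]);
    m.insert(head + LIST_BLINK, entries[n - 1]);
    for (i, &e) in entries.iter().enumerate() {
        let flink = if i + 1 < n { entries[i + 1] } else { head };
        let blink = if i > 0 { entries[i - 1] } else { head };
        m.insert(e + LIST_FLINK, flink);
        m.insert(e + LIST_BLINK, blink);
        m.insert(THREADS[i].0 + ETHREAD_CID_UNIQUETHREAD, THREADS[i].1);
    }
    match tamper {
        Tamper::Intact => {}
        // Last entry points back into the middle of the list instead of the head.
        Tamper::Loop => { m.insert(entries[n - 1] + LIST_FLINK, entries[1]); }
        // Second entry's Blink no longer points at the first.
        Tamper::BadBlink => { m.insert(entries[1] + LIST_BLINK, 0); }
    }
    GuestMem(m)
}

fn main() -> Result<(), VmiErr> {
    for (ethread, tid) in threads(&sample_list(Tamper::Intact), PROC)? {
        println!("ETHREAD {ethread:#x} tid {tid}");
    }
    println!("{:?}", threads(&sample_list(Tamper::Loop), PROC));
    Ok(())
}
```

The Blink check is cheap (one extra read per entry) and catches the common case of a half-updated list during a live snapshot before the visited set or the length bound ever fire.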

fn is_valid_address(&self, address: Va) -> Result<Option<bool>, VmiError>

Checks whether the given virtual address is valid in the process.

This method checks whether a page fault on the address would be resolved successfully by the memory manager, i.e. whether the address is mapped in the process (for example, covered by a VAD) rather than raising an access violation. A valid address is not necessarily resident: the page may be paged out or not yet backed by a physical page, so a direct VMI read of a valid address can still fail to translate.

type Os = WindowsOs<Driver>

The VMI OS type.

impl<Driver> VmiVa for WindowsProcess<'_, Driver>
where Driver: VmiDriver, Driver::Architecture: Architecture + ArchAdapter<Driver>,

fn va(&self) -> Va

Returns the virtual address.

Auto Trait Implementations

impl<'a, Driver> Freeze for WindowsProcess<'a, Driver>

impl<'a, Driver> !RefUnwindSafe for WindowsProcess<'a, Driver>

impl<'a, Driver> !Send for WindowsProcess<'a, Driver>

impl<'a, Driver> !Sync for WindowsProcess<'a, Driver>

impl<'a, Driver> Unpin for WindowsProcess<'a, Driver>

impl<'a, Driver> !UnwindSafe for WindowsProcess<'a, Driver>

A WindowsProcess borrows the VmiState it was created from and is neither Send nor Sync, so a handle cannot be moved to or shared with another thread.

Blanket Implementations

impl<T> Any for T
where T: 'static + ?Sized,

fn type_id(&self) -> TypeId

Gets the TypeId of self.

impl<T> Borrow<T> for T
where T: ?Sized,

fn borrow(&self) -> &T

Immutably borrows from an owned value.

impl<T> BorrowMut<T> for T
where T: ?Sized,

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value.

impl<T> From<T> for T

fn from(t: T) -> T

Returns the argument unchanged.

impl<T> Instrument for T

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper.

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper.

impl<T, U> Into<U> for T
where U: From<T>,

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<T> PolicyExt for T
where T: ?Sized,

fn and<P, B, E>(self, other: P) -> And<T, P>
where T: Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns Action::Follow only if self and other return Action::Follow.

fn or<P, B, E>(self, other: P) -> Or<T, P>
where T: Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns Action::Follow if either self or other returns Action::Follow.

impl<T, U> TryFrom<U> for T
where U: Into<T>,

type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.

impl<T> WithSubscriber for T

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper.

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper.

impl<T> ErasedDestructor for T
where T: 'static,