
WindowsProcess

Struct WindowsProcess 

pub struct WindowsProcess<'a, Driver>
where Driver: VmiRead, Driver::Architecture: ArchAdapter<Driver>,
{ /* private fields */ }

A Windows process.

A process in Windows is represented by the _EPROCESS structure, which contains metadata about its execution state, memory layout, and handles.

§Implementation Details

Corresponds to _EPROCESS.

Implementations§


impl<'a, Driver> WindowsProcess<'a, Driver>
where Driver: VmiRead, Driver::Architecture: ArchAdapter<Driver>,


pub fn new(vmi: VmiState<'a, WindowsOs<Driver>>, process: ProcessObject) -> Self

Creates a new WindowsProcess wrapper for the given process object.


pub fn is_wow64(&self) -> Result<bool, VmiError>

Checks whether the process is a WoW64 process (a 32-bit process running on 64-bit Windows).

§Implementation Details

Corresponds to _EPROCESS.WoW64Process != NULL.


pub fn peb(&self) -> Result<Option<WindowsPeb<'a, Driver>>, VmiError>

Returns the process environment block (PEB).

§Implementation Details

The function first reads the _EPROCESS.WoW64Process field to determine whether the process is a 32-bit process. If the field is NULL, the process is 64-bit. Otherwise, the function reads the _EWOW64PROCESS.Peb field to obtain the 32-bit PEB.


pub fn native_peb(&self) -> Result<Option<WindowsPeb<'a, Driver>>, VmiError>

Returns the native process environment block (PEB).

§Implementation Details

Corresponds to _EPROCESS.Peb.


pub fn session(&self) -> Result<Option<WindowsSession<'a, Driver>>, VmiError>

Returns the session of the process.


pub fn handle_table( &self, ) -> Result<Option<WindowsHandleTable<'a, Driver>>, VmiError>

Returns the handle table of the process.

§Implementation Details

Corresponds to _EPROCESS.ObjectTable.


pub fn lookup_object<T>(&self, handle: u64) -> Result<Option<T>, VmiError>
where T: FromWindowsObject<'a, Driver>,

Looks up the object associated with the given handle and attempts to convert it to the specified type.

Resolves a handle value through the process handle table and converts the resulting WindowsObject using the FromWindowsObject trait.

Returns Ok(None) if the handle table is unavailable, the handle is invalid, the entry has no associated object, or the object is not of the requested type.

§Examples
// Look up the raw object.
let object = process.lookup_object::<WindowsObject<_>>(handle)?;

// Look up and convert to a specific type.
let process = current_process.lookup_object::<WindowsProcess<_>>(handle)?;
let file = current_process.lookup_object::<WindowsFileObject<_>>(handle)?;

pub fn vad_root(&self) -> Result<Option<WindowsRegion<'a, Driver>>, VmiError>

Returns the root of the virtual address descriptor (VAD) tree.

§Implementation Details

Corresponds to _EPROCESS.VadRoot->BalancedRoot for Windows 7 and _EPROCESS.VadRoot->Root for Windows 8.1 and later.


pub fn vad_hint(&self) -> Result<Option<WindowsRegion<'a, Driver>>, VmiError>

Returns the VAD hint node.

The VAD hint is an optimization used by Windows to speed up VAD lookups. This method returns the hint node of the VAD tree, if present, as a WindowsRegion.

§Implementation Details

Corresponds to _EPROCESS.VadRoot->NodeHint for Windows 7 and _EPROCESS.VadRoot->Hint for Windows 8.1 and later.

Trait Implementations§


impl<'a, Driver> From<WindowsProcess<'a, Driver>> for WindowsObject<'a, Driver>
where Driver: VmiRead, Driver::Architecture: ArchAdapter<Driver>,


fn from(value: WindowsProcess<'a, Driver>) -> Self

Converts to this type from the input type.

impl<'a, Driver> FromWindowsObject<'a, Driver> for WindowsProcess<'a, Driver>
where Driver: VmiRead, Driver::Architecture: ArchAdapter<Driver>,


fn from_object( object: WindowsObject<'a, Driver>, ) -> Result<Option<Self>, VmiError>

Attempts to convert a WindowsObject into a specific object type.

impl<'a, Driver> VmiOsProcess<'a, Driver> for WindowsProcess<'a, Driver>
where Driver: VmiRead, Driver::Architecture: ArchAdapter<Driver>,


fn id(&self) -> Result<ProcessId, VmiError>

Returns the process ID.

§Implementation Details

Corresponds to _EPROCESS.UniqueProcessId.


fn object(&self) -> Result<ProcessObject, VmiError>

Returns the process object.


fn name(&self) -> Result<String, VmiError>

Returns the name of the process.

§Implementation Details

Corresponds to _EPROCESS.ImageFileName.


fn parent_id(&self) -> Result<ProcessId, VmiError>

Returns the parent process ID.

§Implementation Details

Corresponds to _EPROCESS.InheritedFromUniqueProcessId.


fn architecture(&self) -> Result<VmiOsImageArchitecture, VmiError>

Returns the architecture of the process.

§Implementation Details

The function reads the _EPROCESS.WoW64Process field to determine whether the process is a 32-bit process: if the field is NULL, the process is 64-bit; otherwise, the process is 32-bit.


fn translation_root(&self) -> Result<Pa, VmiError>

Returns the process’s page table translation root.

§Implementation Details

Corresponds to _KPROCESS.DirectoryTableBase.


fn user_translation_root(&self) -> Result<Pa, VmiError>

Returns the user-mode page table translation root.

If KPTI is disabled, this function returns the same value as translation_root.

§Implementation Details

Corresponds to _KPROCESS.UserDirectoryTableBase.


fn image_base(&self) -> Result<Va, VmiError>

Returns the base address of the process image.

§Implementation Details

Corresponds to _EPROCESS.SectionBaseAddress.


fn regions( &self, ) -> Result<impl Iterator<Item = Result<WindowsRegion<'a, Driver>, VmiError>> + use<'a, Driver>, VmiError>

Returns an iterator over the process’s memory regions (VADs).

§Implementation Details

The function iterates over the VAD tree of the process.


fn find_region( &self, address: Va, ) -> Result<Option<WindowsRegion<'a, Driver>>, VmiError>

Finds the memory region (VAD) containing the given address.

This method searches the VAD tree for the node whose address range contains the given virtual address in the process’s address space.

Returns the matching VAD if found, or None if the address is not within any VAD.

§Implementation Details

The functionality is similar to the Windows kernel’s internal MiLocateAddress() function.


fn threads( &self, ) -> Result<impl Iterator<Item = Result<<Self::Os as VmiOs>::Thread<'a>, VmiError>> + use<'a, Driver>, VmiError>

Returns an iterator over the threads in the process.

§Notes

Both _EPROCESS and _KPROCESS structures contain the same list of threads.

§Implementation Details

Corresponds to _EPROCESS.ThreadListHead.


fn is_valid_address(&self, address: Va) -> Result<Option<bool>, VmiError>

Checks whether the given virtual address is valid in the process.

This method determines whether a page fault at the given address would be resolved successfully, i.e., whether the process could access that address.


type Os = WindowsOs<Driver>

The VMI OS type.

impl<Driver> VmiVa for WindowsProcess<'_, Driver>
where Driver: VmiRead, Driver::Architecture: ArchAdapter<Driver>,


fn va(&self) -> Va

Returns the virtual address.

Auto Trait Implementations§


impl<'a, Driver> Freeze for WindowsProcess<'a, Driver>


impl<'a, Driver> !RefUnwindSafe for WindowsProcess<'a, Driver>


impl<'a, Driver> !Send for WindowsProcess<'a, Driver>


impl<'a, Driver> !Sync for WindowsProcess<'a, Driver>


impl<'a, Driver> Unpin for WindowsProcess<'a, Driver>


impl<'a, Driver> UnsafeUnpin for WindowsProcess<'a, Driver>


impl<'a, Driver> !UnwindSafe for WindowsProcess<'a, Driver>

Blanket Implementations§


impl<T> Any for T
where T: 'static + ?Sized,


fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more

impl<T> ArchivePointee for T


type ArchivedMetadata = ()

The archived version of the pointer metadata for this type.

fn pointer_metadata( _: &<T as ArchivePointee>::ArchivedMetadata, ) -> <T as Pointee>::Metadata

Converts some archived metadata to the pointer metadata for itself.

impl<T> Borrow<T> for T
where T: ?Sized,


fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more

impl<T> BorrowMut<T> for T
where T: ?Sized,


fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more

impl<T> From<T> for T


fn from(t: T) -> T

Returns the argument unchanged.


impl<T> Instrument for T


fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper. Read more

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper. Read more

impl<T, U> Into<U> for T
where U: From<T>,


fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.


impl<T> LayoutRaw for T


fn layout_raw(_: <T as Pointee>::Metadata) -> Result<Layout, LayoutError>

Returns the layout of the type.

impl<T, N1, N2> Niching<NichedOption<T, N1>> for N2
where T: SharedNiching<N1, N2>, N1: Niching<T>, N2: Niching<T>,


unsafe fn is_niched(niched: *const NichedOption<T, N1>) -> bool

Returns whether the given value has been niched. Read more

fn resolve_niched(out: Place<NichedOption<T, N1>>)

Writes data to out indicating that a T is niched.

impl<T> Pointee for T


type Metadata = ()

The metadata type for pointers and references to this type.

impl<T> PolicyExt for T
where T: ?Sized,


fn and<P, B, E>(self, other: P) -> And<T, P>
where T: Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns Action::Follow only if self and other return Action::Follow. Read more

fn or<P, B, E>(self, other: P) -> Or<T, P>
where T: Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns Action::Follow if either self or other returns Action::Follow. Read more

impl<T, U> TryFrom<U> for T
where U: Into<T>,


type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,


type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.

impl<T> WithSubscriber for T


fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper. Read more

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper. Read more