Skip to main content

VmiEventResponse

vmi

Struct VmiEventResponse 

Source 
pub struct VmiEventResponse<Arch>
where
    Arch: Architecture,
{
    pub action: VmiEventAction,
    pub view: Option<View>,
    pub registers: Option<<<Arch as Architecture>::Registers as Registers>::GpRegisters>,
}
Expand description

A response to a VMI event.

Fields§

§action: VmiEventAction

The primary action to take when resuming.

§view: Option<View>

The view to set for the vCPU.

§registers: Option<<<Arch as Architecture>::Registers as Registers>::GpRegisters>

The vCPU registers to set.

Implementations§

Source§

impl<Arch> VmiEventResponse<Arch>
where Arch: Architecture,

Source

pub fn deny() -> VmiEventResponse<Arch>

Available on crate features utils and injector only.

Creates a response to deny the event.

Source

pub fn reinject_interrupt() -> VmiEventResponse<Arch>

Available on crate features utils and injector only.

Creates a response to reinject an interrupt.

Examples found in repository?
examples/windows-breakpoint-manager.rs (line 291)
276    fn interrupt(
277        &mut self,
278        vmi: &VmiContext<WindowsOs<Driver>>,
279    ) -> Result<VmiEventResponse<Amd64>, VmiError> {
280        let tag = match self.bpm.get_by_event(vmi.event(), ()) {
281            Some(breakpoints) => {
282                // Breakpoints can have multiple tags, but we have set only one
283                // tag for each breakpoint.
284                let first_breakpoint = breakpoints.into_iter().next().expect("breakpoint");
285                first_breakpoint.tag()
286            }
287            None => {
288                if BreakpointController::is_breakpoint(vmi, vmi.event())? {
289                    // This breakpoint was not set by us. Reinject it.
290                    tracing::warn!("Unknown breakpoint, reinjecting");
291                    return Ok(VmiEventResponse::reinject_interrupt());
292                }
293                else {
294                    // We have received a breakpoint event, but there is no
295                    // breakpoint instruction at the current memory location.
296                    // This can happen if the event was triggered by a breakpoint
297                    // we just removed.
298                    tracing::warn!("Ignoring old breakpoint event");
299                    return Ok(VmiEventResponse::fast_singlestep(vmi.default_view()));
300                }
301            }
302        };
303
304        let process = vmi.os().current_process()?;
305        let process_id = process.id()?;
306        let process_name = process.name()?;
307        tracing::Span::current()
308            .record("pid", process_id.0)
309            .record("process", process_name);
310
311        match tag {
312            "NtCreateFile" => self.NtCreateFile(vmi)?,
313            "NtWriteFile" => self.NtWriteFile(vmi)?,
314            "PspInsertProcess" => self.PspInsertProcess(vmi)?,
315            "MmCleanProcessAddressSpace" => self.MmCleanProcessAddressSpace(vmi)?,
316            _ => panic!("Unhandled tag: {tag}"),
317        }
318
319        Ok(VmiEventResponse::fast_singlestep(vmi.default_view()))
320    }
Source

pub fn singlestep() -> VmiEventResponse<Arch>

Available on crate features utils and injector only.

Creates a response to single-step one instruction.

Examples found in repository?
examples/windows-breakpoint-manager.rs (line 261)
240    fn memory_access(
241        &mut self,
242        vmi: &VmiContext<WindowsOs<Driver>>,
243    ) -> Result<VmiEventResponse<Amd64>, VmiError> {
244        let memory_access = vmi.event().reason().as_memory_access();
245
246        tracing::trace!(
247            pa = %memory_access.pa,
248            va = %memory_access.va,
249            access = %memory_access.access,
250        );
251
252        if memory_access.access.contains(MemoryAccess::W) {
253            // It is assumed that a write memory access event is caused by a
254            // page table modification.
255            //
256            // The page table entry is marked as dirty in the page table monitor
257            // and a singlestep is performed to process the dirty entries.
258            self.ptm
259                .mark_dirty_entry(memory_access.pa, self.view, vmi.event().vcpu_id());
260
261            Ok(VmiEventResponse::singlestep().with_view(vmi.default_view()))
262        }
263        else if memory_access.access.contains(MemoryAccess::R) {
264            // When the guest tries to read from the memory, a fast-singlestep
265            // is performed over the instruction that tried to read the memory.
266            // This is done to allow the instruction to read the original memory
267            // content.
268            Ok(VmiEventResponse::fast_singlestep(vmi.default_view()))
269        }
270        else {
271            panic!("Unhandled memory access: {memory_access:?}");
272        }
273    }
Source

pub fn fast_singlestep(view: View) -> VmiEventResponse<Arch>

Available on crate features utils and injector only.

Creates a response to fast single-step one instruction in the specified view. Unlike regular singlestep, fast singlestep never generates a VMI event.

Examples found in repository?
examples/windows-breakpoint-manager.rs (line 268)
240    fn memory_access(
241        &mut self,
242        vmi: &VmiContext<WindowsOs<Driver>>,
243    ) -> Result<VmiEventResponse<Amd64>, VmiError> {
244        let memory_access = vmi.event().reason().as_memory_access();
245
246        tracing::trace!(
247            pa = %memory_access.pa,
248            va = %memory_access.va,
249            access = %memory_access.access,
250        );
251
252        if memory_access.access.contains(MemoryAccess::W) {
253            // It is assumed that a write memory access event is caused by a
254            // page table modification.
255            //
256            // The page table entry is marked as dirty in the page table monitor
257            // and a singlestep is performed to process the dirty entries.
258            self.ptm
259                .mark_dirty_entry(memory_access.pa, self.view, vmi.event().vcpu_id());
260
261            Ok(VmiEventResponse::singlestep().with_view(vmi.default_view()))
262        }
263        else if memory_access.access.contains(MemoryAccess::R) {
264            // When the guest tries to read from the memory, a fast-singlestep
265            // is performed over the instruction that tried to read the memory.
266            // This is done to allow the instruction to read the original memory
267            // content.
268            Ok(VmiEventResponse::fast_singlestep(vmi.default_view()))
269        }
270        else {
271            panic!("Unhandled memory access: {memory_access:?}");
272        }
273    }
274
275    #[tracing::instrument(skip_all, fields(pid, process))]
276    fn interrupt(
277        &mut self,
278        vmi: &VmiContext<WindowsOs<Driver>>,
279    ) -> Result<VmiEventResponse<Amd64>, VmiError> {
280        let tag = match self.bpm.get_by_event(vmi.event(), ()) {
281            Some(breakpoints) => {
282                // Breakpoints can have multiple tags, but we have set only one
283                // tag for each breakpoint.
284                let first_breakpoint = breakpoints.into_iter().next().expect("breakpoint");
285                first_breakpoint.tag()
286            }
287            None => {
288                if BreakpointController::is_breakpoint(vmi, vmi.event())? {
289                    // This breakpoint was not set by us. Reinject it.
290                    tracing::warn!("Unknown breakpoint, reinjecting");
291                    return Ok(VmiEventResponse::reinject_interrupt());
292                }
293                else {
294                    // We have received a breakpoint event, but there is no
295                    // breakpoint instruction at the current memory location.
296                    // This can happen if the event was triggered by a breakpoint
297                    // we just removed.
298                    tracing::warn!("Ignoring old breakpoint event");
299                    return Ok(VmiEventResponse::fast_singlestep(vmi.default_view()));
300                }
301            }
302        };
303
304        let process = vmi.os().current_process()?;
305        let process_id = process.id()?;
306        let process_name = process.name()?;
307        tracing::Span::current()
308            .record("pid", process_id.0)
309            .record("process", process_name);
310
311        match tag {
312            "NtCreateFile" => self.NtCreateFile(vmi)?,
313            "NtWriteFile" => self.NtWriteFile(vmi)?,
314            "PspInsertProcess" => self.PspInsertProcess(vmi)?,
315            "MmCleanProcessAddressSpace" => self.MmCleanProcessAddressSpace(vmi)?,
316            _ => panic!("Unhandled tag: {tag}"),
317        }
318
319        Ok(VmiEventResponse::fast_singlestep(vmi.default_view()))
320    }
Source

pub fn emulate() -> VmiEventResponse<Arch>

Available on crate features utils and injector only.

Creates a response to emulate the instruction.

Source

pub fn with_view(self, view: View) -> VmiEventResponse<Arch>

Available on crate features utils and injector only.

Sets a specific view for the response.

Examples found in repository?
examples/windows-breakpoint-manager.rs (line 261)
240    fn memory_access(
241        &mut self,
242        vmi: &VmiContext<WindowsOs<Driver>>,
243    ) -> Result<VmiEventResponse<Amd64>, VmiError> {
244        let memory_access = vmi.event().reason().as_memory_access();
245
246        tracing::trace!(
247            pa = %memory_access.pa,
248            va = %memory_access.va,
249            access = %memory_access.access,
250        );
251
252        if memory_access.access.contains(MemoryAccess::W) {
253            // It is assumed that a write memory access event is caused by a
254            // page table modification.
255            //
256            // The page table entry is marked as dirty in the page table monitor
257            // and a singlestep is performed to process the dirty entries.
258            self.ptm
259                .mark_dirty_entry(memory_access.pa, self.view, vmi.event().vcpu_id());
260
261            Ok(VmiEventResponse::singlestep().with_view(vmi.default_view()))
262        }
263        else if memory_access.access.contains(MemoryAccess::R) {
264            // When the guest tries to read from the memory, a fast-singlestep
265            // is performed over the instruction that tried to read the memory.
266            // This is done to allow the instruction to read the original memory
267            // content.
268            Ok(VmiEventResponse::fast_singlestep(vmi.default_view()))
269        }
270        else {
271            panic!("Unhandled memory access: {memory_access:?}");
272        }
273    }
274
275    #[tracing::instrument(skip_all, fields(pid, process))]
276    fn interrupt(
277        &mut self,
278        vmi: &VmiContext<WindowsOs<Driver>>,
279    ) -> Result<VmiEventResponse<Amd64>, VmiError> {
280        let tag = match self.bpm.get_by_event(vmi.event(), ()) {
281            Some(breakpoints) => {
282                // Breakpoints can have multiple tags, but we have set only one
283                // tag for each breakpoint.
284                let first_breakpoint = breakpoints.into_iter().next().expect("breakpoint");
285                first_breakpoint.tag()
286            }
287            None => {
288                if BreakpointController::is_breakpoint(vmi, vmi.event())? {
289                    // This breakpoint was not set by us. Reinject it.
290                    tracing::warn!("Unknown breakpoint, reinjecting");
291                    return Ok(VmiEventResponse::reinject_interrupt());
292                }
293                else {
294                    // We have received a breakpoint event, but there is no
295                    // breakpoint instruction at the current memory location.
296                    // This can happen if the event was triggered by a breakpoint
297                    // we just removed.
298                    tracing::warn!("Ignoring old breakpoint event");
299                    return Ok(VmiEventResponse::fast_singlestep(vmi.default_view()));
300                }
301            }
302        };
303
304        let process = vmi.os().current_process()?;
305        let process_id = process.id()?;
306        let process_name = process.name()?;
307        tracing::Span::current()
308            .record("pid", process_id.0)
309            .record("process", process_name);
310
311        match tag {
312            "NtCreateFile" => self.NtCreateFile(vmi)?,
313            "NtWriteFile" => self.NtWriteFile(vmi)?,
314            "PspInsertProcess" => self.PspInsertProcess(vmi)?,
315            "MmCleanProcessAddressSpace" => self.MmCleanProcessAddressSpace(vmi)?,
316            _ => panic!("Unhandled tag: {tag}"),
317        }
318
319        Ok(VmiEventResponse::fast_singlestep(vmi.default_view()))
320    }
321
322    #[tracing::instrument(skip_all)]
323    fn singlestep(
324        &mut self,
325        vmi: &VmiContext<WindowsOs<Driver>>,
326    ) -> Result<VmiEventResponse<Amd64>, VmiError> {
327        // Get the page table modifications by processing the dirty page table
328        // entries.
329        let ptm_events = self.ptm.process_dirty_entries(vmi, vmi.event().vcpu_id())?;
330
331        // Let the breakpoint controller handle the page table modifications.
332        self.bpm.handle_ptm_events(vmi, ptm_events)?;
333
334        // Disable singlestep and switch back to our view.
335        Ok(VmiEventResponse::default().with_view(self.view))
336    }
Source

pub fn with_registers( self, registers: <<Arch as Architecture>::Registers as Registers>::GpRegisters, ) -> VmiEventResponse<Arch>

Available on crate features utils and injector only.

Sets specific CPU registers for the response.

Trait Implementations§

Source§

impl<Arch> Debug for VmiEventResponse<Arch>
where Arch: Debug + Architecture, <Arch as Architecture>::Registers: Debug,

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error>

Formats the value using the given formatter. Read more
Source§

impl<Arch> Default for VmiEventResponse<Arch>
where Arch: Architecture,

Source§

fn default() -> VmiEventResponse<Arch>

Returns the “default value” for a type. Read more

Auto Trait Implementations§

§

impl<Arch> Freeze for VmiEventResponse<Arch>
where <<Arch as Architecture>::Registers as Registers>::GpRegisters: Freeze,

§

impl<Arch> RefUnwindSafe for VmiEventResponse<Arch>
where <<Arch as Architecture>::Registers as Registers>::GpRegisters: RefUnwindSafe,

§

impl<Arch> Send for VmiEventResponse<Arch>
where <<Arch as Architecture>::Registers as Registers>::GpRegisters: Send,

§

impl<Arch> Sync for VmiEventResponse<Arch>
where <<Arch as Architecture>::Registers as Registers>::GpRegisters: Sync,

§

impl<Arch> Unpin for VmiEventResponse<Arch>
where <<Arch as Architecture>::Registers as Registers>::GpRegisters: Unpin,

§

impl<Arch> UnsafeUnpin for VmiEventResponse<Arch>
where <<Arch as Architecture>::Registers as Registers>::GpRegisters: UnsafeUnpin,

§

impl<Arch> UnwindSafe for VmiEventResponse<Arch>
where <<Arch as Architecture>::Registers as Registers>::GpRegisters: UnwindSafe,

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> ArchivePointee for T

Source§

type ArchivedMetadata = ()

The archived version of the pointer metadata for this type.
Source§

fn pointer_metadata( _: &<T as ArchivePointee>::ArchivedMetadata, ) -> <T as Pointee>::Metadata

Converts some archived metadata to the pointer metadata for itself.
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T> Instrument for T

Source§

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper. Read more
Source§

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper. Read more
Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> LayoutRaw for T

Source§

fn layout_raw(_: <T as Pointee>::Metadata) -> Result<Layout, LayoutError>

Returns the layout of the type.
Source§

impl<T, N1, N2> Niching<NichedOption<T, N1>> for N2
where T: SharedNiching<N1, N2>, N1: Niching<T>, N2: Niching<T>,

Source§

unsafe fn is_niched(niched: *const NichedOption<T, N1>) -> bool

Returns whether the given value has been niched. Read more
Source§

fn resolve_niched(out: Place<NichedOption<T, N1>>)

Writes data to out indicating that a T is niched.
Source§

impl<T> Pointee for T

Source§

type Metadata = ()

The metadata type for pointers and references to this type.
Source§

impl<T> PolicyExt for T
where T: ?Sized,

Source§

fn and<P, B, E>(self, other: P) -> And<T, P>
where T: Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns Action::Follow only if self and other return Action::Follow. Read more
Source§

fn or<P, B, E>(self, other: P) -> Or<T, P>
where T: Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns Action::Follow if either self or other returns Action::Follow. Read more
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
Source§

impl<T> WithSubscriber for T

Source§

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper. Read more
Source§

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper. Read more