1use std::{
2 cmp::max,
3 collections::{HashMap, HashSet},
4 path::{Path, PathBuf},
5};
6
7use anyhow::{anyhow, bail, ensure, Result};
8use raw_cstr::AsRawCstr;
9use simics::{
10 debug, get_attribute, get_interface, get_object, info, ConfObject, IntRegisterInterface,
11};
12use vergilius::bindings::*;
13use windows_sys::Win32::{Foundation::UNICODE_STRING, System::Kernel::LIST_ENTRY};
14
15use crate::os::{
16 windows::{debug_info::DebugInfo, util::read_virtual},
17 DebugInfoConfig,
18};
19
20use super::{
21 debug_info::ProcessModule,
22 util::{read_unicode_string, read_unicode_string_dtb, read_virtual_dtb},
23};
24
/// A `_KPCR` (processor control region) copied out of guest memory, tagged with
/// the Windows build whose bindgen layout was used to decode it.
///
/// Each variant is named after the `<major>_<minor>_<build>_<revision>` of the
/// `vergilius` bindings module it wraps. Construct with [`WindowsKpcr::new`],
/// which also performs the sanity checks that make the contents trustworthy.
// Every variant embeds a full bindgen `_KPCR` by value, hence the lint allowance.
#[allow(clippy::large_enum_variant)]
pub enum WindowsKpcr {
    Windows10_0_10240_16384 {
        kpcr: windows_10_0_10240_16384_x64::_KPCR,
    },
    Windows10_0_10586_0 {
        kpcr: windows_10_0_10586_0_x64::_KPCR,
    },
    Windows10_0_14393_0 {
        kpcr: windows_10_0_14393_0_x64::_KPCR,
    },
    Windows10_0_15063_0 {
        kpcr: windows_10_0_15063_0_x64::_KPCR,
    },
    Windows10_0_16299_15 {
        kpcr: windows_10_0_16299_15_x64::_KPCR,
    },
    Windows10_0_17134_1 {
        kpcr: windows_10_0_17134_1_x64::_KPCR,
    },
    Windows10_0_17763_107 {
        kpcr: windows_10_0_17763_107_x64::_KPCR,
    },
    Windows10_0_18362_418 {
        kpcr: windows_10_0_18362_418_x64::_KPCR,
    },
    Windows10_0_19041_1288 {
        kpcr: windows_10_0_19041_1288_x64::_KPCR,
    },
    Windows10_0_19045_2965 {
        kpcr: windows_10_0_19045_2965_x64::_KPCR,
    },
    Windows10_0_22000_194 {
        kpcr: windows_10_0_22000_194_x64::_KPCR,
    },
    Windows10_0_22621_382 {
        kpcr: windows_10_0_22621_382_x64::_KPCR,
    },
    Windows10_0_22631_2428 {
        kpcr: windows_10_0_22631_2428_x64::_KPCR,
    },
}
67
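impl WindowsKpcr {
    /// Reads the current processor's `_KPCR` out of guest memory, using the
    /// structure layout that matches the guest's `(maj, min, build)` triple.
    ///
    /// The KPCR address is derived from the processor's `ia32_gs_base` /
    /// `ia32_kernel_gs_base` registers, and the structure is cross-checked
    /// against the simulator's own view of the IDTR before it is returned, so a
    /// wrong build selection (or a corrupted guest) is rejected here rather than
    /// silently decoded with the wrong layout.
    ///
    /// # Errors
    ///
    /// Fails if the version triple is not one of the supported builds, if the
    /// register interface or the `idtr_base` attribute cannot be read, if the
    /// guest read fails, or if the structure fails either sanity check
    /// (`Self` pointer != KPCR address, `IdtBase` != IDTR base).
    pub fn new(processor: *mut ConfObject, maj: u32, min: u32, build: u32) -> Result<Self> {
        let mut int_register = get_interface::<IntRegisterInterface>(processor)?;
        let ia32_kernel_gs_base_nr =
            int_register.get_number("ia32_kernel_gs_base".as_raw_cstr()?)?;
        let ia32_gs_base_nr = int_register.get_number("ia32_gs_base".as_raw_cstr()?)?;
        let ia32_kernel_gs_base = int_register.read(ia32_kernel_gs_base_nr)?;
        let ia32_gs_base = int_register.read(ia32_gs_base_nr)?;
        let sim_idtr_base: u64 = get_attribute(processor, "idtr_base")?.try_into()?;

        // Which of the two GS bases currently holds the kernel's value depends on
        // whether the guest is executing in user or kernel mode; taking the larger
        // of the two picks the kernel-space address in either case.
        // NOTE(review): this is a heuristic — the Self/IdtBase checks below are
        // what actually validate the choice.
        let kpcr_address = max(ia32_gs_base, ia32_kernel_gs_base);

        // Every supported build shares the same read-and-validate sequence; only
        // the bindgen module and the enum variant differ, so generate the arms.
        // `processor`, `kpcr_address` and `sim_idtr_base` are captured from this
        // scope (macro_rules! resolves locals at the definition site).
        macro_rules! read_kpcr {
            ($module:ident, $variant:ident) => {{
                let kpcr = read_virtual::<$module::_KPCR>(processor, kpcr_address)?;
                // SAFETY: `kpcr` is a plain-data copy of guest memory; the union
                // member is read only to obtain a pointer value that is compared,
                // never dereferenced.
                let self_ptr = unsafe { kpcr.__bindgen_anon_1.__bindgen_anon_1 }.Self_;
                // The KPCR stores its own address; a mismatch means we are looking
                // at the wrong memory or the wrong layout.
                ensure!(
                    std::ptr::eq(self_ptr, kpcr_address as *mut _),
                    "Invalid KPCR: Self != KPCR address"
                );
                // The IDT base recorded in the structure must agree with the
                // processor's actual IDTR.
                ensure!(
                    std::ptr::eq(kpcr.IdtBase, sim_idtr_base as *mut _),
                    "Invalid KPCR: IdtBase != IDTR base"
                );
                Ok(WindowsKpcr::$variant { kpcr })
            }};
        }

        match (maj, min, build) {
            (10, 0, 10240) => read_kpcr!(windows_10_0_10240_16384_x64, Windows10_0_10240_16384),
            (10, 0, 10586) => read_kpcr!(windows_10_0_10586_0_x64, Windows10_0_10586_0),
            (10, 0, 14393) => read_kpcr!(windows_10_0_14393_0_x64, Windows10_0_14393_0),
            (10, 0, 15063) => read_kpcr!(windows_10_0_15063_0_x64, Windows10_0_15063_0),
            (10, 0, 16299) => read_kpcr!(windows_10_0_16299_15_x64, Windows10_0_16299_15),
            (10, 0, 17134) => read_kpcr!(windows_10_0_17134_1_x64, Windows10_0_17134_1),
            (10, 0, 17763) => read_kpcr!(windows_10_0_17763_107_x64, Windows10_0_17763_107),
            (10, 0, 18362) => read_kpcr!(windows_10_0_18362_418_x64, Windows10_0_18362_418),
            (10, 0, 19041) => read_kpcr!(windows_10_0_19041_1288_x64, Windows10_0_19041_1288),
            (10, 0, 19045) => read_kpcr!(windows_10_0_19045_2965_x64, Windows10_0_19045_2965),
            (10, 0, 22000) => read_kpcr!(windows_10_0_22000_194_x64, Windows10_0_22000_194),
            (10, 0, 22621) => read_kpcr!(windows_10_0_22621_382_x64, Windows10_0_22621_382),
            (10, 0, 22631) => read_kpcr!(windows_10_0_22631_2428_x64, Windows10_0_22631_2428),
            (_, _, _) => bail!("Unsupported Windows version"),
        }
    }

    /// Returns the guest virtual address of this processor's `_KPRCB`, i.e. the
    /// `CurrentPrcb` pointer stored in the KPCR, as an integer suitable for
    /// [`WindowsKprcb::new`].
    pub fn kpcrb_address(&self) -> u64 {
        // Same field, same access, thirteen layouts: generate the match arms.
        macro_rules! current_prcb {
            ($this:expr, $($variant:ident),+ $(,)?) => {
                match $this {
                    $(
                        WindowsKpcr::$variant { kpcr } => {
                            // SAFETY: `kpcr` is a plain-data copy of guest memory; the
                            // union member is read as a pointer value and converted to
                            // an integer, never dereferenced.
                            unsafe { kpcr.__bindgen_anon_1.__bindgen_anon_1 }.CurrentPrcb as u64
                        }
                    )+
                }
            };
        }

        current_prcb!(
            self,
            Windows10_0_10240_16384,
            Windows10_0_10586_0,
            Windows10_0_14393_0,
            Windows10_0_15063_0,
            Windows10_0_16299_15,
            Windows10_0_17134_1,
            Windows10_0_17763_107,
            Windows10_0_18362_418,
            Windows10_0_19041_1288,
            Windows10_0_19045_2965,
            Windows10_0_22000_194,
            Windows10_0_22621_382,
            Windows10_0_22631_2428,
        )
    }
}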
350
/// A `_KPRCB` (processor region control block) copied out of guest memory,
/// tagged with the Windows build whose bindgen layout was used to decode it.
///
/// Variants mirror those of [`WindowsKpcr`]; the address to read normally comes
/// from [`WindowsKpcr::kpcrb_address`]. Construct with [`WindowsKprcb::new`].
// Every variant embeds a full bindgen `_KPRCB` by value, hence the lint allowance.
#[allow(clippy::large_enum_variant)]
pub enum WindowsKprcb {
    Windows10_0_10240_16384 {
        kprcb: windows_10_0_10240_16384_x64::_KPRCB,
    },
    Windows10_0_10586_0 {
        kprcb: windows_10_0_10586_0_x64::_KPRCB,
    },
    Windows10_0_14393_0 {
        kprcb: windows_10_0_14393_0_x64::_KPRCB,
    },
    Windows10_0_15063_0 {
        kprcb: windows_10_0_15063_0_x64::_KPRCB,
    },
    Windows10_0_16299_15 {
        kprcb: windows_10_0_16299_15_x64::_KPRCB,
    },
    Windows10_0_17134_1 {
        kprcb: windows_10_0_17134_1_x64::_KPRCB,
    },
    Windows10_0_17763_107 {
        kprcb: windows_10_0_17763_107_x64::_KPRCB,
    },
    Windows10_0_18362_418 {
        kprcb: windows_10_0_18362_418_x64::_KPRCB,
    },
    Windows10_0_19041_1288 {
        kprcb: windows_10_0_19041_1288_x64::_KPRCB,
    },
    Windows10_0_19045_2965 {
        kprcb: windows_10_0_19045_2965_x64::_KPRCB,
    },
    Windows10_0_22000_194 {
        kprcb: windows_10_0_22000_194_x64::_KPRCB,
    },
    Windows10_0_22621_382 {
        kprcb: windows_10_0_22621_382_x64::_KPRCB,
    },
    Windows10_0_22631_2428 {
        kprcb: windows_10_0_22631_2428_x64::_KPRCB,
    },
}
393
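impl WindowsKprcb {
    /// Reads the `_KPRCB` at `kpcrb_address` (normally the value returned by
    /// [`WindowsKpcr::kpcrb_address`]) using the layout for `(maj, min, build)`.
    ///
    /// NOTE(review): unlike [`WindowsKpcr::new`], nothing here validates the
    /// structure after it is read — a wrong build selection or a bad address is
    /// only noticed when a field such as `CurrentThread` is consumed downstream.
    ///
    /// # Errors
    ///
    /// Fails for an unsupported version triple or a failed guest read.
    pub fn new(
        processor: *mut ConfObject,
        maj: u32,
        min: u32,
        build: u32,
        kpcrb_address: u64,
    ) -> Result<Self> {
        // One arm per supported build; only the bindgen module and the variant
        // differ. `processor` and `kpcrb_address` are captured from this scope.
        macro_rules! read_kprcb {
            ($module:ident, $variant:ident) => {{
                let kprcb = read_virtual::<$module::_KPRCB>(processor, kpcrb_address)?;
                Ok(WindowsKprcb::$variant { kprcb })
            }};
        }

        match (maj, min, build) {
            (10, 0, 10240) => read_kprcb!(windows_10_0_10240_16384_x64, Windows10_0_10240_16384),
            (10, 0, 10586) => read_kprcb!(windows_10_0_10586_0_x64, Windows10_0_10586_0),
            (10, 0, 14393) => read_kprcb!(windows_10_0_14393_0_x64, Windows10_0_14393_0),
            (10, 0, 15063) => read_kprcb!(windows_10_0_15063_0_x64, Windows10_0_15063_0),
            (10, 0, 16299) => read_kprcb!(windows_10_0_16299_15_x64, Windows10_0_16299_15),
            (10, 0, 17134) => read_kprcb!(windows_10_0_17134_1_x64, Windows10_0_17134_1),
            (10, 0, 17763) => read_kprcb!(windows_10_0_17763_107_x64, Windows10_0_17763_107),
            (10, 0, 18362) => read_kprcb!(windows_10_0_18362_418_x64, Windows10_0_18362_418),
            (10, 0, 19041) => read_kprcb!(windows_10_0_19041_1288_x64, Windows10_0_19041_1288),
            (10, 0, 19045) => read_kprcb!(windows_10_0_19045_2965_x64, Windows10_0_19045_2965),
            (10, 0, 22000) => read_kprcb!(windows_10_0_22000_194_x64, Windows10_0_22000_194),
            (10, 0, 22621) => read_kprcb!(windows_10_0_22621_382_x64, Windows10_0_22621_382),
            (10, 0, 22631) => read_kprcb!(windows_10_0_22631_2428_x64, Windows10_0_22631_2428),
            (_, _, _) => bail!("Unsupported Windows version"),
        }
    }

    /// Returns the `CurrentThread` pointer of this PRCB — the guest virtual
    /// address of the thread currently scheduled on the processor — as an
    /// integer. The value is guest data and is not validated here.
    pub fn current_thread(&self) -> u64 {
        match self {
            Self::Windows10_0_10240_16384 { kprcb } => kprcb.CurrentThread as u64,
            Self::Windows10_0_10586_0 { kprcb } => kprcb.CurrentThread as u64,
            Self::Windows10_0_14393_0 { kprcb } => kprcb.CurrentThread as u64,
            Self::Windows10_0_15063_0 { kprcb } => kprcb.CurrentThread as u64,
            Self::Windows10_0_16299_15 { kprcb } => kprcb.CurrentThread as u64,
            Self::Windows10_0_17134_1 { kprcb } => kprcb.CurrentThread as u64,
            Self::Windows10_0_17763_107 { kprcb } => kprcb.CurrentThread as u64,
            Self::Windows10_0_18362_418 { kprcb } => kprcb.CurrentThread as u64,
            Self::Windows10_0_19041_1288 { kprcb } => kprcb.CurrentThread as u64,
            Self::Windows10_0_19045_2965 { kprcb } => kprcb.CurrentThread as u64,
            Self::Windows10_0_22000_194 { kprcb } => kprcb.CurrentThread as u64,
            Self::Windows10_0_22621_382 { kprcb } => kprcb.CurrentThread as u64,
            Self::Windows10_0_22631_2428 { kprcb } => kprcb.CurrentThread as u64,
        }
    }
}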
503
/// A `_LDR_DATA_TABLE_ENTRY` (one loaded module in a loader list) copied out of
/// guest memory, tagged with the Windows build whose bindgen layout was used to
/// decode it.
///
/// Variants mirror those of [`WindowsKpcr`]. Construct with
/// [`WindowsLdrDataTableEntry::new`], [`WindowsLdrDataTableEntry::new_dtb`]
/// (read through an explicit page-table base) or
/// [`WindowsLdrDataTableEntry::new_from_in_memory_order_links`] (from a list
/// node address). Field accessors such as `dll_base` return raw guest values.
pub enum WindowsLdrDataTableEntry {
    Windows10_0_10240_16384 {
        ldr_data_table_entry: windows_10_0_10240_16384_x64::_LDR_DATA_TABLE_ENTRY,
    },
    Windows10_0_10586_0 {
        ldr_data_table_entry: windows_10_0_10586_0_x64::_LDR_DATA_TABLE_ENTRY,
    },
    Windows10_0_14393_0 {
        ldr_data_table_entry: windows_10_0_14393_0_x64::_LDR_DATA_TABLE_ENTRY,
    },
    Windows10_0_15063_0 {
        ldr_data_table_entry: windows_10_0_15063_0_x64::_LDR_DATA_TABLE_ENTRY,
    },
    Windows10_0_16299_15 {
        ldr_data_table_entry: windows_10_0_16299_15_x64::_LDR_DATA_TABLE_ENTRY,
    },
    Windows10_0_17134_1 {
        ldr_data_table_entry: windows_10_0_17134_1_x64::_LDR_DATA_TABLE_ENTRY,
    },
    Windows10_0_17763_107 {
        ldr_data_table_entry: windows_10_0_17763_107_x64::_LDR_DATA_TABLE_ENTRY,
    },
    Windows10_0_18362_418 {
        ldr_data_table_entry: windows_10_0_18362_418_x64::_LDR_DATA_TABLE_ENTRY,
    },
    Windows10_0_19041_1288 {
        ldr_data_table_entry: windows_10_0_19041_1288_x64::_LDR_DATA_TABLE_ENTRY,
    },
    Windows10_0_19045_2965 {
        ldr_data_table_entry: windows_10_0_19045_2965_x64::_LDR_DATA_TABLE_ENTRY,
    },
    Windows10_0_22000_194 {
        ldr_data_table_entry: windows_10_0_22000_194_x64::_LDR_DATA_TABLE_ENTRY,
    },
    Windows10_0_22621_382 {
        ldr_data_table_entry: windows_10_0_22621_382_x64::_LDR_DATA_TABLE_ENTRY,
    },
    Windows10_0_22631_2428 {
        ldr_data_table_entry: windows_10_0_22631_2428_x64::_LDR_DATA_TABLE_ENTRY,
    },
}
545
546impl WindowsLdrDataTableEntry {
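/// Reads the `_LDR_DATA_TABLE_ENTRY` at `ldr_data_table_entry_address` through
/// the processor's current address space, using the layout that matches
/// `(major, minor, build)`.
///
/// NOTE(review): callers such as `new_from_in_memory_order_links` derive this
/// address from guest-maintained list links, and nothing here validates the
/// structure after it is read — a failed read is reported, but a successful
/// read of the wrong memory is not detected.
///
/// # Errors
///
/// Fails for an unsupported version triple or a failed guest read.
pub fn new(
    processor: *mut ConfObject,
    major: u32,
    minor: u32,
    build: u32,
    ldr_data_table_entry_address: u64,
) -> Result<Self> {
    // One arm per supported build; only the bindgen module and the variant
    // differ. `processor` and `ldr_data_table_entry_address` are captured from
    // this scope.
    macro_rules! read_entry {
        ($module:ident, $variant:ident) => {{
            let ldr_data_table_entry = read_virtual::<$module::_LDR_DATA_TABLE_ENTRY>(
                processor,
                ldr_data_table_entry_address,
            )?;
            Ok(WindowsLdrDataTableEntry::$variant {
                ldr_data_table_entry,
            })
        }};
    }

    match (major, minor, build) {
        (10, 0, 10240) => read_entry!(windows_10_0_10240_16384_x64, Windows10_0_10240_16384),
        (10, 0, 10586) => read_entry!(windows_10_0_10586_0_x64, Windows10_0_10586_0),
        (10, 0, 14393) => read_entry!(windows_10_0_14393_0_x64, Windows10_0_14393_0),
        (10, 0, 15063) => read_entry!(windows_10_0_15063_0_x64, Windows10_0_15063_0),
        (10, 0, 16299) => read_entry!(windows_10_0_16299_15_x64, Windows10_0_16299_15),
        (10, 0, 17134) => read_entry!(windows_10_0_17134_1_x64, Windows10_0_17134_1),
        (10, 0, 17763) => read_entry!(windows_10_0_17763_107_x64, Windows10_0_17763_107),
        (10, 0, 18362) => read_entry!(windows_10_0_18362_418_x64, Windows10_0_18362_418),
        (10, 0, 19041) => read_entry!(windows_10_0_19041_1288_x64, Windows10_0_19041_1288),
        (10, 0, 19045) => read_entry!(windows_10_0_19045_2965_x64, Windows10_0_19045_2965),
        (10, 0, 22000) => read_entry!(windows_10_0_22000_194_x64, Windows10_0_22000_194),
        (10, 0, 22621) => read_entry!(windows_10_0_22621_382_x64, Windows10_0_22621_382),
        (10, 0, 22631) => read_entry!(windows_10_0_22631_2428_x64, Windows10_0_22631_2428),
        (_, _, _) => bail!("Unsupported Windows version"),
    }
}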
688
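/// Reads the `_LDR_DATA_TABLE_ENTRY` at `virtual_address`, translating through
/// the page tables rooted at `directory_table_base` rather than the
/// processor's current ones, using the layout that matches
/// `(major, minor, build)`.
///
/// This is the variant to use when the entry belongs to a process other than
/// the one currently running on `processor`. As with [`Self::new`], the
/// structure is not validated after it is read.
///
/// # Errors
///
/// Fails for an unsupported version triple or a failed guest read.
pub fn new_dtb(
    processor: *mut ConfObject,
    major: u32,
    minor: u32,
    build: u32,
    directory_table_base: u64,
    virtual_address: u64,
) -> Result<Self> {
    // One arm per supported build; only the bindgen module and the variant
    // differ. `processor`, `directory_table_base` and `virtual_address` are
    // captured from this scope.
    macro_rules! read_entry_dtb {
        ($module:ident, $variant:ident) => {{
            let ldr_data_table_entry = read_virtual_dtb::<$module::_LDR_DATA_TABLE_ENTRY>(
                processor,
                directory_table_base,
                virtual_address,
            )?;
            Ok(WindowsLdrDataTableEntry::$variant {
                ldr_data_table_entry,
            })
        }};
    }

    match (major, minor, build) {
        (10, 0, 10240) => read_entry_dtb!(windows_10_0_10240_16384_x64, Windows10_0_10240_16384),
        (10, 0, 10586) => read_entry_dtb!(windows_10_0_10586_0_x64, Windows10_0_10586_0),
        (10, 0, 14393) => read_entry_dtb!(windows_10_0_14393_0_x64, Windows10_0_14393_0),
        (10, 0, 15063) => read_entry_dtb!(windows_10_0_15063_0_x64, Windows10_0_15063_0),
        (10, 0, 16299) => read_entry_dtb!(windows_10_0_16299_15_x64, Windows10_0_16299_15),
        (10, 0, 17134) => read_entry_dtb!(windows_10_0_17134_1_x64, Windows10_0_17134_1),
        (10, 0, 17763) => read_entry_dtb!(windows_10_0_17763_107_x64, Windows10_0_17763_107),
        (10, 0, 18362) => read_entry_dtb!(windows_10_0_18362_418_x64, Windows10_0_18362_418),
        (10, 0, 19041) => read_entry_dtb!(windows_10_0_19041_1288_x64, Windows10_0_19041_1288),
        (10, 0, 19045) => read_entry_dtb!(windows_10_0_19045_2965_x64, Windows10_0_19045_2965),
        (10, 0, 22000) => read_entry_dtb!(windows_10_0_22000_194_x64, Windows10_0_22000_194),
        (10, 0, 22621) => read_entry_dtb!(windows_10_0_22621_382_x64, Windows10_0_22621_382),
        (10, 0, 22631) => read_entry_dtb!(windows_10_0_22631_2428_x64, Windows10_0_22631_2428),
        (_, _, _) => bail!("Unsupported Windows version"),
    }
}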
831
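/// Builds the entry that contains the `InMemoryOrderLinks` list node located at
/// `in_memory_order_links_address` (the `CONTAINING_RECORD` idiom): the node's
/// address minus the field's offset in the build-specific layout, then
/// [`Self::new`] on the result.
///
/// # Errors
///
/// Fails for an unsupported version triple, if the node address is smaller than
/// the field offset (a corrupt or hostile list node would otherwise make the
/// subtraction wrap to a bogus address), or if the underlying read fails.
pub fn new_from_in_memory_order_links(
    processor: *mut ConfObject,
    major: u32,
    minor: u32,
    build: u32,
    in_memory_order_links_address: u64,
) -> Result<Self> {
    // The field offset depends on the build's struct layout; one arm per build.
    macro_rules! links_offset {
        ($module:ident) => {
            std::mem::offset_of!($module::_LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks)
        };
    }

    let in_memory_order_links_offset = match (major, minor, build) {
        (10, 0, 10240) => links_offset!(windows_10_0_10240_16384_x64),
        (10, 0, 10586) => links_offset!(windows_10_0_10586_0_x64),
        (10, 0, 14393) => links_offset!(windows_10_0_14393_0_x64),
        (10, 0, 15063) => links_offset!(windows_10_0_15063_0_x64),
        (10, 0, 16299) => links_offset!(windows_10_0_16299_15_x64),
        (10, 0, 17134) => links_offset!(windows_10_0_17134_1_x64),
        (10, 0, 17763) => links_offset!(windows_10_0_17763_107_x64),
        (10, 0, 18362) => links_offset!(windows_10_0_18362_418_x64),
        (10, 0, 19041) => links_offset!(windows_10_0_19041_1288_x64),
        (10, 0, 19045) => links_offset!(windows_10_0_19045_2965_x64),
        (10, 0, 22000) => links_offset!(windows_10_0_22000_194_x64),
        (10, 0, 22621) => links_offset!(windows_10_0_22621_382_x64),
        (10, 0, 22631) => links_offset!(windows_10_0_22631_2428_x64),
        (_, _, _) => bail!("Unsupported Windows version"),
    };

    // The node address is guest data. Reject one that would underflow instead
    // of wrapping (release) or panicking (debug) on a plain subtraction.
    let ldr_data_table_entry_address = in_memory_order_links_address
        .checked_sub(in_memory_order_links_offset as u64)
        .ok_or_else(|| {
            anyhow!(
                "Invalid InMemoryOrderLinks address {:#x}: smaller than field offset {:#x}",
                in_memory_order_links_address,
                in_memory_order_links_offset
            )
        })?;

    Self::new(processor, major, minor, build, ldr_data_table_entry_address)
}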
926
/// Returns the module's load address in the guest (`DllBase`) as an integer.
/// This is the raw guest value; it is not validated.
pub fn dll_base(&self) -> u64 {
    match self {
        Self::Windows10_0_10240_16384 { ldr_data_table_entry: e } => e.DllBase as u64,
        Self::Windows10_0_10586_0 { ldr_data_table_entry: e } => e.DllBase as u64,
        Self::Windows10_0_14393_0 { ldr_data_table_entry: e } => e.DllBase as u64,
        Self::Windows10_0_15063_0 { ldr_data_table_entry: e } => e.DllBase as u64,
        Self::Windows10_0_16299_15 { ldr_data_table_entry: e } => e.DllBase as u64,
        Self::Windows10_0_17134_1 { ldr_data_table_entry: e } => e.DllBase as u64,
        Self::Windows10_0_17763_107 { ldr_data_table_entry: e } => e.DllBase as u64,
        Self::Windows10_0_18362_418 { ldr_data_table_entry: e } => e.DllBase as u64,
        Self::Windows10_0_19041_1288 { ldr_data_table_entry: e } => e.DllBase as u64,
        Self::Windows10_0_19045_2965 { ldr_data_table_entry: e } => e.DllBase as u64,
        Self::Windows10_0_22000_194 { ldr_data_table_entry: e } => e.DllBase as u64,
        Self::Windows10_0_22621_382 { ldr_data_table_entry: e } => e.DllBase as u64,
        Self::Windows10_0_22631_2428 { ldr_data_table_entry: e } => e.DllBase as u64,
    }
}
970
/// Returns the module's entry point address in the guest (`EntryPoint`) as an
/// integer. This is the raw guest value; it is not validated.
pub fn entry_point(&self) -> u64 {
    match self {
        Self::Windows10_0_10240_16384 { ldr_data_table_entry: e } => e.EntryPoint as u64,
        Self::Windows10_0_10586_0 { ldr_data_table_entry: e } => e.EntryPoint as u64,
        Self::Windows10_0_14393_0 { ldr_data_table_entry: e } => e.EntryPoint as u64,
        Self::Windows10_0_15063_0 { ldr_data_table_entry: e } => e.EntryPoint as u64,
        Self::Windows10_0_16299_15 { ldr_data_table_entry: e } => e.EntryPoint as u64,
        Self::Windows10_0_17134_1 { ldr_data_table_entry: e } => e.EntryPoint as u64,
        Self::Windows10_0_17763_107 { ldr_data_table_entry: e } => e.EntryPoint as u64,
        Self::Windows10_0_18362_418 { ldr_data_table_entry: e } => e.EntryPoint as u64,
        Self::Windows10_0_19041_1288 { ldr_data_table_entry: e } => e.EntryPoint as u64,
        Self::Windows10_0_19045_2965 { ldr_data_table_entry: e } => e.EntryPoint as u64,
        Self::Windows10_0_22000_194 { ldr_data_table_entry: e } => e.EntryPoint as u64,
        Self::Windows10_0_22621_382 { ldr_data_table_entry: e } => e.EntryPoint as u64,
        Self::Windows10_0_22631_2428 { ldr_data_table_entry: e } => e.EntryPoint as u64,
    }
}
1014
/// Returns the module's mapped image size (`SizeOfImage`) widened to `u64`.
/// This is the raw guest value; it is not validated against `dll_base`.
pub fn size_of_image(&self) -> u64 {
    match self {
        Self::Windows10_0_10240_16384 { ldr_data_table_entry: e } => e.SizeOfImage as u64,
        Self::Windows10_0_10586_0 { ldr_data_table_entry: e } => e.SizeOfImage as u64,
        Self::Windows10_0_14393_0 { ldr_data_table_entry: e } => e.SizeOfImage as u64,
        Self::Windows10_0_15063_0 { ldr_data_table_entry: e } => e.SizeOfImage as u64,
        Self::Windows10_0_16299_15 { ldr_data_table_entry: e } => e.SizeOfImage as u64,
        Self::Windows10_0_17134_1 { ldr_data_table_entry: e } => e.SizeOfImage as u64,
        Self::Windows10_0_17763_107 { ldr_data_table_entry: e } => e.SizeOfImage as u64,
        Self::Windows10_0_18362_418 { ldr_data_table_entry: e } => e.SizeOfImage as u64,
        Self::Windows10_0_19041_1288 { ldr_data_table_entry: e } => e.SizeOfImage as u64,
        Self::Windows10_0_19045_2965 { ldr_data_table_entry: e } => e.SizeOfImage as u64,
        Self::Windows10_0_22000_194 { ldr_data_table_entry: e } => e.SizeOfImage as u64,
        Self::Windows10_0_22621_382 { ldr_data_table_entry: e } => e.SizeOfImage as u64,
        Self::Windows10_0_22631_2428 { ldr_data_table_entry: e } => e.SizeOfImage as u64,
    }
}
1058
    /// Reads the entry's `FullDllName` out of guest memory and returns it as a
    /// Rust `String`.
    ///
    /// `processor` is the simulated CPU whose address translation is used for
    /// the read (the `_dtb` variant takes an explicit page-table base instead).
    /// Both the `Length` and the `Buffer` pointer of the UNICODE_STRING come
    /// from the guest, so `read_unicode_string` is relied on to bound the read
    /// and to fail cleanly on an unmapped buffer.
    ///
    /// # Errors
    /// Propagates whatever `read_unicode_string` returns.
    pub fn full_name(&self, processor: *mut ConfObject) -> Result<String> {
        // Pull the version-specific UNICODE_STRING fields out first so the
        // actual guest read happens in exactly one place.
        let (length, buffer) = match self {
            Self::Windows10_0_10240_16384 { ldr_data_table_entry: e } => (
                e.FullDllName.Length as usize,
                e.FullDllName.Buffer,
            ),
            Self::Windows10_0_10586_0 { ldr_data_table_entry: e } => (
                e.FullDllName.Length as usize,
                e.FullDllName.Buffer,
            ),
            Self::Windows10_0_14393_0 { ldr_data_table_entry: e } => (
                e.FullDllName.Length as usize,
                e.FullDllName.Buffer,
            ),
            Self::Windows10_0_15063_0 { ldr_data_table_entry: e } => (
                e.FullDllName.Length as usize,
                e.FullDllName.Buffer,
            ),
            Self::Windows10_0_16299_15 { ldr_data_table_entry: e } => (
                e.FullDllName.Length as usize,
                e.FullDllName.Buffer,
            ),
            Self::Windows10_0_17134_1 { ldr_data_table_entry: e } => (
                e.FullDllName.Length as usize,
                e.FullDllName.Buffer,
            ),
            Self::Windows10_0_17763_107 { ldr_data_table_entry: e } => (
                e.FullDllName.Length as usize,
                e.FullDllName.Buffer,
            ),
            Self::Windows10_0_18362_418 { ldr_data_table_entry: e } => (
                e.FullDllName.Length as usize,
                e.FullDllName.Buffer,
            ),
            Self::Windows10_0_19041_1288 { ldr_data_table_entry: e } => (
                e.FullDllName.Length as usize,
                e.FullDllName.Buffer,
            ),
            Self::Windows10_0_19045_2965 { ldr_data_table_entry: e } => (
                e.FullDllName.Length as usize,
                e.FullDllName.Buffer,
            ),
            Self::Windows10_0_22000_194 { ldr_data_table_entry: e } => (
                e.FullDllName.Length as usize,
                e.FullDllName.Buffer,
            ),
            Self::Windows10_0_22621_382 { ldr_data_table_entry: e } => (
                e.FullDllName.Length as usize,
                e.FullDllName.Buffer,
            ),
            Self::Windows10_0_22631_2428 { ldr_data_table_entry: e } => (
                e.FullDllName.Length as usize,
                e.FullDllName.Buffer,
            ),
        };
        read_unicode_string(processor, length, buffer)
    }
1154
    /// Reads the entry's `FullDllName` out of guest memory, translating through
    /// the page tables rooted at `directory_table_base` rather than the
    /// processor's current ones (useful when the owning process is not the one
    /// currently scheduled — presumably why the `_dtb` variants exist).
    ///
    /// The UNICODE_STRING `Length` and `Buffer` are guest-controlled values;
    /// `read_unicode_string_dtb` is relied on to bound the read.
    ///
    /// # Errors
    /// Propagates whatever `read_unicode_string_dtb` returns.
    pub fn full_name_dtb(
        &self,
        processor: *mut ConfObject,
        directory_table_base: u64,
    ) -> Result<String> {
        // Select the version-specific fields first; the guest read is done once.
        let (length, buffer) = match self {
            Self::Windows10_0_10240_16384 { ldr_data_table_entry: e } => (
                e.FullDllName.Length as usize,
                e.FullDllName.Buffer,
            ),
            Self::Windows10_0_10586_0 { ldr_data_table_entry: e } => (
                e.FullDllName.Length as usize,
                e.FullDllName.Buffer,
            ),
            Self::Windows10_0_14393_0 { ldr_data_table_entry: e } => (
                e.FullDllName.Length as usize,
                e.FullDllName.Buffer,
            ),
            Self::Windows10_0_15063_0 { ldr_data_table_entry: e } => (
                e.FullDllName.Length as usize,
                e.FullDllName.Buffer,
            ),
            Self::Windows10_0_16299_15 { ldr_data_table_entry: e } => (
                e.FullDllName.Length as usize,
                e.FullDllName.Buffer,
            ),
            Self::Windows10_0_17134_1 { ldr_data_table_entry: e } => (
                e.FullDllName.Length as usize,
                e.FullDllName.Buffer,
            ),
            Self::Windows10_0_17763_107 { ldr_data_table_entry: e } => (
                e.FullDllName.Length as usize,
                e.FullDllName.Buffer,
            ),
            Self::Windows10_0_18362_418 { ldr_data_table_entry: e } => (
                e.FullDllName.Length as usize,
                e.FullDllName.Buffer,
            ),
            Self::Windows10_0_19041_1288 { ldr_data_table_entry: e } => (
                e.FullDllName.Length as usize,
                e.FullDllName.Buffer,
            ),
            Self::Windows10_0_19045_2965 { ldr_data_table_entry: e } => (
                e.FullDllName.Length as usize,
                e.FullDllName.Buffer,
            ),
            Self::Windows10_0_22000_194 { ldr_data_table_entry: e } => (
                e.FullDllName.Length as usize,
                e.FullDllName.Buffer,
            ),
            Self::Windows10_0_22621_382 { ldr_data_table_entry: e } => (
                e.FullDllName.Length as usize,
                e.FullDllName.Buffer,
            ),
            Self::Windows10_0_22631_2428 { ldr_data_table_entry: e } => (
                e.FullDllName.Length as usize,
                e.FullDllName.Buffer,
            ),
        };
        read_unicode_string_dtb(processor, length, buffer, directory_table_base)
    }
1267
    /// Reads the entry's `BaseDllName` (the file name without its directory,
    /// as recorded by the guest loader) from guest memory as a `String`.
    ///
    /// Uses `processor`'s current address translation; see the `_dtb` variant
    /// for reads against an explicit page-table base. `Length` and `Buffer`
    /// are guest-controlled, so `read_unicode_string` must bound the read.
    ///
    /// # Errors
    /// Propagates whatever `read_unicode_string` returns.
    pub fn base_name(&self, processor: *mut ConfObject) -> Result<String> {
        let (length, buffer) = match self {
            Self::Windows10_0_10240_16384 { ldr_data_table_entry: e } => (
                e.BaseDllName.Length as usize,
                e.BaseDllName.Buffer,
            ),
            Self::Windows10_0_10586_0 { ldr_data_table_entry: e } => (
                e.BaseDllName.Length as usize,
                e.BaseDllName.Buffer,
            ),
            Self::Windows10_0_14393_0 { ldr_data_table_entry: e } => (
                e.BaseDllName.Length as usize,
                e.BaseDllName.Buffer,
            ),
            Self::Windows10_0_15063_0 { ldr_data_table_entry: e } => (
                e.BaseDllName.Length as usize,
                e.BaseDllName.Buffer,
            ),
            Self::Windows10_0_16299_15 { ldr_data_table_entry: e } => (
                e.BaseDllName.Length as usize,
                e.BaseDllName.Buffer,
            ),
            Self::Windows10_0_17134_1 { ldr_data_table_entry: e } => (
                e.BaseDllName.Length as usize,
                e.BaseDllName.Buffer,
            ),
            Self::Windows10_0_17763_107 { ldr_data_table_entry: e } => (
                e.BaseDllName.Length as usize,
                e.BaseDllName.Buffer,
            ),
            Self::Windows10_0_18362_418 { ldr_data_table_entry: e } => (
                e.BaseDllName.Length as usize,
                e.BaseDllName.Buffer,
            ),
            Self::Windows10_0_19041_1288 { ldr_data_table_entry: e } => (
                e.BaseDllName.Length as usize,
                e.BaseDllName.Buffer,
            ),
            Self::Windows10_0_19045_2965 { ldr_data_table_entry: e } => (
                e.BaseDllName.Length as usize,
                e.BaseDllName.Buffer,
            ),
            Self::Windows10_0_22000_194 { ldr_data_table_entry: e } => (
                e.BaseDllName.Length as usize,
                e.BaseDllName.Buffer,
            ),
            Self::Windows10_0_22621_382 { ldr_data_table_entry: e } => (
                e.BaseDllName.Length as usize,
                e.BaseDllName.Buffer,
            ),
            Self::Windows10_0_22631_2428 { ldr_data_table_entry: e } => (
                e.BaseDllName.Length as usize,
                e.BaseDllName.Buffer,
            ),
        };
        read_unicode_string(processor, length, buffer)
    }
1363
    /// Reads the entry's `BaseDllName` from guest memory, translating through
    /// the page tables rooted at `directory_table_base` instead of the
    /// processor's current ones.
    ///
    /// `Length` and `Buffer` are guest-controlled; `read_unicode_string_dtb`
    /// is relied on to bound the read and to fail on an unmapped buffer.
    ///
    /// # Errors
    /// Propagates whatever `read_unicode_string_dtb` returns.
    pub fn base_name_dtb(
        &self,
        processor: *mut ConfObject,
        directory_table_base: u64,
    ) -> Result<String> {
        let (length, buffer) = match self {
            Self::Windows10_0_10240_16384 { ldr_data_table_entry: e } => (
                e.BaseDllName.Length as usize,
                e.BaseDllName.Buffer,
            ),
            Self::Windows10_0_10586_0 { ldr_data_table_entry: e } => (
                e.BaseDllName.Length as usize,
                e.BaseDllName.Buffer,
            ),
            Self::Windows10_0_14393_0 { ldr_data_table_entry: e } => (
                e.BaseDllName.Length as usize,
                e.BaseDllName.Buffer,
            ),
            Self::Windows10_0_15063_0 { ldr_data_table_entry: e } => (
                e.BaseDllName.Length as usize,
                e.BaseDllName.Buffer,
            ),
            Self::Windows10_0_16299_15 { ldr_data_table_entry: e } => (
                e.BaseDllName.Length as usize,
                e.BaseDllName.Buffer,
            ),
            Self::Windows10_0_17134_1 { ldr_data_table_entry: e } => (
                e.BaseDllName.Length as usize,
                e.BaseDllName.Buffer,
            ),
            Self::Windows10_0_17763_107 { ldr_data_table_entry: e } => (
                e.BaseDllName.Length as usize,
                e.BaseDllName.Buffer,
            ),
            Self::Windows10_0_18362_418 { ldr_data_table_entry: e } => (
                e.BaseDllName.Length as usize,
                e.BaseDllName.Buffer,
            ),
            Self::Windows10_0_19041_1288 { ldr_data_table_entry: e } => (
                e.BaseDllName.Length as usize,
                e.BaseDllName.Buffer,
            ),
            Self::Windows10_0_19045_2965 { ldr_data_table_entry: e } => (
                e.BaseDllName.Length as usize,
                e.BaseDllName.Buffer,
            ),
            Self::Windows10_0_22000_194 { ldr_data_table_entry: e } => (
                e.BaseDllName.Length as usize,
                e.BaseDllName.Buffer,
            ),
            Self::Windows10_0_22621_382 { ldr_data_table_entry: e } => (
                e.BaseDllName.Length as usize,
                e.BaseDllName.Buffer,
            ),
            Self::Windows10_0_22631_2428 { ldr_data_table_entry: e } => (
                e.BaseDllName.Length as usize,
                e.BaseDllName.Buffer,
            ),
        };
        read_unicode_string_dtb(processor, length, buffer, directory_table_base)
    }
1476
    /// The entry's `InLoadOrderLinks` list node, returned in the `windows_sys`
    /// [`LIST_ENTRY`] layout so callers can walk the loader list with a single
    /// type across all supported builds.
    ///
    /// `Flink`/`Blink` are raw guest pointers copied out of the entry; nothing
    /// is dereferenced here. A list walker should bound its iteration (and
    /// check for revisits) rather than trust the guest to close the ring.
    pub fn in_load_order_links(&self) -> LIST_ENTRY {
        // SAFETY: each vergilius `_LIST_ENTRY` and the windows_sys `LIST_ENTRY`
        // are expected to be the same `{ Flink, Blink }` raw-pointer pair, for
        // which every bit pattern is valid; `transmute` rejects any size
        // mismatch at compile time, but field order is not checked, so confirm
        // this against the bindings if either crate is updated.
        match self {
            Self::Windows10_0_10240_16384 { ldr_data_table_entry: e } => unsafe {
                std::mem::transmute::<_, LIST_ENTRY>(e.InLoadOrderLinks)
            },
            Self::Windows10_0_10586_0 { ldr_data_table_entry: e } => unsafe {
                std::mem::transmute::<_, LIST_ENTRY>(e.InLoadOrderLinks)
            },
            Self::Windows10_0_14393_0 { ldr_data_table_entry: e } => unsafe {
                std::mem::transmute::<_, LIST_ENTRY>(e.InLoadOrderLinks)
            },
            Self::Windows10_0_15063_0 { ldr_data_table_entry: e } => unsafe {
                std::mem::transmute::<_, LIST_ENTRY>(e.InLoadOrderLinks)
            },
            Self::Windows10_0_16299_15 { ldr_data_table_entry: e } => unsafe {
                std::mem::transmute::<_, LIST_ENTRY>(e.InLoadOrderLinks)
            },
            Self::Windows10_0_17134_1 { ldr_data_table_entry: e } => unsafe {
                std::mem::transmute::<_, LIST_ENTRY>(e.InLoadOrderLinks)
            },
            Self::Windows10_0_17763_107 { ldr_data_table_entry: e } => unsafe {
                std::mem::transmute::<_, LIST_ENTRY>(e.InLoadOrderLinks)
            },
            Self::Windows10_0_18362_418 { ldr_data_table_entry: e } => unsafe {
                std::mem::transmute::<_, LIST_ENTRY>(e.InLoadOrderLinks)
            },
            Self::Windows10_0_19041_1288 { ldr_data_table_entry: e } => unsafe {
                std::mem::transmute::<_, LIST_ENTRY>(e.InLoadOrderLinks)
            },
            Self::Windows10_0_19045_2965 { ldr_data_table_entry: e } => unsafe {
                std::mem::transmute::<_, LIST_ENTRY>(e.InLoadOrderLinks)
            },
            Self::Windows10_0_22000_194 { ldr_data_table_entry: e } => unsafe {
                std::mem::transmute::<_, LIST_ENTRY>(e.InLoadOrderLinks)
            },
            Self::Windows10_0_22621_382 { ldr_data_table_entry: e } => unsafe {
                std::mem::transmute::<_, LIST_ENTRY>(e.InLoadOrderLinks)
            },
            Self::Windows10_0_22631_2428 { ldr_data_table_entry: e } => unsafe {
                std::mem::transmute::<_, LIST_ENTRY>(e.InLoadOrderLinks)
            },
        }
    }
1585}
1586
/// A `_PEB_LDR_DATA` block read from a guest process, held in the struct
/// layout of the exact Windows build it came from.
///
/// There is one variant per supported x64 build. `WindowsPebLdrData::new` and
/// `new_dtb` pick the variant from the `(major, minor, build)` triple and fail
/// for any other version; the accessors (`length`,
/// `in_load_order_module_list`) match on the variant so callers never touch
/// the version-specific binding types directly.
pub enum WindowsPebLdrData {
    Windows10_0_10240_16384 {
        ldr_data: windows_10_0_10240_16384_x64::_PEB_LDR_DATA,
    },
    Windows10_0_10586_0 {
        ldr_data: windows_10_0_10586_0_x64::_PEB_LDR_DATA,
    },
    Windows10_0_14393_0 {
        ldr_data: windows_10_0_14393_0_x64::_PEB_LDR_DATA,
    },
    Windows10_0_15063_0 {
        ldr_data: windows_10_0_15063_0_x64::_PEB_LDR_DATA,
    },
    Windows10_0_16299_15 {
        ldr_data: windows_10_0_16299_15_x64::_PEB_LDR_DATA,
    },
    Windows10_0_17134_1 {
        ldr_data: windows_10_0_17134_1_x64::_PEB_LDR_DATA,
    },
    Windows10_0_17763_107 {
        ldr_data: windows_10_0_17763_107_x64::_PEB_LDR_DATA,
    },
    Windows10_0_18362_418 {
        ldr_data: windows_10_0_18362_418_x64::_PEB_LDR_DATA,
    },
    Windows10_0_19041_1288 {
        ldr_data: windows_10_0_19041_1288_x64::_PEB_LDR_DATA,
    },
    Windows10_0_19045_2965 {
        ldr_data: windows_10_0_19045_2965_x64::_PEB_LDR_DATA,
    },
    Windows10_0_22000_194 {
        ldr_data: windows_10_0_22000_194_x64::_PEB_LDR_DATA,
    },
    Windows10_0_22621_382 {
        ldr_data: windows_10_0_22621_382_x64::_PEB_LDR_DATA,
    },
    Windows10_0_22631_2428 {
        ldr_data: windows_10_0_22631_2428_x64::_PEB_LDR_DATA,
    },
}
1628
impl WindowsPebLdrData {
    /// Reads the `_PEB_LDR_DATA` at `ldr_data_address` from guest virtual
    /// memory using `processor`'s current address translation, in the layout
    /// matching `(major, minor, build)`.
    ///
    /// `ldr_data_address` is presumably taken from the guest's PEB, i.e. it is
    /// guest-controlled; `read_virtual` is relied on to fail rather than read
    /// outside the guest's mapped memory.
    ///
    /// # Errors
    /// Fails with "Unsupported Windows version" for any build not listed, and
    /// propagates any error from `read_virtual`.
    pub fn new(
        processor: *mut ConfObject,
        major: u32,
        minor: u32,
        build: u32,
        ldr_data_address: u64,
    ) -> Result<Self> {
        Ok(match (major, minor, build) {
            (10, 0, 10240) => Self::Windows10_0_10240_16384 {
                ldr_data: read_virtual::<windows_10_0_10240_16384_x64::_PEB_LDR_DATA>(
                    processor,
                    ldr_data_address,
                )?,
            },
            (10, 0, 10586) => Self::Windows10_0_10586_0 {
                ldr_data: read_virtual::<windows_10_0_10586_0_x64::_PEB_LDR_DATA>(
                    processor,
                    ldr_data_address,
                )?,
            },
            (10, 0, 14393) => Self::Windows10_0_14393_0 {
                ldr_data: read_virtual::<windows_10_0_14393_0_x64::_PEB_LDR_DATA>(
                    processor,
                    ldr_data_address,
                )?,
            },
            (10, 0, 15063) => Self::Windows10_0_15063_0 {
                ldr_data: read_virtual::<windows_10_0_15063_0_x64::_PEB_LDR_DATA>(
                    processor,
                    ldr_data_address,
                )?,
            },
            (10, 0, 16299) => Self::Windows10_0_16299_15 {
                ldr_data: read_virtual::<windows_10_0_16299_15_x64::_PEB_LDR_DATA>(
                    processor,
                    ldr_data_address,
                )?,
            },
            (10, 0, 17134) => Self::Windows10_0_17134_1 {
                ldr_data: read_virtual::<windows_10_0_17134_1_x64::_PEB_LDR_DATA>(
                    processor,
                    ldr_data_address,
                )?,
            },
            (10, 0, 17763) => Self::Windows10_0_17763_107 {
                ldr_data: read_virtual::<windows_10_0_17763_107_x64::_PEB_LDR_DATA>(
                    processor,
                    ldr_data_address,
                )?,
            },
            (10, 0, 18362) => Self::Windows10_0_18362_418 {
                ldr_data: read_virtual::<windows_10_0_18362_418_x64::_PEB_LDR_DATA>(
                    processor,
                    ldr_data_address,
                )?,
            },
            (10, 0, 19041) => Self::Windows10_0_19041_1288 {
                ldr_data: read_virtual::<windows_10_0_19041_1288_x64::_PEB_LDR_DATA>(
                    processor,
                    ldr_data_address,
                )?,
            },
            (10, 0, 19045) => Self::Windows10_0_19045_2965 {
                ldr_data: read_virtual::<windows_10_0_19045_2965_x64::_PEB_LDR_DATA>(
                    processor,
                    ldr_data_address,
                )?,
            },
            (10, 0, 22000) => Self::Windows10_0_22000_194 {
                ldr_data: read_virtual::<windows_10_0_22000_194_x64::_PEB_LDR_DATA>(
                    processor,
                    ldr_data_address,
                )?,
            },
            (10, 0, 22621) => Self::Windows10_0_22621_382 {
                ldr_data: read_virtual::<windows_10_0_22621_382_x64::_PEB_LDR_DATA>(
                    processor,
                    ldr_data_address,
                )?,
            },
            (10, 0, 22631) => Self::Windows10_0_22631_2428 {
                ldr_data: read_virtual::<windows_10_0_22631_2428_x64::_PEB_LDR_DATA>(
                    processor,
                    ldr_data_address,
                )?,
            },
            _ => bail!("Unsupported Windows version"),
        })
    }

    /// Like [`WindowsPebLdrData::new`], but translates `virtual_address`
    /// through the page tables rooted at `directory_table_base` instead of the
    /// processor's current ones, so the structure can be read for a process
    /// that is not the one currently scheduled.
    ///
    /// # Errors
    /// Fails with "Unsupported Windows version" for any build not listed, and
    /// propagates any error from `read_virtual_dtb`.
    pub fn new_dtb(
        processor: *mut ConfObject,
        major: u32,
        minor: u32,
        build: u32,
        directory_table_base: u64,
        virtual_address: u64,
    ) -> Result<Self> {
        Ok(match (major, minor, build) {
            (10, 0, 10240) => Self::Windows10_0_10240_16384 {
                ldr_data: read_virtual_dtb::<windows_10_0_10240_16384_x64::_PEB_LDR_DATA>(
                    processor,
                    directory_table_base,
                    virtual_address,
                )?,
            },
            (10, 0, 10586) => Self::Windows10_0_10586_0 {
                ldr_data: read_virtual_dtb::<windows_10_0_10586_0_x64::_PEB_LDR_DATA>(
                    processor,
                    directory_table_base,
                    virtual_address,
                )?,
            },
            (10, 0, 14393) => Self::Windows10_0_14393_0 {
                ldr_data: read_virtual_dtb::<windows_10_0_14393_0_x64::_PEB_LDR_DATA>(
                    processor,
                    directory_table_base,
                    virtual_address,
                )?,
            },
            (10, 0, 15063) => Self::Windows10_0_15063_0 {
                ldr_data: read_virtual_dtb::<windows_10_0_15063_0_x64::_PEB_LDR_DATA>(
                    processor,
                    directory_table_base,
                    virtual_address,
                )?,
            },
            (10, 0, 16299) => Self::Windows10_0_16299_15 {
                ldr_data: read_virtual_dtb::<windows_10_0_16299_15_x64::_PEB_LDR_DATA>(
                    processor,
                    directory_table_base,
                    virtual_address,
                )?,
            },
            (10, 0, 17134) => Self::Windows10_0_17134_1 {
                ldr_data: read_virtual_dtb::<windows_10_0_17134_1_x64::_PEB_LDR_DATA>(
                    processor,
                    directory_table_base,
                    virtual_address,
                )?,
            },
            (10, 0, 17763) => Self::Windows10_0_17763_107 {
                ldr_data: read_virtual_dtb::<windows_10_0_17763_107_x64::_PEB_LDR_DATA>(
                    processor,
                    directory_table_base,
                    virtual_address,
                )?,
            },
            (10, 0, 18362) => Self::Windows10_0_18362_418 {
                ldr_data: read_virtual_dtb::<windows_10_0_18362_418_x64::_PEB_LDR_DATA>(
                    processor,
                    directory_table_base,
                    virtual_address,
                )?,
            },
            (10, 0, 19041) => Self::Windows10_0_19041_1288 {
                ldr_data: read_virtual_dtb::<windows_10_0_19041_1288_x64::_PEB_LDR_DATA>(
                    processor,
                    directory_table_base,
                    virtual_address,
                )?,
            },
            (10, 0, 19045) => Self::Windows10_0_19045_2965 {
                ldr_data: read_virtual_dtb::<windows_10_0_19045_2965_x64::_PEB_LDR_DATA>(
                    processor,
                    directory_table_base,
                    virtual_address,
                )?,
            },
            (10, 0, 22000) => Self::Windows10_0_22000_194 {
                ldr_data: read_virtual_dtb::<windows_10_0_22000_194_x64::_PEB_LDR_DATA>(
                    processor,
                    directory_table_base,
                    virtual_address,
                )?,
            },
            (10, 0, 22621) => Self::Windows10_0_22621_382 {
                ldr_data: read_virtual_dtb::<windows_10_0_22621_382_x64::_PEB_LDR_DATA>(
                    processor,
                    directory_table_base,
                    virtual_address,
                )?,
            },
            (10, 0, 22631) => Self::Windows10_0_22631_2428 {
                ldr_data: read_virtual_dtb::<windows_10_0_22631_2428_x64::_PEB_LDR_DATA>(
                    processor,
                    directory_table_base,
                    virtual_address,
                )?,
            },
            _ => bail!("Unsupported Windows version"),
        })
    }

    /// The structure's own `Length` field, as the guest loader recorded it.
    /// It is guest data, not a value this code validated.
    pub fn length(&self) -> usize {
        match self {
            Self::Windows10_0_10240_16384 { ldr_data: d } => d.Length as usize,
            Self::Windows10_0_10586_0 { ldr_data: d } => d.Length as usize,
            Self::Windows10_0_14393_0 { ldr_data: d } => d.Length as usize,
            Self::Windows10_0_15063_0 { ldr_data: d } => d.Length as usize,
            Self::Windows10_0_16299_15 { ldr_data: d } => d.Length as usize,
            Self::Windows10_0_17134_1 { ldr_data: d } => d.Length as usize,
            Self::Windows10_0_17763_107 { ldr_data: d } => d.Length as usize,
            Self::Windows10_0_18362_418 { ldr_data: d } => d.Length as usize,
            Self::Windows10_0_19041_1288 { ldr_data: d } => d.Length as usize,
            Self::Windows10_0_19045_2965 { ldr_data: d } => d.Length as usize,
            Self::Windows10_0_22000_194 { ldr_data: d } => d.Length as usize,
            Self::Windows10_0_22621_382 { ldr_data: d } => d.Length as usize,
            Self::Windows10_0_22631_2428 { ldr_data: d } => d.Length as usize,
        }
    }

    /// The `InLoadOrderModuleList` head, returned in the `windows_sys`
    /// [`LIST_ENTRY`] layout so the loader list can be walked with one type.
    ///
    /// `Flink`/`Blink` are raw guest pointers and are not dereferenced here;
    /// a walker should bound its iteration and detect revisits instead of
    /// trusting the guest to keep the ring well-formed.
    pub fn in_load_order_module_list(&self) -> LIST_ENTRY {
        // SAFETY: each vergilius `_LIST_ENTRY` and the windows_sys `LIST_ENTRY`
        // are expected to be the same `{ Flink, Blink }` raw-pointer pair, for
        // which every bit pattern is valid; `transmute` rejects a size
        // mismatch at compile time but does not check field order, so confirm
        // against the bindings if either crate is updated.
        match self {
            Self::Windows10_0_10240_16384 { ldr_data: d } => unsafe {
                std::mem::transmute::<_, LIST_ENTRY>(d.InLoadOrderModuleList)
            },
            Self::Windows10_0_10586_0 { ldr_data: d } => unsafe {
                std::mem::transmute::<_, LIST_ENTRY>(d.InLoadOrderModuleList)
            },
            Self::Windows10_0_14393_0 { ldr_data: d } => unsafe {
                std::mem::transmute::<_, LIST_ENTRY>(d.InLoadOrderModuleList)
            },
            Self::Windows10_0_15063_0 { ldr_data: d } => unsafe {
                std::mem::transmute::<_, LIST_ENTRY>(d.InLoadOrderModuleList)
            },
            Self::Windows10_0_16299_15 { ldr_data: d } => unsafe {
                std::mem::transmute::<_, LIST_ENTRY>(d.InLoadOrderModuleList)
            },
            Self::Windows10_0_17134_1 { ldr_data: d } => unsafe {
                std::mem::transmute::<_, LIST_ENTRY>(d.InLoadOrderModuleList)
            },
            Self::Windows10_0_17763_107 { ldr_data: d } => unsafe {
                std::mem::transmute::<_, LIST_ENTRY>(d.InLoadOrderModuleList)
            },
            Self::Windows10_0_18362_418 { ldr_data: d } => unsafe {
                std::mem::transmute::<_, LIST_ENTRY>(d.InLoadOrderModuleList)
            },
            Self::Windows10_0_19041_1288 { ldr_data: d } => unsafe {
                std::mem::transmute::<_, LIST_ENTRY>(d.InLoadOrderModuleList)
            },
            Self::Windows10_0_19045_2965 { ldr_data: d } => unsafe {
                std::mem::transmute::<_, LIST_ENTRY>(d.InLoadOrderModuleList)
            },
            Self::Windows10_0_22000_194 { ldr_data: d } => unsafe {
                std::mem::transmute::<_, LIST_ENTRY>(d.InLoadOrderModuleList)
            },
            Self::Windows10_0_22621_382 { ldr_data: d } => unsafe {
                std::mem::transmute::<_, LIST_ENTRY>(d.InLoadOrderModuleList)
            },
            Self::Windows10_0_22631_2428 { ldr_data: d } => unsafe {
                std::mem::transmute::<_, LIST_ENTRY>(d.InLoadOrderModuleList)
            },
        }
    }
}
1951
/// A process environment block (`_PEB`) read from a guest process, held in
/// the struct layout of the exact Windows build it came from.
///
/// One variant per supported x64 build; `WindowsPeb::new` selects the variant
/// from the `(major, minor, build)` triple and reads the structure from guest
/// memory with `read_virtual`.
pub enum WindowsPeb {
    Windows10_0_10240_16384 {
        peb: windows_10_0_10240_16384_x64::_PEB,
    },
    Windows10_0_10586_0 {
        peb: windows_10_0_10586_0_x64::_PEB,
    },
    Windows10_0_14393_0 {
        peb: windows_10_0_14393_0_x64::_PEB,
    },
    Windows10_0_15063_0 {
        peb: windows_10_0_15063_0_x64::_PEB,
    },
    Windows10_0_16299_15 {
        peb: windows_10_0_16299_15_x64::_PEB,
    },
    Windows10_0_17134_1 {
        peb: windows_10_0_17134_1_x64::_PEB,
    },
    Windows10_0_17763_107 {
        peb: windows_10_0_17763_107_x64::_PEB,
    },
    Windows10_0_18362_418 {
        peb: windows_10_0_18362_418_x64::_PEB,
    },
    Windows10_0_19041_1288 {
        peb: windows_10_0_19041_1288_x64::_PEB,
    },
    Windows10_0_19045_2965 {
        peb: windows_10_0_19045_2965_x64::_PEB,
    },
    Windows10_0_22000_194 {
        peb: windows_10_0_22000_194_x64::_PEB,
    },
    Windows10_0_22621_382 {
        peb: windows_10_0_22621_382_x64::_PEB,
    },
    Windows10_0_22631_2428 {
        peb: windows_10_0_22631_2428_x64::_PEB,
    },
}
1993
/// Expands to a `match` on `(major, minor, build)` that reads the
/// build-specific `_PEB` with `$reader::<_PEB>($args...)` and wraps it in the
/// matching `WindowsPeb` variant. Unknown versions fail with
/// "Unsupported Windows version". Must be invoked inside a function returning
/// `anyhow::Result`, since the expansion uses `?` and `bail!`.
macro_rules! read_peb_for_version {
    (($major:expr, $minor:expr, $build:expr), $reader:ident($($arg:expr),* $(,)?)) => {
        match ($major, $minor, $build) {
            (10, 0, 10240) => Ok(WindowsPeb::Windows10_0_10240_16384 {
                peb: $reader::<windows_10_0_10240_16384_x64::_PEB>($($arg),*)?,
            }),
            (10, 0, 10586) => Ok(WindowsPeb::Windows10_0_10586_0 {
                peb: $reader::<windows_10_0_10586_0_x64::_PEB>($($arg),*)?,
            }),
            (10, 0, 14393) => Ok(WindowsPeb::Windows10_0_14393_0 {
                peb: $reader::<windows_10_0_14393_0_x64::_PEB>($($arg),*)?,
            }),
            (10, 0, 15063) => Ok(WindowsPeb::Windows10_0_15063_0 {
                peb: $reader::<windows_10_0_15063_0_x64::_PEB>($($arg),*)?,
            }),
            (10, 0, 16299) => Ok(WindowsPeb::Windows10_0_16299_15 {
                peb: $reader::<windows_10_0_16299_15_x64::_PEB>($($arg),*)?,
            }),
            (10, 0, 17134) => Ok(WindowsPeb::Windows10_0_17134_1 {
                peb: $reader::<windows_10_0_17134_1_x64::_PEB>($($arg),*)?,
            }),
            (10, 0, 17763) => Ok(WindowsPeb::Windows10_0_17763_107 {
                peb: $reader::<windows_10_0_17763_107_x64::_PEB>($($arg),*)?,
            }),
            (10, 0, 18362) => Ok(WindowsPeb::Windows10_0_18362_418 {
                peb: $reader::<windows_10_0_18362_418_x64::_PEB>($($arg),*)?,
            }),
            (10, 0, 19041) => Ok(WindowsPeb::Windows10_0_19041_1288 {
                peb: $reader::<windows_10_0_19041_1288_x64::_PEB>($($arg),*)?,
            }),
            (10, 0, 19045) => Ok(WindowsPeb::Windows10_0_19045_2965 {
                peb: $reader::<windows_10_0_19045_2965_x64::_PEB>($($arg),*)?,
            }),
            (10, 0, 22000) => Ok(WindowsPeb::Windows10_0_22000_194 {
                peb: $reader::<windows_10_0_22000_194_x64::_PEB>($($arg),*)?,
            }),
            (10, 0, 22621) => Ok(WindowsPeb::Windows10_0_22621_382 {
                peb: $reader::<windows_10_0_22621_382_x64::_PEB>($($arg),*)?,
            }),
            (10, 0, 22631) => Ok(WindowsPeb::Windows10_0_22631_2428 {
                peb: $reader::<windows_10_0_22631_2428_x64::_PEB>($($arg),*)?,
            }),
            _ => bail!("Unsupported Windows version"),
        }
    };
}

/// Expands to a `match` over every `WindowsPeb` variant, binding the
/// version-specific `_PEB` as `$peb` and evaluating `$body` against it. The
/// body is duplicated per arm, so it must type-check for each `_PEB` layout.
macro_rules! match_peb {
    ($value:expr, |$peb:ident| $body:expr) => {
        match $value {
            WindowsPeb::Windows10_0_10240_16384 { peb: $peb } => $body,
            WindowsPeb::Windows10_0_10586_0 { peb: $peb } => $body,
            WindowsPeb::Windows10_0_14393_0 { peb: $peb } => $body,
            WindowsPeb::Windows10_0_15063_0 { peb: $peb } => $body,
            WindowsPeb::Windows10_0_16299_15 { peb: $peb } => $body,
            WindowsPeb::Windows10_0_17134_1 { peb: $peb } => $body,
            WindowsPeb::Windows10_0_17763_107 { peb: $peb } => $body,
            WindowsPeb::Windows10_0_18362_418 { peb: $peb } => $body,
            WindowsPeb::Windows10_0_19041_1288 { peb: $peb } => $body,
            WindowsPeb::Windows10_0_19045_2965 { peb: $peb } => $body,
            WindowsPeb::Windows10_0_22000_194 { peb: $peb } => $body,
            WindowsPeb::Windows10_0_22621_382 { peb: $peb } => $body,
            WindowsPeb::Windows10_0_22631_2428 { peb: $peb } => $body,
        }
    };
}

impl WindowsPeb {
    /// Reads the `_PEB` at `peb_address` through the processor's current
    /// address translation and wraps it in the variant selected by
    /// `(major, minor, build)`.
    ///
    /// # Errors
    /// Fails when the build is not one of the supported versions or when the
    /// guest read fails.
    pub fn new(
        processor: *mut ConfObject,
        major: u32,
        minor: u32,
        build: u32,
        peb_address: u64,
    ) -> Result<Self> {
        read_peb_for_version!((major, minor, build), read_virtual(processor, peb_address))
    }

    /// Same as [`WindowsPeb::new`], but translates `virtual_address` through the
    /// page tables rooted at `directory_table_base` instead of the processor's
    /// current translation (needed when the PEB belongs to a process other than
    /// the one currently scheduled).
    ///
    /// # Errors
    /// Fails when the build is not one of the supported versions or when the
    /// guest read fails.
    pub fn new_dtb(
        processor: *mut ConfObject,
        major: u32,
        minor: u32,
        build: u32,
        directory_table_base: u64,
        virtual_address: u64,
    ) -> Result<Self> {
        read_peb_for_version!(
            (major, minor, build),
            read_virtual_dtb(processor, directory_table_base, virtual_address)
        )
    }

    /// `ImageBaseAddress` of the process's main executable, as a `u64`.
    pub fn base(&self) -> u64 {
        match_peb!(self, |peb| peb.ImageBaseAddress as u64)
    }

    /// Address of the process's `_PEB_LDR_DATA` (the `Ldr` pointer), as a `u64`.
    pub fn ldr_address(&self) -> u64 {
        match_peb!(self, |peb| peb.Ldr as u64)
    }
}
2220
/// A `_TEB` copied out of guest memory, one variant per supported Windows
/// 10/11 build (struct layouts from the `vergilius` bindings).
///
/// The variant is chosen purely from the `(major, minor, build)` triple handed
/// to `WindowsTeb::new`; nothing validates that the guest's actual layout
/// matches the chosen build.
pub enum WindowsTeb {
    Windows10_0_10240_16384 {
        teb: windows_10_0_10240_16384_x64::_TEB,
    },
    Windows10_0_10586_0 {
        teb: windows_10_0_10586_0_x64::_TEB,
    },
    Windows10_0_14393_0 {
        teb: windows_10_0_14393_0_x64::_TEB,
    },
    Windows10_0_15063_0 {
        teb: windows_10_0_15063_0_x64::_TEB,
    },
    Windows10_0_16299_15 {
        teb: windows_10_0_16299_15_x64::_TEB,
    },
    Windows10_0_17134_1 {
        teb: windows_10_0_17134_1_x64::_TEB,
    },
    Windows10_0_17763_107 {
        teb: windows_10_0_17763_107_x64::_TEB,
    },
    Windows10_0_18362_418 {
        teb: windows_10_0_18362_418_x64::_TEB,
    },
    Windows10_0_19041_1288 {
        teb: windows_10_0_19041_1288_x64::_TEB,
    },
    Windows10_0_19045_2965 {
        teb: windows_10_0_19045_2965_x64::_TEB,
    },
    Windows10_0_22000_194 {
        teb: windows_10_0_22000_194_x64::_TEB,
    },
    Windows10_0_22621_382 {
        teb: windows_10_0_22621_382_x64::_TEB,
    },
    Windows10_0_22631_2428 {
        teb: windows_10_0_22631_2428_x64::_TEB,
    },
}
2262
impl WindowsTeb {
    /// Reads the `_TEB` at `teb_address` through the processor's current
    /// address translation and wraps it in the variant selected by
    /// `(major, minor, build)`.
    ///
    /// # Errors
    /// Fails when the build is not one of the supported versions or when the
    /// guest read fails.
    pub fn new(
        processor: *mut ConfObject,
        major: u32,
        minor: u32,
        build: u32,
        teb_address: u64,
    ) -> Result<Self> {
        match (major, minor, build) {
            (10, 0, 10240) => Ok(Self::Windows10_0_10240_16384 {
                teb: read_virtual::<windows_10_0_10240_16384_x64::_TEB>(processor, teb_address)?,
            }),
            (10, 0, 10586) => Ok(Self::Windows10_0_10586_0 {
                teb: read_virtual::<windows_10_0_10586_0_x64::_TEB>(processor, teb_address)?,
            }),
            (10, 0, 14393) => Ok(Self::Windows10_0_14393_0 {
                teb: read_virtual::<windows_10_0_14393_0_x64::_TEB>(processor, teb_address)?,
            }),
            (10, 0, 15063) => Ok(Self::Windows10_0_15063_0 {
                teb: read_virtual::<windows_10_0_15063_0_x64::_TEB>(processor, teb_address)?,
            }),
            (10, 0, 16299) => Ok(Self::Windows10_0_16299_15 {
                teb: read_virtual::<windows_10_0_16299_15_x64::_TEB>(processor, teb_address)?,
            }),
            (10, 0, 17134) => Ok(Self::Windows10_0_17134_1 {
                teb: read_virtual::<windows_10_0_17134_1_x64::_TEB>(processor, teb_address)?,
            }),
            (10, 0, 17763) => Ok(Self::Windows10_0_17763_107 {
                teb: read_virtual::<windows_10_0_17763_107_x64::_TEB>(processor, teb_address)?,
            }),
            (10, 0, 18362) => Ok(Self::Windows10_0_18362_418 {
                teb: read_virtual::<windows_10_0_18362_418_x64::_TEB>(processor, teb_address)?,
            }),
            (10, 0, 19041) => Ok(Self::Windows10_0_19041_1288 {
                teb: read_virtual::<windows_10_0_19041_1288_x64::_TEB>(processor, teb_address)?,
            }),
            (10, 0, 19045) => Ok(Self::Windows10_0_19045_2965 {
                teb: read_virtual::<windows_10_0_19045_2965_x64::_TEB>(processor, teb_address)?,
            }),
            (10, 0, 22000) => Ok(Self::Windows10_0_22000_194 {
                teb: read_virtual::<windows_10_0_22000_194_x64::_TEB>(processor, teb_address)?,
            }),
            (10, 0, 22621) => Ok(Self::Windows10_0_22621_382 {
                teb: read_virtual::<windows_10_0_22621_382_x64::_TEB>(processor, teb_address)?,
            }),
            (10, 0, 22631) => Ok(Self::Windows10_0_22631_2428 {
                teb: read_virtual::<windows_10_0_22631_2428_x64::_TEB>(processor, teb_address)?,
            }),
            _ => bail!("Unsupported Windows version"),
        }
    }

    /// Follows `ProcessEnvironmentBlock` and reads the owning process's PEB
    /// with the same version triple, via [`WindowsPeb::new`].
    ///
    /// # Errors
    /// Propagates the errors of [`WindowsPeb::new`] (unsupported build, failed
    /// guest read).
    pub fn peb(
        &self,
        processor: *mut ConfObject,
        major: u32,
        minor: u32,
        build: u32,
    ) -> Result<WindowsPeb> {
        let peb_address = match self {
            Self::Windows10_0_10240_16384 { teb } => teb.ProcessEnvironmentBlock as u64,
            Self::Windows10_0_10586_0 { teb } => teb.ProcessEnvironmentBlock as u64,
            Self::Windows10_0_14393_0 { teb } => teb.ProcessEnvironmentBlock as u64,
            Self::Windows10_0_15063_0 { teb } => teb.ProcessEnvironmentBlock as u64,
            Self::Windows10_0_16299_15 { teb } => teb.ProcessEnvironmentBlock as u64,
            Self::Windows10_0_17134_1 { teb } => teb.ProcessEnvironmentBlock as u64,
            Self::Windows10_0_17763_107 { teb } => teb.ProcessEnvironmentBlock as u64,
            Self::Windows10_0_18362_418 { teb } => teb.ProcessEnvironmentBlock as u64,
            Self::Windows10_0_19041_1288 { teb } => teb.ProcessEnvironmentBlock as u64,
            Self::Windows10_0_19045_2965 { teb } => teb.ProcessEnvironmentBlock as u64,
            Self::Windows10_0_22000_194 { teb } => teb.ProcessEnvironmentBlock as u64,
            Self::Windows10_0_22621_382 { teb } => teb.ProcessEnvironmentBlock as u64,
            Self::Windows10_0_22631_2428 { teb } => teb.ProcessEnvironmentBlock as u64,
        };

        WindowsPeb::new(processor, major, minor, build, peb_address)
    }
}
2359
/// An `_EPROCESS` copied out of guest memory, one variant per supported
/// Windows 10/11 build (struct layouts from the `vergilius` bindings).
///
/// The variant is chosen purely from the `(major, minor, build)` triple handed
/// to the constructors; nothing validates that the guest's actual layout
/// matches the chosen build. The copy is a snapshot: pointers and list links
/// inside it refer to guest memory and must be re-read to follow them.
pub enum WindowsEProcess {
    Windows10_0_10240_16384 {
        eprocess: windows_10_0_10240_16384_x64::_EPROCESS,
    },
    Windows10_0_10586_0 {
        eprocess: windows_10_0_10586_0_x64::_EPROCESS,
    },
    Windows10_0_14393_0 {
        eprocess: windows_10_0_14393_0_x64::_EPROCESS,
    },
    Windows10_0_15063_0 {
        eprocess: windows_10_0_15063_0_x64::_EPROCESS,
    },
    Windows10_0_16299_15 {
        eprocess: windows_10_0_16299_15_x64::_EPROCESS,
    },
    Windows10_0_17134_1 {
        eprocess: windows_10_0_17134_1_x64::_EPROCESS,
    },
    Windows10_0_17763_107 {
        eprocess: windows_10_0_17763_107_x64::_EPROCESS,
    },
    Windows10_0_18362_418 {
        eprocess: windows_10_0_18362_418_x64::_EPROCESS,
    },
    Windows10_0_19041_1288 {
        eprocess: windows_10_0_19041_1288_x64::_EPROCESS,
    },
    Windows10_0_19045_2965 {
        eprocess: windows_10_0_19045_2965_x64::_EPROCESS,
    },
    Windows10_0_22000_194 {
        eprocess: windows_10_0_22000_194_x64::_EPROCESS,
    },
    Windows10_0_22621_382 {
        eprocess: windows_10_0_22621_382_x64::_EPROCESS,
    },
    Windows10_0_22631_2428 {
        eprocess: windows_10_0_22631_2428_x64::_EPROCESS,
    },
}
2401
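/// Expands to a `match` over every `WindowsEProcess` variant, binding the
/// version-specific `_EPROCESS` as `$eprocess` and evaluating `$body` against
/// it. The body is duplicated per arm, so it must type-check for each layout.
macro_rules! match_eprocess {
    ($value:expr, |$eprocess:ident| $body:expr) => {
        match $value {
            WindowsEProcess::Windows10_0_10240_16384 { eprocess: $eprocess } => $body,
            WindowsEProcess::Windows10_0_10586_0 { eprocess: $eprocess } => $body,
            WindowsEProcess::Windows10_0_14393_0 { eprocess: $eprocess } => $body,
            WindowsEProcess::Windows10_0_15063_0 { eprocess: $eprocess } => $body,
            WindowsEProcess::Windows10_0_16299_15 { eprocess: $eprocess } => $body,
            WindowsEProcess::Windows10_0_17134_1 { eprocess: $eprocess } => $body,
            WindowsEProcess::Windows10_0_17763_107 { eprocess: $eprocess } => $body,
            WindowsEProcess::Windows10_0_18362_418 { eprocess: $eprocess } => $body,
            WindowsEProcess::Windows10_0_19041_1288 { eprocess: $eprocess } => $body,
            WindowsEProcess::Windows10_0_19045_2965 { eprocess: $eprocess } => $body,
            WindowsEProcess::Windows10_0_22000_194 { eprocess: $eprocess } => $body,
            WindowsEProcess::Windows10_0_22621_382 { eprocess: $eprocess } => $body,
            WindowsEProcess::Windows10_0_22631_2428 { eprocess: $eprocess } => $body,
        }
    };
}

// Every accessor below works on a snapshot of `_EPROCESS` taken from guest
// memory. That memory is written by the guest (and, in a fuzzing session, may
// have been corrupted by the code under test), so addresses and list links
// taken from it are bounds-checked rather than trusted blindly.
impl WindowsEProcess {
    /// Reads the `_EPROCESS` at `eprocess_address` through the processor's
    /// current address translation and wraps it in the variant selected by
    /// `(major, minor, build)`.
    ///
    /// # Errors
    /// Fails when the build is not one of the supported versions or when the
    /// guest read fails.
    pub fn new(
        processor: *mut ConfObject,
        major: u32,
        minor: u32,
        build: u32,
        eprocess_address: u64,
    ) -> Result<Self> {
        match (major, minor, build) {
            (10, 0, 10240) => Ok(Self::Windows10_0_10240_16384 {
                eprocess: read_virtual::<windows_10_0_10240_16384_x64::_EPROCESS>(
                    processor,
                    eprocess_address,
                )?,
            }),
            (10, 0, 10586) => Ok(Self::Windows10_0_10586_0 {
                eprocess: read_virtual::<windows_10_0_10586_0_x64::_EPROCESS>(
                    processor,
                    eprocess_address,
                )?,
            }),
            (10, 0, 14393) => Ok(Self::Windows10_0_14393_0 {
                eprocess: read_virtual::<windows_10_0_14393_0_x64::_EPROCESS>(
                    processor,
                    eprocess_address,
                )?,
            }),
            (10, 0, 15063) => Ok(Self::Windows10_0_15063_0 {
                eprocess: read_virtual::<windows_10_0_15063_0_x64::_EPROCESS>(
                    processor,
                    eprocess_address,
                )?,
            }),
            (10, 0, 16299) => Ok(Self::Windows10_0_16299_15 {
                eprocess: read_virtual::<windows_10_0_16299_15_x64::_EPROCESS>(
                    processor,
                    eprocess_address,
                )?,
            }),
            (10, 0, 17134) => Ok(Self::Windows10_0_17134_1 {
                eprocess: read_virtual::<windows_10_0_17134_1_x64::_EPROCESS>(
                    processor,
                    eprocess_address,
                )?,
            }),
            (10, 0, 17763) => Ok(Self::Windows10_0_17763_107 {
                eprocess: read_virtual::<windows_10_0_17763_107_x64::_EPROCESS>(
                    processor,
                    eprocess_address,
                )?,
            }),
            (10, 0, 18362) => Ok(Self::Windows10_0_18362_418 {
                eprocess: read_virtual::<windows_10_0_18362_418_x64::_EPROCESS>(
                    processor,
                    eprocess_address,
                )?,
            }),
            (10, 0, 19041) => Ok(Self::Windows10_0_19041_1288 {
                eprocess: read_virtual::<windows_10_0_19041_1288_x64::_EPROCESS>(
                    processor,
                    eprocess_address,
                )?,
            }),
            (10, 0, 19045) => Ok(Self::Windows10_0_19045_2965 {
                eprocess: read_virtual::<windows_10_0_19045_2965_x64::_EPROCESS>(
                    processor,
                    eprocess_address,
                )?,
            }),
            (10, 0, 22000) => Ok(Self::Windows10_0_22000_194 {
                eprocess: read_virtual::<windows_10_0_22000_194_x64::_EPROCESS>(
                    processor,
                    eprocess_address,
                )?,
            }),
            (10, 0, 22621) => Ok(Self::Windows10_0_22621_382 {
                eprocess: read_virtual::<windows_10_0_22621_382_x64::_EPROCESS>(
                    processor,
                    eprocess_address,
                )?,
            }),
            (10, 0, 22631) => Ok(Self::Windows10_0_22631_2428 {
                eprocess: read_virtual::<windows_10_0_22631_2428_x64::_EPROCESS>(
                    processor,
                    eprocess_address,
                )?,
            }),
            _ => bail!("Unsupported Windows version"),
        }
    }

    /// Reads the `_EPROCESS` that embeds the `ActiveProcessLinks` entry found
    /// at `active_process_links_address`: a `CONTAINING_RECORD`-style step back
    /// by the field's offset in the build-specific layout, then
    /// [`WindowsEProcess::new`].
    ///
    /// # Errors
    /// Fails for unsupported builds, when the link address is smaller than the
    /// field offset (a corrupt or bogus link that would otherwise wrap around
    /// to a huge address), or when the guest read fails.
    pub fn new_from_active_process_links_address(
        processor: *mut ConfObject,
        major: u32,
        minor: u32,
        build: u32,
        active_process_links_address: u64,
    ) -> Result<Self> {
        let active_process_links_offset = match (major, minor, build) {
            (10, 0, 10240) => {
                std::mem::offset_of!(windows_10_0_10240_16384_x64::_EPROCESS, ActiveProcessLinks)
            }
            (10, 0, 10586) => {
                std::mem::offset_of!(windows_10_0_10586_0_x64::_EPROCESS, ActiveProcessLinks)
            }
            (10, 0, 14393) => {
                std::mem::offset_of!(windows_10_0_14393_0_x64::_EPROCESS, ActiveProcessLinks)
            }
            (10, 0, 15063) => {
                std::mem::offset_of!(windows_10_0_15063_0_x64::_EPROCESS, ActiveProcessLinks)
            }
            (10, 0, 16299) => {
                std::mem::offset_of!(windows_10_0_16299_15_x64::_EPROCESS, ActiveProcessLinks)
            }
            (10, 0, 17134) => {
                std::mem::offset_of!(windows_10_0_17134_1_x64::_EPROCESS, ActiveProcessLinks)
            }
            (10, 0, 17763) => {
                std::mem::offset_of!(windows_10_0_17763_107_x64::_EPROCESS, ActiveProcessLinks)
            }
            (10, 0, 18362) => {
                std::mem::offset_of!(windows_10_0_18362_418_x64::_EPROCESS, ActiveProcessLinks)
            }
            (10, 0, 19041) => {
                std::mem::offset_of!(windows_10_0_19041_1288_x64::_EPROCESS, ActiveProcessLinks)
            }
            (10, 0, 19045) => {
                std::mem::offset_of!(windows_10_0_19045_2965_x64::_EPROCESS, ActiveProcessLinks)
            }
            (10, 0, 22000) => {
                std::mem::offset_of!(windows_10_0_22000_194_x64::_EPROCESS, ActiveProcessLinks)
            }
            (10, 0, 22621) => {
                std::mem::offset_of!(windows_10_0_22621_382_x64::_EPROCESS, ActiveProcessLinks)
            }
            (10, 0, 22631) => {
                std::mem::offset_of!(windows_10_0_22631_2428_x64::_EPROCESS, ActiveProcessLinks)
            }
            _ => bail!("Unsupported Windows version"),
        };

        // The link address comes from guest memory. A plain `-` would wrap
        // silently in a release build (and panic in debug), so reject links
        // that sit below the field offset instead of reading a wrapped address.
        let eprocess_address = active_process_links_address
            .checked_sub(active_process_links_offset as u64)
            .ok_or_else(|| {
                anyhow!(
                    "ActiveProcessLinks address {:#x} is below the field offset {:#x}",
                    active_process_links_address,
                    active_process_links_offset
                )
            })?;

        Self::new(processor, major, minor, build, eprocess_address)
    }

    /// Returns a copy of `ActiveProcessLinks` as a `windows_sys` `LIST_ENTRY`.
    pub fn active_process_links(&self) -> LIST_ENTRY {
        match_eprocess!(self, |eprocess| {
            // SAFETY: the vergilius `_LIST_ENTRY` and the windows_sys
            // `LIST_ENTRY` are both a pair of raw pointers (Flink, Blink);
            // `transmute` additionally enforces equal sizes at compile time.
            unsafe { std::mem::transmute::<_, LIST_ENTRY>(eprocess.ActiveProcessLinks) }
        })
    }

    /// The process ID (`UniqueProcessId`), cast to `u64`.
    pub fn pid(&self) -> u64 {
        match_eprocess!(self, |eprocess| eprocess.UniqueProcessId as u64)
    }

    /// The image path recorded at process creation
    /// (`SeAuditProcessCreationInfo.ImageFileName`), or an empty string when
    /// that pointer is null.
    ///
    /// A `UNICODE_STRING` is read at the pointed-to address (the leading
    /// member of the object-name record it points at) and its `Length` (a
    /// byte count for `UNICODE_STRING`) and `Buffer` are handed to
    /// `read_unicode_string` unchanged.
    ///
    /// # Errors
    /// Fails when either guest read fails.
    pub fn file_name(&self, processor: *mut ConfObject) -> Result<String> {
        let object_name_information_addr = match_eprocess!(self, |eprocess| {
            eprocess.SeAuditProcessCreationInfo.ImageFileName as u64
        });

        if object_name_information_addr == 0 {
            return Ok(String::new());
        }

        let object_name_information =
            read_virtual::<UNICODE_STRING>(processor, object_name_information_addr)?;

        read_unicode_string(
            processor,
            object_name_information.Length as usize,
            object_name_information.Buffer,
        )
    }

    /// Image base of the process's main module (`Peb.ImageBaseAddress`), read
    /// through the processor's current address translation.
    ///
    /// # Errors
    /// Fails when the process has no user-mode PEB (`Peb` is null), when the
    /// build is unsupported, or when the PEB cannot be read.
    pub fn base_address(
        &self,
        processor: *mut ConfObject,
        major: u32,
        minor: u32,
        build: u32,
    ) -> Result<u64> {
        let peb_address = match_eprocess!(self, |eprocess| eprocess.Peb as u64);

        // Report a null PEB explicitly instead of attempting a read at address 0.
        ensure!(peb_address != 0, "Process {} has no PEB", self.pid());

        Ok(WindowsPeb::new(processor, major, minor, build, peb_address)?.base())
    }

    /// Walks the process's `InLoadOrderModuleList` and returns one
    /// [`ProcessModule`] per loaded module, with debug info resolved
    /// best-effort via [`DebugInfo::new`] (a failed lookup leaves
    /// `debug_info` as `None` rather than aborting the walk).
    ///
    /// User-mode memory is translated through `Pcb.DirectoryTableBase`, or
    /// `Pcb.UserDirectoryTableBase` when the former is zero (that field only
    /// exists from build 17134 / 1803 on). A process whose `Peb` is null
    /// yields an empty list.
    ///
    /// The list is circular: the head's `Flink` is the first
    /// `_LDR_DATA_TABLE_ENTRY` (its `InLoadOrderLinks` sits at offset 0, so the
    /// link address is the entry address) and its `Blink` is the last entry,
    /// whose own `Flink` points back at the head. The walk therefore stops
    /// *after* processing the entry that `Blink` names, so the last module is
    /// included, and it is capped at `MAX_MODULE_LIST_ENTRIES` entries so a
    /// damaged or cyclic list read from guest memory cannot hang it.
    ///
    /// # Errors
    /// Fails for unsupported builds, for a zero `DirectoryTableBase` on builds
    /// without `UserDirectoryTableBase`, when any guest read fails, or when the
    /// list exceeds the entry cap without reaching its tail.
    #[allow(clippy::too_many_arguments)]
    pub fn modules<P>(
        &self,
        processor: *mut ConfObject,
        major: u32,
        minor: u32,
        build: u32,
        download_directory: P,
        not_found_full_name_cache: &mut HashSet<String>,
        user_debug_info: &DebugInfoConfig,
    ) -> Result<Vec<ProcessModule>>
    where
        P: AsRef<Path>,
    {
        // Generous upper bound on list entries walked before the list is
        // treated as corrupt; real processes load far fewer modules than this.
        const MAX_MODULE_LIST_ENTRIES: usize = 8192;

        let peb_address = match_eprocess!(self, |eprocess| eprocess.Peb as u64);
        let mut directory_table_base =
            match_eprocess!(self, |eprocess| eprocess.Pcb.DirectoryTableBase);

        if directory_table_base == 0 {
            // NOTE(review): on some builds UserDirectoryTableBase may carry
            // flag bits in its low bits or hold a sentinel when KVA shadowing
            // is off — confirm that read_virtual_dtb tolerates that.
            directory_table_base = match self {
                Self::Windows10_0_10240_16384 { .. }
                | Self::Windows10_0_10586_0 { .. }
                | Self::Windows10_0_14393_0 { .. }
                | Self::Windows10_0_15063_0 { .. }
                | Self::Windows10_0_16299_15 { .. } => {
                    bail!("No UserDirectoryTableBase before 1803")
                }
                Self::Windows10_0_17134_1 { eprocess } => eprocess.Pcb.UserDirectoryTableBase,
                Self::Windows10_0_17763_107 { eprocess } => eprocess.Pcb.UserDirectoryTableBase,
                Self::Windows10_0_18362_418 { eprocess } => eprocess.Pcb.UserDirectoryTableBase,
                Self::Windows10_0_19041_1288 { eprocess } => eprocess.Pcb.UserDirectoryTableBase,
                Self::Windows10_0_19045_2965 { eprocess } => eprocess.Pcb.UserDirectoryTableBase,
                Self::Windows10_0_22000_194 { eprocess } => eprocess.Pcb.UserDirectoryTableBase,
                Self::Windows10_0_22621_382 { eprocess } => eprocess.Pcb.UserDirectoryTableBase,
                Self::Windows10_0_22631_2428 { eprocess } => eprocess.Pcb.UserDirectoryTableBase,
            };
        }

        let mut modules = Vec::new();

        if peb_address == 0 {
            return Ok(modules);
        }

        let peb = WindowsPeb::new_dtb(
            processor,
            major,
            minor,
            build,
            directory_table_base,
            peb_address,
        )?;
        let ldr = WindowsPebLdrData::new_dtb(
            processor,
            major,
            minor,
            build,
            directory_table_base,
            peb.ldr_address(),
        )?;

        let head = ldr.in_load_order_module_list();
        let last_entry = head.Blink;
        let mut next = head.Flink;
        let mut walked = 0usize;

        while !next.is_null() {
            ensure!(
                walked < MAX_MODULE_LIST_ENTRIES,
                "InLoadOrderModuleList exceeded {} entries without reaching its tail; treating it as corrupt",
                MAX_MODULE_LIST_ENTRIES
            );
            walked += 1;

            let ldr_data_entry = WindowsLdrDataTableEntry::new_dtb(
                processor,
                major,
                minor,
                build,
                directory_table_base,
                next as u64,
            )?;

            let base = ldr_data_entry.dll_base();
            let size = ldr_data_entry.size_of_image();
            let full_name = ldr_data_entry.full_name_dtb(processor, directory_table_base)?;
            let base_name = ldr_data_entry.base_name_dtb(processor, directory_table_base)?;

            // Debug info is best-effort: the last path component is the file
            // name; a lookup error or a "not found" result both become `None`.
            let debug_info = full_name
                .rsplit('\\')
                .next()
                .ok_or_else(|| anyhow!("Failed to get file name"))
                .and_then(|fname| {
                    DebugInfo::new(
                        processor,
                        fname,
                        base,
                        download_directory.as_ref(),
                        not_found_full_name_cache,
                        user_debug_info,
                    )
                })
                .ok()
                .flatten();

            debug!(get_object("tsffs")?, "Found module: {}", full_name);

            modules.push(ProcessModule {
                base,
                size,
                full_name,
                base_name,
                debug_info,
            });

            // Stop after the tail entry: following its Flink would re-read the
            // list head as if it were a `_LDR_DATA_TABLE_ENTRY`.
            if std::ptr::eq(next, last_entry) {
                break;
            }

            next = ldr_data_entry.in_load_order_links().Flink;
        }

        Ok(modules)
    }
}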
2918
/// A `_KTHREAD` read out of guest memory, tagged with the Windows build whose
/// struct layout was used to read it.
///
/// Field offsets inside `_KTHREAD` differ between builds, so each supported
/// build gets its own variant holding that build's generated layout (the
/// variant name encodes `major_minor_build_revision`). Values are produced by
/// [`WindowsKThread::new`] and consumed by the accessors on the `impl`, which
/// dispatch on the variant to reach the same logical field in every layout.
pub enum WindowsKThread {
    Windows10_0_10240_16384 {
        kthread: windows_10_0_10240_16384_x64::_KTHREAD,
    },
    Windows10_0_10586_0 {
        kthread: windows_10_0_10586_0_x64::_KTHREAD,
    },
    Windows10_0_14393_0 {
        kthread: windows_10_0_14393_0_x64::_KTHREAD,
    },
    Windows10_0_15063_0 {
        kthread: windows_10_0_15063_0_x64::_KTHREAD,
    },
    Windows10_0_16299_15 {
        kthread: windows_10_0_16299_15_x64::_KTHREAD,
    },
    Windows10_0_17134_1 {
        kthread: windows_10_0_17134_1_x64::_KTHREAD,
    },
    Windows10_0_17763_107 {
        kthread: windows_10_0_17763_107_x64::_KTHREAD,
    },
    Windows10_0_18362_418 {
        kthread: windows_10_0_18362_418_x64::_KTHREAD,
    },
    Windows10_0_19041_1288 {
        kthread: windows_10_0_19041_1288_x64::_KTHREAD,
    },
    Windows10_0_19045_2965 {
        kthread: windows_10_0_19045_2965_x64::_KTHREAD,
    },
    Windows10_0_22000_194 {
        kthread: windows_10_0_22000_194_x64::_KTHREAD,
    },
    Windows10_0_22621_382 {
        kthread: windows_10_0_22621_382_x64::_KTHREAD,
    },
    Windows10_0_22631_2428 {
        kthread: windows_10_0_22631_2428_x64::_KTHREAD,
    },
}
2960
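impl WindowsKThread {
    /// Reads the `_KTHREAD` at `kthread_address` from guest virtual memory, using the
    /// struct layout that matches the guest's Windows build.
    ///
    /// # Arguments
    ///
    /// * `processor` - Simics processor object whose virtual address space is read
    /// * `major`, `minor`, `build` - guest Windows version; selects the `_KTHREAD` layout
    /// * `kthread_address` - guest virtual address of the `_KTHREAD`
    ///
    /// # Errors
    ///
    /// Fails when `(major, minor, build)` is not one of the supported builds, or when
    /// the guest memory read fails.
    pub fn new(
        processor: *mut ConfObject,
        major: u32,
        minor: u32,
        build: u32,
        kthread_address: u64,
    ) -> Result<Self> {
        // Every supported build does the same read-then-wrap with a different layout
        // type and variant; the macro only removes that boilerplate. It is defined
        // inside the function so `processor` and `kthread_address` resolve to the
        // parameters.
        macro_rules! read_kthread {
            ($layout:ident, $variant:ident) => {{
                let kthread =
                    read_virtual::<$layout::_KTHREAD>(processor, kthread_address)?;
                Ok(WindowsKThread::$variant { kthread })
            }};
        }

        match (major, minor, build) {
            (10, 0, 10240) => read_kthread!(windows_10_0_10240_16384_x64, Windows10_0_10240_16384),
            (10, 0, 10586) => read_kthread!(windows_10_0_10586_0_x64, Windows10_0_10586_0),
            (10, 0, 14393) => read_kthread!(windows_10_0_14393_0_x64, Windows10_0_14393_0),
            (10, 0, 15063) => read_kthread!(windows_10_0_15063_0_x64, Windows10_0_15063_0),
            (10, 0, 16299) => read_kthread!(windows_10_0_16299_15_x64, Windows10_0_16299_15),
            (10, 0, 17134) => read_kthread!(windows_10_0_17134_1_x64, Windows10_0_17134_1),
            (10, 0, 17763) => read_kthread!(windows_10_0_17763_107_x64, Windows10_0_17763_107),
            (10, 0, 18362) => read_kthread!(windows_10_0_18362_418_x64, Windows10_0_18362_418),
            (10, 0, 19041) => read_kthread!(windows_10_0_19041_1288_x64, Windows10_0_19041_1288),
            (10, 0, 19045) => read_kthread!(windows_10_0_19045_2965_x64, Windows10_0_19045_2965),
            (10, 0, 22000) => read_kthread!(windows_10_0_22000_194_x64, Windows10_0_22000_194),
            (10, 0, 22621) => read_kthread!(windows_10_0_22621_382_x64, Windows10_0_22621_382),
            (10, 0, 22631) => read_kthread!(windows_10_0_22631_2428_x64, Windows10_0_22631_2428),
            // Report the version that was rejected so an unsupported guest can be
            // diagnosed from the error alone.
            (_, _, _) => bail!(
                "Unsupported Windows version {}.{}.{}",
                major,
                minor,
                build
            ),
        }
    }

    /// Raw value of the `_KTHREAD.Process` pointer for whichever layout this is.
    ///
    /// Returns 0 when the pointer is null; callers decide whether that is an error.
    fn process_address(&self) -> u64 {
        match self {
            WindowsKThread::Windows10_0_10240_16384 { kthread } => kthread.Process as u64,
            WindowsKThread::Windows10_0_10586_0 { kthread } => kthread.Process as u64,
            WindowsKThread::Windows10_0_14393_0 { kthread } => kthread.Process as u64,
            WindowsKThread::Windows10_0_15063_0 { kthread } => kthread.Process as u64,
            WindowsKThread::Windows10_0_16299_15 { kthread } => kthread.Process as u64,
            WindowsKThread::Windows10_0_17134_1 { kthread } => kthread.Process as u64,
            WindowsKThread::Windows10_0_17763_107 { kthread } => kthread.Process as u64,
            WindowsKThread::Windows10_0_18362_418 { kthread } => kthread.Process as u64,
            WindowsKThread::Windows10_0_19041_1288 { kthread } => kthread.Process as u64,
            WindowsKThread::Windows10_0_19045_2965 { kthread } => kthread.Process as u64,
            WindowsKThread::Windows10_0_22000_194 { kthread } => kthread.Process as u64,
            WindowsKThread::Windows10_0_22621_382 { kthread } => kthread.Process as u64,
            WindowsKThread::Windows10_0_22631_2428 { kthread } => kthread.Process as u64,
        }
    }

    /// Raw value of the `_KTHREAD.Teb` pointer for whichever layout this is.
    ///
    /// Returns 0 when the pointer is null; callers decide whether that is an error.
    fn teb_address(&self) -> u64 {
        match self {
            WindowsKThread::Windows10_0_10240_16384 { kthread } => kthread.Teb as u64,
            WindowsKThread::Windows10_0_10586_0 { kthread } => kthread.Teb as u64,
            WindowsKThread::Windows10_0_14393_0 { kthread } => kthread.Teb as u64,
            WindowsKThread::Windows10_0_15063_0 { kthread } => kthread.Teb as u64,
            WindowsKThread::Windows10_0_16299_15 { kthread } => kthread.Teb as u64,
            WindowsKThread::Windows10_0_17134_1 { kthread } => kthread.Teb as u64,
            WindowsKThread::Windows10_0_17763_107 { kthread } => kthread.Teb as u64,
            WindowsKThread::Windows10_0_18362_418 { kthread } => kthread.Teb as u64,
            WindowsKThread::Windows10_0_19041_1288 { kthread } => kthread.Teb as u64,
            WindowsKThread::Windows10_0_19045_2965 { kthread } => kthread.Teb as u64,
            WindowsKThread::Windows10_0_22000_194 { kthread } => kthread.Teb as u64,
            WindowsKThread::Windows10_0_22621_382 { kthread } => kthread.Teb as u64,
            WindowsKThread::Windows10_0_22631_2428 { kthread } => kthread.Teb as u64,
        }
    }

    /// Reads the `_EPROCESS` that owns this thread, following `_KTHREAD.Process`.
    ///
    /// # Arguments
    ///
    /// * `processor` - Simics processor object whose virtual address space is read
    /// * `major`, `minor`, `build` - guest Windows version, forwarded to
    ///   [`WindowsEProcess::new`] to select the `_EPROCESS` layout
    ///
    /// # Errors
    ///
    /// Fails when the `Process` pointer is null (the address would otherwise be
    /// handed to [`WindowsEProcess::new`] as guest address 0), or when reading the
    /// `_EPROCESS` fails.
    pub fn process(
        &self,
        processor: *mut ConfObject,
        major: u32,
        minor: u32,
        build: u32,
    ) -> Result<WindowsEProcess> {
        let process_address = self.process_address();
        if process_address == 0 {
            bail!("KTHREAD has a null Process pointer");
        }
        WindowsEProcess::new(processor, major, minor, build, process_address)
    }

    /// Reads the TEB of this thread, following `_KTHREAD.Teb`.
    ///
    /// # Arguments
    ///
    /// * `processor` - Simics processor object whose virtual address space is read
    /// * `major`, `minor`, `build` - guest Windows version, forwarded to
    ///   [`WindowsTeb::new`] to select the `_TEB` layout
    ///
    /// # Errors
    ///
    /// Fails when the `Teb` pointer is null (expected for threads that have no
    /// user-mode part; the address would otherwise be handed to [`WindowsTeb::new`]
    /// as guest address 0), or when reading the `_TEB` fails.
    pub fn teb(
        &self,
        processor: *mut ConfObject,
        major: u32,
        minor: u32,
        build: u32,
    ) -> Result<WindowsTeb> {
        let teb_address = self.teb_address();
        if teb_address == 0 {
            bail!("KTHREAD has a null Teb pointer");
        }
        WindowsTeb::new(processor, major, minor, build, teb_address)
    }
}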