Bitdefender Hypervisor Memory Introspection
#include "introtypes.h"
Macros
#define LDR_FLAG_FIX_RELOCATIONS 0x00000001
If flag is set, the relocations will be applied.
#define LDR_FLAG_FIX_IMPORTS 0x00000002
If flag is set, the imports will be fixed.
Functions
INTSTATUS IntLdrGetImageSizeAndEntryPoint (PBYTE RawPe, DWORD RawSize, DWORD *VirtualSize, DWORD *EntryPoint)
Returns the entry point and the virtual size for the provided module.
INTSTATUS IntLdrLoadPEImage (PBYTE RawPe, DWORD RawPeSize, QWORD GuestVirtualAddress, PBYTE LoadedPe, DWORD VirtualPeSize, DWORD Flags)
Load the provided PE image at the provided guest virtual address, and return it in LoadedPe.
#define LDR_FLAG_FIX_IMPORTS 0x00000002
If flag is set, the imports will be fixed.
Definition at line 12 of file loader.h.
Referenced by IntLdrLoadPEImage().
#define LDR_FLAG_FIX_RELOCATIONS 0x00000001
If flag is set, the relocations will be applied.
Definition at line 11 of file loader.h.
Referenced by IntLdrLoadPEImage(), IntPtiDeliverDriverForLoad(), IntVeDeliverDriverForLoad(), and IntWinAgentDeployWinDriver().
INTSTATUS IntLdrGetImageSizeAndEntryPoint (PBYTE RawPe, DWORD RawSize, DWORD *VirtualSize, DWORD *EntryPoint)
Returns the entry point and the virtual size for the provided module.
This function gets the entry point and the virtual size of the module. If a special section named ENTRYP is found, the beginning of that section is considered to be the entry point. The returned entry point is an RVA inside the module. NOTE: this function assumes that the PE contained at RawPe is fully read into memory.
[in] | RawPe | The PE file contents. |
[in] | RawSize | The PE raw size. |
[out] | VirtualSize | The virtual PE size (SizeOfImage). |
[out] | EntryPoint | An RVA to the PE entry point. |
INT_STATUS_SUCCESS | On success. |
INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
Definition at line 11 of file loader.c.
Referenced by IntPtiInjectPtFilter(), IntVeInit(), IntWinAgentDeployWinDriver(), and IntWinAgentInject().
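An added example, not Introcore's loader.c and not code from the project, of the lookup described above: read SizeOfImage and the entry point RVA from a raw PE buffer with every offset bounds-checked, letting a section named ENTRYP override the header entry point. The function names, the exact NUL-padded name match and the final "RVA lies inside the image" check are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical helper names; little-endian field accessors. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }

/* Returns 0 on success, -1 on malformed input; outputs are written only on success. */
int pe_size_and_entry(const uint8_t *raw, uint32_t raw_size, uint32_t *vsize, uint32_t *entry)
{
    if (!raw || !vsize || !entry || raw_size < 0x40 || rd16(raw) != 0x5A4D) return -1; /* "MZ" */
    uint32_t nt = rd32(raw + 0x3C);                          /* e_lfanew */
    /* Need signature (4) + file header (20) + optional header through SizeOfImage (60). */
    if (nt > raw_size || raw_size - nt < 84 || rd32(raw + nt) != 0x00004550) return -1;
    uint16_t nsec = rd16(raw + nt + 6), optsz = rd16(raw + nt + 20);
    uint64_t sec = (uint64_t)nt + 24 + optsz;                /* first section header */
    if (optsz < 60 || sec + (uint64_t)nsec * 40 > raw_size) return -1;
    uint32_t ep = rd32(raw + nt + 24 + 16);                  /* AddressOfEntryPoint */
    uint32_t size = rd32(raw + nt + 24 + 56);                /* SizeOfImage */
    for (uint16_t i = 0; i < nsec; i++) {
        const uint8_t *s = raw + sec + 40u * i;
        if (memcmp(s, "ENTRYP\0\0", 8) == 0) { ep = rd32(s + 12); break; } /* VirtualAddress */
    }
    if (ep >= size) return -1;                               /* added check, an assumption */
    *vsize = size; *entry = ep;
    return 0;
}

uint32_t g_vsize, g_entry;  /* results of the last successful demo() call */

/* Constructed sample: 512-byte header-only image with .text and, optionally, ENTRYP. */
int demo(int with_entryp, uint32_t raw_size)
{
    uint8_t pe[512] = {0};
    pe[0] = 'M'; pe[1] = 'Z'; wr32(pe + 0x3C, 0x40);         /* e_lfanew = 0x40 */
    wr32(pe + 0x40, 0x00004550);                             /* "PE\0\0" */
    pe[0x46] = with_entryp ? 2 : 1;                          /* NumberOfSections */
    pe[0x54] = 240;                                          /* SizeOfOptionalHeader */
    wr32(pe + 0x58 + 16, 0x1000); wr32(pe + 0x58 + 56, 0x4000); /* entry RVA, SizeOfImage */
    memcpy(pe + 0x148, ".text", 5); wr32(pe + 0x148 + 12, 0x1000);
    if (with_entryp) { memcpy(pe + 0x170, "ENTRYP", 6); wr32(pe + 0x170 + 12, 0x3000); }
    return pe_size_and_entry(pe, raw_size, &g_vsize, &g_entry);
}

int main(void) { return demo(1, 512); }
```

Passing a `raw_size` smaller than the header or section table exercises the truncated-input paths, which is the case the NOTE about RawPe being fully read into memory is guarding against.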
INTSTATUS IntLdrLoadPEImage (PBYTE RawPe, DWORD RawPeSize, QWORD GuestVirtualAddress, PBYTE LoadedPe, DWORD VirtualPeSize, DWORD Flags)
Load the provided PE image at the provided guest virtual address, and return it in LoadedPe.
This function acts as a PE loader capable of loading a PE file from the Introcore memory address space to the guest memory address space. NOTE: For now, only relocations and imports are parsed (the basics needed to get the PE ready for running); forwarded exports, delayed imports and bound imports are not taken into consideration.
[in] | RawPe | A buffer that contains the raw PE image that must be "loaded" (disk image). |
[in] | RawPeSize | Raw size of the PE to be loaded (disk size). |
[in] | GuestVirtualAddress | Guest virtual address where the module will be loaded. |
[in] | LoadedPe | Will contain, upon exit, the fixed image. |
[in] | VirtualPeSize | The size of the loaded image. |
[in] | Flags | Indicates what fixups are required. Supported fixups are: LDR_FLAG_FIX_RELOCATIONS and LDR_FLAG_FIX_IMPORTS. |
INT_STATUS_SUCCESS | On success. |
INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
INT_STATUS_INVALID_OBJECT_TYPE | If the MZ/PE is malformed in any way. |
INT_STATUS_NOT_SUPPORTED | If the PE does not match the guest OS architecture. |
Definition at line 670 of file loader.c.
Referenced by IntPtiDeliverDriverForLoad(), IntVeDeliverDriverForLoad(), and IntWinAgentDeployWinDriver().