- Generated by
1.8.13
|
Bitdefender Hypervisor Memory Introspection
|
#include "introtypes.h"Go to the source code of this file.
Macros | |
| #define | LDR_FLAG_FIX_RELOCATIONS 0x00000001 |
| If flag is set, the relocations will be applied. More... | |
| #define | LDR_FLAG_FIX_IMPORTS 0x00000002 |
| If flag is set, the imports will be fixed. More... | |
Functions | |
| INTSTATUS | IntLdrGetImageSizeAndEntryPoint (PBYTE RawPe, DWORD RawSize, DWORD *VirtualSize, DWORD *EntryPoint) |
| Returns the entry point and the virtual size for the provided module. More... | |
| INTSTATUS | IntLdrLoadPEImage (PBYTE RawPe, DWORD RawPeSize, QWORD GuestVirtualAddress, PBYTE LoadedPe, DWORD VirtualPeSize, DWORD Flags) |
| Load the provided PE image at the provided guest virtual address, and return it in LoadedPe. More... | |
| #define LDR_FLAG_FIX_IMPORTS 0x00000002 |
If flag is set, the imports will be fixed.
Definition at line 12 of file loader.h.
Referenced by IntLdrLoadPEImage().
| #define LDR_FLAG_FIX_RELOCATIONS 0x00000001 |
If flag is set, the relocations will be applied.
Definition at line 11 of file loader.h.
Referenced by IntLdrLoadPEImage(), IntPtiDeliverDriverForLoad(), IntVeDeliverDriverForLoad(), and IntWinAgentDeployWinDriver().
| INTSTATUS IntLdrGetImageSizeAndEntryPoint | ( | PBYTE | RawPe, |
| DWORD | RawSize, | ||
| DWORD * | VirtualSize, | ||
| DWORD * | EntryPoint | ||
| ) |
Returns the entry point and the virtual size for the provided module.
This module will get the entry point and the virtual size of the module. If a special section named ENTRYP is found, the beginning of that section is considered to be the entry point. The returned entry point is a RVA inside the module. NOTE: this function assumes that the PE contained at RawPe is fully read into memory.
| [in] | RawPe | The PE file contents. |
| [in] | RawSize | The PE raw size. |
| [out] | VirtualSize | The virtual PE size (SizeOfImage). |
| [out] | EntryPoint | A RVA to the PE entry point. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
Definition at line 11 of file loader.c.
Referenced by IntPtiInjectPtFilter(), IntVeInit(), IntWinAgentDeployWinDriver(), and IntWinAgentInject().
| INTSTATUS IntLdrLoadPEImage | ( | PBYTE | RawPe, |
| DWORD | RawPeSize, | ||
| QWORD | GuestVirtualAddress, | ||
| PBYTE | LoadedPe, | ||
| DWORD | VirtualPeSize, | ||
| DWORD | Flags | ||
| ) |
Load the provided PE image at the provided guest virtual address, and return it in LoadedPe.
This function will act as a PE loader which is capable of loading a PE file from the Introcore memory address space to the guest memory address space. NOTE: For now, we only support parsing relocations & imports (basic in order to get the PE ready for running); We don't take into consideration forwarded exports, delayed imports or bounded imports.
| [in] | RawPe | A buffer that contains the raw PE image that must be "loaded" (disk image). |
| [in] | RawPeSize | Raw size of the PE to be loaded (disk size). |
| [in] | GuestVirtualAddress | Guest virtual address where the module will be loaded. |
| [in] | LoadedPe | Will contain, upon exit, the fixed image. |
| [in] | VirtualPeSize | The size of the loaded image. |
| [in] | Flags | Indicates what fixups are required. Supported fixups are: LDR_FLAG_FIX_RELOCATIONS and LDR_FLAG_FIX_IMPORTS. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
| INT_STATUS_INVALID_OBJECT_TYPE | If the MZ/PE is malformed in any way. |
| INT_STATUS_NOT_SUPPORTED | If the PE does not match the guest OS architecture. |
Definition at line 670 of file loader.c.
Referenced by IntPtiDeliverDriverForLoad(), IntVeDeliverDriverForLoad(), and IntWinAgentDeployWinDriver().
1.8.13