#include "introcrt.h"

Data Structures
struct	_WINUM_CACHE_EXPORT

struct	_WINUM_CACHE_MEMORY_FUNCS

struct	_WINUM_CACHE_EXPORTS

struct	_WINUM_MODULE_CACHE

Macros
#define	MAX_OFFSETS_PER_NAME 10
	We can have up to this many exports pointing to the same RVA. More...

#define	WINUMCACHE_MAX_EXPORTS 10000u
	We will not cache more than this many exports. More...

Typedefs
typedef struct _WIN_PROCESS_MODULE	WIN_PROCESS_MODULE

typedef struct _WINUM_CACHE_EXPORT	WINUM_CACHE_EXPORT

typedef struct _WINUM_CACHE_EXPORT *	PWINUM_CACHE_EXPORT

typedef struct _WINUM_CACHE_MEMORY_FUNCS	WINUM_CACHE_MEMORY_FUNCS

typedef struct _WINUM_CACHE_MEMORY_FUNCS *	PWINUM_CACHE_MEMORY_FUNCS

typedef struct _WINUM_CACHE_EXPORTS	WINUM_CACHE_EXPORTS

typedef struct _WINUM_CACHE_EXPORTS *	PWINUM_CACHE_EXPORTS

typedef struct _WINUM_MODULE_CACHE	WINUM_MODULE_CACHE

typedef struct _WINUM_MODULE_CACHE *	PWINUM_MODULE_CACHE

Functions
INTSTATUS	IntWinUmModCacheSetHeaders (WIN_PROCESS_MODULE Module, BYTE Headers)
	Sets the MZ/PE headers in the cache of a given module. More...

void	IntWinUmModCacheGet (WIN_PROCESS_MODULE *Module)
	Initializes the cache for the provided module. More...

void	IntWinUmModCacheRelease (WINUM_MODULE_CACHE *Cache)
	Removes a module cache, if it was written (it's dirty). More...

void	IntWinUmCacheUninit (void)
	Uninit the module cache system. This will remove all cache entries. Use this during Introcore uninit. More...

WINUM_CACHE_EXPORT *	IntWinUmModCacheExportFind (WIN_PROCESS_MODULE *Module, DWORD Rva, DWORD ErrorRange)
	Tries to find an export in the range [Rva, Rva + ErrorRange]. More...

BOOLEAN	IntWinUmCacheIsExportDirRead (WIN_PROCESS_MODULE *Module)
	Checks if the exports directory of the given module has been read. More...

WINUM_CACHE_EXPORT *	IntWinUmCacheGetExportFromRange (WIN_PROCESS_MODULE *Module, QWORD Gva, DWORD Length)
	Tries to find an export in the range [Gva - Length, Gva]. More...

Macro Definition Documentation

◆ MAX_OFFSETS_PER_NAME

#define MAX_OFFSETS_PER_NAME 10

We can have up to this many exports pointing to the same RVA.

Definition at line 13 of file winumcache.h.

Referenced by IntWinModHandleExportsInMemory().

◆ WINUMCACHE_MAX_EXPORTS

#define WINUMCACHE_MAX_EXPORTS 10000u

We will not cache more than this many exports.

Definition at line 112 of file winumcache.h.

Referenced by IntWinModHandleExportsInMemory().

Typedef Documentation

◆ PWINUM_CACHE_EXPORT

typedef struct _WINUM_CACHE_EXPORT * PWINUM_CACHE_EXPORT

◆ PWINUM_CACHE_EXPORTS

typedef struct _WINUM_CACHE_EXPORTS * PWINUM_CACHE_EXPORTS

◆ PWINUM_CACHE_MEMORY_FUNCS

typedef struct _WINUM_CACHE_MEMORY_FUNCS * PWINUM_CACHE_MEMORY_FUNCS

◆ PWINUM_MODULE_CACHE

typedef struct _WINUM_MODULE_CACHE * PWINUM_MODULE_CACHE

◆ WIN_PROCESS_MODULE

typedef struct _WIN_PROCESS_MODULE WIN_PROCESS_MODULE

Definition at line 10 of file winumcache.h.

◆ WINUM_CACHE_EXPORT

typedef struct _WINUM_CACHE_EXPORT WINUM_CACHE_EXPORT

Describes a cached exported RVA (Relative Virtual Address).

◆ WINUM_CACHE_EXPORTS

typedef struct _WINUM_CACHE_EXPORTS WINUM_CACHE_EXPORTS

Describes an exports cache.

◆ WINUM_CACHE_MEMORY_FUNCS

typedef struct _WINUM_CACHE_MEMORY_FUNCS WINUM_CACHE_MEMORY_FUNCS

This structure describes the exported memory related functions.

◆ WINUM_MODULE_CACHE

typedef struct _WINUM_MODULE_CACHE WINUM_MODULE_CACHE

Describes one module cache.

Function Documentation

◆ IntWinUmCacheGetExportFromRange()

WINUM_CACHE_EXPORT* IntWinUmCacheGetExportFromRange	(	WIN_PROCESS_MODULE *	Module,
		QWORD	Gva,
		DWORD	Length
	)

Tries to find an export in the range [Gva - Length, Gva].

Given Module, it will try to find a valid export which lies at most Length bytes before the provided Gva.

Parameters

[in]	Module	The module where the export is searched.
[in]	Gva	Gva to start the search at.
[in]	Length	Maximum number of bytes to search backwards to see if an export is found.

Returns: A pointer to the WINUM_CACHE_EXPORT structure, if an export is found, or NULL if no export is found.

Definition at line 225 of file winumcache.c.

Referenced by IntAlertEptFillFromVictimZone(), IntExceptGetVictimProcess(), IntExceptKernelUserLogWindowsInformation(), IntExceptUserLogWindowsInformation(), IntExceptVerifyExportSig(), and IntSerializeExport().

◆ IntWinUmCacheIsExportDirRead()

BOOLEAN IntWinUmCacheIsExportDirRead ( WIN_PROCESS_MODULE * Module )

Checks if the exports directory of the given module has been read.

Returns: True if the exports dir has been read, or false otherwise.

Definition at line 1063 of file winumcache.c.

Referenced by IntAlertEptFillFromVictimZone().

◆ IntWinUmCacheUninit()

void IntWinUmCacheUninit ( void )

Uninit the module cache system. This will remove all cache entries. Use this during Introcore uninit.

Definition at line 1082 of file winumcache.c.

Referenced by IntWinGuestUninit().

◆ IntWinUmModCacheExportFind()

WINUM_CACHE_EXPORT* IntWinUmModCacheExportFind	(	WIN_PROCESS_MODULE *	Module,
		DWORD	Rva,
		DWORD	ErrorRange
	)

Tries to find an export in the range [Rva, Rva + ErrorRange].

Given Module, it will try to find a valid export which lies within the [Rva, Rva + ErrorRange] interval.

Parameters

[in]	Module	The module where the export is searched.
[in]	Rva	Rva to start the search at.
[in]	ErrorRange	Maximum interval to search after the provided Rva.

Returns: A pointer to the WINUM_CACHE_EXPORT structure, if an export is found, or NULL if no export is found.

Definition at line 262 of file winumcache.c.

Referenced by IntWinThrHandleQueueApc(), and IntWinUmCacheGetExportFromRange().

◆ IntWinUmModCacheGet()

void IntWinUmModCacheGet ( WIN_PROCESS_MODULE * Module )

Initializes the cache for the provided module.

If a cache already exists for the indicated module (because an instance of it has already been loaded), it will be used for this module as well. Otherwise, a new cache will be created for this module. If other instances of this module get loaded, they will be able to reuse the same cache structure.

Parameters

[in] Module The module for which the cache is to be created.

Definition at line 936 of file winumcache.c.

Referenced by IntWinModHandleModulePathInMemory().

◆ IntWinUmModCacheRelease()

void IntWinUmModCacheRelease ( WINUM_MODULE_CACHE * Cache )

Removes a module cache, if it was written (it's dirty).

NOTE: This function gets called when a module is unloaded. However, we will not destroy the cache, unless it is dirty (it has been loaded statically).

Parameters

[in] Cache The cache to be removed if dirty.

Definition at line 1000 of file winumcache.c.

Referenced by IntWinModRemoveModule().

◆ IntWinUmModCacheSetHeaders()

INTSTATUS IntWinUmModCacheSetHeaders	(	WIN_PROCESS_MODULE *	Module,
		BYTE *	Headers
	)

Sets the MZ/PE headers in the cache of a given module.

Parameters

[in]	Module	The module whose headers are to be set.
[in]	Headers	Buffer containing the MZ/PE headers.

Return values

INT_STATUS_SUCCESS On success.

Definition at line 1025 of file winumcache.c.

Referenced by IntWinModHandleModuleHeadersInMemory().

Data Structures

Macros

Typedefs

Functions

Macro Definition Documentation

◆ MAX_OFFSETS_PER_NAME

◆ WINUMCACHE_MAX_EXPORTS

Typedef Documentation

◆ PWINUM_CACHE_EXPORT

◆ PWINUM_CACHE_EXPORTS

◆ PWINUM_CACHE_MEMORY_FUNCS

◆ PWINUM_MODULE_CACHE

◆ WIN_PROCESS_MODULE

◆ WINUM_CACHE_EXPORT

◆ WINUM_CACHE_EXPORTS

◆ WINUM_CACHE_MEMORY_FUNCS

◆ WINUM_MODULE_CACHE

Function Documentation

◆ IntWinUmCacheGetExportFromRange()

◆ IntWinUmCacheIsExportDirRead()

◆ IntWinUmCacheUninit()

◆ IntWinUmModCacheExportFind()

◆ IntWinUmModCacheGet()

◆ IntWinUmModCacheRelease()

◆ IntWinUmModCacheSetHeaders()