5 #ifndef _WINUM_CACHE_H_
6 #define _WINUM_CACHE_H_
13 #define MAX_OFFSETS_PER_NAME 10
112 #define WINUMCACHE_MAX_EXPORTS 10000u
158 #endif // _WINUM_CACHE_H_
BOOLEAN ExportDirRead
True if the exports directory has been read.
RBTREE Tree
The RB tree containing all the exports (WINUM_CACHE_EXPORT entries).
DWORD IatSize
Size of the imports table.
BOOLEAN MemoryFuncsRead
True if the memory functions have been identified.
struct _WINUM_CACHE_EXPORTS WINUM_CACHE_EXPORTS
struct _WINUM_CACHE_EXPORTS * PWINUM_CACHE_EXPORTS
void IntWinUmModCacheRelease(WINUM_MODULE_CACHE *Cache)
Removes a module cache, if it was written (it's dirty).
DWORD StartNames
First RVA pointing to the exported names.
DWORD NumberOfOffsets
Number of symbols pointing to the exported RVA (at most MAX_OFFSETS_PER_NAME).
struct _WINUM_CACHE_MEMORY_FUNCS * PWINUM_CACHE_MEMORY_FUNCS
int INTSTATUS
The status data type.
DWORD EatRva
RVA of the exports table.
DWORD EndNames
Last RVA pointing to the exported names.
WINUM_CACHE_EXPORT * IntWinUmModCacheExportFind(WIN_PROCESS_MODULE *Module, DWORD Rva, DWORD ErrorRange)
Tries to find an export in the range [Rva, Rva + ErrorRange].
struct _WINUM_MODULE_CACHE WINUM_MODULE_CACHE
WINUM_CACHE_MEMORY_FUNCS MemFuncs
Memory related functions RVAs.
WINUM_CACHE_EXPORT * Array
The array of WINUM_CACHE_EXPORT entries.
struct _WINUM_MODULE_CACHE * PWINUM_MODULE_CACHE
BOOLEAN Wow64
True if this module is Wow64.
DWORD MemmoveSRva
RVA of the memmove_s function.
struct _WINUM_CACHE_EXPORT * PWINUM_CACHE_EXPORT
LIST_ENTRY Link
Link inside the global list of module caches.
DWORD MemmoveRva
RVA of the memmove function.
DWORD MemcpyRva
RVA of the memcpy function.
DWORD TimeDateStamp
Module time & date stamp.
struct _WINUM_CACHE_EXPORT WINUM_CACHE_EXPORT
DWORD NameOffsets[MAX_OFFSETS_PER_NAME]
Name RVAs pointing to this exported RVA.
void IntWinUmModCacheGet(WIN_PROCESS_MODULE *Module)
Initializes the cache for the provided module.
DWORD Rva
The RVA of this export.
BOOLEAN IntWinUmCacheIsExportDirRead(WIN_PROCESS_MODULE *Module)
Checks if the exports directory of the given module has been read.
DWORD MemcpySRva
RVA of the memcpy_s function.
DWORD EatSize
Size of the exports table.
DWORD NameHashes[MAX_OFFSETS_PER_NAME]
Hashes of the names pointing to this RVA.
#define _In_reads_bytes_(expr)
DWORD SizeOfImage
Size of image.
DWORD NameLens[MAX_OFFSETS_PER_NAME]
Length of each name pointing to this RVA.
DWORD MemsetRva
RVA of the memset function.
#define MAX_OFFSETS_PER_NAME
We can have up to this many exported names pointing to the same RVA; this constant sizes the per-export NameOffsets, NameHashes, NameLens and Names[] arrays.
BOOLEAN Dirty
True if this cache was created for a module loaded by a statically detected process. Dirty caches are NOT reused by other loaded modules, and they will be destroyed when the module is unloaded.
WINUM_CACHE_EXPORT * IntWinUmCacheGetExportFromRange(WIN_PROCESS_MODULE *Module, QWORD Gva, DWORD Length)
Tries to find an export in the range [Gva - Length, Gva].
RBNODE RbNode
RB tree node entry.
PCHAR Names[MAX_OFFSETS_PER_NAME]
The names pointing to this RVA. Each name will point inside the Names structure inside WINUM_CACHE_EX...
void IntWinUmCacheUninit(void)
Uninitializes the module cache system. This will remove all cache entries. Use this during Introcore uninit...
struct _WINUM_CACHE_MEMORY_FUNCS WINUM_CACHE_MEMORY_FUNCS
INTSTATUS IntWinUmModCacheSetHeaders(WIN_PROCESS_MODULE *Module, BYTE *Headers)
Sets the MZ/PE headers in the cache of a given module.
DWORD IatRva
RVA of the imports table.
BYTE * Headers
A buffer containing the MZ/PE headers of this module.
WINUM_CACHE_EXPORTS Exports
The exports cache.
DWORD ModuleNameHash
The hash of the name of the cached module.
PCHAR Names
A pointer to a contiguous memory area containing all the exported names.