// windows_vmi.cpp
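/*
 * Walk the guest's active-process list (PsActiveProcessHead, reached via
 * KPCR -> KdVersionBlock) and register the first process that VMI has not
 * seen yet and whose page-directory base equals cr3.
 *
 * env: guest CPU state handed to DECAF_read_mem.
 * cr3: page-directory base of the process that has just become current.
 *
 * Returns the newly created process record, which has also been handed to
 * VMI_create_process (as in the original), or NULL when no matching unseen
 * process exists, a guest-memory read fails, or the list looks corrupted.
 *
 * Everything dereferenced here is read from guest memory, which the
 * introspected OS - or a rootkit inside it - controls. The walk therefore
 * checks every read and bounds the number of visited nodes, so a list
 * that is cyclic or points into unmapped memory cannot make the
 * introspection layer use uninitialised values or spin forever; the
 * original only caught a node that linked to itself.
 */
static process * find_new_process(CPUState *env, uint32_t cr3)
{
    /* Defensive cap on nodes visited per call. Far above any realistic
     * process count; only a malformed guest list ever reaches it. */
    enum { MAX_LIST_WALK = 65536 };
    /* Offset of the page-directory base inside the process object. Kept as
     * the original's literal 0x18; presumably KPROCESS.DirectoryTableBase on
     * 32-bit Windows - TODO confirm and move into the per-OS offset table
     * (handle_funds[].offset) like the other offsets used below. */
    enum { PROC_DIRBASE_OFFSET = 0x18 };

    const uint32_t psapl_off   = handle_funds[GuestOS_index].offset->PSAPL_OFFSET;
    const uint32_t psapid_off  = handle_funds[GuestOS_index].offset->PSAPID_OFFSET;
    const uint32_t psapname_off = handle_funds[GuestOS_index].offset->PSAPNAME_OFFSET;
    const uint32_t psappid_off = handle_funds[GuestOS_index].offset->PSAPPID_OFFSET;

    uint32_t kdvb = 0, psAPH = 0, curr_proc = 0;

    /* DECAF_read_mem reports a failed guest read with a negative return.
     * The original ignored it and went on to use the (then uninitialised)
     * locals as guest addresses. */
    if (DECAF_read_mem(env, gkpcr + KDVB_OFFSET, 4, &kdvb) < 0)
        return NULL;
    if (DECAF_read_mem(env, kdvb + PSAPH_OFFSET, 4, &psAPH) < 0)
        return NULL;
    if (DECAF_read_mem(env, psAPH, 4, &curr_proc) < 0)
        return NULL;

    for (unsigned visited = 0;
         curr_proc != 0 && curr_proc != psAPH && visited < MAX_LIST_WALK;
         visited++)
    {
        /* curr_proc points at the ActiveProcessLinks entry; the process
         * object starts PSAPL_OFFSET bytes before it. */
        const uint32_t curr_proc_base = curr_proc - psapl_off;
        uint32_t pid = 0, proc_cr3 = 0, next_proc = 0;

        /* Fetch the forward link first so every exit path below has a
         * valid successor to move to. */
        if (DECAF_read_mem(env, curr_proc, 4, &next_proc) < 0)
            return NULL;
        if (DECAF_read_mem(env, curr_proc_base + psapid_off, 4, &pid) < 0)
            return NULL;

        /* Only an unknown pid whose directory base is the one now running
         * is a candidate; anything else is skipped. */
        if (VMI_find_process_by_pid(pid) == NULL) {
            if (DECAF_read_mem(env, curr_proc_base + PROC_DIRBASE_OFFSET, 4, &proc_cr3) < 0)
                return NULL;

            if (proc_cr3 == cr3) {
                process *pe = new process();
                pe->EPROC_base_addr = curr_proc_base;
                pe->pid = pid;
                pe->cr3 = proc_cr3;

                if (DECAF_read_mem(env, curr_proc_base + psapname_off, NAMESIZE, pe->name) < 0 ||
                    DECAF_read_mem(env, curr_proc_base + psappid_off, 4, &pe->parent_pid) < 0) {
                    delete pe;   /* partial record must not leak or be registered */
                    return NULL;
                }
                /* The original already reads NAMESIZE bytes into pe->name, so
                 * this index is in bounds. A guest-supplied image name need
                 * not carry a terminator; later string handling relies on one. */
                pe->name[NAMESIZE - 1] = '\0';

                VMI_create_process(pe);
                return pe;
            }
        }

        /* A node that links to itself would otherwise loop forever (the
         * visit cap is the backstop for longer cycles). */
        if (next_proc == curr_proc)
            break;
        curr_proc = next_proc;
    }

    return NULL;
}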