24#include <mspdb/PDB.hh>
/**
 * @brief Get the PspCidTable from the kernel.
 *
 * Pure virtual; the concrete kernel implementation supplies the lookup.
 *
 * @return A std::unique_ptr owning the returned HANDLE_TABLE object.
 *
 * NOTE(review): the table presumably reflects guest kernel memory, so its
 * entries should be treated as untrusted input by introspection code.
 * Confirm against the implementation.
 */
194 virtual std::unique_ptr<HANDLE_TABLE>
CidTable() = 0;
/**
 * @brief Get the PspCidTable from the kernel (const overload).
 *
 * Callable on a const NtKernel. The pointee is const, so the returned
 * HANDLE_TABLE cannot be modified through this pointer.
 *
 * @return A std::unique_ptr owning a const HANDLE_TABLE object.
 */
199 virtual std::unique_ptr<const HANDLE_TABLE>
CidTable()
const = 0;
/**
 * @brief Check if the kernel is for x64.
 *
 * @return bool; presumably true for an x64 kernel (the value is supplied by
 *         the implementation, which is not shown here).
 */
244 virtual bool x64()
const = 0;
/**
 * @brief Get the PDB (mspdb::PDB) associated with this kernel object.
 *
 * @return A const reference to the PDB. No ownership is transferred.
 *         NOTE(review): the reference is presumably valid only while this
 *         NtKernel instance is alive. Confirm against the implementation.
 */
251 virtual const mspdb::PDB&
pdb()
const = 0;
A class representing a single virtual processor.
Definition Vcpu.hh:33
Definition guest_ptr.hh:88
Windows Service Descriptor Table.
Definition ServiceDescriptorTable.hh:33
A representation of a Windows Guest OS.
Definition WindowsGuest.hh:33
Definition DBGKD_GET_VERSION64.hh:32
Class for the Windows NT DEVICE_OBJECT structure.
Definition DEVICE_OBJECT.hh:38
Definition KDDEBUGGER_DATA64.hh:27
The KPCR (Kernel Processor Control Region) is used by Windows to hold information about the current t...
Definition KPCR.hh:32
Definition NtBuildLab.hh:26
Abstraction for the Windows NT kernel.
Definition NtKernel.hh:37
virtual uint16_t NtBuildNumber() const =0
Get the build number.
virtual const DBGKD_GET_VERSION64 & KdVersionBlock() const =0
Get the KdVersionBlock from the kernel.
virtual uint64_t InvalidPteMask() const =0
Get the value of the InvalidPteMask field from MI_SYSTEM_INFORMATION.
virtual bool x64() const =0
Check if the kernel is for x64.
virtual std::shared_ptr< OBJECT_DIRECTORY > RootDirectoryObject() const =0
Get the root object directory (OBJECT_DIRECTORY) of the kernel.
virtual uint16_t MinorVersion() const =0
Get the minor version of the kernel.
virtual const pe::PE & pe() const =0
Get the PE (Portable Executable) image of the kernel.
virtual bool hasObHeaderCookie() const =0
Check if the kernel has an ObHeaderCookieValue.
virtual const KPCR & kpcr(const Vcpu &vcpu) const =0
Get the KPCR that belongs to the given vcpu (const overload)
virtual const nt::NtBuildLab & NtBuildLab() const =0
Get the build label.
virtual std::unique_ptr< HANDLE_TABLE > CidTable()=0
Get the PspCidTable from the kernel.
virtual ~NtKernel()=default
virtual unsigned int cpu_count() const =0
Get the number of CPUs that Windows has configured.
virtual uint16_t MajorVersion() const =0
Get the major version of the kernel.
virtual const guest_ptr< void > & ptr() const =0
Get the base address of the kernel.
virtual guest_ptr< void > symbol(const std::string &name) const =0
Look up the kernel symbol with the given name and return its guest address.
virtual uint8_t ObHeaderCookie() const =0
Get the ObHeaderCookie if one exists.
virtual const WindowsGuest & guest() const =0
Get the guest the kernel is running on.
virtual std::unique_ptr< const HANDLE_TABLE > CidTable() const =0
Get the PspCidTable from the kernel (const overload).
virtual const ServiceDescriptorTable & KeServiceDescriptorTableShadow() const =0
Get the KeServiceDescriptorTableShadow.
virtual const TypeTable & types() const =0
Get the type table.
virtual KPCR & kpcr(const Vcpu &vcpu)=0
Get the KPCR for the given vcpu.
virtual std::string get_device_drive_letter(const nt::DEVICE_OBJECT &device) const =0
Get the drive letter associated with a device.
virtual const ServiceDescriptorTable & KeServiceDescriptorTable() const =0
Get the KeServiceDescriptorTable.
virtual std::string profile_path() const =0
Get the introvirt profile directory for this kernel.
virtual std::shared_ptr< PROCESS > process(const guest_ptr< void > &ptr) const =0
Get the PROCESS at the given address.
virtual const KDDEBUGGER_DATA64 & KdDebuggerDataBlock() const =0
Get the KdDebuggerDataBlock from the kernel.
virtual std::shared_ptr< THREAD > thread(const guest_ptr< void > &ptr) const =0
Get the THREAD at the given address.
virtual std::vector< std::shared_ptr< const LDR_DATA_TABLE_ENTRY > > PsLoadedModuleList() const =0
Get the kernel's loaded module list.
virtual const mspdb::PDB & pdb() const =0
Get the PDB file for this type container.
Class for managing NT object types.
Definition TypeTable.hh:35
Parser for Windows Portable Executable (PE) headers.
Definition PE.hh:30
Type-safe guest virtual address pointer and guest_ptr template.
Core IntroVirt classes.
Definition Cr0.hh:20