Abstraction for the Windows NT kernel. More...

#include <NtKernel.hh>

Public Member Functions
virtual const DBGKD_GET_VERSION64 &	KdVersionBlock () const =0
	Get the KdVersionBlock from the kernel.

virtual const KDDEBUGGER_DATA64 &	KdDebuggerDataBlock () const =0
	Get the KdDebuggerDataBlock from the kernel.

virtual const ServiceDescriptorTable &	KeServiceDescriptorTable () const =0
	Get the KeServiceDescriptorTable.

virtual const ServiceDescriptorTable &	KeServiceDescriptorTableShadow () const =0
	Get the KeServiceDescriptorTableShadow.

virtual bool	hasObHeaderCookie () const =0
	Check if the kernel has an ObHeaderCookieValue.

virtual uint8_t	ObHeaderCookie () const =0
	Get the ObHeaderCookie if one exists.

virtual const nt::NtBuildLab &	NtBuildLab () const =0
	Get the build label.

virtual uint16_t	NtBuildNumber () const =0
	Get the build number.

virtual uint16_t	MajorVersion () const =0
	Get the major version of the kernel.

virtual uint16_t	MinorVersion () const =0
	Get the minor version of the kernel.

virtual unsigned int	cpu_count () const =0
	Get the number of CPUs that Windows has configured.

virtual guest_ptr< void >	symbol (const std::string &name) const =0
	Return true if the kernel is a 64-bit version.

virtual const guest_ptr< void > &	ptr () const =0
	Get the base address of the kernel.

virtual uint64_t	InvalidPteMask () const =0
	Get the value of the InvalidPteMask field from MI_SYSTEM_INFORMATION.

virtual const TypeTable &	types () const =0
	Get the type table.

virtual const pe::PE &	pe () const =0
	Get the PE (Portable Executable) image of the kernel.

virtual std::shared_ptr< OBJECT_DIRECTORY >	RootDirectoryObject () const =0
	Get the PDB for the kernel image.

virtual std::unique_ptr< HANDLE_TABLE >	CidTable ()=0
	Get the PspCidTable from the kernel.

virtual std::unique_ptr< const HANDLE_TABLE >	CidTable () const =0
	Get the PspCidTable from the kernel.

virtual std::vector< std::shared_ptr< const LDR_DATA_TABLE_ENTRY > >	PsLoadedModuleList () const =0
	Get the kernel's loaded module list.

virtual std::string	get_device_drive_letter (const nt::DEVICE_OBJECT &device) const =0
	Get the drive letter associated with a device.

virtual KPCR &	kpcr (const Vcpu &vcpu)=0
	Get the KPCR for the given vcpu.

virtual const KPCR &	kpcr (const Vcpu &vcpu) const =0
	Get the KPCR that belongs to the given vcpu (const overload)

virtual const WindowsGuest &	guest () const =0
	Get the guest the kernel is running on.

virtual bool	x64 () const =0
	Check if the kernel is for x64.

virtual const mspdb::PDB &	pdb () const =0
	Get the PDB file for this type container.

virtual std::shared_ptr< THREAD >	thread (const guest_ptr< void > &ptr) const =0
	Get the THREAD at the given address.

virtual std::shared_ptr< PROCESS >	process (const guest_ptr< void > &ptr) const =0
	Get the PROCESS at the given address.

virtual std::string	profile_path () const =0
	Get the introvirt profile directory for this kernel.

virtual	~NtKernel ()=default

Detailed Description

Abstraction for the Windows NT kernel.

Examples: ivprocinfo.cc, ivservicetable.cc, and ivsessions.cc.

Constructor & Destructor Documentation

◆ ~NtKernel()

virtual introvirt::windows::nt::NtKernel::~NtKernel ( )

virtualdefault

Member Function Documentation

◆ CidTable() [1/2]

virtual std::unique_ptr< const HANDLE_TABLE > introvirt::windows::nt::NtKernel::CidTable ( ) const

pure virtual

Get the PspCidTable from the kernel.

The PspCidTable is a special HANDLE_TABLE, containing all of the PROCESS and THREAD objects.

Returns: The CidTable from the kernel

Exceptions

SymbolNotFoundException If the PspCidTable symbol does not exist

◆ CidTable() [2/2]

virtual std::unique_ptr< HANDLE_TABLE > introvirt::windows::nt::NtKernel::CidTable ( )

pure virtual

Get the PspCidTable from the kernel.

The PspCidTable is a special HANDLE_TABLE, containing all of the PROCESS and THREAD objects.

Returns: The CidTable from the kernel

Exceptions

SymbolNotFoundException If the PspCidTable symbol does not exist

Examples: ivmemwatch.cc, ivprocinfo.cc, ivservicetable.cc, and ivsessions.cc.

◆ cpu_count()

virtual unsigned int introvirt::windows::nt::NtKernel::cpu_count ( ) const

pure virtual

Get the number of CPUs that Windows has configured.

Returns: unsigned int

◆ get_device_drive_letter()

virtual std::string introvirt::windows::nt::NtKernel::get_device_drive_letter ( const nt::DEVICE_OBJECT & device ) const

pure virtual

Get the drive letter associated with a device.

Parameters

device The device to get a drive letter for

Returns: A string containing the device's drive letter

◆ guest()

virtual const WindowsGuest & introvirt::windows::nt::NtKernel::guest ( ) const

pure virtual

Get the guest the kernel is running on.

Returns: The guest the kernel is running on

◆ hasObHeaderCookie()

virtual bool introvirt::windows::nt::NtKernel::hasObHeaderCookie ( ) const

pure virtual

Check if the kernel has an ObHeaderCookieValue.

Returns: true If an ObHeaderCookie value is in use; false if the kernel does not have an ObHeaderCookie

◆ InvalidPteMask()

virtual uint64_t introvirt::windows::nt::NtKernel::InvalidPteMask ( ) const

pure virtual

Get the value of the InvalidPteMask field from MI_SYSTEM_INFORMATION.

Returns: uint64_t

◆ KdDebuggerDataBlock()

virtual const KDDEBUGGER_DATA64 & introvirt::windows::nt::NtKernel::KdDebuggerDataBlock ( ) const

pure virtual

Get the KdDebuggerDataBlock from the kernel.

This is a structure used by debuggers

Returns: The KdDebuggerDataBlock from the kernel

◆ KdVersionBlock()

virtual const DBGKD_GET_VERSION64 & introvirt::windows::nt::NtKernel::KdVersionBlock ( ) const

pure virtual

Get the KdVersionBlock from the kernel.

This is a structure used by debuggers

Returns: The KdVersionBlock from the kernel

◆ KeServiceDescriptorTable()

virtual const ServiceDescriptorTable & introvirt::windows::nt::NtKernel::KeServiceDescriptorTable ( ) const

pure virtual

Get the KeServiceDescriptorTable.

This is the first system call table in the kernel. It seems to only contain NT system call information.

◆ KeServiceDescriptorTableShadow()

virtual const ServiceDescriptorTable & introvirt::windows::nt::NtKernel::KeServiceDescriptorTableShadow ( ) const

pure virtual

Get the KeServiceDescriptorTableShadow.

This is the second system call table in the kernel. It seems to contain NT + Win32k system call information.

Examples: ivservicetable.cc.

◆ kpcr() [1/2]

virtual const KPCR & introvirt::windows::nt::NtKernel::kpcr ( const Vcpu & vcpu ) const

pure virtual

Get the KPCR that belongs to the given vcpu (const overload)

Parameters

vcpu	The vcpu to get the KPCR for

Returns: The KPCR that belongs to the given vcpu

◆ kpcr() [2/2]

virtual KPCR & introvirt::windows::nt::NtKernel::kpcr ( const Vcpu & vcpu )

pure virtual

Get the KPCR for the given vcpu.

Parameters

vcpu	The vcpu to get the KPCR for

Returns: The KPCR that belongs to the given vcpu

◆ MajorVersion()

virtual uint16_t introvirt::windows::nt::NtKernel::MajorVersion ( ) const

pure virtual

Get the major version of the kernel.

Returns: The kernel's major version

◆ MinorVersion()

virtual uint16_t introvirt::windows::nt::NtKernel::MinorVersion ( ) const

pure virtual

Get the minor version of the kernel.

Returns: The kernel's minor version

◆ NtBuildLab()

virtual const nt::NtBuildLab & introvirt::windows::nt::NtKernel::NtBuildLab ( ) const

pure virtual

Get the build label.

Returns: The build label for the kernel

◆ NtBuildNumber()

virtual uint16_t introvirt::windows::nt::NtKernel::NtBuildNumber ( ) const

pure virtual

Get the build number.

Returns: The value of the NtBuildNumber symbol

◆ ObHeaderCookie()

virtual uint8_t introvirt::windows::nt::NtKernel::ObHeaderCookie ( ) const

pure virtual

Get the ObHeaderCookie if one exists.

Returns: The ObHeaderCookie from the kernel

◆ pdb()

virtual const mspdb::PDB & introvirt::windows::nt::NtKernel::pdb ( ) const

pure virtual

Get the PDB file for this type container.

Returns: The PDB instance

Examples: ivservicetable.cc.

◆ pe()

virtual const pe::PE & introvirt::windows::nt::NtKernel::pe ( ) const

pure virtual

Get the PE (Portable Executable) image of the kernel.

Returns: The PE of the kernel

Examples: ivguestinfo.cc.

◆ process()

virtual std::shared_ptr< PROCESS > introvirt::windows::nt::NtKernel::process ( const guest_ptr< void > & ptr ) const

pure virtual

Get the PROCESS at the given address.

Parameters

ptr	Guest address of the process object

Returns: std::shared_ptr<nt::PROCESS>

Examples: ivprocinfo.cc, ivservicetable.cc, and ivsessions.cc.

◆ profile_path()

virtual std::string introvirt::windows::nt::NtKernel::profile_path ( ) const

pure virtual

Get the introvirt profile directory for this kernel.

Returns: std::string

◆ PsLoadedModuleList()

virtual std::vector< std::shared_ptr< const LDR_DATA_TABLE_ENTRY > > introvirt::windows::nt::NtKernel::PsLoadedModuleList ( ) const

pure virtual

Get the kernel's loaded module list.

Returns: std::vector<std::unique_ptr<const LDR_DATA_TABLE_ENTRY>>

◆ ptr()

virtual const guest_ptr< void > & introvirt::windows::nt::NtKernel::ptr ( ) const

pure virtual

Get the base address of the kernel.

Returns: The base address of the kernel

Examples: ivservicetable.cc.

◆ RootDirectoryObject()

virtual std::shared_ptr< OBJECT_DIRECTORY > introvirt::windows::nt::NtKernel::RootDirectoryObject ( ) const

pure virtual

Get the PDB for the kernel image.

This is just a helper call to pe().pdb().

Returns: The PDB for the kernel image

Get the RootDirectoryObject from the kernel

Returns: The root directory object, which all kernel objects live under

Exceptions

SymbolNotFoundException If the ObpRootDirectoryObject symbol does not exist

◆ symbol()

virtual guest_ptr< void > introvirt::windows::nt::NtKernel::symbol ( const std::string & name ) const

pure virtual

Return true if the kernel is a 64-bit version.

Returns: true If the kernel is 64-bit; false If the kernel is

Look up a symbol by name and return its address

Parameters

name	The name of the symbol to retrieve

Returns: The address of the symbol

Exceptions

SymbolNotFoundException If the symbol does not exist

◆ thread()

virtual std::shared_ptr< THREAD > introvirt::windows::nt::NtKernel::thread ( const guest_ptr< void > & ptr ) const

pure virtual

Get the THREAD at the given address.

Parameters

ptr	Guest address of the thread object

Returns: std::shared_ptr<nt::THREAD>

◆ types()

virtual const TypeTable & introvirt::windows::nt::NtKernel::types ( ) const

pure virtual

Get the type table.

Returns: const TypeTable&

◆ x64()

virtual bool introvirt::windows::nt::NtKernel::x64 ( ) const

pure virtual

Check if the kernel is for x64.

Returns: true If the kernel is for x64; false If the kernel is for x32

The documentation for this class was generated from the following file:

/home/runner/work/IntroVirt/IntroVirt/include/introvirt/windows/kernel/nt/NtKernel.hh

Public Member Functions

Detailed Description

Constructor & Destructor Documentation

◆ ~NtKernel()

Member Function Documentation

◆ CidTable() [1/2]

◆ CidTable() [2/2]

◆ cpu_count()

◆ get_device_drive_letter()

◆ guest()

◆ hasObHeaderCookie()

◆ InvalidPteMask()

◆ KdDebuggerDataBlock()

◆ KdVersionBlock()

◆ KeServiceDescriptorTable()

◆ KeServiceDescriptorTableShadow()

◆ kpcr() [1/2]

◆ kpcr() [2/2]

◆ MajorVersion()

◆ MinorVersion()

◆ NtBuildLab()

◆ NtBuildNumber()

◆ ObHeaderCookie()

◆ pdb()

◆ pe()

◆ process()

◆ profile_path()

◆ PsLoadedModuleList()

◆ ptr()

◆ RootDirectoryObject()

◆ symbol()

◆ thread()

◆ types()

◆ x64()