All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- Breaking: `VmiOs` trait no longer takes a `Driver` generic parameter; `Driver` is now an associated type (`type Driver: VmiDriver`), along with `type Architecture: Architecture`. This eliminates the redundant `<Driver, Os>` pair from all context types (`VmiSession`, `VmiState`, `VmiContext`, `VmiHandler`), which now only require `<Os>`.
- Breaking: `read_wstring*` methods renamed to `read_string_utf16*` (`read_wstring` -> `read_string_utf16`, `read_wstring_bytes` -> `read_string_utf16_bytes`, and their `_limited`/`_in` variants)
- Breaking: `VmiDriver` split into a base trait and composable sub-traits `VmiRead`, `VmiWrite`, `VmiQueryProtection`, `VmiSetProtection`, `VmiQueryRegisters`, `VmiSetRegisters`, `VmiViewControl`, `VmiEventControl`, `VmiVmControl`
  - Context types (`VmiOs`, `VmiSession`, `VmiState`, `VmiContext`, `VmiHandler`) relaxed to `VmiDriver`, with methods gated behind the minimal bounds they require
  - Dump drivers now only implement `VmiDriver`, `VmiRead`, and `VmiQueryRegisters`
- Breaking: `WindowsThread::attached_process()` renamed to `WindowsThread::current_process()`
- Breaking: `InjectorHandler` now accepts `VmiSession` instead of `VmiCore`
- Breaking: `InjectorHandler` refactored into a generic delegation wrapper with `ExecutionMode`-based dispatch
- Breaking: Bridge trait hierarchy restructured: `BridgeHandler` split into `BridgeContract` (magic/verification constants), `BridgeHandler` (per-request handling), and `BridgeDispatch` (packet routing). The `Bridge` generic parameter on injector types is now bounded on `BridgeDispatch` instead of `BridgeHandler`
- Breaking: Injectors now use VMCALL (`GuestRequest`) instead of CPUID for guest-host bridge communication. Existing guest-side shellcode using CPUID must be updated
- Breaking: `VmiHandler::check_completion()` renamed to `VmiHandler::poll()`
- Breaking: `VmiEventResponse` redesigned from bitflags to an enum-based action model:
  - `VmiEventResponseFlags` removed, replaced by `VmiEventAction` enum with variants: `Continue`, `Deny`, `ReinjectInterrupt`, `Singlestep`, `FastSinglestep`, `Emulate`
  - `VmiEventResponse` fields changed: `flags` -> `action`
  - Builder methods `and_reinject_interrupt()`, `and_singlestep()`, `and_fast_singlestep()`, `and_emulate()` removed
  - `set_view()`/`and_set_view()` replaced by `with_view()`
  - `set_registers()`/`and_set_registers()` replaced by `with_registers()`
  - New: `VmiEventResponse::deny()` for suppressing CR/MSR write side effects
  - Singlestep now has one-shot semantics. The Xen driver automatically disables singlestep when a singlestep handler returns without `VmiEventAction::Singlestep`. Callers no longer need to manually toggle it off.
  - `fast_singlestep` now requires a `View` parameter (the view to execute in)
- Breaking: GFN allocation API redesigned:
  - `allocate_gfn(gfn)` renamed to `allocate_gfn_at(gfn)` for allocating a specific GFN
  - `allocate_gfn()` now takes no parameters and returns `Result<Gfn, VmiError>`, with the driver choosing the GFN to allocate
  - `VmiCore::allocate_next_available_gfn()` removed (use `allocate_gfn()` instead)
- `KernelInjectorHandler`/`UserInjectorHandler` type aliases
- Kernel-mode injection handler (`KernelMode`)
- `inject!` macro now supports `nt!` prefix for kernel symbol lookup
- `WindowsThread::is_attached()` - checks if a thread is attached to a foreign process (via `_KTHREAD.ApcStateIndex`)
- `WindowsThread::saved_process()` - returns the thread's home process when attached to a foreign process (via `_KTHREAD.SavedApcState.Process`)
- `WindowsThread::teb()` and `WindowsThread::native_teb()` - return the thread's TEB
- `WindowsThread::trap_frame()` + `struct WindowsTrapFrame` - returns the thread's trap frame
- `WindowsProcess::native_peb()` - returns the process's native PEB (via `_EPROCESS.Peb`)
- `WindowsProcess::is_wow64()` - checks if the process is a WoW64 process (via `_EPROCESS.WoW64Process`)
- `WindowsExceptionVector` trait for Windows-specific exception vectors (APC, DPC)
- `WindowsInterrupt` trait for creating Windows-specific interrupts
- `WindowsPageTableEntry` trait made public
- `ptm::arch` module made public, exposing `ArchAdapter`
- `KiDeliverApc` kernel symbol
- `WindowsTeb::tls_slot()` for reading thread-local storage slots
- WoW64 TLS slot constants (`WOW64_TLS_CPURESERVED`, ...)
- `FromWindowsObject` trait for typed conversion from `WindowsObject`
- `WindowsProcess::lookup_object()` method for typed handle lookup
- `WindowsThreadState` enum representing `KTHREAD_STATE` scheduling states
- `WindowsThread::state()` - returns the thread's scheduling state (via `_KTHREAD.State`)
- `BreakpointManager::handle_ptm_events()` - batch processing for page table monitor events
- `GpRegisters` marker trait in `vmi-core` for general-purpose register sets
- Updated lifetime annotations to avoid warnings on Rust 1.89
- `RecipeContext` and `RecipeExecutor` now operate over `VmiState` instead of `VmiContext`
- `WindowsOs::object_type` - to return `WindowsObjectType` from `WindowsObjectTypeKind`
- Fixed handling of large page table entries in `PageTableMonitor`
- Fixed finding of `ntoskrnl` for recent Windows versions
- Switched to Rust edition 2024 and MSRV 1.85
- These functions now return `Option`:
  - `WindowsProcess::peb()`
  - `WindowsProcess::handle_table()`
- `InjectorHandler::inject()` now returns a `Result<InjectorResultCode, BridgePacket>` instead of `()`
- `WindowsHandleTable::iter()` now returns `HandleTableEntryIterator`
- `VmiOs` refactored from the ground up
  - Each OS component is now a separate struct
  - Common OS components are now traits (`VmiOsProcess`, `VmiOsThread`, ...)
- `VmiHandler::finished()` is renamed to `VmiHandler::check_completion()`, which now returns an `Option<Output>` instead of a `bool`
- New drivers for offline analysis
  - `VmiDriverKdmp`, `VmiDriverXenCoreDump`
- Implemented handling of PFN changes in the `PageTableMonitor`
- Added `Output` type to the `VmiHandler`
- `vmi_core::os::OsModule` + `VmiOs::modules()` to get the list of loaded modules
- Return `PageIn` event when connecting an intermediate PTE