Struct ObjectReader 

pub struct ObjectReader<P: PhysicalMemoryProvider> {
    vas: VirtualAddressSpace<P>,
    symbols: Box<dyn SymbolResolver>,
}

Reads kernel objects from a physical memory dump using symbol information.

Combines a VirtualAddressSpace with a [SymbolResolver] to provide high-level access to kernel data structures like task_struct, modules, etc.

Fields

vas: VirtualAddressSpace<P>

symbols: Box<dyn SymbolResolver>

Implementations

impl<P: PhysicalMemoryProvider> ObjectReader<P>

pub fn new( vas: VirtualAddressSpace<P>, symbols: Box<dyn SymbolResolver>, ) -> Self

Create a new object reader.

pub fn symbols(&self) -> &dyn SymbolResolver

Access the underlying symbol resolver.

pub fn vas(&self) -> &VirtualAddressSpace<P>

Access the underlying virtual address space.

pub fn with_cr3(&self, cr3: u64) -> Self

where P: Clone,

Create a new reader sharing the same physical memory and symbols but using a different page table root (CR3). Useful for switching to a process’s user-mode address space.

pub fn read_field<T: Pod + Default>( &self, base_vaddr: u64, struct_name: &str, field_name: &str, ) -> Result<T>

Read a field from a struct at base_vaddr and interpret it as type T.

Looks up the field offset from the symbol resolver, reads size_of::<T>() bytes from virtual memory, and casts via bytemuck::from_bytes.

pub fn read_pointer( &self, base_vaddr: u64, struct_name: &str, field_name: &str, ) -> Result<u64>

Read a pointer (u64) from a struct field.

pub fn read_string(&self, vaddr: u64, max_len: usize) -> Result<String>

Read a null-terminated string from virtual memory, up to max_len bytes.

pub fn read_field_string( &self, base_vaddr: u64, struct_name: &str, field_name: &str, max_len: usize, ) -> Result<String>

Read a string from a struct field (the field contains inline char data, not a pointer).

pub fn walk_list( &self, head_vaddr: u64, struct_name: &str, list_field: &str, ) -> Result<Vec<u64>>

Walk a Linux list_head doubly-linked list.

Starting from head_vaddr (the address of the list_head embedded in the head/sentinel node), follows next pointers and returns the virtual address of each containing struct (using container_of logic with list_field offset).

Stops when the walk loops back to head_vaddr or hits MAX_LIST_ITERATIONS.

pub fn walk_list_with( &self, head_vaddr: u64, list_struct: &str, next_field: &str, container_struct: &str, list_field: &str, ) -> Result<Vec<u64>>

Walk a doubly-linked list with configurable list struct and field names.

This is a generalized version of walk_list that works with any linked-list structure, not just Linux list_head.

For example, Windows uses _LIST_ENTRY with Flink/Blink fields instead of list_head with next/prev.

Arguments

• head_vaddr — virtual address of the list head (sentinel node)
• list_struct — name of the list-link struct (e.g., "list_head", "_LIST_ENTRY")
• next_field — name of the forward pointer field (e.g., "next", "Flink")
• container_struct — name of the containing struct (e.g., "_EPROCESS")
• list_field — name of the list-link field in the container struct (e.g., "ActiveProcessLinks")

pub fn read_bytes(&self, vaddr: u64, len: usize) -> Result<Vec<u8>>

Read len raw bytes from virtual memory at vaddr.

pub fn required_symbol(&self, name: &str) -> Result<u64>

Resolve a global kernel symbol address, returning an error if absent.

pub fn required_field_offset( &self, struct_name: &str, field_name: &str, ) -> Result<usize>

Resolve a struct field offset, returning an error if absent.

fn read_u64_at(&self, vaddr: u64) -> Result<u64>