- Generated by
1.8.13
|
Bitdefender Hypervisor Memory Introspection
|
#include <stdint.h>#include <signal.h>#include <stddef.h>#include <stdbool.h>#include <errno.h>Go to the source code of this file.
Macros | |
| #define | MAX_ERRNO 4095 |
| #define | GFP_KERNEL 0x14000c0 |
| #define | O_RDONLY 00000000 |
| #define | O_WRONLY 00000001 |
| #define | O_RDWR 00000002 |
| #define | O_CREAT 00000100 |
| #define | O_EXCL 00000200 |
| #define | O_TRUNC 00001000 |
| #define | S_IRWXU 00700 |
| #define | S_IRUSR 00400 |
| #define | S_IWUSR 00200 |
| #define | S_IXUSR 00100 |
| #define | S_IRWXG 00070 |
| #define | S_IRGRP 00040 |
| #define | S_IWGRP 00020 |
| #define | S_IXGRP 00010 |
| #define | S_IRWXO 00007 |
| #define | S_IROTH 00004 |
| #define | S_IWOTH 00002 |
| #define | S_IXOTH 00001 |
| #define | UMH_NO_WAIT 0 |
| #define | UMH_WAIT_EXEC 1 |
| #define | UMH_WAIT_PROC 2 |
| #define | UMH_KILLABLE 4 |
| #define | LIX_NAME_MAX 128 |
| #define | __VMALLOC_BASE_L4 0xffffc90000000000UL |
| #define | __VMALLOC_BASE_L5 0xffa0000000000000UL |
| #define | VMALLOC_SIZE_TB_L4 32UL |
| #define | VMALLOC_SIZE_TB_L5 12800UL |
| #define | __VMEMMAP_BASE_L4 0xffffea0000000000UL |
| #define | __VMEMMAP_BASE_L5 0xffd4000000000000UL |
| #define | VMALLOC_START __VMALLOC_BASE_L4 |
| #define | VMALLOC_SIZE_TB VMALLOC_SIZE_TB_L4 |
| #define | VMEMMAP_START __VMEMMAP_BASE_L4 |
| #define | VMALLOC_END (VMALLOC_START + (VMALLOC_SIZE_TB << 40) - 1) |
| #define | PAGE_KERNEL_EXEC 0x163 |
| #define | KERNEL_VERSION(K, Patch, Sublevel) ((Sublevel) | ((Patch) << 16) | ((K) << 24)) |
| #define | __unreachable __builtin_unreachable() |
| #define | __likely(x) __builtin_expect(!!(x), 1) |
| #define | __unlikely(x) __builtin_expect(!!(x), 0) |
| #define | IS_ERR_VALUE(x) __unlikely((unsigned long)(void *)(x) >= (unsigned long)-MAX_ERRNO) |
| #define | BIT(x) (1ULL << (x)) |
| #define | UNUSED_PARAMETER(P) ((void)(P)) |
| #define | PAGE_SIZE 0x1000 |
| #define | __fn_aligned __attribute__((aligned(1))) |
| #define | __fn_save_all __attribute__((no_caller_saved_registers)) |
| #define | __section(S) __attribute__((section (S))) |
| #define | __default_fn_attr __fn_save_all __fn_aligned |
| #define | __fn_naked __attribute__((naked)) |
| #define | __fn_section(x) __attribute__((__section__(x))) |
| #define | __aligned(x) __attribute__((aligned(x))) |
| #define | __agent_data(x) __section("." x "_data") __aligned(1) |
| Creates a region for data. More... | |
| #define | __agent_text(x) __default_fn_attr __section("." x "_text") |
| Creates a region for source-code. More... | |
| #define | __agent_trampoline(x) __fn_naked __section("." x "_trampoline") |
| Creates a section for trampoline. More... | |
| #define | __agent_exit(x) |
| Generates the exit asm-code using a label. More... | |
| #define | GNUASM_DEFINE_STR(SYMBOL, STR) asm volatile ("#define " SYMBOL " " #STR); |
| Defines an asm string-symbol. More... | |
| #define | GNUASM_DEFINE_VAL(SYMBOL, VALUE) asm volatile ("#define " SYMBOL " %0" :: "n"(VALUE)) |
| Defines an asm value. More... | |
| #define | __exit |
| Generates the exit asm-code for agents. More... | |
| #define | __do_exit(address, do_exit_fn, vfree_fn) |
| Pushes the exit address on the stack and jumps to the 'do_exit' function in order to terminate the thread. More... | |
| #define | __breakpoint_param_1(param) register size_t __p1 asm("r8") = (size_t)(param); asm volatile("" :: "r" (__p1)); |
| Stores the 'param' in the 'r8' register. More... | |
| #define | __breakpoint_param_2(param) register size_t __p2 asm("r9") = (size_t)(param); asm volatile("" :: "r" (__p2)); |
| Stores the 'param' in the 'r9' register. More... | |
| #define | __breakpoint_param_3(param) register size_t __p3 asm("r10") = (size_t)(param); asm volatile("" :: "r" (__p3)); |
| Stores the 'param' in the 'r10' register. More... | |
| #define | __breakpoint_param_4(param) register size_t __p4 asm("r11") = (size_t)(param); asm volatile("" :: "r" (__p4)); |
| Stores the 'param' in the 'r11' register. More... | |
| #define | __breakpoint_param_5(param) register size_t __p5 asm("r12") = (size_t)(param); asm volatile("" :: "r" (__p5)); |
| Stores the 'param' in the 'r12' register. More... | |
| #define | __breakpoint_param_6(param) register size_t __p6 asm("r13") = (size_t)(param); asm volatile("" :: "r" (__p6)); |
| Stores the 'param' in the 'r13' register. More... | |
| #define | __breakpoint_param_7(param) register size_t __p7 asm("r14") = (size_t)(param); asm volatile("" :: "r" (__p7)); |
| Stores the 'param' in the 'r14' register. More... | |
| #define | __breakpoint_param_8(param) register size_t __p8 asm("r15") = (size_t)(param); asm volatile("" :: "r" (__p8)); |
| Stores the 'param' in the 'r15' register. More... | |
| #define | breakpoint_1(token, p1) |
| Hypercall using 1 argument. More... | |
| #define | breakpoint_2(token, p1, p2) |
| Hypercall using 2 argument. More... | |
| #define | breakpoint_3(token, p1, p2, p3) |
| Hypercall using 3 argument. More... | |
| #define | breakpoint_4(token, p1, p2, p3, p4) |
| Hypercall using 4 argument. More... | |
| #define | breakpoint_5(token, p1, p2, p3, p4, p5) |
| Hypercall using 5 argument. More... | |
| #define | breakpoint_6(token, p1, p2, p3, p4, p5, p6) |
| Hypercall using 6 argument. More... | |
Functions | |
| static __default_fn_attr unsigned long | breakpoint (unsigned long token) |
| Generate INT3 instruction for hypercall. More... | |
| #define __agent_data | ( | x | ) | __section("." x "_data") __aligned(1) |
| #define __agent_exit | ( | x | ) |
Generates the exit asm-code using a label.
Definition at line 106 of file common.h.
Referenced by __agent_trampoline().
| #define __agent_text | ( | x | ) | __default_fn_attr __section("." x "_text") |
| #define __agent_trampoline | ( | x | ) | __fn_naked __section("." x "_trampoline") |
| #define __breakpoint_param_1 | ( | param | ) | register size_t __p1 asm("r8") = (size_t)(param); asm volatile("" :: "r" (__p1)); |
| #define __breakpoint_param_2 | ( | param | ) | register size_t __p2 asm("r9") = (size_t)(param); asm volatile("" :: "r" (__p2)); |
| #define __breakpoint_param_3 | ( | param | ) | register size_t __p3 asm("r10") = (size_t)(param); asm volatile("" :: "r" (__p3)); |
| #define __breakpoint_param_4 | ( | param | ) | register size_t __p4 asm("r11") = (size_t)(param); asm volatile("" :: "r" (__p4)); |
| #define __breakpoint_param_5 | ( | param | ) | register size_t __p5 asm("r12") = (size_t)(param); asm volatile("" :: "r" (__p5)); |
| #define __breakpoint_param_6 | ( | param | ) | register size_t __p6 asm("r13") = (size_t)(param); asm volatile("" :: "r" (__p6)); |
| #define __breakpoint_param_7 | ( | param | ) | register size_t __p7 asm("r14") = (size_t)(param); asm volatile("" :: "r" (__p7)); |
| #define __breakpoint_param_8 | ( | param | ) | register size_t __p8 asm("r15") = (size_t)(param); asm volatile("" :: "r" (__p8)); |
| #define __default_fn_attr __fn_save_all __fn_aligned |
Definition at line 78 of file common.h.
Referenced by __access_remote_vm(), __vma_link_rb(), _memcpy(), arch_jump_label_transform(), arch_ptrace(), begin_new_exec(), call_usermodehelper(), change_protection(), commit_creds(), complete_signal(), d_path(), do_exit(), do_munmap_rb_erase(), expand_downwards(), flush_old_exec(), ftrace_write(), is_detour_enabled(), module_param_sysfs_remove(), module_param_sysfs_setup(), panic(), pre_vma_adjust(), process_vm_rw_core(), store_regs(), text_poke(), vma_adjust(), vma_adjust_rb_erase(), vma_rb_erase(), vmcall(), and wake_up_new_task().
| #define __do_exit | ( | address, | |
| do_exit_fn, | |||
| vfree_fn | |||
| ) |
Pushes the exit address on the stack and jumps to the 'do_exit' function in order to terminate the thread.
Definition at line 126 of file common.h.
Referenced by trampoline().
| #define __exit |
Generates the exit asm-code for agents.
Definition at line 120 of file common.h.
Referenced by trampoline().
| #define __fn_naked __attribute__((naked)) |
| #define __fn_save_all __attribute__((no_caller_saved_registers)) |
| #define __likely | ( | x | ) | __builtin_expect(!!(x), 1) |
Definition at line 63 of file common.h.
Referenced by DiffTime(), IntCr3Read(), IntCr4Read(), IntGetGprs(), IntGuestPreReturnCallback(), IntLixDrvSystemBooting(), IntLixTaskIsUserStackPivoted(), IntLixTaskPathGetRef(), IntMapGpaForTranslation(), IntPeFindFunctionByPatternInBuffer(), IntRipRead(), IntSetGprs(), IntUnmapGpaForTranslation(), IntWinDpiGatherDpiInfo(), IntWinInfHookProtect(), and IntWinProcHandleCreateInternal().
| #define __section | ( | S | ) | __attribute__((section (S))) |
| #define __unlikely | ( | x | ) | __builtin_expect(!!(x), 0) |
Definition at line 64 of file common.h.
Referenced by Crc32ComputeFast(), IntEnginesResultCallback(), IntExceptKernel(), IntExceptKernelUser(), IntExceptUser(), IntFragExtractPattern(), IntGetGprs(), IntGuestHandleCr3Write(), IntGuestPreReturnCallback(), IntHandleBreakpoint(), IntHandleCrWrite(), IntHandleDtrViolation(), IntHandleEptViolation(), IntHandleEventInjection(), IntHandleIntroCall(), IntHandleMsrViolation(), IntHandleXcrWrite(), IntLixCredCheckIntegrity(), IntLixGuestGetSystemState(), IntLixTaskAdd(), IntLixTaskDestroy(), IntLixTaskGetCurrentTaskStruct(), IntLixTaskHandleDoExit(), IntLixTaskHandleExec(), IntLixTaskIsUserStackPivoted(), IntLixVmaAdjust(), IntLixVmaChangeProtection(), IntLixVmaExpandDownwards(), IntLixVmaInsert(), IntLixVmaProtect(), IntLixVmaRemove(), IntPhysMemReadWriteAnySize(), IntSetGprs(), IntStatStart(), IntStatStop(), IntTranslateVirtualAddressEx(), IntVeDeliverDriverForLoad(), IntVeInit(), IntVirtMemMap(), IntVirtMemReadWrite(), IntVirtMemUnmap(), IntVirtMemUnmapMultiPage(), IntWinInfHookProtect(), IntWinProcCreateProcessObject(), IntWinProcHandleCreateInternal(), IntWinSDDumpAclEntries(), IntWinSDProcessAcl(), and utf16_for_log().
| #define __unreachable __builtin_unreachable() |
Definition at line 62 of file common.h.
Referenced by IntBugCheck().
| #define BIT | ( | x | ) | (1ULL << (x)) |
Definition at line 68 of file common.h.
Referenced by __vma_link_rb(), change_protection(), commit_creds(), do_munmap_rb_erase(), expand_downwards(), IntFragHandleCommon(), IntHookPtsSetHook(), IntLixCommitCredsHandle(), IntLixKernelToUserPgd(), IntLixTaskCreateFromBinprm(), IntLixUserToKernelPgd(), IntUpdateLoadExceptions(), IntWinDumpPrivilegesMask(), IntWinObjIsTypeObject(), IntWinVadFetchVadFromMemory(), mprotect_fixup_vma_wants_writenotify(), pre_vma_adjust(), vma_adjust_rb_erase(), and vma_rb_erase().
| #define breakpoint_1 | ( | token, | |
| p1 | |||
| ) |
| #define breakpoint_2 | ( | token, | |
| p1, | |||
| p2 | |||
| ) |
Hypercall using 2 argument.
Definition at line 185 of file common.h.
Referenced by __agent_text(), call_usermodehelper(), exec(), init(), and run().
| #define breakpoint_3 | ( | token, | |
| p1, | |||
| p2, | |||
| p3 | |||
| ) |
| #define breakpoint_4 | ( | token, | |
| p1, | |||
| p2, | |||
| p3, | |||
| p4 | |||
| ) |
| #define breakpoint_5 | ( | token, | |
| p1, | |||
| p2, | |||
| p3, | |||
| p4, | |||
| p5 | |||
| ) |
| #define breakpoint_6 | ( | token, | |
| p1, | |||
| p2, | |||
| p3, | |||
| p4, | |||
| p5, | |||
| p6 | |||
| ) |
| #define GFP_KERNEL 0x14000c0 |
Definition at line 15 of file common.h.
Referenced by __agent_text(), call_usermodehelper(), exec(), and run().
| #define GNUASM_DEFINE_STR | ( | SYMBOL, | |
| STR | |||
| ) | asm volatile ("#define " SYMBOL " " #STR); |
| #define GNUASM_DEFINE_VAL | ( | SYMBOL, | |
| VALUE | |||
| ) | asm volatile ("#define " SYMBOL " %0" :: "n"(VALUE)) |
| #define IS_ERR_VALUE | ( | x | ) | __unlikely((unsigned long)(void *)(x) >= (unsigned long)-MAX_ERRNO) |
Definition at line 66 of file common.h.
Referenced by __agent_text(), deploy(), and exec().
| #define KERNEL_VERSION | ( | K, | |
| Patch, | |||
| Sublevel | |||
| ) | ((Sublevel) | ((Patch) << 16) | ((K) << 24)) |
| #define O_CREAT 00000100 |
| #define O_TRUNC 00001000 |
| #define PAGE_KERNEL_EXEC 0x163 |
Definition at line 58 of file common.h.
Referenced by __agent_text().
| #define PAGE_SIZE 0x1000 |
Definition at line 70 of file common.h.
Referenced by _IntLixTaskRead(), d_path(), init(), IntAlertFillCodeBlocks(), IntAlertFillDpiExtraInfo(), IntDecEmulatePTWrite(), IntDetCallCallback(), IntDetSetHook(), IntDumpCode(), IntDumpCodeAndRegs(), IntExceptDumpSignatures(), IntExceptInvCbCacheByGva(), IntExceptUserLogWindowsInformation(), IntExceptVerifyCodeBlocksSig(), IntExceptVerifyValueCodeSig(), IntExceptWinKernelGetOriginator(), IntFragDumpBlocks(), IntFragExtractCodeBlocks(), IntGpaCacheAddEntry(), IntGpaCacheFetchAndAdd(), IntGpaCachePatchAndAdd(), IntGuestGetLastGpa(), IntHandleEptViolation(), IntHandleFetchRetryOnPageBoundary(), IntHookGpaSetHook(), IntHookObjectHookRegion(), IntHookPtmAddTable(), IntIcAddInvdForInstruction(), IntIcFlushGvaPage(), IntIterateVirtualAddressSpaceRec(), IntKsymFindIndexesTableStart(), IntKsymFindMarkersReducedTableEnd(), IntKsymFindMarkersTableEnd(), IntKsymInitAbsolute(), IntKsymRelativeFindOffsetTableEnd(), IntKsymRelativeFindOffsetTableStart(), IntLixAgentFindInstruction(), IntLixCredCalculateCrc32Region(), IntLixCredInitMap(), IntLixDrvCreateFromAddress(), IntLixDrvFindList(), IntLixDrvIsLegitimateTextPoke(), IntLixFsrRead(), IntLixGetInitTask(), IntLixGuestAllocate(), IntLixGuestAllocateFill(), IntLixGuestFindKernel(), IntLixGuestFindKernelBase(), IntLixGuestFindKernelVersionAndRo(), IntLixGuestFindProperSyscall(), IntLixGuestInit(), IntLixGuestInitAgentCompletion(), IntLixHookKernelRead(), IntLixMmGetInitMm(), IntLixMmListVmasInternal(), IntLixPatchSwapgs(), IntLixResolveExeFileOffset(), IntLixResolveThreadStructOffset(), IntLixStackTraceGet(), IntLixStackTraceGetReg(), IntLixTaskCreateInitTask(), IntLixTaskFetchCmdLine(), IntLixVdsoDynamicProtectNonRelocate(), IntLixVdsoDynamicProtectRelocate(), IntLixVdsoFixedProtect(), IntLixVdsoResolveDynamicOffset(), IntLixVmaGetPageCount(), IntLogCriticalStructureCoruption(), IntMapGpaForTranslation(), IntMemClkCloakRegion(), IntMemClkHandleRead(), IntMemClkHandleSwap(), IntMemClkHashRegion(), IntModBlockHandleBlockModHeadersInMemory(), IntPeFindExportByName(), IntPeFindExportByOrdinal(), IntPeFindExportByRva(), IntPeFindFunctionByPattern(), IntPeFindFunctionStart(), IntPeFindFunctionStartInBuffer(), IntPeGetDirectory(), IntPeGetExportNameByRva(), IntPeGetRuntimeFunction(), IntPeGetRuntimeFunctionInBuffer(), IntPeGetSectionHeaderByIndex(), IntPeGetSectionHeaderByRva(), IntPeGetSectionHeadersByName(), IntPeListSectionsHeaders(), IntPeParseUnwindData(), IntPeValidateHeader(), IntPhysMemFastMap(), IntPhysMemUnmap(), IntPtiCacheAdd(), IntPtiCacheRemove(), IntPtiHookPtDriver(), IntPtiMonitorAllPtWriteCandidates(), IntPtiRemovePtFilter(), IntReadString(), IntSerializeCodeBlocksGetExtractRange(), IntSerializeDpiWinHeapSpray(), IntSerializeDpiWinThreadStart(), IntSerializeExtractCodeBlocks(), IntSerializeRipCode(), IntShcIsSuspiciousCode(), IntSlackAllocLinux(), IntSlackAllocWindows(), IntThrGetStackSize(), IntThrSafeWinInspectWaitingThread(), IntUnpPageWriteCallback(), IntUnpWatchPage(), IntValidateRangeForWrite(), IntVasHookTables(), IntVeDeliverDriverForLoad(), IntVeFindKernelKvaShadowAndKernelExit(), IntVeHandleAccess(), IntVeHandleEPTViolationInProtectedView(), IntVeHandleSwap(), IntVeHookVeDriver(), IntVeLockDriver(), IntVeRemoveAgent(), IntVeSetVeInfoPage(), IntVeUnlockDriver(), IntVeUpdateCacheEntry(), IntVirtMemMapMultiPage(), IntVirtMemSafeWrite(), IntWinAgentFindInstruction(), IntWinDagentCheckSuspiciousDllLoad(), IntWinDagentHandleSuspModHeaders(), IntWinDpiValidateHeapSpray(), IntWinDrvCreateFromAddress(), IntWinDrvHeadersInMemory(), IntWinDrvIsListHead(), IntWinDrvObjIsValidDriverObject(), IntWinDrvProtect(), IntWinGuestFindBuildNumber(), IntWinGuestFindDriversNamespaceNoBuffer(), IntWinGuestFindKernel(), IntWinGuestFindKernelCr3(), IntWinGuestFindKernelObjectsInternal(), IntWinGuestFindSelfMapIndex(), IntWinGuestFindSystemCr3(), IntWinGuestIsSystemCr3(), IntWinGuestNew(), IntWinGuestReadKernel(), IntWinGuestValidateKernel(), IntWinHalCreateHalData(), IntWinHalFindHalHeapAndInterruptController(), IntWinHalFindPerformanceCounter(), IntWinHalHandleHalHeapExec(), IntWinHalHeadersInMemory(), IntWinHalProtectHalHeapExecs(), IntWinHalReadHal(), IntWinModBlockBlockModuleLoad(), IntWinModHandleLoadFromVad(), IntWinModHandleModulePathInMemory(), IntWinModHookModule(), IntWinModHookPoly(), IntWinNetFillTcpStruct(), IntWinNetFindTcpBitmap(), IntWinNetFindTcpObjects(), IntWinNetFindTcpPartition(), IntWinNetSearchForAlloc(), IntWinPfnIsMmPfnDatabase(), IntWinPoolGetPoolHeaderInPage(), IntWinPoolHandleAlloc(), IntWinProcHandleCopyMemory(), IntWinProcHandleInstrument(), IntWinProcHandleReadFromLsass(), IntWinProcLockCr3(), IntWinProcSetUserCr3(), IntWinStackHandleUserStackPagedOut(), IntWinStackTraceGet64(), IntWinStackTraceGetUser(), IntWinStackTraceGetUser64(), IntWinStackUserTrapFrameGet32(), IntWinStackUserTrapFrameGet64(), IntWinSudCheckIntegrity(), IntWinSudHandleFieldModification(), IntWinSudProtectIntegrity(), IntWinSudProtectSudExec(), IntWinTokenPrivsShouldHook(), IntWinTokenProtectPrivsInternal(), IntWinUmModCacheFillHeaders(), IntWinVadAdjustRange(), IntWinVadHandleDeleteGeneric(), IntWinVadHandleProtectGeneric(), IntWinVadRbTreeNodeCompareVa(), IntWinVadRemoveRange(), store_regs(), and UtilIsBufferZero().
| #define VMALLOC_END (VMALLOC_START + (VMALLOC_SIZE_TB << 40) - 1) |
Definition at line 56 of file common.h.
Referenced by __agent_text().
| #define VMALLOC_SIZE_TB VMALLOC_SIZE_TB_L4 |
| #define VMALLOC_START __VMALLOC_BASE_L4 |
Definition at line 52 of file common.h.
Referenced by __agent_text().
| #define VMEMMAP_START __VMEMMAP_BASE_L4 |
|
inlinestatic |
1.8.13