Bitdefender Hypervisor Memory Introspection
aghcall.h File Reference

This file contains the private, undocumented hypercalls. They are used only by the loaders and the agent driver.

Data Structures

struct  _AGENT_COMMAND
 

Macros

#define AGENT_HCALL_FETCH_CMD   1
 Used to get the command structure for the agent.
 
#define AGENT_HCALL_FETCH_CHUNK   2
 Used to get the remediation agent data.
 
#define AGENT_HCALL_MOD_BASE   3
 Used to get the base of the module indicated by edi/rcx.
 
#define AGENT_HCALL_OWN_BASE   4
 Used to get the base of the agent module.
 
#define AGENT_HCALL_VE   5
 Used to get a generic piece of data inside a pre-allocated region.
 
#define AGENT_HCALL_PT   6
 Used to get the PT cache agent.
 
#define AGENT_HCALL_VCPUID   7
 Used to get the ID of the current VCPU.
 
#define AGENT_HCALL_SYS_LNK   9
 Used to get a kernel syscall linkage address.
 
#define AGENT_HCALL_ERROR   ((DWORD)-1)
 Generic error signaling hypercall.
 
#define AGENT_MAX_COMMAND_LINE_LENGTH   1024
 
#define AGENT_MAX_AGENT_NAME_LENGTH   32
 
#define AGENT_COMMAND_VERSION   3
 Agent command structure version. Increment this whenever modifying the AGENT_COMMAND structure.
 

Typedefs

typedef enum _AGENT_TYPE AGENT_TYPE
 
typedef struct _AGENT_COMMAND AGENT_COMMAND
 
typedef struct _AGENT_COMMAND * PAGENT_COMMAND
 

Enumerations

enum  _AGENT_TYPE {
  AGENT_TYPE_FILE, AGENT_TYPE_PROCESS, AGENT_TYPE_LIBRARY, AGENT_TYPE_BINARY,
  AGENT_TYPE_DRIVER, AGENT_TYPE_BREAKPOINT, AGENT_TYPE_VE_LOADER, AGENT_TYPE_VE_UNLOADER,
  AGENT_TYPE_PT_LOADER, AGENT_TYPE_PT_UNLOADER
}
 

Detailed Description

This file contains the private, undocumented hypercalls. They are used only by the loaders and the agent driver.

Agent hypercall codes. Generic hypercall interface on Xen:
  x86: EAX = 34, EBX = 24, ECX = 0, args in EDX, ESI, EDI
  x64: RAX = 34, RDI = 24, RSI = 0, args in RDX, RCX, RBX
RDX/EDX will contain the agent/introspection-specific hypercall code. RCX/ESI and RBX/EDI will contain additional arguments, specific to the agent hypercall code specified in RDX/EDX.

  1. Stage 1 Loader hypercalls (identified using the RIP)
  2. Stage 2 Loader hypercalls (identified using the RIP and tokens)
  3. Driver Agent Hypercalls (identified using the RIP and hypercall code):
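As an added example (not code from the HVMI project), a hypervisor-side decoder for the register convention above: it checks the Xen selectors for the guest's bitness, extracts the agent code and the two extra arguments, and rejects any exit that is not one of the codes listed on this page, so a dispatcher never acts on a malformed request. GUEST_REGS, AGENT_HCALL, DecodeAgentHypercall and the XEN_HCALL_* names are assumptions of this example, not introcore identifiers.

```c
#include <stdbool.h>
#include <stdint.h>

/* Agent hypercall codes and Xen selector values as documented in aghcall.h. */
#define AGENT_HCALL_FETCH_CMD    1
#define AGENT_HCALL_FETCH_CHUNK  2
#define AGENT_HCALL_MOD_BASE     3
#define AGENT_HCALL_OWN_BASE     4
#define AGENT_HCALL_VE           5
#define AGENT_HCALL_PT           6
#define AGENT_HCALL_VCPUID       7
#define AGENT_HCALL_SYS_LNK      9
#define AGENT_HCALL_ERROR        ((uint32_t)-1)
#define XEN_HCALL_NR     34u   /* EAX on x86, RAX on x64 */
#define XEN_HCALL_SUBOP  24u   /* EBX on x86, RDI on x64 */
#define XEN_HCALL_ARG0    0u   /* ECX on x86, RSI on x64 */

/* Guest registers captured at the VMCALL exit (field layout assumed for this example). */
typedef struct { uint64_t rax, rbx, rcx, rdx, rsi, rdi; } GUEST_REGS;
/* Decoded request: the code from RDX/EDX plus the two extra arguments. */
typedef struct { uint32_t code; uint64_t arg1, arg2; } AGENT_HCALL;

/* Codes 1..7 and 9 are assigned on this page; 8 and everything else is rejected. */
static bool IsKnownAgentCode(uint32_t c)
{
    return (c >= AGENT_HCALL_FETCH_CMD && c <= AGENT_HCALL_VCPUID) || c == AGENT_HCALL_SYS_LNK;
}

/* Validates the Xen selectors for the guest bitness and extracts the agent
 * hypercall. Returns false, leaving out->code = AGENT_HCALL_ERROR, when the exit
 * is not a well-formed agent hypercall. */
bool DecodeAgentHypercall(const GUEST_REGS *r, bool guest64, AGENT_HCALL *out)
{
    out->code = AGENT_HCALL_ERROR; out->arg1 = out->arg2 = 0;
    if (guest64) {
        if (r->rax != XEN_HCALL_NR || r->rdi != XEN_HCALL_SUBOP || r->rsi != XEN_HCALL_ARG0 ||
            r->rdx > UINT32_MAX || !IsKnownAgentCode((uint32_t)r->rdx))
            return false;
        out->code = (uint32_t)r->rdx; out->arg1 = r->rcx; out->arg2 = r->rbx;
    } else {
        /* 32-bit guest: only the low halves of the registers are meaningful. */
        uint32_t eax = (uint32_t)r->rax, ebx = (uint32_t)r->rbx, ecx = (uint32_t)r->rcx;
        uint32_t edx = (uint32_t)r->rdx, esi = (uint32_t)r->rsi, edi = (uint32_t)r->rdi;
        if (eax != XEN_HCALL_NR || ebx != XEN_HCALL_SUBOP || ecx != XEN_HCALL_ARG0 ||
            !IsKnownAgentCode(edx))
            return false;
        out->code = edx; out->arg1 = esi; out->arg2 = edi;
    }
    return true;
}
```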

Definition in file aghcall.h.

Macro Definition Documentation

◆ AGENT_COMMAND_VERSION

#define AGENT_COMMAND_VERSION   3

Agent command structure version. Increment this whenever modifying the AGENT_COMMAND structure.

Definition at line 60 of file aghcall.h.

Referenced by IntWinAgentHandleDriverVmcall().

◆ AGENT_HCALL_ERROR

#define AGENT_HCALL_ERROR   ((DWORD)-1)

Generic error signaling hypercall.

Definition at line 36 of file aghcall.h.

Referenced by IntWinAgentHandleDriverVmcall().

◆ AGENT_HCALL_FETCH_CHUNK

#define AGENT_HCALL_FETCH_CHUNK   2

Used to get the remediation agent data.

Definition at line 26 of file aghcall.h.

Referenced by IntWinAgentHandleDriverVmcall().

◆ AGENT_HCALL_FETCH_CMD

#define AGENT_HCALL_FETCH_CMD   1

Used to get the command structure for the agent.

Definition at line 25 of file aghcall.h.

Referenced by IntWinAgentHandleDriverVmcall().

◆ AGENT_HCALL_MOD_BASE

#define AGENT_HCALL_MOD_BASE   3

Used to get the base of the module indicated by edi/rcx.

Definition at line 27 of file aghcall.h.

Referenced by IntWinAgentHandleDriverVmcall().

◆ AGENT_HCALL_OWN_BASE

#define AGENT_HCALL_OWN_BASE   4

Used to get the base of the agent module.

Definition at line 28 of file aghcall.h.

Referenced by IntWinAgentHandleDriverVmcall().

◆ AGENT_HCALL_PT

#define AGENT_HCALL_PT   6

Used to get the PT cache agent.

Definition at line 30 of file aghcall.h.

Referenced by IntWinAgentHandleDriverVmcall().

◆ AGENT_HCALL_SYS_LNK

#define AGENT_HCALL_SYS_LNK   9

Used to get a kernel syscall linkage address.

Definition at line 32 of file aghcall.h.

Referenced by IntWinAgentHandleDriverVmcall().

◆ AGENT_HCALL_VCPUID

#define AGENT_HCALL_VCPUID   7

Used to get the ID of the current VCPU.

Definition at line 31 of file aghcall.h.

Referenced by IntWinAgentHandleDriverVmcall().

◆ AGENT_HCALL_VE

#define AGENT_HCALL_VE   5

Used to get a generic piece of data inside a pre-allocated region.

Definition at line 29 of file aghcall.h.

Referenced by IntWinAgentHandleDriverVmcall().

◆ AGENT_MAX_AGENT_NAME_LENGTH

#define AGENT_MAX_AGENT_NAME_LENGTH   32

Definition at line 39 of file aghcall.h.

◆ AGENT_MAX_COMMAND_LINE_LENGTH

#define AGENT_MAX_COMMAND_LINE_LENGTH   1024

Definition at line 38 of file aghcall.h.

Typedef Documentation

◆ AGENT_COMMAND

typedef struct _AGENT_COMMAND AGENT_COMMAND

Structure used by the introbootdrv to request a command from Introcore. The first hypercall issued by introbootdrv will request this data, which tells it what to do.

◆ AGENT_TYPE

typedef enum _AGENT_TYPE AGENT_TYPE

Possible agent types. Note that not all of them are supported, but they are defined for future use.

◆ PAGENT_COMMAND

typedef struct _AGENT_COMMAND * PAGENT_COMMAND

Enumeration Type Documentation

◆ _AGENT_TYPE

Possible agent types. Note that not all of them are supported, but they are defined for future use.

Enumerator
AGENT_TYPE_FILE 

File agent. A file will be dropped inside the guest.

AGENT_TYPE_PROCESS 

Process agent. A process will be injected & started inside the guest.

AGENT_TYPE_LIBRARY 

A DLL will be injected inside a process. NOT USED!

AGENT_TYPE_BINARY 

A binary blob of code will be injected and started in the kernel. NOT USED!

AGENT_TYPE_DRIVER 

A driver will be injected and started inside the kernel. NOT USED!

AGENT_TYPE_BREAKPOINT 

A single breakpoint will be injected.

AGENT_TYPE_VE_LOADER 

The VE agent loader.

AGENT_TYPE_VE_UNLOADER 

The VE agent unloader.

AGENT_TYPE_PT_LOADER 

The PT filter loader.

AGENT_TYPE_PT_UNLOADER 

The PT filter unloader.

Definition at line 44 of file aghcall.h.