Bitdefender Hypervisor Memory Introspection
aghcall.h
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2020 Bitdefender
3  * SPDX-License-Identifier: Apache-2.0
4  */
5 #ifndef _AGHCALL_H_
6 #define _AGHCALL_H_
7 
24 
25 #define AGENT_HCALL_FETCH_CMD 1
26 #define AGENT_HCALL_FETCH_CHUNK 2
27 #define AGENT_HCALL_MOD_BASE 3
28 #define AGENT_HCALL_OWN_BASE 4
29 #define AGENT_HCALL_VE 5
30 #define AGENT_HCALL_PT 6
31 #define AGENT_HCALL_VCPUID 7
32 #define AGENT_HCALL_SYS_LNK 9
33 
34 
36 #define AGENT_HCALL_ERROR ((DWORD)-1)
37 
38 #define AGENT_MAX_COMMAND_LINE_LENGTH 1024
39 #define AGENT_MAX_AGENT_NAME_LENGTH 32
40 
44 typedef enum _AGENT_TYPE
45 {
46  AGENT_TYPE_FILE,
47  AGENT_TYPE_PROCESS,
48  AGENT_TYPE_LIBRARY,
49  AGENT_TYPE_BINARY,
50  AGENT_TYPE_DRIVER,
51  AGENT_TYPE_BREAKPOINT,
52  AGENT_TYPE_VE_LOADER,
53  AGENT_TYPE_VE_UNLOADER,
54  AGENT_TYPE_PT_LOADER,
55  AGENT_TYPE_PT_UNLOADER,
56 } AGENT_TYPE;
57 
58 
60 #define AGENT_COMMAND_VERSION 3
61 
62 
67 typedef struct _AGENT_COMMAND
68 {
69  unsigned int Version;
70  unsigned int Type;
71  unsigned int Pid;
72  unsigned int Synched;
73  unsigned int Size;
74  unsigned int Flags;
75  unsigned long long Pointer;
76  unsigned int Agid;
77 
79  char Name[AGENT_MAX_AGENT_NAME_LENGTH];
80 
82  char Args[AGENT_MAX_COMMAND_LINE_LENGTH];
83 } AGENT_COMMAND, *PAGENT_COMMAND;
84 
85 #endif // _AGHCALL_H_
AGENT_TYPE_BREAKPOINT
A single breakpoint will be injected.
Definition: aghcall.h:51
AGENT_MAX_AGENT_NAME_LENGTH
#define AGENT_MAX_AGENT_NAME_LENGTH
Definition: aghcall.h:39
_AGENT_COMMAND::Agid
unsigned int Agid
Internal use; IT'S NOT the agent tag.
Definition: aghcall.h:76
AGENT_TYPE_VE_UNLOADER
The VE agent unloader.
Definition: aghcall.h:53
_AGENT_COMMAND::Size
unsigned int Size
The size of the agent.
Definition: aghcall.h:73
_AGENT_COMMAND::Type
unsigned int Type
The agent type. One of AGENT_TYPE.
Definition: aghcall.h:70
_AGENT_COMMAND
Definition: aghcall.h:67
AGENT_TYPE_PT_LOADER
The PT filter loader.
Definition: aghcall.h:54
_AGENT_TYPE
_AGENT_TYPE
Definition: aghcall.h:44
AGENT_TYPE_DRIVER
A driver will be injected and started inside the kernel. NOT USED!
Definition: aghcall.h:50
_AGENT_COMMAND::Pointer
unsigned long long Pointer
A pointer to the agent contents in guest memory.
Definition: aghcall.h:75
AGENT_TYPE_VE_LOADER
The VE agent loader.
Definition: aghcall.h:52
AGENT_TYPE_PT_UNLOADER
The PT filter unloader.
Definition: aghcall.h:55
PAGENT_COMMAND
struct _AGENT_COMMAND * PAGENT_COMMAND
AGENT_TYPE_LIBRARY
A DLL will be injected inside a process. NOT USED!
Definition: aghcall.h:48
AGENT_TYPE
enum _AGENT_TYPE AGENT_TYPE
_AGENT_COMMAND::Flags
unsigned int Flags
Note used.
Definition: aghcall.h:74
AGENT_TYPE_BINARY
A binary blob of code will be injected and started in the kernel. NOT USED!
Definition: aghcall.h:49
_AGENT_COMMAND::Args
char Args[AGENT_MAX_COMMAND_LINE_LENGTH]
Command line arguments used by the injected process. It is limited to AGENT_MAX_COMMAND_LINE_LENGTH b...
Definition: aghcall.h:82
_AGENT_COMMAND::Version
unsigned int Version
Structure version. Check out AGENT_COMMAND_VERSION.
Definition: aghcall.h:69
_AGENT_COMMAND::Name
char Name[AGENT_MAX_AGENT_NAME_LENGTH]
The agent name. This will be the file name or the process name.
Definition: aghcall.h:79
AGENT_MAX_COMMAND_LINE_LENGTH
#define AGENT_MAX_COMMAND_LINE_LENGTH
Definition: aghcall.h:38
AGENT_TYPE_PROCESS
Process agent. A process will be injected & started inside the guest.
Definition: aghcall.h:47
_AGENT_COMMAND::Pid
unsigned int Pid
The process PID from which to start a process agent.
Definition: aghcall.h:71
_AGENT_COMMAND::Synched
unsigned int Synched
Always FALSE for now. Will not wait for the process agent to finish.
Definition: aghcall.h:72
AGENT_TYPE_FILE
File agent. A file will be dropped inside the guest.
Definition: aghcall.h:46
AGENT_COMMAND
struct _AGENT_COMMAND AGENT_COMMAND