Bitdefender Hypervisor Memory Introspection
|
#include "callbacks.h"
#include "decoder.h"
#include "gpacache.h"
#include "hook.h"
#include "hook_cr.h"
#include "hook_dtr.h"
#include "hook_msr.h"
#include "hook_xcr.h"
#include "memtables.h"
#include "ptfilter.h"
#include "rtlpvirtualunwind.h"
#include "swapmem.h"
#include "vecore.h"
#include "winprocesshp.h"
#include "winselfmap.h"
#include "wininfinityhook.h"
#include "exceptions.h"
#include "wincmdline.h"
#include "lixcmdline.h"
#include "scan_engines.h"
#include "wintoken.h"
#include "winsecdesc.h"
#include "winsud.h"
Go to the source code of this file.
Macros | |
#define | MAX_GLAS 32 |
Functions | |
static BOOLEAN | IntValidateTranslation (PHOOK_GPA Hook) |
Checks if the given GPA hook points to a valid GVA hook with a correct translation. More... | |
static BOOLEAN | IntValidatePageRightsEx (QWORD LinearAddress, QWORD PhysicalAddress, DWORD Access) |
Check if the access rights for the provided PhysicalAddress are up-to-date in the EPT. This function will get called oon each EPT violation. More... | |
static void | IntValidatePageRights (QWORD LinearAddress, QWORD PhysicalAddress, DWORD Access) |
Check if the access rights for the provided PhysicalAddress are up-to-date in the EPT. This function will get called only if the page wasn't hooked. More... | |
static INTSTATUS | IntHandleMemAccess (QWORD LinearAddress, QWORD PhysicalAddress, DWORD Length, INTRO_ACTION *Action, BOOLEAN *CallbackFound, BOOLEAN *PageHooked, BOOLEAN ProbeOnly, IG_EPT_ACCESS AccessType) |
Handle a memory access to a guest linear address. More... | |
static BOOLEAN | IntHandleFetchRetryOnPageBoundary (DWORD CpuNumber) |
Handle instruction fetch at page boundary, if an EPT execute violation has been generated. More... | |
static BOOLEAN | IntHandleCowOnPage (QWORD Gla, DWORD CpuNumber, BYTE AccessType) |
Handle copy-on-write on a page. More... | |
static BOOLEAN | IntHandlePageBoundaryCow (QWORD Gla, DWORD AccessSize, BYTE AccessType, DWORD CpuNumber) |
Check if we have a copy-on-write condition at a page boundary. More... | |
INTSTATUS | IntHandleEptViolation (void *GuestHandle, QWORD PhysicalAddress, DWORD Length, QWORD LinearAddress, DWORD CpuNumber, INTRO_ACTION *Action, IG_EPT_ACCESS AccessType) |
Handle an EPT violation. More... | |
INTSTATUS | IntHandleMsrViolation (void *GuestHandle, DWORD Msr, IG_MSR_HOOK_TYPE Flags, INTRO_ACTION *Action, QWORD OriginalValue, QWORD *NewValue, DWORD CpuNumber) |
Handle a model specific register violation. More... | |
INTSTATUS | IntHandleCrWrite (void *GuestHandle, DWORD Cr, DWORD CpuNumber, QWORD OldValue, QWORD NewValue, INTRO_ACTION *Action) |
Handle a control register violation. More... | |
static INTSTATUS | IntDispatchPtAsEpt (void) |
Dispatch a VMCALL issued by the PT filter as an EPT violation. More... | |
static INTSTATUS | IntDispatchVeAsEpt (void) |
Dispatch a VE as an EPT violation. More... | |
INTSTATUS | IntHandleIntroCall (void *GuestHandle, QWORD Rip, DWORD CpuNumber) |
Handle a VMCALL issued inside the guest. More... | |
INTSTATUS | IntHandleTimer (void *GuestHandle) |
Periodically called by the integrator, once every second. More... | |
INTSTATUS | IntHandleXcrWrite (void *GuestHandle, DWORD CpuNumber, INTRO_ACTION *Action) |
Handle extended control registers writes. More... | |
INTSTATUS | IntHandleBreakpoint (void *GuestHandle, QWORD GuestPhysicalAddress, DWORD CpuNumber) |
Handle guest breakpoints. More... | |
static INTSTATUS | IntHandleEventInjection (void *GuestHandle, DWORD Vector, QWORD ErrorCode, QWORD Cr2, DWORD CpuNumber) |
Handle event injections inside the guest. More... | |
INTSTATUS | IntHandleDtrViolation (void *GuestHandle, DWORD Flags, DWORD CpuNumber, INTRO_ACTION *Action) |
Handle GDTR, IDTR, LDTR, TR accesses. More... | |
INTSTATUS | IntEnginesResultCallback (void *GuestHandle, PENG_NOTIFICATION_HEADER EngineNotification) |
Handler called by the integrator as soon as the engines report a scan result for a buffer. More... | |
INTSTATUS | IntCallbacksInit (void) |
Initialize the callbacks. More... | |
INTSTATUS | IntCallbacksUnInit (void) |
Uninit all the Introcore callbacks. More... | |
Variables | |
QWORD | gEptEvents |
BOOLEAN | gInjectVeLoader |
BOOLEAN | gInjectVeUnloader |
BOOLEAN | gLoadPtDriver |
BOOLEAN | gUnloadPtDriver |
static BOOLEAN | gForceActionOnBeta |
#define MAX_GLAS 32 |
Referenced by IntHandleEptViolation().
INTSTATUS IntCallbacksInit | ( | void | ) |
Initialize the callbacks.
Most of the callbacks are initialized here. As soon as a callback is registered for a certain type of event, Introcore can start processing them. NOTE: Some callbacks, such as the breakpoint handler or the EPT violation handler are registered on the init flow, so as to avoid having to handle many irrelevant events while we initialize.
INT_STATUS_SUCCESS | On success. |
Definition at line 3527 of file callbacks.c.
Referenced by IntGuestHandleCr3Write().
INTSTATUS IntCallbacksUnInit | ( | void | ) |
Uninit all the Introcore callbacks.
INT_STATUS_SUCCESS | On success. |
Definition at line 3576 of file callbacks.c.
Referenced by IntGuestUninit().
|
static |
Dispatch a VMCALL issued by the PT filter as an EPT violation.
This function will act as the main EPT violation handler for very specific accesses filtered by the PT filter. This function will be called when the PT filter intercepts a guest instruction which does a relevant modification to a page-table entry. At that point, the PT filter will issue a VMCALL, but inside Introcore, in order to maintain a good separation between events, we will directly invoke the main memory access handle in order to treat the instruction as if it triggered an EPT violation. This function simply fills in the VCPU context and calls the memory access function, which will treat the page-table write instruction. In addition, if the page-table entry is not monitored by Introcore, it will be added to the PT cache, so as to not generate any more VMCALLs for it, until it becomes hooked.
INT_STATUS_SUCCESS | On success. |
Definition at line 1843 of file callbacks.c.
Referenced by IntHandleIntroCall().
|
static |
Dispatch a VE as an EPT violation.
This function gets called when the VE agent issues a VMCALL, as a result from an in-guest VE which is considered relevant. The VE agent will issue a VMCALL only for page-table writes which hit a protected page-table, and if the write modifies a relevant bit. In that case, the agent will notify Introcore, which will handle the page-table modification by properly updating the protection on the old/new pages. This function will fill in the VCPU context (including the registers and the instruction, which are all provided in the VE info page) and will call the memory access handler, which will behave as if the event was indeed generated as an EPT violation. This function also has special handling for page-walks: due to KPTI, page-walks will always be emulated in the context of the kernel CR3; however, sometimes, for some processes, the user CR3 PML4 entry will lack the A or D bit, and since we cannot switch into the user-mode CR3 from inside the guest, we will simply ask Introcore to handle those page walks, which are extremely rare, but would cause a guest hang otherwise (because the page-walk VE would be triggered in an infinite loop, as the user CR3 would never end up having the A/D bits set).
INT_STATUS_SUCCESS | On success. |
INT_STATUS_NOT_SUPPORTED | If a walk is requested from a Linux guest. |
INT_STATUS_NOT_FOUND | If the process with the current CR3 is not found. |
Definition at line 1916 of file callbacks.c.
Referenced by IntHandleIntroCall().
INTSTATUS IntEnginesResultCallback | ( | void * | GuestHandle, |
PENG_NOTIFICATION_HEADER | EngineNotification | ||
) |
Handler called by the integrator as soon as the engines report a scan result for a buffer.
Introcore may request the AV engines to scan certain memory buffers (for example, Powershell command lines or memory areas that get executed inside the guest). Since the scanning is done in a different thread/process, and due to performance concerns, we resume guest execution as soon as we have sent the buffer to be scanned. When the engines finish the scan, Introcore will be notified of the result via this handler. This handler simply dispatches the result to the appropriate callback, and they will send an alert, if a detection was generated. Currently, only two types of buffers are scanned using the AV engines:
[in] | GuestHandle | The guest handle. |
[in] | EngineNotification | A structure describing the buffer that was scanned and the scan result. |
INT_STATUS_SUCCESS | On success. |
INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
INT_STATUS_NOT_INITIALIZED_HINT | If the guest is not initialized. |
Definition at line 3426 of file callbacks.c.
Referenced by IntCallbacksInit().
Handle guest breakpoints.
This handler is called by the integrator whenever a breakpoint (INT3) takes place inside the guest. This function will just dispatch the event to an appropriate Introcore handler, in this order:
[in] | GuestHandle | The guest handle. |
[in] | GuestPhysicalAddress | Unused. |
[in] | CpuNumber | The VCPU number. |
INT_STATUS_SUCCESS | On success. |
INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
INT_STATUS_NOT_INITIALIZED_HINT | If the guest is not initialized. |
INT_STATUS_NOT_FOUND | If Introcore did not handle the VMCALL. |
INT_STATUS_FATAL_ERROR | If a fatal error occurred and the integrator should unload Introcore. |
INT_STATUS_UNINIT_BUGCHECK | If a bug-check occurred inside the guest and Introcore should be unloaded. |
Definition at line 2734 of file callbacks.c.
Referenced by IntEnableBreakpointNotifications(), and IntWinGuestInit().
Handle copy-on-write on a page.
This function handles copy-on-write events on a given guest linear address. This is needed because of an emulator flaw in Xen: a CMPXCHG instruction at a page-boundary would be emulated badly by copying the first chunk of data inside the first page, then injection a PF for the second page, if it isn't writable. When re-executing the CMPXCHG after the fault is handled, the memory value would be different, and the instruction would not execute correctly (since the first page has already been written). Check if this is a write access, inside user-mode, on a non-present or non-writable page, and inject a PF if needed.
[in] | Gla | The accessed guest linear address. |
[in] | CpuNumber | The VCPU number. |
[in] | AccessType | Access type. |
Definition at line 700 of file callbacks.c.
Referenced by IntHandleDtrViolation(), and IntHandlePageBoundaryCow().
INTSTATUS IntHandleCrWrite | ( | void * | GuestHandle, |
DWORD | Cr, | ||
DWORD | CpuNumber, | ||
QWORD | OldValue, | ||
QWORD | NewValue, | ||
INTRO_ACTION * | Action | ||
) |
Handle a control register violation.
This function is called by the integrator/HV on each CR violation. The handler will simply iterate the list of registered callbacks for this particular CR, and call each one of them. Introcore only places write hooks on the control registers; read hooks may trigger a very high performance impact.
[in] | GuestHandle | The guest handle. |
[in] | Cr | The accessed CR. |
[in] | CpuNumber | The VCPU number. |
[in] | OldValue | Old CR value. |
[in] | NewValue | New CR value. |
[in] | Action | The desired action. |
INT_STATUS_SUCCESS | On success. |
INT_STATUS_NOT_INITIALIZED_HINT | If the guest is not initialized yet. |
INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
INT_STATUS_NOT_FOUND | If no callback is found for this MSR. |
INT_STATUS_FATAL_ERROR | A fatal error occurred, and the integrator should unload Introcore. |
Definition at line 1692 of file callbacks.c.
Referenced by IntEnableCrNotifications().
INTSTATUS IntHandleDtrViolation | ( | void * | GuestHandle, |
DWORD | Flags, | ||
DWORD | CpuNumber, | ||
INTRO_ACTION * | Action | ||
) |
Handle GDTR, IDTR, LDTR, TR accesses.
This function is called on descriptor table registers accesses. This function will iterate registered callbacks and it will call all of them. Special handling is done, however, for these instructions, as they generate a descriptor table access VM exit before doing any kind of memory checks; therefore, emulating such an instruction may lead to an EPT protection bypass (since the HV may not check EPT access rights when emulating instructions). As a result, we do some serious checks when handling these instructions:
[in] | GuestHandle | The guest handle. |
[in] | Flags | Descriptor table accessed & accessed type. Check out IG_DESC_ACCESS. |
[in] | CpuNumber | The VCPU number. |
[out] | Action | Desired action. |
INT_STATUS_SUCCESS | On success. |
INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
INT_STATUS_NOT_INITIALIZED_HINT | If the guest is not initialized. |
INT_STATUS_FATAL_ERROR | If a fatal error occurred and Introcore should be unloaded. |
(for example, GDTR READ, IDTR WRITE, etc.).
Definition at line 3116 of file callbacks.c.
Referenced by IntEnableDtrNotifications().
INTSTATUS IntHandleEptViolation | ( | void * | GuestHandle, |
QWORD | PhysicalAddress, | ||
DWORD | Length, | ||
QWORD | LinearAddress, | ||
DWORD | CpuNumber, | ||
INTRO_ACTION * | Action, | ||
IG_EPT_ACCESS | AccessType | ||
) |
Handle an EPT violation.
This callback is called by the HV/integrator whenever an EPT violation takes place. Introcore will handle the event by calling registered callbacks for the accessed memory area. Note that Introcore will also call the callbacks for other linear addresses that may be accessed by the instruction. Upon return, it has to return an action to the integrator. The main steps taken by this function are:
[in] | GuestHandle | A handle to the guest that generated the EPT violation. |
[in] | PhysicalAddress | Accessed guest physical address. |
[in] | Length | Access size. Note that this parameter is reserved for future use, as the HV does not decode (and the CPU does not provide) the access size. |
[in] | LinearAddress | The accessed guest linear address. |
[in] | CpuNumber | VCPU number. |
[out] | Action | Will contain, upon successful return, the action to be taken fro the access. |
[in] | AccessType | Access type: IG_EPT_HOOK_READ, IG_EPT_HOOK_WRITE & IG_EPT_HOOK_EXECUTE. |
INT_STATUS_SUCCESS | On success. |
INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
INT_STATUS_FORCE_ACTION_ON_BETA | Force the introGuestNotAllowed, even in beta mode. This ensures that our hooks don't get overwritten. |
INT_STATUS_FATAL_ERROR | A fatal error occurred, and the integrator should unload Introcore. |
NOTE: The instruction may be modified after the fault is triggered. Therefore, we may process the GLA/GPA the fault took place at, but the instruction may encode a different address.
Definition at line 825 of file callbacks.c.
Referenced by IntEnableEptNotifications().
|
static |
Handle event injections inside the guest.
This event will be the first event to be generated once we inject an exception on CPU CpuNumber. This is used to know if an exception that we injected inside the guest really got injected. If something else got injected, Introcore can retry the injection at a later point. This simplifies the exception injection algorithm, especially because the HV may inject other things inside the guest. This function will check if the HV injected our PF or UD (which we requested earlier).
[in] | GuestHandle | The guest handle. |
[in] | Vector | The vector that got injected inside the guest. |
[in] | ErrorCode | The delivered error code, if any. |
[in] | Cr2 | The CR2, if a PF was injected. |
[in] | CpuNumber | The VCPU number. |
INT_STATUS_SUCCESS | On success. |
INT_STATUS_NOT_INITIALIZED_HINT | If the guest is not initialized. |
INT_STATUS_INVALID_PARAMETER | If an invalid parameter is used. |
Definition at line 2986 of file callbacks.c.
Referenced by IntCallbacksInit().
Handle instruction fetch at page boundary, if an EPT execute violation has been generated.
Special handling for introGuestRetry on EPT exec violations. We may request a retry when we cannot fetch the RIP, for example. Sometimes, the instruction may be situated at a page boundary and be contained inside both pages. In this case, if at least the first page is exec hooked and the second one is not present, we will induce an infinite loop by requesting introGuestRetry, because the PF on the second page will never be triggered since the EPT violation on the first one will always take place first. In this case, we will manually inject the PF on the second page.
[in] | CpuNumber | VCPU number. |
Definition at line 614 of file callbacks.c.
Referenced by IntHandleEptViolation().
Handle a VMCALL issued inside the guest.
This function will be called by the hypervisor whenever a VMCALL is executed inside the guest with a magic value in EAX register. For the Xen hypervisor, this magic value involves several registers: On x64: RAX = 0x22, RDI = 0x18, RSI = 0 On x86: EAX = 0x22, EBX = 0x18, ECX = 0 The EAX register will be overwritten by the HV on guest re-entry, so don't use it to pass the result of the VMCALL. This function will dispatch the VMCALL to the following handlers, in this order:
[in] | GuestHandle | The guest handle. |
[in] | Rip | RIP where the VMCALL originates. |
[in] | CpuNumber | The VCPU number. |
INT_STATUS_SUCCESS | On success. |
INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
INT_STATUS_NOT_INITIALIZED_HINT | If the guest is not initialized. |
INT_STATUS_NOT_FOUND | If Introcore did not handle the VMCALL. |
INT_STATUS_FATAL_ERROR | If a fatal error occurred and the integrator should unload Introcore. |
INT_STATUS_UNINIT_BUGCHECK | If a bug-check occurred inside the guest and Introcore should be unloaded. |
Definition at line 2140 of file callbacks.c.
Referenced by IntCallbacksInit().
|
static |
Handle a memory access to a guest linear address.
This function handles one GLA access (execute, read, write or read-write). The access can be combined (for example, read-write). The function will iterate the list of registered callbacks for the PhysicalAddress the given LinearAddress translates to, and it will call each registered callback. The actions returned by the callback will be combined (the numerically higher action will be kept) and returned. Each access will be handled individually; for example, if the AccessType is RWX, the function will first handle the execute access, followed by the read access, followed finally by the write access. For read accesses which do not have a registered callback, the mem-tables and the RtlpVirtualUnwind optimizations will be invoked, to see if we can instrument the instruction, for better performance. NOTE: If no callback is found, the default action is introGuestAllowed. NOTE: This function may be called for PhysicalAddress values for which an EPT violation has not been generated. This happens because when handling an instruction, Introcore will call this function for every accessed linear address, even for those for which an EPT violation may never be generated.
[in] | LinearAddress | The guest linear address accessed. |
[in] | PhysicalAddress | The guest physical address accessed. |
[in] | Length | The size of the access. For execute accesses, this is the length of the instruction For read/write accesses, this is the size of the access. |
[out] | Action | The final action returned by the invoked callbacks. |
[out] | CallbackFound | Set to true if at least one callback is found for the provided address. |
[out] | PageHooked | Set to true if the page is indeed hooked. |
[in] | ProbeOnly | If set, simply check if there is at least a callback for the address. If this is set, no callbacks will be invoked, as the function will return as soon as at find the first registered callback. |
[in] | AccessType | Access type. Can be a combination of IG_EPT_HOOK_EXECUTE, IG_EPT_HOOK_READ and IG_EPT_HOOK_WRITE. |
INT_STATUS_SUCCESS | On success. This does not necessarily mean that a callback was found! |
INT_STATUS_NOT_INITIALIZED | If the hooks system is not initialized. |
INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
Definition at line 311 of file callbacks.c.
Referenced by IntDispatchPtAsEpt(), IntDispatchVeAsEpt(), IntHandleDtrViolation(), and IntHandleEptViolation().
INTSTATUS IntHandleMsrViolation | ( | void * | GuestHandle, |
DWORD | Msr, | ||
IG_MSR_HOOK_TYPE | Flags, | ||
INTRO_ACTION * | Action, | ||
QWORD | OriginalValue, | ||
QWORD * | NewValue, | ||
DWORD | CpuNumber | ||
) |
Handle a model specific register violation.
This callback is called on MSR violations. This handle will iterate the list of registered callbacks for that particular MSR, and will call each one of them. NOTE: Although read hooks can also be established on MSRs, Introcore does not make use of that, only write hooks are set.
[in] | GuestHandle | The guest handle. |
[in] | Msr | The accessed MSR. |
[in] | Flags | MSR violation type (read or write). |
[out] | Action | Desired action. |
[in] | OriginalValue | Original MSR value. |
[out] | NewValue | New MSR value. Can be modified, but whether the HV will take this into consideration or not is implementation dependent, so it is advisable to not modify this value. |
[in] | CpuNumber | The VCPU number. |
INT_STATUS_SUCCESS | On success. |
INT_STATUS_NOT_INITIALIZED_HINT | If the guest is not initialized yet. |
INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
INT_STATUS_NOT_FOUND | If no callback is found for this MSR. |
INT_STATUS_FATAL_ERROR | A fatal error occurred, and the integrator should unload Introcore. |
Definition at line 1536 of file callbacks.c.
Referenced by IntEnableMsrNotifications().
|
static |
Check if we have a copy-on-write condition at a page boundary.
Check if the accessed gla spans inside two pages, and it it is the case, call the CoW handler.
[in] | Gla | The accessed guest linear address. |
[in] | AccessSize | The access size, in bytes. |
[in] | AccessType | Access type (should be read-write or write). |
[in] | CpuNumber | VCPU number. |
Definition at line 792 of file callbacks.c.
Referenced by IntHandleDtrViolation(), and IntHandleEptViolation().
INTSTATUS IntHandleTimer | ( | void * | GuestHandle | ) |
Periodically called by the integrator, once every second.
This function is called every second. Tasks such as integrity checks can be done here. The main tasks this handle carries are:
[in] | GuestHandle | The guest handle. |
INT_STATUS_SUCCESS | On success. |
INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
INT_STATUS_NOT_INITIALIZED_HINT | If the guest is not initialized. |
It would be nice to pause the guest while we do the checks; However, since we're doing read-only operations and the protected areas should not be modified during the normal usage, we can safely let all other processors run code.
Definition at line 2359 of file callbacks.c.
Referenced by IntCallbacksInit().
INTSTATUS IntHandleXcrWrite | ( | void * | GuestHandle, |
DWORD | CpuNumber, | ||
INTRO_ACTION * | Action | ||
) |
Handle extended control registers writes.
This function handles the XSETBV instruction, which modifies XCRs. Currently, only XCR0 can be intercepted. Even this is intercepted in order to aid into activating protection, and it is not protected against attacks. This function will iterate the list of XCR callbacks, and it will call each one.
[in] | GuestHandle | The guest handle. |
[in] | CpuNumber | The VCPU number. |
[out] | Action | The desired action. |
INT_STATUS_SUCCESS | On success. |
INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
INT_STATUS_NOT_INITIALIZED_HINT | If the guest is not initialized. |
INT_STATUS_NOT_FOUND | If Introcore did not handle the VMCALL. |
INT_STATUS_FATAL_ERROR | If a fatal error occurred and the integrator should unload Introcore. |
Definition at line 2580 of file callbacks.c.
Referenced by IntEnableXcrNotifications().
|
static |
Check if the access rights for the provided PhysicalAddress are up-to-date in the EPT. This function will get called only if the page wasn't hooked.
Sometimes, setting the access rights may silently fail on some HVs. In order to address this, we implement the following workaround: on EPT violations that are generated on a GPA which doesn't have any callback set, we will re-set the access rights again, hopping that this time, no errors will take place in the HV.
[in] | LinearAddress | The accessed linear address. |
[in] | PhysicalAddress | The accessed physical address. |
[in] | Access | The access type. |
Definition at line 228 of file callbacks.c.
Referenced by IntHandleMemAccess().
|
static |
Check if the access rights for the provided PhysicalAddress are up-to-date in the EPT. This function will get called oon each EPT violation.
Sometimes, setting the access rights may silently fail on some HVs. In order to address this, we implement the following workaround: on EPT violations that are generated on a GPA which doesn't have any callback set, we will re-set the access rights again, hopping that this time, no errors will take place in the HV.
[in] | LinearAddress | The accessed linear address. |
[in] | PhysicalAddress | The accessed physical address. |
[in] | Access | The access type. |
Definition at line 114 of file callbacks.c.
Referenced by IntHandleEptViolation().
Checks if the given GPA hook points to a valid GVA hook with a correct translation.
This function will get the GVA hook (if any) pointing to the GPA hook, and it will attempt to translate the virtual address to a physical address. Normally, the GPA the EPT violation just took place on and the GPA we obtain after we translate the GVA should be the same. However, if there has been a translation error (for example, somehow we missed a PTE write), the translated GPA could differ.
[in] | Hook | The GPA hook. |
Definition at line 37 of file callbacks.c.
Referenced by IntHandleMemAccess().
QWORD gEptEvents |
Definition at line 29 of file callbacks.c.
Referenced by IntHandleEptViolation(), and IntVeDumpStats().
|
static |
Definition at line 33 of file callbacks.c.
Referenced by IntHandleEptViolation(), and IntHandleMemAccess().
BOOLEAN gInjectVeLoader |
Definition at line 30 of file callbacks.c.
Referenced by DbgLoadVe(), and IntHandleTimer().
BOOLEAN gInjectVeUnloader |
Definition at line 30 of file callbacks.c.
Referenced by DbgUnloadVe(), and IntHandleTimer().
BOOLEAN gLoadPtDriver |
Definition at line 31 of file callbacks.c.
Referenced by DbgLoadPt(), and IntHandleTimer().
BOOLEAN gUnloadPtDriver |
Definition at line 31 of file callbacks.c.
Referenced by DbgUnloadPt(), and IntHandleTimer().