Bitdefender Hypervisor Memory Introspection
drivers.c File Reference
#include "drivers.h"
#include "guests.h"


Data Structures

struct  _DRIVER_EXPORT_CACHE
 Driver export cache.
 

Macros

#define for_each_driver(_var_name)   list_for_each (gKernelDrivers, KERNEL_DRIVER, _var_name)
 Iterates the gKernelDrivers linked list.
 
#define MAX_DRIVER_EXPORT_CACHE_ENTRIES   10
 Maximum entries inside the DRIVER_EXPORT_CACHE.
 

Typedefs

typedef struct _DRIVER_EXPORT_CACHE DRIVER_EXPORT_CACHE
 Driver export cache.
 
typedef struct _DRIVER_EXPORT_CACHE * PDRIVER_EXPORT_CACHE
 

Functions

INTSTATUS IntDriverLoadHandler (void const *Detour)
 The detour handler that will be invoked when a guest loads a new driver. This handles driver loading in both Windows and Linux OSs. It simply gathers the arguments from the guest and delegates the driver loading event to IntLixDrvCreateFromAddress or IntWinDrvCreateFromAddress. If one of these functions fails, Introcore will try to trap to a debugger.
 
INTSTATUS IntDriverUnloadHandler (void const *Detour)
 The detour handler that will be invoked when a guest driver is unloaded. This handles driver unloading for both Windows and Linux OSs. It simply gathers the arguments from the guest and delegates the driver unloading event to IntLixDrvRemoveFromAddress or IntWinDrvRemoveFromAddress. If one of these functions fails, Introcore will try to trap to a debugger.
 
KERNEL_DRIVER * IntDriverFindByAddress (QWORD Gva)
 Returns the driver in which Gva resides.
 
KERNEL_DRIVER * IntDriverFindByBase (QWORD Gva)
 Searches a driver object by its module base.
 
KERNEL_DRIVER * IntDriverFindByLoadOrder (DWORD LoadOrder)
 Searches a driver by its module load order.
 
KERNEL_DRIVER * IntDriverFindByName (const void *Name)
 Searches for a driver by its name.
 
KERNEL_DRIVER * IntDriverFindByPath (const WCHAR *Path)
 Searches for a driver by its module path.
 
void IntDriverUninit (void)
 Uninitializes the drivers submodule.
 
void IntDriverDump (void)
 Prints all the currently loaded drivers.
 
void IntDriverCacheCreateExport (const QWORD Rip)
 Adds a new export entry to the gDriverExportCache.
 
void IntDriverCacheCreateUnknown (const QWORD Rip)
 Adds a new entry to the gDriverExportCache.
 
DRIVER_EXPORT_CACHE_ENTRY * IntDriverCacheExportFind (const QWORD Rip)
 Finds an entry inside the gDriverExportCache.
 
void IntDriverCacheInv (const QWORD BaseAddress, const QWORD Length)
 Invalidates all cache entries for a given guest memory range.
 

Variables

LIST_HEAD gKernelDrivers = LIST_HEAD_INIT(gKernelDrivers)
 List of all the drivers currently loaded inside the guest.
 
static DRIVER_EXPORT_CACHE gDriverExportCache = {0}
 The driver exports cache.
 

Macro Definition Documentation

◆ for_each_driver

#define for_each_driver (   _var_name)    list_for_each (gKernelDrivers, KERNEL_DRIVER, _var_name)

Iterates the gKernelDrivers linked list.

Can be used to safely iterate the drivers list. The current driver pointed to by _var_name can safely be removed from the list, but note that removing other drivers while iterating the list using this macro is not a valid operation and can corrupt the list.

Parameters
[in] _var_name  The name of the variable in which the KERNEL_DRIVER pointer will be placed. This variable is declared by the macro and is available only in the scope created by the macro.

Definition at line 21 of file drivers.c.

Referenced by IntDriverDump(), IntDriverFindByAddress(), IntDriverFindByBase(), IntDriverFindByLoadOrder(), IntDriverFindByName(), IntDriverFindByPath(), and IntDriverUninit().

◆ MAX_DRIVER_EXPORT_CACHE_ENTRIES

#define MAX_DRIVER_EXPORT_CACHE_ENTRIES   10

Maximum entries inside the DRIVER_EXPORT_CACHE.

Definition at line 24 of file drivers.c.

Referenced by IntDriverCacheCreateExport(), and IntDriverCacheCreateUnknown().

Typedef Documentation

◆ DRIVER_EXPORT_CACHE

Driver export cache.

◆ PDRIVER_EXPORT_CACHE

Function Documentation

◆ IntDriverCacheCreateExport()

void IntDriverCacheCreateExport ( const QWORD  Rip)

Adds a new export entry to the gDriverExportCache.

If the cache is full, it is reset.

Parameters
[in] Rip  The guest RIP for which this entry is created.

Definition at line 432 of file drivers.c.

Referenced by IntExceptWinKernelGetOriginator().

◆ IntDriverCacheCreateUnknown()

void IntDriverCacheCreateUnknown ( const QWORD  Rip)

Adds a new entry to the gDriverExportCache.

If the cache is full, it is reset.

Parameters
[in] Rip  The guest RIP for which this entry is created.

Definition at line 458 of file drivers.c.

Referenced by IntExceptWinKernelGetOriginator().

◆ IntDriverCacheExportFind()

DRIVER_EXPORT_CACHE_ENTRY* IntDriverCacheExportFind ( const QWORD  Rip)

Finds an entry inside the gDriverExportCache.

Parameters
[in] Rip  The guest RIP to search for.
Returns
The cache entry for the given RIP, if one exists; NULL if no cache entry exists.

Definition at line 484 of file drivers.c.

Referenced by IntExceptWinKernelGetOriginator().

◆ IntDriverCacheInv()

void IntDriverCacheInv ( const QWORD  BaseAddress,
const QWORD  Length 
)

Invalidates all cache entries for a given guest memory range.

Parameters
[in] BaseAddress  The start of the range.
[in] Length  The size of the range.

Definition at line 508 of file drivers.c.

Referenced by IntWinDrvRemoveFromAddress().
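The four cache routines above describe a small fixed-size cache keyed by guest RIP: entries are appended, the whole cache is dropped when it fills, and a range invalidation removes the entries of an unloaded driver. The C program below is an added illustration of that behaviour written for this page; it is not taken from the HVMI sources, and the entry layout, the ENTRY_TYPE values, the function names and the sample addresses are all assumptions. It shows the property a reviewer should check: a RIP cached as an export must stop matching once the range that contained it is invalidated, otherwise a later module loaded at the same address inherits a stale verdict.

```c
/* Added example: a bounded, reset-when-full cache of guest RIPs with range
 * invalidation, modelled on the gDriverExportCache description. Not HVMI code;
 * the entry layout, ENTRY_TYPE, names and addresses are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef uint64_t QWORD;

#define CACHE_ENTRIES 10    /* same bound as MAX_DRIVER_EXPORT_CACHE_ENTRIES */

typedef enum { ENTRY_EXPORT = 1, ENTRY_UNKNOWN = 2 } ENTRY_TYPE;

typedef struct { QWORD Rip; ENTRY_TYPE Type; } CACHE_ENTRY;
typedef struct { size_t Count; CACHE_ENTRY Entries[CACHE_ENTRIES]; } RIP_CACHE;

static RIP_CACHE gCache;

void CacheReset(void) { memset(&gCache, 0, sizeof(gCache)); }
size_t CacheCount(void) { return gCache.Count; }

/* Shared append path. A full cache is dropped wholesale instead of evicting
 * one entry: cheap, and correctness never depends on what is cached. */
static void CacheAdd(QWORD Rip, ENTRY_TYPE Type)
{
    if (gCache.Count >= CACHE_ENTRIES) CacheReset();
    gCache.Entries[gCache.Count].Rip = Rip;
    gCache.Entries[gCache.Count].Type = Type;
    gCache.Count++;
}

void CacheCreateExport(QWORD Rip)  { CacheAdd(Rip, ENTRY_EXPORT); }
void CacheCreateUnknown(QWORD Rip) { CacheAdd(Rip, ENTRY_UNKNOWN); }

/* Linear scan; NULL means "not cached", never "not an export". */
CACHE_ENTRY *CacheFind(QWORD Rip)
{
    for (size_t i = 0; i < gCache.Count; i++)
        if (gCache.Entries[i].Rip == Rip) return &gCache.Entries[i];
    return NULL;
}

/* Drop every entry with Rip in [Base, Base + Length), compacting in place.
 * Needed when a driver unloads: the range may be reused by another module,
 * and a stale "export" verdict for a RIP inside it would be wrong. */
void CacheInvalidate(QWORD Base, QWORD Length)
{
    size_t kept = 0;
    for (size_t i = 0; i < gCache.Count; i++) {
        QWORD rip = gCache.Entries[i].Rip;
        bool hit = rip >= Base && rip - Base < Length;   /* no Base+Length wrap */
        if (!hit) gCache.Entries[kept++] = gCache.Entries[i];
    }
    /* clear the tail so stale data never aliases a future entry */
    memset(&gCache.Entries[kept], 0, (gCache.Count - kept) * sizeof(CACHE_ENTRY));
    gCache.Count = kept;
}

/* Helper for the demo: n distinct export RIPs one page apart from Start. */
void CacheFillExports(QWORD Start, size_t n)
{
    for (size_t i = 0; i < n; i++) CacheCreateExport(Start + 0x1000ULL * i);
}

int main(void)
{
    CacheCreateExport(0xfffff80000401000ULL);          /* assumed RIP in a driver */
    CacheInvalidate(0xfffff80000400000ULL, 0x100000);  /* that driver unloads */
    return CacheFind(0xfffff80000401000ULL) == NULL ? 0 : 1;
}
```

In this example, as in any cache that resets when full, a NULL from CacheFind only means "not cached": the caller must fall back to the full export walk and must not treat the miss as a negative answer. The range check is written as `rip - Base < Length` rather than `rip < Base + Length` so that a module mapped near the top of the address space cannot make the upper bound wrap to a small value.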

◆ IntDriverDump()

void IntDriverDump ( void  )

Prints all the currently loaded drivers.

Definition at line 391 of file drivers.c.

◆ IntDriverFindByAddress()

KERNEL_DRIVER* IntDriverFindByAddress ( QWORD  Gva)

Returns the driver in which Gva resides.

For Windows guests, this will check that Gva is inside a kernel module and will return the appropriate driver. For Linux guests, if the module is initialized, this will check that the Gva is inside a kernel module and will return the appropriate driver; if the module is not initialized, this will check that Gva is inside the 'init_layout' memory region.

Parameters
[in] Gva  The searched guest virtual address.
Returns
A pointer to a KERNEL_DRIVER structure, or NULL if Gva is not inside a driver.

Definition at line 164 of file drivers.c.

Referenced by IntAlertEptFillFromVictimZone(), IntCrLixHandleWrite(), IntDetSendIntegrityAlert(), IntExceptGetOriginatorFromModification(), IntExceptGetVictimMsr(), IntExceptLixKernelGetOriginator(), IntExceptPrintMsrInfo(), IntExceptWinKernelGetOriginator(), IntLixDumpStacktrace(), IntLixStackTraceGet(), IntLixStackTraceGetReg(), IntLixVdsoHandleWriteCommon(), IntLogCurrentIP(), IntLogStackTrace(), IntSlackSendIntegrityAlert(), IntWinDrvObjCreateFromAddress(), IntWinDrvObjHandleWrite(), IntWinDrvObjRemove(), IntWinGuestFinishInit(), IntWinInfCheckCtxLoggerOnRelocation(), IntWinInfHookGetWmiLoggerGetCpuClock(), IntWinInfHookSppViolationCallbackWmiPtrChanged(), IntWinModFillDriverInjectionData(), IntWinStackTraceGet32(), and IntWinStackTraceGet64().

◆ IntDriverFindByBase()

KERNEL_DRIVER* IntDriverFindByBase ( QWORD  Gva)

Searches a driver object by its module base.

Parameters
[in] Gva  Guest virtual address to search for; it must be the module base, not an arbitrary address inside the module.
Returns
A pointer to a KERNEL_DRIVER structure, or NULL if no loaded driver has Gva as its module base.

Definition at line 211 of file drivers.c.

Referenced by IntExceptKernelLogWindowsInformation().

◆ IntDriverFindByLoadOrder()

KERNEL_DRIVER* IntDriverFindByLoadOrder ( DWORD  LoadOrder)

Searches a driver by its module load order.

The load order is the order in which the drivers were added to the gKernelDrivers list. For Windows drivers, the driver at position 0 is always ntoskrnl.exe, while the driver at position 1 is always hal.dll.

Parameters
[in] LoadOrder  The index inside the list.
Returns
A pointer to a KERNEL_DRIVER structure, or NULL if no driver is found.

Definition at line 235 of file drivers.c.

Referenced by IntLdrFixImports(), IntWinAgentHandleDriverVmcall(), and IntWinAgentSelectBootstrapAddress().

◆ IntDriverFindByName()

KERNEL_DRIVER* IntDriverFindByName ( const void *  Name)

Searches for a driver by its name.

Parameters
[in] Name  NULL-terminated string with the driver name. For Windows guests this must be a wide char string; for Linux guests it must be a char string.
Returns
A pointer to a KERNEL_DRIVER structure, or NULL if no driver is found.

Definition at line 266 of file drivers.c.

Referenced by IntLdrFixImports(), IntWinAgentHandleDriverVmcall(), IntWinApiHook(), IntWinHalCreateHalData(), and IntWinNetFindTcpObjects().

◆ IntDriverFindByPath()

KERNEL_DRIVER* IntDriverFindByPath ( const WCHAR *  Path)

Searches for a driver by its module path.

This function always returns NULL for Linux guests.

Parameters
[in] Path  NULL-terminated wide char string with the kernel module path.
Returns
A pointer to a KERNEL_DRIVER structure, or NULL if no driver is found.

Definition at line 312 of file drivers.c.

◆ IntDriverUninit()

void IntDriverUninit ( void  )

Uninitializes the drivers submodule.

This will free every driver inside the gKernelDrivers list. The actual remove operation is delegated to IntLixDrvRemoveEntry or IntWinDrvRemoveEntry.

Definition at line 354 of file drivers.c.

Referenced by IntLixGuestUninit(), and IntWinGuestUninit().
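for_each_driver, IntDriverFindByAddress, IntDriverFindByLoadOrder and IntDriverUninit together describe an intrusive linked list whose iteration macro fetches the next link before the body runs, a range lookup, an index lookup and a teardown that unlinks the current node while iterating. The C program below is an added example that reconstructs that pattern; it is not the HVMI list implementation, and LIST_ENTRY, CONTAINING_RECORD, the list_for_each macro, the KERNEL_DRIVER fields and the sample base addresses are assumptions made for illustration. The comment on the macro spells out why removing the current node is safe and removing any other node is not.

```c
/* Added example: intrusive driver list with remove-current-safe iteration.
 * Not the HVMI list.h; every type, macro and address here is an assumption. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

typedef uint64_t QWORD; typedef uint32_t DWORD;

typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY, LIST_HEAD;
#define LIST_HEAD_INIT(name) { &(name), &(name) }
#define CONTAINING_RECORD(ptr, type, field) ((type *)((char *)(ptr) - offsetof(type, field)))

typedef struct _KERNEL_DRIVER {
    LIST_ENTRY Link;    /* linkage into gDrivers */
    QWORD BaseVa;       /* module base guest virtual address */
    QWORD Size;         /* module size in bytes */
    const char *Name;   /* narrow name for simplicity; Windows uses WCHAR */
} KERNEL_DRIVER;

LIST_HEAD gDrivers = LIST_HEAD_INIT(gDrivers);

/* The next link is read BEFORE the body runs, so the body may unlink and free
 * _var. Unlinking any OTHER node is unsafe: if it is the saved next node, the
 * following iteration dereferences freed memory. */
#define list_for_each(_head, _type, _var)                                     \
    for (_type *_var = CONTAINING_RECORD((_head).Flink, _type, Link),          \
         *_next_##_var = CONTAINING_RECORD(_var->Link.Flink, _type, Link);     \
         &_var->Link != &(_head);                                              \
         _var = _next_##_var,                                                 \
         _next_##_var = CONTAINING_RECORD(_var->Link.Flink, _type, Link))
#define for_each_driver(_var) list_for_each(gDrivers, KERNEL_DRIVER, _var)

static void ListInsertTail(LIST_HEAD *Head, LIST_ENTRY *E)
{
    E->Flink = Head; E->Blink = Head->Blink;
    Head->Blink->Flink = E; Head->Blink = E;
}

static void ListRemove(LIST_ENTRY *E)
{
    E->Blink->Flink = E->Flink; E->Flink->Blink = E->Blink;
    E->Flink = E->Blink = NULL;
}

/* Appending at the tail makes list position equal to load order. */
KERNEL_DRIVER *DriverAdd(const char *Name, QWORD Base, QWORD Size)
{
    KERNEL_DRIVER *d = calloc(1, sizeof(*d));
    if (!d) return NULL;
    d->Name = Name; d->BaseVa = Base; d->Size = Size;
    ListInsertTail(&gDrivers, &d->Link);
    return d;
}

/* Containment test as in IntDriverFindByAddress: Gva in [Base, Base+Size),
 * written as Gva - Base < Size so Base + Size cannot wrap near the top of memory. */
KERNEL_DRIVER *DriverFindByAddress(QWORD Gva)
{
    for_each_driver(d) {
        if (Gva >= d->BaseVa && Gva - d->BaseVa < d->Size) return d;
    }
    return NULL;
}

KERNEL_DRIVER *DriverFindByLoadOrder(DWORD LoadOrder)
{
    DWORD i = 0;
    for_each_driver(d) {
        if (i++ == LoadOrder) return d;
    }
    return NULL;
}

size_t DriverCount(void)
{
    size_t n = 0;
    for_each_driver(d) n++;
    return n;
}

/* Teardown as in IntDriverUninit: frees the CURRENT node on every iteration. */
size_t DriverRemoveAll(void)
{
    size_t n = 0;
    for_each_driver(d) {
        ListRemove(&d->Link);
        free(d);
        n++;
    }
    return n;
}

int main(void)
{
    DriverAdd("ntoskrnl.exe", 0xfffff80000400000ULL, 0x800000);
    DriverAdd("hal.dll", 0xfffff80000c00000ULL, 0x100000);
    int found = DriverFindByAddress(0xfffff80000c01234ULL) != NULL;
    return (found && DriverRemoveAll() == 2) ? 0 : 1;
}
```

The macro is the point of the example: because `_next_d` is captured in the loop header, DriverRemoveAll can unlink and free `d` inside the body, which is the pattern the page describes for for_each_driver and IntDriverUninit. Removing a different node from inside the body would be unsafe for exactly the reason stated in the macro comment.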

Variable Documentation

◆ gDriverExportCache

static DRIVER_EXPORT_CACHE gDriverExportCache = {0}

The driver exports cache.

This is used to validate that a guest RIP points inside a driver without parsing the driver's exports on every lookup. Entries are keyed by RIP, so they become stale when the module that contained the RIP is unloaded; IntDriverCacheInv, called from IntWinDrvRemoveFromAddress, drops the entries of the unloaded range.

Definition at line 41 of file drivers.c.

◆ gKernelDrivers

LIST_HEAD gKernelDrivers = LIST_HEAD_INIT(gKernelDrivers)

List of all the drivers currently loaded inside the guest.

Can always be safely used.

Definition at line 11 of file drivers.c.