doxygen/html/drivers_8c_source.html

 /*
  * Copyright (c) 2020 Bitdefender
  * SPDX-License-Identifier: Apache-2.0
  */
 #include "drivers.h"
 #include "guests.h"

 LIST_HEAD gKernelDrivers = LIST_HEAD_INIT(gKernelDrivers);

 #define for_each_driver(_var_name) list_for_each (gKernelDrivers, KERNEL_DRIVER, _var_name)

 #define MAX_DRIVER_EXPORT_CACHE_ENTRIES 10

 typedef struct _DRIVER_EXPORT_CACHE
 {
     WORD                        CurrentEntry;
     DRIVER_EXPORT_CACHE_ENTRY   Entry[MAX_DRIVER_EXPORT_CACHE_ENTRIES];
 } DRIVER_EXPORT_CACHE, *PDRIVER_EXPORT_CACHE;

 static DRIVER_EXPORT_CACHE gDriverExportCache = {0};


 INTSTATUS
 IntDriverLoadHandler(
     _In_ void const *Detour
     )
 {
     INTSTATUS status;
     IG_ARCH_REGS const *pRegs = &gVcpu->Regs;

     UNREFERENCED_PARAMETER(Detour);

     if (gGuest.OSType == introGuestLinux)
     {
         status = IntLixDrvCreateFromAddress(pRegs->R8, 0);
         if (!INT_SUCCESS(status))
         {
             ERROR("[ERROR] IntLixDrvCreateFromAddress failed for module 0x%016llx: 0x%08x\n", pRegs->Rdi, status);
             IntDbgEnterDebugger();
         }
     }
     else
     {
         QWORD args[2];
         QWORD ldrAddress;
         DWORD load;

         status = IntDetGetArguments(Detour, 2, args);
         if (!INT_SUCCESS(status))
         {
             ERROR("[ERROR] IntDetGetArguments failed: 0x%08x\n", status);
             return status;
         }

         ldrAddress = args[0];
         load = (args[1] & 0xFFFFFFFF) > 0;

         // The module is unloading, we are not interested in this, we already caught that...
         if (!load)
         {
             return INT_STATUS_SUCCESS;
         }

         status = IntWinDrvCreateFromAddress(ldrAddress, FLAG_DYNAMIC_DETECTION);
         if (!INT_SUCCESS(status))
         {
             ERROR("[ERROR] IntWinDrvCreateFromAddress failed for GVA 0x%016llx: 0x%08x\n", ldrAddress, status);
             IntDbgEnterDebugger();
         }
     }

     return INT_STATUS_SUCCESS;
 }


 INTSTATUS
 IntDriverUnloadHandler(
     _In_ void const *Detour
     )
 {
     INTSTATUS status;
     IG_ARCH_REGS const *pRegs = &gVcpu->Regs;

     UNREFERENCED_PARAMETER(Detour);

     if (gGuest.OSType == introGuestLinux)
     {
         status = IntLixDrvRemoveFromAddress(pRegs->R8);
         if (!INT_SUCCESS(status))
         {
             ERROR("[ERROR] IntLixDrvRemoveFromAddress failed for GVA 0x%016llx: 0x%08x\n", pRegs->Rdi, status);
             IntDbgEnterDebugger();
         }
     }
     else
     {
         QWORD ldrAddress = 0;

         status = IntDetGetArgument(Detour, 0, NULL, 0, &ldrAddress);
         if (!INT_SUCCESS(status))
         {
             ERROR("[ERROR] IntDetGetArgument failed: 0x%08x\n", status);
             return status;
         }

         status = IntWinDrvRemoveFromAddress(ldrAddress);
         if (!INT_SUCCESS(status) && (INT_STATUS_NOT_FOUND != status))
         {
             ERROR("[ERROR] IntWinDrvRemoveFromAddress failed for GVA 0x%016llx: 0x%08x\n", ldrAddress, status);
             IntDbgEnterDebugger();
         }
     }

     return INT_STATUS_SUCCESS;
 }


 KERNEL_DRIVER *
 IntDriverFindByAddress(
     _In_ QWORD Gva
     )
 {
     for_each_driver(pDriver)
     {
         if (pDriver->BaseVa <= Gva && pDriver->BaseVa + pDriver->Size > Gva)
         {
             return pDriver;
         }
     }

     if (gGuest.OSType == introGuestWindows)
     {
         return NULL;
     }

     for_each_driver(pDriver)
     {
         if (pDriver->Lix.Initialized)
         {
             continue;
         }

         if (IN_RANGE_LEN(Gva, pDriver->Lix.InitLayout.Base, pDriver->Lix.InitLayout.Size))
         {
             return pDriver;
         }
     }

     return NULL;
 }


 KERNEL_DRIVER *
 IntDriverFindByBase(
     _In_ QWORD Gva
     )
 {
     for_each_driver(pDriver)
     {
         if (pDriver->BaseVa == Gva)
         {
             return pDriver;
         }
     }

     return NULL;
 }


 KERNEL_DRIVER *
 IntDriverFindByLoadOrder(
     _In_ DWORD LoadOrder
     )
 {
     DWORD currentPosition = 0;

     for_each_driver(pDriver)
     {
         if (LoadOrder == currentPosition)
         {
             return pDriver;
         }

         currentPosition++;
     }

     return NULL;
 }


 KERNEL_DRIVER *
 IntDriverFindByName(
     _In_ const void *Name
     )
 {
     if (NULL == Name)
     {
         return NULL;
     }

     for_each_driver(pDriver)
     {
         int cmp = 1;

         if (NULL == pDriver->Name)
         {
             continue;
         }

         if (gGuest.OSType == introGuestWindows)
         {
             cmp = wstrcasecmp(Name, pDriver->Name);
         }
         else
         {
             cmp = strcmp(pDriver->Name, Name);
         }

         if (0 == cmp)
         {
             return pDriver;
         }
     }

     return NULL;
 }


 KERNEL_DRIVER *
 IntDriverFindByPath(
     _In_ const WCHAR *Path
     )
 {
     // We have no path on Linux, so no need for it
     if (introGuestLinux == gGuest.OSType)
     {
         return NULL;
     }

     if (NULL == Path)
     {
         return NULL;
     }

     for_each_driver(pDriver)
     {
         if (NULL == pDriver->Win.Path)
         {
             continue;
         }

         if (0 == wstrcasecmp(Path, pDriver->Win.Path))
         {
             return pDriver;
         }
     }

     return NULL;
 }


 void
 IntDriverUninit(
     void
     )
 {
     for_each_driver(pDriver)
     {
         INTSTATUS status;

         RemoveEntryList(&pDriver->Link);

         if (gGuest.OSType == introGuestLinux)
         {
             status = IntLixDrvRemoveEntry(pDriver);
             if (!INT_SUCCESS(status))
             {
                 ERROR("[ERROR] IntLixDrvRemoveEntry failed: 0x%08x\n", status);
             }
         }
         else
         {
             status = IntWinDrvRemoveEntry(pDriver);
             if (!INT_SUCCESS(status))
             {
                 ERROR("[ERROR] IntWinDrvRemoveEntry failed: 0x%08x\n", status);
             }
         }
     }
 }


 void
 IntDriverDump(
     void
     )
 {
     DWORD i = 0;

     for_each_driver(pDriver)
     {
         if (gGuest.OSType == introGuestLinux)
         {
             LOG("  #%03d I: %d, Core: 0x%016llx, CoreSize: 0x%08llx, CoreTextSize: 0x%08x, "
                 "CoreRoSize: 0x%08x, Name: '%s'\n",
                 i++,
                 pDriver->Lix.Initialized,
                 pDriver->BaseVa,
                 pDriver->Size,
                 pDriver->Lix.CoreLayout.TextSize,
                 pDriver->Lix.CoreLayout.RoSize,
                 (char *)pDriver->Name);
         }
         else
         {
             LOG("  #%03d Base: 0x%016llx, Size: 0x%08llx, PathHash: 0x%08x, NameHash: 0x%08x, Name: '%s'\n",
                 i++, pDriver->BaseVa, pDriver->Size, pDriver->Win.PathHash,
                 pDriver->NameHash, utf16_for_log(pDriver->Name));

             if (pDriver->Win.DriverObject)
             {
                 LOG("------> 0x%016llx : %s\n",
                     pDriver->Win.DriverObject->DriverObjectGva,
                     utf16_for_log(((PWIN_DRIVER_OBJECT)pDriver->Win.DriverObject)->Name));
             }
         }
     }
 }


 void
 IntDriverCacheCreateExport(
     _In_ const QWORD Rip
     )
 {
     if (gDriverExportCache.CurrentEntry == MAX_DRIVER_EXPORT_CACHE_ENTRIES)
     {
         gDriverExportCache.CurrentEntry = 0;
     }

     memzero(&gDriverExportCache.Entry[gDriverExportCache.CurrentEntry], sizeof(DRIVER_EXPORT_CACHE_ENTRY));

     gDriverExportCache.Entry[gDriverExportCache.CurrentEntry].Rip = Rip;
     gDriverExportCache.Entry[gDriverExportCache.CurrentEntry].Type.Export = 1;

     gDriverExportCache.CurrentEntry++;
 }


 void
 IntDriverCacheCreateUnknown(
     _In_ const QWORD Rip
     )
 {
     if (gDriverExportCache.CurrentEntry == MAX_DRIVER_EXPORT_CACHE_ENTRIES)
     {
         gDriverExportCache.CurrentEntry = 0;
     }

     memzero(&gDriverExportCache.Entry[gDriverExportCache.CurrentEntry], sizeof(DRIVER_EXPORT_CACHE_ENTRY));

     gDriverExportCache.Entry[gDriverExportCache.CurrentEntry].Rip = Rip;
     gDriverExportCache.Entry[gDriverExportCache.CurrentEntry].Type.Unknown = 1;

     gDriverExportCache.CurrentEntry++;
 }


 DRIVER_EXPORT_CACHE_ENTRY *
 IntDriverCacheExportFind(
     _In_ const QWORD Rip
     )
 {
     for (DWORD index = 0; index < ARRAYSIZE(gDriverExportCache.Entry); index++)
     {
         if (Rip == gDriverExportCache.Entry[index].Rip)
         {
             return &gDriverExportCache.Entry[index];
         }
     }

     return NULL;
 }


 void
 IntDriverCacheInv(
     _In_ const QWORD BaseAddress,
     _In_ const QWORD Length
     )
 {
     for (DWORD index = 0; index < ARRAYSIZE(gDriverExportCache.Entry); index++)
     {
         if (IN_RANGE_LEN(gDriverExportCache.Entry[index].Rip, BaseAddress, Length))
         {
             memzero(&gDriverExportCache.Entry[index], sizeof(DRIVER_EXPORT_CACHE_ENTRY));
         }
     }
 }
_DRIVER_EXPORT_CACHE_ENTRY::Unknown
BYTE Unknown
Set if the function at this RIP is not exported.
Definition: drivers.h:20

PDRIVER_EXPORT_CACHE
struct _DRIVER_EXPORT_CACHE * PDRIVER_EXPORT_CACHE

IntLixDrvRemoveEntry
INTSTATUS IntLixDrvRemoveEntry(KERNEL_DRIVER *Driver)
Disable protection and frees the driver structure from our internal list.
Definition: lixmodule.c:828

_VCPU_STATE::Regs
IG_ARCH_REGS Regs
The current state of the guest registers.
Definition: guests.h:95

_In_
#define _In_
Definition: intro_sal.h:21

IntDriverCacheExportFind
DRIVER_EXPORT_CACHE_ENTRY * IntDriverCacheExportFind(const QWORD Rip)
Finds an entry inside the gDriverExportCache.
Definition: drivers.c:484

INT_STATUS_SUCCESS
#define INT_STATUS_SUCCESS
Definition: introstatus.h:54

WORD
uint16_t WORD
Definition: intro_types.h:48

IntDriverCacheInv
void IntDriverCacheInv(const QWORD BaseAddress, const QWORD Length)
Invalidates all cache entries for a given guest memory range.
Definition: drivers.c:508

IntLixDrvRemoveFromAddress
INTSTATUS IntLixDrvRemoveFromAddress(QWORD DriverGva)
Disable protection and remove the driver structure from our internal list.
Definition: lixmodule.c:866

INT_SUCCESS
#define INT_SUCCESS(Status)
Definition: introstatus.h:42

ARRAYSIZE
#define ARRAYSIZE(A)
Definition: introdefs.h:101

ERROR
#define ERROR(fmt,...)
Definition: glue.h:62

IntDriverUnloadHandler
INTSTATUS IntDriverUnloadHandler(void const *Detour)
The detour handler that will be invoked when a guest driver is unloaded.This handles driver unloading...
Definition: drivers.c:110

INTSTATUS
int INTSTATUS
The status data type.
Definition: introstatus.h:24

INT_STATUS_NOT_FOUND
#define INT_STATUS_NOT_FOUND
Definition: introstatus.h:284

_IG_ARCH_REGS::Rdi
QWORD Rdi
Definition: glueiface.h:39

_DRIVER_EXPORT_CACHE::Entry
DRIVER_EXPORT_CACHE_ENTRY Entry[MAX_DRIVER_EXPORT_CACHE_ENTRIES]
The cache entries.
Definition: drivers.c:34

_GUEST_STATE::OSType
INTRO_GUEST_TYPE OSType
The type of the guest.
Definition: guests.h:278

DRIVER_EXPORT_CACHE
struct _DRIVER_EXPORT_CACHE DRIVER_EXPORT_CACHE
Driver export cache.

_DRIVER_EXPORT_CACHE_ENTRY::Type
struct _DRIVER_EXPORT_CACHE_ENTRY::@23 Type

IntWinDrvCreateFromAddress
INTSTATUS IntWinDrvCreateFromAddress(QWORD ModuleInfo, QWORD Flags)
Adds a driver to introspection&#39;s LoadedModuleList (gKernelDrivers). This way we avoid lots of mapping...
Definition: windriver.c:305

_DRIVER_EXPORT_CACHE_ENTRY::Export
BYTE Export
Set if the function at this RIP is exported.
Definition: drivers.h:21

LOG
#define LOG(fmt,...)
Definition: glue.h:61

_KERNEL_DRIVER
Describes a kernel driver.
Definition: drivers.h:30

guests.h

gDriverExportCache
static DRIVER_EXPORT_CACHE gDriverExportCache
The driver exports cache.
Definition: drivers.c:41

IntDriverLoadHandler
INTSTATUS IntDriverLoadHandler(void const *Detour)
The detour handler that will be invoked when a guest loads a new driver.This handles driver loading i...
Definition: drivers.c:45

gKernelDrivers
LIST_HEAD gKernelDrivers
List of all the drivers currently loaded inside the guest.
Definition: drivers.c:11

introGuestLinux
Linux.
Definition: intro_types.h:2044

IntDriverCacheCreateUnknown
void IntDriverCacheCreateUnknown(const QWORD Rip)
Adds a new entry to the gDriverExportCache.
Definition: drivers.c:458

IntDriverDump
void IntDriverDump(void)
Prints all the currently loaded drivers.
Definition: drivers.c:391

_DRIVER_EXPORT_CACHE_ENTRY::Rip
QWORD Rip
The guest RIP for which this entry exists.
Definition: drivers.h:16

RemoveEntryList
static BOOLEAN RemoveEntryList(LIST_ENTRY *Entry)
Definition: introlists.h:87

_WIN_DRIVER_OBJECT
Holds information about a driver object.
Definition: windrvobj.h:13

memzero
#define memzero(a, s)
Definition: introcrt.h:35

QWORD
unsigned long long QWORD
Definition: intro_types.h:53

IntDriverUninit
void IntDriverUninit(void)
Uninitializes the drivers submodule.
Definition: drivers.c:354

IN_RANGE_LEN
#define IN_RANGE_LEN(x, start, len)
Definition: introdefs.h:175

IntDriverFindByPath
KERNEL_DRIVER * IntDriverFindByPath(const WCHAR *Path)
Searches for a driver by its module path.
Definition: drivers.c:312

IntWinDrvRemoveEntry
INTSTATUS IntWinDrvRemoveEntry(KERNEL_DRIVER *Driver)
Removes the KERNEL_DRIVER from the internal structures.
Definition: windriver.c:1696

_IG_ARCH_REGS::R8
QWORD R8
Definition: glueiface.h:40

drivers.h

IntDriverFindByName
KERNEL_DRIVER * IntDriverFindByName(const void *Name)
Searches for a driver by its name.
Definition: drivers.c:266

introGuestWindows
Windows.
Definition: intro_types.h:2043

IntDriverFindByLoadOrder
KERNEL_DRIVER * IntDriverFindByLoadOrder(DWORD LoadOrder)
Searches a driver by its module load order.
Definition: drivers.c:235

IntDetGetArgument
INTSTATUS IntDetGetArgument(void const *Detour, DWORD Index, BYTE const *StackBuffer, DWORD StackBufferSize, QWORD *Value)
Reads the specified argument for a detour.
Definition: detours.c:2237

UNREFERENCED_PARAMETER
#define UNREFERENCED_PARAMETER(P)
Definition: introdefs.h:29

WCHAR
uint16_t WCHAR
Definition: intro_types.h:63

DWORD
uint32_t DWORD
Definition: intro_types.h:49

_DRIVER_EXPORT_CACHE
Driver export cache.
Definition: drivers.c:29

IntDriverFindByAddress
KERNEL_DRIVER * IntDriverFindByAddress(QWORD Gva)
Returns the driver in which Gva resides.
Definition: drivers.c:164

IntDetGetArguments
INTSTATUS IntDetGetArguments(void const *Detour, DWORD Argc, QWORD *Argv)
Reads multiple arguments from a detour.
Definition: detours.c:2296

_DRIVER_EXPORT_CACHE::CurrentEntry
WORD CurrentEntry
The number of valid entries inside the Entry array.
Definition: drivers.c:32

IntLixDrvCreateFromAddress
INTSTATUS IntLixDrvCreateFromAddress(QWORD DriverGva, QWORD StaticDetected)
Create the KERNEL_DRIVER object from the provided &#39;module struct&#39; address and activate the protection...
Definition: lixmodule.c:696

IntWinDrvRemoveFromAddress
INTSTATUS IntWinDrvRemoveFromAddress(QWORD ModuleInfo)
Removes a driver from the introspection&#39;s loaded modules list (gKernelDrivers).
Definition: windriver.c:522

IntDbgEnterDebugger
#define IntDbgEnterDebugger()
Definition: introcore.h:381

MAX_DRIVER_EXPORT_CACHE_ENTRIES
#define MAX_DRIVER_EXPORT_CACHE_ENTRIES
Maximum entries inside the DRIVER_EXPORT_CACHE.
Definition: drivers.c:24

gGuest
GUEST_STATE gGuest
The current guest state.
Definition: guests.c:50

IntDriverCacheCreateExport
void IntDriverCacheCreateExport(const QWORD Rip)
Adds a new export entry to the gDriverExportCache.
Definition: drivers.c:432

wstrcasecmp
int wstrcasecmp(const WCHAR *buf1, const WCHAR *buf2)
Definition: introcrt.c:98

LIST_HEAD_INIT
#define LIST_HEAD_INIT(Name)
Definition: introlists.h:39

FLAG_DYNAMIC_DETECTION
The object was detected when it was created.
Definition: winguest.h:152

utf16_for_log
char * utf16_for_log(const WCHAR *WString)
Converts a UTF-16 to a UTF-8 string to be used inside logging macros.
Definition: introcore.c:2845

gVcpu
VCPU_STATE * gVcpu
The state of the current VCPU.
Definition: guests.c:59

_DRIVER_EXPORT_CACHE_ENTRY
Describes an entry in the gDriverExportCache.
Definition: drivers.h:14

_IG_ARCH_REGS
Holds register state.
Definition: glueiface.h:30

IntDriverFindByBase
KERNEL_DRIVER * IntDriverFindByBase(QWORD Gva)
Searches a driver object by its module base.
Definition: drivers.c:211

for_each_driver
#define for_each_driver(_var_name)
Iterates the gKernelDrivers linked list.
Definition: drivers.c:21

_LIST_ENTRY
Definition: introlists.h:16