- Generated by
1.8.13
|
Bitdefender Hypervisor Memory Introspection
|
Go to the source code of this file.
Data Structures | |
| struct | _DRIVER_EXPORT_CACHE_ENTRY |
| Describes an entry in the gDriverExportCache. More... | |
| struct | _KERNEL_DRIVER |
| Describes a kernel driver. More... | |
Typedefs | |
| typedef struct _DRIVER_EXPORT_CACHE_ENTRY | DRIVER_EXPORT_CACHE_ENTRY |
| Describes an entry in the gDriverExportCache. More... | |
| typedef struct _DRIVER_EXPORT_CACHE_ENTRY * | PDRIVER_EXPORT_CACHE_ENTRY |
| typedef struct _KERNEL_DRIVER | KERNEL_DRIVER |
| Describes a kernel driver. More... | |
| typedef struct _KERNEL_DRIVER * | PKERNEL_DRIVER |
Functions | |
| INTSTATUS | IntDriverLoadHandler (void const *Detour) |
| The detour handler that will be invoked when a guest loads a new driver.This handles driver loading in both Windows and Linux OSs. It simply gathers the arguments from the guest and delegates the driver loading event to IntLixDrvCreateFromAddress or IntWinDrvCreateFromAddress. If one of this function fails Introcore will try to trap to a debugger. More... | |
| INTSTATUS | IntDriverUnloadHandler (void const *Detour) |
| The detour handler that will be invoked when a guest driver is unloaded.This handles driver unloading for both Windows and Linux OSs. It simply gathers the arguments from the guest and delegates the driver unloading event to IntLixDrvRemoveFromAddress or IntWinDrvRemoveFromAddress. If one of this function fails introcore will try to trap to a debugger. More... | |
| KERNEL_DRIVER * | IntDriverFindByAddress (QWORD Gva) |
| Returns the driver in which Gva resides. More... | |
| KERNEL_DRIVER * | IntDriverFindByBase (QWORD Gva) |
| Searches a driver object by its module base. More... | |
| KERNEL_DRIVER * | IntDriverFindByLoadOrder (DWORD LoadOrder) |
| Searches a driver by its module load order. More... | |
| KERNEL_DRIVER * | IntDriverFindByName (const void *Name) |
| Searches for a driver by its name. More... | |
| KERNEL_DRIVER * | IntDriverFindByPath (const WCHAR *Path) |
| Searches for a driver by its module path. More... | |
| void | IntDriverUninit (void) |
| Uninitializes the drivers submodule. More... | |
| void | IntDriverDump (void) |
| Prints all the currently loaded drivers. More... | |
| void | IntDriverCacheCreateExport (const QWORD Rip) |
| Adds a new export entry to the gDriverExportCache. More... | |
| void | IntDriverCacheCreateUnknown (const QWORD Rip) |
| Adds a new entry to the gDriverExportCache. More... | |
| DRIVER_EXPORT_CACHE_ENTRY * | IntDriverCacheExportFind (const QWORD Rip) |
| Finds an entry inside the gDriverExportCache. More... | |
| void | IntDriverCacheInv (const QWORD BaseAddress, const QWORD Length) |
| Invalidates all cache entries for a given guest memory range. More... | |
| typedef struct _DRIVER_EXPORT_CACHE_ENTRY DRIVER_EXPORT_CACHE_ENTRY |
Describes an entry in the gDriverExportCache.
| typedef struct _KERNEL_DRIVER KERNEL_DRIVER |
Describes a kernel driver.
This structure contains information that is common for both Windows and Linux kernels, with the OS-specific parts being saved in the Win or Lix fields.
| typedef struct _DRIVER_EXPORT_CACHE_ENTRY * PDRIVER_EXPORT_CACHE_ENTRY |
| typedef struct _KERNEL_DRIVER * PKERNEL_DRIVER |
| void IntDriverCacheCreateExport | ( | const QWORD | Rip | ) |
Adds a new export entry to the gDriverExportCache.
If the cache is full, it is reset.
| [in] | Rip | The guest RIP for which this entry is created. |
Definition at line 432 of file drivers.c.
Referenced by IntExceptWinKernelGetOriginator().
| void IntDriverCacheCreateUnknown | ( | const QWORD | Rip | ) |
Adds a new entry to the gDriverExportCache.
If the cache is full, it is reset.
| [in] | Rip | The guest RIP for which this entry is created. |
Definition at line 458 of file drivers.c.
Referenced by IntExceptWinKernelGetOriginator().
| DRIVER_EXPORT_CACHE_ENTRY* IntDriverCacheExportFind | ( | const QWORD | Rip | ) |
Finds an entry inside the gDriverExportCache.
| [in] | Rip | The guest RIP to search for. |
Definition at line 484 of file drivers.c.
Referenced by IntExceptWinKernelGetOriginator().
Invalidates all cache entries for a given guest memory range.
| [in] | BaseAddress | The start of the range. |
| [in] | Length | The size of the range. |
Definition at line 508 of file drivers.c.
Referenced by IntWinDrvRemoveFromAddress().
| void IntDriverDump | ( | void | ) |
| KERNEL_DRIVER* IntDriverFindByAddress | ( | QWORD | Gva | ) |
Returns the driver in which Gva resides.
For Windows guests, this will check that Gva is inside a kernel module and will return the appropriate driver. For Linux guests, if the module is initialized, this will check that the Gva is inside a kernel module and will return the appropriate driver; if the module is not initialized, this will check that Gva is inside the 'init_layout' memory region.
| [in] | Gva | The searched guest virtual address. |
Definition at line 164 of file drivers.c.
Referenced by IntAlertEptFillFromVictimZone(), IntCrLixHandleWrite(), IntDetSendIntegrityAlert(), IntExceptGetOriginatorFromModification(), IntExceptGetVictimMsr(), IntExceptLixKernelGetOriginator(), IntExceptPrintMsrInfo(), IntExceptWinKernelGetOriginator(), IntLixDumpStacktrace(), IntLixStackTraceGet(), IntLixStackTraceGetReg(), IntLixVdsoHandleWriteCommon(), IntLogCurrentIP(), IntLogStackTrace(), IntSlackSendIntegrityAlert(), IntWinDrvObjCreateFromAddress(), IntWinDrvObjHandleWrite(), IntWinDrvObjRemove(), IntWinGuestFinishInit(), IntWinInfCheckCtxLoggerOnRelocation(), IntWinInfHookGetWmiLoggerGetCpuClock(), IntWinInfHookSppViolationCallbackWmiPtrChanged(), IntWinModFillDriverInjectionData(), IntWinStackTraceGet32(), and IntWinStackTraceGet64().
| KERNEL_DRIVER* IntDriverFindByBase | ( | QWORD | Gva | ) |
Searches a driver object by its module base.
| [in] | Gva | Guest virtual address to search for. |
Definition at line 211 of file drivers.c.
Referenced by IntExceptKernelLogWindowsInformation().
| KERNEL_DRIVER* IntDriverFindByLoadOrder | ( | DWORD | LoadOrder | ) |
Searches a driver by its module load order.
The load order is the order in which the drivers were added to the gKernelDrivers list. For Windows drivers, the driver at position 0 is always ntoskrnl.exe, while the driver at position 1 is always hal.dll.
| [in] | LoadOrder | The index inside the list. |
Definition at line 235 of file drivers.c.
Referenced by IntLdrFixImports(), IntWinAgentHandleDriverVmcall(), and IntWinAgentSelectBootstrapAddress().
| KERNEL_DRIVER* IntDriverFindByName | ( | const void * | Name | ) |
Searches for a driver by its name.
| [in] | Name | NULL-terminated string with the driver name. For Windows guests this must be a wide char string; for Linux guests it must be a char string. |
Definition at line 266 of file drivers.c.
Referenced by IntLdrFixImports(), IntWinAgentHandleDriverVmcall(), IntWinApiHook(), IntWinHalCreateHalData(), and IntWinNetFindTcpObjects().
| KERNEL_DRIVER* IntDriverFindByPath | ( | const WCHAR * | Path | ) |
Searches for a driver by its module path.
This function always returns NULL for Linux guests.
| [in] | Path | NULL-terminated string with the kernel module path. |
| void IntDriverUninit | ( | void | ) |
Uninitializes the drivers submodule.
This will free every driver inside the gKernelDrivers list. The actual remove operation is delegated to IntLixDrvRemoveEntry or IntWinDrvRemoveEntry.
Definition at line 354 of file drivers.c.
Referenced by IntLixGuestUninit(), and IntWinGuestUninit().
1.8.13