Bitdefender Hypervisor Memory Introspection
Functions | Variables
dtr_protection.c File Reference
#include "dtr_protection.h"
#include "alerts.h"
#include "guests.h"
#include "hook_dtr.h"
#include "introcpu.h"
#include "winidt.h"
#include "lixidt.h"

Go to the source code of this file.

Functions

static QWORD IntDtrGetProtOption (INTRO_OBJECT_TYPE DtrType)
 Given a DTR object type, return the protection option which controls it. More...
 
static INTSTATUS IntDtrSendAlert (PEXCEPTION_VICTIM_ZONE Victim, PEXCEPTION_KM_ORIGINATOR Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason)
 Send an DTR alert. More...
 
static INTSTATUS IntDtrHandleWrite (DTR *OldDtr, DTR *NewDtr, DWORD Flags, INTRO_ACTION *Action)
 Handle an IDTR or GDTR modification. More...
 
INTSTATUS IntIdtrProtect (void)
 Enable IDTR protection. More...
 
INTSTATUS IntGdtrProtect (void)
 Enable GDTR protection. More...
 
INTSTATUS IntIdtrUnprotect (void)
 Remove the IDTR protection. More...
 
INTSTATUS IntGdtrUnprotect (void)
 Remove the GDTR protection. More...
 

Variables

static void * gIdtrHook
 The IDTR hook. More...
 
static void * gGdtrHook
 The GDTR hook. More...
 

Function Documentation

◆ IntDtrGetProtOption()

static QWORD IntDtrGetProtOption ( INTRO_OBJECT_TYPE  DtrType)
static

Given a DTR object type, return the protection option which controls it.

Parameters
[in]DtrTypeThe descriptor table register type.
Returns
The protection option which enables/disables protection on that descriptor table register.

Definition at line 19 of file dtr_protection.c.

Referenced by IntDtrHandleWrite(), and IntDtrSendAlert().

◆ IntDtrHandleWrite()

static INTSTATUS IntDtrHandleWrite ( DTR OldDtr,
DTR NewDtr,
DWORD  Flags,
INTRO_ACTION Action 
)
static

Handle an IDTR or GDTR modification.

This function will inspect if the IDTR or GDTR is being modified in a malicious way. In order to do so, it will try to match the hard-coded PatchGuard signatures, and, if a match is not found, the exceptions mechanism will be invoked. If a match is not found, the action will be blocked, and an alert will be sent.

Parameters
[in]OldDtrOld DTR value.
[in]NewDtrNew DTR value.
[in]FlagsDTR access flags - see IG_DESC_ACCESS.
[out]ActionThe desired action.
Return values
INT_STATUS_SUCCESSOn success.
INT_STATUS_INVALID_PARAMETERIf an invalid parameter is supplied.

Definition at line 107 of file dtr_protection.c.

Referenced by IntGdtrProtect(), and IntIdtrProtect().

◆ IntDtrSendAlert()

static INTSTATUS IntDtrSendAlert ( PEXCEPTION_VICTIM_ZONE  Victim,
PEXCEPTION_KM_ORIGINATOR  Originator,
INTRO_ACTION  Action,
INTRO_ACTION_REASON  Reason 
)
static

Send an DTR alert.

This will send an introEventDtrViolation to the integrator. These alerts are controlled by the INTRO_OPT_PROT_KM_IDTR and INTRO_OPT_PROT_KM_GDTR options.

Parameters
[in]VictimThe victim zone, which identifies the written DTR.
[in]OriginatorThe attacker, who modified the DTR.
[in]ActionThe desired action.
[in]ReasonThe action reason.
Return values
INT_STATUS_SUCCESSOn success.

Definition at line 46 of file dtr_protection.c.

Referenced by IntDtrHandleWrite().

◆ IntGdtrProtect()

INTSTATUS IntGdtrProtect ( void  )

Enable GDTR protection.

Return values
INT_STATUS_SUCCESSOn success.
INT_STATUS_NOT_NEEDED_HINTIf DTR events are not supported.
INT_STATUS_ALREADY_INITIALIZED_HINTIf GDTR is already protected.

Definition at line 286 of file dtr_protection.c.

Referenced by IntGuestUpdateCoreOptions(), IntLixGuestActivateProtection(), and IntWinGuestActivateProtection().

◆ IntGdtrUnprotect()

INTSTATUS IntGdtrUnprotect ( void  )

Remove the GDTR protection.

Return values
INT_STATUS_SUCCESSOn success.
INT_STATUS_NOT_NEEDED_HINTIf GDTR is not protected.

Definition at line 353 of file dtr_protection.c.

Referenced by IntGuestUpdateCoreOptions().

◆ IntIdtrProtect()

INTSTATUS IntIdtrProtect ( void  )

Enable IDTR protection.

Return values
INT_STATUS_SUCCESSOn success.
INT_STATUS_NOT_NEEDED_HINTIf DTR events are not supported.
INT_STATUS_ALREADY_INITIALIZED_HINTIf IDTR is already protected.

Definition at line 245 of file dtr_protection.c.

Referenced by IntGuestUpdateCoreOptions(), IntLixGuestActivateProtection(), and IntWinGuestActivateProtection().

◆ IntIdtrUnprotect()

INTSTATUS IntIdtrUnprotect ( void  )

Remove the IDTR protection.

Return values
INT_STATUS_SUCCESSOn success.
INT_STATUS_NOT_NEEDED_HINTIf IDTR is not protected.

Definition at line 327 of file dtr_protection.c.

Referenced by IntGuestUpdateCoreOptions().

Variable Documentation

◆ gGdtrHook

void* gGdtrHook
static

The GDTR hook.

Definition at line 15 of file dtr_protection.c.

Referenced by IntGdtrProtect(), and IntGdtrUnprotect().

◆ gIdtrHook

void* gIdtrHook
static

The IDTR hook.

Definition at line 14 of file dtr_protection.c.

Referenced by IntIdtrProtect(), and IntIdtrUnprotect().