Bitdefender Hypervisor Memory Introspection
|
Go to the source code of this file.
Macros | |
#define | CFG_CHECK_MTRR_ON_MAPS |
If defined, the MTRRs will be checked for every mapping. More... | |
Variables | |
QWORD | gPageBitmap [8] = { 0 } |
Indicates which pages inside the fast map region are free. More... | |
void * | gFastPaPageBase = NULL |
The base of the fast map memory region. More... | |
void * | gFastPaPtBase = NULL |
The base of the page table that maps the fast map zone. More... | |
DWORD | gFastPaPagesCount = 0 |
The number of pages reserved for the fast map zone. More... | |
static GLUE_IFACE | gIface = {0} |
The instance of the GLUE_IFACE that is being used. More... | |
static UPPER_IFACE | gUpIface = {0} |
The instance of UPPER_IFACE that is being used. More... | |
void * | gIntHandle = NULL |
The guest handle provided by the integrator at initialization. More... | |
QWORD | gEventId = 0 |
The ID of the current event. More... | |
DWORD | gCurLogBuffer = 0 |
Used for utf16_for_log to support calling that function 8 times in a single macro. More... | |
IG_LOG_LEVEL | gLogLevel = intLogLevelWarning |
The currently used log level. More... | |
PFUNC_IntTracePrint | GlueTracePrint = NULL |
The trace API used. More... | |
PFUNC_IntEnterDebugger | GlueEnterDebugger = NULL |
The API used to break into the debugger. More... | |
#define CFG_CHECK_MTRR_ON_MAPS |
BOOLEAN GlueIsScanEnginesApiAvailable | ( | void | ) |
Checks if the third party memory scanning engines are present.
If the API needed for the scanning engines is not present, the support will be considered to be off and the feature will not be available.
True | if the API is implemented |
False | if it is not |
Definition at line 1284 of file glue.c.
Referenced by IntWinProcCreateProcessObject().
BOOLEAN GlueIsSppApiAvailable | ( | void | ) |
Checks if the SPP APIs in GLUE_IFACE are implemented.
Checks if GLUE_IFACE.GetSPPPageProtection and GLUE_IFACE.SetSPPPageProtection are implemented. These APIs are optional and their absence is treated as if the hypervisor does not have support for Intel SPP.
True | if the APIs are available |
False | if the APIs are not available |
Definition at line 705 of file glue.c.
Referenced by IntHookGpaInit().
BOOLEAN GlueIsVeApiAvailable | ( | void | ) |
Checks if the virtualization exception API is implemented.
If at least one of the APIs is not implemented, we will not use the #VE filtering mechanism even if the INTRO_OPT_VE option is used.
True | if the API is implemented |
False | if it is not |
Definition at line 1261 of file glue.c.
Referenced by IntVeInit().
INTSTATUS GluePauseVcpus | ( | void | ) |
Definition at line 481 of file glue.c.
Referenced by IntPauseVcpus().
INTSTATUS GlueResumeVcpus | ( | void | ) |
Definition at line 490 of file glue.c.
Referenced by IntResumeVcpus().
__noreturn void IntBugCheck | ( | void | ) |
Definition at line 917 of file glue.c.
Referenced by IntDecEmulateRead(), IntGetCurrentCpu(), IntGetGprs(), IntHandleMemAccess(), IntHookGetGlaFromGpaHook(), IntLixCredRemove(), IntSpinLockAcquire(), IntSpinLockRelease(), IntWinAgentHandleBreakpointAgent(), IntWinAgentHandleLoader1Hypercall(), IntWinAgentHandleLoader2Hypercall(), IntWinAgentReleaseBootstrap(), IntWinSudHandleSudExec(), strlcat(), strlcpy(), and wstrlcpy().
Definition at line 1168 of file glue.c.
Referenced by IntVeInit().
Definition at line 1182 of file glue.c.
Referenced by IntVeInit(), and IntVeUnInit().
Definition at line 556 of file glue.c.
Referenced by IntHookCrRemoveHook().
Definition at line 509 of file glue.c.
Referenced by IntHookMsrRemoveHook().
Definition at line 547 of file glue.c.
Referenced by IntHookCrSetHook().
Definition at line 499 of file glue.c.
Referenced by IntHookMsrSetHook().
INTSTATUS IntFlushEPTPermissions | ( | void | ) |
Definition at line 1242 of file glue.c.
Referenced by IntHookPtmAddTable(), IntValidatePageRights(), and IntValidatePageRightsEx().
Definition at line 1066 of file glue.c.
Referenced by IntLixDepGetInternalContent(), and IntWinDepInjectProcess().
Definition at line 1210 of file glue.c.
Referenced by IntHookGpaFindConvertible(), IntVeDumpVeInfoPage(), and IntVeHandleEPTViolationInProtectedView().
INTSTATUS IntGetEPTPageProtection | ( | DWORD | EptIndex, |
QWORD | Gpa, | ||
BYTE * | Read, | ||
BYTE * | Write, | ||
BYTE * | Execute | ||
) |
Definition at line 659 of file glue.c.
Referenced by DbgCheckEpt(), IntDbgCheckHooks(), IntHookGpaDump(), IntValidatePageRights(), IntValidatePageRightsEx(), IntVeHandleEPTViolationInProtectedView(), IntVeHandleSwap(), and IntWinHalProtectHalHeapExecs().
INTSTATUS IntGlueInit | ( | GLUE_IFACE const * | GlueInterface, |
UPPER_IFACE const * | UpperInterface | ||
) |
Initializes the instances of GLUE_IFACE and UPPER_IFACE that will be used.
This is one of the first functions called when introcore starts, it needs to set up the interfaces used for communication with the integrator. On Napoca, it will also initialize the fast page map mechanism. Failure to initialize this is not treated as an error, and initialization can continue. Once this function returns, gIface and gUpIface can safely be used to call functions exposed by the integrator. It is important to note, that a failure reported by this function can't even be logged, as there is no logging API available before gUpIface is initialized.
[in] | GlueInterface | Instance of the GLUE_IFACE interface which has the APIs exposed by the integrator initialized |
[in] | UpperInterface | Instance of the UPPER_IFACE interface which has the APIs exposed by the integrator initialized |
INT_STATUS_SUCCESS | in case of success |
INT_STATUS_ALREADY_INITIALIZED_HINT | if gIface or gUpIface is already initialized |
INT_STATUS_NOT_SUPPORTED | if the sizes reported inside the interfaces do not match GLUE_IFACE_VERSION_LATEST or GLUE_IFACE_VERSION_LATEST_SIZE, or the versions reported inside the interfaces do not match UPPER_IFACE_VERSION_LATEST or UPPER_IFACE_VERSION_LATEST_SIZE |
INT_STATUS_INVALID_PARAMETER_1 | if one of the mandatory APIs inside GLUE_IFACE are not found in GlueInterface |
INT_STATUS_INVALID_PARAMETER_2 | if one of the mandatory APIs inside UPPER_IFACE are not found in UpperInterface |
Definition at line 101 of file glue.c.
Referenced by IntInit().
void IntGlueReset | ( | void | ) |
Resets the global glue state (gIface. gUpIface, gIntHandle, gEventId, etc)
Definition at line 77 of file glue.c.
Referenced by IntPreinit(), and IntUninit().
Definition at line 240 of file glue.c.
Referenced by IntPhysMemFastMap().
Definition at line 1030 of file glue.c.
Referenced by IntInjectExceptionInGuest().
INTSTATUS IntNotifyEngines | ( | void * | Parameters | ) |
Definition at line 1004 of file glue.c.
Referenced by IntLixCmdLineInspect(), IntLixEngExecSendNotification(), IntWinEngExecSendNotification(), and IntWinInspectCommandLine().
INTSTATUS IntNotifyIntroActive | ( | void | ) |
Definition at line 927 of file glue.c.
Referenced by IntLixGuestInitAgentCompletion(), and IntWinGuestFinishInit().
INTSTATUS IntNotifyIntroDetectedOs | ( | INTRO_GUEST_TYPE | OsType, |
DWORD | OsVersion, | ||
BOOLEAN | Is64 | ||
) |
Wrapper over GLUE_IFACE.NotifyIntrospectionDetectedOs.
Simply encapsulates the guest information into a GUEST_INFO structure and sends it to the integrator.
[in] | OsType | The type of the OS |
[in] | OsVersion | The version of the OS kernel |
[in] | Is64 | True for 64-bit kernels, False for 32-bit kernels |
Definition at line 955 of file glue.c.
Referenced by IntLixGuestNew(), and IntWinGuestFinishInit().
INTSTATUS IntNotifyIntroErrorState | ( | INTRO_ERROR_STATE | State, |
INTRO_ERROR_CONTEXT * | Context | ||
) |
Definition at line 989 of file glue.c.
Referenced by IntGuestDisableIntro(), IntGuestHandleCr3Write(), IntNewGuestNotification(), IntWinProcProtect(), and IntWinProcUpdateProtection().
INTSTATUS IntNotifyIntroEvent | ( | INTRO_EVENT_TYPE | EventClass, |
void * | Param, | ||
size_t | EventSize | ||
) |
Notifies the integrator about an introspection alert.
It also sets the exception information inside the event before sending it
[in] | EventClass | The type of the event |
[in] | Param | The event buffer |
[in] | EventSize | The size of the Param buffer, in bytes |
Definition at line 1042 of file glue.c.
Referenced by IntAgentHandleLogGatherVmcall(), IntAgentHandleRemediationVmcall(), IntCrSendAlert(), IntDetSendIntegrityAlert(), IntDtrSendAlert(), IntEngSendExecViolation(), IntHookGvaEnableHooks(), IntHookPtsCheckIntegrity(), IntLixAgentHandleUserVmcall(), IntLixAgentSendEvent(), IntLixCmdLineSendViolationEvent(), IntLixCrashSendPanicEvent(), IntLixDrvSendEvent(), IntLixDrvSendViolationEvent(), IntLixIdtWriteHandler(), IntLixKernelHandleRead(), IntLixMsrHandleWrite(), IntLixNetSendConnectionEvent(), IntLixTaskSendAgentEvent(), IntLixTaskSendBlockedEvent(), IntLixTaskSendCredViolationEvent(), IntLixTaskSendExceptionEvent(), IntLixTaskSendInjectionEvent(), IntLixTaskSendTaskEvent(), IntLixVdsoHandleWriteCommon(), IntLixVmaHandlePageExecution(), IntSendMessage(), IntSlackSendIntegrityAlert(), IntVeHandleAccess(), IntVeHandleEPTViolationInProtectedView(), IntWinAgentHandleAppVmcall(), IntWinAgentHandleDriverVmcall(), IntWinBcSendBsodEvent(), IntWinCrashHandleDepViolation(), IntWinDagentSendDoubleAgentAlert(), IntWinDepComplete(), IntWinDepDeploy(), IntWinDpiSendProcessCreationViolation(), IntWinDrvObjSendEptAlert(), IntWinDrvObjSendIntegrityAlert(), IntWinDrvSendAlert(), IntWinDrvSendEvent(), IntWinHalHandleDispatchTableWrite(), IntWinHalHandleHalHeapExec(), IntWinHalSendAlert(), IntWinHalSendPerfCntIntegrityAlert(), IntWinIdtSendIntegrityAlert(), IntWinIdtWriteHandler(), IntWinInfHookEptSppSendAlert(), IntWinInfHookIntegritySendAlert(), IntWinIntObjSendIntegrityAlert(), IntWinModHandleKernelWrite(), IntWinModHandleUserWrite(), IntWinModPolyHandler(), IntWinMsrSendAlert(), IntWinNetSendConnectionEvent(), IntWinProcHandleCopyMemory(), IntWinProcHandleInstrument(), IntWinProcSendAgentEvent(), IntWinProcSendDllEvent(), IntWinProcSendProcessEvent(), IntWinProcSendProcessExceptionEvent(), IntWinProcValidateSystemCr3(), IntWinSDSendAclIntegrityViolation(), IntWinSDSendSecDescIntViolation(), IntWinSelfMapHandleCr3SelfMapModification(), IntWinSelfMapHandleCr3SelfMapWrite(), IntWinSendCmdLineViolation(), IntWinSudSendSudExecAlert(), IntWinSudSendSudIntegrityAlert(), IntWinThrHandleQueueApc(), IntWinThrHandleThreadHijack(), IntWinTokenPrivsSendEptAlert(), IntWinTokenPrivsSendIntegrityAlert(), IntWinTokenPtrCheckIntegrityOnProcess(), and IntWinVadIsExecSuspicious().
INTSTATUS IntNotifyIntroInactive | ( | void | ) |
Definition at line 941 of file glue.c.
Referenced by IntGuestUninit().
Maps a guest physical address using the fast map mechanism.
Available only on Napoca. This is faster than issuing a GLUE_IFACE.PhysMemMapToHost call. Since on Napoca we run directly in the VMX root, we can easily access the hypervisor page tables. Note that we need to also be able to invalidate page table entries. Implementing this for scenarios in which introcore does not run inside the hypervisor is not really feasible.
[in] | PhysAddress | The guest physical address to be mapped |
[out] | HostPtr | On success, contains a pointer to the mapped memory |
INT_STATUS_SUCCESS | in case of success |
INT_STATUS_OUT_OF_RESOURCES | if no more free pages exist |
INT_STATUS_INVALID_DATA_TYPE | is CFG_CHECK_MTRR_ON_MAPS is defined and the memory type is not IG_MEM_WB |
Definition at line 251 of file glue.c.
Referenced by IntPhysMemMap().
INTSTATUS IntPhysMemGetTypeFromMtrrs | ( | QWORD | Gpa, |
IG_MEMTYPE * | MemType | ||
) |
Definition at line 537 of file glue.c.
Referenced by IntPhysMemFastMap().
Maps a guest physical address inside Introcore VA space.
IntPhysMemUnmap must be used to unmap memory obtained from this function. For scenarios in which Introcore runs directly inside the VMX root, and if the fast map mechanism is implemented (by providing a GLUE_IFACE.ReserveVaSpaceWithPt implementation), it will map the page directly inside a predefined range reserved at startup. In this way, we avoid making long, slow calls to mapping APIs, which has a significant performance impact. If the fast mapping is not available, or no more free pages are found, we use the standard mapping API: GLUE_IFACE.PhysMemMapToHost. For most use-cases this is true, and this function can be considered a thin wrapper over GLUE_IFACE.PhysMemMapToHost.
[in] | PhysAddress | The guest physical address to be mapped |
[in] | Length | The size to be mapped, in bytes |
[in] | Flags | Flags that control the mapping. Either 0 or PHYS_MAP_FLG_NO_FASTMAP. PHYS_MAP_FLG_NO_FASTMAP is ignored if the hypervisor is not Napoca, since that is true by default in those cases. |
[out] | HostPtr | On success, will hold a pointer to the memory at which PhysicalAddress is mapped |
Definition at line 338 of file glue.c.
Referenced by IntDecEmulatePageWalk(), IntDumpCodeAndRegs(), IntGpaCacheAddEntry(), IntIterateVirtualAddressSpaceRec(), IntLixGuestFindKernelVersionAndRo(), IntMapGpaForTranslation(), IntPeFindFunctionStart(), IntPhysMemReadWrite(), IntPhysMemReadWriteAnySize(), IntVasHookTables(), IntVeHandleSwap(), IntVeSetVeInfoPage(), IntVirtMemMap(), IntVirtMemSafeWrite(), IntWinDrvObjIsValidDriverObject(), IntWinGuestFindSelfMapIndex(), IntWinGuestIsSystemCr3(), IntWinHalFindHalHeapAndInterruptController(), IntWinSelfMapHandleCr3SelfMapModification(), and IntWinSelfMapHandleCr3SelfMapWrite().
INTSTATUS IntPhysMemUnmap | ( | void ** | HostPtr | ) |
Unmaps an address previously mapped with IntPhysMemMap.
This function handles the cases in which memory came from the fast mapping mechanism by checking if the provided address is in the range [gFastPaPageBase, gFastPaPageBase + gFastPaPagesCount * PAGE_SIZE]. For most use-cases this is a thin wrapper over GLUE_IFACE.PhysMemUnmap.
[in,out] | HostPtr | Points to the address at the start of the area that must be unmapped. Must be the same address as obtained from IntPhysMemMap, partial unmaps are not possible. After this function returns it will point to NULL and the old address is no longer valid. |
Definition at line 396 of file glue.c.
Referenced by IntDecEmulatePageWalk(), IntDumpCodeAndRegs(), IntGpaCacheAddEntry(), IntGpaCacheFlush(), IntGpaCacheRelease(), IntGpaCacheUnInit(), IntIterateVirtualAddressSpaceRec(), IntLixGuestFindKernelVersionAndRo(), IntPeFindFunctionStart(), IntPhysMemReadWrite(), IntUnmapGpaForTranslation(), IntVasHookTables(), IntVeHandleSwap(), IntVeSetVeInfoPage(), IntVirtMemSafeWrite(), IntVirtMemUnmap(), IntWinDrvObjIsValidDriverObject(), IntWinGuestFindSelfMapIndex(), IntWinGuestIsSystemCr3(), IntWinHalFindHalHeapAndInterruptController(), IntWinSelfMapHandleCr3SelfMapModification(), and IntWinSelfMapHandleCr3SelfMapWrite().
INTSTATUS IntQueryGuestInfo | ( | DWORD | InfoClass, |
void * | InfoParam, | ||
void * | Buffer, | ||
DWORD | BufferLength | ||
) |
Definition at line 226 of file glue.c.
Referenced by IntDebugCtlRead(), IntDecDecodeOperandSize(), IntEferRead(), IntFsRead(), IntGdtFindBase(), IntGetAllRegisters(), IntGetCurrentCpu(), IntGetCurrentEptIndex(), IntGetCurrentMode(), IntGetCurrentRing(), IntGetGprs(), IntGetMaxGpfn(), IntGetSegs(), IntGetXcr0(), IntGetXsaveArea(), IntGetXsaveAreaSize(), IntGsRead(), IntGuestInit(), IntKernelGsRead(), IntSetGprs(), IntSetXsaveArea(), IntSyscallRead(), IntSysenterRead(), and IntTranslateVirtualAddressEx().
INTSTATUS IntQueryHeapSize | ( | size_t * | TotalHeapSize, |
size_t * | FreeHeapSize | ||
) |
Definition at line 1112 of file glue.c.
Referenced by IntLixCrashEnoughHeapAvailable(), and IntWinProcIsEnoughHeapAvailable().
INTSTATUS IntRegisterBreakpointHandler | ( | PFUNC_IntBreakpointCallback | Callback | ) |
Definition at line 583 of file glue.c.
Referenced by IntEnableBreakpointNotifications(), and IntWinGuestInit().
INTSTATUS IntRegisterCrWriteHandler | ( | PFUNC_IntCrWriteCallback | Callback | ) |
Definition at line 565 of file glue.c.
Referenced by IntEnableCrNotifications().
INTSTATUS IntRegisterDtrHandler | ( | PFUNC_IntIntroDescriptorTableCallback | Callback | ) |
Definition at line 777 of file glue.c.
Referenced by IntEnableDtrNotifications().
INTSTATUS IntRegisterEnginesResultCallback | ( | PFUNC_IntEventEnginesResultCallback | Callback | ) |
Thin wrapper over the optional GLUE_IFACE.RegisterEnginesResultCallback API.
[in] | Callback | The callback to be registered |
Definition at line 619 of file glue.c.
Referenced by IntCallbacksInit().
INTSTATUS IntRegisterEPTHandler | ( | PFUNC_IntEPTViolationCallback | Callback | ) |
Definition at line 723 of file glue.c.
Referenced by IntEnableEptNotifications().
INTSTATUS IntRegisterEventInjectionHandler | ( | PFUNC_IntEventInjectionCallback | Callback | ) |
Definition at line 601 of file glue.c.
Referenced by IntCallbacksInit().
INTSTATUS IntRegisterIntroCallHandler | ( | PFUNC_IntIntroCallCallback | Callback | ) |
Definition at line 741 of file glue.c.
Referenced by IntCallbacksInit().
INTSTATUS IntRegisterMSRHandler | ( | PFUNC_IntMSRViolationCallback | Callback | ) |
Definition at line 519 of file glue.c.
Referenced by IntEnableMsrNotifications().
INTSTATUS IntRegisterVmxTimerHandler | ( | PFUNC_IntIntroTimerCallback | Callback | ) |
Definition at line 759 of file glue.c.
Referenced by IntCallbacksInit().
INTSTATUS IntRegisterXcrWriteHandler | ( | PFUNC_IntXcrWriteCallback | Callback | ) |
Definition at line 795 of file glue.c.
Referenced by IntEnableXcrNotifications().
Definition at line 1083 of file glue.c.
Referenced by IntCamiClearUpdateBuffer(), IntLixAgentThreadFree(), and IntWinAgentFree().
Reserves a contiguous region of virtual memory which will then be used to map physical pages.
Will return the base address of the region, the number of pages reserved , and the Page Table base, which maps the given virtual address range. Calling this function more than once should be avoided.
[in] | FirstPageBase | On success, will contain the start of the virtual address range |
[in] | PagesCount | On success, will contain the number of pages reserved |
[in] | PtBase | On success, will contain a pointer to the page table that was reserved |
INT_STATUS_SUCCESS | in case of success |
INT_STATUS_OPERATION_NOT_IMPLEMENTED | if GLUE_IFACE.ReserveVaSpaceWithPt is not implemented. Since this API is optional, this should not be treated as a fatal error |
Definition at line 451 of file glue.c.
Referenced by IntGlueInit().
INTSTATUS IntRwSpinLockInit | ( | void ** | SpinLock, |
char * | Name | ||
) |
INTSTATUS IntSendMessage | ( | char const * | Message | ) |
Sends an Introcore message.
This will encapsulate Message inside a EVENT_INTROSPECTION_MESSAGE structure and will send an event of type introEventMessage
[in] | Message | NULL terminated string with the message |
Definition at line 1226 of file glue.c.
Referenced by IntHookGpaEnableDisableVe(), IntHookGpaSetHook(), and IntHookGpaSetNewPageProtection().
INTSTATUS IntSetEPTPageProtection | ( | DWORD | EptIndex, |
QWORD | Gpa, | ||
BYTE | Read, | ||
BYTE | Write, | ||
BYTE | Execute | ||
) |
Definition at line 672 of file glue.c.
Referenced by IntHookGpaEnableDisablePtCache(), IntHookGpaSetHook(), IntHookGpaSetNewPageProtection(), IntValidatePageRights(), IntValidatePageRightsEx(), IntVeEnableDisableDriverAccessInProtectedView(), IntVeHandleSwap(), and IntVeInit().
INTSTATUS IntSetIntroEmulatorContext | ( | DWORD | CpuNumber, |
QWORD | VirtualAddress, | ||
DWORD | BufferSize, | ||
BYTE * | Buffer | ||
) |
Definition at line 1018 of file glue.c.
Referenced by IntHandleEptViolation().
Definition at line 695 of file glue.c.
Referenced by IntHookGpaSetHook(), and IntHookGpaSetNewPageProtection().
Definition at line 1153 of file glue.c.
Referenced by IntVeSetVeInfoPage().
void IntSpinLockAcquire | ( | void * | SpinLock | ) |
Definition at line 833 of file glue.c.
Referenced by IntAddExceptionFromAlert(), IntAddRemoveProtectedProcessUtf16(), IntAddRemoveProtectedProcessUtf8(), IntDisableIntro(), IntEnginesResultCallback(), IntFlushAlertExceptions(), IntFlushGpaCache(), IntGetCurrentInstructionLength(), IntGetCurrentInstructionMnemonic(), IntGetCurrentIntroOptions(), IntGetExceptionsVersion(), IntGetGuestInfo(), IntGetSupportVersion(), IntGetVersionString(), IntHandleBreakpoint(), IntHandleCrWrite(), IntHandleDtrViolation(), IntHandleEptViolation(), IntHandleEventInjection(), IntHandleIntroCall(), IntHandleMsrViolation(), IntHandleTimer(), IntHandleXcrWrite(), IntInjectFileAgentInGuest(), IntInjectProcessAgentInGuest(), IntIterateVaSpace(), IntModifyDynamicOptions(), IntNewGuestNotification(), IntNotifyGuestPowerStateChange(), IntRemoveAllProtectedProcesses(), IntRemoveException(), IntSetLogLevel(), IntUpdateExceptions(), and IntUpdateSupport().
INTSTATUS IntSpinLockInit | ( | void ** | SpinLock, |
char * | Name | ||
) |
void IntSpinLockRelease | ( | void * | SpinLock | ) |
Definition at line 848 of file glue.c.
Referenced by IntAddExceptionFromAlert(), IntAddRemoveProtectedProcessUtf16(), IntAddRemoveProtectedProcessUtf8(), IntDisableIntro(), IntEnginesResultCallback(), IntFlushAlertExceptions(), IntFlushGpaCache(), IntGetCurrentInstructionLength(), IntGetCurrentInstructionMnemonic(), IntGetCurrentIntroOptions(), IntGetExceptionsVersion(), IntGetGuestInfo(), IntGetSupportVersion(), IntGetVersionString(), IntHandleBreakpoint(), IntHandleCrWrite(), IntHandleDtrViolation(), IntHandleEptViolation(), IntHandleEventInjection(), IntHandleIntroCall(), IntHandleMsrViolation(), IntHandleTimer(), IntHandleXcrWrite(), IntInjectFileAgentInGuest(), IntInjectProcessAgentInGuest(), IntIterateVaSpace(), IntModifyDynamicOptions(), IntNewGuestNotification(), IntNotifyGuestPowerStateChange(), IntRemoveAllProtectedProcesses(), IntRemoveException(), IntSetLogLevel(), IntUpdateExceptions(), and IntUpdateSupport().
INTSTATUS IntSpinLockUnInit | ( | void ** | SpinLock | ) |
Definition at line 823 of file glue.c.
Referenced by IntUninit().
Definition at line 1098 of file glue.c.
Referenced by IntHandleEptViolation().
INTSTATUS IntUnregisterBreakpointHandler | ( | void | ) |
Definition at line 592 of file glue.c.
Referenced by IntCallbacksUnInit(), and IntDisableBreakpointNotifications().
INTSTATUS IntUnregisterCrWriteHandler | ( | void | ) |
Definition at line 574 of file glue.c.
Referenced by IntDisableCrNotifications().
INTSTATUS IntUnregisterDtrHandler | ( | void | ) |
Definition at line 786 of file glue.c.
Referenced by IntDisableDtrNotifications().
INTSTATUS IntUnregisterEnginesResultCalback | ( | void | ) |
Thin wrapper over the optional GLUE_IFACE.UnregisterEnginesResultCalback API.
Definition at line 640 of file glue.c.
Referenced by IntCallbacksUnInit().
INTSTATUS IntUnregisterEPTHandler | ( | void | ) |
Definition at line 732 of file glue.c.
Referenced by IntDisableEptNotifications().
INTSTATUS IntUnregisterEventInjectionHandler | ( | void | ) |
Definition at line 610 of file glue.c.
Referenced by IntCallbacksUnInit().
INTSTATUS IntUnregisterIntroCallHandler | ( | void | ) |
Definition at line 750 of file glue.c.
Referenced by IntCallbacksUnInit().
INTSTATUS IntUnregisterMSRHandler | ( | void | ) |
Definition at line 528 of file glue.c.
Referenced by IntDisableMsrNotifications().
INTSTATUS IntUnregisterVmxTimerHandler | ( | void | ) |
Definition at line 768 of file glue.c.
Referenced by IntCallbacksUnInit().
INTSTATUS IntUnregisterXcrWriteHandler | ( | void | ) |
Definition at line 804 of file glue.c.
Referenced by IntDisableXcrNotifications().
DWORD gCurLogBuffer = 0 |
Used for utf16_for_log to support calling that function 8 times in a single macro.
Definition at line 58 of file glue.c.
Referenced by utf16_for_log().
QWORD gEventId = 0 |
The ID of the current event.
Each event handler increments this when a new event is triggered. It is reset back to zero by IntGlueReset. This can be used to tag events and caches.
Definition at line 55 of file glue.c.
Referenced by IncStatsCallsCount(), IntAddExceptionFromAlert(), IntApiEnter(), IntCr0Read(), IntCr3Read(), IntCr4Read(), IntCr8Read(), IntEnginesResultCallback(), IntExceptVerifyCodeBlocksSig(), IntFlushAlertExceptions(), IntGetCurrentIntroOptions(), IntGetExceptionsVersion(), IntGetGprs(), IntGetSupportVersion(), IntGetVersionString(), IntGlueReset(), IntHandleBreakpoint(), IntHandleCrWrite(), IntHandleDtrViolation(), IntHandleEptViolation(), IntHandleEventInjection(), IntHandleIntroCall(), IntHandleMsrViolation(), IntHandleTimer(), IntHandleXcrWrite(), IntLixGuestNew(), IntModifyDynamicOptions(), IntMtblCheckAccess(), IntNewGuestNotification(), IntRemoveException(), IntRipRead(), IntSetGprs(), IntStatsDumpAll(), IntStatStart(), IntStatStop(), and IntWinGuestFinishInit().
void* gFastPaPageBase = NULL |
The base of the fast map memory region.
Allocated pointers are in the region [gFastPaPageBase, gFastPaPageBase + gFastPaPagesCount * PAGE_SIZE]. Valid only on Napoca
Definition at line 26 of file glue.c.
Referenced by IntGlueInit(), IntGlueReset(), IntPhysMemFastMap(), and IntPhysMemUnmap().
DWORD gFastPaPagesCount = 0 |
The number of pages reserved for the fast map zone.
Valid only for Napoca.
Definition at line 34 of file glue.c.
Referenced by IntGlueInit(), IntGlueReset(), IntPhysMemFastMap(), and IntPhysMemUnmap().
void* gFastPaPtBase = NULL |
The base of the page table that maps the fast map zone.
gFastPaPtBase[0] will be the PT entry that maps gFastPaPageBase. Valid only on Napoca.
Definition at line 30 of file glue.c.
Referenced by IntGlueInit(), IntGlueReset(), IntPhysMemFastMap(), and IntPhysMemUnmap().
|
static |
The instance of the GLUE_IFACE that is being used.
This is initialized in IntGlueInit and reset in IntGlueReset.
void* gIntHandle = NULL |
The guest handle provided by the integrator at initialization.
This is used when communicating between the introspection engine and the integrator and is treated as an opaque pointer by introcore.
Definition at line 49 of file glue.c.
Referenced by DbgProcAdd(), DbgProcClear(), DbgProcRem(), GluePauseVcpus(), GlueResumeVcpus(), IntCreateEPT(), IntDestroyEPT(), IntDisableCrWriteExit(), IntDisableMsrExit(), IntEnableCrWriteExit(), IntEnableMsrExit(), IntFlushEPTPermissions(), IntGetAgentContent(), IntGetEPTPageConvertible(), IntGetEPTPageProtection(), IntGetSPPPageProtection(), IntGlueReset(), IntGpaToHpa(), IntInjectTrap(), IntNewGuestNotification(), IntNotifyEngines(), IntNotifyIntroActive(), IntNotifyIntroDetectedOs(), IntNotifyIntroErrorState(), IntNotifyIntroEvent(), IntNotifyIntroInactive(), IntPhysMemGetTypeFromMtrrs(), IntPhysMemMap(), IntPhysMemUnmap(), IntQueryGuestInfo(), IntRegisterBreakpointHandler(), IntRegisterCrWriteHandler(), IntRegisterDtrHandler(), IntRegisterEnginesResultCallback(), IntRegisterEPTHandler(), IntRegisterEventInjectionHandler(), IntRegisterIntroCallHandler(), IntRegisterMSRHandler(), IntRegisterVmxTimerHandler(), IntRegisterXcrWriteHandler(), IntReleaseBuffer(), IntReserveVaSpaceWithPt(), IntSetEPTPageConvertible(), IntSetEPTPageProtection(), IntSetIntroEmulatorContext(), IntSetSPPPageProtection(), IntSetVEInfoPage(), IntSwitchEPT(), IntToggleRepOptimization(), IntUninit(), IntUnregisterBreakpointHandler(), IntUnregisterCrWriteHandler(), IntUnregisterDtrHandler(), IntUnregisterEnginesResultCalback(), IntUnregisterEPTHandler(), IntUnregisterEventInjectionHandler(), IntUnregisterIntroCallHandler(), IntUnregisterMSRHandler(), IntUnregisterVmxTimerHandler(), and IntUnregisterXcrWriteHandler().
IG_LOG_LEVEL gLogLevel = intLogLevelWarning |
The currently used log level.
For debug builds, this defaults to intLogLevelDebug; for Release builds the default value is intLogLevelWarning. Can be changed at runtime by the integrator using the GLUE_IFACE.SetLogLevel API. INT_LOG will check this before deciding if a message will be logged or not.
Definition at line 68 of file glue.c.
Referenced by DbgSetLogLevel(), and IntSetLogLevel().
PFUNC_IntEnterDebugger GlueEnterDebugger = NULL |
The API used to break into the debugger.
Definition at line 74 of file glue.c.
Referenced by IntDbgEnterDebugger2(), IntEnterDebugger2(), and IntGlueInit().
PFUNC_IntTracePrint GlueTracePrint = NULL |
QWORD gPageBitmap[8] = { 0 } |
Indicates which pages inside the fast map region are free.
Every bit describes a page. If the bit is set, the corresponding page is allocated. Valid only for Napoca.
Definition at line 21 of file glue.c.
Referenced by IntGlueInit(), IntGlueReset(), IntPhysMemFastMap(), and IntPhysMemUnmap().
|
static |
The instance of UPPER_IFACE that is being used.
This is initialized in IntGlueInit and reset in IntGlueReset.
Definition at line 44 of file glue.c.
Referenced by DbgCrWriteTestCallback().