Bitdefender Hypervisor Memory Introspection
glue.c
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2020 Bitdefender
3  * SPDX-License-Identifier: Apache-2.0
4  */
5 #include "glue.h"
6 #include "alert_exceptions.h"
7 
14 #define CFG_CHECK_MTRR_ON_MAPS
15 
16 
17 #ifndef USER_MODE
18 QWORD gPageBitmap[8] = { 0 };
26 void *gFastPaPageBase = NULL;
30 void *gFastPaPtBase = NULL;
34 DWORD gFastPaPagesCount = 0;
35 #endif // !USER_MODE
36 
40 static GLUE_IFACE gIface = {0};
44 static UPPER_IFACE gUpIface = {0};
49 void *gIntHandle = NULL;
50 
55 QWORD gEventId = 0;
56 
58 DWORD gCurLogBuffer = 0;
59 
65 #ifdef DEBUG
66 IG_LOG_LEVEL gLogLevel = intLogLevelDebug;
67 #else
68 IG_LOG_LEVEL gLogLevel = intLogLevelWarning;
69 #endif
70 
72 PFUNC_IntTracePrint GlueTracePrint = NULL;
74 PFUNC_IntEnterDebugger GlueEnterDebugger = NULL;
75 
76 void
77 IntGlueReset(
78  void
79  )
83 {
84  memzero(&gIface, sizeof(gIface));
85  memzero(&gUpIface, sizeof(gUpIface));
86 
87  gIntHandle = NULL;
88 
89  gEventId = 0;
90 
91 #ifndef USER_MODE
92  memset(gPageBitmap, 0, sizeof(gPageBitmap));
93  gFastPaPageBase = NULL;
94  gFastPaPtBase = NULL;
95  gFastPaPagesCount = 0;
96 #endif // !USER_MODE
97 }
98 
99 
100 INTSTATUS
101 IntGlueInit(
102  _In_ GLUE_IFACE const *GlueInterface,
103  _In_ UPPER_IFACE const *UpperInterface
104  )
131 {
132  if ((gIface.Size) || (gUpIface.Size))
133  {
134  return INT_STATUS_ALREADY_INITIALIZED_HINT;
135  }
136 
137  if ((GLUE_IFACE_VERSION_LATEST != GlueInterface->Version) ||
138  (GLUE_IFACE_VERSION_LATEST_SIZE != GlueInterface->Size))
139  {
140  return INT_STATUS_NOT_SUPPORTED;
141  }
142 
143  if ((NULL == GlueInterface->QueryGuestInfo) ||
144  (NULL == GlueInterface->PhysMemMapToHost) ||
145  (NULL == GlueInterface->PhysMemUnmap) ||
146  (NULL == GlueInterface->RegisterMSRHandler) ||
147  (NULL == GlueInterface->UnregisterMSRHandler) ||
148  (NULL == GlueInterface->RegisterEPTHandler) ||
149  (NULL == GlueInterface->UnregisterEPTHandler) ||
150  (NULL == GlueInterface->GetEPTPageProtection) ||
151  (NULL == GlueInterface->SetEPTPageProtection) ||
152  (NULL == GlueInterface->PhysMemGetTypeFromMtrrs) ||
153  (NULL == GlueInterface->EnableMSRExit) ||
154  (NULL == GlueInterface->DisableMSRExit) ||
155  (NULL == GlueInterface->PauseVcpus) ||
156  (NULL == GlueInterface->ResumeVcpus) ||
157  (NULL == GlueInterface->GpaToHpa) ||
158  (NULL == GlueInterface->RegisterIntroTimerHandler) ||
159  (NULL == GlueInterface->UnregisterIntroTimerHandler) ||
160  (NULL == GlueInterface->RegisterIntroCallHandler) ||
161  (NULL == GlueInterface->UnregisterIntroCallHandler) ||
162  (NULL == GlueInterface->RegisterDtrHandler) ||
163  (NULL == GlueInterface->UnregisterDtrHandler) ||
164  (NULL == GlueInterface->InjectTrap) ||
165  (NULL == GlueInterface->SetIntroEmulatorContext) ||
166  (NULL == GlueInterface->RegisterXcrWriteHandler) ||
167  (NULL == GlueInterface->UnregisterXcrWriteHandler) ||
168  (NULL == GlueInterface->RegisterCrWriteHandler) ||
169  (NULL == GlueInterface->UnregisterCrWriteHandler) ||
170  (NULL == GlueInterface->EnableCrWriteExit) ||
171  (NULL == GlueInterface->DisableCrWriteExit) ||
172  (NULL == GlueInterface->NotifyIntrospectionAlert) ||
173  (NULL == GlueInterface->RegisterBreakpointHandler) ||
174  (NULL == GlueInterface->UnregisterBreakpointHandler) ||
175  (NULL == GlueInterface->ReleaseBuffer))
176  {
177  return INT_STATUS_INVALID_PARAMETER_1;
178  }
179 
180  if ((UPPER_IFACE_VERSION_LATEST != UpperInterface->Version) ||
181  (UPPER_IFACE_VERSION_LATEST_SIZE != UpperInterface->Size))
182  {
183  return INT_STATUS_NOT_SUPPORTED;
184  }
185 
186  if ((NULL == UpperInterface->TracePrint) ||
187  (NULL == UpperInterface->MemAllocWithTagAndInfo) ||
188  (NULL == UpperInterface->MemFreeWithTagAndInfo) ||
189  (NULL == UpperInterface->SpinLockInit) ||
190  (NULL == UpperInterface->SpinLockUnInit) ||
191  (NULL == UpperInterface->SpinLockAcquire) ||
192  (NULL == UpperInterface->SpinLockRelease) ||
193  (NULL == UpperInterface->RwSpinLockInit) ||
194  (NULL == UpperInterface->RwSpinLockUnInit) ||
195  (NULL == UpperInterface->RwSpinLockAcquireExclusive) ||
196  (NULL == UpperInterface->RwSpinLockAcquireShared) ||
197  (NULL == UpperInterface->RwSpinLockReleaseExclusive) ||
198  (NULL == UpperInterface->RwSpinLockReleaseShared) ||
199  (NULL == UpperInterface->BugCheck) ||
200  (NULL == UpperInterface->EnterDebugger))
201  {
202  return INT_STATUS_INVALID_PARAMETER_2;
203  }
204 
205  memcpy(&gIface, GlueInterface, sizeof(gIface));
206  memcpy(&gUpIface, UpperInterface, sizeof(gUpIface));
207 
208  GlueTracePrint = gUpIface.TracePrint;
209  GlueEnterDebugger = gUpIface.EnterDebugger;
210 
211 #ifndef USER_MODE
212  // Only for Napoca, request a PT for fast mappings
213  // Keep at max 512 pages if more are given
214  IntReserveVaSpaceWithPt(&gFastPaPageBase, &gFastPaPagesCount, &gFastPaPtBase);
215  gFastPaPagesCount = MIN(gFastPaPagesCount, ARRAYSIZE(gPageBitmap) * 64);
216 
217  gUpIface.TracePrint(__FILE__, __LINE__, "[FASTMAP] Reserved %d pages @ %p/%p\n", gFastPaPagesCount, gFastPaPageBase,
218  gFastPaPtBase);
219 #endif // !USER_MODE
220 
221  return INT_STATUS_SUCCESS;
222 }
223 
224 
225 INTSTATUS
226 IntQueryGuestInfo(
227  _In_ DWORD InfoClass,
228  _In_opt_ void *InfoParam,
229  _When_(InfoClass == IG_QUERY_INFO_CLASS_SET_REGISTERS, _In_reads_bytes_(BufferLength))
230  _When_(InfoClass != IG_QUERY_INFO_CLASS_SET_REGISTERS, _Out_writes_bytes_(BufferLength))
231  void *Buffer,
232  _In_ DWORD BufferLength
233  )
234 {
235  return gIface.QueryGuestInfo(gIntHandle, InfoClass, InfoParam, Buffer, BufferLength);
236 }
237 
238 
239 INTSTATUS
240 IntGpaToHpa(
241  _In_ QWORD Gpa,
242  _Out_ QWORD *Hpa
243  )
244 {
245  return gIface.GpaToHpa(gIntHandle, Gpa, Hpa);
246 }
247 
248 
249 #ifndef USER_MODE
250 static INTSTATUS
251 IntPhysMemFastMap(
252  _In_ QWORD PhysAddress,
253  _Outptr_ void **HostPtr
254  )
272 {
273  BYTE *pPage = gFastPaPageBase;
274  QWORD *pPageTable = gFastPaPtBase;
275  DWORD firstFreeIndex = ARRAYSIZE(gPageBitmap);
276  DWORD pos = 0;
277  QWORD freeSlot;
278  QWORD hpa;
279  INTSTATUS status;
280 
281  for (DWORD i = 0; i < ARRAYSIZE(gPageBitmap); i++)
282  {
283  if (gPageBitmap[i] != UINT64_MAX)
284  {
285  firstFreeIndex = i;
286  break;
287  }
288  }
289 
290  if ((firstFreeIndex * 64 >= gFastPaPagesCount) || (firstFreeIndex >= ARRAYSIZE(gPageBitmap)))
291  {
292  return INT_STATUS_OUT_OF_RESOURCES;
293  }
294 
295  status = IntGpaToHpa(PhysAddress, &hpa);
296  if (!INT_SUCCESS(status))
297  {
298  return status;
299  }
300 
301 #ifdef CFG_CHECK_MTRR_ON_MAPS
302  {
303  IG_MEMTYPE memType = IG_MEM_UNKNOWN;
304 
305  status = IntPhysMemGetTypeFromMtrrs(PhysAddress, &memType);
306  if (!INT_SUCCESS(status))
307  {
308  return status;
309  }
310  else if (memType != IG_MEM_WB)
311  {
312  return INT_STATUS_INVALID_DATA_TYPE;
313  }
314  }
315 #endif // CFG_CHECK_MTRR_ON_MAPS
316 
317  // Check for the first free position
318  if (!_BitScanForward64(&pos, ~gPageBitmap[firstFreeIndex]))
319  {
320  return INT_STATUS_OUT_OF_RESOURCES;
321  }
322 
323  freeSlot = (firstFreeIndex * 64ull) + pos;
324 
325  pPageTable[freeSlot] = ((hpa & PHYS_PAGE_MASK) | (pPageTable[freeSlot] & 0xFFCULL) | 0x003); // R/W = 1, P = 1
326  *HostPtr = pPage + (freeSlot * PAGE_SIZE) + (PhysAddress & PAGE_OFFSET);
327 
328  __invlpg(*HostPtr);
329 
330  gPageBitmap[firstFreeIndex] |= (1ULL << pos);
331 
332  return INT_STATUS_SUCCESS;
333 }
334 #endif // !USER_MODE
335 
336 
337 INTSTATUS
338 IntPhysMemMap(
339  _In_ QWORD PhysAddress,
340  _In_ DWORD Length,
341  _In_ DWORD Flags,
342  _Outptr_result_bytebuffer_(Length) void **HostPtr
343  )
366 {
367  if (0 == Length)
368  {
369  return INT_STATUS_INVALID_PARAMETER_2;
370  }
371 
372 #ifndef USER_MODE
373  if (PAGE_COUNT(PhysAddress, Length) == 1 &&
374  !(Flags & PHYS_MAP_FLG_NO_FASTMAP))
375  {
376  INTSTATUS status = IntPhysMemFastMap(PhysAddress, HostPtr);
377  if (INT_SUCCESS(status))
378  {
379  return status;
380  }
381 
382  // This means that MTRR memory type is not WB
383  if (status == INT_STATUS_INVALID_DATA_TYPE)
384  {
385  return status;
386  }
387  }
388 #endif // !USER_MODE
389 
390  Flags &= ~PHYS_MAP_FLG_NO_FASTMAP; // clear the introspection's internal flags
391  return gIface.PhysMemMapToHost(gIntHandle, PhysAddress, Length, Flags, HostPtr);
392 }
393 
394 
395 INTSTATUS
396 IntPhysMemUnmap(
397  _Inout_ _At_(*HostPtr, _Post_null_) void **HostPtr
398  )
412 {
413  INTSTATUS status;
414 #ifndef USER_MODE
415  // Check if this page is mapped in the fast map zone.
416  if ((*HostPtr >= gFastPaPageBase) &&
417  (*HostPtr < (void *)((BYTE *)gFastPaPageBase + (QWORD)gFastPaPagesCount * PAGE_SIZE)))
418  {
419  QWORD currentSlot, *pPageTable;
420 
421  pPageTable = (QWORD *)gFastPaPtBase;
422 
423  // Get the slot used by this allocation
424  currentSlot = (((size_t) * HostPtr & PAGE_MASK) - (size_t)gFastPaPageBase) / PAGE_SIZE;
425 
426  // Mark the slot as being available
427  gPageBitmap[currentSlot / 64] &= ~(1ULL << (currentSlot % 64));
428 
429  pPageTable[currentSlot] = (pPageTable[currentSlot] & 0xFFCULL);
430 
431  __invlpg(*HostPtr);
432  *HostPtr = NULL;
433 
434  return INT_STATUS_SUCCESS;
435  }
436 #endif // !USER_MODE
437 
438  status = gIface.PhysMemUnmap(gIntHandle, HostPtr);
439  if (!INT_SUCCESS(status))
440  {
441  ERROR("[ERROR] gIface.PhysMemUnmap failed for (%p %p): 0x%08x\n", HostPtr, *HostPtr, status);
442  }
443 
444  *HostPtr = NULL;
445 
446  return status;
447 }
448 
449 
450 INTSTATUS
451 IntReserveVaSpaceWithPt(
452  _Outptr_ void **FirstPageBase,
453  _Out_ DWORD *PagesCount,
454  _Outptr_ void **PtBase
455  )
458 
470 {
471  if (NULL == gIface.ReserveVaSpaceWithPt)
472  {
473  return INT_STATUS_OPERATION_NOT_IMPLEMENTED;
474  }
475 
476  return gIface.ReserveVaSpaceWithPt(gIntHandle, FirstPageBase, PagesCount, PtBase);
477 }
478 
479 
480 INTSTATUS
481 GluePauseVcpus(
482  void
483  )
484 {
485  return gIface.PauseVcpus(gIntHandle);
486 }
487 
488 
489 INTSTATUS
490 GlueResumeVcpus(
491  void
492  )
493 {
494  return gIface.ResumeVcpus(gIntHandle);
495 }
496 
497 
498 INTSTATUS
499 IntEnableMsrExit(
500  _In_ DWORD Msr,
501  _Out_ BOOLEAN *OldValue
502  )
503 {
504  return gIface.EnableMSRExit(gIntHandle, Msr, OldValue);
505 }
506 
507 
508 INTSTATUS
509 IntDisableMsrExit(
510  _In_ DWORD Msr,
511  _Out_ BOOLEAN *OldValue
512  )
513 {
514  return gIface.DisableMSRExit(gIntHandle, Msr, OldValue);
515 }
516 
517 
518 INTSTATUS
519 IntRegisterMSRHandler(
520  _In_ PFUNC_IntMSRViolationCallback Callback
521  )
522 {
523  return gIface.RegisterMSRHandler(gIntHandle, Callback);
524 }
525 
526 
527 INTSTATUS
528 IntUnregisterMSRHandler(
529  void
530  )
531 {
532  return gIface.UnregisterMSRHandler(gIntHandle);
533 }
534 
535 
536 INTSTATUS
537 IntPhysMemGetTypeFromMtrrs(
538  _In_ QWORD Gpa,
539  _Out_ IG_MEMTYPE *MemType
540  )
541 {
542  return gIface.PhysMemGetTypeFromMtrrs(gIntHandle, Gpa, MemType);
543 }
544 
545 
546 INTSTATUS
547 IntEnableCrWriteExit(
548  _In_ DWORD Cr
549  )
550 {
551  return gIface.EnableCrWriteExit(gIntHandle, Cr);
552 }
553 
554 
555 INTSTATUS
556 IntDisableCrWriteExit(
557  _In_ DWORD Cr
558  )
559 {
560  return gIface.DisableCrWriteExit(gIntHandle, Cr);
561 }
562 
563 
564 INTSTATUS
565 IntRegisterCrWriteHandler(
566  _In_ PFUNC_IntCrWriteCallback Callback
567  )
568 {
569  return gIface.RegisterCrWriteHandler(gIntHandle, Callback);
570 }
571 
572 
573 INTSTATUS
574 IntUnregisterCrWriteHandler(
575  void
576  )
577 {
578  return gIface.UnregisterCrWriteHandler(gIntHandle);
579 }
580 
581 
582 INTSTATUS
583 IntRegisterBreakpointHandler(
584  _In_ PFUNC_IntBreakpointCallback Callback
585  )
586 {
587  return gIface.RegisterBreakpointHandler(gIntHandle, Callback);
588 }
589 
590 
591 INTSTATUS
592 IntUnregisterBreakpointHandler(
593  void
594  )
595 {
596  return gIface.UnregisterBreakpointHandler(gIntHandle);
597 }
598 
599 
600 INTSTATUS
601 IntRegisterEventInjectionHandler(
602  _In_ PFUNC_IntEventInjectionCallback Callback
603  )
604 {
605  return gIface.RegisterEventInjectionHandler(gIntHandle, Callback);
606 }
607 
608 
609 INTSTATUS
610 IntUnregisterEventInjectionHandler(
611  void
612  )
613 {
614  return gIface.UnregisterEventInjectionHandler(gIntHandle);
615 }
616 
617 
618 INTSTATUS
619 IntRegisterEnginesResultCallback(
620  _In_ PFUNC_IntEventEnginesResultCallback Callback
621  )
630 {
631  if (NULL == gIface.RegisterEnginesResultCallback)
632  {
633  return INT_STATUS_NOT_NEEDED_HINT;
634  }
635 
636  return gIface.RegisterEnginesResultCallback(gIntHandle, Callback);
637 }
638 
639 INTSTATUS
640 IntUnregisterEnginesResultCalback(
641  void
642  )
649 {
650  if (NULL == gIface.UnregisterEnginesResultCalback)
651  {
652  return INT_STATUS_NOT_NEEDED_HINT;
653  }
654 
655  return gIface.UnregisterEnginesResultCalback(gIntHandle);
656 }
657 
658 INTSTATUS
659 IntGetEPTPageProtection(
660  _In_ DWORD EptIndex,
661  _In_ QWORD Gpa,
662  _Out_ BYTE *Read,
663  _Out_ BYTE *Write,
664  _Out_ BYTE *Execute
665  )
666 {
667  return gIface.GetEPTPageProtection(gIntHandle, EptIndex, Gpa, Read, Write, Execute);
668 }
669 
670 
671 INTSTATUS
672 IntSetEPTPageProtection(
673  _In_ DWORD EptIndex,
674  _In_ QWORD Gpa,
675  _In_ BYTE Read,
676  _In_ BYTE Write,
677  _In_ BYTE Execute
678  )
679 {
680  return gIface.SetEPTPageProtection(gIntHandle, EptIndex, Gpa, Read, Write, Execute);
681 }
682 
683 
684 INTSTATUS
685 IntGetSPPPageProtection(
686  _In_ QWORD Gpa,
687  _Out_ QWORD *Spp
688  )
689 {
690  return gIface.GetSPPPageProtection(gIntHandle, Gpa, Spp);
691 }
692 
693 
694 INTSTATUS
695 IntSetSPPPageProtection(
696  _In_ QWORD Gpa,
697  _In_ QWORD Spp
698  )
699 {
700  return gIface.SetSPPPageProtection(gIntHandle, Gpa, Spp);
701 }
702 
703 
704 BOOLEAN
705 GlueIsSppApiAvailable(
706  void
707  )
717 {
718  return (gIface.GetSPPPageProtection && gIface.SetSPPPageProtection);
719 }
720 
721 
722 INTSTATUS
723 IntRegisterEPTHandler(
724  _In_ PFUNC_IntEPTViolationCallback Callback
725  )
726 {
727  return gIface.RegisterEPTHandler(gIntHandle, Callback);
728 }
729 
730 
731 INTSTATUS
732 IntUnregisterEPTHandler(
733  void
734  )
735 {
736  return gIface.UnregisterEPTHandler(gIntHandle);
737 }
738 
739 
740 INTSTATUS
741 IntRegisterIntroCallHandler(
742  _In_ PFUNC_IntIntroCallCallback Callback
743  )
744 {
745  return gIface.RegisterIntroCallHandler(gIntHandle, Callback);
746 }
747 
748 
749 INTSTATUS
750 IntUnregisterIntroCallHandler(
751  void
752  )
753 {
754  return gIface.UnregisterIntroCallHandler(gIntHandle);
755 }
756 
757 
758 INTSTATUS
759 IntRegisterVmxTimerHandler(
760  _In_ PFUNC_IntIntroTimerCallback Callback
761  )
762 {
763  return gIface.RegisterIntroTimerHandler(gIntHandle, Callback);
764 }
765 
766 
767 INTSTATUS
768 IntUnregisterVmxTimerHandler(
769  void
770  )
771 {
772  return gIface.UnregisterIntroTimerHandler(gIntHandle);
773 }
774 
775 
776 INTSTATUS
777 IntRegisterDtrHandler(
778  _In_ PFUNC_IntIntroDescriptorTableCallback Callback
779  )
780 {
781  return gIface.RegisterDtrHandler(gIntHandle, Callback);
782 }
783 
784 
785 INTSTATUS
786 IntUnregisterDtrHandler(
787  void
788  )
789 {
790  return gIface.UnregisterDtrHandler(gIntHandle);
791 }
792 
793 
794 INTSTATUS
795 IntRegisterXcrWriteHandler(
796  _In_ PFUNC_IntXcrWriteCallback Callback
797  )
798 {
799  return gIface.RegisterXcrWriteHandler(gIntHandle, Callback);
800 }
801 
802 
803 INTSTATUS
804 IntUnregisterXcrWriteHandler(
805  void
806  )
807 {
808  return gIface.UnregisterXcrWriteHandler(gIntHandle);
809 }
810 
811 
812 INTSTATUS
813 IntSpinLockInit(
814  _Outptr_ void **SpinLock,
815  _In_z_ char *Name
816  )
817 {
818  return gUpIface.SpinLockInit(SpinLock, Name);
819 }
820 
821 
822 INTSTATUS
823 IntSpinLockUnInit(
824  _Inout_ _At_(*SpinLock, _Post_null_) void **SpinLock
825  )
826 {
827  return gUpIface.SpinLockUnInit(SpinLock);
828 }
829 
830 
831 _Acquires_lock_(SpinLock)
832 void
833 IntSpinLockAcquire(
834  _In_ void *SpinLock
835  )
836 {
837  INTSTATUS status = gUpIface.SpinLockAcquire(SpinLock);
838  if (!INT_SUCCESS(status))
839  {
840  CRITICAL("[ERROR] SpinLockAcquire failed: 0x%08x\n", status);
841  IntBugCheck();
842  }
843 }
844 
845 
846 _Releases_lock_(SpinLock)
847 void
848 IntSpinLockRelease(
849  _In_ void *SpinLock
850  )
851 {
852  INTSTATUS status = gUpIface.SpinLockRelease(SpinLock);
853  if (!INT_SUCCESS(status))
854  {
855  CRITICAL("[ERROR] SpinLockRelease failed: 0x%08x\n", status);
856  IntBugCheck();
857  }
858 }
859 
860 
861 INTSTATUS
862 IntRwSpinLockInit(
863  _Outptr_ void **SpinLock,
864  _In_z_ char *Name
865  )
866 {
867  return gUpIface.RwSpinLockInit(SpinLock, Name);
868 }
869 
870 
871 INTSTATUS
872 IntRwSpinLockUnInit(
873  _Inout_ _At_(*SpinLock, _Post_null_) void **SpinLock
874  )
875 {
876  return gUpIface.RwSpinLockUnInit(SpinLock);
877 }
878 
879 
880 INTSTATUS
881 IntRwSpinLockAcquireShared(
882  _In_ void *SpinLock
883  )
884 {
885  return gUpIface.RwSpinLockAcquireShared(SpinLock);
886 }
887 
888 
889 INTSTATUS
890 IntRwSpinLockAcquireExclusive(
891  _In_ void *SpinLock
892  )
893 {
894  return gUpIface.RwSpinLockAcquireExclusive(SpinLock);
895 }
896 
897 
898 INTSTATUS
899 IntRwSpinLockReleaseShared(
900  _In_ void *SpinLock
901  )
902 {
903  return gUpIface.RwSpinLockReleaseShared(SpinLock);
904 }
905 
906 
907 INTSTATUS
908 IntRwSpinLockReleaseExclusive(
909  _In_ void *SpinLock
910  )
911 {
912  return gUpIface.RwSpinLockReleaseExclusive(SpinLock);
913 }
914 
915 
916 __noreturn void
917 IntBugCheck(
918  void
919  )
920 {
921  gUpIface.BugCheck();
922  __unreachable;
923 }
924 
925 
926 INTSTATUS
927 IntNotifyIntroActive(
928  void
929  )
930 {
931  if (NULL == gIface.NotifyIntrospectionActivated)
932  {
933  return INT_STATUS_SUCCESS;
934  }
935 
936  return gIface.NotifyIntrospectionActivated(gIntHandle);
937 }
938 
939 
940 INTSTATUS
941 IntNotifyIntroInactive(
942  void
943  )
944 {
945  if (NULL == gIface.NotifyIntrospectionDeactivated)
946  {
947  return INT_STATUS_SUCCESS;
948  }
949 
950  return gIface.NotifyIntrospectionDeactivated(gIntHandle);
951 }
952 
953 
954 INTSTATUS
955 IntNotifyIntroDetectedOs(
956  _In_ INTRO_GUEST_TYPE OsType,
957  _In_ DWORD OsVersion,
958  _In_ BOOLEAN Is64
959  )
971 {
972  GUEST_INFO info = {0};
973 
974  if (NULL == gIface.NotifyIntrospectionDetectedOs)
975  {
976  return INT_STATUS_SUCCESS;
977  }
978 
979  info.Type = OsType;
980  info.BuildNumber = info.OsVersion = OsVersion;
981  info.Guest64 = Is64;
982  info.StartupTime = IG_INVALID_TIME;
983 
984  return gIface.NotifyIntrospectionDetectedOs(gIntHandle, &info);
985 }
986 
987 
988 INTSTATUS
989 IntNotifyIntroErrorState(
990  _In_ INTRO_ERROR_STATE State,
991  _In_opt_ INTRO_ERROR_CONTEXT *Context
992  )
993 {
994  if (NULL == gIface.NotifyIntrospectionErrorState)
995  {
996  return INT_STATUS_SUCCESS;
997  }
998 
999  return gIface.NotifyIntrospectionErrorState(gIntHandle, State, Context);
1000 }
1001 
1002 
1003 INTSTATUS
1004 IntNotifyEngines(
1005  _Inout_ void *Parameters
1006  )
1007 {
1008  if (NULL == gIface.NotifyScanEngines)
1009  {
1010  return INT_STATUS_NOT_SUPPORTED;
1011  }
1012 
1013  return gIface.NotifyScanEngines(gIntHandle, Parameters);
1014 }
1015 
1016 
1017 INTSTATUS
1018 IntSetIntroEmulatorContext(
1019  _In_ DWORD CpuNumber,
1020  _In_ QWORD VirtualAddress,
1021  _In_ DWORD BufferSize,
1022  _In_reads_bytes_(BufferSize) BYTE *Buffer
1023  )
1024 {
1025  return gIface.SetIntroEmulatorContext(gIntHandle, CpuNumber, VirtualAddress, BufferSize, Buffer);
1026 }
1027 
1028 
1029 INTSTATUS
1030 IntInjectTrap(
1031  _In_ DWORD CpuNumber,
1032  _In_ BYTE TrapNumber,
1033  _In_ DWORD ErrorCode,
1034  _In_opt_ QWORD Cr2
1035  )
1036 {
1037  return gIface.InjectTrap(gIntHandle, CpuNumber, TrapNumber, ErrorCode, Cr2);
1038 }
1039 
1040 
1041 INTSTATUS
1042 IntNotifyIntroEvent(
1043  _In_ INTRO_EVENT_TYPE EventClass,
1044  _In_ void *Param,
1045  _In_ size_t EventSize
1046  )
1058 {
1059  IntAlertCreateExceptionInEvent(Param, EventClass);
1060 
1061  return gIface.NotifyIntrospectionAlert(gIntHandle, EventClass, Param, EventSize);
1062 }
1063 
1064 
1065 INTSTATUS
1066 IntGetAgentContent(
1067  _In_ DWORD AgentTag,
1068  _In_ BOOLEAN Is64,
1069  _Out_ DWORD *Size,
1070  _Outptr_ BYTE **Content
1071  )
1072 {
1073  if (NULL == gIface.GetAgentContent)
1074  {
1075  return INT_STATUS_OPERATION_NOT_IMPLEMENTED;
1076  }
1077 
1078  return gIface.GetAgentContent(gIntHandle, AgentTag, Is64, Size, Content);
1079 }
1080 
1081 
1082 INTSTATUS
1083 IntReleaseBuffer(
1084  _In_ void *Buffer,
1085  _In_ DWORD Size
1086  )
1087 {
1088  if (NULL == gIface.ReleaseBuffer)
1089  {
1090  return INT_STATUS_OPERATION_NOT_IMPLEMENTED;
1091  }
1092 
1093  return gIface.ReleaseBuffer(gIntHandle, Buffer, Size);
1094 }
1095 
1096 
1097 INTSTATUS
1098 IntToggleRepOptimization(
1099  _In_ BOOLEAN Enable
1100  )
1101 {
1102  if (NULL == gIface.ToggleRepOptimization)
1103  {
1104  return INT_STATUS_SUCCESS;
1105  }
1106 
1107  return gIface.ToggleRepOptimization(gIntHandle, Enable);
1108 }
1109 
1110 
1111 INTSTATUS
1112 IntQueryHeapSize(
1113  _Out_ size_t *TotalHeapSize,
1114  _Out_ size_t *FreeHeapSize
1115  )
1116 {
1117  if (NULL == gUpIface.QueryHeapSize)
1118  {
1119  *TotalHeapSize = 0xFFFFFFFF;
1120  *FreeHeapSize = 0xFFFFFFFF;
1121 
1122  return INT_STATUS_SUCCESS;
1123  }
1124 
1125  return gUpIface.QueryHeapSize(TotalHeapSize, FreeHeapSize);
1126 }
1127 
1128 
1129 INTSTATUS
1130 IntSendMessage(
1131  _In_ char const *Message
1132  )
1143 {
1144  EVENT_INTROSPECTION_MESSAGE msg;
1145 
1146  strlcpy(msg.Message, Message, sizeof(msg.Message));
1147 
1148  return IntNotifyIntroEvent(introEventMessage, &msg, sizeof(msg));
1149 }
1150 
1151 
1152 INTSTATUS
1153 IntSetVEInfoPage(
1154  _In_ DWORD CpuNumber,
1155  _In_ QWORD VeInfoGpa
1156  )
1157 {
1158  if (NULL == gIface.SetVeInfoPage)
1159  {
1160  return INT_STATUS_NOT_SUPPORTED;
1161  }
1162 
1163  return gIface.SetVeInfoPage(gIntHandle, CpuNumber, VeInfoGpa);
1164 }
1165 
1166 
1167 INTSTATUS
1168 IntCreateEPT(
1169  _Out_ DWORD *EptIndex
1170  )
1171 {
1172  if (NULL == gIface.CreateEPT)
1173  {
1174  return INT_STATUS_NOT_SUPPORTED;
1175  }
1176 
1177  return gIface.CreateEPT(gIntHandle, EptIndex);
1178 }
1179 
1180 
1181 INTSTATUS
1182 IntDestroyEPT(
1183  _In_ DWORD EptIndex
1184  )
1185 {
1186  if (NULL == gIface.DestroyEPT)
1187  {
1188  return INT_STATUS_NOT_SUPPORTED;
1189  }
1190 
1191  return gIface.DestroyEPT(gIntHandle, EptIndex);
1192 }
1193 
1194 
1195 INTSTATUS
1196 IntSwitchEPT(
1197  _In_ DWORD NewEptIndex
1198  )
1199 {
1200  if (NULL == gIface.SwitchEPT)
1201  {
1202  return INT_STATUS_NOT_SUPPORTED;
1203  }
1204 
1205  return gIface.SwitchEPT(gIntHandle, NewEptIndex);
1206 }
1207 
1208 
1209 INTSTATUS
1210 IntGetEPTPageConvertible(
1211  _In_ DWORD EptIndex,
1212  _In_ QWORD Address,
1213  _Out_ BOOLEAN *Convertible
1214  )
1215 {
1216  if (NULL == gIface.GetEPTPageConvertible)
1217  {
1218  return INT_STATUS_NOT_SUPPORTED;
1219  }
1220 
1221  return gIface.GetEPTPageConvertible(gIntHandle, EptIndex, Address, Convertible);
1222 }
1223 
1224 
1225 INTSTATUS
1226 IntSetEPTPageConvertible(
1227  _In_ DWORD EptIndex,
1228  _In_ QWORD Address,
1229  _In_ BOOLEAN Convertible
1230  )
1231 {
1232  if (NULL == gIface.SetEPTPageConvertible)
1233  {
1234  return INT_STATUS_NOT_SUPPORTED;
1235  }
1236 
1237  return gIface.SetEPTPageConvertible(gIntHandle, EptIndex, Address, Convertible);
1238 }
1239 
1240 
1241 INTSTATUS
1242 IntFlushEPTPermissions(
1243  void
1244  )
1245 {
1246  if (NULL == gIface.FlushEPTPermissions)
1247  {
1248  // Simulate a flush by pausing and resuming the VCPUs.
1249  IntPauseVcpus();
1250 
1251  IntResumeVcpus();
1252 
1253  return INT_STATUS_SUCCESS;
1254  }
1255 
1256  return gIface.FlushEPTPermissions(gIntHandle);
1257 }
1258 
1259 
1260 BOOLEAN
1261 GlueIsVeApiAvailable(
1262  void
1263  )
1273 {
1274  return (gIface.SetVeInfoPage &&
1275  gIface.CreateEPT &&
1276  gIface.DestroyEPT &&
1277  gIface.SwitchEPT &&
1278  gIface.GetEPTPageConvertible &&
1279  gIface.SetEPTPageConvertible);
1280 }
1281 
1282 
1283 BOOLEAN
1284 GlueIsScanEnginesApiAvailable(
1285  void
1286  )
1296 {
1297  return (gIface.NotifyScanEngines && gIface.RegisterEnginesResultCallback);
1298 }
1299 
1300 
1301 #ifdef INT_COMPILER_MSVC
1302 
1303 __attribute__((malloc))
1304 __attribute__ ((alloc_size (1)))
1305 __must_check
1306 void *
1307 IntAllocWithTag(
1308  _In_ size_t Length,
1309  _In_ DWORD Tag,
1310  _In_ const char *FileName,
1311  _In_ DWORD FileLine
1312  )
1313 {
1314  INTSTATUS status;
1315  void *addr = NULL;
1316 
1317  if (Length >= 4 * ONE_GIGABYTE)
1318  {
1319  return addr;
1320  }
1321 
1322  if (Length < 8)
1323  {
1324  Length = 8;
1325  }
1326 
1327  status = gUpIface.MemAllocWithTagAndInfo(&addr, Length, Tag);
1328  if (INT_SUCCESS(status))
1329  {
1330  memzero(addr, Length);
1331  }
1332  else
1333  {
1334  addr = NULL;
1335 
1336  gUpIface.TracePrint(__FILE__, __LINE__,
1337  "[ERROR] MemAllocWithTagAndInfo failed in file '%s:%d' for size 0x%llx: 0x%08x\n",
1338  FileName, FileLine, Length, status);
1339  }
1340 
1341  return addr;
1342 }
1343 
1344 
1345 INTSTATUS
1346 IntFreeWithTag(
1347  _In_ void *Address,
1348  _In_ DWORD Tag
1349  )
1350 {
1351  void **addr = &Address;
1352 
1353  return gUpIface.MemFreeWithTagAndInfo(addr, Tag);
1354 }
1355 
1356 #endif
intLogLevelDebug
Shows all logs.
Definition: glueiface.h:391
_In_opt_
#define _In_opt_
Definition: intro_sal.h:16
IntDisableCrWriteExit
INTSTATUS IntDisableCrWriteExit(DWORD Cr)
Definition: glue.c:556
IntUnregisterEPTHandler
INTSTATUS IntUnregisterEPTHandler(void)
Definition: glue.c:732
BOOLEAN
_Bool BOOLEAN
Definition: intro_types.h:58
_Out_
#define _Out_
Definition: intro_sal.h:22
IntSpinLockInit
INTSTATUS IntSpinLockInit(void **SpinLock, char *Name)
Definition: glue.c:813
IntUnregisterCrWriteHandler
INTSTATUS IntUnregisterCrWriteHandler(void)
Definition: glue.c:574
_GLUE_IFACE::UnregisterBreakpointHandler
PFUNC_IntUnregisterBreakpointHandler UnregisterBreakpointHandler
Definition: glueiface.h:2136
_UPPER_IFACE::QueryHeapSize
PFUNC_IntQueryHeapSize QueryHeapSize
Definition: upperiface.h:283
_GLUE_IFACE::UnregisterIntroCallHandler
PFUNC_IntUnregisterIntroCallHandler UnregisterIntroCallHandler
Definition: glueiface.h:2115
IntNotifyIntroEvent
INTSTATUS IntNotifyIntroEvent(INTRO_EVENT_TYPE EventClass, void *Param, size_t EventSize)
Notifies the integrator about an introspection alert.
Definition: glue.c:1042
_GLUE_IFACE::NotifyIntrospectionDetectedOs
PFUNC_IntNotifyIntrospectionDetectedOs NotifyIntrospectionDetectedOs
Definition: glueiface.h:2154
BYTE
uint8_t BYTE
Definition: intro_types.h:47
IntPhysMemFastMap
static INTSTATUS IntPhysMemFastMap(QWORD PhysAddress, void **HostPtr)
Maps a guest physical address using the fast map mechanism.
Definition: glue.c:251
_GLUE_IFACE::RegisterXcrWriteHandler
PFUNC_IntRegisterXcrWriteHandler RegisterXcrWriteHandler
Definition: glueiface.h:2131
GlueIsVeApiAvailable
BOOLEAN GlueIsVeApiAvailable(void)
Checks if the virtualization exception API is implemented.
Definition: glue.c:1261
_GLUE_IFACE::GetEPTPageProtection
PFUNC_IntGetEPTPageProtection GetEPTPageProtection
Definition: glueiface.h:2098
_GLUE_IFACE::UnregisterDtrHandler
PFUNC_IntUnregisterDescriptorTableHandler UnregisterDtrHandler
Definition: glueiface.h:2123
GLUE_IFACE_VERSION_LATEST
#define GLUE_IFACE_VERSION_LATEST
Definition: glueiface.h:2227
_In_
#define _In_
Definition: intro_sal.h:21
_BitScanForward64
static uint8_t _BitScanForward64(uint32_t *Index, uint64_t Mask)
Definition: intrinsics.h:104
IntUnregisterXcrWriteHandler
INTSTATUS IntUnregisterXcrWriteHandler(void)
Definition: glue.c:804
IntSendMessage
INTSTATUS IntSendMessage(char const *Message)
Sends an Introcore message.
Definition: glue.c:1130
INT_STATUS_SUCCESS
#define INT_STATUS_SUCCESS
Definition: introstatus.h:54
IntUnregisterIntroCallHandler
INTSTATUS IntUnregisterIntroCallHandler(void)
Definition: glue.c:750
_GLUE_IFACE::GetAgentContent
PFUNC_IntGetAgentContent GetAgentContent
Definition: glueiface.h:2160
gIface
static GLUE_IFACE gIface
The instance of the GLUE_IFACE that is being used.
Definition: glue.c:40
INT_STATUS_OUT_OF_RESOURCES
#define INT_STATUS_OUT_OF_RESOURCES
Definition: introstatus.h:203
_UPPER_IFACE::MemFreeWithTagAndInfo
PFUNC_HpFreeWithTagAndInfo MemFreeWithTagAndInfo
Definition: upperiface.h:272
_Out_writes_bytes_
#define _Out_writes_bytes_(expr)
Definition: intro_sal.h:38
PFUNC_IntTracePrint
INTSTATUS PRINTF_ATTRIBUTE(* PFUNC_IntTracePrint)(const CHAR *File, DWORD Line, const CHAR *Format,...)
Provides print-like trace functionality for introcore.
Definition: upperiface.h:42
_GLUE_IFACE::RegisterIntroTimerHandler
PFUNC_IntRegisterVmxTimerHandler RegisterIntroTimerHandler
Definition: glueiface.h:2118
_GLUE_IFACE::PhysMemUnmap
PFUNC_IntPhysMemUnmap PhysMemUnmap
Definition: glueiface.h:2095
_GUEST_INFO::BuildNumber
QWORD BuildNumber
Definition: intro_types.h:2380
_GLUE_IFACE::UnregisterIntroTimerHandler
PFUNC_IntUnregisterVmxTimerHandler UnregisterIntroTimerHandler
Definition: glueiface.h:2119
_GLUE_IFACE::ResumeVcpus
PFUNC_IntRequestVcpusResume ResumeVcpus
Definition: glueiface.h:2111
IntPhysMemMap
INTSTATUS IntPhysMemMap(QWORD PhysAddress, DWORD Length, DWORD Flags, void **HostPtr)
Maps a guest physical address inside Introcore VA space.
Definition: glue.c:338
_GLUE_IFACE::InjectTrap
PFUNC_IntInjectTrap InjectTrap
Definition: glueiface.h:2142
IntNotifyEngines
INTSTATUS IntNotifyEngines(void *Parameters)
Definition: glue.c:1004
GlueIsSppApiAvailable
BOOLEAN GlueIsSppApiAvailable(void)
Checks if the SPP APIs in GLUE_IFACE are implemented.
Definition: glue.c:705
_UPPER_IFACE
Interface that exposes basic services to the introspection engines.
Definition: upperiface.h:262
INT_SUCCESS
#define INT_SUCCESS(Status)
Definition: introstatus.h:42
IntUnregisterBreakpointHandler
INTSTATUS IntUnregisterBreakpointHandler(void)
Definition: glue.c:592
gFastPaPagesCount
DWORD gFastPaPagesCount
The number of pages reserved for the fast map zone.
Definition: glue.c:34
IntResumeVcpus
INTSTATUS IntResumeVcpus(void)
Resumes the VCPUs previously paused with IntPauseVcpus.
Definition: introcore.c:2355
_UPPER_IFACE::MemAllocWithTagAndInfo
PFUNC_HpAllocWithTagAndInfo MemAllocWithTagAndInfo
Definition: upperiface.h:271
_GLUE_IFACE::CreateEPT
PFUNC_IntCreateEPT CreateEPT
Definition: glueiface.h:2168
IntUnregisterEnginesResultCalback
INTSTATUS IntUnregisterEnginesResultCalback(void)
Thin wrapper over the optional GLUE_IFACE.UnregisterEnginesResultCalback API.
Definition: glue.c:640
PAGE_OFFSET
#define PAGE_OFFSET
Definition: pgtable.h:32
ARRAYSIZE
#define ARRAYSIZE(A)
Definition: introdefs.h:101
_GLUE_IFACE::GetEPTPageConvertible
PFUNC_IntGetEPTPageConvertible GetEPTPageConvertible
Definition: glueiface.h:2171
IntNotifyIntroInactive
INTSTATUS IntNotifyIntroInactive(void)
Definition: glue.c:941
IntRwSpinLockUnInit
INTSTATUS IntRwSpinLockUnInit(void **SpinLock)
Definition: glue.c:872
gEventId
QWORD gEventId
The ID of the current event.
Definition: glue.c:55
_UPPER_IFACE::RwSpinLockAcquireShared
PFUNC_IntRwSpinLockAcquireShared RwSpinLockAcquireShared
Definition: upperiface.h:279
_GLUE_IFACE::DestroyEPT
PFUNC_IntDestroyEPT DestroyEPT
Definition: glueiface.h:2169
IntUnregisterEventInjectionHandler
INTSTATUS IntUnregisterEventInjectionHandler(void)
Definition: glue.c:610
PFUNC_IntEPTViolationCallback
INTSTATUS(* PFUNC_IntEPTViolationCallback)(void *GuestHandle, QWORD PhysicalAddress, DWORD Length, QWORD VirtualAddress, DWORD CpuNumber, INTRO_ACTION *Action, IG_EPT_ACCESS Type)
Definition: glueiface.h:428
_UPPER_IFACE::RwSpinLockReleaseShared
PFUNC_IntRwSpinLockReleaseShared RwSpinLockReleaseShared
Definition: upperiface.h:281
IntRegisterEnginesResultCallback
INTSTATUS IntRegisterEnginesResultCallback(PFUNC_IntEventEnginesResultCallback Callback)
Thin wrapper over the optional GLUE_IFACE.RegisterEnginesResultCallback API.
Definition: glue.c:619
INT_STATUS_NOT_NEEDED_HINT
#define INT_STATUS_NOT_NEEDED_HINT
Definition: introstatus.h:317
introEventMessage
Plain text message sent from Introcore to the integrator. See EVENT_INTROSPECTION_MESSAGE.
Definition: intro_types.h:100
ERROR
#define ERROR(fmt,...)
Definition: glue.h:62
gFastPaPageBase
void * gFastPaPageBase
The base of the fast map memory region.
Definition: glue.c:26
_GLUE_IFACE::PhysMemMapToHost
PFUNC_IntPhysMemMapToHost PhysMemMapToHost
Definition: glueiface.h:2094
_Outptr_
#define _Outptr_
Definition: intro_sal.h:19
PHYS_MAP_FLG_NO_FASTMAP
#define PHYS_MAP_FLG_NO_FASTMAP
Indicates that IntPhysMemMap should not use the fast memory mapping mechanism.
Definition: glue.h:71
PHYS_PAGE_MASK
#define PHYS_PAGE_MASK
Definition: pgtable.h:38
INTSTATUS
int INTSTATUS
The status data type.
Definition: introstatus.h:24
UPPER_IFACE_VERSION_LATEST
#define UPPER_IFACE_VERSION_LATEST
Definition: upperiface.h:291
IntRegisterIntroCallHandler
INTSTATUS IntRegisterIntroCallHandler(PFUNC_IntIntroCallCallback Callback)
Definition: glue.c:741
IntSetVEInfoPage
INTSTATUS IntSetVEInfoPage(DWORD CpuNumber, QWORD VeInfoGpa)
Definition: glue.c:1153
IntNotifyIntroErrorState
INTSTATUS IntNotifyIntroErrorState(INTRO_ERROR_STATE State, INTRO_ERROR_CONTEXT *Context)
Definition: glue.c:989
_UPPER_IFACE::RwSpinLockAcquireExclusive
PFUNC_IntRwSpinLockAcquireExclusive RwSpinLockAcquireExclusive
Definition: upperiface.h:280
IntRegisterDtrHandler
INTSTATUS IntRegisterDtrHandler(PFUNC_IntIntroDescriptorTableCallback Callback)
Definition: glue.c:777
_GLUE_IFACE::RegisterMSRHandler
PFUNC_IntRegisterMSRHandler RegisterMSRHandler
Definition: glueiface.h:2107
PAGE_COUNT
#define PAGE_COUNT(addr, bytes)
Definition: pgtable.h:189
_UPPER_IFACE::RwSpinLockUnInit
PFUNC_IntRwSpinLockUnInit RwSpinLockUnInit
Definition: upperiface.h:278
PFUNC_IntMSRViolationCallback
INTSTATUS(* PFUNC_IntMSRViolationCallback)(void *GuestHandle, DWORD Msr, IG_MSR_HOOK_TYPE Flags, INTRO_ACTION *Action, QWORD OriginalValue, QWORD *NewValue, DWORD CpuNumber)
Definition: glueiface.h:457
IntPauseVcpus
INTSTATUS IntPauseVcpus(void)
Pauses all the guest VCPUs.
Definition: introcore.c:2320
IntGetAgentContent
INTSTATUS IntGetAgentContent(DWORD AgentTag, BOOLEAN Is64, DWORD *Size, BYTE **Content)
Definition: glue.c:1066
IntAlertCreateExceptionInEvent
INTSTATUS IntAlertCreateExceptionInEvent(void *Event, INTRO_EVENT_TYPE Type)
This function creates an alert-exception for each alert sent to the integrator.
Definition: alert_exceptions.c:1513
IntRegisterEventInjectionHandler
INTSTATUS IntRegisterEventInjectionHandler(PFUNC_IntEventInjectionCallback Callback)
Definition: glue.c:601
INT_STATUS_OPERATION_NOT_IMPLEMENTED
#define INT_STATUS_OPERATION_NOT_IMPLEMENTED
Definition: introstatus.h:125
MIN
#define MIN(a, b)
Definition: introdefs.h:146
_GLUE_IFACE
Interface used for communicating between the introspection engine and the integrator.
Definition: glueiface.h:2078
_GLUE_IFACE::UnregisterEPTHandler
PFUNC_IntUnregisterEPTHandler UnregisterEPTHandler
Definition: glueiface.h:2103
IntGpaToHpa
INTSTATUS IntGpaToHpa(QWORD Gpa, QWORD *Hpa)
Definition: glue.c:240
IntEnableCrWriteExit
INTSTATUS IntEnableCrWriteExit(DWORD Cr)
Definition: glue.c:547
_UPPER_IFACE::BugCheck
PFUNC_IntBugCheck BugCheck
Definition: upperiface.h:284
IntPhysMemUnmap
INTSTATUS IntPhysMemUnmap(void **HostPtr)
Unmaps an address previously mapped with IntPhysMemMap.
Definition: glue.c:396
_GLUE_IFACE::DisableCrWriteExit
PFUNC_IntDisableCrWriteExit DisableCrWriteExit
Definition: glueiface.h:2126
PFUNC_IntIntroDescriptorTableCallback
INTSTATUS(* PFUNC_IntIntroDescriptorTableCallback)(void *GuestHandle, DWORD Flags, DWORD CpuNumber, INTRO_ACTION *Action)
Definition: glueiface.h:518
IntNotifyIntroDetectedOs
INTSTATUS IntNotifyIntroDetectedOs(INTRO_GUEST_TYPE OsType, DWORD OsVersion, BOOLEAN Is64)
Wrapper over GLUE_IFACE.NotifyIntrospectionDetectedOs.
Definition: glue.c:955
IntSetEPTPageConvertible
INTSTATUS IntSetEPTPageConvertible(DWORD EptIndex, QWORD Address, BOOLEAN Convertible)
Definition: glue.c:1226
_GLUE_IFACE::RegisterBreakpointHandler
PFUNC_IntRegisterBreakpointHandler RegisterBreakpointHandler
Definition: glueiface.h:2135
_UPPER_IFACE::SpinLockAcquire
PFUNC_IntSpinLockAcquire SpinLockAcquire
Definition: upperiface.h:275
_GLUE_IFACE::SetEPTPageConvertible
PFUNC_IntSetEPTPageConvertible SetEPTPageConvertible
Definition: glueiface.h:2172
PFUNC_IntBreakpointCallback
INTSTATUS(* PFUNC_IntBreakpointCallback)(void *GuestHandle, QWORD PhysicalAddress, DWORD CpuNumber)
Definition: glueiface.h:590
IG_MEM_WB
Write-back.
Definition: glueiface.h:163
IntSpinLockAcquire
void IntSpinLockAcquire(void *SpinLock)
Definition: glue.c:833
intLogLevelWarning
Shows warning logs and logs with a higher level.
Definition: glueiface.h:393
_GLUE_IFACE::SetIntroEmulatorContext
PFUNC_IntSetIntroEmulatorContext SetIntroEmulatorContext
Definition: glueiface.h:2144
_UPPER_IFACE::Size
DWORD Size
The size of the interface.Must match UPPER_IFACE_VERSION_1_SIZE.
Definition: upperiface.h:267
_GLUE_IFACE::NotifyIntrospectionAlert
PFUNC_IntNotifyIntroAlert NotifyIntrospectionAlert
Definition: glueiface.h:2157
__invlpg
static void __invlpg(void *Address)
Definition: intrinsics.h:389
IntReleaseBuffer
INTSTATUS IntReleaseBuffer(void *Buffer, DWORD Size)
Definition: glue.c:1083
_Inout_
#define _Inout_
Definition: intro_sal.h:20
IntRegisterMSRHandler
INTSTATUS IntRegisterMSRHandler(PFUNC_IntMSRViolationCallback Callback)
Definition: glue.c:519
_Acquires_lock_
#define _Acquires_lock_(expr)
Definition: intro_sal.h:34
_GLUE_IFACE::NotifyIntrospectionErrorState
PFUNC_IntNotifyIntrospectionErrorState NotifyIntrospectionErrorState
Definition: glueiface.h:2156
_GLUE_IFACE::SetVeInfoPage
PFUNC_IntSetVeInfoPage SetVeInfoPage
Definition: glueiface.h:2167
IntCreateEPT
INTSTATUS IntCreateEPT(DWORD *EptIndex)
Definition: glue.c:1168
_GLUE_IFACE::EnableMSRExit
PFUNC_IntEnableMsrExit EnableMSRExit
Definition: glueiface.h:2105
gLogLevel
IG_LOG_LEVEL gLogLevel
The currently used log level.
Definition: glue.c:68
_GLUE_IFACE::RegisterDtrHandler
PFUNC_IntRegisterDescriptorTableHandler RegisterDtrHandler
Definition: glueiface.h:2122
PFUNC_IntEventInjectionCallback
INTSTATUS(* PFUNC_IntEventInjectionCallback)(void *GuestHandle, DWORD Vector, QWORD ErrorCode, QWORD Cr2, DWORD CpuNumber)
Definition: glueiface.h:610
_INTRO_ERROR_CONTEXT
The context of an error state.
Definition: intro_types.h:2415
_GLUE_IFACE::RegisterIntroCallHandler
PFUNC_IntRegisterIntroCallHandler RegisterIntroCallHandler
Definition: glueiface.h:2114
IntSwitchEPT
INTSTATUS IntSwitchEPT(DWORD NewEptIndex)
Definition: glue.c:1196
_UPPER_IFACE::SpinLockRelease
PFUNC_IntSpinLockRelease SpinLockRelease
Definition: upperiface.h:276
_GLUE_IFACE::RegisterEnginesResultCallback
PFUNC_IntRegisterEnginesResultCallback RegisterEnginesResultCallback
Definition: glueiface.h:2175
_GLUE_IFACE::SetEPTPageProtection
PFUNC_IntSetEPTPageProtection SetEPTPageProtection
Definition: glueiface.h:2099
IntRegisterEPTHandler
INTSTATUS IntRegisterEPTHandler(PFUNC_IntEPTViolationCallback Callback)
Definition: glue.c:723
IntReserveVaSpaceWithPt
INTSTATUS IntReserveVaSpaceWithPt(void **FirstPageBase, DWORD *PagesCount, void **PtBase)
Reserves a contiguous region of virtual memory which will then be used to map physical pages...
Definition: glue.c:451
memzero
#define memzero(a, s)
Definition: introcrt.h:35
_GLUE_IFACE::GpaToHpa
PFUNC_IntGpaToHpa GpaToHpa
Definition: glueiface.h:2092
_GLUE_IFACE::ToggleRepOptimization
PFUNC_IntToggleRepOptimization ToggleRepOptimization
Definition: glueiface.h:2162
QWORD
unsigned long long QWORD
Definition: intro_types.h:53
IntUnregisterVmxTimerHandler
INTSTATUS IntUnregisterVmxTimerHandler(void)
Definition: glue.c:768
IntQueryGuestInfo
INTSTATUS IntQueryGuestInfo(DWORD InfoClass, void *InfoParam, void *Buffer, DWORD BufferLength)
Definition: glue.c:226
IntGlueReset
void IntGlueReset(void)
Resets the global glue state (gIface. gUpIface, gIntHandle, gEventId, etc)
Definition: glue.c:77
GlueResumeVcpus
INTSTATUS GlueResumeVcpus(void)
Definition: glue.c:490
gFastPaPtBase
void * gFastPaPtBase
The base of the page table that maps the fast map zone.
Definition: glue.c:30
_GLUE_IFACE::RegisterEventInjectionHandler
PFUNC_IntRegisterEventInjectionHandler RegisterEventInjectionHandler
Definition: glueiface.h:2139
_GLUE_IFACE::Size
DWORD Size
The size of the interface.Must match GLUE_IFACE_VERSION_1_SIZE.
Definition: glueiface.h:2083
IntToggleRepOptimization
INTSTATUS IntToggleRepOptimization(BOOLEAN Enable)
Definition: glue.c:1098
_GLUE_IFACE::SwitchEPT
PFUNC_IntSwitchEPT SwitchEPT
Definition: glueiface.h:2170
__must_check
#define __must_check
Definition: introtypes.h:48
_GLUE_IFACE::FlushEPTPermissions
PFUNC_IntFlushEPTPermissions FlushEPTPermissions
Definition: glueiface.h:2178
_Releases_lock_
#define _Releases_lock_(expr)
Definition: intro_sal.h:35
IntGlueInit
INTSTATUS IntGlueInit(GLUE_IFACE const *GlueInterface, UPPER_IFACE const *UpperInterface)
Initializes the instances of GLUE_IFACE and UPPER_IFACE that will be used.
Definition: glue.c:101
IntSetSPPPageProtection
INTSTATUS IntSetSPPPageProtection(QWORD Gpa, QWORD Spp)
Definition: glue.c:695
_UPPER_IFACE::RwSpinLockInit
PFUNC_IntRwSpinLockInit RwSpinLockInit
Definition: upperiface.h:277
IntInjectTrap
INTSTATUS IntInjectTrap(DWORD CpuNumber, BYTE TrapNumber, DWORD ErrorCode, QWORD Cr2)
Definition: glue.c:1030
GlueIsScanEnginesApiAvailable
BOOLEAN GlueIsScanEnginesApiAvailable(void)
Checks if the third party memory scanning engines are present.
Definition: glue.c:1284
IntPhysMemGetTypeFromMtrrs
INTSTATUS IntPhysMemGetTypeFromMtrrs(QWORD Gpa, IG_MEMTYPE *MemType)
Definition: glue.c:537
_GLUE_IFACE::SetSPPPageProtection
PFUNC_IntSetSPPPageProtection SetSPPPageProtection
Definition: glueiface.h:2101
GLUE_IFACE_VERSION_LATEST_SIZE
#define GLUE_IFACE_VERSION_LATEST_SIZE
Definition: glueiface.h:2228
IntSpinLockUnInit
INTSTATUS IntSpinLockUnInit(void **SpinLock)
Definition: glue.c:823
PFUNC_IntEnterDebugger
void(* PFUNC_IntEnterDebugger)(void)
Breaks into the debugger.
Definition: upperiface.h:215
PFUNC_IntEventEnginesResultCallback
INTSTATUS(* PFUNC_IntEventEnginesResultCallback)(void *GuestHandle, PENG_NOTIFICATION_HEADER EngineNotification)
Definition: glueiface.h:633
__unreachable
#define __unreachable
Definition: common.h:62
strlcpy
size_t strlcpy(char *dst, const char *src, size_t dest_size)
Definition: introcrt.c:1093
_GUEST_INFO::StartupTime
QWORD StartupTime
Startup time.
Definition: intro_types.h:2388
IntRwSpinLockReleaseShared
INTSTATUS IntRwSpinLockReleaseShared(void *SpinLock)
Definition: glue.c:899
IntRwSpinLockReleaseExclusive
INTSTATUS IntRwSpinLockReleaseExclusive(void *SpinLock)
Definition: glue.c:908
INT_STATUS_ALREADY_INITIALIZED_HINT
#define INT_STATUS_ALREADY_INITIALIZED_HINT
Definition: introstatus.h:323
_Outptr_result_bytebuffer_
#define _Outptr_result_bytebuffer_(expr)
Definition: intro_sal.h:24
_GLUE_IFACE::DisableMSRExit
PFUNC_IntDisableMsrExit DisableMSRExit
Definition: glueiface.h:2106
_GLUE_IFACE::NotifyScanEngines
PFUNC_IntNotifyEngines NotifyScanEngines
Definition: glueiface.h:2158
PAGE_SIZE
#define PAGE_SIZE
Definition: common.h:70
_GLUE_IFACE::ReserveVaSpaceWithPt
PFUNC_IntReserveVaSpaceWithPt ReserveVaSpaceWithPt
Definition: glueiface.h:2150
IntGetEPTPageConvertible
INTSTATUS IntGetEPTPageConvertible(DWORD EptIndex, QWORD Address, BOOLEAN *Convertible)
Definition: glue.c:1210
INTRO_GUEST_TYPE
INTRO_GUEST_TYPE
The type of the introspected operating system.
Definition: intro_types.h:2040
_GLUE_IFACE::UnregisterCrWriteHandler
PFUNC_IntUnregisterCrWriteHandler UnregisterCrWriteHandler
Definition: glueiface.h:2128
DWORD
uint32_t DWORD
Definition: intro_types.h:49
_GLUE_IFACE::UnregisterEventInjectionHandler
PFUNC_IntUnregisterEventInjectionHandler UnregisterEventInjectionHandler
Definition: glueiface.h:2140
PFUNC_IntIntroCallCallback
INTSTATUS(* PFUNC_IntIntroCallCallback)(void *GuestHandle, QWORD Rip, DWORD Cpu)
Definition: glueiface.h:483
_UPPER_IFACE::EnterDebugger
PFUNC_IntEnterDebugger EnterDebugger
Definition: upperiface.h:285
IntRegisterXcrWriteHandler
INTSTATUS IntRegisterXcrWriteHandler(PFUNC_IntXcrWriteCallback Callback)
Definition: glue.c:795
IG_INVALID_TIME
#define IG_INVALID_TIME
Definition: glueiface.h:329
_At_
#define _At_(expr, arg)
Definition: intro_sal.h:23
IntRwSpinLockAcquireExclusive
INTSTATUS IntRwSpinLockAcquireExclusive(void *SpinLock)
Definition: glue.c:890
_In_reads_bytes_
#define _In_reads_bytes_(expr)
Definition: intro_sal.h:25
_UPPER_IFACE::SpinLockInit
PFUNC_IntSpinLockInit SpinLockInit
Definition: upperiface.h:273
_GLUE_IFACE::GetSPPPageProtection
PFUNC_IntGetSPPPageProtection GetSPPPageProtection
Definition: glueiface.h:2100
IntFlushEPTPermissions
INTSTATUS IntFlushEPTPermissions(void)
Definition: glue.c:1242
PFUNC_IntCrWriteCallback
INTSTATUS(* PFUNC_IntCrWriteCallback)(void *GuestHandle, DWORD Cr, DWORD CpuNumber, QWORD OldValue, QWORD NewValue, INTRO_ACTION *Action)
Definition: glueiface.h:543
GlueEnterDebugger
PFUNC_IntEnterDebugger GlueEnterDebugger
The API used to break into the debugger.
Definition: glue.c:74
_GLUE_IFACE::QueryGuestInfo
PFUNC_IntQueryGuestInfo QueryGuestInfo
Definition: glueiface.h:2090
IntSpinLockRelease
void IntSpinLockRelease(void *SpinLock)
Definition: glue.c:848
_In_z_
#define _In_z_
Definition: intro_sal.h:17
PFUNC_IntIntroTimerCallback
INTSTATUS(* PFUNC_IntIntroTimerCallback)(void *GuestHandle)
Definition: glueiface.h:499
IntDisableMsrExit
INTSTATUS IntDisableMsrExit(DWORD Msr, BOOLEAN *OldValue)
Definition: glue.c:509
INT_STATUS_INVALID_DATA_TYPE
#define INT_STATUS_INVALID_DATA_TYPE
Definition: introstatus.h:139
INTRO_ERROR_STATE
INTRO_ERROR_STATE
Error states.
Definition: intro_types.h:2433
_When_
#define _When_(expr, arg)
Definition: intro_sal.h:26
IntSetIntroEmulatorContext
INTSTATUS IntSetIntroEmulatorContext(DWORD CpuNumber, QWORD VirtualAddress, DWORD BufferSize, BYTE *Buffer)
Definition: glue.c:1018
IntEnableMsrExit
INTSTATUS IntEnableMsrExit(DWORD Msr, BOOLEAN *OldValue)
Definition: glue.c:499
IG_LOG_LEVEL
enum _IG_LOG_LEVEL IG_LOG_LEVEL
Controls the verbosity of the logs.
_GUEST_INFO
Guest information.
Definition: intro_types.h:2377
_GLUE_IFACE::UnregisterMSRHandler
PFUNC_IntUnregisterMSRHandler UnregisterMSRHandler
Definition: glueiface.h:2108
IntSetEPTPageProtection
INTSTATUS IntSetEPTPageProtection(DWORD EptIndex, QWORD Gpa, BYTE Read, BYTE Write, BYTE Execute)
Definition: glue.c:672
gPageBitmap
QWORD gPageBitmap[8]
Indicates which pages inside the fast map region are free.
Definition: glue.c:21
_GLUE_IFACE::UnregisterEnginesResultCalback
PFUNC_IntUnregisterEnginesResultCalback UnregisterEnginesResultCalback
Definition: glueiface.h:2176
IntRegisterVmxTimerHandler
INTSTATUS IntRegisterVmxTimerHandler(PFUNC_IntIntroTimerCallback Callback)
Definition: glue.c:759
_GLUE_IFACE::NotifyIntrospectionDeactivated
PFUNC_IntNotifyIntrospectionDeactivated NotifyIntrospectionDeactivated
Definition: glueiface.h:2153
_GLUE_IFACE::UnregisterXcrWriteHandler
PFUNC_IntUnregisterXcrWriteHandler UnregisterXcrWriteHandler
Definition: glueiface.h:2132
_GLUE_IFACE::EnableCrWriteExit
PFUNC_IntEnableCrWriteExit EnableCrWriteExit
Definition: glueiface.h:2125
_EVENT_INTROSPECTION_MESSAGE::Message
CHAR Message[ALERT_MAX_MESSAGE_SIZE]
Raw data.
Definition: intro_types.h:1901
_GLUE_IFACE::RegisterCrWriteHandler
PFUNC_IntRegisterCrWriteHandler RegisterCrWriteHandler
Definition: glueiface.h:2127
UPPER_IFACE_VERSION_LATEST_SIZE
#define UPPER_IFACE_VERSION_LATEST_SIZE
Definition: upperiface.h:292
IG_MEM_UNKNOWN
Unknown memory type.
Definition: glueiface.h:165
IG_MEMTYPE
IG_MEMTYPE
Memory type values.
Definition: glueiface.h:157
INT_STATUS_INVALID_PARAMETER_1
#define INT_STATUS_INVALID_PARAMETER_1
Definition: introstatus.h:62
INT_STATUS_NOT_SUPPORTED
#define INT_STATUS_NOT_SUPPORTED
Definition: introstatus.h:287
GluePauseVcpus
INTSTATUS GluePauseVcpus(void)
Definition: glue.c:481
gUpIface
static UPPER_IFACE gUpIface
The instance of UPPER_IFACE that is being used.
Definition: glue.c:44
_GLUE_IFACE::NotifyIntrospectionActivated
PFUNC_IntNotifyIntrospectionActivated NotifyIntrospectionActivated
Definition: glueiface.h:2152
INTRO_EVENT_TYPE
enum _INTRO_EVENT_TYPE INTRO_EVENT_TYPE
Event classes.
alert_exceptions.h
CRITICAL
#define CRITICAL(fmt,...)
Definition: glue.h:63
IntBugCheck
__noreturn void IntBugCheck(void)
Definition: glue.c:917
ONE_GIGABYTE
#define ONE_GIGABYTE
Definition: introdefs.h:91
gIntHandle
void * gIntHandle
The guest handle provided by the integrator at initialization.
Definition: glue.c:49
GlueTracePrint
PFUNC_IntTracePrint GlueTracePrint
The trace API used.
Definition: glue.c:72
_UPPER_IFACE::RwSpinLockReleaseExclusive
PFUNC_IntRwSpinLockReleaseExclusive RwSpinLockReleaseExclusive
Definition: upperiface.h:282
IntUnregisterDtrHandler
INTSTATUS IntUnregisterDtrHandler(void)
Definition: glue.c:786
IntQueryHeapSize
INTSTATUS IntQueryHeapSize(size_t *TotalHeapSize, size_t *FreeHeapSize)
Definition: glue.c:1112
_UPPER_IFACE::TracePrint
PFUNC_IntTracePrint TracePrint
Definition: upperiface.h:270
_GLUE_IFACE::PhysMemGetTypeFromMtrrs
PFUNC_IntGetPhysicalPageTypeFromMtrrs PhysMemGetTypeFromMtrrs
Definition: glueiface.h:2096
_GUEST_INFO::OsVersion
DWORD OsVersion
Definition: intro_types.h:2384
__noreturn
#define __noreturn
Definition: introtypes.h:50
IntGetSPPPageProtection
INTSTATUS IntGetSPPPageProtection(QWORD Gpa, QWORD *Spp)
Definition: glue.c:685
IntNotifyIntroActive
INTSTATUS IntNotifyIntroActive(void)
Definition: glue.c:927
IntRegisterCrWriteHandler
INTSTATUS IntRegisterCrWriteHandler(PFUNC_IntCrWriteCallback Callback)
Definition: glue.c:565
IntUnregisterMSRHandler
INTSTATUS IntUnregisterMSRHandler(void)
Definition: glue.c:528
PAGE_MASK
#define PAGE_MASK
Definition: pgtable.h:35
IntGetEPTPageProtection
INTSTATUS IntGetEPTPageProtection(DWORD EptIndex, QWORD Gpa, BYTE *Read, BYTE *Write, BYTE *Execute)
Definition: glue.c:659
_GLUE_IFACE::RegisterEPTHandler
PFUNC_IntRegisterEPTHandler RegisterEPTHandler
Definition: glueiface.h:2102
IntDestroyEPT
INTSTATUS IntDestroyEPT(DWORD EptIndex)
Definition: glue.c:1182
IntRwSpinLockAcquireShared
INTSTATUS IntRwSpinLockAcquireShared(void *SpinLock)
Definition: glue.c:881
INT_STATUS_INVALID_PARAMETER_2
#define INT_STATUS_INVALID_PARAMETER_2
Definition: introstatus.h:65
_GLUE_IFACE::PauseVcpus
PFUNC_IntRequestVcpusPause PauseVcpus
Definition: glueiface.h:2110
gCurLogBuffer
DWORD gCurLogBuffer
Used for utf16_for_log to support calling that function 8 times in a single macro.
Definition: glue.c:58
PFUNC_IntXcrWriteCallback
INTSTATUS(* PFUNC_IntXcrWriteCallback)(void *GuestHandle, DWORD CpuNumber, INTRO_ACTION *Action)
Definition: glueiface.h:568
_GLUE_IFACE::ReleaseBuffer
PFUNC_IntReleaseBuffer ReleaseBuffer
Definition: glueiface.h:2161
IntRegisterBreakpointHandler
INTSTATUS IntRegisterBreakpointHandler(PFUNC_IntBreakpointCallback Callback)
Definition: glue.c:583
_GUEST_INFO::Guest64
BOOLEAN Guest64
True if the OS is in 64-bit mode, False if it is not.
Definition: intro_types.h:2382
_GUEST_INFO::Type
INTRO_GUEST_TYPE Type
Type.
Definition: intro_types.h:2379
_EVENT_INTROSPECTION_MESSAGE
Event structure for plain data/message passing.
Definition: intro_types.h:1899
_UPPER_IFACE::SpinLockUnInit
PFUNC_IntSpinLockUnInit SpinLockUnInit
Definition: upperiface.h:274
IntRwSpinLockInit
INTSTATUS IntRwSpinLockInit(void **SpinLock, char *Name)
Definition: glue.c:862