Bitdefender Hypervisor Memory Introspection
handlers.h
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2020 Bitdefender
3  * SPDX-License-Identifier: Apache-2.0
4  */
5 #ifndef _HANDLERS_H_
6 #define _HANDLERS_H_
7 
8 #pragma pack(push, 8)
9 
10 typedef enum {
11  det_commit_creds = 0,
12  det_arch_jump_label_transform,
13  det_module_param_sysfs_setup,
14  det_module_param_sysfs_remove,
15  det_wake_up_new_task,
16  det_flush_old_exec,
17  det_begin_new_exec,
18  det_do_exit,
19  det_arch_ptrace,
20  det_compat_arch_ptrace,
21  det_process_vm_rw_core,
22  det___vma_link_rb,
23  det_change_protection,
24  det_vma_adjust,
25  det___vma_adjust,
26  det_vma_rb_erase,
27  det___vma_rb_erase,
28  det_expand_downwards,
29  det_complete_signal,
30  det_text_poke,
31  det___text_poke,
32  det_ftrace_write,
33  det_panic,
34  det_crash_kexec,
35  det___access_remote_vm,
36  det_mprotect_fixup_vma_wants_writenotify,
37  det_do_munmap_rb_erase,
38  det_vma_adjust_rb_erase,
39 
40  det_max_id
41 } DETOUR_ID;
42 
43 typedef char * (d_path_fn)(void *path, char *buf, int buflen);
44 
45 typedef struct _LIX_GUEST_OS_SPECIFIC {
46  struct {
47  unsigned int CredAltered;
48  } Info;
49 
50  struct {
51  unsigned int MmOffset;
52  unsigned int FlagsOffset;
53  unsigned int FileOffset;
54  unsigned int VmNextOffset;
55  unsigned int VmPrevOffset;
56  unsigned int Rb;
57 
58  unsigned int ProtectionBit;
59  } Vma;
60 
61  struct {
62  unsigned int FlagsOffset;
63  unsigned int Rb;
64 
65  unsigned int ProtectionBit;
66  } Mm;
67 
68  struct {
69  unsigned int InExecve;
70  unsigned int InExecveBit;
71  } Task;
72 
73  struct {
74  unsigned int FileOffset;
75  } Binprm;
76 
77  struct {
78  unsigned int DentryOffset;
79  unsigned int PathOffset;
80  } File;
81 
82  struct {
83  unsigned int InodeOffset;
84  } Dentry;
85 
86  struct {
87  unsigned int Mode;
88  unsigned int Uid;
89  unsigned int Gid;
90  } Inode;
91 
92  unsigned int CurrentTaskOffset;
93  unsigned int CurrentCpuOffset;
94 
95  void *PercpuMemPtr;
96  d_path_fn *DPathFnPtr;
97 } LIX_GUEST_OS_SPECIFIC;
98 
99 
100 typedef struct _LIX_GUEST_DETOUR {
101  char Name[32];
102  char HijackName[32];
103  unsigned long long Address;
104  unsigned long long RelocatedCode;
105  unsigned long long JumpBack;
106  unsigned long long EnableOptions;
107 } LIX_GUEST_DETOUR;
108 
109 
110 typedef struct _LIX_HYPERCALL_PAGE
111 {
112  unsigned long long ProtectionOptions;
113  unsigned long long DetoursCount;
114 
115  LIX_GUEST_DETOUR Detours[det_max_id];
116 
117  LIX_GUEST_OS_SPECIFIC OsSpecificFields;
118 } LIX_HYPERCALL_PAGE;
119 
120 #pragma pack(pop)
121 
122 #endif // _HANDLERS_H_
_LIX_GUEST_OS_SPECIFIC::File
struct _LIX_GUEST_OS_SPECIFIC::@265 File
_LIX_GUEST_OS_SPECIFIC::Task
struct _LIX_GUEST_OS_SPECIFIC::@263 Task
_LIX_GUEST_OS_SPECIFIC::Mm
struct _LIX_GUEST_OS_SPECIFIC::@262 Mm
LIX_GUEST_DETOUR
struct _LIX_GUEST_DETOUR LIX_GUEST_DETOUR
_LIX_GUEST_DETOUR::Address
unsigned long long Address
Definition: handlers.h:103
_LIX_GUEST_OS_SPECIFIC::VmPrevOffset
unsigned int VmPrevOffset
Definition: handlers.h:55
_LIX_GUEST_OS_SPECIFIC::Info
struct _LIX_GUEST_OS_SPECIFIC::@260 Info
_LIX_GUEST_OS_SPECIFIC::Dentry
struct _LIX_GUEST_OS_SPECIFIC::@266 Dentry
_LIX_GUEST_OS_SPECIFIC::DentryOffset
unsigned int DentryOffset
Definition: handlers.h:78
_LIX_HYPERCALL_PAGE::OsSpecificFields
LIX_GUEST_OS_SPECIFIC OsSpecificFields
Definition: handlers.h:117
_LIX_GUEST_DETOUR::EnableOptions
unsigned long long EnableOptions
Definition: handlers.h:106
_LIX_GUEST_OS_SPECIFIC::FileOffset
unsigned int FileOffset
Definition: handlers.h:53
_LIX_GUEST_DETOUR
Definition: handlers.h:100
_LIX_GUEST_OS_SPECIFIC::Gid
unsigned int Gid
Definition: handlers.h:89
d_path_fn
char *() d_path_fn(void *path, char *buf, int buflen)
Definition: handlers.h:43
_LIX_GUEST_OS_SPECIFIC::Rb
unsigned int Rb
Definition: handlers.h:56
_LIX_GUEST_OS_SPECIFIC::CurrentCpuOffset
unsigned int CurrentCpuOffset
Definition: handlers.h:93
_LIX_GUEST_OS_SPECIFIC::DPathFnPtr
d_path_fn * DPathFnPtr
Definition: handlers.h:96
_LIX_GUEST_OS_SPECIFIC::InExecveBit
unsigned int InExecveBit
Definition: handlers.h:70
_LIX_GUEST_OS_SPECIFIC::InodeOffset
unsigned int InodeOffset
Definition: handlers.h:83
_LIX_GUEST_OS_SPECIFIC::Uid
unsigned int Uid
Definition: handlers.h:88
_LIX_GUEST_OS_SPECIFIC::CurrentTaskOffset
unsigned int CurrentTaskOffset
Definition: handlers.h:92
LIX_HYPERCALL_PAGE
struct _LIX_HYPERCALL_PAGE LIX_HYPERCALL_PAGE
_LIX_GUEST_OS_SPECIFIC::InExecve
unsigned int InExecve
Definition: handlers.h:69
_LIX_HYPERCALL_PAGE
Definition: handlers.h:110
_LIX_GUEST_OS_SPECIFIC::Binprm
struct _LIX_GUEST_OS_SPECIFIC::@264 Binprm
_LIX_GUEST_OS_SPECIFIC::ProtectionBit
unsigned int ProtectionBit
Definition: handlers.h:58
_LIX_GUEST_OS_SPECIFIC::MmOffset
unsigned int MmOffset
Definition: handlers.h:51
_LIX_GUEST_OS_SPECIFIC::PathOffset
unsigned int PathOffset
Definition: handlers.h:79
_LIX_GUEST_OS_SPECIFIC::VmNextOffset
unsigned int VmNextOffset
Definition: handlers.h:54
_LIX_GUEST_OS_SPECIFIC::Mode
unsigned int Mode
Definition: handlers.h:87
_LIX_GUEST_OS_SPECIFIC::PercpuMemPtr
void * PercpuMemPtr
Definition: handlers.h:95
_LIX_GUEST_OS_SPECIFIC::FlagsOffset
unsigned int FlagsOffset
Definition: handlers.h:52
_LIX_GUEST_DETOUR::RelocatedCode
unsigned long long RelocatedCode
Definition: handlers.h:104
_LIX_HYPERCALL_PAGE::ProtectionOptions
unsigned long long ProtectionOptions
Definition: handlers.h:112
_LIX_HYPERCALL_PAGE::DetoursCount
unsigned long long DetoursCount
Definition: handlers.h:113
LIX_GUEST_OS_SPECIFIC
struct _LIX_GUEST_OS_SPECIFIC LIX_GUEST_OS_SPECIFIC
_LIX_GUEST_DETOUR::JumpBack
unsigned long long JumpBack
Definition: handlers.h:105
_LIX_GUEST_OS_SPECIFIC::CredAltered
unsigned int CredAltered
Definition: handlers.h:47
_LIX_GUEST_OS_SPECIFIC
Definition: handlers.h:45
_LIX_GUEST_OS_SPECIFIC::Inode
struct _LIX_GUEST_OS_SPECIFIC::@267 Inode
_LIX_GUEST_OS_SPECIFIC::Vma
struct _LIX_GUEST_OS_SPECIFIC::@261 Vma
DETOUR_ID
DETOUR_ID
Definition: handlers.h:10