Bitdefender Hypervisor Memory Introspection
hook.c
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2020 Bitdefender
3  * SPDX-License-Identifier: Apache-2.0
4  */
5 #include "hook.h"
6 
7 
8 HOOK_STATE *gHooks = NULL;
9 
10 
11 INTSTATUS
12 IntHookCommitAllHooks(
13  void
14  )
30 {
31  INTSTATUS status;
32 
33  if (NULL == gHooks)
34  {
35  return INT_STATUS_NOT_INITIALIZED_HINT;
36  }
37 
38  if (!gHooks->Dirty)
39  {
40  return INT_STATUS_NOT_NEEDED_HINT;
41  }
42 
43  STATS_ENTER(statsHookCommit);
44 
45  status = IntHookObjectCommit();
46  if (!INT_SUCCESS(status))
47  {
48  ERROR("[ERROR] IntHookObjectCommit failed: 0x%08x\n", status);
49  goto cleanup_and_exit;
50  }
51 
52  status = IntHookGvaCommitHooks();
53  if (!INT_SUCCESS(status))
54  {
55  ERROR("[ERROR] IntHookGvaCommitHooks failed: 0x%08x\n", status);
56  goto cleanup_and_exit;
57  }
58 
59  status = IntHookPtsCommitHooks();
60  if (!INT_SUCCESS(status))
61  {
62  ERROR("[ERROR] IntHookPtsCommitHooks failed: 0x%08x\n", status);
63  goto cleanup_and_exit;
64  }
65 
66  status = IntHookPtmCommitHooks();
67  if (!INT_SUCCESS(status))
68  {
69  ERROR("[ERROR] IntHookPtmCommitHooks failed: 0x%08x\n", status);
70  goto cleanup_and_exit;
71  }
72 
73  status = IntHookGpaCommitHooks();
74  if (!INT_SUCCESS(status))
75  {
76  ERROR("[ERROR] IntHookGpaCommitHooks failed: 0x%08x\n", status);
77  goto cleanup_and_exit;
78  }
79 
80 #ifdef DEBUG_CHECK_HOOKS
81  IntDbgCheckHooks();
82 #endif
83 
84 
85 cleanup_and_exit:
86  if (gHooks->GpaHooks.HooksRemoved || gHooks->GvaHooks.HooksRemoved ||
87  gHooks->PtsHooks.HooksRemoved || gHooks->Objects.ObjectsRemoved ||
88  gHooks->PtmHooks.HooksRemoved)
89  {
90  // There are hooks uncommitted. We don't want to reset the dirt marker,
91  // so we have a chance to commit them on next run.
92  }
93  else
94  {
95  gHooks->Dirty = FALSE;
96  }
97 
98  STATS_EXIT(statsHookCommit);
99 
100  return status;
101 }
102 
103 
104 INTSTATUS
105 IntHookRemoveChain(
106  _In_ PHOOK_GPA HookGpa
107  )
124 {
125  PHOOK_HEADER pHook;
126 
127  if (NULL == HookGpa)
128  {
129  return INT_STATUS_INVALID_PARAMETER_1;
130  }
131 
132  // Find the most upper level hook.
133  pHook = &HookGpa->Header;
134  while (pHook->ParentHook)
135  {
136  pHook = (PHOOK_HEADER)pHook->ParentHook;
137  }
138 
139  // Remove the most upper level hook.
140  switch (pHook->HookType)
141  {
142  case hookTypeGpa:
143  return IntHookGpaRemoveHook((HOOK_GPA **)&pHook, 0);
144 
145  case hookTypeGva:
146  return IntHookGvaRemoveHook((HOOK_GVA **)&pHook, 0);
147 
148  case hookTypePts:
149  return IntHookPtsRemoveHook((HOOK_PTS **)&pHook, 0);
150 
151  case hookTypePtm:
152  return IntHookPtmRemoveHook((HOOK_PTM **)&pHook, 0);
153 
154  case hookTypeRegion:
155  return IntHookObjectRemoveRegion((PHOOK_REGION_DESCRIPTOR *)&pHook, 0);
156 
157  default:
158  ERROR("[ERROR] Unknown hook type %d!\n", pHook->HookType);
159  return INT_STATUS_NOT_SUPPORTED;
160  }
161 }
162 
163 
164 INTSTATUS
165 IntHookInit(
166  void
167  )
178 {
179  INTSTATUS status;
180 
181  if (NULL != gHooks)
182  {
183  ERROR("[ERROR] Trying to do IntHookInit multiple times!\n");
184  return INT_STATUS_ALREADY_INITIALIZED;
185  }
186 
187  gHooks = HpAllocWithTag(sizeof(*gHooks), IC_TAG_HOOKS);
188  if (NULL == gHooks)
189  {
190  return INT_STATUS_INSUFFICIENT_RESOURCES;
191  }
192 
193  status = IntHookGpaInit();
194  if (!INT_SUCCESS(status))
195  {
196  goto cleanup_and_exit;
197  }
198 
199  status = IntHookPtmInit();
200  if (!INT_SUCCESS(status))
201  {
202  goto cleanup_and_exit;
203  }
204 
205  status = IntHookPtsInit();
206  if (!INT_SUCCESS(status))
207  {
208  goto cleanup_and_exit;
209  }
210 
211  status = IntHookGvaInit();
212  if (!INT_SUCCESS(status))
213  {
214  goto cleanup_and_exit;
215  }
216 
217  status = IntHookObjectInit();
218  if (!INT_SUCCESS(status))
219  {
220  goto cleanup_and_exit;
221  }
222 
223  return INT_STATUS_SUCCESS;
224 
225 cleanup_and_exit:
226  IntHookObjectUninit();
227 
228  if (NULL != gHooks)
229  {
230  HpFreeAndNullWithTag(&gHooks, IC_TAG_HOOKS);
231  }
232 
233  return status;
234 }
235 
236 
237 INTSTATUS
238 IntHookUninit(
239  void
240  )
250 {
251  INTSTATUS status;
252 
253  if (NULL == gHooks)
254  {
255  return INT_STATUS_NOT_INITIALIZED_HINT;
256  }
257 
258  status = IntHookCommitAllHooks();
259  if (!INT_SUCCESS(status))
260  {
261  ERROR("[ERROR] IntHookCommitAllHooks failed: 0x%08x\n", status);
262  }
263 
264  status = IntHookObjectUninit();
265  if (!INT_SUCCESS(status))
266  {
267  ERROR("[ERROR] IntHookObjectUninit: 0x%08x\n", status);
268  }
269 
270  HpFreeAndNullWithTag(&gHooks, IC_TAG_HOOKS);
271 
272  gHooks = NULL;
273 
274  return INT_STATUS_SUCCESS;
275 }
276 
277 
278 QWORD
279 IntHookGetGlaFromGpaHook(
280  _In_ HOOK_GPA const *Hook,
281  _In_ QWORD Address
282  )
303 {
304  HOOK_GVA const *pGva = Hook->Header.ParentHook;
305 
306  if ((NULL == pGva) || (pGva->Header.HookType != hookTypeGva))
307  {
308  ERROR("[ERROR] The GPA hook for address 0x%016llx does not point to a valid GVA hook: %p, type %d",
309  Hook->GpaPage, pGva, pGva ? pGva->Header.HookType : 0);
310  IntBugCheck();
311  }
312 
313  return pGva->GvaPage + (Address & 0xFFF);
314 }
IntHookPtmRemoveHook
INTSTATUS IntHookPtmRemoveHook(HOOK_PTM **Hook, DWORD Flags)
Remove a page-table hook handle.
Definition: hook_ptm.c:520
_HOOK_STATE
Definition: hook.h:90
_HOOK_STATE::Dirty
BOOLEAN Dirty
Set whenever hooks are added or removed.
Definition: hook.h:97
_HOOK_REGION_DESCRIPTOR
Definition: hook_object.h:36
_HOOK_STATE::GvaHooks
HOOK_GVA_STATE GvaHooks
GVA hooks state.
Definition: hook.h:93
_In_
#define _In_
Definition: intro_sal.h:21
IntHookGpaRemoveHook
INTSTATUS IntHookGpaRemoveHook(HOOK_GPA **Hook, DWORD Flags)
Remove a GPA hook.
Definition: hook_gpa.c:738
INT_STATUS_SUCCESS
#define INT_STATUS_SUCCESS
Definition: introstatus.h:54
IntHookInit
INTSTATUS IntHookInit(void)
Initialize the global hook system.
Definition: hook.c:165
STATS_EXIT
#define STATS_EXIT(id)
Definition: stats.h:160
hookTypeGpa
Used by GPA hooks.
Definition: hook.h:17
hookTypePtm
Used by the internal page monitor (used by PTS).
Definition: hook.h:21
INT_SUCCESS
#define INT_SUCCESS(Status)
Definition: introstatus.h:42
hookTypeGva
Used by GVA hooks.
Definition: hook.h:18
INT_STATUS_NOT_NEEDED_HINT
#define INT_STATUS_NOT_NEEDED_HINT
Definition: introstatus.h:317
ERROR
#define ERROR(fmt,...)
Definition: glue.h:62
IntHookCommitAllHooks
INTSTATUS IntHookCommitAllHooks(void)
Commits all the hooks.
Definition: hook.c:12
hookTypeRegion
An entire hook region, consisting of multiple GVA hooks.
Definition: hook.h:23
HpAllocWithTag
#define HpAllocWithTag(Len, Tag)
Definition: glue.h:516
INTSTATUS
int INTSTATUS
The status data type.
Definition: introstatus.h:24
_HOOK_GVA::GvaPage
QWORD GvaPage
Guest virtual page base address, aligned to 4K.
Definition: hook_gva.h:32
IntHookPtsCommitHooks
INTSTATUS IntHookPtsCommitHooks(void)
Commit all PTS hook modifications.
Definition: hook_pts.c:2084
_HOOK_OBJECTS_STATE::ObjectsRemoved
BOOLEAN ObjectsRemoved
True whenever an object has been removed.
Definition: hook_object.h:56
gHooks
HOOK_STATE * gHooks
Global hooks state.
Definition: hook.c:8
IntHookGpaInit
INTSTATUS IntHookGpaInit(void)
Initialize the GPA hook system. This function should be called only once, during introspection init...
Definition: hook_gpa.c:1097
statsHookCommit
Measures the hook commits.
Definition: stats.h:42
_HOOK_GVA
Definition: hook_gva.h:18
_HOOK_GVA_STATE::HooksRemoved
BOOLEAN HooksRemoved
True if at least one hook has been removed since the last commit.
Definition: hook_gva.h:52
_HOOK_GPA
Definition: hook_gpa.h:41
_HOOK_HEADER::HookType
BYTE HookType
The type of the hook structure (see _HOOK_TYPE)
Definition: hook.h:68
INT_STATUS_ALREADY_INITIALIZED
#define INT_STATUS_ALREADY_INITIALIZED
Definition: introstatus.h:263
IntDbgCheckHooks
static void IntDbgCheckHooks(void)
Definition: debugger.c:182
STATS_ENTER
#define STATS_ENTER(id)
Definition: stats.h:153
IntBugCheck
__noreturn void IntBugCheck(void)
Definition: glue.c:917
QWORD
unsigned long long QWORD
Definition: intro_types.h:53
IntHookObjectInit
INTSTATUS IntHookObjectInit(void)
Initialize the hook object system.
Definition: hook_object.c:598
PHOOK_HEADER
struct _HOOK_HEADER * PHOOK_HEADER
_HOOK_HEADER::ParentHook
void * ParentHook
The parent hook. For a GPA hook, for example, a GVA hook or a PagedHook will be the parent hook...
Definition: hook.h:73
_HOOK_GVA::Header
HOOK_HEADER Header
The hook header.
Definition: hook_gva.h:20
_HOOK_STATE::PtmHooks
HOOK_PTM_STATE PtmHooks
Page table monitoring (internal) state.
Definition: hook.h:94
IntHookObjectUninit
INTSTATUS IntHookObjectUninit(void)
Uninit the hook object system.
Definition: hook_object.c:614
HpFreeAndNullWithTag
#define HpFreeAndNullWithTag(Add, Tag)
Definition: glue.h:517
IntHookPtsRemoveHook
INTSTATUS IntHookPtsRemoveHook(HOOK_PTS **Hook, DWORD Flags)
Remove a PTS hook.
Definition: hook_pts.c:1944
_HOOK_PTS_STATE::HooksRemoved
BOOLEAN HooksRemoved
True if any hook has been removed.
Definition: hook_pts.h:117
IntHookGvaRemoveHook
INTSTATUS IntHookGvaRemoveHook(HOOK_GVA **Hook, DWORD Flags)
Remove a GVA hook.
Definition: hook_gva.c:507
_HOOK_STATE::GpaHooks
HOOK_GPA_STATE GpaHooks
GPA hooks state.
Definition: hook.h:92
IntHookObjectRemoveRegion
INTSTATUS IntHookObjectRemoveRegion(HOOK_REGION_DESCRIPTOR **Region, DWORD Flags)
Remove a hooked region of memory.
Definition: hook_object.c:309
IntHookPtmInit
INTSTATUS IntHookPtmInit(void)
Initialize the page-table hook system.
Definition: hook_ptm.c:771
IntHookGvaCommitHooks
INTSTATUS IntHookGvaCommitHooks(void)
Commit all the modified GVA hooks.
Definition: hook_gva.c:657
IntHookGetGlaFromGpaHook
QWORD IntHookGetGlaFromGpaHook(HOOK_GPA const *Hook, QWORD Address)
Gets the GLA from a GPA hook.
Definition: hook.c:279
IntHookPtmCommitHooks
INTSTATUS IntHookPtmCommitHooks(void)
Commit the page-table hooks.
Definition: hook_ptm.c:688
IntHookRemoveChain
INTSTATUS IntHookRemoveChain(PHOOK_GPA HookGpa)
Removes a hook chain, starting with the given GPA hook.
Definition: hook.c:105
_HOOK_PTS
Definition: hook_pts.h:85
_HOOK_STATE::Objects
HOOK_OBJECT_STATE Objects
Object hooks state.
Definition: hook.h:96
IntHookObjectCommit
INTSTATUS IntHookObjectCommit(void)
Commit removed hook objects and regions.
Definition: hook_object.c:525
IntHookUninit
INTSTATUS IntHookUninit(void)
Uninit the global hooks system.
Definition: hook.c:238
_HOOK_STATE::PtsHooks
HOOK_PTS_STATE PtsHooks
PTS hooks state (public page-table monitoring).
Definition: hook.h:95
INT_STATUS_NOT_INITIALIZED_HINT
#define INT_STATUS_NOT_INITIALIZED_HINT
Definition: introstatus.h:320
INT_STATUS_INVALID_PARAMETER_1
#define INT_STATUS_INVALID_PARAMETER_1
Definition: introstatus.h:62
INT_STATUS_NOT_SUPPORTED
#define INT_STATUS_NOT_SUPPORTED
Definition: introstatus.h:287
hookTypePts
Used by page-table hooks.
Definition: hook.h:19
IC_TAG_HOOKS
#define IC_TAG_HOOKS
Global hook state.
Definition: memtags.h:74
_HOOK_GPA_STATE::HooksRemoved
BOOLEAN HooksRemoved
True if hooks were removed, and we must do the cleanup..
Definition: hook_gpa.h:119
IntHookPtsInit
INTSTATUS IntHookPtsInit(void)
Initializes the PTS hooks system.
Definition: hook_pts.c:2183
_HOOK_PTM
Definition: hook_ptm.h:37
IntHookGpaCommitHooks
INTSTATUS IntHookGpaCommitHooks(void)
Commit existing modified hooks.
Definition: hook_gpa.c:876
IntHookGvaInit
INTSTATUS IntHookGvaInit(void)
Initialize the GVA hooks system.
Definition: hook_gva.c:714
_HOOK_PTM_STATE::HooksRemoved
BOOLEAN HooksRemoved
True if hooks have been removed.
Definition: hook_ptm.h:61
_HOOK_HEADER
Definition: hook.h:65
FALSE
#define FALSE
Definition: intro_types.h:34
INT_STATUS_INSUFFICIENT_RESOURCES
#define INT_STATUS_INSUFFICIENT_RESOURCES
Definition: introstatus.h:281