- Generated by
1.8.13
|
Bitdefender Hypervisor Memory Introspection
|
#include "introtypes.h"#include "hook_gpa.h"#include "hook_ptm.h"#include "hook_gva.h"#include "hook_ptwh.h"#include "hook_pts.h"#include "hook_object.h"Go to the source code of this file.
Data Structures | |
| struct | _HOOK_HEADER |
| struct | _HOOK_STATE |
Macros | |
| #define | HOOK_FLG_GLOBAL_MASK 0xFFFF0000 |
| Global flags must be defined here and must be handled by each hooks layer (even if it ignores them, but it must not define or use hooks that overlap existing global hooks). More... | |
| #define | HOOK_FLG_INTERNAL_MASK 0x0000FFFF |
| Local flags are reserved for internal use inside each hook layer. These flags must not be propagated from one layer to another, as they have different meaning between different hook layers. More... | |
| #define | HOOK_FLG_REMOVE 0x80000000 |
| If flag is set, the hook has been removed, and waits the next commit to be actually deleted. More... | |
| #define | HOOK_FLG_DISABLED 0x40000000 |
| If flag is set, the hook is disabled, therefore ignored on EPT violations. More... | |
| #define | HOOK_FLG_CHAIN_DELETE 0x20000000 |
| If flag is set, then we won't remove the hook on commit phase; we'll let the parent hook handle the delete. More... | |
| #define | HOOK_FLG_PAGING_STRUCTURE 0x08000000 |
| If flag is set, the hook is set on paging structures. More... | |
| #define | HOOK_FLG_PAE_ROOT 0x04000000 |
| #define | HOOK_FLG_PT_UM_ROOT 0x02000000 |
| If flag is set, the hook is set on the root paging structure, and only the low, user-mode entires are hooked. More... | |
| #define | HOOK_FLG_HIGH_PRIORITY 0x01000000 |
| If flag is set, the callback associated to this hook will have a higher priority than the others. More... | |
| #define | HOOK_PAGE_TABLE_FLAGS (HOOK_FLG_PAGING_STRUCTURE|HOOK_FLG_PAE_ROOT|HOOK_FLG_PT_UM_ROOT) |
| Any of these flags set indicates that we are dealing with a page table page. More... | |
Typedefs | |
| typedef struct _HOOK_HEADER | HOOK_HEADER |
| typedef struct _HOOK_HEADER * | PHOOK_HEADER |
| typedef struct _HOOK_STATE | HOOK_STATE |
| typedef struct _HOOK_STATE * | PHOOK_STATE |
Enumerations | |
| enum | _HOOK_TYPE { hookTypeGpa = 1, hookTypeGva, hookTypePts, hookTypePtsPt, hookTypePtm, hookTypePtmPt, hookTypeRegion } |
Functions | |
| INTSTATUS | IntHookCommitAllHooks (void) |
| Commits all the hooks. More... | |
| INTSTATUS | IntHookRemoveChain (PHOOK_GPA HookGpa) |
| Removes a hook chain, starting with the given GPA hook. More... | |
| INTSTATUS | IntHookInit (void) |
| Initialize the global hook system. More... | |
| INTSTATUS | IntHookUninit (void) |
| Uninit the global hooks system. More... | |
| QWORD | IntHookGetGlaFromGpaHook (HOOK_GPA const *Hook, QWORD Address) |
| Gets the GLA from a GPA hook. More... | |
Variables | |
| HOOK_STATE * | gHooks |
| Global hooks state. More... | |
| typedef struct _HOOK_HEADER HOOK_HEADER |
General hook header. A hook header must precede each hook type, especially if chaining is needed.
| typedef struct _HOOK_STATE HOOK_STATE |
General hooks-state.
| typedef struct _HOOK_HEADER * PHOOK_HEADER |
| typedef struct _HOOK_STATE * PHOOK_STATE |
| enum _HOOK_TYPE |
Context types - each hook type has a dedicated constant. Creating a new hook system requires that you also create a dedicated hook type.
| INTSTATUS IntHookCommitAllHooks | ( | void | ) |
Commits all the hooks.
This function will call the commit function for each existing hook system. The commit functions have the role of actually deleting each removed hook. The reason this has to be done is because we want to allow a callback to remove its own hook. Therefore, whenever a hook is removed, we cannot free it right away, since it may be removed from its own callback. Instead, each removed hook is placed in a removed hooks list, and they are deleted all at once when every callback was handled. If a new hook system is to be added, a commit function should normally be created for it as well, and that commit function should be called here.
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_INITIALIZED_HINT | If the hook system has not been initialized. |
| INT_STATUS_NOT_NEEDED_HINT | If no hooks were removed. |
Definition at line 12 of file hook.c.
Referenced by IntGuestPrepareUninit(), IntGuestPreReturnCallback(), and IntHookUninit().
Gets the GLA from a GPA hook.
Since GVA and GPA hooks are distinct, and logic hooks will be placed on guest virtual pages, but the EPT works with guest physical pages, the only relation between a GPA hook and a virtual address is given by the parent-child relationship between the hooks. This function will return the linear address associated with a given guest physical hook. NOTE: If we have multiple guest virtual pages pointing to the same guest physical page, we should also have multiple guest physical page hooks, as Introcore does not take into consideration shared memory. Multiple hooks set on the same guest physical range will lead to multiple hook structures being allocated. The only aliasing issue that could potentially appear is if that the same callback, with the same context is used for different virtual pages which translate to the same physical page; in this scenario, the caller must be aware of shared memory implications, and should use the context to properly identify the virtual pages involved in the hook.
| [in] | Hook | The GPA hook. |
| [in] | Address | The guest physical address accessed, used only to extract the low 12 bit (page offset). |
Definition at line 279 of file hook.c.
Referenced by IntLixDrvIsLegitimateTextPoke(), IntLixGuestAgentContentHandler(), IntLixGuestDetourDataHandler(), IntVeHandleAccess(), IntWinDrvHandleRead(), IntWinDrvHandleWrite(), IntWinHalHandleHalHeapExec(), IntWinHalHandleHalIntCtrlWrite(), IntWinModHandleKernelWrite(), IntWinModHandleUserWrite(), and IntWinTokenPrivsHandleWrite().
| INTSTATUS IntHookInit | ( | void | ) |
Initialize the global hook system.
This function will initialize all the hook systems. Creating a new hook subsystem requires that it be initialized here, by calling its Init function.
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_ALREADY_INITIALIZED | If the hook system has already been initialized. |
| INT_STATUS_INSUFFICIENT_RESOURCES | If a memory allocation function failed. |
Definition at line 165 of file hook.c.
Referenced by IntGuestInit().
Removes a hook chain, starting with the given GPA hook.
In Introcore, the hooks may be chained. For example, an object (or region hook) may contain multiple GVA hooks, which in turn contain multiple PTS or GPA hooks. Whenever a callback returns the status INT_STATUS_REMOVE_HOOK_ON_RET, we must remove the top-most hook structure. This is done by starting with the current GPA hook, and iterating, upwards, each parent hook until we end up finding a NULL parent. Once we encounter such a hook, we may call the appropriate remove function on it, which in turn will take care of removing all the children hooks, up until and including the current HookGpa.
| [in] | HookGpa | The GPA hook, which usually is the bottom most hook. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
| INT_STATUS_NOT_SUPPORTED | If an unknown top-most hook is encountered. |
Definition at line 105 of file hook.c.
Referenced by IntHandleMemAccess(), and IntWinHalHandleHalHeapExec().
| INTSTATUS IntHookUninit | ( | void | ) |
Uninit the global hooks system.
This function will call the uninit function of each hook system. Creating a new hook system will require to add a call to its uninit function here.
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_INITIALIZED_HINT | If the hooks system is not initialized. |
Definition at line 238 of file hook.c.
Referenced by IntGuestUninit().
| HOOK_STATE* gHooks |
Global hooks state.
Definition at line 8 of file hook.c.
Referenced by DbgDumpHooksGva(), IntDbgCheckHooks(), IntHandleMemAccess(), IntHookGpaCommitHooks(), IntHookGpaDeleteHookInternal(), IntHookGpaDump(), IntHookGpaEnableDisablePtCache(), IntHookGpaEnableDisableVe(), IntHookGpaFindConvertible(), IntHookGpaGetEptEntry(), IntHookGpaGetExistingEptEntry(), IntHookGpaInit(), IntHookGpaIsPageHooked(), IntHookGpaRemoveHookInternal(), IntHookGpaSetHook(), IntHookGpaSetNewPageProtection(), IntHookGvaCommitHooks(), IntHookGvaInit(), IntHookGvaRemoveHookInternal(), IntHookGvaSetHook(), IntHookObjectCommit(), IntHookObjectCreate(), IntHookObjectDestroy(), IntHookObjectDestroyAll(), IntHookObjectHookRegion(), IntHookObjectInit(), IntHookObjectRemoveRegionInternal(), IntHookObjectUninit(), IntHookPtmAddTable(), IntHookPtmCommitHooks(), IntHookPtmInit(), IntHookPtmRemoveHookInternal(), IntHookPtmRemoveTableHook(), IntHookPtmSetHook(), IntHookPtsCheckIntegrity(), IntHookPtsCloneCallbacks(), IntHookPtsCommitHooks(), IntHookPtsDump(), IntHookPtsInit(), IntHookPtsRemoveHookInternal(), IntHookPtsRemovePteHook(), IntHookPtsSetHook(), IntHookPtsWriteCallback(), and IntVeInit().
1.8.13