Bitdefender Hypervisor Memory Introspection
hook.h
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2020 Bitdefender
3  * SPDX-License-Identifier: Apache-2.0
4  */
5 #ifndef _HOOK_H_
6 #define _HOOK_H_
7 
8 #include "introtypes.h"
9 
10 
15 enum _HOOK_TYPE
16 {
17  hookTypeGpa = 1,
18  hookTypeGva,
19  hookTypePts,
20  hookTypePtsPt,
21  hookTypePtm,
22  hookTypePtmPt,
23  hookTypeRegion,
24 };
25 
32 
35 #define HOOK_FLG_GLOBAL_MASK 0xFFFF0000
36 
39 #define HOOK_FLG_INTERNAL_MASK 0x0000FFFF
40 
41 // Global flags, used for each kind of hook. The lower 16 bits are used by each hook subsystem individually.
42 
44 #define HOOK_FLG_REMOVE 0x80000000
45 #define HOOK_FLG_DISABLED 0x40000000
47 #define HOOK_FLG_CHAIN_DELETE 0x20000000
49 #define HOOK_FLG_PAGING_STRUCTURE 0x08000000
50 #define HOOK_FLG_PAE_ROOT 0x04000000
51 #define HOOK_FLG_PT_UM_ROOT 0x02000000
53 #define HOOK_FLG_HIGH_PRIORITY 0x01000000
55 
57 #define HOOK_PAGE_TABLE_FLAGS (HOOK_FLG_PAGING_STRUCTURE|HOOK_FLG_PAE_ROOT|HOOK_FLG_PT_UM_ROOT)
58 
60 
61 
65 typedef struct _HOOK_HEADER
66 {
67  DWORD Flags;
68  BYTE HookType;
69  BYTE EptHookType;
70  BYTE _Reserved[2];
71 
73  void *ParentHook;
74  void *Context;
75 } HOOK_HEADER, *PHOOK_HEADER;
76 
77 
78 #include "hook_gpa.h"
79 #include "hook_ptm.h"
80 #include "hook_gva.h"
81 #include "hook_ptwh.h"
82 #include "hook_pts.h"
83 #include "hook_object.h"
84 #include "hook_ptwh.h"
85 
86 
90 typedef struct _HOOK_STATE
91 {
92  HOOK_GPA_STATE GpaHooks;
93  HOOK_GVA_STATE GvaHooks;
94  HOOK_PTM_STATE PtmHooks;
95  HOOK_PTS_STATE PtsHooks;
96  HOOK_OBJECT_STATE Objects;
97  BOOLEAN Dirty;
98 } HOOK_STATE, *PHOOK_STATE;
99 
100 
101 extern HOOK_STATE *gHooks;
102 
103 //
104 // API
105 //
106 INTSTATUS
107 IntHookCommitAllHooks(
108  void
109  );
110 
111 INTSTATUS
112 IntHookRemoveChain(
113  _In_ PHOOK_GPA HookGpa
114  );
115 
116 INTSTATUS
117 IntHookInit(
118  void
119  );
120 
121 INTSTATUS
122 IntHookUninit(
123  void
124  );
125 
126 QWORD
127 IntHookGetGlaFromGpaHook(
128  _In_ HOOK_GPA const *Hook,
129  _In_ QWORD Address
130  );
131 
132 #endif // _HOOK_H_
_HOOK_STATE
Definition: hook.h:90
BOOLEAN
_Bool BOOLEAN
Definition: intro_types.h:58
_HOOK_STATE::Dirty
BOOLEAN Dirty
Set whenever hooks are added or removed.
Definition: hook.h:97
_HOOK_HEADER::Context
void * Context
User-defined data that will be supplied to the callback.
Definition: hook.h:74
IntHookInit
INTSTATUS IntHookInit(void)
Initialize the global hook system.
Definition: hook.c:165
BYTE
uint8_t BYTE
Definition: intro_types.h:47
IntHookRemoveChain
INTSTATUS IntHookRemoveChain(PHOOK_GPA HookGpa)
Removes a hook chain, starting with the given GPA hook.
Definition: hook.c:105
PHOOK_STATE
struct _HOOK_STATE * PHOOK_STATE
_HOOK_STATE::GvaHooks
HOOK_GVA_STATE GvaHooks
GVA hooks state.
Definition: hook.h:93
_In_
#define _In_
Definition: intro_sal.h:21
IntHookCommitAllHooks
INTSTATUS IntHookCommitAllHooks(void)
Commits all the hooks.
Definition: hook.c:12
hook_pts.h
hookTypeGpa
Used by GPA hooks.
Definition: hook.h:17
hookTypePtm
Used by the internal page monitor (used by PTS).
Definition: hook.h:21
hookTypeGva
Used by GVA hooks.
Definition: hook.h:18
HOOK_STATE
struct _HOOK_STATE HOOK_STATE
IntHookGetGlaFromGpaHook
QWORD IntHookGetGlaFromGpaHook(HOOK_GPA const *Hook, QWORD Address)
Gets the GLA from a GPA hook.
Definition: hook.c:279
_HOOK_HEADER::EptHookType
BYTE EptHookType
The type of the hook in EPT (see IG_EPT_HOOK_TYPE)
Definition: hook.h:69
hookTypeRegion
An entire hook region, consisting of multiple GVA hooks.
Definition: hook.h:23
INTSTATUS
int INTSTATUS
The status data type.
Definition: introstatus.h:24
gHooks
HOOK_STATE * gHooks
Global hooks state.
Definition: hook.c:8
hook_object.h
hook_gva.h
hook_ptm.h
_HOOK_GVA_STATE
Definition: hook_gva.h:47
_HOOK_GPA_STATE
Definition: hook_gpa.h:104
_HOOK_GPA
Definition: hook_gpa.h:41
_HOOK_HEADER::HookType
BYTE HookType
The type of the hook structure (see _HOOK_TYPE)
Definition: hook.h:68
_HOOK_PTS_STATE
Definition: hook_pts.h:105
hook_gpa.h
IntHookUninit
INTSTATUS IntHookUninit(void)
Uninit the global hooks system.
Definition: hook.c:238
_HOOK_OBJECTS_STATE
Definition: hook_object.h:53
QWORD
unsigned long long QWORD
Definition: intro_types.h:53
PHOOK_HEADER
struct _HOOK_HEADER * PHOOK_HEADER
_HOOK_HEADER::ParentHook
void * ParentHook
The parent hook. For a GPA hook, for example, a GVA hook or a PagedHook will be the parent hook...
Definition: hook.h:73
_HOOK_HEADER::_Reserved
BYTE _Reserved[2]
Definition: hook.h:70
_HOOK_STATE::PtmHooks
HOOK_PTM_STATE PtmHooks
Page table monitoring (internal) state.
Definition: hook.h:94
_HOOK_TYPE
_HOOK_TYPE
Definition: hook.h:15
hook_ptwh.h
_HOOK_STATE::GpaHooks
HOOK_GPA_STATE GpaHooks
GPA hooks state.
Definition: hook.h:92
DWORD
uint32_t DWORD
Definition: intro_types.h:49
_HOOK_PTM_STATE
Definition: hook_ptm.h:56
_HOOK_STATE::Objects
HOOK_OBJECT_STATE Objects
Object hooks state.
Definition: hook.h:96
_HOOK_STATE::PtsHooks
HOOK_PTS_STATE PtsHooks
PTS hooks state (public page-table monitoring).
Definition: hook.h:95
HOOK_HEADER
struct _HOOK_HEADER HOOK_HEADER
hookTypePtmPt
Used by an internal page monitored using PTM.
Definition: hook.h:22
hookTypePts
Used by page-table hooks.
Definition: hook.h:19
_HOOK_HEADER::Flags
DWORD Flags
Generic flags. Check out EPT Hook flags.
Definition: hook.h:67
hookTypePtsPt
Used by an internal page monitored using PTS.
Definition: hook.h:20
_HOOK_HEADER
Definition: hook.h:65