Bitdefender Hypervisor Memory Introspection
hook_cr.h File Reference
#include "introtypes.h"


Data Structures

struct  _CR_HOOK_STATE
 
struct  _HOOK_CR
 

Typedefs

typedef INTSTATUS(* PFUNC_CrWriteHookCallback) (void *Context, DWORD Cr, QWORD OldValue, QWORD NewValue, INTRO_ACTION *Action)
 Called when a control-register write takes place.
 
typedef struct _CR_HOOK_STATE CR_HOOK_STATE
 
typedef struct _CR_HOOK_STATE * PCR_HOOK_STATE
 
typedef struct _HOOK_CR HOOK_CR
 
typedef struct _HOOK_CR * PHOOK_CR
 

Functions

INTSTATUS IntHookCrSetHook (DWORD Cr, DWORD Flags, PFUNC_CrWriteHookCallback Callback, void *Context, HOOK_CR **Hook)
 Set a control register write hook.
 
INTSTATUS IntHookCrRemoveHook (HOOK_CR *Hook)
 Remove a control register hook.
 
INTSTATUS IntHookCrCommit (void)
 Commit the control register hooks.
 
INTSTATUS IntHookCrInit (void)
 Initialize the control registers hook state.
 
INTSTATUS IntHookCrUninit (void)
 Uninit the control register hooks state.
 

Typedef Documentation

◆ CR_HOOK_STATE

typedef struct _CR_HOOK_STATE CR_HOOK_STATE

Global CR hooks state.

◆ HOOK_CR

typedef struct _HOOK_CR HOOK_CR

Describes one CR hook.

◆ PCR_HOOK_STATE

typedef struct _CR_HOOK_STATE * PCR_HOOK_STATE

◆ PFUNC_CrWriteHookCallback

typedef INTSTATUS(* PFUNC_CrWriteHookCallback) (void *Context, DWORD Cr, QWORD OldValue, QWORD NewValue, INTRO_ACTION *Action)

Called when a control-register write takes place.

Parameters
[in] Context: The context, as provided when the CR hook was set.
[in] Cr: The written CR.
[in] OldValue: Old CR value.
[in] NewValue: New CR value.
[out] Action: Desired action.

Definition at line 21 of file hook_cr.h.

◆ PHOOK_CR

typedef struct _HOOK_CR * PHOOK_CR

Function Documentation

◆ IntHookCrCommit()

INTSTATUS IntHookCrCommit ( void  )

Commit the control register hooks.

This function will iterate the list of CR hooks, and it will delete all the hooks that were flagged for removal.

Return values
INT_STATUS_SUCCESS: On success.
INT_STATUS_NOT_INITIALIZED: If the CR hooks state is not initialized.

Definition at line 234 of file hook_cr.c.

Referenced by IntGuestPreReturnCallback().

◆ IntHookCrInit()

INTSTATUS IntHookCrInit ( void  )

Initialize the control registers hook state.

Return values
INT_STATUS_SUCCESS: On success.
INT_STATUS_INSUFFICIENT_RESOURCES: If a memory alloc fails.

Definition at line 272 of file hook_cr.c.

Referenced by IntGuestInit().

◆ IntHookCrRemoveHook()

INTSTATUS IntHookCrRemoveHook ( HOOK_CR *  Hook )

Remove a control register hook.

Removes a CR write hook. First of all, this function will mark the hook as being disabled (the callback will never be called again). If we are currently in the context of a CR violation, we will wait for the commit phase to permanently delete the hook. Otherwise, the hook will be deleted immediately.

Parameters
[in] Hook: The hook to be removed.

Return values
INT_STATUS_SUCCESS: On success.
INT_STATUS_INVALID_PARAMETER: If an invalid parameter is supplied.
INT_STATUS_NOT_INITIALIZED: If the CR hooks state is not initialized.

Definition at line 135 of file hook_cr.c.

Referenced by DbgTestCrHookRem(), IntCr4Unprotect(), IntGuestHandleCr3Write(), IntGuestPrepareUninit(), IntGuestUninit(), IntHandleCrWrite(), and IntHookCrRemoveAllHooks().
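
The removal rules described for IntHookCrRemoveHook() and the cleanup pass described for IntHookCrCommit() can be modelled as a small state machine. This is an added example, not Introcore code: the Model* functions, the HOOK struct, the fixed-size table, the gInCrViolation flag and the simplified callback signature (no Action parameter) are stand-ins invented for illustration.

```c
#include <stddef.h>
#include <stdint.h>
/* Stand-in types for this model only; not the definitions from introtypes.h. */
typedef void (*CR_CB)(void *Ctx, uint32_t Cr, uint64_t OldValue, uint64_t NewValue);
typedef struct { uint32_t Cr; CR_CB Cb; void *Ctx; int Used, Disabled, RemovePending; } HOOK;
#define MAX_HOOKS 8
static HOOK gHooks[MAX_HOOKS];
static int gInCrViolation;               /* nonzero while callbacks are being dispatched */

HOOK *ModelSetHook(uint32_t Cr, CR_CB Cb, void *Ctx)
{
    for (int i = 0; i < MAX_HOOKS; i++)
        if (!gHooks[i].Used) { gHooks[i] = (HOOK){ Cr, Cb, Ctx, 1, 0, 0 }; return &gHooks[i]; }
    return NULL;                         /* no free slot in the model's table */
}

void ModelRemoveHook(HOOK *Hook)
{
    Hook->Disabled = 1;                              /* callback is never called again */
    if (gInCrViolation) Hook->RemovePending = 1;     /* deletion waits for the commit phase */
    else Hook->Used = 0;                             /* outside a CR violation: delete now */
}

int ModelHandleCrWrite(uint32_t Cr, uint64_t OldValue, uint64_t NewValue)
{
    int called = 0;
    gInCrViolation = 1;
    for (HOOK *h = gHooks; h < gHooks + MAX_HOOKS; h++) {
        if (!h->Used || h->Disabled || h->Cr != Cr) continue;
        h->Cb(h->Ctx, Cr, OldValue, NewValue); called++;
    }
    gInCrViolation = 0;
    return called;                       /* number of callbacks invoked for this write */
}

int ModelCommit(void)
{
    int deleted = 0;
    for (int i = 0; i < MAX_HOOKS; i++)
        if (gHooks[i].Used && gHooks[i].RemovePending) { gHooks[i] = (HOOK){ 0 }; deleted++; }
    return deleted;                      /* hooks that had been flagged for removal */
}

/* One-shot callback: Ctx points at the hook handle, and the hook removes itself. */
void OneShotCallback(void *Ctx, uint32_t Cr, uint64_t OldValue, uint64_t NewValue)
{
    (void)Cr; (void)OldValue; (void)NewValue;
    ModelRemoveHook(*(HOOK **)Ctx);
}
```

A hook that removes itself from inside its own callback stays allocated but silent until the commit pass runs; a hook removed outside a CR write event is gone at once and leaves nothing for commit to do.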

◆ IntHookCrSetHook()

INTSTATUS IntHookCrSetHook ( DWORD  Cr,
DWORD  Flags,
PFUNC_CrWriteHookCallback  Callback,
void *  Context,
HOOK_CR **  Hook 
)

Set a control register write hook.

This function will place a write hook on the indicated control register. Whenever the register is written, the indicated callback will be called.

NOTE: On some hypervisors, modifying certain bits inside CR4 (for example CR4.PGE[7]) will not trigger an event to be sent to Introcore.

NOTE: When placing a write hook on a CR for the first time, Introcore will ask the HV to enable VM exits on that particular register. This may lead to a significant performance impact (for example, when monitoring CR3 for writes, a VM exit will be triggered on each context switch). When removing the last write hook on a particular CR, Introcore will ask the HV to disable VM exits on that CR.

NOTE: VM exits on some registers will always be enabled (for example, CR0 or CR4), but the CPU may trigger a VM exit only when certain bits are modified (for example, CR0.PE or CR0.PG).

Parameters
[in] Cr: The control register to be monitored.
[in] Flags: Generic flags, caller defined.
[in] Callback: The callback to be called when the CR is modified.
[in] Context: Optional context, will be passed as an argument to the Callback.
[out] Hook: Optional hook handle. Can be later used to remove the hook.

Return values
INT_STATUS_SUCCESS: On success.
INT_STATUS_INVALID_PARAMETER: If an invalid parameter is supplied.
INT_STATUS_INSUFFICIENT_RESOURCES: If a memory alloc fails.

Definition at line 11 of file hook_cr.c.

Referenced by DbgTestCrHookSet(), IntCr4Protect(), and IntGuestInit().

◆ IntHookCrUninit()

INTSTATUS IntHookCrUninit ( void  )

Uninit the control register hooks state.

Return values
INT_STATUS_SUCCESS: On success.
INT_STATUS_NOT_INITIALIZED_HINT: If the CR hooks state is not initialized.

Definition at line 295 of file hook_cr.c.

Referenced by IntGuestUninit().