Bitdefender Hypervisor Memory Introspection
hook_dtr.c
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2020 Bitdefender
3  * SPDX-License-Identifier: Apache-2.0
4  */
5 #include "hook_dtr.h"
6 #include "callbacks.h"
7 #include "guests.h"
8 
9 
10 INTSTATUS
11 IntHookDtrSetHook(
12  _In_ DWORD Flags,
13  _In_ PFUNC_DtrReadWriteHookCallback Callback,
14  _Out_opt_ void **Hook
15  )
38 {
39  if (Callback == NULL)
40  {
41  return INT_STATUS_INVALID_PARAMETER_3;
42  }
43 
44  HOOK_DTR *pHook = HpAllocWithTag(sizeof(*pHook), IC_TAG_DTRH);
45  if (NULL == pHook)
46  {
47  return INT_STATUS_INSUFFICIENT_RESOURCES;
48  }
49 
50  pHook->Flags = Flags;
51  pHook->Callback = Callback;
52 
53  if (0 == gGuest.DtrHooks->HooksCount++)
54  {
55  INTSTATUS status = IntEnableDtrNotifications();
56  if (!INT_SUCCESS(status))
57  {
58  HpFreeAndNullWithTag(&pHook, IC_TAG_DTRH);
59  return status;
60  }
61  }
62 
63  InsertTailList(&gGuest.DtrHooks->DtrHooksList, &pHook->Link);
64 
65  if (NULL != Hook)
66  {
67  *Hook = pHook;
68  }
69 
70  return INT_STATUS_SUCCESS;
71 }
72 
73 
74 static INTSTATUS
75 IntHookDtrDeleteHook(
76  _In_ HOOK_DTR *Hook
77  )
88 {
89  if (!Hook->Disabled)
90  {
91  return INT_STATUS_INVALID_PARAMETER_1;
92  }
93 
94  HpFreeAndNullWithTag(&Hook, IC_TAG_DTRH);
95 
96  if (0 >= --gGuest.DtrHooks->HooksCount)
97  {
98  return IntDisableDtrNotifications();
99  }
100 
101  return INT_STATUS_SUCCESS;
102 }
103 
104 
105 INTSTATUS
106 IntHookDtrRemoveHook(
107  _In_ HOOK_DTR *Hook
108  )
121 {
122  if (NULL == Hook)
123  {
124  return INT_STATUS_INVALID_PARAMETER_1;
125  }
126 
127  Hook->Disabled = TRUE;
128 
129  // If we're not handling an DTR violation right now than we can safely delete the DTR hook.
130  if (CPU_STATE_DTR_LOAD != gVcpu->State)
131  {
132  RemoveEntryList(&Hook->Link);
133 
134  INTSTATUS status = IntHookDtrDeleteHook(Hook);
135  if (!INT_SUCCESS(status))
136  {
137  ERROR("[ERROR] IntHookDtrDeleteHook failed: 0x%08x\n", status);
138  }
139  }
140 
141  return INT_STATUS_SUCCESS;
142 }
143 
144 
145 static void
146 IntHookDtrRemoveAllHooks(
147  void
148  )
152 {
153  list_for_each(gGuest.DtrHooks->DtrHooksList, HOOK_DTR, pHook)
154  {
155  INTSTATUS status = IntHookDtrRemoveHook(pHook);
156  if (!INT_SUCCESS(status))
157  {
158  ERROR("[ERROR] IntHookDtrRemoveHook failed: 0x%08x\n", status);
159  }
160  }
161 }
162 
163 
164 INTSTATUS
165 IntHookDtrCommit(
166  void
167  )
176 {
177  INTSTATUS status = INT_STATUS_SUCCESS;
178 
179  if (NULL == gGuest.DtrHooks)
180  {
181  return INT_STATUS_NOT_INITIALIZED;
182  }
183 
184  list_for_each(gGuest.DtrHooks->DtrHooksList, HOOK_DTR, pHook)
185  {
186  if (pHook->Disabled)
187  {
188  RemoveEntryList(&pHook->Link);
189 
190  status = IntHookDtrDeleteHook(pHook);
191  if (!INT_SUCCESS(status))
192  {
193  ERROR("[ERROR] IntHookDtrDeleteHook failed: 0x%08x\n", status);
194  }
195  }
196  }
197 
198  return status;
199 }
200 
201 
202 INTSTATUS
203 IntHookDtrInit(
204  void
205  )
212 {
213  gGuest.DtrHooks = HpAllocWithTag(sizeof(*gGuest.DtrHooks), IC_TAG_DTRS);
214  if (NULL == gGuest.DtrHooks)
215  {
216  return INT_STATUS_INSUFFICIENT_RESOURCES;
217  }
218 
219  InitializeListHead(&gGuest.DtrHooks->DtrHooksList);
220 
221  return INT_STATUS_SUCCESS;
222 }
223 
224 
225 INTSTATUS
226 IntHookDtrUninit(
227  void
228  )
235 {
236  if (NULL == gGuest.DtrHooks)
237  {
238  return INT_STATUS_NOT_INITIALIZED_HINT;
239  }
240 
241  IntHookDtrRemoveAllHooks();
242 
243  HpFreeAndNullWithTag(&gGuest.DtrHooks, IC_TAG_DTRS);
244 
245  return INT_STATUS_SUCCESS;
246 }
IntHookDtrSetHook
INTSTATUS IntHookDtrSetHook(DWORD Flags, PFUNC_DtrReadWriteHookCallback Callback, void **Hook)
Places a descriptor table register hook.
Definition: hook_dtr.c:11
_In_
#define _In_
Definition: intro_sal.h:21
_DTR_HOOK_STATE::HooksCount
INT64 HooksCount
The total number of DTR hooks.
Definition: hook_dtr.h:35
INT_STATUS_SUCCESS
#define INT_STATUS_SUCCESS
Definition: introstatus.h:54
IC_TAG_DTRS
#define IC_TAG_DTRS
IDTR & GDTR hook state.
Definition: memtags.h:73
_HOOK_DTR::Link
LIST_ENTRY Link
List entry element.
Definition: hook_dtr.h:44
_HOOK_DTR::Flags
DWORD Flags
Hook flags, a combination of IG_DESC_ACCESS.
Definition: hook_dtr.h:45
INT_SUCCESS
#define INT_SUCCESS(Status)
Definition: introstatus.h:42
ERROR
#define ERROR(fmt,...)
Definition: glue.h:62
_HOOK_DTR::Callback
PFUNC_DtrReadWriteHookCallback Callback
The callback.
Definition: hook_dtr.h:47
HpAllocWithTag
#define HpAllocWithTag(Len, Tag)
Definition: glue.h:516
INTSTATUS
int INTSTATUS
The status data type.
Definition: introstatus.h:24
IntHookDtrRemoveAllHooks
static void IntHookDtrRemoveAllHooks(void)
Remove all descriptor register hooks.
Definition: hook_dtr.c:146
IntHookDtrInit
INTSTATUS IntHookDtrInit(void)
Initialize the descriptor registers hook state.
Definition: hook_dtr.c:203
hook_dtr.h
_Out_opt_
#define _Out_opt_
Definition: intro_sal.h:30
INT_STATUS_NOT_INITIALIZED
#define INT_STATUS_NOT_INITIALIZED
Definition: introstatus.h:266
RemoveEntryList
static BOOLEAN RemoveEntryList(LIST_ENTRY *Entry)
Definition: introlists.h:87
_HOOK_DTR
Definition: hook_dtr.h:42
_VCPU_STATE::State
CPU_STATE State
The state of this VCPU. Describes what action is the VCPU currently doing.
Definition: guests.h:173
CPU_STATE_DTR_LOAD
Handling a LIDT or LGDT.
Definition: guests.h:26
TRUE
#define TRUE
Definition: intro_types.h:30
HpFreeAndNullWithTag
#define HpFreeAndNullWithTag(Add, Tag)
Definition: glue.h:517
IntHookDtrUninit
INTSTATUS IntHookDtrUninit(void)
Uninit the descriptor registers hooks state.
Definition: hook_dtr.c:226
IntHookDtrRemoveHook
INTSTATUS IntHookDtrRemoveHook(HOOK_DTR *Hook)
Remove a descriptor register hook.
Definition: hook_dtr.c:106
InsertTailList
static void InsertTailList(LIST_ENTRY *ListHead, LIST_ENTRY *Entry)
Definition: introlists.h:135
_GUEST_STATE::DtrHooks
DTR_HOOK_STATE * DtrHooks
DTR hook state.
Definition: guests.h:390
InitializeListHead
static void InitializeListHead(LIST_ENTRY *ListHead)
Definition: introlists.h:69
IntHookDtrCommit
INTSTATUS IntHookDtrCommit(void)
Commit the descriptor registers hooks.
Definition: hook_dtr.c:165
IntDisableDtrNotifications
static INTSTATUS IntDisableDtrNotifications(void)
Definition: callbacks.h:142
DWORD
uint32_t DWORD
Definition: intro_types.h:49
PFUNC_DtrReadWriteHookCallback
INTSTATUS(* PFUNC_DtrReadWriteHookCallback)(DTR *OldDtr, DTR *NewDtr, DWORD Flags, INTRO_ACTION *Action)
Called when a descriptor table register is accessed.
Definition: hook_dtr.h:21
gGuest
GUEST_STATE gGuest
The current guest state.
Definition: guests.c:50
IntHookDtrDeleteHook
static INTSTATUS IntHookDtrDeleteHook(HOOK_DTR *Hook)
Permanently delete a descriptor register hook.
Definition: hook_dtr.c:75
INT_STATUS_NOT_INITIALIZED_HINT
#define INT_STATUS_NOT_INITIALIZED_HINT
Definition: introstatus.h:320
INT_STATUS_INVALID_PARAMETER_1
#define INT_STATUS_INVALID_PARAMETER_1
Definition: introstatus.h:62
gVcpu
VCPU_STATE * gVcpu
The state of the current VCPU.
Definition: guests.c:59
IntEnableDtrNotifications
static INTSTATUS IntEnableDtrNotifications(void)
Definition: callbacks.h:125
list_for_each
#define list_for_each(_head, _struct_type, _var)
Definition: introlists.h:41
_DTR_HOOK_STATE::DtrHooksList
LIST_HEAD DtrHooksList
The list of DTR hooks.
Definition: hook_dtr.h:34
IC_TAG_DTRH
#define IC_TAG_DTRH
IDTR & GDTR hook.
Definition: memtags.h:72
INT_STATUS_INSUFFICIENT_RESOURCES
#define INT_STATUS_INSUFFICIENT_RESOURCES
Definition: introstatus.h:281
INT_STATUS_INVALID_PARAMETER_3
#define INT_STATUS_INVALID_PARAMETER_3
Definition: introstatus.h:68