87 #define GPA_HOOK_TABLE_SIZE 1024 88 #define GPA_HOOK_ID(addr) (((addr) >> 12) & (GPA_HOOK_TABLE_SIZE - 1)) 90 #define GPA_EPT_TABLE_SIZE 4096 91 #define GPA_EPT_ID(addr) (((addr) >> 12) & (GPA_EPT_TABLE_SIZE - 1)) 93 #define GPA_REF_COUNT(epte) (((QWORD)((epte)->ReadCount) + \ 94 (QWORD)((epte)->WriteCount) + \ 95 ((QWORD)(epte)->ExecuteCount) + \ 96 ((QWORD)(epte)->PtCount))) 98 #define MAX_HOOK_COUNT UINT32_MAX 225 #endif // _HOOK_GPA_H_
#define GPA_HOOK_TABLE_SIZE
Size of the GPA hook hash.
LIST_ENTRY Link
List entry element.
HOOK_HEADER Header
Hook header.
DWORD ReadCount
Number of read EPT hooks.
QUEUE_HEAD RemovedHooksExecute
List of removed execute hooks.
void * Context
User-defined data that will be supplied to the callback.
INTSTATUS IntHookGpaDisableVe(void)
Disable VE filtering.
struct _HOOK_SPP_ENTRY * PHOOK_SPP_ENTRY
INTSTATUS IntHookGpaRemoveHook(HOOK_GPA **Hook, DWORD Flags)
Remove a GPA hook.
INTSTATUS IntHookGpaDisablePtCache(void)
Disable PT filtering.
QWORD OldSpp
Old SPP value. Usually indicates full write access to the entire page.
INTSTATUS IntHookGpaIsPageHooked(QWORD Gpa, BYTE *Read, BYTE *Write, BYTE *Execute)
Get the read, write and execute access for the given guest physical page.
INTSTATUS IntHookGpaGetEPTPageProtection(DWORD EptIndex, QWORD Address, BYTE *Read, BYTE *Write, BYTE *Execute)
Get the EPT page protection for the indicated guest physical address.
struct _HOOK_SPP_ENTRY HOOK_SPP_ENTRY
DWORD WriteCount
Number of write EPT hooks.
INTSTATUS IntHookGpaEnableHook(HOOK_GPA *Hook)
Enable a GPA hook.
int INTSTATUS
The status data type.
INTSTATUS IntHookGpaFindConvertible(void)
Displays all convertible pages.
QUEUE_ENTRY LinkRemoved
Link element for the removed hooks list.
INTSTATUS IntHookGpaSetHook(QWORD Gpa, DWORD Length, BYTE Type, PFUNC_EptViolationCallback Callback, void *Context, void *ParentHook, DWORD Flags, HOOK_GPA **Hook)
Places an EPT hook on the indicated memory range.
INTSTATUS IntHookGpaInit(void)
Initialize the GPA hook system. This function should be called only once, during introspection init...
struct _HOOK_GPA * PHOOK_GPA
QUEUE_HEAD RemovedHooksWrite
List of removed write hooks.
PHOOK_EPT_ENTRY IntHookGpaGetExistingEptEntry(QWORD GpaPage)
Get the EPT entry associated with the provided guest physical page.
void IntHookGpaDump(void)
Dump the entire contents of the GPA hook system, listing each hook.
INTSTATUS IntHookGpaEnablePtCache(void)
Enable PT filtering.
struct _HOOK_EPT_ENTRY HOOK_EPT_ENTRY
WORD Offset
The offset within the page where the hook starts. 0-4095 valid.
QWORD GpaPage
The page where the hook is set.
QWORD CurSpp
Current SPP permissions.
struct _HOOK_GPA_STATE * PHOOK_GPA_STATE
INTSTATUS IntHookGpaEnableVe(void)
Enable VE filtering.
QWORD GpaPage
Guest physical page address.
INTSTATUS IntHookGpaDeleteHook(HOOK_GPA **Hook, DWORD Flags)
Permanently delete a GPA hook.
QUEUE_HEAD RemovedHooksRead
List of removed read hooks.
INT64 HooksCount
Total number of hooks set.
BOOLEAN SppEnabled
True if SPP support is present and enabled.
struct _HOOK_GPA HOOK_GPA
enum _INTRO_ACTION INTRO_ACTION
Event actions.
DWORD PtCount
Number of PT hooks.
struct _HOOK_GPA_STATE HOOK_GPA_STATE
WORD Length
The length, in bytes, of the hook. 1-4096 valid.
LIST_ENTRY Link
List entry element.
INTSTATUS(* PFUNC_EptViolationCallback)(void *Context, void *Hook, QWORD Address, INTRO_ACTION *Action)
EPT callback handler.
BOOLEAN VeEnabled
True if VE filtering is enabled.
BOOLEAN PtCacheEnabled
True if the PT cache is active inside the guest.
#define GPA_EPT_TABLE_SIZE
Size of the EPT entries hash.
DWORD ExecuteCount
Number of execute EPT hooks.
PFUNC_EptViolationCallback Callback
The callback for this hook.
struct _HOOK_EPT_ENTRY * PHOOK_EPT_ENTRY
INTSTATUS IntHookGpaDisableHook(HOOK_GPA *Hook)
Disable a GPA hook.
BOOLEAN HooksRemoved
True if hooks were removed, and we must do the cleanup..
INTSTATUS IntHookGpaCommitHooks(void)
Commit existing modified hooks.
1.8.13