#include "hook.h"
#include "hook_gva.h"
#include "alerts.h"
#include "memcloak.h"

Functions
static INTSTATUS	IntHookGvaDisableHooks (HOOK_GVA *Hook)
	Deactivates a GVA hook. More...

static INTSTATUS	IntHookGvaEnableHooks (HOOK_GVA *Hook, QWORD NewGpaPage)
	Enable a GVA hook. More...

static INTSTATUS	IntHookGvaRemoveHookInternal (HOOK_GVA *Hook, DWORD Flags)
	Remove a GVA hook. More...

static INTSTATUS	IntHookGvaHandleSwap (HOOK_GVA *Hook, QWORD VirtualAddress, QWORD OldEntry, QWORD NewEntry, QWORD OldPageSize, QWORD NewPageSize)
	Handle a swap event on a hooked guest virtual page. More...

INTSTATUS	IntHookGvaSetHook (QWORD Cr3, QWORD Gva, DWORD Length, BYTE Type, void Callback, void Context, void ParentHook, DWORD Flags, HOOK_GVA *GvaHook)
	Set a read, write, execute or swap hook on a guest virtual address. More...

INTSTATUS	IntHookGvaRemoveHook (HOOK_GVA **Hook, DWORD Flags)
	Remove a GVA hook. More...

static INTSTATUS	IntHookGvaDeleteHookInternal (HOOK_GVA *Hook, DWORD Flags)
	Completely delete a GVA hook. More...

INTSTATUS	IntHookGvaDeleteHook (HOOK_GVA **Hook, DWORD Flags)
	Completely delete a GVA hook. More...

INTSTATUS	IntHookGvaCommitHooks (void)
	Commit all the modified GVA hooks. More...

INTSTATUS	IntHookGvaInit (void)
	Initialize the GVA hooks system. More...

Function Documentation

◆ IntHookGvaCommitHooks()

INTSTATUS IntHookGvaCommitHooks ( void )

Commit all the modified GVA hooks.

This function will delete all GVA hooks which were previously marked as removed. Hooks marked with the HOOK_FLG_CHAIN_DELETE flag will not be deleted now, as it is expected that a higher level hook manager will do so.

Return values

INT_STATUS_SUCCESS On success.

Definition at line 657 of file hook_gva.c.

Referenced by IntHookCommitAllHooks().

◆ IntHookGvaDeleteHook()

INTSTATUS IntHookGvaDeleteHook	(	HOOK_GVA **	Hook,
		DWORD	Flags
	)

Completely delete a GVA hook.

Delete the indicated GVA hook, together with the PTS or GPA hooks established through it.

Parameters

[in,out]	Hook	The GVA hook to be deleted. Will be set to NULL on return.
[in]	Flags	Flags. See HOOK_FLG* for more info.

Return values

INT_STATUS_SUCCESS	On success.
INT_STATUS_INVALID_PARAMETER	If an invalid parameter is used.

Definition at line 612 of file hook_gva.c.

Referenced by IntHookObjectDeleteRegion().

◆ IntHookGvaDeleteHookInternal()

static INTSTATUS IntHookGvaDeleteHookInternal	(	HOOK_GVA *	Hook,
		DWORD	Flags
	)

static

Completely delete a GVA hook.

Delete the indicated GVA hook, together with the PTS or GPA hooks established through it.

Parameters

[in]	Hook	The GVA hook to be deleted.
[in]	Flags	Flags. See HOOK_FLG* for more info.

Return values

INT_STATUS_SUCCESS	On success.
INT_STATUS_INVALID_INTERNAL_STATE	If the hook was not previously marked as removed.

Definition at line 555 of file hook_gva.c.

Referenced by IntHookGvaCommitHooks(), and IntHookGvaDeleteHook().

◆ IntHookGvaDisableHooks()

static INTSTATUS IntHookGvaDisableHooks ( HOOK_GVA * Hook )

static

Deactivates a GVA hook.

The GVA hook will be disabled, by completely removing the GPA hook placed on the physical page that the GVA translates to. Before removing the GPA hook, a hash will be computed on the entire page, if integrity check is on.

Parameters

[in] Hook The GVA hook.

Return values

INT_STATUS_SUCCESS	On success.
INT_STATUS_NOT_INITIALIZED	If no GPA hook is set for this GVA hook.

Definition at line 12 of file hook_gva.c.

Referenced by IntHookGvaHandleSwap().

◆ IntHookGvaEnableHooks()

static INTSTATUS IntHookGvaEnableHooks	(	HOOK_GVA *	Hook,
		QWORD	NewGpaPage
	)

static

Enable a GVA hook.

The GPA hook for the physical page this GVA translates to will be hooked. In addition, if integrity check is enabled, a hash will be computed on the newly mapped page. If this hash is not the same as the one computed when the hook was disabled, an integrity check alert is generated.

Parameters

[in]	Hook	The GVA hook.
[in]	NewGpaPage	The new guest physical page the hooked GVA translates to.

Return values

INT_STATUS_SUCCESS On success.

Definition at line 59 of file hook_gva.c.

Referenced by IntHookGvaHandleSwap().

◆ IntHookGvaHandleSwap()

static INTSTATUS IntHookGvaHandleSwap	(	HOOK_GVA *	Hook,
		QWORD	VirtualAddress,
		QWORD	OldEntry,
		QWORD	NewEntry,
		QWORD	OldPageSize,
		QWORD	NewPageSize
	)

static

Handle a swap event on a hooked guest virtual page.

This function will be called whenever a hooked virtual page is swapped in and out of the physical memory. When the page is swapped out, this function will disable the hook on it. When the page is swapped in, the hook will be re-enabled. If the physical page address is changed, the hook will be moved to the new page.

Parameters

[in]	Hook	The GVA hook.
[in]	VirtualAddress	Swapped guest virtual address.
[in]	OldEntry	Old page table entry.
[in]	NewEntry	New page table entry.
[in]	OldPageSize	Old page size.
[in]	NewPageSize	New page size.

Return values

INT_STATUS_SUCCESS On success.

Definition at line 250 of file hook_gva.c.

Referenced by IntHookGvaSetHook().

◆ IntHookGvaInit()

INTSTATUS IntHookGvaInit ( void )

Initialize the GVA hooks system.

Return values

INT_STATUS_SUCCESS On success.

Definition at line 714 of file hook_gva.c.

Referenced by IntHookInit().

◆ IntHookGvaRemoveHook()

INTSTATUS IntHookGvaRemoveHook	(	HOOK_GVA **	Hook,
		DWORD	Flags
	)

Remove a GVA hook.

Removes the indicated GVA hook, together with any PTS or GPA hooks established through it. This function will not delete the hook - the actual deletion will be made either during the commit phase, or when the caller of this function (if it is a higher level hook system) decides so.

Parameters

[in,out]	Hook	The GVA hook to be removed.
[in]	Flags	Flags. See HOOK_FLG* for more info.

Return values

INT_STATUS_SUCCESS	On success.
INT_STATUS_INVALID_PARAMETER	If an invalid parameter is supplied.

Definition at line 507 of file hook_gva.c.

Referenced by IntHookObjectRemoveRegionInternal(), IntHookRemoveChain(), IntLixDrvInitVfreeHandler(), IntLixDrvRemoveEntry(), IntMemClkUncloakRegionInternal(), IntUnpPageWriteCallback(), IntUnpUnWatchPageInternal(), IntVeUnlockDriver(), IntWinInfHookHandleSiloFirstWrite(), IntWinInfHookUnprotect(), IntWinSudUnprotectSudExec(), IntWinTokenPrivsUnprotectOnProcess(), IntWinTokenProtectPrivsInternal(), IntWinTokenUnprotectPrivs(), IntWinVadAdjustRange(), IntWinVadHandlePageExecution(), IntWinVadHandleProtectGeneric(), and IntWinVadRemoveRange().

◆ IntHookGvaRemoveHookInternal()

static INTSTATUS IntHookGvaRemoveHookInternal	(	HOOK_GVA *	Hook,
		DWORD	Flags
	)

static

Remove a GVA hook.

The GVA hook will be marked for removal. This function also removes the GPA hook established on the physical page and the PTS hook establishes on the page-tales used to translate the hooked GVA. The hook will be marked for removal, and it will either be deleted during the commit phase, or it will be deleted by a higher level hook manager.

Parameters

[in]	Hook	The GVA hook.
[in]	Flags	The removal flags. Can be HOOK_FLG_CHAIN_DELETE for a chained delete.

Return values

INT_STATUS_SUCCESS	On success.
INT_STATUS_NOT_NEEDED_HINT	If the hook has already been removed.

Definition at line 184 of file hook_gva.c.

Referenced by IntHookGvaRemoveHook(), and IntHookGvaSetHook().

◆ IntHookGvaSetHook()

INTSTATUS IntHookGvaSetHook	(	QWORD	Cr3,
		QWORD	Gva,
		DWORD	Length,
		BYTE	Type,
		void *	Callback,
		void *	Context,
		void *	ParentHook,
		DWORD	Flags,
		HOOK_GVA **	GvaHook
	)

Set a read, write, execute or swap hook on a guest virtual address.

This function establishes an EPT hook on the indicates guest virtual (linear) address. A guest virtual address hook usually consists of two children hooks:

PTS hook - this hook covers all page-table entries the provided Gva translates through; any change in any level of the page-tables will lead to the guest physical hook being updated, thus maintaining a consistent association between the hooked guest virtual address and the guest physical address it translates to.
GPA hook - this is the actual EPT hook; since EPT works with guest physical pages, all hooks end up being a guest physical hook. This hook will be removed whenever the guest virtual page is swapped out, and it will be restored each time it is swapped in. This function can be used to set read, write or execute hook on the memory interval given by [Gva, Gva + Length - 1]. This interval cannot exceed a page boundary. Gva needs not be page aligned. In this case, a PTS hook and a GPA hook will be established. In this case, Callback must be a PFUNC_EptViolationCallback. This function can also be used to establish a swap hook on the given virtual page. In this case, low 12 bits from Gva are ignored, as is the Length argument. In this case, Callback must be PFUNC_SwapCallback and the Type must be IG_EPT_HOOK_NONE. NOTE: Since EPT hooks can only be placed on guest physical pages, this function takes care of translating the virtual address to a physical address in order to hook that page using EPT. It also takes care internally of swap operations, so the guest physical hook will be updated whenever a translation change is made to this virtual address.

Parameters

[in]	Cr3	The virtual address space the hook is placed in. If this parameter is 0, the current System Cr3 will be used, meaning that a global hook will be placed (usually for kernel pages).
[in]	Gva	The guest virtual address to be hooked.
[in]	Length	The memory area size to be hooked. Ignored if Type is IG_EPT_HOOK_NONE.
[in]	Type	Hook type. Can be IG_EPT_HOOK_READ, IG_EPT_HOOK_WRITE, IG_EPT_HOOK_EXECUTE for regular EPT hooks, or IG_EPT_HOOK_NONE for a swap hook.
[in]	Callback	The callback to be called on [Gva, Gva + Length - 1] accesses. If type is IG_EPT_HOOK_NONE, the callback type must be PFUNC_SwapCallback, otherwise it must be PFUNC_EptViolationCallback.
[in]	Context	Optional context to be passes as a parameter to the callback.
[in]	ParentHook	Optional parent hook.
[in]	Flags	Hook flags. Check our HOOK_FLG* for more info.
[out]	GvaHook	Optional output handle for the established hook. Can later be used to remove the hook.

Return values

INT_STATUS_SUCCESS	On success.
INT_STATUS_NOT_SUPPORTED	If the hooked memory area spans outside the page.

Definition at line 345 of file hook_gva.c.

Referenced by IntHookObjectHookRegion(), IntLixDrvCreateFromAddress(), IntMemClkCloakRegion(), IntUnpPageWriteCallback(), IntUnpWatchPage(), IntVeLockDriver(), IntWinInfHookGetCircularCtxLogger(), IntWinSudProtectSudExec(), IntWinTokenProtectPrivsInternal(), and IntWinVadHandleProtectGeneric().

Functions

Function Documentation

◆ IntHookGvaCommitHooks()

◆ IntHookGvaDeleteHook()

◆ IntHookGvaDeleteHookInternal()

◆ IntHookGvaDisableHooks()

◆ IntHookGvaEnableHooks()

◆ IntHookGvaHandleSwap()

◆ IntHookGvaInit()

◆ IntHookGvaRemoveHook()

◆ IntHookGvaRemoveHookInternal()

◆ IntHookGvaSetHook()