Bitdefender Hypervisor Memory Introspection
hook_gva.h File Reference
#include "hook_gpa.h"
#include "hook_pts.h"


Data Structures

struct  _HOOK_GVA
 
struct  _HOOK_GVA_STATE
 

Typedefs

typedef struct _HOOK_HEADER HOOK_HEADER
 
typedef struct _HOOK_GVA HOOK_GVA
 
typedef struct _HOOK_GVA * PHOOK_GVA
 
typedef struct _HOOK_GVA_STATE HOOK_GVA_STATE
 
typedef struct _HOOK_GVA_STATE * PHOOK_GVA_STATE
 

Functions

INTSTATUS IntHookGvaSetHook (QWORD Cr3, QWORD Gva, DWORD Length, BYTE Type, void *Callback, void *Context, void *ParentHook, DWORD Flags, HOOK_GVA **GvaHook)
 Set a read, write, execute or swap hook on a guest virtual address.
 
INTSTATUS IntHookGvaRemoveHook (HOOK_GVA **Hook, DWORD Flags)
 Remove a GVA hook.
 
INTSTATUS IntHookGvaDeleteHook (HOOK_GVA **Hook, DWORD Flags)
 Completely delete a GVA hook.
 
INTSTATUS IntHookGvaCommitHooks (void)
 Commit all the modified GVA hooks.
 
INTSTATUS IntHookGvaInit (void)
 Initialize the GVA hooks system.
 

Typedef Documentation

◆ HOOK_GVA

typedef struct _HOOK_GVA HOOK_GVA

This structure describes a hooked guest virtual page. Page-table interception and guest physical page hooks are handled internally.

◆ HOOK_GVA_STATE

Global GVA hooks state.

◆ HOOK_HEADER

typedef struct _HOOK_HEADER HOOK_HEADER

Definition at line 11 of file hook_gva.h.

◆ PHOOK_GVA

typedef struct _HOOK_GVA * PHOOK_GVA

◆ PHOOK_GVA_STATE

typedef struct _HOOK_GVA_STATE * PHOOK_GVA_STATE

Function Documentation

◆ IntHookGvaCommitHooks()

INTSTATUS IntHookGvaCommitHooks ( void  )

Commit all the modified GVA hooks.

This function will delete all GVA hooks which were previously marked as removed. Hooks marked with the HOOK_FLG_CHAIN_DELETE flag will not be deleted now, as it is expected that a higher level hook manager will do so.

Return values
INT_STATUS_SUCCESS  On success.

Definition at line 657 of file hook_gva.c.

Referenced by IntHookCommitAllHooks().

◆ IntHookGvaDeleteHook()

INTSTATUS IntHookGvaDeleteHook ( HOOK_GVA **  Hook,
DWORD  Flags 
)

Completely delete a GVA hook.

Delete the indicated GVA hook, together with the PTS or GPA hooks established through it.

Parameters
[in,out] Hook  The GVA hook to be deleted. Will be set to NULL on return.
[in] Flags  Flags. See HOOK_FLG* for more info.
Return values
INT_STATUS_SUCCESS  On success.
INT_STATUS_INVALID_PARAMETER  If an invalid parameter is used.

Definition at line 612 of file hook_gva.c.

Referenced by IntHookObjectDeleteRegion().

◆ IntHookGvaInit()

INTSTATUS IntHookGvaInit ( void  )

Initialize the GVA hooks system.

Return values
INT_STATUS_SUCCESS  On success.

Definition at line 714 of file hook_gva.c.

Referenced by IntHookInit().

◆ IntHookGvaRemoveHook()

INTSTATUS IntHookGvaRemoveHook ( HOOK_GVA **  Hook,
DWORD  Flags 
)

Remove a GVA hook.

Removes the indicated GVA hook, together with any PTS or GPA hooks established through it. This function will not delete the hook - the actual deletion will be made either during the commit phase, or when the caller of this function (if it is a higher level hook system) decides so.

Parameters
[in,out] Hook  The GVA hook to be removed.
[in] Flags  Flags. See HOOK_FLG* for more info.
Return values
INT_STATUS_SUCCESS  On success.
INT_STATUS_INVALID_PARAMETER  If an invalid parameter is supplied.

Definition at line 507 of file hook_gva.c.

Referenced by IntHookObjectRemoveRegionInternal(), IntHookRemoveChain(), IntLixDrvInitVfreeHandler(), IntLixDrvRemoveEntry(), IntMemClkUncloakRegionInternal(), IntUnpPageWriteCallback(), IntUnpUnWatchPageInternal(), IntVeUnlockDriver(), IntWinInfHookHandleSiloFirstWrite(), IntWinInfHookUnprotect(), IntWinSudUnprotectSudExec(), IntWinTokenPrivsUnprotectOnProcess(), IntWinTokenProtectPrivsInternal(), IntWinTokenUnprotectPrivs(), IntWinVadAdjustRange(), IntWinVadHandlePageExecution(), IntWinVadHandleProtectGeneric(), and IntWinVadRemoveRange().

◆ IntHookGvaSetHook()

INTSTATUS IntHookGvaSetHook ( QWORD  Cr3,
QWORD  Gva,
DWORD  Length,
BYTE  Type,
void *  Callback,
void *  Context,
void *  ParentHook,
DWORD  Flags,
HOOK_GVA **  GvaHook 
)

Set a read, write, execute or swap hook on a guest virtual address.

This function establishes an EPT hook on the indicated guest virtual (linear) address. A guest virtual address hook usually consists of two child hooks:

  1. PTS hook - this hook covers all page-table entries the provided Gva translates through; any change at any level of the page tables will cause the guest physical hook to be updated, thus maintaining a consistent association between the hooked guest virtual address and the guest physical address it translates to.
  2. GPA hook - this is the actual EPT hook; since EPT works with guest physical pages, all hooks end up being guest physical hooks. This hook will be removed whenever the guest virtual page is swapped out, and it will be restored each time it is swapped in.

This function can be used to set a read, write or execute hook on the memory interval [Gva, Gva + Length - 1]. This interval cannot cross a page boundary. Gva need not be page aligned. In this case, a PTS hook and a GPA hook will be established, and Callback must be a PFUNC_EptViolationCallback.

This function can also be used to establish a swap hook on the given virtual page. In this case, the low 12 bits of Gva are ignored, as is the Length argument; Callback must be a PFUNC_SwapCallback and Type must be IG_EPT_HOOK_NONE.

NOTE: Since EPT hooks can only be placed on guest physical pages, this function takes care of translating the virtual address to a physical address in order to hook that page using EPT. It also handles swap operations internally, so the guest physical hook will be updated whenever the translation of this virtual address changes.
Parameters
[in] Cr3  The virtual address space the hook is placed in. If this parameter is 0, the current System Cr3 will be used, meaning that a global hook will be placed (usually for kernel pages).
[in] Gva  The guest virtual address to be hooked.
[in] Length  The size of the memory area to be hooked. Ignored if Type is IG_EPT_HOOK_NONE.
[in] Type  Hook type. Can be IG_EPT_HOOK_READ, IG_EPT_HOOK_WRITE or IG_EPT_HOOK_EXECUTE for regular EPT hooks, or IG_EPT_HOOK_NONE for a swap hook.
[in] Callback  The callback to be called on [Gva, Gva + Length - 1] accesses. If Type is IG_EPT_HOOK_NONE, the callback type must be PFUNC_SwapCallback; otherwise it must be PFUNC_EptViolationCallback.
[in] Context  Optional context to be passed as a parameter to the callback.
[in] ParentHook  Optional parent hook.
[in] Flags  Hook flags. See HOOK_FLG* for more info.
[out] GvaHook  Optional output handle for the established hook. Can later be used to remove the hook.
Return values
INT_STATUS_SUCCESS  On success.
INT_STATUS_NOT_SUPPORTED  If the hooked memory area extends outside the page.

Definition at line 345 of file hook_gva.c.

Referenced by IntHookObjectHookRegion(), IntLixDrvCreateFromAddress(), IntMemClkCloakRegion(), IntUnpPageWriteCallback(), IntUnpWatchPage(), IntVeLockDriver(), IntWinInfHookGetCircularCtxLogger(), IntWinSudProtectSudExec(), IntWinTokenProtectPrivsInternal(), and IntWinVadHandleProtectGeneric().
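The Gva/Length/Type rules documented for IntHookGvaSetHook, worked as a stand-alone pre-flight check. This is an added example, not code from hook_gva.h or the HVMI project; the numeric values of the INT_STATUS_* and IG_EPT_HOOK_* constants, the 4 KiB page size and the INT_STATUS_INVALID_PARAMETER results for a bad Type or a zero Length are assumptions made here for illustration.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed stand-ins for the status codes and hook types named on this
 * page; the numeric values are assumptions, not HVMI's own definitions. */
#define INT_STATUS_SUCCESS            0
#define INT_STATUS_INVALID_PARAMETER  (-1)
#define INT_STATUS_NOT_SUPPORTED      (-2)
#define IG_EPT_HOOK_NONE     0  /* swap hook */
#define IG_EPT_HOOK_READ     1
#define IG_EPT_HOOK_WRITE    2
#define IG_EPT_HOOK_EXECUTE  4
#define PAGE_SIZE        4096ull
#define PAGE_OFFSET_MASK (PAGE_SIZE - 1)

typedef uint64_t QWORD;
typedef uint32_t DWORD;
typedef uint8_t  BYTE;
typedef int      INTSTATUS;

/* The byte range a request would cover once the documented rules are applied. */
typedef struct {
    QWORD First;   /* first hooked byte (page start for a swap hook) */
    QWORD Last;    /* last hooked byte  (page end for a swap hook)   */
    bool  IsSwap;  /* true when Type == IG_EPT_HOOK_NONE */
} GVA_HOOK_RANGE;

/* Illustrative pre-flight check (not a hook_gva.h function) mirroring what
 * the documentation says about IntHookGvaSetHook's Gva/Length/Type rules. */
INTSTATUS GvaHookCheckRange(QWORD Gva, DWORD Length, BYTE Type, GVA_HOOK_RANGE *Out)
{
    /* Swap hook: whole page; the low 12 bits of Gva and Length are ignored. */
    if (Type == IG_EPT_HOOK_NONE) {
        Out->First  = Gva & ~PAGE_OFFSET_MASK;
        Out->Last   = Out->First + PAGE_OFFSET_MASK;
        Out->IsSwap = true;
        return INT_STATUS_SUCCESS;
    }
    if (Type != IG_EPT_HOOK_READ && Type != IG_EPT_HOOK_WRITE && Type != IG_EPT_HOOK_EXECUTE)
        return INT_STATUS_INVALID_PARAMETER;   /* assumed result for an unknown Type */
    if (Length == 0)
        return INT_STATUS_INVALID_PARAMETER;   /* assumed result for an empty interval */
    /* EPT hook: [Gva, Gva + Length - 1] must stay inside a single page. */
    if ((Gva & PAGE_OFFSET_MASK) + (QWORD)Length > PAGE_SIZE)
        return INT_STATUS_NOT_SUPPORTED;
    Out->First  = Gva;
    Out->Last   = Gva + Length - 1;
    Out->IsSwap = false;
    return INT_STATUS_SUCCESS;
}
```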