- Generated by
1.8.13
|
Bitdefender Hypervisor Memory Introspection
|
#include "guests.h"Go to the source code of this file.
Data Structures | |
| struct | _HOOK_OBJECT_DESCRIPTOR |
| struct | _HOOK_REGION_DESCRIPTOR |
| struct | _HOOK_OBJECTS_STATE |
Typedefs | |
| typedef struct _HOOK_HEADER | HOOK_HEADER |
| typedef struct _HOOK_OBJECT_DESCRIPTOR | HOOK_OBJECT_DESCRIPTOR |
| typedef struct _HOOK_OBJECT_DESCRIPTOR * | PHOOK_OBJECT_DESCRIPTOR |
| typedef struct _HOOK_REGION_DESCRIPTOR | HOOK_REGION_DESCRIPTOR |
| typedef struct _HOOK_REGION_DESCRIPTOR * | PHOOK_REGION_DESCRIPTOR |
| typedef struct _HOOK_OBJECTS_STATE | HOOK_OBJECT_STATE |
| typedef struct _HOOK_OBJECTS_STATE * | PHOOK_OBJECT_STATE |
Functions | |
| INTSTATUS | IntHookObjectCreate (DWORD ObjectType, QWORD Cr3, void **Object) |
| Create a new hook object. More... | |
| INTSTATUS | IntHookObjectHookRegion (void *Object, QWORD Cr3, QWORD Gla, SIZE_T Length, BYTE Type, void *Callback, void *Context, DWORD Flags, HOOK_REGION_DESCRIPTOR **Region) |
| Hook a contiguous region of virtual memory inside the provided virtual address space. More... | |
| INTSTATUS | IntHookObjectRemoveRegion (HOOK_REGION_DESCRIPTOR **Region, DWORD Flags) |
| Remove a hooked region of memory. More... | |
| INTSTATUS | IntHookObjectDestroy (HOOK_OBJECT_DESCRIPTOR **Object, DWORD Flags) |
| Destroy an entire hook object. All regions belonging to this object will be removed. More... | |
| void * | IntHookObjectFindRegion (QWORD Gva, void *HookObject, BYTE HookType) |
| Searches for a region of hooked memory inside the provided hook object. More... | |
| INTSTATUS | IntHookObjectCommit (void) |
| Commit removed hook objects and regions. More... | |
| INTSTATUS | IntHookObjectInit (void) |
| Initialize the hook object system. More... | |
| INTSTATUS | IntHookObjectUninit (void) |
| Uninit the hook object system. More... | |
| typedef struct _HOOK_HEADER HOOK_HEADER |
Definition at line 10 of file hook_object.h.
| typedef struct _HOOK_OBJECT_DESCRIPTOR HOOK_OBJECT_DESCRIPTOR |
Describes an object. An object may contain multiple regions. The regions need not be contiguous or of the same type.
| typedef struct _HOOK_OBJECTS_STATE HOOK_OBJECT_STATE |
Global hook object state.
| typedef struct _HOOK_REGION_DESCRIPTOR HOOK_REGION_DESCRIPTOR |
Describes a region. A given object may contain several different protected regions. The regions can be of different types, but a given region can be of only one type.
| typedef struct _HOOK_OBJECT_DESCRIPTOR * PHOOK_OBJECT_DESCRIPTOR |
| typedef struct _HOOK_OBJECTS_STATE * PHOOK_OBJECT_STATE |
| typedef struct _HOOK_REGION_DESCRIPTOR * PHOOK_REGION_DESCRIPTOR |
| INTSTATUS IntHookObjectCommit | ( | void | ) |
Commit removed hook objects and regions.
This function deletes all removed objects and regions. At this point they will be permanently deleted.
| INT_STATUS_SUCCESS | On success. |
Definition at line 525 of file hook_object.c.
Referenced by IntHookCommitAllHooks().
Create a new hook object.
This function will create a new hook object, which can be used as a container for multiple hooked regions. For example, one might wish to create a hook object for a loaded module, or for an entire process.
| [in] | ObjectType | The type of the object. User defined. |
| [in] | Cr3 | The address space the object resides in. Use 0 for global (kernel) objects. |
| [out] | Object | Will contain, upon successfully return, the newly created object. The object can then be used as a parameter for other hook related functions. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INSUFFICIENT_RESOURCES | If a memory allocation function fails. |
| INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
Definition at line 81 of file hook_object.c.
Referenced by IntLixDrvActivateProtection(), IntLixGuestAllocateHook(), IntLixHookKernelRead(), IntLixHookKernelWrite(), IntLixIdtProtectOnCpu(), IntLixTaskActivateExploitProtection(), IntLixVdsoDynamicProtectNonRelocate(), IntLixVdsoFixedProtect(), IntModBlockHandleBlockModHeadersInMemory(), IntPtiDeliverDriverForLoad(), IntVeDeliverDriverForLoad(), IntWinDrvCreateFromAddress(), IntWinDrvHeadersInMemory(), IntWinDrvObjProtect(), IntWinHalProtectHalHeapExecs(), IntWinHalProtectHalIntCtrl(), IntWinIdtProtectOnCpuEpt(), IntWinInfHookHookSppWmiGetClock(), IntWinInfHookSppHookWmiSiloPtr(), and IntWinModHookModule().
| INTSTATUS IntHookObjectDestroy | ( | HOOK_OBJECT_DESCRIPTOR ** | Object, |
| DWORD | Flags | ||
| ) |
Destroy an entire hook object. All regions belonging to this object will be removed.
This function will destroy an entire hook object, and all its belonging regions. This function will not delete the hooked regions on the spot - instead, it will remove them: all hooks will be disabled (no callbacks will be called from this point on), but the regions will be deleted during the commit phase.
| [in,out] | Object | The hook object to be destroyed. |
| [in] | Flags | The hook flags. Will usually be 0. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
Definition at line 357 of file hook_object.c.
Referenced by IntLixDrvActivateProtection(), IntLixDrvDeactivateProtection(), IntLixGuestUnhookGuestCode(), IntLixIdtUnprotectAll(), IntLixTaskDeactivateExploitProtection(), IntLixUnhookKernelRead(), IntLixUnhookKernelWrite(), IntLixVdsoUnprotect(), IntModBlockHandleBlockModHeadersInMemory(), IntPtiUnhookPtFilter(), IntVeUnhookVeAgent(), IntWinDrvHandleDriverEntry(), IntWinDrvObjUnprotect(), IntWinDrvRemoveEntry(), IntWinDrvUnprotect(), IntWinHalUnprotectHalHeapExecs(), IntWinHalUnprotectHalIntCtrl(), IntWinIdtUnprotectOnCpuEpt(), IntWinInfHookSppViolationCallbackWmiPtrChanged(), IntWinInfHookUnprotect(), IntWinModBlockRemoveBlockObject(), and IntWinModUnHookModule().
Searches for a region of hooked memory inside the provided hook object.
| [in] | Gva | The region guest virtual address to be searched. |
| [in] | HookObject | The target hook object. |
| [in] | HookType | The searched hook type. |
Definition at line 424 of file hook_object.c.
Referenced by IntExceptVerifyCodeBlocksSig(), and IntLixVdsoDynamicProtectNonRelocate().
| INTSTATUS IntHookObjectHookRegion | ( | void * | Object, |
| QWORD | Cr3, | ||
| QWORD | Gla, | ||
| SIZE_T | Length, | ||
| BYTE | Type, | ||
| void * | Callback, | ||
| void * | Context, | ||
| DWORD | Flags, | ||
| HOOK_REGION_DESCRIPTOR ** | Region | ||
| ) |
Hook a contiguous region of virtual memory inside the provided virtual address space.
This function hooks a contiguous region of memory inside the provided virtual address space. The entire region will be hooked using the same hook type. Both access hooks (read, write or execute) and swap hooks can be set. The region will later be removed by either explicitly calling IntHookObjectRemoveRegion on the handle returned bu this function (the Region parameter) or when the hook object this region belongs to is destroyed.
| [in] | Object | A previously created hook object, using IntHookObjectCreate function. |
| [in] | Cr3 | The target virtual address space. |
| [in] | Gla | Guest linear address where the hook starts. |
| [in] | Length | The length of the hooked region. Can span multiple pages. |
| [in] | Type | Hook type. Can be IG_EPT_HOOK_READ, IG_EPT_HOOK_WRITE, IG_EPT_HOOK_EXECUTE or IG_EPT_HOOK_NONE, for swap in hooks. |
| [in] | Callback | The callback to be called whenever the region is accessed or swapped. |
| [in] | Context | Optional context to be passed to the provided callback on events. |
| [in] | Flags | Hook flags. |
| [out] | Region | Optional pointer to a region handle, which can later be used to unhook the memory area. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
| INT_STATUS_INSUFFICIENT_RESOURCES | If a memory allocation fails. |
Definition at line 132 of file hook_object.c.
Referenced by IntLixDrvActivateProtection(), IntLixGuestAllocateHook(), IntLixHookKernelRead(), IntLixHookKernelWrite(), IntLixIdtProtectOnCpu(), IntLixVdsoDynamicProtectNonRelocate(), IntLixVdsoFixedProtect(), IntLixVmaProtect(), IntModBlockHandleBlockModHeadersInMemory(), IntPtiHookPtDriver(), IntVeHookVeDriver(), IntWinDrvCreateFromAddress(), IntWinDrvHeadersInMemory(), IntWinDrvObjProtect(), IntWinHalProtectHalHeapExecs(), IntWinHalProtectHalIntCtrl(), IntWinIdtProtectOnCpuEpt(), IntWinInfHookHookSppWmiGetClock(), IntWinInfHookSppHookWmiSiloPtr(), IntWinModHookModule(), and IntWinProtectReadNtEat().
| INTSTATUS IntHookObjectInit | ( | void | ) |
Initialize the hook object system.
| INT_STATUS_SUCCESS | On success. |
Definition at line 598 of file hook_object.c.
Referenced by IntHookInit().
| INTSTATUS IntHookObjectRemoveRegion | ( | HOOK_REGION_DESCRIPTOR ** | Region, |
| DWORD | Flags | ||
| ) |
Remove a hooked region of memory.
This function will remove a region of hooked memory. It will call the remove function for each child hook (with the HOOK_FLG_CHAIN_DELETE flag set, in order to allow us to delete the hooks), and it will remove the hook from the list of active hooks. The region will not actually be removed until the commit phase. However, it will be marked as removed, and no callback for any of the lower-level hooks will be called again.
| [in,out] | Region | The hook region to be removed. |
| [in] | Flags | Flags. Reserved for future use. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_NEEDED_HINT | If the region has already been removed. |
Definition at line 309 of file hook_object.c.
Referenced by IntHookRemoveChain(), IntLixVmaRemoveProtection(), and IntWinUnprotectReadNtEat().
| INTSTATUS IntHookObjectUninit | ( | void | ) |
Uninit the hook object system.
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_INITIALIZED_HINT | If the hook system has not been initialized yet. |
Definition at line 614 of file hook_object.c.
Referenced by IntHookInit(), and IntHookUninit().
1.8.13