Bitdefender Hypervisor Memory Introspection
hook_object.h
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2020 Bitdefender
3  * SPDX-License-Identifier: Apache-2.0
4  */
5 #ifndef _HOOK_STRUCTURE_H_
6 #define _HOOK_STRUCTURE_H_
7 
8 #include "guests.h"
9 
10 typedef struct _HOOK_HEADER HOOK_HEADER;
11 
12 
16 typedef struct _HOOK_OBJECT_DESCRIPTOR
17 {
18  LIST_ENTRY Link;
19  LIST_HEAD Regions;
20  LIST_HEAD RemovedRegions;
23  DWORD ObjectType;
24  QWORD Cr3;
25  DWORD Flags;
26 
28  BOOLEAN RegionsRemoved;
29 } HOOK_OBJECT_DESCRIPTOR, *PHOOK_OBJECT_DESCRIPTOR;
30 
31 
36 typedef struct _HOOK_REGION_DESCRIPTOR
37 {
38  HOOK_HEADER Header;
39  LIST_ENTRY Link;
40  QWORD HookStart;
41  QWORD HookLength;
42  DWORD HooksCount;
43  void **Hooks;
44 
46  PHOOK_OBJECT_DESCRIPTOR Object;
47 } HOOK_REGION_DESCRIPTOR, *PHOOK_REGION_DESCRIPTOR;
48 
49 
53 typedef struct _HOOK_OBJECTS_STATE
54 {
55  LIST_HEAD Objects;
56  BOOLEAN ObjectsRemoved;
57 } HOOK_OBJECT_STATE, *PHOOK_OBJECT_STATE;
58 
59 
60 //
61 // API
62 //
63 INTSTATUS
64 IntHookObjectCreate(
65  _In_ DWORD ObjectType,
66  _In_ QWORD Cr3,
67  _Out_ void **Object
68  );
69 
70 INTSTATUS
71 IntHookObjectHookRegion(
72  _In_ void *Object,
73  _In_ QWORD Cr3,
74  _In_ QWORD Gla,
75  _In_ SIZE_T Length,
76  _In_ BYTE Type,
77  _In_ void *Callback,
78  _In_opt_ void *Context,
79  _In_opt_ DWORD Flags,
80  _Out_opt_ HOOK_REGION_DESCRIPTOR **Region
81  );
82 
83 INTSTATUS
84 IntHookObjectRemoveRegion(
85  _Inout_ HOOK_REGION_DESCRIPTOR **Region,
86  _In_ DWORD Flags
87  );
88 
89 INTSTATUS
90 IntHookObjectDestroy(
91  _Inout_ HOOK_OBJECT_DESCRIPTOR **Object,
92  _In_ DWORD Flags
93  );
94 
95 void *
96 IntHookObjectFindRegion(
97  _In_ QWORD Gva,
98  _In_ void *HookObject,
99  _In_ BYTE HookType
100  );
101 
102 INTSTATUS
103 IntHookObjectCommit(
104  void
105  );
106 
107 INTSTATUS
108 IntHookObjectInit(
109  void
110  );
111 
112 INTSTATUS
113 IntHookObjectUninit(
114  void
115  );
116 
117 #endif // _HOOK_STRUCTURE_H_
_HOOK_OBJECT_DESCRIPTOR::RemovedRegions
LIST_HEAD RemovedRegions
All the removed regions are inserted here. The regions must be committed in the exact same order they...
Definition: hook_object.h:22
_In_opt_
#define _In_opt_
Definition: intro_sal.h:16
_Out_
#define _Out_
Definition: intro_sal.h:22
BOOLEAN
_Bool BOOLEAN
Definition: intro_types.h:58
_HOOK_REGION_DESCRIPTOR
Definition: hook_object.h:36
BYTE
uint8_t BYTE
Definition: intro_types.h:47
IntHookObjectDestroy
INTSTATUS IntHookObjectDestroy(HOOK_OBJECT_DESCRIPTOR **Object, DWORD Flags)
Destroy an entire hook object. All regions belonging to this object will be removed.
Definition: hook_object.c:357
_HOOK_REGION_DESCRIPTOR::Hooks
void ** Hooks
Array of hooks. They will usually be HOOK_GVA objects.
Definition: hook_object.h:43
_In_
#define _In_
Definition: intro_sal.h:21
PHOOK_OBJECT_STATE
struct _HOOK_OBJECTS_STATE * PHOOK_OBJECT_STATE
_HOOK_REGION_DESCRIPTOR::Object
PHOOK_OBJECT_DESCRIPTOR Object
Parent object. Optional, but it is strongly recommended to link a region to an object.
Definition: hook_object.h:46
_HOOK_OBJECT_DESCRIPTOR::ObjectType
DWORD ObjectType
One of the INTRO_OBJECT_TYPE values.
Definition: hook_object.h:23
INTSTATUS
int INTSTATUS
The status data type.
Definition: introstatus.h:24
_HOOK_OBJECTS_STATE::ObjectsRemoved
BOOLEAN ObjectsRemoved
True whenever an object has been removed.
Definition: hook_object.h:56
_HOOK_REGION_DESCRIPTOR::HookStart
QWORD HookStart
Guest virtual address of the hooked region.
Definition: hook_object.h:40
IntHookObjectFindRegion
void * IntHookObjectFindRegion(QWORD Gva, void *HookObject, BYTE HookType)
Searches for a region of hooked memory inside the provided hook object.
Definition: hook_object.c:424
HOOK_REGION_DESCRIPTOR
struct _HOOK_REGION_DESCRIPTOR HOOK_REGION_DESCRIPTOR
_Inout_
#define _Inout_
Definition: intro_sal.h:20
_Out_opt_
#define _Out_opt_
Definition: intro_sal.h:30
_HOOK_REGION_DESCRIPTOR::HookLength
QWORD HookLength
Length of the hooked region. May span multiple pages.
Definition: hook_object.h:41
_HOOK_OBJECT_DESCRIPTOR::RegionsRemoved
BOOLEAN RegionsRemoved
True if regions have been removed from this object (used by the commit function). ...
Definition: hook_object.h:28
_HOOK_OBJECTS_STATE
Definition: hook_object.h:53
QWORD
unsigned long long QWORD
Definition: intro_types.h:53
IntHookObjectInit
INTSTATUS IntHookObjectInit(void)
Initialize the hook object system.
Definition: hook_object.c:598
_HOOK_OBJECT_DESCRIPTOR::Flags
DWORD Flags
Hook flags.
Definition: hook_object.h:25
_HOOK_OBJECT_DESCRIPTOR::Link
LIST_ENTRY Link
The list entry element.
Definition: hook_object.h:18
_HOOK_REGION_DESCRIPTOR::Header
HOOK_HEADER Header
The hook header.
Definition: hook_object.h:38
IntHookObjectUninit
INTSTATUS IntHookObjectUninit(void)
Uninit the hook object system.
Definition: hook_object.c:614
HOOK_OBJECT_DESCRIPTOR
struct _HOOK_OBJECT_DESCRIPTOR HOOK_OBJECT_DESCRIPTOR
IntHookObjectRemoveRegion
INTSTATUS IntHookObjectRemoveRegion(HOOK_REGION_DESCRIPTOR **Region, DWORD Flags)
Remove a hooked region of memory.
Definition: hook_object.c:309
_HOOK_OBJECT_DESCRIPTOR::Regions
LIST_HEAD Regions
Definition: hook_object.h:19
DWORD
uint32_t DWORD
Definition: intro_types.h:49
HOOK_OBJECT_STATE
struct _HOOK_OBJECTS_STATE HOOK_OBJECT_STATE
_HOOK_OBJECT_DESCRIPTOR
Definition: hook_object.h:16
IntHookObjectCommit
INTSTATUS IntHookObjectCommit(void)
Commit removed hook objects and regions.
Definition: hook_object.c:525
PHOOK_REGION_DESCRIPTOR
struct _HOOK_REGION_DESCRIPTOR * PHOOK_REGION_DESCRIPTOR
_HOOK_OBJECTS_STATE::Objects
LIST_HEAD Objects
List of objects.
Definition: hook_object.h:55
IntHookObjectHookRegion
INTSTATUS IntHookObjectHookRegion(void *Object, QWORD Cr3, QWORD Gla, SIZE_T Length, BYTE Type, void *Callback, void *Context, DWORD Flags, HOOK_REGION_DESCRIPTOR **Region)
Hook a contiguous region of virtual memory inside the provided virtual address space.
Definition: hook_object.c:132
_HOOK_OBJECT_DESCRIPTOR::Cr3
QWORD Cr3
The CR3 of the object. If this is a kernel object, Cr3 must be 0.
Definition: hook_object.h:24
_HOOK_REGION_DESCRIPTOR::Link
LIST_ENTRY Link
The list entry element.
Definition: hook_object.h:39
PHOOK_OBJECT_DESCRIPTOR
struct _HOOK_OBJECT_DESCRIPTOR * PHOOK_OBJECT_DESCRIPTOR
IntHookObjectCreate
INTSTATUS IntHookObjectCreate(DWORD ObjectType, QWORD Cr3, void **Object)
Create a new hook object.
Definition: hook_object.c:81
_HOOK_REGION_DESCRIPTOR::HooksCount
DWORD HooksCount
Number of hooks set for this region of memory.
Definition: hook_object.h:42
_LIST_ENTRY
Definition: introlists.h:16
SIZE_T
size_t SIZE_T
Definition: intro_types.h:60
_HOOK_HEADER
Definition: hook.h:65