Bitdefender Hypervisor Memory Introspection
Data Structures | Macros | Typedefs | Functions
hook_ptm.h File Reference
#include "hook_gpa.h"

Go to the source code of this file.

Data Structures

struct  _HOOK_PTM_TABLE
 
struct  _HOOK_PTM
 
struct  _HOOK_PTM_STATE
 

Macros

#define PTM_HOOK_TABLE_SIZE   1024
 
#define PTM_HOOK_ID(addr)   (((addr) >> 12) & (PTM_HOOK_TABLE_SIZE - 1))
 
#define PTM_PAE_ROOT_HOOK_ID(addr)   (((addr) >> 5) & (PTM_HOOK_TABLE_SIZE - 1))
 

Typedefs

typedef struct _HOOK_PTM_TABLE HOOK_PTM_TABLE
 
typedef struct _HOOK_PTM_TABLEPHOOK_PTM_TABLE
 
typedef struct _HOOK_PTM HOOK_PTM
 
typedef struct _HOOK_PTMPHOOK_PTM
 
typedef struct _HOOK_PTM_STATE HOOK_PTM_STATE
 
typedef struct _HOOK_PTM_STATEPHOOK_PTM_STATE
 

Functions

INTSTATUS IntHookPtmSetHook (QWORD Address, PFUNC_EptViolationCallback Callback, void *Context, void *ParentHook, DWORD Flags, PHOOK_PTM *Hook)
 Set a hook on a page-table. More...
 
INTSTATUS IntHookPtmRemoveHook (HOOK_PTM **Hook, DWORD Flags)
 Remove a page-table hook handle. More...
 
INTSTATUS IntHookPtmDeleteHook (HOOK_PTM **Hook, DWORD Flags)
 Permanently delete a page-table hook handle. More...
 
INTSTATUS IntHookPtmCommitHooks (void)
 Commit the page-table hooks. More...
 
INTSTATUS IntHookPtmInit (void)
 Initialize the page-table hook system. More...
 

Macro Definition Documentation

◆ PTM_HOOK_ID

#define PTM_HOOK_ID (   addr)    (((addr) >> 12) & (PTM_HOOK_TABLE_SIZE - 1))

Definition at line 49 of file hook_ptm.h.

Referenced by IntHookPtmAddTable().

◆ PTM_HOOK_TABLE_SIZE

#define PTM_HOOK_TABLE_SIZE   1024

Definition at line 48 of file hook_ptm.h.

Referenced by IntHookPtmInit().

◆ PTM_PAE_ROOT_HOOK_ID

#define PTM_PAE_ROOT_HOOK_ID (   addr)    (((addr) >> 5) & (PTM_HOOK_TABLE_SIZE - 1))

Definition at line 50 of file hook_ptm.h.

Referenced by IntHookPtmAddTable().

Typedef Documentation

◆ HOOK_PTM

typedef struct _HOOK_PTM HOOK_PTM

Public handle for the page-table hooks. Each call to IntHookPtmSetHook will return a freshly allocated HOOK_PTM structure. However, only a single HOOK_PTM_TABLE will be allocated for each distinct page-table. Therefore, removing a HOOK_PTM will only decrement the reference count of the associated HOOK_PTM_TABLE hook, which will be removed only when the last pointing HOOK_PTM is removed.

◆ HOOK_PTM_STATE

typedef struct _HOOK_PTM_STATE HOOK_PTM_STATE

Global page-table hook state.

◆ HOOK_PTM_TABLE

typedef struct _HOOK_PTM_TABLE HOOK_PTM_TABLE

This structure describes one monitored page-table.

◆ PHOOK_PTM

typedef struct _HOOK_PTM * PHOOK_PTM

◆ PHOOK_PTM_STATE

typedef struct _HOOK_PTM_STATE * PHOOK_PTM_STATE

◆ PHOOK_PTM_TABLE

typedef struct _HOOK_PTM_TABLE * PHOOK_PTM_TABLE

Function Documentation

◆ IntHookPtmCommitHooks()

INTSTATUS IntHookPtmCommitHooks ( void  )

Commit the page-table hooks.

This function deletes all the hooks that have been removed. Only the hooks which were flagged with the HOOK_FLG_CHAIN_DELETE are spared, as it is expected that a higher level hook manager will delete them.

Return values
INT_STATUS_SUCCESSOn success.

Definition at line 688 of file hook_ptm.c.

Referenced by IntHookCommitAllHooks().

◆ IntHookPtmDeleteHook()

INTSTATUS IntHookPtmDeleteHook ( HOOK_PTM **  Hook,
DWORD  Flags 
)

Permanently delete a page-table hook handle.

Unlike IntHookPtmDeleteTableHook, this function only deletes the handle to a PHOOK_PTM_TABLE. The PHOOK_PTM_TABLE entry will actually be deleted only when its reference count reaches 0.

Parameters
[in]HookThe page-table hook.
[in]FlagsHook flags.
Return values
INT_STATUS_SUCCESSOn success.

Definition at line 643 of file hook_ptm.c.

Referenced by IntHookPtsDeletePdHook().

◆ IntHookPtmInit()

INTSTATUS IntHookPtmInit ( void  )

Initialize the page-table hook system.

Return values
INT_STATUS_SUCCESSOn success.

Definition at line 771 of file hook_ptm.c.

Referenced by IntHookInit().

◆ IntHookPtmRemoveHook()

INTSTATUS IntHookPtmRemoveHook ( HOOK_PTM **  Hook,
DWORD  Flags 
)

Remove a page-table hook handle.

Unlike IntHookPtmRemoveTableHook which removes a page-table hook, this function removes a user set page-table hook. If multiple hooks are established on the same page-table, this function will just decrement the reference count of the PHOOK_PTM_TABLE entry. Otherwise, it will remove the PHOOK_PTM_TABLE using the IntHookPtmRemoveTableHook.

Parameters
[in,out]HookThe hook to be removed.
[in]FlagsHook flags. If HOOK_FLG_CHAIN_DELETE, the hook will be deleted by a higher level hook manager, instead of the commit function.
Return values
INT_STATUS_SUCCESSOn success.

Definition at line 520 of file hook_ptm.c.

Referenced by IntHookPtsDisableEntry(), IntHookPtsEnableEntry(), IntHookPtsRemovePteHook(), and IntHookRemoveChain().

◆ IntHookPtmSetHook()

INTSTATUS IntHookPtmSetHook ( QWORD  Address,
PFUNC_EptViolationCallback  Callback,
void *  Context,
void *  ParentHook,
DWORD  Flags,
PHOOK_PTM Hook 
)

Set a hook on a page-table.

Establishes a hook on the given page-table. The provided callback will be called whenever any entry inside the page-table is modified.

Parameters
[in]AddressThe guest physical address of the page-table.
[in]CallbackThe page-table modification callback.
[in]ContextUser-defined context to be passed to the Callback.
[in]ParentHookHigher level hook, if any.
[in]FlagsHook flags. Check the HOOK_FLG* definitions.
[out]HookOptional output parameter that will contain a handle to the newly placed hook.
Return values
INT_STATUS_SUCCESSOn success.
INT_STATUS_INVALID_PARAMETERIf an invalid parameter is used.

Definition at line 325 of file hook_ptm.c.

Referenced by IntHookPtsCreateEntry(), and IntHookPtsEnableEntry().