Bitdefender Hypervisor Memory Introspection
hook_ptm.h
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2020 Bitdefender
3  * SPDX-License-Identifier: Apache-2.0
4  */
5 #ifndef _HOOK_PTM_H_
6 #define _HOOK_PTM_H_
7 
8 #include "hook_gpa.h"
9 
10 
14 typedef struct _HOOK_PTM_TABLE
15 {
16  HOOK_HEADER Header;
17  LIST_ENTRY Link;
18  QWORD Gpa;
19  PHOOK_GPA GpaHook;
20  BOOLEAN GpaHookSet;
21  DWORD RefCount;
23  DWORD DelCount;
24  DWORD EntriesCount;
25  LIST_ENTRY *Entries;
28 } HOOK_PTM_TABLE, *PHOOK_PTM_TABLE;
29 
30 
37 typedef struct _HOOK_PTM
38 {
39  HOOK_HEADER Header;
40  LIST_ENTRY Link;
41  QWORD Address;
42  PHOOK_PTM_TABLE PtHook;
43  PFUNC_EptViolationCallback Callback;
45 } HOOK_PTM, *PHOOK_PTM;
46 
47 
48 #define PTM_HOOK_TABLE_SIZE 1024
49 #define PTM_HOOK_ID(addr) (((addr) >> 12) & (PTM_HOOK_TABLE_SIZE - 1))
50 #define PTM_PAE_ROOT_HOOK_ID(addr) (((addr) >> 5) & (PTM_HOOK_TABLE_SIZE - 1))
51 
52 
56 typedef struct _HOOK_PTM_STATE
57 {
58  LIST_ENTRY PtmHooks[PTM_HOOK_TABLE_SIZE];
59  LIST_ENTRY RemovedPtmHooks;
60  LIST_ENTRY RemovedPtHooks;
61  BOOLEAN HooksRemoved;
62 } HOOK_PTM_STATE, *PHOOK_PTM_STATE;
63 
64 
65 //
66 // API
67 //
68 INTSTATUS
69 IntHookPtmSetHook(
70  _In_ QWORD Address,
71  _In_ PFUNC_EptViolationCallback Callback,
72  _In_ void *Context,
73  _In_ void *ParentHook,
74  _In_ DWORD Flags,
75  _Out_opt_ PHOOK_PTM *Hook
76  );
77 
78 INTSTATUS
79 IntHookPtmRemoveHook(
80  _Inout_ HOOK_PTM **Hook,
81  _In_ DWORD Flags
82  );
83 
84 INTSTATUS
85 IntHookPtmDeleteHook(
86  _In_ HOOK_PTM **Hook,
87  _In_ DWORD Flags
88  );
89 
90 INTSTATUS
91 IntHookPtmCommitHooks(
92  void
93  );
94 
95 INTSTATUS
96 IntHookPtmInit(
97  void
98  );
99 
100 #endif // _HOOK_PTM_H_
_HOOK_PTM_TABLE::GpaHook
PHOOK_GPA GpaHook
The GPA hook set on this page-table.
Definition: hook_ptm.h:19
IntHookPtmRemoveHook
INTSTATUS IntHookPtmRemoveHook(HOOK_PTM **Hook, DWORD Flags)
Remove a page-table hook handle.
Definition: hook_ptm.c:520
_HOOK_PTM_STATE::RemovedPtmHooks
LIST_ENTRY RemovedPtmHooks
List of removed page-table hooks (HOOK_PTM_TABLE).
Definition: hook_ptm.h:59
BOOLEAN
_Bool BOOLEAN
Definition: intro_types.h:58
_HOOK_PTM::PtHook
PHOOK_PTM_TABLE PtHook
Definition: hook_ptm.h:42
_In_
#define _In_
Definition: intro_sal.h:21
PTM_HOOK_TABLE_SIZE
#define PTM_HOOK_TABLE_SIZE
Definition: hook_ptm.h:48
PHOOK_PTM
struct _HOOK_PTM * PHOOK_PTM
PHOOK_PTM_TABLE
struct _HOOK_PTM_TABLE * PHOOK_PTM_TABLE
INTSTATUS
int INTSTATUS
The status data type.
Definition: introstatus.h:24
_HOOK_PTM_TABLE::Header
HOOK_HEADER Header
Hook header - used by all memory hooks.
Definition: hook_ptm.h:16
_HOOK_GPA
Definition: hook_gpa.h:41
PHOOK_PTM_STATE
struct _HOOK_PTM_STATE * PHOOK_PTM_STATE
_Inout_
#define _Inout_
Definition: intro_sal.h:20
hook_gpa.h
_Out_opt_
#define _Out_opt_
Definition: intro_sal.h:30
QWORD
unsigned long long QWORD
Definition: intro_types.h:53
_HOOK_PTM::Address
QWORD Address
Guest physical address of the monitored page-table entry.
Definition: hook_ptm.h:41
HOOK_PTM_STATE
struct _HOOK_PTM_STATE HOOK_PTM_STATE
_HOOK_PTM_TABLE::EntriesCount
DWORD EntriesCount
Definition: hook_ptm.h:24
IntHookPtmDeleteHook
INTSTATUS IntHookPtmDeleteHook(HOOK_PTM **Hook, DWORD Flags)
Permanently delete a page-table hook handle.
Definition: hook_ptm.c:643
IntHookPtmInit
INTSTATUS IntHookPtmInit(void)
Initialize the page-table hook system.
Definition: hook_ptm.c:771
DWORD
uint32_t DWORD
Definition: intro_types.h:49
_HOOK_PTM_TABLE::Entries
LIST_ENTRY * Entries
A list of hooked entries. When a HOOK_PTS_ENTRY is created for entry at offset X, Entries[x] will con...
Definition: hook_ptm.h:27
HOOK_PTM
struct _HOOK_PTM HOOK_PTM
IntHookPtmCommitHooks
INTSTATUS IntHookPtmCommitHooks(void)
Commit the page-table hooks.
Definition: hook_ptm.c:688
_HOOK_PTM_TABLE::DelCount
DWORD DelCount
Number of delete requests. The entry will be deleted when this reaches 0.
Definition: hook_ptm.h:23
_HOOK_PTM_STATE
Definition: hook_ptm.h:56
PFUNC_EptViolationCallback
INTSTATUS(* PFUNC_EptViolationCallback)(void *Context, void *Hook, QWORD Address, INTRO_ACTION *Action)
EPT callback handler.
Definition: hook_gpa.h:30
_HOOK_PTM_STATE::RemovedPtHooks
LIST_ENTRY RemovedPtHooks
List of removed PTM hooks (HOOK_PTM).
Definition: hook_ptm.h:60
_HOOK_PTM_TABLE::RefCount
DWORD RefCount
Number of references - number of HOOK_PTM structures that point to this entry.
Definition: hook_ptm.h:22
_HOOK_PTM_TABLE::Gpa
QWORD Gpa
The page-table guest physical address.
Definition: hook_ptm.h:18
_HOOK_PTM_TABLE
Definition: hook_ptm.h:14
_HOOK_PTM::Link
LIST_ENTRY Link
List entry link.
Definition: hook_ptm.h:40
_HOOK_PTM_TABLE::GpaHookSet
BOOLEAN GpaHookSet
Definition: hook_ptm.h:20
IntHookPtmSetHook
INTSTATUS IntHookPtmSetHook(QWORD Address, PFUNC_EptViolationCallback Callback, void *Context, void *ParentHook, DWORD Flags, PHOOK_PTM *Hook)
Set a hook on a page-table.
Definition: hook_ptm.c:325
_HOOK_PTM
Definition: hook_ptm.h:37
_HOOK_PTM::Header
HOOK_HEADER Header
Hook header - used by all memory hooks.
Definition: hook_ptm.h:39
HOOK_PTM_TABLE
struct _HOOK_PTM_TABLE HOOK_PTM_TABLE
_HOOK_PTM_STATE::HooksRemoved
BOOLEAN HooksRemoved
True if hooks have been removed.
Definition: hook_ptm.h:61
_HOOK_PTM_TABLE::Link
LIST_ENTRY Link
List entry link.
Definition: hook_ptm.h:17
_LIST_ENTRY
Definition: introlists.h:16
_HOOK_HEADER
Definition: hook.h:65