14 #define HOOK_PTS_FLG_DELETE_PT_HOOK 0x00000100 15 #define HOOK_PTS_FLG_DELETE_PD_HOOK 0x00000200 19 #define HOOK_PTS_MONITORED_BITS (PT_P | PD_PS | PT_US | PT_RW | 0x000FFFFFFFFFF000) 21 #define HOOK_PT_HASH_SIZE 64 22 #define HOOK_PT_HASH_ID(x) (((x) >> 12) & (HOOK_PT_HASH_SIZE - 1)) 23 #define HOOK_PT_PAE_ROOT_HASH_ID(x) (((x) >> 5) & (HOOK_PT_HASH_SIZE - 1)) 133 _Out_ PHOOK_PTS *Hook
160 _In_ PHOOK_PTS_ENTRY Entry,
175 #endif // _HOOK_PTS_H
LIST_HEAD RemovedHooksPdpList
List of removed page-directory pointer entry hooks.
BYTE EntrySize
4 (32 bit paging) or 8 (PAE or 64 bit paging)
LIST_ENTRY Link
List element.
QWORD OldEntry
Previous page-table entry.
INTSTATUS IntHookPtsWriteEntry(PHOOK_PTS_ENTRY Entry, QWORD OldValue, QWORD NewValue)
Tests the translation modification handler.
LIST_ENTRY PtsLink
Link inside the HooksPtsList.
LIST_HEAD ChildrenEntries
Children entries. Will be empty for leafs. Each entry is a HOOK_PTS_ENTRY.
struct _HOOK_PTS_ENTRY * PHOOK_PTS_ENTRY
QWORD OldPageSize
Previous page size.
QWORD Cr3
Virtual address space where the address is monitored.
LIST_HEAD RemovedHooksPml4List
List of removed PML4 entry hooks.
struct _HOOK_PTS_STATE * PHOOK_PTS_STATE
BOOLEAN IsPs
True if this entry is a page size extension, and points to a 2M/4M/1G page.
int INTSTATUS
The status data type.
INTSTATUS IntHookPtsCommitHooks(void)
Commit all PTS hook modifications.
LIST_HEAD HooksPtsList
List of swap hooks.
QWORD CurPageSize
Current page size.
INTSTATUS IntHookPtsSetHook(QWORD Cr3, QWORD VirtualAddress, PFUNC_SwapCallback Callback, void *Context, void *Parent, DWORD Flags, PHOOK_PTS *Hook)
Start monitoring translation modifications for the given VirtualAddress.
BOOLEAN IntegrityCheckFailed
True if integrity checks failed on this translation.
WORD EntryOffset
Entry offset inside the monitored page-table.
struct _HOOK_PTS_STATE HOOK_PTS_STATE
LIST_HEAD RemovedHooksPtList
List of removed page-table entry hooks.
QWORD CurEntry
Current page-table entry.
HOOK_HEADER Header
Hook header - must be present for every hook.
HOOK_HEADER Header
Hook header - must be present for every hook.
INTSTATUS IntHookPtsRemoveHook(HOOK_PTS **Hook, DWORD Flags)
Remove a PTS hook.
INTSTATUS(* PFUNC_SwapCallback)(void *Context, QWORD VirtualAddress, QWORD OldEntry, QWORD NewEntry, QWORD OldPageSize, QWORD NewPageSize)
Callback invoked on translation modifications.
DWORD RefCount
Number of references.
QWORD PtPaAddress
Physical address of the PT/PD/PDP/PML4/PML5 entry associated to this particular page.
BOOLEAN HooksRemoved
True if any hook has been removed.
LIST_HEAD ContextEntries
The actual contexts. Each context will be a HOOK_PTS structure.
LIST_HEAD RemovedHooksPtsList
List of removed PTS entries.
INTSTATUS IntHookPtsDeleteHook(HOOK_PTS **Hook, DWORD Flags)
Permanently delete the PTS hook.
PHOOK_PTS_ENTRY Parent
The leaf page-table entry hook associated with this address.
struct _HOOK_PTS HOOK_PTS
BOOLEAN PtPaHookSet
True if a hook is placed on the PT entry.
INTSTATUS IntHookPtsCheckIntegrity(void)
Checks the integrity of the existing page-table hooks. Used for debugging the PT filter.
PFUNC_SwapCallback Callback
Swap callback.
BOOLEAN IsValid
This referrers to the entry contained by this PTE. If true, it points to a valid table.
struct _HOOK_PTS_ENTRY HOOK_PTS_ENTRY
LIST_HEAD RemovedHooksPdList
List of removed page-directory entry hooks.
BYTE Level
Page table level (1 - PT, 5 - PML5)
LIST_HEAD RemovedHooksPml5List
List of removed PML5 entry hooks.
struct _HOOK_PTS * PHOOK_PTS
HOOK_PTEWS WriteState
Write state.
LIST_HEAD * CallbacksList
List of callbacks.
LIST_ENTRY Link
Link inside the containing list.
LIST_HEAD RemovedHooksRootList
List of removed root entries.
INTSTATUS IntHookPtsInit(void)
Initializes the PTS hooks system.
QWORD VirtualAddress
The monitored virtual address.
#define HOOK_PT_HASH_SIZE
void IntHookPtsDump(void)
Prints all the page table hooks.
1.8.13