- Generated by
1.8.13
|
Bitdefender Hypervisor Memory Introspection
|
Go to the source code of this file.
Functions | |
| INTSTATUS | IntHookPtwEmulateWrite (QWORD Address) |
| Emulate a write that took place on page table entry at Address. More... | |
| INTSTATUS | IntHookPtwProcessWrite (PHOOK_PTEWS WriteState, QWORD Address, BYTE EntrySize, QWORD *OldValue, QWORD *NewValue) |
| Processes a page-table write, returning the old and the new page-table entry value. More... | |
Emulate a write that took place on page table entry at Address.
This function will call the page table write emulator on the indicated physical address. This function will be called, usually, from the EPT write handler, whenever detecting a write on a page-table. This function will also fill the PtEmuBuffer field of the current VCPU with the relevant information: old page-table entry value and new page-table entry value.
| [in] | Address | Written page-table entry (guest physical address). |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_ALREADY_INITIALIZED_HINT | If a page-table write has already been emulated during this exit. |
Definition at line 12 of file hook_ptwh.c.
Referenced by IntHandleMemAccess().
| INTSTATUS IntHookPtwProcessWrite | ( | PHOOK_PTEWS | WriteState, |
| QWORD | Address, | ||
| BYTE | EntrySize, | ||
| QWORD * | OldValue, | ||
| QWORD * | NewValue | ||
| ) |
Processes a page-table write, returning the old and the new page-table entry value.
This function will process a page-table write and it will return the old and the new value inside that entry. Unlike IntHookPtwEmulateWrite, which emulates a raw write inside the page-table entry, this function works with full page-table entry modifications: if a write is made only to a portion of the page-table entry, this function will return INT_STATUS_PARTIAL_WRITE and the callers can deffer processing this page-table write until all remaining portions have been written as well. Example of a partial page-table write is PAE paging, which implies 8 byte entries in 32 bit mode: usually, these will be modified using two 4 byte stores. Because considering only one 4 byte write inside an 8 byte entry could lead to undefined behavior, Introcore waits for an entire page-table entry to be written before handling the write. NOTE: Occasionally, on Xen, we saw duplicate writes coming on the same page-table entry. On PAE paging, this lead to undefined behavior. Therefore, we don't allow two consecutive writes from the same RIP, since this indicates that a duplicate event was delivered.
| [in,out] | WriteState | The page-table write state. |
| [in] | Address | The written page-table entry (guest physical address). |
| [in] | EntrySize | The size of one page-table entry: 4 bytes (legacy paging) or 8 bytes (all other modes). |
| [out] | OldValue | Old page-table entry value. |
| [out] | NewValue | new page-table entry value. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
| INT_STATUS_NOT_INITIALIZED | If IntHookPtwEmulateWrite hasn't been already called for this write. |
| INT_STATUS_NOT_NEEDED_HINT | If it detects a duplicate write on the same portion of the entry. |
| INT_STATUS_PARTIAL_WRITE | If only a portion of the page-table entry was written. |
Definition at line 149 of file hook_ptwh.c.
Referenced by IntHookPtsWriteCallback(), and IntVasPageTableWriteCallback().
1.8.13