- Generated by
1.8.13
|
Bitdefender Hypervisor Memory Introspection
|
#include "introtypes.h"Go to the source code of this file.
Data Structures | |
| struct | _HOOK_PTEWS |
Macros | |
| #define | LAST_WRITE_RIP_MASK ((1ULL << 23) - 1) |
| We keep only the low 32 bits from the RIP. More... | |
Typedefs | |
| typedef struct _HOOK_PTEWS | HOOK_PTEWS |
| typedef struct _HOOK_PTEWS * | PHOOK_PTEWS |
Functions | |
| INTSTATUS | IntHookPtwEmulateWrite (QWORD Address) |
| Emulate a write that took place on page table entry at Address. More... | |
| INTSTATUS | IntHookPtwProcessWrite (PHOOK_PTEWS WriteState, QWORD Address, BYTE EntrySize, QWORD *OldValue, QWORD *NewValue) |
| Processes a page-table write, returning the old and the new page-table entry value. More... | |
| #define LAST_WRITE_RIP_MASK ((1ULL << 23) - 1) |
We keep only the low 32 bits from the RIP.
Definition at line 11 of file hook_ptwh.h.
Referenced by IntHookPtwProcessWrite().
| typedef struct _HOOK_PTEWS HOOK_PTEWS |
Page Table Entry Write State. Whenever processing a page-table write, this structure keeps the intermediate state, as a page-table write may only modify a partial chunk of the entry. We call the swap callbacks only when the entire page-table entry has been written.
| typedef struct _HOOK_PTEWS * PHOOK_PTEWS |
Emulate a write that took place on page table entry at Address.
This function will call the page table write emulator on the indicated physical address. This function will be called, usually, from the EPT write handler, whenever detecting a write on a page-table. This function will also fill the PtEmuBuffer field of the current VCPU with the relevant information: old page-table entry value and new page-table entry value.
| [in] | Address | Written page-table entry (guest physical address). |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_ALREADY_INITIALIZED_HINT | If a page-table write has already been emulated during this exit. |
Definition at line 12 of file hook_ptwh.c.
Referenced by IntHandleMemAccess().
| INTSTATUS IntHookPtwProcessWrite | ( | PHOOK_PTEWS | WriteState, |
| QWORD | Address, | ||
| BYTE | EntrySize, | ||
| QWORD * | OldValue, | ||
| QWORD * | NewValue | ||
| ) |
Processes a page-table write, returning the old and the new page-table entry value.
This function will process a page-table write and it will return the old and the new value inside that entry. Unlike IntHookPtwEmulateWrite, which emulates a raw write inside the page-table entry, this function works with full page-table entry modifications: if a write is made only to a portion of the page-table entry, this function will return INT_STATUS_PARTIAL_WRITE and the callers can deffer processing this page-table write until all remaining portions have been written as well. Example of a partial page-table write is PAE paging, which implies 8 byte entries in 32 bit mode: usually, these will be modified using two 4 byte stores. Because considering only one 4 byte write inside an 8 byte entry could lead to undefined behavior, Introcore waits for an entire page-table entry to be written before handling the write. NOTE: Occasionally, on Xen, we saw duplicate writes coming on the same page-table entry. On PAE paging, this lead to undefined behavior. Therefore, we don't allow two consecutive writes from the same RIP, since this indicates that a duplicate event was delivered.
| [in,out] | WriteState | The page-table write state. |
| [in] | Address | The written page-table entry (guest physical address). |
| [in] | EntrySize | The size of one page-table entry: 4 bytes (legacy paging) or 8 bytes (all other modes). |
| [out] | OldValue | Old page-table entry value. |
| [out] | NewValue | new page-table entry value. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
| INT_STATUS_NOT_INITIALIZED | If IntHookPtwEmulateWrite hasn't been already called for this write. |
| INT_STATUS_NOT_NEEDED_HINT | If it detects a duplicate write on the same portion of the entry. |
| INT_STATUS_PARTIAL_WRITE | If only a portion of the page-table entry was written. |
Definition at line 149 of file hook_ptwh.c.
Referenced by IntHookPtsWriteCallback(), and IntVasPageTableWriteCallback().
1.8.13