Bitdefender Hypervisor Memory Introspection
hook_ptwh.h
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2020 Bitdefender
3  * SPDX-License-Identifier: Apache-2.0
4  */
5 #ifndef _HOOK_PTWH_H_
6 #define _HOOK_PTWH_H_
7 
8 #include "introtypes.h"
9 
10 
11 #define LAST_WRITE_RIP_MASK ((1ULL << 23) - 1)
12 
13 typedef struct _HOOK_PTEWS
19 {
20  QWORD CurEntry;
21  QWORD IntEntry;
22  DWORD WrittenMask : 8;
24  DWORD LastWriteRip : 23;
25  DWORD LastWriteSize : 1;
26 } HOOK_PTEWS, *PHOOK_PTEWS;
27 
28 
29 //
30 // API
31 //
32 INTSTATUS
33 IntHookPtwEmulateWrite(
34  _In_ QWORD Address
35  );
36 
37 _Success_(return == INT_STATUS_SUCCESS)
38 INTSTATUS
39 IntHookPtwProcessWrite(
40  _Inout_ PHOOK_PTEWS WriteState,
41  _In_ QWORD Address,
42  _In_ BYTE EntrySize,
43  _Out_ QWORD *OldValue,
44  _Out_ QWORD *NewValue
45  );
46 
47 
48 #endif // _HOOK_PTWH_H_
_Out_
#define _Out_
Definition: intro_sal.h:22
BYTE
uint8_t BYTE
Definition: intro_types.h:47
_In_
#define _In_
Definition: intro_sal.h:21
INT_STATUS_SUCCESS
#define INT_STATUS_SUCCESS
Definition: introstatus.h:54
_Success_
#define _Success_(expr)
Definition: intro_sal.h:47
_HOOK_PTEWS::IntEntry
QWORD IntEntry
Definition: hook_ptwh.h:21
_HOOK_PTEWS::WrittenMask
DWORD WrittenMask
Bit mask indicating which bytes inside the page-table entry have been written.
Definition: hook_ptwh.h:23
INTSTATUS
int INTSTATUS
The status data type.
Definition: introstatus.h:24
_Inout_
#define _Inout_
Definition: intro_sal.h:20
QWORD
unsigned long long QWORD
Definition: intro_types.h:53
_HOOK_PTEWS
Definition: hook_ptwh.h:18
IntHookPtwEmulateWrite
INTSTATUS IntHookPtwEmulateWrite(QWORD Address)
Emulate a write that took place on page table entry at Address.
Definition: hook_ptwh.c:12
DWORD
uint32_t DWORD
Definition: intro_types.h:49
HOOK_PTEWS
struct _HOOK_PTEWS HOOK_PTEWS
_HOOK_PTEWS::CurEntry
QWORD CurEntry
Current page-table entry value.
Definition: hook_ptwh.h:20
_HOOK_PTEWS::LastWriteRip
DWORD LastWriteRip
Last RIP that wrote this entry (low 23 bits only).
Definition: hook_ptwh.h:24
PHOOK_PTEWS
struct _HOOK_PTEWS * PHOOK_PTEWS
_HOOK_PTEWS::LastWriteSize
DWORD LastWriteSize
The size of the last write (1 == 8 bytes, 0 == 4 bytes).
Definition: hook_ptwh.h:25
IntHookPtwProcessWrite
INTSTATUS IntHookPtwProcessWrite(PHOOK_PTEWS WriteState, QWORD Address, BYTE EntrySize, QWORD *OldValue, QWORD *NewValue)
Processes a page-table write, returning the old and the new page-table entry value.
Definition: hook_ptwh.c:149