doxygen/html/integrity_8h_source.html

 /*
  * Copyright (c) 2020 Bitdefender
  * SPDX-License-Identifier: Apache-2.0
  */
 #ifndef _INTEGRITY_H_
 #define _INTEGRITY_H_

 #include "introtypes.h"

 typedef INTSTATUS
 (*PFUNC_IntegrityViolationCallback)(
     _In_ void *IntegrityRegion
     );


 typedef struct _INTEGRITY_REGION
 {
     LIST_ENTRY                          Link;
     QWORD                               Gva;
     DWORD                               Length;
     DWORD                               OriginalHash;
     DWORD                               ModifiedHash;
     DWORD                               ViolationCount;
     INTRO_OBJECT_TYPE                   Type;
     void                                *Context;
     void                                *OriginalContent;
     PFUNC_IntegrityViolationCallback    Callback;
     BOOLEAN                             Deleted;
 } INTEGRITY_REGION, *PINTEGRITY_REGION;


 //
 // API
 //
 INTSTATUS
 IntIntegrityCheckAll(
     void
     );

 INTSTATUS
 IntIntegrityAddRegion(
     _In_ QWORD VirtualAddress,
     _In_ DWORD Length,
     _In_ INTRO_OBJECT_TYPE Type,
     _In_opt_ void *Context,
     _In_ PFUNC_IntegrityViolationCallback Callback,
     _In_ BOOLEAN CopyContent,
     _Out_ void **Descriptor
     );

 INTSTATUS
 IntIntegrityRecalculate(
     _In_ INTEGRITY_REGION *IntegrityRegion
     );

 INTSTATUS
 IntIntegrityRemoveRegion(
     _In_ void *Descriptor
     );

 INTSTATUS
 IntIntegrityDeleteRegion(
     _In_ void *Descriptor
     );

 void
 IntIntegrityDump(
     void
     );

 INTSTATUS
 IntIntegrityUninit(
     void
     );

 #endif  // _INTEGRITY_H_
_In_opt_
#define _In_opt_
Definition: intro_sal.h:16

_Out_
#define _Out_
Definition: intro_sal.h:22

BOOLEAN
_Bool BOOLEAN
Definition: intro_types.h:58

_In_
#define _In_
Definition: intro_sal.h:21

IntIntegrityAddRegion
INTSTATUS IntIntegrityAddRegion(QWORD VirtualAddress, DWORD Length, INTRO_OBJECT_TYPE Type, void *Context, PFUNC_IntegrityViolationCallback Callback, BOOLEAN CopyContent, void **Descriptor)
Creates an INTEGRITY_REGION object and adds it to the gIntegrityRegions list.
Definition: integrity.c:91

_INTEGRITY_REGION::Context
void * Context
User supplied context, see IntIntegrityAddRegion for an example.
Definition: integrity.h:41

_INTEGRITY_REGION::Callback
PFUNC_IntegrityViolationCallback Callback
The callback to be called when a violation occurs.
Definition: integrity.h:45

INTSTATUS
int INTSTATUS
The status data type.
Definition: introstatus.h:24

PFUNC_IntegrityViolationCallback
INTSTATUS(* PFUNC_IntegrityViolationCallback)(void *IntegrityRegion)
Integrity violation callback.
Definition: integrity.h:20

IntIntegrityDeleteRegion
INTSTATUS IntIntegrityDeleteRegion(void *Descriptor)
Marks the given integrity region for deletion. It will be removed after calling all the integrity cal...
Definition: integrity.c:348

_INTEGRITY_REGION::Link
LIST_ENTRY Link
Link to the next integrity region.
Definition: integrity.h:30

_INTEGRITY_REGION::ViolationCount
DWORD ViolationCount
The number of detected modifications on the given region.
Definition: integrity.h:37

_INTEGRITY_REGION
Definition: integrity.h:28

PINTEGRITY_REGION
struct _INTEGRITY_REGION * PINTEGRITY_REGION

_INTEGRITY_REGION::Type
INTRO_OBJECT_TYPE Type
The associated INTRO_OBJECT_TYPE with the protected region.
Definition: integrity.h:39

INTRO_OBJECT_TYPE
enum _INTRO_OBJECT_TYPE INTRO_OBJECT_TYPE
The type of the object protected by an EPT hook.

IntIntegrityRecalculate
INTSTATUS IntIntegrityRecalculate(INTEGRITY_REGION *IntegrityRegion)
Recalculates the hash and reads the original content again for a given region.
Definition: integrity.c:242

introtypes.h

IntIntegrityUninit
INTSTATUS IntIntegrityUninit(void)
Uninits the integrity mechanism by removing every integrity region from the list. ...
Definition: integrity.c:503

_INTEGRITY_REGION::OriginalHash
DWORD OriginalHash
Definition: integrity.h:33

_INTEGRITY_REGION::Deleted
BOOLEAN Deleted
Set TRUE for postpone deleting of integrity regions (e.g. deleting from callback) ...
Definition: integrity.h:47

QWORD
unsigned long long QWORD
Definition: intro_types.h:53

_INTEGRITY_REGION::ModifiedHash
DWORD ModifiedHash
The newly computed hash when a modification is detected.
Definition: integrity.h:35

_INTEGRITY_REGION::Gva
QWORD Gva
The guest virtual address where the region starts.
Definition: integrity.h:31

DWORD
uint32_t DWORD
Definition: intro_types.h:49

IntIntegrityRemoveRegion
INTSTATUS IntIntegrityRemoveRegion(void *Descriptor)
Removes an integrity region from the gIntegrityRegions list.
Definition: integrity.c:313

IntIntegrityDump
void IntIntegrityDump(void)
Dumps all the INTEGRITY_REGION structures from gIntegrityRegions. Used mainly for debugging...
Definition: integrity.c:486

_INTEGRITY_REGION::OriginalContent
void * OriginalContent
A buffer containing the original bytes of the associated region.
Definition: integrity.h:43

INTEGRITY_REGION
struct _INTEGRITY_REGION INTEGRITY_REGION

_INTEGRITY_REGION::Length
DWORD Length
The length of the current region, in bytes.
Definition: integrity.h:32

IntIntegrityCheckAll
INTSTATUS IntIntegrityCheckAll(void)
The function which is called once every second and checks all the integrity regions.
Definition: integrity.c:377

_LIST_ENTRY
Definition: introlists.h:16