- Generated by
1.8.13
|
Bitdefender Hypervisor Memory Introspection
|
Go to the source code of this file.
Functions | |
| INTSTATUS | IntEferRead (QWORD CpuNumber, QWORD *Efer) |
| Reads the value of the guest IA32 EFER MSR. More... | |
| INTSTATUS | IntRipRead (DWORD CpuNumber, QWORD *Rip) |
| Reads the value of the guest RIP. More... | |
| INTSTATUS | IntIdtFindBase (DWORD CpuNumber, QWORD *Base, WORD *Limit) |
| Returns the IDT base and limit for a guest CPU. More... | |
| INTSTATUS | IntIdtGetEntry (DWORD CpuNumber, DWORD Entry, QWORD *Handler) |
| Get the handler of an interrupt from the IDT. More... | |
| INTSTATUS | IntGdtFindBase (DWORD CpuNumber, QWORD *GdtBase, WORD *GdtLimit) |
| Returns the GDT base and limit for a guest CPU. More... | |
| INTSTATUS | IntFsRead (DWORD CpuNumber, QWORD *FsValue) |
| Reads the IA32_FS_BASE guest MSR. More... | |
| INTSTATUS | IntGsRead (DWORD CpuNumber, QWORD *GsValue) |
| Reads the IA32_GS_BASE guest MSR. More... | |
| static INTSTATUS | IntKernelGsRead (DWORD CpuNumber, QWORD *GsValue) |
| Reads the IA32_KERNEL_GS_BASE guest MSR. More... | |
| INTSTATUS | IntCr0Read (DWORD CpuNumber, QWORD *Cr0Value) |
| Reads the value of the guest CR0. More... | |
| INTSTATUS | IntCr3Read (DWORD CpuNumber, QWORD *Cr3Value) |
| Reads the value of the guest CR3. More... | |
| INTSTATUS | IntCr4Read (DWORD CpuNumber, QWORD *Cr4Value) |
| Reads the value of the guest CR4. More... | |
| INTSTATUS | IntCr8Read (DWORD CpuNumber, QWORD *Cr8Value) |
| Reads the value of the guest CR8. More... | |
| INTSTATUS | IntSysenterRead (DWORD CpuNumber, QWORD *SysCs, QWORD *SysEip, QWORD *SysEsp) |
| Queries the IA32_SYSENTER_CS, IA32_SYSENTER_EIP, and IA32_SYSENTER_ESP guest MSRs. More... | |
| INTSTATUS | IntSyscallRead (DWORD CpuNumber, QWORD *SysStar, QWORD *SysLstar) |
| Queries the IA32_STAR, and IA32_LSTAR guest MSRs. More... | |
| INTSTATUS | IntDebugCtlRead (DWORD CpuNumber, QWORD *DebugCtl) |
| Queries the IA32_DEBUGCTL guest MSR. More... | |
| INTSTATUS | IntLbrRead (DWORD BuffersSize, QWORD *LbrFrom, QWORD *LbrTo) |
| INTSTATUS | IntLerRead (QWORD *LerFrom, QWORD *LerTo) |
| DWORD | IntGetCurrentCpu (void) |
| Returns the current CPU number. More... | |
| INTSTATUS | IntGetGprs (DWORD CpuNumber, PIG_ARCH_REGS Regs) |
| Get the current guest GPR state. More... | |
| INTSTATUS | IntSetGprs (DWORD CpuNumber, PIG_ARCH_REGS Regs) |
| Sets the values of the guest GPRs. More... | |
| INTSTATUS | IntGetCurrentRing (DWORD CpuNumber, DWORD *Ring) |
| Read the current protection level. More... | |
| INTSTATUS | IntGetCurrentMode (DWORD CpuNumber, DWORD *Mode) |
| Read the current CS type. More... | |
| INTSTATUS | IntGetSegs (DWORD CpuNumber, PIG_SEG_REGS Regs) |
| Read the guest segment registers. More... | |
| INTSTATUS | IntGetXsaveAreaSize (DWORD *Size) |
| Get the size of the guest XSAVE area on the current CPU. More... | |
| INTSTATUS | IntGetXcr0 (DWORD CpuNumber, QWORD *Xcr0Value) |
| Get the value of the guest XCR0 register. More... | |
| INTSTATUS | IntGetXsaveArea (DWORD CpuNumber, XSAVE_AREA *XsaveArea) |
| Get the contents of the guest XSAVE area. More... | |
| INTSTATUS | IntSetXsaveArea (DWORD CpuNumber, XSAVE_AREA *XsaveArea) |
| Sets the contents of the guest XSAVE area. More... | |
| INTSTATUS | IntFindKernelPcr (DWORD CpuNumber, QWORD *Pcr) |
| Finds the address of the Windows kernel _KPCR. More... | |
| INTSTATUS | IntGetAllRegisters (DWORD CpuNumber, PIG_ARCH_REGS Regs) |
| Returns the entire guest register state. This will return the GPRs, control registers, and IDT and GDT base and limit. This also bypasses the cache used by IntGetGprs. More... | |
| INTSTATUS | IntGetCurrentEptIndex (DWORD CpuNumber, DWORD *EptpIndex) |
| Get the EPTP index of the currently loaded EPT. More... | |
| INTSTATUS | IntGetMaxGpfn (QWORD *MaxGpfn) |
| Get the last physical page frame number accessible by the guest. More... | |
Reads the value of the guest CR0.
If CpuNumber points to the current CPU and the value is already known and cached inside gVcpu, it is not re-read from the guest, and the cached value is returned, as it can not change while introcore is handling an event because the guest is not running on that CPU. The value can not change by using IntSetGprs.
| [in] | CpuNumber | The CPU from which the CR0 is read. Can be IG_CURRENT_VCPU for this CPU |
| [out] | Cr0Value | On success, the value the CR0 register |
| INT_STATUS_SUCCESS | in case of success |
| INT_STATUS_INVALID_PARAMETER_2 | if Cr0Value is NULL |
Definition at line 363 of file introcpu.c.
Referenced by IntIterateVirtualAddressSpace(), and IntWinGetActiveCpuCount().
Reads the value of the guest CR3.
If CpuNumber points to the current CPU and the value is already known and cached inside gVcpu, it is not re-read from the guest, and the cached value is returned, as it can not change while Introcore is handling an event because the guest is not running on that CPU. The value can not change by using IntSetGprs.
| [in] | CpuNumber | The CPU from which the CR3 is read. Can be IG_CURRENT_VCPU for this CPU |
| [out] | Cr3Value | On success, the value the CR3 register |
| INT_STATUS_SUCCESS | in case of success |
| INT_STATUS_INVALID_PARAMETER_2 | if Cr3Value is NULL |
Definition at line 415 of file introcpu.c.
Referenced by IntAlertFillWinProcessCurrent(), IntDumpGvaEx(), IntPeFindFunctionStart(), IntSwapMemInjectPendingPF(), IntTranslateVirtualAddress(), IntVasPageTableWriteCallback(), IntVirtMemMap(), IntVirtMemReadWrite(), IntVirtMemSafeWrite(), IntVirtMemSet(), IntWinAgentDeployWinDriver(), IntWinGetActiveCpuCount(), IntWinGuestFindSystemCr3(), and IntWinGuestNew().
Reads the value of the guest CR4.
If CpuNumber points to the current CPU and the value is already known and cached inside gVcpu, it is not re-read from the guest, and the cached value is returned, as it can not change while introcore is handling an event because the guest is not running on that CPU. The value can not change by using IntSetGprs.
| [in] | CpuNumber | The CPU from which the CR4 is read. Can be IG_CURRENT_VCPU for this CPU |
| [out] | Cr4Value | On success, the value the CR4 register |
| INT_STATUS_SUCCESS | in case of success |
| INT_STATUS_INVALID_PARAMETER_2 | if Cr4Value is NULL |
Definition at line 467 of file introcpu.c.
Referenced by IntIterateVirtualAddressSpace().
Reads the value of the guest CR8.
If CpuNumber points to the current CPU and the value is already known and cached inside gVcpu, it is not re-read from the guest, and the cached value is returned, as it can not change while introcore is handling an event because the guest is not running on that CPU. The value can not change by using IntSetGprs.
| [in] | CpuNumber | The CPU from which the CR8 is read. Can be IG_CURRENT_VCPU for this CPU |
| [out] | Cr8Value | On success, the value the CR8 register |
| INT_STATUS_SUCCESS | in case of success |
| INT_STATUS_INVALID_PARAMETER_2 | if Cr8Value is NULL |
Definition at line 519 of file introcpu.c.
Queries the IA32_DEBUGCTL guest MSR.
| [in] | CpuNumber | The CPU from which the MSR is read. Can be IG_CURRENT_VCPU for this CPU |
| [out] | DebugCtl | On success, the value of the IA32_DEBUGCTL MSR. May be NULL. |
Definition at line 684 of file introcpu.c.
Reads the value of the guest IA32 EFER MSR.
| [in] | CpuNumber | The CPU from which the MSR is read. Can be IG_CURRENT_VCPU for this CPU |
| [out] | Efer | On success, the value of the MSR |
| INT_STATUS_SUCCESS | in case of success |
| INT_STATUS_INVALID_PARAMETER_2 | if Efer is NULL |
Definition at line 12 of file introcpu.c.
Referenced by IntFindKernelPcr(), IntGuestGetPagingMode(), IntGuestInitMemoryInfo(), and IntIterateVirtualAddressSpace().
Finds the address of the Windows kernel _KPCR.
For 64-bit guests, this is done by reading either the IA32_GS_BASE MSR, or the IA32_KERNEL_GS_BASE MSR if the first one does not point inside the kernel. For 32-bit guests it is obtained from the guest GDT.
| [in] | CpuNumber | The CPU for which the _KPCR address is read. Can be IG_CURRENT_VCPU for this CPU |
| [out] | Pcr | On success, the address of the _KPCR structure |
| INT_STATUS_SUCCESS | in case of success |
| INT_STATUS_NOT_FOUND | if the _KPCR address is not found |
Definition at line 1116 of file introcpu.c.
Referenced by DbgLogKpcr(), IntWinGuestFindIdleCr3(), IntWinGuestFindKernelCr3(), IntWinIntObjProtect(), and IntWinThrGetCurrentThread().
Reads the IA32_FS_BASE guest MSR.
| [in] | CpuNumber | The CPU from which the MSR is read. Can be IG_CURRENT_VCPU for this CPU |
| [out] | FsValue | On success, the value of the MSR |
| INT_STATUS_SUCCESS | in case of success |
| INT_STATUS_INVALID_PARAMETER_2 | if FsValue is NULL |
Definition at line 252 of file introcpu.c.
Referenced by IntWinGuestNew(), and IntWinThrGetCurrentTib().
Returns the GDT base and limit for a guest CPU.
| [in] | CpuNumber | The CPU from which the GDT is read. Can be IG_CURRENT_VCPU for this CPU |
| [out] | GdtBase | On success, the base of the GDT |
| [out] | GdtLimit | On success, the limit of the GDT. May be NULL |
| INT_STATUS_SUCCESS | in case of success |
| INT_STATUS_INVALID_PARAMETER_2 | if GdtBase is NULL |
Definition at line 206 of file introcpu.c.
Referenced by IntFindKernelPcr(), IntHandleDtrViolation(), and IntVeDeliverDriverForLoad().
| INTSTATUS IntGetAllRegisters | ( | DWORD | CpuNumber, |
| PIG_ARCH_REGS | Regs | ||
| ) |
Returns the entire guest register state. This will return the GPRs, control registers, and IDT and GDT base and limit. This also bypasses the cache used by IntGetGprs.
| [in] | CpuNumber | The CPU for which the _KPCR address is read. Can be IG_CURRENT_VCPU for this CPU |
| [out] | Regs | On success, will contain the values of the registers |
Definition at line 1218 of file introcpu.c.
Referenced by IntIdtFindBase().
| DWORD IntGetCurrentCpu | ( | void | ) |
Returns the current CPU number.
Definition at line 802 of file introcpu.c.
Referenced by IntApiEnter(), IntGuestInit(), and IntWinThrGetCurrentThread().
Get the EPTP index of the currently loaded EPT.
| [in] | CpuNumber | The CPU for which the _KPCR address is read. Can be IG_CURRENT_VCPU for this CPU |
| [out] | EptpIndex | On success, will contain the EPT index |
Definition at line 1238 of file introcpu.c.
Referenced by IntHandleEptViolation(), IntHookGpaInit(), and IntVeHandleEPTViolationInProtectedView().
Read the current CS type.
| [in] | CpuNumber | The CPU from which the registers are read. Can be IG_CURRENT_VCPU for this CPU |
| [out] | Mode | The current CS type. Can be one of the IG_CS_TYPE values |
Definition at line 977 of file introcpu.c.
Referenced by IntAlertFillCodeBlocks(), IntAlertFillExecContext(), IntDecDecodeInstructionAtRip(), IntDecDecodeInstructionAtRipWithCache(), IntDisasmBuffer(), IntDisasmGva(), IntDispatchVeAsEpt(), IntDumpCodeAndRegs(), IntEngFillExecDetails(), IntExceptDumpSignatures(), IntExceptVerifyCodeBlocksSig(), IntExceptVerifyValueCodeSig(), IntHandleFetchRetryOnPageBoundary(), IntSerializeExtractCodeBlocks(), IntSerializeRipCode(), IntShcIsSuspiciousCode(), IntWinHalHandleHalHeapExec(), IntWinStackTraceGetUser(), and IntWinThrGetCurrentStackBaseAndLimit().
Read the current protection level.
| [in] | CpuNumber | The CPU from which the registers are read. Can be IG_CURRENT_VCPU for this CPU |
| [out] | Ring | The current protection level. Can be one of the IG_CS_RING values |
Definition at line 959 of file introcpu.c.
Referenced by IntAlertCoreGetFlags(), IntAlertProcGetFlags(), IntDecEmulateRead(), IntHandleCowOnPage(), IntHandleFetchRetryOnPageBoundary(), IntLixAgentHandleInt3(), IntLixAgentHandleVmcall(), IntSwapMemInjectPendingPF(), IntWinAgentDeployWinDriver(), IntWinAgentHandleInt3(), IntWinAgentHandleVmcall(), IntWinSudHandleSudExec(), and IntWinThrGetCurrentStackBaseAndLimit().
| INTSTATUS IntGetGprs | ( | DWORD | CpuNumber, |
| PIG_ARCH_REGS | Regs | ||
| ) |
Get the current guest GPR state.
If CpuNumber points to the current CPU and the GPR values are already known and cached inside gVcpu, we will not query them again, and the cached values are returned, as they can not change while introcore is handling an event because the guest is not running on that CPU. The values can change only by using IntSetGprs, but in that case the cached values are updated. In cases in which the query is done while in an user mode context, and KPTI is enabled, the CR3 value returned in Regs will be that of the kernel CR3 of the current process.
| [in] | CpuNumber | The CPU from which the registers are read. Can be IG_CURRENT_VCPU for this CPU |
| [out] | Regs | On success, will contain the values of the GPRs |
Definition at line 827 of file introcpu.c.
Referenced by IntCr0Read(), IntCr3Read(), IntCr4Read(), IntCr8Read(), IntDecComputeLinearAddress(), IntDecComputeVsibLinearAddresses(), IntDecEmulateInstruction(), IntDecGetAccessedMem(), IntDecGetWrittenValueFromInstruction(), IntDetSetReturnValue(), IntDisableIntro(), IntGetCurrentInstructionLength(), IntGetCurrentInstructionMnemonic(), IntGetValueFromOperand(), IntGuestHandleCr3Write(), IntHandleBreakpoint(), IntHandleCrWrite(), IntHandleDtrViolation(), IntHandleEptViolation(), IntHandleEventInjection(), IntHandleIntroCall(), IntHandleMsrViolation(), IntHandleXcrWrite(), IntLixUnpatchSwapgs(), IntLogGuestRegisters(), IntRipRead(), IntSetValueForOperand(), IntThrSafeInspectRunningThreads(), IntVeDumpVeInfoPage(), and IntWinThrGetCurrentStackBaseAndLimit().
Get the last physical page frame number accessible by the guest.
In practice, it has been observed that this is not entirely accurate. See IntGuestGetLastGpa
| [out] | MaxGpfn | The last physical page frame number available to the guest |
Definition at line 1273 of file introcpu.c.
Referenced by IntGuestGetLastGpa().
| INTSTATUS IntGetSegs | ( | DWORD | CpuNumber, |
| PIG_SEG_REGS | Regs | ||
| ) |
Read the guest segment registers.
| [in] | CpuNumber | The CPU from which the registers are read. Can be IG_CURRENT_VCPU for this CPU |
| [out] | Regs | The values of the guest segment registers |
Definition at line 995 of file introcpu.c.
Referenced by IntDecComputeLinearAddress(), IntDecComputeVsibLinearAddresses(), IntDecDecodeInstructionAtRip(), IntDecDecodeInstructionAtRipWithCache(), IntLogGuestRegisters(), and IntShcIsSuspiciousCode().
Get the value of the guest XCR0 register.
| [in] | CpuNumber | The CPU from which the registers are read. Can be IG_CURRENT_VCPU for this CPU |
| [out] | Xcr0Value | On success, the value of the XCR0 register |
Definition at line 1030 of file introcpu.c.
Referenced by IntDecGetMaxvl().
| INTSTATUS IntGetXsaveArea | ( | DWORD | CpuNumber, |
| XSAVE_AREA * | XsaveArea | ||
| ) |
Get the contents of the guest XSAVE area.
The XSAVE_AREA.XsaveArea buffer is allocated here and will be exactly XSAVE_AREA.Size bytes in length. Callers must free this buffer by calling IntFreeXsaveArea. If the function fails, no memory is allocated.
| [in] | CpuNumber | The CPU from which the registers are read. Can be IG_CURRENT_VCPU for this CPU |
| [out] | XsaveArea | The XSAVE area size and contents |
| INT_STATUS_SUCCESS | in case of success |
| INT_STATUS_INSUFFICIENT_RESOURCES | is not enough memory is available |
Definition at line 1048 of file introcpu.c.
Referenced by IntDecGetSetSseRegValue().
Get the size of the guest XSAVE area on the current CPU.
| [out] | Size | On success, the size of the guest XSAVE area |
Definition at line 1014 of file introcpu.c.
Referenced by IntGetXsaveArea().
Reads the IA32_GS_BASE guest MSR.
| [in] | CpuNumber | The CPU from which the MSR is read. Can be IG_CURRENT_VCPU for this CPU |
| [out] | GsValue | On success, the value of the MSR |
| INT_STATUS_SUCCESS | in case of success |
| INT_STATUS_INVALID_PARAMETER_2 | if GsValue is NULL |
Definition at line 289 of file introcpu.c.
Referenced by IntFindKernelPcr(), IntLixGuestIsKptiActive(), IntLixTaskGetCurrentTaskStruct(), IntShcIsSuspiciousCode(), IntWinGuestNew(), and IntWinThrGetCurrentTib().
Returns the IDT base and limit for a guest CPU.
| [in] | CpuNumber | The CPU from which the IDT is read. Can be IG_CURRENT_VCPU for this CPU |
| [out] | Base | On success, the base of the IDT |
| [out] | Limit | On success, the limit of the IDT. May be NULL |
| INT_STATUS_SUCCESS | in case of success |
| INT_STATUS_INVALID_PARAMETER_2 | if Base is NULL |
Definition at line 102 of file introcpu.c.
Referenced by IntHandleDtrViolation(), IntIdtGetEntry(), IntLixGuestNew(), IntLixIdtProtectOnCpu(), and IntWinGuestNew().
Get the handler of an interrupt from the IDT.
| [in] | CpuNumber | The CPU from which the query is done. Can be IG_CURRENT_VCPU for this CPU |
| [in] | Entry | The number of the IDT entry |
| [out] | Handler | On success, the address of the interrupt handler |
| INT_STATUS_SUCCESS | in case of success |
| INT_STATUS_INVALID_PARAMETER_3 | if Handler is NULL |
Definition at line 145 of file introcpu.c.
Referenced by IntGuestDetectOs(), IntVeFindKernelKvaShadowAndKernelExit(), IntVeIsPtrInAgent(), IntWinApiHookVeHandler(), and IntWinGuestNew().
Reads the IA32_KERNEL_GS_BASE guest MSR.
| [in] | CpuNumber | The CPU from which the MSR is read. Can be IG_CURRENT_VCPU for this CPU |
| [out] | GsValue | On success, the value of the MSR |
| INT_STATUS_SUCCESS | in case of success |
| INT_STATUS_INVALID_PARAMETER_2 | if GsValue is NULL |
Definition at line 326 of file introcpu.c.
Referenced by IntFindKernelPcr().
Definition at line 720 of file introcpu.c.
Definition at line 776 of file introcpu.c.
Reads the value of the guest RIP.
If CpuNumber points to the current CPU and the value is already known and cached inside gVcpu, it is not re-read from the guest, and the cached value is returned, as it can not change while introcore is handling an event because the guest is not running on that CPU. The value can change only by using IntSetGprs, but in that case the cached value is updated.
| [in] | CpuNumber | The CPU from which the RIP is read. Can be IG_CURRENT_VCPU for this CPU |
| [out] | Rip | On success, the value the Rip register |
| INT_STATUS_SUCCESS | in case of success |
| INT_STATUS_INVALID_PARAMETER_2 | if Rip is NULL |
Definition at line 49 of file introcpu.c.
Referenced by IntRtlpVirtualUnwindCheckAccess().
| INTSTATUS IntSetGprs | ( | DWORD | CpuNumber, |
| PIG_ARCH_REGS | Regs | ||
| ) |
Sets the values of the guest GPRs.
This will set only the general purpose registers (from RAX to R15), the other fields of the IG_ARCH_REGS struct are ignored. If CpuNumber points to the current CPU and the GPR values are cached inside gVcpu, we will also update the cache. If we are on an event triggered by the #VE agent (gVcpu->VeContext is True), the guest register state will not actually change, only the values in the cache. The values will be propagated back to the guest via the #VE info page, so we'd rather avoid an expensive hypercall. If we are in the context of the #VE agent, but there is no valid register cache, Introcore will bug check, as that is an unrecoverable error.
| [in] | CpuNumber | The CPU for which the registers are set. Can be IG_CURRENT_VCPU for this CPU |
| [in] | Regs | The new register values |
Definition at line 905 of file introcpu.c.
Referenced by IntDecEmulateInstruction(), IntDecEmulatePTWrite(), IntDecEmulateRead(), IntDetCallCallback(), IntDetPatchArgument(), IntDetSetReturnValue(), IntHandleBreakpoint(), IntLixAgentCreateThreadHypercall(), IntLixAgentExit(), IntLixAgentStart(), IntLixDepDeployFileHypercall(), IntLixUnpatchSwapgs(), IntSetValueForOperand(), IntThrSafeMoveRip(), IntWinAgentHandleDriverVmcall(), IntWinAgentHandleLoader1Hypercall(), IntWinAgentRestoreState32(), IntWinAgentRestoreState64(), IntWinModBlockHandleExecution(), and IntWinProcHandleCreate().
| INTSTATUS IntSetXsaveArea | ( | DWORD | CpuNumber, |
| XSAVE_AREA * | XsaveArea | ||
| ) |
Sets the contents of the guest XSAVE area.
| [in] | CpuNumber | The CPU on which the XSAVE area contents are written. Can be IG_CURRENT_VCPU for this CPU |
| [in] | XsaveArea | Pointer to a XSAVE_AREA structure containing the buffer with the data to be written |
Definition at line 1097 of file introcpu.c.
Referenced by IntDecGetSetSseRegValue().
Queries the IA32_STAR, and IA32_LSTAR guest MSRs.
| [in] | CpuNumber | The CPU from which the MSRs are read. Can be IG_CURRENT_VCPU for this CPU |
| [out] | SysStar | On success, the value of the IA32_STAR MSR. May be NULL. |
| [out] | SysLstar | On success, the value of the IA32_LSTAR_MSR. May be NULL. |
Definition at line 635 of file introcpu.c.
Referenced by IntGuestDetectOs(), IntGuestHandleCr3Write(), IntLixGuestNew(), and IntWinGuestNew().
Queries the IA32_SYSENTER_CS, IA32_SYSENTER_EIP, and IA32_SYSENTER_ESP guest MSRs.
| [in] | CpuNumber | The CPU from which the MSRs are read. Can be IG_CURRENT_VCPU for this CPU |
| [out] | SysCs | On success, the value of the IA32_SYSENTER_CS MSR. May be NULL |
| [out] | SysEip | On success, the value of the IA32_SYSENTER_EIP MSR. May be NULL |
| [out] | SysEsp | On success, the value of the IA32_SYSENTER_ESP MSR. May be NULL |
Definition at line 571 of file introcpu.c.
Referenced by IntGuestDetectOs(), IntGuestHandleCr3Write(), and IntWinGuestNew().
1.8.13