- Generated by
1.8.13
|
Bitdefender Hypervisor Memory Introspection
|
Go to the source code of this file.
Data Structures | |
| union | _INTERRUPT_GATE |
| An 64-bit interrupt gate as defined by the Intel docs. More... | |
| union | _INTERRUPT_GATE32 |
| An 32-bit interrupt gate as defined by the Intel docs. More... | |
| struct | _SEGMENT_DESCRIPTOR32 |
| Segment descriptor for 32-bit systems. More... | |
| struct | _XSAVE_AREA |
| XSAVE area container. More... | |
| struct | _DTR |
| A descriptor table register. Valid for IDTR and GDTR. More... | |
Macros | |
| #define | MSR_LBR_0_FROM_IP 0x00000680 |
| #define | MSR_LBR_1_FROM_IP 0x00000681 |
| #define | MSR_LBR_2_FROM_IP 0x00000682 |
| #define | MSR_LBR_3_FROM_IP 0x00000683 |
| #define | MSR_LBR_4_FROM_IP 0x00000684 |
| #define | MSR_LBR_5_FROM_IP 0x00000685 |
| #define | MSR_LBR_6_FROM_IP 0x00000686 |
| #define | MSR_LBR_7_FROM_IP 0x00000687 |
| #define | MSR_LBR_8_FROM_IP 0x00000688 |
| #define | MSR_LBR_9_FROM_IP 0x00000689 |
| #define | MSR_LBR_A_FROM_IP 0x0000068A |
| #define | MSR_LBR_B_FROM_IP 0x0000068B |
| #define | MSR_LBR_C_FROM_IP 0x0000068C |
| #define | MSR_LBR_D_FROM_IP 0x0000068D |
| #define | MSR_LBR_E_FROM_IP 0x0000068E |
| #define | MSR_LBR_F_FROM_IP 0x0000068F |
| #define | MSR_LBR_0_TO_IP 0x000006C0 |
| #define | MSR_LBR_1_TO_IP 0x000006C1 |
| #define | MSR_LBR_2_TO_IP 0x000006C2 |
| #define | MSR_LBR_3_TO_IP 0x000006C3 |
| #define | MSR_LBR_4_TO_IP 0x000006C4 |
| #define | MSR_LBR_5_TO_IP 0x000006C5 |
| #define | MSR_LBR_6_TO_IP 0x000006C6 |
| #define | MSR_LBR_7_TO_IP 0x000006C7 |
| #define | MSR_LBR_8_TO_IP 0x000006C8 |
| #define | MSR_LBR_9_TO_IP 0x000006C9 |
| #define | MSR_LBR_A_TO_IP 0x000006CA |
| #define | MSR_LBR_B_TO_IP 0x000006CB |
| #define | MSR_LBR_C_TO_IP 0x000006CC |
| #define | MSR_LBR_D_TO_IP 0x000006CD |
| #define | MSR_LBR_E_TO_IP 0x000006CE |
| #define | MSR_LBR_F_TO_IP 0x000006CF |
| #define | MSR_LER_FROM_IP 0x000001DD |
| #define | MSR_LER_TO_IP 0x000001DE |
| #define | LBR_STACK_SIZE 16 |
| #define | IntFreeXsaveArea(xa) HpFreeAndNullWithTag(&(xa).XsaveArea, IC_TAG_XSAVE) |
| Frees an XSAVE area. More... | |
Typedefs | |
| typedef union _INTERRUPT_GATE | INTERRUPT_GATE |
| An 64-bit interrupt gate as defined by the Intel docs. More... | |
| typedef union _INTERRUPT_GATE * | PINTERRUPT_GATE |
| typedef union _INTERRUPT_GATE32 | INTERRUPT_GATE32 |
| An 32-bit interrupt gate as defined by the Intel docs. More... | |
| typedef union _INTERRUPT_GATE32 * | PINTERRUPT_GATE32 |
| typedef struct _SEGMENT_DESCRIPTOR32 | SEGMENT_DESCRIPTOR32 |
| Segment descriptor for 32-bit systems. More... | |
| typedef struct _SEGMENT_DESCRIPTOR32 * | PSEGMENT_DESCRIPTOR32 |
| typedef struct _XSAVE_AREA | XSAVE_AREA |
| XSAVE area container. More... | |
| typedef struct _DTR | DTR |
| A descriptor table register. Valid for IDTR and GDTR. More... | |
| typedef struct _DTR * | PDTR |
Functions | |
| INTSTATUS | IntEferRead (QWORD CpuNumber, QWORD *Efer) |
| Reads the value of the guest IA32 EFER MSR. More... | |
| INTSTATUS | IntRipRead (DWORD CpuNumber, QWORD *Rip) |
| Reads the value of the guest RIP. More... | |
| INTSTATUS | IntIdtFindBase (DWORD CpuNumber, QWORD *Base, WORD *Limit) |
| Returns the IDT base and limit for a guest CPU. More... | |
| INTSTATUS | IntIdtGetEntry (DWORD CpuNumber, DWORD Entry, QWORD *Handler) |
| Get the handler of an interrupt from the IDT. More... | |
| INTSTATUS | IntGdtFindBase (DWORD CpuNumber, QWORD *GdtBase, WORD *GdtLimit) |
| Returns the GDT base and limit for a guest CPU. More... | |
| INTSTATUS | IntFsRead (DWORD CpuNumber, QWORD *FsValue) |
| Reads the IA32_FS_BASE guest MSR. More... | |
| INTSTATUS | IntGsRead (DWORD CpuNumber, QWORD *GsValue) |
| Reads the IA32_GS_BASE guest MSR. More... | |
| INTSTATUS | IntCr0Read (DWORD CpuNumber, QWORD *Cr0Value) |
| Reads the value of the guest CR0. More... | |
| INTSTATUS | IntCr3Read (DWORD CpuNumber, QWORD *Cr3Value) |
| Reads the value of the guest CR3. More... | |
| INTSTATUS | IntCr4Read (DWORD CpuNumber, QWORD *Cr4Value) |
| Reads the value of the guest CR4. More... | |
| INTSTATUS | IntCr8Read (DWORD CpuNumber, QWORD *Cr8Value) |
| Reads the value of the guest CR8. More... | |
| INTSTATUS | IntSysenterRead (DWORD CpuNumber, QWORD *SysCs, QWORD *SysEip, QWORD *SysEsp) |
| Queries the IA32_SYSENTER_CS, IA32_SYSENTER_EIP, and IA32_SYSENTER_ESP guest MSRs. More... | |
| INTSTATUS | IntSyscallRead (DWORD CpuNumber, QWORD *SysStar, QWORD *SysLstar) |
| Queries the IA32_STAR, and IA32_LSTAR guest MSRs. More... | |
| INTSTATUS | IntDebugCtlRead (DWORD CpuNumber, QWORD *DebugCtl) |
| Queries the IA32_DEBUGCTL guest MSR. More... | |
| INTSTATUS | IntLbrRead (DWORD BuffersSize, QWORD *LbrFrom, QWORD *LbrTo) |
| INTSTATUS | IntLerRead (QWORD *LerFrom, QWORD *LerTo) |
| DWORD | IntGetCurrentCpu (void) |
| Returns the current CPU number. More... | |
| INTSTATUS | IntGetGprs (DWORD CpuNumber, PIG_ARCH_REGS Regs) |
| Get the current guest GPR state. More... | |
| INTSTATUS | IntSetGprs (DWORD CpuNumber, PIG_ARCH_REGS Regs) |
| Sets the values of the guest GPRs. More... | |
| INTSTATUS | IntGetCurrentRing (DWORD CpuNumber, DWORD *Ring) |
| Read the current protection level. More... | |
| INTSTATUS | IntGetCurrentMode (DWORD CpuNumber, DWORD *Mode) |
| Read the current CS type. More... | |
| INTSTATUS | IntGetSegs (DWORD CpuNumber, PIG_SEG_REGS Regs) |
| Read the guest segment registers. More... | |
| INTSTATUS | IntGetXsaveAreaSize (DWORD *Size) |
| Get the size of the guest XSAVE area on the current CPU. More... | |
| INTSTATUS | IntGetXsaveArea (DWORD CpuNumber, XSAVE_AREA *XsaveArea) |
| Get the contents of the guest XSAVE area. More... | |
| INTSTATUS | IntSetXsaveArea (DWORD CpuNumber, XSAVE_AREA *XsaveArea) |
| Sets the contents of the guest XSAVE area. More... | |
| INTSTATUS | IntGetXcr0 (DWORD CpuNumber, QWORD *Xcr0Value) |
| Get the value of the guest XCR0 register. More... | |
| INTSTATUS | IntFindKernelPcr (DWORD CpuNumber, QWORD *Pcr) |
| Finds the address of the Windows kernel _KPCR. More... | |
| INTSTATUS | IntGetCurrentEptIndex (DWORD CpuNumber, DWORD *EptpIndex) |
| Get the EPTP index of the currently loaded EPT. More... | |
| INTSTATUS | IntGetAllRegisters (DWORD CpuNumber, PIG_ARCH_REGS Regs) |
| Returns the entire guest register state. This will return the GPRs, control registers, and IDT and GDT base and limit. This also bypasses the cache used by IntGetGprs. More... | |
| INTSTATUS | IntGetMaxGpfn (QWORD *MaxGpfn) |
| Get the last physical page frame number accessible by the guest. More... | |
| #define IntFreeXsaveArea | ( | xa | ) | HpFreeAndNullWithTag(&(xa).XsaveArea, IC_TAG_XSAVE) |
Frees an XSAVE area.
| [in] | xa | A XSAVE_AREA structure to be cleaned up. Note that the structure itself is not freed, only its internal buffers. |
Definition at line 286 of file introcpu.h.
Referenced by IntDecGetSetSseRegValue().
| #define LBR_STACK_SIZE 16 |
Definition at line 120 of file introcpu.h.
Referenced by IntLbrRead().
| #define MSR_LBR_0_FROM_IP 0x00000680 |
Definition at line 83 of file introcpu.h.
Referenced by IntLbrRead().
| #define MSR_LBR_0_TO_IP 0x000006C0 |
Definition at line 100 of file introcpu.h.
Referenced by IntLbrRead().
| #define MSR_LBR_1_FROM_IP 0x00000681 |
Definition at line 84 of file introcpu.h.
Referenced by IntLbrRead().
| #define MSR_LBR_1_TO_IP 0x000006C1 |
Definition at line 101 of file introcpu.h.
Referenced by IntLbrRead().
| #define MSR_LBR_2_FROM_IP 0x00000682 |
Definition at line 85 of file introcpu.h.
Referenced by IntLbrRead().
| #define MSR_LBR_2_TO_IP 0x000006C2 |
Definition at line 102 of file introcpu.h.
Referenced by IntLbrRead().
| #define MSR_LBR_3_FROM_IP 0x00000683 |
Definition at line 86 of file introcpu.h.
Referenced by IntLbrRead().
| #define MSR_LBR_3_TO_IP 0x000006C3 |
Definition at line 103 of file introcpu.h.
Referenced by IntLbrRead().
| #define MSR_LBR_4_FROM_IP 0x00000684 |
Definition at line 87 of file introcpu.h.
Referenced by IntLbrRead().
| #define MSR_LBR_4_TO_IP 0x000006C4 |
Definition at line 104 of file introcpu.h.
Referenced by IntLbrRead().
| #define MSR_LBR_5_FROM_IP 0x00000685 |
Definition at line 88 of file introcpu.h.
Referenced by IntLbrRead().
| #define MSR_LBR_5_TO_IP 0x000006C5 |
Definition at line 105 of file introcpu.h.
Referenced by IntLbrRead().
| #define MSR_LBR_6_FROM_IP 0x00000686 |
Definition at line 89 of file introcpu.h.
Referenced by IntLbrRead().
| #define MSR_LBR_6_TO_IP 0x000006C6 |
Definition at line 106 of file introcpu.h.
Referenced by IntLbrRead().
| #define MSR_LBR_7_FROM_IP 0x00000687 |
Definition at line 90 of file introcpu.h.
Referenced by IntLbrRead().
| #define MSR_LBR_7_TO_IP 0x000006C7 |
Definition at line 107 of file introcpu.h.
Referenced by IntLbrRead().
| #define MSR_LBR_8_FROM_IP 0x00000688 |
Definition at line 91 of file introcpu.h.
Referenced by IntLbrRead().
| #define MSR_LBR_8_TO_IP 0x000006C8 |
Definition at line 108 of file introcpu.h.
Referenced by IntLbrRead().
| #define MSR_LBR_9_FROM_IP 0x00000689 |
Definition at line 92 of file introcpu.h.
Referenced by IntLbrRead().
| #define MSR_LBR_9_TO_IP 0x000006C9 |
Definition at line 109 of file introcpu.h.
Referenced by IntLbrRead().
| #define MSR_LBR_A_FROM_IP 0x0000068A |
Definition at line 93 of file introcpu.h.
Referenced by IntLbrRead().
| #define MSR_LBR_A_TO_IP 0x000006CA |
Definition at line 110 of file introcpu.h.
Referenced by IntLbrRead().
| #define MSR_LBR_B_FROM_IP 0x0000068B |
Definition at line 94 of file introcpu.h.
Referenced by IntLbrRead().
| #define MSR_LBR_B_TO_IP 0x000006CB |
Definition at line 111 of file introcpu.h.
Referenced by IntLbrRead().
| #define MSR_LBR_C_FROM_IP 0x0000068C |
Definition at line 95 of file introcpu.h.
Referenced by IntLbrRead().
| #define MSR_LBR_C_TO_IP 0x000006CC |
Definition at line 112 of file introcpu.h.
Referenced by IntLbrRead().
| #define MSR_LBR_D_FROM_IP 0x0000068D |
Definition at line 96 of file introcpu.h.
Referenced by IntLbrRead().
| #define MSR_LBR_D_TO_IP 0x000006CD |
Definition at line 113 of file introcpu.h.
Referenced by IntLbrRead().
| #define MSR_LBR_E_FROM_IP 0x0000068E |
Definition at line 97 of file introcpu.h.
Referenced by IntLbrRead().
| #define MSR_LBR_E_TO_IP 0x000006CE |
Definition at line 114 of file introcpu.h.
Referenced by IntLbrRead().
| #define MSR_LBR_F_FROM_IP 0x0000068F |
Definition at line 98 of file introcpu.h.
Referenced by IntLbrRead().
| #define MSR_LBR_F_TO_IP 0x000006CF |
Definition at line 115 of file introcpu.h.
Referenced by IntLbrRead().
| #define MSR_LER_FROM_IP 0x000001DD |
Definition at line 117 of file introcpu.h.
Referenced by IntLerRead().
| #define MSR_LER_TO_IP 0x000001DE |
Definition at line 118 of file introcpu.h.
Referenced by IntLerRead().
| typedef union _INTERRUPT_GATE INTERRUPT_GATE |
An 64-bit interrupt gate as defined by the Intel docs.
| typedef union _INTERRUPT_GATE32 INTERRUPT_GATE32 |
An 32-bit interrupt gate as defined by the Intel docs.
| typedef union _INTERRUPT_GATE * PINTERRUPT_GATE |
| typedef union _INTERRUPT_GATE32 * PINTERRUPT_GATE32 |
| typedef struct _SEGMENT_DESCRIPTOR32 * PSEGMENT_DESCRIPTOR32 |
| typedef struct _SEGMENT_DESCRIPTOR32 SEGMENT_DESCRIPTOR32 |
Segment descriptor for 32-bit systems.
| typedef struct _XSAVE_AREA XSAVE_AREA |
XSAVE area container.
Reads the value of the guest CR0.
If CpuNumber points to the current CPU and the value is already known and cached inside gVcpu, it is not re-read from the guest, and the cached value is returned, as it can not change while introcore is handling an event because the guest is not running on that CPU. The value can not change by using IntSetGprs.
| [in] | CpuNumber | The CPU from which the CR0 is read. Can be IG_CURRENT_VCPU for this CPU |
| [out] | Cr0Value | On success, the value the CR0 register |
| INT_STATUS_SUCCESS | in case of success |
| INT_STATUS_INVALID_PARAMETER_2 | if Cr0Value is NULL |
Definition at line 363 of file introcpu.c.
Referenced by IntIterateVirtualAddressSpace(), and IntWinGetActiveCpuCount().
Reads the value of the guest CR3.
If CpuNumber points to the current CPU and the value is already known and cached inside gVcpu, it is not re-read from the guest, and the cached value is returned, as it can not change while Introcore is handling an event because the guest is not running on that CPU. The value can not change by using IntSetGprs.
| [in] | CpuNumber | The CPU from which the CR3 is read. Can be IG_CURRENT_VCPU for this CPU |
| [out] | Cr3Value | On success, the value the CR3 register |
| INT_STATUS_SUCCESS | in case of success |
| INT_STATUS_INVALID_PARAMETER_2 | if Cr3Value is NULL |
Definition at line 415 of file introcpu.c.
Referenced by IntAlertFillWinProcessCurrent(), IntDumpGvaEx(), IntPeFindFunctionStart(), IntSwapMemInjectPendingPF(), IntTranslateVirtualAddress(), IntVasPageTableWriteCallback(), IntVirtMemMap(), IntVirtMemReadWrite(), IntVirtMemSafeWrite(), IntVirtMemSet(), IntWinAgentDeployWinDriver(), IntWinGetActiveCpuCount(), IntWinGuestFindSystemCr3(), and IntWinGuestNew().
Reads the value of the guest CR4.
If CpuNumber points to the current CPU and the value is already known and cached inside gVcpu, it is not re-read from the guest, and the cached value is returned, as it can not change while introcore is handling an event because the guest is not running on that CPU. The value can not change by using IntSetGprs.
| [in] | CpuNumber | The CPU from which the CR4 is read. Can be IG_CURRENT_VCPU for this CPU |
| [out] | Cr4Value | On success, the value the CR4 register |
| INT_STATUS_SUCCESS | in case of success |
| INT_STATUS_INVALID_PARAMETER_2 | if Cr4Value is NULL |
Definition at line 467 of file introcpu.c.
Referenced by IntIterateVirtualAddressSpace().
Reads the value of the guest CR8.
If CpuNumber points to the current CPU and the value is already known and cached inside gVcpu, it is not re-read from the guest, and the cached value is returned, as it can not change while introcore is handling an event because the guest is not running on that CPU. The value can not change by using IntSetGprs.
| [in] | CpuNumber | The CPU from which the CR8 is read. Can be IG_CURRENT_VCPU for this CPU |
| [out] | Cr8Value | On success, the value the CR8 register |
| INT_STATUS_SUCCESS | in case of success |
| INT_STATUS_INVALID_PARAMETER_2 | if Cr8Value is NULL |
Definition at line 519 of file introcpu.c.
Queries the IA32_DEBUGCTL guest MSR.
| [in] | CpuNumber | The CPU from which the MSR is read. Can be IG_CURRENT_VCPU for this CPU |
| [out] | DebugCtl | On success, the value of the IA32_DEBUGCTL MSR. May be NULL. |
Definition at line 684 of file introcpu.c.
Reads the value of the guest IA32 EFER MSR.
| [in] | CpuNumber | The CPU from which the MSR is read. Can be IG_CURRENT_VCPU for this CPU |
| [out] | Efer | On success, the value of the MSR |
| INT_STATUS_SUCCESS | in case of success |
| INT_STATUS_INVALID_PARAMETER_2 | if Efer is NULL |
Definition at line 12 of file introcpu.c.
Referenced by IntFindKernelPcr(), IntGuestGetPagingMode(), IntGuestInitMemoryInfo(), and IntIterateVirtualAddressSpace().
Finds the address of the Windows kernel _KPCR.
For 64-bit guests, this is done by reading either the IA32_GS_BASE MSR, or the IA32_KERNEL_GS_BASE MSR if the first one does not point inside the kernel. For 32-bit guests it is obtained from the guest GDT.
| [in] | CpuNumber | The CPU for which the _KPCR address is read. Can be IG_CURRENT_VCPU for this CPU |
| [out] | Pcr | On success, the address of the _KPCR structure |
| INT_STATUS_SUCCESS | in case of success |
| INT_STATUS_NOT_FOUND | if the _KPCR address is not found |
Definition at line 1116 of file introcpu.c.
Referenced by DbgLogKpcr(), IntWinGuestFindIdleCr3(), IntWinGuestFindKernelCr3(), IntWinIntObjProtect(), and IntWinThrGetCurrentThread().
Reads the IA32_FS_BASE guest MSR.
| [in] | CpuNumber | The CPU from which the MSR is read. Can be IG_CURRENT_VCPU for this CPU |
| [out] | FsValue | On success, the value of the MSR |
| INT_STATUS_SUCCESS | in case of success |
| INT_STATUS_INVALID_PARAMETER_2 | if FsValue is NULL |
Definition at line 252 of file introcpu.c.
Referenced by IntWinGuestNew(), and IntWinThrGetCurrentTib().
Returns the GDT base and limit for a guest CPU.
| [in] | CpuNumber | The CPU from which the GDT is read. Can be IG_CURRENT_VCPU for this CPU |
| [out] | GdtBase | On success, the base of the GDT |
| [out] | GdtLimit | On success, the limit of the GDT. May be NULL |
| INT_STATUS_SUCCESS | in case of success |
| INT_STATUS_INVALID_PARAMETER_2 | if GdtBase is NULL |
Definition at line 206 of file introcpu.c.
Referenced by IntFindKernelPcr(), IntHandleDtrViolation(), and IntVeDeliverDriverForLoad().
| INTSTATUS IntGetAllRegisters | ( | DWORD | CpuNumber, |
| PIG_ARCH_REGS | Regs | ||
| ) |
Returns the entire guest register state. This will return the GPRs, control registers, and IDT and GDT base and limit. This also bypasses the cache used by IntGetGprs.
| [in] | CpuNumber | The CPU for which the _KPCR address is read. Can be IG_CURRENT_VCPU for this CPU |
| [out] | Regs | On success, will contain the values of the registers |
Definition at line 1218 of file introcpu.c.
Referenced by IntIdtFindBase().
| DWORD IntGetCurrentCpu | ( | void | ) |
Returns the current CPU number.
Definition at line 802 of file introcpu.c.
Referenced by IntApiEnter(), IntGuestInit(), and IntWinThrGetCurrentThread().
Get the EPTP index of the currently loaded EPT.
| [in] | CpuNumber | The CPU for which the _KPCR address is read. Can be IG_CURRENT_VCPU for this CPU |
| [out] | EptpIndex | On success, will contain the EPT index |
Definition at line 1238 of file introcpu.c.
Referenced by IntHandleEptViolation(), IntHookGpaInit(), and IntVeHandleEPTViolationInProtectedView().
Read the current CS type.
| [in] | CpuNumber | The CPU from which the registers are read. Can be IG_CURRENT_VCPU for this CPU |
| [out] | Mode | The current CS type. Can be one of the IG_CS_TYPE values |
Definition at line 977 of file introcpu.c.
Referenced by IntAlertFillCodeBlocks(), IntAlertFillExecContext(), IntDecDecodeInstructionAtRip(), IntDecDecodeInstructionAtRipWithCache(), IntDisasmBuffer(), IntDisasmGva(), IntDispatchVeAsEpt(), IntDumpCodeAndRegs(), IntEngFillExecDetails(), IntExceptDumpSignatures(), IntExceptVerifyCodeBlocksSig(), IntExceptVerifyValueCodeSig(), IntHandleFetchRetryOnPageBoundary(), IntSerializeExtractCodeBlocks(), IntSerializeRipCode(), IntShcIsSuspiciousCode(), IntWinHalHandleHalHeapExec(), IntWinStackTraceGetUser(), and IntWinThrGetCurrentStackBaseAndLimit().
Read the current protection level.
| [in] | CpuNumber | The CPU from which the registers are read. Can be IG_CURRENT_VCPU for this CPU |
| [out] | Ring | The current protection level. Can be one of the IG_CS_RING values |
Definition at line 959 of file introcpu.c.
Referenced by IntAlertCoreGetFlags(), IntAlertProcGetFlags(), IntDecEmulateRead(), IntHandleCowOnPage(), IntHandleFetchRetryOnPageBoundary(), IntLixAgentHandleInt3(), IntLixAgentHandleVmcall(), IntSwapMemInjectPendingPF(), IntWinAgentDeployWinDriver(), IntWinAgentHandleInt3(), IntWinAgentHandleVmcall(), IntWinSudHandleSudExec(), and IntWinThrGetCurrentStackBaseAndLimit().
| INTSTATUS IntGetGprs | ( | DWORD | CpuNumber, |
| PIG_ARCH_REGS | Regs | ||
| ) |
Get the current guest GPR state.
If CpuNumber points to the current CPU and the GPR values are already known and cached inside gVcpu, we will not query them again, and the cached values are returned, as they can not change while introcore is handling an event because the guest is not running on that CPU. The values can change only by using IntSetGprs, but in that case the cached values are updated. In cases in which the query is done while in an user mode context, and KPTI is enabled, the CR3 value returned in Regs will be that of the kernel CR3 of the current process.
| [in] | CpuNumber | The CPU from which the registers are read. Can be IG_CURRENT_VCPU for this CPU |
| [out] | Regs | On success, will contain the values of the GPRs |
Definition at line 827 of file introcpu.c.
Referenced by IntCr0Read(), IntCr3Read(), IntCr4Read(), IntCr8Read(), IntDecComputeLinearAddress(), IntDecComputeVsibLinearAddresses(), IntDecEmulateInstruction(), IntDecGetAccessedMem(), IntDecGetWrittenValueFromInstruction(), IntDetSetReturnValue(), IntDisableIntro(), IntGetCurrentInstructionLength(), IntGetCurrentInstructionMnemonic(), IntGetValueFromOperand(), IntGuestHandleCr3Write(), IntHandleBreakpoint(), IntHandleCrWrite(), IntHandleDtrViolation(), IntHandleEptViolation(), IntHandleEventInjection(), IntHandleIntroCall(), IntHandleMsrViolation(), IntHandleXcrWrite(), IntLixUnpatchSwapgs(), IntLogGuestRegisters(), IntRipRead(), IntSetValueForOperand(), IntThrSafeInspectRunningThreads(), IntVeDumpVeInfoPage(), and IntWinThrGetCurrentStackBaseAndLimit().
Get the last physical page frame number accessible by the guest.
In practice, it has been observed that this is not entirely accurate. See IntGuestGetLastGpa
| [out] | MaxGpfn | The last physical page frame number available to the guest |
Definition at line 1273 of file introcpu.c.
Referenced by IntGuestGetLastGpa().
| INTSTATUS IntGetSegs | ( | DWORD | CpuNumber, |
| PIG_SEG_REGS | Regs | ||
| ) |
Read the guest segment registers.
| [in] | CpuNumber | The CPU from which the registers are read. Can be IG_CURRENT_VCPU for this CPU |
| [out] | Regs | The values of the guest segment registers |
Definition at line 995 of file introcpu.c.
Referenced by IntDecComputeLinearAddress(), IntDecComputeVsibLinearAddresses(), IntDecDecodeInstructionAtRip(), IntDecDecodeInstructionAtRipWithCache(), IntLogGuestRegisters(), and IntShcIsSuspiciousCode().
Get the value of the guest XCR0 register.
| [in] | CpuNumber | The CPU from which the registers are read. Can be IG_CURRENT_VCPU for this CPU |
| [out] | Xcr0Value | On success, the value of the XCR0 register |
Definition at line 1030 of file introcpu.c.
Referenced by IntDecGetMaxvl().
| INTSTATUS IntGetXsaveArea | ( | DWORD | CpuNumber, |
| XSAVE_AREA * | XsaveArea | ||
| ) |
Get the contents of the guest XSAVE area.
The XSAVE_AREA.XsaveArea buffer is allocated here and will be exactly XSAVE_AREA.Size bytes in length. Callers must free this buffer by calling IntFreeXsaveArea. If the function fails, no memory is allocated.
| [in] | CpuNumber | The CPU from which the registers are read. Can be IG_CURRENT_VCPU for this CPU |
| [out] | XsaveArea | The XSAVE area size and contents |
| INT_STATUS_SUCCESS | in case of success |
| INT_STATUS_INSUFFICIENT_RESOURCES | is not enough memory is available |
Definition at line 1048 of file introcpu.c.
Referenced by IntDecGetSetSseRegValue().
Get the size of the guest XSAVE area on the current CPU.
| [out] | Size | On success, the size of the guest XSAVE area |
Definition at line 1014 of file introcpu.c.
Referenced by IntGetXsaveArea().
Reads the IA32_GS_BASE guest MSR.
| [in] | CpuNumber | The CPU from which the MSR is read. Can be IG_CURRENT_VCPU for this CPU |
| [out] | GsValue | On success, the value of the MSR |
| INT_STATUS_SUCCESS | in case of success |
| INT_STATUS_INVALID_PARAMETER_2 | if GsValue is NULL |
Definition at line 289 of file introcpu.c.
Referenced by IntFindKernelPcr(), IntLixGuestIsKptiActive(), IntLixTaskGetCurrentTaskStruct(), IntShcIsSuspiciousCode(), IntWinGuestNew(), and IntWinThrGetCurrentTib().
Returns the IDT base and limit for a guest CPU.
| [in] | CpuNumber | The CPU from which the IDT is read. Can be IG_CURRENT_VCPU for this CPU |
| [out] | Base | On success, the base of the IDT |
| [out] | Limit | On success, the limit of the IDT. May be NULL |
| INT_STATUS_SUCCESS | in case of success |
| INT_STATUS_INVALID_PARAMETER_2 | if Base is NULL |
Definition at line 102 of file introcpu.c.
Referenced by IntHandleDtrViolation(), IntIdtGetEntry(), IntLixGuestNew(), IntLixIdtProtectOnCpu(), and IntWinGuestNew().
Get the handler of an interrupt from the IDT.
| [in] | CpuNumber | The CPU from which the query is done. Can be IG_CURRENT_VCPU for this CPU |
| [in] | Entry | The number of the IDT entry |
| [out] | Handler | On success, the address of the interrupt handler |
| INT_STATUS_SUCCESS | in case of success |
| INT_STATUS_INVALID_PARAMETER_3 | if Handler is NULL |
Definition at line 145 of file introcpu.c.
Referenced by IntGuestDetectOs(), IntVeFindKernelKvaShadowAndKernelExit(), IntVeIsPtrInAgent(), IntWinApiHookVeHandler(), and IntWinGuestNew().
Definition at line 720 of file introcpu.c.
Definition at line 776 of file introcpu.c.
Reads the value of the guest RIP.
If CpuNumber points to the current CPU and the value is already known and cached inside gVcpu, it is not re-read from the guest, and the cached value is returned, as it can not change while introcore is handling an event because the guest is not running on that CPU. The value can change only by using IntSetGprs, but in that case the cached value is updated.
| [in] | CpuNumber | The CPU from which the RIP is read. Can be IG_CURRENT_VCPU for this CPU |
| [out] | Rip | On success, the value the Rip register |
| INT_STATUS_SUCCESS | in case of success |
| INT_STATUS_INVALID_PARAMETER_2 | if Rip is NULL |
Definition at line 49 of file introcpu.c.
Referenced by IntRtlpVirtualUnwindCheckAccess().
| INTSTATUS IntSetGprs | ( | DWORD | CpuNumber, |
| PIG_ARCH_REGS | Regs | ||
| ) |
Sets the values of the guest GPRs.
This will set only the general purpose registers (from RAX to R15), the other fields of the IG_ARCH_REGS struct are ignored. If CpuNumber points to the current CPU and the GPR values are cached inside gVcpu, we will also update the cache. If we are on an event triggered by the #VE agent (gVcpu->VeContext is True), the guest register state will not actually change, only the values in the cache. The values will be propagated back to the guest via the #VE info page, so we'd rather avoid an expensive hypercall. If we are in the context of the #VE agent, but there is no valid register cache, Introcore will bug check, as that is an unrecoverable error.
| [in] | CpuNumber | The CPU for which the registers are set. Can be IG_CURRENT_VCPU for this CPU |
| [in] | Regs | The new register values |
Definition at line 905 of file introcpu.c.
Referenced by IntDecEmulateInstruction(), IntDecEmulatePTWrite(), IntDecEmulateRead(), IntDetCallCallback(), IntDetPatchArgument(), IntDetSetReturnValue(), IntHandleBreakpoint(), IntLixAgentCreateThreadHypercall(), IntLixAgentExit(), IntLixAgentStart(), IntLixDepDeployFileHypercall(), IntLixUnpatchSwapgs(), IntSetValueForOperand(), IntThrSafeMoveRip(), IntWinAgentHandleDriverVmcall(), IntWinAgentHandleLoader1Hypercall(), IntWinAgentRestoreState32(), IntWinAgentRestoreState64(), IntWinModBlockHandleExecution(), and IntWinProcHandleCreate().
| INTSTATUS IntSetXsaveArea | ( | DWORD | CpuNumber, |
| XSAVE_AREA * | XsaveArea | ||
| ) |
Sets the contents of the guest XSAVE area.
| [in] | CpuNumber | The CPU on which the XSAVE area contents are written. Can be IG_CURRENT_VCPU for this CPU |
| [in] | XsaveArea | Pointer to a XSAVE_AREA structure containing the buffer with the data to be written |
Definition at line 1097 of file introcpu.c.
Referenced by IntDecGetSetSseRegValue().
Queries the IA32_STAR, and IA32_LSTAR guest MSRs.
| [in] | CpuNumber | The CPU from which the MSRs are read. Can be IG_CURRENT_VCPU for this CPU |
| [out] | SysStar | On success, the value of the IA32_STAR MSR. May be NULL. |
| [out] | SysLstar | On success, the value of the IA32_LSTAR_MSR. May be NULL. |
Definition at line 635 of file introcpu.c.
Referenced by IntGuestDetectOs(), IntGuestHandleCr3Write(), IntLixGuestNew(), and IntWinGuestNew().
Queries the IA32_SYSENTER_CS, IA32_SYSENTER_EIP, and IA32_SYSENTER_ESP guest MSRs.
| [in] | CpuNumber | The CPU from which the MSRs are read. Can be IG_CURRENT_VCPU for this CPU |
| [out] | SysCs | On success, the value of the IA32_SYSENTER_CS MSR. May be NULL |
| [out] | SysEip | On success, the value of the IA32_SYSENTER_EIP MSR. May be NULL |
| [out] | SysEsp | On success, the value of the IA32_SYSENTER_ESP MSR. May be NULL |
Definition at line 571 of file introcpu.c.
Referenced by IntGuestDetectOs(), IntGuestHandleCr3Write(), and IntWinGuestNew().
1.8.13