Bitdefender Hypervisor Memory Introspection
Functions
| INTSTATUS | IntSplitVirtualAddress (QWORD VirtualAddress, DWORD *OffsetsCount, QWORD *OffsetsTrace) | Split a linear address into page-table indexes. |
| static INTSTATUS | IntIterateVirtualAddressSpaceRec (QWORD VirtualAddress, QWORD Cr3, QWORD CurrentPage, BYTE PagingMode, BYTE Level, PFUNC_VirtualAddressSpaceCallback Callback) | Iterate, recursively, an entire virtual address space. |
| INTSTATUS | IntIterateVirtualAddressSpace (QWORD Cr3, PFUNC_VirtualAddressSpaceCallback Callback) | Iterate an entire virtual address space. |
| INTSTATUS | IntValidateRangeForWrite (QWORD Cr3, QWORD VirtualAddress, DWORD Size, DWORD Ring) | Validate a range of virtual memory for write. |
| INTSTATUS | IntVirtMemSafeWrite (QWORD Cr3, QWORD VirtualAddress, DWORD Size, void *Buffer, DWORD Ring) | Safely modify guest memory. |
INTSTATUS IntIterateVirtualAddressSpace (QWORD Cr3, PFUNC_VirtualAddressSpaceCallback Callback)
Iterate an entire virtual address space.
Iterate the entire virtual address space identified by Cr3. For each valid, mapped linear address, it will call the provided callback, passing the virtual address, virtual address space, page size and the page-table entry as parameters.
Parameters
| [in] | Cr3 | Virtual address space to be iterated. |
| [in] | Callback | Callback to be called for each valid mapped linear address. |
Return values
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
Definition at line 327 of file kernvm.c.
Referenced by DbgIterateVaSpace(), DbgSearchVaSpace(), and IntIterateVaSpace().
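static INTSTATUS IntIterateVirtualAddressSpaceRec (QWORD VirtualAddress, QWORD Cr3, QWORD CurrentPage, BYTE PagingMode, BYTE Level, PFUNC_VirtualAddressSpaceCallback Callback)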
Iterate, recursively, an entire virtual address space.
Recursively iterate the entire virtual address space identified by Cr3. For each valid, mapped linear address, it will call the provided callback, passing the virtual address, virtual address space, page size and the page-table entry as parameters.
Parameters
| [in] | VirtualAddress | Current linear address. |
| [in] | Cr3 | Virtual address space to be iterated. |
| [in] | CurrentPage | Current page table to be parsed. |
| [in] | PagingMode | Paging mode: legacy, PAE, 4-level, 5-level. |
| [in] | Level | Current page-table level (PML4 = 0, PDP = 1, etc.). |
| [in] | Callback | Callback to be called for each valid mapped linear address. |
Return values
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
Definition at line 84 of file kernvm.c.
Referenced by IntIterateVirtualAddressSpace().
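The recursive walk described above, as an added example that is not taken from kernvm.c: it covers 4-level paging only and runs over a constructed in-memory array standing in for guest physical memory. The names `g_phys`, `walk`, `record`, `demo` and `struct seen` are hypothetical.

```c
#include <stdint.h>

#define PT_P    0x001ULL               /* present */
#define PT_PS   0x080ULL               /* large page (PDP/PD level) */
#define PT_ADDR 0x000FFFFFFFFFF000ULL  /* physical frame bits */
#define NFRAMES 5

static uint64_t g_phys[NFRAMES][512];  /* constructed guest memory: frame n at n * 4096 */

struct seen { unsigned count; uint64_t va[8], size[8], entry[8]; };
typedef void (*va_cb)(uint64_t va, uint64_t entry, uint64_t size, void *ctx);

static void record(uint64_t va, uint64_t entry, uint64_t size, void *ctx)
{
    struct seen *s = ctx;
    unsigned n = s->count++;
    if (n < 8) { s->va[n] = va; s->size[n] = size; s->entry[n] = entry; }
}

/* level: 0 = PML4, 1 = PDP, 2 = PD, 3 = PT (4-level paging only). */
static void walk(uint64_t table_pa, uint64_t va_base, int level, va_cb cb, void *ctx)
{
    unsigned shift = 39 - 9 * level;
    if ((table_pa >> 12) >= NFRAMES) return;   /* guest-controlled pointer: bound it */
    const uint64_t *table = g_phys[table_pa >> 12];
    for (uint64_t i = 0; i < 512; i++) {
        uint64_t e = table[i], va = va_base | (i << shift);
        if (!(e & PT_P)) continue;                          /* unmapped: skip subtree */
        if (level == 0 && i >= 256) va |= 0xFFFFULL << 48;  /* canonical upper half */
        if (level == 3 || (level > 0 && (e & PT_PS)))
            cb(va, e, 1ULL << shift, ctx);                  /* 4 KiB, 2 MiB or 1 GiB leaf */
        else
            walk(e & PT_ADDR, va, level + 1, cb, ctx);
    }
}

static struct seen demo(void)
{
    struct seen s = {0};
    g_phys[0][0]   = 0x1000 | PT_P;              /* PML4[0]   -> PDP, frame 1 */
    g_phys[1][0]   = 0x2000 | PT_P;              /* PDP[0]    -> PD, frame 2 */
    g_phys[2][0]   = 0x3000 | PT_P;              /* PD[0]     -> PT, frame 3 */
    g_phys[3][1]   = 0x5000 | PT_P;              /* PT[1]: 4 KiB page, VA 0x1000 */
    g_phys[2][1]   = 0x200000 | PT_P | PT_PS;    /* PD[1]: 2 MiB page, VA 0x200000 */
    g_phys[0][256] = 0x4000 | PT_P;              /* PML4[256] -> PDP, frame 4 */
    g_phys[4][0]   = 0x40000000 | PT_P | PT_PS;  /* 1 GiB page, VA 0xFFFF800000000000 */
    walk(0, 0, 0, record, &s);
    return s;
}
int main(void) { return demo().count == 3 ? 0 : 1; }
```

Recursion depth is bounded by the level counter, so a table entry that points back at its own table cannot make the walk loop forever.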
INTSTATUS IntSplitVirtualAddress (QWORD VirtualAddress, DWORD *OffsetsCount, QWORD *OffsetsTrace)
Split a linear address into page-table indexes.
Splits the given virtual address into indexes inside the paging structures. It handles every possible paging mode. For example, in 4-level paging, OffsetsTrace[0] will contain the PML4 index, OffsetsTrace[1] the PDP index, etc.
Parameters
| [in] | VirtualAddress | The virtual address to be split into indexes. |
| [out] | OffsetsCount | The number of offsets extracted. |
| [out] | OffsetsTrace | Will contain, upon return, each index inside each page-table level. |
Return values
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
Definition at line 12 of file kernvm.c.
Referenced by IntHookPtsHandleModification().
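How a linear address breaks down into per-level indexes in each paging mode, as an added example that is not the code from kernvm.c. The function `split_va`, the `paging_mode` enum and the explicit mode argument are hypothetical; the sample address is constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Paging modes listed on the page; these enum names are hypothetical. */
enum paging_mode { PM_LEGACY32, PM_PAE, PM_4LEVEL, PM_5LEVEL };

/* Split va into per-level table indexes, top level first (idx[0] is PML4 in
 * 4-level mode). Returns the number of indexes written, or 0 on bad input. */
static unsigned split_va(uint64_t va, enum paging_mode mode, uint64_t idx[5])
{
    unsigned levels, bits, top_bits;

    if (!idx) return 0;
    switch (mode) {
    case PM_LEGACY32: levels = 2; bits = 10; top_bits = 10; break; /* PD, PT */
    case PM_PAE:      levels = 3; bits = 9;  top_bits = 2;  break; /* 4-entry PDPT */
    case PM_4LEVEL:   levels = 4; bits = 9;  top_bits = 9;  break;
    case PM_5LEVEL:   levels = 5; bits = 9;  top_bits = 9;  break;
    default: return 0;
    }
    for (unsigned l = 0; l < levels; l++) {
        unsigned shift = 12 + bits * (levels - 1 - l);  /* 12 = page-offset bits */
        unsigned width = (l == 0) ? top_bits : bits;
        idx[l] = (va >> shift) & ((1ULL << width) - 1);
    }
    return levels;
}

int main(void)
{
    uint64_t idx[5], va = 0xFFFFF80012345678ULL;  /* constructed sample address */
    unsigned n = split_va(va, PM_4LEVEL, idx);
    for (unsigned i = 0; i < n; i++)
        printf("level %u index 0x%llx\n", i, (unsigned long long)idx[i]);
    return 0;
}
```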
INTSTATUS IntValidateRangeForWrite (QWORD Cr3, QWORD VirtualAddress, DWORD Size, DWORD Ring)
Validate a range of virtual memory for write.
This function will make sure that the virtual address range [VirtualAddress, VirtualAddress + Size] is accessible:
Parameters
| [in] | Cr3 | Virtual address space for the modification. |
| [in] | VirtualAddress | Virtual address to be validated. |
| [in] | Size | Size of the write. |
| [in] | Ring | Required privilege level for the write. |
Return values
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_PAGE_NOT_PRESENT | If the page is not present. |
| INT_STATUS_ACCESS_DENIED | If at least one check did not pass, and the caller should not write the target address. |
INTSTATUS IntVirtMemSafeWrite (QWORD Cr3, QWORD VirtualAddress, DWORD Size, void *Buffer, DWORD Ring)
Safely modify guest memory.
Safely write the destination virtual address, after making sure that all checks have passed, by calling IntValidateRangeForWrite.
Parameters
| [in] | Cr3 | Target virtual address space. |
| [in] | VirtualAddress | Virtual address to be modified. |
| [in] | Size | Number of bytes to write at VirtualAddress. |
| [in] | Buffer | The source buffer. |
| [in] | Ring | The required privilege level for the write. |
Return values
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INSUFFICIENT_RESOURCES | If a memory allocation function failed. |
| INT_STATUS_PAGE_NOT_PRESENT | If the target page is not present. |
| INT_STATUS_ACCESS_DENIED | If at least one check failed, and it is not safe to modify VirtualAddress. |
Definition at line 498 of file kernvm.c.
Referenced by IntDetPatchArgument(), IntLixDepDeployFileHypercall(), IntLixTaskMarkAgent(), IntPtiDeliverDriverForLoad(), IntPtiRemoveInstruction(), IntSetValueForOperand(), IntVeDeliverDriverForLoad(), IntVePatchVeCoreJmpKiKernelExit(), IntVePatchVeCoreJmpTrampoline(), IntWinAgentDeployWinDriver(), IntWinAgentHandleDriverVmcall(), IntWinAgentHandleLoader1Hypercall(), IntWinIntObjHandleArrayModification(), IntWinIntObjHandleObjectModification(), IntWinProcEnforceProcessDep(), IntWinProcMarkAgent(), IntWinProcMarkAsSystemProcess(), IntWinProcPatchSpareValue(), IntWinProcRemoveProcess(), IntWinProcValidateSystemCr3(), IntWinSDCheckAclIntegrity(), and IntWinSDCheckSecDescIntegrity().