Bitdefender Hypervisor Memory Introspection
kernvm.h File Reference
#include "introcore.h"


Data Structures

struct _MPX_BOUND
 An MPX bound structure.

struct _MPX_TRANSLATION
 An MPX translation structure.


Typedefs

typedef struct _MPX_BOUND MPX_BOUND
 An MPX bound structure.

typedef struct _MPX_BOUND * PMPX_BOUND

typedef struct _MPX_TRANSLATION MPX_TRANSLATION
 An MPX translation structure.

typedef struct _MPX_TRANSLATION * PMPX_TRANSLATION
 

Functions

INTSTATUS IntSplitVirtualAddress (QWORD VirtualAddress, DWORD *OffsetsCount, QWORD *OffsetsTrace)
 Split a linear address into page-table indexes.

INTSTATUS IntIterateVirtualAddressSpace (QWORD Cr3, PFUNC_VirtualAddressSpaceCallback Callback)
 Iterate an entire virtual address space.

INTSTATUS IntValidateRangeForWrite (QWORD Cr3, QWORD VirtualAddress, DWORD Size, DWORD Ring)
 Validate a range of virtual memory for write.

INTSTATUS IntVirtMemSafeWrite (QWORD Cr3, QWORD VirtualAddress, DWORD Size, void *Buffer, DWORD Ring)
 Safely modify guest memory.
 

Typedef Documentation

◆ MPX_BOUND

typedef struct _MPX_BOUND MPX_BOUND

An MPX bound structure.

◆ MPX_TRANSLATION

typedef struct _MPX_TRANSLATION MPX_TRANSLATION

An MPX translation structure.

◆ PMPX_BOUND

typedef struct _MPX_BOUND * PMPX_BOUND

◆ PMPX_TRANSLATION

typedef struct _MPX_TRANSLATION * PMPX_TRANSLATION

Function Documentation

◆ IntIterateVirtualAddressSpace()

INTSTATUS IntIterateVirtualAddressSpace (QWORD Cr3, PFUNC_VirtualAddressSpaceCallback Callback)

Iterate an entire virtual address space.

Iterates the entire virtual address space identified by Cr3. For each valid, mapped linear address, it calls the provided callback, passing the virtual address, the virtual address space, the page size and the page-table entry as parameters.

Parameters
[in] Cr3: Virtual address space to be iterated.
[in] Callback: Callback to be called for each valid mapped linear address.
Return values
INT_STATUS_SUCCESS: On success.
INT_STATUS_INVALID_PARAMETER: If an invalid parameter is supplied.

Definition at line 327 of file kernvm.c.

Referenced by DbgIterateVaSpace(), DbgSearchVaSpace(), and IntIterateVaSpace().

◆ IntSplitVirtualAddress()

INTSTATUS IntSplitVirtualAddress (QWORD VirtualAddress, DWORD *OffsetsCount, QWORD *OffsetsTrace)

Split a linear address into page-table indexes.

Splits the given virtual address into the indexes used inside the paging structures. It handles every possible paging mode. For example, in 4-level paging, OffsetsTrace[0] will contain the PML4 index, OffsetsTrace[1] the PDP index, and so on.

Parameters
[in] VirtualAddress: The virtual address to be split into indexes.
[out] OffsetsCount: The number of offsets extracted.
[out] OffsetsTrace: Will contain, upon return, the index inside each page-table level.
Return values
INT_STATUS_SUCCESS: On success.
INT_STATUS_INVALID_PARAMETER: If an invalid parameter is supplied.

Definition at line 12 of file kernvm.c.

Referenced by IntHookPtsHandleModification().
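An added example, not HVMI code, that works through the split described above for every paging mode rather than only the 4-level case: the PAGING_MODE enum, the PAGING_LAYOUT table and the SplitVirtualAddress and PageOffset helpers are this example's own names, and it takes the paging mode as an explicit argument instead of deriving it from the guest's control registers.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Paging modes handled; this hypothetical enum and the table below are this example's own. */
typedef enum { PAGING_32BIT, PAGING_PAE, PAGING_4LEVEL, PAGING_5LEVEL } PAGING_MODE;

/* Per mode: number of paging levels, how many low bits of the linear address the paging
 * structures decode, and the bit where each level's index starts, listed from the top-level
 * structure down (so trace[0] is the PML4 index in 4-level paging). */
typedef struct { int levels; int linear_bits; int shift[5]; } PAGING_LAYOUT;

static const PAGING_LAYOUT g_layout[] = {
    [PAGING_32BIT]  = { 2, 32, { 22, 12 } },              /* PD, PT                 */
    [PAGING_PAE]    = { 3, 32, { 30, 21, 12 } },          /* PDPT, PD, PT           */
    [PAGING_4LEVEL] = { 4, 48, { 39, 30, 21, 12 } },      /* PML4, PDP, PD, PT      */
    [PAGING_5LEVEL] = { 5, 57, { 48, 39, 30, 21, 12 } },  /* PML5, PML4, PDP, PD, PT */
};

/* Split va into one index per paging level; returns 0 on success, -1 on a bad argument.
 * Each index is the run of bits between this level's shift and the next higher level's
 * shift (or the top of the decoded linear address for the first level). */
static int SplitVirtualAddress(uint64_t va, PAGING_MODE mode, uint32_t *count, uint64_t trace[5])
{
    if (count == NULL || trace == NULL || (unsigned)mode > PAGING_5LEVEL) return -1;
    const PAGING_LAYOUT *l = &g_layout[mode];
    for (int i = 0; i < l->levels; i++) {
        int top   = (i == 0) ? l->linear_bits : l->shift[i - 1];
        int width = top - l->shift[i];
        trace[i]  = (va >> l->shift[i]) & ((1ull << width) - 1);
    }
    *count = (uint32_t)l->levels;
    return 0;
}

/* The page offset is whatever sits below the last level; 4 KiB pages are assumed here. */
static uint64_t PageOffset(uint64_t va) { return va & 0xFFF; }

/* Stand-alone demo on a constructed, canonical x86-64 kernel address. */
int main(void)
{
    uint64_t trace[5]; uint32_t n;
    uint64_t va = 0xFFFFF80012345678ull;  /* constructed sample address */
    SplitVirtualAddress(va, PAGING_4LEVEL, &n, trace);
    for (uint32_t i = 0; i < n; i++) printf("level %u index %llu\n", i, (unsigned long long)trace[i]);
    printf("offset 0x%llx\n", (unsigned long long)PageOffset(va));
    return 0;
}
```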

◆ IntValidateRangeForWrite()

INTSTATUS IntValidateRangeForWrite (QWORD Cr3, QWORD VirtualAddress, DWORD Size, DWORD Ring)

Validate a range of virtual memory for write.

This function makes sure that the virtual address range [VirtualAddress, VirtualAddress + Size] is accessible:

  • each page must be mapped
  • each page must be writable
  • each page must be a kernel page if Ring is 0, or a user page if Ring is 3
  • each page must be writable in EPT

Note: when writing guest memory, it is strongly recommended to pause all the VCPUs while this and the write functions are called; this eliminates race conditions an attacker could induce in order to make the introspection engine modify unintended memory areas.

Parameters
[in] Cr3: Virtual address space for the modification.
[in] VirtualAddress: Virtual address to be validated.
[in] Size: Size of the write.
[in] Ring: Required privilege level for the write.
Return values
INT_STATUS_SUCCESS: On success.
INT_STATUS_PAGE_NOT_PRESENT: If the page is not present.
INT_STATUS_ACCESS_DENIED: If at least one check did not pass, and the caller should not write the target address.

Definition at line 406 of file kernvm.c.
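An added example, not HVMI code, of the four checks above applied page by page over a range that may straddle page boundaries, so a write is rejected if any page it touches fails a check. The real page walk and EPT lookup are replaced by a constructed table (g_pages, LookupPage), and the status names and ValidateRangeForWrite are this example's own.

```c
#include <stdint.h>
#include <stddef.h>

/* Return codes named after the ones the page documents; the values are this example's own. */
enum { STATUS_SUCCESS = 0, STATUS_INVALID_PARAMETER, STATUS_PAGE_NOT_PRESENT, STATUS_ACCESS_DENIED };

/* Guest PTE bits the checks need (x86 layout), plus a per-page EPT write flag. */
#define PTE_PRESENT  0x1ull
#define PTE_WRITE    0x2ull
#define PTE_USER     0x4ull
#define VM_PAGE_SIZE 4096ull
#define VM_PAGE_MASK (~(VM_PAGE_SIZE - 1))

/* Constructed stand-in for a page walk: guest PTE and EPT writability of a few 4 KiB pages. */
typedef struct { uint64_t page_va; uint64_t pte; int ept_writable; } FAKE_PAGE;
static const FAKE_PAGE g_pages[] = {
    { 0xFFFF800000001000ull, PTE_PRESENT | PTE_WRITE,            1 }, /* kernel, writable      */
    { 0xFFFF800000002000ull, PTE_PRESENT | PTE_WRITE,            0 }, /* kernel, EPT read-only */
    { 0x0000000000400000ull, PTE_PRESENT | PTE_WRITE | PTE_USER, 1 }, /* user, writable        */
    { 0x0000000000401000ull, PTE_PRESENT | PTE_USER,             1 }, /* user, read-only       */
};

static const FAKE_PAGE *LookupPage(uint64_t page_va)
{
    for (size_t i = 0; i < sizeof g_pages / sizeof g_pages[0]; i++)
        if (g_pages[i].page_va == page_va) return &g_pages[i];
    return NULL;  /* not mapped at all */
}

/* Walk every page touched by the Size bytes at va and apply the four checks in order.
 * The range is rejected as soon as any page it covers fails a check. */
static int ValidateRangeForWrite(uint64_t va, uint32_t size, uint32_t ring)
{
    if (size == 0 || (ring != 0 && ring != 3)) return STATUS_INVALID_PARAMETER;
    uint64_t last = (va + size - 1) & VM_PAGE_MASK;   /* page holding the final byte written */
    for (uint64_t page = va & VM_PAGE_MASK; ; page += VM_PAGE_SIZE) {
        const FAKE_PAGE *p = LookupPage(page);
        if (p == NULL || !(p->pte & PTE_PRESENT)) return STATUS_PAGE_NOT_PRESENT;
        if (!(p->pte & PTE_WRITE))                return STATUS_ACCESS_DENIED;
        int user = (p->pte & PTE_USER) != 0;      /* U/S bit: kernel page when clear */
        if ((ring == 0 && user) || (ring == 3 && !user)) return STATUS_ACCESS_DENIED;
        if (!p->ept_writable)                     return STATUS_ACCESS_DENIED;
        if (page == last) break;
    }
    return STATUS_SUCCESS;
}
```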

◆ IntVirtMemSafeWrite()

INTSTATUS IntVirtMemSafeWrite (QWORD Cr3, QWORD VirtualAddress, DWORD Size, void *Buffer, DWORD Ring)

Safely modify guest memory.

Safely writes the destination virtual address, after making sure that all checks have passed, by calling IntValidateRangeForWrite.

Parameters
[in] Cr3: Target virtual address space.
[in] VirtualAddress: Virtual address to be modified.
[in] Size: Number of bytes to write at VirtualAddress.
[in] Buffer: The source buffer.
[in] Ring: The required privilege level for the write.
Return values
INT_STATUS_SUCCESS: On success.
INT_STATUS_INSUFFICIENT_RESOURCES: If a memory allocation function failed.
INT_STATUS_PAGE_NOT_PRESENT: If the target page is not present.
INT_STATUS_ACCESS_DENIED: If at least one check failed, and it is not safe to modify VirtualAddress.

Definition at line 498 of file kernvm.c.

Referenced by IntDetPatchArgument(), IntLixDepDeployFileHypercall(), IntLixTaskMarkAgent(), IntPtiDeliverDriverForLoad(), IntPtiRemoveInstruction(), IntSetValueForOperand(), IntVeDeliverDriverForLoad(), IntVePatchVeCoreJmpKiKernelExit(), IntVePatchVeCoreJmpTrampoline(), IntWinAgentDeployWinDriver(), IntWinAgentHandleDriverVmcall(), IntWinAgentHandleLoader1Hypercall(), IntWinIntObjHandleArrayModification(), IntWinIntObjHandleObjectModification(), IntWinProcEnforceProcessDep(), IntWinProcMarkAgent(), IntWinProcMarkAsSystemProcess(), IntWinProcPatchSpareValue(), IntWinProcRemoveProcess(), IntWinProcValidateSystemCr3(), IntWinSDCheckAclIntegrity(), and IntWinSDCheckSecDescIntegrity().