Go to the source code of this file.
|
INTSTATUS | IntSplitVirtualAddress (QWORD VirtualAddress, DWORD *OffsetsCount, QWORD *OffsetsTrace) |
| Split a linear address into page-table indexes. More...
|
|
INTSTATUS | IntIterateVirtualAddressSpace (QWORD Cr3, PFUNC_VirtualAddressSpaceCallback Callback) |
| Iterate an entire virtual address space. More...
|
|
INTSTATUS | IntValidateRangeForWrite (QWORD Cr3, QWORD VirtualAddress, DWORD Size, DWORD Ring) |
| Validate a range of virtual memory for write. More...
|
|
INTSTATUS | IntVirtMemSafeWrite (QWORD Cr3, QWORD VirtualAddress, DWORD Size, void *Buffer, DWORD Ring) |
| Safely modify guest memory. More...
|
|
◆ MPX_BOUND
◆ MPX_TRANSLATION
A MPX translation structure.
◆ PMPX_BOUND
◆ PMPX_TRANSLATION
◆ IntIterateVirtualAddressSpace()
Iterate an entire virtual address space.
Iterate the entire virtual address space identified by Cr3. For each valid, mapped linear address, it will call the provided callback, passing the virtual address, virtual address space, page size and the page-table entry as parameters.
- Parameters
-
[in] | Cr3 | Virtual address space to be iterated. |
[in] | Callback | Callback to be called for each valid mapped linear address. |
- Return values
-
Definition at line 327 of file kernvm.c.
Referenced by DbgIterateVaSpace(), DbgSearchVaSpace(), and IntIterateVaSpace().
◆ IntSplitVirtualAddress()
Split a linear address into page-table indexes.
Splits the given virtual address in indexes inside the paging structures. It handles every possible paging mode. For example, in 4 level paging, OffsetsTrace[0] will contain PML4 index, OffsetsTrace[1], PDP index, etc.
- Parameters
-
[in] | VirtualAddress | The virtual address to be split in indexes. |
[out] | OffsetsCount | The number of offsets extracted. |
[out] | OffsetsTrace | Will contain, upon return, each index inside each page-table level. |
- Return values
-
Definition at line 12 of file kernvm.c.
Referenced by IntHookPtsHandleModification().
◆ IntValidateRangeForWrite()
Validate a range of virtual memory for write.
This function will make sure that the virtual address range [VirtualAddress, VirtualAddress + Size] is accessible:
- each page must be mapped
- each page must be writable
- each page must be kernel page if ring is 0, user page if ring is 3
- each page must be writable in EPT Note: when writing guest memory, it is highly indicated to pause all the VCPUS while this and the write functions are called; this eliminates possible race conditions induced by an attacker in order to make us modify undesired memory areas.
- Parameters
-
[in] | Cr3 | Virtual address space for the modification. |
[in] | VirtualAddress | Virtual address to be validated. |
[in] | Size | Size of the write. |
[in] | Ring | Required privilege level for the write. |
- Return values
-
Definition at line 406 of file kernvm.c.
◆ IntVirtMemSafeWrite()
Safely modify guest memory.
Safely write the destination virtual address, after making sure that all checks have passed, by calling IntValidateRangeForWrite.
- Parameters
-
[in] | Cr3 | Target virtual address space. |
[in] | VirtualAddress | Virtual address to be modified. |
[in] | Size | Number of bytes to write at VirtualAddress. |
[in] | Buffer | The source buffer. |
[in] | Ring | The required privilege level for the write. |
- Return values
-
Definition at line 498 of file kernvm.c.
Referenced by IntDetPatchArgument(), IntLixDepDeployFileHypercall(), IntLixTaskMarkAgent(), IntPtiDeliverDriverForLoad(), IntPtiRemoveInstruction(), IntSetValueForOperand(), IntVeDeliverDriverForLoad(), IntVePatchVeCoreJmpKiKernelExit(), IntVePatchVeCoreJmpTrampoline(), IntWinAgentDeployWinDriver(), IntWinAgentHandleDriverVmcall(), IntWinAgentHandleLoader1Hypercall(), IntWinIntObjHandleArrayModification(), IntWinIntObjHandleObjectModification(), IntWinProcEnforceProcessDep(), IntWinProcMarkAgent(), IntWinProcMarkAsSystemProcess(), IntWinProcPatchSpareValue(), IntWinProcRemoveProcess(), IntWinProcValidateSystemCr3(), IntWinSDCheckAclIntegrity(), and IntWinSDCheckSecDescIntegrity().