- Generated by
1.8.13
|
Bitdefender Hypervisor Memory Introspection
|
Go to the source code of this file.
Data Structures | |
| struct | _LIX_AGENT_HEADER |
| Header with information about running code inside the guest. More... | |
| struct | _LIX_AGENT_TOKEN |
| The tokens used by an agent. More... | |
| struct | _LIX_AGENT_DATA |
| Describes the data of an agent. More... | |
| struct | _LIX_AGENT_THREAD |
| Describes an agent-thread running inside the guest. More... | |
| struct | _LIX_AGENT |
| Describe an agent running inside the guest. More... | |
| struct | _LIX_AGENT_FUNCTIONS_LIST |
| A list of functions required by agent. More... | |
| struct | _LIX_AGENT_FUNCTINS |
| The functions required by the agent. More... | |
| struct | _LIX_AGENT_HANDLER |
| Describes a handlers that contains the data required by the agent. More... | |
| struct | _LIX_AGENT_INIT_ARGS |
| Arguments of the init agent. More... | |
| struct | _LIX_AGENT_UNINIT_ARGS |
| Arguments of the uninit agent. More... | |
| struct | _LIX_AGENT_CREATE_THREAD_ARGS |
| Arguments of the create-thread agent. More... | |
| struct | _LIX_AGENT_THREAD_DEPLOY_FILE_ARGS |
| Arguments of the deploy-file agent. More... | |
| struct | _LIX_AGENT_THREAD_DEPLOY_FILE_EXEC_ARGS |
| Arguments of the exec agent. More... | |
| struct | _LIX_AGENT_THREAD_RUN_CLI_ARGS |
| Arguments of the run command-line agent. More... | |
Macros | |
| #define | LIX_AGENT_MAX_FUNCTIONS 256 |
| #define | LIX_AGENT_MAX_NAME_LENGTH 128 |
| #define | LIX_AGENT_MAX_ARGS_LENGTH 1024 |
Enumerations | |
| enum | _LIX_AGENT_HYPERCALL { lixAgentHypercallNone = 0, lixAgentHypercallVmcall, lixAgentHypercallInt3 } |
| Agent hypercall type. More... | |
| enum | _LIX_AGENT_TAG { lixAgTagNone = 0, lixAgTagInit, lixAgTagUninit, lixAgTagCreateThread, lixAgThreadTagDeployFile, lixAgThreadTagDeployFileExec, lixAgThreadTagRunCommand } |
| Tag used to identify an agent with a handler. More... | |
Functions | |
| INTSTATUS | IntLixAgentInject (LIX_AGENT_TAG Tag, PFUNC_AgentCallbackHypercall HypercallCallback, PFUNC_AgentCallbackCompletion CompletionCallback) |
| Schedule an agent injection inside the guest. More... | |
| INTSTATUS | IntLixAgentThreadInject (LIX_AGENT_TAG Tag, DWORD TagEx, AGENT_TYPE AgentType, PFUNC_AgentCallbackHypercall HypercallCallback, PFUNC_AgentCallbackCompletion CompletionCallback, const char *Name, BYTE *ContentAddress, DWORD ContentSize) |
| Schedule an thread-agent injection inside the guest. More... | |
| INTSTATUS | IntLixAgentActivatePendingAgent (void) |
| Activates a pending agent that waits to be injected. More... | |
| void | IntLixAgentEnableInjection (void) |
| Enables agent injections. More... | |
| AG_WAITSTATE | IntLixAgentGetState (DWORD *Tag) |
| Gets the global agents state. More... | |
| void | IntLixAgentDisablePendingAgents (void) |
| Disables all pending agents. More... | |
| void | IntLixAgentNameRemoveByAgid (DWORD Agid) |
| Iterates through all agent names and removes the entry that contains the provided ID. More... | |
| DWORD | IntLixAgentNameGetTagByAgid (DWORD Agid) |
| Iterates through all agent names and returns the tag of the agent that has the provided agent ID. More... | |
| LIX_AGENT_TAG | IntLixAgentIncProcRef (const char *Name) |
| Checks if a process is an agent or not, and increments the ref count of that name. More... | |
| LIX_AGENT_TAG | IntLixAgentDecProcRef (const char *Name, BOOLEAN *Removed) |
| Checks if a process is an agent or not, and decrements the ref count of that name. More... | |
| INTSTATUS | IntLixAgentHandleInt3 (QWORD Rip) |
| Called when a INT3 instruction from the current running agent is executed. More... | |
| INTSTATUS | IntLixAgentHandleVmcall (QWORD Rip) |
| Handle a VMCALL that was executed inside the guest. More... | |
| void | IntLixAgentInit (void) |
| Initialize the agents state. More... | |
| INTSTATUS | IntLixAgentUninit (void) |
| Uninit the agents state. More... | |
| LIX_AGENT_HANDLER * | IntLixAgentGetHandlerByTag (LIX_AGENT_TAG AgentTag) |
| Iterates through all agent handlers and search the entry that has the provided tag. More... | |
| LIX_AGENT_HANDLER * | IntLixAgentThreadGetHandlerByTag (LIX_AGENT_TAG AgentTag, LIX_AGENT_TAG ThreadTag) |
| Iterates through all thread-agent handlers and search the entry that has the provided tag. More... | |
| void | IntLixAgentSendEvent (AGENT_EVENT_TYPE Event, DWORD AgentTag, DWORD ErrorCode) |
| Send an event to the integrator that contains the AGENT_EVENT_TYPE, tag of the agent and the last error code. More... | |
| #define LIX_AGENT_MAX_ARGS_LENGTH 1024 |
Definition at line 14 of file lixagent.h.
Referenced by IntLixDepInjectProcess().
| #define LIX_AGENT_MAX_FUNCTIONS 256 |
Definition at line 11 of file lixagent.h.
| #define LIX_AGENT_MAX_NAME_LENGTH 128 |
Definition at line 13 of file lixagent.h.
| typedef struct _LIX_AGENT LIX_AGENT |
Describe an agent running inside the guest.
| typedef struct _LIX_AGENT_CREATE_THREAD_ARGS LIX_AGENT_CREATE_THREAD_ARGS |
Arguments of the create-thread agent.
| typedef struct _LIX_AGENT_DATA LIX_AGENT_DATA |
Describes the data of an agent.
| typedef struct _LIX_AGENT_FUNCTINS LIX_AGENT_FUNCTIONS |
The functions required by the agent.
| typedef struct _LIX_AGENT_FUNCTIONS_LIST LIX_AGENT_FUNCTIONS_LIST |
A list of functions required by agent.
| typedef struct _LIX_AGENT_HANDLER LIX_AGENT_HANDLER |
Describes a handlers that contains the data required by the agent.
| typedef struct _LIX_AGENT_HEADER LIX_AGENT_HEADER |
Header with information about running code inside the guest.
| typedef enum _LIX_AGENT_HYPERCALL LIX_AGENT_HYPERCALL |
Agent hypercall type.
| typedef struct _LIX_AGENT_INIT_ARGS LIX_AGENT_INIT_ARGS |
Arguments of the init agent.
| typedef enum _LIX_AGENT_TAG LIX_AGENT_TAG |
Tag used to identify an agent with a handler.
| typedef struct _LIX_AGENT_THREAD LIX_AGENT_THREAD |
Describes an agent-thread running inside the guest.
Arguments of the deploy-file agent.
Arguments of the exec agent.
| typedef struct _LIX_AGENT_THREAD_RUN_CLI_ARGS LIX_AGENT_THREAD_RUN_CLI_ARGS |
Arguments of the run command-line agent.
| typedef struct _LIX_AGENT_TOKEN LIX_AGENT_TOKEN |
The tokens used by an agent.
| typedef struct _LIX_AGENT_UNINIT_ARGS LIX_AGENT_UNINIT_ARGS |
Arguments of the uninit agent.
| typedef struct _LIX_TASK_OBJECT LIX_TASK_OBJECT |
Definition at line 17 of file lixagent.h.
| typedef INTSTATUS(* PFUNC_AgentCallbackCompletion) (void *Context) |
Completion callback prototype.
| [in] | Context | The running agent. |
Definition at line 38 of file lixagent.h.
| typedef INTSTATUS(* PFUNC_AgentCallbackHypercall) (void *Context) |
Hypercall callback prototype.
| [in] | Context | The running agent. |
Definition at line 26 of file lixagent.h.
| typedef struct _LIX_AGENT * PLIX_AGENT |
| typedef struct _LIX_AGENT_CREATE_THREAD_ARGS * PLIX_AGENT_CREATE_THREAD_ARGS |
| typedef struct _LIX_AGENT_DATA * PLIX_AGENT_DATA |
| typedef struct _LIX_AGENT_FUNCTINS * PLIX_AGENT_FUNCTIONS |
| typedef struct _LIX_AGENT_FUNCTIONS_LIST * PLIX_AGENT_FUNCTIONS_LIST |
| typedef struct _LIX_AGENT_HANDLER * PLIX_AGENT_HANDLER |
| typedef struct _LIX_AGENT_HEADER * PLIX_AGENT_HEADER |
| typedef struct _LIX_AGENT_INIT_ARGS * PLIX_AGENT_INIT_ARGS |
| typedef struct _LIX_AGENT_THREAD * PLIX_AGENT_THREAD |
| typedef struct _LIX_AGENT_THREAD_DEPLOY_FILE_ARGS * PLIX_AGENT_THREAD_DEPLOY_FILE_ARGS |
| typedef struct _LIX_AGENT_THREAD_RUN_CLI_ARGS * PLIX_AGENT_THREAD_RUN_CLI_ARGS |
| typedef struct _LIX_AGENT_UNINIT_ARGS * PLIX_AGENT_UNINIT_ARGS |
| enum _LIX_AGENT_HYPERCALL |
Agent hypercall type.
| Enumerator | |
|---|---|
| lixAgentHypercallNone | Invalid hypercall type. |
| lixAgentHypercallVmcall | Hypercall using VMCALL instruction. |
| lixAgentHypercallInt3 | Hypercall using INT3 instruction. |
Definition at line 45 of file lixagent.h.
| enum _LIX_AGENT_TAG |
Tag used to identify an agent with a handler.
Definition at line 56 of file lixagent.h.
| INTSTATUS IntLixAgentActivatePendingAgent | ( | void | ) |
Activates a pending agent that waits to be injected.
The steps required to activate a pending agent are:
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_INITIALIZED | If is not safe to inject the agent; |
| INT_STATUS_NOT_NEEDED_HINT | If no agent waits to be injected; if an agent is already running. |
| INT_STATUS_ALREADY_INITIALIZED | If an agent with the same name is already running. |
| INT_STATUS_INSUFFICIENT_RESOURCES | If the memory alloc fails. |
Definition at line 1082 of file lixagent.c.
Referenced by IntAgentActivatePendingAgent(), IntLixAgentEnableInjection(), IntLixAgentExit(), IntLixAgentInject(), IntLixAgentThreadExit(), and IntLixAgentThreadInject().
| LIX_AGENT_TAG IntLixAgentDecProcRef | ( | const char * | Name, |
| BOOLEAN * | Removed | ||
| ) |
Checks if a process is an agent or not, and decrements the ref count of that name.
Each time a process terminates, we check if it was an agent, and we decrement the reference count if its name. Once the reference count of an agent name reaches 0, it will be removed.
| [in] | Name | The image name of the process which is checked. |
| [out] | Removed | True if the agent was removed. |
| The | agent tag, if the process is found to be an agent. |
Definition at line 1907 of file lixagent.c.
Referenced by IntLixTaskDestroy(), and IntLixTaskHandleExec().
| void IntLixAgentDisablePendingAgents | ( | void | ) |
Disables all pending agents.
This function should be called during the uninit phase, as it will disable all the pending agents. These agents will never be injected inside the guest.
Definition at line 1844 of file lixagent.c.
Referenced by IntAgentDisablePendingAgents(), and IntLixGuestNew().
| void IntLixAgentEnableInjection | ( | void | ) |
Enables agent injections.
Definition at line 1964 of file lixagent.c.
Referenced by IntAgentEnableInjection(), and IntLixGuestNew().
| LIX_AGENT_HANDLER* IntLixAgentGetHandlerByTag | ( | LIX_AGENT_TAG | AgentTag | ) |
Iterates through all agent handlers and search the entry that has the provided tag.
| [in] | AgentTag | The agent tag. |
| On | success, returns the found handler, otherwise returns NULL. |
Definition at line 408 of file lixaghnd.c.
Referenced by IntLixAgentCreate(), IntLixAgentThreadGetHandlerByTag(), IntLixGuestAllocate(), and IntLixGuestDeployUninitAgent().
| AG_WAITSTATE IntLixAgentGetState | ( | DWORD * | Tag | ) |
Gets the global agents state.
| [out] | Tag | Optional agent tag, if an agent is active or pending. |
| agActive | If there's an active agent. |
| agWaiting | If there's a pending agent. |
| agNone | If there are no active or pending agents. |
Definition at line 1804 of file lixagent.c.
Referenced by IntAgentGetState().
Called when a INT3 instruction from the current running agent is executed.
This function checks if the INT3 instruction is the previously replaced instruction. If true and the instruction is not restored the IntLixAgentStart is called to start the current agent (the instruction is restored only if another CPU already restored the instruction). Otherwise the function checks if the RIP comes from our agents and handles the breakpoint.
| [in] | Rip | The address of the INT3 instruction. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_FOUND | If the breakpoint is generated from an unrecognized RIP. |
Definition at line 1573 of file lixagent.c.
Referenced by IntAgentHandleInt3().
Handle a VMCALL that was executed inside the guest.
This function handles VMCALLs that took place inside the guest.
| [in] | Rip | The address of the VMCALL instruction. |
| INT_STATUS_SUCCESS | On success. |
Definition at line 1760 of file lixagent.c.
Referenced by IntAgentHandleVmcall().
| LIX_AGENT_TAG IntLixAgentIncProcRef | ( | const char * | Name | ) |
Checks if a process is an agent or not, and increments the ref count of that name.
Each time a process is created, we check if its name matches the name of a previously injected agent. If it does, we flag that process as an agent, and we increment the reference count of the name.
| [in] | Name | The image name of the process which is checked. |
| The | agent tag, if the process is found to be an agent. |
Definition at line 1869 of file lixagent.c.
Referenced by IntLixTaskCreate(), and IntLixTaskHandleExec().
| void IntLixAgentInit | ( | void | ) |
Initialize the agents state.
Definition at line 1978 of file lixagent.c.
Referenced by IntLixGuestNew().
| INTSTATUS IntLixAgentInject | ( | LIX_AGENT_TAG | Tag, |
| PFUNC_AgentCallbackHypercall | HypercallCallback, | ||
| PFUNC_AgentCallbackCompletion | CompletionCallback | ||
| ) |
Schedule an agent injection inside the guest.
This function schedule the injection of an agent identified by the LIX_AGENT_TAG inside the guest space. This function is used directly only for internal agents (init/uninit).
| [in] | Tag | The internal LIX_AGENT_TAG of the agent. |
| [in] | HypercallCallback | This callback can be called during the agent execution. |
| [in] | CompletionCallback | This callback is called when the agent has finished execution. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_INITIALIZED | If the agent state is not initialized. |
| INT_STATUS_NOT_FOUND | If the LIX_AGENT_HANDLER is not found. |
| INT_STATUS_INSUFFICIENT_RESOURCES | If the memory alloc fails. |
Definition at line 896 of file lixagent.c.
Referenced by IntLixGuestAllocate(), and IntLixGuestDeployUninitAgent().
Iterates through all agent names and returns the tag of the agent that has the provided agent ID.
| [in] | Agid | The agent ID. |
| The | tag of the agent that has the provided agent ID. |
Definition at line 312 of file lixagent.c.
Referenced by IntLixAgentHandleUserVmcall().
| void IntLixAgentNameRemoveByAgid | ( | DWORD | Agid | ) |
Iterates through all agent names and removes the entry that contains the provided ID.
| [in] | Agid | The agent ID. |
Definition at line 285 of file lixagent.c.
Referenced by IntLixAgentError(), IntLixAgentHandleUserVmcall(), and IntLixAgentThreadError().
| void IntLixAgentSendEvent | ( | AGENT_EVENT_TYPE | Event, |
| DWORD | AgentTag, | ||
| DWORD | ErrorCode | ||
| ) |
Send an event to the integrator that contains the AGENT_EVENT_TYPE, tag of the agent and the last error code.
| [in] | Event | The type of the event. |
| [in] | AgentTag | The tag of the agent |
| [in] | ErrorCode | The last error-code of the agent. |
Definition at line 2119 of file lixagent.c.
Referenced by IntLixAgentCreateThreadCompletion(), IntLixAgentCreateThreadHypercall(), IntLixAgentError(), IntLixAgentStart(), IntLixAgentThreadError(), and IntLixDepComplete().
| LIX_AGENT_HANDLER* IntLixAgentThreadGetHandlerByTag | ( | LIX_AGENT_TAG | AgentTag, |
| LIX_AGENT_TAG | ThreadTag | ||
| ) |
Iterates through all thread-agent handlers and search the entry that has the provided tag.
| [in] | AgentTag | The agent tag. |
| [in] | ThreadTag | The thread-agent tag. |
| On | success, returns the found handler, otherwise returns NULL. |
Definition at line 432 of file lixaghnd.c.
Referenced by IntLixAgentThreadCreate(), IntLixDepInjectFile(), IntLixDepInjectProcess(), and IntLixDepRunCommand().
| INTSTATUS IntLixAgentThreadInject | ( | LIX_AGENT_TAG | Tag, |
| DWORD | TagEx, | ||
| AGENT_TYPE | AgentType, | ||
| PFUNC_AgentCallbackHypercall | HypercallCallback, | ||
| PFUNC_AgentCallbackCompletion | CompletionCallback, | ||
| const char * | Name, | ||
| BYTE * | ContentAddress, | ||
| DWORD | ContentSize | ||
| ) |
Schedule an thread-agent injection inside the guest.
A thread-agent is a bootstrap that creates a kthread and allocate a zone of memory; the provided content is copied to the allocated memory zone and the kthread will execute the deployed content.
This function schedule the injection of an thread-agent identified by the LIX_AGENT_TAG inside the guest space.
| [in] | Tag | The internal LIX_AGENT_TAG of the agent. |
| [in] | TagEx | The tag provided by the integrator. |
| [in] | AgentType | The type of the injected agent (AGENT_TYPE). |
| [in] | HypercallCallback | This callback can be called during the agent execution. |
| [in] | CompletionCallback | This callback is called when the agent has finished execution. |
| [in] | Name | The agent name. |
| [in] | ContentAddress | Pointer to a memory area containing the actual agent. |
| [in] | ContentSize | The size of the agent, in bytes. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_INITIALIZED | If the agent state is not initialized; if is not safe to inject the agent; if the bootstrap agent data/code is not deployed yet. |
| INT_STATUS_ALREADY_INITIALIZED | If an agent with the same name is already running. |
| INT_STATUS_INSUFFICIENT_RESOURCES | If the memory alloc fails. |
Definition at line 954 of file lixagent.c.
Referenced by IntLixDepInjectFile(), IntLixDepInjectProcess(), and IntLixDepRunCommand().
| INTSTATUS IntLixAgentUninit | ( | void | ) |
Uninit the agents state.
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_INITIALIZED_HINT | If the agents state has not been initialized yet. |
Definition at line 1997 of file lixagent.c.
Referenced by IntLixGuestUninit().
1.8.13