Bitdefender Hypervisor Memory Introspection
#include "lixapi.h"
#include "decoder.h"
#include "drivers.h"
#include "lixcrash.h"
#include "lixcred.h"
#include "lixmm.h"
#include "guests.h"
#include "crc32.h"
#include "lixksym.h"
Macros
#define | __init_detour_entry(fn_name, callback, flags) |
Create a new LIX_FN_DETOUR entry.
#define | __init_detour_entry_regex(fn_name, regex, callback, flags) |
Create a new LIX_FN_DETOUR entry that appends the provided 'regex' to the end of the 'FunctionName'.
#define | __init_detour_entry_hijack(fn_name, hijack_fn_name, callback, flags) |
Create a new LIX_FN_DETOUR entry that is used for middle-function detours.
Functions
static INTSTATUS | IntLixApiHijackHook (const LIX_FN_DETOUR *FnDetour, QWORD *Address) |
Fetch the address of the hijack function name provided by the LIX_FN_DETOUR.
static INTSTATUS | IntLixApiHook (const LIX_FN_DETOUR *FnDetour, BOOLEAN *MustValidateThreads) |
Will hook one function as described by the FnDetour.
static BOOLEAN | IntLixApiCmpFunctionNameWithHash (const char *Name, DWORD NameHash) |
Check if the crc32 of the Name is equal to the provided NameHash.
INTSTATUS | IntLixApiHookAll (void) |
Iterates through all APIs that can be hooked and sets requested hooks.
void | IntLixApiUpdateHooks (void) |
Update the hookable APIs according to the current Introcore options.
Variables
const LIX_FN_DETOUR | gLixHookHandlersx64 [] |
An array of the LIX_FN_DETOUR that contains all detours used by the introspection engine.
#define __init_detour_entry(fn_name, callback, flags)
Create a new LIX_FN_DETOUR entry.
The 'FunctionName', 'Callback' and 'EnableFlags' are provided by the caller and the ID of the detour-entry is generated.
#define __init_detour_entry_hijack(fn_name, hijack_fn_name, callback, flags)
Create a new LIX_FN_DETOUR entry that is used for middle-function detours.
The 'FunctionName', 'Callback', 'EnableFlags' and 'HijackFunctionName' are provided by the caller and the ID of the detour-entry is generated.
#define __init_detour_entry_regex(fn_name, regex, callback, flags)
Create a new LIX_FN_DETOUR entry that appends the provided 'regex' to the end of the 'FunctionName'.
The 'FunctionName', 'Callback', 'EnableFlags' and 'Regex' are provided by the caller and the ID of the detour-entry is generated.
static BOOLEAN IntLixApiCmpFunctionNameWithHash(const char *Name, DWORD NameHash)
Check if the crc32 of the Name is equal to the provided NameHash.
[in] | Name | A string that contains the name of the function. |
[in] | NameHash | The crc32 that is compared with the crc32 of the Name. |
True | if the NameHash is equal to the crc32 of the Name. |
Definition at line 239 of file lixapi.c.
Referenced by IntLixApiHookAll().
static INTSTATUS IntLixApiHijackHook(const LIX_FN_DETOUR *FnDetour, QWORD *Address)
Fetch the address of the hijack function name provided by the LIX_FN_DETOUR.
This function fetches the address of LIX_FN_DETOUR.FunctionName and parses the function. For each instruction, it looks for the 'CALL rel addr' pattern; if the pattern matches, the relative address is compared with the relative address of LIX_FN_DETOUR.HijackFunctionName.
[in] | FnDetour | The internal structure of the detour entry. |
[out] | Address | On success, contains the address of the hijack function. |
INT_STATUS_SUCCESS | On success. |
INT_STATUS_NOT_FOUND | If the provided hijack function name is not found. |
Definition at line 107 of file lixapi.c.
Referenced by IntLixApiHook().
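The walk described for IntLixApiHijackHook, as an added example that is not Introcore's own code: it decodes a constructed function instruction by instruction and resolves each CALL rel32 target, so an 0xE8 byte inside an immediate is not mistaken for a call. The names `insn_len`, `find_hijack_call`, `sample_fn` and `SAMPLE_GVA` are hypothetical, the tiny length decoder stands in for a full x86-64 decoder, and returning the address of the matching CALL is an assumption.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define SAMPLE_GVA 0xffffffff81000000ULL  /* constructed function address */

/* Constructed function body (not taken from a real kernel). */
static const uint8_t sample_fn[] = {
    0x55, 0x48, 0x89, 0xE5,        /* +0  push rbp; +1 mov rbp, rsp   */
    0xB8, 0xE8, 0x00, 0x00, 0x00,  /* +4  mov  eax, 0xE8 (E8 is data) */
    0xE8, 0x00, 0x01, 0x00, 0x00,  /* +9  call SAMPLE_GVA + 0x10E     */
    0xE8, 0xC0, 0xFF, 0xFF, 0xFF,  /* +14 call SAMPLE_GVA - 0x2D      */
    0xC3                           /* +19 ret                         */
};

/* Hypothetical length decoder: knows only the opcodes above, returns 0 otherwise. */
static size_t insn_len(const uint8_t *p, size_t left)
{
    size_t len = 0;
    switch (p[0]) {
    case 0x55: case 0xC3: len = 1; break;
    case 0x48: len = (left >= 3 && p[1] == 0x89 && (p[2] >> 6) == 3) ? 3 : 0; break;
    case 0xB8: case 0xE8: len = 5; break;
    }
    return len <= left ? len : 0;   /* 0 also covers a truncated instruction */
}

/* Returns 0 and stores the matching CALL's address in *call_gva, else -1. */
static int find_hijack_call(const uint8_t *code, size_t size, uint64_t fn_gva,
                            uint64_t hijack_gva, uint64_t *call_gva)
{
    for (size_t off = 0, len; off < size; off += len) {
        if ((len = insn_len(code + off, size - off)) == 0) return -1;
        if (code[off] != 0xE8)
            continue;
        int32_t rel;                          /* rel32; little-endian host assumed */
        memcpy(&rel, code + off + 1, sizeof(rel));
        /* target = address of the next instruction + sign-extended rel32 */
        if (fn_gva + off + len + (uint64_t)(int64_t)rel == hijack_gva) {
            *call_gva = fn_gva + off;
            return 0;
        }
    }
    return -1;
}

int main(void)
{
    uint64_t at = 0;
    return find_hijack_call(sample_fn, sizeof(sample_fn), SAMPLE_GVA, SAMPLE_GVA - 0x2D, &at);
}
```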
static INTSTATUS IntLixApiHook(const LIX_FN_DETOUR *FnDetour, BOOLEAN *MustValidateThreads)
Will hook one function as described by the FnDetour.
If the provided LIX_FN_DETOUR describes a middle-function detour, IntLixApiHijackHook is called to fetch the address of the function; otherwise IntKsymFindByName is called. The address found is passed to IntDetSetLixHook to hook it.
[in] | FnDetour | The internal structure of the detour entry. |
[out] | MustValidateThreads | On success, contains true if the thread-safeness mechanism must validate the running threads; otherwise false. |
INT_STATUS_SUCCESS | On success. |
INT_STATUS_NOT_FOUND | If the provided LIX_FN_DETOUR is not found. |
Definition at line 177 of file lixapi.c.
Referenced by IntLixApiHookAll().
INTSTATUS IntLixApiHookAll(void)
Iterates through all APIs that can be hooked and sets requested hooks.
The function name of a LIX_FN_DETOUR may be duplicated, but each such entry has a different 'HijackFunctionName'. The 'HookHandler' field of the LIX_FUNCTION structure describes the index of the LIX_FN_DETOUR that must be hooked.
INT_STATUS_SUCCESS | On success. |
INT_STATUS_NOT_FOUND | If the provided LIX_FN_DETOUR is not found. |
Definition at line 257 of file lixapi.c.
Referenced by IntLixGuestInitAgentCompletion().
void IntLixApiUpdateHooks(void)
Update the hookable APIs according to the current Introcore options.
This function writes the 'ProtectionOptions' field of the LIX_HYPERCALL_PAGE.
Definition at line 341 of file lixapi.c.
Referenced by IntGuestUpdateCoreOptions().
const LIX_FN_DETOUR gLixHookHandlersx64[]
An array of the LIX_FN_DETOUR that contains all detours used by the introspection engine.
An array that contains the descriptors of the functions that will be hooked (see lixapi.c for more information).
Definition at line 69 of file lixapi.c.
Referenced by IntDetCallCallback().