Bitdefender Hypervisor Memory Introspection
lixcred.h File Reference
#include "introtypes.h"


Data Structures

struct  _LIX_CREDS
 Describes one set of credentials. More...
 

Typedefs

typedef struct _LIX_CREDS LIX_CREDS
 Describes one set of credentials. More...
 
typedef struct _LIX_TASK_OBJECT LIX_TASK_OBJECT
 

Functions

INTSTATUS IntLixCredAdd (QWORD CredsGva, LIX_CREDS **Creds)
 Adds a cred structure to the integrity-protected credentials list. More...
 
void IntLixCredRemove (LIX_CREDS **Creds)
 Removes the integrity protection for the credentials set that belong to a process. More...
 
void IntLixCredsVerify (LIX_TASK_OBJECT *Task)
 Verifies whether the credentials of a process have been altered or not. More...
 
INTSTATUS IntLixCommitCredsHandle (void *Detour)
 Detour handler for "commit_creds" function. More...
 

Typedef Documentation

◆ LIX_CREDS

typedef struct _LIX_CREDS LIX_CREDS

Describes one set of credentials.

◆ LIX_TASK_OBJECT

Definition at line 21 of file lixcred.h.

Function Documentation

◆ IntLixCommitCredsHandle()

INTSTATUS IntLixCommitCredsHandle ( void *  Detour)

Detour handler for "commit_creds" function.

Because a process is able to change its credentials (by calling setuid(), setgid(), etc.) we have to keep track of these changes. The kernel is nice and creates a new "cred" structure for any change, then calls "commit_creds" to install the new credentials set on the current task. However, this new credentials set is based on the previous one, which may already have been altered. So, in order to avoid registering an altered credentials set as a clean one, we make one last integrity check on the current set.

This function also checks whether the syscall that triggered this change was issued from a known user mode library. Otherwise, a feedback-only alert will be sent.

Parameters
    [in] Detour  Unused.
Returns
    INT_STATUS_SUCCESS on success.

Definition at line 694 of file lixcred.c.

◆ IntLixCredAdd()

INTSTATUS IntLixCredAdd ( QWORD  CredsGva,
LIX_CREDS **  Creds 
)

Adds a cred structure to the integrity-protected credentials list.

Parameters
    [in]  CredsGva  The guest virtual address of the cred structure.
    [out] Creds     Will contain, upon success, the reference to the LIX_CREDS structure.
Returns
    INT_STATUS_SUCCESS                On success.
    INT_STATUS_NOT_NEEDED_HINT        If tokens protection is not activated.
    INT_STATUS_INVALID_PARAMETER_1    If the given creds GVA is not a kernel pointer.
    INT_STATUS_INVALID_PARAMETER_2    If the Creds parameter does not point to a valid memory region.
    INT_STATUS_INSUFFICIENT_RESOURCES If there was not enough memory available.

Definition at line 365 of file lixcred.c.

Referenced by IntLixCommitCredsHandle(), IntLixTaskCreate(), and IntLixTaskCreateFromBinprm().

◆ IntLixCredRemove()

void IntLixCredRemove ( LIX_CREDS **  Creds)

Removes the integrity protection for the credentials set that belongs to a process.

This function decrements the credentials refcount and completely removes the set when the refcount reaches 0.

Parameters
    [in] Creds  The credentials to be unprotected.

Definition at line 441 of file lixcred.c.

Referenced by IntLixCommitCredsHandle(), IntLixTaskDestroy(), and IntLixTaskRemoveEntry().

◆ IntLixCredsVerify()

void IntLixCredsVerify ( LIX_TASK_OBJECT *  Task)

Verifies whether the credentials of a process have been altered or not.

Parameters
    [in] Task  The Linux process.

Definition at line 534 of file lixcred.c.

Referenced by IntLixCommitCredsHandle(), IntLixTaskAdd(), IntLixTaskDestroy(), and IntLixTaskHandleExec().
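The four functions above describe one mechanism: a refcounted list of protected cred sets, a verify step that compares the live guest structure against the snapshot taken at registration, and a commit_creds detour that re-checks the old set before trusting the new one derived from it. The following is an added example that models that mechanism in plain C; it is not code from the HVMI project. Every name in it (guest_cred, cred_entry, cred_add, cred_remove, cred_verify, commit_creds_handler, the guest_mem array standing in for guest memory, FAKE_KERNEL_BASE) is an assumption made for the illustration, and the hash snapshot is one possible integrity check, not necessarily the one the real IntLixCredsVerify uses.

```c
/* Added example, not HVMI project code. Models an integrity-protected
 * credential list with refcounting, verification and a commit_creds hook.
 * All names and the in-process "guest memory" are assumptions. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the guest's struct cred: the fields whose
 * silent modification would amount to a privilege escalation. */
typedef struct {
    uint32_t uid, gid, euid, egid;
} guest_cred;

#define GUEST_SLOTS 8
static guest_cred guest_mem[GUEST_SLOTS];            /* fake guest memory */
static const uint64_t FAKE_KERNEL_BASE = 0xffff888000000000ULL;

/* Translate a fake guest virtual address into our array; NULL if the
 * address is not a kernel pointer or falls outside the mapped slots. */
static guest_cred *read_guest(uint64_t gva) {
    if (gva < FAKE_KERNEL_BASE) return NULL;
    uint64_t slot = (gva - FAKE_KERNEL_BASE) / sizeof(guest_cred);
    return slot < GUEST_SLOTS ? &guest_mem[slot] : NULL;
}

/* FNV-1a over the raw cred bytes: the "known good" snapshot. */
static uint64_t cred_hash(const guest_cred *c) {
    uint64_t h = 0xcbf29ce484222325ULL;
    const unsigned char *p = (const unsigned char *)c;
    for (size_t i = 0; i < sizeof *c; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

typedef struct cred_entry {
    uint64_t gva;            /* guest address of the protected struct cred */
    uint64_t hash;           /* snapshot taken when it was registered */
    unsigned refcount;       /* number of tasks sharing this cred set */
    struct cred_entry *next;
} cred_entry;

static cred_entry *protected_list;

/* Analogue of IntLixCredAdd: register a cred set, sharing the existing
 * entry (refcount++) when the same GVA is already protected.
 * Returns 0 on success, -1 for a non-kernel pointer, -2 for a NULL
 * out-parameter, -3 when no memory is available. */
int cred_add(uint64_t gva, cred_entry **out) {
    if (!out) return -2;
    const guest_cred *c = read_guest(gva);
    if (!c) return -1;
    for (cred_entry *e = protected_list; e; e = e->next)
        if (e->gva == gva) { e->refcount++; *out = e; return 0; }
    cred_entry *e = calloc(1, sizeof *e);
    if (!e) return -3;
    e->gva = gva; e->hash = cred_hash(c); e->refcount = 1;
    e->next = protected_list; protected_list = e;
    *out = e;
    return 0;
}

/* Analogue of IntLixCredRemove: drop one reference, unlink and free the
 * entry when the refcount reaches zero, and clear the caller's pointer. */
void cred_remove(cred_entry **ref) {
    if (!ref || !*ref) return;
    cred_entry *e = *ref;
    *ref = NULL;
    if (--e->refcount) return;
    for (cred_entry **pp = &protected_list; *pp; pp = &(*pp)->next)
        if (*pp == e) { *pp = e->next; break; }
    free(e);
}

/* Analogue of IntLixCredsVerify: 1 if the live bytes still match the
 * registered snapshot, 0 if they were altered behind the kernel's back. */
int cred_verify(const cred_entry *e) {
    const guest_cred *c = read_guest(e->gva);
    return c && cred_hash(c) == e->hash;
}

/* Analogue of the commit_creds detour: because the new cred set is derived
 * from the old one, re-verify the old set before trusting the new one.
 * Returns 1 when the old set was clean, 0 when tampering was detected;
 * either way *task_cred afterwards references the newly committed set. */
int commit_creds_handler(cred_entry **task_cred, uint64_t new_gva) {
    int clean = *task_cred ? cred_verify(*task_cred) : 1;
    cred_remove(task_cred);
    cred_entry *n = NULL;
    if (cred_add(new_gva, &n) == 0) *task_cred = n;
    return clean;
}
```

The design point to notice is the ordering in commit_creds_handler: the old set is verified before it is dereferenced for the last time and before the new set is snapshotted, so an in-place uid edit made between two legitimate commit_creds calls is caught instead of being laundered into a "clean" baseline.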