Bitdefender Hypervisor Memory Introspection
lixfiles.c File Reference
#include "lixfiles.h"
#include "guests.h"


Data Structures

struct  _DENTRY_PATH
 Describes an entry from dentry-cache. More...
 
struct  _DENTRY_STRING
 Describes a path that will be cached. More...
 

Macros

#define for_each_dentry(_var_name)   list_for_each(gLixDentryCache, DENTRY_PATH, _var_name)
 

Typedefs

typedef struct _DENTRY_PATH DENTRY_PATH
 Describes an entry from dentry-cache. More...
 
typedef struct _DENTRY_PATH * PDENTRY_PATH
 
typedef struct _DENTRY_STRING DENTRY_STRING
 Describes a path that will be cached. More...
 
typedef struct _DENTRY_STRING * PDENTRY_STRING
 

Functions

static BOOLEAN IntLixFileCachePathIsValid (char *Path)
 Verify if the provided path starts with at least one entry from gLixDentryCacheStrings. More...
 
void IntLixFilesCacheUninit (void)
 Removes and frees the entries of the dentry-cache. More...
 
CHAR * IntLixFileCacheCreateDentryPath (char *Path, DWORD Length, QWORD DentryGva)
 Creates a new cache entry and returns the path string from the newly created entry. More...
 
DENTRY_PATH * IntLixFileCacheFindDentry (QWORD DentryGva)
 Search for an entry that has the provided DentryGva in the gLixDentryCache array. More...
 
INTSTATUS IntLixFileGetDentry (QWORD File, QWORD *Dentry)
 Reads the value of the dentry field of the 'struct file'. More...
 
INTSTATUS IntLixDentryGetName (QWORD Dentry, char **FileName, DWORD *NameLength)
 Gets the file-name that corresponds to the provided Dentry (guest virtual address). More...
 
static INTSTATUS IntLixFileReadDentry (QWORD DentryGva, char *Name, DWORD *Length)
 Reads the name and the length from 'struct dentry'. More...
 
INTSTATUS IntLixFileGetPath (QWORD FileStructGva, char **Path, DWORD *Length)
 Gets the path that corresponds to the provided FileStructGva (guest virtual address of the 'struct file'). More...
 
INTSTATUS IntLixGetFileName (QWORD FileStruct, char **FileName, DWORD *NameLength, QWORD *DentryGva)
 Gets the file-name that corresponds to the provided FileStruct (guest virtual address). More...
 

Variables

static DENTRY_STRING gLixDentryCacheStrings []
 An array that contains the paths that will be cached. More...
 
static LIST_HEAD gLixDentryCache = LIST_HEAD_INIT(gLixDentryCache)
 A list that contains the cached entries. More...
 
static char gLixPath [PAGE_SIZE] = { 0 }
 

Macro Definition Documentation

◆ for_each_dentry

#define for_each_dentry (   _var_name)    list_for_each(gLixDentryCache, DENTRY_PATH, _var_name)

Typedef Documentation

◆ DENTRY_PATH

typedef struct _DENTRY_PATH DENTRY_PATH

Describes an entry from dentry-cache.

◆ DENTRY_STRING

typedef struct _DENTRY_STRING DENTRY_STRING

Describes a path that will be cached.

◆ PDENTRY_PATH

typedef struct _DENTRY_PATH * PDENTRY_PATH

◆ PDENTRY_STRING

typedef struct _DENTRY_STRING * PDENTRY_STRING

Function Documentation

◆ IntLixDentryGetName()

INTSTATUS IntLixDentryGetName ( QWORD  Dentry,
char **  FileName,
DWORD *  NameLength 
)

Gets the file-name that corresponds to the provided Dentry (guest virtual address).

NOTE: The caller must free the file-name.

Parameters
[in] Dentry: The guest virtual address of the 'struct dentry'.
[in] FileName: On success, contains a pointer to the file-name.
[in] NameLength: On success, the length of the file-name.
Return values
INT_STATUS_SUCCESS: On success.
INT_STATUS_INSUFFICIENT_RESOURCES: If the alloc fails.
INT_STATUS_INVALID_DATA_SIZE: If the length of the file-name is invalid.
INT_STATUS_INVALID_PARAMETER_1: If the pointer to the 'struct dentry' is not a kernel pointer.
INT_STATUS_INVALID_PARAMETER_2: If the pointer to the file-name parameter is invalid.

Definition at line 227 of file lixfiles.c.

Referenced by IntLixGetFileName().

◆ IntLixFileCacheCreateDentryPath()

CHAR* IntLixFileCacheCreateDentryPath ( char *  Path,
DWORD  Length,
QWORD  DentryGva 
)

Creates a new cache entry and returns the path string from the newly created entry.

If we already have a dentry that contains the provided path, we just update it with the new DentryGva.

Parameters
[in] Path: The path that will be cached.
[in] Length: The length of the path.
[in] DentryGva: The guest virtual address of the 'struct dentry' that contains the provided path.
Return values
On success, returns the path string from the newly created cache-entry; otherwise returns NULL.

Definition at line 108 of file lixfiles.c.

Referenced by IntLixFileGetPath().

◆ IntLixFileCacheFindDentry()

DENTRY_PATH* IntLixFileCacheFindDentry ( QWORD  DentryGva)

Search for an entry that has the provided DentryGva in the gLixDentryCache array.

Parameters
[in] DentryGva: The guest virtual address of the 'struct dentry'.
Return values
On success, returns the path for the provided DentryGva; otherwise returns NULL.

Definition at line 171 of file lixfiles.c.

Referenced by IntLixFileGetPath().

◆ IntLixFileCachePathIsValid()

static BOOLEAN IntLixFileCachePathIsValid ( char *  Path)
static

Verify if the provided path starts with at least one entry from gLixDentryCacheStrings.

Parameters
[in] Path: The path to be verified.
Return values
True if the provided Path starts with at least one entry from gLixDentryCacheStrings, otherwise false.

Definition at line 61 of file lixfiles.c.

Referenced by IntLixFileGetPath().

◆ IntLixFileGetDentry()

INTSTATUS IntLixFileGetDentry ( QWORD  File,
QWORD *  Dentry 
)

Reads the value of the dentry field of the 'struct file'.

Parameters
[in] File: The guest virtual address of the 'struct file'.
[in] Dentry: The guest virtual address of the 'struct dentry'.
Return values
INT_STATUS_SUCCESS: On success.
INT_STATUS_NOT_SUPPORTED: If the guest virtual address of the 'struct dentry' is not a kernel pointer.

Definition at line 195 of file lixfiles.c.

Referenced by IntLixFileGetPath(), IntLixGetFileName(), IntLixTaskCreate(), IntLixTaskGetPath(), and IntLixTaskPathGetByFile().

◆ IntLixFileGetPath()

INTSTATUS IntLixFileGetPath ( QWORD  FileStructGva,
char **  Path,
DWORD *  Length 
)

Gets the path that corresponds to the provided FileStructGva (guest virtual address of the 'struct file').

On each iteration the parent of the current dentry is fetched; the loop ends when dentry.parent equals the current dentry's guest virtual address (a dentry that is its own parent is the root) or when dentry.parent is not a valid kernel guest virtual address.

Parameters
[in] FileStructGva: The guest virtual address of the 'struct file'.
[out] Path: On success, contains a pointer to the path of the file.
[out] Length: On success, the length of the path.
Return values
INT_STATUS_SUCCESS: On success.
INT_STATUS_INVALID_PARAMETER_1: If the pointer to the 'struct dentry' is not a kernel pointer.
INT_STATUS_INVALID_PARAMETER_2: If the pointer to the Path parameter is invalid.
INT_STATUS_NOT_SUPPORTED: If the guest virtual address of the 'struct dentry' is not a kernel pointer.

Definition at line 352 of file lixfiles.c.

Referenced by IntLixCredAnalyzeStack(), IntLixTaskPathGetByDentry(), and IntSerializeLixVma().

◆ IntLixFileReadDentry()

static INTSTATUS IntLixFileReadDentry ( QWORD  DentryGva,
char *  Name,
DWORD *  Length 
)
static

Reads the name and the length from 'struct dentry'.

Parameters
[in] DentryGva: The guest virtual address of the 'struct dentry'.
[in] Name: On success, contains the content of the dentry.d_name.
[in] Length: On success, the length of the dentry.d_name.
Return values
INT_STATUS_SUCCESS: On success.
INT_STATUS_INVALID_DATA_SIZE: If the length of the file-name is invalid.

Definition at line 303 of file lixfiles.c.

Referenced by IntLixFileGetPath().

◆ IntLixFilesCacheUninit()

void IntLixFilesCacheUninit ( void  )

Removes and frees the entries of the dentry-cache.

Definition at line 86 of file lixfiles.c.

Referenced by IntLixGuestUninit().

◆ IntLixGetFileName()

INTSTATUS IntLixGetFileName ( QWORD  FileStruct,
char **  FileName,
DWORD *  NameLength,
QWORD *  DentryGva 
)

Gets the file-name that corresponds to the provided FileStruct (guest virtual address).

Parameters
[in] FileStruct: The guest virtual address of the 'struct file'.
[in] FileName: On success, contains a pointer to the file-name.
[in] NameLength: The length of the file-name.
[in] DentryGva: The guest virtual address of the 'struct dentry'.
Return values
INT_STATUS_SUCCESS: On success.
INT_STATUS_INVALID_PARAMETER_1: If the pointer to the 'struct file' is not a kernel pointer.
INT_STATUS_INVALID_PARAMETER_2: If the pointer to the file-name parameter is invalid.

Definition at line 565 of file lixfiles.c.

Referenced by IntLixMmListVmasInternal(), and IntLixStackDumpUmStackTrace().

Variable Documentation

◆ gLixDentryCache

LIST_HEAD gLixDentryCache = LIST_HEAD_INIT(gLixDentryCache)
static

A list that contains the cached entries.

Definition at line 52 of file lixfiles.c.

◆ gLixDentryCacheStrings

DENTRY_STRING gLixDentryCacheStrings[]
static
Initial value:
=
{
{ .String = "/lib/x86_64-linux-gnu/", .Length = CSTRLEN("/lib/x86_64-linux-gnu/") },
{ .String = "/usr/lib/", .Length = CSTRLEN("/usr/lib/") },
{ .String = "/usr/bin/", .Length = CSTRLEN("/usr/bin/") },
{ .String = "/usr/", .Length = CSTRLEN("/usr/") },
{ .String = "/bin/", .Length = CSTRLEN("/bin/") },
{ .String = "/sbin/", .Length = CSTRLEN("/sbin/") },
{ .String = "/lib/", .Length = CSTRLEN("/lib/") },
}
#define CSTRLEN(String)
Definition: introdefs.h:105

An array that contains the paths that will be cached.

NOTE: Add paths in descending order by length.

Definition at line 38 of file lixfiles.c.

◆ gLixPath

char gLixPath[PAGE_SIZE] = { 0 }
static

Definition at line 54 of file lixfiles.c.

Referenced by IntLixFileCacheCreateDentryPath(), and IntLixFileGetPath().