- Generated by
1.8.13
|
Bitdefender Hypervisor Memory Introspection
|
#include "detours.h"Go to the source code of this file.
Data Structures | |
| struct | _LIX_PROTECTED_PROCESS |
| Encapsulates a protected Linux process. More... | |
| struct | _LIX_FUNCTION |
| Describes a Linux function used by the detour mechanism. More... | |
| struct | _LIX_OPAQUE_FIELDS |
| Contains information about various Linux structures. More... | |
| struct | _LIX_SYMBOL |
| Describes a Linux ksym. More... | |
| struct | _LIX_ACTIVE_PATCH |
| Describes the information about a Linux active-patch. More... | |
| struct | _LINUX_GUEST |
| Describes a Linux guest. More... | |
Macros | |
| #define | IS_KERNEL_POINTER_LIX(p) (((p) >= 0xFFFF800000000000) && ((p) < 0xffffffffffe00000)) |
| #define | LIX_MAX_HOOKED_FN_COUNT 512 |
| #define | LIX_MAX_VERSION_STRINGS 3 |
| #define | MAX_VERSION_LENGTH 256 |
| #define | LIX_FIELD(Structure, Field) gLixGuest->OsSpecificFields.OpaqueFields.Structure[lixField##Structure##Field] |
| Macro used to access fields inside the LIX_OPAQUE_FIELDS structure. More... | |
| #define | LIX_SYMBOL_NAME_LEN 128 |
| The max length of the ksym as defined by Linux kernel. More... | |
| #define | LIX_GET_VERSION(Version) ((Version) >> 24) |
| Version.Patch.Sublevel (ie. 3.10.0 or 2.6.394). Don't change the order, since it will fail when comparing versions. More... | |
| #define | LIX_GET_PATCH(Version) (((Version) & 0x00ff0000) >> 16) |
| #define | LIX_GET_SUBLEVEL(Version) (((Version) & 0x0000ffff)) |
| #define | LIX_CREATE_VERSION(K, Patch, Sublevel) ((Sublevel) | ((Patch) << 16) | ((K) << 24)) |
Typedefs | |
| typedef struct _LIX_PROTECTED_PROCESS | LIX_PROTECTED_PROCESS |
| Encapsulates a protected Linux process. More... | |
| typedef struct _LIX_PROTECTED_PROCESS * | PLIX_PROTECTED_PROCESS |
| typedef struct _LIX_FUNCTION | LIX_FUNCTION |
| Describes a Linux function used by the detour mechanism. More... | |
| typedef enum LIX_STRUCTURE | LIX_STRUCTURE |
| Structure tags used for the Linux structures. More... | |
| typedef enum _LIX_FIELD_INFO | LIX_FIELD_INFO |
| Describes information about a Linux guest. More... | |
| typedef enum _LIX_FIELD_MODULE | LIX_FIELD_MODULE |
| The index for offsets of 'struct module'. More... | |
| typedef enum _LIX_FIELD_BINPRM | LIX_FIELD_BINPRM |
| The index for offsets of 'struct linux_binprm'. More... | |
| typedef enum _LIX_FIELD_VMA | LIX_FIELD_VMA |
| The index for offsets of 'struct vm_area_struct'. More... | |
| typedef enum _LIX_FIELD_DENTRY | LIX_FIELD_DENTRY |
| The index for offsets of 'struct dentry'. More... | |
| typedef enum _LIX_FIELD_MMSTRUCT | LIX_FIELD_MMSTRUCT |
| The index for offsets of 'struct mm_struct'. More... | |
| typedef enum _LIX_FIELD_TASKSTRUCT | LIX_FIELD_TASKSTRUCT |
| The index for offsets of 'struct task-struct'. More... | |
| typedef enum _LIX_FIELD_FS | LIX_FIELD_FS |
| The index for offsets of 'struct fs_struct'. More... | |
| typedef enum _LIX_FIELD_FDTABLE | LIX_FIELD_FDTABLE |
| The index for offsets of 'struct fdtable'. More... | |
| typedef enum _LIX_FIELD_FILES | LIX_FIELD_FILES |
| The index for offsets of 'struct files_struct'. More... | |
| typedef enum _LIX_FIELD_INODE | LIX_FIELD_INODE |
| The index for offsets of 'struct inode'. More... | |
| typedef enum _LIX_FIELD_SOCKET | LIX_FIELD_SOCKET |
| The index for offsets of 'struct socket'. More... | |
| typedef enum _LIX_FIELD_SOCK | LIX_FIELD_SOCK |
| The index for offsets of 'struct sock'. More... | |
| typedef enum _LIX_FIELD_CRED | LIX_FIELD_CRED |
| The index for offsets of 'struct cred'. More... | |
| typedef enum _LIX_FIELD_NSPROXY | LIX_FIELD_NSPROXY |
| The index for offsets of 'struct nsproxy'. More... | |
| typedef enum _LIX_FIELD_UNGROUPED | LIX_FIELD_UNGROUPED |
| The index for offsets of structures that are not grouped. More... | |
| typedef struct _LIX_OPAQUE_FIELDS | LIX_OPAQUE_FIELDS |
| Contains information about various Linux structures. More... | |
| typedef struct _LIX_OPAQUE_FIELDS * | PLIX_OPAQUE_FIELDS |
| typedef struct _LIX_SYMBOL | LIX_SYMBOL |
| Describes a Linux ksym. More... | |
| typedef struct _LIX_SYMBOL * | PLIX_SYMBOL |
| typedef enum _LIX_ACTIVE_PATCH_TYPE | LIX_ACTIVE_PATCH_TYPE |
| Describes the type of an Linux active-patch. More... | |
| typedef struct _LIX_ACTIVE_PATCH | LIX_ACTIVE_PATCH |
| Describes the information about a Linux active-patch. More... | |
| typedef struct _LINUX_GUEST | LINUX_GUEST |
| Describes a Linux guest. More... | |
| typedef struct _LINUX_GUEST * | PLINUX_GUEST |
Functions | |
| INTSTATUS | IntLixTextPokeHandler (void *Detour) |
| Handles the incoming 'text_poke' patches from the guest. More... | |
| INTSTATUS | IntLixFtraceHandler (void *Detour) |
| Handles the incoming 'text_poke' patches from the guest. More... | |
| INTSTATUS | IntLixJumpLabelHandler (void *Detour) |
| Handles the incoming read (arch_jmp_label_transform) from the guest. More... | |
| INTSTATUS | IntLixGuestIsKptiActive (QWORD SyscallGva) |
| Checks if the Linux guest has the KPTI active. More... | |
| INTSTATUS | IntLixGuestNew (void) |
| Starts the initialization and enable protection for a new Linux guest. More... | |
| void | IntLixGuestUninit (void) |
| Uninitialize the Linux guest. More... | |
| int | IntLixGuestGetSystemState (void) |
| Get the system state of the Linux guest. More... | |
| void | IntLixGuestUninitGuestCode (void) |
| Removes the EPT hooks from detours/agents memory zone and clears these memory zones. More... | |
| BOOLEAN | IntLixGuestDeployUninitAgent (void) |
| Inject the 'uninit' agent to free the previously allocated memory for detours/agents. More... | |
| INTSTATUS | IntGetVersionStringLinux (DWORD FullStringSize, DWORD VersionStringSize, CHAR *FullString, CHAR *VersionString) |
| Gets the version string for a Linux guest. More... | |
Variables | |
| const LIX_FN_DETOUR | gLixHookHandlersx64 [] |
| An array that contains the descriptors about the function that will be hooked (see lixapi.c for more information). More... | |
| #define IS_KERNEL_POINTER_LIX | ( | p | ) | (((p) >= 0xFFFF800000000000) && ((p) < 0xffffffffffe00000)) |
Definition at line 11 of file lixguest.h.
Referenced by _IntLixTaskRead(), IntAlertFillCodeBlocks(), IntDecEmulateRead(), IntExceptGetVictimEpt(), IntIntegrityAddRegion(), IntKsymInitAbsolute(), IntLixCrashFetchDmesgSymbol(), IntLixCredAdd(), IntLixDentryGetName(), IntLixDumpStacktrace(), IntLixFileGetDentry(), IntLixFileGetPath(), IntLixFsrInitMap(), IntLixGetFileName(), IntLixGetInitTask(), IntLixGuestFindKernel(), IntLixGuestFindProperSyscall(), IntLixGuestIsKptiActive(), IntLixMmFindVmaInLinkedList(), IntLixMmFindVmaRange(), IntLixMmGetInitMm(), IntLixMmListVmasInternal(), IntLixMmPopulateVmasInternal(), IntLixNetGetConnectionFromSocket(), IntLixNetIterateTaskConnections(), IntLixStackTraceGet(), IntLixTaskAdd(), IntLixTaskCreate(), IntLixTaskCreateFromBinprm(), IntLixTaskFetchMm(), IntLixTaskGetCurrentTaskStruct(), IntLixTaskIsUserStackPivoted(), IntLixTaskIterateGuestTasks(), IntLixTaskIterateThreadGroup(), IntLixTaskIterateThreadNode(), IntLixUnpatchSwapgs(), IntLixVdsoHandleWriteCommon(), IntReadString(), IntSerializeCodeBlocksGetExtractLevel(), IntThrSafeInspectRunningThreads(), IntThrSafeIsStackPtrInIntro(), IntThrSafeLixInspectRunningThreadOnCpu(), IntThrSafeLixInspectWaitingThread(), and IntThrSafeMoveReturn().
| #define LIX_CREATE_VERSION | ( | K, | |
| Patch, | |||
| Sublevel | |||
| ) | ((Sublevel) | ((Patch) << 16) | ((K) << 24)) |
Definition at line 596 of file lixguest.h.
Referenced by IntLixDepInjectFile(), IntLixDepInjectProcess(), IntLixDepRunCommand(), and IntLixTaskCreate().
| #define LIX_GET_PATCH | ( | Version | ) | (((Version) & 0x00ff0000) >> 16) |
Definition at line 593 of file lixguest.h.
| #define LIX_GET_SUBLEVEL | ( | Version | ) | (((Version) & 0x0000ffff)) |
Definition at line 594 of file lixguest.h.
| #define LIX_GET_VERSION | ( | Version | ) | ((Version) >> 24) |
Version.Patch.Sublevel (ie. 3.10.0 or 2.6.394). Don't change the order, since it will fail when comparing versions.
Definition at line 592 of file lixguest.h.
| #define LIX_MAX_HOOKED_FN_COUNT 512 |
Definition at line 40 of file lixguest.h.
Referenced by IntCamiLoadLinux().
| #define LIX_MAX_VERSION_STRINGS 3 |
Definition at line 41 of file lixguest.h.
| #define LIX_SYMBOL_NAME_LEN 128 |
The max length of the ksym as defined by Linux kernel.
Definition at line 585 of file lixguest.h.
Referenced by DbgFindKsym(), IntExceptKernelLogLinuxInformation(), IntExceptPrintMsrInfo(), IntKsymFindByName(), IntLixAgentError(), IntLixAgentThreadError(), IntLixDrvSendViolationEvent(), IntLixKernelHandleRead(), and IntLixPatchSwapgs().
| #define MAX_VERSION_LENGTH 256 |
Definition at line 43 of file lixguest.h.
| typedef struct _LINUX_GUEST LINUX_GUEST |
Describes a Linux guest.
| typedef struct _LIX_FUNCTION LIX_FUNCTION |
Describes a Linux function used by the detour mechanism.
| typedef struct _LIX_PROTECTED_PROCESS LIX_PROTECTED_PROCESS |
Encapsulates a protected Linux process.
| typedef struct _LINUX_GUEST * PLINUX_GUEST |
| typedef struct _LIX_PROTECTED_PROCESS * PLIX_PROTECTED_PROCESS |
| INTSTATUS IntGetVersionStringLinux | ( | DWORD | FullStringSize, |
| DWORD | VersionStringSize, | ||
| CHAR * | FullString, | ||
| CHAR * | VersionString | ||
| ) |
Gets the version string for a Linux guest.
| [in] | FullStringSize | The size of the FullString buffer. |
| [in] | VersionStringSize | The size of the VersionString buffer. |
| [out] | FullString | A NULL-terminated string containing detailed version information. |
| [out] | VersionString | A NULL-terminated string containing human-readable version information. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_DATA_BUFFER_TOO_SMALL | If the version string length exceed the provided FullStringSize length. |
| INT_STATUS_INVALID_DATA_VALUE | If the version string is invalid. |
Definition at line 2730 of file lixguest.c.
Referenced by IntGetVersionString().
| INTSTATUS IntLixFtraceHandler | ( | void * | Detour | ) |
Handles the incoming 'text_poke' patches from the guest.
| INT_STATUS_SUCCESS | On success. |
Definition at line 1481 of file lixguest.c.
| BOOLEAN IntLixGuestDeployUninitAgent | ( | void | ) |
Inject the 'uninit' agent to free the previously allocated memory for detours/agents.
The agents argument structure is completed with the addresses of the previously allocated memory. The page-attrs are also restored.
| True | if the agent is injected, otherwise false. |
Definition at line 2238 of file lixguest.c.
Referenced by IntGuestDisableIntro().
| int IntLixGuestGetSystemState | ( | void | ) |
Get the system state of the Linux guest.
This function fetches the value of the 'system_state' ksym.
| On | success, returns the system state value; otherwise returns -1. |
Definition at line 2201 of file lixguest.c.
Referenced by IntLixDrvSystemBooting(), and IntLixTaskGuestTerminating().
Checks if the Linux guest has the KPTI active.
This function decodes instructions from syscall handler address and searches for the 'MOV CR3, REG' pattern; if this pattern is not found, the KPTI is not active for this guest.
If the 'TEST [gs:displacement], immediate' pattern is not found and the 'MOV CR3, REG', the KPTI is active for this guest, otherwise the value of 'displacement' operand is saved.
NOTE: The 'displacement' operand from instruction 'TEST [gs:displacement], imm' represents the value of 'kaiser_enabled_pcp' kallsym.
If the 'MOV CR3, REG' pattern is found and if the value of [GS:displacement] (previously saved from 'TEST [GS:displacement], imm') has the KAISER_PCP_ENABLED (1 << 0), thus the KPTI is active on this guest; otherwise KPTI is not active.
| [in] | SyscallGva | The address of the syscall handler. |
| INT_STATUS_SUCCESS | On success, or an appropriate INTSTATUS error value. |
Definition at line 1032 of file lixguest.c.
Referenced by IntLixGuestNew().
| INTSTATUS IntLixGuestNew | ( | void | ) |
Starts the initialization and enable protection for a new Linux guest.
This function initializes the LINUX_GUEST structure and searches for required objects: syscall, kernel sections, ksyms, version. This function also calls the IntLixGuestAllocate in order to inject the 'init' agent.
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_SUPPORTED | If the guest doesn't have a 64 bit architecture. |
Definition at line 2561 of file lixguest.c.
Referenced by IntGuestHandleCr3Write().
| void IntLixGuestUninit | ( | void | ) |
Uninitialize the Linux guest.
This function deactivate the protection and free any resources held by the LINUX_GUEST state.
Definition at line 1674 of file lixguest.c.
Referenced by IntGuestUninit().
| void IntLixGuestUninitGuestCode | ( | void | ) |
Removes the EPT hooks from detours/agents memory zone and clears these memory zones.
Definition at line 2524 of file lixguest.c.
Referenced by IntGuestDisableIntro(), and IntLixGuestUninit().
| INTSTATUS IntLixJumpLabelHandler | ( | void * | Detour | ) |
Handles the incoming read (arch_jmp_label_transform) from the guest.
The function stores the information about the incoming read.
| [in] | Detour | The detour for which this callback is invoked. |
| INT_STATUS_SUCCESS | On success. |
Definition at line 1497 of file lixguest.c.
| INTSTATUS IntLixTextPokeHandler | ( | void * | Detour | ) |
Handles the incoming 'text_poke' patches from the guest.
| [in] | Detour | The detour for which this callback is invoked. |
| INT_STATUS_SUCCESS | On success. |
Definition at line 1463 of file lixguest.c.
| const LIX_FN_DETOUR gLixHookHandlersx64[] |
An array that contains the descriptors about the function that will be hooked (see lixapi.c for more information).
An array that contains the descriptors about the function that will be hooked (see lixapi.c for more information).
Definition at line 69 of file lixapi.c.
Referenced by IntDetCallCallback().
1.8.13