Bitdefender Hypervisor Memory Introspection
Functions | Variables
lixkernel.c File Reference
#include "lixkernel.h"
#include "decoder.h"
#include "hook.h"
#include "lixvdso.h"
#include "alerts.h"
#include "lixksym.h"

Go to the source code of this file.

Functions

static void IntLixPatchSwapgs (void)
 Finds vulnerable SWAPGS instruction inside the kernel and applies mitigations. More...
 
static void IntLixUnpatchSwapgs (void)
 Deactivates swapgs mitigations set by IntLixPatchSwapgs. More...
 
static INTSTATUS IntLixKernelHandleRead (void *Context, void *Hook, QWORD Address, INTRO_ACTION *Action)
 Handles reads performed from a Kernel module's text section. More...
 
static INTSTATUS IntLixHookKernelRead (void)
 Establishes read hooks for Kernel code. More...
 
static INTSTATUS IntLixHookKernelWrite (void)
 Establishes read and write hooks for Kernel code. More...
 
INTSTATUS IntLixKernelWriteProtect (void)
 Activates kernel protection. More...
 
INTSTATUS IntLixKernelReadProtect (void)
 Activates kernel protection. More...
 
static void IntLixUnhookKernelWrite (void)
 Removes write hooks from the kernel code section. More...
 
static void IntLixUnhookKernelRead (void)
 Removes write hooks from the kernel code section. More...
 
void IntLixKernelWriteUnprotect (void)
 Deactivates the kernel protection against write. More...
 
void IntLixKernelReadUnprotect (void)
 Deactivates the kernel protection against read. More...
 

Variables

struct {
   QWORD   LfenceRip
 The RIP where the lfence instruction was injected. More...
 
   BYTE   OriginalBytes [3]
 The bytes that were modified with the lfence instruction. More...
 
gPatchedSwapgs [128] = {0}
 native_swapgs gadgets patched by Introspection. More...
 
static DWORD gTotalPatchedSwapgs = 0
 The total number of patched swapgs gadgets. More...
 
static QWORD gNativeSwapgs = 0
 The guest virtual address of the "native_swapgs" function. More...
 
static BYTE gOriginalNativeSwapgs [0x10] = {0}
 The original first 10 bytes of the "native_swapgs" function. More...
 
static BOOLEAN gNativeSwapgsHooked = FALSE
 Variable marking whether the "native_swapgs" function was detoured or not. More...
 
API_HOOK_DESCRIPTOR gSwapgsDetour
 Hook descriptor for "native_swapgs" detour. More...
 

Detailed Description

This file contains the protection logic against malicious kernel reads and writes, as well as the mitigation logic for CVE-2019-1125 vulnerability on Linux operating systems.. For an in-depth explanation of this mechanism, see swapgs.c.

Definition in file lixkernel.c.

Function Documentation

◆ IntLixHookKernelRead()

static INTSTATUS IntLixHookKernelRead ( void  )
static

Establishes read hooks for Kernel code.

Returns
INT_STATUS_SUCCESS On success.
INT_STATUS_NOT_NEEDED_HINT If the hooks are already established.

Definition at line 593 of file lixkernel.c.

Referenced by IntLixKernelReadProtect().

◆ IntLixHookKernelWrite()

static INTSTATUS IntLixHookKernelWrite ( void  )
static

Establishes read and write hooks for Kernel code.

Returns
INT_STATUS_SUCCESS On success.
INT_STATUS_NOT_NEEDED_HINT If the hooks are already established.

Definition at line 660 of file lixkernel.c.

Referenced by IntLixKernelWriteProtect().

◆ IntLixKernelHandleRead()

static INTSTATUS IntLixKernelHandleRead ( void *  Context,
void *  Hook,
QWORD  Address,
INTRO_ACTION Action 
)
static

Handles reads performed from a Kernel module's text section.

Parameters
[in]ContextContext supplied to IntHookGpaSetHook. This should be a pointer to a KERNEL_DRIVER object.
[in]HookThe HOOK_GPA object which triggered this event.
[in]AddressThe accessed guest physical address.
[out]ActionThe action that has to be taken.
Returns
INT_STATUS_SUCCESS On success.
INT_STATUS_REMOVE_HOOK_ON_RET If the hook placed on the page containing the address should be removed.

Definition at line 418 of file lixkernel.c.

Referenced by IntLixHookKernelRead().

◆ IntLixKernelReadProtect()

INTSTATUS IntLixKernelReadProtect ( void  )

Activates kernel protection.

This function will protect kernel code against malicious reads.

Returns
INT_STATUS_SUCCESS On success.

Definition at line 781 of file lixkernel.c.

Referenced by IntGuestUpdateCoreOptions(), and IntLixGuestActivateProtection().

◆ IntLixKernelReadUnprotect()

void IntLixKernelReadUnprotect ( void  )

Deactivates the kernel protection against read.

Definition at line 883 of file lixkernel.c.

Referenced by IntGuestUpdateCoreOptions().

◆ IntLixKernelWriteProtect()

INTSTATUS IntLixKernelWriteProtect ( void  )

Activates kernel protection.

This function will protect kernel code against malicious writes.

Returns
INT_STATUS_SUCCESS On success.

Definition at line 754 of file lixkernel.c.

Referenced by IntGuestUpdateCoreOptions(), and IntLixGuestActivateProtection().

◆ IntLixKernelWriteUnprotect()

void IntLixKernelWriteUnprotect ( void  )

Deactivates the kernel protection against write.

Definition at line 866 of file lixkernel.c.

Referenced by IntGuestUpdateCoreOptions().

◆ IntLixPatchSwapgs()

static void IntLixPatchSwapgs ( void  )
static

Finds vulnerable SWAPGS instruction inside the kernel and applies mitigations.

Definition at line 80 of file lixkernel.c.

Referenced by IntLixKernelReadProtect(), and IntLixKernelWriteProtect().

◆ IntLixUnhookKernelRead()

static void IntLixUnhookKernelRead ( void  )
static

Removes write hooks from the kernel code section.

Definition at line 838 of file lixkernel.c.

Referenced by IntLixKernelReadUnprotect().

◆ IntLixUnhookKernelWrite()

static void IntLixUnhookKernelWrite ( void  )
static

Removes write hooks from the kernel code section.

Definition at line 808 of file lixkernel.c.

Referenced by IntLixKernelWriteUnprotect().

◆ IntLixUnpatchSwapgs()

static void IntLixUnpatchSwapgs ( void  )
static

Deactivates swapgs mitigations set by IntLixPatchSwapgs.

Definition at line 324 of file lixkernel.c.

Referenced by IntLixKernelReadUnprotect(), IntLixKernelWriteUnprotect(), and IntLixUnhookKernelWrite().

Variable Documentation

◆ gNativeSwapgs

QWORD gNativeSwapgs = 0
static

The guest virtual address of the "native_swapgs" function.

Definition at line 36 of file lixkernel.c.

Referenced by IntLixPatchSwapgs(), and IntLixUnpatchSwapgs().

◆ gNativeSwapgsHooked

BOOLEAN gNativeSwapgsHooked = FALSE
static

Variable marking whether the "native_swapgs" function was detoured or not.

Definition at line 45 of file lixkernel.c.

Referenced by IntLixPatchSwapgs(), and IntLixUnpatchSwapgs().

◆ gOriginalNativeSwapgs

BYTE gOriginalNativeSwapgs[0x10] = {0}
static

The original first 10 bytes of the "native_swapgs" function.

Definition at line 41 of file lixkernel.c.

Referenced by IntLixPatchSwapgs(), and IntLixUnpatchSwapgs().

◆ gPatchedSwapgs

struct { ... } gPatchedSwapgs[128]

native_swapgs gadgets patched by Introspection.

Referenced by IntLixPatchSwapgs(), and IntLixUnpatchSwapgs().

◆ gSwapgsDetour

API_HOOK_DESCRIPTOR gSwapgsDetour
Initial value:
=
{
.FunctionName = "native_swapgs",
.MinVersion = DETOUR_MIN_VERSION_ANY,
.MaxVersion = DETOUR_MAX_VERSION_ANY,
.Callback = NULL,
.Tag = detTagSwapgs,
.EnableFlags = DETOUR_ENABLE_ALWAYS,
.HandlersCount = 1,
.Handlers =
{
{
.MinVersion = DETOUR_MIN_VERSION_ANY,
.MaxVersion = DETOUR_MAX_VERSION_ANY,
.HypercallType = hypercallTypeNone,
.CodeLength = 5,
.Code = { 0 },
.HypercallOffset = DETOUR_INVALID_HYPERCALL,
.RelocatedCodeOffset = 0x00,
},
},
}
DETOUR_ENABLE_ALWAYS
#define DETOUR_ENABLE_ALWAYS
Can be used as the API_HOOK_DESCRIPTOR.EnableFlags to always enable the detour.
Definition: detours.h:429
DETOUR_MAX_VERSION_ANY
#define DETOUR_MAX_VERSION_ANY
Specifies that the first OS version for which a detour handler is available is the latest OS version ...
Definition: detours.h:317
hypercallTypeNone
No hypercall. This detour does not generate events.
Definition: detours.h:187
DETOUR_MIN_VERSION_ANY
#define DETOUR_MIN_VERSION_ANY
Specifies that the first OS version for which a detour handler is available is the first OS version s...
Definition: detours.h:314
DETOUR_INVALID_HYPERCALL
#define DETOUR_INVALID_HYPERCALL
Used to specify that no hypercall is present in the detour handler so the HypercallOffset field insid...
Definition: detours.h:321

Hook descriptor for "native_swapgs" detour.

Definition at line 52 of file lixkernel.c.

Referenced by IntLixPatchSwapgs().

◆ gTotalPatchedSwapgs

DWORD gTotalPatchedSwapgs = 0
static

The total number of patched swapgs gadgets.

Definition at line 31 of file lixkernel.c.

Referenced by IntLixPatchSwapgs(), and IntLixUnpatchSwapgs().

◆ LfenceRip

QWORD LfenceRip

The RIP where the lfence instruction was injected.

Definition at line 24 of file lixkernel.c.

Referenced by IntLixUnpatchSwapgs().

◆ OriginalBytes

BYTE OriginalBytes[3]

The bytes that were modified with the lfence instruction.

Definition at line 25 of file lixkernel.c.

Referenced by IntLixPatchSwapgs(), and IntLixUnpatchSwapgs().