Bitdefender Hypervisor Memory Introspection
#include "lixprocess.h"
Data Structures
struct _LIX_VMA
Typedefs
typedef struct _LIX_VMA LIX_VMA
typedef struct _LIX_VMA *PLIX_VMA
Functions
INTSTATUS IntLixMmGetInitMm (QWORD *InitMm)
Find the address of the "init_mm" variable inside the kernel.
INTSTATUS IntLixMmFindVmaRange (QWORD Gva, LIX_TASK_OBJECT *Task, QWORD *VmaStart, QWORD *VmaEnd)
Finds the VMA limits that contain an address.
INTSTATUS IntLixMmFetchVma (LIX_TASK_OBJECT *Task, QWORD Address, LIX_VMA *Vma)
Retrieve information about a VMA structure containing a user mode address.
LIX_VMA *IntLixMmFindVma (LIX_TASK_OBJECT *Task, QWORD Vma)
Finds a protected VMA inside a process VMA list.
LIX_VMA *IntLixMmFindVmaByRange (const LIX_TASK_OBJECT *Process, QWORD Address)
Finds if a memory address inside a process is being protected and returns the corresponding LIX_VMA structure.
INTSTATUS IntLixMmPopulateVmas (LIX_TASK_OBJECT *Task)
Populate the Introcore VMAs linked list by iterating the one inside the guest.
void IntLixMmDestroyVmas (LIX_TASK_OBJECT *Task)
Remove protection for the VMAs belonging to a process.
void IntLixMmListVmas (QWORD Mm, LIX_TASK_OBJECT *Process)
Logs all VMAs from a mm_struct.
INTSTATUS IntLixVmaInsert (void *Detour)
Detour handler for "__vma_link_rb" function.
INTSTATUS IntLixVmaChangeProtection (void *Detour)
Detour handler for "change_protection" function.
INTSTATUS IntLixVmaAdjust (void *Detour)
Detour handler for in-guest functions adjusting VMA ranges.
INTSTATUS IntLixVmaExpandDownwards (void *Detour)
Detour handler for "expand_downwards" function.
INTSTATUS IntLixVmaRemove (void *Detour)
Detour handler for functions that unmap memory for processes.
void IntLixMmDestroyVmas (LIX_TASK_OBJECT *Task)
Remove protection for the VMAs belonging to a process.
[in] | Task | The process whose VMAs will be unprotected. |
Definition at line 1016 of file lixmm.c.
Referenced by IntLixMmPopulateVmas(), and IntLixTaskDeactivateExploitProtection().
INTSTATUS IntLixMmFetchVma (LIX_TASK_OBJECT *Task, QWORD Address, LIX_VMA *Vma)
Retrieve information about a VMA structure containing a user mode address.
[in] | Task | The process in whose mm address space the address should be searched. |
[in] | Address | The searched address. |
[out] | Vma | Upon successful return will contain information about the requested VMA. |
Definition at line 581 of file lixmm.c.
Referenced by IntLixCredAnalyzeStack(), IntLixMmFindVmaRange(), and IntLixStackDumpUmStackTrace().
LIX_VMA *IntLixMmFindVma (LIX_TASK_OBJECT *Task, QWORD Vma)
Finds a protected VMA inside a process VMA list.
[in] | Task | The process in whose list the Vma should be found. |
[in] | Vma | The Gva of a VMA object. |
Definition at line 871 of file lixmm.c.
Referenced by IntLixVmaAdjustInternal(), IntLixVmaChangeProtection(), IntLixVmaExpandDownwards(), IntLixVmaInsert(), and IntLixVmaRemove().
LIX_VMA *IntLixMmFindVmaByRange (const LIX_TASK_OBJECT *Process, QWORD Address)
Finds if a memory address inside a process is being protected and returns the corresponding LIX_VMA structure.
[in] | Process | The process whose protected VMA list is searched. |
[in] | Address | The address to look up. |
Definition at line 699 of file lixmm.c.
Referenced by IntExceptGetVictimEpt(), and IntLixVmaHandlePageExecution().
INTSTATUS IntLixMmFindVmaRange (QWORD Gva, LIX_TASK_OBJECT *Task, QWORD *VmaStart, QWORD *VmaEnd)
Finds the VMA limits that contain an address.
[in] | Gva | The address that will be searched. |
[in] | Task | The process in whose address space the search will be performed. |
[out] | VmaStart | Upon successful return will contain the lower limit of the VMA. |
[out] | VmaEnd | Upon successful return will contain the upper limit of the VMA. |
Definition at line 640 of file lixmm.c.
Referenced by IntLixTaskGetUserStack(), and IntLixTaskIsUserStackPivoted().
INTSTATUS IntLixMmGetInitMm (QWORD *InitMm)
Find the address of the "init_mm" variable inside the kernel.
Searches the Linux kernel for the 'init_mm' variable. The symbol can be exported through kallsyms, but some distributions (Debian) disable the export of variables in kallsyms, in which case its address has to be located by other means.
Linux kernel v5.5 defines the init_mm as follows:
If the "init_mm" address couldn't be resolved via kallsyms, this function performs a search inside the ".data" section and applies the following heuristic in order to determine its address:
[out] | InitMm | Upon successful return will contain the address of the init_mm symbol. |
Definition at line 76 of file lixmm.c.
Referenced by IntLixGuestNew().
void IntLixMmListVmas (QWORD Mm, LIX_TASK_OBJECT *Process)
Logs all VMAs from a mm_struct.
[in] | Mm | The mm_struct GVA. |
[in] | Process | Pointer to a LIX_TASK_OBJECT structure. |
Definition at line 1671 of file lixmm.c.
Referenced by IntLixTaskDump().
INTSTATUS IntLixMmPopulateVmas (LIX_TASK_OBJECT *Task)
Populate the Introcore VMAs linked list by iterating the one inside the guest.
This function will iterate the in-guest VMA list and attempt to protect the ones which are marked as executable.
[in] | Task | The process whose VMA list should be populated. |
Definition at line 1510 of file lixmm.c.
Referenced by IntLixTaskActivateExploitProtection().
INTSTATUS IntLixVmaAdjust (void *Detour)
Detour handler for in-guest functions adjusting VMA ranges.
This function checks the result of the "vma_adjust" call and adjusts the protection for the affected VMAs.
[in] | Detour | Unused. |
INTSTATUS IntLixVmaChangeProtection (void *Detour)
Detour handler for "change_protection" function.
This function is called whenever a VMA belonging to a protected memory space makes a transition from executable to non-executable or vice versa. If the VMA is being marked as executable, this function establishes the protection; otherwise the protection is removed and the VMA is marked as unprotected.
[in] | Detour | Unused. |
INTSTATUS IntLixVmaExpandDownwards (void *Detour)
Detour handler for "expand_downwards" function.
This function updates the protection for VMAs which are able to expand downwards (usually this is the case for stack VMAs). It checks if the lower limit has changed and updates the protected memory range.
[in] | Detour | Unused. |
INTSTATUS IntLixVmaInsert (void *Detour)
Detour handler for "__vma_link_rb" function.
This function is called when an executable VMA is being created. If the newly created VMA is already protected (by a previous vma_adjust call) then it will be ignored.
[in] | Detour | Unused. |
INTSTATUS IntLixVmaRemove (void *Detour)
Detour handler for functions that unmap memory for processes.
This function removes the protection from a VMA as it is being unmapped from the process memory space. Usually, the kernel function that triggers this event is "(__)vma_rb_erase". Because the support for RHEL 6 required lots of hacks and workarounds, other functions may trigger it as well. However, every detour must provide this function with the GVA of the removed VMA in the R8 register and the GVA of the mm_struct owning the VMA in the R9 register.
[in] | Detour | Unused. |
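As an added illustration (this is example code, not Introcore's own), here is a constructed C model of the lifecycle the functions above manage: IntLixMmPopulateVmas walking the guest VMA list and protecting the executable ones, IntLixVmaInsert ignoring a VMA that an earlier vma_adjust already protected, change_protection toggling protection only on exec/non-exec transitions, expand_downwards moving a stack VMA's lower limit, and IntLixVmaRemove / IntLixMmDestroyVmas dropping protection. All type and function names, the VM_* bit values and the four sample VMAs are assumptions of this example; the guest address of a VMA is modelled by its host pointer, whereas the real code reads these structures out of guest memory.

```c
/* Constructed model of the two VMA lists involved: the guest's mm->mmap chain
 * of vm_area_struct and the introspection-side list of VMAs it protects.
 * Names are this example's own, VM_* values are assumed to match Linux, and a
 * VMA's guest address (GVA) is modelled by its host pointer. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#define VM_READ  0x1UL
#define VM_WRITE 0x2UL
#define VM_EXEC  0x4UL

typedef struct guest_vma {          /* trimmed guest vm_area_struct */
    uint64_t vm_start, vm_end;      /* [vm_start, vm_end) */
    unsigned long vm_flags;
    struct guest_vma *vm_next;      /* ascending order, like mm->mmap */
} guest_vma;
typedef struct ivma {               /* one protected executable VMA */
    uint64_t gva, start, end;
    struct ivma *next;
} ivma;
typedef struct { ivma *head; int count; } task_vmas;

static uint64_t gva_of(const guest_vma *g) { return (uint64_t)(uintptr_t)g; }

/* IntLixMmFindVma analogue: lookup by the VMA object's guest address. */
static ivma *ivma_find(const task_vmas *t, uint64_t gva)
{
    for (ivma *v = t->head; v; v = v->next)
        if (v->gva == gva) return v;
    return NULL;
}

/* IntLixMmFindVmaByRange analogue: is addr inside a protected VMA? */
static ivma *ivma_find_by_range(const task_vmas *t, uint64_t addr)
{
    for (ivma *v = t->head; v; v = v->next)
        if (addr >= v->start && addr < v->end) return v;
    return NULL;
}

/* Start protecting a VMA; false if already tracked (what IntLixVmaInsert skips). */
static bool ivma_protect(task_vmas *t, const guest_vma *g)
{
    if (ivma_find(t, gva_of(g))) return false;
    ivma *v = calloc(1, sizeof *v);
    if (!v) return false;
    *v = (ivma){ gva_of(g), g->vm_start, g->vm_end, t->head };
    t->head = v; t->count++;
    return true;
}

/* Stop protecting a VMA, keyed by its guest address (IntLixVmaRemove analogue). */
static bool ivma_unprotect(task_vmas *t, uint64_t gva)
{
    ivma **pp = &t->head;
    while (*pp && (*pp)->gva != gva) pp = &(*pp)->next;
    if (!*pp) return false;
    ivma *dead = *pp; *pp = dead->next; free(dead); t->count--;
    return true;
}

/* IntLixMmPopulateVmas analogue: walk the guest list and protect VM_EXEC VMAs.
 * Returns how many were newly protected, so a repeat call returns 0. */
static int vmas_populate(task_vmas *t, const guest_vma *mmap)
{
    int n = 0;
    for (const guest_vma *g = mmap; g; g = g->vm_next)
        if ((g->vm_flags & VM_EXEC) && ivma_protect(t, g)) n++;
    return n;
}

/* change_protection analogue: only exec <-> non-exec transitions matter. */
static void on_change_protection(task_vmas *t, guest_vma *g, unsigned long flags)
{
    bool was_exec = (g->vm_flags & VM_EXEC) != 0, now_exec = (flags & VM_EXEC) != 0;
    g->vm_flags = flags;
    if (now_exec && !was_exec) ivma_protect(t, g);
    else if (was_exec && !now_exec) ivma_unprotect(t, gva_of(g));
}

/* expand_downwards analogue: true only when a protected VMA's lower limit moved. */
static bool on_expand_downwards(task_vmas *t, guest_vma *g, uint64_t new_start)
{
    ivma *v = ivma_find(t, gva_of(g));
    g->vm_start = new_start;
    if (!v || v->start == new_start) return false;
    v->start = new_start;
    return true;
}

/* IntLixMmDestroyVmas analogue. */
static void vmas_destroy(task_vmas *t) { while (t->head) ivma_unprotect(t, t->head->gva); }

/* Constructed sample mm: binary text, heap, libc text, stack (grows down). */
static guest_vma sample[4] = {
    { 0x400000,       0x401000,       VM_READ | VM_EXEC,  &sample[1] },
    { 0x600000,       0x621000,       VM_READ | VM_WRITE, &sample[2] },
    { 0x7f0000000000, 0x7f00001a0000, VM_READ | VM_EXEC,  &sample[3] },
    { 0x7ffffffde000, 0x7ffffffff000, VM_READ | VM_WRITE, NULL       },
};
```

Running the handlers over the sample list in order (populate, heap mprotect to rwx and back, stack growth once the stack is marked executable, teardown) shows the invariants the real detours rely on: populate is idempotent, only exec transitions change the tracked set, and expand_downwards is a no-op unless the VMA is tracked and its start actually moved.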