Bitdefender Hypervisor Memory Introspection
#include "introtypes.h"
Data Structures
struct _LIX_MODULE_LAYOUT
The layout of the core/init sections.
struct _LIX_KERNEL_MODULE
The internal structure of the Linux driver.
struct _LIX_KERNEL_PATCH
The internal structure of the Linux active-patch.
Macros
#define LIX_MODULE_NAME_LEN 56
The maximum length of the Linux module name.
#define LIX_ACTIVE_PATCH_SIZE 27
The maximum size of the active-patch data.
Typedefs
typedef struct _LIX_MODULE_LAYOUT LIX_MODULE_LAYOUT
The layout of the core/init sections.
typedef struct _LIX_MODULE_LAYOUT * PLIX_MODULE_LAYOUT
typedef struct _LIX_KERNEL_MODULE LIX_KERNEL_MODULE
The internal structure of the Linux driver.
typedef struct _LIX_KERNEL_MODULE * PLIX_KERNEL_MODULE
typedef struct _KERNEL_DRIVER KERNEL_DRIVER
typedef struct _KERNEL_DRIVER * PKERNEL_DRIVER
typedef struct _LIX_ACTIVE_PATCH LIX_ACTIVE_PATCH
typedef struct _LIX_ACTIVE_PATCH * PLIX_ACTIVE_PATCH
typedef struct _LIX_KERNEL_PATCH LIX_KERNEL_PATCH
The internal structure of the Linux active-patch.
typedef struct _LIX_KERNEL_PATCH * PLIX_KERNEL_PATCH
Functions
INTSTATUS IntLixDrvFindList (QWORD *Drivers)
Searches the Linux kernel for the 'modules' variable.
INTSTATUS IntLixDrvRemoveEntry (KERNEL_DRIVER *Driver)
Disables protection and frees the driver structure from our internal list.
void IntLixDrvGetSecName (KERNEL_DRIVER *Driver, QWORD Gva, CHAR *SectionName)
Gets the section of the driver that contains the provided guest virtual address.
INTSTATUS IntLixDrvIsLegitimateTextPoke (void *Hook, QWORD Address, LIX_ACTIVE_PATCH *ActivePatch, INTRO_ACTION *Action)
Checks whether the zone modified by the current instruction is a legitimate 'text_poke'.
INTSTATUS IntLixDrvHandleWrite (void *Context, void *Hook, QWORD Address, INTRO_ACTION *Action)
Called when a write occurs on the protected memory zone.
INTSTATUS IntLixDrvIterateList (PFUNC_IterateListCallback Callback, QWORD Aux)
Iterates the 'modules' list from the guest and activates protection for each driver that is initialized.
INTSTATUS IntLixDrvCreateFromAddress (QWORD DriverGva, QWORD StaticDetected)
Creates the KERNEL_DRIVER object from the provided 'struct module' address and activates the protection for it.
INTSTATUS IntLixDrvRemoveFromAddress (QWORD DriverGva)
Disables protection and removes the driver structure from our internal list.
INTSTATUS IntLixDrvCreateKernel (void)
Creates the KERNEL_DRIVER object for the operating system kernel and activates the protection for it.
void IntLixDrvUpdateProtection (void)
Updates Linux driver protection according to the new core options.
#define LIX_ACTIVE_PATCH_SIZE 27
The maximum size of the active-patch data.
Definition at line 12 of file lixmodule.h.
#define LIX_MODULE_NAME_LEN 56
The maximum length of the Linux module name.
Definition at line 11 of file lixmodule.h.
Referenced by IntLixDrvCreateDriverObject(), and IntLixDrvValidate().
typedef struct _KERNEL_DRIVER KERNEL_DRIVER
Definition at line 49 of file lixmodule.h.
typedef struct _LIX_ACTIVE_PATCH LIX_ACTIVE_PATCH
Definition at line 50 of file lixmodule.h.
typedef struct _LIX_KERNEL_MODULE LIX_KERNEL_MODULE
The internal structure of the Linux driver.
typedef struct _LIX_KERNEL_PATCH LIX_KERNEL_PATCH
The internal structure of the Linux active-patch.
typedef struct _LIX_MODULE_LAYOUT LIX_MODULE_LAYOUT
The layout of the core/init sections.
typedef struct _KERNEL_DRIVER * PKERNEL_DRIVER
Definition at line 49 of file lixmodule.h.
typedef struct _LIX_ACTIVE_PATCH * PLIX_ACTIVE_PATCH
Definition at line 50 of file lixmodule.h.
typedef struct _LIX_KERNEL_MODULE * PLIX_KERNEL_MODULE
typedef struct _LIX_KERNEL_PATCH * PLIX_KERNEL_PATCH
typedef struct _LIX_MODULE_LAYOUT * PLIX_MODULE_LAYOUT
INTSTATUS IntLixDrvCreateFromAddress ( QWORD DriverGva, QWORD StaticDetected )
Creates the KERNEL_DRIVER object from the provided 'struct module' address and activates the protection for it.
This function calls '_IntLixDrvRemoveDuplicate' to check whether the provided driver already exists in our list. If the driver is found, it is deleted and an event is sent to the integrator. The function then reads the value of the 'enum module_state' field in order to decide whether the driver should be protected and added to our list. The 'module_state' has one of the following values:
[in] | DriverGva | The guest virtual address of the 'struct module'.
[in] | StaticDetected | True if the driver was detected by the static scan of the 'modules' list, false if it was detected dynamically at load time.
INT_STATUS_SUCCESS | On success.
INT_STATUS_NOT_INITIALIZED | If the IDT of the provided CPU is not initialized.
Definition at line 696 of file lixmodule.c.
Referenced by IntDriverLoadHandler(), and IntLixGuestInitAgentCompletion().
INTSTATUS IntLixDrvCreateKernel ( void )
Creates the KERNEL_DRIVER object for the operating system kernel and activates the protection for it.
INT_STATUS_SUCCESS | On success.
INT_STATUS_INSUFFICIENT_RESOURCES | If HpAllocWithTag fails.
Definition at line 1452 of file lixmodule.c.
Referenced by IntLixGuestInit().
INTSTATUS IntLixDrvFindList ( QWORD * Drivers )
Searches the Linux kernel for the 'modules' variable.
This variable is declared static inside 'module.c', so it cannot be looked up through kallsyms and has to be located by scanning the kernel. Note: only call this during the static initialization.
[out] | Drivers | Receives the guest virtual address of the kernel's 'modules' list head.
INT_STATUS_SUCCESS | On success.
INT_STATUS_NOT_FOUND | If the 'modules' variable is not found.
Definition at line 244 of file lixmodule.c.
Referenced by IntLixDrvIterateList().
void IntLixDrvGetSecName ( KERNEL_DRIVER * Driver, QWORD Gva, CHAR * SectionName )
Gets the section of the driver that contains the provided guest virtual address.
If the guest virtual address does not belong to any section of the driver, the string 'unknown' is returned.
[in] | Driver | The internal driver structure.
[in] | Gva | The guest virtual address to look up.
[out] | SectionName | A string that receives the name of the section, if any.
Definition at line 913 of file lixmodule.c.
Referenced by IntExceptLixKernelGetOriginator(), IntLixDrvSendViolationEvent(), and IntLixKernelHandleRead().
INTSTATUS IntLixDrvHandleWrite ( void * Context, void * Hook, QWORD Address, INTRO_ACTION * Action )
Called when a write occurs on the protected memory zone.
This function checks whether the write comes from a 'text_poke' or whether it occurs while the system is booting. If both checks fail, the exception mechanism is used to decide whether the write should be allowed.
[in] | Context | The context provided by the caller; in our case the driver object.
[in] | Hook | The GPA hook associated with this callback.
[in] | Address | The GPA that was accessed.
[out] | Action | The action that must be taken.
INT_STATUS_SUCCESS | On success.
INT_STATUS_INVALID_PARAMETER_1 | If the provided Context is null.
INT_STATUS_INVALID_PARAMETER_2 | If the provided Hook is null.
INT_STATUS_INVALID_PARAMETER_4 | If the provided Action is null.
Definition at line 1236 of file lixmodule.c.
Referenced by IntLixDrvActivateProtection(), and IntLixHookKernelWrite().
INTSTATUS IntLixDrvIsLegitimateTextPoke ( void * Hook, QWORD Address, LIX_ACTIVE_PATCH * ActivePatch, INTRO_ACTION * Action )
Checks whether the zone modified by the current instruction is a legitimate 'text_poke'.
This function obtains the modified memory from the instruction operand and checks whether it matches the last active-patch information fetched by the 'text_poke' detour (target address, length and the bytes being written).
[in] | Hook | The hook object.
[in] | Address | The modified address.
[in] | ActivePatch | The active patch that modified the protected memory zone.
[out] | Action | The action that must be taken.
INT_STATUS_SUCCESS | On success.
INT_STATUS_INVALID_PARAMETER_1 | If the provided Hook is null.
INT_STATUS_INVALID_PARAMETER_3 | If the provided Action is null.
INT_STATUS_NOT_SUPPORTED | If the modified guest virtual address is not within our active-patch range.
Definition at line 980 of file lixmodule.c.
Referenced by IntDetHandleWrite(), and IntLixDrvHandleWrite().
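The three callbacks above (IntLixDrvGetSecName, IntLixDrvHandleWrite and IntLixDrvIsLegitimateTextPoke) form one decision: when a write lands on protected module memory, accept it only if it is exactly the write a previously seen 'text_poke' announced, and otherwise block it and name the section that was hit. The following is an added example written for this page, not HVMI's own code. It models KERNEL_DRIVER with two layouts in the spirit of the kernel's 'struct module_layout' (text, rodata, ro_after_init, data), models LIX_ACTIVE_PATCH as target address plus up to LIX_ACTIVE_PATCH_SIZE bytes, and leaves out the boot-time and exception-engine paths. The INT_STATUS_* numeric values, the INTRO_ACTION names, the section naming scheme, and every address and size in the sample are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LIX_ACTIVE_PATCH_SIZE 27   /* from lixmodule.h */

/* Status codes named after the page's INT_STATUS_* values; the numbers are assumptions. */
typedef int INTSTATUS;
#define INT_STATUS_SUCCESS              0
#define INT_STATUS_INVALID_PARAMETER_1  (-1)
#define INT_STATUS_INVALID_PARAMETER_5  (-5)
#define INT_STATUS_NOT_SUPPORTED        (-4)

/* Modelled after INTRO_ACTION (names assumed). */
typedef enum { introGuestAllowed = 0, introGuestNotAllowed = 1 } INTRO_ACTION;

/* One layout in the spirit of the kernel's 'struct module_layout': text, rodata,
 * ro_after_init and data follow each other inside [base, base + size). */
struct lix_module_layout { uint64_t base; uint32_t size, text_size, ro_size, ro_after_init_size; };

/* The part of KERNEL_DRIVER this example needs: the core and init layouts. */
struct kernel_driver { const char *name; struct lix_module_layout core, init; };

/* The last text_poke seen by the detour: target address, length and the bytes it will write. */
struct lix_active_patch { uint64_t gva; uint32_t length; uint8_t data[LIX_ACTIVE_PATCH_SIZE]; };

static int layout_section(const struct lix_module_layout *l, uint64_t gva, const char **sec)
{
    if (l->size == 0 || gva < l->base || gva >= l->base + l->size) return 0;
    uint64_t off = gva - l->base;
    if (off < l->text_size)               *sec = "text";
    else if (off < l->ro_size)            *sec = "rodata";
    else if (off < l->ro_after_init_size) *sec = "ro_after_init";
    else                                  *sec = "data";
    return 1;
}

/* In the role of IntLixDrvGetSecName: 'unknown' when the GVA is in neither layout. */
static void lix_drv_get_sec_name(const struct kernel_driver *d, uint64_t gva, char *SectionName, size_t len)
{
    const char *sec;
    if (layout_section(&d->core, gva, &sec))      snprintf(SectionName, len, "core.%s", sec);
    else if (layout_section(&d->init, gva, &sec)) snprintf(SectionName, len, "init.%s", sec);
    else                                          snprintf(SectionName, len, "%s", "unknown");
}

/* In the role of IntLixDrvIsLegitimateTextPoke. A write is legitimate only if it lies
 * entirely inside the pending patch window and carries exactly the bytes text_poke
 * announced; a write inside the window with other bytes is an attempt to hide behind
 * a real text_poke and is refused. A write outside the window is NOT_SUPPORTED so the
 * caller can fall back to its other checks. */
static INTSTATUS lix_drv_is_legitimate_text_poke(const struct lix_active_patch *ActivePatch, uint64_t Address,
                                                 const uint8_t *Written, uint32_t WrittenLen, INTRO_ACTION *Action)
{
    if (!ActivePatch) return INT_STATUS_INVALID_PARAMETER_1;
    if (!Action) return INT_STATUS_INVALID_PARAMETER_5;
    if (ActivePatch->length == 0 || ActivePatch->length > LIX_ACTIVE_PATCH_SIZE) return INT_STATUS_NOT_SUPPORTED;
    if (WrittenLen == 0 || Address < ActivePatch->gva ||
        Address - ActivePatch->gva + WrittenLen > ActivePatch->length)
        return INT_STATUS_NOT_SUPPORTED;
    *Action = memcmp(ActivePatch->data + (Address - ActivePatch->gva), Written, WrittenLen) == 0
              ? introGuestAllowed : introGuestNotAllowed;
    return INT_STATUS_SUCCESS;
}

/* In the role of IntLixDrvHandleWrite, without the boot-time and exception-engine paths:
 * a write that is not a matching text_poke is blocked and the section it hit is named. */
static INTSTATUS lix_drv_handle_write(const struct kernel_driver *d, const struct lix_active_patch *patch,
                                      uint64_t Address, const uint8_t *Written, uint32_t WrittenLen,
                                      INTRO_ACTION *Action, char *SectionName, size_t len)
{
    INTSTATUS st = lix_drv_is_legitimate_text_poke(patch, Address, Written, WrittenLen, Action);
    if (st == INT_STATUS_SUCCESS && *Action == introGuestAllowed) { SectionName[0] = '\0'; return st; }
    *Action = introGuestNotAllowed;
    lix_drv_get_sec_name(d, Address, SectionName, len);
    return INT_STATUS_SUCCESS;
}

/* Constructed sample: a module with core and init layouts and a pending 5-byte jmp being
 * planted at core text + 0x20. All addresses, sizes and bytes are made up for the example. */
static const struct kernel_driver g_sample_drv = {
    "sample_mod",
    { 0xffffffffc0001000ULL, 0x3000, 0x1000, 0x1800, 0x2000 },
    { 0xffffffffc0004000ULL, 0x1000, 0x400,  0x800,  0x800  },
};
static const struct lix_active_patch g_sample_patch = { 0xffffffffc0001020ULL, 5, { 0xe9, 0x10, 0x00, 0x00, 0x00 } };
static const uint8_t g_good_jmp[5] = { 0xe9, 0x10, 0x00, 0x00, 0x00 };   /* what text_poke announced */
static const uint8_t g_evil_jmp[5] = { 0xe9, 0x66, 0x00, 0x00, 0x00 };   /* other target, same window */
static char g_last_sec[32];

/* Runs one write through the handler; returns the verdict and leaves the section in g_last_sec. */
static INTRO_ACTION check_write(uint64_t addr, const uint8_t *bytes, uint32_t n)
{
    INTRO_ACTION action = introGuestNotAllowed;
    lix_drv_handle_write(&g_sample_drv, &g_sample_patch, addr, bytes, n, &action, g_last_sec, sizeof g_last_sec);
    return action;
}
```

The window check is deliberately strict in both directions: a write that starts inside the announced patch but runs past its end is not treated as a partial text_poke, because the overrun bytes were never announced by the detour.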
INTSTATUS IntLixDrvIterateList ( PFUNC_IterateListCallback Callback, QWORD Aux )
Iterates the 'modules' list from the guest and activates protection for each driver that is initialized.
[in] | Callback | The callback that will be called for each driver found.
[in] | Aux | The auxiliary parameter (StaticDetection) passed to the callback.
INT_STATUS_SUCCESS | On success.
INT_STATUS_INVALID_PARAMETER_1 | If the provided callback is invalid.
INT_STATUS_NOT_FOUND | If the 'modules' list is not found.
INT_STATUS_NOT_INITIALIZED_HINT | If the 'modules' list is empty.
INT_STATUS_NOT_SUPPORTED | If the number of drivers exceeds the LIX_MODULE_MAX_ITERATIONS limit.
Definition at line 1364 of file lixmodule.c.
Referenced by IntLixGuestInitAgentCompletion().
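The list walk above, together with the per-driver decision made by IntLixDrvCreateFromAddress, is the part of the introspection engine that consumes guest-controlled pointers: the 'modules' list lives in guest memory, so a corrupted or deliberately looped list must not be able to hang the hypervisor, and nothing read from a 'struct module' is trusted until it has been checked. The following is an added example written for this page, not HVMI's own code. It walks a constructed 'modules' list held in a flat buffer that stands in for guest memory, enforces an iteration cap in the role of LIX_MODULE_MAX_ITERATIONS, and runs a callback that protects only modules in a live or coming-up state and bounds the name by LIX_MODULE_NAME_LEN. Assumptions: the INT_STATUS_* numeric values, the LIX_MODULE_MAX_ITERATIONS value, the PFUNC_IterateListCallback signature, the simplified 'struct module' layout, which 'module_state' values qualify for protection, and the guest base address.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Status codes named after the page's INT_STATUS_* values; the numbers are assumptions. */
typedef int INTSTATUS;
#define INT_STATUS_SUCCESS              0
#define INT_STATUS_INVALID_PARAMETER_1  (-1)
#define INT_STATUS_NOT_FOUND            (-2)
#define INT_STATUS_NOT_INITIALIZED_HINT (-3)
#define INT_STATUS_NOT_SUPPORTED        (-4)

#define LIX_MODULE_NAME_LEN       56    /* from lixmodule.h */
#define LIX_MODULE_MAX_ITERATIONS 4096  /* named on the page; this value is an assumption */

/* Linux 'enum module_state' as declared by the kernel. */
enum module_state { MODULE_STATE_LIVE = 0, MODULE_STATE_COMING, MODULE_STATE_GOING, MODULE_STATE_UNFORMED };

/* Simplified 'struct module'. The real layout differs and HVMI takes field offsets from
 * kernel-version metadata; these offsets are assumptions for the example only. */
struct guest_list_head { uint64_t next, prev; };
struct guest_module {
    uint32_t state;                 /* enum module_state */
    uint32_t pad;
    struct guest_list_head list;    /* links this module into 'modules' */
    char name[LIX_MODULE_NAME_LEN];
};

/* Constructed guest memory: a flat buffer mapped at GUEST_BASE (assumed address). */
#define GUEST_BASE 0xffffffffc0000000ULL
static uint8_t g_guest_mem[4096];

/* Bounds-checked guest read; a failed read stands in for an unmapped page. */
static int gva_read(uint64_t gva, void *out, size_t len)
{
    if (gva < GUEST_BASE || gva - GUEST_BASE + len > sizeof g_guest_mem) return 0;
    memcpy(out, g_guest_mem + (gva - GUEST_BASE), len);
    return 1;
}
static void gva_write(uint64_t gva, const void *in, size_t len) { memcpy(g_guest_mem + (gva - GUEST_BASE), in, len); }

/* Modelled after PFUNC_IterateListCallback (signature assumed): receives the 'struct module' GVA. */
typedef INTSTATUS (*iterate_cb_t)(uint64_t DriverGva, uint64_t Aux);

/* Walks the guest's 'modules' list the way IntLixDrvIterateList does. Every pointer is
 * guest-controlled, so reads are bounds-checked and a looped list cannot spin forever. */
static INTSTATUS lix_drv_iterate_list(uint64_t ModulesGva, iterate_cb_t Callback, uint64_t Aux)
{
    struct guest_list_head head, ent = { 0, 0 };
    unsigned iterations = 0;

    if (!Callback) return INT_STATUS_INVALID_PARAMETER_1;
    if (!gva_read(ModulesGva, &head, sizeof head)) return INT_STATUS_NOT_FOUND;
    if (head.next == ModulesGva) return INT_STATUS_NOT_INITIALIZED_HINT;      /* empty list */

    for (uint64_t cur = head.next; cur != ModulesGva; cur = ent.next) {
        if (++iterations > LIX_MODULE_MAX_ITERATIONS) return INT_STATUS_NOT_SUPPORTED;
        Callback(cur - offsetof(struct guest_module, list), Aux);          /* container_of */
        if (!gva_read(cur, &ent, sizeof ent)) return INT_STATUS_NOT_FOUND;  /* dangling link */
    }
    return INT_STATUS_SUCCESS;
}

/* Callback in the role of IntLixDrvCreateFromAddress: protect only modules whose state is
 * LIVE or COMING (which states qualify is an assumption) and refuse a name that is not
 * NUL-terminated inside LIX_MODULE_NAME_LEN before anything is done with it. */
static unsigned g_protected;
static char g_last_name[LIX_MODULE_NAME_LEN];
static INTSTATUS g_last_status;

static INTSTATUS protect_if_live(uint64_t DriverGva, uint64_t StaticDetected)
{
    struct guest_module m;
    (void)StaticDetected;
    if (!gva_read(DriverGva, &m, sizeof m)) return INT_STATUS_NOT_FOUND;
    if (m.state != MODULE_STATE_LIVE && m.state != MODULE_STATE_COMING) return INT_STATUS_SUCCESS;
    if (memchr(m.name, '\0', LIX_MODULE_NAME_LEN) == NULL) return INT_STATUS_NOT_SUPPORTED;
    memcpy(g_last_name, m.name, LIX_MODULE_NAME_LEN);
    g_protected++;
    return INT_STATUS_SUCCESS;
}

/* Builds a constructed three-module list (LIVE, COMING, GOING); with 'cyclic' set, the
 * last entry points back at the first instead of the head, as a corrupted guest could. */
static uint64_t build_sample_list(int cyclic)
{
    const uint64_t head_gva = GUEST_BASE;
    const char *names[3] = { "ext4", "nf_tables", "stale_going" };
    const uint32_t states[3] = { MODULE_STATE_LIVE, MODULE_STATE_COMING, MODULE_STATE_GOING };
    uint64_t mod_gva[3], list_gva[3];
    struct guest_list_head head;
    struct guest_module m;

    memset(g_guest_mem, 0, sizeof g_guest_mem);
    for (int i = 0; i < 3; i++) {
        mod_gva[i] = GUEST_BASE + 0x100 * (uint64_t)(i + 1);
        list_gva[i] = mod_gva[i] + offsetof(struct guest_module, list);
    }
    head.next = list_gva[0]; head.prev = list_gva[2];
    gva_write(head_gva, &head, sizeof head);
    for (int i = 0; i < 3; i++) {
        memset(&m, 0, sizeof m);
        m.state = states[i];
        strncpy(m.name, names[i], LIX_MODULE_NAME_LEN - 1);
        m.list.next = (i < 2) ? list_gva[i + 1] : (cyclic ? list_gva[0] : head_gva);
        m.list.prev = (i > 0) ? list_gva[i - 1] : head_gva;
        gva_write(mod_gva[i], &m, sizeof m);
    }
    return head_gva;
}

/* Walks the constructed list; returns how many modules were protected, status in g_last_status. */
static unsigned count_protected(int cyclic)
{
    uint64_t head = build_sample_list(cyclic);
    g_protected = 0;
    g_last_status = lix_drv_iterate_list(head, protect_if_live, 1 /* StaticDetected */);
    return g_protected;
}
```

On the sane list two of the three modules are protected and the GOING one is skipped; on the looped list the walk keeps calling the callback until the iteration cap trips and reports INT_STATUS_NOT_SUPPORTED instead of hanging, which is the failure mode the limit on the page exists for.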
INTSTATUS IntLixDrvRemoveEntry ( KERNEL_DRIVER * Driver )
Disables protection and frees the driver structure from our internal list.
If the swap-mem hook on the init section is enabled, the function disables it.
[in] | Driver | The internal driver structure.
INT_STATUS_SUCCESS | On success.
INT_STATUS_INVALID_PARAMETER_1 | If the parameter is invalid.
Definition at line 828 of file lixmodule.c.
Referenced by IntDriverUninit(), IntLixDrvRemoveDuplicate(), and IntLixDrvRemoveFromAddress().
INTSTATUS IntLixDrvRemoveFromAddress ( QWORD DriverGva )
Disables protection and removes the driver structure from our internal list.
If the swap-mem hook on the init section is enabled, the function disables it.
[in] | DriverGva | The guest virtual address of the 'struct module' whose driver entry should be removed.
INT_STATUS_SUCCESS | On success.
Definition at line 866 of file lixmodule.c.
Referenced by IntDriverUnloadHandler().
void IntLixDrvUpdateProtection ( void )
Updates Linux driver protection according to the new core options.
Definition at line 487 of file lixmodule.c.
Referenced by IntGuestUpdateCoreOptions().