Bitdefender Hypervisor Memory Introspection
lixnet.c File Reference
#include "lixnet.h"
#include "alerts.h"
#include "guests.h"
#include "intronet.h"
#include "introstatus.h"


Data Structures

struct  _SOCK_PROTO
 An internal structure used to cache the "struct proto" addresses of required connection types.
 

Macros

#define LIX_FDTABLE_MAX_FDS_CAP   2048u
 The maximum number of file descriptors to be iterated.
 

Typedefs

typedef struct _SOCK_PROTO SOCK_PROTO
 An internal structure used to cache the "struct proto" addresses of required connection types.
 

Functions

static void IntLixNetSendConnectionEvent (INTRONET_ENDPOINT *Connection)
 Sends a connection event to the integrator.
 
static INTSTATUS IntLixNetGetConnectionFromSocket (QWORD SocketGva, INTRONET_ENDPOINT *Connection)
 Fills an INTRONET_ENDPOINT structure from a TCP/IP socket GVA.
 
static BOOLEAN IntLixNetFileIsSocket (QWORD StructFileGva, QWORD *SocketGva)
 Checks if a given file object is a socket and returns the socket GVA.
 
INTSTATUS IntLixNetIterateTaskConnections (LIX_TASK_OBJECT *Task, PFUNC_IterateConnectionsCallback Callback)
 Iterates all TCP/IP connections of a process and supplies them to callback.
 
static void IntLixNetProcessConnection (INTRONET_ENDPOINT *Endpoint)
 Callback for IntLixNetIterateTaskConnections that processes each TCP/IP connection.
 
INTSTATUS IntLixNetSendTaskConnections (LIX_TASK_OBJECT *Task)
 Logs and sends to the integrator all connections opened by a Linux process.
 
INTSTATUS IntLixNetSendGuestConnections (void)
 Sends all active in-guest TCP/IP connections as events to the integrator.
 

Macro Definition Documentation

◆ LIX_FDTABLE_MAX_FDS_CAP

#define LIX_FDTABLE_MAX_FDS_CAP   2048u

The maximum number of file descriptors to be iterated.

Definition at line 11 of file lixnet.c.

Referenced by IntLixNetIterateTaskConnections().

Typedef Documentation

◆ SOCK_PROTO

typedef struct _SOCK_PROTO SOCK_PROTO

An internal structure used to cache the "struct proto" addresses of required connection types.

Function Documentation

◆ IntLixNetFileIsSocket()

static BOOLEAN IntLixNetFileIsSocket (QWORD StructFileGva, QWORD *SocketGva)

Checks if a given file object is a socket and returns the socket GVA.

Parameters
[in] StructFileGva: The GVA of the file structure.
[out] SocketGva: Will contain the GVA of the socket structure corresponding to the given file structure when the returned value is TRUE.
Returns
TRUE If the file is indeed a socket.
FALSE If the file is not a socket.

Definition at line 216 of file lixnet.c.

Referenced by IntLixNetIterateTaskConnections().

◆ IntLixNetGetConnectionFromSocket()

static INTSTATUS IntLixNetGetConnectionFromSocket (QWORD SocketGva, INTRONET_ENDPOINT *Connection)

Fills an INTRONET_ENDPOINT structure from a TCP/IP socket GVA.

This function retrieves the connection details starting from the address of a socket object. If the connection type is neither IPv4 nor IPv6, it is ignored.

  • Known issue: For kernel versions < 3.16 (except the CentOS/Red Hat 3.10 kernel, which backported the patch) this function is not able to retrieve IPv6 connections.
Parameters
[in] SocketGva: The GVA of a socket object.
[out] Connection: Upon successful return this structure will be filled with the connection details.
Returns
INT_STATUS_SUCCESS On success.
INT_STATUS_NOT_NEEDED_HINT If the SocketGva does not refer to a valid TCP/IP connection.

Definition at line 50 of file lixnet.c.

Referenced by IntLixNetIterateTaskConnections().

◆ IntLixNetIterateTaskConnections()

INTSTATUS IntLixNetIterateTaskConnections (LIX_TASK_OBJECT *Task, PFUNC_IterateConnectionsCallback Callback)

Iterates all TCP/IP connections of a process and supplies them to callback.

This function iterates all file descriptors of the given process. For each descriptor that refers to a socket, it attempts to extract the connection details if the protocol used is TCP over IPv4 or IPv6.

Parameters
[in] Task: The Linux process.
[in] Callback: The callback that will be called for each connection.
Returns
INT_STATUS_SUCCESS On success.
INT_STATUS_NOT_NEEDED_HINT If the connection events are not enabled.
INT_STATUS_INVALID_PARAMETER_1 If the Task parameter does not point to a valid LIX_TASK_OBJECT.
INT_STATUS_NOT_SUPPORTED If the current OS type is not Linux.

Definition at line 273 of file lixnet.c.

Referenced by IntLixNetSendTaskConnections().
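
The bounded descriptor walk described above, as an added example that is not HVMI's code: every type and helper is a hypothetical stand-in, and only the LIX_FDTABLE_MAX_FDS_CAP value comes from this page. It assumes the descriptor count is read from guest memory, which is why it is clamped before being used as a loop bound.

```c
#include <stdint.h>
#include <stdio.h>

#define LIX_FDTABLE_MAX_FDS_CAP 2048u /* value documented on this page */
#define MOCK_SLOTS 4096u              /* constructed fd array, larger than the cap */

/* Hypothetical stand-ins for guest objects; these are not HVMI types. */
enum { FAM_UNIX, FAM_INET, FAM_INET6 };
enum { PROTO_TCP, PROTO_UDP };
typedef struct { int is_socket, family, proto; } mock_file;
typedef struct {
    uint32_t max_fds;            /* read from the guest, so never trusted as a bound */
    const mock_file *const *fd;  /* NULL marks an unused descriptor slot */
} mock_fdtable;
typedef void (*conn_cb)(const mock_file *sock, void *ctx);

/* Reports TCP sockets over IPv4/IPv6 to cb; returns how many were reported. */
static unsigned iterate_connections(const mock_fdtable *t, conn_cb cb, void *ctx)
{
    uint32_t limit = t->max_fds > LIX_FDTABLE_MAX_FDS_CAP ? LIX_FDTABLE_MAX_FDS_CAP
                                                          : t->max_fds;
    unsigned reported = 0;
    for (uint32_t i = 0; i < limit; i++) {
        const mock_file *f = t->fd[i];
        if (f == NULL || !f->is_socket) continue; /* empty slot or non-socket file */
        if (f->proto != PROTO_TCP) continue;
        if (f->family != FAM_INET && f->family != FAM_INET6) continue;
        cb(f, ctx);
        reported++;
    }
    return reported;
}

static void count_cb(const mock_file *sock, void *ctx) { (void)sock; ++*(unsigned *)ctx; }

/* Constructed input: slots cycle through file, empty, UDP, UNIX, TCP/IPv6, TCP/IPv4. */
static unsigned demo(uint32_t guest_max_fds)
{
    static const mock_file kinds[6] = { {0, 0, 0}, {0, 0, 0}, {1, FAM_INET, PROTO_UDP},
        {1, FAM_UNIX, PROTO_TCP}, {1, FAM_INET6, PROTO_TCP}, {1, FAM_INET, PROTO_TCP} };
    static const mock_file *slots[MOCK_SLOTS];
    unsigned delivered = 0;
    for (uint32_t i = 0; i < MOCK_SLOTS; i++) slots[i] = (i % 6 == 1) ? NULL : &kinds[i % 6];
    mock_fdtable t = { guest_max_fds, slots };
    iterate_connections(&t, count_cb, &delivered);
    return delivered;
}

int main(void) { printf("%u %u\n", demo(12), demo(0xFFFFFFFFu)); return 0; }
```

With a corrupted count of 0xFFFFFFFF the walk still stops after 2048 slots, so the callback receives the same endpoints as for a count of exactly 2048.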

◆ IntLixNetProcessConnection()

static void IntLixNetProcessConnection (INTRONET_ENDPOINT *Endpoint)

Callback for IntLixNetIterateTaskConnections that processes each TCP/IP connection.

This function logs the connection details and sends an event to the integrator.

Parameters
[in] Endpoint: The TCP/IP connection.

Definition at line 390 of file lixnet.c.

Referenced by IntLixNetSendTaskConnections().

◆ IntLixNetSendConnectionEvent()

static void IntLixNetSendConnectionEvent (INTRONET_ENDPOINT *Connection)

Sends a connection event to the integrator.

Parameters
[in] Connection: The TCP/IP connection.

Definition at line 24 of file lixnet.c.

Referenced by IntLixNetProcessConnection().

◆ IntLixNetSendGuestConnections()

INTSTATUS IntLixNetSendGuestConnections ( void  )

Sends all active in-guest TCP/IP connections as events to the integrator.

This function will iterate all processes running inside the guest and send all their active TCP/IP connections.

Returns
INT_STATUS_SUCCESS On success.
INT_STATUS_NOT_NEEDED_HINT If connection events are not enabled.

Definition at line 435 of file lixnet.c.

◆ IntLixNetSendTaskConnections()

INTSTATUS IntLixNetSendTaskConnections (LIX_TASK_OBJECT *Task)

Logs and sends to the integrator all connections opened by a Linux process.

Parameters
[in] Task: The Linux process.
Returns
INT_STATUS_SUCCESS On success.
INT_STATUS_INVALID_PARAMETER_1 If an invalid process is supplied.

Definition at line 413 of file lixnet.c.

Referenced by IntLixNetSendGuestConnections(), and IntLixVmaHandlePageExecution().