- Generated by
1.8.13
|
Bitdefender Hypervisor Memory Introspection
|
Go to the source code of this file.
Data Structures | |
| struct | _LIX_TASK_PATH |
| Describes a path cache entry. More... | |
| struct | _LIX_TASK_OBJECT |
Macros | |
| #define | LIX_COMM_SIZE 16u |
| The maximum size of the process comm. More... | |
| #define | LIX_PROCESSES_MAX_COUNT 65536 |
| The maximum number of processes allowed. More... | |
Typedefs | |
| typedef struct _LIX_CREDS | LIX_CREDS |
| typedef struct _LIX_TASK_PATH | LIX_TASK_PATH |
| Describes a path cache entry. More... | |
| typedef struct _LIX_TASK_OBJECT | LIX_TASK_OBJECT |
| typedef INTSTATUS(* | PFUNC_LixTaskIterateTasks) (LIX_TASK_OBJECT *Task) |
Functions | |
| static QWORD | IntLixProcGetProtOption (const LIX_TASK_OBJECT *Process) |
| Returns the introcore options related to user mode protection. More... | |
| static BOOLEAN | IntLixProcPolicyIsBeta (const LIX_TASK_OBJECT *Process, QWORD Flag) |
| Verifies whether a specific process protection flag is in beta mode or not for a Linux process. More... | |
| static BOOLEAN | IntLixProcPolicyIsFeedback (const LIX_TASK_OBJECT *Process, QWORD Flag) |
| Verifies whether a specific process protection flag is in feedback only mode or not for a Linux process. More... | |
| INTSTATUS | IntLixTaskGetUserStack (LIX_TASK_OBJECT *Task, QWORD *StackPointer, QWORD *StackBase, QWORD *StackLimit) |
| Finds the user mode stack limits for a Linux process. More... | |
| INTSTATUS | IntLixGetInitTask (QWORD *InitTask) |
| Finds the guest virtual address of the "init_task". More... | |
| LIX_TASK_OBJECT * | IntLixTaskGetCurrent (DWORD CpuNumber) |
| Finds the task that is currently running on the given CPU. More... | |
| INTSTATUS | IntLixTaskGetCurrentTaskStruct (DWORD CpuNumber, QWORD *TaskStruct) |
| Reads the guest virtual address of the task currently running on a CPU. More... | |
| QWORD | IntLixGetKernelCr3 (QWORD Cr3) |
| Transforms an user CR3 into a kernel CR3 on systems with KPTI enabled and active. More... | |
| LIX_TASK_OBJECT * | IntLixTaskFindByCr3 (QWORD Cr3) |
| Finds the Linux process having the provided Cr3. More... | |
| LIX_TASK_OBJECT * | IntLixTaskFindByGva (QWORD TaskStruct) |
| Finds Linux process with the provided "task_struct" guest virtual address. More... | |
| LIX_TASK_OBJECT * | IntLixTaskProtFindByMm (QWORD MmGva) |
| Finds the protected Linux process having the provided mm guest virtual address. More... | |
| LIX_TASK_OBJECT * | IntLixTaskFindByMm (QWORD MmGva) |
| Finds the Linux process having the provided mm guest virtual address. More... | |
| LIX_TASK_OBJECT * | IntLixTaskFindByPid (DWORD Pid) |
| Finds the Linux process having the provided PID. More... | |
| INTSTATUS | IntLixTaskGetTrapFrame (const LIX_TASK_OBJECT *Task, LIX_TRAP_FRAME *TrapFrame) |
| Retrieves the trap frame for a Linux task. More... | |
| DWORD | IntLixTaskGetExecCount (void) |
| Returns the number of processes that have performed an exec. More... | |
| INTSTATUS | IntLixTaskHandleFork (void *Detour) |
| Handles the fork() system call performed by a linux process. More... | |
| INTSTATUS | IntLixTaskHandlePtrace (void *Detour) |
| Handles the ptrace() system call. More... | |
| INTSTATUS | IntLixTaskHandleVmRw (void *Detour) |
| Handles the process_vm_writev() system call. More... | |
| INTSTATUS | IntLixTaskHandleExec (void *Detour) |
| Handles the exec() system call of a linux process. More... | |
| INTSTATUS | IntLixTaskHandleDoExit (void *Detour) |
| Handles the exit() system call. More... | |
| INTSTATUS | IntLixTaskIterateGuestTasks (PFUNC_IterateListCallback Callback, QWORD Aux) |
| Iterates the guest process list and calls the provided callback for each process and thread found. More... | |
| INTSTATUS | IntLixTaskAdd (QWORD TaskGva, QWORD StaticDetected) |
| Creates and adds a Linux process in the internal list. More... | |
| INTSTATUS | IntLixTaskAddProtected (const char *ProcessName, QWORD ProtectionMask, QWORD Context) |
| Adds a protected process name pattern. More... | |
| INTSTATUS | IntLixTaskRemoveProtected (const char *ProcessName) |
| Removes a pattern of processes to be protected. More... | |
| void | IntLixTaskUpdateProtection (void) |
| Adjusts protection for all active Linux processes. More... | |
| INTSTATUS | IntLixTaskGetAgentsAsCli (char *CommandLine, DWORD Length) |
| Returns a string with the command lines of all active agents. More... | |
| void | IntLixTaskUninit (void) |
| Uninitializes the Linux process subsystem. More... | |
| void | IntLixTaskDumpAsTree (void) |
| Dump the process tree. More... | |
| void | IntLixTaskDump (void) |
| Dumps the process list. More... | |
| void | IntLixTaskDumpProtected (void) |
| Dumps the list with processes that Introcore should protect. More... | |
| INTSTATUS | IntLixTaskIterateTasks (PFUNC_LixTaskIterateTasks Callback) |
| Call the Callback parameter for each task saved internally. More... | |
| void | IntLixTaskEnum (DWORD *Pids, DWORD BufferSize) |
| BOOLEAN | IntLixTaskGuestTerminating (void) |
| Check whether the guest OS is terminating or not. More... | |
| void | IntLixProcUpdateProtectedProcess (const void *Name, const CAMI_STRING_ENCODING Encoding, const CAMI_PROT_OPTIONS *Options) |
| Updates the protection flags for Linux tasks that should be protected based on options received via CAMI. More... | |
| INTSTATUS | IntLixAccessRemoteVmHandler (void *Detour) |
| Detour handler for __access_remote_vm. More... | |
| INTSTATUS | IntLixTaskIsUserStackPivoted (LIX_TASK_OBJECT *Task, QWORD Ptr, BOOLEAN *IsPivoted) |
| Verifies whether the stack of a Linux process is pivoted or not. More... | |
| #define LIX_COMM_SIZE 16u |
The maximum size of the process comm.
Definition at line 13 of file lixprocess.h.
Referenced by IntLixGetInitTask(), IntLixTaskAddProtected(), and IntLixTaskDumpTree().
| #define LIX_PROCESSES_MAX_COUNT 65536 |
The maximum number of processes allowed.
Definition at line 15 of file lixprocess.h.
Referenced by IntLixTaskIterateGuestTasks(), IntLixTaskIterateThreadGroup(), and IntLixTaskIterateThreadNode().
| typedef struct _LIX_CREDS LIX_CREDS |
Definition at line 17 of file lixprocess.h.
| typedef struct _LIX_TASK_OBJECT LIX_TASK_OBJECT |
| typedef struct _LIX_TASK_PATH LIX_TASK_PATH |
Describes a path cache entry.
| typedef INTSTATUS(* PFUNC_LixTaskIterateTasks) (LIX_TASK_OBJECT *Task) |
Callback for iterating internally available Linux processes.
Definition at line 183 of file lixprocess.h.
| INTSTATUS IntLixAccessRemoteVmHandler | ( | void * | Detour | ) |
Detour handler for __access_remote_vm.
This function will deny any attempt of a process to alter the memory space of another process. Even though _access_remote_vm is also used to also perform reads, the detour handler inside the OS will filter the events and only the ones performing writes will trigger any actions.
| [in] | Detour | Unused. |
Definition at line 5009 of file lixprocess.c.
Finds the guest virtual address of the "init_task".
Searches the linux kernel for the 'init_task' variable. This variable can be exported in kallsyms but some distros (Debian) disable variable exporting in kallsyms, and we must do it our way then.
| [out] | InitTask | Will contain, upon successful return, the guest virtual address of "init_task" variable. |
Definition at line 401 of file lixprocess.c.
Referenced by IntLixTaskIterateGuestTasks().
Transforms an user CR3 into a kernel CR3 on systems with KPTI enabled and active.
| [in] | Cr3 | The user CR3 value. |
Definition at line 919 of file lixprocess.c.
Referenced by IntGetGprs(), and IntLixTaskFindByCr3().
|
static |
Returns the introcore options related to user mode protection.
| [in] | Process | The Linux process. (currently ignored) |
Definition at line 124 of file lixprocess.h.
Referenced by IntLixProcPolicyIsBeta(), IntLixProcPolicyIsFeedback(), and IntPolicyGetProcProt().
|
static |
Verifies whether a specific process protection flag is in beta mode or not for a Linux process.
| [in] | Process | The Linux process. |
| [in] | Flag | The process protection flag. |
Definition at line 141 of file lixprocess.h.
Referenced by IntPolicyProcIsBeta().
|
static |
Verifies whether a specific process protection flag is in feedback only mode or not for a Linux process.
| [in] | Process | The Linux process. |
| [in] | Flag | The process protection flag. |
Definition at line 161 of file lixprocess.h.
Referenced by IntPolicyProcIsFeedback().
| void IntLixProcUpdateProtectedProcess | ( | const void * | Name, |
| const CAMI_STRING_ENCODING | Encoding, | ||
| const CAMI_PROT_OPTIONS * | Options | ||
| ) |
Updates the protection flags for Linux tasks that should be protected based on options received via CAMI.
| [in] | Name | The name (or glob pattern) of the task to be protected whose options should be patched. |
| [in] | Encoding | The encoding type of the Name string parameter. Currently only CAMI_STRING_ENCODING_UTF8 are supported for Linux tasks. |
| [in] | Options | The CAMI_PROT_OPTIONS which should by applied for processes matching the supplied Name. |
Definition at line 1173 of file lixprocess.c.
Referenced by IntCamiUpdateProcessProtectionItems().
Creates and adds a Linux process in the internal list.
| [in] | TaskGva | The guest virtual address of the "task_struct" kernel object. |
| [in] | StaticDetected | A value greater than 0 suggest that the process was static detected. |
Definition at line 3996 of file lixprocess.c.
Referenced by IntLixGuestInitAgentCompletion(), and IntLixTaskHandleFork().
Adds a protected process name pattern.
| [in] | ProcessName | The process name pattern. |
| [in] | ProtectionMask | The protection flags set for this process. |
| [in] | Context | The context provided by the integrator. |
Definition at line 4334 of file lixprocess.c.
Referenced by IntAddRemoveProtectedProcessUtf8().
| void IntLixTaskDump | ( | void | ) |
Dumps the process list.
Definition at line 4797 of file lixprocess.c.
Referenced by DbgDumpProcesses().
| void IntLixTaskDumpAsTree | ( | void | ) |
Dump the process tree.
Definition at line 4784 of file lixprocess.c.
| void IntLixTaskDumpProtected | ( | void | ) |
Dumps the list with processes that Introcore should protect.
Definition at line 4869 of file lixprocess.c.
Referenced by DbgProcList().
| LIX_TASK_OBJECT* IntLixTaskFindByCr3 | ( | QWORD | Cr3 | ) |
Finds the Linux process having the provided Cr3.
| [in] | Cr3 | The CR3 value. |
Definition at line 942 of file lixprocess.c.
Referenced by IntDecDecodeInstructionAtRipWithCache(), IntLixAgentHandleUserVmcall(), and IntLixCmdLineSendViolationEvent().
| LIX_TASK_OBJECT* IntLixTaskFindByGva | ( | QWORD | TaskStruct | ) |
Finds Linux process with the provided "task_struct" guest virtual address.
| [in] | TaskStruct | The guest virtual address of the "task_struct". |
Definition at line 1025 of file lixprocess.c.
Referenced by IntExceptKernelLogLinuxInformation(), IntExceptUserLogLinuxInformation(), IntLixCmdLineInspect(), IntLixCommitCredsHandle(), IntLixCrashHandle(), IntLixTaskAdd(), IntLixTaskCreateFromBinprm(), IntLixTaskGetCurrent(), IntLixTaskHandleDoExit(), IntLixTaskHandleExec(), IntLixTaskSendTaskEvent(), IntSerializeLixUmOriginator(), and IntSerializeLixUmVictim().
| LIX_TASK_OBJECT* IntLixTaskFindByMm | ( | QWORD | MmGva | ) |
Finds the Linux process having the provided mm guest virtual address.
| [in] | MmGva | The guest virtual address of a mm struct. |
Definition at line 999 of file lixprocess.c.
Referenced by IntLixAccessRemoteVmHandler(), IntLixVmaAdjust(), IntLixVmaChangeProtection(), IntLixVmaExpandDownwards(), IntLixVmaInsert(), and IntLixVmaRemove().
| LIX_TASK_OBJECT* IntLixTaskFindByPid | ( | DWORD | Pid | ) |
Finds the Linux process having the provided PID.
| [in] | Pid | The task PID. |
Definition at line 1051 of file lixprocess.c.
Referenced by IntLixTaskAdd(), IntLixTaskCreate(), and IntLixVdsoDynamicProtectRelocate().
Returns a string with the command lines of all active agents.
| [out] | CommandLine | Will contain, upon successful return, the agents command lines. |
| [in] | Length | The size of the CommandLine parameter. |
Definition at line 4525 of file lixprocess.c.
Referenced by IntLixDepGetInternalArgs().
| LIX_TASK_OBJECT* IntLixTaskGetCurrent | ( | DWORD | CpuNumber | ) |
Finds the task that is currently running on the given CPU.
This function will read the value of "current_task" from the per-cpu memory region and will return the LIX_TASK_OBJECT corresponding to the read value. Even though at any given time there will be a task running on a CPU, it is not guaranteed that there is a LIX_TASK_OBJECT associated to it. (e.g. idle tasks)
| [in] | CpuNumber | The CPU number. |
Definition at line 858 of file lixprocess.c.
Referenced by IntAlertFillLixCurrentProcess(), IntExceptGetVictimEpt(), IntExceptKernelLogLinuxInformation(), IntLixAccessRemoteVmHandler(), IntLixVdsoHandleUserModeWrite(), and IntThrSafeLixGetCurrentStack().
Reads the guest virtual address of the task currently running on a CPU.
| [in] | CpuNumber | The CPU number. |
| [out] | TaskStruct | Will contain, upon successful return, the guest virtual address of the task currently running on the given CPU. |
Definition at line 795 of file lixprocess.c.
Referenced by IntLixTaskGetCurrent(), IntLixTaskHandleInjection(), and IntThrSafeInspectRunningThreads().
| DWORD IntLixTaskGetExecCount | ( | void | ) |
Returns the number of processes that have performed an exec.
Definition at line 1077 of file lixprocess.c.
Referenced by IntLixDrvIterateList().
| INTSTATUS IntLixTaskGetTrapFrame | ( | const LIX_TASK_OBJECT * | Task, |
| LIX_TRAP_FRAME * | TrapFrame | ||
| ) |
Retrieves the trap frame for a Linux task.
The kernel implementation for this function is the following:
#define task_pt_regs(task) ({ unsigned long __ptr = (unsigned long)task_stack_page(task); __ptr += THREAD_SIZE - TOP_OF_KERNEL_STACK_PADDING; ((struct pt_regs *)__ptr) - 1; })
Note: On x86_64 configurations TOP_OF_KERNEL_STACK_PADDING is zero so it can be ignored.
| [in] | Task | The Linux task. |
| [out] | TrapFrame | Upon successful return will be filled with with the trap frame of the supplied task. |
Definition at line 1098 of file lixprocess.c.
Referenced by IntLixCredAnalyzeStack(), IntLixStackDumpUmStackTrace(), IntLixTaskGetUserStack(), and IntLixTaskSendExceptionEvent().
| INTSTATUS IntLixTaskGetUserStack | ( | LIX_TASK_OBJECT * | Task, |
| QWORD * | StackPointer, | ||
| QWORD * | StackBase, | ||
| QWORD * | StackLimit | ||
| ) |
Finds the user mode stack limits for a Linux process.
| [in] | Task | The Linux process. |
| [out] | StackPointer | Will contain, upon successful return, the user mode RSP value. |
| [out] | StackBase | Will contain, upon successful return, the user mode stack base. |
| [out] | StackLimit | Will contain, upon successful return, the user mode stack limit. |
Definition at line 2044 of file lixprocess.c.
Referenced by IntLixTaskCreate(), IntLixValidateExecStack(), and IntLixVmaHandlePageExecution().
| BOOLEAN IntLixTaskGuestTerminating | ( | void | ) |
Check whether the guest OS is terminating or not.
This function will firstly attempt to compare the "system_state" kernel variable with the "Running" value. Linux documentation tells us that any state value greater than running means the system is either going down or it's suspending/hibernating. However, is some cases we may not be able to access the "system_state" and we apply the following heuristic to determine if the guest is shutting down:
Definition at line 4923 of file lixprocess.c.
Referenced by IntLixGuestDeployUninitAgent().
| INTSTATUS IntLixTaskHandleDoExit | ( | void * | Detour | ) |
Handles the exit() system call.
| [in] | Detour | Unused. |
Definition at line 3481 of file lixprocess.c.
| INTSTATUS IntLixTaskHandleExec | ( | void * | Detour | ) |
Handles the exec() system call of a linux process.
| [in] | Detour | Unused. |
Definition at line 2947 of file lixprocess.c.
| INTSTATUS IntLixTaskHandleFork | ( | void * | Detour | ) |
Handles the fork() system call performed by a linux process.
| [in] | Detour | Unused. |
Definition at line 3179 of file lixprocess.c.
| INTSTATUS IntLixTaskHandlePtrace | ( | void * | Detour | ) |
Handles the ptrace() system call.
This function will deny any ptrace() request that may taint a process which is being protected. The currently handled requests are PTRACE_POKE* and PTRACE_SET*REGS.
| [in] | Detour | Unused. |
Definition at line 3423 of file lixprocess.c.
| INTSTATUS IntLixTaskHandleVmRw | ( | void * | Detour | ) |
Handles the process_vm_writev() system call.
This function will deny any foreign memory writes attempted into a protected process. Note:Even though the detoured function is "process_vm_rw_core" which handles both reads and writes inside the memory space of another process, this function assumes the code that is detouring this function will filter the actions and will perform the hypercall only when a write is attempted.
| [in] | Detour | Unused. |
Definition at line 3381 of file lixprocess.c.
| INTSTATUS IntLixTaskIsUserStackPivoted | ( | LIX_TASK_OBJECT * | Task, |
| QWORD | Ptr, | ||
| BOOLEAN * | IsPivoted | ||
| ) |
Verifies whether the stack of a Linux process is pivoted or not.
| [in] | Task | The Linux process. |
| [in] | Ptr | The current RSP value. |
| [out] | IsPivoted | Upon successful return, will be set to TRUE if the stack is pivoted, FALSE otherwise. |
Definition at line 2795 of file lixprocess.c.
Referenced by IntLixValidateExecStack().
| INTSTATUS IntLixTaskIterateGuestTasks | ( | PFUNC_IterateListCallback | Callback, |
| QWORD | Aux | ||
| ) |
Iterates the guest process list and calls the provided callback for each process and thread found.
| [in] | Callback | The callback that should be called for each task. |
| [in] | Aux | Context that will be sent as a parameter to the provided callback. |
Definition at line 3799 of file lixprocess.c.
Referenced by IntLixGuestInitAgentCompletion(), and IntThrSafeCheckThreads().
| INTSTATUS IntLixTaskIterateTasks | ( | PFUNC_LixTaskIterateTasks | Callback | ) |
Call the Callback parameter for each task saved internally.
| [in] | Callback | The callback to be called for each task. |
Definition at line 4892 of file lixprocess.c.
Referenced by IntLixNetSendGuestConnections().
| LIX_TASK_OBJECT* IntLixTaskProtFindByMm | ( | QWORD | MmGva | ) |
Finds the protected Linux process having the provided mm guest virtual address.
| [in] | MmGva | The guest virtual address of a mm struct. |
Definition at line 974 of file lixprocess.c.
| INTSTATUS IntLixTaskRemoveProtected | ( | const char * | ProcessName | ) |
Removes a pattern of processes to be protected.
| [in] | ProcessName | The process pattern. |
Definition at line 4439 of file lixprocess.c.
Referenced by IntAddRemoveProtectedProcessUtf8().
| void IntLixTaskUninit | ( | void | ) |
Uninitializes the Linux process subsystem.
Definition at line 4570 of file lixprocess.c.
Referenced by IntLixGuestUninit().
| void IntLixTaskUpdateProtection | ( | void | ) |
Adjusts protection for all active Linux processes.
Definition at line 4495 of file lixprocess.c.
Referenced by IntCamiSetProcProtOptions(), and IntGuestUpdateCoreOptions().
1.8.13