doxygen/html/memcloak_8h_source.html

 /*
  * Copyright (c) 2020 Bitdefender
  * SPDX-License-Identifier: Apache-2.0
  */
 #ifndef _MEMCLOAK_H_
 #define _MEMCLOAK_H_


 #include "introtypes.h"

 typedef INTSTATUS (*PFUNC_IntMemCloakWriteHandle)(
     _In_ void *Hook,
     _In_ QWORD Address,
     _In_ QWORD RegionVirtualAddress,
     _In_ void *CloakHandle,
     _Out_ INTRO_ACTION *Action);

 typedef enum
 {
     MEMCLOAK_OPT_ALLOW_INTERNAL = 0x00000001,
     MEMCLOAK_OPT_APPLY_PATCH = 0x00000002,
 } MEMCLOAK_OPTIONS;


 //
 // API
 //
 INTSTATUS
 IntMemClkCloakRegion(
     _In_ QWORD VirtualAddress,
     _In_ QWORD Cr3,
     _In_ DWORD Size,
     _In_ DWORD Options,
     _In_opt_ PBYTE OriginalData,
     _In_opt_ PBYTE PatchedData,
     _In_opt_ PFUNC_IntMemCloakWriteHandle WriteHandler,
     _Out_ void **CloakHandle
     );

 INTSTATUS
 IntMemClkModifyOriginalData(
     _In_ void *CloakHandle,
     _In_ DWORD Offset,
     _In_ DWORD Size,
     _In_ void *Data
     );

 INTSTATUS
 IntMemClkModifyPatchedData(
     _In_ void *CloakHandle,
     _In_ DWORD Offset,
     _In_ DWORD Size,
     _In_opt_ const void *Data
     );

 INTSTATUS
 IntMemClkUncloakRegion(
     _In_ void *CloakHandle,
     _In_ DWORD Options
     );

 INTSTATUS
 IntMemClkHashRegion(
     _In_ QWORD VirtualAddress,
     _In_ QWORD PhysicalAddress,
     _In_ DWORD Size,
     _Out_ DWORD *Crc32
     );

 BOOLEAN
 IntMemClkIsPtrInCloak(
     _In_ const void *Cloak,
     _In_ QWORD Ptr
     );

 INTSTATUS
 IntMemClkGetOriginalData(
     _In_ void *CloakHandle,
     _Out_ BYTE **OriginalData,
     _Out_ DWORD *Length
     );

 INTSTATUS
 IntMemClkUnInit(
     void
     );

 void
 IntMemClkDump(
     void
     );


 #endif // _MEMCLOAK_H_
_In_opt_
#define _In_opt_
Definition: intro_sal.h:16

BOOLEAN
_Bool BOOLEAN
Definition: intro_types.h:58

_Out_
#define _Out_
Definition: intro_sal.h:22

_LIX_TASK_OBJECT::Cr3
QWORD Cr3
The CR3 for this process.
Definition: lixprocess.h:70

BYTE
uint8_t BYTE
Definition: intro_types.h:47

_In_
#define _In_
Definition: intro_sal.h:21

PFUNC_IntMemCloakWriteHandle
INTSTATUS(* PFUNC_IntMemCloakWriteHandle)(void *Hook, QWORD Address, QWORD RegionVirtualAddress, void *CloakHandle, INTRO_ACTION *Action)
The type of custom write handlers that can be used by cloak regions.
Definition: memcloak.h:41

IntMemClkModifyPatchedData
INTSTATUS IntMemClkModifyPatchedData(void *CloakHandle, DWORD Offset, DWORD Size, const void *Data)
Modifies the patched data inside the guest memory.
Definition: memcloak.c:795

IntMemClkIsPtrInCloak
BOOLEAN IntMemClkIsPtrInCloak(const void *Cloak, QWORD Ptr)
Checks if a guest virtual address is located inside a cloak region.
Definition: memcloak.c:1089

INTSTATUS
int INTSTATUS
The status data type.
Definition: introstatus.h:24

IntMemClkUnInit
INTSTATUS IntMemClkUnInit(void)
Uninits the memory cloak subsystem.
Definition: memcloak.c:1169

MEMCLOAK_OPT_APPLY_PATCH
Will write the contents of the patched data inside the guest.
Definition: memcloak.h:54

MEMCLOAK_OPT_ALLOW_INTERNAL
Allows the code inside the region to modify the region.
Definition: memcloak.h:53

introtypes.h

PBYTE
uint8_t * PBYTE
Definition: intro_types.h:47

IntMemClkGetOriginalData
INTSTATUS IntMemClkGetOriginalData(void *CloakHandle, BYTE **OriginalData, DWORD *Length)
Returns the original data of a cloaked region.
Definition: memcloak.c:1121

QWORD
unsigned long long QWORD
Definition: intro_types.h:53

IntMemClkModifyOriginalData
INTSTATUS IntMemClkModifyOriginalData(void *CloakHandle, DWORD Offset, DWORD Size, void *Data)
Modifies the internal copy of the original data buffer held by a cloak region.
Definition: memcloak.c:734

IntMemClkCloakRegion
INTSTATUS IntMemClkCloakRegion(QWORD VirtualAddress, QWORD Cr3, DWORD Size, DWORD Options, PBYTE OriginalData, PBYTE PatchedData, PFUNC_IntMemCloakWriteHandle WriteHandler, void **CloakHandle)
Hides a memory zone from the guest.
Definition: memcloak.c:548

IntMemClkDump
void IntMemClkDump(void)
Dumps all the active cloak regions.
Definition: memcloak.c:1218

DWORD
uint32_t DWORD
Definition: intro_types.h:49

INTRO_ACTION
enum _INTRO_ACTION INTRO_ACTION
Event actions.

IntMemClkUncloakRegion
INTSTATUS IntMemClkUncloakRegion(void *CloakHandle, DWORD Options)
Removes a cloak region, making the original memory contents available again to the guest...
Definition: memcloak.c:970

IntMemClkHashRegion
INTSTATUS IntMemClkHashRegion(QWORD VirtualAddress, QWORD PhysicalAddress, DWORD Size, DWORD *Crc32)
Hashes the contents of a cloaked memory page.
Definition: memcloak.c:1005

MEMCLOAK_OPTIONS
MEMCLOAK_OPTIONS
Options that control the way a cloaked memory region is handled.
Definition: memcloak.h:51