Bitdefender Hypervisor Memory Introspection
msr_protection.c File Reference
#include "msr_protection.h"
#include "alerts.h"
#include "guests.h"
#include "hook_msr.h"


Functions

static INTSTATUS IntWinMsrSendAlert (PEXCEPTION_VICTIM_ZONE Victim, PEXCEPTION_KM_ORIGINATOR Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason)
 Send an MSR alert.

static INTSTATUS IntLixMsrHandleWrite (DWORD Msr, DWORD Flags, INTRO_ACTION *Action, void *Context, QWORD OriginalValue, const QWORD *NewValue)
 Handles a model specific register write attempt done by a Linux guest.

static INTSTATUS IntWinMsrHandleWrite (DWORD Msr, DWORD Flags, INTRO_ACTION *Action, void *Context, QWORD OriginalValue, const QWORD *NewValue)
 Handles a model specific register write attempt done by a Windows guest.

INTSTATUS IntMsrSyscallProtect (void)
 Enable protection for all SYSCALL and SYSENTER MSRs.

INTSTATUS IntMsrSyscallUnprotect (void)
 Remove protection from all protected MSRs.


Variables

static BOOLEAN gMsrHookSet
 True if the SYSCALL/SYSENTER MSRs are protected.

static void * gSysenterEipHook
 IA32_SYSENTER_EIP hook.

static void * gSysenterEspHook
 IA32_SYSENTER_ESP hook.

static void * gSysenterCsHook
 IA32_SYSENTER_CS hook.

static void * gSyscallLstarHook
 IA32_LSTAR hook.

static void * gSyscallStarHook
 IA32_STAR hook.


Function Documentation

◆ IntLixMsrHandleWrite()

static INTSTATUS IntLixMsrHandleWrite (DWORD Msr, DWORD Flags, INTRO_ACTION *Action, void *Context, QWORD OriginalValue, const QWORD *NewValue)

Handles a model specific register write attempt done by a Linux guest.

Analyzes the write and decides whether it is malicious. If the attempt is deemed malicious, Introcore sends an alert, unless an exception matches this write.

Parameters
[in]  Msr            The written MSR.
[in]  Flags          Access flags.
[out] Action         The action that must be taken.
[in]  Context        Unused.
[in]  OriginalValue  The old, original value of the register. If the write is blocked, the register keeps this value.
[in]  NewValue       The written value.
Return values
INT_STATUS_SUCCESS            On success.
INT_STATUS_INVALID_PARAMETER  If an invalid parameter is supplied.

Definition at line 74 of file msr_protection.c.

Referenced by IntMsrSyscallProtect().

◆ IntMsrSyscallProtect()

INTSTATUS IntMsrSyscallProtect (void)

Enable protection for all SYSCALL and SYSENTER MSRs.

Return values
INT_STATUS_SUCCESS                   On success.
INT_STATUS_ALREADY_INITIALIZED_HINT  If the MSR hooks have already been set.

Definition at line 334 of file msr_protection.c.

Referenced by IntGuestUpdateCoreOptions(), IntLixGuestActivateProtection(), and IntWinGuestActivateProtection().

◆ IntMsrSyscallUnprotect()

INTSTATUS IntMsrSyscallUnprotect (void)

Remove protection from all protected MSRs.

Return values
INT_STATUS_SUCCESS          On success.
INT_STATUS_NOT_NEEDED_HINT  If the MSRs have not been hooked yet.

Definition at line 427 of file msr_protection.c.

Referenced by IntGuestUpdateCoreOptions().

◆ IntWinMsrHandleWrite()

static INTSTATUS IntWinMsrHandleWrite (DWORD Msr, DWORD Flags, INTRO_ACTION *Action, void *Context, QWORD OriginalValue, const QWORD *NewValue)

Handles a model specific register write attempt done by a Windows guest.

Analyzes the write and decides whether it is malicious. If the attempt is deemed malicious, Introcore sends an alert, unless an exception matches this write.

Parameters
[in]  Msr            The written MSR.
[in]  Flags          Access flags.
[out] Action         The action that must be taken.
[in]  Context        Unused.
[in]  OriginalValue  The old, original value of the register. If the write is blocked, the register keeps this value.
[in]  NewValue       The written value.
Return values
INT_STATUS_SUCCESS            On success.
INT_STATUS_INVALID_PARAMETER  If an invalid parameter is supplied.

Definition at line 219 of file msr_protection.c.

Referenced by IntMsrSyscallProtect().

◆ IntWinMsrSendAlert()

static INTSTATUS IntWinMsrSendAlert (PEXCEPTION_VICTIM_ZONE Victim, PEXCEPTION_KM_ORIGINATOR Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason)

Send an MSR alert.

This sends an introEventMsrViolation event to the integrator. These alerts are controlled by the INTRO_OPT_ENABLE_MSR_PROTECTION option.

Parameters
[in] Victim      The victim zone, which identifies the written MSR.
[in] Originator  The originator (attacker) of the write that modified the MSR.
[in] Action      The desired action.
[in] Reason      The action reason.
Return values
INT_STATUS_SUCCESS  On success.

Definition at line 20 of file msr_protection.c.

Referenced by IntWinMsrHandleWrite().
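The functions above describe the write-hook flow for the SYSCALL/SYSENTER MSRs (Int*MsrHandleWrite, IntMsrSyscallProtect/Unprotect, IntWinMsrSendAlert) without showing it end to end. The following C program is an added example written for this page; it is not HVMI's code and it only mirrors the shapes documented here. Everything else is an assumption of the example: the decision policy (an entry-point MSR such as IA32_LSTAR or IA32_SYSENTER_EIP may only point into the guest kernel image; the other protected MSRs must not change once programmed), the exception list, the kernel image range, the initial register contents and the numeric values of the stand-in status codes. The MSR indices themselves are the architectural ones.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Architectural MSR indices (Intel SDM). */
#define IA32_SYSENTER_CS  0x174u
#define IA32_SYSENTER_ESP 0x175u
#define IA32_SYSENTER_EIP 0x176u
#define IA32_STAR         0xC0000081u
#define IA32_LSTAR        0xC0000082u

/* Stand-ins for Introcore's INTRO_ACTION and INTSTATUS values (hypothetical numbering). */
typedef enum { ACTION_ALLOW = 0, ACTION_BLOCK = 1 } intro_action_t;
enum { STATUS_SUCCESS = 0, STATUS_INVALID_PARAMETER = -1,
       STATUS_ALREADY_INITIALIZED_HINT = 1, STATUS_NOT_NEEDED_HINT = 2 };

/* Constructed guest kernel image range; a real engine takes this from the guest's kernel layout. */
static const uint64_t kKernelBase = 0xFFFFFFFF80000000ull;
static const uint64_t kKernelSize = 0x01000000ull;

/* One protected MSR: its index, the value the guest currently sees, and whether a hook is set. */
typedef struct { uint32_t msr; uint64_t value; bool hooked; } msr_slot_t;

/* Constructed initial register contents, as a freshly booted guest might have programmed them. */
static msr_slot_t g_slots[] = {
    { IA32_SYSENTER_CS,  0x10,                  false },
    { IA32_SYSENTER_ESP, 0xFFFFFFFF80FF0000ull, false },
    { IA32_SYSENTER_EIP, 0xFFFFFFFF80001100ull, false },
    { IA32_STAR,         0x0023001000000000ull, false },
    { IA32_LSTAR,        0xFFFFFFFF80001000ull, false },
};
#define NSLOTS (sizeof g_slots / sizeof g_slots[0])

static bool g_hook_set;   /* counterpart of the page's gMsrHookSet */
static int  g_alerts;     /* number of MSR violation alerts emitted */

/* Constructed exception list: (MSR, value) pairs tolerated without an alert. */
typedef struct { uint32_t msr; uint64_t value; } msr_exception_t;
static const msr_exception_t g_exceptions[] = {
    { IA32_LSTAR, 0xFFFFC00000001000ull },   /* e.g. a vetted hooking driver's entry stub */
};

static msr_slot_t *find_slot(uint32_t msr) {
    for (size_t i = 0; i < NSLOTS; i++) if (g_slots[i].msr == msr) return &g_slots[i];
    return NULL;
}

static bool in_kernel_image(uint64_t va) {
    return va >= kKernelBase && va - kKernelBase < kKernelSize;
}

static bool exception_matches(uint32_t msr, uint64_t value) {
    for (size_t i = 0; i < sizeof g_exceptions / sizeof g_exceptions[0]; i++)
        if (g_exceptions[i].msr == msr && g_exceptions[i].value == value) return true;
    return false;
}

/* Stand-in for IntWinMsrSendAlert: counts and logs instead of sending an event to an integrator. */
static void send_alert(uint32_t msr, uint64_t old_value, uint64_t new_value) {
    g_alerts++;
    printf("MSR violation: msr=0x%x old=0x%llx new=0x%llx (blocked)\n",
           msr, (unsigned long long)old_value, (unsigned long long)new_value);
}

/* Write handler in the shape of Int*MsrHandleWrite. Policy (assumed, not HVMI's): entry-point
 * MSRs may only point into the kernel image; other protected MSRs must not change once set.
 * A malicious write is allowed silently if an exception matches it, else blocked with an alert. */
int msr_handle_write(uint32_t msr, intro_action_t *action, uint64_t original, const uint64_t *new_value) {
    if (!action || !new_value) return STATUS_INVALID_PARAMETER;
    bool malicious;
    if (msr == IA32_SYSENTER_EIP || msr == IA32_LSTAR)
        malicious = !in_kernel_image(*new_value);
    else
        malicious = (original != 0 && *new_value != original);
    *action = ACTION_ALLOW;
    if (malicious && !exception_matches(msr, *new_value)) {
        *action = ACTION_BLOCK;
        send_alert(msr, original, *new_value);
    }
    return STATUS_SUCCESS;
}

/* Simulated guest WRMSR: the hook runs first, and a blocked write leaves the original value.
 * Returns the action taken, or STATUS_INVALID_PARAMETER for an unknown MSR. */
int msr_write(uint32_t msr, uint64_t new_value) {
    msr_slot_t *s = find_slot(msr);
    if (!s) return STATUS_INVALID_PARAMETER;
    intro_action_t action = ACTION_ALLOW;
    if (s->hooked && msr_handle_write(msr, &action, s->value, &new_value) != STATUS_SUCCESS)
        return STATUS_INVALID_PARAMETER;
    if (action == ACTION_ALLOW) s->value = new_value;
    return action;
}

uint64_t msr_read(uint32_t msr) { msr_slot_t *s = find_slot(msr); return s ? s->value : 0; }
int msr_alert_count(void) { return g_alerts; }

/* Counterparts of IntMsrSyscallProtect / IntMsrSyscallUnprotect: guarded by the hook-set flag
 * so that a second call is a no-op reported through a hint status rather than a double hook. */
int msr_syscall_protect(void) {
    if (g_hook_set) return STATUS_ALREADY_INITIALIZED_HINT;
    for (size_t i = 0; i < NSLOTS; i++) g_slots[i].hooked = true;
    g_hook_set = true;
    return STATUS_SUCCESS;
}
int msr_syscall_unprotect(void) {
    if (!g_hook_set) return STATUS_NOT_NEEDED_HINT;
    for (size_t i = 0; i < NSLOTS; i++) g_slots[i].hooked = false;
    g_hook_set = false;
    return STATUS_SUCCESS;
}
```

The point to notice is the ordering in msr_write: the handler runs before the register is updated, so a blocked write never becomes visible to the guest and OriginalValue is what the register keeps, exactly as the parameter descriptions above state. Once the hooks are removed, the same out-of-image LSTAR write goes through unchallenged, which is why IntMsrSyscallUnprotect is only reachable through a core-options update rather than from guest-controlled paths.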

Variable Documentation

◆ gMsrHookSet

static BOOLEAN gMsrHookSet

True if the SYSCALL/SYSENTER MSRs are protected.

Definition at line 11 of file msr_protection.c.

Referenced by IntMsrSyscallProtect(), and IntMsrSyscallUnprotect().

◆ gSyscallLstarHook

static void * gSyscallLstarHook

IA32_LSTAR hook.

Definition at line 15 of file msr_protection.c.

Referenced by IntMsrSyscallProtect(), and IntMsrSyscallUnprotect().

◆ gSyscallStarHook

static void * gSyscallStarHook

IA32_STAR hook.

Definition at line 16 of file msr_protection.c.

Referenced by IntMsrSyscallProtect(), and IntMsrSyscallUnprotect().

◆ gSysenterCsHook

static void * gSysenterCsHook

IA32_SYSENTER_CS hook.

Definition at line 14 of file msr_protection.c.

Referenced by IntMsrSyscallProtect(), and IntMsrSyscallUnprotect().

◆ gSysenterEipHook

static void * gSysenterEipHook

IA32_SYSENTER_EIP hook.

Definition at line 12 of file msr_protection.c.

Referenced by IntMsrSyscallProtect(), and IntMsrSyscallUnprotect().

◆ gSysenterEspHook

static void * gSysenterEspHook

IA32_SYSENTER_ESP hook.

Definition at line 13 of file msr_protection.c.

Referenced by IntMsrSyscallProtect(), and IntMsrSyscallUnprotect().