- Generated by
1.8.13
|
Bitdefender Hypervisor Memory Introspection
|
#include "thread_safeness.h"Go to the source code of this file.
Functions | |
| INTSTATUS | IntPtiHandleInt3 (void) |
| This function is the main INT3 handler. More... | |
| void | IntPtiDumpStats (void) |
| Dump PT filtering statistics. More... | |
| BOOLEAN | IntPtiIsPtrInAgent (QWORD Ptr, THS_PTR_TYPE Type) |
| Check if an address points inside the PT filter. Ignore non-executable sections when doing so. More... | |
| INTSTATUS | IntPtiCacheRemove (QWORD Gpa) |
| Remove a guest physical page from the PT filter cache. More... | |
| INTSTATUS | IntPtiCacheAdd (QWORD Gpa) |
| Add a guest-physical address to the PT filter cache of entries for which an exit is not required. More... | |
| INTSTATUS | IntPtiInjectPtFilter (void) |
| Inject the PT filter inside the guest. More... | |
| INTSTATUS | IntPtiRemovePtFilter (DWORD AgOpts) |
| Removes the PT filter. More... | |
| QWORD | IntPtiGetAgentAddress (void) |
| Get the guest virtual address where the PT filter resides. More... | |
| QWORD | IntPtiAllocMemtableSpace (QWORD Rip, DWORD Size) |
| Allocate space for a mem-table. More... | |
| void | IntPtiHandleGuestResumeFromSleep (void) |
| Sets PtFilterWaiting to true if PT filtering was enabled, or to false otherwise. More... | |
| INTSTATUS | IntPtiRemoveInstruction (QWORD Rip) |
| Remove the hook on a monitored instruction. More... | |
Allocate space for a mem-table.
Instrumenting so many instructions has a great disadvantage: there are high chances that we will hit pages that contain switch-case clauses. Since we monitor all pages that are modified by Introcore against reads, this will lead to a very high number of mem-tables that must be relocated. Since the slack space size is quite small, we cannot relocate all these instructions inside this slack space; instead, we make use of the PT filter itself - we reserved a large section specially for these mem-tables, which will be relocated inside the PT filter space, instead of the NT slack space.
| [in] | Rip | Rip of the instruction to be relocated using mem-tables. |
| [in] | Size | Size required. |
| A | guest virtual address pointing inside a section of the PT filter, which can be used by mem-tables. |
Definition at line 1988 of file ptfilter.c.
Referenced by IntMtblPatchInstruction().
Add a guest-physical address to the PT filter cache of entries for which an exit is not required.
This function updates the PT filter cache by adding the designated value to it. The cache is used by the PT filter to know which guest-physical addresses are not hooked, and, therefore, it needs not to generate a VM exit.
| [in] | Gpa | The guest physical address to be added to the cache. Low 12 bits are ignored. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_NEEDED_HINT | If the PT filter is not initialized. |
Definition at line 1912 of file ptfilter.c.
Referenced by IntDispatchPtAsEpt().
Remove a guest physical page from the PT filter cache.
This function removes a guest physical page from the PT filter cache. Removing an entry is required, for example, when hooking it for the first time.
| [in] | Gpa | The guest physical address to be removed from the PT filter cache. Low 12 bits are ignored. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_NEEDED_HINT | If the PT filter is not initialized. |
Definition at line 1863 of file ptfilter.c.
Referenced by IntHookGpaSetHook().
| void IntPtiDumpStats | ( | void | ) |
Dump PT filtering statistics.
Definition at line 907 of file ptfilter.c.
| QWORD IntPtiGetAgentAddress | ( | void | ) |
Get the guest virtual address where the PT filter resides.
| The | guest virtual address where the PT filter resides. |
Definition at line 1974 of file ptfilter.c.
Referenced by IntMtblCheckAccess(), and IntWinAgentHandleDriverVmcall().
| void IntPtiHandleGuestResumeFromSleep | ( | void | ) |
Sets PtFilterWaiting to true if PT filtering was enabled, or to false otherwise.
Definition at line 2064 of file ptfilter.c.
Referenced by IntNotifyGuestPowerStateChange().
| INTSTATUS IntPtiHandleInt3 | ( | void | ) |
This function is the main INT3 handler.
This function simply searches for the instruction that has been monitored at the current RIP, and calls the inspection function on it, IntPtiInspectInstruction.
| INT_STATUS_NOT_FOUND | If an instruction has not been monitored at current RIP. |
| INT_STATUS_NO_DETOUR_EMU | If an instruction was found. |
Definition at line 859 of file ptfilter.c.
Referenced by IntHandleBreakpoint(), and IntHandleEptViolation().
| INTSTATUS IntPtiInjectPtFilter | ( | void | ) |
Inject the PT filter inside the guest.
This function will initiate the PT filter injection. NOTE: If this function return success, it does not necessarily means that the PT filter has been successfully injected, it just means that it has been successfully scheduled for injection.
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_INITIALIZED | If Introcore is preparing to unload. |
| INT_STATUS_NOT_NEEDED_HINT | If the OS is not 64 bit Windows RS4 or newer. |
| INT_STATUS_ALREADY_INITIALIZED_HINT | If the PT filter ha been already injected. |
Definition at line 1676 of file ptfilter.c.
Referenced by IntGuestPreReturnCallback(), IntGuestUpdateCoreOptions(), IntVeCompleteLoader(), and IntWinProcCreateProcessObject().
| BOOLEAN IntPtiIsPtrInAgent | ( | QWORD | Ptr, |
| THS_PTR_TYPE | Type | ||
| ) |
Check if an address points inside the PT filter. Ignore non-executable sections when doing so.
| [in] | Ptr | The pointer. |
| [in] | Type | Live RIP or stack value. |
| True | if Ptr points inside the PT filter, false otherwise. |
Definition at line 1813 of file ptfilter.c.
Referenced by IntHandleIntroCall(), IntThrSafeIsLiveRIPInIntro(), and IntThrSafeIsStackPtrInIntro().
Remove the hook on a monitored instruction.
| [in] | Rip | The RIP of the instruction to be removed. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_FOUND | If PT monitoring is not enabled. |
Definition at line 792 of file ptfilter.c.
Referenced by IntHandleIntroCall().
Removes the PT filter.
This function will initiate the PT filter unloading procedure. Once this is done, all monitored instructions will be reverted to their original values. NOTE: If this function return success, it does not necessarily means that the PT filter has been successfully removed, it just means that it has been successfully scheduled for removal.
| [in] | AgOpts | Agent options, passed to the IntWinAgentInject function. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_NEEDED_HINT | If the PT filter was not previously injected inside the guest. |
Definition at line 1736 of file ptfilter.c.
Referenced by IntGuestUpdateCoreOptions(), and IntWinPowHandleEventCommon().
1.8.13