Bitdefender Hypervisor Memory Introspection
This file handles possibly malicious code executions (sending notifications to the scan engines).

Functions
    static void IntEngCopyArchRegsToIntroGprs (PIG_ARCH_REGS ArchRegs, PINTRO_GPRS IntroGprs)
        Obtains an INTRO_GPRS structure from an IG_ARCH_REGS structure.
    static void IntEngCopyIntroGprsToArchRegs (PINTRO_GPRS IntroGprs, PIG_ARCH_REGS ArchRegs)
        Obtains an IG_ARCH_REGS structure from an INTRO_GPRS structure.
    static INTSTATUS IntEngDumpCodeAndRegs (PENG_NOTIFICATION_CODE_EXEC ExecNotification)
        Dump the malicious code and registers (used when a malicious code execution is detected).
    static INTSTATUS IntEngSendExecViolation (PENG_NOTIFICATION_CODE_EXEC ExecNotification)
        Send an EVENT_ENGINES_DETECTION_VIOLATION event to the integrator (a malicious code execution was detected by the scan engines).
    static INTSTATUS IntEngFillExecDetails (PIG_ARCH_REGS Registers, PENG_NOTIFICATION_CODE_EXEC ExecNotification)
        Fill the execution details inside the ENG_NOTIFICATION_CODE_EXEC structure.
    INTSTATUS IntLixEngExecSendNotification (LIX_TASK_OBJECT *Task, PIG_ARCH_REGS Registers, PINTRO_EXEC_INFO ExecInfo)
        Notify the scan engines about a possible malicious code execution in a Linux guest.
    INTSTATUS IntWinEngExecSendNotification (PWIN_PROCESS_OBJECT Process, PIG_ARCH_REGS Registers, PINTRO_EXEC_INFO ExecInfo)
        Notify the scan engines about a possible malicious code execution in a Windows guest.
    INTSTATUS IntHandleExecCallback (PENG_NOTIFICATION_CODE_EXEC ExecNotification)
        Handle the code execution scan result provided by the engines.
This file handles possibly malicious code executions (sending notifications to the scan engines).
Introcore may request the AV engines to scan a possibly malicious code execution (if its internal logic did not already detect a violation). The scan is asynchronous: the execution data is gathered and sent to the engines, the guest execution resumes, and the scan engines later invoke a callback (IntHandleExecCallback) with their scan result.
Definition in file scan_engines.c.
static void IntEngCopyArchRegsToIntroGprs (PIG_ARCH_REGS ArchRegs, PINTRO_GPRS IntroGprs)
Obtains an INTRO_GPRS structure from an IG_ARCH_REGS structure.
Parameters:
    [in]  ArchRegs   The architecture registers.
    [out] IntroGprs  The general purpose registers.
Definition at line 21 of file scan_engines.c.
Referenced by IntEngFillExecDetails().
static void IntEngCopyIntroGprsToArchRegs (PINTRO_GPRS IntroGprs, PIG_ARCH_REGS ArchRegs)
Obtains an IG_ARCH_REGS structure from an INTRO_GPRS structure.
Parameters:
    [in]  IntroGprs  The general purpose registers.
    [out] ArchRegs   The architecture registers.
Definition at line 56 of file scan_engines.c.
Referenced by IntEngDumpCodeAndRegs().
static INTSTATUS IntEngDumpCodeAndRegs (PENG_NOTIFICATION_CODE_EXEC ExecNotification)
Dump the malicious code and registers (used when a malicious code execution is detected).
When a malicious code execution is detected by the scan engines, this function dumps (logs) the page containing the malicious code and the values of the registers.
Parameters:
    [in]  ExecNotification  The engine execution notification.
Definition at line 91 of file scan_engines.c.
Referenced by IntHandleExecCallback().
static INTSTATUS IntEngFillExecDetails (PIG_ARCH_REGS Registers, PENG_NOTIFICATION_CODE_EXEC ExecNotification)
Fill the execution details inside the ENG_NOTIFICATION_CODE_EXEC structure.
Fills execution details such as the OS type, code32/64 mode and the registers.
Parameters:
    [in]  Registers         The architecture registers.
    [out] ExecNotification  The engine execution notification.
Definition at line 169 of file scan_engines.c.
Referenced by IntLixEngExecSendNotification(), and IntWinEngExecSendNotification().
static INTSTATUS IntEngSendExecViolation (PENG_NOTIFICATION_CODE_EXEC ExecNotification)
Send an EVENT_ENGINES_DETECTION_VIOLATION event to the integrator (a malicious code execution was detected by the scan engines).
Parameters:
    [in]  ExecNotification  The engine execution notification.
Definition at line 120 of file scan_engines.c.
Referenced by IntHandleExecCallback().
INTSTATUS IntHandleExecCallback (PENG_NOTIFICATION_CODE_EXEC ExecNotification)
Handle the code execution scan result provided by the engines.
If the introspection successfully sent a code execution notification to the engines, this callback will be triggered asynchronously. Please note that since the ENG_NOTIFICATION_CODE_EXEC is heap-allocated, this callback must always be invoked (otherwise a memory leak will occur).
Parameters:
    [in]  ExecNotification  The engine notification sent to the integrator from IntWinEngExecSendNotification or IntLixEngExecSendNotification.
Definition at line 371 of file scan_engines.c.
Referenced by IntEnginesResultCallback().
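The asynchronous notify/callback contract described above (fill the details, hand the heap-allocated notification to the engines, resume, and release it only when the verdict comes back), as an added C sketch that is not code from the HVMI project; all type names, the globals and the single-slot engine queue are simplified assumptions:

```c
#include <stdint.h>
#include <stdlib.h>
/* Simplified stand-ins for IG_ARCH_REGS and ENG_NOTIFICATION_CODE_EXEC (assumed shapes). */
typedef struct { uint64_t rip, rsp, rax; int code64; } ARCH_REGS;
typedef struct {
    int is_windows, code64;  /* OS type and code32/64, as IntEngFillExecDetails records */
    ARCH_REGS regs;          /* register snapshot taken at execution time */
    int verdict;             /* set by the engines: 1 = malicious, 0 = clean */
} EXEC_NOTIFICATION;
EXEC_NOTIFICATION *g_pending;  /* single-slot stand-in for the engine queue */
int g_live_notifications;      /* heap notifications not yet freed */
int g_violations_sent;         /* detection-violation events raised */
/* Counterpart of IntEngFillExecDetails: heap-allocate and fill the notification. */
EXEC_NOTIFICATION *fill_exec_details(const ARCH_REGS *regs, int is_windows)
{
    EXEC_NOTIFICATION *n = calloc(1, sizeof(*n));
    if (!n) return NULL;
    n->is_windows = is_windows; n->code64 = regs->code64;
    n->regs = *regs;
    g_live_notifications++;
    return n;
}
/* Counterpart of Int{Win,Lix}EngExecSendNotification: queue and return at once (guest resumes); if queueing fails no callback will ever come, so free here instead. */
int send_exec_notification(EXEC_NOTIFICATION *n)
{
    if (!n) return -1;
    if (g_pending) { free(n); g_live_notifications--; return -1; }
    g_pending = n;
    return 0;
}
int notify_exec(const ARCH_REGS *r, int w) { return send_exec_notification(fill_exec_details(r, w)); }
/* Counterpart of IntHandleExecCallback: act on the verdict, then free unconditionally, since the object is heap-allocated and nobody else will release it. */
int handle_exec_callback(EXEC_NOTIFICATION *n)
{
    int verdict = n->verdict;
    if (verdict) g_violations_sent++;  /* raise EVENT_ENGINES_DETECTION_VIOLATION here */
    free(n);
    g_live_notifications--;
    return verdict;
}
/* Simulated engine side: attach a verdict to the pending scan and invoke the callback. */
int engine_deliver_result(int verdict)
{
    EXEC_NOTIFICATION *n = g_pending;
    if (!n) return -1;
    g_pending = NULL;
    n->verdict = verdict;
    return handle_exec_callback(n);
}
```

The leak counter g_live_notifications returns to zero only because both the failed-send path and the callback path free the notification; dropping either free reproduces the leak the page warns about.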
INTSTATUS IntLixEngExecSendNotification (LIX_TASK_OBJECT *Task, PIG_ARCH_REGS Registers, PINTRO_EXEC_INFO ExecInfo)
Notify the scan engines about a possible malicious code execution in a Linux guest.
If the Introcore internal logic did not consider the code execution to be malicious, the scan engines are notified and will provide a result asynchronously.
Parameters:
    [in]  Task       The Linux task that triggered the execution.
    [in]  Registers  The current state of the CPU registers.
    [in]  ExecInfo   Information about the execution itself.
Definition at line 215 of file scan_engines.c.
Referenced by IntLixVmaHandlePageExecution().
INTSTATUS IntWinEngExecSendNotification (PWIN_PROCESS_OBJECT Process, PIG_ARCH_REGS Registers, PINTRO_EXEC_INFO ExecInfo)
Notify the scan engines about a possible malicious code execution in a Windows guest.
If the Introcore internal logic did not consider the code execution to be malicious, the scan engines are notified and will provide a result asynchronously.
Parameters:
    [in]  Process    The Windows process that triggered the execution.
    [in]  Registers  The current state of the CPU registers.
    [in]  ExecInfo   Information about the execution itself.
Definition at line 293 of file scan_engines.c.
Referenced by IntWinVadIsExecSuspicious().