Bitdefender Hypervisor Memory Introspection
stats.h File Reference
#include "introdefs.h"

Data Structures

struct  _STAT_COUNTER
 A stats counter.
 

Macros

#define STATS_DISABLE_TIMER   1
 
#define STATS_ENTER(id)
 
#define STATS_DISCARD(id)
 
#define STATS_EXIT(id)   IntStatStop(id)
 

Typedefs

typedef enum _STAT_ID STAT_ID
 Stat IDs.
 
typedef QWORD TIMESPEC
 
typedef struct _STAT_COUNTER STAT_COUNTER
 A stats counter.
 
typedef struct _STAT_COUNTER * PSTAT_COUNTER
 

Enumerations

enum  _STAT_ID {
  statsEptViolation = 0, statsEptRead, statsEptWrite, statsEptExecute,
  statsEptKernel, statsEptUser, statsEptDecode, statsEptLookup,
  statsEptHandle, statsEptRMW, statsVmcall, statsCrViolation,
  statsMsrViolation, statsXcrViolation, statsTimer, statsInt3,
  statsDtrViolation, statsEventInjection, statsModuleLoadViolation, statsDeleteRegion,
  statsDeleteGva, statsHookCommit, statsPtWriteProc, statsPtWriteEmu,
  statsPtWriteTotal, statsPtWriteHits, statsPtWriteRelevant, statsExceptionsUser,
  statsExceptionsKern, statsExceptionsGlobMatch, statsUmCrash, statsVasmon,
  statsVadCommitExisting, statsPtsIntegrity, statsPtsFilterInt3, statsPtsFilterVmcall,
  statsPtsFilterInsSearch, statsSwapgsInsSearch, statsSelfMapEntryProtection, statsCopyMemoryTotal,
  statsCopyMemoryRead, statsCopyMemoryWrite, statsCopyMemoryProtectedRead, statsCopyMemoryProtectedWrite,
  statsDepViolation, statsStackTrace32, statsStackTrace64, statsStackTraceSpecialCase,
  statsDpiGatherInfo, statsProcessCreationCheck, statsDpiDebugFlag, statsDpiStackPivot,
  statsDpiStealToken, statsDpiHeapSpray, statsDpiTokenPrivs, statsDpiThreadStart,
  statsNtEatRead, statsTokenWrites, statsTokenChangeCheck, statsTokenSwapCheck,
  statsKmUmWrites, statsSetProcInfo, statsDpiSdAcl, statsSudIntegrity,
  statsSudExec, statsSecDesc, statsMaxCounter
}
 Stat IDs.
 

Functions

void IntStatsDumpAll (void)
 Prints all the non-zero stats.
 
void IntStatStart (STAT_ID StatId)
 
void IntStatStop (STAT_ID StatId)
 
void IntStatDiscard (STAT_ID StatId)
 Discards the current measurement for a stat counter.
 
void IntStatsResetAll (void)
 Resets all the stats.
 
void IntStatsReset (STAT_ID StatId)
 Resets a stat.
 
void IntStatsInit (void)
 Initialization routine.
 

Variables

STAT_COUNTER gCounters [statsMaxCounter]
 The list of counters.
 

Macro Definition Documentation

◆ STATS_DISABLE_TIMER

#define STATS_DISABLE_TIMER   1

Definition at line 116 of file stats.h.

◆ STATS_DISCARD

#define STATS_DISCARD (   id)

Definition at line 154 of file stats.h.

◆ STATS_ENTER

#define STATS_ENTER (   id)

Definition at line 153 of file stats.h.

Referenced by IntCrLixHandleWrite(), IntCrWinHandleWrite(), IntDispatchPtAsEpt(), IntDtrHandleWrite(), IntExceptUser(), IntHandleBreakpoint(), IntHandleCrWrite(), IntHandleDtrViolation(), IntHandleEptViolation(), IntHandleEventInjection(), IntHandleIntroCall(), IntHandleMemAccess(), IntHandleMsrViolation(), IntHandleTimer(), IntHandleXcrWrite(), IntHookCommitAllHooks(), IntHookGvaDeleteHookInternal(), IntHookObjectCommit(), IntHookPtmWriteCallback(), IntHookPtsCheckIntegrity(), IntHookPtsHandleModification(), IntHookPtsWriteCallback(), IntHookPtwEmulateWrite(), IntHookPtwProcessWrite(), IntLixAccessRemoteVmHandler(), IntLixDrvHandleWrite(), IntLixIdtWriteHandler(), IntLixKernelHandleRead(), IntLixMsrHandleWrite(), IntLixTaskHandleInjection(), IntLixVdsoHandleKernelModeWrite(), IntLixVdsoHandleUserModeWrite(), IntPtiHandleInt3(), IntPtiMonitorAllPtWriteCandidates(), IntSwapgsStartMitigation(), IntVasPageTableWriteCallback(), IntVeHandleAccess(), IntVeHandleEPTViolationInProtectedView(), IntWinDagentCheckNativeSubsystem(), IntWinDagentHandleDoubleAgent(), IntWinDagentHandleSlackWritable(), IntWinDagentHandleSuspModHeaders(), IntWinDpiGatherDpiInfo(), IntWinDrvHandleRead(), IntWinDrvHandleWrite(), IntWinDrvObjHandleModification(), IntWinDrvObjHandleWrite(), IntWinHalHandleHalHeapExec(), IntWinHalHandleHalIntCtrlWrite(), IntWinHalHandlePerfCounterModification(), IntWinHandleException(), IntWinIdtHandleModification(), IntWinIdtWriteHandler(), IntWinInfHookEptSppHandleWrite(), IntWinInfHookIntegrityHandleWrite(), IntWinModBlockHandleExecution(), IntWinModHandleKernelWrite(), IntWinModHandleUserWrite(), IntWinMsrHandleWrite(), IntWinProcHandleCopyMemory(), IntWinProcHandleCreateInternal(), IntWinProcHandleInstrument(), IntWinSDCheckIntegrity(), IntWinSelfMapHandleCr3SelfMapWrite(), IntWinSelfMapValidateSelfMapEntries(), IntWinStackTraceGet32(), IntWinStackTraceGet64(), IntWinSudCheckIntegrity(), IntWinSudHandleFieldModification(), IntWinSudHandleKernelSudExec(), 
IntWinSudHandleSudExec(), IntWinSudHandleUserSudExec(), IntWinThrHandleQueueApc(), IntWinThrHandleThreadHijack(), IntWinTokenPrivsCheckIntegrityOnProcess(), IntWinTokenPrivsHandleSwap(), IntWinTokenPrivsHandleWrite(), and IntWinVadHandleCommit().

◆ STATS_EXIT

#define STATS_EXIT (   id)    IntStatStop(id)

Definition at line 160 of file stats.h.

Referenced by IntCrLixHandleWrite(), IntCrWinHandleWrite(), IntDispatchPtAsEpt(), IntDtrHandleWrite(), IntExceptUser(), IntHandleBreakpoint(), IntHandleCrWrite(), IntHandleDtrViolation(), IntHandleEptViolation(), IntHandleEventInjection(), IntHandleIntroCall(), IntHandleMemAccess(), IntHandleMsrViolation(), IntHandleTimer(), IntHandleXcrWrite(), IntHookCommitAllHooks(), IntHookGvaDeleteHookInternal(), IntHookObjectCommit(), IntHookPtmWriteCallback(), IntHookPtsCheckIntegrity(), IntHookPtsHandleModification(), IntHookPtsWriteCallback(), IntHookPtwEmulateWrite(), IntHookPtwProcessWrite(), IntLixAccessRemoteVmHandler(), IntLixDrvHandleWrite(), IntLixIdtWriteHandler(), IntLixKernelHandleRead(), IntLixMsrHandleWrite(), IntLixTaskHandleInjection(), IntLixVdsoHandleKernelModeWrite(), IntLixVdsoHandleUserModeWrite(), IntPtiHandleInt3(), IntPtiMonitorAllPtWriteCandidates(), IntSwapgsStartMitigation(), IntVasPageTableWriteCallback(), IntVeHandleAccess(), IntVeHandleEPTViolationInProtectedView(), IntWinDagentCheckNativeSubsystem(), IntWinDagentHandleDoubleAgent(), IntWinDagentHandleSlackWritable(), IntWinDagentHandleSuspModHeaders(), IntWinDpiGatherDpiInfo(), IntWinDrvHandleRead(), IntWinDrvHandleWrite(), IntWinDrvObjHandleModification(), IntWinDrvObjHandleWrite(), IntWinHalHandleHalHeapExec(), IntWinHalHandleHalIntCtrlWrite(), IntWinHalHandlePerfCounterModification(), IntWinHandleException(), IntWinIdtHandleModification(), IntWinIdtWriteHandler(), IntWinInfHookEptSppHandleWrite(), IntWinInfHookIntegrityHandleWrite(), IntWinModBlockHandleExecution(), IntWinModHandleKernelWrite(), IntWinModHandleUserWrite(), IntWinMsrHandleWrite(), IntWinProcHandleCopyMemory(), IntWinProcHandleCreateInternal(), IntWinProcHandleInstrument(), IntWinSDCheckIntegrity(), IntWinSelfMapHandleCr3SelfMapWrite(), IntWinSelfMapValidateSelfMapEntries(), IntWinStackTraceGet32(), IntWinStackTraceGet64(), IntWinSudCheckIntegrity(), IntWinSudHandleFieldModification(), IntWinSudHandleKernelSudExec(), 
IntWinSudHandleSudExec(), IntWinSudHandleUserSudExec(), IntWinThrHandleQueueApc(), IntWinThrHandleThreadHijack(), IntWinTokenPrivsCheckIntegrityOnProcess(), IntWinTokenPrivsHandleSwap(), IntWinTokenPrivsHandleWrite(), and IntWinVadHandleCommit().

Typedef Documentation

◆ PSTAT_COUNTER

typedef struct _STAT_COUNTER * PSTAT_COUNTER

◆ STAT_COUNTER

typedef struct _STAT_COUNTER STAT_COUNTER

A stats counter.

◆ STAT_ID

typedef enum _STAT_ID STAT_ID

Stat IDs.

Each ID is used to identify a specific code section to time (this can be as large as an entire VMEXIT event handler, or a more specific event). Stats may be nested in other stats.

◆ TIMESPEC

typedef QWORD TIMESPEC

Definition at line 127 of file stats.h.

Enumeration Type Documentation

◆ _STAT_ID

enum _STAT_ID

Stat IDs.

Each ID is used to identify a specific code section to time (this can be as large as an entire VMEXIT event handler, or a more specific event). Stats may be nested in other stats.

Enumerator
statsEptViolation 

Measures all EPT violations.

statsEptRead 

Measures read EPT violations.

statsEptWrite 

Measures write EPT violations.

statsEptExecute 

Measures execute EPT violations.

statsEptKernel 

Measures EPT violations generated while the guest was in kernel mode.

statsEptUser 

Measures EPT violations generated while the guest was in user mode.

statsEptDecode 

Measures the decoding of instructions that generate EPT violations.

statsEptLookup 

Measures the look-up of EPT violation handlers.

statsEptHandle 

Measures the execution of EPT violation handlers.

statsEptRMW 

Measures the EPT violations for which the instruction does a read and a write.

statsVmcall 

Measures the handling of VMCALL exits.

statsCrViolation 

Measures CR violation exits.

statsMsrViolation 

Measures MSR violation exits.

statsXcrViolation 

Measures XCR violation exits.

statsTimer 

Measures the timer events.

statsInt3 

Measures the INT3 events.

statsDtrViolation 

Measures the DTR violation exits.

statsEventInjection 

Measures event injections.

statsModuleLoadViolation 

Measures module load violation handling.

statsDeleteRegion 

Measures the deletion of HOOK_REGION_DESCRIPTOR objects.

statsDeleteGva 

Measures the deletion of HOOK_GVA objects.

statsHookCommit 

Measures the hook commits.

statsPtWriteProc 

Measures page table writes.

statsPtWriteEmu 

Measures page table write emulation.

statsPtWriteTotal 

Measures all the page table writes.

statsPtWriteHits 

Measures page table entry writes.

statsPtWriteRelevant 

Measures page table writes that are actually relevant for Introcore.

statsExceptionsUser 

Measures user mode exception checks.

statsExceptionsKern 

Measures kernel mode exception checks.

statsExceptionsGlobMatch 

Measures glob-match exceptions.

statsUmCrash 

Measures user mode crash handlers.

statsVasmon 

Measures page table writes done by the VAS monitor.

statsVadCommitExisting 

Measures the IntWinVadHandleCommit detour handler.

statsPtsIntegrity 

Measures page table integrity checks.

statsPtsFilterInt3 

Measures the INT3 exits generated by the page table filtering mechanism.

statsPtsFilterVmcall 

Measures the VMCALL exits generated by the page table filtering agent.

statsPtsFilterInsSearch 

Measures the instruction search done for the page table filtering agent.

statsSwapgsInsSearch 

Measures the instruction search done for the SWAPGS protection.

statsSelfMapEntryProtection 

Measures the self map entry validation.

statsCopyMemoryTotal 

Measures the IntWinProcHandleCopyMemory detour handler.

statsCopyMemoryRead 

Measures IntWinProcHandleCopyMemory invocations done for memory reads.

statsCopyMemoryWrite 

Measures IntWinProcHandleCopyMemory invocations done for memory writes.

statsCopyMemoryProtectedRead 

Measures the handling of memory reads in which a read protection policy exists.

statsCopyMemoryProtectedWrite 

Measures the handling of memory reads in which a write protection policy exists.

statsDepViolation 

Measures IntWinHandleException invocations done for DEP violations.

statsStackTrace32 

Measures the stack trace mechanism for 32-bit execution contexts.

statsStackTrace64 

Measures the stack trace mechanism for 64-bit execution contexts.

statsStackTraceSpecialCase 

Measures the cases in which the stack trace mechanism encounters a JMP after a CALL.

statsDpiGatherInfo 

Measures the information gathering for the DPI mechanism.

statsProcessCreationCheck 

Measures the process creation checks.

statsDpiDebugFlag 

Measures the debug flag DPI protection information gathering.

statsDpiStackPivot 

Measures the pivoted stack DPI protection information gathering.

statsDpiStealToken 

Measures the stolen token flag DPI protection information gathering.

statsDpiHeapSpray 

Measures the heap spray DPI protection information gathering.

statsDpiTokenPrivs 

Measures the token privileges DPI protection information gathering.

statsDpiThreadStart 

Measures the thread start DPI protection information gathering.

statsNtEatRead 

Measures reads done from the kernel EAT.

statsTokenWrites 

Token writes.

statsTokenChangeCheck 

Measures the checks to see if the token has been changed when a write occurs over the token.

statsTokenSwapCheck 

Measures the checks to see if the token has been changed when a token swap occurs.

statsKmUmWrites 

Writes done from kernel mode over user mode.

statsSetProcInfo 

Measures exits on NtSetInformationProcess.

statsDpiSdAcl 

Measures the security descriptor DPI protection information gathering.

statsSudIntegrity 

Measures the checks done on SharedUserData.

statsSudExec 

Measures the execution handling on the SharedUserData page.

statsSecDesc 

Measures the integrity checks on the process security descriptor.

statsMaxCounter 

The number of valid stats IDs. Not a valid ID. Must always be the last entry in the enum.

Definition at line 16 of file stats.h.

Function Documentation

◆ IntStatDiscard()

void IntStatDiscard ( STAT_ID  StatId)

Discards the current measurement for a stat counter.

Parameters
[in] StatId: Counter to discard.

Definition at line 431 of file stats.c.

Referenced by IntStatStop().

◆ IntStatsDumpAll()

void IntStatsDumpAll ( void  )

Prints all the non-zero stats.

Definition at line 220 of file stats.c.

Referenced by IntGuestUninit(), and IntHandleTimer().

◆ IntStatsInit()

void IntStatsInit ( void  )

Initialization routine.

If STATS_HAS_HIGHRES_TIMER is defined, this routine determines how long a GetTime call takes, so that we know how much to subtract when a counter includes another counter.

Definition at line 448 of file stats.c.

Referenced by IntGuestInit(), and IntStatStop().
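
The overhead subtraction described for IntStatsInit, shown as an added example that is not Introcore's code: a simulated clock whose reads cost a fixed number of ticks, with nested counters corrected by the calibrated read cost. All `Ex*` names, the counter fields and the cost model are assumptions made for illustration.

```c
#include <stdint.h>

typedef uint64_t TIMESPEC;               /* the page defines TIMESPEC as a QWORD */
enum { exOuter, exInner, exMaxCounter }; /* hypothetical IDs, not from _STAT_ID */

typedef struct {
    TIMESPEC Start;   /* timestamp taken when the section was entered */
    TIMESPEC Total;   /* accumulated time with clock-read overhead removed */
    uint64_t Nested;  /* measurements completed while this one was open */
} EX_COUNTER;

static EX_COUNTER gEx[exMaxCounter];
static int gOpen[exMaxCounter], gDepth;  /* stack of currently open counters */
static TIMESPEC gNow, gReadCost;

/* Simulated clock (assumption): each read costs 3 ticks, paid before it returns. */
static TIMESPEC ExGetTime(void) { gNow += 3; return gNow; }
static void ExWork(TIMESPEC ticks) { gNow += ticks; }  /* stands in for handler code */

static void ExInit(void)
{
    TIMESPEC a = ExGetTime();
    gReadCost = ExGetTime() - a;         /* calibrate the cost of one clock read */
    for (int i = 0; i < exMaxCounter; i++) gEx[i] = (EX_COUNTER){0};
    gDepth = 0;
}

static void ExStart(int id)
{
    gOpen[gDepth++] = id;
    gEx[id].Nested = 0;
    gEx[id].Start = ExGetTime();
}

static void ExStop(int id)               /* assumes properly nested start/stop */
{
    TIMESPEC raw = ExGetTime() - gEx[id].Start;
    /* raw holds our own stop read plus two reads per nested measurement */
    gEx[id].Total += raw - gReadCost * (1 + 2 * gEx[id].Nested);
    if (--gDepth > 0) gEx[gOpen[gDepth - 1]].Nested += 1 + gEx[id].Nested;
}

/* Outer section: 10 + 5 ticks of its own work around a 20-tick inner section. */
static void ExRunNested(void)
{
    ExInit();
    ExStart(exOuter); ExWork(10);
    ExStart(exInner); ExWork(20); ExStop(exInner);
    ExWork(5); ExStop(exOuter);
}

int main(void) { ExRunNested(); return gEx[exOuter].Total == 35 ? 0 : 1; }
```

Without the correction the outer counter would report 44 ticks for 35 ticks of real work, and the error grows with every nested counter.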

◆ IntStatsReset()

void IntStatsReset ( STAT_ID  StatId)

Resets a stat.

Parameters
[in] StatId: Stat to reset.

Definition at line 276 of file stats.c.

Referenced by IntStatsResetAll(), and IntStatStop().

◆ IntStatsResetAll()

void IntStatsResetAll ( void  )

Resets all the stats.

Definition at line 299 of file stats.c.

Referenced by IntStatStop().

◆ IntStatStart()

void IntStatStart ( STAT_ID  StatId)

Definition at line 172 of file stats.h.

Referenced by IntStatStop().

◆ IntStatStop()

void IntStatStop ( STAT_ID  StatId)

Definition at line 180 of file stats.h.

Variable Documentation

◆ gCounters

The list of counters.

Definition at line 21 of file stats.c.