Bitdefender Hypervisor Memory Introspection
#include "thread_safeness.h"
Functions

INTSTATUS IntSwapgsStartMitigation(void)
    Scan the kernel for vulnerable SWAPGS gadgets, and mitigate CVE-2019-1125 when such gadgets are found.

void IntSwapgsUninit(void)
    Uninit the SWAPGS mitigation.

void IntSwapgsDisable(void)
    Disable SWAPGS mitigations. Must be used only for PrepareUninit.

BOOLEAN IntSwapgsIsPtrInHandler(QWORD Ptr, THS_PTR_TYPE Type, QWORD *Gadget)
    Check if a pointer points inside a SWAPGS handler.

QWORD IntSwapgsRelocatePtrIfNeeded(QWORD Ptr)
    Relocate a pointer if it points inside a SWAPGS gadget, and make it point inside the installed handler.
void IntSwapgsDisable(void)
Disable SWAPGS mitigations. Must be used only for PrepareUninit.
Definition at line 501 of file swapgs.c.
Referenced by IntGuestPrepareUninit().
BOOLEAN IntSwapgsIsPtrInHandler(QWORD Ptr, THS_PTR_TYPE Type, QWORD *Gadget)

Check if a pointer points inside a SWAPGS handler.

Parameters:
    [in]  Ptr     The pointer to be checked.
    [in]  Type    Live RIP or stack value.
    [out] Gadget  The gadget address, if any is found, or NULL otherwise.

Returns:
    True if Ptr points inside a gadget, false otherwise.
Definition at line 531 of file swapgs.c.
Referenced by IntThrSafeIsLiveRIPInIntro(), and IntThrSafeIsStackPtrInIntro().
QWORD IntSwapgsRelocatePtrIfNeeded(QWORD Ptr)

Relocate a pointer if it points inside a SWAPGS gadget, and make it point inside the installed handler.

Parameters:
    [in]  Ptr     The pointer to be checked.

Returns:
    The new value for the pointer, if it was relocated.
Definition at line 579 of file swapgs.c.
Referenced by IntThrSafeMoveReturn(), and IntThrSafeMoveRip().
INTSTATUS IntSwapgsStartMitigation(void)
Scan the kernel for vulnerable SWAPGS gadgets, and mitigate CVE-2019-1125, when such gadgets are found.
This function scans the NT image (.text and KVASCODE sections) for code sequences that are vulnerable to SWAPGS variant 2. When such a sequence is found, it will replace the first GS based access after the SWAPGS with a JMP to a small handler installed inside the NT slack space, which will simply serialize execution using LFENCE.

Example: Considering the sequence:

        TEST    [mem], imm
        JZ      skip_swapgs
        SWAPGS
    skip_swapgs:
        MOV     r10, gs:[0x188]
        ...

we will replace the "MOV r10, gs:[0x188]" instruction with a "CALL" to a handler installed inside the slack space, which will force a "LFENCE" before actually doing the GS based addressing.

NOTE: This scanning & instrumentation is done with the VCPUs paused.

Return values:
    INT_STATUS_SUCCESS                  On success.
    INT_STATUS_NOT_NEEDED_HINT          If KPTI is not active, or if the guest is not x64, or if it is not Windows.
    INT_STATUS_INVALID_INTERNAL_STATE   If the NT image headers are corrupt.
    INT_STATUS_NOT_SUPPORTED            If a handler cannot be installed.
    INT_STATUS_INSUFFICIENT_RESOURCES   If a memory alloc fails.
Definition at line 190 of file swapgs.c.
Referenced by DbgMitigateSwapgs(), and IntWinGuestFinishInit().
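The following is an added, self-contained model of the three steps this page describes: locating a SWAPGS that is followed by a GS-based access, deciding whether a live RIP or stack value lies inside an installed handler (the role of IntSwapgsIsPtrInHandler), and moving a pointer that lands inside the replaced instruction into the handler (the role of IntSwapgsRelocatePtrIfNeeded). It is not code from the Bitdefender HVI project or from swapgs.c. The byte sequence is hand-constructed from the example above, the image base, handler address and handler size are placeholders, the replaced instruction's length is supplied rather than decoded (the real scanner needs a disassembler for that), and mapping a relocated pointer to the start of the handler is an assumption of this model.

```c
/* Added model of the SWAPGS mitigation described above. Not project code:
 * a simplified illustration with constructed bytes and placeholder
 * addresses (SAMPLE_BASE, SAMPLE_HANDLER are not real kernel values). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define GS_PREFIX          0x65u                 /* GS segment override prefix */
#define MAX_GADGETS        8u
#define SAMPLE_BASE        0xFFFFF80000001000ull /* placeholder image base */
#define SAMPLE_HANDLER     0xFFFFF80000002000ull /* placeholder slack-space handler */
#define SAMPLE_HANDLER_LEN 16u                   /* assumed handler stub size */
#define SAMPLE_MOV_LEN     9u                    /* length of "MOV r10, gs:[0x188]" */

/* One instrumented location: the GS access that was replaced, and the
 * LFENCE handler that now serializes execution before it. */
typedef struct {
    uint64_t gadget_addr, gadget_len;
    uint64_t handler_addr, handler_len;
} swapgs_gadget_t;

/* Constructed bytes mirroring the sequence in the description above:
 *   TEST byte ptr [rip+0], 1   F6 05 00 00 00 00 01
 *   JZ   skip_swapgs           74 03
 *   SWAPGS                     0F 01 F8
 * skip_swapgs:
 *   MOV  r10, gs:[0x188]       65 4C 8B 14 25 88 01 00 00
 *   NOP                        90                                  */
static const uint8_t sample_code[] = {
    0xF6, 0x05, 0x00, 0x00, 0x00, 0x00, 0x01,
    0x74, 0x03,
    0x0F, 0x01, 0xF8,
    0x65, 0x4C, 0x8B, 0x14, 0x25, 0x88, 0x01, 0x00, 0x00,
    0x90,
};

/* Find SWAPGS (0F 01 F8) immediately followed by a GS-prefixed instruction
 * and store the offset of each such GS access in out[]. Returns the count.
 * The GS byte must be inside the buffer, otherwise the candidate is ignored. */
size_t scan_swapgs_gadgets(const uint8_t *code, size_t len,
                           size_t *out, size_t max_out)
{
    size_t found = 0;
    for (size_t i = 0; i + 3 < len && found < max_out; i++) {
        if (code[i] == 0x0F && code[i + 1] == 0x01 && code[i + 2] == 0xF8 &&
            code[i + 3] == GS_PREFIX)
            out[found++] = i + 3;
    }
    return found;
}

/* Role of IntSwapgsIsPtrInHandler: if ptr lies inside a handler stub, report
 * the gadget that stub protects (needed before original bytes are restored). */
int ptr_in_handler(const swapgs_gadget_t *tbl, size_t n, uint64_t ptr,
                   uint64_t *gadget)
{
    for (size_t i = 0; i < n; i++) {
        if (ptr >= tbl[i].handler_addr &&
            ptr < tbl[i].handler_addr + tbl[i].handler_len) {
            if (gadget) *gadget = tbl[i].gadget_addr;
            return 1;
        }
    }
    if (gadget) *gadget = 0;
    return 0;
}

/* Role of IntSwapgsRelocatePtrIfNeeded: a RIP or saved return address inside
 * the replaced instruction is moved into its handler, so no VCPU resumes in
 * the middle of patched bytes. Mapping to the handler start is an assumption. */
uint64_t relocate_ptr_if_needed(const swapgs_gadget_t *tbl, size_t n,
                                uint64_t ptr)
{
    for (size_t i = 0; i < n; i++) {
        if (ptr >= tbl[i].gadget_addr &&
            ptr < tbl[i].gadget_addr + tbl[i].gadget_len)
            return tbl[i].handler_addr;
    }
    return ptr;
}

/* Scan the constructed sample and build its gadget table. */
size_t build_sample_table(swapgs_gadget_t *tbl, size_t max)
{
    size_t offs[MAX_GADGETS];
    size_t n = scan_swapgs_gadgets(sample_code, sizeof sample_code, offs, MAX_GADGETS);
    if (n > max) n = max;
    for (size_t i = 0; i < n; i++) {
        tbl[i].gadget_addr  = SAMPLE_BASE + offs[i];
        tbl[i].gadget_len   = SAMPLE_MOV_LEN;   /* supplied, not decoded */
        tbl[i].handler_addr = SAMPLE_HANDLER + i * SAMPLE_HANDLER_LEN;
        tbl[i].handler_len  = SAMPLE_HANDLER_LEN;
    }
    return n;
}

int main(void)
{
    swapgs_gadget_t tbl[MAX_GADGETS];
    size_t n = build_sample_table(tbl, MAX_GADGETS);
    uint64_t rip = SAMPLE_BASE + 15;   /* a RIP three bytes into the MOV */

    printf("gadgets found: %zu\n", n);
    for (size_t i = 0; i < n; i++)
        printf("  GS access at 0x%llx -> handler 0x%llx\n",
               (unsigned long long)tbl[i].gadget_addr,
               (unsigned long long)tbl[i].handler_addr);
    printf("RIP 0x%llx relocated to 0x%llx\n", (unsigned long long)rip,
           (unsigned long long)relocate_ptr_if_needed(tbl, n, rip));
    return 0;
}
```

The scan only flags a SWAPGS whose very next instruction carries the GS override, which matches the "first GS based access after the SWAPGS" wording above; a pointer exactly at the start of the replaced instruction is treated as inside it, since that is where the patched CALL will execute.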
void IntSwapgsUninit(void)
Uninit the SWAPGS mitigation.
All gadgets will be restored, making the OS vulnerable again.
Definition at line 446 of file swapgs.c.
Referenced by DbgMitigateSwapgs(), and IntGuestUninit().