Bitdefender Hypervisor Memory Introspection
unpacker.h
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2020 Bitdefender
3  * SPDX-License-Identifier: Apache-2.0
4  */
5 #ifndef _UNPACKER_H_
6 #define _UNPACKER_H_
7 
8 #include "introtypes.h"
9 #include "bddisasm.h"
10 
11 
23 typedef INTSTATUS
24 (*PFUNC_PageUnpackedCallback)(
25  _In_ QWORD Cr3,
26  _In_ QWORD VirtualAddress,
27  _In_ PINSTRUX Instrux,
28  _In_ void *Context
29  );
30 
31 
46 typedef BOOLEAN
47 (*PFUNC_PageIsWriteValid)(
48  _In_ QWORD Cr3,
49  _In_ QWORD VirtualAddress,
50  _In_ void *Context
51  );
52 
53 
54 //
55 // API
56 //
57 INTSTATUS
58 IntUnpWatchPage(
59  _In_ QWORD Cr3,
60  _In_ QWORD VirtualAddress,
61  _In_ PFUNC_PageUnpackedCallback UnpackCallback,
62  _In_ PFUNC_PageIsWriteValid WriteCheckCallback,
63  _In_opt_ void *CallbackContext
64  );
65 
66 INTSTATUS
67 IntUnpUnWatchPage(
68  _In_ QWORD Cr3,
69  _In_ QWORD VirtualAddress
70  );
71 
72 INTSTATUS
73 IntUnpUnWatchVaSpacePages(
74  _In_ QWORD Cr3
75  );
76 
77 INTSTATUS
78 IntUnpRemovePages(
79  void
80  );
81 
82 void
83 IntUnpUninit(
84  void
85  );
86 
87 #endif // _UNPACKER_H_
IntUnpUninit
void IntUnpUninit(void)
Uninit the unpacker. This will stop the monitor on all pages.
Definition: unpacker.c:505
_In_opt_
#define _In_opt_
Definition: intro_sal.h:16
BOOLEAN
_Bool BOOLEAN
Definition: intro_types.h:58
_In_
#define _In_
Definition: intro_sal.h:21
IntUnpRemovePages
INTSTATUS IntUnpRemovePages(void)
Stop monitoring all pages.
Definition: unpacker.c:474
PFUNC_PageUnpackedCallback
INTSTATUS(* PFUNC_PageUnpackedCallback)(QWORD Cr3, QWORD VirtualAddress, PINSTRUX Instrux, void *Context)
Called when a page is considered to be "unpacked".
Definition: unpacker.h:24
INTSTATUS
int INTSTATUS
The status data type.
Definition: introstatus.h:24
QWORD
unsigned long long QWORD
Definition: intro_types.h:53
IntUnpUnWatchVaSpacePages
INTSTATUS IntUnpUnWatchVaSpacePages(QWORD Cr3)
Stop monitoring all pages belonging to a virtual address space.
Definition: unpacker.c:438
IntUnpUnWatchPage
INTSTATUS IntUnpUnWatchPage(QWORD Cr3, QWORD VirtualAddress)
Stop monitoring the indicated page.
Definition: unpacker.c:396
PFUNC_PageIsWriteValid
BOOLEAN(* PFUNC_PageIsWriteValid)(QWORD Cr3, QWORD VirtualAddress, void *Context)
Called when a page is written.
Definition: unpacker.h:47
IntUnpWatchPage
INTSTATUS IntUnpWatchPage(QWORD Cr3, QWORD VirtualAddress, PFUNC_PageUnpackedCallback UnpackCallback, PFUNC_PageIsWriteValid WriteCheckCallback, void *CallbackContext)
Monitor a page against unpacking.
Definition: unpacker.c:316