- Generated by
1.8.13
|
Bitdefender Hypervisor Memory Introspection
|
Contains the virtual address space monitor logic. More...
Go to the source code of this file.
Data Structures | |
| struct | _VAS_STATE |
Typedefs | |
| typedef struct _VAS_STATE | VAS_STATE |
| typedef struct _VAS_STATE * | PVAS_STATE |
Functions | |
| INTSTATUS | IntVasPageTableWriteCallback (void *Context, void *Hook, QWORD Address, INTRO_ACTION *Action) |
| Handle writes inside the monitored page-tables. More... | |
| static INTSTATUS | IntVasHookTables (QWORD LinearAddress, QWORD CurrentPage, BYTE PagingMode, BYTE Level, PVAS_ROOT Root, PVAS_TABLE *Table) |
| Recursively hook all the page-tables starting with the indicated page-table. More... | |
| static INTSTATUS | IntVasUnHookTables (PVAS_TABLE Table) |
| Every table starting with this one will be deleted. More... | |
| static INTSTATUS | IntVasDeleteTable (PVAS_TABLE DataAddress, QWORD DataInfo) |
| Delete the indicated VAS table. More... | |
| static QWORD | IntVasGetPageSize (PVAS_TABLE Table) |
| Computes the size of a page, given a VAS table. More... | |
| INTSTATUS | IntVasStartMonitorVaSpace (QWORD Cr3, PFUNC_VaSpaceModificationCallback Callback, void *Context, QWORD MonitoredBits, void **Root) |
| Start monitoring the indicated virtual address space. More... | |
| INTSTATUS | IntVasStopMonitorVaSpace (QWORD Cr3, PVAS_ROOT Root) |
| Stops monitoring the indicated virtual address space. More... | |
| static INTSTATUS | IntVasDumpTables (PVAS_TABLE Table, PVAS_TABLE_ENTRY Parent) |
| Dump the VAS tables. More... | |
| INTSTATUS | IntVasDump (QWORD Cr3) |
| Dump the monitored tables for the indicated Cr3. More... | |
| INTSTATUS | IntVasInit (void) |
| Initialize the VAS monitor state. More... | |
| INTSTATUS | IntVasUnInit (void) |
| Uninit the VAS monitor state. More... | |
Variables | |
| static VAS_STATE | gVasState = { 0 } |
Contains the virtual address space monitor logic.
This module contains the virtual address space monitor logic, which involves hooking every page-table belonging to a virtual address space. When any kind of modification takes for a virtual address, the indicated callback will be invoked. NOTE: This module works with an entire virtual address space; therefore, it consumes a lot of memory (it monitors every page-table) and a lot of CPU (since every page-table write will trigger an EPT violation). Please be aware of these when deciding to use it. If you wish to monitor the translation of several virtual addresses, but not an entire address space, use hook_pts instead.
Definition in file vasmonitor.c.
| typedef struct _VAS_STATE * PVAS_STATE |
| typedef struct _VAS_STATE VAS_STATE |
Global VAS state.
|
static |
Delete the indicated VAS table.
| [in] | DataAddress | VAS table to be deleted. |
| [in] | DataInfo | Unused. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
Definition at line 60 of file vasmonitor.c.
Referenced by IntVasUnHookTables().
Dump the monitored tables for the indicated Cr3.
| [in] | Cr3 | The Cr3 to dump the VAS state for. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_FOUND | If the indicated virtual address space is not monitored. |
Definition at line 1077 of file vasmonitor.c.
Referenced by DbgDumpVaSpace(), IntVasPageTableWriteCallback(), and IntWinProcDump().
|
static |
Dump the VAS tables.
| [in] | Table | Root table to dump. |
| [in] | Parent | Parent entry. |
| INT_STATUS_SUCCESS | On success. |
Definition at line 1035 of file vasmonitor.c.
Referenced by IntVasDump().
|
static |
Computes the size of a page, given a VAS table.
| [in] | Table | The VAS table. |
Definition at line 98 of file vasmonitor.c.
Referenced by IntVasPageTableWriteCallback(), and IntVasUnHookTables().
|
static |
Recursively hook all the page-tables starting with the indicated page-table.
This function will parse the indicated page-table - CurrentPage. It will fetch each entry from it, and it will recursively call the hook function on these entries, until all page-tables have been hooked. On success, it will return a handle to a VAS hook on the current page.
| [in] | LinearAddress | The partial linear address that translates through this page-table. |
| [in] | CurrentPage | Guest physical address of the current page-table. |
| [in] | PagingMode | Paging mode. |
| [in] | Level | Current page-table level (5, 4, 3, 2, 1). |
| [in] | Root | A root VAS entry. |
| [out] | Table | A newly hooked page-table. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
| INT_STATUS_INSUFFICIENT_RESOURCES | If a memory alloc fails. |
Definition at line 408 of file vasmonitor.c.
Referenced by IntVasPageTableWriteCallback(), and IntVasStartMonitorVaSpace().
| INTSTATUS IntVasInit | ( | void | ) |
Initialize the VAS monitor state.
| INT_STATUS_SUCCESS | On success. |
Definition at line 1125 of file vasmonitor.c.
Referenced by IntGuestInit().
| INTSTATUS IntVasPageTableWriteCallback | ( | void * | Context, |
| void * | Hook, | ||
| QWORD | Address, | ||
| INTRO_ACTION * | Action | ||
| ) |
Handle writes inside the monitored page-tables.
This function handles monitored page-table writes. It has to:
| [in] | Context | The monitored page-table that is being written to. |
| [in] | Hook | GPA hook handle. |
| [in] | Address | Written address. |
| [in] | Action | Desired action. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
Definition at line 135 of file vasmonitor.c.
Referenced by IntVasHookTables().
| INTSTATUS IntVasStartMonitorVaSpace | ( | QWORD | Cr3, |
| PFUNC_VaSpaceModificationCallback | Callback, | ||
| void * | Context, | ||
| QWORD | MonitoredBits, | ||
| void ** | Root | ||
| ) |
Start monitoring the indicated virtual address space.
This function will start to monitor the indicated virtual address space against modifications. Whenever a new page is mapped, unmapped or has its entry modified, the indicated callback will be called. NOTE: This function will NOT call the indicated callback for virtual addresses that are already mapped when enabling the monitor.
| [in] | Cr3 | The Cr3 of the virtual address space to be monitored. |
| [in] | Callback | The callback to be called on translations modifications. |
| [in] | Context | Optional context to be passed to the callback on translation modifications. |
| [in] | MonitoredBits | The callback will be called if any of these bits are modified. |
| [out] | Root | A handle to the virtual address space monitor object. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
| INT_STATUS_INSUFFICIENT_RESOURCES | If a memory alloc fails. |
Definition at line 877 of file vasmonitor.c.
Stops monitoring the indicated virtual address space.
Either Cr3 or Root must be specified. If Root is specified, it will be used instead of Cr3. Otherwise, the actual entry will be searched using the provided CR3. Both arguments cannot be 0 at the same time.
| [in] | Cr3 | The virtual address space to stop monitoring on. |
| [in] | Root | Handle to the virtual address space monitor. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_FOUND | If an indicated monitored space is not found. |
Definition at line 979 of file vasmonitor.c.
|
static |
Every table starting with this one will be deleted.
| [in] | Table | The root page-table to be unhooked. All children will also be unhooked. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
Definition at line 797 of file vasmonitor.c.
Referenced by IntVasPageTableWriteCallback(), IntVasStartMonitorVaSpace(), and IntVasStopMonitorVaSpace().
| INTSTATUS IntVasUnInit | ( | void | ) |
Uninit the VAS monitor state.
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_INITIALIZED_HINT | If the VAS state has bot been initialized. |
Definition at line 1143 of file vasmonitor.c.
Referenced by IntGuestUninit().
|
static |
Definition at line 32 of file vasmonitor.c.
1.8.13