Bitdefender Hypervisor Memory Introspection
vasmonitor.h File Reference
#include "hook_ptwh.h"


Data Structures

struct  _VAS_TABLE_ENTRY
 
struct  _VAS_TABLE
 
struct  _VAS_ROOT
 

Macros

/*
 * Guest linear address helpers. Each macro ORs Base with Index shifted left by
 * ((Level - 1) * bits-per-level) + 12, so Level 1 gives a shift of 12.
 * Base is combined with OR rather than addition, so the bits covered by the
 * shifted Index are expected to be clear in Base.
 * NOTE(review): assuming QWORD is 64 bits wide, the shift count must stay below 64
 * to be defined; nothing on this page shows a range check on Level, so confirm
 * that callers only pass valid paging levels.
 */

/* 9 index bits per level; the result is passed through PAGE_SX, which is not shown
   on this page (presumably sign-extension to a canonical address; confirm). */
#define VAS_COMPUTE_GLA_64(Base, Index, Level)   (PAGE_SX((Base) | ((QWORD)(Index) << ((((Level) - 1) * 9) + 12))))
 
/* Same 9-bits-per-level shift as the 64-bit variant, but without PAGE_SX. */
#define VAS_COMPUTE_GLA_PAE(Base, Index, Level)   ((Base) | ((QWORD)(Index) << ((((Level) - 1) * 9) + 12)))
 
/* 10 index bits per level. */
#define VAS_COMPUTE_GLA_32(Base, Index, Level)   ((Base) | ((QWORD)(Index) << ((((Level) - 1) * 10) + 12)))
 
#define VAS_COMPUTE_GLA(Base, Index, Level, Pg)
 
#define VAS_TRANSITIONS_THRESHOLD   64
 
#define VAS_TOTAL_WRITES_THESHOLD   4096
 

Typedefs

typedef INTSTATUS(* PFUNC_VaSpaceModificationCallback) (void *Context, QWORD VirtualAddress, QWORD OldEntry, QWORD NewEntry, QWORD PageSize)
 Translation modification callback. More...
 
typedef struct _VAS_TABLE_ENTRY VAS_TABLE_ENTRY
 
typedef struct _VAS_TABLE_ENTRY * PVAS_TABLE_ENTRY
 
typedef struct _VAS_TABLE VAS_TABLE
 
typedef struct _VAS_TABLE * PVAS_TABLE
 
typedef struct _VAS_ROOT VAS_ROOT
 
typedef struct _VAS_ROOT * PVAS_ROOT
 

Functions

INTSTATUS IntVasStartMonitorVaSpace (QWORD Cr3, PFUNC_VaSpaceModificationCallback Callback, void *Context, QWORD MonitoredBits, void **Root)
 Start monitoring the indicated virtual address space. More...
 
INTSTATUS IntVasStopMonitorVaSpace (QWORD Cr3, PVAS_ROOT Root)
 Stops monitoring the indicated virtual address space. More...
 
INTSTATUS IntVasDump (QWORD Cr3)
 Dump the monitored tables for the indicated Cr3. More...
 
INTSTATUS IntVasInit (void)
 Initialize the VAS monitor state. More...
 
INTSTATUS IntVasUnInit (void)
 Uninit the VAS monitor state. More...
 

Macro Definition Documentation

◆ VAS_COMPUTE_GLA

#define VAS_COMPUTE_GLA (   Base,
  Index,
  Level,
  Pg 
)
Value:
( \
(Pg) == PAGING_5_LEVEL_MODE ? VAS_COMPUTE_GLA_64((Base), (Index), (Level)) : \
(Pg) == PAGING_4_LEVEL_MODE ? VAS_COMPUTE_GLA_64((Base), (Index), (Level)) : \
(Pg) == PAGING_PAE_MODE ? VAS_COMPUTE_GLA_PAE((Base), (Index), (Level)) : \
(Pg) == PAGING_NORMAL_MODE ? VAS_COMPUTE_GLA_32((Base), (Index), (Level)) : 0 \
)
Referenced definitions:
VAS_COMPUTE_GLA_PAE(Base, Index, Level): defined at vasmonitor.h:36
VAS_COMPUTE_GLA_32(Base, Index, Level): defined at vasmonitor.h:37
VAS_COMPUTE_GLA_64(Base, Index, Level): defined at vasmonitor.h:35
PAGING_5_LEVEL_MODE: 5-level paging (introcore.h:72)
PAGING_PAE_MODE: 32-bit paging with PAE (introcore.h:70)
PAGING_4_LEVEL_MODE: 4-level paging (introcore.h:71)
PAGING_NORMAL_MODE: 32-bit paging (introcore.h:69)

Definition at line 39 of file vasmonitor.h.

Referenced by IntVasPageTableWriteCallback(), and IntVasUnHookTables().

◆ VAS_COMPUTE_GLA_32

#define VAS_COMPUTE_GLA_32 (   Base,
  Index,
  Level 
)    ((Base) | ((QWORD)(Index) << ((((Level) - 1) * 10) + 12)))

Definition at line 37 of file vasmonitor.h.

Referenced by IntVasHookTables().

◆ VAS_COMPUTE_GLA_64

#define VAS_COMPUTE_GLA_64 (   Base,
  Index,
  Level 
)    (PAGE_SX((Base) | ((QWORD)(Index) << ((((Level) - 1) * 9) + 12))))

Definition at line 35 of file vasmonitor.h.

Referenced by IntVasHookTables().

◆ VAS_COMPUTE_GLA_PAE

#define VAS_COMPUTE_GLA_PAE (   Base,
  Index,
  Level 
)    ((Base) | ((QWORD)(Index) << ((((Level) - 1) * 9) + 12)))

Definition at line 36 of file vasmonitor.h.

Referenced by IntVasHookTables().

◆ VAS_TOTAL_WRITES_THESHOLD

#define VAS_TOTAL_WRITES_THESHOLD   4096

Definition at line 47 of file vasmonitor.h.

◆ VAS_TRANSITIONS_THRESHOLD

#define VAS_TRANSITIONS_THRESHOLD   64

Definition at line 46 of file vasmonitor.h.

Typedef Documentation

◆ PFUNC_VaSpaceModificationCallback

typedef INTSTATUS(* PFUNC_VaSpaceModificationCallback) (void *Context, QWORD VirtualAddress, QWORD OldEntry, QWORD NewEntry, QWORD PageSize)

Translation modification callback.

Callback invoked for VA space modifications. Whenever a translation is modified, the callback is invoked. IMPORTANT: PageSize is the size of the page mapped by NewEntry. OldEntry and NewEntry are ALWAYS the entries located at the same level, for example the PD. Even if VirtualAddress was mapped as a 4K page and is then remapped as a 2M page, OldEntry and NewEntry will both be the PD entries, so be careful: in that case OldEntry is the old PD entry rather than the PT entry that mapped the 4K page, and PageSize does not describe the old mapping.

Parameters
[in] Context: The context, as supplied when starting to monitor the address space.
[in] VirtualAddress: Modified virtual address.
[in] OldEntry: Old page-table entry.
[in] NewEntry: New page-table entry.
[in] PageSize: The size of the newly mapped page.

Definition at line 26 of file vasmonitor.h.

◆ PVAS_ROOT

typedef struct _VAS_ROOT * PVAS_ROOT

◆ PVAS_TABLE

typedef struct _VAS_TABLE * PVAS_TABLE

◆ PVAS_TABLE_ENTRY

◆ VAS_ROOT

typedef struct _VAS_ROOT VAS_ROOT

The root structure. This structure is used as a handle when placing virtual address space hooks.

◆ VAS_TABLE

typedef struct _VAS_TABLE VAS_TABLE

Describes one entire monitored page table.

◆ VAS_TABLE_ENTRY

One page table entry that points to another table.

Function Documentation

◆ IntVasDump()

INTSTATUS IntVasDump ( QWORD  Cr3)

Dump the monitored tables for the indicated Cr3.

Parameters
[in] Cr3: The Cr3 to dump the VAS state for.
Return values
INT_STATUS_SUCCESS: On success.
INT_STATUS_NOT_FOUND: If the indicated virtual address space is not monitored.

Definition at line 1077 of file vasmonitor.c.

Referenced by DbgDumpVaSpace(), IntVasPageTableWriteCallback(), and IntWinProcDump().

◆ IntVasInit()

INTSTATUS IntVasInit ( void  )

Initialize the VAS monitor state.

Return values
INT_STATUS_SUCCESS: On success.

Definition at line 1125 of file vasmonitor.c.

Referenced by IntGuestInit().

◆ IntVasStartMonitorVaSpace()

INTSTATUS IntVasStartMonitorVaSpace ( QWORD  Cr3,
PFUNC_VaSpaceModificationCallback  Callback,
void *  Context,
QWORD  MonitoredBits,
void **  Root 
)

Start monitoring the indicated virtual address space.

This function will start to monitor the indicated virtual address space against modifications. Whenever a new page is mapped, unmapped or has its entry modified, the indicated callback will be called. NOTE: This function will NOT call the indicated callback for virtual addresses that are already mapped when enabling the monitor, so the callback notifications alone do not describe the mappings that existed before monitoring began.

Parameters
[in] Cr3: The Cr3 of the virtual address space to be monitored.
[in] Callback: The callback to be called on translation modifications.
[in] Context: Optional context to be passed to the callback on translation modifications.
[in] MonitoredBits: The callback will be called if any of these bits are modified.
[out] Root: A handle to the virtual address space monitor object.
Return values
INT_STATUS_SUCCESS: On success.
INT_STATUS_INVALID_PARAMETER: If an invalid parameter is supplied.
INT_STATUS_INSUFFICIENT_RESOURCES: If a memory allocation fails.

Definition at line 877 of file vasmonitor.c.

◆ IntVasStopMonitorVaSpace()

INTSTATUS IntVasStopMonitorVaSpace ( QWORD  Cr3,
PVAS_ROOT  Root 
)

Stops monitoring the indicated virtual address space.

Either Cr3 or Root must be specified. If Root is specified, it will be used instead of Cr3. Otherwise, the actual entry will be searched using the provided CR3. Both arguments cannot be 0 at the same time.

Parameters
[in] Cr3: The virtual address space to stop monitoring on.
[in] Root: Handle to the virtual address space monitor.
Return values
INT_STATUS_SUCCESS: On success.
INT_STATUS_NOT_FOUND: If an indicated monitored space is not found.

Definition at line 979 of file vasmonitor.c.

◆ IntVasUnInit()

INTSTATUS IntVasUnInit ( void  )

Uninit the VAS monitor state.

Return values
INT_STATUS_SUCCESS: On success.
INT_STATUS_NOT_INITIALIZED_HINT: If the VAS state has not been initialized.

Definition at line 1143 of file vasmonitor.c.

Referenced by IntGuestUninit().