Bitdefender Hypervisor Memory Introspection
vasmonitor.h
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2020 Bitdefender
3  * SPDX-License-Identifier: Apache-2.0
4  */
5 #ifndef _VASMONITOR_H_
6 #define _VASMONITOR_H_
7 
8 #include "hook_ptwh.h"
9 
10 
25 typedef INTSTATUS
26 (*PFUNC_VaSpaceModificationCallback)(
27  _In_ void *Context,
28  _In_ QWORD VirtualAddress,
29  _In_ QWORD OldEntry,
30  _In_ QWORD NewEntry,
31  _In_ QWORD PageSize
32  );
33 
34 
35 #define VAS_COMPUTE_GLA_64(Base, Index, Level) (PAGE_SX((Base) | ((QWORD)(Index) << ((((Level) - 1) * 9) + 12))))
36 #define VAS_COMPUTE_GLA_PAE(Base, Index, Level) ((Base) | ((QWORD)(Index) << ((((Level) - 1) * 9) + 12)))
37 #define VAS_COMPUTE_GLA_32(Base, Index, Level) ((Base) | ((QWORD)(Index) << ((((Level) - 1) * 10) + 12)))
38 
39 #define VAS_COMPUTE_GLA(Base, Index, Level, Pg) ( \
40  (Pg) == PAGING_5_LEVEL_MODE ? VAS_COMPUTE_GLA_64((Base), (Index), (Level)) : \
41  (Pg) == PAGING_4_LEVEL_MODE ? VAS_COMPUTE_GLA_64((Base), (Index), (Level)) : \
42  (Pg) == PAGING_PAE_MODE ? VAS_COMPUTE_GLA_PAE((Base), (Index), (Level)) : \
43  (Pg) == PAGING_NORMAL_MODE ? VAS_COMPUTE_GLA_32((Base), (Index), (Level)) : 0 \
44  )
45 
46 #define VAS_TRANSITIONS_THRESHOLD 64
47 #define VAS_TOTAL_WRITES_THESHOLD 4096
48 
49 
53 typedef struct _VAS_TABLE_ENTRY
54 {
55  HOOK_PTEWS WriteState;
56 } VAS_TABLE_ENTRY, *PVAS_TABLE_ENTRY;
57 
58 
62 typedef struct _VAS_TABLE
63 {
64  struct _VAS_ROOT *Root;
65  void *WriteHook;
66  PVAS_TABLE_ENTRY Entries;
67  struct _VAS_TABLE **Tables;
68  QWORD LinearAddress;
69  DWORD WriteCount;
70  WORD EntriesCount;
72  BYTE Level;
73  BYTE PagingMode;
74 } VAS_TABLE, *PVAS_TABLE;
75 
76 
80 typedef struct _VAS_ROOT
81 {
82  LIST_ENTRY Link;
83  QWORD Cr3;
84  void *Context;
85  QWORD MonitoredBits;
86  PFUNC_VaSpaceModificationCallback Callback;
87  PVAS_TABLE Table;
89 } VAS_ROOT, *PVAS_ROOT;
90 
91 
92 
93 //
94 // API
95 //
96 INTSTATUS
97 IntVasStartMonitorVaSpace(
98  _In_ QWORD Cr3,
99  _In_ PFUNC_VaSpaceModificationCallback Callback,
100  _In_ void *Context,
101  _In_ QWORD MonitoredBits,
102  _Out_ void **Root
103  );
104 
105 INTSTATUS
106 IntVasStopMonitorVaSpace(
107  _In_opt_ QWORD Cr3,
108  _In_opt_ PVAS_ROOT Root
109  );
110 
111 INTSTATUS
112 IntVasDump(
113  _In_ QWORD Cr3
114  );
115 
116 INTSTATUS
117 IntVasInit(
118  void
119  );
120 
121 INTSTATUS
122 IntVasUnInit(
123  void
124  );
125 
126 
127 #endif // _VASMONITOR_H_
_In_opt_
#define _In_opt_
Definition: intro_sal.h:16
_VAS_TABLE::WriteCount
DWORD WriteCount
Definition: vasmonitor.h:69
_Out_
#define _Out_
Definition: intro_sal.h:22
IntVasUnInit
INTSTATUS IntVasUnInit(void)
Uninit the VAS monitor state.
Definition: vasmonitor.c:1143
BYTE
uint8_t BYTE
Definition: intro_types.h:47
_In_
#define _In_
Definition: intro_sal.h:21
WORD
uint16_t WORD
Definition: intro_types.h:48
IntVasInit
INTSTATUS IntVasInit(void)
Initialize the VAS monitor state.
Definition: vasmonitor.c:1125
_VAS_TABLE::LinearAddress
QWORD LinearAddress
The first linear address translated by this table.
Definition: vasmonitor.h:68
_VAS_TABLE::PagingMode
BYTE PagingMode
Paging mode.
Definition: vasmonitor.h:73
IntVasDump
INTSTATUS IntVasDump(QWORD Cr3)
Dump the monitored tables for the indicated Cr3.
Definition: vasmonitor.c:1077
_VAS_TABLE::Level
BYTE Level
The level of the current page table.
Definition: vasmonitor.h:72
_VAS_TABLE
Definition: vasmonitor.h:62
INTSTATUS
int INTSTATUS
The status data type.
Definition: introstatus.h:24
_VAS_ROOT::Link
LIST_ENTRY Link
List entry link.
Definition: vasmonitor.h:82
_VAS_TABLE_ENTRY
Definition: vasmonitor.h:53
PVAS_ROOT
struct _VAS_ROOT * PVAS_ROOT
PVAS_TABLE_ENTRY
struct _VAS_TABLE_ENTRY * PVAS_TABLE_ENTRY
_VAS_TABLE::Root
struct _VAS_ROOT * Root
The root handle.
Definition: vasmonitor.h:64
_VAS_TABLE_ENTRY::WriteState
HOOK_PTEWS WriteState
Write state of each page-table entry.
Definition: vasmonitor.h:55
VAS_TABLE
struct _VAS_TABLE VAS_TABLE
PVAS_TABLE
struct _VAS_TABLE * PVAS_TABLE
IntVasStopMonitorVaSpace
INTSTATUS IntVasStopMonitorVaSpace(QWORD Cr3, PVAS_ROOT Root)
Stops monitoring the indicated virtual address space.
Definition: vasmonitor.c:979
QWORD
unsigned long long QWORD
Definition: intro_types.h:53
_VAS_ROOT::Context
void * Context
Optional context, will be passed to the callback.
Definition: vasmonitor.h:84
_HOOK_PTEWS
Definition: hook_ptwh.h:18
_VAS_TABLE::WriteHook
void * WriteHook
The write hook handle.
Definition: vasmonitor.h:65
hook_ptwh.h
_VAS_TABLE::Tables
struct _VAS_TABLE ** Tables
Pointer to children tables, for each valid entry. NULL for leafs.
Definition: vasmonitor.h:67
_VAS_TABLE::Entries
PVAS_TABLE_ENTRY Entries
Children entries.
Definition: vasmonitor.h:66
DWORD
uint32_t DWORD
Definition: intro_types.h:49
_VAS_ROOT::MonitoredBits
QWORD MonitoredBits
Monitored bits inside page-table entries.
Definition: vasmonitor.h:85
_VAS_ROOT::Callback
PFUNC_VaSpaceModificationCallback Callback
Definition: vasmonitor.h:86
_VAS_ROOT
Definition: vasmonitor.h:80
_VAS_TABLE::EntriesCount
WORD EntriesCount
The number of entries. It can vary from 4 to 512 to 1024, depending on mode.
Definition: vasmonitor.h:71
VAS_ROOT
struct _VAS_ROOT VAS_ROOT
PFUNC_VaSpaceModificationCallback
INTSTATUS(* PFUNC_VaSpaceModificationCallback)(void *Context, QWORD VirtualAddress, QWORD OldEntry, QWORD NewEntry, QWORD PageSize)
Translation modification callback.
Definition: vasmonitor.h:26
IntVasStartMonitorVaSpace
INTSTATUS IntVasStartMonitorVaSpace(QWORD Cr3, PFUNC_VaSpaceModificationCallback Callback, void *Context, QWORD MonitoredBits, void **Root)
Start monitoring the indicated virtual address space.
Definition: vasmonitor.c:877
_VAS_ROOT::Cr3
QWORD Cr3
Monitored virtual address space.
Definition: vasmonitor.h:83
VAS_TABLE_ENTRY
struct _VAS_TABLE_ENTRY VAS_TABLE_ENTRY
_LIST_ENTRY
Definition: introlists.h:16