Bitdefender Hypervisor Memory Introspection
vecommon.h File Reference

This file is common between the VE driver and the introspection engine.


Data Structures

struct  _REGISTERS
 
struct  _VECPU
 
union  _VECPU_PAGE
 
struct  _VE_STACK
 
struct  _VE_CACHE_LINE
 

Macros

#define VE_VMCALL_OP   0x22
 Major VMCALL number (as defined by Xen, passed in EAX).
 
#define VE_VMCALL_SUBOP   0x18
 Minor VMCALL number (as defined by Xen, passed in EDI on x64, EBX on x86).
 
#define VE_HCALL_NOP   0
 
#define VE_HCALL_BREAK   1
 
#define VE_HCALL_TRACE   2
 
#define VE_HCALL_RAISE_EPT   3
 
#define VE_STACK_SIZE   0x4000
 Total size of the stack used by the VE agent.
 
#define VE_MAX_CPUS   64
 Currently, VE supports at most 64 VCPUs.
 
#define VE_CACHE_LINES   64
 64 cache lines (pages), indexed by bits [12, 17] inside the page-table address.
 
#define VE_CACHE_BUCKETS   64
 64 buckets/line, indexed by bits [3, 8] inside the page-table entry address.
 
#define VE_CACHE_ENTRIES   8
 8 entries/bucket.
 
#define VE_CACHE_GET_LINE(x)   (((x) >> 12) & (VE_CACHE_LINES - 1))
 
#define VE_CACHE_GET_BUCKET(x)   (((x) >> 3) & (VE_CACHE_BUCKETS - 1))
 
#define VE_STATUS_SUCCESS   0x00000000
 
#define VE_STATUS_ERROR   0x80000000
 
#define VE_STATUS_NOT_SUPPORTED   0x80000001
 
#define VE_STATUS_DISASM_ERROR   0x80000002
 
#define VE_STATUS_PAGE_NOT_PRESENT   0x80000003
 
#define VE_STATUS_ACCESS_DENIED   0x80000004
 
#define VE_SUCCESS(s)   ((s) < VE_STATUS_ERROR)
 
#define VE_BREAK_UNKNOWN_EXIT   0x00000001
 
#define VE_BREAK_PAGE_WALK_FAILED   0x00000002
 
#define VE_BREAK_EMULATION_FAILED   0x00000003
 
#define VE_BREAK_CS_NOT_KERNEL   0x00000004
 

Typedefs

typedef struct _REGISTERS REGISTERS
 
typedef struct _REGISTERS * PREGISTERS
 
typedef struct _VECPU VECPU
 
typedef struct _VECPU * PVECPU
 
typedef union _VECPU_PAGE VECPU_PAGE
 
typedef union _VECPU_PAGE * PVECPU_PAGE
 
typedef struct _VE_STACK VE_STACK
 
typedef struct _VE_STACK * PVE_STACK
 
typedef struct _VE_CACHE_LINE VE_CACHE_LINE
 
typedef unsigned int VESTATUS
 

Detailed Description

This file is common between the VE driver and the introspection engine.

This file contains definitions shared between the VE agent and the introspection engine. The most important ones are the VE info page (which is kept mapped inside Introcore, for quick access to the instruction and page-table values) and the statuses.

Definition in file vecommon.h.

Macro Definition Documentation

◆ VE_BREAK_CS_NOT_KERNEL

#define VE_BREAK_CS_NOT_KERNEL   0x00000004

Definition at line 224 of file vecommon.h.

◆ VE_BREAK_EMULATION_FAILED

#define VE_BREAK_EMULATION_FAILED   0x00000003

Definition at line 223 of file vecommon.h.

◆ VE_BREAK_PAGE_WALK_FAILED

#define VE_BREAK_PAGE_WALK_FAILED   0x00000002

Definition at line 222 of file vecommon.h.

◆ VE_BREAK_UNKNOWN_EXIT

#define VE_BREAK_UNKNOWN_EXIT   0x00000001

Definition at line 221 of file vecommon.h.

◆ VE_CACHE_BUCKETS

#define VE_CACHE_BUCKETS   64

64 buckets/line, indexed by bits [3, 8] inside the page-table entry address.

Definition at line 191 of file vecommon.h.

◆ VE_CACHE_ENTRIES

#define VE_CACHE_ENTRIES   8

8 entries/bucket.

Definition at line 193 of file vecommon.h.

Referenced by IntVeUpdateCacheEntry().

◆ VE_CACHE_GET_BUCKET

#define VE_CACHE_GET_BUCKET(x)   (((x) >> 3) & (VE_CACHE_BUCKETS - 1))

Definition at line 196 of file vecommon.h.

Referenced by IntVeUpdateCacheEntry().

◆ VE_CACHE_GET_LINE

#define VE_CACHE_GET_LINE(x)   (((x) >> 12) & (VE_CACHE_LINES - 1))

Definition at line 195 of file vecommon.h.

Referenced by IntVeUpdateCacheEntry().

◆ VE_CACHE_LINES

#define VE_CACHE_LINES   64

64 cache lines (pages), indexed by bits [12, 17] inside the page-table address.

Page-Table cache related structures. The cache uses a double indexing algorithm; assuming value X is a page-table entry address:

  • Use bits [12, 17] in X to index the cache line
  • Use bits [3, 8] in X to index a bucket/way inside the line
  • Iterate each entry inside the bucket, and compare it with X. One page (one cache line) will contain 512 entries (64 buckets of 8 entries each, per VE_CACHE_BUCKETS and VE_CACHE_ENTRIES), so this behaves like a 4K 8-way associative cache.

Definition at line 189 of file vecommon.h.

Referenced by IntVeDeliverDriverForUnload(), and IntVeHandleSwap().

◆ VE_HCALL_BREAK

#define VE_HCALL_BREAK   1

Logs the message string stored by the #VE driver for the current CPU. Input: RAX = VE_VMCALL_OP; RDI = VE_VMCALL_SUBOP; RSI = 0; RDX = VE_HCALL_BREAK; RBX = reason; RCX = reason parameter.

Definition at line 40 of file vecommon.h.

Referenced by IntVeHandleHypercall().

◆ VE_HCALL_NOP

#define VE_HCALL_NOP   0

NOP. Input: RAX = VE_VMCALL_OP; RDI = VE_VMCALL_SUBOP; RSI = 0; RDX = VE_HCALL_NOP; RBX = ignored.

Definition at line 31 of file vecommon.h.

Referenced by IntVeHandleHypercall().

◆ VE_HCALL_RAISE_EPT

#define VE_HCALL_RAISE_EPT   3

Raises an EPT exception. Input: RAX = VE_VMCALL_OP; RDI = VE_VMCALL_SUBOP; RSI = 0; RDX = VE_HCALL_RAISE_EPT.

Definition at line 56 of file vecommon.h.

Referenced by IntVeHandleHypercall().

◆ VE_HCALL_TRACE

#define VE_HCALL_TRACE   2

Trace #VE agent execution to Introcore. Input: RAX = VE_VMCALL_OP; RDI = VE_VMCALL_SUBOP; RSI = 0; RDX = VE_HCALL_TRACE; RBX = parameter 1; RCX = parameter 2.

Definition at line 49 of file vecommon.h.

Referenced by IntVeHandleHypercall().

◆ VE_MAX_CPUS

#define VE_MAX_CPUS   64

Currently, VE supports at most 64 VCPUs.

Definition at line 157 of file vecommon.h.

Referenced by IntVeInit().

◆ VE_STACK_SIZE

#define VE_STACK_SIZE   0x4000

Total size of the stack used by the VE agent.

Definition at line 154 of file vecommon.h.

Referenced by IntVeDeliverDriverForLoad().

◆ VE_STATUS_ACCESS_DENIED

#define VE_STATUS_ACCESS_DENIED   0x80000004

Definition at line 217 of file vecommon.h.

◆ VE_STATUS_DISASM_ERROR

#define VE_STATUS_DISASM_ERROR   0x80000002

Definition at line 215 of file vecommon.h.

◆ VE_STATUS_ERROR

#define VE_STATUS_ERROR   0x80000000

Definition at line 213 of file vecommon.h.

◆ VE_STATUS_NOT_SUPPORTED

#define VE_STATUS_NOT_SUPPORTED   0x80000001

Definition at line 214 of file vecommon.h.

◆ VE_STATUS_PAGE_NOT_PRESENT

#define VE_STATUS_PAGE_NOT_PRESENT   0x80000003

Definition at line 216 of file vecommon.h.

◆ VE_STATUS_SUCCESS

#define VE_STATUS_SUCCESS   0x00000000

Definition at line 212 of file vecommon.h.

◆ VE_SUCCESS

#define VE_SUCCESS(s)   ((s) < VE_STATUS_ERROR)

Definition at line 219 of file vecommon.h.

◆ VE_VMCALL_OP

#define VE_VMCALL_OP   0x22

Major VMCALL number (as defined by Xen, passed in EAX).

Definition at line 20 of file vecommon.h.

◆ VE_VMCALL_SUBOP

#define VE_VMCALL_SUBOP   0x18

Minor VMCALL number (as defined by Xen, passed in EDI on x64, EBX on x86).

Definition at line 22 of file vecommon.h.

Typedef Documentation

◆ PREGISTERS

typedef struct _REGISTERS * PREGISTERS

◆ PVE_STACK

typedef struct _VE_STACK * PVE_STACK

◆ PVECPU

typedef struct _VECPU * PVECPU

◆ PVECPU_PAGE

typedef union _VECPU_PAGE * PVECPU_PAGE

◆ REGISTERS

typedef struct _REGISTERS REGISTERS

General purpose registers state. Offsets are relative to the beginning of the VE info page.

◆ VE_CACHE_LINE

typedef struct _VE_CACHE_LINE VE_CACHE_LINE

One VE cache line.

◆ VE_STACK

typedef struct _VE_STACK VE_STACK

VE agent stack.

◆ VECPU

typedef struct _VECPU VECPU

The VE information page. One such structure, that spans an entire page, must be present for each VCPU. The address of the VE info page (host physical address) is stored inside the VMCS, and when a VE is generated, the CPU will store in it information related to the event. Right now, only EPT violation events can be delivered as virtualization exceptions. The beginning of the page is reserved for the CPU, but the rest of it is used by the VE agent and Introcore.

◆ VECPU_PAGE

typedef union _VECPU_PAGE VECPU_PAGE

VE info page. Used in order to force the size of the page to exactly 4K.

◆ VESTATUS

typedef unsigned int VESTATUS

VE status.

Definition at line 210 of file vecommon.h.