Bitdefender Hypervisor Memory Introspection
vecommon.h
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2020 Bitdefender
3  * SPDX-License-Identifier: Apache-2.0
4  */
5 #ifndef _VECOMMON_H_
6 #define _VECOMMON_H_
7 
17 
18 
20 #define VE_VMCALL_OP 0x22
21 #define VE_VMCALL_SUBOP 0x18
23 
24 
31 #define VE_HCALL_NOP 0
32 
40 #define VE_HCALL_BREAK 1
41 
49 #define VE_HCALL_TRACE 2
50 
56 #define VE_HCALL_RAISE_EPT 3
57 
58 
59 
60 #pragma pack(push)
61 #pragma pack(1)
62 
63 
67 typedef struct _REGISTERS
68 {
69  QWORD RAX; // Offset 0x30
70  QWORD RCX; // Offset 0x38
71  QWORD RDX; // Offset 0x40
72  QWORD RBX; // Offset 0x48
73  QWORD RSP; // Offset 0x50
74  QWORD RBP; // Offset 0x58
75  QWORD RSI; // Offset 0x60
76  QWORD RDI; // Offset 0x68
77  QWORD R8; // Offset 0x70
78  QWORD R9; // Offset 0x78
79  QWORD R10; // Offset 0x80
80  QWORD R11; // Offset 0x88
81  QWORD R12; // Offset 0x90
82  QWORD R13; // Offset 0x98
83  QWORD R14; // Offset 0xA0
84  QWORD R15; // Offset 0xA8
85  QWORD RIP; // Offset 0xB0
86  QWORD CS; // Offset 0xB8
87  QWORD RFLAGS; // Offset 0xC0
88  QWORD CR0; // Offset 0xC8
89  QWORD CR3; // Offset 0xD0
90  QWORD CR4; // Offset 0xD8
91  QWORD DR7; // Offset 0xE0
92  QWORD SS; // Offset 0xE8
93  QWORD MXCSR; // Offset 0xF0
94  QWORD Reserved2; // Offset 0xF8
95  BYTE XMM[256]; // Offset 0x100-0x200
96 
97 } REGISTERS, *PREGISTERS;
98 
99 
107 typedef struct _VECPU
108 {
109  // #VE information area.
110  DWORD Reason;
111  DWORD Reserved;
112  QWORD Qualification;
115  QWORD GuestLinearAddress;
116  QWORD GuestPhysicalAddress;
117  QWORD EptpIndex;
118  QWORD Reserved2;
119 
120  REGISTERS Registers;
121 
122  PBYTE ProtectedStack;
123  PBYTE OriginalStack;
124 
125  QWORD OldValue;
126  QWORD NewValue;
127 
128  QWORD VeTotal;
129  QWORD VeMm;
130  QWORD VePageWalk;
131  QWORD VeIgnoredTotal;
132  QWORD VeIgnoredCache;
134  QWORD VeIgnoredIrrelevant;
136 
138  QWORD TscTotal;
139  QWORD TscCount;
140 
141  // fetched instruction bytes.
142  BYTE Instruction[16];
143 
144  QWORD Self;
145  QWORD Index;
146 
147  BOOLEAN Raised;
148 
149 } VECPU, *PVECPU;
150 
151 #pragma pack(pop)
152 
154 #define VE_STACK_SIZE 0x4000
155 
157 #define VE_MAX_CPUS 64
158 
159 
163 typedef union _VECPU_PAGE
164 {
165  VECPU Cpu;
166  BYTE Page[0x1000];
167 } VECPU_PAGE, *PVECPU_PAGE;
168 
169 
173 typedef struct _VE_STACK
174 {
175  BYTE Stack[VE_STACK_SIZE];
176 } VE_STACK, *PVE_STACK;
177 
178 
187 
189 #define VE_CACHE_LINES 64
190 #define VE_CACHE_BUCKETS 64
192 #define VE_CACHE_ENTRIES 8
194 
195 #define VE_CACHE_GET_LINE(x) (((x) >> 12) & (VE_CACHE_LINES - 1))
196 #define VE_CACHE_GET_BUCKET(x) (((x) >> 3) & (VE_CACHE_BUCKETS - 1))
197 
201 typedef struct _VE_CACHE_LINE
202 {
203  QWORD Entries[VE_CACHE_BUCKETS][VE_CACHE_ENTRIES];
204 } VE_CACHE_LINE;
205 
206 
210 typedef unsigned int VESTATUS;
211 
212 #define VE_STATUS_SUCCESS 0x00000000
213 #define VE_STATUS_ERROR 0x80000000
214 #define VE_STATUS_NOT_SUPPORTED 0x80000001
215 #define VE_STATUS_DISASM_ERROR 0x80000002
216 #define VE_STATUS_PAGE_NOT_PRESENT 0x80000003
217 #define VE_STATUS_ACCESS_DENIED 0x80000004
218 
219 #define VE_SUCCESS(s) ((s) < VE_STATUS_ERROR)
220 
221 #define VE_BREAK_UNKNOWN_EXIT 0x00000001
222 #define VE_BREAK_PAGE_WALK_FAILED 0x00000002
223 #define VE_BREAK_EMULATION_FAILED 0x00000003
224 #define VE_BREAK_CS_NOT_KERNEL 0x00000004
225 
226 
227 #endif // _VECOMMON_H_
_VECPU::Reserved2
QWORD Reserved2
Reserved by Intel.
Definition: vecommon.h:118
_REGISTERS::RSP
QWORD RSP
Definition: vecommon.h:73
_VECPU::VeMm
QWORD VeMm
Number of VEs generated by the OS.
Definition: vecommon.h:129
BOOLEAN
_Bool BOOLEAN
Definition: intro_types.h:58
VE_CACHE_BUCKETS
#define VE_CACHE_BUCKETS
64 buckets/line, indexed by bits [3, 8] inside the page-table entry address.
Definition: vecommon.h:191
_VECPU::OldValue
QWORD OldValue
Old page-table entry.
Definition: vecommon.h:125
_REGISTERS::RDX
QWORD RDX
Definition: vecommon.h:71
_REGISTERS::CR0
QWORD CR0
Definition: vecommon.h:88
BYTE
uint8_t BYTE
Definition: intro_types.h:47
_VECPU::GuestPhysicalAddress
QWORD GuestPhysicalAddress
Same as the GPA field provided on EPT Violations.
Definition: vecommon.h:116
_VECPU::TscTotal
QWORD TscTotal
Total number of CPU ticks spent inside the agent.
Definition: vecommon.h:138
VE_STACK
struct _VE_STACK VE_STACK
_REGISTERS::RAX
QWORD RAX
Definition: vecommon.h:69
PREGISTERS
struct _REGISTERS * PREGISTERS
PVE_STACK
struct _VE_STACK * PVE_STACK
VE_STACK_SIZE
#define VE_STACK_SIZE
Total size of the stack used by the VE agent.
Definition: vecommon.h:154
VE_CACHE_ENTRIES
#define VE_CACHE_ENTRIES
8 entries/bucket.
Definition: vecommon.h:193
_VECPU::NewValue
QWORD NewValue
New page-table entry.
Definition: vecommon.h:126
_REGISTERS::R11
QWORD R11
Definition: vecommon.h:80
PVECPU
struct _VECPU * PVECPU
_VECPU::Registers
REGISTERS Registers
Offset 0x30 - 0x200, general purpose registers.
Definition: vecommon.h:120
_VE_STACK
Definition: vecommon.h:173
_REGISTERS::DR7
QWORD DR7
Definition: vecommon.h:91
_REGISTERS::RIP
QWORD RIP
Definition: vecommon.h:85
_REGISTERS::MXCSR
QWORD MXCSR
Definition: vecommon.h:93
_REGISTERS::CR4
QWORD CR4
Definition: vecommon.h:90
_REGISTERS
Definition: vecommon.h:67
_VECPU::VeTotal
QWORD VeTotal
Total number of VEs.
Definition: vecommon.h:128
_REGISTERS::Reserved2
QWORD Reserved2
Definition: vecommon.h:94
VECPU
struct _VECPU VECPU
_REGISTERS::R12
QWORD R12
Definition: vecommon.h:81
_REGISTERS::R14
QWORD R14
Definition: vecommon.h:83
_VECPU::ProtectedStack
PBYTE ProtectedStack
Offset 0x200, the protected stack.
Definition: vecommon.h:122
_REGISTERS::RBX
QWORD RBX
Definition: vecommon.h:72
PBYTE
uint8_t * PBYTE
Definition: intro_types.h:47
_VECPU::TscCount
QWORD TscCount
Total number of times the agent has been invoked.
Definition: vecommon.h:139
_VECPU::EptpIndex
QWORD EptpIndex
The index of the EPT in which the fault took place.
Definition: vecommon.h:117
QWORD
unsigned long long QWORD
Definition: intro_types.h:53
_REGISTERS::R10
QWORD R10
Definition: vecommon.h:79
_VECPU
Definition: vecommon.h:107
PVECPU_PAGE
union _VECPU_PAGE * PVECPU_PAGE
_REGISTERS::RDI
QWORD RDI
Definition: vecommon.h:76
VECPU_PAGE
union _VECPU_PAGE VECPU_PAGE
_VECPU::GuestLinearAddress
QWORD GuestLinearAddress
Same as the GLA field provided on EPT Violations.
Definition: vecommon.h:115
_VECPU::Self
QWORD Self
Pointer to self.
Definition: vecommon.h:144
_REGISTERS::R8
QWORD R8
Definition: vecommon.h:77
_REGISTERS::RBP
QWORD RBP
Definition: vecommon.h:74
_REGISTERS::CR3
QWORD CR3
Definition: vecommon.h:89
_VECPU::Raised
BOOLEAN Raised
True if the current VE has been sent to Introcore via VMCALL.
Definition: vecommon.h:147
DWORD
uint32_t DWORD
Definition: intro_types.h:49
_REGISTERS::SS
QWORD SS
Definition: vecommon.h:92
_REGISTERS::R13
QWORD R13
Definition: vecommon.h:82
_VE_CACHE_LINE
Definition: vecommon.h:201
_VECPU::VeIgnoredTotal
QWORD VeIgnoredTotal
Definition: vecommon.h:131
_VECPU_PAGE::Cpu
VECPU Cpu
The VE info page.
Definition: vecommon.h:165
VE_CACHE_LINE
struct _VE_CACHE_LINE VE_CACHE_LINE
_REGISTERS::CS
QWORD CS
Definition: vecommon.h:86
_VECPU::Reserved
DWORD Reserved
Definition: vecommon.h:111
_REGISTERS::RFLAGS
QWORD RFLAGS
Definition: vecommon.h:87
VESTATUS
unsigned int VESTATUS
Definition: vecommon.h:210
_VECPU::OriginalStack
PBYTE OriginalStack
Offset 0x208, the original stack.
Definition: vecommon.h:123
_VECPU::VePageWalk
QWORD VePageWalk
Number of VEs generated by the CPU page-walker.
Definition: vecommon.h:130
Page
VE_CACHE_LINE * Page
Mapped page inside Introspection virtual address space.
Definition: vecore.c:120
_REGISTERS::RSI
QWORD RSI
Definition: vecommon.h:75
_REGISTERS::RCX
QWORD RCX
Definition: vecommon.h:70
_REGISTERS::XMM
BYTE XMM[256]
Definition: vecommon.h:95
_VECPU_PAGE
Definition: vecommon.h:163
REGISTERS
struct _REGISTERS REGISTERS
_VECPU::Reason
DWORD Reason
Same as the basic VM Exit reason.
Definition: vecommon.h:110
_REGISTERS::R15
QWORD R15
Definition: vecommon.h:84
_REGISTERS::R9
QWORD R9
Definition: vecommon.h:78
_VECPU::Index
QWORD Index
VCPU index.
Definition: vecommon.h:145