Bitdefender Hypervisor Memory Introspection
#include "thread_safeness.h"
Functions

INTSTATUS IntVeHandleHypercall (DWORD CpuNumber)
Handles hypercalls initiated by the VE agent.

INTSTATUS IntVeDeployAgent (void)
Inject the VE agent inside the guest.

INTSTATUS IntVeRemoveAgent (DWORD AgOpts)
Removes the VE agent from guest memory.

QWORD IntVeGetDriverAddress (void)
Gets the guest virtual address of the VE agent.

BOOLEAN IntVeIsPtrInAgent (QWORD Ptr, THS_PTR_TYPE Type)
Check if an address points inside the VE agent.

BOOLEAN IntVeIsCurrentRipInAgent (void)
Check if the current RIP points inside the VE agent.

INTSTATUS IntVeInit (void)
Initialize the VE system.

INTSTATUS IntVeUnInit (void)
Uninit the VE system.

void IntVeDumpVeInfoPages (void)
Dumps the VE info pages on all VCPUs.

void IntVeDumpStats (void)
Dump VE statistics.

INTSTATUS IntVeHandleEPTViolationInProtectedView (IG_EPT_ACCESS AccessType, INTRO_ACTION *Action)
Handle an EPT violation inside the protected EPT view.

void IntVeHandleGuestResumeFromSleep (void)
Simply set the VeAgentWaiting variable to true if VE is enabled.

INTSTATUS IntVeUpdateCacheEntry (QWORD Address, BOOLEAN Monitored)
Update an address inside the VE cache.

BOOLEAN IntVeIsAgentRemapped (QWORD Gla)
Checks if a given guest linear address belongs to the VE agent.
INTSTATUS IntVeDeployAgent (void)
Inject the VE agent inside the guest.
NOTE: If this function returns success, it does not mean that the VE agent has been successfully injected. It just means that it has been successfully scheduled for injection. Failures may still happen during the injection itself.
Return values:
INT_STATUS_SUCCESS: On success.
INT_STATUS_NOT_INITIALIZED: If the VE system has not been initialized.
INT_STATUS_ALREADY_INITIALIZED_HINT: If the VE agent has already been injected.
INT_STATUS_NOT_NEEDED_HINT: If the OS is not 64-bit Windows.
Definition at line 2063 of file vecore.c.
Referenced by IntGuestPreReturnCallback(), IntGuestUpdateCoreOptions(), and IntWinGuestFinishInit().
void IntVeDumpStats (void)
Dump VE statistics.
void IntVeDumpVeInfoPages (void)
Dumps the VE info pages on all VCPUs.
Definition at line 2698 of file vecore.c.
Referenced by IntGuestPrepareUninit(), IntVeHandleEPTViolationInProtectedView(), IntVeHandleHypercall(), and IntVeHandleSwap().
QWORD IntVeGetDriverAddress (void)
Gets the guest virtual address of the VE agent.
Returns: The guest virtual address where the VE agent was loaded.
Definition at line 2200 of file vecore.c.
Referenced by IntWinAgentHandleDriverVmcall().
INTSTATUS IntVeHandleEPTViolationInProtectedView (IG_EPT_ACCESS AccessType, INTRO_ACTION *Action)
Handle an EPT violation inside the protected EPT view.
This function is called from the main EPT violation handler whenever a violation takes place inside the protected EPT view. It dumps as much information as it can and generates an alert, after which the guest is re-entered. Normally this leads to a hang, because the guest keeps generating the same EPT violation; this is expected, since only a bug or an attack can produce such a violation.
Parameters:
[in] AccessType: Access type. Can be a combination of IG_EPT_HOOK_READ, IG_EPT_HOOK_WRITE and IG_EPT_HOOK_EXECUTE.
[out] Action: Desired action.
Return values:
INT_STATUS_SUCCESS: On success.
INT_STATUS_INVALID_PARAMETER: If an invalid parameter is supplied.
Definition at line 234 of file vecore.c.
Referenced by IntHandleEptViolation().
void IntVeHandleGuestResumeFromSleep (void)
Simply set the VeAgentWaiting variable to true if VE is enabled.
Definition at line 2787 of file vecore.c.
Referenced by IntNotifyGuestPowerStateChange().
INTSTATUS IntVeHandleHypercall (DWORD CpuNumber)
Handles hypercalls initiated by the VE agent.
This function handles VE agent VMCALLs. Only a few are defined:
Parameters:
[in] CpuNumber: Guest VCPU number on which the VMCALL was issued.
Return values:
INT_STATUS_SUCCESS: On success.
INT_STATUS_NOT_SUPPORTED: If an unsupported VMCALL number is raised.
INT_STATUS_RAISE_EPT: If an EPT violation must be raised. This causes the VMCALL handler to invoke the EPT violation handler, as if a regular memory access had taken place.
Definition at line 1985 of file vecore.c.
Referenced by IntHandleIntroCall().
INTSTATUS IntVeInit (void)
Initialize the VE system.
This function initializes the VE system. In order to do so, it makes sure the VE is supported on the system:
Return values:
INT_STATUS_SUCCESS: On success.
INT_STATUS_NOT_NEEDED_HINT: If VE is not supported on the system.
INT_STATUS_INVALID_INTERNAL_STATE: If there are GPA hooks set.
Definition at line 2493 of file vecore.c.
Referenced by IntWinGuestNew().
BOOLEAN IntVeIsAgentRemapped (QWORD Gla)
Checks if a given guest linear address belongs to the VE agent.
The accessed Gla is in fact the address of a page-table entry. The algorithm in this function converts the page-table-entry address into the address of the page that entry maps, by shifting the address left once for each leading self-map index it contains (each shift peels off one page-table level).
Parameters:
[in] Gla: The guest linear address to check.
Returns: True if the Gla belongs to the VE agent, false otherwise.
Definition at line 2899 of file vecore.c.
Referenced by IntDispatchVeAsEpt().
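The conversion described above, worked through in C as an added example (this is not Introcore's code). It assumes 4-level x64 paging with 48-bit linear addresses, page tables reachable through a single recursive PML4 "self-map" slot, and an agent that occupies one contiguous range; the self-map index, agent base and agent size used here are made-up constants. `entry_address_for` is the forward direction (only needed to build inputs); `self_map_unwind` is the reverse step the description refers to, and `is_agent_remapped` applies the range check. The example also handles the higher levels (PDE, PDPTE, PML4E), whose entries cover 2M, 1G and 512G regions respectively, which the page's one-sentence description does not spell out.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed geometry and constants for this illustration (not Introcore's). */
#define LA_BITS        48
#define IDX_BITS       9
#define IDX_MASK       0x1FFULL
#define LA_MASK        ((1ULL << LA_BITS) - 1)
#define PAGE_MASK      (~0xFFFULL)

#define SELF_MAP_IDX   0x1EDu                  /* assumed self-map PML4 index */
#define AGENT_BASE     0xFFFFF80012340000ULL   /* assumed agent load address  */
#define AGENT_SIZE     0x40000ULL              /* assumed agent image size    */

/* Sign-extend a 48-bit linear address into its canonical 64-bit form. */
static uint64_t canonical(uint64_t la)
{
    la &= LA_MASK;
    return (la & (1ULL << (LA_BITS - 1))) ? (la | ~LA_MASK) : la;
}

/*
 * Forward direction: linear address of the level-N entry that maps `va`
 * (level 1 = PTE, 2 = PDE, 3 = PDPTE, 4 = PML4E). The top `level` indices
 * are all the self-map index; the rest are the bits of `va` shifted down
 * by 9*level, with the low 3 bits cleared because entries are 8 bytes.
 */
uint64_t entry_address_for(uint64_t va, unsigned level, unsigned self_idx)
{
    uint64_t off = (va & LA_MASK) >> (IDX_BITS * level);
    off &= ~7ULL;
    off &= (1ULL << (LA_BITS - IDX_BITS * level)) - 1;
    for (unsigned l = 0; l < level; l++)
        off |= (uint64_t)self_idx << (LA_BITS - IDX_BITS * (l + 1));
    return canonical(off);
}

/*
 * Reverse direction, the step the description above refers to: while the
 * top index of the address is the self-map index, the address is that of a
 * page-table entry, so shift it left by one index (9 bits). Each shift peels
 * off one table level. Returns the number of levels peeled (0 means the
 * address is not inside the self-map at all) and stores the base of the
 * mapped region in *page (0 when not a page-table-entry address).
 * The loop is capped at 4 levels so a self-map address that maps a
 * page-table page (all indices equal to the self-map index) terminates.
 */
unsigned self_map_unwind(uint64_t gla, unsigned self_idx, uint64_t *page)
{
    uint64_t la = gla & LA_MASK;
    unsigned level = 0;

    while (level < 4 && ((la >> (LA_BITS - IDX_BITS)) & IDX_MASK) == self_idx) {
        la = (la << IDX_BITS) & LA_MASK;
        level++;
    }
    *page = level ? canonical(la & PAGE_MASK) : 0;
    return level;
}

/* Convenience wrapper: the region base mapped by the entry at `gla`, or 0. */
uint64_t mapped_page_of(uint64_t gla)
{
    uint64_t page;
    self_map_unwind(gla, SELF_MAP_IDX, &page);
    return page;
}

/* Size of the region one entry covers at a given level: 4K, 2M, 1G, 512G. */
static uint64_t level_span(unsigned level)
{
    return 1ULL << (12 + IDX_BITS * (level - 1));
}

/* True if the page-table entry at `gla` maps any part of the agent range. */
bool is_agent_remapped(uint64_t gla)
{
    uint64_t page;
    unsigned level = self_map_unwind(gla, SELF_MAP_IDX, &page);
    if (level == 0)
        return false;                       /* not a page-table entry */

    uint64_t span = level_span(level);
    uint64_t agent_end = AGENT_BASE + AGENT_SIZE;
    /* half-open interval overlap; both ranges are canonical-high, no wrap */
    return page < agent_end && AGENT_BASE < page + span;
}

int main(void)
{
    uint64_t va = AGENT_BASE + 0x1000;      /* a page inside the agent */
    for (unsigned level = 1; level <= 4; level++) {
        uint64_t e = entry_address_for(va, level, SELF_MAP_IDX);
        printf("level %u entry %016llx -> maps %016llx, agent: %s\n", level,
               (unsigned long long)e, (unsigned long long)mapped_page_of(e),
               is_agent_remapped(e) ? "yes" : "no");
    }
    return 0;
}
```

Because the self-map makes a PTE address for a page-table page identical to the next-level entry address for the page that table covers, the unwinding loop keeps shifting until the top index is no longer the self-map index; the result is therefore always the final data region, never an intermediate table page, which is the right thing for a "does this entry affect the agent" check.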
BOOLEAN IntVeIsCurrentRipInAgent (void)
Check if the current RIP points inside the VE agent.
This only checks if the current RIP points inside the agent. It does not care about the VE handler trampoline or cloaked code, because it is only called to check whether a VMCALL was initiated from inside the VE agent.
Returns: True if the current RIP points inside the agent, false otherwise.
Definition at line 2253 of file vecore.c.
Referenced by IntHandleIntroCall().
BOOLEAN IntVeIsPtrInAgent (QWORD Ptr, THS_PTR_TYPE Type)
Check if an address points inside the VE agent.
Parameters:
[in] Ptr: The pointer to be checked.
[in] Type: Pointer type: live RIP or stack value.
Returns: True if the pointer points inside any of the VE agent components, false otherwise.
Definition at line 2214 of file vecore.c.
Referenced by IntThrSafeIsLiveRIPInIntro(), and IntThrSafeIsStackPtrInIntro().
INTSTATUS IntVeRemoveAgent (DWORD AgOpts)
Removes the VE agent from guest memory.
NOTE: If this function returns success, it does not mean that the VE agent has been successfully removed from guest memory; it simply means it has been successfully scheduled for removal.
Parameters:
[in] AgOpts: Agent options.
Return values:
INT_STATUS_SUCCESS: On success.
INT_STATUS_NOT_NEEDED_HINT: If VE has not been initialized.
Definition at line 2116 of file vecore.c.
Referenced by IntGuestUpdateCoreOptions(), IntVeDeliverDriverForLoad(), and IntWinPowHandleEventCommon().
INTSTATUS IntVeUnInit (void)
Uninit the VE system.
This function uninits the VE system. It will destroy the protected EPT. Note that this function does not remove the VE agent from guest memory, it simply uninitializes the VE system. This function should be called only during Introcore uninit.
Definition at line 2654 of file vecore.c.
Referenced by IntGuestUninit().
INTSTATUS IntVeUpdateCacheEntry (QWORD Address, BOOLEAN Monitored)
Update an address inside the VE cache.
This function maps the cache page that should contain the entry. If the entry must be monitored (it has been hooked), it removes the entry from the cache; otherwise it adds it. Entries present in this cache are page-table entries that are not effectively monitored by Introcore, so writes to them can be safely emulated inside the guest without issuing a VMCALL to Introcore. Address is the address of the page-table entry, not of a page table: the cache works with entries, not pages.
Parameters:
[in] Address: Page-table entry address to be added to or removed from the cache.
[in] Monitored: True if the entry must be monitored (remove it from the cache), false otherwise.
Return values:
INT_STATUS_SUCCESS: On success.
INT_STATUS_NOT_INITIALIZED_HINT: If VE is not initialized or the agent is not injected.
Definition at line 2799 of file vecore.c.
Referenced by IntHookPtmSetHook(), and IntHookPtmWriteCallback().
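A model of the contract this cache gives the in-guest agent, as an added example (not Introcore's code): the cache holds page-table-entry addresses that are known not to be hooked, an update with `Monitored == true` evicts an entry, an update with `Monitored == false` inserts it, and on a #VE for a page-table write the agent emulates locally only if the entry is cached, otherwise it falls back to a VMCALL. The geometry (a direct-mapped table of 1024 slots), the hash, the enum and the function names are invented for the example; the safety property it illustrates is that a miss or an eviction costs only a VMCALL, while a stale hit would let a hooked entry be written without Introcore seeing it, which is why a hook must remove the entry before the hook takes effect.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Invented geometry for this illustration (not Introcore's layout). */
#define CACHE_SLOTS 1024u
#define PTE_SIZE    8u

typedef enum { PTE_WRITE_EMULATE, PTE_WRITE_VMCALL } pte_write_action;

typedef struct {
    uint64_t entry[CACHE_SLOTS];    /* page-table-entry address, 0 = empty */
} ve_cache;

ve_cache demo_cache;                /* shared instance used by main() */

static unsigned slot_for(uint64_t pte_addr)
{
    uint64_t k = pte_addr / PTE_SIZE;   /* entries are 8-byte aligned */
    k ^= k >> 20;                       /* mix higher (table-level) bits in */
    return (unsigned)(k % CACHE_SLOTS);
}

void ve_cache_init(ve_cache *c)
{
    memset(c, 0, sizeof *c);
}

/*
 * Same contract as IntVeUpdateCacheEntry: monitored == true removes the
 * entry (a hook was placed on it), monitored == false adds it (no hook).
 * Returns true if the cache contents changed.
 */
bool ve_cache_update(ve_cache *c, uint64_t pte_addr, bool monitored)
{
    if (pte_addr == 0 || (pte_addr & (PTE_SIZE - 1)))
        return false;                   /* not a page-table-entry address */

    unsigned s = slot_for(pte_addr);
    if (monitored) {
        if (c->entry[s] != pte_addr)
            return false;               /* not cached, nothing to remove */
        c->entry[s] = 0;
        return true;
    }
    /* A collision evicts the older entry. Losing a cached entry only costs
     * an extra VMCALL later; it never lets a hooked write slip through. */
    bool changed = c->entry[s] != pte_addr;
    c->entry[s] = pte_addr;
    return changed;
}

bool ve_cache_contains(const ve_cache *c, uint64_t pte_addr)
{
    return pte_addr != 0 && c->entry[slot_for(pte_addr)] == pte_addr;
}

/* Decision the in-guest agent takes on a #VE for a page-table write. */
pte_write_action agent_on_pte_write(const ve_cache *c, uint64_t pte_addr)
{
    return ve_cache_contains(c, pte_addr) ? PTE_WRITE_EMULATE : PTE_WRITE_VMCALL;
}

int main(void)
{
    const uint64_t pte = 0xFFFFF6FC00091A08ULL;   /* constructed PTE address */
    ve_cache_init(&demo_cache);

    printf("unknown entry   -> %s\n",
           agent_on_pte_write(&demo_cache, pte) == PTE_WRITE_VMCALL ? "VMCALL" : "emulate");
    ve_cache_update(&demo_cache, pte, false);     /* Introcore: not hooked */
    printf("cached entry    -> %s\n",
           agent_on_pte_write(&demo_cache, pte) == PTE_WRITE_VMCALL ? "VMCALL" : "emulate");
    ve_cache_update(&demo_cache, pte, true);      /* Introcore: hook placed */
    printf("monitored entry -> %s\n",
           agent_on_pte_write(&demo_cache, pte) == PTE_WRITE_VMCALL ? "VMCALL" : "emulate");
    return 0;
}
```

The ordering matters for the callers listed above: IntHookPtmSetHook must call the update with Monitored == true before the hook is live, so that there is no window in which the agent emulates a write to an entry Introcore already considers protected.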