Bitdefender Hypervisor Memory Introspection
vecore.h File Reference
#include "thread_safeness.h"

Functions

INTSTATUS IntVeHandleHypercall (DWORD CpuNumber)
  Handles hyper calls initiated by the VE agent.

INTSTATUS IntVeDeployAgent (void)
  Inject the VE agent inside the guest.

INTSTATUS IntVeRemoveAgent (DWORD AgOpts)
  Removes the VE agent from guest memory.

QWORD IntVeGetDriverAddress (void)
  Gets the guest virtual address of the VE agent.

BOOLEAN IntVeIsPtrInAgent (QWORD Ptr, THS_PTR_TYPE Type)
  Check if an address points inside the VE agent.

BOOLEAN IntVeIsCurrentRipInAgent (void)
  Check if the current RIP points inside the VE agent.

INTSTATUS IntVeInit (void)
  Initialize the VE system.

INTSTATUS IntVeUnInit (void)
  Uninit the VE system.

void IntVeDumpVeInfoPages (void)
  Dumps the VE info pages on all VCPUs.

void IntVeDumpStats (void)
  Dump VE statistics.

INTSTATUS IntVeHandleEPTViolationInProtectedView (IG_EPT_ACCESS AccessType, INTRO_ACTION *Action)
  Handle an EPT violation inside the protected EPT view.

void IntVeHandleGuestResumeFromSleep (void)
  Simply set the VeAgentWaiting variable to true if VE is enabled.

INTSTATUS IntVeUpdateCacheEntry (QWORD Address, BOOLEAN Monitored)
  Update an address inside the VE cache.

BOOLEAN IntVeIsAgentRemapped (QWORD Gla)
  Checks if a given guest linear address belongs to the VE agent.
 

Function Documentation

◆ IntVeDeployAgent()

INTSTATUS IntVeDeployAgent (void)

Inject the VE agent inside the guest.

NOTE: If this function returns success, it does not mean that the VE agent has been successfully injected. It just means that it has been successfully scheduled for injection. Failures may still happen during the injection itself.

Return values
  INT_STATUS_SUCCESS: On success.
  INT_STATUS_NOT_INITIALIZED: If the VE system has not been initialized.
  INT_STATUS_ALREADY_INITIALIZED_HINT: If the VE agent has already been injected.
  INT_STATUS_NOT_NEEDED_HINT: If the OS is not 64-bit Windows.

Definition at line 2063 of file vecore.c.

Referenced by IntGuestPreReturnCallback(), IntGuestUpdateCoreOptions(), and IntWinGuestFinishInit().

◆ IntVeDumpStats()

void IntVeDumpStats (void)

Dump VE statistics.

Definition at line 2719 of file vecore.c.

Referenced by IntHandleTimer().

◆ IntVeDumpVeInfoPages()

void IntVeDumpVeInfoPages (void)

Dumps the VE info pages on all VCPUs.

Definition at line 2698 of file vecore.c.

Referenced by IntGuestPrepareUninit(), IntVeHandleEPTViolationInProtectedView(), IntVeHandleHypercall(), and IntVeHandleSwap().

◆ IntVeGetDriverAddress()

QWORD IntVeGetDriverAddress (void)

Gets the guest virtual address of the VE agent.

Return values
  The guest virtual address where the VE agent was loaded.

Definition at line 2200 of file vecore.c.

Referenced by IntWinAgentHandleDriverVmcall().

◆ IntVeHandleEPTViolationInProtectedView()

INTSTATUS IntVeHandleEPTViolationInProtectedView (IG_EPT_ACCESS AccessType, INTRO_ACTION *Action)

Handle an EPT violation inside the protected EPT view.

This function is called from the main EPT violation handler whenever a violation takes place inside the protected EPT view. We only dump as much info as we can and generate an alert, after which we re-enter the guest. Normally, this will lead to a hang, as the guest would keep generating such EPT violations, but this is expected, as only a bug or an attack may end up generating such a violation.

Parameters
  [in] AccessType: Access type. Can be a combination of IG_EPT_HOOK_READ, IG_EPT_HOOK_WRITE and IG_EPT_HOOK_EXECUTE.
  [out] Action: Desired action.
Return values
  INT_STATUS_SUCCESS: On success.
  INT_STATUS_INVALID_PARAMETER: If an invalid parameter is supplied.

Definition at line 234 of file vecore.c.

Referenced by IntHandleEptViolation().

◆ IntVeHandleGuestResumeFromSleep()

void IntVeHandleGuestResumeFromSleep (void)

Simply set the VeAgentWaiting variable to true if VE is enabled.

Definition at line 2787 of file vecore.c.

Referenced by IntNotifyGuestPowerStateChange().

◆ IntVeHandleHypercall()

INTSTATUS IntVeHandleHypercall (DWORD CpuNumber)

Handles hyper calls initiated by the VE agent.

This function handles VE agent VMCALLs. Only a few are defined:

  1. NOP - does nothing, just causes an exit.
  2. BREAK - break into debugger; issued when the VE agent encounters an exceptional condition that prevents it from safely continuing execution.
  3. TRACE - logs some information.
  4. RAISE EPT - this is the main hyper call, used to raise an EPT violation from a VE that took place inside the guest.

Parameters
  [in] CpuNumber: Guest VCPU number on which the VMCALL was issued.
Return values
  INT_STATUS_SUCCESS: On success.
  INT_STATUS_NOT_SUPPORTED: If an unsupported VMCALL number is raised.
  INT_STATUS_RAISE_EPT: If an EPT must be raised. This will cause the VMCALL handler to invoke the EPT violation handler, as if a regular memory access took place.

Definition at line 1985 of file vecore.c.

Referenced by IntHandleIntroCall().

◆ IntVeInit()

INTSTATUS IntVeInit (void)

Initialize the VE system.

This function initializes the VE system. In order to do so, it makes sure VE is supported on the system:

  1. VE must be supported;
  2. VMFUNC must be supported;
  3. At most VE_MAX_CPUS VCPUs must be assigned to the guest;
  4. The Glue must contain all the VE related functions.

In order to carry on the initialization, this function:

  1. Creates a new EPT - the protected EPT;
  2. Gets the maximum guest physical address accessible by the guest;
  3. Makes the entire guest space non-executable inside the protected EPT view;
  4. Creates the VE module entry.

Return values
  INT_STATUS_SUCCESS: On success.
  INT_STATUS_NOT_NEEDED_HINT: If VE is not supported on the system.
  INT_STATUS_INVALID_INTERNAL_STATE: If there are GPA hooks set.

Definition at line 2493 of file vecore.c.

Referenced by IntWinGuestNew().

◆ IntVeIsAgentRemapped()

BOOLEAN IntVeIsAgentRemapped (QWORD Gla)

Checks if a given guest linear address belongs to the VE agent.

The accessed Gla is in fact the address of a page-table entry. The algorithm in this function converts the page-table entry address to the address of the page it maps, by shifting left each self-map index entry.

Parameters
  [in] Gla: The guest linear address to check.
Return values
  True if the Gla belongs to the VE agent, false otherwise.

Definition at line 2899 of file vecore.c.

Referenced by IntDispatchVeAsEpt().
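The conversion described above, as an added example written for this page (it is not code from HVMI or vecore.c): on x86-64 with a recursive self-map, the linear address of a page-table entry encodes the address of the page it maps, and the mapping is undone by shifting left 9 bits for every paging level whose index equals the self-map index. The self-map index 0x1ED, the agent range and the probe addresses are constructed values, and the helper names are hypothetical, not Introcore APIs. The example also goes one step beyond the PTE case and handles PDE, PDPTE and PML4E addresses, which map 2 MiB, 1 GiB and 512 GiB regions respectively.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* x86-64 4-level paging constants: 9 index bits per level, 4 KiB pages. */
#define IDX_BITS   9
#define IDX_MASK   0x1FFULL
#define PAGE_SHIFT 12
#define VA_47_12   0x0000FFFFFFFFF000ULL   /* bits 47:12 of a 48-bit linear address */

/* Sign-extend bit 47 so the result is a canonical 64-bit linear address. */
static uint64_t canonical(uint64_t va)
{
    va &= 0x0000FFFFFFFFFFFFULL;
    return (va & (1ULL << 47)) ? (va | 0xFFFF000000000000ULL) : va;
}

/*
 * Forward direction, used here only to build inputs: the linear address of the
 * paging entry that maps `va` at `level` (1 = PTE, 2 = PDE, 3 = PDPTE, 4 = PML4E)
 * when PML4[self_idx] points back at the PML4 itself (recursive self-map).
 */
uint64_t self_map_entry_va(uint64_t va, unsigned self_idx, int level)
{
    uint64_t addr = 0;
    for (int i = 0; i < level; i++)
        addr |= (uint64_t)self_idx << (39 - IDX_BITS * i);
    unsigned low_bits = 39 - IDX_BITS * (level - 1);   /* bits below the self-map prefix */
    uint64_t mask = ((1ULL << low_bits) - 1) & ~7ULL;   /* index bits of an 8-byte aligned entry */
    addr |= (va >> (IDX_BITS * level)) & mask;
    return canonical(addr);
}

/* How many top-level indices of `entry_va` equal the self-map index (0 = not a self-map address). */
int self_map_depth(uint64_t entry_va, unsigned self_idx)
{
    int depth = 0;
    for (int level = 0; level < 4; level++) {
        unsigned shift = 39 - IDX_BITS * level;
        if (((entry_va >> shift) & IDX_MASK) != self_idx)
            break;
        depth++;
    }
    return depth;
}

/*
 * Reverse direction: given the linear address of a paging entry, recover the
 * linear address of the region it maps by shifting left 9 bits for every
 * self-map index consumed. Returns 0 when `entry_va` is not a self-map address.
 * Assumption: the mapped region itself lies outside the self-map window.
 */
uint64_t mapped_va_of_entry(uint64_t entry_va, unsigned self_idx, int *level)
{
    int depth = self_map_depth(entry_va, self_idx);
    if (depth == 0)
        return 0;
    if (level)
        *level = depth;
    return canonical((entry_va << (IDX_BITS * depth)) & VA_47_12);
}

/* Size of the region one entry covers at a given level: 4 KiB, 2 MiB, 1 GiB, 512 GiB. */
uint64_t entry_span(int level)
{
    return 1ULL << (PAGE_SHIFT + IDX_BITS * (level - 1));
}

/*
 * Does a write to the paging entry at `gla` touch the agent's mapping?
 * True when the region the entry maps overlaps [agent_base, agent_base + agent_size).
 */
bool is_agent_remapped(uint64_t gla, unsigned self_idx, uint64_t agent_base, uint64_t agent_size)
{
    int level;
    uint64_t mapped = mapped_va_of_entry(gla, self_idx, &level);
    if (mapped == 0)
        return false;
    uint64_t span = entry_span(level);
    /* inclusive upper bounds avoid wrap-around near the top of the address space */
    return mapped <= agent_base + (agent_size - 1) && agent_base <= mapped + (span - 1);
}

int main(void)
{
    /* Constructed values: self-map index 0x1ED and an arbitrary 64 KiB agent range. */
    unsigned self_idx = 0x1ED;
    uint64_t agent_base = 0xFFFFF80012340000ULL, agent_size = 0x10000;
    uint64_t pte = self_map_entry_va(0xFFFFF80012345000ULL, self_idx, 1);
    uint64_t pde = self_map_entry_va(0xFFFFF80012345000ULL, self_idx, 2);
    printf("PTE at %#llx -> remapped=%d\n", (unsigned long long)pte,
           is_agent_remapped(pte, self_idx, agent_base, agent_size));
    printf("PDE at %#llx -> remapped=%d\n", (unsigned long long)pde,
           is_agent_remapped(pde, self_idx, agent_base, agent_size));
    return 0;
}
```

The depth count is what makes a single routine cover all four levels: a PDE address carries the self-map index twice, so the shift is 18 bits and the region compared against the agent is 2 MiB rather than 4 KiB. An address whose top index is not the self-map index is not a paging-entry address at all and is rejected before any comparison.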

◆ IntVeIsCurrentRipInAgent()

BOOLEAN IntVeIsCurrentRipInAgent (void)

Check if the current RIP points inside the VE agent.

This only checks if the current RIP points inside the agent. It doesn't care about the VE handler trampoline or cloaked code, as we only call this to check if a VMCALL was initiated inside the VE agent.

Return values
  True if the current RIP points inside the agent, false otherwise.

Definition at line 2253 of file vecore.c.

Referenced by IntHandleIntroCall().

◆ IntVeIsPtrInAgent()

BOOLEAN IntVeIsPtrInAgent (QWORD Ptr, THS_PTR_TYPE Type)

Check if an address points inside the VE agent.

Parameters
  [in] Ptr: The pointer to be checked.
  [in] Type: Pointer type: live RIP or stack value.
Return values
  True if the pointer points inside any of the VE agent components, false otherwise.

Definition at line 2214 of file vecore.c.

Referenced by IntThrSafeIsLiveRIPInIntro(), and IntThrSafeIsStackPtrInIntro().

◆ IntVeRemoveAgent()

INTSTATUS IntVeRemoveAgent (DWORD AgOpts)

Removes the VE agent from guest memory.

NOTE: If this function returns success, it does not mean that the VE agent has been successfully removed from the guest memory; it simply means it has been successfully scheduled for removal.

Parameters
  [in] AgOpts: Agent options.
Return values
  INT_STATUS_SUCCESS: On success.
  INT_STATUS_NOT_NEEDED_HINT: If VE has not been initialized.

Definition at line 2116 of file vecore.c.

Referenced by IntGuestUpdateCoreOptions(), IntVeDeliverDriverForLoad(), and IntWinPowHandleEventCommon().

◆ IntVeUnInit()

INTSTATUS IntVeUnInit (void)

Uninit the VE system.

This function uninits the VE system. It will destroy the protected EPT. Note that this function does not remove the VE agent from guest memory, it simply uninitializes the VE system. This function should be called only during Introcore uninit.

Definition at line 2654 of file vecore.c.

Referenced by IntGuestUninit().

◆ IntVeUpdateCacheEntry()

INTSTATUS IntVeUpdateCacheEntry (QWORD Address, BOOLEAN Monitored)

Update an address inside the VE cache.

This function will map the cache page that should contain the entry. If the entry must be monitored (it has been hooked), it will remove it from the cache. Otherwise, it will add it to the cache. Entries which are present inside this cache are page-table entries which are not effectively monitored by Introcore. This means that writes that take place on them can be safely emulated inside the guest without issuing a VMCALL to Introcore. The Address is the address of the page-table entry, not a page-table address, as the cache works with entries, not pages.

Parameters
  [in] Address: Page table entry address to be added to/removed from the cache.
  [in] Monitored: True if the entry must be monitored (remove it from the cache), false otherwise.
Return values
  INT_STATUS_SUCCESS: On success.
  INT_STATUS_NOT_INITIALIZED_HINT: If VE is not initialized or the agent is not injected.

Definition at line 2799 of file vecore.c.

Referenced by IntHookPtmSetHook(), and IntHookPtmWriteCallback().