- Generated by
1.8.13
|
Bitdefender Hypervisor Memory Introspection
|
#include "winapi.h"#include "decoder.h"#include "drivers.h"#include "guests.h"#include "introcpu.h"#include "memcloak.h"#include "winhkhnd.h"#include "winpe.h"#include "crc32.h"Go to the source code of this file.
Macros | |
| #define | MIN_CODE_LEN 24 |
Functions | |
| static INTSTATUS | IntWinApiFindFunctionRva (WIN_UNEXPORTED_FUNCTION *Patterns, QWORD ModuleBase, BOOLEAN IgnoreSectionHint, DWORD *FunctionRva, DETOUR_ARGS **Arguments) |
| Searches for a function in a module, based on the given patterns. More... | |
| static INTSTATUS | IntWinApiHook (API_HOOK_DESCRIPTOR *HookDescriptor) |
| Will hook one function from a module as described by the HookDescriptor. More... | |
| INTSTATUS | IntWinApiHookAll (void) |
| Iterates through all hookable APIs and sets requested hooks. More... | |
| void | IntWinApiUpdateHooks (void) |
| Iterate through all hookable APIs and enable or disable them according to the current Introcore options. More... | |
| INTSTATUS | IntWinApiHookVeHandler (QWORD NewHandler, void **Cloak, QWORD *OldHandler, DWORD *ReplacedCodeLen, BYTE *ReplacedCode) |
| Hooks the #VE handler. More... | |
| INTSTATUS | IntWinApiUpdateHookDescriptor (WIN_UNEXPORTED_FUNCTION *Function, DWORD ArgumentsCount, const DWORD *Arguments) |
| Update a hook descriptor with corresponding function patterns and argument list from CAMI. More... | |
| #define MIN_CODE_LEN 24 |
Referenced by IntWinApiHookVeHandler().
|
static |
Searches for a function in a module, based on the given patterns.
Will search in the module represented by ModuleBase a function which matches at least one of the given WIN_UNEXPORTED_FUNCTION patterns. If IgnoreSectionHint is set to TRUE, then it will search through all the sections, otherwise just on the section hint present in the descriptor, if any.
| [in] | Patterns | Contains information about the patterns which describe the searched function. |
| [in] | ModuleBase | The module base where the patterns are searched for. |
| [in] | IgnoreSectionHint | If this parameter is set to TRUE, all the sections in the given module are scanned for the given patterns. |
| [out] | FunctionRva | The relative address to the module base where the function was found. |
| [in] | Arguments | The arguments assigned for the found pattern, if any. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_FOUND | If the given patterns could not be found. |
Definition at line 17 of file winapi.c.
Referenced by IntWinApiHook().
|
static |
Will hook one function from a module as described by the HookDescriptor.
Will place a detour on HookDescriptor->FunctionName from HookDescriptor->ModuleName. If HookDescriptor->Exported is TRUE, will search for said export and hook it. Otherwise, it will search for the pattern signatures in HookDescriptor->Patterns to find the function's address.
| [in] | HookDescriptor | Describes the way a function will be hooked. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_FOUND | If no good handler / matching signature is found. |
Definition at line 87 of file winapi.c.
Referenced by IntWinApiHookAll().
| INTSTATUS IntWinApiHookAll | ( | void | ) |
Iterates through all hookable APIs and sets requested hooks.
Definition at line 229 of file winapi.c.
Referenced by IntWinGuestFinishInit().
| INTSTATUS IntWinApiHookVeHandler | ( | QWORD | NewHandler, |
| void ** | Cloak, | ||
| QWORD * | OldHandler, | ||
| DWORD * | ReplacedCodeLen, | ||
| BYTE * | ReplacedCode | ||
| ) |
Hooks the #VE handler.
Hook the original #VE handler and make it point to our handler. The code sequence is:
Guests older than RS3 are not aware of the VirtualizationException, and the first instruction is a "PUSH 0x14". On these, there are two cases:
We search for the JMP, which directs us to the effective handler.
If the guest has the KPTI patches, the IDT points to the shadow, so we search for the real one.
| [in] | NewHandler | Address of our handler. |
| [out] | Cloak | Will receive the memory cloak used to hide the hook. |
| [out] | OldHandler | Will receive the address of the old handler. |
| [out] | ReplacedCodeLen | Will receive the size of the code replaced by this function. |
| [out] | ReplacedCode | Will receive the code replaced by this function. |
Minimum Code length in bytes to be replaced by our int20 hook.
Definition at line 367 of file winapi.c.
Referenced by IntPtiDeliverDriverForLoad(), and IntVeDeliverDriverForLoad().
| INTSTATUS IntWinApiUpdateHookDescriptor | ( | WIN_UNEXPORTED_FUNCTION * | Function, |
| DWORD | ArgumentsCount, | ||
| const DWORD * | Arguments | ||
| ) |
Update a hook descriptor with corresponding function patterns and argument list from CAMI.
| [in] | Function | Patterns given from CAMI, also contains the name hash. |
| [in] | ArgumentsCount | Number of elements in Arguments. |
| [in] | Arguments | List of arguments from CAMI. |
Definition at line 615 of file winapi.c.
Referenced by IntCamiLoadWindows().
| void IntWinApiUpdateHooks | ( | void | ) |
Iterate through all hookable APIs and enable or disable them according to the current Introcore options.
Definition at line 317 of file winapi.c.
Referenced by IntGuestUpdateCoreOptions(), and IntWinApiHookAll().
1.8.13