Bitdefender Hypervisor Memory Introspection
#include "winguest.h"
Functions

INTSTATUS IntWinApiHookAll (void)
    Iterates through all hookable APIs and sets the requested hooks.

void IntWinApiUpdateHooks (void)
    Iterates through all hookable APIs and enables or disables them according to the current Introcore options.

INTSTATUS IntWinApiHookVeHandler (QWORD NewHandler, void **Cloak, QWORD *OldHandler, DWORD *ReplacedCodeLen, BYTE *ReplacedCode)
    Hooks the #VE handler.

INTSTATUS IntWinApiUpdateHookDescriptor (WIN_UNEXPORTED_FUNCTION *Function, DWORD ArgumentsCount, const DWORD *Arguments)
    Updates a hook descriptor with the corresponding function patterns and argument list from CAMI.
INTSTATUS IntWinApiHookAll (void)
Iterates through all hookable APIs and sets the requested hooks.
Definition at line 229 of file winapi.c.
Referenced by IntWinGuestFinishInit().
INTSTATUS IntWinApiHookVeHandler (QWORD NewHandler, void **Cloak, QWORD *OldHandler, DWORD *ReplacedCodeLen, BYTE *ReplacedCode)
Hooks the #VE handler.
Hooks the original #VE handler and makes it point to our handler. The code sequence is:
Guests older than RS3 are not aware of the VirtualizationException, and the first instruction is a "PUSH 0x14". On these, there are two cases:
1. We search for the JMP, which directs us to the effective handler.
2. If the guest has the KPTI patches, the IDT points to the shadow, so we search for the real one.
Parameters
[in]  NewHandler       Address of our handler.
[out] Cloak            Will receive the memory cloak used to hide the hook.
[out] OldHandler       Will receive the address of the old handler.
[out] ReplacedCodeLen  Will receive the size, in bytes, of the code replaced by this function.
[out] ReplacedCode     Will receive the code replaced by this function.
The function also defines the minimum code length, in bytes, that the hook on interrupt vector 20 (#VE) must replace.
Definition at line 367 of file winapi.c.
Referenced by IntPtiDeliverDriverForLoad(), and IntVeDeliverDriverForLoad().
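The two steps the description above implies, locating the effective handler by following the JMP out of the entry stub (through the KPTI shadow when present) and deciding how many whole instructions an E9 rel32 trampoline has to displace, as an added example. This is not HVMI code: the guest memory window, its base address, the stub layout (entry stub, shadow stub, handler prologue) and the rule "follow JMPs until a stub with no JMP is found" are all constructed assumptions for illustration, and the instruction decoder covers only the handful of opcodes the constructed stubs use.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define GUEST_BASE    0xFFFFF80000100000ULL /* assumed (fake) kernel code base */
#define JMP_REL32_LEN 5                      /* size of the E9 xx xx xx xx hook  */
#define MAX_HOPS      4                      /* bounds the JMP chain walk        */

static uint8_t guest_mem[256];               /* constructed guest code window    */

/* Simulated guest read; a real engine would translate and map the GVA. */
static int guest_read(uint64_t gva, uint8_t *out, size_t n)
{
    if (gva < GUEST_BASE || gva - GUEST_BASE + n > sizeof guest_mem)
        return 0;
    memcpy(out, guest_mem + (gva - GUEST_BASE), n);
    return 1;
}

/* Length of one instruction from the small subset assumed in an entry stub.
 * Returns 0 for anything else so callers stop scanning instead of guessing. */
static size_t insn_len(const uint8_t *p, size_t avail)
{
    if (avail >= 1 && (p[0] == 0x90 || (p[0] >= 0x50 && p[0] <= 0x57)))
        return 1;                                    /* nop, push r64        */
    if (avail >= 2 && (p[0] == 0x6A || p[0] == 0xEB))
        return 2;                                    /* push imm8, jmp rel8  */
    if (avail >= 5 && p[0] == 0xE9)
        return 5;                                    /* jmp rel32            */
    if (avail >= 3 && p[0] == 0x48 && p[1] == 0x89 && (p[2] & 0xC0) == 0xC0)
        return 3;                                    /* mov r64, r64         */
    if (avail >= 4 && p[0] == 0x48 && p[1] == 0x83 && (p[2] & 0xC0) == 0xC0)
        return 4;                                    /* add/sub r64, imm8    */
    return 0;
}

/* Target of a rel8 (2-byte) or rel32 (5-byte) JMP located at gva. */
static uint64_t jmp_target(uint64_t gva, const uint8_t *p, size_t len)
{
    int64_t rel;
    if (len == 2) { rel = (int8_t)p[1]; }
    else { int32_t r32; memcpy(&r32, p + 1, 4); rel = r32; }
    return gva + len + (uint64_t)rel;
}

/* Walk from the IDT entry point: skip the push 0x14 / push rbp prologue,
 * follow the JMP, and repeat for a KPTI shadow stub. A stub that contains
 * no JMP before an undecodable byte is taken as the effective handler. */
static int resolve_ve_handler(uint64_t entry, uint64_t *handler)
{
    uint64_t cur = entry;
    for (int hop = 0; hop < MAX_HOPS; hop++) {
        uint8_t buf[32];
        size_t off = 0, len;
        int jumped = 0;
        if (!guest_read(cur, buf, sizeof buf)) return 0;
        while ((len = insn_len(buf + off, sizeof buf - off)) != 0) {
            if (buf[off] == 0xEB || buf[off] == 0xE9) {
                cur = jmp_target(cur + off, buf + off, len);
                jumped = 1;
                break;
            }
            off += len;
        }
        if (!jumped) { *handler = cur; return 1; }
    }
    return 0;   /* JMP chain too long: refuse to hook rather than guess */
}

/* Smallest byte count covering whole instructions at gva so that a
 * JMP_REL32_LEN-byte trampoline never splits an instruction. */
static int min_replaced_len(uint64_t gva, size_t *replaced)
{
    uint8_t buf[32];
    size_t off = 0, len;
    if (!guest_read(gva, buf, sizeof buf)) return 0;
    while (off < JMP_REL32_LEN) {
        len = insn_len(buf + off, sizeof buf - off);
        if (len == 0) return 0;   /* undecodable prologue: do not hook */
        off += len;
    }
    *replaced = off;
    return 1;
}

static void put_jmp32(size_t from, size_t to)
{
    int32_t rel = (int32_t)(to - (from + JMP_REL32_LEN));
    guest_mem[from] = 0xE9;
    memcpy(guest_mem + from + 1, &rel, 4);
}

/* Constructed layout: entry stub (push 0x14; push rbp; jmp shadow) at +0,
 * assumed KPTI shadow (push rbp; jmp real) at +0x40, real handler at +0x80
 * (push rbp; mov rbp,rsp; sub rsp,0x20), everything else filled with int3. */
void setup_sample_guest(void)
{
    static const uint8_t entry[] = { 0x6A, 0x14, 0x55 };
    static const uint8_t real[]  = { 0x55, 0x48, 0x89, 0xE5, 0x48, 0x83, 0xEC, 0x20 };
    memset(guest_mem, 0xCC, sizeof guest_mem);
    memcpy(guest_mem + 0x00, entry, sizeof entry); put_jmp32(0x03, 0x40);
    guest_mem[0x40] = 0x55;                        put_jmp32(0x41, 0x80);
    memcpy(guest_mem + 0x80, real, sizeof real);
}

int main(void)
{
    uint64_t h; size_t n;
    setup_sample_guest();
    if (resolve_ve_handler(GUEST_BASE, &h) && min_replaced_len(h, &n))
        printf("effective #VE handler at %#llx, hook displaces %zu bytes\n",
               (unsigned long long)h, n);
    return 0;
}
```

On the constructed layout the walk ends at the handler at base+0x80 and reports 8 replaced bytes, not 5: the third instruction straddles the trampoline, so the whole `sub rsp,0x20` has to be copied into ReplacedCode, which is exactly why a minimum replaced length has to be computed from instruction boundaries rather than fixed at the trampoline size.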
INTSTATUS IntWinApiUpdateHookDescriptor (WIN_UNEXPORTED_FUNCTION *Function, DWORD ArgumentsCount, const DWORD *Arguments)
Updates a hook descriptor with the corresponding function patterns and argument list from CAMI.
Parameters
[in] Function        Patterns given from CAMI; also contains the name hash.
[in] ArgumentsCount  Number of elements in Arguments.
[in] Arguments       List of arguments from CAMI.
Definition at line 615 of file winapi.c.
Referenced by IntCamiLoadWindows().
void IntWinApiUpdateHooks (void)
Iterates through all hookable APIs and enables or disables them according to the current Introcore options.
Definition at line 317 of file winapi.c.
Referenced by IntGuestUpdateCoreOptions(), and IntWinApiHookAll().