Bitdefender Hypervisor Memory Introspection
Exposes the types, constants and functions used to handle Windows Drivers related events. More...
#include "windrvobj.h"
Data Structures
  struct _WIN_KERNEL_DRIVER

Macros
  #define DRIVER_MAX_ITERATIONS 4096
    When iterating the guest PsLoadedModuleList, we won't go through more than this many entries, in order to avoid a denial of service when crafted entries are present inside the guest.

Typedefs
  typedef struct _WIN_KERNEL_DRIVER WIN_KERNEL_DRIVER
  typedef struct _WIN_KERNEL_DRIVER *PWIN_KERNEL_DRIVER
  typedef struct _KERNEL_DRIVER KERNEL_DRIVER
  typedef struct _KERNEL_DRIVER *PKERNEL_DRIVER

Functions
  INTSTATUS IntWinDrvIsListHead (QWORD PsLoadedModuleListGva, void *PsLoadedModuleList, QWORD KernelLdr)
    Used to identify WINDOWS_GUEST::PsLoadedModuleList.
  INTSTATUS IntWinDrvIterateLoadedModules (PFUNC_IterateListCallback Callback, QWORD Aux)
    Used to iterate through the WINDOWS_GUEST::PsLoadedModuleList.
  INTSTATUS IntWinDrvCreateFromAddress (QWORD ModuleInfo, QWORD Flags)
    Adds a driver to introspection's LoadedModuleList (gKernelDrivers). This way we avoid lots of mapping when searching for a driver.
  INTSTATUS IntWinDrvRemoveFromAddress (QWORD ModuleInfo)
    Removes a driver from the introspection's loaded modules list (gKernelDrivers).
  INTSTATUS IntWinDrvProtect (KERNEL_DRIVER *Driver, QWORD ProtectionFlag)
    Used to enable protection for the given driver.
  INTSTATUS IntWinDrvUnprotect (KERNEL_DRIVER *Driver)
    Used to disable protection for the given driver.
  INTSTATUS IntWinDrvHandleDriverEntry (void *Context, void *Hook, QWORD Address, INTRO_ACTION *Action)
    Used to notify the introspection engine when the DriverEntry of a module starts executing.
  INTSTATUS IntWinDrvHandleWrite (void *Context, void *Hook, QWORD Address, INTRO_ACTION *Action)
    Used to notify the introspection engine when a write took place on a protected driver.
  INTSTATUS IntWinDrvHandleRead (void *Context, void *Hook, QWORD Address, INTRO_ACTION *Action)
    Used to notify the introspection engine when a read took place on a protected driver (used only for ntoskrnl.exe).
  INTSTATUS IntWinProtectReadNtEat (void)
    Used to place a read hook on the ntoskrnl.exe EAT.
  INTSTATUS IntWinUnprotectReadNtEat (void)
    Used to remove the EAT read hook from ntoskrnl.exe.
  INTSTATUS IntWinDrvRemoveEntry (KERNEL_DRIVER *Driver)
    Removes the KERNEL_DRIVER from the internal structures.
  INTSTATUS IntWinDrvUpdateProtection (void)
    Used to update the protection for all the loaded modules (gKernelDrivers).
Definition in file windriver.h.
#define DRIVER_MAX_ITERATIONS 4096
When iterating the guest PsLoadedModuleList, we won't go through more than this many entries, in order to avoid a denial of service when crafted entries are present inside the guest.
Definition at line 52 of file windriver.h.
Referenced by IntWinDrvIterateLoadedModules().
typedef struct _KERNEL_DRIVER KERNEL_DRIVER
Definition at line 48 of file windriver.h.
typedef struct _KERNEL_DRIVER *PKERNEL_DRIVER
Definition at line 48 of file windriver.h.
typedef struct _WIN_KERNEL_DRIVER *PWIN_KERNEL_DRIVER
typedef struct _WIN_KERNEL_DRIVER WIN_KERNEL_DRIVER
INTSTATUS IntWinDrvCreateFromAddress (QWORD ModuleInfo, QWORD Flags)
Adds a driver to introspection's LoadedModuleList (gKernelDrivers). This way we avoid lots of mapping when searching for a driver.
Parameters:
  [in] ModuleInfo  The LDR_DATA_TABLE_ENTRY32 or LDR_DATA_TABLE_ENTRY64 corresponding to the module.
  [in] Flags  If the FLAG_DYNAMIC_DETECTION flag is set, we execute-protect the first page of the module. This way, when its first instruction gets executed, we are notified and have a chance to protect the driver's driver object.
Return values:
  INT_STATUS_SUCCESS  On success.
Definition at line 305 of file windriver.c.
Referenced by IntDriverLoadHandler(), and IntWinGuestFinishInit().
INTSTATUS IntWinDrvHandleDriverEntry (void *Context, void *Hook, QWORD Address, INTRO_ACTION *Action)
Used to notify the introspection engine when the DriverEntry of a module starts executing.
This hook is established on the page containing the entry point (EP) of freshly loaded drivers. On the execution of the first EP instruction we are notified, and we are then able to retrieve the driver object associated with that driver and hook it, if needed.
Parameters:
  [in] Context  User-supplied context (may contain anything, including NULL).
  [in] Hook  The GPA hook associated with this callback.
  [in] Address  GPA address that was accessed.
  [out] Action  Desired action (allow, block).
Return values:
  INT_STATUS_SUCCESS  On success.
Definition at line 1152 of file windriver.c.
Referenced by IntWinDrvCreateFromAddress().
INTSTATUS IntWinDrvHandleRead (void *Context, void *Hook, QWORD Address, INTRO_ACTION *Action)
Used to notify the introspection engine when a read took place on a protected driver (used only for ntoskrnl.exe).
Parameters:
  [in] Context  The driver for which the violation took place (KERNEL_DRIVER structure).
  [in] Hook  The GPA hook associated with this callback.
  [in] Address  GPA address that was accessed.
  [out] Action  Desired action (allow, block).
Return values:
  INT_STATUS_SUCCESS  On success.
Definition at line 1483 of file windriver.c.
Referenced by IntWinProtectReadNtEat().
INTSTATUS IntWinDrvHandleWrite (void *Context, void *Hook, QWORD Address, INTRO_ACTION *Action)
Used to notify the introspection engine when a write took place on a protected driver.
Parameters:
  [in] Context  The driver for which the violation took place (KERNEL_DRIVER structure).
  [in] Hook  The GPA hook associated with this callback.
  [in] Address  GPA address that was accessed.
  [out] Action  Desired action (allow, block).
Return values:
  INT_STATUS_SUCCESS  On success.
Definition at line 1315 of file windriver.c.
Referenced by IntWinDrvHeadersInMemory().
INTSTATUS IntWinDrvIsListHead (QWORD PsLoadedModuleListGva, void *PsLoadedModuleList, QWORD KernelLdr)
Used to identify WINDOWS_GUEST::PsLoadedModuleList.
Parameters:
  [in] PsLoadedModuleListGva  The PsLoadedModuleList GVA.
  [in] PsLoadedModuleList  The PsLoadedModuleList (mapped).
  [in] KernelLdr  GVA pointer to a LDR_DATA_TABLE_ENTRY32 or LDR_DATA_TABLE_ENTRY64 structure.
Return values:
  INT_STATUS_SUCCESS  If PsLoadedModuleListGva is the actual list head.
Definition at line 67 of file windriver.c.
Referenced by IntWinGuestFindKernelObjectsInternal().
INTSTATUS IntWinDrvIterateLoadedModules (PFUNC_IterateListCallback Callback, QWORD Aux)
Used to iterate through the WINDOWS_GUEST::PsLoadedModuleList.
Parameters:
  [in] Callback  The PFUNC_IterateListCallback callback invoked for every module.
  [in] Aux  The auxiliary value passed to the callback.
Return values:
  INT_STATUS_SUCCESS  On success.
Definition at line 227 of file windriver.c.
Referenced by IntWinGuestFinishInit().
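The two pieces above, DRIVER_MAX_ITERATIONS and IntWinDrvIterateLoadedModules(), describe the same defensive idea: PsLoadedModuleList lives in guest memory the guest fully controls, so a walk over it must be bounded and every link must be validated before it is dereferenced. The following C program is an added example, not HVI's own code, that models that walk over a constructed 64-bit guest snapshot (LIST_ENTRY-shaped Flink/Blink pairs). It uses the same DRIVER_MAX_ITERATIONS value as windriver.h; everything else (GUEST_VIEW, GuestWalkList, the Blink-consistency check, the "callback returns false to stop" contract, and the sample snapshot) is an assumption of this example and not taken from the project.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not HVI's own code: a bounded, validated walk over a
 * guest-controlled LIST_ENTRY-shaped circular list (the shape of
 * PsLoadedModuleList). All names except DRIVER_MAX_ITERATIONS are hypothetical. */

#define DRIVER_MAX_ITERATIONS 4096   /* same value windriver.h uses */

typedef struct { uint64_t Flink, Blink; } GUEST_LIST_ENTRY64;  /* 64-bit guest LIST_ENTRY layout */

/* Minimal stand-in for "mapped guest memory": a base GVA and a host buffer. */
typedef struct { uint64_t BaseGva; uint8_t *Mem; size_t Size; } GUEST_VIEW;

typedef enum {
    WALK_OK = 0,
    WALK_ERR_OUT_OF_BOUNDS,  /* a link points outside what we mapped */
    WALK_ERR_INCONSISTENT,   /* next->Blink != current: a tampered link (extra check, assumed) */
    WALK_ERR_TOO_MANY,       /* DRIVER_MAX_ITERATIONS reached: crafted or overlong list */
} WALK_STATUS;

/* Per-entry callback; returning false stops the walk (assumed contract). */
typedef bool (*GUEST_LIST_CALLBACK)(uint64_t EntryGva, void *Aux);

/* Read one entry only after bounds- and alignment-checking its GVA. */
static bool ReadEntry(const GUEST_VIEW *View, uint64_t Gva, GUEST_LIST_ENTRY64 *Out)
{
    if (Gva < View->BaseGva || (Gva & 7) != 0) return false;
    uint64_t off = Gva - View->BaseGva;
    if (off > View->Size || View->Size - off < sizeof(*Out)) return false;
    memcpy(Out, View->Mem + off, sizeof(*Out));
    return true;
}

/* Walk from the list head, invoking Callback on every non-head entry. */
WALK_STATUS GuestWalkList(const GUEST_VIEW *View, uint64_t HeadGva,
                          GUEST_LIST_CALLBACK Callback, void *Aux, uint32_t *Visited)
{
    GUEST_LIST_ENTRY64 e;
    uint32_t n = 0;
    WALK_STATUS st = WALK_OK;

    if (!ReadEntry(View, HeadGva, &e)) return WALK_ERR_OUT_OF_BOUNDS;
    uint64_t prev = HeadGva, cur = e.Flink;

    while (cur != HeadGva) {
        if (n >= DRIVER_MAX_ITERATIONS) { st = WALK_ERR_TOO_MANY; break; }
        if (!ReadEntry(View, cur, &e)) { st = WALK_ERR_OUT_OF_BOUNDS; break; }
        if (e.Blink != prev) { st = WALK_ERR_INCONSISTENT; break; }
        n++;
        if (Callback && !Callback(cur, Aux)) break;
        prev = cur;
        cur = e.Flink;
    }
    if (Visited) *Visited = n;
    return st;
}

/* ---- constructed guest snapshot for the demo (not real guest data) ---- */
enum { SNAP_SIZE = 0x20000, HEAD_OFF = 0x0, FIRST_OFF = 0x40, STRIDE = 0x10 };
static uint8_t gSnap[SNAP_SIZE];
static GUEST_VIEW gView = { 0xFFFFF80000100000ULL, gSnap, SNAP_SIZE };

static uint64_t EntryGva(uint32_t i) { return gView.BaseGva + FIRST_OFF + (uint64_t)i * STRIDE; }

static void PutEntry(uint64_t Gva, uint64_t Flink, uint64_t Blink)
{
    GUEST_LIST_ENTRY64 e = { Flink, Blink };
    memcpy(gSnap + (Gva - gView.BaseGva), &e, sizeof e);
}

/* Build a consistent circular list: head -> E0 -> ... -> E(Count-1) -> head. */
static void BuildList(uint32_t Count)
{
    uint64_t head = gView.BaseGva + HEAD_OFF;
    memset(gSnap, 0, sizeof gSnap);
    PutEntry(head, Count ? EntryGva(0) : head, Count ? EntryGva(Count - 1) : head);
    for (uint32_t i = 0; i < Count; i++)
        PutEntry(EntryGva(i), i + 1 < Count ? EntryGva(i + 1) : head, i ? EntryGva(i - 1) : head);
}

static bool CountCb(uint64_t Gva, void *Aux) { (void)Gva; (*(uint32_t *)Aux)++; return true; }

/* Well-formed 3-module list: returns how many entries the callback saw (3). */
uint32_t DemoGoodList(void)
{
    uint32_t seen = 0;
    BuildList(3);
    return GuestWalkList(&gView, gView.BaseGva + HEAD_OFF, CountCb, &seen, NULL) == WALK_OK ? seen : 0;
}

/* Consistent but overlong list (cap + 1 entries): returns entries visited before the cap stopped it. */
uint32_t DemoOverlongList(void)
{
    uint32_t visited = 0;
    BuildList(DRIVER_MAX_ITERATIONS + 1);
    return GuestWalkList(&gView, gView.BaseGva + HEAD_OFF, NULL, NULL, &visited) == WALK_ERR_TOO_MANY ? visited : 0;
}

/* Entry whose Flink points outside the mapped snapshot. */
WALK_STATUS DemoDanglingLink(void)
{
    BuildList(3);
    PutEntry(EntryGva(1), gView.BaseGva + SNAP_SIZE + 0x1000, EntryGva(0));
    return GuestWalkList(&gView, gView.BaseGva + HEAD_OFF, NULL, NULL, NULL);
}

/* Entry whose Blink was tampered with: forward and back links no longer agree. */
WALK_STATUS DemoTamperedBlink(void)
{
    BuildList(3);
    PutEntry(EntryGva(2), gView.BaseGva + HEAD_OFF, EntryGva(0));  /* correct Blink would be EntryGva(1) */
    return GuestWalkList(&gView, gView.BaseGva + HEAD_OFF, NULL, NULL, NULL);
}
```

The Blink-consistency check is worth noting: starting from the head, a list whose forward and back links agree cannot loop without returning to the head, so that check alone defeats a simple cycle. The iteration cap still matters, because a guest can present an arbitrarily long list that is perfectly consistent; DemoOverlongList shows the cap stopping the walk after exactly DRIVER_MAX_ITERATIONS entries.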
INTSTATUS IntWinDrvProtect (KERNEL_DRIVER *Driver, QWORD ProtectionFlag)
Used to enable protection for the given driver.
Parameters:
  [in] Driver  The driver to be protected.
  [in] ProtectionFlag  The protection flag.
Return values:
  INT_STATUS_SUCCESS  On success.
  INT_STATUS_ALREADY_INITIALIZED_HINT  If the driver is already protected.
  INT_STATUS_INVALID_PARAMETER_1  If the driver is NULL.
Definition at line 1069 of file windriver.c.
Referenced by IntWinDrvCreateFromAddress(), and IntWinDrvUpdateProtection().
INTSTATUS IntWinDrvRemoveEntry (KERNEL_DRIVER *Driver)
Removes the KERNEL_DRIVER from the internal structures.
Parameters:
  [in] Driver  The driver to be removed.
Return values:
  INT_STATUS_SUCCESS  On success.
Definition at line 1696 of file windriver.c.
Referenced by IntDriverUninit(), IntWinDrvCreateFromAddress(), and IntWinDrvRemoveFromAddress().
INTSTATUS IntWinDrvRemoveFromAddress (QWORD ModuleInfo)
Removes a driver from the introspection's loaded modules list (gKernelDrivers).
Parameters:
  [in] ModuleInfo  The LDR_DATA_TABLE_ENTRY32 or LDR_DATA_TABLE_ENTRY64 corresponding to the module.
Return values:
  INT_STATUS_SUCCESS  On success.
Definition at line 522 of file windriver.c.
Referenced by IntDriverUnloadHandler().
INTSTATUS IntWinDrvUnprotect (KERNEL_DRIVER *Driver)
Used to disable protection for the given driver.
Parameters:
  [in] Driver  The driver to be removed from protection.
Return values:
  INT_STATUS_SUCCESS  On success.
  INT_STATUS_INVALID_PARAMETER_1  If the driver is NULL.
Definition at line 1103 of file windriver.c.
Referenced by IntWinDrvRemoveEntry(), and IntWinDrvUpdateProtection().
INTSTATUS IntWinDrvUpdateProtection (void)
Used to update the protection for all the loaded modules (gKernelDrivers).
Return values:
  INT_STATUS_SUCCESS  On success.
Definition at line 1751 of file windriver.c.
Referenced by IntGuestUpdateCoreOptions().
INTSTATUS IntWinProtectReadNtEat (void)
Used to place a read hook on the ntoskrnl.exe EAT.
Return values:
  INT_STATUS_SUCCESS  On success.
Definition at line 622 of file windriver.c.
Referenced by IntGuestUpdateCoreOptions(), and IntWinDrvHeadersInMemory().
INTSTATUS IntWinUnprotectReadNtEat (void)
Used to remove the EAT read hook from ntoskrnl.exe.
Return values:
  INT_STATUS_SUCCESS  On success.
Definition at line 690 of file windriver.c.
Referenced by IntGuestUpdateCoreOptions(), and IntWinDrvForceDisableReadNtEat().