Bitdefender Hypervisor Memory Introspection
windriver.h
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2020 Bitdefender
3  * SPDX-License-Identifier: Apache-2.0
4  */
12 
13 #ifndef _WINDRIVER_H_
14 #define _WINDRIVER_H_
15 
16 #include "windrvobj.h"
17 
18 //
19 // Internal definition of a loaded kernel driver.
20 //
21 typedef struct _WIN_KERNEL_DRIVER
22 {
23  DWORD TimeDateStamp;
24 
25  DWORD PathHash;
26  DWORD PathLength;
27 
28  PWCHAR Path;
29 
32  void *EpHookObject;
33 
34  PBYTE MzPeHeaders;
35 
36  PWIN_DRIVER_OBJECT DriverObject;
37 
38  void *HeadersSwapHandle;
39 
40  void *EatReadHook;
41 
43  QWORD EatReadCount;
44 
45 } WIN_KERNEL_DRIVER, *PWIN_KERNEL_DRIVER;
46 
47 
48 typedef struct _KERNEL_DRIVER KERNEL_DRIVER, *PKERNEL_DRIVER;
49 
52 #define DRIVER_MAX_ITERATIONS 4096
53 
54 
55 //
56 // Loaded drivers specific API
57 //
58 INTSTATUS
59 IntWinDrvIsListHead(
60  _In_ QWORD PsLoadedModuleListGva,
61  _In_ void *PsLoadedModuleList,
62  _In_ QWORD KernelLdr
63  );
64 
65 INTSTATUS
66 IntWinDrvIterateLoadedModules(
67  _In_ PFUNC_IterateListCallback Callback,
68  _In_ QWORD Aux
69  );
70 
71 INTSTATUS
72 IntWinDrvCreateFromAddress(
73  _In_ QWORD ModuleInfo,
74  _In_ QWORD Flags
75  );
76 
77 INTSTATUS
78 IntWinDrvRemoveFromAddress(
79  _In_ QWORD ModuleInfo
80  );
81 
82 INTSTATUS
83 IntWinDrvProtect(
84  _In_ KERNEL_DRIVER *Driver,
85  _In_ QWORD ProtectionFlag
86  );
87 
88 INTSTATUS
89 IntWinDrvUnprotect(
90  _In_ KERNEL_DRIVER *Driver
91  );
92 
93 INTSTATUS
94 IntWinDrvHandleDriverEntry(
95  _In_opt_ void *Context,
96  _In_ void *Hook,
97  _In_ QWORD Address,
98  _Out_ INTRO_ACTION *Action
99  );
100 
101 INTSTATUS
102 IntWinDrvHandleWrite(
103  _In_ void *Context,
104  _In_ void *Hook,
105  _In_ QWORD Address,
106  _Out_ INTRO_ACTION *Action
107  );
108 
109 INTSTATUS
110 IntWinDrvHandleRead(
111  _In_ void *Context,
112  _In_ void *Hook,
113  _In_ QWORD Address,
114  _Out_ INTRO_ACTION *Action
115  );
116 
117 INTSTATUS
118 IntWinProtectReadNtEat(
119  void
120  );
121 
122 INTSTATUS
123 IntWinUnprotectReadNtEat(
124  void
125  );
126 
127 INTSTATUS
128 IntWinDrvRemoveEntry(
129  _In_ KERNEL_DRIVER *Driver
130  );
131 
132 INTSTATUS
133 IntWinDrvUpdateProtection(
134  void
135  );
136 
137 #endif // _WINDRIVER_H_
PWCHAR
uint16_t * PWCHAR
Definition: intro_types.h:63
_In_opt_
#define _In_opt_
Definition: intro_sal.h:16
IntWinDrvHandleRead
INTSTATUS IntWinDrvHandleRead(void *Context, void *Hook, QWORD Address, INTRO_ACTION *Action)
Used to notify the introspection engine when a read took place on a protected driver (used only for n...
Definition: windriver.c:1483
_Out_
#define _Out_
Definition: intro_sal.h:22
IntWinDrvUpdateProtection
INTSTATUS IntWinDrvUpdateProtection(void)
Used to update the protection for all the loaded modules (gKernelDrivers).
Definition: windriver.c:1751
_WIN_KERNEL_DRIVER::EatReadCount
QWORD EatReadCount
The number of EAT reads that took place from withing known drivers.
Definition: windriver.h:43
_In_
#define _In_
Definition: intro_sal.h:21
_WIN_KERNEL_DRIVER
Definition: windriver.h:21
_WIN_KERNEL_DRIVER::PathLength
DWORD PathLength
The driver`s path length (number of WCHARS).
Definition: windriver.h:26
PWIN_KERNEL_DRIVER
struct _WIN_KERNEL_DRIVER * PWIN_KERNEL_DRIVER
_WIN_KERNEL_DRIVER::MzPeHeaders
PBYTE MzPeHeaders
The driver`s MZ/PE headers (cached internally).
Definition: windriver.h:34
INTSTATUS
int INTSTATUS
The status data type.
Definition: introstatus.h:24
_WIN_KERNEL_DRIVER::HeadersSwapHandle
void * HeadersSwapHandle
The swap handle used to read the driver`s headers.
Definition: windriver.h:38
IntWinDrvCreateFromAddress
INTSTATUS IntWinDrvCreateFromAddress(QWORD ModuleInfo, QWORD Flags)
Adds a driver to introspection's LoadedModuleList (gKernelDrivers). This way we avoid lots of mapping...
Definition: windriver.c:305
_WIN_KERNEL_DRIVER::TimeDateStamp
DWORD TimeDateStamp
The driver`s internal timestamp (from the _IMAGE_FILE_HEADER).
Definition: windriver.h:23
_KERNEL_DRIVER
Describes a kernel driver.
Definition: drivers.h:30
IntWinUnprotectReadNtEat
INTSTATUS IntWinUnprotectReadNtEat(void)
Used to remove the EAT read hook from ntoskrnl.exe.
Definition: windriver.c:690
IntWinDrvHandleDriverEntry
INTSTATUS IntWinDrvHandleDriverEntry(void *Context, void *Hook, QWORD Address, INTRO_ACTION *Action)
Used to notify the introspection engine when the DriverEntry of a module starts executing.
Definition: windriver.c:1152
IntWinDrvProtect
INTSTATUS IntWinDrvProtect(KERNEL_DRIVER *Driver, QWORD ProtectionFlag)
Used to enable protection for the given driver.
Definition: windriver.c:1069
PBYTE
uint8_t * PBYTE
Definition: intro_types.h:47
_WIN_DRIVER_OBJECT
Holds information about a driver object.
Definition: windrvobj.h:13
QWORD
unsigned long long QWORD
Definition: intro_types.h:53
WIN_KERNEL_DRIVER
struct _WIN_KERNEL_DRIVER WIN_KERNEL_DRIVER
PFUNC_IterateListCallback
INTSTATUS(* PFUNC_IterateListCallback)(QWORD Node, QWORD Aux)
Definition: introtypes.h:71
IntWinDrvRemoveEntry
INTSTATUS IntWinDrvRemoveEntry(KERNEL_DRIVER *Driver)
Removes the KERNEL_DRIVER from the internal structures.
Definition: windriver.c:1696
IntWinDrvIsListHead
INTSTATUS IntWinDrvIsListHead(QWORD PsLoadedModuleListGva, void *PsLoadedModuleList, QWORD KernelLdr)
Used to identify WINDOWS_GUEST::PsLoadedModuleList.
Definition: windriver.c:67
_WIN_KERNEL_DRIVER::Path
PWCHAR Path
The driver`s path.
Definition: windriver.h:28
_WIN_KERNEL_DRIVER::EatReadHook
void * EatReadHook
The read hook placed on the driver`s EAT.
Definition: windriver.h:40
DWORD
uint32_t DWORD
Definition: intro_types.h:49
_KERNEL_DRIVER::ProtectionFlag
QWORD ProtectionFlag
The introcore option that decided that this driver must be protected.
Definition: drivers.h:49
IntWinProtectReadNtEat
INTSTATUS IntWinProtectReadNtEat(void)
Used to place a read hook on the ntoskrnl.exe EAT.
Definition: windriver.c:622
INTRO_ACTION
enum _INTRO_ACTION INTRO_ACTION
Event actions.
IntWinDrvRemoveFromAddress
INTSTATUS IntWinDrvRemoveFromAddress(QWORD ModuleInfo)
Removes a driver from the introspection's loaded modules list (gKernelDrivers).
Definition: windriver.c:522
IntWinDrvIterateLoadedModules
INTSTATUS IntWinDrvIterateLoadedModules(PFUNC_IterateListCallback Callback, QWORD Aux)
Used to iterate trough the WINDOWS_GUEST::PsLoadedModuleList.
Definition: windriver.c:227
_WIN_KERNEL_DRIVER::EpHookObject
void * EpHookObject
The EP hook placed on the driver (we will be notified when the execution began) - useful to obtain th...
Definition: windriver.h:32
IntWinDrvUnprotect
INTSTATUS IntWinDrvUnprotect(KERNEL_DRIVER *Driver)
Used to disable protection for the given driver.
Definition: windriver.c:1103
_WIN_KERNEL_DRIVER::DriverObject
PWIN_DRIVER_OBJECT DriverObject
The driver object.
Definition: windriver.h:36
_WIN_KERNEL_DRIVER::PathHash
DWORD PathHash
CRC32 hash value for the driver`s path.
Definition: windriver.h:25
IntWinDrvHandleWrite
INTSTATUS IntWinDrvHandleWrite(void *Context, void *Hook, QWORD Address, INTRO_ACTION *Action)
Used to notify the introspection engine when a write took place on a protected driver.
Definition: windriver.c:1315
PKERNEL_DRIVER
struct _KERNEL_DRIVER * PKERNEL_DRIVER
Definition: windriver.h:48