- Generated by
1.8.13
|
Bitdefender Hypervisor Memory Introspection
|
#include "windrvobj.h"#include "windrv_protected.h"#include "alerts.h"#include "crc32.h"#include "decoder.h"#include "hook.h"#include "winpe.h"Go to the source code of this file.
Macros | |
| #define | NAMEHASH_FLTMGR 0x4283398b |
Functions | |
| static INTSTATUS | IntWinDrvObjUnprotectFastIoDispatch (WIN_DRIVER_OBJECT *DriverObject) |
| Deactivates the protection for the fast IO dispatch structure of a driver object. More... | |
| static INTSTATUS | IntWinDrvObjProtectFastIoDispatch (WIN_DRIVER_OBJECT *DriverObject) |
| Deactivates the protection for the fast IO dispatch structure of a driver object. More... | |
| BOOLEAN | IntWinDrvObjIsValidDriverObject (QWORD DriverObjectAddress) |
| Checks if a guest memory area contains a valid _DRIVER_OBJECT structure. More... | |
| INTSTATUS | IntWinDrvObjCreateFromAddress (QWORD GuestAddress, BOOLEAN StaticDetected, PWIN_DRIVER_OBJECT *DriverObject) |
| Creates a new driver object. More... | |
| PWIN_DRIVER_OBJECT | IntWinDrvObjFindByDrvObj (QWORD Gva) |
| Finds a driver object in the gWinDriverObjects list by its guest virtual address. More... | |
| PWIN_DRIVER_OBJECT | IntWinDrvObjFindByOwnerAddress (QWORD Owner) |
| Finds a driver object in the gWinDriverObjects list by the base of the kernel module that owns it. More... | |
| static INTSTATUS | IntWinDrvObjSendEptAlert (EXCEPTION_VICTIM_ZONE const *Victim, EXCEPTION_KM_ORIGINATOR const *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason) |
| Sends an introEventEptViolation alert for a protected driver object. More... | |
| static INTSTATUS | IntWinDrvObjSendIntegrityAlert (EXCEPTION_VICTIM_ZONE const *Victim, EXCEPTION_KM_ORIGINATOR const *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason) |
| Sends an introEventIntegrityViolation alert for a protected driver object. More... | |
| static INTSTATUS | IntWinDrvObjHandleWrite (WIN_DRIVER_OBJECT *Context, HOOK_GPA const *Hook, QWORD Address, INTRO_ACTION *Action) |
| Handles writes done over a protected driver object. More... | |
| static INTSTATUS | IntWinDrvObjHandleModification (INTEGRITY_REGION *IntegrityRegion) |
| Handles writes done over a protected driver object. More... | |
| INTSTATUS | IntWinDrvObjUnprotect (WIN_DRIVER_OBJECT *DriverObject) |
| Deactivates protection for a driver object and its fast IO dispatch structure. More... | |
| INTSTATUS | IntWinDrvObjProtect (WIN_DRIVER_OBJECT *DriverObject) |
| Protects a driver object and its fast IO dispatch table, if one exists. More... | |
| INTSTATUS | IntWinDrvObjRemoveFromAddress (QWORD DriverObjectAddress) |
| Frees and removes protection for a driver object by its address. More... | |
| static void | IntWinDrvObjFreeDriverObject (WIN_DRIVER_OBJECT *DriverObject) |
| Frees a driver object. More... | |
| INTSTATUS | IntWinDrvObjRemove (WIN_DRIVER_OBJECT *DriverObject) |
| Removes a driver object and updates its owner module. More... | |
| INTSTATUS | IntWinDrvObjUpdateProtection (void) |
| Updates the protection for all the driver objects in the gWinDriverObjects list. More... | |
| INTSTATUS | IntWinDrvObjUninit (void) |
| Removes all the driver objects in the gWinDriverObjects. More... | |
Variables | |
| static LIST_HEAD | gWinDriverObjects = LIST_HEAD_INIT(gWinDriverObjects) |
| List of all the loaded Windows driver objects. More... | |
| #define NAMEHASH_FLTMGR 0x4283398b |
Referenced by IntWinDrvObjHandleModification().
| INTSTATUS IntWinDrvObjCreateFromAddress | ( | QWORD | GuestAddress, |
| BOOLEAN | StaticDetected, | ||
| PWIN_DRIVER_OBJECT * | DriverObject | ||
| ) |
Creates a new driver object.
If a driver object for GuestAddress is already known this function does nothing. This function assumes that GuestAddress points to a valid driver object. IntWinDrvObjIsValidDriverObject should be used to validate that this is true before calling this function. The driver will be inserted in the gWinDriverObjects list and will be protected (alongside its fast IO dispatch structure), if necessary.
| [in] | GuestAddress | Guest virtual address at which the _DRIVER_OBJECT structure is found. |
| [in] | StaticDetected | True if the driver object was detected after it was created, through a memory scan. False if it was detected when it was created. |
| [out] | DriverObject | On success, will contain a pointer to the created WIN_DRIVER_OBJECT. If a driver object already exists for GuestAddress it will point to that driver object. May be NULL. |
| INT_STATUS_SUCCESS | in case of success. |
| INT_STATUS_NOT_NEEDED_HINT | if a driver object for GuestAddress already exists. |
| INT_STATUS_INSUFFICIENT_RESOURCES | if not enough memory is available. |
Definition at line 227 of file windrvobj.c.
Referenced by IntWinDrvHandleDriverEntry(), and IntWinObjHandleDriverDirectoryEntryInMemory().
| PWIN_DRIVER_OBJECT IntWinDrvObjFindByDrvObj | ( | QWORD | Gva | ) |
Finds a driver object in the gWinDriverObjects list by its guest virtual address.
| [in] | Gva | Guest virtual address to search by. |
Definition at line 424 of file windrvobj.c.
Referenced by IntWinDrvObjCreateFromAddress().
| PWIN_DRIVER_OBJECT IntWinDrvObjFindByOwnerAddress | ( | QWORD | Owner | ) |
Finds a driver object in the gWinDriverObjects list by the base of the kernel module that owns it.
| [in] | Owner | Guest virtual address to search by. |
Definition at line 453 of file windrvobj.c.
|
static |
Frees a driver object.
This will free the driver object itself and the memory allocated for its name.
| [in] | DriverObject | Object to free. The pointer will no longer be valid after this function returns. |
Definition at line 1323 of file windrvobj.c.
Referenced by IntWinDrvObjRemove().
|
static |
Handles writes done over a protected driver object.
This is the integrity write callback set by IntWinDrvObjProtect or by IntWinDrvObjProtectFastIoDispatch. If the fast IO dispatch pointer is changed by fltmgr, the write is allowed.
| [in,out] | IntegrityRegion | The integrity region used to protect the driver object. |
Definition at line 837 of file windrvobj.c.
Referenced by IntWinDrvObjProtect(), and IntWinDrvObjProtectFastIoDispatch().
|
static |
Handles writes done over a protected driver object.
This is the EPT write callback set by IntWinDrvObjProtect. If the write relocates the fast IO dispatch, this will send an introEventEptViolation with the object type introObjectTypeFastIoDispatch. Otherwise, the type will be introObjectTypeDriverObject. If the guest physical address of the driver object has been changed, the WIN_DRIVER_OBJECT.DriverObjectGpa field will be updated here. This will also update the WIN_KERNEL_DRIVER structure of the owner module with a pointer to the driver object, the link has not been previously established. If the old fast IO dispatch pointer was 0, the newly written one is considered to be the good one and it will be protected and the write will be allowed.
| [in] | Context | Context passed by IntWinDrvObjProtect when the hook was set. This will be the protected driver object. |
| [in] | Hook | The GPA hook object for this hook. |
| [in] | Address | The accessed guest physical address. |
| [out] | Action | The action that must be taken. |
| INT_STATUS_SUCCESS | in case of success. |
| INT_STATUS_NOT_SUPPORTED | if the fast IO dispatch is relocated and the new value is non zero and not inside the kernel virtual address space. |
Definition at line 600 of file windrvobj.c.
Referenced by IntWinDrvObjProtect().
Checks if a guest memory area contains a valid _DRIVER_OBJECT structure.
The check is based on invariants:
The DRIVER_OBJECT64 definition is used for the checks on 64-bit guests; the DRIVER_OBJECT32 definition is used for 32-bit guests.
| [in] | DriverObjectAddress | The guest virtual address to check. |
Definition at line 28 of file windrvobj.c.
Referenced by IntWinDrvHandleDriverEntry(), and IntWinObjHandleDriverDirectoryEntryInMemory().
| INTSTATUS IntWinDrvObjProtect | ( | WIN_DRIVER_OBJECT * | DriverObject | ) |
Protects a driver object and its fast IO dispatch table, if one exists.
This will set an EPT or an integrity hook for the driver object and an integrity hook for the fast IO dispatch table.
| [in,out] | DriverObject | Driver object to be protected. |
| INT_STATUS_SUCCESS | in case of success. |
| INT_STATUS_INVALID_PARAMETER_1 | if DriverObject is NULL. |
Definition at line 1164 of file windrvobj.c.
Referenced by IntWinDrvObjCreateFromAddress(), and IntWinDrvObjUpdateProtection().
|
static |
Deactivates the protection for the fast IO dispatch structure of a driver object.
The fast IO dispatch structure is always protected with the integrity mechanism, even if we used an EPT hook for the driver object itself. This is done because hooking the page with the fast IO dispatch may generate a lot of unrelated EPT violations.
| [in] | DriverObject | The driver object for which to activate the fast IO dispatch protection. |
| INT_STATUS_SUCCESS | in case of success. |
| INT_STATUS_NOT_NEEDED_HINT | if the fast IO dispatch address is 0. |
Definition at line 1054 of file windrvobj.c.
Referenced by IntWinDrvObjHandleModification(), IntWinDrvObjHandleWrite(), and IntWinDrvObjProtect().
| INTSTATUS IntWinDrvObjRemove | ( | WIN_DRIVER_OBJECT * | DriverObject | ) |
Removes a driver object and updates its owner module.
If there is a KERNEL_DRIVER that owns this driver object, it's DriverObject field will be set to NULL.
| [in] | DriverObject | Object to remove. |
| INT_STATUS_SUCCESS | in case of success. |
| INT_STATUS_INVALID_PARAMETER_1 | if DriverObject is NULL. |
Definition at line 1344 of file windrvobj.c.
Referenced by IntWinDrvObjCreateFromAddress(), IntWinDrvObjRemoveFromAddress(), IntWinDrvObjUninit(), and IntWinDrvRemoveEntry().
Frees and removes protection for a driver object by its address.
| [in] | DriverObjectAddress | Guest virtual address of the driver object. |
| INT_STATUS_SUCCESS | in case of success. |
| INT_STATUS_NOT_FOUND | if no driver object is found. |
Definition at line 1246 of file windrvobj.c.
Referenced by IntWinPoolHandleFree().
|
static |
Sends an introEventEptViolation alert for a protected driver object.
| [in] | Victim | The victim information, as obtained from the exception mechanism. |
| [in] | Originator | Originator information, as obtained from the exception mechanism. |
| [in] | Action | The action that was taken. |
| [in] | Reason | The reason for which Action was taken. |
Definition at line 482 of file windrvobj.c.
Referenced by IntWinDrvObjHandleWrite().
|
static |
Sends an introEventIntegrityViolation alert for a protected driver object.
| [in] | Victim | The victim information, as obtained from the exception mechanism. |
| [in] | Originator | Originator information, as obtained from the exception mechanism. |
| [in] | Action | The action that was taken. |
| [in] | Reason | The reason for which Action was taken. |
Definition at line 537 of file windrvobj.c.
Referenced by IntWinDrvObjHandleModification().
| INTSTATUS IntWinDrvObjUninit | ( | void | ) |
Removes all the driver objects in the gWinDriverObjects.
This will free any resources held by the driver objects and will remove their protection.
Definition at line 1429 of file windrvobj.c.
Referenced by IntWinGuestUninit().
| INTSTATUS IntWinDrvObjUnprotect | ( | WIN_DRIVER_OBJECT * | DriverObject | ) |
Deactivates protection for a driver object and its fast IO dispatch structure.
| [in,out] | DriverObject | The object for which the protection will be removed. |
| INT_STATUS_SUCCESS | in case of success. |
| INT_STATUS_INVALID_PARAMETER_1 | if DriverObject is NULL. |
| INT_STATUS_NOT_NEEDED_HINT | if the driver object is not protected. There is no need to also check the fast IO dispatch, as it can not be protected if the driver object itself is not protected. |
Definition at line 1100 of file windrvobj.c.
Referenced by IntWinDrvObjRemove(), and IntWinDrvObjUpdateProtection().
|
static |
Deactivates the protection for the fast IO dispatch structure of a driver object.
| [in] | DriverObject | The driver object for which to deactivate the fast IO dispatch protection. |
| INT_STATUS_SUCCESS | in case of success. |
| INT_STATUS_NOT_NEEDED_HINT | if the fast IO dispatch is not protected. |
Definition at line 1014 of file windrvobj.c.
Referenced by IntWinDrvObjHandleModification(), IntWinDrvObjHandleWrite(), IntWinDrvObjRemoveFromAddress(), and IntWinDrvObjUnprotect().
| INTSTATUS IntWinDrvObjUpdateProtection | ( | void | ) |
Updates the protection for all the driver objects in the gWinDriverObjects list.
Based on new core options (Activation and protection flags) protection will be activated or deactivated.
Definition at line 1385 of file windrvobj.c.
Referenced by IntGuestUpdateCoreOptions().
|
static |
List of all the loaded Windows driver objects.
Definition at line 14 of file windrvobj.c.
1.8.13