- Generated by
1.8.13
|
Bitdefender Hypervisor Memory Introspection
|
#include "introtypes.h"Go to the source code of this file.
Data Structures | |
| struct | _WIN_DRIVER_OBJECT |
| Holds information about a driver object. More... | |
Typedefs | |
| typedef struct _WIN_DRIVER_OBJECT | WIN_DRIVER_OBJECT |
| Holds information about a driver object. More... | |
| typedef struct _WIN_DRIVER_OBJECT * | PWIN_DRIVER_OBJECT |
Functions | |
| BOOLEAN | IntWinDrvObjIsValidDriverObject (QWORD DriverObjectAddress) |
| Checks if a guest memory area contains a valid _DRIVER_OBJECT structure. More... | |
| PWIN_DRIVER_OBJECT | IntWinDrvObjFindByDrvObj (QWORD Gva) |
| Finds a driver object in the gWinDriverObjects list by its guest virtual address. More... | |
| PWIN_DRIVER_OBJECT | IntWinDrvObjFindByOwnerAddress (QWORD Owner) |
| Finds a driver object in the gWinDriverObjects list by the base of the kernel module that owns it. More... | |
| INTSTATUS | IntWinDrvObjCreateFromAddress (QWORD GuestAddress, BOOLEAN StaticDetected, PWIN_DRIVER_OBJECT *DriverObject) |
| Creates a new driver object. More... | |
| INTSTATUS | IntWinDrvObjRemoveFromAddress (QWORD DriverObjectAddress) |
| Frees and removes protection for a driver object by its address. More... | |
| INTSTATUS | IntWinDrvObjProtect (WIN_DRIVER_OBJECT *DriverObject) |
| Protects a driver object and its fast IO dispatch table, if one exists. More... | |
| INTSTATUS | IntWinDrvObjUnprotect (WIN_DRIVER_OBJECT *DriverObject) |
| Deactivates protection for a driver object and its fast IO dispatch structure. More... | |
| INTSTATUS | IntWinDrvObjRemove (WIN_DRIVER_OBJECT *DriverObject) |
| Removes a driver object and updates its owner module. More... | |
| INTSTATUS | IntWinDrvObjUpdateProtection (void) |
| Updates the protection for all the driver objects in the gWinDriverObjects list. More... | |
| INTSTATUS | IntWinDrvObjUninit (void) |
| Removes all the driver objects in the gWinDriverObjects. More... | |
| typedef struct _WIN_DRIVER_OBJECT * PWIN_DRIVER_OBJECT |
| typedef struct _WIN_DRIVER_OBJECT WIN_DRIVER_OBJECT |
Holds information about a driver object.
| INTSTATUS IntWinDrvObjCreateFromAddress | ( | QWORD | GuestAddress, |
| BOOLEAN | StaticDetected, | ||
| PWIN_DRIVER_OBJECT * | DriverObject | ||
| ) |
Creates a new driver object.
If a driver object for GuestAddress is already known this function does nothing. This function assumes that GuestAddress points to a valid driver object. IntWinDrvObjIsValidDriverObject should be used to validate that this is true before calling this function. The driver will be inserted in the gWinDriverObjects list and will be protected (alongside its fast IO dispatch structure), if necessary.
| [in] | GuestAddress | Guest virtual address at which the _DRIVER_OBJECT structure is found. |
| [in] | StaticDetected | True if the driver object was detected after it was created, through a memory scan. False if it was detected when it was created. |
| [out] | DriverObject | On success, will contain a pointer to the created WIN_DRIVER_OBJECT. If a driver object already exists for GuestAddress it will point to that driver object. May be NULL. |
| INT_STATUS_SUCCESS | in case of success. |
| INT_STATUS_NOT_NEEDED_HINT | if a driver object for GuestAddress already exists. |
| INT_STATUS_INSUFFICIENT_RESOURCES | if not enough memory is available. |
Definition at line 227 of file windrvobj.c.
Referenced by IntWinDrvHandleDriverEntry(), and IntWinObjHandleDriverDirectoryEntryInMemory().
| PWIN_DRIVER_OBJECT IntWinDrvObjFindByDrvObj | ( | QWORD | Gva | ) |
Finds a driver object in the gWinDriverObjects list by its guest virtual address.
| [in] | Gva | Guest virtual address to search by. |
Definition at line 424 of file windrvobj.c.
Referenced by IntWinDrvObjCreateFromAddress().
| PWIN_DRIVER_OBJECT IntWinDrvObjFindByOwnerAddress | ( | QWORD | Owner | ) |
Finds a driver object in the gWinDriverObjects list by the base of the kernel module that owns it.
| [in] | Owner | Guest virtual address to search by. |
Definition at line 453 of file windrvobj.c.
Checks if a guest memory area contains a valid _DRIVER_OBJECT structure.
The check is based on invariants:
The DRIVER_OBJECT64 definition is used for the checks on 64-bit guests; the DRIVER_OBJECT32 definition is used for 32-bit guests.
| [in] | DriverObjectAddress | The guest virtual address to check. |
Definition at line 28 of file windrvobj.c.
Referenced by IntWinDrvHandleDriverEntry(), and IntWinObjHandleDriverDirectoryEntryInMemory().
| INTSTATUS IntWinDrvObjProtect | ( | WIN_DRIVER_OBJECT * | DriverObject | ) |
Protects a driver object and its fast IO dispatch table, if one exists.
This will set an EPT or an integrity hook for the driver object and an integrity hook for the fast IO dispatch table.
| [in,out] | DriverObject | Driver object to be protected. |
| INT_STATUS_SUCCESS | in case of success. |
| INT_STATUS_INVALID_PARAMETER_1 | if DriverObject is NULL. |
Definition at line 1164 of file windrvobj.c.
Referenced by IntWinDrvObjCreateFromAddress(), and IntWinDrvObjUpdateProtection().
| INTSTATUS IntWinDrvObjRemove | ( | WIN_DRIVER_OBJECT * | DriverObject | ) |
Removes a driver object and updates its owner module.
If there is a KERNEL_DRIVER that owns this driver object, it's DriverObject field will be set to NULL.
| [in] | DriverObject | Object to remove. |
| INT_STATUS_SUCCESS | in case of success. |
| INT_STATUS_INVALID_PARAMETER_1 | if DriverObject is NULL. |
Definition at line 1344 of file windrvobj.c.
Referenced by IntWinDrvObjCreateFromAddress(), IntWinDrvObjRemoveFromAddress(), IntWinDrvObjUninit(), and IntWinDrvRemoveEntry().
Frees and removes protection for a driver object by its address.
| [in] | DriverObjectAddress | Guest virtual address of the driver object. |
| INT_STATUS_SUCCESS | in case of success. |
| INT_STATUS_NOT_FOUND | if no driver object is found. |
Definition at line 1246 of file windrvobj.c.
Referenced by IntWinPoolHandleFree().
| INTSTATUS IntWinDrvObjUninit | ( | void | ) |
Removes all the driver objects in the gWinDriverObjects.
This will free any resources held by the driver objects and will remove their protection.
Definition at line 1429 of file windrvobj.c.
Referenced by IntWinGuestUninit().
| INTSTATUS IntWinDrvObjUnprotect | ( | WIN_DRIVER_OBJECT * | DriverObject | ) |
Deactivates protection for a driver object and its fast IO dispatch structure.
| [in,out] | DriverObject | The object for which the protection will be removed. |
| INT_STATUS_SUCCESS | in case of success. |
| INT_STATUS_INVALID_PARAMETER_1 | if DriverObject is NULL. |
| INT_STATUS_NOT_NEEDED_HINT | if the driver object is not protected. There is no need to also check the fast IO dispatch, as it can not be protected if the driver object itself is not protected. |
Definition at line 1100 of file windrvobj.c.
Referenced by IntWinDrvObjRemove(), and IntWinDrvObjUpdateProtection().
| INTSTATUS IntWinDrvObjUpdateProtection | ( | void | ) |
Updates the protection for all the driver objects in the gWinDriverObjects list.
Based on new core options (Activation and protection flags) protection will be activated or deactivated.
Definition at line 1385 of file windrvobj.c.
Referenced by IntGuestUpdateCoreOptions().
1.8.13