Bitdefender Hypervisor Memory Introspection
windrvobj.h
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2020 Bitdefender
3  * SPDX-License-Identifier: Apache-2.0
4  */
5 #ifndef _WINDRVOBJ_H_
6 #define _WINDRVOBJ_H_
7 
8 #include "introtypes.h"
9 
13 typedef struct _WIN_DRIVER_OBJECT
14 {
16  LIST_ENTRY Link;
18  QWORD DriverObjectGva;
25  QWORD DriverObjectGpa;
27  QWORD FastIOTableAddress;
30  PWCHAR Name;
32  DWORD NameLen;
34  DWORD NameHash;
38  QWORD Owner;
39 
43  void *DrvobjHookObject;
47  void *DrvobjIntegrityObject;
52  void *FiodispIntegrityObject;
53 
55  BOOLEAN DrvobjProtected;
57  BOOLEAN FiodispProtected;
66  BOOLEAN Aligned;
67 } WIN_DRIVER_OBJECT, *PWIN_DRIVER_OBJECT;
68 
69 
70 BOOLEAN
71 IntWinDrvObjIsValidDriverObject(
72  _In_ QWORD DriverObjectAddress
73  );
74 
75 PWIN_DRIVER_OBJECT
76 IntWinDrvObjFindByDrvObj(
77  _In_ QWORD Gva
78  );
79 
80 PWIN_DRIVER_OBJECT
81 IntWinDrvObjFindByOwnerAddress(
82  _In_ QWORD Owner
83  );
84 
85 INTSTATUS
86 IntWinDrvObjCreateFromAddress(
87  _In_ QWORD GuestAddress,
88  _In_ BOOLEAN StaticDetected,
89  _Out_opt_ PWIN_DRIVER_OBJECT *DriverObject
90  );
91 
92 INTSTATUS
93 IntWinDrvObjRemoveFromAddress(
94  _In_ QWORD DriverObjectAddress
95  );
96 
97 INTSTATUS
98 IntWinDrvObjProtect(
99  _Inout_ WIN_DRIVER_OBJECT *DriverObject
100  );
101 
102 INTSTATUS
103 IntWinDrvObjUnprotect(
104  _Inout_ WIN_DRIVER_OBJECT *DriverObject
105  );
106 
107 INTSTATUS
108 IntWinDrvObjRemove(
109  _Inout_ WIN_DRIVER_OBJECT *DriverObject
110  );
111 
112 INTSTATUS
113 IntWinDrvObjUpdateProtection(
114  void
115  );
116 
117 INTSTATUS
118 IntWinDrvObjUninit(
119  void
120  );
121 
122 #endif // _WINDRVOBJ_H_
PWCHAR
uint16_t * PWCHAR
Definition: intro_types.h:63
_WIN_DRIVER_OBJECT::DriverObjectGva
QWORD DriverObjectGva
The guest virtual address of the guest _DRIVER_OBJECT represented by this structure.
Definition: windrvobj.h:18
_WIN_DRIVER_OBJECT::Link
LIST_ENTRY Link
Entry inside the gWinDriverObjects list.
Definition: windrvobj.h:16
BOOLEAN
_Bool BOOLEAN
Definition: intro_types.h:58
_In_
#define _In_
Definition: intro_sal.h:21
_WIN_DRIVER_OBJECT::DrvobjIntegrityObject
void * DrvobjIntegrityObject
The integrity object used for the _DRIVER_OBJECT structure.
Definition: windrvobj.h:47
IntWinDrvObjFindByDrvObj
PWIN_DRIVER_OBJECT IntWinDrvObjFindByDrvObj(QWORD Gva)
Finds a driver object in the gWinDriverObjects list by its guest virtual address. ...
Definition: windrvobj.c:424
IntWinDrvObjCreateFromAddress
INTSTATUS IntWinDrvObjCreateFromAddress(QWORD GuestAddress, BOOLEAN StaticDetected, PWIN_DRIVER_OBJECT *DriverObject)
Creates a new driver object.
Definition: windrvobj.c:227
IntWinDrvObjUninit
INTSTATUS IntWinDrvObjUninit(void)
Removes all the driver objects in the gWinDriverObjects.
Definition: windrvobj.c:1429
INTSTATUS
int INTSTATUS
The status data type.
Definition: introstatus.h:24
IntWinDrvObjProtect
INTSTATUS IntWinDrvObjProtect(WIN_DRIVER_OBJECT *DriverObject)
Protects a driver object and its fast IO dispatch table, if one exists.
Definition: windrvobj.c:1164
IntWinDrvObjUpdateProtection
INTSTATUS IntWinDrvObjUpdateProtection(void)
Updates the protection for all the driver objects in the gWinDriverObjects list.
Definition: windrvobj.c:1385
IntWinDrvObjUnprotect
INTSTATUS IntWinDrvObjUnprotect(WIN_DRIVER_OBJECT *DriverObject)
Deactivates protection for a driver object and its fast IO dispatch structure.
Definition: windrvobj.c:1100
WIN_DRIVER_OBJECT
struct _WIN_DRIVER_OBJECT WIN_DRIVER_OBJECT
Holds information about a driver object.
_Inout_
#define _Inout_
Definition: intro_sal.h:20
_WIN_DRIVER_OBJECT::DrvobjHookObject
void * DrvobjHookObject
The EPT hook object used for the _DRIVER_OBJECT structure.
Definition: windrvobj.h:43
_Out_opt_
#define _Out_opt_
Definition: intro_sal.h:30
IntWinDrvObjFindByOwnerAddress
PWIN_DRIVER_OBJECT IntWinDrvObjFindByOwnerAddress(QWORD Owner)
Finds a driver object in the gWinDriverObjects list by the base of the kernel module that owns it...
Definition: windrvobj.c:453
_WIN_DRIVER_OBJECT::FastIOTableAddress
QWORD FastIOTableAddress
The guest virtual address of the _FAST_IO_DISPATCH structure used by this driver object. May be 0.
Definition: windrvobj.h:27
IntWinDrvObjRemove
INTSTATUS IntWinDrvObjRemove(WIN_DRIVER_OBJECT *DriverObject)
Removes a driver object and updates its owner module.
Definition: windrvobj.c:1344
_WIN_DRIVER_OBJECT
Holds information about a driver object.
Definition: windrvobj.h:13
QWORD
unsigned long long QWORD
Definition: intro_types.h:53
_WIN_DRIVER_OBJECT::NameHash
DWORD NameHash
Hash of the Name.
Definition: windrvobj.h:34
_WIN_DRIVER_OBJECT::Owner
QWORD Owner
Guest virtual address of the kernel module that owns this driver object.
Definition: windrvobj.h:38
_WIN_DRIVER_OBJECT::DriverObjectGpa
QWORD DriverObjectGpa
The guest physical address of the guest _DRIVER_OBJECT represented by this structure.
Definition: windrvobj.h:25
DWORD
uint32_t DWORD
Definition: intro_types.h:49
_WIN_DRIVER_OBJECT::Name
PWCHAR Name
NULL-terminated wide-char string containing the name of the driver, as taken from the guest driver ob...
Definition: windrvobj.h:30
_WIN_DRIVER_OBJECT::Aligned
BOOLEAN Aligned
True if the driver object allocation is page aligned.
Definition: windrvobj.h:66
IntWinDrvObjIsValidDriverObject
BOOLEAN IntWinDrvObjIsValidDriverObject(QWORD DriverObjectAddress)
Checks if a guest memory area contains a valid _DRIVER_OBJECT structure.
Definition: windrvobj.c:28
PWIN_DRIVER_OBJECT
struct _WIN_DRIVER_OBJECT * PWIN_DRIVER_OBJECT
_WIN_DRIVER_OBJECT::DrvobjProtected
BOOLEAN DrvobjProtected
True if the driver object structure is protected.
Definition: windrvobj.h:55
_WIN_DRIVER_OBJECT::FiodispProtected
BOOLEAN FiodispProtected
True if the fast IO dispatch structure is protected.
Definition: windrvobj.h:57
_WIN_DRIVER_OBJECT::FiodispIntegrityObject
void * FiodispIntegrityObject
The integrity object used for the _FAST_IO_DISPATCH structure.
Definition: windrvobj.h:52
_LIST_ENTRY
Definition: introlists.h:16
IntWinDrvObjRemoveFromAddress
INTSTATUS IntWinDrvObjRemoveFromAddress(QWORD DriverObjectAddress)
Frees and removes protection for a driver object by its address.
Definition: windrvobj.c:1246
_WIN_DRIVER_OBJECT::NameLen
DWORD NameLen
The length, in characters, of Name, not including the NULL-terminator.
Definition: windrvobj.h:32