- Generated by
1.8.13
|
Bitdefender Hypervisor Memory Introspection
|
Go to the source code of this file.
Data Structures | |
| struct | _PROTECTED_PROCESS_INFO |
| Encapsulates a protected Windows process. More... | |
| struct | _WIN_UNEXPORTED_FUNCTION_PATTERN |
| Describes a pattern for a kernel function that is not exported. More... | |
| struct | _WIN_UNEXPORTED_FUNCTION |
| Describes a function that is not exported. More... | |
| struct | _PROTECTED_MODULE_INFO |
| Encapsulates a protected Windows kernel module. More... | |
| struct | _WIN_OPAQUE_FIELDS |
| Contains information about various Windows user mode and kernel mode structures.Everything about a structure of interest should be placed here (size, field offsets, etc). The Km structure contains information about kernel objects, while the Um field contains information about user mode objects. Each structure has a specific tag (WIN_KM_STRUCTURE for Km, WIN_UM_STRUCTURE for Um) which is used to identify it. Each entry inside an array contains specific information. The specific WIN_UM_FIELD and WIN_KM_FIELD structures describe the information found at each index in these arrays. For example, the WIN_KM_FIELD_PROCESS enum describes the information found in the Km.Process array. If the offset at which the name of a process is found inside the kernel _EPROCESS structure is needed, it can be obtained by looking at Km.Process[winKmFieldProcessName]. In order to simplify this, the WIN_KM_FIELD macro can be used: WIN_OPAQUE_FIELDS(Process, Name). A similar approach is available for user mode fields with the WIN_UM_FIELD macro. These fields are set when a CAMI file is loaded at initialization time, in the IntCamiLoadOpaqueFields function. If the loaded CAMI file contains a structure that is not known by introcore, or contains more field than the current introcore version uses, the extra information is discarded. This is why new fields should be added right before the End tags, in order to preserve the current order and allow older introcore versions to load newer CAMI files. More... | |
| struct | _WIN_MODULE_UNIQUE_KEY |
| Information that can identify a module. More... | |
| struct | _WINDOWS_GUEST |
| Holds information about a Windows guest. More... | |
| struct | _WIN_INIT_SWAP |
| The initialization swap handle. More... | |
Macros | |
| #define | IMAGE_BASE_NAME_LEN 16u |
| The maximum length of a process name. More... | |
| #define | IMAGE_FULL_PATH_LEN 260u |
| The maximum length of a process path. More... | |
| #define | PROT_PROC_FLAG_NO_PATH 0x00000001 |
| Flag used to represent internally that a process is protected by name, not by path. More... | |
| #define | WIN_KM_FIELD(Structure, Field) gWinGuest->OsSpecificFields.Km.Structure[winKmField##Structure##Field] |
| Macro used to access kernel mode fields inside the WIN_OPAQUE_FIELDS structure. More... | |
| #define | WIN_SYSCALL_NUMBER(Syscall) WIN_KM_FIELD(SyscallNumbers, Syscall) |
| Macro used to access syscall numbers from inside the WIN_OPAQUE_FIELDS structure. More... | |
| #define | WIN_UM_FIELD(Structure, Field) gWinGuest->OsSpecificFields.Um.Structure[winUmField##Structure##Field] |
| Macro used to access user mode fields inside the WIN_OPAQUE_FIELDS structure. More... | |
Typedefs | |
| typedef struct _GUEST_STATE | GUEST_STATE |
| typedef struct _GUEST_STATE * | PGUEST_STATE |
| typedef struct _PROTECTED_PROCESS_INFO | PROTECTED_PROCESS_INFO |
| Encapsulates a protected Windows process. More... | |
| typedef struct _PROTECTED_PROCESS_INFO * | PPROTECTED_PROCESS_INFO |
| typedef struct _WIN_UNEXPORTED_FUNCTION_PATTERN | WIN_UNEXPORTED_FUNCTION_PATTERN |
| Describes a pattern for a kernel function that is not exported. More... | |
| typedef struct _WIN_UNEXPORTED_FUNCTION_PATTERN * | PWIN_UNEXPORTED_FUNCTION_PATTERN |
| typedef struct _WIN_UNEXPORTED_FUNCTION | WIN_UNEXPORTED_FUNCTION |
| Describes a function that is not exported. More... | |
| typedef struct _WIN_UNEXPORTED_FUNCTION * | PWIN_UNEXPORTED_FUNCTION |
| typedef struct _PROTECTED_MODULE_INFO | PROTECTED_MODULE_INFO |
| Encapsulates a protected Windows kernel module. More... | |
| typedef struct _PROTECTED_MODULE_INFO * | PPROTECTED_MODULE_INFO |
| typedef enum _WIN_UM_FIELD_DLL | WIN_UM_FIELD_DLL |
| Indexes in the WIN_OPAQUE_FIELDS.Um.Dll array, containing offsets inside the _LDR_DATA_TABLE_ENTRY structure. More... | |
| typedef enum _WIN_UM_FIELD_PEB | WIN_UM_FIELD_PEB |
| Indexes in the WIN_OPAQUE_FIELDS.Um.Peb array, containing offsets inside the _PEB structure.These are the indexes of the offsets inside the WIN_OPAQUE_FIELDS.Um.Peb array. The WIN_UM_FIELD can be used to access these more easily. More... | |
| typedef enum _WIN_UM_FIELD_TEB | WIN_UM_FIELD_TEB |
| Indexes in the WIN_OPAQUE_FIELDS.Um.Teb array, containing offsets inside the _TEB structure.The WIN_UM_FIELD macro can be used to access these more easily. More... | |
| typedef enum _WIN_KM_STRUCTURE | WIN_KM_STRUCTURE |
| Structure tags used for the kernel mode structures.Each of these refers to a WIN_OPAQUE_FIELDS.Km field. More... | |
| typedef enum _WIN_UM_STRUCTURE | WIN_UM_STRUCTURE |
| Structure tags used for the user mode structures.Each of these refers to a WIN_OPAQUE_FIELDS.Um field. More... | |
| typedef enum _WIN_KM_FIELD_PROCESS | WIN_KM_FIELD_PROCESS |
| Indexes in the WIN_OPAQUE_FIELDS.Km.Process array, containing offsets inside the _EPROCESS structure.The WIN_KM_FIELD macro can be used to access these more easily. More... | |
| typedef enum _WIN_KM_FIELD_THREAD | WIN_KM_FIELD_THREAD |
| Indexes in the WIN_OPAQUE_FIELDS.Km.Thread array, containing offsets inside the _ETHREAD structure.The WIN_KM_FIELD macro can be used to access these more easily. More... | |
| typedef enum _WIN_KM_FIELD_DRVOBJ | WIN_KM_FIELD_DRVOBJ |
| Indexes in the WIN_OPAQUE_FIELDS.Km.DrvObj array, containing information about the _DRIVER_OBJECT structure.The WIN_KM_FIELD macro can be used to access these more easily. More... | |
| typedef enum _WIN_KM_FIELD_PCR | WIN_KM_FIELD_PCR |
| Indexes in the WIN_OPAQUE_FIELDS.Km.Pcr array, containing information about the _KPCR structure.The WIN_KM_FIELD macro can be used to access these more easily. More... | |
| typedef enum _WIN_KM_FIELD_POOLDESCRIPTOR | WIN_KM_FIELD_POOLDESCRIPTOR |
| Indexes in the WIN_OPAQUE_FIELDS.Km.PoolDescriptor array, containing information about the _POOL_DESCRIPTOR structure.The WIN_KM_FIELD macro can be used to access these more easily. More... | |
| typedef enum _WIN_KM_FIELD_MMPFN | WIN_KM_FIELD_MMPFN |
| Indexes in the WIN_OPAQUE_FIELDS.Km.Mmpfn array, containing information about the _MMPFN structure.For 32-bit versions of the OS, this is split into two sections: PAE and non-PAE, as Windows versions prior to Windows 8 were able to boot without PAE support and in those cases the _MMPFN structure was different. For 32-bit guests with PAE enabled (gGuest->Mm.Mode is PAGING_PAE_MODE in those cases) the Pae version of the tags should be used. For the other guests, the normal versions should be used. More... | |
| typedef enum _WIN_KM_FIELD_TOKEN | WIN_KM_FIELD_TOKEN |
| Indexes in the WIN_OPAQUE_FIELDS.Km.Token array, containing information about the _TOKEN structure.The WIN_KM_FIELD macro can be used to access these more easily. More... | |
| typedef enum _WIN_KM_FIELD_UNGROUPED | WIN_KM_FIELD_UNGROUPED |
| Indexes in the WIN_OPAQUE_FIELDS.Km.Ungrouped array, containing information about various kernel structures or data.The WIN_KM_FIELD macro can be used to access these more easily. More... | |
| typedef enum _WIN_KM_FIELD_EPROCESSFLAGS | WIN_KM_FIELD_EPROCESSFLAGS |
| Indexes in the WIN_OPAQUE_FIELDS.Km.EprocessFlags array, containing information about the flags inside the _EPROCESS structure.The WIN_KM_FIELD macro can be used to access these more easily. More... | |
| typedef enum _WIN_KM_FIELD_VAD_SHORT | WIN_KM_FIELD_VAD_SHORT |
| Indexes in the WIN_OPAQUE_FIELDS.Km.VadShort array, containing information about the _MMVAD_SHORT structure.The WIN_KM_FIELD macro can be used to access these more easily. More... | |
| typedef enum _WIN_KM_FIELD_VAD_LONG | WIN_KM_FIELD_VAD_LONG |
| Indexes in the WIN_OPAQUE_FIELDS.Km.VadLong array, containing information about the _MMVAD_LONG structure.The WIN_KM_FIELD macro can be used to access these more easily. More... | |
| typedef enum _WIN_KM_FIELD_VADFLAGS | WIN_KM_FIELD_VADFLAGS |
| Indexes in the WIN_OPAQUE_FIELDS.Km.VadFlags array, containing information about the bits in the winKmFieldVadShortFlags field.Certain values are parsed by shifting the flags value and then applying a mask, while boolean values are stored as the bit that must be checked in order to know if that bit is set or not. For example, in order to obtain the type from a 32-bit flags value you need to: More... | |
| typedef enum _WIN_KM_FIELD_SYSCALL_NUMBERS | WIN_KM_FIELD_SYSCALL_NUMBERS |
| Indexes in the WIN_OPAQUE_FIELDS.Km.SyscallNumbers array, containing syscall numbers.The WIN_SYSCALL_NUMBER or WIN_KM_FIELD macros can be used to access these more easily. More... | |
| typedef enum _WIN_KM_FIELD_FILE_OBJECT | WIN_KM_FIELD_FILE_OBJECT |
| Indexes in the WIN_OPAQUE_FIELDS.Km.FileObject array, containing information about the _FILE_OBJECT structure.The WIN_KM_FIELD macros can be used to access these more easily. More... | |
| typedef struct _WIN_OPAQUE_FIELDS | WIN_OPAQUE_FIELDS |
| Contains information about various Windows user mode and kernel mode structures.Everything about a structure of interest should be placed here (size, field offsets, etc). The Km structure contains information about kernel objects, while the Um field contains information about user mode objects. Each structure has a specific tag (WIN_KM_STRUCTURE for Km, WIN_UM_STRUCTURE for Um) which is used to identify it. Each entry inside an array contains specific information. The specific WIN_UM_FIELD and WIN_KM_FIELD structures describe the information found at each index in these arrays. For example, the WIN_KM_FIELD_PROCESS enum describes the information found in the Km.Process array. If the offset at which the name of a process is found inside the kernel _EPROCESS structure is needed, it can be obtained by looking at Km.Process[winKmFieldProcessName]. In order to simplify this, the WIN_KM_FIELD macro can be used: WIN_OPAQUE_FIELDS(Process, Name). A similar approach is available for user mode fields with the WIN_UM_FIELD macro. These fields are set when a CAMI file is loaded at initialization time, in the IntCamiLoadOpaqueFields function. If the loaded CAMI file contains a structure that is not known by introcore, or contains more field than the current introcore version uses, the extra information is discarded. This is why new fields should be added right before the End tags, in order to preserve the current order and allow older introcore versions to load newer CAMI files. More... | |
| typedef struct _WIN_OPAQUE_FIELDS * | PWIN_OPAQUE_FIELDS |
| typedef struct _WIN_MODULE_UNIQUE_KEY | WIN_MODULE_UNIQUE_KEY |
| Information that can identify a module. More... | |
| typedef struct _WIN_MODULE_UNIQUE_KEY | PWIN_MODULE_UNIQUE_KEY |
| typedef struct _WINDOWS_GUEST | WINDOWS_GUEST |
| Holds information about a Windows guest. More... | |
| typedef struct _WINDOWS_GUEST * | PWINDOWS_GUEST |
| typedef struct _WIN_INIT_SWAP | WIN_INIT_SWAP |
| The initialization swap handle. More... | |
| typedef struct _WIN_INIT_SWAP * | PWIN_INIT_SWAP |
Functions | |
| INTSTATUS | IntWinGuestNew (void) |
| Starts the initialization and protection process for a new Windows guest. More... | |
| INTSTATUS | IntWinGuestInit (void) |
| Initializes a new Windows guest. More... | |
| void | IntWinGuestUninit (void) |
| Uninits a Windows guest. More... | |
| void | IntWinGuestCancelKernelRead (void) |
| Cancels the kernel read. More... | |
| INTSTATUS | IntWinGetVersionString (DWORD FullStringSize, DWORD VersionStringSize, CHAR *FullString, CHAR *VersionString) |
| Gets the version string for a Windows guest. More... | |
| #define IMAGE_BASE_NAME_LEN 16u |
The maximum length of a process name.
Definition at line 15 of file winguest.h.
Referenced by IntLixAgentNameIsRunning(), IntWinDpiIsSelf(), IntWinProcAddProtectedProcess(), IntWinProcCreateProcessObject(), IntWinProcDump(), IntWinProcGetImageBaseNameFromPath(), IntWinProcGetNameFromEprocess(), IntWinProcGetNameFromInternalEprocess(), IntWinProcIsPsActiveProcessHead(), IntWinProcRemoveAllProtectedProcesses(), and IntWinProcRemoveProtectedProcess().
| #define IMAGE_FULL_PATH_LEN 260u |
The maximum length of a process path.
Definition at line 18 of file winguest.h.
| #define PROT_PROC_FLAG_NO_PATH 0x00000001 |
Flag used to represent internally that a process is protected by name, not by path.
Definition at line 21 of file winguest.h.
Referenced by IntWinProcAddProtectedProcess(), and IntWinProcGetProtectedInfoEx().
| typedef struct _GUEST_STATE GUEST_STATE |
Definition at line 12 of file winguest.h.
| typedef struct _GUEST_STATE * PGUEST_STATE |
Definition at line 12 of file winguest.h.
| typedef struct _PROTECTED_MODULE_INFO * PPROTECTED_MODULE_INFO |
| typedef struct _PROTECTED_PROCESS_INFO * PPROTECTED_PROCESS_INFO |
| typedef struct _PROTECTED_MODULE_INFO PROTECTED_MODULE_INFO |
Encapsulates a protected Windows kernel module.
| typedef struct _PROTECTED_PROCESS_INFO PROTECTED_PROCESS_INFO |
Encapsulates a protected Windows process.
| typedef struct _WIN_INIT_SWAP * PWIN_INIT_SWAP |
| typedef struct _WIN_MODULE_UNIQUE_KEY PWIN_MODULE_UNIQUE_KEY |
| typedef struct _WIN_UNEXPORTED_FUNCTION * PWIN_UNEXPORTED_FUNCTION |
| typedef struct _WIN_UNEXPORTED_FUNCTION_PATTERN * PWIN_UNEXPORTED_FUNCTION_PATTERN |
| typedef struct _WINDOWS_GUEST * PWINDOWS_GUEST |
| typedef struct _WIN_INIT_SWAP WIN_INIT_SWAP |
The initialization swap handle.
These are used to read WINDOWS_GUEST.KernelBuffer.
| typedef struct _WIN_MODULE_UNIQUE_KEY WIN_MODULE_UNIQUE_KEY |
Information that can identify a module.
This can be used to obtain a PDB for a module.
| typedef struct _WIN_UNEXPORTED_FUNCTION WIN_UNEXPORTED_FUNCTION |
Describes a function that is not exported.
This structure has a variable length
| typedef struct _WIN_UNEXPORTED_FUNCTION_PATTERN WIN_UNEXPORTED_FUNCTION_PATTERN |
Describes a pattern for a kernel function that is not exported.
Functions that are not exported can not be found by name, so we search them by a pattern
| typedef struct _WINDOWS_GUEST WINDOWS_GUEST |
Holds information about a Windows guest.
| enum OBJ_DISCOVERY_TYPE |
Describes the mode in which a kernel object was found.
| Enumerator | |
|---|---|
| FLAG_STATIC_DETECTION | The object was detected after it was created. This usually implies a memory scan of some type. |
| FLAG_DYNAMIC_DETECTION | The object was detected when it was created. |
Definition at line 145 of file winguest.h.
Protected kernel module types.
| Enumerator | |
|---|---|
| winModNone | Invalid. |
| winModCore | Core Windows kernel modules. |
| winModAntivirus | Antivirus modules. |
| winModCitrix | Xen-specific Citrix modules. |
Definition at line 115 of file winguest.h.
| enum WIN_PRODUCT_TYPE |
The type of the Windows OS.
This is equivalent to the _NT_PRODUCT_TYPE enum found inside the Windows kernel.
Definition at line 795 of file winguest.h.
| INTSTATUS IntWinGetVersionString | ( | DWORD | FullStringSize, |
| DWORD | VersionStringSize, | ||
| CHAR * | FullString, | ||
| CHAR * | VersionString | ||
| ) |
Gets the version string for a Windows guest.
| [in] | FullStringSize | The size of the FullString buffer |
| [in] | VersionStringSize | The size of the VersionString buffer |
| [out] | FullString | A NULL-terminated string containing detailed version information |
| [out] | VersionString | A NULL-terminated string containing human-readable version information |
| INT_STATUS_SUCCESS | in case of success |
| INT_STATUS_NOT_READY | if the information is not yet available |
| INT_STATUS_DATA_BUFFER_TOO_SMALL | if any of the buffers is not large enough |
Definition at line 2650 of file winguest.c.
Referenced by IntGetVersionString().
| void IntWinGuestCancelKernelRead | ( | void | ) |
Cancels the kernel read.
This function cancels all the pending page faults that were scheduled in order to read the WINDOWS_GUEST.KernelBuffer.
Definition at line 607 of file winguest.c.
Referenced by IntGuestPrepareUninit(), and IntWinGuestNew().
| INTSTATUS IntWinGuestInit | ( | void | ) |
Initializes a new Windows guest.
Any operations that should be done after basic information about the guest is obtained should be done here. Breakpoint exits are enabled here and not in IntCallbacksInit where all the other events are enabled because activating the break point exits earlier may cause a slow boot on Linux OS so this activation step is done by each OS as a custom step in the initialization phase.
Definition at line 641 of file winguest.c.
Referenced by IntWinGuestNew().
| INTSTATUS IntWinGuestNew | ( | void | ) |
Starts the initialization and protection process for a new Windows guest.
This will find the base of the kernel, initiate the WINDOWS_GUEST.KernelBuffer read, will start to look for relevant kernel objects, variables, and functions and will activate protection when every needed piece of information is known. The initialization depends on the value of the syscall MSR (for 64-bit guests) or the sysenter MSR (for 32-bit guests) as it will point inside the kernel image and we need a valid address that points somewhere inside the kernel image. Parts of the initialization may be done asynchronously.
| INT_STATUS_SUCCESS | in case of success |
| INT_STATUS_NOT_INITIALIZED | if the sysenter or syscall MSR does not point inside the kernel space |
| INT_STATUS_INSUFFICIENT_RESOURCES | if not enough memory is available |
Definition at line 2346 of file winguest.c.
Referenced by IntGuestHandleCr3Write().
| void IntWinGuestUninit | ( | void | ) |
Uninits a Windows guest.
This will run the uninit routines for all the Windows subsystems and will also free any resources held by the WINDOWS_GUEST state. After this function returns, the GuestInitialized field of gGuest will be set to False.
Definition at line 671 of file winguest.c.
Referenced by IntGuestUninit().
1.8.13