Bitdefender Hypervisor Memory Introspection
winguest_supported.c
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2020 Bitdefender
3  * SPDX-License-Identifier: Apache-2.0
4  */
5 #include "winguest_supported.h"
6 #include "guests.h"
7 #include "winpe.h"
8 #include "update_guests.h"
9 
10 
11 INTSTATUS
12 IntWinGuestIsSupported(
13  void
14  )
24 {
25  INTSTATUS status;
26 
27  LOG("Searching for an OS with NtBuildNUmber = %d and kpti = %d\n", gGuest.OSVersion, gGuest.KptiInstalled);
28 
29  status = IntCamiLoadSection(CAMI_SECTION_HINT_SUPPORTED_OS | CAMI_SECTION_HINT_WINDOWS);
30  if (!INT_SUCCESS(status))
31  {
32  ERROR("[ERROR] Failed to fetch valid Os info for %d: 0x%08x\n", gGuest.OSVersion, status);
33  return status;
34  }
35 
36  gGuest.SafeToApplyOptions = TRUE;
37 
38  return INT_STATUS_SUCCESS;
39 }
40 
41 
42 BOOLEAN
43 IntWinGuestIsIncreasedUserVa(
44  void
45  )
52 {
53  INTSTATUS status;
54  QWORD expGva = 0;
55  DWORD value = 0;
56 
57  if (gGuest.Guest64)
58  {
59  return FALSE;
60  }
61 
62  status = IntPeFindKernelExport("MmHighestUserAddress", &expGva);
63  if (!INT_SUCCESS(status))
64  {
65  WARNING("[WARNING] Failed to find MmHighestUserAddress: %08x\n", status);
66  return FALSE;
67  }
68 
69  status = IntKernVirtMemFetchDword(expGva, &value);
70  if (!INT_SUCCESS(status))
71  {
72  WARNING("[WARNING] Failed to read MmHighestUserAddress value!\n");
73  return FALSE;
74  }
75 
76  LOG("[INTRO-INIT] Found MmHighestUserAddress at GVA 0x%08llx with value 0x%08x\n", expGva, value);
77 
78  return (value >= 2 * ONE_GIGABYTE);
79 }
BOOLEAN
_Bool BOOLEAN
Definition: intro_types.h:58
IntWinGuestIsSupported
INTSTATUS IntWinGuestIsSupported(void)
Load os information from cami.
Definition: winguest_supported.c:12
IntPeFindKernelExport
INTSTATUS IntPeFindKernelExport(const char *Name, QWORD *ExportGva)
Find an export inside the NT kernel image.
Definition: winpe.c:1748
INT_STATUS_SUCCESS
#define INT_STATUS_SUCCESS
Definition: introstatus.h:54
winguest_supported.h
INT_SUCCESS
#define INT_SUCCESS(Status)
Definition: introstatus.h:42
_GUEST_STATE::SafeToApplyOptions
BOOLEAN SafeToApplyOptions
True if the current options can be changed dynamically.
Definition: guests.h:294
ERROR
#define ERROR(fmt,...)
Definition: glue.h:62
INTSTATUS
int INTSTATUS
The status data type.
Definition: introstatus.h:24
_GUEST_STATE::OSVersion
DWORD OSVersion
Os version.
Definition: guests.h:281
CAMI_SECTION_HINT_SUPPORTED_OS
Section will contain information about a supported OS.
Definition: update_guests.h:42
LOG
#define LOG(fmt,...)
Definition: glue.h:61
IntKernVirtMemFetchDword
INTSTATUS IntKernVirtMemFetchDword(QWORD GuestVirtualAddress, DWORD *Data)
Reads 4 bytes from the guest kernel memory.
Definition: introcore.c:829
_GUEST_STATE::Guest64
BOOLEAN Guest64
True if this is a 64-bit guest, False if it is a 32-bit guest.
Definition: guests.h:290
QWORD
unsigned long long QWORD
Definition: intro_types.h:53
TRUE
#define TRUE
Definition: intro_types.h:30
update_guests.h
Exposes the definitions used by the CAMI parser and the functions used to load guest support informat...
WARNING
#define WARNING(fmt,...)
Definition: glue.h:60
DWORD
uint32_t DWORD
Definition: intro_types.h:49
IntWinGuestIsIncreasedUserVa
BOOLEAN IntWinGuestIsIncreasedUserVa(void)
Check if the guest has an increased user address space.
Definition: winguest_supported.c:43
gGuest
GUEST_STATE gGuest
The current guest state.
Definition: guests.c:50
CAMI_SECTION_HINT_WINDOWS
Section will contain windows related information.
Definition: update_guests.h:47
_GUEST_STATE::KptiInstalled
BOOLEAN KptiInstalled
True if KPTI was detected as installed (not necessarily active).
Definition: guests.h:292
ONE_GIGABYTE
#define ONE_GIGABYTE
Definition: introdefs.h:91
IntCamiLoadSection
INTSTATUS IntCamiLoadSection(DWORD CamiSectionHint)
Load CAMI objects from section with given hint.
Definition: update_guests.c:1565
FALSE
#define FALSE
Definition: intro_types.h:34