Bitdefender Hypervisor Memory Introspection
winidt.h File Reference
#include "introtypes.h"


Functions

INTSTATUS IntWinIdtProtectOnCpu (DWORD CpuNumber)
 Protects the IDT against writes on a CPU.

INTSTATUS IntWinIdtUnprotectOnCpu (DWORD CpuNumber)
 Removes the IDT write protection for a CPU.

INTSTATUS IntWinIdtProtectAll (void)
 Activates the IDT protection for all the guest CPUs.

INTSTATUS IntWinIdtUnprotectAll (void)
 Removes the IDT protection for all the guest CPUs.

Function Documentation

◆ IntWinIdtProtectAll()

INTSTATUS IntWinIdtProtectAll ( void  )

Activates the IDT protection for all the guest CPUs.

Returns
INT_STATUS_SUCCESS if successful, or an appropriate INTSTATUS error value

Definition at line 559 of file winidt.c.

Referenced by IntGuestUpdateCoreOptions(), and IntWinGuestActivateProtection().

◆ IntWinIdtProtectOnCpu()

INTSTATUS IntWinIdtProtectOnCpu ( DWORD  CpuNumber)

Protects the IDT against writes on a CPU.

On Windows versions older than 16299, and on all 32-bit Windows versions, the integrity mechanism is used. On those versions the IDT and the GDT are placed in the same page, and the GDT is written very often, so an EPT write hook would generate a large number of VMEXITs and cause performance problems. The integrity mechanism does its checks periodically, so it cannot catch a change as soon as it is made, and it cannot consult the exceptions mechanism. On all other Windows versions, an EPT write hook is placed on the IDT. That is possible because on those versions the IDT is in its own page and is not written very often, so the hook is not expected to generate a large number of VMEXITs.

Parameters
[in] CpuNumber: The CPU for which the IDT will be protected. Cannot be IG_CURRENT_VCPU.

Return values
INT_STATUS_SUCCESS: in case of success.
INT_STATUS_INVALID_PARAMETER_2: if CpuNumber is not valid.
INT_STATUS_NOT_INITIALIZED_HINT: if the base of the IDT on the given CPU is not a valid kernel pointer.

Definition at line 479 of file winidt.c.

Referenced by IntDtrHandleWrite(), and IntWinIdtProtectAll().
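
The page-granularity argument in the IntWinIdtProtectOnCpu() description above, as an added example (not HVMI source code): it replays a constructed write trace against a page-level write hook on the IDT, once with the IDT sharing a page with the GDT and once with the IDT in its own page. All type names, function names, addresses and the trace are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12                  /* EPT permissions apply per 4 KiB guest page */
#define IDT_LEN    0x1000u             /* 256 gates x 16 bytes on x64 */
#define GDT_BASE   0xFFFFF80000001000ULL /* constructed address */

/* Hypothetical names for the two mechanisms named in the description. */
typedef enum { IDT_INTEGRITY_CHECK, IDT_EPT_WRITE_HOOK } idt_method_t;
typedef struct { unsigned exits, idt_writes; } hook_cost_t;
/* Selection rule as the description states it. */
idt_method_t choose_idt_method(uint32_t version, bool guest64) {
    return (!guest64 || version < 16299) ? IDT_INTEGRITY_CHECK : IDT_EPT_WRITE_HOOK;
}

/* Replays guest write addresses against a write hook covering every page
 * the IDT touches: any write to such a page exits, IDT-related or not. */
hook_cost_t ept_hook_cost(uint64_t idt, uint32_t len, const uint64_t *w, size_t n) {
    hook_cost_t c = {0, 0};
    uint64_t first = idt >> PAGE_SHIFT, last = (idt + len - 1) >> PAGE_SHIFT;
    for (size_t i = 0; i < n; i++) {
        uint64_t page = w[i] >> PAGE_SHIFT;
        if (page < first || page > last)
            continue;                  /* page not hooked: no VMEXIT */
        c.exits++;
        if (w[i] >= idt && w[i] - idt < len)
            c.idt_writes++;            /* the only exits relevant to IDT protection */
    }
    return c;
}

/* Constructed sample: five writes into a GDT at page offsets below 0x80 and
 * one write into the IDT. Addresses are illustrative, not from a real guest. */
static const uint64_t OLD_IDT = GDT_BASE + 0x80;        /* same page as the GDT */
static const uint64_t NEW_IDT = 0xFFFFF80000003000ULL;  /* page of its own */
static const uint64_t OLD_TRACE[] = { GDT_BASE + 0x40, GDT_BASE + 0x45, GDT_BASE + 0x40,
                                      GDT_BASE + 0x45, GDT_BASE + 0x40, OLD_IDT + 0x2E0 };
static const uint64_t NEW_TRACE[] = { GDT_BASE + 0x40, GDT_BASE + 0x45, GDT_BASE + 0x40,
                                      GDT_BASE + 0x45, GDT_BASE + 0x40, NEW_IDT + 0x2E0 };

int main(void) {
    hook_cost_t a = ept_hook_cost(OLD_IDT, IDT_LEN, OLD_TRACE, 6);
    hook_cost_t b = ept_hook_cost(NEW_IDT, IDT_LEN, NEW_TRACE, 6);
    printf("shared page: %u exits, %u IDT writes\n", a.exits, a.idt_writes);
    printf("own page:    %u exits, %u IDT writes\n", b.exits, b.idt_writes);
    return 0;
}
```

With the shared layout every GDT write costs an exit that says nothing about the IDT; with the IDT in its own page the only exit is the IDT write itself.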

◆ IntWinIdtUnprotectAll()

INTSTATUS IntWinIdtUnprotectAll ( void  )

Removes the IDT protection for all the guest CPUs.

Returns
INT_STATUS_SUCCESS if successful, or an appropriate INTSTATUS error value

Definition at line 590 of file winidt.c.

Referenced by IntGuestUpdateCoreOptions().

◆ IntWinIdtUnprotectOnCpu()

INTSTATUS IntWinIdtUnprotectOnCpu ( DWORD  CpuNumber)

Removes the IDT write protection for a CPU.

Parameters
[in] CpuNumber: The CPU for which the protection is removed. Cannot be IG_CURRENT_VCPU.

Return values
INT_STATUS_SUCCESS: in case of success.
INT_STATUS_INVALID_PARAMETER_2: if CpuNumber is not valid.
INT_STATUS_NOT_INITIALIZED_HINT: if the base of the IDT on the given CPU is not a valid kernel pointer.

Definition at line 524 of file winidt.c.

Referenced by IntDtrHandleWrite(), and IntWinIdtUnprotectAll().