Bitdefender Hypervisor Memory Introspection
winpfn.h File Reference
#include "introtypes.h"

Data Structures

struct  _WIN_PFN_LOCK
 A PFN lock.

Macros

#define WIN_PFN_INC_VALUE   0xbd
 The value used to increment the reference counter of a PFN database entry.

#define WIN_PFN_REF_MAX   0xffff
 The maximum value we allow a PFN reference counter to reach.

#define WIN_PFN_GET_STRUCT_VA(MmPfn, Gpa)
 Get the address of a guest _MMPFN structure.

Typedefs

typedef struct _WIN_PFN_LOCK WIN_PFN_LOCK
 A PFN lock.

typedef struct _WIN_PFN_LOCK * PWIN_PFN_LOCK

Enumerations

enum  WIN_PFN_PAGE_LOCATION {
  WinPfnZeroPage = 0, WinPfnFreePage, WinPfnStandbyPage, WinPfnModifiedPage,
  WinPfnModifiedNowritePage, WinPfnBadPage, WinPfnActivePage, WinPfnTransitionPage
}
 Page location value, as defined by the _MMLISTS kernel enum.

Functions

INTSTATUS IntWinPfnIsMmPfnDatabase (QWORD MmPfnDatabase)
 Checks if a guest virtual address points to MmPfnDatabase.

INTSTATUS IntWinPfnLockGva (QWORD Gva, WIN_PFN_LOCK **PfnLock)
 Locks a guest virtual address.

INTSTATUS IntWinPfnLockGpa (QWORD Gpa, WIN_PFN_LOCK **PfnLock)
 Locks a guest physical address.

INTSTATUS IntWinPfnRemoveLock (WIN_PFN_LOCK *PfnLock, BOOLEAN Force)
 Removes a PFN lock.

void IntWinPfnDump (void)
 Prints all the PFN locks.

void IntWinPfnUnInit (void)
 Uninits the PFN locks.

Macro Definition Documentation

◆ WIN_PFN_GET_STRUCT_VA

#define WIN_PFN_GET_STRUCT_VA(MmPfn, Gpa)

Value:
((MmPfn) + \
WIN_KM_FIELD(Mmpfn, Size) : WIN_KM_FIELD(Mmpfn, PaeSize)) * ((Gpa) >> 12)))

Symbols referenced by the value:
BOOLEAN PaeEnabled: True if Physical Address Extension is enabled. Definition: guests.h:295
BOOLEAN Guest64: True if this is a 64-bit guest, False if it is a 32-bit guest. Definition: guests.h:290
#define WIN_KM_FIELD(Structure, Field): Macro used to access kernel mode fields inside the WIN_OPAQUE_FIELDS structure. Definition: winguest.h:740
GUEST_STATE gGuest: The current guest state. Definition: guests.c:50

Get the address of a guest _MMPFN structure.

Parameters
[in] MmPfn: The guest virtual address of the MMPFN database.
[in] Gpa: The guest physical address for which to return the _MMPFN address.
Returns
The guest virtual address at which the _MMPFN structure for Gpa is found.

Definition at line 60 of file winpfn.h.

Referenced by DbgDumpPfn(), IntWinPfnIsMmPfnDatabase(), and IntWinPfnModifyRefCount().
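
The address arithmetic this macro documents, as an added stand-alone example (not Introcore code): it maps a guest physical address to the guest virtual address of its _MMPFN entry, and also adds the inverse mapping and a wrap check that are not part of the macro. The `guest_model_t` type, the sample entry sizes and database bases are constructed, and because the selector between `Size` and `PaeSize` is not visible in the value shown above, the example assumes the PAE size applies only to 32-bit guests with PAE enabled.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the gGuest fields and WIN_KM_FIELD(Mmpfn, ...) sizes. */
typedef struct {
    bool Guest64;
    bool PaeEnabled;
    uint32_t MmpfnSize;     /* models WIN_KM_FIELD(Mmpfn, Size)    */
    uint32_t MmpfnPaeSize;  /* models WIN_KM_FIELD(Mmpfn, PaeSize) */
} guest_model_t;

/* Constructed sample guests; the sizes are illustrative, not taken from the page. */
const guest_model_t SAMPLE_X64 = { true, true, 0x30, 0x30 };
const guest_model_t SAMPLE_X86_PAE = { false, true, 0x18, 0x1c };

/* Assumption: PaeSize is used only for 32-bit guests running with PAE. */
static uint64_t entry_size(const guest_model_t *g)
{
    return (g->Guest64 || !g->PaeEnabled) ? g->MmpfnSize : g->MmpfnPaeSize;
}

/* GPA -> GVA of its _MMPFN entry: MmPfn + size * (Gpa >> 12). False on wrap. */
bool pfn_entry_va(const guest_model_t *g, uint64_t mmPfn, uint64_t gpa, uint64_t *va)
{
    uint64_t size = entry_size(g), pfn = gpa >> 12;
    uint64_t limit = g->Guest64 ? UINT64_MAX : UINT32_MAX;
    if (size == 0 || mmPfn > limit || pfn > (limit - mmPfn) / size)
        return false;       /* entry would fall outside the guest address space */
    *va = mmPfn + pfn * size;
    return true;
}

/* Entry GVA -> base GPA of the page it describes. False if not on an entry boundary. */
bool pfn_entry_to_gpa(const guest_model_t *g, uint64_t mmPfn, uint64_t va, uint64_t *gpa)
{
    uint64_t size = entry_size(g);
    if (size == 0 || va < mmPfn || (va - mmPfn) % size != 0)
        return false;
    *gpa = ((va - mmPfn) / size) << 12;
    return true;
}

int main(void)
{
    uint64_t va = 0;        /* base address below is a constructed sample value */
    if (pfn_entry_va(&SAMPLE_X64, 0xFFFFFA8000000000ULL, 0x1234abcULL, &va))
        printf("_MMPFN entry at 0x%llx\n", (unsigned long long)va);
    return 0;
}
```

The inverse mapping is useful when a hook fires on a write inside the PFN database and the affected physical page has to be identified from the faulting address.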

◆ WIN_PFN_INC_VALUE

#define WIN_PFN_INC_VALUE   0xbd

The value used to increment the reference counter of a PFN database entry.

Definition at line 11 of file winpfn.h.

Referenced by IntWinPfnModifyRefCount().

◆ WIN_PFN_REF_MAX

#define WIN_PFN_REF_MAX   0xffff

The maximum value we allow a PFN reference counter to reach.

Definition at line 14 of file winpfn.h.

Referenced by IntWinPfnModifyRefCount().

Typedef Documentation

◆ PWIN_PFN_LOCK

typedef struct _WIN_PFN_LOCK * PWIN_PFN_LOCK

◆ WIN_PFN_LOCK

typedef struct _WIN_PFN_LOCK WIN_PFN_LOCK

A PFN lock.

Enumeration Type Documentation

◆ WIN_PFN_PAGE_LOCATION

Page location value, as defined by the _MMLISTS kernel enum.

While this is an enum, it is important to note that the Windows kernel uses only 4 bits to store this information.

Enumerator
WinPfnZeroPage 

A page from the ZeroedPageList.

WinPfnFreePage 

A page from the FreePageList.

WinPfnStandbyPage 

A page from the StandbyPageList.

WinPfnModifiedPage 

A page from the ModifiedPageList.

WinPfnModifiedNowritePage 

A page from the ModifiedNoWritePageList.

WinPfnBadPage 

A page from the BadPageList.

WinPfnActivePage 

The page is active and valid, but not part of any list (ActiveAndValid).

WinPfnTransitionPage 

A temporary state, while waiting for I/O (TransitionPage).

Definition at line 69 of file winpfn.h.

Function Documentation

◆ IntWinPfnDump()

void IntWinPfnDump (void)

Prints all the PFN locks.

Definition at line 901 of file winpfn.c.

◆ IntWinPfnIsMmPfnDatabase()

INTSTATUS IntWinPfnIsMmPfnDatabase (QWORD MmPfnDatabase)

Checks if a guest virtual address points to MmPfnDatabase.

Parameters
[in] MmPfnDatabase: Guest virtual address to check.
Return values
INT_STATUS_SUCCESS: if the provided address is indeed the MmPfnDataBase.
INT_STATUS_INVALID_OBJECT_TYPE: if it is not.

Definition at line 24 of file winpfn.c.

Referenced by IntWinGuestFindKernelObjectsInternal().

◆ IntWinPfnLockGpa()

INTSTATUS IntWinPfnLockGpa (QWORD Gpa, WIN_PFN_LOCK **PfnLock)

Locks a guest physical address.

Parameters
[in] Gpa: Guest physical address to lock.
[out] PfnLock: On success, will contain a pointer to the lock. May be NULL.
Returns
INT_STATUS_SUCCESS if successful, or an appropriate INTSTATUS error value.

Definition at line 820 of file winpfn.c.

Referenced by IntWinProcLockCr3().

◆ IntWinPfnLockGva()

INTSTATUS IntWinPfnLockGva (QWORD Gva, WIN_PFN_LOCK **PfnLock)

Locks a guest virtual address.

This actually locks the guest physical address to which Gva translates and places a swap hook on the page tables of Gva. If the page is not currently present, it will be locked when it is made present.

Parameters
[in] Gva: Guest virtual address to lock.
[out] PfnLock: On success, will contain a pointer to the lock. May be NULL.
Returns
INT_STATUS_SUCCESS if successful, or an appropriate INTSTATUS error value.

Definition at line 799 of file winpfn.c.

◆ IntWinPfnRemoveLock()

INTSTATUS IntWinPfnRemoveLock (WIN_PFN_LOCK *PfnLock, BOOLEAN Force)

Removes a PFN lock.

This will decrement the Introcore reference counter and only remove the lock when it reaches 0, unless a forced removal is requested.

Parameters
[in,out] PfnLock: Lock to remove. The pointer will no longer be valid after this function returns.
[in] Force: True to remove the lock even if the reference counter is not 0.
Return values
INT_STATUS_SUCCESS: in case of success.
INT_STATUS_NOT_NEEDED_HINT: if the reference counter has not reached 0 and Force is False.
INT_STATUS_INVALID_PARAMETER_1: if PfnLock is NULL.

Definition at line 838 of file winpfn.c.

Referenced by IntWinPfnUnInit(), IntWinProcRemoveProcess(), and IntWinProcUnlockCr3().

◆ IntWinPfnUnInit()

void IntWinPfnUnInit (void)

Uninits the PFN locks.

If any locks are still active when this function is called, they will be forcibly removed using IntWinPfnRemoveLock.

Definition at line 922 of file winpfn.c.

Referenced by IntGuestUninit().