- Generated by
1.8.13
|
Bitdefender Hypervisor Memory Introspection
|
#include "winpool.h"#include "introcore.h"#include "windrvobj.h"#include "detours.h"#include "guests.h"Go to the source code of this file.
Functions | |
| INTSTATUS | IntWinPoolHandleAlloc (void *Detour) |
| Detour callback for ExAllocatePoolWithTag.Handles allocations within a Windows guest, executed using the ExAllocatePoolWithTag API. Basically, it will check the tag of the allocation, and if it identifies an allocation for a driver object or a fast I/O dispatch, it will patch the Size argument of the call so that it's almost a page. This ensures us that critical structures protected by the introspection will be allocated alone in each page, which gives us an enormous performance boost. More... | |
| INTSTATUS | IntWinPoolHandleFree (void *Detour) |
| Detour callback for ExFreePoolWithTag.This function handles de-allocation requests executed by the guest. It will check the list of hooked structures to check if any of the structures is being de-allocated, in which case, it will remove the EPT protection on that structure. More... | |
| const POOL_HEADER * | IntWinPoolGetPoolHeaderInPage (const void *Page, DWORD StartOffset, DWORD Tag) |
| Search for a pool header with given tag in a buffer. More... | |
| const POOL_HEADER* IntWinPoolGetPoolHeaderInPage | ( | const void * | Page, |
| DWORD | StartOffset, | ||
| DWORD | Tag | ||
| ) |
Search for a pool header with given tag in a buffer.
Will simply iterate the map in a backwards direction, checking if any memory blocks resemble a nt!_POOL_HEADER and matches the given pool tag
| [in] | Page | Pointer to a mapped guest page. |
| [in] | StartOffset | Offset in given page from where to begin searching. |
| [in] | Tag | Pool tag to match. |
Definition at line 160 of file winpool.c.
Referenced by IntWinTokenPrivsShouldHook().
1.8.13