Bitdefender Hypervisor Memory Introspection
#include "winpool.h"
#include "introcore.h"
#include "windrvobj.h"
#include "detours.h"
#include "guests.h"
Functions

INTSTATUS IntWinPoolHandleAlloc (void *Detour)
    Detour callback for ExAllocatePoolWithTag. Handles allocations within a Windows guest that are executed through the ExAllocatePoolWithTag API. It checks the tag of the allocation and, if it identifies an allocation for a driver object or a fast I/O dispatch, patches the Size argument of the call so that it is almost a page. This ensures that critical structures protected by the introspection are allocated alone in their own page, which gives an enormous performance boost.

INTSTATUS IntWinPoolHandleFree (void *Detour)
    Detour callback for ExFreePoolWithTag. Handles de-allocation requests executed by the guest. It checks the list of hooked structures to see whether any of them is being de-allocated, in which case it removes the EPT protection on that structure.

const POOL_HEADER * IntWinPoolGetPoolHeaderInPage (const void *Page, DWORD StartOffset, DWORD Tag)
    Search for a pool header with a given tag in a buffer.
const POOL_HEADER* IntWinPoolGetPoolHeaderInPage ( const void * Page, DWORD StartOffset, DWORD Tag )
Search for a pool header with a given tag in a buffer.
Iterates the mapped page backwards from StartOffset, checking whether any memory block resembles an nt!_POOL_HEADER and matches the given pool tag.
Parameters
    [in] Page         Pointer to a mapped guest page.
    [in] StartOffset  Offset in the given page from where to begin searching.
    [in] Tag          Pool tag to match.
Definition at line 160 of file winpool.c.
Referenced by IntWinTokenPrivsShouldHook().
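As an added illustration (not code from winpool.c or the HVMI project), the C program below performs the kind of backwards scan that IntWinPoolGetPoolHeaderInPage is described as doing: starting at an offset inside a mapped page, it walks back one pool block at a time looking for a header whose tag matches and whose fields are plausible. It assumes the public x64 layout of nt!_POOL_HEADER (16 bytes), a 16-byte pool granularity and a constructed 4 KiB sample page; the function names, the plausibility rules (BlockSize non-zero and fitting in the page, PreviousSize not reaching before the page start) and the sample data are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative backwards scan of one guest page for an nt!_POOL_HEADER with a given tag.
 * Not HVMI code: layout, constants and checks are assumptions made for this example. */

#define GUEST_PAGE_SIZE  4096u
#define POOL_GRANULARITY 16u   /* x64: BlockSize and PreviousSize count 16-byte units */

/* Assumed x64 layout of nt!_POOL_HEADER (16 bytes), as seen in public symbol dumps. */
typedef struct _POOL_HEADER {
    uint8_t  PreviousSize;   /* size of the preceding block, in POOL_GRANULARITY units */
    uint8_t  PoolIndex;
    uint8_t  BlockSize;      /* size of this block including the header, in units */
    uint8_t  PoolType;
    uint32_t PoolTag;        /* four ASCII characters as stored in memory, e.g. 'Driv' */
    uint64_t ProcessBilled;
} POOL_HEADER;

/* Pack a four-character tag the way it sits in guest memory ("Driv" -> 0x76697244). */
uint32_t PoolTag(const char tag[4])
{
    return (uint32_t)(uint8_t)tag[0]       | (uint32_t)(uint8_t)tag[1] << 8 |
           (uint32_t)(uint8_t)tag[2] << 16 | (uint32_t)(uint8_t)tag[3] << 24;
}

/* Sanity rules for a candidate header at page offset 'off' (this example's own rules). */
static int LooksLikePoolHeader(const POOL_HEADER *hdr, size_t off, uint32_t tag)
{
    if (hdr->PoolTag != tag)
        return 0;
    if (hdr->BlockSize == 0)                                         /* empty block: never valid */
        return 0;
    if ((size_t)hdr->BlockSize * POOL_GRANULARITY > GUEST_PAGE_SIZE - off) /* would leave the page */
        return 0;
    if ((size_t)hdr->PreviousSize * POOL_GRANULARITY > off)          /* previous block before page start */
        return 0;
    return 1;
}

/* Walk backwards from StartOffset, one pool block at a time, until a plausible header matches. */
const POOL_HEADER *FindPoolHeaderInPage(const void *Page, size_t StartOffset, uint32_t Tag)
{
    const uint8_t *base = (const uint8_t *)Page;
    size_t off;

    if (StartOffset > GUEST_PAGE_SIZE - sizeof(POOL_HEADER))
        StartOffset = GUEST_PAGE_SIZE - sizeof(POOL_HEADER);
    /* Pool blocks start on granularity boundaries, so only those offsets are candidates. */
    off = StartOffset & ~(size_t)(POOL_GRANULARITY - 1);

    for (;;) {
        POOL_HEADER hdr;
        memcpy(&hdr, base + off, sizeof hdr);   /* copy out: avoids unaligned struct access */
        if (LooksLikePoolHeader(&hdr, off, Tag))
            return (const POOL_HEADER *)(base + off);
        if (off == 0)
            break;
        off -= POOL_GRANULARITY;
    }
    return NULL;
}

static void PutHeader(uint8_t *page, size_t off, const char tag[4], uint8_t prev, uint8_t size)
{
    POOL_HEADER h;
    memset(&h, 0, sizeof h);
    h.PreviousSize = prev;
    h.BlockSize    = size;
    h.PoolType     = 1;          /* NonPagedPool */
    h.PoolTag      = PoolTag(tag);
    memcpy(page + off, &h, sizeof h);
}

/* Constructed sample page: a 'Driv' block at 0x40 (256 bytes), a 'Fast' block right after it at
 * 0x140, and at 0x70 a stray copy of the 'Driv' tag whose BlockSize cannot fit in the page. */
void BuildSamplePage(uint8_t *page)
{
    memset(page, 0, GUEST_PAGE_SIZE);
    PutHeader(page, 0x40,  "Driv", 4,    0x10);
    PutHeader(page, 0x140, "Fast", 0x10, 0x8);
    PutHeader(page, 0x70,  "Driv", 0,    0xFF);   /* decoy: 255 * 16 bytes would run past the page */
}

/* Offset of the match inside the sample page, or -1 when nothing plausible is found. */
long ScanSamplePage(size_t StartOffset, const char tag[4])
{
    static uint8_t page[GUEST_PAGE_SIZE];
    const POOL_HEADER *hdr;
    BuildSamplePage(page);
    hdr = FindPoolHeaderInPage(page, StartOffset, PoolTag(tag));
    return hdr ? (long)((const uint8_t *)hdr - page) : -1;
}

int main(void)
{
    printf("'Driv' from 0x80  -> %ld\n", ScanSamplePage(0x80,  "Driv"));  /* 64: decoy at 0x70 skipped */
    printf("'Fast' from 0x80  -> %ld\n", ScanSamplePage(0x80,  "Fast"));  /* -1: block lies above start */
    printf("'Fast' from 0x200 -> %ld\n", ScanSamplePage(0x200, "Fast"));  /* 320 */
    return 0;
}
```

The decoy at 0x70 is the case worth noticing: matching the four tag bytes alone would return the wrong address, so the scan only accepts a header whose block fits between its own offset and the end of the page and whose PreviousSize does not point before the page start. That is also why the search runs backwards from the offset of interest: the header of the block containing that offset is the first plausible match encountered.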