#include "introtypes.h"
#include "wddefs.h"

Functions
INTSTATUS	IntWinPoolHandleAlloc (void *Detour)
	Detour callback for ExAllocatePoolWithTag.Handles allocations within a Windows guest, executed using the ExAllocatePoolWithTag API. Basically, it will check the tag of the allocation, and if it identifies an allocation for a driver object or a fast I/O dispatch, it will patch the Size argument of the call so that it's almost a page. This ensures us that critical structures protected by the introspection will be allocated alone in each page, which gives us an enormous performance boost. More...

INTSTATUS	IntWinPoolHandleFree (void *Detour)
	Detour callback for ExFreePoolWithTag.This function handles de-allocation requests executed by the guest. It will check the list of hooked structures to check if any of the structures is being de-allocated, in which case, it will remove the EPT protection on that structure. More...

const POOL_HEADER *	IntWinPoolGetPoolHeaderInPage (const void *Page, DWORD StartOffset, DWORD Tag)
	Search for a pool header with given tag in a buffer. More...

Macro Definition Documentation

◆ WIN_POOL_TAG_DRIV

#define WIN_POOL_TAG_DRIV 0x76697244

Definition at line 14 of file winpool.h.

#define WIN_POOL_TAG_DRIV2 0xF6697244

Definition at line 15 of file winpool.h.

#define WIN_POOL_TAG_FMFI 0x69664d46

Definition at line 16 of file winpool.h.

#define WIN_POOL_TAG_TOKE 0x656b6f54

Definition at line 17 of file winpool.h.

#define WIN_POOL_TAG_TOKE2 0xe56b6f54

Definition at line 18 of file winpool.h.

const POOL_HEADER* IntWinPoolGetPoolHeaderInPage	(	const void *	Page,
		DWORD	StartOffset,
		DWORD	Tag
	)

Search for a pool header with given tag in a buffer.

Will simply iterate the map in a backwards direction, checking if any memory blocks resemble a nt!_POOL_HEADER and matches the given pool tag

Parameters

[in]	Page	Pointer to a mapped guest page.
[in]	StartOffset	Offset in given page from where to begin searching.
[in]	Tag	Pool tag to match.

Definition at line 160 of file winpool.c.