Bitdefender Hypervisor Memory Introspection
winpool.h
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2020 Bitdefender
3  * SPDX-License-Identifier: Apache-2.0
4  */
5 #ifndef _WINPOOL_H_
6 #define _WINPOOL_H_
7 
8 #include "introtypes.h"
9 #include "wddefs.h"
10 
11 
12 // Note: On windows 7, it seems that the most significant bit is used to mark the allocation
13 // as "Protected", thus the tags may or may not have the most significant bit set.
14 #define WIN_POOL_TAG_DRIV 0x76697244
15 #define WIN_POOL_TAG_DRIV2 0xF6697244
16 #define WIN_POOL_TAG_FMFI 0x69664d46
17 #define WIN_POOL_TAG_TOKE 0x656b6f54
18 #define WIN_POOL_TAG_TOKE2 0xe56b6f54
19 
20 INTSTATUS
21 IntWinPoolHandleAlloc(
22  _In_ void *Detour
23  );
24 
25 INTSTATUS
26 IntWinPoolHandleFree(
27  _In_ void *Detour
28  );
29 
30 const POOL_HEADER*
31 IntWinPoolGetPoolHeaderInPage(
32  _In_ const void* Page,
33  _In_ DWORD StartOffset,
34  _In_ DWORD Tag
35  );
36 
37 #endif // _WINPOOL_H_
_In_
#define _In_
Definition: intro_sal.h:21
IntWinPoolGetPoolHeaderInPage
const POOL_HEADER * IntWinPoolGetPoolHeaderInPage(const void *Page, DWORD StartOffset, DWORD Tag)
Search for a pool header with given tag in a buffer.
Definition: winpool.c:160
_POOL_HEADER
Definition: wddefs.h:460
INTSTATUS
int INTSTATUS
The status data type.
Definition: introstatus.h:24
IntWinPoolHandleAlloc
INTSTATUS IntWinPoolHandleAlloc(void *Detour)
Detour callback for ExAllocatePoolWithTag.Handles allocations within a Windows guest, executed using the ExAllocatePoolWithTag API. Basically, it will check the tag of the allocation, and if it identifies an allocation for a driver object or a fast I/O dispatch, it will patch the Size argument of the call so that it's almost a page. This ensures us that critical structures protected by the introspection will be allocated alone in each page, which gives us an enormous performance boost.
Definition: winpool.c:13
IntWinPoolHandleFree
INTSTATUS IntWinPoolHandleFree(void *Detour)
Detour callback for ExFreePoolWithTag.This function handles de-allocation requests executed by the gu...
Definition: winpool.c:106
DWORD
uint32_t DWORD
Definition: intro_types.h:49
Page
VE_CACHE_LINE * Page
Mapped page inside Introspection virtual address space.
Definition: vecore.c:120
wddefs.h
Contains definitions for structures and constants used by the Windows kernel.