doxygen/html/winpower_8c_source.html

 /*
  * Copyright (c) 2020 Bitdefender
  * SPDX-License-Identifier: Apache-2.0
  */
 #include "winpower.h"
 #include "guests.h"
 #include "ptfilter.h"
 #include "vecore.h"
 #include "winagent.h"


 static INTRO_POWER_STATE
 IntWinPowFromGuestToIntroPowState(
     _In_ DWORD GuestPowerAction,
     _In_ DWORD GuestPowerState
     )
 {
     // Shutdown: action is "shutdown" or "shutdown off" and state different from hibernate (can be sleep)
     if ((GuestPowerAction == PowerActionShutdown ||
          GuestPowerAction == PowerActionShutdownOff) &&
         GuestPowerState != PowerSystemHibernate)
     {
         return intPowStateShutdown;
     }

     // Reset: power action is reset (we don't care about requested power state, as there is not an edge case
     // like "pressing restart" but system enters on hibernate)
     if (GuestPowerAction == PowerActionShutdownReset)
     {
         return intPowStateReboot;
     }

     // Sleep: action must be sleep and the requested power state must be sleep
     if (GuestPowerAction == PowerActionSleep &&
         GuestPowerState >= PowerSystemSleeping1 &&
         GuestPowerState <= PowerSystemSleeping3)
     {
         return intPowStateSleeping;
     }

     // Hibernate: action can be hibernate/shutdown/shutdown off and the requested power state must be hibernate
     if ((GuestPowerAction == PowerActionHibernate ||
          GuestPowerAction == PowerActionShutdown ||
          GuestPowerAction == PowerActionShutdownOff ||
          GuestPowerAction == PowerActionSleep) &&
         GuestPowerState == PowerSystemHibernate)
     {
         return intPowStateHibernate;
     }

     WARNING("[WARNING] Unknown power action/reason: %d %d!\n", GuestPowerAction, GuestPowerState);

     return intPowStateUnknown;
 }


 static INTSTATUS
 IntWinPowGetRequestedPowerState(
     _Out_ DWORD *RequestedPowerAction,
     _Out_ DWORD *RequestedPowerState
     )
 {
     if (gGuest.Guest64)
     {
         *RequestedPowerState = (DWORD)gVcpu->Regs.Rdx;
         *RequestedPowerAction = (DWORD)gVcpu->Regs.Rcx;
         return INT_STATUS_SUCCESS;
     }
     else
     {
         DWORD buffer[2];
         INTSTATUS status;

         status = IntKernVirtMemRead(gVcpu->Regs.Rsp + 0x4, 8, buffer, NULL);
         if (!INT_SUCCESS(status))
         {
             return status;
         }

         *RequestedPowerAction = buffer[0];
         *RequestedPowerState = buffer[1];

         return INT_STATUS_SUCCESS;
     }
 }


 INTSTATUS
 IntWinPowEnableSpinWait(
     void
     )

 {
     INTSTATUS status = INT_STATUS_SUCCESS;
     BYTE hkbuff[4] = { 0xf3, 0x90, 0xeb, 0xfc };

     LOG("[POW-SPIN-WAIT] IntWinPowEnableSpinWait called!\n");

     IntPauseVcpus();

     // 0x6 is the address after the hypercall, where the spinwait is taking place
     // if the handler is ever changed, this must also be changed!
     status = IntDetModifyPublicData(detTagPowerState, hkbuff, sizeof(hkbuff), "spinwait");
     if (!INT_SUCCESS(status))
     {
         ERROR("[ERROR] IntDetModifyPublicData failed: 0x%08x\n", status);
     }

     IntResumeVcpus();

     return status;
 }


 INTSTATUS
 IntWinPowDisableSpinWait(
     void
     )
 {
     INTSTATUS status;
     BYTE nopbuff[4] = { 0x66, 0x90, 0x66, 0x90 };

     LOG("[POW-SPIN-WAIT] IntWinPowDisableSpinWait called!\n");

     IntPauseVcpus();

     // 0x6 is the address after the hypercall, where the spinwait is taking place
     // if the handler is ever changed, this must also be changed!
     status = IntDetModifyPublicData(detTagPowerState, nopbuff, sizeof(nopbuff), "spinwait");
     if (!INT_SUCCESS(status))
     {
         ERROR("[ERROR] IntDetModifyPublicData failed: 0x%08x\n", status);
     }

     IntResumeVcpus();

     return status;
 }


 static INTSTATUS
 IntWinPowHandleEventCommon(
     _In_ INTRO_POWER_STATE PowerState
     )
 {
     // Init to not needed hint, so we don't call IntWinPowEnableSpinWait in case INTRO_OPT_IN_GUEST_PT_FILTER
     // or INTRO_OPT_VE is not set
     INTSTATUS status = INT_STATUS_NOT_NEEDED_HINT;

     if (PowerState == intPowStateUnknown)
     {
         return INT_STATUS_NOT_NEEDED_HINT;
     }

     // INTRO_OPT_IN_GUEST_PT_FILTER and INTRO_OPT_VE are mutually exclusive (this is enforced in IntNewGuestNotification
     // and IntGuestUpdateCoreOptions
     if (gGuest.CoreOptions.Current & INTRO_OPT_IN_GUEST_PT_FILTER)
     {
         LOG("Removing the PT Filter due to power state change...\n");
         status = IntPtiRemovePtFilter(AG_OPT_INJECT_ON_RIP_POWSTATE_CHANGE);
     }
     else if (gGuest.CoreOptions.Current & INTRO_OPT_VE)
     {
         LOG("Removing the #VE Agent due to power state change...\n");
         status = IntVeRemoveAgent(AG_OPT_INJECT_ON_RIP_POWSTATE_CHANGE);
     }

     if (!INT_SUCCESS(status))
     {
         ERROR("[ERROR] IntPtiRemovePtFilter/IntVeRemoveAgent failed: 0x%08x (options: %016llx)\n",
               status, gGuest.CoreOptions.Current);
     }
     else if (INT_STATUS_NOT_NEEDED_HINT != status)
     {
         // if the unloader was deployed then enable the spinwait
         status = IntWinPowEnableSpinWait();
         if (!INT_SUCCESS(status))
         {
             ERROR("[ERROR] IntWinPowEnableSpinWait failed: 0x%08x\n", status);
         }
     }

     return status;
 }


 static void
 IntWinPowHandleHibernateEvent(
     void
     )
 {
     // Set this on TRUE because in this way we'll block other APIs
     gGuest.EnterHibernate = TRUE;

     IntGuestUpdateCoreOptions(0);
 }


 INTSTATUS
 IntWinPowHandlePowerStateChange(
     _In_ void *Detour
     )
 {
     INTSTATUS status = INT_STATUS_SUCCESS;
     DWORD requestedPowerState;
     DWORD requestedPowerAction;
     INTRO_POWER_STATE internalPowerState;

     UNREFERENCED_PARAMETER(Detour);

     status = IntWinPowGetRequestedPowerState(&requestedPowerAction, &requestedPowerState);
     if (!INT_SUCCESS(status))
     {
         ERROR("[ERROR] We could not get the requested power state!");
         return status;
     }

     LOG("[POWER-STATE] Entering power state %d, action %d\n", requestedPowerState, requestedPowerAction);

     // For power-state >= sleep, we should disable the PT filter as the following might happen inside the guest:
     // 1. Guest is hybrid sleeping -> it will unmap the PT filter agent, so a BSOD will occur
     // 2. Guest is hibernating -> the agent will remain inside the guest and a BSOD will most likely occur at resume
     //                            also, the name of the patched processes must be restored

     internalPowerState = IntWinPowFromGuestToIntroPowState(requestedPowerAction, requestedPowerState);

     // First do the common handling, then handle more specifically depending on which power state guest tries to get in
     status = IntWinPowHandleEventCommon(internalPowerState);
     if (!INT_SUCCESS(status))
     {
         ERROR("[ERROR] IntWinPowHandleEventCommon failed: 0x%08x\n", status);
     }

     LOG("[POWER-STATE] Internal power state: %d\n", internalPowerState);

     switch (internalPowerState)
     {
     case intPowStateSleeping:
     case intPowStateShutdown:
     case intPowStateReboot:
     case intPowStateUnknown:
     {
         // We have nothing to do for now
         break;
     }
     case intPowStateHibernate:
     {
         IntWinPowHandleHibernateEvent();

         break;
     }
     default:
     {
         ERROR("[ERROR] Power state %d requested, but we don't have any callback for it!\n", requestedPowerState);
         return INT_STATUS_NOT_FOUND;
     }
     }

     return INT_STATUS_SUCCESS;
 }
_Out_
#define _Out_
Definition: intro_sal.h:22

IntWinPowHandlePowerStateChange
INTSTATUS IntWinPowHandlePowerStateChange(void *Detour)
Detour callback which is called whenever NtSetSystemPowerState is called, resulting in a hypercall to...
Definition: winpower.c:273

INTRO_OPT_VE
#define INTRO_OPT_VE
Enable the Virtualization exception page table access pre-filtering agent (64-bit Windows only)...
Definition: intro_types.h:475

PowerActionHibernate
Definition: wddefs.h:1807

IntWinPowEnableSpinWait
INTSTATUS IntWinPowEnableSpinWait(void)
This function is called in order to re-enable spin waiting in the handler after it was previously dis...
Definition: winpower.c:137

PowerSystemSleeping1
Definition: wddefs.h:1789

BYTE
uint8_t BYTE
Definition: intro_types.h:47

_VCPU_STATE::Regs
IG_ARCH_REGS Regs
The current state of the guest registers.
Definition: guests.h:95

_In_
#define _In_
Definition: intro_sal.h:21

INT_STATUS_SUCCESS
#define INT_STATUS_SUCCESS
Definition: introstatus.h:54

IntWinPowFromGuestToIntroPowState
static INTRO_POWER_STATE IntWinPowFromGuestToIntroPowState(DWORD GuestPowerAction, DWORD GuestPowerState)
Converts in-guest parameters given to NtSetSystemPowerState to an internal introspection used power s...
Definition: winpower.c:42

IntWinPowDisableSpinWait
INTSTATUS IntWinPowDisableSpinWait(void)
This function is called in order to disable spin waiting after everything we needed to be unloaded wa...
Definition: winpower.c:170

PowerActionShutdown
Definition: wddefs.h:1808

INT_SUCCESS
#define INT_SUCCESS(Status)
Definition: introstatus.h:42

IntResumeVcpus
INTSTATUS IntResumeVcpus(void)
Resumes the VCPUs previously paused with IntPauseVcpus.
Definition: introcore.c:2355

intPowStateHibernate
The guest is about to enter hibernate (S4).
Definition: winpower.h:18

_IG_ARCH_REGS::Rdx
QWORD Rdx
Definition: glueiface.h:34

INT_STATUS_NOT_NEEDED_HINT
#define INT_STATUS_NOT_NEEDED_HINT
Definition: introstatus.h:317

ERROR
#define ERROR(fmt,...)
Definition: glue.h:62

INTSTATUS
int INTSTATUS
The status data type.
Definition: introstatus.h:24

INT_STATUS_NOT_FOUND
#define INT_STATUS_NOT_FOUND
Definition: introstatus.h:284

intPowStateSleeping
The guest is about to enter a sleep state (S1, S2, S3).
Definition: winpower.h:17

IntPauseVcpus
INTSTATUS IntPauseVcpus(void)
Pauses all the guest VCPUs.
Definition: introcore.c:2320

LOG
#define LOG(fmt,...)
Definition: glue.h:61

guests.h

_IG_ARCH_REGS::Rsp
QWORD Rsp
Definition: glueiface.h:36

AG_OPT_INJECT_ON_RIP_POWSTATE_CHANGE
#define AG_OPT_INJECT_ON_RIP_POWSTATE_CHANGE
Definition: winagent.h:17

IntWinPowGetRequestedPowerState
static INTSTATUS IntWinPowGetRequestedPowerState(DWORD *RequestedPowerAction, DWORD *RequestedPowerState)
Gets the parameters of NtSetSystemPowerState depending on OS architecture.
Definition: winpower.c:96

PowerActionShutdownOff
Definition: wddefs.h:1810

IntDetModifyPublicData
INTSTATUS IntDetModifyPublicData(DETOUR_TAG Tag, void const *Data, DWORD DataSize, char const *PublicDataName)
Modifies public parts of a detour handler.
Definition: detours.c:1751

_GUEST_STATE::Guest64
BOOLEAN Guest64
True if this is a 64-bit guest, False if it is a 32-bit guest.
Definition: guests.h:290

_INTRO_PROT_OPTIONS::Current
QWORD Current
The currently used options.
Definition: guests.h:236

TRUE
#define TRUE
Definition: intro_types.h:30

IntVeRemoveAgent
INTSTATUS IntVeRemoveAgent(DWORD AgOpts)
Removes the VE agent from guest memory.
Definition: vecore.c:2116

intPowStateUnknown
The state is not among the known combinations or it is unused by the introspection engine...
Definition: winpower.h:16

detTagPowerState
Definition: detours.h:149

WARNING
#define WARNING(fmt,...)
Definition: glue.h:60

ptfilter.h

IntWinPowHandleHibernateEvent
static void IntWinPowHandleHibernateEvent(void)
Callback called when the change of guest power state to hibernate occurs.
Definition: winpower.c:258

UNREFERENCED_PARAMETER
#define UNREFERENCED_PARAMETER(P)
Definition: introdefs.h:29

intPowStateReboot
The guest is about to reboot.
Definition: winpower.h:19

DWORD
uint32_t DWORD
Definition: intro_types.h:49

vecore.h

PowerActionSleep
Definition: wddefs.h:1806

INTRO_POWER_STATE
enum _INTRO_POWER_STATE INTRO_POWER_STATE
Detected guest power states.

_GUEST_STATE::EnterHibernate
BOOLEAN EnterHibernate
True if the guest is entering into hibernate.
Definition: guests.h:319

intPowStateShutdown
Definition: winpower.h:20

gGuest
GUEST_STATE gGuest
The current guest state.
Definition: guests.c:50

winagent.h

_IG_ARCH_REGS::Rcx
QWORD Rcx
Definition: glueiface.h:33

IntKernVirtMemRead
INTSTATUS IntKernVirtMemRead(QWORD KernelGva, DWORD Length, void *Buffer, DWORD *RetLength)
Reads data from a guest kernel virtual memory range.
Definition: introcore.c:674

IntWinPowHandleEventCommon
static INTSTATUS IntWinPowHandleEventCommon(INTRO_POWER_STATE PowerState)
This function will be called on any power state change event. Everything that we want to uninit on ev...
Definition: winpower.c:201

IntPtiRemovePtFilter
INTSTATUS IntPtiRemovePtFilter(DWORD AgOpts)
Removes the PT filter.
Definition: ptfilter.c:1736

gVcpu
VCPU_STATE * gVcpu
The state of the current VCPU.
Definition: guests.c:59

IntGuestUpdateCoreOptions
void IntGuestUpdateCoreOptions(QWORD NewOptions)
Updates Introcore options.
Definition: guests.c:1426

INTRO_OPT_IN_GUEST_PT_FILTER
#define INTRO_OPT_IN_GUEST_PT_FILTER
Enable in-guest page-table filtering (64-bit Windows only).
Definition: intro_types.h:461

PowerSystemSleeping3
Definition: wddefs.h:1791

PowerSystemHibernate
Definition: wddefs.h:1792

_GUEST_STATE::CoreOptions
INTRO_PROT_OPTIONS CoreOptions
The activation and protection options for this guest.
Definition: guests.h:271

winpower.h

PowerActionShutdownReset
Definition: wddefs.h:1809