Bitdefender Hypervisor Memory Introspection

#include "guests.h"

Macros
#define SELF_MAP_ENTRY(Cr3) (CLEAN_PHYS_ADDRESS64(((QWORD)(Cr3))) + gGuest.Mm.SelfMapIndex * 8ull)
    Computes the self map entry physical address based on a given Cr3.
#define SELF_MAP_ENTRY_IS_DETECTION(entry) (((entry) & PT_P) != 0 && ((entry) & PT_US) != 0)
    Decides if a self map entry value is malicious or not.
#define SELF_MAP_ENTRY_VA
    Computes the virtual address at which the self map entry is mapped for this guest.

Typedefs
typedef struct _WIN_PROCESS_OBJECT WIN_PROCESS_OBJECT
typedef struct _WIN_PROCESS_OBJECT *PWIN_PROCESS_OBJECT

Functions
INTSTATUS IntWinSelfMapValidateSelfMapEntries(void)
    Validates the self map entries for every process in the system.
INTSTATUS IntWinSelfMapUnprotectSelfMapIndex(WIN_PROCESS_OBJECT *Process)
    Removes the EPT protection for the self map entry index of a process.
INTSTATUS IntWinSelfMapProtectSelfMapIndex(WIN_PROCESS_OBJECT *Process)
    Protects the self map index of a process by placing an EPT write hook on it.
INTSTATUS IntWinSelfMapDisableSelfMapEntryProtection(void)
    Disables the self map entry protection for all the processes on the system.
INTSTATUS IntWinSelfMapEnableSelfMapEntryProtection(void)
    Enables the self map protection mechanism for the entire system.
INTSTATUS IntWinSelfMapGetAndCheckSelfMapEntry(WIN_PROCESS_OBJECT *Process)
    Sets and validates the self map entry values for a process.
Macro Documentation

#define SELF_MAP_ENTRY(Cr3) (CLEAN_PHYS_ADDRESS64(((QWORD)(Cr3))) + gGuest.Mm.SelfMapIndex * 8ull)
Computes the self map entry physical address based on a given Cr3.
This is done using the self map index value used by the guest for the self mapping mechanism.
Parameters
    [in] Cr3    The Cr3 for which the self map entry physical address is calculated
Definition at line 21 of file winselfmap.h.
Referenced by IntWinSelfMapCheckSelfMapEntry(), IntWinSelfMapGetAndCheckSelfMapEntry(), IntWinSelfMapHandleCr3SelfMapModification(), and IntWinSelfMapProtectSelfMapIndex().
#define SELF_MAP_ENTRY_IS_DETECTION(entry) (((entry) & PT_P) != 0 && ((entry) & PT_US) != 0)
Decides if a self map entry value is malicious or not.
If the entry is present and has the user/supervisor bit set, it is considered to be malicious, as it can be accessed from user mode code.
Parameters
    [in] entry    The self map entry value
Return values
    True     if the value of the entry is suspicious
    False    if the value of the entry is not suspicious
Definition at line 34 of file winselfmap.h.
Referenced by IntWinSelfMapCheckSelfMapEntry(), and IntWinSelfMapHandleCr3SelfMapWrite().
#define SELF_MAP_ENTRY_VA
Computes the virtual address at which the self map entry is mapped for this guest.
This is done using the self map index value used by the guest for the self mapping mechanism.
Definition at line 39 of file winselfmap.h.
Referenced by IntWinSelfMapHandleCr3SelfMapModification(), and IntWinSelfMapHandleCr3SelfMapWrite().
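The three macros above are small, but it helps to see them evaluated on concrete values. The following is an added worked example and not code from the HVMI project: it mirrors SELF_MAP_ENTRY and SELF_MAP_ENTRY_IS_DETECTION with local stand-ins for PT_P, PT_US, CLEAN_PHYS_ADDRESS64 (assumed to mask CR3 down to its page-frame bits) and gGuest.Mm.SelfMapIndex (a sample index of 0x1ED), and it adds an assumed equivalent of SELF_MAP_ENTRY_VA built from the standard x86-64 recursive page-table mapping, since the page does not show that macro's body.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

typedef uint64_t QWORD;

/* x86-64 page-table entry flag bits (architectural values). The project
   refers to them as PT_P and PT_US; these are local stand-ins. */
#define PT_P   0x1ULL   /* bit 0: Present */
#define PT_US  0x4ULL   /* bit 2: User/Supervisor, 1 = reachable from user mode */

/* Assumed local equivalent of CLEAN_PHYS_ADDRESS64: keep the page-frame
   number bits (12..51) and drop the PCID/PWT/PCD bits carried in CR3. */
#define CLEAN_PHYS_ADDRESS64(x) (((QWORD)(x)) & 0x000FFFFFFFFFF000ULL)

/* Stand-in for gGuest.Mm.SelfMapIndex. 0x1ED is a sample value; a real
   introspection engine obtains the index from the guest. */
static QWORD gSelfMapIndex = 0x1EDULL;

/* Mirrors SELF_MAP_ENTRY(Cr3): physical address of the PML4 entry that maps
   the page-table hierarchy onto itself, for the process owning Cr3. */
static QWORD self_map_entry_pa(QWORD cr3)
{
    return CLEAN_PHYS_ADDRESS64(cr3) + gSelfMapIndex * 8ull;
}

/* Mirrors SELF_MAP_ENTRY_IS_DETECTION(entry): a present entry with U/S set
   would let user-mode code reach the page tables through the self-map
   window, which is why the engine treats that combination as malicious. */
static bool self_map_entry_is_detection(QWORD entry)
{
    return (entry & PT_P) != 0 && (entry & PT_US) != 0;
}

/* Assumed equivalent of SELF_MAP_ENTRY_VA for 4-level paging, using the
   standard recursive-mapping construction: when every level of the walk
   uses the same index i, the PML4 page itself is visible at
   sign_extend(i<<39 | i<<30 | i<<21 | i<<12), and entry i of it lies
   8*i bytes in. The page does not show the real macro body. */
static QWORD self_map_entry_va(QWORD index)
{
    QWORD va = (index << 39) | (index << 30) | (index << 21) | (index << 12);
    va += index * 8ull;
    if (va & (1ULL << 47)) {
        va |= 0xFFFF000000000000ULL; /* make the address canonical */
    }
    return va;
}

int main(void)
{
    /* Constructed CR3: page frame 0x1AB000 with PCID 5 in the low bits. */
    QWORD cr3 = 0x1AB005ULL;
    /* Constructed entry values as a write hook handler might observe them. */
    QWORD benign   = 0x8000000001AC0063ULL; /* P=1, U/S=0: kernel only */
    QWORD tampered = 0x8000000001AC0067ULL; /* P=1, U/S=1: user reachable */
    QWORD absent   = 0x0000000000000006ULL; /* P=0, U/S=1: not present */

    printf("self-map entry PA : 0x%llx\n",
           (unsigned long long)self_map_entry_pa(cr3));
    printf("self-map entry VA : 0x%llx\n",
           (unsigned long long)self_map_entry_va(gSelfMapIndex));
    printf("benign   -> %d\n", self_map_entry_is_detection(benign));
    printf("tampered -> %d\n", self_map_entry_is_detection(tampered));
    printf("absent   -> %d\n", self_map_entry_is_detection(absent));
    return 0;
}
```

Note that only the present-and-user-accessible combination fires: an entry that merely has U/S set while not present is not flagged, which keeps the check quiet while the kernel is in the middle of rewriting the entry.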
Typedef Documentation

typedef struct _WIN_PROCESS_OBJECT *PWIN_PROCESS_OBJECT
Definition at line 10 of file winselfmap.h.

typedef struct _WIN_PROCESS_OBJECT WIN_PROCESS_OBJECT
Definition at line 10 of file winselfmap.h.
Function Documentation

INTSTATUS IntWinSelfMapDisableSelfMapEntryProtection(void)
Disables the self map entry protection for all the processes on the system.
This will deactivate the protection and remove any hooks set by IntWinSelfMapProtectSelfMapIndex.
Return values
    INT_STATUS_SUCCESS                in case of success
    INT_STATUS_NOT_INITIALIZED_HINT   if the guest is not initialized or the protection is not active
    INT_STATUS_NOT_NEEDED_HINT        if the guest is not Windows or is not using 4- or 5-level paging (the other paging modes do not use the self map mechanism)
Definition at line 656 of file winselfmap.c.
Referenced by IntGuestUpdateCoreOptions().
INTSTATUS IntWinSelfMapEnableSelfMapEntryProtection(void)
Enables the self map protection mechanism for the entire system.
It first checks the self map entry of every process using IntWinSelfMapCheckSelfMapEntry, then activates the actual protection using IntWinSelfMapProtectSelfMapIndex.
Return values
    INT_STATUS_SUCCESS                in case of success
    INT_STATUS_NOT_INITIALIZED_HINT   if the guest is not initialized or the protection is not active
    INT_STATUS_NOT_NEEDED_HINT        if the guest is not Windows or is not using 4- or 5-level paging (the other paging modes do not use the self map mechanism)
Definition at line 516 of file winselfmap.c.
Referenced by IntGuestUpdateCoreOptions().
INTSTATUS IntWinSelfMapGetAndCheckSelfMapEntry(WIN_PROCESS_OBJECT *Process)
Sets and validates the self map entry values for a process.
If KPTI is enabled for Process, this will read and validate both the kernel and the user Cr3. If not, only the kernel Cr3 will be considered, as the user Cr3 will be 0. The values are obtained from the _KPROCESS kernel structure. If the INTRO_OPT_PROT_KM_SELF_MAP_ENTRY option was used and a malicious change of the self map value is detected, an alert will eventually be sent. If the process is swapped out, the function does nothing.
Parameters
    [in,out] Process    The process for which the values are read and validated
Return values
    INT_STATUS_SUCCESS                in case of success
    INT_STATUS_INVALID_PARAMETER_1    if Process is NULL
    INT_STATUS_NOT_INITIALIZED_HINT   if the guest is not initialized or the protection is not active
    INT_STATUS_NOT_NEEDED_HINT        if the guest is not Windows, is not using 4- or 5-level paging (the other paging modes do not use the self map mechanism), or the process is swapped out
Definition at line 579 of file winselfmap.c.
Referenced by IntWinProcCreateProcessObject(), and IntWinProcDeleteProcessObject().
INTSTATUS IntWinSelfMapProtectSelfMapIndex(WIN_PROCESS_OBJECT *Process)
Protects the self map index of a process by placing an EPT write hook on it.
Essentially, this protects the user/supervisor bit, in order to make sure that user mode code cannot access the page tables. Currently, this is enabled only for the system process, as other processes may swap out their Cr3 contents. Processes that have their self map entry protected in this way will have an EPT hook set on the page of their kernel Cr3 and, if KPTI is enabled, their user Cr3. Because of this, care should be taken when activating this for other processes, as it may have a negative impact on performance: the kernel may perform many writes on those pages. This is manageable for processes that are already protected, as we already have other hooks placed on their page tables. The EPT hook handler used is IntWinSelfMapHandleCr3SelfMapWrite.
Parameters
    [in] Process    The process for which the protection is activated
Return values
    INT_STATUS_SUCCESS                in case of success
    INT_STATUS_INVALID_PARAMETER_1    if Process is NULL
    INT_STATUS_NOT_NEEDED_HINT        if the guest is not Windows or is not using 4- or 5-level paging (the other paging modes do not use the self map mechanism)
Definition at line 710 of file winselfmap.c.
Referenced by IntWinProcChangeProtectionFlags(), IntWinProcCreateProcessObject(), and IntWinSelfMapEnableSelfMapEntryProtection().
INTSTATUS IntWinSelfMapUnprotectSelfMapIndex(WIN_PROCESS_OBJECT *Process)
Removes the EPT protection for the self map entry index of a process.
This removes the EPT hooks set by IntWinSelfMapProtectSelfMapIndex.
Parameters
    [in] Process    The process for which the protection is removed
Return values
    INT_STATUS_SUCCESS                in case of success
    INT_STATUS_INVALID_PARAMETER_1    if Process is NULL
Definition at line 802 of file winselfmap.c.
Referenced by IntWinProcChangeProtectionFlags(), IntWinProcDeleteProcessObject(), and IntWinSelfMapDisableSelfMapEntryProtection().
INTSTATUS IntWinSelfMapValidateSelfMapEntries(void)
Validates the self map entries for every process in the system.
This function is used by the integrity mechanism in order to perform self map entry validations. For performance reasons, we cannot hook the self map entry of every process in the system. For processes that are already protected this is not a problem, as we already have hooks placed inside their page tables. For the other processes we delegate the check to the periodic integrity callback. It uses the IntWinSelfMapCheckSelfMapEntry function to check the self map entry of every process on the system.
Return values
    INT_STATUS_SUCCESS                in case of success
    INT_STATUS_NOT_INITIALIZED_HINT   if the guest is not initialized or the protection is not active
    INT_STATUS_NOT_NEEDED_HINT        if the guest is not Windows, is not using 4- or 5-level paging (the other paging modes do not use the self map mechanism), or if the INTRO_OPT_PROT_KM_SELF_MAP_ENTRY activation option was not provided
Definition at line 453 of file winselfmap.c.
Referenced by IntHandleTimer().