Bitdefender Hypervisor Memory Introspection
winstack.h
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2020 Bitdefender
3  * SPDX-License-Identifier: Apache-2.0
4  */
5 #ifndef _WINSTACK_H_
6 #define _WINSTACK_H_
7 
8 #include "guest_stack.h"
9 
10 typedef struct _DPI_EXTRA_INFO DPI_EXTRA_INFO, *PDPI_EXTRA_INFO;
11 typedef struct _WIN_PROCESS_OBJECT WIN_PROCESS_OBJECT, *PWIN_PROCESS_OBJECT;
12 
13 // CS selectors for 64-bit guests
14 #define CODE_SEG_UM_32_GUEST_64 0x23
15 #define CODE_SEG_UM_64_GUEST_64 0x33
16 
17 #define CODE_SEG_UM_32_GUEST_32 0x1b
18 
19 
20 INTSTATUS
21 IntWinStackTraceGet(
22  _In_ QWORD StackFrame,
23  _In_ QWORD Rip,
24  _In_ DWORD MaxNumberOfTraces,
25  _In_ QWORD Flags,
26  _Inout_ STACK_TRACE *StackTrace
27  );
28 
29 INTSTATUS
30 IntWinStackTraceGetUser(
31  _In_ PIG_ARCH_REGS Registers,
32  _In_ PWIN_PROCESS_OBJECT Process,
33  _In_ DWORD MaxNumberOfTraces,
34  _Out_ STACK_TRACE *StackTrace
35  );
36 
37 INTSTATUS
38 IntWinStackUserCheckIsPivoted(
39  _In_ QWORD UserRsp,
40  _In_ DWORD SegCs,
41  _In_ BOOLEAN IsWow64Stack,
42  _Inout_ DPI_EXTRA_INFO *DpiExtraInfo,
43  _Out_ BOOLEAN *IsPivoted
44  );
45 
46 INTSTATUS
47 IntWinStackUserTrapFrameGetGeneric(
48  _Out_ QWORD *UserRsp,
49  _Out_ DWORD *SegCs,
50  _In_ BOOLEAN Fallback,
51  _Inout_ DPI_EXTRA_INFO *DpiExtraInfo
52  );
53 
54 INTSTATUS
55 IntWinStackWow64CheckIsPivoted(
56  _In_ WIN_PROCESS_OBJECT *Process,
57  _In_ WIN_PROCESS_OBJECT *RealParent,
58  _Inout_ DPI_EXTRA_INFO *DpiExtraInfo
59  );
60 
61 BOOLEAN
62 IntWinIsUmTrapFrame(
63  _In_ void *TrapFrame
64  );
65 
66 #endif // _WINSTACK_H_
BOOLEAN
_Bool BOOLEAN
Definition: intro_types.h:58
_Out_
#define _Out_
Definition: intro_sal.h:22
_WIN_PROCESS_OBJECT::Flags
DWORD Flags
Windows process flags (possible values for this bitmask are described below).
Definition: winprocess.h:121
_In_
#define _In_
Definition: intro_sal.h:21
PWIN_PROCESS_OBJECT
struct _WIN_PROCESS_OBJECT * PWIN_PROCESS_OBJECT
Definition: winstack.h:11
PDPI_EXTRA_INFO
struct _DPI_EXTRA_INFO * PDPI_EXTRA_INFO
Definition: winstack.h:10
IntWinStackWow64CheckIsPivoted
INTSTATUS IntWinStackWow64CheckIsPivoted(WIN_PROCESS_OBJECT *Process, WIN_PROCESS_OBJECT *RealParent, DPI_EXTRA_INFO *DpiExtraInfo)
Check whether a wow64 process' stack is pivoted.
Definition: winstack.c:2203
INTSTATUS
int INTSTATUS
The status data type.
Definition: introstatus.h:24
_Inout_
#define _Inout_
Definition: intro_sal.h:20
QWORD
unsigned long long QWORD
Definition: intro_types.h:53
_WIN_PROCESS_OBJECT::DpiExtraInfo
DPI_EXTRA_INFO DpiExtraInfo
Represents the gathered extra info while checking the DPI heuristics.
Definition: winprocess.h:304
IntWinStackTraceGet
INTSTATUS IntWinStackTraceGet(QWORD StackFrame, QWORD Rip, DWORD MaxNumberOfTraces, QWORD Flags, STACK_TRACE *StackTrace)
Get a kernel stack trace starting from the current stack pointer for 64 bit systems.
Definition: winstack.c:1164
DWORD
uint32_t DWORD
Definition: intro_types.h:49
IntWinIsUmTrapFrame
BOOLEAN IntWinIsUmTrapFrame(void *TrapFrame)
Checks whether a TrapFrame is valid or not.
Definition: winstack.c:2283
_IG_ARCH_REGS
Holds register state.
Definition: glueiface.h:30
IntWinStackUserTrapFrameGetGeneric
INTSTATUS IntWinStackUserTrapFrameGetGeneric(QWORD *UserRsp, DWORD *SegCs, BOOLEAN Fallback, DPI_EXTRA_INFO *DpiExtraInfo)
Get a bit trap frame from a kernel stack.
Definition: winstack.c:2020
_STACK_TRACE
Structure that describes a stack trace.
Definition: guest_stack.h:42
guest_stack.h
_DPI_EXTRA_INFO
Definition: windpi.h:27
IntWinStackTraceGetUser
INTSTATUS IntWinStackTraceGetUser(PIG_ARCH_REGS Registers, PWIN_PROCESS_OBJECT Process, DWORD MaxNumberOfTraces, STACK_TRACE *StackTrace)
Get the user stack trace of a windows process.
Definition: winstack.c:1604
IntWinStackUserCheckIsPivoted
INTSTATUS IntWinStackUserCheckIsPivoted(QWORD UserRsp, DWORD SegCs, BOOLEAN IsWow64Stack, DPI_EXTRA_INFO *DpiExtraInfo, BOOLEAN *IsPivoted)
Check whether the stack is pivoted by checking if it's in the bounds of the stack base and limit from...
Definition: winstack.c:1741
_WIN_PROCESS_OBJECT
This structure describes a running process inside the guest.
Definition: winprocess.h:83