Bitdefender Hypervisor Memory Introspection
#include "guests.h"
Macros

#define WIN_SHARED_USER_DATA_PTR (gGuest.Guest64 ? 0xFFFFF78000000000 : 0xFFDF0000)
    The address where the SharedUserData is mapped in the Windows kernel.

Functions

INTSTATUS IntWinSudProtectSudExec (void)
    Protects SharedUserData against executions by establishing an EPT hook on it.
INTSTATUS IntWinSudUnprotectSudExec (void)
    Removes the execution EPT hook on SharedUserData.
TIMER_FRIENDLY INTSTATUS IntWinSudCheckIntegrity (void)
    Checks the integrity of the protected SharedUserData fields described in gProtFields.
INTSTATUS IntWinSudProtectIntegrity (void)
    Initializes the SharedUserData integrity protection.
INTSTATUS IntWinSudUnprotectIntegrity (void)
    Uninitializes the SharedUserData integrity protection.
#define WIN_SHARED_USER_DATA_PTR (gGuest.Guest64 ? 0xFFFFF78000000000 : 0xFFDF0000)
The address where the SharedUserData is mapped in the Windows kernel.
Definition at line 11 of file winsud.h.
Referenced by IntWinGuestFetchProductType(), IntWinSudCheckIntegrity(), IntWinSudHandleFieldModification(), IntWinSudProtectIntegrity(), IntWinSudProtectSudExec(), and IntWinSudSendSudIntegrityAlert().
TIMER_FRIENDLY INTSTATUS IntWinSudCheckIntegrity (void)
This function checks the integrity of the protected fields from SharedUserData, described in gProtFields.
For every field in gProtFields, this function checks whether the internally saved value equals the current value. To do so, it fetches the SharedUserData contents into gSudBuffer and verifies the new values against the saved ones. For fields that have ShouldBeZero set to TRUE, every byte of the described field is verified to be zero. A ShouldBeZero field that was previously modified, with the modification allowed, has its ReenableOnZero flag set; if such a field is now filled with zeroes again, this function re-enables the checks on it.
Returns:
    INT_STATUS_SUCCESS  On success.
    INT_STATUS_NOT_INITIALIZED_HINT  If the SharedUserData integrity protection was not yet initialized.
    INT_STATUS_INVALID_INTERNAL_STATE  If the SharedUserData protection is initialized but the protection flags do not include this protection.
Definition at line 980 of file winsud.c.
Referenced by IntHandleTimer().
INTSTATUS IntWinSudProtectIntegrity (void)
Initializes the SharedUserData integrity protection.
This includes allocating the global buffer for the SharedUserData contents, fetching the current values of the fields into the internal state, and checking the field sizes to ensure that the internal state for the protected fields is correct.
Returns:
    INT_STATUS_SUCCESS  On success.
    INT_STATUS_NOT_NEEDED_HINT  If the protection is already initialized.
    INT_STATUS_INSUFFICIENT_RESOURCES  If the global buffer could not be allocated.
Definition at line 1099 of file winsud.c.
Referenced by IntGuestUpdateCoreOptions(), and IntWinGuestActivateProtection().
INTSTATUS IntWinSudProtectSudExec (void)
Protects SharedUserData against executions by establishing an EPT hook on it.
Returns:
    INT_STATUS_SUCCESS  On success.
    INT_STATUS_ALREADY_INITIALIZED  If the hook is already established.
Definition at line 661 of file winsud.c.
Referenced by IntGuestUpdateCoreOptions(), and IntWinGuestActivateProtection().
INTSTATUS IntWinSudUnprotectIntegrity (void)
Uninitializes the SharedUserData integrity protection.
This de-allocates the global buffer and sets the gSudIntegrityInitialized boolean to FALSE, so that no further integrity checks are made. Note that the global per-field state is not reset at this point: a future call to IntWinSudProtectIntegrity updates the saved values, and ShouldBeZero fields that have the ReenableOnZero flag set are monitored again on the first integrity check after the protection is re-activated.
Returns:
    INT_STATUS_SUCCESS  On success.
    INT_STATUS_NOT_NEEDED_HINT  If the protection is already uninitialized.
Definition at line 1178 of file winsud.c.
Referenced by IntGuestUpdateCoreOptions().
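The following is an added example, not code from the HVMI project: a small model of the integrity lifecycle that IntWinSudProtectIntegrity, IntWinSudCheckIntegrity and IntWinSudUnprotectIntegrity are documented to implement (snapshot the fields, compare on every timer tick, treat ShouldBeZero fields specially, set ReenableOnZero after an allowed modification, and keep that per-field state across an unprotect/protect cycle). The field table, the function names, the numeric return codes and the `allow` parameter (which stands in for the exception decision the real code takes elsewhere) are assumptions made for illustration, and the "guest" is a plain byte buffer rather than introspected memory.

```c
/* Added example, not HVMI code: a model of the SharedUserData integrity
 * lifecycle documented above. Field table, names, return codes and the
 * 'allow' parameter are assumptions; the "guest" is a plain byte buffer. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SUD_SIZE 0x40   /* constructed: a small stand-in for the real page */

typedef struct {
    const char *Name;
    uint32_t    Offset;          /* offset inside SharedUserData */
    uint32_t    Size;            /* field size in bytes (<= 8 here) */
    bool        ShouldBeZero;    /* every byte of the field must be zero */
    bool        ReenableOnZero;  /* set when a ShouldBeZero change was allowed */
    bool        Monitored;       /* cleared while an allowed change is in place */
    uint8_t     Saved[8];        /* last known-good value for value fields */
} SUD_FIELD;

/* Constructed field table: one value field and one must-be-zero region. */
static SUD_FIELD gFields[] = {
    { "NtMajorVersion", 0x10, 4, false, false, true, {0} },
    { "Reserved",       0x20, 8, true,  false, true, {0} },
};
#define FIELD_COUNT (sizeof(gFields) / sizeof(gFields[0]))

static uint8_t *gSudBuffer;               /* copy of guest SharedUserData */
static bool     gSudIntegrityInitialized;

static void FetchSud(const uint8_t *guest) { memcpy(gSudBuffer, guest, SUD_SIZE); }

static bool AllZero(const uint8_t *p, uint32_t n)
{
    for (uint32_t i = 0; i < n; i++)
        if (p[i]) return false;
    return true;
}

/* Allocate the buffer and snapshot the current values. 0 = success,
 * 1 = already initialized (NOT_NEEDED_HINT), 2 = allocation failure. */
int SudProtectIntegrity(const uint8_t *guest)
{
    if (gSudIntegrityInitialized) return 1;
    if (!gSudBuffer && !(gSudBuffer = calloc(1, SUD_SIZE))) return 2;
    FetchSud(guest);
    for (size_t i = 0; i < FIELD_COUNT; i++)
        memcpy(gFields[i].Saved, gSudBuffer + gFields[i].Offset, gFields[i].Size);
    gSudIntegrityInitialized = true;
    return 0;
}

/* Free the buffer and stop checking. Per-field state (ReenableOnZero,
 * Monitored) is deliberately kept, as the documentation describes. */
int SudUnprotectIntegrity(void)
{
    if (!gSudIntegrityInitialized) return 1;
    free(gSudBuffer);
    gSudBuffer = NULL;
    gSudIntegrityInitialized = false;
    return 0;
}

/* Timer-driven check. Returns -1 if not initialized, else the number of
 * modified fields; *firstHit names the first one. 'allow' models the
 * exception decision: an allowed value field gets a new reference, an
 * allowed ShouldBeZero field stops being checked until it is zero again.
 * A denied change keeps the old reference, so it is reported again. */
int SudCheckIntegrity(const uint8_t *guest, bool allow, const char **firstHit)
{
    int hits = 0;
    if (firstHit) *firstHit = NULL;
    if (!gSudIntegrityInitialized) return -1;
    FetchSud(guest);
    for (size_t i = 0; i < FIELD_COUNT; i++) {
        SUD_FIELD *f = &gFields[i];
        const uint8_t *cur = gSudBuffer + f->Offset;
        if (!f->Monitored) {
            if (f->ShouldBeZero && f->ReenableOnZero && AllZero(cur, f->Size)) {
                f->Monitored = true;      /* region is clean again: resume checks */
                f->ReenableOnZero = false;
            }
            continue;
        }
        bool ok = f->ShouldBeZero ? AllZero(cur, f->Size)
                                  : memcmp(cur, f->Saved, f->Size) == 0;
        if (ok) continue;
        hits++;
        if (firstHit && !*firstHit) *firstHit = f->Name;
        if (!allow) continue;
        if (f->ShouldBeZero) { f->Monitored = false; f->ReenableOnZero = true; }
        else memcpy(f->Saved, cur, f->Size);
    }
    return hits;
}

int main(void)
{
    uint8_t guest[SUD_SIZE] = {0};
    const char *hit;
    guest[0x10] = 10;                          /* constructed initial value */
    SudProtectIntegrity(guest);
    guest[0x20] = 0xCC;                        /* write into a must-be-zero region */
    int n = SudCheckIntegrity(guest, false, &hit);
    printf("modified fields: %d (%s)\n", n, hit ? hit : "-");
    return 0;
}
```

The point worth noticing is the asymmetry between the two field kinds: a value field that was legitimately changed simply gets a new reference, whereas a ShouldBeZero field has no "new good value" to adopt, so the only safe option is to suspend checking and resume once the region is zero again, and that suspension must survive an unprotect/protect cycle or a re-activation would immediately re-report the already-allowed write.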
INTSTATUS IntWinSudUnprotectSudExec (void)
Removes the execution EPT hook on SharedUserData.
Returns:
    INT_STATUS_SUCCESS  On success.
    INT_STATUS_NOT_INITIALIZED  If the hook was not previously established.
Definition at line 697 of file winsud.c.
Referenced by IntGuestUpdateCoreOptions().