Bitdefender Hypervisor Memory Introspection
handlers.h
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2020 Bitdefender
3  * SPDX-License-Identifier: Apache-2.0
4  */
5 #ifndef _HANDLERS_H_
6 #define _HANDLERS_H_
7 
8 #pragma pack(push, 8)
9 
10 typedef enum {
11  det_commit_creds = 0,
12  det_arch_jump_label_transform,
13  det_module_param_sysfs_setup,
14  det_module_param_sysfs_remove,
15  det_wake_up_new_task,
16  det_flush_old_exec,
17  det_do_exit,
18  det_arch_ptrace,
19  det_compat_arch_ptrace,
20  det_process_vm_rw_core,
21  det___vma_link_rb,
22  det_change_protection,
23  det_vma_adjust,
24  det___vma_adjust,
25  det_vma_rb_erase,
26  det___vma_rb_erase,
27  det_expand_downwards,
28  det_complete_signal,
29  det_text_poke,
30  det___text_poke,
31  det_ftrace_write,
32  det_panic,
33  det_crash_kexec,
34  det___access_remote_vm,
35  det_mprotect_fixup_vma_wants_writenotify,
36  det_do_munmap_rb_erase,
37  det_vma_adjust_rb_erase,
38 
39  det_max_id
40 } DETOUR_ID;
41 
42 typedef char * (d_path_fn)(void *path, char *buf, int buflen);
43 
44 typedef struct _LIX_GUEST_OS_SPECIFIC {
45  struct {
46  unsigned int MmOffset;
47  unsigned int FlagsOffset;
48  unsigned int FileOffset;
49  unsigned int VmNextOffset;
50  unsigned int VmPrevOffset;
51  unsigned int Rb;
52 
53  unsigned int ProtectionBit;
54  } Vma;
55 
56  struct {
57  unsigned int FlagsOffset;
58  unsigned int Rb;
59 
60  unsigned int ProtectionBit;
61  } Mm;
62 
63  struct {
64  unsigned int InExecve;
65  unsigned int InExecveBit;
66  } Task;
67 
68  struct {
69  unsigned int FileOffset;
70  } Binprm;
71 
72  struct {
73  unsigned int DentryOffset;
74  unsigned int PathOffset;
75  } File;
76 
77  struct {
78  unsigned int InodeOffset;
79  } Dentry;
80 
81  struct {
82  unsigned int Mode;
83  unsigned int Uid;
84  unsigned int Gid;
85  } Inode;
86 
87  unsigned int CurrentTaskOffset;
88  unsigned int CurrentCpuOffset;
89 
90  void *PercpuMemPtr;
91  d_path_fn *DPathFnPtr;
92 } LIX_GUEST_OS_SPECIFIC;
93 
94 
95 typedef struct _LIX_GUEST_DETOUR {
96  char Name[32];
97  char HijackName[32];
98  unsigned long long Address;
99  unsigned long long RelocatedCode;
100  unsigned long long JumpBack;
101  unsigned long long EnableOptions;
102 } LIX_GUEST_DETOUR;
103 
104 
105 typedef struct _LIX_HYPERCALL_PAGE
106 {
107  unsigned long long ProtectionOptions;
108  unsigned long long DetoursCount;
109 
110  LIX_GUEST_DETOUR Detours[det_max_id];
111 
112  LIX_GUEST_OS_SPECIFIC OsSpecificFields;
113 } LIX_HYPERCALL_PAGE;
114 
115 #pragma pack(pop)
116 
117 #endif // _HANDLERS_H_
LIX_GUEST_DETOUR
struct _LIX_GUEST_DETOUR LIX_GUEST_DETOUR
_LIX_GUEST_DETOUR::Address
unsigned long long Address
Definition: handlers.h:98
_LIX_GUEST_OS_SPECIFIC::Inode
struct _LIX_GUEST_OS_SPECIFIC::@260 Inode
_LIX_GUEST_OS_SPECIFIC::VmPrevOffset
unsigned int VmPrevOffset
Definition: handlers.h:50
_LIX_GUEST_OS_SPECIFIC::Vma
struct _LIX_GUEST_OS_SPECIFIC::@254 Vma
_LIX_GUEST_OS_SPECIFIC::DentryOffset
unsigned int DentryOffset
Definition: handlers.h:73
_LIX_HYPERCALL_PAGE::OsSpecificFields
LIX_GUEST_OS_SPECIFIC OsSpecificFields
Definition: handlers.h:112
_LIX_GUEST_DETOUR::EnableOptions
unsigned long long EnableOptions
Definition: handlers.h:101
_LIX_GUEST_OS_SPECIFIC::FileOffset
unsigned int FileOffset
Definition: handlers.h:48
_LIX_GUEST_DETOUR
Definition: handlers.h:95
_LIX_GUEST_OS_SPECIFIC::Gid
unsigned int Gid
Definition: handlers.h:84
d_path_fn
char *() d_path_fn(void *path, char *buf, int buflen)
Definition: handlers.h:42
_LIX_GUEST_OS_SPECIFIC::Rb
unsigned int Rb
Definition: handlers.h:51
_LIX_GUEST_OS_SPECIFIC::CurrentCpuOffset
unsigned int CurrentCpuOffset
Definition: handlers.h:88
_LIX_GUEST_OS_SPECIFIC::DPathFnPtr
d_path_fn * DPathFnPtr
Definition: handlers.h:91
_LIX_GUEST_OS_SPECIFIC::InExecveBit
unsigned int InExecveBit
Definition: handlers.h:65
_LIX_GUEST_OS_SPECIFIC::Task
struct _LIX_GUEST_OS_SPECIFIC::@256 Task
_LIX_GUEST_OS_SPECIFIC::InodeOffset
unsigned int InodeOffset
Definition: handlers.h:78
_LIX_GUEST_OS_SPECIFIC::Uid
unsigned int Uid
Definition: handlers.h:83
_LIX_GUEST_OS_SPECIFIC::Dentry
struct _LIX_GUEST_OS_SPECIFIC::@259 Dentry
_LIX_GUEST_OS_SPECIFIC::CurrentTaskOffset
unsigned int CurrentTaskOffset
Definition: handlers.h:87
LIX_HYPERCALL_PAGE
struct _LIX_HYPERCALL_PAGE LIX_HYPERCALL_PAGE
_LIX_GUEST_OS_SPECIFIC::InExecve
unsigned int InExecve
Definition: handlers.h:64
_LIX_HYPERCALL_PAGE
Definition: handlers.h:105
_LIX_GUEST_OS_SPECIFIC::Binprm
struct _LIX_GUEST_OS_SPECIFIC::@257 Binprm
_LIX_GUEST_OS_SPECIFIC::ProtectionBit
unsigned int ProtectionBit
Definition: handlers.h:53
_LIX_GUEST_OS_SPECIFIC::MmOffset
unsigned int MmOffset
Definition: handlers.h:46
_LIX_GUEST_OS_SPECIFIC::PathOffset
unsigned int PathOffset
Definition: handlers.h:74
_LIX_GUEST_OS_SPECIFIC::Mm
struct _LIX_GUEST_OS_SPECIFIC::@255 Mm
_LIX_GUEST_OS_SPECIFIC::VmNextOffset
unsigned int VmNextOffset
Definition: handlers.h:49
_LIX_GUEST_OS_SPECIFIC::Mode
unsigned int Mode
Definition: handlers.h:82
_LIX_GUEST_OS_SPECIFIC::PercpuMemPtr
void * PercpuMemPtr
Definition: handlers.h:90
_LIX_GUEST_OS_SPECIFIC::FlagsOffset
unsigned int FlagsOffset
Definition: handlers.h:47
_LIX_GUEST_DETOUR::RelocatedCode
unsigned long long RelocatedCode
Definition: handlers.h:99
_LIX_HYPERCALL_PAGE::ProtectionOptions
unsigned long long ProtectionOptions
Definition: handlers.h:107
_LIX_HYPERCALL_PAGE::DetoursCount
unsigned long long DetoursCount
Definition: handlers.h:108
LIX_GUEST_OS_SPECIFIC
struct _LIX_GUEST_OS_SPECIFIC LIX_GUEST_OS_SPECIFIC
_LIX_GUEST_DETOUR::JumpBack
unsigned long long JumpBack
Definition: handlers.h:100
_LIX_GUEST_OS_SPECIFIC::File
struct _LIX_GUEST_OS_SPECIFIC::@258 File
_LIX_GUEST_OS_SPECIFIC
Definition: handlers.h:44
DETOUR_ID
DETOUR_ID
Definition: handlers.h:10