Bitdefender Hypervisor Memory Introspection
#include "hook.h"
Functions
| INTSTATUS | IntHookCommitAllHooks (void) | Commits all the hooks. |
| INTSTATUS | IntHookRemoveChain (PHOOK_GPA HookGpa) | Removes a hook chain, starting with the given GPA hook. |
| INTSTATUS | IntHookInit (void) | Initialize the global hook system. |
| INTSTATUS | IntHookUninit (void) | Uninit the global hooks system. |
| QWORD | IntHookGetGlaFromGpaHook (HOOK_GPA const *Hook, QWORD Address) | Gets the GLA from a GPA hook. |
Variables
| HOOK_STATE * | gHooks = NULL | Global hooks state. |
INTSTATUS IntHookCommitAllHooks (void)
Commits all the hooks.
This function calls the commit function of each existing hook system. The commit functions are the ones that actually delete each removed hook. Deletion is deferred because a callback must be allowed to remove its own hook: a hook cannot be freed at the moment it is removed, since the removal may come from inside that hook's own callback. Instead, each removed hook is placed in a removed hooks list, and all of them are deleted at once after every callback has been handled. If a new hook system is added, a commit function should normally be created for it as well, and that commit function should be called here.
Return values
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_INITIALIZED_HINT | If the hook system has not been initialized. |
| INT_STATUS_NOT_NEEDED_HINT | If no hooks were removed. |
Definition at line 12 of file hook.c.
Referenced by IntGuestPrepareUninit(), IntGuestPreReturnCallback(), and IntHookUninit().
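The deferred-deletion scheme described above, as an added example that is not Introcore's code. All names (`hook_t`, `hook_set`, `hook_remove`, `hook_dispatch`, `hook_commit`) are hypothetical, and the sample registers one hook that removes itself twice from its own callback and one that stays.

```c
#include <stdlib.h>
typedef struct hook {           /* hypothetical record, not Introcore's HOOK_GPA */
    struct hook *next;          /* link in the active list */
    struct hook *next_removed;  /* link in the removed list */
    int removed;                /* set once removal has been requested */
    void (*callback)(struct hook *self);
} hook_t;
static hook_t *g_active;        /* hooks the dispatcher may still visit */
static hook_t *g_removed;       /* hooks waiting for hook_commit() */

hook_t *hook_set(void (*cb)(hook_t *)) {
    hook_t *h = calloc(1, sizeof(*h));
    if (h == NULL) return NULL;
    h->callback = cb;
    h->next = g_active;
    g_active = h;
    return h;
}

/* Safe inside the hook's own callback: queues the hook, frees nothing. */
void hook_remove(hook_t *h) {
    if (h->removed) return;     /* a repeated request must not queue twice */
    h->removed = 1;
    h->next_removed = g_removed;
    g_removed = h;
}

/* Deliver one event to every live hook; returns how many callbacks ran. */
int hook_dispatch(void) {
    int ran = 0;
    for (hook_t *h = g_active; h != NULL; h = h->next)
        if (!h->removed) { h->callback(h); ran++; }
    return ran;
}

/* Call once all callbacks have returned: unlink and free queued hooks. */
int hook_commit(void) {
    int freed = 0;
    while (g_removed != NULL) {
        hook_t *h = g_removed, **pp = &g_active;
        g_removed = h->next_removed;
        while (*pp != h) pp = &(*pp)->next;  /* queued hooks are still linked */
        *pp = h->next;
        free(h); freed++;
    }
    return freed;
}

void one_shot(hook_t *self) { hook_remove(self); hook_remove(self); }
void persistent(hook_t *self) { (void)self; }
```

Because `hook_remove` only queues, the dispatcher can still read `h->next` of a hook that removed itself; freeing at that point would leave the loop walking freed memory.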
QWORD IntHookGetGlaFromGpaHook (HOOK_GPA const *Hook, QWORD Address)
Gets the GLA from a GPA hook.
GVA and GPA hooks are distinct: logic hooks are placed on guest virtual pages, but the EPT works with guest physical pages. The only relation between a GPA hook and a virtual address is therefore the parent-child relationship between the hooks. This function returns the linear address associated with a given guest physical hook.
NOTE: If multiple guest virtual pages point to the same guest physical page, there should also be multiple guest physical page hooks, as Introcore does not take shared memory into consideration. Multiple hooks set on the same guest physical range lead to multiple hook structures being allocated. The only aliasing issue that could appear is when the same callback, with the same context, is used for different virtual pages that translate to the same physical page; in this scenario, the caller must be aware of the shared memory implications and should use the context to properly identify the virtual pages involved in the hook.
Parameters
| [in] | Hook | The GPA hook. |
| [in] | Address | The guest physical address accessed, used only to extract the low 12 bits (page offset). |
Definition at line 279 of file hook.c.
Referenced by IntLixDrvIsLegitimateTextPoke(), IntLixGuestAgentContentHandler(), IntLixGuestDetourCodeHandler(), IntLixGuestDetourDataHandler(), IntVeHandleAccess(), IntWinDrvHandleRead(), IntWinDrvHandleWrite(), IntWinHalHandleHalHeapExec(), IntWinHalHandleHalIntCtrlWrite(), IntWinModHandleKernelWrite(), IntWinModHandleUserWrite(), and IntWinTokenPrivsHandleWrite().
INTSTATUS IntHookInit (void)
Initialize the global hook system.
This function will initialize all the hook systems. Creating a new hook subsystem requires that it be initialized here, by calling its Init function.
Return values
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_ALREADY_INITIALIZED | If the hook system has already been initialized. |
| INT_STATUS_INSUFFICIENT_RESOURCES | If a memory allocation function failed. |
Definition at line 165 of file hook.c.
Referenced by IntGuestInit().
INTSTATUS IntHookRemoveChain (PHOOK_GPA HookGpa)
Removes a hook chain, starting with the given GPA hook.
In Introcore, hooks may be chained. For example, an object (or region hook) may contain multiple GVA hooks, which in turn contain multiple PTS or GPA hooks. Whenever a callback returns the status INT_STATUS_REMOVE_HOOK_ON_RET, we must remove the top-most hook structure. This is done by starting with the current GPA hook and walking up through each parent hook until we reach a hook whose parent is NULL. Once we find that hook, we call the appropriate remove function on it, which in turn takes care of removing all the children hooks, up to and including the current HookGpa.
Parameters
| [in] | HookGpa | The GPA hook, which usually is the bottom-most hook. |
Return values
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
| INT_STATUS_NOT_SUPPORTED | If an unknown top-most hook is encountered. |
Definition at line 105 of file hook.c.
Referenced by IntHandleMemAccess(), and IntWinHalHandleHalHeapExec().
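The upward walk described above, as an added example that is not Introcore's code. The types, status names and functions (`hk_t`, `hk_remove_chain`, `hk_remove_tree`, `ST_*`) are hypothetical, and the sample chain is constructed: one region hook holding two GVA hooks and three GPA hooks.

```c
#include <stddef.h>
#include <string.h>
/* Hypothetical types modeled on the description above; not Introcore's own. */
typedef enum { HK_GPA, HK_GVA, HK_REGION, HK_UNKNOWN } hk_type_t;
enum { ST_SUCCESS = 0, ST_INVALID_PARAMETER = -1, ST_NOT_SUPPORTED = -2 };
typedef struct hk {
    hk_type_t type;
    struct hk *parent;      /* NULL on the top-most hook */
    struct hk *child[4];    /* fixed fan-out, enough for the sample */
    int removed;
} hk_t;

/* Flag a hook and all its descendants; returns how many were flagged. */
static int hk_remove_tree(hk_t *h) {
    if (h == NULL || h->removed) return 0;
    int n = 1;
    h->removed = 1;
    for (size_t i = 0; i < 4; i++) n += hk_remove_tree(h->child[i]);
    return n;
}

/* Walk up from a GPA hook to the parentless hook, then remove from there. */
int hk_remove_chain(hk_t *gpa, int *flagged) {
    if (gpa == NULL || flagged == NULL || gpa->type != HK_GPA)
        return ST_INVALID_PARAMETER;
    hk_t *top = gpa;
    while (top->parent != NULL) top = top->parent;
    if (top->type == HK_UNKNOWN) return ST_NOT_SUPPORTED;  /* touch nothing */
    *flagged = hk_remove_tree(top);
    return ST_SUCCESS;
}

static void hk_link(hk_t *parent, size_t slot, hk_t *child, hk_type_t type) {
    child->type = type; child->parent = parent;
    if (parent != NULL) parent->child[slot] = child;
}

/* Constructed sample: n[0] region -> n[1], n[2] GVA -> n[3..5] GPA hooks. */
int demo_remove_from_leaf(void) {
    hk_t n[6];
    int flagged = 0;
    memset(n, 0, sizeof(n));
    hk_link(NULL, 0, &n[0], HK_REGION);
    hk_link(&n[0], 0, &n[1], HK_GVA);  hk_link(&n[0], 1, &n[2], HK_GVA);
    hk_link(&n[1], 0, &n[3], HK_GPA);  hk_link(&n[1], 1, &n[4], HK_GPA);
    hk_link(&n[2], 0, &n[5], HK_GPA);
    if (hk_remove_chain(&n[3], &flagged) != ST_SUCCESS) return -1;
    return n[5].removed ? flagged : -1;  /* sibling page's hook is gone too */
}
```

Removal requested from one page's callback takes down every hook under the same top-most owner, so a callback should return the remove status only when the whole protected object is meant to lose its hooks.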
INTSTATUS IntHookUninit (void)
Uninit the global hooks system.
This function calls the uninit function of each hook system. Creating a new hook system requires adding a call to its uninit function here.
Return values
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_INITIALIZED_HINT | If the hooks system is not initialized. |
Definition at line 238 of file hook.c.
Referenced by IntGuestUninit().
HOOK_STATE * gHooks = NULL
Global hooks state.
Definition at line 8 of file hook.c.
Referenced by DbgDumpHooksGva(), IntDbgCheckHooks(), IntHandleMemAccess(), IntHookGpaCommitHooks(), IntHookGpaDeleteHookInternal(), IntHookGpaDump(), IntHookGpaEnableDisablePtCache(), IntHookGpaEnableDisableVe(), IntHookGpaFindConvertible(), IntHookGpaGetEptEntry(), IntHookGpaGetExistingEptEntry(), IntHookGpaInit(), IntHookGpaIsPageHooked(), IntHookGpaRemoveHookInternal(), IntHookGpaSetHook(), IntHookGpaSetNewPageProtection(), IntHookGvaCommitHooks(), IntHookGvaInit(), IntHookGvaRemoveHookInternal(), IntHookGvaSetHook(), IntHookObjectCommit(), IntHookObjectCreate(), IntHookObjectDestroy(), IntHookObjectDestroyAll(), IntHookObjectHookRegion(), IntHookObjectInit(), IntHookObjectRemoveRegionInternal(), IntHookObjectUninit(), IntHookPtmAddTable(), IntHookPtmCommitHooks(), IntHookPtmInit(), IntHookPtmRemoveHookInternal(), IntHookPtmRemoveTableHook(), IntHookPtmSetHook(), IntHookPtsCheckIntegrity(), IntHookPtsCloneCallbacks(), IntHookPtsCommitHooks(), IntHookPtsDump(), IntHookPtsInit(), IntHookPtsRemoveHookInternal(), IntHookPtsRemovePteHook(), IntHookPtsSetHook(), IntHookPtsWriteCallback(), and IntVeInit().