#include "hook.h"
#include "hook_ptm.h"
#include "vecore.h"

Data Structures
struct	_INVOCATION_CONTEXT

Macros
#define	LOCAL_BUF_SIZE 4

Typedefs
typedef struct _INVOCATION_CONTEXT	INVOCATION_CONTEXT

typedef struct _INVOCATION_CONTEXT *	PINVOCATION_CONTEXT

Functions
static INTSTATUS	IntHookPtmWriteCallback (void Context, void Hook, QWORD Address, INTRO_ACTION *Action)
	Called whenever a monitored page-table is written. More...

static INTSTATUS	IntHookPtmAddTable (QWORD Gpa, DWORD Flags, PHOOK_PTM_TABLE *PtHook)
	Add a new page-table to the monitored list. More...

INTSTATUS	IntHookPtmSetHook (QWORD Address, PFUNC_EptViolationCallback Callback, void Context, void ParentHook, DWORD Flags, PHOOK_PTM *Hook)
	Set a hook on a page-table. More...

static INTSTATUS	IntHookPtmRemoveTableHook (PHOOK_PTM_TABLE Hook, DWORD Flags)
	Remove a page-table hook. More...

static INTSTATUS	IntHookPtmRemoveHookInternal (PHOOK_PTM Hook, DWORD Flags)
	Remove a page-table hook handle. More...

INTSTATUS	IntHookPtmRemoveHook (HOOK_PTM **Hook, DWORD Flags)
	Remove a page-table hook handle. More...

static INTSTATUS	IntHookPtmDeleteTableHook (PHOOK_PTM_TABLE Hook, DWORD Flags)
	Permanently delete a page-table hook. More...

static INTSTATUS	IntHookPtmDeleteHookInternal (PHOOK_PTM Hook, DWORD Flags)
	Permanently delete a page-table hook handle. More...

INTSTATUS	IntHookPtmDeleteHook (HOOK_PTM **Hook, DWORD Flags)
	Permanently delete a page-table hook handle. More...

INTSTATUS	IntHookPtmCommitHooks (void)
	Commit the page-table hooks. More...

INTSTATUS	IntHookPtmInit (void)
	Initialize the page-table hook system. More...

Macro Definition Documentation

◆ LOCAL_BUF_SIZE

#define LOCAL_BUF_SIZE 4

Referenced by IntHookPtmWriteCallback().

Typedef Documentation

◆ INVOCATION_CONTEXT

typedef struct _INVOCATION_CONTEXT INVOCATION_CONTEXT

Local invocation context, so we don't cause deadlocks while calling the modification callback.

◆ PINVOCATION_CONTEXT

typedef struct _INVOCATION_CONTEXT * PINVOCATION_CONTEXT

Function Documentation

◆ IntHookPtmAddTable()

static INTSTATUS IntHookPtmAddTable	(	QWORD	Gpa,
		DWORD	Flags,
		PHOOK_PTM_TABLE *	PtHook
	)

static

Add a new page-table to the monitored list.

Either return the PHOOK_PTM_TABLE entry of an already monitored page-table, or allocate a new one, if the page-table is not already monitored.

Parameters

[in]	Gpa	The guest physical address of the page-table.
[in]	Flags	Flags. Use HOOK_FLG_PAE_ROOT to indicate a PAE root entry.
[out]	PtHook	The found or newly allocated page-table hook.

Return values

INT_STATUS_SUCCESS	On success.
INT_STATUS_INVALID_PARAMETER	If an invalid parameter is supplied.
INT_STATUS_INSUFFICIENT_RESOURCES	If a memory allocation function fails.

Definition at line 182 of file hook_ptm.c.

Referenced by IntHookPtmSetHook().

◆ IntHookPtmCommitHooks()

INTSTATUS IntHookPtmCommitHooks ( void )

Commit the page-table hooks.

This function deletes all the hooks that have been removed. Only the hooks which were flagged with the HOOK_FLG_CHAIN_DELETE are spared, as it is expected that a higher level hook manager will delete them.

Return values

INT_STATUS_SUCCESS On success.

Definition at line 688 of file hook_ptm.c.

Referenced by IntHookCommitAllHooks().

◆ IntHookPtmDeleteHook()

INTSTATUS IntHookPtmDeleteHook	(	HOOK_PTM **	Hook,
		DWORD	Flags
	)

Permanently delete a page-table hook handle.

Unlike IntHookPtmDeleteTableHook, this function only deletes the handle to a PHOOK_PTM_TABLE. The PHOOK_PTM_TABLE entry will actually be deleted only when its reference count reaches 0.

Parameters

[in]	Hook	The page-table hook.
[in]	Flags	Hook flags.

Return values

INT_STATUS_SUCCESS On success.

Definition at line 643 of file hook_ptm.c.

Referenced by IntHookPtsDeletePdHook().

◆ IntHookPtmDeleteHookInternal()

static INTSTATUS IntHookPtmDeleteHookInternal	(	PHOOK_PTM	Hook,
		DWORD	Flags
	)

static

Permanently delete a page-table hook handle.

Unlike IntHookPtmDeleteTableHook, this function only deletes the handle to a PHOOK_PTM_TABLE. The PHOOK_PTM_TABLE entry will actually be deleted only when its reference count reaches 0.

Parameters

[in]	Hook	The page-table hook.
[in]	Flags	Hook flags.

Return values

INT_STATUS_SUCCESS On success.

Definition at line 601 of file hook_ptm.c.

Referenced by IntHookPtmCommitHooks(), and IntHookPtmDeleteHook().

◆ IntHookPtmDeleteTableHook()

static INTSTATUS IntHookPtmDeleteTableHook	(	PHOOK_PTM_TABLE	Hook,
		DWORD	Flags
	)

static

Permanently delete a page-table hook.

Parameters

[in]	Hook	The page-table hook.
[in]	Flags	Hook flags.

Return values

INT_STATUS_SUCCESS On success.

Definition at line 567 of file hook_ptm.c.

Referenced by IntHookPtmCommitHooks(), and IntHookPtmDeleteHookInternal().

◆ IntHookPtmInit()

INTSTATUS IntHookPtmInit ( void )

Initialize the page-table hook system.

Return values

INT_STATUS_SUCCESS On success.

Definition at line 771 of file hook_ptm.c.

Referenced by IntHookInit().

◆ IntHookPtmRemoveHook()

INTSTATUS IntHookPtmRemoveHook	(	HOOK_PTM **	Hook,
		DWORD	Flags
	)

Remove a page-table hook handle.

Unlike IntHookPtmRemoveTableHook which removes a page-table hook, this function removes a user set page-table hook. If multiple hooks are established on the same page-table, this function will just decrement the reference count of the PHOOK_PTM_TABLE entry. Otherwise, it will remove the PHOOK_PTM_TABLE using the IntHookPtmRemoveTableHook.

Parameters

[in,out]	Hook	The hook to be removed.
[in]	Flags	Hook flags. If HOOK_FLG_CHAIN_DELETE, the hook will be deleted by a higher level hook manager, instead of the commit function.

Return values

INT_STATUS_SUCCESS On success.

Definition at line 520 of file hook_ptm.c.

Referenced by IntHookPtsDisableEntry(), IntHookPtsEnableEntry(), IntHookPtsRemovePteHook(), and IntHookRemoveChain().

◆ IntHookPtmRemoveHookInternal()

static INTSTATUS IntHookPtmRemoveHookInternal	(	PHOOK_PTM	Hook,
		DWORD	Flags
	)

static

Remove a page-table hook handle.

Unlike IntHookPtmRemoveTableHook which removes a page-table hook, this function removes a user set page-table hook. If multiple hooks are established on the same page-table, this function will just decrement the reference count of the PHOOK_PTM_TABLE entry. Otherwise, it will remove the PHOOK_PTM_TABLE using the IntHookPtmRemoveTableHook.

Parameters

[in]	Hook	The hook to be removed.
[in]	Flags	Hook flags. If HOOK_FLG_CHAIN_DELETE, the hook will be deleted by a higher level hook manager, instead of the commit function.

Return values

INT_STATUS_SUCCESS On success.

Definition at line 459 of file hook_ptm.c.

Referenced by IntHookPtmRemoveHook().

◆ IntHookPtmRemoveTableHook()

static INTSTATUS IntHookPtmRemoveTableHook	(	PHOOK_PTM_TABLE	Hook,
		DWORD	Flags
	)

static

Remove a page-table hook.

Parameters

[in]	Hook	The hook to be removed.
[in]	Flags	Hook flags. If HOOK_FLG_CHAIN_DELETE, the hook will be deleted by a higher level hook manager, instead of the commit function.

Return values

INT_STATUS_SUCCESS On success.

Definition at line 415 of file hook_ptm.c.

Referenced by IntHookPtmRemoveHookInternal().

◆ IntHookPtmSetHook()

INTSTATUS IntHookPtmSetHook	(	QWORD	Address,
		PFUNC_EptViolationCallback	Callback,
		void *	Context,
		void *	ParentHook,
		DWORD	Flags,
		PHOOK_PTM *	Hook
	)

Set a hook on a page-table.

Establishes a hook on the given page-table. The provided callback will be called whenever any entry inside the page-table is modified.

Parameters

[in]	Address	The guest physical address of the page-table.
[in]	Callback	The page-table modification callback.
[in]	Context	User-defined context to be passed to the Callback.
[in]	ParentHook	Higher level hook, if any.
[in]	Flags	Hook flags. Check the HOOK_FLG* definitions.
[out]	Hook	Optional output parameter that will contain a handle to the newly placed hook.

Return values

INT_STATUS_SUCCESS	On success.
INT_STATUS_INVALID_PARAMETER	If an invalid parameter is used.

Definition at line 325 of file hook_ptm.c.

Referenced by IntHookPtsCreateEntry(), and IntHookPtsEnableEntry().

◆ IntHookPtmWriteCallback()

static INTSTATUS IntHookPtmWriteCallback	(	void *	Context,
		void *	Hook,
		QWORD	Address,
		INTRO_ACTION *	Action
	)

static

Called whenever a monitored page-table is written.

This callback is called whenever a write takes place inside a monitored page-table. Note that page-table monitoring is optimized - we will have a single such callback for each hooked page-table, no matter how many actual swap hooks are established on virtual addresses which translate through that page-table. Inside this callback, each HOOK_PTS_ENTRY hook callback will be called for handling.

Parameters

[in]	Context	User supplied context, a PHOOK_PTM_TABLE on this case.
[in]	Hook	The GPA hook handle.
[in]	Address	The written physical address.
[out]	Action	Action to be taken.

Return values

INT_STATUS_SUCCESS On success.

IMPORTANT NOTE: We do not support writes that spill to the next entry. This will be caught by the PTS callback.

Definition at line 23 of file hook_ptm.c.

Referenced by IntHookPtmAddTable().

Data Structures

Macros

Typedefs

Functions

Macro Definition Documentation

◆ LOCAL_BUF_SIZE

Typedef Documentation

◆ INVOCATION_CONTEXT

◆ PINVOCATION_CONTEXT

Function Documentation

◆ IntHookPtmAddTable()

◆ IntHookPtmCommitHooks()

◆ IntHookPtmDeleteHook()

◆ IntHookPtmDeleteHookInternal()

◆ IntHookPtmDeleteTableHook()

◆ IntHookPtmInit()

◆ IntHookPtmRemoveHook()

◆ IntHookPtmRemoveHookInternal()

◆ IntHookPtmRemoveTableHook()

◆ IntHookPtmSetHook()

◆ IntHookPtmWriteCallback()