Bitdefender Hypervisor Memory Introspection
Data Structures | Macros | Typedefs | Functions | Variables
memcloak.c File Reference
#include "memcloak.h"
#include "crc32.h"
#include "decoder.h"
#include "hook.h"

Go to the source code of this file.

Data Structures

struct  _MEMCLOAK_PAGE
 A structure that describes a hidden guest memory page. More...
 
struct  _MEMCLOAK_REGION
 A structure that describes a hidden guest memory region. More...
 

Macros

#define MEMCLOACK_PAGE_MAX_COUNT   2
 The maximum number of pages that can be contained in a MEMCLOAK_REGION. More...
 

Typedefs

typedef struct _MEMCLOAK_PAGE MEMCLOAK_PAGE
 A structure that describes a hidden guest memory page. More...
 
typedef struct _MEMCLOAK_PAGEPMEMCLOAK_PAGE
 
typedef struct _MEMCLOAK_REGION MEMCLOAK_REGION
 A structure that describes a hidden guest memory region. More...
 
typedef struct _MEMCLOAK_REGIONPMEMCLOAK_REGION
 

Functions

static INTSTATUS IntMemClkUncloakRegionInternal (DWORD Options, PMEMCLOAK_REGION Region)
 Removes a cloak region, making the original memory contents available again to the guest. More...
 
static INTSTATUS IntMemClkHandleSwap (MEMCLOAK_PAGE *Context, QWORD VirtualAddress, QWORD OldEntry, QWORD NewEntry, QWORD OldPageSize, QWORD NewPageSize)
 Handles swap-in and swap-outs performed on hidden memory regions. More...
 
static INTSTATUS IntMemClkHandleRead (MEMCLOAK_PAGE *Context, PHOOK_GPA Hook, QWORD Gpa, INTRO_ACTION *Action)
 Handles reads from a hidden memory region. More...
 
static INTSTATUS IntMemClkHandleWrite (PMEMCLOAK_PAGE *Context, void *Hook, QWORD Address, INTRO_ACTION *Action)
 Handles writes done inside a hidden memory region. More...
 
void IntMemClkCleanup (MEMCLOAK_REGION *Region)
 Frees any resources held by a MEMCLOAK_REGION. More...
 
INTSTATUS IntMemClkCloakRegion (QWORD VirtualAddress, QWORD Cr3, DWORD Size, DWORD Options, PBYTE OriginalData, PBYTE PatchedData, PFUNC_IntMemCloakWriteHandle WriteHandler, void **CloakHandle)
 Hides a memory zone from the guest. More...
 
INTSTATUS IntMemClkModifyOriginalData (void *CloakHandle, DWORD Offset, DWORD Size, void *Data)
 Modifies the internal copy of the original data buffer held by a cloak region. More...
 
INTSTATUS IntMemClkModifyPatchedData (void *CloakHandle, DWORD Offset, DWORD Size, const void *Data)
 Modifies the patched data inside the guest memory. More...
 
INTSTATUS IntMemClkUncloakRegion (void *CloakHandle, DWORD Options)
 Removes a cloak region, making the original memory contents available again to the guest. More...
 
INTSTATUS IntMemClkHashRegion (QWORD VirtualAddress, QWORD PhysicalAddress, DWORD Size, DWORD *Crc32)
 Hashes the contents of a cloaked memory page. More...
 
BOOLEAN IntMemClkIsPtrInCloak (const void *Cloak, QWORD Ptr)
 Checks if a guest virtual address is located inside a cloak region. More...
 
INTSTATUS IntMemClkGetOriginalData (void *CloakHandle, BYTE **OriginalData, DWORD *Length)
 Returns the original data of a cloaked region. More...
 
INTSTATUS IntMemClkUnInit (void)
 Uninits the memory cloak subsystem. More...
 
void IntMemClkDump (void)
 Dumps all the active cloak regions. More...
 

Variables

static LIST_HEAD gMemClkRegions = LIST_HEAD_INIT(gMemClkRegions)
 A list containing all the memory regions that are currently hidden from the guest. More...