Bitdefender Hypervisor Memory Introspection
udlist.c File Reference

Maintains a list of pending UD injections for each (Cr3, Rip, Thread) tuple.

#include "udlist.h"
#include "guests.h"


Functions

INTSTATUS IntUDAddToPendingList (const QWORD Cr3, const QWORD Rip, const QWORD Thread, INFO_UD_PENDING **CurrentPendingUD)
 Add a new UD to the list of pending injections.
 
void IntUDRemoveEntry (INFO_UD_PENDING **InfoUD)
 Remove a pending UD entry.
 
void IntUDRemoveAllEntriesForCr3 (const QWORD Cr3)
 Remove all pending UD entries for a given virtual address space.
 
INFO_UD_PENDING * IntUDGetEntry (const QWORD Cr3, const QWORD Rip, const QWORD Thread)
 Get a UD entry for the provided Cr3, Rip and Thread ID.
 

Variables

LIST_HEAD gListPendingUD = LIST_HEAD_INIT(gListPendingUD)
 The list of pending UD injections. Once a UD gets injected, its entry will be removed from this list.
 

Detailed Description

Maintains a list of pending UD injections for each (Cr3, Rip, Thread) tuple.

This module manages a list of pending UD injections. When Introcore blocks an exploit inside a process, it can optionally kill the attacked process, since there is no reliable way for execution to continue. Killing the process is done by injecting an undefined opcode exception (UD) into the process, which will cause it to die. However, when Introcore requests an exception injection inside the guest, there is no guarantee that the exception will actually be injected (it may be overwritten by the HV, some other event with a higher priority may be injected instead, etc.). Therefore, when an exploit is seen for the first time and the decision is made to kill the process, a UD injection entry is allocated for the (Cr3, Rip, Thread) context. If the injection fails, the exploit will try to execute again; since a pending UD entry already exists for that context, no second alert is generated and the UD is simply re-injected. Because the key includes the software thread ID, two threads of the same process faulting at the same RIP are tracked as separate entries. The UD entry is freed as soon as the exception is injected (thanks to the IntHandleEventInjection callback inside callbacks.c), and all entries belonging to a process are dropped when that process terminates, so stale entries cannot outlive the address space they were created for.
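The following is an added, self-contained illustration of the mechanism described above; it is not Introcore's code. It replaces the project's LIST_HEAD with a plain sentinel-headed circular list, uses its own status values in place of INT_STATUS_*, and adds two hypothetical driver functions (HandleExploitAttempt, OnUdInjected) to show the alert-suppression flow: the first sighting of a context queues an entry and raises an alert, a retry of the same context is suppressed, and the entry disappears once the injection is confirmed or the process exits.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef uint64_t QWORD;

/* Status values for this example; they echo the page's INT_STATUS_* names
 * but are not Introcore's definitions. */
#define UD_SUCCESS                 0
#define UD_INVALID_PARAMETER      -1
#define UD_INSUFFICIENT_RESOURCES -2

/* One pending injection, keyed by the (Cr3, Rip, Thread) tuple. */
typedef struct PendingUd {
    struct PendingUd *Next, *Prev;
    QWORD Cr3, Rip, Thread;
} PENDING_UD;

/* Circular doubly linked list with a sentinel head; stands in for LIST_HEAD. */
static PENDING_UD gPending = { &gPending, &gPending, 0, 0, 0 };

/* Lookup: the tuple must match exactly; a different thread at the same RIP is a new context. */
static PENDING_UD *UdGetEntry(QWORD Cr3, QWORD Rip, QWORD Thread)
{
    for (PENDING_UD *e = gPending.Next; e != &gPending; e = e->Next)
        if (e->Cr3 == Cr3 && e->Rip == Rip && e->Thread == Thread) return e;
    return NULL;
}

static int UdAddToPendingList(QWORD Cr3, QWORD Rip, QWORD Thread, PENDING_UD **Out)
{
    if (Out == NULL) return UD_INVALID_PARAMETER;
    PENDING_UD *e = calloc(1, sizeof *e);
    if (e == NULL) return UD_INSUFFICIENT_RESOURCES;
    e->Cr3 = Cr3; e->Rip = Rip; e->Thread = Thread;
    e->Prev = gPending.Prev;          /* link at the tail */
    e->Next = &gPending;
    gPending.Prev->Next = e;
    gPending.Prev = e;
    *Out = e;
    return UD_SUCCESS;
}

/* Unlink and free; the caller's pointer is cleared so it cannot dangle. */
static void UdRemoveEntry(PENDING_UD **Entry)
{
    PENDING_UD *e = *Entry;
    e->Prev->Next = e->Next;
    e->Next->Prev = e->Prev;
    free(e);
    *Entry = NULL;
}

/* Process teardown: drop every entry for the address space, saving Next before freeing. */
static void UdRemoveAllEntriesForCr3(QWORD Cr3)
{
    for (PENDING_UD *e = gPending.Next, *next; e != &gPending; e = next) {
        next = e->Next;
        if (e->Cr3 == Cr3) UdRemoveEntry(&e);
    }
}

static size_t UdPendingCount(void)
{
    size_t n = 0;
    for (PENDING_UD *e = gPending.Next; e != &gPending; e = e->Next) n++;
    return n;
}

/* Hypothetical exploit-handler flow from the description: 1 = first sighting (raise an
 * alert, queue a UD), 0 = a UD is already pending for this context (suppress the alert,
 * re-inject only), -1 = allocation failed. */
static int HandleExploitAttempt(QWORD Cr3, QWORD Rip, QWORD Thread)
{
    if (UdGetEntry(Cr3, Rip, Thread) != NULL) return 0;
    PENDING_UD *e = NULL;
    return UdAddToPendingList(Cr3, Rip, Thread, &e) == UD_SUCCESS ? 1 : -1;
}

/* Hypothetical stand-in for the injection-confirmed callback: the UD landed, forget it. */
static void OnUdInjected(QWORD Cr3, QWORD Rip, QWORD Thread)
{
    PENDING_UD *e = UdGetEntry(Cr3, Rip, Thread);
    if (e != NULL) UdRemoveEntry(&e);
}

int main(void)
{
    /* Constructed values: one process (Cr3 0x1000) whose two threads hit the same RIP. */
    printf("first attempt, alert=%d\n", HandleExploitAttempt(0x1000, 0x7ff0, 1));
    printf("retry same context, alert=%d\n", HandleExploitAttempt(0x1000, 0x7ff0, 1));
    printf("other thread, alert=%d\n", HandleExploitAttempt(0x1000, 0x7ff0, 2));
    OnUdInjected(0x1000, 0x7ff0, 1);
    printf("pending after injection: %zu\n", UdPendingCount());
    UdRemoveAllEntriesForCr3(0x1000);
    printf("pending after process exit: %zu\n", UdPendingCount());
    return 0;
}
```

The teardown loop reads Next before freeing the current entry, which is the one detail that matters when the remove-all path calls the single-entry remover; the lookup before allocation is what keeps a failed injection from producing a duplicate alert.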

Definition in file udlist.c.

Function Documentation

◆ IntUDAddToPendingList()

INTSTATUS IntUDAddToPendingList ( const QWORD  Cr3,
const QWORD  Rip,
const QWORD  Thread,
INFO_UD_PENDING **  CurrentPendingUD 
)

Add a new UD to the list of pending injections.

This function will create a pending UD entry for the provided CR3, RIP, and thread ID. This will allow us later to check if we have already injected a UD for a given context, so we can avoid injecting it multiple times.

Parameters
[in] Cr3 The Cr3.
[in] Rip The RIP.
[in] Thread The thread ID (software thread!).
[out] CurrentPendingUD Will contain, upon successful return, the newly allocated pending UD entry.
Return values
INT_STATUS_SUCCESS On success.
INT_STATUS_INVALID_PARAMETER If an invalid parameter is supplied.
INT_STATUS_INSUFFICIENT_RESOURCES If a memory allocation fails.

Definition at line 30 of file udlist.c.

Referenced by IntLixVmaHandlePageExecution(), IntWinGuestHandleSudExec(), and IntWinVadHandlePageExecution().

◆ IntUDGetEntry()

INFO_UD_PENDING* IntUDGetEntry ( const QWORD  Cr3,
const QWORD  Rip,
const QWORD  Thread 
)

Get a UD entry for the provided Cr3, Rip and Thread ID.

Parameters
[in] Cr3 The Cr3.
[in] Rip The Rip.
[in] Thread The thread ID (software thread!).
Returns
The pending UD entry, if one is found, or NULL if none is found.

Definition at line 150 of file udlist.c.

Referenced by IntLixVmaHandlePageExecution(), IntWinGuestHandleSudExec(), and IntWinVadHandlePageExecution().

◆ IntUDRemoveAllEntriesForCr3()

void IntUDRemoveAllEntriesForCr3 ( const QWORD  Cr3)

Remove all pending UD entries for a given virtual address space.

NOTE: Use this function when a process is being terminated.

Parameters
[in] Cr3 The target CR3.

Definition at line 116 of file udlist.c.

Referenced by IntLixTaskDestroy(), and IntWinProcDeleteProcessObject().

◆ IntUDRemoveEntry()

void IntUDRemoveEntry ( INFO_UD_PENDING **  InfoUD)

Remove a pending UD entry.

Remove the given entry from the list of UD entries and free it.

Parameters
[in,out] InfoUD The pending UD. Set to NULL on return, since the entry has been freed.

Definition at line 96 of file udlist.c.

Referenced by IntHandleEventInjection(), and IntUDRemoveAllEntriesForCr3().

Variable Documentation

◆ gListPendingUD

LIST_HEAD gListPendingUD = LIST_HEAD_INIT(gListPendingUD)

The list of pending UD injections. Once a UD gets injected, its entry will be removed from this list.

Definition at line 26 of file udlist.c.