Bitdefender Hypervisor Memory Introspection
#include "drivers.h"
#include "winhal.h"
#include "alerts.h"
#include "decoder.h"
#include "hook.h"
#include "winpe.h"
Macros
| #define | HAL_HEAP_PROT_PAGES_EXEC 0x20 |
| The number of HAL heap pages to protect against executions. More... | |
| #define | MAX_INT_CTRL_TYPE_OFFSET (gGuest.Guest64 ? 0xf0 : 0x6c) |
| #define | MIN_INT_CTRL_TYPE_OFFSET (gGuest.Guest64 ? 0xc0 : 0x60) |
| #define | MAX_INT_CTRL_COUNT 20 |
| #define | HAL_HEAP_ORIGINAL 0xFFFFFFFFF0000000 |
| #define | MASK_DEVICE_ADDRESS_FEC 0x00000000fec00000 |
| #define | MASK_DEVICE_ADDRESS_FED 0x00000000fed00000 |
| #define | MASK_DEVICE_ADDRESS_FEE 0x00000000fee00000 |
| #define | HAL_HEAP_PHYSICAL_ADDRESS 0x1000 |
Functions
| static void | IntWinHalSendAlert (EXCEPTION_VICTIM_ZONE const *Victim, EXCEPTION_KM_ORIGINATOR const *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason) |
| Sends an introEventEptViolation for HAL alerts. More... | |
| static INTSTATUS | IntWinHalHandleHalIntCtrlWrite (KERNEL_DRIVER *Context, HOOK_GPA const *Hook, QWORD Address, INTRO_ACTION *Action) |
| Handles writes done over the HAL interrupt controller. More... | |
| static INTSTATUS | IntWinHalHandleHalHeapExec (void *Context, HOOK_GPA *Hook, QWORD Address, INTRO_ACTION *Action) |
| Handles execution attempts from the HAL heap. More... | |
| static INTSTATUS | IntWinHalHandleDispatchTableWrite (PINTEGRITY_REGION IntegrityRegion) |
| Handles modifications done to the HAL dispatch table. More... | |
| INTSTATUS | IntWinHalProtectHalHeapExecs (void) |
| Hooks the HAL heap against execution. More... | |
| INTSTATUS | IntWinHalUnprotectHalHeapExecs (void) |
| Deactivates the HAL heap execution protection. More... | |
| INTSTATUS | IntWinHalProtectHalIntCtrl (void) |
| Protects the HAL interrupt controller against writes. More... | |
| INTSTATUS | IntWinHalUnprotectHalIntCtrl (void) |
| Deactivates the HAL interrupt controller write protection. More... | |
| INTSTATUS | IntWinHalProtectHalDispatchTable (void) |
| Activates the HAL dispatch table protection. More... | |
| INTSTATUS | IntWinHalUnprotectHalDispatchTable (void) |
| Deactivates the HAL dispatch table protection. More... | |
| static BOOLEAN | IntWinHalIsIntController (QWORD CheckedAddress, QWORD HalHeap) |
| Checks if a guest memory range is the HAL interrupt controller. More... | |
| static INTSTATUS | IntWinHalFindInterruptController (QWORD HalHeap, QWORD HalHeapSize, QWORD *HalInterruptController) |
| Attempts to find the Hal Interrupt Controller address within the .data section of Hal. More... | |
| static INTSTATUS | IntWinHalFindHalHeapAndInterruptController (QWORD *HalHeapBaseAddress, QWORD *HalInterruptController) |
| Attempts to find the Hal Heap and the Hal Interrupt Controller address within the .data section of Hal. More... | |
| INTSTATUS | IntWinHalCreateHalData (void) |
| Initializes gHalData. More... | |
| INTSTATUS | IntWinHalUpdateProtection (void) |
| Updates any of the HAL protections. More... | |
| void | IntWinHalUninit (void) |
| Frees any resources held by gHalData and removes all the HAL protections. More... | |
Variables
| static WIN_HAL_DATA | gHalData = { 0 } |
| The HAL information. More... | |
| #define HAL_HEAP_ORIGINAL 0xFFFFFFFFF0000000 |
Referenced by IntWinHalFindHalHeapAndInterruptController().
| #define HAL_HEAP_PHYSICAL_ADDRESS 0x1000 |
Referenced by IntWinHalFindHalHeapAndInterruptController().
| #define HAL_HEAP_PROT_PAGES_EXEC 0x20 |
The number of HAL heap pages to protect against executions.
Definition at line 12 of file winhal.c.
Referenced by IntWinHalCreateHalData(), and IntWinHalFindHalHeapAndInterruptController().
| #define MASK_DEVICE_ADDRESS_FEC 0x00000000fec00000 |
Referenced by IntWinHalFindHalHeapAndInterruptController().
| #define MASK_DEVICE_ADDRESS_FED 0x00000000fed00000 |
Referenced by IntWinHalFindHalHeapAndInterruptController().
| #define MASK_DEVICE_ADDRESS_FEE 0x00000000fee00000 |
Referenced by IntWinHalFindHalHeapAndInterruptController().
| #define MAX_INT_CTRL_COUNT 20 |
Referenced by IntWinHalIsIntController().
| #define MAX_INT_CTRL_TYPE_OFFSET (gGuest.Guest64 ? 0xf0 : 0x6c) |
Referenced by IntWinHalIsIntController().
| #define MIN_INT_CTRL_TYPE_OFFSET (gGuest.Guest64 ? 0xc0 : 0x60) |
INTSTATUS IntWinHalCreateHalData (void)
Initializes gHalData.
Will collect the relevant information from the guest and, if any of the INTRO_OPT_PROT_KM_HAL_DISP_TABLE, INTRO_OPT_PROT_KM_HAL_HEAP_EXEC, or INTRO_OPT_PROT_KM_HAL_INT_CTRL options is active, will activate the corresponding protections.
Definition at line 1258 of file winhal.c.
Referenced by IntWinGuestFinishInit().
Attempts to find the Hal Heap and the Hal Interrupt Controller address within the .data section of Hal.
On Windows versions newer than RS2 the Hal Heap is randomized using KASLR. Within the .data section of Hal there are 2 variables (HalpHeapStart and HalpOriginalHeapStart) that seem to point to the Hal Heap. This function aims to find the Hal Heap using the following mechanism:
| [out] | HalHeapBaseAddress | The Hal Heap address. |
| [out] | HalInterruptController | The Hal Interrupt Controller address. |
Definition at line 1046 of file winhal.c.
Referenced by IntWinHalCreateHalData().
Attempts to find the Hal Interrupt Controller address within the .data section of Hal.
This function reads the .data section of the Hal module in order to find the RVA of the Hal Interrupt Controller. Each candidate RVA is verified with IntWinHalIsIntController in order to find the correct address.
| [in] | HalHeap | The Hal Heap address. |
| [in] | HalHeapSize | The Hal Heap size (may not be the entire Hal Heap). |
| [out] | HalInterruptController | The Hal Interrupt Controller address. |
Definition at line 962 of file winhal.c.
Referenced by IntWinHalCreateHalData(), and IntWinHalFindHalHeapAndInterruptController().
Handles modifications done to the HAL dispatch table.
This is the integrity callback set by IntWinHalProtectHalDispatchTable.
| [in,out] | IntegrityRegion | The integrity region used to protect the HAL dispatch table. |
Definition at line 382 of file winhal.c.
Referenced by IntWinHalProtectHalDispatchTable().
Handles execution attempts from the HAL heap.
This is the EPT hook handler set by IntWinHalProtectHalHeapExecs. If the execution comes from a CPU that is in real mode, it is allowed, as it will be the result of an IPI sent at boot in order to wake up an AP. If there is an exception for the executed code, the execution is allowed and the hook will be removed.
| [in] | Context | The context set by IntWinHalProtectHalHeapExecs. Ignored. |
| [in,out] | Hook | The hook for which this callback was invoked. |
| [in] | Address | The accessed physical address. |
| [out] | Action | The action to be taken. |
Definition at line 160 of file winhal.c.
Referenced by IntWinHalProtectHalHeapExecs().
Handles writes done over the HAL interrupt controller.
This is the EPT write hook set by IntWinHalProtectHalIntCtrl.
| [in] | Context | The context set by IntWinHalProtectHalIntCtrl. This will be the hal.dll KERNEL_DRIVER. |
| [in] | Hook | The hook for which this callback was invoked. |
| [in] | Address | The accessed physical address. |
| [out] | Action | The action to be taken. |
| INT_STATUS_SUCCESS | in case of success. |
| INT_STATUS_INVALID_PARAMETER_1 | if Context is NULL. |
Definition at line 70 of file winhal.c.
Referenced by IntWinHalProtectHalIntCtrl().
Checks if a guest memory range is the HAL interrupt controller.
The check is done based on invariants:
| [in] | CheckedAddress | The guest virtual address to check. |
| [in] | HalHeap | The Hal Heap address. |
Definition at line 833 of file winhal.c.
Referenced by IntWinHalFindInterruptController().
INTSTATUS IntWinHalProtectHalDispatchTable (void)
Activates the HAL dispatch table protection.
Will set IntWinHalHandleDispatchTableWrite as the integrity callback for the HAL dispatch table region.
Definition at line 758 of file winhal.c.
Referenced by IntWinHalCreateHalData(), and IntWinHalUpdateProtection().
INTSTATUS IntWinHalProtectHalHeapExecs (void)
Hooks the HAL heap against execution.
This will protect the first 16 pages of the HAL heap. Based on the Windows version, some of them already have the NX bit set inside the guest page tables. IntWinHalHandleHalHeapExec will be set as the EPT hook handler. Pages that translate to physical address 0, or that are not present, are not hooked.
| INT_STATUS_SUCCESS | in case of success. |
| INT_STATUS_ALREADY_INITIALIZED_HINT | if the HAL heap is already protected. |
| INT_STATUS_NOT_NEEDED_HINT | if the HAL heap is not yet initialized. |
Definition at line 562 of file winhal.c.
Referenced by IntWinHalCreateHalData(), and IntWinHalUpdateProtection().
INTSTATUS IntWinHalProtectHalIntCtrl (void)
Protects the HAL interrupt controller against writes.
Will set IntWinHalHandleHalIntCtrlWrite as the EPT hook callback.
Definition at line 681 of file winhal.c.
Referenced by IntWinHalCreateHalData(), and IntWinHalUpdateProtection().
Sends an introEventEptViolation for HAL alerts.
| [in] | Victim | Victim information. |
| [in] | Originator | Originator information. |
| [in] | Action | The action taken. |
| [in] | Reason | The reason for which Action was taken. |
Definition at line 19 of file winhal.c.
Referenced by IntWinHalHandleHalIntCtrlWrite().
void IntWinHalUninit (void)
Frees any resources held by gHalData and removes all the HAL protections.
Definition at line 1445 of file winhal.c.
Referenced by IntWinGuestUninit().
INTSTATUS IntWinHalUnprotectHalDispatchTable (void)
Deactivates the HAL dispatch table protection.
Definition at line 801 of file winhal.c.
Referenced by IntWinHalUninit(), and IntWinHalUpdateProtection().
INTSTATUS IntWinHalUnprotectHalHeapExecs (void)
Deactivates the HAL heap execution protection.
Definition at line 656 of file winhal.c.
Referenced by IntWinHalUninit(), and IntWinHalUpdateProtection().
INTSTATUS IntWinHalUnprotectHalIntCtrl (void)
Deactivates the HAL interrupt controller write protection.
Definition at line 733 of file winhal.c.
Referenced by IntWinHalUninit(), and IntWinHalUpdateProtection().
INTSTATUS IntWinHalUpdateProtection (void)
Updates any of the HAL protections.
If any of the INTRO_OPT_PROT_KM_HAL_DISP_TABLE, INTRO_OPT_PROT_KM_HAL_HEAP_EXEC, or INTRO_OPT_PROT_KM_HAL_INT_CTRL options is changed, the corresponding protection is enabled or disabled based on the new value.
Definition at line 1385 of file winhal.c.
Referenced by IntGuestUpdateCoreOptions().