Bitdefender Hypervisor Memory Introspection
Data Structures | Typedefs | Functions
winhal.h File Reference
#include "introtypes.h"

Go to the source code of this file.

Data Structures

struct  _WIN_HAL_DATA
 Hal information. More...
 

Typedefs

typedef struct _WIN_HAL_DATA WIN_HAL_DATA
 Hal information. More...
 
typedef struct _WIN_HAL_DATAPWIN_HAL_DATA
 

Functions

INTSTATUS IntWinHalCreateHalData (void)
 Initializes gHalData. More...
 
void IntWinHalUninit (void)
 Frees any resources held by gHalData and removes all the HAL protections. More...
 
INTSTATUS IntWinHalUpdateProtection (void)
 Updates any of the HAL protections. More...
 
INTSTATUS IntWinHalProtectHalHeapExecs (void)
 Hooks the HAL heap against execution. More...
 
INTSTATUS IntWinHalProtectHalIntCtrl (void)
 Protects the HAL interrupt controller against writes. More...
 
INTSTATUS IntWinHalProtectHalDispatchTable (void)
 Activates the HAL dispatch table protection. More...
 
INTSTATUS IntWinHalUnprotectHalHeapExecs (void)
 Deactivates the HAL heap execution protection. More...
 
INTSTATUS IntWinHalUnprotectHalIntCtrl (void)
 Deactivates the HAL interrupt controller write protection. More...
 
INTSTATUS IntWinHalUnprotectHalDispatchTable (void)
 Deactivates the HAL dispatch table protection. More...
 

Typedef Documentation

◆ PWIN_HAL_DATA

typedef struct _WIN_HAL_DATA * PWIN_HAL_DATA

◆ WIN_HAL_DATA

typedef struct _WIN_HAL_DATA WIN_HAL_DATA

Hal information.

Function Documentation

◆ IntWinHalCreateHalData()

INTSTATUS IntWinHalCreateHalData ( void  )

Initializes gHalData.

Will collect the relevant information from the guest and if any of the INTRO_OPT_PROT_KM_HAL_DISP_TABLE, INTRO_OPT_PROT_KM_HAL_HEAP_EXEC, or INTRO_OPT_PROT_KM_HAL_INT_CTRL option is active, will activate the needed protections.

Returns
INT_STATUS_SUCCESS if successful, or an appropriate INTSTATUS error value

Definition at line 1258 of file winhal.c.

Referenced by IntWinGuestFinishInit().

◆ IntWinHalProtectHalDispatchTable()

INTSTATUS IntWinHalProtectHalDispatchTable ( void  )

Activates the HAL dispatch table protection.

Will set IntWinHalHandleDispatchTableWrite as the EPT hook handler.

Returns
INT_STATUS_SUCCESS if successful, or an appropriate INTSTATUS error value

Definition at line 758 of file winhal.c.

Referenced by IntWinHalCreateHalData(), and IntWinHalUpdateProtection().

◆ IntWinHalProtectHalHeapExecs()

INTSTATUS IntWinHalProtectHalHeapExecs ( void  )

Hooks the HAL heap against execution.

This will protect the first 16 pages from the HAL heap. Based on the Windows version, some of them already have the NX bit set inside the guest page tables. IntWinHalHandleHalHeapExec will be set as the EPT hook handler. Pages that translate to physical address 0 or that are not present are not hooked.

Return values
INT_STATUS_SUCCESSin case of success.
INT_STATUS_ALREADY_INITIALIZED_HINTif the HAL heap is already protected.
INT_STATUS_NOT_NEEDED_HINTif the HAL heap is not yet initialized.

Definition at line 562 of file winhal.c.

Referenced by IntWinHalCreateHalData(), and IntWinHalUpdateProtection().

◆ IntWinHalProtectHalIntCtrl()

INTSTATUS IntWinHalProtectHalIntCtrl ( void  )

Protects the HAL interrupt controller against writes.

Will set IntWinHalHandleHalIntCtrlWrite as the EPT hook callback.

Returns
INT_STATUS_SUCCESS if successful, or an appropriate INTSTATUS error value

Definition at line 681 of file winhal.c.

Referenced by IntWinHalCreateHalData(), and IntWinHalUpdateProtection().

◆ IntWinHalUninit()

void IntWinHalUninit ( void  )

Frees any resources held by gHalData and removes all the HAL protections.

Definition at line 1445 of file winhal.c.

Referenced by IntWinGuestUninit().

◆ IntWinHalUnprotectHalDispatchTable()

INTSTATUS IntWinHalUnprotectHalDispatchTable ( void  )

Deactivates the HAL dispatch table protection.

Returns
INT_STATUS_SUCCESS if successful, or an appropriate INTSTATUS error value

Definition at line 801 of file winhal.c.

Referenced by IntWinHalUninit(), and IntWinHalUpdateProtection().

◆ IntWinHalUnprotectHalHeapExecs()

INTSTATUS IntWinHalUnprotectHalHeapExecs ( void  )

Deactivates the HAL heap execution protection.

Returns
INT_STATUS_SUCCESS if successful, or an appropriate INTSTATUS error value

Definition at line 656 of file winhal.c.

Referenced by IntWinHalUninit(), and IntWinHalUpdateProtection().

◆ IntWinHalUnprotectHalIntCtrl()

INTSTATUS IntWinHalUnprotectHalIntCtrl ( void  )

Deactivates the HAL interrupt controller write protection.

Returns
INT_STATUS_SUCCESS if successful, or an appropriate INTSTATUS error value

Definition at line 733 of file winhal.c.

Referenced by IntWinHalUninit(), and IntWinHalUpdateProtection().

◆ IntWinHalUpdateProtection()

INTSTATUS IntWinHalUpdateProtection ( void  )

Updates any of the HAL protections.

If any of the INTRO_OPT_PROT_KM_HAL_DISP_TABLE, INTRO_OPT_PROT_KM_HAL_HEAP_EXEC, or INTRO_OPT_PROT_KM_HAL_INT_CTRL option is changed, the protection is enabled, or disabled, based on the new value.

Returns
INT_STATUS_SUCCESS if successful, or an appropriate INTSTATUS error value

Definition at line 1385 of file winhal.c.

Referenced by IntGuestUpdateCoreOptions().