Bitdefender Hypervisor Memory Introspection
Variables
winhkhnd.c File Reference
Internal » Guest API detours

Windows detour descriptors. More...

#include "introcore.h"
#include "winbugcheck.h"
#include "winpool.h"
#include "winpower.h"
#include "winthread.h"
#include "winumcrash.h"
#include "winvad.h"
#include "drivers.h"

Go to the source code of this file.

Variables

API_HOOK_DESCRIPTOR gHookableApisX86 []
 The functions to be hooked for 32-bit Windows guests. More...
 
const size_t gHookableApisX86Size = ARRAYSIZE(gHookableApisX86)
 The number of functions to be hooked for 32-bit Windows guests. More...
 
API_HOOK_DESCRIPTOR gHookableApisX64 []
 The functions to be hooked for 64-bit Windows guests. More...
 
const size_t gHookableApisX64Size = ARRAYSIZE(gHookableApisX64)
 The number of functions to be hooked for 64-bit Windows guests. More...
 

Detailed Description

Windows detour descriptors.

This file contains the descriptors for all the detours introcore will set on Windows kernel functions.

Each descriptor is a API_HOOK_DESCRIPTOR structure and contains the information needed in order to properly set the hook.

If a detour uses the hypercall type hypercallTypeInt3 it must have a INT3 instruction (0xCC) in its handler and set API_HOOK_HANDLER.HypercallOffset to the offset at which the INT3 is found. If a detour uses the hypercall type hypercallTypeVmcall it must have a VMCALL instruction (0x0F 0x01 0xC1) and set API_HOOK_HANDLER.HypercallOffset to the offset at which the VMCALL is found. In addition to this, the handler must set RAX = 34, RDI = 24, RSI = 0 for 64-bit guests and EAX = 34, EBX = 24, ECX = 0 for 32-bit guests, otherwise the VMCALL may not be recognized by the hypervisor (Xen will inject a general protection fault inside the guest, for example). Usually, there is no reason to use VMCALL as the hypercall for a function detour and INT3 is recommended.

Check the documentation of individual detour handlers for details about those.

Convention for documenting the assembly code:

  1. Each instruction will be placed on a separate line;
  2. Each instruction will be preceded by a line comment using the following template: "// 0x00: MOV eax, ebx ; Additional information"
    • The instruction offset inside the handler, hex format, two digits;
    • The mneomonic;
    • Operands;
    • Comments (optional);
  3. Labels will be placed above the referencing instruction, with an underscore and ending in : "// _label:"
  4. Detailed descriptions can be placed before the instruction line comment Example: // This is just a NOP. // _label: // 0x20 nop 0x90,
  5. Relative addressing should reference the destination instruction offset, not a label: "// 0x20: JMP 0x22" 0xEB, 0x00, "// 0x22: ..."

Definition in file winhkhnd.c.

Variable Documentation

◆ gHookableApisX64

API_HOOK_DESCRIPTOR gHookableApisX64[]

The functions to be hooked for 64-bit Windows guests.

Definition at line 1590 of file winhkhnd.c.

Referenced by IntWinApiHookAll(), IntWinApiUpdateHookDescriptor(), and IntWinApiUpdateHooks().

◆ gHookableApisX64Size

const size_t gHookableApisX64Size = ARRAYSIZE(gHookableApisX64)

The number of functions to be hooked for 64-bit Windows guests.

Definition at line 4526 of file winhkhnd.c.

Referenced by IntWinApiHookAll(), IntWinApiUpdateHookDescriptor(), and IntWinApiUpdateHooks().

◆ gHookableApisX86

API_HOOK_DESCRIPTOR gHookableApisX86[]

The functions to be hooked for 32-bit Windows guests.

Definition at line 61 of file winhkhnd.c.

Referenced by IntWinApiHookAll(), IntWinApiUpdateHookDescriptor(), and IntWinApiUpdateHooks().

◆ gHookableApisX86Size

const size_t gHookableApisX86Size = ARRAYSIZE(gHookableApisX86)

The number of functions to be hooked for 32-bit Windows guests.

Definition at line 1584 of file winhkhnd.c.

Referenced by IntWinApiHookAll(), IntWinApiUpdateHookDescriptor(), and IntWinApiUpdateHooks().