HyperDbg Debugger
Loading...
Searching...
No Matches
Ept.h
Go to the documentation of this file.
1
12#pragma once
13
15// Constants //
17
22#define PAGE_ATTRIB_READ 0x2
23#define PAGE_ATTRIB_WRITE 0x4
24#define PAGE_ATTRIB_EXEC 0x8
25#define PAGE_ATTRIB_EXEC_HIDDEN_HOOK 0x10
26
31#define SIZE_2_MB ((SIZE_T)(512 * PAGE_SIZE))
32
37#define ADDRMASK_EPT_PML1_OFFSET(_VAR_) ((_VAR_) & 0xFFFULL)
38
43#define ADDRMASK_EPT_PML1_INDEX(_VAR_) (((_VAR_) & 0x1FF000ULL) >> 12)
44
49#define ADDRMASK_EPT_PML2_INDEX(_VAR_) (((_VAR_) & 0x3FE00000ULL) >> 21)
50
55#define ADDRMASK_EPT_PML3_INDEX(_VAR_) (((_VAR_) & 0x7FC0000000ULL) >> 30)
56
61#define ADDRMASK_EPT_PML4_INDEX(_VAR_) (((_VAR_) & 0xFF8000000000ULL) >> 39)
62
64// Structs Cont. //
66
78
91
96#define MAX_VARIABLE_RANGE_MTRRS 255
97
104#define NUM_FIXED_RANGE_MTRRS ((1 + 2 + 8) * RTL_NUMBER_OF_FIELD(IA32_MTRR_FIXED_RANGE_TYPE, s.Types)) // = 88
105
110#define NUM_MTRR_ENTRIES (MAX_VARIABLE_RANGE_MTRRS + NUM_FIXED_RANGE_MTRRS) // = 343
111
116typedef struct _EPT_STATE
117{
118 LIST_ENTRY HookedPagesList; // A list of the details about hooked pages
119 MTRR_RANGE_DESCRIPTOR MemoryRanges[NUM_MTRR_ENTRIES]; // Physical memory ranges described by the BIOS in the MTRRs. Used to build the EPT identity mapping.
120 UINT32 NumberOfEnabledMemoryRanges; // Number of memory ranges specified in MemoryRanges
121 PVMM_EPT_PAGE_TABLE EptPageTable; // Page table entries for EPT operation
122 PVMM_EPT_PAGE_TABLE ModeBasedUserDisabledEptPageTable; // Page table entries for hooks based on user-mode disabled mode-based execution control bits
123 PVMM_EPT_PAGE_TABLE ModeBasedKernelDisabledEptPageTable; // Page table entries for hooks based on kernel-mode disabled mode-based execution control bits
124 EPT_POINTER ModeBasedUserDisabledEptPointer; // Extended-Page-Table Pointer for user-disabled mode-based execution
125 EPT_POINTER ModeBasedKernelDisabledEptPointer; // Extended-Page-Table Pointer for kernel-disabled mode-based execution
126 EPT_POINTER ExecuteOnlyEptPointer; // Extended-Page-Table Pointer for execute-only execution
127 UINT8 DefaultMemoryType;
128} EPT_STATE, *PEPT_STATE;
129
160
162// Functions //
164
165// ----------------------------------------------------------------------------
166// Private Interfaces
167//
168
169BOOLEAN
170EptSetupPML2Entry(PVMM_EPT_PAGE_TABLE EptPageTable, PEPT_PML2_ENTRY NewEntry, SIZE_T PageFrameNumber);
171
172BOOLEAN
173EptHandlePageHookExit(_Inout_ VIRTUAL_MACHINE_STATE * VCpu,
174 _In_ VMX_EXIT_QUALIFICATION_EPT_VIOLATION ViolationQualification,
175 _In_ UINT64 GuestPhysicalAddr);
176
177// ----------------------------------------------------------------------------
178// Public Interfaces
179//
180
186BOOLEAN
187EptCheckFeatures(VOID);
188
194BOOLEAN
195EptBuildMtrrMap(VOID);
196
202PVMM_EPT_PAGE_TABLE
203EptAllocateAndCreateIdentityPageTable(VOID);
204
213BOOLEAN
214EptSplitLargePage(PVMM_EPT_PAGE_TABLE EptPageTable,
215 PVOID PreAllocatedBuffer,
216 SIZE_T PhysicalAddress);
217
227PEPT_PML2_ENTRY
228EptGetPml2Entry(PVMM_EPT_PAGE_TABLE EptPageTable, SIZE_T PhysicalAddress);
229
235BOOLEAN
236EptLogicalProcessorInitialize(VOID);
237
245BOOLEAN
246EptHandleEptViolation(VIRTUAL_MACHINE_STATE * VCpu);
247
255PEPT_PML1_ENTRY
256EptGetPml1Entry(PVMM_EPT_PAGE_TABLE EptPageTable, SIZE_T PhysicalAddress);
257
268PVOID
269EptGetPml1OrPml2Entry(PVMM_EPT_PAGE_TABLE EptPageTable, SIZE_T PhysicalAddress, BOOLEAN * IsLargePage);
270
276VOID
277EptHandleMisconfiguration(VOID);
278
288VOID
289EptSetPML1AndInvalidateTLB(_Inout_ VIRTUAL_MACHINE_STATE * VCpu,
290 _Out_ PEPT_PML1_ENTRY EntryAddress,
291 _In_ EPT_PML1_ENTRY EntryValue,
292 _In_ _Strict_type_match_ INVEPT_TYPE InvalidationType);
293
301BOOLEAN
302EptCheckAndHandleBreakpoint(VIRTUAL_MACHINE_STATE * VCpu);
BOOLEAN
UCHAR BOOLEAN
Definition BasicTypes.h:39
UCHAR
unsigned char UCHAR
Definition BasicTypes.h:35
VOID
#define VOID
Definition BasicTypes.h:33
UINT64
unsigned __int64 UINT64
Definition BasicTypes.h:21
UINT8
unsigned char UINT8
Definition BasicTypes.h:46
UINT32
unsigned int UINT32
Definition BasicTypes.h:48
EptGetPml2Entry
PEPT_PML2_ENTRY EptGetPml2Entry(PVMM_EPT_PAGE_TABLE EptPageTable, SIZE_T PhysicalAddress)
Split 2MB (LargePage) into 4kb pages.
Definition Ept.c:431
EptSplitLargePage
BOOLEAN EptSplitLargePage(PVMM_EPT_PAGE_TABLE EptPageTable, PVOID PreAllocatedBuffer, SIZE_T PhysicalAddress)
Convert 2MB pages to 4KB pages.
Definition Ept.c:462
EptSetPML1AndInvalidateTLB
VOID EptSetPML1AndInvalidateTLB(_Inout_ VIRTUAL_MACHINE_STATE *VCpu, _Out_ PEPT_PML1_ENTRY EntryAddress, _In_ EPT_PML1_ENTRY EntryValue, _In_ _Strict_type_match_ INVEPT_TYPE InvalidationType)
This function set the specific PML1 entry in a spinlock protected area then invalidate the TLB ,...
EptLogicalProcessorInitialize
BOOLEAN EptLogicalProcessorInitialize(VOID)
Initialize EPT Table based on Processor Index.
Definition Ept.c:759
PVMM_EPT_DYNAMIC_SPLIT
struct _VMM_EPT_DYNAMIC_SPLIT * PVMM_EPT_DYNAMIC_SPLIT
PMTRR_RANGE_DESCRIPTOR
struct _MTRR_RANGE_DESCRIPTOR * PMTRR_RANGE_DESCRIPTOR
IA32_MTRR_FIXED_RANGE_TYPE
union _IA32_MTRR_FIXED_RANGE_TYPE IA32_MTRR_FIXED_RANGE_TYPE
Fixed range MTRR.
EptSetupPML2Entry
BOOLEAN EptSetupPML2Entry(PVMM_EPT_PAGE_TABLE EptPageTable, PEPT_PML2_ENTRY NewEntry, SIZE_T PageFrameNumber)
Set up PML2 Entries.
Definition Ept.c:603
EptHandlePageHookExit
BOOLEAN EptHandlePageHookExit(_Inout_ VIRTUAL_MACHINE_STATE *VCpu, _In_ VMX_EXIT_QUALIFICATION_EPT_VIOLATION ViolationQualification, _In_ UINT64 GuestPhysicalAddr)
PEPT_STATE
struct _EPT_STATE * PEPT_STATE
MTRR_RANGE_DESCRIPTOR
struct _MTRR_RANGE_DESCRIPTOR MTRR_RANGE_DESCRIPTOR
MTRR Descriptor.
EptBuildMtrrMap
BOOLEAN EptBuildMtrrMap(VOID)
Build MTRR Map.
Definition Ept.c:156
EptCheckFeatures
BOOLEAN EptCheckFeatures(VOID)
Check for EPT Features.
Definition Ept.c:22
EptAllocateAndCreateIdentityPageTable
PVMM_EPT_PAGE_TABLE EptAllocateAndCreateIdentityPageTable(VOID)
Allocates page maps and create identity page table.
Definition Ept.c:642
EptCheckAndHandleBreakpoint
BOOLEAN EptCheckAndHandleBreakpoint(VIRTUAL_MACHINE_STATE *VCpu)
Check if the breakpoint vm-exit relates to EPT hook or not.
Definition Ept.c:1211
EptHandleEptViolation
BOOLEAN EptHandleEptViolation(VIRTUAL_MACHINE_STATE *VCpu)
Handle EPT Violation.
Definition Ept.c:1002
EptGetPml1OrPml2Entry
PVOID EptGetPml1OrPml2Entry(PVMM_EPT_PAGE_TABLE EptPageTable, SIZE_T PhysicalAddress, BOOLEAN *IsLargePage)
Get the PML1 entry for this physical address if the large page is available then large page of Pml2 i...
Definition Ept.c:368
NUM_MTRR_ENTRIES
#define NUM_MTRR_ENTRIES
Total number of MTRR descriptors to store.
Definition Ept.h:110
EptGetPml1Entry
PEPT_PML1_ENTRY EptGetPml1Entry(PVMM_EPT_PAGE_TABLE EptPageTable, SIZE_T PhysicalAddress)
Get the PML1 Entry of a special address.
Definition Ept.c:304
EPT_STATE
struct _EPT_STATE EPT_STATE
Main structure for saving the state of EPT among the project.
VMM_EPT_DYNAMIC_SPLIT
struct _VMM_EPT_DYNAMIC_SPLIT VMM_EPT_DYNAMIC_SPLIT
Split 2MB granularity to 4 KB granularity.
EptHandleMisconfiguration
VOID EptHandleMisconfiguration(VOID)
Handle Ept Misconfigurations.
Definition Ept.c:1046
PEPT_PML1_ENTRY
EPT_PTE * PEPT_PML1_ENTRY
Definition State.h:22
PEPT_PML2_ENTRY
EPT_PDE_2MB * PEPT_PML2_ENTRY
Definition State.h:20
EPT_PML1_ENTRY
EPT_PTE EPT_PML1_ENTRY
Definition State.h:22
VMM_EPT_PML1E_COUNT
#define VMM_EPT_PML1E_COUNT
Then number of 4096 byte Page Table entries in the page table per 2MB PML2 entry when dynamically spl...
Definition State.h:98
PEPT_PML2_POINTER
EPT_PDE * PEPT_PML2_POINTER
Definition State.h:21
PAGE_SIZE
#define PAGE_SIZE
Size of each page (4096 bytes)
Definition common.h:69
_EPT_STATE
Main structure for saving the state of EPT among the project.
Definition Ept.h:117
_EPT_STATE::NumberOfEnabledMemoryRanges
UINT32 NumberOfEnabledMemoryRanges
Definition Ept.h:120
_EPT_STATE::ModeBasedKernelDisabledEptPageTable
PVMM_EPT_PAGE_TABLE ModeBasedKernelDisabledEptPageTable
Definition Ept.h:123
_EPT_STATE::ModeBasedKernelDisabledEptPointer
EPT_POINTER ModeBasedKernelDisabledEptPointer
Definition Ept.h:125
_EPT_STATE::DefaultMemoryType
UINT8 DefaultMemoryType
Definition Ept.h:127
_EPT_STATE::HookedPagesList
LIST_ENTRY HookedPagesList
Definition Ept.h:118
_EPT_STATE::ModeBasedUserDisabledEptPointer
EPT_POINTER ModeBasedUserDisabledEptPointer
Definition Ept.h:124
_EPT_STATE::EptPageTable
PVMM_EPT_PAGE_TABLE EptPageTable
Definition Ept.h:121
_EPT_STATE::ModeBasedUserDisabledEptPageTable
PVMM_EPT_PAGE_TABLE ModeBasedUserDisabledEptPageTable
Definition Ept.h:122
_EPT_STATE::MemoryRanges
MTRR_RANGE_DESCRIPTOR MemoryRanges[NUM_MTRR_ENTRIES]
Definition Ept.h:119
_EPT_STATE::ExecuteOnlyEptPointer
EPT_POINTER ExecuteOnlyEptPointer
Definition Ept.h:126
_MTRR_RANGE_DESCRIPTOR
MTRR Descriptor.
Definition Ept.h:72
_MTRR_RANGE_DESCRIPTOR::MemoryType
UCHAR MemoryType
Definition Ept.h:75
_MTRR_RANGE_DESCRIPTOR::FixedRange
BOOLEAN FixedRange
Definition Ept.h:76
_MTRR_RANGE_DESCRIPTOR::PhysicalBaseAddress
SIZE_T PhysicalBaseAddress
Definition Ept.h:73
_MTRR_RANGE_DESCRIPTOR::PhysicalEndAddress
SIZE_T PhysicalEndAddress
Definition Ept.h:74
_VIRTUAL_MACHINE_STATE
The status of each core after and before VMX.
Definition State.h:290
_VMM_EPT_DYNAMIC_SPLIT
Split 2MB granularity to 4 KB granularity.
Definition Ept.h:135
_VMM_EPT_DYNAMIC_SPLIT::DynamicSplitList
LIST_ENTRY DynamicSplitList
Linked list entries for each dynamic split.
Definition Ept.h:157
_VMM_EPT_DYNAMIC_SPLIT::Pointer
PEPT_PML2_POINTER Pointer
Definition Ept.h:150
_VMM_EPT_DYNAMIC_SPLIT::PML1
EPT_PML1_ENTRY PML1[VMM_EPT_PML1E_COUNT]
The 4096 byte page table entries that correspond to the split 2MB table entry.
Definition Ept.h:141
_VMM_EPT_DYNAMIC_SPLIT::Entry
PEPT_PML2_ENTRY Entry
Definition Ept.h:149
_VMM_EPT_DYNAMIC_SPLIT::u
union _VMM_EPT_DYNAMIC_SPLIT::@6 u
The pointer to the 2MB entry in the page table which this split is servicing.
_VMM_EPT_PAGE_TABLE
Structure for saving EPT Table.
Definition State.h:105
_IA32_MTRR_FIXED_RANGE_TYPE
Fixed range MTRR.
Definition Ept.h:84
_IA32_MTRR_FIXED_RANGE_TYPE::Types
UINT8 Types[8]
Definition Ept.h:88
_IA32_MTRR_FIXED_RANGE_TYPE::s
struct _IA32_MTRR_FIXED_RANGE_TYPE::@5 s
_IA32_MTRR_FIXED_RANGE_TYPE::AsUInt
UINT64 AsUInt
Definition Ept.h:85