HyperDbg Debugger
Loading...
Searching...
No Matches
Macros | Functions
HyperDbgVmmImports.h File Reference

Headers relating exported functions from hypervisor. More...

Go to the source code of this file.

Macros

#define IMPORT_EXPORT_VMM   __declspec(dllimport)
 

Functions

IMPORT_EXPORT_VMM NTSTATUS VmFuncVmxVmcall (unsigned long long VmcallNumber, unsigned long long OptionalParam1, unsigned long long OptionalParam2, unsigned long long OptionalParam3)
 Export for running VMX VMCALLs.
 
IMPORT_EXPORT_VMM VOID VmFuncPerformRipIncrement (UINT32 CoreId)
 Perform the incrementation of RIP.
 
IMPORT_EXPORT_VMM VOID VmFuncSuppressRipIncrement (UINT32 CoreId)
 Suppress the incrementation of RIP.
 
IMPORT_EXPORT_VMM VOID VmFuncChangeMtfUnsettingState (UINT32 CoreId, BOOLEAN Set)
 Suppress unsetting MTF.
 
IMPORT_EXPORT_VMM VOID VmFuncChangeIgnoreOneMtfState (UINT32 CoreId, BOOLEAN Set)
 Change ignore one MTF state.
 
IMPORT_EXPORT_VMM VOID VmFuncSetMonitorTrapFlag (BOOLEAN Set)
 Set the monitor trap flag.
 
IMPORT_EXPORT_VMM VOID VmFuncSetRflagTrapFlag (BOOLEAN Set)
 Set Rflag's trap flag.
 
IMPORT_EXPORT_VMM VOID VmFuncRegisterMtfBreak (UINT32 CoreId)
 Register for break in the case of an MTF.
 
IMPORT_EXPORT_VMM VOID VmFuncUnRegisterMtfBreak (UINT32 CoreId)
 Unregister for break in the case of an MTF.
 
IMPORT_EXPORT_VMM VOID VmFuncSetLoadDebugControls (BOOLEAN Set)
 Set LOAD DEBUG CONTROLS on Vm-entry controls.
 
IMPORT_EXPORT_VMM VOID VmFuncSetSaveDebugControls (BOOLEAN Set)
 Set SAVE DEBUG CONTROLS on Vm-exit controls.
 
IMPORT_EXPORT_VMM VOID VmFuncSetPmcVmexit (BOOLEAN Set)
 Set vm-exit for rdpmc instructions.
 
IMPORT_EXPORT_VMM VOID VmFuncSetMovControlRegsExiting (BOOLEAN Set, UINT64 ControlRegister, UINT64 MaskRegister)
 Set vm-exit for mov-to-cr0/4.
 
IMPORT_EXPORT_VMM VOID VmFuncSetMovToCr3Vmexit (UINT32 CoreId, BOOLEAN Set)
 Set vm-exit for mov-to-cr3.
 
IMPORT_EXPORT_VMM VOID VmFuncWriteExceptionBitmap (UINT32 BitmapMask)
 Write on exception bitmap in VMCS DO NOT CALL IT DIRECTLY, instead use HvSetExceptionBitmap.
 
IMPORT_EXPORT_VMM VOID VmFuncSetInterruptWindowExiting (BOOLEAN Set)
 Set Interrupt-window exiting.
 
IMPORT_EXPORT_VMM VOID VmFuncSetNmiWindowExiting (BOOLEAN Set)
 Set NMI-window exiting.
 
IMPORT_EXPORT_VMM VOID VmFuncSetNmiExiting (BOOLEAN Set)
 Set the NMI Exiting.
 
IMPORT_EXPORT_VMM VOID VmFuncSetExceptionBitmap (UINT32 CoreId, UINT32 IdtIndex)
 Set exception bitmap in VMCS.
 
IMPORT_EXPORT_VMM VOID VmFuncUnsetExceptionBitmap (UINT32 CoreId, UINT32 IdtIndex)
 Unset exception bitmap in VMCS.
 
IMPORT_EXPORT_VMM VOID VmFuncSetExternalInterruptExiting (UINT32 CoreId, BOOLEAN Set)
 Set the External Interrupt Exiting.
 
IMPORT_EXPORT_VMM VOID VmFuncSetRdtscExiting (UINT32 CoreId, BOOLEAN Set)
 Set the RDTSC/P Exiting.
 
IMPORT_EXPORT_VMM VOID VmFuncSetMovDebugRegsExiting (UINT32 CoreId, BOOLEAN Set)
 Set or unset the Mov to Debug Registers Exiting.
 
IMPORT_EXPORT_VMM VOID VmFuncInjectPendingExternalInterrupts (UINT32 CoreId)
 Inject pending external interrupts.
 
IMPORT_EXPORT_VMM VOID VmFuncSetRflags (UINT64 Rflags)
 Set guest's RFLAGS.
 
IMPORT_EXPORT_VMM VOID VmFuncSetRip (UINT64 Rip)
 Set guest's RIP.
 
IMPORT_EXPORT_VMM VOID VmFuncSetTriggerEventForVmcalls (BOOLEAN Set)
 Set triggering events for VMCALLs.
 
IMPORT_EXPORT_VMM VOID VmFuncSetTriggerEventForCpuids (BOOLEAN Set)
 Set triggering events for CPUIDs.
 
IMPORT_EXPORT_VMM VOID VmFuncSetInterruptibilityState (UINT64 InterruptibilityState)
 Set guest's interruptibility state.
 
IMPORT_EXPORT_VMM VOID VmFuncCheckAndEnableExternalInterrupts (UINT32 CoreId)
 Check and enable external interrupts.
 
IMPORT_EXPORT_VMM VOID VmFuncDisableExternalInterruptsAndInterruptWindow (UINT32 CoreId)
 Disable external-interrupts and interrupt window.
 
IMPORT_EXPORT_VMM VOID VmFuncEventInjectPageFaultWithCr2 (UINT32 CoreId, UINT64 Address, UINT32 PageFaultCode)
 Inject #PF and configure CR2 register.
 
IMPORT_EXPORT_VMM VOID VmFuncEventInjectPageFaultRangeAddress (UINT32 CoreId, UINT64 AddressFrom, UINT64 AddressTo, UINT32 PageFaultCode)
 Inject a range of page-faults.
 
IMPORT_EXPORT_VMM VOID VmFuncEventInjectInterruption (UINT32 InterruptionType, UINT32 Vector, BOOLEAN DeliverErrorCode, UINT32 ErrorCode)
 Inject interrupt/faults/exceptions.
 
IMPORT_EXPORT_VMM VOID VmFuncVmxBroadcastInitialize ()
 Export for initialize the VMX Broadcast mechanism.
 
IMPORT_EXPORT_VMM VOID VmFuncVmxBroadcastUninitialize ()
 Export for uninitialize the VMX Broadcast mechanism.
 
IMPORT_EXPORT_VMM VOID VmFuncEventInjectBreakpoint ()
 Inject #BP to the guest (Event Injection)
 
IMPORT_EXPORT_VMM VOID VmFuncInvalidateEptSingleContext (UINT32 CoreId)
 Requests for single-context EPT invalidation.
 
IMPORT_EXPORT_VMM VOID VmFuncInvalidateEptAllContexts ()
 Requests for all contexts EPT invalidation.
 
IMPORT_EXPORT_VMM VOID VmFuncUninitVmm ()
 Uninitialize Terminate Vmx on all logical cores.
 
IMPORT_EXPORT_VMM VOID VmFuncEnableMtfAndChangeExternalInterruptState (UINT32 CoreId)
 Enables MTF and adjust external interrupt state.
 
IMPORT_EXPORT_VMM VOID VmFuncEnableAndCheckForPreviousExternalInterrupts (UINT32 CoreId)
 Checks to enable and reinject previous interrupts.
 
IMPORT_EXPORT_VMM UINT16 VmFuncGetCsSelector ()
 Read CS selector.
 
IMPORT_EXPORT_VMM UINT32 VmFuncReadExceptionBitmap ()
 Read exception bitmap in VMCS.
 
IMPORT_EXPORT_VMM UINT64 VmFuncGetLastVmexitRip (UINT32 CoreId)
 get the last vm-exit RIP
 
IMPORT_EXPORT_VMM UINT64 VmFuncGetRflags ()
 Read guest's RFLAGS.
 
IMPORT_EXPORT_VMM UINT64 VmFuncGetRip ()
 Read guest's RIP.
 
IMPORT_EXPORT_VMM UINT64 VmFuncGetInterruptibilityState ()
 Read guest's interruptibility state.
 
IMPORT_EXPORT_VMM UINT64 VmFuncClearSteppingBits (UINT64 Interruptibility)
 Clear STI and MOV SS bits.
 
IMPORT_EXPORT_VMM BOOLEAN VmFuncInitVmm (VMM_CALLBACKS *VmmCallbacks)
 Initializes hypervisor.
 
IMPORT_EXPORT_VMM UINT32 VmFuncVmxCompatibleStrlen (const CHAR *s)
 VMX-root compatible strlen.
 
IMPORT_EXPORT_VMM UINT32 VmFuncVmxCompatibleWcslen (const wchar_t *s)
 VMX-root compatible strlen.
 
IMPORT_EXPORT_VMM BOOLEAN VmFuncNmiBroadcastRequest (UINT32 CoreId)
 Broadcast NMI requests.
 
IMPORT_EXPORT_VMM BOOLEAN VmFuncNmiBroadcastInvalidateEptSingleContext (UINT32 CoreId)
 Broadcast NMI requests for single-context EPT invalidation.
 
IMPORT_EXPORT_VMM BOOLEAN VmFuncNmiBroadcastInvalidateEptAllContexts (UINT32 CoreId)
 Broadcast NMI requests for all contexts EPT invalidation.
 
IMPORT_EXPORT_VMM BOOLEAN VmFuncVmxGetCurrentExecutionMode ()
 Get the current VMX operation state.
 
IMPORT_EXPORT_VMM BOOLEAN VmFuncQueryModeExecTrap ()
 Get the current state of mode exec trap mechanism.
 
IMPORT_EXPORT_VMM INT32 VmFuncVmxCompatibleStrcmp (const CHAR *Address1, const CHAR *Address2)
 VMX-root compatible strcmp.
 
IMPORT_EXPORT_VMM INT32 VmFuncVmxCompatibleStrncmp (const CHAR *Address1, const CHAR *Address2, SIZE_T Num)
 VMX-root compatible strncmp.
 
IMPORT_EXPORT_VMM INT32 VmFuncVmxCompatibleWcscmp (const wchar_t *Address1, const wchar_t *Address2)
 VMX-root compatible wcscmp.
 
IMPORT_EXPORT_VMM INT32 VmFuncVmxCompatibleWcsncmp (const wchar_t *Address1, const wchar_t *Address2, SIZE_T Num)
 VMX-root compatible wcsncmp.
 
IMPORT_EXPORT_VMM INT32 VmFuncVmxCompatibleMemcmp (const CHAR *Address1, const CHAR *Address2, size_t Count)
 VMX-root compatible memcmp.
 
IMPORT_EXPORT_VMM VOID ConfigureEnableMovToCr3ExitingOnAllProcessors ()
 routines for debugging threads (enable mov-to-cr3 exiting)
 
IMPORT_EXPORT_VMM VOID ConfigureDisableMovToCr3ExitingOnAllProcessors ()
 routines for debugging threads (disable mov-to-cr3 exiting)
 
IMPORT_EXPORT_VMM VOID ConfigureEnableEferSyscallEventsOnAllProcessors ()
 routines for enabling syscall hooks on all cores
 
IMPORT_EXPORT_VMM VOID ConfigureDisableEferSyscallEventsOnAllProcessors ()
 routines for disabling syscall hooks on all cores
 
IMPORT_EXPORT_VMM VOID ConfigureSetExternalInterruptExitingOnSingleCore (UINT32 TargetCoreId)
 set external interrupt exiting on a single core
 
IMPORT_EXPORT_VMM VOID ConfigureEnableRdtscExitingOnSingleCore (UINT32 TargetCoreId)
 enable RDTSC exiting on a single core
 
IMPORT_EXPORT_VMM VOID ConfigureEnableRdpmcExitingOnSingleCore (UINT32 TargetCoreId)
 enable RDPMC exiting on a single core
 
IMPORT_EXPORT_VMM VOID ConfigureEnableMovToDebugRegistersExitingOnSingleCore (UINT32 TargetCoreId)
 enable mov 2 debug register exiting on a single core
 
IMPORT_EXPORT_VMM VOID ConfigureSetExceptionBitmapOnSingleCore (UINT32 TargetCoreId, UINT32 BitMask)
 set exception bitmap on a single core
 
IMPORT_EXPORT_VMM VOID ConfigureEnableMovToControlRegisterExitingOnSingleCore (UINT32 TargetCoreId, DEBUGGER_EVENT_OPTIONS *BroadcastingOption)
 enable mov 2 control register on a single core
 
IMPORT_EXPORT_VMM VOID ConfigureChangeMsrBitmapWriteOnSingleCore (UINT32 TargetCoreId, UINT64 MsrMask)
 change the mask of msr bitmaps for write on a single core
 
IMPORT_EXPORT_VMM VOID ConfigureChangeMsrBitmapReadOnSingleCore (UINT32 TargetCoreId, UINT64 MsrMask)
 change the mask of msr bitmaps for read on a single core
 
IMPORT_EXPORT_VMM VOID ConfigureChangeIoBitmapOnSingleCore (UINT32 TargetCoreId, UINT64 Port)
 change I/O port bitmap on a single core
 
IMPORT_EXPORT_VMM VOID ConfigureEnableEferSyscallHookOnSingleCore (UINT32 TargetCoreId)
 routines for enabling EFER syscall hooks on a single core
 
IMPORT_EXPORT_VMM VOID ConfigureSetEferSyscallOrSysretHookType (DEBUGGER_EVENT_SYSCALL_SYSRET_TYPE SyscallHookType)
 routines for setting EFER syscall or sysret hooks type
 
IMPORT_EXPORT_VMM VOID ConfigureDirtyLoggingInitializeOnAllProcessors ()
 routines for initializing dirty logging mechanism
 
IMPORT_EXPORT_VMM VOID ConfigureDirtyLoggingUninitializeOnAllProcessors ()
 routines for uninitializing dirty logging mechanism
 
IMPORT_EXPORT_VMM VOID ConfigureModeBasedExecHookUninitializeOnAllProcessors ()
 routines for initializing Mode-based execution hooks
 
IMPORT_EXPORT_VMM VOID ConfigureUninitializeExecTrapOnAllProcessors ()
 routines for uninitializing user-mode, kernel-mode exec trap
 
IMPORT_EXPORT_VMM BOOLEAN ConfigureInitializeExecTrapOnAllProcessors ()
 routines for initializing user-mode, kernel-mode exec trap
 
IMPORT_EXPORT_VMM BOOLEAN ConfigureEptHook (PVOID TargetAddress, UINT32 ProcessId)
 This function invokes a VMCALL to set the hook and broadcast the exiting for the breakpoints on exception bitmap.
 
IMPORT_EXPORT_VMM BOOLEAN ConfigureEptHookFromVmxRoot (PVOID TargetAddress)
 This function invokes a direct VMCALL to setup the hook.
 
IMPORT_EXPORT_VMM BOOLEAN ConfigureEptHook2 (UINT32 CoreId, PVOID TargetAddress, PVOID HookFunction, UINT32 ProcessId)
 This function allocates a buffer in VMX Non Root Mode and then invokes a VMCALL to set the hook (inline)
 
IMPORT_EXPORT_VMM BOOLEAN ConfigureEptHook2FromVmxRoot (UINT32 CoreId, PVOID TargetAddress, PVOID HookFunction)
 This function allocates a buffer in VMX Non Root Mode and then invokes a VMCALL to set the hook (inline EPT hook)
 
IMPORT_EXPORT_VMM BOOLEAN ConfigureEptHookMonitor (UINT32 CoreId, EPT_HOOKS_ADDRESS_DETAILS_FOR_MEMORY_MONITOR *HookingDetails, UINT32 ProcessId)
 This function allocates a buffer in VMX Non Root Mode and then invokes a VMCALL to set the hook.
 
IMPORT_EXPORT_VMM BOOLEAN ConfigureEptHookMonitorFromVmxRoot (UINT32 CoreId, EPT_HOOKS_ADDRESS_DETAILS_FOR_MEMORY_MONITOR *MemoryAddressDetails)
 This function allocates a buffer in VMX Non Root Mode and then invokes a VMCALL to set the hook.
 
IMPORT_EXPORT_VMM BOOLEAN ConfigureEptHookModifyInstructionFetchState (UINT32 CoreId, PVOID PhysicalAddress, BOOLEAN IsUnset)
 Change PML EPT state for execution (execute) @detail should be called from VMX-root.
 
IMPORT_EXPORT_VMM BOOLEAN ConfigureEptHookModifyPageReadState (UINT32 CoreId, PVOID PhysicalAddress, BOOLEAN IsUnset)
 Change PML EPT state for read @detail should be called from VMX-root.
 
IMPORT_EXPORT_VMM BOOLEAN ConfigureEptHookModifyPageWriteState (UINT32 CoreId, PVOID PhysicalAddress, BOOLEAN IsUnset)
 Change PML EPT state for write @detail should be called from VMX-root.
 
IMPORT_EXPORT_VMM BOOLEAN ConfigureEptHookUnHookAllByHookingTag (UINT64 HookingTag)
 Remove all hooks from the hooked pages list using Hooking Tag.
 
IMPORT_EXPORT_VMM BOOLEAN ConfigureEptHookUnHookSingleHookByHookingTagFromVmxRoot (UINT64 HookingTag, EPT_SINGLE_HOOK_UNHOOKING_DETAILS *TargetUnhookingDetails)
 Remove single hook from the hooked pages by the given hooking tag.
 
IMPORT_EXPORT_VMM BOOLEAN ConfigureEptHookUnHookSingleAddress (UINT64 VirtualAddress, UINT64 PhysAddress, UINT32 ProcessId)
 Remove single hook from the hooked pages list and invalidate TLB.
 
IMPORT_EXPORT_VMM BOOLEAN ConfigureEptHookUnHookSingleAddressFromVmxRoot (UINT64 VirtualAddress, UINT64 PhysAddress, EPT_SINGLE_HOOK_UNHOOKING_DETAILS *TargetUnhookingDetails)
 Remove single hook from the hooked pages list and invalidate TLB.
 
IMPORT_EXPORT_VMM VOID ConfigureEptHookAllocateExtraHookingPagesForMemoryMonitorsAndExecEptHooks (UINT32 Count)
 Allocate (reserve) extra pages for storing details of page hooks for memory monitor and regular hidden breakpoit exec EPT hooks.
 
IMPORT_EXPORT_VMM VOID ConfigureEptHookReservePreallocatedPoolsForEptHooks (UINT32 Count)
 Allocate (reserve) pages for storing EPT hooks page hooks.
 
IMPORT_EXPORT_VMM BOOLEAN ConfigureExecTrapAddProcessToWatchingList (UINT32 ProcessId)
 Add the target process to the watching list.
 
IMPORT_EXPORT_VMM BOOLEAN ConfigureExecTrapRemoveProcessFromWatchingList (UINT32 ProcessId)
 Remove the target process from the watching list.
 
IMPORT_EXPORT_VMM NTSTATUS DirectVmcallTest (UINT32 CoreId, DIRECT_VMCALL_PARAMETERS *DirectVmcallOptions)
 routines for test direct VMCALL
 
IMPORT_EXPORT_VMM NTSTATUS DirectVmcallPerformVmcall (UINT32 CoreId, UINT64 VmcallNumber, DIRECT_VMCALL_PARAMETERS *DirectVmcallOptions)
 routines for performing a direct VMCALL
 
IMPORT_EXPORT_VMM NTSTATUS DirectVmcallChangeMsrBitmapRead (UINT32 CoreId, DIRECT_VMCALL_PARAMETERS *DirectVmcallOptions)
 routines for changing MSR Bitmap (Read)
 
IMPORT_EXPORT_VMM NTSTATUS DirectVmcallChangeMsrBitmapWrite (UINT32 CoreId, DIRECT_VMCALL_PARAMETERS *DirectVmcallOptions)
 routines for changing MSR Bitmap (Write)
 
IMPORT_EXPORT_VMM NTSTATUS DirectVmcallChangeIoBitmap (UINT32 CoreId, DIRECT_VMCALL_PARAMETERS *DirectVmcallOptions)
 routines for changing IO Bitmap
 
IMPORT_EXPORT_VMM NTSTATUS DirectVmcallEnableRdpmcExiting (UINT32 CoreId, DIRECT_VMCALL_PARAMETERS *DirectVmcallOptions)
 routines for enabling rdpmc exiting
 
IMPORT_EXPORT_VMM NTSTATUS DirectVmcallEnableRdtscpExiting (UINT32 CoreId, DIRECT_VMCALL_PARAMETERS *DirectVmcallOptions)
 routines for enabling rdtsc/rdtscp exiting
 
IMPORT_EXPORT_VMM NTSTATUS DirectVmcallEnableMov2DebugRegsExiting (UINT32 CoreId, DIRECT_VMCALL_PARAMETERS *DirectVmcallOptions)
 routines for enabling mov to debug registers exiting
 
IMPORT_EXPORT_VMM NTSTATUS DirectVmcallSetExceptionBitmap (UINT32 CoreId, DIRECT_VMCALL_PARAMETERS *DirectVmcallOptions)
 routines for setting exception bitmap
 
IMPORT_EXPORT_VMM NTSTATUS DirectVmcallEnableExternalInterruptExiting (UINT32 CoreId, DIRECT_VMCALL_PARAMETERS *DirectVmcallOptions)
 routines for enabling external interrupt exiting
 
IMPORT_EXPORT_VMM NTSTATUS DirectVmcallEnableMovToCrExiting (UINT32 CoreId, DIRECT_VMCALL_PARAMETERS *DirectVmcallOptions)
 routines for enabling mov to CR exiting
 
IMPORT_EXPORT_VMM NTSTATUS DirectVmcallEnableEferSyscall (UINT32 CoreId, DIRECT_VMCALL_PARAMETERS *DirectVmcallOptions)
 routines for enabling syscall hook using EFER SCE bit
 
IMPORT_EXPORT_VMM NTSTATUS DirectVmcallSetHiddenBreakpointHook (UINT32 CoreId, DIRECT_VMCALL_PARAMETERS *DirectVmcallOptions)
 routines for putting hidden breakpoints (using EPT)
 
IMPORT_EXPORT_VMM NTSTATUS DirectVmcallInvalidateEptAllContexts (UINT32 CoreId, DIRECT_VMCALL_PARAMETERS *DirectVmcallOptions)
 routines for invalidating EPT (All Contexts)
 
IMPORT_EXPORT_VMM NTSTATUS DirectVmcallInvalidateSingleContext (UINT32 CoreId, DIRECT_VMCALL_PARAMETERS *DirectVmcallOptions)
 routines for invalidating EPT (A Single Context)
 
IMPORT_EXPORT_VMM NTSTATUS DirectVmcallUnsetExceptionBitmap (UINT32 CoreId, DIRECT_VMCALL_PARAMETERS *DirectVmcallOptions)
 routines for unsetting exception bitmap on VMCS
 
IMPORT_EXPORT_VMM NTSTATUS DirectVmcallUnhookSinglePage (UINT32 CoreId, DIRECT_VMCALL_PARAMETERS *DirectVmcallOptions)
 routines for restoring a single EPT entry and invalidating EPT cache
 
IMPORT_EXPORT_VMM NTSTATUS DirectVmcallSetDisableExternalInterruptExitingOnlyOnClearingInterruptEvents (UINT32 CoreId, DIRECT_VMCALL_PARAMETERS *DirectVmcallOptions)
 routines for disabling external interrupt exiting only to clear !interrupt commands
 
IMPORT_EXPORT_VMM NTSTATUS DirectVmcallResetMsrBitmapRead (UINT32 CoreId, DIRECT_VMCALL_PARAMETERS *DirectVmcallOptions)
 routines for resetting MSR Bitmap Read
 
IMPORT_EXPORT_VMM NTSTATUS DirectVmcallResetMsrBitmapWrite (UINT32 CoreId, DIRECT_VMCALL_PARAMETERS *DirectVmcallOptions)
 routines for resetting MSR Bitmap Write
 
IMPORT_EXPORT_VMM NTSTATUS DirectVmcallResetExceptionBitmapOnlyOnClearingExceptionEvents (UINT32 CoreId, DIRECT_VMCALL_PARAMETERS *DirectVmcallOptions)
 routines for resetting exception bitmap on VMCS
 
IMPORT_EXPORT_VMM NTSTATUS DirectVmcallResetIoBitmap (UINT32 CoreId, DIRECT_VMCALL_PARAMETERS *DirectVmcallOptions)
 routines for resetting I/O Bitmaps (A & B)
 
IMPORT_EXPORT_VMM NTSTATUS DirectVmcallDisableRdtscExitingForClearingTscEvents (UINT32 CoreId, DIRECT_VMCALL_PARAMETERS *DirectVmcallOptions)
 routines for clearing rdtsc exiting bit ONLY in the case of disabling the events for !tsc command
 
IMPORT_EXPORT_VMM NTSTATUS DirectVmcallDisableRdpmcExiting (UINT32 CoreId, DIRECT_VMCALL_PARAMETERS *DirectVmcallOptions)
 routines for disabling rdpmc exiting in primary cpu-based controls
 
IMPORT_EXPORT_VMM NTSTATUS DirectVmcallDisableEferSyscallEvents (UINT32 CoreId, DIRECT_VMCALL_PARAMETERS *DirectVmcallOptions)
 routines for disabling syscall hook using EFER SCE bit
 
IMPORT_EXPORT_VMM NTSTATUS DirectVmcallDisableMov2DrExitingForClearingDrEvents (UINT32 CoreId, DIRECT_VMCALL_PARAMETERS *DirectVmcallOptions)
 routines for clearing mov 2 hw dr exiting bit ONLY in the case of disabling the events for !dr command
 
IMPORT_EXPORT_VMM NTSTATUS DirectVmcallDisableMov2CrExitingForClearingCrEvents (UINT32 CoreId, DIRECT_VMCALL_PARAMETERS *DirectVmcallOptions)
 routines for clearing mov 2 cr exiting bit ONLY in the case of disabling the events for !crwrite command
 
IMPORT_EXPORT_VMM BOOLEAN DisassemblerShowInstructionsInVmxNonRootMode (PVOID Address, UINT32 Length, BOOLEAN Is32Bit)
 Disassembler show the instructions.
 
IMPORT_EXPORT_VMM BOOLEAN DisassemblerShowOneInstructionInVmxNonRootMode (PVOID Address, UINT64 ActualRip, BOOLEAN Is32Bit)
 Disassembler show only one instruction.
 
IMPORT_EXPORT_VMM UINT32 DisassemblerShowOneInstructionInVmxRootMode (PVOID Address, BOOLEAN Is32Bit)
 Shows the disassembly of only one instruction.
 
IMPORT_EXPORT_VMM UINT64 VirtualAddressToPhysicalAddress (_In_ PVOID VirtualAddress)
 Converts Virtual Address to Physical Address.
 
IMPORT_EXPORT_VMM UINT64 VirtualAddressToPhysicalAddressByProcessId (_In_ PVOID VirtualAddress, _In_ UINT32 ProcessId)
 
IMPORT_EXPORT_VMM UINT64 VirtualAddressToPhysicalAddressByProcessCr3 (_In_ PVOID VirtualAddress, _In_ CR3_TYPE TargetCr3)
 
IMPORT_EXPORT_VMM UINT64 VirtualAddressToPhysicalAddressOnTargetProcess (_In_ PVOID VirtualAddress)
 
IMPORT_EXPORT_VMM UINT64 PhysicalAddressToVirtualAddress (_In_ UINT64 PhysicalAddress)
 
IMPORT_EXPORT_VMM UINT64 PhysicalAddressToVirtualAddressByProcessId (_In_ PVOID PhysicalAddress, _In_ UINT32 ProcessId)
 
IMPORT_EXPORT_VMM UINT64 PhysicalAddressToVirtualAddressByCr3 (_In_ PVOID PhysicalAddress, _In_ CR3_TYPE TargetCr3)
 
IMPORT_EXPORT_VMM UINT64 PhysicalAddressToVirtualAddressOnTargetProcess (_In_ PVOID PhysicalAddress)
 
IMPORT_EXPORT_VMM CR3_TYPE SwitchToProcessMemoryLayout (_In_ UINT32 ProcessId)
 
IMPORT_EXPORT_VMM CR3_TYPE SwitchToCurrentProcessMemoryLayout ()
 Switch to guest's running process's cr3.
 
IMPORT_EXPORT_VMM CR3_TYPE SwitchToProcessMemoryLayoutByCr3 (_In_ CR3_TYPE TargetCr3)
 
IMPORT_EXPORT_VMM VOID SwitchToPreviousProcess (_In_ CR3_TYPE PreviousProcess)
 
IMPORT_EXPORT_VMM BOOLEAN CheckAddressValidityUsingTsx (CHAR *Address)
 This function checks whether the address is valid or not using Intel TSX.
 
IMPORT_EXPORT_VMM BOOLEAN CheckAccessValidityAndSafety (UINT64 TargetAddress, UINT32 Size)
 Check the safety to access the memory.
 
IMPORT_EXPORT_VMM BOOLEAN CheckAddressPhysical (UINT64 PAddr)
 Checks if the physical address is correct or not based on physical address width.
 
IMPORT_EXPORT_VMM UINT32 CheckAddressMaximumInstructionLength (PVOID Address)
 This function returns the maximum instruction length that can be read from this address.
 
IMPORT_EXPORT_VMM CR3_TYPE LayoutGetCurrentProcessCr3 ()
 Get cr3 of the target running process.
 
IMPORT_EXPORT_VMM CR3_TYPE LayoutGetExactGuestProcessCr3 ()
 Get cr3 of the target running process.
 
IMPORT_EXPORT_VMM PVOID MemoryMapperGetPteVa (_In_ PVOID Va, _In_ PAGING_LEVEL Level)
 
IMPORT_EXPORT_VMM PVOID MemoryMapperGetPteVaByCr3 (_In_ PVOID Va, _In_ PAGING_LEVEL Level, _In_ CR3_TYPE TargetCr3)
 
IMPORT_EXPORT_VMM PVOID MemoryMapperGetPteVaWithoutSwitchingByCr3 (_In_ PVOID Va, _In_ PAGING_LEVEL Level, _In_ CR3_TYPE TargetCr3)
 
IMPORT_EXPORT_VMM PVOID MemoryMapperGetPteVaOnTargetProcess (_In_ PVOID Va, _In_ PAGING_LEVEL Level)
 
IMPORT_EXPORT_VMM PVOID MemoryMapperSetExecuteDisableToPteOnTargetProcess (_In_ PVOID Va, _In_ BOOLEAN Set)
 
IMPORT_EXPORT_VMM BOOLEAN MemoryMapperCheckPteIsPresentOnTargetProcess (PVOID Va, PAGING_LEVEL Level)
 This function checks whether the virtual address is present in the RAM or not.
 
IMPORT_EXPORT_VMM BOOLEAN MemoryMapperReadMemorySafe (_In_ UINT64 VaAddressToRead, _Inout_ PVOID BufferToSaveMemory, _In_ SIZE_T SizeToRead)
 
IMPORT_EXPORT_VMM BOOLEAN MemoryMapperReadMemorySafeByPhysicalAddress (_In_ UINT64 PaAddressToRead, _Inout_ UINT64 BufferToSaveMemory, _In_ SIZE_T SizeToRead)
 
IMPORT_EXPORT_VMM BOOLEAN MemoryMapperReadMemorySafeOnTargetProcess (_In_ UINT64 VaAddressToRead, _Inout_ PVOID BufferToSaveMemory, _In_ SIZE_T SizeToRead)
 
IMPORT_EXPORT_VMM UINT32 DisassemblerLengthDisassembleEngine (PVOID Address, BOOLEAN Is32Bit)
 Disassembler length disassemble engine.
 
IMPORT_EXPORT_VMM UINT32 DisassemblerLengthDisassembleEngineInVmxRootOnTargetProcess (PVOID Address, BOOLEAN Is32Bit)
 Disassembler length disassembler engine.
 
IMPORT_EXPORT_VMM BOOLEAN MemoryMapperWriteMemorySafe (_Inout_ UINT64 Destination, _In_ PVOID Source, _In_ SIZE_T SizeToWrite, _In_ CR3_TYPE TargetProcessCr3)
 
IMPORT_EXPORT_VMM BOOLEAN MemoryMapperWriteMemorySafeOnTargetProcess (_Inout_ UINT64 Destination, _In_ PVOID Source, _In_ SIZE_T Size)
 
IMPORT_EXPORT_VMM BOOLEAN MemoryMapperWriteMemorySafeByPhysicalAddress (_Inout_ UINT64 DestinationPa, _In_ UINT64 Source, _In_ SIZE_T SizeToWrite)
 
IMPORT_EXPORT_VMM BOOLEAN MemoryMapperWriteMemoryUnsafe (_Inout_ UINT64 Destination, _In_ PVOID Source, _In_ SIZE_T SizeToWrite, _In_ UINT32 TargetProcessId)
 
IMPORT_EXPORT_VMM UINT64 MemoryMapperReserveUsermodeAddressOnTargetProcess (_In_ UINT32 ProcessId, _In_ BOOLEAN Allocate)
 
IMPORT_EXPORT_VMM BOOLEAN MemoryMapperFreeMemoryOnTargetProcess (_In_ UINT32 ProcessId, _Inout_ PVOID BaseAddress)
 
IMPORT_EXPORT_VMM BOOLEAN MemoryMapperSetSupervisorBitWithoutSwitchingByCr3 (_In_ PVOID Va, _In_ BOOLEAN Set, _In_ PAGING_LEVEL Level, _In_ CR3_TYPE TargetCr3)
 
IMPORT_EXPORT_VMM BOOLEAN MemoryMapperCheckIfPageIsNxBitSetOnTargetProcess (_In_ PVOID Va)
 
IMPORT_EXPORT_VMM BOOLEAN MemoryMapperCheckIfPdeIsLargePageOnTargetProcess (_In_ PVOID Va)
 
IMPORT_EXPORT_VMM BOOLEAN MemoryManagerReadProcessMemoryNormal (HANDLE PID, PVOID Address, DEBUGGER_READ_MEMORY_TYPE MemType, PVOID UserBuffer, SIZE_T Size, PSIZE_T ReturnSize)
 Read process memory.
 
IMPORT_EXPORT_VMM BOOLEAN PoolManagerCheckAndPerformAllocationAndDeallocation ()
 This function performs allocations from VMX non-root based on g_RequestNewAllocation.
 
IMPORT_EXPORT_VMM BOOLEAN PoolManagerRequestAllocation (SIZE_T Size, UINT32 Count, POOL_ALLOCATION_INTENTION Intention)
 Request to allocate new buffers.
 
IMPORT_EXPORT_VMM UINT64 PoolManagerRequestPool (POOL_ALLOCATION_INTENTION Intention, BOOLEAN RequestNewPool, UINT32 Size)
 This function should be called from vmx-root in order to get a pool from the list.
 
IMPORT_EXPORT_VMM BOOLEAN PoolManagerFreePool (UINT64 AddressToFree)
 This function set a pool flag to be freed, and it will be freed on the next IOCTL when it's safe to remove.
 
IMPORT_EXPORT_VMM VOID PoolManagerShowPreAllocatedPools ()
 Shows list of pre-allocated pools available (used for debugging purposes)
 
IMPORT_EXPORT_VMM VOID SetGuestCsSel (PVMX_SEGMENT_SELECTOR Cs)
 Set just the Guest Cs selector.
 
IMPORT_EXPORT_VMM VOID SetGuestCs (PVMX_SEGMENT_SELECTOR Cs)
 Set the Guest Cs.
 
IMPORT_EXPORT_VMM VMX_SEGMENT_SELECTOR GetGuestCs ()
 Get the Guest Cs Selector.
 
IMPORT_EXPORT_VMM VOID SetGuestSsSel (PVMX_SEGMENT_SELECTOR Ss)
 Set just the Guest Ss selector.
 
IMPORT_EXPORT_VMM VOID SetGuestSs (PVMX_SEGMENT_SELECTOR Ss)
 Set the Guest Ss selector.
 
IMPORT_EXPORT_VMM VMX_SEGMENT_SELECTOR GetGuestSs ()
 Get the Guest Ss Selector.
 
IMPORT_EXPORT_VMM VOID SetGuestDsSel (PVMX_SEGMENT_SELECTOR Ds)
 Set just the Guest Ds selector.
 
IMPORT_EXPORT_VMM VOID SetGuestDs (PVMX_SEGMENT_SELECTOR Ds)
 Set the Guest Ds selector.
 
IMPORT_EXPORT_VMM VMX_SEGMENT_SELECTOR GetGuestDs ()
 Get the Guest Ds Selector.
 
IMPORT_EXPORT_VMM VOID SetGuestFsSel (PVMX_SEGMENT_SELECTOR Fs)
 Set just the Guest Fs selector.
 
IMPORT_EXPORT_VMM VOID SetGuestFs (PVMX_SEGMENT_SELECTOR Fs)
 Set the Guest Fs selector.
 
IMPORT_EXPORT_VMM VMX_SEGMENT_SELECTOR GetGuestFs ()
 Get the Guest Fs Selector.
 
IMPORT_EXPORT_VMM VOID SetGuestGsSel (PVMX_SEGMENT_SELECTOR Gs)
 Set just the Guest Gs selector.
 
IMPORT_EXPORT_VMM VOID SetGuestGs (PVMX_SEGMENT_SELECTOR Gs)
 Set the Guest Gs selector.
 
IMPORT_EXPORT_VMM VMX_SEGMENT_SELECTOR GetGuestGs ()
 Get the Guest Gs Selector.
 
IMPORT_EXPORT_VMM VOID SetGuestEsSel (PVMX_SEGMENT_SELECTOR Es)
 Set just the Guest Es selector.
 
IMPORT_EXPORT_VMM VOID SetGuestEs (PVMX_SEGMENT_SELECTOR Es)
 Set the Guest Es selector.
 
IMPORT_EXPORT_VMM VMX_SEGMENT_SELECTOR GetGuestEs ()
 Get the Guest Es Selector.
 
IMPORT_EXPORT_VMM VOID SetGuestIdtr (UINT64 Idtr)
 Set the Guest Idtr.
 
IMPORT_EXPORT_VMM UINT64 GetGuestIdtr ()
 Get the Guest Idtr.
 
IMPORT_EXPORT_VMM VOID SetGuestLdtr (UINT64 Ldtr)
 Set the Guest Ldtr.
 
IMPORT_EXPORT_VMM UINT64 GetGuestLdtr ()
 Get the Guest Ldtr.
 
IMPORT_EXPORT_VMM VOID SetGuestGdtr (UINT64 Gdtr)
 Set the Guest Gdtr.
 
IMPORT_EXPORT_VMM UINT64 GetGuestGdtr ()
 Get the Guest Gdtr.
 
IMPORT_EXPORT_VMM VOID SetGuestTr (UINT64 Tr)
 
IMPORT_EXPORT_VMM UINT64 GetGuestTr ()
 Get the Guest Tr.
 
IMPORT_EXPORT_VMM VOID SetGuestRFlags (UINT64 RFlags)
 Set the Guest RFLAGS Register.
 
IMPORT_EXPORT_VMM UINT64 GetGuestRFlags ()
 Get the Guest Rflags value.
 
IMPORT_EXPORT_VMM VOID SetGuestRIP (UINT64 RIP)
 Set the Guest RIP Register.
 
IMPORT_EXPORT_VMM VOID SetGuestRSP (UINT64 RSP)
 Set the Guest RSP Register.
 
IMPORT_EXPORT_VMM UINT64 GetGuestRIP ()
 Get the Guest RIP value.
 
IMPORT_EXPORT_VMM UINT64 GetGuestCr0 ()
 Get the Guest Cr0 value.
 
IMPORT_EXPORT_VMM UINT64 GetGuestCr2 ()
 Get the Guest Cr2 value.
 
IMPORT_EXPORT_VMM UINT64 GetGuestCr3 ()
 Get the Guest Cr3 value.
 
IMPORT_EXPORT_VMM UINT64 GetGuestCr4 ()
 Get the Guest Cr4 value.
 
IMPORT_EXPORT_VMM UINT64 GetGuestCr8 ()
 Get the Guest Cr8 value.
 
IMPORT_EXPORT_VMM VOID SetGuestCr0 (UINT64 Cr0)
 Set the Guest Cr0 Register.
 
IMPORT_EXPORT_VMM VOID SetGuestCr2 (UINT64 Cr2)
 Set the Guest Cr2 Register.
 
IMPORT_EXPORT_VMM VOID SetGuestCr3 (UINT64 Cr3)
 Set the Guest Cr3 Register.
 
IMPORT_EXPORT_VMM VOID SetGuestCr4 (UINT64 Cr4)
 Set the Guest Cr4 Register.
 
IMPORT_EXPORT_VMM VOID SetGuestCr8 (UINT64 Cr8)
 Set the Guest Cr8 Register.
 
IMPORT_EXPORT_VMM UINT64 GetGuestDr0 ()
 Get the Guest Dr0 value.
 
IMPORT_EXPORT_VMM UINT64 GetGuestDr1 ()
 Get the Guest Dr1 value.
 
IMPORT_EXPORT_VMM UINT64 GetGuestDr2 ()
 Get the Guest Dr2 value.
 
IMPORT_EXPORT_VMM UINT64 GetGuestDr3 ()
 Get the Guest Dr3 value.
 
IMPORT_EXPORT_VMM UINT64 GetGuestDr6 ()
 Get the Guest Dr6 (breakpoint status) value.
 
IMPORT_EXPORT_VMM UINT64 GetGuestDr7 ()
 Get the Guest Dr7 (breakpoint trigger) value.
 
IMPORT_EXPORT_VMM VOID SetGuestDr0 (UINT64 value)
 Set the Guest Dr0 Register.
 
IMPORT_EXPORT_VMM VOID SetGuestDr1 (UINT64 value)
 Set the Guest Dr1 Register.
 
IMPORT_EXPORT_VMM VOID SetGuestDr2 (UINT64 value)
 Set the Guest Dr2 Register.
 
IMPORT_EXPORT_VMM VOID SetGuestDr3 (UINT64 value)
 Set the Guest Dr3 Register.
 
IMPORT_EXPORT_VMM VOID SetGuestDr6 (UINT64 value)
 Set the Guest Dr6 Register.
 
IMPORT_EXPORT_VMM VOID SetGuestDr7 (UINT64 value)
 Set the Guest Dr7 Register.
 
IMPORT_EXPORT_VMM BOOLEAN SetDebugRegisters (UINT32 DebugRegNum, DEBUG_REGISTER_TYPE ActionType, BOOLEAN ApplyToVmcs, UINT64 TargetAddress)
 Configure hardware debug register for access, write and fetch breakpoints.
 
IMPORT_EXPORT_VMM NTSTATUS TransparentHideDebugger (PDEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE Measurements)
 Hide debugger on transparent-mode (activate transparent-mode)
 
IMPORT_EXPORT_VMM NTSTATUS TransparentUnhideDebugger ()
 Deactivate transparent-mode.
 
IMPORT_EXPORT_VMM VOID BroadcastEnableBreakpointExitingOnExceptionBitmapAllCores ()
 routines to enable vm-exit for breakpoints (exception bitmap)
 
IMPORT_EXPORT_VMM VOID BroadcastDisableBreakpointExitingOnExceptionBitmapAllCores ()
 routines to disable vm-exit for breakpoints (exception bitmap)
 
IMPORT_EXPORT_VMM VOID BroadcastEnableDbAndBpExitingAllCores ()
 routines to set vm-exit on all #DBs and #BP on all cores
 
IMPORT_EXPORT_VMM VOID BroadcastDisableDbAndBpExitingAllCores ()
 routines to unset vm-exit on all #DBs and #BP on all cores
 
IMPORT_EXPORT_VMM VOID BroadcastEnableRdtscExitingAllCores ()
 a broadcast that causes vm-exit on all execution of rdtsc/rdtscp
 
IMPORT_EXPORT_VMM VOID BroadcastDisableRdtscExitingAllCores ()
 a broadcast that causes for disabling rdtsc/p exiting
 
IMPORT_EXPORT_VMM VOID BroadcastChangeAllMsrBitmapReadAllCores (UINT64 BitmapMask)
 routines for !msrread command which
 
IMPORT_EXPORT_VMM VOID BroadcastResetChangeAllMsrBitmapReadAllCores ()
 routines for disable (reset) !msrread command
 
IMPORT_EXPORT_VMM VOID BroadcastChangeAllMsrBitmapWriteAllCores (UINT64 BitmapMask)
 routines for !msrwrite command which
 
IMPORT_EXPORT_VMM VOID BroadcastResetAllMsrBitmapWriteAllCores ()
 routines for reset !msrwrite command which
 
IMPORT_EXPORT_VMM VOID BroadcastDisableRdtscExitingForClearingEventsAllCores ()
 routines ONLY for disabling !tsc command
 
IMPORT_EXPORT_VMM VOID BroadcastDisableMov2ControlRegsExitingForClearingEventsAllCores (PDEBUGGER_EVENT_OPTIONS BroadcastingOption)
 routines ONLY for disabling !crwrite command
 
IMPORT_EXPORT_VMM VOID BroadcastDisableMov2DebugRegsExitingForClearingEventsAllCores ()
 routines ONLY for disabling !dr command
 
IMPORT_EXPORT_VMM VOID BroadcastEnableRdpmcExitingAllCores ()
 routines for !pmc
 
IMPORT_EXPORT_VMM VOID BroadcastDisableRdpmcExitingAllCores ()
 routines for disabling !pmc
 
IMPORT_EXPORT_VMM VOID BroadcastSetExceptionBitmapAllCores (UINT64 ExceptionIndex)
 routines for !exception command which
 
IMPORT_EXPORT_VMM VOID BroadcastUnsetExceptionBitmapAllCores (UINT64 ExceptionIndex)
 routines for disabling exception bitmap
 
IMPORT_EXPORT_VMM VOID BroadcastResetExceptionBitmapAllCores ()
 routines for reset !exception command
 
IMPORT_EXPORT_VMM VOID BroadcastEnableMovControlRegisterExitingAllCores (PDEBUGGER_EVENT_OPTIONS BroadcastingOption)
 routines for !crwrite
 
IMPORT_EXPORT_VMM VOID BroadcastDisableMovToControlRegistersExitingAllCores (PDEBUGGER_EVENT_OPTIONS BroadcastingOption)
 routines for disabling !crwrite
 
IMPORT_EXPORT_VMM VOID BroadcastEnableMovDebugRegistersExitingAllCores ()
 routines for !dr
 
IMPORT_EXPORT_VMM VOID BroadcastDisableMovDebugRegistersExitingAllCores ()
 routines for disabling !dr
 
IMPORT_EXPORT_VMM VOID BroadcastSetExternalInterruptExitingAllCores ()
 routines for !interrupt command which
 
IMPORT_EXPORT_VMM VOID BroadcastUnsetExternalInterruptExitingOnlyOnClearingInterruptEventsAllCores ()
 routines for ONLY terminate !interrupt command
 
IMPORT_EXPORT_VMM VOID BroadcastIoBitmapChangeAllCores (UINT64 Port)
 routines for !ioin and !ioout command which
 
IMPORT_EXPORT_VMM VOID BroadcastIoBitmapResetAllCores ()
 routines for reset !ioin and !ioout command
 
IMPORT_EXPORT_VMM VOID BroadcastEnableMovToCr3ExitingOnAllProcessors ()
 routines for debugging threads (enable mov-to-cr3 exiting)
 
IMPORT_EXPORT_VMM VOID BroadcastDisableMovToCr3ExitingOnAllProcessors ()
 routines for debugging threads (disable mov-to-cr3 exiting)
 
IMPORT_EXPORT_VMM VOID BroadcastEnableEferSyscallEventsOnAllProcessors ()
 routines for enabling syscall hooks on all cores
 
IMPORT_EXPORT_VMM VOID BroadcastDisableEferSyscallEventsOnAllProcessors ()
 routines for disabling syscall hooks on all cores
 

Detailed Description

Headers relating exported functions from hypervisor.

Author
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
Version
0.1
Date
2022-12-09
Copyright
This project is released under the GNU Public License v3.

Macro Definition Documentation

◆ IMPORT_EXPORT_VMM

#define IMPORT_EXPORT_VMM   __declspec(dllimport)

Function Documentation

◆ BroadcastChangeAllMsrBitmapReadAllCores()

IMPORT_EXPORT_VMM VOID BroadcastChangeAllMsrBitmapReadAllCores ( UINT64 BitmapMask)

routines for !msrread command which

causes vm-exit on all msr reads

Parameters
BitmapMaskBit mask of msr to put on msr bitmap
Returns
VOID
161{
162 //
163 // Broadcast to all cores
164 //
165 KeGenericCallDpc(DpcRoutineChangeMsrBitmapReadOnAllCores, (PVOID)BitmapMask);
166}
DpcRoutineChangeMsrBitmapReadOnAllCores
VOID DpcRoutineChangeMsrBitmapReadOnAllCores(KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
Disable Msr Bitmaps on all cores (vm-exit on all msrs)
Definition DpcRoutines.c:726

◆ BroadcastChangeAllMsrBitmapWriteAllCores()

IMPORT_EXPORT_VMM VOID BroadcastChangeAllMsrBitmapWriteAllCores ( UINT64 BitmapMask)

routines for !msrwrite command which

causes vm-exit on all msr writes

Returns
VOID
188{
189 //
190 // Broadcast to all cores
191 //
192 KeGenericCallDpc(DpcRoutineChangeMsrBitmapWriteOnAllCores, (PVOID)BitmapMask);
193}
DpcRoutineChangeMsrBitmapWriteOnAllCores
VOID DpcRoutineChangeMsrBitmapWriteOnAllCores(KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
Disable Msr Bitmaps on all cores (vm-exit on all msrs)
Definition DpcRoutines.c:787

◆ BroadcastDisableBreakpointExitingOnExceptionBitmapAllCores()

IMPORT_EXPORT_VMM VOID BroadcastDisableBreakpointExitingOnExceptionBitmapAllCores ( )

routines to disable vm-exit for breakpoints (exception bitmap)

Returns
VOID
78{
79 //
80 // Broadcast to all cores
81 //
82 KeGenericCallDpc(DpcRoutineDisableBreakpointOnExceptionBitmapOnAllCores, NULL);
83}
DpcRoutineDisableBreakpointOnExceptionBitmapOnAllCores
VOID DpcRoutineDisableBreakpointOnExceptionBitmapOnAllCores(KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
Disable breakpoint exiting on exception bitmaps on all cores.
Definition DpcRoutines.c:1442

◆ BroadcastDisableDbAndBpExitingAllCores()

IMPORT_EXPORT_VMM VOID BroadcastDisableDbAndBpExitingAllCores ( )

routines to unset vm-exit on all #DBs and #BP on all cores

Returns
VOID
50{
51 //
52 // Broadcast to all cores
53 //
54 KeGenericCallDpc(DpcRoutineDisableDbAndBpExitingOnAllCores, NULL);
55}
DpcRoutineDisableDbAndBpExitingOnAllCores
VOID DpcRoutineDisableDbAndBpExitingOnAllCores(KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
Disable vm-exit on #DBs and #BPs on all cores.
Definition DpcRoutines.c:1571

◆ BroadcastDisableEferSyscallEventsOnAllProcessors()

IMPORT_EXPORT_VMM VOID BroadcastDisableEferSyscallEventsOnAllProcessors ( )

routines for disabling syscall hooks on all cores

Returns
VOID
514{
515 KeGenericCallDpc(DpcRoutineDisableEferSyscallEvents, 0x0);
516}
DpcRoutineDisableEferSyscallEvents
VOID DpcRoutineDisableEferSyscallEvents(KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
Broadcast syscall unhook to all cores.
Definition DpcRoutines.c:633

◆ BroadcastDisableMov2ControlRegsExitingForClearingEventsAllCores()

IMPORT_EXPORT_VMM VOID BroadcastDisableMov2ControlRegsExitingForClearingEventsAllCores ( PDEBUGGER_EVENT_OPTIONS BroadcastingOption)

routines ONLY for disabling !crwrite command

Parameters
Event
Returns
VOID
228{
229 //
230 // Broadcast to all cores
231 //
232 KeGenericCallDpc(DpcRoutineDisableMov2CrExitingForClearingCrEventsAllCores, BroadcastingOption);
233}
DpcRoutineDisableMov2CrExitingForClearingCrEventsAllCores
VOID DpcRoutineDisableMov2CrExitingForClearingCrEventsAllCores(KDPC *Dpc, DEBUGGER_EVENT_OPTIONS *EventOptions, PVOID SystemArgument1, PVOID SystemArgument2)
Disables mov to control registers exiting ONLY for clearing !crwrite events.
Definition DpcRoutines.c:976

◆ BroadcastDisableMov2DebugRegsExitingForClearingEventsAllCores()

IMPORT_EXPORT_VMM VOID BroadcastDisableMov2DebugRegsExitingForClearingEventsAllCores ( )

routines ONLY for disabling !dr command

Returns
VOID
241{
242 //
243 // Broadcast to all cores
244 //
245 KeGenericCallDpc(DpcRoutineDisableMov2DrExitingForClearingDrEventsAllCores, NULL);
246}
DpcRoutineDisableMov2DrExitingForClearingDrEventsAllCores
VOID DpcRoutineDisableMov2DrExitingForClearingDrEventsAllCores(KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
Disables mov to debug registers exiting ONLY for clearing !dr events.
Definition DpcRoutines.c:944

◆ BroadcastDisableMovDebugRegistersExitingAllCores()

IMPORT_EXPORT_VMM VOID BroadcastDisableMovDebugRegistersExitingAllCores ( )

routines for disabling !dr

Returns
VOID
369{
370 //
371 // Broadcast to all cores
372 //
373 KeGenericCallDpc(DpcRoutineDisableMovDebigRegisterExitingAllCores, NULL);
374}
DpcRoutineDisableMovDebigRegisterExitingAllCores
VOID DpcRoutineDisableMovDebigRegisterExitingAllCores(KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
Disables mov debug registers exitings.
Definition DpcRoutines.c:1254

◆ BroadcastDisableMovToControlRegistersExitingAllCores()

IMPORT_EXPORT_VMM VOID BroadcastDisableMovToControlRegistersExitingAllCores ( PDEBUGGER_EVENT_OPTIONS BroadcastingOption)

routines for disabling !crwrite

Parameters
Event
Returns
VOID
342{
343 //
344 // Broadcast to all cores
345 //
346 KeGenericCallDpc(DpcRoutineDisableMovControlRegisterExitingAllCores, BroadcastingOption);
347}
DpcRoutineDisableMovControlRegisterExitingAllCores
VOID DpcRoutineDisableMovControlRegisterExitingAllCores(KDPC *Dpc, DEBUGGER_EVENT_OPTIONS *EventOptions, PVOID SystemArgument1, PVOID SystemArgument2)
Disables mov control registers exitings.
Definition DpcRoutines.c:1224

◆ BroadcastDisableMovToCr3ExitingOnAllProcessors()

IMPORT_EXPORT_VMM VOID BroadcastDisableMovToCr3ExitingOnAllProcessors ( )

routines for debugging threads (disable mov-to-cr3 exiting)

Returns
VOID
492{
493 KeGenericCallDpc(DpcRoutineDisableMovToCr3Exiting, 0x0);
494}
DpcRoutineDisableMovToCr3Exiting
VOID DpcRoutineDisableMovToCr3Exiting(KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
Broadcast to disable mov-to-cr3 exitings.
Definition DpcRoutines.c:571

◆ BroadcastDisableRdpmcExitingAllCores()

IMPORT_EXPORT_VMM VOID BroadcastDisableRdpmcExitingAllCores ( )

routines for disabling !pmc

Returns
VOID
268{
269 //
270 // Broadcast to all cores
271 //
272 KeGenericCallDpc(DpcRoutineDisableRdpmcExitingAllCores, NULL);
273}
DpcRoutineDisableRdpmcExitingAllCores
VOID DpcRoutineDisableRdpmcExitingAllCores(KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
Disable rdpmc exiting in primary cpu-based controls.
Definition DpcRoutines.c:1037

◆ BroadcastDisableRdtscExitingAllCores()

IMPORT_EXPORT_VMM VOID BroadcastDisableRdtscExitingAllCores ( )

a broadcast that causes for disabling rdtsc/p exiting

Returns
VOID
146{
147 //
148 // Broadcast to all cores
149 //
150 KeGenericCallDpc(DpcRoutineDisableRdtscExitingAllCores, NULL);
151}
DpcRoutineDisableRdtscExitingAllCores
VOID DpcRoutineDisableRdtscExitingAllCores(KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
Disables rdtsc/rdtscp exiting in primary cpu-based controls.
Definition DpcRoutines.c:879

◆ BroadcastDisableRdtscExitingForClearingEventsAllCores()

IMPORT_EXPORT_VMM VOID BroadcastDisableRdtscExitingForClearingEventsAllCores ( )

routines ONLY for disabling !tsc command

Returns
VOID
214{
215 //
216 // Broadcast to all cores
217 //
218 KeGenericCallDpc(DpcRoutineDisableRdtscExitingForClearingTscEventsAllCores, NULL);
219}
DpcRoutineDisableRdtscExitingForClearingTscEventsAllCores
VOID DpcRoutineDisableRdtscExitingForClearingTscEventsAllCores(KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
Disables rdtsc/rdtscp exiting in primary cpu-based controls ONLY for clearing !tsc events.
Definition DpcRoutines.c:911

◆ BroadcastEnableBreakpointExitingOnExceptionBitmapAllCores()

IMPORT_EXPORT_VMM VOID BroadcastEnableBreakpointExitingOnExceptionBitmapAllCores ( )

routines to enable vm-exit for breakpoints (exception bitmap)

Returns
VOID
64{
65 //
66 // Broadcast to all cores
67 //
68 KeGenericCallDpc(DpcRoutineEnableBreakpointOnExceptionBitmapOnAllCores, NULL);
69}
DpcRoutineEnableBreakpointOnExceptionBitmapOnAllCores
VOID DpcRoutineEnableBreakpointOnExceptionBitmapOnAllCores(KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
Enable breakpoint exiting on exception bitmaps on all cores.
Definition DpcRoutines.c:1411

◆ BroadcastEnableDbAndBpExitingAllCores()

IMPORT_EXPORT_VMM VOID BroadcastEnableDbAndBpExitingAllCores ( )

routines to set vm-exit on all #DBs and #BP on all cores

Returns
VOID
36{
37 //
38 // Broadcast to all cores
39 //
40 KeGenericCallDpc(DpcRoutineEnableDbAndBpExitingOnAllCores, NULL);
41}
DpcRoutineEnableDbAndBpExitingOnAllCores
VOID DpcRoutineEnableDbAndBpExitingOnAllCores(KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
Enable vm-exit on #DBs and #BPs on all cores.
Definition DpcRoutines.c:1535

◆ BroadcastEnableEferSyscallEventsOnAllProcessors()

IMPORT_EXPORT_VMM VOID BroadcastEnableEferSyscallEventsOnAllProcessors ( )

routines for enabling syscall hooks on all cores

Returns
VOID
503{
504 KeGenericCallDpc(DpcRoutineEnableEferSyscallEvents, 0x0);
505}
DpcRoutineEnableEferSyscallEvents
VOID DpcRoutineEnableEferSyscallEvents(KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
Broadcast syscall hook to all cores.
Definition DpcRoutines.c:602

◆ BroadcastEnableMovControlRegisterExitingAllCores()

IMPORT_EXPORT_VMM VOID BroadcastEnableMovControlRegisterExitingAllCores ( PDEBUGGER_EVENT_OPTIONS BroadcastingOption)

routines for !crwrite

causes vm-exit on all accesses to debug registers

Parameters
Event
Returns
VOID
328{
329 //
330 // Broadcast to all cores
331 //
332 KeGenericCallDpc(DpcRoutineEnableMovControlRegisterExitingAllCores, BroadcastingOption);
333}
DpcRoutineEnableMovControlRegisterExitingAllCores
VOID DpcRoutineEnableMovControlRegisterExitingAllCores(KDPC *Dpc, DEBUGGER_EVENT_OPTIONS *EventOptions, PVOID SystemArgument1, PVOID SystemArgument2)
Enables mov control registers exitings.
Definition DpcRoutines.c:1194

◆ BroadcastEnableMovDebugRegistersExitingAllCores()

IMPORT_EXPORT_VMM VOID BroadcastEnableMovDebugRegistersExitingAllCores ( )

routines for !dr

causes vm-exit on all accesses to debug registers

Returns
VOID
356{
357 //
358 // Broadcast to all cores
359 //
360 KeGenericCallDpc(DpcRoutineEnableMovDebigRegisterExitingAllCores, NULL);
361}
DpcRoutineEnableMovDebigRegisterExitingAllCores
VOID DpcRoutineEnableMovDebigRegisterExitingAllCores(KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
Enables mov debug registers exitings.
Definition DpcRoutines.c:1163

◆ BroadcastEnableMovToCr3ExitingOnAllProcessors()

IMPORT_EXPORT_VMM VOID BroadcastEnableMovToCr3ExitingOnAllProcessors ( )

routines for debugging threads (enable mov-to-cr3 exiting)

Returns
VOID
437{
438 KeGenericCallDpc(DpcRoutineEnableMovToCr3Exiting, 0x0);
439}
DpcRoutineEnableMovToCr3Exiting
VOID DpcRoutineEnableMovToCr3Exiting(KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
Broadcast to enable mov-to-cr3 exitings.
Definition DpcRoutines.c:447

◆ BroadcastEnableRdpmcExitingAllCores()

IMPORT_EXPORT_VMM VOID BroadcastEnableRdpmcExitingAllCores ( )

routines for !pmc

causes vm-exit on all execution of rdpmc

Returns
VOID
255{
256 //
257 // Broadcast to all cores
258 //
259 KeGenericCallDpc(DpcRoutineEnableRdpmcExitingAllCores, NULL);
260}
DpcRoutineEnableRdpmcExitingAllCores
VOID DpcRoutineEnableRdpmcExitingAllCores(KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
Enables rdpmc exiting in primary cpu-based controls.
Definition DpcRoutines.c:1006

◆ BroadcastEnableRdtscExitingAllCores()

IMPORT_EXPORT_VMM VOID BroadcastEnableRdtscExitingAllCores ( )

a broadcast that causes vm-exit on all execution of rdtsc/rdtscp

Returns
VOID
133{
134 //
135 // Broadcast to all cores
136 //
137 KeGenericCallDpc(DpcRoutineEnableRdtscExitingAllCores, NULL);
138}
DpcRoutineEnableRdtscExitingAllCores
VOID DpcRoutineEnableRdtscExitingAllCores(KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
Enables rdtsc/rdtscp exiting in primary cpu-based controls.
Definition DpcRoutines.c:848

◆ BroadcastIoBitmapChangeAllCores()

IMPORT_EXPORT_VMM VOID BroadcastIoBitmapChangeAllCores ( UINT64 Port)

routines for !ioin and !ioout command which

causes vm-exit on all i/o instructions or one port

Returns
VOID
410{
411 //
412 // Broadcast to all cores
413 //
414 KeGenericCallDpc(DpcRoutineChangeIoBitmapOnAllCores, (PVOID)Port);
415}
DpcRoutineChangeIoBitmapOnAllCores
VOID DpcRoutineChangeIoBitmapOnAllCores(KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
Change I/O Bitmaps on all cores.
Definition DpcRoutines.c:1350

◆ BroadcastIoBitmapResetAllCores()

IMPORT_EXPORT_VMM VOID BroadcastIoBitmapResetAllCores ( )

routines for reset !ioin and !ioout command

Returns
VOID
423{
424 //
425 // Broadcast to all cores
426 //
427 KeGenericCallDpc(DpcRoutineResetIoBitmapOnAllCores, NULL);
428}
DpcRoutineResetIoBitmapOnAllCores
VOID DpcRoutineResetIoBitmapOnAllCores(KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
Reset I/O Bitmaps on all cores.
Definition DpcRoutines.c:1380

◆ BroadcastResetAllMsrBitmapWriteAllCores()

IMPORT_EXPORT_VMM VOID BroadcastResetAllMsrBitmapWriteAllCores ( )

routines for reset !msrwrite command which

Returns
VOID
201{
202 //
203 // Broadcast to all cores
204 //
205 KeGenericCallDpc(DpcRoutineResetMsrBitmapWriteOnAllCores, NULL);
206}
DpcRoutineResetMsrBitmapWriteOnAllCores
VOID DpcRoutineResetMsrBitmapWriteOnAllCores(KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
Reset Msr Bitmaps on all cores (vm-exit on all msrs)
Definition DpcRoutines.c:817

◆ BroadcastResetChangeAllMsrBitmapReadAllCores()

IMPORT_EXPORT_VMM VOID BroadcastResetChangeAllMsrBitmapReadAllCores ( )

routines for disable (reset) !msrread command

Returns
VOID
174{
175 //
176 // Broadcast to all cores
177 //
178 KeGenericCallDpc(DpcRoutineResetMsrBitmapReadOnAllCores, NULL);
179}
DpcRoutineResetMsrBitmapReadOnAllCores
VOID DpcRoutineResetMsrBitmapReadOnAllCores(KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
Reset Msr Bitmaps on all cores (vm-exit on all msrs)
Definition DpcRoutines.c:756

◆ BroadcastResetExceptionBitmapAllCores()

IMPORT_EXPORT_VMM VOID BroadcastResetExceptionBitmapAllCores ( )

routines for reset !exception command

Returns
VOID
313{
314 //
315 // Broadcast to all cores
316 //
317 KeGenericCallDpc(DpcRoutineResetExceptionBitmapOnlyOnClearingExceptionEventsOnAllCores, NULL);
318}
DpcRoutineResetExceptionBitmapOnlyOnClearingExceptionEventsOnAllCores
VOID DpcRoutineResetExceptionBitmapOnlyOnClearingExceptionEventsOnAllCores(KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
Reset Exception Bitmaps on all cores.
Definition DpcRoutines.c:1129

◆ BroadcastSetExceptionBitmapAllCores()

IMPORT_EXPORT_VMM VOID BroadcastSetExceptionBitmapAllCores ( UINT64 ExceptionIndex)

routines for !exception command which

causes vm-exit when exception occurred

Parameters
ExceptionIndexindex of exception on IDT
Returns
VOID
284{
285 //
286 // Broadcast to all cores
287 //
288 KeGenericCallDpc(DpcRoutineSetExceptionBitmapOnAllCores, (PVOID)ExceptionIndex);
289}
DpcRoutineSetExceptionBitmapOnAllCores
VOID DpcRoutineSetExceptionBitmapOnAllCores(KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
Enable Exception Bitmaps on all cores.
Definition DpcRoutines.c:1068

◆ BroadcastSetExternalInterruptExitingAllCores()

IMPORT_EXPORT_VMM VOID BroadcastSetExternalInterruptExitingAllCores ( )

routines for !interrupt command which

causes vm-exit when external interrupt occurs

Returns
VOID
383{
384 //
385 // Broadcast to all cores
386 //
387 KeGenericCallDpc(DpcRoutineSetEnableExternalInterruptExitingOnAllCores, NULL);
388}
DpcRoutineSetEnableExternalInterruptExitingOnAllCores
VOID DpcRoutineSetEnableExternalInterruptExitingOnAllCores(KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
Enable vm-exit on all cores for external interrupts.
Definition DpcRoutines.c:1285

◆ BroadcastUnsetExceptionBitmapAllCores()

IMPORT_EXPORT_VMM VOID BroadcastUnsetExceptionBitmapAllCores ( UINT64 ExceptionIndex)

routines for disabling exception bitmap

removes vm-exit when exception occurred

Parameters
ExceptionIndexindex of exception on IDT
Returns
VOID
300{
301 //
302 // Broadcast to all cores
303 //
304 KeGenericCallDpc(DpcRoutineUnsetExceptionBitmapOnAllCores, (PVOID)ExceptionIndex);
305}
DpcRoutineUnsetExceptionBitmapOnAllCores
VOID DpcRoutineUnsetExceptionBitmapOnAllCores(KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
Disable Exception Bitmaps on all cores.
Definition DpcRoutines.c:1098

◆ BroadcastUnsetExternalInterruptExitingOnlyOnClearingInterruptEventsAllCores()

IMPORT_EXPORT_VMM VOID BroadcastUnsetExternalInterruptExitingOnlyOnClearingInterruptEventsAllCores ( )

routines for ONLY terminate !interrupt command

Returns
VOID
396{
397 //
398 // Broadcast to all cores
399 //
400 KeGenericCallDpc(DpcRoutineSetDisableExternalInterruptExitingOnlyOnClearingInterruptEventsOnAllCores, NULL);
401}
DpcRoutineSetDisableExternalInterruptExitingOnlyOnClearingInterruptEventsOnAllCores
VOID DpcRoutineSetDisableExternalInterruptExitingOnlyOnClearingInterruptEventsOnAllCores(KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
Disable vm-exit on all cores for external interrupts only for clearing !interrupt events.
Definition DpcRoutines.c:1316

◆ CheckAccessValidityAndSafety()

IMPORT_EXPORT_VMM BOOLEAN CheckAccessValidityAndSafety ( UINT64 TargetAddress,
UINT32 Size )

Check the safety to access the memory.

Parameters
TargetAddress
Size
Returns
BOOLEAN
157{
158 CR3_TYPE GuestCr3;
159 UINT64 OriginalCr3;
160 BOOLEAN IsKernelAddress;
161 BOOLEAN Result = FALSE;
162
163 //
164 // First, we check if the address is canonical based
165 // on Intel processor's virtual address width
166 //
167 if (!CheckAddressCanonicality(TargetAddress, &IsKernelAddress))
168 {
169 //
170 // No need for further check, address is invalid
171 //
172 Result = FALSE;
173 goto Return;
174 }
175
176 //
177 // Find the current process cr3
178 //
179 GuestCr3.Flags = LayoutGetCurrentProcessCr3().Flags;
180
181 //
182 // Move to new cr3
183 //
184 OriginalCr3 = __readcr3();
185 __writecr3(GuestCr3.Flags);
186
187 //
188 // We'll only check address with TSX if the address is a kernel-mode
189 // address because an exception is thrown if we access user-mode code
190 // from vmx-root mode, thus, TSX will fail the transaction and the
191 // result is not true, so we check each pages' page-table for user-mode
192 // codes in both user-mode and kernel-mode
193 //
194 // if (g_RtmSupport && IsKernelAddress)
195 // {
196 // //
197 // // The guest supports Intel TSX
198 // //
199 // UINT64 AlignedPage = (UINT64)PAGE_ALIGN(TargetAddress);
200 // UINT64 PageCount = ((TargetAddress - AlignedPage) + Size) / PAGE_SIZE;
201 //
202 // for (size_t i = 0; i <= PageCount; i++)
203 // {
204 // UINT64 CheckAddr = AlignedPage + (PAGE_SIZE * i);
205 // if (!CheckAddressValidityUsingTsx(CheckAddr))
206 // {
207 // //
208 // // Address is not valid
209 // //
210 // Result = FALSE;
211 //
212 // goto RestoreCr3;
213 // }
214 // }
215 // }
216
217 //
218 // We've realized that using TSX for address checking is not faster
219 // than the legacy memory checking (traversing the page-tables),
220 // based on our resultsm it's ~50 TSC clock cycles for a valid address
221 // and ~180 TSC clock cycles for an invalid address slower to use TSX
222 // for memory checking, that's why it is deprecated now
223 //
224
225 //
226 // Check if memory is safe and present
227 //
228 UINT64 AddressToCheck = (CHAR *)TargetAddress + Size - ((CHAR *)PAGE_ALIGN(TargetAddress));
229
230 if (AddressToCheck > PAGE_SIZE)
231 {
232 //
233 // Address should be accessed in more than one page
234 //
235 UINT64 ReadSize = AddressToCheck;
236
237 while (Size != 0)
238 {
239 ReadSize = (UINT64)PAGE_ALIGN(TargetAddress + PAGE_SIZE) - TargetAddress;
240
241 if (ReadSize == PAGE_SIZE && Size < PAGE_SIZE)
242 {
243 ReadSize = Size;
244 }
245
246 if (!MemoryMapperCheckIfPageIsPresentByCr3((PVOID)TargetAddress, GuestCr3))
247 {
248 //
249 // Address is not valid
250 //
251 Result = FALSE;
252
253 goto RestoreCr3;
254 }
255
256 /*
257 LogInfo("Addr From : %llx to Addr To : %llx | ReadSize : %llx\n",
258 TargetAddress,
259 TargetAddress + ReadSize,
260 ReadSize);
261 */
262
263 //
264 // Apply the changes to the next addresses (if any)
265 //
266 Size = (UINT32)(Size - ReadSize);
267 TargetAddress = TargetAddress + ReadSize;
268 }
269 }
270 else
271 {
272 if (!MemoryMapperCheckIfPageIsPresentByCr3((PVOID)TargetAddress, GuestCr3))
273 {
274 //
275 // Address is not valid
276 //
277 Result = FALSE;
278
279 goto RestoreCr3;
280 }
281 }
282
283 //
284 // If we've reached here, the address was valid
285 //
286 Result = TRUE;
287
288RestoreCr3:
289
290 //
291 // Move back to original cr3
292 //
293 __writecr3(OriginalCr3);
294
295Return:
296 return Result;
297}
CheckAddressCanonicality
BOOLEAN CheckAddressCanonicality(UINT64 VAddr, PBOOLEAN IsKernelAddress)
Checks if the address is canonical based on x86 processor's virtual address width or not.
Definition AddressCheck.c:66
BOOLEAN
UCHAR BOOLEAN
Definition BasicTypes.h:39
TRUE
#define TRUE
Definition BasicTypes.h:55
FALSE
#define FALSE
Definition BasicTypes.h:54
UINT64
unsigned __int64 UINT64
Definition BasicTypes.h:21
UINT32
unsigned int UINT32
Definition BasicTypes.h:48
CHAR
char CHAR
Definition BasicTypes.h:31
LayoutGetCurrentProcessCr3
CR3_TYPE LayoutGetCurrentProcessCr3()
Get cr3 of the target running process.
Definition Layout.c:55
MemoryMapperCheckIfPageIsPresentByCr3
_Use_decl_annotations_ BOOLEAN MemoryMapperCheckIfPageIsPresentByCr3(PVOID Va, CR3_TYPE TargetCr3)
This function checks if the page is mapped or not.
Definition MemoryMapper.c:418
PAGE_SIZE
#define PAGE_SIZE
Size of each page (4096 bytes)
Definition common.h:69
PAGE_ALIGN
#define PAGE_ALIGN(Va)
Aligning a page.
Definition common.h:75
_CR3_TYPE
CR3 Structure.
Definition BasicTypes.h:130
_CR3_TYPE::Flags
UINT64 Flags
Definition BasicTypes.h:133

◆ CheckAddressMaximumInstructionLength()

IMPORT_EXPORT_VMM UINT32 CheckAddressMaximumInstructionLength ( PVOID Address)

This function returns the maximum instruction length that can be read from this address.

Parameters
Address
Returns
UINT32
307{
308 UINT64 SizeOfSafeBufferToRead = 0;
309
310 //
311 // Compute the amount of buffer we can read without problem
312 //
313 SizeOfSafeBufferToRead = (UINT64)Address & 0xfff;
314 SizeOfSafeBufferToRead += MAXIMUM_INSTR_SIZE;
315
316 if (SizeOfSafeBufferToRead >= PAGE_SIZE)
317 {
318 SizeOfSafeBufferToRead = SizeOfSafeBufferToRead - PAGE_SIZE;
319
320 //
321 // When we reached here, we're sure the instruction is on the boundary of a
322 // page table, so we have the maximum instruction length to read, but just
323 // to make sure that the instruction is not continued into two pages, we'll
324 // check the validity of the next page
325 //
326 if (CheckAccessValidityAndSafety((UINT64)Address + PAGE_SIZE, sizeof(CHAR)))
327 {
328 //
329 // Address is safe to be read from the next page, so we just extend it
330 // to the MAXIMUM_INSTR_SIZE
331 //
332 SizeOfSafeBufferToRead = MAXIMUM_INSTR_SIZE;
333 }
334 else
335 {
336 SizeOfSafeBufferToRead = MAXIMUM_INSTR_SIZE - SizeOfSafeBufferToRead;
337 }
338 }
339 else
340 {
341 SizeOfSafeBufferToRead = MAXIMUM_INSTR_SIZE;
342 }
343
344 return (UINT32)SizeOfSafeBufferToRead;
345}
CheckAccessValidityAndSafety
BOOLEAN CheckAccessValidityAndSafety(UINT64 TargetAddress, UINT32 Size)
Check the safety to access the memory.
Definition AddressCheck.c:156
MAXIMUM_INSTR_SIZE
#define MAXIMUM_INSTR_SIZE
maximum instruction size in Intel
Definition Constants.h:468
Address
UINT64 Address
Definition HyperDbgScriptImports.h:67

◆ CheckAddressPhysical()

IMPORT_EXPORT_VMM BOOLEAN CheckAddressPhysical ( UINT64 PAddr)

Checks if the physical address is correct or not based on physical address width.

Parameters
PAddrPhysical address to check
Returns
BOOLEAN
121{
122 UINT64 Addr = (UINT64)PAddr;
123 UINT64 MaxPA;
124
125 //
126 // Get processor's address width for PS
127 //
128 UINT32 AddrWidth = g_CompatibilityCheck.PhysicalAddressWidth;
129
130 //
131 // get max address for physical address
132 //
133 MaxPA = ((UINT64)1ull << (AddrWidth - 1)) - 1;
134
135 // LogInfo("Max physical address: %llx", MaxPA);
136
137 //
138 // Check to see if the address in a canonical address
139 //
140 if (Addr > MaxPA)
141 {
142 return FALSE;
143 }
144
145 return TRUE;
146}
g_CompatibilityCheck
COMPATIBILITY_CHECKS_STATUS g_CompatibilityCheck
Different attributes and compatibility checks of the current processor.
Definition GlobalVariables.h:26
_COMPATIBILITY_CHECKS_STATUS::PhysicalAddressWidth
UINT32 PhysicalAddressWidth
Definition CompatibilityChecks.h:31

◆ CheckAddressValidityUsingTsx()

IMPORT_EXPORT_VMM BOOLEAN CheckAddressValidityUsingTsx ( CHAR * Address)

This function checks whether the address is valid or not using Intel TSX.

Parameters
AddressAddress to check
UINT32ProcId
Returns
BOOLEAN Returns true if the address is valid; otherwise, false
25{
26 UINT32 Status = 0;
27 BOOLEAN Result = FALSE;
28 CHAR TempContent;
29
30 if ((Status = _xbegin()) == _XBEGIN_STARTED)
31 {
32 //
33 // Try to read the memory
34 //
35 TempContent = *(CHAR *)Address;
36 _xend();
37
38 //
39 // No error, address is valid
40 //
41 Result = TRUE;
42 }
43 else
44 {
45 //
46 // Address is not valid, it aborts the tsx rtm
47 //
48 Result = FALSE;
49 }
50
51 return Result;
52}
_XBEGIN_STARTED
#define _XBEGIN_STARTED
Intel TSX Constants.
Definition Common.h:213

◆ ConfigureChangeIoBitmapOnSingleCore()

IMPORT_EXPORT_VMM VOID ConfigureChangeIoBitmapOnSingleCore ( UINT32 TargetCoreId,
UINT64 Port )

change I/O port bitmap on a single core

Parameters
TargetCoreIdThe target core's ID (to just run on this core)
PortTarget port in I/O bitmap
Returns
VOID
569{
570 DpcRoutineRunTaskOnSingleCore(TargetCoreId, (PVOID)DpcRoutinePerformChangeIoBitmapOnSingleCore, (PVOID)Port);
571}
DpcRoutinePerformChangeIoBitmapOnSingleCore
VOID DpcRoutinePerformChangeIoBitmapOnSingleCore(KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
change I/O bitmap on a single core
Definition DpcRoutines.c:419
DpcRoutineRunTaskOnSingleCore
NTSTATUS DpcRoutineRunTaskOnSingleCore(UINT32 CoreNumber, PVOID Routine, PVOID DeferredContext)
This function synchronize the function execution for a single core You should only used it for one co...
Definition DpcRoutines.c:35

◆ ConfigureChangeMsrBitmapReadOnSingleCore()

IMPORT_EXPORT_VMM VOID ConfigureChangeMsrBitmapReadOnSingleCore ( UINT32 TargetCoreId,
UINT64 MsrMask )

change the mask of msr bitmaps for read on a single core

Parameters
TargetCoreIdThe target core's ID (to just run on this core)
MsrMaskThe ECX in MSR (mask)
Returns
VOID
555{
556 DpcRoutineRunTaskOnSingleCore(TargetCoreId, (PVOID)DpcRoutinePerformChangeMsrBitmapReadOnSingleCore, (PVOID)MsrMask);
557}
DpcRoutinePerformChangeMsrBitmapReadOnSingleCore
VOID DpcRoutinePerformChangeMsrBitmapReadOnSingleCore(KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
change msr bitmap read on a single core
Definition DpcRoutines.c:161

◆ ConfigureChangeMsrBitmapWriteOnSingleCore()

IMPORT_EXPORT_VMM VOID ConfigureChangeMsrBitmapWriteOnSingleCore ( UINT32 TargetCoreId,
UINT64 MsrMask )

change the mask of msr bitmaps for write on a single core

Parameters
TargetCoreIdThe target core's ID (to just run on this core)
MsrMaskThe ECX in MSR (mask)
Returns
VOID
541{
542 DpcRoutineRunTaskOnSingleCore(TargetCoreId, (PVOID)DpcRoutinePerformChangeMsrBitmapWriteOnSingleCore, (PVOID)MsrMask);
543}
DpcRoutinePerformChangeMsrBitmapWriteOnSingleCore
VOID DpcRoutinePerformChangeMsrBitmapWriteOnSingleCore(KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
change msr bitmap write on a single core
Definition DpcRoutines.c:189

◆ ConfigureDirtyLoggingInitializeOnAllProcessors()

IMPORT_EXPORT_VMM VOID ConfigureDirtyLoggingInitializeOnAllProcessors ( )

routines for initializing dirty logging mechanism

Returns
VOID
95{
96 DirtyLoggingInitialize();
97}
DirtyLoggingInitialize
BOOLEAN DirtyLoggingInitialize()
Initialize the dirty logging mechanism.
Definition DirtyLogging.c:21

◆ ConfigureDirtyLoggingUninitializeOnAllProcessors()

IMPORT_EXPORT_VMM VOID ConfigureDirtyLoggingUninitializeOnAllProcessors ( )

routines for uninitializing dirty logging mechanism

Returns
VOID
106{
107 DirtyLoggingUninitialize();
108}
DirtyLoggingUninitialize
VOID DirtyLoggingUninitialize()
Initialize the dirty logging mechanism.
Definition DirtyLogging.c:182

◆ ConfigureDisableEferSyscallEventsOnAllProcessors()

IMPORT_EXPORT_VMM VOID ConfigureDisableEferSyscallEventsOnAllProcessors ( )

routines for disabling syscall hooks on all cores

Returns
VOID
144{
145 BroadcastDisableEferSyscallEventsOnAllProcessors();
146}
BroadcastDisableEferSyscallEventsOnAllProcessors
VOID BroadcastDisableEferSyscallEventsOnAllProcessors()
routines for disabling syscall hooks on all cores
Definition Broadcast.c:513

◆ ConfigureDisableMovToCr3ExitingOnAllProcessors()

IMPORT_EXPORT_VMM VOID ConfigureDisableMovToCr3ExitingOnAllProcessors ( )

routines for debugging threads (disable mov-to-cr3 exiting)

Returns
VOID
117{
118 //
119 // Indicate that the future #PFs should or should not be checked with user debugger
120 //
121 g_CheckPageFaultsAndMov2Cr3VmexitsWithUserDebugger = FALSE;
122
123 BroadcastDisableMovToCr3ExitingOnAllProcessors();
124}
BroadcastDisableMovToCr3ExitingOnAllProcessors
VOID BroadcastDisableMovToCr3ExitingOnAllProcessors()
routines for debugging threads (disable mov-to-cr3 exiting)
Definition Broadcast.c:491
g_CheckPageFaultsAndMov2Cr3VmexitsWithUserDebugger
BOOLEAN g_CheckPageFaultsAndMov2Cr3VmexitsWithUserDebugger
Whether the page-fault and cr3 vm-exits in vmx-root should check the #PFs or the PML4....
Definition GlobalVariables.h:114

◆ ConfigureEnableEferSyscallEventsOnAllProcessors()

IMPORT_EXPORT_VMM VOID ConfigureEnableEferSyscallEventsOnAllProcessors ( )

routines for enabling syscall hooks on all cores

Returns
VOID
133{
134 BroadcastEnableEferSyscallEventsOnAllProcessors();
135}
BroadcastEnableEferSyscallEventsOnAllProcessors
VOID BroadcastEnableEferSyscallEventsOnAllProcessors()
routines for enabling syscall hooks on all cores
Definition Broadcast.c:502

◆ ConfigureEnableEferSyscallHookOnSingleCore()

IMPORT_EXPORT_VMM VOID ConfigureEnableEferSyscallHookOnSingleCore ( UINT32 TargetCoreId)

routines for enabling EFER syscall hooks on a single core

Parameters
TargetCoreIdThe target core's ID (to just run on this core)
Returns
VOID
427{
428 DpcRoutineRunTaskOnSingleCore(TargetCoreId, (PVOID)DpcRoutinePerformEnableEferSyscallHookOnSingleCore, NULL);
429}
DpcRoutinePerformEnableEferSyscallHookOnSingleCore
VOID DpcRoutinePerformEnableEferSyscallHookOnSingleCore(KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
Enable syscall hook EFER on a single core.
Definition DpcRoutines.c:390

◆ ConfigureEnableMovToControlRegisterExitingOnSingleCore()

IMPORT_EXPORT_VMM VOID ConfigureEnableMovToControlRegisterExitingOnSingleCore ( UINT32 TargetCoreId,
DEBUGGER_EVENT_OPTIONS * BroadcastingOption )

enable mov 2 control register on a single core

Parameters
TargetCoreIdThe target core's ID (to just run on this core)
BroadcastingOptionThe optional broadcasting fields
Returns
VOID
527{
528 DpcRoutineRunTaskOnSingleCore(TargetCoreId, (PVOID)DpcRoutinePerformEnableMovToControlRegisterExiting, &BroadcastingOption);
529}
DpcRoutinePerformEnableMovToControlRegisterExiting
VOID DpcRoutinePerformEnableMovToControlRegisterExiting(KDPC *Dpc, DEBUGGER_EVENT_OPTIONS *EventOptions, PVOID SystemArgument1, PVOID SystemArgument2)
Set the Mov to Control Registers Exitings.
Definition DpcRoutines.c:333

◆ ConfigureEnableMovToCr3ExitingOnAllProcessors()

IMPORT_EXPORT_VMM VOID ConfigureEnableMovToCr3ExitingOnAllProcessors ( )

routines for debugging threads (enable mov-to-cr3 exiting)

Returns
VOID
22{
23 //
24 // Indicate that the future #PFs should or should not be checked with user debugger
25 //
26 g_CheckPageFaultsAndMov2Cr3VmexitsWithUserDebugger = TRUE;
27
28 BroadcastEnableMovToCr3ExitingOnAllProcessors();
29}
BroadcastEnableMovToCr3ExitingOnAllProcessors
VOID BroadcastEnableMovToCr3ExitingOnAllProcessors()
routines for debugging threads (enable mov-to-cr3 exiting)
Definition Broadcast.c:436

◆ ConfigureEnableMovToDebugRegistersExitingOnSingleCore()

IMPORT_EXPORT_VMM VOID ConfigureEnableMovToDebugRegistersExitingOnSingleCore ( UINT32 TargetCoreId)

enable mov 2 debug register exiting on a single core

Parameters
TargetCoreIdThe target core's ID (to just run on this core)
Returns
VOID
499{
500 DpcRoutineRunTaskOnSingleCore(TargetCoreId, (PVOID)DpcRoutinePerformEnableMovToDebugRegistersExiting, NULL);
501}
DpcRoutinePerformEnableMovToDebugRegistersExiting
VOID DpcRoutinePerformEnableMovToDebugRegistersExiting(KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
Set the Mov to Debug Registers Exitings.
Definition DpcRoutines.c:304

◆ ConfigureEnableRdpmcExitingOnSingleCore()

IMPORT_EXPORT_VMM VOID ConfigureEnableRdpmcExitingOnSingleCore ( UINT32 TargetCoreId)

enable RDPMC exiting on a single core

Parameters
TargetCoreIdThe target core's ID (to just run on this core)
Returns
VOID
486{
487 DpcRoutineRunTaskOnSingleCore(TargetCoreId, (PVOID)DpcRoutinePerformEnableRdpmcExitingOnSingleCore, NULL);
488}
DpcRoutinePerformEnableRdpmcExitingOnSingleCore
VOID DpcRoutinePerformEnableRdpmcExitingOnSingleCore(KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
set rdpmc exiting
Definition DpcRoutines.c:246

◆ ConfigureEnableRdtscExitingOnSingleCore()

IMPORT_EXPORT_VMM VOID ConfigureEnableRdtscExitingOnSingleCore ( UINT32 TargetCoreId)

enable RDTSC exiting on a single core

Parameters
TargetCoreIdThe target core's ID (to just run on this core)
Returns
VOID
473{
474 DpcRoutineRunTaskOnSingleCore(TargetCoreId, (PVOID)DpcRoutinePerformEnableRdtscExitingOnSingleCore, NULL);
475}
DpcRoutinePerformEnableRdtscExitingOnSingleCore
VOID DpcRoutinePerformEnableRdtscExitingOnSingleCore(KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
set rdtsc/rdtscp exiting
Definition DpcRoutines.c:217

◆ ConfigureEptHook()

IMPORT_EXPORT_VMM BOOLEAN ConfigureEptHook ( PVOID TargetAddress,
UINT32 ProcessId )

This function invokes a VMCALL to set the hook and broadcast the exiting for the breakpoints on exception bitmap.

this command uses hidden breakpoints (0xcc) to hook, THIS FUNCTION SHOULD BE CALLED WHEN THE VMLAUNCH ALREADY EXECUTED, it is because, broadcasting to enable exception bitmap for breakpoint is not clear here, if we want to broadcast to enable exception bitmaps on all cores when vmlaunch is not executed then that's ok but a user might call this function when we didn't configure the vmcs, it's a problem! we can solve it by giving a hint to vmcs configure function to make it ok for future configuration but that sounds stupid, I think it's better to not support this feature. Btw, debugger won't use this function in the above mentioned method, so we won't have any problem with this :)

Parameters
TargetAddressThe address of function or memory address to be hooked
ProcessIdThe process id to translate based on that process's cr3
Returns
BOOLEAN Returns true if the hook was successful or false if there was an error
262{
263 return EptHook(TargetAddress, ProcessId);
264}
EptHook
BOOLEAN EptHook(PVOID TargetAddress, UINT32 ProcessId)
This function invokes a VMCALL to set the hook and broadcast the exiting for the breakpoints on excep...
Definition EptHook.c:605

◆ ConfigureEptHook2()

IMPORT_EXPORT_VMM BOOLEAN ConfigureEptHook2 ( UINT32 CoreId,
PVOID TargetAddress,
PVOID HookFunction,
UINT32 ProcessId )

This function allocates a buffer in VMX Non Root Mode and then invokes a VMCALL to set the hook (inline)

this command uses hidden detours, this NOT be called from vmx-root mode

Parameters
CoreIdID of the target core
TargetAddressThe address of function or memory address to be hooked
HookFunctionThe function that will be called when hook triggered
ProcessIdThe process id to translate based on that process's cr3
Returns
BOOLEAN Returns true if the hook was successful or false if there was an error
299{
300 return EptHookInlineHook(&g_GuestState[CoreId],
301 TargetAddress,
302 HookFunction,
303 ProcessId);
304}
EptHookInlineHook
BOOLEAN EptHookInlineHook(VIRTUAL_MACHINE_STATE *VCpu, PVOID TargetAddress, PVOID HookFunction, UINT32 ProcessId)
This function applies EPT hook 2 (inline) to the target EPT table.
Definition EptHook.c:1542
g_GuestState
VIRTUAL_MACHINE_STATE * g_GuestState
Save the state and variables related to virtualization on each to logical core.
Definition GlobalVariables.h:38

◆ ConfigureEptHook2FromVmxRoot()

IMPORT_EXPORT_VMM BOOLEAN ConfigureEptHook2FromVmxRoot ( UINT32 CoreId,
PVOID TargetAddress,
PVOID HookFunction )

This function allocates a buffer in VMX Non Root Mode and then invokes a VMCALL to set the hook (inline EPT hook)

this command uses hidden detours, this should be called from vmx-root mode

Parameters
CoreIdID of the target core
TargetAddressThe address of function or memory address to be hooked
HookFunctionThe function that will be called when hook triggered
Returns
BOOLEAN Returns true if the hook was successful or false if there was an error
341{
342 return EptHookInlineHookFromVmxRoot(&g_GuestState[CoreId],
343 TargetAddress,
344 HookFunction);
345}
EptHookInlineHookFromVmxRoot
BOOLEAN EptHookInlineHookFromVmxRoot(VIRTUAL_MACHINE_STATE *VCpu, PVOID TargetAddress, PVOID HookFunction)
This function applies EPT inline to the target EPT table.
Definition EptHook.c:1613

◆ ConfigureEptHookAllocateExtraHookingPagesForMemoryMonitorsAndExecEptHooks()

IMPORT_EXPORT_VMM VOID ConfigureEptHookAllocateExtraHookingPagesForMemoryMonitorsAndExecEptHooks ( UINT32 Count)

Allocate (reserve) extra pages for storing details of page hooks for memory monitor and regular hidden breakpoit exec EPT hooks.

Parameters
Count
Returns
VOID
228{
229 EptHookAllocateExtraHookingPagesForMemoryMonitorsAndExecEptHooks(Count);
230}
EptHookAllocateExtraHookingPagesForMemoryMonitorsAndExecEptHooks
VOID EptHookAllocateExtraHookingPagesForMemoryMonitorsAndExecEptHooks(UINT32 Count)
Allocate (reserve) extra pages for storing details of page hooks for memory monitor and regular hidde...
Definition EptHook.c:110

◆ ConfigureEptHookFromVmxRoot()

IMPORT_EXPORT_VMM BOOLEAN ConfigureEptHookFromVmxRoot ( PVOID TargetAddress)

This function invokes a direct VMCALL to setup the hook.

the caller of this function should make sure to 1) broadcast to all cores to intercept breakpoints (#BPs) and after calling this function 2) the caller should broadcast to all cores to invalidate their EPTPs

Parameters
TargetAddressThe address of function or memory address to be hooked
Returns
BOOLEAN Returns true if the hook was successful or false if there was an error
279{
280 return EptHookFromVmxRoot(TargetAddress);
281}
EptHookFromVmxRoot
BOOLEAN EptHookFromVmxRoot(PVOID TargetAddress)
This function invokes a direct VMCALL to setup the hook.
Definition EptHook.c:631

◆ ConfigureEptHookModifyInstructionFetchState()

IMPORT_EXPORT_VMM BOOLEAN ConfigureEptHookModifyInstructionFetchState ( UINT32 CoreId,
PVOID PhysicalAddress,
BOOLEAN IsUnset )

Change PML EPT state for execution (execute) @detail should be called from VMX-root.

Parameters
CoreIdCurrent Core ID
PhysicalAddressTarget physical address
IsUnsetIs unsetting bit or setting bit
Returns
BOOLEAN
378{
379 return EptHookModifyInstructionFetchState(&g_GuestState[CoreId], PhysicalAddress, IsUnset);
380}
EptHookModifyInstructionFetchState
BOOLEAN EptHookModifyInstructionFetchState(VIRTUAL_MACHINE_STATE *VCpu, PVOID PhysicalAddress, BOOLEAN IsUnset)
Change PML EPT state for execution (execute) @detail should be called from VMX-root.
Definition EptHook.c:2566

◆ ConfigureEptHookModifyPageReadState()

IMPORT_EXPORT_VMM BOOLEAN ConfigureEptHookModifyPageReadState ( UINT32 CoreId,
PVOID PhysicalAddress,
BOOLEAN IsUnset )

Change PML EPT state for read @detail should be called from VMX-root.

Parameters
VCpuThe virtual processor's state
PhysicalAddressTarget physical address
IsUnsetIs unsetting bit or setting bit
Returns
BOOLEAN
396{
397 return EptHookModifyPageReadState(&g_GuestState[CoreId], PhysicalAddress, IsUnset);
398}
EptHookModifyPageReadState
BOOLEAN EptHookModifyPageReadState(VIRTUAL_MACHINE_STATE *VCpu, PVOID PhysicalAddress, BOOLEAN IsUnset)
Change PML EPT state for read @detail should be called from VMX-root.
Definition EptHook.c:2624

◆ ConfigureEptHookModifyPageWriteState()

IMPORT_EXPORT_VMM BOOLEAN ConfigureEptHookModifyPageWriteState ( UINT32 CoreId,
PVOID PhysicalAddress,
BOOLEAN IsUnset )

Change PML EPT state for write @detail should be called from VMX-root.

Parameters
VCpuThe virtual processor's state
PhysicalAddressTarget physical address
IsUnsetIs unsetting bit or setting bit
Returns
BOOLEAN
414{
415 return EptHookModifyPageWriteState(&g_GuestState[CoreId], PhysicalAddress, IsUnset);
416}
EptHookModifyPageWriteState
BOOLEAN EptHookModifyPageWriteState(VIRTUAL_MACHINE_STATE *VCpu, PVOID PhysicalAddress, BOOLEAN IsUnset)
Change PML EPT state for write @detail should be called from VMX-root.
Definition EptHook.c:2682

◆ ConfigureEptHookMonitor()

IMPORT_EXPORT_VMM BOOLEAN ConfigureEptHookMonitor ( UINT32 CoreId,
EPT_HOOKS_ADDRESS_DETAILS_FOR_MEMORY_MONITOR * HookingDetails,
UINT32 ProcessId )

This function allocates a buffer in VMX Non Root Mode and then invokes a VMCALL to set the hook.

this command uses hidden detours, this NOT be called from vmx-root mode

Parameters
CoreIdID of the target core
HookingDetailsMonitor hooking detail
ProcessIdThe process id to translate based on that process's cr3
Returns
BOOLEAN Returns true if the hook was successful or false if there was an error
321{
322 return EptHookMonitorHook(&g_GuestState[CoreId],
323 HookingDetails,
324 ProcessId);
325}
EptHookMonitorHook
BOOLEAN EptHookMonitorHook(VIRTUAL_MACHINE_STATE *VCpu, EPT_HOOKS_ADDRESS_DETAILS_FOR_MEMORY_MONITOR *HookingDetails, UINT32 ProcessId)
This function applies monitor hooks to the target EPT table.
Definition EptHook.c:1582

◆ ConfigureEptHookMonitorFromVmxRoot()

IMPORT_EXPORT_VMM BOOLEAN ConfigureEptHookMonitorFromVmxRoot ( UINT32 CoreId,
EPT_HOOKS_ADDRESS_DETAILS_FOR_MEMORY_MONITOR * MemoryAddressDetails )

This function allocates a buffer in VMX Non Root Mode and then invokes a VMCALL to set the hook.

this command uses hidden detours, this should be called from vmx-root mode

Parameters
CoreIdID of the target core
MemoryAddressDetailsMonitor hooking details
Returns
BOOLEAN Returns true if the hook was successful or false if there was an error
360{
361 return EptHookMonitorFromVmxRoot(&g_GuestState[CoreId], MemoryAddressDetails);
362}
EptHookMonitorFromVmxRoot
BOOLEAN EptHookMonitorFromVmxRoot(VIRTUAL_MACHINE_STATE *VCpu, EPT_HOOKS_ADDRESS_DETAILS_FOR_MEMORY_MONITOR *MemoryAddressDetails)
This function applies EPT monitor hooks to the target EPT table.
Definition EptHook.c:1651

◆ ConfigureEptHookReservePreallocatedPoolsForEptHooks()

IMPORT_EXPORT_VMM VOID ConfigureEptHookReservePreallocatedPoolsForEptHooks ( UINT32 Count)

Allocate (reserve) pages for storing EPT hooks page hooks.

Parameters
Count
Returns
VOID
240{
241 EptHookReservePreallocatedPoolsForEptHooks(Count);
242}
EptHookReservePreallocatedPoolsForEptHooks
VOID EptHookReservePreallocatedPoolsForEptHooks(UINT32 Count)
Reserve pre-allocated pools for EPT hooks.
Definition EptHook.c:70

◆ ConfigureEptHookUnHookAllByHookingTag()

IMPORT_EXPORT_VMM BOOLEAN ConfigureEptHookUnHookAllByHookingTag ( UINT64 HookingTag)

Remove all hooks from the hooked pages list using Hooking Tag.

Should be called from vmx non-root

Parameters
HookingTagThe hooking tag to remove all hooks
Returns
BOOLEAN If unhook was successful it returns true or if it was not successful returns false
158{
159 return EptHookUnHookAllByHookingTag(HookingTag);
160}
EptHookUnHookAllByHookingTag
BOOLEAN EptHookUnHookAllByHookingTag(UINT64 HookingTag)
Remove all hooks from the hooked pages by the given hooking tag.
Definition EptHook.c:2296

◆ ConfigureEptHookUnHookSingleAddress()

IMPORT_EXPORT_VMM BOOLEAN ConfigureEptHookUnHookSingleAddress ( UINT64 VirtualAddress,
UINT64 PhysAddress,
UINT32 ProcessId )

Remove single hook from the hooked pages list and invalidate TLB.

Should be called from vmx non-root

Parameters
VirtualAddressVirtual address to unhook
PhysAddressPhysical address to unhook (optional)
ProcessIdThe process id of target process

in unhooking for some hooks only physical address is availables

Returns
BOOLEAN If unhook was successful it returns true or if it was not successful returns false
191{
192 return EptHookUnHookSingleAddress(VirtualAddress, PhysAddress, ProcessId);
193}
EptHookUnHookSingleAddress
BOOLEAN EptHookUnHookSingleAddress(UINT64 VirtualAddress, UINT64 PhysAddress, UINT32 ProcessId)
Remove single hook from the hooked pages list and invalidate TLB.
Definition EptHook.c:2370

◆ ConfigureEptHookUnHookSingleAddressFromVmxRoot()

IMPORT_EXPORT_VMM BOOLEAN ConfigureEptHookUnHookSingleAddressFromVmxRoot ( UINT64 VirtualAddress,
UINT64 PhysAddress,
EPT_SINGLE_HOOK_UNHOOKING_DETAILS * TargetUnhookingDetails )

Remove single hook from the hooked pages list and invalidate TLB.

Should be called from vmx root-mode and it's the responsibility of caller to broadcast to all cores to remove the target physical address and invalidate EPT and modify exception bitmap (#BPs) if needed

Parameters
VirtualAddressVirtual address to unhook
PhysAddressPhysical address to unhook (optional)
TargetUnhookingDetailsTarget data for the caller to restore EPT entry and invalidate EPT caches. Only when applied in VMX-root mode directly
Returns
BOOLEAN If unhook was successful it returns true or if it was not successful returns false
212{
213 return EptHookUnHookSingleAddressFromVmxRoot(VirtualAddress,
214 PhysAddress,
215 TargetUnhookingDetails);
216}
EptHookUnHookSingleAddressFromVmxRoot
BOOLEAN EptHookUnHookSingleAddressFromVmxRoot(UINT64 VirtualAddress, UINT64 PhysAddress, EPT_SINGLE_HOOK_UNHOOKING_DETAILS *TargetUnhookingDetails)
Remove single hook from the hooked pages list and invalidate TLB.
Definition EptHook.c:2404

◆ ConfigureEptHookUnHookSingleHookByHookingTagFromVmxRoot()

IMPORT_EXPORT_VMM BOOLEAN ConfigureEptHookUnHookSingleHookByHookingTagFromVmxRoot ( UINT64 HookingTag,
EPT_SINGLE_HOOK_UNHOOKING_DETAILS * TargetUnhookingDetails )

Remove single hook from the hooked pages by the given hooking tag.

Should be called from Vmx root-mode

Parameters
HookingTagThe hooking tag to unhook
Returns
BOOLEAN If unhook was successful it returns true or if it was not successful returns false
172{
173 return EptHookUnHookSingleHookByHookingTagFromVmxRoot(HookingTag, TargetUnhookingDetails);
174}
EptHookUnHookSingleHookByHookingTagFromVmxRoot
BOOLEAN EptHookUnHookSingleHookByHookingTagFromVmxRoot(UINT64 HookingTag, EPT_SINGLE_HOOK_UNHOOKING_DETAILS *TargetUnhookingDetails)
Remove single hook from the hooked pages by the given hooking tag.
Definition EptHook.c:2339

◆ ConfigureExecTrapAddProcessToWatchingList()

IMPORT_EXPORT_VMM BOOLEAN ConfigureExecTrapAddProcessToWatchingList ( UINT32 ProcessId)

Add the target process to the watching list.

Parameters
ProcessId
Returns
BOOLEAN
61{
62 return ExecTrapAddProcessToWatchingList(ProcessId);
63}
ExecTrapAddProcessToWatchingList
BOOLEAN ExecTrapAddProcessToWatchingList(UINT32 ProcessId)
Add the target process to the watching list.
Definition ExecTrap.c:894

◆ ConfigureExecTrapRemoveProcessFromWatchingList()

IMPORT_EXPORT_VMM BOOLEAN ConfigureExecTrapRemoveProcessFromWatchingList ( UINT32 ProcessId)

Remove the target process from the watching list.

Parameters
ProcessId
Returns
BOOLEAN
73{
74 return ExecTrapRemoveProcessFromWatchingList(ProcessId);
75}
ExecTrapRemoveProcessFromWatchingList
BOOLEAN ExecTrapRemoveProcessFromWatchingList(UINT32 ProcessId)
Remove the target process from the watching list.
Definition ExecTrap.c:909

◆ ConfigureInitializeExecTrapOnAllProcessors()

IMPORT_EXPORT_VMM BOOLEAN ConfigureInitializeExecTrapOnAllProcessors ( )

routines for initializing user-mode, kernel-mode exec trap

Returns
BOOLEAN
38{
39 return ExecTrapInitialize();
40}
ExecTrapInitialize
BOOLEAN ExecTrapInitialize()
Initialize the reversing machine based on service request.
Definition ExecTrap.c:497

◆ ConfigureModeBasedExecHookUninitializeOnAllProcessors()

IMPORT_EXPORT_VMM VOID ConfigureModeBasedExecHookUninitializeOnAllProcessors ( )

routines for initializing Mode-based execution hooks

Returns
VOID
84{
85 ModeBasedExecHookUninitialize();
86}
ModeBasedExecHookUninitialize
VOID ModeBasedExecHookUninitialize()
Uinitialize the needed structure for hooking mode execution.
Definition ModeBasedExecHook.c:247

◆ ConfigureSetEferSyscallOrSysretHookType()

IMPORT_EXPORT_VMM VOID ConfigureSetEferSyscallOrSysretHookType ( DEBUGGER_EVENT_SYSCALL_SYSRET_TYPE SyscallHookType)

routines for setting EFER syscall or sysret hooks type

Parameters
SyscallHookTypeType of hook
Returns
VOID
440{
441 if (SyscallHookType == DEBUGGER_EVENT_SYSCALL_SYSRET_HANDLE_ALL_UD)
442 {
443 g_IsUnsafeSyscallOrSysretHandling = TRUE;
444 }
445 else if (SyscallHookType == DEBUGGER_EVENT_SYSCALL_SYSRET_SAFE_ACCESS_MEMORY)
446 {
447 g_IsUnsafeSyscallOrSysretHandling = FALSE;
448 }
449}
g_IsUnsafeSyscallOrSysretHandling
BOOLEAN g_IsUnsafeSyscallOrSysretHandling
Shows whether the debuggee is waiting for an trap step or not.
Definition GlobalVariables.h:101
DEBUGGER_EVENT_SYSCALL_SYSRET_SAFE_ACCESS_MEMORY
@ DEBUGGER_EVENT_SYSCALL_SYSRET_SAFE_ACCESS_MEMORY
Definition Events.h:192
DEBUGGER_EVENT_SYSCALL_SYSRET_HANDLE_ALL_UD
@ DEBUGGER_EVENT_SYSCALL_SYSRET_HANDLE_ALL_UD
Definition Events.h:193

◆ ConfigureSetExceptionBitmapOnSingleCore()

IMPORT_EXPORT_VMM VOID ConfigureSetExceptionBitmapOnSingleCore ( UINT32 TargetCoreId,
UINT32 BitMask )

set exception bitmap on a single core

Parameters
TargetCoreIdThe target core's ID (to just run on this core)
BitMaskThe bit mask of exception bitmap
Returns
VOID
513{
514 DpcRoutineRunTaskOnSingleCore(TargetCoreId, (PVOID)DpcRoutinePerformSetExceptionBitmapOnSingleCore, (PVOID)BitMask);
515}
DpcRoutinePerformSetExceptionBitmapOnSingleCore
VOID DpcRoutinePerformSetExceptionBitmapOnSingleCore(KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
change exception bitmap on a single core
Definition DpcRoutines.c:275

◆ ConfigureSetExternalInterruptExitingOnSingleCore()

IMPORT_EXPORT_VMM VOID ConfigureSetExternalInterruptExitingOnSingleCore ( UINT32 TargetCoreId)

set external interrupt exiting on a single core

Parameters
TargetCoreIdThe target core's ID (to just run on this core)
Returns
VOID
460{
461 DpcRoutineRunTaskOnSingleCore(TargetCoreId, (PVOID)DpcRoutinePerformSetExternalInterruptExitingOnSingleCore, NULL);
462}
DpcRoutinePerformSetExternalInterruptExitingOnSingleCore
VOID DpcRoutinePerformSetExternalInterruptExitingOnSingleCore(KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
Enable external interrupt exiting on a single core.
Definition DpcRoutines.c:361

◆ ConfigureUninitializeExecTrapOnAllProcessors()

IMPORT_EXPORT_VMM VOID ConfigureUninitializeExecTrapOnAllProcessors ( )

routines for uninitializing user-mode, kernel-mode exec trap

Returns
VOID
49{
50 ExecTrapUninitialize();
51}
ExecTrapUninitialize
VOID ExecTrapUninitialize()
Uinitialize the needed structure for the reversing machine.
Definition ExecTrap.c:605

◆ DirectVmcallChangeIoBitmap()

IMPORT_EXPORT_VMM NTSTATUS DirectVmcallChangeIoBitmap ( UINT32 CoreId,
DIRECT_VMCALL_PARAMETERS * DirectVmcallOptions )

routines for changing IO Bitmap

Should be called from VMX root-mode

Parameters
CoreId
DirectVmcallOptions
Returns
NTSTATUS
105{
106 //
107 // Call the VMCALL handler (directly)
108 //
109 return VmxVmcallDirectVmcallHandler(&g_GuestState[CoreId], VMCALL_CHANGE_IO_BITMAP, DirectVmcallOptions);
110}
VmxVmcallDirectVmcallHandler
NTSTATUS VmxVmcallDirectVmcallHandler(VIRTUAL_MACHINE_STATE *VCpu, UINT64 VmcallNumber, DIRECT_VMCALL_PARAMETERS *DirectVmcallOptions)
Direct Vmcall Handler.
Definition Vmcall.c:109
VMCALL_CHANGE_IO_BITMAP
#define VMCALL_CHANGE_IO_BITMAP
VMCALL to change I/O Bitmaps (A & B)
Definition Vmcall.h:118

◆ DirectVmcallChangeMsrBitmapRead()

IMPORT_EXPORT_VMM NTSTATUS DirectVmcallChangeMsrBitmapRead ( UINT32 CoreId,
DIRECT_VMCALL_PARAMETERS * DirectVmcallOptions )

routines for changing MSR Bitmap (Read)

Should be called from VMX root-mode

Parameters
CoreId
DirectVmcallOptions
Returns
NTSTATUS
67{
68 //
69 // Call the VMCALL handler (directly)
70 //
71 return VmxVmcallDirectVmcallHandler(&g_GuestState[CoreId], VMCALL_CHANGE_MSR_BITMAP_READ, DirectVmcallOptions);
72}
VMCALL_CHANGE_MSR_BITMAP_READ
#define VMCALL_CHANGE_MSR_BITMAP_READ
VMCALL to change MSR Bitmap Read.
Definition Vmcall.h:76

◆ DirectVmcallChangeMsrBitmapWrite()

IMPORT_EXPORT_VMM NTSTATUS DirectVmcallChangeMsrBitmapWrite ( UINT32 CoreId,
DIRECT_VMCALL_PARAMETERS * DirectVmcallOptions )

routines for changing MSR Bitmap (Write)

Should be called from VMX root-mode

Parameters
CoreId
DirectVmcallOptions
Returns
NTSTATUS
86{
87 //
88 // Call the VMCALL handler (directly)
89 //
90 return VmxVmcallDirectVmcallHandler(&g_GuestState[CoreId], VMCALL_CHANGE_MSR_BITMAP_WRITE, DirectVmcallOptions);
91}
VMCALL_CHANGE_MSR_BITMAP_WRITE
#define VMCALL_CHANGE_MSR_BITMAP_WRITE
VMCALL to change MSR Bitmap Write.
Definition Vmcall.h:82

◆ DirectVmcallDisableEferSyscallEvents()

IMPORT_EXPORT_VMM NTSTATUS DirectVmcallDisableEferSyscallEvents ( UINT32 CoreId,
DIRECT_VMCALL_PARAMETERS * DirectVmcallOptions )

routines for disabling syscall hook using EFER SCE bit

Should be called from VMX root-mode

Parameters
CoreId
DirectVmcallOptions
Returns
NTSTATUS
486{
487 //
488 // Call the VMCALL handler (directly)
489 //
490 return VmxVmcallDirectVmcallHandler(&g_GuestState[CoreId], VMCALL_DISABLE_SYSCALL_HOOK_EFER, DirectVmcallOptions);
491}
VMCALL_DISABLE_SYSCALL_HOOK_EFER
#define VMCALL_DISABLE_SYSCALL_HOOK_EFER
VMCALL to disable syscall hook using EFER SCE bit.
Definition Vmcall.h:70

◆ DirectVmcallDisableMov2CrExitingForClearingCrEvents()

IMPORT_EXPORT_VMM NTSTATUS DirectVmcallDisableMov2CrExitingForClearingCrEvents ( UINT32 CoreId,
DIRECT_VMCALL_PARAMETERS * DirectVmcallOptions )

routines for clearing mov 2 cr exiting bit ONLY in the case of disabling the events for !crwrite command

Should be called from VMX root-mode

Parameters
CoreId
DirectVmcallOptions
Returns
NTSTATUS
526{
527 //
528 // Call the VMCALL handler (directly)
529 //
530 return VmxVmcallDirectVmcallHandler(&g_GuestState[CoreId], VMCALL_DISABLE_MOV_TO_CR_EXITING_ONLY_FOR_CR_EVENTS, DirectVmcallOptions);
531}
VMCALL_DISABLE_MOV_TO_CR_EXITING_ONLY_FOR_CR_EVENTS
#define VMCALL_DISABLE_MOV_TO_CR_EXITING_ONLY_FOR_CR_EVENTS
VMCALL to clear mov 2 cr exiting bit ONLY in the case of disabling the events for !...
Definition Vmcall.h:268

◆ DirectVmcallDisableMov2DrExitingForClearingDrEvents()

IMPORT_EXPORT_VMM NTSTATUS DirectVmcallDisableMov2DrExitingForClearingDrEvents ( UINT32 CoreId,
DIRECT_VMCALL_PARAMETERS * DirectVmcallOptions )

routines for clearing mov 2 hw dr exiting bit ONLY in the case of disabling the events for !dr command

Should be called from VMX root-mode

Parameters
CoreId
DirectVmcallOptions
Returns
NTSTATUS
506{
507 //
508 // Call the VMCALL handler (directly)
509 //
510 return VmxVmcallDirectVmcallHandler(&g_GuestState[CoreId], VMCALL_DISABLE_MOV_TO_HW_DR_EXITING_ONLY_FOR_DR_EVENTS, DirectVmcallOptions);
511}
VMCALL_DISABLE_MOV_TO_HW_DR_EXITING_ONLY_FOR_DR_EVENTS
#define VMCALL_DISABLE_MOV_TO_HW_DR_EXITING_ONLY_FOR_DR_EVENTS
VMCALL to clear mov 2 hw dr exiting bit ONLY in the case of disabling the events for !...
Definition Vmcall.h:250

◆ DirectVmcallDisableRdpmcExiting()

IMPORT_EXPORT_VMM NTSTATUS DirectVmcallDisableRdpmcExiting ( UINT32 CoreId,
DIRECT_VMCALL_PARAMETERS * DirectVmcallOptions )

routines for disabling rdpmc exiting in primary cpu-based controls

Should be called from VMX root-mode

Parameters
CoreId
DirectVmcallOptions
Returns
NTSTATUS
467{
468 //
469 // Call the VMCALL handler (directly)
470 //
471 return VmxVmcallDirectVmcallHandler(&g_GuestState[CoreId], VMCALL_UNSET_RDPMC_EXITING, DirectVmcallOptions);
472}
VMCALL_UNSET_RDPMC_EXITING
#define VMCALL_UNSET_RDPMC_EXITING
VMCALL to disable rdpmc exiting in primary cpu-based controls.
Definition Vmcall.h:142

◆ DirectVmcallDisableRdtscExitingForClearingTscEvents()

IMPORT_EXPORT_VMM NTSTATUS DirectVmcallDisableRdtscExitingForClearingTscEvents ( UINT32 CoreId,
DIRECT_VMCALL_PARAMETERS * DirectVmcallOptions )

routines for clearing rdtsc exiting bit ONLY in the case of disabling the events for !tsc command

Should be called from VMX root-mode

Parameters
CoreId
DirectVmcallOptions
Returns
NTSTATUS
448{
449 //
450 // Call the VMCALL handler (directly)
451 //
452 return VmxVmcallDirectVmcallHandler(&g_GuestState[CoreId], VMCALL_DISABLE_RDTSC_EXITING_ONLY_FOR_TSC_EVENTS, DirectVmcallOptions);
453}
VMCALL_DISABLE_RDTSC_EXITING_ONLY_FOR_TSC_EVENTS
#define VMCALL_DISABLE_RDTSC_EXITING_ONLY_FOR_TSC_EVENTS
VMCALL to clear rdtsc exiting bit ONLY in the case of disabling the events for !tsc command.
Definition Vmcall.h:243

◆ DirectVmcallEnableEferSyscall()

IMPORT_EXPORT_VMM NTSTATUS DirectVmcallEnableEferSyscall ( UINT32 CoreId,
DIRECT_VMCALL_PARAMETERS * DirectVmcallOptions )

routines for enabling syscall hook using EFER SCE bit

Should be called from VMX root-mode

Parameters
CoreId
DirectVmcallOptions
Returns
NTSTATUS
238{
239 //
240 // Call the VMCALL handler (directly)
241 //
242 return VmxVmcallDirectVmcallHandler(&g_GuestState[CoreId], VMCALL_ENABLE_SYSCALL_HOOK_EFER, DirectVmcallOptions);
243}
VMCALL_ENABLE_SYSCALL_HOOK_EFER
#define VMCALL_ENABLE_SYSCALL_HOOK_EFER
VMCALL to enable syscall hook using EFER SCE bit.
Definition Vmcall.h:64

◆ DirectVmcallEnableExternalInterruptExiting()

IMPORT_EXPORT_VMM NTSTATUS DirectVmcallEnableExternalInterruptExiting ( UINT32 CoreId,
DIRECT_VMCALL_PARAMETERS * DirectVmcallOptions )

routines for enabling external interrupt exiting

Should be called from VMX root-mode

Parameters
CoreId
DirectVmcallOptions
Returns
NTSTATUS
200{
201 //
202 // Call the VMCALL handler (directly)
203 //
204 return VmxVmcallDirectVmcallHandler(&g_GuestState[CoreId], VMCALL_ENABLE_EXTERNAL_INTERRUPT_EXITING, DirectVmcallOptions);
205}
VMCALL_ENABLE_EXTERNAL_INTERRUPT_EXITING
#define VMCALL_ENABLE_EXTERNAL_INTERRUPT_EXITING
VMCALL to enable external interrupt exiting.
Definition Vmcall.h:112

◆ DirectVmcallEnableMov2DebugRegsExiting()

IMPORT_EXPORT_VMM NTSTATUS DirectVmcallEnableMov2DebugRegsExiting ( UINT32 CoreId,
DIRECT_VMCALL_PARAMETERS * DirectVmcallOptions )

routines for enabling mov to debug registers exiting

Should be called from VMX root-mode

Parameters
CoreId
DirectVmcallOptions
Returns
NTSTATUS
162{
163 //
164 // Call the VMCALL handler (directly)
165 //
166 return VmxVmcallDirectVmcallHandler(&g_GuestState[CoreId], VMCALL_ENABLE_MOV_TO_DEBUG_REGS_EXITING, DirectVmcallOptions);
167}
VMCALL_ENABLE_MOV_TO_DEBUG_REGS_EXITING
#define VMCALL_ENABLE_MOV_TO_DEBUG_REGS_EXITING
VMCALL to enable mov to debug registers exiting.
Definition Vmcall.h:106

◆ DirectVmcallEnableMovToCrExiting()

IMPORT_EXPORT_VMM NTSTATUS DirectVmcallEnableMovToCrExiting ( UINT32 CoreId,
DIRECT_VMCALL_PARAMETERS * DirectVmcallOptions )

routines for enabling mov to CR exiting

Should be called from VMX root-mode

Parameters
CoreId
DirectVmcallOptions
Returns
NTSTATUS
219{
220 //
221 // Call the VMCALL handler (directly)
222 //
223 return VmxVmcallDirectVmcallHandler(&g_GuestState[CoreId], VMCALL_ENABLE_MOV_TO_CONTROL_REGS_EXITING, DirectVmcallOptions);
224}
VMCALL_ENABLE_MOV_TO_CONTROL_REGS_EXITING
#define VMCALL_ENABLE_MOV_TO_CONTROL_REGS_EXITING
VMCALL to enable mov to CR exiting.
Definition Vmcall.h:255

◆ DirectVmcallEnableRdpmcExiting()

IMPORT_EXPORT_VMM NTSTATUS DirectVmcallEnableRdpmcExiting ( UINT32 CoreId,
DIRECT_VMCALL_PARAMETERS * DirectVmcallOptions )

routines for enabling rdpmc exiting

Should be called from VMX root-mode

Parameters
CoreId
DirectVmcallOptions
Returns
NTSTATUS
124{
125 //
126 // Call the VMCALL handler (directly)
127 //
128 return VmxVmcallDirectVmcallHandler(&g_GuestState[CoreId], VMCALL_SET_RDPMC_EXITING, DirectVmcallOptions);
129}
VMCALL_SET_RDPMC_EXITING
#define VMCALL_SET_RDPMC_EXITING
VMCALL to enable rdpmc exiting in primary cpu-based controls.
Definition Vmcall.h:94

◆ DirectVmcallEnableRdtscpExiting()

IMPORT_EXPORT_VMM NTSTATUS DirectVmcallEnableRdtscpExiting ( UINT32 CoreId,
DIRECT_VMCALL_PARAMETERS * DirectVmcallOptions )

routines for enabling rdtsc/rdtscp exiting

Should be called from VMX root-mode

Parameters
CoreId
DirectVmcallOptions
Returns
NTSTATUS
143{
144 //
145 // Call the VMCALL handler (directly)
146 //
147 return VmxVmcallDirectVmcallHandler(&g_GuestState[CoreId], VMCALL_SET_RDTSC_EXITING, DirectVmcallOptions);
148}
VMCALL_SET_RDTSC_EXITING
#define VMCALL_SET_RDTSC_EXITING
VMCALL to enable rdtsc/rdtscp exiting in primary cpu-based controls.
Definition Vmcall.h:88

◆ DirectVmcallInvalidateEptAllContexts()

IMPORT_EXPORT_VMM NTSTATUS DirectVmcallInvalidateEptAllContexts ( UINT32 CoreId,
DIRECT_VMCALL_PARAMETERS * DirectVmcallOptions )

routines for invalidating EPT (All Contexts)

Should be called from VMX root-mode

Parameters
CoreId
DirectVmcallOptions
Returns
NTSTATUS
276{
277 //
278 // Call the VMCALL handler (directly)
279 //
280 return VmxVmcallDirectVmcallHandler(&g_GuestState[CoreId], VMCALL_INVEPT_ALL_CONTEXTS, DirectVmcallOptions);
281}
VMCALL_INVEPT_ALL_CONTEXTS
#define VMCALL_INVEPT_ALL_CONTEXTS
VMCALL to invalidate EPT (All Contexts)
Definition Vmcall.h:40

◆ DirectVmcallInvalidateSingleContext()

IMPORT_EXPORT_VMM NTSTATUS DirectVmcallInvalidateSingleContext ( UINT32 CoreId,
DIRECT_VMCALL_PARAMETERS * DirectVmcallOptions )

routines for invalidating EPT (A Single Context)

Should be called from VMX root-mode

Parameters
CoreId
DirectVmcallOptions
Returns
NTSTATUS
295{
296 //
297 // Call the VMCALL handler (directly)
298 //
299 return VmxVmcallDirectVmcallHandler(&g_GuestState[CoreId], VMCALL_INVEPT_SINGLE_CONTEXT, DirectVmcallOptions);
300}
VMCALL_INVEPT_SINGLE_CONTEXT
#define VMCALL_INVEPT_SINGLE_CONTEXT
VMCALL to invalidate EPT (A Single Context)
Definition Vmcall.h:46

◆ DirectVmcallPerformVmcall()

IMPORT_EXPORT_VMM NTSTATUS DirectVmcallPerformVmcall ( UINT32 CoreId,
UINT64 VmcallNumber,
DIRECT_VMCALL_PARAMETERS * DirectVmcallOptions )

routines for performing a direct VMCALL

Should be called from VMX root-mode

Parameters
CoreId
VmcallNumber
DirectVmcallOptions
Returns
NTSTATUS
48{
49 //
50 // Call the VMCALL handler (directly)
51 //
52 return VmxVmcallDirectVmcallHandler(&g_GuestState[CoreId], VmcallNumber, DirectVmcallOptions);
53}

◆ DirectVmcallResetExceptionBitmapOnlyOnClearingExceptionEvents()

IMPORT_EXPORT_VMM NTSTATUS DirectVmcallResetExceptionBitmapOnlyOnClearingExceptionEvents ( UINT32 CoreId,
DIRECT_VMCALL_PARAMETERS * DirectVmcallOptions )

routines for resetting exception bitmap on VMCS

Should be called from VMX root-mode

Parameters
CoreId
DirectVmcallOptions
Returns
NTSTATUS
409{
410 //
411 // Call the VMCALL handler (directly)
412 //
413 return VmxVmcallDirectVmcallHandler(&g_GuestState[CoreId], VMCALL_RESET_EXCEPTION_BITMAP_ONLY_ON_CLEARING_EXCEPTION_EVENTS, DirectVmcallOptions);
414}
VMCALL_RESET_EXCEPTION_BITMAP_ONLY_ON_CLEARING_EXCEPTION_EVENTS
#define VMCALL_RESET_EXCEPTION_BITMAP_ONLY_ON_CLEARING_EXCEPTION_EVENTS
VMCALL to reset exception bitmap on VMCS.
Definition Vmcall.h:168

◆ DirectVmcallResetIoBitmap()

IMPORT_EXPORT_VMM NTSTATUS DirectVmcallResetIoBitmap ( UINT32 CoreId,
DIRECT_VMCALL_PARAMETERS * DirectVmcallOptions )

routines for resetting I/O Bitmaps (A & B)

Should be called from VMX root-mode

Parameters
CoreId
DirectVmcallOptions
Returns
NTSTATUS
428{
429 //
430 // Call the VMCALL handler (directly)
431 //
432 return VmxVmcallDirectVmcallHandler(&g_GuestState[CoreId], VMCALL_RESET_IO_BITMAP, DirectVmcallOptions);
433}
VMCALL_RESET_IO_BITMAP
#define VMCALL_RESET_IO_BITMAP
VMCALL to reset I/O Bitmaps (A & B)
Definition Vmcall.h:174

◆ DirectVmcallResetMsrBitmapRead()

IMPORT_EXPORT_VMM NTSTATUS DirectVmcallResetMsrBitmapRead ( UINT32 CoreId,
DIRECT_VMCALL_PARAMETERS * DirectVmcallOptions )

routines for resetting MSR Bitmap Read

Should be called from VMX root-mode

Parameters
CoreId
DirectVmcallOptions
Returns
NTSTATUS
371{
372 //
373 // Call the VMCALL handler (directly)
374 //
375 return VmxVmcallDirectVmcallHandler(&g_GuestState[CoreId], VMCALL_RESET_MSR_BITMAP_READ, DirectVmcallOptions);
376}
VMCALL_RESET_MSR_BITMAP_READ
#define VMCALL_RESET_MSR_BITMAP_READ
VMCALL to reset MSR Bitmap Read.
Definition Vmcall.h:154

◆ DirectVmcallResetMsrBitmapWrite()

IMPORT_EXPORT_VMM NTSTATUS DirectVmcallResetMsrBitmapWrite ( UINT32 CoreId,
DIRECT_VMCALL_PARAMETERS * DirectVmcallOptions )

routines for resetting MSR Bitmap Write

Should be called from VMX root-mode

Parameters
CoreId
DirectVmcallOptions
Returns
NTSTATUS
390{
391 //
392 // Call the VMCALL handler (directly)
393 //
394 return VmxVmcallDirectVmcallHandler(&g_GuestState[CoreId], VMCALL_RESET_MSR_BITMAP_WRITE, DirectVmcallOptions);
395}
VMCALL_RESET_MSR_BITMAP_WRITE
#define VMCALL_RESET_MSR_BITMAP_WRITE
VMCALL to reset MSR Bitmap Write.
Definition Vmcall.h:160

◆ DirectVmcallSetDisableExternalInterruptExitingOnlyOnClearingInterruptEvents()

IMPORT_EXPORT_VMM NTSTATUS DirectVmcallSetDisableExternalInterruptExitingOnlyOnClearingInterruptEvents ( UINT32 CoreId,
DIRECT_VMCALL_PARAMETERS * DirectVmcallOptions )

routines for disabling external interrupt exiting only to clear !interrupt commands

Should be called from VMX root-mode

Parameters
CoreId
DirectVmcallOptions
Returns
NTSTATUS
352{
353 //
354 // Call the VMCALL handler (directly)
355 //
356 return VmxVmcallDirectVmcallHandler(&g_GuestState[CoreId], VMCALL_DISABLE_EXTERNAL_INTERRUPT_EXITING_ONLY_TO_CLEAR_INTERRUPT_COMMANDS, DirectVmcallOptions);
357}
VMCALL_DISABLE_EXTERNAL_INTERRUPT_EXITING_ONLY_TO_CLEAR_INTERRUPT_COMMANDS
#define VMCALL_DISABLE_EXTERNAL_INTERRUPT_EXITING_ONLY_TO_CLEAR_INTERRUPT_COMMANDS
VMCALL to disable external interrupt exiting only to clear !interrupt commands.
Definition Vmcall.h:136

◆ DirectVmcallSetExceptionBitmap()

IMPORT_EXPORT_VMM NTSTATUS DirectVmcallSetExceptionBitmap ( UINT32 CoreId,
DIRECT_VMCALL_PARAMETERS * DirectVmcallOptions )

routines for setting exception bitmap

Should be called from VMX root-mode

Parameters
CoreId
DirectVmcallOptions
Returns
NTSTATUS
181{
182 //
183 // Call the VMCALL handler (directly)
184 //
185 return VmxVmcallDirectVmcallHandler(&g_GuestState[CoreId], VMCALL_SET_EXCEPTION_BITMAP, DirectVmcallOptions);
186}
VMCALL_SET_EXCEPTION_BITMAP
#define VMCALL_SET_EXCEPTION_BITMAP
VMCALL to set exception bitmap on VMCS.
Definition Vmcall.h:100

◆ DirectVmcallSetHiddenBreakpointHook()

IMPORT_EXPORT_VMM NTSTATUS DirectVmcallSetHiddenBreakpointHook ( UINT32 CoreId,
DIRECT_VMCALL_PARAMETERS * DirectVmcallOptions )

routines for putting hidden breakpoints (using EPT)

Should be called from VMX root-mode

Parameters
CoreId
DirectVmcallOptions
Returns
NTSTATUS
257{
258 //
259 // Call the VMCALL handler (directly)
260 //
261 return VmxVmcallDirectVmcallHandler(&g_GuestState[CoreId], VMCALL_SET_HIDDEN_CC_BREAKPOINT, DirectVmcallOptions);
262}
VMCALL_SET_HIDDEN_CC_BREAKPOINT
#define VMCALL_SET_HIDDEN_CC_BREAKPOINT
VMCALL to put hidden breakpoints (using EPT)
Definition Vmcall.h:124

◆ DirectVmcallTest()

IMPORT_EXPORT_VMM NTSTATUS DirectVmcallTest ( UINT32 CoreId,
DIRECT_VMCALL_PARAMETERS * DirectVmcallOptions )

routines for test direct VMCALL

Should be called from VMX root-mode

Parameters
CoreId
DirectVmcallOptions
Returns
NTSTATUS
27{
28 //
29 // Call the VMCALL handler (directly)
30 //
31 return VmxVmcallDirectVmcallHandler(&g_GuestState[CoreId], VMCALL_TEST, DirectVmcallOptions);
32}
VMCALL_TEST
#define VMCALL_TEST
VMCALL to test hypervisor.
Definition Vmcall.h:22

◆ DirectVmcallUnhookSinglePage()

IMPORT_EXPORT_VMM NTSTATUS DirectVmcallUnhookSinglePage ( UINT32 CoreId,
DIRECT_VMCALL_PARAMETERS * DirectVmcallOptions )

routines for restoring a single EPT entry and invalidating EPT cache

Should be called from VMX root-mode

Parameters
CoreId
DirectVmcallOptions
Returns
NTSTATUS
333{
334 //
335 // Call the VMCALL handler (directly)
336 //
337 return VmxVmcallDirectVmcallHandler(&g_GuestState[CoreId], VMCALL_UNHOOK_SINGLE_PAGE, DirectVmcallOptions);
338}
VMCALL_UNHOOK_SINGLE_PAGE
#define VMCALL_UNHOOK_SINGLE_PAGE
VMCALL to restore a single EPT entry and invalidate EPT cache.
Definition Vmcall.h:58

◆ DirectVmcallUnsetExceptionBitmap()

IMPORT_EXPORT_VMM NTSTATUS DirectVmcallUnsetExceptionBitmap ( UINT32 CoreId,
DIRECT_VMCALL_PARAMETERS * DirectVmcallOptions )

routines for unsetting exception bitmap on VMCS

Should be called from VMX root-mode

Parameters
CoreId
DirectVmcallOptions
Returns
NTSTATUS
314{
315 //
316 // Call the VMCALL handler (directly)
317 //
318 return VmxVmcallDirectVmcallHandler(&g_GuestState[CoreId], VMCALL_UNSET_EXCEPTION_BITMAP, DirectVmcallOptions);
319}
VMCALL_UNSET_EXCEPTION_BITMAP
#define VMCALL_UNSET_EXCEPTION_BITMAP
VMCALL to unset exception bitmap on VMCS.
Definition Vmcall.h:192

◆ DisassemblerLengthDisassembleEngine()

IMPORT_EXPORT_VMM UINT32 DisassemblerLengthDisassembleEngine ( PVOID Address,
BOOLEAN Is32Bit )

Disassembler length disassemble engine.

if you want to call it directly, shouldn't not be in VMX-root mode, otherwise, you can call DisassemblerLengthDisassembleEngineInVmxRootOnTargetProcess to access memory safely

Parameters
Address
Is32Bit
Returns
UINT32
226{
227 ZydisDecoder Decoder;
228 ZydisDecodedInstruction Instruction;
229 ZydisDecodedOperand Operands[ZYDIS_MAX_OPERAND_COUNT];
230 ZyanStatus Status;
231
232 if (ZydisGetVersion() != ZYDIS_VERSION)
233 {
234 LogError("Err, invalid zydis version");
235 return NULL_ZERO;
236 }
237
238 //
239 // Initialize Zydis decoder
240 //
241 if (Is32Bit)
242 {
243 if (!ZYAN_SUCCESS(ZydisDecoderInit(&Decoder, ZYDIS_MACHINE_MODE_LONG_COMPAT_32, ZYDIS_STACK_WIDTH_32)))
244 {
245 return NULL_ZERO;
246 }
247 }
248 else
249 {
250 if (!ZYAN_SUCCESS(ZydisDecoderInit(&Decoder, ZYDIS_MACHINE_MODE_LONG_64, ZYDIS_STACK_WIDTH_64)))
251 {
252 return NULL_ZERO;
253 }
254 }
255
256 //
257 // Start the decode loop
258 //
259 while ((Status = ZydisDecoderDecodeFull(&Decoder,
260 (PVOID)((UINT64)Address),
261 MAXIMUM_INSTR_SIZE,
262 &Instruction,
263 Operands)) != ZYDIS_STATUS_NO_MORE_DATA)
264 {
265 NT_ASSERT(ZYAN_SUCCESS(Status));
266
267 if (!ZYAN_SUCCESS(Status))
268 {
269 //
270 // Probably invalid instruction
271 //
272 return NULL_ZERO;
273 }
274
275 //
276 // This is a length disassembler, so we just return the length
277 //
278 return Instruction.length;
279 }
280
281 //
282 // return an error status
283 //
284 return NULL_ZERO;
285}
NULL_ZERO
#define NULL_ZERO
Definition BasicTypes.h:51
LogError
#define LogError(format,...)
Log in the case of error.
Definition HyperDbgHyperLogIntrinsics.h:113

◆ DisassemblerLengthDisassembleEngineInVmxRootOnTargetProcess()

IMPORT_EXPORT_VMM UINT32 DisassemblerLengthDisassembleEngineInVmxRootOnTargetProcess ( PVOID Address,
BOOLEAN Is32Bit )

Disassembler length disassembler engine.

Should be called in VMX-root mode

Parameters
Address
Is32Bit
Returns
UINT32
298{
299 BYTE SafeMemoryToRead[MAXIMUM_INSTR_SIZE] = {0};
300 UINT64 SizeOfSafeBufferToRead = 0;
301
302 //
303 // Read the maximum number of instruction that is valid to be read in the
304 // target address
305 //
306 SizeOfSafeBufferToRead = CheckAddressMaximumInstructionLength(Address);
307
308 //
309 // Find the current instruction
310 //
311 MemoryMapperReadMemorySafeOnTargetProcess((UINT64)Address,
312 SafeMemoryToRead,
313 SizeOfSafeBufferToRead);
314
315 return DisassemblerLengthDisassembleEngine(SafeMemoryToRead, Is32Bit);
316}
CheckAddressMaximumInstructionLength
UINT32 CheckAddressMaximumInstructionLength(PVOID Address)
This function returns the maximum instruction length that can be read from this address.
Definition AddressCheck.c:306
BYTE
unsigned char BYTE
Definition BasicTypes.h:24
DisassemblerLengthDisassembleEngine
UINT32 DisassemblerLengthDisassembleEngine(PVOID Address, BOOLEAN Is32Bit)
Disassembler length disassemble engine.
Definition Disassembler.c:225
MemoryMapperReadMemorySafeOnTargetProcess
_Use_decl_annotations_ BOOLEAN MemoryMapperReadMemorySafeOnTargetProcess(UINT64 VaAddressToRead, PVOID BufferToSaveMemory, SIZE_T SizeToRead)
Read memory safely by mapping the buffer on the target process memory (It's a wrapper)
Definition MemoryMapper.c:1120

◆ DisassemblerShowInstructionsInVmxNonRootMode()

IMPORT_EXPORT_VMM BOOLEAN DisassemblerShowInstructionsInVmxNonRootMode ( PVOID Address,
UINT32 Length,
BOOLEAN Is32Bit )

Disassembler show the instructions.

This function should not be called from VMX-root mode

Parameters
Address
Length
Is32Bit
Returns
BOOLEAN
27{
28 ZydisDecoder Decoder;
29 ZydisFormatter Formatter;
30 SIZE_T ReadOffset = 0;
31 ZydisDecodedInstruction Instruction;
32 ZydisDecodedOperand Operands[ZYDIS_MAX_OPERAND_COUNT];
33 ZyanStatus Status;
34 CHAR PrintBuffer[128];
35
36 PAGED_CODE();
37
38 if (ZydisGetVersion() != ZYDIS_VERSION)
39 {
40 LogError("Err, invalid zydis version");
41 return FALSE;
42 }
43
44 //
45 // Initialize Zydis decoder
46 //
47 if (Is32Bit)
48 {
49 if (!ZYAN_SUCCESS(ZydisDecoderInit(&Decoder, ZYDIS_MACHINE_MODE_LONG_COMPAT_32, ZYDIS_STACK_WIDTH_32)))
50 {
51 return FALSE;
52 }
53 }
54 else
55 {
56 if (!ZYAN_SUCCESS(ZydisDecoderInit(&Decoder, ZYDIS_MACHINE_MODE_LONG_64, ZYDIS_STACK_WIDTH_64)))
57 {
58 return FALSE;
59 }
60 }
61
62 //
63 // Initialize Zydis formatter
64 //
65 if (!ZYAN_SUCCESS(ZydisFormatterInit(&Formatter, ZYDIS_FORMATTER_STYLE_INTEL)))
66 {
67 return FALSE;
68 }
69
70 //
71 // Start the decode loop
72 //
73 while ((Status = ZydisDecoderDecodeFull(&Decoder,
74 (PVOID)((UINT64)Address + ReadOffset),
75 Length - ReadOffset,
76 &Instruction,
77 Operands)) != ZYDIS_STATUS_NO_MORE_DATA)
78 {
79 NT_ASSERT(ZYAN_SUCCESS(Status));
80 if (!ZYAN_SUCCESS(Status))
81 {
82 ReadOffset++;
83 continue;
84 }
85
86 // Format and print the instruction
87 const ZyanU64 InstrAddress = (ZyanU64)((UINT64)Address + ReadOffset);
88 ZydisFormatterFormatInstruction(
89 &Formatter,
90 &Instruction,
91 Operands,
92 Instruction.operand_count_visible,
93 PrintBuffer,
94 sizeof(PrintBuffer),
95 InstrAddress,
96 NULL);
97
98 LogInfo("+%-4X 0x%-16llX\t\t%hs\n", (UINT32)ReadOffset, InstrAddress, PrintBuffer);
99
100 ReadOffset += Instruction.length;
101 }
102
103 //
104 // return an error status so that the driver does not have to be unloaded after running
105 //
106 return TRUE;
107}
LogInfo
#define LogInfo(format,...)
Define log variables.
Definition HyperDbgHyperLogIntrinsics.h:71

◆ DisassemblerShowOneInstructionInVmxNonRootMode()

IMPORT_EXPORT_VMM BOOLEAN DisassemblerShowOneInstructionInVmxNonRootMode ( PVOID Address,
UINT64 ActualRip,
BOOLEAN Is32Bit )

Disassembler show only one instruction.

This function should not be directly called from VMX-root mode if the caller is sure that the target buffer is safe to be access, then it's okay

Parameters
Address
ActualRip
Is32Bit
Returns
BOOLEAN
122{
123 ZydisDecoder Decoder;
124 ZydisFormatter Formatter;
125 SIZE_T ReadOffset = 0;
126 ZydisDecodedInstruction Instruction;
127 ZydisDecodedOperand Operands[ZYDIS_MAX_OPERAND_COUNT];
128 ZyanStatus Status;
129 CHAR PrintBuffer[128];
130
131 if (ZydisGetVersion() != ZYDIS_VERSION)
132 {
133 LogError("Err, invalid zydis version");
134 return FALSE;
135 }
136
137 //
138 // Initialize Zydis decoder
139 //
140 if (Is32Bit)
141 {
142 if (!ZYAN_SUCCESS(ZydisDecoderInit(&Decoder, ZYDIS_MACHINE_MODE_LONG_COMPAT_32, ZYDIS_STACK_WIDTH_32)))
143 {
144 return FALSE;
145 }
146 }
147 else
148 {
149 if (!ZYAN_SUCCESS(ZydisDecoderInit(&Decoder, ZYDIS_MACHINE_MODE_LONG_64, ZYDIS_STACK_WIDTH_64)))
150 {
151 return FALSE;
152 }
153 }
154
155 //
156 // Initialize Zydis formatter
157 //
158 if (!ZYAN_SUCCESS(ZydisFormatterInit(&Formatter, ZYDIS_FORMATTER_STYLE_INTEL)))
159 {
160 return FALSE;
161 }
162
163 //
164 // Start the decode loop
165 //
166 while ((Status = ZydisDecoderDecodeFull(&Decoder,
167 (PVOID)((UINT64)Address + ReadOffset),
168 MAXIMUM_INSTR_SIZE - ReadOffset,
169 &Instruction,
170 Operands)) != ZYDIS_STATUS_NO_MORE_DATA)
171 {
172 NT_ASSERT(ZYAN_SUCCESS(Status));
173 if (!ZYAN_SUCCESS(Status))
174 {
175 ReadOffset++;
176 continue;
177 }
178
179 // Format and print the instruction
180 const ZyanU64 InstrAddress = (ZyanU64)((UINT64)ActualRip + ReadOffset);
181 ZydisFormatterFormatInstruction(
182 &Formatter,
183 &Instruction,
184 Operands,
185 Instruction.operand_count_visible,
186 PrintBuffer,
187 sizeof(PrintBuffer),
188 InstrAddress,
189 NULL);
190
191 // LogInfo("+%-4X 0x%-16llX\t\t%hs\n", (UINT32)ReadOffset, InstrAddress, PrintBuffer);
192
193 Log("core: %x | pid: %x - tid: %x,\t %llx \t\t\t\t%hs\n",
194 KeGetCurrentProcessorNumberEx(NULL),
195 PsGetCurrentProcessId(),
196 PsGetCurrentThreadId(),
197 ActualRip,
198 PrintBuffer);
199
200 // ReadOffset += Instruction.length;
201
202 //
203 // Only one instruction is enough
204 //
205 break;
206 }
207
208 //
209 // return an error status so that the driver does not have to be unloaded after running
210 //
211 return TRUE;
212}
Log
#define Log(format,...)
Log without any prefix.
Definition HyperDbgHyperLogIntrinsics.h:129

◆ DisassemblerShowOneInstructionInVmxRootMode()

IMPORT_EXPORT_VMM UINT32 DisassemblerShowOneInstructionInVmxRootMode ( PVOID Address,
BOOLEAN Is32Bit )

Shows the disassembly of only one instruction.

Should be called in VMX-root mode

Parameters
Address
Is32Bit
Returns
UINT32
329{
330 BYTE SafeMemoryToRead[MAXIMUM_INSTR_SIZE] = {0};
331 UINT64 SizeOfSafeBufferToRead = 0;
332
333 //
334 // Read the maximum number of instruction that is valid to be read in the
335 // target address
336 //
337 SizeOfSafeBufferToRead = CheckAddressMaximumInstructionLength(Address);
338
339 //
340 // Find the current instruction
341 //
342 MemoryMapperReadMemorySafeOnTargetProcess((UINT64)Address,
343 SafeMemoryToRead,
344 SizeOfSafeBufferToRead);
345
346 return DisassemblerShowOneInstructionInVmxNonRootMode(SafeMemoryToRead, (UINT64)Address, Is32Bit);
347}
DisassemblerShowOneInstructionInVmxNonRootMode
BOOLEAN DisassemblerShowOneInstructionInVmxNonRootMode(PVOID Address, UINT64 ActualRip, BOOLEAN Is32Bit)
Disassembler show only one instruction.
Definition Disassembler.c:121

◆ GetGuestCr0()

IMPORT_EXPORT_VMM UINT64 GetGuestCr0 ( )

Get the Guest Cr0 value.

Returns
UINT64
461{
462 UINT64 Cr0;
463
464 __vmx_vmread(VMCS_GUEST_CR0, &Cr0);
465 return Cr0;
466}

◆ GetGuestCr2()

IMPORT_EXPORT_VMM UINT64 GetGuestCr2 ( )

Get the Guest Cr2 value.

Returns
UINT64
475{
476 UINT64 Cr2;
477
478 Cr2 = __readcr2();
479 return Cr2;
480}

◆ GetGuestCr3()

IMPORT_EXPORT_VMM UINT64 GetGuestCr3 ( )

Get the Guest Cr3 value.

Returns
UINT64
489{
490 UINT64 Cr3;
491
492 __vmx_vmread(VMCS_GUEST_CR3, &Cr3);
493 return Cr3;
494}

◆ GetGuestCr4()

IMPORT_EXPORT_VMM UINT64 GetGuestCr4 ( )

Get the Guest Cr4 value.

Returns
UINT64
503{
504 UINT64 Cr4;
505
506 __vmx_vmread(VMCS_GUEST_CR4, &Cr4);
507 return Cr4;
508}

◆ GetGuestCr8()

IMPORT_EXPORT_VMM UINT64 GetGuestCr8 ( )

Get the Guest Cr8 value.

Returns
UINT64
517{
518 UINT64 Cr8;
519
520 Cr8 = __readcr8();
521 return Cr8;
522}

◆ GetGuestCs()

IMPORT_EXPORT_VMM VMX_SEGMENT_SELECTOR GetGuestCs ( )

Get the Guest Cs Selector.

Returns
SEGMENT_SELECTOR
50{
51 VMX_SEGMENT_SELECTOR Cs;
52
53 __vmx_vmread(VMCS_GUEST_CS_BASE, &Cs.Base);
54 VmxVmread32P(VMCS_GUEST_CS_LIMIT, &Cs.Limit);
55 VmxVmread32P(VMCS_GUEST_CS_ACCESS_RIGHTS, &Cs.Attributes.AsUInt);
56 VmxVmread16P(VMCS_GUEST_CS_SELECTOR, &Cs.Selector);
57
58 return Cs;
59}
VmxVmread16P
UCHAR VmxVmread16P(size_t Field, UINT16 *FieldValue)
VMX VMREAD instruction (16-bit)
Definition Vmx.c:104
VmxVmread32P
UCHAR VmxVmread32P(size_t Field, UINT32 *FieldValue)
VMX VMREAD instruction (32-bit)
Definition Vmx.c:86
_VMX_SEGMENT_SELECTOR
Segment selector.
Definition DataTypes.h:436
_VMX_SEGMENT_SELECTOR::Limit
UINT32 Limit
Definition DataTypes.h:439
_VMX_SEGMENT_SELECTOR::Attributes
VMX_SEGMENT_ACCESS_RIGHTS_TYPE Attributes
Definition DataTypes.h:438
_VMX_SEGMENT_SELECTOR::Selector
UINT16 Selector
Definition DataTypes.h:437
_VMX_SEGMENT_SELECTOR::Base
UINT64 Base
Definition DataTypes.h:440
VMX_SEGMENT_ACCESS_RIGHTS_TYPE::AsUInt
UINT32 AsUInt
Definition DataTypes.h:428

◆ GetGuestDr0()

IMPORT_EXPORT_VMM UINT64 GetGuestDr0 ( )

Get the Guest Dr0 value.

Returns
UINT64
663{
664 UINT64 Dr0 = 0;
665 Dr0 = __readdr(0);
666 return Dr0;
667}

◆ GetGuestDr1()

IMPORT_EXPORT_VMM UINT64 GetGuestDr1 ( )

Get the Guest Dr1 value.

Returns
UINT64
676{
677 UINT64 Dr1 = 0;
678 Dr1 = __readdr(1);
679 return Dr1;
680}

◆ GetGuestDr2()

IMPORT_EXPORT_VMM UINT64 GetGuestDr2 ( )

Get the Guest Dr2 value.

Returns
UINT64
689{
690 UINT64 Dr2 = 0;
691 Dr2 = __readdr(2);
692 return Dr2;
693}

◆ GetGuestDr3()

IMPORT_EXPORT_VMM UINT64 GetGuestDr3 ( )

Get the Guest Dr3 value.

Returns
UINT64
702{
703 UINT64 Dr3 = 0;
704 Dr3 = __readdr(3);
705 return Dr3;
706}

◆ GetGuestDr6()

IMPORT_EXPORT_VMM UINT64 GetGuestDr6 ( )

Get the Guest Dr6 (breakpoint status) value.

Returns
UINT64
715{
716 UINT64 Dr6 = 0;
717 Dr6 = __readdr(6);
718 return Dr6;
719}

◆ GetGuestDr7()

IMPORT_EXPORT_VMM UINT64 GetGuestDr7 ( )

Get the Guest Dr7 (breakpoint trigger) value.

Returns
UINT64
728{
729 UINT64 Dr7 = 0;
730 Dr7 = __readdr(7);
731 return Dr7;
732}

◆ GetGuestDs()

IMPORT_EXPORT_VMM VMX_SEGMENT_SELECTOR GetGuestDs ( )

Get the Guest Ds Selector.

Returns
SEGMENT_SELECTOR
140{
141 VMX_SEGMENT_SELECTOR Ds;
142
143 __vmx_vmread(VMCS_GUEST_DS_BASE, &Ds.Base);
144 VmxVmread32P(VMCS_GUEST_DS_LIMIT, &Ds.Limit);
145 VmxVmread32P(VMCS_GUEST_DS_ACCESS_RIGHTS, &Ds.Attributes.AsUInt);
146 VmxVmread16P(VMCS_GUEST_DS_SELECTOR, &Ds.Selector);
147
148 return Ds;
149}

◆ GetGuestEs()

IMPORT_EXPORT_VMM VMX_SEGMENT_SELECTOR GetGuestEs ( )

Get the Guest Es Selector.

Returns
SEGMENT_SELECTOR
275{
276 VMX_SEGMENT_SELECTOR Es;
277
278 __vmx_vmread(VMCS_GUEST_ES_BASE, &Es.Base);
279 VmxVmread32P(VMCS_GUEST_ES_LIMIT, &Es.Limit);
280 VmxVmread32P(VMCS_GUEST_ES_ACCESS_RIGHTS, &Es.Attributes.AsUInt);
281 VmxVmread16P(VMCS_GUEST_ES_SELECTOR, &Es.Selector);
282
283 return Es;
284}

◆ GetGuestFs()

IMPORT_EXPORT_VMM VMX_SEGMENT_SELECTOR GetGuestFs ( )

Get the Guest Fs Selector.

Returns
SEGMENT_SELECTOR
185{
186 VMX_SEGMENT_SELECTOR Fs;
187
188 __vmx_vmread(VMCS_GUEST_FS_BASE, &Fs.Base);
189 VmxVmread32P(VMCS_GUEST_FS_LIMIT, &Fs.Limit);
190 VmxVmread32P(VMCS_GUEST_FS_ACCESS_RIGHTS, &Fs.Attributes.AsUInt);
191 VmxVmread16P(VMCS_GUEST_FS_SELECTOR, &Fs.Selector);
192
193 return Fs;
194}

◆ GetGuestGdtr()

IMPORT_EXPORT_VMM UINT64 GetGuestGdtr ( )

Get the Guest Gdtr.

Returns
UINT64
359{
360 UINT64 Gdtr;
361
362 __vmx_vmread(VMCS_GUEST_GDTR_BASE, &Gdtr);
363
364 return Gdtr;
365}

◆ GetGuestGs()

IMPORT_EXPORT_VMM VMX_SEGMENT_SELECTOR GetGuestGs ( )

Get the Guest Gs Selector.

Returns
SEGMENT_SELECTOR
230{
231 VMX_SEGMENT_SELECTOR Gs;
232
233 __vmx_vmread(VMCS_GUEST_GS_BASE, &Gs.Base);
234 VmxVmread32P(VMCS_GUEST_GS_LIMIT, &Gs.Limit);
235 VmxVmread32P(VMCS_GUEST_GS_ACCESS_RIGHTS, &Gs.Attributes.AsUInt);
236 VmxVmread16P(VMCS_GUEST_GS_SELECTOR, &Gs.Selector);
237
238 return Gs;
239}

◆ GetGuestIdtr()

IMPORT_EXPORT_VMM UINT64 GetGuestIdtr ( )

Get the Guest Idtr.

Returns
UINT64
305{
306 UINT64 Idtr;
307
308 __vmx_vmread(VMCS_GUEST_IDTR_BASE, &Idtr);
309
310 return Idtr;
311}

◆ GetGuestLdtr()

IMPORT_EXPORT_VMM UINT64 GetGuestLdtr ( )

Get the Guest Ldtr.

Returns
UINT64
332{
333 UINT64 Ldtr;
334
335 __vmx_vmread(VMCS_GUEST_LDTR_BASE, &Ldtr);
336
337 return Ldtr;
338}

◆ GetGuestRFlags()

IMPORT_EXPORT_VMM UINT64 GetGuestRFlags ( )

Get the Guest Rflags value.

Returns
UINT64
410{
411 UINT64 RFlags;
412 __vmx_vmread(VMCS_GUEST_RFLAGS, &RFlags);
413 return RFlags;
414}

◆ GetGuestRIP()

IMPORT_EXPORT_VMM UINT64 GetGuestRIP ( )

Get the Guest RIP value.

Returns
UINT64
447{
448 UINT64 RIP;
449
450 __vmx_vmread(VMCS_GUEST_RIP, &RIP);
451 return RIP;
452}

◆ GetGuestSs()

IMPORT_EXPORT_VMM VMX_SEGMENT_SELECTOR GetGuestSs ( )

Get the Guest Ss Selector.

Returns
SEGMENT_SELECTOR
95{
96 VMX_SEGMENT_SELECTOR Ss;
97
98 __vmx_vmread(VMCS_GUEST_SS_BASE, &Ss.Base);
99 VmxVmread32P(VMCS_GUEST_SS_LIMIT, &Ss.Limit);
100 VmxVmread32P(VMCS_GUEST_SS_ACCESS_RIGHTS, &Ss.Attributes.AsUInt);
101 VmxVmread16P(VMCS_GUEST_SS_SELECTOR, &Ss.Selector);
102
103 return Ss;
104}

◆ GetGuestTr()

IMPORT_EXPORT_VMM UINT64 GetGuestTr ( )

Get the Guest Tr.

Returns
UINT64
384{
385 UINT64 Tr;
386
387 __vmx_vmread(VMCS_GUEST_TR_BASE, &Tr);
388
389 return Tr;
390}

◆ LayoutGetCurrentProcessCr3()

IMPORT_EXPORT_VMM CR3_TYPE LayoutGetCurrentProcessCr3 ( )

Get cr3 of the target running process.

Returns
CR3_TYPE Returns the cr3 of running process
56{
57 CR3_TYPE GuestCr3;
58
59 //
60 // Due to KVA Shadowing, we need to switch to a different directory table base
61 // if the PCID indicates this is a user mode directory table base.
62 //
63 NT_KPROCESS * CurrentProcess = (NT_KPROCESS *)(PsGetCurrentProcess());
64 GuestCr3.Flags = CurrentProcess->DirectoryTableBase;
65
66 return GuestCr3;
67}
_NT_KPROCESS
KPROCESS Brief structure.
Definition Common.h:265
_NT_KPROCESS::DirectoryTableBase
ULONG_PTR DirectoryTableBase
Definition Common.h:268

◆ LayoutGetExactGuestProcessCr3()

IMPORT_EXPORT_VMM CR3_TYPE LayoutGetExactGuestProcessCr3 ( )

Get cr3 of the target running process.

Returns
CR3_TYPE Returns the cr3 of running process
76{
77 CR3_TYPE GuestCr3 = {0};
78
79 __vmx_vmread(VMCS_GUEST_CR3, &GuestCr3.Flags);
80
81 return GuestCr3;
82}

◆ MemoryManagerReadProcessMemoryNormal()

IMPORT_EXPORT_VMM BOOLEAN MemoryManagerReadProcessMemoryNormal ( HANDLE PID,
PVOID Address,
DEBUGGER_READ_MEMORY_TYPE MemType,
PVOID UserBuffer,
SIZE_T Size,
PSIZE_T ReturnSize )

Read process memory.

This function should not be called from vmx-root mode

Parameters
PIDTarget Process Id
AddressTarget Address
MemTypeType of memory
UserBufferBuffer to save to the user. This buffer must be in nonpageable memory.
SizeSize of read
ReturnSizeReturn Size
Returns
BOOLEAN
35{
36 PEPROCESS SourceProcess;
37 MM_COPY_ADDRESS CopyAddress = {0};
38 KAPC_STATE State = {0};
39 PHYSICAL_ADDRESS TempPhysicalAddress = {0};
40
41 //
42 // Check if we want another process memory, this way we attach to that process
43 // the find the physical address of the memory and read it from here using physical
44 // address
45
46 //
47 // The second thing that we consider here is reading a physical address doesn't
48 // need to attach to another process
49 //
50 if (PsGetCurrentProcessId() != PID && MemType == DEBUGGER_READ_VIRTUAL_ADDRESS)
51 {
52 //
53 // User needs another process memory
54 //
55
56 if (PsLookupProcessByProcessId(PID, &SourceProcess) != STATUS_SUCCESS)
57 {
58 //
59 // if the process not found
60 //
61 return FALSE;
62 }
63 __try
64 {
65 KeStackAttachProcess(SourceProcess, &State);
66
67 //
68 // We're in context of another process let's read the memory
69 //
70 TempPhysicalAddress = MmGetPhysicalAddress(Address);
71
72 KeUnstackDetachProcess(&State);
73
74 //
75 // Now we have to read the physical address
76 //
77 CopyAddress.PhysicalAddress.QuadPart = TempPhysicalAddress.QuadPart;
78 MmCopyMemory(UserBuffer, CopyAddress, Size, MM_COPY_MEMORY_PHYSICAL, ReturnSize);
79
80 ObDereferenceObject(SourceProcess);
81
82 return TRUE;
83 }
84 __except (EXCEPTION_EXECUTE_HANDLER)
85 {
86 KeUnstackDetachProcess(&State);
87
88 ObDereferenceObject(SourceProcess);
89
90 return FALSE;
91 }
92 }
93 else
94 {
95 //
96 // Process needs itself memory
97 //
98 __try
99 {
100 if (MemType == DEBUGGER_READ_VIRTUAL_ADDRESS)
101 {
102 CopyAddress.VirtualAddress = Address;
103 MmCopyMemory(UserBuffer, CopyAddress, Size, MM_COPY_MEMORY_VIRTUAL, ReturnSize);
104 }
105 else if (MemType == DEBUGGER_READ_PHYSICAL_ADDRESS)
106 {
107 //
108 // Check whether the physical memory is valid or not
109 //
110 if (!CheckAddressPhysical((UINT64)Address))
111 {
112 return FALSE;
113 }
114
115 CopyAddress.PhysicalAddress.QuadPart = (LONGLONG)Address;
116 MmCopyMemory(UserBuffer, CopyAddress, Size, MM_COPY_MEMORY_PHYSICAL, ReturnSize);
117 }
118 else
119 {
120 //
121 // Type is not recognized
122 //
123 return FALSE;
124 }
125
126 //
127 // MmCopyVirtualMemory(SourceProcess, Address, TargetProcess, UserBuffer, Size, KernelMode, ReturnSize);
128 // memcpy(UserBuffer, Address, Size);
129 //
130
131 return TRUE;
132 }
133 __except (EXCEPTION_EXECUTE_HANDLER)
134 {
135 return FALSE;
136 }
137 }
138}
CheckAddressPhysical
BOOLEAN CheckAddressPhysical(UINT64 PAddr)
Checks if the physical address is correct or not based on physical address width.
Definition AddressCheck.c:120
DEBUGGER_READ_PHYSICAL_ADDRESS
@ DEBUGGER_READ_PHYSICAL_ADDRESS
Definition RequestStructures.h:229
DEBUGGER_READ_VIRTUAL_ADDRESS
@ DEBUGGER_READ_VIRTUAL_ADDRESS
Definition RequestStructures.h:230

◆ MemoryMapperCheckIfPageIsNxBitSetOnTargetProcess()

IMPORT_EXPORT_VMM BOOLEAN MemoryMapperCheckIfPageIsNxBitSetOnTargetProcess ( _In_ PVOID Va)

◆ MemoryMapperCheckIfPdeIsLargePageOnTargetProcess()

IMPORT_EXPORT_VMM BOOLEAN MemoryMapperCheckIfPdeIsLargePageOnTargetProcess ( _In_ PVOID Va)

◆ MemoryMapperCheckPteIsPresentOnTargetProcess()

IMPORT_EXPORT_VMM BOOLEAN MemoryMapperCheckPteIsPresentOnTargetProcess ( PVOID Va,
PAGING_LEVEL Level )

This function checks whether the virtual address is present in the RAM or not.

Parameters
VaVirtual Address
LevelPMLx
Returns
BOOLEAN Is present or not
175{
176 PPAGE_ENTRY PageEntry = NULL;
177 CR3_TYPE GuestCr3;
178 CR3_TYPE CurrentProcessCr3 = {0};
179 BOOLEAN Result = FALSE;
180
181 //
182 // Move to guest process as we're currently in system cr3
183 //
184
185 //
186 // Find the current process cr3
187 //
188 GuestCr3.Flags = LayoutGetCurrentProcessCr3().Flags;
189
190 //
191 // Switch to new process's memory layout
192 // It is because, we're not trying to change the cr3 multiple times
193 // so instead of using PhysicalAddressToVirtualAddressByCr3 we use
194 // PhysicalAddressToVirtualAddress, but keep in mind that cr3 should
195 // be a kernel cr3 (not KPTI user cr3) as the functions to translate
196 // physical address to virtual address is not mapped on the user cr3
197 //
198 CurrentProcessCr3 = SwitchToProcessMemoryLayoutByCr3(GuestCr3);
199
200 //
201 // Call the wrapper
202 //
203 PageEntry = MemoryMapperGetPteVaWithoutSwitchingByCr3(Va, Level, GuestCr3);
204
205 if (PageEntry == NULL)
206 {
207 Result = FALSE;
208 }
209 else
210 {
211 //
212 // Check if page is present or not
213 //
214 if (PageEntry->Fields.Present == TRUE)
215 {
216 //
217 // It's present
218 //
219 Result = TRUE;
220 }
221 else
222 {
223 //
224 // It's not present
225 //
226 Result = FALSE;
227 }
228 }
229
230 //
231 // Restore the original process
232 //
233 SwitchToPreviousProcess(CurrentProcessCr3);
234
235 return Result;
236}
MemoryMapperGetPteVaWithoutSwitchingByCr3
_Use_decl_annotations_ PVOID MemoryMapperGetPteVaWithoutSwitchingByCr3(PVOID Va, PAGING_LEVEL Level, CR3_TYPE TargetCr3)
This function gets virtual address and returns its PTE of the virtual address based on the specific c...
Definition MemoryMapper.c:314
SwitchToPreviousProcess
_Use_decl_annotations_ VOID SwitchToPreviousProcess(CR3_TYPE PreviousProcess)
Switch to previous process's cr3.
Definition SwitchLayout.c:125
SwitchToProcessMemoryLayoutByCr3
_Use_decl_annotations_ CR3_TYPE SwitchToProcessMemoryLayoutByCr3(CR3_TYPE TargetCr3)
Switch to another process's cr3.
Definition SwitchLayout.c:99
test-case-generator.NULL
NULL()
Definition test-case-generator.py:530
_PAGE_ENTRY
Page Entries.
Definition MemoryMapper.h:61
_PAGE_ENTRY::Fields
struct _PAGE_ENTRY::@2::@4 Fields
_PAGE_ENTRY::Present
UINT64 Present
Definition MemoryMapper.h:79

◆ MemoryMapperFreeMemoryOnTargetProcess()

IMPORT_EXPORT_VMM BOOLEAN MemoryMapperFreeMemoryOnTargetProcess ( _In_ UINT32 ProcessId,
_Inout_ PVOID BaseAddress )

◆ MemoryMapperGetPteVa()

IMPORT_EXPORT_VMM PVOID MemoryMapperGetPteVa ( _In_ PVOID Va,
_In_ PAGING_LEVEL Level )

◆ MemoryMapperGetPteVaByCr3()

IMPORT_EXPORT_VMM PVOID MemoryMapperGetPteVaByCr3 ( _In_ PVOID Va,
_In_ PAGING_LEVEL Level,
_In_ CR3_TYPE TargetCr3 )

◆ MemoryMapperGetPteVaOnTargetProcess()

IMPORT_EXPORT_VMM PVOID MemoryMapperGetPteVaOnTargetProcess ( _In_ PVOID Va,
_In_ PAGING_LEVEL Level )

◆ MemoryMapperGetPteVaWithoutSwitchingByCr3()

IMPORT_EXPORT_VMM PVOID MemoryMapperGetPteVaWithoutSwitchingByCr3 ( _In_ PVOID Va,
_In_ PAGING_LEVEL Level,
_In_ CR3_TYPE TargetCr3 )

◆ MemoryMapperReadMemorySafe()

IMPORT_EXPORT_VMM BOOLEAN MemoryMapperReadMemorySafe ( _In_ UINT64 VaAddressToRead,
_Inout_ PVOID BufferToSaveMemory,
_In_ SIZE_T SizeToRead )

◆ MemoryMapperReadMemorySafeByPhysicalAddress()

IMPORT_EXPORT_VMM BOOLEAN MemoryMapperReadMemorySafeByPhysicalAddress ( _In_ UINT64 PaAddressToRead,
_Inout_ UINT64 BufferToSaveMemory,
_In_ SIZE_T SizeToRead )

◆ MemoryMapperReadMemorySafeOnTargetProcess()

IMPORT_EXPORT_VMM BOOLEAN MemoryMapperReadMemorySafeOnTargetProcess ( _In_ UINT64 VaAddressToRead,
_Inout_ PVOID BufferToSaveMemory,
_In_ SIZE_T SizeToRead )

◆ MemoryMapperReserveUsermodeAddressOnTargetProcess()

IMPORT_EXPORT_VMM UINT64 MemoryMapperReserveUsermodeAddressOnTargetProcess ( _In_ UINT32 ProcessId,
_In_ BOOLEAN Allocate )

◆ MemoryMapperSetExecuteDisableToPteOnTargetProcess()

IMPORT_EXPORT_VMM PVOID MemoryMapperSetExecuteDisableToPteOnTargetProcess ( _In_ PVOID Va,
_In_ BOOLEAN Set )

◆ MemoryMapperSetSupervisorBitWithoutSwitchingByCr3()

IMPORT_EXPORT_VMM BOOLEAN MemoryMapperSetSupervisorBitWithoutSwitchingByCr3 ( _In_ PVOID Va,
_In_ BOOLEAN Set,
_In_ PAGING_LEVEL Level,
_In_ CR3_TYPE TargetCr3 )

◆ MemoryMapperWriteMemorySafe()

IMPORT_EXPORT_VMM BOOLEAN MemoryMapperWriteMemorySafe ( _Inout_ UINT64 Destination,
_In_ PVOID Source,
_In_ SIZE_T SizeToWrite,
_In_ CR3_TYPE TargetProcessCr3 )

◆ MemoryMapperWriteMemorySafeByPhysicalAddress()

IMPORT_EXPORT_VMM BOOLEAN MemoryMapperWriteMemorySafeByPhysicalAddress ( _Inout_ UINT64 DestinationPa,
_In_ UINT64 Source,
_In_ SIZE_T SizeToWrite )

◆ MemoryMapperWriteMemorySafeOnTargetProcess()

IMPORT_EXPORT_VMM BOOLEAN MemoryMapperWriteMemorySafeOnTargetProcess ( _Inout_ UINT64 Destination,
_In_ PVOID Source,
_In_ SIZE_T Size )

◆ MemoryMapperWriteMemoryUnsafe()

IMPORT_EXPORT_VMM BOOLEAN MemoryMapperWriteMemoryUnsafe ( _Inout_ UINT64 Destination,
_In_ PVOID Source,
_In_ SIZE_T SizeToWrite,
_In_ UINT32 TargetProcessId )

◆ PhysicalAddressToVirtualAddress()

IMPORT_EXPORT_VMM UINT64 PhysicalAddressToVirtualAddress ( _In_ UINT64 PhysicalAddress)

◆ PhysicalAddressToVirtualAddressByCr3()

IMPORT_EXPORT_VMM UINT64 PhysicalAddressToVirtualAddressByCr3 ( _In_ PVOID PhysicalAddress,
_In_ CR3_TYPE TargetCr3 )

◆ PhysicalAddressToVirtualAddressByProcessId()

IMPORT_EXPORT_VMM UINT64 PhysicalAddressToVirtualAddressByProcessId ( _In_ PVOID PhysicalAddress,
_In_ UINT32 ProcessId )

◆ PhysicalAddressToVirtualAddressOnTargetProcess()

IMPORT_EXPORT_VMM UINT64 PhysicalAddressToVirtualAddressOnTargetProcess ( _In_ PVOID PhysicalAddress)

◆ PoolManagerCheckAndPerformAllocationAndDeallocation()

IMPORT_EXPORT_VMM BOOLEAN PoolManagerCheckAndPerformAllocationAndDeallocation ( )

This function performs allocations from VMX non-root based on g_RequestNewAllocation.

Returns
BOOLEAN If the pool manager allocates buffer or there was no buffer to allocate then it returns true, if there was any error then it returns false
303{
304 BOOLEAN Result = TRUE;
305 PLIST_ENTRY ListTemp = 0;
306
307 //
308 // let's make sure we're on vmx non-root and also we have new allocation
309 //
310 if (VmxGetCurrentExecutionMode() == TRUE)
311 {
312 //
313 // allocation's can't be done from vmx root
314 //
315 return FALSE;
316 }
317
318 //
319 // Make sure paging works properly
320 //
321 PAGED_CODE();
322
323 //
324 // Check for new allocation
325 //
326 if (g_IsNewRequestForAllocationReceived)
327 {
328 for (SIZE_T i = 0; i < MaximumRequestsQueueDepth; i++)
329 {
330 REQUEST_NEW_ALLOCATION * CurrentItem = &g_RequestNewAllocation[i];
331
332 if (CurrentItem->Size != 0)
333 {
334 Result = PoolManagerAllocateAndAddToPoolTable(CurrentItem->Size,
335 CurrentItem->Count,
336 CurrentItem->Intention);
337
338 //
339 // Free the data for future use
340 //
341 CurrentItem->Count = 0;
342 CurrentItem->Intention = 0;
343 CurrentItem->Size = 0;
344 }
345 }
346 }
347
348 //
349 // Check for deallocation
350 //
351 if (g_IsNewRequestForDeAllocation)
352 {
353 ListTemp = &g_ListOfAllocatedPoolsHead;
354
355 SpinlockLock(&LockForReadingPool);
356
357 while (&g_ListOfAllocatedPoolsHead != ListTemp->Flink)
358 {
359 ListTemp = ListTemp->Flink;
360
361 //
362 // Get the head of the record
363 //
364 PPOOL_TABLE PoolTable = (PPOOL_TABLE)CONTAINING_RECORD(ListTemp, POOL_TABLE, PoolsList);
365
366 //
367 // Check whether this pool should be freed or not and
368 // also check whether it's already freed or not
369 //
370 if (PoolTable->ShouldBeFreed && !PoolTable->AlreadyFreed)
371 {
372 //
373 // Set the flag to indicate that we freed
374 //
375 PoolTable->AlreadyFreed = TRUE;
376
377 //
378 // This item should be freed
379 //
380 PlatformMemFreePool((PVOID)PoolTable->Address);
381
382 //
383 // Now we should remove the entry from the g_ListOfAllocatedPoolsHead
384 //
385 RemoveEntryList(&PoolTable->PoolsList);
386
387 //
388 // Free the structure pool
389 //
390 PlatformMemFreePool(PoolTable);
391 }
392 }
393
394 SpinlockUnlock(&LockForReadingPool);
395 }
396
397 //
398 // All allocation and deallocation are performed
399 //
400 g_IsNewRequestForDeAllocation = FALSE;
401 g_IsNewRequestForAllocationReceived = FALSE;
402
403 return Result;
404}
PlatformMemFreePool
VOID PlatformMemFreePool(PVOID BufferAddress)
Free (dellocate) a non-paged buffer.
Definition Mem.c:86
PoolManagerAllocateAndAddToPoolTable
BOOLEAN PoolManagerAllocateAndAddToPoolTable(SIZE_T Size, UINT32 Count, POOL_ALLOCATION_INTENTION Intention)
Allocate the new pools and add them to pool table.
Definition PoolManager.c:253
LockForReadingPool
volatile LONG LockForReadingPool
Spinlock for reading pool.
Definition PoolManager.h:77
PPOOL_TABLE
struct _POOL_TABLE * PPOOL_TABLE
MaximumRequestsQueueDepth
#define MaximumRequestsQueueDepth
Maximum Pool Requests (while not allocated)
Definition PoolManager.h:22
g_IsNewRequestForAllocationReceived
BOOLEAN g_IsNewRequestForAllocationReceived
We set it when there is a new allocation.
Definition PoolManager.h:83
g_RequestNewAllocation
REQUEST_NEW_ALLOCATION * g_RequestNewAllocation
If sb wants allocation from vmx root, adds it's request to this structure.
Definition PoolManager.h:65
g_IsNewRequestForDeAllocation
BOOLEAN g_IsNewRequestForDeAllocation
We set it when there is a new allocation.
Definition PoolManager.h:89
g_ListOfAllocatedPoolsHead
LIST_ENTRY g_ListOfAllocatedPoolsHead
Create a list from all pools.
Definition PoolManager.h:95
SpinlockLock
void SpinlockLock(volatile LONG *Lock)
Tries to get the lock and won't return until successfully get the lock.
Definition Spinlock.c:52
SpinlockUnlock
void SpinlockUnlock(volatile LONG *Lock)
Release the lock.
Definition Spinlock.c:158
VmxGetCurrentExecutionMode
BOOLEAN VmxGetCurrentExecutionMode()
Check current execution mode (vmx-root and non-root)
Definition Vmx.c:222
RemoveEntryList
FORCEINLINE BOOLEAN RemoveEntryList(_In_ PLIST_ENTRY Entry)
Definition Windows.h:56
_POOL_TABLE
Table of holding pools detail structure.
Definition PoolManager.h:34
_POOL_TABLE::Address
UINT64 Address
Definition PoolManager.h:35
_POOL_TABLE::ShouldBeFreed
BOOLEAN ShouldBeFreed
Definition PoolManager.h:40
_POOL_TABLE::AlreadyFreed
BOOLEAN AlreadyFreed
Definition PoolManager.h:41
_POOL_TABLE::PoolsList
LIST_ENTRY PoolsList
Definition PoolManager.h:38
_REQUEST_NEW_ALLOCATION
Manage the requests for new allocations.
Definition PoolManager.h:50
_REQUEST_NEW_ALLOCATION::Count
UINT32 Count
Definition PoolManager.h:52
_REQUEST_NEW_ALLOCATION::Size
SIZE_T Size
Definition PoolManager.h:51
_REQUEST_NEW_ALLOCATION::Intention
POOL_ALLOCATION_INTENTION Intention
Definition PoolManager.h:53

◆ PoolManagerFreePool()

IMPORT_EXPORT_VMM BOOLEAN PoolManagerFreePool ( UINT64 AddressToFree)

This function set a pool flag to be freed, and it will be freed on the next IOCTL when it's safe to remove.

Parameters
AddressToFreeThe pool address that was previously obtained from the pool manager
Returns
BOOLEAN If the address was already in the list of allocated pools by pool manager then it returns TRUE; otherwise, FALSE
137{
138 PLIST_ENTRY ListTemp = 0;
139 BOOLEAN Result = FALSE;
140 ListTemp = &g_ListOfAllocatedPoolsHead;
141
142 SpinlockLock(&LockForReadingPool);
143
144 while (&g_ListOfAllocatedPoolsHead != ListTemp->Flink)
145 {
146 ListTemp = ListTemp->Flink;
147
148 //
149 // Get the head of the record
150 //
151 PPOOL_TABLE PoolTable = (PPOOL_TABLE)CONTAINING_RECORD(ListTemp, POOL_TABLE, PoolsList);
152
153 if (PoolTable->Address == AddressToFree)
154 {
155 //
156 // We found an entry that matched the detailed from
157 // previously allocated pools
158 //
159 PoolTable->ShouldBeFreed = TRUE;
160 Result = TRUE;
161
162 g_IsNewRequestForDeAllocation = TRUE;
163 break;
164 }
165 }
166
167 SpinlockUnlock(&LockForReadingPool);
168 return Result;
169}

◆ PoolManagerRequestAllocation()

IMPORT_EXPORT_VMM BOOLEAN PoolManagerRequestAllocation ( SIZE_T Size,
UINT32 Count,
POOL_ALLOCATION_INTENTION Intention )

Request to allocate new buffers.

Parameters
SizeRequest new buffer to allocate
CountCount of chunks
IntentionThe intention of chunks (buffer tag)
Returns
BOOLEAN If the request is save it returns true otherwise it returns false
416{
417 BOOLEAN FoundAPlace = FALSE;
418
419 //
420 // ******** We check to find a free place to store ********
421 //
422
423 SpinlockLock(&LockForRequestAllocation);
424
425 for (SIZE_T i = 0; i < MaximumRequestsQueueDepth; i++)
426 {
427 REQUEST_NEW_ALLOCATION * CurrentItem = &g_RequestNewAllocation[i];
428
429 if (CurrentItem->Size == 0)
430 {
431 CurrentItem->Count = Count;
432 CurrentItem->Intention = Intention;
433 CurrentItem->Size = Size;
434
435 FoundAPlace = TRUE;
436
437 break;
438 }
439 }
440
441 if (!FoundAPlace)
442 {
443 SpinlockUnlock(&LockForRequestAllocation);
444 return FALSE;
445 }
446
447 //
448 // Signals to show that we have new allocations
449 //
450 g_IsNewRequestForAllocationReceived = TRUE;
451
452 SpinlockUnlock(&LockForRequestAllocation);
453 return TRUE;
454}
LockForRequestAllocation
volatile LONG LockForRequestAllocation
Request allocation Spinlock.
Definition PoolManager.h:71

◆ PoolManagerRequestPool()

IMPORT_EXPORT_VMM UINT64 PoolManagerRequestPool ( POOL_ALLOCATION_INTENTION Intention,
BOOLEAN RequestNewPool,
UINT32 Size )

This function should be called from vmx-root in order to get a pool from the list.

If RequestNewPool is TRUE then Size is used, otherwise Size is useless Note : Most of the times this function called from vmx root but not all the time

Parameters
IntentionThe intention why we need this pool for (buffer tag)
RequestNewPoolCreate a request to allocate a new pool with the same size, next time that it's safe to allocate (this way we never ran out of pools for this "Intention")
SizeIf the RequestNewPool is true the we should specify a size for the new pool
Returns
UINT64 Returns a pool address or returns null if there was an error
213{
214 UINT64 Address = 0;
215
216 ScopedSpinlock(
217 LockForReadingPool,
218 LIST_FOR_EACH_LINK(g_ListOfAllocatedPoolsHead, POOL_TABLE, PoolsList, PoolTable) {
219 if (PoolTable->Intention == Intention && PoolTable->IsBusy == FALSE)
220 {
221 PoolTable->IsBusy = TRUE;
222 Address = PoolTable->Address;
223 break;
224 }
225 });
226
227 //
228 // Check if we need additional pools e.g another pool or the pool
229 // will be available for the next use blah blah
230 //
231 if (RequestNewPool)
232 {
233 PoolManagerRequestAllocation(Size, 1, Intention);
234 }
235
236 //
237 // return Address might be null indicating there is no valid pools
238 //
239 return Address;
240}
LIST_FOR_EACH_LINK
#define LIST_FOR_EACH_LINK(_head, _struct_type, _member, _var)
Definition MetaMacros.h:34
PoolManagerRequestAllocation
BOOLEAN PoolManagerRequestAllocation(SIZE_T Size, UINT32 Count, POOL_ALLOCATION_INTENTION Intention)
Request to allocate new buffers.
Definition PoolManager.c:415
ScopedSpinlock
#define ScopedSpinlock(LockObject, CodeToRun)
Definition Spinlock.h:39

◆ PoolManagerShowPreAllocatedPools()

IMPORT_EXPORT_VMM VOID PoolManagerShowPreAllocatedPools ( )

Shows list of pre-allocated pools available (used for debugging purposes)

Returns
VOID
178{
179 PLIST_ENTRY ListTemp = 0;
180 ListTemp = &g_ListOfAllocatedPoolsHead;
181
182 while (&g_ListOfAllocatedPoolsHead != ListTemp->Flink)
183 {
184 ListTemp = ListTemp->Flink;
185
186 //
187 // Get the head of the record
188 //
189 PPOOL_TABLE PoolTable = (PPOOL_TABLE)CONTAINING_RECORD(ListTemp, POOL_TABLE, PoolsList);
190
191 LogInfo("Pool details, Pool intention: %x | Pool address: %llx | Pool state: %s | Should be freed: %s | Already freed: %s\n",
192 PoolTable->Intention,
193 PoolTable->Address,
194 PoolTable->IsBusy ? "used" : "free",
195 PoolTable->ShouldBeFreed ? "true" : "false",
196 PoolTable->AlreadyFreed ? "true" : "false");
197 }
198}
_POOL_TABLE::IsBusy
BOOLEAN IsBusy
Definition PoolManager.h:39
_POOL_TABLE::Intention
POOL_ALLOCATION_INTENTION Intention
Definition PoolManager.h:37

◆ SetDebugRegisters()

IMPORT_EXPORT_VMM BOOLEAN SetDebugRegisters ( UINT32 DebugRegNum,
DEBUG_REGISTER_TYPE ActionType,
BOOLEAN ApplyToVmcs,
UINT64 TargetAddress )

Configure hardware debug register for access, write and fetch breakpoints.

if apply to vmcs is true then should be called at vmx-root mode keep in mind that it applies only on one core Also, the caller must be sure that Load Debug Controls and Save Debug Controls on VM-entry and VM-exit controls on the VMCS of the target core, vmcalls VMCALL_SET_VM_ENTRY_LOAD_DEBUG_CONTROLS and VMCALL_SET_VM_EXIT_SAVE_DEBUG_CONTROLS are designed for this purpose should be called on vmx-root mode if the ApplyToVmcs is TRUE

Parameters
DebugRegNumDebug register that want to apply to it (can be between 0 to 3 as current processors support only 4 locations on hardware debug register)
ActionTypeType of breakpoint (Access, write, fetch)
ApplyToVmcsApply on GUEST_RIP register of VMCS, see details above for more information
TargetAddressTarget breakpoint virtual address
Returns
BOOLEAN If TRUE, shows the request configuration is correct, otherwise it's either not supported or not correct configuration
38{
39 DR7 Dr7 = {0};
40
41 //
42 // Debug registers can be dr0, dr1, dr2, dr3
43 //
44 if (DebugRegNum >= 4)
45 {
46 return FALSE;
47 }
48
49 //
50 // Configure the dr7 (dr6 is only to show the status)
51 // the configuration derived from https://stackoverflow.com/questions/40818920/
52 //
53 // Check-list:
54 // - Set the reserved bits to their right values
55 // - Set DR7.LE and DR7.GE to 1
56 // - Set DR7.L0(L1, L2, L3) to 1 [local breakpoint]
57 // - Make sure DR7.RW/0 (RW/1, RW/2, RW/3) is 0 [break on instruction exec]
58 // - Make sure DR7.LEN0 (LEN1, LEN2, LEN3) is 0 [1 byte length]
59 // - Set DR0 (1, 2, 3) to the instruction linear address
60 // - Make sure linear address [DR0 to DR3] falls on the first byte of the instruction
61 //
62
63 //
64 // Must be 1
65 //
66 Dr7.Reserved1 = 1;
67
68 //
69 // Based on Intel Manual:
70 // we recommend that the LE and GE flags be set to 1 if exact breakpoints are required
71 //
72 Dr7.LocalExactBreakpoint = 1;
73 Dr7.GlobalExactBreakpoint = 1;
74
75 //
76 // Set the target address and enable it on dr7
77 //
78 if (DebugRegNum == 0)
79 {
80 __writedr(0, TargetAddress);
81
82 Dr7.GlobalBreakpoint0 = 1;
83
84 //
85 // Based on SDM :
86 // 00 - Break on instruction execution only.
87 // 01 - Break on data writes only.
88 // 10 - Break on I/O reads or writes.
89 // 11 - Break on data reads or writes but not instruction fetches
90 // Also 10, is based on another bit so it is configured based on
91 // other bits, read the SDM for more.
92 //
93
94 switch (ActionType)
95 {
96 case BREAK_ON_INSTRUCTION_FETCH:
97 Dr7.ReadWrite0 = 0b00; // 0b00 => 0
98 break;
99 case BREAK_ON_WRITE_ONLY:
100 Dr7.ReadWrite0 = 0b01; // 0b01 => 1
101 break;
102 case BREAK_ON_IO_READ_OR_WRITE_NOT_SUPPORTED:
103 Dr7.ReadWrite0 = 0b10; // 0b10 => 2
104 LogError("Err, I/O access breakpoint by debug regs are not supported");
105 return FALSE;
106 break;
107 case BREAK_ON_READ_AND_WRITE_BUT_NOT_FETCH:
108 Dr7.ReadWrite0 = 0b11; // 0b11 => 3
109 break;
110
111 default:
112 //
113 // what?
114 //
115 LogError("Err, unknown parameter as debug reg action type");
116 return FALSE;
117 break;
118 }
119 }
120 else if (DebugRegNum == 1)
121 {
122 __writedr(1, TargetAddress);
123 Dr7.GlobalBreakpoint1 = 1;
124
125 //
126 // Based on SDM :
127 // 00 - Break on instruction execution only.
128 // 01 - Break on data writes only.
129 // 10 - Break on I/O reads or writes.
130 // 11 - Break on data reads or writes but not instruction fetches
131 // Also 10, is based on another bit so it is configured based on
132 // other bits, read the SDM for more.
133 //
134
135 switch (ActionType)
136 {
137 case BREAK_ON_INSTRUCTION_FETCH:
138 Dr7.ReadWrite1 = 0b00; // 0b00 => 0
139 break;
140 case BREAK_ON_WRITE_ONLY:
141 Dr7.ReadWrite1 = 0b01; // 0b01 => 1
142 break;
143 case BREAK_ON_IO_READ_OR_WRITE_NOT_SUPPORTED:
144 Dr7.ReadWrite1 = 0b10; // 0b10 => 2
145 LogError("Err, I/O access breakpoint by debug regs are not supported");
146 return FALSE;
147 break;
148 case BREAK_ON_READ_AND_WRITE_BUT_NOT_FETCH:
149 Dr7.ReadWrite1 = 0b11; // 0b11 => 3
150 break;
151
152 default:
153 //
154 // what?
155 //
156 LogError("Err, unknown parameter as debug reg action type");
157 return FALSE;
158 break;
159 }
160 }
161 else if (DebugRegNum == 2)
162 {
163 __writedr(2, TargetAddress);
164 Dr7.GlobalBreakpoint2 = 1;
165
166 //
167 // Based on SDM :
168 // 00 - Break on instruction execution only.
169 // 01 - Break on data writes only.
170 // 10 - Break on I/O reads or writes.
171 // 11 - Break on data reads or writes but not instruction fetches
172 // Also 10, is based on another bit so it is configured based on
173 // other bits, read the SDM for more.
174 //
175
176 switch (ActionType)
177 {
178 case BREAK_ON_INSTRUCTION_FETCH:
179 Dr7.ReadWrite2 = 0b00; // 0b00 => 0
180 break;
181 case BREAK_ON_WRITE_ONLY:
182 Dr7.ReadWrite2 = 0b01; // 0b01 => 1
183 break;
184 case BREAK_ON_IO_READ_OR_WRITE_NOT_SUPPORTED:
185 Dr7.ReadWrite2 = 0b10; // 0b10 => 2
186 LogError("Err, I/O access breakpoint by debug regs are not supported");
187 return FALSE;
188 break;
189 case BREAK_ON_READ_AND_WRITE_BUT_NOT_FETCH:
190 Dr7.ReadWrite2 = 0b11; // 0b11 => 3
191 break;
192
193 default:
194 //
195 // what?
196 //
197 LogError("Err, unknown parameter as debug reg action type");
198 return FALSE;
199 break;
200 }
201 }
202 else if (DebugRegNum == 3)
203 {
204 __writedr(3, TargetAddress);
205 Dr7.GlobalBreakpoint3 = 1;
206
207 //
208 // Based on SDM :
209 // 00 - Break on instruction execution only.
210 // 01 - Break on data writes only.
211 // 10 - Break on I/O reads or writes.
212 // 11 - Break on data reads or writes but not instruction fetches
213 // Also 10, is based on another bit so it is configured based on
214 // other bits, read the SDM for more.
215 //
216
217 switch (ActionType)
218 {
219 case BREAK_ON_INSTRUCTION_FETCH:
220 Dr7.ReadWrite3 = 0b00; // 0b00 => 0
221 break;
222 case BREAK_ON_WRITE_ONLY:
223 Dr7.ReadWrite3 = 0b01; // 0b01 => 1
224 break;
225 case BREAK_ON_IO_READ_OR_WRITE_NOT_SUPPORTED:
226 Dr7.ReadWrite3 = 0b10; // 0b10 => 2
227 LogError("Err, I/O access breakpoint by debug regs are not supported");
228 return FALSE;
229 break;
230 case BREAK_ON_READ_AND_WRITE_BUT_NOT_FETCH:
231 Dr7.ReadWrite3 = 0b11; // 0b11 => 3
232 break;
233
234 default:
235 //
236 // what?
237 //
238 LogError("Err, unknown parameter as debug reg action type");
239 return FALSE;
240 break;
241 }
242 }
243
244 //
245 // Applies to debug register 7, the caller must be sure that Load Debug
246 // Controls and Save Debug Controls on VM-entry and VM-exit controls
247 // on the VMCS of the target core
248 //
249 if (ApplyToVmcs)
250 {
251 __vmx_vmwrite(VMCS_GUEST_DR7, Dr7.AsUInt);
252 }
253 else
254 {
255 __writedr(7, Dr7.AsUInt);
256 }
257
258 return TRUE;
259}
BREAK_ON_READ_AND_WRITE_BUT_NOT_FETCH
@ BREAK_ON_READ_AND_WRITE_BUT_NOT_FETCH
Definition DataTypes.h:73
BREAK_ON_IO_READ_OR_WRITE_NOT_SUPPORTED
@ BREAK_ON_IO_READ_OR_WRITE_NOT_SUPPORTED
Definition DataTypes.h:72
BREAK_ON_WRITE_ONLY
@ BREAK_ON_WRITE_ONLY
Definition DataTypes.h:71
BREAK_ON_INSTRUCTION_FETCH
@ BREAK_ON_INSTRUCTION_FETCH
Definition DataTypes.h:70

◆ SetGuestCr0()

IMPORT_EXPORT_VMM VOID SetGuestCr0 ( UINT64 Cr0)

Set the Guest Cr0 Register.

Parameters
Cr0The Cr0 Value for the guest
Returns
VOID
532{
533 VmxVmwrite64(VMCS_GUEST_CR0, Cr0);
534}
VmxVmwrite64
UCHAR VmxVmwrite64(size_t Field, UINT64 FieldValue)
VMX VMWRITE instruction (64-bit)
Definition Vmx.c:122

◆ SetGuestCr2()

IMPORT_EXPORT_VMM VOID SetGuestCr2 ( UINT64 Cr2)

Set the Guest Cr2 Register.

Parameters
Cr2The Cr2 Value for the guest
Returns
VOID
544{
545 __writecr2(Cr2);
546}

◆ SetGuestCr3()

IMPORT_EXPORT_VMM VOID SetGuestCr3 ( UINT64 Cr3)

Set the Guest Cr3 Register.

Parameters
Cr3The Cr3 Value for the guest
Returns
VOID
556{
557 VmxVmwrite64(VMCS_GUEST_CR3, Cr3);
558}

◆ SetGuestCr4()

IMPORT_EXPORT_VMM VOID SetGuestCr4 ( UINT64 Cr4)

Set the Guest Cr4 Register.

Parameters
Cr4The Cr4 Value for the guest
Returns
VOID
568{
569 VmxVmwrite64(VMCS_GUEST_CR4, Cr4);
570}

◆ SetGuestCr8()

IMPORT_EXPORT_VMM VOID SetGuestCr8 ( UINT64 Cr8)

Set the Guest Cr8 Register.

Parameters
Cr8The Cr8 Value for the guest
Returns
VOID
580{
581 __writecr8(Cr8);
582}

◆ SetGuestCs()

IMPORT_EXPORT_VMM VOID SetGuestCs ( PVMX_SEGMENT_SELECTOR Cs)

Set the Guest Cs.

Parameters
CsThe CS Selector for the guest
Returns
VOID
36{
37 __vmx_vmwrite(VMCS_GUEST_CS_BASE, Cs->Base);
38 __vmx_vmwrite(VMCS_GUEST_CS_LIMIT, Cs->Limit);
39 __vmx_vmwrite(VMCS_GUEST_CS_ACCESS_RIGHTS, Cs->Attributes.AsUInt);
40 __vmx_vmwrite(VMCS_GUEST_CS_SELECTOR, Cs->Selector);
41}

◆ SetGuestCsSel()

IMPORT_EXPORT_VMM VOID SetGuestCsSel ( PVMX_SEGMENT_SELECTOR Cs)

Set just the Guest Cs selector.

Parameters
CsThe CS Selector for the guest
Returns
VOID
23{
24 __vmx_vmwrite(VMCS_GUEST_CS_SELECTOR, Cs->Selector);
25}

◆ SetGuestDr0()

IMPORT_EXPORT_VMM VOID SetGuestDr0 ( UINT64 value)

Set the Guest Dr0 Register.

Parameters
Dr0The Dr0 Value for the guest
Returns
VOID
592{
593 __writedr(0, value);
594}

◆ SetGuestDr1()

IMPORT_EXPORT_VMM VOID SetGuestDr1 ( UINT64 value)

Set the Guest Dr1 Register.

Parameters
Dr1The Dr1 Value for the guest
Returns
VOID
604{
605 __writedr(1, value);
606}

◆ SetGuestDr2()

IMPORT_EXPORT_VMM VOID SetGuestDr2 ( UINT64 value)

Set the Guest Dr2 Register.

Parameters
Dr2The Dr2 Value for the guest
Returns
VOID
616{
617 __writedr(2, value);
618}

◆ SetGuestDr3()

IMPORT_EXPORT_VMM VOID SetGuestDr3 ( UINT64 value)

Set the Guest Dr3 Register.

Parameters
Dr3The Dr3 Value for the guest
Returns
VOID
628{
629 __writedr(3, value);
630}

◆ SetGuestDr6()

IMPORT_EXPORT_VMM VOID SetGuestDr6 ( UINT64 value)

Set the Guest Dr6 Register.

Parameters
Dr6The Dr6 Value for the guest
Returns
VOID
640{
641 __writedr(6, value);
642}

◆ SetGuestDr7()

IMPORT_EXPORT_VMM VOID SetGuestDr7 ( UINT64 value)

Set the Guest Dr7 Register.

Parameters
Dr7The Dr7 Value for the guest
Returns
VOID
652{
653 __writedr(7, value);
654}

◆ SetGuestDs()

IMPORT_EXPORT_VMM VOID SetGuestDs ( PVMX_SEGMENT_SELECTOR Ds)

Set the Guest Ds selector.

Parameters
DsThe DS Selector for the guest
Returns
VOID
126{
127 VmxVmwrite64(VMCS_GUEST_DS_BASE, Ds->Base);
128 VmxVmwrite64(VMCS_GUEST_DS_LIMIT, Ds->Limit);
129 VmxVmwrite64(VMCS_GUEST_DS_ACCESS_RIGHTS, Ds->Attributes.AsUInt);
130 VmxVmwrite64(VMCS_GUEST_DS_SELECTOR, Ds->Selector);
131}

◆ SetGuestDsSel()

IMPORT_EXPORT_VMM VOID SetGuestDsSel ( PVMX_SEGMENT_SELECTOR Ds)

Set just the Guest Ds selector.

Parameters
DsThe DS Selector for the guest
Returns
VOID
114{
115 VmxVmwrite64(VMCS_GUEST_DS_SELECTOR, Ds->Selector);
116}

◆ SetGuestEs()

IMPORT_EXPORT_VMM VOID SetGuestEs ( PVMX_SEGMENT_SELECTOR Es)

Set the Guest Es selector.

Parameters
EsThe ES Selector for the guest
Returns
VOID
261{
262 VmxVmwrite64(VMCS_GUEST_ES_BASE, Es->Base);
263 VmxVmwrite64(VMCS_GUEST_ES_LIMIT, Es->Limit);
264 VmxVmwrite64(VMCS_GUEST_ES_ACCESS_RIGHTS, Es->Attributes.AsUInt);
265 VmxVmwrite64(VMCS_GUEST_ES_SELECTOR, Es->Selector);
266}

◆ SetGuestEsSel()

IMPORT_EXPORT_VMM VOID SetGuestEsSel ( PVMX_SEGMENT_SELECTOR Es)

Set just the Guest Es selector.

Parameters
EsThe ES Selector for the guest
Returns
VOID
249{
250 VmxVmwrite64(VMCS_GUEST_ES_SELECTOR, Es->Selector);
251}

◆ SetGuestFs()

IMPORT_EXPORT_VMM VOID SetGuestFs ( PVMX_SEGMENT_SELECTOR Fs)

Set the Guest Fs selector.

Parameters
FsThe FS Selector for the guest
Returns
VOID
171{
172 VmxVmwrite64(VMCS_GUEST_FS_BASE, Fs->Base);
173 VmxVmwrite64(VMCS_GUEST_FS_LIMIT, Fs->Limit);
174 VmxVmwrite64(VMCS_GUEST_FS_ACCESS_RIGHTS, Fs->Attributes.AsUInt);
175 VmxVmwrite64(VMCS_GUEST_FS_SELECTOR, Fs->Selector);
176}

◆ SetGuestFsSel()

IMPORT_EXPORT_VMM VOID SetGuestFsSel ( PVMX_SEGMENT_SELECTOR Fs)

Set just the Guest Fs selector.

Parameters
FsThe FS Selector for the guest
Returns
VOID
159{
160 VmxVmwrite64(VMCS_GUEST_FS_SELECTOR, Fs->Selector);
161}

◆ SetGuestGdtr()

IMPORT_EXPORT_VMM VOID SetGuestGdtr ( UINT64 Gdtr)

Set the Guest Gdtr.

Parameters
GdtrThe Gdtr Selector for the guest
Returns
VOID
348{
349 VmxVmwrite64(VMCS_GUEST_GDTR_BASE, Gdtr);
350}

◆ SetGuestGs()

IMPORT_EXPORT_VMM VOID SetGuestGs ( PVMX_SEGMENT_SELECTOR Gs)

Set the Guest Gs selector.

Parameters
GsThe GS Selector for the guest
Returns
VOID
216{
217 VmxVmwrite64(VMCS_GUEST_GS_BASE, Gs->Base);
218 VmxVmwrite64(VMCS_GUEST_GS_LIMIT, Gs->Limit);
219 VmxVmwrite64(VMCS_GUEST_GS_ACCESS_RIGHTS, Gs->Attributes.AsUInt);
220 VmxVmwrite64(VMCS_GUEST_GS_SELECTOR, Gs->Selector);
221}

◆ SetGuestGsSel()

IMPORT_EXPORT_VMM VOID SetGuestGsSel ( PVMX_SEGMENT_SELECTOR Gs)

Set just the Guest Gs selector.

Parameters
GsThe GS Selector for the guest
Returns
VOID
204{
205 VmxVmwrite64(VMCS_GUEST_GS_SELECTOR, Gs->Selector);
206}

◆ SetGuestIdtr()

IMPORT_EXPORT_VMM VOID SetGuestIdtr ( UINT64 Idtr)

Set the Guest Idtr.

Parameters
IdtrThe Idtr Selector for the guest
Returns
VOID
294{
295 VmxVmwrite64(VMCS_GUEST_IDTR_BASE, Idtr);
296}

◆ SetGuestLdtr()

IMPORT_EXPORT_VMM VOID SetGuestLdtr ( UINT64 Ldtr)

Set the Guest Ldtr.

Parameters
LdtrThe Idtr Selector for the guest
Returns
VOID
321{
322 VmxVmwrite64(VMCS_GUEST_LDTR_BASE, Ldtr);
323}

◆ SetGuestRFlags()

IMPORT_EXPORT_VMM VOID SetGuestRFlags ( UINT64 RFlags)

Set the Guest RFLAGS Register.

Parameters
RflagsThe Rflags Value for the guest
Returns
VOID
399{
400 VmxVmwrite64(VMCS_GUEST_RFLAGS, RFlags);
401}

◆ SetGuestRIP()

IMPORT_EXPORT_VMM VOID SetGuestRIP ( UINT64 RIP)

Set the Guest RIP Register.

Parameters
RIPThe RIP Value for the guest
Returns
VOID
424{
425 VmxVmwrite64(VMCS_GUEST_RIP, RIP);
426}

◆ SetGuestRSP()

IMPORT_EXPORT_VMM VOID SetGuestRSP ( UINT64 RSP)

Set the Guest RSP Register.

Parameters
RSPThe RSP Value for the guest
Returns
VOID
436{
437 VmxVmwrite64(VMCS_GUEST_RSP, RSP);
438}

◆ SetGuestSs()

IMPORT_EXPORT_VMM VOID SetGuestSs ( PVMX_SEGMENT_SELECTOR Ss)

Set the Guest Ss selector.

Parameters
SsThe SS Selector for the guest
Returns
VOID
81{
82 VmxVmwrite64(VMCS_GUEST_SS_BASE, Ss->Base);
83 VmxVmwrite64(VMCS_GUEST_SS_LIMIT, Ss->Limit);
84 VmxVmwrite64(VMCS_GUEST_SS_ACCESS_RIGHTS, Ss->Attributes.AsUInt);
85 VmxVmwrite64(VMCS_GUEST_SS_SELECTOR, Ss->Selector);
86}

◆ SetGuestSsSel()

IMPORT_EXPORT_VMM VOID SetGuestSsSel ( PVMX_SEGMENT_SELECTOR Ss)

Set just the Guest Ss selector.

Parameters
SsThe SS Selector for the guest
Returns
VOID
69{
70 __vmx_vmwrite(VMCS_GUEST_SS_SELECTOR, Ss->Selector);
71}

◆ SetGuestTr()

IMPORT_EXPORT_VMM VOID SetGuestTr ( UINT64 Tr)
Parameters
TrThe Tr Selector for the guest
Returns
VOID
373{
374 VmxVmwrite64(VMCS_GUEST_TR_BASE, Tr);
375}

◆ SwitchToCurrentProcessMemoryLayout()

IMPORT_EXPORT_VMM CR3_TYPE SwitchToCurrentProcessMemoryLayout ( )

Switch to guest's running process's cr3.

this function can be called from vmx-root mode

Returns
CR3_TYPE The cr3 of current process which can be used by SwitchToPreviousProcess function
71{
72 CR3_TYPE GuestCr3;
73 CR3_TYPE CurrentProcessCr3 = {0};
74
75 GuestCr3.Flags = LayoutGetCurrentProcessCr3().Flags;
76
77 //
78 // Read the current cr3
79 //
80 CurrentProcessCr3.Flags = __readcr3();
81
82 //
83 // Change to a new cr3 (of target process)
84 //
85 __writecr3(GuestCr3.Flags);
86
87 return CurrentProcessCr3;
88}

◆ SwitchToPreviousProcess()

IMPORT_EXPORT_VMM VOID SwitchToPreviousProcess ( _In_ CR3_TYPE PreviousProcess)

◆ SwitchToProcessMemoryLayout()

IMPORT_EXPORT_VMM CR3_TYPE SwitchToProcessMemoryLayout ( _In_ UINT32 ProcessId)

◆ SwitchToProcessMemoryLayoutByCr3()

IMPORT_EXPORT_VMM CR3_TYPE SwitchToProcessMemoryLayoutByCr3 ( _In_ CR3_TYPE TargetCr3)

◆ TransparentHideDebugger()

IMPORT_EXPORT_VMM NTSTATUS TransparentHideDebugger ( PDEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE Measurements)

Hide debugger on transparent-mode (activate transparent-mode)

Parameters
Measurements
Returns
NTSTATUS
357{
358 //
359 // Check whether the transparent-mode was already initialized or not
360 //
361 if (!g_TransparentMode)
362 {
363 //
364 // Allocate the measurements buffer
365 //
366 g_TransparentModeMeasurements = (PTRANSPARENCY_MEASUREMENTS)PlatformMemAllocateZeroedNonPagedPool(sizeof(TRANSPARENCY_MEASUREMENTS));
367
368 if (!g_TransparentModeMeasurements)
369 {
370 return STATUS_INSUFFICIENT_RESOURCES;
371 }
372
373 //
374 // Initialize the lists
375 //
376 InitializeListHead(&g_TransparentModeMeasurements->ProcessList);
377
378 //
379 // Fill the transparency details CPUID
380 //
381 g_TransparentModeMeasurements->CpuidAverage = Measurements->CpuidAverage;
382 g_TransparentModeMeasurements->CpuidMedian = Measurements->CpuidMedian;
383 g_TransparentModeMeasurements->CpuidStandardDeviation = Measurements->CpuidStandardDeviation;
384
385 //
386 // Fill the transparency details RDTSC
387 //
388 g_TransparentModeMeasurements->RdtscAverage = Measurements->RdtscAverage;
389 g_TransparentModeMeasurements->RdtscMedian = Measurements->RdtscMedian;
390 g_TransparentModeMeasurements->RdtscStandardDeviation = Measurements->RdtscStandardDeviation;
391
392 //
393 // add the new process name or Id to the list
394 //
395 TransparentAddNameOrProcessIdToTheList(Measurements);
396
397 //
398 // Enable RDTSC and RDTSCP exiting on all cores
399 //
400 BroadcastEnableRdtscExitingAllCores();
401
402 //
403 // Finally, enable the transparent-mode
404 //
405 g_TransparentMode = TRUE;
406 }
407 else
408 {
409 //
410 // It's already initialized, we just need to
411 // add the new process name or Id to the list
412 //
413 TransparentAddNameOrProcessIdToTheList(Measurements);
414 }
415
416 return STATUS_SUCCESS;
417}
BroadcastEnableRdtscExitingAllCores
VOID BroadcastEnableRdtscExitingAllCores()
a broadcast that causes vm-exit on all execution of rdtsc/rdtscp
Definition Broadcast.c:132
g_TransparentModeMeasurements
TRANSPARENCY_MEASUREMENTS * g_TransparentModeMeasurements
holds the measurements from the user-mode and kernel-mode
Definition GlobalVariables.h:56
g_TransparentMode
BOOLEAN g_TransparentMode
Shows whether the debugger transparent mode is enabled (true) or not (false)
Definition GlobalVariables.h:75
PlatformMemAllocateZeroedNonPagedPool
PVOID PlatformMemAllocateZeroedNonPagedPool(SIZE_T NumberOfBytes)
Allocate a non-paged buffer (zeroed)
Definition Mem.c:69
TransparentAddNameOrProcessIdToTheList
BOOLEAN TransparentAddNameOrProcessIdToTheList(PDEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE Measurements)
Add name or process id of the target process to the list of processes that HyperDbg should apply tran...
Definition Transparency.c:270
InitializeListHead
FORCEINLINE VOID InitializeListHead(_Out_ PLIST_ENTRY ListHead)
Definition Windows.h:41
PTRANSPARENCY_MEASUREMENTS
struct _TRANSPARENCY_MEASUREMENTS * PTRANSPARENCY_MEASUREMENTS
_DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE::CpuidStandardDeviation
UINT64 CpuidStandardDeviation
Definition RequestStructures.h:553
_DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE::RdtscStandardDeviation
UINT64 RdtscStandardDeviation
Definition RequestStructures.h:557
_DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE::CpuidAverage
UINT64 CpuidAverage
Definition RequestStructures.h:552
_DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE::RdtscAverage
UINT64 RdtscAverage
Definition RequestStructures.h:556
_DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE::CpuidMedian
UINT64 CpuidMedian
Definition RequestStructures.h:554
_DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE::RdtscMedian
UINT64 RdtscMedian
Definition RequestStructures.h:558
_TRANSPARENCY_MEASUREMENTS
The measurements from user-mode and kernel-mode.
Definition Transparency.h:46
_TRANSPARENCY_MEASUREMENTS::RdtscStandardDeviation
UINT64 RdtscStandardDeviation
Definition Transparency.h:52
_TRANSPARENCY_MEASUREMENTS::CpuidStandardDeviation
UINT64 CpuidStandardDeviation
Definition Transparency.h:48
_TRANSPARENCY_MEASUREMENTS::RdtscAverage
UINT64 RdtscAverage
Definition Transparency.h:51
_TRANSPARENCY_MEASUREMENTS::CpuidAverage
UINT64 CpuidAverage
Definition Transparency.h:47
_TRANSPARENCY_MEASUREMENTS::RdtscMedian
UINT64 RdtscMedian
Definition Transparency.h:53
_TRANSPARENCY_MEASUREMENTS::CpuidMedian
UINT64 CpuidMedian
Definition Transparency.h:49
_TRANSPARENCY_MEASUREMENTS::ProcessList
LIST_ENTRY ProcessList
Definition Transparency.h:55

◆ TransparentUnhideDebugger()

IMPORT_EXPORT_VMM NTSTATUS TransparentUnhideDebugger ( )

Deactivate transparent-mode.

Returns
NTSTATUS
426{
427 PLIST_ENTRY TempList = 0;
428 PVOID BufferToDeAllocate = 0;
429
430 if (g_TransparentMode)
431 {
432 //
433 // Disable the transparent-mode
434 //
435 g_TransparentMode = FALSE;
436
437 //
438 // Disable RDTSC and RDTSCP emulation
439 //
440 BroadcastDisableRdtscExitingAllCores();
441
442 //
443 // Free list of allocated buffers
444 //
445 // Check for process id and process name, if not match then we don't emulate it
446 //
447 TempList = &g_TransparentModeMeasurements->ProcessList;
448 while (&g_TransparentModeMeasurements->ProcessList != TempList->Flink)
449 {
450 TempList = TempList->Flink;
451 PTRANSPARENCY_PROCESS ProcessDetails = (PTRANSPARENCY_PROCESS)CONTAINING_RECORD(TempList, TRANSPARENCY_PROCESS, OtherProcesses);
452
453 //
454 // Save the buffer so we can de-allocate it
455 //
456 BufferToDeAllocate = ProcessDetails->BufferAddress;
457
458 //
459 // We have to remove the event from the list
460 //
461 RemoveEntryList(&ProcessDetails->OtherProcesses);
462
463 //
464 // Free the buffer
465 //
466 PlatformMemFreePool(BufferToDeAllocate);
467 }
468
469 //
470 // Deallocate the measurements buffer
471 //
472 PlatformMemFreePool(g_TransparentModeMeasurements);
473 g_TransparentModeMeasurements = NULL;
474
475 return STATUS_SUCCESS;
476 }
477 else
478 {
479 return STATUS_UNSUCCESSFUL;
480 }
481}
BroadcastDisableRdtscExitingAllCores
VOID BroadcastDisableRdtscExitingAllCores()
a broadcast that causes for disabling rdtsc/p exiting
Definition Broadcast.c:145
STATUS_UNSUCCESSFUL
#define STATUS_UNSUCCESSFUL
Definition Windows.h:172
PTRANSPARENCY_PROCESS
struct _TRANSPARENCY_PROCESS * PTRANSPARENCY_PROCESS
_TRANSPARENCY_PROCESS
The ProcessList of TRANSPARENCY_MEASUREMENTS is from this architecture.
Definition Transparency.h:64
_TRANSPARENCY_PROCESS::BufferAddress
PVOID BufferAddress
Definition Transparency.h:67
_TRANSPARENCY_PROCESS::OtherProcesses
LIST_ENTRY OtherProcesses
Definition Transparency.h:69

◆ VirtualAddressToPhysicalAddress()

IMPORT_EXPORT_VMM UINT64 VirtualAddressToPhysicalAddress ( _In_ PVOID VirtualAddress)

Converts Virtual Address to Physical Address.

Parameters
VirtualAddressThe target virtual address
Returns
UINT64 Returns the physical address
155{
156 return MmGetPhysicalAddress(VirtualAddress).QuadPart;
157}

◆ VirtualAddressToPhysicalAddressByProcessCr3()

IMPORT_EXPORT_VMM UINT64 VirtualAddressToPhysicalAddressByProcessCr3 ( _In_ PVOID VirtualAddress,
_In_ CR3_TYPE TargetCr3 )

◆ VirtualAddressToPhysicalAddressByProcessId()

IMPORT_EXPORT_VMM UINT64 VirtualAddressToPhysicalAddressByProcessId ( _In_ PVOID VirtualAddress,
_In_ UINT32 ProcessId )

◆ VirtualAddressToPhysicalAddressOnTargetProcess()

IMPORT_EXPORT_VMM UINT64 VirtualAddressToPhysicalAddressOnTargetProcess ( _In_ PVOID VirtualAddress)

◆ VmFuncChangeIgnoreOneMtfState()

IMPORT_EXPORT_VMM VOID VmFuncChangeIgnoreOneMtfState ( UINT32 CoreId,
BOOLEAN Set )

Change ignore one MTF state.

Parameters
CoreIdTarget core's ID
SetState of setting or unsetting
Returns
VOID
61{
62 g_GuestState[CoreId].IgnoreOneMtf = Set;
63}
_VIRTUAL_MACHINE_STATE::IgnoreOneMtf
BOOLEAN IgnoreOneMtf
Definition State.h:299

◆ VmFuncChangeMtfUnsettingState()

IMPORT_EXPORT_VMM VOID VmFuncChangeMtfUnsettingState ( UINT32 CoreId,
BOOLEAN Set )

Suppress unsetting MTF.

Parameters
CoreIdTarget core's ID
SetState of setting or unsetting
Returns
VOID
48{
49 g_GuestState[CoreId].IgnoreMtfUnset = Set;
50}
_VIRTUAL_MACHINE_STATE::IgnoreMtfUnset
BOOLEAN IgnoreMtfUnset
Definition State.h:294

◆ VmFuncCheckAndEnableExternalInterrupts()

IMPORT_EXPORT_VMM VOID VmFuncCheckAndEnableExternalInterrupts ( UINT32 CoreId)

Check and enable external interrupts.

Parameters
CoreIdTarget core's ID
Returns
VOID
506{
507 HvCheckAndEnableExternalInterrupts(&g_GuestState[CoreId]);
508}
HvCheckAndEnableExternalInterrupts
VOID HvCheckAndEnableExternalInterrupts(VIRTUAL_MACHINE_STATE *VCpu)
Check and enable external interrupts.
Definition Hv.c:1271

◆ VmFuncClearSteppingBits()

IMPORT_EXPORT_VMM UINT64 VmFuncClearSteppingBits ( UINT64 Interruptibility)

Clear STI and MOV SS bits.

Returns
UINT64
410{
411 return HvClearSteppingBits(Interruptibility);
412}
HvClearSteppingBits
UINT64 HvClearSteppingBits(UINT64 Interruptibility)
Clear STI and MOV SS bits.
Definition Hv.c:1220

◆ VmFuncDisableExternalInterruptsAndInterruptWindow()

IMPORT_EXPORT_VMM VOID VmFuncDisableExternalInterruptsAndInterruptWindow ( UINT32 CoreId)

Disable external-interrupts and interrupt window.

Parameters
CoreId
Returns
VOID
519{
520 HvDisableExternalInterruptsAndInterruptWindow(&g_GuestState[CoreId]);
521}
HvDisableExternalInterruptsAndInterruptWindow
VOID HvDisableExternalInterruptsAndInterruptWindow(VIRTUAL_MACHINE_STATE *VCpu)
Disable external-interrupts and interrupt window.
Definition Hv.c:1300

◆ VmFuncEnableAndCheckForPreviousExternalInterrupts()

IMPORT_EXPORT_VMM VOID VmFuncEnableAndCheckForPreviousExternalInterrupts ( UINT32 CoreId)

Checks to enable and reinject previous interrupts.

Parameters
UINT32CoreId
Returns
VOID
813{
814 HvEnableAndCheckForPreviousExternalInterrupts(&g_GuestState[CoreId]);
815}
HvEnableAndCheckForPreviousExternalInterrupts
VOID HvEnableAndCheckForPreviousExternalInterrupts(VIRTUAL_MACHINE_STATE *VCpu)
Checks to enable and reinject previous interrupts.
Definition Hv.c:1072

◆ VmFuncEnableMtfAndChangeExternalInterruptState()

IMPORT_EXPORT_VMM VOID VmFuncEnableMtfAndChangeExternalInterruptState ( UINT32 CoreId)

Enables MTF and adjust external interrupt state.

Parameters
UINT32CoreId
Returns
VOID
800{
801 HvEnableMtfAndChangeExternalInterruptState(&g_GuestState[CoreId]);
802}
HvEnableMtfAndChangeExternalInterruptState
VOID HvEnableMtfAndChangeExternalInterruptState(VIRTUAL_MACHINE_STATE *VCpu)
Enables MTF and adjust external interrupt state.
Definition Hv.c:1389

◆ VmFuncEventInjectBreakpoint()

IMPORT_EXPORT_VMM VOID VmFuncEventInjectBreakpoint ( )

Inject #BP to the guest (Event Injection)

Returns
VOID
720{
721 EventInjectBreakpoint();
722}
EventInjectBreakpoint
VOID EventInjectBreakpoint()
Inject #BP to the guest (Event Injection)
Definition Events.c:46

◆ VmFuncEventInjectInterruption()

IMPORT_EXPORT_VMM VOID VmFuncEventInjectInterruption ( UINT32 InterruptionType,
UINT32 Vector,
BOOLEAN DeliverErrorCode,
UINT32 ErrorCode )

Inject interrupt/faults/exceptions.

Parameters
InterruptionType
Vector
DeliverErrorCode
ErrorCode
Returns
VOID
666{
667 EventInjectInterruption(InterruptionType,
668 Vector,
669 DeliverErrorCode,
670 ErrorCode);
671}
EventInjectInterruption
VOID EventInjectInterruption(INTERRUPT_TYPE InterruptionType, EXCEPTION_VECTORS Vector, BOOLEAN DeliverErrorCode, UINT32 ErrorCode)
Injects interruption to a guest.
Definition Events.c:24

◆ VmFuncEventInjectPageFaultRangeAddress()

IMPORT_EXPORT_VMM VOID VmFuncEventInjectPageFaultRangeAddress ( UINT32 CoreId,
UINT64 AddressFrom,
UINT64 AddressTo,
UINT32 PageFaultCode )

Inject a range of page-faults.

Parameters
CoreIdTarget core's ID
AddressFromPage-fault address (from)
AddressToPage-fault address (to)
AddressPage-fault address
PageFaultCodePage-fault error code
Returns
VOID
647{
648 EventInjectPageFaultRangeAddress(&g_GuestState[CoreId], AddressFrom, AddressTo, PageFaultCode);
649}
EventInjectPageFaultRangeAddress
VOID EventInjectPageFaultRangeAddress(VIRTUAL_MACHINE_STATE *VCpu, UINT64 AddressFrom, UINT64 AddressTo, UINT32 PageFaultCode)
Inject a range of page-faults.
Definition Events.c:237

◆ VmFuncEventInjectPageFaultWithCr2()

IMPORT_EXPORT_VMM VOID VmFuncEventInjectPageFaultWithCr2 ( UINT32 CoreId,
UINT64 Address,
UINT32 PageFaultCode )

Inject #PF and configure CR2 register.

Parameters
CoreIdTarget core's ID
AddressPage-fault address
PageFaultCodePage-fault error code
Returns
VOID
627{
628 EventInjectPageFaultWithCr2(&g_GuestState[CoreId], Address, PageFaultCode);
629}
EventInjectPageFaultWithCr2
VOID EventInjectPageFaultWithCr2(VIRTUAL_MACHINE_STATE *VCpu, UINT64 Address, UINT32 PageFaultCode)
Inject page-fault with an address as cr2.
Definition Events.c:281

◆ VmFuncGetCsSelector()

IMPORT_EXPORT_VMM UINT16 VmFuncGetCsSelector ( )

Read CS selector.

Returns
UINT16
342{
343 return HvGetCsSelector();
344}
HvGetCsSelector
UINT16 HvGetCsSelector()
Read CS selector.
Definition Hv.c:1132

◆ VmFuncGetInterruptibilityState()

IMPORT_EXPORT_VMM UINT64 VmFuncGetInterruptibilityState ( )

Read guest's interruptibility state.

Returns
UINT64
399{
400 return HvGetInterruptibilityState();
401}
HvGetInterruptibilityState
UINT64 HvGetInterruptibilityState()
Read guest's interruptibility state.
Definition Hv.c:1205

◆ VmFuncGetLastVmexitRip()

IMPORT_EXPORT_VMM UINT64 VmFuncGetLastVmexitRip ( UINT32 CoreId)

get the last vm-exit RIP

Parameters
CoreIdTarget core's ID
Returns
UINT64
319{
320 return g_GuestState[CoreId].LastVmexitRip;
321}
_VIRTUAL_MACHINE_STATE::LastVmexitRip
UINT64 LastVmexitRip
Definition State.h:309

◆ VmFuncGetRflags()

IMPORT_EXPORT_VMM UINT64 VmFuncGetRflags ( )

Read guest's RFLAGS.

Returns
UINT64
353{
354 return HvGetRflags();
355}
HvGetRflags
UINT64 HvGetRflags()
Read guest's RFLAGS.
Definition Hv.c:1151

◆ VmFuncGetRip()

IMPORT_EXPORT_VMM UINT64 VmFuncGetRip ( )

Read guest's RIP.

Returns
UINT64
376{
377 return HvGetRip();
378}
HvGetRip
UINT64 HvGetRip()
Read guest's RIP.
Definition Hv.c:1178

◆ VmFuncInitVmm()

IMPORT_EXPORT_VMM BOOLEAN VmFuncInitVmm ( VMM_CALLBACKS * VmmCallbacks)

Initializes hypervisor.

Parameters
VmmCallbacks
Returns
BOOLEAN Shows whether the initialization was successful or not
531{
532 return HvInitVmm(VmmCallbacks);
533}
HvInitVmm
BOOLEAN HvInitVmm(VMM_CALLBACKS *VmmCallbacks)
Initializes the hypervisor.
Definition Hv.c:1322

◆ VmFuncInjectPendingExternalInterrupts()

IMPORT_EXPORT_VMM VOID VmFuncInjectPendingExternalInterrupts ( UINT32 CoreId)

Inject pending external interrupts.

Parameters
CoreIdTarget core's ID
Returns
VOID
331{
332 HvInjectPendingExternalInterrupts(&g_GuestState[CoreId]);
333}
HvInjectPendingExternalInterrupts
VOID HvInjectPendingExternalInterrupts(VIRTUAL_MACHINE_STATE *VCpu)
Inject pending external interrupts.
Definition Hv.c:1249

◆ VmFuncInvalidateEptAllContexts()

IMPORT_EXPORT_VMM VOID VmFuncInvalidateEptAllContexts ( )

Requests for all contexts EPT invalidation.

Returns
VOID
490{
491 //
492 // Broadcast NMI requests
493 //
494 EptInveptAllContexts();
495}
EptInveptAllContexts
UCHAR EptInveptAllContexts()
Invalidates all contexts in EPT cache table.
Definition Invept.c:54

◆ VmFuncInvalidateEptSingleContext()

IMPORT_EXPORT_VMM VOID VmFuncInvalidateEptSingleContext ( UINT32 CoreId)

Requests for single-context EPT invalidation.

Parameters
CoreIdTarget core's ID
Returns
VOID
479{
480 EptInveptSingleContext(g_GuestState[CoreId].EptPointer.AsUInt);
481}
EptInveptSingleContext
UCHAR EptInveptSingleContext(_In_ UINT64 EptPointer)
Invalidates a single context in ept cache table.
Definition Invept.c:40

◆ VmFuncNmiBroadcastInvalidateEptAllContexts()

IMPORT_EXPORT_VMM BOOLEAN VmFuncNmiBroadcastInvalidateEptAllContexts ( UINT32 CoreId)

Broadcast NMI requests for all contexts EPT invalidation.

Parameters
CoreIdTarget core's ID
Returns
BOOLEAN
464{
465 //
466 // Broadcast NMI requests
467 //
468 return VmxBroadcastNmi(&g_GuestState[CoreId], NMI_BROADCAST_ACTION_INVALIDATE_EPT_CACHE_ALL_CONTEXTS);
469}
VmxBroadcastNmi
BOOLEAN VmxBroadcastNmi(VIRTUAL_MACHINE_STATE *VCpu, NMI_BROADCAST_ACTION_TYPE VmxBroadcastAction)
Broadcast NMI in vmx-root mode.
Definition VmxBroadcast.c:143
NMI_BROADCAST_ACTION_INVALIDATE_EPT_CACHE_ALL_CONTEXTS
@ NMI_BROADCAST_ACTION_INVALIDATE_EPT_CACHE_ALL_CONTEXTS
Definition State.h:54

◆ VmFuncNmiBroadcastInvalidateEptSingleContext()

IMPORT_EXPORT_VMM BOOLEAN VmFuncNmiBroadcastInvalidateEptSingleContext ( UINT32 CoreId)

Broadcast NMI requests for single-context EPT invalidation.

Parameters
CoreIdTarget core's ID
Returns
BOOLEAN
449{
450 //
451 // Broadcast NMI requests
452 //
453 return VmxBroadcastNmi(&g_GuestState[CoreId], NMI_BROADCAST_ACTION_INVALIDATE_EPT_CACHE_SINGLE_CONTEXT);
454}
NMI_BROADCAST_ACTION_INVALIDATE_EPT_CACHE_SINGLE_CONTEXT
@ NMI_BROADCAST_ACTION_INVALIDATE_EPT_CACHE_SINGLE_CONTEXT
Definition State.h:53

◆ VmFuncNmiBroadcastRequest()

IMPORT_EXPORT_VMM BOOLEAN VmFuncNmiBroadcastRequest ( UINT32 CoreId)

Broadcast NMI requests.

Parameters
CoreIdTarget core's ID
Returns
BOOLEAN
434{
435 //
436 // Broadcast NMI requests
437 //
438 return VmxBroadcastNmi(&g_GuestState[CoreId], NMI_BROADCAST_ACTION_REQUEST);
439}
NMI_BROADCAST_ACTION_REQUEST
@ NMI_BROADCAST_ACTION_REQUEST
Definition State.h:52

◆ VmFuncPerformRipIncrement()

IMPORT_EXPORT_VMM VOID VmFuncPerformRipIncrement ( UINT32 CoreId)

Perform the incrementation of RIP.

Parameters
CoreIdTarget core's ID
Returns
VOID
23{
24 HvPerformRipIncrement(&g_GuestState[CoreId]);
25}
HvPerformRipIncrement
VOID HvPerformRipIncrement(VIRTUAL_MACHINE_STATE *VCpu)
Perform the incrementation of RIP.
Definition Hv.c:337

◆ VmFuncQueryModeExecTrap()

IMPORT_EXPORT_VMM BOOLEAN VmFuncQueryModeExecTrap ( )

Get the current state of mode exec trap mechanism.

Returns
BOOLEAN
564{
565 return g_ExecTrapInitialized;
566}
g_ExecTrapInitialized
BOOLEAN g_ExecTrapInitialized
Showes whether the execution trap handler is allowed to trigger an event or not.
Definition GlobalVariables.h:149

◆ VmFuncReadExceptionBitmap()

IMPORT_EXPORT_VMM UINT32 VmFuncReadExceptionBitmap ( )

Read exception bitmap in VMCS.

Should be called in vmx-root

Returns
UINT32
204{
205 return HvReadExceptionBitmap();
206}
HvReadExceptionBitmap
UINT32 HvReadExceptionBitmap()
Read exception bitmap in VMCS.
Definition Hv.c:587

◆ VmFuncRegisterMtfBreak()

IMPORT_EXPORT_VMM VOID VmFuncRegisterMtfBreak ( UINT32 CoreId)

Register for break in the case of an MTF.

Parameters
CoreIdTarget core's ID
Returns
VOID
74{
75 g_GuestState[CoreId].RegisterBreakOnMtf = TRUE;
76}
_VIRTUAL_MACHINE_STATE::RegisterBreakOnMtf
BOOLEAN RegisterBreakOnMtf
Definition State.h:298

◆ VmFuncSetExceptionBitmap()

IMPORT_EXPORT_VMM VOID VmFuncSetExceptionBitmap ( UINT32 CoreId,
UINT32 IdtIndex )

Set exception bitmap in VMCS.

Should be called in vmx-root

Parameters
CoreIdTarget core's ID
IdtIndexInterrupt Descriptor Table index of exception
Returns
VOID
254{
255 HvSetExceptionBitmap(&g_GuestState[CoreId], IdtIndex);
256}
HvSetExceptionBitmap
VOID HvSetExceptionBitmap(VIRTUAL_MACHINE_STATE *VCpu, UINT32 IdtIndex)
Set exception bitmap in VMCS.
Definition Hv.c:1022

◆ VmFuncSetExternalInterruptExiting()

IMPORT_EXPORT_VMM VOID VmFuncSetExternalInterruptExiting ( UINT32 CoreId,
BOOLEAN Set )

Set the External Interrupt Exiting.

Parameters
CoreIdTarget core's ID
SetSet or unset the External Interrupt Exiting
Returns
VOID
281{
282 HvSetExternalInterruptExiting(&g_GuestState[CoreId], Set);
283}
HvSetExternalInterruptExiting
VOID HvSetExternalInterruptExiting(VIRTUAL_MACHINE_STATE *VCpu, BOOLEAN Set)
Set the External Interrupt Exiting.
Definition Hv.c:1055

◆ VmFuncSetInterruptibilityState()

IMPORT_EXPORT_VMM VOID VmFuncSetInterruptibilityState ( UINT64 InterruptibilityState)

Set guest's interruptibility state.

Parameters
InterruptibilityState
Returns
VOID
422{
423 HvSetInterruptibilityState(InterruptibilityState);
424}
HvSetInterruptibilityState
VOID HvSetInterruptibilityState(UINT64 InterruptibilityState)
Set guest's interruptibility state.
Definition Hv.c:1236

◆ VmFuncSetInterruptWindowExiting()

IMPORT_EXPORT_VMM VOID VmFuncSetInterruptWindowExiting ( BOOLEAN Set)

Set Interrupt-window exiting.

Parameters
SetSet or unset the Interrupt-window exiting
Returns
VOID
216{
217 HvSetInterruptWindowExiting(Set);
218}
HvSetInterruptWindowExiting
VOID HvSetInterruptWindowExiting(BOOLEAN Set)
Set Interrupt-window exiting.
Definition Hv.c:606

◆ VmFuncSetLoadDebugControls()

IMPORT_EXPORT_VMM VOID VmFuncSetLoadDebugControls ( BOOLEAN Set)

Set LOAD DEBUG CONTROLS on Vm-entry controls.

Parameters
SetSet or unset
Returns
VOID
123{
124 HvSetLoadDebugControls(Set);
125}
HvSetLoadDebugControls
VOID HvSetLoadDebugControls(BOOLEAN Set)
Set LOAD DEBUG CONTROLS on Vm-entry controls.
Definition Hv.c:402

◆ VmFuncSetMonitorTrapFlag()

IMPORT_EXPORT_VMM VOID VmFuncSetMonitorTrapFlag ( BOOLEAN Set)

Set the monitor trap flag.

Parameters
SetSet or unset the MTFs
Returns
VOID
99{
100 HvSetMonitorTrapFlag(Set);
101}
HvSetMonitorTrapFlag
VOID HvSetMonitorTrapFlag(BOOLEAN Set)
Set the monitor trap flag.
Definition Hv.c:349

◆ VmFuncSetMovControlRegsExiting()

IMPORT_EXPORT_VMM VOID VmFuncSetMovControlRegsExiting ( BOOLEAN Set,
UINT64 ControlRegister,
UINT64 MaskRegister )

Set vm-exit for mov-to-cr0/4.

Should be called in vmx-root

Parameters
Setor unset the vm-exits
ControlRegister
MaskRegister
Returns
VOID
163{
164 HvSetMovControlRegsExiting(Set, ControlRegister, MaskRegister);
165}
HvSetMovControlRegsExiting
VOID HvSetMovControlRegsExiting(BOOLEAN Set, UINT64 ControlRegister, UINT64 MaskRegister)
Set vm-exit for mov-to-cr0/4.
Definition Hv.c:543

◆ VmFuncSetMovDebugRegsExiting()

IMPORT_EXPORT_VMM VOID VmFuncSetMovDebugRegsExiting ( UINT32 CoreId,
BOOLEAN Set )

Set or unset the Mov to Debug Registers Exiting.

Parameters
CoreIdTarget core's ID
SetSet or unset the Mov to Debug Registers Exiting
Returns
VOID
307{
308 HvSetMovDebugRegsExiting(&g_GuestState[CoreId], Set);
309}
HvSetMovDebugRegsExiting
VOID HvSetMovDebugRegsExiting(VIRTUAL_MACHINE_STATE *VCpu, BOOLEAN Set)
Set or unset the Mov to Debug Registers Exiting.
Definition Hv.c:1121

◆ VmFuncSetMovToCr3Vmexit()

IMPORT_EXPORT_VMM VOID VmFuncSetMovToCr3Vmexit ( UINT32 CoreId,
BOOLEAN Set )

Set vm-exit for mov-to-cr3.

Should be called in vmx-root

Parameters
CoreIdtarget core id
SetSet or unset the vm-exits
Returns
VOID
178{
179 HvSetMovToCr3Vmexit(&g_GuestState[CoreId], Set);
180}
HvSetMovToCr3Vmexit
VOID HvSetMovToCr3Vmexit(VIRTUAL_MACHINE_STATE *VCpu, BOOLEAN Set)
Set vm-exit for mov-to-cr3.
Definition Hv.c:558

◆ VmFuncSetNmiExiting()

IMPORT_EXPORT_VMM VOID VmFuncSetNmiExiting ( BOOLEAN Set)

Set the NMI Exiting.

Parameters
SetSet or unset the NMI Exiting
Returns
VOID
240{
241 HvSetNmiExiting(Set);
242}
HvSetNmiExiting
VOID HvSetNmiExiting(BOOLEAN Set)
Set the NMI Exiting.
Definition Hv.c:953

◆ VmFuncSetNmiWindowExiting()

IMPORT_EXPORT_VMM VOID VmFuncSetNmiWindowExiting ( BOOLEAN Set)

Set NMI-window exiting.

Parameters
SetSet or unset the NMI-window exiting
Returns
VOID
228{
229 HvSetNmiWindowExiting(Set);
230}
HvSetNmiWindowExiting
VOID HvSetNmiWindowExiting(BOOLEAN Set)
Set NMI-window exiting.
Definition Hv.c:714

◆ VmFuncSetPmcVmexit()

IMPORT_EXPORT_VMM VOID VmFuncSetPmcVmexit ( BOOLEAN Set)

Set vm-exit for rdpmc instructions.

Should be called in vmx-root

Parameters
SetSet or unset the vm-exits
Returns
VOID
148{
149 HvSetPmcVmexit(Set);
150}
HvSetPmcVmexit
VOID HvSetPmcVmexit(BOOLEAN Set)
Set vm-exit for rdpmc instructions.
Definition Hv.c:509

◆ VmFuncSetRdtscExiting()

IMPORT_EXPORT_VMM VOID VmFuncSetRdtscExiting ( UINT32 CoreId,
BOOLEAN Set )

Set the RDTSC/P Exiting.

Parameters
CoreIdTarget core's ID
SetSet or unset the RDTSC/P Exiting
Returns
VOID
294{
295 HvSetRdtscExiting(&g_GuestState[CoreId], Set);
296}
HvSetRdtscExiting
VOID HvSetRdtscExiting(VIRTUAL_MACHINE_STATE *VCpu, BOOLEAN Set)
Set the RDTSC/P Exiting.
Definition Hv.c:1108

◆ VmFuncSetRflags()

IMPORT_EXPORT_VMM VOID VmFuncSetRflags ( UINT64 Rflags)

Set guest's RFLAGS.

Parameters
Rflags
Returns
VOID
365{
366 HvSetRflags(Rflags);
367}
HvSetRflags
VOID HvSetRflags(UINT64 Rflags)
Set guest's RFLAGS.
Definition Hv.c:1167

◆ VmFuncSetRflagTrapFlag()

IMPORT_EXPORT_VMM VOID VmFuncSetRflagTrapFlag ( BOOLEAN Set)

Set Rflag's trap flag.

Parameters
SetSet or unset the TF
Returns
VOID
111{
112 HvSetRflagTrapFlag(Set);
113}
HvSetRflagTrapFlag
VOID HvSetRflagTrapFlag(BOOLEAN Set)
Set the rflag's trap flag.
Definition Hv.c:381

◆ VmFuncSetRip()

IMPORT_EXPORT_VMM VOID VmFuncSetRip ( UINT64 Rip)

Set guest's RIP.

Parameters
Rip
Returns
VOID
388{
389 HvSetRip(Rip);
390}
HvSetRip
VOID HvSetRip(UINT64 Rip)
Set guest's RIP.
Definition Hv.c:1194

◆ VmFuncSetSaveDebugControls()

IMPORT_EXPORT_VMM VOID VmFuncSetSaveDebugControls ( BOOLEAN Set)

Set SAVE DEBUG CONTROLS on Vm-exit controls.

Parameters
SetSet or unset
Returns
VOID
135{
136 HvSetSaveDebugControls(Set);
137}
HvSetSaveDebugControls
VOID HvSetSaveDebugControls(BOOLEAN Set)
Set SAVE DEBUG CONTROLS on Vm-exit controls.
Definition Hv.c:433

◆ VmFuncSetTriggerEventForCpuids()

IMPORT_EXPORT_VMM VOID VmFuncSetTriggerEventForCpuids ( BOOLEAN Set)

Set triggering events for CPUIDs.

Parameters
SetSet or unset the trigger
Returns
VOID
588{
589 g_TriggerEventForCpuids = Set;
590}
g_TriggerEventForCpuids
BOOLEAN g_TriggerEventForCpuids
Showes whether the cpuid handler is allowed to trigger an event or not.
Definition GlobalVariables.h:138

◆ VmFuncSetTriggerEventForVmcalls()

IMPORT_EXPORT_VMM VOID VmFuncSetTriggerEventForVmcalls ( BOOLEAN Set)

Set triggering events for VMCALLs.

Parameters
SetSet or unset the trigger
Returns
VOID
576{
577 g_TriggerEventForVmcalls = Set;
578}
g_TriggerEventForVmcalls
BOOLEAN g_TriggerEventForVmcalls
Showes whether the vmcall handler is allowed to trigger an event or not.
Definition GlobalVariables.h:131

◆ VmFuncSuppressRipIncrement()

IMPORT_EXPORT_VMM VOID VmFuncSuppressRipIncrement ( UINT32 CoreId)

Suppress the incrementation of RIP.

Parameters
CoreIdTarget core's ID
Returns
VOID
35{
36 HvSuppressRipIncrement(&g_GuestState[CoreId]);
37}
HvSuppressRipIncrement
VOID HvSuppressRipIncrement(VIRTUAL_MACHINE_STATE *VCpu)
Suppress the incrementation of RIP.
Definition Hv.c:324

◆ VmFuncUninitVmm()

IMPORT_EXPORT_VMM VOID VmFuncUninitVmm ( )

Uninitialize Terminate Vmx on all logical cores.

Returns
VOID
542{
543 VmxPerformTermination();
544}
VmxPerformTermination
VOID VmxPerformTermination()
Terminate Vmx on all logical cores.
Definition Vmx.c:1200

◆ VmFuncUnRegisterMtfBreak()

IMPORT_EXPORT_VMM VOID VmFuncUnRegisterMtfBreak ( UINT32 CoreId)

Unregister for break in the case of an MTF.

Parameters
CoreIdTarget core's ID
Returns
VOID
87{
88 g_GuestState[CoreId].RegisterBreakOnMtf = FALSE;
89}

◆ VmFuncUnsetExceptionBitmap()

IMPORT_EXPORT_VMM VOID VmFuncUnsetExceptionBitmap ( UINT32 CoreId,
UINT32 IdtIndex )

Unset exception bitmap in VMCS.

Should be called in vmx-root

Parameters
CoreIdTarget core's ID
IdtIndexInterrupt Descriptor Table index of exception
Returns
VOID
268{
269 HvUnsetExceptionBitmap(&g_GuestState[CoreId], IdtIndex);
270}
HvUnsetExceptionBitmap
VOID HvUnsetExceptionBitmap(VIRTUAL_MACHINE_STATE *VCpu, UINT32 IdtIndex)
Unset exception bitmap in VMCS.
Definition Hv.c:1039

◆ VmFuncVmxBroadcastInitialize()

IMPORT_EXPORT_VMM VOID VmFuncVmxBroadcastInitialize ( )

Export for initialize the VMX Broadcast mechanism.

Returns
VOID
698{
699 VmxBroadcastInitialize();
700}
VmxBroadcastInitialize
VOID VmxBroadcastInitialize()
Initialize the VMX Broadcast mechanism.
Definition VmxBroadcast.c:20

◆ VmFuncVmxBroadcastUninitialize()

IMPORT_EXPORT_VMM VOID VmFuncVmxBroadcastUninitialize ( )

Export for uninitialize the VMX Broadcast mechanism.

Returns
VOID
709{
710 VmxBroadcastUninitialize();
711}
VmxBroadcastUninitialize
VOID VmxBroadcastUninitialize()
Uninitialize the VMX Broadcast mechanism.
Definition VmxBroadcast.c:57

◆ VmFuncVmxCompatibleMemcmp()

IMPORT_EXPORT_VMM INT32 VmFuncVmxCompatibleMemcmp ( const CHAR * Address1,
const CHAR * Address2,
size_t Count )

VMX-root compatible memcmp.

Parameters
Address1
Address2
Count
Returns
INT32
788{
789 return VmxCompatibleMemcmp(Address1, Address2, Count);
790}
VmxCompatibleMemcmp
INT32 VmxCompatibleMemcmp(const CHAR *Address1, const CHAR *Address2, size_t Count)
implementation of vmx-root mode compatible memcmp
Definition Vmx.c:1748

◆ VmFuncVmxCompatibleStrcmp()

IMPORT_EXPORT_VMM INT32 VmFuncVmxCompatibleStrcmp ( const CHAR * Address1,
const CHAR * Address2 )

VMX-root compatible strcmp.

Parameters
Address1
Address2
Returns
INT32
733{
734 return VmxCompatibleStrcmp(Address1, Address2, NULL_ZERO, FALSE);
735}
VmxCompatibleStrcmp
INT32 VmxCompatibleStrcmp(const CHAR *Address1, const CHAR *Address2, SIZE_T Num, BOOLEAN IsStrncmp)
implementation of vmx-root mode compatible strcmp and strncmp
Definition Vmx.c:1472

◆ VmFuncVmxCompatibleStrlen()

IMPORT_EXPORT_VMM UINT32 VmFuncVmxCompatibleStrlen ( const CHAR * s)

VMX-root compatible strlen.

Parameters
sA pointer to the string
Returns
UINT32
600{
601 return VmxCompatibleStrlen(s);
602}
VmxCompatibleStrlen
UINT32 VmxCompatibleStrlen(const CHAR *S)
implementation of vmx-root mode compatible strlen
Definition Vmx.c:1290

◆ VmFuncVmxCompatibleStrncmp()

IMPORT_EXPORT_VMM INT32 VmFuncVmxCompatibleStrncmp ( const CHAR * Address1,
const CHAR * Address2,
SIZE_T Num )

VMX-root compatible strncmp.

Parameters
Address1
Address2
Num
Returns
INT32
747{
748 return VmxCompatibleStrcmp(Address1, Address2, Num, TRUE);
749}

◆ VmFuncVmxCompatibleWcscmp()

IMPORT_EXPORT_VMM INT32 VmFuncVmxCompatibleWcscmp ( const wchar_t * Address1,
const wchar_t * Address2 )

VMX-root compatible wcscmp.

Parameters
Address1
Address2
Returns
INT32
760{
761 return VmxCompatibleWcscmp(Address1, Address2, NULL_ZERO, FALSE);
762}
VmxCompatibleWcscmp
INT32 VmxCompatibleWcscmp(const wchar_t *Address1, const wchar_t *Address2, SIZE_T Num, BOOLEAN IsWcsncmp)
implementation of vmx-root mode compatible wcscmp and wcsncmp
Definition Vmx.c:1610

◆ VmFuncVmxCompatibleWcslen()

IMPORT_EXPORT_VMM UINT32 VmFuncVmxCompatibleWcslen ( const wchar_t * s)

VMX-root compatible strlen.

Parameters
sA pointer to the string
Returns
UINT32
612{
613 return VmxCompatibleWcslen(s);
614}
VmxCompatibleWcslen
UINT32 VmxCompatibleWcslen(const wchar_t *S)
implementation of vmx-root mode compatible wcslen
Definition Vmx.c:1379

◆ VmFuncVmxCompatibleWcsncmp()

IMPORT_EXPORT_VMM INT32 VmFuncVmxCompatibleWcsncmp ( const wchar_t * Address1,
const wchar_t * Address2,
SIZE_T Num )

VMX-root compatible wcsncmp.

Parameters
Address1
Address2
Num
Returns
INT32
774{
775 return VmxCompatibleWcscmp(Address1, Address2, Num, TRUE);
776}

◆ VmFuncVmxGetCurrentExecutionMode()

IMPORT_EXPORT_VMM BOOLEAN VmFuncVmxGetCurrentExecutionMode ( )

Get the current VMX operation state.

Returns
BOOLEAN
553{
554 return VmxGetCurrentExecutionMode();
555}

◆ VmFuncVmxVmcall()

IMPORT_EXPORT_VMM NTSTATUS VmFuncVmxVmcall ( unsigned long long VmcallNumber,
unsigned long long OptionalParam1,
unsigned long long OptionalParam2,
unsigned long long OptionalParam3 )

Export for running VMX VMCALLs.

Parameters
VmcallNumber
OptionalParam1
OptionalParam2
OptionalParam3
Returns
NTSTATUS
687{
688 return AsmVmxVmcall(VmcallNumber, OptionalParam1, OptionalParam2, OptionalParam3);
689}
AsmVmxVmcall
NTSTATUS AsmVmxVmcall(unsigned long long VmcallNumber, unsigned long long OptionalParam1, unsigned long long OptionalParam2, long long OptionalParam3)
Request Vmcall.

◆ VmFuncWriteExceptionBitmap()

IMPORT_EXPORT_VMM VOID VmFuncWriteExceptionBitmap ( UINT32 BitmapMask)

Write on exception bitmap in VMCS DO NOT CALL IT DIRECTLY, instead use HvSetExceptionBitmap.

Should be called in vmx-root

Parameters
BitmapMaskThe content to write on exception bitmap
Returns
VOID
192{
193 HvWriteExceptionBitmap(BitmapMask);
194}
HvWriteExceptionBitmap
VOID HvWriteExceptionBitmap(UINT32 BitmapMask)
Write on exception bitmap in VMCS DO NOT CALL IT DIRECTLY, instead use HvSetExceptionBitmap.
Definition Hv.c:572