State.h

Go to the documentation of this file.

 
#pragma once
 
//                    typedefs                   //
 
typedef EPT_PML4E   EPT_PML4_POINTER, *PEPT_PML4_POINTER;
typedef EPT_PDPTE   EPT_PML3_POINTER, *PEPT_PML3_POINTER;
typedef EPT_PDE_2MB EPT_PML2_ENTRY, *PEPT_PML2_ENTRY;
typedef EPT_PDE     EPT_PML2_POINTER, *PEPT_PML2_POINTER;
typedef EPT_PTE     EPT_PML1_ENTRY, *PEPT_PML1_ENTRY;
 
//                  Constants                   //
 
#define PENDING_INTERRUPTS_BUFFER_CAPACITY 64
 
#define MaximumHiddenBreakpointsOnPage 40
 
//                    Enums                     //
 
typedef enum _NMI_BROADCAST_ACTION_TYPE
{
    NMI_BROADCAST_ACTION_NONE = 0,
    NMI_BROADCAST_ACTION_TEST,
    NMI_BROADCAST_ACTION_REQUEST,
    NMI_BROADCAST_ACTION_INVALIDATE_EPT_CACHE_SINGLE_CONTEXT,
    NMI_BROADCAST_ACTION_INVALIDATE_EPT_CACHE_ALL_CONTEXTS,
 
} NMI_BROADCAST_ACTION_TYPE;
 
typedef enum _EPT_HOOKED_LAST_VIOLATION
{
    EPT_HOOKED_LAST_VIOLATION_READ  = 1,
    EPT_HOOKED_LAST_VIOLATION_WRITE = 2,
    EPT_HOOKED_LAST_VIOLATION_EXEC  = 3
 
} EPT_HOOKED_LAST_VIOLATION;
 
//                Memory Layout                 //
 
#define VMM_EPT_PML4E_COUNT 512
 
#define VMM_EPT_PML3E_COUNT 512
 
#define VMM_EPT_PML2E_COUNT 512
 
#define VMM_EPT_PML1E_COUNT 512
 
typedef struct _VMM_EPT_PAGE_TABLE
{
    DECLSPEC_ALIGN(PAGE_SIZE)
    EPT_PML4_POINTER PML4[VMM_EPT_PML4E_COUNT];
 
    DECLSPEC_ALIGN(PAGE_SIZE)
    EPT_PML3_POINTER PML3[VMM_EPT_PML3E_COUNT];
 
    DECLSPEC_ALIGN(PAGE_SIZE)
    EPT_PML2_ENTRY PML2[VMM_EPT_PML3E_COUNT][VMM_EPT_PML2E_COUNT];
 
} VMM_EPT_PAGE_TABLE, *PVMM_EPT_PAGE_TABLE;
 
//                    Structure                 //
 
typedef struct _VM_EXIT_TRANSPARENCY
{
    UINT64 PreviousTimeStampCounter;
 
    HANDLE  ThreadId;
    UINT64  RevealedTimeStampCounterByRdtsc;
    BOOLEAN CpuidAfterRdtscDetected;
 
} VM_EXIT_TRANSPARENCY, *PVM_EXIT_TRANSPARENCY;
 
typedef struct _VMX_VMXOFF_STATE
{
    BOOLEAN IsVmxoffExecuted; // Shows whether the VMXOFF executed or not
    UINT64  GuestRip;         // Rip address of guest to return
    UINT64  GuestRsp;         // Rsp address of guest to return
 
} VMX_VMXOFF_STATE, *PVMX_VMXOFF_STATE;
 
typedef struct _EPT_HOOKED_PAGE_DETAIL
{
    DECLSPEC_ALIGN(PAGE_SIZE)
    CHAR FakePageContents[PAGE_SIZE];
 
    LIST_ENTRY PageHookList;
 
    UINT64 VirtualAddress;
 
    UINT64 AddressOfEptHook2sDetourListEntry;
 
    SIZE_T PhysicalBaseAddress;
 
    SIZE_T StartOfTargetPhysicalAddress;
 
    SIZE_T EndOfTargetPhysicalAddress;
 
    UINT64 HookingTag;
 
    SIZE_T PhysicalBaseAddressOfFakePageContents;
 
    EPT_PML1_ENTRY OriginalEntry;
 
    EPT_PML1_ENTRY ChangedEntry;
 
    PCHAR Trampoline;
 
    BOOLEAN IsExecutionHook;
 
    BOOLEAN IsHiddenBreakpoint;
 
    EPT_HOOKS_CONTEXT LastContextState;
 
    BOOLEAN IsPostEventTriggerAllowed;
 
    EPT_HOOKED_LAST_VIOLATION LastViolation;
 
    UINT64 BreakpointAddresses[MaximumHiddenBreakpointsOnPage];
 
    CHAR PreviousBytesOnBreakpointAddresses[MaximumHiddenBreakpointsOnPage];
 
    UINT64 CountOfBreakpoints;
 
} EPT_HOOKED_PAGE_DETAIL, *PEPT_HOOKED_PAGE_DETAIL;
 
typedef struct _NMI_BROADCASTING_STATE
{
    volatile NMI_BROADCAST_ACTION_TYPE NmiBroadcastAction; // The broadcast action for NMI
 
} NMI_BROADCASTING_STATE, *PNMI_BROADCASTING_STATE;
 
typedef struct _VIRTUAL_MACHINE_STATE
{
    BOOLEAN      IsOnVmxRootMode;                                               // Detects whether the current logical core is on Executing on VMX Root Mode
    BOOLEAN      IncrementRip;                                                  // Checks whether it has to redo the previous instruction or not (it used mainly in Ept routines)
    BOOLEAN      HasLaunched;                                                   // Indicate whether the core is virtualized or not
    BOOLEAN      IgnoreMtfUnset;                                                // Indicate whether the core should ignore unsetting the MTF or not
    BOOLEAN      WaitForImmediateVmexit;                                        // Whether the current core is waiting for an immediate vm-exit or not
    BOOLEAN      EnableExternalInterruptsOnContinue;                            // Whether to enable external interrupts on the continue  or not
    BOOLEAN      EnableExternalInterruptsOnContinueMtf;                         // Whether to enable external interrupts on the continue state of MTF or not
    BOOLEAN      RegisterBreakOnMtf;                                            // Registered Break in the case of MTFs (used in instrumentation step-in)
    BOOLEAN      IgnoreOneMtf;                                                  // Ignore (mark as handled) for one MTF
    BOOLEAN      NotNormalEptp;                                                 // Indicate that the target processor is on the normal EPTP or not
    BOOLEAN      MbecEnabled;                                                   // Indicate that the target processor is on MBEC-enabled mode or not
    PUINT64      PmlBufferAddress;                                              // Address of buffer used for dirty logging
    BOOLEAN      Test;                                                          // Used for test purposes
    UINT64       TestNumber;                                                    // Used for test purposes (Number)
    GUEST_REGS * Regs;                                                          // The virtual processor's general-purpose registers
    UINT32       CoreId;                                                        // The core's unique identifier
    UINT32       ExitReason;                                                    // The core's exit reason
    UINT32       ExitQualification;                                             // The core's exit qualification
    UINT64       LastVmexitRip;                                                 // RIP in the current VM-exit
    UINT64       VmxonRegionPhysicalAddress;                                    // Vmxon region physical address
    UINT64       VmxonRegionVirtualAddress;                                     // VMXON region virtual address
    UINT64       VmcsRegionPhysicalAddress;                                     // VMCS region physical address
    UINT64       VmcsRegionVirtualAddress;                                      // VMCS region virtual address
    UINT64       VmmStack;                                                      // Stack for VMM in VM-Exit State
    UINT64       MsrBitmapVirtualAddress;                                       // Msr Bitmap Virtual Address
    UINT64       MsrBitmapPhysicalAddress;                                      // Msr Bitmap Physical Address
    UINT64       IoBitmapVirtualAddressA;                                       // I/O Bitmap Virtual Address (A)
    UINT64       IoBitmapPhysicalAddressA;                                      // I/O Bitmap Physical Address (A)
    UINT64       IoBitmapVirtualAddressB;                                       // I/O Bitmap Virtual Address (B)
    UINT64       IoBitmapPhysicalAddressB;                                      // I/O Bitmap Physical Address (B)
    UINT32       QueuedNmi;                                                     // Queued NMIs
    UINT32       PendingExternalInterrupts[PENDING_INTERRUPTS_BUFFER_CAPACITY]; // This list holds a buffer for external-interrupts that are in pending state due to the external-interrupt
                                                                                // blocking and waits for interrupt-window exiting
                                                                                // From hvpp :
                                                                                // Pending interrupt queue (FIFO).
                                                                                // Make storage for up-to 64 pending interrupts.
                                                                                // In practice I haven't seen more than 2 pending interrupts.
    VMX_VMXOFF_STATE        VmxoffState;                                        // Shows the vmxoff state of the guest
    NMI_BROADCASTING_STATE  NmiBroadcastingState;                               // Shows the state of NMI broadcasting
    VM_EXIT_TRANSPARENCY    TransparencyState;                                  // The state of the debugger in transparent-mode
    PEPT_HOOKED_PAGE_DETAIL MtfEptHookRestorePoint;                             // It shows the detail of the hooked paged that should be restore in MTF vm-exit
    UINT8                   LastExceptionOccuredInHost;                         // The vector of last exception occured in host
    UINT64                  HostIdt;                                            // host Interrupt Descriptor Table (actual type is SEGMENT_DESCRIPTOR_INTERRUPT_GATE_64*)
    UINT64                  HostGdt;                                            // host Global Descriptor Table (actual type is SEGMENT_DESCRIPTOR_32* or SEGMENT_DESCRIPTOR_64*)
    UINT64                  HostTss;                                            // host Task State Segment (actual type is TASK_STATE_SEGMENT_64*)
    UINT64                  HostInterruptStack;                                 // host interrupt RSP
 
    //
    // EPT Descriptors
    //
    EPT_POINTER         EptPointer;   // Extended-Page-Table Pointer
    PVMM_EPT_PAGE_TABLE EptPageTable; // Details of core-specific page-table
 
} VIRTUAL_MACHINE_STATE, *PVIRTUAL_MACHINE_STATE;