IntroVirt/WindowsFunctionCall_8hh_source.html

/*

 * Copyright 2021 Assured Information Security, Inc.

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 *         http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */

#pragma once


#include <introvirt/core/function/FunctionCall.hh>

#include <introvirt/core/fwd.hh>

#include <introvirt/core/memory/guest_ptr.hh>

#include <introvirt/windows/event/fwd.hh>


#include <functional>

#include <memory>


namespace introvirt {

namespace windows {


enum class WindowsCallType { AUTO, CDECL, STDCALL, FASTCALL, X64 };


class WindowsFunctionCall : public FunctionCall {

  public:

    guest_ptr<void> return_address() const override;

    void return_address(const guest_ptr<void>& value) override;


    bool is_return_event(Event& event) const override;

    void handle_return(Event& event) override;

    bool returned() const override;


    bool x64() const;


    virtual ~WindowsFunctionCall();


  protected:

    uint64_t raw_return_value() const;

    void raw_return_value(uint64_t value);


    uint64_t get_argument(unsigned int index) const;

    void set_argument(unsigned int index, uint64_t value);


    guest_ptr<void> get_address_argument(unsigned int index) const;

    void set_address_argument(unsigned int index, const guest_ptr<void>& address);


    Vcpu& vcpu();

    const Vcpu& vcpu() const;


    WindowsFunctionCall(Event& event, unsigned int argument_count,

                        WindowsCallType type = WindowsCallType::AUTO);


  private:

    uint64_t _get_argument_cdecl(unsigned int index) const;

    void _set_argument_cdecl(unsigned int index, uint64_t value);


    uint64_t _get_argument_fastcall(unsigned int index) const;

    void _set_argument_fastcall(unsigned int index, uint64_t value);


    uint64_t _get_argument_x64(unsigned int index) const;

    void _set_argument_x64(unsigned int index, uint64_t value);


    WindowsEvent* event_;

    guest_ptr<guest_size_t[]> stack_;


    std::function<uint64_t(unsigned int)> get_argument_;

    std::function<void(unsigned int, uint64_t)> set_argument_;


    const uint64_t tid_;

    uint64_t return_rsp_;


    bool returned_ = false;

    uint64_t raw_return_value_ = -1;


    bool x64_;

};


} // namespace windows

} // namespace introvirt

FunctionCall.hh

introvirt::Event
Interface class for hypervisor events.
Definition Event.hh:43

introvirt::FunctionCall
Base class for function calls.
Definition FunctionCall.hh:33

introvirt::Vcpu
A class representing a single virtual processor.
Definition Vcpu.hh:33

introvirt::basic_guest_ptr
Definition guest_ptr.hh:88

introvirt::windows::WindowsEvent
Definition WindowsEvent.hh:26

introvirt::windows::WindowsFunctionCall
Definition WindowsFunctionCall.hh:31

introvirt::windows::WindowsFunctionCall::vcpu
const Vcpu & vcpu() const

introvirt::windows::WindowsFunctionCall::set_argument
void set_argument(unsigned int index, uint64_t value)

introvirt::windows::WindowsFunctionCall::return_address
guest_ptr< void > return_address() const override
Get the return address for this function call.

introvirt::windows::WindowsFunctionCall::vcpu
Vcpu & vcpu()

introvirt::windows::WindowsFunctionCall::return_address
void return_address(const guest_ptr< void > &value) override
Set the return address for this function call.

introvirt::windows::WindowsFunctionCall::is_return_event
bool is_return_event(Event &event) const override
Check if the given event is a return event for this function call.

introvirt::windows::WindowsFunctionCall::WindowsFunctionCall
WindowsFunctionCall(Event &event, unsigned int argument_count, WindowsCallType type=WindowsCallType::AUTO)

introvirt::windows::WindowsFunctionCall::get_argument
uint64_t get_argument(unsigned int index) const

introvirt::windows::WindowsFunctionCall::~WindowsFunctionCall
virtual ~WindowsFunctionCall()

introvirt::windows::WindowsFunctionCall::set_address_argument
void set_address_argument(unsigned int index, const guest_ptr< void > &address)

introvirt::windows::WindowsFunctionCall::x64
bool x64() const
Check if the call is from x64 mode.hh>

introvirt::windows::WindowsFunctionCall::returned
bool returned() const override
Check if the call has returned.

introvirt::windows::WindowsFunctionCall::raw_return_value
uint64_t raw_return_value() const

introvirt::windows::WindowsFunctionCall::raw_return_value
void raw_return_value(uint64_t value)

introvirt::windows::WindowsFunctionCall::get_address_argument
guest_ptr< void > get_address_argument(unsigned int index) const

introvirt::windows::WindowsFunctionCall::handle_return
void handle_return(Event &event) override
Handle the return event.

fwd.hh

guest_ptr.hh
Type-safe guest virtual address pointer and guest_ptr template.

introvirt::windows::WindowsCallType
WindowsCallType
Definition WindowsFunctionCall.hh:29

introvirt::windows::WindowsCallType::FASTCALL
@ FASTCALL

introvirt::windows::WindowsCallType::CDECL
@ CDECL

introvirt::windows::WindowsCallType::AUTO
@ AUTO

introvirt::windows::WindowsCallType::STDCALL
@ STDCALL

introvirt::windows::WindowsCallType::X64
@ X64

introvirt
Core IntroVirt classes.
Definition Cr0.hh:20

fwd.hh