libintrovirt v0.57.4
IntroVirt introspection library


Public Member Functions
| void | process_event (Event &event) override | Process an incoming event. |
| void | handle_syscall (Event &event) | |
| void | handle_sysret (Event &event) | |
| void | handle_hypercall (Event &event) | |
| int | service_string_reverse (Event &event) | |
| int | service_write_protect (Event &event) | |
| void | memory_access_violation (Event &event) | |
| int | service_protect_process (Event &event) | |
| void | cleanup () | |

Public Member Functions inherited from introvirt::EventCallback
| virtual | ~EventCallback ()=default | |

Public Attributes
| map< uint64_t, list< unique_ptr< Watchpoint > > > | read_only_protections_ | |
| set< uint64_t > | protected_pids_ | |
| mutex | mtx_ | |
This is the callback class for handling IntroVirt events; it implements the core logic of this example.
It processes every received event, handling hypercalls and system calls as needed. In this example we only need to track NtTerminateProcess system calls, so that we can clean up our write-protections when a process terminates itself.
| void EventHandler::cleanup () | inline |
| void EventHandler::handle_hypercall (Event &event) | inline |
This method is called when we receive an EVENT_HYPERCALL event.
Here we print some basic information about the hypercall, and perform more complex actions if the RCX register holds a valid service code.
| void EventHandler::handle_syscall (Event &event) | inline |
This method is called when we receive an EVENT_FAST_SYSCALL event.
It handles NtTerminateProcess in order to clean up protections when a process exits, and to prevent termination of protected processes.
| void EventHandler::handle_sysret (Event &event) | inline |
This method is called when we receive an EVENT_FAST_SYSCALL_RET event.
| void EventHandler::memory_access_violation (Event &event) | inline |
This is our memory access violation handler.
| void EventHandler::process_event (Event &event) | inline, override, virtual |
Process an incoming event.
The main event callback method. Every event received from the hypervisor is passed to this method for processing. We only care about hypercalls and system calls in this example.
The EVENT_FAST_SYSCALL_RET event is used to handle the return from system calls.
Implements introvirt::EventCallback.
| int EventHandler::service_protect_process (Event &event) | inline |
This is the handler for the PROTECT_PROCESS service code.
It demonstrates how to protect a process from being terminated, injected into, or debugged by other processes in the guest.
The logic that performs the protection is not in this method; the enforcement happens in our system call handler. This method only needs to add the PID to our protected list.
| int EventHandler::service_string_reverse (Event &event) | inline |
This is the handler for the CSTRING_REVERSE service code.
It demonstrates how to read a C-style string from guest memory, reverse it in place, and handle any potential memory access issues.
It is very common to need to read and write guest memory when writing IntroVirt tools. The guest_ptr<> class and related helper functions make this easy and safe.
| int EventHandler::service_write_protect (Event &event) | inline |
This is the handler for the WRITE_PROTECT service code.
It demonstrates how to create a watchpoint on a memory region to make it read-only from the guest's perspective. Any write attempt to this region will trigger a memory access violation that we can handle in the hypervisor.
| mutex EventHandler::mtx_ |
| set<uint64_t> EventHandler::protected_pids_ |
| map<uint64_t, list<unique_ptr<Watchpoint> > > EventHandler::read_only_protections_ |
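The bookkeeping that the three services and the NtTerminateProcess handling above perform, as an added stand-alone C++ model. This is not the example's own code and it does not use IntroVirt's API: Event, guest_ptr<> and Watchpoint are replaced by stand-ins (a byte vector as guest memory, a plain range struct as the watchpoint), and the numeric service codes, the keying of read_only_protections_ by PID, and the rule that a protected process may be terminated only by itself are assumptions made for this example.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <list>
#include <map>
#include <memory>
#include <mutex>
#include <set>
#include <vector>

// Stand-in for guest memory (this example's assumption, not IntroVirt's
// guest_ptr<>): a flat byte array where any address past the end is unmapped.
struct GuestMemory {
    std::vector<uint8_t> bytes;
    bool mapped(uint64_t a) const { return a < bytes.size(); }
};

// Stand-in for a Watchpoint: a range the guest may read but not write.
struct Watchpoint { uint64_t start; uint64_t length; };

class EventHandler {
public:
    // Service codes the guest passes in RCX; the values are this example's choice.
    enum Service : uint64_t { CSTRING_REVERSE = 1, WRITE_PROTECT = 2, PROTECT_PROCESS = 3 };

    // Dispatch a hypercall on its service code. pid is the calling process,
    // addr/len are its arguments. Unknown codes return -1.
    int handle_hypercall(uint64_t rcx, uint64_t pid, uint64_t addr, uint64_t len,
                         GuestMemory& mem) {
        switch (rcx) {
        case CSTRING_REVERSE: return service_string_reverse(mem, addr, len);
        case WRITE_PROTECT:   return service_write_protect(pid, addr, len);
        case PROTECT_PROCESS: return service_protect_process(pid);
        default:              return -1;
        }
    }

    // Reverse a NUL-terminated string in place. The terminator must lie within
    // max_len bytes of mapped memory; otherwise the string is left untouched and
    // -1 is returned, which is how an unreadable guest pointer surfaces here.
    int service_string_reverse(GuestMemory& mem, uint64_t addr, uint64_t max_len) {
        uint64_t len = 0;
        for (;; ++len) {
            if (len >= max_len || !mem.mapped(addr + len)) return -1;
            if (mem.bytes[addr + len] == 0) break;
        }
        auto first = mem.bytes.begin() + static_cast<std::ptrdiff_t>(addr);
        std::reverse(first, first + static_cast<std::ptrdiff_t>(len));
        return static_cast<int>(len);
    }

    // Make [addr, addr+len) read-only and file the watchpoint under the owning
    // PID so it can be released when that process exits.
    int service_write_protect(uint64_t pid, uint64_t addr, uint64_t len) {
        std::lock_guard<std::mutex> lock(mtx_);
        read_only_protections_[pid].emplace_back(new Watchpoint{addr, len});
        return 0;
    }

    // Only bookkeeping here; enforcement happens in handle_terminate().
    int service_protect_process(uint64_t pid) {
        std::lock_guard<std::mutex> lock(mtx_);
        protected_pids_.insert(pid);
        return 0;
    }

    // A guest write as the hypervisor sees it: refused (the access violation)
    // if it lands in any watched range, performed otherwise.
    bool guest_write(GuestMemory& mem, uint64_t addr, uint8_t value) {
        std::lock_guard<std::mutex> lock(mtx_);
        for (auto& entry : read_only_protections_)
            for (auto& wp : entry.second)
                if (addr >= wp->start && addr - wp->start < wp->length) return false;
        if (!mem.mapped(addr)) return false;
        mem.bytes[addr] = value;
        return true;
    }

    // NtTerminateProcess as seen at the syscall. Policy assumed for this example:
    // a protected target may only be terminated by itself; a permitted exit
    // drops the target's protection and its watchpoints.
    bool handle_terminate(uint64_t caller_pid, uint64_t target_pid) {
        std::lock_guard<std::mutex> lock(mtx_);
        if (protected_pids_.count(target_pid) && caller_pid != target_pid) return false;
        read_only_protections_.erase(target_pid);
        protected_pids_.erase(target_pid);
        return true;
    }

    std::map<uint64_t, std::list<std::unique_ptr<Watchpoint>>> read_only_protections_;
    std::set<uint64_t> protected_pids_;
    std::mutex mtx_;
};

int main() {
    GuestMemory mem{{'h', 'e', 'l', 'l', 'o', 0}};  // constructed sample guest memory
    EventHandler h;
    h.handle_hypercall(EventHandler::CSTRING_REVERSE, 7, 0, 64, mem);
    std::printf("reversed: %s\n", reinterpret_cast<const char*>(mem.bytes.data()));
    h.handle_hypercall(EventHandler::WRITE_PROTECT, 7, 0, 6, mem);
    std::printf("write into protected range allowed: %d\n", h.guest_write(mem, 0, 'X'));
    h.handle_hypercall(EventHandler::PROTECT_PROCESS, 7, 0, 0, mem);
    std::printf("terminate by pid 99 allowed: %d\n", h.handle_terminate(99, 7));
    return 0;
}
```

The unterminated-string case is the one worth noticing: the scan stops at the first unmapped byte or at max_len and reports failure before touching anything, rather than reversing whatever happens to sit past the end of the buffer. The mutex matters because the hypercall path (which adds protections) and the syscall path (which removes them) can be reached from different vCPUs.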