Bitdefender Hypervisor Memory Introspection
#include "exceptions.h"
| Data Structures | |
|---|---|
| struct | _CODE_BLOCK |
| struct | _CODE_BLOCK_PATTERN |

| Macros | |
|---|---|
| #define | CODE_BLOCK_CHUNKS_COUNT 8 |
| | Number of chunks (CODE_INS) per codeblock. |

| Typedefs | |
|---|---|
| typedef struct _CODE_BLOCK | CODE_BLOCK |
| typedef struct _CODE_BLOCK * | PCODE_BLOCK |
| typedef struct _CODE_BLOCK_PATTERN | CODE_BLOCK_PATTERN |
| typedef struct _CODE_BLOCK_PATTERN * | PCODE_BLOCK_PATTERN |

| Enumerations | |
|---|---|
| enum | CB_EXTRACT_LEVEL { cbLevelNormal = 1, cbLevelMedium } |
| enum | CODE_INS { codeInsInvalid = 0, codeInsJc, codeInsJmp, codeInsCall, codeInsRet, codeInsStr, codeInsXchg, codeInsBt, codeInsMovReg, codeInsMovMem, codeInsMovImm, codeInsMovFsGs, codeInsFlags } |

| Functions | |
|---|---|
| INTSTATUS | IntFragExtractPattern (BYTE *Buffer, DWORD MaxBufferSize, IG_CS_TYPE CsType, CB_EXTRACT_LEVEL ExtractLevel, DWORD PatternSize, BYTE *Pattern, DWORD *TotalExtracted, DWORD *TotalParsed) |
| | Extract a pattern of code-blocks from the given code buffer. |
| INTSTATUS | IntFragExtractCodeBlocks (BYTE *Buffer, DWORD MaxBufferSize, IG_CS_TYPE CsType, CB_EXTRACT_LEVEL ExtractLevel, DWORD *HashesCount, DWORD *Hashes) |
| | Extract a block of code-block hashes from the given code buffer. |
| __pure INTSTATUS | IntFragMatchSignature (const DWORD *Hashes, DWORD CodeBlocksCount, const SIG_CODEBLOCKS *ExceptionSignature) |
| | Match a block of code-block hashes against a list of code-block exception signatures. |
| INTSTATUS | IntFragExtractCodePattern (PBYTE Buffer, DWORD StartOffset, DWORD MaxBufferSize, IG_CS_TYPE CsType, CB_EXTRACT_LEVEL ExtractLevel, DWORD PatternSize, CODE_BLOCK_PATTERN *Pattern, DWORD *TotalExtracted) |
| | Extract a pattern of code-blocks from the given code buffer. |
| INTSTATUS | IntFragDumpBlocks (PBYTE Buffer, QWORD StartAddress, DWORD MaxBufferSize, IG_CS_TYPE CsType, CB_EXTRACT_LEVEL ExtractLevel, QWORD Rip, BOOLEAN ReturnRip) |
| | Dumps code-blocks that can then be used to generate an exception signature. |
#define CODE_BLOCK_CHUNKS_COUNT 8

Number of chunks (CODE_INS) per code block.

Definition at line 43 of file codeblocks.h.

Referenced by IntAlertFillCodeBlocks(), IntFragDumpBlocks(), IntFragExtractCodeBlocks(), IntFragLogCodeBlocks(), IntSerializeCodeBlocksPattern(), and IntSerializeExtractCodeBlocks().

typedef struct _CODE_BLOCK CODE_BLOCK

Describes a single normalized code block. This is only a "passing" structure: from it a CODE_SIGNATURE structure is built, which is then matched against the databases (or inserted into one). Each code block is a series of patterns that is computed into a hash; a signature consists of a few such hashes.

typedef struct _CODE_BLOCK_PATTERN CODE_BLOCK_PATTERN

This structure describes an instruction inside a pattern.

typedef struct _CODE_BLOCK * PCODE_BLOCK

typedef struct _CODE_BLOCK_PATTERN * PCODE_BLOCK_PATTERN

enum CB_EXTRACT_LEVEL

This defines how "aggressive" the pattern extraction should be.

| Enumerator | |
|---|---|
| cbLevelNormal | Includes instruction types up to codeInsBt. |
| cbLevelMedium | Includes instruction types up to codeInsFlags. |

Definition at line 14 of file codeblocks.h.

enum CODE_INS

Defines the instruction types that are included in the blocks.

Definition at line 24 of file codeblocks.h.
INTSTATUS IntFragDumpBlocks (PBYTE Buffer, QWORD StartAddress, DWORD MaxBufferSize, IG_CS_TYPE CsType, CB_EXTRACT_LEVEL ExtractLevel, QWORD Rip, BOOLEAN ReturnRip)

Dumps code-blocks that can then be used to generate an exception signature.

| Parameters | | |
|---|---|---|
| [in] | Buffer | The code buffer to be parsed. |
| [in] | StartAddress | The offset to start the parsing at. |
| [in] | MaxBufferSize | The size of the code buffer. |
| [in] | CsType | Operating mode, should be IG_CS_TYPE_32B or IG_CS_TYPE_64B. |
| [in] | ExtractLevel | cbLevelNormal or cbLevelMedium. |
| [in] | Rip | The current Rip. |
| [in] | ReturnRip | The return Rip. |

| Return values | |
|---|---|
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
| INT_STATUS_INSUFFICIENT_RESOURCES | If a memory allocation fails. |
| INT_STATUS_DATA_BUFFER_TOO_SMALL | If fewer than CODE_BLOCK_CHUNKS_COUNT chunks could be extracted. |

Definition at line 1293 of file codeblocks.c.

Referenced by DbgDumpCodeblocks(), and IntExceptDumpSignatures().
INTSTATUS IntFragExtractCodeBlocks (BYTE *Buffer, DWORD MaxBufferSize, IG_CS_TYPE CsType, CB_EXTRACT_LEVEL ExtractLevel, DWORD *HashesCount, DWORD *Hashes)

Extract a block of code-block hashes from the given code buffer.

This function parses the provided code buffer and extracts a pattern of CODE_INS values representing the relevant instructions located inside it. Once the pattern has been extracted, it is walked and hashes are computed over blocks of CODE_BLOCK_CHUNKS_COUNT patterns, each starting with a pivot instruction, which can be a codeInsJmp, a codeInsCall or a mov that involves memory or the fs/gs segments.

| Parameters | | |
|---|---|---|
| [in] | Buffer | The code buffer to be parsed. |
| [in] | MaxBufferSize | The size of the code buffer. |
| [in] | CsType | Operating mode, should be IG_CS_TYPE_32B or IG_CS_TYPE_64B. |
| [in] | ExtractLevel | cbLevelNormal or cbLevelMedium. |
| [in,out] | HashesCount | The total number of hashes extracted is added to this variable. |
| [out] | Hashes | Contains the extracted hashes upon successful return. |

| Return values | |
|---|---|
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
| INT_STATUS_NOT_FOUND | If no hash could be extracted. |

Definition at line 746 of file codeblocks.c.

Referenced by IntExceptVerifyCodeBlocksSig().
INTSTATUS IntFragExtractCodePattern (PBYTE Buffer, DWORD StartOffset, DWORD MaxBufferSize, IG_CS_TYPE CsType, CB_EXTRACT_LEVEL ExtractLevel, DWORD PatternSize, CODE_BLOCK_PATTERN *Pattern, DWORD *TotalExtracted)

Extract a pattern of code-blocks from the given code buffer.

This function parses the provided code buffer and extracts a pattern of CODE_INS values representing the relevant instructions located inside it. The pattern can then be used to compute hashes (code-blocks). The function uses the disassembler to decode each instruction inside Buffer and, depending on the instruction type, writes a CODE_INS value into the Pattern buffer. It may also call the optimized IntFragHandleCommon function, which tries to handle the current instruction without calling the disassembler; if that fails, it falls back to the disassembler.

| Parameters | | |
|---|---|---|
| [in] | Buffer | The code buffer to be parsed. |
| [in] | StartOffset | The offset to start the parsing at. |
| [in] | MaxBufferSize | The size of the code buffer. |
| [in] | CsType | Operating mode, should be IG_CS_TYPE_32B or IG_CS_TYPE_64B. |
| [in] | ExtractLevel | cbLevelNormal or cbLevelMedium. |
| [in] | PatternSize | Maximum size of the pattern. |
| [out] | Pattern | The pattern of instructions located in Buffer. |
| [out] | TotalExtracted | Number of CODE_INS values extracted from Buffer into Pattern. |

| Return values | |
|---|---|
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
| INT_STATUS_DATA_BUFFER_TOO_SMALL | If the buffer is too small (the last instructions cannot be parsed). |

Definition at line 990 of file codeblocks.c.

Referenced by IntAlertFillCodeBlocks(), IntFragDumpBlocks(), and IntSerializeExtractCodeBlocks().
INTSTATUS IntFragExtractPattern (BYTE *Buffer, DWORD MaxBufferSize, IG_CS_TYPE CsType, CB_EXTRACT_LEVEL ExtractLevel, DWORD PatternSize, BYTE *Pattern, DWORD *TotalExtracted, DWORD *TotalParsed)

Extract a pattern of code-blocks from the given code buffer.

This function parses the provided code buffer and extracts a pattern of CODE_INS values representing the relevant instructions located inside it. The pattern can then be used to compute hashes (code-blocks). The function uses the disassembler to decode each instruction inside Buffer and, depending on the instruction type, writes a CODE_INS value into the Pattern buffer. It may also call the optimized IntFragHandleCommon function, which tries to handle the current instruction without calling the disassembler; if that fails, it falls back to the disassembler.

| Parameters | | |
|---|---|---|
| [in] | Buffer | The code buffer to be parsed. |
| [in] | MaxBufferSize | The size of the code buffer. |
| [in] | CsType | Operating mode, should be IG_CS_TYPE_32B or IG_CS_TYPE_64B. |
| [in] | ExtractLevel | cbLevelNormal or cbLevelMedium. |
| [in] | PatternSize | Maximum size of the pattern. |
| [out] | Pattern | The pattern of instructions located in Buffer. |
| [out] | TotalExtracted | Number of CODE_INS values extracted from Buffer into Pattern. |
| [in,out] | TotalParsed | The total size in bytes parsed from Buffer is added to this variable. |

| Return values | |
|---|---|
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
| INT_STATUS_DATA_BUFFER_TOO_SMALL | If the buffer is too small (the last instructions cannot be parsed). |

Definition at line 502 of file codeblocks.c.

Referenced by IntFragExtractCodeBlocks().
__pure INTSTATUS IntFragMatchSignature (const DWORD *Hashes, DWORD CodeBlocksCount, const SIG_CODEBLOCKS *ExceptionSignature)

Match a block of code-block hashes against a list of code-block exception signatures.

This function attempts to match the code-blocks located in Hashes against the code-block signature list inside ExceptionSignature.

| Parameters | | |
|---|---|---|
| [in] | Hashes | The list of hashes to be matched. |
| [in] | CodeBlocksCount | Number of hashes in Hashes. |
| [in] | ExceptionSignature | The exception signature containing the hashes to match against. |

| Return values | |
|---|---|
| INT_STATUS_SIGNATURE_MATCHED | If the Hashes block matches a signature inside ExceptionSignature. |
| INT_STATUS_SIGNATURE_NOT_FOUND | If no match is found. |
| INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |

Definition at line 912 of file codeblocks.c.

Referenced by IntExceptVerifyCodeBlocksSig().
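As an added example (not HVMI's code), the extract-and-match pipeline described for IntFragExtractCodeBlocks and IntFragMatchSignature above, modelled in C over an already-extracted CODE_INS pattern: the CB_EXTRACT_LEVEL filter, the pivot rule, hashing of CODE_BLOCK_CHUNKS_COUNT-long windows, and matching against a signature's hash list. The FNV-1a hash, the "every signature hash must be present" match rule and the 64-entry pattern bound are assumptions; the page does not state HVMI's hash function or match semantics.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* CODE_INS and CB_EXTRACT_LEVEL as enumerated on this page (added example, not HVMI source). */
typedef enum {
    codeInsInvalid = 0, codeInsJc, codeInsJmp, codeInsCall, codeInsRet, codeInsStr, codeInsXchg,
    codeInsBt, codeInsMovReg, codeInsMovMem, codeInsMovImm, codeInsMovFsGs, codeInsFlags
} CODE_INS;
typedef enum { cbLevelNormal = 1, cbLevelMedium } CB_EXTRACT_LEVEL;
#define CODE_BLOCK_CHUNKS_COUNT 8 /* chunks (CODE_INS values) per code block */

/* cbLevelNormal keeps instruction types up to codeInsBt, cbLevelMedium up to codeInsFlags. */
static bool included(CODE_INS ins, CB_EXTRACT_LEVEL level) {
    return ins != codeInsInvalid && ins <= (level == cbLevelNormal ? codeInsBt : codeInsFlags);
}
/* A block starts at a pivot: jmp, call, or a mov involving memory or the fs/gs segments. */
static bool is_pivot(CODE_INS ins) {
    return ins == codeInsJmp || ins == codeInsCall || ins == codeInsMovMem || ins == codeInsMovFsGs;
}
/* Hash of one block. FNV-1a is an assumption: the page does not name HVMI's hash function. */
static uint32_t hash_block(const uint8_t *chunk, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= chunk[i]; h *= 16777619u; }
    return h;
}

/* Drop instruction types above the extraction level, then hash every CODE_BLOCK_CHUNKS_COUNT-long
 * window of the kept pattern that begins at a pivot. Returns the number of hashes written. */
size_t extract_code_blocks(const uint8_t *pattern, size_t len, CB_EXTRACT_LEVEL level,
                           uint32_t *hashes, size_t max_hashes) {
    uint8_t kept[64]; /* example-only bound on the pattern length (assumption) */
    size_t n = 0, count = 0;
    for (size_t i = 0; i < len && n < sizeof kept; i++)
        if (included((CODE_INS)pattern[i], level)) kept[n++] = pattern[i];
    for (size_t i = 0; i + CODE_BLOCK_CHUNKS_COUNT <= n && count < max_hashes; i++)
        if (is_pivot((CODE_INS)kept[i])) hashes[count++] = hash_block(&kept[i], CODE_BLOCK_CHUNKS_COUNT);
    return count;
}

/* Matched when every hash the signature lists occurs among the extracted hashes
 * (the exact match rule is an assumption; the page only says hashes are matched). */
bool match_signature(const uint32_t *hashes, size_t count, const uint32_t *sig, size_t sig_count) {
    for (size_t s = 0; s < sig_count; s++) {
        bool found = false;
        for (size_t i = 0; i < count && !found; i++) found = (hashes[i] == sig[s]);
        if (!found) return false;
    }
    return sig_count > 0;
}
```

With a constructed 16-entry pattern containing a call at index 1, a jmp at index 8 and a memory mov at index 11, cbLevelMedium yields two hashes (the trailing mov has fewer than CODE_BLOCK_CHUNKS_COUNT chunks after it) and cbLevelNormal yields one, since the mov types are filtered out.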