doxygen/html/codeblocks_8h_source.html

 /*
  * Copyright (c) 2020 Bitdefender
  * SPDX-License-Identifier: Apache-2.0
  */
 #ifndef _CODEBLOCKS_H_
 #define _CODEBLOCKS_H_

 #include "exceptions.h"


 typedef enum
 {
     cbLevelNormal = 1,
     cbLevelMedium,
 } CB_EXTRACT_LEVEL;


 typedef enum
 {
     codeInsInvalid = 0,
     codeInsJc,
     codeInsJmp,
     codeInsCall,
     codeInsRet,
     codeInsStr,
     codeInsXchg,
     codeInsBt,
     codeInsMovReg,
     codeInsMovMem,
     codeInsMovImm,
     codeInsMovFsGs,
     codeInsFlags,
 } CODE_INS;


 #define CODE_BLOCK_CHUNKS_COUNT             8


 typedef struct _CODE_BLOCK
 {
     DWORD           OffsetStart;
     DWORD           Hash;
     WORD            Size;
     BYTE            PivotInstruction;
     BYTE            Chunks[CODE_BLOCK_CHUNKS_COUNT];
 } CODE_BLOCK, *PCODE_BLOCK;


 #pragma pack(push)
 #pragma pack(1)

 typedef struct _CODE_BLOCK_PATTERN
 {
     DWORD Offset;
     BYTE  Value;
 } CODE_BLOCK_PATTERN, *PCODE_BLOCK_PATTERN;
 #pragma pack(pop)


 //
 // API
 //
 INTSTATUS
 IntFragExtractPattern(
     _In_reads_(MaxBufferSize) BYTE *Buffer,
     _In_ DWORD MaxBufferSize,
     _In_ IG_CS_TYPE CsType,
     _In_ CB_EXTRACT_LEVEL ExtractLevel,
     _In_ DWORD PatternSize,
     _Out_writes_to_(PatternSize, *TotalExtracted) BYTE *Pattern,
     _Out_ DWORD *TotalExtracted,
     _Inout_ DWORD *TotalParsed
     );

 INTSTATUS
 IntFragExtractCodeBlocks(
     _In_reads_(MaxBufferSize) BYTE *Buffer,
     _In_ DWORD MaxBufferSize,
     _In_ IG_CS_TYPE CsType,
     _In_ CB_EXTRACT_LEVEL ExtractLevel,
     _Inout_ DWORD *HashesCount,
     _Out_writes_(*HashesCount) DWORD *Hashes
     );

 __pure INTSTATUS
 IntFragMatchSignature(
     _In_ const DWORD *Hashes,
     _In_ DWORD CodeBlocksCount,
     _In_ const SIG_CODEBLOCKS *ExceptionSignature
     );

 INTSTATUS
 IntFragExtractCodePattern(
     _In_ PBYTE Buffer,
     _In_ DWORD StartOffset,
     _In_ DWORD MaxBufferSize,
     _In_ IG_CS_TYPE CsType,
     _In_ CB_EXTRACT_LEVEL ExtractLevel,
     _In_ DWORD PatternSize,
     _Out_writes_to_(PatternSize, *TotalExtracted) CODE_BLOCK_PATTERN *Pattern,
     _Out_ DWORD *TotalExtracted
     );

 INTSTATUS
 IntFragDumpBlocks(
     _In_ PBYTE Buffer,
     _In_ QWORD StartAddress,
     _In_ DWORD MaxBufferSize,
     _In_ IG_CS_TYPE CsType,
     _In_ CB_EXTRACT_LEVEL ExtractLevel,
     _In_ QWORD Rip,
     _In_ BOOLEAN ReturnRip
     );

 #endif // _CODEBLOCKS_H_
BOOLEAN
_Bool BOOLEAN
Definition: intro_types.h:58

_Out_
#define _Out_
Definition: intro_sal.h:22

codeInsMovFsGs
A mov using a segment:offset.
Definition: codeblocks.h:37

BYTE
uint8_t BYTE
Definition: intro_types.h:47

IntFragExtractCodePattern
INTSTATUS IntFragExtractCodePattern(PBYTE Buffer, DWORD StartOffset, DWORD MaxBufferSize, IG_CS_TYPE CsType, CB_EXTRACT_LEVEL ExtractLevel, DWORD PatternSize, CODE_BLOCK_PATTERN *Pattern, DWORD *TotalExtracted)
Extract a pattern of code-blocks from the given code buffer.
Definition: codeblocks.c:990

_In_
#define _In_
Definition: intro_sal.h:21

CODE_BLOCK_PATTERN
struct _CODE_BLOCK_PATTERN CODE_BLOCK_PATTERN

_CODE_BLOCK::PivotInstruction
BYTE PivotInstruction
Definition: codeblocks.h:56

WORD
uint16_t WORD
Definition: intro_types.h:48

codeInsJmp
Non-conditional jump, of any kind.
Definition: codeblocks.h:28

_CODE_BLOCK::OffsetStart
DWORD OffsetStart
The start of the extracted codeblock (not actually relevant)
Definition: codeblocks.h:53

IntFragExtractCodeBlocks
INTSTATUS IntFragExtractCodeBlocks(BYTE *Buffer, DWORD MaxBufferSize, IG_CS_TYPE CsType, CB_EXTRACT_LEVEL ExtractLevel, DWORD *HashesCount, DWORD *Hashes)
Extract a block of code-block hashes from the given code buffer.
Definition: codeblocks.c:746

_CODE_BLOCK::Size
WORD Size
Code block size, in patterns.
Definition: codeblocks.h:55

_In_reads_
#define _In_reads_(expr)
Definition: intro_sal.h:27

__pure
#define __pure
Definition: introtypes.h:46

codeInsRet
Ret, of any kind.
Definition: codeblocks.h:30

_CODE_BLOCK_PATTERN::Offset
DWORD Offset
The offset of the instruction in the page.
Definition: codeblocks.h:70

CODE_BLOCK_CHUNKS_COUNT
#define CODE_BLOCK_CHUNKS_COUNT
Number of chunks (CODE_INS) per codeblock.
Definition: codeblocks.h:43

codeInsMovImm
A mov using immediate value.
Definition: codeblocks.h:36

INTSTATUS
int INTSTATUS
The status data type.
Definition: introstatus.h:24

IntFragMatchSignature
__pure INTSTATUS IntFragMatchSignature(const DWORD *Hashes, DWORD CodeBlocksCount, const SIG_CODEBLOCKS *ExceptionSignature)
Match a block of code-block hashes against a list of code-block exception signatures.
Definition: codeblocks.c:912

CB_EXTRACT_LEVEL
CB_EXTRACT_LEVEL
Definition: codeblocks.h:14

_Out_writes_
#define _Out_writes_(expr)
Definition: intro_sal.h:28

codeInsXchg
Exchange instruction, including xchg, xadd, cmpxchg, cmpxchg8b/16b.
Definition: codeblocks.h:32

codeInsBt
Bit manipulation instruction - bt, bts, btr, btc.
Definition: codeblocks.h:33

codeInsFlags
Push/Pop flags.
Definition: codeblocks.h:38

_CODE_BLOCK::Chunks
BYTE Chunks[CODE_BLOCK_CHUNKS_COUNT]
The actual CODE_INS values representing the instruction pattern.
Definition: codeblocks.h:58

IntFragDumpBlocks
INTSTATUS IntFragDumpBlocks(PBYTE Buffer, QWORD StartAddress, DWORD MaxBufferSize, IG_CS_TYPE CsType, CB_EXTRACT_LEVEL ExtractLevel, QWORD Rip, BOOLEAN ReturnRip)
Dumps code-blocks that can then be used to generate an exception signature.
Definition: codeblocks.c:1293

IG_CS_TYPE
IG_CS_TYPE
The type of the code segment.
Definition: glueiface.h:183

_CODE_BLOCK
Definition: codeblocks.h:51

_CODE_BLOCK_PATTERN
Definition: codeblocks.h:68

_Inout_
#define _Inout_
Definition: intro_sal.h:20

PBYTE
uint8_t * PBYTE
Definition: intro_types.h:47

codeInsJc
Conditional jump, of any kind, including loop.
Definition: codeblocks.h:27

QWORD
unsigned long long QWORD
Definition: intro_types.h:53

exceptions.h

CODE_INS
CODE_INS
Definition: codeblocks.h:24

cbLevelNormal
This includes instructions until codeInsBt.
Definition: codeblocks.h:16

codeInsInvalid
Not really used, only to signal an error.
Definition: codeblocks.h:26

_CODE_BLOCK_PATTERN::Value
BYTE Value
The CODE_INS value describing the instruction type.
Definition: codeblocks.h:71

_CODE_BLOCK::Hash
DWORD Hash
The hash will be computed on Chunks array.
Definition: codeblocks.h:54

cbLevelMedium
This includes instructions until codeInsFlags.
Definition: codeblocks.h:17

DWORD
uint32_t DWORD
Definition: intro_types.h:49

codeInsStr
Some sort of string instruction - lods, stos, scas, movs.
Definition: codeblocks.h:31

codeInsCall
Call, of any kind.
Definition: codeblocks.h:29

IntFragExtractPattern
INTSTATUS IntFragExtractPattern(BYTE *Buffer, DWORD MaxBufferSize, IG_CS_TYPE CsType, CB_EXTRACT_LEVEL ExtractLevel, DWORD PatternSize, BYTE *Pattern, DWORD *TotalExtracted, DWORD *TotalParsed)
Extract a pattern of code-blocks from the given code buffer.
Definition: codeblocks.c:502

CODE_BLOCK
struct _CODE_BLOCK CODE_BLOCK

PCODE_BLOCK
struct _CODE_BLOCK * PCODE_BLOCK

codeInsMovReg
A mov involving only registers.
Definition: codeblocks.h:34

_Out_writes_to_
#define _Out_writes_to_(expr, expr2)
Definition: intro_sal.h:29

codeInsMovMem
A mov involving memory (either as the destination or as the source).
Definition: codeblocks.h:35

_EXCEPTION_CB_SIGNATURE
Describes a codeblocks signature.
Definition: exceptions.h:397

PCODE_BLOCK_PATTERN
struct _CODE_BLOCK_PATTERN * PCODE_BLOCK_PATTERN