- Generated by
1.8.13
|
Bitdefender Hypervisor Memory Introspection
|
#include "decoder.h"#include "gpacache.h"#include "guests.h"#include "icache.h"#include "introcpu.h"#include "kernvm.h"#include "lixprocess.h"#include "winprocesshp.h"Go to the source code of this file.
Macros | |
| #define | REG_GPRV(ctx, reg) (*((&(ctx)->Rax) + (reg))) |
| Get the value of a register inside a register array. More... | |
| #define | REG_GPRP(ctx, reg) ((&(ctx)->Rax) + (reg)) |
| Get the pointer to a register. More... | |
| #define | IS_ACCESS_IN_KERNEL_WIN(is64, gla, size) |
| Checks if a memory access is done inside the Windows kernel virtual address space. More... | |
| #define | IS_ACCESS_IN_KERNEL_LIX(gla, size) |
| Checks if a memory access is done inside the Linux kernel virtual address space. More... | |
| #define | GET_SIGN(sz, x) |
| Get the sign bit of a value. More... | |
Enumerations | |
| enum | { FM_LOGIC, FM_SUB, FM_ADD } |
| Describes the flags affected by an instruction. More... | |
Functions | |
| static void | IntDecSetFlags (QWORD Dst, QWORD Src1, QWORD Src2, DWORD Size, PIG_ARCH_REGS Regs, DWORD FlagsMode) |
| Sets the flags according to the result of an operation. More... | |
| INTSTATUS | IntDecDecodeInstruction (IG_CS_TYPE CsType, QWORD Gva, void *Instrux) |
| Decode an instruction from the provided guest linear address. More... | |
| INTSTATUS | IntDecDecodeInstructionFromBuffer (PBYTE Buffer, size_t BufferSize, IG_CS_TYPE CsType, void *Instrux) |
| Decode an instruction from the provided buffer. More... | |
| INTSTATUS | IntDecDecodeInstructionAtRip (DWORD CpuNumber, IG_ARCH_REGS *Registers, IG_SEG_REGS *Segments, INSTRUX *Instrux) |
| Decode an instruction at current RIP on the provided VCPU. More... | |
| INTSTATUS | IntDecDecodeInstructionAtRipWithCache (void *Cache, DWORD CpuNumber, PIG_ARCH_REGS Registers, PINSTRUX Instrux, DWORD Options, BOOLEAN *CacheHit, BOOLEAN *Added) |
| Decode an instruction using the cache. More... | |
| static INTSTATUS | IntDecDecodeOperandSize (PINSTRUX Instrux, PND_OPERAND Operand, PIG_ARCH_REGS Registers, DWORD *AccessSize) |
| Decode the size of the given operand. More... | |
| INTSTATUS | IntDecDecodeAccessSize (PINSTRUX Instrux, PIG_ARCH_REGS Registers, QWORD Gla, BYTE AccessType, DWORD *AccessSize) |
| Decode the memory access size of a given instruction. More... | |
| INTSTATUS | IntDecComputeLinearAddress (PINSTRUX Instrux, PND_OPERAND Operand, PIG_ARCH_REGS Registers, QWORD *LinearAddress) |
| Given an instruction and a memory operand, it will compute the guest linear address encoded by that operand. More... | |
| static INTSTATUS | IntDecComputeVsibLinearAddresses (PINSTRUX Instrux, PND_OPERAND Operand, PIG_ARCH_REGS Registers, PIG_XSAVE_AREA XsaveArea, QWORD *LinearAddresses) |
| Decode VSIB addresses from the given instruction. More... | |
| INTSTATUS | IntDecDecodeSourceLinearAddressFromInstruction (PINSTRUX Instrux, PIG_ARCH_REGS Registers, QWORD *LinearAddress) |
| Decode the source memory linear address. More... | |
| INTSTATUS | IntDecDecodeDestinationLinearAddressFromInstruction (PINSTRUX Instrux, PIG_ARCH_REGS Registers, QWORD *LinearAddress) |
| Decode the destination memory linear address. More... | |
| static INTSTATUS | IntSetValueForOperand (PINSTRUX Instrux, DWORD OperandIndex, PIG_ARCH_REGS Registers, OPERAND_VALUE *OpValue, BOOLEAN Commit) |
| Set the value of an instruction operand. More... | |
| static INTSTATUS | IntGetValueFromOperand (PINSTRUX Instrux, DWORD OperandIndex, PIG_ARCH_REGS Registers, PBYTE MemoryValue, OPERAND_VALUE *WrittenValue) |
| Get the value of an instruction operand. More... | |
| INTSTATUS | IntDecEmulateRead (PINSTRUX Instrux, BYTE *SrcValueBuffer) |
| Emulate a read access. More... | |
| INTSTATUS | IntDecGetWrittenValueFromInstruction (PINSTRUX Instrux, PIG_ARCH_REGS Registers, PBYTE MemoryValue, OPERAND_VALUE *WrittenValue) |
| Decode a written value from a memory write instruction. More... | |
| INTSTATUS | IntDecEmulateInstruction (DWORD CpuNumber, PINSTRUX Instrux) |
| Emulate a MOV or a PUSH instruction. More... | |
| static QWORD | IntDecAtomicStore (void *Address, DWORD Size, QWORD New, QWORD Old) |
| Atomically store a value in memory. More... | |
| INTSTATUS | IntDecEmulatePTWrite (QWORD *NewValue) |
| Emulate a page-table write. More... | |
| INTSTATUS | IntDecGetAccessedMemCount (PINSTRUX Instrux, DWORD *Count) |
| Decode the number of memory locations accessed by an instruction. More... | |
| INTSTATUS | IntDecGetAccessedMem (PINSTRUX Instrux, PIG_ARCH_REGS Registers, PIG_XSAVE_AREA XsaveArea, MEMADDR *Gla, DWORD *Count) |
| Decode each accessed address by an instruction. More... | |
| static INTSTATUS | IntDecGetSetSseRegValue (PIG_XSAVE_AREA XsaveArea, DWORD Reg, DWORD Size, OPERAND_VALUE *Value, BOOLEAN Set, BOOLEAN Commit) |
| Gets or sets the value of a vector register. More... | |
| INTSTATUS | IntDecGetSseRegValue (PIG_XSAVE_AREA XsaveArea, DWORD Reg, DWORD Size, OPERAND_VALUE *Value) |
| Get the value of a vector register. Wrapper over IntDecGetSetSseRegValue. More... | |
| INTSTATUS | IntDecSetSseRegValue (PIG_XSAVE_AREA XsaveArea, DWORD Reg, DWORD Size, OPERAND_VALUE *Value, BOOLEAN Commit) |
| Sets the value of a vector register. Wrapper over IntDecGetSetSseRegValue. More... | |
| INTSTATUS | IntDecEmulatePageWalk (QWORD Gla, QWORD Cr3, DWORD Flags) |
| INTSTATUS | IntDecGetMaxvl (ND_OPERAND_SIZE *Maxvl) |
| Computes the maximum vector length, given the enabled states inside the XCR0 register. More... | |
Variables | |
| enum { ... } | INT_FLAGS_MODE |
| Describes the flags affected by an instruction. More... | |
| #define GET_SIGN | ( | sz, | |
| x | |||
| ) |
Get the sign bit of a value.
| [in] | sz | Size of the value. |
| [in] | x | Value. |
Definition at line 67 of file decoder.c.
Referenced by IntDecSetFlags().
| #define IS_ACCESS_IN_KERNEL_LIX | ( | gla, | |
| size | |||
| ) |
Checks if a memory access is done inside the Linux kernel virtual address space.
| [in] | gla | Guest linear address at which the access starts. |
| [in] | size | The size of the access. |
| True | if the entire access is done inside the kernel virtual address space. |
| False | if it is not. |
Definition at line 50 of file decoder.c.
Referenced by IntDecEmulateRead().
| #define IS_ACCESS_IN_KERNEL_WIN | ( | is64, | |
| gla, | |||
| size | |||
| ) |
Checks if a memory access is done inside the Windows kernel virtual address space.
| [in] | is64 | True if this is a 64-bit kernel, False if it is a 32-bit kernel. |
| [in] | gla | Guest linear address at which the access starts. |
| [in] | size | The size of the access. |
| True | if the entire access is done inside the kernel virtual address space. |
| False | if it is not. |
Definition at line 41 of file decoder.c.
Referenced by IntDecEmulateRead().
| #define REG_GPRP | ( | ctx, | |
| reg | |||
| ) | ((&(ctx)->Rax) + (reg)) |
Get the pointer to a register.
This assumes that the registers are placed in the order documented by the Intel manual.
| [in] | ctx | Structure containing the registers. IG_ARCH_REGS can safely be used with this macro. |
| [in] | reg | The index of the register. |
| #define REG_GPRV | ( | ctx, | |
| reg | |||
| ) | (*((&(ctx)->Rax) + (reg))) |
Get the value of a register inside a register array.
This assumes that the registers are placed in the order documented by the Intel manual.
| [in] | ctx | Structure containing the registers. IG_ARCH_REGS can safely be used with this macro. |
| [in] | reg | The index of the register. |
| anonymous enum |
Atomically store a value in memory.
Atomically store a value in memory. Returns the actual memory value. If it is different from Old, New has not been stored in memory.
| [in] | Address | Memory addresses where to atomic store will be made. |
| [in] | Size | Store size, in bytes. |
| [in] | New | The new value to be stored in memory. |
| [in] | Old | The old value present in memory. |
Definition at line 2680 of file decoder.c.
Referenced by IntDecEmulatePTWrite().
| INTSTATUS IntDecComputeLinearAddress | ( | PINSTRUX | Instrux, |
| PND_OPERAND | Operand, | ||
| PIG_ARCH_REGS | Registers, | ||
| QWORD * | LinearAddress | ||
| ) |
Given an instruction and a memory operand, it will compute the guest linear address encoded by that operand.
| [in] | Instrux | The decoded instruction. |
| [in] | Operand | The memory operand. |
| [in] | Registers | Optional pointer to the general purpose registers state. |
| [out] | LinearAddress | The computed linear address associated with the provided operand. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
| INT_STATUS_NOT_SUPPORTED | If VSIB is used by the instruction. |
Definition at line 790 of file decoder.c.
Referenced by IntDecDecodeDestinationLinearAddressFromInstruction(), IntDecDecodeSourceLinearAddressFromInstruction(), IntDecEmulatePTWrite(), IntDecGetAccessedMem(), IntDecGetWrittenValueFromInstruction(), IntGetValueFromOperand(), IntHandleDtrViolation(), and IntSetValueForOperand().
|
static |
Decode VSIB addresses from the given instruction.
This function will compute up to 16 indexes as used by VSIB addressing. Make sure the LinearAddresses param can hold the maximum number of indexes. This function must be called when the memory operand of the given instruction uses the VSIB addressing.
| [in] | Instrux | The decoded instruction. |
| [in] | Operand | The VSIB memory operand. |
| [in] | Registers | Optional pointer to the general purpose registers state. |
| [in] | XsaveArea | Optional pointer to the XSAVE area where the state is saved. |
| [out] | LinearAddresses | Up to 16 VSIB addresses accessed by the instruction. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER | If an invalid parameter is provided. |
Definition at line 973 of file decoder.c.
Referenced by IntDecGetAccessedMem().
| INTSTATUS IntDecDecodeAccessSize | ( | PINSTRUX | Instrux, |
| PIG_ARCH_REGS | Registers, | ||
| QWORD | Gla, | ||
| BYTE | AccessType, | ||
| DWORD * | AccessSize | ||
| ) |
Decode the memory access size of a given instruction.
This function will decode the memory access size from the provided instruction. Important note: this function assumes that the memory access as explicit (as part of an instruction execution). However, there are several cases where the CPU may access memory implicitly:
| [in] | Instrux | The decoded instruction. |
| [in] | Registers | The general purpose registers state. |
| [in] | Gla | Reserved for future use. |
| [in] | AccessType | The operand who`s access is equal to AccessType will be decoded (useful for MOVS instruction). |
| [out] | AccessSize | Will contain, upon successful return, the size of the memory operand who`s access is AccessType. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_FOUND | If a memory operand with access AccessType is not found. |
Definition at line 731 of file decoder.c.
Referenced by IntHandleEptViolation().
| INTSTATUS IntDecDecodeDestinationLinearAddressFromInstruction | ( | PINSTRUX | Instrux, |
| PIG_ARCH_REGS | Registers, | ||
| QWORD * | LinearAddress | ||
| ) |
Decode the destination memory linear address.
| [in] | Instrux | The decoded instruction. |
| [in] | Registers | Optional pointer to the general purpose registers state. |
| [out] | LinearAddress | Will contain, upon successful exit, the written linear address. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
| INT_STATUS_NOT_FOUND | If a memory operand that is written is not found. |
Definition at line 1202 of file decoder.c.
Referenced by IntHandleEptViolation().
| INTSTATUS IntDecDecodeInstruction | ( | IG_CS_TYPE | CsType, |
| QWORD | Gva, | ||
| void * | Instrux | ||
| ) |
Decode an instruction from the provided guest linear address.
Will decode, in the context of the current CPU the instruction located at address GuestVirtualAddress. The decoded instruction will be returned in the Instrux argument. Note that this function does not use the instruction cache. It will map & decode the provided Gva on each call.
| [in] | CsType | Operating mode/mode in which the instruction must be decoded. |
| [in] | Gva | The guest virtual address that contains the instruction to be decoded. |
| [out] | Instrux | Will contain, upon successful return, the decoded instruction. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
| INT_STATUS_PAGE_NOT_PRESENT | If the page containing the instruction is not mapped. |
| INT_STATUS_DISASM_ERROR | If the decoding failed. |
Definition at line 180 of file decoder.c.
Referenced by IntDecDecodeInstructionAtRip(), IntDecDecodeInstructionAtRipWithCache(), IntDisasmGva(), IntLixApiHijackHook(), IntLixCrashFetchDmesgSymbol(), IntLixFindDataStart(), IntLixGuestFindPgd(), IntLixGuestFindProperSyscall(), IntLixGuestResolveExTableLimits(), IntLixPatchSwapgs(), IntLixResolveCurrentCpuOffset(), IntLixResolveCurrentProcessOffset(), IntLixResolveExeFileOffset(), IntLixResolveThreadStructOffset(), IntLixVdsoResolveImageAddress(), IntLogCurrentIP(), IntPeFindFunctionStart(), IntWinApiHookVeHandler(), and IntWinStackTraceGet64().
| INTSTATUS IntDecDecodeInstructionAtRip | ( | DWORD | CpuNumber, |
| IG_ARCH_REGS * | Registers, | ||
| IG_SEG_REGS * | Segments, | ||
| INSTRUX * | Instrux | ||
| ) |
Decode an instruction at current RIP on the provided VCPU.
Will decode the instruction pointed by the current RIP on the provided CPU. If CpuNumber is not the current VCPU, make sure it is paused before doing any kind of query on it, since information from a running VCPU is undefined.
| [in] | CpuNumber | The CPU number. |
| [in] | Registers | The general purpose register state. |
| [in] | Segments | Optional pointer to the segment register state. If NULL, the segment registers will be fetched internally. |
| [out] | Instrux | Will contain, upon successful return, the decoded instruction. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
| INT_STATUS_NOT_SUPPORTED | If the provided CPU is not in 16, 32 or 64 bit mode. |
| INT_DISASM_ERROR | If a decoding error occurs. |
Definition at line 384 of file decoder.c.
Referenced by IntHandleBreakpoint(), and IntUnpPageExecuteCallback().
| INTSTATUS IntDecDecodeInstructionAtRipWithCache | ( | void * | Cache, |
| DWORD | CpuNumber, | ||
| PIG_ARCH_REGS | Registers, | ||
| PINSTRUX | Instrux, | ||
| DWORD | Options, | ||
| BOOLEAN * | CacheHit, | ||
| BOOLEAN * | Added | ||
| ) |
Decode an instruction using the cache.
Given the CPU CpuNumber, this function will decode the instruction located at RIP, using the cache. If the instruction was already cached, it will be returned from there. Otherwise, it will be added to the cache, if Options does not contain DEC_OPT_NO_CACHE.
| [in] | Cache | The instruction cache. |
| [in] | CpuNumber | The CPU number for which the instruction at RIP will be decoded. |
| [in] | Registers | The general purpose registers state. |
| [out] | Instrux | Will contain, upon successful return, the decoded instruction. |
| [in] | Options | Decode options. Can be 0 or DEC_OPT_NO_CACHE, which indicates that the instruction should not be cached. |
| [out] | CacheHit | Optional, set to true if the cache was hit, or false otherwise. |
| [out] | Added | Optional, set to true if the instruction has been added to the cache, false otherwise. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
| INT_STATUS_PAGE_NOT_PRESENT | If the page containing the instruction is swapped out. |
| INT_STATUS_NO_MAPPING_STRUCTURES | If the page containing the instruction is swapped out. |
| INT_STATUS_NOT_SUPPORTED | If the CR3 for the CPU CpuNumber does not point to a valid process. |
Definition at line 449 of file decoder.c.
Referenced by IntGetCurrentInstructionLength(), IntGetCurrentInstructionMnemonic(), IntHandleDtrViolation(), and IntHandleEptViolation().
| INTSTATUS IntDecDecodeInstructionFromBuffer | ( | PBYTE | Buffer, |
| size_t | BufferSize, | ||
| IG_CS_TYPE | CsType, | ||
| void * | Instrux | ||
| ) |
Decode an instruction from the provided buffer.
Decodes an instruction from the provided buffer. If the function fails, the Instrux parameter is undefined.
| [in] | Buffer | The buffer containing the instruction. |
| [in] | BufferSize | The size of the input buffer. |
| [in] | CsType | Operating mode (16, 32 or 64 bit). |
| [out] | Instrux | Will contain upon successful return the decoded instruction. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
| INT_STATUS_DISASM_ERROR | If instruction decoding failed. |
Definition at line 308 of file decoder.c.
Referenced by DbgTestSse(), IntDetRelocate(), IntDetSetHook(), IntDisasmBuffer(), IntDispatchVeAsEpt(), IntDumpCode(), IntFragExtractCodePattern(), IntFragExtractPattern(), IntGuestIsKptiActive(), IntLixGuestIsKptiActive(), IntPtiMonitorAllPtWriteCandidates(), IntVeDumpVeInfoPage(), IntVeFindKernelKvaShadowAndKernelExit(), IntWinGuestFindKernelCr3(), IntWinHalFindPerformanceCounterInternal(), and IntWinHalHandleHalHeapExec().
|
static |
Decode the size of the given operand.
Given an instruction operand and the general purpose registers state, it will decode it's size. It assumes it will be called for memory operands only. This function is required, as some instructions may contain operands who's size is variable (for example, XSAVE/XRSTOR memory operand, which depends on the enabled extended state).
| [in] | Instrux | The decoded instruction. |
| [in] | Operand | The instruction (memory) operand for which the size is to be computed. |
| [in] | Registers | The general purpose registers state. |
| [out] | AccessSize | Will contain, upon successful return, the actual size of the provided operand. |
| INT_STATUS_SUCCESS | On success. |
Cache-flushing instructions (CLFLUSH, CLFLUSHOPT, CLWB) should not be a problem, as the page walk and the EPT walk should be done when data is written in memory an cached.
Definition at line 654 of file decoder.c.
Referenced by IntDecDecodeAccessSize(), and IntDecGetAccessedMem().
| INTSTATUS IntDecDecodeSourceLinearAddressFromInstruction | ( | PINSTRUX | Instrux, |
| PIG_ARCH_REGS | Registers, | ||
| QWORD * | LinearAddress | ||
| ) |
Decode the source memory linear address.
| [in] | Instrux | The decoded instruction. |
| [in] | Registers | Optional pointer to the general purpose registers state. |
| [out] | LinearAddress | Will contain, upon successful exit, the read linear address. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
| INT_STATUS_NOT_FOUND | If a memory operand that is read is not found. |
Definition at line 1149 of file decoder.c.
Referenced by IntMemClkHandleRead().
Emulate a MOV or a PUSH instruction.
This function emulates the instruction currently pointed by RIP on the provided CpuNumber. It is intended to be used only by detours handlers, and, as such, it only supports two instructions: PUSH and MOV. This function should not be called outside a direct detour handler.
| [in] | CpuNumber | The CPU context (should be IG_CURRENT_VCPU). |
| [in] | Instrux | The decoded instruction. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
| INT_STATUS_NOT_SUPPORTED | If an unsupported instruction is provided. |
Emulates a page-walk by setting the A and/or D flags inside the required page-table levels. This function will always set the A bit at every level of the page-tables. The D flag will be set if the page is already A, and it has write permissions.
| [in] | Gla | The guest linear address for which A/D bits will be set. |
| [in] | Cr3 | The CR3 used for the translation of Gla. |
| [in] | Flags | Contains the page-walk flags: PW_FLAGS_SET_A in order to set the A bit, PW_FLAGS_SET_D in order to set the D bit. |
| INT_STATUS_SUCCESS | On success. |
Definition at line 3613 of file decoder.c.
Referenced by IntDecEmulateRead().
Emulate a page-table write.
Fast Page Table write emulator. This function makes some strong assumptions:
| [out] | NewValue | The new value stored inside the page-table entry. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER | If an invalid parameter has been supplied. |
| INT_STATUS_NOT_SUPPORTED | If the instruction is not supported. |
Definition at line 2720 of file decoder.c.
Referenced by IntHookPtwEmulateWrite().
Emulate a read access.
This function assumes that it is called for emulating instructions that read data from memory. If not NULL, SrcValueBuffer will be used instead of the real memory contents. Caller must ensure that SrcValueBuffer has a minimum size of gVcpu->AccessSize. Note that after calling this function some assumptions about the global state can't be made: on successful emulation, gVcpu->Regs.Rip will no longer point to the instruction bytes from which gVcpu->Instruction was decoded, but to the next instruction; as a result, calling IntDecEmulateRead twice on the same exit might prove fatal.
| [in] | Instrux | The decoded instruction. |
| [in] | SrcValueBuffer | Optional pointer to the source value buffer. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_SUPPORTED | If the emulation is not supported (invalid OS, architecture, instruction). |
set the operand value, then update the RIP, we will still have the same problem, only in reverse: we may end up with the instruction being emulated, but the RIP still pointing to it
Definition at line 1570 of file decoder.c.
Referenced by IntHandleEptViolation().
| INTSTATUS IntDecGetAccessedMem | ( | PINSTRUX | Instrux, |
| PIG_ARCH_REGS | Registers, | ||
| PIG_XSAVE_AREA | XsaveArea, | ||
| MEMADDR * | Gla, | ||
| DWORD * | Count | ||
| ) |
Decode each accessed address by an instruction.
Given an instruction, it computes every accessed linear address. It assumes the caller has already allocated enough storage space inside Gla.
| [in] | Instrux | The decoded instruction. |
| [in] | Registers | Optional pointer to the general purpose registers state. |
| [in] | XsaveArea | Optional pointer to the XSAVE area. |
| [out] | Gla | Pointer to an array that will contain, upon return, each accessed Gla. |
| [in,out] | Count | On function entry, contains the number of slots available inside Gla. On return, it contains the actual number of entries stored in Gla array. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
| INT_STATUS_DATA_BUFFER_TOO_SMALL | If the Gla array is too small. |
Definition at line 3160 of file decoder.c.
Referenced by DbgTestSse(), and IntHandleEptViolation().
Decode the number of memory locations accessed by an instruction.
Given the decoded instruction, this function will return in Count the number of memory locations accessed by this instruction. There may be cases where an instruction accesses multiple locations - for example, POP [mem] will read the from the memory (stack) and it will store to the provided mem address. Another example includes instructions with VSIB addressing, which may access up to 16 different locations.
| [in] | Instrux | The decoded instruction. |
| [out] | Count | The number of memory locations accessed by the instruction. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
Definition at line 3110 of file decoder.c.
Referenced by IntHandleEptViolation().
| INTSTATUS IntDecGetMaxvl | ( | ND_OPERAND_SIZE * | Maxvl | ) |
Computes the maximum vector length, given the enabled states inside the XCR0 register.
| [out] | Maxvl | Contains, upon successful return, the maximum vector length: 128, 256 or 512 bits. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_FOUND | If XCR0 contains an invalid combination of bits. |
Definition at line 3672 of file decoder.c.
Referenced by IntDecEmulateRead().
|
static |
Gets or sets the value of a vector register.
| [in] | XsaveArea | Optional XSAVE area. If NULL, it will be queried internally. |
| [in] | Reg | The vector register to be accessed. |
| [in] | Size | The size to return/set in the vector register. |
| [in,out] | Value | The value of the vector register. |
| [in] | Set | If true, the vector register will be modified. Otherwise, it will return the vector register value. |
| [in] | Commit | If true, the vector registers state will be committed (use only if Set is true). |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INSUFFICIENT_RESOURCES | If memory could not be allocated for the XSAVE area. |
| INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
| INT_STATUS_NOT_SUPPORTED | If an invalid register is specified (for example, XMM8 outside long-mode). |
Definition at line 3291 of file decoder.c.
Referenced by IntDecGetSseRegValue(), and IntDecSetSseRegValue().
| INTSTATUS IntDecGetSseRegValue | ( | PIG_XSAVE_AREA | XsaveArea, |
| DWORD | Reg, | ||
| DWORD | Size, | ||
| OPERAND_VALUE * | Value | ||
| ) |
Get the value of a vector register. Wrapper over IntDecGetSetSseRegValue.
| [in] | XsaveArea | Optional XSAVE area. If NULL, it will be queried internally. |
| [in] | Reg | The vector register to be accessed. |
| [in] | Size | The size to return/set in the vector register. |
| [out] | Value | The value of the vector register. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INSUFFICIENT_RESOURCES | If memory could not be allocated for the XSAVE area. |
| INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
| INT_STATUS_NOT_SUPPORTED | If an invalid register is specified (for example, XMM8 outside long-mode). |
Definition at line 3561 of file decoder.c.
Referenced by IntDecComputeVsibLinearAddresses(), and IntGetValueFromOperand().
| INTSTATUS IntDecGetWrittenValueFromInstruction | ( | PINSTRUX | Instrux, |
| PIG_ARCH_REGS | Registers, | ||
| PBYTE | MemoryValue, | ||
| OPERAND_VALUE * | WrittenValue | ||
| ) |
Decode a written value from a memory write instruction.
Get the written value from an INSTRUX. It only supports a basic set of instructions (MOV, STOSB, MOVSB, XCHG, ADD, XOR, etc.). WrittenValue will always contain the value that will be written in the destination operand. For instructions that write to more than one operand (XCHG, XADD, etc), the value written to the memory operand will be returned. For CMPXCHG, CMPXCHG8B and CMPXCHG16B the return value is computed based on the compare result. No checks are made on WrittenValue size. The caller should allocate enough for the largest possible operand size. For now, the only supported instruction for which more than a QWORD is needed is CMPXCHG16B (2 QWORDs)
| [in] | Instrux | The decoded instruction. |
| [in] | Registers | Optional pointer to the general purpose registers state. |
| [in] | MemoryValue | Optional parameter to an already mapped memory region containing the memory operand. |
| [out] | WrittenValue | Will contain, upon successful return, the written value to memory. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
| INT_STATUS_NOT_SUPPORTED | If an unsupported instruction is provided. |
Definition at line 1861 of file decoder.c.
Referenced by IntExceptGetVictimEpt(), IntHookPtwEmulateWrite(), IntLixDrvIsLegitimateTextPoke(), IntWinDrvObjHandleWrite(), IntWinInfHookHandleSiloFirstWrite(), and IntWinInfHookSppViolationCallbackWmiPtrChanged().
|
static |
Sets the flags according to the result of an operation.
| [in] | Dst | The result of the operation. |
| [in] | Src1 | The first source operand. |
| [in] | Src2 | The second source operand. |
| [in] | Size | The size of the destination. |
| [in,out] | Regs | The registers state. |
| [in] | FlagsMode | Flags mode. A combination of INT_FLAGS_MODE values |
Definition at line 73 of file decoder.c.
Referenced by IntDecEmulatePTWrite(), and IntDecEmulateRead().
| INTSTATUS IntDecSetSseRegValue | ( | PIG_XSAVE_AREA | XsaveArea, |
| DWORD | Reg, | ||
| DWORD | Size, | ||
| OPERAND_VALUE * | Value, | ||
| BOOLEAN | Commit | ||
| ) |
Sets the value of a vector register. Wrapper over IntDecGetSetSseRegValue.
| [in] | XsaveArea | Optional XSAVE area. If NULL, it will be queried internally. |
| [in] | Reg | The vector register to be accessed. |
| [in] | Size | The size to return/set in the vector register. |
| [in] | Value | The value of the vector register. |
| [in] | Commit | True if the vector register state must be committed. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INSUFFICIENT_RESOURCES | If memory could not be allocated for the XSAVE area. |
| INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
| INT_STATUS_NOT_SUPPORTED | If an invalid register is specified (for example, XMM8 outside long-mode). |
Definition at line 3586 of file decoder.c.
Referenced by IntSetValueForOperand().
|
static |
Get the value of an instruction operand.
Returns the value from the given operand. Supported operand types: GPRs, memory operands, immediate operands OperandIndex is zero-based index of the desired operand. If provided, MemoryValue will be used to fetch the memory operand, if the operand is located in memory. Otherwise, the linear address will be computed and the operand will be fetched from within the guest memory. Note: no checks are made on OperandValue size. The caller should allocate enough space for the maximum possible operand size
| [in] | Instrux | Decoded instruction. |
| [in] | OperandIndex | The index of the operand who`s value is to be fetched. |
| [in] | Registers | Optional pointer to the general purpose registers state. |
| [in] | MemoryValue | Optional pointer to a memory region containing the memory operand. |
| [out] | WrittenValue | Will contain, upon successful return, the operand value. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_SUPPORTED | If the given operand type is not supported |
Definition at line 1401 of file decoder.c.
Referenced by IntDecEmulateInstruction(), IntDecEmulatePTWrite(), IntDecEmulateRead(), and IntDecGetWrittenValueFromInstruction().
|
static |
Set the value of an instruction operand.
This function will set the value for the provided instruction operand. If the operand is a general purpose register, it will modify that register. If the operand is memory, it will do a memory store to that address. This function only supports memory, general purpose & vector registers.
| [in] | Instrux | The decoded instruction. |
| [in] | OperandIndex | The operand who`s value is to be modified. |
| [in] | Registers | Optional pointer to the general purpose registers state. |
| [in] | OpValue | The new operand value to be set. |
| [in] | Commit | If true, the registers state will be committed to the visible state. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_SUPPORTED | If an unsupported operand type is used. |
Definition at line 1255 of file decoder.c.
Referenced by IntDecEmulateInstruction(), IntDecEmulatePTWrite(), and IntDecEmulateRead().
| enum { ... } INT_FLAGS_MODE |
Describes the flags affected by an instruction.
1.8.13