Bitdefender Hypervisor Memory Introspection
decoder.h
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2020 Bitdefender
3  * SPDX-License-Identifier: Apache-2.0
4  */
5 #ifndef _DECODER_H_
6 #define _DECODER_H_
7 
8 #include "glue.h"
9 #include "bddisasm.h"
10 
14 enum
15 {
16  opMov = 0,
17  opXor,
18  opAnd,
19  opOr,
20  opBts,
21  opAdd
22 };
23 
24 #define DEC_EFLAG_CF 0x00000001
25 
27 #define DEC_GET_FLAG(eflags, flag) ((eflags) >> (((flag) - 1) % 64))
28 
30 #define DEC_OPT_NO_CACHE 0x00000001
31 
33 #define DEC_INVALID_GPA 0xFFFFFFFFFFFFFFFF
34 
36 #define QWORD_HIGH_PART_MASK 0xFFFFFFFF00000000
37 
39 typedef struct _MEMADDR
40 {
41  QWORD Gla;
42  DWORD Size;
43  BYTE Access;
44  BYTE Reserved1;
45  WORD Reserved2;
46 } MEMADDR, *PMEMADDR;
47 
48 
50 typedef struct _OPERAND_VALUE
51 {
52  union
53  {
54  BYTE ByteValues[ND_MAX_REGISTER_SIZE];
55  WORD WordValues[ND_MAX_REGISTER_SIZE / 2];
56  DWORD DwordValues[ND_MAX_REGISTER_SIZE / 4];
57  QWORD QwordValues[ND_MAX_REGISTER_SIZE / 8];
58  } Value;
59 
60  DWORD Size;
61 } OPERAND_VALUE, *POPERAND_VALUE;
62 
63 
64 //
65 // API
66 //
67 INTSTATUS
68 IntDecDecodeInstruction(
69  _In_ IG_CS_TYPE CsType,
70  _In_ QWORD Gva,
71  _Out_ void *Instrux
72  );
73 
74 INTSTATUS
75 IntDecDecodeInstructionFromBuffer(
76  _In_reads_bytes_(BufferSize) PBYTE Buffer,
77  _In_ size_t BufferSize,
78  _In_ IG_CS_TYPE CsType,
79  _Out_ void *Instrux
80  );
81 
82 INTSTATUS
83 IntDecDecodeInstructionAtRip(
84  _In_ DWORD CpuNumber,
85  _In_ IG_ARCH_REGS *Registers,
86  _In_opt_ IG_SEG_REGS *Segments,
87  _Out_ INSTRUX *Instrux
88  );
89 
90 INTSTATUS
91 IntDecDecodeInstructionAtRipWithCache(
92  _In_ void *Cache,
93  _In_ DWORD CpuNumber,
94  _In_ PIG_ARCH_REGS Registers,
95  _Out_ PINSTRUX Instrux,
96  _In_ DWORD Options,
97  _Out_opt_ BOOLEAN *CacheHit,
98  _Out_opt_ BOOLEAN *Added
99  );
100 
101 INTSTATUS
102 IntDecDecodeAccessSize(
103  _In_ PINSTRUX Instrux,
104  _In_ PIG_ARCH_REGS Registers,
105  _In_ QWORD Gla,
106  _In_ BYTE AccessType,
107  _Out_ DWORD *AccessSize
108  );
109 
110 INTSTATUS
111 IntDecGetWrittenValueFromInstruction(
112  _In_ PINSTRUX Instrux,
113  _In_opt_ PIG_ARCH_REGS Registers,
114  _In_opt_ PBYTE MemoryValue,
115  _Out_ OPERAND_VALUE *WrittenValue
116  );
117 
118 INTSTATUS
119 IntDecEmulateInstruction(
120  _In_ DWORD CpuNumber,
121  _In_ PINSTRUX Instrux
122  );
123 
124 INTSTATUS
125 IntDecEmulatePTWrite(
126  _Out_ QWORD *NewValue
127  );
128 
129 #define PW_FLAGS_SET_A BIT(0)
130 #define PW_FLAGS_SET_D BIT(1)
131 
132 INTSTATUS
133 IntDecEmulatePageWalk(
134  _In_ QWORD Gla,
135  _In_ QWORD Cr3,
136  _In_ DWORD Flags
137  );
138 
139 INTSTATUS
140 IntDecGetAccessedMemCount(
141  _In_ PINSTRUX Instrux,
142  _Out_ DWORD *Count
143  );
144 
145 INTSTATUS
146 IntDecGetAccessedMem(
147  _In_ PINSTRUX Instrux,
148  _In_opt_ PIG_ARCH_REGS Registers,
149  _In_opt_ PIG_XSAVE_AREA XsaveArea,
150  _Out_writes_(*Count) MEMADDR *Gla,
151  _Inout_ DWORD *Count
152  );
153 
154 INTSTATUS
155 IntDecGetSseRegValue(
156  _In_opt_ PIG_XSAVE_AREA XsaveArea,
157  _In_ DWORD Reg,
158  _In_ DWORD Size,
159  _Out_ OPERAND_VALUE *Value
160  );
161 
162 INTSTATUS
163 IntDecSetSseRegValue(
164  _In_opt_ PIG_XSAVE_AREA XsaveArea,
165  _In_ DWORD Reg,
166  _In_ DWORD Size,
167  _In_ OPERAND_VALUE *Value,
168  _In_ BOOLEAN Commit
169  );
170 
171 INTSTATUS
172 IntDecEmulateRead(
173  _In_ PINSTRUX Instrux,
174  _In_opt_ BYTE *SrcValueBuffer
175  );
176 
177 INTSTATUS
178 IntDecComputeLinearAddress(
179  _In_ PINSTRUX Instrux,
180  _In_ PND_OPERAND Operand,
181  _In_opt_ PIG_ARCH_REGS Registers,
182  _Out_ QWORD *LinearAddress
183  );
184 
185 INTSTATUS
186 IntDecDecodeDestinationLinearAddressFromInstruction(
187  _In_ PINSTRUX Instrux,
188  _In_opt_ PIG_ARCH_REGS Registers,
189  _Out_ QWORD *LinearAddress
190  );
191 
192 INTSTATUS
193 IntDecDecodeSourceLinearAddressFromInstruction(
194  _In_ PINSTRUX Instrux,
195  _In_opt_ PIG_ARCH_REGS Registers,
196  _Out_ QWORD *LinearAddress
197  );
198 
199 INTSTATUS
200 IntDecGetMaxvl(
201  _Out_ ND_OPERAND_SIZE *Maxvl
202  );
203 
204 #endif // _DECODER_H_
_In_opt_
#define _In_opt_
Definition: intro_sal.h:16
IntDecGetAccessedMem
INTSTATUS IntDecGetAccessedMem(PINSTRUX Instrux, PIG_ARCH_REGS Registers, PIG_XSAVE_AREA XsaveArea, MEMADDR *Gla, DWORD *Count)
Decode each accessed address by an instruction.
Definition: decoder.c:3160
BOOLEAN
_Bool BOOLEAN
Definition: intro_types.h:58
_Out_
#define _Out_
Definition: intro_sal.h:22
opMov
MOV instruction.
Definition: decoder.h:16
IntDecEmulateRead
INTSTATUS IntDecEmulateRead(PINSTRUX Instrux, BYTE *SrcValueBuffer)
Emulate a read access.
Definition: decoder.c:1570
_IG_XSAVE_AREA
Describes an XSAVE area format.
Definition: glueiface.h:93
opXor
XOR instruction.
Definition: decoder.h:17
BYTE
uint8_t BYTE
Definition: intro_types.h:47
_In_
#define _In_
Definition: intro_sal.h:21
_MEMADDR::Reserved2
WORD Reserved2
Definition: decoder.h:45
WORD
uint16_t WORD
Definition: intro_types.h:48
opAdd
ADD instruction.
Definition: decoder.h:21
_MEMADDR
Describes a memory address, as used in an instruction.
Definition: decoder.h:39
IntDecGetSseRegValue
INTSTATUS IntDecGetSseRegValue(PIG_XSAVE_AREA XsaveArea, DWORD Reg, DWORD Size, OPERAND_VALUE *Value)
Get the value of a vector register. Wrapper over IntDecGetSetSseRegValue.
Definition: decoder.c:3561
_IG_SEG_REGS
Holds segment register state.
Definition: glueiface.h:64
IntDecDecodeInstructionAtRip
INTSTATUS IntDecDecodeInstructionAtRip(DWORD CpuNumber, IG_ARCH_REGS *Registers, IG_SEG_REGS *Segments, INSTRUX *Instrux)
Decode an instruction at current RIP on the provided VCPU.
Definition: decoder.c:384
INTSTATUS
int INTSTATUS
The status data type.
Definition: introstatus.h:24
IntDecComputeLinearAddress
INTSTATUS IntDecComputeLinearAddress(PINSTRUX Instrux, PND_OPERAND Operand, PIG_ARCH_REGS Registers, QWORD *LinearAddress)
Given an instruction and a memory operand, it will compute the guest linear address encoded by that o...
Definition: decoder.c:790
_MEMADDR::Access
BYTE Access
Access (read, write, or a combination).
Definition: decoder.h:43
PMEMADDR
struct _MEMADDR * PMEMADDR
_Out_writes_
#define _Out_writes_(expr)
Definition: intro_sal.h:28
IG_CS_TYPE
IG_CS_TYPE
The type of the code segment.
Definition: glueiface.h:183
IntDecEmulatePageWalk
INTSTATUS IntDecEmulatePageWalk(QWORD Gla, QWORD Cr3, DWORD Flags)
Definition: decoder.c:3613
_MEMADDR::Gla
QWORD Gla
The guest linear address.
Definition: decoder.h:41
_Inout_
#define _Inout_
Definition: intro_sal.h:20
_Out_opt_
#define _Out_opt_
Definition: intro_sal.h:30
_OPERAND_VALUE
Describes an operand value.
Definition: decoder.h:50
OPERAND_VALUE
struct _OPERAND_VALUE OPERAND_VALUE
Describes an operand value.
PBYTE
uint8_t * PBYTE
Definition: intro_types.h:47
_MEMADDR::Reserved1
BYTE Reserved1
Definition: decoder.h:44
QWORD
unsigned long long QWORD
Definition: intro_types.h:53
IntDecGetAccessedMemCount
INTSTATUS IntDecGetAccessedMemCount(PINSTRUX Instrux, DWORD *Count)
Decode the number of memory locations accessed by an instruction.
Definition: decoder.c:3110
IntDecSetSseRegValue
INTSTATUS IntDecSetSseRegValue(PIG_XSAVE_AREA XsaveArea, DWORD Reg, DWORD Size, OPERAND_VALUE *Value, BOOLEAN Commit)
Sets the value of a vector register. Wrapper over IntDecGetSetSseRegValue.
Definition: decoder.c:3586
opAnd
AND instruction.
Definition: decoder.h:18
IntDecDecodeInstructionFromBuffer
INTSTATUS IntDecDecodeInstructionFromBuffer(PBYTE Buffer, size_t BufferSize, IG_CS_TYPE CsType, void *Instrux)
Decode an instruction from the provided buffer.
Definition: decoder.c:308
_OPERAND_VALUE::Size
DWORD Size
The operand size.
Definition: decoder.h:60
IntDecEmulatePTWrite
INTSTATUS IntDecEmulatePTWrite(QWORD *NewValue)
Emulate a page-table write.
Definition: decoder.c:2720
DWORD
uint32_t DWORD
Definition: intro_types.h:49
_In_reads_bytes_
#define _In_reads_bytes_(expr)
Definition: intro_sal.h:25
_MEMADDR::Size
DWORD Size
The size.
Definition: decoder.h:42
IntDecDecodeSourceLinearAddressFromInstruction
INTSTATUS IntDecDecodeSourceLinearAddressFromInstruction(PINSTRUX Instrux, PIG_ARCH_REGS Registers, QWORD *LinearAddress)
Decode the source memory linear address.
Definition: decoder.c:1149
POPERAND_VALUE
struct _OPERAND_VALUE * POPERAND_VALUE
IntDecDecodeAccessSize
INTSTATUS IntDecDecodeAccessSize(PINSTRUX Instrux, PIG_ARCH_REGS Registers, QWORD Gla, BYTE AccessType, DWORD *AccessSize)
Decode the memory access size of a given instruction.
Definition: decoder.c:731
IntDecDecodeDestinationLinearAddressFromInstruction
INTSTATUS IntDecDecodeDestinationLinearAddressFromInstruction(PINSTRUX Instrux, PIG_ARCH_REGS Registers, QWORD *LinearAddress)
Decode the destination memory linear address.
Definition: decoder.c:1202
opBts
BTS instruction.
Definition: decoder.h:20
IntDecGetMaxvl
INTSTATUS IntDecGetMaxvl(ND_OPERAND_SIZE *Maxvl)
Computes the maximum vector length, given the enabled states inside the XCR0 register.
Definition: decoder.c:3672
IntDecGetWrittenValueFromInstruction
INTSTATUS IntDecGetWrittenValueFromInstruction(PINSTRUX Instrux, PIG_ARCH_REGS Registers, PBYTE MemoryValue, OPERAND_VALUE *WrittenValue)
Decode a written value from a memory write instruction.
Definition: decoder.c:1861
IntDecDecodeInstructionAtRipWithCache
INTSTATUS IntDecDecodeInstructionAtRipWithCache(void *Cache, DWORD CpuNumber, PIG_ARCH_REGS Registers, PINSTRUX Instrux, DWORD Options, BOOLEAN *CacheHit, BOOLEAN *Added)
Decode an instruction using the cache.
Definition: decoder.c:449
_IG_ARCH_REGS
Holds register state.
Definition: glueiface.h:30
opOr
OR instruction.
Definition: decoder.h:19
MEMADDR
struct _MEMADDR MEMADDR
Describes a memory address, as used in an instruction.
IntDecEmulateInstruction
INTSTATUS IntDecEmulateInstruction(DWORD CpuNumber, PINSTRUX Instrux)
Emulate a MOV or a PUSH instruction.
Definition: decoder.c:2592
IntDecDecodeInstruction
INTSTATUS IntDecDecodeInstruction(IG_CS_TYPE CsType, QWORD Gva, void *Instrux)
Decode an instruction from the provided guest linear address.
Definition: decoder.c:180