memcloak.c

Go to the documentation of this file.

/*
 * Copyright (c) 2020 Bitdefender
 * SPDX-License-Identifier: Apache-2.0
 */

#include "memcloak.h"
#include "crc32.h"
#include "decoder.h"
#include "hook.h"

typedef struct _MEMCLOAK_PAGE
{
    DWORD           DataOffset;         
    DWORD           PageStartOffset;    
    DWORD           PageEndOffset;      
    void           *SwapHook;           
    void           *ReadHook;           
    void           *WriteHook;          
    void           *Region;             
} MEMCLOAK_PAGE, *PMEMCLOAK_PAGE;

#define MEMCLOACK_PAGE_MAX_COUNT    2   

typedef struct _MEMCLOAK_REGION
{
    LIST_ENTRY      Link;               
    QWORD           Gva;                
    QWORD           Cr3;                
    DWORD           Size;               
    DWORD           Options;            
    PBYTE           OriginalData;       
    PBYTE           PatchedData;        

    MEMCLOAK_PAGE   Pages[MEMCLOACK_PAGE_MAX_COUNT];
    DWORD           PageCount;          

    PFUNC_IntMemCloakWriteHandle WriteHandler;
} MEMCLOAK_REGION, *PMEMCLOAK_REGION;

static LIST_HEAD gMemClkRegions = LIST_HEAD_INIT(gMemClkRegions);


static INTSTATUS
IntMemClkUncloakRegionInternal(
    _In_ DWORD Options,
    _Inout_ PMEMCLOAK_REGION Region
    );

static INTSTATUS
IntMemClkHandleSwap(
    _Inout_ MEMCLOAK_PAGE *Context,
    _In_ QWORD VirtualAddress,
    _In_ QWORD OldEntry,
    _In_ QWORD NewEntry,
    _In_ QWORD OldPageSize,
    _In_ QWORD NewPageSize
    )

{
    INTSTATUS status;
    PMEMCLOAK_REGION pCloak;
    PMEMCLOAK_PAGE pPage;
    DWORD oldPgOffs, newPgOffs, internalOffset, size;
    QWORD oldPhysAddr, newPhysAddr;
    BOOLEAN oldValid,  newValid;

    status = INT_STATUS_SUCCESS;

    // Fetch the context
    pPage = Context;
    pCloak = (PMEMCLOAK_REGION)pPage->Region;

    // Get the physical page address.
    oldPhysAddr = CLEAN_PHYS_ADDRESS64(OldEntry) & (~(OldPageSize - 1));
    newPhysAddr = CLEAN_PHYS_ADDRESS64(NewEntry) & (~(NewPageSize - 1));

    oldValid = (OldEntry & 1);
    newValid = (NewEntry & 1);

    // If nothing interesting changed, bail out.
    if ((!oldValid && !newValid) || ((oldValid && newValid && (oldPhysAddr == newPhysAddr))))
    {
        return INT_STATUS_SUCCESS;
    }

    // Compute the offset inside the current page of the cloaked data.
    if ((pCloak->Gva & PAGE_MASK) ==
        ((pCloak->Gva + pCloak->Size - 1) & PAGE_MASK))
    {
        // The cloaked region is contained within the same 4K page. This is the simplest case. Note that we use
        // 4K pages for this test because they're the smallest entity that can be translated by the CPU.
        oldPgOffs = (DWORD)(pCloak->Gva & (OldPageSize - 1));
        newPgOffs = (DWORD)(pCloak->Gva & (NewPageSize - 1));

        internalOffset = 0;

        size = pCloak->Size;
    }
    else
    {
        // Hook spills multiple pages. Handle each case. Note that we use PAGE_SIZE and PAGE_MASK because we place
        // hooks on 4K pages: even if the pages will be remapped as a large 2M page, this callback will be invoked
        // for each 4K page individually.
        if ((pCloak->Gva & PAGE_MASK) == (VirtualAddress & PAGE_MASK))
        {
            // The first page written. This also covers the above case.
            oldPgOffs = (DWORD)(pCloak->Gva & (OldPageSize - 1));
            newPgOffs = (DWORD)(pCloak->Gva & (NewPageSize - 1));

            internalOffset = 0;

            size = (DWORD)MIN(PAGE_REMAINING(pCloak->Gva), pCloak->Size);
        }
        else
        {
            // Another page written.
            oldPgOffs = (DWORD)(((pCloak->Gva & PAGE_MASK) + PAGE_SIZE) & (OldPageSize - 1));
            newPgOffs = (DWORD)(((pCloak->Gva & PAGE_MASK) + PAGE_SIZE) & (NewPageSize - 1));

            internalOffset = (DWORD)((VirtualAddress & PAGE_MASK) - pCloak->Gva);

            size = MIN(PAGE_SIZE, pCloak->Size - internalOffset);
        }
    }

    // Even if the old page and the new page have different sizes, the internalOffset will be the same, since we
    // align the accesses to 4K (we always deal with 4K pages).

    if ((internalOffset >= pCloak->Size) || (internalOffset + size > pCloak->Size) || (size > pCloak->Size))
    {
        ERROR("[ERROR] Invalid state: internalOffset = %d, size = %d, total size = %d\n",
              internalOffset, size, pCloak->Size);
        IntDbgEnterDebugger();
    }

    TRACE("[MEMCLOAK] Translation modification, VA = 0x%016llx, OldEntry = 0x%016llx, NewEntry = 0x%016llx, "
          "OldSize = 0x%016llx, NewSize = 0x%016llx, OldOffs = %x, NewOffs = %x, size = %d\n",
          VirtualAddress, OldEntry, NewEntry, OldPageSize, NewPageSize, oldPgOffs, newPgOffs, size);

    TRACE("[MEMCLOAK] Will patch at GPA %llx/%llx offset %x/%x, size %d, int offset %d, [GVA1: %llx GVA2: %llx]\n",
          oldPhysAddr, newPhysAddr, oldPgOffs, newPgOffs, size,
          internalOffset, pCloak->Gva, VirtualAddress);

    if (oldValid)
    {
        status = IntPhysicalMemWrite(oldPhysAddr + oldPgOffs, size, &pCloak->OriginalData[internalOffset]);
        if (!INT_SUCCESS(status))
        {
            ERROR("[ERROR] IntPhysicalMemWrite failed: 0x%08x\n", status);
        }
    }

    if (newValid)
    {
        // Old entry was not present, the new one is.
        status = IntPhysicalMemWrite(newPhysAddr + newPgOffs, size, &pCloak->PatchedData[internalOffset]);
        if (!INT_SUCCESS(status))
        {
            ERROR("[ERROR] IntPhysicalMemWrite failed: 0x%08x\n", status);
        }
    }

    return status;
}


static INTSTATUS
IntMemClkHandleRead(
    _Inout_ MEMCLOAK_PAGE *Context,
    _In_ PHOOK_GPA Hook,
    _In_ QWORD Gpa,
    _Out_ INTRO_ACTION *Action
    )
{
    PIG_ARCH_REGS regs;
    PMEMCLOAK_REGION pClkReg;
    PMEMCLOAK_PAGE pClkPage;
    PPATCH_BUFFER pb;
    PINSTRUX instrux;
    INTSTATUS status;
    DWORD patchSize, origCodeOffset, retBufOffset, readSize;
    QWORD gla;
    PHOOK_GVA pGva;
    DWORD startReadOffset, endReadOffset;
    DWORD glaOffset, gpaOffset;

    // Fetch the cloak region pointer.
    pClkPage = Context;
    pClkReg = (PMEMCLOAK_REGION)pClkPage->Region;

    *Action = introGuestAllowed;

    pGva = (PHOOK_GVA)Hook->Header.ParentHook;
    if (NULL == pGva)
    {
        return INT_STATUS_INVALID_PARAMETER_2;
    }

    if (pGva->Header.HookType != hookTypeGva)
    {
        return INT_STATUS_INVALID_PARAMETER_2;
    }

    // Get the register state
    regs = &gVcpu->Regs;
    instrux = &gVcpu->Instruction;
    pb = &gVcpu->PatchBuffer;

    // In certain situations when the GLA is page-aligned it can't be trusted
    // Let's say we have a cloak region starting at 0x1006 and the guest starts a read on 0xffc with size 8
    // This will end at 0x1004, not even touching our region, but the CPU may report 0x1000 as the faulting GLA
    // So take the GLA from the instruction instead
    // This is not needed on Napoca due to the way read accessed are handled. On Xen, a read is emulated, so we need
    // to supply the actual value for the operand of the offending instruction, on Napoca the read is single stepped
    // so the contents are copied inside the guest starting with the offending GLA
    status = IntDecDecodeSourceLinearAddressFromInstruction(instrux, regs, &gla);
    if (!INT_SUCCESS(status))
    {
        ERROR("[ERROR] IntDecDecodeSourceLinearAddressFromInstruction failed: 0x%08x\n", status);
        return status;
    }

    // If reads are allowed to be performed from within the cloaked region, bail out.
    if ((0 != (pClkReg->Options & MEMCLOAK_OPT_ALLOW_INTERNAL)) &&
        ((regs->Rip >= pClkReg->Gva) && (regs->Rip < pClkReg->Gva + pClkReg->Size)))
    {
        return INT_STATUS_NOT_NEEDED_HINT;
    }

    readSize = gVcpu->AccessSize;
    glaOffset = gla & PAGE_OFFSET;
    gpaOffset = Gpa & PAGE_OFFSET;

    if ((0 == readSize) || (readSize > ND_MAX_REGISTER_SIZE))
    {
        CHAR instrText[ND_MIN_BUF_SIZE] = {0};

        NdToText(instrux, regs->Rip, ND_MIN_BUF_SIZE, instrText);

        ERROR("[MEMCLOAK] [ERROR] Couldn't find the source memory operand for instruction at RIP 0x%016llx '%s'!\n",
              regs->Rip, instrText);

        IntDbgEnterDebugger();

        return INT_STATUS_NOT_SUPPORTED;
    }

    // Read the actual bytes form the guest. We will patch below with the original bytes. Note that if the patch-buffer
    // has already been initialized, it simply means that this is an access that touches multiple cloaks (example,
    // inside the kernel slack space, where the detour handlers are closely packed together).
    if (!pb->Valid)
    {
        status = IntVirtMemRead(gla, readSize, regs->Cr3, pb->Data, NULL);
        if ((INT_STATUS_PAGE_NOT_PRESENT == status) || (INT_STATUS_NO_MAPPING_STRUCTURES == status))
        {
            *Action = introGuestAllowed;
            return INT_STATUS_SUCCESS;
        }
        else if (!INT_SUCCESS(status))
        {
            ERROR("[ERROR] IntVirtMemRead failed for GPA 0x%016llx with size %d: 0x%08x\n", gla, readSize, status);
            return status;
        }

        pb->Gla = gla;
        pb->Size = readSize;
        pb->Valid = TRUE;
    }
    else if (pb->Gla != gla)
    {
        // The access was already handled. This can happen if the access spans inside two pages, because we call the
        // handlers for each accessed page. For example, if we have a read at 0x1FFC with size 8, this callback will
        // be called two times: the first time with GLA = 0x1FFC and size 8, and the second time with GLA = 0x2000 and
        // size 4. Since the read was already handled the first time this callback was called, we can safely bail out.
        // Note that if the patch buffer is valid we may still have to handle this access, as the read may span multiple
        // cloaks, but on those cases, the patch buffer and the current GLAs will always be the same.
        return INT_STATUS_NOT_NEEDED_HINT;
    }

    startReadOffset = gpaOffset;
    endReadOffset = startReadOffset + readSize;

    //
    // There are a few cases that must be supported, which can be summarized as:
    //  If the cloak sub-region is: [cStart, cEnd) and the read region is [rStart, rEnd), we can combine them as:
    //      1. rStart < cStart < rEnd < cEnd (starts before the sub-region, ends inside it)
    //      2. rStart < cStart < cEnd < rEnd (starts before the sub-region, ends after it)
    //      3. cStart < rStart < rEnd < cEnd (starts inside the sub-region, ends inside it)
    //      4. cStart < rStart < cEnd < rEnd (starts inside the sub-region, ends after it)
    //  Note that rEnd < cStart (read ends before the start of the sub-region) and cEnd < rStart (read starts after the
    // end of the sub-region) are handled by the hooking mechanism and this callback is never invoked in those cases
    //  The above examples can get more complicated when dealing with page boundary issues, mainly: a read that starts
    // in one page and ends in the next one, touches a sub-region contained only in the next page: this is true when a
    // region is split across two pages (so it is contained in two sub-regions) or when it starts at the page start
    //

    if (glaOffset == gpaOffset)
    {
        // The access starts in the same page as the hooked page
        // The read ends in the next page, but we care only about the current one
        if (endReadOffset > PAGE_SIZE)
        {
            // The read ends at the end of this page
            endReadOffset = PAGE_SIZE;
            // Ignore anything that is read from the next page
            readSize = endReadOffset - startReadOffset;
        }

        if (startReadOffset < pClkPage->PageStartOffset)
        {
            // The read starts before the cloak
            origCodeOffset = 0 + pClkPage->DataOffset;
            retBufOffset = pClkPage->PageStartOffset - startReadOffset;
            // The read either ends inside the sub-region or after it ends, give back the minimum between the sub-region
            // size and the read size (ignoring everything that comes before the sub-region)
            patchSize = MIN(endReadOffset - pClkPage->PageStartOffset,
                            pClkPage->PageEndOffset - pClkPage->PageStartOffset);
        }
        else
        {
            // The read starts inside the sub-region
            origCodeOffset = startReadOffset - pClkPage->PageStartOffset + pClkPage->DataOffset;
            retBufOffset = 0;
            // The read either ends inside the sub-region or after it ends, give back the minimum between the sub-region
            // size and the read size (ignoring everything that comes before the sub-region)
            patchSize = MIN(endReadOffset - startReadOffset, pClkPage->PageEndOffset - startReadOffset);
        }
    }
    else
    {
        DWORD readInPrevPage;

        // The access starts in a page, but the hook is in the next one
        // Advance the read start to the next page
        startReadOffset = gpaOffset;
        // Recalculate the read size and the read end offset to ignore anything from the previous page
        readSize -= (PAGE_SIZE - glaOffset);
        endReadOffset = startReadOffset + readSize;
        // Remember what was read in the previous page
        readInPrevPage = gVcpu->AccessSize - readSize;

        if (startReadOffset <= pClkPage->PageStartOffset)
        {
            // The read starts before the cloak
            origCodeOffset = 0 + pClkPage->DataOffset;
            // Keep in mind that the instruction reads data from two pages, but pClkPage->PageStartOffset and
            // startReadOffset refer only to the current page
            retBufOffset = pClkPage->PageStartOffset - startReadOffset + readInPrevPage;
            // The read either ends inside the sub-region or after it ends, give back the minimum between the sub-region
            // size and the read size (ignoring everything that comes before the sub-region)
            patchSize = MIN(endReadOffset - pClkPage->PageStartOffset,
                            pClkPage->PageEndOffset - pClkPage->PageStartOffset);
        }
        else
        {
            // The read starts inside the cloak sub-range. This shouldn't happen as the read starts in the previous page
            // and the sub-range starts in the current page

            CHAR text[ND_MIN_BUF_SIZE] = { 0 };

            NdToText(instrux, regs->Rip, ND_MIN_BUF_SIZE, text);

            LOG("[MEMCLOAK] This should not happen\n");
            LOG("[MEMCLOAK] [CPU %d] From RIP 0x%016llx with instruction '%s', RegSize %d, GPA 0x%016llx, "
                "MemSize %d, access 0x%016llx/%d [0x%08x, 0x%08x) -> [0x%08x: 0x%08x, 0x%08x)\n",
                gVcpu->Index, regs->Rip, text, instrux->Operands[0].Size, Gpa,
                instrux->Operands[1].Size, gla, readSize, startReadOffset, endReadOffset,
                pClkPage->DataOffset, pClkPage->PageStartOffset, pClkPage->PageEndOffset);
            IntEnterDebugger();

            origCodeOffset = retBufOffset = patchSize = 0;
        }
    }

    if (startReadOffset < pClkPage->PageEndOffset &&
        endReadOffset > pClkPage->PageStartOffset)
    {
        // Patch the return buffer only if the guest read overlaps with the region guarded by this cloak page
        // This can happen as in the above case when the region starts at 0x1006 and and 8 bytes read starts at 0xffc,
        // but it is reported as being done for [0x1000, 0x10008), when in fact it does not overlap the region
        memcpy(&pb->Data[retBufOffset], &pClkReg->OriginalData[origCodeOffset], patchSize);
    }

#ifdef DEBUG

    TRACE("[MEMCLOAK] Handled the access on 0x%016llx/0x%016llx with retBufOffset = 0x%08x, "
          "origCodeOffset = 0x%08x, patchSize = 0x%08x\n",
          gla, Gpa, retBufOffset, origCodeOffset, patchSize);

    IntDumpBuffer(pb->Data, pb->Gla, pb->Size, 16, 1, TRUE, TRUE);

#endif // DEBUG

    *Action = introGuestAllowedPatched;

    return INT_STATUS_SUCCESS;
}


static INTSTATUS
IntMemClkHandleWrite(
    _In_ PMEMCLOAK_PAGE *Context,
    _In_ void *Hook,
    _In_ QWORD Address,
    _Out_ INTRO_ACTION *Action
    )
{
    INTSTATUS status;
    MEMCLOAK_REGION *pClkRegion;

    pClkRegion = (MEMCLOAK_REGION *)((MEMCLOAK_PAGE *)Context)->Region;

    // By default, any writes inside a memcloak should be denied.
    // This may be overwritten by the region's write handler.
    *Action = introGuestNotAllowed;

    if (NULL != pClkRegion->WriteHandler)
    {
        status = pClkRegion->WriteHandler(Hook, Address, pClkRegion->Gva, pClkRegion, Action);
        if (!INT_SUCCESS(status))
        {
            WARNING("[WARNING] Memcloak write handler failed for virtual address 0x%llx. Status: 0x%08x\n",
                    Address, status);
        }
    }

    // Force the returned action, on beta. We must deny writes inside the hooked portions, even on beta!
    return INT_STATUS_FORCE_ACTION_ON_BETA;
}


void
IntMemClkCleanup(
    _Inout_ MEMCLOAK_REGION *Region
    )
{
    if (NULL != Region->OriginalData)
    {
        HpFreeAndNullWithTag(&Region->OriginalData, IC_TAG_MCBF);
    }

    if (NULL != Region->PatchedData)
    {
        HpFreeAndNullWithTag(&Region->PatchedData, IC_TAG_MCBF);
    }

    HpFreeAndNullWithTag(&Region, IC_TAG_MCRG);
}


INTSTATUS
IntMemClkCloakRegion(
    _In_ QWORD VirtualAddress,
    _In_ QWORD Cr3,
    _In_ DWORD Size,
    _In_ DWORD Options,
    _In_opt_ PBYTE OriginalData,
    _In_opt_ PBYTE PatchedData,
    _In_opt_ PFUNC_IntMemCloakWriteHandle WriteHandler,
    _Out_ void **CloakHandle
    )
{
    INTSTATUS status;
    PMEMCLOAK_REGION pClkReg;
    DWORD leftToHook;
    DWORD pageCount;

    if (NULL == CloakHandle)
    {
        return INT_STATUS_INVALID_PARAMETER_8;
    }

    leftToHook = Size;
    pageCount = ((((VirtualAddress + Size - 1) & PAGE_MASK) - (VirtualAddress & PAGE_MASK)) / PAGE_SIZE) + 1;

    if (pageCount > MEMCLOACK_PAGE_MAX_COUNT)
    {
        return INT_STATUS_NOT_SUPPORTED;
    }

    pClkReg = HpAllocWithTag(sizeof(*pClkReg), IC_TAG_MCRG);
    if (NULL == pClkReg)
    {
        return INT_STATUS_INSUFFICIENT_RESOURCES;
    }

    InsertTailList(&gMemClkRegions, &pClkReg->Link);

    if (0 == Cr3)
    {
        Cr3 = gGuest.Mm.SystemCr3;
    }

    pClkReg->Gva = VirtualAddress;
    pClkReg->Cr3 = Cr3;
    pClkReg->Size = Size;
    pClkReg->Options = Options;
    pClkReg->WriteHandler = WriteHandler;

    pClkReg->OriginalData = HpAllocWithTag(Size, IC_TAG_MCBF);
    if (NULL == pClkReg->OriginalData)
    {
        status = INT_STATUS_INSUFFICIENT_RESOURCES;
        goto cleanup_and_exit;
    }

    pClkReg->PatchedData = HpAllocWithTag(Size, IC_TAG_MCBF);
    if (NULL == pClkReg->PatchedData)
    {
        status = INT_STATUS_INSUFFICIENT_RESOURCES;
        goto cleanup_and_exit;
    }

    // Now copy the original data inside the internal buffer.
    if (NULL != OriginalData)
    {
        memcpy(pClkReg->OriginalData, OriginalData, Size);
    }

    // And the patched data.
    if (NULL != PatchedData)
    {
        memcpy(pClkReg->PatchedData, PatchedData, Size);
    }

    for (QWORD va = VirtualAddress; va < VirtualAddress + Size;)
    {
        DWORD hookLen = MIN(leftToHook, PAGE_REMAINING(va));
        PMEMCLOAK_PAGE pClkPage = &pClkReg->Pages[pClkReg->PageCount++];

        leftToHook -= hookLen;

        pClkPage->Region = pClkReg;
        pClkPage->DataOffset = (DWORD)(va - VirtualAddress);
        pClkPage->PageStartOffset = va & PAGE_OFFSET;
        pClkPage->PageEndOffset = pClkPage->PageStartOffset + hookLen;

        // Swap hook. The callback will be called on translation changes.
        status = IntHookGvaSetHook(Cr3, va, hookLen, IG_EPT_HOOK_NONE, IntMemClkHandleSwap,
                                   pClkPage, NULL, HOOK_FLG_HIGH_PRIORITY, (PHOOK_GVA *)&pClkPage->SwapHook);
        if (!INT_SUCCESS(status))
        {
            ERROR("[ERROR] IntHookGvaSetHook failed for 0x%016llx: 0x%08x\n", va, status);
            goto cleanup_and_exit;
        }

        // Write hook. Needed on order to ensure correct EPT access rights are present.
        status = IntHookGvaSetHook(Cr3, va, hookLen, IG_EPT_HOOK_WRITE, IntMemClkHandleWrite,
                                   pClkPage, NULL, 0, (PHOOK_GVA *)&pClkPage->WriteHook);
        if (!INT_SUCCESS(status))
        {
            ERROR("[ERROR] IntHookGvaSetHook failed for 0x%016llx: 0x%08x\n", va, status);
            goto cleanup_and_exit;
        }

        // Read hook. On each read hitting our cloaked region, return the original date, thus hiding our modifications.
        status = IntHookGvaSetHook(Cr3, va, hookLen, IG_EPT_HOOK_READ, IntMemClkHandleRead,
                                   pClkPage, NULL, 0, (PHOOK_GVA *)&pClkPage->ReadHook);
        if (!INT_SUCCESS(status))
        {
            ERROR("[ERROR] IntHookGvaSetHook failed for 0x%016llx: 0x%08x\n", va, status);
            goto cleanup_and_exit;
        }

        va += hookLen;
    }

    if (0 != (Options & MEMCLOAK_OPT_APPLY_PATCH))
    {
        IntPauseVcpus();

        status = IntVirtMemWrite(VirtualAddress, Size, Cr3, pClkReg->PatchedData);

        IntResumeVcpus();

        if (!INT_SUCCESS(status) && (INT_STATUS_PAGE_NOT_PRESENT != status) &&
            (INT_STATUS_NO_MAPPING_STRUCTURES != status))
        {
            ERROR("[ERROR] IntVirtMemWrite failed: 0x%08x\n", status);
            goto cleanup_and_exit;
        }
    }

    *CloakHandle = pClkReg;

    return INT_STATUS_SUCCESS;

cleanup_and_exit:
    if (NULL != pClkReg)
    {
        INTSTATUS status2 = IntMemClkUncloakRegionInternal(Options, pClkReg);
        if (!INT_SUCCESS(status2))
        {
            ERROR("[ERROR] IntMemClkUncloakRegionInternal failed: 0x%08x\n", status2);
        }
    }

    return status;
}


INTSTATUS
IntMemClkModifyOriginalData(
    _In_ void *CloakHandle,
    _In_ DWORD Offset,
    _In_ DWORD Size,
    _In_ void *Data
    )
{
    PMEMCLOAK_REGION pClk;

    if (NULL == CloakHandle)
    {
        return INT_STATUS_INVALID_PARAMETER_1;
    }

    pClk = (PMEMCLOAK_REGION)CloakHandle;

    if (Offset >= pClk->Size)
    {
        return INT_STATUS_INVALID_PARAMETER_2;
    }

    if (Offset + Size > pClk->Size)
    {
        return INT_STATUS_INVALID_PARAMETER_3;
    }

    if (Size > pClk->Size)
    {
        return INT_STATUS_INVALID_PARAMETER_3;
    }

    if (NULL == Data)
    {
        return INT_STATUS_INVALID_PARAMETER_4;
    }

    memcpy(pClk->OriginalData + Offset, Data, Size);

    return INT_STATUS_SUCCESS;
}


INTSTATUS
IntMemClkModifyPatchedData(
    _In_ void *CloakHandle,
    _In_ DWORD Offset,
    _In_ DWORD Size,
    _In_opt_ const void *Data
    )
{
    INTSTATUS status;
    PMEMCLOAK_REGION pClk;

    if (NULL == CloakHandle)
    {
        return INT_STATUS_INVALID_PARAMETER_1;
    }

    pClk = (PMEMCLOAK_REGION)CloakHandle;

    if (Offset >= pClk->Size)
    {
        return INT_STATUS_INVALID_PARAMETER_2;
    }

    if (Offset + Size > pClk->Size)
    {
        return INT_STATUS_INVALID_PARAMETER_3;
    }

    if (Size > pClk->Size)
    {
        return INT_STATUS_INVALID_PARAMETER_3;
    }

    IntPauseVcpus();

    if (NULL != Data)
    {
        memcpy(pClk->PatchedData + Offset, Data, Size);
    }
    else
    {
        memset(pClk->PatchedData + Offset, 0, Size);
    }

    status = IntVirtMemWrite(pClk->Gva + Offset,
                             Size,
                             pClk->Cr3,
                             pClk->PatchedData + Offset);

    IntResumeVcpus();

    if (!INT_SUCCESS(status) && (INT_STATUS_PAGE_NOT_PRESENT != status) && (INT_STATUS_NO_MAPPING_STRUCTURES != status))
    {
        ERROR("[ERROR] IntVirtMemWrite failed: 0x%08x\n", status);
        return status;
    }

    // Even if we couldn't modify the memory, because it's swapped out, we're still ok - on swap-in, the
    // original content will be brought back in memory.
    return INT_STATUS_SUCCESS;
}


static INTSTATUS
IntMemClkUncloakRegionInternal(
    _In_ DWORD Options,
    _Inout_ PMEMCLOAK_REGION Region
    )
{
    INTSTATUS status = INT_STATUS_SUCCESS;

    RemoveEntryList(&Region->Link);

    if (0 != (Options & MEMCLOAK_OPT_APPLY_PATCH))
    {
        IntPauseVcpus();

        memcpy(Region->PatchedData, Region->OriginalData, Region->Size);

        status = IntKernVirtMemWrite(Region->Gva, Region->Size, Region->OriginalData);

        IntResumeVcpus();

        if (!INT_SUCCESS(status) &&
            (INT_STATUS_PAGE_NOT_PRESENT != status) &&
            (INT_STATUS_NO_MAPPING_STRUCTURES != status))
        {
            ERROR("[ERROR] IntKernVirtMemWrite failed: 0x%08x\n", status);
        }
    }

    for (DWORD i = 0; i < Region->PageCount; i++)
    {
        MEMCLOAK_PAGE *pPage = &Region->Pages[i];

        if (NULL != pPage->ReadHook)
        {
            status = IntHookGvaRemoveHook((HOOK_GVA **)&pPage->ReadHook, 0);
            if (!INT_SUCCESS(status))
            {
                ERROR("[ERROR] IntHookGvaRemoveHook failed: 0x%08x\n", status);
            }
        }

        if (NULL != pPage->WriteHook)
        {
            status = IntHookGvaRemoveHook((HOOK_GVA **)&pPage->WriteHook, 0);
            if (!INT_SUCCESS(status))
            {
                ERROR("[ERROR] IntHookGvaRemoveHook failed: 0x%08x\n", status);
            }
        }

        if (NULL != pPage->SwapHook)
        {
            status = IntHookGvaRemoveHook((HOOK_GVA **)&pPage->SwapHook, 0);
            if (!INT_SUCCESS(status))
            {
                ERROR("[ERROR] IntHookGvaRemoveHook failed: 0x%08x\n", status);
            }
        }
    }

    IntMemClkCleanup(Region);

    return status;
}


INTSTATUS
IntMemClkUncloakRegion(
    _In_ void *CloakHandle,
    _In_ DWORD Options
    )
{
    INTSTATUS status;

    if (NULL == CloakHandle)
    {
        return INT_STATUS_INVALID_PARAMETER_1;
    }

    status = IntMemClkUncloakRegionInternal(Options, CloakHandle);
    if (!INT_SUCCESS(status))
    {
        ERROR("[ERROR] IntMemClkUncloakRegionInternal failed: 0x%08x\n", status);
    }

    return status;
}


INTSTATUS
IntMemClkHashRegion(
    _In_ QWORD VirtualAddress,
    _In_ QWORD PhysicalAddress,
    _In_ DWORD Size,
    _Out_ DWORD *Crc32
    )
{
    INTSTATUS status;
    QWORD virtPage;
    LIST_ENTRY *list;
    DWORD pageOffset, intOffset, size;
    static BYTE pPageContent[PAGE_SIZE];

    if ((VirtualAddress & PAGE_OFFSET) + Size > PAGE_SIZE)
    {
        return INT_STATUS_INVALID_PARAMETER_3;
    }

    if (NULL == Crc32)
    {
        return INT_STATUS_INVALID_PARAMETER_4;
    }

    virtPage = VirtualAddress & PAGE_MASK;

    status = IntPhysicalMemRead(PhysicalAddress & PHYS_PAGE_MASK, PAGE_SIZE, pPageContent, NULL);
    if (!INT_SUCCESS(status))
    {
        ERROR("[ERROR] IntPhysMemRead failed: 0x%08x\n", status);
        return status;
    }

    list = gMemClkRegions.Flink;
    while (list != &gMemClkRegions)
    {
        PMEMCLOAK_REGION pReg = CONTAINING_RECORD(list, MEMCLOAK_REGION, Link);

        list = list->Flink;

        if ((pReg->Gva >= virtPage) && (pReg->Gva < virtPage + PAGE_SIZE))
        {
            // The cloaked region is contained within the page or starts within this page.
            pageOffset = pReg->Gva & PAGE_OFFSET;
            intOffset = 0;
            size = MIN(PAGE_SIZE - pageOffset, pReg->Size);
        }
        else if ((virtPage >= pReg->Gva) && (virtPage < pReg->Gva + pReg->Size))
        {
            // The cloaked region contains the page or parts of the page.
            pageOffset = 0;
            intOffset = (DWORD)(virtPage - pReg->Gva);
            size = MIN(PAGE_SIZE, pReg->Size - intOffset);
        }
        else
        {
            // No overlap, continue.
            continue;
        }

        memcpy(&pPageContent[pageOffset], &pReg->OriginalData[intOffset], size);
    }

    *Crc32 = Crc32ComputeFast(&pPageContent[VirtualAddress & PAGE_OFFSET], Size, 0);

    return status;

}


BOOLEAN
IntMemClkIsPtrInCloak(
    _In_ const void *Cloak,
    _In_ QWORD Ptr
    )
{
    const MEMCLOAK_REGION *pReg;

    if (NULL == Cloak)
    {
        return FALSE;
    }

    pReg = Cloak;
    if (Ptr >= pReg->Gva && Ptr < pReg->Gva + pReg->Size)
    {
        return TRUE;
    }

    return FALSE;
}


INTSTATUS
IntMemClkGetOriginalData(
    _In_ void *CloakHandle,
    _Out_ BYTE **OriginalData,
    _Out_  DWORD *Length
    )
{
    MEMCLOAK_REGION *pClk;

    if (NULL == CloakHandle)
    {
        return INT_STATUS_INVALID_PARAMETER_1;
    }

    if (NULL == OriginalData)
    {
        return INT_STATUS_INVALID_PARAMETER_2;
    }

    if (NULL == Length)
    {
        return INT_STATUS_INVALID_PARAMETER_3;
    }

    pClk = (MEMCLOAK_REGION *)CloakHandle;

    *OriginalData = pClk->OriginalData;

    *Length = pClk->Size;

    return INT_STATUS_SUCCESS;
}


INTSTATUS
IntMemClkUnInit(
    void
    )
{
    INTSTATUS status;
    LIST_ENTRY *list;

    list = gMemClkRegions.Flink;
    while (list != &gMemClkRegions)
    {
        PMEMCLOAK_REGION pClkReg = CONTAINING_RECORD(list, MEMCLOAK_REGION, Link);
        list = list->Flink;

        ERROR("[ERROR] There should be no memcloaks remaining... Got one on %llx, %llx, %d!\n",
              pClkReg->Gva, pClkReg->Cr3, pClkReg->Size);

        if (pClkReg->OriginalData)
        {
            IntDumpBuffer(pClkReg->OriginalData, 0, pClkReg->Size, 16, 1, TRUE, FALSE);
        }

        if (pClkReg->PatchedData)
        {
            IntDumpBuffer(pClkReg->PatchedData, 0, pClkReg->Size, 16, 1, TRUE, FALSE);
        }

        status = IntMemClkUncloakRegionInternal(0, pClkReg);
        if (!INT_SUCCESS(status))
        {
            ERROR("[ERROR] IntMemClkUncloakRegionInternal failed: 0x%08x\n", status);
        }
    }

    return INT_STATUS_SUCCESS;
}


void
IntMemClkDump(
    void
    )
{
    if (IsListEmpty(&gMemClkRegions))
    {
        LOG("No cloack regions!\n");
    }

    for (LIST_ENTRY *entry = gMemClkRegions.Flink; entry != &gMemClkRegions; entry = entry->Flink)
    {
        PMEMCLOAK_REGION pClkReg = CONTAINING_RECORD(entry, MEMCLOAK_REGION, Link);

        LOG("Region @ [0x%016llx, 0x%016llx) with Cr3 = 0x%016llx. Page count: %d. Options: 0x%08x\n",
            pClkReg->Gva, pClkReg->Gva + pClkReg->Size,
            pClkReg->Cr3, pClkReg->PageCount, pClkReg->Options);
        LOG("Original data:\n");
        IntDumpBuffer(pClkReg->OriginalData, pClkReg->Gva, pClkReg->Size, 16, 1, TRUE, TRUE);
        LOG("Patched data:\n");
        IntDumpBuffer(pClkReg->PatchedData, pClkReg->Gva, pClkReg->Size, 16, 1, TRUE, TRUE);

        for (DWORD i = 0; i < pClkReg->PageCount; i++)
        {
            PMEMCLOAK_PAGE pClkPage = &pClkReg->Pages[i];

            NLOG("\t\tData offset: 0x%08x Start: 0x%08x End: 0x%08x\n",
                 pClkPage->DataOffset, pClkPage->PageStartOffset, pClkPage->PageEndOffset);
        }
    }
}