Bitdefender Hypervisor Memory Introspection
memtables.h File Reference
#include "thread_safeness.h"


Data Structures

struct  _MEM_TABLE_RELOC
 

Macros

#define MAX_MEM_TABLE_SIZE   256
 
#define MEM_TABLE_HEADER_SIZE   47
 
#define MEM_TABLE_ENTRY_SIZE   11u
 
#define MAX_MEM_TABLE_SLACK_SIZE   ((MEM_TABLE_HEADER_SIZE) + (MEM_TABLE_ENTRY_SIZE) * (MAX_MEM_TABLE_SIZE))
 

Typedefs

typedef struct _MEM_TABLE_RELOC MEM_TABLE_RELOC
 
typedef struct _MEM_TABLE_RELOC *PMEM_TABLE_RELOC
 

Functions

BOOLEAN IntMtblIsPtrInReloc (QWORD Ptr, THS_PTR_TYPE Type, QWORD *Table)
 Check if the given pointer is inside a mem-table relocation handler.
 
INTSTATUS IntMtblCheckAccess (void)
 Check if the current instruction is like a switch-case table access instruction.
 
void IntMtblDisable (void)
 Disables mem-table instructions instrumentation.
 
INTSTATUS IntMtblRemoveAgentEntries (void)
 Removes only the mem-table entries that were relocated inside the PT filter.
 
BOOLEAN IntMtblInsRelocated (QWORD Rip)
 Check if the instruction at the provided RIP is instrumented.
 
INTSTATUS IntMtblUninit (void)
 Completely uninit the mem-tables, removing all the handlers from the NT slack space.
 

Macro Definition Documentation

◆ MAX_MEM_TABLE_SIZE

#define MAX_MEM_TABLE_SIZE   256

Definition at line 11 of file memtables.h.

Referenced by IntMtblCheckAccess(), and IntMtblPatchInstruction().

◆ MAX_MEM_TABLE_SLACK_SIZE

#define MAX_MEM_TABLE_SLACK_SIZE   ((MEM_TABLE_HEADER_SIZE) + (MEM_TABLE_ENTRY_SIZE) * (MAX_MEM_TABLE_SIZE))

Definition at line 27 of file memtables.h.

Referenced by IntMtblPatchInstruction().

◆ MEM_TABLE_ENTRY_SIZE

#define MEM_TABLE_ENTRY_SIZE   11u

Definition at line 26 of file memtables.h.

Referenced by IntMtblPatchInstruction().

◆ MEM_TABLE_HEADER_SIZE

#define MEM_TABLE_HEADER_SIZE   47

Definition at line 25 of file memtables.h.

Referenced by IntMtblPatchInstruction().

Typedef Documentation

◆ MEM_TABLE_RELOC

Describes a relocated mem-table instruction.

◆ PMEM_TABLE_RELOC

Function Documentation

◆ IntMtblCheckAccess()

INTSTATUS IntMtblCheckAccess (void)

Check if the current instruction is like a switch-case table access instruction.

This function checks whether the current instruction (pointed to by the RIP on the current VCPU) looks like an instruction that loads a switch-case offset from a code page. We look for the following features:

  0. The instruction must be a MOV instruction;
  1. The instruction must have exactly 2 operands;
  2. The first operand must be a register;
  3. The second operand must be memory;
  4. SIB addressing must be used, with a non-zero index;
  5. The memory access must be a read;
  6. Both operands must be 4 bytes;
  7. The instruction must be at least 5 bytes long (in order to accommodate a relative jump);
  8. The read linear address must point inside the NT image;
  9. The read linear address must not point inside the SSDT.

If such a candidate instruction is found, a new entry is allocated for it (or an existing entry is looked up). Once we identify the proper entry, we increment the number of times the instruction triggered a memory read, and once it exceeds 50 hits, we will try to instrument it using the IntMtblPatchInstruction function. If instrumenting the instruction fails, we flag the entry as ignored, and we won't try to instrument it again.

NOTE: This function is called on read EPT violations that take place on addresses for which we don't have a registered hook/callback.

Return values
INT_STATUS_SUCCESS: On success.
INT_STATUS_NOT_NEEDED_HINT: If there's no need to instrument the instruction.
INT_STATUS_INSUFFICIENT_RESOURCES: If a memory allocation fails.
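The candidate filter and the hit-count state machine described above, written out as an added C example. This is not code from the HVMI project: the decoded-instruction structure (InsFeatures), the image layout (ImageLayout), the table types and the patch_ok flag standing in for the outcome of IntMtblPatchInstruction are all assumptions made here so the logic can run offline on a constructed instruction; only the nine rules and the 50-hit threshold come from the page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the decoded-instruction features the nine rules inspect
   (assumed names; the real decoder output differs). */
typedef enum { OP_NONE, OP_REG, OP_MEM } OperandKind;
typedef struct {
    const char *mnemonic;   /* e.g. "MOV" */
    int operand_count;
    OperandKind op[2];      /* destination, source */
    int op_size[2];         /* operand sizes in bytes */
    bool sib;               /* SIB byte present */
    int sib_index;          /* 0 means "no index register" */
    bool mem_read;          /* the memory operand is read, not written */
    int length;             /* instruction length in bytes */
    uint64_t read_la;       /* linear address being read */
} InsFeatures;

typedef struct { uint64_t nt_base, nt_size, ssdt_base, ssdt_size; } ImageLayout;

static bool in_range(uint64_t a, uint64_t base, uint64_t size) {
    return a >= base && a - base < size;
}

/* Returns the number (0..9) of the first rule the instruction fails,
   or -1 when it is a mem-table candidate. */
int MtblFailedRule(const InsFeatures *ins, const ImageLayout *img) {
    if (strcmp(ins->mnemonic, "MOV") != 0) return 0;
    if (ins->operand_count != 2) return 1;
    if (ins->op[0] != OP_REG) return 2;
    if (ins->op[1] != OP_MEM) return 3;
    if (!ins->sib || ins->sib_index == 0) return 4;
    if (!ins->mem_read) return 5;
    if (ins->op_size[0] != 4 || ins->op_size[1] != 4) return 6;
    if (ins->length < 5) return 7;
    if (!in_range(ins->read_la, img->nt_base, img->nt_size)) return 8;
    if (in_range(ins->read_la, img->ssdt_base, img->ssdt_size)) return 9;
    return -1;
}

/* Per-RIP bookkeeping: hit counter, plus the "instrumented" and "ignored" flags. */
#define MTBL_HIT_THRESHOLD 50   /* from the page: patch once hits exceed 50 */
#define MTBL_MAX_TRACKED 16     /* assumed capacity for this toy table */
typedef struct { uint64_t rip; unsigned hits; bool ignored, instrumented; } MtblEntry;
typedef struct { MtblEntry e[MTBL_MAX_TRACKED]; int count; } MtblState;
typedef enum { MTBL_NOT_NEEDED, MTBL_COUNTED, MTBL_INSTRUMENTED,
               MTBL_IGNORED, MTBL_NO_RESOURCES } MtblResult;

void MtblStateInit(MtblState *st) { memset(st, 0, sizeof *st); }

static MtblEntry *find_or_alloc(MtblState *st, uint64_t rip) {
    for (int i = 0; i < st->count; i++)
        if (st->e[i].rip == rip) return &st->e[i];
    if (st->count == MTBL_MAX_TRACKED) return NULL;   /* allocation failure */
    MtblEntry *n = &st->e[st->count++];
    memset(n, 0, sizeof *n);
    n->rip = rip;
    return n;
}

/* One read EPT violation on an unhooked address. patch_ok stands in for
   whether the (assumed) patch step succeeds. */
MtblResult MtblOnRead(MtblState *st, uint64_t rip, const InsFeatures *ins,
                      const ImageLayout *img, bool patch_ok) {
    if (MtblFailedRule(ins, img) != -1) return MTBL_NOT_NEEDED;
    MtblEntry *e = find_or_alloc(st, rip);
    if (!e) return MTBL_NO_RESOURCES;
    if (e->ignored || e->instrumented) return MTBL_NOT_NEEDED;
    e->hits++;
    if (e->hits <= MTBL_HIT_THRESHOLD) return MTBL_COUNTED;
    if (patch_ok) { e->instrumented = true; return MTBL_INSTRUMENTED; }
    e->ignored = true;                 /* never retried, as the page states */
    return MTBL_IGNORED;
}

/* Drives `reads` violations for the same RIP and returns the last result. */
MtblResult MtblSimulate(MtblState *st, uint64_t rip, const InsFeatures *ins,
                        const ImageLayout *img, int reads, bool patch_ok) {
    MtblResult r = MTBL_NOT_NEEDED;
    for (int i = 0; i < reads; i++) r = MtblOnRead(st, rip, ins, img, patch_ok);
    return r;
}

/* Constructed sample input: a 7-byte MOV r32, [base+index*scale+disp] reading
   inside an assumed NT image range but outside an assumed SSDT range. */
InsFeatures SampleCandidate(void) {
    InsFeatures ins = { "MOV", 2, { OP_REG, OP_MEM }, { 4, 4 },
                        true, 3, true, 7, 0xfffff80000412340ull };
    return ins;
}
ImageLayout SampleLayout(void) {
    ImageLayout img = { 0xfffff80000400000ull, 0x800000,
                        0xfffff80000700000ull, 0x1000 };
    return img;
}
```

Rule 4 is the one that most often separates real jump tables from ordinary loads: a plain `mov eax, [rbx]` has no scaled index and is rejected before any counting happens, so the hit table only ever fills with SIB-addressed reads from the NT image.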

Definition at line 401 of file memtables.c.

Referenced by IntHandleMemAccess().

◆ IntMtblDisable()

void IntMtblDisable (void)

Disables mem-table instructions instrumentation.

This function will remove all the hooks placed on mem-table-like instructions, thus disabling the instrumentation. Note that the handlers will still remain, so if we have pointers still pointing there, nothing bad will happen. This function should be called only when preparing for uninit.

Definition at line 644 of file memtables.c.

Referenced by IntGuestPrepareUninit().

◆ IntMtblInsRelocated()

BOOLEAN IntMtblInsRelocated (QWORD Rip)

Check if the instruction at the provided RIP is instrumented.

Parameters
[in] Rip: The RIP to be checked.
Return values
TRUE if the RIP contains an instrumented instruction, FALSE otherwise.

Definition at line 677 of file memtables.c.

Referenced by IntHandleEptViolation().

◆ IntMtblIsPtrInReloc()

BOOLEAN IntMtblIsPtrInReloc (QWORD Ptr, THS_PTR_TYPE Type, QWORD *Table)

Check if the given pointer is inside a mem-table relocation handler.

Parameters
[in] Ptr: The pointer to be checked.
[in] Type: Pointer type - stack value or live RIP.
[out] Table: Optional address of the relocation table, if any is found.
Return values
TRUE if the pointer points within a relocation handler, FALSE otherwise.

Definition at line 596 of file memtables.c.

Referenced by IntThrSafeIsLiveRIPInIntro(), and IntThrSafeIsStackPtrInIntro().

◆ IntMtblRemoveAgentEntries()

INTSTATUS IntMtblRemoveAgentEntries (void)

Removes only the mem-table entries that were relocated inside the PT filter.

When using the PT filter, many mem-table instructions may need to be instrumented. Since the NT sections' slack space is very scarce, we will in that case use the PT filter itself to accommodate the relocated instructions. However, when the PT filter is unloaded, we must also stop instrumenting the instructions that were relocated inside of it.

Return values
INT_STATUS_SUCCESS: On success.

Definition at line 707 of file memtables.c.

Referenced by IntPtiDisableFiltering().

◆ IntMtblUninit()

INTSTATUS IntMtblUninit (void)

Completely uninit the mem-tables, removing all the handlers from the NT slack space.

This function must be called only during uninit, and only after thread-safeness was employed, in order to make sure no live RIPs or saved RIPs point inside a handler.

Return values
INT_STATUS_SUCCESS: On success.

Definition at line 745 of file memtables.c.

Referenced by IntGuestUninit().