Bitdefender Hypervisor Memory Introspection
memtables.h
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2020 Bitdefender
3  * SPDX-License-Identifier: Apache-2.0
4  */
5 #ifndef _MEM_TABLES_H_
6 #define _MEM_TABLES_H_
7 
8 #include "thread_safeness.h"
9 
10 
11 #define MAX_MEM_TABLE_SIZE 256
12 // PUSHF (opcode = 1)
13 // PUSH dst (rex + opcode = 1 + 1 = 2)
14 // PUSH idx (rex + opcode = 1 + 1 = 2)
15 // MOV [rsp + 8], slack_addr low (opcode + modrm + sub + disp + imm = 1 + 1 + 1 + 1 + 4 = 8)
16 // MOV [rsp + C], slack_addr high (opcode + modrm + sub + disp + imm = 1 + 1 + 1 + 1 + 4 = 8)
17 // IMUL idx, idx, 11 (rex + opcode + modrm + imm = 1 + 1 + 1 + 1 = 4)
18 // ADD [rsp + 8], idx (rex + opcode + modrm + sib + disp = 1 + 1 + 1 + 1 + 1 = 5)
19 // POP idx (rex + opcode = 1 + 1 = 2)
20 // POP dst (rex + opcode = 1 + 1 = 2)
21 // MOV [rsp - 8], 0 (rex + opcode + modrm + sib + disp + imm4 = 9 bytes)
22 // POPF (opcode = 1)
23 // JMP dst (rex + opcode + modrm = 1 + 1 + 1 = 3)
24 // 11 * number of entries
25 #define MEM_TABLE_HEADER_SIZE 47
26 #define MEM_TABLE_ENTRY_SIZE 11u
27 #define MAX_MEM_TABLE_SLACK_SIZE ((MEM_TABLE_HEADER_SIZE) + (MEM_TABLE_ENTRY_SIZE) * (MAX_MEM_TABLE_SIZE))
28 
29 
33 typedef struct _MEM_TABLE_RELOC
34 {
35  LIST_ENTRY Link;
36 
37  QWORD Rip;
38  QWORD TableGva;
39  QWORD Hits;
40 
41  QWORD SlackAddress;
42  DWORD SlackSize;
43  void *InsCloak;
44  void *SlackCloak;
45 
46  BOOLEAN Patched;
47  BOOLEAN Ignored;
48  BOOLEAN InAgent;
49  BOOLEAN Dumped;
50 } MEM_TABLE_RELOC, *PMEM_TABLE_RELOC;
51 
52 
53 //
54 // API
55 //
56 BOOLEAN
57 IntMtblIsPtrInReloc(
58  _In_ QWORD Ptr,
59  _In_ THS_PTR_TYPE Type,
60  _Out_opt_ QWORD *Table
61  );
62 
63 INTSTATUS
64 IntMtblCheckAccess(
65  void
66  );
67 
68 void
69 IntMtblDisable(
70  void
71  );
72 
73 INTSTATUS
74 IntMtblRemoveAgentEntries(
75  void
76  );
77 
78 BOOLEAN
79 IntMtblInsRelocated(
80  _In_ QWORD Rip
81  );
82 
83 INTSTATUS
84 IntMtblUninit(
85  void
86  );
87 
88 #endif // _MEM_TABLES_H_
BOOLEAN
_Bool BOOLEAN
Definition: intro_types.h:58
_MEM_TABLE_RELOC
Definition: memtables.h:33
_MEM_TABLE_RELOC::SlackCloak
void * SlackCloak
Slack handler cloak handle.
Definition: memtables.h:44
IntMtblCheckAccess
INTSTATUS IntMtblCheckAccess(void)
Check if the current instruction is like a switch-case table access instruction.
Definition: memtables.c:401
_In_
#define _In_
Definition: intro_sal.h:21
IntMtblIsPtrInReloc
BOOLEAN IntMtblIsPtrInReloc(QWORD Ptr, THS_PTR_TYPE Type, QWORD *Table)
Check if the given pointer is inside a mem-table relocation handler.
Definition: memtables.c:596
_MEM_TABLE_RELOC::InAgent
BOOLEAN InAgent
True if we relocated the instruction inside the PT filter agent.
Definition: memtables.h:48
INTSTATUS
int INTSTATUS
The status data type.
Definition: introstatus.h:24
PMEM_TABLE_RELOC
struct _MEM_TABLE_RELOC * PMEM_TABLE_RELOC
MEM_TABLE_RELOC
struct _MEM_TABLE_RELOC MEM_TABLE_RELOC
IntMtblInsRelocated
BOOLEAN IntMtblInsRelocated(QWORD Rip)
Check if the instruction at the provided RIP is instrumented.
Definition: memtables.c:677
IntMtblDisable
void IntMtblDisable(void)
Disables mem-table instructions instrumentation.
Definition: memtables.c:644
_MEM_TABLE_RELOC::Patched
BOOLEAN Patched
True if the instruction has been instrumented.
Definition: memtables.h:46
_MEM_TABLE_RELOC::SlackAddress
QWORD SlackAddress
Slack address where the handler was allocated.
Definition: memtables.h:41
_MEM_TABLE_RELOC::InsCloak
void * InsCloak
Instrumented instruction cloak handle.
Definition: memtables.h:43
_MEM_TABLE_RELOC::Ignored
BOOLEAN Ignored
True if we didn't manage to hook it.
Definition: memtables.h:47
_Out_opt_
#define _Out_opt_
Definition: intro_sal.h:30
_MEM_TABLE_RELOC::TableGva
QWORD TableGva
Guest virtual address of the switch-case table accessed by the instruction.
Definition: memtables.h:38
QWORD
unsigned long long QWORD
Definition: intro_types.h:53
_MEM_TABLE_RELOC::Rip
QWORD Rip
RIP of the instrumented instruction.
Definition: memtables.h:37
_MEM_TABLE_RELOC::Dumped
BOOLEAN Dumped
TRUE if it's a problematic table and we dumped it's content in an error.
Definition: memtables.h:49
IntMtblRemoveAgentEntries
INTSTATUS IntMtblRemoveAgentEntries(void)
Removes only the mem-table entries that were relocated inside the PT filter.
Definition: memtables.c:707
thread_safeness.h
DWORD
uint32_t DWORD
Definition: intro_types.h:49
THS_PTR_TYPE
THS_PTR_TYPE
The type of pointer to be checked.
Definition: thread_safeness.h:28
_MEM_TABLE_RELOC::SlackSize
DWORD SlackSize
Size of the allocated slack buffer.
Definition: memtables.h:42
_MEM_TABLE_RELOC::Hits
QWORD Hits
Number of times this instruction generated a read EPT violation.
Definition: memtables.h:39
_LIST_ENTRY
Definition: introlists.h:16
IntMtblUninit
INTSTATUS IntMtblUninit(void)
Completely uninit the mem-tables, removing all the handlers from the NT slack space.
Definition: memtables.c:745
_MEM_TABLE_RELOC::Link
LIST_ENTRY Link
List element link.
Definition: memtables.h:35