Bitdefender Hypervisor Memory Introspection
#include "introtypes.h"
Functions

INTSTATUS IntRtlpVirtualUnwindCheckAccess (void)
    Check if a memory read operation was issued by RtlpVirtualUnwind or friends and update the cache.

INTSTATUS IntRtlpVirtualUnwindCheckAccess ( void )
Check if a memory read operation was issued by RtlpVirtualUnwind or friends and update the cache.
Sometimes, on Windows 7 especially, the RtlpVirtualUnwind family of functions may read code from a page that has been read-hooked via EPT (because we have API hooks inside it). This code usually scans the code page for specific opcodes (for example, the 0x48 REX prefix).

In order to avoid all of these reads, we detour all the code regions that we know read the code page, and we place a handler for them inside the NT slack space. This handler is simply a cache: it compares the address of the read against the cached addresses and, if a match is found, loads the value as an immediate instead of accessing the memory. Whenever a new read fault takes place, we update the cache. Therefore, multiple reads from these functions that touch the same addresses no longer cause an EPT violation, since the detour handler compares that value as an immediate.

Example of instrumentation: Consider the instruction "mov al, [rcx]" inside NT!RtlpVirtualUnwind. This instruction may trigger lots of EPT read violations, so we instrument it as follows:
Returns:
    INT_STATUS_SUCCESS          On success.
    INT_STATUS_NOT_NEEDED_HINT  If the instruction need not be inspected.
Definition at line 14 of file rtlpvirtualunwind.c.
Referenced by IntHandleMemAccess().
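The caching behaviour described above, modelled in C as an added example (constructed here, not HVI's own code): the slow path stands in for the EPT read-violation handler that updates the cache, and the detour stands in for the instrumented "mov al, [rcx]" read. PAGE_GLA, the cache size and the page contents are assumed sample values.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Constructed model, not HVI code: one read-hooked guest code page. */
#define PAGE_SIZE   4096
#define CACHE_SLOTS 8
#define PAGE_GLA    0xFFFFF80000100000ULL   /* assumed sample guest linear address */

static uint8_t  hooked_page[PAGE_SIZE];     /* code page protected by an EPT read hook */
static unsigned ept_read_faults;            /* simulated EPT read violations */

struct cache_entry { uint64_t gla; uint8_t value; bool valid; };
static struct cache_entry cache[CACHE_SLOTS];
static unsigned next_slot;                  /* round-robin replacement */

/* Slow path: the read reaches the hooked page, the introspection engine
 * handles the EPT violation and records (address, byte) in the cache. */
static uint8_t on_ept_read_fault(uint64_t gla)
{
    uint8_t v = hooked_page[gla - PAGE_GLA];
    ept_read_faults++;
    cache[next_slot].gla = gla;
    cache[next_slot].value = v;
    cache[next_slot].valid = true;
    next_slot = (next_slot + 1) % CACHE_SLOTS;
    return v;
}

/* Detour standing in for "mov al, [rcx]": compare rcx with the cached
 * addresses and return the byte as an immediate on a hit (no memory access). */
uint8_t detour_read_byte(uint64_t rcx)
{
    for (unsigned i = 0; i < CACHE_SLOTS; i++)
        if (cache[i].valid && cache[i].gla == rcx)
            return cache[i].value;
    return on_ept_read_fault(rcx);
}

/* Model of the unwinder's scan: count 0x48 REX prefixes in a window. */
unsigned scan_for_rex(uint64_t start, unsigned len)
{
    unsigned hits = 0;
    for (unsigned i = 0; i < len; i++)
        if (detour_read_byte(start + i) == 0x48)
            hits++;
    return hits;
}

unsigned faults_so_far(void) { return ept_read_faults; }

/* Fill the page with NOPs plus two REX prefixes and clear the cache. */
void reset_model(void)
{
    memset(cache, 0, sizeof cache);
    next_slot = 0;
    ept_read_faults = 0;
    memset(hooked_page, 0x90, sizeof hooked_page);
    hooked_page[2] = 0x48;
    hooked_page[5] = 0x48;
}
```

Scanning the same 8-byte window twice costs 8 faults the first time and none the second; a wider window that exceeds the cache size faults again only on the uncached addresses.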