Bitdefender Hypervisor Memory Introspection
rtlpvirtualunwind.h File Reference
#include "introtypes.h"


Functions

INTSTATUS IntRtlpVirtualUnwindCheckAccess (void)
 Check if a memory read operation was issued by RtlpVirtualUnwind or friends and update the cache.
 

Function Documentation

◆ IntRtlpVirtualUnwindCheckAccess()

INTSTATUS IntRtlpVirtualUnwindCheckAccess (void)

Check if a memory read operation was issued by RtlpVirtualUnwind or friends and update the cache.

Sometimes, on Windows 7 especially, the RtlpVirtualUnwind family of functions may read code from a page that has been read-hooked via EPT (because we have API hooks inside it). This code usually scans the code page for specific opcodes (for example, the 0x48 REX prefix). In order to avoid all of these reads, we detour all the code regions that we know read the code page, and we place a handler for them inside the NT slack space. This handler is simply a cache: it compares the address of the read and, if a match is found, loads an immediate instead of accessing the memory. Whenever a new read fault takes place, we update the cache. Therefore, multiple reads from these functions which touch the same addresses will not cause an EPT violation anymore, since the detour handler compares that address against an immediate and loads the cached byte as an immediate.

Example of instrumentation: consider the instruction "mov al, [rcx]" inside NT!RtlpVirtualUnwind. This instruction may trigger lots of EPT read violations, so we instrument it as follows:

  1. We replace it with a "JMP" to our detour handler.
  2. Our detour handler looks like this (interrupts stay disabled between cli and sti while the chain runs):

         cli
       entry0:
         mov al, value0
         cmp ecx, address0
         jz match
       entry1:
         mov al, value1
         cmp ecx, address1
         jz match
         ...
       entryk:
         mov al, valuek
         cmp ecx, addressk
         jz match
         ...
         mov al, [rcx]
       match:
         sti
         jmp original_code

  3. When the handler is first hit, there will be no matches, so the original instruction "mov al, [rcx]" will be executed, which will generate an EPT violation.
  4. When such a read EPT violation takes place, this function randomly selects an entry inside the handler and stores the value read from [rcx] as that entry's immediate (valuek) and the low 32 bits of the kernel address in ecx as its compare operand (addressk; comparing only the low 32 bits is OK, since we only instrument NT sequences).

NOTE: These sequences of instructions are instrumented during init; they are not hooked dynamically. However, the handler code (the cache) is dynamically updated whenever a read takes place that did not match the cache.

NOTE: Only several instructions are instrumented using this algorithm. Please take a look at the switch statement on the instruction tag, as each case block is made for a particular instruction.
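The cache described in steps 2 to 4, modelled in plain C as an added example (not code from the HVMI project): each entry holds the addressk/valuek pair that the handler compares and loads as immediates, a miss stands in for the original "mov al, [rcx]" and the EPT violation it raises, and the violation path fills a randomly chosen entry. The entry count, the code-page bytes, the page address and the seeded LCG used for the random pick are all assumptions of this model, chosen so the run is reproducible; the page does not state the real handler's size.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Number of (addressk, valuek) pairs in the handler. Assumed for this model;
 * the page does not say how many entries the real slack-space handler holds. */
#define UNWIND_CACHE_ENTRIES 4

/* Constructed stand-ins for a read-hooked NT code page and its kernel address. */
static const uint64_t EXAMPLE_PAGE_BASE = 0xfffff80000001000ull;
static const uint8_t EXAMPLE_CODE_PAGE[16] = {
    0x48, 0x89, 0x5c, 0x24, 0x08, 0x48, 0x89, 0x74,
    0x24, 0x10, 0x57, 0x48, 0x83, 0xec, 0x20, 0xcc
};

/* One "mov al, valuek / cmp ecx, addressk / jz match" triplet of the handler. */
typedef struct {
    uint32_t address; /* low 32 bits of the kernel address, what "cmp ecx, addressk" tests */
    uint8_t  value;   /* the immediate that "mov al, valuek" loads */
    bool     valid;
} unwind_cache_entry;

typedef struct {
    unwind_cache_entry entries[UNWIND_CACHE_ENTRIES];
    uint32_t ept_violations; /* times the original "mov al, [rcx]" had to execute */
    uint32_t rng_state;      /* seeded LCG standing in for the random slot choice */
} unwind_cache;

static void unwind_cache_init(unwind_cache *c, uint32_t seed)
{
    memset(c, 0, sizeof *c);
    c->rng_state = seed;
}

/* Deterministic pseudo-random slot pick so the run is reproducible. */
static uint32_t unwind_cache_pick_slot(unwind_cache *c)
{
    c->rng_state = c->rng_state * 1103515245u + 12345u;
    return (c->rng_state >> 16) % UNWIND_CACHE_ENTRIES;
}

/* The handler's compare chain: entry0..entryk in order, each comparing
 * ecx (the low 32 bits of rcx) against a cached address. */
static bool unwind_cache_lookup(const unwind_cache *c, uint64_t rcx, uint8_t *al)
{
    uint32_t ecx = (uint32_t)rcx;
    for (unsigned k = 0; k < UNWIND_CACHE_ENTRIES; k++) {
        if (c->entries[k].valid && c->entries[k].address == ecx) {
            *al = c->entries[k].value; /* "mov al, valuek" ... "jz match" */
            return true;
        }
    }
    return false; /* no match: fall through to the original "mov al, [rcx]" */
}

/* One execution of the instrumented "mov al, [rcx]". */
static uint8_t unwind_detour_read(unwind_cache *c, uint64_t rcx)
{
    uint8_t al;
    if (unwind_cache_lookup(c, rcx, &al))
        return al; /* hit: the immediate is used, no EPT violation */

    /* Miss: the real read runs on the hooked page, so the hypervisor takes a
     * read EPT violation, and the violation handler refreshes one cache entry. */
    c->ept_violations++;
    uint64_t off = rcx - EXAMPLE_PAGE_BASE;
    al = off < sizeof EXAMPLE_CODE_PAGE ? EXAMPLE_CODE_PAGE[off] : 0;
    uint32_t k = unwind_cache_pick_slot(c);
    c->entries[k].address = (uint32_t)rcx;
    c->entries[k].value = al;
    c->entries[k].valid = true;
    return al;
}

/* Reads one address `reads` times, the way RtlpVirtualUnwind repeatedly scans
 * the same bytes, and returns how many EPT violations that cost. */
static uint32_t unwind_simulate_repeated_reads(uint64_t rcx, unsigned reads, uint8_t *last_al)
{
    unwind_cache c;
    unwind_cache_init(&c, 0x1234u);
    uint8_t al = 0;
    for (unsigned i = 0; i < reads; i++)
        al = unwind_detour_read(&c, rcx);
    if (last_al)
        *last_al = al;
    return c.ept_violations;
}

int main(void)
{
    uint8_t al;
    uint32_t faults = unwind_simulate_repeated_reads(EXAMPLE_PAGE_BASE, 100, &al);
    printf("100 reads of byte 0x%02x cost %u EPT violation(s)\n", al, faults);
    return 0;
}
```

With a single address read repeatedly, only the first read costs a violation; every later read is served from the entry that the violation path filled. The model also keeps the page's 32-bit compare, so two kernel addresses that share their low 32 bits would alias in the cache, which is why the page restricts the scheme to instrumented NT sequences.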
Return values

  INT_STATUS_SUCCESS          On success.
  INT_STATUS_NOT_NEEDED_HINT  If the instruction does not need to be inspected.

Definition at line 14 of file rtlpvirtualunwind.c.

Referenced by IntHandleMemAccess().