Bitdefender Hypervisor Memory Introspection
shellcode.h File Reference
#include "introcore.h"


Typedefs

typedef struct _WIN_PROCESS_OBJECT WIN_PROCESS_OBJECT
 

Functions

INTSTATUS IntShcIsSuspiciousCode (QWORD Gva, QWORD Gpa, DWORD CsType, IG_ARCH_REGS *Registers, QWORD *ShellcodeFlags)
 Checks if the code located at the given guest virtual address is suspicious or not. More...
 

Typedef Documentation

◆ WIN_PROCESS_OBJECT

Definition at line 10 of file shellcode.h.

Function Documentation

◆ IntShcIsSuspiciousCode()

INTSTATUS IntShcIsSuspiciousCode ( QWORD Gva,
                                   QWORD Gpa,
                                   DWORD CsType,
                                   IG_ARCH_REGS *Registers,
                                   QWORD *ShellcodeFlags
                                 )

Checks if the code located at the given guest virtual address is suspicious or not.

This function runs the shellcode emulator on the code at the provided memory address. The emulator looks for the following shellcode indicators:

  0. NOP sled;
  1. Store RIP in a register (CALL/POP, FNSTENV/POP, LEA);
  2. Self-write (the code writes into its own memory region);
  3. Access through the FS/GS segment register inside the TEB (used for import fixup);
  4. Direct SYSCALL/SYSENTER invocation;
  5. Strings built on, and referenced from, the stack.

Some other potentially useful indicators (much weaker and more prone to false positives) are:

  6. Branch into an already executed instruction (CALL $+4, JMP);
  7. Unusual data transfer sequences (PUSH/POP);
  8. Redundant prefixes (especially segment overrides);
  9. Writes to ESP (NaCl legitimately does this).

These are not used, however.
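The following is an added example, not code from the HVMI project: a static byte-pattern scan that approximates indicators 0, 1, 3 and 4 from the list above (NOP sled, CALL/POP GetPC, FS/GS-relative TEB/PEB access, direct SYSCALL/SYSENTER) over a constructed byte buffer. The flag names, the sled threshold, the helper names and the use of 32/64 as the code-segment-type convention are assumptions made for illustration. The real emulator in shellcode.c executes the instructions and tracks their effects, so it also catches encodings and register choices that a fixed byte pattern misses (for example a GetPC through FNSTENV/POP or a self-write, which this scan does not attempt).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: hypothetical flag bits, not the project's SHEMU flags. */
#define EX_FLAG_NOP_SLED   (1u << 0)  /* 0. run of single-byte NOPs */
#define EX_FLAG_GETPC      (1u << 1)  /* 1. CALL $+5 ; POP reg */
#define EX_FLAG_TEB_ACCESS (1u << 2)  /* 3. FS/GS-relative load of the PEB pointer */
#define EX_FLAG_SYSCALL    (1u << 3)  /* 4. direct SYSCALL/SYSENTER */

#define EX_NOP_SLED_MIN 8u            /* assumed threshold */

/* cs_type follows the page's convention: 32 for 32-bit code, 64 for 64-bit code. */
uint32_t ex_scan_indicators(const uint8_t *code, size_t len, unsigned cs_type)
{
    uint32_t flags = 0;
    size_t run = 0;

    for (size_t i = 0; i < len; i++) {
        /* 0. NOP sled: count consecutive 0x90 bytes. */
        run = (code[i] == 0x90) ? run + 1 : 0;
        if (run >= EX_NOP_SLED_MIN)
            flags |= EX_FLAG_NOP_SLED;

        /* 1. Store RIP in a register: CALL rel32 with a zero displacement
         *    (E8 00 00 00 00) immediately followed by POP r32/r64 (58..5F). */
        if (i + 5 < len && code[i] == 0xE8 &&
            memcmp(code + i + 1, "\x00\x00\x00\x00", 4) == 0 &&
            code[i + 5] >= 0x58 && code[i + 5] <= 0x5F)
            flags |= EX_FLAG_GETPC;

        /* 3. TEB access through a segment override; the PEB pointer lives in the TEB.
         *    32-bit: 64 A1 30 00 00 00            mov eax, fs:[0x30]
         *    64-bit: 65 48 8B 04 25 60 00 00 00   mov rax, gs:[0x60] */
        if (cs_type == 32 && i + 5 < len &&
            memcmp(code + i, "\x64\xA1\x30\x00\x00\x00", 6) == 0)
            flags |= EX_FLAG_TEB_ACCESS;
        if (cs_type == 64 && i + 8 < len &&
            memcmp(code + i, "\x65\x48\x8B\x04\x25\x60\x00\x00\x00", 9) == 0)
            flags |= EX_FLAG_TEB_ACCESS;

        /* 4. Direct system-call invocation: SYSCALL (0F 05) or SYSENTER (0F 34). */
        if (i + 1 < len && code[i] == 0x0F &&
            (code[i + 1] == 0x05 || code[i + 1] == 0x34))
            flags |= EX_FLAG_SYSCALL;
    }
    return flags;
}

/* Constructed 32-bit sample (not real malware): sled, GetPC, PEB lookup, sysenter. */
static const uint8_t ex_sample32[] = {
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,   /* nop x8 */
    0xE8, 0x00, 0x00, 0x00, 0x00,                     /* call $+5 */
    0x5B,                                             /* pop ebx */
    0x64, 0xA1, 0x30, 0x00, 0x00, 0x00,               /* mov eax, fs:[0x30] */
    0x0F, 0x34                                        /* sysenter */
};

/* Constructed 64-bit sample: PEB lookup via GS, then a direct syscall. */
static const uint8_t ex_sample64[] = {
    0x65, 0x48, 0x8B, 0x04, 0x25, 0x60, 0x00, 0x00, 0x00, /* mov rax, gs:[0x60] */
    0x0F, 0x05                                            /* syscall */
};

/* Constructed benign sample: an ordinary prologue, xor eax,eax, epilogue, ret. */
static const uint8_t ex_benign[] = { 0x55, 0x89, 0xE5, 0x31, 0xC0, 0x5D, 0xC3 };

uint32_t ex_scan_sample32(void) { return ex_scan_indicators(ex_sample32, sizeof ex_sample32, 32); }
uint32_t ex_scan_sample64(void) { return ex_scan_indicators(ex_sample64, sizeof ex_sample64, 64); }
uint32_t ex_scan_benign(void)   { return ex_scan_indicators(ex_benign,   sizeof ex_benign,   32); }

int main(void)
{
    printf("sample32 flags: 0x%x\n", ex_scan_sample32());
    printf("sample64 flags: 0x%x\n", ex_scan_sample64());
    printf("benign   flags: 0x%x\n", ex_scan_benign());
    return 0;
}
```

Scanning ex_sample64 with cs_type 32 instead of 64 reports only the syscall, which is why the real function takes CsType: the same bytes decode differently depending on the operating mode, and the emulator must be told which one applies.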
Parameters
[in]  Gva             Guest virtual address of the code to be emulated.
[in]  Gpa             Guest physical address of the code to be emulated.
[in]  CsType          Code segment type (operating mode): 32-bit or 64-bit.
[in]  Registers       General purpose register state.
[out] ShellcodeFlags  Will contain, upon return, the shellcode flags identified by the shellcode emulator.
Return values
INT_STATUS_SUCCESS            On success.
INT_STATUS_INVALID_PARAMETER  If an invalid parameter is supplied.

The emulator's stack view is seeded from guest memory: SHEMU_STACK_SIZE bytes are read from the page-aligned guest stack pointer, in the address space selected by the guest CR3, into the emulator context's stack buffer:

  IntVirtMemRead(Registers->RegRsp & PAGE_MASK, SHEMU_STACK_SIZE, Registers->RegCr3, ctx->Stack, NULL);

Definition at line 25 of file shellcode.c.

Referenced by IntLixVmaHandlePageExecution(), IntWinCrashHandleDepViolation(), IntWinDpiValidateHeapSpray(), IntWinDpiValidateThreadStart(), and IntWinVadIsExecSuspicious().