Bitdefender Hypervisor Memory Introspection
This module monitors pages against unpack. More...
Data Structures | |
| struct | _UNPACK_PAGE |
Macros | |
| #define | UNPACK_STATE_NONE 0x00 |
| Initial state. More... | |
| #define | UNPACK_STATE_DIRTY 0x01 |
| The page was written. More... | |
| #define | UNPACK_STATE_EXEC 0x02 |
| The page contains code that has been fetched for execution. More... | |
Typedefs | |
| typedef struct _UNPACK_PAGE | UNPACK_PAGE |
| typedef struct _UNPACK_PAGE * | PUNPACK_PAGE |
Functions | |
| static PUNPACK_PAGE | IntUnpFindPage (QWORD Cr3, QWORD VirtualAddress) |
| Finds a monitored page. More... | |
| static INTSTATUS | IntUnpUnWatchPageInternal (PUNPACK_PAGE Page) |
| Remove monitor from the indicated page. More... | |
| static INTSTATUS | IntUnpPageExecuteCallback (void *Context, void *Hook, QWORD Address, INTRO_ACTION *Action) |
| Handle executions from a monitored page. More... | |
| static INTSTATUS | IntUnpPageWriteCallback (void *Context, void *Hook, QWORD Address, INTRO_ACTION *Action) |
| Handle writes inside a monitored page. More... | |
| INTSTATUS | IntUnpWatchPage (QWORD Cr3, QWORD VirtualAddress, PFUNC_PageUnpackedCallback UnpackCallback, PFUNC_PageIsWriteValid WriteCheckCallback, void *CallbackContext) |
| Monitor a page against unpacking. More... | |
| INTSTATUS | IntUnpUnWatchPage (QWORD Cr3, QWORD VirtualAddress) |
| Stop monitoring the indicated page. More... | |
| INTSTATUS | IntUnpUnWatchVaSpacePages (QWORD Cr3) |
| Stop monitoring all pages belonging to a virtual address space. More... | |
| INTSTATUS | IntUnpRemovePages (void) |
| Stop monitoring all pages. More... | |
| void | IntUnpUninit (void) |
| Uninit the unpacker. This will stop the monitor on all pages. More... | |
Variables | |
| static LIST_HEAD | gUnpckPages = LIST_HEAD_INIT(gUnpckPages) |
This module monitors pages against unpack. Note that this is legacy code, and it should be rewritten in a more efficient manner (for example, the unpack monitor should be enabled for an entire module, not on a single page at a time). It should also return a handle to the monitored page/module.

NOTE: All pages are kept in a single linked list; this can cause a serious performance penalty if many such pages are monitored. If performance is of concern, this module must be optimized.

NOTE: Since the monitor functions work directly with a Cr3 and a virtual address, no handles are returned. Make sure that each page is monitored only once; otherwise, when trying to remove a page, only the first match will be removed. Alternatively, rewrite this mechanism to return a handle for each monitored page.
Definition in file unpacker.c.
| #define UNPACK_STATE_DIRTY 0x01 |
The page was written.
Definition at line 27 of file unpacker.c.
Referenced by IntUnpPageExecuteCallback(), and IntUnpPageWriteCallback().
| #define UNPACK_STATE_EXEC 0x02 |
The page contains code that has been fetched for execution.
Definition at line 28 of file unpacker.c.
Referenced by IntUnpPageExecuteCallback().
| #define UNPACK_STATE_NONE 0x00 |
Initial state.
| typedef struct _UNPACK_PAGE * PUNPACK_PAGE |
| typedef struct _UNPACK_PAGE UNPACK_PAGE |
One page monitored against unpack.
| static PUNPACK_PAGE IntUnpFindPage | ( | QWORD Cr3, QWORD VirtualAddress | ) |
Finds a monitored page.
| [in] | Cr3 | Virtual address space of the monitored page. |
| [in] | VirtualAddress | Address to be found. |
Definition at line 54 of file unpacker.c.
| static INTSTATUS IntUnpPageExecuteCallback | ( | void *Context, void *Hook, QWORD Address, INTRO_ACTION *Action | ) |
Handle executions from a monitored page.
If the page is dirty, this function decodes the current instruction and invokes the unpack callback.
| [in] | Context | The context - a monitored page. |
| [in] | Hook | GPA hook handle. |
| [in] | Address | Guest physical address that has just been executed. |
| [out] | Action | Desired action. |
| INT_STATUS_SUCCESS | On success. |
Definition at line 132 of file unpacker.c.
Referenced by IntUnpPageWriteCallback().
| static INTSTATUS IntUnpPageWriteCallback | ( | void *Context, void *Hook, QWORD Address, INTRO_ACTION *Action | ) |
Handle writes inside a monitored page.
When the page is written, the write check callback is called to validate the write. If the callback returns false, the write is not legitimate: the page is marked as dirty and an execute hook is set on it. If it returns true, the write hook is kept and no execute hook is set.
| [in] | Context | The context - a monitored page. |
| [in] | Hook | GPA hook handle. |
| [in] | Address | Guest physical address that has just been executed. |
| [out] | Action | Desired action. |
| INT_STATUS_SUCCESS | On success. |
Definition at line 218 of file unpacker.c.
Referenced by IntUnpWatchPage().
| INTSTATUS IntUnpRemovePages | ( | void | ) |
Stop monitoring all pages.
| INT_STATUS_SUCCESS | On success. |
Definition at line 474 of file unpacker.c.
Referenced by IntUnpUninit().
| void IntUnpUninit | ( | void | ) |
Uninit the unpacker. This will stop the monitor on all pages.
Definition at line 505 of file unpacker.c.
Referenced by IntGuestUninit().
| INTSTATUS IntUnpUnWatchPage | ( | QWORD Cr3, QWORD VirtualAddress | ) |
Stop monitoring the indicated page.
| [in] | Cr3 | The virtual address space. |
| [in] | VirtualAddress | The address to stop monitoring against unpack. |
| INT_STATUS_SUCCESS | On success. |
Definition at line 396 of file unpacker.c.
| static INTSTATUS IntUnpUnWatchPageInternal | ( | PUNPACK_PAGE Page | ) |
Remove monitor from the indicated page.
| [in] | Page | The monitored page. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
Definition at line 86 of file unpacker.c.
Referenced by IntUnpPageExecuteCallback(), IntUnpRemovePages(), IntUnpUnWatchPage(), IntUnpUnWatchVaSpacePages(), and IntUnpWatchPage().
| INTSTATUS IntUnpUnWatchVaSpacePages | ( | QWORD Cr3 | ) |
Stop monitoring all pages belonging to a virtual address space.
| [in] | Cr3 | The virtual address space to stop monitoring against unpack. |
| INT_STATUS_SUCCESS | On success. |
Definition at line 438 of file unpacker.c.
Referenced by IntWinModulesChangeProtectionFlags(), and IntWinModUnHookModule().
| INTSTATUS IntUnpWatchPage | ( | QWORD | Cr3, |
| QWORD | VirtualAddress, | ||
| PFUNC_PageUnpackedCallback | UnpackCallback, | ||
| PFUNC_PageIsWriteValid | WriteCheckCallback, | ||
| void * | CallbackContext | ||
| ) |
Monitor a page against unpacking.
This function starts to monitor the indicated page against unpacking. The algorithm is fairly simple:
| [in] | Cr3 | Virtual address space. |
| [in] | VirtualAddress | The virtual address of the page to be monitored. |
| [in] | UnpackCallback | Called when the page is deemed to be "unpacked". |
| [in] | WriteCheckCallback | Called on each write, to validate it. Some writes may be valid (for example, the writes made by the loader inside the IAT). |
| [in] | CallbackContext | Optional context to be passed to the unpack & write callbacks. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INSUFFICIENT_RESOURCES | If a memory alloc fails. |
Definition at line 316 of file unpacker.c.
Referenced by IntWinModHookPoly().
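The write-then-execute detection described for IntUnpPageWriteCallback, IntUnpPageExecuteCallback and IntUnpWatchPage above, as an added stand-alone C model. This is not unpacker.c's code: the `Unp*` function names, the `UnpOnWrite`/`UnpOnExecute` entry points standing in for the GPA write and execute hooks, the callback signatures, the `INT_STATUS_NOT_FOUND` code and the scenario's Cr3 and addresses are all assumptions made so the model compiles and runs in user space. A dirty bit stands in for "execute hook armed", since the page says the execute hook is placed only after an invalid write.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
typedef uint64_t QWORD;
typedef int INTSTATUS;
#define INT_STATUS_SUCCESS                  0
#define INT_STATUS_INSUFFICIENT_RESOURCES (-1)
#define INT_STATUS_NOT_FOUND              (-2)   /* assumed code for "no such page" */
#define UNPACK_STATE_NONE  0x00                  /* initial state */
#define UNPACK_STATE_DIRTY 0x01                  /* the page was written (execute hook armed) */
#define UNPACK_STATE_EXEC  0x02                  /* code was fetched for execution from the page */
#define PAGE_BASE(va) ((va) & ~(QWORD)0xFFF)
typedef struct _UNPACK_PAGE UNPACK_PAGE;          /* the two callback shapes below are assumed */
typedef bool (*PFUNC_PageIsWriteValid)(UNPACK_PAGE *Page, QWORD Address, void *Ctx);
typedef void (*PFUNC_PageUnpackedCallback)(UNPACK_PAGE *Page, QWORD Address, void *Ctx);

struct _UNPACK_PAGE {
    UNPACK_PAGE *Next;            /* single linked list, as the module notes warn */
    QWORD Cr3, VirtualAddress;    /* address space and page-aligned guest VA */
    uint32_t State;               /* UNPACK_STATE_* bit mask */
    PFUNC_PageUnpackedCallback UnpackCallback;
    PFUNC_PageIsWriteValid WriteCheckCallback;
    void *CallbackContext;
};
static UNPACK_PAGE *gUnpckPages = NULL;

/* Returns the first match only: a page watched twice is found (and removed) once. */
UNPACK_PAGE *UnpFindPage(QWORD Cr3, QWORD VirtualAddress)
{
    for (UNPACK_PAGE *p = gUnpckPages; p; p = p->Next)
        if (p->Cr3 == Cr3 && p->VirtualAddress == PAGE_BASE(VirtualAddress))
            return p;
    return NULL;
}

INTSTATUS UnpWatchPage(QWORD Cr3, QWORD VirtualAddress, PFUNC_PageUnpackedCallback UnpackCallback,
                       PFUNC_PageIsWriteValid WriteCheckCallback, void *Ctx)
{
    UNPACK_PAGE *p = malloc(sizeof(*p));
    if (!p) return INT_STATUS_INSUFFICIENT_RESOURCES;
    *p = (UNPACK_PAGE){ .Next = gUnpckPages, .Cr3 = Cr3, .VirtualAddress = PAGE_BASE(VirtualAddress),
                        .State = UNPACK_STATE_NONE, .UnpackCallback = UnpackCallback,
                        .WriteCheckCallback = WriteCheckCallback, .CallbackContext = Ctx };
    gUnpckPages = p;              /* only the write hook is armed at this point */
    return INT_STATUS_SUCCESS;
}
static void UnpUnWatchPageInternal(UNPACK_PAGE *Page)
{
    for (UNPACK_PAGE **pp = &gUnpckPages; *pp; pp = &(*pp)->Next)
        if (*pp == Page) { *pp = Page->Next; free(Page); return; }
}
/* Drops every page of one address space, e.g. when its module is unhooked. */
INTSTATUS UnpUnWatchVaSpacePages(QWORD Cr3)
{
    for (UNPACK_PAGE *p = gUnpckPages, *next; p; p = next) {
        next = p->Next;           /* read before the node may be freed */
        if (p->Cr3 == Cr3) UnpUnWatchPageInternal(p);
    }
    return INT_STATUS_SUCCESS;
}
/* Write hook: a write the checker accepts (the loader fixing up the IAT) changes
 * nothing; any other write marks the page dirty, which arms the execute hook. */
INTSTATUS UnpOnWrite(QWORD Cr3, QWORD Address)
{
    UNPACK_PAGE *p = UnpFindPage(Cr3, Address);
    if (!p) return INT_STATUS_NOT_FOUND;
    if (p->WriteCheckCallback && p->WriteCheckCallback(p, Address, p->CallbackContext))
        return INT_STATUS_SUCCESS;
    p->State |= UNPACK_STATE_DIRTY;
    return INT_STATUS_SUCCESS;
}
/* Execute hook (present only on dirty pages): code fetched from a page that was
 * written earlier is reported as unpacked once, then the monitor is removed. */
INTSTATUS UnpOnExecute(QWORD Cr3, QWORD Address)
{
    UNPACK_PAGE *p = UnpFindPage(Cr3, Address);
    if (!p || !(p->State & UNPACK_STATE_DIRTY)) return INT_STATUS_NOT_FOUND;
    p->State |= UNPACK_STATE_EXEC;
    if (p->UnpackCallback) p->UnpackCallback(p, Address, p->CallbackContext);
    UnpUnWatchPageInternal(p);
    return INT_STATUS_SUCCESS;
}

/* Constructed scenario: page 0x401000 gets a loader-style IAT write and then runs (no
 * report); page 0x402000 gets an arbitrary write and then runs (exactly one report). */
static int gUnpackedCount = 0;
static bool DemoWriteValid(UNPACK_PAGE *p, QWORD a, void *c)
{ (void)p; (void)c; return a >= 0x401000 && a < 0x401080; }   /* constructed IAT range */
static void DemoUnpacked(UNPACK_PAGE *p, QWORD a, void *c) { (void)p; (void)a; (void)c; gUnpackedCount++; }
int UnpDemoScenario(void)
{
    const QWORD cr3 = 0x1000;     /* constructed address space id */
    UnpWatchPage(cr3, 0x401000, DemoUnpacked, DemoWriteValid, NULL);
    UnpWatchPage(cr3, 0x402000, DemoUnpacked, DemoWriteValid, NULL);
    UnpOnWrite(cr3, 0x401010);    /* valid IAT fixup: page stays clean */
    UnpOnExecute(cr3, 0x401200);  /* clean page has no execute hook: nothing reported */
    UnpOnWrite(cr3, 0x402040);    /* arbitrary write: page now dirty */
    UnpOnExecute(cr3, 0x402040);  /* write then execute: reported as unpacked */
    UnpOnExecute(cr3, 0x402040);  /* monitor already removed: no second report */
    UnpUnWatchVaSpacePages(cr3);  /* removes the still-watched clean page */
    return gUnpackedCount;
}
```

`UnpDemoScenario` returns 1: the loader-style write never arms the execute hook, so only the page that was both written by something the checker rejected and later executed is reported, and it is reported once because the execute path removes the monitor. The model deliberately keeps the page's own limitations (first-match lookup, linear list) so the notes at the top of this file can be seen in effect.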
| static LIST_HEAD gUnpckPages = LIST_HEAD_INIT(gUnpckPages) |
Definition at line 49 of file unpacker.c.