doxygen/html/unpacker_8c_source.html

 /*
  * Copyright (c) 2020 Bitdefender
  * SPDX-License-Identifier: Apache-2.0
  */
 #include "unpacker.h"
 #include "decoder.h"
 #include "hook.h"


 #define UNPACK_STATE_NONE           0x00
 #define UNPACK_STATE_DIRTY          0x01
 #define UNPACK_STATE_EXEC           0x02


 typedef struct _UNPACK_PAGE
 {
     LIST_ENTRY      Link;
     QWORD           Cr3;
     QWORD           VirtualAddress;
     WORD            WriteCount;
     BYTE            State;
     PFUNC_PageUnpackedCallback UnpackCallback;
     PFUNC_PageIsWriteValid WriteCheckCallback;
     void           *CallbackContext;
     void           *WriteHook;
     void           *ExecHook;
 } UNPACK_PAGE, *PUNPACK_PAGE;


 static LIST_HEAD gUnpckPages = LIST_HEAD_INIT(gUnpckPages);


 static PUNPACK_PAGE
 IntUnpFindPage(
     _In_ QWORD Cr3,
     _In_ QWORD VirtualAddress
     )
 {
     LIST_ENTRY *list;

     list = gUnpckPages.Flink;
     while (list != &gUnpckPages)
     {
         PUNPACK_PAGE pPage = CONTAINING_RECORD(list, UNPACK_PAGE, Link);
         list = list->Flink;

         if ((pPage->VirtualAddress == VirtualAddress) && (pPage->Cr3 == Cr3))
         {
             return pPage;
         }
     }

     return NULL;
 }


 static INTSTATUS
 IntUnpUnWatchPageInternal(
     _In_ PUNPACK_PAGE Page
     )
 {
     INTSTATUS status;

     if (NULL == Page)
     {
         return INT_STATUS_INVALID_PARAMETER_1;
     }

     if (NULL != Page->WriteHook)
     {
         status = IntHookGvaRemoveHook((HOOK_GVA **)&Page->WriteHook, 0);
         if (!INT_SUCCESS(status))
         {
             ERROR("[ERROR] IntHookGvaRemoveHook failed: 0x%08x\n", status);
         }
     }

     if (NULL != Page->ExecHook)
     {
         status = IntHookGvaRemoveHook((HOOK_GVA **)&Page->ExecHook, 0);
         if (!INT_SUCCESS(status))
         {
             ERROR("[ERROR] IntHookGvaRemoveHook failed: 0x%08x\n", status);
         }
     }

     RemoveEntryList(&Page->Link);

     HpFreeAndNullWithTag(&Page, IC_TAG_UNPG);

     return INT_STATUS_SUCCESS;
 }


 static INTSTATUS
 IntUnpPageExecuteCallback(
     _In_opt_ void *Context,
     _In_ void *Hook,
     _In_ QWORD Address,
     _Out_ INTRO_ACTION *Action
     )
 {
     INTSTATUS status;
     PUNPACK_PAGE pPage;
     PFUNC_PageUnpackedCallback cbk;
     QWORD cr3, va;
     void *cbkCtxt;
     INSTRUX instrux;

     UNREFERENCED_PARAMETER(Hook);

     if (NULL == Context)
     {
         return INT_STATUS_INVALID_PARAMETER_1;
     }

     if (NULL == Action)
     {
         return INT_STATUS_INVALID_PARAMETER_5;
     }

     cbk = NULL;
     cbkCtxt = NULL;
     va = 0;
     cr3 = 0;

     pPage = (PUNPACK_PAGE)Context;

     pPage->State |= UNPACK_STATE_EXEC;

     if (pPage->State & UNPACK_STATE_DIRTY)
     {
         // Decode the designated instruction.
         status = IntDecDecodeInstructionAtRip(gVcpu->Index, &gVcpu->Regs, NULL, &instrux);
         if (!INT_SUCCESS(status))
         {
             ERROR("[ERROR] IntDecDecodeInstructionAtRip failed: 0x%08x\n", status);

             memset(&instrux, 0, sizeof(instrux));
         }

         if (NULL != pPage->UnpackCallback)
         {
             cbk = pPage->UnpackCallback;
             cr3 = pPage->Cr3;
             va = pPage->VirtualAddress + (Address & PAGE_OFFSET);
             cbkCtxt = pPage->CallbackContext;
         }
     }

     // Done, remove the hook from this page.
     IntUnpUnWatchPageInternal(pPage);

     if (NULL != cbk)
     {
         status = cbk(cr3, va, &instrux, cbkCtxt);
         if (!INT_SUCCESS(status))
         {
             ERROR("[ERROR] Unpacker callback failed: 0x%08x\n", status);
         }
     }

     *Action = introGuestAllowed;

     return INT_STATUS_SUCCESS;
 }


 static INTSTATUS
 IntUnpPageWriteCallback(
     _In_opt_ void *Context,
     _In_ void *Hook,
     _In_ QWORD Address,
     _Out_ INTRO_ACTION *Action
     )
 {
     INTSTATUS status;
     PUNPACK_PAGE pPage;
     BOOLEAN bValid;

     UNREFERENCED_PARAMETER(Address);
     UNREFERENCED_PARAMETER(Hook);

     if (NULL == Context)
     {
         return INT_STATUS_INVALID_PARAMETER_1;
     }

     if (NULL == Action)
     {
         return INT_STATUS_INVALID_PARAMETER_4;
     }


     pPage = (PUNPACK_PAGE)Context;

     // Check if the write is valid (example, it is an IAT).
     if (NULL != pPage->WriteCheckCallback)
     {
         bValid = pPage->WriteCheckCallback(pPage->Cr3,
                                            pPage->VirtualAddress + (Address & 0xFFF),
                                            pPage->CallbackContext);
     }
     else
     {
         bValid = FALSE;
     }

     if (!bValid)
     {
         pPage->State |= UNPACK_STATE_DIRTY;
         pPage->WriteCount++;
     }

     if (pPage->WriteCount >= 32)
     {
         if (NULL != pPage->WriteHook)
         {
             status = IntHookGvaRemoveHook((HOOK_GVA **)&pPage->WriteHook, 0);
             if (!INT_SUCCESS(status))
             {
                 ERROR("[ERROR] IntHookGvaRemoveHook failed: 0x%08x\n", status);
             }
         }

         status = IntHookGvaSetHook(pPage->Cr3,
                                    pPage->VirtualAddress,
                                    PAGE_SIZE,
                                    IG_EPT_HOOK_EXECUTE,
                                    IntUnpPageExecuteCallback,
                                    pPage,
                                    NULL,
                                    0,
                                    (PHOOK_GVA *)&pPage->ExecHook);
         if (!INT_SUCCESS(status))
         {
             ERROR("[ERROR] IntHookGvaSetHook failed: 0x%08x\n", status);
             pPage->ExecHook = NULL;
             goto cleanup_and_exit;
         }
     }

 cleanup_and_exit:

     // We will always allow the actions, but we won't send any notifications.
     *Action = introGuestAllowed;

     return INT_STATUS_SUCCESS;
 }


 INTSTATUS
 IntUnpWatchPage(
     _In_ QWORD Cr3,
     _In_ QWORD VirtualAddress,
     _In_ PFUNC_PageUnpackedCallback UnpackCallback,
     _In_ PFUNC_PageIsWriteValid WriteCheckCallback,
     _In_opt_ void *CallbackContext
     )
 {
     INTSTATUS status;

     UNPACK_PAGE *pPage = HpAllocWithTag(sizeof(*pPage), IC_TAG_UNPG);
     if (NULL == pPage)
     {
         return INT_STATUS_INSUFFICIENT_RESOURCES;
     }

     pPage->Cr3 = Cr3;
     pPage->VirtualAddress = VirtualAddress;
     pPage->State = UNPACK_STATE_NONE;
     pPage->UnpackCallback = UnpackCallback;
     pPage->WriteCheckCallback = WriteCheckCallback;
     pPage->CallbackContext = CallbackContext;
     pPage->WriteHook = NULL;
     pPage->ExecHook = NULL;

     InsertTailList(&gUnpckPages, &pPage->Link);

     status = IntHookGvaSetHook(Cr3,
                                VirtualAddress,
                                PAGE_SIZE,
                                IG_EPT_HOOK_WRITE,
                                IntUnpPageWriteCallback,
                                pPage,
                                NULL,
                                0,
                                (PHOOK_GVA *)&pPage->WriteHook);
     if (!INT_SUCCESS(status))
     {
         ERROR("[ERROR] IntHookGvaSetHook failed: 0x%08x\n", status);
         pPage->WriteHook = NULL;
         goto cleanup_and_exit;
     }

     status = INT_STATUS_SUCCESS;

 cleanup_and_exit:
     if (!INT_SUCCESS(status))
     {
         if (NULL != pPage)
         {
             IntUnpUnWatchPageInternal(pPage);
         }
     }

     return status;
 }


 INTSTATUS
 IntUnpUnWatchPage(
     _In_ QWORD Cr3,
     _In_ QWORD VirtualAddress
     )
 {
     INTSTATUS status;
     LIST_ENTRY *list;

     list = gUnpckPages.Flink;
     while (list != &gUnpckPages)
     {
         PUNPACK_PAGE pPage = CONTAINING_RECORD(list, UNPACK_PAGE, Link);
         list = list->Flink;

         if ((pPage->VirtualAddress == VirtualAddress) && (pPage->Cr3 == Cr3))
         {
             status = IntUnpUnWatchPageInternal(pPage);
             if (!INT_SUCCESS(status))
             {
                 ERROR("[ERROR] IntUnpUnWatchPageInternal failed: 0x%08x, page 0x%016llx/0x%016llx\n",
                       status,
                       pPage->VirtualAddress,
                       pPage->Cr3);
             }

             break;
         }
     }

     return INT_STATUS_SUCCESS;
 }


 INTSTATUS
 IntUnpUnWatchVaSpacePages(
     _In_ QWORD Cr3
     )
 {
     INTSTATUS status;
     LIST_ENTRY *list;

     list = gUnpckPages.Flink;
     while (list != &gUnpckPages)
     {
         PUNPACK_PAGE pPage = CONTAINING_RECORD(list, UNPACK_PAGE, Link);
         list = list->Flink;

         if (pPage->Cr3 == Cr3)
         {
             status = IntUnpUnWatchPageInternal(pPage);
             if (!INT_SUCCESS(status))
             {
                 ERROR("[ERROR] IntUnpUnWatchPageInternal failed: 0x%08x, page 0x%016llx/0x%016llx\n",
                       status, pPage->VirtualAddress, pPage->Cr3);
             }
         }
     }

     return INT_STATUS_SUCCESS;
 }


 INTSTATUS
 IntUnpRemovePages(
     void
     )
 {
     INTSTATUS status;
     LIST_ENTRY *list;

     list = gUnpckPages.Flink;
     while (list != &gUnpckPages)
     {
         PUNPACK_PAGE pPage = CONTAINING_RECORD(list, UNPACK_PAGE, Link);
         list = list->Flink;

         status = IntUnpUnWatchPageInternal(pPage);
         if (!INT_SUCCESS(status))
         {
             ERROR("[ERROR] IntUnpUnWatchPageInternal failed: 0x%08x, page 0x%016llx/0x%016llx\n",
                   status, pPage->VirtualAddress, pPage->Cr3);
         }
     }

     return INT_STATUS_SUCCESS;
 }


 void
 IntUnpUninit(
     void
     )
 {
     IntUnpRemovePages();
 }
_In_opt_
#define _In_opt_
Definition: intro_sal.h:16

_UNPACK_PAGE::CallbackContext
void * CallbackContext
Optional context, passed to the callbacks.
Definition: unpacker.c:43

BOOLEAN
_Bool BOOLEAN
Definition: intro_types.h:58

_Out_
#define _Out_
Definition: intro_sal.h:22

CONTAINING_RECORD
#define CONTAINING_RECORD(List, Type, Member)
Definition: introlists.h:36

BYTE
uint8_t BYTE
Definition: intro_types.h:47

_VCPU_STATE::Regs
IG_ARCH_REGS Regs
The current state of the guest registers.
Definition: guests.h:95

_VCPU_STATE::Index
DWORD Index
The VCPU number.
Definition: guests.h:172

_In_
#define _In_
Definition: intro_sal.h:21

INT_STATUS_SUCCESS
#define INT_STATUS_SUCCESS
Definition: introstatus.h:54

WORD
uint16_t WORD
Definition: intro_types.h:48

_LIST_ENTRY::Flink
struct _LIST_ENTRY * Flink
Definition: introlists.h:20

_UNPACK_PAGE::ExecHook
void * ExecHook
Exec hook handle.
Definition: unpacker.c:45

IntUnpUnWatchVaSpacePages
INTSTATUS IntUnpUnWatchVaSpacePages(QWORD Cr3)
Stop monitoring all pages belonging to a virtual address space.
Definition: unpacker.c:438

INT_SUCCESS
#define INT_SUCCESS(Status)
Definition: introstatus.h:42

PAGE_OFFSET
#define PAGE_OFFSET
Definition: pgtable.h:32

PFUNC_PageUnpackedCallback
INTSTATUS(* PFUNC_PageUnpackedCallback)(QWORD Cr3, QWORD VirtualAddress, PINSTRUX Instrux, void *Context)
Called when a page is considered to be "unpacked".
Definition: unpacker.h:24

_UNPACK_PAGE::VirtualAddress
QWORD VirtualAddress
Page virtual address.
Definition: unpacker.c:38

ERROR
#define ERROR(fmt,...)
Definition: glue.h:62

IntDecDecodeInstructionAtRip
INTSTATUS IntDecDecodeInstructionAtRip(DWORD CpuNumber, IG_ARCH_REGS *Registers, IG_SEG_REGS *Segments, INSTRUX *Instrux)
Decode an instruction at current RIP on the provided VCPU.
Definition: decoder.c:384

HpAllocWithTag
#define HpAllocWithTag(Len, Tag)
Definition: glue.h:516

INTSTATUS
int INTSTATUS
The status data type.
Definition: introstatus.h:24

IntUnpPageWriteCallback
static INTSTATUS IntUnpPageWriteCallback(void *Context, void *Hook, QWORD Address, INTRO_ACTION *Action)
Handle writes inside a monitored page.
Definition: unpacker.c:218

unpacker.h

_UNPACK_PAGE::WriteCount
WORD WriteCount
Number of times the page has been written.
Definition: unpacker.c:39

_UNPACK_PAGE::Link
LIST_ENTRY Link
List entry link.
Definition: unpacker.c:36

IntUnpUnWatchPageInternal
static INTSTATUS IntUnpUnWatchPageInternal(PUNPACK_PAGE Page)
Remove monitor from the indicated page.
Definition: unpacker.c:86

IntHookGvaSetHook
INTSTATUS IntHookGvaSetHook(QWORD Cr3, QWORD Gva, DWORD Length, BYTE Type, void *Callback, void *Context, void *ParentHook, DWORD Flags, HOOK_GVA **GvaHook)
Set a read, write, execute or swap hook on a guest virtual address.
Definition: hook_gva.c:345

IntUnpPageExecuteCallback
static INTSTATUS IntUnpPageExecuteCallback(void *Context, void *Hook, QWORD Address, INTRO_ACTION *Action)
Handle executions from a monitored page.
Definition: unpacker.c:132

hook.h

_HOOK_GVA
Definition: hook_gva.h:18

RemoveEntryList
static BOOLEAN RemoveEntryList(LIST_ENTRY *Entry)
Definition: introlists.h:87

QWORD
unsigned long long QWORD
Definition: intro_types.h:53

_UNPACK_PAGE::WriteHook
void * WriteHook
Write hook handle.
Definition: unpacker.c:44

INT_STATUS_INVALID_PARAMETER_4
#define INT_STATUS_INVALID_PARAMETER_4
Definition: introstatus.h:71

HpFreeAndNullWithTag
#define HpFreeAndNullWithTag(Add, Tag)
Definition: glue.h:517

INT_STATUS_INVALID_PARAMETER_5
#define INT_STATUS_INVALID_PARAMETER_5
Definition: introstatus.h:74

_UNPACK_PAGE::WriteCheckCallback
PFUNC_PageIsWriteValid WriteCheckCallback
Write callback, called when the page is written.
Definition: unpacker.c:42

InsertTailList
static void InsertTailList(LIST_ENTRY *ListHead, LIST_ENTRY *Entry)
Definition: introlists.h:135

IntHookGvaRemoveHook
INTSTATUS IntHookGvaRemoveHook(HOOK_GVA **Hook, DWORD Flags)
Remove a GVA hook.
Definition: hook_gva.c:507

_UNPACK_PAGE
Definition: unpacker.c:34

PAGE_SIZE
#define PAGE_SIZE
Definition: common.h:70

UNREFERENCED_PARAMETER
#define UNREFERENCED_PARAMETER(P)
Definition: introdefs.h:29

decoder.h

IntUnpUninit
void IntUnpUninit(void)
Uninit the unpacker. This will stop the monitor on all pages.
Definition: unpacker.c:505

INTRO_ACTION
enum _INTRO_ACTION INTRO_ACTION
Event actions.

UNPACK_STATE_EXEC
#define UNPACK_STATE_EXEC
The page contains code that has been fetched for execution.
Definition: unpacker.c:28

IntUnpUnWatchPage
INTSTATUS IntUnpUnWatchPage(QWORD Cr3, QWORD VirtualAddress)
Stop monitoring the indicated page.
Definition: unpacker.c:396

UNPACK_PAGE
struct _UNPACK_PAGE UNPACK_PAGE

UNPACK_STATE_DIRTY
#define UNPACK_STATE_DIRTY
The page was written.
Definition: unpacker.c:27

PFUNC_PageIsWriteValid
BOOLEAN(* PFUNC_PageIsWriteValid)(QWORD Cr3, QWORD VirtualAddress, void *Context)
Called when a page is written.
Definition: unpacker.h:47

IntUnpFindPage
static PUNPACK_PAGE IntUnpFindPage(QWORD Cr3, QWORD VirtualAddress)
Finds a monitored page.
Definition: unpacker.c:54

introGuestAllowed
Definition: intro_types.h:149

_UNPACK_PAGE::Cr3
QWORD Cr3
Virtual address space this page belongs to.
Definition: unpacker.c:37

LIST_HEAD_INIT
#define LIST_HEAD_INIT(Name)
Definition: introlists.h:39

IC_TAG_UNPG
#define IC_TAG_UNPG
Protected unpacker-page.
Definition: memtags.h:39

INT_STATUS_INVALID_PARAMETER_1
#define INT_STATUS_INVALID_PARAMETER_1
Definition: introstatus.h:62

gVcpu
VCPU_STATE * gVcpu
The state of the current VCPU.
Definition: guests.c:59

Page
VE_CACHE_LINE * Page
Mapped page inside Introspection virtual address space.
Definition: vecore.c:120

IntUnpRemovePages
INTSTATUS IntUnpRemovePages(void)
Stop monitoring all pages.
Definition: unpacker.c:474

gUnpckPages
static LIST_HEAD gUnpckPages
Definition: unpacker.c:49

_UNPACK_PAGE::UnpackCallback
PFUNC_PageUnpackedCallback UnpackCallback
Unpack callback, called as soon as the page has been unpacked.
Definition: unpacker.c:41

UNPACK_STATE_NONE
#define UNPACK_STATE_NONE
Initial state.
Definition: unpacker.c:26

IG_EPT_HOOK_EXECUTE
Execute-access hook.
Definition: glueiface.h:300

IG_EPT_HOOK_WRITE
Write-access hook.
Definition: glueiface.h:299

_UNPACK_PAGE::State
BYTE State
Page state - check UNPACK_STATE*.
Definition: unpacker.c:40

IntUnpWatchPage
INTSTATUS IntUnpWatchPage(QWORD Cr3, QWORD VirtualAddress, PFUNC_PageUnpackedCallback UnpackCallback, PFUNC_PageIsWriteValid WriteCheckCallback, void *CallbackContext)
Monitor a page against unpacking.
Definition: unpacker.c:316

PUNPACK_PAGE
struct _UNPACK_PAGE * PUNPACK_PAGE

_LIST_ENTRY
Definition: introlists.h:16

FALSE
#define FALSE
Definition: intro_types.h:34

INT_STATUS_INSUFFICIENT_RESOURCES
#define INT_STATUS_INSUFFICIENT_RESOURCES
Definition: introstatus.h:281