Bitdefender Hypervisor Memory Introspection
Typedefs

typedef INTSTATUS (*PFUNC_PageUnpackedCallback)(QWORD Cr3, QWORD VirtualAddress, PINSTRUX Instrux, void *Context)
    Called when a page is considered to be "unpacked".

typedef BOOLEAN (*PFUNC_PageIsWriteValid)(QWORD Cr3, QWORD VirtualAddress, void *Context)
    Called when a page is written.

Functions

INTSTATUS IntUnpWatchPage(QWORD Cr3, QWORD VirtualAddress, PFUNC_PageUnpackedCallback UnpackCallback, PFUNC_PageIsWriteValid WriteCheckCallback, void *CallbackContext)
    Monitor a page against unpacking.

INTSTATUS IntUnpUnWatchPage(QWORD Cr3, QWORD VirtualAddress)
    Stop monitoring the indicated page.

INTSTATUS IntUnpUnWatchVaSpacePages(QWORD Cr3)
    Stop monitoring all pages belonging to a virtual address space.

INTSTATUS IntUnpRemovePages(void)
    Stop monitoring all pages.

void IntUnpUninit(void)
    Uninit the unpacker. This will stop the monitor on all pages.
typedef BOOLEAN (*PFUNC_PageIsWriteValid)(QWORD Cr3, QWORD VirtualAddress, void *Context)

Called when a page is written.

This callback is called when a monitored page is written. The callback is used to validate the write, that is, to determine whether the write is legitimate. A legitimate write could be, for example, a write inside the IAT made by the loader. Legitimate writes are not considered by the algorithm: if only legitimate writes take place inside the page and the page is then executed, the unpack callback will not be triggered.

Parameters
    [in]  Cr3             Virtual address space.
    [in]  VirtualAddress  The virtual address of the monitored page that was written.
    [in]  Context         Optional context, as passed to the monitor function.

Definition at line 47 of file unpacker.h.
typedef INTSTATUS (*PFUNC_PageUnpackedCallback)(QWORD Cr3, QWORD VirtualAddress, PINSTRUX Instrux, void *Context)

Called when a page is considered to be "unpacked".

This callback is called when Introcore suspects that a monitored page has been unpacked. Put simply, the unpack algorithm watches for pages that are executed after having been modified.

Parameters
    [in]  Cr3             Virtual address space.
    [in]  VirtualAddress  The virtual address of the unpacked page.
    [in]  Instrux         The decoded instruction that has just been fetched for execution.
    [in]  Context         Optional context, as passed to the monitor function.

Definition at line 24 of file unpacker.h.
INTSTATUS IntUnpRemovePages(void)

Stop monitoring all pages.

Returns
    INT_STATUS_SUCCESS  On success.

Definition at line 474 of file unpacker.c.

Referenced by IntUnpUninit().
void IntUnpUninit(void)

Uninit the unpacker. This will stop the monitor on all pages.

Definition at line 505 of file unpacker.c.

Referenced by IntGuestUninit().
INTSTATUS IntUnpUnWatchPage(QWORD Cr3, QWORD VirtualAddress)

Stop monitoring the indicated page.

Parameters
    [in]  Cr3             The virtual address space.
    [in]  VirtualAddress  The address to stop monitoring against unpack.

Returns
    INT_STATUS_SUCCESS  On success.

Definition at line 396 of file unpacker.c.
INTSTATUS IntUnpUnWatchVaSpacePages(QWORD Cr3)

Stop monitoring all pages belonging to a virtual address space.

Parameters
    [in]  Cr3  The virtual address space to stop monitoring against unpack.

Returns
    INT_STATUS_SUCCESS  On success.

Definition at line 438 of file unpacker.c.

Referenced by IntWinModulesChangeProtectionFlags(), and IntWinModUnHookModule().
INTSTATUS IntUnpWatchPage(QWORD Cr3, QWORD VirtualAddress, PFUNC_PageUnpackedCallback UnpackCallback, PFUNC_PageIsWriteValid WriteCheckCallback, void *CallbackContext)

Monitor a page against unpacking.

This function starts monitoring the indicated page against unpacking. The algorithm is fairly simple:

Parameters
    [in]  Cr3                 Virtual address space.
    [in]  VirtualAddress      The virtual address of the page to be monitored.
    [in]  UnpackCallback      Called when the page is deemed to be "unpacked".
    [in]  WriteCheckCallback  Called on each write, to validate it. Some writes may be valid (for example, the writes made by the loader inside the IAT).
    [in]  CallbackContext     Optional context to be passed to the unpack and write callbacks.

Returns
    INT_STATUS_SUCCESS                 On success.
    INT_STATUS_INSUFFICIENT_RESOURCES  If a memory allocation fails.

Definition at line 316 of file unpacker.c.

Referenced by IntWinModHookPoly().
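The following C model is an added example, not code from the HVMI page or from Introcore itself. It shows the rule that PFUNC_PageIsWriteValid, PFUNC_PageUnpackedCallback and IntUnpWatchPage describe: a watched page becomes "dirty" only on writes the validator rejects, and an execute on a dirty page fires the unpack report, so loader IAT fixups on their own never trigger it. Every demo_* name, the fixed 16-entry table, the sample addresses and the CR3 value are assumptions of this example; Introcore's real EPT hooking, instruction decoding and INTSTATUS codes are not reproduced.

```c
/* Added illustration of the write-then-execute rule documented above. Not
 * Introcore code; every demo_* name and constant is an assumption made here. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define DEMO_PAGE_SIZE 0x1000ULL
#define DEMO_MAX_PAGES 16

/* The two callback roles from unpacker.h: validate a write, report an unpack. */
typedef bool (*demo_write_valid_fn)(uint64_t cr3, uint64_t va, void *ctx);
typedef void (*demo_unpacked_fn)(uint64_t cr3, uint64_t va, void *ctx);

typedef struct {
    uint64_t cr3;      /* address space the page belongs to */
    uint64_t page_va;  /* page-aligned virtual address */
    bool dirty;        /* a non-legitimate write landed here since the last report */
    bool in_use;
} demo_watched_page;

typedef struct {
    demo_watched_page pages[DEMO_MAX_PAGES];
    demo_write_valid_fn write_valid;
    demo_unpacked_fn unpacked;
    void *ctx;
} demo_unpacker;

static demo_watched_page *demo_find(demo_unpacker *u, uint64_t cr3, uint64_t va)
{
    uint64_t page = va & ~(DEMO_PAGE_SIZE - 1);
    for (size_t i = 0; i < DEMO_MAX_PAGES; i++)
        if (u->pages[i].in_use && u->pages[i].cr3 == cr3 && u->pages[i].page_va == page)
            return &u->pages[i];
    return NULL;
}

/* Start monitoring: 0 on success, -1 when the fixed table is full (the
 * analogue of IntUnpWatchPage returning INT_STATUS_INSUFFICIENT_RESOURCES). */
int demo_watch_page(demo_unpacker *u, uint64_t cr3, uint64_t va)
{
    if (demo_find(u, cr3, va)) return 0;  /* already monitored */
    for (size_t i = 0; i < DEMO_MAX_PAGES; i++) {
        if (!u->pages[i].in_use) {
            u->pages[i] = (demo_watched_page){ cr3, va & ~(DEMO_PAGE_SIZE - 1), false, true };
            return 0;
        }
    }
    return -1;
}

/* Write hook: a write the validator accepts (e.g. a loader IAT fixup) is ignored. */
void demo_on_write(demo_unpacker *u, uint64_t cr3, uint64_t va)
{
    demo_watched_page *p = demo_find(u, cr3, va);
    if (!p) return;
    if (u->write_valid && u->write_valid(cr3, va, u->ctx)) return;
    p->dirty = true;
}

/* Execute hook: fetching code from a dirty page is the unpack signal. */
bool demo_on_execute(demo_unpacker *u, uint64_t cr3, uint64_t va)
{
    demo_watched_page *p = demo_find(u, cr3, va);
    if (!p || !p->dirty) return false;
    p->dirty = false;  /* report once per write-then-execute cycle */
    if (u->unpacked) u->unpacked(cr3, va, u->ctx);
    return true;
}

/* Constructed scenario: one watched page whose first 0x100 bytes stand in for the IAT. */
typedef struct { uint64_t iat_start, iat_end; int reports; } demo_ctx;

static bool demo_iat_write_ok(uint64_t cr3, uint64_t va, void *ctx)
{
    demo_ctx *c = ctx; (void)cr3;
    return va >= c->iat_start && va < c->iat_end;
}

static void demo_report(uint64_t cr3, uint64_t va, void *ctx)
{
    (void)cr3; (void)va;
    ((demo_ctx *)ctx)->reports++;
}

/* Returns how many unpack reports the scenario produced. */
int demo_scenario(void)
{
    demo_ctx c = { 0x401000, 0x401100, 0 };
    demo_unpacker u = { .write_valid = demo_iat_write_ok, .unpacked = demo_report, .ctx = &c };
    uint64_t cr3 = 0x1aa000;  /* constructed CR3 value */
    demo_watch_page(&u, cr3, 0x401000);
    demo_on_write(&u, cr3, 0x401010);    /* IAT fixup: legitimate, page stays clean */
    demo_on_execute(&u, cr3, 0x401500);  /* clean page executes: no report */
    demo_on_write(&u, cr3, 0x401600);    /* code bytes rewritten: page is now dirty */
    demo_on_execute(&u, cr3, 0x401604);  /* dirty page executes: one report */
    demo_on_execute(&u, cr3, 0x401608);  /* no second report until written again */
    return c.reports;
}
```

The validator is consulted on every write and decides alone whether the write counts; a page that only ever receives accepted writes is never reported, which is exactly the IAT case the documentation uses. Clearing the dirty flag on report keeps one write-then-execute cycle from being reported repeatedly, a choice made for this example rather than something the page states about Introcore.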