Bitdefender Hypervisor Memory Introspection
unpacker.h File Reference
#include "introtypes.h"
#include "bddisasm.h"


Typedefs

typedef INTSTATUS(* PFUNC_PageUnpackedCallback) (QWORD Cr3, QWORD VirtualAddress, PINSTRUX Instrux, void *Context)
 Called when a page is considered to be "unpacked".
 
typedef BOOLEAN(* PFUNC_PageIsWriteValid) (QWORD Cr3, QWORD VirtualAddress, void *Context)
 Called when a page is written.
 

Functions

INTSTATUS IntUnpWatchPage (QWORD Cr3, QWORD VirtualAddress, PFUNC_PageUnpackedCallback UnpackCallback, PFUNC_PageIsWriteValid WriteCheckCallback, void *CallbackContext)
 Monitor a page against unpacking.
 
INTSTATUS IntUnpUnWatchPage (QWORD Cr3, QWORD VirtualAddress)
 Stop monitoring the indicated page.
 
INTSTATUS IntUnpUnWatchVaSpacePages (QWORD Cr3)
 Stop monitoring all pages belonging to a virtual address space.
 
INTSTATUS IntUnpRemovePages (void)
 Stop monitoring all pages.
 
void IntUnpUninit (void)
 Uninit the unpacker. This will stop the monitor on all pages.
 

Typedef Documentation

◆ PFUNC_PageIsWriteValid

typedef BOOLEAN(* PFUNC_PageIsWriteValid) (QWORD Cr3, QWORD VirtualAddress, void *Context)

Called when a page is written.

This callback is called when a monitored page is written. The callback is used to validate the write - to determine if the write is legitimate or not. A legitimate write could be, for example, a write inside the IAT, made by the loader. Legitimate writes are not considered by the algorithm - for example, if only legitimate writes take place inside the page, and the page is executed, the unpack callback will not be triggered.

Parameters
[in] Cr3: Virtual address space.
[in] VirtualAddress: The virtual address of the unpacked page.
[in] Context: Optional context, as passed to the monitor function.
Returns
True if the write is legitimate, or false otherwise.

Definition at line 47 of file unpacker.h.

◆ PFUNC_PageUnpackedCallback

typedef INTSTATUS(* PFUNC_PageUnpackedCallback) (QWORD Cr3, QWORD VirtualAddress, PINSTRUX Instrux, void *Context)

Called when a page is considered to be "unpacked".

This callback is called when Introcore suspects that a monitored page has been unpacked. Put simply, the unpack algorithm watches for pages that are executed after having been modified.

Parameters
[in] Cr3: Virtual address space.
[in] VirtualAddress: The virtual address of the unpacked page.
[in] Instrux: The decoded instruction that has just been fetched for execution.
[in] Context: Optional context, as passed to the monitor function.

Definition at line 24 of file unpacker.h.

Function Documentation

◆ IntUnpRemovePages()

INTSTATUS IntUnpRemovePages (void)

Stop monitoring all pages.

Return values
INT_STATUS_SUCCESS: On success.

Definition at line 474 of file unpacker.c.

Referenced by IntUnpUninit().

◆ IntUnpUninit()

void IntUnpUninit (void)

Uninit the unpacker. This will stop the monitor on all pages.

Definition at line 505 of file unpacker.c.

Referenced by IntGuestUninit().

◆ IntUnpUnWatchPage()

INTSTATUS IntUnpUnWatchPage (QWORD Cr3, QWORD VirtualAddress)

Stop monitoring the indicated page.

Parameters
[in] Cr3: The virtual address space.
[in] VirtualAddress: The address to stop monitoring against unpack.
Return values
INT_STATUS_SUCCESS: On success.

Definition at line 396 of file unpacker.c.

◆ IntUnpUnWatchVaSpacePages()

INTSTATUS IntUnpUnWatchVaSpacePages (QWORD Cr3)

Stop monitoring all pages belonging to a virtual address space.

Parameters
[in] Cr3: The virtual address space to stop monitoring against unpack.
Return values
INT_STATUS_SUCCESS: On success.

Definition at line 438 of file unpacker.c.

Referenced by IntWinModulesChangeProtectionFlags(), and IntWinModUnHookModule().

◆ IntUnpWatchPage()

INTSTATUS IntUnpWatchPage (QWORD Cr3, QWORD VirtualAddress, PFUNC_PageUnpackedCallback UnpackCallback, PFUNC_PageIsWriteValid WriteCheckCallback, void *CallbackContext)

Monitor a page against unpacking.

This function starts to monitor the indicated page against unpacking. The algorithm is fairly simple:

  1. Place a write hook on the indicated page;
  2. On each write inside the page, call the write check callback; if the write check callback returns true (valid write), do nothing; otherwise, mark the page dirty and increment the write count;
  3. Once the write count reaches a threshold (32), remove the write hook and place an execute hook on the page;
  4. When the page is executed, call the unpack callback, to indicate that the page has been unpacked.
Parameters
[in] Cr3: Virtual address space.
[in] VirtualAddress: The virtual address of the page to be monitored.
[in] UnpackCallback: Called when the page is deemed to be "unpacked".
[in] WriteCheckCallback: Called on each write, to validate it. Some writes may be valid (for example, the writes made by the loader inside the IAT).
[in] CallbackContext: Optional context to be passed to the unpack & write callbacks.
Return values
INT_STATUS_SUCCESS: On success.
INT_STATUS_INSUFFICIENT_RESOURCES: If a memory alloc fails.

Definition at line 316 of file unpacker.c.

Referenced by IntWinModHookPoly().
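As an added example that is not part of HVMI or of this header, the four-step IntUnpWatchPage algorithm above modelled as a small user-space state machine in C, so the write-count threshold and the write-hook to execute-hook swap can be exercised offline. QWORD, BOOLEAN and INTSTATUS are stand-in typedefs, the "IAT" slice in the sample write check is a constructed range, and the PINSTRUX argument of the real unpack callback is omitted.

```c
#include <stdint.h>
#include <stdbool.h>
/* Stand-in types and threshold taken from this page's description (not HVMI's headers). */
typedef uint64_t QWORD; typedef bool BOOLEAN; typedef int INTSTATUS;
#define INT_STATUS_SUCCESS 0
#define UNP_WRITE_THRESHOLD 32                 /* step 3 of the algorithm */
#define PAGE_MASK (~(QWORD)0xFFF)
typedef enum { HOOK_NONE, HOOK_WRITE, HOOK_EXEC } HOOK_KIND;
typedef BOOLEAN (*PFUNC_PageIsWriteValid)(QWORD Cr3, QWORD Va, void *Ctx);
/* The real unpack callback also receives the decoded instruction (PINSTRUX); omitted here. */
typedef INTSTATUS (*PFUNC_PageUnpackedCallback)(QWORD Cr3, QWORD Va, void *Ctx);
typedef struct {
    QWORD Cr3, Va;                 /* address space and page being watched */
    HOOK_KIND Hook;                /* which hook is currently armed */
    unsigned WriteCount;           /* non-legitimate writes seen so far (dirty once > 0) */
    PFUNC_PageUnpackedCallback OnUnpacked;
    PFUNC_PageIsWriteValid IsWriteValid;
    void *Ctx;
} WATCHED_PAGE;

/* Step 1: arm a write hook on the page containing `va`. */
INTSTATUS UnpWatchPage(WATCHED_PAGE *p, QWORD cr3, QWORD va,
                       PFUNC_PageUnpackedCallback unp, PFUNC_PageIsWriteValid chk, void *ctx)
{
    *p = (WATCHED_PAGE){ cr3, va & PAGE_MASK, HOOK_WRITE, 0, unp, chk, ctx };
    return INT_STATUS_SUCCESS;
}
/* Steps 2-3: a guest write at `addr`. Legitimate writes (per the check callback) are
 * ignored; the others count toward swapping the write hook for an execute hook. */
void UnpOnWrite(WATCHED_PAGE *p, QWORD addr)
{
    if (p->Hook != HOOK_WRITE || (addr & PAGE_MASK) != p->Va) return;
    if (p->IsWriteValid && p->IsWriteValid(p->Cr3, addr, p->Ctx)) return;
    if (++p->WriteCount >= UNP_WRITE_THRESHOLD) p->Hook = HOOK_EXEC;
}

/* Step 4: execution while the execute hook is armed means "unpacked"; report once. */
bool UnpOnExecute(WATCHED_PAGE *p)
{
    if (p->Hook != HOOK_EXEC) return false;
    p->Hook = HOOK_NONE;
    if (p->OnUnpacked) p->OnUnpacked(p->Cr3, p->Va, p->Ctx);
    return true;
}
/* Constructed sample callbacks: writes into a pretend IAT slice (page offsets
 * 0x100..0x1FF) are legitimate; each unpack event is tallied through Ctx. */
BOOLEAN IatWriteValid(QWORD Cr3, QWORD Va, void *Ctx)
{ (void)Cr3; (void)Ctx; return (Va & 0xFFF) >= 0x100 && (Va & 0xFFF) < 0x200; }
INTSTATUS CountUnpacked(QWORD Cr3, QWORD Va, void *Ctx)
{ (void)Cr3; (void)Va; ++*(int *)Ctx; return INT_STATUS_SUCCESS; }
```

Driving the model with 31 suspicious writes, any number of IAT writes and a write to another page leaves the write hook armed; the 32nd suspicious write arms the execute hook and the next execution fires the callback exactly once.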