Bitdefender Hypervisor Memory Introspection
winstubs.h
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2020 Bitdefender
3  * SPDX-License-Identifier: Apache-2.0
4  */
5 #ifndef _WINSTUBS_H_
6 #define _WINSTUBS_H_
7 
8 //
9 // x64 & x86 trampoline code - this will get injected inside a kernel slack space, and it won't be removed (only at
10 // Introcore shutdown). This will basically act as buffer between the hooked instruction and the real loader, that will
11 // be injected wherever (slack space, module headers, pool, etc.).
12 //
13 BYTE gTrampolineAgentx64[15] =
14 {
15  0x50,
16  0xcc,
17  0x48, 0x85, 0xc0,
18  0x74, 0x02,
19  0xff, 0xd0,
20  0x58,
21  0xc3,
22  0xcc,
23  0x31, 0xc0,
24  0xc3,
25 };
26 
27 #define TRAMP_X64_STOP 11
28 #define TRAMP_X64_VMCALL1 1
29 #define TRAMP_X64_VMCALL2 11
30 
31 
32 BYTE gTrampolineAgentx86[15] =
33 {
34  0x50,
35  0xcc,
36  0x90, 0x85, 0xc0,
37  0x74, 0x02,
38  0xff, 0xd0,
39  0x58,
40  0xc3,
41  0xcc,
42  0x31, 0xc0,
43  0xc3,
44 };
45 
46 #define TRAMP_X86_STOP 11
47 #define TRAMP_X86_VMCALL1 1
48 #define TRAMP_X86_VMCALL2 11
49 
50 #define TRAMPOLINE_MAX_SIZE \
51  (sizeof(gTrampolineAgentx64) > sizeof(gTrampolineAgentx86)) ? sizeof(gTrampolineAgentx64) : sizeof(gTrampolineAgentx86)
52 
53 //
54 // 64 bit bootstrap agent code. These bootstraps will start a kernel thread that will execute the injected agent.
55 //
56 BYTE gWindowsBootstrapAgentx64[0x180] =
57 {
58  0x50, 0x51, 0x52, 0x53, 0x55, 0x56, 0x57, 0x41, 0x50, 0x41, 0x51, 0x41, 0x52, 0x41, 0x53, 0x41,
59  0x54, 0x41, 0x55, 0x41, 0x56, 0x41, 0x57, 0x4d, 0x31, 0xf6, 0x48, 0xf7, 0xc4, 0x0f, 0x00, 0x00,
60  0x00, 0x74, 0x09, 0x41, 0xbe, 0x08, 0x00, 0x00, 0x00, 0x4c, 0x29, 0xf4, 0x31, 0xc9, 0x8b, 0x15,
61  0x14, 0x01, 0x00, 0x00, 0x44, 0x8b, 0x05, 0x11, 0x01, 0x00, 0x00, 0x48, 0x83, 0xec, 0x20, 0xff,
62  0x15, 0xeb, 0x00, 0x00, 0x00, 0x48, 0x83, 0xc4, 0x20, 0x4c, 0x01, 0xf4, 0x48, 0x31, 0xf6, 0x48,
63  0x85, 0xc0, 0x75, 0x05, 0xbe, 0x9a, 0x00, 0x00, 0xc0, 0x48, 0x89, 0xc1, 0x48, 0x8b, 0x15, 0xf5,
64  0x00, 0x00, 0x00, 0xcc, 0x4c, 0x29, 0xf4, 0x49, 0x89, 0xcf, 0x4d, 0x89, 0xfd, 0x44, 0x8b, 0x05,
65  0xdc, 0x00, 0x00, 0x00, 0x4d, 0x01, 0xc7, 0x48, 0x83, 0xec, 0x08, 0x48, 0x89, 0xe1, 0xba, 0x00,
66  0x00, 0x1f, 0x00, 0x4d, 0x31, 0xc0, 0x4d, 0x31, 0xc9, 0x41, 0x57, 0x48, 0x8d, 0x05, 0x3c, 0x00,
67  0x00, 0x00, 0x50, 0x6a, 0x00, 0x48, 0x83, 0xec, 0x20, 0xff, 0x15, 0xa1, 0x00, 0x00, 0x00, 0x48,
68  0x83, 0xc4, 0x40, 0x85, 0xc0, 0x79, 0x19, 0x50, 0x48, 0x83, 0xec, 0x28, 0x4c, 0x89, 0xe9, 0x8b,
69  0x15, 0x97, 0x00, 0x00, 0x00, 0xff, 0x15, 0x7d, 0x00, 0x00, 0x00, 0x48, 0x83, 0xc4, 0x28, 0x58,
70  0x4c, 0x01, 0xf4, 0x48, 0x89, 0xc1, 0x48, 0x8b, 0x15, 0x93, 0x00, 0x00, 0x00, 0xcc, 0xf3, 0x90,
71  0x83, 0x3d, 0x7d, 0x00, 0x00, 0x00, 0x00, 0x74, 0xf5, 0x51, 0x48, 0x83, 0xec, 0x20, 0xff, 0xd1,
72  0x48, 0x8b, 0x4c, 0x24, 0x20, 0x57, 0x48, 0x89, 0xcf, 0x8b, 0x0d, 0x61, 0x00, 0x00, 0x00, 0x48,
73  0x29, 0xcf, 0x49, 0x89, 0xf8, 0x8b, 0x0d, 0x4d, 0x00, 0x00, 0x00, 0x31, 0xc0, 0xf3, 0xaa, 0x4c,
74  0x89, 0xc1, 0x5f, 0x8b, 0x15, 0x43, 0x00, 0x00, 0x00, 0xff, 0x15, 0x29, 0x00, 0x00, 0x00, 0x48,
75  0x83, 0xc4, 0x28, 0x48, 0x8b, 0x15, 0x4e, 0x00, 0x00, 0x00, 0xcc, 0xff, 0x25, 0x4f, 0x00, 0x00,
76  0x00, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
77  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
78  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
79  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
80  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
81  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
82 };
83 
84 #define OFFSET_WIN_X64_ALLOC 0x130
85 #define OFFSET_WIN_X64_FREE 0x138
86 #define OFFSET_WIN_X64_THREAD 0x140
87 #define OFFSET_WIN_X64_AGENT_SIZE 0x148
88 #define OFFSET_WIN_X64_AGENT_TAG 0x14C
89 #define OFFSET_WIN_X64_AGENT_EP 0x150
90 #define OFFSET_WIN_X64_SEMAPHORE 0x154
91 #define OFFSET_WIN_X64_TOKEN1 0x158
92 #define OFFSET_WIN_X64_TOKEN2 0x160
93 #define OFFSET_WIN_X64_TOKEN3 0x168
94 #define OFFSET_WIN_X64_JUMPBACK 0x170
95 
96 
97 
98 //
99 // 32 bit bootstrap agent code.
100 //
101 BYTE gWindowsBootstrapAgentx86[0x120] =
102 {
103  0x60, 0xbd, 0xbd, 0xbd, 0xbd, 0xbd, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0xff, 0xb5, 0x00,
104  0x01, 0x00, 0x00, 0xff, 0xb5, 0xfc, 0x00, 0x00, 0x00, 0x6a, 0x00, 0xff, 0x95, 0xf0, 0x00, 0x00,
105  0x00, 0x31, 0xf6, 0x85, 0xc0, 0x75, 0x05, 0xbe, 0x9a, 0x00, 0x00, 0xc0, 0x89, 0xc1, 0x8b, 0x95,
106  0x0c, 0x01, 0x00, 0x00, 0xcc, 0x89, 0xc8, 0x89, 0xc6, 0x8b, 0x9d, 0x04, 0x01, 0x00, 0x00, 0x01,
107  0xd8, 0x83, 0xec, 0x08, 0x50, 0x8d, 0x8d, 0x81, 0x00, 0x00, 0x00, 0x51, 0x6a, 0x00, 0x6a, 0x00,
108  0x6a, 0x00, 0x68, 0x00, 0x00, 0x1f, 0x00, 0x8d, 0x4c, 0x24, 0x18, 0x51, 0xff, 0x95, 0xf8, 0x00,
109  0x00, 0x00, 0x83, 0xc4, 0x08, 0x85, 0xc0, 0x79, 0x0f, 0x50, 0xff, 0xb5, 0x00, 0x01, 0x00, 0x00,
110  0x56, 0xff, 0x95, 0xf4, 0x00, 0x00, 0x00, 0x58, 0x89, 0xc1, 0x8b, 0x95, 0x10, 0x01, 0x00, 0x00,
111  0xcc, 0x60, 0xe8, 0x00, 0x00, 0x00, 0x00, 0x5d, 0x81, 0xed, 0x87, 0x00, 0x00, 0x00, 0xf3, 0x90,
112  0x83, 0xbd, 0x08, 0x01, 0x00, 0x00, 0x00, 0x74, 0xf5, 0x8b, 0x4c, 0x24, 0x24, 0x51, 0x83, 0xec,
113  0x08, 0xff, 0xd1, 0x8b, 0x0c, 0x24, 0x89, 0xcf, 0x2b, 0xbd, 0x04, 0x01, 0x00, 0x00, 0x89, 0xfe,
114  0x8b, 0x8d, 0xfc, 0x00, 0x00, 0x00, 0x31, 0xc0, 0xf3, 0xaa, 0xff, 0xb5, 0x00, 0x01, 0x00, 0x00,
115  0x56, 0xff, 0x95, 0xf4, 0x00, 0x00, 0x00, 0x83, 0xc4, 0x04, 0x8b, 0x95, 0x14, 0x01, 0x00, 0x00,
116  0xcc, 0x8b, 0x85, 0x18, 0x01, 0x00, 0x00, 0x89, 0x44, 0x24, 0x1c, 0x61, 0xff, 0xe0, 0x90, 0x90,
117  0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
118  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
119  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
120  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
121 };
122 
123 #define OFFSET_WIN_X86_RELOC 0x002
124 #define OFFSET_WIN_X86_ALLOC 0xF0
125 #define OFFSET_WIN_X86_FREE 0xF4
126 #define OFFSET_WIN_X86_THREAD 0xF8
127 #define OFFSET_WIN_X86_AGENT_SIZE 0xFC
128 #define OFFSET_WIN_X86_AGENT_TAG 0x100
129 #define OFFSET_WIN_X86_AGENT_EP 0x104
130 #define OFFSET_WIN_X86_SEMAPHORE 0x108
131 #define OFFSET_WIN_X86_TOKEN1 0x10C
132 #define OFFSET_WIN_X86_TOKEN2 0x110
133 #define OFFSET_WIN_X86_TOKEN3 0x114
134 #define OFFSET_WIN_X86_JUMPBACK 0x118
135 
136 
137 #endif // _WINSTUBS_H_
BYTE
uint8_t BYTE
Definition: intro_types.h:47
gWindowsBootstrapAgentx64
BYTE gWindowsBootstrapAgentx64[0x180]
Definition: winstubs.h:56
gTrampolineAgentx64
BYTE gTrampolineAgentx64[15]
Definition: winstubs.h:13
gWindowsBootstrapAgentx86
BYTE gWindowsBootstrapAgentx86[0x120]
Definition: winstubs.h:101
gTrampolineAgentx86
BYTE gTrampolineAgentx86[15]
Definition: winstubs.h:32