Bitdefender Hypervisor Memory Introspection
stats.c
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2020 Bitdefender
3  * SPDX-License-Identifier: Apache-2.0
4  */
17 
18 #include "guests.h"
19 
21 STAT_COUNTER gCounters[statsMaxCounter] = {0};
22 
23 #ifdef STATS_HAS_HIGHRES_TIMER
24 static INT64 gStatCallTimeNs;
26 #endif
27 
28 __pure
29 static const char *
30 IntStatGetName(
31  _In_ STAT_ID StatId
32  )
40 {
41 #define __stats_case(x) case x: return &(#x[5])
42 
43  switch (StatId)
44  {
45  __stats_case(statsEptViolation);
46  __stats_case(statsEptRead);
47  __stats_case(statsEptWrite);
48  __stats_case(statsEptExecute);
49  __stats_case(statsEptKernel);
50  __stats_case(statsEptUser);
51  __stats_case(statsEptDecode);
52  __stats_case(statsEptLookup);
53  __stats_case(statsEptHandle);
54  __stats_case(statsEptRMW);
55  __stats_case(statsVmcall);
56  __stats_case(statsCrViolation);
57  __stats_case(statsMsrViolation);
58  __stats_case(statsXcrViolation);
59  __stats_case(statsTimer);
60  __stats_case(statsInt3);
61  __stats_case(statsDtrViolation);
62  __stats_case(statsEventInjection);
63  __stats_case(statsModuleLoadViolation);
64  __stats_case(statsDeleteRegion);
65  __stats_case(statsDeleteGva);
66  __stats_case(statsHookCommit);
67  __stats_case(statsPtWriteProc);
68  __stats_case(statsPtWriteEmu);
69  __stats_case(statsPtWriteTotal);
70  __stats_case(statsPtWriteHits);
71  __stats_case(statsPtWriteRelevant);
72  __stats_case(statsExceptionsUser);
73  __stats_case(statsExceptionsKern);
74  __stats_case(statsExceptionsGlobMatch);
75  __stats_case(statsUmCrash);
76  __stats_case(statsVasmon);
77  __stats_case(statsVadCommitExisting);
78  __stats_case(statsPtsIntegrity);
79  __stats_case(statsPtsFilterInt3);
80  __stats_case(statsPtsFilterVmcall);
81  __stats_case(statsPtsFilterInsSearch);
82  __stats_case(statsSwapgsInsSearch);
83  __stats_case(statsSelfMapEntryProtection);
84  __stats_case(statsCopyMemoryTotal);
85  __stats_case(statsCopyMemoryRead);
86  __stats_case(statsCopyMemoryWrite);
87  __stats_case(statsCopyMemoryProtectedRead);
88  __stats_case(statsCopyMemoryProtectedWrite);
89  __stats_case(statsDepViolation);
90  __stats_case(statsStackTrace32);
91  __stats_case(statsStackTrace64);
92  __stats_case(statsStackTraceSpecialCase);
93  __stats_case(statsDpiGatherInfo);
94  __stats_case(statsDpiDebugFlag);
95  __stats_case(statsDpiStackPivot);
96  __stats_case(statsDpiStealToken);
97  __stats_case(statsDpiHeapSpray);
98  __stats_case(statsDpiTokenPrivs);
99  __stats_case(statsDpiThreadStart);
100  __stats_case(statsProcessCreationCheck);
101  __stats_case(statsNtEatRead);
102  __stats_case(statsTokenWrites);
103  __stats_case(statsKmUmWrites);
104  __stats_case(statsMaxCounter);
105  }
106 
107  return "<err_counter>";
108 
109 #undef __stats_case
110 }
111 
112 static __forceinline void
113 GetTime(
114  _Out_ TIMESPEC *Time
115  )
123 {
124 #ifndef STATS_HAS_HIGHRES_TIMER
125  *Time = __rdtsc();
126 #else
127  clock_gettime(CLOCK_MONOTONIC, Time);
128 #endif
129 }
130 
131 
132 static __forceinline void
133 DiffTime(
134  _In_ TIMESPEC const *End,
135  _In_ TIMESPEC const *Start,
136  _Out_ TIMESPEC *Result
137  )
145 {
146 #ifdef STATS_HAS_HIGHRES_TIMER
147  if (__likely(End->tv_nsec > Start->tv_nsec))
148  {
149  Result->tv_sec = End->tv_sec - Start->tv_sec;
150  Result->tv_nsec = End->tv_nsec - Start->tv_nsec;
151  }
152  else
153  {
154  Result->tv_sec = End->tv_sec - Start->tv_sec - 1;
155  Result->tv_nsec = NSEC_PER_SEC + End->tv_nsec - Start->tv_nsec;
156  }
157 #else
158  *Result = *End - *Start;
159 #endif
160 }
161 
162 
163 static __forceinline void
164 IncStatsCallsCount(
165  void
166  )
172 {
173 #ifdef STATS_HAS_HIGHRES_TIMER
174  for (DWORD i = 0; i < ARRAYSIZE(gCounters); i++)
175  {
176  if (gCounters[i].StartEventId == gEventId)
177  {
178  gCounters[i].StatCalls++;
179  }
180  }
181 #endif
182 }
183 
184 
185 static __forceinline void
186 AddToTime(
187  _Inout_ TIMESPEC *Time,
188  _In_ TIMESPEC const *Adder
189  )
196 {
197 #ifdef STATS_HAS_HIGHRES_TIMER
198  Time->tv_sec += Adder->tv_sec;
199  Time->tv_nsec += Adder->tv_nsec;
200 
201  if (Time->tv_nsec >= (INT64)NSEC_PER_SEC)
202  {
203  ++Time->tv_sec;
204  Time->tv_nsec -= NSEC_PER_SEC;
205  }
206 #else
207  *Time += *Adder;
208 #endif
209 }
210 
211 
212 void
213 IntStatsDumpAll(
214  void
215  )
219 {
220  LOG("[STATS] Introspection stats (totaling %lld events):\n", gEventId);
221 
222  for (DWORD i = 0; i < statsMaxCounter; i++)
223  {
224  // This is double the size of what we really need
225  char line[255];
226  STAT_COUNTER const *pCounter = &gCounters[i];
227 
228  if (0 == pCounter->TotalCount)
229  {
230  continue;
231  }
232 
233 #if defined(STATS_DISABLE_TIMER)
234  snprintf(line, sizeof(line), "%20s: %12llu times\n", IntStatGetName(i), pCounter->TotalCount);
235 
236 #elif defined(STATS_HAS_HIGHRES_TIMER)
237  double t = (double)(pCounter->Total.tv_sec * NSEC_PER_SEC +
238  pCounter->Total.tv_nsec) / (double)pCounter->TotalCount;
239  INT64 spe = 0;
240  INT64 nspe = (INT64)t % NSEC_PER_SEC;
241 
242  for (INT64 j = (INT64)t; j >= (INT64)NSEC_PER_SEC; j -= NSEC_PER_SEC)
243  {
244  ++spe;
245  }
246 
247  snprintf(line, sizeof(line),
248  "%25s: %8lld times - %4lu.%09lu (total) %4lld.%09lld (per exit) %4lld.%09lld (max)\n",
249  IntStatGetName(i), pCounter->TotalCount,
250  pCounter->Total.tv_sec, pCounter->Total.tv_nsec,
251  spe, nspe,
252  NSEC_TO_SEC(pCounter->Max), pCounter->Max % NSEC_PER_SEC);
253 #else
254  snprintf(line, sizeof(line),
255  "%25s: %20llu CPU ticks %12llu times - %4.6f (total) %4.12f (per exit) %4.12f (max)\n",
256  IntStatGetName(i),
257  pCounter->Total, pCounter->TotalCount,
258  pCounter->Total / (double)gGuest.TscSpeed,
259  pCounter->Total / (double)gGuest.TscSpeed / (double)pCounter->TotalCount,
260  pCounter->Max / (double)gGuest.TscSpeed);
261 #endif
262 
263  LOG("%s\n", line);
264  }
265 }
266 
267 
268 void
269 IntStatsReset(
270  _In_ STAT_ID StatId
271  )
277 {
278  STAT_COUNTER *pCounter = &gCounters[StatId];
279 
280  pCounter->TotalCount = 0;
281 
282 #ifndef STATS_DISABLE_TIMER
283  pCounter->Max = 0;
284  pCounter->StartEventId = 0;
285 
286  memset(&pCounter->Start, 0, sizeof(pCounter->Start));
287 #endif
288 }
289 
290 
291 void
292 IntStatsResetAll(
293  void
294  )
298 {
299  for (STAT_ID i = 0; i < statsMaxCounter; i++)
300  {
301  IntStatsReset(i);
302  }
303 }
304 
305 
306 #ifndef STATS_DISABLE_TIMER
307 
308 void
309 IntStatStart(
310  _In_ STAT_ID StatId
311  )
323 {
324  STAT_COUNTER *pCounter;
325 
326  if (__unlikely(gGuest.UninitPrepared || gEventId <= gGuest.IntroActiveEventId))
327  {
328  return;
329  }
330 
331  pCounter = &gCounters[StatId];
332 
333  pCounter->StartEventId = gEventId;
334 
335  GetTime(&pCounter->Start);
336 
337  IncStatsCallsCount();
338 
339  pCounter->StatCalls = 0;
340 }
341 
342 
343 void
344 IntStatStop(
345  _In_ STAT_ID StatId
346  )
357 {
358  if (__unlikely(gGuest.UninitPrepared || gEventId <= gGuest.IntroActiveEventId))
359  {
360  return;
361  }
362 
363  TIMESPEC total, end;
364  STAT_COUNTER *pCounter = &gCounters[StatId];
365 
366  pCounter->TotalCount++;
367 
368  if (pCounter->StartEventId != gEventId)
369  {
370  if (pCounter->StartEventId != 0)
371  {
372  ERROR("[ERROR] StartCount on event id %lld and stop on %lld for counter %d\n",
373  pCounter->StartEventId, gEventId, StatId);
374  }
375 
376  return;
377  }
378 
379  GetTime(&end);
380 
381  IncStatsCallsCount();
382 
383  DiffTime(&end, &pCounter->Start, &total);
384 
385 #ifndef STATS_HAS_HIGHRES_TIMER
386 
387  if (total > pCounter->Max)
388  {
389  pCounter->Max = total;
390  }
391 
392 #else
393 
394  QWORD totalNs = total.tv_sec * NSEC_PER_SEC + total.tv_nsec;
395  QWORD statCallNs = pCounter->StatCalls * gStatCallTimeNs;
396 
397  // Subtract the time spent in clock_gettime (by how many times it was called)
398  if (totalNs > statCallNs)
399  {
400  TIMESPEC t1;
401  TIMESPEC oldTotal = total;
402 
403  t1.tv_sec = statCallNs / NSEC_PER_SEC;
404  t1.tv_nsec = statCallNs - (t1.tv_sec * NSEC_PER_SEC);
405 
406  total.tv_nsec -= pCounter->StatCalls * gStatCallTimeNs;
407 
408  DiffTime(&oldTotal, &t1, &total);
409  }
410 
411  if (totalNs > pCounter->Max)
412  {
413  pCounter->Max = totalNs;
414  }
415 
416 #endif // STATS_HAS_HIGHRES_TIMER
417 
418  AddToTime(&pCounter->Total, &total);
419 
420  pCounter->StartEventId = 0;
421 }
422 
423 void
424 IntStatDiscard(
425  _In_ STAT_ID StatId
426  )
432 {
433  gCounters[StatId].StartEventId = 0;
434  gCounters[StatId].StatCalls = 0;
435 }
436 
437 #endif // STATS_DISABLE_TIMER
438 
439 
440 void
441 IntStatsInit(
442  void
443  )
449 {
450 #ifdef STATS_HAS_HIGHRES_TIMER
451  const DWORD calibrationCalls = 10000;
452  TIMESPEC start, end, total;
453 
454  GetTime(&start);
455 
456  for (DWORD i = 0; i < calibrationCalls; i++)
457  {
458  GetTime(&total);
459  }
460 
461  GetTime(&end);
462 
463  DiffTime(&end, &start, &total);
464 
465  gStatCallTimeNs = (end.tv_nsec - start.tv_nsec) / calibrationCalls;
466 
467  // Allow a 10% error margin
468  gStatCallTimeNs -= (gStatCallTimeNs / 10);
469 
470  LOG("[DEBUG] Calibrated clock_gettime timer to %lld nanoseconds\n", gStatCallTimeNs);
471 #endif
472 }
statsExceptionsKern
Measures kernel mode exceptions checks.
Definition: stats.h:51
IntStatStop
void IntStatStop(STAT_ID StatId)
Stops a stat measurement.
Definition: stats.c:344
gCounters
STAT_COUNTER gCounters[statsMaxCounter]
The list of counters.
Definition: stats.c:21
statsDepViolation
Measures IntWinHandleException invocations done for DEP violations.
Definition: stats.h:76
__unlikely
#define __unlikely(x)
Definition: common.h:47
_Out_
#define _Out_
Definition: intro_sal.h:22
INT64
long long INT64
Definition: intro_types.h:45
NSEC_TO_SEC
#define NSEC_TO_SEC(nsec)
Definition: introdefs.h:97
statsDpiStackPivot
Measures the pivoted stack DPI protection information gathering.
Definition: stats.h:87
statsCrViolation
Measures CR violation exits.
Definition: stats.h:30
_In_
#define _In_
Definition: intro_sal.h:21
statsDpiDebugFlag
Measures the debug flag DPI protection information gathering.
Definition: stats.h:86
statsPtWriteEmu
Measures page table writes emulation.
Definition: stats.h:45
statsExceptionsUser
Measures user mode exceptions checks.
Definition: stats.h:50
statsPtWriteProc
Measures page table writes.
Definition: stats.h:44
statsPtsIntegrity
Measures page tables integrity checks.
Definition: stats.h:59
IntStatGetName
static __pure const char * IntStatGetName(STAT_ID StatId)
Returns the name of a STAT_ID.
Definition: stats.c:30
statsPtsFilterInsSearch
Measures the instruction search done for the page table filtering agent.
Definition: stats.h:62
statsXcrViolation
Measures XCR violation exits.
Definition: stats.h:32
statsEptViolation
Measures all EPT violations.
Definition: stats.h:18
ARRAYSIZE
#define ARRAYSIZE(A)
Definition: introdefs.h:101
statsNtEatRead
Measures reads done from the kernel EAT.
Definition: stats.h:93
statsCopyMemoryTotal
Measures the IntWinProcHandleCopyMemory detour handler.
Definition: stats.h:67
statsVasmon
Measures page table writes done by the VAS monitor.
Definition: stats.h:56
__pure
#define __pure
Definition: introtypes.h:46
statsPtWriteTotal
Measures all the page table writes.
Definition: stats.h:46
statsDpiStealToken
Measures the stolen token flag DPI protection information gathering.
Definition: stats.h:88
statsKmUmWrites
Writes done from kernel mode over user mode.
Definition: stats.h:96
ERROR
#define ERROR(fmt,...)
Definition: glue.h:62
statsTokenWrites
Token writes.
Definition: stats.h:94
statsDtrViolation
Measures the DTR violation exits.
Definition: stats.h:35
gEventId
QWORD gEventId
The ID of the current event.
Definition: glue.c:55
statsStackTraceSpecialCase
Measures the cases in which the stack trace mechanism encounters a JMP after a CALL.
Definition: stats.h:81
statsDpiThreadStart
Measures the thread start DPI protection information gathering.
Definition: stats.h:91
AddToTime
static void AddToTime(TIMESPEC *Time, TIMESPEC const *Adder)
Adds two time values.
Definition: stats.c:186
_GUEST_STATE::IntroActiveEventId
QWORD IntroActiveEventId
The event ID on which introcore became active.
Definition: guests.h:377
statsProcessCreationCheck
Measures the process creation checks.
Definition: stats.h:84
statsDpiHeapSpray
Measures the heap spray DPI protection information gathering.
Definition: stats.h:89
statsEptRMW
Measures the EPT violations for which the instruction does a read and a write.
Definition: stats.h:27
IntStatsResetAll
void IntStatsResetAll(void)
Resets all the stats.
Definition: stats.c:292
statsPtWriteHits
Measures page table entries writes.
Definition: stats.h:47
statsEventInjection
Measures event injections.
Definition: stats.h:36
IntStatsInit
void IntStatsInit(void)
Initialization routine.
Definition: stats.c:441
LOG
#define LOG(fmt,...)
Definition: glue.h:61
statsVmcall
Measures the handling of VMCALL exits.
Definition: stats.h:29
statsHookCommit
Measures the hook commits.
Definition: stats.h:42
statsEptHandle
Measures the execution of EPT violation handlers.
Definition: stats.h:26
statsPtsFilterInt3
Measures the INT3 exits generated by the page table filtering mechanism.
Definition: stats.h:60
_Inout_
#define _Inout_
Definition: intro_sal.h:20
IntStatDiscard
void IntStatDiscard(STAT_ID StatId)
Discards the current measurement for a stat counter.
Definition: stats.c:424
statsEptKernel
Measures EPT violations generated while the guest was in kernel mode.
Definition: stats.h:22
QWORD
unsigned long long QWORD
Definition: intro_types.h:53
_STAT_COUNTER
A stats counter.
Definition: stats.h:121
statsVadCommitExisting
Measures the IntWinVadHandleCommit detour handler.
Definition: stats.h:57
statsDeleteRegion
Measures the deletion of HOOK_REGION_DESCRIPTOR objects.
Definition: stats.h:39
statsStackTrace32
Measures the stack trace mechanism for 32-bit execution contexts.
Definition: stats.h:78
IntStatsDumpAll
void IntStatsDumpAll(void)
Prints all the non-zero stats.
Definition: stats.c:213
statsCopyMemoryProtectedWrite
Measures the handling of memory reads in which a write protection policy exists.
Definition: stats.h:74
NSEC_PER_SEC
#define NSEC_PER_SEC
Definition: introdefs.h:93
statsEptDecode
Measures the decoding of instructions that generate EPT violations.
Definition: stats.h:24
IntStatsReset
void IntStatsReset(STAT_ID StatId)
Resets a stat.
Definition: stats.c:269
statsEptUser
Measures EPT violations generated while the guest was in user mode.
Definition: stats.h:23
statsInt3
Measures the INT3 events.
Definition: stats.h:34
statsPtWriteRelevant
Measures page table writes that are actually relevant for Introcore.
Definition: stats.h:48
_GUEST_STATE::UninitPrepared
BOOLEAN UninitPrepared
Definition: guests.h:316
DiffTime
static void DiffTime(TIMESPEC const *End, TIMESPEC const *Start, TIMESPEC *Result)
Computes the delta between two time values.
Definition: stats.c:133
__forceinline
#define __forceinline
Definition: introtypes.h:61
IncStatsCallsCount
static void IncStatsCallsCount(void)
Computes the time GetTime was called for each counter that was started before this one and on this ev...
Definition: stats.c:164
statsTimer
Measures the timer events.
Definition: stats.h:33
statsPtsFilterVmcall
Measures the VMCALL exists generated by the page table filtering agent.
Definition: stats.h:61
DWORD
uint32_t DWORD
Definition: intro_types.h:49
_STAT_COUNTER::TotalCount
QWORD TotalCount
The total number of times an event was measured.
Definition: stats.h:123
__rdtsc
static uint64_t __rdtsc(void)
Definition: intrinsics.h:306
TIMESPEC
QWORD TIMESPEC
Definition: stats.h:115
statsCopyMemoryRead
Measures IntWinProcHandleCopyMemory invocations done for memory reads.
Definition: stats.h:69
statsSelfMapEntryProtection
Measures the self map entry validation.
Definition: stats.h:65
statsMaxCounter
The number of valid stats IDs. Not a valid ID. Must always be the last entry in the enum...
Definition: stats.h:99
statsSwapgsInsSearch
Measures the instruction search done for the SWAPGS protection.
Definition: stats.h:63
statsMsrViolation
Measures MSR violation exits.
Definition: stats.h:31
gGuest
GUEST_STATE gGuest
The current guest state.
Definition: guests.c:48
statsEptWrite
Measures write EPT violations.
Definition: stats.h:20
STAT_ID
enum _STAT_ID STAT_ID
Stat IDs.
statsCopyMemoryProtectedRead
Measures the handling of memory reads in which a read protection policy exists.
Definition: stats.h:72
__stats_case
#define __stats_case(x)
IntStatStart
void IntStatStart(STAT_ID StatId)
Starts a stat measurement.
Definition: stats.c:309
_GUEST_STATE::TscSpeed
QWORD TscSpeed
Number of ticks/second of this given guest. Should be the same as the global (physical) one...
Definition: guests.h:272
__likely
#define __likely(x)
Definition: common.h:46
statsEptLookup
Measures the look-up of EPT violation handlers.
Definition: stats.h:25
statsDpiGatherInfo
Measures the information gathering for the DPI mechanism.
Definition: stats.h:83
GetTime
static void GetTime(TIMESPEC *Time)
Returns the current time.
Definition: stats.c:113
statsModuleLoadViolation
Measures module load violation handling.
Definition: stats.h:37
statsUmCrash
Measures user mode crash handlers.
Definition: stats.h:54
statsEptExecute
Measures execute EPT violations.
Definition: stats.h:21
statsExceptionsGlobMatch
Measures glob-match exceptions.
Definition: stats.h:52
statsEptRead
Measures read EPT violations.
Definition: stats.h:19
statsDeleteGva
Measures the deletion of HOOK_GVA objects.
Definition: stats.h:40
statsDpiTokenPrivs
Measures the token privileges DPI protection information gathering.
Definition: stats.h:90