winvad.c

Go to the documentation of this file.

/*
 * Copyright (c) 2020 Bitdefender
 * SPDX-License-Identifier: Apache-2.0
 */
#include "winvad.h"
#include "hook.h"
#include "processor.h"
#include "swapmem.h"
#include "winprocesshp.h"
#include "shellcode.h"
#include "winummodule.h"
#include "winthread.h"
#include "exceptions.h"
#include "alerts.h"
#include "scan_engines.h"
#include "winnet.h"

#define VAD_SEARCH_LIMIT 1000
#define MAX_VAD_EXECS   64u

static INTSTATUS
IntWinVadHandleInsertGeneric(
    _Inout_ WIN_PROCESS_OBJECT *Process,
    _In_ QWORD VadAddress,
    _In_ BOOLEAN StaticScan,
    _Out_opt_ VAD **Vad
    );


static __forceinline BYTE *
IntWinVadMapShortVad(
    _In_ QWORD Gva
    )
{
    void *ptr = NULL;

    if (!INT_SUCCESS(IntVirtMemMap(Gva, WIN_KM_FIELD(VadShort, Size), gGuest.Mm.SystemCr3, 0, &ptr)))
    {
        return NULL;
    }

    return ptr;
}

#define VAD_SHORT_FIELD_PTR(type_, ptr_, field_) (type_ *)((BYTE *)(ptr_) + WIN_KM_FIELD(VadShort, field_))

#define VAD_LONG_FIELD_PTR(type_, ptr_, field_) (type_ *)((BYTE *)(ptr_) + WIN_KM_FIELD(VadLong, field_))

#define VadShortByte(ptr_, field_) *VAD_SHORT_FIELD_PTR(BYTE, ptr_, field_)

#define VadShortWord(ptr_, field_) *VAD_SHORT_FIELD_PTR(WORD, ptr_, field_)

#define VadShortDword(ptr_, field_) *VAD_SHORT_FIELD_PTR(DWORD, ptr_, field_)

#define VadShortQword(ptr_, field_) *VAD_SHORT_FIELD_PTR(QWORD, ptr_, field_)

#define VadShortPtrSize(ptr_, field_) gGuest.Guest64 ? VadShortQword(ptr_, field_) : VadShortDword(ptr_, field_)

#define VadShortAnySize(size_, ptr_, field_)    (size_) == 8 ? VadShortQword(ptr_, field_) : \
                                                (size_) == 4 ? VadShortDword(ptr_, field_) : \
                                                (size_) == 2 ? VadShortWord(ptr_, field_) : \
                                                (size_) == 1 ? VadShortByte(ptr_, field_) : 0


static __forceinline BOOLEAN
IntWinVadIsProbablyNaCl(
    _In_ VAD const *Vad
    )
{
    // NaCl regions come in chunks of 16 pages as private memory, ignore them
    return Vad->Process->HasNaClEnabled && 16 == Vad->PageCount && VadNone == Vad->VadType;
}


static BOOLEAN
IntWinVadIsProbablyDominoJava(
    _In_ VAD const *Vad
    )

{
    return Vad->VadType == VadNone &&
           (Vad->VadProtection & VAD_PROT_EXECUTE_READWRITE) &&
           Vad->Process->IsDominoJava &&
           !Vad->Process->FirstDominoJavaIgnored;
}


static INTSTATUS
IntWinVadRemoveRange(
    _Inout_ VAD *Vad,
    _In_ QWORD StartPage,
    _In_ QWORD EndPage
    )
{
    INTSTATUS status;

    if (NULL == Vad->VadPages)
    {
        return INT_STATUS_NOT_NEEDED_HINT;
    }

    for (QWORD curpg = (StartPage & PAGE_MASK); curpg <= (EndPage & PAGE_MASK); curpg += PAGE_SIZE)
    {
        DWORD pos = (DWORD)((curpg - Vad->StartPage) >> 12);

        if (NULL == Vad->VadPages[pos])
        {
            continue;
        }

        if (NULL != Vad->VadPages[pos]->ExecHook)
        {
            // The page was hooked
            status = IntHookGvaRemoveHook((HOOK_GVA **)&Vad->VadPages[pos]->ExecHook, 0);
            if (!INT_SUCCESS(status))
            {
                ERROR("[ERROR] IntHookGvaRemoveHook failed: 0x%08x\n", status);
            }
        }

        HpFreeAndNullWithTag(&Vad->VadPages[pos], IC_TAG_VAD_PAGE);
    }

    return INT_STATUS_SUCCESS;
}


static INTSTATUS
IntWinVadRemoveAllPages(
    _Inout_ VAD *Vad
    )
{
    INTSTATUS status;

    status = INT_STATUS_SUCCESS;
    if (NULL != Vad->VadPages)
    {
        status = IntWinVadRemoveRange(Vad, Vad->StartPage, Vad->EndPage);
        if (!INT_SUCCESS(status))
        {
            ERROR("[ERROR] IntWinVadRemoveRange failed for VAD 0x%016llx: 0x%08x\n", Vad->VadGva, status);
        }

        HpFreeAndNullWithTag(&Vad->VadPages, IC_TAG_VAD_PGARR);
    }

    return status;
}


void
IntWinVadDestroyObject(
    _Inout_ VAD **Vad
    )
{
    INTSTATUS status;
    PVAD pVad;

    if (NULL == Vad || NULL == *Vad)
    {
        return;
    }

    pVad = *Vad;
    *Vad = NULL;

    // Remove the VAD transaction, if any.
    if (pVad->PathSwapHandle)
    {
        status = IntSwapMemRemoveTransaction(pVad->PathSwapHandle);
        if (!INT_SUCCESS(status))
        {
            ERROR("[ERROR] IntSwapMemRemoveTransactionsForAddress failed: 0x%08x\n", status);
        }

        pVad->PathSwapHandle = NULL;
    }

    if ((VadImageMap == pVad->VadType) && (NULL != pVad->Path))
    {
        status = IntWinModHandleUnloadFromVad(pVad->Process, pVad);
        if (!INT_SUCCESS(status))
        {
            ERROR("[ERROR] IntWinModHandleUnloadFromVad failed: 0x%08x\n", status);
        }
    }

    IntWinUmPathDereference(&pVad->Path);

    // Remove all the pages from this VAD.
    IntWinVadRemoveAllPages(pVad);

    HpFreeAndNullWithTag(&pVad, IC_TAG_VAD);
}


_Function_class_(FUNC_RbTreeNodeFree) static void
IntWinVadRbTreeNodeFree(
    _Inout_ RBNODE *Node
    )
{
    PVAD pVad = CONTAINING_RECORD(Node, VAD, RbNode);

    IntWinVadDestroyObject(&pVad);
}


_Function_class_(FUNC_RbTreeNodeCompare) static int
IntWinVadRbTreeNodeCompare(
    _In_ RBNODE const *Left,
    _In_ RBNODE const *Right
    )
{
    VAD const *p1 = CONTAINING_RECORD(Left, VAD, RbNode);
    VAD const *p2 = CONTAINING_RECORD(Right, VAD, RbNode);

    if (p1->EndPage < p2->StartPage)
    {
        return -1;
    }
    else if (p1->StartPage > p2->EndPage)
    {
        return 1;
    }
    else
    {
        return 0;
    }
}


_Function_class_(FUNC_RbTreeNodeCustomCompare) static int
IntWinVadRbTreeNodeCompareVa(
    _In_ RBNODE const *Node,
    _In_ void *Key
    )
{
    QWORD gva = (QWORD)Key;
    VAD const *vad = CONTAINING_RECORD(Node, VAD, RbNode);

    if (gva >= vad->StartPage && gva < vad->StartPage + vad->PageCount * PAGE_SIZE)
    {
        return 0;
    }
    else if (vad->StartPage < gva)
    {
        return -1;
    }
    else
    {
        return 1;
    }
}


_Function_class_(FUNC_RbTreeNodeCustomCompare) static int
IntWinVadRbTreeNodeCompareBases(
    _In_ RBNODE const *Node,
    _In_ void *Key
    )
{
    QWORD base = (QWORD)Key;
    VAD const *vad = CONTAINING_RECORD(Node, VAD, RbNode);

    if (base == vad->StartPage)
    {
        return 0;
    }
    else if (vad->StartPage < base)
    {
        return -1;
    }
    else
    {
        return 1;
    }
}


void
IntWinVadProcessInit(
    _Inout_ WIN_PROCESS_OBJECT *Process
    )
{
    RbPreinit(&Process->VadTree);

    RbInit(&Process->VadTree, IntWinVadRbTreeNodeFree, IntWinVadRbTreeNodeCompare);
}


static DWORD
IntWinVadVmProtectionToIntroProtection(
    _In_ DWORD VmProtection
    )
{
    // High bits represent NoCache, Guard & WriteCombine.
    VmProtection &= 0xFF;

    switch (VmProtection)
    {
    case WIN_MM_PAGE_NOACCESS:
        return 0;
    case WIN_MM_PAGE_READONLY:
        return PROT_READ;
    case WIN_MM_PAGE_READWRITE:
        return PROT_READ | PROT_WRITE;
    case WIN_MM_PAGE_WRITECOPY:
        return PROT_READ | PROT_WRITE;
    case WIN_MM_PAGE_EXECUTE:
        return PROT_EXEC;
    case WIN_MM_PAGE_EXECUTE_READ:
        return PROT_READ | PROT_EXEC;
    case WIN_MM_PAGE_EXECUTE_READWRITE:
        return PROT_READ | PROT_WRITE | PROT_EXEC;
    case WIN_MM_PAGE_EXECUTE_WRITECOPY:
        return PROT_READ | PROT_WRITE | PROT_EXEC;
    default:
        return 0;
    }
}


static DWORD
IntWinVadVadProtectionToIntroProtection(
    _In_ WIN_VAD_PROT VadProtection
    )
{
    // High bits represent NoCache, Guard & WriteCombine.
    VadProtection &= 0xFF;

    switch (VadProtection)
    {
    case VAD_PROT_NOACCESS:
        return 0;
    case VAD_PROT_READONLY:
        return PROT_READ;
    case VAD_PROT_READWRITE:
        return PROT_READ | PROT_WRITE;
    case VAD_PROT_WRITECOPY:
        return PROT_READ | PROT_WRITE;
    case VAD_PROT_EXECUTE:
        return PROT_EXEC;
    case VAD_PROT_EXECUTE_READ:
        return PROT_READ | PROT_EXEC;
    case VAD_PROT_EXECUTE_READWRITE:
        return PROT_READ | PROT_WRITE | PROT_EXEC;
    case VAD_PROT_EXECUTE_WRITECOPY:
        return PROT_READ | PROT_WRITE | PROT_EXEC;
    default:
        return 0;
    }
}


static DWORD
IntWinVadVadProtectionToVmProtection(
    _In_ WIN_VAD_PROT VadProtection
    )
{
    // High bits represent NoCache, Guard & WriteCombine.
    VadProtection &= 0xFF;

    switch (VadProtection)
    {
    case VAD_PROT_NOACCESS:
        return WIN_MM_PAGE_NOACCESS;
    case VAD_PROT_READONLY:
        return WIN_MM_PAGE_READONLY;
    case VAD_PROT_READWRITE:
        return WIN_MM_PAGE_READWRITE;
    case VAD_PROT_WRITECOPY:
        return WIN_MM_PAGE_WRITECOPY;
    case VAD_PROT_EXECUTE:
        return WIN_MM_PAGE_EXECUTE;
    case VAD_PROT_EXECUTE_READ:
        return WIN_MM_PAGE_EXECUTE_READ;
    case VAD_PROT_EXECUTE_READWRITE:
        return WIN_MM_PAGE_EXECUTE_READWRITE;
    case VAD_PROT_EXECUTE_WRITECOPY:
        return WIN_MM_PAGE_EXECUTE_WRITECOPY;
    default:
        return 0;
    }
}


VAD *
IntWinVadFindByVa(
    _In_ WIN_PROCESS_OBJECT *Process,
    _In_ QWORD Va
    )
{
    PRBNODE found = NULL;

    RbLookupNodeCustomCompare(&Process->VadTree, IntWinVadRbTreeNodeCompareVa, (void *)Va, &found);

    if (!found)
    {
        return NULL;
    }

    return CONTAINING_RECORD(found, VAD, RbNode);
}


static VAD *
IntWinVadFindByRange(
    _In_ PWIN_PROCESS_OBJECT Process,
    _In_ QWORD StartPage,
    _In_ QWORD EndPage
    )
{
    VAD target;
    PRBNODE found;

    target.StartPage = StartPage;
    target.EndPage = EndPage;

    found = NULL;

    RbLookupNode(&Process->VadTree, &target.RbNode, &found);

    if (!found)
    {
        return NULL;
    }

    return CONTAINING_RECORD(found, VAD, RbNode);
}


static PVAD
IntWinVadFindByBase(
    _In_ PWIN_PROCESS_OBJECT Process,
    _In_ QWORD Base
    )
{
    PRBNODE found = NULL;

    RbLookupNodeCustomCompare(&Process->VadTree, IntWinVadRbTreeNodeCompareBases, (void *)Base, &found);

    if (!found)
    {
        return NULL;
    }

    return CONTAINING_RECORD(found, VAD, RbNode);
}


static INTSTATUS
IntWinVadAdjustRange(
    _Inout_ VAD *Vad,
    _In_ QWORD NewStartPage,
    _In_ QWORD NewEndPage
    )
{
    INTSTATUS status;
    VAD_PAGE **pNewVadPages = NULL;
    QWORD newPageCount = 0, newPageIdx = 0;

    // New current pages array contains the region [Vad->StartPage, Vad->EndPage]. We need to adjust that region to
    // hold only [NewStartPage, NewOldPage].
    newPageCount = ((NewEndPage - NewStartPage) >> 12) + 1;

    if (NULL == Vad->VadPages)
    {
        goto no_array;
    }

    pNewVadPages = HpAllocWithTag(sizeof(*pNewVadPages) * newPageCount, IC_TAG_VAD_PGARR);
    if (NULL == pNewVadPages)
    {
        return INT_STATUS_INSUFFICIENT_RESOURCES;
    }

    for (QWORD curpg = (Vad->StartPage & PAGE_MASK); curpg <= (Vad->EndPage & PAGE_MASK); curpg += PAGE_SIZE)
    {
        QWORD pos = ((curpg - Vad->StartPage) >> 12);

        if (curpg >= NewStartPage && curpg <= NewEndPage)
        {
            if (NULL == Vad->VadPages[pos])
            {
                pNewVadPages[newPageIdx++] = NULL;
            }
            else
            {
                Vad->VadPages[pos]->RangeStart = MAX(Vad->VadPages[pos]->RangeStart, NewStartPage);
                Vad->VadPages[pos]->RangeEnd = MIN(Vad->VadPages[pos]->RangeEnd, NewEndPage);

                pNewVadPages[newPageIdx++] = Vad->VadPages[pos];
            }
        }
        else
        {
            if (NULL != Vad->VadPages[pos])
            {
                if (NULL != Vad->VadPages[pos]->ExecHook)
                {
                    // The page was hooked
                    status = IntHookGvaRemoveHook((HOOK_GVA **)&Vad->VadPages[pos]->ExecHook, 0);
                    if (!INT_SUCCESS(status))
                    {
                        ERROR("[ERROR] IntHookGvaRemoveHook failed: 0x%08x\n", status);
                    }
                }

                HpFreeAndNullWithTag(&Vad->VadPages[pos], IC_TAG_VAD_PAGE);
            }
        }
    }

    HpFreeAndNullWithTag(&Vad->VadPages, IC_TAG_VAD_PGARR);

    Vad->VadPages = pNewVadPages;

no_array:
    Vad->StartPage = NewStartPage;
    Vad->EndPage = NewEndPage;
    Vad->PageCount = newPageCount;

    return INT_STATUS_SUCCESS;
}


static INTSTATUS
IntWinVadIsExecSuspicious(
    _In_ WIN_PROCESS_OBJECT* Process,
    _In_ QWORD VirtualAddress,
    _In_ QWORD PhysicalAddress,
    _Out_ INTRO_ACTION* Action
    )
{
    INTSTATUS status;
    QWORD scflags;
    PIG_ARCH_REGS regs;
    PINSTRUX instrux;
    char text[ND_MIN_BUF_SIZE] = { 0 };
    BOOLEAN bRspOut, bIsStack;
    QWORD tibBase, stackBase, stackLimit;
    BOOLEAN detected, feedback;
    INTRO_ACTION_REASON reason;
    BOOLEAN isCurrentProcess;

    EXCEPTION_UM_ORIGINATOR originator = { 0 };
    EXCEPTION_VICTIM_ZONE victim = { 0 };

    scflags = 0;
    tibBase = stackBase = stackLimit = 0;
    detected = feedback = FALSE;

    if (NULL == Process)
    {
        return INT_STATUS_INVALID_PARAMETER_1;
    }

    if (NULL == Action)
    {
        return INT_STATUS_INVALID_PARAMETER_4;
    }

    *Action = introGuestAllowed;
    reason = introReasonAllowed;

    regs = &gVcpu->Regs;
    instrux = &gVcpu->Instruction;

    isCurrentProcess = Process->Cr3 == regs->Cr3;

    status = IntWinThrGetCurrentStackBaseAndLimit(&tibBase, &stackBase, &stackLimit);
    if ((INT_STATUS_PAGE_NOT_PRESENT == status) || (INT_STATUS_NO_MAPPING_STRUCTURES == status))
    {
        LOG("TIB is not present! Will inject #PF for %llx!\n", tibBase);

        // We just blocked an instruction being executed inside user-mode. It is safe to inject a #PF right now.
        // NOTE: We do not save a handle for this swap event (this is the only one) since this page may be executed
        // in the context of multiple threads, which would mean multiple swap-in attempts; therefore, we don't use
        // a context or a callback for this swap, which will be removed when terminating the process, if needed.
        status = IntSwapMemReadData(regs->Cr3, tibBase, 32, SWAPMEM_OPT_UM_FAULT | SWAPMEM_OPT_NO_DUPS,
                                    NULL, 0, NULL, NULL, NULL);
        if (!INT_SUCCESS(status))
        {
            ERROR("[ERROR] IntSwapMemReadData failed: 0x%08x\n", status);
            return status;
        }
        else
        {
            *Action = introGuestRetry;
            return INT_STATUS_SUCCESS;
        }
    }
    else if (!INT_SUCCESS(status))
    {
        // If we couldn't read the TIB and the stack base/stack limit, assume the stack is OK - we still need to
        // validate the code!
        ERROR("[ERROR] IntWinThrGetCurrentStackBaseAndLimit failed: 0x%08x\n", status);
        stackLimit = stackBase = 0;
    }

    if ((stackLimit == 0) && (stackBase == 0))
    {
        bRspOut = bIsStack = FALSE;
    }
    else
    {
        // Take a 3 page safety margin - the usual size of the guard region; we may have a RSP that points slightly
        // out of the stack area, but within the guard area.
        bRspOut = ((regs->Rsp < stackLimit - 0x3000) || (regs->Rsp >= stackBase));
        bIsStack = (VirtualAddress >= stackLimit) && (VirtualAddress < stackBase);
    }

    status = IntShcIsSuspiciousCode(VirtualAddress, PhysicalAddress, IG_CS_TYPE_INVALID, regs, &scflags);
    if (!INT_SUCCESS(status))
    {
        scflags = 0;
    }

    if (bRspOut || bIsStack)
    {
        // Pivoted stack or executions on the stack trigger detection directly.
        detected = TRUE;
    }
    else if (0 != scflags)
    {
        detected = TRUE;

        // Shellcode flags (as set by the shellcode emulator) may be overridden via CAMI. A flag marked for feedback
        // will cause the alert to be logged & sent, but no actual detection will appear. Note that we force feedback
        // for shellcode flags if and only if all the reported flags are marked as feedback. If there is a single
        // shellcode flag set that is not feedback, a normal detection will be generated.
        if ((scflags & gGuest.ShemuOptions.Feedback) == scflags)
        {
            feedback = TRUE;
        }
    }

    if (!detected)
    {
        // We did not find malicious activity, send context to the scan engine if we have the options set, but only
        // once, for the current process
        if (isCurrentProcess && !!(gGuest.CoreOptions.Current & INTRO_OPT_NOTIFY_ENGINES))
        {
            INTRO_EXEC_INFO executionInfo = { 0 };

            executionInfo.Rsp = regs->Rsp;
            executionInfo.StackBase = stackBase;
            executionInfo.StackLimit = stackLimit;
            executionInfo.Length = instrux->Length;

            status = IntWinEngExecSendNotification(Process, regs, &executionInfo);
            if (!INT_SUCCESS(status))
            {
                WARNING("[WARNING] IntWinEngExecSendNotification failed: 0x%08x\n", status);
            }
        }

        // Since the engines scan is asynchronous we can't do anything else, but exit
        goto _send_notification;
    }

    status = IntExceptUserGetExecOriginator(Process, &originator);
    if (!INT_SUCCESS(status))
    {
        ERROR("[ERROR] Failed getting originator: 0x%08x\n", status);
        goto _send_notification;
    }

    status = IntExceptGetVictimEpt(Process,
                                   PhysicalAddress,
                                   VirtualAddress,
                                   introObjectTypeUmGenericNxZone,
                                   ZONE_EXECUTE,
                                   &victim);
    if (!INT_SUCCESS(status))
    {
        ERROR("[ERROR] Failed getting modified zone: 0x%08x\n", status);
        goto _send_notification;
    }

    IntExcept(&victim, &originator, exceptionTypeUm, Action, &reason, introEventEptViolation);
    // Override the action & reason, if we have shemu feedback only.
    if ((*Action == introGuestNotAllowed) && feedback)
    {
        *Action = introGuestAllowed;
        reason = introReasonAllowedFeedback;
    }

_send_notification:
    // Since we can get here for other processes, not only the current one, we have to make sure we don't send an
    // alert and we don't inject a #UD unless we are doing it for the current process. We still want to analyze the
    // code in order to properly mark the page as non-malicious, if needed
    if (IntPolicyProcTakeAction(PROC_OPT_PROT_EXPLOIT, Process, Action, &reason) && isCurrentProcess)
    {
        EVENT_EPT_VIOLATION* pEptViol = &gAlert.Ept;

        memzero(pEptViol, sizeof(*pEptViol));

        status = NdToText(instrux, regs->Rip, ND_MIN_BUF_SIZE, text);
        if (!INT_SUCCESS(status))
        {
            ERROR("[ERROR] NdToText failed: 0x%08x\n", status);
            return status;
        }

        LOG("[VADNX] [CPU %d] EXPLOIT detected! Execution attempted at 0x%016llx! Instruction: %s\n",
            gVcpu->Index, regs->Rip, text);

        LOG("[VADNX] Current address: %llx, current stack: %llx, known stack: %llx/%llx, TIB: %llx\n",
            regs->Rip, regs->Rsp, stackBase, stackLimit, tibBase);

        LOG("[VADNX] RSP out: %d; Is stack: %d; Shellcode flags: %llx;\n",
            bRspOut, bIsStack, scflags);

        IntDumpCodeAndRegs(regs->Rip, PhysicalAddress, regs);

        pEptViol->Header.Action = *Action;
        pEptViol->Header.Reason = reason;
        pEptViol->Header.MitreID = idExploitClientExec;

        IntAlertEptFillFromVictimZone(&victim, pEptViol);

        IntAlertFillCpuContext(TRUE, &pEptViol->Header.CpuContext);

        IntAlertFillWinProcess(Process, &pEptViol->Header.CurrentProcess);

        IntAlertFillWinUmModule(originator.Return.Library, &pEptViol->Originator.ReturnModule);
        pEptViol->ReturnRip = originator.Return.Rip;

        pEptViol->Header.Flags = IntAlertProcGetFlags(PROC_OPT_PROT_EXPLOIT, Process, reason, 0);

        IntAlertFillCodeBlocks(regs->Rip, regs->Cr3, TRUE, &pEptViol->CodeBlocks);
        IntAlertFillExecContext(0, &pEptViol->ExecContext);

        IntAlertFillVersionInfo(&pEptViol->Header);

        status = IntNotifyIntroEvent(introEventEptViolation, pEptViol, sizeof(*pEptViol));
        if (!INT_SUCCESS(status))
        {
            WARNING("[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
        }

        status = IntWinNetSendProcessConnections(Process);
        if (!INT_SUCCESS(status))
        {
            WARNING("[WARNING] IntWinNetSendProcessConnections failed: 0x%08x\n", status);
        }
    }

    return INT_STATUS_SUCCESS;
}


static INTSTATUS
IntWinVadHandlePageExecution(
    _Inout_ VAD_PAGE *Context,
    _In_ void const *Hook,
    _In_ QWORD Address,
    _Out_ INTRO_ACTION *Action
    )
{
    INTSTATUS status;
    PVAD_PAGE pPage;
    PWIN_PROCESS_OBJECT pProc;
    PIG_ARCH_REGS regs;
    QWORD currentThread = 0;
    INFO_UD_PENDING *entryPendingUD = NULL;
    BOOLEAN isCurrentProcess;

    UNREFERENCED_PARAMETER(Hook);

    // Default action = allow.
    *Action = introGuestAllowed;

    pPage = Context;
    pProc = pPage->Vad->Process;
    regs = &gVcpu->Regs;
    isCurrentProcess = pProc->Cr3 == regs->Cr3;

    // If this is a shared memory region between two protected processes, the hook will be invoked for both, but the
    // current process is the one that triggered the violation, so ignore the others
    if (!isCurrentProcess)
    {
        // If this page is shared between multiple processes, we can be in one of the following cases:
        //  1. process a.exe and b.exe share the same page; a.exe is protected, while b.exe is not - if b.exe fetches
        // instructions from that page, an EPT violation will be generated; since the page is not hooked in the
        // current process (b.exe), we allow the execution. This can pretty much freeze the guest in two situations:
        //   i.  for each instruction that the guest tries to execute from the monitored page while in the context
        // of b.exe, an EPT violation will be triggered
        //   ii. if an interrupt is pending and is delivered to the guest, the same instruction ends up being retried
        // in an infinite loop
        //  2. both a.exe, and b.exe are protected against exploits. b.exe executes code from the shared page, an
        // EPT violation is triggered and introcore inspects the code from that page and considers that it is not
        // malicious, marking the page as legitimate and removing the hook from that page. Since the same page is
        // hooked more than once, the EPT hook is still in place, and further attempts made by b.exe to execute code
        // from that page will trigger new EPT violations.
        // https://lists.xenproject.org/archives/html/xen-devel/2019-01/msg00900.html is also relevant
        // In the first case, we will allow the action, which will remove the hook on that page, but will still
        // keep the VAD. The second case is handled partially in IntShcWinHandlePageExecution, as it is more tricky.
        // We have to keep in mind that the page may indeed contain malicious code, and that we can't make any
        // assumptions about the order in which the hooks are invoked, for example, if we have a.exe, b.exe and c.exe
        // all sharing the same page, and b.exe is the current process and the hooks are invoked in order (first for a,
        // then for b and lastly for c) we want to keep the hook in all processes, but send the alert only for b.exe.
        // So we have to analyze code and then take an action.
        // If the code is clean, the page will be marked as clean in all processes, and unhooked from all
        // processes; if it is malicious, it will remain hooked in all processes, but the alert will be sent only
        // for the current process.
        PWIN_PROCESS_OBJECT pCurrentProcess = IntWinProcFindObjectByCr3(regs->Cr3);
        if (!pCurrentProcess->ProtExploits)
        {
            TRACE("[WINVAD] Removing VAD hook on 0x%016llx for process `%s` (Cr3 0x%016llx). "
                  "Current process is `%s` (Cr3 0x%016llx)\n",
                  pPage->Address, pProc->Name, pProc->Cr3, pCurrentProcess->Name, pCurrentProcess->Cr3);

            status = INT_STATUS_NOT_NEEDED_HINT;
            *Action = introGuestAllowed;
            goto cleanup_and_exit;
        }
    }

    // We keep a list of tuples (CR3, RIP, ETHREAD) for all the injected/pending UDs
    // If a tuple comes more than once it means that the requested #UD did not happen before and now we will just
    // request another #UD; without checking again and without generating duplicated alerts for the same execution.
    // The list cleanup takes place:
    // 1. when #UD is successfully injected --> IntHandleEventInjection (using gVcpu->Exception.CurrentUD which stores
    // the allocated addresses for a tuple)
    // 2. when a process terminates --> IntWinProcDeleteProcessObject (using the CR3)

    status = IntWinThrGetCurrentThread(gVcpu->Index, &currentThread);
    if (!INT_SUCCESS(status))
    {
        ERROR("[ERROR] IntWinThrGetCurrentThread failed: 0x%08x\n", status);
        return status;
    }

    entryPendingUD = IntUDGetEntry(regs->Cr3, regs->Rip, currentThread);
    if (NULL != entryPendingUD)
    {
        goto retry_inject_ud;
    }

    if (IntWinVadIsProbablyDominoJava(pPage->Vad))
    {
        pPage->Vad->Process->FirstDominoJavaIgnored = TRUE;
        pPage->Vad->IsIgnored = 1;
        pPage->Legitimate = TRUE;
        status = INT_STATUS_SUCCESS;
        goto cleanup_and_exit;
    }

    status = IntWinVadIsExecSuspicious(pProc, regs->Rip, Address, Action);
    if (!INT_SUCCESS(status))
    {
        ERROR("[ERROR] IntWinVadIsExecSuspicious failed: 0x%08x\n", status);
        goto cleanup_and_exit;
    }

    // If the actions is allowed, remove the hook on the page/region.
    if (introGuestAllowed == *Action)
    {
        pPage->Legitimate = TRUE;
    }

    IntPolicyProcForceBetaIfNeeded(PROC_OPT_PROT_EXPLOIT, pProc, Action);

cleanup_and_exit:
    // Remove the exec hook if we allow the action.
    if ((introGuestAllowed == *Action) && (NULL != pPage->ExecHook))
    {
        // Remove the hook on this page, only if we didn't block anything. If we did, we will maintain the hook in
        // order to block further execution attempts. We also remove the hook if we're in BETA mode - otherwise,
        // there will be lots & lots of alerts, that may end up hanging the process.
        status = IntHookGvaRemoveHook((HOOK_GVA **)&pPage->ExecHook, 0);
        if (!INT_SUCCESS(status))
        {
            ERROR("[ERROR] IntHookGvaRemoveHook failed: 0x%08x\n", status);
        }

        // Since we removed the protection from this page, it is safe to return introGuestRetry. This will re-enter the
        // guest at the same instruction, and it will execute it natively. Returning introGuestAllowed will simply
        // cause the instruction to be emulated, which is not ideal. In addition, returning anything else than
        // introGuestRetry on an execution attempt, will cause the EPT violation handler to dissect the instruction
        // and to call the EPT handler for every memory access made by the instruction; in certain cases, this may lead
        // to weird scenarios: for example, if we have a piece of code outside any module which places a memory hook,
        // the following would happen:
        // 1. The code executes & triggers an EPT exec violation;
        // 2. Introcore deems the attempt legitimate, and returns allowed instead of retry;
        // 3. The EPT callback will dissect the instruction, and it will analyze any other memory accesses;
        // 4. If the instruction that triggered the execution EPT violation also makes a write on a shared module,
        //    we would see this, and we would call the appropriate EPT handlers BUT this will happen without triggering
        //    the CoW inside the guest.
        *Action = introGuestRetry;

        // If the entire VAD was created executable, and the first page executed was deemed legitimate, then remove
        // the protection on the entire memory region.
        if (pPage->Legitimate)
        {
            pPage->Vad->ExecCount++;

            status = IntWinVadRemoveRange(pPage->Vad, pPage->RangeStart, pPage->RangeEnd);
            if (!INT_SUCCESS(status))
            {
                ERROR("[ERROR] IntWinVadRemoveRanges failed: 0x%08x\n", status);
            }
        }
    }

retry_inject_ud:
    // Terminate the process, if we decided to or if #UD already pending, inject it again
    if ((INT_SUCCESS(status) && (introGuestNotAllowed == *Action) && ((NULL != pProc) && pProc->ProtKillExploit) &&
         isCurrentProcess) ||
        NULL != entryPendingUD)
    {
        INTSTATUS status2;

        // If we already injected the same entry, there's no need for another injection, most probably causing an error
        if (entryPendingUD != NULL && gVcpu->CurrentUD == entryPendingUD)
        {
            goto _skip_inject;
        }

        status2 = IntInjectExceptionInGuest(VECTOR_UD, 0, NO_ERRORCODE, gVcpu->Index);
        if (!INT_SUCCESS(status2))
        {
            ERROR("[ERROR] IntInjectExceptionInGuest failed, process will not be killed: %08x\n", status2);
        }
        else
        {
            if (NULL == entryPendingUD)
            {
                // If not already pending, add to the list of pending UDs and store the allocated address
                // in entryPendingUD
                status = IntUDAddToPendingList(regs->Cr3, regs->Rip, currentThread, &entryPendingUD);
                if (!INT_SUCCESS(status))
                {
                    ERROR("[ERROR] IntUDAddToPendingList failed: 0x%08x\n", status);
                    return status;
                }
            }

            // Set gVcpu->CurrentUD pointer to the allocated address for the tuple
            gVcpu->CurrentUD = entryPendingUD;
        }

_skip_inject:
        *Action = introGuestRetry;
    }

    return status;
}


static INTSTATUS
IntWinVadHandleFilePathInMemory(
    _Inout_ VAD *Context,
    _In_ QWORD Cr3,
    _In_ QWORD VirtualAddress,
    _In_ QWORD PhysicalAddress,
    _In_reads_bytes_(DataSize) void *Data,
    _In_ DWORD DataSize,
    _In_ DWORD Flags
    )
{
    PVAD pVad = Context;

    UNREFERENCED_PARAMETER(Cr3);
    UNREFERENCED_PARAMETER(VirtualAddress);
    UNREFERENCED_PARAMETER(PhysicalAddress);
    UNREFERENCED_PARAMETER(Flags);

    pVad->PathSwapHandle = NULL;

    pVad->Path = IntWinUmPathCreate(Data, DataSize, pVad->SubsectionGva);

    return IntWinModHandleLoadFromVad(pVad->Process, pVad);
}


INTSTATUS
IntWinVadRemoveProcessTree(
    _Inout_ WIN_PROCESS_OBJECT *Process
    )
{
    if (NULL == Process)
    {
        return INT_STATUS_INVALID_PARAMETER_1;
    }

    RbUninit(&Process->VadTree);

    return INT_STATUS_SUCCESS;
}


static INTSTATUS
IntWinVadFetchVadFromMemory(
    _In_ QWORD VadGva,
    _Out_ VAD *Vad
    )
{
    BYTE *vadBuffer = IntWinVadMapShortVad(VadGva);
    QWORD flags = 0;
    QWORD startVpn, endVpn;

    if (NULL == vadBuffer)
    {
        return INT_STATUS_INSUFFICIENT_RESOURCES;
    }

    Vad->VadGva = VadGva;

    // Parent, Left, and Right are always pointers, so read WordSize from the guest
    Vad->Parent = VadShortPtrSize(vadBuffer, Parent);
    Vad->Left = VadShortPtrSize(vadBuffer, Left);
    Vad->Right = VadShortPtrSize(vadBuffer, Right);

    startVpn = endVpn = 0;
    // Starting and Ending Vpn can have different sizes and sometimes can be extended by another High byte
    if (WIN_KM_FIELD(VadShort, VpnSize) == 4)
    {
        startVpn = VadShortDword(vadBuffer, StartingVpn);
        endVpn = VadShortDword(vadBuffer, EndingVpn);
    }
    else
    {
        startVpn = VadShortQword(vadBuffer, StartingVpn);
        endVpn = VadShortQword(vadBuffer, EndingVpn);
    }

    // Add the extra byte if it is present
    if (0 != WIN_KM_FIELD(VadShort, StartingVpnHigh))
    {
        startVpn |= ((QWORD)VadShortByte(vadBuffer, StartingVpnHigh) << 32);
    }
    if (0 != WIN_KM_FIELD(VadShort, EndingVpnHigh))
    {
        endVpn |= ((QWORD)VadShortByte(vadBuffer, EndingVpnHigh) << 32);
    }

    Vad->StartPage = startVpn << 12;
    Vad->EndPage = endVpn << 12;

    if (Vad->EndPage < Vad->StartPage)
    {
        WARNING("[WARNING] VAD EndPage is before StartPage: start = 0x%016llx, end = 0x%016llx, vad at 0x%016llx!\n",
                Vad->StartPage, Vad->EndPage, VadGva);
        Vad->EndPage = Vad->StartPage;
    }

    // The Flags field can have different sizes, so read it into a QWORD
    flags = VadShortAnySize(WIN_KM_FIELD(VadShort, FlagsSize), vadBuffer, Flags);

    // Type and Protection are 3 and 5 bits long, but are not the same bits always, so normalize them
    Vad->VadType = (flags >> WIN_KM_FIELD(VadFlags, TypeShift)) & WIN_KM_FIELD(VadFlags, TypeMask);
    Vad->VadProtection = (flags >> WIN_KM_FIELD(VadFlags, ProtectionShift)) & WIN_KM_FIELD(VadFlags, ProtectionMask);

    // NoChange is always 1 bit and it is present on all Windows versions, so check for it
    Vad->NoChange = 0 != (flags & BIT(WIN_KM_FIELD(VadFlags, NoChangeBit)));

    // DeleteInProgress and PrivateFixup are always 1-bit wide, but are not present on all Windows versions, so it is
    // easier to check them directly against a mask instead of the method used for NoChange; if they are not used,
    // the mask is 0
    Vad->DeleteInProgress = 0 != (flags & WIN_KM_FIELD(VadFlags, DeleteInProgressMask));
    Vad->PrivateFixup = 0 != (flags & WIN_KM_FIELD(VadFlags, PrivateFixupMask));

    Vad->PageCount = (((Vad->EndPage - Vad->StartPage) >> 12) + 1);
    Vad->Protection = IntWinVadVadProtectionToIntroProtection(Vad->VadProtection);

    Vad->HugeVad = (Vad->PageCount * sizeof(VAD_PAGE) >= 4 * ONE_GIGABYTE);
    Vad->Path = NULL;
    Vad->Process = NULL;

    IntVirtMemUnmap(&vadBuffer);

    return INT_STATUS_SUCCESS;
}


static INTSTATUS
IntWinVadFetchImageName(
    _Inout_ VAD *Vad
    )
{
    DWORD len = 0;
    QWORD pathGva = 0;
    QWORD tmp = 0;
    DWORD subsecOffsetInVad;
    DWORD ctlAreaOffsetInSubsec;
    DWORD fileObjectOffsetInCtlArea;
    DWORD fileLengthOffsetInFileObject;
    DWORD fileBufferOffsetInFileObject;
    INTSTATUS status;

    if (NULL != Vad->Path)
    {
        return INT_STATUS_NOT_NEEDED_HINT;
    }

    subsecOffsetInVad = WIN_KM_FIELD(VadLong, Subsection);
    ctlAreaOffsetInSubsec = WIN_KM_FIELD(Ungrouped, SubsectionCtlArea);
    fileObjectOffsetInCtlArea = WIN_KM_FIELD(Ungrouped, CtlAreaFile);
    fileLengthOffsetInFileObject = WIN_KM_FIELD(FileObject, NameLength);
    fileBufferOffsetInFileObject = WIN_KM_FIELD(FileObject, NameBuffer);

    // Read the _SUBSECTION address.
    status = IntKernVirtMemRead(Vad->VadGva + subsecOffsetInVad, gGuest.WordSize, &tmp, NULL);
    if (!INT_SUCCESS(status))
    {
        return status;
    }

    if (0 == tmp)
    {
        return INT_STATUS_NOT_NEEDED_HINT;
    }

    Vad->SubsectionGva = tmp;
    Vad->Path = IntWinUmPathFetchAndReferenceBySubsection(Vad->SubsectionGva);

    if (NULL != Vad->Path)
    {
        // If we can reuse the path, then we can already consider it is a module load
        return IntWinModHandleLoadFromVad(Vad->Process, Vad);
    }

    // Read the _CONTROL_AREA address.
    status = IntKernVirtMemRead(tmp + ctlAreaOffsetInSubsec, gGuest.WordSize, &tmp, NULL);
    if (!INT_SUCCESS(status))
    {
        return status;
    }

    if (0 == tmp)
    {
        return INT_STATUS_NOT_NEEDED_HINT;
    }

    // Read the _FILE_OBJECT address.
    status = IntKernVirtMemRead(tmp + fileObjectOffsetInCtlArea, gGuest.WordSize, &tmp, NULL);
    if (!INT_SUCCESS(status))
    {
        return status;
    }

    tmp = EX_FAST_REF_TO_PTR(gGuest.Guest64, tmp);

    if (0 == tmp)
    {
        return INT_STATUS_NOT_NEEDED_HINT;
    }

    status = IntKernVirtMemRead(tmp + fileLengthOffsetInFileObject, sizeof(WORD), &len, NULL);
    if (!INT_SUCCESS(status))
    {
        return status;
    }

    status = IntKernVirtMemRead(tmp + fileBufferOffsetInFileObject, gGuest.WordSize, &pathGva, NULL);
    if (!INT_SUCCESS(status))
    {
        return status;
    }

    status = IntSwapMemReadData(0, pathGva, len, SWAPMEM_OPT_BP_FAULT, Vad, 0,
                                IntWinVadHandleFilePathInMemory, NULL, &Vad->PathSwapHandle);
    if (!INT_SUCCESS(status))
    {
        ERROR("[ERROR] IntSwapMemReadData failed: 0x%08x\n", status);
    }

    return INT_STATUS_SUCCESS;
}


static INTSTATUS
IntWinVadCreateObject(
    _In_ WIN_PROCESS_OBJECT *Process,
    _In_ QWORD VadGva,
    _Out_ VAD **Vad,
    _In_ BOOLEAN StaticScan
    )
{
    INTSTATUS status;

    VAD *pVad = HpAllocWithTag(sizeof(*pVad), IC_TAG_VAD);
    if (NULL == pVad)
    {
        return INT_STATUS_INSUFFICIENT_RESOURCES;
    }

    status = IntWinVadFetchVadFromMemory(VadGva, pVad);
    if (!INT_SUCCESS(status))
    {
        HpFreeAndNullWithTag(&pVad, IC_TAG_VAD);
        ERROR("[ERROR] IntWinVadFetchVadFromMemory failed from GVA %llx: 0x%08x\n", VadGva, status);
        return status;
    }

    // We don't handle other VAD types except for VadNone and VadImageMap.
    if ((pVad->VadType != VadNone) && (pVad->VadType != VadImageMap) && (pVad->VadType != VadWriteWatch))
    {
        TRACE("[WINVAD] Vad with type %d created at [0x%016llx, 0x%016llx]. Will ignore it.\n",
              pVad->VadType, pVad->StartPage, pVad->EndPage);
        HpFreeAndNullWithTag(&pVad, IC_TAG_VAD);
        *Vad = NULL;
        return INT_STATUS_NOT_NEEDED_HINT;
    }

    pVad->Process = Process;
    pVad->Path = NULL;
    pVad->VadPages = NULL;
    pVad->StaticScan = StaticScan;

    if (VadImageMap == pVad->VadType)
    {
        status = IntWinVadFetchImageName(pVad);
        if (!INT_SUCCESS(status))
        {
            ERROR("[ERROR] IntWinVadFetchImageName failed for VAD 0x%016llx: 0x%08x\n", pVad->VadGva, status);
        }
    }

    *Vad = pVad;

    return INT_STATUS_SUCCESS;
}


INTSTATUS
IntWinVadShortDump(
    _In_ QWORD VadNodeGva,
    _In_ DWORD Level,
    _In_opt_ void *Context
    )
{
    const PCHAR prot[] =
    {
        "noaccess", "readonly", "execute", "execute-read", "readwrite",
        "writecopy", "execute-readwrite", "execute-writecopy"
    };
    VAD vad = {0};
    INTSTATUS status;

    UNREFERENCED_PARAMETER(Context);

    if (!IS_KERNEL_POINTER_WIN(gGuest.Guest64, VadNodeGva))
    {
        return INT_STATUS_INVALID_PARAMETER_1;
    }

    status = IntWinVadFetchVadFromMemory(VadNodeGva, &vad);
    if (!INT_SUCCESS(status))
    {
        return status;
    }

    NLOG("0x%016llx (%d): [0x%016llx, 0x%016llx]: Type: %d Prot: 0x%04x (%s)\n",
         VadNodeGva, Level, vad.StartPage, vad.EndPage, vad.VadType, vad.VadProtection,
         vad.VadProtection >= ARRAYSIZE(prot) ? "" : prot[vad.VadProtection]);

    return INT_STATUS_SUCCESS;
}


_Function_class_(FUNC_RbTreeWalkCallback)
BOOLEAN
IntWinVadDump(
    _In_ VAD const *Vad,
    _In_ void *Context
    )
{
    QWORD i;
    const char *vadTypes[] =
    {
        "VadNone",
        "VadDevicePhysicalMemory",
        "VadImageMap",
        "VadAwe",
        "VadWriteWatch",
        "VadLargePages",
        "VadRotatePhysical",
        "VadLargePageSection",
    };

    UNREFERENCED_PARAMETER(Context);

    if (NULL == Vad)
    {
        return FALSE;
    }

    NLOG("            VAD @ 0x%016llx for [0x%016llx, 0x%016llx], type %-24s, protection: 0x%08x (%c%c%c) "
         "Ignored: %d, ExecCount: %d",
         Vad->VadGva, Vad->StartPage, Vad->EndPage,
         Vad->VadType < sizeof(vadTypes) / sizeof(vadTypes[0]) ? vadTypes[Vad->VadType] : "unknown",
         Vad->VadProtection,
         (Vad->Protection & PROT_READ) ? 'R' : '-',
         (Vad->Protection & PROT_WRITE) ? 'W' : '-',
         (Vad->Protection & PROT_EXEC) ? 'X' : '-',
         Vad->IsIgnored,
         Vad->ExecCount);

    if (NULL != Vad->Path)
    {
        NLOG(", path '%s'\n", utf16_for_log(Vad->Path->Path));
    }
    else
    {
        NLOG("\n");
    }

    if (NULL != Vad->VadPages)
    {
        for (i = 0; i < Vad->PageCount; i++)
        {
            if (NULL != Vad->VadPages[i])
            {
                NLOG("                PAGE @ %llx, protection %c%c%c, hook at %p\n",
                     Vad->VadPages[i]->Address,
                     (Vad->VadPages[i]->Protection & PROT_READ) ? 'R' : '-',
                     (Vad->VadPages[i]->Protection & PROT_WRITE) ? 'W' : '-',
                     (Vad->VadPages[i]->Protection & PROT_EXEC) ? 'X' : '-',
                     Vad->VadPages[i]->ExecHook);
            }
        }
    }

    return TRUE;
}


_Function_class_(FUNC_RbTreeWalkCallback) static
BOOLEAN
IntWinVadRemoveRanges(
    _Inout_ VAD *Vad,
    _In_ void *Context
    )
{
    UNREFERENCED_PARAMETER(Context);

    if (NULL == Vad)
    {
        return FALSE;
    }

    IntWinVadRemoveAllPages(Vad);

    return TRUE;
}


void
IntWinVadStopExploitMonitor(
    _Inout_ WIN_PROCESS_OBJECT *Process
    )
{
    RbWalkInorderTree(&Process->VadTree, (PFUNC_RbTreeWalkCallback)IntWinVadRemoveRanges, NULL);
}


QWORD
IntWinVadFindNodeInGuestSpace(
    _In_ QWORD VadRoot,
    _In_ QWORD StartPage,
    _In_ QWORD EndPage,
    _In_ DWORD Level,
    _In_ QWORD OldStartPage,
    _In_ BOOLEAN LastBranchRight
    )
{
    INTSTATUS status;
    VAD vad = {0};

    if (!IS_KERNEL_POINTER_WIN(gGuest.Guest64, VadRoot))
    {
        return 0;
    }

    if (Level >= VAD_SEARCH_LIMIT)
    {
        ERROR("[ERROR] Max recursion level reached, will bail out\n");
        return 0;
    }

    VadRoot = RTL_BALANCED_NODE_PARENT_TO_PTR(VadRoot);

    status = IntWinVadFetchVadFromMemory(VadRoot, &vad);
    if (!INT_SUCCESS(status))
    {
        ERROR("[ERROR] IntWinVadFetchVadFromMemory failed: 0x%08x\n", status);
        return 0;
    }

    // Workaround for Windows 7/8: the first level isn't in fact a VAD, and we have to follow the right branch.
    if ((gGuest.OSVersion <= 9200) && (0 == Level))
    {
        return IntWinVadFindNodeInGuestSpace(vad.Right, StartPage, EndPage, Level + 1, 0, TRUE);
    }

    if (Level > 0 && vad.StartPage <= OldStartPage && LastBranchRight)
    {
        ERROR("[ERROR] The in-guest VAD tree seems to be corrupted! Last branch right, "
              "current start page: 0x%16llx, old start page: 0x%16llx\n",
              vad.StartPage, OldStartPage);
        return 0;
    }

    if (Level > 0 && vad.StartPage >= OldStartPage && !LastBranchRight)
    {
        ERROR("[ERROR] The in-guest VAD tree seems to be corrupted! Last branch left, "
              "current start page: 0x%16llx, old start page: 0x%16llx\n",
              vad.StartPage, OldStartPage);
        return 0;
    }

    if (StartPage > vad.EndPage)
    {
        return IntWinVadFindNodeInGuestSpace(vad.Right, StartPage, EndPage, Level + 1, vad.StartPage, TRUE);
    }
    else if (EndPage < vad.StartPage)
    {
        return IntWinVadFindNodeInGuestSpace(vad.Left, StartPage, EndPage, Level + 1, vad.StartPage, FALSE);
    }
    else if (StartPage >= vad.StartPage && EndPage <= vad.EndPage)
    {
        return vad.VadGva;
    }

    return 0;
}


INTSTATUS
IntWinVadInOrderRecursiveTraversal(
    _In_ QWORD VadNodeGva,
    _In_ DWORD Level,
    _In_ PFUNC_WinVadTraversalCallback Callback,
    _In_opt_ void *Context
    )
{
    INTSTATUS status;
    QWORD left;
    QWORD right;
    INTSTATUS failStatus = INT_STATUS_SUCCESS;
    VAD vad = {0};
#define MAX_LEVEL 64

    if (!IS_KERNEL_POINTER_WIN(gGuest.Guest64, VadNodeGva))
    {
        return INT_STATUS_INVALID_PARAMETER_1;
    }

    if (NULL == Callback)
    {
        return INT_STATUS_INVALID_PARAMETER_3;
    }

    if (Level > MAX_LEVEL)
    {
        ERROR("[ERROR] Too much recursion: requested level: %d, max level: %d\n", Level, MAX_LEVEL);
        return INT_STATUS_BUFFER_OVERFLOW;
    }

    // On OSs with _MM_AVL_TABLE in the root, we should convert it to ptr by stripping the last 2 bits.
    // Otherwise the structure might be off by some bits and invalid data could be read from the guest.
    if (gGuest.OSVersion <= 9200 && 0 == Level)
    {
        VadNodeGva = RTL_BALANCED_NODE_PARENT_TO_PTR(VadNodeGva);
    }

    status = IntWinVadFetchVadFromMemory(VadNodeGva, &vad);
    if (!INT_SUCCESS(status))
    {
        ERROR("[ERROR] IntWinVadFetchVadFromMemory failed for 0x%016llx: 0x%08x\n", VadNodeGva, status);
        return status;
    }

    left = vad.Left;
    right = vad.Right;

    if (IS_KERNEL_POINTER_WIN(gGuest.Guest64, left))
    {
        status = IntWinVadInOrderRecursiveTraversal(left, Level + 1, Callback, Context);
        if (!INT_SUCCESS(status))
        {
            failStatus = status;
        }
    }

    if (gGuest.OSVersion <= 9200 && 0 == Level)
    {
        // Windows 7 and Windows 8 hold in _EPROCESS.VadRoot a _MM_AVL_TABLE struct. It's Parent points to itself,
        // the children may be NULL or valid tree nodes, skip the callback for the fake root
        TRACE("[WINVAD] -------> Special Win 7/8 case: 0x%016llx is not an actual VAD. Left = 0x%016llx "
              "Right = 0x%016llx\n", VadNodeGva, left, right);
    }
    else
    {
        Callback(VadNodeGva, Level, Context);
    }

    if (IS_KERNEL_POINTER_WIN(gGuest.Guest64, right))
    {
        status = IntWinVadInOrderRecursiveTraversal(right, Level + 1, Callback, Context);
        if (!INT_SUCCESS(status))
        {
            failStatus = status;
        }
    }

    return failStatus;
}


INTSTATUS
IntWinVadWalkTree(
    _In_ PWIN_PROCESS_OBJECT Process,
    _In_ PFUNC_RbTreeWalkCallback Callback
    )
{
    if (NULL == Process)
    {
        return INT_STATUS_INVALID_PARAMETER_1;
    }

    if (NULL == Callback)
    {
        return INT_STATUS_INVALID_PARAMETER_2;
    }

    RbWalkInorderTree(&Process->VadTree, Callback, NULL);

    return INT_STATUS_SUCCESS;
}


static PVAD
IntWinVadRescanVad(
    _Inout_ WIN_PROCESS_OBJECT *Process,
    _In_ QWORD StartPage,
    _In_ QWORD EndPage
    )
{
    INTSTATUS status;
    PVAD pVad;
    QWORD vadroot = 0, vadgva = 0;

    status = IntKernVirtMemRead(Process->EprocessAddress + WIN_KM_FIELD(Process, VadRoot),
                                gGuest.WordSize, &vadroot, NULL);
    if (!INT_SUCCESS(status))
    {
        ERROR("[ERROR] IntKernVirtMemRead failed: 0x%08x\n", status);
        return NULL;
    }

    for (DWORD tries = 0; tries < VAD_SEARCH_LIMIT; tries++)
    {
        vadgva = IntWinVadFindNodeInGuestSpace(vadroot, StartPage, EndPage, 0, 0, FALSE);
        if (0 != vadgva)
        {
            TRACE("[WINVAD] VAD for range [0x%016llx, 0x%016llx] found at 0x%016llx. Tries: %u\n",
                  StartPage, EndPage, vadgva, tries);
            break;
        }
    }

    if (0 == vadgva)
    {
        LOG("IntWinVadFindNodeInGuestSpace failed for range [0x%016llx, 0x%016llx] in process %u\n",
            StartPage, EndPage, Process->Pid);
        return NULL;
    }

    status = IntWinVadHandleInsertGeneric(Process, vadgva, FALSE, &pVad);
    if (!INT_SUCCESS(status))
    {
        ERROR("[ERROR] IntWinVadHandleInsertGeneric failed for VAD %llx: 0x%08x\n", vadgva, status);
        return NULL;
    }

    return pVad;
}


VAD *
IntWinVadFindAndUpdateIfNecessary(
    _Inout_ WIN_PROCESS_OBJECT *Process,
    _In_ QWORD StartHint,
    _In_ QWORD LengthHint
    )
{
    const QWORD startPage = StartHint & PAGE_MASK;
    const QWORD endPage = (StartHint + LengthHint - 1) & PAGE_MASK;
    VAD *vad = IntWinVadFindByRange(Process, startPage, endPage);
    if (NULL != vad && startPage >= vad->StartPage && endPage <= vad->EndPage)
    {
        return vad;
    }

    vad = IntWinVadRescanVad(Process, startPage, endPage);
    if (NULL == vad)
    {
        LOG("IntWinVadRescanVad failed for [0x%016llx, 0x%016llx] in process %u\n",
            startPage, endPage, Process->Pid);
    }

    return vad;
}


static INTSTATUS
IntWinVadHandleProtectGeneric(
    _Inout_ WIN_PROCESS_OBJECT *Process,
    _In_ QWORD StartPage,
    _In_ QWORD EndPage,
    _In_ DWORD VmProtection,
    _In_ BOOLEAN AtInsertion
    )

{
    INTSTATUS status;
    PVAD pVad;
    DWORD newprot;

    if (EndPage < StartPage)
    {
        return INT_STATUS_INVALID_PARAMETER_MIX;
    }

    // Get the associated VAD.
    pVad = IntWinVadFindByRange(Process, StartPage, EndPage);
    if (NULL == pVad)
    {
        QWORD vadroot = 0, vadgva = 0;

        TRACE("[WINVAD] Range [%llx, %llx] not cached, searching guest space for VAD...\n", StartPage, EndPage);

        status = IntKernVirtMemRead(Process->EprocessAddress + WIN_KM_FIELD(Process, VadRoot),
                                    gGuest.WordSize,
                                    &vadroot,
                                    NULL);
        if (!INT_SUCCESS(status))
        {
            ERROR("[ERROR] IntKernVirtMemRead failed: 0x%08x\n", status);
            return status;
        }

        for (DWORD tries = 0; tries < VAD_SEARCH_LIMIT; tries++)
        {
            vadgva = IntWinVadFindNodeInGuestSpace(vadroot, StartPage, EndPage, 0, 0, FALSE);
            if (0 != vadgva)
            {
                break;
            }
        }

        if (0 == vadgva)
        {
            // We'll only warn and return an informational status as there might be in-guest race conditions.
            // For example, calling VirtualProtectEx on a previously freed memory region.
            WARNING("[WARNING] IntWinVadFindNodeInGuestSpacefailed to find a VAD for range [%llx, %llx] "
                    "in process %d\n", StartPage, EndPage, Process->Pid);
            return INT_STATUS_NOT_INITIALIZED_HINT;
        }

        TRACE("[WINVAD] VAD for range [%llx, %llx] found at %llx\n", StartPage, EndPage, vadgva);

        status = IntWinVadHandleInsertGeneric(Process, vadgva, FALSE, &pVad);
        if (!INT_SUCCESS(status))
        {
            ERROR("[ERROR] IntWinVadHandleInsertGeneric failed for VAD %llx: 0x%08x\n", vadgva, status);
            return status;
        }
    }

    if ((StartPage < pVad->StartPage) || (StartPage > pVad->EndPage))
    {
        ERROR("[ERROR] The start page lies outside the VAD range: 0x%016llx vs [0x%016llx, 0x%016llx]\n",
              StartPage, pVad->StartPage, pVad->EndPage);
        return INT_STATUS_INVALID_PARAMETER_2;
    }

    if ((EndPage < pVad->StartPage) || (EndPage > pVad->EndPage))
    {
        ERROR("[ERROR] The end page lies outside the VAD range: 0x%016llx vs [0x%016llx, 0x%016llx]\n",
              EndPage, pVad->StartPage, pVad->EndPage);
        return INT_STATUS_INVALID_PARAMETER_3;
    }

    if (pVad->HugeVad)
    {
        WARNING("[WARNING] Protecting range [0x%016llx, 0x%016llx] of huge VAD [0x%016llx, 0x%016llx] "
                "with %llu pages at GVA 0x%016llx\n",
                StartPage, EndPage, pVad->StartPage, pVad->EndPage, pVad->PageCount, pVad->VadGva);
        return INT_STATUS_NOT_NEEDED_HINT;
    }

    pVad->IsIgnored = IntWinVadIsProbablyNaCl(pVad);
    if (pVad->IsIgnored)
    {
        TRACE("[INFO] Ignoring VAD @ 0x%016llx [0x%016llx, 0x%016llx] for process `%s` (%d)\n",
              pVad->VadGva, pVad->StartPage, pVad->EndPage, Process->Name, Process->Pid);
        return INT_STATUS_NOT_NEEDED_HINT;
    }

    // We are not interested in mapped executable files, so we will skip them.
    if (((pVad->VadType == VadImageMap) && (pVad->PageCount > 2)) ||
        (VadRotatePhysical == pVad->VadType) ||
        (VadDevicePhysicalMemory == pVad->VadType) ||
        !pVad->Process->ProtExploits ||
        (pVad->ExecCount > MIN((pVad->PageCount / 20), MAX_VAD_EXECS)))
    {
        return INT_STATUS_NOT_NEEDED_HINT;
    }

    // If the function was called due to some VirtualProtect call (or commit with different rights)
    // and the Vad.u.VadFlags.NoChange is set, we should bail out, as the OS won't apply the protections to it.
    if (pVad->NoChange && !AtInsertion)
    {
        return INT_STATUS_NOT_NEEDED_HINT;
    }

    // Compute the simplified protection mask.
    newprot = IntWinVadVmProtectionToIntroProtection(VmProtection);
    if (VmProtection & WIN_MM_PAGE_GUARD)
    {
        pVad->IsStack = TRUE;
    }

    // If the pages array was not allocated, do so now.
    if (NULL == pVad->VadPages)
    {
        pVad->VadPages = HpAllocWithTag(sizeof(*pVad->VadPages) * pVad->PageCount, IC_TAG_VAD_PGARR);
        if (NULL == pVad->VadPages)
        {
            return INT_STATUS_INSUFFICIENT_RESOURCES;
        }
    }

    for (QWORD curpg = (StartPage & PAGE_MASK); curpg <= (EndPage & PAGE_MASK); curpg += PAGE_SIZE)
    {
        DWORD pos = (DWORD)((curpg - pVad->StartPage) >> 12);

        if (NULL == pVad->VadPages[pos])
        {
            pVad->VadPages[pos] = HpAllocWithTag(sizeof(**pVad->VadPages), IC_TAG_VAD_PAGE);
            if (NULL == pVad->VadPages[pos])
            {
                return INT_STATUS_INSUFFICIENT_RESOURCES;
            }

            // So we can do MIN/MAX on them.
            pVad->VadPages[pos]->RangeStart = 0xFFFFFFFFFFFFFFFF;
            pVad->VadPages[pos]->RangeEnd = 0;

            // The old page protection was given by the VAD protection.
            pVad->VadPages[pos]->Vad = pVad;
            pVad->VadPages[pos]->Address = curpg;
            pVad->VadPages[pos]->VmProtection = VmProtection;
            pVad->VadPages[pos]->Protection = newprot;
        }
        else
        {
            pVad->VadPages[pos]->VmProtection = VmProtection;
            pVad->VadPages[pos]->Protection = newprot;
        }

        // We always store the maximum range, in order to remove as many pages when we detect a legitimate execution.
        pVad->VadPages[pos]->RangeStart = MIN(pVad->VadPages[pos]->RangeStart, StartPage);
        pVad->VadPages[pos]->RangeEnd = MAX(pVad->VadPages[pos]->RangeEnd, EndPage);

        if ((0 != (newprot & PROT_EXEC)) &&
            (NULL == pVad->VadPages[pos]->ExecHook) && (!pVad->VadPages[pos]->Legitimate))
        {
            status = IntHookGvaSetHook(Process->Cr3, curpg, PAGE_SIZE, IG_EPT_HOOK_EXECUTE,
                                       IntWinVadHandlePageExecution, pVad->VadPages[pos], NULL, 0,
                                       (PHOOK_GVA *)&pVad->VadPages[pos]->ExecHook);
            if (!INT_SUCCESS(status))
            {
                ERROR("[ERROR] IntHookGvaSetHook failed: 0x%08x\n", status);
            }
        }

        // The page was executable, and now it is not.
        if (0 == (newprot & PROT_EXEC) && (NULL != pVad->VadPages[pos]->ExecHook))
        {
            status = IntHookGvaRemoveHook((HOOK_GVA **)&pVad->VadPages[pos]->ExecHook, 0);
            if (!INT_SUCCESS(status))
            {
                ERROR("[ERROR] IntHookGvaRemoveHook failed: 0x%08x\n", status);
            }
        }
    }

    return INT_STATUS_SUCCESS;
}


static INTSTATUS
IntWinVadReimportProcessTree(
    _Inout_ WIN_PROCESS_OBJECT *Process
    )
{
    INTSTATUS status;

    status = IntWinVadRemoveProcessTree(Process);
    if (!INT_SUCCESS(status))
    {
        ERROR("[ERROR] IntWinVadRemoveProcessTree failed: 0x%08x\n", status);
        return status;
    }

    status = IntWinVadImportProcessTree(Process);
    if (!INT_SUCCESS(status))
    {
        ERROR("[ERROR] IntWinVadImportProcessTree failed: 0x%08x\n", status);
        return status;
    }

    return status;
}


static INTSTATUS
IntWinVadHandleDeleteGeneric(
    _Inout_ WIN_PROCESS_OBJECT *Process,
    _In_ QWORD StartPage,
    _In_ QWORD EndPage,
    _In_ DWORD Level
    )
{
    INTSTATUS status;
    PVAD pVad;

    if (Level >= 2)
    {
        WARNING("[WARNING] Exceeded max recursion level for VAD deletion @ [0x%016llx, 0x%016llx] %s:%d\n",
                StartPage, EndPage, Process->Name, Process->Pid);
        IntDbgEnterDebugger();
        return INT_STATUS_INVALID_PARAMETER_4;
    }

    if (EndPage < StartPage)
    {
        WARNING("[WARNING] EndPage is LESS than StartPage: [0x%016llx, 0x%016llx]\n", StartPage, EndPage);
        IntDbgEnterDebugger();
        return INT_STATUS_INVALID_PARAMETER_2;
    }

    pVad = IntWinVadFindByRange(Process, StartPage, EndPage);
    if (NULL == pVad)
    {
        // Since we ignore all VAD types except for VadNone and VadImageMap, we don't have to log error here or
        // return an error.
    }
    else if ((StartPage == pVad->StartPage) && (EndPage == pVad->EndPage))
    {
        RbDeleteNode(&Process->VadTree, &pVad->RbNode);

        IntWinVadDestroyObject(&pVad);
    }
    else if (StartPage == pVad->StartPage)
    {
        // Only the lower sub-range is deleted
        QWORD newStart = EndPage + PAGE_SIZE;

        TRACE("[WINVAD] Adjusting VAD 0x%016llx. Old start: 0x%016llx New start: 0x%016llx "
              "for process %s:%d (0x%016llx)\n",
              pVad->VadGva, pVad->StartPage, newStart, Process->Name, Process->Pid, Process->EprocessAddress);

        status = IntWinVadAdjustRange(pVad, newStart, pVad->EndPage);
        if (!INT_SUCCESS(status))
        {
            ERROR("[ERROR] IntWinVadAdjustRange failed for [0x%016llx, 0x%016llx] in VAD 0x%016llx "
                  "process 0x%016llx: 0x%08x\n",
                  StartPage, EndPage, pVad->VadGva, Process->EprocessAddress, status);
        }
    }
    else if (EndPage == pVad->EndPage)
    {
        // Only the upper sub-range is deleted
        QWORD newEnd = StartPage - PAGE_SIZE;

        TRACE("[WINVAD] Adjusting VAD 0x%016llx. Old end: 0x%016llx New end: 0x%016llx for process %s:%d (0x%016llx)\n",
              pVad->VadGva, pVad->EndPage, newEnd, Process->Name, Process->Pid, Process->EprocessAddress);

        status = IntWinVadAdjustRange(pVad, pVad->StartPage, newEnd);
        if (!INT_SUCCESS(status))
        {
            ERROR("[ERROR] IntWinVadAdjustRange failed for [0x%016llx, 0x%016llx] in VAD 0x%016llx "
                  "process 0x%016llx: 0x%08x\n",
                  StartPage, EndPage, pVad->VadGva, Process->EprocessAddress, status);
        }
    }
    else
    {
        TRACE("[WINVAD] Guest attempts to delete VAD [%016llx, %016llx], but we matched with VAD [%016llx, %016llx]"
              ",  will reimport process tree for %s:%d\n",
              StartPage, EndPage, pVad->StartPage, pVad->EndPage,
              Process->Name, Process->Pid);

        IntPauseVcpus();

        status = IntWinVadReimportProcessTree(Process);
        if (!INT_SUCCESS(status))
        {
            ERROR("[ERROR] IntWinVadReimportProcessTree failed: 0x%08x\n", status);
            goto _resume_maybe_enter_dbg;
        }

        status = IntWinVadHandleDeleteGeneric(Process, StartPage, EndPage, Level + 1);
        if (!INT_SUCCESS(status))
        {
            ERROR("[ERROR] IntWinVadHandleDeleteGeneric failed: 0x%08x\n", status);
            goto _resume_maybe_enter_dbg;
        }

_resume_maybe_enter_dbg:
        IntResumeVcpus();

        if (!INT_SUCCESS(status))
        {
            IntDbgEnterDebugger();
        }
    }

    return INT_STATUS_SUCCESS;
}


static INTSTATUS
IntWinVadHandleInsertGeneric(
    _Inout_ WIN_PROCESS_OBJECT *Process,
    _In_ QWORD VadAddress,
    _In_ BOOLEAN StaticScan,
    _Out_opt_ VAD **Vad
    )

{
    INTSTATUS status;
    PVAD pVad = NULL;
    BOOLEAN previouslyMonitored;

    if (Vad != NULL)
    {
        *Vad = NULL;
    }

    previouslyMonitored = !!(Process->MonitorVad);

    status = IntWinVadCreateObject(Process, VadAddress, &pVad, StaticScan);
    if (!INT_SUCCESS(status))
    {
        ERROR("[ERROR] IntWinVadCreateObject failed: 0x%08x\n", status);

        return status;
    }

    if (NULL != pVad && Process->MonitorVad)
    {
        BOOLEAN hugeNoWrite;
        const QWORD maxTries = pVad->PageCount + 1;
        QWORD tryCount = 0;

        do
        {
            PVAD toRemove;

            status = RbInsertNode(&Process->VadTree, &pVad->RbNode);
            if (INT_STATUS_KEY_ALREADY_EXISTS != status)
            {
                // We managed to insert it (or another error occurred), break out of the loop
                break;
            }

            WARNING("[WARNING] [WINVAD] Special case `INT_STATUS_KEY_ALREADY_EXISTS` while inserting 0x%016llx "
                    "[0x%016llx, 0x%016llx] in 0x%016llx (PID %u)\n",
                    pVad->VadGva, pVad->StartPage, pVad->EndPage, Process->EprocessAddress, Process->Pid);

            toRemove = IntWinVadFindByRange(Process, pVad->StartPage, pVad->EndPage);
            if (NULL == toRemove)
            {
                ERROR("[ERROR] IntWinVadFindByRange failed for [%016llx, %016llx]\n", pVad->StartPage, pVad->EndPage);
                IntDbgEnterDebugger();
                IntWinVadDestroyObject(&pVad);

                return status;
            }

            status = IntWinVadHandleDeleteGeneric(Process, toRemove->StartPage, toRemove->EndPage, 0);
            if (!INT_SUCCESS(status))
            {
                ERROR("[ERROR] IntWinVadHandleDeleteGeneric failed for [0x%016llx, 0x%016llx] "
                      "in process 0x%016llx: 0x%08x\n",
                      toRemove->StartPage, toRemove->EndPage, Process->EprocessAddress, status);
            }

            tryCount++;
        } while (tryCount < maxTries);
        if (!INT_SUCCESS(status))
        {
            ERROR("[ERROR] RbInsertNode failed for [0x%016llx, 0x%016llx] in process PID %u: 0x%08x\n",
                  pVad->StartPage, pVad->EndPage, Process->Pid, status);
            IntDbgEnterDebugger();
            IntWinVadDestroyObject(&pVad);

            return status;
        }

        pVad->IsIgnored = IntWinVadIsProbablyNaCl(pVad);
        if (pVad->IsIgnored)
        {
            TRACE("[INFO] Ignoring VAD @ 0x%016llx [0x%016llx, 0x%016llx] for process `%s` (%d)\n",
                  pVad->VadGva, pVad->StartPage, pVad->EndPage, Process->Name, Process->Pid);
        }

        hugeNoWrite = (pVad->PageCount >= 65536) && (0 == (pVad->Protection & PROT_WRITE));

        // If needed, monitor these pages.
        if ((!pVad->IsIgnored) && (!hugeNoWrite) && (pVad->Protection & PROT_EXEC) &&
            ((pVad->VadType != VadImageMap) || (pVad->PageCount <= 2)))
        {
            status = IntWinVadHandleProtectGeneric(Process, pVad->StartPage, pVad->EndPage,
                                                   IntWinVadVadProtectionToVmProtection(pVad->VadProtection), TRUE);
            if (!INT_SUCCESS(status))
            {
                ERROR("[ERROR] IntWinVadHandleProtectGeneric failed: 0x%08x\n", status);
            }
        }
    }
    else if (pVad != NULL && previouslyMonitored)
    {
        //
        // We decided on the current VAD (which is also the main module) that VAD should not be monitored
        // anymore. Thus the current VAD should be destroyed. Note that the VADs inserted before this
        // would have already been destroyed, due to the fact that we called IntWinVadRemoveProcessTree,
        // but the current VAD has not got the chance to be added into the tree - thus it will be leaked
        // otherwise.
        // Also, a big note to this is the fact that a caller might externally call this function mistakenly
        // for non-protected (and non-vad-monitored) processes. As a safe guard, we'll destroy the VAD only
        // if it was decided in IntWinVadCreateObject that from now on we should not monitor vad anymore.
        //
        IntWinVadDestroyObject(&pVad);
    }

    if (Vad != NULL)
    {
        *Vad = pVad;
    }
    return INT_STATUS_SUCCESS;
}


static INTSTATUS
IntWinVadStaticInsertNodeIntoProcess(
    _In_ QWORD VadNodeGva,
    _In_ DWORD Level,
    _Inout_ WIN_PROCESS_OBJECT *Process
    )
{
    INTSTATUS status;

    UNREFERENCED_PARAMETER(Level);

    if (!IS_KERNEL_POINTER_WIN(gGuest.Guest64, VadNodeGva))
    {
        return INT_STATUS_INVALID_PARAMETER_1;
    }

    // It is possible that during VAD iteration we decided to remove the process protection (based on the Main Module)
    // Thus, don't insert the current node if MonitorVad was cleared.
    if (!Process->MonitorVad)
    {
        return INT_STATUS_NOT_NEEDED_HINT;
    }

    status = IntWinVadHandleInsertGeneric(Process, VadNodeGva, TRUE, NULL);
    if (!INT_SUCCESS(status))
    {
        ERROR("[ERROR] IntWinVadHandleInsertGeneric failed for 0x%016llx in process %d: 0x%08x\n",
              VadNodeGva, Process->Pid, status);
        return status;
    }

    TRACE("[WINVAD] VAD 0x%016llx found at static scan on level %d\n", VadNodeGva, Level);

    return INT_STATUS_SUCCESS;
}


INTSTATUS
IntWinVadImportProcessTree(
    _Inout_ WIN_PROCESS_OBJECT *Process
    )
{
    INTSTATUS status;
    QWORD root = 0;

    if (NULL == Process)
    {
        return INT_STATUS_INVALID_PARAMETER_1;
    }

    status = IntKernVirtMemRead(Process->EprocessAddress + WIN_KM_FIELD(Process, VadRoot),
                                gGuest.WordSize,
                                &root,
                                NULL);
    if (!INT_SUCCESS(status))
    {
        ERROR("[ERROR] IntKernVirtMemRead failed: 0x%08x\n", status);
        return status;
    }

    if (0 == root)
    {
        TRACE("[WINVAD] Skipping static scan for process 0x%016llx because root @ 0x%016llx is 0\n",
              Process->EprocessAddress, Process->EprocessAddress + WIN_KM_FIELD(Process, VadRoot));
        return INT_STATUS_NOT_NEEDED_HINT;
    }

    TRACE("[WINVAD] Starting static scan for process 0x%016llx from root @ 0x%016llx = 0x%016llx\n",
          Process->EprocessAddress,
          Process->EprocessAddress + WIN_KM_FIELD(Process, VadRoot),
          root);

    status = IntWinVadInOrderRecursiveTraversal(root, 0, IntWinVadStaticInsertNodeIntoProcess, Process);
    if (!INT_SUCCESS(status))
    {
        ERROR("[ERROR] IntWinVadInOrderRecursiveTraversal failed for root 0x%016llx: 0x%08x\n", root, status);
        return status;
    }

    return INT_STATUS_SUCCESS;
}


INTSTATUS
IntWinVadHandleInsert(
    _In_ void const  *Detour
    )
{
    INTSTATUS status;
    WIN_PROCESS_OBJECT *pProc;
    QWORD args[2];
    QWORD vadGva;
    QWORD eprocessGva;

    if (NULL == Detour)
    {
        return INT_STATUS_INVALID_PARAMETER_1;
    }

    // the parameters are the same on x86 as on x64
    // RCX: pointer to a MMVAD or MMVAD_SHORT structure. Private VADs (created by VirtualAlloc(Ex) calls) are
    // always MMVAD_SHORT
    // RDX: pointer to the EPROCESS structure of the process for which the VAD is created. This might not be in
    // the process list yet
    status = IntDetGetArguments(Detour, 2, args);
    if (!INT_SUCCESS(status))
    {
        ERROR("[ERROR] IntDetGetArguments failed: 0x%08x\n", status);
        goto cleanup_and_exit;
    }

    vadGva = args[0];
    eprocessGva = args[1];

    // Get the process object.
    pProc = IntWinProcFindObjectByEprocess(eprocessGva);
    if (!pProc || !pProc->MonitorVad)
    {
        status = INT_STATUS_NOT_NEEDED_HINT;
        goto cleanup_and_exit;
    }

    status = IntWinVadHandleInsertGeneric(pProc, vadGva, FALSE, NULL);
    if (INT_STATUS_NOT_FOUND != status && !INT_SUCCESS(status))
    {
        ERROR("[ERROR] IntWinVadHandleInsertionGeneric failed for process 0x%016llx VAD 0x%016llx: 0x%08x\n",
              eprocessGva, vadGva, status);
        goto cleanup_and_exit;
    }

    status = INT_STATUS_SUCCESS;

cleanup_and_exit:

    return status;
}


INTSTATUS
IntWinVadHandleInsertPrivate(
    _In_ void const *Detour
    )
{
    INTSTATUS status;
    PWIN_PROCESS_OBJECT pProc = NULL;
    PIG_ARCH_REGS pRegs = NULL;
    QWORD vadGva = 0;

    if (NULL == Detour)
    {
        return INT_STATUS_INVALID_PARAMETER_1;
    }

    pRegs = &gVcpu->Regs;

    status = IntDetGetArgument(Detour, 0, NULL, 0, &vadGva);
    if (!INT_SUCCESS(status))
    {
        ERROR("[ERROR] IntDetGetArgument failed: 0x%08x\n", status);
        goto cleanup_and_exit;
    }

    pProc = IntWinProcFindObjectByCr3(pRegs->Cr3);
    if (!pProc || !pProc->MonitorVad)
    {
        status = INT_STATUS_NOT_NEEDED_HINT;
        goto cleanup_and_exit;
    }

    status = IntWinVadHandleInsertGeneric(pProc, vadGva, FALSE, NULL);
    if (INT_STATUS_NOT_FOUND != status && !INT_SUCCESS(status))
    {
        ERROR("[ERROR] IntWinVadHandleInsertionGeneric failed for process 0x%016llx VAD 0x%016llx: 0x%08x\n",
              pProc->EprocessAddress, vadGva, status);
        goto cleanup_and_exit;
    }

    status = INT_STATUS_SUCCESS;

cleanup_and_exit:

    return status;
}

_Function_class_(PFUNC_PreDetourCallback)
INTSTATUS
IntWinPatchVadHandleCommit(
    _In_ QWORD FunctionAddress,
    _Inout_ API_HOOK_HANDLER *Handler,
    _In_ QWORD HandlerAddress
    )
{
    API_HOOK_HANDLER *pHandler = Handler;

    UNREFERENCED_PARAMETER(FunctionAddress);
    UNREFERENCED_PARAMETER(HandlerAddress);

    if (gGuest.Guest64)
    {
        *(DWORD *)(pHandler->Code + 0x0d) = WIN_KM_FIELD(Pcr, CurrentThread);

        *(DWORD *)(pHandler->Code + 0x14) = WIN_KM_FIELD(Thread, AttachedProcess);

        *(DWORD *)(pHandler->Code + 0x1f) = WIN_KM_FIELD(Thread, Process);

        *(DWORD *)(pHandler->Code + 0x25) = WIN_KM_FIELD(Process, Spare);
        *(DWORD *)(pHandler->Code + 0x2d) = WIN_KM_FIELD(Process, Spare);
    }
    else
    {
        if (gGuest.OSVersion < WIN_BUILD_8_1)
        {
            // Stdcall
            *(BYTE *)(pHandler->Code + 0x3) = 0x10;
        }
        else
        {
            // Fastcall
            *(BYTE *)(pHandler->Code + 0x3) = 0x8;
        }

        *(DWORD *)(pHandler->Code + 0x0c) = WIN_KM_FIELD(Pcr, CurrentThread);

        *(DWORD *)(pHandler->Code + 0x12) = WIN_KM_FIELD(Thread, AttachedProcess);

        *(DWORD *)(pHandler->Code + 0x1c) = WIN_KM_FIELD(Thread, Process);

        *(DWORD *)(pHandler->Code + 0x22) = WIN_KM_FIELD(Process, Spare);
        *(DWORD *)(pHandler->Code + 0x2a) = WIN_KM_FIELD(Process, Spare);
    }

    return INT_STATUS_SUCCESS;
}


INTSTATUS
IntWinVadHandleCommit(
    _In_ void const *Detour
    )
{
    WIN_PROCESS_OBJECT *pProc;
    IG_ARCH_REGS *regs;
    INTSTATUS status;
    QWORD gvaVad;
    QWORD protPage;
    QWORD protSize;
    DWORD vmProt;
    QWORD endPage;
    QWORD args[4] = {0};
    VAD *pVad;

    STATS_ENTER(statsVadCommitExisting);

    regs = &gVcpu->Regs;
    pProc = IntWinProcFindObjectByCr3(regs->Cr3);

    if (!pProc || !pProc->Protected || !pProc->MonitorVad)
    {
        // Nothing to do
        goto cleanup_and_exit;
    }

    status = IntDetGetArguments(Detour, 4, args);
    if (!INT_SUCCESS(status))
    {
        ERROR("[ERROR] IntDetGetArgument failed: 0x%08x\n", status);
        goto cleanup_and_exit;
    }

    gvaVad = args[0];
    protPage = args[1];
    protSize = args[2];
    vmProt = (DWORD)args[3];

    // Try to find an existing VAD
    pVad = IntWinVadFindByVa(pProc, protPage);
    if (NULL != pVad)
    {
        if (gvaVad != pVad->VadGva)
        {
            // This VAD was deleted in the meantime, try to get it back
            status = IntWinVadHandleInsertGeneric(pProc, gvaVad, FALSE, NULL);
            if (!INT_SUCCESS(status))
            {
                ERROR("[ERROR] IntWinVadHandleInsertGeneric failed for 0x%016llx: 0x%08x\n", gvaVad, status);
                goto cleanup_and_exit;
            }
        }
    }
    else
    {
        status = IntWinVadHandleInsertGeneric(pProc, gvaVad, FALSE, NULL);
        if (!INT_SUCCESS(status))
        {
            ERROR("[ERROR] IntWinVadHandleInsertGeneric failed for 0x%016llx: 0x%08x\n", gvaVad, status);
            goto cleanup_and_exit;
        }
    }

    // Now apply the protection change. Note that VAD ranges are inclusive, so the end page is the last page
    // contained by the VAD
    endPage = (protPage + protSize - 1) & PAGE_MASK;
    protPage &= PAGE_MASK;

    status = IntWinVadHandleProtectGeneric(pProc, protPage, endPage, vmProt, FALSE);
    if (!INT_SUCCESS(status))
    {
        ERROR("[ERROR] IntWinVadHandleProtectGeneric failed for [0x%016llx, 0x%016llx]: 0x%08x\n",
              protPage, endPage, status);
        goto cleanup_and_exit;
    }

cleanup_and_exit:
    STATS_EXIT(statsVadCommitExisting);

    return INT_STATUS_SUCCESS;
}


INTSTATUS
IntWinVadHandleInsertMap(
    _In_ void const *Detour
    )
{
    INTSTATUS status;
    PIG_ARCH_REGS pRegs;
    PWIN_PROCESS_OBJECT pProc;
    QWORD vadGva;

    if (NULL == Detour)
    {
        return INT_STATUS_INVALID_PARAMETER_1;
    }

    pRegs = &gVcpu->Regs;

    status = IntDetGetArgument(Detour, 0, NULL, 0, &vadGva);
    if (!INT_SUCCESS(status))
    {
        ERROR("[ERROR] IntDetGetArgument failed: 0x%08x\n", status);
        return status;
    }

    pProc = IntWinProcFindObjectByCr3(pRegs->Cr3);
    if (NULL == pProc || !pProc->MonitorVad)
    {
        return INT_STATUS_NOT_NEEDED_HINT;
    }

    status = IntWinVadHandleInsertGeneric(pProc, vadGva, FALSE, NULL);
    if (INT_STATUS_NOT_FOUND != status && !INT_SUCCESS(status))
    {
        ERROR("[ERROR] IntWinVadHandleInsertionGeneric failed for VAD 0x%016llx: 0x%08x\n", vadGva, status);
    }

    return status;
}


INTSTATUS
IntWinVadHandleDeleteVaRange(
    _In_ void const *Detour
    )
{
    QWORD startPage;
    QWORD endPage;
    PIG_ARCH_REGS pRegs;
    PWIN_PROCESS_OBJECT pProcess;
    QWORD args[2];
    INTSTATUS status;

    if (NULL == Detour)
    {
        return INT_STATUS_INVALID_PARAMETER_1;
    }

    pRegs = &gVcpu->Regs;

    status = IntDetGetArguments(Detour, 2, args);
    if (!INT_SUCCESS(status))
    {
        ERROR("[ERROR] IntDetGetArguments failed: 0x%08x\n", status);
        return status;
    }

    startPage = args[0];
    endPage = args[1];

    // Align addresses to page boundaries
    startPage &= PAGE_MASK;
    endPage &= PAGE_MASK;

    // This function is always executed in the context of the process from who's address space the pages are removed
    // so we can simply get it by the current Cr3
    pProcess = IntWinProcFindObjectByCr3(pRegs->Cr3);
    if (!pProcess || !pProcess->MonitorVad)
    {
        // No process was created yet, or the process is not VAD monitored - bail out.
        return INT_STATUS_NOT_NEEDED_HINT;
    }

    // Delete the VAD from our internal tree.
    status = IntWinVadHandleDeleteGeneric(pProcess, startPage, endPage, 0);
    if (!INT_SUCCESS(status))
    {
        ERROR("[ERROR] IntWinVadHandleDeleteGeneric failed: 0x%08x\n", status);
        return status;
    }

    return INT_STATUS_SUCCESS;
}


INTSTATUS
IntWinVadHandleFinishVadDeletion(
    _In_ void const *Detour
    )
{
    QWORD startPage;
    QWORD endPage;
    PIG_ARCH_REGS pRegs;
    PWIN_PROCESS_OBJECT pProcess;
    QWORD args[2];
    INTSTATUS status;

    if (NULL == Detour)
    {
        return INT_STATUS_INVALID_PARAMETER_1;
    }

    pRegs = &gVcpu->Regs;

    status = IntDetGetArguments(Detour, 2, args);
    if (!INT_SUCCESS(status))
    {
        ERROR("[ERROR] IntDetGetArguments failed: 0x%08x\n", status);
        return status;
    }

    startPage = args[0];
    endPage = args[1];

    // Align addresses to page boundaries
    startPage &= PAGE_MASK;
    endPage &= PAGE_MASK;

    // This function is always executed in the context of the process from who's address space the pages are removed
    // so we can simply get it by the current Cr3
    pProcess = IntWinProcFindObjectByCr3(pRegs->Cr3);
    if (!pProcess || !pProcess->MonitorVad)
    {
        // No process was created yet, or the process is not VAD monitored - bail out.
        return INT_STATUS_NOT_NEEDED_HINT;
    }

    // Delete the VAD from our internal tree.
    status = IntWinVadHandleDeleteGeneric(pProcess, startPage, endPage, 0);
    if (!INT_SUCCESS(status))
    {
        ERROR("[ERROR] IntWinVadHandleDeleteGeneric failed: 0x%08x\n", status);
        return status;
    }

    return INT_STATUS_SUCCESS;
}


INTSTATUS
IntWinVadHandleVirtualProtect(
    _In_ void const *Detour
    )
{
    INTSTATUS status;
    QWORD dstEproc = 0;
    QWORD baseGva = 0;
    QWORD startPage = 0;
    QWORD endPage = 0;
    QWORD length = 0;
    QWORD newRights; // WIN_MM_PAGE_* constants (as passed to VirtualProtect(Ex))
    WIN_PROCESS_OBJECT *pDestProc;
    QWORD args[4];

    status = IntDetGetArgument(Detour, 0, NULL, 0, &dstEproc);
    if (!INT_SUCCESS(status))
    {
        ERROR("[ERROR] IntDetGetArgument failed: 0x%08x\n", status);
        goto cleanup_and_exit;
    }

    pDestProc = IntWinProcFindObjectByEprocess(dstEproc);
    if (!pDestProc || !pDestProc->MonitorVad || !pDestProc->ProtExploits)
    {
        status = INT_STATUS_NOT_NEEDED_HINT;
        goto cleanup_and_exit;
    }

    status = IntDetGetArguments(Detour, 4, args);
    if (!INT_SUCCESS(status))
    {
        ERROR("[ERROR] IntDetGetArguments failed: 0x%08x\n", status);
        goto cleanup_and_exit;
    }

    status = IntKernVirtMemRead(args[1], gGuest.WordSize, &baseGva, NULL);
    if (!INT_SUCCESS(status))
    {
        ERROR("[ERROR] IntKernVirtMemRead failed: 0x%08x\n", status);
        goto cleanup_and_exit;
    }

    status = IntKernVirtMemRead(args[2], gGuest.WordSize, &length, NULL);
    if (!INT_SUCCESS(status))
    {
        ERROR("[ERROR] IntKernVirtMemRead failed: 0x%08x\n", status);
        goto cleanup_and_exit;
    }

    newRights = args[3] & 0xFFFFFFFF;

    // VirtualProtect documentation: The region of affected pages includes all pages containing one or more bytes in
    // the range from the lpAddress parameter to (lpAddress+dwSize). This means that a 2-byte range straddling a page
    // boundary causes the protection attributes of both pages to be changed.

    endPage = (baseGva + length - 1) & PAGE_MASK;
    startPage = baseGva & PAGE_MASK;

    status = IntWinVadHandleProtectGeneric(pDestProc, startPage, endPage, (DWORD)newRights, FALSE);
    if (!INT_SUCCESS(status))
    {
        ERROR("[ERROR] IntWinVadHandleProtectGeneric failed for [0x%016llx, 0x%016llx] in process 0x%016llx: 0x%08x\n",
              startPage, endPage, pDestProc->EprocessAddress, status);
        goto cleanup_and_exit;
    }

cleanup_and_exit:

    return status;
}


BOOLEAN
IntWinVadIsInTree(
    _In_ const VAD *Vad
    )
{
    INTSTATUS status;
    VAD dummy = { 0 };
    VAD parent = { 0 };

    if (NULL == Vad)
    {
        return FALSE;
    }

    status = IntWinVadFetchVadFromMemory(Vad->VadGva, &dummy);
    if (!INT_SUCCESS(status))
    {
        ERROR("[ERROR] Could not fetch VAD 0x%016llx from memory: 0x%08x\n", Vad->VadGva, status);
        return FALSE;
    }

    // If the parent value is not a valid kernel pointer, we can assume the VAD was not inserted yet. The parent value
    // seems to always be 0xFFFFFFFE on x86/0xFFFFFFFFFFFFFFFE on x64, but we allow a more relaxed interval, for safety.
    if (!IS_KERNEL_POINTER_WIN(gGuest.Guest64, dummy.Parent) ||
        (dummy.Parent == 0) ||
        ((dummy.Parent >= 0xFFFFFFF0) && (dummy.Parent <= 0xFFFFFFFF)) ||
        ((dummy.Parent >= 0xFFFFFFFFFFFFFFF0) && (dummy.Parent <= 0xFFFFFFFFFFFFFFFF)))
    {
        return FALSE;
    }

    // Red is bit 0 and Balance is bit 1
    status = IntWinVadFetchVadFromMemory(dummy.Parent & (~3), &parent);
    if (!INT_SUCCESS(status))
    {
        WARNING("[WARNING] IntWinVadFetchVadFromMemory failed for parent 0x%016llx: 0x%08x\n",
                dummy.Parent & (~3), status);
        return FALSE;
    }

    // We can also verify for now that the parent has either the left or right node the current VAD
    if (parent.Left != Vad->VadGva && parent.Right != Vad->VadGva)
    {
        WARNING("[WARNING] The current VAD's parent doesn't have as a child 0x%016llx "
                "(left 0x%016llx, right: 0x%016llx)\n",
                Vad->VadGva, parent.Left, parent.Right);
        return FALSE;
    }

    if (Vad->NoChange != Vad->PrivateFixup || Vad->DeleteInProgress)
    {
        WARNING("[WARNING] NoChange is %d, PrivateFixup is %d, DeleteInProgress is %d, "
                "the VAD doesn't seem to be considered in the tree!\n",
                Vad->NoChange, Vad->PrivateFixup, Vad->DeleteInProgress);
        return FALSE;
    }


    return TRUE;
}


_Function_class_(PFUNC_PreDetourCallback)
INTSTATUS
IntWinVadPatchInsertPrivate(
    _In_ QWORD FunctionAddress,
    _Inout_ API_HOOK_HANDLER *Handler,
    _In_ QWORD HandlerAddress
    )
{
    API_HOOK_HANDLER *pHandler = Handler;

    UNREFERENCED_PARAMETER(FunctionAddress);
    UNREFERENCED_PARAMETER(HandlerAddress);

    if (gGuest.Guest64)
    {
        if (gGuest.OSVersion == 9600)
        {
            *(DWORD *)(&pHandler->Code[9]) = WIN_KM_FIELD(Process, Spare);
            *(DWORD *)(&pHandler->Code[18]) = WIN_KM_FIELD(Process, Spare);
        }
        else
        {
            *(DWORD *)(&pHandler->Code[37]) = WIN_KM_FIELD(Process, Spare);
            *(DWORD *)(&pHandler->Code[45]) = WIN_KM_FIELD(Process, Spare);
        }
    }
    else
    {
        if (gGuest.OSVersion >= 7600 && gGuest.OSVersion <= 7602)
        {
            *(DWORD *)(&pHandler->Code[30]) = WIN_KM_FIELD(Process, Spare);
        }
        else if (gGuest.OSVersion == 9200)
        {
            *(DWORD *)(&pHandler->Code[7]) = WIN_KM_FIELD(Process, Spare);
        }
        else if (gGuest.OSVersion >= 9600)
        {
            *(DWORD *)(&pHandler->Code[13]) = WIN_KM_FIELD(Process, Spare);
        }
    }

    return INT_STATUS_SUCCESS;
}


_Function_class_(PFUNC_PreDetourCallback)
INTSTATUS
IntWinVadPatchInsertMap(
    _In_ QWORD FunctionAddress,
    _Inout_ API_HOOK_HANDLER *Handler,
    _In_ QWORD HandlerAddress
    )
{
    API_HOOK_HANDLER *pHandler = Handler;

    UNREFERENCED_PARAMETER(FunctionAddress);
    UNREFERENCED_PARAMETER(Handler);
    UNREFERENCED_PARAMETER(HandlerAddress);

    if (gGuest.Guest64)
    {
        *(DWORD *)(&pHandler->Code[37]) = WIN_KM_FIELD(Process, Spare);
        *(DWORD *)(&pHandler->Code[45]) = WIN_KM_FIELD(Process, Spare);
    }
    else
    {
        if (gGuest.OSVersion >= 7600 && gGuest.OSVersion <= 7602)
        {
            *(DWORD *)(&pHandler->Code[30]) = WIN_KM_FIELD(Process, Spare);
        }
        else if (gGuest.OSVersion >= 9200)
        {
            *(DWORD *)(&pHandler->Code[33]) = WIN_KM_FIELD(Process, Spare);
        }
    }

    return INT_STATUS_SUCCESS;
}


_Function_class_(PFUNC_PreDetourCallback)
INTSTATUS
IntWinVadPatchVirtualProtect(
    _In_ QWORD FunctionAddress,
    _Inout_ API_HOOK_HANDLER *Handler,
    _In_ QWORD HandlerAddress
    )
{
    API_HOOK_HANDLER *pHandler = Handler;

    UNREFERENCED_PARAMETER(FunctionAddress);
    UNREFERENCED_PARAMETER(HandlerAddress);

    if (gGuest.Guest64)
    {
        if (gGuest.OSVersion >= 7600 && gGuest.OSVersion <= 9200)
        {
            *(DWORD *)(&pHandler->Code[8]) = WIN_KM_FIELD(Process, Spare);
            *(DWORD *)(&pHandler->Code[16]) = WIN_KM_FIELD(Process, Spare);
        }
        else if (gGuest.OSVersion >= 9600)
        {
            *(DWORD *)(&pHandler->Code[9]) = WIN_KM_FIELD(Process, Spare);
            *(DWORD *)(&pHandler->Code[17]) = WIN_KM_FIELD(Process, Spare);
        }
    }
    else
    {
        if (gGuest.OSVersion >= 7600 && gGuest.OSVersion <= 9200)
        {
            *(DWORD *)(&pHandler->Code[14]) = WIN_KM_FIELD(Process, Spare);
        }
        else if (gGuest.OSVersion >= 9600)
        {
            *(DWORD *)(&pHandler->Code[9]) = WIN_KM_FIELD(Process, Spare);
            *(DWORD *)(&pHandler->Code[17]) = WIN_KM_FIELD(Process, Spare);
        }
    }

    return INT_STATUS_SUCCESS;
}


_Function_class_(PFUNC_PreDetourCallback)
INTSTATUS
IntWinVadPatchDeleteVaRange(
    _In_ QWORD FunctionAddress,
    _Inout_ API_HOOK_HANDLER *Handler,
    _In_ QWORD HandlerAddress
    )
{
    API_HOOK_HANDLER *pHandler = Handler;

    UNREFERENCED_PARAMETER(FunctionAddress);
    UNREFERENCED_PARAMETER(HandlerAddress);

    if (gGuest.Guest64)
    {
        *(DWORD *)(&pHandler->Code[31]) = WIN_KM_FIELD(Process, Spare);
        *(DWORD *)(&pHandler->Code[39]) = WIN_KM_FIELD(Process, Spare);
    }
    else
    {
        if (gGuest.OSVersion >= 7600 && gGuest.OSVersion <= 7602)
        {
            *(DWORD *)(&pHandler->Code[24]) = WIN_KM_FIELD(Process, Spare);
        }
        else if (gGuest.OSVersion >= 9200 && gGuest.OSVersion <= 16299)
        {
            *(DWORD *)(&pHandler->Code[27]) = WIN_KM_FIELD(Process, Spare);
        }
    }

    return INT_STATUS_SUCCESS;
}


_Function_class_(PFUNC_PreDetourCallback)
INTSTATUS
IntWinVadPatchFinishVadDeletion(
    _In_ QWORD FunctionAddress,
    _Inout_ API_HOOK_HANDLER *Handler,
    _In_ QWORD HandlerAddress
    )
{
    API_HOOK_HANDLER *pHandler = Handler;

    UNREFERENCED_PARAMETER(FunctionAddress);
    UNREFERENCED_PARAMETER(HandlerAddress);

    if (gGuest.Guest64)
    {
        *(DWORD *)(&pHandler->Code[37]) = WIN_KM_FIELD(Process, Spare);
        *(DWORD *)(&pHandler->Code[45]) = WIN_KM_FIELD(Process, Spare);
    }
    else
    {
        if (gGuest.OSVersion >= 17134)
        {
            *(DWORD *)(&pHandler->Code[27]) = WIN_KM_FIELD(Process, Spare);
        }
    }

    return INT_STATUS_SUCCESS;
}


_Function_class_(PFUNC_PreDetourCallback)
INTSTATUS
IntWinVadPatchInsert(
    _In_ QWORD FunctionAddress,
    _Inout_ API_HOOK_HANDLER *Handler,
    _In_ QWORD HandlerAddress
    )
{
    API_HOOK_HANDLER *pHandler = Handler;

    UNREFERENCED_PARAMETER(FunctionAddress);
    UNREFERENCED_PARAMETER(HandlerAddress);

    if (gGuest.Guest64)
    {
        if (gGuest.OSVersion >= 10240)
        {
            *(DWORD *)(&pHandler->Code[8]) = WIN_KM_FIELD(Process, Spare);
            *(DWORD *)(&pHandler->Code[16]) = WIN_KM_FIELD(Process, Spare);
        }
    }
    else
    {
        if (gGuest.OSVersion >= 18363)
        {
            *(DWORD *)(&pHandler->Code[9]) = WIN_KM_FIELD(Process, Spare);
        }
    }

    return INT_STATUS_SUCCESS;
}


INTSTATUS
IntWinVadProcImportMainModuleVad(
    _Inout_ WIN_PROCESS_OBJECT *Process
    )
{
    INTSTATUS status;
    QWORD vadRoot;
    QWORD vadNode;

    vadNode = 0;
    vadRoot = 0;

    if (NULL == Process)
    {
        return INT_STATUS_INVALID_PARAMETER_1;
    }

    status = IntKernVirtMemRead(Process->EprocessAddress + WIN_KM_FIELD(Process, VadRoot),
                                gGuest.WordSize,
                                &vadRoot,
                                NULL);
    if (!INT_SUCCESS(status))
    {
        ERROR("[ERROR] IntKernVirtMemRead failed: 0x%08x\n", status);
        return status;
    }

    vadNode = IntWinVadFindNodeInGuestSpace(vadRoot,
                                            Process->MainModuleAddress & PAGE_MASK,
                                            Process->MainModuleAddress & PAGE_MASK,
                                            0,
                                            0,
                                            FALSE);
    if (!vadNode)
    {
        // We cannot get a valid VAD - skipping.
        return INT_STATUS_NOT_NEEDED_HINT;
    }

    // Note that we don't want to insert a vad in the tree here, we just want to get a vad object for
    // the main module vad. This will get destroyed at process uninit, therefore there is no need to
    // cleanup this vad during the RbTree uninit. Also, since the VAD might have been previously loaded
    // inside the process, we will consider it as "static scanned".
    status = IntWinVadCreateObject(Process, vadNode, (VAD **)&Process->MainModuleVad, TRUE);
    if (!INT_SUCCESS(status))
    {
        ERROR("[ERROR] IntWinVadCreateObject failed: 0x%08x\n", status);
        return status;
    }

    return INT_STATUS_SUCCESS;
}

INTSTATUS
IntWinVadFetchByRange(
    _In_ QWORD VadRoot,
    _In_ QWORD StartPage,
    _In_ QWORD EndPage,
    _Out_ VAD *Vad
    )

{
    QWORD vadNode = 0;

    if (0 == VadRoot)
    {
        return INT_STATUS_INVALID_PARAMETER_1;
    }

    if (NULL == Vad)
    {
        return INT_STATUS_INVALID_PARAMETER_4;
    }

    vadNode = IntWinVadFindNodeInGuestSpace(VadRoot,
                                            StartPage & PAGE_MASK,
                                            EndPage & PAGE_MASK,
                                            0,
                                            0,
                                            FALSE);
    if (0 == vadNode)
    {
        ERROR("[ERROR] Vad [0x%016llx, 0x%016llx] not found starting from root 0x%016llx\n",
              StartPage,
              EndPage,
              VadRoot);

        return INT_STATUS_NOT_FOUND;
    }

    return IntWinVadFetchVadFromMemory(vadNode, Vad);
}


#undef VAD_SHORT_FIELD_PTR
#undef VAD_LONG_FIELD_PTR

#undef VadShortByte
#undef VadShortWord
#undef VadShortDword
#undef VadShortQword
#undef VadShortPtrSize
#undef VadShortAnySize