Hooking Memory Controller Routines

Victor43
Posts: 60
Joined: Thu Dec 15, 2011 7:34 am
Location: Canada

Hooking Memory Controller Routines

Post by Victor43 » Tue Oct 17, 2017 4:02 am

Is there any way that the memory controller can be hooked? I would like to find out if the memory controller can be hooked, or whether there is some way to intercept (by hooking) every memory read, write and execute command for code that is loaded and executing in memory. I'd like to write a program that can maintain a list of executing programs in memory, along with behavior-analysis characteristics of each program or piece of executing code: what each is doing in memory. Can this be done by way of a hypervisor (virtualization) technologies, or possibly by straightforward hooking of memory management routines, or something along these lines?

tangptr
Posts: 31
Joined: Mon Nov 14, 2016 11:14 am
Location: People Republic of China

Re: Hooking Memory Controller Routines

Post by tangptr » Tue Oct 17, 2017 4:12 am

Yes, it can. By using Intel Extended Page Tables (EPT), or AMD Nested Page Tables (NPT, also called Rapid Virtualization Indexing), you can achieve that by setting the page's access property to no-access.
Doing so, the hypervisor can intercept memory accesses through an EPT Violation (on Intel processors) or a #NPF exception (on AMD processors).
Both the EPT Violation and the #NPF exception cause a VM-Exit, which is the key mechanism of interception under virtualization.
However, the processor must support the EPT or NPT feature.
Additionally, DMA accesses cannot be intercepted by EPT/NPT, so devices can access certain memory without being intercepted.
In order to intercept that, you should apply Intel VT-d (Virtualization Technology for Directed I/O) or AMD EAP (External Access Protection).
Nonetheless, the processor must support the VT-d/EAP features.
Only via chaos and excellence can beauty and success be respectively created and achieved.
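The following is an added example to illustrate the mechanism described in the reply above; it is not code from the thread or from any of its participants. It is a user-space simulation of the Intel EPT four-level table format and of the permission check the CPU performs on every guest memory access: clear the Read/Write/Execute bits of a leaf entry and the matching guest access becomes an EPT violation whose exit qualification reports what the guest attempted and what the entry allowed. The tables are ordinary host memory rather than physical pages, no VMX instructions (VMXON, VMCS setup, EPTP, INVEPT) are issued, and the function names (`ept_map`, `ept_set_perms`, `ept_access`, `decode_exit_qualification`) are my own; only the entry and exit-qualification bit layouts follow the Intel SDM. The sample guest-physical address is constructed for the demonstration.

```c
/* Added example (not from the thread): user-space simulation of the Intel EPT
 * 4-level page-table format and the access check the CPU performs for every
 * guest memory access.  Tables live in host user memory instead of physical
 * RAM and no VMX instructions are issued, so this runs anywhere; only the bit
 * layouts are the real ones (Intel SDM Vol. 3, EPT and EPT violations). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EPT_R        (1ULL << 0)   /* entry bits 2:0 are the access rights;  */
#define EPT_W        (1ULL << 1)   /* all three clear means "not present"    */
#define EPT_X        (1ULL << 2)
#define EPT_RWX      (EPT_R | EPT_W | EPT_X)
#define EPT_MT_WB    (6ULL << 3)   /* leaf memory type: write-back */
#define EPT_ADDR     0x000FFFFFFFFFF000ULL  /* bits 51:12: next table / page */
#define TABLE_BYTES  4096

/* Guest access kinds, numbered so they equal exit-qualification bits 2:0. */
enum { ACCESS_READ = 1, ACCESS_WRITE = 2, ACCESS_FETCH = 4 };

/* Exit qualification of an EPT violation: bit 0 read, bit 1 write, bit 2
 * instruction fetch = what the guest did; bit 3 R, bit 4 W, bit 5 X = what
 * the EPT translation permitted. */
struct ept_violation { int read, write, fetch, was_r, was_w, was_x; };

static struct ept_violation decode_exit_qualification(uint64_t q)
{
    struct ept_violation v;
    v.read  = (q >> 0) & 1;  v.write = (q >> 1) & 1;  v.fetch = (q >> 2) & 1;
    v.was_r = (q >> 3) & 1;  v.was_w = (q >> 4) & 1;  v.was_x = (q >> 5) & 1;
    return v;
}

/* Simulation stand-in for a page-aligned physical page: malloc and round up
 * (the raw pointer is deliberately leaked; tables are never freed here). */
static uint64_t *ept_alloc_table(void)
{
    uintptr_t raw = (uintptr_t)malloc(2 * TABLE_BYTES);
    uintptr_t p = (raw + TABLE_BYTES - 1) & ~(uintptr_t)(TABLE_BYTES - 1);
    memset((void *)p, 0, TABLE_BYTES);
    return (uint64_t *)p;
}

/* Walk PML4 -> PDPT -> PD -> PT for a guest-physical address and return the
 * 4 KiB leaf entry, creating intermediate tables when asked to. */
static uint64_t *ept_walk(uint64_t *pml4, uint64_t gpa, int create)
{
    uint64_t *table = pml4;
    int level;
    for (level = 3; level > 0; level--) {          /* index bits 47:39, 38:30, 29:21 */
        unsigned idx = (gpa >> (12 + 9 * level)) & 0x1FF;
        if (!(table[idx] & EPT_RWX)) {
            if (!create) return NULL;
            table[idx] = (uint64_t)(uintptr_t)ept_alloc_table() | EPT_RWX;
        }
        table = (uint64_t *)(uintptr_t)(table[idx] & EPT_ADDR);
    }
    return &table[(gpa >> 12) & 0x1FF];            /* index bits 20:12 */
}

static void ept_map(uint64_t *pml4, uint64_t gpa, uint64_t hpa, uint64_t perms)
{
    *ept_walk(pml4, gpa, 1) = (hpa & EPT_ADDR) | EPT_MT_WB | (perms & EPT_RWX);
}

/* The "hook": change only the access rights of an already mapped page.
 * A real hypervisor follows this with INVEPT to flush cached translations. */
static int ept_set_perms(uint64_t *pml4, uint64_t gpa, uint64_t perms)
{
    uint64_t *pte = ept_walk(pml4, gpa, 0);
    if (!pte) return -1;
    *pte = (*pte & ~EPT_RWX) | (perms & EPT_RWX);
    return 0;
}

/* What the CPU does on a guest access: 0 if allowed, otherwise the exit
 * qualification the VM-exit handler would receive for the violation. */
static uint64_t ept_access(uint64_t *pml4, uint64_t gpa, unsigned access)
{
    uint64_t *pte = ept_walk(pml4, gpa, 0);
    uint64_t perms = pte ? (*pte & EPT_RWX) : 0;   /* no translation: rights 0 */
    if ((access & perms) == access) return 0;
    return (uint64_t)access | (perms << 3);
}

int main(void)
{
    uint64_t *pml4 = ept_alloc_table();
    uint64_t gpa = 0x1000;                          /* constructed sample page */
    ept_map(pml4, gpa, gpa, EPT_RWX);               /* identity map, full access */
    ept_set_perms(pml4, gpa, EPT_R | EPT_X);        /* trap writes only */
    uint64_t q = ept_access(pml4, gpa, ACCESS_WRITE);
    struct ept_violation v = decode_exit_qualification(q);
    printf("write to GPA 0x%llx -> exit qualification 0x%llx (write=%d, entry W=%d)\n",
           (unsigned long long)gpa, (unsigned long long)q, v.write, v.was_w);
    /* A monitoring hypervisor logs this, restores W, single-steps the guest
     * instruction, then clears W again so the next write traps as well. */
    return 0;
}
```

Two practical points follow from the layout. First, the exit qualification carries only the access kind, the entry's rights and (in separate VMCS fields) the guest-physical and guest-linear addresses; the value being written and the identity of the OS thread are not reported by the hardware, and a handler has to recover them from the saved guest registers and from the guest OS's own data structures. Second, AMD NPT does not use this layout: nested tables use the ordinary x86 paging format and a #NPF delivers a page-fault-style error code, so the same monitoring idea needs a different decoder there.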

Victor43

Re: Hooking Memory Controller Routines

Post by Victor43 » Wed Oct 18, 2017 3:40 am

Thanks tangptr. I'll review the response carefully and get back if I have any further questions. My main objective was finding out whether it can be done, and you've answered this nicely.

Victor43

Re: Hooking Memory Controller Routines

Post by Victor43 » Sat Jan 06, 2018 5:27 am

Happy New Year !

If the memory controller was indeed hooked and an attempt to capture every read/write/execute were made, would it not be possible to know which thread is accessing which memory cell, and every detail associated with the request, such as thread PID 00232 accessing memory location 0x0234ACC for a memory write with value 0x0234, and so on? Is this realistically possible? A sort of behavior-analytic analysis.
