Lines Matching refs:CSAM
3 * CSAM - Guest OS Code Scanning and Analysis Manager
103 { "csamon", 0, 0, NULL, 0, 0, csamr3CmdOn, "", "Enable CSAM code scanning." },
104 { "csamoff", 0, 0, NULL, 0, 0, csamr3CmdOff, "", "Disable CSAM code scanning." },
109 * SSM descriptor table for the CSAM structure.
114 SSMFIELD_ENTRY_IGNORE( CSAM, offVM),
115 SSMFIELD_ENTRY_PAD_HC64( CSAM, Alignment0, sizeof(uint32_t)),
116 SSMFIELD_ENTRY_IGN_HCPTR( CSAM, pPageTree),
117 SSMFIELD_ENTRY( CSAM, aDangerousInstr),
118 SSMFIELD_ENTRY( CSAM, cDangerousInstr),
119 SSMFIELD_ENTRY( CSAM, iDangerousInstr),
120 SSMFIELD_ENTRY_RCPTR( CSAM, pPDBitmapGC), /// @todo ignore this?
121 SSMFIELD_ENTRY_RCPTR( CSAM, pPDHCBitmapGC), /// @todo ignore this?
122 SSMFIELD_ENTRY_IGN_HCPTR( CSAM, pPDBitmapHC),
123 SSMFIELD_ENTRY_IGN_HCPTR( CSAM, pPDGCBitmapHC),
124 SSMFIELD_ENTRY_IGN_HCPTR( CSAM, savedstate.pSSM),
125 SSMFIELD_ENTRY( CSAM, savedstate.cPageRecords),
126 SSMFIELD_ENTRY( CSAM, savedstate.cPatchPageRecords),
127 SSMFIELD_ENTRY( CSAM, cDirtyPages),
128 SSMFIELD_ENTRY_RCPTR_ARRAY( CSAM, pvDirtyBasePage),
129 SSMFIELD_ENTRY_RCPTR_ARRAY( CSAM, pvDirtyFaultPage),
130 SSMFIELD_ENTRY( CSAM, cPossibleCodePages),
131 SSMFIELD_ENTRY_RCPTR_ARRAY( CSAM, pvPossibleCodePage),
132 SSMFIELD_ENTRY_RCPTR_ARRAY( CSAM, pvCallInstruction),
133 SSMFIELD_ENTRY( CSAM, iCallInstruction),
134 SSMFIELD_ENTRY( CSAM, fScanningStarted),
135 SSMFIELD_ENTRY( CSAM, fGatesChecked),
136 SSMFIELD_ENTRY_PAD_HC( CSAM, Alignment1, 6, 2),
137 SSMFIELD_ENTRY_IGNORE( CSAM, StatNrTraps),
138 SSMFIELD_ENTRY_IGNORE( CSAM, StatNrPages),
139 SSMFIELD_ENTRY_IGNORE( CSAM, StatNrPagesInv),
140 SSMFIELD_ENTRY_IGNORE( CSAM, StatNrRemovedPages),
141 SSMFIELD_ENTRY_IGNORE( CSAM, StatNrPatchPages),
142 SSMFIELD_ENTRY_IGNORE( CSAM, StatNrPageNPHC),
143 SSMFIELD_ENTRY_IGNORE( CSAM, StatNrPageNPGC),
144 SSMFIELD_ENTRY_IGNORE( CSAM, StatNrFlushes),
145 SSMFIELD_ENTRY_IGNORE( CSAM, StatNrFlushesSkipped),
146 SSMFIELD_ENTRY_IGNORE( CSAM, StatNrKnownPagesHC),
147 SSMFIELD_ENTRY_IGNORE( CSAM, StatNrKnownPagesGC),
148 SSMFIELD_ENTRY_IGNORE( CSAM, StatNrInstr),
149 SSMFIELD_ENTRY_IGNORE( CSAM, StatNrBytesRead),
150 SSMFIELD_ENTRY_IGNORE( CSAM, StatNrOpcodeRead),
151 SSMFIELD_ENTRY_IGNORE( CSAM, StatTime),
152 SSMFIELD_ENTRY_IGNORE( CSAM, StatTimeCheckAddr),
153 SSMFIELD_ENTRY_IGNORE( CSAM, StatTimeAddrConv),
154 SSMFIELD_ENTRY_IGNORE( CSAM, StatTimeFlushPage),
155 SSMFIELD_ENTRY_IGNORE( CSAM, StatTimeDisasm),
156 SSMFIELD_ENTRY_IGNORE( CSAM, StatFlushDirtyPages),
157 SSMFIELD_ENTRY_IGNORE( CSAM, StatCheckGates),
158 SSMFIELD_ENTRY_IGNORE( CSAM, StatCodePageModified),
159 SSMFIELD_ENTRY_IGNORE( CSAM, StatDangerousWrite),
160 SSMFIELD_ENTRY_IGNORE( CSAM, StatInstrCacheHit),
161 SSMFIELD_ENTRY_IGNORE( CSAM, StatInstrCacheMiss),
162 SSMFIELD_ENTRY_IGNORE( CSAM, StatPagePATM),
163 SSMFIELD_ENTRY_IGNORE( CSAM, StatPageCSAM),
164 SSMFIELD_ENTRY_IGNORE( CSAM, StatPageREM),
165 SSMFIELD_ENTRY_IGNORE( CSAM, StatNrUserPages),
166 SSMFIELD_ENTRY_IGNORE( CSAM, StatPageMonitor),
167 SSMFIELD_ENTRY_IGNORE( CSAM, StatPageRemoveREMFlush),
168 SSMFIELD_ENTRY_IGNORE( CSAM, StatBitmapAlloc),
169 SSMFIELD_ENTRY_IGNORE( CSAM, StatScanNextFunction),
170 SSMFIELD_ENTRY_IGNORE( CSAM, StatScanNextFunctionFailed),
181 * SSM descriptor table for the CSAM::pPDBitmapHC array.
218 * Initializes the CSAM.
233 return SSMR3RegisterStub(pVM, "CSAM", 0);
255 rc = SSMR3RegisterInternal(pVM, "CSAM", 0, CSAM_SAVED_STATE_VERSION, sizeof(pVM->csam.s) + PAGE_SIZE*16,
261 STAM_REG(pVM, &pVM->csam.s.StatNrTraps, STAMTYPE_COUNTER, "/CSAM/PageTraps", STAMUNIT_OCCURENCES, "The number of CSAM page traps.");
262 STAM_REG(pVM, &pVM->csam.s.StatDangerousWrite, STAMTYPE_COUNTER, "/CSAM/DangerousWrites", STAMUNIT_OCCURENCES, "The number of dangerous writes that cause a context switch.");
264 STAM_REG(pVM, &pVM->csam.s.StatNrPageNPHC, STAMTYPE_COUNTER, "/CSAM/HC/PageNotPresent", STAMUNIT_OCCURENCES, "The number of CSAM pages marked not present.");
265 STAM_REG(pVM, &pVM->csam.s.StatNrPageNPGC, STAMTYPE_COUNTER, "/CSAM/GC/PageNotPresent", STAMUNIT_OCCURENCES, "The number of CSAM pages marked not present.");
266 STAM_REG(pVM, &pVM->csam.s.StatNrPages, STAMTYPE_COUNTER, "/CSAM/PageRec/AddedRW", STAMUNIT_OCCURENCES, "The number of CSAM page records (RW monitoring).");
267 STAM_REG(pVM, &pVM->csam.s.StatNrPagesInv, STAMTYPE_COUNTER, "/CSAM/PageRec/AddedRWI", STAMUNIT_OCCURENCES, "The number of CSAM page records (RW & invalidation monitoring).");
268 STAM_REG(pVM, &pVM->csam.s.StatNrRemovedPages, STAMTYPE_COUNTER, "/CSAM/PageRec/Removed", STAMUNIT_OCCURENCES, "The number of removed CSAM page records.");
269 STAM_REG(pVM, &pVM->csam.s.StatPageRemoveREMFlush,STAMTYPE_COUNTER, "/CSAM/PageRec/Removed/REMFlush", STAMUNIT_OCCURENCES, "The number of removed CSAM page records that caused a REM flush.");
271 STAM_REG(pVM, &pVM->csam.s.StatNrPatchPages, STAMTYPE_COUNTER, "/CSAM/PageRec/Patch", STAMUNIT_OCCURENCES, "The number of CSAM patch page records.");
272 STAM_REG(pVM, &pVM->csam.s.StatNrUserPages, STAMTYPE_COUNTER, "/CSAM/PageRec/Ignore/User", STAMUNIT_OCCURENCES, "The number of CSAM user page records (ignored).");
273 STAM_REG(pVM, &pVM->csam.s.StatPagePATM, STAMTYPE_COUNTER, "/CSAM/PageRec/Type/PATM", STAMUNIT_OCCURENCES, "The number of PATM page records.");
274 STAM_REG(pVM, &pVM->csam.s.StatPageCSAM, STAMTYPE_COUNTER, "/CSAM/PageRec/Type/CSAM", STAMUNIT_OCCURENCES, "The number of CSAM page records.");
275 STAM_REG(pVM, &pVM->csam.s.StatPageREM, STAMTYPE_COUNTER, "/CSAM/PageRec/Type/REM", STAMUNIT_OCCURENCES, "The number of REM page records.");
276 STAM_REG(pVM, &pVM->csam.s.StatPageMonitor, STAMTYPE_COUNTER, "/CSAM/PageRec/Monitored", STAMUNIT_OCCURENCES, "The number of monitored pages.");
278 STAM_REG(pVM, &pVM->csam.s.StatCodePageModified, STAMTYPE_COUNTER, "/CSAM/Monitor/DirtyPage", STAMUNIT_OCCURENCES, "The number of code page modifications.");
280 STAM_REG(pVM, &pVM->csam.s.StatNrFlushes, STAMTYPE_COUNTER, "/CSAM/PageFlushes", STAMUNIT_OCCURENCES, "The number of CSAM page flushes.");
281 STAM_REG(pVM, &pVM->csam.s.StatNrFlushesSkipped, STAMTYPE_COUNTER, "/CSAM/PageFlushesSkipped", STAMUNIT_OCCURENCES, "The number of CSAM page flushes that were skipped.");
282 STAM_REG(pVM, &pVM->csam.s.StatNrKnownPagesHC, STAMTYPE_COUNTER, "/CSAM/HC/KnownPageRecords", STAMUNIT_OCCURENCES, "The number of known CSAM page records.");
283 STAM_REG(pVM, &pVM->csam.s.StatNrKnownPagesGC, STAMTYPE_COUNTER, "/CSAM/GC/KnownPageRecords", STAMUNIT_OCCURENCES, "The number of known CSAM page records.");
284 STAM_REG(pVM, &pVM->csam.s.StatNrInstr, STAMTYPE_COUNTER, "/CSAM/ScannedInstr", STAMUNIT_OCCURENCES, "The number of scanned instructions.");
285 STAM_REG(pVM, &pVM->csam.s.StatNrBytesRead, STAMTYPE_COUNTER, "/CSAM/BytesRead", STAMUNIT_OCCURENCES, "The number of bytes read for scanning.");
286 STAM_REG(pVM, &pVM->csam.s.StatNrOpcodeRead, STAMTYPE_COUNTER, "/CSAM/OpcodeBytesRead", STAMUNIT_OCCURENCES, "The number of opcode bytes read by the recompiler.");
288 STAM_REG(pVM, &pVM->csam.s.StatBitmapAlloc, STAMTYPE_COUNTER, "/CSAM/Alloc/PageBitmap", STAMUNIT_OCCURENCES, "The number of page bitmap allocations.");
290 STAM_REG(pVM, &pVM->csam.s.StatInstrCacheHit, STAMTYPE_COUNTER, "/CSAM/Cache/Hit", STAMUNIT_OCCURENCES, "The number of dangerous instruction cache hits.");
291 STAM_REG(pVM, &pVM->csam.s.StatInstrCacheMiss, STAMTYPE_COUNTER, "/CSAM/Cache/Miss", STAMUNIT_OCCURENCES, "The number of dangerous instruction cache misses.");
293 STAM_REG(pVM, &pVM->csam.s.StatScanNextFunction, STAMTYPE_COUNTER, "/CSAM/Function/Scan/Success", STAMUNIT_OCCURENCES, "The number of found functions beyond the ret border.");
294 STAM_REG(pVM, &pVM->csam.s.StatScanNextFunctionFailed, STAMTYPE_COUNTER, "/CSAM/Function/Scan/Failed", STAMUNIT_OCCURENCES, "The number of refused functions beyond the ret border.");
296 STAM_REG(pVM, &pVM->csam.s.StatTime, STAMTYPE_PROFILE, "/PROF/CSAM/Scan", STAMUNIT_TICKS_PER_CALL, "Scanning overhead.");
297 STAM_REG(pVM, &pVM->csam.s.StatTimeCheckAddr, STAMTYPE_PROFILE, "/PROF/CSAM/CheckAddr", STAMUNIT_TICKS_PER_CALL, "Address check overhead.");
298 STAM_REG(pVM, &pVM->csam.s.StatTimeAddrConv, STAMTYPE_PROFILE, "/PROF/CSAM/AddrConv", STAMUNIT_TICKS_PER_CALL, "Address conversion overhead.");
299 STAM_REG(pVM, &pVM->csam.s.StatTimeFlushPage, STAMTYPE_PROFILE, "/PROF/CSAM/FlushPage", STAMUNIT_TICKS_PER_CALL, "Page flushing overhead.");
300 STAM_REG(pVM, &pVM->csam.s.StatTimeDisasm, STAMTYPE_PROFILE, "/PROF/CSAM/Disasm", STAMUNIT_TICKS_PER_CALL, "Disassembly overhead.");
301 STAM_REG(pVM, &pVM->csam.s.StatFlushDirtyPages, STAMTYPE_PROFILE, "/PROF/CSAM/FlushDirtyPage", STAMUNIT_TICKS_PER_CALL, "Dirty page flushing overhead.");
302 STAM_REG(pVM, &pVM->csam.s.StatCheckGates, STAMTYPE_PROFILE, "/PROF/CSAM/CheckGates", STAMUNIT_TICKS_PER_CALL, "CSAMR3CheckGates overhead.");
305 * Check CFGM option and enable/disable CSAM.
335 * (Re)initializes CSAM
435 * CSAM reset callback.
455 /* Remove all CSAM page records. */
526 CSAM csamInfo = pVM->csam.s;
536 * Save CSAM structure
579 CSAM csamInfo;
591 * Restore CSAM structure
791 || PATMIsPatchGCAddr(pDisInfo->pVM, uSrcAddr) /** @todo does CSAM actually analyze patch code, or is this just a copy&past check? */
938 Log(("CSAM: Patching dangerous 'mov xx, cs' instruction at %RGv with an int3\n", pCurInstrGC));
1131 if (RT_SUCCESS(rc2)) Log(("CSAM Call Analysis: %s", szOutput));
1300 LogFlow(("CSAM: maximum calldepth reached for %RRv\n", pCurInstrGC));
1344 if (RT_SUCCESS(rc2)) Log(("CSAM Analysis: %s", szOutput));
1614 * Notify CSAM of a page flush
1726 * Notify CSAM of a page flush
1738 * Remove a CSAM monitored page. Use with care!
1792 * Returns monitor description based on CSAM tag
1800 return "CSAM-PATM self-modifying code monitor handler";
1803 return "CSAM-REM self-modifying code monitor handler";
1805 return "CSAM self-modifying code monitor handler";
2212 * @param pPage CSAM patch structure pointer
2738 * Query CSAM state (enabled/disabled)
2791 return DBGCCmdHlpPrintf(pCmdHlp, "CSAM is permanently disabled by HM.\n");
2796 return DBGCCmdHlpPrintf(pCmdHlp, "CSAM Scanning disabled\n");
2808 return DBGCCmdHlpPrintf(pCmdHlp, "CSAM is permanently disabled by HM.\n");
2813 return DBGCCmdHlpPrintf(pCmdHlp, "CSAM Scanning enabled\n");