More code watching progress

... but it still bug checks

src/driver/ept.cpp

@@ -94,6 +94,20 @@ namespace vmx
 				}
 			}
 		}
+
+		void reset_all_watch_point_pages(ept_code_watch_point* watch_point)
+		{
+			while (watch_point)
+			{
+				if (watch_point->target_page)
+				{
+					watch_point->target_page->read_access = 0;
+					watch_point->target_page->execute_access = 1;
+				}
+
+				watch_point = watch_point->next_watch_point;
+			}
+		}
 	}
 
 	ept_hook::ept_hook(const uint64_t physical_base)
@@ -251,6 +265,8 @@ namespace vmx
 		auto* watch_point = this->find_ept_code_watch_point(physical_base_address);
 		if (watch_point)
 		{
+			reset_all_watch_point_pages(this->ept_code_watch_points);
+
 			if (!violation_qualification.ept_executable && violation_qualification.execute_access)
 			{
 				watch_point->target_page->execute_access = 1;
@@ -368,6 +384,8 @@ namespace vmx
 		{
 			throw std::runtime_error("Failed to get PML1 entry for target address");
 		}
+
+		watch_point->target_page->read_access = 0;
 	}
 
 	ept_pointer ept::get_ept_pointer() const

src/driver/hypervisor.cpp

@@ -192,6 +192,31 @@ bool hypervisor::install_ept_hook(const void* destination, const void* source, c
 	return failures == 0;
 }
 
+bool hypervisor::install_ept_code_watch_point(const uint64_t physical_page) const
+{
+	try
+	{
+		this->ept_->install_code_watch_point(physical_page);
+	}
+	catch (std::exception& e)
+	{
+		debug_log("Failed to install ept watch point on core %d: %s\n", thread::get_processor_index(), e.what());
+		return false;
+	}
+	catch (...)
+	{
+		debug_log("Failed to install ept watch point on core %d.\n", thread::get_processor_index());
+		return false;
+	}
+
+	thread::dispatch_on_all_cores([&]
+	{
+		this->ept_->invalidate();
+	});
+
+	return true;
+}
+
 void hypervisor::disable_all_ept_hooks() const
 {
 	this->ept_->disable_all_hooks();

src/driver/hypervisor.hpp

@@ -21,6 +21,9 @@ public:
 
 	bool install_ept_hook(const void* destination, const void* source, size_t length,
 	                      vmx::ept_translation_hint* translation_hint = nullptr);
+
+	bool install_ept_code_watch_point(uint64_t physical_page) const;
+
 	void disable_all_ept_hooks() const;
 
 	vmx::ept& get_ept() const;

src/driver/irp.cpp

@@ -182,7 +182,12 @@ namespace
 					const auto physical_address = memory::get_physical_address(const_cast<uint8_t*>(current));
 					if (physical_address)
 					{
-						hypervisor->get_ept().install_code_watch_point(physical_address);
+						debug_log("Watching %p -> %llX\n", current, physical_address);
+						(void)hypervisor->install_ept_code_watch_point(physical_address);
+					}
+					else
+					{
+						debug_log("Failed to resovle physical address for %p\n", current);
 					}
 				}
 			}

src/runner/main.cpp

@@ -185,10 +185,11 @@ std::vector<uint64_t> query_records(const driver_device& driver_device, const si
 	return result;
 }
 
-void report_records(const std::atomic_bool& flag, const driver_device& driver_device)
+void report_records(const std::atomic_bool& flag, const driver_device& driver_device, const uint32_t pid, const HMODULE target_module, const std::vector<std::pair<size_t, size_t>>& regions)
 {
 	std::set<uint64_t> access_addresses{};
 
+	int i = 0;
 	while (flag)
 	{
 		std::this_thread::sleep_for(std::chrono::seconds(1));
@@ -201,6 +202,11 @@ void report_records(const std::atomic_bool& flag, const driver_device& driver_de
 				printf("%p\n", reinterpret_cast<void*>(new_record));
 			}
 		}
+
+		if((++i) % 5 == 0)
+		{
+			watch_regions(driver_device, pid, target_module, regions);
+		}
 	}
 }
 
@@ -268,7 +274,7 @@ void unsafe_main(const int /*argc*/, char* /*argv*/[])
 	std::atomic_bool terminate{false};
 	std::thread t([&]()
 	{
-		report_records(terminate, driver_device);
+		report_records(terminate, driver_device, pid, target_module, regions);
 	});
 
 	_getch();