A forum for reverse engineering, OS internals and malware analysis 

All off-topic discussion goes here.
#30921 by Victor43
Tue Oct 17, 2017 4:02 am
Is there any way that the memory controller can be hooked? I would like to find out whether the memory controller can be hooked, or whether there is some way to intercept (by hooking) every memory read, write and execute command for code that is loaded and executing in memory. I'd like to write a program that can maintain a list of executing programs in memory, along with behaviour-analysis characteristics of each program or piece of executing code describing what each is doing in memory. Can this be done by way of hypervisor (virtualization) technologies, or possibly by straightforward hooking of memory-management routines, or something along these lines?
#30922 by tangptr
Tue Oct 17, 2017 4:12 am
Yes, it could. By using Intel Extended Page Tables, or AMD Nested Page Tables (or Rapid Virtualization Indexing), you could achieve that by setting the page property to no-access.
Doing so, the hypervisor could intercept memory access by EPT Violation (on Intel processors) or #NPF Exception (on AMD processors).
Both EPT Violation and #NPF Exception cause a VM-Exit, which is the key mechanism of interception under virtualization.
However, the processor must support the EPT or NPT feature.
Additionally, DMA accesses cannot be intercepted by EPT/NPT and can reach certain memory without being intercepted.
In order to intercept that, you should apply Intel VT-d (Virtualization Technology for Directed I/O) or AMD EAP (External Access Protection).
Nonetheless, the processor must support the VT-d/EAP features.
#30926 by Victor43
Wed Oct 18, 2017 3:40 am
Thanks tangptr. I'll review the response carefully and get back if I have any further questions. Finding out that it can be done was my main objective, and you've answered this nicely.
#31177 by Victor43
Sat Jan 06, 2018 5:27 am
Happy New Year !

If the memory controller was indeed hooked and an attempt to capture every read/write/execute is made, then would it not be possible to know which thread is accessing which memory cell and every detail associated with the request, such as Thread PID 00232 accessing Memory location x0234ACC for a memory write with value 0x0234, and so on? Is this realistically possible? A sort of behaviour-analytic analysis.
#31788 by tangptr
Fri Jul 06, 2018 6:38 am
Victor43 wrote: Sat Jan 06, 2018 5:27 am
Happy New Year !

If the memory controller was indeed hooked and an attempt to capture every read/write/execute is made, then would it not be possible to know which thread is accessing which memory cell and every detail associated with the request, such as Thread PID 00232 accessing Memory location x0234ACC for a memory write with value 0x0234, and so on? Is this realistically possible? A sort of behaviour-analytic analysis.
You may refer to an open-source project created by Intel Corporation.
The project is called "haxm", an acronym that stands for "Hardware Accelerated Execution Manager".
Source code is available on GitHub: https://github.com/intel/haxm
The processor records certain data when an EPT violation occurs:
Field "Exit Qualification" indicates why the EPT violation occurred.
Field "Guest Physical Address" indicates the physical address related to the violation.
Field "Guest RIP" indicates the instruction pointer related to the violation.
Specifically, the data being written is not recorded explicitly.
You may analyze it through the "Guest RIP" field.
The instruction may carry that data as an immediate value, a register operand or a memory operand.
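The two steps described in this thread (tangptr's first reply: revoke R/W/X on the EPT entry so every access VM-exits; the last reply: read the Exit Qualification, Guest Physical Address and Guest RIP fields on the exit) can be modelled in plain C without a hypervisor. The block below is an added illustration, not code from this thread or from the haxm project. It assumes the Intel EPT bit layout from the SDM (EPT leaf entry bits 0-2 are read/write/execute; EPT-violation exit-qualification bits 0-2 describe the attempted access, bits 3-5 echo the page's permissions, bit 7 flags a valid guest linear address); the entry value, addresses and exit qualifications fed to it are constructed samples.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Permission bits of an EPT leaf entry (Intel SDM Vol. 3C, EPT paging-
 * structure entries): bit 0 read, bit 1 write, bit 2 execute. */
#define EPT_R   (1ULL << 0)
#define EPT_W   (1ULL << 1)
#define EPT_X   (1ULL << 2)
#define EPT_RWX (EPT_R | EPT_W | EPT_X)

/* Exit-qualification bits for an EPT violation (Intel SDM Vol. 3C):
 * bits 0-2 = the access that faulted, bits 3-5 = the page's permissions
 * at the time, bit 7 = the guest-linear-address field is valid. */
#define EQ_READ      (1ULL << 0)
#define EQ_WRITE     (1ULL << 1)
#define EQ_FETCH     (1ULL << 2)
#define EQ_PAGE_R    (1ULL << 3)
#define EQ_PAGE_W    (1ULL << 4)
#define EQ_PAGE_X    (1ULL << 5)
#define EQ_GLA_VALID (1ULL << 7)

/* One logged access: the three VMCS fields named in the thread plus the
 * decoded access kind.  The value written is deliberately absent: the VMCS
 * does not carry it, so a real monitor would decode the instruction at rip. */
typedef struct {
    uint64_t gpa;
    uint64_t rip;
    unsigned kind;   /* bitmask EPT_R/EPT_W/EPT_X; a read-modify-write sets R and W */
} ept_trace_entry;

#define TRACE_MAX 64
static ept_trace_entry trace[TRACE_MAX];
static size_t trace_len;

/* Step 1 (setup): clear R/W/X on the page's EPT entry so every access VM-exits. */
uint64_t ept_revoke_access(uint64_t pte) { return pte & ~EPT_RWX; }

/* Re-grant permissions once the access has been recorded (before resuming the guest). */
uint64_t ept_grant_access(uint64_t pte, uint64_t perms) { return pte | (perms & EPT_RWX); }

/* Step 2 (exit handler): which kind of access caused the violation (bits 0-2).
 * The bit positions coincide with EPT_R/EPT_W/EPT_X, so the result is reusable as a mask. */
unsigned ept_access_kind(uint64_t exit_qual) { return (unsigned)(exit_qual & 7ULL); }

/* Attempted accesses the page did not permit: attempted bits (0-2) minus the
 * page's own permission bits (3-5).  For a revoked page this equals the whole
 * access; a nonzero result confirms a genuine permission denial. */
unsigned ept_denied_perms(uint64_t exit_qual) {
    unsigned attempted = (unsigned)(exit_qual & 7ULL);
    unsigned allowed   = (unsigned)((exit_qual >> 3) & 7ULL);
    return attempted & ~allowed;
}

/* Append one record; returns the new log length, or 0 if the log is full. */
size_t ept_log_violation(uint64_t exit_qual, uint64_t gpa, uint64_t rip) {
    if (trace_len >= TRACE_MAX) return 0;
    trace[trace_len].gpa  = gpa;
    trace[trace_len].rip  = rip;
    trace[trace_len].kind = ept_access_kind(exit_qual);
    return ++trace_len;
}

size_t ept_trace_count(void) { return trace_len; }
const ept_trace_entry *ept_trace_at(size_t i) { return i < trace_len ? &trace[i] : NULL; }

/* Render one record as a line of the behaviour log. */
int ept_format_entry(const ept_trace_entry *e, char *buf, size_t n) {
    return snprintf(buf, n, "rip=0x%" PRIx64 " access=%s%s%s gpa=0x%" PRIx64, e->rip,
                    (e->kind & EPT_R) ? "R" : "-", (e->kind & EPT_W) ? "W" : "-",
                    (e->kind & EPT_X) ? "X" : "-", e->gpa);
}

int main(void) {
    /* Constructed sample: an EPT leaf entry for guest-physical page 0x1234000. */
    uint64_t pte = 0x1234000ULL | EPT_RWX;
    pte = ept_revoke_access(pte);                 /* now 0x1234000: no access at all */

    /* Constructed exits: a data write from guest code at rip 0x401000 (bit 1 set,
     * bits 3-5 clear because the page had no permissions, bit 7 set), then an
     * instruction fetch from the page itself (code running out of that page). */
    ept_log_violation(EQ_WRITE | EQ_GLA_VALID, 0x1234ACCULL, 0x401000ULL);
    ept_log_violation(EQ_FETCH | EQ_GLA_VALID, 0x1234010ULL, 0x7ff0010ULL);

    char line[96];
    for (size_t i = 0; i < ept_trace_count(); i++) {
        ept_format_entry(ept_trace_at(i), line, sizeof line);
        puts(line);
    }
    /* Hand the page back read+execute only, so later writes keep exiting. */
    pte = ept_grant_access(pte, EPT_R | EPT_X);
    printf("pte after re-grant: 0x%" PRIx64 "\n", pte);
    return 0;
}
```

The log records a guest physical address and an instruction pointer, which is exactly what the VMCS supplies; it does not identify a guest thread, because the hypervisor only sees the address space (CR3) in use, and turning that into a thread or PID requires knowledge of the guest operating system's structures that this example does not model.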