Bitdefender Hypervisor Memory Introspection
codeblocks.h File Reference
#include "exceptions.h"


Data Structures

struct  _CODE_BLOCK
 
struct  _CODE_BLOCK_PATTERN
 

Macros

#define CODE_BLOCK_CHUNKS_COUNT   8
 Number of chunks (CODE_INS) per codeblock.
 

Typedefs

typedef struct _CODE_BLOCK CODE_BLOCK
 
typedef struct _CODE_BLOCK * PCODE_BLOCK
 
typedef struct _CODE_BLOCK_PATTERN CODE_BLOCK_PATTERN
 
typedef struct _CODE_BLOCK_PATTERN * PCODE_BLOCK_PATTERN
 

Enumerations

enum  CB_EXTRACT_LEVEL { cbLevelNormal = 1, cbLevelMedium }
 
enum  CODE_INS {
  codeInsInvalid = 0, codeInsJc, codeInsJmp, codeInsCall,
  codeInsRet, codeInsStr, codeInsXchg, codeInsBt,
  codeInsMovReg, codeInsMovMem, codeInsMovImm, codeInsMovFsGs,
  codeInsFlags
}
 

Functions

INTSTATUS IntFragExtractPattern (BYTE *Buffer, DWORD MaxBufferSize, IG_CS_TYPE CsType, CB_EXTRACT_LEVEL ExtractLevel, DWORD PatternSize, BYTE *Pattern, DWORD *TotalExtracted, DWORD *TotalParsed)
 Extract a pattern of code-blocks from the given code buffer.
 
INTSTATUS IntFragExtractCodeBlocks (BYTE *Buffer, DWORD MaxBufferSize, IG_CS_TYPE CsType, CB_EXTRACT_LEVEL ExtractLevel, DWORD *HashesCount, DWORD *Hashes)
 Extract a block of code-block hashes from the given code buffer.
 
__pure INTSTATUS IntFragMatchSignature (const DWORD *Hashes, DWORD CodeBlocksCount, const SIG_CODEBLOCKS *ExceptionSignature)
 Match a block of code-block hashes against a list of code-block exception signatures.
 
INTSTATUS IntFragExtractCodePattern (PBYTE Buffer, DWORD StartOffset, DWORD MaxBufferSize, IG_CS_TYPE CsType, CB_EXTRACT_LEVEL ExtractLevel, DWORD PatternSize, CODE_BLOCK_PATTERN *Pattern, DWORD *TotalExtracted)
 Extract a pattern of code-blocks from the given code buffer.
 
INTSTATUS IntFragDumpBlocks (PBYTE Buffer, QWORD StartAddress, DWORD MaxBufferSize, IG_CS_TYPE CsType, CB_EXTRACT_LEVEL ExtractLevel, QWORD Rip, BOOLEAN ReturnRip)
 Dumps code-blocks that can then be used to generate an exception signature.
 

Macro Definition Documentation

◆ CODE_BLOCK_CHUNKS_COUNT

#define CODE_BLOCK_CHUNKS_COUNT   8

Typedef Documentation

◆ CODE_BLOCK

typedef struct _CODE_BLOCK CODE_BLOCK

Describes a single normalized code block. This is only a "passing" structure: from it a CODE_SIGNATURE structure is built, which is then matched against the databases (or inserted into one). Each codeblock is a series of patterns that is computed into a hash, and a signature consists of a few such hashes.

◆ CODE_BLOCK_PATTERN

typedef struct _CODE_BLOCK_PATTERN CODE_BLOCK_PATTERN

This structure describes an instruction inside a pattern.

◆ PCODE_BLOCK

typedef struct _CODE_BLOCK * PCODE_BLOCK

◆ PCODE_BLOCK_PATTERN

typedef struct _CODE_BLOCK_PATTERN * PCODE_BLOCK_PATTERN

Enumeration Type Documentation

◆ CB_EXTRACT_LEVEL

enum CB_EXTRACT_LEVEL

This defines how "aggressive" the pattern extraction should be.

Enumerator
cbLevelNormal 

This includes instructions until codeInsBt.

cbLevelMedium 

This includes instructions until codeInsFlags.

Definition at line 14 of file codeblocks.h.

◆ CODE_INS

enum CODE_INS

Defines the instruction types that are included in the blocks.

Enumerator
codeInsInvalid 

Not really used, only to signal an error.

codeInsJc 

Conditional jump, of any kind, including loop.

codeInsJmp 

Non-conditional jump, of any kind.

codeInsCall 

Call, of any kind.

codeInsRet 

Ret, of any kind.

codeInsStr 

Some sort of string instruction - lods, stos, scas, movs.

codeInsXchg 

Exchange instruction, including xchg, xadd, cmpxchg, cmpxchg8b/16b.

codeInsBt 

Bit manipulation instruction - bt, bts, btr, btc.

codeInsMovReg 

A mov involving only registers.

codeInsMovMem 

A mov involving memory (either as the destination or as the source).

codeInsMovImm 

A mov using an immediate value.

codeInsMovFsGs 

A mov using a segment:offset (fs/gs) operand.

codeInsFlags 

Push/Pop flags.

Definition at line 24 of file codeblocks.h.

Function Documentation

◆ IntFragDumpBlocks()

INTSTATUS IntFragDumpBlocks ( PBYTE  Buffer,
QWORD  StartAddress,
DWORD  MaxBufferSize,
IG_CS_TYPE  CsType,
CB_EXTRACT_LEVEL  ExtractLevel,
QWORD  Rip,
BOOLEAN  ReturnRip 
)

Dumps code-blocks that can then be used to generate an exception signature.

Parameters
[in] Buffer: The code buffer to be parsed.
[in] StartAddress: The offset to start the parsing at.
[in] MaxBufferSize: The size of the code buffer.
[in] CsType: Operating mode, should be IG_CS_TYPE_32B or IG_CS_TYPE_64B.
[in] ExtractLevel: cbLevelNormal or cbLevelMedium.
[in] Rip: The current Rip.
[in] ReturnRip: The return Rip.
Return values
INT_STATUS_SUCCESS: On success.
INT_STATUS_INVALID_PARAMETER: If an invalid parameter is supplied.
INT_STATUS_INSUFFICIENT_RESOURCES: If a memory alloc fails.
INT_STATUS_DATA_BUFFER_TOO_SMALL: If at least CODE_BLOCK_CHUNKS_COUNT could not be extracted.

Definition at line 1293 of file codeblocks.c.

Referenced by DbgDumpCodeblocks(), and IntExceptDumpSignatures().

◆ IntFragExtractCodeBlocks()

INTSTATUS IntFragExtractCodeBlocks ( BYTE *  Buffer,
DWORD  MaxBufferSize,
IG_CS_TYPE  CsType,
CB_EXTRACT_LEVEL  ExtractLevel,
DWORD *  HashesCount,
DWORD *  Hashes 
)

Extract a block of code-block hashes from the given code buffer.

This function parses the provided code buffer and extracts a pattern of CODE_INS values representing the relevant instructions located inside it. Once the pattern has been extracted, the function walks it and computes hashes over blocks of CODE_BLOCK_CHUNKS_COUNT patterns, each block starting at a pivot instruction: a codeInsJmp, a codeInsCall, or a mov that involves memory or the fs/gs segments.

Parameters
[in] Buffer: The code buffer to be parsed.
[in] MaxBufferSize: The size of the code buffer.
[in] CsType: Operating mode, should be IG_CS_TYPE_32B or IG_CS_TYPE_64B.
[in] ExtractLevel: cbLevelNormal or cbLevelMedium.
[in,out] HashesCount: The total number of hashes extracted is added to this variable.
[out] Hashes: Contains the extracted hashes upon successful return.
Return values
INT_STATUS_SUCCESS: On success.
INT_STATUS_INVALID_PARAMETER: If an invalid parameter is supplied.
INT_STATUS_NOT_FOUND: If no hash could be extracted.

Definition at line 746 of file codeblocks.c.

Referenced by IntExceptVerifyCodeBlocksSig().
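As an added illustration of the pivot-and-window scheme described for IntFragExtractCodeBlocks above (example code written here, not HVMI's own): the level filter, the pivot test and the windowed hashing in C. It assumes the extract level is an inclusive threshold on the CODE_INS value (cbLevelNormal up to codeInsBt, cbLevelMedium up to codeInsFlags) and uses 32-bit FNV-1a as a stand-in hash, since the page does not give HVMI's hash function; cb_extract_hashes, cb_demo_count and the sample pattern are all constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
/* CODE_INS, CB_EXTRACT_LEVEL and CODE_BLOCK_CHUNKS_COUNT as listed on this page. */
typedef enum {
    codeInsInvalid = 0, codeInsJc, codeInsJmp, codeInsCall, codeInsRet,
    codeInsStr, codeInsXchg, codeInsBt, codeInsMovReg, codeInsMovMem,
    codeInsMovImm, codeInsMovFsGs, codeInsFlags
} CODE_INS;
typedef enum { cbLevelNormal = 1, cbLevelMedium } CB_EXTRACT_LEVEL;
#define CODE_BLOCK_CHUNKS_COUNT 8
/* Assumption: a level keeps CODE_INS values up to an inclusive threshold
 * (cbLevelNormal: codeInsBt, cbLevelMedium: codeInsFlags). */
static bool cb_included(CODE_INS ins, CB_EXTRACT_LEVEL level)
{
    CODE_INS top = (level == cbLevelNormal) ? codeInsBt : codeInsFlags;
    return ins != codeInsInvalid && ins <= top;
}
/* Pivots per the IntFragExtractCodeBlocks text: jmp, call, mov via memory or fs/gs. */
static bool cb_is_pivot(CODE_INS i)
{ return i == codeInsJmp || i == codeInsCall || i == codeInsMovMem || i == codeInsMovFsGs; }
/* Stand-in hash (32-bit FNV-1a); the page does not give HVMI's own hash. */
static uint32_t cb_hash(const uint8_t *chunk, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= chunk[i]; h *= 16777619u; }
    return h;
}
/* Filter the raw pattern by level, then hash every CODE_BLOCK_CHUNKS_COUNT-long
 * window that starts at a pivot. Returns the number of hashes written. */
size_t cb_extract_hashes(const CODE_INS *pat, size_t n, CB_EXTRACT_LEVEL level,
                         uint32_t *hashes, size_t max_hashes)
{
    uint8_t kept[256]; size_t k = 0, out = 0;
    for (size_t i = 0; i < n && k < sizeof kept; i++)
        if (cb_included(pat[i], level)) kept[k++] = (uint8_t)pat[i];
    for (size_t i = 0; i + CODE_BLOCK_CHUNKS_COUNT <= k && out < max_hashes; i++)
        if (cb_is_pivot((CODE_INS)kept[i]))
            hashes[out++] = cb_hash(&kept[i], CODE_BLOCK_CHUNKS_COUNT);
    return out;
}
/* Constructed sample pattern (not from a real binary): hash count per level. */
size_t cb_demo_count(CB_EXTRACT_LEVEL level)
{
    static const CODE_INS pat[] = { codeInsMovReg, codeInsCall, codeInsMovMem,
        codeInsJc, codeInsRet, codeInsStr, codeInsXchg, codeInsBt, codeInsMovImm,
        codeInsJmp, codeInsMovFsGs, codeInsFlags, codeInsRet, codeInsJc };
    uint32_t h[8];
    return cb_extract_hashes(pat, sizeof pat / sizeof pat[0], level, h, 8);
}
```

With the sample pattern, cbLevelNormal drops the register/memory/immediate movs and leaves a single call-pivoted window, while cbLevelMedium keeps everything and yields two windows (call and mov-memory pivots).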

◆ IntFragExtractCodePattern()

INTSTATUS IntFragExtractCodePattern ( PBYTE  Buffer,
DWORD  StartOffset,
DWORD  MaxBufferSize,
IG_CS_TYPE  CsType,
CB_EXTRACT_LEVEL  ExtractLevel,
DWORD  PatternSize,
CODE_BLOCK_PATTERN *  Pattern,
DWORD *  TotalExtracted 
)

Extract a pattern of code-blocks from the given code buffer.

This function parses the provided code buffer and extracts a pattern of CODE_INS values representing the relevant instructions located inside it. The pattern can then be used to compute hashes (code-blocks). The function uses the disassembler to decode each instruction inside Buffer and, depending on the instruction type, writes a CODE_INS value into the Pattern buffer. It may also call the optimized IntFragHandleCommon function, which tries to classify the current instruction without calling the disassembler; if that fails, the disassembler is still used.

Parameters
[in] Buffer: The code buffer to be parsed.
[in] StartOffset: The offset to start the parsing at.
[in] MaxBufferSize: The size of the code buffer.
[in] CsType: Operating mode, should be IG_CS_TYPE_32B or IG_CS_TYPE_64B.
[in] ExtractLevel: cbLevelNormal or cbLevelMedium.
[in] PatternSize: Maximum size of the pattern.
[out] Pattern: The pattern of instructions located in Buffer.
[out] TotalExtracted: Number of CODE_INS values extracted from Buffer into Pattern.
Return values
INT_STATUS_SUCCESS: On success.
INT_STATUS_INVALID_PARAMETER: If an invalid parameter is supplied.
INT_STATUS_DATA_BUFFER_TOO_SMALL: If the buffer is too small (the last instructions cannot be parsed).

Definition at line 990 of file codeblocks.c.

Referenced by IntAlertFillCodeBlocks(), IntFragDumpBlocks(), and IntSerializeExtractCodeBlocks().

◆ IntFragExtractPattern()

INTSTATUS IntFragExtractPattern ( BYTE *  Buffer,
DWORD  MaxBufferSize,
IG_CS_TYPE  CsType,
CB_EXTRACT_LEVEL  ExtractLevel,
DWORD  PatternSize,
BYTE *  Pattern,
DWORD *  TotalExtracted,
DWORD *  TotalParsed 
)

Extract a pattern of code-blocks from the given code buffer.

This function parses the provided code buffer and extracts a pattern of CODE_INS values representing the relevant instructions located inside it. The pattern can then be used to compute hashes (code-blocks). The function uses the disassembler to decode each instruction inside Buffer and, depending on the instruction type, writes a CODE_INS value into the Pattern buffer. It may also call the optimized IntFragHandleCommon function, which tries to classify the current instruction without calling the disassembler; if that fails, the disassembler is still used.

Parameters
[in] Buffer: The code buffer to be parsed.
[in] MaxBufferSize: The size of the code buffer.
[in] CsType: Operating mode, should be IG_CS_TYPE_32B or IG_CS_TYPE_64B.
[in] ExtractLevel: cbLevelNormal or cbLevelMedium.
[in] PatternSize: Maximum size of the pattern.
[out] Pattern: The pattern of instructions located in Buffer.
[out] TotalExtracted: Number of CODE_INS values extracted from Buffer into Pattern.
[in,out] TotalParsed: The total size in bytes parsed from Buffer is added to this variable.
Return values
INT_STATUS_SUCCESS: On success.
INT_STATUS_INVALID_PARAMETER: If an invalid parameter is supplied.
INT_STATUS_DATA_BUFFER_TOO_SMALL: If the buffer is too small (the last instructions cannot be parsed).

Definition at line 502 of file codeblocks.c.

Referenced by IntFragExtractCodeBlocks().

◆ IntFragMatchSignature()

__pure INTSTATUS IntFragMatchSignature ( const DWORD *  Hashes,
DWORD  CodeBlocksCount,
const SIG_CODEBLOCKS *  ExceptionSignature 
)

Match a block of code-block hashes against a list of code-block exception signatures.

This function attempts to match the code-blocks held in Hashes against the code-block signature list inside ExceptionSignature.

Parameters
[in] Hashes: The list of hashes to be matched.
[in] CodeBlocksCount: Number of hashes in Hashes.
[in] ExceptionSignature: The exception signature containing the hashes to match against.
Return values
INT_STATUS_SIGNATURE_MATCHED: If the Hashes block matches a signature inside ExceptionSignature.
INT_STATUS_SIGNATURE_NOT_FOUND: If no match is found.
INT_STATUS_INVALID_PARAMETER: If an invalid parameter is supplied.

Definition at line 912 of file codeblocks.c.

Referenced by IntExceptVerifyCodeBlocksSig().