Exposes the functions used to used to dump (log) code and registers. More...

#include "glue.h"
#include "bddisasm.h"
#include "wddefs.h"

Typedefs
typedef struct _LIX_TRAP_FRAME	LIX_TRAP_FRAME

Functions
TIMER_FRIENDLY void	IntDumpArchRegs (IG_ARCH_REGS const *Registers)
	This function dumps the register values in a user friendly format. More...

TIMER_FRIENDLY void	IntDumpBuffer (const void *Buffer, QWORD Gva, DWORD Length, DWORD RowLength, DWORD ElementLength, BOOLEAN LogHeader, BOOLEAN DumpAscii)
	This function dumps a given buffer in a user friendly format. More...

TIMER_FRIENDLY void	IntDumpGvaEx (QWORD Gva, DWORD Length, QWORD Cr3, DWORD RowLength, DWORD ElementLength, BOOLEAN LogHeader, BOOLEAN DumpAscii)
	This function dumps a given GVA in a user friendly format. This function uses IntDumpBuffer to perform the dump, but it also does the memory mapping of the GVA given the address space (Cr3). More...

TIMER_FRIENDLY void	IntDumpGva (QWORD Gva, DWORD Length, QWORD Cr3)
	This function is a wrapper over IntDumpGvaEx (it uses RowLength = 16, ElementLength = 1, LogHeader = TRUE and DumpAscii = TRUE). More...

void	IntDisasmBuffer (void *Buffer, DWORD Length, QWORD Rip)
	This function disassembles a given code buffer and then dumps the instructions (textual disassembly). More...

void	IntDisasmGva (QWORD Gva, DWORD Length)
	This function disassembles a code buffer (given its GVA) and then dumps the instructions (textual disassembly). More...

TIMER_FRIENDLY void	IntDumpInstruction (INSTRUX *Instruction, QWORD Rip)
	This function dumps a given instruction (textual disassembly). More...

void	IntDisasmLixFunction (const char *FunctionName)
	This function dumps a Linux function (textual disassembly) given its name. More...

void	IntDumpCode (BYTE Page, DWORD Offset, IG_CS_TYPE CsType, IG_ARCH_REGS Registers)
	This function dumps an entire page (textual disassembly and opcodes). More...

INTSTATUS	IntDumpCodeAndRegs (QWORD Gva, QWORD Gpa, IG_ARCH_REGS *Registers)
	This function dumps an entire page (textual disassembly and opcodes) as well as the values of the registers. More...

void	IntDumpLixUmTrapFrame (LIX_TRAP_FRAME *TrapFrame)
	This function dumps a Linux UM trap frame. More...

void	IntDumpWinTrapFrame64 (KTRAP_FRAME64 *TrapFrame)
	This function dumps a windows 64 guest trap frame. More...

void	IntDumpWinTrapFrame32 (KTRAP_FRAME32 *TrapFrame)
	This function dumps a windows 64 guest trap frame. More...

Detailed Description

Exposes the functions used to used to dump (log) code and registers.

Definition in file dumper.h.

Typedef Documentation

◆ LIX_TRAP_FRAME

typedef struct _LIX_TRAP_FRAME LIX_TRAP_FRAME

Definition at line 18 of file dumper.h.

Function Documentation

◆ IntDisasmBuffer()

void IntDisasmBuffer	(	void *	Buffer,
		DWORD	Length,
		QWORD	Rip
	)

This function disassembles a given code buffer and then dumps the instructions (textual disassembly).

Parameters

[in]	Buffer	The code buffer to be dumped.
[in]	Length	The length of the code buffer to be dumped.
[in]	Rip	The RIP value of the code to be dumped.

Definition at line 294 of file dumper.c.

Referenced by IntDetHandleWrite().

◆ IntDisasmGva()

void IntDisasmGva	(	QWORD	Gva,
		DWORD	Length
	)

This function disassembles a code buffer (given its GVA) and then dumps the instructions (textual disassembly).

Parameters

[in]	Gva	The GVA of the code to be dumped.
[in]	Length	The length of the code buffer to be dumped.

Definition at line 432 of file dumper.c.

Referenced by DbgDisasm(), IntDetHandleWrite(), IntDisasmLixFunction(), IntLixApiHook(), IntLixGuestAgentContentHandler(), IntLixGuestDetourDataHandler(), IntLixPatchSwapgs(), IntLixStackDumpUmStackTrace(), IntMtblCheckAccess(), IntVeDumpVeInfoPage(), IntVeHandleAccess(), and IntVeHandleEPTViolationInProtectedView().

◆ IntDisasmLixFunction()

void IntDisasmLixFunction ( const char * FunctionName )

This function dumps a Linux function (textual disassembly) given its name.

Parameters

[in] FunctionName The function to be dumped.

Definition at line 614 of file dumper.c.

◆ IntDumpArchRegs()

TIMER_FRIENDLY void IntDumpArchRegs ( IG_ARCH_REGS const * Registers )

This function dumps the register values in a user friendly format.

Parameters

[in] Registers The registers to be dumped (must NOT be NULL).

Definition at line 20 of file dumper.c.

Referenced by IntDumpCodeAndRegs(), IntEngDumpCodeAndRegs(), IntHandleEptViolation(), IntHookPtwEmulateWrite(), IntLixAgentError(), IntLixAgentHandleBreakpoint(), IntLixAgentThreadError(), IntLixAgentThreadHandleBreakpoint(), IntLixGuestAgentContentHandler(), IntLixGuestDetourDataHandler(), IntLogGuestRegisters(), IntVeDumpVeInfoPage(), IntVeHandleAccess(), and IntVeHandleEPTViolationInProtectedView().

◆ IntDumpBuffer()

TIMER_FRIENDLY void IntDumpBuffer	(	const void *	Buffer,
		QWORD	Gva,
		DWORD	Length,
		DWORD	RowLength,
		DWORD	ElementLength,
		BOOLEAN	LogHeader,
		BOOLEAN	DumpAscii
	)

This function dumps a given buffer in a user friendly format.

NOTE: Timer friendly only if Cr3 != 0 or gGuest.SystemCr3 != 0.

Example:
[DUMPER] Dumping buffer from GVA 0000000001482000 with size 591
0000000001482000 : e8 00 00 00 00 58 c6 40 07 01 c3 cc 00 00 00 00 .....X.........
0000000001482010 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000000001482020 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

Parameters

[in]	Buffer	The buffer to be dumped.
[in]	Gva	The GVA mapped by the Buffer (it can be 0).
[in]	Length	The length of the buffer to be dumped.
[in]	RowLength	The number of elements to be printed on each row (valid values 1 -> 16 or 0 resulting in a default value - 8).
[in]	ElementLength	The length, in bytes, of one element (1, 2, 4 or 8 bytes).
[in]	LogHeader	If TRUE, a header will be logged (GVA and Length information).
[in]	DumpAscii	If TRUE, the ASCII values corresponding to the dumped buffer will be logged as well.

Definition at line 48 of file dumper.c.

Referenced by IntDumpGvaEx(), IntDumpInstruction(), IntExceptDumpSignatures(), IntExceptUserLogInformation(), IntMemClkDump(), IntMemClkHandleRead(), IntMemClkUnInit(), IntSlackAllocWindows(), IntWinGuestFindSelfMapIndex(), IntWinNetFillTcpStruct(), IntWinProcHandleInstrument(), IntWinThrHandleQueueApc(), and IntWinThrHandleThreadHijack().

◆ IntDumpCode()

void IntDumpCode	(	BYTE *	Page,
		DWORD	Offset,
		IG_CS_TYPE	CsType,
		IG_ARCH_REGS *	Registers
	)

This function dumps an entire page (textual disassembly and opcodes).

Parameters

[in]	Page	The page to be dumped.
[in]	Offset	The offset to dump the code from.
[in]	CsType	The code segment type.
[in]	Registers	The registers (used to obtain the RIP).

Definition at line 637 of file dumper.c.

Referenced by IntDumpCodeAndRegs(), and IntEngDumpCodeAndRegs().

◆ IntDumpCodeAndRegs()

INTSTATUS IntDumpCodeAndRegs	(	QWORD	Gva,
		QWORD	Gpa,
		IG_ARCH_REGS *	Registers
	)

This function dumps an entire page (textual disassembly and opcodes) as well as the values of the registers.

Parameters

[in]	Gva	The GVA (used to obtain the offset in page).
[in]	Gpa	The GPA (it is mapped by this function).
[in]	Registers	The registers.

Definition at line 692 of file dumper.c.

Referenced by IntLixVmaHandlePageExecution(), IntWinCrashHandleDepViolation(), IntWinSudHandleKernelSudExec(), IntWinSudHandleUserSudExec(), and IntWinVadIsExecSuspicious().

◆ IntDumpGva()

TIMER_FRIENDLY void IntDumpGva	(	QWORD	Gva,
		DWORD	Length,
		QWORD	Cr3
	)

This function is a wrapper over IntDumpGvaEx (it uses RowLength = 16, ElementLength = 1, LogHeader = TRUE and DumpAscii = TRUE).

NOTE: Timer friendly only if Cr3 != 0 or gGuest.SystemCr3 != 0.

Parameters

[in]	Gva	The GVA of the buffer.
[in]	Length	The length of the buffer to be dumped.
[in]	Cr3	The address space (if 0, the function uses the CR3 of the current VCPU).

Definition at line 273 of file dumper.c.

Referenced by IntExceptUserLogInformation(), IntExceptUserLogWindowsInformation(), IntHandleEptViolation(), IntHookPtwEmulateWrite(), IntLixVmaGetPageCount(), IntPtiRemoveInstruction(), and IntThrSafeIsLiveRIPInIntro().

◆ IntDumpGvaEx()

TIMER_FRIENDLY void IntDumpGvaEx	(	QWORD	Gva,
		DWORD	Length,
		QWORD	Cr3,
		DWORD	RowLength,
		DWORD	ElementLength,
		BOOLEAN	LogHeader,
		BOOLEAN	DumpAscii
	)

This function dumps a given GVA in a user friendly format. This function uses IntDumpBuffer to perform the dump, but it also does the memory mapping of the GVA given the address space (Cr3).

NOTE: Timer friendly only if Cr3 != 0 or gGuest.SystemCr3 != 0.

Parameters

[in]	Gva	The GVA of the buffer.
[in]	Length	The length of the buffer to be dumped.
[in]	Cr3	The address space (if 0, the function uses the CR3 of the current VCPU).
[in]	RowLength	The number of elements to be printed on each row (valid values 1 -> 16 or 0 resulting in a default value - 8).
[in]	ElementLength	The length, in bytes, of one element (1, 2, 4 or 8 bytes).
[in]	LogHeader	If TRUE, a header will be logged (GVA and Length information).
[in]	DumpAscii	If TRUE, the ASCII values corresponding to the dumped buffer will be logged as well.

Definition at line 204 of file dumper.c.

Referenced by IntDumpGva(), IntLogCriticalStructureCoruption(), IntMtblCheckAccess(), and IntWinNetFindTcpPartition().

◆ IntDumpInstruction()

TIMER_FRIENDLY void IntDumpInstruction	(	INSTRUX *	Instruction,
		QWORD	Rip
	)

This function dumps a given instruction (textual disassembly).

Parameters

[in]	Instruction	The instruction to be dumped.
[in]	Rip	The RIP value of the instruction to be dumped.

Definition at line 583 of file dumper.c.

Referenced by IntDecEmulateRead(), IntDetRelocate(), IntDetSetHook(), IntExceptGetVictimEpt(), IntFragExtractPattern(), IntHandleEptViolation(), and IntLogCurrentIP().

◆ IntDumpLixUmTrapFrame()

void IntDumpLixUmTrapFrame ( LIX_TRAP_FRAME * TrapFrame )

This function dumps a Linux UM trap frame.

Parameters

[in] TrapFrame The trap frame to be dumped.

Definition at line 741 of file dumper.c.

Referenced by IntLixStackDumpUmStackTrace().

◆ IntDumpWinTrapFrame32()

void IntDumpWinTrapFrame32 ( KTRAP_FRAME32 * TrapFrame )

This function dumps a windows 64 guest trap frame.

Parameters

[in] TrapFrame The trap frame to be dumped.

Definition at line 789 of file dumper.c.

Referenced by IntExceptUserLogWindowsInformation().

◆ IntDumpWinTrapFrame64()

void IntDumpWinTrapFrame64 ( KTRAP_FRAME64 * TrapFrame )

This function dumps a windows 64 guest trap frame.

Parameters

[in] TrapFrame The trap frame to be dumped.

Definition at line 765 of file dumper.c.

Referenced by IntExceptUserLogWindowsInformation().

Typedefs

Functions

Detailed Description

Typedef Documentation

◆ LIX_TRAP_FRAME

Function Documentation

◆ IntDisasmBuffer()

◆ IntDisasmGva()

◆ IntDisasmLixFunction()

◆ IntDumpArchRegs()

◆ IntDumpBuffer()

◆ IntDumpCode()

◆ IntDumpCodeAndRegs()

◆ IntDumpGva()

◆ IntDumpGvaEx()

◆ IntDumpInstruction()

◆ IntDumpLixUmTrapFrame()

◆ IntDumpWinTrapFrame32()

◆ IntDumpWinTrapFrame64()