- Generated by
1.8.13
|
Bitdefender Hypervisor Memory Introspection
|
#include "exceptions.h"#include "codeblocks.h"#include "crc32.h"#include "decoder.h"#include "hook.h"#include "winpe.h"#include "winthread.h"#include "lixmm.h"#include "serializers.h"Go to the source code of this file.
Data Structures | |
| struct | _CB_CACHE |
| Describes a code-blocks cache entry. More... | |
Macros | |
| #define | CB_CACHE_FLG_RETURN 0x1 |
| Indicated that the gCodeBlocksReturnCache cache should be used. More... | |
| #define | CB_CACHE_FLG_ORIGINAL 0x2 |
| Indicates that the gCodeBlocksOriginalCache should be used. More... | |
Typedefs | |
| typedef struct _CB_CACHE | CB_CACHE |
| Describes a code-blocks cache entry. More... | |
| typedef struct _CB_CACHE * | PCB_CACHE |
Functions | |
| void | IntExceptInvCbCacheByGva (QWORD Gva) |
| Invalidate the cache used for code blocks for a given guest virtual address. More... | |
| void | IntExceptInvCbCacheByCr3 (QWORD Cr3) |
| Invalidate the cache used for code blocks for a given CR3. More... | |
| static DWORD | IntExceptExtendedPatternMatch (const BYTE *Buffer, DWORD Length, const SIG_VALUE_CODE *Sig, DWORD IndexPattern) |
| Try to match the given buffer with the given signature. More... | |
| static void | IntExceptRemoveKmListExceptions (LIST_HEAD *ListHead) |
| This function removes and frees all entries from a kernel-mode exceptions list. More... | |
| static void | IntExceptRemoveKernelUserListExceptions (LIST_HEAD *ListHead) |
| This function removes and frees all entries from a kernel-user mode exceptions list. More... | |
| static void | IntExceptRemoveUmListExceptions (LIST_HEAD *ListHead) |
| This function removes and frees all entries from a user-mode exceptions list. More... | |
| static void | IntExceptRemoveUmGlobListExceptions (LIST_HEAD *ListHead) |
| This function removes and frees all entries from a user-mode glob exceptions list. More... | |
| INTSTATUS | IntExceptRemove (void) |
| This function removes and frees all exceptions and signatures that have been added from exception binary file. More... | |
| INTSTATUS | IntExceptAlertRemove (void) |
| This function removes and frees all exceptions and signatures that have been added from alert. More... | |
| INTSTATUS | IntExceptInit (void) |
| This function allocates the exceptions data and initialize the exception lists and the signature lists. More... | |
| INTSTATUS | IntExceptUninit (void) |
| This function removes and frees all exceptions and signatures. More... | |
| static INTSTATUS | IntExceptWinGetVictimDriver (KERNEL_DRIVER *Driver, EXCEPTION_VICTIM_ZONE *Victim) |
| This function get the information from KERNEL_DRIVER and fill the information required by EXCEPTION_VICTIM_ZONE. More... | |
| static INTSTATUS | IntExceptLixGetVictimDriver (KERNEL_DRIVER *Driver, EXCEPTION_VICTIM_ZONE *Victim) |
| Fills an EXCEPTION_VICTIM_ZONE with the relevant information from a KERNEL_DRIVER. More... | |
| INTSTATUS | IntExceptGetVictimEpt (void *Context, QWORD Gpa, QWORD Gva, INTRO_OBJECT_TYPE Type, DWORD ZoneFlags, EXCEPTION_VICTIM_ZONE *Victim) |
| Fills an EXCEPTION_VICTIM_ZONE with relevant information from an EPT violation. More... | |
| static INTSTATUS | IntExceptVerifyCodeBlocksSig (void *Exception, void *Originator, EXCEPTION_SIGNATURE_ID *Signatures, DWORD SignatureCount, EXCEPTION_TYPE ExceptionType) |
| This function checks if the code blocks from the originator RIP match the code blocks from the given exception. More... | |
| static INTSTATUS | IntExceptVerifyValueCodeSig (void *Exception, void *Originator, EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_SIGNATURE_ID *Signatures, DWORD SignaturesCount, EXCEPTION_TYPE ExceptionType) |
| This function checks if the opcodes from the originator's RIP match the opcodes pattern from the given exception. More... | |
| static INTSTATUS | IntExceptVerifyValueSig (void *Exception, void *Originator, EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_SIGNATURE_ID *Signatures, DWORD SignaturesCount, EXCEPTION_TYPE ExceptionType) |
| This function checks if the hash of the modified zone from the originator matches the hash from the given exception. More... | |
| static INTSTATUS | IntExceptVerifyExportSig (void *Exception, void *Originator, EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_SIGNATURE_ID *Signatures, DWORD SignaturesCount, EXCEPTION_TYPE ExceptionType) |
| Checks if the modified library from the originator matches the library from the given exception. More... | |
| static INTSTATUS | IntExceptVerifyIdtSignature (void *Exception, void *Originator, PEXCEPTION_VICTIM_ZONE Victim, EXCEPTION_SIGNATURE_ID *Signatures, DWORD SignaturesCount, EXCEPTION_TYPE ExceptionType) |
| This function checks if the modified IDT entry matches the entry from the given exception. More... | |
| static INTSTATUS | IntExceptVerifyProcessCreationSignature (void *Exception, void *Originator, EXCEPTION_SIGNATURE_ID *Signatures, DWORD SignaturesCount, EXCEPTION_TYPE ExceptionType) |
| Checks if the DPI mask of the newly created process match the DPI mask from the given exception. More... | |
| static INTSTATUS | IntExceptVerifyVersionOsSignature (void *Exception, EXCEPTION_SIGNATURE_ID *Signatures, DWORD SignaturesCount) |
| This function checks if the version of the guest operating system is in the minimum-maximum range. More... | |
| static INTSTATUS | IntExceptVerifyVersionIntroSignature (void *Exception, EXCEPTION_SIGNATURE_ID *Signatures, DWORD SignaturesCount) |
| This function checks if the version of the introspection is in the minimum-maximum range. More... | |
| static BOOLEAN | IntExceptSignaturesHasType (EXCEPTION_SIGNATURE_ID *Signatures, DWORD Count, EXCEPTION_SIGNATURE_TYPE Type) |
| This function checks if any signature from an signature-array has the given type. More... | |
| static INTSTATUS | IntExceptVerifySignature (void *Exception, void *Originator, EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_TYPE ExceptionType, INTRO_ACTION_REASON *Reason) |
| Iterates all signatures from the given exception and call the suitable function for that signature type. More... | |
| void | IntExceptDumpSignatures (void *Originator, EXCEPTION_VICTIM_ZONE *Victim, BOOLEAN KernelMode, BOOLEAN ReturnDrv) |
| Dump code blocks from the originator's RIP. More... | |
| INTSTATUS | IntExceptMatchException (void *Victim, void *Originator, void *Exception, EXCEPTION_TYPE ExceptionType, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason) |
| This function tries to find a exception for the current violation.. More... | |
| void | IntExcept (EXCEPTION_VICTIM_ZONE *Victim, void *Originator, EXCEPTION_TYPE Type, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason, INTRO_EVENT_TYPE EventClass) |
| This function is the entry point for the exception mechanism. More... | |
Variables | |
| static QWORD | gUsedRips [255] = {0} |
| Cache of RIPs from which code blocks were already dumped. More... | |
| INT_VERSION_INFO | IntHviVersion |
| The version of the introcore library. More... | |
| static BYTE * | gValueBuffer = NULL |
| Pre-allocated buffer used to match value signatures. More... | |
| static DWORD | gValueBufferSize = 2 * PAGE_SIZE |
| The size, in bytes, of the gValueBuffer buffer. More... | |
| char | gExcLogLine [2 *ONE_KILOBYTE] |
| The exception log line. More... | |
| static CB_CACHE | gCodeBlocksOriginalCache = { 0 } |
| Cache for code blocks extracted from an originator. More... | |
| static CB_CACHE | gCodeBlocksReturnCache = {0} |
| Cache for code blocks extracted from a return originator. More... | |
| #define CB_CACHE_FLG_ORIGINAL 0x2 |
Indicates that the gCodeBlocksOriginalCache should be used.
Definition at line 73 of file exceptions.c.
Referenced by IntExceptVerifyCodeBlocksSig().
| #define CB_CACHE_FLG_RETURN 0x1 |
Indicated that the gCodeBlocksReturnCache cache should be used.
Definition at line 71 of file exceptions.c.
Referenced by IntExceptVerifyCodeBlocksSig().
| void IntExcept | ( | EXCEPTION_VICTIM_ZONE * | Victim, |
| void * | Originator, | ||
| EXCEPTION_TYPE | Type, | ||
| INTRO_ACTION * | Action, | ||
| INTRO_ACTION_REASON * | Reason, | ||
| INTRO_EVENT_TYPE | EventClass | ||
| ) |
This function is the entry point for the exception mechanism.
This will dispatch the exception checking to the appropriate function, depending if we are in user-mode or kernel-mode. It will also serialize the exception.
| [in] | Originator | The originator structure used by the exceptions mechanism. |
| [in] | Victim | The current victim to check. |
| [in] | Type | The exception type. |
| [out] | Reason | The reason for which Action was taken. |
| [out] | Action | The action that was taken. |
| [in] | EventClass | The event type for which this function is called. This is needed by the serializer. |
Definition at line 3357 of file exceptions.c.
Referenced by IntCrLixHandleWrite(), IntCrWinHandleWrite(), IntDtrHandleWrite(), IntLixAccessRemoteVmHandler(), IntLixDrvHandleWrite(), IntLixIdtWriteHandler(), IntLixKernelHandleRead(), IntLixMsrHandleWrite(), IntLixTaskHandleInjection(), IntLixValidateProcessCreationRights(), IntLixVdsoHandleKernelModeWrite(), IntLixVdsoHandleUserModeWrite(), IntLixVmaHandlePageExecution(), IntWinDagentHandleDoubleAgent(), IntWinDpiCheckCreation(), IntWinDrvHandleRead(), IntWinDrvHandleWrite(), IntWinDrvObjHandleModification(), IntWinDrvObjHandleWrite(), IntWinHalHandleHalHeapExec(), IntWinHalHandleHalIntCtrlWrite(), IntWinHalHandlePerfCounterModification(), IntWinIdtHandleModification(), IntWinIdtWriteHandler(), IntWinInfHookEptSppHandleWrite(), IntWinInfHookIntegrityHandleWrite(), IntWinIntObjHandleModification(), IntWinModHandleKernelWrite(), IntWinModHandleUserWrite(), IntWinMsrHandleWrite(), IntWinProcHandleCopyMemory(), IntWinProcHandleInstrument(), IntWinSDCheckAclIntegrity(), IntWinSDCheckSecDescIntegrity(), IntWinSelfMapHandleCr3SelfMapWrite(), IntWinSudHandleFieldModification(), IntWinSudHandleKernelSudExec(), IntWinSudHandleUserSudExec(), IntWinThrHandleQueueApc(), IntWinThrHandleThreadHijack(), IntWinTokenPrivsCheckIntegrityOnProcess(), IntWinTokenPrivsHandleWrite(), and IntWinVadIsExecSuspicious().
| INTSTATUS IntExceptAlertRemove | ( | void | ) |
This function removes and frees all exceptions and signatures that have been added from alert.
The exceptions that have been added from binary file are not removed or freed.
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_INITIALIZED | If the exceptions data is not initialized. |
Definition at line 382 of file exceptions.c.
Referenced by IntExceptUninit(), and IntUpdateFlushAlertExceptions().
| void IntExceptDumpSignatures | ( | void * | Originator, |
| EXCEPTION_VICTIM_ZONE * | Victim, | ||
| BOOLEAN | KernelMode, | ||
| BOOLEAN | ReturnDrv | ||
| ) |
Dump code blocks from the originator's RIP.
param[in] Originator The originator of the current violation. param[in] Victim The internal structure of the modified zone. param[in] KernelMode True if the kernel-mode originator is given. param[in] ReturnDrv True if the kernel-mode originator has a return driver.
Definition at line 2978 of file exceptions.c.
Referenced by IntExceptKernelLogInformation(), IntExceptKernelUserLogInformation(), and IntExceptUserLogInformation().
|
static |
Try to match the given buffer with the given signature.
| [in] | Buffer | The buffer that will be compared with the signature pattern. |
| [in] | Length | The length of the buffer. |
| [in] | Sig | The signature that will be compared with the given buffer. |
| [in] | IndexPattern | The start position from the signature pattern. |
| SIG_NOT_FOUND | If the content of the buffer don't match the content of the signature pattern. |
| SIG_FOUND | If the content of the buffer matches the content of the signature pattern. |
Definition at line 127 of file exceptions.c.
Referenced by IntExceptVerifyValueCodeSig().
| INTSTATUS IntExceptGetVictimEpt | ( | void * | Context, |
| QWORD | Gpa, | ||
| QWORD | Gva, | ||
| INTRO_OBJECT_TYPE | Type, | ||
| DWORD | ZoneFlags, | ||
| EXCEPTION_VICTIM_ZONE * | Victim | ||
| ) |
Fills an EXCEPTION_VICTIM_ZONE with relevant information from an EPT violation.
This function can be called from both user-mode and kernel-mode objects.
The type of the Context parameter changes based on the Type value:
| [in] | Context | A pointer to a context that depends on the Type value (see the table from above). |
| [in] | Gpa | The guest physically address where the read/write/exec violation occurred. |
| [in] | Gva | The guest virtual address where the read/write/exec violation occurred. |
| [in] | Type | The type of the modified object (INTRO_OBJECT_TYPE). |
| [in] | ZoneFlags | The flags of the modified zone. |
| [out] | Victim | The victim structure used by the exceptions mechanism. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER_5 | If the zone flags are invalid. |
| INT_STATUS_INVALID_PARAMETER_6 | If the pointer to the victim structure is invalid. |
| INT_STATUS_NOT_SUPPORTED | If the object type is invalid. |
Definition at line 742 of file exceptions.c.
Referenced by IntLixDrvHandleWrite(), IntLixIdtWriteHandler(), IntLixKernelHandleRead(), IntLixVdsoHandleKernelModeWrite(), IntLixVdsoHandleUserModeWrite(), IntLixVmaHandlePageExecution(), IntVeHandleAccess(), IntVeHandleEPTViolationInProtectedView(), IntWinCrashHandleDepViolation(), IntWinDrvHandleRead(), IntWinDrvHandleWrite(), IntWinDrvObjHandleWrite(), IntWinHalHandleHalHeapExec(), IntWinHalHandleHalIntCtrlWrite(), IntWinIdtWriteHandler(), IntWinInfHookEptSppHandleWrite(), IntWinModHandleKernelWrite(), IntWinModHandleUserWrite(), IntWinSelfMapHandleCr3SelfMapWrite(), IntWinSudHandleKernelSudExec(), IntWinSudHandleUserSudExec(), IntWinTokenPrivsHandleWrite(), and IntWinVadIsExecSuspicious().
| INTSTATUS IntExceptInit | ( | void | ) |
This function allocates the exceptions data and initialize the exception lists and the signature lists.
This function also allocates a buffer used by the SIG_VALUE signatures.
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INSUFFICIENT_RESOURCES | If not enough memory is available. |
Definition at line 441 of file exceptions.c.
Referenced by IntGuestInit(), and IntUpdateAddExceptionFromAlert().
| void IntExceptInvCbCacheByCr3 | ( | QWORD | Cr3 | ) |
Invalidate the cache used for code blocks for a given CR3.
The cache must be invalidated if a process is terminating or for each exception regardless of the action (because the integrator can over-rule our action).
param[in] Cr3 The CR3 for witch the cache must be invalidated.
Definition at line 102 of file exceptions.c.
Referenced by IntWinProcUnprotect().
| void IntExceptInvCbCacheByGva | ( | QWORD | Gva | ) |
Invalidate the cache used for code blocks for a given guest virtual address.
The cache must be invalided if a process is terminating or for each exception regardless of the action (because the integrator can over-rule our action).
| [in] | Gva | The guest virtual address for witch the cache must be invalidated. |
Definition at line 77 of file exceptions.c.
Referenced by IntExcept().
|
static |
Fills an EXCEPTION_VICTIM_ZONE with the relevant information from a KERNEL_DRIVER.
This function assume that the KERNEL_DRIVER refers a Linux module and must be used only for Linux guests.
| [in] | Driver | The driver that have been modified. |
| [out] | Victim | The victim structure used by the exceptions mechanism. |
| INT_STATUS_SUCCESS | On success. |
Definition at line 680 of file exceptions.c.
Referenced by IntExceptGetVictimEpt().
| INTSTATUS IntExceptMatchException | ( | void * | Victim, |
| void * | Originator, | ||
| void * | Exception, | ||
| EXCEPTION_TYPE | ExceptionType, | ||
| INTRO_ACTION * | Action, | ||
| INTRO_ACTION_REASON * | Reason | ||
| ) |
This function tries to find a exception for the current violation..
This mechanism has three steps:
| [in] | Exception | The current exception to check. |
| [in] | Originator | The originator structure used by the exceptions mechanism. |
| [in] | Victim | The current victim to check. |
| [in] | ExceptionType | The type of the exception EXCEPTION_TYPE. |
| [out] | Reason | The action that was taken. |
| [out] | Action | The reason for which Action was taken. |
| INT_STATUS_NOT_SUPPORTED | If the exception type is invalid |
| INT_STATUS_EXCEPTION_ALLOW | If the exception matched |
| INT_STATUS_EXCEPTION_NOT_MATCHED | If no exception matched |
Definition at line 3167 of file exceptions.c.
Referenced by IntExceptKernel(), IntExceptKernelUser(), and IntExceptUser().
| INTSTATUS IntExceptRemove | ( | void | ) |
This function removes and frees all exceptions and signatures that have been added from exception binary file.
The exceptions that have been added from alerts are not removed or freed.
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_INITIALIZED | If the exceptions data is not initialized. |
Definition at line 257 of file exceptions.c.
Referenced by IntExceptUninit(), and IntUpdateLoadExceptions().
|
static |
This function removes and frees all entries from a kernel-user mode exceptions list.
| [in] | ListHead | A pointer to a kernel-user mode exceptions list. |
Definition at line 194 of file exceptions.c.
Referenced by IntExceptAlertRemove(), and IntExceptRemove().
|
static |
This function removes and frees all entries from a kernel-mode exceptions list.
| [in] | ListHead | A pointer to a kernel-mode exceptions list. |
Definition at line 173 of file exceptions.c.
Referenced by IntExceptAlertRemove(), and IntExceptRemove().
|
static |
This function removes and frees all entries from a user-mode glob exceptions list.
| [in] | ListHead | A pointer to a user-mode glob exceptions list. |
Definition at line 236 of file exceptions.c.
Referenced by IntExceptRemove().
|
static |
This function removes and frees all entries from a user-mode exceptions list.
| [in] | ListHead | A pointer to a user-mode exceptions list. |
Definition at line 215 of file exceptions.c.
Referenced by IntExceptAlertRemove(), and IntExceptRemove().
|
static |
This function checks if any signature from an signature-array has the given type.
| [in] | Signatures | An array of signature IDs. |
| [in] | Count | The number of the signature-array. |
| [in] | Type | The type of signature. |
| True | if any signature from an signature-array has the given type. |
Definition at line 2708 of file exceptions.c.
Referenced by IntExceptVerifySignature().
| INTSTATUS IntExceptUninit | ( | void | ) |
This function removes and frees all exceptions and signatures.
This function also frees the exception data and the buffer used by the SIG_VALUE signature. The code blocks cache is invalidated and the buffer used for logged RIP is cleaned.
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_INITIALIZED_HINT | If the exceptions data is not initialized. |
Definition at line 513 of file exceptions.c.
Referenced by IntGuestUninit().
|
static |
This function checks if the code blocks from the originator RIP match the code blocks from the given exception.
A code blocks cache is used to avoid to extract same code blocks for each call. The cache is used if this function is called with the saved gEventId or is called for the same guest virtual address and the save process.
| [in] | Exception | The current exception to check. |
| [in] | Originator | The originator structure used by the exceptions mechanism. |
| [in] | Signatures | An array of signature IDs. |
| [in] | SignatureCount | The number of signature IDs. |
| [in] | ExceptionType | The type of the exception EXCEPTION_TYPE. |
| INT_STATUS_NOT_SUPPORTED | If the exception type is invalid, the code blocks cache is invalid or the current mode could not be obtained. |
| INT_STATUS_SIGNATURE_MATCHED | If any signature of the exception matched. |
| INT_STATUS_SIGNATURE_NOT_FOUND | If no signature matched |
Definition at line 1151 of file exceptions.c.
Referenced by IntExceptVerifySignature().
|
static |
Checks if the modified library from the originator matches the library from the given exception.
A cache is used to store the exports for the protected library. For every call, the function checks if the export match the function name from the exception and if the modified size is in the range of 0 and the given delta from exception.
| [in] | Exception | The current exception to check. |
| [in] | Originator | The originator structure used by the exceptions mechanism. |
| [in,out] | Victim | The victim structure used by the exceptions mechanism. |
| [in] | Signatures | An array of signature IDs. |
| [in,out] | SignaturesCount | The number of signature IDs. |
| [in] | ExceptionType | The type of the exception EXCEPTION_TYPE |
| INT_STATUS_NOT_SUPPORTED | If the exception type is invalid or the cs type is invalid. |
| INT_STATUS_SIGNATURE_MATCHED | If any signature of the exception matched. |
| INT_STATUS_SIGNATURE_NOT_FOUND | If no signature matched. |
Definition at line 2027 of file exceptions.c.
Referenced by IntExceptVerifySignature().
|
static |
This function checks if the modified IDT entry matches the entry from the given exception.
| [in] | Exception | The current exception to check, |
| [in] | Originator | The originator structure used by the exceptions mechanism. |
| [in,out] | Victim | The victim structure used by the exceptions mechanism. |
| [in] | Signatures | An array of signature IDs. |
| [in,out] | SignaturesCount | The number of signature IDs. |
| [in] | ExceptionType | The type of the exception EXCEPTION_TYPE. |
| INT_STATUS_NOT_SUPPORTED | If the exception type is invalid or the cs type is invalid. |
| INT_STATUS_SIGNATURE_MATCHED | If any signature of the exception matched. |
| INT_STATUS_SIGNATURE_NOT_FOUND | If no signature matched. |
Definition at line 2219 of file exceptions.c.
Referenced by IntExceptVerifySignature().
|
static |
Checks if the DPI mask of the newly created process match the DPI mask from the given exception.
| [in] | Exception | The current exception to check. |
| [in] | Originator | The originator structure used by the exceptions mechanism. |
| [in] | Signatures | An array of signature IDs. |
| [in] | SignaturesCount | The number of signature IDs. |
| [in] | ExceptionType | The type of the exception EXCEPTION_TYPE. |
| INT_STATUS_NOT_SUPPORTED | If the exception type is invalid or the CS type is invalid. |
| INT_STATUS_SIGNATURE_MATCHED | If any signature of the exception matched. |
| INT_STATUS_SIGNATURE_NOT_FOUND | If no signature matched. |
Definition at line 2323 of file exceptions.c.
Referenced by IntExceptVerifySignature().
|
static |
Iterates all signatures from the given exception and call the suitable function for that signature type.
| [in] | Exception | The current exception to check. |
| [in] | Originator | The originator structure used by the exceptions mechanism. |
| [in] | Victim | The current victim to check. |
| [in] | ExceptionType | The type of the exception EXCEPTION_TYPE. |
| [out] | Reason | The reason for which the violation is allowed/blocked. |
| INT_STATUS_NOT_SUPPORTED | If the exception type is invalid. |
| INT_STATUS_SIGNATURE_MATCHED | If any signature of the exception matched. |
| INT_STATUS_SIGNATURE_NOT_FOUND | If no signature matched. |
Definition at line 2736 of file exceptions.c.
Referenced by IntExceptMatchException().
|
static |
This function checks if the opcodes from the originator's RIP match the opcodes pattern from the given exception.
For every call of this function the guest virtual address near the RIP is mapped only once. The mapped guest virtual address is freed after all the checks have been made.
| [in] | Exception | The current exception to check. |
| [in] | Originator | The originator structure used by the exceptions mechanism. |
| [in] | Victim | The EXCEPTION_VICTIM_ZONE structure used by the exceptions mechanism. |
| [in] | Signatures | An array of signature IDs. |
| [in] | SignaturesCount | The number of signature IDs. |
| [in] | ExceptionType | The type of the exception EXCEPTION_TYPE. |
| INT_STATUS_NOT_SUPPORTED | If the exception type is invalid or the cs type is invalid. |
| INT_STATUS_SIGNATURE_MATCHED | If any signature of the exception matched. |
| INT_STATUS_SIGNATURE_NOT_FOUND | If no signature matched. |
Definition at line 1507 of file exceptions.c.
Referenced by IntExceptVerifySignature().
|
static |
This function checks if the hash of the modified zone from the originator matches the hash from the given exception.
| [in] | Exception | The current exception to check. |
| [in] | Originator | The originator structure used by the exceptions mechanism. |
| [in] | Victim | The victim structure used by the exceptions mechanism. |
| [in] | Signatures | An array of signature IDs. |
| [in] | SignaturesCount | The number of signature IDs. |
| [in] | ExceptionType | The type of the exception EXCEPTION_TYPE. |
| INT_STATUS_NOT_SUPPORTED | If the exception type is invalid or the cs type is invalid. |
| INT_STATUS_SIGNATURE_MATCHED | If any signature of the exception matched. |
| INT_STATUS_SIGNATURE_NOT_FOUND | If no signature matched. |
Definition at line 1760 of file exceptions.c.
Referenced by IntExceptVerifySignature().
|
static |
This function checks if the version of the introspection is in the minimum-maximum range.
| [in] | Exception | The current exception to check. |
| [in] | Signatures | An array of signature IDs. |
| [in] | SignaturesCount | The number of signature IDs. |
| INT_STATUS_NOT_SUPPORTED | If the exception type is invalid or the CS type is invalid. |
| INT_STATUS_SIGNATURE_MATCHED | If any signature of the exception matched. |
| INT_STATUS_SIGNATURE_NOT_FOUND | If no signature matched. |
Definition at line 2561 of file exceptions.c.
Referenced by IntExceptVerifySignature().
|
static |
This function checks if the version of the guest operating system is in the minimum-maximum range.
| [in] | Exception | The current exception to check. |
| [in] | Signatures | An array of signature IDs. |
| [in] | SignaturesCount | The number of signature IDs. |
| INT_STATUS_NOT_SUPPORTED | If the exception type is invalid or the cs type is invalid. |
| INT_STATUS_SIGNATURE_MATCHED | If any signature of the exception matched. |
| INT_STATUS_SIGNATURE_NOT_FOUND | If no signature matched. |
Definition at line 2407 of file exceptions.c.
Referenced by IntExceptVerifySignature().
|
static |
This function get the information from KERNEL_DRIVER and fill the information required by EXCEPTION_VICTIM_ZONE.
This function assume that the KERNEL_DRIVER refers a windows driver and must be used only for windows guests.
| [in] | Driver | The driver that have been modified. |
| [out] | Victim | The victim structure used by the exceptions mechanism. |
| INT_STATUS_SUCCESS | On success. |
Definition at line 562 of file exceptions.c.
Referenced by IntExceptGetVictimEpt().
|
static |
Cache for code blocks extracted from an originator.
Used by IntExceptVerifyCodeBlocksSig. Invalidated every time a new IntExcept pass is started (if the victim GVA is in the same page as CB_CACHE.Rip), or when a process is terminated (if the process Cr3 is the same as CB_CACHE.Cr3).
Definition at line 62 of file exceptions.c.
Referenced by IntExceptVerifyCodeBlocksSig().
|
static |
Cache for code blocks extracted from a return originator.
Used by IntExceptVerifyCodeBlocksSig. Invalidated every time a new IntExcept pass is started (if the victim GVA is in the same page as CB_CACHE.Rip), or when a process is terminated (if the process Cr3 is the same as CB_CACHE.Cr3).
Definition at line 68 of file exceptions.c.
Referenced by IntExceptVerifyCodeBlocksSig().
| char gExcLogLine[2 *ONE_KILOBYTE] |
The exception log line.
Definition at line 40 of file exceptions.c.
Referenced by IntExceptKernelLogLinuxInformation(), IntExceptKernelLogWindowsInformation(), IntExceptKernelUserLogWindowsInformation(), IntExceptUserLogLinuxInformation(), and IntExceptUserLogWindowsInformation().
|
static |
Cache of RIPs from which code blocks were already dumped.
Used by IntExceptDumpSignatures in order to avoid dumping the same code blocks multiple times.
Definition at line 23 of file exceptions.c.
Referenced by IntExceptDumpSignatures(), and IntExceptUninit().
|
static |
Pre-allocated buffer used to match value signatures.
Used by IntExceptVerifyValueSig to hold the injected memory contents. This avoids allocating and freeing a temporary buffer each time an EVENT_MEMCOPY_VIOLATION event is analyzed.
Allocated in IntExceptInit and freed in IntExceptUninit. May be reallocated by IntExceptVerifyValueSig if needed.
Definition at line 34 of file exceptions.c.
Referenced by IntExceptInit(), IntExceptUninit(), and IntExceptVerifyValueSig().
The size, in bytes, of the gValueBuffer buffer.
Definition at line 37 of file exceptions.c.
Referenced by IntExceptInit(), and IntExceptVerifyValueSig().
| INT_VERSION_INFO IntHviVersion |
The version of the introcore library.
Definition at line 27 of file introcore.c.
1.8.13