Bitdefender Hypervisor Memory Introspection
Kernel mode exceptions. More...
#include "exceptions.h"
#include "guests.h"
#include "lixstack.h"
#include "winpe.h"
#include "winstack.h"
#include "lixksym.h"
#include "crc32.h"
Functions | |
| static int | IntExceptPrintLixKmDrvInfo (KERNEL_DRIVER *Driver, char *Header, char *Line, int MaxLength, DWORD NameAlignment) |
| Print the information about the provided KERNEL_DRIVER (Linux guest). More... | |
| int | IntExceptPrintWinKmModInfo (KERNEL_DRIVER *Module, char *Header, char *Line, int MaxLength, DWORD NameAlignment) |
| Print the information about the provided KERNEL_DRIVER (windows guest). More... | |
| static int | IntExceptPrintMsrInfo (EXCEPTION_VICTIM_ZONE *Victim, char *Header, char *Line, int MaxLength) |
| Print the information about the modified MSR. More... | |
| static int | IntExceptPrintCrInfo (EXCEPTION_VICTIM_ZONE *Victim, char *Header, char *Line, int MaxLength) |
| Print the information about the modified CR. More... | |
| static int | IntExceptPrintIdtInfo (EXCEPTION_VICTIM_ZONE *Victim, char *Header, char *Line, int MaxLength) |
| Print the information about the modified IDT entry. More... | |
| static int | IntExceptPrintDtrInfo (EXCEPTION_VICTIM_ZONE *Victim, char *Header, char *Line, int MaxLength) |
| Print the information about the modified IDTR/GDTR. More... | |
| static void | IntExceptKernelLogLinuxInformation (EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason) |
| Print the information about a kernel-mode violation (Linux guest). More... | |
| static int | IntExceptPrintDrvObjInfo (WIN_DRIVER_OBJECT *DrvObj, char *Header, char *Line, int MaxLength) |
| Print the information about the WIN_DRIVER_OBJECT. More... | |
| static void | IntExceptKernelLogWindowsInformation (EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason) |
| Print the information about a kernel-mode violation (windows guest). More... | |
| void | IntExceptKernelLogInformation (EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason) |
| Print the information about a kernel-mode violation and dumps the code-blocks. More... | |
| static BOOLEAN | IntExceptLixKernelIsMemoryFunc (QWORD Rip) |
| Checks whether the write was performed from one of the generic memory-write functions: "memcpy", "__memcpy", "memset", "__memset" or "memmove". More... | |
| static INTSTATUS | IntExceptLixKernelGetOriginator (EXCEPTION_KM_ORIGINATOR *Originator) |
| This function is used to get the information about the kernel-mode originator (Linux guest). More... | |
| static INTSTATUS | IntExceptWinKernelGetOriginator (EXCEPTION_KM_ORIGINATOR *Originator, DWORD Options) |
| This function is used to get the information about the kernel-mode originator (windows guest). More... | |
| INTSTATUS | IntExceptKernelGetOriginator (EXCEPTION_KM_ORIGINATOR *Originator, DWORD Options) |
| This function is used to get the information about the kernel-mode originator. More... | |
| INTSTATUS | IntExceptGetOriginatorFromModification (EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator) |
| This function is used for integrity violations to get the information about the kernel-mode originator. More... | |
| INTSTATUS | IntExceptGetVictimDtr (DTR *NewValue, DTR *OldValue, INTRO_OBJECT_TYPE Type, EXCEPTION_VICTIM_ZONE *Victim) |
| This function is used to get the information about the DTR victim. More... | |
| INTSTATUS | IntExceptGetVictimMsr (QWORD NewValue, QWORD OldValue, DWORD Msr, EXCEPTION_VICTIM_ZONE *Victim) |
| This function is used to get the information about the MSR victim. More... | |
| INTSTATUS | IntExceptGetVictimIntegrity (INTEGRITY_REGION *IntegrityRegion, DWORD *Offset, EXCEPTION_VICTIM_ZONE *Victim) |
| This function is used to get the information about the modified zone from the integrity region. More... | |
| INTSTATUS | IntExceptGetVictimCr (QWORD NewValue, QWORD OldValue, DWORD Cr, EXCEPTION_VICTIM_ZONE *Victim) |
| This function is used to get the information about the CR victim. More... | |
| INTSTATUS | IntExceptKernelVerifyExtra (EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_UM_ORIGINATOR *Originator, UM_EXCEPTION *Exception) |
| This function is used as an extra step in exception mechanism. More... | |
| INTSTATUS | IntExceptKernelMatchVictim (EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, KM_EXCEPTION *Exception) |
| This function checks if the exception matches the originator and the modified zone. More... | |
| INTSTATUS | IntExceptKernel (EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason) |
| This function iterates through exception lists and tries to find an exception that matches the originator and the victim. More... | |
Variables | |
| char | gExcLogLine [2 *ONE_KILOBYTE] |
| The exception log line. More... | |
Kernel mode exceptions.
Definition in file exceptions_kern.c.
| INTSTATUS IntExceptGetOriginatorFromModification | ( | EXCEPTION_VICTIM_ZONE * | Victim, |
| EXCEPTION_KM_ORIGINATOR * | Originator | ||
| ) |
This function is used for integrity violations to get the information about the kernel-mode originator.
The function tries to derive the address of the originator driver from the written memory zone (Victim->WriteInfo). Because this path serves integrity violations, which are detected after the fact rather than at a faulting instruction, the originator appears to be inferred from the written data (the driver the new value points into) rather than from the RIP of the code that performed the write — confirm against the definition.
| [in] | Victim | The victim object. |
| [out] | Originator | The originator object. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_EXCEPTION_BLOCK | If the violation should be blocked. |
| INT_STATUS_EXCEPTION_ALLOW | If the violation should be allowed. |
| INT_STATUS_NOT_SUPPORTED | If the modified object type is not one of the supported types. (The list of supported types was not captured on this page; see the definition at line 2567 of exceptions_kern.c.) |
Definition at line 2567 of file exceptions_kern.c.
Referenced by IntWinDrvObjHandleModification(), IntWinHalHandleDispatchTableWrite(), IntWinHalHandlePerfCounterModification(), IntWinIdtHandleModification(), IntWinInfHookIntegrityHandleWrite(), and IntWinIntObjHandleModification().
| INTSTATUS IntExceptGetVictimCr | ( | QWORD | NewValue, |
| QWORD | OldValue, | ||
| DWORD | Cr, | ||
| EXCEPTION_VICTIM_ZONE * | Victim | ||
| ) |
This function is used to get the information about the CR victim.
| [in] | NewValue | The new value (written) of the CR. |
| [in] | OldValue | The old value of the CR. |
| [in] | Cr | The number of the CR register. |
| [out] | Victim | The victim object. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_SUPPORTED | If the provided CR is not CR4. |
| INT_STATUS_INVALID_PARAMETER_2 | If the provided OldValue is invalid. (NOTE(review): this entry reads "DTR object" in the original and appears copied from IntExceptGetVictimDtr; the CR variant takes no DTR object — confirm the actual check against the definition.) |
| INT_STATUS_INVALID_PARAMETER_4 | If the provided victim object is invalid. |
Definition at line 3047 of file exceptions_kern.c.
Referenced by IntCrLixHandleWrite(), and IntCrWinHandleWrite().
| INTSTATUS IntExceptGetVictimDtr | ( | DTR * | NewValue, |
| DTR * | OldValue, | ||
| INTRO_OBJECT_TYPE | Type, | ||
| EXCEPTION_VICTIM_ZONE * | Victim | ||
| ) |
This function is used to get the information about the DTR victim.
| [in] | NewValue | The new value (written) of the DTR. |
| [in] | OldValue | The old value of the DTR. |
| [in] | Type | Any of the following: introObjectTypeIdtr / introObjectTypeGdtr. |
| [out] | Victim | The victim object. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER_1 | If the provided new DTR value (NewValue) is invalid. |
| INT_STATUS_INVALID_PARAMETER_2 | If the provided old DTR value (OldValue) is invalid. |
| INT_STATUS_INVALID_PARAMETER_4 | If the provided victim object is invalid. |
Definition at line 2763 of file exceptions_kern.c.
Referenced by IntDtrHandleWrite().
| INTSTATUS IntExceptGetVictimIntegrity | ( | INTEGRITY_REGION * | IntegrityRegion, |
| DWORD * | Offset, | ||
| EXCEPTION_VICTIM_ZONE * | Victim | ||
| ) |
This function is used to get the information about the modified zone from the integrity region.
Fetches the old and the new value at the modified address, aligned down to a 64-bit (or 32-bit) boundary; unchanged bytes outside that window are not reported. The offset of the modification that was found is returned through Offset so the caller can invoke the function again (recursively) and resume scanning from that offset.
| [in] | IntegrityRegion | The integrity region object. |
| [in,out] | Offset | On input, the offset within the region (not the page) from which to start searching for modifications (used for recursive calls); on output, the offset of the modification that was found. |
| [out] | Victim | The victim object. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER_1 | If the provided integrity-region object is invalid. |
| INT_STATUS_INVALID_PARAMETER_2 | If the provided offset pointer is invalid. |
| INT_STATUS_INVALID_PARAMETER_4 | If the provided victim object is invalid. |
| INT_STATUS_NOT_FOUND | If no modification is found. |
| INT_STATUS_BUFFER_OVERFLOW | If the modification found in the region is larger than the victim's modified-object buffer can hold. |
Definition at line 2861 of file exceptions_kern.c.
Referenced by IntWinDrvObjHandleModification(), IntWinHalHandleDispatchTableWrite(), IntWinHalHandlePerfCounterModification(), IntWinIdtHandleModification(), IntWinInfHookIntegrityHandleWrite(), and IntWinIntObjHandleModification().
| INTSTATUS IntExceptGetVictimMsr | ( | QWORD | NewValue, |
| QWORD | OldValue, | ||
| DWORD | Msr, | ||
| EXCEPTION_VICTIM_ZONE * | Victim | ||
| ) |
This function is used to get the information about the MSR victim.
| [in] | NewValue | The new value (written) of the MSR. |
| [in] | OldValue | The old value of the MSR. |
| [in] | Msr | The number of the MSR. |
| [out] | Victim | The victim object. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER_4 | If the provided victim object is invalid. |
Definition at line 2815 of file exceptions_kern.c.
Referenced by IntLixMsrHandleWrite(), and IntWinMsrHandleWrite().
| INTSTATUS IntExceptKernel | ( | EXCEPTION_VICTIM_ZONE * | Victim, |
| EXCEPTION_KM_ORIGINATOR * | Originator, | ||
| INTRO_ACTION * | Action, | ||
| INTRO_ACTION_REASON * | Reason | ||
| ) |
This function iterates through exception lists and tries to find an exception that matches the originator and the victim.
| [in] | Victim | The victim object. |
| [in] | Originator | The originator object. |
| [out] | Action | The action that was taken. |
| [out] | Reason | The reason for which Action was taken. |
| INT_STATUS_INVALID_PARAMETER_1 | If the victim object is invalid. |
| INT_STATUS_INVALID_PARAMETER_2 | If the originator object is invalid. |
| INT_STATUS_INVALID_PARAMETER_3 | If the action is invalid. |
| INT_STATUS_INVALID_PARAMETER_4 | If the reason is invalid. |
| INT_STATUS_EXCEPTION_ALLOW | If an exception matched and the violation is allowed. |
| INT_STATUS_EXCEPTION_NOT_MATCHED | If no exception matched the originator/victim pair; the violation is not allowed. |
Definition at line 3535 of file exceptions_kern.c.
Referenced by IntExcept().
| INTSTATUS IntExceptKernelGetOriginator | ( | EXCEPTION_KM_ORIGINATOR * | Originator, |
| DWORD | Options | ||
| ) |
This function is used to get the information about the kernel-mode originator.
| [out] | Originator | The originator object. |
| [in] | Options | A mask of flags controlling how the originator is fetched (passed by value, so it is an input, not an output). |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER_1 | If the provided originator is invalid. |
| INT_STATUS_NOT_SUPPORTED | If the guest type is not supported. |
Definition at line 2520 of file exceptions_kern.c.
Referenced by IntCrLixHandleWrite(), IntCrWinHandleWrite(), IntDtrHandleWrite(), IntHookGvaEnableHooks(), IntHookPtsCheckIntegrity(), IntLixDrvHandleWrite(), IntLixIdtWriteHandler(), IntLixKernelHandleRead(), IntLixMsrHandleWrite(), IntLixVdsoHandleKernelModeWrite(), IntVeHandleAccess(), IntVeHandleEPTViolationInProtectedView(), IntWinDrvHandleRead(), IntWinDrvHandleWrite(), IntWinDrvObjHandleWrite(), IntWinHalHandleHalHeapExec(), IntWinHalHandleHalIntCtrlWrite(), IntWinIdtWriteHandler(), IntWinInfHookEptSppHandleWrite(), IntWinModHandleKernelWrite(), IntWinMsrHandleWrite(), IntWinSelfMapHandleCr3SelfMapWrite(), IntWinSudHandleKernelSudExec(), and IntWinTokenPrivsHandleWrite().
| void IntExceptKernelLogInformation | ( | EXCEPTION_VICTIM_ZONE * | Victim, |
| EXCEPTION_KM_ORIGINATOR * | Originator, | ||
| INTRO_ACTION | Action, | ||
| INTRO_ACTION_REASON | Reason | ||
| ) |
Print the information about a kernel-mode violation and dumps the code-blocks.
| [in] | Victim | The victim object. |
| [in] | Originator | The originator object. |
| [in] | Action | The action that was taken. |
| [in] | Reason | The reason for which Action was taken. |
Definition at line 2032 of file exceptions_kern.c.
Referenced by IntCrLixHandleWrite(), IntCrWinHandleWrite(), IntDtrHandleWrite(), IntExcept(), IntLixDrvHandleWrite(), IntLixKernelHandleRead(), IntLixMsrHandleWrite(), IntLixVdsoHandleKernelModeWrite(), IntVeHandleAccess(), IntVeHandleEPTViolationInProtectedView(), IntWinDrvHandleRead(), IntWinDrvHandleWrite(), IntWinDrvObjHandleModification(), IntWinDrvObjHandleWrite(), IntWinHalHandleHalHeapExec(), IntWinHalHandleHalIntCtrlWrite(), IntWinHalHandlePerfCounterModification(), IntWinInfHookEptSppHandleWrite(), IntWinInfHookIntegrityHandleWrite(), IntWinMsrHandleWrite(), IntWinSudHandleKernelSudExec(), and IntWinTokenPrivsHandleWrite().
static |
Print the information about a kernel-mode violation (Linux guest).
| [in] | Victim | The victim object. |
| [in] | Originator | The originator object. |
| [in] | Action | The action that was taken. |
| [in] | Reason | The reason for which Action was taken. |
Definition at line 678 of file exceptions_kern.c.
Referenced by IntExceptKernelLogInformation().
static |
Print the information about a kernel-mode violation (windows guest).
| [in] | Victim | The victim object. |
| [in] | Originator | The originator object. |
| [in] | Action | The action that was taken. |
| [in] | Reason | The reason for which Action was taken. |
Definition at line 1343 of file exceptions_kern.c.
Referenced by IntExceptKernelLogInformation().
| INTSTATUS IntExceptKernelMatchVictim | ( | EXCEPTION_VICTIM_ZONE * | Victim, |
| EXCEPTION_KM_ORIGINATOR * | Originator, | ||
| KM_EXCEPTION * | Exception | ||
| ) |
This function checks if the exception matches the originator and the modified zone.
The following are verified (the itemized list was not captured on this page; see the definition at line 3119 of exceptions_kern.c for the exact set of checks):
| [in] | Victim | The victim object. |
| [in] | Originator | The originator object. |
| [in] | Exception | The current exception object. |
| INT_STATUS_EXCEPTION_NOT_MATCHED | If any check fails. |
| INT_STATUS_EXCEPTION_ALLOW | If all checks have passed. |
Definition at line 3119 of file exceptions_kern.c.
Referenced by IntExceptMatchException().
| INTSTATUS IntExceptKernelVerifyExtra | ( | EXCEPTION_VICTIM_ZONE * | Victim, |
| EXCEPTION_UM_ORIGINATOR * | Originator, | ||
| UM_EXCEPTION * | Exception | ||
| ) |
This function is used as an extra verification step in the exception-matching mechanism. Note that, although it lives in the kernel-mode exceptions file, it takes a user-mode originator (EXCEPTION_UM_ORIGINATOR) and a user-mode exception (UM_EXCEPTION), and the only documented return value is INT_STATUS_EXCEPTION_CHECKS_OK.
| [in] | Victim | The victim object. |
| [in] | Originator | The originator object. |
| [in] | Exception | The current exception object. |
| INT_STATUS_EXCEPTION_CHECKS_OK | On success. |
Definition at line 3095 of file exceptions_kern.c.
Referenced by IntExceptMatchException().
static |
This function is used to get the information about the kernel-mode originator (Linux guest).
The stack-trace is parsed in order to fetch the return driver.
| [out] | Originator | The originator object. |
| INT_STATUS_SUCCESS | On success. |
Definition at line 2100 of file exceptions_kern.c.
Referenced by IntExceptKernelGetOriginator().
Checks whether the write was performed from one of the generic memory-write functions: "memcpy", "__memcpy", "memset", "__memset" or "memmove".
| [in] | Rip | The RIP from which the write originated. |
| True | If the write was made from one of the generic memory-write functions listed above; otherwise false. |
Definition at line 2070 of file exceptions_kern.c.
Referenced by IntExceptLixKernelGetOriginator().
static |
Print the information about the modified CR.
| [in] | Victim | The victim object. |
| [in] | Header | The header of the output buffer. |
| [in] | Line | The output buffer. |
| [in] | MaxLength | The maximum number of characters that can be written to Line. |
| Returns | The number of characters written. |
Definition at line 374 of file exceptions_kern.c.
Referenced by IntExceptKernelLogLinuxInformation(), and IntExceptKernelLogWindowsInformation().
static |
Print the information about the WIN_DRIVER_OBJECT.
| [in] | DrvObj | The WIN_DRIVER_OBJECT object. |
| [in] | Header | The header of the output buffer. |
| [in] | Line | The output buffer. |
| [in] | MaxLength | The maximum number of characters that can be written to Line. |
| Returns | The number of characters written. |
Definition at line 1255 of file exceptions_kern.c.
Referenced by IntExceptKernelLogWindowsInformation().
static |
Print the information about the modified IDTR/GDTR.
| [in] | Victim | The victim object. |
| [in] | Header | The header of the output buffer. |
| [in] | Line | The output buffer. |
| [in] | MaxLength | The maximum number of characters that can be written to Line. |
| Returns | The number of characters written. |
Definition at line 571 of file exceptions_kern.c.
Referenced by IntExceptKernelLogWindowsInformation().
static |
Print the information about the modified IDT entry.
| [in] | Victim | The victim object. |
| [in] | Header | The header of the output buffer. |
| [in] | Line | The output buffer. |
| [in] | MaxLength | The maximum number of characters that can be written to Line. |
| Returns | The number of characters written. |
Definition at line 473 of file exceptions_kern.c.
Referenced by IntExceptKernelLogLinuxInformation(), and IntExceptKernelLogWindowsInformation().
static |
Print the information about the provided KERNEL_DRIVER (Linux guest).
| [in] | Driver | The driver object. |
| [in] | Header | The header of the output buffer. |
| [in] | Line | The output buffer. |
| [in] | MaxLength | The maximum number of characters that can be written to Line. |
| [in] | NameAlignment | The column alignment applied to the driver name in the buffer. |
| Returns | The number of characters written. |
Definition at line 24 of file exceptions_kern.c.
Referenced by IntExceptKernelLogLinuxInformation(), and IntExceptPrintMsrInfo().
static |
Print the information about the modified MSR.
| [in] | Victim | The victim object. |
| [in] | Header | The header of the output buffer. |
| [in] | Line | The output buffer. |
| [in] | MaxLength | The maximum number of characters that can be written to Line. |
| Returns | The number of characters written. |
Definition at line 207 of file exceptions_kern.c.
Referenced by IntExceptKernelLogLinuxInformation(), and IntExceptKernelLogWindowsInformation().
| int IntExceptPrintWinKmModInfo | ( | KERNEL_DRIVER * | Module, |
| char * | Header, | ||
| char * | Line, | ||
| int | MaxLength, | ||
| DWORD | NameAlignment | ||
| ) |
Print the information about the provided KERNEL_DRIVER (windows guest).
| [in] | Module | The driver object. |
| [in] | Header | The header of the output buffer. |
| [in] | Line | The output buffer. |
| [in] | MaxLength | The maximum number of characters that can be written to Line. |
| [in] | NameAlignment | The column alignment applied to the module name in the buffer. |
| Returns | The number of characters written. |
Definition at line 101 of file exceptions_kern.c.
Referenced by IntExceptKernelLogWindowsInformation(), IntExceptKernelUserLogWindowsInformation(), and IntExceptPrintMsrInfo().
static |
This function is used to get the information about the kernel-mode originator (windows guest).
The stack-trace is parsed in order to fetch the return driver.
The sections of the originating driver and of the return driver are parsed in order to decide whether the violation should be blocked (INT_STATUS_EXCEPTION_BLOCK).
| [out] | Originator | The originator object. |
| [in] | Options | A mask of flags controlling how the originator is fetched (passed by value, so it is an input, not an output). |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_EXCEPTION_BLOCK | If the violation should be blocked. |
Definition at line 2221 of file exceptions_kern.c.
Referenced by IntExceptKernelGetOriginator().
| char gExcLogLine[2 *ONE_KILOBYTE] |
The exception log line.
Definition at line 40 of file exceptions.c.
Referenced by IntExceptKernelLogLinuxInformation(), and IntExceptKernelLogWindowsInformation().