50 if (*(
char *)Driver->Name)
52 ret = snprintf(Line, MaxLength,
"%s(%-*s", Header, NameAlignment, (
char *)Driver->Name);
59 if (ret < 0 || ret >= MaxLength)
61 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, MaxLength);
70 ret = snprintf(Line, MaxLength,
" [0x%08x], %016llx", Driver->NameHash, Driver->BaseVa);
72 if (ret < 0 || ret >= MaxLength)
74 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, MaxLength);
83 ret = snprintf(Line, MaxLength,
")");
85 if (ret < 0 || ret >= MaxLength)
87 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, MaxLength);
129 wName = Module->Win.Path ? Module->Win.Path : Module->Name ? Module->Name : NULL;
142 ret = snprintf(Line, MaxLength,
"%s(%-*s", Header, NameAlignment, name);
146 ret = snprintf(Line, MaxLength,
"%s(%s", Header, name);
149 if (ret < 0 || ret >= MaxLength)
151 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, MaxLength);
160 ret = snprintf(Line, MaxLength,
" [0x%08x], %0*llx", Module->NameHash,
gGuest.
WordSize * 2, Module->BaseVa);
162 if (ret < 0 || ret >= MaxLength)
164 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, MaxLength);
173 if (Module->Win.TimeDateStamp)
175 ret = snprintf(Line, MaxLength,
", VerInfo: %x:%llx", Module->Win.TimeDateStamp, Module->Size);
177 if (ret < 0 || ret >= MaxLength)
179 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, MaxLength);
189 ret = snprintf(Line, MaxLength,
")");
191 if (ret < 0 || ret >= MaxLength)
193 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, MaxLength);
224 const char *msrName = NULL;
225 int ret = 0, total = 0;
227 ret = snprintf(Line, MaxLength,
"%s: (%08x", Header, Victim->Msr.Msr);
229 if (ret < 0 || ret >= MaxLength)
231 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, MaxLength);
242 msrName =
"SYSENTER_CS";
246 msrName =
"SYSENTER_ESP";
250 msrName =
"SYSENTER_EIP";
263 ret = snprintf(Line, MaxLength,
", %s", msrName);
265 if (ret < 0 || ret >= MaxLength)
267 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, MaxLength);
277 ret = snprintf(Line, MaxLength,
")");
279 if (ret < 0 || ret >= MaxLength)
281 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, MaxLength);
290 ret = snprintf(Line, MaxLength,
", WriteInfo: (%016llx -> %016llx)",
291 Victim->WriteInfo.OldValue[0],
292 Victim->WriteInfo.NewValue[0]);
294 if (ret < 0 || ret >= MaxLength)
296 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, MaxLength);
305 if (Victim->Msr.NewDriverBase)
313 if (ret < 0 || ret >= MaxLength)
315 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, MaxLength);
328 if (ret < 0 || ret >= MaxLength)
330 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, MaxLength);
353 ret = snprintf(Line, MaxLength,
", %s", symbol);
355 if (ret < 0 || ret >= MaxLength)
357 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, MaxLength);
391 int ret = 0, total = 0;
393 ret = snprintf(Line, MaxLength,
"%s%u", Header, Victim->Cr.Cr);
395 if (ret < 0 || ret >= MaxLength)
397 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, MaxLength);
406 if (Victim->Cr.Smep && Victim->Cr.Smap)
408 ret = snprintf(Line, MaxLength,
", (SMAP, SMEP)");
410 if (ret < 0 || ret >= MaxLength)
412 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, MaxLength);
421 else if (Victim->Cr.Smap)
423 ret = snprintf(Line, MaxLength,
", (SMEP)");
425 if (ret < 0 || ret >= MaxLength)
427 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, MaxLength);
436 else if (Victim->Cr.Smep)
438 ret = snprintf(Line, MaxLength,
", (SMAP)");
440 if (ret < 0 || ret >= MaxLength)
442 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, MaxLength);
452 ret = snprintf(Line, MaxLength,
", WriteInfo: (%u, %016llx -> %016llx)",
453 Victim->WriteInfo.AccessSize,
454 Victim->WriteInfo.OldValue[0],
455 Victim->WriteInfo.NewValue[0]);
457 if (ret < 0 || ret >= MaxLength)
459 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, MaxLength);
490 int ret = 0, total = 0;
491 QWORD entry, entryNo;
496 entry = Victim->Object.BaseAddress + Victim->Integrity.Offset;
502 entry = Victim->Ept.Gva;
503 entryNo = (Victim->Ept.Gva - Victim->Object.BaseAddress) /
508 ret = snprintf(Line, MaxLength,
"%s (IDT Base Address: %llx, IDT Entry modified: %llu (0x%016llx) (%s)",
509 Header, Victim->Object.BaseAddress, entryNo, entry, prot);
511 if (ret < 0 || ret >= MaxLength)
513 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, MaxLength);
522 ret = snprintf(Line, MaxLength,
", WriteInfo: (%u", Victim->WriteInfo.AccessSize);
524 if (ret < 0 || ret >= MaxLength)
526 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, MaxLength);
535 for (
DWORD i = 0; i *
sizeof(Victim->WriteInfo.NewValue[0]) < Victim->WriteInfo.AccessSize; i++)
537 ret = snprintf(Line, MaxLength,
", %016llx -> 0x%016llx",
538 Victim->WriteInfo.OldValue[i],
539 Victim->WriteInfo.NewValue[i]);
541 if (ret < 0 || ret >= MaxLength)
543 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, MaxLength);
553 ret = snprintf(Line, MaxLength,
")");
555 if (ret < 0 || ret >= MaxLength)
557 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, MaxLength);
588 const char *dtrName = NULL;
589 int ret = 0, total = 0;
591 ret = snprintf(Line, MaxLength,
"%s(", Header);
593 if (ret < 0 || ret >= MaxLength)
595 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, MaxLength);
617 ret = snprintf(Line, MaxLength,
"%s", dtrName);
619 if (ret < 0 || ret >= MaxLength)
621 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, MaxLength);
630 ret = snprintf(Line, MaxLength,
")");
632 if (ret < 0 || ret >= MaxLength)
634 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, MaxLength);
643 ret = snprintf(Line, MaxLength,
", WriteInfo: (%016llx -> %016llx)",
644 Victim->WriteInfo.OldValue[0],
645 Victim->WriteInfo.NewValue[0]);
647 if (ret < 0 || ret >= MaxLength)
649 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, MaxLength);
658 ret = snprintf(Line, MaxLength,
", DtrLimit: (%04llx -> %04llx)",
659 Victim->WriteInfo.OldValue[1],
660 Victim->WriteInfo.NewValue[1]);
662 if (ret < 0 || ret >= MaxLength)
664 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, MaxLength);
695 DWORD modNameAlignment;
700 pDriver = Originator->Original.Driver;
701 pRetDriver = Originator->Return.Driver;
703 modNameAlignment = 0;
708 if (pModDriver && pDriver && pRetDriver)
713 if (pModDriver && pRetDriver)
715 if (modNameAlignment > 0)
733 if (ret < 0 || ret >= rem)
735 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
747 char instr[ND_MIN_BUF_SIZE];
750 if (Originator->Instruction)
752 NDSTATUS s = NdToText(Originator->Instruction, Originator->Original.Rip,
sizeof(instr), instr);
777 if (ret < 0 || ret >= rem)
779 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
787 ret = snprintf(l, rem,
", RIP %016llx", Originator->Original.Rip);
789 if (ret < 0 || ret >= rem)
791 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
799 if (Originator->Original.Section[0] != 0)
801 ret = snprintf(l, rem,
" (%s)", Originator->Original.Section);
803 if (ret < 0 || ret >= rem)
805 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
816 ret = snprintf(l, rem,
" (%s)", symbol);
818 if (ret < 0 || ret >= rem)
820 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
831 ret = snprintf(l, rem,
", Instr: %s", instr);
833 if (ret < 0 || ret >= rem)
835 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
851 if (ret < 0 || ret >= rem)
853 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
863 if (ret < 0 || ret >= rem)
865 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
877 if (pRetDriver && Originator->Original.Rip != Originator->Return.Rip)
897 if (ret < 0 || ret >= rem)
899 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
907 ret = snprintf(l, rem,
", RIP %016llx", Originator->Return.Rip);
909 if (ret < 0 || ret >= rem)
911 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
919 if (Originator->Return.Section[0] != 0)
921 ret = snprintf(l, rem,
"(%s)", Originator->Return.Section);
923 if (ret < 0 || ret >= rem)
925 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
936 ret = snprintf(l, rem,
" (%s)", symbol);
938 if (ret < 0 || ret >= rem)
940 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
960 if (ret < 0 || ret >= rem)
962 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
976 pDriver = Victim->Object.Module.Module;
982 if (ret < 0 || ret >= rem)
984 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
994 ret = snprintf(l, rem,
"Victim -> Module: %*s", modNameAlignment,
"[vdso]");
996 if (ret < 0 || ret >= rem)
998 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
1008 ret = snprintf(l, rem,
"Victim -> Module: %*s", modNameAlignment,
"[vsyscall]");
1010 if (ret < 0 || ret >= rem)
1012 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
1021 ret = snprintf(l, rem,
", Address: (%0llx, %0llx)",
1022 Victim->Ept.Gva, Victim->Ept.Gpa);
1024 if (ret < 0 || ret >= rem)
1026 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
1042 ret = snprintf(l, rem,
", %s", symbol);
1044 if (ret < 0 || ret >= rem)
1046 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
1058 ret = snprintf(l, rem,
", WriteInfo: (%u, %016llx -> %016llx)", Victim->WriteInfo.AccessSize,
1059 Victim->WriteInfo.OldValue[0], Victim->WriteInfo.NewValue[0]);
1063 ret = snprintf(l, rem,
", ReadInfo: (%u, %016llx)", Victim->ReadInfo.AccessSize, Victim->ReadInfo.Value[0]);
1066 if (ret < 0 || ret >= rem)
1068 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
1076 if (Victim->ZoneFlags)
1078 ret = snprintf(l, rem,
", Flags:%s%s%s%s%s (0x%llx)",
1084 (
unsigned long long)Victim->ZoneFlags);
1086 if (ret < 0 || ret >= rem)
1088 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
1103 if (ret < 0 || ret >= rem)
1105 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
1119 if (ret < 0 || ret >= rem)
1121 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
1137 ret = snprintf(l, rem,
"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^%sROOTKIT (kernel-mode) ",
1140 if (ret < 0 || ret >= rem)
1142 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
1153 ret = snprintf(l, rem,
"(no sig)");
1156 ret = snprintf(l, rem,
"(no exc)");
1159 ret = snprintf(l, rem,
"(extra)");
1162 ret = snprintf(l, rem,
"(error)");
1165 ret = snprintf(l, rem,
"(value)");
1168 ret = snprintf(l, rem,
"(export)");
1171 ret = snprintf(l, rem,
"(value code)");
1174 ret = snprintf(l, rem,
"(idt)");
1177 ret = snprintf(l, rem,
"(version os)");
1180 ret = snprintf(l, rem,
"(version intro)");
1183 ret = snprintf(l, rem,
"(process creation)");
1186 ret = snprintf(l, rem,
"(unknown)");
1189 ret = snprintf(l, rem,
"(%d)", Reason);
1193 if (ret < 0 || ret >= rem)
1195 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
1203 snprintf(l, rem,
" ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^");
1205 if (ret < 0 || ret >= rem)
1207 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
1218 for (
DWORD t = 0; t < Originator->StackTrace.NumberOfTraces; t++)
1220 if (NULL != Originator->StackTrace.Traces[t].ReturnModule)
1240 LOG(
"[STACK TRACE] [at %llx] returning to [%s at %llx] %s",
1241 Originator->StackTrace.Traces[t].CurrentRip,
1242 (
char *)((
KERNEL_DRIVER *)Originator->StackTrace.Traces[t].ReturnModule)->Name,
1243 Originator->StackTrace.Traces[t].ReturnAddress, symbol);
1247 LOG(
"[STACK TRACE] [at %llx]", Originator->StackTrace.Traces[t].CurrentRip);
1282 ret = snprintf(Line, MaxLength,
"%s(%s", Header, name);
1284 if (ret < 0 || ret >= MaxLength)
1286 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, MaxLength);
1295 ret = snprintf(Line, MaxLength,
" [0x%08x], %0*llx, %0llx",
1296 DrvObj->NameHash,
gGuest.
WordSize * 2, DrvObj->DriverObjectGva, DrvObj->DriverObjectGpa);
1298 if (ret < 0 || ret >= MaxLength)
1300 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, MaxLength);
1309 if (DrvObj->FastIOTableAddress)
1311 ret = snprintf(Line, MaxLength,
", %0*llx",
gGuest.
WordSize * 2, DrvObj->FastIOTableAddress);
1313 if (ret < 0 || ret >= MaxLength)
1315 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, MaxLength);
1325 ret = snprintf(Line, MaxLength,
")");
1327 if (ret < 0 || ret >= MaxLength)
1329 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, MaxLength);
1359 DWORD modNameAlignment;
1363 pDriver = Originator->Original.Driver;
1364 pRetDriver = Originator->Return.Driver;
1366 modNameAlignment = 0;
1371 if (pModDriver && pDriver)
1376 if (pModDriver && pRetDriver)
1378 if (modNameAlignment > 0)
1404 if (ret < 0 || ret >= rem)
1406 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
1419 char instr[ND_MIN_BUF_SIZE];
1421 if (Originator->Instruction)
1423 NDSTATUS ndstatus = NdToText(Originator->Instruction, Originator->Original.Rip,
sizeof(instr), instr);
1424 if (!ND_SUCCESS(ndstatus))
1436 if (ret < 0 || ret >= rem)
1438 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
1446 ret = snprintf(l, rem,
", RIP %0*llx",
gGuest.
WordSize * 2, Originator->Original.Rip);
1448 if (ret < 0 || ret >= rem)
1450 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
1458 if (Originator->Original.Section[0] != 0)
1460 ret = snprintf(l, rem,
" (%s)", Originator->Original.Section);
1462 if (ret < 0 || ret >= rem)
1464 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
1475 ret = snprintf(l, rem,
", Instr: %s", instr);
1477 if (ret < 0 || ret >= rem)
1479 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
1490 if (Originator->Return.Driver && Originator->Original.Rip != Originator->Return.Rip)
1497 if (ret < 0 || ret >= rem)
1499 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
1507 ret = snprintf(l, rem,
", RIP %0*llx",
gGuest.
WordSize * 2, Originator->Return.Rip);
1509 if (ret < 0 || ret >= rem)
1511 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
1519 if (Originator->Return.Section[0] != 0)
1521 ret = snprintf(l, rem,
"(%s)", Originator->Return.Section);
1523 if (ret < 0 || ret >= rem)
1525 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
1545 if (ret < 0 || ret >= rem)
1547 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
1561 pDriver = Victim->Object.Module.Module;
1565 if (ret < 0 || ret >= rem)
1567 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
1575 ret = snprintf(l, rem,
", Address: (%0*llx, %0*llx)",
1578 if (ret < 0 || ret >= rem)
1580 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
1590 ret = snprintf(l, rem,
", WriteInfo: (%u, %016llx -> %016llx)", Victim->WriteInfo.AccessSize,
1591 Victim->WriteInfo.OldValue[0], Victim->WriteInfo.NewValue[0]);
1595 ret = snprintf(l, rem,
", ReadInfo: (%u, %016llx)", Victim->ReadInfo.AccessSize, Victim->ReadInfo.Value[0]);
1598 if (ret < 0 || ret >= rem)
1600 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
1608 if (Victim->ZoneFlags)
1610 ret = snprintf(l, rem,
", Flags:%s%s%s%s%s (0x%llx)",
1616 (
unsigned long long)Victim->ZoneFlags);
1618 if (ret < 0 || ret >= rem)
1620 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
1645 if (ret < 0 || ret >= rem)
1647 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
1660 if (ret < 0 || ret >= rem)
1662 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
1671 ret = snprintf(l, rem,
", WriteInfo: (%u, %016llx -> %016llx)",
1672 Victim->WriteInfo.AccessSize,
1673 Victim->WriteInfo.OldValue[0],
1674 Victim->WriteInfo.NewValue[0]);
1676 if (ret < 0 || ret >= rem)
1678 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
1688 ret = snprintf(l, rem,
", INTEGRITY");
1690 if (ret < 0 || ret >= rem)
1692 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
1707 if (ret < 0 || ret >= rem)
1709 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
1721 LOG(
"Victim -> Hal interrupt controller: (%0*llx, %0*llx), WriteInfo: (%d, %016llx -> %016llx)\n",
1723 Victim->WriteInfo.AccessSize,
1724 Victim->WriteInfo.OldValue[0], Victim->WriteInfo.NewValue[0]);
1728 LOG(
"Victim -> Hal heap execute: (%0*llx, %0*llx)\n",
1733 LOG(
"Victim -> SharedUserData execute: (%0*llx, %0*llx)\n",
1740 if (ret < 0 || ret >= rem)
1742 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
1754 LOG(
"Victim -> Self map entry: %s [0x%08x] (%016llx, %016llx), " 1755 "WriteInfo: (%d, %016llx -> %016llx), Index: %08x\n",
1756 Victim->Object.Name, Victim->Object.NameHash,
1757 Victim->Ept.Gva, Victim->Ept.Gpa,
1758 Victim->WriteInfo.AccessSize,
1759 Victim->WriteInfo.OldValue[0],
1760 Victim->WriteInfo.NewValue[0],
1767 LOG(
"Victim -> Circular Kernel Context Logger (%016llx, %016llx), " 1768 "WriteInfo: (%d, %016llx -> %016llx), INTEGRITY\n",
1769 Victim->Integrity.StartVirtualAddress,
1770 Victim->Integrity.StartVirtualAddress + Victim->Integrity.TotalLength,
1771 Victim->WriteInfo.AccessSize,
1772 Victim->WriteInfo.OldValue[0],
1773 Victim->WriteInfo.NewValue[0]);
1777 LOG(
"Victim -> Circular Kernel Context Logger (%016llx, %016llx), " 1778 "WriteInfo: (%d, %016llx -> %016llx), EPT\n",
1779 Victim->Ept.Gva, Victim->Ept.Gpa,
1780 Victim->WriteInfo.AccessSize,
1781 Victim->WriteInfo.OldValue[0],
1782 Victim->WriteInfo.NewValue[0]);
1787 LOG(
"Victim -> HalPerformanceCounter (%016llx, %016llx), " 1788 "WriteInfo: (%d, %016llx -> %016llx), INTEGRITY\n",
1789 Victim->Integrity.StartVirtualAddress,
1790 Victim->Integrity.StartVirtualAddress + Victim->Integrity.TotalLength,
1791 Victim->WriteInfo.AccessSize,
1792 Victim->WriteInfo.OldValue[0],
1793 Victim->WriteInfo.NewValue[0]);
1800 if (ret < 0 || ret >= rem)
1802 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
1816 LOG(
"Victim -> Token privileges (%s [0x%08x] %d), WriteInfo: (Present: 0x%016llx, " 1817 "Enabled: 0x%016llx -> Present: 0x%016llx, Enabled: 0x%016llx), INTEGRITY\n",
1818 Victim->Object.WinProc->Name,
1819 Victim->Object.WinProc->NameHash,
1820 Victim->Object.WinProc->Pid,
1821 Victim->WriteInfo.OldValue[0],
1822 Victim->WriteInfo.OldValue[1],
1823 Victim->WriteInfo.NewValue[0],
1824 Victim->WriteInfo.NewValue[1]);
1828 LOG(
"Victim -> Token privileges (%s [0x%08x] %d), WriteInfo: (%d, %016llx -> %016llx), EPT\n",
1829 Victim->Object.WinProc->Name,
1830 Victim->Object.WinProc->NameHash,
1831 Victim->Object.WinProc->Pid,
1832 Victim->WriteInfo.AccessSize,
1833 Victim->WriteInfo.OldValue[0],
1834 Victim->WriteInfo.NewValue[0]);
1844 DWORD SDHeadersHash = 0;
1858 memcpy(&oldSacl, &Victim->WriteInfo.OldValue[0],
sizeof(
ACL));
1859 memcpy(&newSacl, &Victim->WriteInfo.NewValue[0],
sizeof(
ACL));
1861 memcpy(&oldDacl, &Victim->WriteInfo.OldValue[1],
sizeof(
ACL));
1862 memcpy(&newDacl, &Victim->WriteInfo.NewValue[1],
sizeof(
ACL));
1864 if (Victim->Integrity.Buffer)
1867 Victim->Integrity.BufferSize,
1873 LOG(
"Victim -> Security descriptor pointer was modified for process (%s [0x%08x] %d), WriteInfo: " 1874 "(NewSdSize:%d, 0x%016llx -> 0x%016llx) New SD Hash:0x%x Old SACL " 1875 "AclSize:0x%x, AceCount:0x%x, AclRevision:0x%x " 1876 "New SACL AclSize:0x%x, AceCount:0x%x, AclRevision:0x%x " 1877 "Old DACL AclSize:0x%x, AceCount:0x%x, AclRevision:0x%x " 1878 "New DACL AclSize:0x%x, AceCount:0x%x, AclRevision:0x%x\n",
1879 Victim->Object.WinProc->Name,
1880 Victim->Object.WinProc->NameHash,
1881 Victim->Object.WinProc->Pid,
1882 Victim->Integrity.BufferSize,
1883 Victim->WriteInfo.OldValue[2],
1884 Victim->WriteInfo.NewValue[2],
1893 LOG(
"Victim -> ACL edited for process (%s [0x%08x] %d) NewSdSize:%d New SD Hash:0x%x " 1894 "Old SACL AclSize:0x%x, AceCount:0x%x, AclRevision:0x%x " 1895 "New SACL AclSize:0x%x, AceCount:0x%x, AclRevision:0x%x " 1896 "Old DACL AclSize:0x%x, AceCount:0x%x, AclRevision:0x%x " 1897 "New DACL AclSize:0x%x, AceCount:0x%x, AclRevision:0x%x\n",
1898 Victim->Object.WinProc->Name,
1899 Victim->Object.WinProc->NameHash,
1900 Victim->Object.WinProc->Pid,
1901 Victim->Integrity.BufferSize,
1911 LOG(
"Victim -> SharedUserData (%s [0x%08x] 0x%016llx + 0x%08x), WriteInfo: (0x%016llx -> 0x%016llx 0x%08x)\n",
1912 Victim->Object.Name,
1913 Victim->Object.NameHash,
1914 Victim->Integrity.StartVirtualAddress,
1915 Victim->Integrity.Offset,
1916 Victim->WriteInfo.OldValue[0],
1917 Victim->WriteInfo.NewValue[0],
1918 Victim->WriteInfo.AccessSize);
1922 LOG(
"Victim -> Interrupt Object (0x%016llx, entry %d) DispatchAddress: (0x%016llx -> 0x%016llx), " 1923 "ServiceRoutine: (0x%016llx -> 0x%016llx)",
1924 Victim->Integrity.StartVirtualAddress, Victim->Integrity.InterruptObjIndex,
1925 Victim->WriteInfo.OldValue[0], Victim->WriteInfo.NewValue[0],
1926 Victim->WriteInfo.OldValue[1], Victim->WriteInfo.NewValue[1]);
1934 ret = snprintf(l, rem,
"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^%sROOTKIT (kernel-mode) ",
1937 if (ret < 0 || ret >= rem)
1939 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
1950 ret = snprintf(l, rem,
"(no sig)");
1953 ret = snprintf(l, rem,
"(no exc)");
1956 ret = snprintf(l, rem,
"(extra)");
1959 ret = snprintf(l, rem,
"(error)");
1962 ret = snprintf(l, rem,
"(value)");
1965 ret = snprintf(l, rem,
"(export)");
1968 ret = snprintf(l, rem,
"(value code)");
1971 ret = snprintf(l, rem,
"(idt)");
1974 ret = snprintf(l, rem,
"(version os)");
1977 ret = snprintf(l, rem,
"(version intro)");
1980 ret = snprintf(l, rem,
"(process creation)");
1983 ret = snprintf(l, rem,
"(unknown)");
1986 ret = snprintf(l, rem,
"(%d)", Reason);
1990 if (ret < 0 || ret >= rem)
1992 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
2000 ret = snprintf(l, rem,
" ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^");
2002 if (ret < 0 || ret >= rem)
2004 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
2014 for (
DWORD t = 0; t < Originator->StackTrace.NumberOfTraces; t++)
2016 if (NULL != Originator->StackTrace.Traces[t].ReturnModule)
2018 LOG(
"[STACK TRACE] [at 0x%016llx] returning to [%s at 0x%016llx]\n",
2019 Originator->StackTrace.Traces[t].CurrentRip,
2021 Originator->StackTrace.Traces[t].ReturnAddress);
2025 LOG(
"[STACK TRACE] [at 0x%016llx]\n", Originator->StackTrace.Traces[t].CurrentRip);
2119 Originator->StackTrace.Traces = Originator->StackElements;
2124 if (!
INT_SUCCESS(status) && 0 == Originator->StackTrace.NumberOfTraces)
2126 WARNING(
"[WARNING] Failed getting a stack trace: 0x%08x. Skip checking for exported functions!\n",
2130 for (
DWORD t = 0; t < Originator->StackTrace.NumberOfTraces; t++)
2133 if (NULL == pRetMod)
2138 Originator->Return.Driver = pRetMod;
2139 Originator->Return.Rip = Originator->StackTrace.Traces[t].ReturnAddress;
2144 if (NULL == Originator->Return.Driver)
2146 for (
DWORD t = 0; t < Originator->StackTrace.NumberOfTraces; t++)
2149 if (NULL == pRetMod)
2161 Originator->Return.Driver = pRetMod;
2162 Originator->Return.Rip = Originator->StackTrace.Traces[t].ReturnAddress;
2168 if (NULL == Originator->Original.Driver && NULL == Originator->Return.Driver)
2174 if (NULL != Originator->Original.Driver)
2176 rip = Originator->Original.Rip;
2177 pDriver = Originator->Original.Driver;
2185 Originator->Original.NameHash = pDriver->
NameHash;
2195 if (NULL != Originator->Return.Driver)
2197 rip = Originator->Return.Rip;
2198 pDriver = Originator->Return.Driver;
2206 Originator->Return.NameHash = pDriver->
NameHash;
2243 DWORD currentTrace = 0;
2253 Originator->StackTrace.Traces = Originator->StackElements;
2256 if (!
INT_SUCCESS(status) && (Originator->StackTrace.NumberOfTraces == 0))
2258 WARNING(
"[WARNING] Failed getting a stack trace: 0x%08x. Skip checking for exported functions!\n",
2264 if (NULL == Originator->Original.Driver)
2268 for (t = 0; t < Originator->StackTrace.NumberOfTraces; t++)
2270 if (NULL == Originator->StackTrace.Traces[t].ReturnModule)
2275 Originator->Return.Driver = Originator->StackTrace.Traces[t].ReturnModule;
2277 Originator->Return.Rip = Originator->StackTrace.Traces[t].ReturnAddress;
2285 Originator->Return.Driver = Originator->Original.Driver;
2288 if (NULL == Originator->Original.Driver && NULL != Originator->Return.Driver)
2290 TRACE(
"[WARNING] The RIP 0x%016llx is not inside any module, but it returns to one 0x%016llx " 2291 "(BaseVa 0x%016llx).\n",
2292 Originator->Original.Rip,
2293 Originator->Return.Rip,
2294 Originator->Return.Driver->BaseVa);
2296 else if (NULL == Originator->Original.Driver && NULL == Originator->Return.Driver)
2304 pDriver = Originator->Return.Driver;
2305 pOriginalDriver = Originator->Original.Driver;
2315 (
DWORD)(Originator->Return.Rip - pDriver->
BaseVa),
2319 ERROR(
"[ERROR] Failed getting section details for Rip 0x%016llx: 0x%08x\n",
2320 Originator->Original.Rip, status);
2325 WARNING(
"[WARNING] Rip 0x%016llx isn't inside any section. ModuleBase: 0x%016llx\n",
2326 Originator->Original.Rip, pDriver->
BaseVa);
2338 if (Originator->Original.Driver != NULL &&
2339 0 == Originator->Original.Section[0])
2341 memcpy(Originator->Original.Section, sectionHeader.
Name,
sizeof(sectionHeader.
Name));
2344 memcpy(Originator->Return.Section, sectionHeader.
Name,
sizeof(sectionHeader.
Name));
2348 0 == memcmp(Originator->Return.Section,
"PAGEVRF", 7))
2350 WARNING(
"[WARNING] The RIP is inside the kernel section %s, the VERIFIER is active...\n",
2351 Originator->Return.Section);
2359 WARNING(
"[WARNING] Code executed from a section that doesn't contain code (RIP 0x%016llx). " \
2360 "Characteristics: 0x%08x, Name: %s\n",
2361 Originator->Return.Rip, sectionHeader.
Characteristics, Originator->Return.Section);
2372 0 == memcmp(Originator->Return.Section,
"INIT", 4))
2374 Originator->IsEntryPoint =
TRUE;
2380 if (0 == Originator->StackTrace.NumberOfTraces ||
2381 NULL == Originator->Original.Driver)
2396 (
DWORD)(Originator->Return.Rip - pDriver->
BaseVa));
2403 (
DWORD)(Originator->Return.Rip - pDriver->
BaseVa));
2416 if (pDriver == Originator->StackTrace.Traces[currentTrace].ReturnModule)
2435 if (NULL == Originator->StackTrace.Traces[currentTrace].ReturnModule)
2437 WARNING(
"[WARNING] RIP 0x%016llx returning to an address that isn't inside a driver 0x%016llx. " 2438 "Block the attempt\n",
2439 Originator->Original.Rip,
2440 Originator->StackTrace.Traces[currentTrace].ReturnAddress);
2463 Originator->Return.Rip = Originator->StackTrace.Traces[currentTrace].ReturnAddress;
2465 pDriver = Originator->StackTrace.Traces[currentTrace].ReturnModule;
2466 if (NULL == pDriver)
2471 Originator->Return.Driver = pDriver;
2474 }
while (currentTrace < Originator->StackTrace.NumberOfTraces);
2489 Originator->Return.NameHash = pDriver->
NameHash;
2493 if (pOriginalDriver)
2507 Originator->Original.NameHash = pOriginalDriver->
NameHash;
2535 if (NULL == Originator)
2550 Originator->Instruction = NULL;
2597 if (NULL == Originator)
2604 ERROR(
"[ERROR] Integrity alerts are not supported on guests %d\n",
gGuest.
OSType);
2608 Originator->IsIntegrity =
TRUE;
2616 if (Victim->WriteInfo.NewValue[0] < 0x60 || Victim->WriteInfo.NewValue[0] > 0x200)
2618 WARNING(
"[WARNING] The new size 0x%016llx is too big...\n", Victim->WriteInfo.NewValue[0]);
2625 WARNING(
"[WARNING] Not writing on size field & writing non-pointer value: 0x%016llx\n",
2626 Victim->WriteInfo.NewValue[0]);
2654 addr = Victim->WriteInfo.NewValue[0];
2662 if (NULL == Originator->Return.Driver)
2666 WARNING(
"[WARNING] Written value is not a kernel pointer or inside any driver: 0x%016llx\n", addr);
2676 else if (0 ==
wstrcasecmp(Originator->Return.Driver->Name, u
"hal.dll") ||
2677 0 ==
wstrcasecmp(Originator->Return.Driver->Name, u
"halmacpi.dll") ||
2678 0 ==
wstrcasecmp(Originator->Return.Driver->Name, u
"halacpi.dll"))
2684 Originator->Return.NameHash = Originator->Return.Driver->NameHash;
2688 Originator->Original.NameHash = Originator->Return.NameHash;
2689 Originator->Original.Driver = Originator->Return.Driver;
2695 QWORD addr = Victim->WriteInfo.NewValue[0];
2700 if (NULL == Originator->Return.Driver)
2708 else if (0 ==
wstrcasecmp(Originator->Return.Driver->Name, u
"hal.dll") ||
2709 0 ==
wstrcasecmp(Originator->Return.Driver->Name, u
"halmacpi.dll") ||
2710 0 ==
wstrcasecmp(Originator->Return.Driver->Name, u
"halacpi.dll"))
2716 Originator->Return.NameHash = Originator->Return.Driver->NameHash;
2722 addr = Victim->WriteInfo.NewValue[1];
2726 if (NULL == Originator->Original.Driver)
2734 else if (0 ==
wstrcasecmp(Originator->Original.Driver->Name, u
"hal.dll") ||
2735 0 ==
wstrcasecmp(Originator->Original.Driver->Name, u
"halmacpi.dll") ||
2736 0 ==
wstrcasecmp(Originator->Original.Driver->Name, u
"halacpi.dll"))
2742 Originator->Original.NameHash = Originator->Original.Driver->NameHash;
2747 Originator->Original.NameHash = Originator->Return.NameHash;
2748 Originator->Original.Driver = Originator->Return.Driver;
2783 if (NULL == NewValue)
2788 if (NULL == OldValue)
2798 Victim->Object.Type = Type;
2801 Victim->WriteInfo.NewValue[0] = NewValue->Base;
2802 Victim->WriteInfo.NewValue[1] = NewValue->Limit;
2803 Victim->Dtr.Type = Type;
2804 Victim->WriteInfo.OldValue[0] = OldValue->Base;
2805 Victim->WriteInfo.OldValue[1] = OldValue->Limit;
2839 Victim->Object.Type = 0;
2842 Victim->WriteInfo.NewValue[0] = NewValue;
2843 Victim->Msr.Msr = Msr;
2844 Victim->WriteInfo.OldValue[0] = OldValue;
2847 Victim->Msr.NewDriverBase = 0;
2853 Victim->Msr.NewDriverBase = pDriver->
BaseVa;
2887 BYTE *pPage, *pOriginal;
2891 if (NULL == IntegrityRegion)
2908 ERROR(
"[ERROR] Integrity alerts are not supported on guests %d\n",
gGuest.
OSType);
2912 pOriginal = IntegrityRegion->OriginalContent;
2918 ERROR(
"[ERROR] Failed mapping/reading at GVA 0x%016llx, with length %x: 0x%08x\n",
2919 IntegrityRegion->Gva, IntegrityRegion->Length, status);
2924 for (i = *Offset; i < IntegrityRegion->Length; i++)
2926 if (pPage[i] != pOriginal[i])
2936 *Offset = IntegrityRegion->Length;
2937 goto _cleanup_and_leave;
2945 switch (IntegrityRegion->Type)
2958 Victim->Object.Type = IntegrityRegion->Type;
2961 Victim->Integrity.StartVirtualAddress = IntegrityRegion->Gva;
2962 Victim->Integrity.TotalLength = IntegrityRegion->Length;
2963 Victim->Integrity.Offset = i;
2965 switch (IntegrityRegion->Type)
2970 Victim->WriteInfo.AccessSize =
sizeof(
IDT_ENTRY64);
2974 Victim->WriteInfo.AccessSize =
sizeof(
IDT_ENTRY32);
2993 if (i + Victim->WriteInfo.AccessSize > IntegrityRegion->Length)
2995 Victim->WriteInfo.AccessSize = IntegrityRegion->Length - i;
2998 memcpy(Victim->WriteInfo.OldValue, pOriginal + i, Victim->WriteInfo.AccessSize);
2999 memcpy(Victim->WriteInfo.NewValue, pPage + i, Victim->WriteInfo.AccessSize);
3001 switch (IntegrityRegion->Type)
3008 if (NULL == pDrvObj)
3010 LOG(
"We must have a integrity context (a driver object)\n");
3012 goto _cleanup_and_leave;
3015 Victim->Object.NameHash = pDrvObj->
NameHash;
3016 Victim->Object.DriverObject = pDrvObj;
3030 Victim->Object.BaseAddress = IntegrityRegion->Gva;
3035 LOG(
"Invalid integrity region type: %d\n", IntegrityRegion->Type);
3079 Victim->Object.Type = (
DWORD) -1;
3081 Victim->WriteInfo.NewValue[0] = NewValue;
3082 Victim->WriteInfo.OldValue[0] = OldValue;
3085 Victim->WriteInfo.AccessSize =
sizeof(
QWORD);
3087 Victim->Cr.Smap = ((OldValue &
CR4_SMAP) != 0) && ((NewValue &
CR4_SMAP) == 0);
3088 Victim->Cr.Smep = ((OldValue &
CR4_SMEP) != 0) && ((NewValue &
CR4_SMEP) == 0);
3177 (Originator->Original.Driver != NULL))
3208 Exception->VictimNameHash == Victim->Object.NameHash)
3215 Originator->Return.Driver : Originator->Original.Driver;
3221 match = Victim->Object.BaseAddress == pDriver->
BaseVa;
3250 switch (Exception->Type)
3440 LOG(
"[ERROR] This is a corruption in the update/exception. Type = %d!\n", Exception->Type);
3455 (Victim->WriteInfo.OldValue[0] == 0))
3466 match = 0 == memcmp(Originator->Return.Section,
"INIT", 4);
3470 match = 0 == memcmp(Originator->Return.Section,
"init", 4);
3478 match = 0 == memcmp(Originator->Original.Section,
"INIT", 4);
3482 match = 0 == memcmp(Originator->Original.Section,
"init", 4);
3486 else if (Originator->IsEntryPoint)
3491 else if (Victim->WriteInfo.OldValue[0] == 0)
3567 if (NULL == Originator)
3587 !memcmp(Victim->WriteInfo.OldValue, Victim->WriteInfo.NewValue,
3588 MIN(Victim->WriteInfo.AccessSize,
sizeof(Victim->WriteInfo.NewValue)))))
3602 goto _match_ex_alert;
3607 goto _match_ex_alert;
3610 if (pEx->OriginatorNameHash > Originator->Original.NameHash)
3614 else if (pEx->OriginatorNameHash != Originator->Original.NameHash)
3652 if (Originator->Original.Driver && Originator->Return.Driver &&
3653 (Originator->Original.Rip == Originator->Return.Rip))
3675 if (pEx->OriginatorNameHash > Originator->Original.NameHash)
3679 else if (pEx->OriginatorNameHash != Originator->Original.NameHash)
3700 goto _beta_exceptions;
3719 if (pEx->OriginatorNameHash > Originator->Return.NameHash)
3723 else if (pEx->OriginatorNameHash != Originator->Return.NameHash)
3757 if (pEx->OriginatorNameHash != Originator->Return.NameHash)
3764 if (pEx->OriginatorNameHash != Originator->Original.NameHash)
#define IMAGE_SCN_MEM_EXECUTE
INTSTATUS IntExceptKernelGetOriginator(EXCEPTION_KM_ORIGINATOR *Originator, DWORD Options)
This function is used to get the information about the kernel-mode originator.
#define EXCEPTION_NO_INSTRUCTION
QWORD DriverObjectGva
The guest virtual address of the guest _DRIVER_OBJECT represented by this structure.
enum _INTRO_ACTION_REASON INTRO_ACTION_REASON
The reason for which an INTRO_ACTION was taken.
#define DESCRIPTOR_SIZE_32
#define INT_STATUS_EXCEPTION_NOT_MATCHED
INTSTATUS IntPeGetSectionHeaderByRva(QWORD ImageBase, BYTE *ImageBaseBuffer, DWORD GuestRva, IMAGE_SECTION_HEADER *SectionHeader)
Given a relative virtual address, return the section header which describes the section the RVA lies ...
static int IntExceptPrintDrvObjInfo(WIN_DRIVER_OBJECT *DrvObj, char *Header, char *Line, int MaxLength)
Print the information about the WIN_DRIVER_OBJECT.
#define IG_IA32_SYSENTER_ESP
char * utf16toutf8(char *Destination, const WCHAR *Source, DWORD DestinationMaxLength)
INTSTATUS IntVirtMemUnmap(void **HostPtr)
Unmaps a memory range previously mapped with IntVirtMemMap.
An internal error occurred (no memory, pages not present, etc.).
INTSTATUS IntExceptGetVictimMsr(QWORD NewValue, QWORD OldValue, DWORD Msr, EXCEPTION_VICTIM_ZONE *Victim)
This function is used to get the information about the MSR victim.
QWORD End
The end guest virtual address of ksym (exclusive).
Kernel module (ntoskrnl.exe, hal.dll, etc.).
BYTE Unknown
Set if the function at this RIP is not exported.
INTSTATUS IntExceptGetVictimIntegrity(INTEGRITY_REGION *IntegrityRegion, DWORD *Offset, EXCEPTION_VICTIM_ZONE *Victim)
This function is used to get the information about the modified zone from the integrity region...
static int IntExceptPrintIdtInfo(EXCEPTION_VICTIM_ZONE *Victim, char *Header, char *Line, int MaxLength)
Print the information about the modified IDT entry.
WINDOWS_GUEST * gWinGuest
Global variable holding the state of a Windows guest.
IG_ARCH_REGS Regs
The current state of the guest registers.
DWORD Crc32Compute(const void *Buffer, size_t Size, DWORD InitialCrc)
Computes the CRC for a byte array.
The modified object is anything inside the HAL heap zone.
QWORD SystemCr3
The Cr3 used to map the kernel.
#define INT_STATUS_SUCCESS
Fast IO Dispatch (Windows only).
An interrupt object from KPRCB.
LIST_HEAD NoNameKernelExceptions
Linked list used for kernel-mode exceptions that don't have a valid originator (-).
The name can be any string.
INTSTATUS IntExceptGetVictimCr(QWORD NewValue, QWORD OldValue, DWORD Cr, EXCEPTION_VICTIM_ZONE *Victim)
This function is used to get the information about the CR victim.
Infinity hook modifications of WMI_LOGGER_CONTEXT.GetCpuClock.
WIN_KERNEL_DRIVER Win
Valid only for Windows guests.
The modified object is only the driver's EAT.
struct _IDT_ENTRY32 IDT_ENTRY32
INTSTATUS IntLixStackTraceGetReg(QWORD Cr3, PIG_ARCH_REGS Registers, DWORD MaxNumberOfTraces, QWORD Flags, STACK_TRACE *StackTrace)
Retrieves a Kernel stack backtrace based on the register values.
#define ZONE_LIB_RESOURCES
Used for the resources section (usually .rsrc inside a driver or dll).
QWORD Start
The start guest virtual address of ksym.
The modified object represents an execution inside SharedUserData.
INTSTATUS IntKsymFindByAddress(QWORD Gva, DWORD Length, char *SymName, QWORD *SymStart, QWORD *SymEnd)
Finds the symbol which is located at the given address.
QWORD BaseVa
The guest virtual address of the kernel module that owns this driver object.
The exception will take into consideration the return driver/dll.
#define IMAGE_SCN_MEM_WRITE
#define INT_SUCCESS(Status)
#define EXCEPTION_NO_NAME
The modified object is inside an EPT hook.
BOOLEAN KernelBetaDetections
True if the kernel protection is in beta (log-only) mode.
#define INT_STATUS_EXCEPTION_CHECKS_OK
void IntDriverCacheCreateExport(const QWORD Rip)
Adds a new export entry to the gDriverExportCache.
static INTSTATUS IntExceptLixKernelGetOriginator(EXCEPTION_KM_ORIGINATOR *Originator)
This function is used to get the information about the kernel-mode originator (Linux guest)...
DWORD PathLength
The driver's path length (number of WCHARs).
The modified object is HalPerformanceCounter.
The exception is valid only for read violation.
#define EXCEPTION_KM_ORIGINATOR_OPT_DO_NOT_BLOCK
Flag that can be passed to IntExceptKernelGetOriginator if the action should not be blocked...
PBYTE MzPeHeaders
The driver's MZ/PE headers (cached internally).
QWORD Parent
Depends on whether this is a thread or a process.
#define IG_IA32_SYSENTER_EIP
Describes a user-mode originator.
INTSTATUS IntPeFindExportByRvaInBuffer(QWORD ImageBase, BYTE *Buffer, DWORD BufferSize, DWORD Rva)
Check if the indicated Rva belongs to an exported function.
INTSTATUS IntExceptGetVictimDtr(DTR *NewValue, DTR *OldValue, INTRO_OBJECT_TYPE Type, EXCEPTION_VICTIM_ZONE *Victim)
This function is used to get the information about the DTR victim.
The modified object is only the driver's data sections.
INTSTATUS IntExceptMatchException(void *Victim, void *Originator, void *Exception, EXCEPTION_TYPE ExceptionType, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason)
This function tries to find an exception for the current violation.
int INTSTATUS
The status data type.
The _FAST_IO_DISPATCH structure used by 32-bit guests.
LIX_MODULE_LAYOUT CoreLayout
The layout of the core section.
#define INT_STATUS_NOT_FOUND
The exception will match only for the init phase of a driver/process.
LIST_HEAD KernelAlertExceptions
Linked list used for kernel-mode exceptions that are added from alert.
#define MAX_PATH
The maximum size of a path (260 characters on windows).
INTSTATUS IntExceptGetOriginatorFromModification(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator)
This function is used for integrity violations to get the information about the kernel-mode originato...
Integrity protection of SharedUserData region.
Describes a kernel-mode originator.
The modified object is only the driver's IAT.
int IntExceptPrintWinKmModInfo(KERNEL_DRIVER *Module, char *Header, char *Line, int MaxLength, DWORD NameAlignment)
Print the information about the provided KERNEL_DRIVER (windows guest).
INTRO_GUEST_TYPE OSType
The type of the guest.
INSTRUX Instruction
The current instruction, pointed by the guest RIP.
struct _DRIVER_EXPORT_CACHE_ENTRY::@23 Type
The exception is valid only for write violation.
Process ACL (SACL/DACL) was modified.
The modified object is anything inside the driver.
Describes a kernel driver.
#define ZONE_INTEGRITY
Used for integrity zone.
DWORD NameHash
The hash of the name.
The modified object is a SharedUserData field.
The modified object is IDTR/GDTR.
enum _INTRO_OBJECT_TYPE INTRO_OBJECT_TYPE
The type of the object protected by an EPT hook.
The exception is valid only for CR4.SMEP write.
static int IntExceptPrintMsrInfo(EXCEPTION_VICTIM_ZONE *Victim, char *Header, char *Line, int MaxLength)
Print the information about the modified MSR.
#define ZONE_LIB_CODE
Used for a generic code zone.
#define INITIAL_CRC_VALUE
#define INT_STATUS_EXCEPTION_BLOCK
Hal interrupt controller.
EXCEPTIONS * Exceptions
The exceptions that are currently loaded.
#define IG_CURRENT_VCPU
For APIs that take a VCPU number as a parameter, this can be used to specify that the current VCPU sh...
The modified object is inside an integrity hook.
The exception is valid only for CR4.SMAP write.
SIZE_T NameLength
The length of the Name. This is the number of characters in the Name buffer.
#define ZONE_EXECUTE
Used for execute violation.
LIST_HEAD KernelFeedbackExceptions
Linked list used for kernel-mode exceptions that have the feedback flag.
Holds information about a driver object.
CPU_STATE State
The state of this VCPU. Describes what action the VCPU is currently doing.
The exception is valid only for execute violation.
BOOLEAN Guest64
True if this is a 64-bit guest, False if it is a 32-bit guest.
The modified object is only the driver's code sections.
The name is the operating system kernel name.
DWORD NameHash
Hash of the Name.
DRIVER_EXPORT_CACHE_ENTRY * IntDriverCacheExportFind(const QWORD Rip)
Finds an entry inside the gDriverExportCache.
INTSTATUS IntExceptKernelMatchVictim(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, KM_EXCEPTION *Exception)
This function checks if the exception matches the originator and the modified zone.
Write protection over HalPerformanceCounter.
#define INT_STATUS_INVALID_PARAMETER_4
static BOOLEAN IntExceptLixKernelIsMemoryFunc(QWORD Rip)
This function is used to check if the write has been made using any of the "memcpy", "__memcpy", "memset", "__memset" or "memmove" functions.
#define IS_KERNEL_POINTER_WIN(is64, p)
Checks if a guest virtual address resides inside the Windows kernel address space.
#define EXCEPTION_KM_ORIGINATOR_OPT_FULL_STACK
Flag that can be passed to IntExceptKernelGetOriginator when the full stack is needed.
Allow modification of its own driver object.
#define INT_STATUS_INVALID_INTERNAL_STATE
The modified object is SSDT (valid only on windows x86).
static int IntExceptPrintCrInfo(EXCEPTION_VICTIM_ZONE *Victim, char *Header, char *Line, int MaxLength)
Print the information about the modified CR.
The modified object is the self map entry inside PDBR.
void * Name
The name of the driver.
QWORD KernelVa
The guest virtual address of the kernel image.
struct _IDT_ENTRY64 IDT_ENTRY64
LIX_SYMBOL MemoryFunctions[5]
The guest virtual addresses of memcpy, __memcpy, memset, __memset and memmove.
QWORD DriverObjectGpa
The guest physical address of the guest _DRIVER_OBJECT represented by this structure.
BYTE WordSize
Guest word size. Will be 4 for 32-bit guests and 8 for 64-bit guests.
INTSTATUS IntWinStackTraceGet(QWORD StackFrame, QWORD Rip, DWORD MaxNumberOfTraces, QWORD Flags, STACK_TRACE *StackTrace)
Get a kernel stack trace starting from the current stack pointer, for 64-bit systems.
#define DESCRIPTOR_SIZE_64
void IntLixDrvGetSecName(KERNEL_DRIVER *Driver, QWORD Gva, CHAR *SectionName)
Get the section of the driver that contains the provided guest virtual address.
The modified object is a MSR.
void IntExceptKernelLogInformation(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason)
Print the information about a kernel-mode violation and dumps the code-blocks.
LIX_KERNEL_MODULE Lix
Valid only for Linux guests.
#define EXCEPTION_NO_SYMBOL
The exception will take into consideration the return driver.
#define ZONE_LIB_EXPORTS
Used for the exports of a dll, driver, etc.
DWORD SelfMapIndex
The self map index.
The modified object is the privileges field inside the nt!_TOKEN structure.
The modified object is SMEP and/or SMAP bits of CR4.
#define IDT_DESC_SIZE64
The size of a 64-bit interrupt descriptor.
A descriptor table register. Valid for IDTR and GDTR.
#define LIX_SYMBOL_NAME_LEN
The maximum length of a ksym, as defined by the Linux kernel.
Describes the modified zone.
#define UNREFERENCED_PARAMETER(P)
The modified object is IDTR.
Describe a kernel-mode exception.
#define for_each_km_exception(_ex_head, _var_name)
static int IntExceptPrintLixKmDrvInfo(KERNEL_DRIVER *Driver, char *Header, char *Line, int MaxLength, DWORD NameAlignment)
Print the information about the provided KERNEL_DRIVER (Linux guest).
Describe a user-mode exception.
Executions inside the SharedUserData region.
The Virtualization exception agent injected inside the guest.
DWORD KernelBufferSize
The size of the KernelBuffer.
The exception is valid only for integrity zone.
The modified object is anything inside the driver's fast IO dispatch table.
The modified object is any with the modified name.
enum _INTRO_ACTION INTRO_ACTION
Event actions.
#define IMAGE_SCN_CNT_CODE
INTSTATUS IntExceptKernelVerifyExtra(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_UM_ORIGINATOR *Originator, UM_EXCEPTION *Exception)
This function is used as an extra step in exception mechanism.
LIST_HEAD GenericKernelExceptions
Linked list used for kernel-mode exceptions that have a generic originator (*).
The action was allowed, but it has the BETA flag (Introcore is in log-only mode). ...
__must_check INTSTATUS IntVirtMemMap(QWORD Gva, DWORD Length, QWORD Cr3, DWORD Flags, void **HostPtr)
Maps a guest virtual memory range inside Introcore virtual address space.
MM Mm
Guest memory information, such as paging mode, system Cr3 value, etc.
Self mapping index in PDBR.
GUEST_STATE gGuest
The current guest state.
The _FAST_IO_DISPATCH structure used by 64-bit guests.
The modified object is any IDT entry.
char gExcLogLine[2 *ONE_KILOBYTE]
The exception log line.
KERNEL_DRIVER * IntDriverFindByBase(QWORD Gva)
Searches for a driver object by its module base.
The modified object is an ACL (SACL/DACL) of a process.
#define EXCEPTION_TABLE_ID(H)
#define FIELD_OFFSET(type, field)
Virtual SYSCALL (user-mode, Linux-only).
static INTSTATUS IntExceptWinKernelGetOriginator(EXCEPTION_KM_ORIGINATOR *Originator, DWORD Options)
This function is used to get the information about the kernel-mode originator (windows guest)...
int wstrcasecmp(const WCHAR *buf1, const WCHAR *buf2)
LIST_HEAD KernelExceptions[EXCEPTION_TABLE_SIZE]
Array of linked lists used for kernel-mode exceptions.
INTSTATUS IntPeFindExportByRva(QWORD ImageBase, BYTE *ImageBaseBuffer, DWORD Rva)
Check if a RVA lies inside an exported function.
KERNEL_DRIVER * IntDriverFindByAddress(QWORD Gva)
Returns the driver in which Gva resides.
#define ZONE_READ
Used for read violation.
The modified object is WMI_LOGGER_CONTEXT.GetCpuClock used by InfinityHook (valid only on windows)...
static void IntExceptKernelLogLinuxInformation(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason)
Print the information about a kernel-mode violation (Linux guest).
The action was blocked because no exception signature matched.
void IntExceptDumpSignatures(void *Originator, EXCEPTION_VICTIM_ZONE *Victim, BOOLEAN KernelMode, BOOLEAN ReturnDrv)
Dump code blocks from the originator's RIP.
Virtual dynamic shared object (user-mode, Linux-only).
The modified object is an interrupt object from KPRCB.
BYTE * KernelBuffer
A buffer containing the entire kernel image.
KERNEL_DRIVER * KernelDriver
Points to the driver object that describes the kernel image.
char * utf16_for_log(const WCHAR *WString)
Converts a UTF-16 string to a UTF-8 string for use inside logging macros.
int IntExceptPrintLixTaskInfo(const LIX_TASK_OBJECT *Task, char *Header, char *Line, int MaxLength, DWORD NameAlignment)
Print the information about the provided LIX_TASK_OBJECT.
LIX_TASK_OBJECT * IntLixTaskFindByGva(QWORD TaskStruct)
Finds Linux process with the provided "task_struct" guest virtual address.
The modified object is a CR.
#define INT_STATUS_INVALID_PARAMETER_1
#define INT_STATUS_NOT_SUPPORTED
VCPU_STATE * gVcpu
The state of the current VCPU.
The action was blocked because there was no exception for it.
void IntDriverCacheCreateUnknown(const QWORD Rip)
Adds a new entry to the gDriverExportCache.
LIX_TASK_OBJECT * IntLixTaskGetCurrent(DWORD CpuNumber)
Finds the task that is currently running on the given CPU.
UINT8 Name[IMAGE_SIZEOF_SHORT_NAME]
Describes an entry in the gDriverExportCache.
QWORD Base
The base GVA of the section.
#define ZONE_LIB_IMPORTS
Used for the imports of a dll, driver, etc.
The original RIP is outside a driver and it returns into a driver (which is the originator name)...
static void IntExceptKernelLogWindowsInformation(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason)
Print the information about a kernel-mode violation (windows guest).
QWORD EntryPoint
The entry point of this driver.
PWIN_DRIVER_OBJECT DriverObject
The driver object.
The exception is valid only for 32-bit systems/processes.
#define EXPORT_NAME_UNKNOWN
The modified object is anything inside the driver object.
INTSTATUS IntExceptKernel(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason)
This function iterates through exception lists and tries to find an exception that matches the origin...
#define IDT_DESC_SIZE32
The size of a 32-bit interrupt descriptor.
The modified object is only the driver's resources sections.
Process security descriptor pointer.
#define ZONE_WRITE
Used for write violation.
#define INT_STATUS_INVALID_PARAMETER_2
static int IntExceptPrintDtrInfo(EXCEPTION_VICTIM_ZONE *Victim, char *Header, char *Line, int MaxLength)
Print the information about the modified IDTR/GDTR.
The modified object is the security descriptor pointer of a process.
The name is the operating system HAL name (valid only for windows).
#define IG_IA32_SYSENTER_CS
LINUX_GUEST * gLixGuest
Global variable holding the state of a Linux guest.
The modified object is a MSR.
#define INT_STATUS_EXCEPTION_ALLOW
The exception (and signature, where applicable) matched, but the extra checks failed.
#define INT_STATUS_INVALID_PARAMETER_3