User mode exceptions. More...
#include "exceptions.h"
#include "guests.h"
#include "winpe.h"
#include "winprocesshp.h"
#include "winstack.h"
#include "winuser_checks.h"
Macros | |
#define | MEMORY_FUNC_SIZE 0x400 |
Functions | |
static char * | IntExceptUserGetPcTypeString (INTRO_PC_VIOLATION_TYPE Type) |
Returns a string that contains the description of the provided process creation violation type. More... | |
int | IntExceptPrintLixTaskInfo (const LIX_TASK_OBJECT *Task, char *Header, char *Line, int MaxLength, DWORD NameAlignment) |
Print the information about the provided LIX_TASK_OBJECT. More... | |
static void | IntExceptUserLogLinuxInformation (EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_UM_ORIGINATOR *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason) |
Print the information about a violation (Linux guest). More... | |
int | IntExceptPrintWinProcInfo (WIN_PROCESS_OBJECT *Process, char *Header, char *Line, int MaxLength, DWORD NameAlignment) |
Print the data from the provided WIN_PROCESS_OBJECT. More... | |
int | IntExceptPrintWinModInfo (WIN_PROCESS_MODULE *Module, char *Header, char *Line, int MaxLength, DWORD NameAlignment) |
Print the data from the provided WIN_PROCESS_MODULE. More... | |
static void | IntExceptUserLogWindowsInformation (EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_UM_ORIGINATOR *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason) |
Print the information about a violation (windows guest). More... | |
static __inline BOOLEAN | IntExceptUserMatchZoneFlags (EXCEPTION_VICTIM_ZONE *Victim, DWORD ZoneFlags) |
Checks if the zone-flags of the current exception match the zone flags of the victim. More... | |
static __inline BOOLEAN | IntExceptUserMatchZoneType (EXCEPTION_VICTIM_ZONE *Victim, UM_EXCEPTION_OBJECT ZoneType) |
Checks if the zone-type of the current exception matches the zone-type of the victim. More... | |
static __inline BOOLEAN | IntExceptUserMatchArchitecture (EXCEPTION_UM_ORIGINATOR *Originator, DWORD ExceptionFlags) |
Checks if the architecture-flags of the current exception match the architecture-flags of the originator. More... | |
static __inline BOOLEAN | IntExceptUserMatchChild (EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_UM_ORIGINATOR *Originator, DWORD ExceptionFlags) |
Checks if the victim is a child of the originator. More... | |
static __inline BOOLEAN | IntExceptUserMatchSystemProcess (EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_UM_ORIGINATOR *Originator, DWORD ExceptionFlags) |
Checks if the originator is a system process; for process-creation violation this function checks if the victim is a system process. More... | |
static __inline BOOLEAN | IntExceptUserMatchNameGlob (EXCEPTION_VICTIM_ZONE *Victim, UM_EXCEPTION_GLOB *Exception) |
Checks if the exception glob-name of the current exception matches the glob-name of the victim. More... | |
static __inline BOOLEAN | IntExceptUserMatchProcessGlob (EXCEPTION_UM_ORIGINATOR *Originator, UM_EXCEPTION_GLOB *Exception) |
Checks if the exception process glob-name of the current exception matches the process glob-name of the victim. More... | |
static __inline BOOLEAN | IntExceptUserMatchNameHash (EXCEPTION_VICTIM_ZONE *Victim, UM_EXCEPTION *Exception) |
Checks if the exception name-hash of the current exception matches the name-hash of the victim. More... | |
static __inline BOOLEAN | IntExceptUserMatchProcessHash (EXCEPTION_UM_ORIGINATOR *Originator, UM_EXCEPTION *Exception) |
Checks if the exception process name-hash of the current exception matches the process name-hash of the victim. More... | |
static BOOLEAN | IntExceptUserIsGlobItem (char Item) |
Checks if the provided char is a glob char. More... | |
void | IntExceptUserLogInformation (EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_UM_ORIGINATOR *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason) |
Print the information about a user-mode violation, dumps the code-blocks and the injection buffer, if any. More... | |
INTSTATUS | IntExceptUserGetExecOriginator (void *Process, EXCEPTION_UM_ORIGINATOR *Originator) |
This function is used to get the originator for heap execution. More... | |
static INTSTATUS | IntExceptUserHandleMemoryFunctions (WIN_PROCESS_OBJECT *Process, WIN_PROCESS_MODULE *Module, EXCEPTION_UM_ORIGINATOR *Originator) |
This function is used to check if the write has been made using a function that writes/reads memory (e.g. memcpy, memset, etc.). More... | |
INTSTATUS | IntExceptUserGetOriginator (void *Process, BOOLEAN ModuleWrite, QWORD Address, INSTRUX *Instrux, EXCEPTION_UM_ORIGINATOR *Originator) |
This function is used to get the information about the user-mode originator. More... | |
INTSTATUS | IntExceptGetVictimProcessCreation (void *Process, INTRO_OBJECT_TYPE ObjectType, EXCEPTION_VICTIM_ZONE *Victim) |
This function is used to get the information about the victim for process-creation violation. More... | |
INTSTATUS | IntExceptGetVictimProcess (void *Process, QWORD DestinationGva, DWORD Length, QWORD ZoneFlags, EXCEPTION_VICTIM_ZONE *Victim) |
This function is used to get the information about the victim process for injection violations. More... | |
INTSTATUS | IntExceptUserVerifyExtra (EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_UM_ORIGINATOR *Originator, UM_EXCEPTION *Exception) |
This function is used as an extra step in the exception mechanism that verifies the initialization flags of a process. More... | |
INTSTATUS | IntExceptUserVerifyExtraGlobMatch (EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_UM_ORIGINATOR *Originator, UM_EXCEPTION_GLOB *Exception) |
This function is used as an extra step in the exception mechanism that verifies the initialization flags of a process. More... | |
INTSTATUS | IntExceptUserMatchVictim (EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_UM_ORIGINATOR *Originator, void *Exception, EXCEPTION_TYPE ExceptionType) |
This function checks if the exception matches the originator and the modified zone. More... | |
INTSTATUS | IntExceptUser (EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_UM_ORIGINATOR *Originator, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason) |
This function iterates through exception lists and tries to find an exception that matches the originator and the victim. More... | |
Variables | |
char | gExcLogLine [2 *ONE_KILOBYTE] |
The exception log line. More... | |
User mode exceptions.
Definition in file exceptions_user.c.
#define MEMORY_FUNC_SIZE 0x400 |
Referenced by IntExceptUserHandleMemoryFunctions().
INTSTATUS IntExceptGetVictimProcess | ( | void * | Process, |
QWORD | DestinationGva, | ||
DWORD | Length, | ||
QWORD | ZoneFlags, | ||
EXCEPTION_VICTIM_ZONE * | Victim | ||
) |
This function is used to get the information about the victim process for injection violations.
[in] | Process | The process in which the injection occurred. |
[in] | DestinationGva | The guest virtual address at which the injection violation occurred. |
[in] | Length | The length (bytes) of the injection. |
[in] | ZoneFlags | The flags of the memory zone at which the injection violation occurred. |
[out] | Victim | The victim object. |
INT_STATUS_SUCCESS | On success. |
INT_STATUS_INVALID_PARAMETER_1 | If the provided process is invalid. |
INT_STATUS_INVALID_PARAMETER_5 | If the provided victim object is invalid. |
Definition at line 2594 of file exceptions_user.c.
Referenced by IntLixAccessRemoteVmHandler(), IntLixTaskHandleInjection(), IntWinDagentHandleDoubleAgent(), IntWinProcHandleCopyMemory(), IntWinProcHandleInstrument(), IntWinThrHandleQueueApc(), and IntWinThrHandleThreadHijack().
INTSTATUS IntExceptGetVictimProcessCreation | ( | void * | Process, |
INTRO_OBJECT_TYPE | ObjectType, | ||
EXCEPTION_VICTIM_ZONE * | Victim | ||
) |
This function is used to get the information about the victim for process-creation violation.
[in] | Process | The process in which the violation occurred. |
[in] | ObjectType | The process-creation violation type. |
[out] | Victim | The victim object. |
INT_STATUS_SUCCESS | On success. |
INT_STATUS_INVALID_PARAMETER_1 | If the provided process is invalid. |
INT_STATUS_INVALID_PARAMETER_2 | If the provided object-type is not introObjectTypeProcessCreation or introObjectTypeProcessCreationDpi. |
INT_STATUS_INVALID_PARAMETER_3 | If the provided victim object is invalid. |
Definition at line 2532 of file exceptions_user.c.
Referenced by IntLixValidateProcessCreationRights(), and IntWinDpiCheckCreation().
int IntExceptPrintLixTaskInfo | ( | const LIX_TASK_OBJECT * | Task, |
char * | Header, | ||
char * | Line, | ||
int | MaxLength, | ||
DWORD | NameAlignment | ||
) |
Print the information about the provided LIX_TASK_OBJECT.
[in] | Task | The task object. |
[in] | Header | The header of the output buffer. |
[in] | Line | The output buffer. |
[in] | MaxLength | The maximum number of chars that can be written. |
[in] | NameAlignment | The alignment of the chars in the buffer. |
The | number of written chars. |
Definition at line 71 of file exceptions_user.c.
Referenced by IntExceptKernelLogLinuxInformation(), IntExceptKernelUserLogWindowsInformation(), and IntExceptUserLogLinuxInformation().
int IntExceptPrintWinModInfo | ( | WIN_PROCESS_MODULE * | Module, |
char * | Header, | ||
char * | Line, | ||
int | MaxLength, | ||
DWORD | NameAlignment | ||
) |
Print the data from the provided WIN_PROCESS_MODULE.
[in] | Module | The module object. |
[in] | Header | The header of the output buffer. |
[in] | Line | The output buffer. |
[in] | MaxLength | The maximum number of chars that can be written. |
[in] | NameAlignment | The alignment of the chars in the buffer. |
The | number of written chars. |
Definition at line 613 of file exceptions_user.c.
Referenced by IntExceptKernelUserLogWindowsInformation(), and IntExceptUserLogWindowsInformation().
int IntExceptPrintWinProcInfo | ( | WIN_PROCESS_OBJECT * | Process, |
char * | Header, | ||
char * | Line, | ||
int | MaxLength, | ||
DWORD | NameAlignment | ||
) |
Print the data from the provided WIN_PROCESS_OBJECT.
[in] | Process | The process object. |
[in] | Header | The header of the output buffer. |
[in] | Line | The output buffer. |
[in] | MaxLength | The maximum number of chars that can be written. |
[in] | NameAlignment | The alignment of the chars in the buffer. |
The | number of written chars. |
Definition at line 455 of file exceptions_user.c.
Referenced by IntExceptKernelUserLogWindowsInformation(), and IntExceptUserLogWindowsInformation().
INTSTATUS IntExceptUser | ( | EXCEPTION_VICTIM_ZONE * | Victim, |
EXCEPTION_UM_ORIGINATOR * | Originator, | ||
INTRO_ACTION * | Action, | ||
INTRO_ACTION_REASON * | Reason | ||
) |
This function iterates through exception lists and tries to find an exception that matches the originator and the victim.
NOTE: If the exceptions binary is not loaded, any violation is allowed.
[in] | Victim | The victim object. |
[in] | Originator | The originator object. |
[out] | Action | The action that was taken. |
[out] | Reason | The reason for which Action was taken. |
INT_STATUS_INVALID_PARAMETER_1 | If the victim object is invalid. |
INT_STATUS_INVALID_PARAMETER_2 | If the originator object is invalid. |
INT_STATUS_INVALID_PARAMETER_3 | If the action is invalid. |
INT_STATUS_INVALID_PARAMETER_4 | If the reason is invalid. |
INT_STATUS_EXCEPTION_ALLOW | If the violation is allowed. |
INT_STATUS_EXCEPTION_NOT_MATCHED | If the violation is not allowed. |
Definition at line 2915 of file exceptions_user.c.
Referenced by IntExcept().
INTSTATUS IntExceptUserGetExecOriginator | ( | void * | Process, |
EXCEPTION_UM_ORIGINATOR * | Originator | ||
) |
This function is used to get the originator for heap execution.
[in] | Process | The process in which the execution occurred. |
[out] | Originator | The exception object. |
INT_STATUS_SUCCESS | On success. |
Definition at line 2220 of file exceptions_user.c.
Referenced by IntLixVmaHandlePageExecution(), IntWinCrashHandleDepViolation(), IntWinSudHandleUserSudExec(), and IntWinVadIsExecSuspicious().
INTSTATUS IntExceptUserGetOriginator | ( | void * | Process, |
BOOLEAN | ModuleWrite, | ||
QWORD | Address, | ||
INSTRUX * | Instrux, | ||
EXCEPTION_UM_ORIGINATOR * | Originator | ||
) |
This function is used to get the information about the user-mode originator.
[in] | Process | The process in which the violation occurred. |
[in] | ModuleWrite | If the violation is write. |
[in] | Address | The modified address. |
[in] | Instrux | The instruction that caused the violation, if any. |
[out] | Originator | The originator object. |
INT_STATUS_SUCCESS | On success. |
INT_STATUS_INVALID_PARAMETER_1 | If the provided process is invalid. |
INT_STATUS_INVALID_PARAMETER_5 | If the provided originator object is invalid. |
Definition at line 2435 of file exceptions_user.c.
Referenced by IntLixAccessRemoteVmHandler(), IntLixTaskHandleInjection(), IntLixValidateProcessCreationRights(), IntLixVdsoHandleUserModeWrite(), IntWinDagentHandleDoubleAgent(), IntWinDpiCheckCreation(), IntWinModHandleUserWrite(), IntWinProcHandleCopyMemory(), IntWinProcHandleInstrument(), IntWinThrHandleQueueApc(), and IntWinThrHandleThreadHijack().
static |
Returns a string that contains the description of the provided process creation violation type.
[in] | Type | The type of the violation. |
The | description of the violation type. |
Definition at line 24 of file exceptions_user.c.
Referenced by IntExceptUserLogLinuxInformation(), and IntExceptUserLogWindowsInformation().
static |
This function is used to check if the write has been made using a function that writes/reads memory (e.g. memcpy, memset, etc.).
We can't except a function that writes/reads memory because it is too generic. To solve this issue, this function gets the stack trace and sets the first module found as the originator's return module.
[in] | Process | The process in which the violation occurred. |
[in] | Module | The module object. |
[out] | Originator | The originator object. |
INT_STATUS_SUCCESS | On success. |
INT_STATUS_NOT_NEEDED_HINT | If the function that modified the memory zone is not a function that write/read memory. |
Definition at line 2271 of file exceptions_user.c.
Referenced by IntExceptUserGetOriginator().
static |
Checks if the provided char is a glob char.
[in] | Item | The char to be checked. |
True | if char is a glob item, otherwise false. |
Definition at line 2115 of file exceptions_user.c.
Referenced by IntExceptUser().
void IntExceptUserLogInformation | ( | EXCEPTION_VICTIM_ZONE * | Victim, |
EXCEPTION_UM_ORIGINATOR * | Originator, | ||
INTRO_ACTION | Action, | ||
INTRO_ACTION_REASON | Reason | ||
) |
Print the information about a user-mode violation, dumps the code-blocks and the injection buffer, if any.
[in] | Victim | The victim object. |
[in] | Originator | The originator object. |
[in] | Action | The action that was taken. |
[in] | Reason | The reason for which Action was taken. |
Definition at line 2131 of file exceptions_user.c.
Referenced by IntExcept(), IntLixVdsoHandleUserModeWrite(), IntWinCrashHandleDepViolation(), and IntWinSudHandleUserSudExec().
static |
Print the information about a violation (Linux guest).
[in] | Victim | The victim object. |
[in] | Originator | The originator object. |
[in] | Action | The action that was taken. |
[in] | Reason | The reason for which Action was taken. |
Definition at line 165 of file exceptions_user.c.
Referenced by IntExceptUserLogInformation().
static |
Print the information about a violation (windows guest).
[in] | Victim | The victim object. |
[in] | Originator | The originator object. |
[in] | Action | The action that was taken. |
[in] | Reason | The reason for which Action was taken. |
Definition at line 746 of file exceptions_user.c.
Referenced by IntExceptUserLogInformation().
static |
Checks if the architecture-flags of the current exception match the architecture-flags of the originator.
[in] | Originator | The originator object. |
[in] | ExceptionFlags | The architecture-flags of the current exception. |
True | if the architecture-flags match, otherwise false. |
Definition at line 1821 of file exceptions_user.c.
Referenced by IntExceptUserMatchVictim().
static |
Checks if the victim is a child of the originator.
[in] | Victim | The victim object. |
[in] | Originator | The originator object. |
[in] | ExceptionFlags | The flags of the current exception. |
True | if the victim is a child of the originator, otherwise false. |
Definition at line 1876 of file exceptions_user.c.
Referenced by IntExceptUserMatchVictim().
static |
Checks if the exception glob-name of the current exception matches the glob-name of the victim.
[in] | Victim | The victim object. |
[in] | Exception | The exception object. |
True | if the glob-name matches, otherwise false. |
Definition at line 1997 of file exceptions_user.c.
Referenced by IntExceptUserMatchVictim().
static |
Checks if the exception name-hash of the current exception matches the name-hash of the victim.
[in] | Victim | The victim object. |
[in] | Exception | The exception object. |
True | if the name-hash matches, otherwise false. |
Definition at line 2058 of file exceptions_user.c.
Referenced by IntExceptUserMatchVictim().
static |
Checks if the exception process glob-name of the current exception matches the process glob-name of the victim.
[in] | Originator | The originator object. |
[in] | Exception | The exception object. |
True | if the process glob-name matches, otherwise false. |
Definition at line 2027 of file exceptions_user.c.
Referenced by IntExceptUserMatchVictim().
static |
Checks if the exception process name-hash of the current exception matches the process name-hash of the victim.
[in] | Originator | The originator object. |
[in] | Exception | The exception object. |
True | if the process name-hash matches, otherwise false. |
Definition at line 2077 of file exceptions_user.c.
Referenced by IntExceptUserMatchVictim().
static |
Checks if the originator is a system process; for process-creation violation this function checks if the victim is a system process.
This function also checks if the victim is 'apphelp', 'one-time-injection' and 'module load'.
[in] | Victim | The victim object. |
[in] | Originator | The originator object. |
[in] | ExceptionFlags | The flags of the current exception. |
True | if the originator/victim is a system process, otherwise false. |
Definition at line 1918 of file exceptions_user.c.
Referenced by IntExceptUserMatchVictim().
INTSTATUS IntExceptUserMatchVictim | ( | EXCEPTION_VICTIM_ZONE * | Victim, |
EXCEPTION_UM_ORIGINATOR * | Originator, | ||
void * | Exception, | ||
EXCEPTION_TYPE | ExceptionType | ||
) |
This function checks if the exception matches the originator and the modified zone.
The following are verified:
[in] | Victim | The victim object. |
[in] | Originator | The originator object. |
[in] | Exception | The current exception object. |
[in] | ExceptionType | The type of the exception object. |
INT_STATUS_EXCEPTION_NOT_MATCHED | If any check fails. |
INT_STATUS_EXCEPTION_ALLOW | If all checks have passed. |
INT_STATUS_NOT_SUPPORTED | If ExceptionType value is invalid. |
Definition at line 2732 of file exceptions_user.c.
Referenced by IntExceptMatchException().
static |
Checks if the zone-flags of the current exception match the zone flags of the victim.
[in] | Victim | The victim object. |
[in] | ZoneFlags | The zone-flags of the current exception. |
True | if the zone-flags match, otherwise false. |
Definition at line 1641 of file exceptions_user.c.
Referenced by IntExceptUserMatchVictim().
static |
Checks if the zone-type of the current exception matches the zone-type of the victim.
[in] | Victim | The victim object. |
[in] | ZoneType | The zone-type of the current exception. |
True | if the zone-type matches, otherwise false. |
Definition at line 1680 of file exceptions_user.c.
Referenced by IntExceptUserMatchVictim().
INTSTATUS IntExceptUserVerifyExtra | ( | EXCEPTION_VICTIM_ZONE * | Victim, |
EXCEPTION_UM_ORIGINATOR * | Originator, | ||
UM_EXCEPTION * | Exception | ||
) |
This function is used as an extra step in the exception mechanism that verifies the initialization flags of a process.
[in] | Victim | The victim object. |
[in] | Originator | The originator object. |
[in] | Exception | The current exception object. |
INT_STATUS_EXCEPTION_CHECKS_OK | On success. |
Definition at line 2672 of file exceptions_user.c.
Referenced by IntExceptMatchException().
INTSTATUS IntExceptUserVerifyExtraGlobMatch | ( | EXCEPTION_VICTIM_ZONE * | Victim, |
EXCEPTION_UM_ORIGINATOR * | Originator, | ||
UM_EXCEPTION_GLOB * | Exception | ||
) |
This function is used as an extra step in the exception mechanism that verifies the initialization flags of a process.
[in] | Victim | The victim object. |
[in] | Originator | The originator object. |
[in] | Exception | The current exception object. |
INT_STATUS_EXCEPTION_CHECKS_OK | On success. |
Definition at line 2702 of file exceptions_user.c.
Referenced by IntExceptMatchException().
char gExcLogLine[2 *ONE_KILOBYTE] |
The exception log line.
Definition at line 40 of file exceptions.c.
Referenced by IntExceptUserLogLinuxInformation(), and IntExceptUserLogWindowsInformation().