Bitdefender Hypervisor Memory Introspection
Data Structures | Macros | Typedefs | Functions
lixcrash.c File Reference
#include "lixcrash.h"
#include "alerts.h"
#include "decoder.h"
#include "guests.h"
#include "lixksym.h"

Go to the source code of this file.

Data Structures

struct  _PRINTK_LOG_HEADER
 Linux 'struct printk_log' buffer header. More...
 

Macros

#define MAX_STACKTRACES   16
 
#define MAX_FUNC_NAME   128
 
#define MAX_LOG_SIZE   512
 
#define PREFIX_MAX   32
 
#define LOG_LINE_MAX   (1024 - PREFIX_MAX)
 
#define LIX_SIGNAL_STOP_MASK
 The signal for STOP action. More...
 
#define LIX_SIGNAL_IGNORE_MASK
 The signal for IGNORE action. More...
 
#define LIX_SIGNAL_FATAL(sig)   !((sig) > 0 && (sig) < SIGRTMIN && (BIT(sig) & (LIX_SIGNAL_IGNORE_MASK | LIX_SIGNAL_STOP_MASK)))
 Check if the provided signal is fatal. More...
 

Typedefs

typedef struct _PRINTK_LOG_HEADER PRINTK_LOG_HEADER
 Linux 'struct printk_log' buffer header. More...
 
typedef struct _PRINTK_LOG_HEADERPPRINTK_LOG_HEADER
 

Functions

static INTSTATUS IntLixCrashSendPanicEvent (void)
 Send an event, if the operating system crashed, that contains information about the task that generated the crash. More...
 
static INTSTATUS IntLixCrashFetchDmesgSymbol (QWORD *LogBufferGva, QWORD *LogBufferLengthGva, QWORD *LogFirstIdxGva)
 Find the address of the symbols 'log_buf', 'log_buf_len' and 'log_first_idx'. More...
 
static BOOLEAN IntLixCrashEnoughHeapAvailable (DWORD Size)
 Checks if the size of the free heap is bigger than the provided size. More...
 
INTSTATUS IntLixTaskSendExceptionEvent (DWORD Signal, LIX_TASK_OBJECT *Task)
 Sends an event that contains the information about signal received by the provided task. This function sends the event only if the guest options has the INTRO_OPT_EVENT_PROCESS_CRASH flag. More...
 
INTSTATUS IntLixCrashHandle (void *Detour)
 Sends an event that contains the information about signal received by the current task. This function overwrite the return value of the 'complete_signal' with SIGKILL if the current task must be killed; the current task must be killed if an exploit has been detected by the introspection engine. More...
 
void IntLixCrashDumpDmesg (void)
 Dumps the 'dmesg' buffer from guest. More...
 
INTSTATUS IntLixCrashPanicHandler (void *Detour)
 Called if the 'panic' or 'kcrash_exec' handler is hit. More...
 

Macro Definition Documentation

◆ LIX_SIGNAL_FATAL

#define LIX_SIGNAL_FATAL (   sig)    !((sig) > 0 && (sig) < SIGRTMIN && (BIT(sig) & (LIX_SIGNAL_IGNORE_MASK | LIX_SIGNAL_STOP_MASK)))

Check if the provided signal is fatal.

The possible effects an unblocked signal set to SIG_DFL can have are:

  • ignore - Nothing Happens.
  • terminate - kill the process, i.e. all threads in the group.
  • coredump - write a core dump file describing all threads using the same mm and then kill all those threads.
  • stop - stop all the threads in the group, i.e. TASK_STOPPED state

NOTE: For more information see include/linux/signal.h (linux kernel).

Definition at line 45 of file lixcrash.c.

Referenced by IntLixTaskSendExceptionEvent().

◆ LIX_SIGNAL_IGNORE_MASK

#define LIX_SIGNAL_IGNORE_MASK
Value:
(\
BIT(SIGCONT) | BIT(SIGCHLD) | \
BIT(SIGWINCH) | BIT(SIGURG) )
BIT
#define BIT(x)
Definition: common.h:68
SIGCHLD
#define SIGCHLD
Definition: lixddefs.h:212
SIGCONT
#define SIGCONT
Definition: lixddefs.h:213
SIGWINCH
#define SIGWINCH
Definition: lixddefs.h:223
SIGURG
#define SIGURG
Definition: lixddefs.h:218

The signal for IGNORE action.

Definition at line 30 of file lixcrash.c.

◆ LIX_SIGNAL_STOP_MASK

#define LIX_SIGNAL_STOP_MASK
Value:
( \
BIT(SIGSTOP) | BIT(SIGTSTP) | \
BIT(SIGTTIN) | BIT(SIGTTOU) )
SIGSTOP
#define SIGSTOP
Definition: lixddefs.h:214
BIT
#define BIT(x)
Definition: common.h:68
SIGTSTP
#define SIGTSTP
Definition: lixddefs.h:215
SIGTTOU
#define SIGTTOU
Definition: lixddefs.h:217
SIGTTIN
#define SIGTTIN
Definition: lixddefs.h:216

The signal for STOP action.

Definition at line 23 of file lixcrash.c.

◆ LOG_LINE_MAX

#define LOG_LINE_MAX   (1024 - PREFIX_MAX)

Definition at line 17 of file lixcrash.c.

Referenced by IntLixCrashDumpDmesg().

◆ MAX_FUNC_NAME

#define MAX_FUNC_NAME   128

Definition at line 13 of file lixcrash.c.

◆ MAX_LOG_SIZE

#define MAX_LOG_SIZE   512

Definition at line 14 of file lixcrash.c.

◆ MAX_STACKTRACES

#define MAX_STACKTRACES   16

Definition at line 12 of file lixcrash.c.

◆ PREFIX_MAX

#define PREFIX_MAX   32

Definition at line 16 of file lixcrash.c.

Typedef Documentation

◆ PPRINTK_LOG_HEADER

typedef struct _PRINTK_LOG_HEADER * PPRINTK_LOG_HEADER

◆ PRINTK_LOG_HEADER

typedef struct _PRINTK_LOG_HEADER PRINTK_LOG_HEADER

Linux 'struct printk_log' buffer header.

Function Documentation

◆ IntLixCrashDumpDmesg()

void IntLixCrashDumpDmesg ( void  )

Dumps the 'dmesg' buffer from guest.

This function search for the 'log_buf', 'log_buf_len' and 'first_idx' and parse the buffer. For Linux kernel 2.6 the 'dmesg' is a continuously buffer of chars. For kernel versions bigger than 2.6 the 'dmesg' has a header 'printk_log' for each line.

Definition at line 340 of file lixcrash.c.

Referenced by IntLixCrashPanicHandler().

◆ IntLixCrashEnoughHeapAvailable()

static BOOLEAN IntLixCrashEnoughHeapAvailable ( DWORD  Size)
static

Checks if the size of the free heap is bigger than the provided size.

Parameters
[in]SizeThe size needed to map the 'dmesg' buffer
Return values
INT_STATUS_SUCCESSTrue if there's enough heap to map the 'dmesg' buffer, otherwise false

Definition at line 215 of file lixcrash.c.

Referenced by IntLixCrashDumpDmesg().

◆ IntLixCrashFetchDmesgSymbol()

static INTSTATUS IntLixCrashFetchDmesgSymbol ( QWORD LogBufferGva,
QWORD LogBufferLengthGva,
QWORD LogFirstIdxGva 
)
static

Find the address of the symbols 'log_buf', 'log_buf_len' and 'log_first_idx'.

This function tries to search the using IntKsymFindByName; this search may fail because on Debian the symbol is not exported. If the symbol is not exported, the 'log_buf_kexec_setup' function is used to find these symbols. This function initialize the 'log_buf', 'log_len', 'log_first_idx' calling the VMCOREINFO_SYMBOL; knowing these we search for the first three MOV instructions that have the format MOV RDX, immediate and read the immediate value.

Parameters
[out]LogBufferGvaContains, on success, the address of 'log_buf'.
[out]LogBufferLengthGvaContains, on success, the address of 'log_buf_len'.
[out]LogFirstIdxGvaContains, on success, the address of 'log_first_idx'.
Return values
INT_STATUS_SUCCESSOn success.
INT_STATUS_NOT_FOUNDIf at symbols is not found.

Definition at line 93 of file lixcrash.c.

Referenced by IntLixCrashDumpDmesg().

◆ IntLixCrashHandle()

INTSTATUS IntLixCrashHandle ( void *  Detour)

Sends an event that contains the information about signal received by the current task. This function overwrite the return value of the 'complete_signal' with SIGKILL if the current task must be killed; the current task must be killed if an exploit has been detected by the introspection engine.

Parameters
[in]DetourThe internal detour structure.
Return values
INT_STATUS_SUCCESSOn success.

Definition at line 298 of file lixcrash.c.

◆ IntLixCrashPanicHandler()

INTSTATUS IntLixCrashPanicHandler ( void *  Detour)

Called if the 'panic' or 'kcrash_exec' handler is hit.

This function dumps the 'dmesg' buffer and send an crash event; also set the disable and the bugcheck vars to true in order to uninit the introspection.

Parameters
[in]DetourThe internal detour structure.
Return values
INT_STATUS_DISABLE_DETOUR_ON_RETThe detours must be removed/disabled because the guest crashed.

Definition at line 493 of file lixcrash.c.

◆ IntLixCrashSendPanicEvent()

static INTSTATUS IntLixCrashSendPanicEvent ( void  )
static

Send an event, if the operating system crashed, that contains information about the task that generated the crash.

Return values
INT_STATUS_SUCCESSOn success.

Definition at line 65 of file lixcrash.c.

Referenced by IntLixCrashPanicHandler().

◆ IntLixTaskSendExceptionEvent()

INTSTATUS IntLixTaskSendExceptionEvent ( DWORD  Signal,
LIX_TASK_OBJECT Task 
)

Sends an event that contains the information about signal received by the provided task. This function sends the event only if the guest options has the INTRO_OPT_EVENT_PROCESS_CRASH flag.

Parameters
[in]SignalThe signal number sent to the task.
[in]TaskThe task that received the signal.
Return values
INT_STATUS_SUCCESSOn success.
INT_STATUS_NOT_NEEDED_HINTIf the INTRO_OPT_EVENT_PROCESS_CRASH flag is not set.

Definition at line 240 of file lixcrash.c.

Referenced by IntLixCrashHandle(), and IntLixTaskDestroy().