- Generated by
1.8.13
|
Bitdefender Hypervisor Memory Introspection
|
#include "guest_stack.h"Go to the source code of this file.
Macros | |
| #define | MAX_FUNC_NAME 128 |
| The maximum number of characters allowed for a function name. More... | |
Typedefs | |
| typedef struct _LIX_TASK_OBJECT | LIX_TASK_OBJECT |
| typedef struct _LIX_TRAP_FRAME | LIX_TRAP_FRAME |
Functions | |
| INTSTATUS | IntLixStackTraceGet (QWORD Cr3, QWORD Stack, QWORD Rip, DWORD MaxNumberOfTraces, QWORD Flags, STACK_TRACE *StackTrace) |
| Retrieves a Kernel stack trace. More... | |
| INTSTATUS | IntLixStackTraceGetReg (QWORD Cr3, PIG_ARCH_REGS Registers, DWORD MaxNumberOfTraces, QWORD Flags, STACK_TRACE *StackTrace) |
| Retrieves a Kernel stack backtrace based on the register values. More... | |
| void | IntLixDumpStacktrace (DWORD MaxTraces) |
| Logs a Kernel stack backtrace. More... | |
| void | IntLixStackDumpUmStackTrace (LIX_TASK_OBJECT *Task) |
| Logs the libraries found in the user mode stacktrace. More... | |
| #define MAX_FUNC_NAME 128 |
The maximum number of characters allowed for a function name.
Definition at line 10 of file lixstack.h.
Referenced by IntLixDumpStacktrace().
| typedef struct _LIX_TASK_OBJECT LIX_TASK_OBJECT |
Definition at line 12 of file lixstack.h.
| typedef struct _LIX_TRAP_FRAME LIX_TRAP_FRAME |
Definition at line 13 of file lixstack.h.
| void IntLixDumpStacktrace | ( | DWORD | MaxTraces | ) |
Logs a Kernel stack backtrace.
Unlike IntLixStackTraceGet, this function will parse the stack and for each value that does look like a valid kernel pointer will log it's symbol name (if available) as well as the module where it resides.
This function's behavior is somehow similar to the dump_stack() function from Linux Kernel.
| [in] | MaxTraces | The maximum number of traces. |
Definition at line 292 of file lixstack.c.
| void IntLixStackDumpUmStackTrace | ( | LIX_TASK_OBJECT * | Task | ) |
Logs the libraries found in the user mode stacktrace.
This function will read the trap frame available in the kernel mode stack of the process and will attempt to log the filenames of the VMAs that have pointers on the stack. Will also log the trap frame as well as the code residing at the trap frame return address.
| [in] | Task | The Linux process. |
Definition at line 381 of file lixstack.c.
| INTSTATUS IntLixStackTraceGet | ( | QWORD | Cr3, |
| QWORD | Stack, | ||
| QWORD | Rip, | ||
| DWORD | MaxNumberOfTraces, | ||
| QWORD | Flags, | ||
| STACK_TRACE * | StackTrace | ||
| ) |
Retrieves a Kernel stack trace.
This function will attempt to parse stackframes starting from the value of the Stack parameter. When a valid return address if found, information about the code residing at that address(such as kernel driver, next stack frame, return address, instruction pointer) are fetched.
Note: This function will fail for Kernels compiled with "-fomit-frame-pointer". Sigh!
| [in] | Cr3 | The CR3 that will be used to map virtual memory. If not set then the system CR3 will be used. |
| [in] | Stack | The current stack pointer. |
| [in] | Rip | The current instruction pointer. |
| [in] | MaxNumberOfTraces | The maximum number of traces this function should retrieve. |
| [in] | Flags | Flags controlling this function's behaviour. The only flag acknowledged by this function is STACK_FLG_FAST_GET. |
| [in,out] | StackTrace | Will contain upon successful return the backtrace. |
Definition at line 14 of file lixstack.c.
Referenced by IntLixStackTraceGetReg().
| INTSTATUS IntLixStackTraceGetReg | ( | QWORD | Cr3, |
| PIG_ARCH_REGS | Registers, | ||
| DWORD | MaxNumberOfTraces, | ||
| QWORD | Flags, | ||
| STACK_TRACE * | StackTrace | ||
| ) |
Retrieves a Kernel stack backtrace based on the register values.
This function will extract a valid stack frame pointer and will supply it to IntLixStackTraceGet alongside the instruction pointer.
| [in] | Cr3 | The CR3 that will be used to map virtual memory. If not set then the system CR3 will be used. |
| [in] | Registers | The registers values. |
| [in] | MaxNumberOfTraces | The maximum number of traces this function should retrieve. |
| [in] | Flags | Flags controlling the behavior of this function. |
| [in,out] | StackTrace | Will contain upon successful return the backtrace. |
Definition at line 225 of file lixstack.c.
Referenced by IntExceptLixKernelGetOriginator(), and IntLixVdsoHandleWrite().
1.8.13