- Generated by
1.8.13
|
Bitdefender Hypervisor Memory Introspection
|
#include "serializers.h"#include "guests.h"#include "lixmm.h"#include "winprocesshp.h"#include "codeblocks.h"#include "crc32.h"#include "lixfiles.h"Go to the source code of this file.
Data Structures | |
| struct | _SERIALIZER_HEADER |
| Describes the header of the serializer buffer. More... | |
| struct | _SERIALIZER_OBJECT_HEADER |
| Describes the header for each serialized item. More... | |
| struct | _SERIALIZER_STRING |
| Describes a serialized string. More... | |
| struct | _SERIALIZER_EXCEPTION_KM_ORIGINATOR |
| Describes a serialized intObjKmOriginator object. More... | |
| struct | _SERIALIZER_EXCEPTION_UM_ORIGINATOR |
| Describes a serialized intObjUmOriginator object. More... | |
| struct | _SERIALIZER_EXCEPTION_VICTIM |
| Describes a serialized intObjVictim object. More... | |
| struct | _SERIALIZER_EPT |
| Describes a serialized intObjEpt object. More... | |
| struct | _SERIALIZER_MSR |
| Describes a serialized intObjMsr object. More... | |
| struct | _SERIALIZER_CR |
| Describes a serialized intObjCr object. More... | |
| struct | _SERIALIZER_DTR |
| Describes a serialized intObjDtr object. More... | |
| struct | _SERIALIZER_IDT |
| Describes a serialized intObjIdt object. More... | |
| struct | _SERIALIZER_INJECTION |
| Describes a serialized intObjInjection object. More... | |
| struct | _SERIALIZER_LIX_PROCESS |
| Describes a serialized intObjLixProcess object. More... | |
| struct | _SERIALIZER_WIN_PROCESS |
| Describes a serialized intObjWinProcess object. More... | |
| struct | _SERIALIZER_LIX_VMA |
| Describes a serialized intObjLixVma object. More... | |
| struct | _SERIALIZER_WIN_VAD |
| Describes a serialized intObjWinVad object. More... | |
| struct | _SERIALIZER_KERNEL_DRIVER |
| Describes a serialized intObjKernelDriver object. More... | |
| struct | _SERIALIZER_WIN_KERNEL_DRIVER |
| Describes a serialized intObjWinKernelDriver object. More... | |
| struct | _SERIALIZER_LIX_KERNEL_MODULE |
| Describes a serialized intObjLixKernelModule object. More... | |
| struct | _SERIALIZER_KERNEL_DRV_OBJECT |
| Describes a serialized intObjKernelDrvObject object. More... | |
| struct | _SERIALIZER_WIN_MODULE |
| Describes a serialized intObjWinModule object. More... | |
| struct | _SERIALIZER_INSTRUX |
| Describes a serialized intObjInstrux object. More... | |
| struct | _SERIALIZER_ARCH_REGS |
| Describes a serialized intObjArchRegs object. More... | |
| struct | _SERIALIZER_WRITE_INFO |
| Describes a serialized intObjWriteInfo object. More... | |
| struct | _SERIALIZER_READ_INFO |
| Describes a serialized intObjExecInfo object. More... | |
| struct | _SERIALIZER_EXEC_INFO |
| Describes a serialized intObjExecInfo object. More... | |
| struct | _SERIALIZER_CODE_BLOCKS |
| Describes a serialized intObjCodeBlocks object. More... | |
| struct | _SERIALIZER_RIP_CODE |
| Describes a serialized intObjRipCode object. More... | |
| struct | _SERIALIZER_RAW_DUMP |
| Describes a serialized intObjRawDump object. More... | |
| struct | _SERIALIZER_EXPORT |
| Describes a serialized intObjExport object. More... | |
| struct | _SERIALIZER_DPI_WIN_DEBUG |
| Describes a serialized intObjDpiWinDebug. More... | |
| struct | _SERIALIZER_DPI_WIN_STOLEN_TOKEN |
| Describes a serialized intObjDpiWinStolenToken. More... | |
| struct | _SERIALIZER_DPI_WIN_HEAP_SPRAY |
| Describes a serialized intObjDpiWinHeapSpray. More... | |
| struct | _SERIALIZER_DPI_WIN_THREAD_START |
| Describes a serialized intObjDpiWinThreadStart. More... | |
| struct | _SERIALIZER_DPI_WIN_TOKEN_PRIVS |
| Describes a serialized intObjDpiWinTokenPrivs. More... | |
| struct | _SERIALIZER_DPI_PIVOTED_STACK |
| Describes a serialized intObjDpiPivotedStack. More... | |
| struct | _SERIALIZER_DPI_WIN_SEC_DESC |
| Describes a serialized intObjDpiWinSecDesc. More... | |
| struct | _SERIALIZER_DPI_WIN_ACL_EDIT |
| Describes a serialized intObjDpiWinAclEdit. More... | |
| struct | _SERIALIZER_DPI |
| Describes a serialized intObjDpi object. More... | |
Functions | |
| static void | IntSerializeBlockToBase64 (const BYTE *In, BYTE *Out, size_t Length) |
| Converts the provided binary buffer to base64. More... | |
| static char * | IntSerializerBase64Get (DWORD *Length) |
| Converts the serialized buffer to base64. More... | |
| static DWORD | IntSerializeCurrentOffset (void) |
| Get the current offset (length) of the serialized buffer. More... | |
| static void | IntSerializeIncrementCurrentPtr (const DWORD Size) |
| Increment the current pointer to the serializer buffer with the provided size. More... | |
| static QWORD | IntSerializeCurrentId (void) |
| Increment the current serializer alert ID and returns it. More... | |
| static void | IntSerializeIncrementCurrentId (void) |
| Increment the current serializer alert ID. More... | |
| static void | IntSerializeDump (void) |
| Dumps the serialized buffer (base64 format). More... | |
| static BOOLEAN | IntSerializeValidObjectSize (DWORD Size) |
| Checks if the serializer buffer overflows. More... | |
| static void * | IntSerializeCurrentPtr (DWORD Size) |
| Returns the current pointer to serializer buffer and checks for overflows. More... | |
| static SERIALIZER_OBJECT_HEADER * | IntSerializeObjectHeader (const DWORD Version, const DWORD Type) |
| Creates a SERIALIZER_OBJECT_HEADER object and fill the fields with the provided parameters. More... | |
| static BOOLEAN | IntSerializeStringIsWcharAscii (const void *String, DWORD Size) |
| Checks if the provided string contains WCHARS. More... | |
| static void | IntSerializeString (const void *String, DWORD Size, DWORD Encode, SERIALIZER_OBJECT_HEADER *Header) |
| Serialize the provided string. More... | |
| static void | IntSerializeEpt (const EXCEPTION_VICTIM_EPT *Ept, const EXCEPTION_VICTIM_ZONE *Victim) |
| Serialize the provided EPT object. More... | |
| static void | IntSerializeCr (const EXCEPTION_VICTIM_CR *Cr) |
| Serialize the provided CR object. More... | |
| static void | IntSerializeIdt (const EXCEPTION_VICTIM_ZONE *Victim) |
| Serialize the provided IDT object. More... | |
| static void | IntSerializeMsr (const EXCEPTION_VICTIM_MSR *Msr) |
| Serialize the provided MSR object. More... | |
| static void | IntSerializeDtr (const EXCEPTION_VICTIM_DTR *Dtr) |
| Serialize the provided DTR object. More... | |
| static void | IntSerializeInjection (const EXCEPTION_VICTIM_INJECTION *Injection, const EXCEPTION_VICTIM_ZONE *Victim) |
| Serialize the provided Injection object. More... | |
| static void | IntSerializeWinProcess (const WIN_PROCESS_OBJECT *Process, const DWORD ObjectType) |
| Serialize the provided WIN_PROCESS_OBJECT object. More... | |
| static void | IntSerializeLixProcess (const LIX_TASK_OBJECT *Process, const DWORD ObjectType) |
| Serialize the provided LIX_TASK_OBJECT object. More... | |
| static void | IntSerializeProcess (void *Process, const DWORD ObjectType) |
| Serialize the provided process object. More... | |
| void | IntSerializeWinVad (const VAD *Vad) |
| Serialize the provided VAD object. More... | |
| static void | IntSerializeLixVma (const LIX_VMA *Vma) |
| Serialize the provided LIX_VMA object. More... | |
| static void | IntSerializeVad (const void *Vad) |
| Serialize the provided VAD/vma object. More... | |
| static void | IntSerializeWinKernelDriver (const KERNEL_DRIVER *Driver, DWORD ObjectType) |
| Serialize the provided KERNEL_DRIVER object. More... | |
| static void | IntSerializeLixKernelModule (const KERNEL_DRIVER *Driver, DWORD ObjecType) |
| Serialize the provided KERNEL_DRIVER object. More... | |
| static void | IntSerializeKernelDrvObject (const WIN_DRIVER_OBJECT *DrvObject) |
| Serialize the provided WIN_DRIVER_OBJECT object. More... | |
| static void | IntSerializeKernelDriver (const EXCEPTION_KM_ORIGINATOR *Originator, const KERNEL_DRIVER *Driver, const DWORD ObjectType) |
| Serialize the provided KERNEL_DRIVER object. More... | |
| static void | IntSerializeWinModule (const WIN_PROCESS_MODULE *Module, const DWORD ObjectType) |
| Serialize the provided WIN_PROCESS_MODULE object. More... | |
| void | IntSerializeInstruction (INSTRUX *Instruction, const QWORD Rip) |
| Serialize the provided INSTRUX object. More... | |
| static void | IntSerializeWriteInfo (const EXCEPTION_VICTIM_ZONE *Victim) |
| Serialize the write violation information. More... | |
| static void | IntSerializeReadInfo (const EXCEPTION_VICTIM_ZONE *Victim) |
| Serialize the read violation information. More... | |
| static void | IntSerializeExecInfo (const EXCEPTION_VICTIM_ZONE *Victim) |
| Serialize the execution violation information. More... | |
| static void | IntSerializeAccessInfo (const EXCEPTION_VICTIM_ZONE *Victim) |
| Serialize the read/write/exec violation information. More... | |
| static void | IntSerializeRawDump (const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim) |
| Serialize the raw dump for the injection violation. More... | |
| static void | IntSerializeRipCode (void) |
| Serialize the guest memory page that contains the RIP at which the violation attempt was detected. More... | |
| static void | IntSerializeCodeBlocksGetExtractRange (QWORD Rip, BOOLEAN Execute, DWORD *Start, DWORD *End) |
| Computes the range from which the code-blocks should be extracted. More... | |
| static CB_EXTRACT_LEVEL | IntSerializeCodeBlocksGetExtractLevel (QWORD Rip) |
| Get the code-blocks extraction level. More... | |
| static void | IntSerializeCodeBlocksPattern (CODE_BLOCK *CodeBlocks, DWORD Count, QWORD Rip, BOOLEAN Execute, SERIALIZER_CODE_BLOCKS *Object) |
| Iterates through all extracted code-blocks patterns and serialize the patterns. More... | |
| static INTSTATUS | IntSerializeExtractCodeBlocks (QWORD Rip, QWORD Cr3, BOOLEAN Execute, SERIALIZER_CODE_BLOCKS *Object) |
| Extract the code-blocks for the current exception. More... | |
| static void | IntSerializeCodeBlocks (QWORD Rip, QWORD Cr3, BOOLEAN Execute) |
| Serialize the extracted code-blocks for the current exception. More... | |
| static void | IntSerializeArchRegs (void) |
| Serialize the guest registers. More... | |
| static void | IntSerializeDpiWinDebug (const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim) |
| Serialize the DPI debug flags info (Windows). More... | |
| static void | IntSerializeDpiWinPivotedStack (const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim) |
| Serialize the DPI pivoted stack info (Windows). More... | |
| static void | IntSerializeDpiWinStolenToken (const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim) |
| Serialize the DPI stolen token info (Windows). More... | |
| static void | IntSerializeDpiWinHeapSpray (const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim) |
| Serialize the DPI heap spray info (Windows). More... | |
| static void | IntSerializeDpiWinTokenPrivs (const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim) |
| Serialize the DPI token privs info (Windows). More... | |
| static void | IntSerializeDpiWinThreadStart (const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim) |
| Serialize the DPI start thread info (Windows). More... | |
| static void | IntSerializeDpiWinSecDesc (const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim) |
| Serialize the DPI altered Security Descriptor info (Windows). More... | |
| static void | IntSerializeDpiWinAclEdit (const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim) |
| Serialize the DPI ACL edit info (Windows). More... | |
| static void | IntSerializeWinDpiInfo (const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim) |
| Serialize the DPI extra information. More... | |
| static void | IntSerializeDpi (const EXCEPTION_UM_ORIGINATOR *Originator) |
| Serialize the DPI flags. More... | |
| static void | IntSerializeExport (const EXCEPTION_VICTIM_ZONE *Victim) |
| Serialize the modified exports. More... | |
| static void | IntSerializeWinUmOriginator (const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim) |
| Serialize the information about windows user-mode originator. More... | |
| void | IntSerializeLixUmOriginator (const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim) |
| Serialize the information about Linux user-mode originator. More... | |
| static void | IntSerializeUmOriginator (const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim) |
| Serialize the information about user-mode originator. More... | |
| static void | IntSerializeLixUmVictim (const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim) |
| Serialize the information about Linux user-mode victim. More... | |
| static void | IntSerializeWinUmVictim (const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim) |
| Serialize the information about user-mode windows victim. More... | |
| static void | IntSerializeWinUmMisc (const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim) |
| Serialize the misc information for windows user-mode alert. More... | |
| static void | IntSerializeLixUmMisc (const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim) |
| Serialize the misc information for Linux user-mode alert. More... | |
| static void | IntSerializeUmMisc (const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim) |
| Serialize the misc information for user-mode alert. More... | |
| static void | IntSerializeUmVictim (const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim) |
| Serialize the information about user-mode victim. More... | |
| void | IntSerializeWinKmOriginator (const EXCEPTION_KM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim) |
| Serialize the information about windows kernel-mode originator. More... | |
| void | IntSerializeLixKmOriginator (const EXCEPTION_KM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim) |
| Serialize the information about Linux kernel-mode originator. More... | |
| void | IntSerializeKmOriginator (const EXCEPTION_KM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim) |
| Serialize the information about kernel-mode originator. More... | |
| static void | IntSerializeWinKmVictim (const EXCEPTION_KM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim) |
| Serialize the information about Windows kernel-mode victim. More... | |
| static void | IntSerializeLixKmVictim (const EXCEPTION_KM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim) |
| Serialize the information about Linux kernel-mode victim. More... | |
| static void | IntSerializeKmVictim (const EXCEPTION_KM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim) |
| Serialize the information about kernel-mode victim. More... | |
| static void | IntSerializeLixKmMisc (const EXCEPTION_KM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim) |
| Serialize the misc information for Linux kernel-mode alert. More... | |
| static void | IntSerializeWinKmMisc (const EXCEPTION_KM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim) |
| Serialize the misc information for windows kernel-mode alert. More... | |
| static void | IntSerializeKmMisc (const EXCEPTION_KM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim) |
| Serialize the misc information for kernel-mode alert. More... | |
| static void | IntSerializeHeader (SERIALIZER_EXCEPTION_TYPE SerializerType, INTRO_EVENT_TYPE EventClass) |
| Serialize the header of the serializer buffer. More... | |
| static void | IntSerializeKmException (const void *Originator, const void *Victim, INTRO_EVENT_TYPE EventClass) |
| Serialize the kernel-mode exception. More... | |
| static void | IntSerializeUmException (const void *Originator, const void *Victim, INTRO_EVENT_TYPE EventClass) |
| Serialize the user-mode exception. More... | |
| static void | IntSerializeKernelUserException (const void *Originator, const void *Victim, INTRO_EVENT_TYPE EventClass) |
| Serialize the kernel-user mode exception. More... | |
| void | IntSerializeStart (void) |
| Set the current serializer pointer to the beginning of the buffer and generated a new alert-ID. More... | |
| void | IntSerializeException (void *Victim, void *Originator, DWORD Type, INTRO_ACTION Action, INTRO_ACTION_REASON Reason, INTRO_EVENT_TYPE EventClass) |
| The entry point of the serializer; will serialize the provided exception if the violation is blocked or the feedback flag is set. More... | |
Variables | |
| static BYTE | gSerializerBuffer [MAX_SERIALIZER_LENGTH] = { 0 } |
| static BYTE * | gCurrentPtr = NULL |
| static QWORD | gSerializerCurrentId = 0 |
| static CODE_BLOCK_PATTERN | gCodeBlocksPattern [PAGE_SIZE/sizeof(CODE_BLOCK_PATTERN)] |
| static DWORD | gCodeBlocksPatternLength = 0 |
| static CODE_BLOCK | gCodeBlocks [PAGE_SIZE/sizeof(CODE_BLOCK)] |
| const char | gBase64Chars [] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" |
| static char | gBase64Buffer [Base64EncSize(sizeof(gSerializerBuffer))] = {0} |
| #define ARCH_REGS_SERIALIZER_VERSION 1 |
| #define Base64EncSize | ( | Length | ) | (((((Length) + 2) / 3) * 4) + 1) |
Definition at line 626 of file serializers.c.
Referenced by IntSerializerBase64Get().
| #define CODE_BLOCKS_SERIALIZER_VERSION 1 |
Referenced by IntSerializeCodeBlocks().
| #define DPI_SERIALIZER_VERSION 1 |
Referenced by IntSerializeDpi().
| #define DPI_WIN_ACL_SERIALIZER_VERSION 1 |
Referenced by IntSerializeDpiWinAclEdit().
| #define DPI_WIN_DEBUG_SERIALIZER_VERSION 1 |
Referenced by IntSerializeDpiWinDebug().
| #define DPI_WIN_HEAP_SPRAY_SERIALIZER_VERSION 1 |
Referenced by IntSerializeDpiWinHeapSpray().
| #define DPI_WIN_PIVOTET_STACK_SERIALIZER_VERSION 1 |
Referenced by IntSerializeDpiWinPivotedStack().
| #define DPI_WIN_SEC_DESC_SERIALIZER_VERSION 1 |
Referenced by IntSerializeDpiWinSecDesc().
| #define DPI_WIN_STOLEN_TOKEN_SERIALIZER_VERSION 1 |
Referenced by IntSerializeDpiWinStolenToken().
| #define DPI_WIN_THREAD_START_SERIALIZER_VERSION 1 |
Referenced by IntSerializeDpiWinThreadStart().
| #define DPI_WIN_TOKEN_PRIVS_SERIALIZER_VERSION 1 |
Referenced by IntSerializeDpiWinTokenPrivs().
| #define END_MISC_SERIALZIER_VERSION 1 |
Referenced by IntSerializeKmMisc(), and IntSerializeUmMisc().
| #define END_MISC_SERIALZIER_VERSION 1 |
| #define END_ORIGINATOR_SERIALZIER_VERSION 1 |
Referenced by IntSerializeKmOriginator(), and IntSerializeUmOriginator().
| #define END_VICTIM_SERIALZIER_VERSION 1 |
Referenced by IntSerializeKmVictim(), and IntSerializeUmVictim().
| #define EXEC_INFO_SERIALIZER_VERSION 1 |
Referenced by IntSerializeExecInfo().
| #define EXPORT_SERIALIZER_VERSION 1 |
Referenced by IntSerializeExport().
| #define INSTRUX_SERIALIZER_VERSION 1 |
Referenced by IntSerializeInstruction().
| #define KERNEL_DRIVER_SERIALIZER_VERSION 1 |
Referenced by IntSerializeKernelDriver().
| #define KERNEL_DRV_OBJECT_SERIALIZER_VERSION 1 |
Referenced by IntSerializeKernelDrvObject().
| #define KM_ORIGINATOR_SERIALZIER_VERSION 1 |
| #define KM_ORIGINATOR_SERIALZIER_VERSION 1 |
| #define LIX_KERNEL_MODULE_SERIALIZER_VERSION 1 |
Referenced by IntSerializeLixKernelModule().
| #define LIX_KM_VICTIM_SERIALIZER_VERSION 1 |
Referenced by IntSerializeLixKmVictim().
| #define LIX_PROCESS_SERIALIZER_VERSION 1 |
Referenced by IntSerializeLixProcess().
| #define LIX_VICTIM_SERIALIZER_VERSION 1 |
Referenced by IntSerializeLixUmVictim().
| #define LIX_VMA_SERIALIZER_VERSION 1 |
Referenced by IntSerializeLixVma().
| #define MAX_SERIALIZER_LENGTH (16 * ONE_KILOBYTE) |
Definition at line 614 of file serializers.c.
| #define RAW_DUMP_SERIALIZER_VERSION 1 |
Referenced by IntSerializeRawDump().
| #define READ_INFO_SERIALIZER_VERSION 1 |
Referenced by IntSerializeReadInfo().
| #define RIP_CODE_SERIALIZER_VERSION 1 |
Referenced by IntSerializeArchRegs(), and IntSerializeRipCode().
| #define START_MISC_SERIALZIER_VERSION 1 |
Referenced by IntSerializeKmMisc(), and IntSerializeUmMisc().
| #define START_MISC_SERIALZIER_VERSION 1 |
| #define START_ORIGINATOR_SERIALZIER_VERSION 1 |
Referenced by IntSerializeKmOriginator(), and IntSerializeUmOriginator().
| #define START_VICTIM_SERIALZIER_VERSION 1 |
Referenced by IntSerializeKmVictim(), and IntSerializeUmVictim().
| #define VICTIM_SERIALIZER_CR_VERSION 1 |
Referenced by IntSerializeCr().
| #define VICTIM_SERIALIZER_DTR_VERSION 1 |
Referenced by IntSerializeDtr().
| #define VICTIM_SERIALIZER_EPT_VERSION 1 |
Referenced by IntSerializeEpt().
| #define VICTIM_SERIALIZER_IDT_VERSION 1 |
Referenced by IntSerializeIdt().
| #define VICTIM_SERIALIZER_INJECTION_VERSION 1 |
Referenced by IntSerializeInjection().
| #define VICTIM_SERIALIZER_MSR_VERSION 1 |
Referenced by IntSerializeMsr().
| #define WIN_KERNEL_DRIVER_SERIALIZER_VERSION 1 |
Referenced by IntSerializeWinKernelDriver().
| #define WIN_KM_VICTIM_SERIALIZER_VERSION 1 |
Referenced by IntSerializeWinKmVictim().
| #define WIN_PROCESS_MODULE_SERIALIZER_VERSION 1 |
Referenced by IntSerializeWinModule().
| #define WIN_PROCESS_SERIALIZER_VERSION 1 |
Referenced by IntSerializeWinProcess().
| #define WIN_VAD_SERIALIZER_VERSION 1 |
Referenced by IntSerializeWinVad().
| #define WIN_VICTIM_SERIALIZER_VERSION 1 |
Referenced by IntSerializeWinUmVictim().
| #define WRITE_INFO_SERIALIZER_VERSION 1 |
Referenced by IntSerializeWriteInfo().
| typedef struct _SERIALIZER_ARCH_REGS * PSERIALIZER_ARCH_REGS |
| typedef struct _SERIALIZER_CODE_BLOCKS * PSERIALIZER_CODE_BLOCKS |
| typedef struct _SERIALIZER_CR * PSERIALIZER_CR |
| typedef struct _SERIALIZER_DPI * PSERIALIZER_DPI |
| typedef struct _SERIALIZER_DPI_PIVOTED_STACK * PSERIALIZER_DPI_PIVOTED_STACK |
| typedef struct _SERIALIZER_DPI_WIN_ACL_EDIT * PSERIALIZER_DPI_WIN_ACL_EDIT |
| typedef struct _SERIALIZER_DPI_WIN_DEBUG * PSERIALIZER_DPI_WIN_DEBUG |
| typedef struct _SERIALIZER_DPI_WIN_HEAP_SPRAY * PSERIALIZER_DPI_WIN_HEAP_SPRAY |
| typedef struct _SERIALIZER_DPI_WIN_SEC_DESC * PSERIALIZER_DPI_WIN_SEC_DESC |
| typedef struct _SERIALIZER_DPI_WIN_STOLEN_TOKEN * PSERIALIZER_DPI_WIN_STOLEN_TOKEN |
| typedef struct _SERIALIZER_DPI_WIN_THREAD_START * PSERIALIZER_DPI_WIN_THREAD_START |
| typedef struct _SERIALIZER_DPI_WIN_TOKEN_PRIVS * PSERIALIZER_DPI_WIN_TOKEN_PRIVS |
| typedef struct _SERIALIZER_DTR * PSERIALIZER_DTR |
| typedef struct _SERIALIZER_EPT * PSERIALIZER_EPT |
| typedef struct _SERIALIZER_EXCEPTION_KM_ORIGINATOR * PSERIALIZER_EXCEPTION_KM_ORIGINATOR |
| typedef struct _SERIALIZER_EXCEPTION_UM_ORIGINATOR * PSERIALIZER_EXCEPTION_UM_ORIGINATOR |
| typedef struct _SERIALIZER_EXCEPTION_VICTIM * PSERIALIZER_EXCEPTION_VICTIM |
| typedef struct _SERIALIZER_EXEC_INFO * PSERIALIZER_EXEC_INFO |
| typedef struct _SERIALIZER_EXPORT * PSERIALIZER_EXPORT |
| typedef struct _SERIALIZER_IDT * PSERIALIZER_IDT |
| typedef struct _SERIALIZER_INJECTION * PSERIALIZER_INJECTION |
| typedef struct _SERIALIZER_INSTRUX * PSERIALIZER_INSTRUX |
| typedef struct _SERIALIZER_KERNEL_DRIVER * PSERIALIZER_KERNEL_DRIVER |
| typedef struct _SERIALIZER_KERNEL_DRV_OBJECT * PSERIALIZER_KERNEL_DRV_OBJECT |
| typedef struct _SERIALIZER_LIX_KERNEL_MODULE * PSERIALIZER_LIX_KERNEL_MODULE |
| typedef struct _SERIALIZER_LIX_PROCESS * PSERIALIZER_LIX_PROCESS |
| typedef struct _SERIALIZER_LIX_VMA * PSERIALIZER_LIX_VMA |
| typedef struct _SERIALIZER_MSR * PSERIALIZER_MSR |
| typedef struct _SERIALIZER_RAW_DUMP * PSERIALIZER_RAW_DUMP |
| typedef struct _SERIALIZER_READ_INFO * PSERIALIZER_READ_INFO |
| typedef struct _SERIALIZER_RIP_CODE * PSERIALIZER_RIP_CODE |
| typedef struct _SERIALIZER_STRING * PSERIALIZER_STRING |
| typedef struct _SERIALIZER_WIN_KERNEL_DRIVER * PSERIALIZER_WIN_KERNEL_DRIVER |
| typedef struct _SERIALIZER_WIN_MODULE * PSERIALIZER_WIN_MODULE |
| typedef struct _SERIALIZER_WIN_PROCESS * PSERIALIZER_WIN_PROCESS |
| typedef struct _SERIALIZER_WIN_VAD * PSERIALIZER_WIN_VAD |
| typedef struct _SERIALIZER_WRITE_INFO * PSERIALIZER_WRITE_INFO |
| typedef struct _SERIALIZER_ARCH_REGS SERIALIZER_ARCH_REGS |
Describes a serialized intObjArchRegs object.
| typedef struct _SERIALIZER_CODE_BLOCKS SERIALIZER_CODE_BLOCKS |
Describes a serialized intObjCodeBlocks object.
| typedef struct _SERIALIZER_CR SERIALIZER_CR |
Describes a serialized intObjCr object.
| typedef struct _SERIALIZER_DPI SERIALIZER_DPI |
Describes a serialized intObjDpi object.
| typedef struct _SERIALIZER_DPI_PIVOTED_STACK SERIALIZER_DPI_PIVOTED_STACK |
Describes a serialized intObjDpiPivotedStack.
| typedef struct _SERIALIZER_DPI_WIN_ACL_EDIT SERIALIZER_DPI_WIN_ACL_EDIT |
Describes a serialized intObjDpiWinAclEdit.
| typedef struct _SERIALIZER_DPI_WIN_DEBUG SERIALIZER_DPI_WIN_DEBUG |
Describes a serialized intObjDpiWinDebug.
| typedef struct _SERIALIZER_DPI_WIN_HEAP_SPRAY SERIALIZER_DPI_WIN_HEAP_SPRAY |
Describes a serialized intObjDpiWinHeapSpray.
| typedef struct _SERIALIZER_DPI_WIN_SEC_DESC SERIALIZER_DPI_WIN_SEC_DESC |
Describes a serialized intObjDpiWinSecDesc.
| typedef struct _SERIALIZER_DPI_WIN_STOLEN_TOKEN SERIALIZER_DPI_WIN_STOLEN_TOKEN |
Describes a serialized intObjDpiWinStolenToken.
| typedef struct _SERIALIZER_DPI_WIN_THREAD_START SERIALIZER_DPI_WIN_THREAD_START |
Describes a serialized intObjDpiWinThreadStart.
| typedef struct _SERIALIZER_DPI_WIN_TOKEN_PRIVS SERIALIZER_DPI_WIN_TOKEN_PRIVS |
Describes a serialized intObjDpiWinTokenPrivs.
| typedef struct _SERIALIZER_DTR SERIALIZER_DTR |
Describes a serialized intObjDtr object.
| typedef struct _SERIALIZER_EPT SERIALIZER_EPT |
Describes a serialized intObjEpt object.
Describes a serialized intObjKmOriginator object.
| typedef enum _SERIALIZER_EXCEPTION_TYPE SERIALIZER_EXCEPTION_TYPE |
Describes the serialized exception type.
Describes a serialized intObjUmOriginator object.
| typedef struct _SERIALIZER_EXCEPTION_VICTIM SERIALIZER_EXCEPTION_VICTIM |
Describes a serialized intObjVictim object.
| typedef struct _SERIALIZER_EXEC_INFO SERIALIZER_EXEC_INFO |
Describes a serialized intObjExecInfo object.
| typedef struct _SERIALIZER_EXPORT SERIALIZER_EXPORT |
Describes a serialized intObjExport object.
| typedef struct _SERIALIZER_HEADER SERIALIZER_HEADER |
Describes the header of the serializer buffer.
| typedef struct _SERIALIZER_IDT SERIALIZER_IDT |
Describes a serialized intObjIdt object.
| typedef struct _SERIALIZER_INJECTION SERIALIZER_INJECTION |
Describes a serialized intObjInjection object.
| typedef struct _SERIALIZER_INSTRUX SERIALIZER_INSTRUX |
Describes a serialized intObjInstrux object.
| typedef struct _SERIALIZER_KERNEL_DRIVER SERIALIZER_KERNEL_DRIVER |
Describes a serialized intObjKernelDriver object.
| typedef struct _SERIALIZER_KERNEL_DRV_OBJECT SERIALIZER_KERNEL_DRV_OBJECT |
Describes a serialized intObjKernelDrvObject object.
| typedef struct _SERIALIZER_LIX_KERNEL_MODULE SERIALIZER_LIX_KERNEL_MODULE |
Describes a serialized intObjLixKernelModule object.
| typedef struct _SERIALIZER_LIX_PROCESS SERIALIZER_LIX_PROCESS |
Describes a serialized intObjLixProcess object.
| typedef struct _SERIALIZER_LIX_VMA SERIALIZER_LIX_VMA |
Describes a serialized intObjLixVma object.
| typedef struct _SERIALIZER_MSR SERIALIZER_MSR |
Describes a serialized intObjMsr object.
| typedef struct _SERIALIZER_OBJECT_HEADER SERIALIZER_OBJECT_HEADER |
Describes the header for each serialized item.
| typedef struct _SERIALIZER_RAW_DUMP SERIALIZER_RAW_DUMP |
Describes a serialized intObjRawDump object.
| typedef struct _SERIALIZER_READ_INFO SERIALIZER_READ_INFO |
Describes a serialized intObjExecInfo object.
| typedef struct _SERIALIZER_RIP_CODE SERIALIZER_RIP_CODE |
Describes a serialized intObjRipCode object.
| typedef struct _SERIALIZER_STRING SERIALIZER_STRING |
Describes a serialized string.
| typedef struct _SERIALIZER_WIN_KERNEL_DRIVER SERIALIZER_WIN_KERNEL_DRIVER |
Describes a serialized intObjWinKernelDriver object.
| typedef struct _SERIALIZER_WIN_MODULE SERIALIZER_WIN_MODULE |
Describes a serialized intObjWinModule object.
| typedef struct _SERIALIZER_WIN_PROCESS SERIALIZER_WIN_PROCESS |
Describes a serialized intObjWinProcess object.
| typedef struct _SERIALIZER_WIN_VAD SERIALIZER_WIN_VAD |
Describes a serialized intObjWinVad object.
| typedef struct _SERIALIZER_WRITE_INFO SERIALIZER_WRITE_INFO |
Describes a serialized intObjWriteInfo object.
| anonymous enum |
Describes the type of a serialize object.
Definition at line 538 of file serializers.c.
| anonymous enum |
Describes the encoding type of a string.
| Enumerator | |
|---|---|
| stringEncodeUtf8 | The string encoding type 'utf-8'. |
| stringEncodeUtf16 | The string encoding type 'utf-16'. |
Definition at line 608 of file serializers.c.
Describes the serialized exception type.
| Enumerator | |
|---|---|
| serializerExceptionTypeKm | Used for kernel-mode exceptions. |
| serializerExceptionTypeUm | Used for user-mode exceptions. |
| serializerExceptionTypeKmUm | Used for kernel-user mode exceptions. |
Definition at line 19 of file serializers.c.
|
static |
Serialize the read/write/exec violation information.
| [in] | Victim | The victim object. ` |
Definition at line 1879 of file serializers.c.
Referenced by IntSerializeLixKmMisc(), IntSerializeLixUmMisc(), IntSerializeWinKmMisc(), and IntSerializeWinUmMisc().
|
static |
Serialize the guest registers.
Definition at line 2385 of file serializers.c.
Referenced by IntSerializeLixKmMisc(), and IntSerializeWinKmMisc().
Converts the provided binary buffer to base64.
| [in] | In | The input buffer. |
| [out] | Out | The output buffer. |
| [in] | Length | The length of the input buffer. |
Definition at line 633 of file serializers.c.
Referenced by IntSerializerBase64Get().
Serialize the extracted code-blocks for the current exception.
| [in] | Rip | The value of the guest RIP at the moment of the alert. |
| [in] | Cr3 | The value |
| [in] | Execute | If the alert is an execution attempt. |
Definition at line 2339 of file serializers.c.
Referenced by IntSerializeLixKmMisc(), IntSerializeLixUmMisc(), IntSerializeLixUmOriginator(), IntSerializeWinKmMisc(), and IntSerializeWinUmMisc().
|
static |
Get the code-blocks extraction level.
| [in] | Rip | The value of the guest RIP at the moment of the alert. |
Definition at line 2051 of file serializers.c.
Referenced by IntSerializeExtractCodeBlocks().
|
static |
Computes the range from which the code-blocks should be extracted.
For execute violation the end offset may be in the next page.
| [in] | Rip | The value of the guest RIP at the moment of the alert. |
| [in] | Execute | If the alert is an execution attempt. |
| [out] | Start | The start offset relative to the RIP's page. |
| [out] | End | The end offset relative to the RIP's page. |
Definition at line 1996 of file serializers.c.
Referenced by IntSerializeExtractCodeBlocks().
|
static |
Iterates through all extracted code-blocks patterns and serialize the patterns.
| [in] | CodeBlocks | An array of code-blocks pattern. |
| [in] | Count | The number of code-blocks pattern from CodeBlocks. |
| [in] | Rip | The value of the guest RIP at the moment of the alert. |
| [in] | Execute | If the alert is an execution attempt. |
| [in] | Object | The serializer header object. |
Definition at line 2088 of file serializers.c.
Referenced by IntSerializeExtractCodeBlocks().
|
static |
Serialize the provided CR object.
| [in] | Cr | The CR violation. |
Definition at line 1022 of file serializers.c.
Referenced by IntSerializeLixKmVictim(), and IntSerializeWinKmVictim().
|
static |
Increment the current serializer alert ID and returns it.
| The | current serializer alert ID. |
Definition at line 717 of file serializers.c.
Referenced by IntSerializeDump().
|
static |
Get the current offset (length) of the serialized buffer.
| The | current offset (length) of the serialized buffer. |
Definition at line 689 of file serializers.c.
|
static |
Returns the current pointer to serializer buffer and checks for overflows.
| [in] | Size | The size of the object. |
| A | pointer inside the gSerializerBuffer, otherwise, if the buffer overflows, a null pointer. |
Definition at line 795 of file serializers.c.
Referenced by IntSerializeArchRegs(), IntSerializeCodeBlocks(), IntSerializeCr(), IntSerializeDpi(), IntSerializeDpiWinAclEdit(), IntSerializeDpiWinDebug(), IntSerializeDpiWinHeapSpray(), IntSerializeDpiWinPivotedStack(), IntSerializeDpiWinSecDesc(), IntSerializeDpiWinStolenToken(), IntSerializeDpiWinThreadStart(), IntSerializeDpiWinTokenPrivs(), IntSerializeDtr(), IntSerializeEpt(), IntSerializeExecInfo(), IntSerializeExport(), IntSerializeHeader(), IntSerializeIdt(), IntSerializeInjection(), IntSerializeInstruction(), IntSerializeKernelDriver(), IntSerializeKernelDrvObject(), IntSerializeLixKernelModule(), IntSerializeLixKmVictim(), IntSerializeLixProcess(), IntSerializeLixUmVictim(), IntSerializeLixVma(), IntSerializeMsr(), IntSerializeObjectHeader(), IntSerializeRawDump(), IntSerializeReadInfo(), IntSerializeRipCode(), IntSerializeString(), IntSerializeWinKernelDriver(), IntSerializeWinKmVictim(), IntSerializeWinModule(), IntSerializeWinProcess(), IntSerializeWinUmVictim(), IntSerializeWinVad(), and IntSerializeWriteInfo().
|
static |
Serialize the DPI flags.
| [in] | Originator | The originator object. |
Definition at line 2869 of file serializers.c.
Referenced by IntSerializeLixUmMisc(), and IntSerializeWinUmMisc().
|
static |
Serialize the DPI ACL edit info (Windows).
| [in] | Originator | The originator object. |
| [in] | Victim | The victim object. |
Definition at line 2774 of file serializers.c.
Referenced by IntSerializeWinDpiInfo().
|
static |
Serialize the DPI debug flags info (Windows).
| [in] | Originator | The originator object. |
| [in] | Victim | The victim object. |
Definition at line 2414 of file serializers.c.
Referenced by IntSerializeWinDpiInfo().
|
static |
Serialize the DPI heap spray info (Windows).
| [in] | Originator | The originator object. |
| [in] | Victim | The victim object. |
Definition at line 2551 of file serializers.c.
Referenced by IntSerializeWinDpiInfo().
|
static |
Serialize the DPI pivoted stack info (Windows).
| [in] | Originator | The originator object. |
| [in] | Victim | The victim object. |
Definition at line 2456 of file serializers.c.
Referenced by IntSerializeWinDpiInfo().
|
static |
Serialize the DPI altered Security Descriptor info (Windows).
| [in] | Originator | The originator object. |
| [in] | Victim | The victim object. |
Definition at line 2721 of file serializers.c.
Referenced by IntSerializeWinDpiInfo().
|
static |
Serialize the DPI stolen token info (Windows).
| [in] | Originator | The originator object. |
| [in] | Victim | The victim object. |
Definition at line 2508 of file serializers.c.
Referenced by IntSerializeWinDpiInfo().
|
static |
Serialize the DPI start thread info (Windows).
| [in] | Originator | The originator object. |
| [in] | Victim | The victim object. |
Definition at line 2676 of file serializers.c.
Referenced by IntSerializeWinDpiInfo().
|
static |
Serialize the DPI token privs info (Windows).
| [in] | Originator | The originator object. |
| [in] | Victim | The victim object. |
Definition at line 2631 of file serializers.c.
Referenced by IntSerializeWinDpiInfo().
|
static |
Serialize the provided DTR object.
| [in] | Dtr | The DTR violation. |
Definition at line 1119 of file serializers.c.
Referenced by IntSerializeLixKmVictim(), and IntSerializeWinKmVictim().
|
static |
Dumps the serialized buffer (base64 format).
Definition at line 743 of file serializers.c.
Referenced by IntSerializeException().
|
static |
Serialize the provided EPT object.
| [in] | Ept | The EPT violation. |
| [in] | Victim | The victim object. |
Definition at line 973 of file serializers.c.
Referenced by IntSerializeLixKmVictim(), IntSerializeLixUmMisc(), IntSerializeWinKmMisc(), IntSerializeWinKmVictim(), and IntSerializeWinUmMisc().
| void IntSerializeException | ( | void * | Victim, |
| void * | Originator, | ||
| DWORD | Type, | ||
| INTRO_ACTION | Action, | ||
| INTRO_ACTION_REASON | Reason, | ||
| INTRO_EVENT_TYPE | EventClass | ||
| ) |
The entry point of the serializer; will serialize the provided exception if the violation is blocked or the feedback flag is set.
The base64 buffer is logged.
| [in] | Originator | The originator object. |
| [in] | Victim | The victim object. |
| [in] | Type | The type of the exception (user-mode/kernel-mode). |
| [in] | Action | The action that was taken as the result of this alert. |
| [in] | Reason | The reason for which Action was taken. |
| [in] | EventClass | The type of event. |
Definition at line 3713 of file serializers.c.
|
static |
Serialize the execution violation information.
| [in] | Victim | The victim object. |
Definition at line 1840 of file serializers.c.
Referenced by IntSerializeAccessInfo().
|
static |
Serialize the modified exports.
| [in] | Victim | The victim object. |
Definition at line 2900 of file serializers.c.
Referenced by IntSerializeWinKmMisc(), and IntSerializeWinUmMisc().
|
static |
Extract the code-blocks for the current exception.
This function calls the _IntSerializeCodeBlocksPattern to serialize the extracted code-blocks.
| [in] | Rip | The value of the guest RIP at the moment of the alert. |
| [in] | Cr3 | The value |
| [in] | Execute | If the alert is an execution attempt. |
| [in] | Object | The serializer header object. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_DATA_BUFFER_TOO_SMALL | If the we could not extract enough code-blocks. |
Definition at line 2177 of file serializers.c.
Referenced by IntSerializeCodeBlocks().
|
static |
Serialize the header of the serializer buffer.
| [in] | SerializerType | The type of the serializer exception. |
| [in] | EventClass | The type of event. |
Definition at line 3607 of file serializers.c.
Referenced by IntSerializeKernelUserException(), IntSerializeKmException(), and IntSerializeUmException().
|
static |
Serialize the provided IDT object.
| [in] | Victim | The victim object. |
Definition at line 1054 of file serializers.c.
Referenced by IntSerializeWinKmVictim().
|
static |
Increment the current serializer alert ID.
Definition at line 731 of file serializers.c.
Referenced by IntSerializeStart().
|
static |
Increment the current pointer to the serializer buffer with the provided size.
| [in] | Size | The size to increment with. |
Definition at line 703 of file serializers.c.
Referenced by IntSerializeArchRegs(), IntSerializeCodeBlocks(), IntSerializeCr(), IntSerializeDpi(), IntSerializeDpiWinAclEdit(), IntSerializeDpiWinDebug(), IntSerializeDpiWinHeapSpray(), IntSerializeDpiWinPivotedStack(), IntSerializeDpiWinSecDesc(), IntSerializeDpiWinStolenToken(), IntSerializeDpiWinThreadStart(), IntSerializeDpiWinTokenPrivs(), IntSerializeDtr(), IntSerializeEpt(), IntSerializeExecInfo(), IntSerializeExport(), IntSerializeHeader(), IntSerializeIdt(), IntSerializeInjection(), IntSerializeInstruction(), IntSerializeKernelDriver(), IntSerializeKernelDrvObject(), IntSerializeLixKernelModule(), IntSerializeLixKmVictim(), IntSerializeLixProcess(), IntSerializeLixUmVictim(), IntSerializeLixVma(), IntSerializeMsr(), IntSerializeObjectHeader(), IntSerializeRawDump(), IntSerializeReadInfo(), IntSerializeRipCode(), IntSerializeString(), IntSerializeWinKernelDriver(), IntSerializeWinKmVictim(), IntSerializeWinModule(), IntSerializeWinProcess(), IntSerializeWinUmVictim(), IntSerializeWinVad(), and IntSerializeWriteInfo().
|
static |
Serialize the provided Injection object.
| [in] | Injection | The injection violation. |
| [in] | Victim | The victim object. |
Definition at line 1151 of file serializers.c.
Referenced by IntSerializeLixUmMisc(), and IntSerializeWinUmMisc().
| void IntSerializeInstruction | ( | INSTRUX * | Instruction, |
| const QWORD | Rip | ||
| ) |
Serialize the provided INSTRUX object.
| [in] | Instruction | The instruction object. |
| [in] | Rip | The value of the guest RIP register when the event was generated |
Definition at line 1726 of file serializers.c.
Referenced by IntSerializeLixKmMisc(), IntSerializeLixKmOriginator(), IntSerializeLixUmOriginator(), IntSerializeWinKmMisc(), and IntSerializeWinUmMisc().
|
static |
Serialize the provided KERNEL_DRIVER object.
| [in] | Originator | The originator object. |
| [in] | Driver | The kernel-driver object. |
| [in] | ObjectType | The type of the kernel-driver (intObjKernelDriver, intObjKernelDriverReturn). |
Definition at line 1590 of file serializers.c.
Referenced by IntSerializeLixKmOriginator(), IntSerializeLixKmVictim(), IntSerializeWinKmOriginator(), and IntSerializeWinKmVictim().
|
static |
Serialize the provided WIN_DRIVER_OBJECT object.
| [in] | DrvObject | The windows drv-obj object. |
Definition at line 1550 of file serializers.c.
Referenced by IntSerializeWinKmVictim().
|
static |
Serialize the kernel-user mode exception.
| [in] | Originator | The originator object. |
| [in] | Victim | The victim object. |
| [in] | EventClass | The type of event. |
Definition at line 3679 of file serializers.c.
Referenced by IntSerializeException().
|
static |
Serialize the kernel-mode exception.
| [in] | Originator | The originator object. |
| [in] | Victim | The victim object. |
| [in] | EventClass | The type of event. |
Definition at line 3635 of file serializers.c.
Referenced by IntSerializeException().
|
static |
Serialize the misc information for kernel-mode alert.
| [in] | Originator | The originator object. |
| [in] | Victim | The victim object. |
Definition at line 3574 of file serializers.c.
Referenced by IntSerializeKernelUserException(), and IntSerializeKmException().
| void IntSerializeKmOriginator | ( | const EXCEPTION_KM_ORIGINATOR * | Originator, |
| const EXCEPTION_VICTIM_ZONE * | Victim | ||
| ) |
Serialize the information about kernel-mode originator.
| [in] | Originator | The originator object. |
| [in] | Victim | The victim object. |
Definition at line 3314 of file serializers.c.
Referenced by IntSerializeKernelUserException(), and IntSerializeKmException().
|
static |
Serialize the information about kernel-mode victim.
| [in] | Originator | The originator object. |
| [in] | Victim | The victim object. |
Definition at line 3492 of file serializers.c.
Referenced by IntSerializeKmException().
|
static |
Serialize the provided KERNEL_DRIVER object.
| [in] | Driver | The Linux kernel-module object. |
| [in] | ObjecType | The type of serializer object. |
Definition at line 1508 of file serializers.c.
Referenced by IntSerializeKernelDriver().
|
static |
Serialize the misc information for Linux kernel-mode alert.
| [in] | Originator | The originator object. |
| [in] | Victim | The victim object. |
Definition at line 3520 of file serializers.c.
Referenced by IntSerializeKmMisc().
| void IntSerializeLixKmOriginator | ( | const EXCEPTION_KM_ORIGINATOR * | Originator, |
| const EXCEPTION_VICTIM_ZONE * | Victim | ||
| ) |
Serialize the information about Linux kernel-mode originator.
| [in] | Originator | The originator object. |
| [in] | Victim | The victim object. |
Definition at line 3291 of file serializers.c.
Referenced by IntSerializeKmOriginator().
|
static |
Serialize the information about Linux kernel-mode victim.
| [in] | Originator | The originator object. |
| [in] | Victim | The victim object. |
Definition at line 3420 of file serializers.c.
Referenced by IntSerializeKmVictim().
|
static |
Serialize the provided LIX_TASK_OBJECT object.
| [in] | Process | The process object. |
| [in] | ObjectType | The type of the provided process (intObjLixProcess, intObjLixProcessParent). |
Definition at line 1266 of file serializers.c.
Referenced by IntSerializeProcess().
|
static |
Serialize the misc information for Linux user-mode alert.
| [in] | Originator | The originator object. |
| [in] | Victim | The victim object. |
Definition at line 3175 of file serializers.c.
Referenced by IntSerializeUmMisc().
| void IntSerializeLixUmOriginator | ( | const EXCEPTION_UM_ORIGINATOR * | Originator, |
| const EXCEPTION_VICTIM_ZONE * | Victim | ||
| ) |
Serialize the information about Linux user-mode originator.
| [in] | Originator | The originator object. |
| [in] | Victim | The victim object. |
Definition at line 2979 of file serializers.c.
Referenced by IntSerializeUmOriginator().
|
static |
Serialize the information about Linux user-mode victim.
| [in] | Originator | The originator object. |
| [in] | Victim | The victim object. |
Definition at line 3032 of file serializers.c.
Referenced by IntSerializeUmVictim().
|
static |
Serialize the provided LIX_VMA object.
| [in] | Vma | The Linux VMA object. |
Definition at line 1393 of file serializers.c.
Referenced by IntSerializeVad().
|
static |
Serialize the provided MSR object.
| [in] | Msr | The MSR violation. |
Definition at line 1087 of file serializers.c.
Referenced by IntSerializeLixKmVictim(), and IntSerializeWinKmVictim().
|
static |
Creates a SERIALIZER_OBJECT_HEADER object and fill the fields with the provided parameters.
| [in] | Version | The version of the header object. |
| [in] | Type | The type of the header object. |
| A | pointer to the newly created object. |
| NULL | if the gSerializerBuffer overflows. |
Definition at line 816 of file serializers.c.
Referenced by IntSerializeArchRegs(), IntSerializeCodeBlocks(), IntSerializeCr(), IntSerializeDpi(), IntSerializeDpiWinAclEdit(), IntSerializeDpiWinDebug(), IntSerializeDpiWinHeapSpray(), IntSerializeDpiWinPivotedStack(), IntSerializeDpiWinSecDesc(), IntSerializeDpiWinStolenToken(), IntSerializeDpiWinThreadStart(), IntSerializeDpiWinTokenPrivs(), IntSerializeDtr(), IntSerializeEpt(), IntSerializeExecInfo(), IntSerializeExport(), IntSerializeIdt(), IntSerializeInjection(), IntSerializeInstruction(), IntSerializeKernelDriver(), IntSerializeKernelDrvObject(), IntSerializeKmMisc(), IntSerializeKmOriginator(), IntSerializeKmVictim(), IntSerializeLixKernelModule(), IntSerializeLixKmVictim(), IntSerializeLixProcess(), IntSerializeLixUmVictim(), IntSerializeLixVma(), IntSerializeMsr(), IntSerializeRawDump(), IntSerializeReadInfo(), IntSerializeRipCode(), IntSerializeUmMisc(), IntSerializeUmOriginator(), IntSerializeUmVictim(), IntSerializeWinKernelDriver(), IntSerializeWinKmVictim(), IntSerializeWinModule(), IntSerializeWinProcess(), IntSerializeWinUmVictim(), IntSerializeWinVad(), and IntSerializeWriteInfo().
|
static |
Serialize the provided process object.
| [in] | Process | The process object. |
| [in] | ObjectType | The type of the provided process. |
Definition at line 1321 of file serializers.c.
Referenced by IntSerializeLixUmOriginator(), IntSerializeLixUmVictim(), IntSerializeWinUmOriginator(), and IntSerializeWinUmVictim().
|
static |
Serialize the raw dump for the injection violation.
| [in] | Originator | The originator object. |
| [in] | Victim | The victim object. |
Definition at line 1904 of file serializers.c.
Referenced by IntSerializeLixUmMisc(), and IntSerializeWinUmMisc().
|
static |
Converts the serialized buffer to base64.
| [out] | Length | The length of the base64 buffer. |
| A | pointer to the beginning of the base64 buffer. |
Definition at line 654 of file serializers.c.
Referenced by IntSerializeDump().
|
static |
Serialize the read violation information.
| [in] | Victim | The victim object. |
Definition at line 1803 of file serializers.c.
Referenced by IntSerializeAccessInfo().
|
static |
Serialize the guest memory page that contains the RIP at which the violation attempt was detected.
Definition at line 1956 of file serializers.c.
Referenced by IntSerializeLixKmMisc(), IntSerializeLixUmMisc(), IntSerializeWinKmMisc(), and IntSerializeWinUmMisc().
| void IntSerializeStart | ( | void | ) |
Set the current serializer pointer to the beginning of the buffer and generated a new alert-ID.
Definition at line 3700 of file serializers.c.
Referenced by IntSerializeException().
|
static |
Serialize the provided string.
| [in] | String | A string. |
| [in] | Size | The size of the string. |
| [in] | Encode | The encode type of string. |
| [out] | Header | The header of the serialized object. |
Definition at line 876 of file serializers.c.
Referenced by IntSerializeExport(), IntSerializeKernelDriver(), IntSerializeKernelDrvObject(), IntSerializeLixKernelModule(), IntSerializeLixProcess(), IntSerializeLixVma(), IntSerializeWinKernelDriver(), IntSerializeWinModule(), IntSerializeWinProcess(), and IntSerializeWinVad().
Checks if the provided string contains WCHARS.
| [in] | String | A string. |
| [in] | Size | The size of the string. |
| True | if the provided string contains WCHARs, otherwise false. |
Definition at line 848 of file serializers.c.
Referenced by IntSerializeString().
|
static |
Serialize the user-mode exception.
| [in] | Originator | The originator object. |
| [in] | Victim | The victim object. |
| [in] | EventClass | The type of event. |
Definition at line 3657 of file serializers.c.
Referenced by IntSerializeException().
|
static |
Serialize the misc information for user-mode alert.
| [in] | Originator | The originator object. |
| [in] | Victim | The victim object. |
Definition at line 3210 of file serializers.c.
Referenced by IntSerializeUmException().
|
static |
Serialize the information about user-mode originator.
| [in] | Originator | The originator object. |
| [in] | Victim | The victim object. |
Definition at line 3001 of file serializers.c.
Referenced by IntSerializeUmException().
|
static |
Serialize the information about user-mode victim.
| [in] | Originator | The originator object. |
| [in] | Victim | The victim object. |
Definition at line 3240 of file serializers.c.
Referenced by IntSerializeKernelUserException(), and IntSerializeUmException().
|
static |
Serialize the provided VAD/vma object.
| [in] | Vad | The VAD/vma object. |
Definition at line 1447 of file serializers.c.
Referenced by IntSerializeLixUmVictim(), and IntSerializeWinUmVictim().
Checks if the serializer buffer overflows.
| [in] | Size | The size of the object. |
| True | if the buffer doesn't overflows, otherwise false. |
Definition at line 768 of file serializers.c.
Referenced by IntSerializeCurrentPtr(), and IntSerializeExtractCodeBlocks().
|
static |
Serialize the DPI extra information.
| [in] | Originator | The originator object. |
| [in] | Victim | The victim object. |
Definition at line 2817 of file serializers.c.
Referenced by IntSerializeWinUmMisc().
|
static |
Serialize the provided KERNEL_DRIVER object.
| [in] | Driver | The windows kernel-driver object. |
| [in] | ObjectType | The type of serializer object. |
Definition at line 1468 of file serializers.c.
Referenced by IntSerializeKernelDriver().
|
static |
Serialize the misc information for windows kernel-mode alert.
| [in] | Originator | The originator object. |
| [in] | Victim | The victim object. |
Definition at line 3543 of file serializers.c.
Referenced by IntSerializeKmMisc().
| void IntSerializeWinKmOriginator | ( | const EXCEPTION_KM_ORIGINATOR * | Originator, |
| const EXCEPTION_VICTIM_ZONE * | Victim | ||
| ) |
Serialize the information about windows kernel-mode originator.
| [in] | Originator | The originator object. |
| [in] | Victim | The victim object. |
Definition at line 3270 of file serializers.c.
Referenced by IntSerializeKmOriginator().
|
static |
Serialize the information about Windows kernel-mode victim.
| [in] | Originator | The originator object. |
| [in] | Victim | The victim object. |
Definition at line 3341 of file serializers.c.
Referenced by IntSerializeKmVictim().
|
static |
Serialize the provided WIN_PROCESS_MODULE object.
| [in] | Module | The windows module object. |
| [in] | ObjectType | The type of the windows module. (intObjWinModule, intObjWinModuleReturn). |
Definition at line 1685 of file serializers.c.
Referenced by IntSerializeWinUmOriginator(), and IntSerializeWinUmVictim().
|
static |
Serialize the provided WIN_PROCESS_OBJECT object.
| [in] | Process | The process object. |
| [in] | ObjectType | The type of the provided process (intObjWinProcess, intObjWinProcessParent). |
Definition at line 1212 of file serializers.c.
Referenced by IntSerializeDpiWinDebug(), IntSerializeDpiWinSecDesc(), IntSerializeDpiWinStolenToken(), and IntSerializeProcess().
|
static |
Serialize the misc information for windows user-mode alert.
| [in] | Originator | The originator object. |
| [in] | Victim | The victim object. |
Definition at line 3127 of file serializers.c.
Referenced by IntSerializeUmMisc().
|
static |
Serialize the information about windows user-mode originator.
| [in] | Originator | The originator object. |
| [in] | Victim | The victim object. |
Definition at line 2953 of file serializers.c.
Referenced by IntSerializeUmOriginator().
|
static |
Serialize the information about user-mode windows victim.
| [in] | Originator | The originator object. |
| [in] | Victim | The victim object. |
Definition at line 3074 of file serializers.c.
Referenced by IntSerializeUmVictim().
| void IntSerializeWinVad | ( | const VAD * | Vad | ) |
Serialize the provided VAD object.
| [in] | Vad | The windows VAD object. |
Definition at line 1344 of file serializers.c.
Referenced by IntSerializeVad().
|
static |
Serialize the write violation information.
| [in] | Victim | The victim object. |
Definition at line 1765 of file serializers.c.
Referenced by IntSerializeAccessInfo().
|
static |
Definition at line 628 of file serializers.c.
Referenced by IntSerializerBase64Get().
| const char gBase64Chars[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" |
Definition at line 624 of file serializers.c.
Referenced by IntSerializeBlockToBase64().
|
static |
Definition at line 622 of file serializers.c.
Referenced by IntAlertFillCodeBlocks(), IntSerializeCodeBlocksPattern(), and IntSerializeExtractCodeBlocks().
|
static |
Definition at line 620 of file serializers.c.
Referenced by IntSerializeExtractCodeBlocks().
|
static |
Definition at line 621 of file serializers.c.
Referenced by IntSerializeExtractCodeBlocks().
|
static |
Definition at line 617 of file serializers.c.
Referenced by IntSerializeCurrentOffset(), IntSerializeCurrentPtr(), IntSerializeIncrementCurrentPtr(), IntSerializerBase64Get(), IntSerializeStart(), and IntSerializeValidObjectSize().
|
static |
Definition at line 616 of file serializers.c.
Referenced by IntSerializeCurrentOffset(), IntSerializerBase64Get(), IntSerializeStart(), and IntSerializeValidObjectSize().
|
static |
Definition at line 618 of file serializers.c.
Referenced by IntSerializeCurrentId(), and IntSerializeIncrementCurrentId().
1.8.13