Bitdefender Hypervisor Memory Introspection
serializers.c
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2020 Bitdefender
3  * SPDX-License-Identifier: Apache-2.0
4  */
5 #include "serializers.h"
6 #include "guests.h"
7 #include "lixmm.h"
8 #include "winprocesshp.h"
9 #include "codeblocks.h"
10 #include "crc32.h"
11 #include "lixfiles.h"
12 
13 
14 #pragma pack(push, 1)
15 
19 typedef enum _SERIALIZER_EXCEPTION_TYPE
20 {
21  serializerExceptionTypeKm = 0,
22  serializerExceptionTypeUm = 1,
23  serializerExceptionTypeKmUm = 2
24 } SERIALIZER_EXCEPTION_TYPE;
25 
26 
30 typedef struct _SERIALIZER_HEADER
31 {
32  DWORD SerializedType;
33  DWORD Guest;
34  DWORD Event;
35  WORD Size;
36  DWORD Arch;
37 } SERIALIZER_HEADER;
38 
39 
43 typedef struct _SERIALIZER_OBJECT_HEADER
44 {
45  DWORD Version;
46  WORD Type;
47  WORD Size;
48 } SERIALIZER_OBJECT_HEADER;
49 
50 
54 typedef struct _SERIALIZER_STRING
55 {
56  DWORD Length;
57  BYTE Encode;
58  CHAR String[0];
59 } SERIALIZER_STRING, *PSERIALIZER_STRING;
60 
61 
65 typedef struct _SERIALIZER_EXCEPTION_KM_ORIGINATOR
66 {
67  BYTE _Reserved;
68 } SERIALIZER_EXCEPTION_KM_ORIGINATOR, *PSERIALIZER_EXCEPTION_KM_ORIGINATOR;
69 
73 typedef struct _SERIALIZER_EXCEPTION_UM_ORIGINATOR
74 {
75  BYTE _Reserved;
76 } SERIALIZER_EXCEPTION_UM_ORIGINATOR, *PSERIALIZER_EXCEPTION_UM_ORIGINATOR;
77 
78 
82 typedef struct _SERIALIZER_EXCEPTION_VICTIM
83 {
84  INTRO_OBJECT_TYPE Type;
85  ZONE_TYPE ZoneType;
86  QWORD ZoneFlags;
87 } SERIALIZER_EXCEPTION_VICTIM, *PSERIALIZER_EXCEPTION_VICTIM;
88 
89 
93 typedef struct _SERIALIZER_EPT
94 {
95  QWORD Gva;
96  QWORD Gpa;
97  BYTE Type;
98 } SERIALIZER_EPT, *PSERIALIZER_EPT;
99 
100 
104 typedef struct _SERIALIZER_MSR
105 {
106  DWORD Msr;
107 } SERIALIZER_MSR, *PSERIALIZER_MSR;
108 
109 
113 typedef struct _SERIALIZER_CR
114 {
115  DWORD Cr;
116 } SERIALIZER_CR, *PSERIALIZER_CR;
117 
118 
122 typedef struct _SERIALIZER_DTR
123 {
124  DWORD Type;
125 } SERIALIZER_DTR, *PSERIALIZER_DTR;
126 
127 
131 typedef struct _SERIALIZER_IDT
132 {
133  DWORD Entry;
134 } SERIALIZER_IDT, *PSERIALIZER_IDT;
135 
136 
140 typedef struct _SERIALIZER_INJECTION
141 {
142  QWORD Gva;
143  DWORD Length;
144  DWORD Type;
145 } SERIALIZER_INJECTION, *PSERIALIZER_INJECTION;
146 
147 
151 typedef struct _SERIALIZER_LIX_PROCESS
152 {
153  QWORD Gva;
154  QWORD RealParent;
155  QWORD ActualParent;
156  QWORD Parent;
157  QWORD MmGva;
158  QWORD Cr3;
159  DWORD Pid;
160  DWORD Tgid;
161  DWORD Flags;
162 } SERIALIZER_LIX_PROCESS, *PSERIALIZER_LIX_PROCESS;
163 
164 
168 typedef struct _SERIALIZER_WIN_PROCESS
169 {
170  QWORD EprocessAddress;
171  QWORD ParentEprocess;
172  QWORD RealParentEprocess;
173  QWORD Cr3;
174  QWORD UserCr3;
175  DWORD Pid;
176  QWORD Peb64Address;
177  QWORD Peb32Address;
178  QWORD MainModuleAddress;
179  QWORD Flags;
180 } SERIALIZER_WIN_PROCESS, *PSERIALIZER_WIN_PROCESS;
181 
182 
186 typedef struct _SERIALIZER_LIX_VMA
187 {
188  QWORD Start;
189  QWORD End;
190  QWORD Gva;
192  QWORD Flags;
193  QWORD File;
194 } SERIALIZER_LIX_VMA, *PSERIALIZER_LIX_VMA;
195 
196 
200 typedef struct _SERIALIZER_WIN_VAD
201 {
202  QWORD StartPage;
203  QWORD EndPage;
204  QWORD VadGva;
206  DWORD VadProtection;
207  DWORD VadType;
208  DWORD Protection;
209  DWORD ExecCount;
210  DWORD Flags;
211 } SERIALIZER_WIN_VAD, *PSERIALIZER_WIN_VAD;
212 
213 
217 typedef struct _SERIALIZER_KERNEL_DRIVER
218 {
219  QWORD ObjectGva;
220  QWORD BaseVa;
222  QWORD Size;
223  QWORD EntryPoint;
224 } SERIALIZER_KERNEL_DRIVER, *PSERIALIZER_KERNEL_DRIVER;
225 
226 
230 typedef struct _SERIALIZER_WIN_KERNEL_DRIVER
231 {
232  DWORD TimeDateStamp;
233 } SERIALIZER_WIN_KERNEL_DRIVER, *PSERIALIZER_WIN_KERNEL_DRIVER;
234 
235 
239 typedef struct _SERIALIZER_LIX_KERNEL_MODULE
240 {
241  struct
242  {
243  QWORD Base;
244  DWORD Size;
245  DWORD TextSize;
246  DWORD RoSize;
247  } InitLayout;
248 
249  struct
250  {
251  QWORD Base;
252  DWORD Size;
253  DWORD TextSize;
254  DWORD RoSize;
255  } CoreLayout;
256 } SERIALIZER_LIX_KERNEL_MODULE, *PSERIALIZER_LIX_KERNEL_MODULE;
257 
258 
262 typedef struct _SERIALIZER_KERNEL_DRV_OBJECT
263 {
265  QWORD Gva;
267  QWORD Gpa;
268  // /@brief The guest virtual address of the _FAST_IO_DISPATCH structure used by this driver object.
269  QWORD FastIOTableAddress;
270 } SERIALIZER_KERNEL_DRV_OBJECT, *PSERIALIZER_KERNEL_DRV_OBJECT;
271 
272 
276 typedef struct _SERIALIZER_WIN_MODULE
277 {
278  QWORD VirtualBase;
279  DWORD Size;
280 } SERIALIZER_WIN_MODULE, *PSERIALIZER_WIN_MODULE;
281 
282 
286 typedef struct _SERIALIZER_INSTRUX
287 {
288  QWORD Rip;
289  BYTE Bytes[16];
290 } SERIALIZER_INSTRUX, *PSERIALIZER_INSTRUX;
291 
292 
296 typedef struct _SERIALIZER_ARCH_REGS
297 {
298  QWORD Rax;
299  QWORD Rcx;
300  QWORD Rdx;
301  QWORD Rbx;
302  QWORD Rsp;
303  QWORD Rbp;
304  QWORD Rsi;
305  QWORD Rdi;
306  QWORD R8;
307  QWORD R9;
308  QWORD R10;
309  QWORD R11;
310  QWORD R12;
311  QWORD R13;
312  QWORD R14;
313  QWORD R15;
314  QWORD Cr2;
315  QWORD Flags;
316  QWORD Dr7;
317  QWORD Rip;
318  QWORD Cr0;
319  QWORD Cr4;
320  QWORD Cr3;
321  QWORD Cr8;
322  QWORD IdtBase;
323  QWORD IdtLimit;
324  QWORD GdtBase;
325  QWORD GdtLimit;
326 } SERIALIZER_ARCH_REGS, *PSERIALIZER_ARCH_REGS;
327 
328 
332 typedef struct _SERIALIZER_WRITE_INFO
333 {
334  DWORD AccessSize;
335  QWORD OldValue[8];
336  QWORD NewValue[8];
337 } SERIALIZER_WRITE_INFO, *PSERIALIZER_WRITE_INFO;
338 
339 
343 typedef struct _SERIALIZER_READ_INFO
344 {
345  DWORD AccessSize;
346  QWORD Value[8];
347 } SERIALIZER_READ_INFO, *PSERIALIZER_READ_INFO;
348 
349 
353 typedef struct _SERIALIZER_EXEC_INFO
354 {
355  QWORD Rsp;
356  QWORD StackBase;
357  QWORD StackLimit;
358  DWORD Length;
359 } SERIALIZER_EXEC_INFO, *PSERIALIZER_EXEC_INFO;
360 
361 
365 typedef struct _SERIALIZER_CODE_BLOCKS
366 {
367  QWORD StartAddress;
368  QWORD Rip;
369  DWORD RipCbIndex;
371  DWORD Count;
372  DWORD Content[0];
373 } SERIALIZER_CODE_BLOCKS, *PSERIALIZER_CODE_BLOCKS;
374 
375 
379 typedef struct _SERIALIZER_RIP_CODE
380 {
381  DWORD CsType;
382  DWORD Length;
383  BYTE Code[0];
384 } SERIALIZER_RIP_CODE, *PSERIALIZER_RIP_CODE;
385 
386 
390 typedef struct _SERIALIZER_RAW_DUMP
391 {
392  DWORD Length;
393  BYTE Raw[0];
394 } SERIALIZER_RAW_DUMP, *PSERIALIZER_RAW_DUMP;
395 
396 
400 typedef struct _SERIALIZER_EXPORT
401 {
402  DWORD Count;
403  DWORD Delta;
404  BYTE Exports[0];
405 } SERIALIZER_EXPORT, *PSERIALIZER_EXPORT;
406 
407 
411 typedef struct _SERIALIZER_DPI_WIN_DEBUG
412 {
413  QWORD Debugger;
414 } SERIALIZER_DPI_WIN_DEBUG, *PSERIALIZER_DPI_WIN_DEBUG;
415 
416 
420 typedef struct _SERIALIZER_DPI_WIN_STOLEN_TOKEN
421 {
422  QWORD StolenFrom;
423 } SERIALIZER_DPI_WIN_STOLEN_TOKEN, *PSERIALIZER_DPI_WIN_STOLEN_TOKEN;
424 
425 
429 typedef struct _SERIALIZER_DPI_WIN_HEAP_SPRAY
430 {
431  struct
432  {
433  DWORD Mapped : 1;
434  DWORD Detected : 1;
437  DWORD HeapValCount : 11;
439  DWORD Offset : 12;
440  DWORD Executable : 1;
441  DWORD Reserved : 7;
442  } HeapPages[0xF];
443 
444  QWORD ShellcodeFlags;
445 
446  BYTE DetectedPage[0x1000];
447  BYTE MaxHeapValPageContent[0x1000];
448 } SERIALIZER_DPI_WIN_HEAP_SPRAY, *PSERIALIZER_DPI_WIN_HEAP_SPRAY;
449 
450 
454 typedef struct _SERIALIZER_DPI_WIN_THREAD_START
455 {
456  QWORD ShellcodeFlags;
457  QWORD StartAddress;
458  BYTE StartPage[0x1000];
459 } SERIALIZER_DPI_WIN_THREAD_START, *PSERIALIZER_DPI_WIN_THREAD_START;
460 
461 
465 typedef struct _SERIALIZER_DPI_WIN_TOKEN_PRIVS
466 {
467  QWORD OldEnabled;
468  QWORD NewEnabled;
470  QWORD OldPresent;
471  QWORD NewPresent;
473 } SERIALIZER_DPI_WIN_TOKEN_PRIVS, *PSERIALIZER_DPI_WIN_TOKEN_PRIVS;
474 
475 
479 typedef struct _SERIALIZER_DPI_PIVOTED_STACK
480 {
481  QWORD CurrentStack;
482  QWORD StackBase;
483  QWORD StackLimit;
484  QWORD Wow64CurrentStack;
485  QWORD Wow64StackBase;
486  QWORD Wow64StackLimit;
487  BYTE TrapFrameContent[512];
488 } SERIALIZER_DPI_PIVOTED_STACK, *PSERIALIZER_DPI_PIVOTED_STACK;
489 
490 
494 typedef struct _SERIALIZER_DPI_WIN_SEC_DESC
495 {
498  QWORD SecDescStolenFromEproc;
499 
500  QWORD OldPtrValue;
501  QWORD NewPtrValue;
502 
503  ACL OldSacl;
504  ACL OldDacl;
505 
506  ACL NewSacl;
507  ACL NewDacl;
508 } SERIALIZER_DPI_WIN_SEC_DESC, *PSERIALIZER_DPI_WIN_SEC_DESC;
509 
510 
514 typedef struct _SERIALIZER_DPI_WIN_ACL_EDIT
515 {
516  ACL OldSacl;
517  ACL OldDacl;
518 
519  ACL NewSacl;
520  ACL NewDacl;
521 } SERIALIZER_DPI_WIN_ACL_EDIT, *PSERIALIZER_DPI_WIN_ACL_EDIT;
522 
523 
527 typedef struct _SERIALIZER_DPI
528 {
529  DWORD Flags;
530 } SERIALIZER_DPI, *PSERIALIZER_DPI;
531 
532 #pragma pack(pop)
533 
534 
538 enum
539 {
540  intObjNone = 0,
541 
543  intObjStartOriginator,
545  intObjEndOriginator,
547  intObjStartVictim,
549  intObjEndVictim,
551  intObjStartMisc,
553  intObjEndMisc,
554 
555  intObjVictim,
556 
557  intObjEpt,
558  intObjMsr,
559  intObjCr,
560  intObjDtr,
561  intObjIdt,
562  intObjIntegrity,
563  intObjInjection,
564 
565  intObjWinProcess,
566  intObjWinProcessParent,
567  intObjLixProcess,
568  intObjLixProcessParent,
569 
570  intObjKernelDriver,
571  intObjKernelDriverReturn,
572  intObjWinKernelDriver,
573  intObjWinKernelDriverReturn,
574  intObjLixKernelModule,
575  intObjLixKernelModuleReturn,
576  intObjKernelDrvObject,
577 
578  intObjWinVad,
579  intObjLixVma,
580 
581  intObjWinModule,
582  intObjWinModuleReturn,
583 
584  intObjInstrux,
585  intObjWriteInfo,
586  intObjReadInfo,
587  intObjExecInfo,
588  intObjArchRegs,
589  intObjCodeBlocks,
590  intObjRipCode,
591  intObjRawDump,
592  intObjExport,
593  intObjDpi,
594  intObjDpiWinDebug,
595  intObjDpiWinPivotedStack,
596  intObjDpiWinStolenToken,
597  intObjDpiWinTokenPrivs,
598  intObjDpiWinThreadStart,
599  intObjDpiWinHeapSpray,
600  intObjDpiWinSecDesc,
601  intObjDpiWinAclEdit,
602 };
603 
604 
608 enum
609 {
610  stringEncodeUtf8 = 0,
611  stringEncodeUtf16
612 };
613 
614 #define MAX_SERIALIZER_LENGTH (16 * ONE_KILOBYTE)
615 
616 static BYTE gSerializerBuffer[MAX_SERIALIZER_LENGTH] = { 0 };
617 static BYTE *gCurrentPtr = NULL;
618 static QWORD gSerializerCurrentId = 0;
619 
620 static CODE_BLOCK_PATTERN gCodeBlocksPattern[PAGE_SIZE / sizeof(CODE_BLOCK_PATTERN)];
621 static DWORD gCodeBlocksPatternLength = 0;
622 static CODE_BLOCK gCodeBlocks[PAGE_SIZE / sizeof(CODE_BLOCK)];
623 
624 const char gBase64Chars[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
625 
626 #define Base64EncSize(Length) (((((Length) + 2) / 3) * 4) + 1)
627 
628 static char gBase64Buffer[Base64EncSize(sizeof(gSerializerBuffer))] = {0};
629 
630 
631 
632 static void
633 IntSerializeBlockToBase64(
634  _In_ const BYTE *In,
635  _Out_writes_(4) BYTE *Out,
636  _In_ size_t Length
637  )
645 {
646  Out[0] = gBase64Chars[In[0] >> 2];
647  Out[1] = gBase64Chars[((In[0] & 0x03) << 4) | ((In[1] & 0xf0) >> 4)];
648  Out[2] = (BYTE) (Length > 1 ? gBase64Chars[((In[1] & 0x0f) << 2) | ((In[2] & 0xc0) >> 6)] : '=');
649  Out[3] = (BYTE) (Length > 2 ? gBase64Chars[In[2] & 0x3f] : '=');
650 }
651 
652 
653 static char *
654 IntSerializerBase64Get(
655  _Out_ DWORD *Length
656  )
664 {
665  size_t len = gCurrentPtr - gSerializerBuffer;
666 
667  *Length = (DWORD)Base64EncSize(len);
668 
669  BYTE *out = (BYTE *)gBase64Buffer;
670  const BYTE *in = gSerializerBuffer;
671 
672  for (size_t i = 0; i < len; i += 3)
673  {
674  size_t size = ((len - i) < 4) ? (len - i) : 4;
675 
676  IntSerializeBlockToBase64(in, out, size);
677 
678  out += 4;
679  in += 3;
680  }
681 
682  *out = 0;
683 
684  return gBase64Buffer;
685 }
686 
687 
688 static DWORD
689 IntSerializeCurrentOffset(
690  void
691  )
697 {
698  return (DWORD)(gCurrentPtr - gSerializerBuffer);
699 }
700 
701 
702 static void
703 IntSerializeIncrementCurrentPtr(
704  _In_ const DWORD Size
705  )
711 {
712  gCurrentPtr += Size;
713 }
714 
715 
716 static QWORD
717 IntSerializeCurrentId(
718  void
719  )
725 {
726  return gSerializerCurrentId;
727 }
728 
729 
730 static void
731 IntSerializeIncrementCurrentId(
732  void
733  )
737 {
738  gSerializerCurrentId++;
739 }
740 
741 
742 static void
743 IntSerializeDump(
744  void
745  )
749 {
750  DWORD length = 0;
751  CHAR *pBase64 = IntSerializerBase64Get(&length);
752 
753  UNREFERENCED_LOCAL_VARIABLE(pBase64);
754 
755  // NOTE: for now we'll only execute the algorithm etc, but don't log anything since
756  // the logs get pretty easily to even 300 GB in size...
757 
758  TRACE("[SERIALIZER] Start Serializer ID -> 0x%llx\n", IntSerializeCurrentId());
759  for (DWORD index = 0; index < length; index += 1000)
760  {
761  TRACE("[SERIALIZER] %.1000s", pBase64 + index);
762  }
763  TRACE("[SERIALIZER] End Serializer ID -> 0x%llx\n", IntSerializeCurrentId());
764 }
765 
766 
767 static BOOLEAN
768 IntSerializeValidObjectSize(
769  _In_ DWORD Size
770  )
778 {
779  QWORD crt = (QWORD)(gCurrentPtr - gSerializerBuffer) + (QWORD)Size;
780 
781  if (crt > sizeof(gSerializerBuffer))
782  {
783  ERROR("[ERROR] Serilizer buffer overflows! Current offset = 0x%llx, Buffer Size = 0x%0llx, "
784  "Required size = 0x%x\n",
785  (QWORD)(gCurrentPtr - gSerializerBuffer), (QWORD)sizeof(gSerializerBuffer), Size);
786 
787  return FALSE;
788  }
789 
790  return TRUE;
791 }
792 
793 
794 static void *
795 IntSerializeCurrentPtr(
796  _In_ DWORD Size
797  )
805 {
806  if (!IntSerializeValidObjectSize(Size))
807  {
808  return NULL;
809  }
810 
811  return gCurrentPtr;
812 }
813 
814 
815 static SERIALIZER_OBJECT_HEADER *
816 IntSerializeObjectHeader(
817  _In_ const DWORD Version,
818  _In_ const DWORD Type
819  )
829 {
830  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeCurrentPtr(sizeof(*pHeader));
831 
832  if (!pHeader)
833  {
834  return NULL;
835  }
836 
837  pHeader->Version = Version;
838  pHeader->Type = (WORD)Type;
839  pHeader->Size = 0;
840 
841  IntSerializeIncrementCurrentPtr(sizeof(*pHeader));
842 
843  return pHeader;
844 }
845 
846 
847 static BOOLEAN
848 IntSerializeStringIsWcharAscii(
849  _In_ const void *String,
850  _In_ DWORD Size
851  )
860 {
861  const BYTE *pStr = String;
862 
863  for (DWORD index = 0; index < Size; index++)
864  {
865  if (pStr[index] > 0x7f)
866  {
867  return FALSE;
868  }
869  }
870 
871  return TRUE;
872 }
873 
874 
875 static void
876 IntSerializeString(
877  const void *String,
878  _In_ DWORD Size,
879  _In_ DWORD Encode,
880  _Inout_ SERIALIZER_OBJECT_HEADER *Header
881  )
890 {
891  SERIALIZER_STRING *pObject = NULL;
892  DWORD size = 0;
893 
894  if (String != NULL && Size != 0)
895  {
896  switch (Encode)
897  {
898  case stringEncodeUtf8 :
899  pObject = IntSerializeCurrentPtr(sizeof(*pObject) + Size);
900  if (!pObject)
901  {
902  return;
903  }
904 
905  pObject->Length = Size;
906  pObject->Encode = (BYTE)Encode;
907 
908  memcpy(pObject->String, String, pObject->Length);
909 
910  Header->Size += (WORD)(sizeof(*pObject) + pObject->Length);
911  size = pObject->Length;
912 
913  break;
914 
915  case stringEncodeUtf16 :
916  if (IntSerializeStringIsWcharAscii(String, Size))
917  {
918  pObject = IntSerializeCurrentPtr(sizeof(*pObject) + Size);
919  if (!pObject)
920  {
921  return;
922  }
923 
924  pObject->Encode = stringEncodeUtf8;
925  pObject->Length = Size / 2;
926 
927  utf16toutf8(pObject->String, String, pObject->Length);
928 
929  Header->Size += (WORD)(sizeof(*pObject) + pObject->Length);
930  size = pObject->Length;
931  }
932  else
933  {
934  pObject = IntSerializeCurrentPtr(sizeof(*pObject) + Size);
935  if (!pObject)
936  {
937  return;
938  }
939 
940  pObject->Encode = (BYTE)Encode;
941  pObject->Length = Size;
942 
943  memcpy(pObject->String, String, pObject->Length * sizeof(WCHAR));
944 
945  Header->Size += (WORD)(sizeof(*pObject) + pObject->Length * sizeof(WCHAR));
946  size = (WORD)(pObject->Length * sizeof(WCHAR));
947  }
948  break;
949 
950  default:
951  LOG("[ERROR] Should not reach here. Encode %d \n", Encode);
952  }
953  }
954  else
955  {
956  pObject = IntSerializeCurrentPtr(sizeof(*pObject));
957  if (!pObject)
958  {
959  return;
960  }
961 
962  pObject->Length = 0;
963  pObject->Encode = (BYTE)Encode;
964 
965  Header->Size += sizeof(*pObject);
966  }
967 
968  IntSerializeIncrementCurrentPtr(sizeof(*pObject) + size);
969 }
970 
971 
972 static void
973 IntSerializeEpt(
974  _In_ const EXCEPTION_VICTIM_EPT *Ept,
975  _In_ const EXCEPTION_VICTIM_ZONE *Victim
976  )
983 {
984 #define VICTIM_SERIALIZER_EPT_VERSION 1
985 
986  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(VICTIM_SERIALIZER_EPT_VERSION, intObjEpt);
987  if (!pHeader)
988  {
989  return;
990  }
991 
992  SERIALIZER_EPT *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
993  if (!pObject)
994  {
995  return;
996  }
997 
998  pObject->Gva = Ept->Gva;
999  pObject->Gpa = Ept->Gpa;
1000  pObject->Type = IG_EPT_HOOK_NONE;
1001 
1002  if (Victim->ZoneFlags & ZONE_WRITE)
1003  {
1004  pObject->Type = IG_EPT_HOOK_WRITE;
1005  }
1006  else if (Victim->ZoneFlags & ZONE_READ)
1007  {
1008  pObject->Type = IG_EPT_HOOK_READ;
1009  }
1010  else if (Victim->ZoneFlags & ZONE_EXECUTE)
1011  {
1012  pObject->Type = IG_EPT_HOOK_EXECUTE;
1013  }
1014 
1015  pHeader->Size = sizeof(*pObject);
1016 
1017  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
1018 }
1019 
1020 
1021 static void
1022 IntSerializeCr(
1023  _In_ const EXCEPTION_VICTIM_CR *Cr
1024  )
1030 {
1031 #define VICTIM_SERIALIZER_CR_VERSION 1
1032 
1033  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(VICTIM_SERIALIZER_CR_VERSION, intObjCr);
1034  if (!pHeader)
1035  {
1036  return;
1037  }
1038 
1039  SERIALIZER_CR *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
1040  if (!pObject)
1041  {
1042  return;
1043  }
1044 
1045  pObject->Cr = Cr->Cr;
1046 
1047  pHeader->Size = sizeof(*pObject);
1048 
1049  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
1050 }
1051 
1052 
1053 static void
1054 IntSerializeIdt(
1055  _In_ const EXCEPTION_VICTIM_ZONE *Victim
1056  )
1062 {
1063 #define VICTIM_SERIALIZER_IDT_VERSION 1
1064 
1065  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(VICTIM_SERIALIZER_IDT_VERSION, intObjIdt);
1066  if (!pHeader)
1067  {
1068  return;
1069  }
1070 
1071  SERIALIZER_IDT *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
1072  if (!pObject)
1073  {
1074  return;
1075  }
1076 
1077  pObject->Entry = (DWORD)((Victim->Ept.Gva - Victim->Object.BaseAddress) /
1078  (gGuest.Guest64 ? DESCRIPTOR_SIZE_64 : DESCRIPTOR_SIZE_32));
1079 
1080  pHeader->Size = sizeof(*pObject);
1081 
1082  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
1083 }
1084 
1085 
1086 static void
1087 IntSerializeMsr(
1088  _In_ const EXCEPTION_VICTIM_MSR *Msr
1089  )
1095 {
1096 #define VICTIM_SERIALIZER_MSR_VERSION 1
1097 
1098  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(VICTIM_SERIALIZER_MSR_VERSION, intObjMsr);
1099  if (!pHeader)
1100  {
1101  return;
1102  }
1103 
1104  SERIALIZER_MSR *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
1105  if (!pObject)
1106  {
1107  return;
1108  }
1109 
1110  pObject->Msr = Msr->Msr;
1111 
1112  pHeader->Size = sizeof(*pObject);
1113 
1114  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
1115 }
1116 
1117 
1118 static void
1119 IntSerializeDtr(
1120  _In_ const EXCEPTION_VICTIM_DTR *Dtr
1121  )
1127 {
1128 #define VICTIM_SERIALIZER_DTR_VERSION 1
1129 
1130  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(VICTIM_SERIALIZER_DTR_VERSION, intObjDtr);
1131  if (!pHeader)
1132  {
1133  return;
1134  }
1135 
1136  SERIALIZER_DTR *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
1137  if (!pObject)
1138  {
1139  return;
1140  }
1141 
1142  pObject->Type = Dtr->Type;
1143 
1144  pHeader->Size = sizeof(*pObject);
1145 
1146  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
1147 }
1148 
1149 
1150 static void
1151 IntSerializeInjection(
1152  _In_ const EXCEPTION_VICTIM_INJECTION *Injection,
1153  _In_ const EXCEPTION_VICTIM_ZONE *Victim
1154  )
1161 {
1162 #define VICTIM_SERIALIZER_INJECTION_VERSION 1
1163 
1164  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(VICTIM_SERIALIZER_INJECTION_VERSION, intObjInjection);
1165  if (!pHeader)
1166  {
1167  return;
1168  }
1169 
1170  SERIALIZER_INJECTION *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
1171  if (!pObject)
1172  {
1173  return;
1174  }
1175 
1176  pObject->Gva = Injection->Gva;
1177  pObject->Length = Injection->Length;
1178  pObject->Type = 0;
1179 
1180  if (Victim->ZoneFlags & ZONE_WRITE)
1181  {
1182  if (Victim->ZoneFlags & ZONE_PROC_THREAD_CTX)
1183  {
1184  pObject->Type = memCopyViolationSetContextThread;
1185  }
1186  else if (Victim->ZoneFlags & ZONE_PROC_THREAD_APC)
1187  {
1188  pObject->Type = memCopyViolationQueueApcThread;
1189  }
1190  else if (Victim->ZoneFlags & ZONE_PROC_INSTRUMENT)
1191  {
1192  pObject->Type = memCopyViolationInstrument;
1193  }
1194  else
1195  {
1196  pObject->Type = memCopyViolationWrite;
1197  }
1198  }
1199 
1200  if (Victim->ZoneFlags & ZONE_READ)
1201  {
1202  pObject->Type = memCopyViolationRead;
1203  }
1204 
1205  pHeader->Size = sizeof(*pObject);
1206 
1207  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
1208 }
1209 
1210 
1211 static void
1212 IntSerializeWinProcess(
1213  _In_ const WIN_PROCESS_OBJECT *Process,
1214  _In_ const DWORD ObjectType
1215  )
1222 {
1223  if (Process == NULL)
1224  {
1225  return;
1226  }
1227 
1228 #define WIN_PROCESS_SERIALIZER_VERSION 1
1229 
1230  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(WIN_PROCESS_SERIALIZER_VERSION, ObjectType);
1231  if (!pHeader)
1232  {
1233  return;
1234  }
1235 
1236  SERIALIZER_WIN_PROCESS *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
1237  if (!pObject)
1238  {
1239  return;
1240  }
1241 
1242  pObject->EprocessAddress = Process->EprocessAddress;
1243  pObject->ParentEprocess = Process->ParentEprocess;
1244  pObject->RealParentEprocess = Process->RealParentEprocess;
1245  pObject->Cr3 = Process->Cr3;
1246  pObject->UserCr3 = Process->UserCr3;
1247  pObject->Pid = Process->Pid;
1248  pObject->Peb64Address = Process->Peb64Address;
1249  pObject->Peb32Address = Process->Peb32Address;
1250  pObject->MainModuleAddress = Process->MainModuleAddress;
1251  pObject->Flags = Process->Flags;
1252 
1253  pHeader->Size = sizeof(*pObject);
1254  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
1255 
1256  IntSerializeString(Process->Name, sizeof(Process->Name), stringEncodeUtf8, pHeader);
1257  IntSerializeString(Process->Path != NULL ? Process->Path->Path : NULL,
1258  Process->Path != NULL ? Process->Path->PathSize : 0,
1259  stringEncodeUtf16,
1260  pHeader);
1261  IntSerializeString(Process->CommandLine, Process->CommandLineSize, stringEncodeUtf8, pHeader);
1262 }
1263 
1264 
1265 static void
1266 IntSerializeLixProcess(
1267  _In_ const LIX_TASK_OBJECT *Process,
1268  _In_ const DWORD ObjectType
1269  )
1276 {
1277  if (Process == NULL)
1278  {
1279  return;
1280  }
1281 
1282 #define LIX_PROCESS_SERIALIZER_VERSION 1
1283 
1284  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(LIX_PROCESS_SERIALIZER_VERSION, ObjectType);
1285  if (!pHeader)
1286  {
1287  return;
1288  }
1289 
1290  SERIALIZER_LIX_PROCESS *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
1291  if (!pObject)
1292  {
1293  return;
1294  }
1295 
1296  pObject->Gva = Process->Gva;
1297  pObject->RealParent = Process->RealParent;
1298  pObject->Parent = Process->Parent;
1299  pObject->ActualParent = Process->ActualParent;
1300  pObject->MmGva = Process->MmGva;
1301  pObject->Cr3 = Process->Cr3;
1302  pObject->Pid = Process->Pid;
1303  pObject->Tgid = Process->Tgid;
1304 
1305  pHeader->Size = sizeof(*pObject);
1306  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
1307 
1308  IntSerializeString(Process->Path != NULL ? Process->Path->Name : NULL,
1309  Process->Path != NULL ? (DWORD)Process->Path->NameLength : 0,
1310  stringEncodeUtf8,
1311  pHeader);
1312  IntSerializeString(Process->Path != NULL ? Process->Path->Path : NULL,
1313  Process->Path != NULL ? (DWORD)Process->Path->PathLength : 0,
1314  stringEncodeUtf8,
1315  pHeader);
1316  IntSerializeString(Process->CmdLine, Process->CmdLineLength + 1, stringEncodeUtf8, pHeader);
1317 }
1318 
1319 
1320 static void
1321 IntSerializeProcess(
1322  _In_ void *Process,
1323  _In_ const DWORD ObjectType
1324  )
1331 {
1332  if (gGuest.OSType == introGuestLinux)
1333  {
1334  IntSerializeLixProcess(Process, ObjectType);
1335  }
1336  else if (gGuest.OSType == introGuestWindows)
1337  {
1338  IntSerializeWinProcess(Process, ObjectType);
1339  }
1340 }
1341 
1342 
1343 void
1344 IntSerializeWinVad(
1345  _In_ const VAD *Vad
1346  )
1352 {
1353  if (Vad == NULL)
1354  {
1355  return;
1356  }
1357 
1358 #define WIN_VAD_SERIALIZER_VERSION 1
1359 
1360  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(WIN_VAD_SERIALIZER_VERSION, intObjWinVad);
1361  if (!pHeader)
1362  {
1363  return;
1364  }
1365 
1366  SERIALIZER_WIN_VAD *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
1367  if (!pObject)
1368  {
1369  return;
1370  }
1371 
1372  pObject->StartPage = Vad->StartPage;
1373  pObject->EndPage = Vad->EndPage;
1374  pObject->VadGva = Vad->VadGva;
1375  pObject->VadProtection = Vad->VadProtection;
1376  pObject->VadType = Vad->VadType;
1377  pObject->Protection = Vad->Protection;
1378  pObject->ExecCount = Vad->ExecCount;
1379  pObject->Flags = Vad->StaticScan | Vad->IsStack | Vad->HugeVad | Vad->IsIgnored | Vad->NoChange |
1380  Vad->PrivateFixup | Vad->DeleteInProgress;
1381 
1382  pHeader->Size = sizeof(*pObject);
1383  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
1384 
1385  IntSerializeString(Vad->Path != NULL ? Vad->Path->Path : NULL,
1386  Vad->Path != NULL ? Vad->Path->PathSize : 0,
1387  stringEncodeUtf16,
1388  pHeader);
1389 }
1390 
1391 
1392 static void
1393 IntSerializeLixVma(
1394  _In_ const LIX_VMA *Vma
1395  )
1401 {
1402  if (NULL == Vma)
1403  {
1404  return;
1405  }
1406 
1407 #define LIX_VMA_SERIALIZER_VERSION 1
1408 
1409  INTSTATUS status = INT_STATUS_SUCCESS;
1410  char *pFilePath = NULL;
1411  DWORD filePathLength = 0;
1412 
1413  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(LIX_VMA_SERIALIZER_VERSION, intObjLixVma);
1414  if (!pHeader)
1415  {
1416  return;
1417  }
1418 
1419  SERIALIZER_LIX_VMA *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
1420  if (!pObject)
1421  {
1422  return;
1423  }
1424 
1425  pObject->Start = Vma->Start;
1426  pObject->End = Vma->End;
1427  pObject->Gva = Vma->Gva;
1428  pObject->Flags = Vma->Flags;
1429  pObject->File = Vma->File;
1430 
1431  pHeader->Size = sizeof(*pObject);
1432  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
1433 
1434  status = IntLixFileGetPath(Vma->File, &pFilePath, &filePathLength);
1435  if (INT_SUCCESS(status))
1436  {
1437  IntSerializeString(pFilePath, filePathLength, stringEncodeUtf8, pHeader);
1438  }
1439  else
1440  {
1441  IntSerializeString(NULL, 0, stringEncodeUtf8, pHeader);
1442  }
1443 }
1444 
1445 
1446 static void
1447 IntSerializeVad(
1448  _In_ const void *Vad
1449  )
1455 {
1456  if (gGuest.OSType == introGuestLinux)
1457  {
1458  IntSerializeLixVma(Vad);
1459  }
1460  else if (gGuest.OSType == introGuestWindows)
1461  {
1462  IntSerializeWinVad(Vad);
1463  }
1464 }
1465 
1466 
1467 static void
1468 IntSerializeWinKernelDriver(
1469  _In_ const KERNEL_DRIVER *Driver,
1470  _In_ DWORD ObjectType
1471  )
1478 {
1479  if (Driver == NULL)
1480  {
1481  return;
1482  }
1483 
1484 #define WIN_KERNEL_DRIVER_SERIALIZER_VERSION 1
1485 
1486  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(WIN_KERNEL_DRIVER_SERIALIZER_VERSION, ObjectType);
1487  if (!pHeader)
1488  {
1489  return;
1490  }
1491 
1492  SERIALIZER_WIN_KERNEL_DRIVER *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
1493  if (!pObject)
1494  {
1495  return;
1496  }
1497 
1498  pObject->TimeDateStamp = Driver->Win.TimeDateStamp;
1499 
1500  pHeader->Size = sizeof(*pObject);
1501  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
1502 
1503  IntSerializeString(Driver->Win.Path, Driver->Win.PathLength * 2 + sizeof(WCHAR), stringEncodeUtf16, pHeader);
1504 }
1505 
1506 
1507 static void
1508 IntSerializeLixKernelModule(
1509  _In_ const KERNEL_DRIVER *Driver,
1510  _In_ DWORD ObjecType
1511  )
1518 {
1519 #define LIX_KERNEL_MODULE_SERIALIZER_VERSION 1
1520 
1521  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(LIX_KERNEL_MODULE_SERIALIZER_VERSION, ObjecType);
1522  if (!pHeader)
1523  {
1524  return;
1525  }
1526 
1527  SERIALIZER_LIX_KERNEL_MODULE *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
1528  if (!pObject)
1529  {
1530  return;
1531  }
1532 
1533  pObject->InitLayout.Base = Driver->Lix.InitLayout.Base;
1534  pObject->InitLayout.Size = Driver->Lix.InitLayout.Size;
1535  pObject->InitLayout.TextSize = Driver->Lix.InitLayout.TextSize;
1536  pObject->InitLayout.RoSize = Driver->Lix.InitLayout.RoSize;
1537  pObject->CoreLayout.Base = Driver->Lix.CoreLayout.Base;
1538  pObject->CoreLayout.Size = Driver->Lix.CoreLayout.Size;
1539  pObject->CoreLayout.TextSize = Driver->Lix.CoreLayout.TextSize;
1540  pObject->CoreLayout.RoSize = Driver->Lix.CoreLayout.RoSize;
1541 
1542  pHeader->Size = sizeof(*pObject);
1543  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
1544 
1545  IntSerializeString(Driver->Name, (DWORD)Driver->NameLength, stringEncodeUtf8, pHeader);
1546 }
1547 
1548 
1549 static void
1550 IntSerializeKernelDrvObject(
1551  _In_ const WIN_DRIVER_OBJECT *DrvObject
1552  )
1558 {
1559  if (DrvObject == NULL)
1560  {
1561  return;
1562  }
1563 #define KERNEL_DRV_OBJECT_SERIALIZER_VERSION 1
1564 
1565  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(KERNEL_DRV_OBJECT_SERIALIZER_VERSION,
1566  intObjKernelDrvObject);
1567  if (!pHeader)
1568  {
1569  return;
1570  }
1571 
1572  SERIALIZER_KERNEL_DRV_OBJECT *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
1573  if (!pObject)
1574  {
1575  return;
1576  }
1577 
1578  pObject->Gva = DrvObject->DriverObjectGva;
1579  pObject->Gpa = DrvObject->DriverObjectGpa;
1580  pObject->FastIOTableAddress = DrvObject->FastIOTableAddress;
1581 
1582  pHeader->Size = sizeof(*pObject);
1583  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
1584 
1585  IntSerializeString(DrvObject->Name, DrvObject->NameLen, stringEncodeUtf16, pHeader);
1586 }
1587 
1588 
1589 static void
1590 IntSerializeKernelDriver(
1591  _In_opt_ const EXCEPTION_KM_ORIGINATOR *Originator,
1592  _In_opt_ const KERNEL_DRIVER *Driver,
1593  _In_ const DWORD ObjectType
1594  )
1602 {
1603 #define KERNEL_DRIVER_SERIALIZER_VERSION 1
1604 
1605  const KERNEL_DRIVER *pDriver = NULL;
1606  const CHAR *pSection = NULL;
1607 
1608  if (Driver != NULL)
1609  {
1610  pDriver = Driver;
1611  }
1612  else
1613  {
1614  if (Originator == NULL)
1615  {
1616  return;
1617  }
1618 
1619  if (ObjectType == intObjKernelDriver)
1620  {
1621  pDriver = Originator->Original.Driver;
1622  pSection = Originator->Original.Section;
1623  }
1624  else if (ObjectType == intObjKernelDriverReturn)
1625  {
1626  pDriver = Originator->Return.Driver;
1627  pSection = Originator->Return.Section;
1628  }
1629  else
1630  {
1631  return;
1632  }
1633  }
1634 
1635  if (pDriver == NULL)
1636  {
1637  return;
1638  }
1639 
1640  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(KERNEL_DRIVER_SERIALIZER_VERSION, ObjectType);
1641  if (!pHeader)
1642  {
1643  return;
1644  }
1645 
1646  SERIALIZER_KERNEL_DRIVER *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
1647  if (!pObject)
1648  {
1649  return;
1650  }
1651 
1652  pObject->ObjectGva = pDriver->ObjectGva;
1653  pObject->BaseVa = pDriver->BaseVa;
1654  pObject->Size = pDriver->Size;
1655  pObject->EntryPoint = pDriver->EntryPoint;
1656 
1657  pHeader->Size = sizeof(*pObject);
1658  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
1659 
1660  if (pSection != NULL)
1661  {
1662  IntSerializeString(pSection, pSection[0] == 0 ? 0 : 9, stringEncodeUtf8, pHeader);
1663  }
1664  else
1665  {
1666  IntSerializeString(pSection, 0, stringEncodeUtf8, pHeader);
1667  }
1668 
1669  if (gGuest.OSType == introGuestWindows)
1670  {
1671  IntSerializeWinKernelDriver(pDriver,
1672  ObjectType == intObjKernelDriver ?
1673  intObjWinKernelDriver : intObjWinKernelDriverReturn);
1674  }
1675  else if (gGuest.OSType == introGuestLinux)
1676  {
1677  IntSerializeLixKernelModule(pDriver,
1678  ObjectType == intObjKernelDriver ?
1679  intObjLixKernelModule : intObjLixKernelModuleReturn);
1680  }
1681 }
1682 
1683 
1684 static void
1685 IntSerializeWinModule(
1686  _In_ const WIN_PROCESS_MODULE *Module,
1687  _In_ const DWORD ObjectType
1688  )
1695 {
1696  if (Module == NULL)
1697  {
1698  return;
1699  }
1700 
1701 #define WIN_PROCESS_MODULE_SERIALIZER_VERSION 1
1702 
1703  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(WIN_PROCESS_MODULE_SERIALIZER_VERSION, ObjectType);
1704  if (!pHeader)
1705  {
1706  return;
1707  }
1708 
1709  SERIALIZER_WIN_MODULE *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
1710  if (!pObject)
1711  {
1712  return;
1713  }
1714 
1715  pObject->VirtualBase = Module->VirtualBase;
1716  pObject->Size = Module->Size;
1717 
1718  pHeader->Size = sizeof(*pObject);
1719  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
1720 
1721  IntSerializeString(Module->Path->Path, Module->Path->PathSize, stringEncodeUtf16, pHeader);
1722 }
1723 
1724 
1725 void
1726 IntSerializeInstruction(
1727  _In_ INSTRUX *Instruction,
1728  _In_ const QWORD Rip
1729  )
1736 {
1737  if (Instruction == NULL)
1738  {
1739  return;
1740  }
1741 
1742 #define INSTRUX_SERIALIZER_VERSION 1
1743 
1744  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(INSTRUX_SERIALIZER_VERSION, intObjInstrux);
1745  if (!pHeader)
1746  {
1747  return;
1748  }
1749 
1750  SERIALIZER_INSTRUX *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
1751  if (!pObject)
1752  {
1753  return;
1754  }
1755 
1756  pObject->Rip = Rip;
1757  memcpy(pObject->Bytes, Instruction->InstructionBytes, sizeof(pObject->Bytes));
1758 
1759  pHeader->Size = sizeof(*pObject);
1760  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
1761 }
1762 
1763 
1764 static void
1765 IntSerializeWriteInfo(
1766  _In_ const EXCEPTION_VICTIM_ZONE *Victim
1767  )
1773 {
1774  if (Victim == NULL)
1775  {
1776  return;
1777  }
1778 
1779 #define WRITE_INFO_SERIALIZER_VERSION 1
1780 
1781  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(WRITE_INFO_SERIALIZER_VERSION, intObjWriteInfo);
1782  if (!pHeader)
1783  {
1784  return;
1785  }
1786 
1787  SERIALIZER_WRITE_INFO *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
1788  if (!pObject)
1789  {
1790  return;
1791  }
1792 
1793  pObject->AccessSize = Victim->WriteInfo.AccessSize;
1794  memcpy(pObject->OldValue, Victim->WriteInfo.OldValue, MIN(sizeof(pObject->OldValue), pObject->AccessSize));
1795  memcpy(pObject->NewValue, Victim->WriteInfo.NewValue, MIN(sizeof(pObject->NewValue), pObject->AccessSize));
1796 
1797  pHeader->Size = sizeof(*pObject);
1798  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
1799 }
1800 
1801 
1802 static void
1803 IntSerializeReadInfo(
1804  _In_ const EXCEPTION_VICTIM_ZONE *Victim
1805  )
1811 {
1812  if (Victim == NULL)
1813  {
1814  return;
1815  }
1816 
1817 #define READ_INFO_SERIALIZER_VERSION 1
1818 
1819  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(READ_INFO_SERIALIZER_VERSION, intObjReadInfo);
1820  if (!pHeader)
1821  {
1822  return;
1823  }
1824 
1825  SERIALIZER_READ_INFO *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
1826  if (!pObject)
1827  {
1828  return;
1829  }
1830 
1831  pObject->AccessSize = Victim->ReadInfo.AccessSize;
1832  memcpy(pObject->Value, Victim->ReadInfo.Value, MIN(sizeof(pObject->Value), pObject->AccessSize));
1833 
1834  pHeader->Size = sizeof(*pObject);
1835  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
1836 }
1837 
1838 
1839 static void
1840 IntSerializeExecInfo(
1841  _In_ const EXCEPTION_VICTIM_ZONE *Victim
1842  )
1848 {
1849  if (Victim == NULL)
1850  {
1851  return;
1852  }
1853 
1854 #define EXEC_INFO_SERIALIZER_VERSION 1
1855 
1856  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(EXEC_INFO_SERIALIZER_VERSION, intObjExecInfo);
1857  if (!pHeader)
1858  {
1859  return;
1860  }
1861 
1862  SERIALIZER_EXEC_INFO *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
1863  if (!pObject)
1864  {
1865  return;
1866  }
1867 
1868  pObject->Rsp = Victim->ExecInfo.Rsp;
1869  pObject->Length = Victim->ExecInfo.Length;
1870  pObject->StackBase = Victim->ExecInfo.StackBase;
1871  pObject->StackLimit = Victim->ExecInfo.StackLimit;
1872 
1873  pHeader->Size = sizeof(*pObject);
1874  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
1875 }
1876 
1877 
1878 static void
1879 IntSerializeAccessInfo(
1880  _In_ const EXCEPTION_VICTIM_ZONE *Victim
1881  )
1887 {
1888  if (Victim->ZoneFlags & ZONE_WRITE)
1889  {
1890  IntSerializeWriteInfo(Victim);
1891  }
1892  else if (Victim->ZoneFlags & ZONE_READ)
1893  {
1894  IntSerializeReadInfo(Victim);
1895  }
1896  else if (Victim->ZoneFlags & ZONE_EXECUTE)
1897  {
1898  IntSerializeExecInfo(Victim);
1899  }
1900 }
1901 
1902 
1903 static void
1904 IntSerializeRawDump(
1905  _In_ const EXCEPTION_UM_ORIGINATOR *Originator,
1906  _In_ const EXCEPTION_VICTIM_ZONE *Victim
1907  )
1914 {
1915  if (Victim == NULL)
1916  {
1917  return;
1918  }
1919 
1920  if (Originator == NULL)
1921  {
1922  return;
1923  }
1924 
1925 #define RAW_DUMP_SERIALIZER_VERSION 1
1926 
1927  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(RAW_DUMP_SERIALIZER_VERSION, intObjRawDump);
1928  if (!pHeader)
1929  {
1930  return;
1931  }
1932 
1933  SERIALIZER_RAW_DUMP *pObject = IntSerializeCurrentPtr(sizeof(*pObject) + Victim->Injection.Length);
1934  if (!pObject)
1935  {
1936  return;
1937  }
1938 
1939  pObject->Length = Victim->Injection.Length;
1940 
1941  if (gGuest.OSType == introGuestLinux)
1942  {
1943  IntVirtMemRead(Originator->SourceVA, Victim->Injection.Length, Originator->LixProc->Cr3, pObject->Raw, NULL);
1944  }
1945  else if (gGuest.OSType == introGuestWindows)
1946  {
1947  IntVirtMemRead(Originator->SourceVA, Victim->Injection.Length, Originator->WinProc->Cr3, pObject->Raw, NULL);
1948  }
1949 
1950  pHeader->Size = (WORD)(sizeof(*pObject) + pObject->Length);
1951  IntSerializeIncrementCurrentPtr(sizeof(*pObject) + pObject->Length);
1952 }
1953 
1954 
1955 static void
1956 IntSerializeRipCode(
1957  void
1958  )
1962 {
1963 
1964 #define RIP_CODE_SERIALIZER_VERSION 1
1965  INTSTATUS status = INT_STATUS_SUCCESS;
1966 
1967  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(RIP_CODE_SERIALIZER_VERSION, intObjRipCode);
1968  if (!pHeader)
1969  {
1970  return;
1971  }
1972 
1973  SERIALIZER_RIP_CODE *pObject = IntSerializeCurrentPtr(sizeof(*pObject) + PAGE_SIZE);
1974  if (!pObject)
1975  {
1976  return;
1977  }
1978 
1979  status = IntGetCurrentMode(IG_CURRENT_VCPU, &pObject->CsType);
1980  if (!INT_SUCCESS(status))
1981  {
1982  ERROR("[ERROR] IntGetCurrentMode failed: 0x%08x\n", status);
1983  pObject->CsType = IG_CS_TYPE_INVALID;
1984  }
1985 
1986  pObject->Length = PAGE_SIZE;
1987 
1988  IntVirtMemRead(gVcpu->Regs.Rip & PAGE_MASK, PAGE_SIZE, gVcpu->Regs.Cr3, pObject->Code, NULL);
1989 
1990  pHeader->Size = (WORD)(sizeof(*pObject) + pObject->Length);
1991  IntSerializeIncrementCurrentPtr(sizeof(*pObject) + pObject->Length);
1992 }
1993 
1994 
1995 static void
1996 IntSerializeCodeBlocksGetExtractRange(
1997  _In_ QWORD Rip,
1998  _In_ BOOLEAN Execute,
1999  _Out_ DWORD *Start,
2000  _Out_ DWORD *End
2001  )
2012 {
2013  DWORD startOffset = 0;
2014  DWORD endOffset = 0;
2015 
2016  startOffset = endOffset = Rip & PAGE_OFFSET;
2017 
2018  if (!Execute)
2019  {
2020  if (startOffset > EXCEPTION_CODEBLOCKS_OFFSET)
2021  {
2022  if (endOffset + EXCEPTION_CODEBLOCKS_OFFSET < PAGE_SIZE)
2023  {
2024  startOffset -= EXCEPTION_CODEBLOCKS_OFFSET;
2025  endOffset += EXCEPTION_CODEBLOCKS_OFFSET - 1;
2026  }
2027  else
2028  {
2029  startOffset = PAGE_SIZE - (EXCEPTION_CODEBLOCKS_OFFSET * 2);
2030  endOffset = PAGE_SIZE - 1;
2031  }
2032 
2033  }
2034  else
2035  {
2036  startOffset = 0;
2037  endOffset = (EXCEPTION_CODEBLOCKS_OFFSET * 2) - 1;
2038  }
2039  }
2040  else
2041  {
2042  endOffset += EXCEPTION_CODEBLOCKS_OFFSET - 1;
2043  }
2044 
2045  *Start = startOffset;
2046  *End = endOffset;
2047 }
2048 
2049 
2050 static CB_EXTRACT_LEVEL
2051 IntSerializeCodeBlocksGetExtractLevel(
2052  _In_ QWORD Rip
2053  )
2059 {
2060  if (gGuest.OSType == introGuestWindows)
2061  {
2062  if (IS_KERNEL_POINTER_WIN(gGuest.Guest64, Rip))
2063  {
2064  return cbLevelNormal;
2065  }
2066  else
2067  {
2068  return cbLevelMedium;
2069  }
2070  }
2071  else if (gGuest.OSType == introGuestLinux)
2072  {
2073  if (IS_KERNEL_POINTER_LIX(Rip))
2074  {
2075  return cbLevelNormal;
2076  }
2077  else
2078  {
2079  return cbLevelMedium;
2080  }
2081  }
2082 
2083  return cbLevelNormal;
2084 }
2085 
2086 
2087 static void
2088 IntSerializeCodeBlocksPattern(
2089  _In_ CODE_BLOCK *CodeBlocks,
2090  _In_ DWORD Count,
2091  _In_ QWORD Rip,
2092  _In_ BOOLEAN Execute,
2093  _Out_ SERIALIZER_CODE_BLOCKS *Object
2094  )
2104 {
2105  DWORD startCb = 0;
2106  DWORD ripCb = 0;
2107 
2108  if (!Execute)
2109  {
2110  DWORD previous = gCodeBlocks[0].OffsetStart;
2111  DWORD ripOffset = Rip & PAGE_OFFSET;
2112 
2113  // We must find where the RIP is inside the extracted codeblocks
2114  for (DWORD index = 0; index < Count; index++)
2115  {
2116  if (index == 0 && CodeBlocks[index].OffsetStart >= ripOffset)
2117  {
2118  ripCb = 0;
2119  break;
2120  }
2121  else if (index == Count - 1 || (previous <= ripOffset && ripOffset <= gCodeBlocks[index].OffsetStart))
2122  {
2123  ripCb = index;
2124  break;
2125  }
2126 
2127  previous = gCodeBlocks[index].OffsetStart;
2128  }
2129 
2130  if (Count <= ALERT_MAX_CODEBLOCKS || (ripCb <= ALERT_MAX_CODEBLOCKS / 2))
2131  {
2132  // [0; MIN(ALERT_MAX_CODEBLOCKS, cbCount)]
2133  startCb = 0;
2134  }
2135  else if (Count - ripCb < ALERT_MAX_CODEBLOCKS)
2136  {
2137  // [cbCount - ALERT_MAX_CODEBLOCKS; cbCount]
2138  startCb = Count >= ALERT_MAX_CODEBLOCKS ? Count - ALERT_MAX_CODEBLOCKS : 0;
2139  }
2140  else
2141  {
2142  // save before & after RIP
2143  startCb = ripCb - (ALERT_MAX_CODEBLOCKS / 2);
2144  }
2145  }
2146  else
2147  {
2148  startCb = 0;
2149  }
2150 
2151  Object->StartAddress = (Rip & PAGE_MASK) + CodeBlocks[startCb].OffsetStart;
2152  Object->Rip = Rip;
2153  Object->Count = 0;
2154 
2155  for (DWORD index = startCb; index < Count; index++)
2156  {
2157  Object->Content[Object->Count] = Crc32Compute(CodeBlocks[index].Chunks,
2158  CODE_BLOCK_CHUNKS_COUNT,
2159  INITIAL_CRC_VALUE);
2160 
2161  if (index == ripCb)
2162  {
2163  Object->RipCbIndex = Object->Count;
2164  }
2165 
2166  Object->Count++;
2167 
2168  if (Object->Count >= ALERT_MAX_CODEBLOCKS)
2169  {
2170  break;
2171  }
2172  }
2173 }
2174 
2175 
2176 static INTSTATUS
2177 IntSerializeExtractCodeBlocks(
2178  _In_ QWORD Rip,
2179  _In_ QWORD Cr3,
2180  _In_ BOOLEAN Execute,
2181  _Out_ SERIALIZER_CODE_BLOCKS *Object
2182  )
2196 {
2197  INTSTATUS status = INT_STATUS_SUCCESS;
2198  void *pContent = NULL;
2199  DWORD mode = 0;
2200  DWORD startOffset = 0;
2201  DWORD endOffset = 0;
2202  CB_EXTRACT_LEVEL extractLevel = IntSerializeCodeBlocksGetExtractLevel(Rip);
2203  DWORD cbCount = 0;
2204 
2205  status = IntGetCurrentMode(IG_CURRENT_VCPU, &mode);
2206  if (!INT_SUCCESS(status))
2207  {
2208  ERROR("[ERROR] IntGetCurrentMode failed: 0x%08x\n", status);
2209  return status;
2210  }
2211 
2212  if ((mode != IG_CS_TYPE_32B) && (mode != IG_CS_TYPE_64B))
2213  {
2214  ERROR("[ERROR] Unsupported CS type: %d\n", mode);
2215  return status;
2216  }
2217 
2218  IntSerializeCodeBlocksGetExtractRange(Rip, Execute, &startOffset, &endOffset);
2219 
2220  status = IntVirtMemMap((Rip & PAGE_MASK) + startOffset, endOffset - startOffset, Cr3, 0, &pContent);
2221  if (!INT_SUCCESS(status))
2222  {
2223  if (Execute)
2224  {
2225  WARNING("[WARNING] Failed to map range [0x%016llx - 0x%016llx], try to map range [0x%016llx - 0x%016llx]",
2226  (Rip & PAGE_MASK) + startOffset, (Rip & PAGE_MASK) + startOffset + (endOffset - startOffset),
2227  (Rip & PAGE_MASK) + startOffset, (Rip & PAGE_MASK) + startOffset + (PAGE_SIZE - startOffset));
2228  status = IntVirtMemMap((Rip & PAGE_MASK) + startOffset,
2229  PAGE_SIZE - startOffset,
2230  Cr3,
2231  0,
2232  &pContent);
2233  if (!INT_SUCCESS(status))
2234  {
2235  WARNING("[WARNING] IntVirtMemMap failed for RIP %llx and cr3 %llx: 0x%08x\n",
2236  Rip & PAGE_MASK, Cr3, status);
2237  return status;
2238  }
2239 
2240  endOffset = PAGE_SIZE;
2241  }
2242  else
2243  {
2244  WARNING("[WARNING] IntVirtMemMap failed for RIP %llx and cr3 %llx: 0x%08x\n",
2245  Rip & PAGE_MASK, Cr3, status);
2246  return status;
2247  }
2248  }
2249 
2250  status = IntFragExtractCodePattern(pContent,
2251  startOffset,
2252  endOffset - startOffset,
2253  mode,
2254  extractLevel,
2255  PAGE_SIZE / sizeof(CODE_BLOCK_PATTERN),
2256  gCodeBlocksPattern,
2257  &gCodeBlocksPatternLength);
2258  if (!INT_SUCCESS(status))
2259  {
2260  if (status == INT_STATUS_DATA_BUFFER_TOO_SMALL)
2261  {
2262  WARNING("[WARNNING] Buffer too small to extract codeblocks (size %d): 0x%08x\n",
2263  endOffset - startOffset,
2264  status);
2265  }
2266  else
2267  {
2268  ERROR("[ERROR] IntFragExtractCodePattern: 0x%08x\n", status);
2269  }
2270 
2271  goto _exit;
2272  }
2273 
2274  if (gCodeBlocksPatternLength < CODE_BLOCK_CHUNKS_COUNT)
2275  {
2276  WARNING("[WARNING] Could not extract enough code-blocks from RIP %llx: %d\n",
2277  Rip,
2278  gCodeBlocksPatternLength);
2279 
2280  status = INT_STATUS_DATA_BUFFER_TOO_SMALL;
2281  goto _exit;
2282  }
2283 
2284  for (DWORD i = 0; i < gCodeBlocksPatternLength - CODE_BLOCK_CHUNKS_COUNT; i++)
2285  {
2286  if (cbLevelNormal == extractLevel &&
2287  (codeInsCall != gCodeBlocksPattern[i].Value &&
2288  codeInsJmp != gCodeBlocksPattern[i].Value))
2289  {
2290  continue;
2291  }
2292 
2293  if (cbLevelMedium == extractLevel &&
2294  (codeInsCall != gCodeBlocksPattern[i].Value &&
2295  codeInsJmp != gCodeBlocksPattern[i].Value &&
2296  codeInsMovMem != gCodeBlocksPattern[i].Value &&
2297  codeInsMovFsGs != gCodeBlocksPattern[i].Value))
2298  {
2299  continue;
2300  }
2301 
2302  gCodeBlocks[cbCount].PivotInstruction = gCodeBlocksPattern[i].Value;
2303  gCodeBlocks[cbCount].OffsetStart = gCodeBlocksPattern[i].Offset;
2304 
2305  // Extract from offset, CODE_BLOCK_CHUNKS_COUNT forward
2306  for (DWORD j = 0; j < CODE_BLOCK_CHUNKS_COUNT; j++)
2307  {
2308  gCodeBlocks[cbCount].Chunks[j] = gCodeBlocksPattern[i + j].Value;
2309  gCodeBlocks[cbCount].Size++;
2310  }
2311 
2312  ++cbCount;
2313 
2314  if (cbCount >= sizeof(gCodeBlocks) / sizeof(gCodeBlocks[0]))
2315  {
2316  break;
2317  }
2318  }
2319 
2320 
2321  if (IntSerializeValidObjectSize(sizeof(DWORD) * MIN(ALERT_MAX_CODEBLOCKS, cbCount)))
2322  {
2323  IntSerializeCodeBlocksPattern(gCodeBlocks, cbCount, Rip, Execute, Object);
2324  }
2325  else
2326  {
2327  status = INT_STATUS_DATA_BUFFER_TOO_SMALL;
2328  goto _exit;
2329  }
2330 
2331 _exit:
2332  IntVirtMemUnmap(&pContent);
2333 
2334  return status;
2335 }
2336 
2337 
2338 static void
2339 IntSerializeCodeBlocks(
2340  _In_ QWORD Rip,
2341  _In_ QWORD Cr3,
2342  _In_ BOOLEAN Execute
2343  )
2351 {
2352 #define CODE_BLOCKS_SERIALIZER_VERSION 1
2353 
2354  if (Rip == 0)
2355  {
2356  return;
2357  }
2358 
2359  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(CODE_BLOCKS_SERIALIZER_VERSION, intObjCodeBlocks);
2360  if (!pHeader)
2361  {
2362  return;
2363  }
2364 
2365  SERIALIZER_CODE_BLOCKS *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
2366  if (!pObject)
2367  {
2368  return;
2369  }
2370 
2371  memzero(pObject, sizeof(*pObject));
2372 
2373  INTSTATUS status = IntSerializeExtractCodeBlocks(Rip, Cr3, Execute, pObject);
2374  if (!INT_SUCCESS(status))
2375  {
2376  WARNING("[WARNING] IntSerializeExtractCodeBlocks failed with status: 0x%08x\n", status);
2377  }
2378 
2379  pHeader->Size = (WORD)(sizeof(*pObject) + pObject->Count * sizeof(DWORD));
2380  IntSerializeIncrementCurrentPtr(sizeof(*pObject) + pObject->Count * sizeof(DWORD));
2381 }
2382 
2383 
2384 static void
2385 IntSerializeArchRegs(
2386  void
2387  )
2391 {
2392 #define ARCH_REGS_SERIALIZER_VERSION 1
2393 
2394  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(RIP_CODE_SERIALIZER_VERSION, intObjArchRegs);
2395  if (!pHeader)
2396  {
2397  return;
2398  }
2399 
2400  SERIALIZER_ARCH_REGS *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
2401  if (!pObject)
2402  {
2403  return;
2404  }
2405 
2406  memcpy(pObject, &gVcpu->Regs, sizeof(*pObject));
2407 
2408  pHeader->Size += sizeof(*pObject);
2409  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
2410 }
2411 
2412 
2413 static void
2414 IntSerializeDpiWinDebug(
2415  _In_ const EXCEPTION_UM_ORIGINATOR *Originator,
2416  _In_ const EXCEPTION_VICTIM_ZONE *Victim
2417  )
2424 {
2425 #define DPI_WIN_DEBUG_SERIALIZER_VERSION 1
2426  UNREFERENCED_PARAMETER(Originator);
2427 
2428  WIN_PROCESS_OBJECT *pProcess = Victim->Object.WinProc;
2429  if (!pProcess)
2430  {
2431  return;
2432  }
2433 
2434  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(DPI_WIN_DEBUG_SERIALIZER_VERSION, intObjDpiWinDebug);
2435  if (!pHeader)
2436  {
2437  return;
2438  }
2439 
2440  SERIALIZER_DPI_WIN_DEBUG *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
2441  if (!pObject)
2442  {
2443  return;
2444  }
2445 
2446  pObject->Debugger = pProcess->CreationInfo.DebuggerEprocess;
2447 
2448  pHeader->Size += sizeof(*pObject);
2449  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
2450 
2451  IntSerializeWinProcess(IntWinProcFindObjectByEprocess(pProcess->CreationInfo.DebuggerEprocess), intObjWinProcess);
2452 }
2453 
2454 
2455 static void
2456 IntSerializeDpiWinPivotedStack(
2457  _In_ const EXCEPTION_UM_ORIGINATOR *Originator,
2458  _In_ const EXCEPTION_VICTIM_ZONE *Victim
2459  )
2466 {
2467 #define DPI_WIN_PIVOTET_STACK_SERIALIZER_VERSION 1
2468  UNREFERENCED_PARAMETER(Victim);
2469 
2470  DWORD trapFrameSize = gGuest.Guest64 ? sizeof(KTRAP_FRAME64) : sizeof(KTRAP_FRAME32);
2471 
2472  WIN_PROCESS_OBJECT *pProcess = Originator->WinProc;
2473  if (!pProcess)
2474  {
2475  return;
2476  }
2477 
2478  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(DPI_WIN_PIVOTET_STACK_SERIALIZER_VERSION,
2479  intObjDpiWinPivotedStack);
2480  if (!pHeader)
2481  {
2482  return;
2483  }
2484 
2485  SERIALIZER_DPI_PIVOTED_STACK *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
2486  if (!pObject)
2487  {
2488  return;
2489  }
2490 
2491  pObject->CurrentStack = pProcess->DpiExtraInfo.DpiPivotedStackExtraInfo.CurrentStack;
2492  pObject->StackBase = pProcess->DpiExtraInfo.DpiPivotedStackExtraInfo.StackBase;
2493  pObject->StackLimit = pProcess->DpiExtraInfo.DpiPivotedStackExtraInfo.StackLimit;
2494  pObject->Wow64CurrentStack = pProcess->DpiExtraInfo.DpiPivotedStackExtraInfo.CurrentWow64Stack;
2495  pObject->Wow64StackBase = pProcess->DpiExtraInfo.DpiPivotedStackExtraInfo.Wow64StackBase;
2496  pObject->Wow64StackLimit = pProcess->DpiExtraInfo.DpiPivotedStackExtraInfo.Wow64StackLimit;
2497 
2498  IntVirtMemRead(pProcess->DpiExtraInfo.DpiPivotedStackExtraInfo.TrapFrameAddress,
2499  MIN(trapFrameSize, sizeof(pObject->TrapFrameContent)), gGuest.Mm.SystemCr3, pObject->TrapFrameContent,
2500  NULL);
2501 
2502  pHeader->Size += sizeof(*pObject);
2503  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
2504 }
2505 
2506 
2507 static void
2508 IntSerializeDpiWinStolenToken(
2509  _In_ const EXCEPTION_UM_ORIGINATOR *Originator,
2510  _In_ const EXCEPTION_VICTIM_ZONE *Victim
2511  )
2518 {
2519 #define DPI_WIN_STOLEN_TOKEN_SERIALIZER_VERSION 1
2520  UNREFERENCED_PARAMETER(Victim);
2521 
2522  WIN_PROCESS_OBJECT *pProcess = Originator->WinProc;
2523  if (!pProcess)
2524  {
2525  return;
2526  }
2527 
2528  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(DPI_WIN_STOLEN_TOKEN_SERIALIZER_VERSION,
2529  intObjDpiWinStolenToken);
2530  if (!pHeader)
2531  {
2532  return;
2533  }
2534 
2535  SERIALIZER_DPI_WIN_STOLEN_TOKEN *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
2536  if (!pObject)
2537  {
2538  return;
2539  }
2540 
2541  pObject->StolenFrom = pProcess->DpiExtraInfo.DpiStolenTokenExtraInfo.StolenFromEprocess;
2542 
2543  pHeader->Size += sizeof(*pObject);
2544  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
2545 
2546  IntSerializeWinProcess(IntWinProcFindObjectByEprocess(pObject->StolenFrom), intObjWinProcess);
2547 }
2548 
2549 
2550 static void
2551 IntSerializeDpiWinHeapSpray(
2552  _In_ const EXCEPTION_UM_ORIGINATOR *Originator,
2553  _In_ const EXCEPTION_VICTIM_ZONE *Victim
2554  )
2561 {
2562 #define DPI_WIN_HEAP_SPRAY_SERIALIZER_VERSION 1
2563 
2564  UNREFERENCED_PARAMETER(Victim);
2565 
2566  WORD maxNumberOfHeapVals = 0;
2567  DWORD detectedPage = 0;
2568  DWORD maxPageHeapVals = 0;
2569 
2570  WIN_PROCESS_OBJECT *pProcess = Originator->WinProc;
2571  if (!pProcess)
2572  {
2573  return;
2574  }
2575 
2576  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(DPI_WIN_HEAP_SPRAY_SERIALIZER_VERSION, intObjDpiWinHeapSpray);
2577  if (!pHeader)
2578  {
2579  return;
2580  }
2581 
2582  SERIALIZER_DPI_WIN_HEAP_SPRAY *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
2583  if (!pObject)
2584  {
2585  return;
2586  }
2587 
2588  pObject->ShellcodeFlags = pProcess->DpiExtraInfo.DpiHeapSprayExtraInfo.ShellcodeFlags;
2589 
2590  for (DWORD val = 1; val <= HEAP_SPRAY_NR_PAGES; val++)
2591  {
2592  DWORD checkedPage = ((val << 24) | (val << 16) | (val << 8) | val) & PAGE_MASK;
2593 
2594  pObject->HeapPages[val - 1].Mapped = pProcess->DpiExtraInfo.DpiHeapSprayExtraInfo.HeapPages[val - 1].Mapped;
2595  pObject->HeapPages[val - 1].Detected = pProcess->DpiExtraInfo.DpiHeapSprayExtraInfo.HeapPages[val - 1].Detected;
2596  pObject->HeapPages[val - 1].HeapValCount =
2597  pProcess->DpiExtraInfo.DpiHeapSprayExtraInfo.HeapPages[val - 1].HeapValCount;
2598  pObject->HeapPages[val - 1].Offset = pProcess->DpiExtraInfo.DpiHeapSprayExtraInfo.HeapPages[val - 1].Offset;
2599  pObject->HeapPages[val - 1].Executable =
2600  pProcess->DpiExtraInfo.DpiHeapSprayExtraInfo.HeapPages[val - 1].Executable;
2601 
2602  if (pProcess->DpiExtraInfo.DpiHeapSprayExtraInfo.HeapPages[val - 1].Detected)
2603  {
2604  detectedPage = checkedPage;
2605  }
2606 
2607  // Use >= so that we are sure that we will get at least one page even if there are no heap values.
2608  if (pProcess->DpiExtraInfo.DpiHeapSprayExtraInfo.HeapPages[val - 1].HeapValCount >= maxNumberOfHeapVals &&
2609  pProcess->DpiExtraInfo.DpiHeapSprayExtraInfo.HeapPages[val - 1].Mapped)
2610  {
2611  maxNumberOfHeapVals = (WORD)pProcess->DpiExtraInfo.DpiHeapSprayExtraInfo.HeapPages[val - 1].HeapValCount;
2612  maxPageHeapVals = checkedPage;
2613  }
2614  }
2615 
2616  // At this point we might not have any detected page, but only pages exceeding the max heap values heuristic,
2617  // so don't bother to complete it if not needed.
2618  if (0 != detectedPage)
2619  {
2620  IntVirtMemRead(detectedPage, PAGE_SIZE, pProcess->Cr3, pObject->DetectedPage, NULL);
2621  }
2622 
2623  IntVirtMemRead(maxPageHeapVals, PAGE_SIZE, pProcess->Cr3, pObject->MaxHeapValPageContent, NULL);
2624 
2625  pHeader->Size += sizeof(*pObject);
2626  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
2627 }
2628 
2629 
2630 static void
2631 IntSerializeDpiWinTokenPrivs(
2632  _In_ const EXCEPTION_UM_ORIGINATOR *Originator,
2633  _In_ const EXCEPTION_VICTIM_ZONE *Victim
2634  )
2641 {
2642 #define DPI_WIN_TOKEN_PRIVS_SERIALIZER_VERSION 1
2643 
2644  UNREFERENCED_PARAMETER(Victim);
2645 
2646  WIN_PROCESS_OBJECT *pProcess = Originator->WinProc;
2647  if (!pProcess)
2648  {
2649  return;
2650  }
2651 
2652  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(DPI_WIN_TOKEN_PRIVS_SERIALIZER_VERSION,
2653  intObjDpiWinTokenPrivs);
2654  if (!pHeader)
2655  {
2656  return;
2657  }
2658 
2659  SERIALIZER_DPI_WIN_TOKEN_PRIVS *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
2660  if (!pObject)
2661  {
2662  return;
2663  }
2664 
2665  pObject->OldEnabled = pProcess->DpiExtraInfo.DpiTokenPrivsExtraInfo.OldEnabled;
2666  pObject->OldPresent = pProcess->DpiExtraInfo.DpiTokenPrivsExtraInfo.OldPresent;
2667  pObject->NewEnabled = pProcess->DpiExtraInfo.DpiTokenPrivsExtraInfo.NewEnabled;
2668  pObject->NewPresent = pProcess->DpiExtraInfo.DpiTokenPrivsExtraInfo.NewPresent;
2669 
2670  pHeader->Size += sizeof(*pObject);
2671  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
2672 }
2673 
2674 
2675 static void
2676 IntSerializeDpiWinThreadStart(
2677  _In_ const EXCEPTION_UM_ORIGINATOR *Originator,
2678  _In_ const EXCEPTION_VICTIM_ZONE *Victim
2679  )
2686 {
2687 #define DPI_WIN_THREAD_START_SERIALIZER_VERSION 1
2688  UNREFERENCED_PARAMETER(Victim);
2689 
2690  WIN_PROCESS_OBJECT *pProcess = Originator->WinProc;
2691  if (!pProcess)
2692  {
2693  return;
2694  }
2695 
2696  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(DPI_WIN_THREAD_START_SERIALIZER_VERSION,
2697  intObjDpiWinThreadStart);
2698  if (!pHeader)
2699  {
2700  return;
2701  }
2702 
2703  SERIALIZER_DPI_WIN_THREAD_START *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
2704  if (!pObject)
2705  {
2706  return;
2707  }
2708 
2709  pObject->ShellcodeFlags = pProcess->DpiExtraInfo.DpiThreadStartExtraInfo.ShellcodeFlags;
2710  pObject->StartAddress = pProcess->DpiExtraInfo.DpiThreadStartExtraInfo.StartAddress;
2711 
2712  IntVirtMemRead(pProcess->DpiExtraInfo.DpiThreadStartExtraInfo.StartAddress & PAGE_MASK, PAGE_SIZE, pProcess->Cr3,
2713  pObject->StartPage, NULL);
2714 
2715  pHeader->Size += sizeof(*pObject);
2716  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
2717 }
2718 
2719 
2720 static void
2721 IntSerializeDpiWinSecDesc(
2722  _In_ const EXCEPTION_UM_ORIGINATOR *Originator,
2723  _In_ const EXCEPTION_VICTIM_ZONE *Victim
2724  )
2731 {
2732 #define DPI_WIN_SEC_DESC_SERIALIZER_VERSION 1
2733 
2734  WIN_PROCESS_OBJECT *pProcess = Originator->WinProc;
2735  if (!pProcess)
2736  {
2737  return;
2738  }
2739 
2740  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(DPI_WIN_SEC_DESC_SERIALIZER_VERSION,
2741  intObjDpiWinSecDesc);
2742  if (!pHeader)
2743  {
2744  return;
2745  }
2746 
2747  SERIALIZER_DPI_WIN_SEC_DESC *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
2748  if (!pObject)
2749  {
2750  return;
2751  }
2752 
2753  pObject->SecDescStolenFromEproc =
2754  pProcess->DpiExtraInfo.DpiSecDescAclExtraInfo.SecDescStolenFromEproc;
2755 
2756 
2757  pObject->OldPtrValue = Victim->Object.WinProc->DpiExtraInfo.DpiSecDescAclExtraInfo.OldPtrValue;
2758  pObject->NewPtrValue = Victim->Object.WinProc->DpiExtraInfo.DpiSecDescAclExtraInfo.NewPtrValue;
2759 
2760  memcpy(&pObject->OldSacl, &Victim->Object.WinProc->DpiExtraInfo.DpiSecDescAclExtraInfo.OldSacl, sizeof(ACL));
2761  memcpy(&pObject->OldDacl, &Victim->Object.WinProc->DpiExtraInfo.DpiSecDescAclExtraInfo.OldDacl, sizeof(ACL));
2762  memcpy(&pObject->NewSacl, &Victim->Object.WinProc->DpiExtraInfo.DpiSecDescAclExtraInfo.NewSacl, sizeof(ACL));
2763  memcpy(&pObject->NewDacl, &Victim->Object.WinProc->DpiExtraInfo.DpiSecDescAclExtraInfo.NewDacl, sizeof(ACL));
2764 
2765  IntSerializeWinProcess(IntWinProcFindObjectByEprocess(pObject->SecDescStolenFromEproc),
2766  intObjDpiWinSecDesc);
2767 
2768  pHeader->Size += sizeof(*pObject);
2769  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
2770 }
2771 
2772 
2773 static void
2774 IntSerializeDpiWinAclEdit(
2775  _In_ const EXCEPTION_UM_ORIGINATOR *Originator,
2776  _In_ const EXCEPTION_VICTIM_ZONE *Victim
2777  )
2784 {
2785 #define DPI_WIN_ACL_SERIALIZER_VERSION 1
2786 
2787  WIN_PROCESS_OBJECT *pProcess = Originator->WinProc;
2788  if (!pProcess)
2789  {
2790  return;
2791  }
2792 
2793  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(DPI_WIN_ACL_SERIALIZER_VERSION,
2794  intObjDpiWinAclEdit);
2795  if (!pHeader)
2796  {
2797  return;
2798  }
2799 
2800  SERIALIZER_DPI_WIN_ACL_EDIT *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
2801  if (!pObject)
2802  {
2803  return;
2804  }
2805 
2806  memcpy(&pObject->OldSacl, &Victim->Object.WinProc->DpiExtraInfo.DpiSecDescAclExtraInfo.OldSacl, sizeof(ACL));
2807  memcpy(&pObject->OldDacl, &Victim->Object.WinProc->DpiExtraInfo.DpiSecDescAclExtraInfo.OldDacl, sizeof(ACL));
2808  memcpy(&pObject->NewSacl, &Victim->Object.WinProc->DpiExtraInfo.DpiSecDescAclExtraInfo.NewSacl, sizeof(ACL));
2809  memcpy(&pObject->NewDacl, &Victim->Object.WinProc->DpiExtraInfo.DpiSecDescAclExtraInfo.NewDacl, sizeof(ACL));
2810 
2811  pHeader->Size += sizeof(*pObject);
2812  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
2813 }
2814 
2815 
2816 static void
2817 IntSerializeWinDpiInfo(
2818  const _In_ EXCEPTION_UM_ORIGINATOR *Originator,
2819  const _In_ EXCEPTION_VICTIM_ZONE *Victim
2820  )
2827 {
2828  switch (Originator->PcType)
2829  {
2830  case INT_PC_VIOLATION_DPI_DEBUG_FLAG:
2831  IntSerializeDpiWinDebug(Originator, Victim);
2832  break;
2833 
2834  case INT_PC_VIOLATION_DPI_PIVOTED_STACK:
2835  IntSerializeDpiWinPivotedStack(Originator, Victim);
2836  break;
2837 
2838  case INT_PC_VIOLATION_DPI_STOLEN_TOKEN:
2839  IntSerializeDpiWinStolenToken(Originator, Victim);
2840  break;
2841 
2842  case INT_PC_VIOLATION_DPI_HEAP_SPRAY:
2843  IntSerializeDpiWinHeapSpray(Originator, Victim);
2844  break;
2845 
2846  case INT_PC_VIOLATION_DPI_TOKEN_PRIVS:
2847  IntSerializeDpiWinTokenPrivs(Originator, Victim);
2848  break;
2849 
2850  case INT_PC_VIOLATION_DPI_THREAD_START:
2851  IntSerializeDpiWinThreadStart(Originator, Victim);
2852  break;
2853 
2854  case INT_PC_VIOLATION_DPI_SEC_DESC:
2855  IntSerializeDpiWinSecDesc(Originator, Victim);
2856  break;
2857 
2858  case INT_PC_VIOLATION_DPI_ACL_EDIT:
2859  IntSerializeDpiWinAclEdit(Originator, Victim);
2860  break;
2861 
2862  default:
2863  break;
2864  }
2865 }
2866 
2867 
2868 static void
2869 IntSerializeDpi(
2870  _In_ const EXCEPTION_UM_ORIGINATOR *Originator
2871  )
2877 {
2878 #define DPI_SERIALIZER_VERSION 1
2879 
2880  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(DPI_SERIALIZER_VERSION, intObjDpi);
2881  if (!pHeader)
2882  {
2883  return;
2884  }
2885 
2886  SERIALIZER_DPI *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
2887  if (!pObject)
2888  {
2889  return;
2890  }
2891 
2892  pObject->Flags = Originator->PcType;
2893 
2894  pHeader->Size += sizeof(*pObject);
2895  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
2896 }
2897 
2898 
2899 static void
2900 IntSerializeExport(
2901  _In_ const EXCEPTION_VICTIM_ZONE *Victim
2902  )
2908 {
2909  WINUM_CACHE_EXPORT *pExport = NULL;
2910 
2911  if (Victim->Object.Library.Export == NULL)
2912  {
2913  pExport = IntWinUmCacheGetExportFromRange(Victim->Object.Library.WinMod, Victim->Ept.Gva, 0x20);
2914  }
2915  else
2916  {
2917  pExport = Victim->Object.Library.Export;
2918  }
2919 
2920  if (!pExport)
2921  {
2922  return;
2923  }
2924 
2925 #define EXPORT_SERIALIZER_VERSION 1
2926 
2927  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(EXPORT_SERIALIZER_VERSION, intObjExport);
2928  if (!pHeader)
2929  {
2930  return;
2931  }
2932 
2933  SERIALIZER_EXPORT *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
2934  if (!pObject)
2935  {
2936  return;
2937  }
2938 
2939  pObject->Count = pExport->NumberOfOffsets;
2940  pObject->Delta = (DWORD)(Victim->Ept.Gva - Victim->Object.Library.WinMod->VirtualBase - pExport->Rva);
2941 
2942  pHeader->Size = sizeof(*pObject);
2943  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
2944 
2945  for (DWORD index = 0; index < pExport->NumberOfOffsets; index++)
2946  {
2947  IntSerializeString(pExport->Names[index], pExport->NameLens[index], stringEncodeUtf8, pHeader);
2948  }
2949 }
2950 
2951 
2952 static void
2953 IntSerializeWinUmOriginator(
2954  _In_ const EXCEPTION_UM_ORIGINATOR *Originator,
2955  _In_ const EXCEPTION_VICTIM_ZONE *Victim
2956  )
2963 {
2964  UNREFERENCED_PARAMETER(Victim);
2965 
2966  IntSerializeProcess(Originator->Process, intObjWinProcess);
2967  IntSerializeProcess(IntWinProcFindObjectByEprocess(Originator->WinProc->ParentEprocess), intObjWinProcessParent);
2968 
2969  IntSerializeWinModule(Originator->WinLib, intObjWinModule);
2970 
2971  if (Originator->Return.Library && Originator->Return.Rip != Originator->Rip)
2972  {
2973  IntSerializeWinModule(Originator->Return.WinLib, intObjWinModuleReturn);
2974  }
2975 }
2976 
2977 
2978 void
2979 IntSerializeLixUmOriginator(
2980  _In_ const EXCEPTION_UM_ORIGINATOR *Originator,
2981  _In_ const EXCEPTION_VICTIM_ZONE *Victim
2982  )
2989 {
2990  UNREFERENCED_PARAMETER(Victim);
2991 
2992  IntSerializeProcess(Originator->Process, intObjLixProcess);
2993  IntSerializeProcess(IntLixTaskFindByGva(Originator->LixProc->Parent), intObjLixProcessParent);
2994 
2995  IntSerializeInstruction(Originator->Instruction, Originator->Rip);
2996  IntSerializeCodeBlocks(Originator->Rip, Originator->LixProc->Cr3, Originator->Execute);
2997 }
2998 
2999 
3000 static void
3001 IntSerializeUmOriginator(
3002  _In_ const EXCEPTION_UM_ORIGINATOR *Originator,
3003  _In_ const EXCEPTION_VICTIM_ZONE *Victim
3004  )
3011 {
3012 
3013 #define START_ORIGINATOR_SERIALZIER_VERSION 1
3014 #define END_ORIGINATOR_SERIALZIER_VERSION 1
3015 
3016  IntSerializeObjectHeader(START_ORIGINATOR_SERIALZIER_VERSION, intObjStartOriginator);
3017 
3018  if (gGuest.OSType == introGuestLinux)
3019  {
3020  IntSerializeLixUmOriginator(Originator, Victim);
3021  }
3022  else if (gGuest.OSType == introGuestWindows)
3023  {
3024  IntSerializeWinUmOriginator(Originator, Victim);
3025  }
3026 
3027  IntSerializeObjectHeader(END_ORIGINATOR_SERIALZIER_VERSION, intObjEndOriginator);
3028 }
3029 
3030 
3031 static void
3032 IntSerializeLixUmVictim(
3033  _In_ const EXCEPTION_UM_ORIGINATOR *Originator,
3034  _In_ const EXCEPTION_VICTIM_ZONE *Victim
3035  )
3042 {
3043 #define LIX_VICTIM_SERIALIZER_VERSION 1
3044 
3045  UNREFERENCED_PARAMETER(Originator);
3046 
3047  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(LIX_VICTIM_SERIALIZER_VERSION, intObjVictim);
3048  if (!pHeader)
3049  {
3050  return;
3051  }
3052 
3053  SERIALIZER_EXCEPTION_VICTIM *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
3054  if (!pObject)
3055  {
3056  return;
3057  }
3058 
3059  pObject->Type = Victim->Object.Type;
3060  pObject->ZoneType = Victim->ZoneType;
3061  pObject->ZoneFlags = Victim->ZoneFlags;
3062 
3063  pHeader->Size = sizeof(*pObject);
3064  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
3065 
3066  IntSerializeProcess(Victim->Object.Process, intObjLixProcess);
3067  IntSerializeProcess(IntLixTaskFindByGva(Victim->Object.LixProc->Parent), intObjLixProcessParent);
3068 
3069  IntSerializeVad(Victim->Object.Vad);
3070 }
3071 
3072 
3073 static void
3074 IntSerializeWinUmVictim(
3075  _In_ const EXCEPTION_UM_ORIGINATOR *Originator,
3076  _In_ const EXCEPTION_VICTIM_ZONE *Victim
3077  )
3084 {
3085 #define WIN_VICTIM_SERIALIZER_VERSION 1
3086  UNREFERENCED_PARAMETER(Originator);
3087 
3088  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(WIN_VICTIM_SERIALIZER_VERSION, intObjVictim);
3089  if (!pHeader)
3090  {
3091  return;
3092  }
3093 
3094  SERIALIZER_EXCEPTION_VICTIM *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
3095  if (!pObject)
3096  {
3097  return;
3098  }
3099 
3100  pObject->Type = Victim->Object.Type;
3101  pObject->ZoneType = Victim->ZoneType;
3102  pObject->ZoneFlags = Victim->ZoneFlags;
3103 
3104  pHeader->Size = sizeof(*pObject);
3105  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
3106 
3107  if ((Victim->ZoneType == exceptionZoneProcess) ||
3108  (Victim->Object.Type == introObjectTypeUmGenericNxZone) ||
3109  (Victim->Object.Type == introObjectTypeSudExec))
3110  {
3111  IntSerializeProcess(Victim->Object.Process, intObjWinProcess);
3112  IntSerializeProcess(IntWinProcFindObjectByEprocess(Victim->Object.WinProc->ParentEprocess),
3113  intObjWinProcessParent);
3114 
3115  IntSerializeWinModule(Victim->Object.Library.WinMod, intObjWinModule);
3116  IntSerializeVad(Victim->Object.Vad);
3117  }
3118  else if (Victim->Object.Type == introObjectTypeUmModule)
3119  {
3120  IntSerializeProcess(Victim->Object.Process, intObjWinProcess);
3121  IntSerializeWinModule(Victim->Object.Library.WinMod, intObjWinModule);
3122  }
3123 }
3124 
3125 
3126 static void
3127 IntSerializeWinUmMisc(
3128  _In_ const EXCEPTION_UM_ORIGINATOR *Originator,
3129  _In_ const EXCEPTION_VICTIM_ZONE *Victim
3130  )
3137 {
3138  UNREFERENCED_PARAMETER(Originator);
3139 
3140  if ((Victim->ZoneType == exceptionZoneProcess) ||
3141  (Victim->Object.Type == introObjectTypeUmGenericNxZone) ||
3142  (Victim->Object.Type == introObjectTypeSudExec))
3143  {
3144  if (Victim->ZoneType == exceptionZoneProcess)
3145  {
3146  IntSerializeInjection(&Victim->Injection, Victim);
3147  IntSerializeRawDump(Originator, Victim);
3148  }
3149  else
3150  {
3151  IntSerializeEpt(&Victim->Ept, Victim);
3152  IntSerializeAccessInfo(Victim);
3153  }
3154  }
3155  else if (Victim->Object.Type == introObjectTypeUmModule)
3156  {
3157  IntSerializeInstruction(Originator->Instruction, Originator->Rip);
3158  IntSerializeExport(Victim);
3159  IntSerializeAccessInfo(Victim);
3160  IntSerializeEpt(&Victim->Ept, Victim);
3161  }
3162 
3163  if (Originator->PcType)
3164  {
3165  IntSerializeDpi(Originator);
3166  IntSerializeWinDpiInfo(Originator, Victim);
3167  }
3168 
3169  IntSerializeCodeBlocks(Originator->Rip, Originator->WinProc->Cr3, Originator->Execute);
3170  IntSerializeRipCode();
3171 }
3172 
3173 
3174 static void
3175 IntSerializeLixUmMisc(
3176  _In_ const EXCEPTION_UM_ORIGINATOR *Originator,
3177  _In_ const EXCEPTION_VICTIM_ZONE *Victim
3178  )
3185 {
3186  UNREFERENCED_PARAMETER(Originator);
3187 
3188  if (Victim->ZoneType == exceptionZoneProcess)
3189  {
3190  IntSerializeInjection(&Victim->Injection, Victim);
3191  IntSerializeRawDump(Originator, Victim);
3192 
3193  if (Originator->PcType)
3194  {
3195  IntSerializeDpi(Originator);
3196  }
3197  }
3198  else
3199  {
3200  IntSerializeEpt(&Victim->Ept, Victim);
3201  IntSerializeAccessInfo(Victim);
3202  }
3203 
3204  IntSerializeCodeBlocks(Originator->Rip, Originator->LixProc->Cr3, Originator->Execute);
3205  IntSerializeRipCode();
3206 }
3207 
3208 
3209 static void
3210 IntSerializeUmMisc(
3211  _In_ const EXCEPTION_UM_ORIGINATOR *Originator,
3212  _In_ const EXCEPTION_VICTIM_ZONE *Victim
3213  )
3220 {
3221 #define START_MISC_SERIALZIER_VERSION 1
3222 #define END_MISC_SERIALZIER_VERSION 1
3223 
3224  IntSerializeObjectHeader(START_MISC_SERIALZIER_VERSION, intObjStartMisc);
3225 
3226  if (gGuest.OSType == introGuestLinux)
3227  {
3228  IntSerializeLixUmMisc(Originator, Victim);
3229  }
3230  else if (gGuest.OSType == introGuestWindows)
3231  {
3232  IntSerializeWinUmMisc(Originator, Victim);
3233  }
3234 
3235  IntSerializeObjectHeader(END_MISC_SERIALZIER_VERSION, intObjEndMisc);
3236 }
3237 
3238 
3239 static void
3240 IntSerializeUmVictim(
3241  _In_ const EXCEPTION_UM_ORIGINATOR *Originator,
3242  _In_ const EXCEPTION_VICTIM_ZONE *Victim
3243  )
3250 {
3251 #define START_VICTIM_SERIALZIER_VERSION 1
3252 #define END_VICTIM_SERIALZIER_VERSION 1
3253 
3254  IntSerializeObjectHeader(START_VICTIM_SERIALZIER_VERSION, intObjStartVictim);
3255 
3256  if (gGuest.OSType == introGuestLinux)
3257  {
3258  IntSerializeLixUmVictim(Originator, Victim);
3259  }
3260  else if (gGuest.OSType == introGuestWindows)
3261  {
3262  IntSerializeWinUmVictim(Originator, Victim);
3263  }
3264 
3265  IntSerializeObjectHeader(END_VICTIM_SERIALZIER_VERSION, intObjEndVictim);
3266 }
3267 
3268 
3269 void
3270 IntSerializeWinKmOriginator(
3271  _In_ const EXCEPTION_KM_ORIGINATOR *Originator,
3272  _In_ const EXCEPTION_VICTIM_ZONE *Victim
3273  )
3280 {
3281 #define KM_ORIGINATOR_SERIALZIER_VERSION 1
3282 
3283  UNREFERENCED_PARAMETER(Victim);
3284 
3285  IntSerializeKernelDriver(Originator, NULL, intObjKernelDriver);
3286  IntSerializeKernelDriver(Originator, NULL, intObjKernelDriverReturn);
3287 }
3288 
3289 
3290 void
3291 IntSerializeLixKmOriginator(
3292  _In_ const EXCEPTION_KM_ORIGINATOR *Originator,
3293  _In_ const EXCEPTION_VICTIM_ZONE *Victim
3294  )
3301 {
3302 #define KM_ORIGINATOR_SERIALZIER_VERSION 1
3303 
3304  UNREFERENCED_PARAMETER(Victim);
3305 
3306  IntSerializeKernelDriver(Originator, NULL, intObjKernelDriver);
3307  IntSerializeKernelDriver(Originator, NULL, intObjKernelDriverReturn);
3308 
3309  IntSerializeInstruction(Originator->Instruction, Originator->Original.Rip);
3310 }
3311 
3312 
3313 void
3314 IntSerializeKmOriginator(
3315  _In_ const EXCEPTION_KM_ORIGINATOR *Originator,
3316  _In_ const EXCEPTION_VICTIM_ZONE *Victim
3317  )
3324 {
3325  IntSerializeObjectHeader(START_ORIGINATOR_SERIALZIER_VERSION, intObjStartOriginator);
3326 
3327  if (gGuest.OSType == introGuestLinux)
3328  {
3329  IntSerializeLixKmOriginator(Originator, Victim);
3330  }
3331  else if (gGuest.OSType == introGuestWindows)
3332  {
3333  IntSerializeWinKmOriginator(Originator, Victim);
3334  }
3335 
3336  IntSerializeObjectHeader(END_ORIGINATOR_SERIALZIER_VERSION, intObjEndOriginator);
3337 }
3338 
3339 
3340 static void
3341 IntSerializeWinKmVictim(
3342  _In_ const EXCEPTION_KM_ORIGINATOR *Originator,
3343  _In_ const EXCEPTION_VICTIM_ZONE *Victim
3344  )
3351 {
3352 #define WIN_KM_VICTIM_SERIALIZER_VERSION 1
3353 
3354  UNREFERENCED_PARAMETER(Originator);
3355 
3356  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(WIN_KM_VICTIM_SERIALIZER_VERSION, intObjVictim);
3357  if (!pHeader)
3358  {
3359  return;
3360  }
3361 
3362  SERIALIZER_EXCEPTION_VICTIM *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
3363  if (!pObject)
3364  {
3365  return;
3366  }
3367 
3368  pObject->Type = Victim->Object.Type;
3369  pObject->ZoneType = Victim->ZoneType;
3370  pObject->ZoneFlags = Victim->ZoneFlags;
3371 
3372  pHeader->Size = sizeof(*pObject);
3373  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
3374 
3375  switch (Victim->ZoneType)
3376  {
3377  case exceptionZoneCr:
3378  IntSerializeCr(&Victim->Cr);
3379  break;
3380 
3381  case exceptionZoneMsr:
3382  IntSerializeMsr(&Victim->Msr);
3383  break;
3384 
3385  case exceptionZoneDtr:
3386  IntSerializeDtr(&Victim->Dtr);
3387  break;
3388  case exceptionZoneEpt:
3389  IntSerializeEpt(&Victim->Ept, Victim);
3390  break;
3391 
3392  default:
3393  break;
3394  }
3395 
3396  switch (Victim->Object.Type)
3397  {
3398  case introObjectTypeIdt:
3399  IntSerializeIdt(Victim);
3400  break;
3401 
3402  case introObjectTypeSsdt:
3403  case introObjectTypeVeAgent:
3404  case introObjectTypeKmModule:
3405  IntSerializeKernelDriver(NULL, Victim->Object.Module.Module, intObjKernelDriver);
3406  break;
3407 
3408  case introObjectTypeDriverObject:
3409  case introObjectTypeFastIoDispatch:
3410  IntSerializeKernelDrvObject(Victim->Object.DriverObject);
3411  break;
3412 
3413  default:
3414  break;
3415  }
3416 }
3417 
3418 
3419 static void
3420 IntSerializeLixKmVictim(
3421  _In_ const EXCEPTION_KM_ORIGINATOR *Originator,
3422  _In_ const EXCEPTION_VICTIM_ZONE *Victim
3423  )
3430 
3431 {
3432 #define LIX_KM_VICTIM_SERIALIZER_VERSION 1
3433 
3434  UNREFERENCED_PARAMETER(Originator);
3435 
3436  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(LIX_KM_VICTIM_SERIALIZER_VERSION, intObjVictim);
3437  if (!pHeader)
3438  {
3439  return;
3440  }
3441 
3442  SERIALIZER_EXCEPTION_VICTIM *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
3443  if (!pObject)
3444  {
3445  return;
3446  }
3447 
3448  pObject->Type = Victim->Object.Type;
3449  pObject->ZoneType = Victim->ZoneType;
3450  pObject->ZoneFlags = Victim->ZoneFlags;
3451 
3452  pHeader->Size = sizeof(*pObject);
3453  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
3454 
3455  switch (Victim->ZoneType)
3456  {
3457  case exceptionZoneCr:
3458  IntSerializeCr(&Victim->Cr);
3459  break;
3460 
3461  case exceptionZoneMsr:
3462  IntSerializeMsr(&Victim->Msr);
3463  break;
3464 
3465  case exceptionZoneDtr:
3466  IntSerializeDtr(&Victim->Dtr);
3467  break;
3468 
3469  case exceptionZoneEpt:
3470  IntSerializeEpt(&Victim->Ept, Victim);
3471  break;
3472 
3473  default:
3474  break;
3475  }
3476 
3477  switch (Victim->Object.Type)
3478  {
3479  case introObjectTypeVdso:
3480  case introObjectTypeVsyscall:
3481  case introObjectTypeKmModule:
3482  IntSerializeKernelDriver(NULL, Victim->Object.Module.Module, intObjKernelDriver);
3483  break;
3484 
3485  default:
3486  break;
3487  }
3488 }
3489 
3490 
3491 static void
3492 IntSerializeKmVictim(
3493  _In_ const EXCEPTION_KM_ORIGINATOR *Originator,
3494  _In_ const EXCEPTION_VICTIM_ZONE *Victim
3495  )
3502 
3503 {
3504  IntSerializeObjectHeader(START_VICTIM_SERIALZIER_VERSION, intObjStartVictim);
3505 
3506  if (gGuest.OSType == introGuestLinux)
3507  {
3508  IntSerializeLixKmVictim(Originator, Victim);
3509  }
3510  else if (gGuest.OSType == introGuestWindows)
3511  {
3512  IntSerializeWinKmVictim(Originator, Victim);
3513  }
3514 
3515  IntSerializeObjectHeader(END_VICTIM_SERIALZIER_VERSION, intObjEndVictim);
3516 }
3517 
3518 
3519 static void
3520 IntSerializeLixKmMisc(
3521  _In_ const EXCEPTION_KM_ORIGINATOR *Originator,
3522  _In_ const EXCEPTION_VICTIM_ZONE *Victim
3523  )
3530 {
3531  IntSerializeCodeBlocks(Originator->Original.Rip, gGuest.Mm.SystemCr3, FALSE);
3532  IntSerializeCodeBlocks(Originator->Return.Rip, gGuest.Mm.SystemCr3, FALSE);
3533 
3534  IntSerializeInstruction(Originator->Instruction, Originator->Original.Rip);
3535  IntSerializeAccessInfo(Victim);
3536 
3537  IntSerializeArchRegs();
3538  IntSerializeRipCode();
3539 }
3540 
3541 
3542 static void
3543 IntSerializeWinKmMisc(
3544  _In_ const EXCEPTION_KM_ORIGINATOR *Originator,
3545  _In_ const EXCEPTION_VICTIM_ZONE *Victim
3546  )
3553 {
3554 
3555  IntSerializeCodeBlocks(Originator->Original.Rip, gGuest.Mm.SystemCr3, FALSE);
3556  IntSerializeCodeBlocks(Originator->Return.Rip, gGuest.Mm.SystemCr3, FALSE);
3557 
3558  IntSerializeInstruction(Originator->Instruction, Originator->Original.Rip);
3559  IntSerializeAccessInfo(Victim);
3560 
3561  IntSerializeEpt(&Victim->Ept, Victim);
3562 
3563  IntSerializeArchRegs();
3564  IntSerializeRipCode();
3565 
3566  if (Victim->Object.Type == introObjectTypeUmModule)
3567  {
3568  IntSerializeExport(Victim);
3569  }
3570 }
3571 
3572 
3573 static void
3574 IntSerializeKmMisc(
3575  _In_ const EXCEPTION_KM_ORIGINATOR *Originator,
3576  _In_ const EXCEPTION_VICTIM_ZONE *Victim
3577  )
3584 {
3585 #define START_MISC_SERIALZIER_VERSION 1
3586 #define END_MISC_SERIALZIER_VERSION 1
3587 
3588  UNREFERENCED_PARAMETER(Originator);
3589  UNREFERENCED_PARAMETER(Victim);
3590 
3591  IntSerializeObjectHeader(START_MISC_SERIALZIER_VERSION, intObjStartMisc);
3592 
3593  if (gGuest.OSType == introGuestLinux)
3594  {
3595  IntSerializeLixKmMisc(Originator, Victim);
3596  }
3597  else if (gGuest.OSType == introGuestWindows)
3598  {
3599  IntSerializeWinKmMisc(Originator, Victim);
3600  }
3601 
3602  IntSerializeObjectHeader(END_MISC_SERIALZIER_VERSION, intObjEndMisc);
3603 }
3604 
3605 
3606 static void
3607 IntSerializeHeader(
3608  _In_ SERIALIZER_EXCEPTION_TYPE SerializerType,
3609  _In_ INTRO_EVENT_TYPE EventClass
3610  )
3617 {
3618  SERIALIZER_HEADER *pHeader = IntSerializeCurrentPtr(sizeof(*pHeader));
3619  if (!pHeader)
3620  {
3621  return;
3622  }
3623 
3624  pHeader->SerializedType = SerializerType;
3625  pHeader->Guest = gGuest.OSType;
3626  pHeader->Event = EventClass;
3627  pHeader->Size = 0;
3628  pHeader->Arch = gGuest.Guest64;
3629 
3630  IntSerializeIncrementCurrentPtr(sizeof(*pHeader));
3631 }
3632 
3633 
3634 static void
3635 IntSerializeKmException(
3636  _In_ const void *Originator,
3637  _In_ const void *Victim,
3638  _In_ INTRO_EVENT_TYPE EventClass
3639  )
3647 {
3648  IntSerializeHeader(serializerExceptionTypeKm, EventClass);
3649 
3650  IntSerializeKmOriginator(Originator, Victim);
3651  IntSerializeKmVictim(Originator, Victim);
3652  IntSerializeKmMisc(Originator, Victim);
3653 }
3654 
3655 
3656 static void
3657 IntSerializeUmException(
3658  _In_ const void *Originator,
3659  _In_ const void *Victim,
3660  _In_ INTRO_EVENT_TYPE EventClass
3661  )
3669 {
3670  IntSerializeHeader(serializerExceptionTypeUm, EventClass);
3671 
3672  IntSerializeUmOriginator(Originator, Victim);
3673  IntSerializeUmVictim(Originator, Victim);
3674  IntSerializeUmMisc(Originator, Victim);
3675 }
3676 
3677 
3678 static void
3679 IntSerializeKernelUserException(
3680  _In_ const void *Originator,
3681  _In_ const void *Victim,
3682  _In_ INTRO_EVENT_TYPE EventClass
3683  )
3691 {
3692  IntSerializeHeader(serializerExceptionTypeKmUm, EventClass);
3693 
3694  IntSerializeKmOriginator(Originator, Victim);
3695  IntSerializeUmVictim(Originator, Victim);
3696  IntSerializeKmMisc(Originator, Victim);
3697 }
3698 
3699 void
3700 IntSerializeStart(
3701  void
3702  )
3706 {
3707  IntSerializeIncrementCurrentId();
3708  gCurrentPtr = gSerializerBuffer;
3709 }
3710 
3711 
3712 void
3713 IntSerializeException(
3714  _In_ void *Victim,
3715  _In_ void *Originator,
3716  _In_ DWORD Type,
3717  _In_ INTRO_ACTION Action,
3718  _In_ INTRO_ACTION_REASON Reason,
3719  _In_ INTRO_EVENT_TYPE EventClass
3720  )
3734 {
3735  if ((introGuestNotAllowed != Action) && (introReasonAllowedFeedback != Reason))
3736  {
3737  return;
3738  }
3739 
3740  IntSerializeStart();
3741 
3742  switch (Type)
3743  {
3744  case exceptionTypeKm:
3745  IntSerializeKmException(Originator, Victim, EventClass);
3746  break;
3747 
3748  case exceptionTypeUm:
3749  IntSerializeUmException(Originator, Victim, EventClass);
3750  break;
3751 
3752  case exceptionTypeKmUm:
3753  IntSerializeKernelUserException(Originator, Victim, EventClass);
3754  break;
3755 
3756  default:
3757  ERROR("[ERROR] Unsupported exception type (%d) ...", Type);
3758  }
3759 
3760  IntSerializeDump();
3761 }
_SERIALIZER_DPI_WIN_HEAP_SPRAY::HeapPages
struct _SERIALIZER_DPI_WIN_HEAP_SPRAY::@258 HeapPages[0xF]
SERIALIZER_WIN_PROCESS
struct _SERIALIZER_WIN_PROCESS SERIALIZER_WIN_PROCESS
Describes a serialized intObjWinProcess object.
IntSerializeLixVma
static void IntSerializeLixVma(const LIX_VMA *Vma)
Serialize the provided LIX_VMA object.
Definition: serializers.c:1393
PSERIALIZER_WIN_VAD
struct _SERIALIZER_WIN_VAD * PSERIALIZER_WIN_VAD
_SERIALIZER_ARCH_REGS::Flags
QWORD Flags
Definition: serializers.c:315
DPI_WIN_DEBUG_SERIALIZER_VERSION
#define DPI_WIN_DEBUG_SERIALIZER_VERSION
intObjDpiWinSecDesc
Used for the DPI security descriptor objects.
Definition: serializers.c:600
_In_opt_
#define _In_opt_
Definition: intro_sal.h:16
CODE_BLOCKS_SERIALIZER_VERSION
#define CODE_BLOCKS_SERIALIZER_VERSION
_SERIALIZER_ARCH_REGS::IdtBase
QWORD IdtBase
Definition: serializers.c:322
SERIALIZER_ARCH_REGS
struct _SERIALIZER_ARCH_REGS SERIALIZER_ARCH_REGS
Describes a serialized intObjArchRegs object.
_SERIALIZER_LIX_VMA::Gva
QWORD Gva
The guest virtual address of the vm_area_struct this structure is based on.
Definition: serializers.c:191
IntSerializeWinDpiInfo
static void IntSerializeWinDpiInfo(const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the DPI extra information.
Definition: serializers.c:2817
_SERIALIZER_WIN_PROCESS::UserCr3
QWORD UserCr3
Process user PDBR. Includes PCID.
Definition: serializers.c:174
PSERIALIZER_DPI_WIN_HEAP_SPRAY
struct _SERIALIZER_DPI_WIN_HEAP_SPRAY * PSERIALIZER_DPI_WIN_HEAP_SPRAY
SERIALIZER_EXCEPTION_VICTIM
struct _SERIALIZER_EXCEPTION_VICTIM SERIALIZER_EXCEPTION_VICTIM
Describes a serialized intObjVictim object.
INTRO_ACTION_REASON
enum _INTRO_ACTION_REASON INTRO_ACTION_REASON
The reason for which an INTRO_ACTION was taken.
DESCRIPTOR_SIZE_32
#define DESCRIPTOR_SIZE_32
Definition: processor.h:101
IntSerializeString
static void IntSerializeString(const void *String, DWORD Size, DWORD Encode, SERIALIZER_OBJECT_HEADER *Header)
Serialize the provided string.
Definition: serializers.c:876
PSERIALIZER_DPI_WIN_THREAD_START
struct _SERIALIZER_DPI_WIN_THREAD_START * PSERIALIZER_DPI_WIN_THREAD_START
_IG_ARCH_REGS::Rip
QWORD Rip
Definition: glueiface.h:51
_SERIALIZER_ARCH_REGS::IdtLimit
QWORD IdtLimit
Definition: serializers.c:323
_SERIALIZER_RAW_DUMP
Describes a serialized intObjRawDump object.
Definition: serializers.c:390
BOOLEAN
_Bool BOOLEAN
Definition: intro_types.h:58
_Out_
#define _Out_
Definition: intro_sal.h:22
_DPI_EXTRA_INFO::HeapPages
struct _DPI_EXTRA_INFO::@206::@210 HeapPages[HEAP_SPRAY_NR_PAGES]
EXPORT_SERIALIZER_VERSION
#define EXPORT_SERIALIZER_VERSION
_SERIALIZER_MSR
Describes a serialized intObjMsr object.
Definition: serializers.c:104
IntSerializeLixKmOriginator
void IntSerializeLixKmOriginator(const EXCEPTION_KM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the information about Linux kernel-mode originator.
Definition: serializers.c:3291
PSERIALIZER_DPI
struct _SERIALIZER_DPI * PSERIALIZER_DPI
_SERIALIZER_STRING
Describes a serialized string.
Definition: serializers.c:54
_SERIALIZER_DPI_WIN_THREAD_START::StartAddress
QWORD StartAddress
The address where the thread started executing.
Definition: serializers.c:457
_SERIALIZER_WIN_PROCESS::Flags
QWORD Flags
The protection flags.
Definition: serializers.c:179
_SERIALIZER_LIX_VMA::File
QWORD File
The guest virtual address of the file this VMA maps to.
Definition: serializers.c:193
HEAP_SPRAY_NR_PAGES
#define HEAP_SPRAY_NR_PAGES
Definition: windpi.h:22
_SERIALIZER_HEADER
Describes the header of the serializer buffer.
Definition: serializers.c:30
utf16toutf8
char * utf16toutf8(char *Destination, const WCHAR *Source, DWORD DestinationMaxLength)
Definition: introcrt.c:460
intObjEndOriginator
Used to notify the deserializer that the all the originator&#39;s objects has been parsed.
Definition: serializers.c:545
IntVirtMemUnmap
INTSTATUS IntVirtMemUnmap(void **HostPtr)
Unmaps a memory range previously mapped with IntVirtMemMap.
Definition: introcore.c:2234
_SERIALIZER_ARCH_REGS::R10
QWORD R10
Definition: serializers.c:308
_SERIALIZER_LIX_KERNEL_MODULE::InitLayout
struct _SERIALIZER_LIX_KERNEL_MODULE::@256 InitLayout
IntSerializeRipCode
static void IntSerializeRipCode(void)
Serialize the guest memory page that contains the RIP at which the violation attempt was detected...
Definition: serializers.c:1956
INT_PC_VIOLATION_DPI_HEAP_SPRAY
The creation of a process was attempted while the parent had its heap sprayed.
Definition: intro_types.h:1666
intObjReadInfo
Used for the read info object.
Definition: serializers.c:586
_SERIALIZER_LIX_PROCESS
Describes a serialized intObjLixProcess object.
Definition: serializers.c:151
_SERIALIZER_HEADER::Event
DWORD Event
The intro event type.
Definition: serializers.c:34
codeInsMovFsGs
A mov using a segment:offset.
Definition: codeblocks.h:37
introObjectTypeKmModule
Kernel module (ntoskrnl.exe, hal.dll, etc.).
Definition: intro_types.h:238
_SERIALIZER_DPI_WIN_ACL_EDIT::NewSacl
ACL NewSacl
The new SACL header.
Definition: serializers.c:519
BYTE
uint8_t BYTE
Definition: intro_types.h:47
IG_EPT_HOOK_READ
Read-access hook.
Definition: glueiface.h:298
_SERIALIZER_DPI_WIN_DEBUG
Describes a serialized intObjDpiWinDebug.
Definition: serializers.c:411
IntFragExtractCodePattern
INTSTATUS IntFragExtractCodePattern(PBYTE Buffer, DWORD StartOffset, DWORD MaxBufferSize, IG_CS_TYPE CsType, CB_EXTRACT_LEVEL ExtractLevel, DWORD PatternSize, CODE_BLOCK_PATTERN *Pattern, DWORD *TotalExtracted)
Extract a pattern of code-blocks from the given code buffer.
Definition: codeblocks.c:990
_SERIALIZER_DPI_PIVOTED_STACK
Describes a serialized intObjDpiPivotedStack.
Definition: serializers.c:479
SERIALIZER_KERNEL_DRV_OBJECT
struct _SERIALIZER_KERNEL_DRV_OBJECT SERIALIZER_KERNEL_DRV_OBJECT
Describes a serialized intObjKernelDrvObject object.
_SERIALIZER_DPI_WIN_STOLEN_TOKEN::StolenFrom
QWORD StolenFrom
The process from which the token was stolen.
Definition: serializers.c:422
gCurrentPtr
static BYTE * gCurrentPtr
Definition: serializers.c:617
_VCPU_STATE::Regs
IG_ARCH_REGS Regs
The current state of the guest registers.
Definition: guests.h:95
_SERIALIZER_WIN_VAD::Flags
DWORD Flags
The flags of the VAD.
Definition: serializers.c:210
WRITE_INFO_SERIALIZER_VERSION
#define WRITE_INFO_SERIALIZER_VERSION
Crc32Compute
DWORD Crc32Compute(const void *Buffer, size_t Size, DWORD InitialCrc)
Computes the CRC for a byte array.
Definition: crc32.c:103
_In_
#define _In_
Definition: intro_sal.h:21
_SERIALIZER_ARCH_REGS::R9
QWORD R9
Definition: serializers.c:307
PSERIALIZER_IDT
struct _SERIALIZER_IDT * PSERIALIZER_IDT
PSERIALIZER_RAW_DUMP
struct _SERIALIZER_RAW_DUMP * PSERIALIZER_RAW_DUMP
CODE_BLOCK_PATTERN
struct _CODE_BLOCK_PATTERN CODE_BLOCK_PATTERN
PSERIALIZER_ARCH_REGS
struct _SERIALIZER_ARCH_REGS * PSERIALIZER_ARCH_REGS
_CODE_BLOCK::PivotInstruction
BYTE PivotInstruction
Definition: codeblocks.h:56
_MM::SystemCr3
QWORD SystemCr3
The Cr3 used to map the kernel.
Definition: guests.h:211
INT_STATUS_SUCCESS
#define INT_STATUS_SUCCESS
Definition: introstatus.h:54
introObjectTypeDriverObject
Driver object.
Definition: intro_types.h:237
_SERIALIZER_WIN_VAD::StartPage
QWORD StartPage
The first page in the VAD.
Definition: serializers.c:202
PSERIALIZER_KERNEL_DRIVER
struct _SERIALIZER_KERNEL_DRIVER * PSERIALIZER_KERNEL_DRIVER
IntSerializeCurrentId
static QWORD IntSerializeCurrentId(void)
Increment the current serializer alert ID and returns it.
Definition: serializers.c:717
introObjectTypeFastIoDispatch
Fast IO Dispatch (Windows only).
Definition: intro_types.h:236
_DPI_EXTRA_INFO::DpiPivotedStackExtraInfo
struct _DPI_EXTRA_INFO::@204 DpiPivotedStackExtraInfo
_SERIALIZER_EXCEPTION_VICTIM
Describes a serialized intObjVictim object.
Definition: serializers.c:82
_SERIALIZER_DPI_WIN_SEC_DESC::OldDacl
ACL OldDacl
The old DACL header.
Definition: serializers.c:504
WORD
uint16_t WORD
Definition: intro_types.h:48
memCopyViolationSetContextThread
This represents an attempt of modifying the context of another thread.
Definition: intro_types.h:1417
_SERIALIZER_LIX_PROCESS::ActualParent
QWORD ActualParent
The guest virtual address of the parent process.
Definition: serializers.c:155
IntSerializeProcess
static void IntSerializeProcess(void *Process, const DWORD ObjectType)
Serialize the provided process object.
Definition: serializers.c:1321
gBase64Buffer
static char gBase64Buffer[Base64EncSize(sizeof(gSerializerBuffer))]
Definition: serializers.c:628
_DPI_EXTRA_INFO::DpiSecDescAclExtraInfo
struct _DPI_EXTRA_INFO::@209 DpiSecDescAclExtraInfo
PSERIALIZER_WIN_PROCESS
struct _SERIALIZER_WIN_PROCESS * PSERIALIZER_WIN_PROCESS
codeInsJmp
Non-conditional jump, of any kind.
Definition: codeblocks.h:28
RIP_CODE_SERIALIZER_VERSION
#define RIP_CODE_SERIALIZER_VERSION
_EXCEPTION_VICTIM_EPT
Describes an EPT victim.
Definition: exceptions.h:759
_SERIALIZER_LIX_KERNEL_MODULE::Size
DWORD Size
The total size of the section.
Definition: serializers.c:244
_SERIALIZER_ARCH_REGS::R14
QWORD R14
Definition: serializers.c:312
IntSerializeCodeBlocksPattern
static void IntSerializeCodeBlocksPattern(CODE_BLOCK *CodeBlocks, DWORD Count, QWORD Rip, BOOLEAN Execute, SERIALIZER_CODE_BLOCKS *Object)
Iterates through all extracted code-blocks patterns and serialize the patterns.
Definition: serializers.c:2088
SERIALIZER_MSR
struct _SERIALIZER_MSR SERIALIZER_MSR
Describes a serialized intObjMsr object.
_SERIALIZER_LIX_VMA::End
QWORD End
Definition: serializers.c:189
exceptionTypeUm
User-mode exception.
Definition: exceptions.h:60
introObjectTypeUmGenericNxZone
User-mode non executable zone.
Definition: intro_types.h:247
SERIALIZER_CR
struct _SERIALIZER_CR SERIALIZER_CR
Describes a serialized intObjCr object.
IntSerializeDpiWinSecDesc
static void IntSerializeDpiWinSecDesc(const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the DPI altered Security Descriptor info (Windows).
Definition: serializers.c:2721
_DPI_EXTRA_INFO::TrapFrameAddress
QWORD TrapFrameAddress
The address of the trap frame. Used for more information gathering when sending the alert...
Definition: windpi.h:40
_SERIALIZER_WRITE_INFO
Describes a serialized intObjWriteInfo object.
Definition: serializers.c:332
IntSerializeKmVictim
static void IntSerializeKmVictim(const EXCEPTION_KM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the information about kernel-mode victim.
Definition: serializers.c:3492
_DPI_EXTRA_INFO::Wow64StackLimit
QWORD Wow64StackLimit
The known stack limit in WoW64 mode. Valid only if the process is WoW64.
Definition: windpi.h:44
introGuestNotAllowed
Definition: intro_types.h:164
_SERIALIZER_WIN_PROCESS::Peb32Address
QWORD Peb32Address
PEB 32 address (on pure x64 processes, this will be 0).
Definition: serializers.c:177
_SERIALIZER_DPI_WIN_THREAD_START
Describes a serialized intObjDpiWinThreadStart.
Definition: serializers.c:454
_DPI_EXTRA_INFO::NewEnabled
QWORD NewEnabled
The new value from parent&#39;s token Privileges.Enabled field, which was deemed malicious.
Definition: windpi.h:74
RAW_DUMP_SERIALIZER_VERSION
#define RAW_DUMP_SERIALIZER_VERSION
_CODE_BLOCK::OffsetStart
DWORD OffsetStart
The start of the extracted codeblock (not actually relevant)
Definition: codeblocks.h:53
_WIN_PROCESS_OBJECT::CreationInfo
struct _WIN_PROCESS_OBJECT::@232 CreationInfo
_KERNEL_DRIVER::BaseVa
QWORD BaseVa
The guest virtual address of the kernel module that owns this driver object.
Definition: drivers.h:41
gSerializerBuffer
static BYTE gSerializerBuffer[MAX_SERIALIZER_LENGTH]
Definition: serializers.c:616
PSERIALIZER_EXPORT
struct _SERIALIZER_EXPORT * PSERIALIZER_EXPORT
_WINUM_CACHE_EXPORT::NumberOfOffsets
DWORD NumberOfOffsets
Number of symbols pointing to the exported RVA.
Definition: winumcache.h:27
IntSerializeObjectHeader
static SERIALIZER_OBJECT_HEADER * IntSerializeObjectHeader(const DWORD Version, const DWORD Type)
Creates a SERIALIZER_OBJECT_HEADER object and fill the fields with the provided parameters.
Definition: serializers.c:816
_SERIALIZER_LIX_VMA
Describes a serialized intObjLixVma object.
Definition: serializers.c:186
IntSerializeCr
static void IntSerializeCr(const EXCEPTION_VICTIM_CR *Cr)
Serialize the provided CR object.
Definition: serializers.c:1022
IntSerializeExecInfo
static void IntSerializeExecInfo(const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the execution violation information.
Definition: serializers.c:1840
_SERIALIZER_EXCEPTION_KM_ORIGINATOR::_Reserved
BYTE _Reserved
Unused.
Definition: serializers.c:67
_SERIALIZER_IDT::Entry
DWORD Entry
The modified entry from the IDT.
Definition: serializers.c:133
INT_SUCCESS
#define INT_SUCCESS(Status)
Definition: introstatus.h:42
intObjWinProcess
Used for the windows process object.
Definition: serializers.c:565
PSERIALIZER_DPI_PIVOTED_STACK
struct _SERIALIZER_DPI_PIVOTED_STACK * PSERIALIZER_DPI_PIVOTED_STACK
_SERIALIZER_EXEC_INFO::StackBase
QWORD StackBase
The stack base for the thread that attempted the execution.
Definition: serializers.c:356
IntSerializeLixProcess
static void IntSerializeLixProcess(const LIX_TASK_OBJECT *Process, const DWORD ObjectType)
Serialize the provided LIX_TASK_OBJECT object.
Definition: serializers.c:1266
_CODE_BLOCK::Size
WORD Size
Code block size, in patterns.
Definition: codeblocks.h:55
_DPI_EXTRA_INFO::StartAddress
QWORD StartAddress
The address on which the parent&#39;s thread started execution.
Definition: windpi.h:82
intObjWinModule
Used for the windows module object.
Definition: serializers.c:581
intObjWinKernelDriver
Used for the windows kernel driver object.
Definition: serializers.c:572
WIN_KERNEL_DRIVER_SERIALIZER_VERSION
#define WIN_KERNEL_DRIVER_SERIALIZER_VERSION
_SERIALIZER_ARCH_REGS::Rip
QWORD Rip
Definition: serializers.c:317
SERIALIZER_DPI_WIN_HEAP_SPRAY
struct _SERIALIZER_DPI_WIN_HEAP_SPRAY SERIALIZER_DPI_WIN_HEAP_SPRAY
Describes a serialized intObjDpiWinHeapSpray.
PAGE_OFFSET
#define PAGE_OFFSET
Definition: pgtable.h:32
IntSerializeKmMisc
static void IntSerializeKmMisc(const EXCEPTION_KM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the misc information for kernel-mode alert.
Definition: serializers.c:3574
_SERIALIZER_RIP_CODE
Describes a serialized intObjRipCode object.
Definition: serializers.c:379
exceptionZoneEpt
The modified object is inside an EPT hook.
Definition: exceptions.h:746
SERIALIZER_WIN_KERNEL_DRIVER
struct _SERIALIZER_WIN_KERNEL_DRIVER SERIALIZER_WIN_KERNEL_DRIVER
Describes a serialized intObjWinKernelDriver object.
_SERIALIZER_STRING::String
CHAR String[0]
The content of the string.
Definition: serializers.c:58
PSERIALIZER_DPI_WIN_DEBUG
struct _SERIALIZER_DPI_WIN_DEBUG * PSERIALIZER_DPI_WIN_DEBUG
DPI_WIN_THREAD_START_SERIALIZER_VERSION
#define DPI_WIN_THREAD_START_SERIALIZER_VERSION
_SERIALIZER_EXCEPTION_KM_ORIGINATOR
Describes a serialized intObjKmOriginator object.
Definition: serializers.c:65
PSERIALIZER_RIP_CODE
struct _SERIALIZER_RIP_CODE * PSERIALIZER_RIP_CODE
_SERIALIZER_WRITE_INFO::AccessSize
DWORD AccessSize
The original value. Only the first Size bytes are valid.
Definition: serializers.c:334
intObjDpiWinTokenPrivs
Used for the DPI token privs object.
Definition: serializers.c:597
_SERIALIZER_DPI_WIN_HEAP_SPRAY::MaxHeapValPageContent
BYTE MaxHeapValPageContent[0x1000]
The copied page which has the most heap values in it.
Definition: serializers.c:447
IntSerializeCodeBlocks
static void IntSerializeCodeBlocks(QWORD Rip, QWORD Cr3, BOOLEAN Execute)
Serialize the extracted code-blocks for the current exception.
Definition: serializers.c:2339
_CODE_BLOCK_PATTERN::Offset
DWORD Offset
The offset of the instruction in the page.
Definition: codeblocks.h:70
ERROR
#define ERROR(fmt,...)
Definition: glue.h:62
CODE_BLOCK_CHUNKS_COUNT
#define CODE_BLOCK_CHUNKS_COUNT
Number of chunks (CODE_INS) per codeblock.
Definition: codeblocks.h:43
PSERIALIZER_WRITE_INFO
struct _SERIALIZER_WRITE_INFO * PSERIALIZER_WRITE_INFO
_SERIALIZER_DPI_WIN_SEC_DESC
Describes a serialized intObjDpiWinSecDesc.
Definition: serializers.c:494
_SERIALIZER_LIX_PROCESS::Gva
QWORD Gva
The guest virtual address of the task_struct.
Definition: serializers.c:153
_EXCEPTION_UM_ORIGINATOR
Describes a user-mode originator.
Definition: exceptions.h:994
_SERIALIZER_DPI_WIN_SEC_DESC::SecDescStolenFromEproc
QWORD SecDescStolenFromEproc
If the parent security descriptor has been stolen, this variable may indicate (in case we find it) th...
Definition: serializers.c:498
_SERIALIZER_WIN_MODULE
Describes a serialized intObjWinModule object.
Definition: serializers.c:276
_SERIALIZER_WIN_PROCESS::MainModuleAddress
QWORD MainModuleAddress
The address of the main module.
Definition: serializers.c:178
_SERIALIZER_DPI
Describes a serialized intObjDpi object.
Definition: serializers.c:527
_SERIALIZER_ARCH_REGS::Cr4
QWORD Cr4
Definition: serializers.c:319
_SERIALIZER_WIN_VAD
Describes a serialized intObjWinVad object.
Definition: serializers.c:200
_SERIALIZER_LIX_VMA::Start
QWORD Start
Start of the memory described by the VMA.
Definition: serializers.c:188
_SERIALIZER_CODE_BLOCKS
Describes a serialized intObjCodeBlocks object.
Definition: serializers.c:365
_DPI_EXTRA_INFO::StolenFromEprocess
QWORD StolenFromEprocess
The EPROCESS address from which the token was stolen.
Definition: windpi.h:49
_SERIALIZER_OBJECT_HEADER
Describes the header for each serialized item.
Definition: serializers.c:43
INTSTATUS
int INTSTATUS
The status data type.
Definition: introstatus.h:24
_KERNEL_DRIVER::Size
QWORD Size
The size of the kernel module that owns this driver object.
Definition: drivers.h:43
SERIALIZER_READ_INFO
struct _SERIALIZER_READ_INFO SERIALIZER_READ_INFO
Describes a serialized intObjExecInfo object.
IntSerializeExtractCodeBlocks
static INTSTATUS IntSerializeExtractCodeBlocks(QWORD Rip, QWORD Cr3, BOOLEAN Execute, SERIALIZER_CODE_BLOCKS *Object)
Extract the code-blocks for the current exception.
Definition: serializers.c:2177
KERNEL_DRV_OBJECT_SERIALIZER_VERSION
#define KERNEL_DRV_OBJECT_SERIALIZER_VERSION
intObjIdt
Used for the IDT object.
Definition: serializers.c:561
intObjInjection
Used for the Injection object.
Definition: serializers.c:563
PSERIALIZER_DPI_WIN_STOLEN_TOKEN
struct _SERIALIZER_DPI_WIN_STOLEN_TOKEN * PSERIALIZER_DPI_WIN_STOLEN_TOKEN
_SERIALIZER_READ_INFO::Value
QWORD Value[8]
The read value. Only the first Size bytes are valid.
Definition: serializers.c:346
_SERIALIZER_ARCH_REGS
Describes a serialized intObjArchRegs object.
Definition: serializers.c:296
_SERIALIZER_ARCH_REGS::Rsp
QWORD Rsp
Definition: serializers.c:302
intObjEpt
Used for the EPT object.
Definition: serializers.c:557
_SERIALIZER_DPI_WIN_HEAP_SPRAY
Describes a serialized intObjDpiWinHeapSpray.
Definition: serializers.c:429
IntSerializeReadInfo
static void IntSerializeReadInfo(const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the read violation information.
Definition: serializers.c:1803
MAX_SERIALIZER_LENGTH
#define MAX_SERIALIZER_LENGTH
Definition: serializers.c:614
SERIALIZER_OBJECT_HEADER
struct _SERIALIZER_OBJECT_HEADER SERIALIZER_OBJECT_HEADER
Describes the header for each serialized item.
intObjStartVictim
Used to notify the deserializer that the next objects contains the victim.
Definition: serializers.c:547
_SERIALIZER_EXCEPTION_UM_ORIGINATOR::_Reserved
BYTE _Reserved
Unused.
Definition: serializers.c:75
IntSerializeWinUmOriginator
static void IntSerializeWinUmOriginator(const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the information about windows user-mode originator.
Definition: serializers.c:2953
PSERIALIZER_LIX_PROCESS
struct _SERIALIZER_LIX_PROCESS * PSERIALIZER_LIX_PROCESS
_WIN_PROCESS_OBJECT::DebuggerEprocess
QWORD DebuggerEprocess
This will keep the EPROCESS of the debugger process (if any).
Definition: winprocess.h:284
_SERIALIZER_EPT
Describes a serialized intObjEpt object.
Definition: serializers.c:93
IntSerializeLixUmVictim
static void IntSerializeLixUmVictim(const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the information about Linux user-mode victim.
Definition: serializers.c:3032
IntSerializeIncrementCurrentPtr
static void IntSerializeIncrementCurrentPtr(const DWORD Size)
Increment the current pointer to the serializer buffer with the provided size.
Definition: serializers.c:703
IntSerializeCodeBlocksGetExtractRange
static void IntSerializeCodeBlocksGetExtractRange(QWORD Rip, BOOLEAN Execute, DWORD *Start, DWORD *End)
Computes the range from which the code-blocks should be extracted.
Definition: serializers.c:1996
_EXCEPTION_KM_ORIGINATOR
Describes a kernel-mode originator.
Definition: exceptions.h:943
CB_EXTRACT_LEVEL
CB_EXTRACT_LEVEL
Definition: codeblocks.h:14
intObjDpiWinHeapSpray
Used for the DPI heap spray object.
Definition: serializers.c:599
SERIALIZER_IDT
struct _SERIALIZER_IDT SERIALIZER_IDT
Describes a serialized intObjIdt object.
_SERIALIZER_CODE_BLOCKS::StartAddress
QWORD StartAddress
The guest linear address from which the code blocks were extracted.
Definition: serializers.c:367
_EXCEPTION_VICTIM_MSR
Describes a MSR victim.
Definition: exceptions.h:769
intObjDpiWinThreadStart
Used for the DPI thread start object.
Definition: serializers.c:598
PSERIALIZER_EXCEPTION_KM_ORIGINATOR
struct _SERIALIZER_EXCEPTION_KM_ORIGINATOR * PSERIALIZER_EXCEPTION_KM_ORIGINATOR
_SERIALIZER_DPI_PIVOTED_STACK::StackBase
QWORD StackBase
The known stack base of the parent process.
Definition: serializers.c:482
IntSerializeValidObjectSize
static BOOLEAN IntSerializeValidObjectSize(DWORD Size)
Checks if the serializer buffer overflows.
Definition: serializers.c:768
ALERT_MAX_CODEBLOCKS
#define ALERT_MAX_CODEBLOCKS
The maximum number of code blocks included in an alert structure.
Definition: intro_types.h:705
_SERIALIZER_WIN_PROCESS::EprocessAddress
QWORD EprocessAddress
This will be the address of the EPROCESS.
Definition: serializers.c:170
IntSerializeWinUmMisc
static void IntSerializeWinUmMisc(const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the misc information for windows user-mode alert.
Definition: serializers.c:3127
_SERIALIZER_ARCH_REGS::Cr8
QWORD Cr8
Definition: serializers.c:321
_GUEST_STATE::OSType
INTRO_GUEST_TYPE OSType
The type of the guest.
Definition: guests.h:278
_DPI_EXTRA_INFO::Wow64StackBase
QWORD Wow64StackBase
The known stack base in WoW64 mode. Valid only if the process is WoW64.
Definition: windpi.h:43
_SERIALIZER_INJECTION
Describes a serialized intObjInjection object.
Definition: serializers.c:140
IntSerializeWinVad
void IntSerializeWinVad(const VAD *Vad)
Serialize the provided VAD object.
Definition: serializers.c:1344
END_ORIGINATOR_SERIALZIER_VERSION
#define END_ORIGINATOR_SERIALZIER_VERSION
_Out_writes_
#define _Out_writes_(expr)
Definition: intro_sal.h:28
IntSerializeLixKmVictim
static void IntSerializeLixKmVictim(const EXCEPTION_KM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the information about Linux kernel-mode victim.
Definition: serializers.c:3420
PSERIALIZER_DPI_WIN_SEC_DESC
struct _SERIALIZER_DPI_WIN_SEC_DESC * PSERIALIZER_DPI_WIN_SEC_DESC
intObjRipCode
Used for the code object.
Definition: serializers.c:590
SERIALIZER_DPI_WIN_STOLEN_TOKEN
struct _SERIALIZER_DPI_WIN_STOLEN_TOKEN SERIALIZER_DPI_WIN_STOLEN_TOKEN
Describes a serialized intObjDpiWinStolenToken.
MIN
#define MIN(a, b)
Definition: introdefs.h:146
_SERIALIZER_WIN_VAD::VadGva
QWORD VadGva
The guest virtual address at which the corresponding Windows _MMVAD structure is located.
Definition: serializers.c:205
_SERIALIZER_KERNEL_DRV_OBJECT::Gpa
QWORD Gpa
The guest physical address of the guest _DRIVER_OBJECT represented by this structure.
Definition: serializers.c:267
_SERIALIZER_EPT::Type
BYTE Type
The violation type.
Definition: serializers.c:97
_SERIALIZER_KERNEL_DRIVER::Size
QWORD Size
The size of the kernel module that owns this driver object.
Definition: serializers.c:222
intObjKernelDriverReturn
Used for the return kernel driver object.
Definition: serializers.c:571
_SERIALIZER_READ_INFO::AccessSize
DWORD AccessSize
The original value. Only the first Size bytes are valid.
Definition: serializers.c:345
intObjLixProcess
Used for the Linux task object.
Definition: serializers.c:567
READ_INFO_SERIALIZER_VERSION
#define READ_INFO_SERIALIZER_VERSION
_SERIALIZER_DPI_WIN_TOKEN_PRIVS
Describes a serialized intObjDpiWinTokenPrivs.
Definition: serializers.c:465
WIN_KM_VICTIM_SERIALIZER_VERSION
#define WIN_KM_VICTIM_SERIALIZER_VERSION
ZONE_TYPE
enum _ZONE_TYPE ZONE_TYPE
Describes the zone types that can be excepted.
_SERIALIZER_WIN_PROCESS::Peb64Address
QWORD Peb64Address
PEB 64 address (on x86 OSes, this will be 0).
Definition: serializers.c:176
_SERIALIZER_EXPORT
Describes a serialized intObjExport object.
Definition: serializers.c:400
_SERIALIZER_INSTRUX::Bytes
BYTE Bytes[16]
The instruction bytes.
Definition: serializers.c:289
IntSerializeRawDump
static void IntSerializeRawDump(const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the raw dump for the injection violation.
Definition: serializers.c:1904
SERIALIZER_WRITE_INFO
struct _SERIALIZER_WRITE_INFO SERIALIZER_WRITE_INFO
Describes a serialized intObjWriteInfo object.
_ACL
An access control list.
Definition: wddefs.h:637
_SERIALIZER_DPI_WIN_THREAD_START::ShellcodeFlags
QWORD ShellcodeFlags
The shellcode flags given by shemu on the detected page.
Definition: serializers.c:456
LOG
#define LOG(fmt,...)
Definition: glue.h:61
intObjCodeBlocks
Used for the code-blocks object.
Definition: serializers.c:589
IG_CS_TYPE_32B
32-bit selector.
Definition: glueiface.h:187
ZONE_PROC_INSTRUMENT
#define ZONE_PROC_INSTRUMENT
Used for exceptions for instrumentation callback.
Definition: exceptions.h:732
IntSerializeCodeBlocksGetExtractLevel
static CB_EXTRACT_LEVEL IntSerializeCodeBlocksGetExtractLevel(QWORD Rip)
Get the code-blocks extraction level.
Definition: serializers.c:2051
LIX_PROCESS_SERIALIZER_VERSION
#define LIX_PROCESS_SERIALIZER_VERSION
_KERNEL_DRIVER
Describes a kernel driver.
Definition: drivers.h:30
serializerExceptionTypeUm
Used for user-mode exceptions.
Definition: serializers.c:22
_CODE_BLOCK::Chunks
BYTE Chunks[CODE_BLOCK_CHUNKS_COUNT]
The actual CODE_INS values representing the instruction pattern.
Definition: codeblocks.h:58
_SERIALIZER_LIX_KERNEL_MODULE::Base
QWORD Base
The base guest virtual address of the section.
Definition: serializers.c:243
_SERIALIZER_WIN_MODULE::Size
DWORD Size
Virtual size of the module.
Definition: serializers.c:279
SERIALIZER_EXCEPTION_TYPE
enum _SERIALIZER_EXCEPTION_TYPE SERIALIZER_EXCEPTION_TYPE
Describes the serialized exception type.
IntSerializeKernelUserException
static void IntSerializeKernelUserException(const void *Originator, const void *Victim, INTRO_EVENT_TYPE EventClass)
Serialize the kernel-user mode exception.
Definition: serializers.c:3679
SERIALIZER_DTR
struct _SERIALIZER_DTR SERIALIZER_DTR
Describes a serialized intObjDtr object.
_SERIALIZER_INSTRUX::Rip
QWORD Rip
The guest virtual address of the instruction.
Definition: serializers.c:288
LIX_KERNEL_MODULE_SERIALIZER_VERSION
#define LIX_KERNEL_MODULE_SERIALIZER_VERSION
SERIALIZER_INJECTION
struct _SERIALIZER_INJECTION SERIALIZER_INJECTION
Describes a serialized intObjInjection object.
IntSerializeException
void IntSerializeException(void *Victim, void *Originator, DWORD Type, INTRO_ACTION Action, INTRO_ACTION_REASON Reason, INTRO_EVENT_TYPE EventClass)
The entry point of the serializer; will serialize the provided exception if the violation is blocked ...
Definition: serializers.c:3713
_SERIALIZER_ARCH_REGS::Rbx
QWORD Rbx
Definition: serializers.c:301
_SERIALIZER_INJECTION::Length
DWORD Length
The length of the injection.
Definition: serializers.c:143
serializerExceptionTypeKm
Used for kernel-mode exceptions.
Definition: serializers.c:21
_SERIALIZER_DPI_PIVOTED_STACK::TrapFrameContent
BYTE TrapFrameContent[512]
The content of the trap frame where the current stack has been found.
Definition: serializers.c:487
_SERIALIZER_LIX_VMA::Flags
QWORD Flags
Flags for the VMA.
Definition: serializers.c:192
_SERIALIZER_LIX_KERNEL_MODULE::TextSize
DWORD TextSize
The size of the .text (code usually).
Definition: serializers.c:245
_SERIALIZER_LIX_KERNEL_MODULE::CoreLayout
struct _SERIALIZER_LIX_KERNEL_MODULE::@257 CoreLayout
Base64EncSize
#define Base64EncSize(Length)
Definition: serializers.c:626
gCodeBlocksPatternLength
static DWORD gCodeBlocksPatternLength
Definition: serializers.c:621
IntSerializeStart
void IntSerializeStart(void)
Set the current serializer pointer to the beginning of the buffer and generated a new alert-ID...
Definition: serializers.c:3700
_WIN_PROCESS_OBJECT::Cr3
QWORD Cr3
Process PDBR. Includes PCID.
Definition: winprocess.h:98
intObjCr
Used for the CR object.
Definition: serializers.c:559
exceptionZoneDtr
The modified object is IDTR/GDTR.
Definition: exceptions.h:751
IntGetCurrentMode
INTSTATUS IntGetCurrentMode(DWORD CpuNumber, DWORD *Mode)
Read the current CS type.
Definition: introcpu.c:977
_CODE_BLOCK
Definition: codeblocks.h:51
IntSerializeAccessInfo
static void IntSerializeAccessInfo(const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the read/write/exec violation information.
Definition: serializers.c:1879
_SERIALIZER_INJECTION::Gva
QWORD Gva
The guest virtual address in which the injection occurs.
Definition: serializers.c:142
PSERIALIZER_CR
struct _SERIALIZER_CR * PSERIALIZER_CR
_SERIALIZER_KERNEL_DRIVER::EntryPoint
QWORD EntryPoint
The entry point of this driver.
Definition: serializers.c:223
_SERIALIZER_KERNEL_DRIVER::ObjectGva
QWORD ObjectGva
Definition: serializers.c:219
START_MISC_SERIALZIER_VERSION
#define START_MISC_SERIALZIER_VERSION
_SERIALIZER_WIN_VAD::Protection
DWORD Protection
VAD protection as represented by Introcore.
Definition: serializers.c:208
_SERIALIZER_HEADER::Guest
DWORD Guest
The operation system.
Definition: serializers.c:33
INTRO_OBJECT_TYPE
enum _INTRO_OBJECT_TYPE INTRO_OBJECT_TYPE
The type of the object protected by an EPT hook.
DPI_SERIALIZER_VERSION
#define DPI_SERIALIZER_VERSION
_CODE_BLOCK_PATTERN
Definition: codeblocks.h:68
_Inout_
#define _Inout_
Definition: intro_sal.h:20
SERIALIZER_RIP_CODE
struct _SERIALIZER_RIP_CODE SERIALIZER_RIP_CODE
Describes a serialized intObjRipCode object.
intObjDtr
Used for the DTR object.
Definition: serializers.c:560
IntSerializeWinKmVictim
static void IntSerializeWinKmVictim(const EXCEPTION_KM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the information about Windows kernel-mode victim.
Definition: serializers.c:3341
_SERIALIZER_DPI_WIN_TOKEN_PRIVS::OldPresent
QWORD OldPresent
Definition: serializers.c:470
IntSerializeWinModule
static void IntSerializeWinModule(const WIN_PROCESS_MODULE *Module, const DWORD ObjectType)
Serialize the provided WIN_PROCESS_MODULE object.
Definition: serializers.c:1685
IntSerializeStringIsWcharAscii
static BOOLEAN IntSerializeStringIsWcharAscii(const void *String, DWORD Size)
Checks if the provided string contains WCHARS.
Definition: serializers.c:848
IntSerializeUmMisc
static void IntSerializeUmMisc(const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the misc information for user-mode alert.
Definition: serializers.c:3210
SERIALIZER_DPI_WIN_THREAD_START
struct _SERIALIZER_DPI_WIN_THREAD_START SERIALIZER_DPI_WIN_THREAD_START
Describes a serialized intObjDpiWinThreadStart.
PSERIALIZER_WIN_MODULE
struct _SERIALIZER_WIN_MODULE * PSERIALIZER_WIN_MODULE
START_VICTIM_SERIALZIER_VERSION
#define START_VICTIM_SERIALZIER_VERSION
_SERIALIZER_KERNEL_DRV_OBJECT::FastIOTableAddress
QWORD FastIOTableAddress
Definition: serializers.c:269
IntSerializeLixUmMisc
static void IntSerializeLixUmMisc(const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the misc information for Linux user-mode alert.
Definition: serializers.c:3175
_SERIALIZER_EXEC_INFO::StackLimit
QWORD StackLimit
The stack limit for the thread that attempted the execution.
Definition: serializers.c:357
INITIAL_CRC_VALUE
#define INITIAL_CRC_VALUE
Definition: introdefs.h:221
introGuestLinux
Linux.
Definition: intro_types.h:2044
_SERIALIZER_DPI_PIVOTED_STACK::Wow64StackLimit
QWORD Wow64StackLimit
The known stack limit of the parent process in WoW64 mode.
Definition: serializers.c:486
VICTIM_SERIALIZER_CR_VERSION
#define VICTIM_SERIALIZER_CR_VERSION
_SERIALIZER_INSTRUX
Describes a serialized intObjInstrux object.
Definition: serializers.c:286
_SERIALIZER_LIX_PROCESS::Flags
DWORD Flags
The protection flags.
Definition: serializers.c:161
gCodeBlocks
static CODE_BLOCK gCodeBlocks[PAGE_SIZE/sizeof(CODE_BLOCK)]
Definition: serializers.c:622
IS_KERNEL_POINTER_LIX
#define IS_KERNEL_POINTER_LIX(p)
Definition: lixguest.h:11
SERIALIZER_LIX_VMA
struct _SERIALIZER_LIX_VMA SERIALIZER_LIX_VMA
Describes a serialized intObjLixVma object.
EXCEPTION_CODEBLOCKS_OFFSET
#define EXCEPTION_CODEBLOCKS_OFFSET
The maximum offset for codeblocks extraction.
Definition: exceptions.h:53
IntSerializeMsr
static void IntSerializeMsr(const EXCEPTION_VICTIM_MSR *Msr)
Serialize the provided MSR object.
Definition: serializers.c:1087
_SERIALIZER_KERNEL_DRV_OBJECT
Describes a serialized intObjKernelDrvObject object.
Definition: serializers.c:262
IG_CURRENT_VCPU
#define IG_CURRENT_VCPU
For APIs that take a VCPU number as a parameter, this can be used to specify that the current VCPU sh...
Definition: glueiface.h:324
_SERIALIZER_CR::Cr
DWORD Cr
The written CR.
Definition: serializers.c:115
_EXCEPTION_VICTIM_INJECTION
Describes an injection.
Definition: exceptions.h:820
intObjInstrux
Used for the instruction object.
Definition: serializers.c:584
_SERIALIZER_DPI_PIVOTED_STACK::StackLimit
QWORD StackLimit
The known stack limit of the parent process.
Definition: serializers.c:483
SERIALIZER_EXCEPTION_UM_ORIGINATOR
struct _SERIALIZER_EXCEPTION_UM_ORIGINATOR SERIALIZER_EXCEPTION_UM_ORIGINATOR
Describes a serialized intObjUmOriginator object.
PSERIALIZER_WIN_KERNEL_DRIVER
struct _SERIALIZER_WIN_KERNEL_DRIVER * PSERIALIZER_WIN_KERNEL_DRIVER
KTRAP_FRAME64
struct _KTRAP_FRAME64 KTRAP_FRAME64
intObjWinKernelDriverReturn
Used for the windows kernel driver object.
Definition: serializers.c:573
ZONE_EXECUTE
#define ZONE_EXECUTE
Used for execute violation.
Definition: exceptions.h:736
_SERIALIZER_EXCEPTION_VICTIM::ZoneFlags
QWORD ZoneFlags
The zone-flags of the victim object.
Definition: serializers.c:86
_WIN_DRIVER_OBJECT
Holds information about a driver object.
Definition: windrvobj.h:13
IntSerializeWinProcess
static void IntSerializeWinProcess(const WIN_PROCESS_OBJECT *Process, const DWORD ObjectType)
Serialize the provided WIN_PROCESS_OBJECT object.
Definition: serializers.c:1212
SERIALIZER_DPI_WIN_SEC_DESC
struct _SERIALIZER_DPI_WIN_SEC_DESC SERIALIZER_DPI_WIN_SEC_DESC
Describes a serialized intObjDpiWinSecDesc.
INT_PC_VIOLATION_DPI_STOLEN_TOKEN
The parent of a process has a stolen access token when it created the child.
Definition: intro_types.h:1663
memzero
#define memzero(a, s)
Definition: introcrt.h:35
memCopyViolationQueueApcThread
This represents an attempt to queue an APC into the victim process.
Definition: intro_types.h:1420
IntSerializeDpi
static void IntSerializeDpi(const EXCEPTION_UM_ORIGINATOR *Originator)
Serialize the DPI flags.
Definition: serializers.c:2869
_GUEST_STATE::Guest64
BOOLEAN Guest64
True if this is a 64-bit guest, False if it is a 32-bit guest.
Definition: guests.h:290
intObjExport
Used for the export object.
Definition: serializers.c:592
ZONE_PROC_THREAD_APC
#define ZONE_PROC_THREAD_APC
Used for the APC thread hijacking technique.
Definition: exceptions.h:729
_SERIALIZER_DPI_WIN_TOKEN_PRIVS::OldEnabled
QWORD OldEnabled
Definition: serializers.c:467
QWORD
unsigned long long QWORD
Definition: intro_types.h:53
IntSerializeUmException
static void IntSerializeUmException(const void *Originator, const void *Victim, INTRO_EVENT_TYPE EventClass)
Serialize the user-mode exception.
Definition: serializers.c:3657
_SERIALIZER_ARCH_REGS::Cr3
QWORD Cr3
Definition: serializers.c:320
intObjLixVma
Used for the Linux VMA object.
Definition: serializers.c:579
_SERIALIZER_HEADER::Arch
DWORD Arch
The architecture of the current guest.
Definition: serializers.c:36
_SERIALIZER_DPI_WIN_SEC_DESC::NewSacl
ACL NewSacl
The new SACL header.
Definition: serializers.c:506
intObjWinProcessParent
Used for the windows parent process object.
Definition: serializers.c:566
intObjExecInfo
Used for the execution info object.
Definition: serializers.c:587
_SERIALIZER_ARCH_REGS::Cr0
QWORD Cr0
Definition: serializers.c:318
IntSerializeKmOriginator
void IntSerializeKmOriginator(const EXCEPTION_KM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the information about kernel-mode originator.
Definition: serializers.c:3314
gCodeBlocksPattern
static CODE_BLOCK_PATTERN gCodeBlocksPattern[PAGE_SIZE/sizeof(CODE_BLOCK_PATTERN)]
Definition: serializers.c:620
_SERIALIZER_DPI_WIN_DEBUG::Debugger
QWORD Debugger
The debugger of the current process. May or may not be the parent.
Definition: serializers.c:413
INT_PC_VIOLATION_DPI_TOKEN_PRIVS
The creation of a process was attempted with token privileges altered in a malicious way...
Definition: intro_types.h:1669
TRUE
#define TRUE
Definition: intro_types.h:30
IntSerializeKernelDriver
static void IntSerializeKernelDriver(const EXCEPTION_KM_ORIGINATOR *Originator, const KERNEL_DRIVER *Driver, const DWORD ObjectType)
Serialize the provided KERNEL_DRIVER object.
Definition: serializers.c:1590
IntSerializeWinUmVictim
static void IntSerializeWinUmVictim(const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the information about user-mode windows victim.
Definition: serializers.c:3074
_SERIALIZER_DPI_WIN_HEAP_SPRAY::Detected
DWORD Detected
The bit is set if the i-th page was detected as malicious by shemu.
Definition: serializers.c:435
IS_KERNEL_POINTER_WIN
#define IS_KERNEL_POINTER_WIN(is64, p)
Checks if a guest virtual address resides inside the Windows kernel address space.
Definition: wddefs.h:76
_SERIALIZER_HEADER::SerializedType
DWORD SerializedType
The type of the serialized exception (SERIALIZER_EXCEPTION_TYPE)
Definition: serializers.c:32
_SERIALIZER_OBJECT_HEADER::Version
DWORD Version
The version of the serialized object (used for compatibility).
Definition: serializers.c:45
_SERIALIZER_KERNEL_DRIVER::BaseVa
QWORD BaseVa
The guest virtual address of the kernel module that owns this driver object.
Definition: serializers.c:221
INT_PC_VIOLATION_DPI_PIVOTED_STACK
The parent of a process had a pivoted stack when it created the child.
Definition: intro_types.h:1660
_SERIALIZER_DTR
Describes a serialized intObjDtr object.
Definition: serializers.c:122
_DPI_EXTRA_INFO::CurrentWow64Stack
QWORD CurrentWow64Stack
The current stack of the process in WoW64 mode. Valid only if the process is WoW64.
Definition: windpi.h:42
memCopyViolationWrite
This is a classic code injection attempt that simply modifies the memory of the victim process...
Definition: intro_types.h:1411
intObjMsr
Used for the MSR object.
Definition: serializers.c:558
VICTIM_SERIALIZER_DTR_VERSION
#define VICTIM_SERIALIZER_DTR_VERSION
TRACE
#define TRACE(fmt,...)
Definition: glue.h:58
SERIALIZER_EXPORT
struct _SERIALIZER_EXPORT SERIALIZER_EXPORT
Describes a serialized intObjExport object.
IntSerializeWinKernelDriver
static void IntSerializeWinKernelDriver(const KERNEL_DRIVER *Driver, DWORD ObjectType)
Serialize the provided KERNEL_DRIVER object.
Definition: serializers.c:1468
cbLevelNormal
This includes instructions until codeInsBt.
Definition: codeblocks.h:16
_SERIALIZER_DPI_WIN_HEAP_SPRAY::ShellcodeFlags
QWORD ShellcodeFlags
The shellcode flags given by shemu on the detected page.
Definition: serializers.c:444
SERIALIZER_INSTRUX
struct _SERIALIZER_INSTRUX SERIALIZER_INSTRUX
Describes a serialized intObjInstrux object.
memCopyViolationInstrument
This represents an attempt to set an instrument callback inside the victim process.
Definition: intro_types.h:1423
_WIN_PROCESS_OBJECT::DpiExtraInfo
DPI_EXTRA_INFO DpiExtraInfo
Represents the gathered extra info while checking the DPI heuristics.
Definition: winprocess.h:304
PSERIALIZER_DTR
struct _SERIALIZER_DTR * PSERIALIZER_DTR
_SERIALIZER_DPI_WIN_TOKEN_PRIVS::NewPresent
QWORD NewPresent
The new Privileges.Present value in the parent&#39;s token, which was deemed malicious.
Definition: serializers.c:472
_SERIALIZER_EXEC_INFO::Rsp
QWORD Rsp
The value of the guest RSP register at the moment of execution.
Definition: serializers.c:355
IntSerializeDpiWinDebug
static void IntSerializeDpiWinDebug(const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the DPI debug flags info (Windows).
Definition: serializers.c:2414
_DPI_EXTRA_INFO::SecDescStolenFromEproc
QWORD SecDescStolenFromEproc
If the parent security descriptor has been stolen, this variable may indicate (in case we find it) th...
Definition: windpi.h:90
_DPI_EXTRA_INFO::NewPresent
QWORD NewPresent
The new value from parent&#39;s token Privileges.Present field, which was deemed malicious.
Definition: windpi.h:77
_DPI_EXTRA_INFO::CurrentStack
QWORD CurrentStack
The current stack of the process at the point of process creation.
Definition: windpi.h:36
gSerializerCurrentId
static QWORD gSerializerCurrentId
Definition: serializers.c:618
exceptionTypeKm
Kernel-mode exception.
Definition: exceptions.h:61
_IG_ARCH_REGS::Cr3
QWORD Cr3
Definition: glueiface.h:54
IntSerializeLixKmMisc
static void IntSerializeLixKmMisc(const EXCEPTION_KM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the misc information for Linux kernel-mode alert.
Definition: serializers.c:3520
IntSerializeDpiWinStolenToken
static void IntSerializeDpiWinStolenToken(const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the DPI stolen token info (Windows).
Definition: serializers.c:2508
IntSerializeDump
static void IntSerializeDump(void)
Dumps the serialized buffer (base64 format).
Definition: serializers.c:743
_SERIALIZER_LIX_PROCESS::RealParent
QWORD RealParent
The guest virtual address of the task_struct->real_parent.
Definition: serializers.c:154
_SERIALIZER_ARCH_REGS::Rdi
QWORD Rdi
Definition: serializers.c:305
_SERIALIZER_WRITE_INFO::NewValue
QWORD NewValue[8]
The size of the access.
Definition: serializers.c:336
_LIX_TASK_OBJECT
Definition: lixprocess.h:38
introGuestWindows
Windows.
Definition: intro_types.h:2043
intObjEndMisc
Used to notify the deserializer that the all the misc objects has been parsed.
Definition: serializers.c:553
DESCRIPTOR_SIZE_64
#define DESCRIPTOR_SIZE_64
Definition: processor.h:102
_SERIALIZER_STRING::Length
DWORD Length
The length of the string.
Definition: serializers.c:56
intObjStartOriginator
Used to notify the deserializer that the next objects contains the originator.
Definition: serializers.c:543
_SERIALIZER_HEADER::Size
WORD Size
The size (bytes) of the serializer buffer.
Definition: serializers.c:35
_SERIALIZER_WIN_VAD::EndPage
QWORD EndPage
Definition: serializers.c:203
exceptionZoneMsr
The modified object is a MSR.
Definition: exceptions.h:747
WARNING
#define WARNING(fmt,...)
Definition: glue.h:60
IntSerializeExport
static void IntSerializeExport(const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the modified exports.
Definition: serializers.c:2900
_CODE_BLOCK_PATTERN::Value
BYTE Value
The CODE_INS value describing the instruction type.
Definition: codeblocks.h:71
_SERIALIZER_MSR::Msr
DWORD Msr
The written MSR.
Definition: serializers.c:106
SERIALIZER_DPI_WIN_ACL_EDIT
struct _SERIALIZER_DPI_WIN_ACL_EDIT SERIALIZER_DPI_WIN_ACL_EDIT
Describes a serialized intObjDpiWinAclEdit.
END_MISC_SERIALZIER_VERSION
#define END_MISC_SERIALZIER_VERSION
_SERIALIZER_DPI_WIN_HEAP_SPRAY::Mapped
DWORD Mapped
Definition: serializers.c:433
LIX_KM_VICTIM_SERIALIZER_VERSION
#define LIX_KM_VICTIM_SERIALIZER_VERSION
IntSerializeDpiWinAclEdit
static void IntSerializeDpiWinAclEdit(const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the DPI ACL edit info (Windows).
Definition: serializers.c:2774
IntSerializeLixKernelModule
static void IntSerializeLixKernelModule(const KERNEL_DRIVER *Driver, DWORD ObjecType)
Serialize the provided KERNEL_DRIVER object.
Definition: serializers.c:1508
_SERIALIZER_WIN_KERNEL_DRIVER::TimeDateStamp
DWORD TimeDateStamp
The driver&#39;s internal timestamp (from the _IMAGE_FILE_HEADER).
Definition: serializers.c:232
PSERIALIZER_MSR
struct _SERIALIZER_MSR * PSERIALIZER_MSR
WIN_PROCESS_MODULE_SERIALIZER_VERSION
#define WIN_PROCESS_MODULE_SERIALIZER_VERSION
_SERIALIZER_DPI_WIN_SEC_DESC::NewDacl
ACL NewDacl
The new DACL header.
Definition: serializers.c:507
_SERIALIZER_RIP_CODE::Length
DWORD Length
The length of the code array.
Definition: serializers.c:382
EXEC_INFO_SERIALIZER_VERSION
#define EXEC_INFO_SERIALIZER_VERSION
intObjLixProcessParent
Used for the Linux parent task object.
Definition: serializers.c:568
IntSerializeArchRegs
static void IntSerializeArchRegs(void)
Serialize the guest registers.
Definition: serializers.c:2385
PAGE_SIZE
#define PAGE_SIZE
Definition: common.h:70
_SERIALIZER_CODE_BLOCKS::Rip
QWORD Rip
Definition: serializers.c:368
_SERIALIZER_EXEC_INFO::Length
DWORD Length
The length of the instruction.
Definition: serializers.c:358
SERIALIZER_LIX_KERNEL_MODULE
struct _SERIALIZER_LIX_KERNEL_MODULE SERIALIZER_LIX_KERNEL_MODULE
Describes a serialized intObjLixKernelModule object.
_EXCEPTION_VICTIM_ZONE
Describes the modified zone.
Definition: exceptions.h:893
IntSerializeDpiWinTokenPrivs
static void IntSerializeDpiWinTokenPrivs(const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the DPI token privs info (Windows).
Definition: serializers.c:2631
UNREFERENCED_PARAMETER
#define UNREFERENCED_PARAMETER(P)
Definition: introdefs.h:29
DPI_WIN_SEC_DESC_SERIALIZER_VERSION
#define DPI_WIN_SEC_DESC_SERIALIZER_VERSION
_SERIALIZER_EXCEPTION_UM_ORIGINATOR
Describes a serialized intObjUmOriginator object.
Definition: serializers.c:73
_DPI_EXTRA_INFO::DpiStolenTokenExtraInfo
struct _DPI_EXTRA_INFO::@205 DpiStolenTokenExtraInfo
cbLevelMedium
This includes instructions until codeInsFlags.
Definition: codeblocks.h:17
SERIALIZER_EXCEPTION_KM_ORIGINATOR
struct _SERIALIZER_EXCEPTION_KM_ORIGINATOR SERIALIZER_EXCEPTION_KM_ORIGINATOR
Describes a serialized intObjKmOriginator object.
_DPI_EXTRA_INFO::OldEnabled
QWORD OldEnabled
Definition: windpi.h:72
INT_STATUS_DATA_BUFFER_TOO_SMALL
#define INT_STATUS_DATA_BUFFER_TOO_SMALL
Definition: introstatus.h:194
SERIALIZER_DPI
struct _SERIALIZER_DPI SERIALIZER_DPI
Describes a serialized intObjDpi object.
LIX_VMA_SERIALIZER_VERSION
#define LIX_VMA_SERIALIZER_VERSION
_WINUM_CACHE_EXPORT::Rva
DWORD Rva
The RVA of this export.
Definition: winumcache.h:23
_KTRAP_FRAME32
Definition: wddefs.h:941
_SERIALIZER_EXCEPTION_VICTIM::ZoneType
ZONE_TYPE ZoneType
The zone-type of the victim object.
Definition: serializers.c:85
WCHAR
uint16_t WCHAR
Definition: intro_types.h:63
IntSerializerBase64Get
static char * IntSerializerBase64Get(DWORD *Length)
Converts the serialized buffer to base64.
Definition: serializers.c:654
introObjectTypeSudExec
Executions inside the SharedUserData region.
Definition: intro_types.h:267
introObjectTypeVeAgent
The Virtualization exception agent injected inside the guest.
Definition: intro_types.h:259
KERNEL_DRIVER_SERIALIZER_VERSION
#define KERNEL_DRIVER_SERIALIZER_VERSION
PSERIALIZER_INSTRUX
struct _SERIALIZER_INSTRUX * PSERIALIZER_INSTRUX
DWORD
uint32_t DWORD
Definition: intro_types.h:49
VICTIM_SERIALIZER_MSR_VERSION
#define VICTIM_SERIALIZER_MSR_VERSION
IntSerializeEpt
static void IntSerializeEpt(const EXCEPTION_VICTIM_EPT *Ept, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the provided EPT object.
Definition: serializers.c:973
_DPI_EXTRA_INFO::DpiThreadStartExtraInfo
struct _DPI_EXTRA_INFO::@208 DpiThreadStartExtraInfo
_SERIALIZER_DPI_WIN_ACL_EDIT::OldDacl
ACL OldDacl
The old DACL header.
Definition: serializers.c:517
INSTRUX_SERIALIZER_VERSION
#define INSTRUX_SERIALIZER_VERSION
_DPI_EXTRA_INFO::StackBase
QWORD StackBase
The known stack base present in TIB at the moment of process creation.
Definition: windpi.h:37
_DPI_EXTRA_INFO::DpiHeapSprayExtraInfo
struct _DPI_EXTRA_INFO::@206 DpiHeapSprayExtraInfo
_SERIALIZER_ARCH_REGS::R15
QWORD R15
Definition: serializers.c:313
_SERIALIZER_WIN_PROCESS
Describes a serialized intObjWinProcess object.
Definition: serializers.c:168
IntSerializeDpiWinPivotedStack
static void IntSerializeDpiWinPivotedStack(const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the DPI pivoted stack info (Windows).
Definition: serializers.c:2456
introObjectTypeUmModule
User-mode library.
Definition: intro_types.h:248
_SERIALIZER_IDT
Describes a serialized intObjIdt object.
Definition: serializers.c:131
_SERIALIZER_STRING::Encode
BYTE Encode
The encode type of the string (utf-8, utf-16).
Definition: serializers.c:57
SERIALIZER_KERNEL_DRIVER
struct _SERIALIZER_KERNEL_DRIVER SERIALIZER_KERNEL_DRIVER
Describes a serialized intObjKernelDriver object.
INTRO_ACTION
enum _INTRO_ACTION INTRO_ACTION
Event actions.
_SERIALIZER_LIX_KERNEL_MODULE::RoSize
DWORD RoSize
The size of the .rodata (read-only).
Definition: serializers.c:246
PSERIALIZER_STRING
struct _SERIALIZER_STRING * PSERIALIZER_STRING
_SERIALIZER_EXEC_INFO
Describes a serialized intObjExecInfo object.
Definition: serializers.c:353
PSERIALIZER_CODE_BLOCKS
struct _SERIALIZER_CODE_BLOCKS * PSERIALIZER_CODE_BLOCKS
gBase64Chars
const char gBase64Chars[]
Definition: serializers.c:624
_EXCEPTION_VICTIM_CR
Describes a CR victim.
Definition: exceptions.h:779
_SERIALIZER_ARCH_REGS::R8
QWORD R8
Definition: serializers.c:306
_SERIALIZER_ARCH_REGS::Rbp
QWORD Rbp
Definition: serializers.c:303
IG_EPT_HOOK_NONE
No access type. This can be used for swap hooks.
Definition: glueiface.h:297
_SERIALIZER_ARCH_REGS::GdtLimit
QWORD GdtLimit
Definition: serializers.c:325
_DPI_EXTRA_INFO::OldPresent
QWORD OldPresent
Definition: windpi.h:75
_SERIALIZER_WIN_PROCESS::Pid
DWORD Pid
Process ID (the one used by Windows).
Definition: serializers.c:175
introReasonAllowedFeedback
The action was allowed, but it has the BETA flag (Introcore is in log-only mode). ...
Definition: intro_types.h:185
codeInsCall
Call, of any kind.
Definition: codeblocks.h:29
_SERIALIZER_DPI::Flags
DWORD Flags
The DPI flags.
Definition: serializers.c:529
intObjVictim
Used for the victim object.
Definition: serializers.c:555
SERIALIZER_LIX_PROCESS
struct _SERIALIZER_LIX_PROCESS SERIALIZER_LIX_PROCESS
Describes a serialized intObjLixProcess object.
_SERIALIZER_DPI_WIN_SEC_DESC::OldPtrValue
QWORD OldPtrValue
Old value.
Definition: serializers.c:500
IntSerializeIdt
static void IntSerializeIdt(const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the provided IDT object.
Definition: serializers.c:1054
_SERIALIZER_EPT::Gva
QWORD Gva
The written/read/exec guest virtual address.
Definition: serializers.c:95
VICTIM_SERIALIZER_INJECTION_VERSION
#define VICTIM_SERIALIZER_INJECTION_VERSION
IntSerializeWinKmMisc
static void IntSerializeWinKmMisc(const EXCEPTION_KM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the misc information for windows kernel-mode alert.
Definition: serializers.c:3543
PSERIALIZER_EXCEPTION_UM_ORIGINATOR
struct _SERIALIZER_EXCEPTION_UM_ORIGINATOR * PSERIALIZER_EXCEPTION_UM_ORIGINATOR
_DPI_EXTRA_INFO::DpiTokenPrivsExtraInfo
struct _DPI_EXTRA_INFO::@207 DpiTokenPrivsExtraInfo
IntSerializeKmException
static void IntSerializeKmException(const void *Originator, const void *Victim, INTRO_EVENT_TYPE EventClass)
Serialize the kernel-mode exception.
Definition: serializers.c:3635
IntVirtMemMap
__must_check INTSTATUS IntVirtMemMap(QWORD Gva, DWORD Length, QWORD Cr3, DWORD Flags, void **HostPtr)
Maps a guest virtual memory range inside Introcore virtual address space.
Definition: introcore.c:2134
DPI_WIN_ACL_SERIALIZER_VERSION
#define DPI_WIN_ACL_SERIALIZER_VERSION
_SERIALIZER_ARCH_REGS::R11
QWORD R11
Definition: serializers.c:309
_SERIALIZER_DPI_WIN_HEAP_SPRAY::HeapValCount
DWORD HeapValCount
The number of heap values in the page. Since the max value can be 1024, 11 bits are needed...
Definition: serializers.c:437
_WINUM_CACHE_EXPORT::NameLens
DWORD NameLens[MAX_OFFSETS_PER_NAME]
Length of each name pointing to this RVA.
Definition: winumcache.h:25
stringEncodeUtf16
The string encoding type &#39;utf-16&#39;.
Definition: serializers.c:611
_GUEST_STATE::Mm
MM Mm
Guest memory information, such as paging mode, system Cr3 value, etc.
Definition: guests.h:374
IntSerializeWinKmOriginator
void IntSerializeWinKmOriginator(const EXCEPTION_KM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the information about windows kernel-mode originator.
Definition: serializers.c:3270
SERIALIZER_DPI_PIVOTED_STACK
struct _SERIALIZER_DPI_PIVOTED_STACK SERIALIZER_DPI_PIVOTED_STACK
Describes a serialized intObjDpiPivotedStack.
INT_PC_VIOLATION_DPI_DEBUG_FLAG
The parent of a process tried to obtain debug privileges over the child.
Definition: intro_types.h:1657
IntSerializeLixUmOriginator
void IntSerializeLixUmOriginator(const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the information about Linux user-mode originator.
Definition: serializers.c:2979
IntSerializeKernelDrvObject
static void IntSerializeKernelDrvObject(const WIN_DRIVER_OBJECT *DrvObject)
Serialize the provided WIN_DRIVER_OBJECT object.
Definition: serializers.c:1550
_SERIALIZER_RIP_CODE::CsType
DWORD CsType
The type of the code segment. Can be one of the IG_CS_TYPE values.
Definition: serializers.c:381
IntSerializeCurrentOffset
static DWORD IntSerializeCurrentOffset(void)
Get the current offset (length) of the serialized buffer.
Definition: serializers.c:689
intObjStartMisc
Used to notify the deserializer that the next objects contains the misc.
Definition: serializers.c:551
INT_PC_VIOLATION_DPI_SEC_DESC
The parent of a process has an altered security descriptor pointer.
Definition: intro_types.h:1675
gGuest
GUEST_STATE gGuest
The current guest state.
Definition: guests.c:50
_SERIALIZER_ARCH_REGS::R12
QWORD R12
Definition: serializers.c:310
exceptionZoneProcess
The modified object is inside a process.
Definition: exceptions.h:750
_SERIALIZER_DPI_PIVOTED_STACK::Wow64CurrentStack
QWORD Wow64CurrentStack
The current stack of the parent process in WoW64 mode.
Definition: serializers.c:484
SERIALIZER_RAW_DUMP
struct _SERIALIZER_RAW_DUMP SERIALIZER_RAW_DUMP
Describes a serialized intObjRawDump object.
LIX_VICTIM_SERIALIZER_VERSION
#define LIX_VICTIM_SERIALIZER_VERSION
IntVirtMemRead
INTSTATUS IntVirtMemRead(QWORD Gva, DWORD Length, QWORD Cr3, void *Buffer, DWORD *RetLength)
Reads data from a guest virtual memory range.
Definition: introcore.c:627
DPI_WIN_HEAP_SPRAY_SERIALIZER_VERSION
#define DPI_WIN_HEAP_SPRAY_SERIALIZER_VERSION
_SERIALIZER_DPI_WIN_ACL_EDIT::NewDacl
ACL NewDacl
The new DACL header.
Definition: serializers.c:520
_SERIALIZER_KERNEL_DRIVER
Describes a serialized intObjKernelDriver object.
Definition: serializers.c:217
_SERIALIZER_WIN_PROCESS::Cr3
QWORD Cr3
Process PDBR. Includes PCID.
Definition: serializers.c:173
_WIN_PROCESS_MODULE
Definition: winummodule.h:30
intObjDpiWinDebug
Used for the DPI debug object.
Definition: serializers.c:594
_SERIALIZER_WIN_PROCESS::ParentEprocess
QWORD ParentEprocess
The EPROCESS of the parent process.
Definition: serializers.c:171
START_ORIGINATOR_SERIALZIER_VERSION
#define START_ORIGINATOR_SERIALZIER_VERSION
serializerExceptionTypeKmUm
Used for kernel-user mode exceptions.
Definition: serializers.c:23
_SERIALIZER_RAW_DUMP::Raw
BYTE Raw[0]
The raw dump of the injection.
Definition: serializers.c:393
intObjDpiWinAclEdit
Used for the DPI ACL objects.
Definition: serializers.c:601
IntSerializeUmOriginator
static void IntSerializeUmOriginator(const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the information about user-mode originator.
Definition: serializers.c:3001
_SERIALIZER_ARCH_REGS::Rcx
QWORD Rcx
Definition: serializers.c:299
SERIALIZER_EPT
struct _SERIALIZER_EPT SERIALIZER_EPT
Describes a serialized intObjEpt object.
introObjectTypeSsdt
SSDT (Windows only).
Definition: intro_types.h:235
SERIALIZER_EXEC_INFO
struct _SERIALIZER_EXEC_INFO SERIALIZER_EXEC_INFO
Describes a serialized intObjExecInfo object.
PSERIALIZER_LIX_KERNEL_MODULE
struct _SERIALIZER_LIX_KERNEL_MODULE * PSERIALIZER_LIX_KERNEL_MODULE
intObjArchRegs
Used for the registers object.
Definition: serializers.c:588
_SERIALIZER_LIX_PROCESS::Parent
QWORD Parent
The guest virtual address of the task_struct->parent.
Definition: serializers.c:156
_SERIALIZER_WRITE_INFO::OldValue
QWORD OldValue[8]
The written value. Only the first Size bytes are valid.
Definition: serializers.c:335
IntSerializeCurrentPtr
static void * IntSerializeCurrentPtr(DWORD Size)
Returns the current pointer to serializer buffer and checks for overflows.
Definition: serializers.c:795
IntSerializeIncrementCurrentId
static void IntSerializeIncrementCurrentId(void)
Increment the current serializer alert ID.
Definition: serializers.c:731
_SERIALIZER_ARCH_REGS::Cr2
QWORD Cr2
Definition: serializers.c:314
IntWinProcFindObjectByEprocess
PWIN_PROCESS_OBJECT IntWinProcFindObjectByEprocess(QWORD Eprocess)
Finds a process by the address of its _EPROCESS structure.
Definition: winprocesshp.c:96
IntSerializeDpiWinHeapSpray
static void IntSerializeDpiWinHeapSpray(const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the DPI heap spray info (Windows).
Definition: serializers.c:2551
END_VICTIM_SERIALZIER_VERSION
#define END_VICTIM_SERIALZIER_VERSION
INT_PC_VIOLATION_DPI_THREAD_START
The thread which created the process has started execution on some suspicious code.
Definition: intro_types.h:1672
intObjWriteInfo
Used for the write info object.
Definition: serializers.c:585
introObjectTypeVsyscall
Virtual SYSCALL (user-mode, Linux-only).
Definition: intro_types.h:257
_LIX_VMA
Definition: lixmm.h:14
VICTIM_SERIALIZER_IDT_VERSION
#define VICTIM_SERIALIZER_IDT_VERSION
_SERIALIZER_DPI_WIN_SEC_DESC::NewPtrValue
QWORD NewPtrValue
New value.
Definition: serializers.c:501
PSERIALIZER_EXEC_INFO
struct _SERIALIZER_EXEC_INFO * PSERIALIZER_EXEC_INFO
_EXCEPTION_VICTIM_DTR
Describes a DTR victim.
Definition: exceptions.h:791
CODE_BLOCK
struct _CODE_BLOCK CODE_BLOCK
_SERIALIZER_WIN_MODULE::VirtualBase
QWORD VirtualBase
Guest virtual address of the loaded module.
Definition: serializers.c:278
ZONE_READ
#define ZONE_READ
Used for read violation.
Definition: exceptions.h:735
DPI_WIN_STOLEN_TOKEN_SERIALIZER_VERSION
#define DPI_WIN_STOLEN_TOKEN_SERIALIZER_VERSION
DPI_WIN_PIVOTET_STACK_SERIALIZER_VERSION
#define DPI_WIN_PIVOTET_STACK_SERIALIZER_VERSION
_SERIALIZER_ARCH_REGS::R13
QWORD R13
Definition: serializers.c:311
IntWinUmCacheGetExportFromRange
WINUM_CACHE_EXPORT * IntWinUmCacheGetExportFromRange(WIN_PROCESS_MODULE *Module, QWORD Gva, DWORD Length)
Tries to find an export in the range [Gva - Length, Gva].
Definition: winumcache.c:225
intObjWinModuleReturn
Used for the windows return module object.
Definition: serializers.c:582
PSERIALIZER_KERNEL_DRV_OBJECT
struct _SERIALIZER_KERNEL_DRV_OBJECT * PSERIALIZER_KERNEL_DRV_OBJECT
_SERIALIZER_DPI_WIN_STOLEN_TOKEN
Describes a serialized intObjDpiWinStolenToken.
Definition: serializers.c:420
_SERIALIZER_DPI_WIN_HEAP_SPRAY::DetectedPage
BYTE DetectedPage[0x1000]
The page which was detected through shemu as malicious.
Definition: serializers.c:446
DPI_WIN_TOKEN_PRIVS_SERIALIZER_VERSION
#define DPI_WIN_TOKEN_PRIVS_SERIALIZER_VERSION
PSERIALIZER_EXCEPTION_VICTIM
struct _SERIALIZER_EXCEPTION_VICTIM * PSERIALIZER_EXCEPTION_VICTIM
_SERIALIZER_EPT::Gpa
QWORD Gpa
The written/read/exec guest physical address.
Definition: serializers.c:96
_WINUM_CACHE_EXPORT::Names
PCHAR Names[MAX_OFFSETS_PER_NAME]
The names pointing to this RVA. Each name will point inside the Names structure inside WINUM_CACHE_EX...
Definition: winumcache.h:31
introObjectTypeVdso
Virtual dynamic shared object (user-mode, Linux-only).
Definition: intro_types.h:256
_SERIALIZER_OBJECT_HEADER::Size
WORD Size
The size of the serialized object.
Definition: serializers.c:47
intObjDpiWinStolenToken
Used for the DPI stolen token object.
Definition: serializers.c:596
intObjEndVictim
Used to notify the deserializer that the all the victim&#39;s objects has been parsed.
Definition: serializers.c:549
_SERIALIZER_CR
Describes a serialized intObjCr object.
Definition: serializers.c:113
stringEncodeUtf8
The string encoding type &#39;utf-8&#39;.
Definition: serializers.c:610
_SERIALIZER_INJECTION::Type
DWORD Type
The injection type.
Definition: serializers.c:144
_SERIALIZER_ARCH_REGS::Rdx
QWORD Rdx
Definition: serializers.c:300
PSERIALIZER_EPT
struct _SERIALIZER_EPT * PSERIALIZER_EPT
_WINUM_CACHE_EXPORT
Definition: winumcache.h:19
SERIALIZER_DPI_WIN_TOKEN_PRIVS
struct _SERIALIZER_DPI_WIN_TOKEN_PRIVS SERIALIZER_DPI_WIN_TOKEN_PRIVS
Describes a serialized intObjDpiWinTokenPrivs.
IntLixTaskFindByGva
LIX_TASK_OBJECT * IntLixTaskFindByGva(QWORD TaskStruct)
Finds Linux process with the provided "task_struct" guest virtual address.
Definition: lixprocess.c:1025
exceptionZoneCr
The modified object is a CR.
Definition: exceptions.h:748
IntSerializeDtr
static void IntSerializeDtr(const EXCEPTION_VICTIM_DTR *Dtr)
Serialize the provided DTR object.
Definition: serializers.c:1119
_SERIALIZER_LIX_PROCESS::Tgid
DWORD Tgid
The TGID.
Definition: serializers.c:160
_SERIALIZER_DPI_WIN_THREAD_START::StartPage
BYTE StartPage[0x1000]
The copied page from where the thread started executing.
Definition: serializers.c:458
intObjLixKernelModule
Used for the Linux kernel module object.
Definition: serializers.c:574
exceptionTypeKmUm
Kernel-User mode exception.
Definition: exceptions.h:63
gVcpu
VCPU_STATE * gVcpu
The state of the current VCPU.
Definition: guests.c:59
VICTIM_SERIALIZER_EPT_VERSION
#define VICTIM_SERIALIZER_EPT_VERSION
_SERIALIZER_DPI_WIN_SEC_DESC::OldSacl
ACL OldSacl
The old SACL header.
Definition: serializers.c:503
_SERIALIZER_WIN_VAD::VadType
DWORD VadType
The type of the VAD.
Definition: serializers.c:207
INTRO_EVENT_TYPE
enum _INTRO_EVENT_TYPE INTRO_EVENT_TYPE
Event classes.
IG_CS_TYPE_64B
64-bit selector.
Definition: glueiface.h:188
_SERIALIZER_EXPORT::Delta
DWORD Delta
The offset inside the affected function at which the access was made.
Definition: serializers.c:403
_SERIALIZER_WIN_PROCESS::RealParentEprocess
QWORD RealParentEprocess
The active EPROCESS at the moment of creation.
Definition: serializers.c:172
_SERIALIZER_EXPORT::Count
DWORD Count
The number of the exports.
Definition: serializers.c:402
IntSerializeBlockToBase64
static void IntSerializeBlockToBase64(const BYTE *In, BYTE *Out, size_t Length)
Converts the provided binary buffer to base64.
Definition: serializers.c:633
_SERIALIZER_WIN_KERNEL_DRIVER
Describes a serialized intObjWinKernelDriver object.
Definition: serializers.c:230
WIN_VICTIM_SERIALIZER_VERSION
#define WIN_VICTIM_SERIALIZER_VERSION
ZONE_PROC_THREAD_CTX
#define ZONE_PROC_THREAD_CTX
Used for the CONTEXT structure of a thread.
Definition: exceptions.h:728
SERIALIZER_WIN_MODULE
struct _SERIALIZER_WIN_MODULE SERIALIZER_WIN_MODULE
Describes a serialized intObjWinModule object.
IntSerializeWriteInfo
static void IntSerializeWriteInfo(const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the write violation information.
Definition: serializers.c:1765
PSERIALIZER_DPI_WIN_TOKEN_PRIVS
struct _SERIALIZER_DPI_WIN_TOKEN_PRIVS * PSERIALIZER_DPI_WIN_TOKEN_PRIVS
SERIALIZER_WIN_VAD
struct _SERIALIZER_WIN_VAD SERIALIZER_WIN_VAD
Describes a serialized intObjWinVad object.
intObjRawDump
Used for the injection raw dump object.
Definition: serializers.c:591
_SERIALIZER_ARCH_REGS::GdtBase
QWORD GdtBase
Definition: serializers.c:324
_SERIALIZER_DTR::Type
DWORD Type
The type of the modified DTR.
Definition: serializers.c:124
_SERIALIZER_DPI_PIVOTED_STACK::Wow64StackBase
QWORD Wow64StackBase
The known stack base of the parent process in WoW64 mode.
Definition: serializers.c:485
_KERNEL_DRIVER::EntryPoint
QWORD EntryPoint
The entry point of this driver.
Definition: drivers.h:45
_SERIALIZER_ARCH_REGS::Rax
QWORD Rax
Definition: serializers.c:298
SERIALIZER_STRING
struct _SERIALIZER_STRING SERIALIZER_STRING
Describes a serialized string.
codeInsMovMem
A mov involving memory (either as the destination or as the source).
Definition: codeblocks.h:35
IntSerializeHeader
static void IntSerializeHeader(SERIALIZER_EXCEPTION_TYPE SerializerType, INTRO_EVENT_TYPE EventClass)
Serialize the header of the serializer buffer.
Definition: serializers.c:3607
intObjDpiWinPivotedStack
Used for the DPI pivoted stack object.
Definition: serializers.c:595
PSERIALIZER_LIX_VMA
struct _SERIALIZER_LIX_VMA * PSERIALIZER_LIX_VMA
_SERIALIZER_KERNEL_DRV_OBJECT::Gva
QWORD Gva
The guest virtual address of the guest _DRIVER_OBJECT represented by this structure.
Definition: serializers.c:265
UNREFERENCED_LOCAL_VARIABLE
#define UNREFERENCED_LOCAL_VARIABLE(V)
Definition: introdefs.h:30
_SERIALIZER_DPI_WIN_ACL_EDIT::OldSacl
ACL OldSacl
The old SACL header.
Definition: serializers.c:516
IG_EPT_HOOK_EXECUTE
Execute-access hook.
Definition: glueiface.h:300
IntSerializeDpiWinThreadStart
static void IntSerializeDpiWinThreadStart(const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the DPI start thread info (Windows).
Definition: serializers.c:2676
INT_PC_VIOLATION_DPI_ACL_EDIT
The parent of a process has an altered access control entry (inside SACL or DACL).
Definition: intro_types.h:1678
_SERIALIZER_CODE_BLOCKS::Count
DWORD Count
The number of available entries in the CodeBlocks array.
Definition: serializers.c:371
WIN_VAD_SERIALIZER_VERSION
#define WIN_VAD_SERIALIZER_VERSION
_DPI_EXTRA_INFO::StackLimit
QWORD StackLimit
Definition: windpi.h:38
CHAR
char CHAR
Definition: intro_types.h:56
SERIALIZER_HEADER
struct _SERIALIZER_HEADER SERIALIZER_HEADER
Describes the header of the serializer buffer.
_DPI_EXTRA_INFO::ShellcodeFlags
QWORD ShellcodeFlags
Contains the flags on the first page which was detected through shemu.
Definition: windpi.h:67
PSERIALIZER_DPI_WIN_ACL_EDIT
struct _SERIALIZER_DPI_WIN_ACL_EDIT * PSERIALIZER_DPI_WIN_ACL_EDIT
_SERIALIZER_DPI_WIN_HEAP_SPRAY::Executable
DWORD Executable
True if the page is executable in the translation.
Definition: serializers.c:440
memCopyViolationRead
This represents a read done from another process.
Definition: intro_types.h:1414
IntSerializeInstruction
void IntSerializeInstruction(INSTRUX *Instruction, const QWORD Rip)
Serialize the provided INSTRUX object.
Definition: serializers.c:1726
PSERIALIZER_READ_INFO
struct _SERIALIZER_READ_INFO * PSERIALIZER_READ_INFO
_SERIALIZER_RIP_CODE::Code
BYTE Code[0]
The contents of the guest memory page that contains the RIP.
Definition: serializers.c:383
IG_CS_TYPE_INVALID
Invalid selector.
Definition: glueiface.h:185
_SERIALIZER_DPI_PIVOTED_STACK::CurrentStack
QWORD CurrentStack
The current stack of the parent process.
Definition: serializers.c:481
_SERIALIZER_LIX_PROCESS::Cr3
QWORD Cr3
The CR3.
Definition: serializers.c:158
IntSerializeUmVictim
static void IntSerializeUmVictim(const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the information about user-mode victim.
Definition: serializers.c:3240
IG_EPT_HOOK_WRITE
Write-access hook.
Definition: glueiface.h:299
intObjWinVad
Used for the windows VAD object.
Definition: serializers.c:578
_VAD
A representation of a Windows VAD structure.
Definition: winvad.h:80
intObjKernelDriver
Used for the kernel driver object.
Definition: serializers.c:570
_SERIALIZER_LIX_KERNEL_MODULE
Describes a serialized intObjLixKernelModule object.
Definition: serializers.c:239
SERIALIZER_DPI_WIN_DEBUG
struct _SERIALIZER_DPI_WIN_DEBUG SERIALIZER_DPI_WIN_DEBUG
Describes a serialized intObjDpiWinDebug.
PAGE_MASK
#define PAGE_MASK
Definition: pgtable.h:35
_SERIALIZER_DPI_WIN_TOKEN_PRIVS::NewEnabled
QWORD NewEnabled
The new Privileges.Enabled value in the parent&#39;s token, which was deemed malicious.
Definition: serializers.c:469
_KERNEL_DRIVER::ObjectGva
QWORD ObjectGva
The guest virtual address at which this object resides.
Definition: drivers.h:39
_SERIALIZER_EXCEPTION_TYPE
_SERIALIZER_EXCEPTION_TYPE
Describes the serialized exception type.
Definition: serializers.c:19
_SERIALIZER_DPI_WIN_ACL_EDIT
Describes a serialized intObjDpiWinAclEdit.
Definition: serializers.c:514
_SERIALIZER_ARCH_REGS::Rsi
QWORD Rsi
Definition: serializers.c:304
ZONE_WRITE
#define ZONE_WRITE
Used for write violation.
Definition: exceptions.h:734
PSERIALIZER_INJECTION
struct _SERIALIZER_INJECTION * PSERIALIZER_INJECTION
_SERIALIZER_ARCH_REGS::Dr7
QWORD Dr7
Definition: serializers.c:316
_SERIALIZER_DPI_WIN_HEAP_SPRAY::Reserved
DWORD Reserved
Reserved for further use.
Definition: serializers.c:441
intObjLixKernelModuleReturn
Used for the Linux kernel module object.
Definition: serializers.c:575
_SERIALIZER_WIN_VAD::ExecCount
DWORD ExecCount
The number of execution violations triggered by pages inside this VAD.
Definition: serializers.c:209
_SERIALIZER_OBJECT_HEADER::Type
WORD Type
The type of the sterilized object.
Definition: serializers.c:46
_SERIALIZER_RAW_DUMP::Length
DWORD Length
The length of the Raw field.
Definition: serializers.c:392
_SERIALIZER_WIN_VAD::VadProtection
DWORD VadProtection
The protection as represented inside the Windows kernel.
Definition: serializers.c:206
intObjDpi
Used for the DPI object.
Definition: serializers.c:593
_SERIALIZER_LIX_PROCESS::Pid
DWORD Pid
The PID.
Definition: serializers.c:159
intObjIntegrity
Used for the Integrity object.
Definition: serializers.c:562
IntSerializeInjection
static void IntSerializeInjection(const EXCEPTION_VICTIM_INJECTION *Injection, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the provided Injection object.
Definition: serializers.c:1151
_SERIALIZER_DPI_WIN_HEAP_SPRAY::Offset
DWORD Offset
The offset where the detection on the given page was given, if Detection is equal to 1...
Definition: serializers.c:439
intObjKernelDrvObject
Used for the windows driver obj object.
Definition: serializers.c:576
SERIALIZER_CODE_BLOCKS
struct _SERIALIZER_CODE_BLOCKS SERIALIZER_CODE_BLOCKS
Describes a serialized intObjCodeBlocks object.
IntLixFileGetPath
INTSTATUS IntLixFileGetPath(QWORD FileStructGva, char **Path, DWORD *Length)
Gets the path that corresponds to the provided FileStructGva (guest virtual address of the &#39;struct fi...
Definition: lixfiles.c:352
_SERIALIZER_EXCEPTION_VICTIM::Type
INTRO_OBJECT_TYPE Type
The type of the victim object.
Definition: serializers.c:84
_SERIALIZER_READ_INFO
Describes a serialized intObjExecInfo object.
Definition: serializers.c:343
introObjectTypeIdt
IDT.
Definition: intro_types.h:239
FALSE
#define FALSE
Definition: intro_types.h:34
_WIN_PROCESS_OBJECT
This structure describes a running process inside the guest.
Definition: winprocess.h:83
IntSerializeVad
static void IntSerializeVad(const void *Vad)
Serialize the provided VAD/vma object.
Definition: serializers.c:1447
WIN_PROCESS_SERIALIZER_VERSION
#define WIN_PROCESS_SERIALIZER_VERSION
_SERIALIZER_LIX_PROCESS::MmGva
QWORD MmGva
The guest virtual address of the task_struct->mm.
Definition: serializers.c:157