447 BYTE MaxHeapValPageContent[0x1000];
#define MAX_SERIALIZER_LENGTH (16 * ONE_KILOBYTE)

/*
 * Standard base64 alphabet (RFC 4648, section 4): 26 upper-case letters,
 * 26 lower-case letters, 10 digits, then '+' and '/'. The encoder indexes
 * this table with the 6-bit groups it carves out of each 3-byte input chunk.
 *
 * NOTE: this is the '+' '/' alphabet, not the URL- and filename-safe
 * '-' '_' variant, so an encoded alert must be escaped before it is
 * embedded in a URL or used as a file name.
 */
const char gBase64Chars[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
    "0123456789"
    "+/";
626 #define Base64EncSize(Length) (((((Length) + 2) / 3) * 4) + 1) 647 Out[1] =
gBase64Chars[((In[0] & 0x03) << 4) | ((In[1] & 0xf0) >> 4)];
648 Out[2] = (
BYTE) (Length > 1 ?
gBase64Chars[((In[1] & 0x0f) << 2) | ((In[2] & 0xc0) >> 6)] :
'=');
672 for (
size_t i = 0; i < len; i += 3)
674 size_t size = ((len - i) < 4) ? (len - i) : 4;
759 for (
DWORD index = 0; index < length; index += 1000)
761 TRACE(
"[SERIALIZER] %.1000s", pBase64 + index);
783 ERROR(
"[ERROR] Serilizer buffer overflows! Current offset = 0x%llx, Buffer Size = 0x%0llx, " 784 "Required size = 0x%x\n",
849 _In_ const void *String,
861 const BYTE *pStr = String;
863 for (
DWORD index = 0; index <
Size; index++)
865 if (pStr[index] > 0x7f)
894 if (String != NULL && Size != 0)
910 Header->Size += (
WORD)(
sizeof(*pObject) + pObject->
Length);
925 pObject->
Length = Size / 2;
929 Header->Size += (
WORD)(
sizeof(*pObject) + pObject->
Length);
945 Header->Size += (
WORD)(
sizeof(*pObject) + pObject->
Length *
sizeof(
WCHAR));
951 LOG(
"[ERROR] Should not reach here. Encode %d \n", Encode);
965 Header->Size +=
sizeof(*pObject);
984 #define VICTIM_SERIALIZER_EPT_VERSION 1 998 pObject->
Gva = Ept->Gva;
999 pObject->
Gpa = Ept->Gpa;
1015 pHeader->
Size =
sizeof(*pObject);
1031 #define VICTIM_SERIALIZER_CR_VERSION 1 1045 pObject->
Cr = Cr->Cr;
1047 pHeader->
Size =
sizeof(*pObject);
1063 #define VICTIM_SERIALIZER_IDT_VERSION 1 1077 pObject->
Entry = (
DWORD)((Victim->Ept.Gva - Victim->Object.BaseAddress) /
1080 pHeader->
Size =
sizeof(*pObject);
1096 #define VICTIM_SERIALIZER_MSR_VERSION 1 1110 pObject->
Msr = Msr->Msr;
1112 pHeader->
Size =
sizeof(*pObject);
1128 #define VICTIM_SERIALIZER_DTR_VERSION 1 1142 pObject->
Type = Dtr->Type;
1144 pHeader->
Size =
sizeof(*pObject);
1162 #define VICTIM_SERIALIZER_INJECTION_VERSION 1 1176 pObject->
Gva = Injection->Gva;
1177 pObject->
Length = Injection->Length;
1205 pHeader->
Size =
sizeof(*pObject);
1223 if (Process == NULL)
1228 #define WIN_PROCESS_SERIALIZER_VERSION 1 1245 pObject->
Cr3 = Process->Cr3;
1246 pObject->
UserCr3 = Process->UserCr3;
1247 pObject->
Pid = Process->Pid;
1251 pObject->
Flags = Process->Flags;
1253 pHeader->
Size =
sizeof(*pObject);
1258 Process->Path != NULL ? Process->Path->PathSize : 0,
1277 if (Process == NULL)
1282 #define LIX_PROCESS_SERIALIZER_VERSION 1 1296 pObject->
Gva = Process->Gva;
1298 pObject->
Parent = Process->Parent;
1300 pObject->
MmGva = Process->MmGva;
1301 pObject->
Cr3 = Process->Cr3;
1302 pObject->
Pid = Process->Pid;
1303 pObject->
Tgid = Process->Tgid;
1305 pHeader->
Size =
sizeof(*pObject);
1309 Process->Path != NULL ? (
DWORD)Process->Path->NameLength : 0,
1313 Process->Path != NULL ? (
DWORD)Process->Path->PathLength : 0,
1358 #define WIN_VAD_SERIALIZER_VERSION 1 1373 pObject->
EndPage = Vad->EndPage;
1374 pObject->
VadGva = Vad->VadGva;
1376 pObject->
VadType = Vad->VadType;
1379 pObject->
Flags = Vad->StaticScan | Vad->IsStack | Vad->HugeVad | Vad->IsIgnored | Vad->NoChange |
1380 Vad->PrivateFixup | Vad->DeleteInProgress;
1382 pHeader->
Size =
sizeof(*pObject);
1386 Vad->Path != NULL ? Vad->Path->PathSize : 0,
1407 #define LIX_VMA_SERIALIZER_VERSION 1 1410 char *pFilePath = NULL;
1411 DWORD filePathLength = 0;
1425 pObject->
Start = Vma->Start;
1426 pObject->
End = Vma->End;
1427 pObject->
Gva = Vma->Gva;
1428 pObject->
Flags = Vma->Flags;
1429 pObject->
File = Vma->File;
1431 pHeader->
Size =
sizeof(*pObject);
1448 _In_ const void *Vad
1484 #define WIN_KERNEL_DRIVER_SERIALIZER_VERSION 1 1500 pHeader->
Size =
sizeof(*pObject);
1519 #define LIX_KERNEL_MODULE_SERIALIZER_VERSION 1 1542 pHeader->
Size =
sizeof(*pObject);
1559 if (DrvObject == NULL)
1563 #define KERNEL_DRV_OBJECT_SERIALIZER_VERSION 1 1578 pObject->
Gva = DrvObject->DriverObjectGva;
1579 pObject->
Gpa = DrvObject->DriverObjectGpa;
1582 pHeader->
Size =
sizeof(*pObject);
1603 #define KERNEL_DRIVER_SERIALIZER_VERSION 1 1606 const CHAR *pSection = NULL;
1614 if (Originator == NULL)
1621 pDriver = Originator->Original.Driver;
1622 pSection = Originator->Original.Section;
1626 pDriver = Originator->Return.Driver;
1627 pSection = Originator->Return.Section;
1635 if (pDriver == NULL)
1657 pHeader->
Size =
sizeof(*pObject);
1660 if (pSection != NULL)
1701 #define WIN_PROCESS_MODULE_SERIALIZER_VERSION 1 1716 pObject->
Size = Module->Size;
1718 pHeader->
Size =
sizeof(*pObject);
1727 _In_ INSTRUX *Instruction,
1737 if (Instruction == NULL)
1742 #define INSTRUX_SERIALIZER_VERSION 1 1757 memcpy(pObject->
Bytes, Instruction->InstructionBytes,
sizeof(pObject->
Bytes));
1759 pHeader->
Size =
sizeof(*pObject);
1779 #define WRITE_INFO_SERIALIZER_VERSION 1 1793 pObject->
AccessSize = Victim->WriteInfo.AccessSize;
1797 pHeader->
Size =
sizeof(*pObject);
1817 #define READ_INFO_SERIALIZER_VERSION 1 1831 pObject->
AccessSize = Victim->ReadInfo.AccessSize;
1834 pHeader->
Size =
sizeof(*pObject);
1854 #define EXEC_INFO_SERIALIZER_VERSION 1 1868 pObject->
Rsp = Victim->ExecInfo.Rsp;
1869 pObject->
Length = Victim->ExecInfo.Length;
1870 pObject->
StackBase = Victim->ExecInfo.StackBase;
1871 pObject->
StackLimit = Victim->ExecInfo.StackLimit;
1873 pHeader->
Size =
sizeof(*pObject);
1920 if (Originator == NULL)
1925 #define RAW_DUMP_SERIALIZER_VERSION 1 1939 pObject->
Length = Victim->Injection.Length;
1943 IntVirtMemRead(Originator->SourceVA, Victim->Injection.Length, Originator->LixProc->Cr3, pObject->
Raw, NULL);
1947 IntVirtMemRead(Originator->SourceVA, Victim->Injection.Length, Originator->WinProc->Cr3, pObject->
Raw, NULL);
1964 #define RIP_CODE_SERIALIZER_VERSION 1 1982 ERROR(
"[ERROR] IntGetCurrentMode failed: 0x%08x\n", status);
2013 DWORD startOffset = 0;
2014 DWORD endOffset = 0;
2045 *Start = startOffset;
2114 for (
DWORD index = 0; index < Count; index++)
2116 if (index == 0 && CodeBlocks[index].OffsetStart >= ripOffset)
2121 else if (index == Count - 1 || (previous <= ripOffset && ripOffset <=
gCodeBlocks[index].OffsetStart))
2151 Object->StartAddress = (Rip &
PAGE_MASK) + CodeBlocks[startCb].OffsetStart;
2155 for (
DWORD index = startCb; index < Count; index++)
2157 Object->Content[Object->Count] =
Crc32Compute(CodeBlocks[index].Chunks,
2163 Object->RipCbIndex = Object->Count;
2198 void *pContent = NULL;
2200 DWORD startOffset = 0;
2201 DWORD endOffset = 0;
2208 ERROR(
"[ERROR] IntGetCurrentMode failed: 0x%08x\n", status);
2214 ERROR(
"[ERROR] Unsupported CS type: %d\n", mode);
2225 WARNING(
"[WARNING] Failed to map range [0x%016llx - 0x%016llx], try to map range [0x%016llx - 0x%016llx]",
2226 (Rip & PAGE_MASK) + startOffset, (Rip & PAGE_MASK) + startOffset + (endOffset - startOffset),
2227 (Rip & PAGE_MASK) + startOffset, (Rip & PAGE_MASK) + startOffset + (
PAGE_SIZE - startOffset));
2235 WARNING(
"[WARNING] IntVirtMemMap failed for RIP %llx and cr3 %llx: 0x%08x\n",
2236 Rip & PAGE_MASK, Cr3, status);
2244 WARNING(
"[WARNING] IntVirtMemMap failed for RIP %llx and cr3 %llx: 0x%08x\n",
2245 Rip & PAGE_MASK, Cr3, status);
2252 endOffset - startOffset,
2262 WARNING(
"[WARNNING] Buffer too small to extract codeblocks (size %d): 0x%08x\n",
2263 endOffset - startOffset,
2268 ERROR(
"[ERROR] IntFragExtractCodePattern: 0x%08x\n", status);
2276 WARNING(
"[WARNING] Could not extract enough code-blocks from RIP %llx: %d\n",
2352 #define CODE_BLOCKS_SERIALIZER_VERSION 1 2371 memzero(pObject,
sizeof(*pObject));
2376 WARNING(
"[WARNING] IntSerializeExtractCodeBlocks failed with status: 0x%08x\n", status);
2392 #define ARCH_REGS_SERIALIZER_VERSION 1 2406 memcpy(pObject, &
gVcpu->
Regs,
sizeof(*pObject));
2408 pHeader->
Size +=
sizeof(*pObject);
2425 #define DPI_WIN_DEBUG_SERIALIZER_VERSION 1 2448 pHeader->
Size +=
sizeof(*pObject);
2467 #define DPI_WIN_PIVOTET_STACK_SERIALIZER_VERSION 1 2502 pHeader->
Size +=
sizeof(*pObject);
2519 #define DPI_WIN_STOLEN_TOKEN_SERIALIZER_VERSION 1 2543 pHeader->
Size +=
sizeof(*pObject);
2562 #define DPI_WIN_HEAP_SPRAY_SERIALIZER_VERSION 1 2566 WORD maxNumberOfHeapVals = 0;
2567 DWORD detectedPage = 0;
2568 DWORD maxPageHeapVals = 0;
2592 DWORD checkedPage = ((val << 24) | (val << 16) | (val << 8) | val) &
PAGE_MASK;
2604 detectedPage = checkedPage;
2612 maxPageHeapVals = checkedPage;
2618 if (0 != detectedPage)
2625 pHeader->
Size +=
sizeof(*pObject);
2642 #define DPI_WIN_TOKEN_PRIVS_SERIALIZER_VERSION 1 2670 pHeader->
Size +=
sizeof(*pObject);
2687 #define DPI_WIN_THREAD_START_SERIALIZER_VERSION 1 2715 pHeader->
Size +=
sizeof(*pObject);
2732 #define DPI_WIN_SEC_DESC_SERIALIZER_VERSION 1 2757 pObject->
OldPtrValue = Victim->Object.WinProc->DpiExtraInfo.DpiSecDescAclExtraInfo.OldPtrValue;
2758 pObject->
NewPtrValue = Victim->Object.WinProc->DpiExtraInfo.DpiSecDescAclExtraInfo.NewPtrValue;
2760 memcpy(&pObject->
OldSacl, &Victim->Object.WinProc->DpiExtraInfo.DpiSecDescAclExtraInfo.OldSacl,
sizeof(
ACL));
2761 memcpy(&pObject->
OldDacl, &Victim->Object.WinProc->DpiExtraInfo.DpiSecDescAclExtraInfo.OldDacl,
sizeof(
ACL));
2762 memcpy(&pObject->
NewSacl, &Victim->Object.WinProc->DpiExtraInfo.DpiSecDescAclExtraInfo.NewSacl,
sizeof(
ACL));
2763 memcpy(&pObject->
NewDacl, &Victim->Object.WinProc->DpiExtraInfo.DpiSecDescAclExtraInfo.NewDacl,
sizeof(
ACL));
2768 pHeader->
Size +=
sizeof(*pObject);
2785 #define DPI_WIN_ACL_SERIALIZER_VERSION 1 2806 memcpy(&pObject->
OldSacl, &Victim->Object.WinProc->DpiExtraInfo.DpiSecDescAclExtraInfo.OldSacl,
sizeof(
ACL));
2807 memcpy(&pObject->
OldDacl, &Victim->Object.WinProc->DpiExtraInfo.DpiSecDescAclExtraInfo.OldDacl,
sizeof(
ACL));
2808 memcpy(&pObject->
NewSacl, &Victim->Object.WinProc->DpiExtraInfo.DpiSecDescAclExtraInfo.NewSacl,
sizeof(
ACL));
2809 memcpy(&pObject->
NewDacl, &Victim->Object.WinProc->DpiExtraInfo.DpiSecDescAclExtraInfo.NewDacl,
sizeof(
ACL));
2811 pHeader->
Size +=
sizeof(*pObject);
2828 switch (Originator->PcType)
2878 #define DPI_SERIALIZER_VERSION 1 2892 pObject->
Flags = Originator->PcType;
2894 pHeader->
Size +=
sizeof(*pObject);
2911 if (Victim->Object.Library.Export == NULL)
2917 pExport = Victim->Object.Library.Export;
2925 #define EXPORT_SERIALIZER_VERSION 1 2940 pObject->
Delta = (
DWORD)(Victim->Ept.Gva - Victim->Object.Library.WinMod->VirtualBase - pExport->
Rva);
2942 pHeader->
Size =
sizeof(*pObject);
2971 if (Originator->Return.Library && Originator->Return.Rip != Originator->Rip)
3013 #define START_ORIGINATOR_SERIALZIER_VERSION 1 3014 #define END_ORIGINATOR_SERIALZIER_VERSION 1 3043 #define LIX_VICTIM_SERIALIZER_VERSION 1 3059 pObject->
Type = Victim->Object.Type;
3060 pObject->
ZoneType = Victim->ZoneType;
3063 pHeader->
Size =
sizeof(*pObject);
3085 #define WIN_VICTIM_SERIALIZER_VERSION 1 3100 pObject->
Type = Victim->Object.Type;
3101 pObject->
ZoneType = Victim->ZoneType;
3104 pHeader->
Size =
sizeof(*pObject);
3163 if (Originator->PcType)
3193 if (Originator->PcType)
3221 #define START_MISC_SERIALZIER_VERSION 1 3222 #define END_MISC_SERIALZIER_VERSION 1 3251 #define START_VICTIM_SERIALZIER_VERSION 1 3252 #define END_VICTIM_SERIALZIER_VERSION 1 3281 #define KM_ORIGINATOR_SERIALZIER_VERSION 1 3302 #define KM_ORIGINATOR_SERIALZIER_VERSION 1 3352 #define WIN_KM_VICTIM_SERIALIZER_VERSION 1 3368 pObject->
Type = Victim->Object.Type;
3369 pObject->
ZoneType = Victim->ZoneType;
3372 pHeader->
Size =
sizeof(*pObject);
3375 switch (Victim->ZoneType)
3396 switch (Victim->Object.Type)
3432 #define LIX_KM_VICTIM_SERIALIZER_VERSION 1 3448 pObject->
Type = Victim->Object.Type;
3449 pObject->
ZoneType = Victim->ZoneType;
3452 pHeader->
Size =
sizeof(*pObject);
3455 switch (Victim->ZoneType)
3477 switch (Victim->Object.Type)
3585 #define START_MISC_SERIALZIER_VERSION 1 3586 #define END_MISC_SERIALZIER_VERSION 1 3626 pHeader->
Event = EventClass;
3636 _In_ const void *Originator,
3637 _In_ const void *Victim,
3658 _In_ const void *Originator,
3659 _In_ const void *Victim,
3680 _In_ const void *Originator,
3681 _In_ const void *Victim,
3715 _In_ void *Originator,
3757 ERROR(
"[ERROR] Unsupported exception type (%d) ...", Type);
struct _SERIALIZER_DPI_WIN_HEAP_SPRAY::@258 HeapPages[0xF]
struct _SERIALIZER_WIN_PROCESS SERIALIZER_WIN_PROCESS
Describes a serialized intObjWinProcess object.
static void IntSerializeLixVma(const LIX_VMA *Vma)
Serialize the provided LIX_VMA object.
struct _SERIALIZER_WIN_VAD * PSERIALIZER_WIN_VAD
#define DPI_WIN_DEBUG_SERIALIZER_VERSION
Used for the DPI security descriptor objects.
#define CODE_BLOCKS_SERIALIZER_VERSION
struct _SERIALIZER_ARCH_REGS SERIALIZER_ARCH_REGS
Describes a serialized intObjArchRegs object.
QWORD Gva
The guest virtual address of the vm_area_struct this structure is based on.
static void IntSerializeWinDpiInfo(const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the DPI extra information.
QWORD UserCr3
Process user PDBR. Includes PCID.
struct _SERIALIZER_DPI_WIN_HEAP_SPRAY * PSERIALIZER_DPI_WIN_HEAP_SPRAY
struct _SERIALIZER_EXCEPTION_VICTIM SERIALIZER_EXCEPTION_VICTIM
Describes a serialized intObjVictim object.
enum _INTRO_ACTION_REASON INTRO_ACTION_REASON
The reason for which an INTRO_ACTION was taken.
#define DESCRIPTOR_SIZE_32
static void IntSerializeString(const void *String, DWORD Size, DWORD Encode, SERIALIZER_OBJECT_HEADER *Header)
Serialize the provided string.
struct _SERIALIZER_DPI_WIN_THREAD_START * PSERIALIZER_DPI_WIN_THREAD_START
Describes a serialized intObjRawDump object.
struct _DPI_EXTRA_INFO::@206::@210 HeapPages[HEAP_SPRAY_NR_PAGES]
#define EXPORT_SERIALIZER_VERSION
Describes a serialized intObjMsr object.
void IntSerializeLixKmOriginator(const EXCEPTION_KM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the information about Linux kernel-mode originator.
struct _SERIALIZER_DPI * PSERIALIZER_DPI
Describes a serialized string.
QWORD StartAddress
The address where the thread started executing.
QWORD Flags
The protection flags.
QWORD File
The guest virtual address of the file this VMA maps to.
#define HEAP_SPRAY_NR_PAGES
Describes the header of the serializer buffer.
char * utf16toutf8(char *Destination, const WCHAR *Source, DWORD DestinationMaxLength)
Used to notify the deserializer that all of the originator's objects have been parsed.
INTSTATUS IntVirtMemUnmap(void **HostPtr)
Unmaps a memory range previously mapped with IntVirtMemMap.
struct _SERIALIZER_LIX_KERNEL_MODULE::@256 InitLayout
static void IntSerializeRipCode(void)
Serialize the guest memory page that contains the RIP at which the violation attempt was detected...
The creation of a process was attempted while the parent had its heap sprayed.
Used for the read info object.
Describes a serialized intObjLixProcess object.
DWORD Event
The intro event type.
A mov using a segment:offset.
Kernel module (ntoskrnl.exe, hal.dll, etc.).
ACL NewSacl
The new SACL header.
Describes a serialized intObjDpiWinDebug.
INTSTATUS IntFragExtractCodePattern(PBYTE Buffer, DWORD StartOffset, DWORD MaxBufferSize, IG_CS_TYPE CsType, CB_EXTRACT_LEVEL ExtractLevel, DWORD PatternSize, CODE_BLOCK_PATTERN *Pattern, DWORD *TotalExtracted)
Extract a pattern of code-blocks from the given code buffer.
Describes a serialized intObjDpiPivotedStack.
struct _SERIALIZER_KERNEL_DRV_OBJECT SERIALIZER_KERNEL_DRV_OBJECT
Describes a serialized intObjKernelDrvObject object.
QWORD StolenFrom
The process from which the token was stolen.
static BYTE * gCurrentPtr
IG_ARCH_REGS Regs
The current state of the guest registers.
DWORD Flags
The flags of the VAD.
#define WRITE_INFO_SERIALIZER_VERSION
DWORD Crc32Compute(const void *Buffer, size_t Size, DWORD InitialCrc)
Computes the CRC for a byte array.
struct _SERIALIZER_IDT * PSERIALIZER_IDT
struct _SERIALIZER_RAW_DUMP * PSERIALIZER_RAW_DUMP
struct _CODE_BLOCK_PATTERN CODE_BLOCK_PATTERN
struct _SERIALIZER_ARCH_REGS * PSERIALIZER_ARCH_REGS
QWORD SystemCr3
The Cr3 used to map the kernel.
#define INT_STATUS_SUCCESS
QWORD StartPage
The first page in the VAD.
struct _SERIALIZER_KERNEL_DRIVER * PSERIALIZER_KERNEL_DRIVER
static QWORD IntSerializeCurrentId(void)
Increments the current serializer alert ID and returns the new value.
Fast IO Dispatch (Windows only).
struct _DPI_EXTRA_INFO::@204 DpiPivotedStackExtraInfo
Describes a serialized intObjVictim object.
ACL OldDacl
The old DACL header.
This represents an attempt of modifying the context of another thread.
QWORD ActualParent
The guest virtual address of the parent process.
static void IntSerializeProcess(void *Process, const DWORD ObjectType)
Serialize the provided process object.
static char gBase64Buffer[Base64EncSize(sizeof(gSerializerBuffer))]
struct _DPI_EXTRA_INFO::@209 DpiSecDescAclExtraInfo
struct _SERIALIZER_WIN_PROCESS * PSERIALIZER_WIN_PROCESS
Non-conditional jump, of any kind.
#define RIP_CODE_SERIALIZER_VERSION
DWORD Size
The total size of the section.
static void IntSerializeCodeBlocksPattern(CODE_BLOCK *CodeBlocks, DWORD Count, QWORD Rip, BOOLEAN Execute, SERIALIZER_CODE_BLOCKS *Object)
Iterates through all extracted code-block patterns and serializes them.
struct _SERIALIZER_MSR SERIALIZER_MSR
Describes a serialized intObjMsr object.
User-mode non executable zone.
struct _SERIALIZER_CR SERIALIZER_CR
Describes a serialized intObjCr object.
static void IntSerializeDpiWinSecDesc(const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the DPI altered Security Descriptor info (Windows).
QWORD TrapFrameAddress
The address of the trap frame. Used for more information gathering when sending the alert...
Describes a serialized intObjWriteInfo object.
static void IntSerializeKmVictim(const EXCEPTION_KM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the information about kernel-mode victim.
QWORD Wow64StackLimit
The known stack limit in WoW64 mode. Valid only if the process is WoW64.
QWORD Peb32Address
PEB 32 address (on pure x64 processes, this will be 0).
Describes a serialized intObjDpiWinThreadStart.
QWORD NewEnabled
The new value from parent's token Privileges.Enabled field, which was deemed malicious.
#define RAW_DUMP_SERIALIZER_VERSION
DWORD OffsetStart
The start offset of the extracted code block within its page. The serializer does use it: the OffsetStart of the first serialized block is added to the page base of the RIP to compute the StartAddress reported in the alert.
struct _WIN_PROCESS_OBJECT::@232 CreationInfo
QWORD BaseVa
The guest virtual address of the kernel module that owns this driver object.
static BYTE gSerializerBuffer[MAX_SERIALIZER_LENGTH]
struct _SERIALIZER_EXPORT * PSERIALIZER_EXPORT
DWORD NumberOfOffsets
Number of symbols pointing to the exported RVA.
static SERIALIZER_OBJECT_HEADER * IntSerializeObjectHeader(const DWORD Version, const DWORD Type)
Creates a SERIALIZER_OBJECT_HEADER object and fills its fields with the provided parameters.
Describes a serialized intObjLixVma object.
static void IntSerializeCr(const EXCEPTION_VICTIM_CR *Cr)
Serialize the provided CR object.
static void IntSerializeExecInfo(const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the execution violation information.
DWORD Entry
The modified entry from the IDT.
#define INT_SUCCESS(Status)
Used for the windows process object.
struct _SERIALIZER_DPI_PIVOTED_STACK * PSERIALIZER_DPI_PIVOTED_STACK
QWORD StackBase
The stack base for the thread that attempted the execution.
static void IntSerializeLixProcess(const LIX_TASK_OBJECT *Process, const DWORD ObjectType)
Serialize the provided LIX_TASK_OBJECT object.
WORD Size
Code block size, in patterns.
QWORD StartAddress
The address on which the parent's thread started execution.
Used for the windows module object.
Used for the windows kernel driver object.
#define WIN_KERNEL_DRIVER_SERIALIZER_VERSION
struct _SERIALIZER_DPI_WIN_HEAP_SPRAY SERIALIZER_DPI_WIN_HEAP_SPRAY
Describes a serialized intObjDpiWinHeapSpray.
static void IntSerializeKmMisc(const EXCEPTION_KM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the misc information for kernel-mode alert.
Describes a serialized intObjRipCode object.
The modified object is inside an EPT hook.
struct _SERIALIZER_WIN_KERNEL_DRIVER SERIALIZER_WIN_KERNEL_DRIVER
Describes a serialized intObjWinKernelDriver object.
CHAR String[0]
The content of the string. This is a zero-length trailing array: the string bytes are written directly after the header in the serializer buffer, and the header's Size is increased by Length (times sizeof(WCHAR) for wide strings) to account for them.
struct _SERIALIZER_DPI_WIN_DEBUG * PSERIALIZER_DPI_WIN_DEBUG
#define DPI_WIN_THREAD_START_SERIALIZER_VERSION
Describes a serialized intObjKmOriginator object.
struct _SERIALIZER_RIP_CODE * PSERIALIZER_RIP_CODE
DWORD AccessSize
The size of the access, copied from the victim's WriteInfo.AccessSize / ReadInfo.AccessSize. The value arrays that accompany it are only valid for their first AccessSize bytes (the "Size" mentioned in their descriptions refers to this field).
Used for the DPI token privs object.
BYTE MaxHeapValPageContent[0x1000]
The copied page which has the most heap values in it.
static void IntSerializeCodeBlocks(QWORD Rip, QWORD Cr3, BOOLEAN Execute)
Serialize the extracted code-blocks for the current exception.
DWORD Offset
The offset of the instruction in the page.
#define CODE_BLOCK_CHUNKS_COUNT
Number of chunks (CODE_INS) per codeblock.
struct _SERIALIZER_WRITE_INFO * PSERIALIZER_WRITE_INFO
Describes a serialized intObjDpiWinSecDesc.
QWORD Gva
The guest virtual address of the task_struct.
Describes a user-mode originator.
QWORD SecDescStolenFromEproc
If the parent security descriptor has been stolen, this variable may indicate (in case we find it) th...
Describes a serialized intObjWinModule object.
QWORD MainModuleAddress
The address of the main module.
Describes a serialized intObjDpi object.
Describes a serialized intObjWinVad object.
QWORD Start
Start of the memory described by the VMA.
Describes a serialized intObjCodeBlocks object.
QWORD StolenFromEprocess
The EPROCESS address from which the token was stolen.
Describes the header for each serialized item.
int INTSTATUS
The status data type.
QWORD Size
The size of the kernel module that owns this driver object.
struct _SERIALIZER_READ_INFO SERIALIZER_READ_INFO
Describes a serialized intObjExecInfo object.
static INTSTATUS IntSerializeExtractCodeBlocks(QWORD Rip, QWORD Cr3, BOOLEAN Execute, SERIALIZER_CODE_BLOCKS *Object)
Extract the code-blocks for the current exception.
#define KERNEL_DRV_OBJECT_SERIALIZER_VERSION
Used for the Injection object.
struct _SERIALIZER_DPI_WIN_STOLEN_TOKEN * PSERIALIZER_DPI_WIN_STOLEN_TOKEN
QWORD Value[8]
The read value. Only the first Size bytes are valid.
Describes a serialized intObjArchRegs object.
Describes a serialized intObjDpiWinHeapSpray.
static void IntSerializeReadInfo(const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the read violation information.
#define MAX_SERIALIZER_LENGTH
struct _SERIALIZER_OBJECT_HEADER SERIALIZER_OBJECT_HEADER
Describes the header for each serialized item.
Used to notify the deserializer that the objects that follow describe the victim.
static void IntSerializeWinUmOriginator(const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the information about windows user-mode originator.
struct _SERIALIZER_LIX_PROCESS * PSERIALIZER_LIX_PROCESS
QWORD DebuggerEprocess
This will keep the EPROCESS of the debugger process (if any).
Describes a serialized intObjEpt object.
static void IntSerializeLixUmVictim(const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the information about Linux user-mode victim.
static void IntSerializeIncrementCurrentPtr(const DWORD Size)
Advances the current serializer buffer pointer by the provided size.
static void IntSerializeCodeBlocksGetExtractRange(QWORD Rip, BOOLEAN Execute, DWORD *Start, DWORD *End)
Computes the range from which the code-blocks should be extracted.
Describes a kernel-mode originator.
Used for the DPI heap spray object.
struct _SERIALIZER_IDT SERIALIZER_IDT
Describes a serialized intObjIdt object.
QWORD StartAddress
The guest linear address from which the code blocks were extracted.
Used for the DPI thread start object.
struct _SERIALIZER_EXCEPTION_KM_ORIGINATOR * PSERIALIZER_EXCEPTION_KM_ORIGINATOR
QWORD StackBase
The known stack base of the parent process.
static BOOLEAN IntSerializeValidObjectSize(DWORD Size)
Checks whether an object of Size bytes still fits in the serializer buffer at the current offset; on overflow it logs the current offset, the buffer size and the required size, and reports failure so the object is not written.
#define ALERT_MAX_CODEBLOCKS
The maximum number of code blocks included in an alert structure.
QWORD EprocessAddress
This will be the address of the EPROCESS.
static void IntSerializeWinUmMisc(const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the misc information for windows user-mode alert.
INTRO_GUEST_TYPE OSType
The type of the guest.
QWORD Wow64StackBase
The known stack base in WoW64 mode. Valid only if the process is WoW64.
Describes a serialized intObjInjection object.
void IntSerializeWinVad(const VAD *Vad)
Serialize the provided VAD object.
#define END_ORIGINATOR_SERIALZIER_VERSION
#define _Out_writes_(expr)
static void IntSerializeLixKmVictim(const EXCEPTION_KM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the information about Linux kernel-mode victim.
struct _SERIALIZER_DPI_WIN_SEC_DESC * PSERIALIZER_DPI_WIN_SEC_DESC
Used for the code object.
struct _SERIALIZER_DPI_WIN_STOLEN_TOKEN SERIALIZER_DPI_WIN_STOLEN_TOKEN
Describes a serialized intObjDpiWinStolenToken.
QWORD VadGva
The guest virtual address at which the corresponding Windows _MMVAD structure is located.
QWORD Gpa
The guest physical address of the guest _DRIVER_OBJECT represented by this structure.
BYTE Type
The violation type.
QWORD Size
The size of the kernel module that owns this driver object.
Used for the return kernel driver object.
DWORD AccessSize
The size of the access, copied from the victim's WriteInfo.AccessSize / ReadInfo.AccessSize. The value arrays that accompany it are only valid for their first AccessSize bytes (the "Size" mentioned in their descriptions refers to this field).
Used for the Linux task object.
#define READ_INFO_SERIALIZER_VERSION
Describes a serialized intObjDpiWinTokenPrivs.
#define WIN_KM_VICTIM_SERIALIZER_VERSION
enum _ZONE_TYPE ZONE_TYPE
Describes the zone types that can be excepted.
QWORD Peb64Address
PEB 64 address (on x86 OSes, this will be 0).
Describes a serialized intObjExport object.
BYTE Bytes[16]
The instruction bytes.
static void IntSerializeRawDump(const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the raw dump for the injection violation.
struct _SERIALIZER_WRITE_INFO SERIALIZER_WRITE_INFO
Describes a serialized intObjWriteInfo object.
QWORD ShellcodeFlags
The shellcode flags given by shemu on the detected page.
Used for the code-blocks object.
#define ZONE_PROC_INSTRUMENT
Used for exceptions for instrumentation callback.
static CB_EXTRACT_LEVEL IntSerializeCodeBlocksGetExtractLevel(QWORD Rip)
Get the code-blocks extraction level.
#define LIX_PROCESS_SERIALIZER_VERSION
Describes a kernel driver.
Used for user-mode exceptions.
BYTE Chunks[CODE_BLOCK_CHUNKS_COUNT]
The actual CODE_INS values representing the instruction pattern.
QWORD Base
The base guest virtual address of the section.
DWORD Size
Virtual size of the module.
enum _SERIALIZER_EXCEPTION_TYPE SERIALIZER_EXCEPTION_TYPE
Describes the serialized exception type.
static void IntSerializeKernelUserException(const void *Originator, const void *Victim, INTRO_EVENT_TYPE EventClass)
Serialize the kernel-user mode exception.
struct _SERIALIZER_DTR SERIALIZER_DTR
Describes a serialized intObjDtr object.
QWORD Rip
The guest virtual address of the instruction.
#define LIX_KERNEL_MODULE_SERIALIZER_VERSION
struct _SERIALIZER_INJECTION SERIALIZER_INJECTION
Describes a serialized intObjInjection object.
void IntSerializeException(void *Victim, void *Originator, DWORD Type, INTRO_ACTION Action, INTRO_ACTION_REASON Reason, INTRO_EVENT_TYPE EventClass)
The entry point of the serializer; will serialize the provided exception if the violation is blocked ...
DWORD Length
The length of the injection.
Used for kernel-mode exceptions.
BYTE TrapFrameContent[512]
The content of the trap frame where the current stack has been found.
QWORD Flags
Flags for the VMA.
DWORD TextSize
The size of the .text (code usually).
struct _SERIALIZER_LIX_KERNEL_MODULE::@257 CoreLayout
#define Base64EncSize(Length)
static DWORD gCodeBlocksPatternLength
void IntSerializeStart(void)
Sets the current serializer pointer to the beginning of the buffer and generates a new alert-ID...
QWORD Cr3
Process PDBR. Includes PCID.
The modified object is IDTR/GDTR.
INTSTATUS IntGetCurrentMode(DWORD CpuNumber, DWORD *Mode)
Read the current CS type.
static void IntSerializeAccessInfo(const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the read/write/exec violation information.
QWORD Gva
The guest virtual address in which the injection occurs.
struct _SERIALIZER_CR * PSERIALIZER_CR
QWORD EntryPoint
The entry point of this driver.
#define START_MISC_SERIALZIER_VERSION
DWORD Protection
VAD protection as represented by Introcore.
DWORD Guest
The operation system.
enum _INTRO_OBJECT_TYPE INTRO_OBJECT_TYPE
The type of the object protected by an EPT hook.
#define DPI_SERIALIZER_VERSION
struct _SERIALIZER_RIP_CODE SERIALIZER_RIP_CODE
Describes a serialized intObjRipCode object.
static void IntSerializeWinKmVictim(const EXCEPTION_KM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the information about Windows kernel-mode victim.
static void IntSerializeWinModule(const WIN_PROCESS_MODULE *Module, const DWORD ObjectType)
Serialize the provided WIN_PROCESS_MODULE object.
static BOOLEAN IntSerializeStringIsWcharAscii(const void *String, DWORD Size)
Checks whether every byte of the provided buffer is <= 0x7f, i.e. whether a WCHAR string is plain ASCII and can be narrowed to one byte per character (Length = Size / 2) without loss.
static void IntSerializeUmMisc(const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the misc information for user-mode alert.
struct _SERIALIZER_DPI_WIN_THREAD_START SERIALIZER_DPI_WIN_THREAD_START
Describes a serialized intObjDpiWinThreadStart.
struct _SERIALIZER_WIN_MODULE * PSERIALIZER_WIN_MODULE
#define START_VICTIM_SERIALZIER_VERSION
static void IntSerializeLixUmMisc(const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the misc information for Linux user-mode alert.
QWORD StackLimit
The stack limit for the thread that attempted the execution.
#define INITIAL_CRC_VALUE
QWORD Wow64StackLimit
The known stack limit of the parent process in WoW64 mode.
#define VICTIM_SERIALIZER_CR_VERSION
Describes a serialized intObjInstrux object.
DWORD Flags
The protection flags.
static CODE_BLOCK gCodeBlocks[PAGE_SIZE/sizeof(CODE_BLOCK)]
#define IS_KERNEL_POINTER_LIX(p)
struct _SERIALIZER_LIX_VMA SERIALIZER_LIX_VMA
Describes a serialized intObjLixVma object.
#define EXCEPTION_CODEBLOCKS_OFFSET
The maximum offset for codeblocks extraction.
static void IntSerializeMsr(const EXCEPTION_VICTIM_MSR *Msr)
Serialize the provided MSR object.
Describes a serialized intObjKernelDrvObject object.
#define IG_CURRENT_VCPU
For APIs that take a VCPU number as a parameter, this can be used to specify that the current VCPU sh...
Used for the instruction object.
QWORD StackLimit
The known stack limit of the parent process.
struct _SERIALIZER_EXCEPTION_UM_ORIGINATOR SERIALIZER_EXCEPTION_UM_ORIGINATOR
Describes a serialized intObjUmOriginator object.
struct _SERIALIZER_WIN_KERNEL_DRIVER * PSERIALIZER_WIN_KERNEL_DRIVER
struct _KTRAP_FRAME64 KTRAP_FRAME64
Used for the windows kernel driver object.
#define ZONE_EXECUTE
Used for execute violation.
QWORD ZoneFlags
The zone-flags of the victim object.
Holds information about a driver object.
static void IntSerializeWinProcess(const WIN_PROCESS_OBJECT *Process, const DWORD ObjectType)
Serialize the provided WIN_PROCESS_OBJECT object.
struct _SERIALIZER_DPI_WIN_SEC_DESC SERIALIZER_DPI_WIN_SEC_DESC
Describes a serialized intObjDpiWinSecDesc.
The parent of a process has a stolen access token when it created the child.
This represents an attempt to queue an APC into the victim process.
static void IntSerializeDpi(const EXCEPTION_UM_ORIGINATOR *Originator)
Serialize the DPI flags.
BOOLEAN Guest64
True if this is a 64-bit guest, False if it is a 32-bit guest.
Used for the export object.
#define ZONE_PROC_THREAD_APC
Used for the APC thread hijacking technique.
static void IntSerializeUmException(const void *Originator, const void *Victim, INTRO_EVENT_TYPE EventClass)
Serialize the user-mode exception.
Used for the Linux VMA object.
DWORD Arch
The architecture of the current guest.
ACL NewSacl
The new SACL header.
Used for the windows parent process object.
Used for the execution info object.
void IntSerializeKmOriginator(const EXCEPTION_KM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the information about kernel-mode originator.
static CODE_BLOCK_PATTERN gCodeBlocksPattern[PAGE_SIZE/sizeof(CODE_BLOCK_PATTERN)]
QWORD Debugger
The debugger of the current process. May or may not be the parent.
The creation of a process was attempted with token privileges altered in a malicious way...
static void IntSerializeKernelDriver(const EXCEPTION_KM_ORIGINATOR *Originator, const KERNEL_DRIVER *Driver, const DWORD ObjectType)
Serialize the provided KERNEL_DRIVER object.
static void IntSerializeWinUmVictim(const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the information about user-mode windows victim.
DWORD Detected
The bit is set if the i-th page was detected as malicious by shemu.
#define IS_KERNEL_POINTER_WIN(is64, p)
Checks if a guest virtual address resides inside the Windows kernel address space.
DWORD SerializedType
The type of the serialized exception (SERIALIZER_EXCEPTION_TYPE)
DWORD Version
The version of the serialized object (used for compatibility).
QWORD BaseVa
The guest virtual address of the kernel module that owns this driver object.
The parent of a process had a pivoted stack when it created the child.
Describes a serialized intObjDtr object.
QWORD CurrentWow64Stack
The current stack of the process in WoW64 mode. Valid only if the process is WoW64.
This is a classic code injection attempt that simply modifies the memory of the victim process...
#define VICTIM_SERIALIZER_DTR_VERSION
struct _SERIALIZER_EXPORT SERIALIZER_EXPORT
Describes a serialized intObjExport object.
static void IntSerializeWinKernelDriver(const KERNEL_DRIVER *Driver, DWORD ObjectType)
Serialize the provided KERNEL_DRIVER object.
This includes instructions until codeInsBt.
QWORD ShellcodeFlags
The shellcode flags given by shemu on the detected page.
struct _SERIALIZER_INSTRUX SERIALIZER_INSTRUX
Describes a serialized intObjInstrux object.
This represents an attempt to set an instrument callback inside the victim process.
DPI_EXTRA_INFO DpiExtraInfo
Represents the gathered extra info while checking the DPI heuristics.
struct _SERIALIZER_DTR * PSERIALIZER_DTR
QWORD NewPresent
The new Privileges.Present value in the parent's token, which was deemed malicious.
QWORD Rsp
The value of the guest RSP register at the moment of execution.
static void IntSerializeDpiWinDebug(const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the DPI debug flags info (Windows).
QWORD SecDescStolenFromEproc
If the parent security descriptor has been stolen, this variable may indicate (in case we find it) th...
QWORD NewPresent
The new value from parent's token Privileges.Present field, which was deemed malicious.
QWORD CurrentStack
The current stack of the process at the point of process creation.
static QWORD gSerializerCurrentId
static void IntSerializeLixKmMisc(const EXCEPTION_KM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the misc information for Linux kernel-mode alert.
static void IntSerializeDpiWinStolenToken(const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the DPI stolen token info (Windows).
static void IntSerializeDump(void)
Dumps the serialized buffer (base64 format).
QWORD RealParent
The guest virtual address of the task_struct->real_parent.
QWORD NewValue[8]
The size of the access.
Used to notify the deserializer that all the misc objects have been parsed.
#define DESCRIPTOR_SIZE_64
DWORD Length
The length of the string.
Used to notify the deserializer that the next objects contain the originator.
WORD Size
The size (bytes) of the serializer buffer. Note this is a 16-bit WORD field, so it can only describe up to 65535 bytes.
The modified object is a MSR.
static void IntSerializeExport(const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the modified exports.
BYTE Value
The CODE_INS value describing the instruction type.
DWORD Msr
The written MSR.
struct _SERIALIZER_DPI_WIN_ACL_EDIT SERIALIZER_DPI_WIN_ACL_EDIT
Describes a serialized intObjDpiWinAclEdit.
#define END_MISC_SERIALZIER_VERSION
#define LIX_KM_VICTIM_SERIALIZER_VERSION
static void IntSerializeDpiWinAclEdit(const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the DPI ACL edit info (Windows).
static void IntSerializeLixKernelModule(const KERNEL_DRIVER *Driver, DWORD ObjecType)
Serialize the provided KERNEL_DRIVER object.
DWORD TimeDateStamp
The driver's internal timestamp (from the _IMAGE_FILE_HEADER).
struct _SERIALIZER_MSR * PSERIALIZER_MSR
#define WIN_PROCESS_MODULE_SERIALIZER_VERSION
ACL NewDacl
The new DACL header.
DWORD Length
The length of the code array.
#define EXEC_INFO_SERIALIZER_VERSION
Used for the Linux parent task object.
static void IntSerializeArchRegs(void)
Serialize the guest registers.
DWORD Length
The length of the instruction.
struct _SERIALIZER_LIX_KERNEL_MODULE SERIALIZER_LIX_KERNEL_MODULE
Describes a serialized intObjLixKernelModule object.
Describes the modified zone.
static void IntSerializeDpiWinTokenPrivs(const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the DPI token privs info (Windows).
#define UNREFERENCED_PARAMETER(P)
#define DPI_WIN_SEC_DESC_SERIALIZER_VERSION
Describes a serialized intObjUmOriginator object.
struct _DPI_EXTRA_INFO::@205 DpiStolenTokenExtraInfo
This includes instructions until codeInsFlags.
struct _SERIALIZER_EXCEPTION_KM_ORIGINATOR SERIALIZER_EXCEPTION_KM_ORIGINATOR
Describes a serialized intObjKmOriginator object.
#define INT_STATUS_DATA_BUFFER_TOO_SMALL
struct _SERIALIZER_DPI SERIALIZER_DPI
Describes a serialized intObjDpi object.
#define LIX_VMA_SERIALIZER_VERSION
DWORD Rva
The RVA of this export.
ZONE_TYPE ZoneType
The zone-type of the victim object.
static char * IntSerializerBase64Get(DWORD *Length)
Converts the serialized buffer to base64.
Executions inside the SharedUserData region.
The Virtualization exception agent injected inside the guest.
#define KERNEL_DRIVER_SERIALIZER_VERSION
struct _SERIALIZER_INSTRUX * PSERIALIZER_INSTRUX
#define VICTIM_SERIALIZER_MSR_VERSION
static void IntSerializeEpt(const EXCEPTION_VICTIM_EPT *Ept, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the provided EPT object.
struct _DPI_EXTRA_INFO::@208 DpiThreadStartExtraInfo
ACL OldDacl
The old DACL header.
#define INSTRUX_SERIALIZER_VERSION
QWORD StackBase
The known stack base present in TIB at the moment of process creation.
struct _DPI_EXTRA_INFO::@206 DpiHeapSprayExtraInfo
Describes a serialized intObjWinProcess object.
static void IntSerializeDpiWinPivotedStack(const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the DPI pivoted stack info (Windows).
Describes a serialized intObjIdt object.
BYTE Encode
The encode type of the string (utf-8, utf-16).
struct _SERIALIZER_KERNEL_DRIVER SERIALIZER_KERNEL_DRIVER
Describes a serialized intObjKernelDriver object.
enum _INTRO_ACTION INTRO_ACTION
Event actions.
DWORD RoSize
The size of the .rodata (read-only).
struct _SERIALIZER_STRING * PSERIALIZER_STRING
Describes a serialized intObjExecInfo object.
struct _SERIALIZER_CODE_BLOCKS * PSERIALIZER_CODE_BLOCKS
const char gBase64Chars[]
No access type. This can be used for swap hooks.
DWORD Pid
Process ID (the one used by Windows).
The action was allowed, but it has the BETA flag (Introcore is in log-only mode). ...
DWORD Flags
The DPI flags.
Used for the victim object.
struct _SERIALIZER_LIX_PROCESS SERIALIZER_LIX_PROCESS
Describes a serialized intObjLixProcess object.
QWORD OldPtrValue
Old value.
static void IntSerializeIdt(const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the provided IDT object.
QWORD Gva
The written/read/exec guest virtual address.
#define VICTIM_SERIALIZER_INJECTION_VERSION
static void IntSerializeWinKmMisc(const EXCEPTION_KM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the misc information for windows kernel-mode alert.
struct _SERIALIZER_EXCEPTION_UM_ORIGINATOR * PSERIALIZER_EXCEPTION_UM_ORIGINATOR
struct _DPI_EXTRA_INFO::@207 DpiTokenPrivsExtraInfo
static void IntSerializeKmException(const void *Originator, const void *Victim, INTRO_EVENT_TYPE EventClass)
Serialize the kernel-mode exception.
__must_check INTSTATUS IntVirtMemMap(QWORD Gva, DWORD Length, QWORD Cr3, DWORD Flags, void **HostPtr)
Maps a guest virtual memory range inside Introcore virtual address space.
#define DPI_WIN_ACL_SERIALIZER_VERSION
DWORD HeapValCount
The number of heap values in the page. Since the max value can be 1024, 11 bits are needed...
DWORD NameLens[MAX_OFFSETS_PER_NAME]
Length of each name pointing to this RVA.
The string encoding type 'utf-16'.
MM Mm
Guest memory information, such as paging mode, system Cr3 value, etc.
void IntSerializeWinKmOriginator(const EXCEPTION_KM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the information about windows kernel-mode originator.
struct _SERIALIZER_DPI_PIVOTED_STACK SERIALIZER_DPI_PIVOTED_STACK
Describes a serialized intObjDpiPivotedStack.
The parent of a process tried to obtain debug privileges over the child.
void IntSerializeLixUmOriginator(const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the information about Linux user-mode originator.
static void IntSerializeKernelDrvObject(const WIN_DRIVER_OBJECT *DrvObject)
Serialize the provided WIN_DRIVER_OBJECT object.
DWORD CsType
The type of the code segment. Can be one of the IG_CS_TYPE values.
static DWORD IntSerializeCurrentOffset(void)
Get the current offset (length) of the serialized buffer.
Used to notify the deserializer that the next objects contain the misc objects.
The parent of a process has an altered security descriptor pointer.
GUEST_STATE gGuest
The current guest state.
The modified object is inside a process.
QWORD Wow64CurrentStack
The current stack of the parent process in WoW64 mode.
struct _SERIALIZER_RAW_DUMP SERIALIZER_RAW_DUMP
Describes a serialized intObjRawDump object.
#define LIX_VICTIM_SERIALIZER_VERSION
INTSTATUS IntVirtMemRead(QWORD Gva, DWORD Length, QWORD Cr3, void *Buffer, DWORD *RetLength)
Reads data from a guest virtual memory range.
#define DPI_WIN_HEAP_SPRAY_SERIALIZER_VERSION
ACL NewDacl
The new DACL header.
Describes a serialized intObjKernelDriver object.
QWORD Cr3
Process PDBR. Includes PCID.
Used for the DPI debug object.
QWORD ParentEprocess
The EPROCESS of the parent process.
#define START_ORIGINATOR_SERIALZIER_VERSION
Used for kernel-user mode exceptions.
BYTE Raw[0]
The raw dump of the injection.
Used for the DPI ACL objects.
static void IntSerializeUmOriginator(const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the information about user-mode originator.
struct _SERIALIZER_EPT SERIALIZER_EPT
Describes a serialized intObjEpt object.
struct _SERIALIZER_EXEC_INFO SERIALIZER_EXEC_INFO
Describes a serialized intObjExecInfo object.
struct _SERIALIZER_LIX_KERNEL_MODULE * PSERIALIZER_LIX_KERNEL_MODULE
Used for the registers object.
QWORD Parent
The guest virtual address of the task_struct->parent.
QWORD OldValue[8]
The written value. Only the first Size bytes are valid.
static void * IntSerializeCurrentPtr(DWORD Size)
Returns the current pointer into the serializer buffer and checks for overflows.
static void IntSerializeIncrementCurrentId(void)
Increment the current serializer alert ID.
PWIN_PROCESS_OBJECT IntWinProcFindObjectByEprocess(QWORD Eprocess)
Finds a process by the address of its _EPROCESS structure.
static void IntSerializeDpiWinHeapSpray(const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the DPI heap spray info (Windows).
#define END_VICTIM_SERIALZIER_VERSION
The thread which created the process has started execution on some suspicious code.
Used for the write info object.
Virtual SYSCALL (user-mode, Linux-only).
#define VICTIM_SERIALIZER_IDT_VERSION
QWORD NewPtrValue
New value.
struct _SERIALIZER_EXEC_INFO * PSERIALIZER_EXEC_INFO
struct _CODE_BLOCK CODE_BLOCK
QWORD VirtualBase
Guest virtual address of the loaded module.
#define ZONE_READ
Used for read violation.
#define DPI_WIN_STOLEN_TOKEN_SERIALIZER_VERSION
#define DPI_WIN_PIVOTET_STACK_SERIALIZER_VERSION
WINUM_CACHE_EXPORT * IntWinUmCacheGetExportFromRange(WIN_PROCESS_MODULE *Module, QWORD Gva, DWORD Length)
Tries to find an export in the range [Gva - Length, Gva].
Used for the windows return module object.
struct _SERIALIZER_KERNEL_DRV_OBJECT * PSERIALIZER_KERNEL_DRV_OBJECT
Describes a serialized intObjDpiWinStolenToken.
BYTE DetectedPage[0x1000]
The page which was detected through shemu as malicious.
#define DPI_WIN_TOKEN_PRIVS_SERIALIZER_VERSION
struct _SERIALIZER_EXCEPTION_VICTIM * PSERIALIZER_EXCEPTION_VICTIM
QWORD Gpa
The written/read/exec guest physical address.
PCHAR Names[MAX_OFFSETS_PER_NAME]
The names pointing to this RVA. Each name will point inside the Names structure inside WINUM_CACHE_EX...
Virtual dynamic shared object (user-mode, Linux-only).
WORD Size
The size of the serialized object.
Used for the DPI stolen token object.
Used to notify the deserializer that all the victim's objects have been parsed.
Describes a serialized intObjCr object.
The string encoding type 'utf-8'.
DWORD Type
The injection type.
struct _SERIALIZER_EPT * PSERIALIZER_EPT
struct _SERIALIZER_DPI_WIN_TOKEN_PRIVS SERIALIZER_DPI_WIN_TOKEN_PRIVS
Describes a serialized intObjDpiWinTokenPrivs.
LIX_TASK_OBJECT * IntLixTaskFindByGva(QWORD TaskStruct)
Finds Linux process with the provided "task_struct" guest virtual address.
The modified object is a CR.
static void IntSerializeDtr(const EXCEPTION_VICTIM_DTR *Dtr)
Serialize the provided DTR object.
BYTE StartPage[0x1000]
The copied page from where the thread started executing.
Used for the Linux kernel module object.
Kernel-User mode exception.
VCPU_STATE * gVcpu
The state of the current VCPU.
#define VICTIM_SERIALIZER_EPT_VERSION
ACL OldSacl
The old SACL header.
DWORD VadType
The type of the VAD.
enum _INTRO_EVENT_TYPE INTRO_EVENT_TYPE
Event classes.
DWORD Delta
The offset inside the affected function at which the access was made.
QWORD RealParentEprocess
The active EPROCESS at the moment of creation.
DWORD Count
The number of the exports.
static void IntSerializeBlockToBase64(const BYTE *In, BYTE *Out, size_t Length)
Converts the provided binary buffer to base64.
Describes a serialized intObjWinKernelDriver object.
#define WIN_VICTIM_SERIALIZER_VERSION
#define ZONE_PROC_THREAD_CTX
Used for the CONTEXT structure of a thread.
struct _SERIALIZER_WIN_MODULE SERIALIZER_WIN_MODULE
Describes a serialized intObjWinModule object.
static void IntSerializeWriteInfo(const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the write violation information.
struct _SERIALIZER_DPI_WIN_TOKEN_PRIVS * PSERIALIZER_DPI_WIN_TOKEN_PRIVS
struct _SERIALIZER_WIN_VAD SERIALIZER_WIN_VAD
Describes a serialized intObjWinVad object.
Used for the injection raw dump object.
DWORD Type
The type of the modified DTR.
QWORD Wow64StackBase
The known stack base of the parent process in WoW64 mode.
QWORD EntryPoint
The entry point of this driver.
struct _SERIALIZER_STRING SERIALIZER_STRING
Describes a serialized string.
A mov involving memory (either as the destination or as the source).
static void IntSerializeHeader(SERIALIZER_EXCEPTION_TYPE SerializerType, INTRO_EVENT_TYPE EventClass)
Serialize the header of the serializer buffer.
Used for the DPI pivoted stack object.
struct _SERIALIZER_LIX_VMA * PSERIALIZER_LIX_VMA
QWORD Gva
The guest virtual address of the guest _DRIVER_OBJECT represented by this structure.
#define UNREFERENCED_LOCAL_VARIABLE(V)
ACL OldSacl
The old SACL header.
static void IntSerializeDpiWinThreadStart(const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the DPI start thread info (Windows).
The parent of a process has an altered access control entry (inside SACL or DACL).
DWORD Count
The number of available entries in the CodeBlocks array.
#define WIN_VAD_SERIALIZER_VERSION
struct _SERIALIZER_HEADER SERIALIZER_HEADER
Describes the header of the serializer buffer.
QWORD ShellcodeFlags
Contains the flags on the first page which was detected through shemu.
struct _SERIALIZER_DPI_WIN_ACL_EDIT * PSERIALIZER_DPI_WIN_ACL_EDIT
DWORD Executable
True if the page is executable in the translation.
This represents a read done from another process.
void IntSerializeInstruction(INSTRUX *Instruction, const QWORD Rip)
Serialize the provided INSTRUX object.
struct _SERIALIZER_READ_INFO * PSERIALIZER_READ_INFO
BYTE Code[0]
The contents of the guest memory page that contains the RIP.
QWORD CurrentStack
The current stack of the parent process.
static void IntSerializeUmVictim(const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the information about user-mode victim.
Used for the windows VAD object.
A representation of a Windows VAD structure.
Used for the kernel driver object.
Describes a serialized intObjLixKernelModule object.
struct _SERIALIZER_DPI_WIN_DEBUG SERIALIZER_DPI_WIN_DEBUG
Describes a serialized intObjDpiWinDebug.
QWORD NewEnabled
The new Privileges.Enabled value in the parent's token, which was deemed malicious.
QWORD ObjectGva
The guest virtual address at which this object resides.
_SERIALIZER_EXCEPTION_TYPE
Describes the serialized exception type.
Describes a serialized intObjDpiWinAclEdit.
#define ZONE_WRITE
Used for write violation.
struct _SERIALIZER_INJECTION * PSERIALIZER_INJECTION
DWORD Reserved
Reserved for further use.
Used for the Linux kernel module object.
DWORD ExecCount
The number of execution violations triggered by pages inside this VAD.
WORD Type
The type of the serialized object.
DWORD Length
The length of the Raw field.
DWORD VadProtection
The protection as represented inside the Windows kernel.
Used for the Integrity object.
static void IntSerializeInjection(const EXCEPTION_VICTIM_INJECTION *Injection, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the provided Injection object.
DWORD Offset
The offset where the detection on the given page was given, if Detection is equal to 1...
Used for the windows driver obj object.
struct _SERIALIZER_CODE_BLOCKS SERIALIZER_CODE_BLOCKS
Describes a serialized intObjCodeBlocks object.
INTSTATUS IntLixFileGetPath(QWORD FileStructGva, char **Path, DWORD *Length)
Gets the path that corresponds to the provided FileStructGva (guest virtual address of the 'struct fi...
INTRO_OBJECT_TYPE Type
The type of the victim object.
Describes a serialized intObjExecInfo object.
This structure describes a running process inside the guest.
static void IntSerializeVad(const void *Vad)
Serialize the provided VAD/vma object.
#define WIN_PROCESS_SERIALIZER_VERSION
QWORD MmGva
The guest virtual address of the task_struct->mm.