Bitdefender Hypervisor Memory Introspection
winbugcheck.c
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2020 Bitdefender
3  * SPDX-License-Identifier: Apache-2.0
4  */
5 #include "winbugcheck.h"
6 #include "alerts.h"
7 #include "decoder.h"
8 #include "guests.h"
9 #include "memcloak.h"
10 #include "winprocesshp.h"
11 
12 static char const *
13 IntGetBugCheckName(
14  _In_ QWORD Reason
15  )
25 {
27 #define BUGCHECK_NAME(x) case(x): return &(#x[9])
28 
29  switch (Reason)
30  {
31  BUGCHECK_NAME(BUGCHECK_IRQL_NOT_LESS_OR_EQUAL);
32  BUGCHECK_NAME(BUGCHECK_BAD_POOL_HEADER);
33  BUGCHECK_NAME(BUGCHECK_MEMORY_MANAGEMENT);
34  BUGCHECK_NAME(BUGCHECK_KMODE_EXCEPTION_NOT_HANDLED);
35  BUGCHECK_NAME(BUGCHECK_SYSTEM_SERVICE_EXCEPTION);
36  BUGCHECK_NAME(BUGCHECK_PFN_LIST_CORRUPT);
37  BUGCHECK_NAME(BUGCHECK_PAGE_FAULT_IN_NONPAGED_AREA);
38  BUGCHECK_NAME(BUGCHECK_PROCESS_INITIALIZATION_FAILED);
39  BUGCHECK_NAME(BUGCHECK_KERNEL_STACK_INPAGE_ERROR);
40  BUGCHECK_NAME(BUGCHECK_KERNEL_DATA_INPAGE_ERROR);
41  BUGCHECK_NAME(BUGCHECK_INACCESSIBLE_BOOT_DEVICE);
42  BUGCHECK_NAME(BUGCHECK_SYSTEM_THREAD_EXCEPTION_NOT_HANDLED);
43  BUGCHECK_NAME(BUGCHECK_UNEXPECTED_KERNEL_MODE_TRAP);
44  BUGCHECK_NAME(BUGCHECK_KERNEL_MODE_EXCEPTION_NOT_HANDLED);
45  BUGCHECK_NAME(BUGCHECK_CRITICAL_PROCESS_DIED);
46  BUGCHECK_NAME(BUGCHEDCK_CRITICAL_STRUCTURE_CORRUPTION);
47  default:
48  return "Unknown";
49  }
50 
51 #undef BUGCHECK_NAME
52 }
53 
54 static char const *
55 IntGetBugCheckLink(
56  _In_ QWORD Reason
57  )
67 {
68  switch (Reason)
69  {
70  case BUGCHECK_IRQL_NOT_LESS_OR_EQUAL:
71  return "https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0xa--irql-not-less-or-equal";
72  case BUGCHECK_BAD_POOL_HEADER:
73  return "https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0x19--bad-pool-header";
74  case BUGCHECK_MEMORY_MANAGEMENT:
75  return "https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0x1a--memory-management";
76  case BUGCHECK_KMODE_EXCEPTION_NOT_HANDLED:
77  return "https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0x1e--kmode-exception-not-handled";
78  case BUGCHECK_SYSTEM_SERVICE_EXCEPTION:
79  return "https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0x3b--system-service-exception";
80  case BUGCHECK_PFN_LIST_CORRUPT:
81  return "https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0x4e--pfn-list-corrupt";
82  case BUGCHECK_PAGE_FAULT_IN_NONPAGED_AREA:
83  return "https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0x50--page-fault-in-nonpaged-area";
84  case BUGCHECK_PROCESS_INITIALIZATION_FAILED:
85  return "https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0x60--process-initialization-failed";
86  case BUGCHECK_KERNEL_STACK_INPAGE_ERROR:
87  return "https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0x77--kernel-stack-inpage-error";
88  case BUGCHECK_KERNEL_DATA_INPAGE_ERROR:
89  return "https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0x7a--kernel-data-inpage-error";
90  case BUGCHECK_INACCESSIBLE_BOOT_DEVICE:
91  return "https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0x7b--inaccessible-boot-device";
92  case BUGCHECK_SYSTEM_THREAD_EXCEPTION_NOT_HANDLED:
93  return "https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0x7e--system-thread-exception-not-handled";
94  case BUGCHECK_UNEXPECTED_KERNEL_MODE_TRAP:
95  return "https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0x7f--unexpected-kernel-mode-trap";
96  case BUGCHECK_KERNEL_MODE_EXCEPTION_NOT_HANDLED:
97  return "https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0x8e--kernel-mode-exception-not-handled";
98  case BUGCHECK_CRITICAL_PROCESS_DIED:
99  return "https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0xef--critical-process-died";
100  case BUGCHEDCK_CRITICAL_STRUCTURE_CORRUPTION:
101  return "https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0x109---critical-structure-corruption";
102  default:
103  return "https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-code-reference2";
104  }
105 }
106 
107 
108 __forceinline static void
109 IntLogBSODParams(
110  _In_ QWORD Reason,
111  _In_ QWORD Param1,
112  _In_ QWORD Param2,
113  _In_ QWORD Param3,
114  _In_ QWORD Param4
115  )
127 {
128  CHAR const *name = IntGetBugCheckName(Reason);
129  CHAR const *link = IntGetBugCheckLink(Reason);
130 
131  NLOG("Bugcheck 0x%llx - %s\n"
132  "Parameter 1: 0x%016llx\n"
133  "Parameter 2: 0x%016llx\n"
134  "Parameter 3: 0x%016llx\n"
135  "Parameter 4: 0x%016llx\n"
136  "See the online documentation at %s for details\n",
137  Reason, name, Param1, Param2, Param3, Param4, link);
138 }
139 
140 
141 static void
142 IntLogCurrentIP(
143  _In_ QWORD Rip,
144  _In_opt_ CHAR const *Message
145  )
155 {
156  INTSTATUS status;
157  INSTRUX instrux;
158  KERNEL_DRIVER const *pDriver;
159 
160  status = IntDecDecodeInstruction(gGuest.Guest64 ? IG_CS_TYPE_64B : IG_CS_TYPE_32B, Rip, &instrux);
161  if (!INT_SUCCESS(status))
162  {
163  ERROR("[ERROR] IntDecDecodeInstruction failed for instruction at 0x%016llx: 0x%08x\n", Rip, status);
164  return;
165  }
166 
167  pDriver = IntDriverFindByAddress(Rip);
168  if (NULL == pDriver)
169  {
170  ERROR("[ERROR] IntDriverFindByAddress failed: 0x%016llx", Rip);
171  return;
172  }
173 
174  if (Message)
175  {
176  NLOG("\n%s:\n", Message);
177  }
178 
179  NLOG("%s+0x%llx\n0x%016llx\n", utf16_for_log(pDriver->Name), Rip - pDriver->BaseVa, Rip);
180 
181  IntDumpInstruction(&instrux, Rip);
182 }
183 
184 
185 static void
186 IntLogGuestRegisters(
187  void
188  )
195 {
196  IG_ARCH_REGS const *pRegs = &gVcpu->Regs;
197  IG_SEG_REGS segs = {0};
198 
199  NLOG("\nGuest registers on the CPU that caused the bugcheck (%d):\n", gVcpu->Index);
200 
201  IntDumpArchRegs(pRegs);
202 
203  LOG("CR0 = 0x%016llx CR2 = 0x%016llx CR3 = 0x%016llx CR4 = 0x%016llx CR8 = 0x%016llx\n",
204  pRegs->Cr0, pRegs->Cr2, pRegs->Cr3, pRegs->Cr4, pRegs->Cr8);
205  LOG("FLG = 0x%016llx DR7 = 0x%016llx\n", pRegs->Flags, pRegs->Dr7);
206 
207  LOG("IDT Base = 0x%016llx Limit = 0x%016llx\n", pRegs->IdtBase, pRegs->IdtLimit);
208  LOG("GDT Base = 0x%016llx Limit = 0x%016llx\n", pRegs->GdtBase, pRegs->GdtLimit);
209 
210  IntGetSegs(gVcpu->Index, &segs);
211  LOG("CS = 0x%02llx Base = 0x%016llx Limit = 0x%016llx Ar = 0x%08llx\n",
212  segs.CsSelector, segs.CsBase, segs.CsLimit, segs.CsAr);
213  LOG("SS = 0x%02llx Base = 0x%016llx Limit = 0x%016llx Ar = 0x%08llx\n",
214  segs.SsSelector, segs.SsBase, segs.SsLimit, segs.SsAr);
215  LOG("DS = 0x%02llx Base = 0x%016llx Limit = 0x%016llx Ar = 0x%08llx\n",
216  segs.DsSelector, segs.DsBase, segs.DsLimit, segs.DsAr);
217  LOG("ES = 0x%02llx Base = 0x%016llx Limit = 0x%016llx Ar = 0x%08llx\n",
218  segs.EsSelector, segs.EsBase, segs.EsLimit, segs.EsAr);
219  LOG("FS = 0x%02llx Base = 0x%016llx Limit = 0x%016llx Ar = 0x%08llx\n",
220  segs.FsSelector, segs.FsBase, segs.FsLimit, segs.FsAr);
221  LOG("GS = 0x%02llx Base = 0x%016llx Limit = 0x%016llx Ar = 0x%08llx\n",
222  segs.GsSelector, segs.GsBase, segs.GsLimit, segs.GsAr);
223 
224  for (DWORD i = 0; i < gGuest.CpuCount; i++)
225  {
226  VCPU_STATE const *v = &gGuest.VcpuArray[i];
227  IG_ARCH_REGS regs = {0};
228 
229  if (v->Index == gVcpu->Index)
230  {
231  continue;
232  }
233 
234  IntGetGprs(v->Index, &regs);
235  pRegs = &regs;
236 
237  NLOG("\nGuest registers on the CPU %d:\n", v->Index);
238 
239  IntDumpArchRegs(pRegs);
240 
241  LOG("CR0 = 0x%016llx CR2 = 0x%016llx CR3 = 0x%016llx CR4 = 0x%016llx CR8 = 0x%016llx\n",
242  pRegs->Cr0, pRegs->Cr2, pRegs->Cr3, pRegs->Cr4, pRegs->Cr8);
243  LOG("FLG = 0x%016llx DR7 = 0x%016llx\n", pRegs->Flags, pRegs->Dr7);
244 
245  LOG("IDT Base = 0x%016llx Limit = 0x%016llx\n", pRegs->IdtBase, pRegs->IdtLimit);
246  LOG("GDT Base = 0x%016llx Limit = 0x%016llx\n", pRegs->GdtBase, pRegs->GdtLimit);
247 
248  IntGetSegs(v->Index, &segs);
249  LOG("CS = 0x%02llx Base = 0x%016llx Limit = 0x%016llx Ar = 0x%08llx\n",
250  segs.CsSelector, segs.CsBase, segs.CsLimit, segs.CsAr);
251  LOG("SS = 0x%02llx Base = 0x%016llx Limit = 0x%016llx Ar = 0x%08llx\n",
252  segs.SsSelector, segs.SsBase, segs.SsLimit, segs.SsAr);
253  LOG("DS = 0x%02llx Base = 0x%016llx Limit = 0x%016llx Ar = 0x%08llx\n",
254  segs.DsSelector, segs.DsBase, segs.DsLimit, segs.DsAr);
255  LOG("ES = 0x%02llx Base = 0x%016llx Limit = 0x%016llx Ar = 0x%08llx\n",
256  segs.EsSelector, segs.EsBase, segs.EsLimit, segs.EsAr);
257  LOG("FS = 0x%02llx Base = 0x%016llx Limit = 0x%016llx Ar = 0x%08llx\n",
258  segs.FsSelector, segs.FsBase, segs.FsLimit, segs.FsAr);
259  LOG("GS = 0x%02llx Base = 0x%016llx Limit = 0x%016llx Ar = 0x%08llx\n",
260  segs.GsSelector, segs.GsBase, segs.GsLimit, segs.GsAr);
261  }
262 }
263 
264 
265 static void
266 IntLogProcessInfo(
267  void
268  )
272 {
273  IG_ARCH_REGS const *regs = &gVcpu->Regs;
274  WIN_PROCESS_OBJECT const *process = IntWinProcFindObjectByCr3(regs->Cr3);
275 
276  if (NULL != process)
277  {
278  NLOG("\nPROCESS INFORMATION\n"
279  "Process name: %s\n"
280  "Process path: %s\n"
281  "Eprocess: 0x%016llx\n"
282  "Parent: 0x%016llx\n"
283  "Real parent: 0x%016llx\n"
284  "Creation time: 0x%016llx\n"
285  "Cr3/User Cr3: 0x%016llx/0x%016llx\n"
286  "Pid: %d\n"
287  "Token: 0x%016llx\n",
288  process->Name,
289  process->Path ? utf16_for_log(process->Path->Path) : "<invalid>",
290  process->EprocessAddress,
291  process->ParentEprocess,
292  process->RealParentEprocess,
293  process->CreationTime,
294  process->Cr3, process->UserCr3,
295  process->Pid,
296  process->OriginalTokenPtr);
297 
298  if (gGuest.Guest64)
299  {
300  NLOG("PEB32 address: 0x%016llx\nPEB64 address: 0x%016llx\n", process->Peb32Address, process->Peb64Address);
301  }
302  else
303  {
304  NLOG("PEB32 address: 0x%016llx\n", process->Peb32Address);
305  }
306 
307  NLOG("Flags: 0x%08x Exit Status: 0x%08x\n", process->Flags, process->ExitStatus);
308  }
309 }
310 
311 
312 static void
313 IntWinLogVAInfo(
314  _In_ QWORD Va
315  )
321 {
322  INTSTATUS status;
323  VA_TRANSLATION vaTrans = {0};
324  IG_ARCH_REGS const *registers = &gVcpu->Regs;
325 
326  status = IntTranslateVirtualAddressEx(Va, registers->Cr3, TRFLG_NONE, &vaTrans);
327  if (!INT_SUCCESS(status))
328  {
329  return;
330  }
331 
332  NLOG("\nVA TRANSLATION\n");
333  NLOG("Virtual Address: 0x%016llx\nPhysical Address: 0x%016llx\nEntries mappings:\n",
334  vaTrans.VirtualAddress, vaTrans.PhysicalAddress);
335 
336  for (DWORD index = 0; index < vaTrans.MappingsCount; index++)
337  {
338  NLOG(" EntryMapping[%d]: 0x%016llx\n", index, vaTrans.MappingsEntries[index]);
339  }
340 }
341 
342 
343 static void
344 IntWinDumpEflags(
345  _In_ DWORD Eflags
346  )
352 {
353  EFLAGS efl;
354 
355  efl.Raw = Eflags;
356  NLOG("%s %s %s %s %s %s %s %s %s\n",
357  (efl.IOPL ? "iopl=1 " : "iopl=0 "),
358  (efl.OF ? "ov" : "nv"),
359  (efl.DF ? "dn" : "up"),
360  (efl.IF ? "ei" : "di"),
361  (efl.SF ? "ng" : "pl"),
362  (efl.ZF ? "zr" : "nr"),
363  (efl.AF ? "ac" : "na"),
364  (efl.PF ? "pe" : "po"),
365  (efl.CF ? "cy" : "nc"));
366 }
367 
368 
369 static void
370 IntLogStackTrace(
371  _In_ QWORD Address,
372  _In_opt_ CHAR const *Message
373  )
381 {
382 #define MODULE_NAMES_TO_PRINT 64
383 #define TRACE_LIMIT_X64 0x2000
384 #define TRACE_LIMIT_X86 0x2000
385  INTSTATUS status;
386  PIG_ARCH_REGS pRegs;
387  QWORD rsp;
388  QWORD rspValue = 0;
389  QWORD limit;
390  QWORD writtenModules = 0;
391 
392  if (Message)
393  {
394  NLOG("\n%s\n", Message);
395  }
396 
397  pRegs = &gVcpu->Regs;
398 
399  if (Address)
400  {
401  rsp = Address;
402  }
403  else
404  {
405  rsp = pRegs->Rsp;
406  }
407 
408  limit = gGuest.Guest64 ? TRACE_LIMIT_X64 : TRACE_LIMIT_X86;
409 
410  for (size_t i = 1; i < limit; i++)
411  {
412  if (gGuest.Guest64)
413  {
414  status = IntKernVirtMemFetchQword(rsp + 8 * i, &rspValue);
415  }
416  else
417  {
418  status = IntKernVirtMemFetchDword(rsp + 4 * i, (DWORD *)&rspValue);
419  }
420 
421  if (!INT_SUCCESS(status))
422  {
423  break;
424  }
425 
426  KERNEL_DRIVER *pDriver = IntDriverFindByAddress(rspValue);
427  if (pDriver)
428  {
429  if (gGuest.Guest64)
430  {
431  NLOG("0x%016llx %s+0x%llx\n", rsp + 8ull * i, utf16_for_log(pDriver->Name), rspValue - pDriver->BaseVa);
432  }
433  else
434  {
435  NLOG("%08llx %s+0x%llx\n", rsp + 4ull * i, utf16_for_log(pDriver->Name), rspValue - pDriver->BaseVa);
436  }
437 
438  writtenModules++;
439  }
440 
441  if (writtenModules > MODULE_NAMES_TO_PRINT)
442  {
443  break;
444  }
445  }
446 #undef MODULE_NAMES_TO_PRINT
447 #undef TRACE_LIMIT_X64
448 #undef TRACE_LIMIT_X86
449 }
450 
451 
452 static void
453 IntLogTrapFrame(
454  _In_ QWORD TrapFrame
455  )
461 {
462  if (gGuest.Guest64)
463  {
464  INTSTATUS status;
465  KTRAP_FRAME64 trapStructure = {0};
466 
467  NLOG("\nTrap Frame at 0x%016llx:\n", TrapFrame);
468  status = IntKernVirtMemRead(TrapFrame, sizeof(trapStructure), &trapStructure, NULL);
469  if (!INT_SUCCESS(status))
470  {
471  ERROR("[ERROR] IntKernVirtMemRead failed at 0x%016llx: 0x%08x\n", TrapFrame, status);
472  return;
473  }
474 
475  NLOG("rax = %016llx rbx = %016llx rcx = %016llx\n"
476  "rdx = %016llx rsi = %016llx rdi = %016llx\n"
477  "rip = %016llx rsp = %016llx rbp = %016llx\n"
478  " r8 = %016llx r9 = %016llx r10 = %016llx\n"
479  "r11 = %016llx r12 = %016llx r13 = %016llx\n"
480  "r14 = %016llx r15 = %016llx\n"
481  "eflags = %08x\n",
482  trapStructure.Rax, trapStructure.Rbx, trapStructure.Rcx,
483  trapStructure.Rdx, trapStructure.Rsi, trapStructure.Rdi,
484  trapStructure.Rip, trapStructure.Rsp, trapStructure.Rbp,
485  trapStructure.R8, trapStructure.R9, trapStructure.R10,
486  trapStructure.R11, 0ull, 0ull, 0ull, 0ull,
487  trapStructure.EFlags);
488 
489  IntWinDumpEflags(trapStructure.EFlags);
490  IntLogCurrentIP(trapStructure.Rip, NULL);
491  IntLogStackTrace(trapStructure.Rsp, "Stack trace:");
492  IntLogStackTrace(0, NULL);
493  }
494  else
495  {
496  INTSTATUS status;
497  KTSS ktssStructure = {0};
498 
499  NLOG("\nKTSS at %08llx:\n", TrapFrame);
500 
501  status = IntKernVirtMemRead(TrapFrame, sizeof(ktssStructure), &ktssStructure, NULL);
502  if (!INT_SUCCESS(status))
503  {
504  ERROR("[ERROR] IntKernVirtMemRead failed at 0x%016llx: 0x%08x\n", TrapFrame, status);
505  return;
506  }
507 
508  NLOG("eax = 0x%08x ebx = 0x%08x ecx = 0x%08x\n"
509  "edx = 0x%08x esi = 0x%08x edi = 0x%08x\n"
510  "eip = 0x%08x esp = 0x%08x ebp = 0x%08x\n"
511  "cs = %04x ss = %04x ds = %04x es = %04x fs = %04x gs = %04x efl=0x%08x\n",
512  ktssStructure.Eax, ktssStructure.Ebx, ktssStructure.Ecx, ktssStructure.Edx, ktssStructure.Esi,
513  ktssStructure.Edi, ktssStructure.Eip, ktssStructure.Esp, ktssStructure.Ebp, ktssStructure.Cs,
514  ktssStructure.Ss, ktssStructure.Ds, ktssStructure.Es, ktssStructure.Fs, ktssStructure.Gs,
515  ktssStructure.EFlags);
516 
517  IntWinDumpEflags(ktssStructure.EFlags);
518  IntLogCurrentIP(ktssStructure.Eip, NULL);
519  IntLogStackTrace(ktssStructure.Esp, "Stack trace:");
520  IntLogStackTrace(0, NULL);
521  }
522 }
523 
524 
525 static void
526 IntLogContextRecord(
527  _In_ QWORD ContextRecord
528  )
534 {
535  if (gGuest.Guest64)
536  {
537  INTSTATUS status;
538  CONTEXT64 contextStructure = {0};
539 
540  NLOG("\nContext Record at 0x%016llx:\n", ContextRecord);
541 
542  status = IntKernVirtMemRead(ContextRecord, sizeof(contextStructure), &contextStructure, NULL);
543  if (!INT_SUCCESS(status))
544  {
545  ERROR("[ERROR] IntKernVirtMemRead failed at 0x%016llx: 0x%08x\n", ContextRecord, status);
546  return;
547  }
548 
549  NLOG("rax = 0x%016llx rbx = 0x%016llx rcx = 0x%016llx\n"
550  "rdx = 0x%016llx rsi = 0x%016llx rdi = 0x%016llx\n"
551  "rip = 0x%016llx rsp = 0x%016llx rbp = 0x%016llx\n"
552  " r8 = 0x%016llx r9 = 0x%016llx r10 = 0x%016llx\n"
553  "r11 = 0x%016llx r12 = 0x%016llx r13 = 0x%016llx\n"
554  "r14 = 0x%016llx r15 = 0x%016llx\n"
555  "cs = 0x%04x ss = 0x%04x ds = 0x%04x es = 0x%04x fs = 0x%04x gs = 0x%04x efl = 0x%08x\n",
556  contextStructure.Rax, contextStructure.Rbx, contextStructure.Rcx,
557  contextStructure.Rdx, contextStructure.Rsi, contextStructure.Rdi,
558  contextStructure.Rip, contextStructure.Rsp, contextStructure.Rbp,
559  contextStructure.R8, contextStructure.R9, contextStructure.R10,
560  contextStructure.R11, contextStructure.R12, contextStructure.R13,
561  contextStructure.R14, contextStructure.R15, contextStructure.SegCs,
562  contextStructure.SegSs, contextStructure.SegDs, contextStructure.SegEs,
563  contextStructure.SegFs, contextStructure.SegGs, contextStructure.EFlags);
564 
565  IntWinDumpEflags(contextStructure.EFlags);
566  IntLogCurrentIP(contextStructure.Rip, NULL);
567  }
568  else
569  {
570  INTSTATUS status;
571  CONTEXT32 contextStructure = {0};
572 
573  NLOG("\nContext Record at %08llx:\n", ContextRecord);
574 
575  status = IntKernVirtMemRead(ContextRecord, sizeof(contextStructure), &contextStructure, NULL);
576  if (!INT_SUCCESS(status))
577  {
578  ERROR("[ERROR] IntKernVirtMemRead failed at 0x%016llx: 0x%08x\n", ContextRecord, status);
579  return;
580  }
581 
582  NLOG("eax = 0x%08x ebx = 0x%08x ecx = 0x%08x edx = 0x%08x esi = 0x%08x edi = 0x%08x\n"
583  "eip = 0x%08x esp = 0x%08x ebp = 0x%08x\n"
584  "cs = 0x%04x ss = 0x%04x ds = 0x%04x es = 0x%04x fs = 0x%04x gs = 0x%04x efl = %08x\n",
585  contextStructure.Eax, contextStructure.Ebx, contextStructure.Ecx,
586  contextStructure.Edx, contextStructure.Esi, contextStructure.Edi,
587  contextStructure.Eip, contextStructure.Esp, contextStructure.Ebp,
588  contextStructure.SegCs, contextStructure.SegSs, contextStructure.SegDs,
589  contextStructure.SegEs, contextStructure.SegFs,
590  contextStructure.SegGs, contextStructure.EFlags);
591 
592  IntWinDumpEflags(contextStructure.EFlags);
593  IntLogCurrentIP(contextStructure.Eip, NULL);
594  }
595 }
596 
597 
598 static void
599 IntLogExceptionRecord(
600  _In_ QWORD ExceptionRecord
601  )
607 {
608  if (gGuest.Guest64)
609  {
610  INTSTATUS status;
611  EXCEPTION_RECORD64 excpStructure = {0};
612 
613  NLOG("\nException Record at 0x%016llx:\n", ExceptionRecord);
614 
615  status = IntKernVirtMemRead(ExceptionRecord, sizeof(excpStructure), &excpStructure, NULL);
616  if (!INT_SUCCESS(status))
617  {
618  ERROR("[ERROR] IntKernVirtMemRead failed at 0x%016llx: 0x%08x\n", ExceptionRecord, status);
619  return;
620  }
621 
622  NLOG("Exception address: 0x%016llx\n"
623  "Exception Code: 0x%08x\n"
624  "ExceptionFlags: 0x%08x\n"
625  "NumberParameters: 0x%x\n",
626  excpStructure.ExceptionAddress, excpStructure.ExceptionCode,
627  excpStructure.ExceptionFlags, excpStructure.NumberParameters);
628 
629  excpStructure.NumberParameters = MIN(excpStructure.NumberParameters, EXCEPTION_MAXIMUM_PARAMETERS);
630 
631  for (DWORD excpParam = 0; excpParam < excpStructure.NumberParameters; excpParam++)
632  {
633  NLOG(" Parameter[%d]: 0x%016llx\n", excpParam, excpStructure.ExceptionInformation[excpParam]);
634  }
635  }
636  else
637  {
638  INTSTATUS status;
639  EXCEPTION_RECORD32 excpStructure = {0};
640 
641  NLOG("\nException Record at %08llx:\n", ExceptionRecord);
642 
643  status = IntKernVirtMemRead(ExceptionRecord, sizeof(excpStructure), &excpStructure, NULL);
644  if (!INT_SUCCESS(status))
645  {
646  ERROR("[ERROR] IntKernVirtMemRead failed at 0x%016llx: 0x%08x\n", ExceptionRecord, status);
647  return;
648  }
649 
650  NLOG("Exception address: %08x\n"
651  "Exception Code: 0x%08x\n"
652  "ExceptionFlags: 0x%08x\n"
653  "NumberParameters: 0x%x\n",
654  excpStructure.ExceptionAddress, excpStructure.ExceptionCode,
655  excpStructure.ExceptionFlags, excpStructure.NumberParameters);
656 
657  excpStructure.NumberParameters = MIN(excpStructure.NumberParameters, EXCEPTION_MAXIMUM_PARAMETERS);
658 
659  for (DWORD excpParam = 0; excpParam < excpStructure.NumberParameters; excpParam++)
660  {
661  NLOG(" Parameter[%d]: 0x%08x\n", excpParam, excpStructure.ExceptionInformation[excpParam]);
662  }
663  }
664 }
665 
666 
667 static void
668 IntLogCriticalProcessHasDied(
669  _In_ QWORD Param1,
670  _In_ QWORD Param2
671  )
678 {
679  const WIN_PROCESS_OBJECT *proc = IntWinProcFindObjectByEprocess(Param1);
680  const CHAR *objectType = "<unknown>";
681 
682  if (Param2 == 0)
683  {
684  objectType = "process";
685  }
686  else if (Param2 == 1)
687  {
688  objectType = "thread";
689  }
690 
691  LOG("A %s object has died!\n", objectType);
692  if (proc != NULL)
693  {
694  NLOG("\tProcess name: \"%s\" PID: %u Eprocess: 0x%016llx Cr3: 0x%016llx User Cr3: 0x%016llx Protected: %u\n",
695  proc->Name, proc->Pid, proc->EprocessAddress, proc->Cr3, proc->UserCr3, proc->Protected);
696  }
697  else
698  {
699  NLOG("\tNo process found for Eprocess 0x%016llx\n", Param1);
700  }
701 }
702 
703 
704 static void
705 IntLogCriticalStructureCoruption(
706  _In_ QWORD Param3,
707  _In_ QWORD Param4
708  )
719 {
720  QWORD regionType = Param4;
721  const PCHAR regions[] =
722  {
723  /* 0 */ "A generic data region",
724  /* 1 */ "Modification of a function or .pdata",
725  /* 2 */ "A processor IDT",
726  /* 3 */ "A processor GDT",
727  /* 4 */ "Type 1 process list corruption",
728  /* 5 */ "Type 2 process list corruption",
729  /* 6 */ "Debug routine modification",
730  /* 7 */ "Critical MSR modification",
731  /* 8 */ "Object type",
732  /* 9 */ "A processor IVT",
733  /* a */ "Modification of a system service function",
734  /* b */ "A generic session data region",
735  /* c */ "Modification of a session function or .pdata",
736  /* d */ "Modification of an import table",
737  /* e */ "Modification of a session import table",
738  /* f */ "Ps Win32 callout modification",
739  /* 10 */ "Debug switch routine modification",
740  /* 11 */ "IRP allocator modification",
741  /* 12 */ "Driver call dispatcher modification",
742  /* 13 */ "IRP completion dispatcher modification",
743  /* 14 */ "IRP deallocator modification",
744  /* 15 */ "A processor control register",
745  /* 16 */ "Critical floating point control register modification",
746  /* 17 */ "Local APIC modification",
747  /* 18 */ "Kernel notification callout modification",
748  /* 19 */ "Loaded module list modification",
749  /* 1a */ "Type 3 process list corruption",
750  /* 1b */ "Type 4 process list corruption",
751  /* 1c */ "Driver object corruption",
752  /* 1d */ "Executive callback object modification",
753  /* 1e */ "Modification of module padding",
754  /* 1f */ "Modification of a protected process",
755  /* 20 */ "A generic data region",
756  /* 21 */ "A page hash mismatch",
757  /* 22 */ "A session page hash mismatch",
758  /* 23 */ "Load config directory modification",
759  /* 24 */ "Inverted function table modification",
760  /* 25 */ "Session configuration modification",
761  /* 26 */ "An extended processor control register",
762  /* 27 */ "Type 1 pool corruption",
763  /* 28 */ "Type 2 pool corruption",
764  /* 29 */ "Type 3 pool corruption",
765  /* 2a */ "Type 4 pool corruption",
766  /* 2b */ "Modification of a function or .pdata",
767  /* 2c */ "Image integrity corruption",
768  /* 2d */ "Processor misconfiguration",
769  /* 2e */ "Type 5 process list corruption",
770  /* 2f */ "Process shadow corruption",
771  };
772 
773  if (regionType < ARRAYSIZE(regions))
774  {
775  LOG("0x%04llx - %s\n", regionType, regions[regionType]);
776  }
777  else if (0x101 == regionType)
778  {
779  LOG("0x%04llx - %s\n", regionType, "General pool corruption");
780  }
781  else if (0x102 == regionType)
782  {
783  LOG("0x%04llx - %s\n", regionType, "Modification of win32k.sys");
784  }
785  else
786  {
787  LOG("0x%04llx - %s\n", regionType, "Undocumented");
788  }
789 
790  LOG("Dumping cloak regions\n");
791  IntMemClkDump();
792 
793  if (0x2b == regionType && IS_KERNEL_POINTER_WIN(gGuest.Guest64, Param3))
794  {
795  IntDumpGvaEx(gGuest.Mm.SystemCr3, Param3 & PAGE_MASK, PAGE_SIZE, 16, 1, TRUE, TRUE);
796  }
797 }
798 
799 
800 static void
801 IntWinBcLogBsodEvent(
802  _In_ QWORD Reason,
803  _In_ QWORD Param1,
804  _In_ QWORD Param2,
805  _In_ QWORD Param3,
806  _In_ QWORD Param4
807  )
820 {
821  KERNEL_DRIVER const *pKernel = gGuest.KernelDriver;
822 
823  NLOG("\n**********************************************************************\n"
824  "* *\n"
825  "* Bugcheck Analysis *\n"
826  "* *\n"
827  "**********************************************************************\n\n");
828 
829  IntLogBSODParams(Reason, Param1, Param2, Param3, Param4);
830 
831  switch (Reason)
832  {
833  case BUGCHECK_IRQL_NOT_LESS_OR_EQUAL:
834  IntLogCurrentIP(Param4, "Faulting IP");
835  IntWinLogVAInfo(Param1);
836  break;
837 
838  case BUGCHECK_SYSTEM_SERVICE_EXCEPTION:
839  IntLogCurrentIP(Param2, "Faulting IP");
840  IntLogContextRecord(Param3);
841  break;
842 
843  case BUGCHECK_SYSTEM_THREAD_EXCEPTION_NOT_HANDLED:
844  IntLogExceptionRecord(Param3);
845  IntLogContextRecord(Param4);
846  break;
847 
848  case BUGCHECK_UNEXPECTED_KERNEL_MODE_TRAP:
849  case BUGCHECK_KERNEL_MODE_EXCEPTION_NOT_HANDLED:
850  IntLogTrapFrame(Param2);
851  break;
852 
853  case BUGCHECK_CRITICAL_PROCESS_DIED:
854  IntLogCriticalProcessHasDied(Param1, Param2);
855  break;
856 
857  case BUGCHEDCK_CRITICAL_STRUCTURE_CORRUPTION:
858  IntLogCriticalStructureCoruption(Param3, Param4);
859  break;
860 
861  default: // More can be added if it is needed
862  NLOG("Bug Check reason not known!\n");
863  break;
864  }
865 
866  if (NULL != pKernel)
867  {
868  LOG("Kernel loaded at 0x%016llx Version info: 0x%08x:0x%08llx\n",
869  pKernel->BaseVa, pKernel->Win.TimeDateStamp, pKernel->Size);
870  }
871 
872  IntLogGuestRegisters();
873 
874  IntLogProcessInfo();
875 
876  IntLogStackTrace(0, "Stack Trace:");
877 }
878 
879 
880 static INTSTATUS
881 IntWinBcSendBsodEvent(
882  _In_ QWORD Reason,
883  _In_ QWORD Param1,
884  _In_ QWORD Param2,
885  _In_ QWORD Param3,
886  _In_ QWORD Param4
887  )
901 {
902  INTSTATUS status;
903  EVENT_CRASH_EVENT *pCrashEvent;
904 
905  if (0 == (gGuest.CoreOptions.Current & INTRO_OPT_EVENT_OS_CRASH))
906  {
907  return INT_STATUS_NOT_NEEDED_HINT;
908  }
909 
910  pCrashEvent = &gAlert.Crash;
911  memzero(pCrashEvent, sizeof(*pCrashEvent));
912 
913  pCrashEvent->Reason = Reason;
914  pCrashEvent->Param1 = Param1;
915  pCrashEvent->Param2 = Param2;
916  pCrashEvent->Param3 = Param3;
917  pCrashEvent->Param4 = Param4;
918 
919  IntAlertFillWinProcessCurrent(&pCrashEvent->CurrentProcess);
920 
921  status = IntNotifyIntroEvent(introEventCrashEvent, pCrashEvent, sizeof(*pCrashEvent));
922  if (!INT_SUCCESS(status))
923  {
924  WARNING("[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
925  }
926 
927  return INT_STATUS_SUCCESS;
928 }
929 
930 
931 INTSTATUS
932 IntWinBcHandleBugCheck(
933  _In_ void const *Detour
934  )
948 
949 {
950  INTSTATUS status;
951  PIG_ARCH_REGS pRegs;
952  QWORD code, param1, param2, param3, param4;
953 
954  if (NULL == Detour)
955  {
956  return INT_STATUS_INVALID_PARAMETER_1;
957  }
958 
959  pRegs = &gVcpu->Regs;
960 
961  if (gGuest.Guest64)
962  {
963  code = pRegs->Rcx;
964  param1 = pRegs->Rdx;
965  param2 = pRegs->R8;
966  param3 = pRegs->R9;
967 
968  IntKernVirtMemFetchQword(pRegs->Rsp + 8 * 5, &param4);
969  }
970  else
971  {
972  // We have RET, Arg1, ... on the stack.
973  IntKernVirtMemFetchDword(pRegs->Rsp + 4 * 1, (DWORD *)&code);
974  IntKernVirtMemFetchDword(pRegs->Rsp + 4 * 2, (DWORD *)&param1);
975  IntKernVirtMemFetchDword(pRegs->Rsp + 4 * 3, (DWORD *)&param2);
976  IntKernVirtMemFetchDword(pRegs->Rsp + 4 * 4, (DWORD *)&param3);
977  IntKernVirtMemFetchDword(pRegs->Rsp + 4 * 5, (DWORD *)&param4);
978  }
979 
980  LOG("[INFO] The guest has generated a bugcheck on CPU %d: 0x%08x 0x%016llx 0x%016llx 0x%016llx 0x%016llx\n",
981  gVcpu->Index, (DWORD)code, param1, param2, param3, param4);
982 
983  // Set the beta alerts, so we don't block the writes that will follow
984  gGuest.KernelBetaDetections = TRUE;
985 
986  IntWinBcLogBsodEvent(code, param1, param2, param3, param4);
987 
988  status = IntWinBcSendBsodEvent(code, param1, param2, param3, param4);
989  if (!INT_SUCCESS(status))
990  {
991  ERROR("[ERROR] IntWinBcSendBsodEvent failed: 0x%08x\n", status);
992  }
993 
994  return INT_STATUS_SUCCESS;
995 }
_EXCEPTION_RECORD32::NumberParameters
DWORD NumberParameters
Definition: wddefs.h:1214
_CONTEXT64::R9
QWORD R9
Definition: wddefs.h:1626
_CONTEXT64::Rcx
QWORD Rcx
Definition: wddefs.h:1618
IntDumpArchRegs
TIMER_FRIENDLY void IntDumpArchRegs(IG_ARCH_REGS const *Registers)
This function dumps the register values in a user friendly format.
Definition: dumper.c:20
_In_opt_
#define _In_opt_
Definition: intro_sal.h:16
_VA_TRANSLATION::PhysicalAddress
QWORD PhysicalAddress
The physical address to which VirtualAddress translates to.
Definition: introcore.h:107
_EXCEPTION_RECORD32::ExceptionCode
DWORD ExceptionCode
Definition: wddefs.h:1210
_WIN_PROCESS_OBJECT::Flags
DWORD Flags
Windows process flags (possible values for this bitmask are described below).
Definition: winprocess.h:121
BUGCHECK_KMODE_EXCEPTION_NOT_HANDLED
#define BUGCHECK_KMODE_EXCEPTION_NOT_HANDLED
Definition: winbugcheck.h:25
TRACE_LIMIT_X86
#define TRACE_LIMIT_X86
_CONTEXT64::Rdx
QWORD Rdx
Definition: wddefs.h:1619
_CONTEXT64::R12
QWORD R12
Definition: wddefs.h:1629
IntLogTrapFrame
static void IntLogTrapFrame(QWORD TrapFrame)
Logs information about a trap frame.
Definition: winbugcheck.c:453
_IG_SEG_REGS::CsBase
QWORD CsBase
Definition: glueiface.h:66
_CONTEXT32::Eax
DWORD Eax
Definition: wddefs.h:1698
_IG_SEG_REGS::DsBase
QWORD DsBase
Definition: glueiface.h:74
_IG_ARCH_REGS::Cr0
QWORD Cr0
Definition: glueiface.h:52
_KTSS::EFlags
DWORD EFlags
Definition: wddefs.h:905
_VCPU_STATE::Regs
IG_ARCH_REGS Regs
The current state of the guest registers.
Definition: guests.h:95
_IG_SEG_REGS::EsSelector
QWORD EsSelector
Definition: glueiface.h:80
_VCPU_STATE::Index
DWORD Index
The VCPU number.
Definition: guests.h:172
_In_
#define _In_
Definition: intro_sal.h:21
IntLogCurrentIP
static void IntLogCurrentIP(QWORD Rip, CHAR const *Message)
Logs information about the RIP at which the crash was triggered.
Definition: winbugcheck.c:142
_EXCEPTION_RECORD32::ExceptionInformation
DWORD ExceptionInformation[EXCEPTION_MAXIMUM_PARAMETERS]
Definition: wddefs.h:1215
_WIN_PROCESS_OBJECT::RealParentEprocess
QWORD RealParentEprocess
The active EPROCESS at the moment of creation.
Definition: winprocess.h:92
_MM::SystemCr3
QWORD SystemCr3
The Cr3 used to map the kernel.
Definition: guests.h:211
INT_STATUS_SUCCESS
#define INT_STATUS_SUCCESS
Definition: introstatus.h:54
_KTSS::Ss
WORD Ss
Definition: wddefs.h:918
_KERNEL_DRIVER::Win
WIN_KERNEL_DRIVER Win
Valid only for Windows guests.
Definition: drivers.h:70
_EXCEPTION_RECORD64::ExceptionAddress
QWORD ExceptionAddress
The address at which the exception was generated.
Definition: wddefs.h:1195
_EXCEPTION_RECORD64::ExceptionCode
DWORD ExceptionCode
The code generated by hardware, or the one used with RaiseException(), or DBG_CONTROL_C.
Definition: wddefs.h:1191
_EFLAGS::SF
DWORD SF
Definition: winbugcheck.h:54
IntGetGprs
INTSTATUS IntGetGprs(DWORD CpuNumber, PIG_ARCH_REGS Regs)
Get the current guest GPR state.
Definition: introcpu.c:827
_IG_ARCH_REGS::Cr8
QWORD Cr8
Definition: glueiface.h:55
_IG_SEG_REGS::DsSelector
QWORD DsSelector
Definition: glueiface.h:76
BUGCHECK_KERNEL_MODE_EXCEPTION_NOT_HANDLED
#define BUGCHECK_KERNEL_MODE_EXCEPTION_NOT_HANDLED
Definition: winbugcheck.h:35
IntGetBugCheckLink
static char const * IntGetBugCheckLink(QWORD Reason)
Returns the bug check documentation page link for a bug check reason.
Definition: winbugcheck.c:55
IntLogStackTrace
static void IntLogStackTrace(QWORD Address, CHAR const *Message)
Attempts to log a guest stack trace.
Definition: winbugcheck.c:370
_CONTEXT32::SegFs
DWORD SegFs
Definition: wddefs.h:1689
_KERNEL_DRIVER::BaseVa
QWORD BaseVa
The guest virtual address of the kernel module that owns this driver object.
Definition: drivers.h:41
_EVENT_CRASH_EVENT::Param3
QWORD Param3
Third parameter.
Definition: intro_types.h:1972
_KTRAP_FRAME64
Definition: wddefs.h:990
INT_SUCCESS
#define INT_SUCCESS(Status)
Definition: introstatus.h:42
_EFLAGS::Raw
DWORD Raw
Raw register value.
Definition: winbugcheck.h:44
introEventCrashEvent
Informational event sent when the guest crashes. See EVENT_CRASH_EVENT.
Definition: intro_types.h:109
_KTRAP_FRAME64::R8
QWORD R8
Definition: wddefs.h:1043
ARRAYSIZE
#define ARRAYSIZE(A)
Definition: introdefs.h:101
_GUEST_STATE::KernelBetaDetections
BOOLEAN KernelBetaDetections
True if the kernel protection is in beta (log-only) mode.
Definition: guests.h:303
_IG_SEG_REGS
Holds segment register state.
Definition: glueiface.h:64
_IG_SEG_REGS::GsAr
QWORD GsAr
Definition: glueiface.h:89
_IG_ARCH_REGS::Rdx
QWORD Rdx
Definition: glueiface.h:34
INT_STATUS_NOT_NEEDED_HINT
#define INT_STATUS_NOT_NEEDED_HINT
Definition: introstatus.h:317
_CONTEXT64::Rdi
QWORD Rdi
Definition: wddefs.h:1624
ERROR
#define ERROR(fmt,...)
Definition: glue.h:62
BUGCHECK_MEMORY_MANAGEMENT
#define BUGCHECK_MEMORY_MANAGEMENT
Definition: winbugcheck.h:24
_CONTEXT64::SegGs
WORD SegGs
Definition: wddefs.h:1606
_KTSS::Ds
WORD Ds
Definition: wddefs.h:920
INTSTATUS
int INTSTATUS
The status data type.
Definition: introstatus.h:24
_KERNEL_DRIVER::Size
QWORD Size
The size of the kernel module that owns this driver object.
Definition: drivers.h:43
BUGCHECK_SYSTEM_THREAD_EXCEPTION_NOT_HANDLED
#define BUGCHECK_SYSTEM_THREAD_EXCEPTION_NOT_HANDLED
Definition: winbugcheck.h:33
_CONTEXT32::Ecx
DWORD Ecx
Definition: wddefs.h:1697
_WIN_PROCESS_OBJECT::Peb64Address
QWORD Peb64Address
PEB 64 address (on x86 OSes, this will be 0).
Definition: winprocess.h:103
TRFLG_NONE
#define TRFLG_NONE
No special options.
Definition: introcore.h:82
_IG_SEG_REGS::SsBase
QWORD SsBase
Definition: glueiface.h:70
_EVENT_CRASH_EVENT::Param1
QWORD Param1
First parameter.
Definition: intro_types.h:1970
_IG_SEG_REGS::GsSelector
QWORD GsSelector
Definition: glueiface.h:88
_IG_ARCH_REGS::Flags
QWORD Flags
Definition: glueiface.h:49
_GUEST_STATE::VcpuArray
PVCPU_STATE VcpuArray
Array of the VCPUs assigned to this guest. The index in this array matches the VCPU number...
Definition: guests.h:372
_EFLAGS::DF
DWORD DF
Definition: winbugcheck.h:57
_IG_SEG_REGS::SsAr
QWORD SsAr
Definition: glueiface.h:73
_IG_SEG_REGS::CsAr
QWORD CsAr
Definition: glueiface.h:69
_EFLAGS::IF
DWORD IF
Definition: winbugcheck.h:56
_KTSS::Esi
DWORD Esi
Definition: wddefs.h:912
_EFLAGS::OF
DWORD OF
Definition: winbugcheck.h:58
_IG_SEG_REGS::FsLimit
QWORD FsLimit
Definition: glueiface.h:83
_CONTEXT32::Ebx
DWORD Ebx
Definition: wddefs.h:1695
_GENERIC_ALERT::Crash
EVENT_CRASH_EVENT Crash
Definition: alerts.h:27
MIN
#define MIN(a, b)
Definition: introdefs.h:146
BUGCHECK_PFN_LIST_CORRUPT
#define BUGCHECK_PFN_LIST_CORRUPT
Definition: winbugcheck.h:27
_EVENT_CRASH_EVENT
Event structure for guest OS crashes.
Definition: intro_types.h:1967
_WIN_PROCESS_OBJECT::ParentEprocess
QWORD ParentEprocess
The EPROCESS of the parent process.
Definition: winprocess.h:91
IntGetBugCheckName
static char const * IntGetBugCheckName(QWORD Reason)
Returns a name for a bug check code.
Definition: winbugcheck.c:13
_WIN_PROCESS_OBJECT::Protected
DWORD Protected
TRUE if this is a protected process. If this is FALSE, most of the above fields aren&#39;t used at all...
Definition: winprocess.h:130
_CONTEXT32::EFlags
DWORD EFlags
Definition: wddefs.h:1703
_WIN_KERNEL_DRIVER::TimeDateStamp
DWORD TimeDateStamp
The driver`s internal timestamp (from the _IMAGE_FILE_HEADER).
Definition: windriver.h:23
_CONTEXT64::SegFs
WORD SegFs
Definition: wddefs.h:1605
LOG
#define LOG(fmt,...)
Definition: glue.h:61
IG_CS_TYPE_32B
32-bit selector.
Definition: glueiface.h:187
BUGCHECK_SYSTEM_SERVICE_EXCEPTION
#define BUGCHECK_SYSTEM_SERVICE_EXCEPTION
Definition: winbugcheck.h:26
_KERNEL_DRIVER
Describes a kernel driver.
Definition: drivers.h:30
_KTRAP_FRAME64::Rax
QWORD Rax
Definition: wddefs.h:1040
_IG_ARCH_REGS::Rsp
QWORD Rsp
Definition: glueiface.h:36
_IG_SEG_REGS::SsSelector
QWORD SsSelector
Definition: glueiface.h:72
_EFLAGS::IOPL
DWORD IOPL
Definition: winbugcheck.h:59
IntWinDumpEflags
static void IntWinDumpEflags(DWORD Eflags)
Logs the EFLAGS contents.
Definition: winbugcheck.c:344
_KTSS::Es
WORD Es
Definition: wddefs.h:914
_CONTEXT64::Rax
QWORD Rax
Definition: wddefs.h:1617
_KTSS::Ecx
DWORD Ecx
Definition: wddefs.h:907
_EFLAGS::CF
DWORD CF
Definition: winbugcheck.h:47
_CONTEXT32
Context Frame for 32-bit guests.
Definition: wddefs.h:1675
_IG_ARCH_REGS::R9
QWORD R9
Definition: glueiface.h:41
_CONTEXT64::Rbp
QWORD Rbp
Definition: wddefs.h:1622
_WIN_PROCESS_OBJECT::Cr3
QWORD Cr3
Process PDBR. Includes PCID.
Definition: winprocess.h:98
_VA_TRANSLATION::MappingsCount
DWORD MappingsCount
The number of entries inside the MappingsTrace and MappingsEntries arrays.
Definition: introcore.h:123
_CONTEXT64::Rip
QWORD Rip
Definition: wddefs.h:1634
gAlert
GENERIC_ALERT gAlert
Global alert buffer.
Definition: alerts.c:27
_CONTEXT64::R11
QWORD R11
Definition: wddefs.h:1628
IntWinBcLogBsodEvent
static void IntWinBcLogBsodEvent(QWORD Reason, QWORD Param1, QWORD Param2, QWORD Param3, QWORD Param4)
Logs a bug check event and related information about the crash and the kernel.
Definition: winbugcheck.c:801
_WIN_PROCESS_OBJECT::CreationTime
QWORD CreationTime
The creation time of the process, as stored inside the EPROCESS.
Definition: winprocess.h:95
_IG_SEG_REGS::DsAr
QWORD DsAr
Definition: glueiface.h:77
IntDumpInstruction
TIMER_FRIENDLY void IntDumpInstruction(INSTRUX *Instruction, QWORD Rip)
This function dumps a given instruction (textual disassembly).
Definition: dumper.c:583
_WIN_PROCESS_OBJECT::Path
WINUM_PATH * Path
Will point inside the loaded modules list to the full process path.
Definition: winprocess.h:111
IntKernVirtMemFetchDword
INTSTATUS IntKernVirtMemFetchDword(QWORD GuestVirtualAddress, DWORD *Data)
Reads 4 bytes from the guest kernel memory.
Definition: introcore.c:829
_KTRAP_FRAME64::Rip
QWORD Rip
Definition: wddefs.h:1156
_EXCEPTION_RECORD64::NumberParameters
DWORD NumberParameters
The number of valid entries inside the ExceptionInformation array.
Definition: wddefs.h:1196
BUGCHECK_PROCESS_INITIALIZATION_FAILED
#define BUGCHECK_PROCESS_INITIALIZATION_FAILED
Definition: winbugcheck.h:29
IntLogBSODParams
static void IntLogBSODParams(QWORD Reason, QWORD Param1, QWORD Param2, QWORD Param3, QWORD Param4)
Logs the bug check parameters.
Definition: winbugcheck.c:109
IntKernVirtMemFetchQword
INTSTATUS IntKernVirtMemFetchQword(QWORD GuestVirtualAddress, QWORD *Data)
Reads 8 bytes from the guest kernel memory.
Definition: introcore.c:811
IntWinBcSendBsodEvent
static INTSTATUS IntWinBcSendBsodEvent(QWORD Reason, QWORD Param1, QWORD Param2, QWORD Param3, QWORD Param4)
Sends a introEventCrashEvent event.
Definition: winbugcheck.c:881
_VA_TRANSLATION::MappingsEntries
QWORD MappingsEntries[MAX_TRANSLATION_DEPTH]
Contains the entry in which paging table.
Definition: introcore.h:115
IntNotifyIntroEvent
INTSTATUS IntNotifyIntroEvent(INTRO_EVENT_TYPE EventClass, void *Param, size_t EventSize)
Notifies the integrator about an introspection alert.
Definition: glue.c:1042
_EFLAGS::AF
DWORD AF
Definition: winbugcheck.h:51
memzero
#define memzero(a, s)
Definition: introcrt.h:35
_EVENT_CRASH_EVENT::CurrentProcess
INTRO_PROCESS CurrentProcess
The currently active process.
Definition: intro_types.h:1975
_EVENT_CRASH_EVENT::Reason
QWORD Reason
The bugcheck reason.
Definition: intro_types.h:1969
_KTSS::Ebx
DWORD Ebx
Definition: wddefs.h:909
winbugcheck.h
Information about Windows kernel crashes.
_KTRAP_FRAME64::Rbp
QWORD Rbp
Definition: wddefs.h:1139
_GUEST_STATE::Guest64
BOOLEAN Guest64
True if this is a 64-bit guest, False if it is a 32-bit guest.
Definition: guests.h:290
QWORD
unsigned long long QWORD
Definition: intro_types.h:53
_WIN_PROCESS_OBJECT::Name
CHAR Name[IMAGE_BASE_NAME_LEN]
Process base name.
Definition: winprocess.h:108
_INTRO_PROT_OPTIONS::Current
QWORD Current
The currently used options.
Definition: guests.h:236
_EFLAGS
The layout of the EFLAGS register.
Definition: winbugcheck.h:42
_EXCEPTION_RECORD32
An _EXCEPTION_RECORD structure used by 64-bit guests.
Definition: wddefs.h:1208
_EXCEPTION_RECORD64::ExceptionInformation
QWORD ExceptionInformation[EXCEPTION_MAXIMUM_PARAMETERS]
Exception-dependent parameters.
Definition: wddefs.h:1199
_CONTEXT32::SegCs
DWORD SegCs
Definition: wddefs.h:1702
_WIN_PROCESS_OBJECT::UserCr3
QWORD UserCr3
Process user PDBR. Includes PCID.
Definition: winprocess.h:99
_VCPU_STATE
Structure encapsulating VCPU-specific information.
Definition: guests.h:83
_CONTEXT32::Esi
DWORD Esi
Definition: wddefs.h:1694
_CONTEXT64::R15
QWORD R15
Definition: wddefs.h:1632
_CONTEXT32::SegDs
DWORD SegDs
Definition: wddefs.h:1691
_CONTEXT64::Rsp
QWORD Rsp
Definition: wddefs.h:1621
_CONTEXT64::Rsi
QWORD Rsi
Definition: wddefs.h:1623
_KTSS::Fs
WORD Fs
Definition: wddefs.h:922
_CONTEXT32::Ebp
DWORD Ebp
Definition: wddefs.h:1700
_IG_ARCH_REGS::GdtBase
QWORD GdtBase
Definition: glueiface.h:58
TRUE
#define TRUE
Definition: intro_types.h:30
IS_KERNEL_POINTER_WIN
#define IS_KERNEL_POINTER_WIN(is64, p)
Checks if a guest virtual address resides inside the Windows kernel address space.
Definition: wddefs.h:76
IntWinBcHandleBugCheck
INTSTATUS IntWinBcHandleBugCheck(void const *Detour)
Handles a Windows OS crash.This is the detour handle for the KeBugCheck2 32-bit Windows kernel API an...
Definition: winbugcheck.c:932
_CONTEXT32::SegSs
DWORD SegSs
Definition: wddefs.h:1705
IntWinProcFindObjectByCr3
PWIN_PROCESS_OBJECT IntWinProcFindObjectByCr3(QWORD Cr3)
Finds a process by its kernel CR3.
Definition: winprocesshp.c:195
_WIN_PROCESS_OBJECT::ExitStatus
DWORD ExitStatus
The exit status of the process (used when sending the process terminated event).
Definition: winprocess.h:192
IntWinLogVAInfo
static void IntWinLogVAInfo(QWORD Va)
Logs information about a guest virtual address translation.
Definition: winbugcheck.c:313
_IG_SEG_REGS::FsBase
QWORD FsBase
Definition: glueiface.h:82
_KERNEL_DRIVER::Name
void * Name
The name of the driver.
Definition: drivers.h:54
_IG_ARCH_REGS::R8
QWORD R8
Definition: glueiface.h:40
_IG_ARCH_REGS::IdtLimit
QWORD IdtLimit
Definition: glueiface.h:57
_KTSS::Edi
DWORD Edi
Definition: wddefs.h:913
IntAlertFillWinProcessCurrent
void IntAlertFillWinProcessCurrent(INTRO_PROCESS *EventProcess)
Saves information about the current Windows process inside an alert.
Definition: alerts.c:781
_IG_ARCH_REGS::Cr3
QWORD Cr3
Definition: glueiface.h:54
_IG_SEG_REGS::GsLimit
QWORD GsLimit
Definition: glueiface.h:87
_CONTEXT64::SegSs
WORD SegSs
Definition: wddefs.h:1607
IntTranslateVirtualAddressEx
INTSTATUS IntTranslateVirtualAddressEx(QWORD Gva, QWORD Cr3, DWORD Flags, VA_TRANSLATION *Translation)
Translates a guest virtual address to a guest physical address.
Definition: introcore.c:1863
BUGCHECK_CRITICAL_PROCESS_DIED
#define BUGCHECK_CRITICAL_PROCESS_DIED
Definition: winbugcheck.h:36
_CONTEXT64::Rbx
QWORD Rbx
Definition: wddefs.h:1620
PCHAR
char * PCHAR
Definition: intro_types.h:56
BUGCHECK_INACCESSIBLE_BOOT_DEVICE
#define BUGCHECK_INACCESSIBLE_BOOT_DEVICE
Definition: winbugcheck.h:32
_IG_ARCH_REGS::GdtLimit
QWORD GdtLimit
Definition: glueiface.h:59
_CONTEXT64::R8
QWORD R8
Definition: wddefs.h:1625
WARNING
#define WARNING(fmt,...)
Definition: glue.h:60
_WIN_PROCESS_OBJECT::Pid
DWORD Pid
Process ID (the one used by Windows).
Definition: winprocess.h:100
_CONTEXT64::R13
QWORD R13
Definition: wddefs.h:1630
_KTRAP_FRAME64::Rdi
QWORD Rdi
Definition: wddefs.h:1131
_CONTEXT32::Edx
DWORD Edx
Definition: wddefs.h:1696
_GUEST_STATE::CpuCount
DWORD CpuCount
The number of logical CPUs.
Definition: guests.h:279
PAGE_SIZE
#define PAGE_SIZE
Definition: common.h:70
_CONTEXT64::SegEs
WORD SegEs
Definition: wddefs.h:1604
_IG_SEG_REGS::SsLimit
QWORD SsLimit
Definition: glueiface.h:71
_IG_SEG_REGS::EsAr
QWORD EsAr
Definition: glueiface.h:81
_CONTEXT32::SegEs
DWORD SegEs
Definition: wddefs.h:1690
IntMemClkDump
void IntMemClkDump(void)
Dumps all the active cloak regions.
Definition: memcloak.c:1218
__forceinline
#define __forceinline
Definition: introtypes.h:61
_WIN_PROCESS_OBJECT::Peb32Address
QWORD Peb32Address
PEB 32 address (on pure x64 processes, this will be 0).
Definition: winprocess.h:104
_IG_SEG_REGS::CsSelector
QWORD CsSelector
Definition: glueiface.h:68
BUGCHECK_KERNEL_STACK_INPAGE_ERROR
#define BUGCHECK_KERNEL_STACK_INPAGE_ERROR
Definition: winbugcheck.h:30
DWORD
uint32_t DWORD
Definition: intro_types.h:49
_KTRAP_FRAME64::Rdx
QWORD Rdx
Definition: wddefs.h:1042
_KTRAP_FRAME64::Rcx
QWORD Rcx
Definition: wddefs.h:1041
IntDumpGvaEx
TIMER_FRIENDLY void IntDumpGvaEx(QWORD Gva, DWORD Length, QWORD Cr3, DWORD RowLength, DWORD ElementLength, BOOLEAN LogHeader, BOOLEAN DumpAscii)
This function dumps a given GVA in a user friendly format. This function uses IntDumpBuffer to perfor...
Definition: dumper.c:204
BUGCHECK_PAGE_FAULT_IN_NONPAGED_AREA
#define BUGCHECK_PAGE_FAULT_IN_NONPAGED_AREA
Definition: winbugcheck.h:28
_WIN_PROCESS_OBJECT::OriginalTokenPtr
QWORD OriginalTokenPtr
Original Token pointer inside EPROCESS (should never change).
Definition: winprocess.h:247
_KTSS::Edx
DWORD Edx
Definition: wddefs.h:908
IntLogExceptionRecord
static void IntLogExceptionRecord(QWORD ExceptionRecord)
Logs information about an exception record.
Definition: winbugcheck.c:599
_EFLAGS::PF
DWORD PF
Definition: winbugcheck.h:49
_IG_SEG_REGS::GsBase
QWORD GsBase
Definition: glueiface.h:86
_CONTEXT64::SegDs
WORD SegDs
Definition: wddefs.h:1603
_IG_SEG_REGS::CsLimit
QWORD CsLimit
Definition: glueiface.h:67
_GUEST_STATE::Mm
MM Mm
Guest memory information, such as paging mode, system Cr3 value, etc.
Definition: guests.h:374
_WIN_PROCESS_OBJECT::EprocessAddress
QWORD EprocessAddress
This will be the address of the ActiveProcess field.
Definition: winprocess.h:90
_KTSS
Definition: wddefs.h:895
_IG_SEG_REGS::FsAr
QWORD FsAr
Definition: glueiface.h:85
_KTRAP_FRAME64::Rsp
QWORD Rsp
Definition: wddefs.h:1163
gGuest
GUEST_STATE gGuest
The current guest state.
Definition: guests.c:50
_IG_SEG_REGS::FsSelector
QWORD FsSelector
Definition: glueiface.h:84
BUGCHECK_KERNEL_DATA_INPAGE_ERROR
#define BUGCHECK_KERNEL_DATA_INPAGE_ERROR
Definition: winbugcheck.h:31
_KTSS::Eax
DWORD Eax
Definition: wddefs.h:906
_KTSS::Cs
WORD Cs
Definition: wddefs.h:916
_EXCEPTION_RECORD32::ExceptionAddress
DWORD ExceptionAddress
Definition: wddefs.h:1213
INTRO_OPT_EVENT_OS_CRASH
#define INTRO_OPT_EVENT_OS_CRASH
Enable OS crash events (generates introEventCrashEvent events).
Definition: intro_types.h:447
_KTRAP_FRAME64::R10
QWORD R10
Definition: wddefs.h:1045
_EVENT_CRASH_EVENT::Param4
QWORD Param4
Fourth parameter.
Definition: intro_types.h:1973
_CONTEXT32::Eip
DWORD Eip
Definition: wddefs.h:1701
IntWinProcFindObjectByEprocess
PWIN_PROCESS_OBJECT IntWinProcFindObjectByEprocess(QWORD Eprocess)
Finds a process by the address of its _EPROCESS structure.
Definition: winprocesshp.c:96
_IG_ARCH_REGS::Rcx
QWORD Rcx
Definition: glueiface.h:33
_KTSS::Ebp
DWORD Ebp
Definition: wddefs.h:911
_VA_TRANSLATION::VirtualAddress
QWORD VirtualAddress
The translated virtual address.
Definition: introcore.h:105
IntKernVirtMemRead
INTSTATUS IntKernVirtMemRead(QWORD KernelGva, DWORD Length, void *Buffer, DWORD *RetLength)
Reads data from a guest kernel virtual memory range.
Definition: introcore.c:674
IntDriverFindByAddress
KERNEL_DRIVER * IntDriverFindByAddress(QWORD Gva)
Returns the driver in which Gva resides.
Definition: drivers.c:164
_KTRAP_FRAME64::EFlags
DWORD EFlags
Definition: wddefs.h:1161
NLOG
#define NLOG(fmt,...)
Definition: glue.h:43
_CONTEXT64::SegCs
WORD SegCs
Definition: wddefs.h:1602
_IG_ARCH_REGS::Cr4
QWORD Cr4
Definition: glueiface.h:53
BUGCHECK_UNEXPECTED_KERNEL_MODE_TRAP
#define BUGCHECK_UNEXPECTED_KERNEL_MODE_TRAP
Definition: winbugcheck.h:34
BUGCHEDCK_CRITICAL_STRUCTURE_CORRUPTION
#define BUGCHEDCK_CRITICAL_STRUCTURE_CORRUPTION
Definition: winbugcheck.h:37
_VA_TRANSLATION
Encapsulates information about a virtual to physical memory translation.
Definition: introcore.h:102
_GUEST_STATE::KernelDriver
KERNEL_DRIVER * KernelDriver
Points to the driver object that describes the kernel image.
Definition: guests.h:385
utf16_for_log
char * utf16_for_log(const WCHAR *WString)
Converts a UTF-16 to a UTF-8 string to be used inside logging macros.
Definition: introcore.c:2845
_CONTEXT64::R14
QWORD R14
Definition: wddefs.h:1631
INT_STATUS_INVALID_PARAMETER_1
#define INT_STATUS_INVALID_PARAMETER_1
Definition: introstatus.h:62
_CONTEXT32::Edi
DWORD Edi
Definition: wddefs.h:1693
gVcpu
VCPU_STATE * gVcpu
The state of the current VCPU.
Definition: guests.c:59
_KTSS::Esp
DWORD Esp
Definition: wddefs.h:910
MODULE_NAMES_TO_PRINT
#define MODULE_NAMES_TO_PRINT
IG_CS_TYPE_64B
64-bit selector.
Definition: glueiface.h:188
IntLogGuestRegisters
static void IntLogGuestRegisters(void)
Logs the guest register state.
Definition: winbugcheck.c:186
_KTSS::Gs
WORD Gs
Definition: wddefs.h:924
_IG_ARCH_REGS::Dr7
QWORD Dr7
Definition: glueiface.h:50
_EXCEPTION_RECORD64::ExceptionFlags
DWORD ExceptionFlags
Definition: wddefs.h:1192
IntLogProcessInfo
static void IntLogProcessInfo(void)
Logs information about the current process.
Definition: winbugcheck.c:266
IntLogCriticalProcessHasDied
static void IntLogCriticalProcessHasDied(QWORD Param1, QWORD Param2)
Handles a BUGCHECK_CRITICAL_PROCESS_DIED bug check.
Definition: winbugcheck.c:668
IntLogCriticalStructureCoruption
static void IntLogCriticalStructureCoruption(QWORD Param3, QWORD Param4)
Handles a BUGCHEDCK_CRITICAL_STRUCTURE_CORRUPTION bug check.
Definition: winbugcheck.c:705
_CONTEXT64::R10
QWORD R10
Definition: wddefs.h:1627
_IG_ARCH_REGS
Holds register state.
Definition: glueiface.h:30
_KTRAP_FRAME64::R11
QWORD R11
Definition: wddefs.h:1046
IntGetSegs
INTSTATUS IntGetSegs(DWORD CpuNumber, PIG_SEG_REGS Regs)
Read the guest segment registers.
Definition: introcpu.c:995
_EFLAGS::ZF
DWORD ZF
Definition: winbugcheck.h:53
_EXCEPTION_RECORD32::ExceptionFlags
DWORD ExceptionFlags
Definition: wddefs.h:1211
_KTRAP_FRAME64::Rsi
QWORD Rsi
Definition: wddefs.h:1132
EXCEPTION_MAXIMUM_PARAMETERS
#define EXCEPTION_MAXIMUM_PARAMETERS
Definition: wddefs.h:1180
_CONTEXT64::EFlags
DWORD EFlags
Definition: wddefs.h:1608
TRACE_LIMIT_X64
#define TRACE_LIMIT_X64
CHAR
char CHAR
Definition: intro_types.h:56
_CONTEXT32::SegGs
DWORD SegGs
Definition: wddefs.h:1688
_KTRAP_FRAME64::Rbx
QWORD Rbx
Definition: wddefs.h:1130
_CONTEXT64
Context Frame for 64-bit guests.
Definition: wddefs.h:1590
_IG_ARCH_REGS::Cr2
QWORD Cr2
Definition: glueiface.h:48
_CONTEXT32::Esp
DWORD Esp
Definition: wddefs.h:1704
_IG_ARCH_REGS::IdtBase
QWORD IdtBase
Definition: glueiface.h:56
PAGE_MASK
#define PAGE_MASK
Definition: pgtable.h:35
_EVENT_CRASH_EVENT::Param2
QWORD Param2
Second parameter.
Definition: intro_types.h:1971
_IG_SEG_REGS::EsBase
QWORD EsBase
Definition: glueiface.h:78
BUGCHECK_BAD_POOL_HEADER
#define BUGCHECK_BAD_POOL_HEADER
Definition: winbugcheck.h:23
_KTSS::Eip
DWORD Eip
Definition: wddefs.h:904
_GUEST_STATE::CoreOptions
INTRO_PROT_OPTIONS CoreOptions
The activation and protection options for this guest.
Definition: guests.h:271
IntDecDecodeInstruction
INTSTATUS IntDecDecodeInstruction(IG_CS_TYPE CsType, QWORD Gva, void *Instrux)
Decode an instruction from the provided guest linear address.
Definition: decoder.c:180
BUGCHECK_NAME
#define BUGCHECK_NAME(x)
_EXCEPTION_RECORD64
An _EXCEPTION_RECORD structure used by 64-bit guests.
Definition: wddefs.h:1188
BUGCHECK_IRQL_NOT_LESS_OR_EQUAL
#define BUGCHECK_IRQL_NOT_LESS_OR_EQUAL
Definition: winbugcheck.h:22
_IG_SEG_REGS::DsLimit
QWORD DsLimit
Definition: glueiface.h:75
_WIN_PROCESS_OBJECT
This structure describes a running process inside the guest.
Definition: winprocess.h:83
_KTRAP_FRAME64::R9
QWORD R9
Definition: wddefs.h:1044
_WINUM_PATH::Path
WCHAR * Path
The string which represents the user-mode module path.
Definition: winumpath.h:17
_IG_SEG_REGS::EsLimit
QWORD EsLimit
Definition: glueiface.h:79
IntLogContextRecord
static void IntLogContextRecord(QWORD ContextRecord)
Logs information about a context record.
Definition: winbugcheck.c:526