#include "guest_stack.h"

Macros
#define	CODE_SEG_UM_32_GUEST_64 0x23

#define	CODE_SEG_UM_64_GUEST_64 0x33

#define	CODE_SEG_UM_32_GUEST_32 0x1b

Typedefs
typedef struct _DPI_EXTRA_INFO	DPI_EXTRA_INFO

typedef struct _DPI_EXTRA_INFO *	PDPI_EXTRA_INFO

typedef struct _WIN_PROCESS_OBJECT	WIN_PROCESS_OBJECT

typedef struct _WIN_PROCESS_OBJECT *	PWIN_PROCESS_OBJECT

Functions
INTSTATUS	IntWinStackTraceGet (QWORD StackFrame, QWORD Rip, DWORD MaxNumberOfTraces, QWORD Flags, STACK_TRACE *StackTrace)
	Get a kernel stack trace starting from the current stack pointer for 64 bit systems. More...

INTSTATUS	IntWinStackTraceGetUser (PIG_ARCH_REGS Registers, PWIN_PROCESS_OBJECT Process, DWORD MaxNumberOfTraces, STACK_TRACE *StackTrace)
	Get the user stack trace of a windows process. More...

INTSTATUS	IntWinStackUserCheckIsPivoted (QWORD UserRsp, DWORD SegCs, BOOLEAN IsWow64Stack, DPI_EXTRA_INFO DpiExtraInfo, BOOLEAN IsPivoted)
	Check whether the stack is pivoted by checking if it's in the bounds of the stack base and limit from the TIB. More...

INTSTATUS	IntWinStackUserTrapFrameGetGeneric (QWORD UserRsp, DWORD SegCs, BOOLEAN Fallback, DPI_EXTRA_INFO *DpiExtraInfo)
	Get a bit trap frame from a kernel stack. More...

INTSTATUS	IntWinStackWow64CheckIsPivoted (WIN_PROCESS_OBJECT Process, WIN_PROCESS_OBJECT RealParent, DPI_EXTRA_INFO *DpiExtraInfo)
	Check whether a wow64 process' stack is pivoted. More...

BOOLEAN	IntWinIsUmTrapFrame (void *TrapFrame)
	Checks whether a TrapFrame is valid or not. More...

Macro Definition Documentation

◆ CODE_SEG_UM_32_GUEST_32

#define CODE_SEG_UM_32_GUEST_32 0x1b

Definition at line 17 of file winstack.h.

Referenced by IntWinIsUmTrapFrame().

◆ CODE_SEG_UM_32_GUEST_64

#define CODE_SEG_UM_32_GUEST_64 0x23

Definition at line 14 of file winstack.h.

Referenced by IntWinStackUserCheckIsPivoted(), and IntWinStackWow64CheckIsPivoted().

◆ CODE_SEG_UM_64_GUEST_64

#define CODE_SEG_UM_64_GUEST_64 0x33

Definition at line 15 of file winstack.h.

Referenced by IntWinIsUmTrapFrame(), and IntWinStackUserCheckIsPivoted().

Typedef Documentation

◆ DPI_EXTRA_INFO

typedef struct _DPI_EXTRA_INFO DPI_EXTRA_INFO

Definition at line 10 of file winstack.h.

◆ PDPI_EXTRA_INFO

typedef struct _DPI_EXTRA_INFO * PDPI_EXTRA_INFO

Definition at line 10 of file winstack.h.

◆ PWIN_PROCESS_OBJECT

typedef struct _WIN_PROCESS_OBJECT * PWIN_PROCESS_OBJECT

Definition at line 11 of file winstack.h.

◆ WIN_PROCESS_OBJECT

typedef struct _WIN_PROCESS_OBJECT WIN_PROCESS_OBJECT

Definition at line 11 of file winstack.h.

Function Documentation

◆ IntWinIsUmTrapFrame()

BOOLEAN IntWinIsUmTrapFrame ( void * TrapFrame )

Checks whether a TrapFrame is valid or not.

Parameters

[in] TrapFrame Pointer to a trap frame to be checked.

Returns: TRUE if the trap frame is valid, FALSE otherwise.

Definition at line 2283 of file winstack.c.

Referenced by IntWinStackUserTrapFrameGet32(), IntWinStackUserTrapFrameGet64(), and IntWinStackUserTrapFrameGetGeneric().

◆ IntWinStackTraceGet()

INTSTATUS IntWinStackTraceGet	(	QWORD	StackFrame,
		QWORD	Rip,
		DWORD	MaxNumberOfTraces,
		QWORD	Flags,
		STACK_TRACE *	StackTrace
	)

Get a kernel stack trace starting from the current stack pointer for 64 bit systems.

Parameters

[in]	StackFrame	The current stack frame (EBP on x86, RSP on x86_64).
[in]	Rip	The current instruction pointer ( ignored on x86).
[in]	MaxNumberOfTraces	Maximum number of stack traces to get.
[in]	Flags	Can be either STACK_FLG_ONLY_DRIVER_ADDRS or STACK_FLG_FAST_GET.
[in,out]	StackTrace	A caller initialized STACK_TRACE structure that will hold the stack trace.

Returns: INT_STATUS_SUCCESS if successful, or an appropriate INTSTATUS error value.

Definition at line 1164 of file winstack.c.

Referenced by IntExceptWinKernelGetOriginator().

◆ IntWinStackTraceGetUser()

INTSTATUS IntWinStackTraceGetUser	(	PIG_ARCH_REGS	Registers,
		PWIN_PROCESS_OBJECT	Process,
		DWORD	MaxNumberOfTraces,
		STACK_TRACE *	StackTrace
	)

Get the user stack trace of a windows process.

Parameters

[in]	Registers	Pointer to a structure containing registers of the current CPU.
[in]	Process	Pointer to the process from which to get the stack trace.
[in]	MaxNumberOfTraces	Maximum number of stack traces to get.
[in,out]	StackTrace	A caller initialized STACK_TRACE structure that will hold the stack trace.

Returns: INT_STATUS_SUCCESS if successful, or an appropriate INTSTATUS error value.

Definition at line 1604 of file winstack.c.

Referenced by IntExceptUserGetExecOriginator(), and IntExceptUserHandleMemoryFunctions().

◆ IntWinStackUserCheckIsPivoted()

INTSTATUS IntWinStackUserCheckIsPivoted	(	QWORD	UserRsp,
		DWORD	SegCs,
		BOOLEAN	IsWow64Stack,
		DPI_EXTRA_INFO *	DpiExtraInfo,
		BOOLEAN *	IsPivoted
	)

Check whether the stack is pivoted by checking if it's in the bounds of the stack base and limit from the TIB.

Parameters

[in]	UserRsp	The current user stack pointer.
[in]	SegCs	The CS selector, can be any of the CODE_SEG_UM_32_GUEST_64, CODE_SEG_UM_64_GUEST_64, or CODE_SEG_UM_32_GUEST_32.
[in]	IsWow64Stack	True if this is a Wow64 stack.
[in,out]	DpiExtraInfo	Pointer to a caller allocated DPI_EXTRA_INFO structure that will have the stack base and limit fields set upon success.
[out]	IsPivoted	Will be set to TRUE if the stack is pivoted, FALSE otherwise.

Returns: INT_STATUS_SUCCESS if successful, or an appropriate INTSTATUS error value.

Definition at line 1741 of file winstack.c.

Referenced by IntWinDpiValidatePivotedStack(), and IntWinStackWow64CheckIsPivoted().

◆ IntWinStackUserTrapFrameGetGeneric()

INTSTATUS IntWinStackUserTrapFrameGetGeneric	(	QWORD *	UserRsp,
		DWORD *	SegCs,
		BOOLEAN	Fallback,
		DPI_EXTRA_INFO *	DpiExtraInfo
	)

Get a bit trap frame from a kernel stack.

Will also set the DpiExtraInfo DpiPivotedStackExtraInfo.TrapFrameAddress and DpiPivotedStackExtraInfo.CurrentStack fields accordingly upon success.

Parameters

[out]	UserRsp	Will hold the current user space stack pointer.
[out]	SegCs	Will be set to any of the CODE_SEG_UM_32_GUEST_64, CODE_SEG_UM_64_GUEST_64, or CODE_SEG_UM_32_GUEST_32 accordingly.
[in]	Fallback	If TRUE and we fail getting a valid trap frame, will search on the user stack.
[in,out]	DpiExtraInfo	Pointer to a caller allocated DPI_EXTRA_INFO structure.

Returns: INT_STATUS_SUCCESS if successful, or an appropriate INTSTATUS error value.

Definition at line 2020 of file winstack.c.

Referenced by IntWinDpiValidatePivotedStack().

◆ IntWinStackWow64CheckIsPivoted()

INTSTATUS IntWinStackWow64CheckIsPivoted	(	WIN_PROCESS_OBJECT *	Process,
		WIN_PROCESS_OBJECT *	RealParent,
		DPI_EXTRA_INFO *	DpiExtraInfo
	)

Check whether a wow64 process' stack is pivoted.

Will set the CreationInfo field of the Process accordingly upon success.

Parameters

[in]	Process	The process whose stack to be checked.
[in]	RealParent	The process' parent.
[in,out]	DpiExtraInfo	Pointer to a caller allocated DPI_EXTRA_INFO structure.

Returns: INT_STATUS_SUCCESS if successful, or an appropriate INTSTATUS error value.

Definition at line 2203 of file winstack.c.

Referenced by IntWinDpiValidatePivotedStack().

Macros

Typedefs

Functions

Macro Definition Documentation

◆ CODE_SEG_UM_32_GUEST_32

◆ CODE_SEG_UM_32_GUEST_64

◆ CODE_SEG_UM_64_GUEST_64

Typedef Documentation

◆ DPI_EXTRA_INFO

◆ PDPI_EXTRA_INFO

◆ PWIN_PROCESS_OBJECT

◆ WIN_PROCESS_OBJECT

Function Documentation

◆ IntWinIsUmTrapFrame()

◆ IntWinStackTraceGet()

◆ IntWinStackTraceGetUser()

◆ IntWinStackUserCheckIsPivoted()

◆ IntWinStackUserTrapFrameGetGeneric()

◆ IntWinStackWow64CheckIsPivoted()