/*
 * Win32 SEH exception codes as they appear in the guest's EXCEPTION_RECORD
 * (same values as the EXCEPTION_* constants in winbase.h, i.e. the
 * corresponding STATUS_* NTSTATUS codes). STILL_ACTIVE is STATUS_PENDING.
 */
#define STILL_ACTIVE 0x00000103L
#define EXCEPTION_ACCESS_VIOLATION 0xC0000005L
#define EXCEPTION_DATATYPE_MISALIGNMENT 0x80000002L
#define EXCEPTION_BREAKPOINT 0x80000003L
#define EXCEPTION_SINGLE_STEP 0x80000004L
#define EXCEPTION_ARRAY_BOUNDS_EXCEEDED 0xC000008CL
#define EXCEPTION_FLT_DENORMAL_OPERAND 0xC000008DL
#define EXCEPTION_FLT_DIVIDE_BY_ZERO 0xC000008EL
#define EXCEPTION_FLT_INEXACT_RESULT 0xC000008FL
#define EXCEPTION_FLT_INVALID_OPERATION 0xC0000090L
#define EXCEPTION_FLT_OVERFLOW 0xC0000091L
#define EXCEPTION_FLT_STACK_CHECK 0xC0000092L
#define EXCEPTION_FLT_UNDERFLOW 0xC0000093L
#define EXCEPTION_INT_DIVIDE_BY_ZERO 0xC0000094L
#define EXCEPTION_INT_OVERFLOW 0xC0000095L
#define EXCEPTION_PRIV_INSTRUCTION 0xC0000096L
#define EXCEPTION_IN_PAGE_ERROR 0xC0000006L
#define EXCEPTION_ILLEGAL_INSTRUCTION 0xC000001DL
#define EXCEPTION_NONCONTINUABLE_EXCEPTION 0xC0000025L
#define EXCEPTION_STACK_OVERFLOW 0xC00000FDL
#define EXCEPTION_INVALID_DISPOSITION 0xC0000026L
#define EXCEPTION_GUARD_PAGE 0x80000001L
#define EXCEPTION_INVALID_HANDLE 0xC0000008L
#define EXCEPTION_POSSIBLE_DEADLOCK 0xC0000194L
#define CONTROL_C_EXIT 0xC000013AL

/*
 * Internal kernel exception codes. They are tagged with KI_EXCEPTION_INTERNAL
 * so they cannot collide with the user-mode codes above; IntWinPreProcessException
 * translates them into the user-mode exception status.
 */
#define KI_EXCEPTION_INTERNAL 0x10000000
/* General protection fault. */
#define KI_EXCEPTION_GP_FAULT ((INTSTATUS)(KI_EXCEPTION_INTERNAL | 0x01))
/* Invalid opcode exception. */
#define KI_EXCEPTION_INVALID_OP ((INTSTATUS)(KI_EXCEPTION_INTERNAL | 0x02))
/* Divide error. */
#define KI_EXCEPTION_INTEGER_DIVIDE_BY_ZERO ((INTSTATUS)(KI_EXCEPTION_INTERNAL | 0x03))
/* Page fault. */
#define KI_EXCEPTION_ACCESS_VIOLATION ((INTSTATUS)(KI_EXCEPTION_INTERNAL | 0x04))

/*
 * Exception flag values: whether the faulting thread may resume after the
 * exception (FLG_NON_CONTINUABLE matches Windows' EXCEPTION_NONCONTINUABLE, 0x1).
 */
#define FLG_CONTINUABLE 0
#define FLG_NON_CONTINUABLE 1

/*
 * Checks if a fault is an access violation caused by DEP: the record must carry
 * EXCEPTION_ACCESS_VIOLATION, the faulting address must lie in user space
 * (IS_KERNEL_POINTER_WIN picks the kernel/user split from gGuest.Guest64), and
 * ExceptionInformation[0] must be PARAM1_DEP. Er is expanded three times, so
 * only pass an lvalue with no side effects.
 */
#define IS_DEP_FAULT(Er) ((EXCEPTION_ACCESS_VIOLATION == (Er).ExceptionCode) && \
!IS_KERNEL_POINTER_WIN(gGuest.Guest64, (Er).ExceptionAddress) && \
(PARAM1_DEP == (Er).ExceptionInformation[0]))

/*
 * User-mode code segment selectors; callers compare them against the trap
 * frame's SegCs with the low three selector bits (TI/RPL) masked off.
 */
/* 32-bit user mode code selector. */
#define CODE_SEG_UM_32 0x20
/* 64-bit user mode code selector. */
#define CODE_SEG_UM_64 0x30
switch (ExceptionCode)
151 *Status = ExceptionCode;
162 _In_ void const *TrapFrame,
194 Regs->R12 = ExFrame->R12;
195 Regs->R13 = ExFrame->R13;
196 Regs->R14 = ExFrame->R14;
197 Regs->R15 = ExFrame->R15;
221 _In_ void const *ExceptionRecord,
259 QWORD stackLimit = 0;
282 ERROR(
"[ERROR] IntKernVirtMemRead failed for 0x%016llx: 0x%08x\n", TrapFrameGva, status);
289 ERROR(
"[ERROR] IntKernVirtMemRead failed for 0x%016llx: 0x%08x\n", ExceptionFrameGva, status);
298 switch (tf.
SegCs & ~0x7)
309 WARNING(
"[WARNING] Unrecognized CS value: 0x%08x\n", tf.
SegCs);
322 ERROR(
"[ERROR] IntKernVirtMemRead failed for 0x%016llx: 0x%08x\n", TrapFrameGva, status);
339 WARNING(
"[WARNING] IntTranslateVirtualAddress failed for 0x%016llx and Cr3 0x%016llx: 0x%08x\n",
350 WARNING(
"[WARNING] IntWinThrGetCurrentTib failed: 0x%08x\n", status);
358 WARNING(
"[WARNING] IntWinThrGetUmStackBaseAndLimitFromTib failed: 0x%08x\n", status);
363 bRspOut = ((regs.
Rsp < stackLimit - 0x3000) || (regs.
Rsp >= stackBase));
364 bIsStack = (regs.
Rip >= stackLimit) && (regs.
Rip < stackBase);
377 if (!(bRspOut || bIsStack || (0 != scflags)))
384 memzero(&originator,
sizeof(originator));
385 memzero(&victim,
sizeof(victim));
390 ERROR(
"[ERROR] Failed getting originator: 0x%08x\n", status);
394 originator.
Rip = regs.
Rip;
401 ERROR(
"[ERROR] Failed getting modified zone: 0x%08x\n", status);
408 LOG(
"[DEP] [CPU %d] EXPLOIT detected! Execution attempted at 0x%016llx!\n",
gVcpu->
Index, regs.
Rip);
409 LOG(
"[DEP] Current address: 0x%016llx, current stack: 0x%016llx, known stack: 0x%016llx/0x%016llx, " 410 "TIB: 0x%016llx\n", regs.
Rip, regs.
Rsp, stackBase, stackLimit, tibBase);
411 LOG(
"[DEP] RSP out: %d; Is stack: %d; ScFlags: 0x%llx\n", bRspOut, bIsStack, scflags);
416 memzero(pEvent,
sizeof(*pEvent));
460 WARNING(
"[WARNING] IntVirtMemRead failed for 0x%016llx: 0x%08x\n", regs.
Rip &
PAGE_MASK, status);
468 WARNING(
"[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
477 _In_ void const *ExceptionRecord
497 if (NULL == ExceptionRecord)
505 ERROR(
"[ERROR] Can not find process. Current CR3 = 0x%016llx\n",
gVcpu->
Regs.
Cr3);
519 LOG(
"[UMEXCEPTION] Code: 0x%08x at RIP 0x%016llx inside process `%s` (Pid %d, Cr3 0x%016llx). " 534 LOG(
"[UMEXCEPTION] Code: 0x%08x at RIP 0x%08x inside process `%s` (Pid %d, Cr3 0x%016llx). " 594 ERROR(
"[ERROR] IntDetGetArguments failed: 0x%08x\n", status);
595 goto _cleanup_and_exit;
611 goto _cleanup_and_exit;
621 ERROR(
"[ERROR] IntKernVirtMemRead failed for 0x%016llx: 0x%08x\n", pRegs->
Rcx, status);
622 goto _cleanup_and_exit;
629 goto _cleanup_and_exit;
636 goto _cleanup_and_exit;
646 ERROR(
"[ERROR] IntWinCrashHandleDepViolation failed: 0x%08x\n", status);
655 ERROR(
"[ERROR] IntWinSendUmExceptionEvent failed: 0x%08x\n", status);
656 goto _cleanup_and_exit;
667 ERROR(
"[ERROR] IntKernVirtMemRead failed for 0x%016llx: 0x%08x\n", erGva, status);
668 goto _cleanup_and_exit;
675 goto _cleanup_and_exit;
686 ERROR(
"[ERROR] IntWinCrashHandleDepViolation failed: 0x%08x\n", status);
695 ERROR(
"[ERROR] IntWinSendUmExceptionEvent failed: 0x%08x\n", status);
696 goto _cleanup_and_exit;
#define EXCEPTION_IN_PAGE_ERROR
struct _EVENT_EPT_VIOLATION::@284 Victim
INTRO_CODEBLOCKS CodeBlocks
Code blocks extracted for the alert.
Measures IntWinHandleException invocations done for DEP violations.
#define CODE_SEG_UM_64
64-bit user mode code selector
BOOLEAN EnforcedDep
TRUE if DEP (Data Execution Prevention) has been enforced.
#define EXCEPTION_FLT_DENORMAL_OPERAND
A user-mode data execution prevention (DEP) violation.
Attempt to read inaccessible data.
INTSTATUS IntWinHandleException(void *Detour)
Handles a hardware exception triggered inside the guest. This is the detour handler for the guest KiDis...
#define EXCEPTION_SINGLE_STEP
#define EXCEPTION_GUARD_PAGE
BYTE Violation
The type of the access. It must be one of the IG_EPT_HOOK_TYPE values.
IG_ARCH_REGS Regs
The current state of the guest registers.
DWORD Index
The VCPU number.
#define EXCEPTION_NONCONTINUABLE_EXCEPTION
MITRE_ID MitreID
The Mitre ID that corresponds to this attack.
#define INT_STATUS_SUCCESS
#define EXCEPTION_PRIV_INSTRUCTION
QWORD ExceptionAddress
The address at which the exception was generated.
DWORD ExceptionCode
The code generated by hardware, or the one used with RaiseException(), or DBG_CONTROL_C.
INTSTATUS IntWinThrGetCurrentTib(IG_CS_RING CurrentRing, IG_CS_TYPE CsType, QWORD *Tib)
Obtain the TIB (Thread Information Block) of the thread running on the current CPU.
void IntAlertFillWinProcess(const WIN_PROCESS_OBJECT *Process, INTRO_PROCESS *EventProcess)
Saves information about a windows process inside an alert.
User-mode non executable zone.
BOOLEAN LastExceptionContinuable
TRUE if the last exception is continuable (for example a #PF that was caused due to the way the OS do...
QWORD HookStartPhysical
The start of the monitored guest physical memory area for which this alert was generated.
static INTSTATUS IntWinSetUmExceptionEvent(void const *ExceptionRecord)
Sets the last exception triggered by a process.
#define INT_SUCCESS(Status)
#define EXCEPTION_FLT_STACK_CHECK
QWORD Flags
A combination of ALERT_FLAG_* values describing the alert.
#define EXCEPTION_FLT_INVALID_OPERATION
#define EXCEPTION_POSSIBLE_DEADLOCK
#define INT_STATUS_NOT_NEEDED_HINT
Describes a user-mode originator.
static INTSTATUS IntWinCrashHandleDepViolation(void const *ExceptionRecord, QWORD ExceptionFrameGva, QWORD TrapFrameGva)
Handles a crash generated by a DEP violation.
INTSTATUS IntShcIsSuspiciousCode(QWORD Gva, QWORD Gpa, DWORD CsType, IG_ARCH_REGS *Registers, QWORD *ShellcodeFlags)
Checks if the code located at the given guest virtual address is suspicious or not.
int INTSTATUS
The status data type.
#define EXCEPTION_FLT_UNDERFLOW
#define FLG_NON_CONTINUABLE
#define KI_EXCEPTION_ACCESS_VIOLATION
Page fault.
#define INT_STATUS_NOT_FOUND
QWORD Rip
The value of the guest RIP register when the event was generated.
#define EXCEPTION_INT_DIVIDE_BY_ZERO
INTSTATUS IntDumpCodeAndRegs(QWORD Gva, QWORD Gpa, IG_ARCH_REGS *Registers)
This function dumps an entire page (textual disassembly and opcodes) as well as the values of the reg...
An _KEXCEPTION_FRAME structure used by 64-bit guests.
QWORD HookStartVirtual
The start of the monitored guest virtual memory area for which this alert was generated.
DWORD Protected
TRUE if this is a protected process. If this is FALSE, most of the above fields aren't used at all...
QWORD SourceVA
The GVA from where the injection is.
ACCESS_VIOLATION_EVENT
The type of event that caused the access violation.
void IntAlertFillVersionInfo(INTRO_VIOLATION_HEADER *Header)
Fills version information for an alert.
QWORD IntAlertProcGetFlags(QWORD ProtectionFlag, const void *Process, INTRO_ACTION_REASON Reason, QWORD AdditionalFlags)
Returns the flags for an alert.
INTRO_VIOLATION_HEADER Header
The alert header.
INTRO_ACTION_REASON Reason
The reason for which Action was taken.
Exposes the functions used to provide Windows Threads related support.
QWORD Cr3
Process PDBR. Includes PCID.
#define EXCEPTION_ILLEGAL_INSTRUCTION
#define ALERT_FLAG_DEP_VIOLATION
If set, the alert was generated by a DEP violation.
#define EXCEPTION_ACCESS_VIOLATION
GENERIC_ALERT gAlert
Global alert buffer.
#define EXCEPTION_FLT_INEXACT_RESULT
#define EXCEPTION_DATATYPE_MISALIGNMENT
#define KI_EXCEPTION_GP_FAULT
General protection fault.
INTRO_CPUCTX CpuContext
The context of the CPU that triggered the alert.
#define EXCEPTION_INVALID_HANDLE
INTSTATUS IntNotifyIntroEvent(INTRO_EVENT_TYPE EventClass, void *Param, size_t EventSize)
Notifies the integrator about an introspection alert.
#define ZONE_EXECUTE
Used for execute violation.
BOOLEAN Valid
Set to True if the information in the structure is valid, False otherwise.
BOOLEAN Guest64
True if this is a 64-bit guest, False if it is a 32-bit guest.
INTSTATUS IntExceptGetVictimEpt(void *Context, QWORD Gpa, QWORD Gva, INTRO_OBJECT_TYPE Type, DWORD ZoneFlags, EXCEPTION_VICTIM_ZONE *Victim)
Fills an EXCEPTION_VICTIM_ZONE with relevant information from an EPT violation.
CHAR Name[IMAGE_BASE_NAME_LEN]
Process base name.
#define IS_DEP_FAULT(Er)
Checks if a fault is an access violation caused by DEP.
An _EXCEPTION_RECORD structure used by 64-bit guests.
void IntExceptUserLogInformation(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_UM_ORIGINATOR *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason)
Prints the information about a user-mode violation, dumps the code-blocks and the injection buffer...
INTSTATUS IntTranslateVirtualAddress(QWORD Gva, QWORD Cr3, QWORD *PhysicalAddress)
Translates a guest virtual address to a guest physical address.
#define IS_KERNEL_POINTER_WIN(is64, p)
Checks if a guest virtual address resides inside the Windows kernel address space.
PWIN_PROCESS_OBJECT IntWinProcFindObjectByCr3(QWORD Cr3)
Finds a process by its kernel CR3.
QWORD LastExceptionRip
The RIP of the last exception that took place.
static void IntWinFillRegsFromExceptionInfo(void const *TrapFrame, KEXCEPTION_FRAME64 const *ExFrame, IG_ARCH_REGS *Regs)
Reads the guest registers available inside the guest exception information structures.
#define KERNEL_MODE
The event was triggered inside the kernel space.
QWORD StackLimit
The stack limit for the thread that attempted the execution.
INTRO_EXEC_CONTEXT ExecContext
Information about the instruction that triggered the alert.
DWORD Pid
Process ID (the one used by Windows).
#define EXCEPTION_FLT_DIVIDE_BY_ZERO
Sent when an EPT violation triggers an alert. See EVENT_EPT_VIOLATION.
Describes the modified zone.
DWORD CsType
The type of the code segment. Can be one of the IG_CS_TYPE values.
INTSTATUS IntWinThrGetUmStackBaseAndLimitFromTib(QWORD Tib, IG_CS_TYPE CsType, QWORD Cr3, QWORD *StackBase, QWORD *StackLimit)
Obtains the user mode stack base and stack limit values.
INTSTATUS IntDetGetArguments(void const *Detour, DWORD Argc, QWORD *Argv)
Reads multiple arguments from a detour.
BOOLEAN Valid
Set to True if the information in the structure is valid, False otherwise.
#define EXCEPTION_BREAKPOINT
#define EXCEPTION_ARRAY_BOUNDS_EXCEEDED
DWORD Offset
The offset inside the page where the violation took place.
QWORD Cr3
The value of the guest CR3 register when the event was generated.
#define ALERT_FLAG_SYSPROC
If set, the alert is on system process.
DWORD SystemProcess
TRUE if this is a system process.
GUEST_STATE gGuest
The current guest state.
INTSTATUS IntVirtMemRead(QWORD Gva, DWORD Length, QWORD Cr3, void *Buffer, DWORD *RetLength)
Reads data from a guest virtual memory range.
#define CODE_SEG_UM_32
32-bit user mode code selector
QWORD Rsp
The value of the guest RSP register at the moment of execution.
INTRO_ACTION Action
The action that was taken as the result of this alert.
INTSTATUS IntKernVirtMemRead(QWORD KernelGva, DWORD Length, void *Buffer, DWORD *RetLength)
Reads data from a guest kernel virtual memory range.
#define ZONE_DEP_EXECUTION
Used for executions inside DEP zones.
QWORD VirtualPage
The guest virtual page in which the access was made.
DWORD LastException
The code of the last exception that took place.
INTSTATUS IntExceptUserGetExecOriginator(void *Process, EXCEPTION_UM_ORIGINATOR *Originator)
This function is used to get the originator for heap execution.
#define EXCEPTION_STACK_OVERFLOW
QWORD StackBase
The stack base for the thread that attempted the execution.
#define INT_STATUS_INVALID_PARAMETER_1
INTRO_PROCESS CurrentProcess
The current process.
#define EXCEPTION_FLT_OVERFLOW
VCPU_STATE * gVcpu
The state of the current VCPU.
The action was blocked because there was no exception for it.
static BOOLEAN IntWinPreProcessException(DWORD ExceptionCode, DWORD *Status)
Translates an internal kernel exception code to an exception status known by user mode applications...
#define EXCEPTION_INVALID_DISPOSITION
#define KI_EXCEPTION_INTEGER_DIVIDE_BY_ZERO
Divide error.
INTRO_EXEC_INFO ExecInfo
Execution information. Valid only if Violation is IG_EPT_HOOK_EXECUTE.
Event structure for EPT violations.
#define KI_EXCEPTION_INVALID_OP
Invalid opcode exceptions.
Exploitation for Client Execution.
DWORD Length
The length of the instruction.
Measures user mode crash handlers.
#define IntWinGetCurrentProcess()
BYTE RipCode[0x1000]
The contents of the guest memory page that contains the RIP at which the execution attempt was detect...
QWORD Rip
Where the write/exec came from.
An _EXCEPTION_RECORD structure used by 64-bit guests.
Attempt to write inaccessible data.
INTRO_OBJECT_TYPE Type
The type of the accessed memory area.
#define EXCEPTION_INT_OVERFLOW
This structure describes a running process inside the guest.