Bitdefender Hypervisor Memory Introspection
Kernel mode exceptions. More...
#include "exceptions.h"
#include "guests.h"
#include "lixstack.h"
#include "winpe.h"
#include "winstack.h"
#include "lixksym.h"
Go to the source code of this file.
Functions | |
| static int | IntExceptPrintLixKmDrvInfo (KERNEL_DRIVER *Driver, char *Header, char *Line, int MaxLength, DWORD NameAlignment) |
| Print the information about the provided KERNEL_DRIVER (Linux guest). More... | |
| int | IntExceptPrintWinKmModInfo (KERNEL_DRIVER *Module, char *Header, char *Line, int MaxLength, DWORD NameAlignment) |
| Print the information about the provided KERNEL_DRIVER (windows guest). More... | |
| static int | IntExceptPrintMsrInfo (EXCEPTION_VICTIM_ZONE *Victim, char *Header, char *Line, int MaxLength) |
| Print the information about the modified MSR. More... | |
| static int | IntExceptPrintCrInfo (EXCEPTION_VICTIM_ZONE *Victim, char *Header, char *Line, int MaxLength) |
| Print the information about the modified CR. More... | |
| static int | IntExceptPrintIdtInfo (EXCEPTION_VICTIM_ZONE *Victim, char *Header, char *Line, int MaxLength) |
| Print the information about the modified IDT entry. More... | |
| static int | IntExceptPrintDtrInfo (EXCEPTION_VICTIM_ZONE *Victim, char *Header, char *Line, int MaxLength) |
| Print the information about the modified IDTR/GDTR. More... | |
| static void | IntExceptKernelLogLinuxInformation (EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason) |
| Print the information about a kernel-mode violation (Linux guest). More... | |
| static int | IntExceptPrintDrvObjInfo (WIN_DRIVER_OBJECT *DrvObj, char *Header, char *Line, int MaxLength) |
| Print the information about the WIN_DRIVER_OBJECT. More... | |
| static void | IntExceptKernelLogWindowsInformation (EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason) |
| Print the information about a kernel-mode violation (windows guest). More... | |
| void | IntExceptKernelLogInformation (EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason) |
| Print the information about a kernel-mode violation and dumps the code-blocks. More... | |
| static BOOLEAN | IntExceptLixKernelIsMemoryFunc (QWORD Rip) |
| This function is used to check if the write has been made using any of the "memcpy", "__memcpy", "memset", "__memset" or "memmove" functions. More... | |
| static INTSTATUS | IntExceptLixKernelGetOriginator (EXCEPTION_KM_ORIGINATOR *Originator) |
| This function is used to get the information about the kernel-mode originator (Linux guest). More... | |
| static INTSTATUS | IntExceptWinKernelGetOriginator (EXCEPTION_KM_ORIGINATOR *Originator, DWORD Options) |
| This function is used to get the information about the kernel-mode originator (windows guest). More... | |
| INTSTATUS | IntExceptKernelGetOriginator (EXCEPTION_KM_ORIGINATOR *Originator, DWORD Options) |
| This function is used to get the information about the kernel-mode originator. More... | |
| INTSTATUS | IntExceptGetOriginatorFromModification (EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator) |
| This function is used for integrity violations to get the information about the kernel-mode originator. More... | |
| INTSTATUS | IntExceptGetVictimDtr (DTR *NewValue, DTR *OldValue, INTRO_OBJECT_TYPE Type, EXCEPTION_VICTIM_ZONE *Victim) |
| This function is used to get the information about the DTR victim. More... | |
| INTSTATUS | IntExceptGetVictimMsr (QWORD NewValue, QWORD OldValue, DWORD Msr, EXCEPTION_VICTIM_ZONE *Victim) |
| This function is used to get the information about the MSR victim. More... | |
| INTSTATUS | IntExceptGetVictimIntegrity (INTEGRITY_REGION *IntegrityRegion, DWORD *Offset, EXCEPTION_VICTIM_ZONE *Victim) |
| This function is used to get the information about the modified zone from the integrity region. More... | |
| INTSTATUS | IntExceptGetVictimCr (QWORD NewValue, QWORD OldValue, DWORD Cr, EXCEPTION_VICTIM_ZONE *Victim) |
| This function is used to get the information about the CR victim. More... | |
| INTSTATUS | IntExceptKernelVerifyExtra (EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_UM_ORIGINATOR *Originator, UM_EXCEPTION *Exception) |
| This function is used as an extra step in exception mechanism. More... | |
| INTSTATUS | IntExceptKernelMatchVictim (EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, KM_EXCEPTION *Exception) |
| This function checks if the exception matches the originator and the modified zone. More... | |
| INTSTATUS | IntExceptKernel (EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason) |
| This function iterates through exception lists and tries to find an exception that matches the originator and the victim. More... | |
Variables | |
| char | gExcLogLine [2 *ONE_KILOBYTE] |
| The exception log line. More... | |
Kernel mode exceptions.
Definition in file exceptions_kern.c.
| INTSTATUS IntExceptGetOriginatorFromModification | ( | EXCEPTION_VICTIM_ZONE * | Victim, |
| EXCEPTION_KM_ORIGINATOR * | Originator | ||
| ) |
This function is used for integrity violations to get the information about the kernel-mode originator.
The function tries to get the address of the originator driver from the written memory zone (victim->WriteInfo).
| [in] | Victim | The victim object. |
| [out] | Originator | The originator object. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_EXCEPTION_BLOCK | If the violation should be blocked. |
| INT_STATUS_EXCEPTION_ALLOW | If the violation should be allowed. |
| INT_STATUS_NOT_SUPPORTED | If the modified object type is not one of the supported types (the enumerated list did not survive in this rendering). |
Definition at line 2207 of file exceptions_kern.c.
Referenced by IntWinDrvObjHandleModification(), IntWinHalHandleDispatchTableWrite(), IntWinIdtHandleModification(), and IntWinInfHookIntegrityHandleWrite().
| INTSTATUS IntExceptGetVictimCr | ( | QWORD | NewValue, |
| QWORD | OldValue, | ||
| DWORD | Cr, | ||
| EXCEPTION_VICTIM_ZONE * | Victim | ||
| ) |
This function is used to get the information about the CR victim.
| [in] | NewValue | The new value (written) of the CR. |
| [in] | OldValue | The old value of the CR. |
| [in] | Cr | The number of the CR register. |
| [out] | Victim | The victim object. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_SUPPORTED | If the provided CR is not CR4. |
| INT_STATUS_INVALID_PARAMETER_2 | If the provided DTR object is invalid. |
| INT_STATUS_INVALID_PARAMETER_4 | If the provided victim object is invalid. |
Definition at line 2620 of file exceptions_kern.c.
Referenced by IntCrLixHandleWrite(), and IntCrWinHandleWrite().
| INTSTATUS IntExceptGetVictimDtr | ( | DTR * | NewValue, |
| DTR * | OldValue, | ||
| INTRO_OBJECT_TYPE | Type, | ||
| EXCEPTION_VICTIM_ZONE * | Victim | ||
| ) |
This function is used to get the information about the DTR victim.
| [in] | NewValue | The new value (written) of the DTR. |
| [in] | OldValue | The old value of the DTR. |
| [in] | Type | Any of the following: introObjectTypeIdtr / introObjectTypeGdtr. |
| [out] | Victim | The victim object. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER_1 | If the provided new DTR value (NewValue) is invalid. |
| INT_STATUS_INVALID_PARAMETER_2 | If the provided old DTR value (OldValue) is invalid. |
| INT_STATUS_INVALID_PARAMETER_4 | If the provided victim object is invalid. |
Definition at line 2342 of file exceptions_kern.c.
Referenced by IntDtrHandleWrite().
| INTSTATUS IntExceptGetVictimIntegrity | ( | INTEGRITY_REGION * | IntegrityRegion, |
| DWORD * | Offset, | ||
| EXCEPTION_VICTIM_ZONE * | Victim | ||
| ) |
This function is used to get the information about the modified zone from the integrity region.
Fetches the old value and the new value at the modified address, aligned down to 64/32 bits (the upper bytes may be unchanged, so they will not be detected). Returns the offset of the found modification so the function can be called recursively, with scanning starting at the given offset.
| [in] | IntegrityRegion | The integrity region object. |
| [in] | Offset | The offset in the region (not in the page) from which to search for modifications (used for recursive calls). |
| [out] | Victim | The victim object. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER_1 | If the provided integrity-region object is invalid. |
| INT_STATUS_INVALID_PARAMETER_2 | If the provided offset pointer is invalid. |
| INT_STATUS_INVALID_PARAMETER_4 | If the provided victim object is invalid. |
| INT_STATUS_NOT_FOUND | If no modification is found. |
| INT_STATUS_BUFFER_OVERFLOW | If the provided region modification won't fit the modified object. |
Definition at line 2440 of file exceptions_kern.c.
Referenced by IntWinDrvObjHandleModification(), IntWinHalHandleDispatchTableWrite(), IntWinIdtHandleModification(), and IntWinInfHookIntegrityHandleWrite().
| INTSTATUS IntExceptGetVictimMsr | ( | QWORD | NewValue, |
| QWORD | OldValue, | ||
| DWORD | Msr, | ||
| EXCEPTION_VICTIM_ZONE * | Victim | ||
| ) |
This function is used to get the information about the MSR victim.
| [in] | NewValue | The new value (written) of the MSR. |
| [in] | OldValue | The old value of the MSR. |
| [in] | Msr | The number of the MSR. |
| [out] | Victim | The victim object. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER_4 | If the provided victim object is invalid. |
Definition at line 2394 of file exceptions_kern.c.
Referenced by IntLixMsrHandleWrite(), and IntWinMsrHandleWrite().
| INTSTATUS IntExceptKernel | ( | EXCEPTION_VICTIM_ZONE * | Victim, |
| EXCEPTION_KM_ORIGINATOR * | Originator, | ||
| INTRO_ACTION * | Action, | ||
| INTRO_ACTION_REASON * | Reason | ||
| ) |
This function iterates through exception lists and tries to find an exception that matches the originator and the victim.
| [in] | Victim | The victim object. |
| [in] | Originator | The originator object. |
| [out] | Action | The action that was taken. |
| [out] | Reason | The reason for which Action was taken. |
| INT_STATUS_INVALID_PARAMETER_1 | If the victim object is invalid. |
| INT_STATUS_INVALID_PARAMETER_2 | If the originator object is invalid. |
| INT_STATUS_INVALID_PARAMETER_3 | If the action is invalid. |
| INT_STATUS_INVALID_PARAMETER_4 | If the reason is invalid. |
| INT_STATUS_EXCEPTION_ALLOW | If the violation is allowed. |
| INT_STATUS_EXCEPTION_NOT_MATCHED | If no exception matched the violation (the violation is not allowed). |
Definition at line 3073 of file exceptions_kern.c.
Referenced by IntExcept().
| INTSTATUS IntExceptKernelGetOriginator | ( | EXCEPTION_KM_ORIGINATOR * | Originator, |
| DWORD | Options | ||
| ) |
This function is used to get the information about the kernel-mode originator.
| [out] | Originator | The originator object. |
| [in] | Options | Options consulted when deciding if the violation should be blocked. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER_1 | If the provided originator is invalid. |
| INT_STATUS_NOT_SUPPORTED | If the guest type is not supported. |
Definition at line 2160 of file exceptions_kern.c.
Referenced by IntCrLixHandleWrite(), IntCrWinHandleWrite(), IntDtrHandleWrite(), IntHookGvaEnableHooks(), IntHookPtsCheckIntegrity(), IntLixDrvHandleWrite(), IntLixIdtWriteHandler(), IntLixKernelHandleRead(), IntLixMsrHandleWrite(), IntLixVdsoHandleKernelModeWrite(), IntVeHandleAccess(), IntVeHandleEPTViolationInProtectedView(), IntWinDrvHandleRead(), IntWinDrvHandleWrite(), IntWinDrvObjHandleWrite(), IntWinGuestHandleKernelSudExec(), IntWinHalHandleHalHeapExec(), IntWinHalHandleHalIntCtrlWrite(), IntWinIdtWriteHandler(), IntWinInfHookEptSppHandleWrite(), IntWinModHandleKernelWrite(), IntWinMsrHandleWrite(), IntWinSelfMapHandleCr3SelfMapWrite(), and IntWinTokenPrivsHandleWrite().
| void IntExceptKernelLogInformation | ( | EXCEPTION_VICTIM_ZONE * | Victim, |
| EXCEPTION_KM_ORIGINATOR * | Originator, | ||
| INTRO_ACTION | Action, | ||
| INTRO_ACTION_REASON | Reason | ||
| ) |
Print the information about a kernel-mode violation and dumps the code-blocks.
| [in] | Victim | The victim object. |
| [in] | Originator | The originator object. |
| [in] | Action | The action that was taken. |
| [in] | Reason | The reason for which Action was taken. |
Definition at line 1667 of file exceptions_kern.c.
Referenced by IntCrLixHandleWrite(), IntCrWinHandleWrite(), IntDtrHandleWrite(), IntExcept(), IntLixDrvHandleWrite(), IntLixKernelHandleRead(), IntLixMsrHandleWrite(), IntLixVdsoHandleKernelModeWrite(), IntVeHandleAccess(), IntVeHandleEPTViolationInProtectedView(), IntWinDrvHandleRead(), IntWinDrvHandleWrite(), IntWinDrvObjHandleModification(), IntWinDrvObjHandleWrite(), IntWinGuestHandleKernelSudExec(), IntWinHalHandleHalHeapExec(), IntWinHalHandleHalIntCtrlWrite(), IntWinInfHookEptSppHandleWrite(), IntWinInfHookIntegrityHandleWrite(), IntWinMsrHandleWrite(), and IntWinTokenPrivsHandleWrite().
static void IntExceptKernelLogLinuxInformation (EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason)
Print the information about a kernel-mode violation (Linux guest).
| [in] | Victim | The victim object. |
| [in] | Originator | The originator object. |
| [in] | Action | The action that was taken. |
| [in] | Reason | The reason for which Action was taken. |
Definition at line 632 of file exceptions_kern.c.
Referenced by IntExceptKernelLogInformation().
static void IntExceptKernelLogWindowsInformation (EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason)
Print the information about a kernel-mode violation (windows guest).
| [in] | Victim | The victim object. |
| [in] | Originator | The originator object. |
| [in] | Action | The action that was taken. |
| [in] | Reason | The reason for which Action was taken. |
Definition at line 1191 of file exceptions_kern.c.
Referenced by IntExceptKernelLogInformation().
| INTSTATUS IntExceptKernelMatchVictim | ( | EXCEPTION_VICTIM_ZONE * | Victim, |
| EXCEPTION_KM_ORIGINATOR * | Originator, | ||
| KM_EXCEPTION * | Exception | ||
| ) |
This function checks if the exception matches the originator and the modified zone.
The following are verified (the itemized list did not survive in this rendering):
| [in] | Victim | The victim object. |
| [in] | Originator | The originator object. |
| [in] | Exception | The current exception object. |
| INT_STATUS_EXCEPTION_NOT_MATCHED | If any check fails. |
| INT_STATUS_EXCEPTION_ALLOW | If all checks have passed. |
Definition at line 2692 of file exceptions_kern.c.
Referenced by IntExceptMatchException().
| INTSTATUS IntExceptKernelVerifyExtra | ( | EXCEPTION_VICTIM_ZONE * | Victim, |
| EXCEPTION_UM_ORIGINATOR * | Originator, | ||
| UM_EXCEPTION * | Exception | ||
| ) |
This function is used as an extra step in the exception mechanism.
| [in] | Victim | The victim object. |
| [in] | Originator | The originator object. |
| [in] | Exception | The current exception object. |
| INT_STATUS_EXCEPTION_CHECKS_OK | On success. |
Definition at line 2668 of file exceptions_kern.c.
Referenced by IntExceptMatchException().
static INTSTATUS IntExceptLixKernelGetOriginator (EXCEPTION_KM_ORIGINATOR *Originator)
This function is used to get the information about the kernel-mode originator (Linux guest).
The stack-trace is parsed in order to fetch the return driver.
| [out] | Originator | The originator object. |
| INT_STATUS_SUCCESS | On success. |
Definition at line 1735 of file exceptions_kern.c.
Referenced by IntExceptKernelGetOriginator().
static BOOLEAN IntExceptLixKernelIsMemoryFunc (QWORD Rip)
This function is used to check if the write has been made using any of the "memcpy", "__memcpy", "memset", "__memset" or "memmove" functions.
| [in] | Rip | The rip from which the writing came from. |
| True | If the write has been made using one of the generic write functions; false otherwise. |
Definition at line 1705 of file exceptions_kern.c.
Referenced by IntExceptLixKernelGetOriginator().
static int IntExceptPrintCrInfo (EXCEPTION_VICTIM_ZONE *Victim, char *Header, char *Line, int MaxLength)
Print the information about the modified CR.
| [in] | Victim | The victim object. |
| [in] | Header | The header of the output buffer. |
| [in] | Line | The output buffer. |
| [in] | MaxLength | The maximum number of chars that can be written into Line. |
| Returns | The number of written chars. |
Definition at line 335 of file exceptions_kern.c.
Referenced by IntExceptKernelLogLinuxInformation(), and IntExceptKernelLogWindowsInformation().
static int IntExceptPrintDrvObjInfo (WIN_DRIVER_OBJECT *DrvObj, char *Header, char *Line, int MaxLength)
Print the information about the WIN_DRIVER_OBJECT.
| [in] | DrvObj | The WIN_DRIVER_OBJECT object. |
| [in] | Header | The header of the output buffer. |
| [in] | Line | The output buffer. |
| [in] | MaxLength | The maximum number of chars that can be written into Line. |
| Returns | The number of written chars. |
Definition at line 1105 of file exceptions_kern.c.
Referenced by IntExceptKernelLogWindowsInformation().
static int IntExceptPrintDtrInfo (EXCEPTION_VICTIM_ZONE *Victim, char *Header, char *Line, int MaxLength)
Print the information about the modified IDTR/GDTR.
| [in] | Victim | The victim object. |
| [in] | Header | The header of the output buffer. |
| [in] | Line | The output buffer. |
| [in] | MaxLength | The maximum number of chars that can be written into Line. |
| Returns | The number of written chars. |
Definition at line 527 of file exceptions_kern.c.
Referenced by IntExceptKernelLogWindowsInformation().
static int IntExceptPrintIdtInfo (EXCEPTION_VICTIM_ZONE *Victim, char *Header, char *Line, int MaxLength)
Print the information about the modified IDT entry.
| [in] | Victim | The victim object. |
| [in] | Header | The header of the output buffer. |
| [in] | Line | The output buffer. |
| [in] | MaxLength | The maximum number of chars that can be written into Line. |
| Returns | The number of written chars. |
Definition at line 433 of file exceptions_kern.c.
Referenced by IntExceptKernelLogLinuxInformation(), and IntExceptKernelLogWindowsInformation().
static int IntExceptPrintLixKmDrvInfo (KERNEL_DRIVER *Driver, char *Header, char *Line, int MaxLength, DWORD NameAlignment)
Print the information about the provided KERNEL_DRIVER (Linux guest).
| [in] | Driver | The driver object. |
| [in] | Header | The header of the output buffer. |
| [in] | Line | The output buffer. |
| [in] | MaxLength | The maximum number of chars that can be written into Line. |
| [in] | NameAlignment | The column alignment of the name within the buffer. |
| Returns | The number of written chars. |
Definition at line 23 of file exceptions_kern.c.
Referenced by IntExceptKernelLogLinuxInformation(), and IntExceptPrintMsrInfo().
static int IntExceptPrintMsrInfo (EXCEPTION_VICTIM_ZONE *Victim, char *Header, char *Line, int MaxLength)
Print the information about the modified MSR.
| [in] | Victim | The victim object. |
| [in] | Header | The header of the output buffer. |
| [in] | Line | The output buffer. |
| [in] | MaxLength | The maximum number of chars that can be written into Line. |
| Returns | The number of written chars. |
Definition at line 185 of file exceptions_kern.c.
Referenced by IntExceptKernelLogLinuxInformation(), and IntExceptKernelLogWindowsInformation().
| int IntExceptPrintWinKmModInfo | ( | KERNEL_DRIVER * | Module, |
| char * | Header, | ||
| char * | Line, | ||
| int | MaxLength, | ||
| DWORD | NameAlignment | ||
| ) |
Print the information about the provided KERNEL_DRIVER (windows guest).
| [in] | Module | The driver object. |
| [in] | Header | The header of the output buffer. |
| [in] | Line | The output buffer. |
| [in] | MaxLength | The maximum number of chars that can be written into Line. |
| [in] | NameAlignment | The column alignment of the name within the buffer. |
| Returns | The number of written chars. |
Definition at line 90 of file exceptions_kern.c.
Referenced by IntExceptKernelLogWindowsInformation(), IntExceptKernelUserLogWindowsInformation(), and IntExceptPrintMsrInfo().
static INTSTATUS IntExceptWinKernelGetOriginator (EXCEPTION_KM_ORIGINATOR *Originator, DWORD Options)
This function is used to get the information about the kernel-mode originator (windows guest).
The stack-trace is parsed in order to fetch the return driver.
The section for the original and the return driver is parsed in order to check if the violation should be blocked.
| [out] | Originator | The originator object. |
| [in] | Options | Options consulted when deciding if the violation should be blocked. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_EXCEPTION_BLOCK | If the violation should be blocked. |
Definition at line 1856 of file exceptions_kern.c.
Referenced by IntExceptKernelGetOriginator().
| char gExcLogLine[2 *ONE_KILOBYTE] |
The exception log line.
Definition at line 40 of file exceptions.c.
Referenced by IntExceptKernelLogLinuxInformation(), and IntExceptKernelLogWindowsInformation().