39 DWORD modNameAlignment;
42 char instr[ND_MIN_BUF_SIZE];
44 pDriver = Originator->Original.Driver;
45 pRetDriver = Originator->Return.Driver;
51 if (Originator->Instruction)
53 NDSTATUS ndstatus = NdToText(Originator->Instruction, Originator->Original.Rip,
sizeof(instr), instr);
54 if (!ND_SUCCESS(ndstatus))
68 ret = snprintf(l, rem,
", RIP %0*llx",
gGuest.
WordSize * 2, Originator->Original.Rip);
72 ERROR(
"[ERROR] Encoding error with snprintf: %d\n", ret);
80 if (Originator->Original.Section[0] != 0)
82 ret = snprintf(l, rem,
" (%s)", Originator->Original.Section);
86 ERROR(
"[ERROR] Encoding error with snprintf: %d\n", ret);
97 ret = snprintf(l, rem,
", Instr: %s", instr);
101 ERROR(
"[ERROR] Encoding error with snprintf: %d\n", ret);
112 if (Originator->Return.Driver && Originator->Original.Rip != Originator->Return.Rip)
121 ret = snprintf(l, rem,
", RIP %0*llx",
gGuest.
WordSize * 2, Originator->Return.Rip);
125 ERROR(
"[ERROR] Encoding error with snprintf: %d\n", ret);
133 if (Originator->Return.Section[0] != 0)
135 ret = snprintf(l, rem,
"(%s)", Originator->Return.Section);
139 ERROR(
"[ERROR] Encoding error with snprintf: %d\n", ret);
172 if (Victim->Object.Library.Export == NULL)
178 pExport = Victim->Object.Library.Export;
183 ret = snprintf(l, rem,
", Exports (%u) : [", pExport->
NumberOfOffsets);
186 ERROR(
"[ERROR] Encoding error with snprintf: %d\n", ret);
198 ret = snprintf(l, rem,
"'%s'", pExport->
Names[export]);
202 ret = snprintf(l, rem,
"'%s',", pExport->
Names[export]);
207 ERROR(
"[ERROR] Encoding error with snprintf: %d\n", ret);
217 ret = snprintf(l, rem,
"], Delta: +%02x, ",
218 (
DWORD)(Victim->Ept.Gva - Victim->Object.Library.WinMod->VirtualBase - pExport->
Rva));
221 ERROR(
"[ERROR] Encoding error with snprintf: %d\n", ret);
230 ret = snprintf(l, rem,
", Address: (%0*llx, %0*llx)",
235 ERROR(
"[ERROR] Encoding error with snprintf: %d\n", ret);
243 ret = snprintf(l, rem,
", WriteInfo: (%u, %016llx -> %016llx)",
244 Victim->WriteInfo.AccessSize,
245 Victim->WriteInfo.OldValue[0],
246 Victim->WriteInfo.NewValue[0]);
249 ERROR(
"[ERROR] Encoding error with snprintf: %d\n", ret);
257 if (Victim->ZoneFlags)
259 ret = snprintf(l, rem,
", Flags:%s%s%s%s%s (0x%llx)",
265 (
unsigned long long)Victim->ZoneFlags);
268 ERROR(
"[ERROR] Encoding error with snprintf: %d\n", ret);
285 ret = snprintf(l, rem,
"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^%sROOTKIT (kernel-user mode) ",
286 Victim->Object.Library.WinMod->Subsystem->Process->BetaDetections ?
" (B) " :
" ");
289 ERROR(
"[ERROR] Encoding error with snprintf: %d\n", ret);
300 ret = snprintf(l, rem,
"(no sig)");
303 ret = snprintf(l, rem,
"(no exc)");
306 ret = snprintf(l, rem,
"(extra)");
309 ret = snprintf(l, rem,
"(error)");
312 ret = snprintf(l, rem,
"(value)");
315 ret = snprintf(l, rem,
"(export)");
318 ret = snprintf(l, rem,
"(value code)");
321 ret = snprintf(l, rem,
"(idt)");
324 ret = snprintf(l, rem,
"(version os)");
327 ret = snprintf(l, rem,
"(version intro)");
330 ret = snprintf(l, rem,
"(process creation)");
333 ret = snprintf(l, rem,
"(unknown)");
336 ret = snprintf(l, rem,
"(%d)", Reason);
343 snprintf(l, rem,
" ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^");
347 for (
DWORD t = 0; t < Originator->StackTrace.NumberOfTraces; t++)
349 if (NULL != Originator->StackTrace.Traces[t].ReturnModule)
351 LOG(
"[STACK TRACE] [at 0x%016llx] returning to [%s at 0x%016llx]\n",
352 Originator->StackTrace.Traces[t].CurrentRip,
354 Originator->StackTrace.Traces[t].ReturnAddress);
358 LOG(
"[STACK TRACE] [at 0x%016llx]\n", Originator->StackTrace.Traces[t].CurrentRip);
490 Exception->Victim.NameHash == Victim->Object.NameHash)
522 return (Exception->Victim.ProcessHash == Victim->Object.Library.WinMod->Subsystem->Process->NameHash);
526 WARNING(
"[WARNING] Not supported for Linux guest!\n");
548 switch (Exception->Type)
577 LOG(
"[ERROR] This is a corruption in the update/exception. Type = %d!\n", Exception->Type);
640 (Originator->Original.Driver != NULL))
651 (Victim->WriteInfo.OldValue[0] == 0))
662 match = 0 == memcmp(Originator->Return.Section,
"INIT", 4);
666 match = 0 == memcmp(Originator->Return.Section,
"init", 4);
674 match = 0 == memcmp(Originator->Original.Section,
"INIT", 4);
678 match = 0 == memcmp(Originator->Original.Section,
"init", 4);
682 else if (Originator->IsEntryPoint)
687 else if (Victim->WriteInfo.OldValue[0] == 0)
736 if (NULL == Originator)
760 goto _match_ex_alert;
765 goto _match_ex_alert;
768 if (pEx->OriginatorNameHash > Originator->Original.NameHash)
772 else if (pEx->OriginatorNameHash != Originator->Original.NameHash)
811 if (Originator->Original.Driver &&
812 Originator->Return.Driver &&
813 Originator->Original.Rip == Originator->Return.Rip)
835 if (pEx->OriginatorNameHash > Originator->Original.NameHash)
839 else if (pEx->OriginatorNameHash != Originator->Original.NameHash)
860 goto _beta_exceptions;
879 if (pEx->OriginatorNameHash > Originator->Return.NameHash)
883 else if (pEx->OriginatorNameHash != Originator->Return.NameHash)
917 if (pEx->OriginatorNameHash != Originator->Return.NameHash)
924 if (pEx->OriginatorNameHash != Originator->Original.NameHash)
#define EXCEPTION_NO_INSTRUCTION
enum _INTRO_ACTION_REASON INTRO_ACTION_REASON
The reason for which an INTRO_ACTION was taken.
#define INT_STATUS_EXCEPTION_NOT_MATCHED
An internal error occurred (no memory, pages not present, etc.).
int IntExceptPrintWinProcInfo(WIN_PROCESS_OBJECT *Process, char *Header, char *Line, int MaxLength, DWORD NameAlignment)
Print the data from the provided WIN_PROCESS_OBJECT.
LIST_HEAD KernelUserExceptions[EXCEPTION_TABLE_SIZE]
Array of linked lists used for kernel-user mode exceptions.
Describes a kernel-user mode exception.
void IntExceptKernelUserLogInformation(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason)
Prints the information about a kernel-user mode violation and dumps the code-blocks.
The name can be any string.
#define ZONE_LIB_RESOURCES
Used for the resources section (usually .rsrc inside a driver or dll).
DWORD NumberOfOffsets
Number of symbols pointing to the exported RVA.
The exception will take into consideration the return driver/dll.
#define INT_STATUS_EXCEPTION_CHECKS_OK
int IntExceptPrintWinModInfo(WIN_PROCESS_MODULE *Module, char *Header, char *Line, int MaxLength, DWORD NameAlignment)
Print the data from the provided WIN_PROCESS_MODULE.
The exception is valid only for read violation.
static void IntExceptKernelUserLogWindowsInformation(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason)
Print the information about a kernel-user mode violation (windows guest).
Describes a user-mode originator.
The name can be any string.
INTSTATUS IntExceptMatchException(void *Victim, void *Originator, void *Exception, EXCEPTION_TYPE ExceptionType, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason)
This function tries to find an exception for the current violation.
int INTSTATUS
The status data type.
The exception will match only for the init phase of a driver/process.
Describes a kernel-mode originator.
The modified object is any with the modified name.
INTRO_GUEST_TYPE OSType
The type of the guest.
The exception is valid only for write violation.
Describes a kernel driver.
#define ZONE_INTEGRITY
Used for integrity zone.
static __inline BOOLEAN IntExceptKernelUserMatchObjectType(EXCEPTION_VICTIM_ZONE *Victim, KUM_EXCEPTION *Exception)
Checks if the zone-type of the current exception matches the object-type of the victim.
LIST_HEAD KernelUserAlertExceptions
Linked list used for kernel-user mode exceptions that are added from alert.
#define ZONE_LIB_CODE
Used for a generic code zone.
#define INITIAL_CRC_VALUE
EXCEPTIONS * Exceptions
The exceptions that are currently loaded.
The modified object is inside an integrity hook.
static __inline BOOLEAN IntExceptKernelUserMatchArch(KUM_EXCEPTION *Exception)
Checks if the architecture-flags of the current exception match the architecture-flags of the origina...
#define ZONE_EXECUTE
Used for execute violation.
The exception is valid only for execute violation.
BOOLEAN Guest64
True if this is a 64-bit guest, False if it is a 32-bit guest.
INTSTATUS IntExceptKernelUserVerifyExtra(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_UM_ORIGINATOR *Originator, UM_EXCEPTION *Exception)
This function is used as an extra step in the exception mechanism.
The name is the operating system kernel name.
#define INT_STATUS_INVALID_PARAMETER_4
INTSTATUS IntExceptKernelUser(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason)
This function iterates through exception lists and tries to find an exception that matches the origin...
#define for_each_kum_exception(_ex_head, _var_name)
static __inline BOOLEAN IntExceptKernelUserMatchProcessHash(EXCEPTION_VICTIM_ZONE *Victim, KUM_EXCEPTION *Exception)
Checks if the exception process name-hash of the current exception matches the process name-hash of t...
BYTE WordSize
Guest word size. Will be 4 for 32-bit guests and 8 for 64-bit guests.
LIST_HEAD KernelUserFeedbackExceptions
Linked list used for kernel-user mode exceptions that have the feedback flag.
char gExcLogLine[2 *ONE_KILOBYTE]
The exception log line.
The exception will take into consideration the return driver.
#define ZONE_LIB_EXPORTS
Used for the exports of a dll, driver, etc.
The modified object is inside the process module's EAT.
Describes the modified zone.
#define UNREFERENCED_PARAMETER(P)
INTSTATUS IntExceptKernelUserMatchVictim(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, KUM_EXCEPTION *Exception)
This function checks if the exception matches the originator and the modified zone.
The modified object is inside the process module's IAT.
Describes a user-mode exception.
DWORD Rva
The RVA of this export.
enum _INTRO_ACTION INTRO_ACTION
Event actions.
int IntExceptPrintWinKmModInfo(KERNEL_DRIVER *Module, char *Header, char *Line, int MaxLength, DWORD NameAlignment)
Print the information about the provided KERNEL_DRIVER (windows guest).
static __inline BOOLEAN IntExceptKernelUserMatchNameHash(EXCEPTION_VICTIM_ZONE *Victim, KUM_EXCEPTION *Exception)
Checks if the exception name-hash of the current exception matches the name-hash of the victim...
The action was allowed, but it has the BETA flag (Introcore is in log-only mode). ...
GUEST_STATE gGuest
The current guest state.
static __inline BOOLEAN IntExceptKernelUserMatchZoneFlags(EXCEPTION_VICTIM_ZONE *Victim, KUM_EXCEPTION *Exception)
Checks if the zone-flags of the current exception match the zone flags of the victim.
LIST_HEAD NoNameKernelUserExceptions
Linked list used for kernel-user mode exceptions that don't have a valid originator (-)...
#define EXCEPTION_TABLE_ID(H)
#define ZONE_READ
Used for read violation.
WINUM_CACHE_EXPORT * IntWinUmCacheGetExportFromRange(WIN_PROCESS_MODULE *Module, QWORD Gva, DWORD Length)
Tries to find an export in the range [Gva - Length, Gva].
The action was blocked because no exception signature matched.
PCHAR Names[MAX_OFFSETS_PER_NAME]
The names pointing to this RVA. Each name will point inside the Names structure inside WINUM_CACHE_EX...
void IntExceptDumpSignatures(void *Originator, EXCEPTION_VICTIM_ZONE *Victim, BOOLEAN KernelMode, BOOLEAN ReturnDrv)
Dump code blocks from the originator's RIP.
LIST_HEAD GenericKernelUserExceptions
Linked list used for kernel-user mode exceptions that have a generic originator(*).
char * utf16_for_log(const WCHAR *WString)
Converts a UTF-16 string to a UTF-8 string to be used inside logging macros.
#define INT_STATUS_INVALID_PARAMETER_1
Kernel-User mode exception.
The action was blocked because there was no exception for it.
#define ZONE_LIB_IMPORTS
Used for the imports of a dll, driver, etc.
The original RIP is outside a driver and it returns into a driver (which is the originator name)...
The exception is valid only on 32 bit systems/process.
#define EXPORT_NAME_UNKNOWN
#define ZONE_WRITE
Used for write violation.
#define INT_STATUS_INVALID_PARAMETER_2
#define INT_STATUS_EXCEPTION_ALLOW
The exception (and the signature, where applicable) matched, but the extra checks failed.
#define INT_STATUS_INVALID_PARAMETER_3
The modified object is inside the process modules.