Bitdefender Hypervisor Memory Introspection
serializers.c
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2020 Bitdefender
3  * SPDX-License-Identifier: Apache-2.0
4  */
5 #include "serializers.h"
6 #include "guests.h"
7 #include "lixmm.h"
8 #include "winprocesshp.h"
9 #include "codeblocks.h"
10 #include "crc32.h"
11 #include "lixfiles.h"
12 
13 
14 #pragma pack(push, 1)
15 
19 typedef enum _SERIALIZER_EXCEPTION_TYPE
20 {
21  serializerExceptionTypeKm = 0,
22  serializerExceptionTypeUm = 1,
23  serializerExceptionTypeKmUm = 2
24 } SERIALIZER_EXCEPTION_TYPE;
25 
26 
30 typedef struct _SERIALIZER_HEADER
31 {
32  DWORD SerializedType;
33  DWORD Guest;
34  DWORD Event;
35  WORD Size;
36  DWORD Arch;
37 } SERIALIZER_HEADER;
38 
39 
43 typedef struct _SERIALIZER_OBJECT_HEADER
44 {
45  DWORD Version;
46  WORD Type;
47  WORD Size;
48 } SERIALIZER_OBJECT_HEADER;
49 
50 
54 typedef struct _SERIALIZER_STRING
55 {
56  DWORD Length;
57  BYTE Encode;
58  CHAR String[0];
59 } SERIALIZER_STRING, *PSERIALIZER_STRING;
60 
61 
65 typedef struct _SERIALIZER_EXCEPTION_KM_ORIGINATOR
66 {
67  BYTE _Reserved;
68 } SERIALIZER_EXCEPTION_KM_ORIGINATOR, *PSERIALIZER_EXCEPTION_KM_ORIGINATOR;
69 
73 typedef struct _SERIALIZER_EXCEPTION_UM_ORIGINATOR
74 {
75  BYTE _Reserved;
76 } SERIALIZER_EXCEPTION_UM_ORIGINATOR, *PSERIALIZER_EXCEPTION_UM_ORIGINATOR;
77 
78 
82 typedef struct _SERIALIZER_EXCEPTION_VICTIM
83 {
84  INTRO_OBJECT_TYPE Type;
85  ZONE_TYPE ZoneType;
86  QWORD ZoneFlags;
87 } SERIALIZER_EXCEPTION_VICTIM, *PSERIALIZER_EXCEPTION_VICTIM;
88 
89 
93 typedef struct _SERIALIZER_EPT
94 {
95  QWORD Gva;
96  QWORD Gpa;
97  BYTE Type;
98 } SERIALIZER_EPT, *PSERIALIZER_EPT;
99 
100 
104 typedef struct _SERIALIZER_MSR
105 {
106  DWORD Msr;
107 } SERIALIZER_MSR, *PSERIALIZER_MSR;
108 
109 
113 typedef struct _SERIALIZER_CR
114 {
115  DWORD Cr;
116 } SERIALIZER_CR, *PSERIALIZER_CR;
117 
118 
122 typedef struct _SERIALIZER_DTR
123 {
124  DWORD Type;
125 } SERIALIZER_DTR, *PSERIALIZER_DTR;
126 
127 
131 typedef struct _SERIALIZER_IDT
132 {
133  DWORD Entry;
134 } SERIALIZER_IDT, *PSERIALIZER_IDT;
135 
136 
140 typedef struct _SERIALIZER_INJECTION
141 {
142  QWORD Gva;
143  DWORD Length;
144  DWORD Type;
145 } SERIALIZER_INJECTION, *PSERIALIZER_INJECTION;
146 
147 
151 typedef struct _SERIALIZER_LIX_PROCESS
152 {
153  QWORD Gva;
154  QWORD RealParent;
155  QWORD ActualParent;
156  QWORD Parent;
157  QWORD MmGva;
158  QWORD Cr3;
159  DWORD Pid;
160  DWORD Tgid;
161  DWORD Flags;
162 } SERIALIZER_LIX_PROCESS, *PSERIALIZER_LIX_PROCESS;
163 
164 
168 typedef struct _SERIALIZER_WIN_PROCESS
169 {
170  QWORD EprocessAddress;
171  QWORD ParentEprocess;
172  QWORD RealParentEprocess;
173  QWORD Cr3;
174  QWORD UserCr3;
175  DWORD Pid;
176  QWORD Peb64Address;
177  QWORD Peb32Address;
178  QWORD MainModuleAddress;
179  QWORD Flags;
180 } SERIALIZER_WIN_PROCESS, *PSERIALIZER_WIN_PROCESS;
181 
182 
186 typedef struct _SERIALIZER_LIX_VMA
187 {
188  QWORD Start;
189  QWORD End;
190  QWORD Gva;
192  QWORD Flags;
193  QWORD File;
194 } SERIALIZER_LIX_VMA, *PSERIALIZER_LIX_VMA;
195 
196 
200 typedef struct _SERIALIZER_WIN_VAD
201 {
202  QWORD StartPage;
203  QWORD EndPage;
204  QWORD VadGva;
206  DWORD VadProtection;
207  DWORD VadType;
208  DWORD Protection;
209  DWORD ExecCount;
210  DWORD Flags;
211 } SERIALIZER_WIN_VAD, *PSERIALIZER_WIN_VAD;
212 
213 
217 typedef struct _SERIALIZER_KERNEL_DRIVER
218 {
219  QWORD ObjectGva;
220  QWORD BaseVa;
222  QWORD Size;
223  QWORD EntryPoint;
224 } SERIALIZER_KERNEL_DRIVER, *PSERIALIZER_KERNEL_DRIVER;
225 
226 
230 typedef struct _SERIALIZER_WIN_KERNEL_DRIVER
231 {
232  DWORD TimeDateStamp;
233 } SERIALIZER_WIN_KERNEL_DRIVER, *PSERIALIZER_WIN_KERNEL_DRIVER;
234 
235 
239 typedef struct _SERIALIZER_LIX_KERNEL_MODULE
240 {
241  struct
242  {
243  QWORD Base;
244  DWORD Size;
245  DWORD TextSize;
246  DWORD RoSize;
247  } InitLayout;
248 
249  struct
250  {
251  QWORD Base;
252  DWORD Size;
253  DWORD TextSize;
254  DWORD RoSize;
255  } CoreLayout;
256 } SERIALIZER_LIX_KERNEL_MODULE, *PSERIALIZER_LIX_KERNEL_MODULE;
257 
258 
262 typedef struct _SERIALIZER_KERNEL_DRV_OBJECT
263 {
265  QWORD Gva;
267  QWORD Gpa;
268  // /@brief The guest virtual address of the _FAST_IO_DISPATCH structure used by this driver object.
269  QWORD FastIOTableAddress;
270 } SERIALIZER_KERNEL_DRV_OBJECT, *PSERIALIZER_KERNEL_DRV_OBJECT;
271 
272 
276 typedef struct _SERIALIZER_WIN_MODULE
277 {
278  QWORD VirtualBase;
279  DWORD Size;
280 } SERIALIZER_WIN_MODULE, *PSERIALIZER_WIN_MODULE;
281 
282 
286 typedef struct _SERIALIZER_INSTRUX
287 {
288  QWORD Rip;
289  BYTE Bytes[16];
290 } SERIALIZER_INSTRUX, *PSERIALIZER_INSTRUX;
291 
292 
296 typedef struct _SERIALIZER_ARCH_REGS
297 {
298  QWORD Rax;
299  QWORD Rcx;
300  QWORD Rdx;
301  QWORD Rbx;
302  QWORD Rsp;
303  QWORD Rbp;
304  QWORD Rsi;
305  QWORD Rdi;
306  QWORD R8;
307  QWORD R9;
308  QWORD R10;
309  QWORD R11;
310  QWORD R12;
311  QWORD R13;
312  QWORD R14;
313  QWORD R15;
314  QWORD Cr2;
315  QWORD Flags;
316  QWORD Dr7;
317  QWORD Rip;
318  QWORD Cr0;
319  QWORD Cr4;
320  QWORD Cr3;
321  QWORD Cr8;
322  QWORD IdtBase;
323  QWORD IdtLimit;
324  QWORD GdtBase;
325  QWORD GdtLimit;
326 } SERIALIZER_ARCH_REGS, *PSERIALIZER_ARCH_REGS;
327 
328 
332 typedef struct _SERIALIZER_WRITE_INFO
333 {
334  DWORD AccessSize;
335  QWORD OldValue[8];
336  QWORD NewValue[8];
337 } SERIALIZER_WRITE_INFO, *PSERIALIZER_WRITE_INFO;
338 
339 
343 typedef struct _SERIALIZER_READ_INFO
344 {
345  DWORD AccessSize;
346  QWORD Value[8];
347 } SERIALIZER_READ_INFO, *PSERIALIZER_READ_INFO;
348 
349 
353 typedef struct _SERIALIZER_EXEC_INFO
354 {
355  QWORD Rsp;
356  QWORD StackBase;
357  QWORD StackLimit;
358  DWORD Length;
359 } SERIALIZER_EXEC_INFO, *PSERIALIZER_EXEC_INFO;
360 
361 
365 typedef struct _SERIALIZER_CODE_BLOCKS
366 {
367  QWORD StartAddress;
368  QWORD Rip;
369  DWORD RipCbIndex;
371  DWORD Count;
372  DWORD Content[0];
373 } SERIALIZER_CODE_BLOCKS, *PSERIALIZER_CODE_BLOCKS;
374 
375 
379 typedef struct _SERIALIZER_RIP_CODE
380 {
381  DWORD CsType;
382  DWORD Length;
383  BYTE Code[0];
384 } SERIALIZER_RIP_CODE, *PSERIALIZER_RIP_CODE;
385 
386 
390 typedef struct _SERIALIZER_RAW_DUMP
391 {
392  DWORD Length;
393  BYTE Raw[0];
394 } SERIALIZER_RAW_DUMP, *PSERIALIZER_RAW_DUMP;
395 
396 
400 typedef struct _SERIALIZER_EXPORT
401 {
402  DWORD Count;
403  DWORD Delta;
404  BYTE Exports[0];
405 } SERIALIZER_EXPORT, *PSERIALIZER_EXPORT;
406 
407 
411 typedef struct _SERIALIZER_DPI_WIN_DEBUG
412 {
413  QWORD Debugger;
414 } SERIALIZER_DPI_WIN_DEBUG, *PSERIALIZER_DPI_WIN_DEBUG;
415 
416 
420 typedef struct _SERIALIZER_DPI_WIN_STOLEN_TOKEN
421 {
422  QWORD StolenFrom;
423 } SERIALIZER_DPI_WIN_STOLEN_TOKEN, *PSERIALIZER_DPI_WIN_STOLEN_TOKEN;
424 
425 
429 typedef struct _SERIALIZER_DPI_WIN_HEAP_SPRAY
430 {
431  struct
432  {
433  DWORD Mapped : 1;
434  DWORD Detected : 1;
437  DWORD HeapValCount : 11;
439  DWORD Offset : 12;
440  DWORD Executable : 1;
441  DWORD Reserved : 7;
442  } HeapPages[0xF];
443 
444  QWORD ShellcodeFlags;
445 
446  BYTE DetectedPage[0x1000];
447  BYTE MaxHeapValPageContent[0x1000];
448 } SERIALIZER_DPI_WIN_HEAP_SPRAY, *PSERIALIZER_DPI_WIN_HEAP_SPRAY;
449 
450 
454 typedef struct _SERIALIZER_DPI_WIN_THREAD_START
455 {
456  QWORD ShellcodeFlags;
457  QWORD StartAddress;
458  BYTE StartPage[0x1000];
459 } SERIALIZER_DPI_WIN_THREAD_START, *PSERIALIZER_DPI_WIN_THREAD_START;
460 
461 
465 typedef struct _SERIALIZER_DPI_WIN_TOKEN_PRIVS
466 {
467  QWORD OldEnabled;
468  QWORD NewEnabled;
470  QWORD OldPresent;
471  QWORD NewPresent;
473 } SERIALIZER_DPI_WIN_TOKEN_PRIVS, *PSERIALIZER_DPI_WIN_TOKEN_PRIVS;
474 
475 
479 typedef struct _SERIALIZER_DPI_PIVOTED_STACK
480 {
481  QWORD CurrentStack;
482  QWORD StackBase;
483  QWORD StackLimit;
484  QWORD Wow64CurrentStack;
485  QWORD Wow64StackBase;
486  QWORD Wow64StackLimit;
487  BYTE TrapFrameContent[512];
488 } SERIALIZER_DPI_PIVOTED_STACK, *PSERIALIZER_DPI_PIVOTED_STACK;
489 
490 
494 typedef struct _SERIALIZER_DPI
495 {
496  DWORD Flags;
497 } SERIALIZER_DPI, *PSERIALIZER_DPI;
498 
499 #pragma pack(pop)
500 
501 
505 enum
506 {
507  intObjNone = 0,
508 
510  intObjStartOriginator,
512  intObjEndOriginator,
514  intObjStartVictim,
516  intObjEndVictim,
518  intObjStartMisc,
520  intObjEndMisc,
521 
522  intObjVictim,
523 
524  intObjEpt,
525  intObjMsr,
526  intObjCr,
527  intObjDtr,
528  intObjIdt,
529  intObjIntegrity,
530  intObjInjection,
531 
532  intObjWinProcess,
533  intObjWinProcessParent,
534  intObjLixProcess,
535  intObjLixProcessParent,
536 
537  intObjKernelDriver,
538  intObjKernelDriverReturn,
539  intObjWinKernelDriver,
540  intObjWinKernelDriverReturn,
541  intObjLixKernelModule,
542  intObjLixKernelModuleReturn,
543  intObjKernelDrvObject,
544 
545  intObjWinVad,
546  intObjLixVma,
547 
548  intObjWinModule,
549  intObjWinModuleReturn,
550 
551  intObjInstrux,
552  intObjWriteInfo,
553  intObjReadInfo,
554  intObjExecInfo,
555  intObjArchRegs,
556  intObjCodeBlocks,
557  intObjRipCode,
558  intObjRawDump,
559  intObjExport,
560  intObjDpi,
561  intObjDpiWinDebug,
562  intObjDpiWinPivotedStack,
563  intObjDpiWinStolenToken,
564  intObjDpiWinTokenPrivs,
565  intObjDpiWinThreadStart,
566  intObjDpiWinHeapSpray,
567 };
568 
569 
573 enum
574 {
575  stringEncodeUtf8 = 0,
576  stringEncodeUtf16
577 };
578 
579 #define MAX_SERIALIZER_LENGTH (16 * ONE_KILOBYTE)
580 
581 static BYTE gSerializerBuffer[MAX_SERIALIZER_LENGTH] = { 0 };
582 static BYTE *gCurrentPtr = NULL;
583 static QWORD gSerializerCurrentId = 0;
584 
585 static CODE_BLOCK_PATTERN gCodeBlocksPattern[PAGE_SIZE / sizeof(CODE_BLOCK_PATTERN)];
586 static DWORD gCodeBlocksPatternLength = 0;
587 static CODE_BLOCK gCodeBlocks[PAGE_SIZE / sizeof(CODE_BLOCK)];
588 
589 const char gBase64Chars[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
590 
591 #define Base64EncSize(Length) (((((Length) + 2) / 3) * 4) + 1)
592 
593 static char gBase64Buffer[Base64EncSize(sizeof(gSerializerBuffer))] = {0};
594 
595 
596 
597 static void
598 IntSerializeBlockToBase64(
599  _In_ const BYTE *In,
600  _Out_writes_(4) BYTE *Out,
601  _In_ size_t Length
602  )
610 {
611  Out[0] = gBase64Chars[In[0] >> 2];
612  Out[1] = gBase64Chars[((In[0] & 0x03) << 4) | ((In[1] & 0xf0) >> 4)];
613  Out[2] = (BYTE) (Length > 1 ? gBase64Chars[((In[1] & 0x0f) << 2) | ((In[2] & 0xc0) >> 6)] : '=');
614  Out[3] = (BYTE) (Length > 2 ? gBase64Chars[In[2] & 0x3f] : '=');
615 }
616 
617 
618 static char *
619 IntSerializerBase64Get(
620  _Out_ DWORD *Length
621  )
629 {
630  size_t len = gCurrentPtr - gSerializerBuffer;
631 
632  *Length = (DWORD)Base64EncSize(len);
633 
634  BYTE *out = (BYTE *)gBase64Buffer;
635  const BYTE *in = gSerializerBuffer;
636 
637  for (size_t i = 0; i < len; i += 3)
638  {
639  size_t size = ((len - i) < 4) ? (len - i) : 4;
640 
641  IntSerializeBlockToBase64(in, out, size);
642 
643  out += 4;
644  in += 3;
645  }
646 
647  *out = 0;
648 
649  return gBase64Buffer;
650 }
651 
652 
653 static DWORD
654 IntSerializeCurrentOffset(
655  void
656  )
662 {
663  return (DWORD)(gCurrentPtr - gSerializerBuffer);
664 }
665 
666 
667 static void
668 IntSerializeIncrementCurrentPtr(
669  _In_ const DWORD Size
670  )
676 {
677  gCurrentPtr += Size;
678 }
679 
680 
681 static QWORD
682 IntSerializeCurrentId(
683  void
684  )
690 {
691  return gSerializerCurrentId;
692 }
693 
694 
695 static void
696 IntSerializeIncrementCurrentId(
697  void
698  )
702 {
703  gSerializerCurrentId++;
704 }
705 
706 
707 static void
708 IntSerializeDump(
709  void
710  )
714 {
715  DWORD length = 0;
716  CHAR *pBase64 = IntSerializerBase64Get(&length);
717 
718  UNREFERENCED_LOCAL_VARIABLE(pBase64);
719 
720  // NOTE: for now we'll only execute the algorithm etc, but don't log anything since
721  // the logs get pretty easily to even 300 GB in size...
722 
723  TRACE("[SERIALIZER] Start Serializer ID -> 0x%llx\n", IntSerializeCurrentId());
724  for (DWORD index = 0; index < length; index += 1000)
725  {
726  TRACE("[SERIALIZER] %.1000s", pBase64 + index);
727  }
728  TRACE("[SERIALIZER] End Serializer ID -> 0x%llx\n", IntSerializeCurrentId());
729 }
730 
731 
732 static BOOLEAN
733 IntSerializeValidObjectSize(
734  _In_ DWORD Size
735  )
743 {
744  QWORD crt = (QWORD)(gCurrentPtr - gSerializerBuffer) + (QWORD)Size;
745 
746  if (crt > sizeof(gSerializerBuffer))
747  {
748  ERROR("[ERROR] Serilizer buffer overflows! Current offset = 0x%llx, Buffer Size = 0x%0llx, "
749  "Required size = 0x%x\n",
750  (QWORD)(gCurrentPtr - gSerializerBuffer), (QWORD)sizeof(gSerializerBuffer), Size);
751 
752  return FALSE;
753  }
754 
755  return TRUE;
756 }
757 
758 
759 static void *
760 IntSerializeCurrentPtr(
761  _In_ DWORD Size
762  )
770 {
771  if (!IntSerializeValidObjectSize(Size))
772  {
773  return NULL;
774  }
775 
776  return gCurrentPtr;
777 }
778 
779 
780 static SERIALIZER_OBJECT_HEADER *
781 IntSerializeObjectHeader(
782  _In_ const DWORD Version,
783  _In_ const DWORD Type
784  )
794 {
795  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeCurrentPtr(sizeof(*pHeader));
796 
797  if (!pHeader)
798  {
799  return NULL;
800  }
801 
802  pHeader->Version = Version;
803  pHeader->Type = (WORD)Type;
804  pHeader->Size = 0;
805 
806  IntSerializeIncrementCurrentPtr(sizeof(*pHeader));
807 
808  return pHeader;
809 }
810 
811 
812 static BOOLEAN
813 IntSerializeStringIsWcharAscii(
814  _In_ const void *String,
815  _In_ DWORD Size
816  )
825 {
826  const BYTE *pStr = String;
827 
828  for (DWORD index = 0; index < Size; index++)
829  {
830  if (pStr[index] > 0x7f)
831  {
832  return FALSE;
833  }
834  }
835 
836  return TRUE;
837 }
838 
839 
840 static void
841 IntSerializeString(
842  const void *String,
843  _In_ DWORD Size,
844  _In_ DWORD Encode,
845  _Inout_ SERIALIZER_OBJECT_HEADER *Header
846  )
855 {
856  SERIALIZER_STRING *pObject = NULL;
857  DWORD size = 0;
858 
859  if (Size != 0)
860  {
861  switch (Encode)
862  {
863  case stringEncodeUtf8 :
864  pObject = IntSerializeCurrentPtr(sizeof(*pObject) + Size);
865  if (!pObject)
866  {
867  return;
868  }
869 
870  pObject->Length = Size;
871  pObject->Encode = (BYTE)Encode;
872 
873  memcpy(pObject->String, String, pObject->Length);
874 
875  Header->Size += (WORD)(sizeof(*pObject) + pObject->Length);
876  size = pObject->Length;
877 
878  break;
879 
880  case stringEncodeUtf16 :
881  if (IntSerializeStringIsWcharAscii(String, Size))
882  {
883  pObject = IntSerializeCurrentPtr(sizeof(*pObject) + Size);
884  if (!pObject)
885  {
886  return;
887  }
888 
889  pObject->Encode = stringEncodeUtf8;
890  pObject->Length = Size / 2;
891 
892  utf16toutf8(pObject->String, String, pObject->Length);
893 
894  Header->Size += (WORD)(sizeof(*pObject) + pObject->Length);
895  size = pObject->Length;
896  }
897  else
898  {
899  pObject = IntSerializeCurrentPtr(sizeof(*pObject) + Size);
900  if (!pObject)
901  {
902  return;
903  }
904 
905  pObject->Encode = (BYTE)Encode;
906  pObject->Length = Size;
907 
908  memcpy(pObject->String, String, pObject->Length * sizeof(WCHAR));
909 
910  Header->Size += (WORD)(sizeof(*pObject) + pObject->Length * sizeof(WCHAR));
911  size = (WORD)(pObject->Length * sizeof(WCHAR));
912  }
913  break;
914 
915  default:
916  LOG("[ERROR] Should not reach here. Encode %d \n", Encode);
917  }
918  }
919  else
920  {
921  pObject = IntSerializeCurrentPtr(sizeof(*pObject));
922  if (!pObject)
923  {
924  return;
925  }
926 
927  pObject->Length = 0;
928  pObject->Encode = (BYTE)Encode;
929 
930  Header->Size += sizeof(*pObject);
931  }
932 
933  IntSerializeIncrementCurrentPtr(sizeof(*pObject) + size);
934 }
935 
936 
937 static void
938 IntSerializeEpt(
939  _In_ const EXCEPTION_VICTIM_EPT *Ept,
940  _In_ const EXCEPTION_VICTIM_ZONE *Victim
941  )
948 {
949 #define VICTIM_SERIALIZER_EPT_VERSION 1
950 
951  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(VICTIM_SERIALIZER_EPT_VERSION, intObjEpt);
952  if (!pHeader)
953  {
954  return;
955  }
956 
957  SERIALIZER_EPT *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
958  if (!pObject)
959  {
960  return;
961  }
962 
963  pObject->Gva = Ept->Gva;
964  pObject->Gpa = Ept->Gpa;
965  pObject->Type = IG_EPT_HOOK_NONE;
966 
967  if (Victim->ZoneFlags & ZONE_WRITE)
968  {
969  pObject->Type = IG_EPT_HOOK_WRITE;
970  }
971  else if (Victim->ZoneFlags & ZONE_READ)
972  {
973  pObject->Type = IG_EPT_HOOK_READ;
974  }
975  else if (Victim->ZoneFlags & ZONE_EXECUTE)
976  {
977  pObject->Type = IG_EPT_HOOK_EXECUTE;
978  }
979 
980  pHeader->Size = sizeof(*pObject);
981 
982  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
983 }
984 
985 
986 static void
987 IntSerializeCr(
988  _In_ const EXCEPTION_VICTIM_CR *Cr
989  )
995 {
996 #define VICTIM_SERIALIZER_CR_VERSION 1
997 
998  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(VICTIM_SERIALIZER_CR_VERSION, intObjCr);
999  if (!pHeader)
1000  {
1001  return;
1002  }
1003 
1004  SERIALIZER_CR *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
1005  if (!pObject)
1006  {
1007  return;
1008  }
1009 
1010  pObject->Cr = Cr->Cr;
1011 
1012  pHeader->Size = sizeof(*pObject);
1013 
1014  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
1015 }
1016 
1017 
1018 static void
1019 IntSerializeIdt(
1020  _In_ const EXCEPTION_VICTIM_ZONE *Victim
1021  )
1027 {
1028 #define VICTIM_SERIALIZER_IDT_VERSION 1
1029 
1030  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(VICTIM_SERIALIZER_IDT_VERSION, intObjIdt);
1031  if (!pHeader)
1032  {
1033  return;
1034  }
1035 
1036  SERIALIZER_IDT *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
1037  if (!pObject)
1038  {
1039  return;
1040  }
1041 
1042  pObject->Entry = (DWORD)((Victim->Ept.Gva - Victim->Object.BaseAddress) /
1043  (gGuest.Guest64 ? DESCRIPTOR_SIZE_64 : DESCRIPTOR_SIZE_32));
1044 
1045  pHeader->Size = sizeof(*pObject);
1046 
1047  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
1048 }
1049 
1050 
1051 static void
1052 IntSerializeMsr(
1053  _In_ const EXCEPTION_VICTIM_MSR *Msr
1054  )
1060 {
1061 #define VICTIM_SERIALIZER_MSR_VERSION 1
1062 
1063  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(VICTIM_SERIALIZER_MSR_VERSION, intObjMsr);
1064  if (!pHeader)
1065  {
1066  return;
1067  }
1068 
1069  SERIALIZER_MSR *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
1070  if (!pObject)
1071  {
1072  return;
1073  }
1074 
1075  pObject->Msr = Msr->Msr;
1076 
1077  pHeader->Size = sizeof(*pObject);
1078 
1079  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
1080 }
1081 
1082 
1083 static void
1084 IntSerializeDtr(
1085  _In_ const EXCEPTION_VICTIM_DTR *Dtr
1086  )
1092 {
1093 #define VICTIM_SERIALIZER_DTR_VERSION 1
1094 
1095  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(VICTIM_SERIALIZER_DTR_VERSION, intObjDtr);
1096  if (!pHeader)
1097  {
1098  return;
1099  }
1100 
1101  SERIALIZER_DTR *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
1102  if (!pObject)
1103  {
1104  return;
1105  }
1106 
1107  pObject->Type = Dtr->Type;
1108 
1109  pHeader->Size = sizeof(*pObject);
1110 
1111  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
1112 }
1113 
1114 
1115 static void
1116 IntSerializeInjection(
1117  _In_ const EXCEPTION_VICTIM_INJECTION *Injection,
1118  _In_ const EXCEPTION_VICTIM_ZONE *Victim
1119  )
1126 {
1127 #define VICTIM_SERIALIZER_INJECTION_VERSION 1
1128 
1129  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(VICTIM_SERIALIZER_INJECTION_VERSION, intObjInjection);
1130  if (!pHeader)
1131  {
1132  return;
1133  }
1134 
1135  SERIALIZER_INJECTION *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
1136  if (!pObject)
1137  {
1138  return;
1139  }
1140 
1141  pObject->Gva = Injection->Gva;
1142  pObject->Length = Injection->Length;
1143  pObject->Type = 0;
1144 
1145  if (Victim->ZoneFlags & ZONE_PROC_THREAD_CTX)
1146  {
1147  pObject->Type = memCopyViolationSetContextThread;
1148  }
1149 
1150  if (Victim->ZoneFlags & ZONE_PROC_THREAD_APC)
1151  {
1152  pObject->Type = memCopyViolationQueueApcThread;
1153  }
1154 
1155  if (Victim->ZoneFlags & ZONE_WRITE)
1156  {
1157  pObject->Type = memCopyViolationWrite;
1158  }
1159 
1160  if (Victim->ZoneFlags & ZONE_READ)
1161  {
1162  pObject->Type = memCopyViolationRead;
1163  }
1164 
1165  pHeader->Size = sizeof(*pObject);
1166 
1167  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
1168 }
1169 
1170 
1171 static void
1172 IntSerializeWinProcess(
1173  _In_ const WIN_PROCESS_OBJECT *Process,
1174  _In_ const DWORD ObjectType
1175  )
1182 {
1183  if (Process == NULL)
1184  {
1185  return;
1186  }
1187 
1188 #define WIN_PROCESS_SERIALIZER_VERSION 1
1189 
1190  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(WIN_PROCESS_SERIALIZER_VERSION, ObjectType);
1191  if (!pHeader)
1192  {
1193  return;
1194  }
1195 
1196  SERIALIZER_WIN_PROCESS *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
1197  if (!pObject)
1198  {
1199  return;
1200  }
1201 
1202  pObject->EprocessAddress = Process->EprocessAddress;
1203  pObject->ParentEprocess = Process->ParentEprocess;
1204  pObject->RealParentEprocess = Process->RealParentEprocess;
1205  pObject->Cr3 = Process->Cr3;
1206  pObject->UserCr3 = Process->UserCr3;
1207  pObject->Pid = Process->Pid;
1208  pObject->Peb64Address = Process->Peb64Address;
1209  pObject->Peb32Address = Process->Peb32Address;
1210  pObject->MainModuleAddress = Process->MainModuleAddress;
1211  pObject->Flags = Process->Flags;
1212 
1213  pHeader->Size = sizeof(*pObject);
1214  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
1215 
1216  IntSerializeString(Process->Name, sizeof(Process->Name), stringEncodeUtf8, pHeader);
1217  IntSerializeString(Process->Path != NULL ? Process->Path->Path : NULL,
1218  Process->Path != NULL ? Process->Path->PathSize : 0,
1219  stringEncodeUtf16,
1220  pHeader);
1221  IntSerializeString(Process->CommandLine, Process->CommandLineSize, stringEncodeUtf8, pHeader);
1222 }
1223 
1224 
1225 static void
1226 IntSerializeLixProcess(
1227  _In_ const LIX_TASK_OBJECT *Process,
1228  _In_ const DWORD ObjectType
1229  )
1236 {
1237  if (Process == NULL)
1238  {
1239  return;
1240  }
1241 
1242 #define LIX_PROCESS_SERIALIZER_VERSION 1
1243 
1244  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(LIX_PROCESS_SERIALIZER_VERSION, ObjectType);
1245  if (!pHeader)
1246  {
1247  return;
1248  }
1249 
1250  SERIALIZER_LIX_PROCESS *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
1251  if (!pObject)
1252  {
1253  return;
1254  }
1255 
1256  pObject->Gva = Process->Gva;
1257  pObject->RealParent = Process->RealParent;
1258  pObject->Parent = Process->Parent;
1259  pObject->ActualParent = Process->ActualParent;
1260  pObject->MmGva = Process->MmGva;
1261  pObject->Cr3 = Process->Cr3;
1262  pObject->Pid = Process->Pid;
1263  pObject->Tgid = Process->Tgid;
1264 
1265  pHeader->Size = sizeof(*pObject);
1266  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
1267 
1268  IntSerializeString(Process->Path != NULL ? Process->Path->Name : NULL,
1269  Process->Path != NULL ? (DWORD)Process->Path->NameLength : 0,
1270  stringEncodeUtf8,
1271  pHeader);
1272  IntSerializeString(Process->Path != NULL ? Process->Path->Path : NULL,
1273  Process->Path != NULL ? (DWORD)Process->Path->PathLength : 0,
1274  stringEncodeUtf8,
1275  pHeader);
1276  IntSerializeString(Process->CmdLine, Process->CmdLineLength, stringEncodeUtf8, pHeader);
1277 }
1278 
1279 
1280 static void
1281 IntSerializeProcess(
1282  _In_ void *Process,
1283  _In_ const DWORD ObjectType
1284  )
1291 {
1292  if (gGuest.OSType == introGuestLinux)
1293  {
1294  IntSerializeLixProcess(Process, ObjectType);
1295  }
1296  else if (gGuest.OSType == introGuestWindows)
1297  {
1298  IntSerializeWinProcess(Process, ObjectType);
1299  }
1300 }
1301 
1302 
1303 void
1304 IntSerializeWinVad(
1305  _In_ const VAD *Vad
1306  )
1312 {
1313  if (Vad == NULL)
1314  {
1315  return;
1316  }
1317 
1318 #define WIN_VAD_SERIALIZER_VERSION 1
1319 
1320  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(WIN_VAD_SERIALIZER_VERSION, intObjWinVad);
1321  if (!pHeader)
1322  {
1323  return;
1324  }
1325 
1326  SERIALIZER_WIN_VAD *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
1327  if (!pObject)
1328  {
1329  return;
1330  }
1331 
1332  pObject->StartPage = Vad->StartPage;
1333  pObject->EndPage = Vad->EndPage;
1334  pObject->VadGva = Vad->VadGva;
1335  pObject->VadProtection = Vad->VadProtection;
1336  pObject->VadType = Vad->VadType;
1337  pObject->Protection = Vad->Protection;
1338  pObject->ExecCount = Vad->ExecCount;
1339  pObject->Flags = Vad->StaticScan | Vad->IsStack | Vad->HugeVad | Vad->IsIgnored | Vad->NoChange |
1340  Vad->PrivateFixup | Vad->DeleteInProgress;
1341 
1342  pHeader->Size = sizeof(*pObject);
1343  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
1344 
1345  IntSerializeString(Vad->Path != NULL ? Vad->Path->Path : NULL,
1346  Vad->Path != NULL ? Vad->Path->PathSize : 0,
1347  stringEncodeUtf16,
1348  pHeader);
1349 }
1350 
1351 
1352 static void
1353 IntSerializeLixVma(
1354  _In_ const LIX_VMA *Vma
1355  )
1361 {
1362  if (NULL == Vma)
1363  {
1364  return;
1365  }
1366 
1367 #define LIX_VMA_SERIALIZER_VERSION 1
1368 
1369  INTSTATUS status = INT_STATUS_SUCCESS;
1370  char *pFilePath = NULL;
1371  DWORD filePathLength = 0;
1372 
1373  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(LIX_VMA_SERIALIZER_VERSION, intObjLixVma);
1374  if (!pHeader)
1375  {
1376  return;
1377  }
1378 
1379  SERIALIZER_LIX_VMA *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
1380  if (!pObject)
1381  {
1382  return;
1383  }
1384 
1385  pObject->Start = Vma->Start;
1386  pObject->End = Vma->End;
1387  pObject->Gva = Vma->Gva;
1388  pObject->Flags = Vma->Flags;
1389  pObject->File = Vma->File;
1390 
1391  pHeader->Size = sizeof(*pObject);
1392  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
1393 
1394  status = IntLixFileGetPath(Vma->File, &pFilePath, &filePathLength);
1395  if (INT_SUCCESS(status))
1396  {
1397  IntSerializeString(pFilePath, filePathLength, stringEncodeUtf8, pHeader);
1398  }
1399  else
1400  {
1401  IntSerializeString(NULL, 0, stringEncodeUtf8, pHeader);
1402  }
1403 }
1404 
1405 
1406 static void
1407 IntSerializeVad(
1408  _In_ const void *Vad
1409  )
1415 {
1416  if (gGuest.OSType == introGuestLinux)
1417  {
1418  IntSerializeLixVma(Vad);
1419  }
1420  else if (gGuest.OSType == introGuestWindows)
1421  {
1422  IntSerializeWinVad(Vad);
1423  }
1424 }
1425 
1426 
1427 static void
1428 IntSerializeWinKernelDriver(
1429  _In_ const KERNEL_DRIVER *Driver,
1430  _In_ DWORD ObjectType
1431  )
1438 {
1439  if (Driver == NULL)
1440  {
1441  return;
1442  }
1443 
1444 #define WIN_KERNEL_DRIVER_SERIALIZER_VERSION 1
1445 
1446  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(WIN_KERNEL_DRIVER_SERIALIZER_VERSION, ObjectType);
1447  if (!pHeader)
1448  {
1449  return;
1450  }
1451 
1452  SERIALIZER_WIN_KERNEL_DRIVER *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
1453  if (!pObject)
1454  {
1455  return;
1456  }
1457 
1458  pObject->TimeDateStamp = Driver->Win.TimeDateStamp;
1459 
1460  pHeader->Size = sizeof(*pObject);
1461  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
1462 
1463  IntSerializeString(Driver->Win.Path, Driver->Win.PathLength * 2 + sizeof(WCHAR), stringEncodeUtf16, pHeader);
1464 }
1465 
1466 
1467 static void
1468 IntSerializeLixKernelModule(
1469  _In_ const KERNEL_DRIVER *Driver,
1470  _In_ DWORD ObjecType
1471  )
1478 {
1479 #define LIX_KERNEL_MODULE_SERIALIZER_VERSION 1
1480 
1481  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(LIX_KERNEL_MODULE_SERIALIZER_VERSION, ObjecType);
1482  if (!pHeader)
1483  {
1484  return;
1485  }
1486 
1487  SERIALIZER_LIX_KERNEL_MODULE *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
1488  if (!pObject)
1489  {
1490  return;
1491  }
1492 
1493  pObject->InitLayout.Base = Driver->Lix.InitLayout.Base;
1494  pObject->InitLayout.Size = Driver->Lix.InitLayout.Size;
1495  pObject->InitLayout.TextSize = Driver->Lix.InitLayout.TextSize;
1496  pObject->InitLayout.RoSize = Driver->Lix.InitLayout.RoSize;
1497  pObject->CoreLayout.Base = Driver->Lix.CoreLayout.Base;
1498  pObject->CoreLayout.Size = Driver->Lix.CoreLayout.Size;
1499  pObject->CoreLayout.TextSize = Driver->Lix.CoreLayout.TextSize;
1500  pObject->CoreLayout.RoSize = Driver->Lix.CoreLayout.RoSize;
1501 
1502  pHeader->Size = sizeof(*pObject);
1503  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
1504 
1505  IntSerializeString(Driver->Name, (DWORD)Driver->NameLength, stringEncodeUtf8, pHeader);
1506 }
1507 
1508 
1509 static void
1510 IntSerializeKernelDrvObject(
1511  _In_ const WIN_DRIVER_OBJECT *DrvObject
1512  )
1518 {
1519  if (DrvObject == NULL)
1520  {
1521  return;
1522  }
1523 #define KERNEL_DRV_OBJECT_SERIALIZER_VERSION 1
1524 
1525  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(KERNEL_DRV_OBJECT_SERIALIZER_VERSION,
1526  intObjKernelDrvObject);
1527  if (!pHeader)
1528  {
1529  return;
1530  }
1531 
1532  SERIALIZER_KERNEL_DRV_OBJECT *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
1533  if (!pObject)
1534  {
1535  return;
1536  }
1537 
1538  pObject->Gva = DrvObject->DriverObjectGva;
1539  pObject->Gpa = DrvObject->DriverObjectGpa;
1540  pObject->FastIOTableAddress = DrvObject->FastIOTableAddress;
1541 
1542  pHeader->Size = sizeof(*pObject);
1543  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
1544 
1545  IntSerializeString(DrvObject->Name, DrvObject->NameLen, stringEncodeUtf16, pHeader);
1546 }
1547 
1548 
1549 static void
1550 IntSerializeKernelDriver(
1551  _In_opt_ const EXCEPTION_KM_ORIGINATOR *Originator,
1552  _In_opt_ const KERNEL_DRIVER *Driver,
1553  _In_ const DWORD ObjectType
1554  )
1562 {
1563 #define KERNEL_DRIVER_SERIALIZER_VERSION 1
1564 
1565  const KERNEL_DRIVER *pDriver = NULL;
1566  const CHAR *pSection = NULL;
1567 
1568  if (Driver != NULL)
1569  {
1570  pDriver = Driver;
1571  }
1572  else
1573  {
1574  if (Originator == NULL)
1575  {
1576  return;
1577  }
1578 
1579  if (ObjectType == intObjKernelDriver)
1580  {
1581  pDriver = Originator->Original.Driver;
1582  pSection = Originator->Original.Section;
1583  }
1584  else if (ObjectType == intObjKernelDriverReturn)
1585  {
1586  pDriver = Originator->Return.Driver;
1587  pSection = Originator->Return.Section;
1588  }
1589  else
1590  {
1591  return;
1592  }
1593  }
1594 
1595  if (pDriver == NULL)
1596  {
1597  return;
1598  }
1599 
1600  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(KERNEL_DRIVER_SERIALIZER_VERSION, ObjectType);
1601  if (!pHeader)
1602  {
1603  return;
1604  }
1605 
1606  SERIALIZER_KERNEL_DRIVER *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
1607  if (!pObject)
1608  {
1609  return;
1610  }
1611 
1612  pObject->ObjectGva = pDriver->ObjectGva;
1613  pObject->BaseVa = pDriver->BaseVa;
1614  pObject->Size = pDriver->Size;
1615  pObject->EntryPoint = pDriver->EntryPoint;
1616 
1617  pHeader->Size = sizeof(*pObject);
1618  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
1619 
1620  if (pSection != NULL)
1621  {
1622  IntSerializeString(pSection, pSection[0] == 0 ? 0 : 9, stringEncodeUtf8, pHeader);
1623  }
1624  else
1625  {
1626  IntSerializeString(pSection, 0, stringEncodeUtf8, pHeader);
1627  }
1628 
1629  if (gGuest.OSType == introGuestWindows)
1630  {
1631  IntSerializeWinKernelDriver(pDriver,
1632  ObjectType == intObjKernelDriver ?
1633  intObjWinKernelDriver : intObjWinKernelDriverReturn);
1634  }
1635  else if (gGuest.OSType == introGuestLinux)
1636  {
1637  IntSerializeLixKernelModule(pDriver,
1638  ObjectType == intObjKernelDriver ?
1639  intObjLixKernelModule : intObjLixKernelModuleReturn);
1640  }
1641 }
1642 
1643 
1644 static void
1645 IntSerializeWinModule(
1646  _In_ const WIN_PROCESS_MODULE *Module,
1647  _In_ const DWORD ObjectType
1648  )
1655 {
1656  if (Module == NULL)
1657  {
1658  return;
1659  }
1660 
1661 #define WIN_PROCESS_MODULE_SERIALIZER_VERSION 1
1662 
1663  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(WIN_PROCESS_MODULE_SERIALIZER_VERSION, ObjectType);
1664  if (!pHeader)
1665  {
1666  return;
1667  }
1668 
1669  SERIALIZER_WIN_MODULE *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
1670  if (!pObject)
1671  {
1672  return;
1673  }
1674 
1675  pObject->VirtualBase = Module->VirtualBase;
1676  pObject->Size = Module->Size;
1677 
1678  pHeader->Size = sizeof(*pObject);
1679  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
1680 
1681  IntSerializeString(Module->Path->Path, Module->Path->PathSize, stringEncodeUtf16, pHeader);
1682 }
1683 
1684 
1685 void
1686 IntSerializeInstruction(
1687  _In_ INSTRUX *Instruction,
1688  _In_ const QWORD Rip
1689  )
1696 {
1697  if (Instruction == NULL)
1698  {
1699  return;
1700  }
1701 
1702 #define INSTRUX_SERIALIZER_VERSION 1
1703 
1704  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(INSTRUX_SERIALIZER_VERSION, intObjInstrux);
1705  if (!pHeader)
1706  {
1707  return;
1708  }
1709 
1710  SERIALIZER_INSTRUX *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
1711  if (!pObject)
1712  {
1713  return;
1714  }
1715 
1716  pObject->Rip = Rip;
1717  memcpy(pObject->Bytes, Instruction->InstructionBytes, sizeof(pObject->Bytes));
1718 
1719  pHeader->Size = sizeof(*pObject);
1720  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
1721 }
1722 
1723 
1724 static void
1725 IntSerializeWriteInfo(
1726  _In_ const EXCEPTION_VICTIM_ZONE *Victim
1727  )
1733 {
1734  if (Victim == NULL)
1735  {
1736  return;
1737  }
1738 
1739 #define WRITE_INFO_SERIALIZER_VERSION 1
1740 
1741  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(WRITE_INFO_SERIALIZER_VERSION, intObjWriteInfo);
1742  if (!pHeader)
1743  {
1744  return;
1745  }
1746 
1747  SERIALIZER_WRITE_INFO *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
1748  if (!pObject)
1749  {
1750  return;
1751  }
1752 
1753  pObject->AccessSize = Victim->WriteInfo.AccessSize;
1754  memcpy(pObject->OldValue, Victim->WriteInfo.OldValue, MIN(sizeof(pObject->OldValue), pObject->AccessSize));
1755  memcpy(pObject->NewValue, Victim->WriteInfo.NewValue, MIN(sizeof(pObject->NewValue), pObject->AccessSize));
1756 
1757  pHeader->Size = sizeof(*pObject);
1758  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
1759 }
1760 
1761 
1762 static void
1763 IntSerializeReadInfo(
1764  _In_ const EXCEPTION_VICTIM_ZONE *Victim
1765  )
1771 {
1772  if (Victim == NULL)
1773  {
1774  return;
1775  }
1776 
1777 #define READ_INFO_SERIALIZER_VERSION 1
1778 
1779  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(READ_INFO_SERIALIZER_VERSION, intObjReadInfo);
1780  if (!pHeader)
1781  {
1782  return;
1783  }
1784 
1785  SERIALIZER_READ_INFO *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
1786  if (!pObject)
1787  {
1788  return;
1789  }
1790 
1791  pObject->AccessSize = Victim->ReadInfo.AccessSize;
1792  memcpy(pObject->Value, Victim->ReadInfo.Value, MIN(sizeof(pObject->Value), pObject->AccessSize));
1793 
1794  pHeader->Size = sizeof(*pObject);
1795  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
1796 }
1797 
1798 
1799 static void
1800 IntSerializeExecInfo(
1801  _In_ const EXCEPTION_VICTIM_ZONE *Victim
1802  )
1808 {
1809  if (Victim == NULL)
1810  {
1811  return;
1812  }
1813 
1814 #define EXEC_INFO_SERIALIZER_VERSION 1
1815 
1816  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(EXEC_INFO_SERIALIZER_VERSION, intObjExecInfo);
1817  if (!pHeader)
1818  {
1819  return;
1820  }
1821 
1822  SERIALIZER_EXEC_INFO *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
1823  if (!pObject)
1824  {
1825  return;
1826  }
1827 
1828  pObject->Rsp = Victim->ExecInfo.Rsp;
1829  pObject->Length = Victim->ExecInfo.Length;
1830  pObject->StackBase = Victim->ExecInfo.StackBase;
1831  pObject->StackLimit = Victim->ExecInfo.StackLimit;
1832 
1833  pHeader->Size = sizeof(*pObject);
1834  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
1835 }
1836 
1837 
1838 static void
1839 IntSerializeAccessInfo(
1840  _In_ const EXCEPTION_VICTIM_ZONE *Victim
1841  )
1847 {
1848  if (Victim->ZoneFlags & ZONE_WRITE)
1849  {
1850  IntSerializeWriteInfo(Victim);
1851  }
1852  else if (Victim->ZoneFlags & ZONE_READ)
1853  {
1854  IntSerializeReadInfo(Victim);
1855  }
1856  else if (Victim->ZoneFlags & ZONE_EXECUTE)
1857  {
1858  IntSerializeExecInfo(Victim);
1859  }
1860 }
1861 
1862 
1863 static void
1864 IntSerializeRawDump(
1865  _In_ const EXCEPTION_UM_ORIGINATOR *Originator,
1866  _In_ const EXCEPTION_VICTIM_ZONE *Victim
1867  )
1874 {
1875  if (Victim == NULL)
1876  {
1877  return;
1878  }
1879 
1880  if (Originator == NULL)
1881  {
1882  return;
1883  }
1884 
1885 #define RAW_DUMP_SERIALIZER_VERSION 1
1886 
1887  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(RAW_DUMP_SERIALIZER_VERSION, intObjRawDump);
1888  if (!pHeader)
1889  {
1890  return;
1891  }
1892 
1893  SERIALIZER_RAW_DUMP *pObject = IntSerializeCurrentPtr(sizeof(*pObject) + Victim->Injection.Length);
1894  if (!pObject)
1895  {
1896  return;
1897  }
1898 
1899  pObject->Length = Victim->Injection.Length;
1900 
1901  if (gGuest.OSType == introGuestLinux)
1902  {
1903  IntVirtMemRead(Originator->SourceVA, Victim->Injection.Length, Originator->LixProc->Cr3, pObject->Raw, NULL);
1904  }
1905  else if (gGuest.OSType == introGuestWindows)
1906  {
1907  IntVirtMemRead(Originator->SourceVA, Victim->Injection.Length, Originator->WinProc->Cr3, pObject->Raw, NULL);
1908  }
1909 
1910  pHeader->Size = (WORD)(sizeof(*pObject) + pObject->Length);
1911  IntSerializeIncrementCurrentPtr(sizeof(*pObject) + pObject->Length);
1912 }
1913 
1914 
1915 static void
1916 IntSerializeRipCode(
1917  void
1918  )
1922 {
1923 
1924 #define RIP_CODE_SERIALIZER_VERSION 1
1925  INTSTATUS status = INT_STATUS_SUCCESS;
1926 
1927  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(RIP_CODE_SERIALIZER_VERSION, intObjRipCode);
1928  if (!pHeader)
1929  {
1930  return;
1931  }
1932 
1933  SERIALIZER_RIP_CODE *pObject = IntSerializeCurrentPtr(sizeof(*pObject) + PAGE_SIZE);
1934  if (!pObject)
1935  {
1936  return;
1937  }
1938 
1939  status = IntGetCurrentMode(IG_CURRENT_VCPU, &pObject->CsType);
1940  if (!INT_SUCCESS(status))
1941  {
1942  ERROR("[ERROR] IntGetCurrentMode failed: 0x%08x\n", status);
1943  pObject->CsType = IG_CS_TYPE_INVALID;
1944  }
1945 
1946  pObject->Length = PAGE_SIZE;
1947 
1948  IntVirtMemRead(gVcpu->Regs.Rip & PAGE_MASK, PAGE_SIZE, gVcpu->Regs.Cr3, pObject->Code, NULL);
1949 
1950  pHeader->Size = (WORD)(sizeof(*pObject) + pObject->Length);
1951  IntSerializeIncrementCurrentPtr(sizeof(*pObject) + pObject->Length);
1952 }
1953 
1954 
1955 static void
1956 IntSerializeCodeBlocksGetExtractRange(
1957  _In_ QWORD Rip,
1958  _In_ BOOLEAN Execute,
1959  _Out_ DWORD *Start,
1960  _Out_ DWORD *End
1961  )
1972 {
1973  DWORD startOffset = 0;
1974  DWORD endOffset = 0;
1975 
1976  startOffset = endOffset = Rip & PAGE_OFFSET;
1977 
1978  if (!Execute)
1979  {
1980  if (startOffset > EXCEPTION_CODEBLOCKS_OFFSET)
1981  {
1982  if (endOffset + EXCEPTION_CODEBLOCKS_OFFSET < PAGE_SIZE)
1983  {
1984  startOffset -= EXCEPTION_CODEBLOCKS_OFFSET;
1985  endOffset += EXCEPTION_CODEBLOCKS_OFFSET - 1;
1986  }
1987  else
1988  {
1989  startOffset = PAGE_SIZE - (EXCEPTION_CODEBLOCKS_OFFSET * 2);
1990  endOffset = PAGE_SIZE - 1;
1991  }
1992 
1993  }
1994  else
1995  {
1996  startOffset = 0;
1997  endOffset = (EXCEPTION_CODEBLOCKS_OFFSET * 2) - 1;
1998  }
1999  }
2000  else
2001  {
2002  endOffset += EXCEPTION_CODEBLOCKS_OFFSET - 1;
2003  }
2004 
2005  *Start = startOffset;
2006  *End = endOffset;
2007 }
2008 
2009 
2010 static CB_EXTRACT_LEVEL
2011 IntSerializeCodeBlocksGetExtractLevel(
2012  _In_ QWORD Rip
2013  )
2019 {
2020  if (gGuest.OSType == introGuestWindows)
2021  {
2022  if (IS_KERNEL_POINTER_WIN(gGuest.Guest64, Rip))
2023  {
2024  return cbLevelNormal;
2025  }
2026  else
2027  {
2028  return cbLevelMedium;
2029  }
2030  }
2031  else if (gGuest.OSType == introGuestLinux)
2032  {
2033  if (IS_KERNEL_POINTER_LIX(Rip))
2034  {
2035  return cbLevelNormal;
2036  }
2037  else
2038  {
2039  return cbLevelMedium;
2040  }
2041  }
2042 
2043  return cbLevelNormal;
2044 }
2045 
2046 
2047 static void
2048 IntSerializeCodeBlocksPattern(
2049  _In_ CODE_BLOCK *CodeBlocks,
2050  _In_ DWORD Count,
2051  _In_ QWORD Rip,
2052  _In_ BOOLEAN Execute,
2053  _Out_ SERIALIZER_CODE_BLOCKS *Object
2054  )
2064 {
2065  DWORD startCb = 0;
2066  DWORD ripCb = 0;
2067 
2068  if (!Execute)
2069  {
2070  DWORD previous = gCodeBlocks[0].OffsetStart;
2071  DWORD ripOffset = Rip & PAGE_OFFSET;
2072 
2073  // We must find where the RIP is inside the extracted codeblocks
2074  for (DWORD index = 0; index < Count; index++)
2075  {
2076  if (index == 0 && CodeBlocks[index].OffsetStart >= ripOffset)
2077  {
2078  ripCb = 0;
2079  break;
2080  }
2081  else if (index == Count - 1 || (previous <= ripOffset && ripOffset <= gCodeBlocks[index].OffsetStart))
2082  {
2083  ripCb = index;
2084  break;
2085  }
2086 
2087  previous = gCodeBlocks[index].OffsetStart;
2088  }
2089 
2090  if (Count <= ALERT_MAX_CODEBLOCKS || (ripCb <= ALERT_MAX_CODEBLOCKS / 2))
2091  {
2092  // [0; MIN(ALERT_MAX_CODEBLOCKS, cbCount)]
2093  startCb = 0;
2094  }
2095  else if (Count - ripCb < ALERT_MAX_CODEBLOCKS)
2096  {
2097  // [cbCount - ALERT_MAX_CODEBLOCKS; cbCount]
2098  startCb = Count >= ALERT_MAX_CODEBLOCKS ? Count - ALERT_MAX_CODEBLOCKS : 0;
2099  }
2100  else
2101  {
2102  // save before & after RIP
2103  startCb = ripCb - (ALERT_MAX_CODEBLOCKS / 2);
2104  }
2105  }
2106  else
2107  {
2108  startCb = 0;
2109  }
2110 
2111  Object->StartAddress = (Rip & PAGE_MASK) + CodeBlocks[startCb].OffsetStart;
2112  Object->Rip = Rip;
2113  Object->Count = 0;
2114 
2115  for (DWORD index = startCb; index < Count; index++)
2116  {
2117  Object->Content[Object->Count] = Crc32Compute(CodeBlocks[index].Chunks,
2118  CODE_BLOCK_CHUNKS_COUNT,
2119  INITIAL_CRC_VALUE);
2120 
2121  if (index == ripCb)
2122  {
2123  Object->RipCbIndex = Object->Count;
2124  }
2125 
2126  Object->Count++;
2127 
2128  if (Object->Count >= ALERT_MAX_CODEBLOCKS)
2129  {
2130  break;
2131  }
2132  }
2133 }
2134 
2135 
2136 static INTSTATUS
2137 IntSerializeExtractCodeBlocks(
2138  _In_ QWORD Rip,
2139  _In_ QWORD Cr3,
2140  _In_ BOOLEAN Execute,
2141  _Out_ SERIALIZER_CODE_BLOCKS *Object
2142  )
2156 {
2157  INTSTATUS status = INT_STATUS_SUCCESS;
2158  void *pContent = NULL;
2159  DWORD mode = 0;
2160  DWORD startOffset = 0;
2161  DWORD endOffset = 0;
2162  CB_EXTRACT_LEVEL extractLevel = IntSerializeCodeBlocksGetExtractLevel(Rip);
2163  DWORD cbCount = 0;
2164 
2165  status = IntGetCurrentMode(IG_CURRENT_VCPU, &mode);
2166  if (!INT_SUCCESS(status))
2167  {
2168  ERROR("[ERROR] IntGetCurrentMode failed: 0x%08x\n", status);
2169  return status;
2170  }
2171 
2172  if ((mode != IG_CS_TYPE_32B) && (mode != IG_CS_TYPE_64B))
2173  {
2174  ERROR("[ERROR] Unsupported CS type: %d\n", mode);
2175  return status;
2176  }
2177 
2178  IntSerializeCodeBlocksGetExtractRange(Rip, Execute, &startOffset, &endOffset);
2179 
2180  status = IntVirtMemMap((Rip & PAGE_MASK) + startOffset, endOffset - startOffset, Cr3, 0, &pContent);
2181  if (!INT_SUCCESS(status))
2182  {
2183  if (Execute)
2184  {
2185  WARNING("[WARNING] Failed to map range [0x%016llx - 0x%016llx], try to map range [0x%016llx - 0x%016llx]",
2186  (Rip & PAGE_MASK) + startOffset, (Rip & PAGE_MASK) + startOffset + (endOffset - startOffset),
2187  (Rip & PAGE_MASK) + startOffset, (Rip & PAGE_MASK) + startOffset + (PAGE_SIZE - startOffset));
2188  status = IntVirtMemMap((Rip & PAGE_MASK) + startOffset,
2189  PAGE_SIZE - startOffset,
2190  Cr3,
2191  0,
2192  &pContent);
2193  if (!INT_SUCCESS(status))
2194  {
2195  WARNING("[WARNING] IntVirtMemMap failed for RIP %llx and cr3 %llx: 0x%08x\n",
2196  Rip & PAGE_MASK, Cr3, status);
2197  return status;
2198  }
2199 
2200  endOffset = PAGE_SIZE;
2201  }
2202  else
2203  {
2204  WARNING("[WARNING] IntVirtMemMap failed for RIP %llx and cr3 %llx: 0x%08x\n",
2205  Rip & PAGE_MASK, Cr3, status);
2206  return status;
2207  }
2208  }
2209 
2210  status = IntFragExtractCodePattern(pContent,
2211  startOffset,
2212  endOffset - startOffset,
2213  mode,
2214  extractLevel,
2215  PAGE_SIZE / sizeof(CODE_BLOCK_PATTERN),
2216  gCodeBlocksPattern,
2217  &gCodeBlocksPatternLength);
2218  if (!INT_SUCCESS(status))
2219  {
2220  if (status == INT_STATUS_DATA_BUFFER_TOO_SMALL)
2221  {
2222  WARNING("[WARNNING] Buffer too small to extract codeblocks (size %d): 0x%08x\n",
2223  endOffset - startOffset,
2224  status);
2225  }
2226  else
2227  {
2228  ERROR("[ERROR] IntFragExtractCodePattern: 0x%08x\n", status);
2229  }
2230 
2231  goto _exit;
2232  }
2233 
2234  if (gCodeBlocksPatternLength < CODE_BLOCK_CHUNKS_COUNT)
2235  {
2236  WARNING("[WARNING] Could not extract enough code-blocks from RIP %llx: %d\n",
2237  Rip,
2238  gCodeBlocksPatternLength);
2239 
2240  status = INT_STATUS_DATA_BUFFER_TOO_SMALL;
2241  goto _exit;
2242  }
2243 
2244  for (DWORD i = 0; i < gCodeBlocksPatternLength - CODE_BLOCK_CHUNKS_COUNT; i++)
2245  {
2246  if (cbLevelNormal == extractLevel &&
2247  (codeInsCall != gCodeBlocksPattern[i].Value &&
2248  codeInsJmp != gCodeBlocksPattern[i].Value))
2249  {
2250  continue;
2251  }
2252 
2253  if (cbLevelMedium == extractLevel &&
2254  (codeInsCall != gCodeBlocksPattern[i].Value &&
2255  codeInsJmp != gCodeBlocksPattern[i].Value &&
2256  codeInsMovMem != gCodeBlocksPattern[i].Value &&
2257  codeInsMovFsGs != gCodeBlocksPattern[i].Value))
2258  {
2259  continue;
2260  }
2261 
2262  gCodeBlocks[cbCount].PivotInstruction = gCodeBlocksPattern[i].Value;
2263  gCodeBlocks[cbCount].OffsetStart = gCodeBlocksPattern[i].Offset;
2264 
2265  // Extract from offset, CODE_BLOCK_CHUNKS_COUNT forward
2266  for (DWORD j = 0; j < CODE_BLOCK_CHUNKS_COUNT; j++)
2267  {
2268  gCodeBlocks[cbCount].Chunks[j] = gCodeBlocksPattern[i + j].Value;
2269  gCodeBlocks[cbCount].Size++;
2270  }
2271 
2272  ++cbCount;
2273 
2274  if (cbCount >= sizeof(gCodeBlocks) / sizeof(gCodeBlocks[0]))
2275  {
2276  break;
2277  }
2278  }
2279 
2280 
2281  if (IntSerializeValidObjectSize(sizeof(DWORD) * MIN(ALERT_MAX_CODEBLOCKS, cbCount)))
2282  {
2283  IntSerializeCodeBlocksPattern(gCodeBlocks, cbCount, Rip, Execute, Object);
2284  }
2285  else
2286  {
2287  status = INT_STATUS_DATA_BUFFER_TOO_SMALL;
2288  goto _exit;
2289  }
2290 
2291 _exit:
2292  IntVirtMemUnmap(&pContent);
2293 
2294  return status;
2295 }
2296 
2297 
2298 static void
2299 IntSerializeCodeBlocks(
2300  _In_ QWORD Rip,
2301  _In_ QWORD Cr3,
2302  _In_ BOOLEAN Execute
2303  )
2311 {
2312 #define CODE_BLOCKS_SERIALIZER_VERSION 1
2313 
2314  if (Rip == 0)
2315  {
2316  return;
2317  }
2318 
2319  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(CODE_BLOCKS_SERIALIZER_VERSION, intObjCodeBlocks);
2320  if (!pHeader)
2321  {
2322  return;
2323  }
2324 
2325  SERIALIZER_CODE_BLOCKS *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
2326  if (!pObject)
2327  {
2328  return;
2329  }
2330 
2331  memzero(pObject, sizeof(*pObject));
2332 
2333  INTSTATUS status = IntSerializeExtractCodeBlocks(Rip, Cr3, Execute, pObject);
2334  if (!INT_SUCCESS(status))
2335  {
2336  WARNING("[WARNING] IntSerializeExtractCodeBlocks failed with status: 0x%08x\n", status);
2337  }
2338 
2339  pHeader->Size = (WORD)(sizeof(*pObject) + pObject->Count * sizeof(DWORD));
2340  IntSerializeIncrementCurrentPtr(sizeof(*pObject) + pObject->Count * sizeof(DWORD));
2341 }
2342 
2343 
2344 static void
2345 IntSerializeArchRegs(
2346  void
2347  )
2351 {
2352 #define ARCH_REGS_SERIALIZER_VERSION 1
2353 
2354  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(RIP_CODE_SERIALIZER_VERSION, intObjArchRegs);
2355  if (!pHeader)
2356  {
2357  return;
2358  }
2359 
2360  SERIALIZER_ARCH_REGS *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
2361  if (!pObject)
2362  {
2363  return;
2364  }
2365 
2366  memcpy(pObject, &gVcpu->Regs, sizeof(*pObject));
2367 
2368  pHeader->Size += sizeof(*pObject);
2369  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
2370 }
2371 
2372 
2373 static void
2374 IntSerializeDpiWinDebug(
2375  _In_ const EXCEPTION_UM_ORIGINATOR *Originator,
2376  _In_ const EXCEPTION_VICTIM_ZONE *Victim
2377  )
2384 {
2385 #define DPI_WIN_DEBUG_SERIALIZER_VERSION 1
2386  UNREFERENCED_PARAMETER(Originator);
2387 
2388  WIN_PROCESS_OBJECT *pProcess = Victim->Object.WinProc;
2389  if (!pProcess)
2390  {
2391  return;
2392  }
2393 
2394  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(DPI_WIN_DEBUG_SERIALIZER_VERSION, intObjDpiWinDebug);
2395  if (!pHeader)
2396  {
2397  return;
2398  }
2399 
2400  SERIALIZER_DPI_WIN_DEBUG *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
2401  if (!pObject)
2402  {
2403  return;
2404  }
2405 
2406  pObject->Debugger = pProcess->CreationInfo.DebuggerEprocess;
2407 
2408  pHeader->Size += sizeof(*pObject);
2409  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
2410 
2411  IntSerializeWinProcess(IntWinProcFindObjectByEprocess(pProcess->CreationInfo.DebuggerEprocess), intObjWinProcess);
2412 }
2413 
2414 
2415 static void
2416 IntSerializeDpiWinPivotedStack(
2417  _In_ const EXCEPTION_UM_ORIGINATOR *Originator,
2418  _In_ const EXCEPTION_VICTIM_ZONE *Victim
2419  )
2426 {
2427 #define DPI_WIN_PIVOTET_STACK_SERIALIZER_VERSION 1
2428  UNREFERENCED_PARAMETER(Victim);
2429 
2430  DWORD trapFrameSize = gGuest.Guest64 ? sizeof(KTRAP_FRAME64) : sizeof(KTRAP_FRAME32);
2431 
2432  WIN_PROCESS_OBJECT *pProcess = Originator->WinProc;
2433  if (!pProcess)
2434  {
2435  return;
2436  }
2437 
2438  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(DPI_WIN_PIVOTET_STACK_SERIALIZER_VERSION,
2439  intObjDpiWinPivotedStack);
2440  if (!pHeader)
2441  {
2442  return;
2443  }
2444 
2445  SERIALIZER_DPI_PIVOTED_STACK *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
2446  if (!pObject)
2447  {
2448  return;
2449  }
2450 
2451  pObject->CurrentStack = pProcess->DpiExtraInfo.DpiPivotedStackExtraInfo.CurrentStack;
2452  pObject->StackBase = pProcess->DpiExtraInfo.DpiPivotedStackExtraInfo.StackBase;
2453  pObject->StackLimit = pProcess->DpiExtraInfo.DpiPivotedStackExtraInfo.StackLimit;
2454  pObject->Wow64CurrentStack = pProcess->DpiExtraInfo.DpiPivotedStackExtraInfo.CurrentWow64Stack;
2455  pObject->Wow64StackBase = pProcess->DpiExtraInfo.DpiPivotedStackExtraInfo.Wow64StackBase;
2456  pObject->Wow64StackLimit = pProcess->DpiExtraInfo.DpiPivotedStackExtraInfo.Wow64StackLimit;
2457 
2458  IntVirtMemRead(pProcess->DpiExtraInfo.DpiPivotedStackExtraInfo.TrapFrameAddress,
2459  MIN(trapFrameSize, sizeof(pObject->TrapFrameContent)), gGuest.Mm.SystemCr3, pObject->TrapFrameContent,
2460  NULL);
2461 
2462  pHeader->Size += sizeof(*pObject);
2463  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
2464 }
2465 
2466 
2467 static void
2468 IntSerializeDpiWinStolenToken(
2469  _In_ const EXCEPTION_UM_ORIGINATOR *Originator,
2470  _In_ const EXCEPTION_VICTIM_ZONE *Victim
2471  )
2478 {
2479 #define DPI_WIN_STOLEN_TOKEN_SERIALIZER_VERSION 1
2480  UNREFERENCED_PARAMETER(Victim);
2481 
2482  WIN_PROCESS_OBJECT *pProcess = Originator->WinProc;
2483  if (!pProcess)
2484  {
2485  return;
2486  }
2487 
2488  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(DPI_WIN_STOLEN_TOKEN_SERIALIZER_VERSION,
2489  intObjDpiWinStolenToken);
2490  if (!pHeader)
2491  {
2492  return;
2493  }
2494 
2495  SERIALIZER_DPI_WIN_STOLEN_TOKEN *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
2496  if (!pObject)
2497  {
2498  return;
2499  }
2500 
2501  pObject->StolenFrom = pProcess->DpiExtraInfo.DpiStolenTokenExtraInfo.StolenFromEprocess;
2502 
2503  pHeader->Size += sizeof(*pObject);
2504  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
2505 
2506  IntSerializeWinProcess(IntWinProcFindObjectByEprocess(pObject->StolenFrom), intObjWinProcess);
2507 }
2508 
2509 
2510 static void
2511 IntSerializeDpiWinHeapSpray(
2512  _In_ const EXCEPTION_UM_ORIGINATOR *Originator,
2513  _In_ const EXCEPTION_VICTIM_ZONE *Victim
2514  )
2521 {
2522 #define DPI_WIN_HEAP_SPRAY_SERIALIZER_VERSION 1
2523 
2524  UNREFERENCED_PARAMETER(Victim);
2525 
2526  WORD maxNumberOfHeapVals = 0;
2527  DWORD detectedPage = 0;
2528  DWORD maxPageHeapVals = 0;
2529 
2530  WIN_PROCESS_OBJECT *pProcess = Originator->WinProc;
2531  if (!pProcess)
2532  {
2533  return;
2534  }
2535 
2536  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(DPI_WIN_HEAP_SPRAY_SERIALIZER_VERSION, intObjDpiWinHeapSpray);
2537  if (!pHeader)
2538  {
2539  return;
2540  }
2541 
2542  SERIALIZER_DPI_WIN_HEAP_SPRAY *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
2543  if (!pObject)
2544  {
2545  return;
2546  }
2547 
2548  pObject->ShellcodeFlags = pProcess->DpiExtraInfo.DpiHeapSprayExtraInfo.ShellcodeFlags;
2549 
2550  for (DWORD val = 1; val <= HEAP_SPRAY_NR_PAGES; val++)
2551  {
2552  DWORD checkedPage = ((val << 24) | (val << 16) | (val << 8) | val) & PAGE_MASK;
2553 
2554  pObject->HeapPages[val - 1].Mapped = pProcess->DpiExtraInfo.DpiHeapSprayExtraInfo.HeapPages[val - 1].Mapped;
2555  pObject->HeapPages[val - 1].Detected = pProcess->DpiExtraInfo.DpiHeapSprayExtraInfo.HeapPages[val - 1].Detected;
2556  pObject->HeapPages[val - 1].HeapValCount =
2557  pProcess->DpiExtraInfo.DpiHeapSprayExtraInfo.HeapPages[val - 1].HeapValCount;
2558  pObject->HeapPages[val - 1].Offset = pProcess->DpiExtraInfo.DpiHeapSprayExtraInfo.HeapPages[val - 1].Offset;
2559  pObject->HeapPages[val - 1].Executable =
2560  pProcess->DpiExtraInfo.DpiHeapSprayExtraInfo.HeapPages[val - 1].Executable;
2561 
2562  if (pProcess->DpiExtraInfo.DpiHeapSprayExtraInfo.HeapPages[val - 1].Detected)
2563  {
2564  detectedPage = checkedPage;
2565  }
2566 
2567  // Use >= so that we are sure that we will get at least one page even if there are no heap values.
2568  if (pProcess->DpiExtraInfo.DpiHeapSprayExtraInfo.HeapPages[val - 1].HeapValCount >= maxNumberOfHeapVals &&
2569  pProcess->DpiExtraInfo.DpiHeapSprayExtraInfo.HeapPages[val - 1].Mapped)
2570  {
2571  maxNumberOfHeapVals = (WORD)pProcess->DpiExtraInfo.DpiHeapSprayExtraInfo.HeapPages[val - 1].HeapValCount;
2572  maxPageHeapVals = checkedPage;
2573  }
2574  }
2575 
2576  // At this point we might not have any detected page, but only pages exceeding the max heap values heuristic,
2577  // so don't bother to complete it if not needed.
2578  if (0 != detectedPage)
2579  {
2580  IntVirtMemRead(detectedPage, PAGE_SIZE, pProcess->Cr3, pObject->DetectedPage, NULL);
2581  }
2582 
2583  IntVirtMemRead(maxPageHeapVals, PAGE_SIZE, pProcess->Cr3, pObject->MaxHeapValPageContent, NULL);
2584 
2585  pHeader->Size += sizeof(*pObject);
2586  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
2587 }
2588 
2589 
2590 static void
2591 IntSerializeDpiWinTokenPrivs(
2592  _In_ const EXCEPTION_UM_ORIGINATOR *Originator,
2593  _In_ const EXCEPTION_VICTIM_ZONE *Victim
2594  )
2601 {
2602 #define DPI_WIN_TOKEN_PRIVS_SERIALIZER_VERSION 1
2603 
2604  UNREFERENCED_PARAMETER(Victim);
2605 
2606  WIN_PROCESS_OBJECT *pProcess = Originator->WinProc;
2607  if (!pProcess)
2608  {
2609  return;
2610  }
2611 
2612  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(DPI_WIN_TOKEN_PRIVS_SERIALIZER_VERSION,
2613  intObjDpiWinTokenPrivs);
2614  if (!pHeader)
2615  {
2616  return;
2617  }
2618 
2619  SERIALIZER_DPI_WIN_TOKEN_PRIVS *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
2620  if (!pObject)
2621  {
2622  return;
2623  }
2624 
2625  pObject->OldEnabled = pProcess->DpiExtraInfo.DpiTokenPrivsExtraInfo.OldEnabled;
2626  pObject->OldPresent = pProcess->DpiExtraInfo.DpiTokenPrivsExtraInfo.OldPresent;
2627  pObject->NewEnabled = pProcess->DpiExtraInfo.DpiTokenPrivsExtraInfo.NewEnabled;
2628  pObject->NewPresent = pProcess->DpiExtraInfo.DpiTokenPrivsExtraInfo.NewPresent;
2629 
2630  pHeader->Size += sizeof(*pObject);
2631  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
2632 }
2633 
2634 
2635 static void
2636 IntSerializeDpiWinThreadStart(
2637  _In_ const EXCEPTION_UM_ORIGINATOR *Originator,
2638  _In_ const EXCEPTION_VICTIM_ZONE *Victim
2639  )
2646 {
2647 #define DPI_WIN_THREAD_START_SERIALIZER_VERSION 1
2648  UNREFERENCED_PARAMETER(Victim);
2649 
2650  WIN_PROCESS_OBJECT *pProcess = Originator->WinProc;
2651  if (!pProcess)
2652  {
2653  return;
2654  }
2655 
2656  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(DPI_WIN_THREAD_START_SERIALIZER_VERSION,
2657  intObjDpiWinThreadStart);
2658  if (!pHeader)
2659  {
2660  return;
2661  }
2662 
2663  SERIALIZER_DPI_WIN_THREAD_START *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
2664  if (!pObject)
2665  {
2666  return;
2667  }
2668 
2669  pObject->ShellcodeFlags = pProcess->DpiExtraInfo.DpiThreadStartExtraInfo.ShellcodeFlags;
2670  pObject->StartAddress = pProcess->DpiExtraInfo.DpiThreadStartExtraInfo.StartAddress;
2671 
2672  IntVirtMemRead(pProcess->DpiExtraInfo.DpiThreadStartExtraInfo.StartAddress & PAGE_MASK, PAGE_SIZE, pProcess->Cr3,
2673  pObject->StartPage, NULL);
2674 
2675  pHeader->Size += sizeof(*pObject);
2676  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
2677 }
2678 
2679 
2680 static void
2681 IntSerializeWinDpiInfo(
2682  const _In_ EXCEPTION_UM_ORIGINATOR *Originator,
2683  const _In_ EXCEPTION_VICTIM_ZONE *Victim
2684  )
2691 {
2692  switch (Originator->PcType)
2693  {
2694  case INT_PC_VIOLATION_DPI_DEBUG_FLAG:
2695  IntSerializeDpiWinDebug(Originator, Victim);
2696  break;
2697 
2698  case INT_PC_VIOLATION_DPI_PIVOTED_STACK:
2699  IntSerializeDpiWinPivotedStack(Originator, Victim);
2700  break;
2701 
2702  case INT_PC_VIOLATION_DPI_STOLEN_TOKEN:
2703  IntSerializeDpiWinStolenToken(Originator, Victim);
2704  break;
2705 
2706  case INT_PC_VIOLATION_DPI_HEAP_SPRAY:
2707  IntSerializeDpiWinHeapSpray(Originator, Victim);
2708  break;
2709 
2710  case INT_PC_VIOLATION_DPI_TOKEN_PRIVS:
2711  IntSerializeDpiWinTokenPrivs(Originator, Victim);
2712  break;
2713 
2714  case INT_PC_VIOLATION_DPI_THREAD_START:
2715  IntSerializeDpiWinThreadStart(Originator, Victim);
2716  break;
2717 
2718  default:
2719  break;
2720  }
2721 }
2722 
2723 
2724 static void
2725 IntSerializeDpi(
2726  _In_ const EXCEPTION_UM_ORIGINATOR *Originator
2727  )
2733 {
2734 #define DPI_SERIALIZER_VERSION 1
2735 
2736  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(DPI_SERIALIZER_VERSION, intObjDpi);
2737  if (!pHeader)
2738  {
2739  return;
2740  }
2741 
2742  SERIALIZER_DPI *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
2743  if (!pObject)
2744  {
2745  return;
2746  }
2747 
2748  pObject->Flags = Originator->PcType;
2749 
2750  pHeader->Size += sizeof(*pObject);
2751  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
2752 }
2753 
2754 
2755 static void
2756 IntSerializeExport(
2757  _In_ const EXCEPTION_VICTIM_ZONE *Victim
2758  )
2764 {
2765  WINUM_CACHE_EXPORT *pExport = NULL;
2766 
2767  if (Victim->Object.Library.Export == NULL)
2768  {
2769  pExport = IntWinUmCacheGetExportFromRange(Victim->Object.Library.WinMod, Victim->Ept.Gva, 0x20);
2770  }
2771  else
2772  {
2773  pExport = Victim->Object.Library.Export;
2774  }
2775 
2776  if (!pExport)
2777  {
2778  return;
2779  }
2780 
2781 #define EXPORT_SERIALIZER_VERSION 1
2782 
2783  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(EXPORT_SERIALIZER_VERSION, intObjExport);
2784  if (!pHeader)
2785  {
2786  return;
2787  }
2788 
2789  SERIALIZER_EXPORT *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
2790  if (!pObject)
2791  {
2792  return;
2793  }
2794 
2795  pObject->Count = pExport->NumberOfOffsets;
2796  pObject->Delta = (DWORD)(Victim->Ept.Gva - Victim->Object.Library.WinMod->VirtualBase - pExport->Rva);
2797 
2798  pHeader->Size = sizeof(*pObject);
2799  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
2800 
2801  for (DWORD index = 0; index < pExport->NumberOfOffsets; index++)
2802  {
2803  IntSerializeString(pExport->Names[index], pExport->NameLens[index], stringEncodeUtf8, pHeader);
2804  }
2805 }
2806 
2807 
2808 static void
2809 IntSerializeWinUmOriginator(
2810  _In_ const EXCEPTION_UM_ORIGINATOR *Originator,
2811  _In_ const EXCEPTION_VICTIM_ZONE *Victim
2812  )
2819 {
2820  UNREFERENCED_PARAMETER(Victim);
2821 
2822  IntSerializeProcess(Originator->Process, intObjWinProcess);
2823  IntSerializeProcess(IntWinProcFindObjectByEprocess(Originator->WinProc->ParentEprocess), intObjWinProcessParent);
2824 
2825  IntSerializeWinModule(Originator->WinLib, intObjWinModule);
2826 
2827  if (Originator->Return.Library && Originator->Return.Rip != Originator->Rip)
2828  {
2829  IntSerializeWinModule(Originator->Return.WinLib, intObjWinModuleReturn);
2830  }
2831 }
2832 
2833 
2834 void
2835 IntSerializeLixUmOriginator(
2836  _In_ const EXCEPTION_UM_ORIGINATOR *Originator,
2837  _In_ const EXCEPTION_VICTIM_ZONE *Victim
2838  )
2845 {
2846  UNREFERENCED_PARAMETER(Victim);
2847 
2848  IntSerializeProcess(Originator->Process, intObjLixProcess);
2849  IntSerializeProcess(IntLixTaskFindByGva(Originator->LixProc->Parent), intObjLixProcessParent);
2850 
2851  IntSerializeInstruction(Originator->Instruction, Originator->Rip);
2852  IntSerializeCodeBlocks(Originator->Rip, Originator->LixProc->Cr3, Originator->Execute);
2853 }
2854 
2855 
2856 static void
2857 IntSerializeUmOriginator(
2858  _In_ const EXCEPTION_UM_ORIGINATOR *Originator,
2859  _In_ const EXCEPTION_VICTIM_ZONE *Victim
2860  )
2867 {
2868 
2869 #define START_ORIGINATOR_SERIALZIER_VERSION 1
2870 #define END_ORIGINATOR_SERIALZIER_VERSION 1
2871 
2872  IntSerializeObjectHeader(START_ORIGINATOR_SERIALZIER_VERSION, intObjStartOriginator);
2873 
2874  if (gGuest.OSType == introGuestLinux)
2875  {
2876  IntSerializeLixUmOriginator(Originator, Victim);
2877  }
2878  else if (gGuest.OSType == introGuestWindows)
2879  {
2880  IntSerializeWinUmOriginator(Originator, Victim);
2881  }
2882 
2883  IntSerializeObjectHeader(END_ORIGINATOR_SERIALZIER_VERSION, intObjEndOriginator);
2884 }
2885 
2886 
2887 static void
2888 IntSerializeLixUmVictim(
2889  _In_ const EXCEPTION_UM_ORIGINATOR *Originator,
2890  _In_ const EXCEPTION_VICTIM_ZONE *Victim
2891  )
2898 {
2899 #define LIX_VICTIM_SERIALIZER_VERSION 1
2900 
2901  UNREFERENCED_PARAMETER(Originator);
2902 
2903  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(LIX_VICTIM_SERIALIZER_VERSION, intObjVictim);
2904  if (!pHeader)
2905  {
2906  return;
2907  }
2908 
2909  SERIALIZER_EXCEPTION_VICTIM *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
2910  if (!pObject)
2911  {
2912  return;
2913  }
2914 
2915  pObject->Type = Victim->Object.Type;
2916  pObject->ZoneType = Victim->ZoneType;
2917  pObject->ZoneFlags = Victim->ZoneFlags;
2918 
2919  pHeader->Size = sizeof(*pObject);
2920  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
2921 
2922  IntSerializeProcess(Victim->Object.Process, intObjLixProcess);
2923  IntSerializeProcess(IntLixTaskFindByGva(Victim->Object.LixProc->Parent), intObjLixProcessParent);
2924 
2925  IntSerializeVad(Victim->Object.Vad);
2926 }
2927 
2928 
2929 static void
2930 IntSerializeWinUmVictim(
2931  _In_ const EXCEPTION_UM_ORIGINATOR *Originator,
2932  _In_ const EXCEPTION_VICTIM_ZONE *Victim
2933  )
2940 {
2941 #define WIN_VICTIM_SERIALIZER_VERSION 1
2942  UNREFERENCED_PARAMETER(Originator);
2943 
2944  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(WIN_VICTIM_SERIALIZER_VERSION, intObjVictim);
2945  if (!pHeader)
2946  {
2947  return;
2948  }
2949 
2950  SERIALIZER_EXCEPTION_VICTIM *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
2951  if (!pObject)
2952  {
2953  return;
2954  }
2955 
2956  pObject->Type = Victim->Object.Type;
2957  pObject->ZoneType = Victim->ZoneType;
2958  pObject->ZoneFlags = Victim->ZoneFlags;
2959 
2960  pHeader->Size = sizeof(*pObject);
2961  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
2962 
2963  if ((Victim->ZoneType == exceptionZoneProcess) ||
2964  (Victim->Object.Type == introObjectTypeUmGenericNxZone) ||
2965  (Victim->Object.Type == introObjectTypeSharedUserData))
2966  {
2967  IntSerializeProcess(Victim->Object.Process, intObjWinProcess);
2968  IntSerializeProcess(IntWinProcFindObjectByEprocess(Victim->Object.WinProc->ParentEprocess),
2969  intObjWinProcessParent);
2970 
2971  IntSerializeWinModule(Victim->Object.Library.WinMod, intObjWinModule);
2972  IntSerializeVad(Victim->Object.Vad);
2973  }
2974  else if (Victim->Object.Type == introObjectTypeUmModule)
2975  {
2976  IntSerializeProcess(Victim->Object.Process, intObjWinProcess);
2977  IntSerializeWinModule(Victim->Object.Library.WinMod, intObjWinModule);
2978  }
2979 }
2980 
2981 
2982 static void
2983 IntSerializeWinUmMisc(
2984  _In_ const EXCEPTION_UM_ORIGINATOR *Originator,
2985  _In_ const EXCEPTION_VICTIM_ZONE *Victim
2986  )
2993 {
2994  UNREFERENCED_PARAMETER(Originator);
2995 
2996  if ((Victim->ZoneType == exceptionZoneProcess) ||
2997  (Victim->Object.Type == introObjectTypeUmGenericNxZone) ||
2998  (Victim->Object.Type == introObjectTypeSharedUserData))
2999  {
3000  if (Victim->ZoneType == exceptionZoneProcess)
3001  {
3002  IntSerializeInjection(&Victim->Injection, Victim);
3003  IntSerializeRawDump(Originator, Victim);
3004  }
3005  else
3006  {
3007  IntSerializeEpt(&Victim->Ept, Victim);
3008  IntSerializeAccessInfo(Victim);
3009  }
3010  }
3011  else if (Victim->Object.Type == introObjectTypeUmModule)
3012  {
3013  IntSerializeInstruction(Originator->Instruction, Originator->Rip);
3014  IntSerializeExport(Victim);
3015  IntSerializeAccessInfo(Victim);
3016  IntSerializeEpt(&Victim->Ept, Victim);
3017  }
3018 
3019  if (Originator->PcType)
3020  {
3021  IntSerializeDpi(Originator);
3022  IntSerializeWinDpiInfo(Originator, Victim);
3023  }
3024 
3025  IntSerializeCodeBlocks(Originator->Rip, Originator->WinProc->Cr3, Originator->Execute);
3026  IntSerializeRipCode();
3027 }
3028 
3029 
3030 static void
3031 IntSerializeLixUmMisc(
3032  _In_ const EXCEPTION_UM_ORIGINATOR *Originator,
3033  _In_ const EXCEPTION_VICTIM_ZONE *Victim
3034  )
3041 {
3042  UNREFERENCED_PARAMETER(Originator);
3043 
3044  if (Victim->ZoneType == exceptionZoneProcess)
3045  {
3046  IntSerializeInjection(&Victim->Injection, Victim);
3047  IntSerializeRawDump(Originator, Victim);
3048 
3049  if (Originator->PcType)
3050  {
3051  IntSerializeDpi(Originator);
3052  }
3053  }
3054  else
3055  {
3056  IntSerializeEpt(&Victim->Ept, Victim);
3057  IntSerializeAccessInfo(Victim);
3058  }
3059 
3060  IntSerializeCodeBlocks(Originator->Rip, Originator->LixProc->Cr3, Originator->Execute);
3061  IntSerializeRipCode();
3062 }
3063 
3064 
3065 static void
3066 IntSerializeUmMisc(
3067  _In_ const EXCEPTION_UM_ORIGINATOR *Originator,
3068  _In_ const EXCEPTION_VICTIM_ZONE *Victim
3069  )
3076 {
3077 #define START_MISC_SERIALZIER_VERSION 1
3078 #define END_MISC_SERIALZIER_VERSION 1
3079 
3080  IntSerializeObjectHeader(START_MISC_SERIALZIER_VERSION, intObjStartMisc);
3081 
3082  if (gGuest.OSType == introGuestLinux)
3083  {
3084  IntSerializeLixUmMisc(Originator, Victim);
3085  }
3086  else if (gGuest.OSType == introGuestWindows)
3087  {
3088  IntSerializeWinUmMisc(Originator, Victim);
3089  }
3090 
3091  IntSerializeObjectHeader(END_MISC_SERIALZIER_VERSION, intObjEndMisc);
3092 }
3093 
3094 
3095 static void
3096 IntSerializeUmVictim(
3097  _In_ const EXCEPTION_UM_ORIGINATOR *Originator,
3098  _In_ const EXCEPTION_VICTIM_ZONE *Victim
3099  )
3106 {
3107 #define START_VICTIM_SERIALZIER_VERSION 1
3108 #define END_VICTIM_SERIALZIER_VERSION 1
3109 
3110  IntSerializeObjectHeader(START_VICTIM_SERIALZIER_VERSION, intObjStartVictim);
3111 
3112  if (gGuest.OSType == introGuestLinux)
3113  {
3114  IntSerializeLixUmVictim(Originator, Victim);
3115  }
3116  else if (gGuest.OSType == introGuestWindows)
3117  {
3118  IntSerializeWinUmVictim(Originator, Victim);
3119  }
3120 
3121  IntSerializeObjectHeader(END_VICTIM_SERIALZIER_VERSION, intObjEndVictim);
3122 }
3123 
3124 
3125 void
3126 IntSerializeWinKmOriginator(
3127  _In_ const EXCEPTION_KM_ORIGINATOR *Originator,
3128  _In_ const EXCEPTION_VICTIM_ZONE *Victim
3129  )
3136 {
3137 #define KM_ORIGINATOR_SERIALZIER_VERSION 1
3138 
3139  UNREFERENCED_PARAMETER(Victim);
3140 
3141  IntSerializeKernelDriver(Originator, NULL, intObjKernelDriver);
3142  IntSerializeKernelDriver(Originator, NULL, intObjKernelDriverReturn);
3143 }
3144 
3145 
3146 void
3147 IntSerializeLixKmOriginator(
3148  _In_ const EXCEPTION_KM_ORIGINATOR *Originator,
3149  _In_ const EXCEPTION_VICTIM_ZONE *Victim
3150  )
3157 {
3158 #define KM_ORIGINATOR_SERIALZIER_VERSION 1
3159 
3160  UNREFERENCED_PARAMETER(Victim);
3161 
3162  IntSerializeKernelDriver(Originator, NULL, intObjKernelDriver);
3163  IntSerializeKernelDriver(Originator, NULL, intObjKernelDriverReturn);
3164 
3165  IntSerializeInstruction(Originator->Instruction, Originator->Original.Rip);
3166 }
3167 
3168 
3169 void
3170 IntSerializeKmOriginator(
3171  _In_ const EXCEPTION_KM_ORIGINATOR *Originator,
3172  _In_ const EXCEPTION_VICTIM_ZONE *Victim
3173  )
3180 {
3181  IntSerializeObjectHeader(START_ORIGINATOR_SERIALZIER_VERSION, intObjStartOriginator);
3182 
3183  if (gGuest.OSType == introGuestLinux)
3184  {
3185  IntSerializeLixKmOriginator(Originator, Victim);
3186  }
3187  else if (gGuest.OSType == introGuestWindows)
3188  {
3189  IntSerializeWinKmOriginator(Originator, Victim);
3190  }
3191 
3192  IntSerializeObjectHeader(END_ORIGINATOR_SERIALZIER_VERSION, intObjEndOriginator);
3193 }
3194 
3195 
3196 static void
3197 IntSerializeWinKmVictim(
3198  _In_ const EXCEPTION_KM_ORIGINATOR *Originator,
3199  _In_ const EXCEPTION_VICTIM_ZONE *Victim
3200  )
3207 {
3208 #define WIN_KM_VICTIM_SERIALIZER_VERSION 1
3209 
3210  UNREFERENCED_PARAMETER(Originator);
3211 
3212  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(WIN_KM_VICTIM_SERIALIZER_VERSION, intObjVictim);
3213  if (!pHeader)
3214  {
3215  return;
3216  }
3217 
3218  SERIALIZER_EXCEPTION_VICTIM *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
3219  if (!pObject)
3220  {
3221  return;
3222  }
3223 
3224  pObject->Type = Victim->Object.Type;
3225  pObject->ZoneType = Victim->ZoneType;
3226  pObject->ZoneFlags = Victim->ZoneFlags;
3227 
3228  pHeader->Size = sizeof(*pObject);
3229  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
3230 
3231  switch (Victim->ZoneType)
3232  {
3233  case exceptionZoneCr:
3234  IntSerializeCr(&Victim->Cr);
3235  break;
3236 
3237  case exceptionZoneMsr:
3238  IntSerializeMsr(&Victim->Msr);
3239  break;
3240 
3241  case exceptionZoneDtr:
3242  IntSerializeDtr(&Victim->Dtr);
3243  break;
3244  case exceptionZoneEpt:
3245  IntSerializeEpt(&Victim->Ept, Victim);
3246  break;
3247 
3248  default:
3249  break;
3250  }
3251 
3252  switch (Victim->Object.Type)
3253  {
3254  case introObjectTypeIdt:
3255  IntSerializeIdt(Victim);
3256  break;
3257 
3258  case introObjectTypeSsdt:
3259  case introObjectTypeVeAgent:
3260  case introObjectTypeKmModule:
3261  IntSerializeKernelDriver(NULL, Victim->Object.Module.Module, intObjKernelDriver);
3262  break;
3263 
3264  case introObjectTypeDriverObject:
3265  case introObjectTypeFastIoDispatch:
3266  IntSerializeKernelDrvObject(Victim->Object.DriverObject);
3267  break;
3268 
3269  default:
3270  break;
3271  }
3272 }
3273 
3274 
3275 static void
3276 IntSerializeLixKmVictim(
3277  _In_ const EXCEPTION_KM_ORIGINATOR *Originator,
3278  _In_ const EXCEPTION_VICTIM_ZONE *Victim
3279  )
3286 
3287 {
3288 #define LIX_KM_VICTIM_SERIALIZER_VERSION 1
3289 
3290  UNREFERENCED_PARAMETER(Originator);
3291 
3292  SERIALIZER_OBJECT_HEADER *pHeader = IntSerializeObjectHeader(LIX_KM_VICTIM_SERIALIZER_VERSION, intObjVictim);
3293  if (!pHeader)
3294  {
3295  return;
3296  }
3297 
3298  SERIALIZER_EXCEPTION_VICTIM *pObject = IntSerializeCurrentPtr(sizeof(*pObject));
3299  if (!pObject)
3300  {
3301  return;
3302  }
3303 
3304  pObject->Type = Victim->Object.Type;
3305  pObject->ZoneType = Victim->ZoneType;
3306  pObject->ZoneFlags = Victim->ZoneFlags;
3307 
3308  pHeader->Size = sizeof(*pObject);
3309  IntSerializeIncrementCurrentPtr(sizeof(*pObject));
3310 
3311  switch (Victim->ZoneType)
3312  {
3313  case exceptionZoneCr:
3314  IntSerializeCr(&Victim->Cr);
3315  break;
3316 
3317  case exceptionZoneMsr:
3318  IntSerializeMsr(&Victim->Msr);
3319  break;
3320 
3321  case exceptionZoneDtr:
3322  IntSerializeDtr(&Victim->Dtr);
3323  break;
3324 
3325  case exceptionZoneEpt:
3326  IntSerializeEpt(&Victim->Ept, Victim);
3327  break;
3328 
3329  default:
3330  break;
3331  }
3332 
3333  switch (Victim->Object.Type)
3334  {
3335  case introObjectTypeVdso:
3336  case introObjectTypeVsyscall:
3337  case introObjectTypeKmModule:
3338  IntSerializeKernelDriver(NULL, Victim->Object.Module.Module, intObjKernelDriver);
3339  break;
3340 
3341  default:
3342  break;
3343  }
3344 }
3345 
3346 
3347 static void
3348 IntSerializeKmVictim(
3349  _In_ const EXCEPTION_KM_ORIGINATOR *Originator,
3350  _In_ const EXCEPTION_VICTIM_ZONE *Victim
3351  )
3358 
3359 {
3360  IntSerializeObjectHeader(START_VICTIM_SERIALZIER_VERSION, intObjStartVictim);
3361 
3362  if (gGuest.OSType == introGuestLinux)
3363  {
3364  IntSerializeLixKmVictim(Originator, Victim);
3365  }
3366  else if (gGuest.OSType == introGuestWindows)
3367  {
3368  IntSerializeWinKmVictim(Originator, Victim);
3369  }
3370 
3371  IntSerializeObjectHeader(END_VICTIM_SERIALZIER_VERSION, intObjEndVictim);
3372 }
3373 
3374 
3375 static void
3376 IntSerializeLixKmMisc(
3377  _In_ const EXCEPTION_KM_ORIGINATOR *Originator,
3378  _In_ const EXCEPTION_VICTIM_ZONE *Victim
3379  )
3386 {
3387  IntSerializeCodeBlocks(Originator->Original.Rip, gGuest.Mm.SystemCr3, FALSE);
3388  IntSerializeCodeBlocks(Originator->Return.Rip, gGuest.Mm.SystemCr3, FALSE);
3389 
3390  IntSerializeInstruction(Originator->Instruction, Originator->Original.Rip);
3391  IntSerializeAccessInfo(Victim);
3392 
3393  IntSerializeArchRegs();
3394  IntSerializeRipCode();
3395 }
3396 
3397 
3398 static void
3399 IntSerializeWinKmMisc(
3400  _In_ const EXCEPTION_KM_ORIGINATOR *Originator,
3401  _In_ const EXCEPTION_VICTIM_ZONE *Victim
3402  )
3409 {
3410 
3411  IntSerializeCodeBlocks(Originator->Original.Rip, gGuest.Mm.SystemCr3, FALSE);
3412  IntSerializeCodeBlocks(Originator->Return.Rip, gGuest.Mm.SystemCr3, FALSE);
3413 
3414  IntSerializeInstruction(Originator->Instruction, Originator->Original.Rip);
3415  IntSerializeAccessInfo(Victim);
3416 
3417  IntSerializeEpt(&Victim->Ept, Victim);
3418 
3419  IntSerializeArchRegs();
3420  IntSerializeRipCode();
3421 
3422  if (Victim->Object.Type == introObjectTypeUmModule)
3423  {
3424  IntSerializeExport(Victim);
3425  }
3426 }
3427 
3428 
3429 static void
3430 IntSerializeKmMisc(
3431  _In_ const EXCEPTION_KM_ORIGINATOR *Originator,
3432  _In_ const EXCEPTION_VICTIM_ZONE *Victim
3433  )
3440 {
3441 #define START_MISC_SERIALZIER_VERSION 1
3442 #define END_MISC_SERIALZIER_VERSION 1
3443 
3444  UNREFERENCED_PARAMETER(Originator);
3445  UNREFERENCED_PARAMETER(Victim);
3446 
3447  IntSerializeObjectHeader(START_MISC_SERIALZIER_VERSION, intObjStartMisc);
3448 
3449  if (gGuest.OSType == introGuestLinux)
3450  {
3451  IntSerializeLixKmMisc(Originator, Victim);
3452  }
3453  else if (gGuest.OSType == introGuestWindows)
3454  {
3455  IntSerializeWinKmMisc(Originator, Victim);
3456  }
3457 
3458  IntSerializeObjectHeader(END_MISC_SERIALZIER_VERSION, intObjEndMisc);
3459 }
3460 
3461 
3462 static void
3463 IntSerializeHeader(
3464  _In_ SERIALIZER_EXCEPTION_TYPE SerializerType,
3465  _In_ INTRO_EVENT_TYPE EventClass
3466  )
3473 {
3474  SERIALIZER_HEADER *pHeader = IntSerializeCurrentPtr(sizeof(*pHeader));
3475  if (!pHeader)
3476  {
3477  return;
3478  }
3479 
3480  pHeader->SerializedType = SerializerType;
3481  pHeader->Guest = gGuest.OSType;
3482  pHeader->Event = EventClass;
3483  pHeader->Size = 0;
3484  pHeader->Arch = gGuest.Guest64;
3485 
3486  IntSerializeIncrementCurrentPtr(sizeof(*pHeader));
3487 }
3488 
3489 
3490 static void
3491 IntSerializeKmException(
3492  _In_ const void *Originator,
3493  _In_ const void *Victim,
3494  _In_ INTRO_EVENT_TYPE EventClass
3495  )
3503 {
3504  IntSerializeHeader(serializerExceptionTypeKm, EventClass);
3505 
3506  IntSerializeKmOriginator(Originator, Victim);
3507  IntSerializeKmVictim(Originator, Victim);
3508  IntSerializeKmMisc(Originator, Victim);
3509 }
3510 
3511 
3512 static void
3513 IntSerializeUmException(
3514  _In_ const void *Originator,
3515  _In_ const void *Victim,
3516  _In_ INTRO_EVENT_TYPE EventClass
3517  )
3525 {
3526  IntSerializeHeader(serializerExceptionTypeUm, EventClass);
3527 
3528  IntSerializeUmOriginator(Originator, Victim);
3529  IntSerializeUmVictim(Originator, Victim);
3530  IntSerializeUmMisc(Originator, Victim);
3531 }
3532 
3533 
3534 static void
3535 IntSerializeKernelUserException(
3536  _In_ const void *Originator,
3537  _In_ const void *Victim,
3538  _In_ INTRO_EVENT_TYPE EventClass
3539  )
3547 {
3548  IntSerializeHeader(serializerExceptionTypeKmUm, EventClass);
3549 
3550  IntSerializeKmOriginator(Originator, Victim);
3551  IntSerializeUmVictim(Originator, Victim);
3552  IntSerializeKmMisc(Originator, Victim);
3553 }
3554 
3555 void
3556 IntSerializeStart(
3557  void
3558  )
3562 {
3563  IntSerializeIncrementCurrentId();
3564  gCurrentPtr = gSerializerBuffer;
3565 }
3566 
3567 
3568 void
3569 IntSerializeException(
3570  _In_ void *Victim,
3571  _In_ void *Originator,
3572  _In_ DWORD Type,
3573  _In_ INTRO_ACTION Action,
3574  _In_ INTRO_ACTION_REASON Reason,
3575  _In_ INTRO_EVENT_TYPE EventClass
3576  )
3590 {
3591  if ((introGuestNotAllowed != Action) && (introReasonAllowedFeedback != Reason))
3592  {
3593  return;
3594  }
3595 
3596  IntSerializeStart();
3597 
3598  switch (Type)
3599  {
3600  case exceptionTypeKm:
3601  IntSerializeKmException(Originator, Victim, EventClass);
3602  break;
3603 
3604  case exceptionTypeUm:
3605  IntSerializeUmException(Originator, Victim, EventClass);
3606  break;
3607 
3608  case exceptionTypeKmUm:
3609  IntSerializeKernelUserException(Originator, Victim, EventClass);
3610  break;
3611 
3612  default:
3613  ERROR("[ERROR] Unsupported exception type (%d) ...", Type);
3614  }
3615 
3616  IntSerializeDump();
3617 }
SERIALIZER_WIN_PROCESS
struct _SERIALIZER_WIN_PROCESS SERIALIZER_WIN_PROCESS
Describes a serialized intObjWinProcess object.
IntSerializeLixVma
static void IntSerializeLixVma(const LIX_VMA *Vma)
Serialize the provided LIX_VMA object.
Definition: serializers.c:1353
PSERIALIZER_WIN_VAD
struct _SERIALIZER_WIN_VAD * PSERIALIZER_WIN_VAD
_SERIALIZER_ARCH_REGS::Flags
QWORD Flags
Definition: serializers.c:315
DPI_WIN_DEBUG_SERIALIZER_VERSION
#define DPI_WIN_DEBUG_SERIALIZER_VERSION
_In_opt_
#define _In_opt_
Definition: intro_sal.h:16
CODE_BLOCKS_SERIALIZER_VERSION
#define CODE_BLOCKS_SERIALIZER_VERSION
_SERIALIZER_ARCH_REGS::IdtBase
QWORD IdtBase
Definition: serializers.c:322
SERIALIZER_ARCH_REGS
struct _SERIALIZER_ARCH_REGS SERIALIZER_ARCH_REGS
Describes a serialized intObjArchRegs object.
_SERIALIZER_LIX_VMA::Gva
QWORD Gva
The guest virtual address of the vm_area_struct this structure is based on.
Definition: serializers.c:191
intObjWinProcess
Used for the windows process object.
Definition: serializers.c:532
IntSerializeWinDpiInfo
static void IntSerializeWinDpiInfo(const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the DPI extra information.
Definition: serializers.c:2681
_SERIALIZER_WIN_PROCESS::UserCr3
QWORD UserCr3
Process user PDBR. Includes PCID.
Definition: serializers.c:174
PSERIALIZER_DPI_WIN_HEAP_SPRAY
struct _SERIALIZER_DPI_WIN_HEAP_SPRAY * PSERIALIZER_DPI_WIN_HEAP_SPRAY
SERIALIZER_EXCEPTION_VICTIM
struct _SERIALIZER_EXCEPTION_VICTIM SERIALIZER_EXCEPTION_VICTIM
Describes a serialized intObjVictim object.
INTRO_ACTION_REASON
enum _INTRO_ACTION_REASON INTRO_ACTION_REASON
The reason for which an INTRO_ACTION was taken.
DESCRIPTOR_SIZE_32
#define DESCRIPTOR_SIZE_32
Definition: processor.h:101
intObjIdt
Used for the IDT object.
Definition: serializers.c:528
IntSerializeString
static void IntSerializeString(const void *String, DWORD Size, DWORD Encode, SERIALIZER_OBJECT_HEADER *Header)
Serialize the provided string.
Definition: serializers.c:841
PSERIALIZER_DPI_WIN_THREAD_START
struct _SERIALIZER_DPI_WIN_THREAD_START * PSERIALIZER_DPI_WIN_THREAD_START
_IG_ARCH_REGS::Rip
QWORD Rip
Definition: glueiface.h:51
_SERIALIZER_ARCH_REGS::IdtLimit
QWORD IdtLimit
Definition: serializers.c:323
_SERIALIZER_RAW_DUMP
Describes a serialized intObjRawDump object.
Definition: serializers.c:390
BOOLEAN
_Bool BOOLEAN
Definition: intro_types.h:58
_Out_
#define _Out_
Definition: intro_sal.h:22
EXPORT_SERIALIZER_VERSION
#define EXPORT_SERIALIZER_VERSION
_SERIALIZER_MSR
Describes a serialized intObjMsr object.
Definition: serializers.c:104
IntSerializeLixKmOriginator
void IntSerializeLixKmOriginator(const EXCEPTION_KM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the information about Linux kernel-mode originator.
Definition: serializers.c:3147
PSERIALIZER_DPI
struct _SERIALIZER_DPI * PSERIALIZER_DPI
_SERIALIZER_STRING
Describes a serialized string.
Definition: serializers.c:54
_SERIALIZER_DPI_WIN_THREAD_START::StartAddress
QWORD StartAddress
The address where the thread started executing.
Definition: serializers.c:457
_SERIALIZER_WIN_PROCESS::Flags
QWORD Flags
The protection flags.
Definition: serializers.c:179
intObjVictim
Used for the victim object.
Definition: serializers.c:522
_SERIALIZER_LIX_VMA::File
QWORD File
The guest virtual address of the file this VMA maps to.
Definition: serializers.c:193
HEAP_SPRAY_NR_PAGES
#define HEAP_SPRAY_NR_PAGES
Definition: windpi.h:22
_SERIALIZER_HEADER
Describes the header of the serializer buffer.
Definition: serializers.c:30
utf16toutf8
char * utf16toutf8(char *Destination, const WCHAR *Source, DWORD DestinationMaxLength)
Definition: introcrt.c:460
IntVirtMemUnmap
INTSTATUS IntVirtMemUnmap(void **HostPtr)
Unmaps a memory range previously mapped with IntVirtMemMap.
Definition: introcore.c:2234
_SERIALIZER_ARCH_REGS::R10
QWORD R10
Definition: serializers.c:308
IntSerializeRipCode
static void IntSerializeRipCode(void)
Serialize the guest memory page that contains the RIP at which the violation attempt was detected...
Definition: serializers.c:1916
INT_PC_VIOLATION_DPI_HEAP_SPRAY
The creation of a process was attempted while the parent had its heap sprayed.
Definition: intro_types.h:1531
_SERIALIZER_LIX_PROCESS
Describes a serialized intObjLixProcess object.
Definition: serializers.c:151
_SERIALIZER_HEADER::Event
DWORD Event
The intro event type.
Definition: serializers.c:34
codeInsMovFsGs
A mov using a segment:offset.
Definition: codeblocks.h:37
introObjectTypeKmModule
Kernel module (ntoskrnl.exe, hal.dll, etc.)
Definition: intro_types.h:235
BYTE
uint8_t BYTE
Definition: intro_types.h:47
IG_EPT_HOOK_READ
Read-access hook.
Definition: glueiface.h:298
_SERIALIZER_DPI_WIN_DEBUG
Describes a serialized intObjDpiWinDebug.
Definition: serializers.c:411
IntFragExtractCodePattern
INTSTATUS IntFragExtractCodePattern(PBYTE Buffer, DWORD StartOffset, DWORD MaxBufferSize, IG_CS_TYPE CsType, CB_EXTRACT_LEVEL ExtractLevel, DWORD PatternSize, CODE_BLOCK_PATTERN *Pattern, DWORD *TotalExtracted)
Extract a pattern of code-blocks from the given code buffer.
Definition: codeblocks.c:990
_SERIALIZER_DPI_PIVOTED_STACK
Describes a serialized intObjDpiPivotedStack.
Definition: serializers.c:479
SERIALIZER_KERNEL_DRV_OBJECT
struct _SERIALIZER_KERNEL_DRV_OBJECT SERIALIZER_KERNEL_DRV_OBJECT
Describes a serialized intObjKernelDrvObject object.
_SERIALIZER_DPI_WIN_STOLEN_TOKEN::StolenFrom
QWORD StolenFrom
The process from which the token was stolen.
Definition: serializers.c:422
gCurrentPtr
static BYTE * gCurrentPtr
Definition: serializers.c:582
_VCPU_STATE::Regs
IG_ARCH_REGS Regs
The current state of the guest registers.
Definition: guests.h:95
_SERIALIZER_WIN_VAD::Flags
DWORD Flags
The flags of the VAD.
Definition: serializers.c:210
WRITE_INFO_SERIALIZER_VERSION
#define WRITE_INFO_SERIALIZER_VERSION
Crc32Compute
DWORD Crc32Compute(const void *Buffer, size_t Size, DWORD InitialCrc)
Computes the CRC for a byte array.
Definition: crc32.c:103
_In_
#define _In_
Definition: intro_sal.h:21
_SERIALIZER_ARCH_REGS::R9
QWORD R9
Definition: serializers.c:307
PSERIALIZER_IDT
struct _SERIALIZER_IDT * PSERIALIZER_IDT
PSERIALIZER_RAW_DUMP
struct _SERIALIZER_RAW_DUMP * PSERIALIZER_RAW_DUMP
CODE_BLOCK_PATTERN
struct _CODE_BLOCK_PATTERN CODE_BLOCK_PATTERN
PSERIALIZER_ARCH_REGS
struct _SERIALIZER_ARCH_REGS * PSERIALIZER_ARCH_REGS
_CODE_BLOCK::PivotInstruction
BYTE PivotInstruction
Definition: codeblocks.h:56
_MM::SystemCr3
QWORD SystemCr3
The Cr3 used to map the kernel.
Definition: guests.h:207
INT_STATUS_SUCCESS
#define INT_STATUS_SUCCESS
Definition: introstatus.h:54
introObjectTypeDriverObject
Driver object.
Definition: intro_types.h:234
_SERIALIZER_WIN_VAD::StartPage
QWORD StartPage
The first page in the VAD.
Definition: serializers.c:202
PSERIALIZER_KERNEL_DRIVER
struct _SERIALIZER_KERNEL_DRIVER * PSERIALIZER_KERNEL_DRIVER
IntSerializeCurrentId
static QWORD IntSerializeCurrentId(void)
Increment the current serializer alert ID and returns it.
Definition: serializers.c:682
introObjectTypeFastIoDispatch
Fast IO Dispatch (Windows only)
Definition: intro_types.h:233
_SERIALIZER_EXCEPTION_VICTIM
Describes a serialized intObjVictim object.
Definition: serializers.c:82
intObjKernelDrvObject
Used for the windows driver obj object.
Definition: serializers.c:543
WORD
uint16_t WORD
Definition: intro_types.h:48
memCopyViolationSetContextThread
This represents an attempt of modifying the context of another thread.
Definition: intro_types.h:1299
_SERIALIZER_LIX_PROCESS::ActualParent
QWORD ActualParent
The guest virtual address of the parent process.
Definition: serializers.c:155
IntSerializeProcess
static void IntSerializeProcess(void *Process, const DWORD ObjectType)
Serialize the provided process object.
Definition: serializers.c:1281
gBase64Buffer
static char gBase64Buffer[Base64EncSize(sizeof(gSerializerBuffer))]
Definition: serializers.c:593
intObjStartVictim
Used to notify the deserializer that the next objects contains the victim.
Definition: serializers.c:514
intObjCr
Used for the CR object.
Definition: serializers.c:526
PSERIALIZER_WIN_PROCESS
struct _SERIALIZER_WIN_PROCESS * PSERIALIZER_WIN_PROCESS
codeInsJmp
Non-conditional jump, of any kind.
Definition: codeblocks.h:28
RIP_CODE_SERIALIZER_VERSION
#define RIP_CODE_SERIALIZER_VERSION
_EXCEPTION_VICTIM_EPT
Describes an EPT victim.
Definition: exceptions.h:722
_SERIALIZER_LIX_KERNEL_MODULE::Size
DWORD Size
The total size of the section.
Definition: serializers.c:244
_SERIALIZER_ARCH_REGS::R14
QWORD R14
Definition: serializers.c:312
IntSerializeCodeBlocksPattern
static void IntSerializeCodeBlocksPattern(CODE_BLOCK *CodeBlocks, DWORD Count, QWORD Rip, BOOLEAN Execute, SERIALIZER_CODE_BLOCKS *Object)
Iterates through all extracted code-blocks patterns and serialize the patterns.
Definition: serializers.c:2048
SERIALIZER_MSR
struct _SERIALIZER_MSR SERIALIZER_MSR
Describes a serialized intObjMsr object.
_SERIALIZER_LIX_VMA::End
QWORD End
Definition: serializers.c:189
exceptionTypeUm
User-mode exception.
Definition: exceptions.h:61
introObjectTypeUmGenericNxZone
User-mode non executable zone.
Definition: intro_types.h:244
SERIALIZER_CR
struct _SERIALIZER_CR SERIALIZER_CR
Describes a serialized intObjCr object.
intObjReadInfo
Used for the read info object.
Definition: serializers.c:553
_DPI_EXTRA_INFO::TrapFrameAddress
QWORD TrapFrameAddress
The address of the trap frame. Used for more information gathering when sending the alert...
Definition: windpi.h:40
_SERIALIZER_WRITE_INFO
Describes a serialized intObjWriteInfo object.
Definition: serializers.c:332
IntSerializeKmVictim
static void IntSerializeKmVictim(const EXCEPTION_KM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the information about kernel-mode victim.
Definition: serializers.c:3348
_DPI_EXTRA_INFO::Wow64StackLimit
QWORD Wow64StackLimit
The known stack limit in WoW64 mode. Valid only if the process is WoW64.
Definition: windpi.h:44
introGuestNotAllowed
Definition: intro_types.h:164
intObjWinModuleReturn
Used for the windows return module object.
Definition: serializers.c:549
_SERIALIZER_WIN_PROCESS::Peb32Address
QWORD Peb32Address
PEB 32 address (on pure x64 processes, this will be 0).
Definition: serializers.c:177
_SERIALIZER_DPI_WIN_THREAD_START
Describes a serialized intObjDpiWinThreadStart.
Definition: serializers.c:454
_DPI_EXTRA_INFO::NewEnabled
QWORD NewEnabled
The new value from parent&#39;s token Privileges.Enabled field, which was deemed malicious.
Definition: windpi.h:74
RAW_DUMP_SERIALIZER_VERSION
#define RAW_DUMP_SERIALIZER_VERSION
_CODE_BLOCK::OffsetStart
DWORD OffsetStart
The start of the extracted codeblock (not actually relevant)
Definition: codeblocks.h:53
_KERNEL_DRIVER::BaseVa
QWORD BaseVa
The guest virtual address of the kernel module that owns this driver object.
Definition: drivers.h:41
gSerializerBuffer
static BYTE gSerializerBuffer[MAX_SERIALIZER_LENGTH]
Definition: serializers.c:581
PSERIALIZER_EXPORT
struct _SERIALIZER_EXPORT * PSERIALIZER_EXPORT
_WINUM_CACHE_EXPORT::NumberOfOffsets
DWORD NumberOfOffsets
Number of symbols pointing to the exported RVA.
Definition: winumcache.h:27
IntSerializeObjectHeader
static SERIALIZER_OBJECT_HEADER * IntSerializeObjectHeader(const DWORD Version, const DWORD Type)
Creates a SERIALIZER_OBJECT_HEADER object and fill the fields with the provided parameters.
Definition: serializers.c:781
_SERIALIZER_LIX_VMA
Describes a serialized intObjLixVma object.
Definition: serializers.c:186
IntSerializeCr
static void IntSerializeCr(const EXCEPTION_VICTIM_CR *Cr)
Serialize the provided CR object.
Definition: serializers.c:987
IntSerializeExecInfo
static void IntSerializeExecInfo(const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the execution violation information.
Definition: serializers.c:1800
_SERIALIZER_EXCEPTION_KM_ORIGINATOR::_Reserved
BYTE _Reserved
Unused.
Definition: serializers.c:67
_SERIALIZER_IDT::Entry
DWORD Entry
The modified entry from the IDT.
Definition: serializers.c:133
INT_SUCCESS
#define INT_SUCCESS(Status)
Definition: introstatus.h:42
PSERIALIZER_DPI_PIVOTED_STACK
struct _SERIALIZER_DPI_PIVOTED_STACK * PSERIALIZER_DPI_PIVOTED_STACK
intObjWinKernelDriver
Used for the windows kernel driver object.
Definition: serializers.c:539
_SERIALIZER_EXEC_INFO::StackBase
QWORD StackBase
The stack base for the thread that attempted the execution.
Definition: serializers.c:356
IntSerializeLixProcess
static void IntSerializeLixProcess(const LIX_TASK_OBJECT *Process, const DWORD ObjectType)
Serialize the provided LIX_TASK_OBJECT object.
Definition: serializers.c:1226
_CODE_BLOCK::Size
WORD Size
Code block size, in patterns.
Definition: codeblocks.h:55
_DPI_EXTRA_INFO::StartAddress
QWORD StartAddress
The address on which the parent&#39;s thread started execution.
Definition: windpi.h:82
intObjStartMisc
Used to notify the deserializer that the next objects contains the misc.
Definition: serializers.c:518
WIN_KERNEL_DRIVER_SERIALIZER_VERSION
#define WIN_KERNEL_DRIVER_SERIALIZER_VERSION
_SERIALIZER_ARCH_REGS::Rip
QWORD Rip
Definition: serializers.c:317
SERIALIZER_DPI_WIN_HEAP_SPRAY
struct _SERIALIZER_DPI_WIN_HEAP_SPRAY SERIALIZER_DPI_WIN_HEAP_SPRAY
Describes a serialized intObjDpiWinHeapSpray.
PAGE_OFFSET
#define PAGE_OFFSET
Definition: pgtable.h:32
IntSerializeKmMisc
static void IntSerializeKmMisc(const EXCEPTION_KM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the misc information for kernel-mode alert.
Definition: serializers.c:3430
_SERIALIZER_RIP_CODE
Describes a serialized intObjRipCode object.
Definition: serializers.c:379
exceptionZoneEpt
The modified object is inside an EPT hook.
Definition: exceptions.h:710
SERIALIZER_WIN_KERNEL_DRIVER
struct _SERIALIZER_WIN_KERNEL_DRIVER SERIALIZER_WIN_KERNEL_DRIVER
Describes a serialized intObjWinKernelDriver object.
_SERIALIZER_STRING::String
CHAR String[0]
The content of the string.
Definition: serializers.c:58
PSERIALIZER_DPI_WIN_DEBUG
struct _SERIALIZER_DPI_WIN_DEBUG * PSERIALIZER_DPI_WIN_DEBUG
DPI_WIN_THREAD_START_SERIALIZER_VERSION
#define DPI_WIN_THREAD_START_SERIALIZER_VERSION
_SERIALIZER_EXCEPTION_KM_ORIGINATOR
Describes a serialized intObjKmOriginator object.
Definition: serializers.c:65
PSERIALIZER_RIP_CODE
struct _SERIALIZER_RIP_CODE * PSERIALIZER_RIP_CODE
_SERIALIZER_WRITE_INFO::AccessSize
DWORD AccessSize
The original value. Only the first Size bytes are valid.
Definition: serializers.c:334
_SERIALIZER_DPI_WIN_HEAP_SPRAY::MaxHeapValPageContent
BYTE MaxHeapValPageContent[0x1000]
The copied page which has the most heap values in it.
Definition: serializers.c:447
IntSerializeCodeBlocks
static void IntSerializeCodeBlocks(QWORD Rip, QWORD Cr3, BOOLEAN Execute)
Serialize the extracted code-blocks for the current exception.
Definition: serializers.c:2299
_CODE_BLOCK_PATTERN::Offset
DWORD Offset
The offset of the instruction in the page.
Definition: codeblocks.h:70
ERROR
#define ERROR(fmt,...)
Definition: glue.h:62
CODE_BLOCK_CHUNKS_COUNT
#define CODE_BLOCK_CHUNKS_COUNT
Number of chunks (CODE_INS) per codeblock.
Definition: codeblocks.h:43
PSERIALIZER_WRITE_INFO
struct _SERIALIZER_WRITE_INFO * PSERIALIZER_WRITE_INFO
_SERIALIZER_LIX_PROCESS::Gva
QWORD Gva
The guest virtual address of the task_struct.
Definition: serializers.c:153
_EXCEPTION_UM_ORIGINATOR
Describes a user-mode originator.
Definition: exceptions.h:933
intObjWinProcessParent
Used for the windows parent process object.
Definition: serializers.c:533
_SERIALIZER_WIN_MODULE
Describes a serialized intObjWinModule object.
Definition: serializers.c:276
_SERIALIZER_WIN_PROCESS::MainModuleAddress
QWORD MainModuleAddress
The address of the main module.
Definition: serializers.c:178
_SERIALIZER_DPI
Describes a serialized intObjDpi object.
Definition: serializers.c:494
_SERIALIZER_ARCH_REGS::Cr4
QWORD Cr4
Definition: serializers.c:319
_SERIALIZER_WIN_VAD
Describes a serialized intObjWinVad object.
Definition: serializers.c:200
_SERIALIZER_LIX_VMA::Start
QWORD Start
Start of the memory described by the VMA.
Definition: serializers.c:188
_SERIALIZER_CODE_BLOCKS
Describes a serialized intObjCodeBlocks object.
Definition: serializers.c:365
_DPI_EXTRA_INFO::StolenFromEprocess
QWORD StolenFromEprocess
The EPROCESS address from which the token was stolen.
Definition: windpi.h:49
_SERIALIZER_OBJECT_HEADER
Describes the header for each serialized item.
Definition: serializers.c:43
INTSTATUS
int INTSTATUS
The status data type.
Definition: introstatus.h:24
_KERNEL_DRIVER::Size
QWORD Size
The size of the kernel module that owns this driver object.
Definition: drivers.h:43
SERIALIZER_READ_INFO
struct _SERIALIZER_READ_INFO SERIALIZER_READ_INFO
Describes a serialized intObjExecInfo object.
IntSerializeExtractCodeBlocks
static INTSTATUS IntSerializeExtractCodeBlocks(QWORD Rip, QWORD Cr3, BOOLEAN Execute, SERIALIZER_CODE_BLOCKS *Object)
Extract the code-blocks for the current exception.
Definition: serializers.c:2137
KERNEL_DRV_OBJECT_SERIALIZER_VERSION
#define KERNEL_DRV_OBJECT_SERIALIZER_VERSION
PSERIALIZER_DPI_WIN_STOLEN_TOKEN
struct _SERIALIZER_DPI_WIN_STOLEN_TOKEN * PSERIALIZER_DPI_WIN_STOLEN_TOKEN
intObjLixProcess
Used for the Linux task object.
Definition: serializers.c:534
_SERIALIZER_READ_INFO::Value
QWORD Value[8]
The read value. Only the first Size bytes are valid.
Definition: serializers.c:346
_SERIALIZER_ARCH_REGS
Describes a serialized intObjArchRegs object.
Definition: serializers.c:296
_SERIALIZER_ARCH_REGS::Rsp
QWORD Rsp
Definition: serializers.c:302
_SERIALIZER_DPI_WIN_HEAP_SPRAY
Describes a serialized intObjDpiWinHeapSpray.
Definition: serializers.c:429
IntSerializeReadInfo
static void IntSerializeReadInfo(const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the read violation information.
Definition: serializers.c:1763
MAX_SERIALIZER_LENGTH
#define MAX_SERIALIZER_LENGTH
Definition: serializers.c:579
SERIALIZER_OBJECT_HEADER
struct _SERIALIZER_OBJECT_HEADER SERIALIZER_OBJECT_HEADER
Describes the header for each serialized item.
_SERIALIZER_EXCEPTION_UM_ORIGINATOR::_Reserved
BYTE _Reserved
Unused.
Definition: serializers.c:75
IntSerializeWinUmOriginator
static void IntSerializeWinUmOriginator(const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the information about windows user-mode originator.
Definition: serializers.c:2809
PSERIALIZER_LIX_PROCESS
struct _SERIALIZER_LIX_PROCESS * PSERIALIZER_LIX_PROCESS
_WIN_PROCESS_OBJECT::DebuggerEprocess
QWORD DebuggerEprocess
This will keep the EPROCESS of the debugger process (if any).
Definition: winprocess.h:278
_SERIALIZER_EPT
Describes a serialized intObjEpt object.
Definition: serializers.c:93
IntSerializeLixUmVictim
static void IntSerializeLixUmVictim(const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the information about Linux user-mode victim.
Definition: serializers.c:2888
IntSerializeIncrementCurrentPtr
static void IntSerializeIncrementCurrentPtr(const DWORD Size)
Increment the current pointer to the serializer buffer with the provided size.
Definition: serializers.c:668
IntSerializeCodeBlocksGetExtractRange
static void IntSerializeCodeBlocksGetExtractRange(QWORD Rip, BOOLEAN Execute, DWORD *Start, DWORD *End)
Computes the range from which the code-blocks should be extracted.
Definition: serializers.c:1956
intObjLixKernelModuleReturn
Used for the Linux kernel module object.
Definition: serializers.c:542
_EXCEPTION_KM_ORIGINATOR
Describes a kernel-mode originator.
Definition: exceptions.h:897
CB_EXTRACT_LEVEL
CB_EXTRACT_LEVEL
Definition: codeblocks.h:14
SERIALIZER_IDT
struct _SERIALIZER_IDT SERIALIZER_IDT
Describes a serialized intObjIdt object.
_SERIALIZER_CODE_BLOCKS::StartAddress
QWORD StartAddress
The guest linear address from which the code blocks were extracted.
Definition: serializers.c:367
intObjLixKernelModule
Used for the Linux kernel module object.
Definition: serializers.c:541
_EXCEPTION_VICTIM_MSR
Describes a MSR victim.
Definition: exceptions.h:732
_SERIALIZER_LIX_KERNEL_MODULE::CoreLayout
struct _SERIALIZER_LIX_KERNEL_MODULE::@251 CoreLayout
PSERIALIZER_EXCEPTION_KM_ORIGINATOR
struct _SERIALIZER_EXCEPTION_KM_ORIGINATOR * PSERIALIZER_EXCEPTION_KM_ORIGINATOR
_SERIALIZER_DPI_PIVOTED_STACK::StackBase
QWORD StackBase
The known stack base of the parent process.
Definition: serializers.c:482
IntSerializeValidObjectSize
static BOOLEAN IntSerializeValidObjectSize(DWORD Size)
Checks if the serializer buffer overflows.
Definition: serializers.c:733
ALERT_MAX_CODEBLOCKS
#define ALERT_MAX_CODEBLOCKS
The maximum number of code blocks included in an alert structure.
Definition: intro_types.h:667
intObjExecInfo
Used for the execution info object.
Definition: serializers.c:554
_SERIALIZER_WIN_PROCESS::EprocessAddress
QWORD EprocessAddress
This will be the address of the EPROCESS.
Definition: serializers.c:170
IntSerializeWinUmMisc
static void IntSerializeWinUmMisc(const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the misc information for windows user-mode alert.
Definition: serializers.c:2983
_SERIALIZER_ARCH_REGS::Cr8
QWORD Cr8
Definition: serializers.c:321
_GUEST_STATE::OSType
INTRO_GUEST_TYPE OSType
The type of the guest.
Definition: guests.h:274
_DPI_EXTRA_INFO::Wow64StackBase
QWORD Wow64StackBase
The known stack base in WoW64 mode. Valid only if the process is WoW64.
Definition: windpi.h:43
_SERIALIZER_INJECTION
Describes a serialized intObjInjection object.
Definition: serializers.c:140
IntSerializeWinVad
void IntSerializeWinVad(const VAD *Vad)
Serialize the provided VAD object.
Definition: serializers.c:1304
END_ORIGINATOR_SERIALZIER_VERSION
#define END_ORIGINATOR_SERIALZIER_VERSION
_Out_writes_
#define _Out_writes_(expr)
Definition: intro_sal.h:28
IntSerializeLixKmVictim
static void IntSerializeLixKmVictim(const EXCEPTION_KM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the information about Linux kernel-mode victim.
Definition: serializers.c:3276
SERIALIZER_DPI_WIN_STOLEN_TOKEN
struct _SERIALIZER_DPI_WIN_STOLEN_TOKEN SERIALIZER_DPI_WIN_STOLEN_TOKEN
Describes a serialized intObjDpiWinStolenToken.
MIN
#define MIN(a, b)
Definition: introdefs.h:146
_SERIALIZER_WIN_VAD::VadGva
QWORD VadGva
The guest virtual address at which the corresponding Windows _MMVAD structure is located.
Definition: serializers.c:205
_SERIALIZER_KERNEL_DRV_OBJECT::Gpa
QWORD Gpa
The guest physical address of the guest _DRIVER_OBJECT represented by this structure.
Definition: serializers.c:267
_SERIALIZER_EPT::Type
BYTE Type
The violation type.
Definition: serializers.c:97
_SERIALIZER_KERNEL_DRIVER::Size
QWORD Size
The size of the kernel module that owns this driver object.
Definition: serializers.c:222
_SERIALIZER_READ_INFO::AccessSize
DWORD AccessSize
The original value. Only the first Size bytes are valid.
Definition: serializers.c:345
READ_INFO_SERIALIZER_VERSION
#define READ_INFO_SERIALIZER_VERSION
_SERIALIZER_DPI_WIN_TOKEN_PRIVS
Describes a serialized intObjDpiWinTokenPrivs.
Definition: serializers.c:465
WIN_KM_VICTIM_SERIALIZER_VERSION
#define WIN_KM_VICTIM_SERIALIZER_VERSION
ZONE_TYPE
enum _ZONE_TYPE ZONE_TYPE
Describes the zone types that can be excepted.
_SERIALIZER_WIN_PROCESS::Peb64Address
QWORD Peb64Address
PEB 64 address (on x86 OSes, this will be 0).
Definition: serializers.c:176
_SERIALIZER_EXPORT
Describes a serialized intObjExport object.
Definition: serializers.c:400
_SERIALIZER_INSTRUX::Bytes
BYTE Bytes[16]
The instruction bytes.
Definition: serializers.c:289
IntSerializeRawDump
static void IntSerializeRawDump(const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the raw dump for the injection violation.
Definition: serializers.c:1864
SERIALIZER_WRITE_INFO
struct _SERIALIZER_WRITE_INFO SERIALIZER_WRITE_INFO
Describes a serialized intObjWriteInfo object.
_SERIALIZER_DPI_WIN_THREAD_START::ShellcodeFlags
QWORD ShellcodeFlags
The shellcode flags given by shemu on the detected page.
Definition: serializers.c:456
LOG
#define LOG(fmt,...)
Definition: glue.h:61
IG_CS_TYPE_32B
32-bit selector.
Definition: glueiface.h:187
IntSerializeCodeBlocksGetExtractLevel
static CB_EXTRACT_LEVEL IntSerializeCodeBlocksGetExtractLevel(QWORD Rip)
Get the code-blocks extraction level.
Definition: serializers.c:2011
LIX_PROCESS_SERIALIZER_VERSION
#define LIX_PROCESS_SERIALIZER_VERSION
_KERNEL_DRIVER
Describes a kernel driver.
Definition: drivers.h:30
serializerExceptionTypeUm
Used for user-mode exceptions.
Definition: serializers.c:22
_CODE_BLOCK::Chunks
BYTE Chunks[CODE_BLOCK_CHUNKS_COUNT]
The actual CODE_INS values representing the instruction pattern.
Definition: codeblocks.h:58
_SERIALIZER_LIX_KERNEL_MODULE::Base
QWORD Base
The base guest virtual address of the section.
Definition: serializers.c:243
_SERIALIZER_WIN_MODULE::Size
DWORD Size
Virtual size of the module.
Definition: serializers.c:279
SERIALIZER_EXCEPTION_TYPE
enum _SERIALIZER_EXCEPTION_TYPE SERIALIZER_EXCEPTION_TYPE
Describes the serialized exception type.
IntSerializeKernelUserException
static void IntSerializeKernelUserException(const void *Originator, const void *Victim, INTRO_EVENT_TYPE EventClass)
Serialize the kernel-user mode exception.
Definition: serializers.c:3535
SERIALIZER_DTR
struct _SERIALIZER_DTR SERIALIZER_DTR
Describes a serialized intObjDtr object.
_SERIALIZER_INSTRUX::Rip
QWORD Rip
The guest virtual address of the instruction.
Definition: serializers.c:288
LIX_KERNEL_MODULE_SERIALIZER_VERSION
#define LIX_KERNEL_MODULE_SERIALIZER_VERSION
SERIALIZER_INJECTION
struct _SERIALIZER_INJECTION SERIALIZER_INJECTION
Describes a serialized intObjInjection object.
IntSerializeException
void IntSerializeException(void *Victim, void *Originator, DWORD Type, INTRO_ACTION Action, INTRO_ACTION_REASON Reason, INTRO_EVENT_TYPE EventClass)
The entry point of the serializer; will serialize the provided exception if the violation is blocked ...
Definition: serializers.c:3569
_SERIALIZER_ARCH_REGS::Rbx
QWORD Rbx
Definition: serializers.c:301
_SERIALIZER_INJECTION::Length
DWORD Length
The length of the injection.
Definition: serializers.c:143
serializerExceptionTypeKm
Used for kernel-mode exceptions.
Definition: serializers.c:21
_SERIALIZER_DPI_PIVOTED_STACK::TrapFrameContent
BYTE TrapFrameContent[512]
The content of the trap frame where the current stack has been found.
Definition: serializers.c:487
stringEncodeUtf16
The string encoding type &#39;utf-16&#39;.
Definition: serializers.c:576
_SERIALIZER_LIX_VMA::Flags
QWORD Flags
Flags for the VMA.
Definition: serializers.c:192
_SERIALIZER_LIX_KERNEL_MODULE::TextSize
DWORD TextSize
The size of the .text (code usually).
Definition: serializers.c:245
Base64EncSize
#define Base64EncSize(Length)
Definition: serializers.c:591
stringEncodeUtf8
The string encoding type &#39;utf-8&#39;.
Definition: serializers.c:575
gCodeBlocksPatternLength
static DWORD gCodeBlocksPatternLength
Definition: serializers.c:586
IntSerializeStart
void IntSerializeStart(void)
Set the current serializer pointer to the beginning of the buffer and generated a new alert-ID...
Definition: serializers.c:3556
_WIN_PROCESS_OBJECT::Cr3
QWORD Cr3
Process PDBR. Includes PCID.
Definition: winprocess.h:96
exceptionZoneDtr
the modified object is IDTR/GDTR.
Definition: exceptions.h:715
IntGetCurrentMode
INTSTATUS IntGetCurrentMode(DWORD CpuNumber, DWORD *Mode)
Read the current CS type.
Definition: introcpu.c:977
_CODE_BLOCK
Definition: codeblocks.h:51
_DPI_EXTRA_INFO::DpiHeapSprayExtraInfo
struct _DPI_EXTRA_INFO::@202 DpiHeapSprayExtraInfo
IntSerializeAccessInfo
static void IntSerializeAccessInfo(const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the read/write/exec violation information.
Definition: serializers.c:1839
_SERIALIZER_INJECTION::Gva
QWORD Gva
The guest virtual address in which the injection occurs.
Definition: serializers.c:142
PSERIALIZER_CR
struct _SERIALIZER_CR * PSERIALIZER_CR
_SERIALIZER_KERNEL_DRIVER::EntryPoint
QWORD EntryPoint
The entry point of this driver.
Definition: serializers.c:223
_SERIALIZER_KERNEL_DRIVER::ObjectGva
QWORD ObjectGva
Definition: serializers.c:219
START_MISC_SERIALZIER_VERSION
#define START_MISC_SERIALZIER_VERSION
_SERIALIZER_WIN_VAD::Protection
DWORD Protection
VAD protection as represented by Introcore.
Definition: serializers.c:208
_SERIALIZER_HEADER::Guest
DWORD Guest
The operation system.
Definition: serializers.c:33
INTRO_OBJECT_TYPE
enum _INTRO_OBJECT_TYPE INTRO_OBJECT_TYPE
The type of the object protected by an EPT hook.
DPI_SERIALIZER_VERSION
#define DPI_SERIALIZER_VERSION
_CODE_BLOCK_PATTERN
Definition: codeblocks.h:68
_Inout_
#define _Inout_
Definition: intro_sal.h:20
SERIALIZER_RIP_CODE
struct _SERIALIZER_RIP_CODE SERIALIZER_RIP_CODE
Describes a serialized intObjRipCode object.
_DPI_EXTRA_INFO::DpiPivotedStackExtraInfo
struct _DPI_EXTRA_INFO::@200 DpiPivotedStackExtraInfo
IntSerializeWinKmVictim
static void IntSerializeWinKmVictim(const EXCEPTION_KM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the information about Windows kernel-mode victim.
Definition: serializers.c:3197
intObjEndMisc
Used to notify the deserializer that the all the misc objects has been parsed.
Definition: serializers.c:520
_SERIALIZER_DPI_WIN_TOKEN_PRIVS::OldPresent
QWORD OldPresent
Definition: serializers.c:470
IntSerializeWinModule
static void IntSerializeWinModule(const WIN_PROCESS_MODULE *Module, const DWORD ObjectType)
Serialize the provided WIN_PROCESS_MODULE object.
Definition: serializers.c:1645
IntSerializeStringIsWcharAscii
static BOOLEAN IntSerializeStringIsWcharAscii(const void *String, DWORD Size)
Checks if the provided string contains WCHARS.
Definition: serializers.c:813
IntSerializeUmMisc
static void IntSerializeUmMisc(const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the misc information for user-mode alert.
Definition: serializers.c:3066
SERIALIZER_DPI_WIN_THREAD_START
struct _SERIALIZER_DPI_WIN_THREAD_START SERIALIZER_DPI_WIN_THREAD_START
Describes a serialized intObjDpiWinThreadStart.
PSERIALIZER_WIN_MODULE
struct _SERIALIZER_WIN_MODULE * PSERIALIZER_WIN_MODULE
START_VICTIM_SERIALZIER_VERSION
#define START_VICTIM_SERIALZIER_VERSION
_SERIALIZER_KERNEL_DRV_OBJECT::FastIOTableAddress
QWORD FastIOTableAddress
Definition: serializers.c:269
IntSerializeLixUmMisc
static void IntSerializeLixUmMisc(const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the misc information for Linux user-mode alert.
Definition: serializers.c:3031
_SERIALIZER_EXEC_INFO::StackLimit
QWORD StackLimit
The stack limit for the thread that attempted the execution.
Definition: serializers.c:357
INITIAL_CRC_VALUE
#define INITIAL_CRC_VALUE
Definition: introdefs.h:221
introGuestLinux
Linux.
Definition: intro_types.h:1881
_SERIALIZER_DPI_PIVOTED_STACK::Wow64StackLimit
QWORD Wow64StackLimit
The known stack limit of the parent process in WoW64 mode.
Definition: serializers.c:486
VICTIM_SERIALIZER_CR_VERSION
#define VICTIM_SERIALIZER_CR_VERSION
_SERIALIZER_INSTRUX
Describes a serialized intObjInstrux object.
Definition: serializers.c:286
_SERIALIZER_LIX_PROCESS::Flags
DWORD Flags
The protection flags.
Definition: serializers.c:161
gCodeBlocks
static CODE_BLOCK gCodeBlocks[PAGE_SIZE/sizeof(CODE_BLOCK)]
Definition: serializers.c:587
IS_KERNEL_POINTER_LIX
#define IS_KERNEL_POINTER_LIX(p)
Definition: lixguest.h:11
SERIALIZER_LIX_VMA
struct _SERIALIZER_LIX_VMA SERIALIZER_LIX_VMA
Describes a serialized intObjLixVma object.
EXCEPTION_CODEBLOCKS_OFFSET
#define EXCEPTION_CODEBLOCKS_OFFSET
The maximum offset for codeblocks extraction.
Definition: exceptions.h:54
IntSerializeMsr
static void IntSerializeMsr(const EXCEPTION_VICTIM_MSR *Msr)
Serialize the provided MSR object.
Definition: serializers.c:1052
_SERIALIZER_KERNEL_DRV_OBJECT
Describes a serialized intObjKernelDrvObject object.
Definition: serializers.c:262
intObjDpiWinHeapSpray
Used for the DPI heap spray object.
Definition: serializers.c:566
IG_CURRENT_VCPU
#define IG_CURRENT_VCPU
For APIs that take a VCPU number as a parameter, this can be used to specify that the current VCPU sh...
Definition: glueiface.h:324
_SERIALIZER_CR::Cr
DWORD Cr
The written CR.
Definition: serializers.c:115
_EXCEPTION_VICTIM_INJECTION
Describes an injection.
Definition: exceptions.h:774
_SERIALIZER_DPI_PIVOTED_STACK::StackLimit
QWORD StackLimit
The known stack limit of the parent process.
Definition: serializers.c:483
SERIALIZER_EXCEPTION_UM_ORIGINATOR
struct _SERIALIZER_EXCEPTION_UM_ORIGINATOR SERIALIZER_EXCEPTION_UM_ORIGINATOR
Describes a serialized intObjUmOriginator object.
PSERIALIZER_WIN_KERNEL_DRIVER
struct _SERIALIZER_WIN_KERNEL_DRIVER * PSERIALIZER_WIN_KERNEL_DRIVER
KTRAP_FRAME64
struct _KTRAP_FRAME64 KTRAP_FRAME64
ZONE_EXECUTE
#define ZONE_EXECUTE
Used for execute violation.
Definition: exceptions.h:700
_SERIALIZER_EXCEPTION_VICTIM::ZoneFlags
QWORD ZoneFlags
The zone-flags of the victim object.
Definition: serializers.c:86
_WIN_DRIVER_OBJECT
Holds information about a driver object.
Definition: windrvobj.h:13
IntSerializeWinProcess
static void IntSerializeWinProcess(const WIN_PROCESS_OBJECT *Process, const DWORD ObjectType)
Serialize the provided WIN_PROCESS_OBJECT object.
Definition: serializers.c:1172
INT_PC_VIOLATION_DPI_STOLEN_TOKEN
The parent of a process has a stolen access token when it created the child.
Definition: intro_types.h:1528
memzero
#define memzero(a, s)
Definition: introcrt.h:35
memCopyViolationQueueApcThread
This represents an attempt to queue an APC into the victim process.
Definition: intro_types.h:1302
IntSerializeDpi
static void IntSerializeDpi(const EXCEPTION_UM_ORIGINATOR *Originator)
Serialize the DPI flags.
Definition: serializers.c:2725
_GUEST_STATE::Guest64
BOOLEAN Guest64
True if this is a 64-bit guest, False if it is a 32-bit guest.
Definition: guests.h:286
ZONE_PROC_THREAD_APC
#define ZONE_PROC_THREAD_APC
Used for the APC thread hijacking technique.
Definition: exceptions.h:694
_SERIALIZER_DPI_WIN_TOKEN_PRIVS::OldEnabled
QWORD OldEnabled
Definition: serializers.c:467
QWORD
unsigned long long QWORD
Definition: intro_types.h:53
IntSerializeUmException
static void IntSerializeUmException(const void *Originator, const void *Victim, INTRO_EVENT_TYPE EventClass)
Serialize the user-mode exception.
Definition: serializers.c:3513
_SERIALIZER_ARCH_REGS::Cr3
QWORD Cr3
Definition: serializers.c:320
_SERIALIZER_HEADER::Arch
DWORD Arch
The architecture of the current guest.
Definition: serializers.c:36
intObjStartOriginator
Used to notify the deserializer that the next objects contains the originator.
Definition: serializers.c:510
_SERIALIZER_ARCH_REGS::Cr0
QWORD Cr0
Definition: serializers.c:318
IntSerializeKmOriginator
void IntSerializeKmOriginator(const EXCEPTION_KM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the information about kernel-mode originator.
Definition: serializers.c:3170
gCodeBlocksPattern
static CODE_BLOCK_PATTERN gCodeBlocksPattern[PAGE_SIZE/sizeof(CODE_BLOCK_PATTERN)]
Definition: serializers.c:585
_SERIALIZER_DPI_WIN_DEBUG::Debugger
QWORD Debugger
The debugger of the current process. May or may not be the parent.
Definition: serializers.c:413
INT_PC_VIOLATION_DPI_TOKEN_PRIVS
The creation of a process was attempted with token privileges altered in a malicious way...
Definition: intro_types.h:1534
TRUE
#define TRUE
Definition: intro_types.h:30
IntSerializeKernelDriver
static void IntSerializeKernelDriver(const EXCEPTION_KM_ORIGINATOR *Originator, const KERNEL_DRIVER *Driver, const DWORD ObjectType)
Serialize the provided KERNEL_DRIVER object.
Definition: serializers.c:1550
IntSerializeWinUmVictim
static void IntSerializeWinUmVictim(const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the information about user-mode windows victim.
Definition: serializers.c:2930
_SERIALIZER_DPI_WIN_HEAP_SPRAY::Detected
DWORD Detected
The bit is set if the i-th page was detected as malicious by shemu.
Definition: serializers.c:435
IS_KERNEL_POINTER_WIN
#define IS_KERNEL_POINTER_WIN(is64, p)
Checks if a guest virtual address resides inside the Windows kernel address space.
Definition: wddefs.h:76
_SERIALIZER_HEADER::SerializedType
DWORD SerializedType
The type of the serialized exception (SERIALIZER_EXCEPTION_TYPE)
Definition: serializers.c:32
_SERIALIZER_OBJECT_HEADER::Version
DWORD Version
The version of the serialized object (used for compatibility).
Definition: serializers.c:45
_SERIALIZER_KERNEL_DRIVER::BaseVa
QWORD BaseVa
The guest virtual address of the kernel module that owns this driver object.
Definition: serializers.c:221
INT_PC_VIOLATION_DPI_PIVOTED_STACK
The parent of a process had a pivoted stack when it created the child.
Definition: intro_types.h:1525
_SERIALIZER_DTR
Describes a serialized intObjDtr object.
Definition: serializers.c:122
_DPI_EXTRA_INFO::CurrentWow64Stack
QWORD CurrentWow64Stack
The current stack of the process in WoW64 mode. Valid only if the process is WoW64.
Definition: windpi.h:42
memCopyViolationWrite
This is a classic code injection attempt that simply modifies the memory of the victim process...
Definition: intro_types.h:1293
VICTIM_SERIALIZER_DTR_VERSION
#define VICTIM_SERIALIZER_DTR_VERSION
TRACE
#define TRACE(fmt,...)
Definition: glue.h:58
SERIALIZER_EXPORT
struct _SERIALIZER_EXPORT SERIALIZER_EXPORT
Describes a serialized intObjExport object.
IntSerializeWinKernelDriver
static void IntSerializeWinKernelDriver(const KERNEL_DRIVER *Driver, DWORD ObjectType)
Serialize the provided KERNEL_DRIVER object.
Definition: serializers.c:1428
cbLevelNormal
This includes instructions until codeInsBt.
Definition: codeblocks.h:16
intObjDpiWinPivotedStack
Used for the DPI pivoted stack object.
Definition: serializers.c:562
_SERIALIZER_DPI_WIN_HEAP_SPRAY::ShellcodeFlags
QWORD ShellcodeFlags
The shellcode flags given by shemu on the detected page.
Definition: serializers.c:444
SERIALIZER_INSTRUX
struct _SERIALIZER_INSTRUX SERIALIZER_INSTRUX
Describes a serialized intObjInstrux object.
introObjectTypeSharedUserData
Executions inside the SharedUserData region.
Definition: intro_types.h:264
intObjWinKernelDriverReturn
Used for the windows kernel driver object.
Definition: serializers.c:540
_WIN_PROCESS_OBJECT::DpiExtraInfo
DPI_EXTRA_INFO DpiExtraInfo
Represents the gathered extra info while checking the DPI heuristics.
Definition: winprocess.h:292
PSERIALIZER_DTR
struct _SERIALIZER_DTR * PSERIALIZER_DTR
_SERIALIZER_DPI_WIN_TOKEN_PRIVS::NewPresent
QWORD NewPresent
The new Privileges.Present value in the parent&#39;s token, which was deemed malicious.
Definition: serializers.c:472
_SERIALIZER_EXEC_INFO::Rsp
QWORD Rsp
The value of the guest RSP register at the moment of execution.
Definition: serializers.c:355
IntSerializeDpiWinDebug
static void IntSerializeDpiWinDebug(const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the DPI debug flags info (Windows).
Definition: serializers.c:2374
intObjDpi
Used for the DPI object.
Definition: serializers.c:560
_DPI_EXTRA_INFO::NewPresent
QWORD NewPresent
The new value from parent&#39;s token Privileges.Present field, which was deemed malicious.
Definition: windpi.h:77
_DPI_EXTRA_INFO::DpiThreadStartExtraInfo
struct _DPI_EXTRA_INFO::@204 DpiThreadStartExtraInfo
intObjDtr
Used for the DTR object.
Definition: serializers.c:527
_DPI_EXTRA_INFO::CurrentStack
QWORD CurrentStack
The current stack of the process at the point of process creation.
Definition: windpi.h:36
gSerializerCurrentId
static QWORD gSerializerCurrentId
Definition: serializers.c:583
exceptionTypeKm
Kernel-mode exception.
Definition: exceptions.h:62
_IG_ARCH_REGS::Cr3
QWORD Cr3
Definition: glueiface.h:54
IntSerializeLixKmMisc
static void IntSerializeLixKmMisc(const EXCEPTION_KM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the misc information for Linux kernel-mode alert.
Definition: serializers.c:3376
IntSerializeDpiWinStolenToken
static void IntSerializeDpiWinStolenToken(const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the DPI stolen token info (Windows).
Definition: serializers.c:2468
IntSerializeDump
static void IntSerializeDump(void)
Dumps the serialized buffer (base64 format).
Definition: serializers.c:708
_SERIALIZER_LIX_PROCESS::RealParent
QWORD RealParent
The guest virtual address of the task_struct->real_parent.
Definition: serializers.c:154
_SERIALIZER_ARCH_REGS::Rdi
QWORD Rdi
Definition: serializers.c:305
_SERIALIZER_WRITE_INFO::NewValue
QWORD NewValue[8]
The size of the access.
Definition: serializers.c:336
_LIX_TASK_OBJECT
Definition: lixprocess.h:38
introGuestWindows
Windows.
Definition: intro_types.h:1880
intObjCodeBlocks
Used for the code-blocks object.
Definition: serializers.c:556
DESCRIPTOR_SIZE_64
#define DESCRIPTOR_SIZE_64
Definition: processor.h:102
intObjEndOriginator
Used to notify the deserializer that the all the originator&#39;s objects has been parsed.
Definition: serializers.c:512
_SERIALIZER_STRING::Length
DWORD Length
The length of the string.
Definition: serializers.c:56
_SERIALIZER_HEADER::Size
WORD Size
The size (bytes) of the serializer buffer.
Definition: serializers.c:35
_SERIALIZER_WIN_VAD::EndPage
QWORD EndPage
Definition: serializers.c:203
exceptionZoneMsr
The modified object is a MSR.
Definition: exceptions.h:711
WARNING
#define WARNING(fmt,...)
Definition: glue.h:60
IntSerializeExport
static void IntSerializeExport(const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the modified exports.
Definition: serializers.c:2756
intObjLixProcessParent
Used for the Linux parent task object.
Definition: serializers.c:535
intObjLixVma
Used for the Linux VMA object.
Definition: serializers.c:546
_CODE_BLOCK_PATTERN::Value
BYTE Value
The CODE_INS value describing the instruction type.
Definition: codeblocks.h:71
_SERIALIZER_MSR::Msr
DWORD Msr
The written MSR.
Definition: serializers.c:106
END_MISC_SERIALZIER_VERSION
#define END_MISC_SERIALZIER_VERSION
intObjWriteInfo
Used for the write info object.
Definition: serializers.c:552
_SERIALIZER_DPI_WIN_HEAP_SPRAY::Mapped
DWORD Mapped
Definition: serializers.c:433
LIX_KM_VICTIM_SERIALIZER_VERSION
#define LIX_KM_VICTIM_SERIALIZER_VERSION
IntSerializeLixKernelModule
static void IntSerializeLixKernelModule(const KERNEL_DRIVER *Driver, DWORD ObjecType)
Serialize the provided KERNEL_DRIVER object.
Definition: serializers.c:1468
_SERIALIZER_WIN_KERNEL_DRIVER::TimeDateStamp
DWORD TimeDateStamp
The driver&#39;s internal timestamp (from the _IMAGE_FILE_HEADER).
Definition: serializers.c:232
PSERIALIZER_MSR
struct _SERIALIZER_MSR * PSERIALIZER_MSR
WIN_PROCESS_MODULE_SERIALIZER_VERSION
#define WIN_PROCESS_MODULE_SERIALIZER_VERSION
_SERIALIZER_RIP_CODE::Length
DWORD Length
The length of the code array.
Definition: serializers.c:382
EXEC_INFO_SERIALIZER_VERSION
#define EXEC_INFO_SERIALIZER_VERSION
IntSerializeArchRegs
static void IntSerializeArchRegs(void)
Serialize the guest registers.
Definition: serializers.c:2345
PAGE_SIZE
#define PAGE_SIZE
Definition: common.h:53
_SERIALIZER_CODE_BLOCKS::Rip
QWORD Rip
Definition: serializers.c:368
_SERIALIZER_EXEC_INFO::Length
DWORD Length
The length of the instruction.
Definition: serializers.c:358
SERIALIZER_LIX_KERNEL_MODULE
struct _SERIALIZER_LIX_KERNEL_MODULE SERIALIZER_LIX_KERNEL_MODULE
Describes a serialized intObjLixKernelModule object.
_EXCEPTION_VICTIM_ZONE
Describes the modified zone.
Definition: exceptions.h:847
IntSerializeDpiWinTokenPrivs
static void IntSerializeDpiWinTokenPrivs(const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the DPI token privs info (Windows).
Definition: serializers.c:2591
UNREFERENCED_PARAMETER
#define UNREFERENCED_PARAMETER(P)
Definition: introdefs.h:29
_SERIALIZER_EXCEPTION_UM_ORIGINATOR
Describes a serialized intObjUmOriginator object.
Definition: serializers.c:73
intObjEndVictim
Used to notify the deserializer that the all the victim&#39;s objects has been parsed.
Definition: serializers.c:516
cbLevelMedium
This includes instructions until codeInsFlags.
Definition: codeblocks.h:17
SERIALIZER_EXCEPTION_KM_ORIGINATOR
struct _SERIALIZER_EXCEPTION_KM_ORIGINATOR SERIALIZER_EXCEPTION_KM_ORIGINATOR
Describes a serialized intObjKmOriginator object.
_DPI_EXTRA_INFO::OldEnabled
QWORD OldEnabled
Definition: windpi.h:72
INT_STATUS_DATA_BUFFER_TOO_SMALL
#define INT_STATUS_DATA_BUFFER_TOO_SMALL
Definition: introstatus.h:194
SERIALIZER_DPI
struct _SERIALIZER_DPI SERIALIZER_DPI
Describes a serialized intObjDpi object.
LIX_VMA_SERIALIZER_VERSION
#define LIX_VMA_SERIALIZER_VERSION
_WINUM_CACHE_EXPORT::Rva
DWORD Rva
The RVA of this export.
Definition: winumcache.h:23
_KTRAP_FRAME32
Definition: wddefs.h:796
_SERIALIZER_EXCEPTION_VICTIM::ZoneType
ZONE_TYPE ZoneType
The zone-type of the victim object.
Definition: serializers.c:85
WCHAR
uint16_t WCHAR
Definition: intro_types.h:63
IntSerializerBase64Get
static char * IntSerializerBase64Get(DWORD *Length)
Converts the serialized buffer to base64.
Definition: serializers.c:619
introObjectTypeVeAgent
The Virtualization exception agent injected inside the guest.
Definition: intro_types.h:256
KERNEL_DRIVER_SERIALIZER_VERSION
#define KERNEL_DRIVER_SERIALIZER_VERSION
PSERIALIZER_INSTRUX
struct _SERIALIZER_INSTRUX * PSERIALIZER_INSTRUX
DWORD
uint32_t DWORD
Definition: intro_types.h:49
VICTIM_SERIALIZER_MSR_VERSION
#define VICTIM_SERIALIZER_MSR_VERSION
IntSerializeEpt
static void IntSerializeEpt(const EXCEPTION_VICTIM_EPT *Ept, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the provided EPT object.
Definition: serializers.c:938
INSTRUX_SERIALIZER_VERSION
#define INSTRUX_SERIALIZER_VERSION
_DPI_EXTRA_INFO::StackBase
QWORD StackBase
The known stack base present in TIB at the moment of process creation.
Definition: windpi.h:37
_SERIALIZER_ARCH_REGS::R15
QWORD R15
Definition: serializers.c:313
_SERIALIZER_WIN_PROCESS
Describes a serialized intObjWinProcess object.
Definition: serializers.c:168
IntSerializeDpiWinPivotedStack
static void IntSerializeDpiWinPivotedStack(const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the DPI pivoted stack info (Windows).
Definition: serializers.c:2416
intObjInjection
Used for the Injection object.
Definition: serializers.c:530
intObjArchRegs
Used for the registers object.
Definition: serializers.c:555
introObjectTypeUmModule
User-mode library.
Definition: intro_types.h:245
_DPI_EXTRA_INFO::HeapPages
struct _DPI_EXTRA_INFO::@202::@205 HeapPages[HEAP_SPRAY_NR_PAGES]
_SERIALIZER_IDT
Describes a serialized intObjIdt object.
Definition: serializers.c:131
_SERIALIZER_STRING::Encode
BYTE Encode
The encode type of the string (utf-8, utf-16).
Definition: serializers.c:57
SERIALIZER_KERNEL_DRIVER
struct _SERIALIZER_KERNEL_DRIVER SERIALIZER_KERNEL_DRIVER
Describes a serialized intObjKernelDriver object.
INTRO_ACTION
enum _INTRO_ACTION INTRO_ACTION
Event actions.
_SERIALIZER_LIX_KERNEL_MODULE::RoSize
DWORD RoSize
The size of the .rodata (read-only).
Definition: serializers.c:246
_DPI_EXTRA_INFO::DpiStolenTokenExtraInfo
struct _DPI_EXTRA_INFO::@201 DpiStolenTokenExtraInfo
_DPI_EXTRA_INFO::DpiTokenPrivsExtraInfo
struct _DPI_EXTRA_INFO::@203 DpiTokenPrivsExtraInfo
PSERIALIZER_STRING
struct _SERIALIZER_STRING * PSERIALIZER_STRING
_SERIALIZER_EXEC_INFO
Describes a serialized intObjExecInfo object.
Definition: serializers.c:353
PSERIALIZER_CODE_BLOCKS
struct _SERIALIZER_CODE_BLOCKS * PSERIALIZER_CODE_BLOCKS
gBase64Chars
const char gBase64Chars[]
Definition: serializers.c:589
_EXCEPTION_VICTIM_CR
Describes a CR victim.
Definition: exceptions.h:742
_SERIALIZER_ARCH_REGS::R8
QWORD R8
Definition: serializers.c:306
_SERIALIZER_ARCH_REGS::Rbp
QWORD Rbp
Definition: serializers.c:303
IG_EPT_HOOK_NONE
No access type. This can be used for swap hooks.
Definition: glueiface.h:297
_SERIALIZER_ARCH_REGS::GdtLimit
QWORD GdtLimit
Definition: serializers.c:325
_DPI_EXTRA_INFO::OldPresent
QWORD OldPresent
Definition: windpi.h:75
_SERIALIZER_WIN_PROCESS::Pid
DWORD Pid
Process ID (the one used by Windows).
Definition: serializers.c:175
introReasonAllowedFeedback
The action was allowed, but it has the BETA flag (Introcore is in log-only mode). ...
Definition: intro_types.h:185
codeInsCall
Call, of any kind.
Definition: codeblocks.h:29
_SERIALIZER_DPI::Flags
DWORD Flags
The DPI flags.
Definition: serializers.c:496
SERIALIZER_LIX_PROCESS
struct _SERIALIZER_LIX_PROCESS SERIALIZER_LIX_PROCESS
Describes a serialized intObjLixProcess object.
IntSerializeIdt
static void IntSerializeIdt(const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the provided IDT object.
Definition: serializers.c:1019
_SERIALIZER_EPT::Gva
QWORD Gva
The written/read/exec guest virtual address.
Definition: serializers.c:95
VICTIM_SERIALIZER_INJECTION_VERSION
#define VICTIM_SERIALIZER_INJECTION_VERSION
IntSerializeWinKmMisc
static void IntSerializeWinKmMisc(const EXCEPTION_KM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the misc information for windows kernel-mode alert.
Definition: serializers.c:3399
PSERIALIZER_EXCEPTION_UM_ORIGINATOR
struct _SERIALIZER_EXCEPTION_UM_ORIGINATOR * PSERIALIZER_EXCEPTION_UM_ORIGINATOR
IntSerializeKmException
static void IntSerializeKmException(const void *Originator, const void *Victim, INTRO_EVENT_TYPE EventClass)
Serialize the kernel-mode exception.
Definition: serializers.c:3491
IntVirtMemMap
__must_check INTSTATUS IntVirtMemMap(QWORD Gva, DWORD Length, QWORD Cr3, DWORD Flags, void **HostPtr)
Maps a guest virtual memory range inside Introcore virtual address space.
Definition: introcore.c:2134
intObjEpt
Used for the EPT object.
Definition: serializers.c:524
_SERIALIZER_ARCH_REGS::R11
QWORD R11
Definition: serializers.c:309
_SERIALIZER_DPI_WIN_HEAP_SPRAY::HeapValCount
DWORD HeapValCount
The number of heap values in the page. Since the max value can be 1024, 11 bits are needed...
Definition: serializers.c:437
intObjRawDump
Used for the injection raw dump object.
Definition: serializers.c:558
_WINUM_CACHE_EXPORT::NameLens
DWORD NameLens[MAX_OFFSETS_PER_NAME]
Length of each name pointing to this RVA.
Definition: winumcache.h:25
_GUEST_STATE::Mm
MM Mm
Guest memory information, such as paging mode, system Cr3 value, etc.
Definition: guests.h:370
_WIN_PROCESS_OBJECT::CreationInfo
struct _WIN_PROCESS_OBJECT::@227 CreationInfo
IntSerializeWinKmOriginator
void IntSerializeWinKmOriginator(const EXCEPTION_KM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the information about windows kernel-mode originator.
Definition: serializers.c:3126
SERIALIZER_DPI_PIVOTED_STACK
struct _SERIALIZER_DPI_PIVOTED_STACK SERIALIZER_DPI_PIVOTED_STACK
Describes a serialized intObjDpiPivotedStack.
INT_PC_VIOLATION_DPI_DEBUG_FLAG
The parent of a process tried to obtain debug privileges over the child.
Definition: intro_types.h:1522
IntSerializeLixUmOriginator
void IntSerializeLixUmOriginator(const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the information about Linux user-mode originator.
Definition: serializers.c:2835
IntSerializeKernelDrvObject
static void IntSerializeKernelDrvObject(const WIN_DRIVER_OBJECT *DrvObject)
Serialize the provided WIN_DRIVER_OBJECT object.
Definition: serializers.c:1510
_SERIALIZER_RIP_CODE::CsType
DWORD CsType
The type of the code segment. Can be one of the IG_CS_TYPE values.
Definition: serializers.c:381
IntSerializeCurrentOffset
static DWORD IntSerializeCurrentOffset(void)
Get the current offset (length) of the serialized buffer.
Definition: serializers.c:654
gGuest
GUEST_STATE gGuest
The current guest state.
Definition: guests.c:48
_SERIALIZER_ARCH_REGS::R12
QWORD R12
Definition: serializers.c:310
exceptionZoneProcess
The modified object is inside a process.
Definition: exceptions.h:714
_SERIALIZER_DPI_PIVOTED_STACK::Wow64CurrentStack
QWORD Wow64CurrentStack
The current stack of the parent process in WoW64 mode.
Definition: serializers.c:484
SERIALIZER_RAW_DUMP
struct _SERIALIZER_RAW_DUMP SERIALIZER_RAW_DUMP
Describes a serialized intObjRawDump object.
intObjDpiWinTokenPrivs
Used for the DPI token privs object.
Definition: serializers.c:564
LIX_VICTIM_SERIALIZER_VERSION
#define LIX_VICTIM_SERIALIZER_VERSION
IntVirtMemRead
INTSTATUS IntVirtMemRead(QWORD Gva, DWORD Length, QWORD Cr3, void *Buffer, DWORD *RetLength)
Reads data from a guest virtual memory range.
Definition: introcore.c:627
DPI_WIN_HEAP_SPRAY_SERIALIZER_VERSION
#define DPI_WIN_HEAP_SPRAY_SERIALIZER_VERSION
_SERIALIZER_KERNEL_DRIVER
Describes a serialized intObjKernelDriver object.
Definition: serializers.c:217
_SERIALIZER_WIN_PROCESS::Cr3
QWORD Cr3
Process PDBR. Includes PCID.
Definition: serializers.c:173
_WIN_PROCESS_MODULE
Definition: winummodule.h:30
_SERIALIZER_WIN_PROCESS::ParentEprocess
QWORD ParentEprocess
The EPROCESS of the parent process.
Definition: serializers.c:171
START_ORIGINATOR_SERIALZIER_VERSION
#define START_ORIGINATOR_SERIALZIER_VERSION
serializerExceptionTypeKmUm
Used for kernel-user mode exceptions.
Definition: serializers.c:23
_SERIALIZER_RAW_DUMP::Raw
BYTE Raw[0]
The raw dump of the injection.
Definition: serializers.c:393
IntSerializeUmOriginator
static void IntSerializeUmOriginator(const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the information about user-mode originator.
Definition: serializers.c:2857
intObjIntegrity
Used for the Integrity object.
Definition: serializers.c:529
_SERIALIZER_ARCH_REGS::Rcx
QWORD Rcx
Definition: serializers.c:299
SERIALIZER_EPT
struct _SERIALIZER_EPT SERIALIZER_EPT
Describes a serialized intObjEpt object.
introObjectTypeSsdt
SSDT (Windows only)
Definition: intro_types.h:232
SERIALIZER_EXEC_INFO
struct _SERIALIZER_EXEC_INFO SERIALIZER_EXEC_INFO
Describes a serialized intObjExecInfo object.
PSERIALIZER_LIX_KERNEL_MODULE
struct _SERIALIZER_LIX_KERNEL_MODULE * PSERIALIZER_LIX_KERNEL_MODULE
_SERIALIZER_LIX_PROCESS::Parent
QWORD Parent
The guest virtual address of the task_struct->parent.
Definition: serializers.c:156
_SERIALIZER_WRITE_INFO::OldValue
QWORD OldValue[8]
The written value. Only the first Size bytes are valid.
Definition: serializers.c:335
IntSerializeCurrentPtr
static void * IntSerializeCurrentPtr(DWORD Size)
Returns the current pointer to serializer buffer and checks for overflows.
Definition: serializers.c:760
IntSerializeIncrementCurrentId
static void IntSerializeIncrementCurrentId(void)
Increment the current serializer alert ID.
Definition: serializers.c:696
intObjKernelDriver
Used for the kernel driver object.
Definition: serializers.c:537
_SERIALIZER_ARCH_REGS::Cr2
QWORD Cr2
Definition: serializers.c:314
IntWinProcFindObjectByEprocess
PWIN_PROCESS_OBJECT IntWinProcFindObjectByEprocess(QWORD Eprocess)
Finds a process by the address of its _EPROCESS structure.
Definition: winprocesshp.c:23
IntSerializeDpiWinHeapSpray
static void IntSerializeDpiWinHeapSpray(const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the DPI heap spray info (Windows).
Definition: serializers.c:2511
END_VICTIM_SERIALZIER_VERSION
#define END_VICTIM_SERIALZIER_VERSION
INT_PC_VIOLATION_DPI_THREAD_START
The thread which created the process has started execution on some suspicious code.
Definition: intro_types.h:1537
introObjectTypeVsyscall
Virtual SYSCALL (user-mode, Linux-only)
Definition: intro_types.h:254
_LIX_VMA
Definition: lixmm.h:14
VICTIM_SERIALIZER_IDT_VERSION
#define VICTIM_SERIALIZER_IDT_VERSION
PSERIALIZER_EXEC_INFO
struct _SERIALIZER_EXEC_INFO * PSERIALIZER_EXEC_INFO
_EXCEPTION_VICTIM_DTR
Describes a DTR victim.
Definition: exceptions.h:754
CODE_BLOCK
struct _CODE_BLOCK CODE_BLOCK
_SERIALIZER_WIN_MODULE::VirtualBase
QWORD VirtualBase
Guest virtual address of the loaded module.
Definition: serializers.c:278
ZONE_READ
#define ZONE_READ
Used for read violation.
Definition: exceptions.h:699
intObjWinVad
Used for the windows VAD object.
Definition: serializers.c:545
DPI_WIN_STOLEN_TOKEN_SERIALIZER_VERSION
#define DPI_WIN_STOLEN_TOKEN_SERIALIZER_VERSION
_SERIALIZER_DPI_WIN_HEAP_SPRAY::HeapPages
struct _SERIALIZER_DPI_WIN_HEAP_SPRAY::@252 HeapPages[0xF]
DPI_WIN_PIVOTET_STACK_SERIALIZER_VERSION
#define DPI_WIN_PIVOTET_STACK_SERIALIZER_VERSION
_SERIALIZER_ARCH_REGS::R13
QWORD R13
Definition: serializers.c:311
IntWinUmCacheGetExportFromRange
WINUM_CACHE_EXPORT * IntWinUmCacheGetExportFromRange(WIN_PROCESS_MODULE *Module, QWORD Gva, DWORD Length)
Tries to find an export in the range [Gva - Length, Gva].
Definition: winumcache.c:225
PSERIALIZER_KERNEL_DRV_OBJECT
struct _SERIALIZER_KERNEL_DRV_OBJECT * PSERIALIZER_KERNEL_DRV_OBJECT
_SERIALIZER_DPI_WIN_STOLEN_TOKEN
Describes a serialized intObjDpiWinStolenToken.
Definition: serializers.c:420
_SERIALIZER_DPI_WIN_HEAP_SPRAY::DetectedPage
BYTE DetectedPage[0x1000]
The page which was detected through shemu as malicious.
Definition: serializers.c:446
DPI_WIN_TOKEN_PRIVS_SERIALIZER_VERSION
#define DPI_WIN_TOKEN_PRIVS_SERIALIZER_VERSION
PSERIALIZER_EXCEPTION_VICTIM
struct _SERIALIZER_EXCEPTION_VICTIM * PSERIALIZER_EXCEPTION_VICTIM
_SERIALIZER_EPT::Gpa
QWORD Gpa
The written/read/exec guest physical address.
Definition: serializers.c:96
intObjDpiWinDebug
Used for the DPI debug object.
Definition: serializers.c:561
intObjDpiWinStolenToken
Used for the DPI stolen token object.
Definition: serializers.c:563
_WINUM_CACHE_EXPORT::Names
PCHAR Names[MAX_OFFSETS_PER_NAME]
The names pointing to this RVA. Each name will point inside the Names structure inside WINUM_CACHE_EX...
Definition: winumcache.h:31
introObjectTypeVdso
Virtual dynamic shared object (user-mode, Linux-only)
Definition: intro_types.h:253
_SERIALIZER_OBJECT_HEADER::Size
WORD Size
The size of the serialized object.
Definition: serializers.c:47
_SERIALIZER_CR
Describes a serialized intObjCr object.
Definition: serializers.c:113
_SERIALIZER_INJECTION::Type
DWORD Type
The injection type.
Definition: serializers.c:144
_SERIALIZER_ARCH_REGS::Rdx
QWORD Rdx
Definition: serializers.c:300
PSERIALIZER_EPT
struct _SERIALIZER_EPT * PSERIALIZER_EPT
_WINUM_CACHE_EXPORT
Definition: winumcache.h:19
SERIALIZER_DPI_WIN_TOKEN_PRIVS
struct _SERIALIZER_DPI_WIN_TOKEN_PRIVS SERIALIZER_DPI_WIN_TOKEN_PRIVS
Describes a serialized intObjDpiWinTokenPrivs.
IntLixTaskFindByGva
LIX_TASK_OBJECT * IntLixTaskFindByGva(QWORD TaskStruct)
Finds Linux process with the provided "task_struct" guest virtual address.
Definition: lixprocess.c:1023
exceptionZoneCr
The modified object is a CR.
Definition: exceptions.h:712
IntSerializeDtr
static void IntSerializeDtr(const EXCEPTION_VICTIM_DTR *Dtr)
Serialize the provided DTR object.
Definition: serializers.c:1084
_SERIALIZER_LIX_PROCESS::Tgid
DWORD Tgid
The TGID.
Definition: serializers.c:160
_SERIALIZER_DPI_WIN_THREAD_START::StartPage
BYTE StartPage[0x1000]
The copied page from where the thread started executing.
Definition: serializers.c:458
exceptionTypeKmUm
Kernel-User mode exception.
Definition: exceptions.h:64
gVcpu
VCPU_STATE * gVcpu
The state of the current VCPU.
Definition: guests.c:57
VICTIM_SERIALIZER_EPT_VERSION
#define VICTIM_SERIALIZER_EPT_VERSION
_SERIALIZER_WIN_VAD::VadType
DWORD VadType
The type of the VAD.
Definition: serializers.c:207
INTRO_EVENT_TYPE
enum _INTRO_EVENT_TYPE INTRO_EVENT_TYPE
Event classes.
IG_CS_TYPE_64B
64-bit selector.
Definition: glueiface.h:188
_SERIALIZER_EXPORT::Delta
DWORD Delta
The offset inside the affected function at which the access was made.
Definition: serializers.c:403
_SERIALIZER_WIN_PROCESS::RealParentEprocess
QWORD RealParentEprocess
The active EPROCESS at the moment of creation.
Definition: serializers.c:172
_SERIALIZER_EXPORT::Count
DWORD Count
The number of the exports.
Definition: serializers.c:402
IntSerializeBlockToBase64
static void IntSerializeBlockToBase64(const BYTE *In, BYTE *Out, size_t Length)
Converts the provided binary buffer to base64.
Definition: serializers.c:598
_SERIALIZER_WIN_KERNEL_DRIVER
Describes a serialized intObjWinKernelDriver object.
Definition: serializers.c:230
WIN_VICTIM_SERIALIZER_VERSION
#define WIN_VICTIM_SERIALIZER_VERSION
ZONE_PROC_THREAD_CTX
#define ZONE_PROC_THREAD_CTX
Used for the CONTEXT structure of a thread.
Definition: exceptions.h:693
SERIALIZER_WIN_MODULE
struct _SERIALIZER_WIN_MODULE SERIALIZER_WIN_MODULE
Describes a serialized intObjWinModule object.
IntSerializeWriteInfo
static void IntSerializeWriteInfo(const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the write violation information.
Definition: serializers.c:1725
PSERIALIZER_DPI_WIN_TOKEN_PRIVS
struct _SERIALIZER_DPI_WIN_TOKEN_PRIVS * PSERIALIZER_DPI_WIN_TOKEN_PRIVS
SERIALIZER_WIN_VAD
struct _SERIALIZER_WIN_VAD SERIALIZER_WIN_VAD
Describes a serialized intObjWinVad object.
_SERIALIZER_ARCH_REGS::GdtBase
QWORD GdtBase
Definition: serializers.c:324
_SERIALIZER_DTR::Type
DWORD Type
The type of the modified DTR.
Definition: serializers.c:124
_SERIALIZER_DPI_PIVOTED_STACK::Wow64StackBase
QWORD Wow64StackBase
The known stack base of the parent process in WoW64 mode.
Definition: serializers.c:485
_KERNEL_DRIVER::EntryPoint
QWORD EntryPoint
The entry point of this driver.
Definition: drivers.h:45
_SERIALIZER_ARCH_REGS::Rax
QWORD Rax
Definition: serializers.c:298
SERIALIZER_STRING
struct _SERIALIZER_STRING SERIALIZER_STRING
Describes a serialized string.
codeInsMovMem
A mov involving memory (either as the destination or as the source).
Definition: codeblocks.h:35
IntSerializeHeader
static void IntSerializeHeader(SERIALIZER_EXCEPTION_TYPE SerializerType, INTRO_EVENT_TYPE EventClass)
Serialize the header of the serializer buffer.
Definition: serializers.c:3463
PSERIALIZER_LIX_VMA
struct _SERIALIZER_LIX_VMA * PSERIALIZER_LIX_VMA
_SERIALIZER_KERNEL_DRV_OBJECT::Gva
QWORD Gva
The guest virtual address of the guest _DRIVER_OBJECT represented by this structure.
Definition: serializers.c:265
UNREFERENCED_LOCAL_VARIABLE
#define UNREFERENCED_LOCAL_VARIABLE(V)
Definition: introdefs.h:30
_SERIALIZER_LIX_KERNEL_MODULE::InitLayout
struct _SERIALIZER_LIX_KERNEL_MODULE::@250 InitLayout
IG_EPT_HOOK_EXECUTE
Execute-access hook.
Definition: glueiface.h:300
IntSerializeDpiWinThreadStart
static void IntSerializeDpiWinThreadStart(const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the DPI start thread info (Windows).
Definition: serializers.c:2636
_SERIALIZER_CODE_BLOCKS::Count
DWORD Count
The number of available entries in the CodeBlocks array.
Definition: serializers.c:371
WIN_VAD_SERIALIZER_VERSION
#define WIN_VAD_SERIALIZER_VERSION
_DPI_EXTRA_INFO::StackLimit
QWORD StackLimit
Definition: windpi.h:38
CHAR
char CHAR
Definition: intro_types.h:56
SERIALIZER_HEADER
struct _SERIALIZER_HEADER SERIALIZER_HEADER
Describes the header of the serializer buffer.
intObjMsr
Used for the MSR object.
Definition: serializers.c:525
_DPI_EXTRA_INFO::ShellcodeFlags
QWORD ShellcodeFlags
Contains the flags on the first page which was detected through shemu.
Definition: windpi.h:67
_SERIALIZER_DPI_WIN_HEAP_SPRAY::Executable
DWORD Executable
True if the page is executable in the translation.
Definition: serializers.c:440
intObjRipCode
Used for the code object.
Definition: serializers.c:557
intObjExport
Used for the export object.
Definition: serializers.c:559
memCopyViolationRead
This represents a read done from another process.
Definition: intro_types.h:1296
IntSerializeInstruction
void IntSerializeInstruction(INSTRUX *Instruction, const QWORD Rip)
Serialize the provided INSTRUX object.
Definition: serializers.c:1686
PSERIALIZER_READ_INFO
struct _SERIALIZER_READ_INFO * PSERIALIZER_READ_INFO
_SERIALIZER_RIP_CODE::Code
BYTE Code[0]
The contents of the guest memory page that contains the RIP.
Definition: serializers.c:383
IG_CS_TYPE_INVALID
Invalid selector.
Definition: glueiface.h:185
_SERIALIZER_DPI_PIVOTED_STACK::CurrentStack
QWORD CurrentStack
The current stack of the parent process.
Definition: serializers.c:481
_SERIALIZER_LIX_PROCESS::Cr3
QWORD Cr3
The CR3.
Definition: serializers.c:158
IntSerializeUmVictim
static void IntSerializeUmVictim(const EXCEPTION_UM_ORIGINATOR *Originator, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the information about user-mode victim.
Definition: serializers.c:3096
IG_EPT_HOOK_WRITE
Write-access hook.
Definition: glueiface.h:299
_VAD
A representation of a Windows VAD structure.
Definition: winvad.h:80
_SERIALIZER_LIX_KERNEL_MODULE
Describes a serialized intObjLixKernelModule object.
Definition: serializers.c:239
SERIALIZER_DPI_WIN_DEBUG
struct _SERIALIZER_DPI_WIN_DEBUG SERIALIZER_DPI_WIN_DEBUG
Describes a serialized intObjDpiWinDebug.
PAGE_MASK
#define PAGE_MASK
Definition: pgtable.h:35
_SERIALIZER_DPI_WIN_TOKEN_PRIVS::NewEnabled
QWORD NewEnabled
The new Privileges.Enabled value in the parent&#39;s token, which was deemed malicious.
Definition: serializers.c:469
_KERNEL_DRIVER::ObjectGva
QWORD ObjectGva
The guest virtual address at which this object resides.
Definition: drivers.h:39
_SERIALIZER_EXCEPTION_TYPE
_SERIALIZER_EXCEPTION_TYPE
Describes the serialized exception type.
Definition: serializers.c:19
_SERIALIZER_ARCH_REGS::Rsi
QWORD Rsi
Definition: serializers.c:304
ZONE_WRITE
#define ZONE_WRITE
Used for write violation.
Definition: exceptions.h:698
PSERIALIZER_INJECTION
struct _SERIALIZER_INJECTION * PSERIALIZER_INJECTION
_SERIALIZER_ARCH_REGS::Dr7
QWORD Dr7
Definition: serializers.c:316
_SERIALIZER_DPI_WIN_HEAP_SPRAY::Reserved
DWORD Reserved
Reserved for further use.
Definition: serializers.c:441
_SERIALIZER_WIN_VAD::ExecCount
DWORD ExecCount
The number of execution violations triggered by pages inside this VAD.
Definition: serializers.c:209
_SERIALIZER_OBJECT_HEADER::Type
WORD Type
The type of the sterilized object.
Definition: serializers.c:46
_SERIALIZER_RAW_DUMP::Length
DWORD Length
The length of the Raw field.
Definition: serializers.c:392
intObjWinModule
Used for the windows module object.
Definition: serializers.c:548
_SERIALIZER_WIN_VAD::VadProtection
DWORD VadProtection
The protection as represented inside the Windows kernel.
Definition: serializers.c:206
_SERIALIZER_LIX_PROCESS::Pid
DWORD Pid
The PID.
Definition: serializers.c:159
IntSerializeInjection
static void IntSerializeInjection(const EXCEPTION_VICTIM_INJECTION *Injection, const EXCEPTION_VICTIM_ZONE *Victim)
Serialize the provided Injection object.
Definition: serializers.c:1116
_SERIALIZER_DPI_WIN_HEAP_SPRAY::Offset
DWORD Offset
The offset where the detection on the given page was given, if Detection is equal to 1...
Definition: serializers.c:439
intObjKernelDriverReturn
Used for the return kernel driver object.
Definition: serializers.c:538
SERIALIZER_CODE_BLOCKS
struct _SERIALIZER_CODE_BLOCKS SERIALIZER_CODE_BLOCKS
Describes a serialized intObjCodeBlocks object.
IntLixFileGetPath
INTSTATUS IntLixFileGetPath(QWORD FileStructGva, char **Path, DWORD *Length)
Gets the path that corresponds to the provided FileStructGva (guest virtual address of the &#39;struct fi...
Definition: lixfiles.c:352
_SERIALIZER_EXCEPTION_VICTIM::Type
INTRO_OBJECT_TYPE Type
The type of the victim object.
Definition: serializers.c:84
_SERIALIZER_READ_INFO
Describes a serialized intObjExecInfo object.
Definition: serializers.c:343
introObjectTypeIdt
IDT.
Definition: intro_types.h:236
intObjDpiWinThreadStart
Used for the DPI thread start object.
Definition: serializers.c:565
FALSE
#define FALSE
Definition: intro_types.h:34
_WIN_PROCESS_OBJECT
This structure describes a running process inside the guest.
Definition: winprocess.h:81
IntSerializeVad
static void IntSerializeVad(const void *Vad)
Serialize the provided VAD/vma object.
Definition: serializers.c:1407
WIN_PROCESS_SERIALIZER_VERSION
#define WIN_PROCESS_SERIALIZER_VERSION
intObjInstrux
Used for the instruction object.
Definition: serializers.c:551
_SERIALIZER_LIX_PROCESS::MmGva
QWORD MmGva
The guest virtual address of the task_struct->mm.
Definition: serializers.c:157