Bitdefender Hypervisor Memory Introspection

#include "winbugcheck.h"
#include "alerts.h"
#include "decoder.h"
#include "guests.h"
#include "memcloak.h"
#include "winprocesshp.h"
Macros
| #define | BUGCHECK_NAME(x) case(x): return &(#x[9]) |
| #define | MODULE_NAMES_TO_PRINT 64 |
| #define | TRACE_LIMIT_X64 0x2000 |
| #define | TRACE_LIMIT_X86 0x2000 |
Functions

| static char const * | IntGetBugCheckName (QWORD Reason) | Returns a name for a bug check code. |
| static char const * | IntGetBugCheckLink (QWORD Reason) | Returns the bug check documentation page link for a bug check reason. |
| static void | IntLogBSODParams (QWORD Reason, QWORD Param1, QWORD Param2, QWORD Param3, QWORD Param4) | Logs the bug check parameters. |
| static void | IntLogCurrentIP (QWORD Rip, CHAR const *Message) | Logs information about the RIP at which the crash was triggered. |
| static void | IntLogGuestRegisters (void) | Logs the guest register state. |
| static void | IntLogProcessInfo (void) | Logs information about the current process. |
| static void | IntWinLogVAInfo (QWORD Va) | Logs information about a guest virtual address translation. |
| static void | IntWinDumpEflags (DWORD Eflags) | Logs the EFLAGS contents. |
| static void | IntLogStackTrace (QWORD Address, CHAR const *Message) | Attempts to log a guest stack trace. |
| static void | IntLogTrapFrame (QWORD TrapFrame) | Logs information about a trap frame. |
| static void | IntLogContextRecord (QWORD ContextRecord) | Logs information about a context record. |
| static void | IntLogExceptionRecord (QWORD ExceptionRecord) | Logs information about an exception record. |
| static void | IntLogCriticalProcessHasDied (QWORD Param1, QWORD Param2) | Handles a BUGCHECK_CRITICAL_PROCESS_DIED bug check. |
| static void | IntLogCriticalStructureCoruption (QWORD Param3, QWORD Param4) | Handles a BUGCHECK_CRITICAL_STRUCTURE_CORRUPTION bug check. |
| static void | IntWinBcLogBsodEvent (QWORD Reason, QWORD Param1, QWORD Param2, QWORD Param3, QWORD Param4) | Logs a bug check event and related information about the crash and the kernel. |
| static INTSTATUS | IntWinBcSendBsodEvent (QWORD Reason, QWORD Param1, QWORD Param2, QWORD Param3, QWORD Param4) | Sends an introEventCrashEvent event. |
| INTSTATUS | IntWinBcHandleBugCheck (void const *Detour) | Handles a Windows OS crash. This is the detour handler for the KeBugCheck2 32-bit Windows kernel API and the KeBugCheckEx 64-bit Windows kernel API. It logs as much information as possible and notifies the integrator about the event. |
#define BUGCHECK_NAME(x) case(x): return &(#x[9])
Referenced by IntGetBugCheckName().
| #define MODULE_NAMES_TO_PRINT 64 |
Referenced by IntLogStackTrace().
| #define TRACE_LIMIT_X64 0x2000 |
Referenced by IntLogStackTrace().
| #define TRACE_LIMIT_X86 0x2000 |
Referenced by IntLogStackTrace().
static char const * IntGetBugCheckLink (QWORD Reason)
Returns the bug check documentation page link for a bug check reason.
| [in] | Reason | The bug check reason, as obtained from the guest. This is one of the reasons documented by Microsoft: https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-code-reference2 |
Definition at line 55 of file winbugcheck.c.
Referenced by IntLogBSODParams().
static char const * IntGetBugCheckName (QWORD Reason)
Returns a name for a bug check code.
| [in] | Reason | The bug check reason, as obtained from the guest. This is one of the reasons documented by Microsoft: https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-code-reference2 |
The returned pointer skips the "BUGCHECK_" prefix of the define name (see BUGCHECK_NAME), so only the descriptive part is printed.
Definition at line 13 of file winbugcheck.c.
Referenced by IntLogBSODParams().
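As an added illustration (not code from the HVMI project), the stringize-and-offset trick behind BUGCHECK_NAME, reconstructed with two real Microsoft bug check codes; the BUGCHECK_* define names, DemoGetBugCheckName and DemoFormatBugCheck are assumed names, not the project's:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint64_t QWORD;

/* Bug check codes as documented in Microsoft's bug check reference
   (0x109 is the code the page names for critical structure corruption).
   The BUGCHECK_* define names are assumed to mirror the project's. */
#define BUGCHECK_CRITICAL_PROCESS_DIED          0xEF
#define BUGCHECK_CRITICAL_STRUCTURE_CORRUPTION  0x109

/* Same trick as the page's BUGCHECK_NAME macro: `#x` stringizes the
   identifier as spelled (no macro expansion before #), `[9]` indexes
   past "BUGCHECK_", and `&` turns that back into a pointer into the
   string literal, which has static storage and is safe to return. */
#define BUGCHECK_NAME(x) case (x): return &(#x[9])

/* The 9 is only correct while the prefix stays 9 characters long;
   tie the two together so a renamed prefix fails to compile. */
_Static_assert(sizeof("BUGCHECK_") - 1 == 9,
               "BUGCHECK_NAME offset must match the prefix length");

/* Demo counterpart of IntGetBugCheckName (assumed name, not the project's). */
static const char *DemoGetBugCheckName(QWORD Reason)
{
    switch (Reason)
    {
        BUGCHECK_NAME(BUGCHECK_CRITICAL_PROCESS_DIED);
        BUGCHECK_NAME(BUGCHECK_CRITICAL_STRUCTURE_CORRUPTION);
        default:
            return "UNKNOWN";
    }
}

/* A log line in the spirit of IntLogBSODParams: the raw code is kept
   next to the name so nothing is lost for a reason the table lacks. */
static int DemoFormatBugCheck(char *Out, size_t OutSize, QWORD Reason)
{
    return snprintf(Out, OutSize, "Bug check 0x%llx (%s)",
                    (unsigned long long)Reason, DemoGetBugCheckName(Reason));
}
```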
static void IntLogBSODParams (QWORD Reason, QWORD Param1, QWORD Param2, QWORD Param3, QWORD Param4)
Logs the bug check parameters.
| [in] | Reason | The bug check reason, as obtained from the guest. This is one of the reasons documented by Microsoft: https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-code-reference2 |
| [in] | Param1 | First parameter, as obtained from the guest. It has different meanings based on the Reason. |
| [in] | Param2 | Second parameter, as obtained from the guest. It has different meanings based on the Reason. |
| [in] | Param3 | Third parameter, as obtained from the guest. It has different meanings based on the Reason. |
| [in] | Param4 | Fourth parameter, as obtained from the guest. It has different meanings based on the Reason. |
Definition at line 109 of file winbugcheck.c.
Referenced by IntWinBcLogBsodEvent().
static void IntLogContextRecord (QWORD ContextRecord)
Logs information about a context record.
| [in] | ContextRecord | Guest virtual address from which the context record will be read |
Definition at line 526 of file winbugcheck.c.
Referenced by IntWinBcLogBsodEvent().
static void IntLogCriticalProcessHasDied (QWORD Param1, QWORD Param2)
Handles a BUGCHECK_CRITICAL_PROCESS_DIED bug check.
| [in] | Param1 | First parameter, as obtained from the guest. This is the process object. |
| [in] | Param2 | Second parameter, as obtained from the guest. If 0, a process died; if 1, a thread died. |
Definition at line 664 of file winbugcheck.c.
Referenced by IntWinBcLogBsodEvent().
static void IntLogCriticalStructureCoruption (QWORD Param3, QWORD Param4)
Handles a BUGCHECK_CRITICAL_STRUCTURE_CORRUPTION bug check.
This is usually generated by PatchGuard. The different types of corrupted regions are documented here: https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0x109---critical-structure-corruption
| [in] | Param3 | Third parameter, as obtained from the guest. It has different meanings based on the Reason |
| [in] | Param4 | Fourth parameter, as obtained from the guest. It has different meanings based on the Reason. This is the type of the region that was corrupted. |
Definition at line 701 of file winbugcheck.c.
Referenced by IntWinBcLogBsodEvent().
static void IntLogCurrentIP (QWORD Rip, CHAR const *Message)
Logs information about the RIP at which the crash was triggered.
This will log the instruction at RIP, and, if possible, the name of the module in which RIP resided and the offset relative to the module base at which the crash was triggered.
| [in] | Rip | The RIP to be logged. |
| [in] | Message | Optional message to be displayed. |
Definition at line 142 of file winbugcheck.c.
Referenced by IntLogContextRecord(), IntLogTrapFrame(), and IntWinBcLogBsodEvent().
static void IntLogExceptionRecord (QWORD ExceptionRecord)
Logs information about an exception record.
| [in] | ExceptionRecord | Guest virtual address from which the exception record will be read |
Definition at line 599 of file winbugcheck.c.
Referenced by IntWinBcLogBsodEvent().
static void IntLogGuestRegisters (void)
Logs the guest register state.
This will dump the general purpose registers, control registers, EFLAGS, debug registers, segment registers, and the base and limit of the IDT and GDT for all the guest's CPUs.
Definition at line 186 of file winbugcheck.c.
Referenced by IntWinBcLogBsodEvent().
static void IntLogProcessInfo (void)
Logs information about the current process.
Definition at line 266 of file winbugcheck.c.
Referenced by IntWinBcLogBsodEvent().
static void IntLogStackTrace (QWORD Address, CHAR const *Message)
Attempts to log a guest stack trace.
| [in] | Address | Guest virtual address from which to obtain a trace. If 0, will use the value of the guest RSP on the current CPU |
| [in] | Message | Optional NULL-terminated string with a message to be displayed. |
Definition at line 370 of file winbugcheck.c.
Referenced by IntLogTrapFrame(), and IntWinBcLogBsodEvent().
static void IntLogTrapFrame (QWORD TrapFrame)
Logs information about a trap frame.
| [in] | TrapFrame | Guest virtual address from which the trap frame will be read |
Definition at line 453 of file winbugcheck.c.
Referenced by IntWinBcLogBsodEvent().
static void IntWinBcLogBsodEvent (QWORD Reason, QWORD Param1, QWORD Param2, QWORD Param3, QWORD Param4)
Logs a bug check event and related information about the crash and the kernel.
| [in] | Reason | The bug check reason, as obtained from the guest. This is one of the reasons documented by Microsoft: https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-code-reference2 |
| [in] | Param1 | First parameter, as obtained from the guest. It has different meanings based on the Reason |
| [in] | Param2 | Second parameter, as obtained from the guest. It has different meanings based on the Reason |
| [in] | Param3 | Third parameter, as obtained from the guest. It has different meanings based on the Reason |
| [in] | Param4 | Fourth parameter, as obtained from the guest. It has different meanings based on the Reason; for BUGCHECK_CRITICAL_STRUCTURE_CORRUPTION it is the type of the region that was corrupted. |
Definition at line 797 of file winbugcheck.c.
Referenced by IntWinBcHandleBugCheck().
static INTSTATUS IntWinBcSendBsodEvent (QWORD Reason, QWORD Param1, QWORD Param2, QWORD Param3, QWORD Param4)
Sends an introEventCrashEvent event.
If the INTRO_OPT_EVENT_OS_CRASH option is not enabled, this function does nothing.
| [in] | Reason | The bug check reason, as obtained from the guest. This is one of the reasons documented by Microsoft: https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-code-reference2 |
| [in] | Param1 | First parameter, as obtained from the guest. It has different meanings based on the Reason. |
| [in] | Param2 | Second parameter, as obtained from the guest. It has different meanings based on the Reason. |
| [in] | Param3 | Third parameter, as obtained from the guest. It has different meanings based on the Reason. |
| [in] | Param4 | Fourth parameter, as obtained from the guest. It has different meanings based on the Reason; for BUGCHECK_CRITICAL_STRUCTURE_CORRUPTION it is the type of the region that was corrupted. |
Definition at line 877 of file winbugcheck.c.
Referenced by IntWinBcHandleBugCheck().
static void IntWinDumpEflags (DWORD Eflags)
Logs the EFLAGS contents.
| [in] | Eflags | Raw guest EFLAGS value |
Definition at line 344 of file winbugcheck.c.
Referenced by IntLogContextRecord(), and IntLogTrapFrame().
static void IntWinLogVAInfo (QWORD Va)
Logs information about a guest virtual address translation.
| [in] | Va | Guest virtual address to log |
Definition at line 313 of file winbugcheck.c.
Referenced by IntWinBcLogBsodEvent().