Bitdefender Hypervisor Memory Introspection
winbugcheck.c
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2020 Bitdefender
3  * SPDX-License-Identifier: Apache-2.0
4  */
5 #include "winbugcheck.h"
6 #include "alerts.h"
7 #include "decoder.h"
8 #include "guests.h"
9 #include "memcloak.h"
10 #include "winprocesshp.h"
11 
12 static char const *
13 IntGetBugCheckName(
14  _In_ QWORD Reason
15  )
25 {
27 #define BUGCHECK_NAME(x) case(x): return &(#x[9])
28 
29  switch (Reason)
30  {
31  BUGCHECK_NAME(BUGCHECK_IRQL_NOT_LESS_OR_EQUAL);
32  BUGCHECK_NAME(BUGCHECK_BAD_POOL_HEADER);
33  BUGCHECK_NAME(BUGCHECK_MEMORY_MANAGEMENT);
34  BUGCHECK_NAME(BUGCHECK_KMODE_EXCEPTION_NOT_HANDLED);
35  BUGCHECK_NAME(BUGCHECK_SYSTEM_SERVICE_EXCEPTION);
36  BUGCHECK_NAME(BUGCHECK_PFN_LIST_CORRUPT);
37  BUGCHECK_NAME(BUGCHECK_PAGE_FAULT_IN_NONPAGED_AREA);
38  BUGCHECK_NAME(BUGCHECK_PROCESS_INITIALIZATION_FAILED);
39  BUGCHECK_NAME(BUGCHECK_KERNEL_STACK_INPAGE_ERROR);
40  BUGCHECK_NAME(BUGCHECK_KERNEL_DATA_INPAGE_ERROR);
41  BUGCHECK_NAME(BUGCHECK_INACCESSIBLE_BOOT_DEVICE);
42  BUGCHECK_NAME(BUGCHECK_SYSTEM_THREAD_EXCEPTION_NOT_HANDLED);
43  BUGCHECK_NAME(BUGCHECK_UNEXPECTED_KERNEL_MODE_TRAP);
44  BUGCHECK_NAME(BUGCHECK_KERNEL_MODE_EXCEPTION_NOT_HANDLED);
45  BUGCHECK_NAME(BUGCHECK_CRITICAL_PROCESS_DIED);
46  BUGCHECK_NAME(BUGCHEDCK_CRITICAL_STRUCTURE_CORRUPTION);
47  default:
48  return "Unknown";
49  }
50 
51 #undef BUGCHECK_NAME
52 }
53 
54 static char const *
55 IntGetBugCheckLink(
56  _In_ QWORD Reason
57  )
67 {
68  switch (Reason)
69  {
70  case BUGCHECK_IRQL_NOT_LESS_OR_EQUAL:
71  return "https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0xa--irql-not-less-or-equal";
72  case BUGCHECK_BAD_POOL_HEADER:
73  return "https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0x19--bad-pool-header";
74  case BUGCHECK_MEMORY_MANAGEMENT:
75  return "https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0x1a--memory-management";
76  case BUGCHECK_KMODE_EXCEPTION_NOT_HANDLED:
77  return "https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0x1e--kmode-exception-not-handled";
78  case BUGCHECK_SYSTEM_SERVICE_EXCEPTION:
79  return "https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0x3b--system-service-exception";
80  case BUGCHECK_PFN_LIST_CORRUPT:
81  return "https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0x4e--pfn-list-corrupt";
82  case BUGCHECK_PAGE_FAULT_IN_NONPAGED_AREA:
83  return "https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0x50--page-fault-in-nonpaged-area";
84  case BUGCHECK_PROCESS_INITIALIZATION_FAILED:
85  return "https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0x60--process-initialization-failed";
86  case BUGCHECK_KERNEL_STACK_INPAGE_ERROR:
87  return "https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0x77--kernel-stack-inpage-error";
88  case BUGCHECK_KERNEL_DATA_INPAGE_ERROR:
89  return "https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0x7a--kernel-data-inpage-error";
90  case BUGCHECK_INACCESSIBLE_BOOT_DEVICE:
91  return "https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0x7b--inaccessible-boot-device";
92  case BUGCHECK_SYSTEM_THREAD_EXCEPTION_NOT_HANDLED:
93  return "https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0x7e--system-thread-exception-not-handled";
94  case BUGCHECK_UNEXPECTED_KERNEL_MODE_TRAP:
95  return "https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0x7f--unexpected-kernel-mode-trap";
96  case BUGCHECK_KERNEL_MODE_EXCEPTION_NOT_HANDLED:
97  return "https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0x8e--kernel-mode-exception-not-handled";
98  case BUGCHECK_CRITICAL_PROCESS_DIED:
99  return "https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0xef--critical-process-died";
100  case BUGCHEDCK_CRITICAL_STRUCTURE_CORRUPTION:
101  return "https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0x109---critical-structure-corruption";
102  default:
103  return "https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-code-reference2";
104  }
105 }
106 
107 
108 __forceinline static void
109 IntLogBSODParams(
110  _In_ QWORD Reason,
111  _In_ QWORD Param1,
112  _In_ QWORD Param2,
113  _In_ QWORD Param3,
114  _In_ QWORD Param4
115  )
127 {
128  CHAR const *name = IntGetBugCheckName(Reason);
129  CHAR const *link = IntGetBugCheckLink(Reason);
130 
131  NLOG("Bugcheck 0x%llx - %s\n"
132  "Parameter 1: 0x%016llx\n"
133  "Parameter 2: 0x%016llx\n"
134  "Parameter 3: 0x%016llx\n"
135  "Parameter 4: 0x%016llx\n"
136  "See the online documentation at %s for details\n",
137  Reason, name, Param1, Param2, Param3, Param4, link);
138 }
139 
140 
141 static void
142 IntLogCurrentIP(
143  _In_ QWORD Rip,
144  _In_opt_ CHAR const *Message
145  )
155 {
156  INTSTATUS status;
157  INSTRUX instrux;
158  KERNEL_DRIVER const *pDriver;
159 
160  status = IntDecDecodeInstruction(gGuest.Guest64 ? IG_CS_TYPE_64B : IG_CS_TYPE_32B, Rip, &instrux);
161  if (!INT_SUCCESS(status))
162  {
163  ERROR("[ERROR] IntDecDecodeInstruction failed for instruction at 0x%016llx: 0x%08x\n", Rip, status);
164  return;
165  }
166 
167  pDriver = IntDriverFindByAddress(Rip);
168  if (NULL == pDriver)
169  {
170  ERROR("[ERROR] IntDriverFindByAddress failed : 0x%018llx", Rip);
171  return;
172  }
173 
174  if (Message)
175  {
176  NLOG("\n%s:\n", Message);
177  }
178 
179  NLOG("%s+0x%llx\n0x%016llx\n", utf16_for_log(pDriver->Name), Rip - pDriver->BaseVa, Rip);
180 
181  IntDumpInstruction(&instrux, Rip);
182 }
183 
184 
185 static void
186 IntLogGuestRegisters(
187  void
188  )
195 {
196  IG_ARCH_REGS const *pRegs = &gVcpu->Regs;
197  IG_SEG_REGS segs = {0};
198 
199  NLOG("\nGuest registers on the CPU that caused the bugcheck (%d):\n", gVcpu->Index);
200 
201  IntDumpArchRegs(pRegs);
202 
203  LOG("CR0 = 0x%016llx CR2 = 0x%016llx CR3 = 0x%016llx CR4 = 0x%016llx CR8 = 0x%016llx\n",
204  pRegs->Cr0, pRegs->Cr2, pRegs->Cr3, pRegs->Cr4, pRegs->Cr8);
205  LOG("FLG = 0x%016llx DR7 = 0x%016llx\n", pRegs->Flags, pRegs->Dr7);
206 
207  LOG("IDT Base = 0x%016llx Limit = 0x%016llx\n", pRegs->IdtBase, pRegs->IdtLimit);
208  LOG("GDT Base = 0x%016llx Limit = 0x%016llx\n", pRegs->GdtBase, pRegs->GdtLimit);
209 
210  IntGetSegs(gVcpu->Index, &segs);
211  LOG("CS = 0x%02llx Base = 0x%016llx Limit = 0x%016llx Ar = 0x%08llx\n",
212  segs.CsSelector, segs.CsBase, segs.CsLimit, segs.CsAr);
213  LOG("SS = 0x%02llx Base = 0x%016llx Limit = 0x%016llx Ar = 0x%08llx\n",
214  segs.SsSelector, segs.SsBase, segs.SsLimit, segs.SsAr);
215  LOG("DS = 0x%02llx Base = 0x%016llx Limit = 0x%016llx Ar = 0x%08llx\n",
216  segs.DsSelector, segs.DsBase, segs.DsLimit, segs.DsAr);
217  LOG("ES = 0x%02llx Base = 0x%016llx Limit = 0x%016llx Ar = 0x%08llx\n",
218  segs.EsSelector, segs.EsBase, segs.EsLimit, segs.EsAr);
219  LOG("FS = 0x%02llx Base = 0x%016llx Limit = 0x%016llx Ar = 0x%08llx\n",
220  segs.FsSelector, segs.FsBase, segs.FsLimit, segs.FsAr);
221  LOG("GS = 0x%02llx Base = 0x%016llx Limit = 0x%016llx Ar = 0x%08llx\n",
222  segs.GsSelector, segs.GsBase, segs.GsLimit, segs.GsAr);
223 
224  for (DWORD i = 0; i < gGuest.CpuCount; i++)
225  {
226  VCPU_STATE const *v = &gGuest.VcpuArray[i];
227  IG_ARCH_REGS regs = {0};
228 
229  if (v->Index == gVcpu->Index)
230  {
231  continue;
232  }
233 
234  IntGetGprs(v->Index, &regs);
235  pRegs = &regs;
236 
237  NLOG("\nGuest registers on the CPU %d:\n", v->Index);
238 
239  IntDumpArchRegs(pRegs);
240 
241  LOG("CR0 = 0x%016llx CR2 = 0x%016llx CR3 = 0x%016llx CR4 = 0x%016llx CR8 = 0x%016llx\n",
242  pRegs->Cr0, pRegs->Cr2, pRegs->Cr3, pRegs->Cr4, pRegs->Cr8);
243  LOG("FLG = 0x%016llx DR7 = 0x%016llx\n", pRegs->Flags, pRegs->Dr7);
244 
245  LOG("IDT Base = 0x%016llx Limit = 0x%016llx\n", pRegs->IdtBase, pRegs->IdtLimit);
246  LOG("GDT Base = 0x%016llx Limit = 0x%016llx\n", pRegs->GdtBase, pRegs->GdtLimit);
247 
248  IntGetSegs(v->Index, &segs);
249  LOG("CS = 0x%02llx Base = 0x%016llx Limit = 0x%016llx Ar = 0x%08llx\n",
250  segs.CsSelector, segs.CsBase, segs.CsLimit, segs.CsAr);
251  LOG("SS = 0x%02llx Base = 0x%016llx Limit = 0x%016llx Ar = 0x%08llx\n",
252  segs.SsSelector, segs.SsBase, segs.SsLimit, segs.SsAr);
253  LOG("DS = 0x%02llx Base = 0x%016llx Limit = 0x%016llx Ar = 0x%08llx\n",
254  segs.DsSelector, segs.DsBase, segs.DsLimit, segs.DsAr);
255  LOG("ES = 0x%02llx Base = 0x%016llx Limit = 0x%016llx Ar = 0x%08llx\n",
256  segs.EsSelector, segs.EsBase, segs.EsLimit, segs.EsAr);
257  LOG("FS = 0x%02llx Base = 0x%016llx Limit = 0x%016llx Ar = 0x%08llx\n",
258  segs.FsSelector, segs.FsBase, segs.FsLimit, segs.FsAr);
259  LOG("GS = 0x%02llx Base = 0x%016llx Limit = 0x%016llx Ar = 0x%08llx\n",
260  segs.GsSelector, segs.GsBase, segs.GsLimit, segs.GsAr);
261  }
262 }
263 
264 
265 static void
266 IntLogProcessInfo(
267  void
268  )
272 {
273  IG_ARCH_REGS const *regs = &gVcpu->Regs;
274  WIN_PROCESS_OBJECT const *process = IntWinProcFindObjectByCr3(regs->Cr3);
275 
276  if (NULL != process)
277  {
278  NLOG("\nPROCESS INFORMATION\n"
279  "Process name: %s\n"
280  "Process path: %s\n"
281  "Eprocess: 0x%016llx\n"
282  "Parent: 0x%016llx\n"
283  "Real parent: 0x%016llx\n"
284  "Creation time: 0x%016llx\n"
285  "Cr3/User Cr3: 0x%016llx/0x%016llx\n"
286  "Pid: %d\n"
287  "Token: 0x%016llx\n",
288  process->Name,
289  process->Path ? utf16_for_log(process->Path->Path) : "<invalid>",
290  process->EprocessAddress,
291  process->ParentEprocess,
292  process->RealParentEprocess,
293  process->CreationTime,
294  process->Cr3, process->UserCr3,
295  process->Pid,
296  process->OriginalTokenPtr);
297 
298  if (gGuest.Guest64)
299  {
300  NLOG("PEB32 address: 0x%016llx\nPEB64 address: 0x%016llx\n", process->Peb32Address, process->Peb64Address);
301  }
302  else
303  {
304  NLOG("PEB32 address: 0x%016llx\n", process->Peb32Address);
305  }
306 
307  NLOG("Flags: 0x%08x Exit Status: 0x%08x\n", process->Flags, process->ExitStatus);
308  }
309 }
310 
311 
312 static void
313 IntWinLogVAInfo(
314  _In_ QWORD Va
315  )
321 {
322  INTSTATUS status;
323  VA_TRANSLATION vaTrans = {0};
324  IG_ARCH_REGS const *registers = &gVcpu->Regs;
325 
326  status = IntTranslateVirtualAddressEx(Va, registers->Cr3, TRFLG_NONE, &vaTrans);
327  if (!INT_SUCCESS(status))
328  {
329  return;
330  }
331 
332  NLOG("\nVA TRANSLATION\n");
333  NLOG("Virtual Address: 0x%016llx\nPhysical Address: 0x%016llx\nEntries mappings:\n",
334  vaTrans.VirtualAddress, vaTrans.PhysicalAddress);
335 
336  for (DWORD index = 0; index < vaTrans.MappingsCount; index++)
337  {
338  NLOG(" EntryMapping[%d]: 0x%016llx\n", index, vaTrans.MappingsEntries[index]);
339  }
340 }
341 
342 
343 static void
344 IntWinDumpEflags(
345  _In_ DWORD Eflags
346  )
352 {
353  EFLAGS efl;
354 
355  efl.Raw = Eflags;
356  NLOG("%s %s %s %s %s %s %s %s %s\n",
357  (efl.IOPL ? "iopl=1 " : "iopl=0 "),
358  (efl.OF ? "ov" : "nv"),
359  (efl.DF ? "dn" : "up"),
360  (efl.IF ? "ei" : "di"),
361  (efl.SF ? "ng" : "pl"),
362  (efl.ZF ? "zr" : "nr"),
363  (efl.AF ? "ac" : "na"),
364  (efl.PF ? "pe" : "po"),
365  (efl.CF ? "cy" : "nc"));
366 }
367 
368 
369 static void
370 IntLogStackTrace(
371  _In_ QWORD Address,
372  _In_opt_ CHAR const *Message
373  )
381 {
382 #define MODULE_NAMES_TO_PRINT 64
383 #define TRACE_LIMIT_X64 0x2000
384 #define TRACE_LIMIT_X86 0x2000
385  INTSTATUS status;
386  PIG_ARCH_REGS pRegs;
387  QWORD rsp;
388  QWORD rspValue = 0;
389  QWORD limit;
390  QWORD writtenModules = 0;
391 
392  if (Message)
393  {
394  NLOG("\n%s\n", Message);
395  }
396 
397  pRegs = &gVcpu->Regs;
398 
399  if (Address)
400  {
401  rsp = Address;
402  }
403  else
404  {
405  rsp = pRegs->Rsp;
406  }
407 
408  limit = gGuest.Guest64 ? TRACE_LIMIT_X64 : TRACE_LIMIT_X86;
409 
410  for (size_t i = 1; i < limit; i++)
411  {
412  if (gGuest.Guest64)
413  {
414  status = IntKernVirtMemFetchQword(rsp + 8 * i, &rspValue);
415  }
416  else
417  {
418  status = IntKernVirtMemFetchDword(rsp + 4 * i, (DWORD *)&rspValue);
419  }
420 
421  if (!INT_SUCCESS(status))
422  {
423  break;
424  }
425 
426  KERNEL_DRIVER *pDriver = IntDriverFindByAddress(rspValue);
427  if (pDriver)
428  {
429  if (gGuest.Guest64)
430  {
431  NLOG("0x%016llx %s+0x%llx\n", rsp + 8ull * i, utf16_for_log(pDriver->Name), rspValue - pDriver->BaseVa);
432  }
433  else
434  {
435  NLOG("%08llx %s+0x%llx\n", rsp + 4ull * i, utf16_for_log(pDriver->Name), rspValue - pDriver->BaseVa);
436  }
437 
438  writtenModules++;
439  }
440 
441  if (writtenModules > MODULE_NAMES_TO_PRINT)
442  {
443  break;
444  }
445  }
446 #undef MODULE_NAMES_TO_PRINT
447 #undef TRACE_LIMIT_X64
448 #undef TRACE_LIMIT_X86
449 }
450 
451 
452 static void
453 IntLogTrapFrame(
454  _In_ QWORD TrapFrame
455  )
461 {
462  if (gGuest.Guest64)
463  {
464  INTSTATUS status;
465  KTRAP_FRAME64 trapStructure = {0};
466 
467  NLOG("\nTrap Frame at 0x%016llx:\n", TrapFrame);
468  status = IntKernVirtMemRead(TrapFrame, sizeof(trapStructure), &trapStructure, NULL);
469  if (!INT_SUCCESS(status))
470  {
471  ERROR("[ERROR] IntKernVirtMemRead failed at 0x%016llx: 0x%08x\n", TrapFrame, status);
472  return;
473  }
474 
475  NLOG("rax = %016llx rbx = %016llx rcx = %016llx\n"
476  "rdx = %016llx rsi = %016llx rdi = %016llx\n"
477  "rip = %016llx rsp = %016llx rbp = %016llx\n"
478  " r8 = %016llx r9 = %016llx r10 = %016llx\n"
479  "r11 = %016llx r12 = %016llx r13 = %016llx\n"
480  "r14 = %016llx r15 = %016llx\n"
481  "eflags = %08x\n",
482  trapStructure.Rax, trapStructure.Rbx, trapStructure.Rcx,
483  trapStructure.Rdx, trapStructure.Rsi, trapStructure.Rdi,
484  trapStructure.Rip, trapStructure.Rsp, trapStructure.Rbp,
485  trapStructure.R8, trapStructure.R9, trapStructure.R10,
486  trapStructure.R11, 0ull, 0ull, 0ull, 0ull,
487  trapStructure.EFlags);
488 
489  IntWinDumpEflags(trapStructure.EFlags);
490  IntLogCurrentIP(trapStructure.Rip, NULL);
491  IntLogStackTrace(trapStructure.Rsp, "Stack trace:");
492  IntLogStackTrace(0, NULL);
493  }
494  else
495  {
496  INTSTATUS status;
497  KTSS ktssStructure = {0};
498 
499  NLOG("\nKTSS at %08llx:\n", TrapFrame);
500 
501  status = IntKernVirtMemRead(TrapFrame, sizeof(ktssStructure), &ktssStructure, NULL);
502  if (!INT_SUCCESS(status))
503  {
504  ERROR("[ERROR] IntKernVirtMemRead failed at 0x%016llx: 0x%08x\n", TrapFrame, status);
505  return;
506  }
507 
508  NLOG("eax = 0x%08x ebx = 0x%08x ecx = 0x%08x\n"
509  "edx = 0x%08x esi = 0x%08x edi = 0x%08x\n"
510  "eip = 0x%08x esp = 0x%08x ebp = 0x%08x\n"
511  "cs = %04x ss = %04x ds = %04x es = %04x fs = %04x gs = %04x efl=0x%08x\n",
512  ktssStructure.Eax, ktssStructure.Ebx, ktssStructure.Ecx, ktssStructure.Edx, ktssStructure.Esi,
513  ktssStructure.Edi, ktssStructure.Eip, ktssStructure.Esp, ktssStructure.Ebp, ktssStructure.Cs,
514  ktssStructure.Ss, ktssStructure.Ds, ktssStructure.Es, ktssStructure.Fs, ktssStructure.Gs,
515  ktssStructure.EFlags);
516 
517  IntWinDumpEflags(ktssStructure.EFlags);
518  IntLogCurrentIP(ktssStructure.Eip, NULL);
519  IntLogStackTrace(ktssStructure.Esp, "Stack trace:");
520  IntLogStackTrace(0, NULL);
521  }
522 }
523 
524 
525 static void
526 IntLogContextRecord(
527  _In_ QWORD ContextRecord
528  )
534 {
535  if (gGuest.Guest64)
536  {
537  INTSTATUS status;
538  CONTEXT64 contextStructure = {0};
539 
540  NLOG("\nContext Record at 0x%016llx:\n", ContextRecord);
541 
542  status = IntKernVirtMemRead(ContextRecord, sizeof(contextStructure), &contextStructure, NULL);
543  if (!INT_SUCCESS(status))
544  {
545  ERROR("[ERROR] IntKernVirtMemRead failed at 0x%016llx: 0x%08x\n", ContextRecord, status);
546  return;
547  }
548 
549  NLOG("rax = 0x%016llx rbx = 0x%016llx rcx = 0x%016llx\n"
550  "rdx = 0x%016llx rsi = 0x%016llx rdi = 0x%016llx\n"
551  "rip = 0x%016llx rsp = 0x%016llx rbp = 0x%016llx\n"
552  " r8 = 0x%016llx r9 = 0x%016llx r10 = 0x%016llx\n"
553  "r11 = 0x%016llx r12 = 0x%016llx r13 = 0x%016llx\n"
554  "r14 = 0x%016llx r15 = 0x%016llx\n"
555  "cs = 0x%04x ss = 0x%04x ds = 0x%04x es = 0x%04x fs = 0x%04x gs = 0x%04x efl = 0x%08x\n",
556  contextStructure.Rax, contextStructure.Rbx, contextStructure.Rcx,
557  contextStructure.Rdx, contextStructure.Rsi, contextStructure.Rdi,
558  contextStructure.Rip, contextStructure.Rsp, contextStructure.Rbp,
559  contextStructure.R8, contextStructure.R9, contextStructure.R10,
560  contextStructure.R11, contextStructure.R12, contextStructure.R13,
561  contextStructure.R14, contextStructure.R15, contextStructure.SegCs,
562  contextStructure.SegSs, contextStructure.SegDs, contextStructure.SegEs,
563  contextStructure.SegFs, contextStructure.SegGs, contextStructure.EFlags);
564 
565  IntWinDumpEflags(contextStructure.EFlags);
566  IntLogCurrentIP(contextStructure.Rip, NULL);
567  }
568  else
569  {
570  INTSTATUS status;
571  CONTEXT32 contextStructure = {0};
572 
573  NLOG("\nContext Record at %08llx:\n", ContextRecord);
574 
575  status = IntKernVirtMemRead(ContextRecord, sizeof(contextStructure), &contextStructure, NULL);
576  if (!INT_SUCCESS(status))
577  {
578  ERROR("[ERROR] IntKernVirtMemRead failed at 0x%016llx: 0x%08x\n", ContextRecord, status);
579  return;
580  }
581 
582  NLOG("eax = 0x%08x ebx = 0x%08x ecx = 0x%08x edx = 0x%08x esi = 0x%08x edi = 0x%08x\n"
583  "eip = 0x%08x esp = 0x%08x ebp = 0x%08x\n"
584  "cs = 0x%04x ss = 0x%04x ds = 0x%04x es = 0x%04x fs = 0x%04x gs = 0x%04x efl = %08x\n",
585  contextStructure.Eax, contextStructure.Ebx, contextStructure.Ecx,
586  contextStructure.Edx, contextStructure.Esi, contextStructure.Edi,
587  contextStructure.Eip, contextStructure.Esp, contextStructure.Ebp,
588  contextStructure.SegCs, contextStructure.SegSs, contextStructure.SegDs,
589  contextStructure.SegEs, contextStructure.SegFs,
590  contextStructure.SegGs, contextStructure.EFlags);
591 
592  IntWinDumpEflags(contextStructure.EFlags);
593  IntLogCurrentIP(contextStructure.Eip, NULL);
594  }
595 }
596 
597 
598 static void
599 IntLogExceptionRecord(
600  _In_ QWORD ExceptionRecord
601  )
607 {
608  if (gGuest.Guest64)
609  {
610  INTSTATUS status;
611  EXCEPTION_RECORD64 excpStructure = {0};
612 
613  NLOG("\nException Record at 0x%016llx:\n", ExceptionRecord);
614 
615  status = IntKernVirtMemRead(ExceptionRecord, sizeof(excpStructure), &excpStructure, NULL);
616  if (!INT_SUCCESS(status))
617  {
618  ERROR("[ERROR] IntKernVirtMemRead failed at 0x%016llx: 0x%08x\n", ExceptionRecord, status);
619  return;
620  }
621 
622  NLOG("Exception address: 0x%016llx\n"
623  "Exception Code: 0x%08x\n"
624  "ExceptionFlags: 0x%08x\n"
625  "NumberParameters: 0x%x\n",
626  excpStructure.ExceptionAddress, excpStructure.ExceptionCode,
627  excpStructure.ExceptionFlags, excpStructure.NumberParameters);
628 
629  for (DWORD excpParam = 0; excpParam < excpStructure.NumberParameters; excpParam++)
630  {
631  NLOG(" Parameter[%d]: 0x%016llx\n", excpParam, excpStructure.ExceptionInformation[excpParam]);
632  }
633  }
634  else
635  {
636  INTSTATUS status;
637  EXCEPTION_RECORD32 excpStructure = {0};
638 
639  NLOG("\nException Record at %08llx:\n", ExceptionRecord);
640 
641  status = IntKernVirtMemRead(ExceptionRecord, sizeof(excpStructure), &excpStructure, NULL);
642  if (!INT_SUCCESS(status))
643  {
644  ERROR("[ERROR] IntKernVirtMemRead failed at 0x%016llx: 0x%08x\n", ExceptionRecord, status);
645  return;
646  }
647 
648  NLOG("Exception address: %08x\n"
649  "Exception Code: 0x%08x\n"
650  "ExceptionFlags: 0x%08x\n"
651  "NumberParameters: 0x%x\n",
652  excpStructure.ExceptionAddress, excpStructure.ExceptionCode,
653  excpStructure.ExceptionFlags, excpStructure.NumberParameters);
654 
655  for (DWORD excpParam = 0; excpParam < excpStructure.NumberParameters; excpParam++)
656  {
657  NLOG(" Parameter[%d]: 0x%08x\n", excpParam, excpStructure.ExceptionInformation[excpParam]);
658  }
659  }
660 }
661 
662 
663 static void
664 IntLogCriticalProcessHasDied(
665  _In_ QWORD Param1,
666  _In_ QWORD Param2
667  )
674 {
675  const WIN_PROCESS_OBJECT *proc = IntWinProcFindObjectByEprocess(Param1);
676  const CHAR *objectType = "<unknown>";
677 
678  if (Param2 == 0)
679  {
680  objectType = "process";
681  }
682  else if (Param2 == 1)
683  {
684  objectType = "thread";
685  }
686 
687  LOG("A %s object has died!\n", objectType);
688  if (proc != NULL)
689  {
690  NLOG("\tProcess name: \"%s\" PID: %u Eprocess: 0x%016llx Cr3: 0x%016llx User Cr3: 0x%016llx Protected: %u\n",
691  proc->Name, proc->Pid, proc->EprocessAddress, proc->Cr3, proc->UserCr3, proc->Protected);
692  }
693  else
694  {
695  NLOG("\tNo process found for Eprocess 0x%016llx\n", Param1);
696  }
697 }
698 
699 
700 static void
701 IntLogCriticalStructureCoruption(
702  _In_ QWORD Param3,
703  _In_ QWORD Param4
704  )
715 {
716  QWORD regionType = Param4;
717  const PCHAR regions[] =
718  {
719  /* 0 */ "A generic data region",
720  /* 1 */ "Modification of a function or .pdata",
721  /* 2 */ "A processor IDT",
722  /* 3 */ "A processor GDT",
723  /* 4 */ "Type 1 process list corruption",
724  /* 5 */ "Type 2 process list corruption",
725  /* 6 */ "Debug routine modification",
726  /* 7 */ "Critical MSR modification",
727  /* 8 */ "Object type",
728  /* 9 */ "A processor IVT",
729  /* a */ "Modification of a system service function",
730  /* b */ "A generic session data region",
731  /* c */ "Modification of a session function or .pdata",
732  /* d */ "Modification of an import table",
733  /* e */ "Modification of a session import table",
734  /* f */ "Ps Win32 callout modification",
735  /* 10 */ "Debug switch routine modification",
736  /* 11 */ "IRP allocator modification",
737  /* 12 */ "Driver call dispatcher modification",
738  /* 13 */ "IRP completion dispatcher modification",
739  /* 14 */ "IRP deallocator modification",
740  /* 15 */ "A processor control register",
741  /* 16 */ "Critical floating point control register modification",
742  /* 17 */ "Local APIC modification",
743  /* 18 */ "Kernel notification callout modification",
744  /* 19 */ "Loaded module list modification",
745  /* 1a */ "Type 3 process list corruption",
746  /* 1b */ "Type 4 process list corruption",
747  /* 1c */ "Driver object corruption",
748  /* 1d */ "Executive callback object modification",
749  /* 1e */ "Modification of module padding",
750  /* 1f */ "Modification of a protected process",
751  /* 20 */ "A generic data region",
752  /* 21 */ "A page hash mismatch",
753  /* 22 */ "A session page hash mismatch",
754  /* 23 */ "Load config directory modification",
755  /* 24 */ "Inverted function table modification",
756  /* 25 */ "Session configuration modification",
757  /* 26 */ "An extended processor control register",
758  /* 27 */ "Type 1 pool corruption",
759  /* 28 */ "Type 2 pool corruption",
760  /* 29 */ "Type 3 pool corruption",
761  /* 2a */ "Type 4 pool corruption",
762  /* 2b */ "Modification of a function or .pdata",
763  /* 2c */ "Image integrity corruption",
764  /* 2d */ "Processor misconfiguration",
765  /* 2e */ "Type 5 process list corruption",
766  /* 2f */ "Process shadow corruption",
767  };
768 
769  if (regionType < ARRAYSIZE(regions))
770  {
771  LOG("0x%04llx - %s\n", regionType, regions[regionType]);
772  }
773  else if (0x101 == regionType)
774  {
775  LOG("0x%04llx - %s\n", regionType, "General pool corruption");
776  }
777  else if (0x102 == regionType)
778  {
779  LOG("0x%04llx - %s\n", regionType, "Modification of win32k.sys");
780  }
781  else
782  {
783  LOG("0x%04llx - %s\n", regionType, "Undocumented");
784  }
785 
786  LOG("Dumping cloak regions\n");
787  IntMemClkDump();
788 
789  if (0x2b == regionType && IS_KERNEL_POINTER_WIN(gGuest.Guest64, Param3))
790  {
791  IntDumpGvaEx(gGuest.Mm.SystemCr3, Param3 & PAGE_MASK, PAGE_SIZE, 16, 1, TRUE, TRUE);
792  }
793 }
794 
795 
796 static void
797 IntWinBcLogBsodEvent(
798  _In_ QWORD Reason,
799  _In_ QWORD Param1,
800  _In_ QWORD Param2,
801  _In_ QWORD Param3,
802  _In_ QWORD Param4
803  )
816 {
817  KERNEL_DRIVER const *pKernel = gGuest.KernelDriver;
818 
819  NLOG("\n**********************************************************************\n"
820  "* *\n"
821  "* Bugcheck Analysis *\n"
822  "* *\n"
823  "**********************************************************************\n\n");
824 
825  IntLogBSODParams(Reason, Param1, Param2, Param3, Param4);
826 
827  switch (Reason)
828  {
829  case BUGCHECK_IRQL_NOT_LESS_OR_EQUAL:
830  IntLogCurrentIP(Param4, "Faulting IP");
831  IntWinLogVAInfo(Param1);
832  break;
833 
834  case BUGCHECK_SYSTEM_SERVICE_EXCEPTION:
835  IntLogCurrentIP(Param2, "Faulting IP");
836  IntLogContextRecord(Param3);
837  break;
838 
839  case BUGCHECK_SYSTEM_THREAD_EXCEPTION_NOT_HANDLED:
840  IntLogExceptionRecord(Param3);
841  IntLogContextRecord(Param4);
842  break;
843 
844  case BUGCHECK_UNEXPECTED_KERNEL_MODE_TRAP:
845  case BUGCHECK_KERNEL_MODE_EXCEPTION_NOT_HANDLED:
846  IntLogTrapFrame(Param2);
847  break;
848 
849  case BUGCHECK_CRITICAL_PROCESS_DIED:
850  IntLogCriticalProcessHasDied(Param1, Param2);
851  break;
852 
853  case BUGCHEDCK_CRITICAL_STRUCTURE_CORRUPTION:
854  IntLogCriticalStructureCoruption(Param3, Param4);
855  break;
856 
857  default: // More can be added if it is needed
858  NLOG("Bug Check reason not known!\n");
859  break;
860  }
861 
862  if (NULL != pKernel)
863  {
864  LOG("Kernel loaded at 0x%016llx Version info: 0x%08x:0x%08llx\n",
865  pKernel->BaseVa, pKernel->Win.TimeDateStamp, pKernel->Size);
866  }
867 
868  IntLogGuestRegisters();
869 
870  IntLogProcessInfo();
871 
872  IntLogStackTrace(0, "Stack Trace:");
873 }
874 
875 
876 static INTSTATUS
877 IntWinBcSendBsodEvent(
878  _In_ QWORD Reason,
879  _In_ QWORD Param1,
880  _In_ QWORD Param2,
881  _In_ QWORD Param3,
882  _In_ QWORD Param4
883  )
897 {
898  INTSTATUS status;
899  EVENT_CRASH_EVENT *pCrashEvent;
900 
901  if (0 == (gGuest.CoreOptions.Current & INTRO_OPT_EVENT_OS_CRASH))
902  {
903  return INT_STATUS_NOT_NEEDED_HINT;
904  }
905 
906  pCrashEvent = &gAlert.Crash;
907  memzero(pCrashEvent, sizeof(*pCrashEvent));
908 
909  pCrashEvent->Reason = Reason;
910  pCrashEvent->Param1 = Param1;
911  pCrashEvent->Param2 = Param2;
912  pCrashEvent->Param3 = Param3;
913  pCrashEvent->Param4 = Param4;
914 
915  IntAlertFillWinProcessCurrent(&pCrashEvent->CurrentProcess);
916 
917  status = IntNotifyIntroEvent(introEventCrashEvent, pCrashEvent, sizeof(*pCrashEvent));
918  if (!INT_SUCCESS(status))
919  {
920  WARNING("[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
921  }
922 
923  return INT_STATUS_SUCCESS;
924 }
925 
926 
927 INTSTATUS
928 IntWinBcHandleBugCheck(
929  _In_ void const *Detour
930  )
944 
945 {
946  INTSTATUS status;
947  PIG_ARCH_REGS pRegs;
948  QWORD code, param1, param2, param3, param4;
949 
950  if (NULL == Detour)
951  {
952  return INT_STATUS_INVALID_PARAMETER_1;
953  }
954 
955  pRegs = &gVcpu->Regs;
956 
957  if (gGuest.Guest64)
958  {
959  code = pRegs->Rcx;
960  param1 = pRegs->Rdx;
961  param2 = pRegs->R8;
962  param3 = pRegs->R9;
963 
964  IntKernVirtMemFetchQword(pRegs->Rsp + 8 * 5, &param4);
965  }
966  else
967  {
968  // We have RET, Arg1, ... on the stack.
969  IntKernVirtMemFetchDword(pRegs->Rsp + 4 * 1, (DWORD *)&code);
970  IntKernVirtMemFetchDword(pRegs->Rsp + 4 * 2, (DWORD *)&param1);
971  IntKernVirtMemFetchDword(pRegs->Rsp + 4 * 3, (DWORD *)&param2);
972  IntKernVirtMemFetchDword(pRegs->Rsp + 4 * 4, (DWORD *)&param3);
973  IntKernVirtMemFetchDword(pRegs->Rsp + 4 * 5, (DWORD *)&param4);
974  }
975 
976  LOG("[INFO] The guest has generated a bugcheck on CPU %d: 0x%08x 0x%016llx 0x%016llx 0x%016llx 0x%016llx\n",
977  gVcpu->Index, (DWORD)code, param1, param2, param3, param4);
978 
979  // Set the beta alerts, so we don't block the writes that will follow
980  gGuest.KernelBetaDetections = TRUE;
981 
982  IntWinBcLogBsodEvent(code, param1, param2, param3, param4);
983 
984  status = IntWinBcSendBsodEvent(code, param1, param2, param3, param4);
985  if (!INT_SUCCESS(status))
986  {
987  ERROR("[ERROR] IntWinBcSendBsodEvent failed: 0x%08x\n", status);
988  }
989 
990  return INT_STATUS_SUCCESS;
991 }
_EXCEPTION_RECORD32::NumberParameters
DWORD NumberParameters
Definition: wddefs.h:1069
_CONTEXT64::R9
QWORD R9
Definition: wddefs.h:1481
_CONTEXT64::Rcx
QWORD Rcx
Definition: wddefs.h:1473
IntDumpArchRegs
TIMER_FRIENDLY void IntDumpArchRegs(IG_ARCH_REGS const *Registers)
This function dumps the register values in a user friendly format.
Definition: dumper.c:20
_In_opt_
#define _In_opt_
Definition: intro_sal.h:16
_VA_TRANSLATION::PhysicalAddress
QWORD PhysicalAddress
The physical address to which VirtualAddress translates to.
Definition: introcore.h:107
_EXCEPTION_RECORD32::ExceptionCode
DWORD ExceptionCode
Definition: wddefs.h:1065
_WIN_PROCESS_OBJECT::Flags
DWORD Flags
Windows process flags (possible values for this bitmask are described below).
Definition: winprocess.h:119
BUGCHECK_KMODE_EXCEPTION_NOT_HANDLED
#define BUGCHECK_KMODE_EXCEPTION_NOT_HANDLED
Definition: winbugcheck.h:25
TRACE_LIMIT_X86
#define TRACE_LIMIT_X86
_CONTEXT64::Rdx
QWORD Rdx
Definition: wddefs.h:1474
_CONTEXT64::R12
QWORD R12
Definition: wddefs.h:1484
IntLogTrapFrame
static void IntLogTrapFrame(QWORD TrapFrame)
Logs information about a trap frame.
Definition: winbugcheck.c:453
_IG_SEG_REGS::CsBase
QWORD CsBase
Definition: glueiface.h:66
_CONTEXT32::Eax
DWORD Eax
Definition: wddefs.h:1553
_IG_SEG_REGS::DsBase
QWORD DsBase
Definition: glueiface.h:74
_IG_ARCH_REGS::Cr0
QWORD Cr0
Definition: glueiface.h:52
_KTSS::EFlags
DWORD EFlags
Definition: wddefs.h:760
_VCPU_STATE::Regs
IG_ARCH_REGS Regs
The current state of the guest registers.
Definition: guests.h:95
_IG_SEG_REGS::EsSelector
QWORD EsSelector
Definition: glueiface.h:80
_VCPU_STATE::Index
DWORD Index
The VCPU number.
Definition: guests.h:172
_In_
#define _In_
Definition: intro_sal.h:21
IntLogCurrentIP
static void IntLogCurrentIP(QWORD Rip, CHAR const *Message)
Logs information about the RIP at which the crash was triggered.
Definition: winbugcheck.c:142
_EXCEPTION_RECORD32::ExceptionInformation
DWORD ExceptionInformation[EXCEPTION_MAXIMUM_PARAMETERS]
Definition: wddefs.h:1070
_WIN_PROCESS_OBJECT::RealParentEprocess
QWORD RealParentEprocess
The active EPROCESS at the moment of creation.
Definition: winprocess.h:90
_MM::SystemCr3
QWORD SystemCr3
The Cr3 used to map the kernel.
Definition: guests.h:207
INT_STATUS_SUCCESS
#define INT_STATUS_SUCCESS
Definition: introstatus.h:54
_KTSS::Ss
WORD Ss
Definition: wddefs.h:773
_KERNEL_DRIVER::Win
WIN_KERNEL_DRIVER Win
Valid only for Windows guests.
Definition: drivers.h:70
_EXCEPTION_RECORD64::ExceptionAddress
QWORD ExceptionAddress
The address at which the exception was generated.
Definition: wddefs.h:1050
_EXCEPTION_RECORD64::ExceptionCode
DWORD ExceptionCode
The code generated by hardware, or the one used with RaiseException(), or DBG_CONTROL_C.
Definition: wddefs.h:1046
_EFLAGS::SF
DWORD SF
Definition: winbugcheck.h:54
IntGetGprs
INTSTATUS IntGetGprs(DWORD CpuNumber, PIG_ARCH_REGS Regs)
Get the current guest GPR state.
Definition: introcpu.c:827
_IG_ARCH_REGS::Cr8
QWORD Cr8
Definition: glueiface.h:55
_IG_SEG_REGS::DsSelector
QWORD DsSelector
Definition: glueiface.h:76
BUGCHECK_KERNEL_MODE_EXCEPTION_NOT_HANDLED
#define BUGCHECK_KERNEL_MODE_EXCEPTION_NOT_HANDLED
Definition: winbugcheck.h:35
IntGetBugCheckLink
static char const * IntGetBugCheckLink(QWORD Reason)
Returns the bug check documentation page link for a bug check reason.
Definition: winbugcheck.c:55
IntLogStackTrace
static void IntLogStackTrace(QWORD Address, CHAR const *Message)
Attempts to log a guest stack trace.
Definition: winbugcheck.c:370
_CONTEXT32::SegFs
DWORD SegFs
Definition: wddefs.h:1544
_KERNEL_DRIVER::BaseVa
QWORD BaseVa
The guest virtual address of the kernel module that owns this driver object.
Definition: drivers.h:41
_EVENT_CRASH_EVENT::Param3
QWORD Param3
Third parameter.
Definition: intro_types.h:1809
_KTRAP_FRAME64
Definition: wddefs.h:845
INT_SUCCESS
#define INT_SUCCESS(Status)
Definition: introstatus.h:42
_EFLAGS::Raw
DWORD Raw
Raw register value.
Definition: winbugcheck.h:44
introEventCrashEvent
Informational event sent when the guest crashes. See EVENT_CRASH_EVENT.
Definition: intro_types.h:109
_KTRAP_FRAME64::R8
QWORD R8
Definition: wddefs.h:898
ARRAYSIZE
#define ARRAYSIZE(A)
Definition: introdefs.h:101
_GUEST_STATE::KernelBetaDetections
BOOLEAN KernelBetaDetections
True if the kernel protection is in beta (log-only) mode.
Definition: guests.h:299
_IG_SEG_REGS
Holds segment register state.
Definition: glueiface.h:64
_IG_SEG_REGS::GsAr
QWORD GsAr
Definition: glueiface.h:89
_IG_ARCH_REGS::Rdx
QWORD Rdx
Definition: glueiface.h:34
INT_STATUS_NOT_NEEDED_HINT
#define INT_STATUS_NOT_NEEDED_HINT
Definition: introstatus.h:317
_CONTEXT64::Rdi
QWORD Rdi
Definition: wddefs.h:1479
ERROR
#define ERROR(fmt,...)
Definition: glue.h:62
BUGCHECK_MEMORY_MANAGEMENT
#define BUGCHECK_MEMORY_MANAGEMENT
Definition: winbugcheck.h:24
_CONTEXT64::SegGs
WORD SegGs
Definition: wddefs.h:1461
_KTSS::Ds
WORD Ds
Definition: wddefs.h:775
INTSTATUS
int INTSTATUS
The status data type.
Definition: introstatus.h:24
_KERNEL_DRIVER::Size
QWORD Size
The size of the kernel module that owns this driver object.
Definition: drivers.h:43
BUGCHECK_SYSTEM_THREAD_EXCEPTION_NOT_HANDLED
#define BUGCHECK_SYSTEM_THREAD_EXCEPTION_NOT_HANDLED
Definition: winbugcheck.h:33
_CONTEXT32::Ecx
DWORD Ecx
Definition: wddefs.h:1552
_WIN_PROCESS_OBJECT::Peb64Address
QWORD Peb64Address
PEB 64 address (on x86 OSes, this will be 0).
Definition: winprocess.h:101
TRFLG_NONE
#define TRFLG_NONE
No special options.
Definition: introcore.h:82
_IG_SEG_REGS::SsBase
QWORD SsBase
Definition: glueiface.h:70
_EVENT_CRASH_EVENT::Param1
QWORD Param1
First parameter.
Definition: intro_types.h:1807
_IG_SEG_REGS::GsSelector
QWORD GsSelector
Definition: glueiface.h:88
_IG_ARCH_REGS::Flags
QWORD Flags
Definition: glueiface.h:49
_GUEST_STATE::VcpuArray
PVCPU_STATE VcpuArray
Array of the VCPUs assigned to this guest. The index in this array matches the VCPU number...
Definition: guests.h:368
_EFLAGS::DF
DWORD DF
Definition: winbugcheck.h:57
_IG_SEG_REGS::SsAr
QWORD SsAr
Definition: glueiface.h:73
_IG_SEG_REGS::CsAr
QWORD CsAr
Definition: glueiface.h:69
_EFLAGS::IF
DWORD IF
Definition: winbugcheck.h:56
_KTSS::Esi
DWORD Esi
Definition: wddefs.h:767
_EFLAGS::OF
DWORD OF
Definition: winbugcheck.h:58
_IG_SEG_REGS::FsLimit
QWORD FsLimit
Definition: glueiface.h:83
_CONTEXT32::Ebx
DWORD Ebx
Definition: wddefs.h:1550
_GENERIC_ALERT::Crash
EVENT_CRASH_EVENT Crash
Definition: alerts.h:27
BUGCHECK_PFN_LIST_CORRUPT
#define BUGCHECK_PFN_LIST_CORRUPT
Definition: winbugcheck.h:27
_EVENT_CRASH_EVENT
Event structure for guest OS crashes.
Definition: intro_types.h:1804
_WIN_PROCESS_OBJECT::ParentEprocess
QWORD ParentEprocess
The EPROCESS of the parent process.
Definition: winprocess.h:89
IntGetBugCheckName
static char const * IntGetBugCheckName(QWORD Reason)
Returns a name for a bug check code.
Definition: winbugcheck.c:13
_WIN_PROCESS_OBJECT::Protected
DWORD Protected
TRUE if this is a protected process. If this is FALSE, most of the above fields aren&#39;t used at all...
Definition: winprocess.h:128
_CONTEXT32::EFlags
DWORD EFlags
Definition: wddefs.h:1558
_WIN_KERNEL_DRIVER::TimeDateStamp
DWORD TimeDateStamp
The driver`s internal timestamp (from the _IMAGE_FILE_HEADER).
Definition: windriver.h:23
_CONTEXT64::SegFs
WORD SegFs
Definition: wddefs.h:1460
LOG
#define LOG(fmt,...)
Definition: glue.h:61
IG_CS_TYPE_32B
32-bit selector.
Definition: glueiface.h:187
BUGCHECK_SYSTEM_SERVICE_EXCEPTION
#define BUGCHECK_SYSTEM_SERVICE_EXCEPTION
Definition: winbugcheck.h:26
_KERNEL_DRIVER
Describes a kernel driver.
Definition: drivers.h:30
_KTRAP_FRAME64::Rax
QWORD Rax
Definition: wddefs.h:895
_IG_ARCH_REGS::Rsp
QWORD Rsp
Definition: glueiface.h:36
_IG_SEG_REGS::SsSelector
QWORD SsSelector
Definition: glueiface.h:72
_EFLAGS::IOPL
DWORD IOPL
Definition: winbugcheck.h:59
IntWinDumpEflags
static void IntWinDumpEflags(DWORD Eflags)
Logs the EFLAGS contents.
Definition: winbugcheck.c:344
_KTSS::Es
WORD Es
Definition: wddefs.h:769
_CONTEXT64::Rax
QWORD Rax
Definition: wddefs.h:1472
_KTSS::Ecx
DWORD Ecx
Definition: wddefs.h:762
_EFLAGS::CF
DWORD CF
Definition: winbugcheck.h:47
_CONTEXT32
Context Frame for 32-bit guests.
Definition: wddefs.h:1530
_IG_ARCH_REGS::R9
QWORD R9
Definition: glueiface.h:41
_CONTEXT64::Rbp
QWORD Rbp
Definition: wddefs.h:1477
_WIN_PROCESS_OBJECT::Cr3
QWORD Cr3
Process PDBR. Includes PCID.
Definition: winprocess.h:96
_VA_TRANSLATION::MappingsCount
DWORD MappingsCount
The number of entries inside the MappingsTrace and MappingsEntries arrays.
Definition: introcore.h:123
_CONTEXT64::Rip
QWORD Rip
Definition: wddefs.h:1489
gAlert
GENERIC_ALERT gAlert
Global alert buffer.
Definition: alerts.c:27
_CONTEXT64::R11
QWORD R11
Definition: wddefs.h:1483
IntWinBcLogBsodEvent
static void IntWinBcLogBsodEvent(QWORD Reason, QWORD Param1, QWORD Param2, QWORD Param3, QWORD Param4)
Logs a bug check event and related information about the crash and the kernel.
Definition: winbugcheck.c:797
_WIN_PROCESS_OBJECT::CreationTime
QWORD CreationTime
The creation time of the process, as stored inside the EPROCESS.
Definition: winprocess.h:93
_IG_SEG_REGS::DsAr
QWORD DsAr
Definition: glueiface.h:77
IntDumpInstruction
TIMER_FRIENDLY void IntDumpInstruction(INSTRUX *Instruction, QWORD Rip)
This function dumps a given instruction (textual disassembly).
Definition: dumper.c:513
_WIN_PROCESS_OBJECT::Path
WINUM_PATH * Path
Will point inside the loaded modules list to the full process path.
Definition: winprocess.h:109
IntKernVirtMemFetchDword
INTSTATUS IntKernVirtMemFetchDword(QWORD GuestVirtualAddress, DWORD *Data)
Reads 4 bytes from the guest kernel memory.
Definition: introcore.c:829
_KTRAP_FRAME64::Rip
QWORD Rip
Definition: wddefs.h:1011
_EXCEPTION_RECORD64::NumberParameters
DWORD NumberParameters
The number of valid entries inside the ExceptionInformation array.
Definition: wddefs.h:1051
BUGCHECK_PROCESS_INITIALIZATION_FAILED
#define BUGCHECK_PROCESS_INITIALIZATION_FAILED
Definition: winbugcheck.h:29
IntLogBSODParams
static void IntLogBSODParams(QWORD Reason, QWORD Param1, QWORD Param2, QWORD Param3, QWORD Param4)
Logs the bug check parameters.
Definition: winbugcheck.c:109
IntKernVirtMemFetchQword
INTSTATUS IntKernVirtMemFetchQword(QWORD GuestVirtualAddress, QWORD *Data)
Reads 8 bytes from the guest kernel memory.
Definition: introcore.c:811
IntWinBcSendBsodEvent
static INTSTATUS IntWinBcSendBsodEvent(QWORD Reason, QWORD Param1, QWORD Param2, QWORD Param3, QWORD Param4)
Sends a introEventCrashEvent event.
Definition: winbugcheck.c:877
_VA_TRANSLATION::MappingsEntries
QWORD MappingsEntries[MAX_TRANSLATION_DEPTH]
Contains the entry in which paging table.
Definition: introcore.h:115
IntNotifyIntroEvent
INTSTATUS IntNotifyIntroEvent(INTRO_EVENT_TYPE EventClass, void *Param, size_t EventSize)
Notifies the integrator about an introspection alert.
Definition: glue.c:1042
_EFLAGS::AF
DWORD AF
Definition: winbugcheck.h:51
memzero
#define memzero(a, s)
Definition: introcrt.h:35
_EVENT_CRASH_EVENT::CurrentProcess
INTRO_PROCESS CurrentProcess
The currently active process.
Definition: intro_types.h:1812
_EVENT_CRASH_EVENT::Reason
QWORD Reason
The bugcheck reason.
Definition: intro_types.h:1806
_KTSS::Ebx
DWORD Ebx
Definition: wddefs.h:764
winbugcheck.h
Information about Windows kernel crashes.
_KTRAP_FRAME64::Rbp
QWORD Rbp
Definition: wddefs.h:994
_GUEST_STATE::Guest64
BOOLEAN Guest64
True if this is a 64-bit guest, False if it is a 32-bit guest.
Definition: guests.h:286
QWORD
unsigned long long QWORD
Definition: intro_types.h:53
_WIN_PROCESS_OBJECT::Name
CHAR Name[IMAGE_BASE_NAME_LEN]
Process base name.
Definition: winprocess.h:106
_INTRO_PROT_OPTIONS::Current
QWORD Current
The currently used options.
Definition: guests.h:232
_EFLAGS
The layout of the EFLAGS register.
Definition: winbugcheck.h:42
_EXCEPTION_RECORD32
An _EXCEPTION_RECORD structure used by 64-bit guests.
Definition: wddefs.h:1063
_EXCEPTION_RECORD64::ExceptionInformation
QWORD ExceptionInformation[EXCEPTION_MAXIMUM_PARAMETERS]
Exception-dependent parameters.
Definition: wddefs.h:1054
_CONTEXT32::SegCs
DWORD SegCs
Definition: wddefs.h:1557
_WIN_PROCESS_OBJECT::UserCr3
QWORD UserCr3
Process user PDBR. Includes PCID.
Definition: winprocess.h:97
_VCPU_STATE
Structure encapsulating VCPU-specific information.
Definition: guests.h:83
_CONTEXT32::Esi
DWORD Esi
Definition: wddefs.h:1549
_CONTEXT64::R15
QWORD R15
Definition: wddefs.h:1487
_CONTEXT32::SegDs
DWORD SegDs
Definition: wddefs.h:1546
_CONTEXT64::Rsp
QWORD Rsp
Definition: wddefs.h:1476
_CONTEXT64::Rsi
QWORD Rsi
Definition: wddefs.h:1478
_KTSS::Fs
WORD Fs
Definition: wddefs.h:777
_CONTEXT32::Ebp
DWORD Ebp
Definition: wddefs.h:1555
_IG_ARCH_REGS::GdtBase
QWORD GdtBase
Definition: glueiface.h:58
TRUE
#define TRUE
Definition: intro_types.h:30
IS_KERNEL_POINTER_WIN
#define IS_KERNEL_POINTER_WIN(is64, p)
Checks if a guest virtual address resides inside the Windows kernel address space.
Definition: wddefs.h:76
IntWinBcHandleBugCheck
INTSTATUS IntWinBcHandleBugCheck(void const *Detour)
Handles a Windows OS crash.This is the detour handle for the KeBugCheck2 32-bit Windows kernel API an...
Definition: winbugcheck.c:928
_CONTEXT32::SegSs
DWORD SegSs
Definition: wddefs.h:1560
IntWinProcFindObjectByCr3
PWIN_PROCESS_OBJECT IntWinProcFindObjectByCr3(QWORD Cr3)
Finds a process by its kernel CR3.
Definition: winprocesshp.c:122
_WIN_PROCESS_OBJECT::ExitStatus
DWORD ExitStatus
The exit status of the process (used when sending the process terminated event).
Definition: winprocess.h:188
IntWinLogVAInfo
static void IntWinLogVAInfo(QWORD Va)
Logs information about a guest virtual address translation.
Definition: winbugcheck.c:313
_IG_SEG_REGS::FsBase
QWORD FsBase
Definition: glueiface.h:82
_KERNEL_DRIVER::Name
void * Name
The name of the driver.
Definition: drivers.h:54
_IG_ARCH_REGS::R8
QWORD R8
Definition: glueiface.h:40
_IG_ARCH_REGS::IdtLimit
QWORD IdtLimit
Definition: glueiface.h:57
_KTSS::Edi
DWORD Edi
Definition: wddefs.h:768
IntAlertFillWinProcessCurrent
void IntAlertFillWinProcessCurrent(INTRO_PROCESS *EventProcess)
Saves information about the current Windows process inside an alert.
Definition: alerts.c:781
_IG_ARCH_REGS::Cr3
QWORD Cr3
Definition: glueiface.h:54
_IG_SEG_REGS::GsLimit
QWORD GsLimit
Definition: glueiface.h:87
_CONTEXT64::SegSs
WORD SegSs
Definition: wddefs.h:1462
IntTranslateVirtualAddressEx
INTSTATUS IntTranslateVirtualAddressEx(QWORD Gva, QWORD Cr3, DWORD Flags, VA_TRANSLATION *Translation)
Translates a guest virtual address to a guest physical address.
Definition: introcore.c:1863
BUGCHECK_CRITICAL_PROCESS_DIED
#define BUGCHECK_CRITICAL_PROCESS_DIED
Definition: winbugcheck.h:36
_CONTEXT64::Rbx
QWORD Rbx
Definition: wddefs.h:1475
PCHAR
char * PCHAR
Definition: intro_types.h:56
BUGCHECK_INACCESSIBLE_BOOT_DEVICE
#define BUGCHECK_INACCESSIBLE_BOOT_DEVICE
Definition: winbugcheck.h:32
_IG_ARCH_REGS::GdtLimit
QWORD GdtLimit
Definition: glueiface.h:59
_CONTEXT64::R8
QWORD R8
Definition: wddefs.h:1480
WARNING
#define WARNING(fmt,...)
Definition: glue.h:60
_WIN_PROCESS_OBJECT::Pid
DWORD Pid
Process ID (the one used by Windows).
Definition: winprocess.h:98
_CONTEXT64::R13
QWORD R13
Definition: wddefs.h:1485
_KTRAP_FRAME64::Rdi
QWORD Rdi
Definition: wddefs.h:986
_CONTEXT32::Edx
DWORD Edx
Definition: wddefs.h:1551
_GUEST_STATE::CpuCount
DWORD CpuCount
The number of logical CPUs.
Definition: guests.h:275
PAGE_SIZE
#define PAGE_SIZE
Definition: common.h:53
_CONTEXT64::SegEs
WORD SegEs
Definition: wddefs.h:1459
_IG_SEG_REGS::SsLimit
QWORD SsLimit
Definition: glueiface.h:71
_IG_SEG_REGS::EsAr
QWORD EsAr
Definition: glueiface.h:81
_CONTEXT32::SegEs
DWORD SegEs
Definition: wddefs.h:1545
IntMemClkDump
void IntMemClkDump(void)
Dumps all the active cloak regions.
Definition: memcloak.c:1218
__forceinline
#define __forceinline
Definition: introtypes.h:61
_WIN_PROCESS_OBJECT::Peb32Address
QWORD Peb32Address
PEB 32 address (on pure x64 processes, this will be 0).
Definition: winprocess.h:102
_IG_SEG_REGS::CsSelector
QWORD CsSelector
Definition: glueiface.h:68
BUGCHECK_KERNEL_STACK_INPAGE_ERROR
#define BUGCHECK_KERNEL_STACK_INPAGE_ERROR
Definition: winbugcheck.h:30
DWORD
uint32_t DWORD
Definition: intro_types.h:49
_KTRAP_FRAME64::Rdx
QWORD Rdx
Definition: wddefs.h:897
_KTRAP_FRAME64::Rcx
QWORD Rcx
Definition: wddefs.h:896
IntDumpGvaEx
TIMER_FRIENDLY void IntDumpGvaEx(QWORD Gva, DWORD Length, QWORD Cr3, DWORD RowLength, DWORD ElementLength, BOOLEAN LogHeader, BOOLEAN DumpAscii)
This function dumps a given GVA in a user friendly format. This function uses IntDumpBuffer to perfor...
Definition: dumper.c:180
BUGCHECK_PAGE_FAULT_IN_NONPAGED_AREA
#define BUGCHECK_PAGE_FAULT_IN_NONPAGED_AREA
Definition: winbugcheck.h:28
_WIN_PROCESS_OBJECT::OriginalTokenPtr
QWORD OriginalTokenPtr
Original Token pointer inside EPROCESS (should never change).
Definition: winprocess.h:241
_KTSS::Edx
DWORD Edx
Definition: wddefs.h:763
IntLogExceptionRecord
static void IntLogExceptionRecord(QWORD ExceptionRecord)
Logs information about an exception record.
Definition: winbugcheck.c:599
_EFLAGS::PF
DWORD PF
Definition: winbugcheck.h:49
_IG_SEG_REGS::GsBase
QWORD GsBase
Definition: glueiface.h:86
_CONTEXT64::SegDs
WORD SegDs
Definition: wddefs.h:1458
_IG_SEG_REGS::CsLimit
QWORD CsLimit
Definition: glueiface.h:67
_GUEST_STATE::Mm
MM Mm
Guest memory information, such as paging mode, system Cr3 value, etc.
Definition: guests.h:370
_WIN_PROCESS_OBJECT::EprocessAddress
QWORD EprocessAddress
This will be the address of the ActiveProcess field.
Definition: winprocess.h:88
_KTSS
Definition: wddefs.h:750
_IG_SEG_REGS::FsAr
QWORD FsAr
Definition: glueiface.h:85
_KTRAP_FRAME64::Rsp
QWORD Rsp
Definition: wddefs.h:1018
gGuest
GUEST_STATE gGuest
The current guest state.
Definition: guests.c:48
_IG_SEG_REGS::FsSelector
QWORD FsSelector
Definition: glueiface.h:84
BUGCHECK_KERNEL_DATA_INPAGE_ERROR
#define BUGCHECK_KERNEL_DATA_INPAGE_ERROR
Definition: winbugcheck.h:31
_KTSS::Eax
DWORD Eax
Definition: wddefs.h:761
_KTSS::Cs
WORD Cs
Definition: wddefs.h:771
_EXCEPTION_RECORD32::ExceptionAddress
DWORD ExceptionAddress
Definition: wddefs.h:1068
INTRO_OPT_EVENT_OS_CRASH
#define INTRO_OPT_EVENT_OS_CRASH
Enable OS crash events (generates introEventCrashEvent events).
Definition: intro_types.h:431
_KTRAP_FRAME64::R10
QWORD R10
Definition: wddefs.h:900
_EVENT_CRASH_EVENT::Param4
QWORD Param4
Fourth parameter.
Definition: intro_types.h:1810
_CONTEXT32::Eip
DWORD Eip
Definition: wddefs.h:1556
IntWinProcFindObjectByEprocess
PWIN_PROCESS_OBJECT IntWinProcFindObjectByEprocess(QWORD Eprocess)
Finds a process by the address of its _EPROCESS structure.
Definition: winprocesshp.c:23
_IG_ARCH_REGS::Rcx
QWORD Rcx
Definition: glueiface.h:33
_KTSS::Ebp
DWORD Ebp
Definition: wddefs.h:766
_VA_TRANSLATION::VirtualAddress
QWORD VirtualAddress
The translated virtual address.
Definition: introcore.h:105
IntKernVirtMemRead
INTSTATUS IntKernVirtMemRead(QWORD KernelGva, DWORD Length, void *Buffer, DWORD *RetLength)
Reads data from a guest kernel virtual memory range.
Definition: introcore.c:674
IntDriverFindByAddress
KERNEL_DRIVER * IntDriverFindByAddress(QWORD Gva)
Returns the driver in which Gva resides.
Definition: drivers.c:164
_KTRAP_FRAME64::EFlags
DWORD EFlags
Definition: wddefs.h:1016
NLOG
#define NLOG(fmt,...)
Definition: glue.h:43
_CONTEXT64::SegCs
WORD SegCs
Definition: wddefs.h:1457
_IG_ARCH_REGS::Cr4
QWORD Cr4
Definition: glueiface.h:53
BUGCHECK_UNEXPECTED_KERNEL_MODE_TRAP
#define BUGCHECK_UNEXPECTED_KERNEL_MODE_TRAP
Definition: winbugcheck.h:34
BUGCHEDCK_CRITICAL_STRUCTURE_CORRUPTION
#define BUGCHEDCK_CRITICAL_STRUCTURE_CORRUPTION
Definition: winbugcheck.h:37
_VA_TRANSLATION
Encapsulates information about a virtual to physical memory translation.
Definition: introcore.h:102
_GUEST_STATE::KernelDriver
KERNEL_DRIVER * KernelDriver
Points to the driver object that describes the kernel image.
Definition: guests.h:381
utf16_for_log
char * utf16_for_log(const WCHAR *WString)
Converts a UTF-16 to a UTF-8 string to be used inside logging macros.
Definition: introcore.c:2845
_CONTEXT64::R14
QWORD R14
Definition: wddefs.h:1486
INT_STATUS_INVALID_PARAMETER_1
#define INT_STATUS_INVALID_PARAMETER_1
Definition: introstatus.h:62
_CONTEXT32::Edi
DWORD Edi
Definition: wddefs.h:1548
gVcpu
VCPU_STATE * gVcpu
The state of the current VCPU.
Definition: guests.c:57
_KTSS::Esp
DWORD Esp
Definition: wddefs.h:765
MODULE_NAMES_TO_PRINT
#define MODULE_NAMES_TO_PRINT
IG_CS_TYPE_64B
64-bit selector.
Definition: glueiface.h:188
IntLogGuestRegisters
static void IntLogGuestRegisters(void)
Logs the guest register state.
Definition: winbugcheck.c:186
_KTSS::Gs
WORD Gs
Definition: wddefs.h:779
_IG_ARCH_REGS::Dr7
QWORD Dr7
Definition: glueiface.h:50
_EXCEPTION_RECORD64::ExceptionFlags
DWORD ExceptionFlags
Definition: wddefs.h:1047
IntLogProcessInfo
static void IntLogProcessInfo(void)
Logs information about the current process.
Definition: winbugcheck.c:266
IntLogCriticalProcessHasDied
static void IntLogCriticalProcessHasDied(QWORD Param1, QWORD Param2)
Handles a BUGCHECK_CRITICAL_PROCESS_DIED bug check.
Definition: winbugcheck.c:664
IntLogCriticalStructureCoruption
static void IntLogCriticalStructureCoruption(QWORD Param3, QWORD Param4)
Handles a BUGCHEDCK_CRITICAL_STRUCTURE_CORRUPTION bug check.
Definition: winbugcheck.c:701
_CONTEXT64::R10
QWORD R10
Definition: wddefs.h:1482
_IG_ARCH_REGS
Holds register state.
Definition: glueiface.h:30
_KTRAP_FRAME64::R11
QWORD R11
Definition: wddefs.h:901
IntGetSegs
INTSTATUS IntGetSegs(DWORD CpuNumber, PIG_SEG_REGS Regs)
Read the guest segment registers.
Definition: introcpu.c:995
_EFLAGS::ZF
DWORD ZF
Definition: winbugcheck.h:53
_EXCEPTION_RECORD32::ExceptionFlags
DWORD ExceptionFlags
Definition: wddefs.h:1066
_KTRAP_FRAME64::Rsi
QWORD Rsi
Definition: wddefs.h:987
_CONTEXT64::EFlags
DWORD EFlags
Definition: wddefs.h:1463
TRACE_LIMIT_X64
#define TRACE_LIMIT_X64
CHAR
char CHAR
Definition: intro_types.h:56
_CONTEXT32::SegGs
DWORD SegGs
Definition: wddefs.h:1543
_KTRAP_FRAME64::Rbx
QWORD Rbx
Definition: wddefs.h:985
_CONTEXT64
Context Frame for 64-bit guests.
Definition: wddefs.h:1445
_IG_ARCH_REGS::Cr2
QWORD Cr2
Definition: glueiface.h:48
_CONTEXT32::Esp
DWORD Esp
Definition: wddefs.h:1559
_IG_ARCH_REGS::IdtBase
QWORD IdtBase
Definition: glueiface.h:56
PAGE_MASK
#define PAGE_MASK
Definition: pgtable.h:35
_EVENT_CRASH_EVENT::Param2
QWORD Param2
Second parameter.
Definition: intro_types.h:1808
_IG_SEG_REGS::EsBase
QWORD EsBase
Definition: glueiface.h:78
BUGCHECK_BAD_POOL_HEADER
#define BUGCHECK_BAD_POOL_HEADER
Definition: winbugcheck.h:23
_KTSS::Eip
DWORD Eip
Definition: wddefs.h:759
_GUEST_STATE::CoreOptions
INTRO_PROT_OPTIONS CoreOptions
The activation and protection options for this guest.
Definition: guests.h:267
IntDecDecodeInstruction
INTSTATUS IntDecDecodeInstruction(IG_CS_TYPE CsType, QWORD Gva, void *Instrux)
Decode an instruction from the provided guest linear address.
Definition: decoder.c:180
BUGCHECK_NAME
#define BUGCHECK_NAME(x)
_EXCEPTION_RECORD64
An _EXCEPTION_RECORD structure used by 64-bit guests.
Definition: wddefs.h:1043
BUGCHECK_IRQL_NOT_LESS_OR_EQUAL
#define BUGCHECK_IRQL_NOT_LESS_OR_EQUAL
Definition: winbugcheck.h:22
_IG_SEG_REGS::DsLimit
QWORD DsLimit
Definition: glueiface.h:75
_WIN_PROCESS_OBJECT
This structure describes a running process inside the guest.
Definition: winprocess.h:81
_KTRAP_FRAME64::R9
QWORD R9
Definition: wddefs.h:899
_WINUM_PATH::Path
WCHAR * Path
The string which represents the user-mode module path.
Definition: winumpath.h:17
_IG_SEG_REGS::EsLimit
QWORD EsLimit
Definition: glueiface.h:79
IntLogContextRecord
static void IntLogContextRecord(QWORD ContextRecord)
Logs information about a context record.
Definition: winbugcheck.c:526