public void Exception(ref _EXCEPTION_RECORD64 Exception, uint FirstChance)
{
if (FirstChance != 1)
{
// Save the dump
client.WriteDumpFile(dumpPath, (uint)(miniDump ? Defines.DebugDumpSmall : Defines.DebugDumpDefault));
dumpTaken = true;
}
}
public void Exception(ref _EXCEPTION_RECORD64 Exception, uint FirstChance)
{
if (FirstChance != 1)
{
// Save the dump
client.WriteDumpFile2(dumpPath, (uint)Defines.DebugDumpSmall, (uint)(miniDump ? Defines.DebugFormatDefault : Defines.DebugFormatUserSmallFullMemory | Defines.DebugFormatUserSmallHandleData));
dumpTaken = true;
}
}
public void Exception(ref _EXCEPTION_RECORD64 Exception, uint FirstChance)
{
throw new NotImplementedException();
}
public void Exception(ref _EXCEPTION_RECORD64 Exception, uint FirstChance)
{
throw new NotImplementedException();
}
public void Exception(ref _EXCEPTION_RECORD64 Exception, uint FirstChance)
{
logger.Debug("Exception: Code: 0x{0:x8}, First Chance: {1}", Exception.ExceptionCode, FirstChance);
bool handle = false;
if (FirstChance == 1)
{
if (_engine.skipFirstChanceGuardPageException && Exception.ExceptionCode == 0x80000001)
{
return;
}
// Guard page or illegal op
if (Exception.ExceptionCode == 0x80000001 || Exception.ExceptionCode == 0xC000001D)
{
handle = true;
}
// Access violation
if (Exception.ExceptionCode == 0xC0000005)
{
// http://msdn.microsoft.com/en-us/library/windows/desktop/aa363082(v=vs.85).aspx
// A/V on EIP
if (Exception.ExceptionInformation[0] == 0)
{
handle = true;
}
// write a/v
else if (Exception.ExceptionInformation[0] == 1 && Exception.ExceptionInformation[1] != 0)
{
handle = true;
}
// DEP
else if (Exception.ExceptionInformation[0] == 8)
{
handle = true;
}
}
// Skip uninteresting first chance
if (!handle)
{
return;
}
}
if (_engine.skipSecondChangeGuardPageException && FirstChance == 0 && Exception.ExceptionCode == 0x80000001)
{
return;
}
// Don't recurse
if (_engine.handlingException.WaitOne(0, false) || _engine.handledException.WaitOne(0, false))
{
return;
}
// ////////////////////////////////////////////////////////////////////////////////////////////////////////
try
{
_engine.handlingException.Set();
// 1. Output registers
_engine.dbgControl.Execute((uint)Const.DEBUG_OUTCTL_THIS_CLIENT, "r", (uint)Const.DEBUG_EXECUTE_ECHO);
_engine.dbgControl.Execute((uint)Const.DEBUG_OUTCTL_THIS_CLIENT, "rF", (uint)Const.DEBUG_EXECUTE_ECHO);
_engine.dbgControl.Execute((uint)Const.DEBUG_OUTCTL_THIS_CLIENT, "rX", (uint)Const.DEBUG_EXECUTE_ECHO);
_engine.output.Append("\n\n");
// 2. Output stacktrace
// Note: There is a known bug in dbgeng that can cause stack traces to take days due to issues in
// resolving symbols. There is no known work arround. We need the ability to skip a stacktrace
// when this occurs.
_engine.dbgControl.Execute((uint)Const.DEBUG_OUTCTL_THIS_CLIENT, "kb", (uint)Const.DEBUG_EXECUTE_ECHO);
_engine.output.Append("\n\n");
// 3. Dump File
// Note: This can cause hangs on a bad day. Don't think it's all that important, so skipping.
// 4. !exploitable
// TODO - Load correct version of !exploitable
if (IntPtr.Size == 4)
{
// 32bit
string path = Assembly.GetExecutingAssembly().Location;
path = Path.GetDirectoryName(path);
path = Path.Combine(path, "Debuggers\\DebugEngine\\msec86.dll");
_engine.dbgControl.Execute((uint)Const.DEBUG_OUTCTL_THIS_CLIENT, ".load " + path, (uint)Const.DEBUG_EXECUTE_ECHO);
}
else
{
// 64bit
string path = Assembly.GetExecutingAssembly().Location;
path = Path.GetDirectoryName(path);
path = Path.Combine(path, "Debuggers\\DebugEngine\\msec64.dll");
_engine.dbgControl.Execute((uint)Const.DEBUG_OUTCTL_THIS_CLIENT, ".load " + path, (uint)Const.DEBUG_EXECUTE_ECHO);
}
_engine.dbgControl.Execute((uint)Const.DEBUG_OUTCTL_THIS_CLIENT, "!exploitable -m", (uint)Const.DEBUG_EXECUTE_ECHO);
_engine.output.Replace("\x0a", "\r\n");
string output = _engine.output.ToString();
Fault fault = new Fault();
fault.type = FaultType.Fault;
fault.detectionSource = "WindowsDebugEngine";
fault.majorHash = reMajorHash.Match(output).Groups[1].Value;
fault.minorHash = reMinorHash.Match(output).Groups[1].Value;
fault.exploitability = reClassification.Match(output).Groups[1].Value;
fault.title = reShortDescription.Match(output).Groups[1].Value;
fault.collectedData.Add(new Fault.Data("StackTrace.txt", Encoding.UTF8.GetBytes(output)));
fault.description = output;
_engine.crashInfo = fault;
}
catch (Exception ex)
{
logger.Debug(ex);
throw;
}
finally
{
//_engine.dbgClient.TerminateProcesses();
//_engine.dbgClient.EndSession((uint)Const.DEBUG_END_PASSIVE);
//_engine.dbgClient.EndSession((uint)Const.DEBUG_END_ACTIVE_TERMINATE);
_engine.handledException.Set();
}
}
public void Exception(ref _EXCEPTION_RECORD64 Exception, uint FirstChance)
{
if (FirstChance != 1)
{
// Save the dump
client.WriteDumpFile2(dumpPath, (uint)Defines.DebugDumpSmall, (uint)(miniDump ? Defines.DebugFormatDefault : Defines.DebugFormatUserSmallFullMemory | Defines.DebugFormatUserSmallHandleData));
dumpTaken = true;
}
}
public void Exception(ref _EXCEPTION_RECORD64 Exception, uint FirstChance)
{
}
