public void Exception(ref _EXCEPTION_RECORD64 Exception, uint FirstChance) { if (FirstChance != 1) { // Save the dump client.WriteDumpFile(dumpPath, (uint)(miniDump ? Defines.DebugDumpSmall : Defines.DebugDumpDefault)); dumpTaken = true; } }
public void Exception(ref _EXCEPTION_RECORD64 Exception, uint FirstChance) { if (FirstChance != 1) { // Save the dump client.WriteDumpFile2(dumpPath, (uint)Defines.DebugDumpSmall, (uint)(miniDump ? Defines.DebugFormatDefault : Defines.DebugFormatUserSmallFullMemory | Defines.DebugFormatUserSmallHandleData)); dumpTaken = true; } }
public void Exception(ref _EXCEPTION_RECORD64 Exception, uint FirstChance) { throw new NotImplementedException(); }
public void Exception(ref _EXCEPTION_RECORD64 Exception, uint FirstChance) { logger.Debug("Exception: Code: 0x{0:x8}, First Chance: {1}", Exception.ExceptionCode, FirstChance); bool handle = false; if (FirstChance == 1) { if (_engine.skipFirstChanceGuardPageException && Exception.ExceptionCode == 0x80000001) { return; } // Guard page or illegal op if (Exception.ExceptionCode == 0x80000001 || Exception.ExceptionCode == 0xC000001D) { handle = true; } // Access violation if (Exception.ExceptionCode == 0xC0000005) { // http://msdn.microsoft.com/en-us/library/windows/desktop/aa363082(v=vs.85).aspx // A/V on EIP if (Exception.ExceptionInformation[0] == 0) { handle = true; } // write a/v else if (Exception.ExceptionInformation[0] == 1 && Exception.ExceptionInformation[1] != 0) { handle = true; } // DEP else if (Exception.ExceptionInformation[0] == 8) { handle = true; } } // Skip uninteresting first chance if (!handle) { return; } } if (_engine.skipSecondChangeGuardPageException && FirstChance == 0 && Exception.ExceptionCode == 0x80000001) { return; } // Don't recurse if (_engine.handlingException.WaitOne(0, false) || _engine.handledException.WaitOne(0, false)) { return; } // //////////////////////////////////////////////////////////////////////////////////////////////////////// try { _engine.handlingException.Set(); // 1. Output registers _engine.dbgControl.Execute((uint)Const.DEBUG_OUTCTL_THIS_CLIENT, "r", (uint)Const.DEBUG_EXECUTE_ECHO); _engine.dbgControl.Execute((uint)Const.DEBUG_OUTCTL_THIS_CLIENT, "rF", (uint)Const.DEBUG_EXECUTE_ECHO); _engine.dbgControl.Execute((uint)Const.DEBUG_OUTCTL_THIS_CLIENT, "rX", (uint)Const.DEBUG_EXECUTE_ECHO); _engine.output.Append("\n\n"); // 2. Output stacktrace // Note: There is a known bug in dbgeng that can cause stack traces to take days due to issues in // resolving symbols. There is no known work arround. We need the ability to skip a stacktrace // when this occurs. _engine.dbgControl.Execute((uint)Const.DEBUG_OUTCTL_THIS_CLIENT, "kb", (uint)Const.DEBUG_EXECUTE_ECHO); _engine.output.Append("\n\n"); // 3. Dump File // Note: This can cause hangs on a bad day. Don't think it's all that important, so skipping. // 4. !exploitable // TODO - Load correct version of !exploitable if (IntPtr.Size == 4) { // 32bit string path = Assembly.GetExecutingAssembly().Location; path = Path.GetDirectoryName(path); path = Path.Combine(path, "Debuggers\\DebugEngine\\msec86.dll"); _engine.dbgControl.Execute((uint)Const.DEBUG_OUTCTL_THIS_CLIENT, ".load " + path, (uint)Const.DEBUG_EXECUTE_ECHO); } else { // 64bit string path = Assembly.GetExecutingAssembly().Location; path = Path.GetDirectoryName(path); path = Path.Combine(path, "Debuggers\\DebugEngine\\msec64.dll"); _engine.dbgControl.Execute((uint)Const.DEBUG_OUTCTL_THIS_CLIENT, ".load " + path, (uint)Const.DEBUG_EXECUTE_ECHO); } _engine.dbgControl.Execute((uint)Const.DEBUG_OUTCTL_THIS_CLIENT, "!exploitable -m", (uint)Const.DEBUG_EXECUTE_ECHO); _engine.output.Replace("\x0a", "\r\n"); string output = _engine.output.ToString(); Fault fault = new Fault(); fault.type = FaultType.Fault; fault.detectionSource = "WindowsDebugEngine"; fault.majorHash = reMajorHash.Match(output).Groups[1].Value; fault.minorHash = reMinorHash.Match(output).Groups[1].Value; fault.exploitability = reClassification.Match(output).Groups[1].Value; fault.title = reShortDescription.Match(output).Groups[1].Value; fault.collectedData.Add(new Fault.Data("StackTrace.txt", Encoding.UTF8.GetBytes(output))); fault.description = output; _engine.crashInfo = fault; } catch (Exception ex) { logger.Debug(ex); throw; } finally { //_engine.dbgClient.TerminateProcesses(); //_engine.dbgClient.EndSession((uint)Const.DEBUG_END_PASSIVE); //_engine.dbgClient.EndSession((uint)Const.DEBUG_END_ACTIVE_TERMINATE); _engine.handledException.Set(); } }
public void Exception(ref _EXCEPTION_RECORD64 Exception, uint FirstChance) { }