6 #ifdef INT_COMPILER_MSVC 7 #include "../../autogen/ver.h" 8 #endif // INT_COMPILER_MSVC 59 ERROR(
"[ERROR] IntGetCurrentMode failed: 0x%08x\n", status);
63 memcpy(&ExecContext->Registers, pRegs,
sizeof(ExecContext->Registers));
66 Cr3, ExecContext->RipCode, NULL);
95 DWORD startOffset, endOffset, totalSize;
96 DWORD patternSize, cbCount, csType;
102 patternSize = ripCb = cbCount = 0;
107 ERROR(
"[ERROR] IntGetCurrentMode failed: 0x%08x\n", status);
113 ERROR(
"[ERROR] Unsupported CS type: %d\n", csType);
170 totalSize = endOffset - startOffset;
173 memzero(gPatterns,
sizeof(gPatterns));
178 WARNING(
"[WARNING] IntVirtMemMap failed for RIP %llx and cr3 %llx: 0x%08x\n",
179 Rip & PAGE_MASK, Cr3, status);
195 WARNING(
"[WARNNING] Buffer too small to extract codeblocks (size %d): 0x%08x\n", totalSize, status);
199 ERROR(
"[ERROR] IntFragExtractCodePattern: 0x%08x\n", status);
202 goto unmap_and_leave;
207 WARNING(
"[WARNING] Could not extract enough code-blocks from RIP %llx: %d\n", Rip, patternSize);
209 goto unmap_and_leave;
254 for (
DWORD i = 0; i < cbCount; i++)
256 if (i == 0 &&
gCodeBlocks[i].OffsetStart >= ripOffset)
261 else if (i == cbCount - 1 || (previous <= ripOffset && ripOffset <=
gCodeBlocks[i].OffsetStart))
292 CodeBlocks->Rip = Rip;
293 CodeBlocks->Count = 0;
295 for (
DWORD i = startCb; i < cbCount; i++)
297 CodeBlocks->CodeBlocks[CodeBlocks->Count].Offset = (
WORD)
gCodeBlocks[i].OffsetStart;
300 CODE_BLOCK_CHUNKS_COUNT,
304 CodeBlocks->RipCbIndex = CodeBlocks->Count;
315 CodeBlocks->Valid =
TRUE;
346 Header->VerInfo.IntroMajor = INTRO_VERSION_MAJOR;
347 Header->VerInfo.IntroMinor = INTRO_VERSION_MINOR;
348 Header->VerInfo.IntroRevision = INTRO_VERSION_REVISION;
349 Header->VerInfo.IntroBuildNumber = INTRO_VERSION_BUILDNUMBER;
356 &Header->VerInfo.CamiMinor,
357 &Header->VerInfo.CamiBuildNumber);
360 WARNING(
"[WARNING] IntCamiGetVersion failed: 0x%08x\n", status);
391 WARNING(
"[WARNING] IntGetCurrentRing failed: 0x%08x\n", status);
456 WARNING(
"[WARNING] IntGetCurrentRing failed: 0x%08x\n", status);
485 flags |= AdditionalFlags;
505 CpuContext->Valid =
TRUE;
514 sizeof(CpuContext->Instruction),
515 CpuContext->Instruction);
537 WriteInfo->Size = Victim->WriteInfo.AccessSize;
539 memcpy(WriteInfo->NewValue, Victim->WriteInfo.NewValue,
MIN(
sizeof(WriteInfo->NewValue), WriteInfo->Size));
540 memcpy(WriteInfo->OldValue, Victim->WriteInfo.OldValue,
MIN(
sizeof(WriteInfo->OldValue), WriteInfo->Size));
561 ReadInfo->Size = Victim->ReadInfo.AccessSize;
563 memcpy(ReadInfo->Value, Victim->ReadInfo.Value,
MIN(
sizeof(ReadInfo->Value), ReadInfo->Size));
584 ExecInfo->Length = Victim->ExecInfo.Length;
585 ExecInfo->Rsp = Victim->ExecInfo.Rsp;
586 ExecInfo->StackBase = Victim->ExecInfo.StackBase;
587 ExecInfo->StackLimit = Victim->ExecInfo.StackLimit;
603 if (NULL == DriverObject)
610 EventDrvObj->Valid =
TRUE;
611 EventDrvObj->Address = DriverObject->DriverObjectGva;
612 EventDrvObj->Owner = DriverObject->Owner;
630 EventModule->Valid =
FALSE;
634 if (NULL != Driver->Win.Path && Driver->Win.Path[0] != u
'\0')
639 if (NULL != Driver->Name && *(
WCHAR *)Driver->Name != u
'\0')
644 EventModule->Base = Driver->BaseVa;
645 EventModule->Size = (
DWORD)Driver->Size;
646 EventModule->TimeDateStamp = Driver->Win.TimeDateStamp;
648 EventModule->Valid =
TRUE;
666 EventModule->Valid =
FALSE;
670 if (NULL != Module->Path && Module->Path->Path[0] != u
'\0')
676 EventModule->Base = Module->VirtualBase;
677 EventModule->Size = Module->Size;
681 EventModule->TimeDateStamp = Module->Cache->Info.TimeDateStamp;
684 EventModule->Valid =
TRUE;
701 QWORD ethreadGva = 0;
708 EventProcess->Cr3 = Process->Cr3;
709 EventProcess->CreationTime = Process->CreationTime;
710 EventProcess->Pid = Process->Pid;
712 strlcpy(EventProcess->ImageName, Process->Name,
sizeof(EventProcess->ImageName));
714 if (NULL != Process->Path)
716 wstrlcpy(EventProcess->Path, Process->Path->Path,
ARRAYSIZE(EventProcess->Path));
719 EventProcess->Valid =
TRUE;
727 EventProcess->SecurityInfo.WindowsToken.ImpersonationToken =
TRUE;
728 goto _skip_process_token;
733 Process->EprocessAddress,
734 &EventProcess->SecurityInfo.WindowsToken);
737 EventProcess->SecurityInfo.WindowsToken.Valid =
FALSE;
741 EventProcess->SecurityInfo.WindowsToken.Valid =
TRUE;
745 if (Process->CommandLine != NULL)
747 strlcpy(EventProcess->CmdLine, Process->CommandLine,
sizeof(EventProcess->CmdLine));
750 EventProcess->Context = Process->Context;
751 EventProcess->Wow64 = !!Process->Wow64Process;
772 EventProcess->Valid =
FALSE;
798 EventProcess->Valid =
FALSE;
822 if (Originator->Return.Library)
826 EptViolation->ReturnRip = Originator->Return.Rip;
845 if (Originator->Original.Driver)
849 memcpy(EptViolation->RipSectionName,
850 Originator->Original.Section,
851 sizeof(EptViolation->RipSectionName));
854 if (Originator->Return.Driver)
858 memcpy(EptViolation->ReturnRipSectionName,
859 Originator->Return.Section,
860 sizeof(EptViolation->ReturnRipSectionName));
863 EptViolation->ReturnRip = Originator->Return.Rip;
880 switch (Victim->Object.Type)
892 if (Victim->Object.Module.Module)
904 memcpy(EptViolation->ModifiedSectionName,
905 Victim->Object.Module.SectionName,
906 sizeof(EptViolation->ModifiedSectionName));
919 ERROR(
"[ERROR] IntDriverFindByAddress for GVA 0x%016llx\n", Victim->WriteInfo.OldValue[0]);
927 (
DWORD)(Victim->WriteInfo.OldValue[0] - pDriver->
BaseVa),
929 EptViolation->FunctionName);
936 (
DWORD)(Victim->WriteInfo.OldValue[0] - pDriver->
BaseVa),
938 EptViolation->FunctionName);
943 WARNING(
"[WARNING] IntPeGetExportNameByRva failed for module 0x%016llx, " 944 "RVA %x, GVA 0x%016llx: 0x%08x\n",
946 (
DWORD)(Victim->WriteInfo.OldValue[0] - pDriver->
BaseVa),
947 Victim->WriteInfo.OldValue[0],
960 (
DWORD)(Victim->Ept.Gva - Victim->Object.BaseAddress),
970 (
DWORD)(Victim->Ept.Gva - Victim->Object.BaseAddress),
977 functionStart = (
DWORD)(Victim->Ept.Gva - Victim->Object.BaseAddress);
986 EptViolation->FunctionName);
995 EptViolation->FunctionName);
999 WARNING(
"[WARNING] IntPeGetExportNameByRva failed for module 0x%016llx, " 1000 "RVA %x, GVA 0x%016llx: 0x%08x\n",
1001 Victim->Object.BaseAddress,
1002 (
DWORD)(Victim->Ept.Gva - Victim->Object.BaseAddress),
1038 EptViolation->Victim.IdtEntry = (
BYTE)((Victim->Ept.Gva - Victim->Object.BaseAddress) /
1047 if (pModule != NULL)
1052 if (NULL != pModule && NULL == Victim->Object.Library.Export)
1055 if (pExport != NULL)
1059 strlcpy(EptViolation->Export.Name[export],
1060 pExport->
Names[export],
1066 EptViolation->Export.Delta = (
DWORD)(Victim->Ept.Gva - pModule->
VirtualBase - pExport->
Rva);
1074 else if (Victim->Object.Library.Export != NULL)
1080 strlcpy(EptViolation->Export.Name[export], pExport->
Names[export],
1085 strlcpy(EptViolation->FunctionName,
1091 if (pModule != NULL)
1093 EptViolation->Export.Delta = (
DWORD)(Victim->Ept.Gva - pModule->
VirtualBase - pExport->
Rva);
1094 EptViolation->Delta =
1095 (
DWORD)(Victim->Ept.Gva - pModule->
VirtualBase - Victim->Object.Library.Export->Rva);
1101 strlcpy(EptViolation->FunctionName,
"<not_read>",
sizeof(EptViolation->FunctionName));
1111 WARNING(
"[WARNING] Shouldn't reach here (for now). Type is %d...\n", Victim->Object.Type);
1115 EptViolation->Victim.Type = Victim->Object.Type;
1117 EptViolation->Offset = Victim->Ept.Gva &
PAGE_OFFSET;
1118 EptViolation->VirtualPage = Victim->Ept.Gva &
PAGE_MASK;
1120 EptViolation->HookStartVirtual = Victim->Object.BaseAddress;
1124 &EptViolation->HookStartPhysical);
1126 EptViolation->ZoneTypes = Victim->ZoneFlags;
1166 MsrViolation->Victim.Msr = Victim->Msr.Msr;
1192 DtrViolation->Victim.Type = Victim->Dtr.Type;
1226 CrViolation->Victim.Cr = Victim->Cr.Cr;
1251 if (Driver->NameLength > 0 && *(
char *)Driver->Name)
1256 EventModule->Base = Driver->BaseVa;
1257 EventModule->Size = (
DWORD)Driver->Size;
1259 EventModule->Valid =
TRUE;
1280 EventProcess->Valid =
TRUE;
1281 EventProcess->Cr3 = Task->Cr3;
1282 EventProcess->CreationTime = Task->CreationTime;
1283 EventProcess->Pid = Task->Pid;
1286 if (Task->Comm[0] != 0)
1288 strlcpy(EventProcess->ImageName, Task->Comm,
sizeof(EventProcess->ImageName));
1290 else if (Task->Path)
1292 strlcpy(EventProcess->ImageName, Task->Path->Name,
sizeof(EventProcess->ImageName));
1297 strlcpy(EventProcess->CmdLine, Task->CmdLine,
sizeof(EventProcess->CmdLine));
1305 EventProcess->Context = Task->Context;
1322 EventProcess->Valid =
FALSE;
1342 if (NULL == Connection)
1347 memzero(Event,
sizeof(*Event));
1349 Event->Family = Connection->AddressFamily;
1350 Event->State = Connection->State;
1352 Event->LocalPort = Connection->LocalPort;
1353 Event->RemotePort = Connection->RemotePort;
1355 memcpy(&Event->LocalAddress, &Connection->LocalAddress,
sizeof(Event->LocalAddress));
1357 memcpy(&Event->RemoteAddress, &Connection->RemoteAddress,
sizeof(Event->RemoteAddress));
1386 if (NULL == CollectedExtraInfo)
1391 if (NULL == VictimProcess)
1406 ExtraInfo->DpiPivotedStack.CurrentStack = CollectedExtraInfo->DpiPivotedStackExtraInfo.CurrentStack;
1407 ExtraInfo->DpiPivotedStack.StackBase = CollectedExtraInfo->DpiPivotedStackExtraInfo.StackBase;
1408 ExtraInfo->DpiPivotedStack.StackLimit = CollectedExtraInfo->DpiPivotedStackExtraInfo.StackLimit;
1409 ExtraInfo->DpiPivotedStack.Wow64CurrentStack = CollectedExtraInfo->DpiPivotedStackExtraInfo.CurrentWow64Stack;
1410 ExtraInfo->DpiPivotedStack.Wow64StackBase = CollectedExtraInfo->DpiPivotedStackExtraInfo.Wow64StackBase;
1411 ExtraInfo->DpiPivotedStack.Wow64StackLimit = CollectedExtraInfo->DpiPivotedStackExtraInfo.Wow64StackLimit;
1413 IntVirtMemRead(CollectedExtraInfo->DpiPivotedStackExtraInfo.TrapFrameAddress,
1414 MIN(sz,
sizeof(ExtraInfo->DpiPivotedStack.TrapFrameContent)),
1416 ExtraInfo->DpiPivotedStack.TrapFrameContent,
1422 CollectedExtraInfo->DpiStolenTokenExtraInfo.StolenFromEprocess);
1428 WORD maxNumberOfHeapVals = 0;
1429 DWORD detectedPage = 0, maxPageHeapVals = 0;
1431 ExtraInfo->DpiHeapSpray.ShellcodeFlags = CollectedExtraInfo->DpiHeapSprayExtraInfo.ShellcodeFlags;
1435 DWORD checkedPage = ((val << 24) | (val << 16) | (val << 8) | val) &
PAGE_MASK;
1437 ExtraInfo->DpiHeapSpray.HeapPages[val - 1].Mapped =
1438 CollectedExtraInfo->DpiHeapSprayExtraInfo.HeapPages[val - 1].Mapped;
1439 ExtraInfo->DpiHeapSpray.HeapPages[val - 1].Detected =
1440 CollectedExtraInfo->DpiHeapSprayExtraInfo.HeapPages[val - 1].Detected;
1441 ExtraInfo->DpiHeapSpray.HeapPages[val - 1].HeapValCount =
1442 CollectedExtraInfo->DpiHeapSprayExtraInfo.HeapPages[val - 1].HeapValCount;
1443 ExtraInfo->DpiHeapSpray.HeapPages[val - 1].Offset =
1444 CollectedExtraInfo->DpiHeapSprayExtraInfo.HeapPages[val - 1].Offset;
1445 ExtraInfo->DpiHeapSpray.HeapPages[val - 1].Executable =
1446 CollectedExtraInfo->DpiHeapSprayExtraInfo.HeapPages[val - 1].Executable;
1448 if (CollectedExtraInfo->DpiHeapSprayExtraInfo.HeapPages[val - 1].Detected)
1450 detectedPage = checkedPage;
1454 if (CollectedExtraInfo->DpiHeapSprayExtraInfo.HeapPages[val - 1].HeapValCount >= maxNumberOfHeapVals &&
1455 CollectedExtraInfo->DpiHeapSprayExtraInfo.HeapPages[val - 1].Mapped)
1457 maxNumberOfHeapVals = (
WORD)CollectedExtraInfo->DpiHeapSprayExtraInfo.HeapPages[val - 1].HeapValCount;
1458 maxPageHeapVals = checkedPage;
1464 if (0 != detectedPage)
1472 ExtraInfo->DpiHeapSpray.MaxHeapValPageContent,
1477 ExtraInfo->DpiTokenPrivs.OldEnabled = CollectedExtraInfo->DpiTokenPrivsExtraInfo.OldEnabled;
1478 ExtraInfo->DpiTokenPrivs.OldPresent = CollectedExtraInfo->DpiTokenPrivsExtraInfo.OldPresent;
1479 ExtraInfo->DpiTokenPrivs.NewEnabled = CollectedExtraInfo->DpiTokenPrivsExtraInfo.NewEnabled;
1480 ExtraInfo->DpiTokenPrivs.NewPresent = CollectedExtraInfo->DpiTokenPrivsExtraInfo.NewPresent;
1484 ExtraInfo->DpiThreadStart.ShellcodeFlags = CollectedExtraInfo->DpiThreadStartExtraInfo.ShellcodeFlags;
1485 ExtraInfo->DpiThreadStart.StartAddress = CollectedExtraInfo->DpiThreadStartExtraInfo.StartAddress;
1490 ExtraInfo->DpiThreadStart.StartPage,
1499 CollectedExtraInfo->DpiSecDescAclExtraInfo.SecDescStolenFromEproc),
1500 &ExtraInfo->DpiSecDescAcl.SecDescStolenFrom);
1502 ExtraInfo->DpiSecDescAcl.NewPointerValue = CollectedExtraInfo->DpiSecDescAclExtraInfo.NewPtrValue;
1503 ExtraInfo->DpiSecDescAcl.OldPointerValue = CollectedExtraInfo->DpiSecDescAclExtraInfo.OldPtrValue;
1507 ExtraInfo->DpiSecDescAcl.NewSacl);
1510 ExtraInfo->DpiSecDescAcl.NewDacl);
1513 ExtraInfo->DpiSecDescAcl.OldSacl);
1516 ExtraInfo->DpiSecDescAcl.OldDacl);
#define DESCRIPTOR_SIZE_32
enum _INTRO_ACTION_REASON INTRO_ACTION_REASON
The reason for which an INTRO_ACTION was taken.
#define ALERT_FLAG_ANTIVIRUS
If set, the alert is on anti virus object.
INTSTATUS IntPeFindFunctionStart(QWORD ImageBase, BYTE *ImageBaseBuffer, DWORD Rva, DWORD *BeginAddress)
Find the start address of a function, given a Rva pointing inside of it.
#define HEAP_SPRAY_NR_PAGES
void IntAlertEptFillFromVictimZone(const EXCEPTION_VICTIM_ZONE *Victim, EVENT_EPT_VIOLATION *EptViolation)
Fills the victim information inside an EPT alert.
INTSTATUS IntVirtMemUnmap(void **HostPtr)
Unmaps a memory range previously mapped with IntVirtMemMap.
The creation of a process was attempted while the parent had its heap sprayed.
Event structure for CR violation.
void IntAlertFillExecInfo(const EXCEPTION_VICTIM_ZONE *Victim, INTRO_EXEC_INFO *ExecInfo)
Fills the execution information for an alert.
A mov using a segment:offset.
Kernel module (ntoskrnl.exe, hal.dll, etc.).
INTSTATUS IntFragExtractCodePattern(PBYTE Buffer, DWORD StartOffset, DWORD MaxBufferSize, IG_CS_TYPE CsType, CB_EXTRACT_LEVEL ExtractLevel, DWORD PatternSize, CODE_BLOCK_PATTERN *Pattern, DWORD *TotalExtracted)
Extract a pattern of code-blocks from the given code buffer.
WINDOWS_GUEST * gWinGuest
Global variable holding the state of a Windows guest.
#define ALERT_MAX_FUNCTIONS
The maximum number of functions included in an alert structure.
IG_ARCH_REGS Regs
The current state of the guest registers.
DWORD Index
The VCPU number.
DWORD Crc32Compute(const void *Buffer, size_t Size, DWORD InitialCrc)
Computes the CRC for a byte array.
struct _CODE_BLOCK_PATTERN CODE_BLOCK_PATTERN
QWORD SystemCr3
The Cr3 used to map the kernel.
#define INT_STATUS_SUCCESS
Fast IO Dispatch (Windows only).
void IntAlertFillConnection(const INTRONET_ENDPOINT *Connection, EVENT_CONNECTION_EVENT *Event)
Saves information about a guest connection in an event.
Infinity hook modifications of WMI_LOGGER_CONTEXT.GetCpuClock.
Non-conditional jump, of any kind.
User-mode non executable zone.
void IntAlertFillWinProcessByCr3(QWORD ProcessCr3, INTRO_PROCESS *EventProcess)
Saves information about a Windows process inside an alert. The process is searched by its kernel CR3...
DWORD OffsetStart
The start of the extracted codeblock (not actually relevant)
QWORD BaseVa
The guest virtual address of the kernel module that owns this driver object.
QWORD IntPolicyGetProcProt(const void *Process)
Gets the protection policy for a process.
DWORD NumberOfOffsets
Number of symbols pointing to the exported RVA.
void IntAlertFillWinProcessCurrent(INTRO_PROCESS *EventProcess)
Saves information about the current Windows process inside an alert.
#define INT_SUCCESS(Status)
INTSTATUS IntWinThrGetCurrentThread(DWORD CpuNumber, QWORD *EthreadAddress)
Get the ETHREAD structure address of the thread currently running on the given CPU.
WORD Size
Code block size, in patterns.
INTRO_PC_VIOLATION_TYPE
Process creation violation flags.
Exposes the types, constants and functions used to describe protected Windows Kernel modules and driv...
Holds code block patterns information.
INTSTATUS IntWinGetAccesTokenFromThread(QWORD EthreadGva, INTRO_WIN_TOKEN *Token)
Reads the contents of a _TOKEN Windows structure assigned to a thread.
#define CODE_BLOCK_CHUNKS_COUNT
Number of chunks (CODE_INS) per codeblock.
Describes a user-mode originator.
INTSTATUS IntWinGetAccessTokenFromProcess(DWORD ProcessId, QWORD EprocessGva, INTRO_WIN_TOKEN *Token)
Reads the contents of a _TOKEN Windows structure assigned to a process.
int INTSTATUS
The status data type.
void IntAlertFillDriverObject(const WIN_DRIVER_OBJECT *DriverObject, INTRO_DRVOBJ *EventDrvObj)
Saves driver object information inside an alert. Available only for Windows guests.
DWORD OSVersion
Os version.
void IntAlertFillWinProcess(const WIN_PROCESS_OBJECT *Process, INTRO_PROCESS *EventProcess)
Saves information about a windows process inside an alert.
void IntAlertFillWinUmModule(const WIN_PROCESS_MODULE *Module, INTRO_MODULE *EventModule)
Fills information about a user mode module inside an alert.
#define INT_STATUS_NOT_FOUND
void IntAlertEptFillFromKmOriginator(const EXCEPTION_KM_ORIGINATOR *Originator, EVENT_EPT_VIOLATION *EptViolation)
Fills kernel mode originator information inside an EPT alert.
QWORD IntAlertCoreGetFlags(QWORD ProtectionFlag, INTRO_ACTION_REASON Reason)
Returns the flags for an alert.
#define ALERT_MAX_FUNCTION_NAME_LEN
The maximum size of a function name inside an alert structure.
Describes a kernel-mode originator.
INTSTATUS IntCamiGetVersion(DWORD *MajorVersion, DWORD *MinorVersion, DWORD *BuildNumber)
Get the version of the loaded CAMI support file.
#define ALERT_MAX_CODEBLOCKS
The maximum number of code blocks included in an alert structure.
BOOLEAN IntPolicyIsCoreOptionFeedback(QWORD Flag)
Checks if a core protection option is in feedback-only mode.
void IntAlertFillWinKmModule(const KERNEL_DRIVER *Driver, INTRO_MODULE *EventModule)
Saves kernel module information inside an alert.
INTRO_GUEST_TYPE OSType
The type of the guest.
INSTRUX Instruction
The current instruction, pointed by the guest RIP.
QWORD VirtualBase
Guest virtual address of the loaded module.
Process ACL (SACL/DACL) was modified.
#define INTRO_OPT_PROT_UM_SYS_PROCS
Enable user-mode system processes protection (injection only).
BOOLEAN IntPolicyProcIsBeta(const void *Process, QWORD Flag)
Checks if a process protection policy is in log-only mode.
Describes a kernel driver.
BYTE Chunks[CODE_BLOCK_CHUNKS_COUNT]
The actual CODE_INS values representing the instruction pattern.
void IntAlertFillCpuContext(BOOLEAN CopyInstruction, INTRO_CPUCTX *CpuContext)
Fills the current CPU context for an alert.
BOOLEAN IntPolicyCoreIsOptionBeta(QWORD Flag)
Checks if one of the kernel protection options is in log-only mode.
void IntAlertFillLixKmModule(const KERNEL_DRIVER *Driver, INTRO_MODULE *EventModule)
Saves information about a kernel module inside an alert.
Exposes the functions used to provide Windows Threads related support.
INTSTATUS IntGetCurrentMode(DWORD CpuNumber, DWORD *Mode)
Read the current CS type.
#define ALERT_FLAG_BETA
If set, the alert is a BETA alert. No action was taken.
void IntAlertFillVersionInfo(INTRO_VIOLATION_HEADER *Header)
Fills version information for an alert.
#define INITIAL_CRC_VALUE
Hal interrupt controller.
EXCEPTIONS * Exceptions
The exceptions that are currently loaded.
static CODE_BLOCK gCodeBlocks[PAGE_SIZE/sizeof(CODE_BLOCK)]
#define IS_KERNEL_POINTER_LIX(p)
#define EXCEPTION_CODEBLOCKS_OFFSET
The maximum offset for codeblocks extraction.
GENERIC_ALERT gAlert
Global alert buffer.
#define IG_CURRENT_VCPU
For APIs that take a VCPU number as a parameter, this can be used to specify that the current VCPU sh...
INTSTATUS IntPeGetExportNameByRva(QWORD ImageBase, BYTE *ImageBaseBuffer, DWORD Rva, DWORD ExportNameSize, CHAR *ExportName)
Find the export name a Rva lies in.
struct _KTRAP_FRAME64 KTRAP_FRAME64
#define ZONE_EXECUTE
Used for execute violation.
#define COPY_ACL_TO_INTRO_ACL(Acl, IntroAcl)
Converts an ACL to an INTRO_ACL.
Holds information about a driver object.
The parent of a process has a stolen access token when it created the child.
Event structure for MSR violation.
BOOLEAN Guest64
True if this is a 64-bit guest, False if it is a 32-bit guest.
INTSTATUS IntTranslateVirtualAddress(QWORD Gva, QWORD Cr3, QWORD *PhysicalAddress)
Translates a guest virtual address to a guest physical address.
The creation of a process was attempted with token privileges altered in a malicious way...
INTSTATUS IntPeGetExportNameByRvaInBuffer(QWORD ImageBase, BYTE *Buffer, DWORD BufferSize, DWORD Rva, DWORD ExportNameSize, CHAR *ExportName)
Find the export name a Rva lies in.
#define IS_KERNEL_POINTER_WIN(is64, p)
Checks if a guest virtual address resides inside the Windows kernel address space.
The parent of a process had a pivoted stack when it created the child.
This includes instructions until codeInsBt.
PWIN_PROCESS_OBJECT IntWinProcFindObjectByCr3(QWORD Cr3)
Finds a process by its kernel CR3.
#define INT_STATUS_INVALID_INTERNAL_STATE
struct _EXCEPTIONS::@26 Version
Loaded exceptions binary version.
Holds information about a memory read attempt.
void * Name
The name of the driver.
QWORD KernelVa
The guest virtual address of the kernel image.
void IntAlertFillWriteInfo(const EXCEPTION_VICTIM_ZONE *Victim, INTRO_WRITE_INFO *WriteInfo)
Fills the write information for an alert.
void IntAlertFillReadInfo(const EXCEPTION_VICTIM_ZONE *Victim, INTRO_READ_INFO *ReadInfo)
Fills the read information for an alert.
Holds the context in which an execution attempt was detected.
Holds information about a memory write attempt.
#define DESCRIPTOR_SIZE_64
QWORD IntAlertProcGetFlags(QWORD ProtectionFlag, const void *Process, INTRO_ACTION_REASON Reason, QWORD AdditionalFlags)
Returns the flags for an alert.
size_t strlcpy(char *dst, const char *src, size_t dest_size)
void IntAlertDtrFill(const EXCEPTION_VICTIM_ZONE *Victim, const EXCEPTION_KM_ORIGINATOR *Originator, EVENT_DTR_VIOLATION *DtrViolation)
Saves information about a DTR write attempt in an event.
Event structure for GDTR/IDTR descriptor tables modifications.
#define ALERT_FLAG_NOT_RING0
If set, the alert was triggered in ring 1, 2 or 3.
Holds all the alert types.
Describes the modified zone.
Exception Table (Linux-only).
This includes instructions until codeInsFlags.
#define INT_STATUS_DATA_BUFFER_TOO_SMALL
DWORD Rva
The RVA of this export.
Executions inside the SharedUserData region.
The Virtualization exception agent injected inside the guest.
BOOLEAN IntWinUmCacheIsExportDirRead(WIN_PROCESS_MODULE *Module)
Checks if the exports directory of the given module has been read.
DWORD KernelBufferSize
The size of the KernelBuffer.
void IntAlertFillLixCurrentProcess(INTRO_PROCESS *EventProcess)
Saves the current Linux process inside an event.
void IntAlertCrFill(const EXCEPTION_VICTIM_ZONE *Victim, const EXCEPTION_KM_ORIGINATOR *Originator, EVENT_CR_VIOLATION *CrViolation)
Saves information about a CR write attempt in an event.
PWCHAR Name
NULL-terminated wide-char string containing the name of the driver, as taken from the guest driver ob...
The action was allowed, but it has the BETA flag (Introcore is in log-only mode). ...
void IntAlertEptFillFromUmOriginator(const EXCEPTION_UM_ORIGINATOR *Originator, EVENT_EPT_VIOLATION *EptViolation)
Fills user mode originator information inside an EPT alert.
__must_check INTSTATUS IntVirtMemMap(QWORD Gva, DWORD Length, QWORD Cr3, DWORD Flags, void **HostPtr)
Maps a guest virtual memory range inside Introcore virtual address space.
DWORD NameLens[MAX_OFFSETS_PER_NAME]
Length of each name pointing to this RVA.
MM Mm
Guest memory information, such as paging mode, system Cr3 value, etc.
#define ALERT_FLAG_SYSPROC
If set, the alert is on system process.
Self mapping index in PDBR.
The parent of a process tried to obtain debug privileges over the child.
The parent of a process has an altered security descriptor pointer.
GUEST_STATE gGuest
The current guest state.
INTSTATUS IntVirtMemRead(QWORD Gva, DWORD Length, QWORD Cr3, void *Buffer, DWORD *RetLength)
Reads data from a guest virtual memory range.
#define INT_STATUS_INVALID_DATA_TYPE
#define ALERT_FLAG_FEEDBACK_ONLY
If set, the alert is a feedback only alert.
size_t wstrlcpy(WCHAR *dst, const WCHAR *src, size_t dest_size)
PWIN_PROCESS_OBJECT IntWinProcFindObjectByEprocess(QWORD Eprocess)
Finds a process by the address of its _EPROCESS structure.
The thread which created the process has started execution on some suspicious code.
BOOLEAN IntPolicyProcIsFeedback(const void *Process, QWORD Flag)
Checks if a process protection policy is in feedback-only mode.
KERNEL_DRIVER * IntDriverFindByAddress(QWORD Gva)
Returns the driver in which Gva resides.
struct _CODE_BLOCK CODE_BLOCK
#define ZONE_READ
Used for read violation.
WINUM_CACHE_EXPORT * IntWinUmCacheGetExportFromRange(WIN_PROCESS_MODULE *Module, QWORD Gva, DWORD Length)
Tries to find an export in the range [Gva - Length, Gva].
INTSTATUS IntAlertFillExecContext(QWORD Cr3, INTRO_EXEC_CONTEXT *ExecContext)
Fills the current execution context.
INTSTATUS IntCr3Read(DWORD CpuNumber, QWORD *Cr3Value)
Reads the value of the guest CR3.
Holds information about an execution attempt.
PCHAR Names[MAX_OFFSETS_PER_NAME]
The names pointing to this RVA. Each name will point inside the Names structure inside WINUM_CACHE_EX...
INTSTATUS IntAlertFillDpiExtraInfo(DPI_EXTRA_INFO *CollectedExtraInfo, INTRO_PC_VIOLATION_TYPE PcType, WIN_PROCESS_OBJECT *VictimProcess, INTRO_DPI_EXTRA_INFO *ExtraInfo)
Fills the collected DPI extra information.
BYTE * KernelBuffer
A buffer containing the entire kernel image.
#define INT_STATUS_INVALID_PARAMETER_1
#define INT_STATUS_NOT_SUPPORTED
Describes a driver object.
VCPU_STATE * gVcpu
The state of the current VCPU.
BOOLEAN IntWinDrvIsProtectedAv(const WCHAR *Driver)
Checks whether a kernel driver is a known and protected antivirus.
LIX_TASK_OBJECT * IntLixTaskGetCurrent(DWORD CpuNumber)
Finds the task that is currently running on the given CPU.
DWORD Crc32String(const char *String, DWORD InitialCrc)
Computes the CRC for a NULL-terminated utf-8 string.
Event structure for connections.
Holds the CPU context for an event.
INTSTATUS IntPeFindFunctionStartInBuffer(QWORD ImageBase, BYTE *Buffer, DWORD BufferSize, DWORD Rva, DWORD *BeginAddress)
Find the start address of a function, given a Rva pointing inside of it.
#define ZONE_LIB_IMPORTS
Used for the imports of a dll, driver, etc.
Event structure for EPT violations.
INTSTATUS IntGetCurrentRing(DWORD CpuNumber, DWORD *Ring)
Read the current protection level.
A mov involving memory (either as the destination or as the source).
void IntAlertMsrFill(const EXCEPTION_VICTIM_ZONE *Victim, const EXCEPTION_KM_ORIGINATOR *Originator, EVENT_MSR_VIOLATION *MsrViolation)
Saves information about a MSR write attempt in an event.
The parent of a process has an altered access control entry (inside SACL or DACL).
#define INTRO_VIOLATION_VERSION
Violation header version.
Structure for keeping the relevant DPI violation information.
Describes a user-mode or kernel-mode module.
Describes a guest process.
BOOLEAN IntWinDrvObjIsProtectedAv(const WCHAR *DrvObj)
Checks if a driver object belongs to a known and protected antivirus.
Process security descriptor pointer.
#define ZONE_WRITE
Used for write violation.
WCHAR * utf8toutf16(WCHAR *Destination, const char *Source, DWORD DestinationMaxLength)
void IntAlertFillLixProcess(const LIX_TASK_OBJECT *Task, INTRO_PROCESS *EventProcess)
Saves information about a Linux process inside an event.
INTSTATUS IntAlertFillCodeBlocks(QWORD Rip, QWORD Cr3, BOOLEAN Execute, INTRO_CODEBLOCKS *CodeBlocks)
Fills the code blocks pattern for an alert.
This structure describes a running process inside the guest.
#define INT_STATUS_INVALID_PARAMETER_3