doxygen/html/cr__protection_8c_source.html

 /*
  * Copyright (c) 2020 Bitdefender
  * SPDX-License-Identifier: Apache-2.0
  */
 #include "cr_protection.h"
 #include "alerts.h"
 #include "guests.h"
 #include "hook_cr.h"

 static HOOK_CR *gCr4Hook = NULL;


 static void
 IntCrSendAlert(
     _In_ EXCEPTION_VICTIM_ZONE const *Victim,
     _In_ EXCEPTION_KM_ORIGINATOR const *Originator,
     _In_ INTRO_ACTION Action,
     _In_ INTRO_ACTION_REASON Reason
     )
 {
     INTSTATUS status;
     EVENT_CR_VIOLATION *pCrViol = &gAlert.Cr;

     memzero(pCrViol, sizeof(*pCrViol));

     pCrViol->Header.Action = Action;
     pCrViol->Header.Reason = Reason;
     if (Victim->Cr.Smap || Victim->Cr.Smep)
     {
         pCrViol->Header.MitreID = idExploitPrivEsc;
     }
     else
     {
         pCrViol->Header.MitreID = idRootkit;
     }

     pCrViol->Header.Flags = IntAlertCoreGetFlags(INTRO_OPT_PROT_KM_CR4, Reason);

     IntAlertCrFill(Victim, Originator, pCrViol);

     IntAlertFillCpuContext(TRUE, &pCrViol->Header.CpuContext);

     if (gGuest.OSType == introGuestWindows)
     {
         IntAlertFillWinProcessByCr3(pCrViol->Header.CpuContext.Cr3, &pCrViol->Header.CurrentProcess);

         pCrViol->Header.CurrentProcess.SecurityInfo.WindowsToken.ImpersonationToken = FALSE;
         pCrViol->Header.CurrentProcess.SecurityInfo.WindowsToken.Valid = TRUE;
     }
     else
     {
         IntAlertFillLixCurrentProcess(&pCrViol->Header.CurrentProcess);
     }

     IntAlertFillExecContext(gGuest.Mm.SystemCr3, &pCrViol->ExecContext);
     IntAlertFillCodeBlocks(Originator->Original.Rip, gGuest.Mm.SystemCr3, FALSE, &pCrViol->CodeBlocks);

     IntAlertFillVersionInfo(&pCrViol->Header);

     status = IntNotifyIntroEvent(introEventCrViolation, pCrViol, sizeof(*pCrViol));
     if (!INT_SUCCESS(status))
     {
         WARNING("[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
     }
 }


 static INTSTATUS
 IntCrWinHandleWrite(
     _In_opt_ void *Context,
     _In_ DWORD Cr,
     _In_ QWORD OldValue,
     _In_ QWORD NewValue,
     _Out_ INTRO_ACTION *Action
     )
 {
     INTSTATUS status;
     EXCEPTION_VICTIM_ZONE victim;
     EXCEPTION_KM_ORIGINATOR originator;
     INTRO_ACTION_REASON reason;
     BOOLEAN exitAfterInformation = FALSE;
     BOOLEAN smap = (OldValue & CR4_SMAP) != 0 && (NewValue & CR4_SMAP) == 0;
     BOOLEAN smep = (OldValue & CR4_SMEP) != 0 && (NewValue & CR4_SMEP) == 0;

     UNREFERENCED_PARAMETER(Context);

     *Action = introGuestNotAllowed;
     reason = introReasonUnknown;

     // We allow writes that aren't on SMEP/SMAP or aren't deactivation of SMEP/SMAP
     if (!smap && !smep)
     {
         *Action = introGuestAllowed;
         return INT_STATUS_SUCCESS;
     }

     STATS_ENTER(statsExceptionsKern);

     memzero(&victim, sizeof(victim));
     memzero(&originator, sizeof(originator));

     status = IntExceptKernelGetOriginator(&originator, 0);
     if (status == INT_STATUS_EXCEPTION_BLOCK)
     {
         reason = introReasonNoException;
         exitAfterInformation = TRUE;
     }
     else if (!INT_SUCCESS(status))
     {
         ERROR("[ERROR] Failed getting originator: 0x%08x\n", status);
         reason = introReasonInternalError;
         exitAfterInformation = TRUE;
     }

     status = IntExceptGetVictimCr(NewValue, OldValue, Cr, &victim);
     if (!INT_SUCCESS(status))
     {
         ERROR("[ERROR] Failed getting zone details: 0x%08x\n", status);
         reason = introReasonInternalError;
         exitAfterInformation = TRUE;
     }

     if (exitAfterInformation)
     {
         IntExceptKernelLogInformation(&victim, &originator, *Action, reason);
     }
     else
     {
         IntExcept(&victim, &originator, exceptionTypeKm, Action, &reason, introEventCrViolation);
     }

     STATS_EXIT(statsExceptionsKern);

     if (IntPolicyCoreTakeAction(INTRO_OPT_PROT_KM_CR4,  Action, &reason))
     {
         IntCrSendAlert(&victim, &originator, *Action, reason);
     }

     IntPolicyCoreForceBetaIfNeeded(INTRO_OPT_PROT_KM_CR4, Action);

     return status;
 }


 static INTSTATUS
 IntCrLixHandleWrite(
     _In_opt_ void *Context,
     _In_ DWORD Cr,
     _In_ QWORD OldValue,
     _In_ QWORD NewValue,
     _Out_ INTRO_ACTION *Action
     )
 {
     INTSTATUS status;
     BOOLEAN exitAfterInformation, smep, smap;
     KERNEL_DRIVER *pOrigDriver;
     EXCEPTION_VICTIM_ZONE victim;
     EXCEPTION_KM_ORIGINATOR originator;
     INTRO_ACTION_REASON reason;

     UNREFERENCED_PARAMETER(Context);

     *Action = introGuestNotAllowed;
     reason = introReasonUnknown;

     smap = (OldValue & CR4_SMAP) != 0 && (NewValue & CR4_SMAP) == 0;
     smep = (OldValue & CR4_SMEP) != 0 && (NewValue & CR4_SMEP) == 0;

     // We allow writes that aren't on SMEP/SMAP or aren't deactivation of SMEP/SMAP
     if (!smap && !smep)
     {
         *Action = introGuestAllowed;
         return INT_STATUS_SUCCESS;
     }

     pOrigDriver = IntDriverFindByAddress(gVcpu->Regs.Rip);
     if (NULL == pOrigDriver)
     {
         WARNING("[WARNING] RIP 0x%016llx is not inside any module!\n", gVcpu->Regs.Rip);
     }

     STATS_ENTER(statsExceptionsKern);

     memzero(&victim, sizeof(victim));
     memzero(&originator, sizeof(originator));

     exitAfterInformation = FALSE;

     status = IntExceptKernelGetOriginator(&originator, 0);
     if (status == INT_STATUS_EXCEPTION_BLOCK)
     {
         reason = introReasonNoException;
         exitAfterInformation = TRUE;
     }
     else if (!INT_SUCCESS(status))
     {
         ERROR("[ERROR] Failed getting originator: 0x%08x\n", status);
         reason = introReasonInternalError;
         exitAfterInformation = TRUE;
     }

     status = IntExceptGetVictimCr(NewValue, OldValue, Cr, &victim);
     if (!INT_SUCCESS(status))
     {
         ERROR("[ERROR] Failed getting zone details: 0x%08x\n", status);
         reason = introReasonInternalError;
         exitAfterInformation = TRUE;
     }

     if (exitAfterInformation)
     {
         IntExceptKernelLogInformation(&victim, &originator, *Action, reason);
     }
     else
     {
         IntExcept(&victim, &originator, exceptionTypeKm, Action, &reason, introEventCrViolation);
     }

     STATS_EXIT(statsExceptionsKern);

     if (IntPolicyCoreTakeAction(INTRO_OPT_PROT_KM_CR4, Action, &reason))
     {
         IntCrSendAlert(&victim, &originator, *Action, reason);
     }

     IntPolicyCoreForceBetaIfNeeded(INTRO_OPT_PROT_KM_CR4, Action);

     return INT_STATUS_SUCCESS;
 }


 static INTSTATUS
 IntCr4HandleWrite(
     _In_opt_ void *Context,
     _In_ DWORD Cr,
     _In_ QWORD OldValue,
     _In_ QWORD NewValue,
     _Out_ INTRO_ACTION *Action
     )
 {
     if (gGuest.OSType == introGuestWindows)
     {
         return IntCrWinHandleWrite(Context, Cr, OldValue, NewValue, Action);
     }
     else if (gGuest.OSType == introGuestLinux)
     {
         return IntCrLixHandleWrite(Context, Cr, OldValue, NewValue, Action);
     }

     return INT_STATUS_NOT_SUPPORTED;
 }


 INTSTATUS
 IntCr4Protect(
     void
     )
 {
     INTSTATUS status;

     if (NULL != gCr4Hook)
     {
         return INT_STATUS_ALREADY_INITIALIZED_HINT;
     }

     TRACE("[CR4] Adding protection on CR4.SMEP and CR4.SMAP...\n");

     status = IntHookCrSetHook(4, 0, IntCr4HandleWrite, NULL, &gCr4Hook);
     if (!INT_SUCCESS(status))
     {
         ERROR("[ERROR] IntHookCrSetHook failed: 0x%08x!\n", status);
         return status;
     }

     return INT_STATUS_SUCCESS;
 }


 INTSTATUS
 IntCr4Unprotect(
     void
     )
 {
     if (NULL == gCr4Hook)
     {
         return INT_STATUS_NOT_NEEDED_HINT;
     }

     TRACE("[CR4] Removing protection on CR4.SMEP and CR4.SMAP...\n");

     INTSTATUS status = IntHookCrRemoveHook(gCr4Hook);
     if (!INT_SUCCESS(status))
     {
         ERROR("[ERROR] IntHookCrRemoveHook failed: 0x%08x\n", status);
         return status;
     }

     gCr4Hook = NULL;

     return INT_STATUS_SUCCESS;
 }
statsExceptionsKern
Measures kernel mode exceptions checks.
Definition: stats.h:51

_In_opt_
#define _In_opt_
Definition: intro_sal.h:16

INTRO_ACTION_REASON
enum _INTRO_ACTION_REASON INTRO_ACTION_REASON
The reason for which an INTRO_ACTION was taken.

_IG_ARCH_REGS::Rip
QWORD Rip
Definition: glueiface.h:51

BOOLEAN
_Bool BOOLEAN
Definition: intro_types.h:58

_Out_
#define _Out_
Definition: intro_sal.h:22

IntAlertCoreGetFlags
QWORD IntAlertCoreGetFlags(QWORD ProtectionFlag, INTRO_ACTION_REASON Reason)
Returns the flags for an alert.
Definition: alerts.c:366

introReasonInternalError
An internal error occurred (no memory, pages not present, etc.).
Definition: intro_types.h:195

IntPolicyCoreForceBetaIfNeeded
BOOLEAN IntPolicyCoreForceBetaIfNeeded(QWORD Flag, INTRO_ACTION *Action)
Checks if a forced action should be taken even if the log-only mode is active.
Definition: introcore.c:2803

_EVENT_CR_VIOLATION
Event structure for CR violation.
Definition: intro_types.h:1346

_INTRO_WIN_TOKEN::Valid
BOOLEAN Valid
If FALSE, we failed to get the thread and the process token.
Definition: intro_types.h:883

_VCPU_STATE::Regs
IG_ARCH_REGS Regs
The current state of the guest registers.
Definition: guests.h:95

_In_
#define _In_
Definition: intro_sal.h:21

_INTRO_VIOLATION_HEADER::MitreID
MITRE_ID MitreID
The Mitre ID that corresponds to this attack.
Definition: intro_types.h:1199

_MM::SystemCr3
QWORD SystemCr3
The Cr3 used to map the kernel.
Definition: guests.h:211

INT_STATUS_SUCCESS
#define INT_STATUS_SUCCESS
Definition: introstatus.h:54

IntPolicyCoreTakeAction
BOOLEAN IntPolicyCoreTakeAction(QWORD Flag, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason)
Returns the action that should be taken for a core introspection option.
Definition: introcore.c:2693

_INTRO_WIN_TOKEN::ImpersonationToken
BOOLEAN ImpersonationToken
TRUE if this is an impersonation token.
Definition: intro_types.h:864

STATS_EXIT
#define STATS_EXIT(id)
Definition: stats.h:160

introGuestNotAllowed
Definition: intro_types.h:164

IntHookCrSetHook
INTSTATUS IntHookCrSetHook(DWORD Cr, DWORD Flags, PFUNC_CrWriteHookCallback Callback, void *Context, HOOK_CR **Hook)
Set a control register write hook.
Definition: hook_cr.c:11

INT_SUCCESS
#define INT_SUCCESS(Status)
Definition: introstatus.h:42

introEventCrViolation
Sent when a CR violation triggers an alert. See EVENT_CR_VIOLATION.
Definition: intro_types.h:88

_INTRO_VIOLATION_HEADER::Flags
QWORD Flags
A combination of ALERT_FLAG_* values describing the alert.
Definition: intro_types.h:1198

gCr4Hook
static HOOK_CR * gCr4Hook
The Cr4 hook handle.
Definition: cr_protection.c:13

INT_STATUS_NOT_NEEDED_HINT
#define INT_STATUS_NOT_NEEDED_HINT
Definition: introstatus.h:317

ERROR
#define ERROR(fmt,...)
Definition: glue.h:62

INTSTATUS
int INTSTATUS
The status data type.
Definition: introstatus.h:24

idRootkit
Rootkit.
Definition: intro_types.h:1144

_EXCEPTION_KM_ORIGINATOR
Describes a kernel-mode originator.
Definition: exceptions.h:943

IntAlertCrFill
void IntAlertCrFill(const EXCEPTION_VICTIM_ZONE *Victim, const EXCEPTION_KM_ORIGINATOR *Originator, EVENT_CR_VIOLATION *CrViolation)
Saves information about a CR write attempt in an event.
Definition: alerts.c:1210

_GENERIC_ALERT::Cr
EVENT_CR_VIOLATION Cr
Definition: alerts.h:18

_GUEST_STATE::OSType
INTRO_GUEST_TYPE OSType
The type of the guest.
Definition: guests.h:278

IntAlertFillCpuContext
void IntAlertFillCpuContext(BOOLEAN CopyInstruction, INTRO_CPUCTX *CpuContext)
Fills the current CPU context for an alert.
Definition: alerts.c:492

IntCrSendAlert
static void IntCrSendAlert(EXCEPTION_VICTIM_ZONE const *Victim, EXCEPTION_KM_ORIGINATOR const *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason)
Sends a CR violation alert.
Definition: cr_protection.c:17

_KERNEL_DRIVER
Describes a kernel driver.
Definition: drivers.h:30

guests.h

IntAlertFillVersionInfo
void IntAlertFillVersionInfo(INTRO_VIOLATION_HEADER *Header)
Fills version information for an alert.
Definition: alerts.c:327

cr_protection.h

_INTRO_VIOLATION_HEADER::Reason
INTRO_ACTION_REASON Reason
The reason for which Action was taken.
Definition: intro_types.h:1195

IntAlertFillCodeBlocks
INTSTATUS IntAlertFillCodeBlocks(QWORD Rip, QWORD Cr3, BOOLEAN Execute, INTRO_CODEBLOCKS *CodeBlocks)
Fills the code blocks pattern for an alert.
Definition: alerts.c:71

_INTRO_PROCESS::SecurityInfo
INTRO_TOKEN SecurityInfo
The thread token (if impersonating) or the process token (Windows only).
Definition: intro_types.h:912

gAlert
GENERIC_ALERT gAlert
Global alert buffer.
Definition: alerts.c:27

INT_STATUS_EXCEPTION_BLOCK
#define INT_STATUS_EXCEPTION_BLOCK
Definition: introstatus.h:421

introGuestLinux
Linux.
Definition: intro_types.h:2044

IntCrLixHandleWrite
static INTSTATUS IntCrLixHandleWrite(void *Context, DWORD Cr, QWORD OldValue, QWORD NewValue, INTRO_ACTION *Action)
Handles a control register write attempt done by a Linux guest.
Definition: cr_protection.c:175

STATS_ENTER
#define STATS_ENTER(id)
Definition: stats.h:153

_INTRO_VIOLATION_HEADER::CpuContext
INTRO_CPUCTX CpuContext
The context of the CPU that triggered the alert.
Definition: intro_types.h:1196

CR4_SMEP
#define CR4_SMEP
Definition: processor.h:61

IntNotifyIntroEvent
INTSTATUS IntNotifyIntroEvent(INTRO_EVENT_TYPE EventClass, void *Param, size_t EventSize)
Notifies the integrator about an introspection alert.
Definition: glue.c:1042

memzero
#define memzero(a, s)
Definition: introcrt.h:35

_INTRO_TOKEN::WindowsToken
INTRO_WIN_TOKEN WindowsToken
A Windows token.
Definition: intro_types.h:892

QWORD
unsigned long long QWORD
Definition: intro_types.h:53

IntExceptGetVictimCr
INTSTATUS IntExceptGetVictimCr(QWORD NewValue, QWORD OldValue, DWORD Cr, EXCEPTION_VICTIM_ZONE *Victim)
This function is used to get the information about the CR victim.
Definition: exceptions_kern.c:3047

TRUE
#define TRUE
Definition: intro_types.h:30

alerts.h

TRACE
#define TRACE(fmt,...)
Definition: glue.h:58

IntHookCrRemoveHook
INTSTATUS IntHookCrRemoveHook(HOOK_CR *Hook)
Remove a control register hook.
Definition: hook_cr.c:135

IntExceptKernelLogInformation
void IntExceptKernelLogInformation(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason)
Print the information about a kernel-mode violation and dumps the code-blocks.
Definition: exceptions_kern.c:2032

exceptionTypeKm
Kernel-mode exception.
Definition: exceptions.h:61

IntCrWinHandleWrite
static INTSTATUS IntCrWinHandleWrite(void *Context, DWORD Cr, QWORD OldValue, QWORD NewValue, INTRO_ACTION *Action)
Handles a control register write attempt done by a Windows guest.
Definition: cr_protection.c:83

introGuestWindows
Windows.
Definition: intro_types.h:2043

INT_STATUS_ALREADY_INITIALIZED_HINT
#define INT_STATUS_ALREADY_INITIALIZED_HINT
Definition: introstatus.h:323

WARNING
#define WARNING(fmt,...)
Definition: glue.h:60

CR4_SMAP
#define CR4_SMAP
Definition: processor.h:62

_EVENT_CR_VIOLATION::CodeBlocks
INTRO_CODEBLOCKS CodeBlocks
Code blocks extracted for the alert.
Definition: intro_types.h:1368

_EXCEPTION_VICTIM_ZONE
Describes the modified zone.
Definition: exceptions.h:893

UNREFERENCED_PARAMETER
#define UNREFERENCED_PARAMETER(P)
Definition: introdefs.h:29

_HOOK_CR
Definition: hook_cr.h:43

DWORD
uint32_t DWORD
Definition: intro_types.h:49

_EVENT_CR_VIOLATION::Header
INTRO_VIOLATION_HEADER Header
The alert header.
Definition: intro_types.h:1348

INTRO_ACTION
enum _INTRO_ACTION INTRO_ACTION
Event actions.

IntCr4Unprotect
INTSTATUS IntCr4Unprotect(void)
Disables the CR4 protection.
Definition: cr_protection.c:345

introReasonUnknown
Definition: intro_types.h:224

_INTRO_CPUCTX::Cr3
QWORD Cr3
The value of the guest CR3 register when the event was generated.
Definition: intro_types.h:970

_GUEST_STATE::Mm
MM Mm
Guest memory information, such as paging mode, system Cr3 value, etc.
Definition: guests.h:374

gGuest
GUEST_STATE gGuest
The current guest state.
Definition: guests.c:50

IntAlertFillWinProcessByCr3
void IntAlertFillWinProcessByCr3(QWORD ProcessCr3, INTRO_PROCESS *EventProcess)
Saves information about a Windows process inside an alert. The process is searched by its kernel CR3...
Definition: alerts.c:756

introGuestAllowed
Definition: intro_types.h:149

idExploitPrivEsc
Exploitation for Privilege Escalation.
Definition: intro_types.h:1148

IntCr4HandleWrite
static INTSTATUS IntCr4HandleWrite(void *Context, DWORD Cr, QWORD OldValue, QWORD NewValue, INTRO_ACTION *Action)
Handles CR4 writes.
Definition: cr_protection.c:277

_INTRO_VIOLATION_HEADER::Action
INTRO_ACTION Action
The action that was taken as the result of this alert.
Definition: intro_types.h:1194

IntDriverFindByAddress
KERNEL_DRIVER * IntDriverFindByAddress(QWORD Gva)
Returns the driver in which Gva resides.
Definition: drivers.c:164

INT_STATUS_NOT_SUPPORTED
#define INT_STATUS_NOT_SUPPORTED
Definition: introstatus.h:287

_INTRO_VIOLATION_HEADER::CurrentProcess
INTRO_PROCESS CurrentProcess
The current process.
Definition: intro_types.h:1197

gVcpu
VCPU_STATE * gVcpu
The state of the current VCPU.
Definition: guests.c:59

introReasonNoException
The action was blocked because there was no exception for it.
Definition: intro_types.h:189

_EVENT_CR_VIOLATION::ExecContext
INTRO_EXEC_CONTEXT ExecContext
Information about the instruction that triggered the alert.
Definition: intro_types.h:1370

IntCr4Protect
INTSTATUS IntCr4Protect(void)
Activates the Cr4 protection.
Definition: cr_protection.c:313

INTRO_OPT_PROT_KM_CR4
#define INTRO_OPT_PROT_KM_CR4
Enable CR4.SMEP and CR4.SMAP protection.
Definition: intro_types.h:426

IntAlertFillLixCurrentProcess
void IntAlertFillLixCurrentProcess(INTRO_PROCESS *EventProcess)
Saves the current Linux process inside an event.
Definition: alerts.c:1310

hook_cr.h

IntExceptKernelGetOriginator
INTSTATUS IntExceptKernelGetOriginator(EXCEPTION_KM_ORIGINATOR *Originator, DWORD Options)
This function is used to get the information about the kernel-mode originator.
Definition: exceptions_kern.c:2520

IntAlertFillExecContext
INTSTATUS IntAlertFillExecContext(QWORD Cr3, INTRO_EXEC_CONTEXT *ExecContext)
Fills the current execution context.
Definition: alerts.c:31

IntExcept
void IntExcept(EXCEPTION_VICTIM_ZONE *Victim, void *Originator, EXCEPTION_TYPE Type, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason, INTRO_EVENT_TYPE EventClass)
This function is the entry point for the exception mechanism.
Definition: exceptions.c:3357

FALSE
#define FALSE
Definition: intro_types.h:34