38 memzero(pCrViol,
sizeof(*pCrViol));
42 if (Victim->Cr.Smap || Victim->Cr.Smep)
77 WARNING(
"[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
128 memzero(&victim,
sizeof(victim));
129 memzero(&originator,
sizeof(originator));
135 exitAfterInformation =
TRUE;
139 ERROR(
"[ERROR] Failed getting originator: 0x%08x\n", status);
141 exitAfterInformation =
TRUE;
147 ERROR(
"[ERROR] Failed getting zone details: 0x%08x\n", status);
149 exitAfterInformation =
TRUE;
152 if (exitAfterInformation)
199 BOOLEAN exitAfterInformation, smep, smap;
221 if (NULL == pOrigDriver)
228 memzero(&victim,
sizeof(victim));
229 memzero(&originator,
sizeof(originator));
231 exitAfterInformation =
FALSE;
237 exitAfterInformation =
TRUE;
241 ERROR(
"[ERROR] Failed getting originator: 0x%08x\n", status);
243 exitAfterInformation =
TRUE;
249 ERROR(
"[ERROR] Failed getting zone details: 0x%08x\n", status);
251 exitAfterInformation =
TRUE;
254 if (exitAfterInformation)
326 if (NULL != gCr4Hook)
331 TRACE(
"[CR4] Adding protection on CR4.SMEP and CR4.SMAP...\n");
336 ERROR(
"[ERROR] IntHookCrSetHook failed: 0x%08x!\n", status);
354 if (NULL == gCr4Hook)
359 TRACE(
"[CR4] Removing protection on CR4.SMEP and CR4.SMAP...\n");
364 ERROR(
"[ERROR] IntHookCrRemoveHook failed: 0x%08x\n", status);
Measures kernel-mode exception checks.
enum _INTRO_ACTION_REASON INTRO_ACTION_REASON
The reason for which an INTRO_ACTION was taken.
QWORD IntAlertCoreGetFlags(QWORD ProtectionFlag, INTRO_ACTION_REASON Reason)
Returns the flags for an alert.
An internal error occurred (no memory, pages not present, etc.).
BOOLEAN IntPolicyCoreForceBetaIfNeeded(QWORD Flag, INTRO_ACTION *Action)
Checks if a forced action should be taken even if the log-only mode is active.
Event structure for CR violation.
BOOLEAN Valid
If FALSE, we failed to get the thread and the process token.
IG_ARCH_REGS Regs
The current state of the guest registers.
MITRE_ID MitreID
The Mitre ID that corresponds to this attack.
QWORD SystemCr3
The Cr3 used to map the kernel.
#define INT_STATUS_SUCCESS
BOOLEAN IntPolicyCoreTakeAction(QWORD Flag, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason)
Returns the action that should be taken for a core introspection option.
BOOLEAN ImpersonationToken
TRUE if this is an impersonation token.
INTSTATUS IntHookCrSetHook(DWORD Cr, DWORD Flags, PFUNC_CrWriteHookCallback Callback, void *Context, HOOK_CR **Hook)
Set a control register write hook.
#define INT_SUCCESS(Status)
Sent when a CR violation triggers an alert. See EVENT_CR_VIOLATION.
QWORD Flags
A combination of ALERT_FLAG_* values describing the alert.
static HOOK_CR * gCr4Hook
The CR4 write-hook handle; NULL while the CR4 protection is not active (IntCr4Protect/IntCr4Unprotect test it for NULL before setting or removing the hook).
#define INT_STATUS_NOT_NEEDED_HINT
int INTSTATUS
The status data type.
Describes a kernel-mode originator.
void IntAlertCrFill(const EXCEPTION_VICTIM_ZONE *Victim, const EXCEPTION_KM_ORIGINATOR *Originator, EVENT_CR_VIOLATION *CrViolation)
Saves information about a CR write attempt in an event.
INTRO_GUEST_TYPE OSType
The type of the guest.
void IntAlertFillCpuContext(BOOLEAN CopyInstruction, INTRO_CPUCTX *CpuContext)
Fills the current CPU context for an alert.
static void IntCrSendAlert(EXCEPTION_VICTIM_ZONE const *Victim, EXCEPTION_KM_ORIGINATOR const *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason)
Sends a CR violation alert.
Describes a kernel driver.
void IntAlertFillVersionInfo(INTRO_VIOLATION_HEADER *Header)
Fills version information for an alert.
INTRO_ACTION_REASON Reason
The reason for which Action was taken.
INTSTATUS IntAlertFillCodeBlocks(QWORD Rip, QWORD Cr3, BOOLEAN Execute, INTRO_CODEBLOCKS *CodeBlocks)
Fills the code blocks pattern for an alert.
INTRO_TOKEN SecurityInfo
The thread token (if impersonating) or the process token (Windows only).
GENERIC_ALERT gAlert
Global alert buffer.
#define INT_STATUS_EXCEPTION_BLOCK
static INTSTATUS IntCrLixHandleWrite(void *Context, DWORD Cr, QWORD OldValue, QWORD NewValue, INTRO_ACTION *Action)
Handles a control register write attempt done by a Linux guest.
INTRO_CPUCTX CpuContext
The context of the CPU that triggered the alert.
INTSTATUS IntNotifyIntroEvent(INTRO_EVENT_TYPE EventClass, void *Param, size_t EventSize)
Notifies the integrator about an introspection alert.
INTRO_WIN_TOKEN WindowsToken
A Windows token.
INTSTATUS IntExceptGetVictimCr(QWORD NewValue, QWORD OldValue, DWORD Cr, EXCEPTION_VICTIM_ZONE *Victim)
Retrieves the victim-zone information for a control register write (which CR bits are affected, e.g. CR4.SMEP/SMAP).
INTSTATUS IntHookCrRemoveHook(HOOK_CR *Hook)
Remove a control register hook.
void IntExceptKernelLogInformation(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason)
Prints the information about a kernel-mode violation and dumps the code blocks.
static INTSTATUS IntCrWinHandleWrite(void *Context, DWORD Cr, QWORD OldValue, QWORD NewValue, INTRO_ACTION *Action)
Handles a control register write attempt done by a Windows guest.
#define INT_STATUS_ALREADY_INITIALIZED_HINT
INTRO_CODEBLOCKS CodeBlocks
Code blocks extracted for the alert.
Describes the modified zone.
#define UNREFERENCED_PARAMETER(P)
INTRO_VIOLATION_HEADER Header
The alert header.
enum _INTRO_ACTION INTRO_ACTION
Event actions.
INTSTATUS IntCr4Unprotect(void)
Disables the CR4 protection.
QWORD Cr3
The value of the guest CR3 register when the event was generated.
MM Mm
Guest memory information, such as paging mode, system Cr3 value, etc.
GUEST_STATE gGuest
The current guest state.
void IntAlertFillWinProcessByCr3(QWORD ProcessCr3, INTRO_PROCESS *EventProcess)
Saves information about a Windows process inside an alert. The process is searched by its kernel CR3...
Exploitation for Privilege Escalation.
static INTSTATUS IntCr4HandleWrite(void *Context, DWORD Cr, QWORD OldValue, QWORD NewValue, INTRO_ACTION *Action)
Handles CR4 writes.
INTRO_ACTION Action
The action that was taken as the result of this alert.
KERNEL_DRIVER * IntDriverFindByAddress(QWORD Gva)
Returns the driver in which Gva resides.
#define INT_STATUS_NOT_SUPPORTED
INTRO_PROCESS CurrentProcess
The current process.
VCPU_STATE * gVcpu
The state of the current VCPU.
The action was blocked because there was no exception for it.
INTRO_EXEC_CONTEXT ExecContext
Information about the instruction that triggered the alert.
INTSTATUS IntCr4Protect(void)
Activates the Cr4 protection.
#define INTRO_OPT_PROT_KM_CR4
Enable protection of the CR4.SMEP and CR4.SMAP bits against guest writes (a kernel-mode attacker clearing them is a privilege-escalation primitive; see IntCr4Protect and IntCr4HandleWrite).
void IntAlertFillLixCurrentProcess(INTRO_PROCESS *EventProcess)
Saves the current Linux process inside an event.
INTSTATUS IntExceptKernelGetOriginator(EXCEPTION_KM_ORIGINATOR *Originator, DWORD Options)
Retrieves the information about the kernel-mode originator (the driver/code that performed the write).
INTSTATUS IntAlertFillExecContext(QWORD Cr3, INTRO_EXEC_CONTEXT *ExecContext)
Fills the current execution context.
void IntExcept(EXCEPTION_VICTIM_ZONE *Victim, void *Originator, EXCEPTION_TYPE Type, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason, INTRO_EVENT_TYPE EventClass)
This function is the entry point for the exception mechanism.