38 ERROR(
"[ERROR] Invalid dtr type: %d\n", DtrType);
69 memzero(pDtrViol,
sizeof(*pDtrViol));
99 WARNING(
"[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
138 exitAfterInformation =
FALSE;
157 memzero(&victim,
sizeof(victim));
158 memzero(&originator,
sizeof(originator));
166 exitAfterInformation =
TRUE;
170 ERROR(
"[ERROR] Failed getting originator: 0x%08x\n", status);
173 exitAfterInformation =
TRUE;
179 ERROR(
"[ERROR] Failed getting zone details: 0x%08x\n", status);
182 exitAfterInformation =
TRUE;
185 if (exitAfterInformation)
226 ERROR(
"[ERROR] IntLixIdtProtectAll failed. Status: %d\n", status);
261 WARNING(
"[WARNING] DTR events are not supported by the HV, will NOT protect IDTR!\n");
272 TRACE(
"[DTR] Adding protection on IDTR...\n");
277 ERROR(
"[ERROR] Failed hooking the IDTR!\n");
302 WARNING(
"[WARNING] DTR events are not supported by the HV, will NOT protect GDTR!\n");
313 TRACE(
"[DTR] Adding protection on GDTR...\n");
318 ERROR(
"[ERROR] Failed hooking the GDTR!\n");
342 TRACE(
"[DTR] Removing protection on IDTR...\n");
368 TRACE(
"[DTR] Removing protection on GDTR...\n");
Measures kernel-mode exception checks.
QWORD GdtBase
Original GDT base.
enum _INTRO_ACTION_REASON INTRO_ACTION_REASON
The reason for which an INTRO_ACTION was taken.
BOOLEAN SupportDTR
Set to True if support for DTR access exits was detected.
QWORD IntAlertCoreGetFlags(QWORD ProtectionFlag, INTRO_ACTION_REASON Reason)
Returns the flags for an alert.
An internal error occurred (no memory, pages not present, etc.).
BOOLEAN IntPolicyCoreForceBetaIfNeeded(QWORD Flag, INTRO_ACTION *Action)
Checks if a forced action should be taken even if the log-only mode is active.
DWORD Index
The VCPU number.
MITRE_ID MitreID
The Mitre ID that corresponds to this attack.
QWORD SystemCr3
The Cr3 used to map the kernel.
#define INT_STATUS_SUCCESS
BOOLEAN IntPolicyCoreTakeAction(QWORD Flag, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason)
Returns the action that should be taken for a core introspection option.
WORD IdtLimit
The current IDT limit.
Sent when a DTR violation triggers an alert. See EVENT_DTR_VIOLATION.
static void * gGdtrHook
The GDTR hook.
#define INT_SUCCESS(Status)
QWORD Flags
A combination of ALERT_FLAG_* values describing the alert.
#define EXCEPTION_KM_ORIGINATOR_OPT_DO_NOT_BLOCK
Flag that can be passed to IntExceptKernelGetOriginator if the action should not be blocked...
#define INT_STATUS_NOT_NEEDED_HINT
INTSTATUS IntHookDtrSetHook(DWORD Flags, PFUNC_DtrReadWriteHookCallback Callback, void **Hook)
Places a descriptor table register hook.
int INTSTATUS
The status data type.
Describes a kernel-mode originator.
INTSTATUS IntIdtrUnprotect(void)
Remove the IDTR protection.
INTRO_GUEST_TYPE OSType
The type of the guest.
void IntAlertFillCpuContext(BOOLEAN CopyInstruction, INTRO_CPUCTX *CpuContext)
Fills the current CPU context for an alert.
static QWORD IntDtrGetProtOption(INTRO_OBJECT_TYPE DtrType)
Given a DTR object type, return the protection option which controls it.
void IntAlertFillVersionInfo(INTRO_VIOLATION_HEADER *Header)
Fills version information for an alert.
INTRO_ACTION_REASON Reason
The reason for which Action was taken.
INTSTATUS IntAlertFillCodeBlocks(QWORD Rip, QWORD Cr3, BOOLEAN Execute, INTRO_CODEBLOCKS *CodeBlocks)
Fills the code blocks pattern for an alert.
GENERIC_ALERT gAlert
Global alert buffer.
enum _INTRO_OBJECT_TYPE INTRO_OBJECT_TYPE
The type of the object protected by an EPT hook.
INTSTATUS IntWinIdtProtectOnCpu(DWORD CpuNumber)
Protects the IDT against writes on a CPU.
INTSTATUS IntLixIdtUnprotectAll(void)
Disable protection for IDT on all CPUs.
static void * gIdtrHook
The IDTR hook.
#define INT_STATUS_EXCEPTION_BLOCK
INTRO_CPUCTX CpuContext
The context of the CPU that triggered the alert.
INTSTATUS IntNotifyIntroEvent(INTRO_EVENT_TYPE EventClass, void *Param, size_t EventSize)
Notifies the integrator about an introspection alert.
#define INTRO_OPT_PROT_KM_IDTR
Enable interrupt descriptor-table register protection.
QWORD IdtBase
Original IDT base.
INTRO_CODEBLOCKS CodeBlocks
Code blocks extracted for the alert.
void IntExceptKernelLogInformation(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason)
Prints the information about a kernel-mode violation and dumps the code-blocks.
#define INT_STATUS_ALREADY_INITIALIZED_HINT
Event structure for GDTR/IDTR descriptor tables modifications.
A descriptor table register. Valid for IDTR and GDTR.
Describes the modified zone.
#define UNREFERENCED_PARAMETER(P)
INTRO_VIOLATION_HEADER Header
The alert header.
INTSTATUS IntIdtrProtect(void)
Enable IDTR protection.
INTSTATUS IntWinIdtUnprotectOnCpu(DWORD CpuNumber)
Removes the IDT write protection for a CPU.
enum _INTRO_ACTION INTRO_ACTION
Event actions.
QWORD Cr3
The value of the guest CR3 register when the event was generated.
MM Mm
Guest memory information, such as paging mode, system Cr3 value, etc.
INTSTATUS(* PFUNC_DtrReadWriteHookCallback)(DTR *OldDtr, DTR *NewDtr, DWORD Flags, INTRO_ACTION *Action)
Called when a descriptor table register is accessed.
GUEST_STATE gGuest
The current guest state.
void IntAlertFillWinProcessByCr3(QWORD ProcessCr3, INTRO_PROCESS *EventProcess)
Saves information about a Windows process inside an alert. The process is searched by its kernel CR3...
INTSTATUS IntGdtrUnprotect(void)
Remove the GDTR protection.
INTRO_ACTION Action
The action that was taken as the result of this alert.
INTSTATUS IntLixIdtProtectAll(void)
Activates protection for IDT on all CPUs.
void IntAlertDtrFill(const EXCEPTION_VICTIM_ZONE *Victim, const EXCEPTION_KM_ORIGINATOR *Originator, EVENT_DTR_VIOLATION *DtrViolation)
Saves information about a DTR write attempt in an event.
static INTSTATUS IntDtrSendAlert(PEXCEPTION_VICTIM_ZONE Victim, PEXCEPTION_KM_ORIGINATOR Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason)
Send a DTR alert.
INTRO_PROCESS CurrentProcess
The current process.
VCPU_STATE * gVcpu
The state of the current VCPU.
The action was blocked because there was no exception for it.
INTRO_EXEC_CONTEXT ExecContext
Information about the instruction that triggered the alert.
void IntAlertFillLixCurrentProcess(INTRO_PROCESS *EventProcess)
Saves the current Linux process inside an event.
static INTSTATUS IntDtrHandleWrite(DTR *OldDtr, DTR *NewDtr, DWORD Flags, INTRO_ACTION *Action)
Handle an IDTR or GDTR modification.
INTSTATUS IntExceptGetVictimDtr(DTR *NewValue, DTR *OldValue, INTRO_OBJECT_TYPE Type, EXCEPTION_VICTIM_ZONE *Victim)
This function is used to get the information about the DTR victim.
INTSTATUS IntExceptKernelGetOriginator(EXCEPTION_KM_ORIGINATOR *Originator, DWORD Options)
This function is used to get the information about the kernel-mode originator.
INTSTATUS IntAlertFillExecContext(QWORD Cr3, INTRO_EXEC_CONTEXT *ExecContext)
Fills the current execution context.
INTSTATUS IntGdtrProtect(void)
Enable GDTR protection.
void IntExcept(EXCEPTION_VICTIM_ZONE *Victim, void *Originator, EXCEPTION_TYPE Type, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason, INTRO_EVENT_TYPE EventClass)
This function is the entry point for the exception mechanism.
#define INTRO_OPT_PROT_KM_GDTR
Enable global descriptor-table register protection.
INTSTATUS IntHookDtrRemoveHook(HOOK_DTR *Hook)
Remove a descriptor register hook.
#define INT_STATUS_INVALID_PARAMETER_3