Bitdefender Hypervisor Memory Introspection
Options used to control Introcore behavior.

Macros
| Macro | Value | Description |
|---|---|---|
| INTRO_OPT_PROT_KM_NT | 0x0000000000000001ull | Enable kernel image protection (Windows only). |
| INTRO_OPT_PROT_KM_LX | 0x0000000000000001ull | Enable kernel image protection (Linux only). |
| INTRO_OPT_PROT_KM_HAL | 0x0000000000000002ull | Enable HAL protection (Windows only). |
| INTRO_OPT_PROT_KM_SSDT | 0x0000000000000004ull | Enable SSDT protection (Windows only). |
| INTRO_OPT_PROT_KM_IDT | 0x0000000000000008ull | Enable IDT protection. |
| INTRO_OPT_PROT_KM_HAL_DISP_TABLE | 0x0000000000000010ull | Enable HDT (Hal Dispatch Table) protection (Windows only). |
| INTRO_OPT_PROT_KM_SYSTEM_CR3 | 0x0000000000000020ull | Enable System process PDBR protection. |
| INTRO_OPT_PROT_KM_TOKEN_PTR | 0x0000000000000040ull | Enable process token protection (Windows only). |
| INTRO_OPT_PROT_KM_CREDS | 0x0000000000000040ull | Enable 'struct creds' protection (Linux only). |
| INTRO_OPT_PROT_KM_NT_DRIVERS | 0x0000000000000080ull | Enable core NT drivers protection (Windows only). |
| INTRO_OPT_PROT_KM_LX_MODULES | 0x0000000000000080ull | Enable Linux kernel modules protection (Linux only). |
| INTRO_OPT_PROT_KM_AV_DRIVERS | 0x0000000000000100ull | Enable AV drivers protection (Windows only). |
| INTRO_OPT_PROT_KM_XEN_DRIVERS | 0x0000000000000200ull | Enable Xen drivers protection (Windows only). |
| INTRO_OPT_PROT_KM_DRVOBJ | 0x0000000000000400ull | Enable driver object & fast I/O dispatch protection. |
| INTRO_OPT_PROT_KM_CR4 | 0x0000000000000800ull | Enable CR4.SMEP and CR4.SMAP protection. |
| INTRO_OPT_PROT_KM_MSR_SYSCALL | 0x0000000000001000ull | Enable SYSCALL/SYSENTER MSR protection. |
| INTRO_OPT_PROT_KM_IDTR | 0x0000000000002000ull | Enable interrupt descriptor-table registers protection. |
| INTRO_OPT_PROT_KM_HAL_HEAP_EXEC | 0x0000000000004000ull | Enable execution prevention on the Hal Heap when it is not ASLR'd (Windows only). |
| INTRO_OPT_PROT_KM_HAL_INT_CTRL | 0x0000000000008000ull | Enable Hal Interrupt Controller write protection. |
| INTRO_OPT_PROT_UM_MISC_PROCS | 0x0000000000010000ull | Enable user-mode process protection. |
| INTRO_OPT_PROT_UM_SYS_PROCS | 0x0000000000020000ull | Enable user-mode system processes protection (injection only). |
| INTRO_OPT_PROT_KM_SELF_MAP_ENTRY | 0x0000000000040000ull | Enable self-map entry protection. |
| INTRO_OPT_PROT_KM_GDTR | 0x0000000000080000ull | Enable global descriptor-table registers protection. |
| INTRO_OPT_EVENT_PROCESSES | 0x0000000000100000ull | Enable process creation and termination events (generates introEventProcessEvent events). |
| INTRO_OPT_EVENT_MODULES | 0x0000000000200000ull | Enable user mode and kernel mode module load and unload events (generates introEventModuleEvent events). |
| INTRO_OPT_EVENT_OS_CRASH | 0x0000000000400000ull | Enable OS crash events (generates introEventCrashEvent events). |
| INTRO_OPT_EVENT_PROCESS_CRASH | 0x0000000000800000ull | Enable application crash events (generates introEventExceptionEvent). |
| INTRO_OPT_AGENT_INJECTION | 0x0000000001000000ull | Enable agent injections. |
| INTRO_OPT_FULL_PATH | 0x0000000002000000ull | Enable full-path protection of processes. |
| INTRO_OPT_KM_BETA_DETECTIONS | 0x0000000004000000ull | Enable kernel beta (log only) detections. |
| INTRO_OPT_NOTIFY_ENGINES | 0x0000000008000000ull | Send suspicious pages to be scanned by third party scan engines. |
| INTRO_OPT_IN_GUEST_PT_FILTER | 0x0000000010000000ull | Enable in-guest page-table filtering (64-bit Windows only). |
| INTRO_OPT_BUGCHECK_CLEANUP | 0x0000000020000000ull | Enable memory cleanup after an OS crash (Windows). |
| INTRO_OPT_PANIC_CLEANUP | 0x0000000020000000ull | Enable memory cleanup after an OS crash (Linux). |
| INTRO_OPT_SYSPROC_BETA_DETECTIONS | 0x0000000040000000ull | Enable system processes beta (log only) detection. |
| INTRO_OPT_VE | 0x0000000080000000ull | Enable the Virtualization exception page table access pre-filtering agent (64-bit Windows only). |
| INTRO_OPT_EVENT_CONNECTIONS | 0x0000000100000000ull | Enable connection events. |
| INTRO_OPT_PROT_KM_LOGGER_CONTEXT | 0x0000000200000000ull | Enable protection on WMI_LOGGER_CONTEXT.GetCpuClock used by InfinityHook (Windows only). |
| INTRO_OPT_PROT_DPI_DEBUG | 0x0000000400000000ull | Enable process creation protection for child processes created with debug flag. |
| INTRO_OPT_PROT_DPI_STACK_PIVOT | 0x0000000800000000ull | Enable process creation protection for pivoted stack. |
| INTRO_OPT_PROT_DPI_TOKEN_STEAL | 0x0000001000000000ull | Enable process creation protection for stolen token. |
| INTRO_OPT_PROT_DPI_HEAP_SPRAY | 0x0000002000000000ull | Enable process creation protection for heap sprayed parent. |
| INTRO_OPT_PROT_KM_NT_EAT_READS | 0x0000004000000000ull | Enable kernel EAT read protection (Windows only). |
| INTRO_OPT_PROT_KM_LX_TEXT_READS | 0x0000008000000000ull | Enable kernel '_text' section read protection (Linux only). |
| INTRO_OPT_PROT_KM_VDSO | 0x0000010000000000ull | Enable vDSO image protection (Linux only). |
| INTRO_OPT_PROT_KM_SWAPGS | 0x0000020000000000ull | Enable SWAPGS (CVE-2019-1125) mitigation. |
| INTRO_OPT_PROT_KM_TOKEN_PRIVS | 0x0000040000000000ull | Enable protection over Token Privileges bitmaps. |
| INTRO_OPT_PROT_DPI_TOKEN_PRIVS | 0x0000080000000000ull | Enable process creation protection for parent which has violated Token privileges constraints. |
| INTRO_OPT_PROT_DPI_THREAD_SHELL | 0x0000100000000000ull | Examines the code where the current thread started execution when the current thread creates a process. |
| INTRO_OPT_PROT_KM_SUD_EXEC | 0x0000200000000000ull | Enable protection against executions on SharedUserData. |
| INTRO_OPT_PROT_KM_HAL_PERF_CNT | 0x0000400000000000ull | Enable protection over HalPerformanceCounter's function pointer, which is called inside KeQueryPerformanceCounter. |
| INTRO_OPT_PROT_KM_SD_ACL | 0x0000800000000000ull | Enable integrity protection over the Security Descriptor pointer and the 2 ACLs (SACL/DACL). |
| INTRO_OPT_PROT_DPI_SD_ACL | 0x0001000000000000ull | Enable detection of Security Descriptor pointer modifications and ACL modifications on process creation. |
| INTRO_OPT_PROT_KM_SUD_INTEGRITY | 0x0002000000000000ull | Enable integrity checks over various SharedUserData fields, as well as the zero-filled zone after the SharedUserData structure. |
| INTRO_OPT_PROT_KM_INTERRUPT_OBJ | 0x0004000000000000ull | Enable protection against modifications of interrupt objects from KPRCB's InterruptObject. |
| INTRO_OPT_PROT_DPI | | Aggregates all the deep process inspection flags. |
| INTRO_OPT_ENABLE_KM_PROTECTION | | Aggregates all the kernel mode protection flags. |
| INTRO_OPT_ENABLE_UM_PROTECTION | | Aggregates all the user mode protection flags. |
| INTRO_OPT_ENABLE_AV_PROTECTION | (INTRO_OPT_PROT_KM_AV_DRIVERS) | Aggregates all the AV protection flags. |
| INTRO_OPT_ENABLE_CR_PROTECTION | (INTRO_OPT_PROT_KM_CR4) | Aggregates all the control register protection flags. |
| INTRO_OPT_ENABLE_MSR_PROTECTION | (INTRO_OPT_PROT_KM_MSR_SYSCALL) | Aggregates all the MSR protection flags. |
| INTRO_OPT_ENABLE_INTEGRITY_CHECKS | | Aggregates all the integrity protection flags. |
| INTRO_OPT_ENABLE_DTR_PROTECTION | | Aggregates all the descriptor table register protection flags. |
| INTRO_OPT_ENABLE_KM_BETA_DETECTIONS | (INTRO_OPT_KM_BETA_DETECTIONS) | Aggregates all the kernel log-only detection flags. |
| INTRO_OPT_ENABLE_FULL_PATH | (INTRO_OPT_FULL_PATH) | Aggregates all the full path protection flags. |
| INTRO_OPT_ENABLE_XEN_PROTECTION | (INTRO_OPT_PROT_KM_XEN_DRIVERS) | Aggregates all the XEN-related protection flags. |
| INTRO_OPT_ENABLE_MANUAL_AGENT_INJ | (INTRO_OPT_AGENT_INJECTION) | Aggregates all the agent injection flags. |
| INTRO_OPT_ENABLE_MISC_EVENTS | | Aggregates all the miscellaneous protection flags. |
| INTRO_OPT_DYNAMIC_OPTIONS_MASK | (0xffffffffffffffff) | All the flags that can be modified without unloading Introcore. |
| INTRO_OPT_DEFAULT_OPTIONS | | Aggregates all the default options. |
| INTRO_OPT_DEFAULT_XEN_OPTIONS | | Aggregates all the default XEN options. |
| INTRO_OPT_ONLY_KERNEL | | Aggregates all the kernel-only protection and activation flags. |
| POLICY_KM_BETA_FLAGS | | Aggregates all the flags that are affected by the INTRO_OPT_ENABLE_KM_BETA_DETECTIONS flag. |
Options used to control Introcore behavior.
#define INTRO_OPT_AGENT_INJECTION 0x0000000001000000ull
Enable agent injections.
Definition at line 451 of file intro_types.h.
Referenced by IntInjectFileAgentInGuest(), and IntInjectProcessAgentInGuest().
#define INTRO_OPT_BUGCHECK_CLEANUP 0x0000000020000000ull
Enable memory cleanup after an OS crash (Windows).
When this flag is set, introcore will try to remove all the code it modified inside the guest.
Definition at line 466 of file intro_types.h.
Referenced by IntGuestUninitOnBugcheck().
#define INTRO_OPT_DEFAULT_OPTIONS
Aggregates all the default options.
Definition at line 612 of file intro_types.h.
#define INTRO_OPT_DEFAULT_XEN_OPTIONS
Aggregates all the default XEN options.
Definition at line 625 of file intro_types.h.
#define INTRO_OPT_DYNAMIC_OPTIONS_MASK (0xffffffffffffffff)
All the flags that can be modified without unloading Introcore.
Definition at line 609 of file intro_types.h.
#define INTRO_OPT_ENABLE_AV_PROTECTION (INTRO_OPT_PROT_KM_AV_DRIVERS)
Aggregates all the AV protection flags.
Definition at line 566 of file intro_types.h.
#define INTRO_OPT_ENABLE_CR_PROTECTION (INTRO_OPT_PROT_KM_CR4)
Aggregates all the control register protection flags.
Definition at line 569 of file intro_types.h.
#define INTRO_OPT_ENABLE_DTR_PROTECTION
Aggregates all the descriptor table register protection flags.
Definition at line 587 of file intro_types.h.
#define INTRO_OPT_ENABLE_FULL_PATH (INTRO_OPT_FULL_PATH)
Aggregates all the full path protection flags.
Definition at line 594 of file intro_types.h.
Referenced by IntWinProcChangeProtectionFlags().
#define INTRO_OPT_ENABLE_INTEGRITY_CHECKS
Aggregates all the integrity protection flags.
Definition at line 575 of file intro_types.h.
#define INTRO_OPT_ENABLE_KM_BETA_DETECTIONS (INTRO_OPT_KM_BETA_DETECTIONS)
Aggregates all the kernel log-only detection flags.
Definition at line 591 of file intro_types.h.
Referenced by IntNewGuestNotification().
#define INTRO_OPT_ENABLE_KM_PROTECTION
Aggregates all the kernel mode protection flags.
Definition at line 544 of file intro_types.h.
#define INTRO_OPT_ENABLE_MANUAL_AGENT_INJ (INTRO_OPT_AGENT_INJECTION)
Aggregates all the agent injection flags.
Definition at line 600 of file intro_types.h.
#define INTRO_OPT_ENABLE_MISC_EVENTS
Aggregates all the miscellaneous protection flags.
Definition at line 603 of file intro_types.h.
#define INTRO_OPT_ENABLE_MSR_PROTECTION (INTRO_OPT_PROT_KM_MSR_SYSCALL)
Aggregates all the MSR protection flags.
Definition at line 572 of file intro_types.h.
#define INTRO_OPT_ENABLE_UM_PROTECTION
Aggregates all the user mode protection flags.
Definition at line 561 of file intro_types.h.
Referenced by IntWinProcAddProtectedProcess(), IntWinProcCreateProcessObject(), and IntWinProcHandleCopyMemory().
#define INTRO_OPT_ENABLE_XEN_PROTECTION (INTRO_OPT_PROT_KM_XEN_DRIVERS)
Aggregates all the XEN-related protection flags.
Definition at line 597 of file intro_types.h.
#define INTRO_OPT_EVENT_CONNECTIONS 0x0000000100000000ull
Enable connection events.
Ignored for processes that do not have the PROC_OPT_PROT_EXPLOIT protection flag. Will send one introEventConnectionEvent for each connection opened by a process when an introEventEptViolation event is triggered for an execution attempt.
Definition at line 482 of file intro_types.h.
Referenced by IntLixNetIterateTaskConnections(), IntLixNetSendGuestConnections(), and IntWinNetSendProcessConnections().
#define INTRO_OPT_EVENT_MODULES 0x0000000000200000ull
Enable user mode and kernel mode module load and unload events (generates introEventModuleEvent events).
Definition at line 445 of file intro_types.h.
Referenced by IntLixDrvSendEvent(), IntWinDrvSendEvent(), and IntWinProcSendDllEvent().
#define INTRO_OPT_EVENT_OS_CRASH 0x0000000000400000ull
Enable OS crash events (generates introEventCrashEvent events).
Definition at line 447 of file intro_types.h.
Referenced by IntWinBcSendBsodEvent().
#define INTRO_OPT_EVENT_PROCESS_CRASH 0x0000000000800000ull
Enable application crash events (generates introEventExceptionEvent).
Definition at line 449 of file intro_types.h.
Referenced by IntLixTaskSendExceptionEvent(), and IntWinProcSendProcessExceptionEvent().
#define INTRO_OPT_EVENT_PROCESSES 0x0000000000100000ull
Enable process creation and termination events (generates introEventProcessEvent events).
Definition at line 443 of file intro_types.h.
Referenced by IntLixTaskSendTaskEvent(), and IntWinProcSendProcessEvent().
#define INTRO_OPT_FULL_PATH 0x0000000002000000ull
Enable full-path protection of processes.
If set, the full path of the main module of the process must match the full path provided at protection time.
Definition at line 456 of file intro_types.h.
Referenced by IntWinProcGetProtectedInfoEx().
#define INTRO_OPT_IN_GUEST_PT_FILTER 0x0000000010000000ull
Enable in-guest page-table filtering (64-bit Windows only).
Definition at line 461 of file intro_types.h.
Referenced by IntGuestInit(), IntGuestUpdateCoreOptions(), IntHandleTimer(), IntPtiHandleGuestResumeFromSleep(), IntVeCompleteLoader(), IntWinPowHandleEventCommon(), and IntWinProcCreateProcessObject().
#define INTRO_OPT_KM_BETA_DETECTIONS 0x0000000004000000ull
Enable kernel beta (log only) detections.
Definition at line 457 of file intro_types.h.
Referenced by IntGuestInit(), and IntGuestUpdateCoreOptions().
#define INTRO_OPT_NOTIFY_ENGINES 0x0000000008000000ull
Send suspicious pages to be scanned by third party scan engines.
Definition at line 459 of file intro_types.h.
Referenced by IntLixVmaHandlePageExecution(), and IntWinVadIsExecSuspicious().
#define INTRO_OPT_ONLY_KERNEL
Aggregates all the kernel-only protection and activation flags.
Definition at line 639 of file intro_types.h.
#define INTRO_OPT_PANIC_CLEANUP 0x0000000020000000ull
Enable memory cleanup after an OS crash (Linux).
When this flag is set, introcore will try to remove all the code it modified inside the guest.
Definition at line 470 of file intro_types.h.
#define INTRO_OPT_PROT_DPI
Aggregates all the deep process inspection flags.
Definition at line 534 of file intro_types.h.
Referenced by IntLixTaskHandleExec(), IntLixValidateProcessCreationRights(), and IntWinDpiCheckCreation().
#define INTRO_OPT_PROT_DPI_DEBUG 0x0000000400000000ull
Enable process creation protection for child processes created with debug flag.
Definition at line 488 of file intro_types.h.
Referenced by IntWinDpiGatherDpiInfo(), and IntWinDpiHandleDpiDebug().
#define INTRO_OPT_PROT_DPI_HEAP_SPRAY 0x0000002000000000ull
Enable process creation protection for heap sprayed parent.
Definition at line 494 of file intro_types.h.
Referenced by IntWinDpiGatherDpiInfo(), and IntWinDpiHandleDpiHeapSpray().
#define INTRO_OPT_PROT_DPI_SD_ACL 0x0001000000000000ull
Enable detection of Security Descriptor pointer modifications and ACL modifications on process creation.
Definition at line 524 of file intro_types.h.
Referenced by IntWinDpiGatherDpiInfo(), IntWinDpiHandleDpiAclEdit(), and IntWinDpiHandleDpiSecDesc().
#define INTRO_OPT_PROT_DPI_STACK_PIVOT 0x0000000800000000ull
Enable process creation protection for pivoted stack.
Definition at line 490 of file intro_types.h.
Referenced by IntLixTaskHandleExec(), IntWinDpiGatherDpiInfo(), and IntWinDpiHandleDpiPivotedStack().
#define INTRO_OPT_PROT_DPI_THREAD_SHELL 0x0000100000000000ull
Examines the code where the current thread started execution when the current thread creates a process.
Definition at line 509 of file intro_types.h.
Referenced by IntWinDpiGatherDpiInfo(), and IntWinDpiHandleDpiThreadStart().
#define INTRO_OPT_PROT_DPI_TOKEN_PRIVS 0x0000080000000000ull
Enable process creation protection for parent which has violated Token privileges constraints.
Definition at line 507 of file intro_types.h.
Referenced by IntWinDpiGatherDpiInfo(), and IntWinDpiHandleDpiTokenPrivs().
#define INTRO_OPT_PROT_DPI_TOKEN_STEAL 0x0000001000000000ull
Enable process creation protection for stolen token.
Definition at line 492 of file intro_types.h.
Referenced by IntLixCredsVerify(), IntWinDpiGatherDpiInfo(), and IntWinDpiHandleDpiStolenToken().
#define INTRO_OPT_PROT_KM_AV_DRIVERS 0x0000000000000100ull
Enable AV drivers protection (Windows only).
Definition at line 422 of file intro_types.h.
Referenced by IntWinDrvIsProtected().
#define INTRO_OPT_PROT_KM_CR4 0x0000000000000800ull
Enable CR4.SMEP and CR4.SMAP protection.
Definition at line 426 of file intro_types.h.
Referenced by IntCrLixHandleWrite(), IntCrSendAlert(), IntCrWinHandleWrite(), IntGuestUpdateCoreOptions(), IntLixGuestActivateProtection(), and IntWinGuestActivateProtection().
#define INTRO_OPT_PROT_KM_CREDS 0x0000000000000040ull
Enable 'struct creds' protection (Linux only).
Definition at line 417 of file intro_types.h.
Referenced by IntLixCredAdd(), IntLixCredCheckIntegrity(), and IntLixCredsVerify().
#define INTRO_OPT_PROT_KM_DRVOBJ 0x0000000000000400ull
Enable driver object & fast I/O dispatch protection.
Definition at line 425 of file intro_types.h.
Referenced by IntWinDrvObjHandleModification(), IntWinDrvObjHandleWrite(), IntWinDrvObjIsProtected(), IntWinDrvObjSendEptAlert(), and IntWinDrvObjSendIntegrityAlert().
#define INTRO_OPT_PROT_KM_GDTR 0x0000000000080000ull
Enable global descriptor-table registers protection.
Definition at line 440 of file intro_types.h.
Referenced by IntDtrGetProtOption(), IntGuestUpdateCoreOptions(), IntLixGuestActivateProtection(), and IntWinGuestActivateProtection().
#define INTRO_OPT_PROT_KM_HAL 0x0000000000000002ull
Enable HAL protection (Windows only).
Definition at line 410 of file intro_types.h.
Referenced by IntWinDrvIsProtected().
#define INTRO_OPT_PROT_KM_HAL_DISP_TABLE 0x0000000000000010ull
Enable HDT (Hal Dispatch Table) protection (Windows only).
Definition at line 414 of file intro_types.h.
Referenced by IntWinHalCreateHalData(), IntWinHalHandleDispatchTableWrite(), and IntWinHalUpdateProtection().
#define INTRO_OPT_PROT_KM_HAL_HEAP_EXEC 0x0000000000004000ull
Enable execution prevention on the Hal Heap when it is not ASLR'd (Windows only).
Definition at line 431 of file intro_types.h.
Referenced by IntWinHalCreateHalData(), IntWinHalHandleHalHeapExec(), and IntWinHalUpdateProtection().
#define INTRO_OPT_PROT_KM_HAL_INT_CTRL 0x0000000000008000ull
Enable Hal Interrupt Controller write protection.
Definition at line 433 of file intro_types.h.
Referenced by IntWinHalCreateHalData(), IntWinHalHandleHalIntCtrlWrite(), IntWinHalSendAlert(), and IntWinHalUpdateProtection().
#define INTRO_OPT_PROT_KM_HAL_PERF_CNT 0x0000400000000000ull
Enable protection over HalPerformanceCounter's function pointer, which is called inside KeQueryPerformanceCounter.
Definition at line 519 of file intro_types.h.
Referenced by IntWinHalFindPerformanceCounterInternal(), IntWinHalHandlePerfCounterModification(), IntWinHalSendPerfCntIntegrityAlert(), and IntWinHalUpdateProtection().
#define INTRO_OPT_PROT_KM_IDT 0x0000000000000008ull
Enable IDT protection.
Definition at line 412 of file intro_types.h.
Referenced by IntGuestUpdateCoreOptions(), IntLixGuestActivateProtection(), IntLixIdtWriteHandler(), IntWinGuestActivateProtection(), IntWinIdtHandleModification(), IntWinIdtSendIntegrityAlert(), and IntWinIdtWriteHandler().
#define INTRO_OPT_PROT_KM_IDTR 0x0000000000002000ull
Enable interrupt descriptor-table registers protection.
Definition at line 429 of file intro_types.h.
Referenced by IntDtrGetProtOption(), IntGuestUpdateCoreOptions(), IntLixGuestActivateProtection(), and IntWinGuestActivateProtection().
#define INTRO_OPT_PROT_KM_INTERRUPT_OBJ 0x0004000000000000ull
Enable protection against modifications of interrupt objects from KPRCB's InterruptObject.
Definition at line 531 of file intro_types.h.
Referenced by IntGuestUpdateCoreOptions(), IntWinGuestActivateProtection(), IntWinIntObjHandleModification(), and IntWinIntObjSendIntegrityAlert().
#define INTRO_OPT_PROT_KM_LOGGER_CONTEXT 0x0000000200000000ull
Enable protection on WMI_LOGGER_CONTEXT.GetCpuClock used by InfinityHook (Windows only).
Definition at line 485 of file intro_types.h.
Referenced by IntGuestUpdateCoreOptions(), IntWinInfHookEptSppHandleWrite(), IntWinInfHookEptSppSendAlert(), IntWinInfHookIntegrityHandleWrite(), IntWinInfHookIntegritySendAlert(), and IntWinInfHookProtect().
#define INTRO_OPT_PROT_KM_LX 0x0000000000000001ull
Enable kernel image protection (Linux only).
Definition at line 409 of file intro_types.h.
Referenced by IntGuestUpdateCoreOptions(), IntLixGuestActivateProtection(), IntLixHookKernelWrite(), IntLixKernelReadUnprotect(), and IntLixKernelWriteUnprotect().
#define INTRO_OPT_PROT_KM_LX_MODULES 0x0000000000000080ull
Enable Linux kernel modules protection (Linux only).
Definition at line 421 of file intro_types.h.
Referenced by IntLixDrvActivateProtection(), and IntLixDrvUpdateProtection().
#define INTRO_OPT_PROT_KM_LX_TEXT_READS 0x0000008000000000ull
Enable kernel '_text' section read protection (Linux only).
Definition at line 499 of file intro_types.h.
Referenced by IntGuestUpdateCoreOptions(), IntLixGuestActivateProtection(), IntLixHookKernelRead(), IntLixKernelReadUnprotect(), and IntLixKernelWriteUnprotect().
#define INTRO_OPT_PROT_KM_MSR_SYSCALL 0x0000000000001000ull
Enable SYSCALL/SYSENTER MSR protection.
Definition at line 427 of file intro_types.h.
Referenced by IntGuestUpdateCoreOptions(), IntLixGuestActivateProtection(), IntLixMsrHandleWrite(), IntWinGuestActivateProtection(), IntWinMsrHandleWrite(), and IntWinMsrSendAlert().
#define INTRO_OPT_PROT_KM_NT 0x0000000000000001ull
Enable kernel image protection (Windows only).
Definition at line 408 of file intro_types.h.
Referenced by IntExceptGetVictimEpt(), and IntWinDrvIsProtected().
#define INTRO_OPT_PROT_KM_NT_DRIVERS 0x0000000000000080ull
Enable core NT drivers protection (Windows only).
Definition at line 419 of file intro_types.h.
Referenced by IntWinDrvIsProtected().
#define INTRO_OPT_PROT_KM_NT_EAT_READS 0x0000004000000000ull
Enable kernel EAT read protection (Windows only).
Definition at line 497 of file intro_types.h.
Referenced by IntGuestUpdateCoreOptions(), IntWinDrvForceDisableReadNtEat(), and IntWinDrvHeadersInMemory().
#define INTRO_OPT_PROT_KM_SD_ACL 0x0000800000000000ull
Enable integrity protection over the Security Descriptor pointer and the 2 ACLs (SACL/DACL).
Definition at line 522 of file intro_types.h.
Referenced by IntWinSDCheckIntegrity(), IntWinSDSendAclIntegrityViolation(), and IntWinSDSendSecDescIntViolation().
#define INTRO_OPT_PROT_KM_SELF_MAP_ENTRY 0x0000000000040000ull
Enable self-map entry protection.
Definition at line 438 of file intro_types.h.
Referenced by IntGuestUpdateCoreOptions(), IntWinSelfMapGetAndCheckSelfMapEntry(), IntWinSelfMapHandleCr3SelfMapModification(), IntWinSelfMapHandleCr3SelfMapWrite(), IntWinSelfMapProtectSelfMapIndex(), and IntWinSelfMapValidateSelfMapEntries().
#define INTRO_OPT_PROT_KM_SSDT 0x0000000000000004ull
Enable SSDT protection (Windows only).
Definition at line 411 of file intro_types.h.
#define INTRO_OPT_PROT_KM_SUD_EXEC 0x0000200000000000ull
Enable protection against executions on SharedUserData.
Note that although the resulting alert can be either KM or UM, this is a KM policy flag, since an execution on SharedUserData cannot occur without malicious behavior already happening in the kernel.
Definition at line 515 of file intro_types.h.
Referenced by IntGuestUpdateCoreOptions(), IntWinGuestActivateProtection(), IntWinSudHandleKernelSudExec(), IntWinSudHandleUserSudExec(), and IntWinSudSendSudExecAlert().
#define INTRO_OPT_PROT_KM_SUD_INTEGRITY 0x0002000000000000ull
Enable integrity checks over various SharedUserData fields, as well as the zero-filled zone after the SharedUserData structure.
Definition at line 528 of file intro_types.h.
Referenced by IntGuestUpdateCoreOptions(), IntWinGuestActivateProtection(), IntWinSudCheckIntegrity(), IntWinSudHandleFieldModification(), and IntWinSudSendSudIntegrityAlert().
#define INTRO_OPT_PROT_KM_SWAPGS 0x0000020000000000ull
Enable SWAPGS (CVE-2019-1125) mitigation.
Definition at line 502 of file intro_types.h.
Referenced by IntLixPatchSwapgs(), and IntSwapgsStartMitigation().
#define INTRO_OPT_PROT_KM_SYSTEM_CR3 0x0000000000000020ull
Enable System process PDBR protection.
Definition at line 415 of file intro_types.h.
Referenced by IntWinProcValidateSystemCr3().
#define INTRO_OPT_PROT_KM_TOKEN_PRIVS 0x0000040000000000ull
Enable protection over Token Privileges bitmaps.
Definition at line 505 of file intro_types.h.
Referenced by IntGuestUpdateCoreOptions(), IntWinProcCreateProcessObject(), IntWinProcDeleteProcessObject(), IntWinTokenCheckIntegrity(), IntWinTokenPrivsCheckIntegrityOnProcess(), IntWinTokenPrivsHandleWrite(), IntWinTokenPrivsProtectOnProcess(), IntWinTokenPrivsSendEptAlert(), IntWinTokenPrivsSendIntegrityAlert(), IntWinTokenProtectPrivs(), and IntWinTokenUnprotectPrivs().
#define INTRO_OPT_PROT_KM_TOKEN_PTR 0x0000000000000040ull
Enable process token protection (Windows only).
Definition at line 416 of file intro_types.h.
Referenced by IntWinProcCreateProcessObject(), IntWinProcDeleteProcessObject(), and IntWinTokenCheckIntegrity().
#define INTRO_OPT_PROT_KM_VDSO 0x0000010000000000ull
Enable vDSO image protection (Linux only).
Definition at line 500 of file intro_types.h.
Referenced by IntGuestUpdateCoreOptions(), IntLixGuestActivateProtection(), IntLixTaskHandleExec(), and IntLixVdsoHandleWriteCommon().
#define INTRO_OPT_PROT_KM_XEN_DRIVERS 0x0000000000000200ull
Enable Xen drivers protection (Windows only).
Definition at line 423 of file intro_types.h.
Referenced by IntWinDrvIsProtected().
#define INTRO_OPT_PROT_UM_MISC_PROCS 0x0000000000010000ull
Enable user-mode process protection.
Definition at line 435 of file intro_types.h.
Referenced by IntLixProcGetProtOption(), IntLixTaskActivateProtection(), IntLixTaskAdjustProtections(), IntLixTaskShouldProtect(), IntWinProcGetProtectedInfo(), IntWinProcGetProtectedInfoEx(), and IntWinProcGetProtOption().
#define INTRO_OPT_PROT_UM_SYS_PROCS 0x0000000000020000ull
Enable user-mode system processes protection (injection only).
Definition at line 437 of file intro_types.h.
Referenced by IntAlertCoreGetFlags(), IntAlertProcGetFlags(), IntWinProcGetProtectedInfo(), IntWinProcGetProtectedInfoEx(), and IntWinProcGetProtOption().
#define INTRO_OPT_SYSPROC_BETA_DETECTIONS 0x0000000040000000ull
Enable system processes beta (log only) detection.
Definition at line 472 of file intro_types.h.
Referenced by IntGuestInit(), and IntGuestUpdateCoreOptions().
#define INTRO_OPT_VE 0x0000000080000000ull
Enable the Virtualization exception page table access pre-filtering agent (64-bit Windows only).
Definition at line 475 of file intro_types.h.
Referenced by IntGuestInit(), IntGuestUpdateCoreOptions(), IntHandleTimer(), IntVeCompleteLoader(), IntVeDumpStats(), IntVeHandleGuestResumeFromSleep(), IntVeInit(), IntWinGuestFinishInit(), and IntWinPowHandleEventCommon().
#define POLICY_KM_BETA_FLAGS
Aggregates all the flags that are affected by the INTRO_OPT_ENABLE_KM_BETA_DETECTIONS flag.
Definition at line 650 of file intro_types.h.
Referenced by IntPolicyCoreIsOptionBeta().