Bitdefender Hypervisor Memory Introspection
#include "lixcred.h"
#include "alerts.h"
#include "crc32.h"
#include "guests.h"
#include "lixfiles.h"
#include "lixmm.h"
#include "lixprocess.h"
#include "lixstack.h"
#include "kernvm.h"
Data Structures
struct _INTERNAL_CRED: The beginning of the cred structure as defined by the Linux kernel.

Typedefs
typedef struct _INTERNAL_CRED INTERNAL_CRED: The beginning of the cred structure as defined by the Linux kernel.

Functions
static void IntLixCredUninitMap (void): Unmaps the cred structure previously mapped by IntLixCredInitMap.
static INTSTATUS IntLixCredInitMap (QWORD CredGva): Maps a cred structure in order to calculate the checksum faster.
static void IntLixCredsDump (const LIX_CREDS *Creds): Logs information about a cred structure.
static void IntLixTaskSendCredViolationEvent (const LIX_TASK_OBJECT *Task): Sends an EVENT_INTEGRITY_VIOLATION event.
static DWORD IntLixCredCalculateCrc32Region (DWORD Offset, DWORD Size, DWORD InitialCrc): Calculates the CRC32 checksum for a memory region representing a slice of the cred structure.
static INTSTATUS IntLixCredCalculateChecksum (QWORD CredGva, DWORD *Checksum): Calculates the CRC32 checksum for a cred structure.
INTSTATUS IntLixCredAdd (QWORD CredsGva, LIX_CREDS **Creds): Adds a cred structure to the integrity-protected credentials list.
void IntLixCredRemove (LIX_CREDS **Creds): Removes the integrity protection for the credentials set that belongs to a process.
static INTSTATUS IntLixCredCheckIntegrity (LIX_CREDS *Creds, BOOLEAN Update, BOOLEAN *Valid): Checks if the credentials have been altered.
void IntLixCredsVerify (LIX_TASK_OBJECT *Task): Verifies whether the credentials of a process have been altered.
static void IntLixCredAnalyzeStack (LIX_TASK_OBJECT *Task, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason): Analyzes the user mode stack of a process that is patching its credentials.
INTSTATUS IntLixCommitCredsHandle (void *Detour): Detour handler for the "commit_creds" function.

Variables
static LIST_HEAD gCreds = LIST_HEAD_INIT(gCreds): The list head of the credentials structures protected by introcore.
static QWORD gCredGva = 0: The guest virtual address of the "struct cred" that is currently being mapped.
static void *gCredMap1 = NULL: The mapping point of the cred structure.
static void *gCredMap2 = NULL: The secondary mapping point of the cred structure.
char *gLibPaths[]: Directories where libraries changing credentials should be located.
char *gLibFiles[]: Libraries allowed to change process credentials.
typedef struct _INTERNAL_CRED INTERNAL_CRED |
The beginning of the cred structure as defined by the Linux kernel.
Subject to change, but these fields have been the same since 2.6.32 (maybe older too...).
INTSTATUS IntLixCommitCredsHandle (void *Detour)
Detour handler for the "commit_creds" function.
Because a process is able to change its credentials (by calling setuid(), setgid(), etc.) we have to keep track of these changes. The kernel is nice and creates a new "cred" structure for any change, then calls "commit_creds" to install the new credentials set on the current task. However, this new credentials set is based on the previous one, which may already have been altered. So, in order to avoid registering an altered credentials set as a clean one, we make one last integrity check on the current set.
This function also checks whether the syscall that triggered this change was performed from a known user mode library. Otherwise, a feedback-only alert will be sent.
[in] Detour: Unused.
INTSTATUS IntLixCredAdd (QWORD CredsGva, LIX_CREDS **Creds)
Adds a cred structure to the integrity-protected credentials list.
[in] CredsGva: The guest virtual address of the cred structure.
[out] Creds: Will contain upon success the reference to the LIX_CREDS structure.
Definition at line 365 of file lixcred.c.
Referenced by IntLixCommitCredsHandle(), IntLixTaskCreate(), and IntLixTaskCreateFromBinprm().
static void IntLixCredAnalyzeStack (LIX_TASK_OBJECT *Task, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason)
Analyzes the user mode stack of a process that is patching its credentials.
This function checks whether the transition from user to kernel mode was triggered from a known user mode library. See gLibFiles for the list of libraries allowed to perform this action.
[in] Task: The Linux process.
[out] Action: The action that should be further taken for this event.
[out] Reason: The reason for the taken action.
static INTSTATUS IntLixCredCalculateChecksum (QWORD CredGva, DWORD *Checksum)
Calculates the CRC32 checksum for a cred structure.
The checksum is calculated only over the structure regions that actually represent credentials; fields that may legitimately change, such as usage and rcu, are ignored. Thus, we were able to identify three regions:
We assume that sizeof(struct cred.usage) is 4 and sizeof(struct cred.rcu) is 16.
[in] CredGva: The guest virtual address of the cred structure.
[out] Checksum: Upon successful return will contain the checksum of the structure.
Definition at line 295 of file lixcred.c.
Referenced by IntLixCredAdd(), and IntLixCredCheckIntegrity().
static DWORD IntLixCredCalculateCrc32Region (DWORD Offset, DWORD Size, DWORD InitialCrc)
Calculates the CRC32 checksum for a memory region representing a slice of the cred structure.
The given region may not fit in a single page, so the page limits must be checked in order to determine where the requested region is mapped. There are three cases:
[in] Offset: The offset in the cred structure where the region begins.
[in] Size: The size of the region.
[in] InitialCrc: The initial CRC32 checksum.
Definition at line 252 of file lixcred.c.
Referenced by IntLixCredCalculateChecksum().
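As an added example (not code from the HVMI source), the C model below shows the approach described under IntLixCredCalculateChecksum and IntLixCredCalculateCrc32Region: a cred image is mapped through two simulated pages, the region walk handles the region-in-page-1, region-in-page-2 and straddling cases, and the checksum is chained over the credential fields only, skipping usage and rcu. The cred layout (168 bytes, usage in the first 4 bytes, rcu in the last 16) and the names CredLoad, CredCrc32Region and CredChecksum are constructed assumptions, not kernel or introcore definitions.

```c
#include <stdint.h>
#include <stddef.h>
#define PAGE_SIZE   4096u
/* Constructed layout (assumption, not taken from kernel headers): usage occupies
 * the first 4 bytes and rcu the last 16 bytes; everything in between is credentials. */
#define CRED_SIZE   168u
#define USAGE_SIZE  4u
#define RCU_OFFSET  (CRED_SIZE - 16u)

/* Two simulated guest pages standing in for gCredMap1 / gCredMap2. */
static uint8_t  gPage1[PAGE_SIZE], gPage2[PAGE_SIZE];
static uint32_t gCredPageOffset;   /* where the cred begins inside gPage1 */

/* Copy a cred image into the simulated pages at the given offset in page 1. */
static void CredLoad(const uint8_t *Cred, uint32_t PageOffset)
{
    gCredPageOffset = PageOffset;
    for (uint32_t i = 0; i < CRED_SIZE; i++) {
        uint32_t p = PageOffset + i;
        if (p < PAGE_SIZE) gPage1[p] = Cred[i]; else gPage2[p - PAGE_SIZE] = Cred[i];
    }
}

/* Bitwise CRC32 (reflected, polynomial 0xEDB88320); chainable through Crc. */
static uint32_t Crc32(const uint8_t *Buf, size_t Len, uint32_t Crc)
{
    Crc = ~Crc;
    for (size_t i = 0; i < Len; i++) {
        Crc ^= Buf[i];
        for (int k = 0; k < 8; k++)
            Crc = (Crc >> 1) ^ (0xEDB88320u & (0u - (Crc & 1u)));
    }
    return ~Crc;
}

/* The three cases: region entirely in page 1, entirely in page 2, or straddling both. */
static uint32_t CredCrc32Region(uint32_t Offset, uint32_t Size, uint32_t InitialCrc)
{
    uint32_t start = gCredPageOffset + Offset;
    if (start + Size <= PAGE_SIZE)
        return Crc32(gPage1 + start, Size, InitialCrc);
    if (start >= PAGE_SIZE)
        return Crc32(gPage2 + (start - PAGE_SIZE), Size, InitialCrc);
    uint32_t first = PAGE_SIZE - start;          /* bytes left in page 1 */
    uint32_t crc = Crc32(gPage1 + start, first, InitialCrc);
    return Crc32(gPage2, Size - first, crc);     /* continue in page 2 */
}

/* Checksum only the credential fields: skip usage at the head and rcu at the tail. */
static uint32_t CredChecksum(void) { return CredCrc32Region(USAGE_SIZE, RCU_OFFSET - USAGE_SIZE, 0); }
```

Loading the same image at page offset 4000 (straddling) and at offset 0 yields the same checksum, while a change to usage or rcu leaves it unchanged and a change to any byte in between alters it.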
static INTSTATUS IntLixCredCheckIntegrity (LIX_CREDS *Creds, BOOLEAN Update, BOOLEAN *Valid)
Checks if the credentials have been altered.
[in] Creds: The credentials set.
[in] Update: Whether the checksum should be updated if it has changed.
[out] Valid: Will contain upon successful return the check result.
Definition at line 477 of file lixcred.c.
Referenced by IntLixCredsVerify().
static INTSTATUS IntLixCredInitMap (QWORD CredGva)
Maps a cred structure in order to calculate the checksum faster.
[in] CredGva: The guest virtual address of the cred structure to be mapped.
Definition at line 117 of file lixcred.c.
Referenced by IntLixCredCalculateChecksum().
void IntLixCredRemove (LIX_CREDS **Creds)
Removes the integrity protection for the credentials set that belongs to a process.
This function decrements the credentials refcount and completely removes them when the refcount reaches 0.
[in] Creds: The credentials to be unprotected.
Definition at line 441 of file lixcred.c.
Referenced by IntLixCommitCredsHandle(), IntLixTaskDestroy(), and IntLixTaskRemoveEntry().
static void IntLixCredsDump (const LIX_CREDS *Creds)
Logs information about a cred structure.
[in] Creds: The LIX_CREDS structure associated with the credentials.
Definition at line 159 of file lixcred.c.
Referenced by IntLixTaskSendCredViolationEvent().
void IntLixCredsVerify (LIX_TASK_OBJECT *Task)
Verifies whether the credentials of a process have been altered.
[in] Task: The Linux process.
Definition at line 534 of file lixcred.c.
Referenced by IntLixCommitCredsHandle(), IntLixTaskAdd(), IntLixTaskDestroy(), and IntLixTaskHandleExec().
static void IntLixCredUninitMap (void)
Unmaps the cred structure previously mapped by IntLixCredInitMap.
Definition at line 90 of file lixcred.c.
Referenced by IntLixCredCalculateChecksum(), and IntLixCredInitMap().
static void IntLixTaskSendCredViolationEvent (const LIX_TASK_OBJECT *Task)
Sends an EVENT_INTEGRITY_VIOLATION event.
[in] Task: The process accused of the credentials violation.
Definition at line 191 of file lixcred.c.
Referenced by IntLixCredsVerify().
static QWORD gCredGva = 0
The guest virtual address of the "struct cred" that is currently being mapped.
Definition at line 44 of file lixcred.c.
Referenced by IntLixCredCalculateCrc32Region(), IntLixCredInitMap(), and IntLixCredUninitMap().
static void *gCredMap1 = NULL
The mapping point of the cred structure.
Definition at line 49 of file lixcred.c.
Referenced by IntLixCredCalculateCrc32Region(), IntLixCredInitMap(), and IntLixCredUninitMap().
static void *gCredMap2 = NULL
The secondary mapping point of the cred structure.
The mapping point of the second page, used when the cred structure that is currently mapped does not fit in one single page.
Definition at line 57 of file lixcred.c.
Referenced by IntLixCredCalculateCrc32Region(), IntLixCredInitMap(), and IntLixCredUninitMap().
char *gLibFiles[]
Libraries allowed to change process credentials.
Definition at line 82 of file lixcred.c.
Referenced by IntLixCredAnalyzeStack().
char *gLibPaths[]
Directories where libraries changing credentials should be located.
Definition at line 62 of file lixcred.c.
Referenced by IntLixCredAnalyzeStack().