70 "/@/.snapshots/*/snapshots/lib64/*",
71 "/@/.snapshots/*/snapshots/lib32/*",
72 "/@/.snapshots/*/snapshots/lib/*",
73 "/@/.snapshots/*/snapshot/lib64/*",
74 "/@/.snapshots/*/snapshot/lib32/*",
75 "/@/.snapshots/*/snapshot/lib/*",
133 ERROR(
"[ERROR] IntVirtMemMap failed for %llx: %08x\n", CredGva, status);
134 goto _cleanup_and_fail;
142 ERROR(
"[ERROR] IntVirtMemMap failed for %llx: %08x\n", (CredGva & PAGE_MASK) +
PAGE_SIZE, status);
143 goto _cleanup_and_fail;
179 ERROR(
"[ERROR] IntVirtMemMap failed for gva %llx\n", Creds->Gva);
183 LOG(
"--> uid = %04d, guid = %04d, suid = %04d, sgid = %04d, euid = %04d, egid = %04d, fsuid = %04d, fsgid = %04d\n",
201 memzero(pEvent,
sizeof(*pEvent));
206 ERROR(
"[ERROR] IntKernVirtMemFetchQword failed: 0x%08x\n", status);
237 LOG(
"[CRED] [INTEGRITY VIOLATION] Modified credentials for process (%d %llx %s) at address %llx.\n",
240 LOG(
"[CRED] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ROOTKIT ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n\n");
245 WARNING(
"[WARNING] IntNotifyIntroEvent failed: %08x\n", status);
274 DWORD crc = InitialCrc;
325 range[1] = range[0] + 4;
327 range[3] = range[2] + 16;
332 range[1] = range[0] + 16;
334 range[3] = range[2] + 4;
403 if (CredsGva == pExtCreds->Gva)
406 pExtCreds->RefCount++;
419 pCreds->
Gva = CredsGva;
425 ERROR(
"[ERROR] IntLixCredCalculateChecksum failed for 0x%llx. Status: 0x%08x\n", CredsGva, status);
464 ERROR(
"[ERROR] Refcount for creds %llx is already 0!\n", pCreds->
Gva);
512 ERROR(
"[ERROR] IntLixCredCalculateChecksum failed for %llx (refcount: %d): 0x%08x\n",
513 Creds->Gva, Creds->RefCount, status);
523 Creds->Checksum = checksum;
550 if (NULL == Task->Creds)
558 ERROR(
"[ERROR] IntLixCredCheckIntegrity failed for task '%s' (%d, 0x%llx)\n",
559 Task->ProcName, Task->Pid, Task->Gva);
570 Task->Dpi.StolenTokens =
TRUE;
598 char *pFilePath = NULL;
607 ERROR(
"[ERROR] IntLixTaskGetTrapFrame failed with status: 0x%08x\n", status);
618 ERROR(
"[ERROR] IntLixMmFetchVad failed for RIP %llx: %08x\n", trapFrame.
Rip, status);
634 ERROR(
"[ERROR] IntLixFileGetPath filed for file @ 0x%016llx : %08x\n", vma.
File, status);
638 char *pFileName = NULL;
655 for (; len > 0; len--)
657 if (pFilePath[len] ==
'/')
659 pFileName = &pFilePath[len + 1];
664 if (NULL == pFileName)
666 pFileName = pFilePath;
688 LOG(
"[WARNING] [LIX-CRED] Return address is inside '%s'\n", pFilePath);
723 ERROR(
"[ERROR] IntLixTaskGetCurrent returned NULL\n");
739 ERROR(
"[ERROR] IntKernVirtMemFetchDword failed for %llx with status: %08x\n",
742 else if (0 == (in &
BIT(
LIX_FIELD(TaskStruct, InExecveBit))))
756 ERROR(
"[ERROR] IntLixCredAdd failed for %s (%d 0x%llx). Status: 0x%08x\n",
761 pTask->
Creds = newCreds;
enum _INTRO_ACTION_REASON INTRO_ACTION_REASON
The reason for which an INTRO_ACTION was taken.
#define INTRO_OPT_PROT_DPI_TOKEN_STEAL
Enable process creation protection for stolen token.
BOOLEAN Valid
Set to True if the information in the structure is valid, False otherwise.
INTSTATUS IntVirtMemUnmap(void **HostPtr)
Unmaps a memory range previously mapped with IntVirtMemMap.
DWORD Size
The size of the access.
static void * gCredMap1
The mapping point of the cred structure.
An internal error occurred (no memory, pages not present, etc.).
IG_ARCH_REGS Regs
The current state of the guest registers.
DWORD Crc32Compute(const void *Buffer, size_t Size, DWORD InitialCrc)
Computes the CRC for a byte array.
static QWORD gCredGva
The guest virtual address of the "struct cred" that is currently being mapped.
MITRE_ID MitreID
The Mitre ID that corresponds to this attack.
QWORD SystemCr3
The Cr3 used to map the kernel.
#define INT_STATUS_SUCCESS
BOOLEAN glob_match_utf8(char const *Pattern, char const *String, BOOLEAN IgnoreCase, BOOLEAN Truncated)
#define PAGE_REMAINING(addr)
Event structure for integrity violations on monitored structures.
QWORD Gva
The guest virtual address of the task_struct.
void IntLixCredsVerify(LIX_TASK_OBJECT *Task)
Verifies whether the credentials of a process have been altered or not.
The beginning of the cred structure as defined by linux kernel.
#define INT_SUCCESS(Status)
QWORD Flags
A combination of ALERT_FLAG_* values describing the alert.
Access 'struct creds' fields.
The action was not allowed because there was no reason to allow it.
BOOLEAN KernelBetaDetections
True if the kernel protection is in beta (log-only) mode.
struct _EVENT_INTEGRITY_VIOLATION::@304 Victim
DWORD RefCount
Number of processes referring to this credentials set.
#define INT_STATUS_NOT_NEEDED_HINT
#define ALERT_FLAG_ASYNC
If set, the alert was generated in an async manner.
#define INTRO_OPT_PROT_KM_CREDS
#define HpAllocWithTag(Len, Tag)
int INTSTATUS
The status data type.
#define PAGE_COUNT(addr, bytes)
DWORD Checksum
The CRC32 checksum.
void IntAlertFillVersionInfo(INTRO_VIOLATION_HEADER *Header)
Fills version information for an alert.
static void IntLixCredAnalyzeStack(LIX_TASK_OBJECT *Task, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason)
Analyzes the user mode stack of a process that is patching its credentials.
static void IntLixCredsDump(const LIX_CREDS *Creds)
Logs information about a cred structure.
Access Token Manipulation.
INTRO_ACTION_REASON Reason
The reason for which Action was taken.
#define ALERT_FLAG_BETA
If set, the alert is a BETA alert. No action was taken.
GENERIC_ALERT gAlert
Global alert buffer.
INTSTATUS IntKernVirtMemFetchDword(QWORD GuestVirtualAddress, DWORD *Data)
Reads 4 bytes from the guest kernel memory.
#define INITIAL_CRC_VALUE
static DWORD IntLixCredCalculateCrc32Region(DWORD Offset, DWORD Size, DWORD InitialCrc)
Calculates the CRC32 checksum for a memory region representing a slice of the cred structure...
DWORD Size
The size of the modified memory area.
Describes one set of credentials.
void IntLixCredRemove(LIX_CREDS **Creds)
Removes the integrity protection for the credentials set that belongs to a process.
INTSTATUS IntLixMmFetchVma(LIX_TASK_OBJECT *Task, QWORD Address, LIX_VMA *Vma)
Retrieves information about the VMA structure containing a user mode address.
#define IS_KERNEL_POINTER_LIX(p)
INTSTATUS IntKernVirtMemFetchQword(QWORD GuestVirtualAddress, QWORD *Data)
Reads 8 bytes from the guest kernel memory.
INTRO_CPUCTX CpuContext
The context of the CPU that triggered the alert.
__noreturn void IntBugCheck(void)
INTSTATUS IntNotifyIntroEvent(INTRO_EVENT_TYPE EventClass, void *Param, size_t EventSize)
Notifies the integrator about an introspection alert.
static BOOLEAN RemoveEntryList(LIST_ENTRY *Entry)
QWORD Current
The currently used options.
QWORD VirtualAddress
The guest virtual address which was modified.
INTRO_VIOLATION_HEADER Header
The alert header.
INTSTATUS IntLixCredAdd(QWORD CredsGva, LIX_CREDS **Creds)
Adds a cred structure to the integrity-protected credentials list.
#define LIX_FIELD(Structure, Field)
Macro used to access fields inside the LIX_OPAQUE_FIELDS structure.
#define HpFreeAndNullWithTag(Add, Tag)
struct _INTERNAL_CRED INTERNAL_CRED
The beginning of the cred structure as defined by linux kernel.
INTSTATUS IntLixCommitCredsHandle(void *Detour)
Detour handler for "commit_creds" function.
static void InsertTailList(LIST_ENTRY *ListHead, LIST_ENTRY *Entry)
char * gLibPaths[]
Directories where libraries changing credentials should be located.
#define VICTIM_PROCESS_CREDENTIALS
Printable name used for introObjectTypeCreds objects.
static LIST_HEAD gCreds
The list head of the credentials structures protected by introcore.
DWORD KernelMode
TRUE if this process/thread is inside kernel mode.
#define UNREFERENCED_PARAMETER(P)
QWORD Gva
Guest virtual address of the protected cred structure.
WCHAR Name[ALERT_PATH_MAX_LEN]
NULL-terminated string with a human readable description of the modified object.
BOOLEAN Valid
Set to True if the information in the structure is valid, False otherwise.
LIX_CREDS * Creds
The LIX_CREDS reference for the credentials of this process.
enum _INTRO_ACTION INTRO_ACTION
Event actions.
INTSTATUS IntLixTaskGetTrapFrame(const LIX_TASK_OBJECT *Task, LIX_TRAP_FRAME *TrapFrame)
Retrieves the trap frame for a Linux task.
INTRO_WRITE_INFO WriteInfo
static void * gCredMap2
The secondary mapping point of the cred structure.
__must_check INTSTATUS IntVirtMemMap(QWORD Gva, DWORD Length, QWORD Cr3, DWORD Flags, void **HostPtr)
Maps a guest virtual memory range inside Introcore virtual address space.
MM Mm
Guest memory information, such as paging mode, system Cr3 value, etc.
char Comm[LIX_COMM_SIZE]
The short name of the executable.
static void IntLixTaskSendCredViolationEvent(const LIX_TASK_OBJECT *Task)
Sends an EVENT_INTEGRITY_VIOLATION event.
GUEST_STATE gGuest
The current guest state.
EVENT_INTEGRITY_VIOLATION Integrity
struct _EVENT_INTEGRITY_VIOLATION::@302 Originator
INTRO_ACTION Action
The action that was taken as the result of this alert.
QWORD BaseAddress
The guest virtual address at which the monitored integrity region starts.
char * gLibFiles[]
Libraries allowed to change process credentials.
#define LIST_HEAD_INIT(Name)
static INTSTATUS IntLixCredCheckIntegrity(LIX_CREDS *Creds, BOOLEAN Update, BOOLEAN *Valid)
Checks if the credentials have been altered.
INTRO_PROCESS Process
The module to which the current code returns.
LIX_TASK_OBJECT * IntLixTaskFindByGva(QWORD TaskStruct)
Finds the Linux process with the provided "task_struct" guest virtual address.
#define INT_STATUS_INVALID_PARAMETER_1
INTRO_PROCESS CurrentProcess
The current process.
VCPU_STATE * gVcpu
The state of the current VCPU.
The action was blocked because there was no exception for it.
Sent for integrity violation alerts. See EVENT_INTEGRITY_VIOLATION.
static INTSTATUS IntLixCredInitMap(QWORD CredGva)
Maps a cred structure in order to calculate the checksum in a faster manner.
static void IntLixCredUninitMap(void)
Unmaps the cred structure previously mapped by IntLixCredInitMap.
LIST_ENTRY Link
Linked list entry.
#define list_for_each(_head, _struct_type, _var)
void IntAlertFillLixProcess(const LIX_TASK_OBJECT *Task, INTRO_PROCESS *EventProcess)
Saves information about a Linux process inside an event.
#define INT_STATUS_INVALID_PARAMETER_2
INTRO_PROT_OPTIONS CoreOptions
The activation and protection options for this guest.
static INTSTATUS IntLixCredCalculateChecksum(QWORD CredGva, DWORD *Checksum)
Calculates the CRC32 checksum for a cred structure.
#define INT_STATUS_INVALID_DATA_SIZE
QWORD File
The Gva of the file this VMA maps to. Can be 0 which means this VMA is not a memory mapped file...
INTSTATUS IntLixFileGetPath(QWORD FileStructGva, char **Path, DWORD *Length)
Gets the path that corresponds to the provided FileStructGva (guest virtual address of the 'struct fi...
#define INT_STATUS_INSUFFICIENT_RESOURCES