53 ERROR(
"[ERROR] IntGuestGetIdtFromGla failed: 0x%08x, the write on 0x%016llx (gpa 0x%016llx) " 66 ERROR(
"[ERROR] Failed getting originator: 0x%08x\n", status);
78 ERROR(
"[ERROR] Failed getting zone details: 0x%08x\n", status);
89 memzero(pEptViol,
sizeof(*pEptViol));
120 WARNING(
"[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
165 WARNING(
"[WARNING] Cpu %d has no IDT yet!\n", CpuNumber);
174 ERROR(
"[ERROR] IntHookObjectCreate failed: 0x%08x\n", status);
182 if (CpuNumber == indexCpu)
189 TRACE(
"[HOOK] IDT already hooked -> @ %llx for CPU %d.\n", idtBase, CpuNumber);
195 TRACE(
"[HOOK] Hooking IDT (0x20 entries) for CPU %d @ 0x%016llx\n", CpuNumber, idtBase);
208 ERROR(
"[ERROR] Failed hooking IDT at 0x%016llx for CPU %d: 0x%08x\n", idtBase, CpuNumber, status);
212 TRACE(
"[HOOK] Hooking IDT Int80 for CPU %d @ 0x%016llx\n", CpuNumber, idtBase +
IDT_DESC_SIZE64 * 0x80);
225 ERROR(
"[ERROR] Failed hooking entry 80 of IDT at 0x%016llx for CPU %d: 0x%08x\n", idtBase, CpuNumber, status);
277 ERROR(
"[ERROR] Failed removing idt hook object: 0x%08x\n", status);
Measures kernel-mode exception checks.
enum _INTRO_ACTION_REASON INTRO_ACTION_REASON
The reason for which an INTRO_ACTION was taken.
INTRO_CODEBLOCKS CodeBlocks
Code blocks extracted for the alert.
INTSTATUS IntIdtFindBase(DWORD CpuNumber, QWORD *Base, WORD *Limit)
Returns the IDT base and limit for a guest CPU.
QWORD IntAlertCoreGetFlags(QWORD ProtectionFlag, INTRO_ACTION_REASON Reason)
Returns the flags for an alert.
An internal error occurred (no memory, pages not present, etc.).
BOOLEAN IntPolicyCoreForceBetaIfNeeded(QWORD Flag, INTRO_ACTION *Action)
Checks if a forced action should be taken even if the log-only mode is active.
INTSTATUS IntHookObjectDestroy(HOOK_OBJECT_DESCRIPTOR **Object, DWORD Flags)
Destroy an entire hook object. All regions belonging to this object will be removed.
IG_ARCH_REGS Regs
The current state of the guest registers.
DWORD Index
The VCPU number.
MITRE_ID MitreID
The Mitre ID that corresponds to this attack.
#define INT_STATUS_SUCCESS
BOOLEAN IntPolicyCoreTakeAction(QWORD Flag, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason)
Returns the action that should be taken for a core introspection option.
WORD IdtLimit
The current IDT limit.
#define INT_SUCCESS(Status)
QWORD Flags
A combination of ALERT_FLAG_* values describing the alert.
void * IdtHookObject
The EPT hook object used to protect the IDT.
INTSTATUS IntLixIdtUnprotectAll(void)
Disable protection for IDT on all CPUs.
#define INT_STATUS_NOT_NEEDED_HINT
KERNEL_DRIVER * Driver
The driver that's modifying the memory.
struct _EVENT_EPT_VIOLATION::@283 Originator
int INTSTATUS
The status data type.
Describes a kernel-mode originator.
PVCPU_STATE VcpuArray
Array of the VCPUs assigned to this guest. The index in this array matches the VCPU number...
#define INTRO_OPT_PROT_KM_IDT
void IntAlertFillCpuContext(BOOLEAN CopyInstruction, INTRO_CPUCTX *CpuContext)
Fills the current CPU context for an alert.
struct _EXCEPTION_KM_ORIGINATOR::@63 Return
void IntAlertFillVersionInfo(INTRO_VIOLATION_HEADER *Header)
Fills version information for an alert.
INTRO_VIOLATION_HEADER Header
The alert header.
INTRO_ACTION_REASON Reason
The reason for which Action was taken.
INTSTATUS IntAlertFillCodeBlocks(QWORD Rip, QWORD Cr3, BOOLEAN Execute, INTRO_CODEBLOCKS *CodeBlocks)
Fills the code blocks pattern for an alert.
GENERIC_ALERT gAlert
Global alert buffer.
void IntAlertFillLixKmModule(const KERNEL_DRIVER *Driver, INTRO_MODULE *EventModule)
Saves information about a kernel module inside an alert.
void IntAlertEptFillFromVictimZone(const EXCEPTION_VICTIM_ZONE *Victim, EVENT_EPT_VIOLATION *EptViolation)
Fills the victim information inside an EPT alert.
#define INT_STATUS_NOT_INITIALIZED
INTRO_CPUCTX CpuContext
The context of the CPU that triggered the alert.
INTSTATUS IntNotifyIntroEvent(INTRO_EVENT_TYPE EventClass, void *Param, size_t EventSize)
Notifies the integrator about an introspection alert.
INTSTATUS IntExceptGetVictimEpt(void *Context, QWORD Gpa, QWORD Gva, INTRO_OBJECT_TYPE Type, DWORD ZoneFlags, EXCEPTION_VICTIM_ZONE *Victim)
Fills an EXCEPTION_VICTIM_ZONE with relevant information from an EPT violation.
QWORD IdtBase
Original IDT base.
#define INT_STATUS_INVALID_PARAMETER_4
QWORD Gpa
The accessed guest physical address. Valid only for EPT exits.
INTRO_EXEC_CONTEXT ExecContext
Information about the instruction that triggered the alert.
INTSTATUS IntLixIdtProtectAll(void)
Activates protection for IDT on all CPUs.
INTSTATUS IntGuestGetIdtFromGla(QWORD Address, QWORD *IdtBase, QWORD *IdtLimit)
Checks if an address is inside one of the guest's IDTs.
Sent when an EPT violation triggers an alert. See EVENT_EPT_VIOLATION.
#define IDT_DESC_SIZE64
The size of a 64-bit interrupt descriptor.
DWORD CpuCount
The number of logical CPUs.
Describes the modified zone.
#define UNREFERENCED_PARAMETER(P)
static INTSTATUS IntLixIdtWriteHandler(void *Context, void *Hook, QWORD Address, INTRO_ACTION *Action)
Called when a write occurs on the protected IDT descriptors.
enum _INTRO_ACTION INTRO_ACTION
Event actions.
QWORD Rip
The RIP from which the call to the exported function was made.
GUEST_STATE gGuest
The current guest state.
INTSTATUS IntLixIdtProtectOnCpu(DWORD CpuNumber)
Activates protection for the provided CPU's IDT.
struct _EXCEPTION_KM_ORIGINATOR::@64 Original
INTRO_ACTION Action
The action that was taken as the result of this alert.
INTSTATUS IntHookObjectHookRegion(void *Object, QWORD Cr3, QWORD Gla, SIZE_T Length, BYTE Type, void *Callback, void *Context, DWORD Flags, HOOK_REGION_DESCRIPTOR **Region)
Hook a contiguous region of virtual memory inside the provided virtual address space.
INTRO_PROCESS CurrentProcess
The current process.
VCPU_STATE * gVcpu
The state of the current VCPU.
The action was blocked because there was no exception for it.
INTRO_MODULE Module
The module that performed the malicious access.
Event structure for EPT violations.
void IntAlertFillLixCurrentProcess(INTRO_PROCESS *EventProcess)
Saves the current Linux process inside an event.
INTSTATUS IntExceptKernelGetOriginator(EXCEPTION_KM_ORIGINATOR *Originator, DWORD Options)
Retrieves the information about the kernel-mode originator.
INTSTATUS IntAlertFillExecContext(QWORD Cr3, INTRO_EXEC_CONTEXT *ExecContext)
Fills the current execution context.
#define ZONE_WRITE
Used for write violation.
QWORD Gla
The accessed guest virtual address. Valid only for EPT exits.
INTSTATUS IntHookObjectCreate(DWORD ObjectType, QWORD Cr3, void **Object)
Create a new hook object.
void IntExcept(EXCEPTION_VICTIM_ZONE *Victim, void *Originator, EXCEPTION_TYPE Type, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason, INTRO_EVENT_TYPE EventClass)
This function is the entry point for the exception mechanism.
INTRO_MODULE ReturnModule
The module to which the current code returns.