18 #define LIX_VMA_VDSO_FLAGS (VM_READ | VM_EXEC | VM_DONTEXPAND | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC) 23 #define LIX_VMA_PROT_MASK BIT(63) 28 #define LIX_VMA_IS_VDSO(Vma) (((((Vma)->Flags & LIX_VMA_VDSO_FLAGS) == LIX_VMA_VDSO_FLAGS) && (0 == (Vma)->File) && (IntLixVmaGetPageCount(Vma) <= 2))) 33 #define LIX_VMA_MAX_GUEST (10 * 4096) 38 #define for_each_vad(Process, _var_name) list_for_each((Process)->Vmas, LIX_VMA, _var_name) 62 if (Vma->Start >= Vma->End)
64 ERROR(
"[ERROR] Invalid VMA [%llx - %llx]\n", Vma->Start, Vma->End);
71 return (Vma->End - Vma->Start) /
PAGE_SIZE;
124 startGva < gLixGuest->Layout.DataEnd;
133 ERROR(
"[ERROR] IntVirtMemMap failed for 0x%016llx: 0x%08x\n", startGva, status);
139 QWORD pgd, next, prev;
140 QWORD startCode, endCode, startData, endData;
149 ERROR(
"[ERROR] IntKernVirtMemFetchQword failed for 0x%016llx: 0x%08x\n",
172 ERROR(
"[ERROR] IntKernVirtMemFetchQword failed for 0x%016llx: 0x%08x\n",
173 mm +
LIX_FIELD(MmStruct, MmList), status);
180 ERROR(
"[ERROR] IntVirtMemFetchQword failed for 0x%016llx: 0x%08x\n",
181 mm +
LIX_FIELD(MmStruct, MmList) + 8, status);
193 prev == 0xffffffffffffffff || next == 0xffffffffffffffff)
198 if (prev != mm +
LIX_FIELD(MmStruct, MmList) + 8)
208 if (prevNext != mm +
LIX_FIELD(MmStruct, MmList))
214 if (next != mm +
LIX_FIELD(MmStruct, MmList))
224 if (nextPrev != mm +
LIX_FIELD(MmStruct, MmList))
231 if (offset +
LIX_FIELD(MmStruct, StartCode) >= PAGE_SIZE)
236 ERROR(
"[ERROR] IntKernVirtMemFetchQword failed for 0x%016llx: 0x%08x\n",
237 mm +
LIX_FIELD(MmStruct, StartCode), status);
243 startCode = *(
QWORD *)(p + offset +
LIX_FIELD(MmStruct, StartCode));
257 ERROR(
"[ERROR] IntKernVirtMemFetchQword failed for 0x%016llx: 0x%08x\n",
258 mm +
LIX_FIELD(MmStruct, EndCode), status);
278 ERROR(
"[ERROR] IntKernVirtMemFetchQword failed for 0x%016llx: 0x%08x\n",
279 mm +
LIX_FIELD(MmStruct, StartData), status);
285 startData = *(
QWORD *)(p + offset +
LIX_FIELD(MmStruct, StartData));
299 ERROR(
"[ERROR] IntKernVirtMemFetchQword failed for 0x%016llx: 0x%08x\n",
300 mm +
LIX_FIELD(MmStruct, StartData), status);
306 startData = *(
QWORD *)(p + offset +
LIX_FIELD(MmStruct, StartData));
320 ERROR(
"[ERROR] IntKernVirtMemFetchQword failed for 0x%016llx: 0x%08x\n",
321 mm +
LIX_FIELD(MmStruct, EndData), status);
337 TRACE(
"[LIXMM] Found init_mm @ 0x%016llx\n", mm);
396 ERROR(
"[ERROR] IntKernVirtMemFetchQword failed for 0x%llx: 0x%08x\n", MmGva +
LIX_FIELD(MmStruct, Vma), status);
408 ERROR(
"[ERROR] IntLixFsrInitMap failed for vma 0x%llx: 0x%08x\n", currentVma, status);
415 ERROR(
"[ERROR] Failed to read from vma 0x%llx at offset 0x%x. Status: 0x%08x\n",
416 currentVma,
LIX_FIELD(Vma, VmaEnd), status);
423 ERROR(
"[ERROR] Failed to read from vma 0x%llx at offset 0x%x. Status: 0x%08x\n",
424 currentVma,
LIX_FIELD(Vma, VmaStart), status);
431 *VmaGva = currentVma;
438 status =
IntLixFsrRead(currentVma, offset,
sizeof(nextVma), &nextVma);
441 ERROR(
"[ERROR] Failed to read next vma from 0x%llx at offset 0x%x. Status: 0x%08x\n",
442 currentVma, offset, status);
449 currentVma = nextVma;
494 QWORD vmaStart, vmaEnd;
495 QWORD maxIterations = 64;
497 vmaStart = vmaEnd = rbGva = 0;
502 ERROR(
"[ERROR] Failed to read rb_node for mm 0x%llx. Status: 0x%08x\n", MmGva, status);
508 if (!maxIterations--)
510 ERROR(
"[ERROR] Max iterations limit reached!\n");
519 ERROR(
"[ERROR] Failed to map vma 0x%llx. Status: 0x%08x\n", vmaGva, status);
526 ERROR(
"[ERROR] Failed to read from vma 0x%llx at offset 0x%x. Status: 0x%08x\n",
535 ERROR(
"[ERROR] Failed to read from vma 0x%llx at offset 0x%x. Status: 0x%08x\n",
541 if (vmaEnd > Address)
546 ERROR(
"[ERROR] Failed to read from vma 0x%llx at offset 0x%x. Status: 0x%08x\n",
547 vmaGva,
LIX_FIELD(Vma, VmaStart), status);
551 if (vmaStart <= Address)
617 WARNING(
"[WARNING] Failed to find addr 0x%llx in rbtree for task %s (%d, 0x%llx), mm 0x%llx. Status: 0x%08x\n",
618 Address, Task->Comm, Task->Pid, Task->Gva, Task->MmGva, status);
629 ERROR(
"[ERROR] Failed to find addr in linked list\n");
671 if (NULL == VmaStart)
681 *VmaStart = *VmaEnd = 0;
686 ERROR(
"[ERROR] IntLixMmFetchVma failed for task %s(%d, 0x%llx) gva 0x%llx, mm 0x%llx. Status: 0x%08x\n",
687 Task->Comm, Task->Pid, Task->Gva, Gva, Task->MmGva, status);
691 *VmaStart = vad.
Start;
715 if (Address >= pVma->Start && Address < pVma->End)
742 if (Vma == pVma->Gva)
775 ERROR(
"[ERROR] IntLixFsrInitMap failed for vma %llx: 0x%08x\n", VmaGva, status);
784 ERROR(
"[ERROR] Failed reading vm_area_struct->vm_start: %08x\n", status);
791 ERROR(
"[ERROR] Failed reading vm_area_struct->vm_end: %08x\n", status);
798 ERROR(
"[ERROR] Failed reading vm_area_struct->vm_flags: %08x\n", status);
805 ERROR(
"[ERROR] Failed reading vm_area_struct->vm_file: %08x\n", status);
809 Vma->Process = Process;
887 if (pVma->Gva == Vma)
917 QWORD newFlags = 0, oldFlags = 0;
922 ERROR(
"[ERROR] IntKernVirtMemFetchQword IntVirtMemFetchQwordUnmapV GVA 0x%016llx: %08x\n",
923 Vma->Gva +
LIX_FIELD(Vma, Flags), status);
936 if (oldFlags == newFlags)
945 ERROR(
"[ERROR] IntKernVirtMemPatchQword failed for GVA 0x%016llx: %08x\n",
946 Vma->Gva +
LIX_FIELD(Vma, Flags), status);
976 ERROR(
"[ERROR] IntHookObjectRemoveRegion failed: %08x\n", status);
985 ERROR(
"[ERROR] IntVmaMarkProtection failed: %08x\n", status);
1081 BOOLEAN detected, feedback, excepted;
1091 detected = excepted = feedback =
FALSE;
1101 if (NULL != entryPendingUD)
1103 goto _retry_inject_ud;
1111 bIsStack = ((rip >= pStackVma->
Start) && (rip < pStackVma->End));
1122 if (bRspOut || bIsStack)
1127 else if (0 != scflags)
1151 ERROR(
"[ERROR] Failed to get user mode stack for process %s (%d, 0x%llx). Status: 0x%08x\n",
1152 pTask->
Comm, pTask->
Pid, pTask->
Gva, status);
1155 executionInfo.
Rsp = regs->
Rsp;
1156 executionInfo.
Length = instrux->Length;
1161 WARNING(
"[WARNING] IntLixEngExecSendNotification failed: 0x%08x\n", status2);
1170 ERROR(
"[ERROR] Failed getting originator: 0x%08x\n", status);
1171 goto _send_notification;
1182 ERROR(
"[ERROR] Failed getting modified zone: 0x%08x\n", status);
1183 goto _send_notification;
1200 if (detected && (!excepted))
1203 char text[ND_MIN_BUF_SIZE] = { 0 };
1205 status = NdToText(instrux, rip, ND_MIN_BUF_SIZE, text);
1208 ERROR(
"[ERROR] NdToText failed: 0x%08x\n", status);
1209 snprintf(text,
sizeof(text),
"<invalid>");
1212 LOG(
"[VMANX] [CPU %d] EXPLOIT detected! Execution attempted at 0x%016llx! Instruction: %s\n",
1215 LOG(
"[VMANX] Current address: %llx, current stack: %llx, known stack: %llx/%llx\n",
1216 rip, regs->
Rsp, pStackVma ? pStackVma->
End : 0, pStackVma ? pStackVma->
Start : 0);
1222 memset(pEptViol, 0,
sizeof(*pEptViol));
1241 WARNING(
"[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
1247 ERROR(
"[ERROR] IntLixNetSendTaskConnections failed: %08x\n", status);
1268 ERROR(
"[ERROR] IntLixVmaRemoveProtection failed for vad [%llx - %llx]: %08x\n",
1281 NULL != entryPendingUD)
1288 if (entryPendingUD != NULL &&
gVcpu->
CurrentUD == entryPendingUD)
1296 ERROR(
"[ERROR] IntInjectExceptionInGuest failed, process will not be killed: %08x\n", status2);
1300 if (NULL == entryPendingUD)
1306 ERROR(
"[ERROR] IntVadAddToPendingUDList failed: %08x\n", status);
1339 if (0 == (Vma->End - Vma->Start))
1341 WARNING(
"[WARNING] Vma %llx [%llx - %llx] can't be protected!\n", Vma->Gva, Vma->Start, Vma->End);
1353 LOG(
"[ERROR] [VMA] Special case when protecting an already protected vad [%llx - %llx]\n",
1354 Vma->Start, Vma->End);
1359 ERROR(
"[ERROR] IntLixVmaRemoveProtection failed for vad [%llx - %llx]: %08x\n",
1360 Vma->Start, Vma->End, status);
1366 WARNING(
"[WARNING] Big vad [%llx - %llx] (%ld pages) in process '%s' (%d)\n",
1368 goto _mark_protection;
1374 Vma->End - Vma->Start,
1382 ERROR(
"[ERROR] IntHookObjectHookRegion failed for [%llx - %llx]: %08x\n",
1383 Vma->Start, Vma->End, status);
1391 ERROR(
"[ERROR] IntVmaMarkProtection failed: %08x\n", status);
1420 DWORD maxIterations;
1425 ERROR(
"[ERROR] IntKernVirtMemFetchQword failed for %llx: 0x%08x\n", Process->MmGva, status);
1436 ERROR(
"[ERROR] IntKernVirtMemFetchQword failed for %llx: 0x%08x\n", Process->MmGva, status);
1440 currentVma = prevVma;
1463 ERROR(
"[ERROR] IntLixVmaFill failed for vma %llx: %08x\n", currentVma, status);
1472 shouldProtect =
FALSE;
1480 ERROR(
"[ERROR] IntLixVmaCreate failed for vma %llx: %08x\n", currentVma, status);
1487 ERROR(
"[ERROR] IntLixVmaProtect failed for vad [%llx - %llx] flags %08llx, 0x%016llx: %08x\n",
1497 ERROR(
"[ERROR] IntKernVirtMemFetchQword failed for vma %llx: %08x\n", currentVma, status);
1501 currentVma = nextVma;
1534 ERROR(
"[ERROR] IntLixMmPopulateVmasInternal failed for forward parsing: %08x\n", status);
1535 goto _free_and_exit;
1541 ERROR(
"[ERROR] IntLixMmPopulateVmasInternal failed for backward parsing: %08x\n", status);
1542 goto _free_and_exit;
1574 DWORD maxIterations;
1579 ERROR(
"[ERROR] IntKernVirtMemFetchQword failed for %llx: 0x%08x\n", Mm +
LIX_FIELD(MmStruct, Vma), status);
1590 ERROR(
"[ERROR] IntKernVirtMemFetchQword failed for %llx: 0x%08x\n", Mm, status);
1594 currentVma = prevVma;
1612 char *fileName = NULL;
1617 ERROR(
"[ERROR] IntLixVmaFill failed for vma 0x%016llx: %08x\n", currentVma, status);
1627 LOG(
" [%016llx -> %016llx] : %08llx @ 0x%016llx Hooked=%d (%c%c%c) => %06ld pages '%s'\n",
1635 DWORD presentPages = 0;
1659 ERROR(
"[ERROR] IntKernVirtMemFetchQword failed for vma %llx: %08x\n", currentVma, status);
1663 currentVma = nextVma;
1730 ERROR(
"[ERROR] IntLixVmaCreate failed: %08x\n", status);
1744 ERROR(
"[ERROR] IntLixVmaProtect failed: 0x%08x\n", status);
1789 ERROR(
"[ERROR] IntKernVirtMemFetchQword failed: 0x%08x\n", status);
1801 newlyCreated =
TRUE;
1806 ERROR(
"[ERROR] IntLixVmaCreate failed for vma %llx: %08x\n", vma, status);
1813 if (newlyCreated || (newFlags != pVma->
Flags))
1818 ERROR(
"[ERROR] IntLixVmaProtect failed for vad [%llx - %llx] flags %08llx, 0x%016llx: %08x\n",
1835 pVma->
Flags = newFlags;
1867 ERROR(
"[ERROR] IntLixVmaRemoveProtection failed for vad [%llx - %llx]: %08x\n",
1868 AdjustedVma->Start, AdjustedVma->End, status);
1875 ERROR(
"[ERROR] IntLixVmaProtect failed: 0x%08x\n", status);
1886 ERROR(
"[ERROR] IntLixVmaCreate failed: 0x%08x\n", status);
1893 ERROR(
"[ERROR] IntLixVmaProtect failed: 0x%08x\n", status);
1933 ERROR(
"[ERROR] IntKernVirtMemFetchQword failed for vma %llx: %08x\n", vma, status);
1949 if (address < pVma->Start)
1953 pVma->
Start = address;
1958 ERROR(
"[ERROR] IntLixVmaIntervalChanged failed for vad [%llx/%llx - %llx/%llx] flags %08llx, 0x%016llx: %08x\n",
1986 QWORD oldStart, oldEnd;
1989 if (NULL == Task || 0 == Vma)
2000 oldStart = pVma->
Start;
2007 ERROR(
"[ERROR] IntLixFsrInitMap failed for Vma 0x%llx: 0x%08x\n", pVma->
Gva, status);
2014 ERROR(
"[ERROR] Failed to read from Vma 0x%llx at offset 0x%x. Status: 0x%08x\n",
2023 ERROR(
"[ERROR] Failed to read from Vma 0x%llx at offset 0x%x. Status: 0x%08x\n",
2029 if (oldStart != pVma->
Start || oldEnd != pVma->
End)
2034 ERROR(
"[ERROR] IntLixVmaIntervalChanged failed for vad [%llx/%llx - %llx/%llx] flags %08llx, 0x%016llx: %08x\n",
2088 ERROR(
"[ERROR] IntLixVmaAdjustInternal failed for vma 0x%llx (mm gva: 0x%llx) from task %s (%d 0x%llx). Status: 0x%08x\n",
2095 ERROR(
"[ERROR] IntLixVmaAdjustInternal failed for vma 0x%llx (mm gva: 0x%llx) from task %s (%d 0x%llx). Status: 0x%08x\n",
2102 ERROR(
"[ERROR] IntLixVmaAdjustInternal failed for vma 0x%llx (mm gva: 0x%llx) from task %s (%d 0x%llx). Status: 0x%08x\n",
INTSTATUS IntLixFsrRead(QWORD Gva, DWORD Offset, DWORD Size, void *Buffer)
Performs a read from a previously mapped guest virtual address.
enum _INTRO_ACTION_REASON INTRO_ACTION_REASON
The reason for which an INTRO_ACTION was taken.
LIX_VMA * IntLixMmFindVmaByRange(const LIX_TASK_OBJECT *Process, QWORD Address)
Finds if a memory address inside a process is being protected and returns the corresponding LIX_VMA s...
INTSTATUS IntVirtMemUnmap(void **HostPtr)
Unmaps a memory range previously mapped with IntVirtMemMap.
INTSTATUS IntLixVmaCreate(QWORD VmaGva, LIX_TASK_OBJECT *Process, LIX_VMA **Vma)
Creates a LIX_VMA object.
void IntLixMmDestroyVmas(LIX_TASK_OBJECT *Task)
Remove protection for the VMAs belonging to a process.
IG_ARCH_REGS Regs
The current state of the guest registers.
DWORD Index
The VCPU number.
MITRE_ID MitreID
The Mitre ID that corresponds to this attack.
QWORD SystemCr3
The Cr3 used to map the kernel.
static void IntLixMmListVmasInternal(QWORD Mm, LIX_TASK_OBJECT *Process, BOOLEAN Backward)
Logs all VMAs from a mm_struct.
#define INT_STATUS_SUCCESS
DWORD MustKill
Will kill the process with the first occasion.
User-mode non executable zone.
INTSTATUS IntLixVmaExpandDownwards(void *Detour)
Detour handler for "expand_downwards" function.
QWORD Gva
The guest virtual address of the task_struct.
QWORD Feedback
Options that will be forced to feedback only mode.
#define INT_SUCCESS(Status)
INTSTATUS IntLixNetSendTaskConnections(LIX_TASK_OBJECT *Task)
Logs and sends to the integrator all connections opened by a Linux proces..
QWORD Flags
A combination of ALERT_FLAG_* values describing the alert.
INFO_UD_PENDING * IntUDGetEntry(const QWORD Cr3, const QWORD Rip, const QWORD Thread)
Get a UD entry for the provided Cr3, Rip and Thread ID.
#define INT_STATUS_NOT_NEEDED_HINT
static INTSTATUS IntLixVmaProtect(LIX_VMA *Vma)
Activates protection for a VMA.
Describes a user-mode originator.
LIX_VMA * IntLixMmFindVma(LIX_TASK_OBJECT *Task, QWORD Vma)
Finds a protected VMA inside a process VMA list.
INTSTATUS IntShcIsSuspiciousCode(QWORD Gva, QWORD Gpa, DWORD CsType, IG_ARCH_REGS *Registers, QWORD *ShellcodeFlags)
Checks if the code located at the given guest virtual address is suspicious or not.
#define HpAllocWithTag(Len, Tag)
int INTSTATUS
The status data type.
QWORD CodeEnd
The guest virtual address where the code ends.
QWORD CodeStart
The guest virtual address where the code starts.
#define INT_STATUS_NOT_FOUND
INTSTATUS IntInjectExceptionInGuest(BYTE Vector, QWORD Cr2, DWORD ErrorCode, DWORD CpuNumber)
Injects an exception inside the guest.
static INTSTATUS IntLixVmaFill(QWORD VmaGva, LIX_TASK_OBJECT *Process, LIX_VMA *Vma)
Retrieves in-guest information about a VMA and stores them in a LIX_VMA structure.
INTSTATUS IntLixVmaRemove(void *Detour)
Detour handler for functions that unmap memory for processes.
INTSTATUS IntDumpCodeAndRegs(QWORD Gva, QWORD Gpa, IG_ARCH_REGS *Registers)
This function dumps an entire page (textual disassembly and opcodes) as well as the values of the reg...
void IntAlertFillCpuContext(BOOLEAN CopyInstruction, INTRO_CPUCTX *CpuContext)
Fills the current CPU context for an alert.
INSTRUX Instruction
The current instruction, pointed by the guest RIP.
QWORD Start
Start of the memory described by the VMA.
void IntAlertFillVersionInfo(INTRO_VIOLATION_HEADER *Header)
Fills version information for an alert.
INTSTATUS IntLixEngExecSendNotification(LIX_TASK_OBJECT *Task, PIG_ARCH_REGS Registers, PINTRO_EXEC_INFO ExecInfo)
Notify the scan engines about a possible malicious code execution in a Linux guest.
QWORD IntAlertProcGetFlags(QWORD ProtectionFlag, const void *Process, INTRO_ACTION_REASON Reason, QWORD AdditionalFlags)
Returns the flags for an alert.
INTRO_VIOLATION_HEADER Header
The alert header.
INTRO_ACTION_REASON Reason
The reason for which Action was taken.
Exposes the functions used to schedule an asynchronous code execution scan and receives its result...
LIX_TASK_OBJECT * IntLixTaskFindByMm(QWORD MmGva)
Finds the Linux process having the provided mm guest virtual address.
static INTSTATUS IntLixMmPopulateVmasInternal(LIX_TASK_OBJECT *Process, BOOLEAN Backward)
Iterate the VMA linked list of a process in the given direction and protect the executable ones...
GENERIC_ALERT gAlert
Global alert buffer.
static INTSTATUS IntLixVmaHandlePageExecution(void *Context, void *Hook, QWORD Address, INTRO_ACTION *Action)
Linux user mode page execution handler.
QWORD DataStart
The guest virtual address where the data starts.
INTSTATUS IntLixMmGetInitMm(QWORD *InitMm)
Find the address of the "init_mm" variable inside the kernel.
void IntAlertEptFillFromVictimZone(const EXCEPTION_VICTIM_ZONE *Victim, EVENT_EPT_VIOLATION *EptViolation)
Fills the victim information inside an EPT alert.
#define IS_KERNEL_POINTER_LIX(p)
INTSTATUS IntKernVirtMemFetchQword(QWORD GuestVirtualAddress, QWORD *Data)
Reads 8 bytes from the guest kernel memory.
INTSTATUS IntLixVmaChangeProtection(void *Detour)
Detour handler for "change_protection" function.
struct _LINUX_GUEST::@126 Layout
INTRO_CPUCTX CpuContext
The context of the CPU that triggered the alert.
#define LIX_VMA_IS_VDSO(Vma)
Checks if a Vma is a vDSO mapping.
INTSTATUS IntLixMmFindVmaRange(QWORD Gva, LIX_TASK_OBJECT *Task, QWORD *VmaStart, QWORD *VmaEnd)
Finds the VMA limits that contain an address.
INTSTATUS IntNotifyIntroEvent(INTRO_EVENT_TYPE EventClass, void *Param, size_t EventSize)
Notifies the integrator about an introspection alert.
static BOOLEAN RemoveEntryList(LIST_ENTRY *Entry)
#define ZONE_EXECUTE
Used for execute violation.
#define IN_RANGE(x, start, end)
QWORD End
End of the memory described by the VMA.
static LIX_VMA * IntLixVmaFindByGva(const LIX_TASK_OBJECT *Process, QWORD Vma)
Finds if a VMA is being protected and returns the corresponding LIX_VMA structure.
INTSTATUS IntExceptGetVictimEpt(void *Context, QWORD Gpa, QWORD Gva, INTRO_OBJECT_TYPE Type, DWORD ZoneFlags, EXCEPTION_VICTIM_ZONE *Victim)
Fills an EXCEPTION_VICTIM_ZONE with relevant information from an EPT violation.
QWORD Current
The currently used options.
INTSTATUS IntLixMmFetchVma(LIX_TASK_OBJECT *Task, QWORD Address, LIX_VMA *Vma)
Retrieve information about a VMA structure containing a user mode address.
static void IntLixVmaDestroy(LIX_VMA *Vma)
Destroys a LIX_VMA object.
#define for_each_vad(Process, _var_name)
Iterator for the process VMAs.
INTSTATUS IntTranslateVirtualAddress(QWORD Gva, QWORD Cr3, QWORD *PhysicalAddress)
Translates a guest virtual address to a guest physical address.
#define INT_STATUS_INVALID_PARAMETER_4
#define PROC_OPT_KILL_ON_EXPLOIT
QWORD Gpa
The accessed guest physical address. Valid only for EPT exits.
#define LIX_FIELD(Structure, Field)
Macro used to access fields inside the LIX_OPAQUE_FIELDS structure.
#define HpFreeAndNullWithTag(Add, Tag)
INFO_UD_PENDING * CurrentUD
The currently pending #UD injection on this CPU.
QWORD StackLimit
The stack limit for the thread that attempted the execution.
static void InsertTailList(LIST_ENTRY *ListHead, LIST_ENTRY *Entry)
INTSTATUS IntLixFsrInitMap(QWORD Gva)
Initialize the fast read mechanism.
INTRO_EXEC_CONTEXT ExecContext
Information about the instruction that triggered the alert.
Sent when an EPT violation triggers an alert. See EVENT_EPT_VIOLATION.
static void InitializeListHead(LIST_ENTRY *ListHead)
Describes the modified zone.
void * Hook
The EPT hook placed on the VMA when it is being protected.
#define UNREFERENCED_PARAMETER(P)
INTSTATUS IntHookObjectRemoveRegion(HOOK_REGION_DESCRIPTOR **Region, DWORD Flags)
Remove a hooked region of memory.
#define PROC_OPT_PROT_EXPLOIT
Blocks malicious execution attempts.
QWORD Flags
Flags for the VMA.
INTSTATUS IntLixMmFindVmaInRbTree(QWORD MmGva, QWORD Address, QWORD *VmaGva)
Finds the GVA of the VMA which contains a user memory address traversing the VMA rb tree of the mm_st...
static INTSTATUS IntLixVmaAdjustInternal(LIX_TASK_OBJECT *Task, QWORD Vma)
Checks if the VMA limits have changed and updates the protected memory range.
LIX_TASK_OBJECT * Process
Process owning the VMA.
QWORD DataEnd
The guest virtual address where the data ends.
enum _INTRO_ACTION INTRO_ACTION
Event actions.
BOOLEAN IntPolicyProcForceBetaIfNeeded(QWORD Flag, void *Process, INTRO_ACTION *Action)
Checks if a forced action should be taken even if the process log-only mode is active.
#define INT_STATUS_INVALID_OBJECT_TYPE
INTSTATUS IntLixTaskGetUserStack(LIX_TASK_OBJECT *Task, QWORD *StackPointer, QWORD *StackBase, QWORD *StackLimit)
Finds the user mode stack limits for a Linux process.
The action was allowed, but it has the BETA flag (Introcore is in log-only mode). ...
QWORD Gva
The guest virtual address of the vm_area_struct this structure is based on.
INTSTATUS IntLixGetFileName(QWORD FileStruct, char **FileName, DWORD *NameLength, QWORD *DentryGva)
Gets the file-name that corresponds to the provided FileStruct (guest virtual address).
__must_check INTSTATUS IntVirtMemMap(QWORD Gva, DWORD Length, QWORD Cr3, DWORD Flags, void **HostPtr)
Maps a guest virtual memory range inside Introcore virtual address space.
MM Mm
Guest memory information, such as paging mode, system Cr3 value, etc.
char Comm[LIX_COMM_SIZE]
The short name of the executable.
INTSTATUS IntLixVmaInsert(void *Detour)
Detour handler for "__vma_link_rb" function.
GUEST_STATE gGuest
The current guest state.
QWORD MmGva
The guest virtual address of the "mm_struct".
void IntLixFsrUninitMap(void)
Uninitialize the fast read mechanism.
TIMER_FRIENDLY void IntDumpGva(QWORD Gva, DWORD Length, QWORD Cr3)
This function is a wrapper over IntDumpGvaEx (it uses RowLength = 16, ElementLength = 1...
static INTSTATUS IntLixVmaIntervalChanged(LIX_VMA *AdjustedVma, QWORD InsertVma)
Simply re-apply the protection for the given vma.
QWORD Rsp
The value of the guest RSP register at the moment of execution.
INTRO_PROT_OPTIONS ShemuOptions
Flags which describe the way shemu will give detections.
void IntLixMmListVmas(QWORD Mm, LIX_TASK_OBJECT *Process)
INTRO_ACTION Action
The action that was taken as the result of this alert.
struct _LIX_TASK_OBJECT::@136 Protection
Protection specific flags.
INTSTATUS IntUDAddToPendingList(const QWORD Cr3, const QWORD Rip, const QWORD Thread, INFO_UD_PENDING **CurrentPendingUD)
Add a new UD to the list of pending injections.
Holds information about an execution attempt.
INTSTATUS IntHookObjectHookRegion(void *Object, QWORD Cr3, QWORD Gla, SIZE_T Length, BYTE Type, void *Callback, void *Context, DWORD Flags, HOOK_REGION_DESCRIPTOR **Region)
Hook a contiguous region of virtual memory inside the provided virtual address space.
INTSTATUS IntKernVirtMemPatchQword(QWORD GuestVirtualAddress, QWORD Data)
Writes 8 bytes in the guest kernel memory.
INTSTATUS IntExceptUserGetExecOriginator(void *Process, EXCEPTION_UM_ORIGINATOR *Originator)
This function is used to get the originator for heap execution.
static INTSTATUS IntLixVmaRemoveProtection(LIX_VMA *Vma, BOOLEAN Mark)
Removes the protection for a VMA.
QWORD StackBase
The stack base for the thread that attempted the execution.
#define INT_STATUS_INVALID_PARAMETER_1
INTRO_PROCESS CurrentProcess
The current process.
VCPU_STATE * gVcpu
The state of the current VCPU.
static size_t IntLixVmaGetPageCount(const LIX_VMA *Vma)
Calculate the number of pages available inside a VMA.
Event structure for EPT violations.
Exploitation for Client Execution.
DWORD Length
The length of the instruction.
LIST_ENTRY Link
Linked list entry.
QWORD IntKsymFindByName(const char *Name, QWORD *SymEnd)
Searches the given Name in kallsyms and returns the Start & End offset.
#define LIX_VMA_MAX_GUEST
Max VMAs allowed for a process.
void IntAlertFillLixProcess(const LIX_TASK_OBJECT *Task, INTRO_PROCESS *EventProcess)
Saves information about a Linux process inside an event.
INTSTATUS IntLixMmPopulateVmas(LIX_TASK_OBJECT *Task)
Populate the Introcore VMAs linked list by iterating the one inside the guest.
INTSTATUS IntAlertFillExecContext(QWORD Cr3, INTRO_EXEC_CONTEXT *ExecContext)
Fills the current execution context.
#define INT_STATUS_INVALID_PARAMETER_2
INTRO_PROT_OPTIONS CoreOptions
The activation and protection options for this guest.
QWORD Gla
The accessed guest virtual address. Valid only for EPT exits.
#define LIX_VMA_PROT_MASK
The bit in vma.vm_flags used to mark the VMA protection status.
void IntExcept(EXCEPTION_VICTIM_ZONE *Victim, void *Originator, EXCEPTION_TYPE Type, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason, INTRO_EVENT_TYPE EventClass)
This function is the entry point for the exception mechanism.
static INTSTATUS IntVmaMarkProtection(LIX_VMA *Vma, BOOLEAN Protected)
Marks the VMA as either protected or unprotected.
LINUX_GUEST * gLixGuest
Global variable holding the state of a Linux guest.
static INTSTATUS IntLixMmFindVmaInLinkedList(QWORD MmGva, QWORD Address, QWORD *VmaGva, BOOLEAN Backward)
Finds the GVA of the VMA which contains a user memory address by iterating the VMAs linked list of a ...
QWORD File
The Gva of the file this VMA maps to. Can be 0 which means this VMA is not a memory mapped file...
INTSTATUS IntLixVmaAdjust(void *Detour)
Detour handler for in-guest functions adjusting VMA ranges.
#define INTRO_OPT_NOTIFY_ENGINES
Send suspicious pages to be scanned by third party scan engines.
#define INT_STATUS_INSUFFICIENT_RESOURCES
QWORD Mask
The protection flags enabled for this process.
#define INT_STATUS_INVALID_PARAMETER_3
1.8.13