39 #define LIX_MODULE_MAP_START 0xffffffffa0000000 40 #define LIX_MODULE_MAP_END 0xfffffffffeffffff 42 #define LIX_MODULE_MAX_ITERATIONS 4096 65 BYTE *pLixModule = NULL;
87 if (pName[index] <
' ' || pName[index] >
'z')
104 moduleBase = *(
QWORD *)(pLixModule +
LIX_FIELD(Module, ModuleCore));
106 textSize = *(
DWORD *)(pLixModule +
LIX_FIELD(Module, CoreTextSize));
110 moduleBase = *(
QWORD *)(pLixModule +
LIX_FIELD(Module, CoreLayout));
111 coreSize = *(
DWORD *)(pLixModule +
LIX_FIELD(Module, CoreLayout) + 0x08);
112 textSize = *(
DWORD *)(pLixModule +
LIX_FIELD(Module, CoreLayout) + 0x0c);
125 textSize >= coreSize)
131 TRACE(
"[LIXMODULE] Found module '%s' with base 0x%016llx and size %x and text size %x\n",
132 pName, moduleBase, coreSize, textSize);
167 if (!Driver->Lix.Initialized)
169 WARNING(
"[WARNING]_IntLixDrvActivateProtection called but driver %s is not initialized yet!\n",
170 (
char *)Driver->Name);
174 if (Driver->Protected)
176 TRACE(
"[INFO] Driver %s is already protected.", (
char *)Driver->Name);
183 ERROR(
"[ERROR] IntHookObjectCreate failed for driver %s. Protection will be disabled! \n",
184 (
char *)Driver->Name);
188 status =
IntHookObjectHookRegion(Driver->HookObject, 0, Driver->Lix.CoreLayout.Base, Driver->Lix.CoreLayout.RoSize,
192 ERROR(
"[ERROR] IntHookObjectHookRegion failed for Driver->Name -> %s Layout.Base -> 0x%llx " 193 "Layout.RoSize -> 0x%x\n",
194 (
char *)Driver->Name, Driver->Lix.CoreLayout.Base, Driver->Lix.CoreLayout.RoSize);
198 Driver->Protected =
FALSE;
203 Driver->Protected =
TRUE;
206 TRACE(
"[INFO] Driver %s successfully hooked. GVA: 0x%llx Size: 0x%x\n",
207 (
char *)Driver->Name, Driver->Lix.CoreLayout.Base, Driver->Lix.CoreLayout.RoSize);
227 if (!Driver->Protected || (!Driver->HookObject))
235 ERROR(
"[ERROR] IntHookObjectDestroy failed for driver %s", (
char *)Driver->Name);
238 Driver->Protected =
FALSE;
239 Driver->ProtectionFlag = 0;
264 startGva < gLixGuest->Layout.DataEnd;
273 ERROR(
"[ERROR] IntVirtMemMap failed for 0x%016llx: 0x%08x\n", startGva, status);
283 while (parsed < toParse)
286 QWORD current = startGva + parsed *
sizeof(
QWORD);
303 ERROR(
"[ERROR] Failed getting the prev pointer from 0x%016llx: 0x%08x\n",
310 prev = ptr[parsed + 1];
313 if ((prev < LIX_MODULE_MAP_START || prev > LIX_MODULE_MAP_END) && prev != current)
319 if (next == prev && next == current)
356 *Drivers = startGva + parsed *
sizeof(
QWORD);
357 LOG(
"[MODULE] Found the 'modules' list at 0x%016llx\n", *Drivers);
402 if (((OldEntry &
PD_P) && !(NewEntry & PD_P)) || (!(OldEntry &
PD_RW) && (NewEntry & PD_RW)))
412 ERROR(
"[ERROR] IntLixDrvActivateProtection failed for `%s` (0x%llx 0x%08x)\n",
413 (
char *)pDriver->
Name,
424 ERROR(
"[ERROR] IntHookGvaRemoveHook: 0x%08x\n", status);
460 memzero(pEvent,
sizeof(*pEvent));
479 WARNING(
"[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
532 if (pDriver->ObjectGva == DriverGva)
534 WARNING(
"[WARNING] Driver %s (%llx) already exists in our list...\n",
535 (
char *)pDriver->Name, pDriver->ObjectGva);
537 if (!pDriver->Lix.Initialized)
539 ERROR(
"[ERROR] Driver '%s' %llx is not initialized but already in our list...\n",
540 (
char *)pDriver->Name, pDriver->ObjectGva);
550 ERROR(
"[ERROR] IntLixDrvRemoveEntry failed: 0x%08x\n", status);
574 CHAR *pLixMod = NULL;
587 ERROR(
"[ERROR] Failed mapping GVA 0x%016llx: 0x%08x\n", pDriver->
ObjectGva, status);
600 if (NULL == pDriver->
Name)
654 if (pDriver->
Name != NULL)
734 DWORD moduleState = 0;
739 ERROR(
"[ERROR] IntKernVirtMemFetchDword failed for @ 0x%016llx with status: 0x%08x\n",
740 DriverGva +
LIX_FIELD(Module, State), status);
754 LOG(
"[MODULE] Module @ %llx is dying...\n", DriverGva);
762 LOG(
"[MODULE] Module @ %llx still setting up. Will ignore on static init...\n", DriverGva);
768 ERROR(
"[ERROR] Shouldn't reach here. State type %d...\n", moduleState);
777 ERROR(
"[ERROR] IntLixDrvCreateDriverObject failed with status: 0x%08x\n", status);
789 ERROR(
"[ERROR] IntHookGvaSetHook failed for VA 0x%llx with size %08x in module %s: 0x%08x",
791 (
char *)pDriver->
Name, status);
804 TRACE(
"---> EP: 0x%016llx, Size: %llx, TextSize: %x, RoSize: %x\n",
809 TRACE(
"---> Init: 0x%016llx, Size: %x, TextSize: %x, RoSize: %x\n",
849 if (NULL != Driver->Lix.InitSwapHook)
881 if (pDriver->ObjectGva == DriverGva)
885 TRACE(
"[MODULE] Unloaded module %s @ 0x%016llx\n", (
char *)pDriver->Name, pDriver->BaseVa);
894 ERROR(
"[ERROR] IntLixDrvRemoveEntry failed: 0x%08x\n", status);
905 ERROR(
"[ERROR] Driver @ 0x%016llx is not found in internal list! Count: %d. \n", DriverGva,
gModuleIgnore);
933 if (SectionName == NULL)
940 QWORD offset = Gva - Driver->BaseVa;
942 if (offset < Driver->Lix.CoreLayout.TextSize)
944 memcpy(SectionName,
"text",
sizeof(
"text"));
946 else if (offset < Driver->Lix.CoreLayout.RoSize)
948 memcpy(SectionName,
"text_ro",
sizeof(
"text_ro"));
952 memcpy(SectionName,
"text_rw",
sizeof(
"text_rw"));
955 else if (!Driver->Lix.Initialized &&
IN_RANGE(Gva, Driver->Lix.InitLayout.Base, Driver->Lix.InitLayout.Size))
957 QWORD offset = Gva - Driver->Lix.InitLayout.Base;
959 if (offset < Driver->Lix.InitLayout.TextSize)
961 memcpy(SectionName,
"init",
sizeof(
"init"));
963 else if (offset < Driver->Lix.InitLayout.RoSize)
965 memcpy(SectionName,
"init_ro",
sizeof(
"init_ro"));
969 memcpy(SectionName,
"init_rw",
sizeof(
"init_rw"));
974 memcpy(SectionName,
"unknown",
sizeof(
"unknown"));
1006 BYTE patchData[
sizeof(ActivePatch->Data)];
1016 if (ActivePatch == NULL)
1030 if (!
IN_RANGE_LEN(gva, ActivePatch->Gva, ActivePatch->Length))
1032 WARNING(
"[WARNING] IntLixDrvIsLegitimateTextPoke called for 0x%llx which is not in ActivePatch range!\n", gva);
1033 LOG(
"[INFO] Active patch is at 0x%llx and is %d bytes long\n",
1034 ActivePatch->Gva, ActivePatch->Length);
1045 writeSize > ActivePatch->Length ||
1046 writeSize >
sizeof(patchData))
1048 WARNING(
"[WARNING] Invalid patch write at GVA %llx with size %d (rcx: 0x%llx)\n",
1059 WARNING(
"[WARNING] Can't get newValue from instruction: 0x%08x\n", status);
1070 ERROR(
"[ERROR] IntKernVirtMemRead failed for 0x%llx and size %d with status 0x%08x\n",
1075 pWriteBuffer = patchData;
1079 CHAR nd[ND_MIN_BUF_SIZE];
1083 ERROR(
"[ERROR] Instruction %s at RIP %llx is not supported for detour writes...\n", nd,
gVcpu->
Regs.
Rip);
1094 if (delta > writeSize)
1096 ERROR(
"[ERROR] Found a delta greater than the written size (d:%d w:%d).\n", delta, writeSize);
1100 pWriteBuffer += delta;
1105 if (0 != memcmp(pWriteBuffer, ActivePatch->Data + (gva - ActivePatch->Gva), writeSize))
1107 WARNING(
"[WARNING] Invalid patch write at GVA %llx with size %d\n",
1108 ActivePatch->Gva, writeSize);
1146 memzero(pEptViol,
sizeof(*pEptViol));
1175 pEptViol->
ZoneTypes = Victim->ZoneFlags;
1200 WARNING(
"[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
1215 static int state = -1;
1269 if (NULL == Context)
1306 ERROR(
"[ERROR] IntLixDrvHandleTextPoke failed for GPA: 0x%llx, GVA: 0x%llx: 0x%08x\n",
1307 Address, pGvaHook->
GvaPage + (Address & PAGE_OFFSET), status);
1323 informationOnly =
TRUE;
1327 ERROR(
"[ERROR] IntExceptKernelGetOriginator failed with status: 0x%08x\n", status);
1329 informationOnly =
TRUE;
1336 ERROR(
"[ERROR] IntExceptGetVictimEpt failed with status: 0x%08x\n", status);
1338 informationOnly =
TRUE;
1341 if (informationOnly)
1383 QWORD currentDriver = 0;
1384 QWORD moduleList = 0;
1387 if (NULL == Callback)
1397 WARNING(
"[WARNING] No modules found, and init process didn't started...\n");
1401 WARNING(
"[WARNING] No modules found, and there are only 2 processes started...\n");
1412 ERROR(
"[ERROR] Failed finding the module list: 0x%08x\n", status);
1419 ERROR(
"[ERROR] Failed getting the first module from 0x%016llx\n", currentDriver);
1425 currentDriver -=
LIX_FIELD(Module, List);
1427 status = Callback(currentDriver, Aux);
1436 ERROR(
"[ERROR] Failed getting the next module from 0x%016llx\n",
1437 currentDriver +
LIX_FIELD(Module, List));
1463 if (NULL == pDriver)
1469 if (NULL == pDriver->
Name)
1475 memcpy(pDriver->
Name,
"kernel",
sizeof(
"kernel"));
Measures kernel-mode exception checks.
static INTSTATUS IntLixDrvSendEvent(KERNEL_DRIVER *Driver, BOOLEAN Loaded, BOOLEAN StaticDetected)
Sends an event containing the information about the provided driver to the integrator.
struct _EVENT_EPT_VIOLATION::@284 Victim
enum _INTRO_ACTION_REASON INTRO_ACTION_REASON
The reason for which an INTRO_ACTION was taken.
INTRO_CODEBLOCKS CodeBlocks
Code blocks extracted for the alert.
BOOLEAN Valid
Set to True if the information in the structure is valid, False otherwise.
Describes the information about a Linux active-patch.
INTSTATUS IntVirtMemUnmap(void **HostPtr)
Unmaps a memory range previously mapped with IntVirtMemMap.
DWORD GplSymbolsCount
The number of GPL-exported symbols (num_gpl_syms).
QWORD IntAlertCoreGetFlags(QWORD ProtectionFlag, INTRO_ACTION_REASON Reason)
Returns the flags for an alert.
An internal error occurred (no memory, pages not present, etc.).
BOOLEAN IntPolicyCoreForceBetaIfNeeded(QWORD Flag, INTRO_ACTION *Action)
Checks if a forced action should be taken even if the log-only mode is active.
static INTSTATUS IntLixDrvValidate(QWORD Driver)
Checks whether the driver at the provided address is valid.
BYTE ByteValues[ND_MAX_REGISTER_SIZE]
Kernel module (ntoskrnl.exe, hal.dll, etc.).
INTSTATUS IntHookObjectDestroy(HOOK_OBJECT_DESCRIPTOR **Object, DWORD Flags)
Destroy an entire hook object. All regions belonging to this object will be removed.
BYTE Violation
The type of the access. It must be one of the IG_EPT_HOOK_TYPE values.
DWORD RoSize
The size of the .rodata (read-only).
IG_ARCH_REGS Regs
The current state of the guest registers.
LIX_ACTIVE_PATCH ActivePatch[lixActivePatchCount]
An array that contains information about the active-patches.
MITRE_ID MitreID
The Mitre ID that corresponds to this attack.
QWORD SystemCr3
The Cr3 used to map the kernel.
#define INT_STATUS_SUCCESS
BOOLEAN IntPolicyCoreTakeAction(QWORD Flag, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason)
Returns the action that should be taken for a core introspection option.
#define PAGE_REMAINING(addr)
void IntLixDrvUpdateProtection(void)
Update Linux drivers protection according to the new core options.
QWORD ReturnRip
The RIP at which the code that triggered the alert returns.
INTSTATUS IntLixDrvRemoveEntry(KERNEL_DRIVER *Driver)
Disables protection and frees the driver structure, removing it from our internal list.
INTSTATUS IntKsymFindByAddress(QWORD Gva, DWORD Length, char *SymName, QWORD *SymStart, QWORD *SymEnd)
Finds the symbol which is located at the given address.
QWORD BaseVa
The guest virtual address of the kernel module that owns this driver object.
QWORD HookStartPhysical
The start of the monitored guest physical memory area for which this alert was generated.
#define INT_SUCCESS(Status)
Event structure for module loading and unloading.
void IntLixDrvGetSecName(KERNEL_DRIVER *Driver, QWORD Gva, CHAR *SectionName)
Get the section of the driver that contains the provided guest virtual address.
QWORD Flags
A combination of ALERT_FLAG_* values describing the alert.
INTSTATUS IntVirtMemFetchQword(QWORD GuestVirtualAddress, QWORD Cr3, QWORD *Data)
Reads 8 bytes from the guest memory.
void * InitProcessObj
The LIX_TASK_OBJECT of the 'init' process.
EVENT_MODULE_EVENT Module
QWORD IntHookGetGlaFromGpaHook(HOOK_GPA const *Hook, QWORD Address)
Gets the GLA from a GPA hook.
WORD Length
The patch length.
#define INTRO_OPT_PROT_KM_LX_MODULES
Enable Linux kernel modules protection (Linux only).
#define INT_STATUS_NOT_NEEDED_HINT
static BOOLEAN IntLixDrvIsActivePatch(QWORD Gva)
Checks if the provided guest virtual address is inside an active-patch range.
struct _EVENT_EPT_VIOLATION::@283 Originator
#define HpAllocWithTag(Len, Tag)
int INTSTATUS
The status data type.
QWORD Size
The size of the kernel module that owns this driver object.
QWORD GvaPage
Guest virtual page base address, aligned to 4K.
QWORD CodeEnd
The guest virtual address where the code ends.
QWORD CodeStart
The guest virtual address where the code starts.
int IntLixGuestGetSystemState(void)
Get the system state of the Linux guest.
LIX_MODULE_LAYOUT CoreLayout
The layout of the core section.
LIX_MODULE_LAYOUT InitLayout
The layout of the init section.
void * InitSwapHook
The hook on the init section.
#define INT_STATUS_NOT_FOUND
Describes a kernel-mode originator.
static INTSTATUS IntLixDrvInitVfreeHandler(void *Context, QWORD VirtualAddress, QWORD OldEntry, QWORD NewEntry, QWORD OldPageSize, QWORD NewPageSize)
This function is called when the init section of the driver is freed.
void IntAlertFillCpuContext(BOOLEAN CopyInstruction, INTRO_CPUCTX *CpuContext)
Fills the current CPU context for an alert.
INSTRUX Instruction
The current instruction, pointed by the guest RIP.
#define _Out_writes_(expr)
LIST_HEAD gKernelDrivers
List of all the drivers currently loaded inside the guest.
#define LIX_MODULE_MAP_START
Module mapping space, as defined by linux kernel (mm.txt)
QWORD HookStartVirtual
The start of the monitored guest virtual memory area for which this alert was generated.
#define LIX_MODULE_NAME_LEN
The maximum length of the Linux module name.
static void IntLixDrvSendViolationEvent(KERNEL_DRIVER *Driver, EXCEPTION_KM_ORIGINATOR *Originator, EXCEPTION_VICTIM_ZONE *Victim, HOOK_GPA *Hook, QWORD Address, INTRO_ACTION Action, INTRO_ACTION_REASON Reason)
Sends an introEventEptViolation event for a protected kernel module.
_MODULE_STATE
The state of a kernel module.
QWORD GplSymbols
The GVA of the exported gpl symbols (gpl_syms).
DWORD gModuleIgnore
Used to count the modules that are unloading.
Describes a kernel driver.
INTSTATUS IntHookGvaSetHook(QWORD Cr3, QWORD Gva, DWORD Length, BYTE Type, void *Callback, void *Context, void *ParentHook, DWORD Flags, HOOK_GVA **GvaHook)
Set a read, write, execute or swap hook on a guest virtual address.
void IntAlertFillVersionInfo(INTRO_VIOLATION_HEADER *Header)
Fills version information for an alert.
DWORD AccessSize
The size of the memory access. Valid only for EPT exits.
INTRO_VIOLATION_HEADER Header
The alert header.
INTSTATUS IntLixDrvRemoveFromAddress(QWORD DriverGva)
Disable protection and remove the driver structure from our internal list.
The module is still being set up.
QWORD ZoneTypes
The types of the accessed memory area.
DWORD NameHash
The hash of the name.
static INTSTATUS IntLixDrvCreateDriverObject(QWORD DriverGva, KERNEL_DRIVER **Object)
Create a KERNEL_DRIVER object that contains the information found at the address of the 'struct modul...
INTRO_ACTION_REASON Reason
The reason for which Action was taken.
QWORD ExTableStart
The guest virtual address where the ex-table starts.
INTSTATUS IntAlertFillCodeBlocks(QWORD Rip, QWORD Cr3, BOOLEAN Execute, INTRO_CODEBLOCKS *CodeBlocks)
Fills the code blocks pattern for an alert.
GENERIC_ALERT gAlert
Global alert buffer.
static void IntLixDrvRemoveDuplicate(QWORD DriverGva)
Removes the driver with the provided guest virtual address if exists in our list. ...
void IntAlertFillLixKmModule(const KERNEL_DRIVER *Driver, INTRO_MODULE *EventModule)
Saves information about a kernel module inside an alert.
DWORD Size
The total size of the section.
INTSTATUS IntKernVirtMemFetchDword(QWORD GuestVirtualAddress, DWORD *Data)
Reads 4 bytes from the guest kernel memory.
QWORD DataStart
The guest virtual address where the data starts.
#define INITIAL_CRC_VALUE
#define INT_STATUS_EXCEPTION_BLOCK
Describes an operand value.
void IntAlertEptFillFromVictimZone(const EXCEPTION_VICTIM_ZONE *Victim, EVENT_EPT_VIOLATION *EptViolation)
Fills the victim information inside an EPT alert.
INTSTATUS IntKernVirtMemFetchQword(QWORD GuestVirtualAddress, QWORD *Data)
Reads 8 bytes from the guest kernel memory.
static BOOLEAN IntLixDrvSystemBooting(void)
Checks if the system is booting.
SIZE_T NameLength
The length of the Name. This is the number of characters in the Name buffer.
static INTSTATUS IntLixDrvActivateProtection(KERNEL_DRIVER *Driver)
Activates protection for the provided driver.
struct _LINUX_GUEST::@126 Layout
INTSTATUS IntLixDrvCreateKernel(void)
Create the KERNEL_DRIVER object for the operating system kernel and activate the protection for it...
INTRO_CPUCTX CpuContext
The context of the CPU that triggered the alert.
INTSTATUS IntNotifyIntroEvent(INTRO_EVENT_TYPE EventClass, void *Param, size_t EventSize)
Notifies the integrator about an introspection alert.
static BOOLEAN RemoveEntryList(LIST_ENTRY *Entry)
#define IN_RANGE(x, start, end)
INTSTATUS IntExceptGetVictimEpt(void *Context, QWORD Gpa, QWORD Gva, INTRO_OBJECT_TYPE Type, DWORD ZoneFlags, EXCEPTION_VICTIM_ZONE *Victim)
Fills an EXCEPTION_VICTIM_ZONE with relevant information from an EPT violation.
QWORD Current
The currently used options.
INTSTATUS IntTranslateVirtualAddress(QWORD Gva, QWORD Cr3, QWORD *PhysicalAddress)
Translates a guest virtual address to a guest physical address.
#define IN_RANGE_LEN(x, start, len)
INTSTATUS(* PFUNC_IterateListCallback)(QWORD Node, QWORD Aux)
#define INT_STATUS_INVALID_PARAMETER_4
union _OPERAND_VALUE::@22 Value
The actual operand value.
The module is fully formed and is running module_init.
static void IntLixDrvDeactivateProtection(KERNEL_DRIVER *Driver)
Disable protection for the provided driver.
#define LIX_FIELD(Structure, Field)
Macro used to access fields inside the LIX_OPAQUE_FIELDS structure.
#define HpFreeAndNullWithTag(Add, Tag)
#define INT_STATUS_INVALID_PARAMETER_5
#define INTRO_OPT_EVENT_MODULES
Enable user mode and kernel mode module load and unload events (generates introEventModuleEvent event...
void * Name
The name of the driver.
void IntExceptKernelLogInformation(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason)
Print the information about a kernel-mode violation and dumps the code-blocks.
CHAR FunctionName[ALERT_MAX_FUNCTION_NAME_LEN]
The name of the modified function, if any. This is the same as Export.Name[0].
INTSTATUS IntLixDrvHandleWrite(void *Context, void *Hook, QWORD Address, INTRO_ACTION *Action)
Called if a write occurs on the protected memory zone.
static void InsertTailList(LIST_ENTRY *ListHead, LIST_ENTRY *Entry)
INTRO_EXEC_CONTEXT ExecContext
Information about the instruction that triggered the alert.
BOOLEAN Loaded
True if the module was loaded, False if it was unloaded.
#define INT_STATUS_ALREADY_INITIALIZED_HINT
LIX_KERNEL_MODULE Lix
Valid only for Linux guests.
INTSTATUS IntLixDrvFindList(QWORD *Drivers)
Searches the Linux kernel for the 'modules' variable.
INTSTATUS IntHookGvaRemoveHook(HOOK_GVA **Hook, DWORD Flags)
Remove a GVA hook.
Sent when an EPT violation triggers an alert. See EVENT_EPT_VIOLATION.
#define LIX_SYMBOL_NAME_LEN
The max length of the ksym as defined by Linux kernel.
Describes the modified zone.
#define UNREFERENCED_PARAMETER(P)
DWORD IntLixTaskGetExecCount(void)
Returns the number of processes that have performed an exec.
Exception Table (Linux-only).
INTSTATUS IntLixDrvIsLegitimateTextPoke(void *Hook, QWORD Address, LIX_ACTIVE_PATCH *ActivePatch, INTRO_ACTION *Action)
Checks whether the zone modified by the current instruction is a 'text_poke'.
QWORD ProtectionFlag
The introcore option that decided that this driver must be protected.
INTRO_PROCESS CurrentProcess
The currently active process.
QWORD KernelSymbols
The GVA of the exported symbols (syms).
QWORD DataEnd
The guest virtual address where the data ends.
enum _INTRO_ACTION INTRO_ACTION
Event actions.
LIST_ENTRY Link
Entry inside the gKernelDrivers list.
#define INT_STATUS_INVALID_OBJECT_TYPE
No access type. This can be used for swap hooks.
INTRO_MODULE Module
The module for which this event was triggered.
QWORD RoDataEnd
The guest virtual address where the read-only data ends.
DWORD Offset
The offset inside the page where the violation took place.
__must_check INTSTATUS IntVirtMemMap(QWORD Gva, DWORD Length, QWORD Cr3, DWORD Flags, void **HostPtr)
Maps a guest virtual memory range inside Introcore virtual address space.
MM Mm
Guest memory information, such as paging mode, system Cr3 value, etc.
GUEST_STATE gGuest
The current guest state.
enum _MODULE_STATE MODULE_STATE
The state of a kernel module.
INTRO_ACTION Action
The action that was taken as the result of this alert.
INTSTATUS IntKernVirtMemRead(QWORD KernelGva, DWORD Length, void *Buffer, DWORD *RetLength)
Reads data from a guest kernel virtual memory range.
CHAR ModifiedSectionName[ALERT_MAX_SECTION_NAME_LEN]
The name of the modified section, if any.
#define LIX_MODULE_MAX_ITERATIONS
INTSTATUS IntLixDrvCreateFromAddress(QWORD DriverGva, QWORD StaticDetected)
Create the KERNEL_DRIVER object from the provided 'module struct' address and activate the protection...
QWORD VirtualPage
The guest virtual page in which the access was made.
INTSTATUS IntHookObjectHookRegion(void *Object, QWORD Cr3, QWORD Gla, SIZE_T Length, BYTE Type, void *Callback, void *Context, DWORD Flags, HOOK_REGION_DESCRIPTOR **Region)
Hook a contiguous region of virtual memory inside the provided virtual address space.
#define INT_STATUS_NOT_INITIALIZED_HINT
KERNEL_DRIVER * KernelDriver
Points to the driver object that describes the kernel image.
#define INT_STATUS_INVALID_PARAMETER_1
#define INT_STATUS_NOT_SUPPORTED
INTRO_PROCESS CurrentProcess
The current process.
VCPU_STATE * gVcpu
The state of the current VCPU.
INTSTATUS IntDecGetWrittenValueFromInstruction(PINSTRUX Instrux, PIG_ARCH_REGS Registers, PBYTE MemoryValue, OPERAND_VALUE *WrittenValue)
Decode a written value from a memory write instruction.
The action was blocked because there was no exception for it.
DWORD Crc32String(const char *String, DWORD InitialCrc)
Computes the CRC for a NULL-terminated utf-8 string.
INTRO_MODULE Module
The module that did the malicious access.
BOOLEAN Initialized
True if the init section has been discarded.
QWORD Base
The base GVA of the section.
CHAR RipSectionName[ALERT_MAX_SECTION_NAME_LEN]
The name of the section in which the RIP resides. May be empty.
Event structure for EPT violations.
QWORD EntryPoint
The entry point of this driver.
#define UNREFERENCED_LOCAL_VARIABLE(V)
void IntAlertFillLixCurrentProcess(INTRO_PROCESS *EventProcess)
Saves the current Linux process inside an event.
QWORD Gva
The start of the region that is about to be patched.
#define list_for_each(_head, _struct_type, _var)
INTSTATUS IntLixDrvIterateList(PFUNC_IterateListCallback Callback, QWORD Aux)
Iterates the 'modules' list from the guest and activates protection for each driver that is initialize...
DWORD SymbolsCount
The number of symbols (num_syms).
#define INT_STATUS_REMOVE_HOOK_ON_RET
Can be used by hook callbacks in order to signal that the hook should be removed. ...
QWORD ObjectGva
The guest virtual address at which this object resides.
#define LIX_MODULE_MAP_END
INTSTATUS IntExceptKernelGetOriginator(EXCEPTION_KM_ORIGINATOR *Originator, DWORD Options)
Retrieves the information about the kernel-mode originator.
INTSTATUS IntAlertFillExecContext(QWORD Cr3, INTRO_EXEC_CONTEXT *ExecContext)
Fills the current execution context.
#define ZONE_WRITE
Used for write violation.
#define INT_STATUS_INVALID_PARAMETER_2
INTRO_PROT_OPTIONS CoreOptions
The activation and protection options for this guest.
QWORD Gla
The accessed guest virtual address. Valid only for EPT exits.
INTSTATUS IntHookObjectCreate(DWORD ObjectType, QWORD Cr3, void **Object)
Create a new hook object.
void IntExcept(EXCEPTION_VICTIM_ZONE *Victim, void *Originator, EXCEPTION_TYPE Type, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason, INTRO_EVENT_TYPE EventClass)
This function is the entry point for the exception mechanism.
LINUX_GUEST * gLixGuest
Global variable holding the state of a Linux guest.
BOOLEAN Protected
True if the module is protected.
INTRO_MODULE ReturnModule
The module to which the current code returns.
#define INT_STATUS_INSUFFICIENT_RESOURCES
The module is going away.
DWORD TextSize
The size of the .text (code usually).
#define INT_STATUS_INVALID_PARAMETER_3