- Generated by
1.8.13
|
Bitdefender Hypervisor Memory Introspection
|
#include "lixprocess.h"#include "alerts.h"#include "crc32.h"#include "hook.h"#include "icache.h"#include "lixcrash.h"#include "lixfiles.h"#include "lixmm.h"#include "lixcred.h"#include "lixvdso.h"#include "kernvm.h"#include "lixksym.h"#include "lixcmdline.h"Go to the source code of this file.
Data Structures | |
| struct | _LIX_TASK_LOG |
| This structure contains control bits for linux process logging. More... | |
Macros | |
| #define | LIX_MM_PROT_MASK BIT(63) |
| The bit used to mark a memory space as protected. More... | |
| #define | for_next_task(_task, _var_name) list_for_next(_task, gLixTasks, LIX_TASK_OBJECT, _var_name) |
| list_for_next wrapper used to iterate tasks from a given node. More... | |
| #define | for_each_task(_var_name) list_for_each(gLixTasks, LIX_TASK_OBJECT, _var_name) |
| list_for_each wrapper used to iterate Linux tasks. More... | |
| #define | for_each_protected_task(_var_name) |
| list_for_each wrapper used to iterate protected tasks. More... | |
| #define | for_each_task_to_protect(_var_name) list_for_each(gLixTasksToProtect, LIX_PROTECTED_PROCESS, _var_name) |
| list_for_each wrapper used to iterate tasks that should be protected. More... | |
| #define | for_each_path(_var_name) list_for_each(gLixTaskPaths, LIX_TASK_PATH, _var_name) |
| list_for_each wrapper used to iterate cached paths. More... | |
Typedefs | |
| typedef struct _LIX_TASK_LOG | LIX_TASK_LOG |
| This structure contains control bits for linux process logging. More... | |
Functions | |
| char * | basename_s (char *path, size_t len) |
| Returns a pointer inside a path string pointing to the beginning of the file base name. More... | |
| void | sanitize_path (char *path, size_t len, size_t *new_len) |
| Sanitizes an Unix path by removing trailing path delimiters. More... | |
| static LIX_TASK_PATH * | IntLixTaskPathGetRef (LIX_TASK_PATH *Path) |
| Increases the reference counter for a LIX_TASK_PATH object. More... | |
| static LIX_TASK_PATH * | IntLixTaskPathGetByDentry (QWORD FileGva, QWORD PathGva, QWORD DentryGva) |
| Get the LIX_TASK_PATH object associated with a given path. More... | |
| static LIX_TASK_PATH * | IntLixTaskPathGetByFile (QWORD FileGva) |
| Get a LIX_TASK_PATH object based on the guest virtual address of a "file" structure. More... | |
| static LIX_TASK_PATH * | IntLixTaskPathGetByPath (QWORD PathGva, QWORD DentryGva) |
| Get a LIX_TASK_PATH object based on the guest virtual address of a path string. More... | |
| static void | IntLixTaskPathFree (LIX_TASK_PATH **Path) |
| Release a LIX_TASK_PATH object. More... | |
| static BOOLEAN | IntLixTaskMustLog (const LIX_TASK_OBJECT *Task, BOOLEAN Protected) |
| Controls whether information about a task must be logged or not. More... | |
| INTSTATUS | IntLixGetInitTask (QWORD *InitTask) |
| Finds the guest virtual address of the "init_task". More... | |
| static INTSTATUS | _IntLixTaskStartMap (QWORD TaskGva) |
| Map the task_struct in order to perform further reads from it without any overhead. More... | |
| static INTSTATUS | _IntLixTaskRead (DWORD Offset, DWORD Size, void *Buffer) |
| Perform a read from the previously mapped "task_struct" structure. More... | |
| static void | _IntLixTaskFinishMap (void) |
| Unmaps a previously mapped "task_struct". More... | |
| static INTSTATUS | IntLixTaskFetchMm (QWORD MmStruct, LIX_TASK_OBJECT *Task, LIX_TASK_OBJECT *Parent) |
| Fetches the CR3 of a Linux task. More... | |
| INTSTATUS | IntLixTaskGetCurrentTaskStruct (DWORD CpuNumber, QWORD *TaskStruct) |
| Reads the guest virtual address of the task currently running on a CPU. More... | |
| LIX_TASK_OBJECT * | IntLixTaskGetCurrent (DWORD CpuNumber) |
| Finds the task that is currently running on the given CPU. More... | |
| static QWORD | IntLixUserToKernelPgd (QWORD Pgd) |
| Translates the value of a user page global directory to it's corresponding kernel value when KPTI is active. More... | |
| static QWORD | IntLixKernelToUserPgd (QWORD Pgd) |
| Translates the value of a kernel page global directory to it's corresponding user value when KPTI is active. More... | |
| QWORD | IntLixGetKernelCr3 (QWORD Cr3) |
| Transforms an user CR3 into a kernel CR3 on systems with KPTI enabled and active. More... | |
| LIX_TASK_OBJECT * | IntLixTaskFindByCr3 (QWORD Cr3) |
| Finds the Linux process having the provided Cr3. More... | |
| LIX_TASK_OBJECT * | IntLixTaskProtFindByMm (QWORD MmGva) |
| Finds the protected Linux process having the provided mm guest virtual address. More... | |
| LIX_TASK_OBJECT * | IntLixTaskFindByMm (QWORD MmGva) |
| Finds the Linux process having the provided mm guest virtual address. More... | |
| LIX_TASK_OBJECT * | IntLixTaskFindByGva (QWORD TaskStruct) |
| Finds Linux process with the provided "task_struct" guest virtual address. More... | |
| LIX_TASK_OBJECT * | IntLixTaskFindByPid (DWORD Pid) |
| Finds the Linux process having the provided PID. More... | |
| DWORD | IntLixTaskGetExecCount (void) |
| Returns the number of processes that have performed an exec. More... | |
| INTSTATUS | IntLixTaskGetTrapFrame (const LIX_TASK_OBJECT *Task, LIX_TRAP_FRAME *TrapFrame) |
| Retrieves the trap frame for a Linux task. More... | |
| static LIX_PROTECTED_PROCESS * | IntLixTaskShouldProtect (const LIX_TASK_OBJECT *Task) |
| Checks whether a Linux task should be protected or not. More... | |
| void | IntLixProcUpdateProtectedProcess (const void *Name, const CAMI_STRING_ENCODING Encoding, const CAMI_PROT_OPTIONS *Options) |
| Updates the protection flags for Linux tasks that should be protected based on options received via CAMI. More... | |
| static INTSTATUS | IntLixTaskDeactivateExploitProtection (LIX_TASK_OBJECT *Task) |
| Deactivates exploit protection for a Linux task. More... | |
| static INTSTATUS | IntLixTaskActivateExploitProtection (LIX_TASK_OBJECT *Task) |
| Activates exploit protection for a Linux task. More... | |
| static INTSTATUS | IntLixTaskActivateProtection (LIX_TASK_OBJECT *Task, LIX_TASK_OBJECT *Parent) |
| Activates protection for a Linux process. More... | |
| static void | IntLixTaskDeactivateProtection (LIX_TASK_OBJECT *Task) |
| Deactivates protection for a Linux process. More... | |
| static INTSTATUS | IntLixTaskFetchCmdLine (LIX_TASK_OBJECT *Process, QWORD BinprmGva) |
| Fetches the command line for a Linux process on the exec() system call. More... | |
| static void | IntLixTaskSetProcName (LIX_TASK_OBJECT *Task) |
| Sets the name for a Linux process. More... | |
| static void | IntLixTaskGetPath (QWORD FileGva, QWORD DPathGva, LIX_TASK_OBJECT *Task) |
| Read and set the path for a Linux process. More... | |
| static INTSTATUS | IntLixTaskCreateFromBinprm (LIX_TASK_OBJECT *OriginalTask, QWORD BinprmGva, QWORD PathGva, LIX_TASK_OBJECT *UpdatedTask) |
| Updates the contents of a previously forked process from it's new linux_binprm (used by the loader). More... | |
| static void | IntLixTaskSendTaskEvent (LIX_TASK_OBJECT *Task, DWORD ExitCode, BOOLEAN Created, BOOLEAN Crashed, BOOLEAN StaticDetected) |
| Sends a process event. More... | |
| static void | IntLixTaskSendAgentEvent (LIX_TASK_OBJECT *Task, DWORD ExitCode, BOOLEAN Created) |
| Sends an agent event. More... | |
| INTSTATUS | IntLixTaskGetUserStack (LIX_TASK_OBJECT *Task, QWORD *StackPointer, QWORD *StackBase, QWORD *StackLimit) |
| Finds the user mode stack limits for a Linux process. More... | |
| static INTSTATUS | IntLixTaskCreate (LIX_TASK_OBJECT *Parent, LIX_TASK_OBJECT *RealParent, QWORD TaskStruct, BOOLEAN StaticDetected, LIX_TASK_OBJECT **Task) |
| Creates a Linux process object. More... | |
| static void | IntLixTaskRemoveEntry (LIX_TASK_OBJECT *Task) |
| Removes a Linux process from the process list. More... | |
| static void | IntLixTaskMarkAgent (LIX_TASK_OBJECT *Task) |
| Marks a Linux process as being an Introcore agent. More... | |
| static void | IntLixTaskDestroy (LIX_TASK_OBJECT *Task, DWORD ExitCode) |
| Destroys a Linux process after protection for it is removed. More... | |
| static DWORD | IntLixTaskGetDpiMitreId (DWORD Flags) |
| Returns the MITRE ID for the process creation violation flag. More... | |
| static void | IntLixTaskSendBlockedEvent (LIX_TASK_OBJECT *OldTask, LIX_TASK_OBJECT *NewTask, INTRO_ACTION Action, INTRO_ACTION_REASON Reason, DWORD PcType) |
| Sends a blocked process creation event. More... | |
| static DWORD | IntLixTaskGetDpiViolationFlags (LIX_TASK_OBJECT *Task) |
| Returns the DPI flags for a Linux process. More... | |
| static void | IntLixValidateProcessCreationRights (LIX_TASK_OBJECT *ChildTask, LIX_TASK_OBJECT *ParentTask, INTRO_OBJECT_TYPE ObjectType, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason) |
| Validates process creation rights (both PC and DPI). More... | |
| INTSTATUS | IntLixTaskIsUserStackPivoted (LIX_TASK_OBJECT *Task, QWORD Ptr, BOOLEAN *IsPivoted) |
| Verifies whether the stack of a Linux process is pivoted or not. More... | |
| static void | IntLixValidateExecStack (LIX_TASK_OBJECT *ParentTask, LIX_TASK_OBJECT *CurrentTask) |
| Validates the user mode stack of a process upon an exec() system call. More... | |
| INTSTATUS | IntLixTaskHandleExec (void *Detour) |
| Handles the exec() system call of a linux process. More... | |
| INTSTATUS | IntLixTaskHandleFork (void *Detour) |
| Handles the fork() system call performed by a linux process. More... | |
| static void | IntLixTaskSendInjectionEvent (LIX_TASK_OBJECT *Source, LIX_TASK_OBJECT *Victim, INTRO_ACTION Action, INTRO_ACTION_REASON Reason) |
| Sends an injection event. More... | |
| static INTSTATUS | IntLixTaskHandleInjection (QWORD Victim, BOOLEAN Pid, QWORD InjectionFlag, BOOLEAN *Block) |
| Handles the injection into a protected process. More... | |
| INTSTATUS | IntLixTaskHandleVmRw (void *Detour) |
| Handles the process_vm_writev() system call. More... | |
| INTSTATUS | IntLixTaskHandlePtrace (void *Detour) |
| Handles the ptrace() system call. More... | |
| INTSTATUS | IntLixTaskHandleDoExit (void *Detour) |
| Handles the exit() system call. More... | |
| static INTSTATUS | IntLixTaskIterateThreadNode (QWORD TaskStructGva, PFUNC_IterateListCallback Callback, QWORD Aux) |
| Iterates the threads of a Linux process based on the thread node.. More... | |
| static INTSTATUS | IntLixTaskIterateThreadGroup (QWORD TaskStructGva, PFUNC_IterateListCallback Callback, QWORD Aux) |
| Iterates the threads of a Linux process based on the thread group. More... | |
| static INTSTATUS | IntLixTaskIterateThreads (QWORD TaskStructGva, PFUNC_IterateListCallback Callback, QWORD Aux) |
| Iterates the threads of a Linux process. More... | |
| INTSTATUS | IntLixTaskIterateGuestTasks (PFUNC_IterateListCallback Callback, QWORD Aux) |
| Iterates the guest process list and calls the provided callback for each process and thread found. More... | |
| static INTSTATUS | IntLixTaskCreateInitTask (QWORD TaskGva, LIX_TASK_OBJECT **Task) |
| Creates the init task object. More... | |
| INTSTATUS | IntLixTaskAdd (QWORD TaskGva, QWORD StaticDetected) |
| Creates and adds a Linux process in the internal list. More... | |
| static INTSTATUS | IntLixTaskChangeProtectionFlags (LIX_TASK_OBJECT *Task, QWORD NewProtection, QWORD NewRootProtection, QWORD Context) |
| Adjust the protection of a Linux process based on a new set of rules. More... | |
| static INTSTATUS | IntLixTaskAdjustProtections (const LIX_PROTECTED_PROCESS *ProtProc, BOOLEAN Remove) |
| Adjusts the protection flags for processes associated with the LIX_PROTECTED_PROCESS object. More... | |
| INTSTATUS | IntLixTaskAddProtected (const char *ProcessName, QWORD ProtectionMask, QWORD Context) |
| Adds a protected process name pattern. More... | |
| INTSTATUS | IntLixTaskRemoveProtected (const char *ProcessName) |
| Removes a pattern of processes to be protected. More... | |
| void | IntLixTaskUpdateProtection (void) |
| Adjusts protection for all active Linux processes. More... | |
| INTSTATUS | IntLixTaskGetAgentsAsCli (char *CommandLine, DWORD Length) |
| Returns a string with the command lines of all active agents. More... | |
| void | IntLixTaskUninit (void) |
| Uninitializes the Linux process subsystem. More... | |
| static void | IntLixTaskDumpTree (LIX_TASK_OBJECT *Task, DWORD Level) |
| Dumps the user mode tasks tree. More... | |
| static void | IntLixTaskDumpKernelThreadTree (LIX_TASK_OBJECT *Thread, DWORD Level) |
| Dumps the kthreads tree. More... | |
| void | IntLixTaskDumpAsTree (void) |
| Dump the process tree. More... | |
| void | IntLixTaskDump (void) |
| Dumps the process list. More... | |
| void | IntLixTaskDumpProtected (void) |
| Dumps the list with processes that Introcore should protect. More... | |
| INTSTATUS | IntLixTaskIterateTasks (PFUNC_LixTaskIterateTasks Callback) |
| Call the Callback parameter for each task saved internally. More... | |
| BOOLEAN | IntLixTaskGuestTerminating (void) |
| Check whether the guest OS is terminating or not. More... | |
| INTSTATUS | IntLixAccessRemoteVmHandler (void *Detour) |
| Detour handler for __access_remote_vm. More... | |
Variables | |
| LIX_TASK_LOG | gLixTaskLogLevel |
| The global structure controlling linux process logging. More... | |
| static const char * | gLixTerminatingTasks [] |
| Linux processes signaling that the guest OS is shutting down. More... | |
| static LIST_HEAD | gLixTasks = LIST_HEAD_INIT(gLixTasks) |
| The list with all tasks inside the guest OS. More... | |
| static LIST_HEAD | gLixProtectedTasks = LIST_HEAD_INIT(gLixProtectedTasks) |
| The list with all tasks that are currently protected. More... | |
| static LIST_HEAD | gLixTasksToProtect = LIST_HEAD_INIT(gLixTasksToProtect) |
| The list with all tasks that should be protected. More... | |
| static LIST_HEAD | gLixTaskPaths = LIST_HEAD_INIT(gLixTaskPaths) |
| The list with all cached paths. More... | |
| static QWORD | gTaskMapped = 0 |
| static BYTE * | gTaskPtr1 = NULL |
| static BYTE * | gTaskPtr2 = NULL |
| #define for_each_path | ( | _var_name | ) | list_for_each(gLixTaskPaths, LIX_TASK_PATH, _var_name) |
list_for_each wrapper used to iterate cached paths.
Definition at line 117 of file lixprocess.c.
Referenced by IntLixTaskPathGetByDentry().
| #define for_each_protected_task | ( | _var_name | ) |
list_for_each wrapper used to iterate protected tasks.
Definition at line 100 of file lixprocess.c.
Referenced by IntLixTaskProtFindByMm().
| #define for_each_task | ( | _var_name | ) | list_for_each(gLixTasks, LIX_TASK_OBJECT, _var_name) |
list_for_each wrapper used to iterate Linux tasks.
Definition at line 95 of file lixprocess.c.
Referenced by IntLixTaskAdjustProtections(), IntLixTaskDump(), IntLixTaskDumpKernelThreadTree(), IntLixTaskDumpTree(), IntLixTaskFindByCr3(), IntLixTaskFindByGva(), IntLixTaskFindByMm(), IntLixTaskFindByPid(), IntLixTaskGetAgentsAsCli(), IntLixTaskGetExecCount(), IntLixTaskGuestTerminating(), IntLixTaskHandleInjection(), IntLixTaskIterateTasks(), IntLixTaskUninit(), and IntLixTaskUpdateProtection().
| #define for_each_task_to_protect | ( | _var_name | ) | list_for_each(gLixTasksToProtect, LIX_PROTECTED_PROCESS, _var_name) |
list_for_each wrapper used to iterate tasks that should be protected.
Definition at line 106 of file lixprocess.c.
Referenced by IntLixProcUpdateProtectedProcess(), IntLixTaskAddProtected(), IntLixTaskDumpProtected(), IntLixTaskRemoveProtected(), IntLixTaskShouldProtect(), and IntLixTaskUninit().
| #define for_next_task | ( | _task, | |
| _var_name | |||
| ) | list_for_next(_task, gLixTasks, LIX_TASK_OBJECT, _var_name) |
list_for_next wrapper used to iterate tasks from a given node.
Definition at line 90 of file lixprocess.c.
Referenced by IntLixTaskAdjustProtections().
| #define LIX_MM_PROT_MASK BIT(63) |
The bit used to mark a memory space as protected.
Definition at line 19 of file lixprocess.c.
Referenced by IntLixTaskActivateExploitProtection(), and IntLixTaskDeactivateExploitProtection().
| typedef struct _LIX_TASK_LOG LIX_TASK_LOG |
This structure contains control bits for linux process logging.
|
static |
Unmaps a previously mapped "task_struct".
Definition at line 670 of file lixprocess.c.
Referenced by IntLixTaskAdd(), and IntLixTaskCreateFromBinprm().
Perform a read from the previously mapped "task_struct" structure.
| [in] | Offset | The offset inside "task_struct" structure from where the read should be performed. |
| [in] | Size | The size in bytes to be read from the "task_struct". |
| [out] | Buffer | The buffer where the read outcome will be stored. |
Definition at line 607 of file lixprocess.c.
Referenced by IntLixTaskAdd(), IntLixTaskCreate(), IntLixTaskCreateFromBinprm(), and IntLixTaskFetchMm().
Map the task_struct in order to perform further reads from it without any overhead.
NOTE: We can not use the mechanism from lixfastread.c because it will interleave with the VMA filling who is also using it.
| [in] | TaskGva | The guest virtual address of the "task_struct" structure. |
Definition at line 576 of file lixprocess.c.
Referenced by IntLixTaskAdd(), and IntLixTaskCreateFromBinprm().
| char* basename_s | ( | char * | path, |
| size_t | len | ||
| ) |
Returns a pointer inside a path string pointing to the beginning of the file base name.
| [in] | path | A string containing a sanitized Unix path. |
| [in] | len | The length of the path parameter. |
Definition at line 122 of file lixprocess.c.
Referenced by IntLixTaskPathGetByDentry().
| INTSTATUS IntLixAccessRemoteVmHandler | ( | void * | Detour | ) |
Detour handler for __access_remote_vm.
This function will deny any attempt of a process to alter the memory space of another process. Even though _access_remote_vm is also used to also perform reads, the detour handler inside the OS will filter the events and only the ones performing writes will trigger any actions.
| [in] | Detour | Unused. |
Definition at line 5009 of file lixprocess.c.
Finds the guest virtual address of the "init_task".
Searches the linux kernel for the 'init_task' variable. This variable can be exported in kallsyms but some distros (Debian) disable variable exporting in kallsyms, and we must do it our way then.
| [out] | InitTask | Will contain, upon successful return, the guest virtual address of "init_task" variable. |
Definition at line 401 of file lixprocess.c.
Referenced by IntLixTaskIterateGuestTasks().
Transforms an user CR3 into a kernel CR3 on systems with KPTI enabled and active.
| [in] | Cr3 | The user CR3 value. |
Definition at line 919 of file lixprocess.c.
Referenced by IntGetGprs(), and IntLixTaskFindByCr3().
Translates the value of a kernel page global directory to it's corresponding user value when KPTI is active.
| [in] | Pgd | The guest physical address of the page global directory. |
Definition at line 903 of file lixprocess.c.
| void IntLixProcUpdateProtectedProcess | ( | const void * | Name, |
| const CAMI_STRING_ENCODING | Encoding, | ||
| const CAMI_PROT_OPTIONS * | Options | ||
| ) |
Updates the protection flags for Linux tasks that should be protected based on options received via CAMI.
| [in] | Name | The name (or glob pattern) of the task to be protected whose options should be patched. |
| [in] | Encoding | The encoding type of the Name string parameter. Currently only CAMI_STRING_ENCODING_UTF8 are supported for Linux tasks. |
| [in] | Options | The CAMI_PROT_OPTIONS which should by applied for processes matching the supplied Name. |
Definition at line 1173 of file lixprocess.c.
Referenced by IntCamiUpdateProcessProtectionItems().
|
static |
Activates exploit protection for a Linux task.
This function will decide if the supplied task should be protected (it's protection mask activates exploit protection) and then will enable exploit protection. Static detected tasks that are dying are ignored.
| [in] | Task | The Linux task. |
Definition at line 1273 of file lixprocess.c.
Referenced by IntLixTaskActivateProtection(), and IntLixTaskChangeProtectionFlags().
|
static |
Activates protection for a Linux process.
| [in] | Task | The Linux process. |
| [in] | Parent | The process parent. |
Only protections that are CR3-dependent should be removed!
Definition at line 1380 of file lixprocess.c.
Referenced by IntLixTaskCreate(), and IntLixTaskHandleExec().
Creates and adds a Linux process in the internal list.
| [in] | TaskGva | The guest virtual address of the "task_struct" kernel object. |
| [in] | StaticDetected | A value greater than 0 suggest that the process was static detected. |
Definition at line 3996 of file lixprocess.c.
Referenced by IntLixGuestInitAgentCompletion(), and IntLixTaskHandleFork().
Adds a protected process name pattern.
| [in] | ProcessName | The process name pattern. |
| [in] | ProtectionMask | The protection flags set for this process. |
| [in] | Context | The context provided by the integrator. |
Definition at line 4334 of file lixprocess.c.
Referenced by IntAddRemoveProtectedProcessUtf8().
|
static |
Adjusts the protection flags for processes associated with the LIX_PROTECTED_PROCESS object.
| [in] | ProtProc | The protect process pattern. |
| [in] | Remove | If the protection for the processes matching the given pattern should be removed. |
Definition at line 4228 of file lixprocess.c.
Referenced by IntLixTaskAddProtected(), IntLixTaskRemoveProtected(), and IntLixTaskUpdateProtection().
|
static |
Adjust the protection of a Linux process based on a new set of rules.
| [in] | Task | The Linux process. |
| [in] | NewProtection | The new protection flags set. |
| [in] | NewRootProtection | The new root protection flags. (This are the raw flags supplied by the integrator). |
| [in] | Context | The context provided by the integrator. |
Definition at line 4106 of file lixprocess.c.
Referenced by IntLixTaskAdjustProtections().
|
static |
Creates a Linux process object.
NOTE: This may return INT_STATUS_NOT_NEEDED_HINT which is a success status but no task object will be created so be careful when using pTask.
| [in] | Parent | The parent of the Linux process. |
| [in] | RealParent | The real parent of the Linux process. |
| [in] | TaskStruct | The guest virtual address of the "task_struct" structure with the process. |
| [in] | StaticDetected | TRUE if the process was detected statically. |
| [out] | Task | Will contain, upon successful return, the newly created task object. |
NOTE: We should hook the comm field if we want an fully accurate name for threads
Definition at line 2103 of file lixprocess.c.
Referenced by IntLixTaskAdd().
|
static |
Updates the contents of a previously forked process from it's new linux_binprm (used by the loader).
| [in] | OriginalTask | The Linux process that performed the exec() system call. |
| [in] | BinprmGva | The guest virtual address of the "linux_binprm" structure describing this operation. |
| [in] | PathGva | The guest virtual address of the path string. |
| [out] | UpdatedTask | The Linux process that will be updated upon successful return based on the supplied binprm. |
Definition at line 1747 of file lixprocess.c.
Referenced by IntLixTaskHandleExec().
|
static |
Creates the init task object.
| [in] | TaskGva | The guest virtual address of the init task. |
| [out] | Task | Will contain, upon successful return, a reference to the newly created task. |
Definition at line 3893 of file lixprocess.c.
Referenced by IntLixTaskAdd().
|
static |
Deactivates exploit protection for a Linux task.
| [in] | Task | The Linux task. |
Definition at line 1210 of file lixprocess.c.
Referenced by IntLixTaskActivateExploitProtection(), IntLixTaskChangeProtectionFlags(), and IntLixTaskDeactivateProtection().
|
static |
Deactivates protection for a Linux process.
| [in] | Task | The Linux process. |
Definition at line 1498 of file lixprocess.c.
Referenced by IntLixTaskChangeProtectionFlags(), IntLixTaskCreate(), IntLixTaskDestroy(), IntLixTaskHandleExec(), IntLixTaskRemoveEntry(), and IntLixTaskUpdateProtection().
|
static |
Destroys a Linux process after protection for it is removed.
| [in] | Task | The Linux process. |
| [in] | ExitCode | Process exit code. |
Definition at line 2491 of file lixprocess.c.
Referenced by IntLixTaskHandleDoExit().
| void IntLixTaskDump | ( | void | ) |
Dumps the process list.
Definition at line 4797 of file lixprocess.c.
Referenced by DbgDumpProcesses().
| void IntLixTaskDumpAsTree | ( | void | ) |
Dump the process tree.
Definition at line 4784 of file lixprocess.c.
|
static |
Dumps the kthreads tree.
This function will dump all kthreads created by another kthread. If the Thread parameter is NULL then the first created kthread will be on the top of the hierarchy.
| [in] | Thread | The starting kthread. |
| [in] | Level | The hierarchy level. |
Definition at line 4716 of file lixprocess.c.
Referenced by IntLixTaskDumpAsTree().
| void IntLixTaskDumpProtected | ( | void | ) |
Dumps the list with processes that Introcore should protect.
Definition at line 4869 of file lixprocess.c.
Referenced by DbgProcList().
|
static |
Dumps the user mode tasks tree.
| [in] | Task | The Linux process that will act as the root for the nodes bellow. |
| [in] | Level | The level on the hierarchy this process resides on. |
Definition at line 4601 of file lixprocess.c.
Referenced by IntLixTaskDumpAsTree().
|
static |
Fetches the command line for a Linux process on the exec() system call.
| [in] | Process | The Linux process. |
| [in] | BinprmGva | The guest virtual address of the binprm structure holding the exec info. |
Definition at line 1536 of file lixprocess.c.
Referenced by IntLixTaskHandleExec().
|
static |
Fetches the CR3 of a Linux task.
This function will find the CR3 value associated with the supplied task based on it's features, as follows:
Note: If MmStruct parameter is not supplied then the mm guest virtual address will be fetched from the task currently mapped with _IntLixTaskStartMap. Thus, make sure the right task is currently mapped if you are not going to supply this parameter.
| [in] | MmStruct | The guest virtual address of the task's mm structure. |
| [in] | Task | The Linux task. |
| [in] | Parent | The parent task. |
Definition at line 692 of file lixprocess.c.
Referenced by IntLixTaskCreate(), and IntLixTaskCreateFromBinprm().
| LIX_TASK_OBJECT* IntLixTaskFindByCr3 | ( | QWORD | Cr3 | ) |
Finds the Linux process having the provided Cr3.
| [in] | Cr3 | The CR3 value. |
Definition at line 942 of file lixprocess.c.
Referenced by IntDecDecodeInstructionAtRipWithCache(), IntLixAgentHandleUserVmcall(), and IntLixCmdLineSendViolationEvent().
| LIX_TASK_OBJECT* IntLixTaskFindByGva | ( | QWORD | TaskStruct | ) |
Finds Linux process with the provided "task_struct" guest virtual address.
| [in] | TaskStruct | The guest virtual address of the "task_struct". |
Definition at line 1025 of file lixprocess.c.
Referenced by IntExceptKernelLogLinuxInformation(), IntExceptUserLogLinuxInformation(), IntLixCmdLineInspect(), IntLixCommitCredsHandle(), IntLixCrashHandle(), IntLixTaskAdd(), IntLixTaskCreateFromBinprm(), IntLixTaskGetCurrent(), IntLixTaskHandleDoExit(), IntLixTaskHandleExec(), IntLixTaskSendTaskEvent(), IntSerializeLixUmOriginator(), and IntSerializeLixUmVictim().
| LIX_TASK_OBJECT* IntLixTaskFindByMm | ( | QWORD | MmGva | ) |
Finds the Linux process having the provided mm guest virtual address.
| [in] | MmGva | The guest virtual address of a mm struct. |
Definition at line 999 of file lixprocess.c.
Referenced by IntLixAccessRemoteVmHandler(), IntLixVmaAdjust(), IntLixVmaChangeProtection(), IntLixVmaExpandDownwards(), IntLixVmaInsert(), and IntLixVmaRemove().
| LIX_TASK_OBJECT* IntLixTaskFindByPid | ( | DWORD | Pid | ) |
Finds the Linux process having the provided PID.
| [in] | Pid | The task PID. |
Definition at line 1051 of file lixprocess.c.
Referenced by IntLixTaskAdd(), IntLixTaskCreate(), and IntLixVdsoDynamicProtectRelocate().
Returns a string with the command lines of all active agents.
| [out] | CommandLine | Will contain, upon successful return, the agents command lines. |
| [in] | Length | The size of the CommandLine parameter. |
Definition at line 4525 of file lixprocess.c.
Referenced by IntLixDepGetInternalArgs().
| LIX_TASK_OBJECT* IntLixTaskGetCurrent | ( | DWORD | CpuNumber | ) |
Finds the task that is currently running on the given CPU.
This function will read the value of "current_task" from the per-cpu memory region and will return the LIX_TASK_OBJECT corresponding to the read value. Even though at any given time there will be a task running on a CPU, it is not guaranteed that there is a LIX_TASK_OBJECT associated to it. (e.g. idle tasks)
| [in] | CpuNumber | The CPU number. |
Definition at line 858 of file lixprocess.c.
Referenced by IntAlertFillLixCurrentProcess(), IntExceptGetVictimEpt(), IntExceptKernelLogLinuxInformation(), IntLixAccessRemoteVmHandler(), IntLixVdsoHandleUserModeWrite(), and IntThrSafeLixGetCurrentStack().
Reads the guest virtual address of the task currently running on a CPU.
| [in] | CpuNumber | The CPU number. |
| [out] | TaskStruct | Will contain, upon successful return, the guest virtual address of the task currently running on the given CPU. |
Definition at line 795 of file lixprocess.c.
Referenced by IntLixTaskGetCurrent(), IntLixTaskHandleInjection(), and IntThrSafeInspectRunningThreads().
Returns the MITRE ID for the process creation violation flag.
| [in] | Flags | The DPI violation flags. |
Definition at line 2582 of file lixprocess.c.
Referenced by IntLixTaskSendBlockedEvent().
|
static |
Returns the DPI flags for a Linux process.
| [in] | Task | The Linux process. |
Definition at line 2663 of file lixprocess.c.
Referenced by IntLixValidateProcessCreationRights().
| DWORD IntLixTaskGetExecCount | ( | void | ) |
Returns the number of processes that have performed an exec.
Definition at line 1077 of file lixprocess.c.
Referenced by IntLixDrvIterateList().
|
static |
Read and set the path for a Linux process.
| [in] | FileGva | The guest virtual address of the "file" structure associated with the executed file. |
| [in] | DPathGva | The guest virtual address of the "d_path" function call result. |
| [out] | Task | The Linux process. |
Definition at line 1714 of file lixprocess.c.
Referenced by IntLixTaskCreateFromBinprm().
| INTSTATUS IntLixTaskGetTrapFrame | ( | const LIX_TASK_OBJECT * | Task, |
| LIX_TRAP_FRAME * | TrapFrame | ||
| ) |
Retrieves the trap frame for a Linux task.
The kernel implementation for this function is the following:
#define task_pt_regs(task) ({ unsigned long __ptr = (unsigned long)task_stack_page(task); __ptr += THREAD_SIZE - TOP_OF_KERNEL_STACK_PADDING; ((struct pt_regs *)__ptr) - 1; })
Note: On x86_64 configurations TOP_OF_KERNEL_STACK_PADDING is zero so it can be ignored.
| [in] | Task | The Linux task. |
| [out] | TrapFrame | Upon successful return will be filled with with the trap frame of the supplied task. |
Definition at line 1098 of file lixprocess.c.
Referenced by IntLixCredAnalyzeStack(), IntLixStackDumpUmStackTrace(), IntLixTaskGetUserStack(), and IntLixTaskSendExceptionEvent().
| INTSTATUS IntLixTaskGetUserStack | ( | LIX_TASK_OBJECT * | Task, |
| QWORD * | StackPointer, | ||
| QWORD * | StackBase, | ||
| QWORD * | StackLimit | ||
| ) |
Finds the user mode stack limits for a Linux process.
| [in] | Task | The Linux process. |
| [out] | StackPointer | Will contain, upon successful return, the user mode RSP value. |
| [out] | StackBase | Will contain, upon successful return, the user mode stack base. |
| [out] | StackLimit | Will contain, upon successful return, the user mode stack limit. |
Definition at line 2044 of file lixprocess.c.
Referenced by IntLixTaskCreate(), IntLixValidateExecStack(), and IntLixVmaHandlePageExecution().
| BOOLEAN IntLixTaskGuestTerminating | ( | void | ) |
Check whether the guest OS is terminating or not.
This function will firstly attempt to compare the "system_state" kernel variable with the "Running" value. Linux documentation tells us that any state value greater than running means the system is either going down or it's suspending/hibernating. However, is some cases we may not be able to access the "system_state" and we apply the following heuristic to determine if the guest is shutting down:
Definition at line 4923 of file lixprocess.c.
Referenced by IntLixGuestDeployUninitAgent().
| INTSTATUS IntLixTaskHandleDoExit | ( | void * | Detour | ) |
Handles the exit() system call.
| [in] | Detour | Unused. |
Definition at line 3481 of file lixprocess.c.
| INTSTATUS IntLixTaskHandleExec | ( | void * | Detour | ) |
Handles the exec() system call of a linux process.
| [in] | Detour | Unused. |
Definition at line 2947 of file lixprocess.c.
| INTSTATUS IntLixTaskHandleFork | ( | void * | Detour | ) |
Handles the fork() system call performed by a linux process.
| [in] | Detour | Unused. |
Definition at line 3179 of file lixprocess.c.
|
static |
Handles the injection into a protected process.
| [in] | Victim | The PID or guest virtual address of the victim's "task_struct". |
| [in] | Pid | If the Victim parameter represents the process PID. |
| [in] | InjectionFlag | The type of the injection. |
| [out] | Block | Will be set with the action that must be taken. (TRUE means block, FALSE means allow) |
Definition at line 3256 of file lixprocess.c.
Referenced by IntLixTaskHandlePtrace(), and IntLixTaskHandleVmRw().
| INTSTATUS IntLixTaskHandlePtrace | ( | void * | Detour | ) |
Handles the ptrace() system call.
This function will deny any ptrace() request that may taint a process which is being protected. The currently handled requests are PTRACE_POKE* and PTRACE_SET*REGS.
| [in] | Detour | Unused. |
Definition at line 3423 of file lixprocess.c.
| INTSTATUS IntLixTaskHandleVmRw | ( | void * | Detour | ) |
Handles the process_vm_writev() system call.
This function will deny any foreign memory writes attempted into a protected process. Note:Even though the detoured function is "process_vm_rw_core" which handles both reads and writes inside the memory space of another process, this function assumes the code that is detouring this function will filter the actions and will perform the hypercall only when a write is attempted.
| [in] | Detour | Unused. |
Definition at line 3381 of file lixprocess.c.
| INTSTATUS IntLixTaskIsUserStackPivoted | ( | LIX_TASK_OBJECT * | Task, |
| QWORD | Ptr, | ||
| BOOLEAN * | IsPivoted | ||
| ) |
Verifies whether the stack of a Linux process is pivoted or not.
| [in] | Task | The Linux process. |
| [in] | Ptr | The current RSP value. |
| [out] | IsPivoted | Upon successful return, will be set to TRUE if the stack is pivoted, FALSE otherwise. |
Definition at line 2795 of file lixprocess.c.
Referenced by IntLixValidateExecStack().
| INTSTATUS IntLixTaskIterateGuestTasks | ( | PFUNC_IterateListCallback | Callback, |
| QWORD | Aux | ||
| ) |
Iterates the guest process list and calls the provided callback for each process and thread found.
| [in] | Callback | The callback that should be called for each task. |
| [in] | Aux | Context that will be sent as a parameter to the provided callback. |
Definition at line 3799 of file lixprocess.c.
Referenced by IntLixGuestInitAgentCompletion(), and IntThrSafeCheckThreads().
| INTSTATUS IntLixTaskIterateTasks | ( | PFUNC_LixTaskIterateTasks | Callback | ) |
Call the Callback parameter for each task saved internally.
| [in] | Callback | The callback to be called for each task. |
Definition at line 4892 of file lixprocess.c.
Referenced by IntLixNetSendGuestConnections().
|
static |
Iterates the threads of a Linux process based on the thread group.
| [in] | TaskStructGva | The guest virtual address of the process's "task_struct". |
| [in] | Callback | The callback that should be called for each thread found. |
| [in] | Aux | Context that will be sent as a parameter to the provided callback. |
Definition at line 3646 of file lixprocess.c.
Referenced by IntLixTaskIterateThreads().
|
static |
Iterates the threads of a Linux process based on the thread node..
| [in] | TaskStructGva | The guest virtual address of the process's "task_struct". |
| [in] | Callback | The callback that should be called for each thread found. |
| [in] | Aux | Context that will be sent as a parameter to the provided callback. |
Definition at line 3513 of file lixprocess.c.
Referenced by IntLixTaskIterateThreads().
|
static |
Iterates the threads of a Linux process.
| [in] | TaskStructGva | The guest virtual address of the process's "task_struct". |
| [in] | Callback | The callback that should be called for each thread found. |
| [in] | Aux | Context that will be sent as a parameter to the provided callback. |
Definition at line 3766 of file lixprocess.c.
Referenced by IntLixTaskIterateGuestTasks().
|
static |
Marks a Linux process as being an Introcore agent.
| [in] | Task | The Linux process. |
Definition at line 2461 of file lixprocess.c.
Referenced by IntLixTaskUninit().
|
static |
Controls whether information about a task must be logged or not.
| [in] | Task | Pointer to a LIX_TASK_OBJECT. |
| [in] | Protected | Set if the Task sent as a parameter is being protected. |
Definition at line 366 of file lixprocess.c.
Referenced by IntLixTaskActivateProtection(), IntLixTaskCreate(), IntLixTaskDeactivateProtection(), IntLixTaskDestroy(), and IntLixTaskHandleExec().
|
static |
Release a LIX_TASK_PATH object.
This function will firstly decrement the object reference count. If the counter becomes zero, then the object is destroyed and the memory will be freed.
| [in] | Path | Pointer to a LIX_TASK_PATH reference. |
Definition at line 328 of file lixprocess.c.
Referenced by IntLixTaskRemoveEntry().
|
static |
Get the LIX_TASK_PATH object associated with a given path.
This function will initially try to return an existing LIX_TASK_PATH object. If the dentry was not yet cached then a new object is created (based on which of the FileGva or PathGva parameter is set) and inserted in the gLixTaskPaths list.
This function will also increment the object reference counter.
| [in] | FileGva | The guest virtual address of the "file" structure. |
| [in] | PathGva | The guest virtual address of the path string. |
| [in] | DentryGva | The guest virtual address of the "dentry" structure. |
Definition at line 189 of file lixprocess.c.
Referenced by IntLixTaskCreate(), IntLixTaskGetPath(), IntLixTaskPathGetByFile(), and IntLixTaskPathGetByPath().
|
static |
Get a LIX_TASK_PATH object based on the guest virtual address of a "file" structure.
| [in] | FileGva | The guest virtual address of a "file" structure. |
Definition at line 285 of file lixprocess.c.
|
static |
Get a LIX_TASK_PATH object based on the guest virtual address of a path string.
| [in] | PathGva | The guest virtual address of the path string. |
| [in] | DentryGva | The guest virtual address of the "dentry" structure. |
Definition at line 310 of file lixprocess.c.
Referenced by IntLixTaskGetPath().
|
static |
Increases the reference counter for a LIX_TASK_PATH object.
| [in] | Path | Pointer to a LIX_TASK_PATH object. |
Definition at line 168 of file lixprocess.c.
Referenced by IntLixTaskCreate(), and IntLixTaskPathGetByDentry().
| LIX_TASK_OBJECT* IntLixTaskProtFindByMm | ( | QWORD | MmGva | ) |
Finds the protected Linux process having the provided mm guest virtual address.
| [in] | MmGva | The guest virtual address of a mm struct. |
Definition at line 974 of file lixprocess.c.
|
static |
Removes a Linux process from the process list.
| [in] | Task | The Linux process. |
Definition at line 2428 of file lixprocess.c.
Referenced by IntLixTaskDestroy(), IntLixTaskHandleExec(), and IntLixTaskUninit().
| INTSTATUS IntLixTaskRemoveProtected | ( | const char * | ProcessName | ) |
Removes a pattern of processes to be protected.
| [in] | ProcessName | The process pattern. |
Definition at line 4439 of file lixprocess.c.
Referenced by IntAddRemoveProtectedProcessUtf8().
|
static |
Sends an agent event.
| [in] | Task | The Linux process associated with the agent. |
| [in] | ExitCode | The agent exit code. |
| [in] | Created | TRUE If the agent has just been created. |
Definition at line 2003 of file lixprocess.c.
Referenced by IntLixTaskDestroy(), and IntLixTaskHandleExec().
|
static |
Sends a blocked process creation event.
| [in] | OldTask | The process that attempted to spawn the NewTask. |
| [in] | NewTask | The process that tried to be spawned by the OldTask. |
| [in] | Action | The action that was taken. |
| [in] | Reason | The reason the action was taken. |
| [in] | PcType | The process creation violation type. |
Definition at line 2609 of file lixprocess.c.
Referenced by IntLixValidateProcessCreationRights().
|
static |
Sends an injection event.
| [in] | Source | The Linux process that tried to perform the injection. |
| [in] | Victim | The Linux process that was the victim of the injection. |
| [in] | Action | The action that was taken. |
| [in] | Reason | The reason for the action. |
Definition at line 3204 of file lixprocess.c.
Referenced by IntLixAccessRemoteVmHandler(), and IntLixTaskHandleInjection().
|
static |
Sends a process event.
| [in] | Task | The Linux process. |
| [in] | ExitCode | The process exit code. |
| [in] | Created | TRUE if the the process is created. |
| [in] | Crashed | TRUE if the process crashed. |
| [in] | StaticDetected | TRUE if the process was detected statically. |
Definition at line 1934 of file lixprocess.c.
Referenced by IntLixTaskCreate(), IntLixTaskDestroy(), and IntLixTaskHandleExec().
|
static |
Sets the name for a Linux process.
This function will set the process name depending what info is available(path or comm).
| [in] | Task | The Linux process. |
Definition at line 1689 of file lixprocess.c.
Referenced by IntLixTaskCreate(), and IntLixTaskCreateFromBinprm().
|
static |
Checks whether a Linux task should be protected or not.
| [in] | Task | The Linux task. |
Definition at line 1142 of file lixprocess.c.
Referenced by IntLixTaskActivateProtection(), and IntLixTaskUpdateProtection().
| void IntLixTaskUninit | ( | void | ) |
Uninitializes the Linux process subsystem.
Definition at line 4570 of file lixprocess.c.
Referenced by IntLixGuestUninit().
| void IntLixTaskUpdateProtection | ( | void | ) |
Adjusts protection for all active Linux processes.
Definition at line 4495 of file lixprocess.c.
Referenced by IntCamiSetProcProtOptions(), and IntGuestUpdateCoreOptions().
Translates the value of a user page global directory to it's corresponding kernel value when KPTI is active.
| [in] | Pgd | The guest physical address of the page global directory. |
Definition at line 887 of file lixprocess.c.
Referenced by IntLixGetKernelCr3().
|
static |
Validates the user mode stack of a process upon an exec() system call.
| [in] | ParentTask | The process that performed the exec(). |
| [in] | CurrentTask | The process that follows to be spawned. |
Definition at line 2910 of file lixprocess.c.
Referenced by IntLixTaskHandleExec().
|
static |
Validates process creation rights (both PC and DPI).
| [in] | ChildTask | The process whose creation this function will check. |
| [in] | ParentTask | The process that attempted to spawn the child process. (via exec() system call) |
| [in] | ObjectType | The rights that this function should validate. (One of introObjectTypeProcessCreation or introObjectTypeProcessCreationDpi) |
| [out] | Action | The action that must be taken. |
| [out] | Reason | The reason for the action. |
Definition at line 2691 of file lixprocess.c.
Referenced by IntLixTaskHandleExec().
| void sanitize_path | ( | char * | path, |
| size_t | len, | ||
| size_t * | new_len | ||
| ) |
Sanitizes an Unix path by removing trailing path delimiters.
| [in] | path | A string containing a Unix path. |
| [in] | len | The length of the path parameter. |
| [out] | new_len | Will contain the new size of the sanitized path. |
Definition at line 146 of file lixprocess.c.
|
static |
The list with all tasks that are currently protected.
Definition at line 79 of file lixprocess.c.
| LIX_TASK_LOG gLixTaskLogLevel |
The global structure controlling linux process logging.
By default, on debug builds everything is logged, while on release builds only protected processes events are logged.
Definition at line 44 of file lixprocess.c.
|
static |
The list with all cached paths.
Definition at line 112 of file lixprocess.c.
|
static |
The list with all tasks inside the guest OS.
Definition at line 74 of file lixprocess.c.
|
static |
The list with all tasks that should be protected.
Definition at line 84 of file lixprocess.c.
|
static |
Linux processes signaling that the guest OS is shutting down.
Definition at line 62 of file lixprocess.c.
Referenced by IntLixTaskGuestTerminating().
|
static |
Definition at line 570 of file lixprocess.c.
Referenced by _IntLixTaskFinishMap(), _IntLixTaskRead(), and _IntLixTaskStartMap().
|
static |
Definition at line 571 of file lixprocess.c.
Referenced by _IntLixTaskFinishMap(), _IntLixTaskRead(), and _IntLixTaskStartMap().
|
static |
Definition at line 572 of file lixprocess.c.
Referenced by _IntLixTaskFinishMap(), and _IntLixTaskRead().
1.8.13