Bitdefender Hypervisor Memory Introspection
msr_protection.c
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2020 Bitdefender
3  * SPDX-License-Identifier: Apache-2.0
4  */
5 #include "msr_protection.h"
6 #include "alerts.h"
7 #include "guests.h"
8 #include "hook_msr.h"
9 
10 
11 static BOOLEAN gMsrHookSet;
12 static void *gSysenterEipHook;
13 static void *gSysenterEspHook;
14 static void *gSysenterCsHook;
15 static void *gSyscallLstarHook;
16 static void *gSyscallStarHook;
17 
18 
19 static INTSTATUS
20 IntWinMsrSendAlert(
21  _In_ PEXCEPTION_VICTIM_ZONE Victim,
22  _In_ PEXCEPTION_KM_ORIGINATOR Originator,
23  _In_ INTRO_ACTION Action,
24  _In_ INTRO_ACTION_REASON Reason
25  )
39 {
40  INTSTATUS status;
41  PEVENT_MSR_VIOLATION pMsrViol;
42 
43  pMsrViol = &gAlert.Msr;
44  memzero(pMsrViol, sizeof(*pMsrViol));
45 
46  pMsrViol->Header.Action = Action;
47  pMsrViol->Header.Reason = Reason;
48 
49  pMsrViol->Header.Flags = IntAlertCoreGetFlags(INTRO_OPT_PROT_KM_MSR_SYSCALL, Reason);
50  pMsrViol->Header.MitreID = idRootkit;
51 
52  IntAlertMsrFill(Victim, Originator, pMsrViol);
53 
54  IntAlertFillCpuContext(TRUE, &pMsrViol->Header.CpuContext);
55 
56  IntAlertFillWinProcessByCr3(pMsrViol->Header.CpuContext.Cr3, &pMsrViol->Header.CurrentProcess);
57 
58  IntAlertFillCodeBlocks(Originator->Original.Rip, gGuest.Mm.SystemCr3, FALSE, &pMsrViol->CodeBlocks);
59  IntAlertFillExecContext(gGuest.Mm.SystemCr3, &pMsrViol->ExecContext);
60 
61  IntAlertFillVersionInfo(&pMsrViol->Header);
62 
63  status = IntNotifyIntroEvent(introEventMsrViolation, pMsrViol, sizeof(*pMsrViol));
64  if (!INT_SUCCESS(status))
65  {
66  WARNING("[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
67  }
68 
69  return status;
70 }
71 
72 
73 static INTSTATUS
74 IntLixMsrHandleWrite(
75  _In_ DWORD Msr,
76  _In_ DWORD Flags,
77  _Out_ INTRO_ACTION *Action,
78  _In_opt_ void *Context,
79  _In_opt_ QWORD OriginalValue,
80  _In_opt_ const QWORD *NewValue
81  )
99 {
100  INTSTATUS status;
101  EXCEPTION_VICTIM_ZONE victim;
102  EXCEPTION_KM_ORIGINATOR originator;
103  BOOLEAN exitAfterInformation;
104  INTRO_ACTION_REASON reason;
105 
106  UNREFERENCED_PARAMETER(Flags);
107  UNREFERENCED_PARAMETER(Context);
108 
109  if (NULL == Action)
110  {
111  return INT_STATUS_INVALID_PARAMETER_3;
112  }
113 
114  if (NULL == NewValue)
115  {
116  return INT_STATUS_INVALID_PARAMETER_6;
117  }
118 
119  // If the MSR is sysenter/syscall MSR, and the OldValue is zero, we allow the write.
120  if (((Msr == IG_IA32_SYSENTER_CS) || (Msr == IG_IA32_SYSENTER_EIP) ||
121  (Msr == IG_IA32_SYSENTER_ESP) || (Msr == IG_IA32_STAR) || (Msr == IG_IA32_LSTAR)) &&
122  (0 == OriginalValue))
123  {
124  *Action = introGuestAllowed;
125  return INT_STATUS_SUCCESS;
126  }
127 
128  // If the same value is written again in the MSR, we're done.
129  if (OriginalValue == *NewValue)
130  {
131  *Action = introGuestAllowed;
132  return INT_STATUS_SUCCESS;
133  }
134 
135  STATS_ENTER(statsExceptionsKern);
136 
137  *Action = introGuestNotAllowed;
138  reason = introReasonUnknown;
139  exitAfterInformation = FALSE;
140 
141  memzero(&originator, sizeof(originator));
142  memzero(&victim, sizeof(victim));
143 
144  status = IntExceptKernelGetOriginator(&originator, 0);
145  if (status == INT_STATUS_EXCEPTION_BLOCK)
146  {
147  reason = introReasonNoException;
148  exitAfterInformation = TRUE;
149  }
150  else if (!INT_SUCCESS(status))
151  {
152  reason = introReasonInternalError;
153  ERROR("[ERROR] Failed getting originator: 0x%08x\n", status);
154  exitAfterInformation = TRUE;
155  }
156 
157  status = IntExceptGetVictimMsr(*NewValue, OriginalValue, Msr, &victim);
158  if (!INT_SUCCESS(status))
159  {
160  reason = introReasonInternalError;
161  ERROR("[ERROR] Failed getting zone details: 0x%08x\n", status);
162  exitAfterInformation = TRUE;
163  }
164 
165  if (exitAfterInformation)
166  {
167  IntExceptKernelLogInformation(&victim, &originator, *Action, reason);
168  }
169  else
170  {
171  IntExcept(&victim, &originator, exceptionTypeKm, Action, &reason, introEventMsrViolation);
172  }
173 
174  STATS_EXIT(statsExceptionsKern);
175 
176  if (IntPolicyCoreTakeAction(INTRO_OPT_PROT_KM_MSR_SYSCALL, Action, &reason))
177  {
178  EVENT_MSR_VIOLATION *pMsrViol = &gAlert.Msr;
179 
180  memzero(pMsrViol, sizeof(*pMsrViol));
181 
182  pMsrViol->Header.Action = *Action;
183  pMsrViol->Header.Reason = reason;
184 
185  IntAlertFillCpuContext(TRUE, &pMsrViol->Header.CpuContext);
186 
187  pMsrViol->Header.Flags = IntAlertCoreGetFlags(INTRO_OPT_PROT_KM_MSR_SYSCALL, reason);
188  pMsrViol->Header.MitreID = idRootkit;
189 
190  IntAlertFillLixCurrentProcess(&pMsrViol->Header.CurrentProcess);
191 
192  IntAlertFillLixKmModule(originator.Original.Driver, &pMsrViol->Originator.Module);
193  IntAlertFillLixKmModule(originator.Return.Driver, &pMsrViol->Originator.ReturnModule);
194 
195  pMsrViol->Victim.Msr = Msr;
196 
197  pMsrViol->WriteInfo.NewValue[0] = *NewValue;
198  pMsrViol->WriteInfo.OldValue[0] = OriginalValue;
199 
200  IntAlertFillVersionInfo(&pMsrViol->Header);
201 
202  IntAlertFillCodeBlocks(originator.Original.Rip, gGuest.Mm.SystemCr3, FALSE, &pMsrViol->CodeBlocks);
203  IntAlertFillExecContext(gGuest.Mm.SystemCr3, &pMsrViol->ExecContext);
204 
205  status = IntNotifyIntroEvent(introEventMsrViolation, pMsrViol, sizeof(*pMsrViol));
206  if (!INT_SUCCESS(status))
207  {
208  WARNING("[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
209  }
210  }
211 
212  IntPolicyCoreForceBetaIfNeeded(INTRO_OPT_PROT_KM_MSR_SYSCALL, Action);
213 
214  return INT_STATUS_SUCCESS;
215 }
216 
217 
218 static INTSTATUS
219 IntWinMsrHandleWrite(
220  _In_ DWORD Msr,
221  _In_ DWORD Flags,
222  _Out_ INTRO_ACTION *Action,
223  _In_opt_ void *Context,
224  _In_opt_ QWORD OriginalValue,
225  _In_opt_ const QWORD *NewValue
226  )
244 {
245  INTSTATUS status;
246  EXCEPTION_VICTIM_ZONE victim;
247  EXCEPTION_KM_ORIGINATOR originator;
248  BOOLEAN exitAfterInformation;
249  INTRO_ACTION_REASON reason;
250 
251  UNREFERENCED_PARAMETER(Flags);
252  UNREFERENCED_PARAMETER(Context);
253 
254  if (NULL == Action)
255  {
256  return INT_STATUS_INVALID_PARAMETER_3;
257  }
258 
259  if (NULL == NewValue)
260  {
261  return INT_STATUS_INVALID_PARAMETER_6;
262  }
263 
264  // LAN: If the MSR is sysenter/syscall MSR, and the OldValue is zero, we allow the write.
265  if (((Msr == IG_IA32_SYSENTER_CS) || (Msr == IG_IA32_SYSENTER_EIP) ||
266  (Msr == IG_IA32_SYSENTER_ESP) || (Msr == IG_IA32_STAR) || (Msr == IG_IA32_LSTAR)) &&
267  (0 == OriginalValue))
268  {
269  *Action = introGuestAllowed;
270  return INT_STATUS_SUCCESS;
271  }
272 
273  // If the same value is written again in the MSR, we're done.
274  if (OriginalValue == *NewValue)
275  {
276  *Action = introGuestAllowed;
277  return INT_STATUS_SUCCESS;
278  }
279 
280  STATS_ENTER(statsExceptionsKern);
281 
282  memzero(&victim, sizeof(victim));
283  memzero(&originator, sizeof(originator));
284 
285  // By default we do not allow this
286  *Action = introGuestNotAllowed;
287  reason = introReasonUnknown;
288  exitAfterInformation = FALSE;
289 
290  status = IntExceptKernelGetOriginator(&originator, 0);
291  if (status == INT_STATUS_EXCEPTION_BLOCK)
292  {
293  reason = introReasonNoException;
294  exitAfterInformation = TRUE;
295  }
296  else if (!INT_SUCCESS(status))
297  {
298  reason = introReasonInternalError;
299  ERROR("[ERROR] Failed getting originator: 0x%08x\n", status);
300  exitAfterInformation = TRUE;
301  }
302 
303  status = IntExceptGetVictimMsr(*NewValue, OriginalValue, Msr, &victim);
304  if (!INT_SUCCESS(status))
305  {
306  reason = introReasonInternalError;
307  ERROR("[ERROR] Failed getting zone details: 0x%08x\n", status);
308  exitAfterInformation = TRUE;
309  }
310 
311  if (exitAfterInformation)
312  {
313  IntExceptKernelLogInformation(&victim, &originator, *Action, reason);
314  }
315  else
316  {
317  IntExcept(&victim, &originator, exceptionTypeKm, Action, &reason, introEventMsrViolation);
318  }
319 
320  STATS_EXIT(statsExceptionsKern);
321 
322  if (IntPolicyCoreTakeAction(INTRO_OPT_PROT_KM_MSR_SYSCALL, Action, &reason))
323  {
324  IntWinMsrSendAlert(&victim, &originator, *Action, reason);
325  }
326 
327  IntPolicyCoreForceBetaIfNeeded(INTRO_OPT_PROT_KM_MSR_SYSCALL, Action);
328 
329  return status;
330 }
331 
332 
333 INTSTATUS
334 IntMsrSyscallProtect(
335  void
336  )
343 {
344  INTSTATUS status;
345  BOOLEAN hookX64Msrs, hookX86Msrs;
346  PFUNC_MsrReadWriteHookCallback pCallback;
347 
348  if (gMsrHookSet)
349  {
350  return INT_STATUS_ALREADY_INITIALIZED_HINT;
351  }
352 
353  if (gGuest.OSType == introGuestWindows)
354  {
355  hookX64Msrs = gGuest.Guest64;
356  hookX86Msrs = !hookX64Msrs;
357 
358  pCallback = IntWinMsrHandleWrite;
359  }
360  else
361  {
362  hookX64Msrs = hookX86Msrs = TRUE;
363 
364  pCallback = IntLixMsrHandleWrite;
365  }
366 
367  if (hookX86Msrs)
368  {
369  TRACE("[MSR] Adding protection on MSR IA32_SYSENTER_EIP...\n");
370 
371  status = IntHookMsrSetHook(IG_IA32_SYSENTER_EIP, IG_MSR_HOOK_WRITE, pCallback, NULL, &gSysenterEipHook);
372  if (!INT_SUCCESS(status))
373  {
374  ERROR("[ERROR] Failed hooking the MSR!\n");
375  return status;
376  }
377 
378 
379  TRACE("[MSR] Adding protection on MSR IA32_SYSENTER_ESP...\n");
380 
381  status = IntHookMsrSetHook(IG_IA32_SYSENTER_ESP, IG_MSR_HOOK_WRITE, pCallback, NULL, &gSysenterEspHook);
382  if (!INT_SUCCESS(status))
383  {
384  ERROR("[ERROR] Failed hooking the MSR!\n");
385  return status;
386  }
387 
388 
389  TRACE("[MSR] Adding protection on MSR IA32_SYSENTER_CS...\n");
390 
391  status = IntHookMsrSetHook(IG_IA32_SYSENTER_CS, IG_MSR_HOOK_WRITE, pCallback, NULL, &gSysenterCsHook);
392  if (!INT_SUCCESS(status))
393  {
394  ERROR("[ERROR] Failed hooking the MSR!\n");
395  return status;
396  }
397  }
398 
399  if (hookX64Msrs)
400  {
401  TRACE("[MSR] Adding protection on MSR IA32_STAR...\n");
402 
403  status = IntHookMsrSetHook(IG_IA32_STAR, IG_MSR_HOOK_WRITE, pCallback, NULL, &gSyscallStarHook);
404  if (!INT_SUCCESS(status))
405  {
406  ERROR("[ERROR] Failed hooking the MSR!\n");
407  return status;
408  }
409 
410  TRACE("[MSR] Adding protection on MSR IA32_LSTAR...\n");
411 
412  status = IntHookMsrSetHook(IG_IA32_LSTAR, IG_MSR_HOOK_WRITE, pCallback, NULL, &gSyscallLstarHook);
413  if (!INT_SUCCESS(status))
414  {
415  ERROR("[ERROR] Failed hooking the MSR!\n");
416  return status;
417  }
418  }
419 
420  gMsrHookSet = TRUE;
421 
422  return INT_STATUS_SUCCESS;
423 }
424 
425 
426 INTSTATUS
427 IntMsrSyscallUnprotect(
428  void
429  )
436 {
437  if (!gMsrHookSet)
438  {
439  return INT_STATUS_NOT_NEEDED_HINT;
440  }
441 
442  if (NULL != gSyscallLstarHook)
443  {
444  TRACE("[MSR] Removing protection on MSR IA32_LSTAR...\n");
445 
446  IntHookMsrRemoveHook(gSyscallLstarHook);
447 
448  gSyscallLstarHook = NULL;
449  }
450 
451  if (NULL != gSyscallStarHook)
452  {
453  TRACE("[MSR] Removing protection on MSR IA32_STAR...\n");
454 
455  IntHookMsrRemoveHook(gSyscallStarHook);
456 
457  gSyscallStarHook = NULL;
458  }
459 
460  if (NULL != gSysenterCsHook)
461  {
462  TRACE("[MSR] Removing protection on MSR IA32_SYSENTER_CS...\n");
463 
464  IntHookMsrRemoveHook(gSysenterCsHook);
465 
466  gSysenterCsHook = NULL;
467  }
468 
469  if (NULL != gSysenterEipHook)
470  {
471  TRACE("[MSR] Removing protection on MSR IA32_SYSENTER_Eip...\n");
472 
473  IntHookMsrRemoveHook(gSysenterEipHook);
474 
475  gSysenterEipHook = NULL;
476  }
477 
478  if (NULL != gSysenterEspHook)
479  {
480  TRACE("[MSR] Removing protection on MSR IA32_SYSENTER_ESP...\n");
481 
482  IntHookMsrRemoveHook(gSysenterEspHook);
483 
484  gSysenterEspHook = NULL;
485  }
486 
487  gMsrHookSet = FALSE;
488 
489  return INT_STATUS_SUCCESS;
490 }
statsExceptionsKern
Measures kernel mode exceptions checks.
Definition: stats.h:51
_In_opt_
#define _In_opt_
Definition: intro_sal.h:16
hook_msr.h
INTRO_ACTION_REASON
enum _INTRO_ACTION_REASON INTRO_ACTION_REASON
The reason for which an INTRO_ACTION was taken.
_Out_
#define _Out_
Definition: intro_sal.h:22
BOOLEAN
_Bool BOOLEAN
Definition: intro_types.h:58
IG_IA32_SYSENTER_ESP
#define IG_IA32_SYSENTER_ESP
Definition: glueiface.h:139
IntAlertCoreGetFlags
QWORD IntAlertCoreGetFlags(QWORD ProtectionFlag, INTRO_ACTION_REASON Reason)
Returns the flags for an alert.
Definition: alerts.c:366
introReasonInternalError
An internal error occurred (no memory, pages not present, etc.).
Definition: intro_types.h:195
IntPolicyCoreForceBetaIfNeeded
BOOLEAN IntPolicyCoreForceBetaIfNeeded(QWORD Flag, INTRO_ACTION *Action)
Checks if a forced action should be taken even if the log-only mode is active.
Definition: introcore.c:2803
_In_
#define _In_
Definition: intro_sal.h:21
_INTRO_VIOLATION_HEADER::MitreID
MITRE_ID MitreID
The Mitre ID that corresponds to this attack.
Definition: intro_types.h:1199
IG_MSR_HOOK_WRITE
Write access.
Definition: glueiface.h:174
_MM::SystemCr3
QWORD SystemCr3
The Cr3 used to map the kernel.
Definition: guests.h:211
INT_STATUS_SUCCESS
#define INT_STATUS_SUCCESS
Definition: introstatus.h:54
IntPolicyCoreTakeAction
BOOLEAN IntPolicyCoreTakeAction(QWORD Flag, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason)
Returns the action that should be taken for a core introspection option.
Definition: introcore.c:2693
_INTRO_WRITE_INFO::NewValue
QWORD NewValue[8]
The written value. Only the first Size bytes are valid.
Definition: intro_types.h:981
STATS_EXIT
#define STATS_EXIT(id)
Definition: stats.h:160
IntAlertMsrFill
void IntAlertMsrFill(const EXCEPTION_VICTIM_ZONE *Victim, const EXCEPTION_KM_ORIGINATOR *Originator, EVENT_MSR_VIOLATION *MsrViolation)
Saves information about a MSR write attempt in an event.
Definition: alerts.c:1150
introGuestNotAllowed
Definition: intro_types.h:164
_EVENT_MSR_VIOLATION::ReturnModule
INTRO_MODULE ReturnModule
The module to which the current code return to.
Definition: intro_types.h:1326
INT_SUCCESS
#define INT_SUCCESS(Status)
Definition: introstatus.h:42
_INTRO_VIOLATION_HEADER::Flags
QWORD Flags
A combination of ALERT_FLAG_* values describing the alert.
Definition: intro_types.h:1198
gSysenterEspHook
static void * gSysenterEspHook
IA32_SYSENTER_ESP hook.
Definition: msr_protection.c:13
IG_IA32_SYSENTER_EIP
#define IG_IA32_SYSENTER_EIP
Definition: glueiface.h:140
INT_STATUS_NOT_NEEDED_HINT
#define INT_STATUS_NOT_NEEDED_HINT
Definition: introstatus.h:317
ERROR
#define ERROR(fmt,...)
Definition: glue.h:62
_EXCEPTION_KM_ORIGINATOR::Driver
KERNEL_DRIVER * Driver
The driver that's modifying the memory.
Definition: exceptions.h:949
INTSTATUS
int INTSTATUS
The status data type.
Definition: introstatus.h:24
IntMsrSyscallUnprotect
INTSTATUS IntMsrSyscallUnprotect(void)
Remove protection from all protected MSRs.
Definition: msr_protection.c:427
_EVENT_MSR_VIOLATION::ExecContext
INTRO_EXEC_CONTEXT ExecContext
Information about the instruction that triggered the alert.
Definition: intro_types.h:1339
gMsrHookSet
static BOOLEAN gMsrHookSet
True if the SYSCALL/SYSENTER MSRs are protected.
Definition: msr_protection.c:11
idRootkit
Rootkit.
Definition: intro_types.h:1144
_EXCEPTION_KM_ORIGINATOR
Describes a kernel-mode originator.
Definition: exceptions.h:943
gSysenterEipHook
static void * gSysenterEipHook
IA32_SYSENTER_EIP hook.
Definition: msr_protection.c:12
_GUEST_STATE::OSType
INTRO_GUEST_TYPE OSType
The type of the guest.
Definition: guests.h:278
IntAlertFillCpuContext
void IntAlertFillCpuContext(BOOLEAN CopyInstruction, INTRO_CPUCTX *CpuContext)
Fills the current CPU context for an alert.
Definition: alerts.c:492
_EXCEPTION_KM_ORIGINATOR::Return
struct _EXCEPTION_KM_ORIGINATOR::@63 Return
IntAlertFillVersionInfo
void IntAlertFillVersionInfo(INTRO_VIOLATION_HEADER *Header)
Fills version information for an alert.
Definition: alerts.c:327
_EVENT_MSR_VIOLATION::Originator
struct _EVENT_MSR_VIOLATION::@291 Originator
gSysenterCsHook
static void * gSysenterCsHook
IA32_SYSENTER_CS hook.
Definition: msr_protection.c:14
INTRO_OPT_PROT_KM_MSR_SYSCALL
#define INTRO_OPT_PROT_KM_MSR_SYSCALL
Definition: intro_types.h:427
_INTRO_VIOLATION_HEADER::Reason
INTRO_ACTION_REASON Reason
The reason for which Action was taken.
Definition: intro_types.h:1195
IntAlertFillCodeBlocks
INTSTATUS IntAlertFillCodeBlocks(QWORD Rip, QWORD Cr3, BOOLEAN Execute, INTRO_CODEBLOCKS *CodeBlocks)
Fills the code blocks pattern for an alert.
Definition: alerts.c:71
IntWinMsrSendAlert
static INTSTATUS IntWinMsrSendAlert(PEXCEPTION_VICTIM_ZONE Victim, PEXCEPTION_KM_ORIGINATOR Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason)
Send an MSR alert.
Definition: msr_protection.c:20
gSyscallStarHook
static void * gSyscallStarHook
IA32_STAR hook.
Definition: msr_protection.c:16
gAlert
GENERIC_ALERT gAlert
Global alert buffer.
Definition: alerts.c:27
IntAlertFillLixKmModule
void IntAlertFillLixKmModule(const KERNEL_DRIVER *Driver, INTRO_MODULE *EventModule)
Saves information about a kernel module inside an alert.
Definition: alerts.c:1235
_EVENT_MSR_VIOLATION::CodeBlocks
INTRO_CODEBLOCKS CodeBlocks
Code blocks extracted for the alert.
Definition: intro_types.h:1337
INT_STATUS_EXCEPTION_BLOCK
#define INT_STATUS_EXCEPTION_BLOCK
Definition: introstatus.h:421
STATS_ENTER
#define STATS_ENTER(id)
Definition: stats.h:153
_INTRO_VIOLATION_HEADER::CpuContext
INTRO_CPUCTX CpuContext
The context of the CPU that triggered the alert.
Definition: intro_types.h:1196
IntNotifyIntroEvent
INTSTATUS IntNotifyIntroEvent(INTRO_EVENT_TYPE EventClass, void *Param, size_t EventSize)
Notifies the integrator about an introspection alert.
Definition: glue.c:1042
memzero
#define memzero(a, s)
Definition: introcrt.h:35
_EVENT_MSR_VIOLATION
Event structure for MSR violation.
Definition: intro_types.h:1316
_GUEST_STATE::Guest64
BOOLEAN Guest64
True if this is a 64-bit guest, False if it is a 32-bit guest.
Definition: guests.h:290
QWORD
unsigned long long QWORD
Definition: intro_types.h:53
IG_IA32_STAR
#define IG_IA32_STAR
Definition: glueiface.h:145
TRUE
#define TRUE
Definition: intro_types.h:30
IntExceptGetVictimMsr
INTSTATUS IntExceptGetVictimMsr(QWORD NewValue, QWORD OldValue, DWORD Msr, EXCEPTION_VICTIM_ZONE *Victim)
This function is used to get the information about the MSR victim.
Definition: exceptions_kern.c:2815
gSyscallLstarHook
static void * gSyscallLstarHook
IA32_LSTAR hook.
Definition: msr_protection.c:15
TRACE
#define TRACE(fmt,...)
Definition: glue.h:58
IntExceptKernelLogInformation
void IntExceptKernelLogInformation(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason)
Print the information about a kernel-mode violation and dumps the code-blocks.
Definition: exceptions_kern.c:2032
exceptionTypeKm
Kernel-mode exception.
Definition: exceptions.h:61
IG_IA32_LSTAR
#define IG_IA32_LSTAR
Definition: glueiface.h:146
introGuestWindows
Windows.
Definition: intro_types.h:2043
IntHookMsrRemoveHook
INTSTATUS IntHookMsrRemoveHook(HOOK_MSR *Hook)
Remove a model specific register hook.
Definition: hook_msr.c:138
INT_STATUS_ALREADY_INITIALIZED_HINT
#define INT_STATUS_ALREADY_INITIALIZED_HINT
Definition: introstatus.h:323
IntWinMsrHandleWrite
static INTSTATUS IntWinMsrHandleWrite(DWORD Msr, DWORD Flags, INTRO_ACTION *Action, void *Context, QWORD OriginalValue, const QWORD *NewValue)
Handles a model specific register write attempt done by a Windows guest.
Definition: msr_protection.c:219
_EVENT_MSR_VIOLATION::Module
INTRO_MODULE Module
The module that did the malicious access.
Definition: intro_types.h:1325
WARNING
#define WARNING(fmt,...)
Definition: glue.h:60
_EXCEPTION_VICTIM_ZONE
Describes the modified zone.
Definition: exceptions.h:893
UNREFERENCED_PARAMETER
#define UNREFERENCED_PARAMETER(P)
Definition: introdefs.h:29
_GENERIC_ALERT::Msr
EVENT_MSR_VIOLATION Msr
Definition: alerts.h:17
DWORD
uint32_t DWORD
Definition: intro_types.h:49
INT_STATUS_INVALID_PARAMETER_6
#define INT_STATUS_INVALID_PARAMETER_6
Definition: introstatus.h:77
INTRO_ACTION
enum _INTRO_ACTION INTRO_ACTION
Event actions.
_EXCEPTION_KM_ORIGINATOR::Rip
QWORD Rip
The RIP from where the call to the exported function came.
Definition: exceptions.h:950
_INTRO_WRITE_INFO::OldValue
QWORD OldValue[8]
The original value. Only the first Size bytes are valid.
Definition: intro_types.h:980
IntHookMsrSetHook
INTSTATUS IntHookMsrSetHook(DWORD Msr, DWORD Flags, PFUNC_MsrReadWriteHookCallback Callback, void *Context, void **Hook)
Set a model-specific register write hook.
Definition: hook_msr.c:11
introReasonUnknown
Definition: intro_types.h:224
_INTRO_CPUCTX::Cr3
QWORD Cr3
The value of the guest CR3 register when the event was generated.
Definition: intro_types.h:970
_GUEST_STATE::Mm
MM Mm
Guest memory information, such as paging mode, system Cr3 value, etc.
Definition: guests.h:374
gGuest
GUEST_STATE gGuest
The current guest state.
Definition: guests.c:50
IntAlertFillWinProcessByCr3
void IntAlertFillWinProcessByCr3(QWORD ProcessCr3, INTRO_PROCESS *EventProcess)
Saves information about a Windows process inside an alert. The process is searched by its kernel CR3...
Definition: alerts.c:756
introGuestAllowed
Definition: intro_types.h:149
IntMsrSyscallProtect
INTSTATUS IntMsrSyscallProtect(void)
Enable protection for all SYSCALL and SYSENTER MSRs.
Definition: msr_protection.c:334
PFUNC_MsrReadWriteHookCallback
INTSTATUS(* PFUNC_MsrReadWriteHookCallback)(DWORD Msr, DWORD Flags, INTRO_ACTION *Action, void *Context, QWORD OriginalValue, QWORD *NewValue)
Model specific register access callback.
Definition: hook_msr.h:23
_EXCEPTION_KM_ORIGINATOR::Original
struct _EXCEPTION_KM_ORIGINATOR::@64 Original
IntLixMsrHandleWrite
static INTSTATUS IntLixMsrHandleWrite(DWORD Msr, DWORD Flags, INTRO_ACTION *Action, void *Context, QWORD OriginalValue, const QWORD *NewValue)
Handles a model specific register write attempt done by a Linux guest.
Definition: msr_protection.c:74
_INTRO_VIOLATION_HEADER::Action
INTRO_ACTION Action
The action that was taken as the result of this alert.
Definition: intro_types.h:1194
_EVENT_MSR_VIOLATION::Victim
union _EVENT_MSR_VIOLATION::@292 Victim
_INTRO_VIOLATION_HEADER::CurrentProcess
INTRO_PROCESS CurrentProcess
The current process.
Definition: intro_types.h:1197
_EVENT_MSR_VIOLATION::Header
INTRO_VIOLATION_HEADER Header
The alert header.
Definition: intro_types.h:1318
introReasonNoException
The action was blocked because there was no exception for it.
Definition: intro_types.h:189
_EVENT_MSR_VIOLATION::Msr
DWORD Msr
The ID of the MSR as defined by the Intel documentation.
Definition: intro_types.h:1331
introEventMsrViolation
Sent when a MSR violation triggers an alert.See EVENT_MSR_VIOLATION.
Definition: intro_types.h:86
IntAlertFillLixCurrentProcess
void IntAlertFillLixCurrentProcess(INTRO_PROCESS *EventProcess)
Saves the current Linux process inside an event.
Definition: alerts.c:1310
IntExceptKernelGetOriginator
INTSTATUS IntExceptKernelGetOriginator(EXCEPTION_KM_ORIGINATOR *Originator, DWORD Options)
This function is used to get the information about the kernel-mode originator.
Definition: exceptions_kern.c:2520
IntAlertFillExecContext
INTSTATUS IntAlertFillExecContext(QWORD Cr3, INTRO_EXEC_CONTEXT *ExecContext)
Fills the current execution context.
Definition: alerts.c:31
IG_IA32_SYSENTER_CS
#define IG_IA32_SYSENTER_CS
Definition: glueiface.h:138
msr_protection.h
IntExcept
void IntExcept(EXCEPTION_VICTIM_ZONE *Victim, void *Originator, EXCEPTION_TYPE Type, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason, INTRO_EVENT_TYPE EventClass)
This function is the entry point for the exception mechanism.
Definition: exceptions.c:3357
_EVENT_MSR_VIOLATION::WriteInfo
INTRO_WRITE_INFO WriteInfo
The original value of the MSR and the value that the guest tried to write.
Definition: intro_types.h:1335
FALSE
#define FALSE
Definition: intro_types.h:34
INT_STATUS_INVALID_PARAMETER_3
#define INT_STATUS_INVALID_PARAMETER_3
Definition: introstatus.h:68