32 IntroGprs->RegRax = ArchRegs->Rax;
33 IntroGprs->RegRcx = ArchRegs->Rcx;
34 IntroGprs->RegRdx = ArchRegs->Rdx;
35 IntroGprs->RegRbx = ArchRegs->Rbx;
36 IntroGprs->RegRsp = ArchRegs->Rsp;
37 IntroGprs->RegRbp = ArchRegs->Rbp;
38 IntroGprs->RegRsi = ArchRegs->Rsi;
39 IntroGprs->RegRdi = ArchRegs->Rdi;
40 IntroGprs->RegR8 = ArchRegs->R8;
41 IntroGprs->RegR9 = ArchRegs->R9;
42 IntroGprs->RegR10 = ArchRegs->R10;
43 IntroGprs->RegR11 = ArchRegs->R11;
44 IntroGprs->RegR12 = ArchRegs->R12;
45 IntroGprs->RegR13 = ArchRegs->R13;
46 IntroGprs->RegR14 = ArchRegs->R14;
47 IntroGprs->RegR15 = ArchRegs->R15;
48 IntroGprs->RegFlags = ArchRegs->Flags;
49 IntroGprs->RegRip = ArchRegs->Rip;
50 IntroGprs->RegCr2 = ArchRegs->Cr2;
51 IntroGprs->RegDr7 = ArchRegs->Dr7;
67 ArchRegs->Rax = IntroGprs->RegRax;
68 ArchRegs->Rcx = IntroGprs->RegRcx;
69 ArchRegs->Rdx = IntroGprs->RegRdx;
70 ArchRegs->Rbx = IntroGprs->RegRbx;
71 ArchRegs->Rsp = IntroGprs->RegRsp;
72 ArchRegs->Rbp = IntroGprs->RegRbp;
73 ArchRegs->Rsi = IntroGprs->RegRsi;
74 ArchRegs->Rdi = IntroGprs->RegRdi;
75 ArchRegs->R8 = IntroGprs->RegR8;
76 ArchRegs->R9 = IntroGprs->RegR9;
77 ArchRegs->R10 = IntroGprs->RegR10;
78 ArchRegs->R11 = IntroGprs->RegR11;
79 ArchRegs->R12 = IntroGprs->RegR12;
80 ArchRegs->R13 = IntroGprs->RegR13;
81 ArchRegs->R14 = IntroGprs->RegR14;
82 ArchRegs->R15 = IntroGprs->RegR15;
83 ArchRegs->Flags = IntroGprs->RegFlags;
84 ArchRegs->Rip = IntroGprs->RegRip;
85 ArchRegs->Cr2 = IntroGprs->RegCr2;
86 ArchRegs->Dr7 = IntroGprs->RegDr7;
103 DWORD offset, csType;
107 offset = ExecNotification->ExecutionData.ExecContext.Registers.RegRip &
PAGE_OFFSET;
109 pPage = ExecNotification->ExecutionData.ExecContext.RipCode;
135 memzero(pEvent,
sizeof(*pEvent));
141 pEvent->
Header.
Action = ExecNotification->Header.RequestedAction;
161 WARNING(
"[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
185 if (NULL == Registers)
190 if (NULL == ExecNotification)
201 ERROR(
"[ERROR] IntGetCurrentMode failed: 0x%08x\n", status);
205 ExecNotification->ExecutionData.Code64 =
IG_CS_TYPE_64B == csType;
234 pExecNotification = NULL;
241 if (NULL == Registers)
246 if (NULL == ExecInfo)
252 if (NULL == pExecNotification)
254 ERROR(
"[ERROR] HpAllocWithTag failed!");
256 goto _cleanup_and_exit;
265 WARNING(
"[WARNING] IntEngFillExecDetails failed: 0x%08x\n", status);
266 goto _cleanup_and_exit;
274 ERROR(
"[ERROR] IntNotifyEngines failed: 0x%08x\n", status);
282 if (pExecNotification)
312 pExecNotification = NULL;
319 if (NULL == Registers)
324 if (NULL == ExecInfo)
330 if (NULL == pExecNotification)
332 ERROR(
"[ERROR] HpAllocWithTag failed!");
334 goto _cleanup_and_exit;
343 WARNING(
"[WARNING] IntEngFillExecDetails failed: 0x%08x\n", status);
344 goto _cleanup_and_exit;
352 ERROR(
"[ERROR] IntNotifyEngines failed: 0x%08x\n", status);
360 if (pExecNotification)
389 goto _cleanup_and_exit;
392 LOG(
"[CODE EXECUTION] [%s] [code execution violation] Process: %s with PID:%u CR3:0x%llx " 393 "and command line:%s has been exploited! Detection name: %s\n",
395 ExecNotification->ExecutionData.Process.ImageName,
396 ExecNotification->ExecutionData.Process.Pid,
397 ExecNotification->ExecutionData.Process.Cr3,
398 strlen_s(ExecNotification->ExecutionData.Process.CmdLine, 512) == 0 ?
399 "N/A" : ExecNotification->ExecutionData.Process.CmdLine,
400 ExecNotification->Header.DetectionName
403 LOG(
"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ MALWARE ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n\n");
410 WARNING(
"[ERROR] IntEngSendExecViolation failed: 0x%08x\n", status);
415 if (ExecNotification)
INTRO_EXEC_CONTEXT ExecContext
The context of the execution.
TIMER_FRIENDLY void IntDumpArchRegs(IG_ARCH_REGS const *Registers)
This function dumps the register values in a user-friendly format.
enum _INTRO_ACTION_REASON INTRO_ACTION_REASON
The reason for which an INTRO_ACTION was taken.
INTRO_EXEC_DATA ExecutionData
Execution information.
static INTSTATUS IntEngSendExecViolation(PENG_NOTIFICATION_CODE_EXEC ExecNotification)
Send an EVENT_ENGINES_DETECTION_VIOLATION event to the integrator (a malicious code execution was detected).
DWORD Index
The VCPU number.
MITRE_ID MitreID
The MITRE ATT&amp;CK technique ID that corresponds to this attack.
#define INT_STATUS_SUCCESS
INTRO_ENG_NOTIF_TYPE Type
The type of the alert.
Holds register state information.
void IntAlertFillWinProcess(const WIN_PROCESS_OBJECT *Process, INTRO_PROCESS *EventProcess)
Saves information about a Windows process inside an alert.
static void IntEngCopyIntroGprsToArchRegs(PINTRO_GPRS IntroGprs, PIG_ARCH_REGS ArchRegs)
Obtains an IG_ARCH_REGS structure from an INTRO_GPRS structure.
static INTSTATUS IntEngFillExecDetails(PIG_ARCH_REGS Registers, PENG_NOTIFICATION_CODE_EXEC ExecNotification)
Fill the execution details inside the ENG_NOTIFICATION_CODE_EXEC structure.
#define INT_SUCCESS(Status)
QWORD Flags
A combination of ALERT_FLAG_* values describing the alert.
Sent for third party engines detections. See EVENT_ENGINES_DETECTION_VIOLATION.
#define HpAllocWithTag(Len, Tag)
int INTSTATUS
The status data type.
INTSTATUS IntHandleExecCallback(PENG_NOTIFICATION_CODE_EXEC ExecNotification)
Handle the code execution scan result provided by the engines.
INTRO_VIOLATION_HEADER Header
The alert header.
INTRO_GUEST_TYPE OSType
The type of the guest.
#define ALERT_MAX_DETECTION_NAME
The maximum size of a detection name as given by a third party scan engine.
QWORD IntAlertProcGetFlags(QWORD ProtectionFlag, const void *Process, INTRO_ACTION_REASON Reason, QWORD AdditionalFlags)
Returns the flags for an alert.
INTRO_ACTION_REASON Reason
The reason for which Action was taken.
Exposes the functions used to schedule an asynchronous code execution scan and receives its result...
INTSTATUS IntGetCurrentMode(DWORD CpuNumber, DWORD *Mode)
Read the current CS type.
GENERIC_ALERT gAlert
Global alert buffer.
INTSTATUS IntLixEngExecSendNotification(LIX_TASK_OBJECT *Task, PIG_ARCH_REGS Registers, PINTRO_EXEC_INFO ExecInfo)
Notify the scan engines about a possible malicious code execution in a Linux guest.
Event structure for detections provided by additional scan engines.
INTSTATUS IntNotifyIntroEvent(INTRO_EVENT_TYPE EventClass, void *Param, size_t EventSize)
Notifies the integrator about an introspection alert.
static void IntEngCopyArchRegsToIntroGprs(PIG_ARCH_REGS ArchRegs, PINTRO_GPRS IntroGprs)
Obtains an INTRO_GPRS structure from an IG_ARCH_REGS structure.
Execution notification for scan engines.
#define HpFreeAndNullWithTag(Add, Tag)
INTSTATUS IntNotifyEngines(void *Parameters)
void IntDumpCode(BYTE *Page, DWORD Offset, IG_CS_TYPE CsType, IG_ARCH_REGS *Registers)
This function dumps an entire page (textual disassembly and opcodes).
INTRO_PROCESS Process
The process in which the execution was attempted.
#define ALERT_FLAG_FROM_ENGINES
If set, the alert was generated due to a third party scan engines detection.
INTSTATUS IntWinEngExecSendNotification(PWIN_PROCESS_OBJECT Process, PIG_ARCH_REGS Registers, PINTRO_EXEC_INFO ExecInfo)
Notify the scan engines about a possible malicious code execution in a Windows guest.
The action was allowed, but it has the BETA flag (Introcore is in log-only mode). ...
GUEST_STATE gGuest
The current guest state.
INTRO_EXEC_INFO StackInfo
Stack information.
Execution attempt result.
static INTSTATUS IntEngDumpCodeAndRegs(PENG_NOTIFICATION_CODE_EXEC ExecNotification)
Dump the malicious code and registers (used when a malicious code execution is detected).
CHAR EnginesVersion[ALERT_MAX_ENGINES_VERSION]
A NULL-terminated string with the scan engines' versions.
CHAR DetectionName[ALERT_MAX_DETECTION_NAME]
A NULL-terminated string with the detection name, as provided by the engines.
INTRO_ACTION Action
The action that was taken as the result of this alert.
Holds the data related to an execution attempt.
Holds information about an execution attempt.
#define INT_STATUS_INVALID_PARAMETER_1
INTRO_PROCESS CurrentProcess
The current process.
VCPU_STATE * gVcpu
The state of the current VCPU.
#define ALERT_MAX_ENGINES_VERSION
The maximum size of the third party scan engines version.
Exploitation for Client Execution.
Describes a guest process.
EVENT_ENGINES_DETECTION_VIOLATION EngineDetection
void IntAlertFillLixProcess(const LIX_TASK_OBJECT *Task, INTRO_PROCESS *EventProcess)
Saves information about a Linux process inside an event.
INTSTATUS IntAlertFillExecContext(QWORD Cr3, INTRO_EXEC_CONTEXT *ExecContext)
Fills the current execution context.
#define INT_STATUS_INVALID_PARAMETER_2
INTRO_EXEC_DATA ExecViolation
Execution context.
This structure describes a running process inside the guest.
#define INT_STATUS_INSUFFICIENT_RESOURCES
#define INT_STATUS_INVALID_PARAMETER_3