56 #define for_each_slack(_var_name) list_for_each(gSlackAllocations, SLACK_SPACE, _var_name) 79 memzero(pEvent,
sizeof(*pEvent));
116 WARNING(
"[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
169 BYTE *moduleBuffer = NULL;
170 DWORD bufferSize = 0;
182 ERROR(
"[ERROR] IntPeValidateHeader failed with status: 0x%08x\n", status);
203 ERROR(
"[ERROR] Failed reading IMAGE_SECTION_HEADER %d for module 0x%016llx: 0x%08x\n",
204 i, ModuleBase, status);
209 if ((0 != SecHint) && (0 != memcmp(&SecHint, sec.
Name, 8)))
225 if ((memcmp(sec.
Name,
"INITKDBG", 8) == 0))
239 DWORD totalUsedSpace;
249 if ((pSlack->Windows.Section == i) && (pSlack->ModuleBase == ModuleBase))
251 if (pSlack->Windows.SectionOffset > maxOffset)
253 maxOffset = pSlack->Windows.SectionOffset;
255 totalUsedSpace = maxOffset - sec.
Misc.
VirtualSize + pSlack->AllocationSize;
261 if (totalSpace - totalUsedSpace >= Size)
277 ERROR(
"[ERROR] IntKernVirtMemRead failed GVA 0x%016llx: 0x%08x\n", gva, status);
281 for (j = 0; j < Size; j++)
287 ERROR(
"[ERROR] Slack buffer not 0-filled! 0x%016llx\n", gva + j);
302 TRACE(
"[SLACK] Found %d bytes of space, used %d bytes, in section %d, " 303 "at offset %08x in module 0x%016llx\n", totalSpace, totalUsedSpace, i,
316 *Buffer = pSlack->
Gva;
378 ERROR(
"[ERROR] IntVirtMemMap failed for %llx: 0x%08x\n", gva, status);
382 for (
DWORD offset = 0; offset < maxOffset; offset++)
387 while (offset < maxOffset && (p[offset] != opcode))
397 while ((foundSize < Size) && (p[offset + foundSize] == opcode))
402 if (foundSize == Size)
411 pSlack->
Gva = gva + offset;
415 TRACE(
"[SLACK] Found %d bytes of space at 0x%016llx\n", foundSize, pSlack->
Gva);
419 *Buffer = pSlack->
Gva;
521 if (pSlack->Gva == Buffer)
#define IMAGE_SCN_MEM_EXECUTE
#define CONTAINING_RECORD(List, Type, Member)
INTSTATUS IntVirtMemUnmap(void **HostPtr)
Unmaps a memory range previously mapped with IntVirtMemMap.
INTSTATUS IntSlackFree(QWORD Buffer)
Free slack space.
DWORD Size
The size of the access.
WINDOWS_GUEST * gWinGuest
Global variable holding the state of a Windows guest.
MITRE_ID MitreID
The Mitre ID that corresponds to this attack.
QWORD SystemCr3
The Cr3 used to map the kernel.
#define INT_STATUS_SUCCESS
#define PAGE_REMAINING(addr)
QWORD NewValue[8]
The written value. Only the first Size bytes are valid.
Event structure for integrity violations on monitored structures.
DWORD AllocationSize
The number of bytes allocated.
#define IMAGE_SCN_MEM_WRITE
#define INT_SUCCESS(Status)
static BOOLEAN IsListEmpty(const LIST_ENTRY *ListHead)
#define for_each_slack(_var_name)
QWORD Flags
A combination of ALERT_FLAG_* values describing the alert.
QWORD SectionOffset
Offset of the first section header.
The action was not allowed because there was no reason to allow it.
struct _EVENT_INTEGRITY_VIOLATION::@304 Victim
DWORD SectionOffset
The offset inside the section of the allocation.
#define HpAllocWithTag(Len, Tag)
int INTSTATUS
The status data type.
#define INT_STATUS_NOT_FOUND
void IntSlackUninit(void)
Uninitializes the slack system. Must be called only during uninitialization.
INTRO_GUEST_TYPE OSType
The type of the guest.
void IntAlertFillCpuContext(BOOLEAN CopyInstruction, INTRO_CPUCTX *CpuContext)
Fills the current CPU context for an alert.
struct _SLACK_SPACE * PSLACK_SPACE
struct _SLACK_SPACE SLACK_SPACE
Describes a kernel driver.
void IntAlertFillVersionInfo(INTRO_VIOLATION_HEADER *Header)
Fills version information for an alert.
INTRO_ACTION_REASON Reason
The reason for which Action was taken.
GENERIC_ALERT gAlert
Global alert buffer.
void IntAlertFillLixKmModule(const KERNEL_DRIVER *Driver, INTRO_MODULE *EventModule)
Saves information about a kernel module inside an alert.
DWORD Size
The size of the modified memory area.
static INTSTATUS IntSlackSendIntegrityAlert(QWORD VirtualAddress, DWORD Size, BYTE Value)
Sends an integrity alert if the slack buffer is not 0-filled/NOP-filled.
INTRO_CPUCTX CpuContext
The context of the CPU that triggered the alert.
INTSTATUS IntNotifyIntroEvent(INTRO_EVENT_TYPE EventClass, void *Param, size_t EventSize)
Notifies the integrator about an introspection alert.
QWORD Gva
The guest virtual address of the actual allocation.
static BOOLEAN RemoveEntryList(LIST_ENTRY *Entry)
INTRO_MODULE Module
The module that modified the monitored region.
QWORD VirtualAddress
The guest virtual address which was modified.
#define INT_STATUS_INVALID_PARAMETER_4
INTRO_VIOLATION_HEADER Header
The alert header.
QWORD NumberOfSections
Number of sections.
#define LIX_FIELD(Structure, Field)
Macro used to access fields inside the LIX_OPAQUE_FIELDS structure.
TIMER_FRIENDLY void IntDumpBuffer(const void *Buffer, QWORD Gva, DWORD Length, DWORD RowLength, DWORD ElementLength, BOOLEAN LogHeader, BOOLEAN DumpAscii)
This function dumps a given buffer in a user-friendly format.
#define HpFreeAndNullWithTag(Add, Tag)
INTSTATUS IntSlackAlloc(QWORD ModuleBase, BOOLEAN Pageable, DWORD Size, QWORD *Buffer, QWORD SecHint)
Allocate slack inside the guest.
QWORD KernelVa
The guest virtual address of the kernel image.
union _IMAGE_SECTION_HEADER::@214 Misc
static void InsertTailList(LIST_ENTRY *ListHead, LIST_ENTRY *Entry)
#define ALERT_FLAG_NOT_RING0
If set, the alert was triggered in ring 1, 2 or 3.
DWORD AllocationOffset
The allocation offset, within the last page of the section.
QWORD ModuleBase
The module base used for the allocation.
DWORD KernelBufferSize
The size of the KernelBuffer.
static LIST_HEAD gSlackAllocations
static INTSTATUS IntSlackAllocLinux(DWORD Size, QWORD *Buffer)
Allocate slack space on Linux.
INTSTATUS IntPeValidateHeader(QWORD ImageBase, BYTE *ImageBaseBuffer, DWORD ImageBaseBufferSize, INTRO_PE_INFO *PeInfo, QWORD Cr3)
Validates a PE header.
BOOLEAN Valid
Set to True if the information in the structure is valid, False otherwise.
DWORD SectionSize
The size of the section.
INTRO_WRITE_INFO WriteInfo
__must_check INTSTATUS IntVirtMemMap(QWORD Gva, DWORD Length, QWORD Cr3, DWORD Flags, void **HostPtr)
Maps a guest virtual memory range inside Introcore virtual address space.
struct _SLACK_SPACE::@273::@275 Windows
MM Mm
Guest memory information, such as paging mode, system Cr3 value, etc.
GUEST_STATE gGuest
The current guest state.
The slack space is not 0-filled/NOP-filled.
#define IMAGE_SCN_MEM_DISCARDABLE
EVENT_INTEGRITY_VIOLATION Integrity
struct _EVENT_INTEGRITY_VIOLATION::@302 Originator
INTRO_ACTION Action
The action that was taken as the result of this alert.
INTSTATUS IntKernVirtMemRead(QWORD KernelGva, DWORD Length, void *Buffer, DWORD *RetLength)
Reads data from a guest kernel virtual memory range.
KERNEL_DRIVER * IntDriverFindByAddress(QWORD Gva)
Returns the driver in which Gva resides.
QWORD BaseAddress
The guest virtual address at which the monitored integrity region starts.
#define LIST_HEAD_INIT(Name)
BYTE * KernelBuffer
A buffer containing the entire kernel image.
#define INT_STATUS_INVALID_PARAMETER_1
#define INT_STATUS_NOT_SUPPORTED
struct _LIST_ENTRY * Blink
UINT8 Name[IMAGE_SIZEOF_SHORT_NAME]
Sent for integrity violation alerts. See EVENT_INTEGRITY_VIOLATION.
static INTSTATUS IntSlackAllocWindows(BOOLEAN Pageable, QWORD ModuleBase, DWORD Size, QWORD *Buffer, QWORD SecHint)
Allocate memory inside the guest.
void IntAlertFillWinKmModule(const KERNEL_DRIVER *Driver, INTRO_MODULE *EventModule)
Saves kernel module information inside an alert.
LIST_ENTRY Link
List entry element.
#define IMAGE_SCN_MEM_NOT_PAGED
DWORD Section
The section index (zero based) inside the module.
#define INT_STATUS_INSUFFICIENT_RESOURCES
#define INT_STATUS_INVALID_PARAMETER_3