114 LOG(
"[ERROR] We do not have any known DPI flag set -> Flags:0x%x\n", Flags);
144 memzero(pEvent,
sizeof(*pEvent));
172 extraInfo = &VictimProc->DpiExtraInfo;
176 extraInfo = &OriginatorProc->DpiExtraInfo;
184 WARNING(
"[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
198 return First->MainModuleAddress == Second->MainModuleAddress;
243 *Victim = RealParent;
281 if (!Child->CreationInfo.TokenStolenFromEprocess)
287 *Victim = RealParent;
326 if (!Child->CreationInfo.ParentHasTokenPrivsAltered)
337 *Victim = RealParent;
376 if (!Child->CreationInfo.ParentHasAlteredSecDescPtr)
384 *Victim = RealParent;
423 if (!Child->CreationInfo.ParentHasEditedAcl)
431 *Victim = RealParent;
469 if (!Child->CreationInfo.ParentHasPivotedStack)
483 *Victim = RealParent;
521 if (!Child->CreationInfo.DebuggerEprocess)
531 *Originator = RealParent;
570 if (!Child->CreationInfo.ParentHasBeenHeapSprayed)
577 *Victim = RealParent;
615 if (!Child->CreationInfo.ParentThreadSuspicious)
622 *Victim = RealParent;
651 WORD maxNumberOfHeapVals = 0;
652 DWORD maxPageHeapVals = 0;
656 QWORD heapVal = (val << 24) | (val << 16) | (val << 8) | val;
658 if (Originator->DpiExtraInfo.DpiHeapSprayExtraInfo.HeapPages[val - 1].Detected)
660 return (heapVal &
PAGE_MASK) + Originator->DpiExtraInfo.DpiHeapSprayExtraInfo.HeapPages[val - 1].Offset;
663 if (Originator->DpiExtraInfo.DpiHeapSprayExtraInfo.HeapPages[val - 1].HeapValCount >= maxNumberOfHeapVals &&
664 Originator->DpiExtraInfo.DpiHeapSprayExtraInfo.HeapPages[val - 1].Mapped)
666 maxNumberOfHeapVals = (
WORD)Originator->DpiExtraInfo.DpiHeapSprayExtraInfo.HeapPages[val - 1].HeapValCount;
672 return maxPageHeapVals;
676 return Originator->DpiExtraInfo.DpiThreadStartExtraInfo.StartAddress;
719 scflags = Originator->DpiExtraInfo.DpiHeapSprayExtraInfo.ShellcodeFlags;
722 scflags = Originator->DpiExtraInfo.DpiThreadStartExtraInfo.ShellcodeFlags;
813 status = handler(Child, RealParent, &procOrig, &procVictim, &pcType);
816 ERROR(
"[ERROR] Process creation violation callback %d failed: 0x%08x\n", i, status);
830 ERROR(
"[ERROR] IntExceptUserGetOriginator failed: 0x%08x\n", status);
840 ERROR(
"[ERROR] IntExceptGetVictimProcessCreation failed: 0x%08x\n", status);
844 originator.
PcType = pcType;
858 ERROR(
"[ERROR] IntWinProcSendProcessCreationViolation failed with status: 0x%08x.\n", status);
865 retAction =
MAX(retAction, action);
905 QWORD currentThread = 0;
906 QWORD attachedEprocess = 0;
923 ERROR(
"[ERROR] IntWinThrGetCurrentThread failed: 0x%08x\n", status);
933 ERROR(
"[ERROR] IntKernVirtMemRead failed: 0x%08x\n", status);
943 ERROR(
"[ERROR] IntKernVirtMemRead failed: 0x%08x\n", status);
953 ERROR(
"[ERROR] IntKernVirtMemRead failed: 0x%08x\n", status);
958 if (NULL == attachedProc)
960 ERROR(
"[ERROR] Attached process with EPROCESS: 0x%016llx is NULL!\n", attachedEprocess);
967 if (debugPort && (flags &
WIN_KM_FIELD(EprocessFlags, NoDebugInherit)) == 0)
1001 fallback = !Process->SystemProcess && RealParent->Pid != 4;
1012 Process->CreationInfo.ParentHasPivotedStack =
FALSE;
1018 ERROR(
"[ERROR] IntWinStackUserTrapFrameGetGeneric failed: 0x%08x\n", status);
1028 if (NULL != RealParent && RealParent->Wow64Process)
1033 ERROR(
"[ERROR] IntWinStackWow64CheckIsPivoted failed: 0x%08x\n", status);
1036 isPivotedWow64 = Process->CreationInfo.ParentHasPivotedStack;
1037 goto _skip_check_64;
1041 &Process->CreationInfo.ParentHasPivotedStack);
1044 ERROR(
"[ERROR] IntWinStackUserCheckIsPivoted failed: 0x%08x.\n", status);
1047 else if (Process->CreationInfo.ParentHasPivotedStack)
1049 WARNING(
"[WARNING] Process 0x%016llx created with pivoted stack\n", Process->EprocessAddress);
1053 Process->CreationInfo.ParentHasPivotedStack = Process->CreationInfo.ParentHasPivotedStack || isPivotedWow64;
1078 Process->DpiExtraInfo.DpiStolenTokenExtraInfo.StolenFromEprocess = pStolenFrom->
EprocessAddress;
1102 DWORD totalSize = 0;
1112 Process->CreationInfo.ParentHasAlteredSecDescPtr =
TRUE;
1114 Parent->DpiExtraInfo.DpiSecDescAclExtraInfo.SecDescStolenFromEproc =
1116 Parent->DpiExtraInfo.DpiSecDescAclExtraInfo.NewPtrValue = newValue;
1117 Parent->DpiExtraInfo.DpiSecDescAclExtraInfo.OldPtrValue = oldValue;
1121 securityDescriptorBuffer,
1129 memcpy(&Parent->DpiExtraInfo.DpiSecDescAclExtraInfo.NewSacl, sacl,
sizeof(
ACL));
1134 memcpy(&Parent->DpiExtraInfo.DpiSecDescAclExtraInfo.NewDacl, dacl,
sizeof(
ACL));
1138 memcpy(&Parent->DpiExtraInfo.DpiSecDescAclExtraInfo.OldSacl, &Parent->SecurityDescriptor.Sacl,
sizeof(
ACL));
1139 memcpy(&Parent->DpiExtraInfo.DpiSecDescAclExtraInfo.OldDacl, &Parent->SecurityDescriptor.Dacl,
sizeof(
ACL));
1169 Process->CreationInfo.ParentHasEditedAcl =
TRUE;
1173 memcpy(&Parent->DpiExtraInfo.DpiSecDescAclExtraInfo.NewSacl, sacl,
sizeof(
ACL));
1178 memcpy(&Parent->DpiExtraInfo.DpiSecDescAclExtraInfo.NewDacl, dacl,
sizeof(
ACL));
1181 memcpy(&Parent->DpiExtraInfo.DpiSecDescAclExtraInfo.OldSacl, &Parent->SecurityDescriptor.Sacl,
sizeof(
ACL));
1182 memcpy(&Parent->DpiExtraInfo.DpiSecDescAclExtraInfo.OldDacl, &Parent->SecurityDescriptor.Dacl,
sizeof(
ACL));
1205 QWORD present = 0, enabled = 0;
1208 Parent->OriginalTokenPtr,
1219 WARNING(
"[WARNING] IntWinTokenCheckCurrentPrivileges failed: 0x%08x\n", status);
1226 if (presentIncreased || enabledIncreased || Parent->PrivsChangeDetected)
1228 Process->CreationInfo.ParentHasTokenPrivsAltered =
TRUE;
1230 Process->DpiExtraInfo.DpiTokenPrivsExtraInfo.OldPresent = Parent->OriginalPresentPrivs;
1231 Process->DpiExtraInfo.DpiTokenPrivsExtraInfo.OldEnabled = Parent->OriginalEnabledPrivs;
1232 Process->DpiExtraInfo.DpiTokenPrivsExtraInfo.NewPresent = present;
1233 Process->DpiExtraInfo.DpiTokenPrivsExtraInfo.NewEnabled = enabled;
1255 DWORD totalHeapValCnt = 0;
1256 DWORD totalMappedPages = 0;
1265 DWORD heapVal = (val << 24) | (val << 16) | (val << 8) | val;
1267 WORD heapValCnt = 0;
1269 DWORD firstNopOccurrence = 0;
1286 Process->DpiExtraInfo.DpiHeapSprayExtraInfo.HeapPages[val - 1].Mapped = 1;
1299 Process->DpiExtraInfo.DpiHeapSprayExtraInfo.HeapPages[val - 1].Executable = tr.
IsExecutable;
1307 if (((
DWORD *)mappedBytes)[i / 4] == heapVal)
1314 if (mappedBytes[i] == 0x90 && !foundFirstNops)
1316 if (i > 0 && mappedBytes[i - 1] == 0x90)
1318 firstNopOccurrence = i;
1319 foundFirstNops =
TRUE;
1326 Process->DpiExtraInfo.DpiHeapSprayExtraInfo.HeapPages[val - 1].HeapValCount = heapValCnt;
1330 if (heapValCnt >= PAGE_SIZE / 16)
1332 Process->CreationInfo.ParentHasBeenHeapSprayed =
TRUE;
1341 regs.
Cr3 = Parent->Cr3;
1353 ERROR(
"[ERROR] IntShcIsSuspiciousCode failed: 0x%08x\n", status);
1359 Process->DpiExtraInfo.DpiHeapSprayExtraInfo.ShellcodeFlags = shflags;
1360 Process->DpiExtraInfo.DpiHeapSprayExtraInfo.HeapPages[val - 1].Detected = 1;
1361 Process->DpiExtraInfo.DpiHeapSprayExtraInfo.HeapPages[val - 1].Offset = firstNopOccurrence;
1362 Process->CreationInfo.ParentHasBeenHeapSprayed =
TRUE;
1371 if (totalMappedPages > 5 && totalHeapValCnt > 500)
1373 Process->CreationInfo.ParentHasBeenHeapSprayed =
TRUE;
1398 QWORD startAddress = 0;
1404 if (Process->IsAgent)
1412 ERROR(
"[ERROR] IntWinThrGetCurrentThread failed: 0x%08x\n", status);
1419 ERROR(
"[ERROR] IntKernVirtMemFetchWordSize failed: 0x%08x\n", status);
1426 WARNING(
"[WARNING] IntTranslateVirtualAddress failed for 0x%016llx: 0x%08x\n", startAddress, status);
1439 regs.
Rip = startAddress;
1440 regs.
Cr3 = Parent->Cr3;
1448 ERROR(
"[ERROR] IntShcIsSuspiciousCode failed: 0x%08x\n", status);
1462 ERROR(
"[ERROR] IntKernVirtMemFetchWordSize failed: 0x%08x\n", status);
1469 ERROR(
"[ERROR] IntWinVadFetchByRange failed: 0x%08x\n", status);
1479 Process->DpiExtraInfo.DpiThreadStartExtraInfo.ShellcodeFlags = scflags;
1480 Process->DpiExtraInfo.DpiThreadStartExtraInfo.StartAddress = startAddress;
1481 Process->CreationInfo.ParentThreadSuspicious =
TRUE;
1504 if (Process->NameHash == 0x56d1611d &&
1505 Parent->LastException != 0)
1543 ERROR(
"[ERROR] IntWinProcGetProcessDebugFlag failed: 0x%08x\n", status);
1559 ERROR(
"[ERROR] IntWinProcValidatePivotedStack failed: 0x%08x\n", status);
1573 ERROR(
"[ERROR] IntWinProcValidateCreatedProcessToken failed: 0x%08x\n", status);
1586 ERROR(
"[ERROR] IntWinDpiValidateTokenPrivs failed: 0x%08x\n", status);
1599 ERROR(
"[ERROR] IntWinProcValidateHeapSpray failed: 0x%08x\n", status);
1612 ERROR(
"[ERROR] IntWinDpiValidateThreadStart failed: 0x%08x\n", status);
1625 ERROR(
"[ERROR] IntWinDpiValidateParentSecDesc failed: 0x%08x\n", status);
1631 ERROR(
"[ERROR] IntWinDpiValidateParentAcl failed: 0x%08x\n", status);
void IntWinDpiForceFeedbackIfNeeded(INTRO_PC_VIOLATION_TYPE PcType, WIN_PROCESS_OBJECT *Originator, WIN_PROCESS_OBJECT *Victim, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason)
Enforces feedback-only alert on the current DPI violation based on different rules.
#define INT_STATUS_PAGE_NOT_PRESENT
Indicates that a virtual address is not present.
QWORD PhysicalAddress
The physical address to which VirtualAddress translates.
enum _INTRO_ACTION_REASON INTRO_ACTION_REASON
The reason for which an INTRO_ACTION was taken.
Trusted Developer Utilities.
static BOOLEAN IntWinDpiIsDpiWhiteListed(WIN_PROCESS_OBJECT *Process, WIN_PROCESS_OBJECT *Parent)
Used to whitelist some DPI (Deep Process Inspection) corner cases.
#define HEAP_SPRAY_NR_PAGES
Sent for unauthorized process creation alerts. See EVENT_PROCESS_CREATION_VIOLATION.
#define INTRO_OPT_PROT_DPI_TOKEN_STEAL
Enable process creation protection for stolen token.
Measures the security descriptor DPI protection information gathering.
INTSTATUS IntVirtMemUnmap(void **HostPtr)
Unmaps a memory range previously mapped with IntVirtMemMap.
BOOLEAN IntWinSDIsAclEdited(WIN_PROCESS_OBJECT *Process, DWORD BufferSize, BYTE *SecurityDescriptorBuffer, DWORD *ReadSize, ACL **NewSacl, ACL **NewDacl)
This function reads the ACLs for the given process (returning the data using the provided buffer and ...
The creation of a process was attempted while the parent had its heap sprayed.
INTSTATUS IntAlertFillDpiExtraInfo(DPI_EXTRA_INFO *CollectedExtraInfo, INTRO_PC_VIOLATION_TYPE PcType, WIN_PROCESS_OBJECT *VictimProcess, INTRO_DPI_EXTRA_INFO *ExtraInfo)
Fills the collected DPI extra information.
An internal error occurred (no memory, pages not present, etc.).
INTRO_PROCESS Victim
The process that was compromised.
BOOLEAN IntPolicyCoreForceBetaIfNeeded(QWORD Flag, INTRO_ACTION *Action)
Checks if a forced action should be taken even if the log-only mode is active.
Measures the pivoted stack DPI protection information gathering.
DWORD Index
The VCPU number.
#define INTRO_OPT_PROT_DPI_STACK_PIVOT
Enable process creation protection for pivoted stack.
MITRE_ID MitreID
The Mitre ID that corresponds to this attack.
Measures the debug flag DPI protection information gathering.
#define INT_STATUS_SUCCESS
BOOLEAN IntPolicyCoreTakeAction(QWORD Flag, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason)
Returns the action that should be taken for a core introspection option.
Event structure for process creation violation events.
void IntAlertFillWinProcess(const WIN_PROCESS_OBJECT *Process, INTRO_PROCESS *EventProcess)
Saves information about a windows process inside an alert.
void IntWinDpiGatherDpiInfo(WIN_PROCESS_OBJECT *Process, WIN_PROCESS_OBJECT *Parent, QWORD DebugHandle)
Gathers all the necessary DPI (Deep Process Inspection) information that will later be used to decide...
static INTSTATUS IntWinDpiSendProcessCreationViolation(WIN_PROCESS_OBJECT *VictimProc, WIN_PROCESS_OBJECT *OriginatorProc, INTRO_ACTION Action, INTRO_ACTION_REASON Reason, INTRO_PC_VIOLATION_TYPE PcType)
Send a process creation violation event.
enum _MITRE_ID MITRE_ID
Mitre attack techniques.
Process creation violation.
struct _WIN_PROCESS_OBJECT::@232 CreationInfo
QWORD Feedback
Options that will be forced to feedback only mode.
#define INT_SUCCESS(Status)
INTSTATUS IntWinThrGetCurrentThread(DWORD CpuNumber, QWORD *EthreadAddress)
Get the ETHREAD structure address of the thread currently running on the given CPU.
#define INTRO_SECURITY_DESCRIPTOR_SIZE
The size of the buffers in which we store the security descriptors. The security descriptor is compos...
QWORD Flags
A combination of ALERT_FLAG_* values describing the alert.
INTSTATUS IntExceptGetVictimProcessCreation(void *Process, INTRO_OBJECT_TYPE ObjectType, EXCEPTION_VICTIM_ZONE *Victim)
This function is used to get the information about the victim for process-creation violation...
static INTSTATUS IntWinDpiValidatePivotedStack(WIN_PROCESS_OBJECT *Process, WIN_PROCESS_OBJECT *RealParent)
Determines if the parent process has a pivoted stack.
INTRO_PC_VIOLATION_TYPE
Process creation violation flags.
static INTSTATUS IntWinDpiHandleDpiPivotedStack(WIN_PROCESS_OBJECT *Child, WIN_PROCESS_OBJECT *RealParent, WIN_PROCESS_OBJECT **Originator, WIN_PROCESS_OBJECT **Victim, INTRO_PC_VIOLATION_TYPE *PcType)
Checks if a process creation breaks the DPI pivoted stack policy set by INTRO_OPT_PROT_DPI_STACK_PIVO...
INTSTATUS IntWinStackWow64CheckIsPivoted(WIN_PROCESS_OBJECT *Process, WIN_PROCESS_OBJECT *RealParent, DPI_EXTRA_INFO *DpiExtraInfo)
Check whether a wow64 process' stack is pivoted.
Measures the stolen token flag DPI protection information gathering.
#define INT_STATUS_NOT_NEEDED_HINT
Process creation violation DPI.
Describes a user-mode originator.
#define INTRO_OPT_PROT_DPI
Aggregates all the deep process inspection flags.
INTSTATUS IntShcIsSuspiciousCode(QWORD Gva, QWORD Gpa, DWORD CsType, IG_ARCH_REGS *Registers, QWORD *ShellcodeFlags)
Checks if the code located at the given guest virtual address is suspicious or not.
INTSTATUS IntKernVirtMemFetchWordSize(QWORD GuestVirtualAddress, void *Data)
Reads a guest pointer from the guest kernel memory.
int INTSTATUS
The status data type.
static INTSTATUS IntWinDpiHandleDpiHeapSpray(WIN_PROCESS_OBJECT *Child, WIN_PROCESS_OBJECT *RealParent, WIN_PROCESS_OBJECT **Originator, WIN_PROCESS_OBJECT **Victim, INTRO_PC_VIOLATION_TYPE *PcType)
Checks if a process creation breaks the DPI heap spray policy set by INTRO_OPT_PROT_DPI_HEAP_SPRAY.
Measures the thread start DPI protection information gathering.
#define INT_STATUS_NOT_FOUND
static INTSTATUS IntWinDpiHandleDpiTokenPrivs(WIN_PROCESS_OBJECT *Child, WIN_PROCESS_OBJECT *RealParent, WIN_PROCESS_OBJECT **Originator, WIN_PROCESS_OBJECT **Victim, INTRO_PC_VIOLATION_TYPE *PcType)
Checks if a process creation breaks the DPI token privileges policy set by INTRO_OPT_PROT_DPI_TOKEN_P...
BOOLEAN IsExecutable
True if this page is executable.
QWORD DebuggerEprocess
This will keep the EPROCESS of the debugger process (if any).
Measures the heap spray DPI protection information gathering.
EVENT_PROCESS_CREATION_VIOLATION ProcessCreation
#define IMAGE_BASE_NAME_LEN
The maximum length of a process name.
void IntAlertFillCpuContext(BOOLEAN CopyInstruction, INTRO_CPUCTX *CpuContext)
Fills the current CPU context for an alert.
INTRO_PC_VIOLATION_TYPE PcType
Valid if the current violation is DPI Process Creation Violation.
#define INTRO_OPT_PROT_DPI_TOKEN_PRIVS
Enable process creation protection for parent which has violated Token privileges constraints...
void IntAlertFillVersionInfo(INTRO_VIOLATION_HEADER *Header)
Fills version information for an alert.
QWORD IntAlertProcGetFlags(QWORD ProtectionFlag, const void *Process, INTRO_ACTION_REASON Reason, QWORD AdditionalFlags)
Returns the flags for an alert.
IG_CS_TYPE
The type of the code segment.
Execution through API call.
Access Token Manipulation.
INTRO_ACTION_REASON Reason
The reason for which Action was taken.
Exposes the functions used to provide Windows Threads related support.
static INTSTATUS IntWinDpiHandleDpiThreadStart(WIN_PROCESS_OBJECT *Child, WIN_PROCESS_OBJECT *RealParent, WIN_PROCESS_OBJECT **Originator, WIN_PROCESS_OBJECT **Victim, INTRO_PC_VIOLATION_TYPE *PcType)
Checks if a process creation was triggered from a thread which started executing suspicious code...
GENERIC_ALERT gAlert
Global alert buffer.
static MITRE_ID IntWinDpiGetDpiMitreId(INTRO_PC_VIOLATION_TYPE Flags)
Get the MITRE attack technique ID for the given DPI (Deep Process Inspection) flags.
INTRO_VIOLATION_HEADER Header
The alert header.
QWORD Flags
The entry that maps VirtualAddress to PhysicalAddress, together with all the control bits...
BOOLEAN IntWinSDIsSecDescPtrAltered(WIN_PROCESS_OBJECT *Process, WIN_PROCESS_OBJECT **VictimProcess, QWORD *OldValue, QWORD *NewValue)
This function checks if the security descriptor pointer of a process has been altered or not...
INTRO_CPUCTX CpuContext
The context of the CPU that triggered the alert.
INTSTATUS IntNotifyIntroEvent(INTRO_EVENT_TYPE EventClass, void *Param, size_t EventSize)
Notifies the integrator about an introspection alert.
static INTSTATUS IntWinDpiValidateHeapSpray(WIN_PROCESS_OBJECT *Process, WIN_PROCESS_OBJECT *Parent)
Determines if the parent process has been heap sprayed.
The parent of a process has a stolen access token when it created the child.
BOOLEAN Guest64
True if this is a 64-bit guest, False if it is a 32-bit guest.
QWORD Current
The currently used options.
static INTSTATUS IntWinDpiHandleDpiAclEdit(WIN_PROCESS_OBJECT *Child, WIN_PROCESS_OBJECT *RealParent, WIN_PROCESS_OBJECT **Originator, WIN_PROCESS_OBJECT **Victim, INTRO_PC_VIOLATION_TYPE *PcType)
Checks if a process creation breaks the DPI security descriptor policy set by INTRO_OPT_PROT_DPI_SD_A...
static INTSTATUS IntWinDpiHandleDpiSecDesc(WIN_PROCESS_OBJECT *Child, WIN_PROCESS_OBJECT *RealParent, WIN_PROCESS_OBJECT **Originator, WIN_PROCESS_OBJECT **Victim, INTRO_PC_VIOLATION_TYPE *PcType)
Checks if a process creation breaks the DPI security descriptor policy set by INTRO_OPT_PROT_DPI_SD_A...
static INTSTATUS IntWinDpiValidateParentAclEdit(WIN_PROCESS_OBJECT *Process, WIN_PROCESS_OBJECT *Parent)
Determines if the parent process has an altered ACL (SACL/DACL).
BOOLEAN IntWinTokenPtrIsStolen(WIN_PROCESS_OBJECT *Process, BOOLEAN Check, WIN_PROCESS_OBJECT **FromProcess, QWORD *OldValue, QWORD *NewValue)
This function checks if the security token of a given process has been stolen from another process...
INTSTATUS IntTranslateVirtualAddress(QWORD Gva, QWORD Cr3, QWORD *PhysicalAddress)
Translates a guest virtual address to a guest physical address.
The creation of a process was attempted with token privileges altered in a malicious way...
The parent of a process had a pivoted stack when it created the child.
static INTSTATUS IntWinDpiValidateTokenPrivs(WIN_PROCESS_OBJECT *Process, WIN_PROCESS_OBJECT *Parent)
Determines if the parent process token privileges have not been altered in a malicious way...
static INTSTATUS IntWinDpiHandleDpiDebug(WIN_PROCESS_OBJECT *Child, WIN_PROCESS_OBJECT *RealParent, WIN_PROCESS_OBJECT **Originator, WIN_PROCESS_OBJECT **Victim, INTRO_PC_VIOLATION_TYPE *PcType)
Checks if a process creation breaks the DPI debug flag policy set by INTRO_OPT_PROT_DPI_DEBUG.
BYTE WordSize
Guest word size. Will be 4 for 32-bit guests and 8 for 64-bit guests.
INTSTATUS IntTranslateVirtualAddressEx(QWORD Gva, QWORD Cr3, DWORD Flags, VA_TRANSLATION *Translation)
Translates a guest virtual address to a guest physical address.
VAD_TYPE VadType
The type of the VAD.
INTSTATUS IntWinTokenCheckCurrentPrivileges(WIN_PROCESS_OBJECT *Process, QWORD TokenPtr, BOOLEAN IntegrityCheck, BOOLEAN *PresentIncreased, BOOLEAN *EnabledIncreased, QWORD *Present, QWORD *Enabled)
Verifies the current token if the current Privileges.Present and Privileges.Enabled fields were not a...
static INTSTATUS IntWinDpiGetProcessDebugFlag(WIN_PROCESS_OBJECT *Process, QWORD DebugHandle)
Determines if the process is being debugged and sets the WIN_PROCESS_OBJECT.CreationInfo field debugg...
QWORD TokenStolenFromEprocess
This will keep the EPROCESS of the process from which the current process stole the token...
INTSTATUS IntExceptUserGetOriginator(void *Process, BOOLEAN ModuleWrite, QWORD Address, INSTRUX *Instrux, EXCEPTION_UM_ORIGINATOR *Originator)
This function is used to get the information about the user-mode originator.
static INTSTATUS IntWinDpiHandleDpiStolenToken(WIN_PROCESS_OBJECT *Child, WIN_PROCESS_OBJECT *RealParent, WIN_PROCESS_OBJECT **Originator, WIN_PROCESS_OBJECT **Victim, INTRO_PC_VIOLATION_TYPE *PcType)
Checks if a process creation breaks the DPI token steal policy set by INTRO_OPT_PROT_DPI_TOKEN_STEAL...
Describes the modified zone.
#define UNREFERENCED_PARAMETER(P)
#define INTRO_OPT_PROT_DPI_HEAP_SPRAY
Enable process creation protection for heap sprayed parent.
#define WIN_KM_FIELD(Structure, Field)
Macro used to access kernel mode fields inside the WIN_OPAQUE_FIELDS structure.
INTSTATUS IntWinVadFetchByRange(QWORD VadRoot, QWORD StartPage, QWORD EndPage, VAD *Vad)
Fetches and returns a VAD object containing the range represented by [StartPage, EndPage].
static INTSTATUS IntWinDpiHandleNormalCreationRights(WIN_PROCESS_OBJECT *Child, WIN_PROCESS_OBJECT *RealParent, WIN_PROCESS_OBJECT **Originator, WIN_PROCESS_OBJECT **Victim, INTRO_PC_VIOLATION_TYPE *PcType)
Checks if a process creation contradicts the non-DPI process creation policy set by the PROC_OPT_PROT...
static INTSTATUS IntWinDpiValidateParentProcessToken(WIN_PROCESS_OBJECT *Process, WIN_PROCESS_OBJECT *Parent)
Determines if the child process stole the security token from any other process.
#define PROC_OPT_PROT_PREVENT_CHILD_CREATION
Prevent the process from creating child processes (other than instances of itself).
INTRO_PC_VIOLATION_TYPE PcType
The type of process creation violation.
enum _INTRO_ACTION INTRO_ACTION
Event actions.
The action was allowed, but it has the BETA flag (Introcore is in log-only mode). ...
__must_check INTSTATUS IntVirtMemMap(QWORD Gva, DWORD Length, QWORD Cr3, DWORD Flags, void **HostPtr)
Maps a guest virtual memory range inside Introcore virtual address space.
INTSTATUS IntWinSDReadSecDesc(QWORD SecurityDescriptorGva, DWORD BufferSize, BYTE *SecurityDescriptorBuffer, DWORD *ReadSize, ACL **Sacl, ACL **Dacl)
This function reads the ACLs (along with the ACEs) from the given GVA and returns the data using the ...
QWORD Cr3
The value of the guest CR3 register when the event was generated.
static INTSTATUS IntWinDpiValidateThreadStart(WIN_PROCESS_OBJECT *Process, WIN_PROCESS_OBJECT *Parent)
Determines if the current thread from the parent process has been started in order to execute some su...
QWORD EprocessAddress
This will be the address of the ActiveProcess field.
static QWORD IntWinDpiGetViolationAddress(INTRO_PC_VIOLATION_TYPE PcType, WIN_PROCESS_OBJECT *Originator, WIN_PROCESS_OBJECT *Victim)
Gets the violation address, sent through Originator in exception mechanism.
The parent of a process tried to obtain debug privileges over the child.
The parent of a process has an altered security descriptor pointer.
GUEST_STATE gGuest
The current guest state.
void IntAlertFillWinProcessByCr3(QWORD ProcessCr3, INTRO_PROCESS *EventProcess)
Saves information about a Windows process inside an alert. The process is searched by its kernel CR3...
#define INTRO_OPT_PROT_DPI_SD_ACL
Enable detection of Security Descriptor pointer modifications and ACL modifications on process creati...
INTRO_PROCESS Originator
The process that attempted the violation.
static INTSTATUS IntWinDpiValidateParentSecDesc(WIN_PROCESS_OBJECT *Process, WIN_PROCESS_OBJECT *Parent)
Determines if the parent process has an altered security descriptor pointer.
#define INTRO_OPT_PROT_DPI_THREAD_SHELL
Examines the code where the current thread started execution when the current thread creates a proces...
PWIN_PROCESS_OBJECT IntWinProcFindObjectByEprocess(QWORD Eprocess)
Finds a process by the address of its _EPROCESS structure.
The thread which created the process has started execution on some suspicious code.
INTRO_PROT_OPTIONS ShemuOptions
Flags which describe the way shemu will give detections.
INTRO_ACTION Action
The action that was taken as the result of this alert.
INTSTATUS IntKernVirtMemRead(QWORD KernelGva, DWORD Length, void *Buffer, DWORD *RetLength)
Reads data from a guest kernel virtual memory range.
INTRO_ACTION IntWinDpiCheckCreation(WIN_PROCESS_OBJECT *Child, WIN_PROCESS_OBJECT *RealParent)
Analyzes all the process creation rules in order to decide if the process creation should be allowe...
#define INT_STATUS_NO_MAPPING_STRUCTURES
Indicates that not all mapping structures of a virtual address are present.
static BOOLEAN IntWinDpiIsSelf(WIN_PROCESS_OBJECT const *First, WIN_PROCESS_OBJECT const *Second)
INTRO_DPI_EXTRA_INFO DpiExtraInfo
A structure which contains extra information regarding the DPI violation that was detected...
Encapsulates information about a virtual to physical memory translation.
INTRO_PROCESS CurrentProcess
The current process.
VCPU_STATE * gVcpu
The state of the current VCPU.
#define INTRO_OPT_PROT_DPI_DEBUG
Enable process creation protection for child processes created with debug flag.
INTSTATUS IntWinStackUserTrapFrameGetGeneric(QWORD *UserRsp, DWORD *SegCs, BOOLEAN Fallback, DPI_EXTRA_INFO *DpiExtraInfo)
Get a bit trap frame from a kernel stack.
The parent of a process has an altered access control entry (inside SACL or DACL).
Exploitation for Client Execution.
Exposes the functions responsible for DPI (Deep Process Inspection) information gathering (used to de...
A representation of a Windows VAD structure.
INTRO_PROT_OPTIONS CoreOptions
The activation and protection options for this guest.
INTSTATUS(* PFUNC_IntWinDpiProcessCreationHandler)(WIN_PROCESS_OBJECT *Child, WIN_PROCESS_OBJECT *RealParent, WIN_PROCESS_OBJECT **Originator, WIN_PROCESS_OBJECT **Victim, INTRO_PC_VIOLATION_TYPE *PcType)
Process creation callback, used to check if a process creation breaks one of the currently enabled po...
void IntExcept(EXCEPTION_VICTIM_ZONE *Victim, void *Originator, EXCEPTION_TYPE Type, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason, INTRO_EVENT_TYPE EventClass)
This function is the entry point for the exception mechanism.
INTSTATUS IntWinStackUserCheckIsPivoted(QWORD UserRsp, DWORD SegCs, BOOLEAN IsWow64Stack, DPI_EXTRA_INFO *DpiExtraInfo, BOOLEAN *IsPivoted)
Check whether the stack is pivoted by checking if it's in the bounds of the stack base and limit from...
Measures the token privileges DPI protection information gathering.
This structure describes a running process inside the guest.