50 memzero(pModEvent,
sizeof(*pModEvent));
52 pModEvent->
Loaded = Loaded;
61 WARNING(
"[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
69 _In_ void *PsLoadedModuleList,
107 TRACE(
"Failed kernel pointer checks on PsLoadedModuleList Flink/Blink = 0x%016llx/0x%016llx\n",
133 TRACE(
"[INFO] Found & skipped shadow module list at 0x%016llx (head->flink->blink should be same as head)\n",
134 PsLoadedModuleListGva);
146 if (name != 0x0073006f0074006e)
174 TRACE(
"Failed kernel pointer checks on PsLoadedModuleList Flink/Blink = 0x%08x/0x%08x\n",
201 TRACE(
"[INFO] Found & skipped shadow module list at 0x%08x (head->flink->blink should be same as head)\n",
202 (
DWORD)PsLoadedModuleListGva);
214 if (name != 0x0073006f0074006e)
244 if (Callback == NULL)
260 ERROR(
"[ERROR] Failed getting the Flink value of MODULE @ 0x%016llx: 0x%08x\n", currentModule, status);
270 status = Callback(currentModule, Aux);
284 currentModule &= 0xFFFFFFFF;
288 ERROR(
"[ERROR] Failed getting the Flink value of LDR_DATA_TABLE_ENTRY @ 0x%016llx: 0x%08x\n",
289 currentModule, status);
326 DWORD nameSize, pathSize;
341 ERROR(
"[ERROR] Failed reading from GVA 0x%016llx to host: 0x%08x\n", ModuleInfo, status);
366 goto _cleanup_and_leave;
387 if (NULL == pDriver->
Name)
390 goto _cleanup_and_leave;
396 ERROR(
"[ERROR] Failed reading driver name: 0x%08x\n", status);
397 goto _cleanup_and_leave;
419 goto _cleanup_and_leave;
440 if (NULL == pDriver->
Name)
443 goto _cleanup_and_leave;
449 ERROR(
"[ERROR] Failed reading driver name from 0x%08x [%d]: 0x%08x\n",
451 goto _cleanup_and_leave;
459 TRACE(
"[DRIVER] Driver '%s' @ 0x%016llx (base: 0x%016llx, hash: 0x%08x) just loaded\n",
475 ERROR(
"[ERROR] IntHookObjectCreate failed: 0x%08x\n", status);
476 goto _cleanup_and_leave;
490 ERROR(
"[ERROR] IntHookObjectHookRegion failed: 0x%08x\n", status);
491 goto _cleanup_and_leave;
501 ERROR(
"[ERROR] IntWinDrvProtect failed: 0x%08x\n", status);
550 ERROR(
"[ERROR] IntVirtMemMap failed for GVA 0x%016llx: 0x%08x\n", ModuleInfo, status);
556 sizeOfImage = 0xffffffff & pModuleInfo64->
SizeOfImage;
557 moduleBase = pModuleInfo64->
DllBase;
560 else if (pModuleInfo32)
574 goto _cleanup_and_leave;
581 if (pDriver->BaseVa == moduleBase && pDriver->Size == sizeOfImage)
585 TRACE(
"[DRIVER] Driver 0x%016llx unloaded\n", pDriver->BaseVa);
594 ERROR(
"[ERROR] IntWinDrvRemoveEntry failed: 0x%08x\n", status);
599 goto _cleanup_and_leave;
603 WARNING(
"[WARNING] Requested unload of the driver 0x%016llx with" 604 "size 0x%08x, LDR 0x%016llx, but it wasn't found...\n",
605 moduleBase, sizeOfImage, ModuleInfo);
612 else if (pModuleInfo32)
649 ERROR(
"[ERROR] IntPeGetDirectory failed: 0x%08x\n", status);
654 eatSize = dataDir.
Size;
660 ERROR(
"[ERROR] eatRva/eatSize are not valid eatRva:0x%08x, eatSize:0x%08x, " 661 "KernelBaseVa:0x%llx, KernelSize:0x%llx\n",
681 ERROR(
"[ERROR] Failed hooking EAT for ntoskrnl.exe 0x%08x\n", status);
714 ERROR(
"[ERROR] IntHookObjectRemoveRegion failed, status: 0x%08x\n", status);
751 DWORD i, iatSize, eatSize, iatRva, eatRva;
770 TRACE(
"[DRIVER] Adding protection on driver '%s' at %llx...\n",
789 ERROR(
"[ERROR] IntPeValidateHeader failed: 0x%08x\n", status);
805 ERROR(
"[ERROR] IntPeGetDirectory failed: 0x%08x\n", status);
810 iatSize = dataDir.
Size;
815 ERROR(
"[ERROR] IntPeGetDirectory failed: 0x%08x\n", status);
820 eatSize = dataDir.
Size;
822 TRACE(
"[DRIVER] %s @ 0x%016llx has timedate stamp 0x%08x and size 0x%08x\n",
828 ERROR(
"[ERROR] IntHookObjectCreate failed: 0x%08x\n", status);
848 ERROR(
"[ERROR] Failed reading IMAGE_SECTION_HEADER %d for driver 0x%016llx\n", i, pDriver->
BaseVa);
869 if (memcmp(sec.
Name,
"INITKDBG", 8) == 0)
871 TRACE(
"[DRIVER] Skipping section INITKDBG...\n");
876 if (memcmp(sec.
Name,
"ERRATA", 6) == 0)
882 if (memcmp(sec.
Name,
"ALMOSTRO", 8) == 0)
889 TRACE(
"[DRIVER] Overriding the hook flag, will hook ALMOSTRO section...\n");
890 hookSection = ignoreAlign =
TRUE;
923 WARNING(
"[WARNING] Section %d of driver '%s' is not aligned (%llx:%llx): alignment %x\n",
930 QWORD curSecStart = 0, curSecEnd = 0, curLastPage = 0, curFirstPage = 0;
944 ERROR(
"[ERROR] Failed reading IMAGE_SECTION_HEADER %d for driver %llx\n",
953 curLastPage = (curSecEnd - 1) & PAGE_MASK;
959 WARNING(
"[WARNING] Section %d overlaps writable section %d (%llx:%llx - %llx:%llx)!\n",
960 i, k, secStart, secEnd, curSecStart, curSecEnd);
968 WARNING(
"[WARNING] Section %d overlaps writable section %d (%llx:%llx - %llx:%llx)!\n",
969 i, k, secStart, secEnd, curSecStart, curSecEnd);
984 secStart = (secStart &
PAGE_MASK) + 0x1000;
988 if (secStart >= secEnd)
990 WARNING(
"[WARNING] Section %d overlaps entirely writable sections; will not hook it.\n", i);
1005 ERROR(
"[ERROR] Failed hooking section %d for driver 0x%016llx: 0x%08x\n", i, pDriver->
BaseVa, status);
1016 pDriver->
BaseVa + iatRva,
1025 ERROR(
"[ERROR] Failed hooking IAT for driver 0x%016llx: 0x%08x\n", pDriver->
BaseVa, status);
1034 pDriver->
BaseVa + eatRva,
1043 ERROR(
"[ERROR] Failed hooking IAT for driver 0x%016llx: 0x%08x\n", pDriver->
BaseVa, status);
1057 ERROR(
"[ERROR] Failed hooking EAT for ntoskrnl.exe, failed: 0x%08x\n", status);
1089 if (Driver->Protected)
1094 Driver->Protected =
TRUE;
1095 Driver->ProtectionFlag = ProtectionFlag;
1120 if (!Driver->Protected)
1125 TRACE(
"[DRIVER] Removing protection on module '%s' at %llx...\n",
1128 if (NULL != Driver->Win.MzPeHeaders)
1133 if (NULL != Driver->HookObject)
1138 if (NULL != Driver->Win.HeadersSwapHandle)
1142 Driver->Win.HeadersSwapHandle = NULL;
1145 Driver->Protected =
FALSE;
1181 if (NULL == Context)
1210 guestAddress = pRegs->
Rcx;
1217 ERROR(
"[ERROR] IntKernVirtMemPatchDword failed: 0x%08x\n", status);
1226 ERROR(
"[ERROR] IntWinDrvObjCreateDriverObject failed: 0x%08x\n", status);
1238 ERROR(
"[ERROR] IntHookObjectDestroy failed: 0x%08x\n", status);
1276 memzero(pEptViol,
sizeof(*pEptViol));
1307 WARNING(
"[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
1339 if (NULL == Context)
1353 memzero(&victim,
sizeof(victim));
1354 memzero(&originator,
sizeof(originator));
1359 exitAfterInformation =
FALSE;
1366 exitAfterInformation =
TRUE;
1370 ERROR(
"[ERROR] Failed getting originator: 0x%08x\n", status);
1372 exitAfterInformation =
TRUE;
1384 ERROR(
"[ERROR] Failed getting zone details: 0x%08x\n", status);
1385 exitAfterInformation =
TRUE;
1388 if (exitAfterInformation)
1425 if (Rip >= pDriver->BaseVa && Rip < pDriver->BaseVa + pDriver->Size)
1456 if (!CurrentOriginator)
1466 ERROR(
"[ERROR] We have reached %llu reads from ntoskrnl.exe EAT, last driver %s, disabling protection\n",
1472 ERROR(
"[ERROR] IntWinUnprotectReadNtEat failed: 0x%08x\n", status);
1510 #define NTOSKRNL_RIP_PAGES_COUNT 20 1511 #define PATCHGUARD_RIP_COUNT 4 1512 #define MAX_KNOWN_DRIVER_READS 100000 1515 static DWORD ntoskrnlRipPagesCount = 0;
1518 static DWORD patchguardRipCount = 0;
1520 if (NULL == Context)
1535 exitAfterInformation =
FALSE;
1543 for (
DWORD i = 0; i < ntoskrnlRipPagesCount; i++)
1545 if (ntoskrnlRipPages[i] == ripPage)
1555 for (
DWORD i = 0; i < patchguardRipCount; i++)
1571 if (pOriginatingDriver)
1587 ERROR(
"[ERROR] IntWinDrvDisableReadNtEat failed: 0x%08x\n", status);
1595 memzero(&victim,
sizeof(victim));
1596 memzero(&originator,
sizeof(originator));
1602 exitAfterInformation =
TRUE;
1606 ERROR(
"[ERROR] Failed getting originator: 0x%08x\n", status);
1608 exitAfterInformation =
TRUE;
1619 ERROR(
"[ERROR] Failed getting zone details: 0x%08x\n", status);
1621 exitAfterInformation =
TRUE;
1624 if (exitAfterInformation)
1650 #undef NTOSKRNL_RIP_PAGES_COUNT 1651 #undef PATCHGUARD_RIP_COUNT 1652 #undef MAX_KNOWN_DRIVER_READS 1674 if (NULL != Driver->Win.Path)
1679 if (NULL != Driver->Name)
1684 if (NULL != Driver->Win.MzPeHeaders)
1717 ERROR(
"[ERROR] IntWinModuleUnHook failed: 0x%08x\n", status);
1720 if (NULL != Driver->Win.EpHookObject)
1725 if (NULL != Driver->Win.DriverObject)
1734 ERROR(
"[ERROR] IntWinDrvObjRemoveDriverObject failed: 0x%08x\n", status);
1737 Driver->Win.DriverObject = NULL;
1743 ERROR(
"[ERROR] IntWinDrvFreeEntry failed: 0x%08x\n", status);
1760 TRACE(
"[DRIVER] Updating kernel drivers protections...\n");
1768 if (!pDriver->Protected && (NULL != pProtInfo))
1773 ERROR(
"[ERROR] IntWinDrvProtect failed for '%s': 0x%08x\n",
1777 else if (pDriver->Protected && (NULL == pProtInfo))
1782 ERROR(
"[ERROR] IntWinDrvUnprotect failed for '%s': 0x%08x\n",
Measures kernel-mode exception checks.
#define SWAPMEM_OPT_NO_FAULT
If set, no PF will be injected. Introcore will wait for the pages to be naturally swapped in...
LIST_ENTRY Link
Entry inside the gWinDriverObjects list.
enum _INTRO_ACTION_REASON INTRO_ACTION_REASON
The reason for which an INTRO_ACTION was taken.
INTRO_CODEBLOCKS CodeBlocks
Code blocks extracted for the alert.
INTSTATUS IntWinDrvRemoveEntry(KERNEL_DRIVER *Driver)
Removes the KERNEL_DRIVER from the internal structures.
#define ROUND_UP(what, to)
INTSTATUS IntWinDrvIterateLoadedModules(PFUNC_IterateListCallback Callback, QWORD Aux)
Used to iterate through the WINDOWS_GUEST::PsLoadedModuleList.
INTSTATUS IntVirtMemUnmap(void **HostPtr)
Unmaps a memory range previously mapped with IntVirtMemMap.
QWORD IntAlertCoreGetFlags(QWORD ProtectionFlag, INTRO_ACTION_REASON Reason)
Returns the flags for an alert.
An internal error occurred (no memory, pages not present, etc.).
BOOLEAN IntPolicyCoreForceBetaIfNeeded(QWORD Flag, INTRO_ACTION *Action)
Checks if a forced action should be taken even if the log-only mode is active.
Kernel module (ntoskrnl.exe, hal.dll, etc.).
WINDOWS_GUEST * gWinGuest
Global variable holding the state of a Windows guest.
INTSTATUS IntHookObjectDestroy(HOOK_OBJECT_DESCRIPTOR **Object, DWORD Flags)
Destroy an entire hook object. All regions belonging to this object will be removed.
QWORD EatReadCount
The number of EAT reads that took place from within known drivers.
IG_ARCH_REGS Regs
The current state of the guest registers.
QWORD RequiredFlags
The introcore options that need to be active in order to protect this module.
INTSTATUS IntPeGetDirectory(QWORD ImageBase, BYTE *ImageBaseBuffer, DWORD DirectoryEntry, IMAGE_DATA_DIRECTORY *Directory)
Validate & return the indicated image data directory.
MITRE_ID MitreID
The Mitre ID that corresponds to this attack.
QWORD SystemCr3
The Cr3 used to map the kernel.
#define INT_STATUS_SUCCESS
#define INT_STATUS_OUT_OF_RANGE
BOOLEAN IntPolicyCoreTakeAction(QWORD Flag, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason)
Returns the action that should be taken for a core introspection option.
LIST_ENTRY64 InLoadOrderLinks
WIN_KERNEL_DRIVER Win
Valid only for Windows guests.
INTSTATUS IntSwapMemReadData(QWORD Cr3, QWORD VirtualAddress, DWORD Length, DWORD Options, void *Context, DWORD ContextTag, PFUNC_PagesReadCallback Callback, PFUNC_PreInjectCallback PreInject, void **SwapHandle)
Reads a region of guest virtual memory, and calls the indicated callback when all the data is availab...
INTSTATUS IntWinUnprotectReadNtEat(void)
Used to remove the EAT read hook from ntoskrnl.exe.
QWORD BaseVa
The guest virtual address of the kernel module that owns this driver object.
static KERNEL_DRIVER * IntWinGetDriverByGva(QWORD Rip)
Iterates all the loaded drivers to see if the Rip points inside any of them.
#define IMAGE_SCN_MEM_WRITE
#define INT_SUCCESS(Status)
DWORD TimeDateStamp
Time/date stamp.
Event structure for module loading and unloading.
QWORD Flags
A combination of ALERT_FLAG_* values describing the alert.
QWORD SectionOffset
Offset of the first section header.
Exposes the types, constants and functions used to describe protected Windows Kernel modules and driv...
The action was not allowed because there was no reason to allow it.
INTSTATUS IntWinDrvObjCreateFromAddress(QWORD GuestAddress, BOOLEAN StaticDetected, PWIN_DRIVER_OBJECT *DriverObject)
Creates a new driver object.
Measures reads done from the kernel EAT.
DWORD PathLength
The driver's path length (number of WCHARs).
EVENT_MODULE_EVENT Module
QWORD IntHookGetGlaFromGpaHook(HOOK_GPA const *Hook, QWORD Address)
Gets the GLA from a GPA hook.
PBYTE MzPeHeaders
The driver's MZ/PE headers (cached internally).
Models a LIST_ENTRY structure used by 32-bit Windows guests.
INTSTATUS IntWinDrvIsListHead(QWORD PsLoadedModuleListGva, void *PsLoadedModuleList, QWORD KernelLdr)
Used to identify WINDOWS_GUEST::PsLoadedModuleList.
#define INT_STATUS_NOT_NEEDED_HINT
LIST_ENTRY32 InLoadOrderLinks
#define HpAllocWithTag(Len, Tag)
DWORD Buffer
The guest virtual address at which the wide-character string is located.
INTSTATUS IntWinDrvCreateFromAddress(QWORD ModuleInfo, QWORD Flags)
Adds a driver to introspection's LoadedModuleList (gKernelDrivers). This way we avoid lots of mapping...
int INTSTATUS
The status data type.
QWORD Size
The size of the kernel module that owns this driver object.
BOOLEAN Protected
True if the driver is protected, False if it is not.
DWORD OSVersion
Os version.
BOOLEAN IntWinDrvHasDriverObject(const KERNEL_DRIVER *Driver)
Check whether a kernel driver has a driver object that we care to protect.
void * HeadersSwapHandle
The swap handle used to read the driver's headers.
#define INT_STATUS_NOT_FOUND
UNICODE_STRING32 DriverPath
Describes a kernel-mode originator.
DWORD SectionAlignment
Sections alignment.
void IntAlertFillCpuContext(BOOLEAN CopyInstruction, INTRO_CPUCTX *CpuContext)
Fills the current CPU context for an alert.
INTSTATUS IntWinDrvRemoveFromAddress(QWORD ModuleInfo)
Removes a driver from the introspection's loaded modules list (gKernelDrivers).
DWORD TimeDateStamp
The driver's internal timestamp (from the _IMAGE_FILE_HEADER).
Describes a kernel driver.
#define INT_STATUS_BREAK_ITERATION
Can be used by iteration callbacks to break the iteration early.
void IntAlertFillVersionInfo(INTRO_VIOLATION_HEADER *Header)
Fills version information for an alert.
Models a LIST_ENTRY structure used by 64-bit Windows guests.
INTRO_VIOLATION_HEADER Header
The alert header.
DWORD NameHash
The hash of the name.
INTRO_ACTION_REASON Reason
The reason for which Action was taken.
INTSTATUS IntAlertFillCodeBlocks(QWORD Rip, QWORD Cr3, BOOLEAN Execute, INTRO_CODEBLOCKS *CodeBlocks)
Fills the code blocks pattern for an alert.
static INTSTATUS IntWinDrvHeadersInMemory(void *Context, QWORD Cr3, QWORD VirtualAddress, QWORD PhysicalAddress, void *Data, DWORD DataSize, DWORD Flags)
This callback is called as soon as all the driver headers have been read using IntSwapMemReadData.
The _LDR_DATA_TABLE_ENTRY structure used by 64-bit guests.
#define NTOSKRNL_RIP_PAGES_COUNT
void IntAlertEptFillFromKmOriginator(const EXCEPTION_KM_ORIGINATOR *Originator, EVENT_EPT_VIOLATION *EptViolation)
Fills kernel mode originator information inside an EPT alert.
GENERIC_ALERT gAlert
Global alert buffer.
INTSTATUS IntSwapMemRemoveTransaction(void *Transaction)
Remove a transaction.
INTSTATUS IntKernVirtMemFetchDword(QWORD GuestVirtualAddress, DWORD *Data)
Reads 4 bytes from the guest kernel memory.
#define INITIAL_CRC_VALUE
#define INT_STATUS_EXCEPTION_BLOCK
void IntAlertEptFillFromVictimZone(const EXCEPTION_VICTIM_ZONE *Victim, EVENT_EPT_VIOLATION *EptViolation)
Fills the victim information inside an EPT alert.
QWORD PsLoadedModuleList
Guest virtual address of the PsLoadedModuleList kernel variable.
#define INT_STATUS_NOT_INITIALIZED
INTSTATUS IntKernVirtMemFetchQword(QWORD GuestVirtualAddress, QWORD *Data)
Reads 8 bytes from the guest kernel memory.
SIZE_T NameLength
The length of the Name. This is the number of characters in the Name buffer.
INTRO_CPUCTX CpuContext
The context of the CPU that triggered the alert.
INTSTATUS IntWinDrvObjRemove(WIN_DRIVER_OBJECT *DriverObject)
Removes a driver object and updates its owner module.
INTSTATUS IntNotifyIntroEvent(INTRO_EVENT_TYPE EventClass, void *Param, size_t EventSize)
Notifies the integrator about an introspection alert.
static BOOLEAN RemoveEntryList(LIST_ENTRY *Entry)
Holds information about a driver object.
INTSTATUS IntWinDrvHandleDriverEntry(void *Context, void *Hook, QWORD Address, INTRO_ACTION *Action)
Used to notify the introspection engine when the DriverEntry of a module starts executing.
UINT16 Length
The length, in bytes, of the string in Buffer, not including the NULL terminator, if any...
BOOLEAN Guest64
True if this is a 64-bit guest, False if it is a 32-bit guest.
INTSTATUS IntWinDrvHandleWrite(void *Context, void *Hook, QWORD Address, INTRO_ACTION *Action)
Used to notify the introspection engine when a write took place on a protected driver.
INTSTATUS IntExceptGetVictimEpt(void *Context, QWORD Gpa, QWORD Gva, INTRO_OBJECT_TYPE Type, DWORD ZoneFlags, EXCEPTION_VICTIM_ZONE *Victim)
Fills an EXCEPTION_VICTIM_ZONE with relevant information from an EPT violation.
QWORD Current
The currently used options.
int strlower_utf16(WCHAR *buf, size_t len)
#define IN_RANGE_LEN(x, start, len)
INTSTATUS(* PFUNC_IterateListCallback)(QWORD Node, QWORD Aux)
#define INT_STATUS_INVALID_PARAMETER_4
#define IS_KERNEL_POINTER_WIN(is64, p)
Checks if a guest virtual address resides inside the Windows kernel address space.
QWORD NumberOfSections
Number of sections.
#define HpFreeAndNullWithTag(Add, Tag)
#define INT_STATUS_INVALID_INTERNAL_STATE
#define INTRO_OPT_EVENT_MODULES
Enable user mode and kernel mode module load and unload events (generates introEventModuleEvent event...
void * Name
The name of the driver.
QWORD KernelVa
The guest virtual address at which the kernel image is located.
The _LDR_DATA_TABLE_ENTRY structure used by 32-bit guests.
void IntExceptKernelLogInformation(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason)
Print the information about a kernel-mode violation and dumps the code-blocks.
void IntAlertFillWinProcessCurrent(INTRO_PROCESS *EventProcess)
Saves information about the current Windows process inside an alert.
union _IMAGE_SECTION_HEADER::@214 Misc
static void InsertTailList(LIST_ENTRY *ListHead, LIST_ENTRY *Entry)
INTRO_EXEC_CONTEXT ExecContext
Information about the instruction that triggered the alert.
BOOLEAN Loaded
True if the module was loaded, False if it was unloaded.
INTSTATUS IntWinDrvUnprotect(KERNEL_DRIVER *Driver)
Used to disable protection for the given driver.
#define INT_STATUS_ALREADY_INITIALIZED_HINT
#define MAX_KNOWN_DRIVER_READS
void * HookObject
The hook object used to protect this driver. NULL if the driver is not protected. ...
Sent when an EPT violation triggers an alert. See EVENT_EPT_VIOLATION.
PWCHAR Path
The driver's path.
#define INTRO_OPT_PROT_KM_NT_EAT_READS
Enable kernel EAT read protection (Windows only).
DWORD Crc32Wstring(const WCHAR *String, DWORD InitialCrc)
Computes the CRC for a NULL-terminated wide char string.
Describes the modified zone.
#define UNREFERENCED_PARAMETER(P)
INTSTATUS IntHookObjectRemoveRegion(HOOK_REGION_DESCRIPTOR **Region, DWORD Flags)
Remove a hooked region of memory.
#define KESDT_SIZE
The size of the KeServiceDescriptorTable.
#define IMAGE_DIRECTORY_ENTRY_EXPORT
void * EatReadHook
The read hook placed on the driver's EAT.
QWORD ProtectionFlag
The introcore option that decided that this driver must be protected.
DWORD EntryPoint
Entry point (RVA).
INTRO_PROCESS CurrentProcess
The currently active process.
INTSTATUS IntPeValidateHeader(QWORD ImageBase, BYTE *ImageBaseBuffer, DWORD ImageBaseBufferSize, INTRO_PE_INFO *PeInfo, QWORD Cr3)
Validates a PE header.
enum _INTRO_ACTION INTRO_ACTION
Event actions.
#define _In_reads_bytes_(expr)
LIST_HEAD gKernelDrivers
List of all the drivers currently loaded inside the guest.
LIST_ENTRY Link
Entry inside the gKernelDrivers list.
#define INT_STATUS_INVALID_OBJECT_TYPE
INTRO_MODULE Module
The module for which this event was triggered.
INTSTATUS IntWinDrvHandleRead(void *Context, void *Hook, QWORD Address, INTRO_ACTION *Action)
Used to notify the introspection engine when a read took place on a protected driver (used only for n...
__must_check INTSTATUS IntVirtMemMap(QWORD Gva, DWORD Length, QWORD Cr3, DWORD Flags, void **HostPtr)
Maps a guest virtual memory range inside Introcore virtual address space.
UNICODE_STRING64 DriverPath
MM Mm
Guest memory information, such as paging mode, system Cr3 value, etc.
UNICODE_STRING32 DriverName
QWORD KeServiceDescriptorTable
Guest virtual address of the KeServiceDescriptorTable variable.
GUEST_STATE gGuest
The current guest state.
static INTSTATUS IntWinDrvFreeEntry(KERNEL_DRIVER *Driver, QWORD Reserved)
Frees the memory allocated for the KERNEL_DRIVER structure.
void IntAlertFillWinProcessByCr3(QWORD ProcessCr3, INTRO_PROCESS *EventProcess)
Saves information about a Windows process inside an alert. The process is searched by its kernel CR3...
#define IMAGE_DIRECTORY_ENTRY_IAT
#define IMAGE_SCN_MEM_DISCARDABLE
BOOLEAN IntWinDrvObjIsValidDriverObject(QWORD DriverObjectAddress)
Checks if a guest memory area contains a valid _DRIVER_OBJECT structure.
Encapsulates a protected Windows kernel module.
BOOLEAN IntWinAgentIsRipInsideCurrentAgent(QWORD Rip)
Return true if the given RIP points inside the currently active boot driver.
void * EpHookObject
The EP hook placed on the driver (we will be notified when the execution began) - useful to obtain th...
INTRO_ACTION Action
The action that was taken as the result of this alert.
INTSTATUS IntKernVirtMemRead(QWORD KernelGva, DWORD Length, void *Buffer, DWORD *RetLength)
Reads data from a guest kernel virtual memory range.
#define ZONE_READ
Used for read violation.
UNICODE_STRING64 DriverName
static void IntWinDrvSendEvent(KERNEL_DRIVER *Driver, BOOLEAN Loaded)
Send a driver loaded/unloaded event.
INTSTATUS IntHookObjectHookRegion(void *Object, QWORD Cr3, QWORD Gla, SIZE_T Length, BYTE Type, void *Callback, void *Context, DWORD Flags, HOOK_REGION_DESCRIPTOR **Region)
Hook a contiguous region of virtual memory inside the provided virtual address space.
WORD Length
The length, in bytes, of the string in Buffer, not including the NULL terminator, if any...
static INTSTATUS IntWinDrvForceDisableReadNtEat(KERNEL_DRIVER *CurrentOriginator)
This function is used to disable the INTRO_OPT_PROT_KM_NT_EAT_READS by removing the hook IntWinDrvHan...
The object was detected when it was created.
KERNEL_DRIVER * KernelDriver
Points to the driver object that describes the kernel image.
char * utf16_for_log(const WCHAR *WString)
Converts a UTF-16 to a UTF-8 string to be used inside logging macros.
#define INT_STATUS_INVALID_PARAMETER_1
#define INT_STATUS_NOT_SUPPORTED
INTRO_PROCESS CurrentProcess
The current process.
VCPU_STATE * gVcpu
The state of the current VCPU.
INTSTATUS IntWinDrvUpdateProtection(void)
Used to update the protection for all the loaded modules (gKernelDrivers).
The action was blocked because there was no exception for it.
UINT8 Name[IMAGE_SIZEOF_SHORT_NAME]
static INTSTATUS IntWinDrvSendAlert(KERNEL_DRIVER *Driver, EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason)
Sends a driver related EPT violation alert.
#define PATCHGUARD_RIP_COUNT
#define DRIVER_MAX_ITERATIONS
When iterating the guest PsLoadedModuleList, we won't go through more than this many entries...
void IntGuestUpdateCoreOptions(QWORD NewOptions)
Updates Introcore options.
INTSTATUS IntWinProtectReadNtEat(void)
Used to place a read hook on the ntoskrnl.exe EAT.
Event structure for EPT violations.
QWORD EntryPoint
The entry point of this driver.
#define INT_STATUS_NOT_READY
PWIN_DRIVER_OBJECT DriverObject
The driver object.
void IntAlertFillWinKmModule(const KERNEL_DRIVER *Driver, INTRO_MODULE *EventModule)
Saves kernel module information inside an alert.
DWORD PathHash
CRC32 hash value for the driver's path.
INTSTATUS IntWinDrvProtect(KERNEL_DRIVER *Driver, QWORD ProtectionFlag)
Used to enable protection for the given driver.
#define list_for_each(_head, _struct_type, _var)
Exploitation of Remote Services.
const PROTECTED_MODULE_INFO * IntWinDrvIsProtected(const KERNEL_DRIVER *Driver)
Get the protected module information for a kernel driver.
Exposes the types, constants and functions used to handle Windows Drivers related events...
INTSTATUS IntExceptKernelGetOriginator(EXCEPTION_KM_ORIGINATOR *Originator, DWORD Options)
This function is used to get the information about the kernel-mode originator.
INTSTATUS IntAlertFillExecContext(QWORD Cr3, INTRO_EXEC_CONTEXT *ExecContext)
Fills the current execution context.
#define ZONE_WRITE
Used for write violation.
QWORD Buffer
The guest virtual address at which the wide-character string is located.
#define INT_STATUS_INVALID_PARAMETER_2
INTRO_PROT_OPTIONS CoreOptions
The activation and protection options for this guest.
INTSTATUS IntHookObjectCreate(DWORD ObjectType, QWORD Cr3, void **Object)
Create a new hook object.
void IntExcept(EXCEPTION_VICTIM_ZONE *Victim, void *Originator, EXCEPTION_TYPE Type, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason, INTRO_EVENT_TYPE EventClass)
This function is the entry point for the exception mechanism.
BOOLEAN Protected
True if the module is protected.
void IntDriverCacheInv(const QWORD BaseAddress, const QWORD Length)
Invalidates all cache entries for a given guest memory range.
#define INT_STATUS_INSUFFICIENT_RESOURCES