52 PBYTE pObject, pModule;
83 goto cleanup_and_exit;
88 goto cleanup_and_exit;
93 goto cleanup_and_exit;
100 goto cleanup_and_exit;
105 goto cleanup_and_exit;
110 goto cleanup_and_exit;
116 goto cleanup_and_exit;
122 goto cleanup_and_exit;
128 ERROR(
"[ERROR] IntPeValidateHeader failed: 0x%08x\n", status);
129 goto cleanup_and_exit;
134 goto cleanup_and_exit;
139 goto cleanup_and_exit;
149 goto cleanup_and_exit;
154 goto cleanup_and_exit;
159 goto cleanup_and_exit;
166 goto cleanup_and_exit;
171 goto cleanup_and_exit;
176 goto cleanup_and_exit;
182 goto cleanup_and_exit;
188 goto cleanup_and_exit;
194 ERROR(
"[ERROR] IntPeValidateHeader failed: 0x%08x\n", status);
195 goto cleanup_and_exit;
200 goto cleanup_and_exit;
205 goto cleanup_and_exit;
255 QWORD driverNameAddress;
257 driverNameAddress = 0;
263 WARNING(
"[WARNING] Driver object at 0x%016llx is already present as \"%s\", will ignore\n",
265 if (NULL != DriverObject)
267 *DriverObject = pDrvObj;
280 pDrvObj->
Aligned = !StaticDetected;
285 ERROR(
"[ERROR] Failed translating GVA 0x%016llx: 0x%08x\n", GuestAddress, status);
293 DriverName.Length), &driverNameLen);
298 DriverName.Length), &driverNameLen);
302 goto cleanup_and_exit;
309 DriverName.Buffer), &driverNameAddress);
314 DriverName.Buffer), &driverNameAddress);
318 goto cleanup_and_exit;
321 driverNameLen = (driverNameLen & 0xFFFF);
324 if ((driverNameLen < 2) || (driverNameLen >= 256))
327 goto cleanup_and_exit;
332 if (NULL == pDrvObj->
Name)
335 goto cleanup_and_exit;
342 ERROR(
"[ERROR] Failed reading the driver name: 0x%08x\n", status);
343 goto cleanup_and_exit;
346 pDrvObj->
NameLen = driverNameLen / 2;
366 ERROR(
"[ERROR] Failed reading the driver start: 0x%08x\n", status);
367 goto cleanup_and_exit;
384 ERROR(
"[ERROR] IntKernVirtMemFetchQword failed: 0x%08x\n", status);
402 ERROR(
"[ERROR] IntWinHookDriverObject failed: 0x%08x\n", status);
414 if (NULL != DriverObject)
416 *DriverObject = pDrvObj;
436 while (list != &gWinDriverObjects)
465 while (list != &gWinDriverObjects)
469 if (pDrvObj->
Owner == Owner)
506 memzero(pEptViol,
sizeof(*pEptViol));
529 WARNING(
"[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
558 memzero(pIntViol,
sizeof(*pIntViol));
560 pIntViol->
BaseAddress = Victim->Integrity.StartVirtualAddress;
561 pIntViol->
VirtualAddress = Victim->Integrity.StartVirtualAddress + Victim->Integrity.Offset;
563 pIntViol->
Size = Victim->Integrity.TotalLength;
592 WARNING(
"[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
656 fastIoPtrWritten =
TRUE;
664 fastIoPtrWritten =
TRUE;
668 if (fastIoPtrWritten)
673 ERROR(
"[ERROR] IntDecGetWrittenValueFromInstruction failed: 0x%08x\n", status);
677 goto cleanup_and_exit;
683 ERROR(
"[ERROR] [DRVOBJ] Fast I/O dispatch table of driver object '%s' not in kernel: 0x%016llx\n",
688 goto cleanup_and_exit;
693 goto _block_fastio_reloc;
696 TRACE(
"[DRVOBJ] Fast I/O dispatch table of driver object '%s' has been written: 0x%016llx\n",
702 ERROR(
"[ERROR] IntWinDrvObjUnprotectFastIoDispatch failed: 0x%08x\n", status);
713 ERROR(
"[ERROR] IntWinDrvObjHookFastIODispatch failed: 0x%08x\n", status);
721 fastIoUpdated =
TRUE;
723 goto cleanup_and_exit;
732 WARNING(
"[WARNING] IntTranslateVirtualAddress failed: 0x%08x\n", status);
736 WARNING(
"[WARNING] The driver object Gpa 0x%016llx is different from actual Gpa 0x%016llx!\n",
747 memzero(&victim,
sizeof(victim));
748 memzero(&originator,
sizeof(originator));
753 exitAfterInformation =
FALSE;
757 gva < pDrvObj->FastIOTableAddress +
WIN_KM_FIELD(DrvObj, FiodispSize))
766 exitAfterInformation =
TRUE;
771 exitAfterInformation =
TRUE;
772 ERROR(
"[ERROR] Failed getting originator: 0x%08x\n", status);
784 ERROR(
"[ERROR] Failed getting zone details: 0x%08x\n", status);
785 exitAfterInformation =
TRUE;
788 if (exitAfterInformation)
814 ERROR(
"[ERROR] IntWinDrvObjUnprotectFastIoDispatch failed with status: 0x%08x\n", status);
826 ERROR(
"[ERROR] IntWinDrvObjUnprotectFastIoDispatch failed with status: 0x%08x\n", status);
851 #define NAMEHASH_FLTMGR 0x4283398b 861 ERROR(
"[ERROR] Invalid integrity region type: %d\n", IntegrityRegion->Type);
870 while (offset < IntegrityRegion->Length)
876 memzero(&victim,
sizeof(victim));
877 memzero(&originator,
sizeof(originator));
888 ERROR(
"[ERROR] Failed getting integrity zone: 0x%08x\n", status);
911 ERROR(
"[ERROR] Failed getting originator: 0x%08x\n", status);
946 ERROR(
"[ERROR] IntWinDrvObjUnprotectFastIoDispatch failed with status: 0x%08x\n", status);
947 goto _cleanup_and_exit;
964 ERROR(
"[ERROR] IntWinDrvObjUnprotectFastIoDispatch failed with status: 0x%08x\n", status);
965 goto _cleanup_and_exit;
992 ERROR(
"[ERROR] IntKernVirtMemWrite failed for gva 0x%016llx: 0x%08x\n",
994 goto _cleanup_and_exit;
1009 #undef NAMEHASH_FLTMGR 1028 if (!DriverObject->FiodispProtected)
1033 TRACE(
"[DRVOBJ] Removing protection on Fast I/OP dispatch on driver object '%s' at %llx...\n",
1034 utf16_for_log(DriverObject->Name), DriverObject->FastIOTableAddress);
1036 if (DriverObject->FiodispIntegrityObject != NULL)
1041 ERROR(
"[ERROR] Failed removing the integrity region from structure at address 0x%016llx: 0x%08x\n",
1042 DriverObject->FastIOTableAddress, status);
1044 DriverObject->FiodispIntegrityObject = NULL;
1047 DriverObject->FiodispProtected =
FALSE;
1072 if (0 == DriverObject->FastIOTableAddress)
1077 TRACE(
"[DRVOBJ] Adding protection on Fast I/O dispatch for driver object '%s' at 0x%016llx (integrity)\n",
1078 utf16_for_log(DriverObject->Name), DriverObject->FastIOTableAddress);
1086 &DriverObject->FiodispIntegrityObject);
1089 ERROR(
"[ERROR] IntIntegrityAddRegion failed: 0x%08x\n", status);
1093 DriverObject->FiodispProtected =
TRUE;
1117 if (NULL == DriverObject)
1122 if (!DriverObject->DrvobjProtected)
1127 TRACE(
"[DRVOBJ] Removing protection on driver object '%s' at %llx...\n",
1128 utf16_for_log(DriverObject->Name), DriverObject->DriverObjectGva);
1133 ERROR(
"[ERROR] IntWinDrvObjFiodispUnHook failed: 0x%08x\n", status);
1136 if (DriverObject->DrvobjIntegrityObject != NULL)
1141 ERROR(
"[ERROR] Failed removing the integrity region from structure at address 0x%016llx: 0x%08x\n",
1142 DriverObject->DriverObjectGva, status);
1144 DriverObject->DrvobjIntegrityObject = NULL;
1147 if (DriverObject->DrvobjHookObject != NULL)
1152 ERROR(
"[ERROR] Failed removing the hook from structure at address 0x%016llx: 0x%08x\n",
1153 DriverObject->FastIOTableAddress, status);
1157 DriverObject->DrvobjProtected =
FALSE;
1181 if (DriverObject == NULL)
1189 ERROR(
"[ERROR] IntWinHookFastIODispatch failed: 0x%08x\n", status);
1193 if (!DriverObject->Aligned)
1195 TRACE(
"[DRVOBJ] Adding protection on driver object '%s' at %llx (integrity)...\n",
1196 utf16_for_log(DriverObject->Name), DriverObject->DriverObjectGva);
1204 &DriverObject->DrvobjIntegrityObject);
1207 ERROR(
"[ERROR] IntIntegrityAddRegion failed: 0x%08x\n", status);
1213 TRACE(
"[DRVOBJ] Adding protection on driver object '%s' at %llx (ept)...\n",
1214 utf16_for_log(DriverObject->Name), DriverObject->DriverObjectGva);
1219 ERROR(
"[ERROR] IntHookObjectCreate failed: 0x%08x\n", status);
1225 DriverObject->DriverObjectGva +
WIN_KM_FIELD(DrvObj, Fiodisp),
1234 ERROR(
"[ERROR] IntHookObjectHookRegion failed: 0x%08x\n", status);
1239 DriverObject->DrvobjProtected =
TRUE;
1268 ERROR(
"[ERROR] IntTranslateVirtualAddress failed for GVA 0x%016llx: 0x%08x\n", DriverObjectAddress, status);
1272 list = gWinDriverObjects.
Flink;
1273 while (list != &gWinDriverObjects)
1290 ERROR(
"[ERROR] IntWinDrvObjRemoveDriverObject failed: 0x%08x\n", status);
1304 ERROR(
"[ERROR] IntWinDrvObjUnprotectFastIoDispatch failed: 0x%08x\n", status);
1334 if (NULL != DriverObject->Name)
1361 if (NULL == DriverObject)
1367 if (NULL != pKmDriver)
1375 ERROR(
"[ERROR] IntWinDrvObjUnprotect failed: 0x%08x\n", status);
1396 TRACE(
"[DRVOBJ] Updating driver objects protections...\n");
1398 for (
LIST_ENTRY *list = gWinDriverObjects.
Flink; list != &gWinDriverObjects; list = list->
Flink)
1409 ERROR(
"[ERROR] IntWinDrvObjProtect failed for '%s': 0x%08x\n",
1418 ERROR(
"[ERROR] IntWinDrvObjUnprotect failed for '%s': 0x%08x\n",
1443 while (list != &gWinDriverObjects)
1454 ERROR(
"[ERROR] IntWinDrvObjRemoveDriverObject failed: 0x%08x\n", status);
Measures kernel-mode exception checks.
LIST_ENTRY Link
Entry inside the gWinDriverObjects list.
QWORD DriverObjectGva
The guest virtual address of the guest _DRIVER_OBJECT represented by this structure.
QWORD PhysicalAddress
The physical address to which VirtualAddress translates.
enum _INTRO_ACTION_REASON INTRO_ACTION_REASON
The reason for which an INTRO_ACTION was taken.
INTRO_CODEBLOCKS CodeBlocks
Code blocks extracted for the alert.
#define CONTAINING_RECORD(List, Type, Member)
PWIN_DRIVER_OBJECT IntWinDrvObjFindByOwnerAddress(QWORD Owner)
Finds a driver object in the gWinDriverObjects list by the base of the kernel module that owns it...
#define INTRO_OPT_PROT_KM_DRVOBJ
Enable driver object & fast I/O dispatch protection.
INTSTATUS IntVirtMemUnmap(void **HostPtr)
Unmaps a memory range previously mapped with IntVirtMemMap.
QWORD IntAlertCoreGetFlags(QWORD ProtectionFlag, INTRO_ACTION_REASON Reason)
Returns the flags for an alert.
const PROTECTED_MODULE_INFO * IntWinDrvObjIsProtected(const WIN_DRIVER_OBJECT *DriverObject)
Get the protected module information for a kernel driver object.
An internal error occurred (no memory, pages not present, etc.).
BOOLEAN IntPolicyCoreForceBetaIfNeeded(QWORD Flag, INTRO_ACTION *Action)
Checks if a forced action should be taken even if the log-only mode is active.
The _DRIVER_OBJECT structure used by 64-bit guests.
#define OFFSET_OF(Type, Member)
INTSTATUS IntKernVirtMemWrite(QWORD KernelGva, DWORD Length, void *Buffer)
Writes data to a guest kernel virtual memory range.
INTSTATUS IntHookObjectDestroy(HOOK_OBJECT_DESCRIPTOR **Object, DWORD Flags)
Destroy an entire hook object. All regions belonging to this object will be removed.
IG_ARCH_REGS Regs
The current state of the guest registers.
MITRE_ID MitreID
The Mitre ID that corresponds to this attack.
QWORD SystemCr3
The Cr3 used to map the kernel.
#define INT_STATUS_SUCCESS
BOOLEAN IntPolicyCoreTakeAction(QWORD Flag, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason)
Returns the action that should be taken for a core introspection option.
Fast IO Dispatch (Windows only).
WIN_KERNEL_DRIVER Win
Valid only for Windows guests.
static INTSTATUS IntWinDrvObjHandleWrite(WIN_DRIVER_OBJECT *Context, HOOK_GPA const *Hook, QWORD Address, INTRO_ACTION *Action)
EPT write-hook callback: handles writes done over a protected driver object, including writes to its fast I/O dispatch pointer.
Event structure for integrity violations on monitored structures.
INTSTATUS IntIntegrityAddRegion(QWORD VirtualAddress, DWORD Length, INTRO_OBJECT_TYPE Type, void *Context, PFUNC_IntegrityViolationCallback Callback, BOOLEAN CopyContent, void **Descriptor)
Creates an INTEGRITY_REGION object and adds it to the gIntegrityRegions list.
struct _LIST_ENTRY * Flink
#define INT_SUCCESS(Status)
#define DRIVER_OBJECT_TYPE
The type of a _DRIVER_OBJECT structure.
QWORD Flags
A combination of ALERT_FLAG_* values describing the alert.
INTSTATUS IntResumeVcpus(void)
Resumes the VCPUs previously paused with IntPauseVcpus.
Exposes the types, constants and functions used to describe protected Windows Kernel modules and driv...
struct _EVENT_INTEGRITY_VIOLATION::@304 Victim
#define INT_STATUS_NOT_NEEDED_HINT
INTSTATUS IntWinDrvObjProtect(WIN_DRIVER_OBJECT *DriverObject)
Protects a driver object and its fast IO dispatch table, if one exists.
#define ALERT_FLAG_ASYNC
If set, the alert was generated in an async manner.
#define HpAllocWithTag(Len, Tag)
INTSTATUS IntKernVirtMemFetchWordSize(QWORD GuestVirtualAddress, void *Data)
Reads a guest pointer from the guest kernel memory.
INTSTATUS IntWinDrvObjUnprotect(WIN_DRIVER_OBJECT *DriverObject)
Deactivates protection for a driver object and its fast IO dispatch structure.
int INTSTATUS
The status data type.
QWORD GvaPage
Guest virtual page base address, aligned to 4K.
#define INT_STATUS_NOT_FOUND
DWORD Offset
The offset of the modification.
#define TRFLG_NONE
No special options.
Describes a kernel-mode originator.
INTSTATUS IntWinDrvObjUninit(void)
Removes all the driver objects from the gWinDriverObjects list.
INTSTATUS IntPauseVcpus(void)
Pauses all the guest VCPUs.
void IntAlertFillCpuContext(BOOLEAN CopyInstruction, INTRO_CPUCTX *CpuContext)
Fills the current CPU context for an alert.
INSTRUX Instruction
The current instruction, pointed by the guest RIP.
Describes a kernel driver.
void IntAlertFillVersionInfo(INTRO_VIOLATION_HEADER *Header)
Fills version information for an alert.
BOOLEAN IntWinDrvObjIsValidDriverObject(QWORD DriverObjectAddress)
Checks if a guest memory area contains a valid _DRIVER_OBJECT structure.
INTRO_VIOLATION_HEADER Header
The alert header.
INTRO_ACTION_REASON Reason
The reason for which Action was taken.
EXCEPTION_VICTIM_OBJECT Object
The modified object.
The _DRIVER_OBJECT structure used by 32-bit guests.
INTSTATUS IntAlertFillCodeBlocks(QWORD Rip, QWORD Cr3, BOOLEAN Execute, INTRO_CODEBLOCKS *CodeBlocks)
Fills the code blocks pattern for an alert.
void IntAlertEptFillFromKmOriginator(const EXCEPTION_KM_ORIGINATOR *Originator, EVENT_EPT_VIOLATION *EptViolation)
Fills kernel mode originator information inside an EPT alert.
GENERIC_ALERT gAlert
Global alert buffer.
INTSTATUS IntIntegrityRecalculate(INTEGRITY_REGION *IntegrityRegion)
Recalculates the hash and reads the original content again for a given region.
static INTSTATUS IntWinDrvObjSendEptAlert(EXCEPTION_VICTIM_ZONE const *Victim, EXCEPTION_KM_ORIGINATOR const *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason)
Sends an introEventEptViolation alert for a protected driver object.
QWORD Flags
The entry that maps VirtualAddress to PhysicalAddress, together with all the control bits...
INTSTATUS IntKernVirtMemFetchDword(QWORD GuestVirtualAddress, DWORD *Data)
Reads 4 bytes from the guest kernel memory.
static LIST_HEAD gWinDriverObjects
List of all the loaded Windows driver objects.
void IntAlertFillWriteInfo(const EXCEPTION_VICTIM_ZONE *Victim, INTRO_WRITE_INFO *WriteInfo)
Fills the write information for an alert.
#define INITIAL_CRC_VALUE
#define INT_STATUS_EXCEPTION_BLOCK
DWORD Size
The size of the modified memory area.
Describes an operand value.
static void IntWinDrvObjFreeDriverObject(WIN_DRIVER_OBJECT *DriverObject)
Frees a driver object.
void IntAlertEptFillFromVictimZone(const EXCEPTION_VICTIM_ZONE *Victim, EVENT_EPT_VIOLATION *EptViolation)
Fills the victim information inside an EPT alert.
QWORD FastIOTableAddress
The guest virtual address of the _FAST_IO_DISPATCH structure used by this driver object. May be 0.
QWORD QwordValues[ND_MAX_REGISTER_SIZE/8]
WIN_DRIVER_OBJECT * DriverObject
Used when a driver object / fastio dispatch table is modified.
INTRO_CPUCTX CpuContext
The context of the CPU that triggered the alert.
INTSTATUS IntNotifyIntroEvent(INTRO_EVENT_TYPE EventClass, void *Param, size_t EventSize)
Notifies the integrator about an introspection alert.
INTSTATUS IntWinDrvObjUpdateProtection(void)
Updates the protection for all the driver objects in the gWinDriverObjects list.
static BOOLEAN RemoveEntryList(LIST_ENTRY *Entry)
Holds information about a driver object.
BOOLEAN Guest64
True if this is a 64-bit guest, False if it is a 32-bit guest.
INTSTATUS IntExceptGetVictimEpt(void *Context, QWORD Gpa, QWORD Gva, INTRO_OBJECT_TYPE Type, DWORD ZoneFlags, EXCEPTION_VICTIM_ZONE *Victim)
Fills an EXCEPTION_VICTIM_ZONE with relevant information from an EPT violation.
DWORD NameHash
Hash of the Name.
QWORD Owner
Guest virtual address of the kernel module that owns this driver object.
void * ParentHook
The parent hook. For a GPA hook, for example, a GVA hook or a PagedHook will be the parent hook...
INTRO_MODULE Module
The module that modified the monitored region.
INTSTATUS IntWinDrvObjRemove(WIN_DRIVER_OBJECT *DriverObject)
Removes a driver object and updates its owner module.
INTSTATUS IntTranslateVirtualAddress(QWORD Gva, QWORD Cr3, QWORD *PhysicalAddress)
Translates a guest virtual address to a guest physical address.
HOOK_HEADER Header
The hook header.
int strlower_utf16(WCHAR *buf, size_t len)
QWORD VirtualAddress
The guest virtual address which was modified.
static INTSTATUS IntWinDrvObjHandleModification(INTEGRITY_REGION *IntegrityRegion)
Integrity-region callback: handles modifications detected by the integrity mechanism on a protected driver object. This is the integrity counterpart of IntWinDrvObjHandleWrite, which handles EPT-hooked writes.
INTRO_VIOLATION_HEADER Header
The alert header.
union _OPERAND_VALUE::@22 Value
The actual operand value.
#define IS_KERNEL_POINTER_WIN(is64, p)
Checks if a guest virtual address resides inside the Windows kernel address space.
INTSTATUS IntExceptGetVictimIntegrity(INTEGRITY_REGION *IntegrityRegion, DWORD *Offset, EXCEPTION_VICTIM_ZONE *Victim)
This function is used to get the information about the modified zone from the integrity region...
#define HpFreeAndNullWithTag(Add, Tag)
void IntExceptKernelLogInformation(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason)
Print the information about a kernel-mode violation and dumps the code-blocks.
INTSTATUS IntWinDrvObjRemoveFromAddress(QWORD DriverObjectAddress)
Frees and removes protection for a driver object by its address.
QWORD DriverObjectGpa
The guest physical address of the guest _DRIVER_OBJECT represented by this structure.
BYTE WordSize
Guest word size. Will be 4 for 32-bit guests and 8 for 64-bit guests.
static void InsertTailList(LIST_ENTRY *ListHead, LIST_ENTRY *Entry)
INTSTATUS IntTranslateVirtualAddressEx(QWORD Gva, QWORD Cr3, DWORD Flags, VA_TRANSLATION *Translation)
Translates a guest virtual address to a guest physical address.
INTRO_EXEC_CONTEXT ExecContext
Information about the instruction that triggered the alert.
static INTSTATUS IntWinDrvObjProtectFastIoDispatch(WIN_DRIVER_OBJECT *DriverObject)
Activates the protection for the fast IO dispatch structure of a driver object, if it has one (FastIOTableAddress != 0).
Sent when an EPT violation triggers an alert. See EVENT_EPT_VIOLATION.
DWORD Crc32Wstring(const WCHAR *String, DWORD InitialCrc)
Computes the CRC for a NULL-terminated wide char string.
Describes the modified zone.
struct _EXCEPTION_VICTIM_ZONE::@58::@60 WriteInfo
#define WIN_KM_FIELD(Structure, Field)
Macro used to access kernel mode fields inside the WIN_OPAQUE_FIELDS structure.
WCHAR Name[ALERT_PATH_MAX_LEN]
NULL-terminated string with a human readable description of the modified object.
void IntAlertFillDriverObject(const WIN_DRIVER_OBJECT *DriverObject, INTRO_DRVOBJ *EventDrvObj)
Saves driver object information inside an alert. Available only for Windows guests.
DWORD EntryPoint
Entry point (RVA).
BOOLEAN Valid
Set to True if the information in the structure is valid, False otherwise.
INTSTATUS IntPeValidateHeader(QWORD ImageBase, BYTE *ImageBaseBuffer, DWORD ImageBaseBufferSize, INTRO_PE_INFO *PeInfo, QWORD Cr3)
Validates a PE header.
static INTSTATUS IntWinDrvObjUnprotectFastIoDispatch(WIN_DRIVER_OBJECT *DriverObject)
Deactivates the protection for the fast IO dispatch structure of a driver object. ...
enum _INTRO_ACTION INTRO_ACTION
Event actions.
INTSTATUS IntIntegrityRemoveRegion(void *Descriptor)
Removes an integrity region from the gIntegrityRegions list.
PWCHAR Name
NULL-terminated wide-char string containing the name of the driver, as taken from the guest driver ob...
INTRO_WRITE_INFO WriteInfo
DWORD DwordValues[ND_MAX_REGISTER_SIZE/4]
#define IntDbgEnterDebugger()
__must_check INTSTATUS IntVirtMemMap(QWORD Gva, DWORD Length, QWORD Cr3, DWORD Flags, void **HostPtr)
Maps a guest virtual memory range inside Introcore virtual address space.
QWORD Cr3
The value of the guest CR3 register when the event was generated.
MM Mm
Guest memory information, such as paging mode, system Cr3 value, etc.
GUEST_STATE gGuest
The current guest state.
void IntAlertFillWinProcessByCr3(QWORD ProcessCr3, INTRO_PROCESS *EventProcess)
Saves information about a Windows process inside an alert. The process is searched by its kernel CR3...
BOOLEAN Aligned
True if the driver object allocation is page aligned.
Encapsulates a protected Windows kernel module.
PWIN_DRIVER_OBJECT IntWinDrvObjFindByDrvObj(QWORD Gva)
Finds a driver object in the gWinDriverObjects list by its guest virtual address. ...
EVENT_INTEGRITY_VIOLATION Integrity
struct _EXCEPTION_KM_ORIGINATOR::@64 Original
struct _EVENT_INTEGRITY_VIOLATION::@302 Originator
INTRO_ACTION Action
The action that was taken as the result of this alert.
INTSTATUS IntKernVirtMemRead(QWORD KernelGva, DWORD Length, void *Buffer, DWORD *RetLength)
Reads data from a guest kernel virtual memory range.
KERNEL_DRIVER * IntDriverFindByAddress(QWORD Gva)
Returns the driver in which Gva resides.
QWORD BaseAddress
The guest virtual address at which the monitored integrity region starts.
#define LIST_HEAD_INIT(Name)
INTSTATUS IntHookObjectHookRegion(void *Object, QWORD Cr3, QWORD Gla, SIZE_T Length, BYTE Type, void *Callback, void *Context, DWORD Flags, HOOK_REGION_DESCRIPTOR **Region)
Hook a contiguous region of virtual memory inside the provided virtual address space.
#define VICTIM_DRIVER_OBJECT
Printable name used for introObjectTypeDriverObject objects.
__must_check INTSTATUS IntPhysMemMap(QWORD PhysAddress, DWORD Length, DWORD Flags, void **HostPtr)
Maps a guest physical address inside Introcore VA space.
INTSTATUS IntExceptGetOriginatorFromModification(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator)
This function is used for integrity violations to get the information about the kernel-mode originato...
Encapsulates information about a virtual to physical memory translation.
char * utf16_for_log(const WCHAR *WString)
Converts a UTF-16 string to a UTF-8 string to be used inside logging macros.
#define INT_STATUS_INVALID_PARAMETER_1
#define INT_STATUS_NOT_SUPPORTED
INTRO_PROCESS CurrentProcess
The current process.
VCPU_STATE * gVcpu
The state of the current VCPU.
INTSTATUS IntDecGetWrittenValueFromInstruction(PINSTRUX Instrux, PIG_ARCH_REGS Registers, PBYTE MemoryValue, OPERAND_VALUE *WrittenValue)
Decode a written value from a memory write instruction.
The action was blocked because there was no exception for it.
Sent for integrity violation alerts. See EVENT_INTEGRITY_VIOLATION.
EXCEPTION_VICTIM_INTEGRITY Integrity
Valid if the modified zone is Integrity.
DWORD SizeOfImage
Size of the image.
Event structure for EPT violations.
BOOLEAN DrvobjProtected
True if the driver object structure is protected.
PWIN_DRIVER_OBJECT DriverObject
The driver object.
void IntAlertFillWinKmModule(const KERNEL_DRIVER *Driver, INTRO_MODULE *EventModule)
Saves kernel module information inside an alert.
static INTSTATUS IntWinDrvObjSendIntegrityAlert(EXCEPTION_VICTIM_ZONE const *Victim, EXCEPTION_KM_ORIGINATOR const *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason)
Sends an introEventIntegrityViolation alert for a protected driver object.
INTSTATUS IntPhysMemUnmap(void **HostPtr)
Unmaps an address previously mapped with IntPhysMemMap.
INTSTATUS IntExceptKernelGetOriginator(EXCEPTION_KM_ORIGINATOR *Originator, DWORD Options)
This function is used to get the information about the kernel-mode originator.
INTSTATUS IntAlertFillExecContext(QWORD Cr3, INTRO_EXEC_CONTEXT *ExecContext)
Fills the current execution context.
#define ZONE_WRITE
Used for write violation.
INTSTATUS IntHookObjectCreate(DWORD ObjectType, QWORD Cr3, void **Object)
Create a new hook object.
void IntExcept(EXCEPTION_VICTIM_ZONE *Victim, void *Originator, EXCEPTION_TYPE Type, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason, INTRO_EVENT_TYPE EventClass)
This function is the entry point for the exception mechanism.
INTSTATUS IntWinDrvObjCreateFromAddress(QWORD GuestAddress, BOOLEAN StaticDetected, PWIN_DRIVER_OBJECT *DriverObject)
Creates a new driver object.
#define INT_STATUS_EXCEPTION_ALLOW
INTRO_DRVOBJ DriverObject
The modified driver object. Valid only if Type is introObjectTypeDriverObject.
DWORD NameHash
The namehash of the originator return driver.
#define INT_STATUS_INSUFFICIENT_RESOURCES
DWORD NameLen
The length, in characters, of Name, not including the NULL-terminator.