32 memzero(pEvent,
sizeof(*pEvent));
34 pEvent->
BaseAddress = Victim->Integrity.StartVirtualAddress;
35 pEvent->
VirtualAddress = Victim->Integrity.StartVirtualAddress + Victim->Integrity.Offset;
63 WARNING(
"[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
97 for (
DWORD offset = 0; offset < IntegrityRegion->Length;)
113 ERROR(
"[ERROR] Failed getting integrity zone: 0x%08x\n", status);
120 ERROR(
"[ERROR] Failed getting originator: 0x%08x\n", status);
151 ERROR(
"[ERROR] IntKernVirtMemWrite failed for gva 0x%016llx: 0x%08x\n",
153 goto cleanup_and_exit;
216 ERROR(
"[ERROR] IntGuestGetIdtFromGla failed: 0x%08x, the write on 0x%016llx " 217 "(gpa 0x%016llx) from cpu %d seems to be outside any idt!\n",
230 memzero(&victim,
sizeof(victim));
231 memzero(&originator,
sizeof(originator));
236 ERROR(
"[ERROR] Failed getting originator: 0x%08x\n", status);
248 ERROR(
"[ERROR] Failed getting zone details: 0x%08x\n", status);
259 memzero(pEptViol,
sizeof(*pEptViol));
290 WARNING(
"[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
324 TRACE(
"[HOOK] Adding IDT protection (EPT) on CPU %d at 0x%016llx (limit 0x%x)...\n",
330 ERROR(
"[ERROR] IntHookObjectCreate failed: 0x%08x\n", status);
348 ERROR(
"[ERROR] Failed hooking IDT at 0x%016llx for CPU %d: 0x%08x\n",
381 TRACE(
"[HOOK] Adding IDT protection (Integrity) on CPU %d at 0x%016llx (limit 0x%x)...\n",
396 ERROR(
"[ERROR] Failed to add IDT to integrity checks: 0x%08x\n", status);
426 TRACE(
"[HOOK] Removing IDT protection (EPT) on CPU %d at 0x%016llx...\n", CpuNumber,
432 ERROR(
"[ERROR] Failed removing idt hook object: 0x%08x\n", status);
462 TRACE(
"[HOOK] Removing IDT protection (Integrity) on CPU %d at 0x%016llx...\n",
468 ERROR(
"[ERROR] IntIntegrityRemoveRegion failed: 0x%08x\n", status);
Measures kernel-mode exception checks.
#define DESCRIPTOR_SIZE_32
enum _INTRO_ACTION_REASON INTRO_ACTION_REASON
The reason for which an INTRO_ACTION was taken.
INTRO_CODEBLOCKS CodeBlocks
Code blocks extracted for the alert.
BOOLEAN Valid
Set to True if the information in the structure is valid, False otherwise.
QWORD IntAlertCoreGetFlags(QWORD ProtectionFlag, INTRO_ACTION_REASON Reason)
Returns the flags for an alert.
An internal error occurred (no memory, pages not present, etc.).
BOOLEAN IntPolicyCoreForceBetaIfNeeded(QWORD Flag, INTRO_ACTION *Action)
Checks if a forced action should be taken even if the log-only mode is active.
INTSTATUS IntKernVirtMemWrite(QWORD KernelGva, DWORD Length, void *Buffer)
Writes data to a guest kernel virtual memory range.
INTSTATUS IntHookObjectDestroy(HOOK_OBJECT_DESCRIPTOR **Object, DWORD Flags)
Destroy an entire hook object. All regions belonging to this object will be removed.
IG_ARCH_REGS Regs
The current state of the guest registers.
DWORD Index
The VCPU number.
MITRE_ID MitreID
The Mitre ID that corresponds to this attack.
static INTSTATUS IntWinIdtProtectOnCpuIntegrity(DWORD CpuNumber)
Protects the IDT on a guest CPU against writes using the integrity mechanism.
#define INT_STATUS_SUCCESS
BOOLEAN IntPolicyCoreTakeAction(QWORD Flag, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason)
Returns the action that should be taken for a core introspection option.
void * IdtIntegrityObject
The integrity region used to protect the IDT.
Event structure for integrity violations on monitored structures.
INTSTATUS IntIntegrityAddRegion(QWORD VirtualAddress, DWORD Length, INTRO_OBJECT_TYPE Type, void *Context, PFUNC_IntegrityViolationCallback Callback, BOOLEAN CopyContent, void **Descriptor)
Creates an INTEGRITY_REGION object and adds it to the gIntegrityRegions list.
WORD IdtLimit
The current IDT limit.
INTSTATUS IntWinIdtUnprotectAll(void)
Removes the IDT protection for all the guest CPUs.
#define INT_SUCCESS(Status)
QWORD Flags
A combination of ALERT_FLAG_* values describing the alert.
INTSTATUS IntResumeVcpus(void)
Resumes the VCPUs previously paused with IntPauseVcpus.
The action was not allowed because there was no reason to allow it.
void * IdtHookObject
The EPT hook object used to protect the IDT.
struct _EVENT_INTEGRITY_VIOLATION::@304 Victim
#define INT_STATUS_NOT_NEEDED_HINT
#define ALERT_FLAG_ASYNC
If set, the alert was generated in an async manner.
KERNEL_DRIVER * Driver
The driver that's modifying the memory.
struct _EVENT_EPT_VIOLATION::@283 Originator
int INTSTATUS
The status data type.
DWORD OSVersion
OS version.
#define INT_STATUS_NOT_FOUND
INTSTATUS IntWinIdtUnprotectOnCpu(DWORD CpuNumber)
Removes the IDT write protection for a CPU.
DWORD Offset
The offset of the modification.
Describes a kernel-mode originator.
PVCPU_STATE VcpuArray
Array of the VCPUs assigned to this guest. The index in this array matches the VCPU number...
static INTSTATUS IntWinIdtSendIntegrityAlert(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason)
Sends an introEventIntegrityViolation alert for an IDT entry.
#define VICTIM_IDT
Printable name used for introObjectTypeIdt.
INTSTATUS IntPauseVcpus(void)
Pauses all the guest VCPUs.
BYTE IdtEntry
The modified IDT entry. Valid only if Type is introObjectTypeIdt.
#define INTRO_OPT_PROT_KM_IDT
void IntAlertFillCpuContext(BOOLEAN CopyInstruction, INTRO_CPUCTX *CpuContext)
Fills the current CPU context for an alert.
struct _EXCEPTION_KM_ORIGINATOR::@63 Return
INTSTATUS IntWinIdtProtectAll(void)
Activates the IDT protection for all the guest CPUs.
void IntAlertFillVersionInfo(INTRO_VIOLATION_HEADER *Header)
Fills version information for an alert.
INTRO_VIOLATION_HEADER Header
The alert header.
INTRO_ACTION_REASON Reason
The reason for which Action was taken.
INTSTATUS IntAlertFillCodeBlocks(QWORD Rip, QWORD Cr3, BOOLEAN Execute, INTRO_CODEBLOCKS *CodeBlocks)
Fills the code blocks pattern for an alert.
GENERIC_ALERT gAlert
Global alert buffer.
INTSTATUS IntIntegrityRecalculate(INTEGRITY_REGION *IntegrityRegion)
Recalculates the hash and reads the original content again for a given region.
void IntAlertFillWriteInfo(const EXCEPTION_VICTIM_ZONE *Victim, INTRO_WRITE_INFO *WriteInfo)
Fills the write information for an alert.
DWORD Size
The size of the modified memory area.
void IntAlertEptFillFromVictimZone(const EXCEPTION_VICTIM_ZONE *Victim, EVENT_EPT_VIOLATION *EptViolation)
Fills the victim information inside an EPT alert.
INTRO_CPUCTX CpuContext
The context of the CPU that triggered the alert.
INTSTATUS IntNotifyIntroEvent(INTRO_EVENT_TYPE EventClass, void *Param, size_t EventSize)
Notifies the integrator about an introspection alert.
BOOLEAN Guest64
True if this is a 64-bit guest, False if it is a 32-bit guest.
INTSTATUS IntExceptGetVictimEpt(void *Context, QWORD Gpa, QWORD Gva, INTRO_OBJECT_TYPE Type, DWORD ZoneFlags, EXCEPTION_VICTIM_ZONE *Victim)
Fills an EXCEPTION_VICTIM_ZONE with relevant information from an EPT violation.
QWORD IdtBase
Original IDT base.
static INTSTATUS IntWinIdtUnprotectOnCpuIntergity(DWORD CpuNumber)
Removes the integrity protection for an IDT.
INTRO_MODULE Module
The module that modified the monitored region.
QWORD VirtualAddress
The guest virtual address which was modified.
#define INT_STATUS_INVALID_PARAMETER_4
INTRO_VIOLATION_HEADER Header
The alert header.
#define IS_KERNEL_POINTER_WIN(is64, p)
Checks if a guest virtual address resides inside the Windows kernel address space.
QWORD Gpa
The accessed guest physical address. Valid only for EPT exits.
INTSTATUS IntExceptGetVictimIntegrity(INTEGRITY_REGION *IntegrityRegion, DWORD *Offset, EXCEPTION_VICTIM_ZONE *Victim)
This function is used to get the information about the modified zone from the integrity region...
INTSTATUS IntWinIdtProtectOnCpu(DWORD CpuNumber)
Protects the IDT against writes on a CPU.
INTRO_EXEC_CONTEXT ExecContext
Information about the instruction that triggered the alert.
#define DESCRIPTOR_SIZE_64
#define INT_STATUS_ALREADY_INITIALIZED_HINT
INTSTATUS IntGuestGetIdtFromGla(QWORD Address, QWORD *IdtBase, QWORD *IdtLimit)
Checks if an address is inside one of the guest's IDTs.
Sent when an EPT violation triggers an alert. See EVENT_EPT_VIOLATION.
#define IDT_DESC_SIZE64
The size of a 64-bit interrupt descriptor.
static INTSTATUS IntWinIdtWriteHandler(void *Context, void *Hook, QWORD Address, INTRO_ACTION *Action)
Handles IDT modifications detected by the EPT mechanism. This is the EPT callback set by IntWinIdtPro...
DWORD CpuCount
The number of logical CPUs.
Describes the modified zone.
#define UNREFERENCED_PARAMETER(P)
struct _EXCEPTION_VICTIM_ZONE::@58::@60 WriteInfo
WCHAR Name[ALERT_PATH_MAX_LEN]
NULL-terminated string with a human-readable description of the modified object.
static INTSTATUS IntWinIdtUnprotectOnCpuEpt(DWORD CpuNumber)
Removes the EPT write protection for an IDT.
BOOLEAN Valid
Set to True if the information in the structure is valid, False otherwise.
enum _INTRO_ACTION INTRO_ACTION
Event actions.
QWORD Rip
The RIP from where the call to the exported function came.
INTSTATUS IntIntegrityRemoveRegion(void *Descriptor)
Removes an integrity region from the gIntegrityRegions list.
INTRO_WRITE_INFO WriteInfo
INTSTATUS(* PFUNC_EptViolationCallback)(void *Context, void *Hook, QWORD Address, INTRO_ACTION *Action)
EPT callback handler.
GUEST_STATE gGuest
The current guest state.
void IntAlertFillWinProcessByCr3(QWORD ProcessCr3, INTRO_PROCESS *EventProcess)
Saves information about a Windows process inside an alert. The process is searched by its kernel CR3...
#define _Function_class_(expr)
EVENT_INTEGRITY_VIOLATION Integrity
struct _EXCEPTION_KM_ORIGINATOR::@64 Original
struct _EVENT_INTEGRITY_VIOLATION::@302 Originator
INTRO_ACTION Action
The action that was taken as the result of this alert.
QWORD BaseAddress
The guest virtual address at which the monitored integrity region starts.
INTSTATUS IntHookObjectHookRegion(void *Object, QWORD Cr3, QWORD Gla, SIZE_T Length, BYTE Type, void *Callback, void *Context, DWORD Flags, HOOK_REGION_DESCRIPTOR **Region)
Hook a contiguous region of virtual memory inside the provided virtual address space.
INTSTATUS IntExceptGetOriginatorFromModification(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator)
This function is used for integrity violations to get the information about the kernel-mode originato...
#define INT_STATUS_NOT_INITIALIZED_HINT
INTRO_PROCESS CurrentProcess
The current process.
VCPU_STATE * gVcpu
The state of the current VCPU.
Sent for integrity violation alerts. See EVENT_INTEGRITY_VIOLATION.
INTRO_MODULE Module
The module that did the malicious access.
static INTSTATUS IntWinIdtProtectOnCpuEpt(DWORD CpuNumber)
Protects the IDT on a guest CPU against writes using an EPT hook.
EXCEPTION_VICTIM_INTEGRITY Integrity
Valid if the modified zone is Integrity.
Event structure for EPT violations.
static INTSTATUS IntWinIdtHandleModification(INTEGRITY_REGION *IntegrityRegion)
Handles IDT modifications detected by the integrity mechanism. This is the integrity callback set by ...
void IntAlertFillWinKmModule(const KERNEL_DRIVER *Driver, INTRO_MODULE *EventModule)
Saves kernel module information inside an alert.
#define IDT_DESC_SIZE32
The size of a 32-bit interrupt descriptor.
INTSTATUS IntExceptKernelGetOriginator(EXCEPTION_KM_ORIGINATOR *Originator, DWORD Options)
This function is used to get the information about the kernel-mode originator.
INTSTATUS IntAlertFillExecContext(QWORD Cr3, INTRO_EXEC_CONTEXT *ExecContext)
Fills the current execution context.
#define ZONE_WRITE
Used for write violation.
#define INT_STATUS_INVALID_PARAMETER_2
QWORD Gla
The accessed guest virtual address. Valid only for EPT exits.
INTSTATUS IntHookObjectCreate(DWORD ObjectType, QWORD Cr3, void **Object)
Create a new hook object.
void IntExcept(EXCEPTION_VICTIM_ZONE *Victim, void *Originator, EXCEPTION_TYPE Type, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason, INTRO_EVENT_TYPE EventClass)
This function is the entry point for the exception mechanism.
INTRO_MODULE ReturnModule
The module to which the current code returns.