- Generated by
1.8.13
|
Bitdefender Hypervisor Memory Introspection
|
This file confers protection against the infinity hook technique. More...
#include "wininfinityhook.h"#include "decoder.h"#include "hook.h"#include "winpe.h"#include "alerts.h"Go to the source code of this file.
Data Structures | |
| struct | _WIN_LOGGER_CTX_STATE |
Macros | |
| #define | WMI_PTR_MASK 0xFFFFFFFFFFFFFFFE |
Typedefs | |
| typedef struct _WIN_LOGGER_CTX_STATE | WIN_LOGGER_CTX_STATE |
| typedef struct _WIN_LOGGER_CTX_STATE * | PWIN_LOGGER_CTX_STATE |
Functions | |
| static INTSTATUS | IntWinInfHookIntegrityHandleWrite (QWORD OldValue, QWORD NewValue, INTEGRITY_REGION *IntegrityRegion, INTRO_ACTION *Action) |
| Handles a detected modification on GetCpuClock field inside the WMI_LOGGER_CONTEXT structure. More... | |
| static INTSTATUS | IntWinInfCheckCtxLoggerOnRelocation (void) |
| Checks the WMI_LOGGER_CONTEXT when the pointer to the old structure has changed in the EtwDebuggerDataSilo structure. More... | |
| static INTSTATUS | IntWinInfHookEptSppSendAlert (EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason) |
| Sends an alert for an EPT violation. Used only when SPP mechanism is supported. More... | |
| static INTSTATUS | IntWinInfHookEptSppHandleWrite (INTRO_ACTION *Action) |
| Handles a write detected through EPT over WMI_LOGGER_CONTEXT's GetCpuClock function pointer and takes an action based on the exceptions, sending an alert if necessary. More... | |
| static INTSTATUS | IntWinInfHookWmiGetCpuClockSppCallback (void *Context, void *Hook, QWORD Address, INTRO_ACTION *Action) |
| EPT callback for writes over WMI_LOGGER_CONTEXT's GetCpuClock. More... | |
| static INTSTATUS | IntWinInfHookWmiGetCpuClockSppStatsCallback (void *Context, void *Hook, QWORD Address, INTRO_ACTION *Action) |
| EPT callback for the SPP region on which exits will always occur on the GetCpuClock EPT hook. More... | |
| static INTSTATUS | IntWinInfHookHookSppWmiGetClock (void) |
| Establishes the EPT hook on the WMI_LOGGER_CONTEXT's GetCpuClock field. More... | |
| static INTSTATUS | IntWinInfHookSppViolationCallbackWmiPtrChanged (void *Context, void *Hook, QWORD Address, INTRO_ACTION *Action) |
| EPT callback for writes over the WMI_LOGGER_CONTEXT pointer inside the EtwDebuggerDataSilo structure. More... | |
| static INTSTATUS | IntWinInfHookSppWmiSiloStatsCallback (void *Context, void *Hook, QWORD Address, INTRO_ACTION *Action) |
| EPT callback for the SPP region on which exits will always occur on the EtwpDebuggerDataSilo EPT hook. More... | |
| static INTSTATUS | IntWinInfHookSppHookWmiSiloPtr (void) |
| Establishes the EPT hook on EtwpDebuggerDataSilo on the pointer to WMI_LOGGER_CONTEXT. More... | |
| static INTSTATUS | IntWinInfHookIntegritySendAlert (EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason) |
| Sends an integrity alert when a modification on WMI_LOGGER_CONTEXT's GetCpuClock has been detected through the integrity mechanism. More... | |
| static INTSTATUS | IntWinInfHookGetCpuClockIntegrityCallback (void *IntegrityRegion) |
| Function called whenever a modification has been detected through the integrity mechanism on WMI_LOGGER_CONTEXT's GetCpuClock field. More... | |
| INTSTATUS | IntWinInfHookSiloWmiPtrIntegrityCallback (void *IntegrityRegion) |
| Integrity callback for modifications over the WMI_LOGGER_CONTEXT pointer inside the EtwDebuggerDataSilo structure. More... | |
| static INTSTATUS | IntWinInfHookGetEtwpDebuggerData (QWORD *EtwpDebuggerData) |
| Finds the EtwpDebuggerData guest virtual address in the guest's kernel. More... | |
| static INTSTATUS | IntWinInfHookHandleSiloFirstWrite (void *Context, void *Hook, QWORD Address, INTRO_ACTION *Action) |
| EPT callback to handle the first write over EtwpDebuggerData, where the pointer of EtwDebuggerDataSilo should be. More... | |
| static INTSTATUS | IntWinInfHookGetCircularCtxLogger (QWORD *KernelCtxLogger) |
| Fetches the WMI_LOGGER_CONTEXT pointer from EtwDebuggerDataSilo, if possible. More... | |
| static INTSTATUS | IntWinInfHookGetWmiLoggerGetCpuClock (QWORD *GetCpuClockGva, QWORD *WmiLoggerCtx) |
| Gets the GetCpuClock field inside the WMI_LOGGER_CONTEXT structure, and the structure guest virtual address if needed. More... | |
| INTSTATUS | IntWinInfHookProtect (void) |
| This function initializes protection against infinity hook mechanism. More... | |
| INTSTATUS | IntWinInfHookUnprotect (void) |
| Removes the protection against infinity hook. More... | |
Variables | |
| WIN_LOGGER_CTX_STATE | gLoggerCtxState = { 0 } |
This file confers protection against the infinity hook technique.
The infinity hook technique consists in modifying the GetCpuClock field of the WMI_LOGGER_CONTEXT structure. By hooking this function pointer, one can then activate the Etw tracing mechanism on syscalls, meaning that, on every syscall, the GetCpuClock function will get called. In this manner, one can detour all the system calls, which can therefore be used for a variety of malicious purposes. In order to perform this technique, one must first search for the WMI_LOGGER_CONTEXT structure. One must start with the EtwpDebuggerData structure, which may be found through search for a specific hard coded pattern, namely "0x2c 0x08 0x04 0x38 0x0c", which is a signature at offset 2 inside this structure. After this, one should get the EtwpDebuggerDataSilo field, where the third pointer represents the WMI_LOGGER_CONTEXT structure for the Circular Kernel Context Logger used in Etw tracing. In order to protect this field, the introspection engine can either verify the GetCpuClock through the integrity mechanism, once every second, either hook the structure through EPT in order to trigger violations right when the pointer is modified. The last options would obviously cause a high performance impact, since the WMI_LOGGER_CONTEXT structure is a data structure, thus we will hook it through EPT only if the SPP support is present, minimizing the number of irrelevant writes.
Definition in file wininfinityhook.c.
| #define WMI_PTR_MASK 0xFFFFFFFFFFFFFFFE |
The WMI_LOGGER_CONTEXT pointer is always aligned to 0x10. The lower bits are used sometimes for other things and are not taken into consideration. For now it seems that only the first bit is set to signal that the logger should be closed. If it is set the kernel will call nt!EtwpCloseLogger at the very first nt!EtwpLogKernelEvent that is called. This mask is used in order to clear this bit for proper access to the WMI_LOGGER_CONTEXT structure.
Definition at line 41 of file wininfinityhook.c.
Referenced by IntWinInfCheckCtxLoggerOnRelocation(), IntWinInfHookGetWmiLoggerGetCpuClock(), IntWinInfHookSiloWmiPtrIntegrityCallback(), and IntWinInfHookSppViolationCallbackWmiPtrChanged().
| typedef struct _WIN_LOGGER_CTX_STATE * PWIN_LOGGER_CTX_STATE |
| typedef struct _WIN_LOGGER_CTX_STATE WIN_LOGGER_CTX_STATE |
Object containing the current state of the protected WMI_LOGGER_CONTEXT structure.
|
static |
Checks the WMI_LOGGER_CONTEXT when the pointer to the old structure has changed in the EtwDebuggerDataSilo structure.
As seen on various Windows versions, the WMI_LOGGER_CONTEXT structure tends to relocate in some cases. When a relocation occurs, we must check if the new pointer contains a GetCpuClock which can lead to malicious actions on the system. For this reason, if the GetCpuClock pointer is not inside the kernel or is not equal to the old known one we will handle the modification in the same manner in which a modification would be detected through the integrity mechanism, by calling IntWinInfHookIntegrityHandleWrite. If there is no known old pointer, we will also go through the exception mechanism to check the new pointer, and send an alert if necessary.
| INT_STATUS_SUCCESS | On success |
| INT_STATUS_NOT_INITIALIZED | If the current pointer is 0 or if the first bit in the pointer is set. See WMI_PTR_MASK for more details. |
Definition at line 105 of file wininfinityhook.c.
Referenced by IntWinInfHookProtect(), IntWinInfHookSiloWmiPtrIntegrityCallback(), and IntWinInfHookSppViolationCallbackWmiPtrChanged().
|
static |
Handles a write detected through EPT over WMI_LOGGER_CONTEXT's GetCpuClock function pointer and takes an action based on the exceptions, sending an alert if necessary.
| [in,out] | Action | A pointer to the INTRO_ACTION which is being taken by the exception mechanism. |
| INT_STATUS_SUCCESS | On success. |
Definition at line 278 of file wininfinityhook.c.
Referenced by IntWinInfHookWmiGetCpuClockSppCallback().
|
static |
Sends an alert for an EPT violation. Used only when SPP mechanism is supported.
When a write occurs on the GetCpuClock an EPT violation will occur when the SPP mechanism is supported (due to performance reasons). If, after checking the exceptions, the write is considered malicious, an alert will be sent through this function.
| [in] | Victim | The EXCEPTION_VICTIM_ZONE describing the victim, in this case the Circular Kernel Context Logger. |
| [in] | Originator | The EXCEPTION_KM_ORIGINATOR describing the originator who made the write, in this case a kernel driver. |
| [in] | Action | The action taken by the exception mechanism. |
| [in] | Reason | The reason why the exception mechanism took the given action. |
| INT_STATUS_SUCCESS | On success. |
Definition at line 217 of file wininfinityhook.c.
Referenced by IntWinInfHookEptSppHandleWrite().
Fetches the WMI_LOGGER_CONTEXT pointer from EtwDebuggerDataSilo, if possible.
Firstly, this function will get the EtwpDebuggerData structure, by searching it by a hard coded pattern through a call to IntWinInfHookGetEtwpDebuggerData. After that, it will check the EtwDebuggerDataSilo field in this structure. If it is 0, then an EPT hook will be set in order to be notified when this field is written and continue initialization. If it is initialized, then the WMI_LOGGER_CONTEXT will be fetched, which is the third pointer in the EtwpDebuggerDataSilo structure.
| [out] | KernelCtxLogger | The returned pointer to the WMI_LOGGER_CONTEXT structure. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_INITIALIZED_HINT | When the EtwpDebuggerDataSilo is not yet initialized. |
Definition at line 1278 of file wininfinityhook.c.
Referenced by IntWinInfHookGetWmiLoggerGetCpuClock().
|
static |
Function called whenever a modification has been detected through the integrity mechanism on WMI_LOGGER_CONTEXT's GetCpuClock field.
| [in] | IntegrityRegion | The INTEGRITY_REGION object associated with the protected field. |
| INT_STATUS_SUCCESS | On success. |
Definition at line 960 of file wininfinityhook.c.
Referenced by IntWinInfHookProtect(), and IntWinInfHookSiloWmiPtrIntegrityCallback().
Finds the EtwpDebuggerData guest virtual address in the guest's kernel.
This function will search for the pattern "0x2c 0x08 0x04 0x38 0x0c" inside the Windows kernel, first in the .data section, then in .rdata section, then in every section of the kernel if there was no address found in the first two. This is needed because on some Windows versions, such as Windows 7 x86, it seems that the EtwpDebuggerData structure resides at the end of .text section.
| [out] | EtwpDebuggerData | The returned virtual address of the EtwpDebuggerData structure. |
| INT_STATUS_SUCCESS | On success. |
Definition at line 1132 of file wininfinityhook.c.
Referenced by IntWinInfHookGetCircularCtxLogger().
|
static |
Gets the GetCpuClock field inside the WMI_LOGGER_CONTEXT structure, and the structure guest virtual address if needed.
The WMI_LOGGER_CONTEXT may not be initialized when this function is called, thus, the GetCpuClock will be considered to be equal to 0, and, during relocation checks, the zero value will mean that the mechanism does not know yet the actual GetCpuClock value.
| [out] | GetCpuClockGva | The returned value which is present inside WMI_LOGGER_CONTEXT's GetCpuClock field. |
| [out] | WmiLoggerCtx | The guest virtual address of the WMI_LOGGER_CONTEXT. This parameter is optional. |
| INT_STATUS_SUCCESS | On success. |
Definition at line 1368 of file wininfinityhook.c.
Referenced by IntWinInfHookProtect().
|
static |
EPT callback to handle the first write over EtwpDebuggerData, where the pointer of EtwDebuggerDataSilo should be.
On some Windows versions, the EtwpDebuggerDataSilo is not initialized at boot time directly, but a little bit later. For this purpose, we hook the EtwpDebuggerData structure in order to see when the EtwpDebuggerDataSilo pointer is written inside it. At this point we can continue infinity hook protection initialization on the next timer tick.
| [in] | Context | The user provided context set when the hook was established. |
| [in] | Hook | The EPT hook object for which the callback was called. |
| [in] | Address | The address on which the EPT violation occurred. |
| [in,out] | Action | A pointer to an INTRO_ACTION, which will always be set to introGuestAllowed, since this is a notification callback rather than a protection callback. |
| INT_STATUS_SUCCESS | On success. |
Definition at line 1216 of file wininfinityhook.c.
Referenced by IntWinInfHookGetCircularCtxLogger().
|
static |
Establishes the EPT hook on the WMI_LOGGER_CONTEXT's GetCpuClock field.
If OPT_SET_WMI_SPP_STATS is defined it will also set an EPT hook in order to measure the total number of writes in the SPP region in which the GetCpuClock field resides.
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_ALREADY_INITIALIZED | If the hook is already established. |
Definition at line 439 of file wininfinityhook.c.
Referenced by IntWinInfHookProtect(), and IntWinInfHookSppViolationCallbackWmiPtrChanged().
|
static |
Handles a detected modification on GetCpuClock field inside the WMI_LOGGER_CONTEXT structure.
Whenever a modification is detected on GetCpuClock, either by the integrity mechanism or when the WMI_LOGGER_CONTEXT is relocated by changing the pointer in the EtwDebuggerDataSilo structure, this function will be called in order to check the exceptions and, if the exception mechanism decides that the modification is malicious, it will send an alert through a subsequent call to IntWinInfHookIntegritySendAlert. Note that it has been observed on Windows 20h1 that the GetCpuClock is not a kernel pointer, but rather an index to an array of functions which can be called when GetCpuClock is needed. For now, this case is not handled.
| [in] | OldValue | The known value of GetCpuClock before the modification has been detected. |
| [in] | NewValue | The current modified value of GetCpuClock, which triggered the integrity mechanism or was detected on relocation. |
| [in] | IntegrityRegion | The INTEGRITY_REGION object for which the integrity mechanism has detected a modification. Will be NULL when called on WMI_LOGGER_CONTEXT relocation. |
| [in,out] | Action | A pointer to an INTRO_ACTION which will be completed by this function based on the decision of the exception mechanism. |
| INT_STATUS_SUCCESS | On success or when the current value does not reside in kernel. |
Definition at line 848 of file wininfinityhook.c.
Referenced by IntWinInfCheckCtxLoggerOnRelocation(), and IntWinInfHookGetCpuClockIntegrityCallback().
|
static |
Sends an integrity alert when a modification on WMI_LOGGER_CONTEXT's GetCpuClock has been detected through the integrity mechanism.
Every second the GetCpuClock field inside the WMI_LOGGER_CONTEXT will be checked to ensure that no modification was made on it, in the case when SPP is not supported, as normal EPT hooks will induce a major performance impact. If a modification was detected, the exceptions will be consulted, and if the modification is considered malicious, an alert will be sent through this function.
| [in] | Victim | The EXCEPTION_VICTIM_ZONE describing the victim, in this case the Circular Kernel Context Logger. |
| [in] | Originator | The EXCEPTION_KM_ORIGINATOR describing the originator who made the write, in this case a kernel driver. |
| [in] | Action | The action taken by the exception mechanism. |
| [in] | Reason | The reason why the exception mechanism took the given action. |
| INT_STATUS_SUCCESS | On success. |
Definition at line 769 of file wininfinityhook.c.
Referenced by IntWinInfHookIntegrityHandleWrite().
| INTSTATUS IntWinInfHookProtect | ( | void | ) |
This function initializes protection against infinity hook mechanism.
Called on timer once every second, it will try to initialize the infinity hook protection mechanism. If the initialization has already failed, the function will bail out. Note that this function might be called multiple times since EtwpDebuggerDataSilo may not be initialized and once everything is set up, it will try once again to initialize protection on timer when a write to the pointer in order to initialize it has been made.
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_ALREADY_INITIALIZED_HINT | When the protection is already initialized or it already failed to initialize. |
| INT_STATUS_NOT_NEEDED_HINT | When, based on the current options, the infinity hook protection is not activated. |
| INT_STATUS_NOT_INITIALIZED_HINT | When we don't have yet a kernel driver, thus the protection cannot be established yet. |
| INT_STATUS_ALREADY_INITIALIZED | When the hooks are already established but the protection is not considered initialized. Indicates an error in properly setting the gLoggerCtxState fields. |
Definition at line 1451 of file wininfinityhook.c.
Referenced by IntGuestUpdateCoreOptions(), and IntHandleTimer().
| INTSTATUS IntWinInfHookSiloWmiPtrIntegrityCallback | ( | void * | IntegrityRegion | ) |
Integrity callback for modifications over the WMI_LOGGER_CONTEXT pointer inside the EtwDebuggerDataSilo structure.
When a modification is detected on the WMI_LOGGER_CONTEXT pointer, this function will be called. It is needed to intercept modifications on this pointer in order to find when the WMI_LOGGER_CONTEXT is relocated, so that the integrity protection on GetCpuClock can be adjusted if needed. Also, it is a measure of protection in case of malicious relocations. For example, a malicious driver can change the pointer to a structure having the GetCpuClock function pointer already hooked. For this reasons, checks are made in order to determine whether the relocation is a malicious or not, and an alert will be sent if, after consulting the exception mechanism, it is decided that it is malicious. Note: Even if the relocation took place between two timer calls, and writes were done over the old WMI_LOGGER_CONTEXT virtual address, which is now most probably used for other purposes inside the guest, the EtwDebuggerDataSilo integrity callback will always be called before, as it is added in the integrity hook list before. This will ensure that this function can remove the GetCpuClock integrity region before actually checking modifications over it, so that we avoid false positives.
| [in] | IntegrityRegion | The INTEGRITY_REGION object associated with the region containing the WMI_LOGGER_CONTEXT pointer inside the EtwDebuggerDataSilo structure. |
| INT_STATUS_SUCCESS | On success. |
Definition at line 1029 of file wininfinityhook.c.
Referenced by IntWinInfHookProtect().
|
static |
Establishes the EPT hook on EtwpDebuggerDataSilo on the pointer to WMI_LOGGER_CONTEXT.
If OPT_SET_WMI_SPP_STATS it will also set an EPT hook in order to measure the total number of writes in the SPP region in which the WMI_LOGGER_CONTEXT pointer resides.
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_ALREADY_INITIALIZED | If the hook is already established. |
| INT_STATUS_NOT_SUPPORTED | If SPP is not supported, as without SPP mechanism the hook will induce a major performance impact. |
Definition at line 683 of file wininfinityhook.c.
Referenced by IntWinInfHookProtect().
|
static |
EPT callback for writes over the WMI_LOGGER_CONTEXT pointer inside the EtwDebuggerDataSilo structure.
When a write occurs over the WMI_LOGGER_CONTEXT pointer, this function will be called. It is needed to intercept writes over this pointer in order to find when the WMI_LOGGER_CONTEXT is relocated, so that the EPT hook on GetCpuClock can be adjusted if needed. Also, it is a measure of protection in case of malicious relocations. For example, a malicious driver can change the pointer to a structure having the GetCpuClock function pointer already hooked. For this reasons, checks are made in order to determine whether the relocation is a malicious or not, and an alert will be sent if, after consulting the exception mechanism, it is decided that it is malicious.
| [in] | Context | The user provided context set when the hook was established. |
| [in] | Hook | The EPT hook object for which the callback was called. |
| [in] | Address | The address on which the EPT violation occurred. |
| [in,out] | Action | A pointer to an INTRO_ACTION, which will always be set to introGuestAllowed, as the relocation must occur, but the GetCpuClock will be overwritten with the original value if the relocation is considered malicious. |
| INT_STATUS_SUCCESS | On success. |
Definition at line 518 of file wininfinityhook.c.
Referenced by IntWinInfHookSppHookWmiSiloPtr().
|
static |
EPT callback for the SPP region on which exits will always occur on the EtwpDebuggerDataSilo EPT hook.
This function will be called when any write in the range [EtwpDebuggerDataSilo & 0x80, EtwpDebuggerDataSilo & 0x80 + 0x80] is made, in order to measure the total number of writes in the SPP region. Used only for statistics, when OPT_SET_WMI_SPP_STATS is defined.
| [in] | Context | The user provided context set when the hook was established. |
| [in] | Hook | The EPT hook object for which the callback was called. |
| [in] | Address | The address on which the EPT violation occurred. |
| [in,out] | Action | A pointer to an INTRO_ACTION, which will always be set to introGuestAllowed as this callback is used only for statistics. |
| INT_STATUS_SUCCESS | On success. |
Definition at line 639 of file wininfinityhook.c.
Referenced by IntWinInfHookSppHookWmiSiloPtr().
| INTSTATUS IntWinInfHookUnprotect | ( | void | ) |
Removes the protection against infinity hook.
It will remove all the established hooks, and reset the state. Note that the FailedToInitialize field in gLoggerCtxState will remain in the same value, in order to avoid retrying to establish the hooks if the protection failed if there are protection flags changes which disable and then re-enable the infinity hook protection.
| INT_STATUS_SUCCESS | On success. |
Definition at line 1611 of file wininfinityhook.c.
Referenced by IntGuestUpdateCoreOptions(), and IntWinInfHookProtect().
|
static |
EPT callback for writes over WMI_LOGGER_CONTEXT's GetCpuClock.
This function serves as a wrapper for IntWinInfHookEptSppHandleWrite, also increasing the number of interesting writes for the purpose of measuring the improvements which SPP mechanism brings.
| [in] | Context | The user provided context set when the hook was established. |
| [in] | Hook | The EPT hook object for which the callback was called. |
| [in] | Address | The address on which the EPT violation occurred. |
| [in,out] | Action | A pointer to an INTRO_ACTION, which is to be completed based on the exception mechanism decision. |
| INT_STATUS_SUCCESS | On success. |
Definition at line 354 of file wininfinityhook.c.
Referenced by IntWinInfHookHookSppWmiGetClock().
|
static |
EPT callback for the SPP region on which exits will always occur on the GetCpuClock EPT hook.
This function will be called when any write in the range [WMI_LOGGER_CONTEXT & 0x80, WMI_LOGGER_CONTEXT & 0x80 + 0x80] is made, in order to measure the total number of writes in the SPP region. Used only for statistics, when OPT_SET_WMI_SPP_STATS is defined.
| [in] | Context | The user provided context set when the hook was established. |
| [in] | Hook | The EPT hook object for which the callback was called. |
| [in] | Address | The address on which the EPT violation occurred. |
| [in,out] | Action | A pointer to an INTRO_ACTION, which will always be set to introGuestAllowed as this callback is used only for statistics. |
| INT_STATUS_SUCCESS | On success. |
Definition at line 397 of file wininfinityhook.c.
Referenced by IntWinInfHookHookSppWmiGetClock().
| WIN_LOGGER_CTX_STATE gLoggerCtxState = { 0 } |
Global structure containing the state of the WMI_LOGGER_CONTEXT structure protection.
Definition at line 92 of file wininfinityhook.c.
1.8.13