29 #define CMDLINE_LEN_NO_SCAN ALERT_CMDLINE_MAX_LEN 37 #define CMDLINE_MAX_LEN (WORD_MAX - 1) 87 .FullPathPattern = u
"c:\\windows\\system32\\smss.exe",
88 .FullNamePattern = u
"smss.exe" 92 .ImageBaseNamePattern =
"csrss.exe",
94 .FullPathPattern = u
"c:\\windows\\system32\\csrss.exe",
95 .FullNamePattern = u
"csrss.exe" 99 .ImageBaseNamePattern =
"wininit.exe",
101 .FullPathPattern = u
"c:\\windows\\system32\\wininit.exe",
102 .FullNamePattern = u
"wininit.exe" 106 .ImageBaseNamePattern =
"winlogon.exe",
108 .FullPathPattern = u
"c:\\windows\\system32\\winlogon.exe",
109 .FullNamePattern = u
"winlogon.exe" 113 .ImageBaseNamePattern =
"lsass.EXE",
115 .FullPathPattern = u
"c:\\windows\\system32\\lsass.EXE",
116 .FullNamePattern = u
"lsass.exe" 120 .ImageBaseNamePattern =
"services.EXE",
122 .FullPathPattern = u
"c:\\windows\\system32\\services.EXE",
123 .FullNamePattern = u
"services.exe" 136 .FullPathPattern = u
"c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
137 .FullNamePattern = u
"powershell.exe" 209 WARNING(
"[WARNING] MitigationFlags2 Offset in Eprocess is not known for Windows version %d!\n",
215 memcpy(&flags2, Eprocess +
WIN_KM_FIELD(Process, MitigationFlags2),
sizeof(flags2));
217 TRACE(
"[WINPROC] Process @ 0x%016llx has Mitigation Flags 2 = 0x%08x\n", EprocessAddress, flags2.
Flags);
219 return flags2.
Flags != 0;
240 Process->EnforcedDep =
FALSE;
243 if (!Process->ProtExploits)
269 ERROR(
"[ERROR] Failed fetching the _KEXECUTE_OPTIONS from %llx: 0x%08x\n", Process->EprocessAddress, status);
280 ERROR(
"[ERROR] Failed patching the _KEXECUTE_OPTIONS at %llx: 0x%08x\n", Process->EprocessAddress, status);
284 Process->EnforcedDep =
TRUE;
308 if (!Process->Protected)
310 memcpy(c, &Process->OriginalSpareValue, 2);
317 if (Process->MonitorVad)
322 if (Process->ProtWriteMem)
332 if (Process->ProtThreadCtx)
337 if (Process->ProtQueueApc)
342 if (Process->ProtInstrument)
349 Process->EprocessAddress +
WIN_KM_FIELD(Process, Spare),
355 ERROR(
"[ERROR] IntVirtMemSafeWrite failed: 0x%08x\n", status);
383 c = Mark ?
'?' :
'\0';
386 Process->EprocessAddress +
WIN_KM_FIELD(Process, Name) + 14,
392 ERROR(
"[ERROR] IntVirtMemSafeWrite failed: 0x%08x\n", status);
419 if (!Process->IsAgent)
425 memzero(pAgentEvent,
sizeof(*pAgentEvent));
428 pAgentEvent->
AgentTag = Process->AgentTag;
432 pAgentEvent->
ErrorCode = Process->ExitStatus;
440 WARNING(
"[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
475 memzero(pProcEvent,
sizeof(*pProcEvent));
499 WARNING(
"[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
529 if (0 == Process->LastException)
534 LOG(
"[PROCESS] Last exception encountered in %s: 0x%08x @ RIP 0x%016llx\n",
535 Process->Name, Process->LastException, Process->LastExceptionRip);
538 memzero(pExceptionEvent,
sizeof(*pExceptionEvent));
540 pExceptionEvent->
Continuable = Process->LastExceptionContinuable;
542 pExceptionEvent->
Rip = Process->LastExceptionRip;
549 WARNING(
"[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
629 if (NULL == Subsystem)
634 listMod = Subsystem->ProcessModules.
Flink;
635 while (listMod != &Subsystem->ProcessModules)
639 listMod = listMod->
Flink;
683 PCHAR pCmdLine = NULL;
711 if (NULL == pCmdLine)
719 TRACE(
"[PROCESS] Process `%s` with PID %d and EPROCESS `0x%016llx` started with command line `%s`\n",
723 if (0 == strcasecmp(pProcess->
Name,
"chrome.exe"))
725 #define NACL_CMD_LINE "--type=nacl-loader" // NaCl processes have this switch in the command line 729 LOG(
"[WINPROC] Process `%s` (%d) with command line `%s` has NaCl enabled!\n",
740 ERROR(
"[ERROR] IntWinPsInspectCommandLine failed: 0x%x\n", status);
803 readLength =
MIN(readLength, pUsCmdLine->
Length);
810 readLength =
MIN(readLength, pUsCmdLine->
Length);
818 ERROR(
"[ERROR] IntSwapMemReadData failed: 0x%x\n", status);
853 QWORD usersParamsGva;
875 usersParamsGva = *(
DWORD *)Data;
881 usersParamsGva = *(
QWORD *)Data;
892 ERROR(
"[ERROR] IntSwapMemReadData failed: 0x%x\n", status);
922 if (0 == Process->Peb32Address)
924 WARNING(
"[WARNING] Peb32 is NULL!\n");
929 readSize =
sizeof(
DWORD);
933 if (0 == Process->Peb64Address)
935 WARNING(
"[WARNING] Peb64 is NULL!\n");
941 readSize =
sizeof(
QWORD);
949 ERROR(
"[ERROR] IntSwapMemReadData failed: 0x%x\n", status);
978 pivot = FullPath + fplen;
983 }
while ((pivot >= FullPath) && (*pivot != u
'\\'));
989 for (i = 0; (i < 15) && (pivot[i] != 0); i++)
991 BaseName[i] = (
CHAR)pivot[i];
1030 for (
DWORD i = 0; i <
ARRAYSIZE(gWinForcedProtectedProcesses); i++)
1036 return &gWinForcedProtectedProcesses[i];
1040 list = gWinProtectedProcesses.
Flink;
1041 while (list != &gWinProtectedProcesses)
1060 return &gSystemProcesses[i];
1086 const WCHAR *fullName;
1096 for (
DWORD i = 0; i <
ARRAYSIZE(gWinForcedProtectedProcesses); i++)
1104 match = match &&
IntMatchPatternUtf16(gWinForcedProtectedProcesses[i].FullNamePattern, fullName, 0);
1108 return &gWinForcedProtectedProcesses[i];
1112 list = gWinProtectedProcesses.
Flink;
1113 while (list != &gWinProtectedProcesses)
1152 return &gSystemProcesses[i];
1173 while (pList != &gWinProcesses)
1179 pList = pList->
Flink;
1187 if (NULL != pProc->
Path)
1196 if (NULL != pProtInfo)
1213 LOG(
"[PROCESS] Changing protection flags for process %s (Eprocess %llx): 0x%x -> 0x%x\n",
1224 ERROR(
"[ERROR] IntWinProcUnprotect failed: 0x%08x\n", status2);
1238 LOG(
"[PROCESS] Process %s (Eprocess %llx) has already started, will activate static protection\n",
1250 ERROR(
"[ERROR] IntWinProcActivateProtection failed: 0x%x\n", status);
1258 LOG(
"[PROCESS] Deactivating protection for process %s (Pid %d, Cr3 0x%016llx)\n",
1264 ERROR(
"[ERROR] IntWinProcUnhookProcess failed for 0x%016llx (Cr3 0x%016llx): 0x%08x\n",
1297 if (NULL != duplicate)
1301 ERROR(
"[ERROR] Duplicate process for CR3 0x%016llx: '%s', will remove it.\n", Cr3, duplicate->
Name);
1306 ERROR(
"[ERROR] IntWinProcDeleteProcessObject failed: 0x%08x\n", status);
1311 if (NULL != duplicate)
1315 ERROR(
"[ERROR] Duplicate process for EPROCESS 0x%016llx: '%s', will remove it.\n", Eprocess, duplicate->
Name);
1320 ERROR(
"[ERROR] IntWinProcDeleteProcessObject failed: 0x%08x\n", status);
1349 Process->UserCr3 = *(
QWORD const *)(EprocessBuffer +
WIN_KM_FIELD(Process, UserCr3));
1353 Process->UserCr3 = Process->Cr3;
1358 if (Process->Pid != 4)
1360 Process->UserCr3 = Process->Cr3 | 0x20;
1364 Process->UserCr3 = Process->Cr3;
1370 Process->UserCr3 = Process->Cr3;
1398 ERROR(
"[ERROR] IntWinPfnLockGpa failed for process '%s', eprocess %llx, cr3 %llx: 0x%08x\n",
1399 Process->Name, Process->EprocessAddress, Process->Cr3, status);
1406 if ((Process->UserCr3 != Process->Cr3) && (Process->UserCr3 >=
PAGE_SIZE))
1411 ERROR(
"[ERROR] IntWinPfnLockGpa failed for process '%s', eprocess %llx, user cr3 %llx: 0x%08x\n",
1412 Process->Name, Process->EprocessAddress, Process->UserCr3, status);
1441 if (NULL != Process->Cr3PageLockObject)
1446 ERROR(
"[ERROR] IntWinPfnRemoveLock failed: 0x%08x\n", status);
1449 Process->Cr3PageLockObject = NULL;
1452 if (NULL != Process->UserCr3PageLockObject)
1457 ERROR(
"[ERROR] IntWinPfnRemoveLock failed: 0x%08x\n", status);
1460 Process->UserCr3PageLockObject = NULL;
1494 if ((NULL != Parent) && (Parent->SystemProcess))
1496 if (0 == strcasecmp(
"services.exe", Parent->Name))
1498 WARNING(
"[WARNING] Process '%s' is started by services.exe! Will not be flagged as system!\n",
1503 Process->SystemProcess =
TRUE;
1506 else if (NULL == Parent && 0 == Process->ParentEprocess)
1516 Process->SystemProcess =
TRUE;
1520 if (!Process->SystemProcess)
1525 WARNING(
"[WARNING] Process '%s' is not in fact system; parent is 0x%016llx\n",
1526 Process->Name, Process->ParentEprocess);
1533 ERROR(
"[ERROR] IntVirtMemSafeWrite failed: 0x%08x\n", status);
1590 if (NULL == Process)
1595 if (0 == EprocessAddress)
1600 if (NULL == EprocessBuffer)
1625 if ((pProc->
Name[0] == 0) && (4 == Pid))
1654 goto cleanup_and_exit;
1693 ERROR(
"[ERROR] IntKernVirtMemFetchQword failed for %llx (EWOW64): 0x%08x\n",
1697 goto cleanup_and_exit;
1729 ERROR(
"[ERROR] IntWinTokenPrivsProtectOnProcess failed: 0x%08x\n", status);
1735 WARNING(
"[WARNING] IntWinSDProtectSecDesc failed: 0x%08x\n", status);
1744 ERROR(
"[ERROR] IntKernVirtMemRead failed: 0x%08x\n", status);
1745 goto cleanup_and_exit;
1750 WARNING(
"[WARNING] Spare value for eprocess 0x%016llx at offset %x is not 0! (0x%04x)\n",
1758 if (protTokenPtr && !StaticScan)
1760 if (pParent != NULL)
1765 WARNING(
"[WARNING] IntWinTokenPtrCheckIntegrityOnProcess failed for parent 0x%016llx: 0x%x\n",
1770 if (pRealParent != NULL)
1775 WARNING(
"[WARNING] IntWinTokenPtrCheckIntegrityOnProcess failed for real parent 0x%016llx: 0x%x\n",
1781 if (protTokenPrivs && !StaticScan)
1783 if (pParent != NULL)
1788 WARNING(
"[WARNING] IntWinTokenPrivsCheckIntegrityOnProcess failed for parent 0x%016llx: 0x%x\n",
1793 if (pRealParent != NULL)
1798 WARNING(
"[WARNING] IntWinTokenPrivsCheckIntegrityOnProcess failed for real parent 0x%016llx: 0x%x\n",
1811 WARNING(
"[WARNING] Possible System CR3 (0x%016llx) mismatch: " 1812 "System process (0x%016llx) has CR3 0x%016llx\n",
1820 if (0 == strcasecmp(pProc->
Name,
"services.exe"))
1825 ERROR(
"[ERROR] IntAgentEnableInjection failed: 0x%08x\n", status);
1831 ERROR(
"[ERROR] IntWinGuestFindDriversNamespace: 0x%08x\n", status);
1840 if (0 == strcasecmp(pProc->
Name,
"lsass.exe"))
1855 ERROR(
"[ERROR] IntWinProcCreateProcessSubsystem failed: 0x%08x\n", status);
1856 goto cleanup_and_exit;
1865 TRACE(
"------------> Special case %s (0x%016llx) / 32 -> %s (0x%016llx) / 64\n",
1879 ERROR(
"[ERROR] IntWinProcCreateProcessSubsystem failed: 0x%08x\n", status);
1880 goto cleanup_and_exit;
1894 if (NULL != pProtInfo)
1915 ERROR(
"[ERROR] IntWinProcReadCommandLine failed: 0x%x\n", status);
1927 ERROR(
"[ERROR] IntWinProcReadCommandLine failed: 0x%x\n", status);
1948 TRACE(
"[WINPROC] Process `%s` has Exploit Guard %s\n",
1964 ERROR(
"[ERROR] IntWinProcGetAndCheckSelfMapEntry failed: 0x%08x\n", status);
1973 ERROR(
"[ERROR] IntWinProcProtectSelfMapIndex failed: 0x%08x\n", status);
1982 ERROR(
"[ERROR] IntWinProcProtect failed: 0x%08x\n", status);
1993 ERROR(
"[ERROR] IntWinProcImportMainModuleVad failed: 0x%08x\n", status);
2000 ERROR(
"[ERROR] IntWinProcSendProcessEvent failed: 0x%08x\n", status);
2006 ERROR(
"[ERROR] IntWinProcSendAgentEvent failed: 0x%08x\n", status);
2009 TRACE(
"[PROCESS] '%s' (%08x), path %s, pid %d, EPROCESS 0x%016llx, CR3 0x%016llx, " 2010 "UserCR3 0x%016llx, parent at 0x%016llx/0x%016llx; %s, %s %s\n",
2047 if (NULL != Process->Cr3PageLockObject)
2052 ERROR(
"[ERROR] IntWinPfnRemoveLock failed: 0x%08x\n", status);
2055 Process->Cr3PageLockObject = NULL;
2058 if (NULL != Process->UserCr3PageLockObject)
2063 ERROR(
"[ERROR] IntWinPfnRemoveLock failed: 0x%08x\n", status);
2066 Process->UserCr3PageLockObject = NULL;
2071 Process->EprocessAddress +
WIN_KM_FIELD(Process, Spare),
2073 &Process->OriginalSpareValue,
2077 ERROR(
"[ERROR] IntKernVirtMemWrite failed: 0x%08x\n", status);
2081 if (NULL != Process->CmdBufSwapHandle)
2086 ERROR(
"[ERROR] IntSwapMemRemoveTransaction failed: 0x%08x\n", status);
2089 Process->CmdBufSwapHandle = NULL;
2092 if (NULL != Process->CmdLineSwapHandle)
2097 ERROR(
"[ERROR] IntSwapMemRemoveTransaction failed: 0x%08x\n", status);
2100 Process->CmdLineSwapHandle = NULL;
2103 if (NULL != Process->ParamsSwapHandle)
2108 ERROR(
"[ERROR] IntSwapMemRemoveTransaction failed: 0x%08x\n", status);
2111 Process->ParamsSwapHandle = NULL;
2114 if (NULL != Process->Subsystemx64)
2119 ERROR(
"[ERROR] IntWinProcRemoveSubsystem failed: 0x%08x\n", status);
2122 Process->Subsystemx64 = NULL;
2125 if (NULL != Process->Subsystemx86)
2130 ERROR(
"[ERROR] IntWinProcRemoveSubsystem failed: 0x%08x\n", status);
2133 Process->Subsystemx86 = NULL;
2136 if (NULL != Process->MainModuleVad)
2151 ERROR(
"[ERROR] IntSwapMemRemoveTransactionsForVaSpace failed: 0x%08x\n", status);
2154 if (NULL != Process->VadPages)
2159 if (NULL != Process->CommandLine)
2196 while (list != &gWinProcesses)
2229 ERROR(
"[ERROR] IntKernVirtMemFetchDword failed for 0x%016llx: 0x%08x\n",
2234 bCrashed = 0 != (
WIN_KM_FIELD(EprocessFlags, 3Crashed) & flags3);
2244 ERROR(
"[ERROR] IntKernVirtMemFetchDword failed for 0x%016llx: 0x%08x\n",
2245 EprocessAddress +
WIN_KM_FIELD(Process, ExitStatus), status);
2251 TRACE(
"[PROCESS] Process `%d` with Eprocess at 0x%016llx and Cr3 0x%016llx crashed.\n",
2258 TRACE(
"[PROCESS] '%s', pid %d, EPROCESS 0x%016llx, CR3 0x%016llx, UserCR3 0x%016llx just terminated\n",
2264 ERROR(
"[ERROR] IntWinProcSendProcessExceptionEvent failed: 0x%08x\n", status);
2270 ERROR(
"[ERROR] IntWinProcSendProcessEvent failed: 0x%08x\n", status);
2278 ERROR(
"[ERROR] IntWinProcSendAgentEvent failed: 0x%08x\n", status);
2287 ERROR(
"[ERROR] IntWinProcUnprotectSelfMapIndex failed: 0x%08x\n", status);
2295 ERROR(
"[ERROR] IntWinProcUnprotect failed: 0x%08x\n", status);
2305 ERROR(
"[ERROR] IntWinTokenPrivsCheckIntegrityOnProcess failed: 0x%08x\n", status);
2315 ERROR(
"[ERROR] IntWinProcTokenCheckIntegrityInternal failed: 0x%08x\n", status);
2322 ERROR(
"[ERROR] IntWinSelfMapGetAndCheckSelfMapEntry failed: 0x%08x\n", status);
2328 ERROR(
"[ERROR] IntWinProcRemoveProcess failed: 0x%08x\n", status);
2349 _In_ void *Descriptor
2367 DWORD offsetRetn = 0x09;
2374 pHandler->
Code[offsetRetn] = 0x1C;
2379 pHandler->
Code[offsetRetn] = 0x20;
2390 _In_ void *Descriptor
2404 DWORD offset = 0x01;
2405 BYTE instruction[7] = { 0 };
2409 instruction[0] = 0x48;
2410 instruction[1] = 0x8b;
2415 instruction[2] = 0x83;
2419 instruction[2] = 0x87;
2423 instruction[2] = 0x86;
2427 instruction[1] = 0x85;
2436 memcpy(pHandler->
Code + offset, instruction,
sizeof(instruction));
2446 _In_ void *Descriptor
2460 BYTE instruction[6] = { 0 };
2461 DWORD offset = 0x01;
2465 instruction[0] = 0x8b;
2470 instruction[1] = 0x86;
2474 instruction[1] = 0x83;
2478 instruction[1] = 0x87;
2487 memcpy(pHandler->
Code + offset, instruction,
sizeof(instruction));
2521 QWORD cr3, realParentEproc;
2522 PBYTE eprocessBuffer = NULL;
2527 pProc = pParent = NULL;
2532 ERROR(
"[ERROR] IntWinProcMapEprocess failed: 0x%08x\n", status);
2533 goto _set_action_and_leave;
2549 if (NULL == pParent)
2558 else if (NULL == pParent)
2560 CRITICAL(
"[ERROR] Both the real parent (Cr3 = 0x%016llx) and the parent " 2561 "(eprocess = 0x%016llx) are NULL for pid %d!\n", pRegs->
Cr3, ParentEprocess, pid);
2563 goto _cleanup_and_leave;
2570 realParentEproc, cr3, pid,
FALSE);
2573 ERROR(
"[ERROR] IntWinProcCreateProcessObject failed: 0x%08x\n", status);
2574 goto _cleanup_and_leave;
2579 INFO(
"[INFO] Process %s (%d/0x%016llx) doesn't have either parent or real parent, will skip all checks\n",
2581 goto _cleanup_and_leave;
2602 _set_action_and_leave:
2626 QWORD args[3] = { 0 };
2627 QWORD eprocess, parentEproc;
2628 QWORD possibleDebugHandle;
2635 ERROR(
"[ERROR] IntDetGetArguments failed: 0x%08x\n", status);
2640 parentEproc = args[1];
2641 possibleDebugHandle = args[2];
2644 if (newProc == NULL)
2646 ERROR(
"[ERROR] IntWinProcHandleCreateInternal failed for 0x%016llx\n", eprocess);
2657 ERROR(
"[ERROR] IntWinProcDeleteProcessObject failed: 0x%08x\n", status);
2673 ERROR(
"[ERROR] IntSetGprs failed: 0x%08x\n", status);
2699 QWORD eprocess, pdbrBase;
2707 ERROR(
"[ERROR] IntDetGetArgument failed: 0x%08x\n", status);
2708 goto cleanup_and_exit;
2714 ERROR(
"[ERROR] IntKernVirtMemFetchDword failed: 0x%08x\n", status);
2715 goto cleanup_and_exit;
2722 ERROR(
"IntKernVirtMemFetchQword failed for 0x%016llx: 0x%08x\n",
2724 goto cleanup_and_exit;
2729 pdbrBase &= 0xFFFFFFFF;
2735 ERROR(
"[ERROR] IntWinProcDeleteProcessObject failed for EPROCESS %llx, CR3 %llx, pid %d: 0x%08x\n",
2736 eprocess, pdbrBase, pid, status);
2749 _In_ void *Descriptor
2813 QWORD srcEnd = SourceAddress + ReadSize - 1;
2818 if (Lsass->Subsystemx64)
2820 head = &Lsass->Subsystemx64->ProcessModules;
2824 head = &Lsass->Subsystemx86->ProcessModules;
2829 while (list != head)
2837 (SourceAddress < pLsassMod->VirtualBase + pLsassMod->
Size)) ||
2839 (srcEnd < pLsassMod->VirtualBase + pLsassMod->
Size)))
2847 *VictimModule = pLsassMod;
2849 if (NULL != pLsassMod)
2889 QWORD srcCr3, dstCr3;
2890 QWORD srcEproc, dstEproc;
2891 QWORD srcAddress, dstAddress;
2902 pSrcProc = pDstProc = NULL;
2913 goto cleanup_and_exit;
2919 ERROR(
"[ERROR] IntDetGetArguments failed: 0x%08x\n", status);
2920 goto cleanup_and_exit;
2924 srcAddress = args[1];
2926 dstAddress = args[3];
2927 size = (
DWORD)args[4];
2932 goto cleanup_and_exit;
2936 if (NULL == pDstProc)
2939 WARNING(
"[WARNING] IntWinProcFindObjectByEprocess failed for process 0x%016llx, " 2940 "current CR3 0x%016llx: 0x%08x\n",
2941 dstEproc, pRegs->
Cr3, status);
2943 goto cleanup_and_exit;
2947 if (NULL == pSrcProc)
2949 goto cleanup_and_exit;
2952 dstCr3 = pDstProc->
Cr3;
2954 srcCr3 = pSrcProc->
Cr3;
2958 if (srcCr3 == dstCr3)
2961 goto cleanup_and_exit;
2964 if (dstCr3 == pRegs->
Cr3)
2978 if (isRead && pDstProc->
IsAgent)
2986 if (pSrcProc->
Lsass && isRead)
3014 if (0 == strcasecmp(pSrcProc->
Name,
"csrss.exe"))
3020 goto check_injection;
3045 pSrcProc = pDstProc;
3048 auxaddr = srcAddress;
3049 srcAddress = dstAddress;
3050 dstAddress = auxaddr;
3053 memzero(&originator,
sizeof(originator));
3054 memzero(&victim,
sizeof(victim));
3064 ERROR(
"[ERROR] Failed getting originator: 0x%08x\n", status);
3065 goto _stop_count_and_notify;
3074 ERROR(
"[ERROR] Failed getting modified zone: 0x%08x\n", status);
3075 goto _stop_count_and_notify;
3083 WARNING(
"[WARNING] Injection (read: %d) from %s (%u) into %s " 3084 "(%u) for VA %llx with ""size %d (which has no VAD)!\n",
3085 isRead, pSrcProc->
Name, pSrcProc->
Pid, pDstProc->
Name,
3086 pDstProc->
Pid, dstAddress, size);
3088 for (
QWORD currentDst = dstAddress; currentDst < dstAddress + size;)
3093 WARNING(
"[WARNING] Vad-> [%llx -> %llx] (path: %s, stack: %d)\n",
3107 _stop_count_and_notify:
3115 LOG(
"[WINPROCESS] Suspicious read from lsass.exe: %s from process %s at address %llx:%d\n",
3123 memzero(pInjEvent,
sizeof(*pInjEvent));
3125 LOG(
"[ALERT] [INJECTION DETECTED] Injection took place from EPROCESS 0x%016llx with CR3 0x%016llx in " \
3126 "EPROCESS 0x%016llx with CR3 0x%016llx. CR3: 0x%016llx, IsRead: %s\n",
3127 srcEproc, srcCr3, dstEproc, dstCr3, pRegs->
Cr3, isRead ?
"yes" :
"no");
3132 if (isRead && isLsass)
3170 if (pModule != NULL)
3217 WARNING(
"[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
3229 if (pDstProc != NULL)
3239 ERROR(
"[ERROR] IntDetSetReturnValue failed: 0x%08x\n", status);
3261 if (NULL == Process)
3266 if (Process->Protected)
3271 Process->Context = 0;
3277 ERROR(
"[ERROR] IntWinProcChangeProtectionFlags failed: 0x%08x\n", status);
3302 if (NULL == Process)
3307 if (!Process->Protected)
3319 WARNING(
"[WARNING] Not enough heap is available. Will NOT protect the process '%s'.\n", Process->Name);
3321 goto cleanup_and_exit;
3324 TRACE(
"[PROCESS] Protecting process %s with CR3 0x%016llx, EPROC 0x%016llx, WOW64 %d, PEB at 0x%016llx," \
3325 "PEB32 at 0x%016llx, Parent 0x%016llx, ProtMask: 0x%08x, the process is %s.\n",
3328 Process->EprocessAddress,
3329 Process->Wow64Process,
3330 Process->Peb64Address,
3331 Process->Peb32Address,
3332 Process->ParentEprocess,
3333 Process->ProtectionMask,
3334 Process->StaticDetected ?
"already created" :
"being created");
3340 ERROR(
"[ERROR] IntWinProcChangeProtectionFlags failed: 0x%08x\n", status);
3341 goto cleanup_and_exit;
3354 ERROR(
"[ERROR] IntWinProcUnprotect failed: 0x%08x\n", status2);
3417 if (4 != pProc->
Pid)
3419 ERROR(
"[ERROR] First process is not System: PID = %d\n", pProc->
Pid);
3430 ERROR(
"[ERROR] IntTranslateVirtualAddressEx failed: 0x%08x\n", status);
3443 ERROR(
"[ERROR] IntGpaCacheFetchAndAdd failed: 0x%08x\n", status);
3453 if (cr3 != pProc->
Cr3)
3472 ERROR(
"[ERROR] IntVirtMemSafeWrite failed: 0x%x\n", status);
3484 memzero(pTrViol,
sizeof(*pTrViol));
3514 WARNING(
"[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
3537 while (Path[i] != 0)
3539 if ((Path[i] == u
'\\') || (Path[i] == u
'/'))
3575 list = gWinProtectedProcesses.
Flink;
3576 while (list != &gWinProtectedProcesses)
3587 if (pProc->
Context != Context)
3591 pList = gWinProcesses.
Flink;
3592 while (pList != &gWinProcesses)
3596 pList = pList->
Flink;
3598 if (!strcasecmp(pProcObject->
Name, BaseName))
3600 pProcObject->
Context = Context;
3632 list = gWinProtectedProcesses.
Flink;
3633 while (list != &gWinProtectedProcesses)
3658 _In_ const void *Name,
3671 while (list != &gWinProtectedProcesses)
3693 WARNING(
"[WARNING] Unsupported string encoding: %d\n", Encoding);
3702 TRACE(
"[CAMI] Protected process info updated '%s'. Original : 0x%x, " 3703 "Current : 0x%x, Beta : 0x%llx, Feedback : 0x%llx\n",
3731 const WCHAR *fullName;
3741 if ((Path[0] | 0x20) >=
'a' && (Path[0] | 0x20) <=
'z' && Path[1] ==
':')
3747 if ((0 == fplen) || (fplen >= 0x10000))
3759 TRACE(
"[INFO] A policy for process '%s', base name '%s', flags 0x%08x already exits.\n",
3817 ERROR(
"[ERROR] IntWinProcUpdateProtection failed: 0x%08x\n", status);
3839 const WCHAR *fullName;
3847 if ((Path[0] | 0x20) >=
'a' && (Path[0] | 0x20) <=
'z' && Path[1] ==
':')
3862 ERROR(
"[ERROR] IntWinProcRemoveProtectedProcessInternal failed: 0x%08x\n", status);
3863 goto cleanup_and_exit;
3869 ERROR(
"[ERROR] IntWinProcUpdateProtection failed: 0x%08x\n", status);
3870 goto cleanup_and_exit;
3891 list = gWinProtectedProcesses.
Flink;
3892 while (list != &gWinProtectedProcesses)
3922 list != &gWinProtectedProcesses;
3927 LOG(
"# %04d %s, %08x, '%s':'%s'\n",
3951 list = gWinProtectedProcesses.
Flink;
3952 while (list != &gWinProtectedProcesses)
3968 list = gWinProcesses.
Flink;
3969 while (list != &gWinProcesses)
3989 ERROR(
"[ERROR] IntWinProcUnprotect failed: 0x%08x\n", status);
3996 ERROR(
"[ERROR] IntWinProcRemoveProcess failed: 0x%08x\n", status);
4020 if (NULL == Process)
4025 list = gWinProcesses.
Flink;
4026 while (list != &gWinProcesses)
4030 if (pProc->
Pid == Pid)
4066 if (NULL == Process)
4071 if (OldMask == NewMask)
4076 vadWasMonitored = !!Process->MonitorVad;
4078 Process->ProtectionMask = NewMask;
4079 Process->Protected = NewMask != 0;
4081 if (!Process->Protected)
4088 ERROR(
"[ERROR] IntIcFlushVaSpace failed: 0x%08x\n", status);
4093 if (Process->SystemProcess)
4099 Process->BetaDetections = !!(Process->ProtectionMask &
PROC_OPT_BETA);
4104 Process->MonitorModules =
FALSE;
4105 Process->MonitorVad =
FALSE;
4110 !Process->SystemProcess) ||
4111 (Process->ProtCoreModules || Process->ProtWsockModules || Process->ProtUnpack ||
4112 Process->Lsass || Process->ProtDoubleAgent);
4115 Process->MonitorVad = (Process->MonitorModules || Process->ProtExploits);
4124 ERROR(
"[ERROR] IntWinProcPatchSpareValue failed: 0x%08x\n", status);
4131 if ((NewMask & PROC_OPT_PROT_INJECTION) != 0 && Process->LateProtection)
4133 Process->Initialized =
TRUE;
4139 if (OldMask & PROC_OPT_PROT_EXPLOIT)
4148 ERROR(
"[ERROR] IntWinProcEnforceProcessDep failed: 0x%08x\n", status);
4157 if (NULL != Process->Subsystemx86)
4162 if (NULL != Process->Subsystemx64)
4168 if (vadWasMonitored && !Process->MonitorVad)
4174 ERROR(
"[ERROR] IntWinVadRemoveProcessTree failed: 0x%08x\n", status);
4178 else if (!vadWasMonitored && Process->MonitorVad)
4184 ERROR(
"[ERROR] IntWinVadImportProcessTree failed: 0x%08x\n", status);
4190 if (Process->Protected && NULL == Process->SelfMapHook)
4195 ERROR(
"[ERROR] IntWinProcProtectSelfMapIndex failed: 0x%08x\n", status);
4199 else if (!Process->Protected && NULL != Process->SelfMapHook)
4204 ERROR(
"[ERROR] IntWinProcUnprotectSelfMapIndex failed: 0x%08x\n", status);
4239 QWORD eprocessAddr = 0;
4240 BYTE *pEprocessBuffer = NULL;
4241 QWORD eprocessParentAddr = 0;
4242 QWORD eprocessRealParentAddr = 0;
4255 ERROR(
"[ERROR] IntWinProcFindObjectByEprocess failed for Eprocess 0x%016llx with status: 0x%08x",
4256 eprocessAddr, status);
4262 ERROR(
"[ERROR] Process '%s' swapped-in, but not swapped out!", pProcess->
Name);
4268 TRACE(
"[PROCESS-SWAP] Swapped in: '%s' (%08x), path %s, pid %d, EPROCESS 0x%016llx, CR3 0x%016llx, " 4269 "UserCR3 0x%016llx, parent at 0x%016llx/0x%016llx; %s, %s\n",
4276 pid = pProcess->
Pid;
4281 ERROR(
"[ERROR] IntWinProcDeleteProcessObject failed with status: 0x%08x\n", status);
4289 ERROR(
"[ERROR] IntWinProcMapEprocess failed: 0x%08x\n", status);
4305 eprocessRealParentAddr, cr3, pid,
TRUE);
4308 ERROR(
"[ERROR] IntWinProcCreateProcessObject failed with status: 0x%08x\n", status);
4340 QWORD eprocessAddr = 0;
4351 ERROR(
"[ERROR] IntWinProcFindObjectByEprocess failed for Eprocess 0x%016llx with status: 0x%08x",
4352 eprocessAddr, status);
4358 ERROR(
"[ERROR] Process '%s' already outswapped!", pProcess->
Name);
4367 ERROR(
"[ERROR] IntWinProcUnlockCr3 failed for 0x%016llx with status: 0x%08x\n", pProcess->
Cr3, status);
4375 ERROR(
"[ERROR] IntSwapMemRemoveTransaction failed: 0x%08x\n", status);
4388 ERROR(
"[ERROR] IntSwapMemRemoveTransaction failed: 0x%08x\n", status);
4401 ERROR(
"[ERROR] IntSwapMemRemoveTransaction failed: 0x%08x\n", status);
4412 ERROR(
"[ERROR] IntWinProcUnprotect failed: 0x%08x\n", status);
4418 ERROR(
"[ERROR] IntSwapMemRemoveTransactionsForVaSpace failed for CR3 0x%016llx with status: 0x%08x\n",
4419 pProcess->
Cr3, status);
4422 TRACE(
"[PROCESS-SWAP] Swapped out: '%s' (%08x), path %s, pid %d, EPROCESS 0x%016llx, CR3 0x%016llx, " 4423 "UserCR3 0x%016llx, parent at 0x%016llx/0x%016llx; %s, %s\n",
4498 ERROR(
"[ERROR] IntDetGetArguments failed: 0x%08x\n", status);
4499 goto _cleanup_and_exit;
4505 ERROR(
"[ERROR] Failed to get source process by cr3 0x%016llx\n", regs->
Cr3);
4507 goto _cleanup_and_exit;
4513 ERROR(
"[ERROR] Failed to get destination process by eprocess 0x%016llx\n", args.DstEproc);
4515 goto _cleanup_and_exit;
4532 ERROR(
"[ERROR] IntVirtMemFetchWordSize failed: 0x%08x\n", status);
4533 goto _cleanup_and_exit;
4541 ERROR(
"[ERROR] IntExceptUserGetOriginator failed: 0x%08x\n", status);
4543 goto _send_notification;
4549 ERROR(
"[EROR] IntExceptGetVictimProcess failed: 0x%08x\n", status);
4551 goto _send_notification;
4561 goto _cleanup_and_exit;
4568 LOG(
"[INSTRUMENTATION] From process '%s' into process '%s' to rip 0x%016llx\n", pOrig->
Name, pVic->
Name, rip);
4578 WARNING(
"[WARNING] IntVirtMemRead failed: 0x%08x\n", status);
4600 WARNING(
"[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
4613 ERROR(
"[ERROR] IntDetSetReturnValue failed: 0x%08x\n", status);
4626 _In_ void *Descriptor
4651 { .Name =
"ObReferenceObjectByHandle", .Addr = &h->
Code[
gGuest.
Guest64 ? 0x3b : 0x3c] },
4652 { .Name =
"ObDereferenceObject", .Addr = &h->
Code[
gGuest.
Guest64 ? 0x86 : 0x65] },
4658 for (
size_t i = 0; i <
ARRAYSIZE(exports); i++)
4666 ERROR(
"[ERROR] IntPeFindKernelExport failed for %s: 0x%08x\n", exports[i].Name, status);
4670 TRACE(
"[INFO] Export %s found at gva 0x%016llx\n", exports[i].Name, addr);
4674 *(
QWORD *)(exports[i].Addr) = addr;
WINUM_PATH * Path
Module path.
DWORD CommandLineSize
Includes the NULL terminator.
PCHAR CommandLine
The command line with which the process was created (can be NULL).
static WIN_PROCESS_OBJECT * IntWinProcHandleCreateInternal(QWORD NewEprocess, QWORD ParentEprocess, QWORD DebugHandle, INTRO_ACTION *Action)
Handles process creation for Windows guests.
void * Module
The internal structure of a module.
#define INT_STATUS_PAGE_NOT_PRESENT
Indicates that a virtual address is not present.
INTSTATUS IntWinProcRemoveProtectedProcess(const WCHAR *Path)
This function removes the provided process from the protected process list.
INTSTATUS IntPtiInjectPtFilter(void)
Inject the PT filter inside the guest.
QWORD PhysicalAddress
The physical address to which VirtualAddress translates.
struct _EVENT_MEMCOPY_VIOLATION::@297 Originator
enum _INTRO_ACTION_REASON INTRO_ACTION_REASON
The reason for which an INTRO_ACTION was taken.
PWIN_PROCESS_SUBSYSTEM Subsystemx64
The x64 subsystem. Note that a 32 bit process on a 64 bit OS may have both subsystems valid...
INTSTATUS IntWinProcHandleInstrument(void *Detour)
Handles an exit on NtSetInformationProcess calls where the InformationClass argument is 40 (instrumen...
static INTSTATUS IntWinProcCreateProcessSubsystem(WIN_PROCESS_OBJECT *Process, WIN_PROCESS_SUBSYSTEM **Subsystem, BYTE SubsystemType)
Create a process subsystem for the given process.
#define CONTAINING_RECORD(List, Type, Member)
Exposes the types, constants and functions used to handle Windows processes events (creation...
static INTSTATUS IntWinProcLockCr3(WIN_PROCESS_OBJECT *Process)
Locks the kernel and user Cr3 of a process in memory.
BOOLEAN Valid
Set to True if the information in the structure is valid, False otherwise.
INTSTATUS IntVirtMemUnmap(void **HostPtr)
Unmaps a memory range previously mapped with IntVirtMemMap.
char Name[ALERT_MAX_FUNCTIONS][ALERT_MAX_FUNCTION_NAME_LEN]
Array of all the extracted function names.
DWORD Size
The size of the access.
DWORD Original
The original protection flags as received from GLUE_IFACE.AddRemoveProtectedProcessUtf16 or GLUE_IFAC...
INTRO_MODULE Module
The module which was written or read.
#define EX_FAST_REF_TO_PTR(is64, p)
Converts a _EX_FAST_REF value to a pointer.
An internal error occurred (no memory, pages not present, etc.).
The process was not protected due to an internal error.
void IntWinProcLstInsertProcess(WIN_PROCESS_OBJECT *Process)
Inserts a WIN_PROCESS_OBJECT structure into the process lists and trees.
Describe the introcore protection options.
static BOOLEAN IntWinProcExistsProtectedProcess(CHAR BaseName[IMAGE_BASE_NAME_LEN], const WCHAR *FullPath, DWORD ProtectionMask, QWORD Context)
This function checks if the provided process is already protected with the given flags.
IG_ARCH_REGS Regs
The current state of the guest registers.
BOOLEAN Created
True if the process was created, False if it was terminated.
DWORD Index
The VCPU number.
EVENT_EXCEPTION_EVENT Exception
This is the structure as documented in winternl.h.
INTSTATUS IntSwapMemRemoveTransactionsForVaSpace(QWORD Cr3)
Remove all transactions initiated for a virtual address space.
MITRE_ID MitreID
The Mitre ID that corresponds to this attack.
void IntWinDpiGatherDpiInfo(WIN_PROCESS_OBJECT *Process, WIN_PROCESS_OBJECT *Parent, QWORD DebugHandle)
Gathers all the necessary DPI (Deep Process Inspection) information that will later be used to decide...
INTSTATUS IntPeFindKernelExport(const char *Name, QWORD *ExportGva)
Find an export inside the NT kernel image.
static const char * gCmdLineProcesses[]
This is a list of processes for which we want to read the command line (not to be confused with PROC_...
#define INTRO_OPT_PROT_KM_SYSTEM_CR3
Enable System process PDBR protection.
QWORD RealParentEprocess
The active EPROCESS at the moment of creation.
QWORD SystemCr3
The Cr3 used to map the kernel.
#define INT_STATUS_SUCCESS
QWORD Context
The context supplied in the protection policy.
Event structure for process creation/termination.
INTRO_PROCESS Process
The process that attempted the access.
Measures user-mode exception checks.
QWORD NewValue[8]
The written value. Only the first Size bytes are valid.
CHAR FunctionName[ALERT_MAX_FUNCTION_NAME_LEN]
The name of the accessed function, if any.
#define WIN_STATUS_SUCCESS
Equivalent to NTSTATUS STATUS_SUCCESS.
INTSTATUS IntWinVadImportProcessTree(WIN_PROCESS_OBJECT *Process)
Scans the guest VAD tree and imports the nodes into our VAD tree.
static INTSTATUS IntWinProcUnlockCr3(WIN_PROCESS_OBJECT *Process)
Unlocks the kernel and user Cr3 of a process in memory.
INTSTATUS IntWinTokenPrivsCheckIntegrityOnProcess(WIN_PROCESS_OBJECT *Process)
This function checks if the privileges bitfields for the given process have been changed in a malicio...
CAMI_STRING_ENCODING
Describes the encoding of a string received from the CAMI file.
void IntWinVadStopExploitMonitor(WIN_PROCESS_OBJECT *Process)
Disables the exploit monitoring for a process.
void * ParamsSwapHandle
The swap memory handle for Process->Peb->ProcessParameters (used to read the command line of the proc...
void IntAlertFillWinProcess(const WIN_PROCESS_OBJECT *Process, INTRO_PROCESS *EventProcess)
Saves information about a windows process inside an alert.
#define INTRO_OPT_ENABLE_FULL_PATH
Aggregates all the full path protection flags.
INTSTATUS IntWinProcAddProtectedProcess(const WCHAR *Path, DWORD ProtectionMask, QWORD Context)
This function adds the provided process to the protected process list.
QWORD FeedbackMask
The protection mask in feedback mode.
Exits caused by "MmCopyVirtualMemory".
struct _UNICODE_STRING64 UNICODE_STRING64
The Windows UNICODE_STRING structure used for 64-bit guests.
Described a detour handler.
static INTSTATUS IntWinProcSendAgentEvent(WIN_PROCESS_OBJECT *Process, BOOLEAN Created)
Send a process creation/termination event that symbolizes an agent.
INTSTATUS IntSwapMemReadData(QWORD Cr3, QWORD VirtualAddress, DWORD Length, DWORD Options, void *Context, DWORD ContextTag, PFUNC_PagesReadCallback Callback, PFUNC_PreInjectCallback PreInject, void **SwapHandle)
Reads a region of guest virtual memory, and calls the indicated callback when all the data is availab...
struct _LIST_ENTRY * Flink
INTSTATUS IntWinVadRemoveProcessTree(WIN_PROCESS_OBJECT *Process)
Removes the VAD tree from a process.
AGENT_EVENT_TYPE Event
The type of the agent.
INTRO_PROCESS Process
The process that could not be protected.
DWORD Lsass
TRUE if this is the lsass process.
INTSTATUS IntWinVadProcImportMainModuleVad(WIN_PROCESS_OBJECT *Process)
Imports the VAD that describes the main module of a process.
BOOLEAN SysprocBetaDetections
TIMER_FRIENDLY INTSTATUS IntWinProcValidateSystemCr3(void)
This function checks if the system CR3 value was modified and if GUEST_STATE::KernelBetaDetections is...
DWORD NumberOfOffsets
Number of symbols pointing to the exported RVA.
#define INTRO_OPT_PROT_KM_TOKEN_PTR
Enable process token protection (Windows only).
INTSTATUS IntWinProcSwapOut(void *Detour)
Detour handler for the KiOutSwapProcess Windows kernel API. The detour on KiOutSwapProcess is set afte...
INTRO_ERROR_CONTEXT gErrorContext
Global storage for the error context used by GLUE_IFACE.NotifyIntrospectionErrorState.
BOOLEAN ShutDown
True if the system process protection is in beta (log-only) mode.
struct _INTRO_ERROR_CONTEXT::@340 ProcessProtection
Process protection errors.
INTSTATUS IntWinProcReadCommandLine(WIN_PROCESS_OBJECT *Process)
Reads the command line of the given process using IntSwapMemReadData.
#define INT_SUCCESS(Status)
RBTREE gWinProcTreeCr3
Tree of all the processes inside the guest, using the kernel CR3 as the key.
static BOOLEAN IsListEmpty(const LIST_ENTRY *ListHead)
INTSTATUS IntDetSetReturnValue(DETOUR const *Detour, IG_ARCH_REGS *Registers, QWORD ReturnValue)
Sets the return value for a hooked guest function.
The process was not protected because there is not enough memory available.
static void IntWinProcHandleDuplicate(QWORD Cr3, QWORD Eprocess)
Ensures that a newly created process does not exist already.
static INTSTATUS IntWinProcEnforceProcessDep(WIN_PROCESS_OBJECT *Process)
Enables DEP (Data Execution Prevention) for a certain process.
QWORD Flags
A combination of ALERT_FLAG_* values describing the alert.
INTSTATUS IntResumeVcpus(void)
Resumes the VCPUs previously paused with IntPauseVcpus.
#define PROC_OPT_PROT_WSOCK_HOOKS
Blocks hooks being set on Wininet user-mode DLLs (Windows only).
BOOLEAN ProtectionActivated
static INTSTATUS IntWinGetPrcoCmdLineHandleUserParamsInMemory(void *Context, QWORD Cr3, QWORD VirtualAddress, QWORD PhysicalAddress, void *Data, DWORD DataSize, DWORD Flags)
Called from within IntSwapMemReadData when the RTL_USER_PROCESS_PARAMETERS32 or RTL_USER_PROCESS_PARA...
The action was not allowed because there was no reason to allow it.
INTSTATUS IntWinProcSwapIn(void *Detour)
Detour handler for the MmInSwapProcess Windows kernel API. The detour on MmInSwapProcess is set inside...
QWORD Context
Context from integrator if the process is protected, 0 otherwise.
BOOLEAN KernelBetaDetections
True if the kernel protection is in beta (log-only) mode.
Event structure for agent injection and termination.
Measures the IntWinProcHandleCopyMemory detour handler.
The agent process finished execution.
INTSTATUS IntWinProcMapEprocess(QWORD Eprocess, void **Ptr)
Maps a _EPROCESS structure.
BOOLEAN IntWinProcIsEnoughHeapAvailable(void)
Checks if enough heap is available in order to protect a new process.
INTRO_VIOLATION_HEADER Header
The alert header.
Windows process subsystem.
DWORD Delta
The offset inside the affected function at which the access was made.
struct _EVENT_TRANSLATION_VIOLATION::@301 Victim
WORD OriginalSpareValue
We put in guest * and some flags in order to decide whether to raise a VM exit on a process...
DWORD Current
The currently used protection flags.
#define INT_STATUS_NOT_NEEDED_HINT
INTSTATUS IntWinProcPatchSwapOut64(QWORD FunctionAddress, void *Handler, void *Descriptor)
This function is responsible for patching the detour that handles the "KiOutSwapProcesses".
Exits caused by "NtQueueApcThreadEx".
Describes a user-mode originator.
#define ALERT_FLAG_ASYNC
If set, the alert was generated in an async manner.
static LIST_HEAD gWinProtectedProcesses
A list with all the protected processes (containing PROTECTED_PROCESS_INFO elements).
#define CMDLINE_MAX_LEN
The maximum length (in bytes) of the data read from the guest when reading the command line of a proc...
QWORD Feedback
Flags that will be forced to feedback only mode.
INTSTATUS IntWinProcHandleTerminate(void *Detour)
This function handles the termination of a Windows process. This function is invoked every time "MmCl...
#define HpAllocWithTag(Len, Tag)
INTSTATUS IntWinPfnRemoveLock(WIN_PFN_LOCK *PfnLock, BOOLEAN Force)
Removes a PFN lock.
DWORD Buffer
The guest virtual address at which the wide-character string is located.
int INTSTATUS
The status data type.
static void IntWinProcFillSystemPath(WIN_PROCESS_SUBSYSTEM *Subsystem)
Fill the system directory path for the given subsystem.
const WCHAR gSysWowPath[]
The syswow path (32 bit process on a 64 bit OS).
INTSTATUS IntWinSelfMapGetAndCheckSelfMapEntry(WIN_PROCESS_OBJECT *Process)
Sets and validates the self map entry values for a process.
DWORD ExitStatus
The exit code of the process.
DWORD OSVersion
Os version.
#define KEXEC_OPT_PERMANENT
Freezes the DEP settings for a process.
DWORD OneTimeInjectionDone
The one time injection already took place (exception).
#define INT_STATUS_NOT_FOUND
DWORD NameHash
Name hash, as used by the exceptions module.
char * utf16tolowerutf8(char *Destination, const WCHAR *Source, DWORD DestinationMaxLength)
QWORD VirtualAddress
The Virtual Address whose translation is being modified.
BOOLEAN Continuable
True if the exception is considered to be continuable.
QWORD Peb64Address
PEB 64 address (on x86 OSes, this will be 0).
Event structure for illegal paging-structures modifications.
static const PROTECTED_PROCESS_INFO * IntWinProcGetProtectedInfo(CHAR BaseName[IMAGE_BASE_NAME_LEN], BOOLEAN IsSystem)
Returns a pointer to the PROTECTED_PROCESS_INFO structure for the given process BaseName.
DWORD Flags
Flags that describe the protection mode.
BOOLEAN IntMatchPatternUtf8(const CHAR *Pattern, const CHAR *String, DWORD Flags)
Matches a pattern using glob match.
#define ALERT_MAX_FUNCTION_NAME_LEN
The maximum size of a function name inside an alert structure.
INTSTATUS IntWinSelfMapProtectSelfMapIndex(WIN_PROCESS_OBJECT *Process)
Protects the self map index of a process by placing an EPT write hook on it.
INTRO_PROCESS CurrentProcess
The agent process.
Measures the process creation checks.
INTSTATUS IntWinProcPrepareInstrument(QWORD FunctionAddress, void *Handler, void *Descriptor)
This function is responsible for patching the detour that handles "NtSetInformationProcess".
Sent for code/data injection alerts. See EVENT_MEMCOPY_VIOLATION.
INTSTATUS IntWinProcUnprotect(WIN_PROCESS_OBJECT *Process)
Remove a process from protection.
#define IMAGE_BASE_NAME_LEN
The maximum length of a process name.
INTSTATUS IntPauseVcpus(void)
Pauses all the guest VCPUs.
EVENT_TRANSLATION_VIOLATION Translation
INTRO_GUEST_TYPE OSType
The type of the guest.
void IntAlertFillCpuContext(BOOLEAN CopyInstruction, INTRO_CPUCTX *CpuContext)
Fills the current CPU context for an alert.
QWORD VirtualBase
Guest virtual address of the loaded module.
DWORD ErrorCode
The error code of the event. Success is 0.
QWORD MainModuleAddress
The address of the main module.
INTSTATUS IntVirtMemFetchWordSize(QWORD GuestVirtualAddress, QWORD Cr3, void *Data)
Reads a guest pointer from the guest memory.
INTSTATUS IntWinSelfMapUnprotectSelfMapIndex(WIN_PROCESS_OBJECT *Process)
Removes the EPT protection for the self map entry index of a process.
INTSTATUS IntVirtMemFetchDword(QWORD GuestVirtualAddress, QWORD Cr3, DWORD *Data)
Reads 4 bytes from the guest memory.
QWORD ParentEprocess
The EPROCESS of the parent process.
#define INTRO_MATCH_TRUNCATED
If set, matching functions like IntMatchPatternUtf8 will match up until the first wild char encounter...
#define INTRO_OPT_PROT_UM_SYS_PROCS
Enable user-mode system processes protection (injection only).
Process subsystem type 32 bit.
DWORD Protected
TRUE if this is a protected process. If this is FALSE, most of the above fields aren't used at all...
BOOLEAN IntPolicyProcIsBeta(const void *Process, QWORD Flag)
Checks if a process protection policy is in log-only mode.
Encapsulates a protected Windows process.
#define ZONE_PROC_INSTRUMENT
Used for exceptions for instrumentation callback.
void IntAlertFillVersionInfo(INTRO_VIOLATION_HEADER *Header)
Fills version information for an alert.
#define INTRO_OPT_EVENT_PROCESS_CRASH
Enable application crash events (generates introEventExceptionEvent).
DWORD Wow64Process
TRUE if this is a 32 bit process on a 64 bit OS.
RBTREE gWinProcTreeUserCr3
Tree of all the processes inside the guest, using the user-mode CR3 as the key.
The Windows UNICODE_STRING structure used for 32-bit guests.
QWORD IntAlertProcGetFlags(QWORD ProtectionFlag, const void *Process, INTRO_ACTION_REASON Reason, QWORD AdditionalFlags)
Returns the flags for an alert.
void IntWinAgentCheckIfProcessAgentAndIncrement(CHAR *ImageName, BOOLEAN *IsAgent, DWORD *Tag)
Checks if a process is an agent or not, and increments the ref count of that name.
BOOLEAN KptiActive
True if KPTI is enabled on this guest, False if it is not.
INTSTATUS IntWinTokenPrivsProtectOnProcess(WIN_PROCESS_OBJECT *Process)
Updates the stored original Privileges bitfields (Present and Enabled) and hooks through EPT the Priv...
TRANS_VIOLATION_TYPE ViolationType
INTRO_ACTION_REASON Reason
The reason for which Action was taken.
EXCEPTION_VICTIM_OBJECT Object
The modified object.
void IntUDRemoveAllEntriesForCr3(const QWORD Cr3)
Remove all pending UD entries for a given virtual address space.
QWORD Cr3
Process PDBR. Includes PCID.
#define ALERT_FLAG_BETA
If set, the alert is a BETA alert. No action was taken.
MEMCOPY_VIOLATION_TYPE ViolationType
The type of the access.
GENERIC_ALERT gAlert
Global alert buffer.
void IntWinModulesChangeProtectionFlags(PWIN_PROCESS_SUBSYSTEM Subsystem)
Change the protection flags applied to the process modules that are currently loaded.
DWORD LateProtection
TRUE if the protection was not activated right from start.
static INTSTATUS IntWinProcRemoveProcess(WIN_PROCESS_OBJECT *Process)
Used to free the memory allocations and swap memory transactions used by a PWIN_PROCESS_OBJECT.
QWORD CreationTime
The creation time of the process, as stored inside the EPROCESS.
INTSTATUS IntWinProcPatchCopyMemoryDetour(QWORD FunctionAddress, void *Handler, void *Descriptor)
This function is responsible for patching the detour that handles the "MmCopyVirtualMemory". This function is invoked every time "MmCopyVirtualMemory" is called (a process is writing/reading another process) but before the actual handler IntWinProcHandleCopyMemory, its purpose being to modify the hook code (see winhkhnd.c).
INTSTATUS IntSwapMemRemoveTransaction(void *Transaction)
Remove a transaction.
WINUM_PATH * Path
Will point inside the loaded modules list to the full process path.
QWORD Flags
The entry that maps VirtualAddress to PhysicalAddress, together with all the control bits...
INTSTATUS IntKernVirtMemFetchDword(QWORD GuestVirtualAddress, DWORD *Data)
Reads 4 bytes from the guest kernel memory.
INTRO_VIOLATION_HEADER Header
The alert header.
DETOUR_ARGS Arguments
Encoding of the arguments needed by introcore from the hooked function.
INTSTATUS IntCamiUpdateProcessProtectionInfo(void *ProtectedProcess)
Update a process' protection flags using the ones from CAMI.
EVENT_MEMCOPY_VIOLATION Injection
static void IntWinProcMarkAsSystemProcess(WIN_PROCESS_OBJECT *Process, const WIN_PROCESS_OBJECT *Parent)
Mark the process as being a system process.
#define CMDLINE_LEN_NO_SCAN
The maximum length (in bytes) of the data read from the guest when reading the command line of a proc...
#define INITIAL_CRC_VALUE
BOOLEAN IntPolicyProcTakeAction(QWORD Flag, void const *Process, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason)
Returns the action that should be taken for a process protection option.
DWORD CopySize
The size of the access.
size_t wstrlen(const WCHAR *str)
INTSTATUS IntKernVirtMemFetchQword(QWORD GuestVirtualAddress, QWORD *Data)
Reads 8 bytes from the guest kernel memory.
EVENT_PROCESS_EVENT Process
struct _PROTECTED_PROCESS_INFO::@211 Protection
The protection flags used for this process.
The CR3 of a process was changed.
INTRO_CPUCTX CpuContext
The context of the CPU that triggered the alert.
DWORD Argv[DET_ARGS_MAX]
Argument encoding. See DET_ARG_REGS and DET_ARG_ON_STACK.
DWORD IsPreviousAgent
TRUE if this is an agent injected in a previous session.
#define INTRO_OPT_EVENT_PROCESSES
Enable process creation and termination events (generates introEventProcessEvent events).
BOOLEAN IntMatchPatternUtf16(const WCHAR *Pattern, const WCHAR *String, DWORD Flags)
Matches a pattern using glob match.
INTSTATUS IntNotifyIntroEvent(INTRO_EVENT_TYPE EventClass, void *Param, size_t EventSize)
Notifies the integrator about an introspection alert.
static INTSTATUS IntWinProcPatchSpareValue(WIN_PROCESS_OBJECT *Process)
Saves the process protection info within an EPROCESS spare field.
static BOOLEAN RemoveEntryList(LIST_ENTRY *Entry)
RBTREE gWinProcTreeEprocess
Tree of all the processes inside the guest, using the _EPROCESS address as the key.
#define INTRO_OPT_PROT_UM_MISC_PROCS
LIST_ENTRY Link
Entry inside the gWinProtectedProcesses list.
INTSTATUS IntGpaCacheFetchAndAdd(PGPA_CACHE Cache, QWORD Gpa, DWORD Size, PBYTE Buffer)
Fetch data from a cached entry, or add it to the cache if not already present.
UINT16 Length
The length, in bytes, of the string in Buffer, not including the NULL terminator, if any...
BOOLEAN Guest64
True if this is a 64-bit guest, False if it is a 32-bit guest.
INTSTATUS IntAgentEnableInjection(void)
Enable Windows or Linux agent injection.
CHAR Name[IMAGE_BASE_NAME_LEN]
Process base name.
QWORD Current
The currently used options.
Exits caused by "NtSetInformationProcess".
INTRO_PROCESS CurrentProcess
The currently active process.
BYTE Code[DETOUR_MAX_HANDLER_SIZE]
The code of the detour handler. Only CodeLength bytes are valid.
BOOLEAN HasNaClEnabled
Only valid for chromium-based browsers; TRUE if this is a NaCl process.
QWORD UserCr3
Process user PDBR. Includes PCID.
CHAR ImageBaseNamePattern[IMAGE_BASE_NAME_LEN]
Process name pattern.
Informational event sent when the remediation tool is injected or terminated. See EVENT_AGENT_EVENT...
INTRO_PROCESS Child
The process that is being created or terminated.
Measures the handling of memory reads in which a write protection policy exists.
DWORD Terminating
TRUE if the process is terminating (cleanup pending).
int strlower_utf16(WCHAR *buf, size_t len)
void * GpaCache
The currently used GPA cache.
#define KEXEC_OPT_EXEC_ENABLE
Enables execution rights for memory that contains data. Disables DEP.
QWORD Beta
Flags that were forced to beta (log-only) mode.
DWORD Hash[ALERT_MAX_FUNCTIONS]
Array of all the extracted function hashes. Export.Hash[i] is the hash for Export.Name[i].
INTRO_WRITE_INFO WriteInfo
The original and new address to which VirtualAddress translates.
DWORD StartInitializing
TRUE if the process actually started initializing (there is a time window from the moment we add the...
#define IS_KERNEL_POINTER_WIN(is64, p)
Checks if a guest virtual address resides inside the Windows kernel address space.
#define PROT_PROC_FLAG_NO_PATH
Flag used to represent internally that a process is protected by name, not by path.
DWORD ProtectionMask
Protection mask: tells us what level of protection will be activated for this process.
BOOLEAN GuestInitialized
True if the OS-specific portion has been initialized.
This is a classic code injection attempt that simply modifies the memory of the victim process...
TIMER_FRIENDLY void IntDumpBuffer(const void *Buffer, QWORD Gva, DWORD Length, DWORD RowLength, DWORD ElementLength, BOOLEAN LogHeader, BOOLEAN DumpAscii)
This function dumps a given buffer in a user friendly format.
#define HpFreeAndNullWithTag(Add, Tag)
PWIN_PROCESS_OBJECT IntWinProcFindObjectByCr3(QWORD Cr3)
Finds a process by its kernel CR3.
DWORD ExitStatus
The exit status of the process (used when sending the process terminated event).
This represents an attempt to set an instrument callback inside the victim process.
#define INT_STATUS_INVALID_PARAMETER_5
Sent for virtual address translation alerts. See EVENT_TRANSLATION_VIOLATION.
Memory access violations that cross a process boundary.
DWORD AgentTag
Unique agent tag. See INTRO_DEP_AG_TAGS.
BOOLEAN DumpValid
True if the contents of RawDump are valid, False if not.
Exits caused by "MiCommitExistingVad".
INTRO_ACTION IntWinDpiCheckCreation(WIN_PROCESS_OBJECT *Child, WIN_PROCESS_OBJECT *RealParent)
Analyzes all the process creation rules in order to decide if the process creation should be allowe...
struct _UNICODE_STRING32 UNICODE_STRING32
The Windows UNICODE_STRING structure used for 32-bit guests.
void IntAlertFillWinProcessCurrent(INTRO_PROCESS *EventProcess)
Saves information about the current Windows process inside an alert.
struct _WIN_PROCESS_OBJECT * Process
The process object related to this subsystem.
Informational event sent when a process is created or terminated by the guest. See EVENT_PROCESS_EVEN...
BYTE WordSize
Guest word size. Will be 4 for 32-bit guests and 8 for 64-bit guests.
BOOLEAN Protected
True if the process is protected.
String will be encoded in utf-8.
#define PROC_OPT_PROT_SCAN_CMD_LINE
Uses third party engines to scan the command line of a process.
static void InsertTailList(LIST_ENTRY *ListHead, LIST_ENTRY *Entry)
INTSTATUS IntTranslateVirtualAddressEx(QWORD Gva, QWORD Cr3, DWORD Flags, VA_TRANSLATION *Translation)
Translates a guest virtual address to a guest physical address.
static BOOLEAN IntWinProcIsExploitGuardEnabled(QWORD EprocessAddress, BYTE *Eprocess)
Checks if the exploit guard is enabled for a certain process.
size_t strlcpy(char *dst, const char *src, size_t dest_size)
QWORD BetaMask
The protection mask in beta mode.
INTSTATUS IntDetGetArgument(void const *Detour, DWORD Index, BYTE const *StackBuffer, DWORD StackBufferSize, QWORD *Value)
Reads the specified argument for a detour.
#define INT_STATUS_ALREADY_INITIALIZED_HINT
DWORD Pid
Process ID (the one used by Windows).
INTSTATUS IntWinTokenPtrCheckIntegrityOnProcess(WIN_PROCESS_OBJECT *Process)
This function checks if the security token of a given process has been stolen from another process...
Process subsystem type 64 bit.
static void IntWinProcSetUserCr3(WIN_PROCESS_OBJECT *Process, const BYTE *EprocessBuffer)
Sets the User CR3 value for a newly created process.
PWCHAR FullPathPattern
Full application path pattern.
#define INTRO_OPT_FULL_PATH
Enable full-path protection of processes.
INTSTATUS IntExceptUserGetOriginator(void *Process, BOOLEAN ModuleWrite, QWORD Address, INSTRUX *Instrux, EXCEPTION_UM_ORIGINATOR *Originator)
This function is used to get the information about the user-mode originator.
void IntWinProcLstRemoveProcess(WIN_PROCESS_OBJECT *Process)
Removes a WIN_PROCESS_OBJECT structure from the process lists and trees.
#define ALERT_FLAG_NOT_RING0
If set, the alert was triggered in ring 1, 2 or 3.
static INTSTATUS IntWinProcRemoveProtectedProcessInternal(CHAR BaseName[IMAGE_BASE_NAME_LEN], const WCHAR *FullPath)
This function removes the protection for the given process.
static void InitializeListHead(LIST_ENTRY *ListHead)
#define INTRO_OPT_ENABLE_UM_PROTECTION
Aggregates all the user mode protection flags.
INTSTATUS IntVirtMemSafeWrite(QWORD Cr3, QWORD VirtualAddress, DWORD Size, void *Buffer, DWORD Ring)
Safely modify guest memory.
The Windows UNICODE_STRING structure used for 64-bit guests.
Describes the modified zone.
#define UNREFERENCED_PARAMETER(P)
#define PROC_OPT_PROT_EXPLOIT
Blocks malicious execution attempts.
#define TRFLG_PG_MODE
Obtains the translation mode flag for the currently used paging mode.
DWORD NameHash
The CRC32 hash of the name. Used for fast matching.
void * InstructionCache
The currently used instructions cache.
DWORD BetaDetections
TRUE if BETA is enabled for this particular process.
INTSTATUS IntWinTokenPrivsUnprotectOnProcess(WIN_PROCESS_OBJECT *Process)
DWORD Rva
The RVA of this export.
QWORD ExceptionCode
The code of the exception.
#define WIN_KM_FIELD(Structure, Field)
Macro used to access kernel mode fields inside the WIN_OPAQUE_FIELDS structure.
QWORD Peb32Address
PEB 32 address (on pure x64 processes, this will be 0).
static BOOLEAN IntWinProcIsFullPath(const WCHAR *Path)
This function checks if the provided path is a full path.
const WCHAR gSystemPath[]
The system path.
#define PROC_OPT_PROT_CORE_HOOKS
Blocks hooks being set on core user-mode DLLs.
INTSTATUS IntDetGetArguments(void const *Detour, DWORD Argc, QWORD *Argv)
Reads multiple arguments from a detour.
QWORD OriginalTokenPtr
Original Token pointer inside EPROCESS (should never change).
BOOLEAN Valid
Set to True if the information in the structure is valid, False otherwise.
LIST_ENTRY Link
List entry element.
static DWORD gTotalProtectedProcs
The total number of protected processes.
INTSTATUS IntWinProcRemoveAllProtectedProcesses(void)
This function removes all the processes from the protected process list.
enum _INTRO_ACTION INTRO_ACTION
Event actions.
BOOLEAN IntPolicyProcForceBetaIfNeeded(QWORD Flag, void *Process, INTRO_ACTION *Action)
Checks if a forced action should be taken even if the process log-only mode is active.
#define _In_reads_bytes_(expr)
QWORD OldValue[8]
The original value. Only the first Size bytes are valid.
Measures IntWinProcHandleCopyMemory invocations done for memory reads.
INTSTATUS IntWinProcGetObjectByPid(DWORD Pid, WIN_PROCESS_OBJECT **Process)
This function looks for a process with the given PID inside gWinProcesses and returns its WIN_PROCESS...
INTRO_PROCESS CurrentProcess
The process in which the exception was triggered.
void IntWinVadDestroyObject(VAD **Vad)
Frees a VAD and all the resources held by it.
INTSTATUS IntSetGprs(DWORD CpuNumber, PIG_ARCH_REGS Regs)
Sets the values of the guest GPRs.
#define WIN_STATUS_ACCESS_DENIED
Equivalent to NTSTATUS STATUS_ACCESS_DENIED.
WCHAR * Name
The name of the module contained in the path.
LIST_HEAD ProcessModules
List of process modules.
void IntExceptInvCbCacheByCr3(QWORD Cr3)
Invalidate the cache used for code blocks for a given CR3.
static BOOLEAN IntWinProcHandleReadFromLsass(QWORD SourceAddress, DWORD ReadSize, const WIN_PROCESS_OBJECT *Lsass, WIN_PROCESS_MODULE **VictimModule)
Handles reads from lsass.exe.
Event structure for process exceptions.
DWORD NameLens[MAX_OFFSETS_PER_NAME]
Length of each name pointing to this RVA.
QWORD Cr3
The value of the guest CR3 register when the event was generated.
MM Mm
Guest memory information, such as paging mode, system Cr3 value, etc.
void * CmdBufSwapHandle
The swap memory handle for the command line buffer.
DWORD ExploitGuardEnabled
TRUE if any Exploit Guard mitigation option is set for this process.
INTSTATUS IntWinProcHandleCopyMemory(void *Detour)
This function is responsible for handling process read/write operations. This function is invoked every t...
DWORD ProtWriteMem
Protect the memory against writes.
QWORD EprocessAddress
This will be the address of the ActiveProcess field.
#define ALERT_FLAG_SYSPROC
If set, the alert is on system process.
struct _EVENT_MEMCOPY_VIOLATION::@299 Export
All the names used to export the modified function.
DWORD ParentWow64
TRUE if the parent is a 32 bit process on a 64 bit OS.
DWORD FunctionNameHash
The hash of the FunctionName. It is the same as Export.Hash[0].
DWORD SystemProcess
TRUE if this is a system process.
GUEST_STATE gGuest
The current guest state.
void IntAlertFillWinProcessByCr3(QWORD ProcessCr3, INTRO_PROCESS *EventProcess)
Saves information about a Windows process inside an alert. The process is searched by its kernel CR3...
static INTSTATUS IntWinProcMarkAgent(WIN_PROCESS_OBJECT *Process, BOOLEAN Mark)
Mark the given process as being an agent.
static INTSTATUS IntWinProcDeleteProcessObject(QWORD EprocessAddress, QWORD Cr3, DWORD Pid)
Used to delete the process from the Introcore internal structures.
void * CmdLineSwapHandle
The swap memory handle for the UNICODE_STRING containing the command line of a process...
VAD * IntWinVadFindAndUpdateIfNecessary(WIN_PROCESS_OBJECT *Process, QWORD StartHint, QWORD LengthHint)
Searches for a VAD in the Introcore VAD tree. If no VAD is found, or if the found one does not fully ...
INTSTATUS IntVirtMemRead(QWORD Gva, DWORD Length, QWORD Cr3, void *Buffer, DWORD *RetLength)
Reads data from a guest virtual memory range.
BYTE RawDump[ALERT_MAX_INJ_DUMP_SIZE]
The source buffer contents.
This is the structure as documented in winternl.h.
#define INT_STATUS_INVALID_DATA_TYPE
DWORD Count
The number of currently protected processes.
INTSTATUS IntExceptGetVictimProcess(void *Process, QWORD DestinationGva, DWORD Length, QWORD ZoneFlags, EXCEPTION_VICTIM_ZONE *Victim)
This function is used to get the information about the victim process for injection violations...
static void IntWinProcGetImageBaseNameFromPath(const WCHAR *FullPath, CHAR *BaseName, const WCHAR **FullName)
Get the BaseName and FullName of an image from the FullPath.
void IntWinAgentCheckIfProcessAgentAndDecrement(CHAR *ImageName, BOOLEAN *IsAgent, DWORD *Tag, BOOLEAN *Removed)
Checks if a process is an agent or not, and decrements the ref count of that name.
INTSTATUS IntWinProcPatchPspInsertProcess86(QWORD FunctionAddress, void *Handler, void *Descriptor)
This function is responsible for patching the detour that handles the "PspInsertProcess".
INTSTATUS IntWinProcHandleCreate(void *Detour)
Detour handler for the PspInsertProcess Windows kernel API. The actual process creation is handled by ...
#define PROC_OPT_PROT_INJECTION
Aggregates all the flags that will generate introEventInjectionViolation events.
struct _EVENT_MEMCOPY_VIOLATION::@298 Victim
#define STATIC_ASSERT(Cond, Msg)
INTSTATUS IntWinPfnLockGpa(QWORD Gpa, WIN_PFN_LOCK **PfnLock)
Locks a guest physical address.
INTSTATUS IntWinSDProtectSecDesc(WIN_PROCESS_OBJECT *Process)
This function saves the security descriptor address and ACLs into the WIN_PROCESS_OBJECT structure...
PWIN_PROCESS_OBJECT IntWinProcFindObjectByEprocess(QWORD Eprocess)
Finds a process by the address of its _EPROCESS structure.
INTSTATUS IntWinProcChangeProtectionFlags(WIN_PROCESS_OBJECT *Process, DWORD OldMask, DWORD NewMask)
This function changes the protection flags for the given process.
#define FIELD_OFFSET(type, field)
WIN_SUBSYTEM_TYPE SubsystemType
Process subsystem type.
BOOLEAN GlueIsScanEnginesApiAvailable(void)
Checks if the third party memory scanning engines are present.
QWORD PebAddress
The Process Environment Block of this subsystem.
#define PROC_OPT_BETA
Process is monitored, but in log-only mode so no actions will be blocked.
INTRO_ACTION Action
The action that was taken as the result of this alert.
int wstrcasecmp(const WCHAR *buf1, const WCHAR *buf2)
INTSTATUS IntKernVirtMemRead(QWORD KernelGva, DWORD Length, void *Buffer, DWORD *RetLength)
Reads data from a guest kernel virtual memory range.
#define PROC_OPT_PROT_WRITE_MEM
Blocks foreign write inside the target process.
#define ZONE_READ
Used for read violation.
QWORD PageCount
The number of 4K pages in the VAD.
DWORD MonitorVad
TRUE if we need to handle VAD events for this process.
#define PROC_OPT_PROT_UNPACK
Identifies unpacking/decryption attempts in the main executable.
DWORD StaticDetected
TRUE if the process was detected using a static scan (during static init).
QWORD Rip
The RIP at which the exception was triggered.
#define LIST_HEAD_INIT(Name)
#define _Out_writes_z_(expr)
Measures the handling of memory reads in which a read protection policy exists.
PCHAR Names[MAX_OFFSETS_PER_NAME]
The names pointing to this RVA. Each name will point inside the Names structure inside WINUM_CACHE_EX...
WORD Length
The length, in bytes, of the string in Buffer, not including the NULL terminator, if any...
#define INT_STATUS_NOT_INITIALIZED_HINT
Encapsulates information about a virtual to physical memory translation.
char * utf16_for_log(const WCHAR *WString)
Converts a UTF-16 to a UTF-8 string to be used inside logging macros.
static INTSTATUS IntWinProcSendProcessEvent(WIN_PROCESS_OBJECT *Process, BOOLEAN Created, BOOLEAN Crashed)
Send a process creation/termination event.
#define PROC_OPT_PROT_INSTRUMENT
Blocks foreign processes from setting instrumentation callbacks inside the target process (Windows on...
Measures the information gathering for the DPI mechanism.
INTSTATUS IntWinProcPatchSwapOut32(QWORD FunctionAddress, void *Handler, void *Descriptor)
This function is responsible for patching the detour that handles the "KiOutSwapProcesses".
void IntWinProcDumpProtected(void)
Log all the protected processes.
EXCEPTION_VICTIM_MODULE Library
The victim module of the modified library.
#define INT_STATUS_INVALID_PARAMETER_1
#define INT_STATUS_NOT_SUPPORTED
LIST_HEAD gWinProcesses
The list of all the processes inside the guest.
INTRO_PROCESS CurrentProcess
The current process.
VCPU_STATE * gVcpu
The state of the current VCPU.
#define INTRO_OPT_PROT_KM_TOKEN_PRIVS
Enable protection over Token Privileges bitmaps.
BOOLEAN Crashed
True if the process crashed.
The action was blocked because there was no exception for it.
DWORD IsAgent
TRUE if this is an injected agent.
INTSTATUS IntNotifyIntroErrorState(INTRO_ERROR_STATE State, INTRO_ERROR_CONTEXT *Context)
INTSTATUS IntWinInspectCommandLine(PWIN_PROCESS_OBJECT Process)
Send a command line scan request to the scan engines.
void IntAlertFillWinUmModule(const WIN_PROCESS_MODULE *Module, INTRO_MODULE *EventModule)
Fills information about a user mode module inside an alert.
DWORD Outswapped
TRUE if the process is outswapped.
DWORD Crc32String(const char *String, DWORD InitialCrc)
Computes the CRC for a NULL-terminated utf-8 string.
INTSTATUS IntIcFlushVaSpace(PINS_CACHE Cache, QWORD Cr3)
Flush an entire virtual address space.
The agent process started execution.
static INTSTATUS IntWinProcSendProcessExceptionEvent(WIN_PROCESS_OBJECT *Process)
Send a process exception event.
This is the structure as documented in winternl.h.
VAD * Vad
The internal structure of the modified VAD.
const PROTECTED_PROCESS_INFO gSystemProcesses[]
This is a list with system processes and their default protection mask.
#define CRITICAL(fmt,...)
const PROTECTED_PROCESS_INFO gWinForcedProtectedProcesses[]
This is a list with non system processes that have a default protection mask.
Measures exits on NtSetInformationProcess.
INTSTATUS IntWinModRemoveModule(PWIN_PROCESS_MODULE Module)
Removes a Windows module.
Exits caused by "MmCopyVirtualMemory".
Exits caused by "PspSetContextThreadInternal".
void IntWinProcUpdateProtectedProcess(const void *Name, const CAMI_STRING_ENCODING Encoding, const CAMI_PROT_OPTIONS *Options)
This function updates the protection for the given process.
Informational event sent when a hardware exception is triggered by a guest process. See EVENT_EXCEPTION_EVENT.
INTRO_PROCESS Parent
The parent of the process.
const PROTECTED_PROCESS_INFO * IntWinProcGetProtectedInfoEx(PWCHAR Path, BOOLEAN IsSystem)
Returns a pointer to the PROTECTED_PROCESS_INFO structure for the given process Path.
QWORD SourceVirtualAddress
The virtual address of the source buffer.
INTSTATUS IntWinGuestFindDriversNamespace(void)
Runs the driver object namespace search.
QWORD DestinationVirtualAddress
The virtual address of the destination buffer.
void IntWinProcUninit(void)
This function removes all process objects from the list, and registers the calls the cleanup function...
BOOLEAN DisableOnReturn
Set to True if after returning from this event handler, introcore must be unloaded.
#define INTRO_OPT_IN_GUEST_PT_FILTER
Enable in-guest page-table filtering (64-bit Windows only).
#define KEXEC_OPT_EXEC_DISABLE
Disables execution rights for memory that contains data. Enables DEP.
static INTSTATUS IntWinGetProcCmdLineHandleBufferInMemory(void *Context, QWORD Cr3, QWORD VirtualAddress, QWORD PhysicalAddress, void *Data, DWORD DataSize, DWORD Flags)
Called from within IntSwapMemReadData when the command line buffer of a process has been fully read...
PWCHAR FullNamePattern
Full application name pattern.
This represents a read done from another process.
PWIN_PROCESS_SUBSYSTEM Subsystemx86
The x86 subsystem. Note that a 32 bit process on a 64 bit OS may have both subsystems valid...
void IntWinVadProcessInit(WIN_PROCESS_OBJECT *Process)
Initializes a WIN_PROCESS_OBJECT.VadTree.
struct _WIN_PROCESS_OBJECT * PWIN_PROCESS_OBJECT
This is the structure as documented in winternl.h.
INTSTATUS IntWinModUnHookModule(PWIN_PROCESS_MODULE Module)
Remove the protection from the indicated module.
String will be encoded in utf-16.
static INTSTATUS IntWinGetPrcoCmdLineHandleCmdLineInMemory(void *Context, QWORD Cr3, QWORD VirtualAddress, QWORD PhysicalAddress, void *Data, DWORD DataSize, DWORD Flags)
Called from within IntSwapMemReadData when the UNICODE_STRING32 or UNICODE_STRING64 structure that co...
Exposes the functions responsible for DPI (Deep Process Inspection) information gathering (used to de...
DWORD AgentTag
If IsAgent is TRUE, this will be the agent tag.
INTSTATUS IntWinProcCreateProcessObject(WIN_PROCESS_OBJECT **Process, QWORD EprocessAddress, PBYTE EprocessBuffer, QWORD ParentEprocess, QWORD RealParentEprocess, QWORD Cr3, DWORD Pid, BOOLEAN StaticScan)
Allocates a WIN_PROCESS_OBJECT structure for the given process.
A representation of a Windows VAD structure.
DWORD IsMainModule
TRUE if this is the main module.
INTSTATUS IntWinProcProtect(WIN_PROCESS_OBJECT *Process)
Protects a new process.
#define ZONE_WRITE
Used for write violation.
QWORD Buffer
The guest virtual address at which the wide-character string is located.
#define INT_STATUS_INVALID_PARAMETER_2
INTRO_PROT_OPTIONS CoreOptions
The activation and protection options for this guest.
DWORD Size
Virtual size of the module.
DWORD IsStack
Set if the memory range represented by this VAD is a stack.
WINUM_CACHE_EXPORT * Export
The export cache for the modified module.
Describes a function to be hooked.
int strlower_utf8(char *buf, size_t len)
#define SWAPMEM_OPT_UM_FAULT
If set, the PF must be injected only while in user-mode. Use it when reading user-mode memory...
void IntExcept(EXCEPTION_VICTIM_ZONE *Victim, void *Originator, EXCEPTION_TYPE Type, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason, INTRO_EVENT_TYPE EventClass)
This function is the entry point for the exception mechanism.
INTSTATUS IntWinProcUpdateProtection(void)
Iterates through the global process list (gWinProcesses) in order to update the protection state for e...
Exposes the functions used to schedule an asynchronous command line scan and receives its result...
static INTSTATUS IntWinProcRemoveSubsystem(WIN_PROCESS_SUBSYSTEM *Subsystem)
Removes a process subsystem.
This structure describes a running process inside the guest.
#define INT_STATUS_INSUFFICIENT_RESOURCES
#define INT_STATUS_INVALID_PARAMETER_3
WCHAR * Path
The string which represents the user-mode module path.