103 "INTRO_SECURITY_DESCRIPTOR_SIZE is too small");
108 #define INT_MAX_ACE_COUNT 1820 125 switch (AceTypeValue)
204 _In_ BYTE *SecurityDescriptorBuffer,
230 BufferSize <
sizeof(
ACL) ||
241 if ((
QWORD)sacl >= (
QWORD)SecurityDescriptorBuffer + BufferSize ||
242 (
QWORD)sacl +
sizeof(
ACL) >= (
QWORD)SecurityDescriptorBuffer + BufferSize ||
252 WARNING(
"[WARNING] It seems that the SaclSize is unexpected\n");
265 if ((
QWORD)dacl >= (
QWORD)SecurityDescriptorBuffer + BufferSize ||
266 (
QWORD)dacl +
sizeof(
ACL) >= (
QWORD)SecurityDescriptorBuffer + BufferSize ||
276 WARNING(
"[WARNING] It seems that the DaclSize is unexpected\n");
305 if (NULL == Acl || NULL == Ace)
312 if ((
QWORD)Ace >= (
QWORD)Acl + Acl->AclSize ||
314 (
QWORD)Ace + Ace->AceSize > (
QWORD)Acl + Acl->AclSize ||
315 Ace->AceSize >= Acl->AclSize ||
342 if (NULL == Buffer || NULL == Ace)
347 if ((
QWORD)Ace >= (
QWORD)Buffer + BufferSize ||
351 Ace->AceSize > BufferSize ||
392 if (0 == SecurityDescriptorGva || NULL == SecurityDescriptorBuffer ||
393 NULL == ReadSize || NULL == Sacl || NULL == Dacl)
410 WARNING(
"[WARNING] IntTranslateVirtualAddressEx failed: 0x%08x\n", status);
422 (
BYTE *)SecurityDescriptorBuffer);
426 status =
IntKernVirtMemRead(SecurityDescriptorGva, BufferSize, SecurityDescriptorBuffer, NULL);
431 ERROR(
"[ERROR] IntKernVirtMemRead failed: 0x%08x\n", status);
438 ERROR(
"[ERROR] IntGpaCacheFetchAndAdd failed: 0x%08x\n", status);
445 SecurityDescriptorBuffer,
451 WARNING(
"[WARNING] IntWinSDFindAcls failed: 0x%08x\n", status);
462 _In_ BYTE *SecurityDescriptorBuffer,
475 #define INT_SID_CHAR_SIZE 512 476 #define INT_MAX_SUB_AUTHORITY_COUT 30 483 char *aclName = IsSacl ?
"Sacl" :
"Dacl";
484 char *aceType = NULL;
487 LOG(
"->%s :\n", aclName);
488 LOG(
"->%s : ->AclRevision : 0x%x\n", aclName, Acl->AclRevision);
489 LOG(
"->%s : ->Sbz1 : 0x%x\n", aclName, Acl->Sbz1);
490 LOG(
"->%s : ->AclSize : 0x%x\n", aclName, Acl->AclSize);
491 LOG(
"->%s : ->AceCount : 0x%x\n", aclName, Acl->AceCount);
492 LOG(
"->%s : ->Sbz2 : 0x%x\n", aclName, Acl->Sbz2);
496 WARNING(
"[WARNING] The maximum number of ACEs has been exceeded:0x%x\n", Acl->AceCount);
502 for (
DWORD i = 0; i < Acl->AceCount; i++)
513 writtenBytes = snprintf(sidChar,
INT_SID_CHAR_SIZE,
"->%s : ->Ace[%d] : ->SID: S-%u-%u",
518 ERROR(
"[ERROR] snprintf failed with return value: %d, buffer size: %d\n", writtenBytes,
INT_SID_CHAR_SIZE);
525 LOG(
"->%s : ->Ace[%d] : ->AceType: %s\n", aclName, i, aceType);
529 LOG(
"->%s : ->Ace[%d] : ->AceType: UNKNOWN(0x%x)\n", aclName, i, (
BYTE)aceHeader->
AceType);
532 LOG(
"->%s : ->Ace[%d] : ->AceFlags: 0x%x\n", aclName, i, (
BYTE)aceHeader->
AceFlags);
533 LOG(
"->%s : ->Ace[%d] : ->AceSize: 0x0%x\n", aclName, i, (
WORD)aceHeader->
AceSize);
534 LOG(
"->%s : ->Ace[%d] : ->Mask: 0x%08x\n", aclName, i, (
DWORD)aceBody->
Mask);
542 WARNING(
"[WARNING] The maximum number of sub authorities has been exceeded:0x%x\n",
547 if ((
QWORD)&subAuthority[j] >= (
QWORD)SecurityDescriptorBuffer + BufferSize ||
548 (
QWORD)&subAuthority[j] +
sizeof(
DWORD) > (
QWORD)SecurityDescriptorBuffer + BufferSize)
554 "-%u", subAuthority[j]);
565 LOG(
"%s\n", sidChar);
566 LOG(
"->%s :\n", aclName);
571 #undef INT_SID_CHAR_SIZE 572 #undef INT_MAX_SUB_AUTHORITY_COUT 579 _In_ BYTE *SecurityDescriptorBuffer,
601 LOG(
"[ACL] Dumping %s security descriptor for process 0x%llx (%d / %s)\n",
602 Original ?
"OLD" :
"NEW",
603 Process->EprocessAddress, Process->Pid, Process->Name);
612 LOG(
"->Sbz1: 0x%x\n", secDesc->
Sbz1);
614 LOG(
"->Owner: 0x%llx\n", secDesc->
Owner);
615 LOG(
"->Group: 0x%llx\n", secDesc->
Group);
618 SecurityDescriptorBuffer,
624 WARNING(
"[WARNING] IntWinSDFindAcls failed: 0x%08x\n", status);
653 if (0 == Process->SecurityDescriptor.SecurityDescriptorGva)
664 securityDescriptorBuffer,
674 WARNING(
"[WARNING] IntWinSDReadSecDesc failed for process 0x%llx (%d / %s) with status : 0x%08x\n",
675 Process->EprocessAddress, Process->Pid, Process->Name, status);
680 TRACE(
"[ACL] SACL/DACL for process 0x%llx (%d / %s) have been found: SD:0x%llx SACL AclSize:0x%x, AceCount:0x%x " 681 "AclRevision:0x%x - DACL AclSize:0x%x, AceCount:0x%x, AclRevision:0x%x - Total size 0x%x\n",
682 Process->EprocessAddress, Process->Pid, Process->Name,
683 Process->SecurityDescriptor.SecurityDescriptorGva,
687 Process->SecurityDescriptor.RawBufferSize = totalSize;
688 memcpy(&Process->SecurityDescriptor.RawBuffer[0], securityDescriptorBuffer, totalSize);
689 memcpy(&Process->SecurityDescriptor.Sacl, sacl,
sizeof(
ACL));
690 memcpy(&Process->SecurityDescriptor.Dacl, dacl,
sizeof(
ACL));
714 *SecurityDescriptorAddressGva = 0;
724 ERROR(
"[ERROR] IntTranslateVirtualAddressEx failed: 0x%08x\n", status);
736 (
PBYTE)SecurityDescriptorAddressGva);
739 ERROR(
"[ERROR] IntGpaCacheFetchAndAdd failed: 0x%08x\n", status);
763 QWORD securityDescriptor = 0;
773 ERROR(
"[ERROR] IntWinSDFetchSecDescAddress failed: 0x%08x\n", status);
777 Process->SecurityDescriptor.SecurityDescriptorGva = securityDescriptor;
783 Process->SecurityDescriptor.SecurityDescriptorGva = 0;
785 WARNING(
"[WARNING] IntWinSDGatherAcl failed: 0x%08x\n", status);
816 ERROR(
"[ERROR] IntWinSDFetchSecDescAddress failed: 0x%08x\n", status);
820 *OldValue = Process->SecurityDescriptor.SecurityDescriptorGva;
821 *NewValue = newValue;
857 ERROR(
"[ERROR] Process is NULL\n");
864 ERROR(
"[ERROR] IntWinSDFetchSecDescAddress failed: 0x%08x\n", status);
870 *OldValue = oldValue;
875 *NewValue = newValue;
878 if (0 == oldValue && 0 != newValue)
881 Process->SecurityDescriptor.SecurityDescriptorGva = newValue;
885 WARNING(
"[WARNING] IntWinSDGatherAcl failed: 0x%08x\n", status);
891 if (oldValue == newValue)
898 if (pProcess->SecurityDescriptor.SecurityDescriptorGva == newValue &&
899 pProcess->EprocessAddress != Process->EprocessAddress)
901 victimProcess = pProcess;
907 *VictimProcess = victimProcess;
946 if (NULL == Process || 0 == Process->SecurityDescriptor.SecurityDescriptorGva || 0 == BufferSize ||
947 NULL == SecurityDescriptorBuffer || NULL == ReadSize || NULL == NewSacl || NULL == NewDacl)
949 goto cleanup_and_exit;
957 SecurityDescriptorBuffer,
963 goto cleanup_and_exit;
967 WARNING(
"[WARNING] IntWinSDReadSecDesc failed for process 0x%llx (%d / %s): 0x%08x\n",
968 Process->EprocessAddress, Process->Pid, Process->Name, status);
970 goto cleanup_and_exit;
978 if (0 != sacl->
AclSize && 0 == Process->SecurityDescriptor.Sacl.AclSize)
981 updateSecurityDescriptorInfo =
TRUE;
982 goto cleanup_and_exit;
985 if (sacl->
AclSize != Process->SecurityDescriptor.Sacl.AclSize)
987 securityDescriptorAltered =
TRUE;
988 goto cleanup_and_exit;
996 if (0 != dacl->
AclSize && 0 == Process->SecurityDescriptor.Dacl.AclSize)
999 updateSecurityDescriptorInfo =
TRUE;
1000 goto cleanup_and_exit;
1003 if (dacl->
AclSize != Process->SecurityDescriptor.Dacl.AclSize)
1005 securityDescriptorAltered =
TRUE;
1006 goto cleanup_and_exit;
1010 if (*ReadSize != Process->SecurityDescriptor.RawBufferSize)
1012 securityDescriptorAltered =
TRUE;
1013 goto cleanup_and_exit;
1017 Process->SecurityDescriptor.RawBuffer,
1019 Process->SecurityDescriptor.RawBufferSize))
1021 securityDescriptorAltered =
TRUE;
1022 goto cleanup_and_exit;
1026 if (updateSecurityDescriptorInfo)
1028 Process->SecurityDescriptor.RawBufferSize = *ReadSize;
1030 memcpy(&Process->SecurityDescriptor.RawBuffer[0], SecurityDescriptorBuffer, *ReadSize);
1034 memcpy(&Process->SecurityDescriptor.Sacl, sacl,
sizeof(
ACL));
1039 memcpy(&Process->SecurityDescriptor.Dacl, dacl,
sizeof(
ACL));
1043 return securityDescriptorAltered;
1079 memzero(pIntViolation,
sizeof(*pIntViolation));
1099 pIntViolation->
Size = SecDescSize;
1100 pIntViolation->
BaseAddress = Process->SecurityDescriptor.SecurityDescriptorGva;
1101 pIntViolation->
VirtualAddress = Process->SecurityDescriptor.SecurityDescriptorGva;
1123 WARNING(
"[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
1156 memzero(pIntViolation,
sizeof(*pIntViolation));
1171 pIntViolation->
Size = SecDescSize;
1172 pIntViolation->
BaseAddress = Process->SecurityDescriptor.SecurityDescriptorGva;
1173 pIntViolation->
VirtualAddress = Process->SecurityDescriptor.SecurityDescriptorGva;
1198 WARNING(
"[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
1220 aclEnd = (
BYTE *)((
QWORD)Acl + CalculatedSize);
1221 sizeToClear = Acl->AclSize - CalculatedSize;
1223 if (Acl->AclSize <= CalculatedSize ||
1224 (
QWORD)aclEnd + sizeToClear > (
QWORD)Acl + Acl->AclSize)
1229 memset(aclEnd, 0, sizeToClear);
1263 WARNING(
"[WARNING] The maximum number of ACEs has been exceeded:0x%x\n", Acl->AceCount);
1267 for (
DWORD i = 0; i < Acl->AceCount; i++)
1285 if (Acl->AclSize != totalSize)
1312 DWORD processedSecDescHash = 0;
1318 DWORD totalSize = 0;
1319 ACL *newSacl = NULL;
1320 ACL *newDacl = NULL;
1322 if (NULL == Process)
1342 goto check_exceptions;
1347 securityDescriptorBuffer,
1357 WARNING(
"[WARNING] IntWinSDReadSecDesc failed for process 0x%llx (%d / %s): 0x%08x\n",
1358 Process->EprocessAddress, Process->Pid, Process->Name, status);
1365 if (NULL == newSacl || NULL == newDacl)
1367 Process->SecurityDescriptor.SecurityDescriptorGva = newValue;
1371 WARNING(
"[WARNING] IntWinSDGatherAcl failed: 0x%08x\n", status);
1406 memcpy(&victim.
WriteInfo.OldValue[0], &Process->SecurityDescriptor.Sacl,
sizeof(
ACL));
1409 memcpy(&victim.
WriteInfo.NewValue[0], newSacl,
sizeof(
ACL));
1412 memcpy(&victim.
WriteInfo.OldValue[1], &Process->SecurityDescriptor.Dacl,
sizeof(
ACL));
1415 memcpy(&victim.
WriteInfo.NewValue[1], newDacl,
sizeof(
ACL));
1418 victim.
WriteInfo.OldValue[2] = oldValue;
1419 victim.
WriteInfo.NewValue[2] = newValue;
1429 securityDescriptorBuffer,
1436 Process->SecurityDescriptor.RawBuffer,
1437 Process->SecurityDescriptor.RawBufferSize,
1443 securityDescriptorBuffer, totalSize, processedSecDescHash,
1447 ERROR(
"[ERROR] IntWinSDSendSecDescIntViolation failed: 0x%08x\n", status);
1454 Process->SecurityDescriptor.SecurityDescriptorGva = newValue;
1458 WARNING(
"[WARNING] IntWinSDGatherAcl failed: 0x%08x\n", status);
1474 ERROR(
"[ERROR] IntVirtMemSafeWrite failed: 0x%08x\n", status);
1499 ACL *newSacl = NULL;
1500 ACL *newDacl = NULL;
1501 DWORD processedSecDescHash = 0;
1508 DWORD totalSize = 0;
1511 if (0 == Process->SecurityDescriptor.SecurityDescriptorGva)
1519 &totalSize, &newSacl, &newDacl))
1526 if (NULL == newSacl || NULL == newDacl)
1528 LOG(
"[WARNING] SACL or DACL is NULL for process process 0x%llx (%d / %s)\n",
1529 Process->EprocessAddress, Process->Pid, Process->Name);
1560 memcpy(&victim.
WriteInfo.OldValue[0], &Process->SecurityDescriptor.Sacl,
sizeof(
ACL));
1563 memcpy(&victim.
WriteInfo.NewValue[0], newSacl,
sizeof(
ACL));
1566 memcpy(&victim.
WriteInfo.OldValue[1], &Process->SecurityDescriptor.Dacl,
sizeof(
ACL));
1569 memcpy(&victim.
WriteInfo.NewValue[1], newDacl,
sizeof(
ACL));
1577 if (pProcess->SecurityDescriptor.SecurityDescriptorGva == Process->SecurityDescriptor.SecurityDescriptorGva)
1586 bestAction = action;
1587 bestReason = reason;
1592 goto found_exception;
1604 securityDescriptorBuffer,
1611 Process->SecurityDescriptor.RawBuffer,
1612 Process->SecurityDescriptor.RawBufferSize,
1618 processedSecDescHash, bestAction, bestReason);
1621 ERROR(
"[ERROR] IntWinSDSendAclIntegrityViolation failed: 0x%08x\n", status);
1631 WARNING(
"[WARNING] IntWinSDGatherAcl failed: 0x%08x\n", status);
1639 Process->SecurityDescriptor.SecurityDescriptorGva,
1640 Process->SecurityDescriptor.RawBufferSize,
1641 Process->SecurityDescriptor.RawBuffer,
1645 ERROR(
"[ERROR] IntVirtMemSafeWrite failed: 0x%08x\n", status);
1691 ERROR(
"[ERROR] IntWinSDCheckSecDescIntegrity failed for process 0x%llx (%d / %s) " 1693 pProcess->EprocessAddress, pProcess->Pid, pProcess->Name, status);
1702 ERROR(
"[ERROR] IntWinSDCheckAclIntegrity failed for process 0x%llx (%d / %s) " 1704 pProcess->EprocessAddress, pProcess->Pid, pProcess->Name, status);
static INTSTATUS IntWinSDCheckSecDescIntegrity(WIN_PROCESS_OBJECT *Process)
This function checks the integrity of the security descriptor for the given process. In case the security descriptor pointer has been altered, the VCPUs will be paused in order to restore the original value, the victim process will be found (in case there is one) and an alert will be sent.
static INTSTATUS IntWinSDFetchSecDescAddress(WIN_PROCESS_OBJECT *Process, QWORD *SecurityDescriptorAddressGva)
This function reads the security descriptor address for the given process using the GPA cache...
#define ACCESS_DENIED_OBJECT_ACE_TYPE_STRING
Printable version of ACCESS_DENIED_OBJECT_ACE_TYPE.
#define ACCESS_ALLOWED_OBJECT_ACE_TYPE_STRING
Printable version of ACCESS_ALLOWED_OBJECT_ACE_TYPE.
#define INT_STATUS_PAGE_NOT_PRESENT
Indicates that a virtual address is not present.
QWORD PhysicalAddress
The physical address to which VirtualAddress translates to.
enum _INTRO_ACTION_REASON INTRO_ACTION_REASON
The reason for which an INTRO_ACTION was taken.
#define INT_MAX_ACE_COUNT
The maximum number of ACEs that are allowed within a single ACL. "The maximum size of an ACL is 64 ki...
Measures the integrity checks on the process security descriptor.
static void IntWinSDDumpSecDesc(WIN_PROCESS_OBJECT *Process, BYTE *SecurityDescriptorBuffer, DWORD BufferSize, BOOLEAN Original)
This function dumps the security descriptor for a given process.
QWORD IntAlertCoreGetFlags(QWORD ProtectionFlag, INTRO_ACTION_REASON Reason)
Returns the flags for an alert.
#define INT_STATUS_SKIP_OTHER_CALLBACKS
#define EX_FAST_REF_TO_PTR(is64, p)
Converts a _EX_FAST_REF value to a pointer.
DWORD Mask
The access mask of the given SID (https://docs.microsoft.com/en-us/windows/win32/secauthz/access-mask...
#define SYSTEM_SCOPED_POLICY_ID_ACE_TYPE_STRING
Printable version of SYSTEM_SCOPED_POLICY_ID_ACE_TYPE.
#define SYSTEM_ALARM_ACE_TYPES_STRING
Printable version of SYSTEM_ALARM_ACE_TYPE.
QWORD ZoneFlags
The flags of the modified zone.
DWORD Crc32Compute(const void *Buffer, size_t Size, DWORD InitialCrc)
Computes the CRC for a byte array.
MITRE_ID MitreID
The Mitre ID that corresponds to this attack.
QWORD SystemCr3
The Cr3 used to map the kernel.
#define INT_STATUS_SUCCESS
struct _SECURITY_DESCRIPTOR SECURITY_DESCRIPTOR
struct _ACE_HEADER ACE_HEADER
An access control entry header.
#define SYSTEM_ACCESS_FILTER_ACE_TYPE_STRING
Printable version of SYSTEM_ACCESS_FILTER_ACE_TYPE.
#define _Out_writes_bytes_(expr)
void IntAlertFillWinProcess(const WIN_PROCESS_OBJECT *Process, INTRO_PROCESS *EventProcess)
Saves information about a windows process inside an alert.
#define SYSTEM_AUDIT_ACE_TYPE_STRING
Printable version of SYSTEM_AUDIT_ACE_TYPE.
Event structure for integrity violations on monitored structures.
#define ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE_STRING
Printable version of ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE.
#define INT_SUCCESS(Status)
#define SYSTEM_AUDIT_CALLBACK_ACE_TYPE_STRING
Printable version of SYSTEM_AUDIT_CALLBACK_ACE_TYPE.
static BOOLEAN IntWinSDIsAceInsideBuffer(BYTE *Buffer, DWORD BufferSize, ACE_HEADER *Ace)
This function checks whether the ACE fits inside the given buffer.
#define INTRO_SECURITY_DESCRIPTOR_SIZE
The size of the buffers in which we store the security descriptors. The security descriptor is compos...
BOOLEAN IntWinSDIsAclEdited(WIN_PROCESS_OBJECT *Process, DWORD BufferSize, BYTE *SecurityDescriptorBuffer, DWORD *ReadSize, ACL **NewSacl, ACL **NewDacl)
This function reads the ACLs for the given process (returning the data using the provided buffer and ...
QWORD Flags
A combination of ALERT_FLAG_* values describing the alert.
INTSTATUS IntResumeVcpus(void)
Resumes the VCPUs previously paused with IntPauseVcpus.
BOOLEAN ProtectionActivated
The action was not allowed because there was no reason to allow it.
struct _EVENT_INTEGRITY_VIOLATION::@304 Victim
BOOLEAN IntWinSDIsSecDescPtrAltered(WIN_PROCESS_OBJECT *Process, WIN_PROCESS_OBJECT **VictimProcess, QWORD *OldValue, QWORD *NewValue)
This function checks if the security descriptor pointer of a process has been altered or not...
#define SYSTEM_ALARM_CALLBACK_ACE_TYPE_STRING
Printable version of SYSTEM_ALARM_CALLBACK_ACE_TYPE.
#define ACCESS_ALLOWED_CALLBACK_ACE_TYPE_STRING
Printable version of ACCESS_ALLOWED_CALLBACK_ACE_TYPE.
#define INT_STATUS_NOT_NEEDED_HINT
struct _ACE_BODY ACE_BODY
The internal representation of an Access Control Entry body.
int INTSTATUS
The status data type.
static int memcmp_len(const void *buf1, const void *buf2, size_t len_buf1, size_t len_buf2)
static BOOLEAN IntWinSDIsAceInsideAcl(ACL *Acl, ACE_HEADER *Ace)
This function checks whether the ACE fits inside the ACL (the ACL structure must be obtained using In...
static void IntWinSDClearAclEnd(ACL *Acl, WORD CalculatedSize)
This function clears the last bytes of the ACL in case the ACL size is greater than the sum of its AC...
#define SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE_STRING
Printable version of SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE.
#define INT_STD_ACE_MAX_SIZE
The maximum size of a standard access control entry (empirically chosen value).
Describes a kernel-mode originator.
#define ACCESS_ALLOWED_ACE_TYPE_STRING
Printable version of ACCESS_ALLOWED_ACE_TYPE.
INTSTATUS IntPauseVcpus(void)
Pauses all the guest VCPUs.
static INTSTATUS IntWinSDSendAclIntegrityViolation(WIN_PROCESS_OBJECT *Process, BYTE *SecDescBuffer, DWORD SecDescSize, DWORD SecDescHash, INTRO_ACTION Action, INTRO_ACTION_REASON Reason)
This function sends an integrity violation caused by a modified ACL (SACL/DACL).
INTRO_GUEST_TYPE OSType
The type of the guest.
LIST_HEAD gWinProcesses
The list of all the processes inside the guest.
Process ACL (SACL/DACL) was modified.
struct _EXCEPTION_KM_ORIGINATOR::@63 Return
static INTSTATUS IntWinSDGatherAcl(WIN_PROCESS_OBJECT *Process)
This function gathers the 2 ACLs (SACL/DACL) and stores them in the WIN_PROCESS_OBJECT structure of t...
UCHAR Revision
S-1-5-32-554 - The SID revision (in this case 1).
#define INTRO_OPT_PROT_KM_SD_ACL
Enable integrity protection over the Security Descriptor pointer and the 2 ACLs (SACL/DACL).
SID_IDENTIFIER_AUTHORITY IdentifierAuthority
S-1-5-32-554 - The authority (in this case 5).
struct _ACL ACL
An access control list.
static void IntWinSDProcessAcl(ACL *Acl)
This function clears the SIDs that have more than one sub authority for a given ACL.
void IntAlertFillVersionInfo(INTRO_VIOLATION_HEADER *Header)
Fills version information for an alert.
#define VICTIM_PROCESS_ACL
Printable name used for introObjectTypeAcl objects.
BYTE * Buffer
The new security descriptor buffer (valid only if INTRO_OBJECT_TYPE is introObjectTypeSecDesc or intr...
#define ZONE_INTEGRITY
Used for integrity zone.
#define SYSTEM_RESOURCE_ATTRIBUTE_ACE_TYPE_STRING
Printable version of SYSTEM_RESOURCE_ATTRIBUTE_ACE_TYPE.
INTSTATUS IntWinSDFindAcls(DWORD BufferSize, BYTE *SecurityDescriptorBuffer, DWORD *ReadSize, ACL **Sacl, ACL **Dacl)
This function looks for the Sacl/Dacl within the SecurityDescriptorBuffer and makes sure they are wit...
Access Token Manipulation.
INTRO_ACTION_REASON Reason
The reason for which Action was taken.
EXCEPTION_VICTIM_OBJECT Object
The modified object.
#define ACCESS_ALLOWED_COMPOUND_ACE_TYPE_STRING
Printable version of ACCESS_ALLOWED_COMPOUND_ACE_TYPE.
DWORD BufferSize
The size of the new security descriptor buffer (valid only if INTRO_OBJECT_TYPE is introObjectTypeSec...
GENERIC_ALERT gAlert
Global alert buffer.
QWORD Flags
The entry that maps VirtualAddress to PhysicalAddress, together with all the control bits...
#define SYSTEM_MANDATORY_LABEL_ACE_TYPE_STRING
Printable version of SYSTEM_MANDATORY_LABEL_ACE_TYPE.
#define INITIAL_CRC_VALUE
DWORD Size
The size of the modified memory area.
#define ACCESS_DENIED_ACE_TYPE_STRING
Printable version of ACCESS_DENIED_ACE_TYPE.
The modified object is inside an integrity hook.
INTRO_CPUCTX CpuContext
The context of the CPU that triggered the alert.
INTSTATUS IntNotifyIntroEvent(INTRO_EVENT_TYPE EventClass, void *Param, size_t EventSize)
Notifies the integrator about an introspection alert.
static INTSTATUS IntWinSDCheckAclIntegrity(WIN_PROCESS_OBJECT *Process)
This function checks the integrity of the ACLs (SACL/DACL) for the given process. In case the ACLs ha...
INTSTATUS IntGpaCacheFetchAndAdd(PGPA_CACHE Cache, QWORD Gpa, DWORD Size, PBYTE Buffer)
Fetch data from a cached entry, or add it to the cache if not already present.
BOOLEAN Guest64
True if this is a 64-bit guest, False if it is a 32-bit guest.
QWORD Current
The currently used options.
SID_INTERNAL Sid
The containing SID.
TIMER_FRIENDLY INTSTATUS IntWinSDCheckIntegrity(void)
This function checks the integrity of the security descriptor for all the processes inside gWinProces...
void * GpaCache
The currently used GPA cache.
QWORD VirtualAddress
The guest virtual address which was modified.
INTRO_VIOLATION_HEADER Header
The alert header.
BOOLEAN GuestInitialized
True if the OS-specific portion has been initialized.
#define ACCESS_DENIED_CALLBACK_ACE_TYPE_STRING
Printable version of ACCESS_DENIED_CALLBACK_ACE_TYPE.
DWORD NameHash
The hash of the modified object.
static void IntWinSDDumpAclEntries(ACL *Acl, BOOLEAN IsSacl, BYTE *SecurityDescriptorBuffer, DWORD BufferSize)
This function dumps the access control entries (ACE) for a given access control list (ACL)...
BYTE WordSize
Guest word size. Will be 4 for 32-bit guests and 8 for 64-bit guests.
#define INT_SID_CHAR_SIZE
INTRO_OBJECT_TYPE Type
The type of the modified object.
ZONE_TYPE ZoneType
The type of the modified zone.
DWORD OldSecDescSize
The size of the old security descriptor buffer (valid only if INTRO_OBJECT_TYPE is introObjectTypeSec...
BYTE OldSecDesc[INTRO_SECURITY_DESCRIPTOR_SIZE]
The old security descriptor buffer (valid only if INTRO_OBJECT_TYPE is introObjectTypeSecDesc or intr...
INTSTATUS IntTranslateVirtualAddressEx(QWORD Gva, QWORD Cr3, DWORD Flags, VA_TRANSLATION *Translation)
Translates a guest virtual address to a guest physical address.
An access control entry header.
#define SYSTEM_AUDIT_OBJECT_ACE_TYPE_STRING
Printable version of SYSTEM_AUDIT_OBJECT_ACE_TYPE.
INTSTATUS IntVirtMemSafeWrite(QWORD Cr3, QWORD VirtualAddress, DWORD Size, void *Buffer, DWORD Ring)
Safely modify guest memory.
Describes the modified zone.
#define TRFLG_PG_MODE
Obtains the translation mode flag for the currently used paging mode.
BYTE NewSecDesc[INTRO_SECURITY_DESCRIPTOR_SIZE]
The new security descriptor buffer (valid only if INTRO_OBJECT_TYPE is introObjectTypeSecDesc or intr...
#define ACCESS_DENIED_CALLBACK_OBJECT_ACE_TYPE_STRING
Printable version of ACCESS_DENIED_CALLBACK_OBJECT_ACE_TYPE.
#define INT_STATUS_DATA_BUFFER_TOO_SMALL
struct _EXCEPTION_VICTIM_ZONE::@58::@60 WriteInfo
static char * IntWinSDGetAceTypeName(BYTE AceTypeValue)
This function obtains the printable name for a given ACE type.
WCHAR Name[ALERT_PATH_MAX_LEN]
NULL-terminated string with a human readable description of the modified object.
BOOLEAN Valid
Set to True if the information in the structure is valid, False otherwise.
enum _INTRO_ACTION INTRO_ACTION
Event actions.
static INTSTATUS IntWinSDSendSecDescIntViolation(WIN_PROCESS_OBJECT *Process, WIN_PROCESS_OBJECT *Victim, QWORD OldValue, QWORD NewValue, BYTE *SecDescBuffer, DWORD SecDescSize, DWORD SecDescHash, INTRO_ACTION Action, INTRO_ACTION_REASON Reason)
This function sends an integrity violation caused by a modified security descriptor pointer...
#define SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE_STRING
Printable version of SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE.
The action was allowed, but it has the BETA flag (Introcore is in log-only mode). ...
static INTSTATUS IntWinSDFetchSecDescValues(WIN_PROCESS_OBJECT *Process, QWORD *OldValue, QWORD *NewValue)
This function obtains the original security descriptor value (from the WIN_PROCESS_OBJECT structure) ...
UCHAR SubAuthorityCount
S-1-5-32-554 - The number of sub authorities (in this case 2 -> sub-authority 32 and sub-authority 54...
MM Mm
Guest memory information, such as paging mode, system Cr3 value, etc.
INTSTATUS IntWinSDProtectSecDesc(WIN_PROCESS_OBJECT *Process)
This function saves the security descriptor address and ACLs into the WIN_PROCESS_OBJECT structure...
SECURITY_DESCRIPTOR_CONTROL Control
GUEST_STATE gGuest
The current guest state.
INTSTATUS IntWinSDReadSecDesc(QWORD SecurityDescriptorGva, DWORD BufferSize, BYTE *SecurityDescriptorBuffer, DWORD *ReadSize, ACL **Sacl, ACL **Dacl)
This function reads the ACLs (along with the ACEs) from the given GVA and returns the data using the ...
void * Process
The internal structure of the modified process.
DWORD NewSecDescHash
The CRC32 hash of the new security descriptor (after zeroing out SIDs with more than one sub-authorit...
EVENT_INTEGRITY_VIOLATION Integrity
#define SYSTEM_PROCESS_TRUST_LABEL_ACE_TYPE_STRING
Printable version of SYSTEM_PROCESS_TRUST_LABEL_ACE_TYPE.
struct _EXCEPTION_KM_ORIGINATOR::@64 Original
STATIC_ASSERT(sizeof(ACL)==sizeof(QWORD), "Sizeof of ACL is not a QWORD")
We are using the EXCEPTION_VICTIM_ZONE.WriteInfo to send the New/Old SACL/DACL.
struct _EVENT_INTEGRITY_VIOLATION::@302 Originator
INTRO_ACTION Action
The action that was taken as the result of this alert.
INTSTATUS IntKernVirtMemRead(QWORD KernelGva, DWORD Length, void *Buffer, DWORD *RetLength)
Reads data from a guest kernel virtual memory range.
#define INT_STATUS_NO_MAPPING_STRUCTURES
Indicates that not all mapping structures of a virtual address are present.
QWORD BaseAddress
The guest virtual address at which the monitored integrity region starts.
#define INT_STATUS_NOT_INITIALIZED_HINT
Encapsulates information about a virtual to physical memory translation.
INTRO_PROCESS Process
The module to which the current code returns.
QWORD OldAddress
The old security descriptor address.
#define INT_STATUS_INVALID_PARAMETER_1
#define INT_STATUS_NOT_SUPPORTED
INTRO_PROCESS CurrentProcess
The current process.
#define INT_MAX_SUB_AUTHORITY_COUT
The action was blocked because there was no exception for it.
The internal representation of an Access Control Entry body.
Sent for integrity violation alerts. See EVENT_INTEGRITY_VIOLATION.
EXCEPTION_VICTIM_INTEGRITY Integrity
Valid if the modified zone is Integrity.
#define VICTIM_PROCESS_SECURITY_DESCRIPTOR
Printable name used for introObjectTypeSecDesc objects.
#define SYSTEM_ALARM_OBJECT_ACE_TYPE_STRING
Printable version of SYSTEM_ALARM_OBJECT_ACE_TYPE.
#define INT_STATUS_INVALID_PARAMETER
#define list_for_each(_head, _struct_type, _var)
Process security descriptor pointer.
#define ZONE_WRITE
Used for write violation.
INTRO_PROT_OPTIONS CoreOptions
The activation and protection options for this guest.
DWORD NewSecDescSize
The size of the new security descriptor buffer (valid only if INTRO_OBJECT_TYPE is introObjectTypeSec...
void IntExcept(EXCEPTION_VICTIM_ZONE *Victim, void *Originator, EXCEPTION_TYPE Type, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason, INTRO_EVENT_TYPE EventClass)
This function is the entry point for the exception mechanism.
INTRO_SEC_DESC_INFO SecDescWriteInfo
DWORD NameHash
The namehash of the originator return driver.
This structure describes a running process inside the guest.