29 if (Process->Cr3 == ModifiedCr3)
31 Process->SelfMapEntryValue = NewValue;
35 Process->UserSelfMapEntryValue = NewValue;
68 WARNING(
"[WARNING] Self-mapping entry modified for process '%s' with CR3 %llx (%s), addr %llx, " 69 "from 0x%016llx to 0x%016llx\n", Process->Name, Cr3, Cr3 == Process->Cr3 ?
"kernel" :
"user",
74 LOG(
"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ (B) ROOTKIT ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n\n");
78 LOG(
"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ROOTKIT ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n\n");
85 ERROR(
"[ERROR] IntPhysMemMap failed: 0x%08x\n", status);
86 goto _just_send_alert;
90 pPage[0] = NewValue & (~
PT_US);
107 if (Process->SystemProcess)
132 WARNING(
"[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
166 QWORD currentKern, currentUser;
169 if (Process->Outswapped)
174 if (NULL == CurrentKernelValue)
179 ERROR(
"[ERROR] IntPhysicalMemRead failed: 0x%08x\n", status);
185 currentKern = *CurrentKernelValue;
188 if (NULL == CurrentUserValue && Process->Cr3 != Process->UserCr3)
193 ERROR(
"[ERROR] IntPhysicalMemRead failed: 0x%08x\n", status);
197 else if (Process->Cr3 != Process->UserCr3)
199 currentUser = *CurrentUserValue;
203 goto _only_kern_check;
210 if (Process->Cr3 != Process->UserCr3)
219 ERROR(
"[ERROR] IntWinSelfMapCr3SelfMapModification failed: 0x%x\n", status);
222 else if (Process->UserSelfMapEntryValue != currentUser)
224 Process->UserSelfMapEntryValue = currentUser;
233 Process->SelfMapEntryValue,
238 ERROR(
"[ERROR] IntWinSelfMapCr3SelfMapModification failed: 0x%x\n", status);
241 else if (Process->SelfMapEntryValue != currentKern)
243 Process->SelfMapEntryValue = currentKern;
299 goto cleanup_and_exit;
325 ERROR(
"[ERROR] IntHookGpaRemoveHook failed: 0x%08x\n", status);
339 goto cleanup_and_exit;
347 WARNING(
"[WARNING] IntExceptKernelGetOriginator failed: 0x%08x\n", status);
357 ERROR(
"[ERROR] Failed getting zone details: 0x%08x\n", status);
358 goto _exit_exceptions;
377 WARNING(
"[WARNING] Self-mapping entry modified for process '%s' with CR3 %llx (%s), " 378 "addr %llx, from 0x%016llx to 0x%016llx from RIP 0x%016llx\n",
381 cr3Modified == pProc->
Cr3 ?
"kernel" :
"user",
394 ERROR(
"[ERROR] IntPhysMemMap failed: 0x%08x\n", status);
395 goto just_send_alert;
434 WARNING(
"[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
494 pList = gWinProcesses.
Flink;
495 while (pList != &gWinProcesses)
500 pList = pList->
Flink;
505 ERROR(
"[ERROR] IntWinCheckSelfMapEntry failed: 0x%08x\n", status);
550 pList = gWinProcesses.
Flink;
551 while (pList != &gWinProcesses)
556 pList = pList->
Flink;
569 ERROR(
"[ERROR] IntWinProtectSelfMapIndex failed: 0x%08x\n", status);
601 QWORD currentKern, currentUser;
628 ERROR(
"[ERROR] IntPhysicalMemRead failed: 0x%08x\n", status);
633 Process->SelfMapEntryValue = (currentKern & (~
PT_US));
638 ERROR(
"[ERROR] IntPhysicalMemRead failed: 0x%08x\n", status);
643 Process->UserSelfMapEntryValue = (currentUser & (~
PT_US));
689 pList = gWinProcesses.
Flink;
690 while (pList != &gWinProcesses)
695 pList = pList->
Flink;
700 ERROR(
"[ERROR] IntWinSelfMapUnprotectSelfMapIndex failed: 0x%08x\n", status);
756 bShouldProtect = Process->Pid == 4;
758 TRACE(
"[INFO] Protecting self-mapping entry for process %s, pid %d with CR3: %llx, UserCR3: %llx with %s\n",
759 Process->Name, Process->Pid, Process->Cr3, Process->UserCr3, bShouldProtect ?
"EPT" :
"INTEGRITY");
763 if (Process->SelfMapHook == NULL)
775 ERROR(
"[ERROR] IntHookGpaSetHook failed: 0x%08x\n", status);
780 if (Process->Cr3 != Process->UserCr3 && Process->UserSelfMapHook == NULL)
792 ERROR(
"[ERROR] IntHookGpaSetHook failed: 0x%08x\n", status);
823 TRACE(
"[INFO] Deactivating self-map index protection for %s (pid %d, cr3: kernel %016llx, user: %016llx)\n",
824 Process->Name, Process->Pid, Process->Cr3, Process->UserCr3);
826 if (Process->SelfMapHook != NULL)
831 ERROR(
"[ERROR] IntHookGpaRemoveHook failed: 0x%08x\n", status);
835 if (Process->UserSelfMapHook != NULL)
840 ERROR(
"[ERROR] IntHookGpaRemoveHook failed: 0x%08x\n", status);
Measures kernel-mode exception checks.
enum _INTRO_ACTION_REASON INTRO_ACTION_REASON
The reason for which an INTRO_ACTION was taken.
INTRO_CODEBLOCKS CodeBlocks
Code blocks extracted for the alert.
#define CONTAINING_RECORD(List, Type, Member)
BOOLEAN Valid
Set to True if the information in the structure is valid, False otherwise.
QWORD IntAlertCoreGetFlags(QWORD ProtectionFlag, INTRO_ACTION_REASON Reason)
Returns the flags for an alert.
DWORD Size
The size of the access.
static INTSTATUS IntWinSelfMapHandleCr3SelfMapWrite(WIN_PROCESS_OBJECT *Context, void *Hook, QWORD Address, INTRO_ACTION *Action)
Handles writes done to the self map entry inside a process page tables.
An internal error occurred (no memory, pages not present, etc.).
INTSTATUS IntPhysicalMemRead(QWORD PhysicalAddress, DWORD Length, void *Buffer, DWORD *RetLength)
Reads data from a guest physical memory range, but only for a single page.
BOOLEAN IntPolicyCoreForceBetaIfNeeded(QWORD Flag, INTRO_ACTION *Action)
Checks if a forced action should be taken even if the log-only mode is active.
IG_ARCH_REGS Regs
The current state of the guest registers.
MITRE_ID MitreID
The Mitre ID that corresponds to this attack.
INTSTATUS IntHookGpaRemoveHook(HOOK_GPA **Hook, DWORD Flags)
Remove a GPA hook.
#define CLEAN_PHYS_ADDRESS64(x)
#define INT_STATUS_SUCCESS
BOOLEAN IntPolicyCoreTakeAction(QWORD Flag, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason)
Returns the action that should be taken for a core introspection option.
QWORD NewValue[8]
The written value. Only the first Size bytes are valid.
struct _LIST_ENTRY * Flink
#define INT_SUCCESS(Status)
QWORD Flags
A combination of ALERT_FLAG_* values describing the alert.
BOOLEAN ProtectionActivated
The action was not allowed because there was no reason to allow it.
BOOLEAN KernelBetaDetections
True if the kernel protection is in beta (log-only) mode.
INTRO_VIOLATION_HEADER Header
The alert header.
struct _EVENT_TRANSLATION_VIOLATION::@301 Victim
#define INT_STATUS_NOT_NEEDED_HINT
#define ALERT_FLAG_ASYNC
If set, the alert was generated asynchronously.
INTSTATUS IntWinSelfMapEnableSelfMapEntryProtection(void)
Enables the self map protection mechanism for the entire system.
int INTSTATUS
The status data type.
TIMER_FRIENDLY INTSTATUS IntWinSelfMapValidateSelfMapEntries(void)
Validates the self map entries for every process in the system.
LIST_HEAD gWinProcesses
The list of all the processes inside the guest.
QWORD VirtualAddress
The Virtual Address whose translation is being modified.
Event structure for illegal paging-structures modifications.
void * UserSelfMapHook
The user self mapping memory hook.
Describes a kernel-mode originator.
EVENT_TRANSLATION_VIOLATION Translation
INTRO_GUEST_TYPE OSType
The type of the guest.
void IntAlertFillCpuContext(BOOLEAN CopyInstruction, INTRO_CPUCTX *CpuContext)
Fills the current CPU context for an alert.
INTSTATUS IntHookGpaSetHook(QWORD Gpa, DWORD Length, BYTE Type, PFUNC_EptViolationCallback Callback, void *Context, void *ParentHook, DWORD Flags, HOOK_GPA **Hook)
Places an EPT hook on the indicated memory range.
void IntAlertFillVersionInfo(INTRO_VIOLATION_HEADER *Header)
Fills version information for an alert.
#define INTRO_OPT_PROT_KM_SELF_MAP_ENTRY
INTRO_VIOLATION_HEADER Header
The alert header.
BOOLEAN IntPolicyCoreIsOptionBeta(QWORD Flag)
Checks if one of the kernel protection options is in log-only mode.
#define HOOK_FLG_HIGH_PRIORITY
If the flag is set, the callback associated with this hook will have a higher priority than the others...
TRANS_VIOLATION_TYPE ViolationType
INTRO_ACTION_REASON Reason
The reason for which Action was taken.
#define HOOK_FLG_PAGING_STRUCTURE
If the flag is set, the hook is placed on paging structures.
INTSTATUS IntAlertFillCodeBlocks(QWORD Rip, QWORD Cr3, BOOLEAN Execute, INTRO_CODEBLOCKS *CodeBlocks)
Fills the code blocks pattern for an alert.
QWORD Cr3
Process PDBR. Includes PCID.
void IntAlertEptFillFromKmOriginator(const EXCEPTION_KM_ORIGINATOR *Originator, EVENT_EPT_VIOLATION *EptViolation)
Fills kernel mode originator information inside an EPT alert.
GENERIC_ALERT gAlert
Global alert buffer.
void IntAlertEptFillFromVictimZone(const EXCEPTION_VICTIM_ZONE *Victim, EVENT_EPT_VIOLATION *EptViolation)
Fills the victim information inside an EPT alert.
INTRO_CPUCTX CpuContext
The context of the CPU that triggered the alert.
INTSTATUS IntNotifyIntroEvent(INTRO_EVENT_TYPE EventClass, void *Param, size_t EventSize)
Notifies the integrator about an introspection alert.
QWORD New
The new, to be written, value of the page table entry.
INTSTATUS IntExceptGetVictimEpt(void *Context, QWORD Gpa, QWORD Gva, INTRO_OBJECT_TYPE Type, DWORD ZoneFlags, EXCEPTION_VICTIM_ZONE *Victim)
Fills an EXCEPTION_VICTIM_ZONE with relevant information from an EPT violation.
CHAR Name[IMAGE_BASE_NAME_LEN]
Process base name.
QWORD Current
The currently used options.
QWORD Old
The old, original, value of the written page table entry.
QWORD UserCr3
Process user PDBR. Includes PCID.
INTSTATUS IntWinSelfMapProtectSelfMapIndex(WIN_PROCESS_OBJECT *Process)
Protects the self map index of a process by placing an EPT write hook on it.
INTRO_WRITE_INFO WriteInfo
The original and new address to which VirtualAddress translates.
BOOLEAN GuestInitialized
True if the OS-specific portion has been initialized.
#define SELF_MAP_ENTRY(Cr3)
Computes the self map entry physical address based on a given Cr3.
INTSTATUS IntWinSelfMapUnprotectSelfMapIndex(WIN_PROCESS_OBJECT *Process)
Removes the EPT protection for the self map entry index of a process.
Sent for virtual address translation alerts. See EVENT_TRANSLATION_VIOLATION.
#define SELF_MAP_ENTRY_IS_DETECTION(entry)
Decides whether a self map entry value is malicious.
INTRO_EXEC_CONTEXT ExecContext
Information about the instruction that triggered the alert.
BOOLEAN Valid
Set to True if the information in the structure is valid, False otherwise.
Sent when an EPT violation triggers an alert. See EVENT_EPT_VIOLATION.
static INTSTATUS IntWinSelfMapHandleCr3SelfMapModification(QWORD NewValue, QWORD OldValue, WIN_PROCESS_OBJECT *Process, QWORD Cr3)
Handles self map entry modifications for a process.
Describes the modified zone.
void * SelfMapHook
The self mapping memory hook.
struct _EXCEPTION_VICTIM_ZONE::@58::@60 WriteInfo
BOOLEAN Valid
Set to True if the information in the structure is valid, False otherwise.
enum _INTRO_ACTION INTRO_ACTION
Event actions.
QWORD Rip
The RIP from where the call to the exported function came.
QWORD OldValue[8]
The original value. Only the first Size bytes are valid.
#define SELF_MAP_ENTRY_VA
Computes the virtual address at which the self map entry is mapped for this guest.
INTSTATUS IntWinSelfMapDisableSelfMapEntryProtection(void)
Disables the self map entry protection for all the processes on the system.
Measures the self map entry validation.
MM Mm
Guest memory information, such as paging mode, system Cr3 value, etc.
#define ALERT_FLAG_SYSPROC
If set, the alert is on system process.
Self mapping index in PDBR.
INTRO_MODULE Module
The module that modified the translation.
DWORD SystemProcess
TRUE if this is a system process.
GUEST_STATE gGuest
The current guest state.
void IntAlertFillWinProcessByCr3(QWORD ProcessCr3, INTRO_PROCESS *EventProcess)
Saves information about a Windows process inside an alert. The process is looked up by its kernel CR3...
static void IntWinSelfMapSelfMapUpdate(QWORD ModifiedCr3, WIN_PROCESS_OBJECT *Process, QWORD NewValue)
Updates the self map entry value for a process.
struct _EXCEPTION_KM_ORIGINATOR::@64 Original
INTRO_ACTION Action
The action that was taken as the result of this alert.
PAGING_MODE Mode
The paging mode used by the guest.
__must_check INTSTATUS IntPhysMemMap(QWORD PhysAddress, DWORD Length, DWORD Flags, void **HostPtr)
Maps a guest physical address inside Introcore VA space.
static INTSTATUS IntWinSelfMapCheckSelfMapEntry(WIN_PROCESS_OBJECT *Process, const QWORD *CurrentKernelValue, const QWORD *CurrentUserValue)
Checks the self map entry for a given process.
#define INT_STATUS_NOT_INITIALIZED_HINT
struct _EVENT_TRANSLATION_VIOLATION::@300 Originator
INTSTATUS IntWinSelfMapGetAndCheckSelfMapEntry(WIN_PROCESS_OBJECT *Process)
Sets and validates the self map entry values for a process.
#define INT_STATUS_INVALID_PARAMETER_1
INTRO_PROCESS CurrentProcess
The current process.
VCPU_STATE * gVcpu
The state of the current VCPU.
The action was blocked because there was no exception for it.
Event structure for EPT violations.
BOOLEAN Valid
True if the information in this structure is valid; False if it is not.
PTEMU_BUFFER PtEmuBuffer
The page table write emulator buffer.
INTSTATUS IntPhysMemUnmap(void **HostPtr)
Unmaps an address previously mapped with IntPhysMemMap.
INTSTATUS IntExceptKernelGetOriginator(EXCEPTION_KM_ORIGINATOR *Originator, DWORD Options)
Retrieves information about the kernel-mode originator.
INTSTATUS IntAlertFillExecContext(QWORD Cr3, INTRO_EXEC_CONTEXT *ExecContext)
Fills the current execution context.
#define ZONE_WRITE
Used for write violation.
INTRO_PROT_OPTIONS CoreOptions
The activation and protection options for this guest.
void IntExcept(EXCEPTION_VICTIM_ZONE *Victim, void *Originator, EXCEPTION_TYPE Type, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason, INTRO_EVENT_TYPE EventClass)
This function is the entry point for the exception mechanism.
This structure describes a running process inside the guest.