45 if (NULL == EthreadAddress)
67 ERROR(
"[ERROR] IntFindKernelPcr failed: 0x%08x\n", status);
74 TRACE(
"[CPU %d] Could not find a kernel KPCR, will not cache anything: 0x%016llx\n",
92 #define THREADS_MAX_COUNT 65536 114 QWORD currentThread = 0, count;
116 if (NULL == Callback)
126 ERROR(
"[ERROR] IntKernVirtMemFetchQword failed for VA 0x%016llx: 0x%08x\n", Eprocess, status);
131 while ((currentThread != Eprocess +
WIN_KM_FIELD(Process, ThreadListHead)) &&
134 QWORD ethreadAddress;
136 ethreadAddress = currentThread -
WIN_KM_FIELD(Thread, ThreadListEntry);
138 status = Callback(ethreadAddress, Aux);
142 goto _cleanup_and_exit;
146 ERROR(
"[ERROR] Callback failed for thread 0x%016llx, proc 0x%016llx: 0x%08x\n",
147 ethreadAddress, Eprocess, status);
153 ERROR(
"[ERROR] Failed getting the next thread: 0x%08x\n", status);
216 ERROR(
"[ERROR] IntGs/FsRead failed: 0x%08x\n", status);
229 ERROR(
"[ERROR] IntGsRead failed: 0x%08x\n", status);
236 QWORD currentEthread = 0;
240 ERROR(
"[ERROR] IntWinThrGetCurrentThread failed: 0x%08x\n", status);
247 ERROR(
"[ERROR] IntKernVirtMemRead failed for 0x%016llx: 0x%08x\n",
280 QWORD buffer[2] = { 0 };
282 if (NULL == StackBase)
287 if (NULL == StackLimit)
301 ERROR(
"[ERROR] IntVirtMemRead failed: 0x%08x\n", status);
307 *StackBase = ((
DWORD *)&buffer)[0];
308 *StackLimit = ((
DWORD *)&buffer)[1];
312 *StackBase = buffer[0];
313 *StackLimit = buffer[1];
338 QWORD tibBase, buffer[2] = { 0 };
349 if (NULL == StackBase)
354 if (NULL == StackLimit)
365 ERROR(
"[ERROR] IntGetGprs failed: 0x%08x\n", status);
373 ERROR(
"[ERROR] IntGetCurrentMode failed: 0x%08x\n", status);
380 ERROR(
"[ERROR] IntGetCurrentRing failed: 0x%08x\n", status);
389 ERROR(
"[ERROR] IntWinThrGetCurrentTib failed: 0x%08x\n", status);
397 ERROR(
"[ERROR] TIB base is 0!\n");
409 ERROR(
"[ERROR] IntVirtMemRead failed: 0x%08x\n", status);
415 *StackBase = ((
DWORD *)&buffer)[0];
416 *StackLimit = ((
DWORD *)&buffer)[1];
420 *StackBase = buffer[0];
421 *StackLimit = buffer[1];
450 QWORD kthreadOriginator, eprocessOriginator;
451 QWORD kthreadVictim, eprocessVictim;
452 QWORD dstAddress, rip;
463 } threadContext = { 0 };
468 eprocessOriginator = eprocessVictim = kthreadVictim = dstAddress = rip = 0;
469 pProcOrig = pProcVictim = NULL;
474 kthreadOriginator = regs->
Rax;
479 ERROR(
"[ERROR] IntDetGetArguments failed: 0x%08x\n", status);
481 goto cleanup_and_exit;
484 kthreadVictim = args[0];
485 dstAddress = args[1];
487 eprocessOriginator = kthreadOriginator +
WIN_KM_FIELD(Thread, Process);
492 LOG(
"[ERROR] IntKernVirtMemRead failed for %llx: 0x%08x\n", eprocessOriginator, status);
494 goto cleanup_and_exit;
498 if (pProcOrig == NULL)
500 ERROR(
"[ERROR] Failed to find originator with eprocess: %llx\n", eprocessOriginator);
502 goto cleanup_and_exit;
505 eprocessVictim = kthreadVictim +
WIN_KM_FIELD(Thread, Process);
510 ERROR(
"[ERROR] IntKernVirtMemRead failed for %llx: 0x%08x\n", eprocessVictim, status);
512 goto cleanup_and_exit;
516 if (pProcVictim == NULL)
518 ERROR(
"[ERROR] Failed to find victim with eprocess: %llx\n", eprocessVictim);
520 goto cleanup_and_exit;
525 TRACE(
"[THREAD HIJACK] Hijack detected in same process, will allow...\n");
527 goto cleanup_and_exit;
533 goto cleanup_and_exit;
543 ERROR(
"[ERROR] IntVirtMemRead failed for %llx: 0x%08x\n", dstAddress, status);
544 bIsDumpValid =
FALSE;
547 rip = threadContext.threadContext64.Rip;
556 ERROR(
"[ERROR] IntVirtMemRead failed for %llx: 0x%08x\n", dstAddress, status);
557 bIsDumpValid =
FALSE;
560 rip = threadContext.threadContext32.Eip;
565 memzero(&originator,
sizeof(originator));
566 memzero(&victim,
sizeof(victim));
571 ERROR(
"[ERROR] IntExceptUserGetOriginator failed: 0x%08x\n", status);
574 goto send_notification;
584 ERROR(
"[ERROR] IntExceptGetModifiedProcess failed: 0x%08x\n", status);
587 goto send_notification;
599 memzero(pInjEvent,
sizeof(*pInjEvent));
601 LOG(
"[THREAD HIJACK] Thread Hijack detected from KTHREAD: %llx, Process `%s` (pid = %d) into KTHREAD: " 602 "%llx from Process `%s` (pid = %d)\n",
603 kthreadOriginator, pProcOrig->
Name, pProcOrig->
Pid, kthreadVictim, pProcVictim->
Name, pProcVictim->
Pid);
613 LOG(
"Dumping CONTEXT registers %llx...", dstAddress);
614 LOG(
"ContextFlags: %d\n", threadContext.threadContext64.ContextFlags);
615 LOG(
"Rax: 0x%08llx Rbx: 0x%08llx Rcx: 0x%08llx Rdx: 0x%08llx Rsp: 0x%08llx Rbp: 0x%08llx Rsi: 0x%08llx" 616 "Rdi: 0x%08llx R8: 0x%08llx R9: 0x%08llx R10: 0x%08llx R11: 0x%08llx R12: 0x%08llx R13: 0x%08llx " 618 "R15: 0x%08llx Rip: 0x%08llx\n", threadContext.threadContext64.Rax,
619 threadContext.threadContext64.Rbx, threadContext.threadContext64.Rcx,
620 threadContext.threadContext64.Rdx, threadContext.threadContext64.Rsp,
621 threadContext.threadContext64.Rbp, threadContext.threadContext64.Rsi,
622 threadContext.threadContext64.Rdi, threadContext.threadContext64.R8,
623 threadContext.threadContext64.R9, threadContext.threadContext64.R10,
624 threadContext.threadContext64.R11, threadContext.threadContext64.R12,
625 threadContext.threadContext64.R13, threadContext.threadContext64.R14,
626 threadContext.threadContext64.R15, threadContext.threadContext64.Rip);
629 &threadContext.threadContext64,
653 LOG(
"Dumping CONTEXT registers %llx...", dstAddress);
654 LOG(
"ContextFlags: %d\n", threadContext.threadContext32.ContextFlags);
655 LOG(
"Eax: 0x%08x Ebx: 0x%08x Ecx: 0x%08x Edx: 0x%08x Esp: 0x%08x Ebp: 0x%08x Esi: 0x%08x Edi: 0x%08x " 656 "Eip: 0x%08x\n", threadContext.threadContext32.Eax, threadContext.threadContext32.Ebx,
657 threadContext.threadContext32.Ecx, threadContext.threadContext32.Edx,
658 threadContext.threadContext32.Esp, threadContext.threadContext32.Ebp,
659 threadContext.threadContext32.Esi, threadContext.threadContext32.Edi,
660 threadContext.threadContext32.Eip);
663 &threadContext.threadContext32,
734 WARNING(
"[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
741 if (NULL != pProcVictim)
750 ERROR(
"[ERROR] IntDetSetReturnValue failed: 0x%08x\n", status);
780 QWORD ethreadOriginator;
781 QWORD eprocessOriginator;
783 QWORD eprocessVictim;
788 QWORD functionAddr, functionParameter;
796 pVictimProc = pOrigProc = NULL;
798 currentExport = NULL;
799 rip = functionAddr = functionParameter = 0;
804 ERROR(
"[ERROR] IntDetGetArguments failed: 0x%08x\n", status);
805 goto cleanup_and_exit;
808 victimThread = args[0];
809 functionAddr = args[1];
810 functionParameter = args[2];
811 ethreadOriginator = args[3];
813 eprocessOriginator = ethreadOriginator +
WIN_KM_FIELD(Thread, Process);
818 ERROR(
"[ERROR] IntKernVirtMemRead failed: 0x%08x\n", status);
819 goto cleanup_and_exit;
823 if (pOrigProc == NULL)
825 LOG(
"IntWinProcFindObjectByEprocess failed for originator! \n");
827 goto cleanup_and_exit;
830 eprocessVictim = victimThread +
WIN_KM_FIELD(Thread, Process);
835 ERROR(
"[ERROR] IntKernVirtMemRead failed: 0x%08x\n", status);
836 goto cleanup_and_exit;
840 if (pVictimProc == NULL)
842 LOG(
"IntWinProcFindObjectByEprocess failed for victim! \n");
844 goto cleanup_and_exit;
849 goto cleanup_and_exit;
852 if (eprocessVictim == eprocessOriginator)
854 goto cleanup_and_exit;
859 memzero(&originator,
sizeof(originator));
860 memzero(&victim,
sizeof(victim));
865 ERROR(
"[ERROR] IntExceptUserGetOriginator failed: 0x%08x\n", status);
867 goto send_notification;
876 rip = (functionAddr * (-1)) >> 2;
897 goto not_rtl_dispatch;
901 if (currentExport == NULL)
903 goto not_rtl_dispatch;
910 if (0 == strncasecmp(currentExport->
Names[i],
"RtlDispatchApc", currentExport->
NameLens[i]))
914 rip = functionParameter;
926 ERROR(
"[ERROR] IntExceptGetModifiedProcess failed: 0x%08x\n", status);
928 goto send_notification;
940 memzero(pInjEvent,
sizeof(*pInjEvent));
942 LOG(
"[APC HIJACKING] From process '%s' into process '%s' (%llx [%llx] -> %llx [%llx]) to rip %llx\n",
943 pOrigProc->
Name, pVictimProc->
Name, eprocessOriginator, ethreadOriginator,
944 eprocessVictim, victimThread, rip);
953 WARNING(
"[WARNING] IntVirtMemRead failed: 0x%08x\n", status);
1012 WARNING(
"[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
1018 if (NULL != pVictimProc)
1027 ERROR(
"[ERROR] IntDetSetReturnValue failed: 0x%08x\n", status);
1039 _In_ void *Descriptor
1077 pHandler->
Code[0x41] = 0x14;
1084 *(
DWORD *)(pHandler->
Code + 0x2) = 0x90909090;
1088 pHandler->
Code[0x2f] = 0x00;
1091 pHandler->
Code[0x41] = 0x0C;
1111 _In_ void *Descriptor
1131 QWORD *threadType, *referenceObj, *derefObj;
1132 DWORD *attachedProc, *process, *spare;
1133 DWORD *threadType32, *referenceObj32, *derefObj32;
1134 PCHAR exports[3] = {
"PsThreadType",
"ObReferenceObjectByHandle",
"ObDereferenceObject" };
1135 QWORD gvas[3] = { 0, 0, 0 };
1136 DWORD offsetCallObReferenceObject, offsetCallObDereference,
1137 offsetPsThreadType, offsetAttachedProcess, offsetProcess, offsetSpare;
1142 threadType = referenceObj = derefObj = NULL;
1143 threadType32 = referenceObj32 = derefObj32 = NULL;
1144 attachedProc = process = spare = NULL;
1150 offsetCallObReferenceObject = 0x3b;
1151 offsetCallObDereference = 0xa0;
1152 offsetPsThreadType = 0x11;
1153 offsetAttachedProcess = 0x5f;
1154 offsetProcess = 0x6b;
1157 threadType = (
QWORD *)&pHandler->
Code[offsetPsThreadType];
1158 referenceObj = (
QWORD *)&pHandler->
Code[offsetCallObReferenceObject];
1159 derefObj = (
QWORD *)&pHandler->
Code[offsetCallObDereference];
1160 attachedProc = (
DWORD *)&pHandler->
Code[offsetAttachedProcess];
1161 process = (
DWORD *)&pHandler->
Code[offsetProcess];
1162 spare = (
DWORD *)&pHandler->
Code[offsetSpare];
1166 offsetPsThreadType = 0x1d;
1167 offsetCallObReferenceObject = 0x25;
1168 offsetCallObDereference = 0x67;
1169 offsetAttachedProcess = 0x35;
1170 offsetProcess = 0x3f;
1173 threadType32 = (
DWORD *)&pHandler->
Code[offsetPsThreadType];
1174 referenceObj32 = (
DWORD *)&pHandler->
Code[offsetCallObReferenceObject];
1175 derefObj32 = (
DWORD *)&pHandler->
Code[offsetCallObDereference];
1176 attachedProc = (
DWORD *)&pHandler->
Code[offsetAttachedProcess];
1177 process = (
DWORD *)&pHandler->
Code[offsetProcess];
1178 spare = (
DWORD *)&pHandler->
Code[offsetSpare];
1181 for (
DWORD i = 0; i < 3; i++)
1186 ERROR(
"[ERROR] Cannot find export %s for patching APC thread handler!\n", exports[i]);
1191 TRACE(
"[INFO] Export %s found at gva %016llx\n", exports[i], gvas[i]);
1197 threadType[0] = gvas[0];
1198 referenceObj[0] = gvas[1];
1199 derefObj[0] = gvas[2];
1200 attachedProc[0] =
WIN_KM_FIELD(Thread, AttachedProcess);
1206 threadType32[0] = (
DWORD)gvas[0];
1207 referenceObj32[0] = (
DWORD)gvas[1];
1208 derefObj32[0] = (
DWORD)gvas[2];
1209 attachedProc[0] =
WIN_KM_FIELD(Thread, AttachedProcess);
1214 TRACE(
"[INFO] Successfully patched NtQueueApcThreadEx handler!\n");
void * Module
The internal structure of a module.
#define INT_STATUS_PAGE_NOT_PRESENT
Indicates that a virtual address is not present.
struct _EVENT_MEMCOPY_VIOLATION::@297 Originator
enum _INTRO_ACTION_REASON INTRO_ACTION_REASON
The reason for which an INTRO_ACTION was taken.
char Name[ALERT_MAX_FUNCTIONS][ALERT_MAX_FUNCTION_NAME_LEN]
Array of all the extracted function names.
INTRO_MODULE Module
The module which was written or read.
An internal error occurred (no memory, pages not present, etc.).
struct _API_HOOK_HANDLER * PAPI_HOOK_HANDLER
#define OFFSET_OF(Type, Member)
IG_ARCH_REGS Regs
The current state of the guest registers.
#define PROC_OPT_PROT_QUEUE_APC
Blocks APC queuing inside the target process (Windows only).
DWORD Index
The VCPU number.
DWORD Crc32Compute(const void *Buffer, size_t Size, DWORD InitialCrc)
Computes the CRC for a byte array.
MITRE_ID MitreID
The Mitre ID that corresponds to this attack.
INTSTATUS IntPeFindKernelExport(const char *Name, QWORD *ExportGva)
Find an export inside the NT kernel image.
INTSTATUS IntWinThrPatchThreadHijackHandler(QWORD FunctionAddress, void *Handler, void *Descriptor)
This function is responsible for patching the detour that handles the "PspSetContextThreadInternal"...
#define INT_STATUS_SUCCESS
INTRO_PROCESS Process
The process that attempted the access.
INTSTATUS IntFsRead(DWORD CpuNumber, QWORD *FsValue)
Reads the IA32_FS_BASE guest MSR.
Measures user-mode exception checks.
This represents an attempt of modifying the context of another thread.
CHAR FunctionName[ALERT_MAX_FUNCTION_NAME_LEN]
The name of the accessed function, if any.
#define WIN_STATUS_SUCCESS
Equivalent to NTSTATUS STATUS_SUCCESS.
INTSTATUS IntGetGprs(DWORD CpuNumber, PIG_ARCH_REGS Regs)
Get the current guest GPR state.
void IntAlertFillWinProcess(const WIN_PROCESS_OBJECT *Process, INTRO_PROCESS *EventProcess)
Saves information about a windows process inside an alert.
Describes a detour handler.
DWORD IntGetCurrentCpu(void)
Returns the current CPU number.
DWORD NumberOfOffsets
Number of symbols pointing to the exported RVA.
#define INT_SUCCESS(Status)
INTSTATUS IntDetSetReturnValue(DETOUR const *Detour, IG_ARCH_REGS *Registers, QWORD ReturnValue)
Sets the return value for a hooked guest function.
#define PROC_OPT_PROT_SET_THREAD_CTX
Blocks thread hijacking attempts inside the target process (Windows only).
QWORD Flags
A combination of ALERT_FLAG_* values describing the alert.
INTSTATUS IntWinThrHandleQueueApc(void *Detour)
Handles a NtQueueApcThreadEx call - blocking process injections. Asynchronous Procedure Call (APC) inj...
The action was not allowed because there was no reason to allow it.
DWORD Delta
The offset inside the affected function at which the access was made.
Describes a user-mode originator.
INTSTATUS IntKernVirtMemFetchWordSize(QWORD GuestVirtualAddress, void *Data)
Reads a guest pointer from the guest kernel memory.
int INTSTATUS
The status data type.
DWORD OSVersion
Os version.
#define INT_STATUS_NOT_FOUND
#define ALERT_MAX_FUNCTION_NAME_LEN
The maximum size of a function name inside an alert structure.
PVCPU_STATE VcpuArray
Array of the VCPUs assigned to this guest. The index in this array matches the VCPU number...
Sent for code/data injection alerts. See EVENT_MEMCOPY_VIOLATION.
WINUM_CACHE_EXPORT * IntWinUmModCacheExportFind(WIN_PROCESS_MODULE *Module, DWORD Rva, DWORD ErrorRange)
Tries to find an export in the range [Rva, Rva + ErrorRange].
void IntAlertFillCpuContext(BOOLEAN CopyInstruction, INTRO_CPUCTX *CpuContext)
Fills the current CPU context for an alert.
QWORD VirtualBase
Guest virtual address of the loaded module.
IG_CS_RING
The current protection level.
DWORD Protected
TRUE if this is a protected process. If this is FALSE, most of the above fields aren't used at all...
#define INT_STATUS_BREAK_ITERATION
Can be used by iteration callbacks to break the iteration early.
void IntAlertFillVersionInfo(INTRO_VIOLATION_HEADER *Header)
Fills version information for an alert.
DWORD Wow64Process
TRUE if this is a 32 bit process on a 64 bit OS.
QWORD IntAlertProcGetFlags(QWORD ProtectionFlag, const void *Process, INTRO_ACTION_REASON Reason, QWORD AdditionalFlags)
Returns the flags for an alert.
INTSTATUS IntWinThrHandleThreadHijack(void *Detour)
Handles a SetContextThread call - blocking thread hijacking. Thread hijacking (amongst others) is an a...
IG_CS_TYPE
The type of the code segment.
Context Frame for 32-bit guests.
INTRO_ACTION_REASON Reason
The reason for which Action was taken.
EXCEPTION_VICTIM_OBJECT Object
The modified object.
PWIN_PROCESS_MODULE IntWinUmModFindByAddress(PWIN_PROCESS_OBJECT Process, QWORD Gva)
Searches for a user-mode module which contains the indicated guest virtual address.
Exposes the functions used to provide Windows Threads related support.
QWORD Cr3
Process PDBR. Includes PCID.
INTSTATUS IntGetCurrentMode(DWORD CpuNumber, DWORD *Mode)
Read the current CS type.
MEMCOPY_VIOLATION_TYPE ViolationType
The type of the access.
GENERIC_ALERT gAlert
Global alert buffer.
INTRO_VIOLATION_HEADER Header
The alert header.
EVENT_MEMCOPY_VIOLATION Injection
#define INITIAL_CRC_VALUE
INTSTATUS IntFindKernelPcr(DWORD CpuNumber, QWORD *Pcr)
Finds the address of the Windows kernel _KPCR.
BOOLEAN IntPolicyProcTakeAction(QWORD Flag, void const *Process, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason)
Returns the action that should be taken for a process protection option.
DWORD CopySize
The size of the access.
#define IG_CURRENT_VCPU
For APIs that take a VCPU number as a parameter, this can be used to specify that the current VCPU sh...
INTRO_CPUCTX CpuContext
The context of the CPU that triggered the alert.
INTSTATUS IntNotifyIntroEvent(INTRO_EVENT_TYPE EventClass, void *Param, size_t EventSize)
Notifies the integrator about an introspection alert.
#define THREADS_MAX_COUNT
The maximum number of threads for one single process (if something happens, IntWinThrIterateThreads w...
This represents an attempt to queue an APC into the victim process.
BOOLEAN Guest64
True if this is a 64-bit guest, False if it is a 32-bit guest.
#define ZONE_PROC_THREAD_APC
Used for the APC thread hijacking technique.
CHAR Name[IMAGE_BASE_NAME_LEN]
Process base name.
INTSTATUS IntWinThrGetCurrentThread(DWORD CpuNumber, QWORD *EthreadAddress)
Get the ETHREAD structure address of the thread currently running on the given CPU.
BYTE Code[DETOUR_MAX_HANDLER_SIZE]
The code of the detour handler. Only CodeLength bytes are valid.
INTSTATUS(* PFUNC_IterateListCallback)(QWORD Node, QWORD Aux)
#define INT_STATUS_INVALID_PARAMETER_4
DWORD Hash[ALERT_MAX_FUNCTIONS]
Array of all the extracted function hashes. Export.Hash[i] is the hash for Export.Name[i].
#define IS_KERNEL_POINTER_WIN(is64, p)
Checks if a guest virtual address resides inside the Windows kernel address space.
TIMER_FRIENDLY void IntDumpBuffer(const void *Buffer, QWORD Gva, DWORD Length, DWORD RowLength, DWORD ElementLength, BOOLEAN LogHeader, BOOLEAN DumpAscii)
This function dumps a given buffer in a user friendly format.
INTSTATUS IntGsRead(DWORD CpuNumber, QWORD *GsValue)
Reads the IA32_GS_BASE guest MSR.
#define INT_STATUS_INVALID_PARAMETER_5
INTSTATUS IntWinThrGetCurrentStackBaseAndLimit(QWORD *TibBase, QWORD *StackBase, QWORD *StackLimit)
Obtains the stack base, stack limit and TIB address of the current thread.
Memory access violations that cross a process boundary.
BOOLEAN DumpValid
True if the contents of RawDump are valid, False if not.
BYTE WordSize
Guest word size. Will be 4 for 32-bit guests and 8 for 64-bit guests.
size_t strlcpy(char *dst, const char *src, size_t dest_size)
INTSTATUS IntWinThrIterateThreads(QWORD Eprocess, PFUNC_IterateListCallback Callback, QWORD Aux)
Iterate all the threads of the given process and invoke the callback for each one of them...
DWORD Pid
Process ID (the one used by Windows).
INTSTATUS IntExceptUserGetOriginator(void *Process, BOOLEAN ModuleWrite, QWORD Address, INSTRUX *Instrux, EXCEPTION_UM_ORIGINATOR *Originator)
This function is used to get the information about the user-mode originator.
DWORD ProtThreadCtx
Protect the thread context (protection against thread hijacking).
DWORD CpuCount
The number of logical CPUs.
Describes the modified zone.
#define UNREFERENCED_PARAMETER(P)
DWORD Rva
The RVA of this export.
#define WIN_KM_FIELD(Structure, Field)
Macro used to access kernel mode fields inside the WIN_OPAQUE_FIELDS structure.
INTSTATUS IntDetGetArguments(void const *Detour, DWORD Argc, QWORD *Argv)
Reads multiple arguments from a detour.
enum _INTRO_ACTION INTRO_ACTION
Event actions.
BOOLEAN IntPolicyProcForceBetaIfNeeded(QWORD Flag, void *Process, INTRO_ACTION *Action)
Checks if a forced action should be taken even if the process log-only mode is active.
#define WIN_STATUS_ACCESS_DENIED
Equivalent to NTSTATUS STATUS_ACCESS_DENIED.
DWORD NameLens[MAX_OFFSETS_PER_NAME]
Length of each name pointing to this RVA.
QWORD Cr3
The value of the guest CR3 register when the event was generated.
QWORD EprocessAddress
This will be the address of the ActiveProcess field.
struct _EVENT_MEMCOPY_VIOLATION::@299 Export
All the names used to export the modified function.
DWORD FunctionNameHash
The hash of the FunctionName. It is the same as Export.Hash[0].
GUEST_STATE gGuest
The current guest state.
void IntAlertFillWinProcessByCr3(QWORD ProcessCr3, INTRO_PROCESS *EventProcess)
Saves information about a Windows process inside an alert. The process is searched by its kernel CR3...
INTSTATUS IntWinThrPrepareApcHandler(QWORD FunctionAddress, void *Handler, void *Descriptor)
This function is responsible for patching the detour that handles the "NtQueueApcThreadEx". This function is called before the hook is placed into memory in order to "patch" the addresses of guest functions or guest file offsets that are used by the hook handler. Specifically, this patches the addresses of PsThreadType, ObReferenceObjectByHandle, ObDereferenceObject and the offsets of the AttachedProcess and Process fields of _KTHREAD and the Spare field of _KPROCESS, but also patches the "retn" instruction accordingly.
INTSTATUS IntVirtMemRead(QWORD Gva, DWORD Length, QWORD Cr3, void *Buffer, DWORD *RetLength)
Reads data from a guest virtual memory range.
BYTE RawDump[ALERT_MAX_INJ_DUMP_SIZE]
The source buffer contents.
INTSTATUS IntExceptGetVictimProcess(void *Process, QWORD DestinationGva, DWORD Length, QWORD ZoneFlags, EXCEPTION_VICTIM_ZONE *Victim)
This function is used to get the information about the victim process for injection violations...
struct _EVENT_MEMCOPY_VIOLATION::@298 Victim
PWIN_PROCESS_OBJECT IntWinProcFindObjectByEprocess(QWORD Eprocess)
Finds a process by the address of its _EPROCESS structure.
INTRO_ACTION Action
The action that was taken as the result of this alert.
INTSTATUS IntKernVirtMemRead(QWORD KernelGva, DWORD Length, void *Buffer, DWORD *RetLength)
Reads data from a guest kernel virtual memory range.
#define INT_STATUS_NO_MAPPING_STRUCTURES
Indicates that not all mapping structures of a virtual address are present.
PCHAR Names[MAX_OFFSETS_PER_NAME]
The names pointing to this RVA. Each name will point inside the Names structure inside WINUM_CACHE_EX...
EXCEPTION_VICTIM_MODULE Library
The victim module of the modified library.
#define INT_STATUS_INVALID_PARAMETER_1
#define INT_STATUS_NOT_SUPPORTED
INTRO_PROCESS CurrentProcess
The current process.
VCPU_STATE * gVcpu
The state of the current VCPU.
void IntAlertFillWinUmModule(const WIN_PROCESS_MODULE *Module, INTRO_MODULE *EventModule)
Fills information about a user mode module inside an alert.
#define ZONE_PROC_THREAD_CTX
Used for the CONTEXT structure of a thread.
INTSTATUS IntGetCurrentRing(DWORD CpuNumber, DWORD *Ring)
Read the current protection level.
QWORD SourceVirtualAddress
The virtual address of the source buffer.
QWORD DestinationVirtualAddress
The virtual address of the destination buffer.
Context Frame for 64-bit guests.
QWORD PcrGla
The guest linear address of the _KPCR structure loaded by this CPU.
#define ZONE_WRITE
Used for write violation.
#define INT_STATUS_INVALID_PARAMETER_2
WINUM_CACHE_EXPORT * Export
The export cache for the modified module.
INTSTATUS IntWinThrGetUmStackBaseAndLimitFromTib(QWORD Tib, IG_CS_TYPE CsType, QWORD Cr3, QWORD *StackBase, QWORD *StackLimit)
Obtains the user mode stack base and stack limit values.
void IntExcept(EXCEPTION_VICTIM_ZONE *Victim, void *Originator, EXCEPTION_TYPE Type, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason, INTRO_EVENT_TYPE EventClass)
This function is the entry point for the exception mechanism.
INTSTATUS IntWinThrGetCurrentTib(IG_CS_RING CurrentRing, IG_CS_TYPE CsType, QWORD *Tib)
Obtain the TIB (Thread Information Block) of the thread running on the current CPU.
This structure describes a running process inside the guest.
#define INT_STATUS_INVALID_PARAMETER_3