64 _In_ size_t ProtectedCount
76 for (
DWORD i = 0; i < ProtectedCount; i++)
120 if (Loaded && Module->LoadEventSent)
125 if (!Loaded && Module->UnloadEventSent)
130 if ((NULL == Module->Path) || (0 == Module->VirtualBase) || (0 == Module->Size))
136 memzero(pModEvent,
sizeof(*pModEvent));
138 pModEvent->
Loaded = Loaded;
139 pModEvent->
Protected = Module->ShouldProtHooks || Module->ShouldProtUnpack;
149 WARNING(
"[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
154 Module->LoadEventSent =
TRUE;
158 Module->UnloadEventSent =
TRUE;
183 list = Subsystem->ProcessModules.
Flink;
184 while (list != &Subsystem->ProcessModules)
209 if (NULL != Process->Subsystemx86)
214 if (NULL != Process->Subsystemx64)
241 strstr(pProc->
Name,
"java"))
314 if ((Data[0] !=
'M') || (Data[1] !=
'Z'))
316 ERROR(
"[ERROR] Module is not a valid MZ image: %x%x, 0x%016llx:0x%016llx\n", Data[0], Data[1], ModuleBase,
321 TRACE(
"[MODULE] Main module for process %llx (subsystem %d) has loaded!\n",
326 TRACE(
"[MODULE] Protecting module with base 0x%016llx -> 0x%016llx against unpacking.\n", ModuleBase, Cr3);
331 ERROR(
"[ERROR] IntWinModHookPoly failed: 0x%08x\n", status);
370 while ((k <
MAX_PATH) && (0 != targetPath[k]))
376 while ((k + 1 <
MAX_PATH) && (0 != TestModule[l]))
378 targetPath[k] = TestModule[l];
386 return wstrncasecmp_len(targetPath, Module->Path->Path, k, Module->Path->PathSize / 2);
449 QWORD copyMemFunc = 0;
457 for (
DWORD trace = 0; trace < Originator->StackTrace.NumberOfTraces; trace++)
459 if (Originator->StackTrace.Traces[trace].CalledAddress == copyMemFunc)
467 *IsInjection =
FALSE;
497 Originator->Injection.Kernel =
TRUE;
498 Originator->Return.Driver = pDrv;
499 Originator->Return.Rip = ReturnRip;
505 Originator->Return.NameHash = pDrv->
NameHash;
514 WARNING(
"[WARNING] IntPeGetSectionHeaderByRva failed: 0x%08x\n", status);
518 memcpy(Originator->Return.Section, sectionHeader.
Name,
sizeof(sectionHeader.
Name));
560 ERROR(
"[ERROR] IntKernVirtMemFetchWordSize failed: 0x%08x\n", status);
567 ERROR(
"[ERROR] IntWinProcFindObjectByEprocess failed for 0x%016llx\n", eprocess);
571 Originator->Injection.User =
TRUE;
572 Originator->Process.WinProc = pProc;
604 BYTE previousMode = 0;
609 ERROR(
"[ERROR] IntWinThrGetCurrentThread failed: 0x%08x\n", status);
616 ERROR(
"[ERROR] IntKernVirtMemRead failed: 0x%08x\n", status);
620 if (previousMode == 0)
622 QWORD realRsp = 0, realRet = 0;
632 ERROR(
"[ERROR] IntKernVirtMemFetchQword failed: 0x%08x\n", status);
639 ERROR(
"[ERROR] IntKernVirtMemFetchQword failed: 0x%08x\n", status);
646 ERROR(
"[ERROR] IntWinModFillDriverInjectionData failed: 0x%08x\n", status);
654 ERROR(
"[ERROR] IntWinModFillProcessInjectionData failed: 0x%08x\n", status);
667 ERROR(
"[ERROR] IntWinThrGetCurrentThread failed: 0x%08x\n", status);
674 ERROR(
"[ERROR] IntKernVirtMemFetchDword failed: 0x%08x\n", status);
681 ERROR(
"[ERROR] IntKernVirtMemRead failed: 0x%08x\n", status);
711 ERROR(
"[ERROR] IntWinModFillDriverInjectionData failed: 0x%08x\n", status);
719 ERROR(
"[ERROR] IntWinModFillProcessInjectionData failed: 0x%08x\n", status);
763 ERROR(
"[ERROR] IntExceptKernelGetOriginator failed with status: 0x%08x\n", status);
766 informationOnly =
TRUE;
772 ERROR(
"[ERROR] IntWinModIsKernelWriteInjection failed: 0x%08x\n", status);
780 ERROR(
"[ERROR] IntWinModFillInjectionData failed: 0x%08x\n", status);
792 ERROR(
"[ERROR] IntExceptGetVictimEpt failed with status: 0x%08x\n", status);
795 informationOnly =
TRUE;
813 memzero(pEptViol,
sizeof(*pEptViol));
842 WARNING(
"[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
887 DWORD iatidx, iatesz;
903 WARNING(
"[WARNING] [SPECIAL-CASE] Process (pid: %d, eproc %llx, cr3 %llx, usercr3 %llx, name %s) " 904 "is not the current one (current cr3 %llx, gva %llx, gpa %llx, ac %d)\n",
909 WARNING(
"[WARNING] [SPECIAL-CASE] Process (pid: %d, eproc %llx, cr3 %llx, usercr3 %llx, name %s) " 923 goto _cleanup_and_exit;
944 goto _cleanup_and_exit;
950 memzero(&originator,
sizeof(originator));
951 memzero(&victim,
sizeof(victim));
960 goto _send_notification;
967 ERROR(
"[ERROR] Failed getting originator: 0x%08x\n", status);
968 goto _send_notification;
982 ERROR(
"[ERROR] Failed getting modified zone: 0x%08x\n", status);
983 goto _send_notification;
998 memzero(pEptViol,
sizeof(*pEptViol));
1022 WARNING(
"[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
1055 if (NULL == Context)
1097 DWORD sectionRva = 0;
1098 DWORD sectionCount = 0;
1103 pProc = Module->Subsystem->Process;
1105 if (NULL == Module->Cache || NULL == Module->Cache->Headers)
1107 ERROR(
"[ERROR] Invalid state where module doesn't has cache (%p) or headers!\n", Module->Cache);
1111 #define MAX_IAT_ENTRIES 4096 1113 Module->IATEntries = Module->Cache->Info.IatSize / (Module->Is64BitModule ? 8 : 4);
1116 WARNING(
"[WARNING] Module `%s` has %d IAT entries. Will use MAX_IAT_ENTRIES.",
1122 if (Module->IATEntries != 0)
1127 if (NULL == Module->IATBitmap)
1136 ERROR(
"[ERROR] IntHookObjectCreate failed: 0x%08x\n", status);
1143 Module->Cache->Headers,
1149 ERROR(
"[ERROR] IntPeListSectionsHeaders failed with status: 0x%08x\n", status);
1153 TRACE(
"[MODULE] Protecting module '%s' loaded at 0x%016llx\n",
1157 for (i = 0; i < sectionCount; i++, sec++)
1166 INFO(
"[INFO] Skipping section from VA 0x%08x, size 0x%08x, which is larger than VadSize 0x%016llx\n",
1174 memcpy(name, sec->
Name,
sizeof(sec->
Name));
1175 name[
sizeof(sec->
Name)] = 0;
1177 TRACE(
"[MODULE] Protecting pageable region: 0x%016llx, VA space 0x%016llx, length %x Name `%s`\n",
1192 ERROR(
"[ERROR] IntHookObjectHookRegion failed: 0x%08x\n", status);
1196 Module->IsProtected =
TRUE;
1198 Module->Subsystem->ProtectedModulesCount++;
1225 if (Module->ShouldProtUnpack && Module->Subsystem->Process->UnpackProtected)
1230 ERROR(
"[ERROR] IntUnpUnWatchVaSpacePages failed: 0x%08x\n", status);
1235 if (NULL != Module->HookObject)
1240 ERROR(
"[ERROR] IntHookObjectDestroy failed: 0x%08x\n", status);
1244 if (NULL != Module->ModBlockObject)
1249 ERROR(
"[ERROR] IntWinModBlockRemoveBlockObject failed: 0x%08x\n", status);
1253 if (Module->IsProtected)
1255 Module->Subsystem->ProtectedModulesCount--;
1258 Module->IsProtected =
FALSE;
1301 LOG(
"[WINMODULE] The VAD 0x%016llx belonging to module %s seems to not be inside the tree yet, " 1352 if (NULL == Context)
1381 TRACE(
"[MODULE] Protecting module with base 0x%016llx -> 0x%016llx against hooking.\n", VirtualAddress, Cr3);
1386 ERROR(
"[ERROR] IntWinModHookModule failed: 0x%08x\n", status);
1420 pSubs = Module->Subsystem;
1437 if (
wstrncasecmp(Module->Path->Path, u
"\\windows\\syswow64\\",
CWSTRLEN(u
"\\windows\\syswow64\\")) == 0)
1439 Module->IsSystemModule =
TRUE;
1445 if (
wstrncasecmp(Module->Path->Path, u
"\\windows\\system32\\",
CWSTRLEN(u
"\\windows\\system32\\")) == 0)
1447 Module->IsSystemModule =
TRUE;
1453 TRACE(
"[MODULE] Module '%s' (%08x) just loaded at 0x%016llx in process '%s' (pid = %d)\n",
1454 utf16_for_log(Module->Path->Path), Module->Path->NameHash, Module->VirtualBase, pProc->
Name, pProc->
Pid);
1460 Module->IsMainModule =
TRUE;
1476 TRACE(
"[INFO] Application '%s' was not found among the protected ones, will remove protection.\n",
1482 ERROR(
"[ERROR] IntWinProcUnprotect failed: 0x%08x\n", status);
1489 if (Module->IsSystemModule)
1492 (0 ==
wstrcasecmp(Module->Path->Name, u
"ntdll.dll")))
1494 Module->Subsystem->NtdllBase = Module->VirtualBase;
1495 Module->Subsystem->NtdllSize = Module->Size;
1497 Module->Subsystem->NtdllLoadCount++;
1500 (0 ==
wstrcasecmp(Module->Path->Name, u
"kernel32.dll")))
1502 Module->Subsystem->Kernel32LoadCount++;
1511 Module->ShouldGetCache =
TRUE;
1519 Module->ShouldGetCache =
TRUE;
1524 Module->ShouldGetCache =
TRUE;
1531 Module->ShouldProtUnpack =
TRUE;
1534 if (Module->ShouldGetCache)
1538 if (NULL == Module->Cache)
1540 ERROR(
"[ERROR] Module->Cache is NULL after IntWinUmModCacheGet!\n");
1545 Module->VirtualBase,
1552 &Module->HeadersSwapHandle);
1555 ERROR(
"[ERROR] IntSwapMemReadData failed: 0x%08x\n", status);
1561 if (Module->ShouldProtUnpack)
1564 Module->VirtualBase,
1571 &Module->HeadersSwapHandle);
1574 ERROR(
"[ERROR] IntSwapMemReadData failed: 0x%08x\n", status);
1607 if (Vad->PageCount *
PAGE_SIZE > 0xFFFFFFFF)
1609 ERROR(
"[ERROR] Module greater than 4GB!\n");
1627 if (!Process->Wow64Process)
1629 pMod->
Subsystem = Process->Subsystemx64;
1644 if (
wstrncasecmp(Vad->Path->Path, u
"\\windows\\system32\\",
wstrlen(u
"\\windows\\system32\\")) == 0)
1646 pMod->
Subsystem = Process->Subsystemx64;
1651 pMod->
Subsystem = Process->Subsystemx86;
1658 pMod->
Subsystem = Process->Subsystemx86;
1667 ERROR(
"[ERROR] IntWinModHandleModuleNameInMemory failed: 0x%08x\n", status);
1684 pMod64->
Subsystem = Process->Subsystemx64;
1694 ERROR(
"[ERROR] IntWinModHandleModuleNameInMemory failed: 0x%08x\n", status);
1724 list = Subsystem->ProcessModules.
Flink;
1725 while (list != &Subsystem->ProcessModules)
1781 if (NULL != Process->Subsystemx86)
1790 if (NULL != Process->Subsystemx64)
1826 if (NULL == Context)
1834 if (NULL == pMod->
Cache)
1874 pProc = Module->Subsystem->Process;
1879 ERROR(
"[ERROR] IntVirtMemMap failed: 0x%08x\n", status);
1886 ERROR(
"[ERROR] IntPeValidateHeader failed: 0x%08x\n", status);
1887 goto cleanup_and_exit;
1908 TRACE(
"[MODULE] Protecting pageable section: 0x%016llx, VA space 0x%016llx, length %x\n",
1911 for (
DWORD j = 0; j < secsize; j += 0x1000)
1920 ERROR(
"[ERROR] IntUnpWatchPage failed: 0x%08x\n", status);
1943 _In_ PINSTRUX Instrux,
1962 char text[ND_MIN_BUF_SIZE];
1965 if (NULL == Instrux)
1970 if (NULL == Context)
1982 status = NdToText(Instrux, VirtualAddress, ND_MIN_BUF_SIZE, text);
1985 strlcpy(text,
"INVALID",
sizeof(text));
1988 LOG(
"[ALERT] [UNPACK DETECTED] Unpacked/decrypted page detected @ 0x%016llx:0x%016llx: %s\n", VirtualAddress, Cr3,
1998 memzero(pEptViol,
sizeof(*pEptViol));
2034 WARNING(
"[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
2072 if (NULL != Module->HeadersSwapHandle)
2077 ERROR(
"[ERROR] IntSwapMemRemoveTransaction failed: 0x%08x\n", status);
2080 Module->HeadersSwapHandle = NULL;
2083 if (NULL != Module->ExportsSwapHandle)
2088 ERROR(
"[ERROR] IntSwapMemRemoveTransaction failed: 0x%08x\n", status);
2091 Module->ExportsSwapHandle = NULL;
2094 if (NULL != Module->SlackSpaceSwapHandle)
2099 ERROR(
"[ERROR] IntSwapMemRemoveTransaction failed: 0x%08x\n", status);
2102 Module->SlackSpaceSwapHandle = NULL;
2105 if (NULL != Module->MainModHeadersSwapHandle)
2110 ERROR(
"[ERROR] IntSwapMemRemoveTransaction failed: 0x%08x\n", status);
2113 Module->MainModHeadersSwapHandle = NULL;
2118 if (Module->IsMainModule)
2121 Module->Subsystem->Process->MainModuleLoaded =
FALSE;
2126 if (NULL != Module->IATBitmap)
2153 pList = Subsystem->ProcessModules.
Flink;
2154 while (pList != &Subsystem->ProcessModules)
2158 pList = pList->
Flink;
2167 if ((
winSubsys64Bit == Subsystem->SubsystemType) && (Subsystem->Process->Wow64Process))
2173 TRACE(
"[WINMODULE] PROC_PROT_MASK_CORE_HOOKS enabled -> disabled for %s (Process %d)\n",
2177 else if (!pMod->
ShouldProtHooks && Subsystem->Process->ProtCoreModules)
2179 TRACE(
"[WINMODULE] PROC_PROT_MASK_CORE_HOOKS disabled -> enabled for %s (Process %d)\n",
2185 TRACE(
"[WINMODULE] PROC_PROT_MASK_CORE_HOOKS did not changed for %s (Process %d)\n",
2196 TRACE(
"[WINMODULE] PROC_PROT_MASK_CORE_HOOKS enabled -> disabled for %s (Process %d)\n",
2200 else if (!pMod->
ShouldProtHooks && Subsystem->Process->ProtCoreModules)
2202 TRACE(
"[WINMODULE] PROC_PROT_MASK_CORE_HOOKS disabled -> enabled for %s (Process %d)\n",
2208 TRACE(
"[WINMODULE] PROC_PROT_MASK_CORE_HOOKS did not changed for %s (Process %d)\n",
2218 TRACE(
"[WINMODULE] PROC_PROT_MASK_WSOCK_HOOKS enabled -> disabled for %s (Process %d)\n",
2222 else if (!pMod->
ShouldProtHooks && Subsystem->Process->ProtWsockModules)
2224 TRACE(
"[WINMODULE] PROC_PROT_MASK_WSOCK_HOOKS disabled -> enabled for %s (Process %d)\n",
2230 TRACE(
"[WINMODULE] PROC_PROT_MASK_WSOCK_HOOKS did not changed for %s (Process %d)\n",
2244 TRACE(
"[WINMODULE] PROC_PROT_MASK_UNPACK enabled -> disabled for %s (Process %d). " 2246 Subsystem->Process->Pid, Subsystem->Process->Cr3);
2251 ERROR(
"[ERROR] IntUnpUnWatchVaSpacePages failed: 0x%x\n", status);
2260 TRACE(
"[WINMODULE] PROC_PROT_MASK_UNPACK disabled -> enabled for %s (Process %d)\n",
2266 ERROR(
"[ERROR] IntWinModHookPoly failed: 0x%x\n", status);
2273 TRACE(
"[WINMODULE] PROC_PROT_MASK_UNPACK did not changed for %s (Process %d)\n",
2282 TRACE(
"[WINMODULE] Protecting module with base 0x%016llx -> 0x%016llx against hooking.\n",
2288 ERROR(
"[ERROR] IntWinModHookModule failed for %s (Process %d): 0x%x\n",
2294 TRACE(
"[WINMODULE] Removing protection for module with base 0x%016llx -> 0x%016llx\n",
2321 if (NULL != Process->Subsystemx64)
2323 list = Process->Subsystemx64->ProcessModules.
Flink;
2324 while (list != &Process->Subsystemx64->ProcessModules)
2336 if (NULL != Process->Subsystemx86)
2338 list = Process->Subsystemx86->ProcessModules.
Flink;
2339 while (list != &Process->Subsystemx86->ProcessModules)
WINUM_PATH * Path
Module path.
#define IMAGE_SCN_MEM_EXECUTE
int wstrncasecmp(const WCHAR *buf1, const WCHAR *buf2, size_t len)
DWORD Is64BitModule
TRUE if the module is 64 bit.
PBYTE IATBitmap
A bitmap indicating which IAT entries have been initialized.
struct _EVENT_EPT_VIOLATION::@284 Victim
enum _INTRO_ACTION_REASON INTRO_ACTION_REASON
The reason for which an INTRO_ACTION was taken.
INTRO_CODEBLOCKS CodeBlocks
Code blocks extracted for the alert.
INTSTATUS IntPeGetSectionHeaderByRva(QWORD ImageBase, BYTE *ImageBaseBuffer, DWORD GuestRva, IMAGE_SECTION_HEADER *SectionHeader)
Given a relative virtual address, return the section header which describes the section the RVA lies ...
#define CONTAINING_RECORD(List, Type, Member)
#define ROUND_UP(what, to)
DWORD NtdllSize
The size of ntdll.dll.
static INTSTATUS IntWinModHookModule(PWIN_PROCESS_MODULE Module)
Hook a user-mode module against attacks.
INTSTATUS IntVirtMemUnmap(void **HostPtr)
Unmaps a memory range previously mapped with IntVirtMemMap.
An internal error occurred (no memory, pages not present, etc.).
static INTSTATUS IntWinModFillDriverInjectionData(QWORD ReturnRip, EXCEPTION_KM_ORIGINATOR *Originator)
Fills the return driver data in the Originator when the write is caused by an injection which was mad...
INTSTATUS IntHookObjectDestroy(HOOK_OBJECT_DESCRIPTOR **Object, DWORD Flags)
Destroy an entire hook object. All regions belonging to this object will be removed.
BYTE Violation
The type of the access. It must be one of the IG_EPT_HOOK_TYPE values.
#define NAMEHASH_KERNELBASE
IG_ARCH_REGS Regs
The current state of the guest registers.
DWORD IatSize
Size of the imports table.
DWORD Index
The VCPU number.
MITRE_ID MitreID
The Mitre ID that corresponds to this attack.
#define NAMEHASH_WOW64CPU
#define INT_STATUS_SUCCESS
const VAD * Vad
The VAD which describes this module.
Measures user mode exceptions checks.
static INTSTATUS IntWinModFillInjectionData(EXCEPTION_KM_ORIGINATOR *Originator)
Fills the originating caller which led to the detected injection and respectively the current KM-UM w...
DWORD ShouldProtHooks
TRUE if the module should be protected against hooks.
WIN_KERNEL_DRIVER Win
Valid only for Windows guests.
#define IMAGE_SCN_MEM_READ
static INTSTATUS IntWinModHandleModulePathInMemory(WIN_PROCESS_MODULE *Module, WINUM_PATH *Path)
Handles a module path in memory.
#define MODULE_MATCH(m, p)
void IntAlertFillWinProcess(const WIN_PROCESS_OBJECT *Process, INTRO_PROCESS *EventProcess)
Saves information about a windows process inside an alert.
DWORD ProtCoreModules
Protect the core module loaded by the process.
void IntWinUmModCacheRelease(WINUM_MODULE_CACHE *Cache)
Removes a module cache, if it was written (it's dirty).
INTSTATUS IntSwapMemReadData(QWORD Cr3, QWORD VirtualAddress, DWORD Length, DWORD Options, void *Context, DWORD ContextTag, PFUNC_PagesReadCallback Callback, PFUNC_PreInjectCallback PreInject, void **SwapHandle)
Reads a region of guest virtual memory, and calls the indicated callback when all the data is availab...
struct _LIST_ENTRY * Flink
INTSTATUS IntWinProcUnprotect(WIN_PROCESS_OBJECT *Process)
Remove a process from protection.
static INTSTATUS IntWinModHandleMainModuleInMemory(void *Context, QWORD Cr3, QWORD ModuleBase, QWORD PhysicalAddress, PBYTE Data, DWORD DataSize, DWORD Flags)
Callback called when the main module headers are present in physical memory.
QWORD BaseVa
The guest virtual address of the kernel module that owns this driver object.
QWORD HookStartPhysical
The start of the monitored guest physical memory area for which this alert was generated.
#define IMAGE_SCN_MEM_WRITE
static int IntWinModComparePaths(const WIN_PROCESS_MODULE *Module, const WCHAR *SystemDirPath, const WCHAR *TestModule)
Tests whether the Module's path is the same as the TestModules' path inside the provided SystemDirPat...
#define INT_SUCCESS(Status)
INTSTATUS IntWinThrGetCurrentThread(DWORD CpuNumber, QWORD *EthreadAddress)
Get the ETHREAD structure address of the thread currently running on the given CPU.
Event structure for module loading and unloading.
void IntWinModulesChangeProtectionFlags(PWIN_PROCESS_SUBSYSTEM Subsystem)
Change the protection flags applied to the process modules that are currently loaded.
QWORD Flags
A combination of ALERT_FLAG_* values describing the alert.
#define PROC_OPT_PROT_WSOCK_HOOKS
Blocks hooks being set on Wininet user-mode DLLs (Windows only).
QWORD SectionOffset
Offset of the first section header.
The action was not allowed because there was no reason to allow it.
CHAR Instruction[ALERT_MAX_INSTRUX_LEN]
The instruction found at RIP, in textual form.
BOOLEAN FirstDominoJavaIgnored
TRUE if the first Domino Java execution VAD was ignored.
EVENT_MODULE_EVENT Module
QWORD IntHookGetGlaFromGpaHook(HOOK_GPA const *Hook, QWORD Address)
Gets the GLA from a GPA hook.
INTSTATUS IntWinModHandleWrite(void *Context, void *Hook, QWORD Address, INTRO_ACTION *Action)
Handle writes inside a protected user-mode module wrapper. Will dispatch appropriately to either the ...
Windows process subsystem.
DWORD UnpackProtected
TRUE if the main module has been protected against unpacks.
PBYTE MzPeHeaders
The driver`s MZ/PE headers (cached internally).
Writes done from kernel mode over user mode.
#define INT_STATUS_NOT_NEEDED_HINT
Describes a user-mode originator.
struct _EVENT_EPT_VIOLATION::@283 Originator
#define HpAllocWithTag(Len, Tag)
INTSTATUS IntKernVirtMemFetchWordSize(QWORD GuestVirtualAddress, void *Data)
Reads a guest pointer from the guest kernel memory.
int INTSTATUS
The status data type.
struct _WINUM_MODULE_CACHE::@242 Info
INTSTATUS IntWinModPolyHandler(QWORD Cr3, QWORD VirtualAddress, PINSTRUX Instrux, void *Context)
Handle an unpack event for the indicated address.
void IntWinUmPathDereference(WINUM_PATH **Path)
Dereferences a WINUM_PATH object, releasing the resources if the reference count has reached 0...
INTSTATUS IntWinModHandleLoadFromVad(WIN_PROCESS_OBJECT *Process, const VAD *Vad)
Handle a module load from a VAD.
#define INT_STATUS_NOT_FOUND
static INTSTATUS IntWinModHookPoly(PWIN_PROCESS_MODULE Module)
Hooks the given module against unpacks.
DWORD IsProtected
TRUE if the module is actually hooked.
#define MAX_PATH
The maximum size of a path (260 characters on windows).
void IntExceptKernelUserLogInformation(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason)
Print the information about a kernel-user mode violation and dumps the code-blocks.
QWORD Rip
The value of the guest RIP register when the event was generated.
struct _WIN_PROCESS_MODULE * PWIN_PROCESS_MODULE
INTSTATUS IntWinModRemoveModule(PWIN_PROCESS_MODULE Module)
Removes a Windows module.
Describes a kernel-mode originator.
static INTSTATUS IntWinModHandleUserWrite(void *Context, void *Hook, QWORD Address, INTRO_ACTION *Action)
Handle user-mode writes inside a protected user-mode module.
BOOLEAN UserMode
True if this is a user mode module, False if it is a kernel mode module.
BOOLEAN Kernel
This field is set to TRUE for a write due to an injection from kernel-mode.
void IntAlertFillCpuContext(BOOLEAN CopyInstruction, INTRO_CPUCTX *CpuContext)
Fills the current CPU context for an alert.
INSTRUX Instruction
The current instruction, pointed by the guest RIP.
QWORD VirtualBase
Guest virtual address of the loaded module.
QWORD VadGva
The guest virtual address at which the corresponding Windows _MMVAD structure is located.
QWORD MainModuleAddress
The address of the main module.
BOOLEAN IsDominoJava
True if this is a Java IBM process and j9jit.dll is loaded.
QWORD HookStartVirtual
The start of the monitored guest virtual memory area for which this alert was generated.
INTSTATUS IntWinModUnHookModule(PWIN_PROCESS_MODULE Module)
Remove the protection from the indicated module.
Process subsystem type 32 bit.
DWORD Protected
TRUE if this is a protected process. If this is FALSE, most of the above fields aren't used at all...
Describes a kernel driver.
#define ALERT_FLAG_KM_UM
If set, the alert was generated by a kernel to user mode violation.
void IntAlertFillVersionInfo(INTRO_VIOLATION_HEADER *Header)
Fills version information for an alert.
DWORD Wow64Process
TRUE if this is a 32 bit process on a 64 bit OS.
DWORD AccessSize
The size of the memory access. Valid only for EPT exits.
QWORD IntAlertProcGetFlags(QWORD ProtectionFlag, const void *Process, INTRO_ACTION_REASON Reason, QWORD AdditionalFlags)
Returns the flags for an alert.
INTRO_VIOLATION_HEADER Header
The alert header.
const PROTECTED_PROCESS_INFO * IntWinProcGetProtectedInfoEx(PWCHAR Path, BOOLEAN IsSystem)
Returns a pointer to the PROTECTED_PROCESS_INFO structure for the given process Path.
DWORD NameHash
The hash of the name.
INTRO_ACTION_REASON Reason
The reason for which Action was taken.
INTSTATUS IntAlertFillCodeBlocks(QWORD Rip, QWORD Cr3, BOOLEAN Execute, INTRO_CODEBLOCKS *CodeBlocks)
Fills the code blocks pattern for an alert.
QWORD NtdllBase
The base address for ntdll.dll.
Exposes the functions used to provide Windows Threads related support.
QWORD Cr3
Process PDBR. Includes PCID.
DWORD MainModuleLoaded
TRUE if the main module has been loaded.
BOOLEAN MainModuleLoaded
TRUE if the MainModule was loaded.
void IntAlertEptFillFromKmOriginator(const EXCEPTION_KM_ORIGINATOR *Originator, EVENT_EPT_VIOLATION *EptViolation)
Fills kernel mode originator information inside an EPT alert.
GENERIC_ALERT gAlert
Global alert buffer.
static INTSTATUS IntWinModHandleUnload(PWIN_PROCESS_SUBSYSTEM Subsystem, QWORD VirtualBase)
Handle a module unload from the given subsystem.
INTSTATUS IntSwapMemRemoveTransaction(void *Transaction)
Remove a transaction.
WINUM_PATH * Path
Will point inside the loaded modules list to the full process path.
INTSTATUS IntKernVirtMemFetchDword(QWORD GuestVirtualAddress, DWORD *Data)
Reads 4 bytes from the guest kernel memory.
#define INITIAL_CRC_VALUE
BOOLEAN IntPolicyProcTakeAction(QWORD Flag, void const *Process, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason)
Returns the action that should be taken for a process protection option.
BOOLEAN User
This field is set to TRUE for a write due to an injection from user-mode.
void IntAlertEptFillFromVictimZone(const EXCEPTION_VICTIM_ZONE *Victim, EVENT_EPT_VIOLATION *EptViolation)
Fills the victim information inside an EPT alert.
size_t wstrlen(const WCHAR *str)
INTSTATUS IntKernVirtMemFetchQword(QWORD GuestVirtualAddress, QWORD *Data)
Reads 8 bytes from the guest kernel memory.
INTRO_CPUCTX CpuContext
The context of the CPU that triggered the alert.
INTSTATUS IntWinProcSendAllDllEventsForProcess(PWIN_PROCESS_OBJECT Process)
Send DLL load events for all modules loaded in all subsystems of a process.
static QWORD IntWinModGetProtectionOptionForModule(WIN_PROCESS_MODULE *Module)
Get the protection options for provided module.
INTSTATUS IntNotifyIntroEvent(INTRO_EVENT_TYPE EventClass, void *Param, size_t EventSize)
Notifies the integrator about an introspection alert.
static BOOLEAN RemoveEntryList(LIST_ENTRY *Entry)
BOOLEAN Guest64
True if this is a 64-bit guest, False if it is a 32-bit guest.
INTSTATUS IntExceptGetVictimEpt(void *Context, QWORD Gpa, QWORD Gva, INTRO_OBJECT_TYPE Type, DWORD ZoneFlags, EXCEPTION_VICTIM_ZONE *Victim)
Fills an EXCEPTION_VICTIM_ZONE with relevant information from an EPT violation.
static INTSTATUS IntWinProcSendAllDllEventsForSubsystem(PWIN_PROCESS_SUBSYSTEM Subsystem)
Send a module load event for each loaded module inside a subsystem.
CHAR Name[IMAGE_BASE_NAME_LEN]
Process base name.
static void IntWinModCheckSpecialCases(PWIN_PROCESS_MODULE Module)
Check if the process is DominoJava process.
QWORD Current
The currently used options.
DWORD LoadedModulesCount
The number of modules that were loaded.
static INTSTATUS IntWinModHandleModuleHeadersInMemory(void *Context, QWORD Cr3, QWORD VirtualAddress, QWORD PhysicalAddress, PBYTE Data, DWORD DataSize, DWORD Flags)
Called as soon as the module headers are swapped in memory.
INTSTATUS IntPeListSectionsHeaders(QWORD ImageBase, BYTE *ImageBuffer, DWORD ImageBufferSize, DWORD *FirstSectionOffset, DWORD *SectionCount)
Will get the offset to the first section header and the number of sections from the given module...
DWORD ShouldProtUnpack
TRUE if the module should be protected against unpack.
QWORD UserCr3
Process user PDBR. Includes PCID.
#define IN_RANGE_LEN(x, start, len)
#define INT_STATUS_INVALID_PARAMETER_4
BYTE NtdllLoadCount
Number of ntdll.dll loads.
#define IS_KERNEL_POINTER_WIN(is64, p)
Checks if a guest virtual address resides inside the Windows kernel address space.
QWORD NumberOfSections
Number of sections.
#define EXCEPTION_KM_ORIGINATOR_OPT_FULL_STACK
Flag that can be passed to IntExceptKernelGetOriginator when the full stack is needed.
QWORD Gpa
The accessed guest physical address. Valid only for EPT exits.
#define HpFreeAndNullWithTag(Add, Tag)
PWIN_PROCESS_OBJECT IntWinProcFindObjectByCr3(QWORD Cr3)
Finds a process by its kernel CR3.
BOOLEAN IntWinVadIsInTree(const VAD *Vad)
Checks if a VAD is inserted in a guest VAD tree.
#define INT_STATUS_INVALID_PARAMETER_5
#define INT_STATUS_INVALID_INTERNAL_STATE
static INTSTATUS IntWinModHandleKernelWrite(void *Context, void *Hook, QWORD Address, INTRO_ACTION *Action)
Handle writes inside a protected user-mode module from kernel-mode.
#define INTRO_OPT_EVENT_MODULES
Enable user mode and kernel mode module load and unload events (generates introEventModuleEvent event...
INTSTATUS IntWinModHandleUnloadFromVad(PWIN_PROCESS_OBJECT Process, PVAD Vad)
Handle a module unload.
struct _WIN_PROCESS_OBJECT * Process
The process object related to this subsystem.
union _IMAGE_SECTION_HEADER::@214 Misc
static void InsertTailList(LIST_ENTRY *ListHead, LIST_ENTRY *Entry)
WINUM_PATH * IntWinUmPathReference(WINUM_PATH *Path)
Increases the reference count of the given WINUM_PATH object.
INTRO_EXEC_CONTEXT ExecContext
Information about the instruction that triggered the alert.
BOOLEAN Loaded
True if the module was loaded, False if it was unloaded.
size_t strlcpy(char *dst, const char *src, size_t dest_size)
BYTE Kernel32LoadCount
Number of kernel32.dll loads.
#define INT_STATUS_ALREADY_INITIALIZED_HINT
DWORD Pid
Process ID (the one used by Windows).
Process subsystem type 64 bit.
INTSTATUS IntExceptUserGetOriginator(void *Process, BOOLEAN ModuleWrite, QWORD Address, INSTRUX *Instrux, EXCEPTION_UM_ORIGINATOR *Originator)
This function is used to get the information about the user-mode originator.
Sent when an EPT violation triggers an alert. See EVENT_EPT_VIOLATION.
Describes the modified zone.
static BOOLEAN IntWinModWriteValidHandler(QWORD Cr3, QWORD Address, void *Context)
Checks if a write inside a code section is legitimate or not.
struct _EXCEPTION_KM_ORIGINATOR::@66 Injection
#define UNREFERENCED_PARAMETER(P)
DWORD NameHash
The CRC32 hash of the name. Used for fast matching.
void IntWinUmModCacheGet(WIN_PROCESS_MODULE *Module)
Initializes the cache for the provided module.
const PROTECTED_DLL_INFO gProtectedWowModules[]
#define WIN_KM_FIELD(Structure, Field)
Macro used to access kernel mode fields inside the WIN_OPAQUE_FIELDS structure.
INTSTATUS IntUnpUnWatchVaSpacePages(QWORD Cr3)
Stop monitoring all pages belonging to a virtual address space.
#define PROC_OPT_PROT_CORE_HOOKS
Blocks hooks being set on core user-mode DLLs.
static INTSTATUS IntWinModFillProcessInjectionData(QWORD CurrentThread, EXCEPTION_KM_ORIGINATOR *Originator)
Fills the originating process data in the Originator when the write is caused by an injection which w...
void IntAlertEptFillFromUmOriginator(const EXCEPTION_UM_ORIGINATOR *Originator, EVENT_EPT_VIOLATION *EptViolation)
Fills user mode originator information inside an EPT alert.
INTRO_PROCESS CurrentProcess
The currently active process.
INTSTATUS IntPeValidateHeader(QWORD ImageBase, BYTE *ImageBaseBuffer, DWORD ImageBaseBufferSize, INTRO_PE_INFO *PeInfo, QWORD Cr3)
Validates a PE header.
LIST_ENTRY Link
List entry element.
enum _INTRO_ACTION INTRO_ACTION
Event actions.
BOOLEAN IntPolicyProcForceBetaIfNeeded(QWORD Flag, void *Process, INTRO_ACTION *Action)
Checks if a forced action should be taken even if the process log-only mode is active.
#define IMAGE_SCN_CNT_CODE
#define _In_reads_bytes_(expr)
QWORD Rip
The RIP from where the call to the exported function came.
static INTSTATUS IntWinModIsKernelWriteInjection(EXCEPTION_KM_ORIGINATOR *Originator, BOOLEAN *IsInjection)
Verifies if the current KM-UM write is due to an injection.
#define INT_STATUS_INVALID_OBJECT_TYPE
INTRO_MODULE Module
The module for which this event was triggered.
DWORD UnpackAlertSent
TRUE if unpack alerts have been sent.
WCHAR * Name
The name of the module contained in the path.
LIST_HEAD ProcessModules
List of process modules.
DWORD Offset
The offset inside the page where the violation took place.
__must_check INTSTATUS IntVirtMemMap(QWORD Gva, DWORD Length, QWORD Cr3, DWORD Flags, void **HostPtr)
Maps a guest virtual memory range inside Introcore virtual address space.
void * HeadersSwapHandle
Swap handle for the headers.
QWORD Cr3
The value of the guest CR3 register when the event was generated.
INTSTATUS IntWinModHandlePreInjection(void *Context, QWORD Cr3, QWORD VirtualAddress)
Module base page-fault pre-injection callback.
const PROTECTED_DLL_INFO gProtectedModules[]
QWORD EprocessAddress
This will be the address of the ActiveProcess field.
#define ALERT_FLAG_SYSPROC
If set, the alert is on system process.
DWORD SystemProcess
TRUE if this is a system process.
GUEST_STATE gGuest
The current guest state.
WINUM_MODULE_CACHE * Cache
Module headers cache.
void IntAlertFillWinProcessByCr3(QWORD ProcessCr3, INTRO_PROCESS *EventProcess)
Saves information about a Windows process inside an alert. The process is searched by its kernel CR3...
INTRO_PROCESS Process
The process that did the malicious access.
Exposes the types, constants and functions needed to block Windows module loads (used to block double...
#define IMAGE_SCN_MEM_DISCARDABLE
#define CWSTRLEN(Wstring)
static INTSTATUS IntWinProcSendDllEvent(PWIN_PROCESS_MODULE Module, BOOLEAN Loaded)
Send a DLL load/unload event to the integrator.
#define INT_STATUS_STACK_SWAPPED_OUT
Indicates that the stack was needed in order to match the exceptions, but it is swapped out...
PWIN_PROCESS_OBJECT IntWinProcFindObjectByEprocess(QWORD Eprocess)
Finds a process by the address of its _EPROCESS structure.
WIN_SUBSYTEM_TYPE SubsystemType
Process subsystem type.
struct _EXCEPTION_KM_ORIGINATOR::@64 Original
INTRO_ACTION Action
The action that was taken as the result of this alert.
int wstrcasecmp(const WCHAR *buf1, const WCHAR *buf2)
INTSTATUS IntKernVirtMemRead(QWORD KernelGva, DWORD Length, void *Buffer, DWORD *RetLength)
Reads data from a guest kernel virtual memory range.
PWIN_PROCESS_MODULE IntWinUmModFindByAddress(PWIN_PROCESS_OBJECT Process, QWORD Gva)
Searches for a user-mode module which contains the indicated guest virtual address.
KERNEL_DRIVER * IntDriverFindByAddress(QWORD Gva)
Returns the driver in which Gva resides.
INTSTATUS IntWinDagentCheckSuspiciousDllLoad(WIN_PROCESS_MODULE *Module)
Checks if the given module is suspicious of loading through the double agent technique and calls the ...
QWORD VirtualPage
The guest virtual page in which the access was made.
INTSTATUS IntHookObjectHookRegion(void *Object, QWORD Cr3, QWORD Gla, SIZE_T Length, BYTE Type, void *Callback, void *Context, DWORD Flags, HOOK_REGION_DESCRIPTOR **Region)
Hook a contiguous region of virtual memory inside the provided virtual address space.
DWORD ProtUnpack
Protect process against unpacking attempts.
DWORD IATEntries
Number of IAT entries.
#define INT_STATUS_NOT_INITIALIZED_HINT
char * utf16_for_log(const WCHAR *WString)
Converts a UTF-16 to a UTF-8 string to be used inside logging macros.
#define INT_STATUS_INVALID_PARAMETER_1
DWORD StaticScan
TRUE if the module was found by statically enumerating process modules.
INTRO_PROCESS CurrentProcess
The current process.
Kernel-User mode exception.
VCPU_STATE * gVcpu
The state of the current VCPU.
void IntAlertFillWinUmModule(const WIN_PROCESS_MODULE *Module, INTRO_MODULE *EventModule)
Fills information about a user mode module inside an alert.
static int wstrncasecmp_len(const WCHAR *buf1, const WCHAR *buf2, size_t len_buf1, size_t len_buf2)
UINT8 Name[IMAGE_SIZEOF_SHORT_NAME]
INTRO_MODULE Module
The module that did the malicious access.
struct _EVENT_EPT_VIOLATION::@283::@288 Injection
DWORD SizeOfImage
Size of the image.
INTRO_EXEC_INFO ExecInfo
Execution information. Valid only if Violation is IG_EPT_HOOK_EXECUTE.
Event structure for EPT violations.
DWORD ProtWsockModules
Protect the Windows Socket related modules.
INTSTATUS IntDetGetFunctionAddressByTag(DETOUR_TAG Tag, QWORD *FunctionAddress)
Get a detour function address by its tag.
PWIN_PROCESS_SUBSYSTEM Subsystem
Module subsystem.
INTSTATUS IntWinUmModCacheSetHeaders(WIN_PROCESS_MODULE *Module, BYTE *Headers)
Sets the MZ/PE headers in the cache of a given module.
DWORD Length
The length of the instruction.
#define NAMEHASH_KERNEL32
INTSTATUS IntUnpWatchPage(QWORD Cr3, QWORD VirtualAddress, PFUNC_PageUnpackedCallback UnpackCallback, PFUNC_PageIsWriteValid WriteCheckCallback, void *CallbackContext)
Monitor a page against unpacking.
DWORD PathHash
CRC32 hash value for the driver`s path.
DWORD IatRva
RVA of the imports table.
void * Process
The process object from which the write originates. Valid only for KM-UM writes due to an injection o...
static BOOLEAN IntWinModIsProtected(const WIN_PROCESS_MODULE *Module, const PROTECTED_DLL_INFO *ProtectedList, size_t ProtectedCount)
Check if the given module is in the provided list of protected modules.
A representation of a Windows VAD structure.
DWORD IsMainModule
TRUE if this is the main module.
DWORD IsSystemModule
TRUE if this is a system module (loaded from system32 or syswow64).
INTSTATUS IntExceptKernelGetOriginator(EXCEPTION_KM_ORIGINATOR *Originator, DWORD Options)
This function is used to get the information about the kernel-mode originator.
INTSTATUS IntAlertFillExecContext(QWORD Cr3, INTRO_EXEC_CONTEXT *ExecContext)
Fills the current execution context.
#define ZONE_WRITE
Used for write violation.
#define INT_STATUS_INVALID_PARAMETER_2
INTRO_PROT_OPTIONS CoreOptions
The activation and protection options for this guest.
DWORD Size
Virtual size of the module.
QWORD Gla
The accessed guest virtual address. Valid only for EPT exits.
#define NAMEHASH_WOW64WIN
INTSTATUS IntHookObjectCreate(DWORD ObjectType, QWORD Cr3, void **Object)
Create a new hook object.
const WCHAR * strstr_utf16(const WCHAR *buf1, const WCHAR *buf2)
#define SWAPMEM_OPT_UM_FAULT
If set, the PF must be injected only while in user-mode. Use it when reading user-mode memory...
void IntExcept(EXCEPTION_VICTIM_ZONE *Victim, void *Originator, EXCEPTION_TYPE Type, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason, INTRO_EVENT_TYPE EventClass)
This function is the entry point for the exception mechanism.
BOOLEAN Protected
True if the module is protected.
INTSTATUS IntWinModBlockRemoveBlockObject(void *BlockObject)
This function is used in order to destroy a WIN_MOD_BLOCK_OBJECT structure.
INTRO_OBJECT_TYPE Type
The type of the accessed memory area.
This structure describes a running process inside the guest.
#define INT_STATUS_INSUFFICIENT_RESOURCES
WCHAR * Path
The string which represents the user-mode module path.
const PROTECTED_DLL_INFO gProtectedNetModules[]