19 #define VAD_SEARCH_LIMIT 1000 20 #define MAX_VAD_EXECS 64u 68 #define VAD_SHORT_FIELD_PTR(type_, ptr_, field_) (type_ *)((BYTE *)(ptr_) + WIN_KM_FIELD(VadShort, field_)) 78 #define VAD_LONG_FIELD_PTR(type_, ptr_, field_) (type_ *)((BYTE *)(ptr_) + WIN_KM_FIELD(VadLong, field_)) 90 #define VadShortByte(ptr_, field_) *VAD_SHORT_FIELD_PTR(BYTE, ptr_, field_) 102 #define VadShortWord(ptr_, field_) *VAD_SHORT_FIELD_PTR(WORD, ptr_, field_) 114 #define VadShortDword(ptr_, field_) *VAD_SHORT_FIELD_PTR(DWORD, ptr_, field_) 126 #define VadShortQword(ptr_, field_) *VAD_SHORT_FIELD_PTR(QWORD, ptr_, field_) 139 #define VadShortPtrSize(ptr_, field_) gGuest.Guest64 ? VadShortQword(ptr_, field_) : VadShortDword(ptr_, field_) 151 #define VadShortAnySize(size_, ptr_, field_) (size_) == 8 ? VadShortQword(ptr_, field_) : \ 152 (size_) == 4 ? VadShortDword(ptr_, field_) : \ 153 (size_) == 2 ? VadShortWord(ptr_, field_) : \ 154 (size_) == 1 ? VadShortByte(ptr_, field_) : 0 170 return Vad->Process->HasNaClEnabled && 16 == Vad->PageCount &&
VadNone == Vad->VadType;
190 return Vad->VadType ==
VadNone &&
192 Vad->Process->IsDominoJava &&
193 !Vad->Process->FirstDominoJavaIgnored;
221 if (NULL == Vad->VadPages)
228 DWORD pos = (
DWORD)((curpg - Vad->StartPage) >> 12);
230 if (NULL == Vad->VadPages[pos])
235 if (NULL != Vad->VadPages[pos]->ExecHook)
241 ERROR(
"[ERROR] IntHookGvaRemoveHook failed: 0x%08x\n", status);
269 if (NULL != Vad->VadPages)
274 ERROR(
"[ERROR] IntWinVadRemoveRange failed for VAD 0x%016llx: 0x%08x\n", Vad->VadGva, status);
301 if (NULL == Vad || NULL == *Vad)
315 ERROR(
"[ERROR] IntSwapMemRemoveTransactionsForAddress failed: 0x%08x\n", status);
326 ERROR(
"[ERROR] IntWinModHandleUnloadFromVad failed: 0x%08x\n", status);
495 VmProtection &= 0xFF;
497 switch (VmProtection)
535 VadProtection &= 0xFF;
537 switch (VadProtection)
575 VadProtection &= 0xFF;
577 switch (VadProtection)
720 QWORD newPageCount = 0, newPageIdx = 0;
724 newPageCount = ((NewEndPage - NewStartPage) >> 12) + 1;
726 if (NULL == Vad->VadPages)
732 if (NULL == pNewVadPages)
739 QWORD pos = ((curpg - Vad->StartPage) >> 12);
741 if (curpg >= NewStartPage && curpg <= NewEndPage)
743 if (NULL == Vad->VadPages[pos])
745 pNewVadPages[newPageIdx++] = NULL;
749 Vad->VadPages[pos]->
RangeStart =
MAX(Vad->VadPages[pos]->RangeStart, NewStartPage);
750 Vad->VadPages[pos]->RangeEnd =
MIN(Vad->VadPages[pos]->RangeEnd, NewEndPage);
752 pNewVadPages[newPageIdx++] = Vad->VadPages[pos];
757 if (NULL != Vad->VadPages[pos])
759 if (NULL != Vad->VadPages[pos]->ExecHook)
765 ERROR(
"[ERROR] IntHookGvaRemoveHook failed: 0x%08x\n", status);
776 Vad->VadPages = pNewVadPages;
779 Vad->StartPage = NewStartPage;
780 Vad->EndPage = NewEndPage;
781 Vad->PageCount = newPageCount;
821 char text[ND_MIN_BUF_SIZE] = { 0 };
823 QWORD tibBase, stackBase, stackLimit;
832 tibBase = stackBase = stackLimit = 0;
833 detected = feedback =
FALSE;
851 isCurrentProcess = Process->Cr3 == regs->
Cr3;
856 LOG(
"TIB is not present! Will inject #PF for %llx!\n", tibBase);
863 NULL, 0, NULL, NULL, NULL);
866 ERROR(
"[ERROR] IntSwapMemReadData failed: 0x%08x\n", status);
879 ERROR(
"[ERROR] IntWinThrGetCurrentStackBaseAndLimit failed: 0x%08x\n", status);
880 stackLimit = stackBase = 0;
886 if ((stackLimit == 0) && (stackBase == 0))
888 bRspOut = bIsStack =
FALSE;
894 bRspOut = ((regs->
Rsp < stackLimit - 0x3000) || (regs->
Rsp >= stackBase));
895 bIsStack = (VirtualAddress >= stackLimit) && (VirtualAddress < stackBase);
904 if (bRspOut || bIsStack)
909 else if (0 != scflags)
931 executionInfo.
Rsp = regs->
Rsp;
934 executionInfo.
Length = instrux->Length;
939 WARNING(
"[WARNING] IntWinEngExecSendNotification failed: 0x%08x\n", status);
944 goto _send_notification;
950 ERROR(
"[ERROR] Failed getting originator: 0x%08x\n", status);
951 goto _send_notification;
962 ERROR(
"[ERROR] Failed getting modified zone: 0x%08x\n", status);
963 goto _send_notification;
982 memzero(pEptViol,
sizeof(*pEptViol));
984 status = NdToText(instrux, regs->
Rip, ND_MIN_BUF_SIZE, text);
987 ERROR(
"[ERROR] NdToText failed: 0x%08x\n", status);
991 LOG(
"[VADNX] [CPU %d] EXPLOIT detected! Execution attempted at 0x%016llx! Instruction: %s\n",
994 LOG(
"[VADNX] Current address: %llx, current stack: %llx, known stack: %llx/%llx, TIB: %llx\n",
995 regs->
Rip, regs->
Rsp, stackBase, stackLimit, tibBase);
997 LOG(
"[VADNX] RSP out: %d; Is stack: %d; Shellcode flags: %llx;\n",
998 bRspOut, bIsStack, scflags);
1025 WARNING(
"[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
1031 WARNING(
"[WARNING] IntWinNetSendProcessConnections failed: 0x%08x\n", status);
1042 _In_ void const *Hook,
1120 QWORD currentThread = 0;
1132 isCurrentProcess = pProc->
Cr3 == regs->
Cr3;
1136 if (!isCurrentProcess)
1165 TRACE(
"[WINVAD] Removing VAD hook on 0x%016llx for process `%s` (Cr3 0x%016llx). " 1166 "Current process is `%s` (Cr3 0x%016llx)\n",
1171 goto cleanup_and_exit;
1186 ERROR(
"[ERROR] IntWinThrGetCurrentThread failed: 0x%08x\n", status);
1191 if (NULL != entryPendingUD)
1193 goto retry_inject_ud;
1202 goto cleanup_and_exit;
1208 ERROR(
"[ERROR] IntWinVadIsExecSuspicious failed: 0x%08x\n", status);
1209 goto cleanup_and_exit;
1230 ERROR(
"[ERROR] IntHookGvaRemoveHook failed: 0x%08x\n", status);
1257 ERROR(
"[ERROR] IntWinVadRemoveRanges failed: 0x%08x\n", status);
1265 isCurrentProcess) ||
1266 NULL != entryPendingUD)
1271 if (entryPendingUD != NULL &&
gVcpu->
CurrentUD == entryPendingUD)
1279 ERROR(
"[ERROR] IntInjectExceptionInGuest failed, process will not be killed: %08x\n", status2);
1283 if (NULL == entryPendingUD)
1290 ERROR(
"[ERROR] IntUDAddToPendingList failed: 0x%08x\n", status);
1335 PVAD pVad = Context;
1363 if (NULL == Process)
1400 QWORD startVpn, endVpn;
1402 if (NULL == vadBuffer)
1407 Vad->VadGva = VadGva;
1414 startVpn = endVpn = 0;
1437 Vad->StartPage = startVpn << 12;
1438 Vad->EndPage = endVpn << 12;
1440 if (FailOnCorruptRange && Vad->EndPage < Vad->StartPage)
1442 ERROR(
"[ERROR] VAD EndPage is before StartPage: start = 0x%016llx, end = 0x%016llx, vad at 0x%016llx\n",
1443 Vad->StartPage, Vad->EndPage, VadGva);
1456 Vad->NoChange = 0 != (flags &
BIT(
WIN_KM_FIELD(VadFlags, NoChangeBit)));
1461 Vad->DeleteInProgress = 0 != (flags &
WIN_KM_FIELD(VadFlags, DeleteInProgressMask));
1462 Vad->PrivateFixup = 0 != (flags &
WIN_KM_FIELD(VadFlags, PrivateFixupMask));
1464 Vad->PageCount = (((Vad->EndPage - Vad->StartPage) >> 12) + 1);
1469 Vad->Process = NULL;
1496 DWORD subsecOffsetInVad;
1497 DWORD ctlAreaOffsetInSubsec;
1498 DWORD fileObjectOffsetInCtlArea;
1499 DWORD fileLengthOffsetInFileObject;
1500 DWORD fileBufferOffsetInFileObject;
1503 if (NULL != Vad->Path)
1509 ctlAreaOffsetInSubsec =
WIN_KM_FIELD(Ungrouped, SubsectionCtlArea);
1510 fileObjectOffsetInCtlArea =
WIN_KM_FIELD(Ungrouped, CtlAreaFile);
1511 fileLengthOffsetInFileObject =
WIN_KM_FIELD(FileObject, NameLength);
1512 fileBufferOffsetInFileObject =
WIN_KM_FIELD(FileObject, NameBuffer);
1526 Vad->SubsectionGva = tmp;
1529 if (NULL != Vad->Path)
1577 ERROR(
"[ERROR] IntSwapMemReadData failed: 0x%08x\n", status);
1624 ERROR(
"[ERROR] IntWinVadFetchVadFromMemory failed from GVA %llx: 0x%08x\n", VadGva, status);
1631 TRACE(
"[WINVAD] Vad with type %d created at [0x%016llx, 0x%016llx]. Will ignore it.\n",
1648 ERROR(
"[ERROR] IntWinVadFetchImageName failed for VAD 0x%016llx: 0x%08x\n", pVad->
VadGva, status);
1674 const PCHAR prot[] =
1676 "noaccess",
"readonly",
"execute",
"execute-read",
"readwrite",
1677 "writecopy",
"execute-readwrite",
"execute-writecopy" 1696 NLOG(
"0x%016llx (%d): [0x%016llx, 0x%016llx]: Type: %d Prot: 0x%04x (%s)\n",
1720 const char *vadTypes[] =
1723 "VadDevicePhysicalMemory",
1728 "VadRotatePhysical",
1729 "VadLargePageSection",
1739 NLOG(
" VAD @ 0x%016llx for [0x%016llx, 0x%016llx], type %-24s, protection: 0x%08x (%c%c%c) " 1740 "Ignored: %d, ExecCount: %d",
1741 Vad->VadGva, Vad->StartPage, Vad->EndPage,
1742 Vad->VadType <
sizeof(vadTypes) /
sizeof(vadTypes[0]) ? vadTypes[Vad->VadType] :
"unknown",
1744 (Vad->Protection &
PROT_READ) ?
'R' :
'-',
1746 (Vad->Protection &
PROT_EXEC) ?
'X' :
'-',
1750 if (NULL != Vad->Path)
1759 if (NULL != Vad->VadPages)
1761 for (i = 0; i < Vad->PageCount; i++)
1763 if (NULL != Vad->VadPages[i])
1765 NLOG(
" PAGE @ %llx, protection %c%c%c, hook at %p\n",
1766 Vad->VadPages[i]->Address,
1767 (Vad->VadPages[i]->Protection &
PROT_READ) ?
'R' :
'-',
1768 (Vad->VadPages[i]->Protection &
PROT_WRITE) ?
'W' :
'-',
1769 (Vad->VadPages[i]->Protection &
PROT_EXEC) ?
'X' :
'-',
1770 Vad->VadPages[i]->ExecHook);
1865 ERROR(
"[ERROR] Max recursion level reached, will bail out\n");
1877 ERROR(
"[ERROR] IntWinVadFetchVadFromMemory failed: 0x%08x\n", status);
1886 if (Level > 0 && vad.
StartPage <= OldStartPage && LastBranchRight)
1888 ERROR(
"[ERROR] The in-guest VAD tree seems to be corrupted! Last branch right, " 1889 "current start page: 0x%16llx, old start page: 0x%16llx\n",
1894 if (Level > 0 && vad.
StartPage >= OldStartPage && !LastBranchRight)
1896 ERROR(
"[ERROR] The in-guest VAD tree seems to be corrupted! Last branch left, " 1897 "current start page: 0x%16llx, old start page: 0x%16llx\n",
1953 #define MAX_LEVEL 64 1960 if (NULL == Callback)
1967 ERROR(
"[ERROR] Too much recursion: requested level: %d, max level: %d\n", Level,
MAX_LEVEL);
1983 ERROR(
"[ERROR] IntWinVadFetchVadFromMemory failed for 0x%016llx: 0x%08x\n", VadNodeGva, status);
1995 failStatus = status;
2003 TRACE(
"[WINVAD] -------> Special Win 7/8 case: 0x%016llx is not an actual VAD. Left = 0x%016llx " 2004 "Right = 0x%016llx\n", VadNodeGva, left, right);
2008 Callback(VadNodeGva, Level, Context);
2016 failStatus = status;
2041 if (NULL == Process)
2046 if (NULL == Callback)
2082 QWORD vadroot = 0, vadgva = 0;
2088 ERROR(
"[ERROR] IntKernVirtMemRead failed: 0x%08x\n", status);
2097 TRACE(
"[WINVAD] VAD for range [0x%016llx, 0x%016llx] found at 0x%016llx. Tries: %u\n",
2098 StartPage, EndPage, vadgva, tries);
2105 LOG(
"IntWinVadFindNodeInGuestSpace failed for range [0x%016llx, 0x%016llx] in process %u\n",
2106 StartPage, EndPage, Process->Pid);
2113 ERROR(
"[ERROR] IntWinVadHandleInsertGeneric failed for VAD %llx: 0x%08x\n", vadgva, status);
2142 const QWORD endPage = (StartHint + LengthHint - 1) & PAGE_MASK;
2144 if (NULL != vad && startPage >= vad->
StartPage && endPage <= vad->EndPage)
2152 LOG(
"IntWinVadRescanVad failed for [0x%016llx, 0x%016llx] in process %u\n",
2153 startPage, endPage, Process->Pid);
2210 if (EndPage < StartPage)
2219 QWORD vadroot = 0, vadgva = 0;
2221 TRACE(
"[WINVAD] Range [%llx, %llx] not cached, searching guest space for VAD...\n", StartPage, EndPage);
2229 ERROR(
"[ERROR] IntKernVirtMemRead failed: 0x%08x\n", status);
2246 WARNING(
"[WARNING] IntWinVadFindNodeInGuestSpacefailed to find a VAD for range [%llx, %llx] " 2247 "in process %d\n", StartPage, EndPage, Process->Pid);
2251 TRACE(
"[WINVAD] VAD for range [%llx, %llx] found at %llx\n", StartPage, EndPage, vadgva);
2256 ERROR(
"[ERROR] IntWinVadHandleInsertGeneric failed for VAD %llx: 0x%08x\n", vadgva, status);
2261 if ((StartPage < pVad->StartPage) || (StartPage > pVad->
EndPage))
2263 ERROR(
"[ERROR] The start page lies outside the VAD range: 0x%016llx vs [0x%016llx, 0x%016llx]\n",
2268 if ((EndPage < pVad->StartPage) || (EndPage > pVad->
EndPage))
2270 ERROR(
"[ERROR] The end page lies outside the VAD range: 0x%016llx vs [0x%016llx, 0x%016llx]\n",
2277 WARNING(
"[WARNING] Protecting range [0x%016llx, 0x%016llx] of huge VAD [0x%016llx, 0x%016llx] " 2278 "with %llu pages at GVA 0x%016llx\n",
2286 TRACE(
"[INFO] Ignoring VAD @ 0x%016llx [0x%016llx, 0x%016llx] for process `%s` (%d)\n",
2303 if (pVad->
NoChange && !AtInsertion)
2365 ERROR(
"[ERROR] IntHookGvaSetHook failed: 0x%08x\n", status);
2375 ERROR(
"[ERROR] IntHookGvaRemoveHook failed: 0x%08x\n", status);
2403 ERROR(
"[ERROR] IntWinVadRemoveProcessTree failed: 0x%08x\n", status);
2410 ERROR(
"[ERROR] IntWinVadImportProcessTree failed: 0x%08x\n", status);
2471 WARNING(
"[WARNING] Exceeded max recursion level for VAD deletion @ [0x%016llx, 0x%016llx] %s:%d\n",
2472 StartPage, EndPage, Process->Name, Process->Pid);
2477 if (EndPage < StartPage)
2479 WARNING(
"[WARNING] EndPage is LESS than StartPage: [0x%016llx, 0x%016llx]\n", StartPage, EndPage);
2501 TRACE(
"[WINVAD] Adjusting VAD 0x%016llx. Old start: 0x%016llx New start: 0x%016llx " 2502 "for process %s:%d (0x%016llx)\n",
2503 pVad->
VadGva, pVad->
StartPage, newStart, Process->Name, Process->Pid, Process->EprocessAddress);
2508 ERROR(
"[ERROR] IntWinVadAdjustRange failed for [0x%016llx, 0x%016llx] in VAD 0x%016llx " 2509 "process 0x%016llx: 0x%08x\n",
2510 StartPage, EndPage, pVad->
VadGva, Process->EprocessAddress, status);
2513 else if (EndPage == pVad->
EndPage)
2518 TRACE(
"[WINVAD] Adjusting VAD 0x%016llx. Old end: 0x%016llx New end: 0x%016llx for process %s:%d (0x%016llx)\n",
2519 pVad->
VadGva, pVad->
EndPage, newEnd, Process->Name, Process->Pid, Process->EprocessAddress);
2524 ERROR(
"[ERROR] IntWinVadAdjustRange failed for [0x%016llx, 0x%016llx] in VAD 0x%016llx " 2525 "process 0x%016llx: 0x%08x\n",
2526 StartPage, EndPage, pVad->
VadGva, Process->EprocessAddress, status);
2531 TRACE(
"[WINVAD] Guest attempts to delete VAD [%016llx, %016llx], but we matched with VAD [%016llx, %016llx]" 2532 ", will reimport process tree for %s:%d\n",
2534 Process->Name, Process->Pid);
2541 ERROR(
"[ERROR] IntWinVadReimportProcessTree failed: 0x%08x\n", status);
2542 goto _resume_maybe_enter_dbg;
2548 ERROR(
"[ERROR] IntWinVadHandleDeleteGeneric failed: 0x%08x\n", status);
2549 goto _resume_maybe_enter_dbg;
2552 _resume_maybe_enter_dbg:
2612 previouslyMonitored = !!(Process->MonitorVad);
2617 ERROR(
"[ERROR] IntWinVadCreateObject failed: 0x%08x\n", status);
2622 if (NULL != pVad && Process->MonitorVad)
2639 WARNING(
"[WARNING] [WINVAD] Special case `INT_STATUS_KEY_ALREADY_EXISTS` while inserting 0x%016llx " 2640 "[0x%016llx, 0x%016llx] in 0x%016llx (PID %u)\n",
2644 if (NULL == toRemove)
2646 ERROR(
"[ERROR] IntWinVadFindByRange failed for [%016llx, %016llx]\n", pVad->
StartPage, pVad->
EndPage);
2656 ERROR(
"[ERROR] IntWinVadHandleDeleteGeneric failed for [0x%016llx, 0x%016llx] " 2657 "in process 0x%016llx: 0x%08x\n",
2662 }
while (tryCount < maxTries);
2665 ERROR(
"[ERROR] RbInsertNode failed for [0x%016llx, 0x%016llx] in process PID %u: 0x%08x\n",
2676 TRACE(
"[INFO] Ignoring VAD @ 0x%016llx [0x%016llx, 0x%016llx] for process `%s` (%d)\n",
2690 ERROR(
"[ERROR] IntWinVadHandleProtectGeneric failed: 0x%08x\n", status);
2694 else if (pVad != NULL && previouslyMonitored)
2748 if (!Process->MonitorVad)
2756 ERROR(
"[ERROR] IntWinVadHandleInsertGeneric failed for 0x%016llx in process %d: 0x%08x\n",
2757 VadNodeGva, Process->Pid, status);
2761 TRACE(
"[WINVAD] VAD 0x%016llx found at static scan on level %d\n", VadNodeGva, Level);
2786 if (NULL == Process)
2797 ERROR(
"[ERROR] IntKernVirtMemRead failed: 0x%08x\n", status);
2803 TRACE(
"[WINVAD] Skipping static scan for process 0x%016llx because root @ 0x%016llx is 0\n",
2804 Process->EprocessAddress, Process->EprocessAddress +
WIN_KM_FIELD(Process, VadRoot));
2808 TRACE(
"[WINVAD] Starting static scan for process 0x%016llx from root @ 0x%016llx = 0x%016llx\n",
2809 Process->EprocessAddress,
2810 Process->EprocessAddress +
WIN_KM_FIELD(Process, VadRoot),
2816 ERROR(
"[ERROR] IntWinVadInOrderRecursiveTraversal failed for root 0x%016llx: 0x%08x\n", root, status);
2826 _In_ void const *Detour
2865 ERROR(
"[ERROR] IntDetGetArguments failed: 0x%08x\n", status);
2866 goto cleanup_and_exit;
2870 eprocessGva = args[1];
2877 goto cleanup_and_exit;
2883 ERROR(
"[ERROR] IntWinVadHandleInsertionGeneric failed for process 0x%016llx VAD 0x%016llx: 0x%08x\n",
2884 eprocessGva, vadGva, status);
2885 goto cleanup_and_exit;
2898 _In_ void const *Detour
2932 ERROR(
"[ERROR] IntDetGetArgument failed: 0x%08x\n", status);
2933 goto cleanup_and_exit;
2940 goto cleanup_and_exit;
2946 ERROR(
"[ERROR] IntWinVadHandleInsertionGeneric failed for process 0x%016llx VAD 0x%016llx: 0x%08x\n",
2948 goto cleanup_and_exit;
2963 _In_ void *Descriptor
3003 *(
BYTE *)(pHandler->
Code + 0x3) = 0x10;
3008 *(
BYTE *)(pHandler->
Code + 0x3) = 0x8;
3027 _In_ void const *Detour
3070 QWORD args[4] = {0};
3081 goto cleanup_and_exit;
3087 ERROR(
"[ERROR] IntDetGetArgument failed: 0x%08x\n", status);
3088 goto cleanup_and_exit;
3094 vmProt = (
DWORD)args[3];
3100 if (gvaVad != pVad->
VadGva)
3106 ERROR(
"[ERROR] IntWinVadHandleInsertGeneric failed for 0x%016llx: 0x%08x\n", gvaVad, status);
3107 goto cleanup_and_exit;
3116 ERROR(
"[ERROR] IntWinVadHandleInsertGeneric failed for 0x%016llx: 0x%08x\n", gvaVad, status);
3117 goto cleanup_and_exit;
3123 endPage = (protPage + protSize - 1) &
PAGE_MASK;
3129 ERROR(
"[ERROR] IntWinVadHandleProtectGeneric failed for [0x%016llx, 0x%016llx]: 0x%08x\n",
3130 protPage, endPage, status);
3131 goto cleanup_and_exit;
3143 _In_ void const *Detour
3176 ERROR(
"[ERROR] IntDetGetArgument failed: 0x%08x\n", status);
3189 ERROR(
"[ERROR] IntWinVadHandleInsertionGeneric failed for VAD 0x%016llx: 0x%08x\n", vadGva, status);
3198 _In_ void const *Detour
3235 ERROR(
"[ERROR] IntDetGetArguments failed: 0x%08x\n", status);
3239 startPage = args[0];
3259 ERROR(
"[ERROR] IntWinVadHandleDeleteGeneric failed: 0x%08x\n", status);
3269 _In_ void const *Detour
3306 ERROR(
"[ERROR] IntDetGetArguments failed: 0x%08x\n", status);
3310 startPage = args[0];
3330 ERROR(
"[ERROR] IntWinVadHandleDeleteGeneric failed: 0x%08x\n", status);
3340 _In_ void const *Detour
3371 QWORD startPage = 0;
3381 ERROR(
"[ERROR] IntDetGetArgument failed: 0x%08x\n", status);
3382 goto cleanup_and_exit;
3389 goto cleanup_and_exit;
3395 ERROR(
"[ERROR] IntDetGetArguments failed: 0x%08x\n", status);
3396 goto cleanup_and_exit;
3402 ERROR(
"[ERROR] IntKernVirtMemRead failed: 0x%08x\n", status);
3403 goto cleanup_and_exit;
3409 ERROR(
"[ERROR] IntKernVirtMemRead failed: 0x%08x\n", status);
3410 goto cleanup_and_exit;
3413 newRights = args[3] & 0xFFFFFFFF;
3419 endPage = (baseGva + length - 1) &
PAGE_MASK;
3425 ERROR(
"[ERROR] IntWinVadHandleProtectGeneric failed for [0x%016llx, 0x%016llx] in process 0x%016llx: 0x%08x\n",
3427 goto cleanup_and_exit;
3465 ERROR(
"[ERROR] Could not fetch VAD 0x%016llx from memory: 0x%08x\n", Vad->VadGva, status);
3473 ((dummy.
Parent >= 0xFFFFFFF0) && (dummy.
Parent <= 0xFFFFFFFF)) ||
3474 ((dummy.
Parent >= 0xFFFFFFFFFFFFFFF0) && (dummy.
Parent <= 0xFFFFFFFFFFFFFFFF)))
3483 WARNING(
"[WARNING] IntWinVadFetchVadFromMemory failed for parent 0x%016llx: 0x%08x\n",
3484 dummy.
Parent & (~3), status);
3489 if (parent.
Left != Vad->VadGva && parent.
Right != Vad->VadGva)
3491 WARNING(
"[WARNING] The current VAD's parent doesn't have as a child 0x%016llx " 3492 "(left 0x%016llx, right: 0x%016llx)\n",
3493 Vad->VadGva, parent.
Left, parent.
Right);
3497 if (Vad->NoChange != Vad->PrivateFixup || Vad->DeleteInProgress)
3499 WARNING(
"[WARNING] NoChange is %d, PrivateFixup is %d, DeleteInProgress is %d, " 3500 "the VAD doesn't seem to be considered in the tree!\n",
3501 Vad->NoChange, Vad->PrivateFixup, Vad->DeleteInProgress);
3515 _In_ void *Descriptor
3575 _In_ void *Descriptor
3624 _In_ void *Descriptor
3681 _In_ void *Descriptor
3729 _In_ void *Descriptor
3773 _In_ void *Descriptor
3835 if (NULL == Process)
3846 ERROR(
"[ERROR] IntKernVirtMemRead failed: 0x%08x\n", status);
3869 ERROR(
"[ERROR] IntWinVadCreateObject failed: 0x%08x\n", status);
3919 EndPage & PAGE_MASK,
3925 TRACE(
"[WINVAD] VAD for range [0x%016llx, 0x%016llx] found at 0x%016llx. Tries: %u\n",
3926 StartPage, EndPage, vadNode, tries);
3933 ERROR(
"[ERROR] Vad [0x%016llx, 0x%016llx] not found starting from root 0x%016llx\n",
3945 #undef VAD_SHORT_FIELD_PTR 3946 #undef VAD_LONG_FIELD_PTR 3950 #undef VadShortDword 3951 #undef VadShortQword 3952 #undef VadShortPtrSize 3953 #undef VadShortAnySize INTSTATUS IntWinVadPatchInsert(QWORD FunctionAddress, API_HOOK_HANDLER *Handler, void *Descriptor)
This is the PFUNC_PreDetourCallback for the MiInsertVad guest API detour.It will be invoked before th...
#define INT_STATUS_PAGE_NOT_PRESENT
Indicates that a virtual address is not present.
enum _INTRO_ACTION_REASON INTRO_ACTION_REASON
The reason for which an INTRO_ACTION was taken.
INTRO_CODEBLOCKS CodeBlocks
Code blocks extracted for the alert.
int FUNC_RbTreeNodeCustomCompare(RBNODE *Node, void *Key)
static BOOLEAN IntWinVadRemoveRanges(VAD *Vad, void *Context)
Removes all pages from a VAD.
#define CONTAINING_RECORD(List, Type, Member)
static INTSTATUS IntWinVadCreateObject(WIN_PROCESS_OBJECT *Process, QWORD VadGva, VAD **Vad, BOOLEAN StaticScan)
Creates and initializes a VAD structure.
INTSTATUS IntWinVadHandleInsert(void const *Detour)
The detour handler that will be invoked when the guest inserts a new VAD in the tree.This is the detour handler for the MiInsertVad guest API.
INTSTATUS IntVirtMemUnmap(void **HostPtr)
Unmaps a memory range previously mapped with IntVirtMemMap.
void IntWinVadProcessInit(WIN_PROCESS_OBJECT *Process)
Initializes a WIN_PROCESS_OBJECT.VadTree.
INTSTATUS IntWinThrGetCurrentStackBaseAndLimit(QWORD *TibBase, QWORD *StackBase, QWORD *StackLimit)
Obtains the stack base, stack limit and TIB address of the current thread.
#define EX_FAST_REF_TO_PTR(is64, p)
Converts a _EX_FAST_REF value to a pointer.
INTSTATUS IntWinVadHandleDeleteVaRange(void const *Detour)
The detour handler that will be invoked when a memory range contained by a VAD is deleted...
#define VadShortQword(ptr_, field_)
Reads a qword from a VAD short buffer.
INTSTATUS IntWinVadFetchByRange(QWORD VadRoot, QWORD StartPage, QWORD EndPage, VAD *Vad)
Fetches and returns a VAD object containing the range represented by [StartPage, EndPage].
INTSTATUS IntWinVadPatchInsertMap(QWORD FunctionAddress, API_HOOK_HANDLER *Handler, void *Descriptor)
This is the PFUNC_PreDetourCallback for the MiGetWsAndInsertVad guest API detour.It will be invoked b...
IG_ARCH_REGS Regs
The current state of the guest registers.
DWORD Index
The VCPU number.
MITRE_ID MitreID
The Mitre ID that corresponds to this attack.
#define VadShortAnySize(size_, ptr_, field_)
Reads a certain size from a VAD short buffer.
QWORD SystemCr3
The Cr3 used to map the kernel.
#define INT_STATUS_SUCCESS
WINUM_PATH * IntWinUmPathFetchAndReferenceBySubsection(QWORD SubsectionGva)
Fetches a WINUM_PATH object by the unique identifier and increments the reference counter on it...
struct _EXCEPTION_UM_ORIGINATOR::@75 Return
#define VadShortPtrSize(ptr_, field_)
Reads a guest pointer from a VAD short buffer.
QWORD ReturnRip
The RIP at which the code that triggered the alert returns.
#define VadShortDword(ptr_, field_)
Reads a dword from a VAD short buffer.
void IntAlertFillWinProcess(const WIN_PROCESS_OBJECT *Process, INTRO_PROCESS *EventProcess)
Saves information about a windows process inside an alert.
#define RTL_BALANCED_NODE_PARENT_TO_PTR(Parent)
Gets the pointer to the parent of a _RTL_BALANCED_NODE.
Described a detour handler.
User-mode non executable zone.
INTSTATUS IntSwapMemReadData(QWORD Cr3, QWORD VirtualAddress, DWORD Length, DWORD Options, void *Context, DWORD ContextTag, PFUNC_PagesReadCallback Callback, PFUNC_PreInjectCallback PreInject, void **SwapHandle)
Reads a region of guest virtual memory, and calls the indicated callback when all the data is availab...
#define VadShortByte(ptr_, field_)
Reads a byte from a VAD short buffer.
VAD * IntWinVadFindAndUpdateIfNecessary(WIN_PROCESS_OBJECT *Process, QWORD StartHint, QWORD LengthHint)
Searches for a VAD in the Introcore VAD tree. If no VAD is found, or if the found one does not fully ...
Memory used by video drivers to transfer data between the GPU and a process.
QWORD Feedback
Options that will be forced to feedback only mode.
void FUNC_RbTreeNodeFree(RBNODE *Node)
#define INT_SUCCESS(Status)
INTSTATUS IntWinThrGetCurrentThread(DWORD CpuNumber, QWORD *EthreadAddress)
Get the ETHREAD structure address of the thread currently running on the given CPU.
QWORD Flags
A combination of ALERT_FLAG_* values describing the alert.
INTSTATUS IntResumeVcpus(void)
Resumes the VCPUs previously paused with IntPauseVcpus.
static INTSTATUS IntWinVadHandleFilePathInMemory(VAD *Context, QWORD Cr3, QWORD VirtualAddress, QWORD PhysicalAddress, void *Data, DWORD DataSize, DWORD Flags)
Handles the swap-in of a file path taken from a Windows VAD structure.
The action was not allowed because there was no reason to allow it.
#define SWAPMEM_OPT_NO_DUPS
If set, will make sure that a single PF is scheduled for this page.
INTSTATUS IntWinVadHandleVirtualProtect(void const *Detour)
The detour handler that will be invoked when a memory range contained by a VAD has the protection rig...
BOOLEAN FirstDominoJavaIgnored
TRUE if the first Domino Java execution VAD was ignored.
INTSTATUS RbLookupNode(RBTREE *Tree, RBNODE *NodeToSearch, RBNODE **NodeFound)
INFO_UD_PENDING * IntUDGetEntry(const QWORD Cr3, const QWORD Rip, const QWORD Thread)
Get a UD entry for the provided Cr3, Rip and Thread ID.
#define WIN_MM_PAGE_GUARD
Defined by Windows as PAGE_GUARD in winnt.h.
INTSTATUS RbWalkInorderTree(RBTREE *Tree, PFUNC_RbTreeWalkCallback Callback, void *WalkContext)
#define INT_STATUS_NOT_NEEDED_HINT
INTSTATUS RbLookupNodeCustomCompare(RBTREE *Tree, PFUNC_RbTreeNodeCustomCompare CompareFunc, void *Key, RBNODE **NodeFound)
Describes a user-mode originator.
#define WIN_MM_PAGE_EXECUTE_READ
Defined by Windows as PAGE_EXECUTE_READ in winnt.h.
INTSTATUS IntShcIsSuspiciousCode(QWORD Gva, QWORD Gpa, DWORD CsType, IG_ARCH_REGS *Registers, QWORD *ShellcodeFlags)
Checks if the code located at the given guest virtual address is suspicious or not.
struct _EVENT_EPT_VIOLATION::@283 Originator
static int IntWinVadRbTreeNodeCompareVa(RBNODE const *Node, void *Key)
Custom compare function for a VAD RBTREE. This will compare VADs against a given guest virtual addres...
#define HpAllocWithTag(Len, Tag)
int INTSTATUS
The status data type.
INTSTATUS IntWinVadImportProcessTree(WIN_PROCESS_OBJECT *Process)
Scans the guest VAD tree and imports the nodes into our VAD tree.
#define PROT_EXEC
One of the Introcore VAD protection constants. This means that the page is executable.
void IntWinUmPathDereference(WINUM_PATH **Path)
Dereferences a WINUM_PATH object, releasing the resources if the reference count has reached 0...
DWORD OSVersion
Os version.
INTSTATUS RbInit(RBTREE *Tree, PFUNC_RbTreeNodeFree NodeFree, PFUNC_RbTreeNodeCompare NodeCompare)
int FUNC_RbTreeNodeCompare(RBNODE *Left, RBNODE *Right)
#define INT_STATUS_NOT_FOUND
INTSTATUS IntWinVadRemoveProcessTree(WIN_PROCESS_OBJECT *Process)
Removes the VAD tree from a process.
INTSTATUS IntInjectExceptionInGuest(BYTE Vector, QWORD Cr2, DWORD ErrorCode, DWORD CpuNumber)
Injects an exception inside the guest.
#define VAD_SEARCH_LIMIT
The maximum number of tries to make when searching for a VAD inside the guest.
INTSTATUS IntWinVadHandleCommit(void const *Detour)
The detour handler that will be invoked when an existing VAD is committed by the guest.This is the detour handler for the MiCommitExistingVad guest API. Due to the way we ignore certain VADs, this can be invoked either when protection is changed for a known VAD, in which case we have to adjust our protection; or, when protection is changed for a previously unknown VAD in a way that makes it relevant for Introcore, in which case we treat as a newly created VAD.
INTSTATUS IntPauseVcpus(void)
Pauses all the guest VCPUs.
static INTSTATUS IntWinVadFetchImageName(VAD *Vad)
Reads the path of the image file mapped by a _MMVAD_LONG structure.
INTSTATUS IntDumpCodeAndRegs(QWORD Gva, QWORD Gpa, IG_ARCH_REGS *Registers)
This function dumps an entire page (textual disassembly and opcodes) as well as the values of the reg...
void IntAlertFillCpuContext(BOOLEAN CopyInstruction, INTRO_CPUCTX *CpuContext)
Fills the current CPU context for an alert.
BOOLEAN Legitimate
True if an execution from this page was attempted and it was deemed to no be malicious.
INSTRUX Instruction
The current instruction, pointed by the guest RIP.
#define INT_STATUS_BUFFER_OVERFLOW
QWORD VadGva
The guest virtual address at which the corresponding Windows _MMVAD structure is located.
DWORD Protected
TRUE if this is a protected process. If this is FALSE, most of the above fields aren't used at all...
static INTSTATUS IntWinVadRemoveRange(VAD *Vad, QWORD StartPage, QWORD EndPage)
Removes a memory range from a VAD.
static INTSTATUS IntWinVadHandlePageExecution(VAD_PAGE *Context, void const *Hook, QWORD Address, INTRO_ACTION *Action)
Handles execution attempts from a page owned by a monitored VAD.
void IntWinVadStopExploitMonitor(WIN_PROCESS_OBJECT *Process)
Disables the exploit monitoring for a process.
INTSTATUS IntHookGvaSetHook(QWORD Cr3, QWORD Gva, DWORD Length, BYTE Type, void *Callback, void *Context, void *ParentHook, DWORD Flags, HOOK_GVA **GvaHook)
Set a read, write, execute or swap hook on a guest virtual address.
void IntAlertFillVersionInfo(INTRO_VIOLATION_HEADER *Header)
Fills version information for an alert.
QWORD IntAlertProcGetFlags(QWORD ProtectionFlag, const void *Process, INTRO_ACTION_REASON Reason, QWORD AdditionalFlags)
Returns the flags for an alert.
INTRO_VIOLATION_HEADER Header
The alert header.
static DWORD IntWinVadVadProtectionToIntroProtection(WIN_VAD_PROT VadProtection)
Converts Windows VAD protection rights to Introcore protection rights.
INTRO_ACTION_REASON Reason
The reason for which Action was taken.
BOOLEAN IntWinVadDump(VAD const *Vad, void *Context)
Prints a VAD structure.
static VAD * IntWinVadFindByRange(PWIN_PROCESS_OBJECT Process, QWORD StartPage, QWORD EndPage)
Finds a VAD by the range it maps.
INTSTATUS IntAlertFillCodeBlocks(QWORD Rip, QWORD Cr3, BOOLEAN Execute, INTRO_CODEBLOCKS *CodeBlocks)
Fills the code blocks pattern for an alert.
WIN_VAD_PROT
VAD protection flags as used by the Windows kernel. These represent the values in the Protection port...
Exposes the functions used to provide Windows Threads related support.
QWORD Cr3
Process PDBR. Includes PCID.
Exposes the functions used to schedule an asynchronous code execution scan and receives its result...
void * Library
The library that's modifying the memory (if that's the case).
#define MAX_VAD_EXECS
The maximum number of execution from a VAD that Introcore will take into consideration.
QWORD IntWinVadFindNodeInGuestSpace(QWORD VadRoot, QWORD StartPage, QWORD EndPage, DWORD Level, QWORD OldStartPage, BOOLEAN LastBranchRight)
Searches for a VAD node inside a guest VAD tree.
DWORD ExecCount
The number of execution violations triggered by pages inside this VAD.
GENERIC_ALERT gAlert
Global alert buffer.
QWORD Address
The base address of the page.
#define WIN_MM_PAGE_EXECUTE_WRITECOPY
Defined by Windows as PAGE_EXECUTE_WRITECOPY in winnt.h.
INTSTATUS IntSwapMemRemoveTransaction(void *Transaction)
Remove a transaction.
static BOOLEAN IntWinVadIsProbablyNaCl(VAD const *Vad)
Checks if a VAD is used by the Chrome's NaCl mechanism.
static DWORD IntWinVadVmProtectionToIntroProtection(DWORD VmProtection)
Converts Windows memory protection constants to Introcore protection flags.
BOOLEAN IntPolicyProcTakeAction(QWORD Flag, void const *Process, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason)
Returns the action that should be taken for a process protection option.
void IntAlertEptFillFromVictimZone(const EXCEPTION_VICTIM_ZONE *Victim, EVENT_EPT_VIOLATION *EptViolation)
Fills the victim information inside an EPT alert.
INTSTATUS IntWinVadPatchVirtualProtect(QWORD FunctionAddress, API_HOOK_HANDLER *Handler, void *Descriptor)
This is the PFUNC_PreDetourCallback for the MiProtectVirtualMemory guest API detour.It will be invoked before the detour is placed inside the guest and will patch the detour handler with the value of winKmFieldProcessSpare.
INTRO_CPUCTX CpuContext
The context of the CPU that triggered the alert.
INTSTATUS IntNotifyIntroEvent(INTRO_EVENT_TYPE EventClass, void *Param, size_t EventSize)
Notifies the integrator about an introspection alert.
#define ZONE_EXECUTE
Used for execute violation.
static INTSTATUS IntWinVadHandleInsertGeneric(WIN_PROCESS_OBJECT *Process, QWORD VadAddress, BOOLEAN StaticScan, VAD **Vad)
Handles the insertion of a VAD into a process VAD tree.
#define PROT_WRITE
One of the Introcore VAD protection constants. This means that the page is writable.
static INTSTATUS IntWinVadFetchVadFromMemory(QWORD VadGva, VAD *Vad, BOOLEAN FailOnCorruptRange)
Reads a _MMVAD structure from the Windows kernel and creates a corresponding VAD structure.
void * ExecHook
Execution hook handle, if one exists.
BOOLEAN Guest64
True if this is a 64-bit guest, False if it is a 32-bit guest.
INTSTATUS IntExceptGetVictimEpt(void *Context, QWORD Gpa, QWORD Gva, INTRO_OBJECT_TYPE Type, DWORD ZoneFlags, EXCEPTION_VICTIM_ZONE *Victim)
Fills an EXCEPTION_VICTIM_ZONE with relevant information from an EPT violation.
CHAR Name[IMAGE_BASE_NAME_LEN]
Process base name.
QWORD Current
The currently used options.
BYTE Code[DETOUR_MAX_HANDLER_SIZE]
The code of the detour handler. Only CodeLength bytes are valid.
Measures the IntWinVadHandleCommit detour handler.
INTSTATUS IntWinVadPatchDeleteVaRange(QWORD FunctionAddress, API_HOOK_HANDLER *Handler, void *Descriptor)
This is the PFUNC_PreDetourCallback for the MiDeleteVirtualAddresses guest API detour.It will be invoked before the detour is placed inside the guest and will patch the detour handler with the value of winKmFieldProcessSpare.
#define WIN_MM_PAGE_READWRITE
Defined by Windows as PAGE_READWRITE in winnt.h.
#define INT_STATUS_INVALID_PARAMETER_4
INTSTATUS IntWinVadHandleInsertPrivate(void const *Detour)
The detour handler that will be invoked when the guest inserts a new VAD in the tree.This is the detour handler for the MiInsertPrivateVad guest API.
VAD * IntWinVadFindByVa(WIN_PROCESS_OBJECT *Process, QWORD Va)
Finds a VAD that contains a given guest virtual address.
static BYTE * IntWinVadMapShortVad(QWORD Gva)
Maps a _MMVAD_SHORT structure inside Introcore.
#define IS_KERNEL_POINTER_WIN(is64, p)
Checks if a guest virtual address resides inside the Windows kernel address space.
INTSTATUS IntWinVadPatchFinishVadDeletion(QWORD FunctionAddress, API_HOOK_HANDLER *Handler, void *Descriptor)
This is the PFUNC_PreDetourCallback for the MiFinishVadDeletion guest API detour.It will be invoked b...
#define HpFreeAndNullWithTag(Add, Tag)
INFO_UD_PENDING * CurrentUD
The currently pending #UD injection on this CPU.
PWIN_PROCESS_OBJECT IntWinProcFindObjectByCr3(QWORD Cr3)
Finds a process by its kernel CR3.
#define INT_STATUS_INVALID_DATA_STATE
#define INT_STATUS_KEY_ALREADY_EXISTS
INTSTATUS IntWinVadProcImportMainModuleVad(WIN_PROCESS_OBJECT *Process)
Imports the VAD that describes the main module of a process.
QWORD StackLimit
The stack limit for the thread that attempted the execution.
static INTSTATUS IntWinVadStaticInsertNodeIntoProcess(QWORD VadNodeGva, DWORD Level, WIN_PROCESS_OBJECT *Process)
Inserts a VAD found by a memory scan inside a Introcore process VAD tree.
#define WIN_MM_PAGE_EXECUTE
Defined by Windows as PAGE_EXECUTE in winnt.h.
static void IntWinVadRbTreeNodeFree(RBNODE *Node)
The node free callback used by the WIN_PROCESS_OBJECT.VadTree tree.
BYTE WordSize
Guest word size. Will be 4 for 32-bit guests and 8 for 64-bit guests.
struct _VAD * Vad
The VAD containing this page.
void RbUninit(RBTREE *Tree)
INTRO_EXEC_CONTEXT ExecContext
Information about the instruction that triggered the alert.
VAD_TYPE VadType
The type of the VAD.
static INTSTATUS IntWinVadReimportProcessTree(WIN_PROCESS_OBJECT *Process)
Re-scans and re-imports the VAD tree of a process.
INTSTATUS IntDetGetArgument(void const *Detour, DWORD Index, BYTE const *StackBuffer, DWORD StackBufferSize, QWORD *Value)
Reads the specified argument for a detour.
INTSTATUS(* PFUNC_PreDetourCallback)(QWORD FunctionAddress, void *Handler, void *Descriptor)
The type of a callback invoked before setting a detour.
INTSTATUS IntHookGvaRemoveHook(HOOK_GVA **Hook, DWORD Flags)
Remove a GVA hook.
Sent when an EPT violation triggers an alert. See EVENT_EPT_VIOLATION.
RBNODE RbNode
The node inside the WIN_PROCESS_OBJECT.VadTree tree.
INTSTATUS IntWinPatchVadHandleCommit(QWORD FunctionAddress, API_HOOK_HANDLER *Handler, void *Descriptor)
This is the PFUNC_PreDetourCallback for the MiCommitExistingVad guest API detour.It will be invoked b...
#define WIN_MM_PAGE_NOACCESS
Defined by Windows as PAGE_NOACCESS in winnt.h.
static INTSTATUS IntWinVadIsExecSuspicious(WIN_PROCESS_OBJECT *Process, QWORD VirtualAddress, QWORD PhysicalAddress, INTRO_ACTION *Action)
Handle code execution from a memory page.
Describes the modified zone.
void RbPreinit(RBTREE *Tree)
#define UNREFERENCED_PARAMETER(P)
#define PROC_OPT_PROT_EXPLOIT
Blocks malicious execution attempts.
A representation of a memory page included in a VAD structure.
DWORD StaticScan
Set if the VAD was statically detected by a scan, after it was created.
WIN_PROCESS_OBJECT * Process
The process to which this VAD belongs to.
#define WIN_KM_FIELD(Structure, Field)
Macro used to access kernel mode fields inside the WIN_OPAQUE_FIELDS structure.
INTSTATUS IntWinEngExecSendNotification(PWIN_PROCESS_OBJECT Process, PIG_ARCH_REGS Registers, PINTRO_EXEC_INFO ExecInfo)
Notify the scan engines about a possible malicious code execution in a Windows guest.
INTSTATUS IntDetGetArguments(void const *Detour, DWORD Argc, QWORD *Argv)
Reads multiple arguments from a detour.
None. Normal allocations have this type.
INTSTATUS IntWinVadHandleInsertMap(void const *Detour)
The detour handler that will be invoked when a VAD is inserted in the guest VAD tree.This is the detour handler for the MiGetWsAndInsertVad guest API.
INTSTATUS IntWinVadPatchInsertPrivate(QWORD FunctionAddress, API_HOOK_HANDLER *Handler, void *Descriptor)
This is the PFUNC_PreDetourCallback for the MiInsertPrivateVad guest API detour.It will be invoked be...
INTSTATUS IntWinModHandleLoadFromVad(WIN_PROCESS_OBJECT *Process, const VAD *Vad)
Handle a module load from a VAD.
BOOLEAN IntWinVadIsInTree(const VAD *Vad)
Checks if a VAD is inserted in a guest VAD tree.
enum _INTRO_ACTION INTRO_ACTION
Event actions.
BOOLEAN IntPolicyProcForceBetaIfNeeded(QWORD Flag, void *Process, INTRO_ACTION *Action)
Checks if a forced action should be taken even if the process log-only mode is active.
static int IntWinVadRbTreeNodeCompare(RBNODE const *Left, RBNODE const *Right)
The node compare callback used by the WIN_PROCESS_OBJECT.VadTree tree.
FUNC_RbTreeWalkCallback * PFUNC_RbTreeWalkCallback
#define _In_reads_bytes_(expr)
WINUM_PATH * IntWinUmPathCreate(const WCHAR *Path, DWORD PathSize, QWORD SubsectionGva)
Creates a WINUM_PATH object from the given parameters.
static INTSTATUS IntWinVadRemoveAllPages(VAD *Vad)
Removes all pages from a VAD.
#define WIN_MM_PAGE_EXECUTE_READWRITE
Defined by Windows as PAGE_EXECUTE_READWRITE in winnt.h.
INTSTATUS IntWinVadHandleFinishVadDeletion(void const *Detour)
The detour handler that will be invoked when a memory range contained by a VAD is deleted...
#define SWAPMEM_OPT_BP_FAULT
If set, the #PF will be generated from an int3 detour. Use this when injecting kernel PFs...
The action was allowed, but it has the BETA flag (Introcore is in log-only mode). ...
#define IntDbgEnterDebugger()
__must_check INTSTATUS IntVirtMemMap(QWORD Gva, DWORD Length, QWORD Cr3, DWORD Flags, void **HostPtr)
Maps a guest virtual memory range inside Introcore virtual address space.
MM Mm
Guest memory information, such as paging mode, system Cr3 value, etc.
QWORD EprocessAddress
This will be the address of the ActiveProcess field.
GUEST_STATE gGuest
The current guest state.
static DWORD IntWinVadVadProtectionToVmProtection(WIN_VAD_PROT VadProtection)
Converts Windows VAD protection rights to a Windows memory protection constant.
#define _Function_class_(expr)
void IntWinVadDestroyObject(VAD **Vad)
Frees a VAD and all the resources held by it.
static int IntWinVadRbTreeNodeCompareBases(RBNODE const *Node, void *Key)
Custom compare function for a VAD RBTREE. This will compare a VAD start page with a given guest virtu...
static INTSTATUS IntWinVadHandleDeleteGeneric(WIN_PROCESS_OBJECT *Process, QWORD StartPage, QWORD EndPage, DWORD Level)
Handles the deletion of a VAD or of memory range from a VAD.
PWIN_PROCESS_OBJECT IntWinProcFindObjectByEprocess(QWORD Eprocess)
Finds a process by the address of its _EPROCESS structure.
void RbDeleteNode(RBTREE *Tree, RBNODE *Node)
#define PROT_READ
One of the Introcore VAD protection constants. This means that the page is readable.
QWORD Rsp
The value of the guest RSP register at the moment of execution.
INTRO_PROT_OPTIONS ShemuOptions
Flags which describe the way shemu will give detections.
INTSTATUS(* PFUNC_WinVadTraversalCallback)(QWORD VadNodeGva, DWORD Level, void *Context)
Callback type used for in-guest VAD tree traversals.
INTRO_ACTION Action
The action that was taken as the result of this alert.
INTSTATUS IntKernVirtMemRead(QWORD KernelGva, DWORD Length, void *Buffer, DWORD *RetLength)
Reads data from a guest kernel virtual memory range.
#define INT_STATUS_NO_MAPPING_STRUCTURES
Indicates that not all mapping structures of a virtual address are present.
INTSTATUS IntUDAddToPendingList(const QWORD Cr3, const QWORD Rip, const QWORD Thread, INFO_UD_PENDING **CurrentPendingUD)
Add a new UD to the list of pending injections.
QWORD PageCount
The number of 4K pages in the VAD.
DWORD MonitorVad
TRUE if we need to handle VAD events for this process.
The type of an allocation that specified the MEM_WRITE_WATCH VirtualAlloc flag.
Holds information about an execution attempt.
INTSTATUS RbInsertNode(RBTREE *Tree, RBNODE *Node)
INTSTATUS IntExceptUserGetExecOriginator(void *Process, EXCEPTION_UM_ORIGINATOR *Originator)
This function is used to get the originator for heap execution.
#define INT_STATUS_NOT_INITIALIZED_HINT
char * utf16_for_log(const WCHAR *WString)
Converts a UTF-16 to a UTF-8 string to be used inside logging macros.
QWORD StackBase
The stack base for the thread that attempted the execution.
INTSTATUS IntWinVadShortDump(QWORD VadNodeGva, DWORD Level, void *Context)
Prints a _MMVAD_SHORT structure.
BOOLEAN FUNC_RbTreeWalkCallback(RBNODE *Node, void *WalkContext)
#define INT_STATUS_INVALID_PARAMETER_1
INTRO_PROCESS CurrentProcess
The current process.
VCPU_STATE * gVcpu
The state of the current VCPU.
#define WIN_MM_PAGE_WRITECOPY
Defined by Windows as PAGE_WRITECOPY in winnt.h.
void IntAlertFillWinUmModule(const WIN_PROCESS_MODULE *Module, INTRO_MODULE *EventModule)
Fills information about a user mode module inside an alert.
static INTSTATUS IntWinVadAdjustRange(VAD *Vad, QWORD NewStartPage, QWORD NewEndPage)
Modifies the range of pages owned by a VAD.
INTSTATUS IntWinVadInOrderRecursiveTraversal(QWORD VadNodeGva, DWORD Level, PFUNC_WinVadTraversalCallback Callback, void *Context)
Traverses a guest VAD tree.
INTSTATUS IntWinVadWalkTree(PWIN_PROCESS_OBJECT Process, PFUNC_RbTreeWalkCallback Callback)
Walks the VAD tree of a process.
#define INT_STATUS_INVALID_PARAMETER_MIX
Event structure for EPT violations.
static PVAD IntWinVadFindByBase(PWIN_PROCESS_OBJECT Process, QWORD Base)
Finds a VAD by the start of the virtual address range it represents.
DWORD HugeVad
Set if the memory range represented by this VAD has a size of at least 4G.
Exploitation for Client Execution.
DWORD Length
The length of the instruction.
DWORD NoChange
Set if the NoChange bit inside the VadFlags field is set.
static BOOLEAN IntWinVadIsProbablyDominoJava(VAD const *Vad)
Checks if a VAD is used by Domino Java.
A representation of a Windows VAD structure.
static INTSTATUS IntWinVadHandleProtectGeneric(WIN_PROCESS_OBJECT *Process, QWORD StartPage, QWORD EndPage, DWORD VmProtection, BOOLEAN AtInsertion)
Handles a VAD protection change.
DWORD IsIgnored
Set if this VAD is not monitored regardless of the protection rights it has.
struct _VAD_PAGE VAD_PAGE
A representation of a memory page included in a VAD structure.
INTSTATUS IntAlertFillExecContext(QWORD Cr3, INTRO_EXEC_CONTEXT *ExecContext)
Fills the current execution context.
#define INT_STATUS_INVALID_PARAMETER_2
INTRO_PROT_OPTIONS CoreOptions
The activation and protection options for this guest.
DWORD IsStack
Set if the memory range represented by this VAD is a stack.
QWORD Rip
Where the write/exec came.
static PVAD IntWinVadRescanVad(WIN_PROCESS_OBJECT *Process, QWORD StartPage, QWORD EndPage)
Searches for a VAD inside the guest tree and inserts it into our VAD tree.
#define WIN_MM_PAGE_READONLY
Defined by Windows as PAGE_READONLY in winnt.h.
#define SWAPMEM_OPT_UM_FAULT
If set, the PF must be injected only while in user-mode. Use it when reading user-mode memory...
void IntExcept(EXCEPTION_VICTIM_ZONE *Victim, void *Originator, EXCEPTION_TYPE Type, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason, INTRO_EVENT_TYPE EventClass)
This function is the entry point for the exception mechanism.
INTSTATUS IntWinNetSendProcessConnections(WIN_PROCESS_OBJECT *Process)
Send connection events for all active connections whose owner is the given process.
INTSTATUS IntWinModHandleUnloadFromVad(PWIN_PROCESS_OBJECT Process, PVAD Vad)
Handle a module unload.
VAD_PAGE ** VadPages
An array representing each page in the VAD. It has PageCount entries.
INTRO_MODULE ReturnModule
The module to which the current code returns to.
#define INTRO_OPT_NOTIFY_ENGINES
Send suspicious pages to be scanned by third party scan engines.
This structure describes a running process inside the guest.
#define INT_STATUS_INSUFFICIENT_RESOURCES
#define INT_STATUS_INVALID_PARAMETER_3