Activation & Protection Options

Global Introcore options

The global options control most of the Introcore behavior: the kernel protection policies and the global protection policies. They are passed to the IntNewGuestNotification API through its Options argument. Global options can be modified dynamically, while the guest is running, with the IntModifyDynamicOptions API (except where a table entry below says otherwise). The protection options are:

Kernel protection options

INTRO_OPT_PROT_KM_NT / INTRO_OPT_PROT_KM_LX (Win: yes, Lix: yes, Type: protection, Mitre: Rootkit)
    Enable Windows NT kernel image protection (on Windows) or Linux kernel image protection (on Linux). Writes to these areas will be blocked.

INTRO_OPT_PROT_KM_SSDT (Win: yes, Lix: no, Type: protection, Mitre: Rootkit)
    Enable Windows SSDT (System Service Dispatch Table) protection. Modifications to the SSDT will be blocked.

INTRO_OPT_PROT_KM_VDSO (Win: no, Lix: yes, Type: protection, Mitre: Hooking)
    Protect the vDSO page on Linux.

INTRO_OPT_PROT_KM_NT_EAT_READS (Win: yes, Lix: no, Type: protection, Mitre: Exploit remote)
    Enable NT EAT (Export Address Table) read protection. Attempts to read the EAT from suspicious memory regions will be blocked.

INTRO_OPT_PROT_KM_LX_TEXT_READS (Win: no, Lix: yes, Type: protection, Mitre: Exploit remote)
    Enable Linux kernel _text section read protection.

INTRO_OPT_PROT_KM_SUD_EXEC (Win: yes, Lix: no, Type: protection, Mitre: Exploit remote)
    Enable execution prevention inside the SharedUserData page on Windows systems.

HAL protection options

INTRO_OPT_PROT_KM_HAL (Win: yes, Lix: no, Type: protection, Mitre: Rootkit)
    Enable Windows HAL (Hardware Abstraction Layer) protection. Writes inside hal.dll will be blocked.

INTRO_OPT_PROT_KM_HAL_DISP_TABLE (Win: yes, Lix: no, Type: protection, Mitre: Exploit privesc)
    Enable HDT (HAL Dispatch Table) protection for privilege-escalation detection. Modifications to the HDT will be blocked.

INTRO_OPT_PROT_KM_HAL_HEAP_EXEC (Win: yes, Lix: no, Type: protection, Mitre: Exploit remote)
    Enable HAL heap execution prevention. Attempts to execute code from the HAL heap region will be blocked.

INTRO_OPT_PROT_KM_HAL_INT_CTRL (Win: yes, Lix: no, Type: protection, Mitre: Rootkit)
    Enable HAL Interrupt Controller write protection. Attempts to modify pointers inside the HAL Interrupt Controller will be blocked.

INTRO_OPT_PROT_KM_HAL_PERF_CNT (Win: yes, Lix: no, Type: protection, Mitre: Rootkit)
    Enable HAL Performance Counter integrity protection. Modifications to the function pointer inside HalPerformanceCounter that is called by KeQueryPerformanceCounter will be blocked.

Driver & driver object protection options

INTRO_OPT_PROT_KM_NT_DRIVERS / INTRO_OPT_PROT_KM_LX_MODULES (Win: yes, Lix: yes, Type: protection, Mitre: Rootkit)
    On Windows, enables protection of the NT core drivers. Modifications made to them will be blocked.
    The protected drivers are:
    - iastor.sys
    - ndis.sys
    - netio.sys
    - iastorV.sys
    - iastorAV.sys
    - disk.sys
    - atapi.sys
    - storahci.sys
    - ataport.sys
    - ntfs.sys
    - tcpip.sys
    - srv.sys
    - srv2.sys
    - srvnet.sys
    On Linux, enables write protection for all loaded modules.

INTRO_OPT_PROT_KM_AV_DRIVERS (Win: yes, Lix: no, Type: protection, Mitre: Rootkit)
    Enable Bitdefender drivers protection. Modifications made to them will be blocked.
    The protected drivers are:
    - avc3.sys
    - avckf.sys
    - winguest.sys
    - trufos.sys
    - bdselfpr.sys
    - gzflt.sys
    - bdvedisk.sys
    - bdsandbox.sys
    - bdfndisf6.sys
    - bdfwfpf.sys
    - bdelam.sys
    - bddci.sys
    - edrsensor.sys
    - ignis.sys
    - gemma.sys

INTRO_OPT_PROT_KM_XEN_DRIVERS (Win: yes, Lix: no, Type: protection, Mitre: Rootkit)
    Enable Xen drivers protection. Modifications made to them will be blocked.
    The protected drivers are:
    - picadm.sys
    - ctxad.sys
    - ctxusbb.sys
    - ctxsmcdrv.sys
    - picapar.sys
    - picaser.sys
    - picakbm.sys
    - picakbf.sys
    - picamouf.sys
    - picaTwComms.sys
    - picavc.sys
    - picacdd2.sys
    - picadd.sys

INTRO_OPT_PROT_KM_DRVOBJ (Win: yes, Lix: no, Type: protection, Mitre: Rootkit)
    Enable Driver Object and Fast I/O Dispatch protection for every protected driver.
    It must be used together with any combination of INTRO_OPT_PROT_KM_NT_DRIVERS, INTRO_OPT_PROT_KM_AV_DRIVERS and INTRO_OPT_PROT_KM_XEN_DRIVERS, since it only covers drivers that those options already protect.
    Modifications to the IRP MJ (major function) dispatch entries or to the Fast I/O dispatch routines will be blocked.

CPU specific structures and registers

INTRO_OPT_PROT_KM_IDT (Win: yes, Lix: yes, Type: protection, Mitre: Rootkit)
    Enable IDT (Interrupt Descriptor Table) protection. Modifications to the IDT entries will be blocked.
    Note that this option only protects the contents of the IDT, not the IDTR register (see INTRO_OPT_PROT_KM_IDTR).

INTRO_OPT_PROT_KM_IDTR (Win: yes, Lix: yes, Type: protection, Mitre: Rootkit)
    Enable IDTR protection. Attempts to modify the IDTR via LIDT will be blocked.
    Available starting with Xen 4.11.

INTRO_OPT_PROT_KM_GDTR (Win: yes, Lix: yes, Type: protection, Mitre: Rootkit)
    Enable GDTR protection. Attempts to modify the GDTR via LGDT will be blocked.
    Available starting with Xen 4.11.

INTRO_OPT_PROT_KM_CR4 (Win: yes, Lix: yes, Type: protection)
    Enable CR4.SMEP (Supervisor Mode Execution Prevention) and CR4.SMAP (Supervisor Mode Access Prevention) protection for privilege-escalation detection.
    Attempts to disable SMEP or SMAP will be blocked.

INTRO_OPT_PROT_KM_MSR_SYSCALL (Win: yes, Lix: yes, Type: protection, Mitre: Rootkit)
    Enable SYSCALL/SYSENTER MSR protection. Attempts to modify these MSRs will be blocked.
    The protected MSRs are:
    - IA32_SYSENTER_EIP
    - IA32_SYSENTER_ESP
    - IA32_SYSENTER_CS
    - IA32_STAR
    - IA32_LSTAR

Misc integrity checks

INTRO_OPT_PROT_KM_SYSTEM_CR3 (Win: yes, Lix: no, Type: protection, Mitre: Rootkit)
    Enable System process PDBR protection. Changes of the System process CR3 will lead to an alert.

INTRO_OPT_PROT_KM_SELF_MAP_ENTRY (Win: yes, Lix: no, Type: protection, Mitre: Rootkit)
    Enable protection against writes to the self-mapping entry in every page table in the system, on x64 systems.
    The entry is protected in the following way:
    - For protected processes, and for the kernel page table on Windows < RS4: an EPT hook on the page table at the self-mapping index.
    - For unprotected processes on Windows < RS4, and for all processes and the kernel page table on Windows >= RS4: an integrity check once every second that the self-map entry has not been modified.
    Attempts to modify the self-map entry inside the CR3 (for example, by making it accessible to user mode) will be blocked.

INTRO_OPT_PROT_KM_LOGGER_CONTEXT (Win: yes, Lix: no, Type: protection, Mitre: Rootkit)
    Enable protection of the Windows kernel logger context against malicious modifications (the technique most commonly known as InfinityHook).

INTRO_OPT_PROT_KM_SUD_INTEGRITY (Win: yes, Lix: no, Type: protection, Mitre: Rootkit)
    Enable integrity checks over various SharedUserData fields, as well as over the zero-filled zone after the SharedUserData structure.

INTRO_OPT_PROT_KM_INTERRUPT_OBJ (Win: yes, Lix: no, Type: protection, Mitre: Rootkit)
    Enable protection against modifications of the interrupt objects reachable from the KPRCB's InterruptObject.

Process credentials, tokens & privileges

INTRO_OPT_PROT_KM_TOKEN_PTR / INTRO_OPT_PROT_KM_CREDS (Win: yes, Lix: yes, Type: protection, Mitre: Token)
    Enable process token pointer protection (Windows) or creds protection (Linux) for privilege-escalation detection.
    Processes which run with a stolen token or modified creds will trigger an alert.
    This feature protects the token pointer inside the EPROCESS (on Windows) or the contents of the creds structure (on Linux).

INTRO_OPT_PROT_KM_TOKEN_PRIVS (Win: yes, Lix: no, Type: protection, Mitre: Token)
    Enable SEP_TOKEN_PRIVILEGES protection for each process. Suspicious modifications of the Enabled/Present bitmaps inside the TOKEN structure will be blocked.

INTRO_OPT_PROT_KM_SD_ACL (Win: yes, Lix: no, Type: protection, Mitre: Token)
    Enable integrity protection for the security descriptor pointer and the Access Control Lists (ACLs) of each process. Suspicious modifications of the security descriptor pointer, or of the ACLs (SACL/DACL) it points to, will be blocked.

Instrumentation based protection features

INTRO_OPT_PROT_KM_SWAPGS (Win: yes, Lix: yes, Type: protection, Mitre: N/A)
    Enable SWAPGS vulnerability (CVE-2019-1125) mitigations.
    If enabled, Introcore will parse the Windows/Linux kernel, identify vulnerable SWAPGS gadgets and serialize them, thus mitigating the main attack vector for this vulnerability.
    This option cannot be toggled dynamically. To enable the SWAPGS mitigation, this option must be set when starting Introcore, and it is disabled only when Introcore is unloaded. Changing this option requires an Introcore restart.
    This option will not generate any kind of event. Since it mitigates a Spectre variant, there is no way to know whether an attacker tried to exploit it or not.

DPI - Deep Process Introspection options

INTRO_OPT_PROT_DPI_DEBUG (Win: yes, Lix: no, Type: protection, Mitre: Dev util)
    Enable protection against malicious attempts to start a process as a debugged process, which would allow the parent to control and inspect it.
    Applies to all processes, not just protected ones.

INTRO_OPT_PROT_DPI_STACK_PIVOT (Win: yes, Lix: yes, Type: protection, Mitre: Exploit client)
    Enable protection against process creation with a pivoted stack.

INTRO_OPT_PROT_DPI_HEAP_SPRAY (Win: yes, Lix: no, Type: protection, Mitre: Exploit client)
    Enable protection against process creation if the parent process heap contains patterns of a heap spray attack.

INTRO_OPT_PROT_DPI_TOKEN_STEAL (Win: yes, Lix: yes, Type: protection, Mitre: Token)
    Enable protection against process creation with a stolen token.

INTRO_OPT_PROT_DPI_TOKEN_PRIVS (Win: yes, Lix: no, Type: protection, Mitre: Token)
    Enable protection against process creation with manipulated Present/Enabled bitmaps inside the token structure of the parent process.

INTRO_OPT_PROT_DPI_THREAD_SHELL (Win: yes, Lix: no, Type: protection, Mitre: Exploit client)
    Enable protection against process creation from a stray thread which contains shellcode-like code (either dynamically injected, or part of an exploit).

INTRO_OPT_PROT_DPI_SD_ACL (Win: yes, Lix: no, Type: protection, Mitre: Token)
    Enable protection against process creation if the parent process has an altered security descriptor pointer or Access Control List (SACL/DACL).

Process introspection and protection

INTRO_OPT_PROT_UM_MISC_PROCS (Win: yes, Lix: yes, Type: protection, Mitre: see the per-process options)
    Enable miscellaneous user-mode process protection.
    A separate policy has to be applied for each protected process (by default, no user-mode process is protected, except when INTRO_OPT_PROT_UM_SYS_PROCS is used; see the next option).

INTRO_OPT_PROT_UM_SYS_PROCS (Win: yes, Lix: no, Type: protection)
    Enable system process protection against injections. Only for Windows guests.
    In addition, enables prevention of mimikatz-like behavior (any read from lsass.exe memory).
    The system processes are:
    - smss.exe
    - csrss.exe
    - wininit.exe
    - winlogon.exe
    - lsass.exe
    - services.exe
    Attempts to inject code or data into these processes will be blocked.
    Attempts to read code or data from lsass.exe will be blocked.

INTRO_OPT_NOTIFY_ENGINES (Win: yes, Lix: yes, Type: protection)
    Enables engine scans. Certain buffers may then be sent to the scanning engines, to be scanned for malware.
    Currently, the following types of buffers are supported:
    - Executed memory pages: on execution attempts, the code buffer will be sent to the AM engines (if HVI does not detect something first).
    - Process command lines: if PROC_OPT_PROT_SCAN_CMD_LINE is set for a process, its command line will be read and sent to the AM engines.
    The engines perform the scan asynchronously. The scan result becomes available later; in the meantime the VM continues to run, which means that HVI cannot block detections issued by the engines.

Global protection control

INTRO_OPT_KM_BETA_DETECTIONS (Win: yes, Lix: yes, Type: option, Mitre: N/A)
    Enable report-only mode for kernel mode. KM alerts will be triggered normally, but no action will be blocked.

INTRO_OPT_SYSPROC_BETA_DETECTIONS (Win: yes, Lix: no, Type: option, Mitre: N/A)
    Enable beta detections (report-only mode) for system processes. System process alerts will be triggered normally, but no action will be blocked.

Misc events generation

INTRO_OPT_EVENT_PROCESSES (Win: yes, Lix: yes, Type: event, Mitre: N/A)
    Enable process creation and termination events on Windows and Linux.

INTRO_OPT_EVENT_MODULES (Win: yes, Lix: yes, Type: event, Mitre: N/A)
    Enable driver load and unload events on Windows and Linux.
    On Windows, it also enables DLL load/unload events for protected processes.

INTRO_OPT_EVENT_OS_CRASH (Win: yes, Lix: yes, Type: event, Mitre: N/A)
    Enable Windows BSOD events and Linux kernel panic events.

INTRO_OPT_EVENT_PROCESS_CRASH (Win: yes, Lix: yes, Type: event, Mitre: N/A)
    Enable application crash events on Windows and Linux.

INTRO_OPT_EVENT_CONNECTIONS (Win: yes, Lix: yes, Type: event, Mitre: N/A)
    Enable connection events on Windows and Linux.
    Only TCP connections that are not in the TIME_WAIT state are sent.
    Currently, connection events are sent on exploit detections only, but the mechanism can be extended to send them at any time.

Misc options

INTRO_OPT_AGENT_INJECTION (Win: yes, Lix: yes, Type: option, Mitre: N/A)
    Enable agent injections. Agents must be manually injected when needed.

INTRO_OPT_FULL_PATH (Win: yes, Lix: no, Type: option, Mitre: N/A)
    Enable full-path protection for designated processes.

INTRO_OPT_BUGCHECK_CLEANUP / INTRO_OPT_PANIC_CLEANUP (Win: yes, Lix: yes, Type: option, Mitre: N/A)
    Enable memory dump cleanup, ensuring that all (or most of) the code that the introspection engine injects inside the guest will not be saved in the memory dump.
    It is recommended on market builds. Most internal tests should be done with this option disabled.

Optimizations using in-guest agents

INTRO_OPT_IN_GUEST_PT_FILTER (Win: yes, Lix: no, Type: option, Mitre: N/A)
    Enable in-guest page table filtering (without EPT hooks).
    Its use is recommended in order to avoid performance issues on Windows 10 RS4 x64.
    Note that it can result in a loss of protection against certain types of attacks. Generally speaking, this flag should always be set; toggling it on and off repeatedly is not recommended.
    This option is ignored on Linux and on any Windows version other than 10 RS4 x64.

INTRO_OPT_VE (Win: yes, Lix: no, Type: option, Mitre: N/A)
    Enable the #VE-based in-guest agent.
    The agent filters page-table accesses and improves performance, provided the #VE and VMFUNC features are present.
    If both INTRO_OPT_VE and INTRO_OPT_IN_GUEST_PT_FILTER are set, Introcore will prefer INTRO_OPT_VE when the #VE and VMFUNC features are present, and will otherwise fall back to INTRO_OPT_IN_GUEST_PT_FILTER.
    Xen >= 4.11 is required for this option to function. If the #VE or VMFUNC features are not present, this option is ignored.
    #VE filtering works only on 64-bit Windows, where the number of page-table accesses is very high. It is not yet needed on 32-bit Windows or on Linux.
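The global options above form a single bitmask, and three of the rules they describe are easy to get wrong when wiring Introcore into a hypervisor: INTRO_OPT_PROT_KM_SWAPGS must not be changed through a dynamic update, the two *_BETA_DETECTIONS options turn blocking into report-only per alert origin, and the #VE agent is only preferred over the in-guest page-table filter when the hardware features and guest type allow it. The following C program is an added example written for this page; it is not Introcore code. The INTRO_OPT_* bit positions are placeholders (the real values are defined by Introcore and differ), and the helper functions IsDynamicChangeAllowed, ApplyDynamicOptions, ShouldBlock and SelectPtFilter are hypothetical models of the behaviour the tables describe, not Introcore APIs.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t QWORD;

/* Placeholder bit positions used only for this illustration. The real
 * INTRO_OPT_* values are defined by Introcore and differ from these. */
#define INTRO_OPT_PROT_KM_NT                (1ULL << 0)
#define INTRO_OPT_PROT_KM_SSDT              (1ULL << 1)
#define INTRO_OPT_PROT_KM_IDT               (1ULL << 2)
#define INTRO_OPT_PROT_KM_MSR_SYSCALL       (1ULL << 3)
#define INTRO_OPT_PROT_KM_SWAPGS            (1ULL << 4)
#define INTRO_OPT_KM_BETA_DETECTIONS        (1ULL << 5)
#define INTRO_OPT_SYSPROC_BETA_DETECTIONS   (1ULL << 6)
#define INTRO_OPT_PROT_UM_SYS_PROCS         (1ULL << 7)
#define INTRO_OPT_IN_GUEST_PT_FILTER        (1ULL << 8)
#define INTRO_OPT_VE                        (1ULL << 9)

/* Options that are fixed for the lifetime of an Introcore instance and
 * therefore must not go through IntModifyDynamicOptions (SWAPGS only). */
#define INTRO_OPT_STATIC_MASK               (INTRO_OPT_PROT_KM_SWAPGS)

/* A dynamic update is acceptable only if no static option changes state. */
bool IsDynamicChangeAllowed(QWORD Current, QWORD Requested)
{
    return ((Current ^ Requested) & INTRO_OPT_STATIC_MASK) == 0;
}

/* Hypothetical front-end for a dynamic update: returns the option set that
 * would be active afterwards, i.e. the requested one if the change is allowed,
 * or the current one (unchanged) if a static option was touched. */
QWORD ApplyDynamicOptions(QWORD Current, QWORD Requested)
{
    return IsDynamicChangeAllowed(Current, Requested) ? Requested : Current;
}

typedef enum { ALERT_KERNEL, ALERT_SYSPROC } ALERT_ORIGIN;

/* Report-only ("beta") handling: the alert is always raised, but the action
 * is blocked only when the beta option matching the alert origin is clear. */
bool ShouldBlock(QWORD Options, ALERT_ORIGIN Origin)
{
    if (Origin == ALERT_KERNEL) {
        return (Options & INTRO_OPT_KM_BETA_DETECTIONS) == 0;
    }
    return (Options & INTRO_OPT_SYSPROC_BETA_DETECTIONS) == 0;
}

typedef enum { PT_FILTER_NONE, PT_FILTER_IN_GUEST, PT_FILTER_VE } PT_FILTER;

/* Page-table filtering agent selection: #VE is preferred when requested and
 * the guest has #VE and VMFUNC (64-bit Windows only); otherwise the in-guest
 * filter is used, which only applies to Windows 10 RS4 x64. */
PT_FILTER SelectPtFilter(QWORD Options, bool HasVe, bool HasVmfunc,
                         bool IsWin64, bool IsWin10Rs4x64)
{
    if ((Options & INTRO_OPT_VE) && HasVe && HasVmfunc && IsWin64) {
        return PT_FILTER_VE;
    }
    if ((Options & INTRO_OPT_IN_GUEST_PT_FILTER) && IsWin10Rs4x64) {
        return PT_FILTER_IN_GUEST;
    }
    return PT_FILTER_NONE;
}

int main(void)
{
    /* Start-up policy (constructed sample): kernel image, SSDT, IDT and
     * syscall MSRs protected, SWAPGS mitigation on (cannot change later),
     * kernel alerts in report-only mode while the policy is being tested. */
    QWORD opts = INTRO_OPT_PROT_KM_NT | INTRO_OPT_PROT_KM_SSDT |
                 INTRO_OPT_PROT_KM_IDT | INTRO_OPT_PROT_KM_MSR_SYSCALL |
                 INTRO_OPT_PROT_KM_SWAPGS | INTRO_OPT_KM_BETA_DETECTIONS;

    /* Leaving report-only mode at runtime is a legal dynamic change. */
    opts = ApplyDynamicOptions(opts, opts & ~INTRO_OPT_KM_BETA_DETECTIONS);

    /* Dropping SWAPGS at runtime is refused; the mask stays as it was. */
    QWORD afterRefused = ApplyDynamicOptions(opts, opts & ~INTRO_OPT_PROT_KM_SWAPGS);

    printf("options: 0x%llx, after refused change: 0x%llx\n",
           (unsigned long long)opts, (unsigned long long)afterRefused);
    printf("kernel alerts block actions: %s\n",
           ShouldBlock(opts, ALERT_KERNEL) ? "yes" : "no");
    printf("filter on Win10 RS4 x64 without #VE: %d\n",
           (int)SelectPtFilter(opts | INTRO_OPT_VE | INTRO_OPT_IN_GUEST_PT_FILTER,
                               false, false, true, true));
    return 0;
}
```

The static-option check is the part worth keeping in real integration code: an IntModifyDynamicOptions call that flips SWAPGS would silently leave the mitigation in whatever state Introcore started with, so rejecting the request up front (and logging it) is clearer than letting the caller believe it took effect.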

Process Options

Per-process protection flags are set for each protected process, and they will be applied for every process which matches the indicated image name.

Adding protection for a process can be done using the IntAddRemoveProtectedProcessUtf8 and IntAddRemoveProtectedProcessUtf16 APIs. The FullPath argument indicates the process path to be protected (the path may be missing, and only an image-name can be used). The ProtectionMask argument contains a combination of the following flags:

DLL hook protection

PROC_OPT_PROT_CORE_HOOKS (Win: yes, Lix: no, Mitre: Hooking)
    Enable hook protection inside the core Windows DLLs.
    The protected DLLs are:
    - ntdll.dll
    - kernel32.dll
    - kernelbase.dll
    - user32.dll
    - wow64.dll
    - wow64win.dll
    - wow64cpu.dll
    Write attempts to these DLLs will be blocked.

PROC_OPT_PROT_WSOCK_HOOKS (Win: yes, Lix: no, Mitre: Hooking)
    Enable hook prevention inside the core Windows network access libraries:
    - wininet.dll
    - ws2_32.dll
    Write attempts to these DLLs will be blocked.

Injection protection

PROC_OPT_PROT_WRITE_MEM (Win: yes, Lix: yes, Mitre: Injection)
    Enables injection protection inside the target process against the WriteProcessMemory technique (Windows).
    Enables injection protection inside the target process against the process_vm_rw, __access_remote_vm and ptrace (when the PTRACE_POKETEXT / PTRACE_POKEDATA request is used) techniques (Linux).

PROC_OPT_PROT_SET_THREAD_CTX / PROC_OPT_PROT_PTRACE (Win: yes, Lix: yes, Mitre: Injection)
    Enables injection protection inside the target process against the SetThreadContext technique (Windows).
    Enables injection protection inside the target process against the ptrace technique (when the PTRACE_SETFPREGS / PTRACE_SETFPXREGS / PTRACE_SETREGS request is used) (Linux).

PROC_OPT_PROT_QUEUE_APC (Win: yes, Lix: no, Mitre: Injection)
    Enable injection protection inside the target process against the QueueUserApc technique (Windows).

PROC_OPT_PROT_DOUBLE_AGENT (Win: yes, Lix: no, Mitre: Injection)
    Prevents module loads before kernel32.dll, in processes that load kernel32.dll (processes from the native subsystem, for example, do not load kernel32.dll at all).
    It is used for DoubleAgent detection and prevention.

PROC_OPT_PROT_INSTRUMENT (Win: yes, Lix: no, Mitre: Injection)
    Enable injection protection inside the target process against the instrumentation callback (NtSetInformationProcess) technique (Windows).

Exploit protection

PROC_OPT_PROT_EXPLOIT (Win: yes, Lix: yes, Mitre: Exploit client)
    Enable generic exploit protection.
    This covers any memory region inside the process address space, including the stack and heaps.
    Attempts to execute code from suspicious memory regions will be blocked.

Unpack detection

PROC_OPT_PROT_UNPACK (Win: yes, Lix: no, Mitre: N/A)
    Enable unpack/decryption events for the main module only.
    This option does not block anything; instead it provides hints regarding packed/encrypted code.
    It can be used to detect unpacked/decrypted code in the main process module.

Misc protection

PROC_OPT_PROT_PREVENT_CHILD_CREATION (Win: yes, Lix: yes, Mitre: Exec API)
    Prevents the process from creating child processes (other than instances of itself).
    For example, we want to allow chrome.exe to create new chrome.exe processes (tabs/windows), but we want to prevent it from starting other processes.
    Use it with care, as it is very prone to false positives.

PROC_OPT_PROT_SCAN_CMD_LINE (Win: yes, Lix: no)
    The command lines of the processes protected with this flag will be sent to the scan engines, to be scanned for malware.

Misc process options

PROC_OPT_KILL_ON_EXPLOIT (Win: yes, Lix: yes, Mitre: N/A)
    If set, an exploit detection inside the given process will lead to process termination.
    The process may not terminate immediately, depending on how exceptions are handled, but the code stream that triggered the exploit detection is guaranteed to be terminated by an exception injection.

PROC_OPT_BETA (Win: yes, Lix: yes, Mitre: N/A)
    Enables report-only detections for this process only.
    Events are still generated, but the detected actions are not blocked (very useful for untested processes).

The indicated APIs can be used to add protection for processes that have already been started. In addition, the protection flags of active, protected processes can be modified with the same APIs. If either API is called twice for the same process, but with different options, the last call wins.
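To show how the per-process flags behave as a policy table (a policy keyed by image name applies to every process with that name, a policy keyed by full path only to that path, a repeated call for the same process replaces the earlier one, and PROC_OPT_BETA and PROC_OPT_KILL_ON_EXPLOIT change what an exploit detection leads to), here is an added C example written for this page. It is not Introcore code: the PROC_OPT_* bit positions are placeholders, AddRemoveProtectedProcess is a hypothetical in-memory model of what IntAddRemoveProtectedProcessUtf8 is described to do, and LookupProtection and ExploitResponse are hypothetical helpers whose matching rules and precedence (report-only overriding termination) are assumptions made for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint64_t QWORD;

/* Placeholder bit positions for illustration; the real PROC_OPT_* values
 * are defined by Introcore and differ from these. */
#define PROC_OPT_PROT_CORE_HOOKS             (1ULL << 0)
#define PROC_OPT_PROT_WRITE_MEM              (1ULL << 1)
#define PROC_OPT_PROT_EXPLOIT                (1ULL << 2)
#define PROC_OPT_PROT_PREVENT_CHILD_CREATION (1ULL << 3)
#define PROC_OPT_KILL_ON_EXPLOIT             (1ULL << 4)
#define PROC_OPT_BETA                        (1ULL << 5)

#define MAX_PROTECTED  32
#define MAX_PATH_LEN   260

typedef struct {
    bool  InUse;
    char  Path[MAX_PATH_LEN];   /* full path, or just an image name */
    QWORD ProtectionMask;
} PROTECTED_ENTRY;

static PROTECTED_ENTRY gProtected[MAX_PROTECTED];   /* hypothetical policy table */

/* Windows image names and paths compare case-insensitively. */
static bool EqualsNoCase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return false;
    }
    return *a == *b;
}

static bool IsFullPath(const char *p)
{
    return strchr(p, '\\') != NULL || strchr(p, '/') != NULL;
}

/* Image name component: everything after the last path separator. */
static const char *ImageName(const char *path)
{
    const char *s = strrchr(path, '\\');
    const char *t = strrchr(path, '/');
    if (!s || (t && t > s)) s = t;
    return s ? s + 1 : path;
}

/* Hypothetical model of IntAddRemoveProtectedProcessUtf8. Add == true stores
 * the policy, replacing any earlier one for the same Path (last call wins);
 * Add == false removes it. Returns false if nothing could be done. */
bool AddRemoveProtectedProcess(const char *Path, QWORD ProtectionMask, bool Add)
{
    int freeSlot = -1;
    for (int i = 0; i < MAX_PROTECTED; i++) {
        if (gProtected[i].InUse && EqualsNoCase(gProtected[i].Path, Path)) {
            if (Add) gProtected[i].ProtectionMask = ProtectionMask;
            else     gProtected[i].InUse = false;
            return true;
        }
        if (!gProtected[i].InUse && freeSlot < 0) freeSlot = i;
    }
    if (!Add || freeSlot < 0 || strlen(Path) >= MAX_PATH_LEN) return false;
    gProtected[freeSlot].InUse = true;
    strcpy(gProtected[freeSlot].Path, Path);
    gProtected[freeSlot].ProtectionMask = ProtectionMask;
    return true;
}

/* Policy for a process that just started (assumed matching rule): an entry
 * registered with a full path matches only that path; an entry given as a
 * bare image name matches any process with that image name. 0 = unprotected. */
QWORD LookupProtection(const char *FullPath)
{
    for (int i = 0; i < MAX_PROTECTED; i++) {
        const PROTECTED_ENTRY *e = &gProtected[i];
        if (!e->InUse) continue;
        bool match = IsFullPath(e->Path) ? EqualsNoCase(e->Path, FullPath)
                                         : EqualsNoCase(e->Path, ImageName(FullPath));
        if (match) return e->ProtectionMask;
    }
    return 0;
}

typedef enum { RESPONSE_NONE, RESPONSE_REPORT_ONLY, RESPONSE_BLOCK,
               RESPONSE_BLOCK_AND_KILL } EXPLOIT_RESPONSE;

/* What an exploit detection inside the process leads to, given its flags.
 * Assumption: PROC_OPT_BETA (report-only) takes precedence over KILL_ON_EXPLOIT. */
EXPLOIT_RESPONSE ExploitResponse(QWORD Mask)
{
    if (!(Mask & PROC_OPT_PROT_EXPLOIT)) return RESPONSE_NONE;
    if (Mask & PROC_OPT_BETA)            return RESPONSE_REPORT_ONLY;
    if (Mask & PROC_OPT_KILL_ON_EXPLOIT) return RESPONSE_BLOCK_AND_KILL;
    return RESPONSE_BLOCK;
}

int main(void)
{
    /* Constructed sample: a browser policy keyed by image name, first in
     * report-only mode and then tightened by a second call (last call wins),
     * plus a full-path policy that covers only one notepad.exe location. */
    AddRemoveProtectedProcess("chrome.exe", PROC_OPT_PROT_EXPLOIT |
        PROC_OPT_PROT_PREVENT_CHILD_CREATION | PROC_OPT_BETA, true);
    AddRemoveProtectedProcess("chrome.exe", PROC_OPT_PROT_EXPLOIT |
        PROC_OPT_PROT_PREVENT_CHILD_CREATION | PROC_OPT_KILL_ON_EXPLOIT, true);
    AddRemoveProtectedProcess("C:\\Windows\\System32\\notepad.exe", PROC_OPT_PROT_CORE_HOOKS, true);

    printf("chrome response: %d\n",
           (int)ExploitResponse(LookupProtection("D:\\other\\chrome.exe")));
    printf("notepad in System32: 0x%llx, in Temp: 0x%llx\n",
           (unsigned long long)LookupProtection("C:\\Windows\\System32\\notepad.exe"),
           (unsigned long long)LookupProtection("C:\\Temp\\notepad.exe"));
    return 0;
}
```

The full-path versus image-name distinction is the practical one: a bare image-name policy is easy to configure but also applies to a same-named binary dropped anywhere on disk, which is why INTRO_OPT_FULL_PATH and a path-qualified entry are the safer choice for processes that should only ever run from a fixed location.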