Activation & Protection Options¶
Global Introcore options¶
The global options control most of the Introcore behavior: the kernel protections and the global protection policies. The options are passed to the IntNewGuestNotification API via its Options argument. Global options can be modified dynamically, while the guest is running, using the IntModifyDynamicOptions API (the one exception, INTRO_OPT_PROT_KM_SWAPGS, is fixed at start-up; see its entry below).
The protection options are:
Kernel protection options¶
Option Name | Win | Lix | Type | Mitre | Description |
---|---|---|---|---|---|
INTRO_OPT_PROT_KM_NT / INTRO_OPT_PROT_KM_LX | yes | yes | protection | Rootkit | Enable Windows NT kernel image protection (INTRO_OPT_PROT_KM_NT, on Windows) or Linux kernel image protection (INTRO_OPT_PROT_KM_LX, on Linux). Writes to these areas will be blocked. |
INTRO_OPT_PROT_KM_SSDT | yes | no | protection | Rootkit | Enable Windows SSDT (System Service Dispatch Table) protection. Modifications to the SSDT will be blocked. |
INTRO_OPT_PROT_KM_VDSO | no | yes | protection | Hooking | Protect the vDSO page on Linux. |
INTRO_OPT_PROT_KM_NT_EAT_READS | yes | no | protection | Exploit remote | Enable NT export address table (EAT) read protection. Attempts to read the EAT from suspicious memory regions will be blocked. |
INTRO_OPT_PROT_KM_LX_TEXT_READS | no | yes | protection | Exploit remote | Enable Linux kernel _text section read protection. |
INTRO_OPT_PROT_KM_SUD_EXEC | yes | no | protection | Exploit remote | Enable execution prevention inside the SharedUserData page on Windows systems. |
HAL protection options¶
Option Name | Win | Lix | Type | Mitre | Description |
---|---|---|---|---|---|
INTRO_OPT_PROT_KM_HAL | yes | no | protection | Rootkit | Enable Windows HAL (Hardware Abstraction Layer) protection. Writes inside hal.dll will be blocked. |
INTRO_OPT_PROT_KM_HAL_DISP_TABLE | yes | no | protection | Exploit privesc | Enable HDT (Hal Dispatch Table) protection for privilege-escalation detection. Modifications to the HDT will be blocked. |
INTRO_OPT_PROT_KM_HAL_HEAP_EXEC | yes | no | protection | Exploit remote | Enable HAL Heap execution prevention. Attempts to execute code from the HAL heap region will be blocked. |
INTRO_OPT_PROT_KM_HAL_INT_CTRL | yes | no | protection | Rootkit | Enable HAL Interrupt Controller write protection. Attempts to modify pointers inside the HAL Interrupt Controller will be blocked. |
INTRO_OPT_PROT_KM_HAL_PERF_CNT | yes | no | protection | Rootkit | Enable HAL Performance Counter integrity protection. Modifications to the function pointer inside HalPerformanceCounter (the routine invoked by KeQueryPerformanceCounter) will be blocked. |
Driver & driver object protection options¶
Option Name | Win | Lix | Type | Mitre | Description |
---|---|---|---|---|---|
INTRO_OPT_PROT_KM_NT_DRIVERS / INTRO_OPT_PROT_KM_LX_MODULES | yes | yes | protection | Rootkit | On Windows (INTRO_OPT_PROT_KM_NT_DRIVERS), enable NT core drivers protection. Modifications made to them will be blocked.
The protected drivers are:
- iastor.sys
- ndis.sys
- netio.sys
- iastorV.sys
- iastorAV.sys
- disk.sys
- atapi.sys
- storahci.sys
- ataport.sys
- ntfs.sys
- tcpip.sys
- srv.sys
- srv2.sys
- srvnet.sys
On Linux (INTRO_OPT_PROT_KM_LX_MODULES), enables write protection for all loaded kernel modules.
|
INTRO_OPT_PROT_KM_AV_DRIVERS | yes | no | protection | Rootkit | Enable Bitdefender drivers protection. Modifications made to them will be blocked.
The protected drivers are:
- avc3.sys
- avckf.sys
- winguest.sys
- trufos.sys
- bdselfpr.sys
- gzflt.sys
- bdvedisk.sys
- bdsandbox.sys
- bdfndisf6.sys
- bdfwfpf.sys
- bdelam.sys
- bddci.sys
- edrsensor.sys
- ignis.sys
- gemma.sys
|
INTRO_OPT_PROT_KM_XEN_DRIVERS | yes | no | protection | Rootkit | Enable Xen drivers protection. Modifications made to them will be blocked.
The protected drivers are:
- picadm.sys
- ctxad.sys
- ctxusbb.sys
- ctxsmcdrv.sys
- picapar.sys
- picaser.sys
- picakbm.sys
- picakbf.sys
- picamouf.sys
- picaTwComms.sys
- picavc.sys
- picacdd2.sys
- picadd.sys
|
INTRO_OPT_PROT_KM_DRVOBJ | yes | no | protection | Rootkit | Enable Driver Object and Fast I/O Dispatch protection for every protected driver.
It must be set together with any of INTRO_OPT_PROT_KM_NT_DRIVERS, INTRO_OPT_PROT_KM_AV_DRIVERS and INTRO_OPT_PROT_KM_XEN_DRIVERS, since it applies only to the drivers those options protect.
Modifications to the IRP major function (MJ) dispatch table or to the Fast I/O dispatch routines will be blocked.
|
CPU specific structures and registers¶
Option Name | Win | Lix | Type | Mitre | Description |
---|---|---|---|---|---|
INTRO_OPT_PROT_KM_IDT | yes | yes | protection | Rootkit | Enable IDT (Interrupt Descriptor Table) protection. Modifications to the IDT entries will be blocked.
Note that this option protects only the IDT contents in memory, not the IDTR register (see INTRO_OPT_PROT_KM_IDTR).
|
INTRO_OPT_PROT_KM_IDTR | yes | yes | protection | Rootkit | Enable IDTR protection. Attempts to modify the IDTR via LIDT will be blocked.
Available starting with Xen 4.11.
|
INTRO_OPT_PROT_KM_GDTR | yes | yes | protection | Rootkit | Enable GDTR protection. Attempts to modify the GDTR using LGDT will be blocked.
Available starting with Xen 4.11.
|
INTRO_OPT_PROT_KM_CR4 | yes | yes | protection | Exploit privesc | Enable CR4.SMEP (Supervisor Mode Execution Prevention) and CR4.SMAP (Supervisor Mode Access Prevention) protection for privilege-escalation detection.
Attempts to disable SMEP or SMAP will be blocked.
|
INTRO_OPT_PROT_KM_MSR_SYSCALL | yes | yes | protection | Rootkit | Enable SYSCALL/SYSENTER MSR protection. Attempts to modify these MSRs will be blocked.
The protected MSRs are:
- IA32_SYSENTER_EIP
- IA32_SYSENTER_ESP
- IA32_SYSENTER_CS
- IA32_STAR
- IA32_LSTAR
|
Misc integrity checks¶
Option Name | Win | Lix | Type | Mitre | Description |
---|---|---|---|---|---|
INTRO_OPT_PROT_KM_SYSTEM_CR3 | yes | no | protection | Rootkit | Enable System process PDBR (CR3) protection. Changes of the System process CR3 will lead to an alert. |
INTRO_OPT_PROT_KM_SELF_MAP_ENTRY | yes | no | protection | Rootkit | Enable protection against writes to the self-mapping entry in all the page tables of the system, on x64 systems.
The entry is protected in the following way:
- For protected processes and the kernel page table on Windows < RS4: an EPT hook on the page table at the self-mapping index.
- For unprotected processes on Windows < RS4, and for all processes and the kernel page table on Windows >= RS4: an integrity check once every second that the self-map entry has not been modified.
Attempts to modify the self-map entry inside the CR3 page table (for example, by making it accessible to user mode) will be blocked.
|
INTRO_OPT_PROT_KM_LOGGER_CONTEXT | yes | no | protection | Rootkit | Enable protection of the Windows kernel logger context against malicious modifications (the technique most commonly known as InfinityHook). |
INTRO_OPT_PROT_KM_SUD_INTEGRITY | yes | no | protection | Rootkit | Enable integrity checks over various SharedUserData fields, as well as the zero-filled zone after the SharedUserData structure. |
INTRO_OPT_PROT_KM_INTERRUPT_OBJ | yes | no | protection | Rootkit | Enable protection against modifications of interrupt objects from KPRCB’s InterruptObject. |
Process credentials, tokens & privileges¶
Option Name | Win | Lix | Type | Mitre | Description |
---|---|---|---|---|---|
INTRO_OPT_PROT_KM_TOKEN_PTR / INTRO_OPT_PROT_KM_CREDS | yes | yes | protection | Token | Enable process token pointer protection (INTRO_OPT_PROT_KM_TOKEN_PTR, Windows) or creds protection (INTRO_OPT_PROT_KM_CREDS, Linux) for privilege-escalation detection.
Processes which run with a stolen token or modified creds will trigger an alert.
This feature protects the token pointer inside the EPROCESS (on Windows) or the contents of the creds structure (on Linux).
|
INTRO_OPT_PROT_KM_TOKEN_PRIVS | yes | no | protection | Token | Enable SEP_TOKEN_PRIVILEGES protection for each process. Suspicious modifications of the Enabled/Present privilege bitmaps inside the TOKEN structure will be blocked. |
INTRO_OPT_PROT_KM_SD_ACL | yes | no | protection | Token | Enable integrity protection for the security descriptor pointer and Access Control Lists (ACLs) of each process. Suspicious modifications of the security descriptor pointer, or of the ACLs (SACL/DACL) it points to, will be blocked. |
Instrumentation based protection features¶
Option Name | Win | Lix | Type | Mitre | Description |
---|---|---|---|---|---|
INTRO_OPT_PROT_KM_SWAPGS | yes | yes | protection | N/A | Enable SWAPGS vulnerability (CVE-2019-1125) mitigations.
If enabled, Introcore parses the Windows/Linux kernel, identifies vulnerable SWAPGS gadgets and serializes them, mitigating the main attack vector for this vulnerability.
This option cannot be toggled dynamically: to enable the SWAPGS mitigation, the option must be set when starting Introcore, and it is disabled only when Introcore is unloaded. Changing this option requires an Introcore restart.
This option does not generate any kind of event. Since it mitigates a Spectre variant, there is no way to know whether an attacker tried to exploit it.
|
DPI - Deep Process Introspection options¶
Option Name | Win | Lix | Type | Mitre | Description |
---|---|---|---|---|---|
INTRO_OPT_PROT_DPI_DEBUG | yes | no | protection | Dev util | Enable protection against malicious attempts to start a process as a debugged process, which would allow the parent to control and inspect it.
Applies to all processes, not just protected ones.
|
INTRO_OPT_PROT_DPI_STACK_PIVOT | yes | yes | protection | Exploit client | Enable protection against process creation with a pivoted stack. |
INTRO_OPT_PROT_DPI_HEAP_SPRAY | yes | no | protection | Exploit client | Enable protection against process creation if the parent process heap contains patterns of a heap spray attack. |
INTRO_OPT_PROT_DPI_TOKEN_STEAL | yes | yes | protection | Token | Enable protection against process creation with a stolen token. |
INTRO_OPT_PROT_DPI_TOKEN_PRIVS | yes | no | protection | Token | Enable protection against process creation with manipulated Present/Enabled bitmaps inside the token structure of the parent process. |
INTRO_OPT_PROT_DPI_THREAD_SHELL | yes | no | protection | Exploit client | Enable protection against process creation from a stray thread, which contains shellcode-like code (either dynamically injected, or as part of an exploit). |
INTRO_OPT_PROT_DPI_SD_ACL | yes | no | protection | Token | Enable protection against process creation if the parent process has an altered security descriptor pointer or Access Control List (ACL) (SACL/DACL). |
Process introspection and protection¶
Option Name | Win | Lix | Type | Mitre | Description |
---|---|---|---|---|---|
INTRO_OPT_PROT_UM_MISC_PROCS | yes | yes | protection | See per-process options. | Enable misc user-mode process protection.
A separate policy has to be applied for each protected process (by default, no user-mode process is protected, except when using INTRO_OPT_PROT_UM_SYS_PROCS; see the next option).
|
INTRO_OPT_PROT_UM_SYS_PROCS | yes | no | protection | Injection | Enable system process protection against injections. Only for Windows guests.
In addition, enables prevention of mimikatz-like behavior (any read of lsass.exe memory by another process).
The system processes are:
- smss.exe
- csrss.exe
- wininit.exe
- winlogon.exe
- lsass.exe
- services.exe
Attempts to inject code or data into these processes will be blocked.
Attempts to read code or data from lsass.exe will be blocked.
|
INTRO_OPT_NOTIFY_ENGINES | yes | yes | protection | N/A | Enables engine scans. Certain buffers may then be sent to scanning engines, to be scanned for malware.
Currently, the following types of buffers are supported:
- Executed memory pages - on execution attempts, the code buffer will be sent to the anti-malware (AM) engines (if HVI doesn't detect something first).
- Process command lines - if PROC_OPT_PROT_SCAN_CMD_LINE is set for a process, its command line will be read and sent to the AM engines.
The engines scan asynchronously. The scan result becomes available later; during this time the VM continues to run, which means HVI cannot block the actions behind detections issued by the engines.
|
Global protection control¶
Option Name | Win | Lix | Type | Mitre | Description |
---|---|---|---|---|---|
INTRO_OPT_KM_BETA_DETECTIONS | yes | yes | option | N/A | Enable report-only mode for Kernel Mode. This means that KM alerts will be triggered normally, but no action will be blocked. |
INTRO_OPT_SYSPROC_BETA_DETECTIONS | yes | no | option | N/A | Enable beta detections (or report-only mode) for system processes. This means that system processes alerts will be triggered normally, but no action will be blocked. |
Misc events generation¶
Option Name | Win | Lix | Type | Mitre | Description |
---|---|---|---|---|---|
INTRO_OPT_EVENT_PROCESSES | yes | yes | event | N/A | Enable process creation and termination events on Windows and Linux. |
INTRO_OPT_EVENT_MODULES | yes | yes | event | N/A | Enable drivers load and unload events on Windows and Linux.
On Windows, it also enables dll load/unload events for protected processes.
|
INTRO_OPT_EVENT_OS_CRASH | yes | yes | event | N/A | Enable Windows BSOD events and Linux kernel panic events. |
INTRO_OPT_EVENT_PROCESS_CRASH | yes | yes | event | N/A | Enable application crash events on Windows & Linux . |
INTRO_OPT_EVENT_CONNECTIONS | yes | yes | event | N/A | Enable connection events on Windows & Linux.
Will only send TCP connections that are not in TIME_WAIT state.
Currently, connection events are sent on exploit detections only, but the mechanism can be extended to send them any time.
|
Misc options¶
Option Name | Win | Lix | Type | Mitre | Description |
---|---|---|---|---|---|
INTRO_OPT_AGENT_INJECTION | yes | yes | option | N/A | Enable agent injections. Agents must be manually injected when needed. |
INTRO_OPT_FULL_PATH | yes | no | option | N/A | Enable full-path protection for designated processes. |
INTRO_OPT_BUGCHECK_CLEANUP / INTRO_OPT_PANIC_CLEANUP | yes | yes | option | N/A | Enable memory dump cleanup, ensuring that all (or most of) the code that the introspection engine injects inside the guest will not be saved in the crash memory dump (Windows bugcheck dump or Linux kernel panic dump, respectively).
It is recommended on production (market) builds. Most internal tests should be done with this option disabled.
|
Optimizations using in-guest agents¶
Option Name | Win | Lix | Type | Mitre | Description |
---|---|---|---|---|---|
INTRO_OPT_IN_GUEST_PT_FILTER | yes | no | option | N/A | Enable the in-guest page table filtering (without EPT hooks).
Its use is recommended in order to avoid performance issues on Windows 10 RS4 x64.
Note that it can result in a loss of protection against certain type of attacks. Generally speaking, this flag should always be set and toggling it on and off a lot is not recommended.
This option is ignored on Linux and any Windows different from 10 RS4 x64.
|
INTRO_OPT_VE | yes | no | option | N/A | Enable #VE-based in-guest agent.
The agent filters page-table accesses and improves performance, if the #VE and VMFUNC features are present.
If both INTRO_OPT_VE and INTRO_OPT_IN_GUEST_PT_FILTER are set, Introcore will prefer using INTRO_OPT_VE, if #VE and VMFUNC features are present. Otherwise, it will use INTRO_OPT_IN_GUEST_PT_FILTER.
Xen >= 4.11 is required for this option to function. If #VE or VMFUNC features are not present, this option is ignored.
#VE filtering works only on 64 bit Windows, where the number of page-table accesses is very high. It is not yet needed on 32 bit Windows or Linux.
|
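As an added example (not part of the original page and not Introcore code), the following C snippet shows how a consumer of the API might compose a global option mask and check a proposed IntModifyDynamicOptions change against the constraints stated in the tables above: INTRO_OPT_PROT_KM_SWAPGS cannot be toggled at run time, INTRO_OPT_PROT_KM_DRVOBJ must accompany the driver protection options, and INTRO_OPT_VE takes precedence over INTRO_OPT_IN_GUEST_PT_FILTER only when #VE and VMFUNC are available. The bit values, the `struct guest_caps` type and the two helper functions are assumptions made for this example; the real INTRO_OPT_* values come from the Introcore public headers.

```c
/* Added example, not Introcore code. The INTRO_OPT_* bit positions below are
 * placeholders; the real values are defined in the Introcore public headers. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t QWORD;

#define INTRO_OPT_PROT_KM_NT            (1ULL << 0)
#define INTRO_OPT_PROT_KM_SSDT          (1ULL << 1)
#define INTRO_OPT_PROT_KM_NT_DRIVERS    (1ULL << 2)
#define INTRO_OPT_PROT_KM_AV_DRIVERS    (1ULL << 3)
#define INTRO_OPT_PROT_KM_XEN_DRIVERS   (1ULL << 4)
#define INTRO_OPT_PROT_KM_DRVOBJ        (1ULL << 5)
#define INTRO_OPT_PROT_KM_SWAPGS        (1ULL << 6)
#define INTRO_OPT_KM_BETA_DETECTIONS    (1ULL << 7)
#define INTRO_OPT_IN_GUEST_PT_FILTER    (1ULL << 8)
#define INTRO_OPT_VE                    (1ULL << 9)

/* Driver image protections that only make sense together with DRVOBJ. */
#define INTRO_OPT_DRIVER_PROTECTION \
    (INTRO_OPT_PROT_KM_NT_DRIVERS | INTRO_OPT_PROT_KM_AV_DRIVERS | INTRO_OPT_PROT_KM_XEN_DRIVERS)

enum {
    OPT_OK                 = 0,
    OPT_ERR_SWAPGS_DYNAMIC = 1,  /* SWAPGS state may only change at guest start */
    OPT_ERR_DRVOBJ_MISSING = 2,  /* driver protection requested without DRVOBJ */
};

/* Validate a dynamic option change (current -> requested) before handing it to
 * IntModifyDynamicOptions. Returns one of the OPT_* codes above. */
int intro_check_dynamic_options(QWORD current, QWORD requested)
{
    /* The SWAPGS mitigation is fixed at start-up; flipping the bit is a caller bug. */
    if ((current ^ requested) & INTRO_OPT_PROT_KM_SWAPGS)
        return OPT_ERR_SWAPGS_DYNAMIC;

    /* Driver image protection without driver-object protection leaves the
     * IRP/Fast I/O dispatch tables of the same drivers unguarded. */
    if ((requested & INTRO_OPT_DRIVER_PROTECTION) && !(requested & INTRO_OPT_PROT_KM_DRVOBJ))
        return OPT_ERR_DRVOBJ_MISSING;

    return OPT_OK;
}

/* Hypothetical guest/hypervisor capability summary (assumed for the example). */
struct guest_caps {
    bool ve_and_vmfunc;   /* #VE and VMFUNC exposed by the hypervisor (Xen >= 4.11) */
    bool win_x64;         /* 64-bit Windows guest */
    bool win10_rs4;       /* Windows 10 RS4, the only target of the PT filter */
};

enum pt_agent { PT_AGENT_NONE = 0, PT_AGENT_PT_FILTER = 1, PT_AGENT_VE = 2 };

/* Which page-table filtering agent the option combination resolves to,
 * following the precedence described for INTRO_OPT_VE. */
enum pt_agent intro_pt_agent_choice(QWORD options, struct guest_caps caps)
{
    if ((options & INTRO_OPT_VE) && caps.ve_and_vmfunc && caps.win_x64)
        return PT_AGENT_VE;
    if ((options & INTRO_OPT_IN_GUEST_PT_FILTER) && caps.win_x64 && caps.win10_rs4)
        return PT_AGENT_PT_FILTER;
    return PT_AGENT_NONE;
}

int main(void)
{
    QWORD boot = INTRO_OPT_PROT_KM_NT | INTRO_OPT_PROT_KM_SSDT | INTRO_OPT_PROT_KM_SWAPGS;
    QWORD want = boot | INTRO_OPT_PROT_KM_NT_DRIVERS;   /* forgot DRVOBJ */

    printf("check without DRVOBJ: %d\n", intro_check_dynamic_options(boot, want));
    want |= INTRO_OPT_PROT_KM_DRVOBJ;
    printf("check with DRVOBJ:    %d\n", intro_check_dynamic_options(boot, want));
    printf("toggle SWAPGS:        %d\n",
           intro_check_dynamic_options(boot, want & ~INTRO_OPT_PROT_KM_SWAPGS));
    return 0;
}
```

Returning an error code instead of silently masking the SWAPGS bit keeps the caller honest: the only correct way to change that option is an Introcore restart, and a policy layer that quietly dropped the bit would leave the operator believing the mitigation state had changed.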
Process Options¶
Per-process protection flags are set for each protected process, and they will be applied to every process which matches the indicated image name. Adding (or removing) protection for a process is done using the IntAddRemoveProtectedProcessUtf8 and IntAddRemoveProtectedProcessUtf16 APIs. The FullPath argument indicates the path of the process to be protected (the path may be omitted, in which case only an image name is used). The ProtectionMask argument contains a combination of the following flags:
DLL hook protection¶
Option Name | Win | Lix | Mitre | Description |
---|---|---|---|---|
PROC_OPT_PROT_CORE_HOOKS | yes | no | Hooking | Enable hook protection inside core Windows DLLs.
The protected DLLs are:
- ntdll.dll
- kernel32.dll
- kernelbase.dll
- user32.dll
- wow64.dll
- wow64win.dll
- wow64cpu.dll
Write attempts to these dlls will be blocked.
|
PROC_OPT_PROT_WSOCK_HOOKS | yes | no | Hooking | Enable hook prevention inside core Windows network access libraries:
- wininet.dll
- ws2_32.dll
Write attempts to these dlls will be blocked.
|
Injection protection¶
Option Name | Win | Lix | Mitre | Description |
---|---|---|---|---|
PROC_OPT_PROT_WRITE_MEM | yes | yes | Injection | Enables injection protection inside the target process against the WriteProcessMemory technique (Windows).
On Linux, enables injection protection against the process_vm_rw and __access_remote_vm kernel paths (the back-ends of process_vm_writev and /proc/<pid>/mem writes) and against ptrace when the PTRACE_POKETEXT / PTRACE_POKEDATA request is used.
|
PROC_OPT_PROT_SET_THREAD_CTX / PROC_OPT_PROT_PTRACE | yes | yes | Injection | Enables injection protection inside the target process against the SetThreadContext technique (Windows, PROC_OPT_PROT_SET_THREAD_CTX).
On Linux (PROC_OPT_PROT_PTRACE), enables injection protection against ptrace when the PTRACE_SETFPREGS / PTRACE_SETFPXREGS / PTRACE_SETREGS requests are used.
|
PROC_OPT_PROT_QUEUE_APC | yes | no | Injection | Enable injection protection inside the target process against the QueueUserAPC technique (Windows). |
PROC_OPT_PROT_DOUBLE_AGENT | yes | no | Injection | Prevents module loads that happen before kernel32.dll is loaded, in processes that load kernel32.dll (native-subsystem processes never load kernel32.dll, so the check does not apply to them).
It is used for DoubleAgent detection and prevention (the DoubleAgent technique gets an attacker DLL loaded into a process before kernel32.dll).
|
PROC_OPT_PROT_INSTRUMENT | yes | no | Injection | Enable injection protection inside the target process against the instrumentation callback technique (setting ProcessInstrumentationCallback through NtSetInformationProcess on Windows). |
Exploit protection¶
Option Name | Win | Lix | Mitre | Description |
---|---|---|---|---|
PROC_OPT_PROT_EXPLOIT | yes | yes | Exploit client | Enable generic exploit protection
This covers any memory region inside the process address space, including stack and heaps.
Attempts to execute code from suspicious memory regions will be blocked.
|
Unpack detection¶
Option Name | Win | Lix | Mitre | Description |
---|---|---|---|---|
PROC_OPT_PROT_UNPACK | yes | no | N/A | Enable unpack/decryption events for the main module only.
This option does not block anything; instead it provides hints about packed/encrypted code.
It can be used to detect unpacked/decrypted code in the main process module.
|
Misc protection¶
Option Name | Win | Lix | Mitre | Description |
---|---|---|---|---|
PROC_OPT_PROT_PREVENT_CHILD_CREATION | yes | yes | Exec API | Prevents the process from creating child processes (other than instances of itself).
For example, we want to allow chrome.exe to create new chrome.exe processes (tabs/windows), but we want to prevent it from starting other processes.
Use it with care, as it is very prone to false positives.
|
PROC_OPT_PROT_SCAN_CMD_LINE | yes | no | N/A | The command lines of the processes protected with this flag will be sent to the scan engines, to be scanned for malware (requires INTRO_OPT_NOTIFY_ENGINES to be set globally). |
Misc process options¶
Option Name | Win | Lix | Mitre | Description |
---|---|---|---|---|
PROC_OPT_KILL_ON_EXPLOIT | yes | yes | N/A | If set, an exploit detection inside the given process will lead to process termination.
The process may not terminate immediately, depending on how exceptions are handled, but the code stream that triggered the exploit detection is guaranteed to be terminated by an exception injection.
|
PROC_OPT_BETA | yes | yes | N/A | Enables report-only detections for this process only.
Events are still generated, but nothing is blocked (very useful for untested processes).
|
The indicated APIs can be used to add protection for processes that have already been started. In addition, the protection flags of active, protected processes can be modified with the same APIs. If either API is called more than once for the same process with different options, the last call wins.
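As an added example, not code from this page or from Introcore, the following C program models the per-process policy semantics described in this section: the FullPath key may be a full path or a bare image name, the mask set by the last call for the same key replaces any earlier one, and Add == false removes the policy. The PROC_OPT_* bit values, the table size, the `proc_policy_add_remove` stand-in for IntAddRemoveProtectedProcessUtf8 and the `proc_policy_lookup` helper are assumptions made for this example; the case-insensitive comparison reflects Windows path semantics.

```c
/* Added example, not Introcore code. Models the per-process protection policy
 * semantics with an in-memory table; PROC_OPT_* bit values are placeholders. */
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROC_OPT_PROT_CORE_HOOKS              (1u << 0)
#define PROC_OPT_PROT_WRITE_MEM               (1u << 1)
#define PROC_OPT_PROT_EXPLOIT                 (1u << 2)
#define PROC_OPT_PROT_PREVENT_CHILD_CREATION  (1u << 3)
#define PROC_OPT_KILL_ON_EXPLOIT              (1u << 4)
#define PROC_OPT_BETA                         (1u << 5)

#define MAX_POLICIES 32

struct proc_policy {
    bool     in_use;
    bool     by_path;    /* FullPath carried a directory part */
    char     key[260];   /* full path, or bare image name */
    uint32_t mask;       /* ProtectionMask: combination of PROC_OPT_* flags */
};

static struct proc_policy g_policies[MAX_POLICIES];

/* Image name = component after the last '\' or '/'. */
static const char *image_name_of(const char *path)
{
    const char *sep = NULL;
    for (const char *p = path; *p; p++)
        if (*p == '\\' || *p == '/')
            sep = p;
    return sep ? sep + 1 : path;
}

/* Windows image paths are case-insensitive. */
static bool str_ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == *b;
}

/* Stand-in for IntAddRemoveProtectedProcessUtf8(FullPath, ProtectionMask, Add):
 * the last call for the same FullPath wins; Add == false drops the policy.
 * Returns 0 on success, -1 when the table is full. */
int proc_policy_add_remove(const char *full_path, uint32_t mask, bool add)
{
    struct proc_policy *slot = NULL, *free_slot = NULL;

    for (int i = 0; i < MAX_POLICIES; i++) {
        if (!g_policies[i].in_use) {
            if (!free_slot) free_slot = &g_policies[i];
        } else if (str_ieq(g_policies[i].key, full_path)) {
            slot = &g_policies[i];
            break;
        }
    }

    if (!add) {
        if (slot) slot->in_use = false;
        return 0;
    }
    if (!slot) {
        if (!free_slot) return -1;
        slot = free_slot;
        snprintf(slot->key, sizeof slot->key, "%s", full_path);
        slot->by_path = image_name_of(full_path) != full_path;
        slot->in_use = true;
    }
    slot->mask = mask;   /* replaces whatever an earlier call set */
    return 0;
}

/* Mask that applies to a process started from exe_path: a policy keyed by a
 * full path must match the whole path, one keyed by image name matches any
 * directory. Returns 0 when the process is unprotected. */
uint32_t proc_policy_lookup(const char *exe_path)
{
    for (int i = 0; i < MAX_POLICIES; i++) {
        const struct proc_policy *p = &g_policies[i];
        if (!p->in_use) continue;
        if (p->by_path ? str_ieq(p->key, exe_path)
                       : str_ieq(p->key, image_name_of(exe_path)))
            return p->mask;
    }
    return 0;
}

int main(void)
{
    /* Two calls for chrome.exe: only the second mask survives. */
    proc_policy_add_remove("chrome.exe", PROC_OPT_PROT_EXPLOIT | PROC_OPT_PROT_PREVENT_CHILD_CREATION, true);
    proc_policy_add_remove("chrome.exe", PROC_OPT_PROT_EXPLOIT | PROC_OPT_KILL_ON_EXPLOIT, true);
    printf("chrome.exe mask: 0x%x\n", proc_policy_lookup("C:\\Program Files\\Google\\Chrome\\chrome.exe"));
    return 0;
}
```

The point worth noticing is the replace-not-merge behaviour: the second call for chrome.exe silently drops PROC_OPT_PROT_PREVENT_CHILD_CREATION, so a caller that wants to add a flag must read back (or track) the current mask and OR into it before calling the API again.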