Bitdefender Hypervisor Memory Introspection
cr_protection.c File Reference
#include "cr_protection.h"
#include "alerts.h"
#include "guests.h"
#include "hook_cr.h"


Functions

static void IntCrSendAlert (EXCEPTION_VICTIM_ZONE const *Victim, EXCEPTION_KM_ORIGINATOR const *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason)
 Sends a CR violation alert.
 
static INTSTATUS IntCrWinHandleWrite (void *Context, DWORD Cr, QWORD OldValue, QWORD NewValue, INTRO_ACTION *Action)
 Handles a control register write attempt done by a Windows guest.
 
static INTSTATUS IntCrLixHandleWrite (void *Context, DWORD Cr, QWORD OldValue, QWORD NewValue, INTRO_ACTION *Action)
 Handles a control register write attempt done by a Linux guest.
 
static INTSTATUS IntCr4HandleWrite (void *Context, DWORD Cr, QWORD OldValue, QWORD NewValue, INTRO_ACTION *Action)
 Handles CR4 writes.
 
INTSTATUS IntCr4Protect (void)
 Activates the CR4 protection.
 
INTSTATUS IntCr4Unprotect (void)
 Disables the CR4 protection.
 

Variables

static HOOK_CR *gCr4Hook = NULL
 The CR4 hook handle.
 

Function Documentation

◆ IntCr4HandleWrite()

static INTSTATUS IntCr4HandleWrite ( void *Context,
                                     DWORD Cr,
                                     QWORD OldValue,
                                     QWORD NewValue,
                                     INTRO_ACTION *Action )

Handles CR4 writes.

This is the hook handler installed by IntCr4Protect; the hook handle is kept in gCr4Hook. It does no analysis itself and delegates the actual handling to the guest-specific handler: IntCrWinHandleWrite for Windows guests or IntCrLixHandleWrite for Linux guests.

Parameters
  [in]  Context   The context set by the function that hooked the CR. Nothing in this case.
  [in]  Cr        The number of the written register. Will always be 4.
  [in]  OldValue  The original value of the register.
  [in]  NewValue  The value that the guest attempted to write.
  [out] Action    The action that must be taken.
Returns
INT_STATUS_SUCCESS if successful, or an appropriate INTSTATUS error value

Definition at line 277 of file cr_protection.c.

Referenced by IntCr4Protect().

◆ IntCr4Protect()

INTSTATUS IntCr4Protect ( void  )

Activates the Cr4 protection.

Enables VM exits for CR4 writes and registers IntCr4HandleWrite as the hook handler; the resulting hook handle is stored in gCr4Hook.

Returns
INT_STATUS_SUCCESS if successful, or an appropriate INTSTATUS error value

Definition at line 313 of file cr_protection.c.

Referenced by IntGuestUpdateCoreOptions(), IntLixGuestActivateProtection(), and IntWinGuestActivateProtection().

◆ IntCr4Unprotect()

INTSTATUS IntCr4Unprotect ( void  )

Disables the CR4 protection by removing the hook created by IntCr4Protect and clearing gCr4Hook.

Returns
INT_STATUS_SUCCESS if successful, or an appropriate INTSTATUS error value

Definition at line 345 of file cr_protection.c.

Referenced by IntGuestUpdateCoreOptions(), IntLixGuestUninit(), and IntWinGuestUninit().

◆ IntCrLixHandleWrite()

static INTSTATUS IntCrLixHandleWrite ( void *Context,
                                       DWORD Cr,
                                       QWORD OldValue,
                                       QWORD NewValue,
                                       INTRO_ACTION *Action )

Handles a control register write attempt done by a Linux guest.

Analyzes the write and decides whether it is malicious. If the write clears the SMEP or SMAP bit in CR4 (a bit that is set in OldValue and clear in NewValue), an alert is generated and the write is blocked, unless an exception matches this write; writes that only set bits, or that leave SMEP and SMAP untouched, are allowed.

Parameters
  [in]  Context   Ignored.
  [in]  Cr        The written control register. This will always be 4.
  [in]  OldValue  The old, original value of the register. If the action is blocked, the register will keep this value.
  [in]  NewValue  The written value.
  [out] Action    The action that must be taken.
Returns
INT_STATUS_SUCCESS if successful, or an appropriate INTSTATUS error value

Definition at line 175 of file cr_protection.c.

Referenced by IntCr4HandleWrite().

◆ IntCrSendAlert()

static void IntCrSendAlert ( EXCEPTION_VICTIM_ZONE const *Victim,
                             EXCEPTION_KM_ORIGINATOR const *Originator,
                             INTRO_ACTION Action,
                             INTRO_ACTION_REASON Reason )

Sends a CR violation alert.

This will send an introEventCrViolation event to the integrator. These alerts are controlled by the INTRO_OPT_ENABLE_CR_PROTECTION option.

Parameters
  [in]  Victim      The victim information. This is obtained from IntExceptGetVictimCr.
  [in]  Originator  Information about the attacker. This is obtained from IntExceptKernelGetOriginator.
  [in]  Action      The action that was taken.
  [in]  Reason      The reason for which Action was taken.

Definition at line 17 of file cr_protection.c.

Referenced by IntCrLixHandleWrite(), and IntCrWinHandleWrite().

◆ IntCrWinHandleWrite()

static INTSTATUS IntCrWinHandleWrite ( void *Context,
                                       DWORD Cr,
                                       QWORD OldValue,
                                       QWORD NewValue,
                                       INTRO_ACTION *Action )

Handles a control register write attempt done by a Windows guest.

Analyzes the write and decides whether it is malicious. If the write clears the SMEP or SMAP bit in CR4 (a bit that is set in OldValue and clear in NewValue), an alert is generated and the write is blocked, unless an exception matches this write; writes that only set bits, or that leave SMEP and SMAP untouched, are allowed.

Parameters
  [in]  Context   Ignored.
  [in]  Cr        The written control register. This will always be 4.
  [in]  OldValue  The old, original value of the register. If the action is blocked, the register will keep this value.
  [in]  NewValue  The written value.
  [out] Action    The action that must be taken.
Returns
INT_STATUS_SUCCESS if successful, or an appropriate INTSTATUS error value

Definition at line 83 of file cr_protection.c.

Referenced by IntCr4HandleWrite().
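The decision both guest-specific handlers above (IntCrLixHandleWrite and IntCrWinHandleWrite) document can be reduced to a small bit check on the old and new CR4 values. The following is an added, stand-alone illustration of that logic; it is not HVMI's code and does not use its types. The CR4 bit positions for SMEP (bit 20) and SMAP (bit 21) are architectural; the ex_ names, the ex_action_t enum standing in for INTRO_ACTION, the allow-list used as a stand-in for the exception mechanism, and all addresses and register values are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Architectural CR4 bit positions (Intel SDM Vol. 3, CR4 layout). */
#define CR4_SMEP (1ULL << 20)   /* Supervisor Mode Execution Prevention */
#define CR4_SMAP (1ULL << 21)   /* Supervisor Mode Access Prevention    */

/* Hypothetical stand-ins for the page's INTRO_ACTION values (names assumed). */
typedef enum {
    EX_ACTION_ALLOW = 0,
    EX_ACTION_BLOCK = 1
} ex_action_t;

typedef struct {
    uint64_t    cleared_bits;  /* guarded bits set in OldValue and clear in NewValue */
    ex_action_t action;        /* what the hypervisor should do with the write */
    const char *reason;        /* human-readable reason for the verdict */
} ex_cr4_verdict_t;

/* Hypothetical exception check: a write is excused when the writing RIP is in an
 * allow-list. The single address below is constructed for this example. */
static bool ex_exception_matches(uint64_t writer_rip)
{
    static const uint64_t allowed_writer_rips[] = { 0xfffff80012345678ULL };
    for (size_t i = 0; i < sizeof(allowed_writer_rips) / sizeof(allowed_writer_rips[0]); i++) {
        if (writer_rip == allowed_writer_rips[i]) {
            return true;
        }
    }
    return false;
}

/* Decide whether a CR write clears SMEP or SMAP. Mirrors the documented contract:
 * only CR4 is of interest, a write that only sets bits is harmless, and an
 * exception match turns a would-be block into an allow. */
ex_cr4_verdict_t ex_check_cr4_write(uint32_t cr, uint64_t old_value,
                                    uint64_t new_value, uint64_t writer_rip)
{
    ex_cr4_verdict_t v = { 0, EX_ACTION_ALLOW, "not a CR4 write" };
    const uint64_t guarded = CR4_SMEP | CR4_SMAP;

    if (cr != 4) {
        return v;
    }

    /* Bits that are 1 in the old value, 0 in the new value, and guarded. */
    v.cleared_bits = old_value & ~new_value & guarded;
    if (v.cleared_bits == 0) {
        v.reason = "no guarded bit cleared";
        return v;
    }

    if (ex_exception_matches(writer_rip)) {
        v.reason = "guarded bit cleared, but an exception matches the writer";
        return v;
    }

    v.action = EX_ACTION_BLOCK;
    v.reason = (v.cleared_bits & CR4_SMEP) && (v.cleared_bits & CR4_SMAP)
                   ? "SMEP and SMAP cleared"
                   : (v.cleared_bits & CR4_SMEP) ? "SMEP cleared" : "SMAP cleared";
    return v;
}

/* The register value the guest ends up with: a blocked write leaves OldValue
 * in place, an allowed one commits NewValue. */
uint64_t ex_effective_cr4(ex_cr4_verdict_t v, uint64_t old_value, uint64_t new_value)
{
    return v.action == EX_ACTION_BLOCK ? old_value : new_value;
}

int main(void)
{
    /* Constructed CR4 value: PAE | PGE | SMEP | SMAP. */
    const uint64_t cr4 = 0x20 | 0x80 | CR4_SMEP | CR4_SMAP;
    const uint64_t attempt = cr4 & ~CR4_SMEP;   /* an attacker clearing SMEP */
    ex_cr4_verdict_t v = ex_check_cr4_write(4, cr4, attempt, 0xfffff80000001000ULL);
    printf("action=%s reason=\"%s\" cr4=%#llx\n",
           v.action == EX_ACTION_BLOCK ? "block" : "allow", v.reason,
           (unsigned long long)ex_effective_cr4(v, cr4, attempt));
    return 0;
}
```

The check is deliberately asymmetric: only transitions from 1 to 0 on the guarded bits matter, so a guest that enables SMEP or SMAP late in boot, or rewrites CR4 with the same value, never trips it. The exception lookup runs only after a guarded bit is known to be cleared, which keeps the common path to a single mask-and-compare.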

Variable Documentation

◆ gCr4Hook

static HOOK_CR *gCr4Hook = NULL

The Cr4 hook handle.

Created in IntCr4Protect and destroyed in IntCr4Unprotect

Definition at line 13 of file cr_protection.c.