Bitdefender Hypervisor Memory Introspection
hnd_remediation.c
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2020 Bitdefender
3  * SPDX-License-Identifier: Apache-2.0
4  */
5 #include "hnd_remediation.h"
6 #include "alerts.h"
7 #include "guests.h"
8 
9 
10 INTSTATUS
11 IntAgentHandleRemediationVmcall(
12  _In_opt_ void *Reserved,
13  _In_ PIG_ARCH_REGS Registers
14  )
29 {
30  INTSTATUS status;
31  QWORD dataAddr;
32  DWORD retLen;
33  PEVENT_AGENT_EVENT agentEvent;
34  AGENT_REM_EVENT_HEADER header;
35 
36  UNREFERENCED_PARAMETER(Reserved);
37 
38  if (NULL == Registers)
39  {
40  return INT_STATUS_INVALID_PARAMETER_3;
41  }
42 
43  retLen = 0;
44  agentEvent = &gAlert.Agent;
45  memset(agentEvent, 0, sizeof(*agentEvent));
46  memset(&header, 0, sizeof(header));
47 
48  // Data address will be in RCX on x64 and ESI on x86.
49  dataAddr = gGuest.Guest64 ? Registers->Rbx : (Registers->Rsi & 0xFFFFFFFF);
50 
51  if (0 == dataAddr)
52  {
53  ERROR("[ERROR] Data address is 0!\n");
54  return INT_STATUS_NOT_FOUND;
55  }
56 
57  // Read the event structure.
58  agentEvent->AgentTag = IG_AGENT_TAG_REMEDIATION_TOOL;
59  agentEvent->Event = agentMessage;
60  agentEvent->ErrorCode = 0;
61 
62  if (gGuest.OSType == introGuestWindows)
63  {
64  IntAlertFillWinProcessCurrent(&agentEvent->CurrentProcess);
65  }
66  else if (gGuest.OSType == introGuestLinux)
67  {
68  IntAlertFillLixCurrentProcess(&agentEvent->CurrentProcess);
69  }
70  else
71  {
72  return INT_STATUS_NOT_SUPPORTED;
73  }
74 
75  // Pause the VCPUs while we read.
76  IntPauseVcpus();
77 
78  status = IntVirtMemRead(dataAddr, sizeof(AGENT_REM_EVENT_HEADER), Registers->Cr3, &header, &retLen);
79  if (!INT_SUCCESS(status))
80  {
81  ERROR("[ERROR] IntVirtMemRead failed: 0x%08x\n", status);
82  goto resume_and_exit;
83  }
84 
85  if (header.Version != REM_EVENT_VERSION)
86  {
87  ERROR("[ERROR] Version mismatch: %x (read) vs %x (known).\n", header.Version, REM_EVENT_VERSION);
88  status = INT_STATUS_NOT_SUPPORTED;
89  goto resume_and_exit;
90  }
91 
92  if (header.Size != REM_EVENT_SIZE)
93  {
94  ERROR("[ERROR] Size mismatch: %d (read) vs %lu (known).\n", header.Size, REM_EVENT_SIZE);
95  status = INT_STATUS_NOT_SUPPORTED;
96  goto resume_and_exit;
97  }
98 
99  status = IntVirtMemRead(dataAddr, sizeof(AGENT_REM_EVENT), Registers->Cr3, &agentEvent->RemediationEvent, &retLen);
100  if (!INT_SUCCESS(status))
101  {
102  ERROR("[ERROR] IntVirtMemRead failed: 0x%08x\n", status);
103  goto resume_and_exit;
104  }
105 
106  if (retLen != sizeof(AGENT_REM_EVENT))
107  {
108  ERROR("[ERROR] Read only %d bytes, needed %zu!\n", retLen, sizeof(AGENT_REM_EVENT));
109  status = INT_STATUS_INVALID_DATA_SIZE;
110  goto resume_and_exit;
111  }
112 
113  // Log
114  switch (agentEvent->RemediationEvent.Header.EventType)
115  {
116  case remEventDetection:
117  TRACE("[REMTOOL] Detection: %s infected with %s, flags %d\n",
118  utf16_for_log(agentEvent->RemediationEvent.DetectionEvent.ObjectPath),
119  utf16_for_log(agentEvent->RemediationEvent.DetectionEvent.Detection),
120  agentEvent->RemediationEvent.DetectionEvent.DetectionFlag);
121  break;
122  case remEventDisinfection:
123  TRACE("[REMTOOL] Disinfection: %s infected with %s, status %d\n",
124  utf16_for_log(agentEvent->RemediationEvent.DetectionEvent.ObjectPath),
125  utf16_for_log(agentEvent->RemediationEvent.DetectionEvent.Detection),
126  agentEvent->RemediationEvent.DetectionEvent.ActionResult);
127  break;
128  case remEventStart:
129  TRACE("[REMTOOL] Scan start: %d\n",
130  agentEvent->RemediationEvent.StartEvent.ScanStatus);
131  break;
132  case remEventFinish:
133  TRACE("[REMTOOL] Scan finish: %d\n",
134  agentEvent->RemediationEvent.FinishEvent.ScanResult);
135  break;
136  case remEventProgress:
137  TRACE("[REMTOOL] Progress: %d\n",
138  agentEvent->RemediationEvent.ProgressEvent.Progress);
139  break;
140  case remEventReboot:
141  TRACE("[REMTOOL] Reboot: %d\n",
142  agentEvent->RemediationEvent.RebootEvent.RebootNeeded);
143  break;
144  default:
145  TRACE("Unknown event: %d\n", agentEvent->RemediationEvent.Header.EventType);
146  }
147 
148  status = INT_STATUS_SUCCESS;
149 
150 resume_and_exit:
151  IntResumeVcpus();
152 
153  if (INT_SUCCESS(status))
154  {
155  status = IntNotifyIntroEvent(introEventAgentEvent, agentEvent, sizeof(*agentEvent));
156  if (!INT_SUCCESS(status))
157  {
158  ERROR("[ERROR] IntNotifyIntroEvent failed: 0x%08x\n", status);
159  return status;
160  }
161  }
162 
163  return status;
164 }
_In_opt_
#define _In_opt_
Definition: intro_sal.h:16
_AGENT_REM_EVENT::RebootEvent
struct _AGENT_REM_EVENT::@313::@318 RebootEvent
Reboot event. Valid if Header.EventType is remEventReboot.
_AGENT_REM_EVENT_HEADER::Version
DWORD Version
Event version. Must match REM_EVENT_VERSION.
Definition: intro_types.h:1997
remEventStart
Start event.
Definition: intro_types.h:1973
remEventDisinfection
Disinfection event.
Definition: intro_types.h:1975
_In_
#define _In_
Definition: intro_sal.h:21
INT_STATUS_SUCCESS
#define INT_STATUS_SUCCESS
Definition: introstatus.h:54
remEventDetection
Detection event.
Definition: intro_types.h:1974
remEventFinish
Stop event.
Definition: intro_types.h:1978
remEventReboot
Reboot event.
Definition: intro_types.h:1977
_EVENT_AGENT_EVENT::Event
AGENT_EVENT_TYPE Event
The type of the agent.
Definition: intro_types.h:2184
REM_EVENT_SIZE
#define REM_EVENT_SIZE
Remediation event size.
Definition: intro_types.h:1989
INT_SUCCESS
#define INT_SUCCESS(Status)
Definition: introstatus.h:42
IntResumeVcpus
INTSTATUS IntResumeVcpus(void)
Resumes the VCPUs previously paused with IntPauseVcpus.
Definition: introcore.c:2355
_EVENT_AGENT_EVENT
Event structure for agent injection and termination.
Definition: intro_types.h:2182
IG_AGENT_TAG_REMEDIATION_TOOL
The remediation tool agent.
Definition: glueiface.h:341
ERROR
#define ERROR(fmt,...)
Definition: glue.h:62
INTSTATUS
int INTSTATUS
The status data type.
Definition: introstatus.h:24
_AGENT_REM_EVENT::ProgressEvent
struct _AGENT_REM_EVENT::@313::@317 ProgressEvent
Progress event. Valid if Header.EventType is remEventProgress.
INT_STATUS_NOT_FOUND
#define INT_STATUS_NOT_FOUND
Definition: introstatus.h:284
_EVENT_AGENT_EVENT::CurrentProcess
INTRO_PROCESS CurrentProcess
The agent process.
Definition: intro_types.h:2192
IntPauseVcpus
INTSTATUS IntPauseVcpus(void)
Pauses all the guest VCPUs.
Definition: introcore.c:2320
_GUEST_STATE::OSType
INTRO_GUEST_TYPE OSType
The type of the guest.
Definition: guests.h:274
_EVENT_AGENT_EVENT::ErrorCode
DWORD ErrorCode
The error code of the event. Success is 0.
Definition: intro_types.h:2186
IntAgentHandleRemediationVmcall
INTSTATUS IntAgentHandleRemediationVmcall(void *Reserved, PIG_ARCH_REGS Registers)
Handle a VMCALL issued by a remediation agent.
Definition: hnd_remediation.c:11
gAlert
GENERIC_ALERT gAlert
Global alert buffer.
Definition: alerts.c:27
_AGENT_REM_EVENT
A remediation tool event.
Definition: intro_types.h:2009
REM_EVENT_VERSION
#define REM_EVENT_VERSION
Remediation event version.
Definition: intro_types.h:1987
introGuestLinux
Linux.
Definition: intro_types.h:1881
_AGENT_REM_EVENT::DetectionEvent
struct _AGENT_REM_EVENT::@313::@319 DetectionEvent
Detection event. Valid if Header.EventType is remEventDetection.
IntNotifyIntroEvent
INTSTATUS IntNotifyIntroEvent(INTRO_EVENT_TYPE EventClass, void *Param, size_t EventSize)
Notifies the integrator about an introspection alert.
Definition: glue.c:1042
_GUEST_STATE::Guest64
BOOLEAN Guest64
True if this is a 64-bit guest, False if it is a 32-bit guest.
Definition: guests.h:286
QWORD
unsigned long long QWORD
Definition: intro_types.h:53
introEventAgentEvent
Informational event sent when the remediation tool is injected or terminated. See EVENT_AGENT_EVENT...
Definition: intro_types.h:104
TRACE
#define TRACE(fmt,...)
Definition: glue.h:58
_EVENT_AGENT_EVENT::AgentTag
DWORD AgentTag
Unique agent tag. See INTRO_DEP_AG_TAGS.
Definition: intro_types.h:2185
IntAlertFillWinProcessCurrent
void IntAlertFillWinProcessCurrent(INTRO_PROCESS *EventProcess)
Saves information about the current Windows process inside an alert.
Definition: alerts.c:781
introGuestWindows
Windows.
Definition: intro_types.h:1880
hnd_remediation.h
UNREFERENCED_PARAMETER
#define UNREFERENCED_PARAMETER(P)
Definition: introdefs.h:29
agentMessage
The agent sent a message.
Definition: intro_types.h:1940
_GENERIC_ALERT::Agent
EVENT_AGENT_EVENT Agent
Definition: alerts.h:29
DWORD
uint32_t DWORD
Definition: intro_types.h:49
_AGENT_REM_EVENT::StartEvent
struct _AGENT_REM_EVENT::@313::@315 StartEvent
Start event. Valid if Header.EventType is remEventStart.
_AGENT_REM_EVENT_HEADER
Common header for all remediation tool events.
Definition: intro_types.h:1995
gGuest
GUEST_STATE gGuest
The current guest state.
Definition: guests.c:48
IntVirtMemRead
INTSTATUS IntVirtMemRead(QWORD Gva, DWORD Length, QWORD Cr3, void *Buffer, DWORD *RetLength)
Reads data from a guest virtual memory range.
Definition: introcore.c:627
_AGENT_REM_EVENT::FinishEvent
struct _AGENT_REM_EVENT::@313::@316 FinishEvent
Finish event. Valid if Header.EventType is remEventFinish.
_AGENT_REM_EVENT_HEADER::Size
DWORD Size
Event size. Must match REM_EVENT_SIZE.
Definition: intro_types.h:1998
remEventProgress
Progress report event.
Definition: intro_types.h:1976
_AGENT_REM_EVENT::Header
AGENT_REM_EVENT_HEADER Header
Event header.
Definition: intro_types.h:2011
utf16_for_log
char * utf16_for_log(const WCHAR *WString)
Converts a UTF-16 to a UTF-8 string to be used inside logging macros.
Definition: introcore.c:2845
INT_STATUS_NOT_SUPPORTED
#define INT_STATUS_NOT_SUPPORTED
Definition: introstatus.h:287
_IG_ARCH_REGS
Holds register state.
Definition: glueiface.h:30
IntAlertFillLixCurrentProcess
void IntAlertFillLixCurrentProcess(INTRO_PROCESS *EventProcess)
Saves the current Linux process inside an event.
Definition: alerts.c:1307
_EVENT_AGENT_EVENT::RemediationEvent
AGENT_REM_EVENT RemediationEvent
Remediation tool event.
Definition: intro_types.h:2202
_AGENT_REM_EVENT_HEADER::EventType
AGENT_REM_EVENT_TYPE EventType
Event type.
Definition: intro_types.h:2000
INT_STATUS_INVALID_DATA_SIZE
#define INT_STATUS_INVALID_DATA_SIZE
Definition: introstatus.h:142
INT_STATUS_INVALID_PARAMETER_3
#define INT_STATUS_INVALID_PARAMETER_3
Definition: introstatus.h:68