doxygen/html/lixnet_8c_source.html

 /*
  * Copyright (c) 2020 Bitdefender
  * SPDX-License-Identifier: Apache-2.0
  */
 #include "lixnet.h"
 #include "alerts.h"
 #include "guests.h"

 #define LIX_FDTABLE_MAX_FDS_CAP     2048u

 typedef struct _SOCK_PROTO
 {
     QWORD   Gva;
     CHAR    Name[32];
 } SOCK_PROTO;


 static void
 IntLixNetSendConnectionEvent(
     _In_ INTRONET_ENDPOINT *Connection
     )
 {
     INTSTATUS status;
     PEVENT_CONNECTION_EVENT pConnectionEvent;

     pConnectionEvent = &gAlert.Connection;

     IntAlertFillConnection(Connection, pConnectionEvent);

     status = IntNotifyIntroEvent(introEventConnectionEvent, pConnectionEvent, sizeof(*pConnectionEvent));
     if (!INT_SUCCESS(status))
     {
         WARNING("[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
     }
 }


 _Success_(return == INT_STATUS_SUCCESS)
 static INTSTATUS
 IntLixNetGetConnectionFromSocket(
     _In_ QWORD SocketGva,
     _Out_ INTRONET_ENDPOINT *Connection
     )
 {
     INTSTATUS status;

     QWORD sock, proto;
     CHAR protoName[32];
     DWORD sockState = 0;

     DWORD iProto;

     static SOCK_PROTO protos[] =
     {
         {
             .Name = "TCP"
         },
         {
             .Name = "TCPv6"
         },
     };

     status = IntKernVirtMemFetchQword(SocketGva + LIX_FIELD(Socket, Sk), &sock);
     if (!INT_SUCCESS(status))
     {
         ERROR("[ERROR] IntKernVirtMemFetchQword failed for GVA 0x%016llx: 0x%08x\n",
               SocketGva + LIX_FIELD(Socket, Sk), status);
         return status;
     }

     status = IntKernVirtMemFetchQword(sock + LIX_FIELD(Sock, Proto), &proto);
     if (!INT_SUCCESS(status))
     {
         ERROR("[ERROR] IntKernVirtMemFetchQword failed for GVA 0x%016llx: 0x%08x\n",
               sock + LIX_FIELD(Sock, Proto), status);
         return status;
     }

     if (!IS_KERNEL_POINTER_LIX(proto))
     {
         WARNING("[WARNING] Sock 0x%016llx has NULL proto pointer.", sock);
         return INT_STATUS_NOT_NEEDED_HINT;
     }

     for (iProto = 0; iProto < ARRAYSIZE(protos); iProto++)
     {
         if (proto == protos[iProto].Gva)
         {
             break;
         }
     }

     if (iProto == ARRAYSIZE(protos))
     {
         status = IntKernVirtMemRead(proto + LIX_FIELD(Ungrouped, ProtoName), sizeof(protoName), protoName, NULL);
         if (!INT_SUCCESS(status))
         {
             ERROR("[ERROR] IntKernVirtMemRead failed for GVA 0x%016llx: 0x%08x\n",
                   proto + LIX_FIELD(Ungrouped, ProtoName), status);
             return INT_STATUS_SUCCESS;
         }

         for (iProto = 0; iProto < ARRAYSIZE(protos); iProto++)
         {
             if (!strcmp(protos[iProto].Name, protoName))
             {
                 protos[iProto].Gva = proto;
                 break;
             }
         }

         if (iProto == ARRAYSIZE(protos))
         {
             return INT_STATUS_NOT_NEEDED_HINT;
         }
     }

     status = IntKernVirtMemRead(sock + LIX_FIELD(Sock, State), 1,  &sockState, NULL);
     if (!INT_SUCCESS(status))
     {
         ERROR("[ERROR] IntKernVirtMemRead failed for GVA 0x%016llx: 0x%08x\n",
               sock + LIX_FIELD(Sock, State), status);
         return status;
     }

     Connection->State = IntNetConvertState(sockState);
     Connection->AddressFamily = (iProto == 0 ? introNetAfIpv4 : introNetAfIpv6);
     Connection->Endpoint = sock;

     memset(&Connection->LocalAddress, 0, sizeof(Connection->LocalAddress));
     memset(&Connection->RemoteAddress, 0, sizeof(Connection->RemoteAddress));

     if (introNetAfIpv6 == Connection->AddressFamily)
     {
         status = IntKernVirtMemRead(sock + LIX_FIELD(Sock, RcvSaddr), 16, &Connection->LocalAddress, NULL);
         if (!INT_SUCCESS(status))
         {
             ERROR("[ERROR] IntKernVirtMemRead failed for GVA 0x%016llx: 0x%08x\n",
                   sock + LIX_FIELD(Sock, V6RcvSaddr), status);
             return status;
         }

         status = IntKernVirtMemRead(sock + LIX_FIELD(Sock, V6Daddr), 16, &Connection->RemoteAddress, NULL);
         if (!INT_SUCCESS(status))
         {
             ERROR("[ERROR] IntKernVirtMemRead failed for GVA 0x%016llx: 0x%08x\n",
                   sock + LIX_FIELD(Sock, V6RcvSaddr), status);
             return status;
         }
     }
     else
     {
         status = IntKernVirtMemRead(sock + LIX_FIELD(Sock, RcvSaddr), 4, &Connection->LocalAddress, NULL);
         if (!INT_SUCCESS(status))
         {
             ERROR("[ERROR] IntKernVirtMemRead failed for GVA 0x%016llx: 0x%08x\n",
                   sock + LIX_FIELD(Sock, RcvSaddr), status);
             return status;
         }

         status = IntKernVirtMemRead(sock + LIX_FIELD(Sock, Daddr), 4, &Connection->RemoteAddress, NULL);
         if (!INT_SUCCESS(status))
         {
             ERROR("[ERROR] IntKernVirtMemRead failed for GVA 0x%016llx: 0x%08x\n",
                   sock + LIX_FIELD(Sock, RcvSaddr), status);
             return status;
         }
     }

     status = IntKernVirtMemRead(sock + LIX_FIELD(Sock, Num), 2, &Connection->LocalPort, NULL);
     if (!INT_SUCCESS(status))
     {
         ERROR("[ERROR] IntKernVirtMemRead failed for GVA 0x%016llx: 0x%08x\n",
               sock + LIX_FIELD(Sock, Num), status);
         return status;
     }

     status = IntKernVirtMemRead(sock + LIX_FIELD(Sock, Dport), 2, &Connection->RemotePort, NULL);
     if (!INT_SUCCESS(status))
     {
         ERROR("[ERROR] IntKernVirtMemRead failed for GVA 0x%016llx: 0x%08x\n",
               sock + LIX_FIELD(Sock, Dport), status);
         return status;
     }

     return INT_STATUS_SUCCESS;
 }


 static BOOLEAN
 IntLixNetFileIsSocket(
     _In_ QWORD StructFileGva,
     _Out_ QWORD *SocketGva
     )
 {
     INTSTATUS status;
     QWORD dentry, inode;
     UINT16 imode;

     *SocketGva = 0;

     status = IntKernVirtMemFetchQword(StructFileGva + LIX_FIELD(Ungrouped, FileDentry), &dentry);
     if (!INT_SUCCESS(status))
     {
         ERROR("[ERROR] IntKernVirtMemFetchQword failed for GVA 0x%016llx: 0x%08x\n",
               StructFileGva + LIX_FIELD(Ungrouped, FileDentry), status);
         return FALSE;
     }

     status = IntKernVirtMemFetchQword(dentry + LIX_FIELD(Dentry, Inode), &inode);
     if (!INT_SUCCESS(status))
     {
         ERROR("[ERROR] IntKernVirtMemFetchQword failed for GVA 0x%016llx: 0x%08x\n",
               dentry + LIX_FIELD(Dentry, Inode), status);
         return FALSE;
     }

     status = IntKernVirtMemRead(inode + LIX_FIELD(Inode, Imode), sizeof(imode), &imode, NULL);
     if (!INT_SUCCESS(status))
     {
         ERROR("[ERROR] IntKernVirtMemRead failed for GVA 0x%016llx: 0x%08x\n",
               dentry + LIX_FIELD(Dentry, Inode), status);
         return FALSE;
     }

     if (!S_ISSOCK(imode))
     {
         return FALSE;
     }

     *SocketGva = inode - LIX_FIELD(Ungrouped, SocketAllocVfsInode);
     return TRUE;

 }


 INTSTATUS
 IntLixNetSendTaskConnections(
     _In_ LIX_TASK_OBJECT *Task
     )
 {
     INTSTATUS status;

     INTRONET_ENDPOINT conn;
     CHAR ipString[INTRONET_MIN_BUFFER_SIZE];

     QWORD files, fdt, fd;
     DWORD maxFds;

     if (gGuest.OSType != introGuestLinux)
     {
         BUG_ON(TRUE);

         return INT_STATUS_NOT_SUPPORTED;
     }

     if (!(gGuest.CoreOptions.Current & INTRO_OPT_EVENT_CONNECTIONS))
     {
         return INT_STATUS_NOT_NEEDED_HINT;
     }

     if (NULL == Task)
     {
         return INT_STATUS_INVALID_PARAMETER_1;
     }

     status = IntKernVirtMemFetchQword(Task->Gva + LIX_FIELD(TaskStruct, Files), &files);
     if (!INT_SUCCESS(status))
     {
         ERROR("[ERROR] IntKernVirtMemFetchQword failed for %llx: 0x%08x\n",
               Task->Gva + LIX_FIELD(TaskStruct, Files), status);
         return status;
     }

     status = IntKernVirtMemFetchQword(files + LIX_FIELD(Files, Fdt), &fdt);
     if (!INT_SUCCESS(status))
     {
         ERROR("[ERROR] IntKernVirtMemFetchQword failed for %llx: 0x%08x\n", files + LIX_FIELD(Files, Fdt), status);
         return status;
     }

     status = IntKernVirtMemFetchDword(fdt + LIX_FIELD(FdTable, MaxFds), &maxFds);
     if (!INT_SUCCESS(status))
     {
         ERROR("[ERROR] IntKernVirtMemFetchQword failed for %llx: 0x%08x\n", fdt + LIX_FIELD(FdTable, MaxFds), status);
         return status;
     }

     status = IntKernVirtMemFetchQword(fdt + LIX_FIELD(FdTable, Fd), &fd);
     if (!INT_SUCCESS(status))
     {
         ERROR("[ERROR] IntKernVirtMemFetchQword failed for %llx: 0x%08x\n", files + LIX_FIELD(FdTable, Fd), status);
         return status;
     }

     conn.OwnerTask = Task;

     maxFds = MIN(maxFds, LIX_FDTABLE_MAX_FDS_CAP);
     for (DWORD iFd = 0; iFd < maxFds; iFd++)
     {
         QWORD file;
         QWORD socketGva;

         status = IntKernVirtMemFetchQword(fd + iFd * sizeof(QWORD), &file);
         if (!INT_SUCCESS(status))
         {
             ERROR("[ERROR] IntKernVirtMemFetchQword failed for %llx: 0x%08x\n", fd + iFd * 8ull, status);
             return status;
         }

         if ((!IS_KERNEL_POINTER_LIX(file)) || (!IntLixNetFileIsSocket(file, &socketGva)))
         {
             continue;
         }

         status = IntLixNetGetConnectionFromSocket(socketGva, &conn);
         if (!INT_SUCCESS(status))
         {
             ERROR("[ERROR] IntLixSocketGetConnection failed for socket %llx : 0x%08x\n", socketGva, status);
             continue;
         }

         if (INT_STATUS_NOT_NEEDED_HINT == status)
         {
             continue;
         }

         IntLixNetSendConnectionEvent(&conn);

         IntNetAddrToStr(conn.AddressFamily, &conn.RemoteAddress, ipString);
         TRACE("[CONNECTION] Owner %s | Family: %u | State %s | LocalPort: %hu | RemoteAddress: %s | Endpoint %016llx\n",
               conn.OwnerTask->Comm, conn.AddressFamily, IntNetStateToString(conn.State),
               conn.LocalPort, ipString, conn.Endpoint);

     }

     return INT_STATUS_SUCCESS;
 }


 INTSTATUS
 IntLixNetSendGuestConnections(
     void
     )
 {
     INTSTATUS status;

     if (gGuest.OSType != introGuestLinux)
     {
         BUG_ON(TRUE);

         return INT_STATUS_NOT_SUPPORTED;
     }

     if (!(gGuest.CoreOptions.Current & INTRO_OPT_EVENT_CONNECTIONS))
     {
         return INT_STATUS_NOT_NEEDED_HINT;
     }

     status = IntLixTaskIterateTasks(IntLixNetSendTaskConnections);
     if (!INT_SUCCESS(status))
     {
         ERROR("[ERROR] IntLixTaskIterateTasks failed: 0x%08x\n", status);
     }

     return status;
 }
BOOLEAN
_Bool BOOLEAN
Definition: intro_types.h:58

_Out_
#define _Out_
Definition: intro_sal.h:22

_GENERIC_ALERT::Connection
EVENT_CONNECTION_EVENT Connection
Definition: alerts.h:30

_In_
#define _In_
Definition: intro_sal.h:21

INT_STATUS_SUCCESS
#define INT_STATUS_SUCCESS
Definition: introstatus.h:54

_INTRONET_ENDPOINT::LocalPort
INTRONET_PORT LocalPort
Local port.
Definition: intronet.h:37

_SOCK_PROTO
An internal structure used to cache the "struct proto" addresses of required connection types...
Definition: lixnet.c:14

_SOCK_PROTO::Name
CHAR Name[32]
The protocol name as defined in Linux kernel.
Definition: lixnet.c:17

_Success_
#define _Success_(expr)
Definition: intro_sal.h:47

INT_SUCCESS
#define INT_SUCCESS(Status)
Definition: introstatus.h:42

BUG_ON
#define BUG_ON(cond)
Definition: introdefs.h:236

ARRAYSIZE
#define ARRAYSIZE(A)
Definition: introdefs.h:101

SOCK_PROTO
struct _SOCK_PROTO SOCK_PROTO
An internal structure used to cache the "struct proto" addresses of required connection types...

INT_STATUS_NOT_NEEDED_HINT
#define INT_STATUS_NOT_NEEDED_HINT
Definition: introstatus.h:317

ERROR
#define ERROR(fmt,...)
Definition: glue.h:62

_INTRONET_ENDPOINT::AddressFamily
INTRO_NET_AF AddressFamily
Address family.
Definition: intronet.h:29

INTSTATUS
int INTSTATUS
The status data type.
Definition: introstatus.h:24

introNetAfIpv4
IPv4.
Definition: intro_types.h:289

_INTRONET_ENDPOINT::OwnerTask
LIX_TASK_OBJECT * OwnerTask
Pointer to the task that owns the connection.
Definition: intronet.h:53

IntNetStateToString
const char * IntNetStateToString(INTRO_NET_STATE State)
Converts a connection state to a string.
Definition: intronet.h:69

_GUEST_STATE::OSType
INTRO_GUEST_TYPE OSType
The type of the guest.
Definition: guests.h:274

INTRO_OPT_EVENT_CONNECTIONS
#define INTRO_OPT_EVENT_CONNECTIONS
Enable connection events.
Definition: intro_types.h:466

IntLixNetGetConnectionFromSocket
static INTSTATUS IntLixNetGetConnectionFromSocket(QWORD SocketGva, INTRONET_ENDPOINT *Connection)
Fills an INTRONET_ENDPOINT structure from a TCP/IP socket GVA.
Definition: lixnet.c:48

MIN
#define MIN(a, b)
Definition: introdefs.h:146

guests.h

IntLixNetFileIsSocket
static BOOLEAN IntLixNetFileIsSocket(QWORD StructFileGva, QWORD *SocketGva)
Check if a give file object is a socked and return the socket GVA.
Definition: lixnet.c:214

INTRONET_MIN_BUFFER_SIZE
#define INTRONET_MIN_BUFFER_SIZE
The minimum buffer size needed for the textual representation of an IP address.
Definition: intronet.h:12

gAlert
GENERIC_ALERT gAlert
Global alert buffer.
Definition: alerts.c:27

IntKernVirtMemFetchDword
INTSTATUS IntKernVirtMemFetchDword(QWORD GuestVirtualAddress, DWORD *Data)
Reads 4 bytes from the guest kernel memory.
Definition: introcore.c:829

introGuestLinux
Linux.
Definition: intro_types.h:1881

IS_KERNEL_POINTER_LIX
#define IS_KERNEL_POINTER_LIX(p)
Definition: lixguest.h:11

IntKernVirtMemFetchQword
INTSTATUS IntKernVirtMemFetchQword(QWORD GuestVirtualAddress, QWORD *Data)
Reads 8 bytes from the guest kernel memory.
Definition: introcore.c:811

IntNotifyIntroEvent
INTSTATUS IntNotifyIntroEvent(INTRO_EVENT_TYPE EventClass, void *Param, size_t EventSize)
Notifies the integrator about an introspection alert.
Definition: glue.c:1042

QWORD
unsigned long long QWORD
Definition: intro_types.h:53

IntNetAddrToStr
DWORD IntNetAddrToStr(const INTRO_NET_AF Family, const INTRONET_ADDRESS *Address, CHAR *String)
Converts an IP address to a string.
Definition: intronet.c:11

_INTRO_PROT_OPTIONS::Current
QWORD Current
The currently used options.
Definition: guests.h:232

_INTRONET_ENDPOINT
An endpoint.
Definition: intronet.h:26

TRUE
#define TRUE
Definition: intro_types.h:30

alerts.h

LIX_FDTABLE_MAX_FDS_CAP
#define LIX_FDTABLE_MAX_FDS_CAP
The maximum number of file descriptors to be iterated.
Definition: lixnet.c:9

LIX_FIELD
#define LIX_FIELD(Structure, Field)
Macro used to access fields inside the LIX_OPAQUE_FIELDS structure.
Definition: lixguest.h:426

TRACE
#define TRACE(fmt,...)
Definition: glue.h:58

_INTRONET_ENDPOINT::State
INTRO_NET_STATE State
Connection state.
Definition: intronet.h:32

introEventConnectionEvent
Informational event containing the connections opened by a process. See EVENT_CONNECTION_EVENT.
Definition: intro_types.h:113

_LIX_TASK_OBJECT
Definition: lixprocess.h:38

WARNING
#define WARNING(fmt,...)
Definition: glue.h:60

DWORD
uint32_t DWORD
Definition: intro_types.h:49

IntLixNetSendConnectionEvent
static void IntLixNetSendConnectionEvent(INTRONET_ENDPOINT *Connection)
Sends a connection event to the integrator.
Definition: lixnet.c:22

_LIX_TASK_OBJECT::Comm
char Comm[LIX_COMM_SIZE]
The short name of the executable.
Definition: lixprocess.h:44

gGuest
GUEST_STATE gGuest
The current guest state.
Definition: guests.c:48

IntLixNetSendGuestConnections
INTSTATUS IntLixNetSendGuestConnections(void)
Sends all active in-guest TCP/IP connections as events to the integrator.
Definition: lixnet.c:388

_INTRONET_ENDPOINT::RemoteAddress
INTRONET_ADDRESS RemoteAddress
Remote address.
Definition: intronet.h:42

S_ISSOCK
#define S_ISSOCK(m)
Definition: lixddefs.h:253

IntKernVirtMemRead
INTSTATUS IntKernVirtMemRead(QWORD KernelGva, DWORD Length, void *Buffer, DWORD *RetLength)
Reads data from a guest kernel virtual memory range.
Definition: introcore.c:674

UINT16
uint16_t UINT16
Definition: intro_types.h:38

INT_STATUS_INVALID_PARAMETER_1
#define INT_STATUS_INVALID_PARAMETER_1
Definition: introstatus.h:62

INT_STATUS_NOT_SUPPORTED
#define INT_STATUS_NOT_SUPPORTED
Definition: introstatus.h:287

IntLixTaskIterateTasks
INTSTATUS IntLixTaskIterateTasks(PFUNC_LixTaskIterateTasks Callback)
Call the Callback parameter for each task saved internally.
Definition: lixprocess.c:4850

_EVENT_CONNECTION_EVENT
Event structure for connections.
Definition: intro_types.h:1843

IntLixNetSendTaskConnections
INTSTATUS IntLixNetSendTaskConnections(LIX_TASK_OBJECT *Task)
Sends all active TCP/IP connections from a task to the integrator.
Definition: lixnet.c:271

IntAlertFillConnection
void IntAlertFillConnection(const INTRONET_ENDPOINT *Connection, EVENT_CONNECTION_EVENT *Event)
Saves information about a guest connection in an event.
Definition: alerts.c:1328

_SOCK_PROTO::Gva
QWORD Gva
The GVA of the "struct proto" object.
Definition: lixnet.c:16

introNetAfIpv6
IPv6.
Definition: intro_types.h:290

CHAR
char CHAR
Definition: intro_types.h:56

_INTRONET_ENDPOINT::Endpoint
QWORD Endpoint
Guest virtual address of the endpoint/socket object.
Definition: intronet.h:61

_GUEST_STATE::CoreOptions
INTRO_PROT_OPTIONS CoreOptions
The activation and protection options for this guest.
Definition: guests.h:267

IntNetConvertState
INTRO_NET_STATE IntNetConvertState(const DWORD State)
Converts a guest connection state to an Introcore connection state.
Definition: intronet.c:168

lixnet.h

FALSE
#define FALSE
Definition: intro_types.h:34