50 memzero(pModEvent,
sizeof(*pModEvent));
52 pModEvent->
Loaded = Loaded;
61 WARNING(
"[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
69 _In_ void *PsLoadedModuleList,
134 if (name != 0x0073006f0074006e)
190 if (name != 0x0073006f0074006e)
197 TRACE(
"[INFO] Found & skipped shadow module list at 0x%08x (head->flink->blink should be same as head)\n",
198 (
DWORD)PsLoadedModuleListGva);
228 if (Callback == NULL)
244 ERROR(
"[ERROR] Failed getting the Flink value of MODULE @ 0x%016llx: 0x%08x\n", currentModule, status);
254 status = Callback(currentModule, Aux);
268 currentModule &= 0xFFFFFFFF;
272 ERROR(
"[ERROR] Failed getting the Flink value of LDR_DATA_TABLE_ENTRY @ 0x%016llx: 0x%08x\n",
273 currentModule, status);
310 DWORD nameSize, pathSize;
325 ERROR(
"[ERROR] Failed reading from GVA 0x%016llx to host: 0x%08x\n", ModuleInfo, status);
350 goto _cleanup_and_leave;
371 if (NULL == pDriver->
Name)
374 goto _cleanup_and_leave;
380 ERROR(
"[ERROR] Failed reading driver name: 0x%08x\n", status);
381 goto _cleanup_and_leave;
403 goto _cleanup_and_leave;
424 if (NULL == pDriver->
Name)
427 goto _cleanup_and_leave;
433 ERROR(
"[ERROR] Failed reading driver name from 0x%08x [%d]: 0x%08x\n",
435 goto _cleanup_and_leave;
443 TRACE(
"[DRIVER] Driver '%s' @ 0x%016llx (base: 0x%016llx, hash: 0x%08x) just loaded\n",
459 ERROR(
"[ERROR] IntHookObjectCreate failed: 0x%08x\n", status);
460 goto _cleanup_and_leave;
474 ERROR(
"[ERROR] IntHookObjectHookRegion failed: 0x%08x\n", status);
475 goto _cleanup_and_leave;
485 ERROR(
"[ERROR] IntWinDrvProtect failed: 0x%08x\n", status);
534 ERROR(
"[ERROR] IntVirtMemMap failed for GVA 0x%016llx: 0x%08x\n", ModuleInfo, status);
540 sizeOfImage = 0xffffffff & pModuleInfo64->
SizeOfImage;
541 moduleBase = pModuleInfo64->
DllBase;
544 else if (pModuleInfo32)
558 goto _cleanup_and_leave;
565 if (pDriver->BaseVa == moduleBase && pDriver->Size == sizeOfImage)
569 TRACE(
"[DRIVER] Driver 0x%016llx unloaded\n", pDriver->BaseVa);
578 ERROR(
"[ERROR] IntWinDrvRemoveEntry failed: 0x%08x\n", status);
583 goto _cleanup_and_leave;
587 WARNING(
"[WARNING] Requested unload of the driver 0x%016llx with" 588 "size 0x%08x, LDR 0x%016llx, but it wasn't found...\n",
589 moduleBase, sizeOfImage, ModuleInfo);
596 else if (pModuleInfo32)
633 ERROR(
"[ERROR] IntPeGetDirectory failed: 0x%08x\n", status);
638 eatSize = dataDir.
Size;
644 ERROR(
"[ERROR] eatRva/eatSize are not valid eatRva:0x%08x, eatSize:0x%08x, " 645 "KernelBaseVa:0x%llx, KernelSize:0x%llx\n",
665 ERROR(
"[ERROR] Failed hooking EAT for ntoskrnl.exe 0x%08x\n", status);
698 ERROR(
"[ERROR] IntHookObjectRemoveRegion failed, status: 0x%08x\n", status);
735 DWORD i, iatSize, eatSize, iatRva, eatRva;
755 TRACE(
"[DRIVER] Adding protection on driver '%s' at %llx...\n",
768 ERROR(
"[ERROR] IntKernVirtMemRead failed: 0x%08x\n", status);
775 ERROR(
"[ERROR] IntPeValidateHeader failed: 0x%08x\n", status);
791 ERROR(
"[ERROR] IntPeGetDirectory failed: 0x%08x\n", status);
796 iatSize = dataDir.
Size;
801 ERROR(
"[ERROR] IntPeGetDirectory failed: 0x%08x\n", status);
806 eatSize = dataDir.
Size;
808 TRACE(
"[DRIVER] %s @ 0x%016llx has timedate stamp 0x%08x and size 0x%08x\n",
814 ERROR(
"[ERROR] IntHookObjectCreate failed: 0x%08x\n", status);
834 ERROR(
"[ERROR] Failed reading IMAGE_SECTION_HEADER %d for driver 0x%016llx\n", i, pDriver->
BaseVa);
855 if (memcmp(sec.
Name,
"INITKDBG", 8) == 0)
857 TRACE(
"[DRIVER] Skipping section INITKDBG...\n");
862 if (memcmp(sec.
Name,
"ERRATA", 6) == 0)
868 if (memcmp(sec.
Name,
"ALMOSTRO", 8) == 0)
875 TRACE(
"[DRIVER] Overriding the hook flag, will hook ALMOSTRO section...\n");
876 hookSection = ignoreAlign =
TRUE;
909 WARNING(
"[WARNING] Section %d of driver '%s' is not aligned (%llx:%llx): alignment %x\n",
916 QWORD curSecStart = 0, curSecEnd = 0, curLastPage = 0, curFirstPage = 0;
930 ERROR(
"[ERROR] Failed reading IMAGE_SECTION_HEADER %d for driver %llx\n",
939 curLastPage = (curSecEnd - 1) & PAGE_MASK;
945 WARNING(
"[WARNING] Section %d overlaps writable section %d (%llx:%llx - %llx:%llx)!\n",
946 i, k, secStart, secEnd, curSecStart, curSecEnd);
954 WARNING(
"[WARNING] Section %d overlaps writable section %d (%llx:%llx - %llx:%llx)!\n",
955 i, k, secStart, secEnd, curSecStart, curSecEnd);
970 secStart = (secStart &
PAGE_MASK) + 0x1000;
974 if (secStart >= secEnd)
976 WARNING(
"[WARNING] Section %d overlaps entirely writable sections; will not hook it.\n", i);
991 ERROR(
"[ERROR] Failed hooking section %d for driver 0x%016llx: 0x%08x\n", i, pDriver->
BaseVa, status);
1002 pDriver->
BaseVa + iatRva,
1011 ERROR(
"[ERROR] Failed hooking IAT for driver 0x%016llx: 0x%08x\n", pDriver->
BaseVa, status);
1020 pDriver->
BaseVa + eatRva,
1029 ERROR(
"[ERROR] Failed hooking IAT for driver 0x%016llx: 0x%08x\n", pDriver->
BaseVa, status);
1043 ERROR(
"[ERROR] Failed hooking EAT for ntoskrnl.exe, failed: 0x%08x\n", status);
1075 if (Driver->Protected)
1080 Driver->Protected =
TRUE;
1081 Driver->ProtectionFlag = ProtectionFlag;
1106 if (!Driver->Protected)
1111 TRACE(
"[DRIVER] Removing protection on module '%s' at %llx...\n",
1114 if (NULL != Driver->Win.MzPeHeaders)
1119 if (NULL != Driver->HookObject)
1124 if (NULL != Driver->Win.HeadersSwapHandle)
1128 Driver->Win.HeadersSwapHandle = NULL;
1131 Driver->Protected =
FALSE;
1167 if (NULL == Context)
1196 guestAddress = pRegs->
Rcx;
1203 ERROR(
"[ERROR] IntKernVirtMemPatchDword failed: 0x%08x\n", status);
1212 ERROR(
"[ERROR] IntWinDrvObjCreateDriverObject failed: 0x%08x\n", status);
1224 ERROR(
"[ERROR] IntHookObjectDestroy failed: 0x%08x\n", status);
1262 memzero(pEptViol,
sizeof(*pEptViol));
1293 WARNING(
"[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
1325 if (NULL == Context)
1339 memzero(&victim,
sizeof(victim));
1340 memzero(&originator,
sizeof(originator));
1345 exitAfterInformation =
FALSE;
1352 exitAfterInformation =
TRUE;
1356 ERROR(
"[ERROR] Failed getting originator: 0x%08x\n", status);
1358 exitAfterInformation =
TRUE;
1370 ERROR(
"[ERROR] Failed getting zone details: 0x%08x\n", status);
1371 exitAfterInformation =
TRUE;
1374 if (exitAfterInformation)
1411 if (Rip >= pDriver->BaseVa && Rip < pDriver->BaseVa + pDriver->Size)
1442 if (!CurrentOriginator)
1452 ERROR(
"[ERROR] We have reached %llu reads from ntoskrnl.exe EAT, last driver %s, disabling protection\n",
1458 ERROR(
"[ERROR] IntWinUnprotectReadNtEat failed: 0x%08x\n", status);
1496 #define NTOSKRNL_RIP_PAGES_COUNT 20 1497 #define PATCHGUARD_RIP_COUNT 4 1498 #define MAX_KNOWN_DRIVER_READS 100000 1501 static DWORD ntoskrnlRipPagesCount = 0;
1504 static DWORD patchguardRipCount = 0;
1506 if (NULL == Context)
1521 exitAfterInformation =
FALSE;
1529 for (
DWORD i = 0; i < ntoskrnlRipPagesCount; i++)
1531 if (ntoskrnlRipPages[i] == ripPage)
1541 for (
DWORD i = 0; i < patchguardRipCount; i++)
1557 if (pOriginatingDriver)
1573 ERROR(
"[ERROR] IntWinDrvDisableReadNtEat failed: 0x%08x\n", status);
1581 memzero(&victim,
sizeof(victim));
1582 memzero(&originator,
sizeof(originator));
1588 exitAfterInformation =
TRUE;
1592 ERROR(
"[ERROR] Failed getting originator: 0x%08x\n", status);
1594 exitAfterInformation =
TRUE;
1605 ERROR(
"[ERROR] Failed getting zone details: 0x%08x\n", status);
1607 exitAfterInformation =
TRUE;
1610 if (exitAfterInformation)
1636 #undef NTOSKRNL_RIP_PAGES_COUNT 1637 #undef PATCHGUARD_RIP_COUNT 1638 #undef MAX_KNOWN_DRIVER_READS 1660 if (NULL != Driver->Win.Path)
1665 if (NULL != Driver->Name)
1670 if (NULL != Driver->Win.MzPeHeaders)
1703 ERROR(
"[ERROR] IntWinModuleUnHook failed: 0x%08x\n", status);
1706 if (NULL != Driver->Win.EpHookObject)
1711 if (NULL != Driver->Win.DriverObject)
1720 ERROR(
"[ERROR] IntWinDrvObjRemoveDriverObject failed: 0x%08x\n", status);
1723 Driver->Win.DriverObject = NULL;
1729 ERROR(
"[ERROR] IntWinDrvFreeEntry failed: 0x%08x\n", status);
1746 TRACE(
"[DRIVER] Updating kernel drivers protections...\n");
1754 if (!pDriver->Protected && (NULL != pProtInfo))
1759 ERROR(
"[ERROR] IntWinDrvProtect failed for '%s': 0x%08x\n",
1763 else if (pDriver->Protected && (NULL == pProtInfo))
1768 ERROR(
"[ERROR] IntWinDrvUnprotect failed for '%s': 0x%08x\n",
Measures kernel-mode exception checks.
#define SWAPMEM_OPT_NO_FAULT
If set, no PF will be injected. Introcore will wait for the pages to be naturally swapped in...
LIST_ENTRY Link
Entry inside the gWinDriverObjects list.
enum _INTRO_ACTION_REASON INTRO_ACTION_REASON
The reason for which an INTRO_ACTION was taken.
INTRO_CODEBLOCKS CodeBlocks
Code blocks extracted for the alert.
INTSTATUS IntWinDrvRemoveEntry(KERNEL_DRIVER *Driver)
Removes the KERNEL_DRIVER from the internal structures.
#define ROUND_UP(what, to)
INTSTATUS IntWinDrvIterateLoadedModules(PFUNC_IterateListCallback Callback, QWORD Aux)
Used to iterate through the WINDOWS_GUEST::PsLoadedModuleList.
INTSTATUS IntVirtMemUnmap(void **HostPtr)
Unmaps a memory range previously mapped with IntVirtMemMap.
QWORD IntAlertCoreGetFlags(QWORD ProtectionFlag, INTRO_ACTION_REASON Reason)
Returns the flags for an alert.
An internal error occurred (no memory, pages not present, etc.).
BOOLEAN IntPolicyCoreForceBetaIfNeeded(QWORD Flag, INTRO_ACTION *Action)
Checks if a forced action should be taken even if the log-only mode is active.
Kernel module (ntoskrnl.exe, hal.dll, etc.)
WINDOWS_GUEST * gWinGuest
Global variable holding the state of a Windows guest.
INTSTATUS IntHookObjectDestroy(HOOK_OBJECT_DESCRIPTOR **Object, DWORD Flags)
Destroy an entire hook object. All regions belonging to this object will be removed.
QWORD EatReadCount
The number of EAT reads that took place from within known drivers.
IG_ARCH_REGS Regs
The current state of the guest registers.
QWORD RequiredFlags
The introcore options that need to be active in order to protect this module.
INTSTATUS IntPeGetDirectory(QWORD ImageBase, BYTE *ImageBaseBuffer, DWORD DirectoryEntry, IMAGE_DATA_DIRECTORY *Directory)
Validate & return the indicated image data directory.
MITRE_ID MitreID
The Mitre ID that corresponds to this attack.
QWORD SystemCr3
The Cr3 used to map the kernel.
#define INT_STATUS_SUCCESS
#define INT_STATUS_OUT_OF_RANGE
BOOLEAN IntPolicyCoreTakeAction(QWORD Flag, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason)
Returns the action that should be taken for a core introspection option.
LIST_ENTRY64 InLoadOrderLinks
#define PAGE_REMAINING(addr)
WIN_KERNEL_DRIVER Win
Valid only for Windows guests.
INTSTATUS IntSwapMemReadData(QWORD Cr3, QWORD VirtualAddress, DWORD Length, DWORD Options, void *Context, DWORD ContextTag, PFUNC_PagesReadCallback Callback, PFUNC_PreInjectCallback PreInject, void **SwapHandle)
Reads a region of guest virtual memory, and calls the indicated callback when all the data is availab...
INTSTATUS IntWinUnprotectReadNtEat(void)
Used to remove the EAT read hook from ntoskrnl.exe.
QWORD BaseVa
The guest virtual address of the kernel module that owns this driver object.
static KERNEL_DRIVER * IntWinGetDriverByGva(QWORD Rip)
Iterates all the loaded drivers to see if the Rip points inside any of them.
#define IMAGE_SCN_MEM_WRITE
#define INT_SUCCESS(Status)
DWORD TimeDateStamp
Time/date stamp.
Event structure for module loading and unloading.
QWORD Flags
A combination of ALERT_FLAG_* values describing the alert.
QWORD SectionOffset
Offset of the first section header.
Exposes the types, constants and functions used to describe protected Windows Kernel modules and driv...
The action was not allowed because there was no reason to allow it.
INTSTATUS IntWinDrvObjCreateFromAddress(QWORD GuestAddress, BOOLEAN StaticDetected, PWIN_DRIVER_OBJECT *DriverObject)
Creates a new driver object.
Measures reads done from the kernel EAT.
DWORD PathLength
The driver's path length (number of WCHARs).
EVENT_MODULE_EVENT Module
QWORD IntHookGetGlaFromGpaHook(HOOK_GPA const *Hook, QWORD Address)
Gets the GLA from a GPA hook.
PBYTE MzPeHeaders
The driver's MZ/PE headers (cached internally).
Models a LIST_ENTRY structure used by 32-bit Windows guests.
INTSTATUS IntWinDrvIsListHead(QWORD PsLoadedModuleListGva, void *PsLoadedModuleList, QWORD KernelLdr)
Used to identify WINDOWS_GUEST::PsLoadedModuleList.
#define INT_STATUS_NOT_NEEDED_HINT
LIST_ENTRY32 InLoadOrderLinks
#define HpAllocWithTag(Len, Tag)
DWORD Buffer
The guest virtual address at which the wide-character string is located.
INTSTATUS IntWinDrvCreateFromAddress(QWORD ModuleInfo, QWORD Flags)
Adds a driver to introspection's LoadedModuleList (gKernelDrivers). This way we avoid lots of mapping...
int INTSTATUS
The status data type.
QWORD Size
The size of the kernel module that owns this driver object.
BOOLEAN Protected
True if the driver is protected, False if it is not.
DWORD OSVersion
OS version.
BOOLEAN IntWinDrvHasDriverObject(const KERNEL_DRIVER *Driver)
Checks whether a kernel driver has a driver object that we care to protect.
void * HeadersSwapHandle
The swap handle used to read the driver's headers.
#define INT_STATUS_NOT_FOUND
UNICODE_STRING32 DriverPath
Describes a kernel-mode originator.
DWORD SectionAlignment
Sections alignment.
void IntAlertFillCpuContext(BOOLEAN CopyInstruction, INTRO_CPUCTX *CpuContext)
Fills the current CPU context for an alert.
INTSTATUS IntWinDrvRemoveFromAddress(QWORD ModuleInfo)
Removes a driver from the introspection's loaded modules list (gKernelDrivers).
DWORD TimeDateStamp
The driver's internal timestamp (from the _IMAGE_FILE_HEADER).
Describes a kernel driver.
#define INT_STATUS_BREAK_ITERATION
Can be used by iteration callbacks to break the iteration early.
void IntAlertFillVersionInfo(INTRO_VIOLATION_HEADER *Header)
Fills version information for an alert.
Models a LIST_ENTRY structure used by 64-bit Windows guests.
INTRO_VIOLATION_HEADER Header
The alert header.
DWORD NameHash
The hash of the name.
INTRO_ACTION_REASON Reason
The reason for which Action was taken.
INTSTATUS IntAlertFillCodeBlocks(QWORD Rip, QWORD Cr3, BOOLEAN Execute, INTRO_CODEBLOCKS *CodeBlocks)
Fills the code blocks pattern for an alert.
static INTSTATUS IntWinDrvHeadersInMemory(void *Context, QWORD Cr3, QWORD VirtualAddress, QWORD PhysicalAddress, void *Data, DWORD DataSize, DWORD Flags)
This callback is called as soon as all the driver headers have been read using IntSwapMemReadData.
The _LDR_DATA_TABLE_ENTRY structure used by 64-bit guests.
#define NTOSKRNL_RIP_PAGES_COUNT
void IntAlertEptFillFromKmOriginator(const EXCEPTION_KM_ORIGINATOR *Originator, EVENT_EPT_VIOLATION *EptViolation)
Fills kernel mode originator information inside an EPT alert.
GENERIC_ALERT gAlert
Global alert buffer.
INTSTATUS IntSwapMemRemoveTransaction(void *Transaction)
Remove a transaction.
INTSTATUS IntKernVirtMemFetchDword(QWORD GuestVirtualAddress, DWORD *Data)
Reads 4 bytes from the guest kernel memory.
#define INITIAL_CRC_VALUE
#define INT_STATUS_EXCEPTION_BLOCK
void IntAlertEptFillFromVictimZone(const EXCEPTION_VICTIM_ZONE *Victim, EVENT_EPT_VIOLATION *EptViolation)
Fills the victim information inside an EPT alert.
QWORD PsLoadedModuleList
Guest virtual address of the PsLoadedModuleList kernel variable.
#define INT_STATUS_NOT_INITIALIZED
INTSTATUS IntKernVirtMemFetchQword(QWORD GuestVirtualAddress, QWORD *Data)
Reads 8 bytes from the guest kernel memory.
SIZE_T NameLength
The length of the Name. This is the number of characters in the Name buffer.
INTRO_CPUCTX CpuContext
The context of the CPU that triggered the alert.
INTSTATUS IntWinDrvObjRemove(WIN_DRIVER_OBJECT *DriverObject)
Removes a driver object and updates its owner module.
INTSTATUS IntNotifyIntroEvent(INTRO_EVENT_TYPE EventClass, void *Param, size_t EventSize)
Notifies the integrator about an introspection alert.
static BOOLEAN RemoveEntryList(LIST_ENTRY *Entry)
Holds information about a driver object.
INTSTATUS IntWinDrvHandleDriverEntry(void *Context, void *Hook, QWORD Address, INTRO_ACTION *Action)
Used to notify the introspection engine when the DriverEntry of a module starts executing.
UINT16 Length
The length, in bytes, of the string in Buffer, not including the NULL terminator, if any...
BOOLEAN Guest64
True if this is a 64-bit guest, False if it is a 32-bit guest.
INTSTATUS IntWinDrvHandleWrite(void *Context, void *Hook, QWORD Address, INTRO_ACTION *Action)
Used to notify the introspection engine when a write took place on a protected driver.
INTSTATUS IntExceptGetVictimEpt(void *Context, QWORD Gpa, QWORD Gva, INTRO_OBJECT_TYPE Type, DWORD ZoneFlags, EXCEPTION_VICTIM_ZONE *Victim)
Fills an EXCEPTION_VICTIM_ZONE with relevant information from an EPT violation.
QWORD Current
The currently used options.
union _IMAGE_SECTION_HEADER::@209 Misc
int strlower_utf16(WCHAR *buf, size_t len)
#define IN_RANGE_LEN(x, start, len)
INTSTATUS(* PFUNC_IterateListCallback)(QWORD Node, QWORD Aux)
#define INT_STATUS_INVALID_PARAMETER_4
#define IS_KERNEL_POINTER_WIN(is64, p)
Checks if a guest virtual address resides inside the Windows kernel address space.
QWORD NumberOfSections
Number of sections.
#define HpFreeAndNullWithTag(Add, Tag)
#define INT_STATUS_INVALID_INTERNAL_STATE
#define INTRO_OPT_EVENT_MODULES
Enable user mode and kernel mode module load and unload events (generates introEventModuleEvent event...
void * Name
The name of the driver.
QWORD KernelVa
The guest virtual address of the kernel image.
The _LDR_DATA_TABLE_ENTRY structure used by 32-bit guests.
void IntExceptKernelLogInformation(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason)
Print the information about a kernel-mode violation and dumps the code-blocks.
void IntAlertFillWinProcessCurrent(INTRO_PROCESS *EventProcess)
Saves information about the current Windows process inside an alert.
static void InsertTailList(LIST_ENTRY *ListHead, LIST_ENTRY *Entry)
INTRO_EXEC_CONTEXT ExecContext
Information about the instruction that triggered the alert.
BOOLEAN Loaded
True if the module was loaded, False if it was unloaded.
INTSTATUS IntWinDrvUnprotect(KERNEL_DRIVER *Driver)
Used to disable protection for the given driver.
#define INT_STATUS_ALREADY_INITIALIZED_HINT
#define MAX_KNOWN_DRIVER_READS
void * HookObject
The hook object used to protect this driver. NULL if the driver is not protected. ...
Sent when an EPT violation triggers an alert. See EVENT_EPT_VIOLATION.
PWCHAR Path
The driver's path.
#define INTRO_OPT_PROT_KM_NT_EAT_READS
Enable kernel EAT read protection (Windows only).
DWORD Crc32Wstring(const WCHAR *String, DWORD InitialCrc)
Computes the CRC for a NULL-terminated wide char string.
Describes the modified zone.
#define UNREFERENCED_PARAMETER(P)
INTSTATUS IntHookObjectRemoveRegion(HOOK_REGION_DESCRIPTOR **Region, DWORD Flags)
Remove a hooked region of memory.
#define KESDT_SIZE
The size of the KeServiceDescriptorTable.
#define IMAGE_DIRECTORY_ENTRY_EXPORT
void * EatReadHook
The read hook placed on the driver's EAT.
QWORD ProtectionFlag
The introcore option that decided that this driver must be protected.
DWORD EntryPoint
Entry point (RVA).
INTRO_PROCESS CurrentProcess
The currently active process.
INTSTATUS IntPeValidateHeader(QWORD ImageBase, BYTE *ImageBaseBuffer, DWORD ImageBaseBufferSize, INTRO_PE_INFO *PeInfo, QWORD Cr3)
Validates a PE header.
enum _INTRO_ACTION INTRO_ACTION
Event actions.
#define _In_reads_bytes_(expr)
LIST_HEAD gKernelDrivers
List of all the drivers currently loaded inside the guest.
LIST_ENTRY Link
Entry inside the gKernelDrivers list.
#define INT_STATUS_INVALID_OBJECT_TYPE
INTRO_MODULE Module
The module for which this event was triggered.
INTSTATUS IntWinDrvHandleRead(void *Context, void *Hook, QWORD Address, INTRO_ACTION *Action)
Used to notify the introspection engine when a read took place on a protected driver (used only for n...
__must_check INTSTATUS IntVirtMemMap(QWORD Gva, DWORD Length, QWORD Cr3, DWORD Flags, void **HostPtr)
Maps a guest virtual memory range inside Introcore virtual address space.
UNICODE_STRING64 DriverPath
MM Mm
Guest memory information, such as paging mode, system Cr3 value, etc.
UNICODE_STRING32 DriverName
QWORD KeServiceDescriptorTable
Guest virtual address of the KeServiceDescriptorTable variable.
GUEST_STATE gGuest
The current guest state.
static INTSTATUS IntWinDrvFreeEntry(KERNEL_DRIVER *Driver, QWORD Reserved)
Frees the memory allocated for the KERNEL_DRIVER structure.
void IntAlertFillWinProcessByCr3(QWORD ProcessCr3, INTRO_PROCESS *EventProcess)
Saves information about a Windows process inside an alert. The process is searched by its kernel CR3...
#define IMAGE_DIRECTORY_ENTRY_IAT
#define IMAGE_SCN_MEM_DISCARDABLE
BOOLEAN IntWinDrvObjIsValidDriverObject(QWORD DriverObjectAddress)
Checks if a guest memory area contains a valid _DRIVER_OBJECT structure.
Encapsulates a protected Windows kernel module.
BOOLEAN IntWinAgentIsRipInsideCurrentAgent(QWORD Rip)
Return true if the given RIP points inside the currently active boot driver.
void * EpHookObject
The EP hook placed on the driver (we will be notified when the execution began) - useful to obtain th...
INTRO_ACTION Action
The action that was taken as the result of this alert.
INTSTATUS IntKernVirtMemRead(QWORD KernelGva, DWORD Length, void *Buffer, DWORD *RetLength)
Reads data from a guest kernel virtual memory range.
#define ZONE_READ
Used for read violation.
UNICODE_STRING64 DriverName
static void IntWinDrvSendEvent(KERNEL_DRIVER *Driver, BOOLEAN Loaded)
Send a driver loaded/unloaded event.
INTSTATUS IntHookObjectHookRegion(void *Object, QWORD Cr3, QWORD Gla, SIZE_T Length, BYTE Type, void *Callback, void *Context, DWORD Flags, HOOK_REGION_DESCRIPTOR **Region)
Hook a contiguous region of virtual memory inside the provided virtual address space.
WORD Length
The length, in bytes, of the string in Buffer, not including the NULL terminator, if any...
static INTSTATUS IntWinDrvForceDisableReadNtEat(KERNEL_DRIVER *CurrentOriginator)
This function is used to disable the INTRO_OPT_PROT_KM_NT_EAT_READS by removing the hook IntWinDrvHan...
The object was detected when it was created.
KERNEL_DRIVER * KernelDriver
Points to the driver object that describes the kernel image.
char * utf16_for_log(const WCHAR *WString)
Converts a UTF-16 to a UTF-8 string to be used inside logging macros.
#define INT_STATUS_INVALID_PARAMETER_1
#define INT_STATUS_NOT_SUPPORTED
INTRO_PROCESS CurrentProcess
The current process.
VCPU_STATE * gVcpu
The state of the current VCPU.
INTSTATUS IntWinDrvUpdateProtection(void)
Used to update the protection for all the loaded modules (gKernelDrivers).
The action was blocked because there was no exception for it.
UINT8 Name[IMAGE_SIZEOF_SHORT_NAME]
static INTSTATUS IntWinDrvSendAlert(KERNEL_DRIVER *Driver, EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason)
Sends a driver related EPT violation alert.
#define PATCHGUARD_RIP_COUNT
#define DRIVER_MAX_ITERATIONS
When iterating the guest PsLoadedModuleList, we won't go through more than this many entries...
void IntGuestUpdateCoreOptions(QWORD NewOptions)
Updates Introcore options.
INTSTATUS IntWinProtectReadNtEat(void)
Used to place a read hook on the ntoskrnl.exe EAT.
Event structure for EPT violations.
QWORD EntryPoint
The entry point of this driver.
#define INT_STATUS_NOT_READY
PWIN_DRIVER_OBJECT DriverObject
The driver object.
void IntAlertFillWinKmModule(const KERNEL_DRIVER *Driver, INTRO_MODULE *EventModule)
Saves kernel module information inside an alert.
DWORD PathHash
CRC32 hash value for the driver's path.
INTSTATUS IntWinDrvProtect(KERNEL_DRIVER *Driver, QWORD ProtectionFlag)
Used to enable protection for the given driver.
#define list_for_each(_head, _struct_type, _var)
Exploitation of Remote Services.
const PROTECTED_MODULE_INFO * IntWinDrvIsProtected(const KERNEL_DRIVER *Driver)
Get the protected module information for a kernel driver.
Exposes the types, constants and functions used to handle Windows Drivers related events...
INTSTATUS IntExceptKernelGetOriginator(EXCEPTION_KM_ORIGINATOR *Originator, DWORD Options)
This function is used to get the information about the kernel-mode originator.
INTSTATUS IntAlertFillExecContext(QWORD Cr3, INTRO_EXEC_CONTEXT *ExecContext)
Fills the current execution context.
#define ZONE_WRITE
Used for write violation.
QWORD Buffer
The guest virtual address at which the wide-character string is located.
#define INT_STATUS_INVALID_PARAMETER_2
INTRO_PROT_OPTIONS CoreOptions
The activation and protection options for this guest.
INTSTATUS IntHookObjectCreate(DWORD ObjectType, QWORD Cr3, void **Object)
Create a new hook object.
void IntExcept(EXCEPTION_VICTIM_ZONE *Victim, void *Originator, EXCEPTION_TYPE Type, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason, INTRO_EVENT_TYPE EventClass)
This function is the entry point for the exception mechanism.
BOOLEAN Protected
True if the module is protected.
void IntDriverCacheInv(const QWORD BaseAddress, const QWORD Length)
Invalidates all cache entries for a given guest memory range.
#define INT_STATUS_INSUFFICIENT_RESOURCES