52 PBYTE pObject, pModule;
83 goto cleanup_and_exit;
88 goto cleanup_and_exit;
93 goto cleanup_and_exit;
100 goto cleanup_and_exit;
105 goto cleanup_and_exit;
110 goto cleanup_and_exit;
116 goto cleanup_and_exit;
122 goto cleanup_and_exit;
128 ERROR(
"[ERROR] IntPeValidateHeader failed: 0x%08x\n", status);
129 goto cleanup_and_exit;
134 goto cleanup_and_exit;
139 goto cleanup_and_exit;
149 goto cleanup_and_exit;
154 goto cleanup_and_exit;
159 goto cleanup_and_exit;
166 goto cleanup_and_exit;
171 goto cleanup_and_exit;
176 goto cleanup_and_exit;
182 goto cleanup_and_exit;
188 goto cleanup_and_exit;
194 ERROR(
"[ERROR] IntPeValidateHeader failed: 0x%08x\n", status);
195 goto cleanup_and_exit;
200 goto cleanup_and_exit;
205 goto cleanup_and_exit;
255 QWORD driverNameAddress;
257 driverNameAddress = 0;
263 WARNING(
"[WARNING] Driver object at 0x%016llx is already present as \"%s\", will ignore\n",
265 if (NULL != DriverObject)
267 *DriverObject = pDrvObj;
280 pDrvObj->
Aligned = !StaticDetected;
285 ERROR(
"[ERROR] Failed translating GVA 0x%016llx: 0x%08x\n", GuestAddress, status);
293 DriverName.Length), &driverNameLen);
298 DriverName.Length), &driverNameLen);
302 goto cleanup_and_exit;
309 DriverName.Buffer), &driverNameAddress);
314 DriverName.Buffer), &driverNameAddress);
318 goto cleanup_and_exit;
321 driverNameLen = (driverNameLen & 0xFFFF);
324 if ((driverNameLen < 2) || (driverNameLen >= 256))
327 goto cleanup_and_exit;
332 if (NULL == pDrvObj->
Name)
335 goto cleanup_and_exit;
342 ERROR(
"[ERROR] Failed reading the driver name: 0x%08x\n", status);
343 goto cleanup_and_exit;
346 pDrvObj->
NameLen = driverNameLen / 2;
366 ERROR(
"[ERROR] Failed reading the driver start: 0x%08x\n", status);
367 goto cleanup_and_exit;
384 ERROR(
"[ERROR] IntKernVirtMemFetchQword failed: 0x%08x\n", status);
402 ERROR(
"[ERROR] IntWinHookDriverObject failed: 0x%08x\n", status);
414 if (NULL != DriverObject)
416 *DriverObject = pDrvObj;
436 while (list != &gWinDriverObjects)
465 while (list != &gWinDriverObjects)
469 if (pDrvObj->
Owner == Owner)
506 memzero(pEptViol,
sizeof(*pEptViol));
529 WARNING(
"[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
558 memzero(pIntViol,
sizeof(*pIntViol));
560 pIntViol->
BaseAddress = Victim->Integrity.StartVirtualAddress;
561 pIntViol->
VirtualAddress = Victim->Integrity.StartVirtualAddress + Victim->Integrity.Offset;
563 pIntViol->
Size = Victim->Integrity.TotalLength;
592 WARNING(
"[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
655 fastIoPtrWritten =
TRUE;
663 fastIoPtrWritten =
TRUE;
667 if (fastIoPtrWritten)
672 ERROR(
"[ERROR] IntDecGetWrittenValueFromInstruction failed: 0x%08x\n", status);
676 goto cleanup_and_exit;
682 ERROR(
"[ERROR] [DRVOBJ] Fast I/O dispatch table of driver object '%s' not in kernel: 0x%016llx\n",
687 goto cleanup_and_exit;
692 goto _block_fastio_reloc;
695 TRACE(
"[DRVOBJ] Fast I/O dispatch table of driver object '%s' has been written: 0x%016llx\n",
701 ERROR(
"[ERROR] IntWinDrvObjUnprotectFastIoDispatch failed: 0x%08x\n", status);
712 ERROR(
"[ERROR] IntWinDrvObjHookFastIODispatch failed: 0x%08x\n", status);
720 goto cleanup_and_exit;
729 WARNING(
"[WARNING] IntTranslateVirtualAddress failed: 0x%08x\n", status);
733 WARNING(
"[WARNING] The driver object Gpa 0x%016llx is different from actual Gpa 0x%016llx!\n",
744 memzero(&victim,
sizeof(victim));
745 memzero(&originator,
sizeof(originator));
750 exitAfterInformation =
FALSE;
754 gva < pDrvObj->FastIOTableAddress +
WIN_KM_FIELD(DrvObj, FiodispSize))
763 exitAfterInformation =
TRUE;
768 exitAfterInformation =
TRUE;
769 ERROR(
"[ERROR] Failed getting originator: 0x%08x\n", status);
781 ERROR(
"[ERROR] Failed getting zone details: 0x%08x\n", status);
782 exitAfterInformation =
TRUE;
785 if (exitAfterInformation)
823 #define NAMEHASH_FLTMGR 0x4283398b 833 ERROR(
"[ERROR] Invalid integrity region type: %d\n", IntegrityRegion->Type);
843 while (offset < IntegrityRegion->Length)
849 memzero(&victim,
sizeof(victim));
850 memzero(&originator,
sizeof(originator));
861 ERROR(
"[ERROR] Failed getting integrity zone: 0x%08x\n", status);
884 ERROR(
"[ERROR] Failed getting originator: 0x%08x\n", status);
937 ERROR(
"[ERROR] IntKernVirtMemWrite failed for gva 0x%016llx: 0x%08x\n",
939 goto _cleanup_and_exit;
954 #undef NAMEHASH_FLTMGR 973 if (!DriverObject->FiodispProtected)
978 TRACE(
"[DRVOBJ] Removing protection on Fast I/OP dispatch on driver object '%s' at %llx...\n",
979 utf16_for_log(DriverObject->Name), DriverObject->FastIOTableAddress);
981 if (DriverObject->FiodispIntegrityObject != NULL)
986 ERROR(
"[ERROR] Failed removing the integrity region from structure at address 0x%016llx: 0x%08x\n",
987 DriverObject->FastIOTableAddress, status);
989 DriverObject->FiodispIntegrityObject = NULL;
992 DriverObject->FiodispProtected =
FALSE;
1017 if (0 == DriverObject->FastIOTableAddress)
1022 TRACE(
"[DRVOBJ] Adding protection on Fast I/O dispatch for driver object '%s' at 0x%016llx (integrity)\n",
1023 utf16_for_log(DriverObject->Name), DriverObject->FastIOTableAddress);
1031 &DriverObject->FiodispIntegrityObject);
1034 ERROR(
"[ERROR] IntIntegrityAddRegion failed: 0x%08x\n", status);
1038 DriverObject->FiodispProtected =
TRUE;
1062 if (NULL == DriverObject)
1067 if (!DriverObject->DrvobjProtected)
1072 TRACE(
"[DRVOBJ] Removing protection on driver object '%s' at %llx...\n",
1073 utf16_for_log(DriverObject->Name), DriverObject->DriverObjectGva);
1078 ERROR(
"[ERROR] IntWinDrvObjFiodispUnHook failed: 0x%08x\n", status);
1081 if (DriverObject->DrvobjIntegrityObject != NULL)
1086 ERROR(
"[ERROR] Failed removing the integrity region from structure at address 0x%016llx: 0x%08x\n",
1087 DriverObject->DriverObjectGva, status);
1089 DriverObject->DrvobjIntegrityObject = NULL;
1092 if (DriverObject->DrvobjHookObject != NULL)
1097 ERROR(
"[ERROR] Failed removing the hook from structure at address 0x%016llx: 0x%08x\n",
1098 DriverObject->FastIOTableAddress, status);
1102 DriverObject->DrvobjProtected =
FALSE;
1126 if (DriverObject == NULL)
1134 ERROR(
"[ERROR] IntWinHookFastIODispatch failed: 0x%08x\n", status);
1138 if (!DriverObject->Aligned)
1140 TRACE(
"[DRVOBJ] Adding protection on driver object '%s' at %llx (integrity)...\n",
1141 utf16_for_log(DriverObject->Name), DriverObject->DriverObjectGva);
1149 &DriverObject->DrvobjIntegrityObject);
1152 ERROR(
"[ERROR] IntIntegrityAddRegion failed: 0x%08x\n", status);
1158 TRACE(
"[DRVOBJ] Adding protection on driver object '%s' at %llx (ept)...\n",
1159 utf16_for_log(DriverObject->Name), DriverObject->DriverObjectGva);
1164 ERROR(
"[ERROR] IntHookObjectCreate failed: 0x%08x\n", status);
1170 DriverObject->DriverObjectGva +
WIN_KM_FIELD(DrvObj, Fiodisp),
1179 ERROR(
"[ERROR] IntHookObjectHookRegion failed: 0x%08x\n", status);
1184 DriverObject->DrvobjProtected =
TRUE;
1213 ERROR(
"[ERROR] IntTranslateVirtualAddress failed for GVA 0x%016llx: 0x%08x\n", DriverObjectAddress, status);
1217 list = gWinDriverObjects.
Flink;
1218 while (list != &gWinDriverObjects)
1235 ERROR(
"[ERROR] IntWinDrvObjRemoveDriverObject failed: 0x%08x\n", status);
1249 ERROR(
"[ERROR] IntWinDrvObjUnprotectFastIoDispatch failed: 0x%08x\n", status);
1279 if (NULL != DriverObject->Name)
1306 if (NULL == DriverObject)
1312 if (NULL != pKmDriver)
1320 ERROR(
"[ERROR] IntWinDrvObjUnprotect failed: 0x%08x\n", status);
1341 TRACE(
"[DRVOBJ] Updating driver objects protections...\n");
1343 for (
LIST_ENTRY *list = gWinDriverObjects.
Flink; list != &gWinDriverObjects; list = list->
Flink)
1354 ERROR(
"[ERROR] IntWinDrvObjProtect failed for '%s': 0x%08x\n",
1363 ERROR(
"[ERROR] IntWinDrvObjUnprotect failed for '%s': 0x%08x\n",
1388 while (list != &gWinDriverObjects)
1399 ERROR(
"[ERROR] IntWinDrvObjRemoveDriverObject failed: 0x%08x\n", status);
Measures kernel mode exceptions checks.
LIST_ENTRY Link
Entry inside the gWinDriverObjects list.
QWORD DriverObjectGva
The guest virtual address of the guest _DRIVER_OBJECT represented by this structure.
QWORD PhysicalAddress
The physical address to which VirtualAddress translates.
struct _EXCEPTION_KM_ORIGINATOR::@63 Original
enum _INTRO_ACTION_REASON INTRO_ACTION_REASON
The reason for which an INTRO_ACTION was taken.
INTRO_CODEBLOCKS CodeBlocks
Code blocks extracted for the alert.
#define CONTAINING_RECORD(List, Type, Member)
PWIN_DRIVER_OBJECT IntWinDrvObjFindByOwnerAddress(QWORD Owner)
Finds a driver object in the gWinDriverObjects list by the base of the kernel module that owns it...
#define INTRO_OPT_PROT_KM_DRVOBJ
Enable driver object & fast I/O dispatch protection.
INTSTATUS IntVirtMemUnmap(void **HostPtr)
Unmaps a memory range previously mapped with IntVirtMemMap.
QWORD IntAlertCoreGetFlags(QWORD ProtectionFlag, INTRO_ACTION_REASON Reason)
Returns the flags for an alert.
const PROTECTED_MODULE_INFO * IntWinDrvObjIsProtected(const WIN_DRIVER_OBJECT *DriverObject)
Get the protected module information for a kernel driver object.
An internal error occurred (no memory, pages not present, etc.).
BOOLEAN IntPolicyCoreForceBetaIfNeeded(QWORD Flag, INTRO_ACTION *Action)
Checks if a forced action should be taken even if the log-only mode is active.
The _DRIVER_OBJECT structure used by 64-bit guests.
#define OFFSET_OF(Type, Member)
INTSTATUS IntKernVirtMemWrite(QWORD KernelGva, DWORD Length, void *Buffer)
Writes data to a guest kernel virtual memory range.
INTSTATUS IntHookObjectDestroy(HOOK_OBJECT_DESCRIPTOR **Object, DWORD Flags)
Destroy an entire hook object. All regions belonging to this object will be removed.
IG_ARCH_REGS Regs
The current state of the guest registers.
MITRE_ID MitreID
The Mitre ID that corresponds to this attack.
QWORD SystemCr3
The Cr3 used to map the kernel.
#define INT_STATUS_SUCCESS
BOOLEAN IntPolicyCoreTakeAction(QWORD Flag, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason)
Returns the action that should be taken for a core introspection option.
Fast IO Dispatch (Windows only)
WIN_KERNEL_DRIVER Win
Valid only for Windows guests.
static INTSTATUS IntWinDrvObjHandleWrite(WIN_DRIVER_OBJECT *Context, HOOK_GPA const *Hook, QWORD Address, INTRO_ACTION *Action)
Handles writes done over a protected driver object.
Event structure for integrity violations on monitored structures.
INTSTATUS IntIntegrityAddRegion(QWORD VirtualAddress, DWORD Length, INTRO_OBJECT_TYPE Type, void *Context, PFUNC_IntegrityViolationCallback Callback, BOOLEAN CopyContent, void **Descriptor)
Creates an INTEGRITY_REGION object and adds it to the gIntegrityRegions list.
struct _LIST_ENTRY * Flink
#define INT_SUCCESS(Status)
#define DRIVER_OBJECT_TYPE
The type of a _DRIVER_OBJECT structure.
QWORD Flags
A combination of ALERT_FLAG_* values describing the alert.
INTSTATUS IntResumeVcpus(void)
Resumes the VCPUs previously paused with IntPauseVcpus.
Exposes the types, constants and functions used to describe protected Windows Kernel modules and driv...
The action was not allowed because there was no reason to allow it.
#define INT_STATUS_NOT_NEEDED_HINT
INTSTATUS IntWinDrvObjProtect(WIN_DRIVER_OBJECT *DriverObject)
Protects a driver object and its fast IO dispatch table, if one exists.
#define ALERT_FLAG_ASYNC
If set, the alert was generated in an async manner.
#define HpAllocWithTag(Len, Tag)
INTSTATUS IntKernVirtMemFetchWordSize(QWORD GuestVirtualAddress, void *Data)
Reads a guest pointer from the guest kernel memory.
INTSTATUS IntWinDrvObjUnprotect(WIN_DRIVER_OBJECT *DriverObject)
Deactivates protection for a driver object and its fast IO dispatch structure.
int INTSTATUS
The status data type.
QWORD GvaPage
Guest virtual page base address, aligned to 4K.
#define INT_STATUS_NOT_FOUND
DWORD Offset
The offset of the modification.
#define TRFLG_NONE
No special options.
Describes a kernel-mode originator.
INTSTATUS IntWinDrvObjUninit(void)
Removes all the driver objects in the gWinDriverObjects list.
INTSTATUS IntPauseVcpus(void)
Pauses all the guest VCPUs.
void IntAlertFillCpuContext(BOOLEAN CopyInstruction, INTRO_CPUCTX *CpuContext)
Fills the current CPU context for an alert.
INSTRUX Instruction
The current instruction, pointed by the guest RIP.
Describes a kernel driver.
void IntAlertFillVersionInfo(INTRO_VIOLATION_HEADER *Header)
Fills version information for an alert.
BOOLEAN IntWinDrvObjIsValidDriverObject(QWORD DriverObjectAddress)
Checks if a guest memory area contains a valid _DRIVER_OBJECT structure.
INTRO_VIOLATION_HEADER Header
The alert header.
INTRO_ACTION_REASON Reason
The reason for which Action was taken.
The _DRIVER_OBJECT structure used by 32-bit guests.
INTSTATUS IntAlertFillCodeBlocks(QWORD Rip, QWORD Cr3, BOOLEAN Execute, INTRO_CODEBLOCKS *CodeBlocks)
Fills the code blocks pattern for an alert.
void IntAlertEptFillFromKmOriginator(const EXCEPTION_KM_ORIGINATOR *Originator, EVENT_EPT_VIOLATION *EptViolation)
Fills kernel mode originator information inside an EPT alert.
GENERIC_ALERT gAlert
Global alert buffer.
INTSTATUS IntIntegrityRecalculate(INTEGRITY_REGION *IntegrityRegion)
Recalculates the hash and reads the original content again for a given region.
static INTSTATUS IntWinDrvObjSendEptAlert(EXCEPTION_VICTIM_ZONE const *Victim, EXCEPTION_KM_ORIGINATOR const *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason)
Sends an introEventEptViolation alert for a protected driver object.
QWORD Flags
The entry that maps VirtualAddress to PhysicalAddress, together with all the control bits...
INTSTATUS IntKernVirtMemFetchDword(QWORD GuestVirtualAddress, DWORD *Data)
Reads 4 bytes from the guest kernel memory.
static LIST_HEAD gWinDriverObjects
List of all the loaded Windows driver objects.
void IntAlertFillWriteInfo(const EXCEPTION_VICTIM_ZONE *Victim, INTRO_WRITE_INFO *WriteInfo)
Fills the write information for an alert.
#define INITIAL_CRC_VALUE
#define INT_STATUS_EXCEPTION_BLOCK
DWORD Size
The size of the modified memory area.
Describes an operand value.
static void IntWinDrvObjFreeDriverObject(WIN_DRIVER_OBJECT *DriverObject)
Frees a driver object.
void IntAlertEptFillFromVictimZone(const EXCEPTION_VICTIM_ZONE *Victim, EVENT_EPT_VIOLATION *EptViolation)
Fills the victim information inside an EPT alert.
QWORD FastIOTableAddress
The guest virtual address of the _FAST_IO_DISPATCH structure used by this driver object. May be 0.
QWORD QwordValues[ND_MAX_REGISTER_SIZE/8]
INTRO_CPUCTX CpuContext
The context of the CPU that triggered the alert.
INTSTATUS IntNotifyIntroEvent(INTRO_EVENT_TYPE EventClass, void *Param, size_t EventSize)
Notifies the integrator about an introspection alert.
INTSTATUS IntWinDrvObjUpdateProtection(void)
Updates the protection for all the driver objects in the gWinDriverObjects list.
static BOOLEAN RemoveEntryList(LIST_ENTRY *Entry)
Holds information about a driver object.
BOOLEAN Guest64
True if this is a 64-bit guest, False if it is a 32-bit guest.
INTSTATUS IntExceptGetVictimEpt(void *Context, QWORD Gpa, QWORD Gva, INTRO_OBJECT_TYPE Type, DWORD ZoneFlags, EXCEPTION_VICTIM_ZONE *Victim)
Fills an EXCEPTION_VICTIM_ZONE with relevant information from an EPT violation.
DWORD NameHash
Hash of the Name.
QWORD Owner
Guest virtual address of the kernel module that owns this driver object.
void * ParentHook
The parent hook. For a GPA hook, for example, a GVA hook or a PagedHook will be the parent hook...
INTRO_MODULE Module
The module that modified the translation.
INTSTATUS IntWinDrvObjRemove(WIN_DRIVER_OBJECT *DriverObject)
Removes a driver object and updates its owner module.
struct _EVENT_INTEGRITY_VIOLATION::@295 Victim
INTSTATUS IntTranslateVirtualAddress(QWORD Gva, QWORD Cr3, QWORD *PhysicalAddress)
Translates a guest virtual address to a guest physical address.
HOOK_HEADER Header
The hook header.
int strlower_utf16(WCHAR *buf, size_t len)
QWORD VirtualAddress
The guest virtual address which was modified.
static INTSTATUS IntWinDrvObjHandleModification(INTEGRITY_REGION *IntegrityRegion)
Handles writes done over a protected driver object.
INTRO_VIOLATION_HEADER Header
The alert header.
union _OPERAND_VALUE::@22 Value
The actual operand value.
#define IS_KERNEL_POINTER_WIN(is64, p)
Checks if a guest virtual address resides inside the Windows kernel address space.
INTSTATUS IntExceptGetVictimIntegrity(INTEGRITY_REGION *IntegrityRegion, DWORD *Offset, EXCEPTION_VICTIM_ZONE *Victim)
This function is used to get the information about the modified zone from the integrity region...
#define HpFreeAndNullWithTag(Add, Tag)
void IntExceptKernelLogInformation(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason)
Print the information about a kernel-mode violation and dumps the code-blocks.
INTSTATUS IntWinDrvObjRemoveFromAddress(QWORD DriverObjectAddress)
Frees and removes protection for a driver object by its address.
QWORD DriverObjectGpa
The guest physical address of the guest _DRIVER_OBJECT represented by this structure.
BYTE WordSize
Guest word size. Will be 4 for 32-bit guests and 8 for 64-bit guests.
static void InsertTailList(LIST_ENTRY *ListHead, LIST_ENTRY *Entry)
INTSTATUS IntTranslateVirtualAddressEx(QWORD Gva, QWORD Cr3, DWORD Flags, VA_TRANSLATION *Translation)
Translates a guest virtual address to a guest physical address.
INTRO_EXEC_CONTEXT ExecContext
Information about the instruction that triggered the alert.
static INTSTATUS IntWinDrvObjProtectFastIoDispatch(WIN_DRIVER_OBJECT *DriverObject)
Activates the protection for the fast IO dispatch structure of a driver object. ...
Sent when an EPT violation triggers an alert. See EVENT_EPT_VIOLATION.
DWORD Crc32Wstring(const WCHAR *String, DWORD InitialCrc)
Computes the CRC for a NULL-terminated wide char string.
Describes the modified zone.
#define WIN_KM_FIELD(Structure, Field)
Macro used to access kernel mode fields inside the WIN_OPAQUE_FIELDS structure.
WCHAR Name[ALERT_PATH_MAX_LEN]
NULL-terminated string with a human readable description of the modified object.
void IntAlertFillDriverObject(const WIN_DRIVER_OBJECT *DriverObject, INTRO_DRVOBJ *EventDrvObj)
Saves driver object information inside an alert. Available only for Windows guests.
DWORD EntryPoint
Entry point (RVA).
BOOLEAN Valid
Set to True if the information in the structure is valid, False otherwise.
INTSTATUS IntPeValidateHeader(QWORD ImageBase, BYTE *ImageBaseBuffer, DWORD ImageBaseBufferSize, INTRO_PE_INFO *PeInfo, QWORD Cr3)
Validates a PE header.
static INTSTATUS IntWinDrvObjUnprotectFastIoDispatch(WIN_DRIVER_OBJECT *DriverObject)
Deactivates the protection for the fast IO dispatch structure of a driver object. ...
enum _INTRO_ACTION INTRO_ACTION
Event actions.
INTSTATUS IntIntegrityRemoveRegion(void *Descriptor)
Removes an integrity region from the gIntegrityRegions list.
PWCHAR Name
NULL-terminated wide-char string containing the name of the driver, as taken from the guest driver ob...
INTRO_WRITE_INFO WriteInfo
The original and the new value.
#define IntDbgEnterDebugger()
__must_check INTSTATUS IntVirtMemMap(QWORD Gva, DWORD Length, QWORD Cr3, DWORD Flags, void **HostPtr)
Maps a guest virtual memory range inside Introcore virtual address space.
QWORD Cr3
The value of the guest CR3 register when the event was generated.
MM Mm
Guest memory information, such as paging mode, system Cr3 value, etc.
GUEST_STATE gGuest
The current guest state.
void IntAlertFillWinProcessByCr3(QWORD ProcessCr3, INTRO_PROCESS *EventProcess)
Saves information about a Windows process inside an alert. The process is searched by its kernel CR3...
BOOLEAN Aligned
True if the driver object allocation is page aligned.
Encapsulates a protected Windows kernel module.
PWIN_DRIVER_OBJECT IntWinDrvObjFindByDrvObj(QWORD Gva)
Finds a driver object in the gWinDriverObjects list by its guest virtual address. ...
EVENT_INTEGRITY_VIOLATION Integrity
INTRO_ACTION Action
The action that was taken as the result of this alert.
INTSTATUS IntKernVirtMemRead(QWORD KernelGva, DWORD Length, void *Buffer, DWORD *RetLength)
Reads data from a guest kernel virtual memory range.
KERNEL_DRIVER * IntDriverFindByAddress(QWORD Gva)
Returns the driver in which Gva resides.
QWORD BaseAddress
The guest virtual address at which the monitored integrity region starts.
struct _EVENT_INTEGRITY_VIOLATION::@294 Originator
#define LIST_HEAD_INIT(Name)
INTSTATUS IntHookObjectHookRegion(void *Object, QWORD Cr3, QWORD Gla, SIZE_T Length, BYTE Type, void *Callback, void *Context, DWORD Flags, HOOK_REGION_DESCRIPTOR **Region)
Hook a contiguous region of virtual memory inside the provided virtual address space.
#define VICTIM_DRIVER_OBJECT
Printable name used for introObjectTypeDriverObject objects.
__must_check INTSTATUS IntPhysMemMap(QWORD PhysAddress, DWORD Length, DWORD Flags, void **HostPtr)
Maps a guest physical address inside Introcore VA space.
INTSTATUS IntExceptGetOriginatorFromModification(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator)
This function is used for integrity violations to get the information about the kernel-mode originato...
Encapsulates information about a virtual to physical memory translation.
char * utf16_for_log(const WCHAR *WString)
Converts a UTF-16 string to a UTF-8 string for use inside logging macros.
#define INT_STATUS_INVALID_PARAMETER_1
#define INT_STATUS_NOT_SUPPORTED
INTRO_PROCESS CurrentProcess
The current process.
VCPU_STATE * gVcpu
The state of the current VCPU.
INTSTATUS IntDecGetWrittenValueFromInstruction(PINSTRUX Instrux, PIG_ARCH_REGS Registers, PBYTE MemoryValue, OPERAND_VALUE *WrittenValue)
Decode a written value from a memory write instruction.
The action was blocked because there was no exception for it.
Sent for integrity violation alerts. See EVENT_INTEGRITY_VIOLATION.
EXCEPTION_VICTIM_INTEGRITY Integrity
Valid if the modified zone is Integrity.
DWORD SizeOfImage
Size of the image.
Event structure for EPT violations.
BOOLEAN DrvobjProtected
True if the driver object structure is protected.
PWIN_DRIVER_OBJECT DriverObject
The driver object.
void IntAlertFillWinKmModule(const KERNEL_DRIVER *Driver, INTRO_MODULE *EventModule)
Saves kernel module information inside an alert.
static INTSTATUS IntWinDrvObjSendIntegrityAlert(EXCEPTION_VICTIM_ZONE const *Victim, EXCEPTION_KM_ORIGINATOR const *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason)
Sends an introEventIntegrityViolation alert for a protected driver object.
INTSTATUS IntPhysMemUnmap(void **HostPtr)
Unmaps an address previously mapped with IntPhysMemMap.
INTSTATUS IntExceptKernelGetOriginator(EXCEPTION_KM_ORIGINATOR *Originator, DWORD Options)
This function is used to get the information about the kernel-mode originator.
INTSTATUS IntAlertFillExecContext(QWORD Cr3, INTRO_EXEC_CONTEXT *ExecContext)
Fills the current execution context.
#define ZONE_WRITE
Used for write violation.
INTSTATUS IntHookObjectCreate(DWORD ObjectType, QWORD Cr3, void **Object)
Create a new hook object.
void IntExcept(EXCEPTION_VICTIM_ZONE *Victim, void *Originator, EXCEPTION_TYPE Type, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason, INTRO_EVENT_TYPE EventClass)
This function is the entry point for the exception mechanism.
INTSTATUS IntWinDrvObjCreateFromAddress(QWORD GuestAddress, BOOLEAN StaticDetected, PWIN_DRIVER_OBJECT *DriverObject)
Creates a new driver object.
#define INT_STATUS_EXCEPTION_ALLOW
INTRO_DRVOBJ DriverObject
The modified driver object. Valid only if Type is introObjectTypeDriverObject.
DWORD NameHash
The namehash of the originator return driver.
#define INT_STATUS_INSUFFICIENT_RESOURCES
DWORD NameLen
The length, in characters, of Name, not including the NULL-terminator.