12 #define HAL_HEAP_PROT_PAGES_EXEC 0x20 41 memzero(pEptViol,
sizeof(*pEptViol));
64 WARNING(
"[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
103 memzero(&victim,
sizeof(victim));
104 memzero(&originator,
sizeof(originator));
109 exitAfterInformation =
FALSE;
115 exitAfterInformation =
TRUE;
119 ERROR(
"[ERROR] Failed getting originator: 0x%08x\n", status);
121 exitAfterInformation =
TRUE;
133 ERROR(
"[ERROR] Failed getting zone details: 0x%08x\n", status);
134 exitAfterInformation =
TRUE;
137 if (exitAfterInformation)
189 DWORD instructionStart;
191 BYTE buffer[1] = { 0xC3 };
203 LOG(
"[HAL] Code from hal heap (GVA 0x%016llx --- GPA 0x%016llx) has been executed from 0x%016llx.\n",
210 ERROR(
"[ERROR] IntGetCurrentMode failed: 0x%08x\n", status);
218 TRACE(
"[HAL] Real mode execution detected.\n");
226 if (NULL == memoryArea)
232 if ((!
INT_SUCCESS(status)) && (0 == memAreaLength))
234 WARNING(
"[WARNING] IntKernVirtMemRead failed: %08x\n", status);
243 while (instructionStart < memAreaLength)
248 memAreaLength - instructionStart, csType, &instrux);
255 if (ND_INS_VMCALL == instrux.Instruction)
261 instructionStart += instrux.Length;
269 LOG(
"[HAL] Page %llx (physical %llx) seems to be the hypercall page. Will stop monitoring it...\n",
277 memzero(&victim,
sizeof(victim));
278 memzero(&originator,
sizeof(originator));
286 exitAfterInformation =
TRUE;
290 ERROR(
"[ERROR] IntExceptKernelGetOriginator failed: %08x\n", status);
292 exitAfterInformation =
TRUE;
298 ERROR(
"[ERROR] IntExceptGetVictimEpt failed: %08x\n", status);
300 exitAfterInformation =
TRUE;
303 if (exitAfterInformation)
317 memzero(pEptViol,
sizeof(*pEptViol));
346 WARNING(
"[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
358 LOG(
"[HAL] Injecting ret instruction @ GVA 0x%016llx\n", gva);
364 ERROR(
"[ERROR] Could not inject ret! Status: %08x\n", status);
396 BYTE const *pOriginal = NULL;
403 pOriginal = IntegrityRegion->OriginalContent;
408 (((IntegrityRegion->Gva + IntegrityRegion->Length - 1) &
PAGE_MASK) == (IntegrityRegion->Gva &
PAGE_MASK));
413 ERROR(
"[ERROR] Failed to map GVA 0x%016llx: 0x%x\n", IntegrityRegion->Gva, status);
414 goto _cleanup_and_exit;
421 QWORD originalValue = 0;
426 originalValue = *(
QWORD *)((
size_t)pOriginal + (size_t)offset);
427 newValue = *(
QWORD *)((
size_t)pPage + (size_t)offset);
431 originalValue = *(
DWORD *)((
size_t)pOriginal + (size_t)offset);
432 newValue = *(
DWORD *)((
size_t)pPage + (size_t)offset);
435 if (newValue != originalValue)
437 DWORD currentOffset = offset;
439 memzero(&victim,
sizeof(victim));
441 memzero(&originator,
sizeof(originator));
446 ERROR(
"[ERROR] IntExceptGetVictimIntegrity failed: 0x%08x\n", status);
452 TRACE(
"[INFO] IntExceptGetOriginatorFromModification failed: 0x%08x\n", status);
463 LOG(
"[INTEGRITY VIOLATION] HalDispatchTable modification at 0x%016llx : 0x%x " 464 "(index %d). New Value = 0x%016llx, Old Value = 0x%016llx\n",
465 IntegrityRegion->Gva, offset, offset /
gGuest.
WordSize, newValue, originalValue);
469 LOG(
"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ (B) ROOTKIT ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n\n");
473 LOG(
"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ROOTKIT ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n\n");
508 ERROR(
"[ERROR] IntIntegrityRecalculate failed: 0x%x\n", status);
517 memzero(pIntViolation,
sizeof(*pIntViolation));
579 QWORD hookAddrStart, hookAddrEnd;
595 hookAddrEnd = hookAddrStart + gHalData.
HalHeapSize;
600 ERROR(
"[ERROR] IntHookObjectCreate failed: 0x%08x\n", status);
604 for (
QWORD gva = hookAddrStart; gva < hookAddrEnd; gva +=
PAGE_SIZE)
612 WARNING(
"[WARNING] Cannot protect hal heap page 0x%016llx\n", gva);
619 WARNING(
"[WARNING] Cannot protect hal heap page 0x%016llx (GPA 0x%016llx)\n", gva, gpa);
625 WARNING(
"[WARNING] Will not protect hal heap page 0x%016llx because it translates to physical page 0\n",
642 ERROR(
"[ERROR] IntHookObjectHookRegion failed: %08x Region (0x%016llx, 0x%016llx)\n",
647 TRACE(
"[HAL] Hooking region (0x%016llx, 0x%016llx) against executions\n", gva, gva +
PAGE_SIZE);
672 TRACE(
"[HAL] Removing Hal Heap hook...\n");
709 ERROR(
"[ERROR] IntHookObjectCreate failed: 0x%08x\n", status);
724 ERROR(
"[ERROR] IntHookObjectHookRegion failed: 0x%08x\n", status);
749 TRACE(
"[HAL] Removing Hal Interrupt Controller hook...\n");
792 ERROR(
"[ERROR] IntIntegrityAddRegion failed: 0x%x\n", status);
817 TRACE(
"[HAL] Removing Hal Dispatch Table hook...\n");
822 ERROR(
"[ERROR] IntIntegrityRemoveRegion failed with status: 0x%08X\n", status);
852 #define MAX_INT_CTRL_TYPE_OFFSET (gGuest.Guest64 ? 0xf0 : 0x6c) 853 #define MIN_INT_CTRL_TYPE_OFFSET (gGuest.Guest64 ? 0xc0 : 0x60) 854 #define MAX_INT_CTRL_COUNT 20 857 QWORD functionPointer;
858 QWORD functionOffset;
860 QWORD initialInterruptController = 0;
861 QWORD halFunction = 0;
862 QWORD entriesOutsideTheHalHeap = 0;
870 initialInterruptController = CheckedAddress;
871 while (maxInterruptControllerCount)
884 if (initialInterruptController < HalHeap)
888 entriesOutsideTheHalHeap++;
891 if (CheckedAddress == initialInterruptController && entriesOutsideTheHalHeap <= 1)
897 maxInterruptControllerCount--;
918 if (0 == halFunction)
920 foundFunctions =
TRUE;
925 if (foundFunctions && (2 == (
DWORD)halFunction))
930 if (((halFunction < gHalData.OwnerHalModule->BaseVa) ||
937 foundFunctions =
TRUE;
940 if (!foundFunctions || 2 != (
DWORD)halFunction)
945 functionOffset = functionPointer - CheckedAddress;
955 #undef MAX_INT_CTRL_COUNT 956 #undef MAX_INT_CTRL_TYPE_OFFSET 957 #undef MIN_INT_CTRL_TYPE_OFFSET 984 QWORD halIntCtrlGva = 0;
985 void *dataSectionMem = NULL;
991 ERROR(
"[ERROR] IntPeGetSectionHeadersByName failed: 0x%08x, number of sections: %d\n", status, nrSec);
1009 ERROR(
"[ERROR] IntVirtMemMap failed: 0x%08x\n", status);
1020 if (halIntCtrlGva < HalHeap || halIntCtrlGva >= HalHeap + HalHeapSize)
1027 *HalInterruptController = halIntCtrlGva;
1071 DWORD pteTableIndex = 0;
1072 QWORD ptePhysicalAddress = 0;
1073 QWORD ptPhysicalAddress = 0;
1074 QWORD halHeapStart = 0;
1075 QWORD deviceAddressCount = 0;
1078 QWORD fallbackHalHeapVA = 0;
1079 QWORD halInterruptController = 0;
1081 void *dataSectionMem = NULL;
1083 #define HAL_HEAP_ORIGINAL 0xFFFFFFFFF0000000 1084 #define MASK_DEVICE_ADDRESS_FEC 0x00000000fec00000 1085 #define MASK_DEVICE_ADDRESS_FED 0x00000000fed00000 1086 #define MASK_DEVICE_ADDRESS_FEE 0x00000000fee00000 1087 #define HAL_HEAP_PHYSICAL_ADDRESS 0x1000 1093 ERROR(
"[ERROR] IntPeGetSectionHeadersByName failed: 0x%08x, number of sections: %d\n", status, nrSec);
1108 ERROR(
"[ERROR] IntVirtMemMap failed: 0x%08x\n", status);
1137 ptePhysicalAddress = halHeapStartTranslation.
MappingsTrace[pteTableIndex];
1162 deviceAddressCount = 0;
1163 for (
DWORD i = 0; i < 512; i++)
1172 deviceAddressCount++;
1177 deviceAddressCount++;
1182 deviceAddressCount++;
1194 if (deviceAddressCount >= 2)
1198 &halInterruptController);
1204 TRACE(
"[HAL] Found HalInterruptController at 0x%016llx\n", halInterruptController);
1207 *HalInterruptController = halInterruptController;
1213 if (fallbackHalHeapVA)
1215 WARNING(
"[WARNING] We could not find the Hal Heap using the mapped devices - fallback using PA:0x1000 " 1216 "VA:%llx\n", fallbackHalHeapVA);
1219 &halInterruptController);
1222 TRACE(
"[HAL] Found HalInterruptController at 0x%016llx\n", halInterruptController);
1224 *HalHeapBaseAddress = fallbackHalHeapVA;
1225 *HalInterruptController = halInterruptController;
1231 ERROR(
"[ERROR] We could not find the Hal Heap using the fallback VA\n");
1236 ERROR(
"[ERROR] We could not find the Hal Heap using the mapped devices and there is no fallback address\n");
1247 #undef HAL_HEAP_ORIGINAL 1248 #undef MASK_DEVICE_ADDRESS_FEC 1249 #undef MASK_DEVICE_ADDRESS_FED 1250 #undef MASK_DEVICE_ADDRESS_FEE 1251 #undef HAL_HEAP_PHYSICAL_ADDRESS 1276 ERROR(
"[ERROR] IntPeFindKernelExport failed for 'HalDispatchTable': 0x%x\n", status);
1293 ERROR(
"[ERROR] Could not find the module containing the Hal\n");
1299 TRACE(
"[HAL] Found HalDispatchTable at %llx, size %d\n",
1307 QWORD halInterruptController = 0;
1311 LOG(
"[HAL] Unable to find the HAL heap\n");
1312 goto _skip_hal_heap;
1329 TRACE(
"[HAL] Hal Intterrupt Controller does not exist on Windows version %d!\n",
gGuest.
OSVersion);
1330 goto _skip_hal_heap;
1335 QWORD halInterruptController = 0;
1337 &halInterruptController);
1340 ERROR(
"[ERROR] Could not find Hal Interrupt Controller!\n");
1341 goto _skip_hal_heap;
1355 ERROR(
"[ERROR] IntWinHalHookHalDispatchTable failed: 0x%08x\n", status);
1365 ERROR(
"[ERROR] IntWinHalHookHalHeapExecs failed: 0x%08x\n", status);
1375 ERROR(
"[ERROR] IntWinHalHookHalIntCtrl failed: 0x%08x\n", status);
1404 ERROR(
"[ERROR] IntWinHalHookHalDispatchTable failed: 0x%08x\n", status);
1418 ERROR(
"[ERROR] IntWinHalHookHalHeapExecs failed: 0x%08x\n", status);
1432 ERROR(
"[ERROR] IntWinHalHookHalIntCtrl failed: 0x%08x\n", status);
Measures kernel mode exceptions checks.
#define WIN_HAL_HEAP_BASE_32
The base address of the HAL heap on 32-bit kernels.
INTSTATUS IntWinHalUnprotectHalHeapExecs(void)
Deactivates the HAL heap execution protection.
QWORD PhysicalAddress
The physical address to which VirtualAddress translates.
struct _EXCEPTION_KM_ORIGINATOR::@63 Original
enum _INTRO_ACTION_REASON INTRO_ACTION_REASON
The reason for which an INTRO_ACTION was taken.
INTRO_CODEBLOCKS CodeBlocks
Code blocks extracted for the alert.
static int64_t _InterlockedExchange64(int64_t volatile *Target, int64_t Value)
#define VICTIM_HAL_DISPATCH_TABLE
Printable name used for introObjectTypeHalDispatchTable objects.
#define HAL_HEAP_PROT_PAGES_EXEC
The number of HAL heap pages to protect against executions.
INTSTATUS IntVirtMemUnmap(void **HostPtr)
Unmaps a memory range previously mapped with IntVirtMemMap.
QWORD IntAlertCoreGetFlags(QWORD ProtectionFlag, INTRO_ACTION_REASON Reason)
Returns the flags for an alert.
DWORD Size
The size of the access.
An internal error occurred (no memory, pages not present, etc.).
BOOLEAN IntPolicyCoreForceBetaIfNeeded(QWORD Flag, INTRO_ACTION *Action)
Checks if a forced action should be taken even if the log-only mode is active.
INTSTATUS IntHookRemoveChain(PHOOK_GPA HookGpa)
Removes a hook chain, starting with the given GPA hook.
INTSTATUS IntKernVirtMemWrite(QWORD KernelGva, DWORD Length, void *Buffer)
Writes data to a guest kernel virtual memory range.
INTSTATUS IntHookObjectDestroy(HOOK_OBJECT_DESCRIPTOR **Object, DWORD Flags)
Destroys an entire hook object. All regions belonging to this object will be removed.
BYTE Violation
The type of the access. It must be one of the IG_EPT_HOOK_TYPE values.
static INTSTATUS IntWinHalFindHalHeapAndInterruptController(QWORD *HalHeapBaseAddress, QWORD *HalInterruptController)
Attempts to find the Hal Heap and the Hal Interrupt Controller address within the ...
IG_ARCH_REGS Regs
The current state of the guest registers.
DWORD Index
The VCPU number.
MITRE_ID MitreID
The Mitre ID that corresponds to this attack.
INTSTATUS IntPeFindKernelExport(const char *Name, QWORD *ExportGva)
Finds an export inside the NT kernel image.
INTSTATUS IntWinHalUpdateProtection(void)
Updates any of the HAL protections.
QWORD SystemCr3
The Cr3 used to map the kernel.
#define INT_STATUS_SUCCESS
BOOLEAN IntPolicyCoreTakeAction(QWORD Flag, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason)
Returns the action that should be taken for a core introspection option.
WIN_KERNEL_DRIVER Win
Valid only for Windows guests.
QWORD NewValue[8]
The written value. Only the first Size bytes are valid.
DWORD KernelSize
The size of the kernel.
Event structure for integrity violations on monitored structures.
INTSTATUS IntIntegrityAddRegion(QWORD VirtualAddress, DWORD Length, INTRO_OBJECT_TYPE Type, void *Context, PFUNC_IntegrityViolationCallback Callback, BOOLEAN CopyContent, void **Descriptor)
Creates an INTEGRITY_REGION object and adds it to the gIntegrityRegions list.
static void IntWinHalSendAlert(EXCEPTION_VICTIM_ZONE const *Victim, EXCEPTION_KM_ORIGINATOR const *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason)
Sends an introEventEptViolation for HAL alerts.
QWORD BaseVa
The guest virtual address of the kernel module that owns this driver object.
QWORD HookStartPhysical
The start of the monitored guest physical memory area for which this alert was generated.
#define INT_SUCCESS(Status)
struct _EVENT_EPT_VIOLATION::@277 Victim
QWORD Flags
A combination of ALERT_FLAG_* values describing the alert.
The action was not allowed because there was no reason to allow it.
QWORD IntHookGetGlaFromGpaHook(HOOK_GPA const *Hook, QWORD Address)
Gets the GLA from a GPA hook.
#define MASK_DEVICE_ADDRESS_FEE
PBYTE MzPeHeaders
The driver's MZ/PE headers (cached internally).
#define INT_STATUS_NOT_NEEDED_HINT
#define ALERT_FLAG_ASYNC
If set, the alert was generated in an async manner.
KERNEL_DRIVER * Driver
The driver that's modifying the memory.
INTSTATUS IntPeGetSectionHeadersByName(QWORD ImageBase, BYTE *ImageBaseBuffer, PCHAR Name, DWORD NumberOfSectionHeadersAllocated, QWORD Cr3, IMAGE_SECTION_HEADER *SectionHeaders, DWORD *NumberOfSectionHeadersFilled)
Returns all the section headers matching the indicated Name.
#define HpAllocWithTag(Len, Tag)
#define INTRO_OPT_PROT_KM_HAL_HEAP_EXEC
Enable execution prevention on the Hal Heap when it is not ASLR'd (Windows only). ...
int INTSTATUS
The status data type.
QWORD Size
The size of the kernel module that owns this driver object.
DWORD OSVersion
Os version.
#define INT_STATUS_NOT_FOUND
Describes a kernel-mode originator.
#define WIN_HAL_HEAP_BASE_64
The base address of the HAL heap on 64-bit kernels.
void IntAlertFillCpuContext(BOOLEAN CopyInstruction, INTRO_CPUCTX *CpuContext)
Fills the current CPU context for an alert.
QWORD HookStartVirtual
The start of the monitored guest virtual memory area for which this alert was generated.
#define WIN_BUILD_10_20H1
INTSTATUS IntWinHalCreateHalData(void)
Initializes gHalData.
#define HAL_DISPATCH_TABLE_PTR_COUNT
The number of entries inside the hal dispatch table.
Describes a kernel driver.
KERNEL_DRIVER * IntDriverFindByName(const void *Name)
Searches for a driver by its name.
void IntAlertFillVersionInfo(INTRO_VIOLATION_HEADER *Header)
Fills version information for an alert.
INTRO_VIOLATION_HEADER Header
The alert header.
BOOLEAN IntPolicyCoreIsOptionBeta(QWORD Flag)
Checks if one of the kernel protection options is in log-only mode.
QWORD ZoneTypes
The types of the accessed memory area.
INTRO_ACTION_REASON Reason
The reason for which Action was taken.
void * HalIntCtrlWriteHook
The HAL interrupt controller write hook object.
INTSTATUS IntAlertFillCodeBlocks(QWORD Rip, QWORD Cr3, BOOLEAN Execute, INTRO_CODEBLOCKS *CodeBlocks)
Fills the code blocks pattern for an alert.
DWORD MappingsCount
The number of entries inside the MappingsTrace and MappingsEntries arrays.
INTSTATUS IntGetCurrentMode(DWORD CpuNumber, DWORD *Mode)
Reads the current CS type.
void IntAlertEptFillFromKmOriginator(const EXCEPTION_KM_ORIGINATOR *Originator, EVENT_EPT_VIOLATION *EptViolation)
Fills kernel mode originator information inside an EPT alert.
INTSTATUS IntWinHalProtectHalDispatchTable(void)
Activates the HAL dispatch table protection.
GENERIC_ALERT gAlert
Global alert buffer.
static INTSTATUS IntWinHalFindInterruptController(QWORD HalHeap, QWORD HalHeapSize, QWORD *HalInterruptController)
Attempts to find the Hal Interrupt Controller address within the .data section of Hal...
INTSTATUS IntIntegrityRecalculate(INTEGRITY_REGION *IntegrityRegion)
Recalculates the hash and reads the original content again for a given region.
static WIN_HAL_DATA gHalData
The HAL information.
DWORD HalHeapSize
The size of the HAL heap.
#define INT_STATUS_EXCEPTION_BLOCK
Hal interrupt controller.
DWORD Size
The size of the modified memory area.
void IntAlertEptFillFromVictimZone(const EXCEPTION_VICTIM_ZONE *Victim, EVENT_EPT_VIOLATION *EptViolation)
Fills the victim information inside an EPT alert.
static INTSTATUS IntWinHalHandleDispatchTableWrite(PINTEGRITY_REGION IntegrityRegion)
Handles modifications done to the HAL dispatch table.
INTRO_CPUCTX CpuContext
The context of the CPU that triggered the alert.
#define INT_STATUS_UNSUCCESSFUL
INTSTATUS IntNotifyIntroEvent(INTRO_EVENT_TYPE EventClass, void *Param, size_t EventSize)
Notifies the integrator about an introspection alert.
#define ZONE_EXECUTE
Used for execute violation.
#define INTRO_OPT_PROT_KM_HAL_INT_CTRL
Enable Hal Interrupt Controller write protection.
void * HalDispatchIntegrityHook
The HAL dispatch table integrity hook object.
BOOLEAN Guest64
True if this is a 64-bit guest, False if it is a 32-bit guest.
INTSTATUS IntExceptGetVictimEpt(void *Context, QWORD Gpa, QWORD Gva, INTRO_OBJECT_TYPE Type, DWORD ZoneFlags, EXCEPTION_VICTIM_ZONE *Victim)
Fills an EXCEPTION_VICTIM_ZONE with relevant information from an EPT violation.
QWORD Current
The currently used options.
static INTSTATUS IntWinHalHandleHalIntCtrlWrite(KERNEL_DRIVER *Context, HOOK_GPA const *Hook, QWORD Address, INTRO_ACTION *Action)
Handles writes done over the HAL interrupt controller.
union _IMAGE_SECTION_HEADER::@209 Misc
INTRO_MODULE Module
The module that modified the translation.
struct _EVENT_INTEGRITY_VIOLATION::@295 Victim
INTSTATUS IntTranslateVirtualAddress(QWORD Gva, QWORD Cr3, QWORD *PhysicalAddress)
Translates a guest virtual address to a guest physical address.
static int32_t _InterlockedExchange(int32_t volatile *Target, int32_t Value)
QWORD VirtualAddress
The guest virtual address which was modified.
INTSTATUS IntDecDecodeInstructionFromBuffer(PBYTE Buffer, size_t BufferSize, IG_CS_TYPE CsType, void *Instrux)
Decodes an instruction from the provided buffer.
INTRO_VIOLATION_HEADER Header
The alert header.
#define IS_KERNEL_POINTER_WIN(is64, p)
Checks if a guest virtual address resides inside the Windows kernel address space.
INTSTATUS IntExceptGetVictimIntegrity(INTEGRITY_REGION *IntegrityRegion, DWORD *Offset, EXCEPTION_VICTIM_ZONE *Victim)
This function is used to get the information about the modified zone from the integrity region...
#define HpFreeAndNullWithTag(Add, Tag)
static BOOLEAN IntWinHalIsIntController(QWORD CheckedAddress, QWORD HalHeap)
Checks if a guest memory range is the HAL interrupt controller.
#define MASK_DEVICE_ADDRESS_FED
INTSTATUS IntWinHalProtectHalHeapExecs(void)
Hooks the HAL heap against execution.
QWORD KernelVa
The guest virtual address of the kernel image.
void IntExceptKernelLogInformation(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason)
Prints the information about a kernel-mode violation and dumps the code blocks.
void IntAlertFillWinProcessCurrent(INTRO_PROCESS *EventProcess)
Saves information about the current Windows process inside an alert.
BYTE WordSize
Guest word size. Will be 4 for 32-bit guests and 8 for 64-bit guests.
INTSTATUS IntTranslateVirtualAddressEx(QWORD Gva, QWORD Cr3, DWORD Flags, VA_TRANSLATION *Translation)
Translates a guest virtual address to a guest physical address.
INTRO_EXEC_CONTEXT ExecContext
Information about the instruction that triggered the alert.
#define INT_STATUS_ALREADY_INITIALIZED_HINT
#define MASK_DEVICE_ADDRESS_FEC
Sent when an EPT violation triggers an alert. See EVENT_EPT_VIOLATION.
QWORD HalHeapAddress
The guest virtual address of the HAL heap.
Describes the modified zone.
#define UNREFERENCED_PARAMETER(P)
INTSTATUS IntWinHalUnprotectHalIntCtrl(void)
Deactivates the HAL interrupt controller write protection.
#define WIN_KM_FIELD(Structure, Field)
Macro used to access kernel mode fields inside the WIN_OPAQUE_FIELDS structure.
WCHAR Name[ALERT_PATH_MAX_LEN]
NULL-terminated string with a human readable description of the modified object.
DWORD HalDispatchTableSize
The size of the HAL dispatch table.
KERNEL_DRIVER * OwnerHalModule
The hal.dll kernel module or ntoskrnl.exe.
BOOLEAN Valid
Set to True if the information in the structure is valid, False otherwise.
QWORD HalDispatchTableAddress
The guest virtual address of the HAL dispatch table.
enum _INTRO_ACTION INTRO_ACTION
Event actions.
QWORD OldValue[8]
The original value. Only the first Size bytes are valid.
INTSTATUS IntIntegrityRemoveRegion(void *Descriptor)
Removes an integrity region from the gIntegrityRegions list.
INTRO_WRITE_INFO WriteInfo
The original and the new value.
INTSTATUS IntGetEPTPageProtection(DWORD EptIndex, QWORD Gpa, BYTE *Read, BYTE *Write, BYTE *Execute)
DWORD Offset
The offset inside the page where the violation took place.
__must_check INTSTATUS IntVirtMemMap(QWORD Gva, DWORD Length, QWORD Cr3, DWORD Flags, void **HostPtr)
Maps a guest virtual memory range inside Introcore virtual address space.
MM Mm
Guest memory information, such as paging mode, system Cr3 value, etc.
GUEST_STATE gGuest
The current guest state.
void IntAlertFillWinProcessByCr3(QWORD ProcessCr3, INTRO_PROCESS *EventProcess)
Saves information about a Windows process inside an alert. The process is searched by its kernel CR3...
void IntWinHalUninit(void)
Frees any resources held by gHalData and removes all the HAL protections.
Exploitation for Privilege Escalation.
QWORD MappingsTrace[MAX_TRANSLATION_DEPTH]
Contains the physical address of each entry within the translation tables.
EVENT_INTEGRITY_VIOLATION Integrity
#define HAL_HEAP_ORIGINAL
INTRO_ACTION Action
The action that was taken as the result of this alert.
QWORD VirtualAddress
The translated virtual address.
INTSTATUS IntKernVirtMemRead(QWORD KernelGva, DWORD Length, void *Buffer, DWORD *RetLength)
Reads data from a guest kernel virtual memory range.
QWORD HalIntCtrlAddress
The guest virtual address of the HAL interrupt controller.
QWORD BaseAddress
The guest virtual address at which the monitored integrity region starts.
struct _EVENT_INTEGRITY_VIOLATION::@294 Originator
#define MAX_INT_CTRL_TYPE_OFFSET
QWORD VirtualPage
The guest virtual page in which the access was made.
INTSTATUS IntHookObjectHookRegion(void *Object, QWORD Cr3, QWORD Gla, SIZE_T Length, BYTE Type, void *Callback, void *Context, DWORD Flags, HOOK_REGION_DESCRIPTOR **Region)
Hooks a contiguous region of virtual memory inside the provided virtual address space.
__must_check INTSTATUS IntPhysMemMap(QWORD PhysAddress, DWORD Length, DWORD Flags, void **HostPtr)
Maps a guest physical address inside Introcore VA space.
INTSTATUS IntExceptGetOriginatorFromModification(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator)
This function is used for integrity violations to get the information about the kernel-mode originato...
#define INT_STATUS_NOT_INITIALIZED_HINT
Encapsulates information about a virtual to physical memory translation.
KERNEL_DRIVER * KernelDriver
Points to the driver object that describes the kernel image.
#define INT_STATUS_INVALID_PARAMETER_1
INTRO_PROCESS CurrentProcess
The current process.
VCPU_STATE * gVcpu
The state of the current VCPU.
The action was blocked because there was no exception for it.
#define INTRO_OPT_PROT_KM_HAL_DISP_TABLE
Enable HDT (Hal Dispatch Table) protection (Windows only).
Sent for integrity violation alerts. See EVENT_INTEGRITY_VIOLATION.
#define HAL_HEAP_PHYSICAL_ADDRESS
Event structure for EPT violations.
void IntAlertFillWinKmModule(const KERNEL_DRIVER *Driver, INTRO_MODULE *EventModule)
Saves kernel module information inside an alert.
Exploitation of Remote Services.
void * HalHeapExecHook
The HAL heap execution hook object.
INTSTATUS IntPhysMemUnmap(void **HostPtr)
Unmaps an address previously mapped with IntPhysMemMap.
DWORD UntrustedEptIndex
The EPTP index of the untrusted EPT.
INTSTATUS IntExceptKernelGetOriginator(EXCEPTION_KM_ORIGINATOR *Originator, DWORD Options)
This function is used to get the information about the kernel-mode originator.
INTSTATUS IntAlertFillExecContext(QWORD Cr3, INTRO_EXEC_CONTEXT *ExecContext)
Fills the current execution context.
#define ZONE_WRITE
Used for write violation.
INTRO_PROT_OPTIONS CoreOptions
The activation and protection options for this guest.
static INTSTATUS IntWinHalHandleHalHeapExec(void *Context, HOOK_GPA *Hook, QWORD Address, INTRO_ACTION *Action)
Handles execution attempts from the HAL heap.
INTSTATUS IntHookObjectCreate(DWORD ObjectType, QWORD Cr3, void **Object)
Create a new hook object.
INTSTATUS IntWinHalProtectHalIntCtrl(void)
Protects the HAL interrupt controller against writes.
void IntExcept(EXCEPTION_VICTIM_ZONE *Victim, void *Originator, EXCEPTION_TYPE Type, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason, INTRO_EVENT_TYPE EventClass)
This function is the entry point for the exception mechanism.
#define MAX_INT_CTRL_COUNT
INTRO_OBJECT_TYPE Type
The type of the accessed memory area.
INTSTATUS IntWinHalUnprotectHalDispatchTable(void)
Deactivates the HAL dispatch table protection.