29 if (Process->Cr3 == ModifiedCr3)
31 Process->SelfMapEntryValue = NewValue;
35 Process->UserSelfMapEntryValue = NewValue;
68 WARNING(
"[WARNING] Self-mapping entry modified for process '%s' with CR3 %llx (%s), addr %llx, " 69 "from 0x%016llx to 0x%016llx\n", Process->Name, Cr3, Cr3 == Process->Cr3 ?
"kernel" :
"user",
74 LOG(
"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ (B) ROOTKIT ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n\n");
78 LOG(
"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ROOTKIT ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n\n");
85 ERROR(
"[ERROR] IntPhysMemMap failed: 0x%08x\n", status);
86 goto _just_send_alert;
90 pPage[0] = NewValue & (~
PT_US);
107 if (Process->SystemProcess)
132 WARNING(
"[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
163 QWORD currentKern, currentUser;
166 if (NULL == CurrentKernelValue)
171 ERROR(
"[ERROR] IntPhysicalMemRead failed: 0x%08x\n", status);
177 currentKern = *CurrentKernelValue;
180 if (NULL == CurrentUserValue && Process->Cr3 != Process->UserCr3)
185 ERROR(
"[ERROR] IntPhysicalMemRead failed: 0x%08x\n", status);
189 else if (Process->Cr3 != Process->UserCr3)
191 currentUser = *CurrentUserValue;
195 goto _only_kern_check;
202 if (Process->Cr3 != Process->UserCr3)
211 ERROR(
"[ERROR] IntWinSelfMapCr3SelfMapModification failed: 0x%x\n", status);
214 else if (Process->UserSelfMapEntryValue != currentUser)
216 Process->UserSelfMapEntryValue = currentUser;
225 Process->SelfMapEntryValue,
230 ERROR(
"[ERROR] IntWinSelfMapCr3SelfMapModification failed: 0x%x\n", status);
233 else if (Process->SelfMapEntryValue != currentKern)
235 Process->SelfMapEntryValue = currentKern;
291 goto cleanup_and_exit;
317 ERROR(
"[ERROR] IntHookGpaRemoveHook failed: 0x%08x\n", status);
331 goto cleanup_and_exit;
339 WARNING(
"[WARNING] IntExceptKernelGetOriginator failed: 0x%08x\n", status);
349 ERROR(
"[ERROR] Failed getting zone details: 0x%08x\n", status);
350 goto _exit_exceptions;
369 WARNING(
"[WARNING] Self-mapping entry modified for process '%s' with CR3 %llx (%s), " 370 "addr %llx, from 0x%016llx to 0x%016llx from RIP 0x%016llx\n",
373 cr3Modified == pProc->
Cr3 ?
"kernel" :
"user",
386 ERROR(
"[ERROR] IntPhysMemMap failed: 0x%08x\n", status);
387 goto just_send_alert;
426 WARNING(
"[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
486 pList = gWinProcesses.
Flink;
487 while (pList != &gWinProcesses)
492 pList = pList->
Flink;
497 ERROR(
"[ERROR] IntWinCheckSelfMapEntry failed: 0x%08x\n", status);
542 pList = gWinProcesses.
Flink;
543 while (pList != &gWinProcesses)
548 pList = pList->
Flink;
561 ERROR(
"[ERROR] IntWinProtectSelfMapIndex failed: 0x%08x\n", status);
592 QWORD currentKern, currentUser;
619 ERROR(
"[ERROR] IntPhysicalMemRead failed: 0x%08x\n", status);
624 Process->SelfMapEntryValue = (currentKern & (~
PT_US));
629 ERROR(
"[ERROR] IntPhysicalMemRead failed: 0x%08x\n", status);
634 Process->UserSelfMapEntryValue = (currentUser & (~
PT_US));
680 pList = gWinProcesses.
Flink;
681 while (pList != &gWinProcesses)
686 pList = pList->
Flink;
691 ERROR(
"[ERROR] IntWinSelfMapUnprotectSelfMapIndex failed: 0x%08x\n", status);
747 bShouldProtect = Process->Pid == 4;
749 TRACE(
"[INFO] Protecting self-mapping entry for process %s, pid %d with CR3: %llx, UserCR3: %llx with %s\n",
750 Process->Name, Process->Pid, Process->Cr3, Process->UserCr3, bShouldProtect ?
"EPT" :
"INTEGRITY");
754 if (Process->SelfMapHook == NULL)
766 ERROR(
"[ERROR] IntHookGpaSetHook failed: 0x%08x\n", status);
771 if (Process->Cr3 != Process->UserCr3 && Process->UserSelfMapHook == NULL)
783 ERROR(
"[ERROR] IntHookGpaSetHook failed: 0x%08x\n", status);
814 TRACE(
"[INFO] Deactivating self-map index protection for %s (pid %d, cr3: kernel %016llx, user: %016llx)\n",
815 Process->Name, Process->Pid, Process->Cr3, Process->UserCr3);
817 if (Process->SelfMapHook != NULL)
822 ERROR(
"[ERROR] IntHookGpaRemoveHook failed: 0x%08x\n", status);
826 if (Process->UserSelfMapHook != NULL)
831 ERROR(
"[ERROR] IntHookGpaRemoveHook failed: 0x%08x\n", status);
Measures kernel mode exceptions checks.
struct _EXCEPTION_KM_ORIGINATOR::@63 Original
enum _INTRO_ACTION_REASON INTRO_ACTION_REASON
The reason for which an INTRO_ACTION was taken.
INTRO_CODEBLOCKS CodeBlocks
Code blocks extracted for the alert.
#define CONTAINING_RECORD(List, Type, Member)
BOOLEAN Valid
Set to True if the information in the structure is valid, False otherwise.
QWORD IntAlertCoreGetFlags(QWORD ProtectionFlag, INTRO_ACTION_REASON Reason)
Returns the flags for an alert.
DWORD Size
The size of the access.
static INTSTATUS IntWinSelfMapHandleCr3SelfMapWrite(WIN_PROCESS_OBJECT *Context, void *Hook, QWORD Address, INTRO_ACTION *Action)
Handles writes done to the self map entry inside a process page tables.
An internal error occurred (no memory, pages not present, etc.).
INTSTATUS IntPhysicalMemRead(QWORD PhysicalAddress, DWORD Length, void *Buffer, DWORD *RetLength)
Reads data from a guest physical memory range, but only for a single page.
BOOLEAN IntPolicyCoreForceBetaIfNeeded(QWORD Flag, INTRO_ACTION *Action)
Checks if a forced action should be taken even if the log-only mode is active.
IG_ARCH_REGS Regs
The current state of the guest registers.
MITRE_ID MitreID
The Mitre ID that corresponds to this attack.
INTSTATUS IntHookGpaRemoveHook(HOOK_GPA **Hook, DWORD Flags)
Remove a GPA hook.
#define CLEAN_PHYS_ADDRESS64(x)
#define INT_STATUS_SUCCESS
BOOLEAN IntPolicyCoreTakeAction(QWORD Flag, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason)
Returns the action that should be taken for a core introspection option.
QWORD NewValue[8]
The written value. Only the first Size bytes are valid.
struct _LIST_ENTRY * Flink
struct _EXCEPTION_VICTIM_ZONE::@57::@59 WriteInfo
#define INT_SUCCESS(Status)
QWORD Flags
A combination of ALERT_FLAG_* values describing the alert.
BOOLEAN ProtectionActivated
The action was not allowed because there was no reason to allow it.
BOOLEAN KernelBetaDetections
True if the kernel protection is in beta (log-only) mode.
INTRO_VIOLATION_HEADER Header
The alert header.
#define INT_STATUS_NOT_NEEDED_HINT
#define ALERT_FLAG_ASYNC
If set, the alert was generated in an async manner.
INTSTATUS IntWinSelfMapEnableSelfMapEntryProtection(void)
Enables the self map protection mechanism for the entire system.
int INTSTATUS
The status data type.
TIMER_FRIENDLY INTSTATUS IntWinSelfMapValidateSelfMapEntries(void)
Validates the self map entries for every process in the system.
LIST_HEAD gWinProcesses
The list of all the processes inside the guest.
QWORD VirtualAddress
The Virtual Address whose translation is being modified.
Event structure for illegal paging-structures modifications.
void * UserSelfMapHook
The user self mapping memory hook.
Describes a kernel-mode originator.
EVENT_TRANSLATION_VIOLATION Translation
INTRO_GUEST_TYPE OSType
The type of the guest.
void IntAlertFillCpuContext(BOOLEAN CopyInstruction, INTRO_CPUCTX *CpuContext)
Fills the current CPU context for an alert.
INTSTATUS IntHookGpaSetHook(QWORD Gpa, DWORD Length, BYTE Type, PFUNC_EptViolationCallback Callback, void *Context, void *ParentHook, DWORD Flags, HOOK_GPA **Hook)
Places an EPT hook on the indicated memory range.
void IntAlertFillVersionInfo(INTRO_VIOLATION_HEADER *Header)
Fills version information for an alert.
#define INTRO_OPT_PROT_KM_SELF_MAP_ENTRY
INTRO_VIOLATION_HEADER Header
The alert header.
BOOLEAN IntPolicyCoreIsOptionBeta(QWORD Flag)
Checks if one of the kernel protection options is in log-only mode.
#define HOOK_FLG_HIGH_PRIORITY
If flag is set, the callback associated to this hook will have a higher priority than the others...
TRANS_VIOLATION_TYPE ViolationType
INTRO_ACTION_REASON Reason
The reason for which Action was taken.
#define HOOK_FLG_PAGING_STRUCTURE
If flag is set, the hook is set on paging structures.
INTSTATUS IntAlertFillCodeBlocks(QWORD Rip, QWORD Cr3, BOOLEAN Execute, INTRO_CODEBLOCKS *CodeBlocks)
Fills the code blocks pattern for an alert.
QWORD Cr3
Process PDBR. Includes PCID.
void IntAlertEptFillFromKmOriginator(const EXCEPTION_KM_ORIGINATOR *Originator, EVENT_EPT_VIOLATION *EptViolation)
Fills kernel mode originator information inside an EPT alert.
GENERIC_ALERT gAlert
Global alert buffer.
struct _EVENT_TRANSLATION_VIOLATION::@292 Originator
void IntAlertEptFillFromVictimZone(const EXCEPTION_VICTIM_ZONE *Victim, EVENT_EPT_VIOLATION *EptViolation)
Fills the victim information inside an EPT alert.
INTRO_CPUCTX CpuContext
The context of the CPU that triggered the alert.
INTSTATUS IntNotifyIntroEvent(INTRO_EVENT_TYPE EventClass, void *Param, size_t EventSize)
Notifies the integrator about an introspection alert.
QWORD New
The new, to be written, value of the page table entry.
INTSTATUS IntExceptGetVictimEpt(void *Context, QWORD Gpa, QWORD Gva, INTRO_OBJECT_TYPE Type, DWORD ZoneFlags, EXCEPTION_VICTIM_ZONE *Victim)
Fills an EXCEPTION_VICTIM_ZONE with relevant information from an EPT violation.
CHAR Name[IMAGE_BASE_NAME_LEN]
Process base name.
QWORD Current
The currently used options.
QWORD Old
The old, original, value of the written page table entry.
QWORD UserCr3
Process user PDBR. Includes PCID.
INTSTATUS IntWinSelfMapProtectSelfMapIndex(WIN_PROCESS_OBJECT *Process)
Protects the self map index of a process by placing an EPT write hook on it.
INTRO_WRITE_INFO WriteInfo
The original and new address to which VirtualAddress translates.
struct _EVENT_TRANSLATION_VIOLATION::@293 Victim
BOOLEAN GuestInitialized
True if the OS-specific portion has been initialized.
#define SELF_MAP_ENTRY(Cr3)
Computes the self map entry physical address based on a given Cr3.
INTSTATUS IntWinSelfMapUnprotectSelfMapIndex(WIN_PROCESS_OBJECT *Process)
Removes the EPT protection for the self map entry index of a process.
Sent for virtual address translation alerts. See EVENT_TRANSLATION_VIOLATION.
#define SELF_MAP_ENTRY_IS_DETECTION(entry)
Decides if a self map entry value is malicious or not.
INTRO_EXEC_CONTEXT ExecContext
Information about the instruction that triggered the alert.
BOOLEAN Valid
Set to True if the information in the structure is valid, False otherwise.
Sent when an EPT violation triggers an alert. See EVENT_EPT_VIOLATION.
static INTSTATUS IntWinSelfMapHandleCr3SelfMapModification(QWORD NewValue, QWORD OldValue, WIN_PROCESS_OBJECT *Process, QWORD Cr3)
Handles self map entry modifications for a process.
Describes the modified zone.
void * SelfMapHook
The self mapping memory hook.
BOOLEAN Valid
Set to True if the information in the structure is valid, False otherwise.
enum _INTRO_ACTION INTRO_ACTION
Event actions.
QWORD Rip
The RIP from where the call to the exported function came.
QWORD OldValue[8]
The original value. Only the first Size bytes are valid.
#define SELF_MAP_ENTRY_VA
Computes the virtual address at which the self map entry is mapped for this guest.
INTSTATUS IntWinSelfMapDisableSelfMapEntryProtection(void)
Disables the self map entry protection for all the processes on the system.
Measures the self map entry validation.
MM Mm
Guest memory information, such as paging mode, system Cr3 value, etc.
#define ALERT_FLAG_SYSPROC
If set, the alert is on system process.
Self mapping index in PDBR.
INTRO_MODULE Module
The module that modified the translation.
DWORD SystemProcess
TRUE if this is a system process.
GUEST_STATE gGuest
The current guest state.
void IntAlertFillWinProcessByCr3(QWORD ProcessCr3, INTRO_PROCESS *EventProcess)
Saves information about a Windows process inside an alert. The process is searched by its kernel CR3...
static void IntWinSelfMapSelfMapUpdate(QWORD ModifiedCr3, WIN_PROCESS_OBJECT *Process, QWORD NewValue)
Updates the self map entry value for a process.
INTRO_ACTION Action
The action that was taken as the result of this alert.
PAGING_MODE Mode
The paging mode used by the guest.
__must_check INTSTATUS IntPhysMemMap(QWORD PhysAddress, DWORD Length, DWORD Flags, void **HostPtr)
Maps a guest physical address inside Introcore VA space.
static INTSTATUS IntWinSelfMapCheckSelfMapEntry(WIN_PROCESS_OBJECT *Process, const QWORD *CurrentKernelValue, const QWORD *CurrentUserValue)
Checks the self map entry for a given process.
#define INT_STATUS_NOT_INITIALIZED_HINT
INTSTATUS IntWinSelfMapGetAndCheckSelfMapEntry(WIN_PROCESS_OBJECT *Process)
Sets and validates the self map entry values for a process.
#define INT_STATUS_INVALID_PARAMETER_1
INTRO_PROCESS CurrentProcess
The current process.
VCPU_STATE * gVcpu
The state of the current VCPU.
The action was blocked because there was no exception for it.
Event structure for EPT violations.
BOOLEAN Valid
True if the information in this structure is valid; False it it is not.
PTEMU_BUFFER PtEmuBuffer
The page table write emulator buffer.
INTSTATUS IntPhysMemUnmap(void **HostPtr)
Unmaps an address previously mapped with IntPhysMemMap.
INTSTATUS IntExceptKernelGetOriginator(EXCEPTION_KM_ORIGINATOR *Originator, DWORD Options)
This function is used to get the information about the kernel-mode originator.
INTSTATUS IntAlertFillExecContext(QWORD Cr3, INTRO_EXEC_CONTEXT *ExecContext)
Fills the current execution context.
#define ZONE_WRITE
Used for write violation.
INTRO_PROT_OPTIONS CoreOptions
The activation and protection options for this guest.
void IntExcept(EXCEPTION_VICTIM_ZONE *Victim, void *Originator, EXCEPTION_TYPE Type, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason, INTRO_EVENT_TYPE EventClass)
This function is the entry point for the exception mechanism.
This structure describes a running process inside the guest.
1.8.13