45 if (NULL == EthreadAddress)
67 ERROR(
"[ERROR] IntFindKernelPcr failed: 0x%08x\n", status);
74 TRACE(
"[CPU %d] Could not find a kernel KPCR, will not cache anything: 0x%016llx\n",
92 #define THREADS_MAX_COUNT 65536 114 QWORD currentThread = 0, count;
116 if (NULL == Callback)
126 ERROR(
"[ERROR] IntKernVirtMemFetchQword failed for VA 0x%016llx: 0x%08x\n", Eprocess, status);
131 while ((currentThread != Eprocess +
WIN_KM_FIELD(Process, ThreadListHead)) &&
134 QWORD ethreadAddress;
136 ethreadAddress = currentThread -
WIN_KM_FIELD(Thread, ThreadListEntry);
138 status = Callback(ethreadAddress, Aux);
142 goto _cleanup_and_exit;
146 ERROR(
"[ERROR] Callback failed for thread 0x%016llx, proc 0x%016llx: 0x%08x\n",
147 ethreadAddress, Eprocess, status);
153 ERROR(
"[ERROR] Failed getting the next thread: 0x%08x\n", status);
216 ERROR(
"[ERROR] IntGs/FsRead failed: 0x%08x\n", status);
229 ERROR(
"[ERROR] IntGsRead failed: 0x%08x\n", status);
236 QWORD currentEthread = 0;
240 ERROR(
"[ERROR] IntWinThrGetCurrentThread failed: 0x%08x\n", status);
247 ERROR(
"[ERROR] IntKernVirtMemRead failed for 0x%016llx: 0x%08x\n",
280 QWORD buffer[2] = { 0 };
282 if (NULL == StackBase)
287 if (NULL == StackLimit)
301 ERROR(
"[ERROR] IntVirtMemRead failed: 0x%08x\n", status);
307 *StackBase = ((
DWORD *)&buffer)[0];
308 *StackLimit = ((
DWORD *)&buffer)[1];
312 *StackBase = buffer[0];
313 *StackLimit = buffer[1];
338 QWORD tibBase, buffer[2] = { 0 };
349 if (NULL == StackBase)
354 if (NULL == StackLimit)
365 ERROR(
"[ERROR] IntGetGprs failed: 0x%08x\n", status);
373 ERROR(
"[ERROR] IntGetCurrentMode failed: 0x%08x\n", status);
380 ERROR(
"[ERROR] IntGetCurrentRing failed: 0x%08x\n", status);
389 ERROR(
"[ERROR] IntWinThrGetCurrentTib failed: 0x%08x\n", status);
397 ERROR(
"[ERROR] TIB base is 0!\n");
409 ERROR(
"[ERROR] IntVirtMemRead failed: 0x%08x\n", status);
415 *StackBase = ((
DWORD *)&buffer)[0];
416 *StackLimit = ((
DWORD *)&buffer)[1];
420 *StackBase = buffer[0];
421 *StackLimit = buffer[1];
450 QWORD kthreadOriginator, eprocessOriginator;
451 QWORD kthreadVictim, eprocessVictim;
452 QWORD dstAddress, rip;
463 } threadContext = { 0 };
468 eprocessOriginator = eprocessVictim = kthreadVictim = dstAddress = rip = 0;
469 pProcOrig = pProcVictim = NULL;
474 kthreadOriginator = regs->
Rax;
479 ERROR(
"[ERROR] IntDetGetArguments failed: 0x%08x\n", status);
481 goto cleanup_and_exit;
484 kthreadVictim = args[0];
485 dstAddress = args[1];
487 eprocessOriginator = kthreadOriginator +
WIN_KM_FIELD(Thread, Process);
492 LOG(
"[ERROR] IntKernVirtMemRead failed for %llx: 0x%08x\n", eprocessOriginator, status);
494 goto cleanup_and_exit;
498 if (pProcOrig == NULL)
500 ERROR(
"[ERROR] Failed to find originator with eprocess: %llx\n", eprocessOriginator);
502 goto cleanup_and_exit;
505 eprocessVictim = kthreadVictim +
WIN_KM_FIELD(Thread, Process);
510 ERROR(
"[ERROR] IntKernVirtMemRead failed for %llx: 0x%08x\n", eprocessVictim, status);
512 goto cleanup_and_exit;
516 if (pProcVictim == NULL)
518 ERROR(
"[ERROR] Failed to find victim with eprocess: %llx\n", eprocessVictim);
520 goto cleanup_and_exit;
525 TRACE(
"[THREAD HIJACK] Hijack detected in same process, will allow...\n");
527 goto cleanup_and_exit;
533 goto cleanup_and_exit;
543 ERROR(
"[ERROR] IntVirtMemRead failed for %llx: 0x%08x\n", dstAddress, status);
544 bIsDumpValid =
FALSE;
547 rip = threadContext.threadContext64.Rip;
556 ERROR(
"[ERROR] IntVirtMemRead failed for %llx: 0x%08x\n", dstAddress, status);
557 bIsDumpValid =
FALSE;
560 rip = threadContext.threadContext32.Eip;
565 memzero(&originator,
sizeof(originator));
566 memzero(&victim,
sizeof(victim));
571 ERROR(
"[ERROR] IntExceptUserGetOriginator failed: 0x%08x\n", status);
574 goto send_notification;
584 ERROR(
"[ERROR] IntExceptGetModifiedProcess failed: 0x%08x\n", status);
587 goto send_notification;
599 memzero(pInjEvent,
sizeof(*pInjEvent));
601 LOG(
"[THREAD HIJACK] Thread Hijack detected from KTHREAD: %llx, Process `%s` (pid = %d) into KTHREAD: " 602 "%llx from Process `%s` (pid = %d)\n",
603 kthreadOriginator, pProcOrig->
Name, pProcOrig->
Pid, kthreadVictim, pProcVictim->
Name, pProcVictim->
Pid);
613 LOG(
"Dumping CONTEXT registers %llx...", dstAddress);
614 LOG(
"ContextFlags: %d\n", threadContext.threadContext64.ContextFlags);
615 LOG(
"Rax: 0x%08llx Rbx: 0x%08llx Rcx: 0x%08llx Rdx: 0x%08llx Rsp: 0x%08llx Rbp: 0x%08llx Rsi: 0x%08llx" 616 "Rdi: 0x%08llx R8: 0x%08llx R9: 0x%08llx R10: 0x%08llx R11: 0x%08llx R12: 0x%08llx R13: 0x%08llx " 618 "R15: 0x%08llx Rip: 0x%08llx\n", threadContext.threadContext64.Rax,
619 threadContext.threadContext64.Rbx, threadContext.threadContext64.Rcx,
620 threadContext.threadContext64.Rdx, threadContext.threadContext64.Rsp,
621 threadContext.threadContext64.Rbp, threadContext.threadContext64.Rsi,
622 threadContext.threadContext64.Rdi, threadContext.threadContext64.R8,
623 threadContext.threadContext64.R9, threadContext.threadContext64.R10,
624 threadContext.threadContext64.R11, threadContext.threadContext64.R12,
625 threadContext.threadContext64.R13, threadContext.threadContext64.R14,
626 threadContext.threadContext64.R15, threadContext.threadContext64.Rip);
629 &threadContext.threadContext64,
653 LOG(
"Dumping CONTEXT registers %llx...", dstAddress);
654 LOG(
"ContextFlags: %d\n", threadContext.threadContext32.ContextFlags);
655 LOG(
"Eax: 0x%08x Ebx: 0x%08x Ecx: 0x%08x Edx: 0x%08x Esp: 0x%08x Ebp: 0x%08x Esi: 0x%08x Edi: 0x%08x " 656 "Eip: 0x%08x\n", threadContext.threadContext32.Eax, threadContext.threadContext32.Ebx,
657 threadContext.threadContext32.Ecx, threadContext.threadContext32.Edx,
658 threadContext.threadContext32.Esp, threadContext.threadContext32.Ebp,
659 threadContext.threadContext32.Esi, threadContext.threadContext32.Edi,
660 threadContext.threadContext32.Eip);
663 &threadContext.threadContext32,
742 WARNING(
"[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
749 if (NULL != pProcVictim)
758 ERROR(
"[ERROR] IntDetSetReturnValue failed: 0x%08x\n", status);
788 QWORD ethreadOriginator;
789 QWORD eprocessOriginator;
791 QWORD eprocessVictim;
796 QWORD functionAddr, functionParameter;
804 pVictimProc = pOrigProc = NULL;
806 currentExport = NULL;
807 rip = functionAddr = functionParameter = 0;
812 ERROR(
"[ERROR] IntDetGetArguments failed: 0x%08x\n", status);
813 goto cleanup_and_exit;
816 victimThread = args[0];
817 functionAddr = args[1];
818 functionParameter = args[2];
819 ethreadOriginator = args[3];
821 eprocessOriginator = ethreadOriginator +
WIN_KM_FIELD(Thread, Process);
826 ERROR(
"[ERROR] IntKernVirtMemRead failed: 0x%08x\n", status);
827 goto cleanup_and_exit;
831 if (pOrigProc == NULL)
833 LOG(
"IntWinProcFindObjectByEprocess failed for originator! \n");
835 goto cleanup_and_exit;
838 eprocessVictim = victimThread +
WIN_KM_FIELD(Thread, Process);
843 ERROR(
"[ERROR] IntKernVirtMemRead failed: 0x%08x\n", status);
844 goto cleanup_and_exit;
848 if (pVictimProc == NULL)
850 LOG(
"IntWinProcFindObjectByEprocess failed for victim! \n");
852 goto cleanup_and_exit;
857 goto cleanup_and_exit;
860 if (eprocessVictim == eprocessOriginator)
862 goto cleanup_and_exit;
867 memzero(&originator,
sizeof(originator));
868 memzero(&victim,
sizeof(victim));
873 ERROR(
"[ERROR] IntExceptUserGetOriginator failed: 0x%08x\n", status);
875 goto send_notification;
884 rip = (functionAddr * (-1)) >> 2;
905 goto not_rtl_dispatch;
909 if (currentExport == NULL)
911 goto not_rtl_dispatch;
918 if (0 == strncasecmp(currentExport->
Names[i],
"RtlDispatchApc", currentExport->
NameLens[i]))
922 rip = functionParameter;
934 ERROR(
"[ERROR] IntExceptGetModifiedProcess failed: 0x%08x\n", status);
936 goto send_notification;
948 memzero(pInjEvent,
sizeof(*pInjEvent));
950 LOG(
"[APC HIJACKING] From process '%s' into process '%s' (%llx [%llx] -> %llx [%llx]) to rip %llx\n",
951 pOrigProc->
Name, pVictimProc->
Name, eprocessOriginator, ethreadOriginator,
952 eprocessVictim, victimThread, rip);
961 WARNING(
"[WARNING] IntVirtMemRead failed: 0x%08x\n", status);
1007 if (pModule != NULL)
1035 WARNING(
"[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
1041 if (NULL != pVictimProc)
1050 ERROR(
"[ERROR] IntDetSetReturnValue failed: 0x%08x\n", status);
1100 pHandler->
Code[0x41] = 0x14;
1107 *(
DWORD *)(pHandler->
Code + 0x2) = 0x90909090;
1111 pHandler->
Code[0x2f] = 0x00;
1114 pHandler->
Code[0x41] = 0x0C;
1153 QWORD *threadType, *referenceObj, *derefObj;
1154 DWORD *attachedProc, *process, *spare;
1155 DWORD *threadType32, *referenceObj32, *derefObj32;
1156 PCHAR exports[3] = {
"PsThreadType",
"ObReferenceObjectByHandle",
"ObDereferenceObject" };
1157 QWORD gvas[3] = { 0, 0, 0 };
1158 DWORD offsetCallObReferenceObject, offsetCallObDereference,
1159 offsetPsThreadType, offsetAttachedProcess, offsetProcess, offsetSpare;
1164 threadType = referenceObj = derefObj = NULL;
1165 threadType32 = referenceObj32 = derefObj32 = NULL;
1166 attachedProc = process = spare = NULL;
1172 offsetCallObReferenceObject = 0x3b;
1173 offsetCallObDereference = 0xa0;
1174 offsetPsThreadType = 0x11;
1175 offsetAttachedProcess = 0x5f;
1176 offsetProcess = 0x6b;
1179 threadType = (
QWORD *)&pHandler->
Code[offsetPsThreadType];
1180 referenceObj = (
QWORD *)&pHandler->
Code[offsetCallObReferenceObject];
1181 derefObj = (
QWORD *)&pHandler->
Code[offsetCallObDereference];
1182 attachedProc = (
DWORD *)&pHandler->
Code[offsetAttachedProcess];
1183 process = (
DWORD *)&pHandler->
Code[offsetProcess];
1184 spare = (
DWORD *)&pHandler->
Code[offsetSpare];
1188 offsetPsThreadType = 0x1d;
1189 offsetCallObReferenceObject = 0x25;
1190 offsetCallObDereference = 0x67;
1191 offsetAttachedProcess = 0x35;
1192 offsetProcess = 0x3f;
1195 threadType32 = (
DWORD *)&pHandler->
Code[offsetPsThreadType];
1196 referenceObj32 = (
DWORD *)&pHandler->
Code[offsetCallObReferenceObject];
1197 derefObj32 = (
DWORD *)&pHandler->
Code[offsetCallObDereference];
1198 attachedProc = (
DWORD *)&pHandler->
Code[offsetAttachedProcess];
1199 process = (
DWORD *)&pHandler->
Code[offsetProcess];
1200 spare = (
DWORD *)&pHandler->
Code[offsetSpare];
1203 for (
DWORD i = 0; i < 3; i++)
1208 ERROR(
"[ERROR] Cannot find export %s for patching APC thread handler!\n", exports[i]);
1213 TRACE(
"[INFO] Export %s found at gva %016llx\n", exports[i], gvas[i]);
1219 threadType[0] = gvas[0];
1220 referenceObj[0] = gvas[1];
1221 derefObj[0] = gvas[2];
1222 attachedProc[0] =
WIN_KM_FIELD(Thread, AttachedProcess);
1228 threadType32[0] = (
DWORD)gvas[0];
1229 referenceObj32[0] = (
DWORD)gvas[1];
1230 derefObj32[0] = (
DWORD)gvas[2];
1231 attachedProc[0] =
WIN_KM_FIELD(Thread, AttachedProcess);
1236 TRACE(
"[INFO] Successfully patched NtQueueApcThreadEx handler!\n");
void * Module
The internal structure of a module.
#define INT_STATUS_PAGE_NOT_PRESENT
Indicates that a virtual address is not present.
enum _INTRO_ACTION_REASON INTRO_ACTION_REASON
The reason for which an INTRO_ACTION was taken.
char Name[ALERT_MAX_FUNCTIONS][ALERT_MAX_FUNCTION_NAME_LEN]
Array of all the extracted function names.
INTRO_MODULE Module
The module which was written or read.
struct _EVENT_MEMCOPY_VIOLATION::@290 Victim
An internal error occurred (no memory, pages not present, etc.).
struct _API_HOOK_HANDLER * PAPI_HOOK_HANDLER
#define OFFSET_OF(Type, Member)
IG_ARCH_REGS Regs
The current state of the guest registers.
#define PROC_OPT_PROT_QUEUE_APC
Blocks APC queuing inside the target process (Windows only).
DWORD Index
The VCPU number.
DWORD Crc32Compute(const void *Buffer, size_t Size, DWORD InitialCrc)
Computes the CRC for a byte array.
MITRE_ID MitreID
The Mitre ID that corresponds to this attack.
INTSTATUS IntPeFindKernelExport(const char *Name, QWORD *ExportGva)
Find an export inside the NT kernel image.
#define INT_STATUS_SUCCESS
INTRO_PROCESS Process
The process that attempted the access.
INTSTATUS IntFsRead(DWORD CpuNumber, QWORD *FsValue)
Reads the IA32_FS_BASE guest MSR.
Measures user-mode exception checks.
This represents an attempt of modifying the context of another thread.
CHAR FunctionName[ALERT_MAX_FUNCTION_NAME_LEN]
The name of the accessed function, if any.
#define WIN_STATUS_SUCCESS
Equivalent to NTSTATUS STATUS_SUCCESS.
INTSTATUS IntGetGprs(DWORD CpuNumber, PIG_ARCH_REGS Regs)
Get the current guest GPR state.
void IntAlertFillWinProcess(const WIN_PROCESS_OBJECT *Process, INTRO_PROCESS *EventProcess)
Saves information about a windows process inside an alert.
Describes a detour handler.
DWORD IntGetCurrentCpu(void)
Returns the current CPU number.
DWORD NumberOfOffsets
Number of symbols pointing to the exported RVA.
#define INT_SUCCESS(Status)
INTSTATUS IntDetSetReturnValue(DETOUR const *Detour, IG_ARCH_REGS *Registers, QWORD ReturnValue)
Sets the return value for a hooked guest function.
#define PROC_OPT_PROT_SET_THREAD_CTX
Blocks thread hijacking attempts inside the target process (Windows only).
QWORD Flags
A combination of ALERT_FLAG_* values describing the alert.
INTSTATUS IntWinThrHandleQueueApc(void *Detour)
Handles an NtQueueApcThreadEx call, blocking process injections. Asynchronous Procedure Call (APC) inj...
The action was not allowed because there was no reason to allow it.
DWORD Delta
The offset inside the affected function at which the access was made.
Describes a user-mode originator.
INTSTATUS IntKernVirtMemFetchWordSize(QWORD GuestVirtualAddress, void *Data)
Reads a guest pointer from the guest kernel memory.
int INTSTATUS
The status data type.
DWORD OSVersion
Os version.
#define INT_STATUS_NOT_FOUND
#define ALERT_MAX_FUNCTION_NAME_LEN
The maximum size of a function name inside an alert structure.
PVCPU_STATE VcpuArray
Array of the VCPUs assigned to this guest. The index in this array matches the VCPU number...
Sent for code/data injection alerts. See EVENT_MEMCOPY_VIOLATION.
WINUM_CACHE_EXPORT * IntWinUmModCacheExportFind(WIN_PROCESS_MODULE *Module, DWORD Rva, DWORD ErrorRange)
Tries to find an export in the range [Rva, Rva + ErrorRange].
void IntAlertFillCpuContext(BOOLEAN CopyInstruction, INTRO_CPUCTX *CpuContext)
Fills the current CPU context for an alert.
QWORD VirtualBase
Guest virtual address of the loaded module.
IG_CS_RING
The current protection level.
DWORD Protected
TRUE if this is a protected process. If this is FALSE, most of the above fields aren't used at all...
#define INT_STATUS_BREAK_ITERATION
Can be used by iteration callbacks to break the iteration early.
void IntAlertFillVersionInfo(INTRO_VIOLATION_HEADER *Header)
Fills version information for an alert.
DWORD Wow64Process
TRUE if this is a 32 bit process on a 64 bit OS.
struct _EVENT_MEMCOPY_VIOLATION::@289 Originator
QWORD IntAlertProcGetFlags(QWORD ProtectionFlag, const void *Process, INTRO_ACTION_REASON Reason, QWORD AdditionalFlags)
Returns the flags for an alert.
INTSTATUS IntWinThrHandleThreadHijack(void *Detour)
Handles a SetContextThread call, blocking thread hijacking. Thread hijacking (amongst others) is an a...
IG_CS_TYPE
The type of the code segment.
Context Frame for 32-bit guests.
INTRO_ACTION_REASON Reason
The reason for which Action was taken.
EXCEPTION_VICTIM_OBJECT Object
The modified object.
PWIN_PROCESS_MODULE IntWinUmModFindByAddress(PWIN_PROCESS_OBJECT Process, QWORD Gva)
Searches for a user-mode module which contains the indicated guest virtual address.
INTSTATUS IntWinThrPatchThreadHijackHandler(QWORD FunctionAddress, void *Handler, QWORD HandlerAddress)
This function is responsible for patching the detour that handles "PspSetContextThreadInternal"...
Exposes the functions used to provide Windows Threads related support.
QWORD Cr3
Process PDBR. Includes PCID.
INTSTATUS IntGetCurrentMode(DWORD CpuNumber, DWORD *Mode)
Read the current CS type.
MEMCOPY_VIOLATION_TYPE ViolationType
The type of the access.
GENERIC_ALERT gAlert
Global alert buffer.
INTRO_VIOLATION_HEADER Header
The alert header.
EVENT_MEMCOPY_VIOLATION Injection
#define INITIAL_CRC_VALUE
INTSTATUS IntFindKernelPcr(DWORD CpuNumber, QWORD *Pcr)
Finds the address of the Windows kernel _KPCR.
BOOLEAN IntPolicyProcTakeAction(QWORD Flag, void const *Process, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason)
Returns the action that should be taken for a process protection option.
DWORD CopySize
The size of the access.
#define IG_CURRENT_VCPU
For APIs that take a VCPU number as a parameter, this can be used to specify that the current VCPU sh...
INTRO_CPUCTX CpuContext
The context of the CPU that triggered the alert.
INTSTATUS IntNotifyIntroEvent(INTRO_EVENT_TYPE EventClass, void *Param, size_t EventSize)
Notifies the integrator about an introspection alert.
#define THREADS_MAX_COUNT
The maximum number of threads for one single process (if something happens, IntWinThrIterateThreads w...
This represents an attempt to queue an APC into the victim process.
BOOLEAN Guest64
True if this is a 64-bit guest, False if it is a 32-bit guest.
#define ZONE_PROC_THREAD_APC
Used for the APC thread hijacking technique.
CHAR Name[IMAGE_BASE_NAME_LEN]
Process base name.
INTSTATUS IntWinThrGetCurrentThread(DWORD CpuNumber, QWORD *EthreadAddress)
Get the ETHREAD structure address of the thread currently running on the given CPU.
BYTE Code[DETOUR_MAX_HANDLER_SIZE]
The code of the detour handler. Only CodeLength bytes are valid.
INTSTATUS(* PFUNC_IterateListCallback)(QWORD Node, QWORD Aux)
#define INT_STATUS_INVALID_PARAMETER_4
DWORD Hash[ALERT_MAX_FUNCTIONS]
Array of all the extracted function hashes. Export.Hash[i] is the hash for Export.Name[i].
#define IS_KERNEL_POINTER_WIN(is64, p)
Checks if a guest virtual address resides inside the Windows kernel address space.
INTSTATUS IntGsRead(DWORD CpuNumber, QWORD *GsValue)
Reads the IA32_GS_BASE guest MSR.
#define INT_STATUS_INVALID_PARAMETER_5
INTSTATUS IntWinThrGetCurrentStackBaseAndLimit(QWORD *TibBase, QWORD *StackBase, QWORD *StackLimit)
Obtains the stack base, stack limit and TIB address of the current thread.
Memory access violations that cross a process boundary.
BOOLEAN DumpValid
True if the contents of RawDump are valid, False if not.
BYTE WordSize
Guest word size. Will be 4 for 32-bit guests and 8 for 64-bit guests.
size_t strlcpy(char *dst, const char *src, size_t dest_size)
INTSTATUS IntWinThrIterateThreads(QWORD Eprocess, PFUNC_IterateListCallback Callback, QWORD Aux)
Iterate all the threads of the given process and invoke the callback for each one of them...
DWORD Pid
Process ID (the one used by Windows).
INTSTATUS IntExceptUserGetOriginator(void *Process, BOOLEAN ModuleWrite, QWORD Address, INSTRUX *Instrux, EXCEPTION_UM_ORIGINATOR *Originator)
This function is used to get the information about the user-mode originator.
#define ALERT_FLAG_NOT_RING0
If set, the alert was triggered in ring 1, 2 or 3.
DWORD ProtThreadCtx
Protect the thread context (protection against thread hijacking).
DWORD CpuCount
The number of logical CPUs.
Describes the modified zone.
#define UNREFERENCED_PARAMETER(P)
#define PROC_OPT_PROT_EXPLOIT
Blocks malicious execution attempts.
DWORD Rva
The RVA of this export.
#define WIN_KM_FIELD(Structure, Field)
Macro used to access kernel mode fields inside the WIN_OPAQUE_FIELDS structure.
INTSTATUS IntDetGetArguments(void const *Detour, DWORD Argc, QWORD *Argv)
Reads multiple arguments from a detour.
enum _INTRO_ACTION INTRO_ACTION
Event actions.
BOOLEAN IntPolicyProcForceBetaIfNeeded(QWORD Flag, void *Process, INTRO_ACTION *Action)
Checks if a forced action should be taken even if the process log-only mode is active.
struct _EVENT_MEMCOPY_VIOLATION::@291 Export
All the names used to export the modified function.
#define WIN_STATUS_ACCESS_DENIED
Equivalent to NTSTATUS STATUS_ACCESS_DENIED.
DWORD NameLens[MAX_OFFSETS_PER_NAME]
Length of each name pointing to this RVA.
QWORD Cr3
The value of the guest CR3 register when the event was generated.
QWORD EprocessAddress
This will be the address of the ActiveProcess field.
#define ALERT_FLAG_SYSPROC
If set, the alert is on system process.
DWORD FunctionNameHash
The hash of the FunctionName. It is the same as Export.Hash[0].
DWORD SystemProcess
TRUE if this is a system process.
GUEST_STATE gGuest
The current guest state.
void IntAlertFillWinProcessByCr3(QWORD ProcessCr3, INTRO_PROCESS *EventProcess)
Saves information about a Windows process inside an alert. The process is searched by its kernel CR3...
INTSTATUS IntVirtMemRead(QWORD Gva, DWORD Length, QWORD Cr3, void *Buffer, DWORD *RetLength)
Reads data from a guest virtual memory range.
BYTE RawDump[ALERT_MAX_INJ_DUMP_SIZE]
The source buffer contents.
INTSTATUS IntExceptGetVictimProcess(void *Process, QWORD DestinationGva, DWORD Length, QWORD ZoneFlags, EXCEPTION_VICTIM_ZONE *Victim)
This function is used to get the information about the victim process for injection violations...
PWIN_PROCESS_OBJECT IntWinProcFindObjectByEprocess(QWORD Eprocess)
Finds a process by the address of its _EPROCESS structure.
TIMER_FRIENDLY void IntDumpBuffer(void *Buffer, QWORD Gva, DWORD Length, DWORD RowLength, DWORD ElementLength, BOOLEAN LogHeader, BOOLEAN DumpAscii)
This function dumps a given buffer in a user friendly format.
INTRO_ACTION Action
The action that was taken as the result of this alert.
INTSTATUS IntKernVirtMemRead(QWORD KernelGva, DWORD Length, void *Buffer, DWORD *RetLength)
Reads data from a guest kernel virtual memory range.
#define INT_STATUS_NO_MAPPING_STRUCTURES
Indicates that not all mapping structures of a virtual address are present.
PCHAR Names[MAX_OFFSETS_PER_NAME]
The names pointing to this RVA. Each name will point inside the Names structure inside WINUM_CACHE_EX...
EXCEPTION_VICTIM_MODULE Library
The victim module of the modified library.
#define INT_STATUS_INVALID_PARAMETER_1
#define INT_STATUS_NOT_SUPPORTED
INTRO_PROCESS CurrentProcess
The current process.
VCPU_STATE * gVcpu
The state of the current VCPU.
void IntAlertFillWinUmModule(const WIN_PROCESS_MODULE *Module, INTRO_MODULE *EventModule)
Fills information about a user mode module inside an alert.
#define ZONE_PROC_THREAD_CTX
Used for the CONTEXT structure of a thread.
INTSTATUS IntGetCurrentRing(DWORD CpuNumber, DWORD *Ring)
Read the current protection level.
QWORD SourceVirtualAddress
The virtual address of the source buffer.
QWORD DestinationVirtualAddress
The virtual address of the destination buffer.
Context Frame for 64-bit guests.
QWORD PcrGla
The guest linear address of the _KPCR structure loaded by this CPU.
#define ZONE_WRITE
Used for write violation.
#define INT_STATUS_INVALID_PARAMETER_2
WINUM_CACHE_EXPORT * Export
The export cache for the modified module.
INTSTATUS IntWinThrGetUmStackBaseAndLimitFromTib(QWORD Tib, IG_CS_TYPE CsType, QWORD Cr3, QWORD *StackBase, QWORD *StackLimit)
Obtains the user mode stack base and stack limit values.
void IntExcept(EXCEPTION_VICTIM_ZONE *Victim, void *Originator, EXCEPTION_TYPE Type, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason, INTRO_EVENT_TYPE EventClass)
This function is the entry point for the exception mechanism.
INTSTATUS IntWinThrGetCurrentTib(IG_CS_RING CurrentRing, IG_CS_TYPE CsType, QWORD *Tib)
Obtain the TIB (Thread Information Block) of the thread running on the current CPU.
This structure describes a running process inside the guest.
#define INT_STATUS_INVALID_PARAMETER_3
INTSTATUS IntWinThrPrepareApcHandler(QWORD FunctionAddress, void *Handler, QWORD HandlerAddress)
This function is responsible for patching the detour that handles "NtQueueApcThreadEx". It is invoked every time "NtQueueApcThreadEx" is called (after the APC has been queued) but before the actual handler, IntWinThrHandleQueueApc; its purpose is to modify the hook code (see winhkhnd.h).