63 _In_ size_t ProtectedCount
75 for (
DWORD i = 0; i < ProtectedCount; i++)
119 if (Loaded && Module->LoadEventSent)
124 if (!Loaded && Module->UnloadEventSent)
129 if ((NULL == Module->Path) || (0 == Module->VirtualBase) || (0 == Module->Size))
135 memzero(pModEvent,
sizeof(*pModEvent));
137 pModEvent->
Loaded = Loaded;
138 pModEvent->
Protected = Module->ShouldProtHooks || Module->ShouldProtUnpack;
148 WARNING(
"[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
153 Module->LoadEventSent =
TRUE;
157 Module->UnloadEventSent =
TRUE;
182 list = Subsystem->ProcessModules.
Flink;
183 while (list != &Subsystem->ProcessModules)
208 if (NULL != Process->Subsystemx86)
213 if (NULL != Process->Subsystemx64)
240 strstr(pProc->
Name,
"java"))
313 if ((Data[0] !=
'M') || (Data[1] !=
'Z'))
315 ERROR(
"[ERROR] Module is not a valid MZ image: %x%x, 0x%016llx:0x%016llx\n", Data[0], Data[1], ModuleBase,
320 TRACE(
"[MODULE] Main module for process %llx (subsystem %d) has loaded!\n",
325 TRACE(
"[MODULE] Protecting module with base 0x%016llx -> 0x%016llx against unpacking.\n", ModuleBase, Cr3);
330 ERROR(
"[ERROR] IntWinModHookPoly failed: 0x%08x\n", status);
369 while ((k <
MAX_PATH) && (0 != targetPath[k]))
375 while ((k + 1 <
MAX_PATH) && (0 != TestModule[l]))
377 targetPath[k] = TestModule[l];
385 return wstrncasecmp_len(targetPath, Module->Path->Path, k, Module->Path->PathSize / 2);
462 ERROR(
"[ERROR] IntExceptKernelGetOriginator failed with status: 0x%08x\n", status);
465 informationOnly =
TRUE;
476 ERROR(
"[ERROR] IntExceptGetVictimEpt failed with status: 0x%08x\n", status);
479 informationOnly =
TRUE;
497 memzero(pEptViol,
sizeof(*pEptViol));
521 WARNING(
"[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
566 DWORD iatidx, iatesz;
582 WARNING(
"[WARNING] [SPECIAL-CASE] Process (pid: %d, eproc %llx, cr3 %llx, usercr3 %llx, name %s) " 583 "is not the current one (current cr3 %llx, gva %llx, gpa %llx, ac %d)\n",
588 WARNING(
"[WARNING] [SPECIAL-CASE] Process (pid: %d, eproc %llx, cr3 %llx, usercr3 %llx, name %s) " 602 goto _cleanup_and_exit;
623 goto _cleanup_and_exit;
629 memzero(&originator,
sizeof(originator));
630 memzero(&victim,
sizeof(victim));
640 ERROR(
"[ERROR] Failed getting originator: 0x%08x\n", status);
641 goto _send_notification;
655 ERROR(
"[ERROR] Failed getting modified zone: 0x%08x\n", status);
656 goto _send_notification;
671 memzero(pEptViol,
sizeof(*pEptViol));
695 WARNING(
"[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
770 DWORD sectionRva = 0;
771 DWORD sectionCount = 0;
776 pProc = Module->Subsystem->Process;
778 if (NULL == Module->Cache || NULL == Module->Cache->Headers)
780 ERROR(
"[ERROR] Invalid state where module doesn't has cache (%p) or headers!\n", Module->Cache);
784 #define MAX_IAT_ENTRIES 4096 786 Module->IATEntries = Module->Cache->Info.IatSize / (Module->Is64BitModule ? 8 : 4);
789 WARNING(
"[WARNING] Module `%s` has %d IAT entries. Will use MAX_IAT_ENTRIES.",
795 if (Module->IATEntries != 0)
800 if (NULL == Module->IATBitmap)
809 ERROR(
"[ERROR] IntHookObjectCreate failed: 0x%08x\n", status);
816 Module->Cache->Headers,
822 ERROR(
"[ERROR] IntPeListSectionsHeaders failed with status: 0x%08x\n", status);
826 TRACE(
"[MODULE] Protecting module '%s' loaded at 0x%016llx\n",
830 for (i = 0; i < sectionCount; i++, sec++)
839 INFO(
"[INFO] Skipping section from VA 0x%08x, size 0x%08x, which is larger than VadSize 0x%016llx\n",
847 memcpy(name, sec->
Name,
sizeof(sec->
Name));
848 name[
sizeof(sec->
Name)] = 0;
850 TRACE(
"[MODULE] Protecting pageable region: 0x%016llx, VA space 0x%016llx, length %x Name `%s`\n",
865 ERROR(
"[ERROR] IntHookObjectHookRegion failed: 0x%08x\n", status);
869 Module->IsProtected =
TRUE;
871 Module->Subsystem->ProtectedModulesCount++;
898 if (Module->ShouldProtUnpack && Module->Subsystem->Process->UnpackProtected)
903 ERROR(
"[ERROR] IntUnpUnWatchVaSpacePages failed: 0x%08x\n", status);
908 if (NULL != Module->HookObject)
913 ERROR(
"[ERROR] IntHookObjectDestroy failed: 0x%08x\n", status);
917 if (NULL != Module->ModBlockObject)
922 ERROR(
"[ERROR] IntWinModBlockRemoveBlockObject failed: 0x%08x\n", status);
926 if (Module->IsProtected)
928 Module->Subsystem->ProtectedModulesCount--;
931 Module->IsProtected =
FALSE;
974 LOG(
"[WINMODULE] The VAD 0x%016llx belonging to module %s seems to not be inside the tree yet, " 1025 if (NULL == Context)
1054 TRACE(
"[MODULE] Protecting module with base 0x%016llx -> 0x%016llx against hooking.\n", VirtualAddress, Cr3);
1059 ERROR(
"[ERROR] IntWinModHookModule failed: 0x%08x\n", status);
1093 pSubs = Module->Subsystem;
1110 if (
wstrncasecmp(Module->Path->Path, u
"\\windows\\syswow64\\",
CWSTRLEN(u
"\\windows\\syswow64\\")) == 0)
1112 Module->IsSystemModule =
TRUE;
1118 if (
wstrncasecmp(Module->Path->Path, u
"\\windows\\system32\\",
CWSTRLEN(u
"\\windows\\system32\\")) == 0)
1120 Module->IsSystemModule =
TRUE;
1126 TRACE(
"[MODULE] Module '%s' (%08x) just loaded at 0x%016llx in process '%s' (pid = %d)\n",
1127 utf16_for_log(Module->Path->Path), Module->Path->NameHash, Module->VirtualBase, pProc->
Name, pProc->
Pid);
1133 Module->IsMainModule =
TRUE;
1149 TRACE(
"[INFO] Application '%s' was not found among the protected ones, will remove protection.\n",
1155 ERROR(
"[ERROR] IntWinProcUnprotect failed: 0x%08x\n", status);
1162 if (Module->IsSystemModule)
1165 (0 ==
wstrcasecmp(Module->Path->Name, u
"ntdll.dll")))
1167 Module->Subsystem->NtdllBase = Module->VirtualBase;
1168 Module->Subsystem->NtdllSize = Module->Size;
1170 Module->Subsystem->NtdllLoadCount++;
1173 (0 ==
wstrcasecmp(Module->Path->Name, u
"kernel32.dll")))
1175 Module->Subsystem->Kernel32LoadCount++;
1184 Module->ShouldGetCache =
TRUE;
1192 Module->ShouldGetCache =
TRUE;
1197 Module->ShouldGetCache =
TRUE;
1204 Module->ShouldProtUnpack =
TRUE;
1207 if (Module->ShouldGetCache)
1211 if (NULL == Module->Cache)
1213 ERROR(
"[ERROR] Module->Cache is NULL after IntWinUmModCacheGet!\n");
1218 Module->VirtualBase,
1225 &Module->HeadersSwapHandle);
1228 ERROR(
"[ERROR] IntSwapMemReadData failed: 0x%08x\n", status);
1234 if (Module->ShouldProtUnpack)
1237 Module->VirtualBase,
1244 &Module->HeadersSwapHandle);
1247 ERROR(
"[ERROR] IntSwapMemReadData failed: 0x%08x\n", status);
1280 if (Vad->PageCount *
PAGE_SIZE > 0xFFFFFFFF)
1282 ERROR(
"[ERROR] Module greater than 4GB!\n");
1300 if (!Process->Wow64Process)
1302 pMod->
Subsystem = Process->Subsystemx64;
1317 if (
wstrncasecmp(Vad->Path->Path, u
"\\windows\\system32\\",
wstrlen(u
"\\windows\\system32\\")) == 0)
1319 pMod->
Subsystem = Process->Subsystemx64;
1324 pMod->
Subsystem = Process->Subsystemx86;
1331 pMod->
Subsystem = Process->Subsystemx86;
1340 ERROR(
"[ERROR] IntWinModHandleModuleNameInMemory failed: 0x%08x\n", status);
1357 pMod64->
Subsystem = Process->Subsystemx64;
1367 ERROR(
"[ERROR] IntWinModHandleModuleNameInMemory failed: 0x%08x\n", status);
1397 list = Subsystem->ProcessModules.
Flink;
1398 while (list != &Subsystem->ProcessModules)
1454 if (NULL != Process->Subsystemx86)
1463 if (NULL != Process->Subsystemx64)
1499 if (NULL == Context)
1507 if (NULL == pMod->
Cache)
1547 pProc = Module->Subsystem->Process;
1552 ERROR(
"[ERROR] IntVirtMemMap failed: 0x%08x\n", status);
1559 ERROR(
"[ERROR] IntPeValidateHeader failed: 0x%08x\n", status);
1560 goto cleanup_and_exit;
1579 TRACE(
"[MODULE] Protecting pageable section: 0x%016llx, VA space 0x%016llx, length %x\n",
1591 ERROR(
"[ERROR] IntUnpWatchPage failed: 0x%08x\n", status);
1614 _In_ PINSTRUX Instrux,
1633 char text[ND_MIN_BUF_SIZE];
1636 if (NULL == Instrux)
1641 if (NULL == Context)
1653 status = NdToText(Instrux, VirtualAddress, ND_MIN_BUF_SIZE, text);
1656 strlcpy(text,
"INVALID",
sizeof(text));
1659 LOG(
"[ALERT] [UNPACK DETECTED] Unpacked/decrypted page detected @ 0x%016llx:0x%016llx: %s\n", VirtualAddress, Cr3,
1669 memzero(pEptViol,
sizeof(*pEptViol));
1705 WARNING(
"[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
1743 if (NULL != Module->HeadersSwapHandle)
1748 ERROR(
"[ERROR] IntSwapMemRemoveTransaction failed: 0x%08x\n", status);
1751 Module->HeadersSwapHandle = NULL;
1754 if (NULL != Module->ExportsSwapHandle)
1759 ERROR(
"[ERROR] IntSwapMemRemoveTransaction failed: 0x%08x\n", status);
1762 Module->ExportsSwapHandle = NULL;
1765 if (NULL != Module->SlackSpaceSwapHandle)
1770 ERROR(
"[ERROR] IntSwapMemRemoveTransaction failed: 0x%08x\n", status);
1773 Module->SlackSpaceSwapHandle = NULL;
1776 if (NULL != Module->MainModHeadersSwapHandle)
1781 ERROR(
"[ERROR] IntSwapMemRemoveTransaction failed: 0x%08x\n", status);
1784 Module->MainModHeadersSwapHandle = NULL;
1789 if (Module->IsMainModule)
1792 Module->Subsystem->Process->MainModuleLoaded =
FALSE;
1797 if (NULL != Module->IATBitmap)
1824 pList = Subsystem->ProcessModules.
Flink;
1825 while (pList != &Subsystem->ProcessModules)
1829 pList = pList->
Flink;
1838 if ((
winSubsys64Bit == Subsystem->SubsystemType) && (Subsystem->Process->Wow64Process))
1844 TRACE(
"[WINMODULE] PROC_PROT_MASK_CORE_HOOKS enabled -> disabled for %s (Process %d)\n",
1848 else if (!pMod->
ShouldProtHooks && Subsystem->Process->ProtCoreModules)
1850 TRACE(
"[WINMODULE] PROC_PROT_MASK_CORE_HOOKS disabled -> enabled for %s (Process %d)\n",
1856 TRACE(
"[WINMODULE] PROC_PROT_MASK_CORE_HOOKS did not changed for %s (Process %d)\n",
1867 TRACE(
"[WINMODULE] PROC_PROT_MASK_CORE_HOOKS enabled -> disabled for %s (Process %d)\n",
1871 else if (!pMod->
ShouldProtHooks && Subsystem->Process->ProtCoreModules)
1873 TRACE(
"[WINMODULE] PROC_PROT_MASK_CORE_HOOKS disabled -> enabled for %s (Process %d)\n",
1879 TRACE(
"[WINMODULE] PROC_PROT_MASK_CORE_HOOKS did not changed for %s (Process %d)\n",
1889 TRACE(
"[WINMODULE] PROC_PROT_MASK_WSOCK_HOOKS enabled -> disabled for %s (Process %d)\n",
1893 else if (!pMod->
ShouldProtHooks && Subsystem->Process->ProtWsockModules)
1895 TRACE(
"[WINMODULE] PROC_PROT_MASK_WSOCK_HOOKS disabled -> enabled for %s (Process %d)\n",
1901 TRACE(
"[WINMODULE] PROC_PROT_MASK_WSOCK_HOOKS did not changed for %s (Process %d)\n",
1915 TRACE(
"[WINMODULE] PROC_PROT_MASK_UNPACK enabled -> disabled for %s (Process %d). " 1917 Subsystem->Process->Pid, Subsystem->Process->Cr3);
1922 ERROR(
"[ERROR] IntUnpUnWatchVaSpacePages failed: 0x%x\n", status);
1931 TRACE(
"[WINMODULE] PROC_PROT_MASK_UNPACK disabled -> enabled for %s (Process %d)\n",
1937 ERROR(
"[ERROR] IntWinModHookPoly failed: 0x%x\n", status);
1944 TRACE(
"[WINMODULE] PROC_PROT_MASK_UNPACK did not changed for %s (Process %d)\n",
1953 TRACE(
"[WINMODULE] Protecting module with base 0x%016llx -> 0x%016llx against hooking.\n",
1959 ERROR(
"[ERROR] IntWinModHookModule failed for %s (Process %d): 0x%x\n",
1965 TRACE(
"[WINMODULE] Removing protection for module with base 0x%016llx -> 0x%016llx\n",
1992 if (NULL != Process->Subsystemx64)
1994 list = Process->Subsystemx64->ProcessModules.
Flink;
1995 while (list != &Process->Subsystemx64->ProcessModules)
2007 if (NULL != Process->Subsystemx86)
2009 list = Process->Subsystemx86->ProcessModules.
Flink;
2010 while (list != &Process->Subsystemx86->ProcessModules)
WINUM_PATH * Path
Module path.
#define IMAGE_SCN_MEM_EXECUTE
int wstrncasecmp(const WCHAR *buf1, const WCHAR *buf2, size_t len)
DWORD Is64BitModule
TRUE if the module is 64 bit.
struct _EXCEPTION_KM_ORIGINATOR::@63 Original
PBYTE IATBitmap
A bitmap indicating which IAT entries have been initialized.
enum _INTRO_ACTION_REASON INTRO_ACTION_REASON
The reason for which an INTRO_ACTION was taken.
INTRO_CODEBLOCKS CodeBlocks
Code blocks extracted for the alert.
#define CONTAINING_RECORD(List, Type, Member)
#define ROUND_UP(what, to)
DWORD NtdllSize
The size of ntdll.dll.
static INTSTATUS IntWinModHookModule(PWIN_PROCESS_MODULE Module)
Hook a user-mode module against attacks.
INTSTATUS IntVirtMemUnmap(void **HostPtr)
Unmaps a memory range previously mapped with IntVirtMemMap.
An internal error occurred (no memory, pages not present, etc.).
INTSTATUS IntHookObjectDestroy(HOOK_OBJECT_DESCRIPTOR **Object, DWORD Flags)
Destroy an entire hook object. All regions belonging to this object will be removed.
BYTE Violation
The type of the access. It must be one of the IG_EPT_HOOK_TYPE values.
#define NAMEHASH_KERNELBASE
IG_ARCH_REGS Regs
The current state of the guest registers.
DWORD IatSize
Size of the imports table.
DWORD Index
The VCPU number.
MITRE_ID MitreID
The Mitre ID that corresponds to this attack.
#define NAMEHASH_WOW64CPU
#define INT_STATUS_SUCCESS
const VAD * Vad
The VAD which describes this module.
Measures user mode exceptions checks.
DWORD ShouldProtHooks
TRUE if the module should be protected against hooks.
#define IMAGE_SCN_MEM_READ
static INTSTATUS IntWinModHandleModulePathInMemory(WIN_PROCESS_MODULE *Module, WINUM_PATH *Path)
Handles a module path in memory.
#define MODULE_MATCH(m, p)
void IntAlertFillWinProcess(const WIN_PROCESS_OBJECT *Process, INTRO_PROCESS *EventProcess)
Saves information about a windows process inside an alert.
DWORD ProtCoreModules
Protect the core module loaded by the process.
void IntWinUmModCacheRelease(WINUM_MODULE_CACHE *Cache)
Removes a module cache, if it was written (it's dirty).
INTSTATUS IntSwapMemReadData(QWORD Cr3, QWORD VirtualAddress, DWORD Length, DWORD Options, void *Context, DWORD ContextTag, PFUNC_PagesReadCallback Callback, PFUNC_PreInjectCallback PreInject, void **SwapHandle)
Reads a region of guest virtual memory, and calls the indicated callback when all the data is availab...
struct _LIST_ENTRY * Flink
INTSTATUS IntWinProcUnprotect(WIN_PROCESS_OBJECT *Process)
Remove a process from protection.
static INTSTATUS IntWinModHandleMainModuleInMemory(void *Context, QWORD Cr3, QWORD ModuleBase, QWORD PhysicalAddress, PBYTE Data, DWORD DataSize, DWORD Flags)
Callback called when the main module headers are present in physical memory.
QWORD HookStartPhysical
The start of the monitored guest physical memory area for which this alert was generated.
struct _WINUM_MODULE_CACHE::@236 Info
#define IMAGE_SCN_MEM_WRITE
static int IntWinModComparePaths(const WIN_PROCESS_MODULE *Module, const WCHAR *SystemDirPath, const WCHAR *TestModule)
Tests whether the Module's path is the same as the TestModules' path inside the provided SystemDirPat...
#define INT_SUCCESS(Status)
Event structure for module loading and unloading.
void IntWinModulesChangeProtectionFlags(PWIN_PROCESS_SUBSYSTEM Subsystem)
Change the protection flags applied to the process modules that are currently loaded.
struct _EVENT_EPT_VIOLATION::@277 Victim
QWORD Flags
A combination of ALERT_FLAG_* values describing the alert.
#define PROC_OPT_PROT_WSOCK_HOOKS
Blocks hooks being set on Wininet user-mode DLLs (Windows only).
QWORD SectionOffset
Offset of the first section header.
The action was not allowed because there was no reason to allow it.
CHAR Instruction[ALERT_MAX_INSTRUX_LEN]
The instruction found at RIP, in textual form.
BOOLEAN FirstDominoJavaIgnored
TRUE if the first Domino Java execution VAD was ignored.
EVENT_MODULE_EVENT Module
QWORD IntHookGetGlaFromGpaHook(HOOK_GPA const *Hook, QWORD Address)
Gets the GLA from a GPA hook.
INTSTATUS IntWinModHandleWrite(void *Context, void *Hook, QWORD Address, INTRO_ACTION *Action)
Handle writes inside a protected user-mode module wrapper. Will dispatch appropriately to either the ...
Windows process subsystem.
DWORD UnpackProtected
TRUE if the main module has been protected against unpacks.
Writes done from kernel mode over user mode.
#define INT_STATUS_NOT_NEEDED_HINT
Describes a user-mode originator.
#define HpAllocWithTag(Len, Tag)
int INTSTATUS
The status data type.
INTSTATUS IntWinModPolyHandler(QWORD Cr3, QWORD VirtualAddress, PINSTRUX Instrux, void *Context)
Handle an unpack event for the indicated address.
void IntWinUmPathDereference(WINUM_PATH **Path)
Dereferences a WINUM_PATH object, releasing the resources if the reference count has reached 0...
INTSTATUS IntWinModHandleLoadFromVad(WIN_PROCESS_OBJECT *Process, const VAD *Vad)
Handle a module load from a VAD.
#define INT_STATUS_NOT_FOUND
static INTSTATUS IntWinModHookPoly(PWIN_PROCESS_MODULE Module)
Hooks the given module against unpacks.
DWORD IsProtected
TRUE if the module is actually hooked.
#define MAX_PATH
The maximum size of a path (260 characters on windows).
void IntExceptKernelUserLogInformation(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason)
Print the information about a kernel-user mode violation and dumps the code-blocks.
QWORD Rip
The value of the guest RIP register when the event was generated.
struct _WIN_PROCESS_MODULE * PWIN_PROCESS_MODULE
INTSTATUS IntWinModRemoveModule(PWIN_PROCESS_MODULE Module)
Removes a Windows module.
Describes a kernel-mode originator.
static INTSTATUS IntWinModHandleUserWrite(void *Context, void *Hook, QWORD Address, INTRO_ACTION *Action)
Handle user-mode writes inside a protected user-mode module.
BOOLEAN UserMode
True if this is a user mode module, False if it is a kernel mode module.
void IntAlertFillCpuContext(BOOLEAN CopyInstruction, INTRO_CPUCTX *CpuContext)
Fills the current CPU context for an alert.
INSTRUX Instruction
The current instruction, pointed by the guest RIP.
QWORD VirtualBase
Guest virtual address of the loaded module.
QWORD VadGva
The guest virtual address at which the corresponding Windows _MMVAD structure is located.
QWORD MainModuleAddress
The address of the main module.
BOOLEAN IsDominoJava
True if this is a Java IBM process and j9jit.dll is loaded.
QWORD HookStartVirtual
The start of the monitored guest virtual memory area for which this alert was generated.
INTSTATUS IntWinModUnHookModule(PWIN_PROCESS_MODULE Module)
Remove the protection from the indicated module.
Process subsystem type 32 bit.
DWORD Protected
TRUE if this is a protected process. If this is FALSE, most of the above fields aren't used at all...
#define ALERT_FLAG_KM_UM
If set, the alert was generated by a kernel to user mode violation.
void IntAlertFillVersionInfo(INTRO_VIOLATION_HEADER *Header)
Fills version information for an alert.
DWORD Wow64Process
TRUE if this is a 32 bit process on a 64 bit OS.
DWORD AccessSize
The size of the memory access. Valid only for EPT exits.
QWORD IntAlertProcGetFlags(QWORD ProtectionFlag, const void *Process, INTRO_ACTION_REASON Reason, QWORD AdditionalFlags)
Returns the flags for an alert.
INTRO_VIOLATION_HEADER Header
The alert header.
const PROTECTED_PROCESS_INFO * IntWinProcGetProtectedInfoEx(PWCHAR Path, BOOLEAN IsSystem)
Returns a pointer to the PROTECTED_PROCESS_INFO structure for the given process Path.
INTRO_ACTION_REASON Reason
The reason for which Action was taken.
INTSTATUS IntAlertFillCodeBlocks(QWORD Rip, QWORD Cr3, BOOLEAN Execute, INTRO_CODEBLOCKS *CodeBlocks)
Fills the code blocks pattern for an alert.
QWORD NtdllBase
The base address for ntdll.dll.
QWORD Cr3
Process PDBR. Includes PCID.
DWORD MainModuleLoaded
TRUE if the main module has been loaded.
BOOLEAN MainModuleLoaded
TRUE if the MainModule was loaded.
void IntAlertEptFillFromKmOriginator(const EXCEPTION_KM_ORIGINATOR *Originator, EVENT_EPT_VIOLATION *EptViolation)
Fills kernel mode originator information inside an EPT alert.
GENERIC_ALERT gAlert
Global alert buffer.
static INTSTATUS IntWinModHandleUnload(PWIN_PROCESS_SUBSYSTEM Subsystem, QWORD VirtualBase)
Handle a module unload from the given subsystem.
INTSTATUS IntSwapMemRemoveTransaction(void *Transaction)
Remove a transaction.
WINUM_PATH * Path
Will point inside the loaded modules list to the full process path.
BOOLEAN IntPolicyProcTakeAction(QWORD Flag, void const *Process, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason)
Returns the action that should be taken for a process protection option.
void IntAlertEptFillFromVictimZone(const EXCEPTION_VICTIM_ZONE *Victim, EVENT_EPT_VIOLATION *EptViolation)
Fills the victim information inside an EPT alert.
size_t wstrlen(const WCHAR *str)
INTRO_CPUCTX CpuContext
The context of the CPU that triggered the alert.
INTSTATUS IntWinProcSendAllDllEventsForProcess(PWIN_PROCESS_OBJECT Process)
Send DLL load events for all modules loaded in all subsystems of a process.
static QWORD IntWinModGetProtectionOptionForModule(WIN_PROCESS_MODULE *Module)
Get the protection options for provided module.
INTSTATUS IntNotifyIntroEvent(INTRO_EVENT_TYPE EventClass, void *Param, size_t EventSize)
Notifies the integrator about an introspection alert.
static BOOLEAN RemoveEntryList(LIST_ENTRY *Entry)
BOOLEAN Guest64
True if this is a 64-bit guest, False if it is a 32-bit guest.
INTSTATUS IntExceptGetVictimEpt(void *Context, QWORD Gpa, QWORD Gva, INTRO_OBJECT_TYPE Type, DWORD ZoneFlags, EXCEPTION_VICTIM_ZONE *Victim)
Fills an EXCEPTION_VICTIM_ZONE with relevant information from an EPT violation.
static INTSTATUS IntWinProcSendAllDllEventsForSubsystem(PWIN_PROCESS_SUBSYSTEM Subsystem)
Send a module load event for each loaded module inside a subsystem.
CHAR Name[IMAGE_BASE_NAME_LEN]
Process base name.
static void IntWinModCheckSpecialCases(PWIN_PROCESS_MODULE Module)
Check if the process is DominoJava process.
QWORD Current
The currently used options.
DWORD LoadedModulesCount
The number of modules that were loaded.
static INTSTATUS IntWinModHandleModuleHeadersInMemory(void *Context, QWORD Cr3, QWORD VirtualAddress, QWORD PhysicalAddress, PBYTE Data, DWORD DataSize, DWORD Flags)
Called as soon as the module headers are swapped in memory.
INTSTATUS IntPeListSectionsHeaders(QWORD ImageBase, BYTE *ImageBuffer, DWORD ImageBufferSize, DWORD *FirstSectionOffset, DWORD *SectionCount)
Will get the offset to the first section header and the number of sections from the given module...
union _IMAGE_SECTION_HEADER::@209 Misc
DWORD ShouldProtUnpack
TRUE if the module should be protected against unpack.
QWORD UserCr3
Process user PDBR. Includes PCID.
#define IN_RANGE_LEN(x, start, len)
#define INT_STATUS_INVALID_PARAMETER_4
BYTE NtdllLoadCount
Number of ntdll.dll loads.
#define IS_KERNEL_POINTER_WIN(is64, p)
Checks if a guest virtual address resides inside the Windows kernel address space.
QWORD NumberOfSections
Number of sections.
QWORD Gpa
The accessed guest physical address. Valid only for EPT exits.
#define HpFreeAndNullWithTag(Add, Tag)
PWIN_PROCESS_OBJECT IntWinProcFindObjectByCr3(QWORD Cr3)
Finds a process by its kernel CR3.
BOOLEAN IntWinVadIsInTree(const VAD *Vad)
Checks if a VAD is inserted in a guest VAD tree.
#define INT_STATUS_INVALID_PARAMETER_5
#define INT_STATUS_INVALID_INTERNAL_STATE
static INTSTATUS IntWinModHandleKernelWrite(void *Context, void *Hook, QWORD Address, INTRO_ACTION *Action)
Handle writes inside a protected user-mode module from kernel-mode.
#define INTRO_OPT_EVENT_MODULES
Enable user mode and kernel mode module load and unload events (generates introEventModuleEvent event...
INTSTATUS IntWinModHandleUnloadFromVad(PWIN_PROCESS_OBJECT Process, PVAD Vad)
Handle a module unload.
struct _WIN_PROCESS_OBJECT * Process
The process object related to this subsystem.
static void InsertTailList(LIST_ENTRY *ListHead, LIST_ENTRY *Entry)
WINUM_PATH * IntWinUmPathReference(WINUM_PATH *Path)
Increases the reference count of the given WINUM_PATH object.
INTRO_EXEC_CONTEXT ExecContext
Information about the instruction that triggered the alert.
BOOLEAN Loaded
True if the module was loaded, False if it was unloaded.
size_t strlcpy(char *dst, const char *src, size_t dest_size)
BYTE Kernel32LoadCount
Number of kernel32.dll loads.
#define INT_STATUS_ALREADY_INITIALIZED_HINT
DWORD Pid
Process ID (the one used by Windows).
Process subsystem type 64 bit.
INTSTATUS IntExceptUserGetOriginator(void *Process, BOOLEAN ModuleWrite, QWORD Address, INSTRUX *Instrux, EXCEPTION_UM_ORIGINATOR *Originator)
This function is used to get the information about the user-mode originator.
Sent when an EPT violation triggers an alert. See EVENT_EPT_VIOLATION.
Describes the modified zone.
static BOOLEAN IntWinModWriteValidHandler(QWORD Cr3, QWORD Address, void *Context)
Checks if a write inside a code section is legitimate or not.
#define UNREFERENCED_PARAMETER(P)
DWORD NameHash
The CRC32 hash of the name. Used for fast matching.
void IntWinUmModCacheGet(WIN_PROCESS_MODULE *Module)
Initializes the cache for the provided module.
const PROTECTED_DLL_INFO gProtectedWowModules[]
INTSTATUS IntUnpUnWatchVaSpacePages(QWORD Cr3)
Stop monitoring all pages belonging to a virtual address space.
#define PROC_OPT_PROT_CORE_HOOKS
Blocks hooks being set on core user-mode DLLs.
void IntAlertEptFillFromUmOriginator(const EXCEPTION_UM_ORIGINATOR *Originator, EVENT_EPT_VIOLATION *EptViolation)
Fills user mode originator information inside an EPT alert.
INTRO_PROCESS CurrentProcess
The currently active process.
INTSTATUS IntPeValidateHeader(QWORD ImageBase, BYTE *ImageBaseBuffer, DWORD ImageBaseBufferSize, INTRO_PE_INFO *PeInfo, QWORD Cr3)
Validates a PE header.
LIST_ENTRY Link
List entry element.
enum _INTRO_ACTION INTRO_ACTION
Event actions.
BOOLEAN IntPolicyProcForceBetaIfNeeded(QWORD Flag, void *Process, INTRO_ACTION *Action)
Checks if a forced action should be taken even if the process log-only mode is active.
#define IMAGE_SCN_CNT_CODE
#define _In_reads_bytes_(expr)
QWORD Rip
The RIP from where the call to the exported function came.
#define INT_STATUS_INVALID_OBJECT_TYPE
INTRO_MODULE Module
The module for which this event was triggered.
DWORD UnpackAlertSent
TRUE if unpack alerts have been sent.
WCHAR * Name
The name of the module contained in the path.
LIST_HEAD ProcessModules
List of process modules.
DWORD Offset
The offset inside the page where the violation took place.
__must_check INTSTATUS IntVirtMemMap(QWORD Gva, DWORD Length, QWORD Cr3, DWORD Flags, void **HostPtr)
Maps a guest virtual memory range inside Introcore virtual address space.
void * HeadersSwapHandle
Swap handle for the headers.
QWORD Cr3
The value of the guest CR3 register when the event was generated.
INTSTATUS IntWinModHandlePreInjection(void *Context, QWORD Cr3, QWORD VirtualAddress)
Module base page-fault pre-injection callback.
const PROTECTED_DLL_INFO gProtectedModules[]
QWORD EprocessAddress
This will be the address of the ActiveProcess field.
#define ALERT_FLAG_SYSPROC
If set, the alert is on system process.
DWORD SystemProcess
TRUE if this is a system process.
GUEST_STATE gGuest
The current guest state.
WINUM_MODULE_CACHE * Cache
Module headers cache.
void IntAlertFillWinProcessByCr3(QWORD ProcessCr3, INTRO_PROCESS *EventProcess)
Saves information about a Windows process inside an alert. The process is searched by its kernel CR3...
Exposes the types, constants and functions needed to block Windows module loads (used to block double...
#define IMAGE_SCN_MEM_DISCARDABLE
#define CWSTRLEN(Wstring)
static INTSTATUS IntWinProcSendDllEvent(PWIN_PROCESS_MODULE Module, BOOLEAN Loaded)
Send a DLL load/unload event to the integrator.
WIN_SUBSYTEM_TYPE SubsystemType
Process subsystem type.
INTRO_ACTION Action
The action that was taken as the result of this alert.
int wstrcasecmp(const WCHAR *buf1, const WCHAR *buf2)
PWIN_PROCESS_MODULE IntWinUmModFindByAddress(PWIN_PROCESS_OBJECT Process, QWORD Gva)
Searches for a user-mode module which contains the indicated guest virtual address.
INTSTATUS IntWinDagentCheckSuspiciousDllLoad(WIN_PROCESS_MODULE *Module)
Checks if the given module is suspicious of loading through the double agent technique and calls the ...
QWORD VirtualPage
The guest virtual page in which the access was made.
INTSTATUS IntHookObjectHookRegion(void *Object, QWORD Cr3, QWORD Gla, SIZE_T Length, BYTE Type, void *Callback, void *Context, DWORD Flags, HOOK_REGION_DESCRIPTOR **Region)
Hook a contiguous region of virtual memory inside the provided virtual address space.
DWORD ProtUnpack
Protect process against unpacking attempts.
DWORD IATEntries
Number of IAT entries.
#define INT_STATUS_NOT_INITIALIZED_HINT
char * utf16_for_log(const WCHAR *WString)
Converts a UTF-16 to a UTF-8 string to be used inside logging macros.
#define INT_STATUS_INVALID_PARAMETER_1
DWORD StaticScan
TRUE if the module was found by statically enumerating process modules.
INTRO_PROCESS CurrentProcess
The current process.
Kernel-User mode exception.
VCPU_STATE * gVcpu
The state of the current VCPU.
void IntAlertFillWinUmModule(const WIN_PROCESS_MODULE *Module, INTRO_MODULE *EventModule)
Fills information about a user mode module inside an alert.
static int wstrncasecmp_len(const WCHAR *buf1, const WCHAR *buf2, size_t len_buf1, size_t len_buf2)
UINT8 Name[IMAGE_SIZEOF_SHORT_NAME]
INTRO_MODULE Module
The module that did the malicious access.
DWORD SizeOfImage
Size of the image.
INTRO_EXEC_INFO ExecInfo
Execution information. Valid only if Violation is IG_EPT_HOOK_EXECUTE.
Event structure for EPT violations.
DWORD ProtWsockModules
Protect the Windows Socket related modules.
PWIN_PROCESS_SUBSYSTEM Subsystem
Module subsystem.
INTSTATUS IntWinUmModCacheSetHeaders(WIN_PROCESS_MODULE *Module, BYTE *Headers)
Sets the MZ/PE headers in the cache of a given module.
DWORD Length
The length of the instruction.
#define NAMEHASH_KERNEL32
INTSTATUS IntUnpWatchPage(QWORD Cr3, QWORD VirtualAddress, PFUNC_PageUnpackedCallback UnpackCallback, PFUNC_PageIsWriteValid WriteCheckCallback, void *CallbackContext)
Monitor a page against unpacking.
DWORD IatRva
RVA of the imports table.
static BOOLEAN IntWinModIsProtected(const WIN_PROCESS_MODULE *Module, const PROTECTED_DLL_INFO *ProtectedList, size_t ProtectedCount)
Check if the given module is in the provided list of protected modules.
A representation of a Windows VAD structure.
DWORD IsMainModule
TRUE if this is the main module.
DWORD IsSystemModule
TRUE if this is a system module (loaded from system32 or syswow64).
INTSTATUS IntExceptKernelGetOriginator(EXCEPTION_KM_ORIGINATOR *Originator, DWORD Options)
This function is used to get the information about the kernel-mode originator.
INTSTATUS IntAlertFillExecContext(QWORD Cr3, INTRO_EXEC_CONTEXT *ExecContext)
Fills the current execution context.
#define ZONE_WRITE
Used for write violation.
#define INT_STATUS_INVALID_PARAMETER_2
INTRO_PROT_OPTIONS CoreOptions
The activation and protection options for this guest.
DWORD Size
Virtual size of the module.
QWORD Gla
The accessed guest virtual address. Valid only for EPT exits.
#define NAMEHASH_WOW64WIN
INTSTATUS IntHookObjectCreate(DWORD ObjectType, QWORD Cr3, void **Object)
Create a new hook object.
const WCHAR * strstr_utf16(const WCHAR *buf1, const WCHAR *buf2)
#define SWAPMEM_OPT_UM_FAULT
If set, the PF must be injected only while in user-mode. Use it when reading user-mode memory...
void IntExcept(EXCEPTION_VICTIM_ZONE *Victim, void *Originator, EXCEPTION_TYPE Type, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason, INTRO_EVENT_TYPE EventClass)
This function is the entry point for the exception mechanism.
BOOLEAN Protected
True if the module is protected.
INTSTATUS IntWinModBlockRemoveBlockObject(void *BlockObject)
This function is used in order to destroy a WIN_MOD_BLOCK_OBJECT structure.
INTRO_OBJECT_TYPE Type
The type of the accessed memory area.
This structure describes a running process inside the guest.
#define INT_STATUS_INSUFFICIENT_RESOURCES
WCHAR * Path
The string which represents the user-mode module path.
const PROTECTED_DLL_INFO gProtectedNetModules[]
1.8.13