Systemguard runtime monitor
# What is System Guard Runtime Monitor? (SGRM)

System Guard Runtime Monitor (SGRM) is a component of Windows Defender (WD) that was introduced in a Windows update and has been present since as a key component for ensuring system integrity. Another name for this component is Octagon, which is assumed to be Microsoft's internal project name, with System Guard Runtime Monitor used as the public name when marketing Windows Defender. For SGRM to work, a device must have Virtual Secure Mode enabled, as the protection makes use of Virtual Trust Levels to minimize the attack surface of the core attestation Lua engine.

Microsoft, in a 2018 blog post, describes SGRM like this: "If important security features should fail, users should be aware. Windows Defender System Guard runtime attestation, a new Windows platform security technology, fills this need". Simply put, SGRM is an anti-tampering mechanism for your modern Windows device. In this post, I'll go into the details behind how SGRM works, the Lua component, the integrity checks performed, the RPC service, and more, from a brief reverse-engineering standpoint of this WD component.

We'll quickly take a look at some of the components of SGRM, to provide some context before going through the details of each individual component:

  - SgrmAgent.sys, the agent driver, exposes functionality for use within the assertion assist wrappers used by SgrmBroker.
  - A client API that exposes assists to the SGRM runtime when it performs assertions.
  - SgrmEnclave_secure.dll, the Lua assertion engine, contains the Lua runtime and runs in VTL-1.
  - The enclave controller shim, which hosts the assertion engine, in VTL-1 or in another mode of operation.
  - A local RPC service, which exposes a method to send an HTTP POST request to a specified endpoint.
  - A component that talks to SgrmBroker.exe via that API.

On the enclave side, the broker has a helper class named EnclaveControllerVsm (Virtual Secure Mode Enclave Host Controller) in which SgrmEnclave_secure.dll resides. Upon initialization, EnclaveControllerVsm checks whether the enclave type ENCLAVE_TYPE_VBS is supported by the processor. SgrmEnclave_secure.dll is the assertion engine, with the Lua engine embedded. Structures referenced here include _SGRM_MAILBOX_REQ and RTL_PROCESS_MODULE_INFORMATION_EX (PRTL_PROCESS_MODULE_INFORMATION_EX).

# Systemguard runtime monitor driver

The agent driver, %WINDIR%\System32\drivers\SgrmAgent.sys, provides kernel-level assists to the SgrmBroker assist engine, which runs in user mode. When the driver starts, a new secure device is created under \Device\MSSGRMAGENTSYS, with a symbolic link pointing to this device under \\?\MSSGRMAGENTSYS. An Event Tracing for Windows (ETW) provider is also registered; violations of the checks the driver implements are sent to this provider throughout execution.

After this has completed, the driver requests a kernel extension host from ntoskrnl, using the (mostly undocumented) API ExRegisterHost, under PspOctExtensionHost, from PspOctExtensionInterface. Registering this host gives the driver straight up, direct kernel access to certain functions, almost as if the agent code were running within ntoskrnl itself. A table of extension functions is initialized with a pool tag of 0x2000D.

To initialize the driver, IOCTL 0x9C402480 must be sent to the device; the dispatch routine then calls the internal function OctpHandleInitRequest. The driver has several checks in place to ensure the integrity of the user-mode caller:

  - The device is bound to the SgrmBroker (OctBroker) service SID upon creation, via WdmlibIoCreateDeviceSecure.
  - Within the dispatch routine, the driver can only be initialized once, so effectively only a single handle is open at any one time.
  - Only Windows TCB-signed processes (not to be confused with the Thread Control Block) can open a handle. Windows Defender itself runs as a Protected Process Light (PPL) under the anti-malware signer, and that trust level would not suffice.

For example, if the driver has already been initialized in OctpHandleInitRequest, a further initialization request causes the driver to write an event to the ETW provider mentioned above and deny access.
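The first of the driver's caller checks, the device DACL bound to the SgrmBroker service SID, is something a defender can verify on a live system. As an added example (not code from the post or from Microsoft), the following Python derives the NT SERVICE SID from a service name and audits an SDDL DACL for any access-allowed ACE that grants a principal outside the intended set; the SDDL shape in device_sddl is an assumption for illustration, not the driver's actual descriptor, and the service name "SgrmBroker" is taken from the text above.

```python
import hashlib
import re

def service_sid(service_name: str) -> str:
    """Derive the NT SERVICE\\<name> SID (S-1-5-80-...) from a service name.

    Windows builds these virtual service SIDs deterministically: SHA-1 of the
    upper-cased service name encoded as UTF-16LE, split into five little-endian
    32-bit sub-authorities appended to S-1-5-80.
    """
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    subs = [int.from_bytes(digest[i:i + 4], "little") for i in range(0, 20, 4)]
    return "S-1-5-80-" + "-".join(str(s) for s in subs)

# One parenthesised ACE at a time: (type;flags;rights;object;inherit_object;trustee)
ACE_RE = re.compile(r"\(([^)]*)\)")

def device_sddl(service_name: str) -> str:
    """Illustrative (assumed) descriptor for a device object that only SYSTEM and
    one service account may open: protected DACL, full access to both, nobody else."""
    return f"D:P(A;;GA;;;SY)(A;;GA;;;{service_sid(service_name)})"

def unexpected_grants(sddl: str, allowed_sids) -> list:
    """Audit a DACL in SDDL form.

    Returns the trustee of every access-allowed ACE whose trustee is not in
    allowed_sids. An empty list means the device is opened only by the
    principals you expect; anything listed widens access beyond them.
    """
    dacl = sddl.split("D:", 1)[1] if "D:" in sddl else ""
    # Stop at the SACL if one follows the DACL.
    dacl = dacl.split("S:", 1)[0]
    widened = []
    for ace in ACE_RE.findall(dacl):
        fields = ace.split(";")
        if len(fields) < 6:
            continue  # malformed ACE, not something we can judge
        ace_type, trustee = fields[0], fields[5]
        if ace_type == "A" and trustee not in allowed_sids:
            widened.append(trustee)
    return widened

if __name__ == "__main__":
    broker = service_sid("SgrmBroker")  # service name as given in the text above
    print("SgrmBroker service SID:", broker)
    print("assumed device SDDL:", device_sddl("SgrmBroker"))
    print("unexpected grants:", unexpected_grants(device_sddl("SgrmBroker"), {"SY", broker}))
```

On a live system, read the DACL of the device object with a kernel debugger and pass it to unexpected_grants; the function recognises both SDDL aliases (SY, WD, ...) and full S-1-... strings as trustees.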