Inside Windows Defender System Guard Runtime Monitor

What is System Guard Runtime Monitor (SGRM)?

System Guard Runtime Monitor (SGRM) is a component of Windows Defender (WD) that was introduced in the Windows 10 1709 update and has been present since then as a key component for ensuring system integrity.

Another name for this component is Octagon, which is presumably Microsoft's internal project name, with System Guard Runtime Monitor being the public name used when marketing Windows Defender. For SGRM to work, a device must have Virtual Secure Mode (VSM) enabled, as the protection makes use of Virtual Trust Levels (VTLs) to minimise the attack surface of the core attestation Lua engine. Microsoft's 2018 blog post announcing the feature describes SGRM as follows: "If important security features should fail, users should be aware. Windows Defender System Guard runtime attestation, a new Windows platform security technology, fills this need". Simply put, SGRM is an anti-tampering mechanism for your modern Windows device.

In this post, I'll go into the details of how SGRM works: the Lua component, the integrity checks performed, the RPC service, and more, from a brief reverse-engineering look at this WD component.

Components

We'll first take a quick look at the components of SGRM, to provide context before going through each one in detail.

Component                Usage
SgrmBroker.exe           Provides a client API, exposing assists to the SGRM runtime when doing assertions.
SgrmAgent.sys            The agent driver; exposes functionality for use within the assertion-assist wrappers used by SgrmBroker.
SgrmEnclave.dll          Lua assertion engine, also called the enclave controller shim; contains the Lua runtime. Its counterpart SgrmEnclave_secure.dll runs in VTL-1 or in another mode of operation. Talks to SgrmBroker.exe via the API.
SgrmLpac.exe             A local RPC service, which exposes a method to send an HTTP POST request to a specified endpoint.
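Before reverse engineering any of this, it is worth confirming that the VSM/VTL prerequisite described above is actually met and that the components in the table are present on the machine under study. The following PowerShell script is an added example written for this edit, not code from the original post or from Microsoft. It reads the documented Win32_DeviceGuard CIM class for the VBS state, then looks for the SGRM services and binaries. The service names SgrmBroker and SgrmAgent, and the System32 paths, are assumptions based on the component names in the table.

```powershell
# Added example (not from the original post): check the VBS prerequisite for
# SGRM and the presence of the SGRM components listed in the table above.
# Run from an elevated PowerShell prompt on the machine under study.
# Assumptions: service names SgrmBroker/SgrmAgent and the System32 paths are
# inferred from the component names; Win32_DeviceGuard is the documented class.

$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard -ErrorAction Stop

# VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not
# running, 2 = enabled and running. SGRM needs VTL-1, so we want 2 here.
$vbsState = @{ 0 = 'not enabled'; 1 = 'enabled, not running'; 2 = 'running' }
$vbs = [int]$dg.VirtualizationBasedSecurityStatus
Write-Host ("VBS status: {0} ({1})" -f $vbs, $vbsState[$vbs])

# SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity).
$running = @($dg.SecurityServicesRunning)
Write-Host ("Credential Guard running: {0}" -f ($running -contains 1))
Write-Host ("HVCI running:             {0}" -f ($running -contains 2))

# User-mode broker (Win32 service) and kernel agent driver (driver service).
foreach ($name in 'SgrmBroker', 'SgrmAgent') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc) {
        Write-Host ("{0,-12} service: {1} (start type {2})" -f $name, $svc.Status, $svc.StartType)
    } else {
        Write-Host ("{0,-12} service: not present" -f $name)
    }
}

# On-disk components from the table, with their Authenticode status.
# Windows system binaries are usually catalog-signed, so a 'Valid' status
# here comes from the catalog rather than an embedded signature.
$sys32 = Join-Path $env:SystemRoot 'System32'
$files = @(
    (Join-Path $sys32 'SgrmBroker.exe'),
    (Join-Path $sys32 'SgrmEnclave.dll'),
    (Join-Path $sys32 'SgrmEnclave_secure.dll'),
    (Join-Path $sys32 'SgrmLpac.exe'),
    (Join-Path $sys32 'drivers\SgrmAgent.sys')
)
foreach ($f in $files) {
    $leaf = Split-Path $f -Leaf
    if (Test-Path $f) {
        $sig = Get-AuthenticodeSignature -FilePath $f
        Write-Host ("{0,-25} {1}" -f $leaf, $sig.Status)
    } else {
        Write-Host ("{0,-25} missing" -f $leaf)
    }
}

if ($vbs -ne 2) {
    Write-Warning 'VBS is not running: SGRM cannot host its assertion engine in VTL-1 on this machine.'
}
```

If VBS reports anything other than 2, the VTL-1 assertion engine will not be in play, which matters when you are deciding what to attach a debugger to: only the user-mode broker, the agent driver and the non-enclave code paths are reachable from VTL-0.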

SgrmAgent.sys

This article has been indexed from https://blog.syscall.party/feed