Inside Windows Defender System Guard Runtime Monitor

What is System Guard Runtime Monitor (SGRM)?

SGRM is a component of Windows Defender. It was introduced in the Windows 10 1709 update and has remained a key system-integrity component ever since.

Another name for this component is Octagon, which I assume is an internal project name at Microsoft, while "System Guard Runtime Monitor" is the marketing name used for Windows Defender. For System Guard Runtime Monitor to work, a device must have Virtual Secure Mode enabled, as the protection uses Virtual Trust Levels to minimise the attack surface of the core attestation Lua engine. Microsoft, in a 2018 blog post, describes SGRM this way: "If important security features should fail, users should be aware. Windows Defender System Guard runtime attestation, a new Windows platform security technology, fills this need". Simply put, SGRM is an anti-tampering mechanism for your modern Windows device.

In this post, I'll go into detail on how it works: the Lua component, the integrity checks it carries out, the RPC service, and more, from a brief reverse engineering of this WD component.

Components

We'll quickly take a look at some of the components of Octagon, so that we have some context when going through each of them individually.

| Component | Usage |
|---|---|
| SgrmBroker.exe | Provides a client API, exposing assists to the SGRM runtime when doing assertions. |
| Sgrm.sys | The agent driver; exposes functionality for use within the assertion assist wrappers used by SgrmBroker. |
| SgrmEnclave.dll | Lua assertion engine, also called the enclave controller shim; contains the Lua runtime. SgrmEnclave_secure.dll runs in VTL-1. Talks to SgrmBroker.exe via its API. |
| SgrmLpac.exe | A local RPC service, which exposes a method to send an HTTP POST request to a specified endpoint. |
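As an added example (not from the original post), the following PowerShell checks the two things the text above sets out: that Virtual Secure Mode is actually running, so the enclave can live in VTL-1, and that the listed SGRM components are present, signed and their services registered. The SgrmBroker and SgrmAgent service names, the System32 file locations and the Win32_DeviceGuard WMI class are assumptions not stated on the page.

```powershell
# Added example: SGRM prerequisite and component health check.
# Assumed (not on the page): service names SgrmBroker/SgrmAgent, file locations under System32.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
$vbsState = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
Write-Output ("VBS status : {0}" -f $vbsState[[int]$dg.VirtualizationBasedSecurityStatus])

if ($dg.VirtualizationBasedSecurityStatus -ne 2) {
    Write-Warning 'VSM/VBS is not running; SGRM has no VTL-1 to host the Lua enclave.'
}

# Broker service and agent driver: both must be registered for attestation to run
foreach ($svc in 'SgrmBroker', 'SgrmAgent') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($null -eq $s) {
        Write-Warning "$svc service not present"
    } else {
        Write-Output ("{0,-10} : {1} (start type {2})" -f $svc, $s.Status, $s.StartType)
    }
}

# Authenticode status of each component named in the table above
$sys32 = "$env:SystemRoot\System32"
$files = @(
    "$sys32\SgrmBroker.exe",
    "$sys32\drivers\Sgrm.sys",
    "$sys32\SgrmEnclave.dll",
    "$sys32\SgrmEnclave_secure.dll",
    "$sys32\SgrmLpac.exe"
)
foreach ($f in $files) {
    if (-not (Test-Path $f)) { Write-Warning "$f missing"; continue }
    $sig = Get-AuthenticodeSignature -FilePath $f
    # Anything other than 'Valid' on these files is worth investigating on an anti-tampering component
    Write-Output ("{0,-26} : {1} by {2}" -f (Split-Path $f -Leaf), $sig.Status, $sig.SignerCertificate.Subject)
}
```

Run from an elevated PowerShell session; on systems where VBS is reported as 0 or 1, the warning is the expected outcome and explains why no attestation activity will be observed.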

This article has been indexed from https://blog.syscall.party/feed
