Bitdefender Hypervisor Memory Introspection
alert_exceptions.c
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2020 Bitdefender
3  * SPDX-License-Identifier: Apache-2.0
4  */
9 
10 #include "alert_exceptions.h"
11 #include "crc32.h"
12 #include "guests.h"
13 #include "utils.h"
14 
15 
16 static DWORD
17 IntAlertGetHashForLinuxName(
18  _In_ const WCHAR *Originator,
19  _In_ const size_t MaxLength
20  )
32 {
33  if (wstrnlen(Originator, MaxLength) == MaxLength)
34  {
35  return kmExcNameInvalid;
36  }
37 
38  if (0 == wstrcasecmp(Originator, u"kernel"))
39  {
40  return kmExcNameKernel;
41  }
42  else
43  {
44  CHAR name[64];
45 
46  utf16toutf8(name, Originator, sizeof(name));
47 
48  return Crc32String(name, INITIAL_CRC_VALUE);
49  }
50 }
51 
52 
53 static DWORD
54 IntAlertGetHashForWindowsName(
55  _In_ const WCHAR *Originator,
56  _In_ const size_t MaxLength
57  )
72 {
73  size_t i, len = wstrnlen(Originator, MaxLength);
74 
75  if (len == MaxLength)
76  {
77  return kmExcNameInvalid;
78  }
79 
80  if (Originator[0] == u'\\' ||
81  (((Originator[0] >= u'C' && Originator[0] <= u'Z') ||
82  (Originator[0] >= u'c' && Originator[0] <= u'z')) &&
83  Originator[1] == u':' &&
84  Originator[2] == u'\\'))
85  {
86  for (i = len - 1; i > 0; i--)
87  {
88  if (Originator[i] == u'\\')
89  {
90  i++;
91  break;
92  }
93  }
94  }
95  else
96  {
97  i = 0;
98  }
99 
100  if (0 == wstrncasecmp_len(&Originator[i], u"ntkrnlmp.exe", len - i, CWSTRLEN(u"ntkrnlmp.exe")) ||
101  0 == wstrncasecmp_len(&Originator[i], u"ntkrnlpa.exe", len - i, CWSTRLEN(u"ntkrnlpa.exe")) ||
102  0 == wstrncasecmp_len(&Originator[i], u"ntkrpamp.exe", len - i, CWSTRLEN(u"ntkrpamp.exe")) ||
103  0 == wstrncasecmp_len(&Originator[i], u"ntoskrnl.exe", len - i, CWSTRLEN(u"ntoskrnl.exe")))
104  {
105  return kmExcNameKernel;
106  }
107  else if (0 == wstrncasecmp_len(&Originator[i], u"hal.dll", len - i, CWSTRLEN(u"hal.dll")) ||
108  0 == wstrncasecmp_len(&Originator[i], u"halmacpi.dll", len - i, CWSTRLEN(u"halmacpi.dll")) ||
109  0 == wstrncasecmp_len(&Originator[i], u"halacpi.dll", len - i, CWSTRLEN(u"halacpi.dll")))
110  {
111  return kmExcNameHal;
112  }
113  else
114  {
115  return Crc32Wstring(&Originator[i], INITIAL_CRC_VALUE);
116  }
117 }
118 
119 
120 static DWORD
121 IntAlertGetHashForName(
122  _In_opt_ const WCHAR *Originator,
123  _In_ BOOLEAN LinuxGuest,
124  _In_ BOOLEAN KernelMode,
125  _In_ size_t MaxLength
126  )
140 {
141  if (Originator == NULL)
142  {
143  if (KernelMode)
144  {
145  return kmExcNameNone;
146  }
147  else
148  {
149  return umExcNameNone;
150  }
151  }
152 
153  if (LinuxGuest)
154  {
155  return IntAlertGetHashForLinuxName(Originator, MaxLength);
156  }
157  else
158  {
159  return IntAlertGetHashForWindowsName(Originator, MaxLength);
160  }
161 }
162 
163 
164 static DWORD
165 IntAlertGetEptExceptionFlags(
166  _In_ const EVENT_EPT_VIOLATION *Event
167  )
178 {
179  DWORD flags = EXCEPTION_FLG_32 | EXCEPTION_FLG_64;
180 
181  if (Event->Violation == IG_EPT_HOOK_EXECUTE)
182  {
183  flags |= EXCEPTION_FLG_EXECUTE;
184  }
185  else if (Event->Violation == IG_EPT_HOOK_READ)
186  {
187  flags |= EXCEPTION_FLG_READ;
188  }
189  else
190  {
191  flags |= EXCEPTION_FLG_WRITE;
192  }
193 
194  if (Event->Header.Flags & ALERT_FLAG_LINUX)
195  {
196  flags |= EXCEPTION_FLG_LINUX;
197  }
198 
199  return flags;
200 }
201 
202 
203 static void
204 IntAlertCreateCbSignature(
205  _In_ const INTRO_CODEBLOCKS *CodeBlocks,
206  _In_ BOOLEAN LinuxAlert,
207  _In_ BOOLEAN ExecAlert,
208  _Out_ ALERT_CB_SIGNATURE *Signature
209  )
222 {
223  DWORD offset;
224 
225  if (!CodeBlocks->Valid)
226  {
227  Signature->Valid = FALSE;
228  return;
229  }
230 
231  offset = 0;
232 
233  Signature->Header.Version = ALERT_CB_SIGNATURE_VERSION;
234  Signature->Flags = SIGNATURE_FLG_32 | SIGNATURE_FLG_64;
235 
236  if (LinuxAlert)
237  {
238  Signature->Flags |= SIGNATURE_FLG_LINUX;
239  }
240 
241  if (CodeBlocks->RipCbIndex > ALERT_MAX_CODEBLOCKS)
242  {
243  ERROR("[ERROR] The index (%d) of the RIP's codeblock is grater than the ALERT_MAX_CODEBLOCKS (%d)\n",
244  CodeBlocks->RipCbIndex, ALERT_MAX_CODEBLOCKS);
245 
246  Signature->Valid = FALSE;
247  return;
248  }
249 
250  if (CodeBlocks->Count > ALERT_MAX_CODEBLOCKS)
251  {
252  ERROR("[ERROR] The number of codeblocks (%d) is grater than the ALERT_MAX_CODEBLOCKS (%d)\n",
253  CodeBlocks->RipCbIndex, ALERT_MAX_CODEBLOCKS);
254 
255  Signature->Valid = FALSE;
256  return;
257  }
258 
259  if (!ExecAlert)
260  {
261  if (CodeBlocks->RipCbIndex < (ALERT_HASH_COUNT / 2))
262  {
263  // [0; ALERT_HASH_COUNT]
264  offset = 0;
265  }
266  else if (CodeBlocks->RipCbIndex + (ALERT_HASH_COUNT / 2) >= CodeBlocks->Count)
267  {
268  // [Count - ALERT_HASH_COUNT; Count]
269  offset = CodeBlocks->Count >= ALERT_HASH_COUNT ? CodeBlocks->Count - ALERT_HASH_COUNT : 0;
270  }
271  else
272  {
273  // before & after rip
274  offset = CodeBlocks->RipCbIndex - (ALERT_HASH_COUNT / 2);
275  }
276  }
277 
278  Signature->Count = (BYTE)MIN(CodeBlocks->Count, ALERT_HASH_COUNT);
279  if (Signature->Count == 0)
280  {
281  WARNING("[WARNING] Codeblocks count is zero\n");
282  Signature->Valid = FALSE;
283 
284  return;
285  }
286 
287  Signature->Score = MAX(Signature->Count - 1, 1);
288 
289  for (int i = 0; i < Signature->Count; i++)
290  {
291  Signature->CodeBlocks[i] = CodeBlocks->CodeBlocks[i + offset].Value;
292  }
293 
294  UtilQuickSort(Signature->CodeBlocks,
295  Signature->Count,
296  sizeof(Signature->CodeBlocks[0]));
297 
298  Signature->Valid = TRUE;
299 }
300 
301 
302 static void
303 IntAlertCreateProcessCreationSignature(
304  _In_ DWORD PcType,
305  _In_ BOOLEAN LinuxAlert,
306  _Out_ ALERT_PROCESS_CREATION_SIGNATURE *Signature
307  )
318 {
319  Signature->Header.Version = ALERT_PROCESS_CREATION_SIGNATURE_VERSION;
320  Signature->Flags = SIGNATURE_FLG_32 | SIGNATURE_FLG_64;
321 
322  if (LinuxAlert)
323  {
324  Signature->Flags |= SIGNATURE_FLG_LINUX;
325  }
326 
327  Signature->CreateMask = PcType;
328 
329  Signature->Valid = TRUE;
330 }
331 
332 
333 static void
334 IntAlertCreateIdtSignature(
335  _In_ const BYTE Entry,
336  _In_ BOOLEAN LinuxAlert,
337  _Out_ ALERT_IDT_SIGNATURE *Signature
338  )
349 {
350  Signature->Header.Version = ALERT_IDT_SIGNATURE_VERSION;
351  Signature->Flags = gGuest.Guest64 ? SIGNATURE_FLG_64 : SIGNATURE_FLG_32;
352 
353  if (LinuxAlert)
354  {
355  Signature->Flags |= SIGNATURE_FLG_LINUX;
356  }
357 
358  Signature->Entry = Entry;
359 
360  Signature->Valid = TRUE;
361 }
362 
363 
364 static void
365 IntAlertCreateExportSignature(
366  _In_ const INTRO_MODULE *Module,
367  _In_ const char *FunctionName,
368  _In_ DWORD FunctionNameHash,
369  _In_ DWORD Delta,
370  _In_ DWORD WriteSize,
371  _In_ BOOLEAN LinuxEvent,
372  _Out_ ALERT_EXPORT_SIGNATURE *Signature
373  )
389 {
390  if (!Module->Valid || Module->Name[0] == 0)
391  {
392  Signature->Valid = FALSE;
393  return;
394  }
395 
396  Signature->Header.Version = ALERT_EXPORT_SIGNATURE_VERSION;
397  Signature->Flags = SIGNATURE_FLG_32 | SIGNATURE_FLG_64;
398 
399  if (LinuxEvent)
400  {
401  Signature->Flags |= SIGNATURE_FLG_LINUX;
402  }
403 
404  Signature->Library = IntAlertGetHashForName(Module->Name, LinuxEvent, FALSE, sizeof(Module->Name));
405  if (Signature->Library == kmExcNameInvalid)
406  {
407  Signature->Valid = FALSE;
408  return;
409  }
410 
411  if (FunctionName[0])
412  {
413  Signature->Function = FunctionNameHash;
414  }
415  else
416  {
417  Signature->Function = umExcNameAny;
418  }
419 
420  Signature->Delta = (BYTE)Delta;
421  Signature->WriteSize = (BYTE)WriteSize;
422 
423  Signature->Valid = TRUE;
424 }
425 
426 
427 static INTSTATUS
428 IntAlertCreateEptException(
429  _In_ const EVENT_EPT_VIOLATION *Event,
430  _In_ BOOLEAN LogErrors,
431  _Inout_ void *Exception
432  )
451 {
452  const WCHAR *originator = NULL;
453  const WCHAR *victim = NULL;
454  BOOLEAN linuxAlert;
455  INTRO_ALERT_EXCEPTION_HEADER *header = Exception;
456 
457  UNREFERENCED_PARAMETER(LogErrors);
458 
459  header->Valid = FALSE;
460 
461  // Don't take into consideration the return driver, except when the original one it's missing. It's safer this way.
462  // Anyway, we don't have a proper way on choosing between them...
463  if (Event->Originator.Module.Valid)
464  {
465  originator = Event->Originator.Module.Name;
466  }
467  else if (Event->Originator.ReturnModule.Valid)
468  {
469  originator = Event->Originator.ReturnModule.Name;
470  }
471 
472  linuxAlert = (Event->Header.Flags & ALERT_FLAG_LINUX) != 0;
473 
474  if (Event->Header.Flags & ALERT_FLAG_KM_UM)
475  {
476  ALERT_KUM_EXCEPTION *pException = Exception;
477  BOOLEAN valid = FALSE;
478 
479  if (linuxAlert)
480  {
481  pException->Flags |= EXCEPTION_FLG_LINUX;
482  }
483 
484  pException->Flags |= IntAlertGetEptExceptionFlags(Event);
485 
486  if (Event->Originator.Injection.User)
487  {
488  pException->Flags |= EXCEPTION_KUM_FLG_USER;
489  pException->Originator = Crc32StringLen(Event->Originator.Process.ImageName,
490  INITIAL_CRC_VALUE,
491  sizeof(Event->Originator.Process.ImageName),
492  &valid);
493  if (!valid)
494  {
495  return INT_STATUS_INVALID_DATA_SIZE;
496  }
497 
498  }
499  else if (Event->Originator.Injection.Kernel)
500  {
501  pException->Flags |= EXCEPTION_KUM_FLG_KERNEL;
502  pException->Originator = IntAlertGetHashForName(Event->Originator.ReturnModule.Name,
503  linuxAlert,
504  TRUE,
505  sizeof(Event->Originator.ReturnModule.Name));
506  if (pException->Originator == kmExcNameInvalid)
507  {
508  return INT_STATUS_INVALID_DATA_SIZE;
509  }
510  }
511  else
512  {
513  pException->Originator = IntAlertGetHashForName(originator,
514  linuxAlert,
515  TRUE,
516  sizeof(Event->Originator.Module.Name));
517  if (pException->Originator == kmExcNameInvalid)
518  {
519  return INT_STATUS_INVALID_DATA_SIZE;
520  }
521  }
522 
523  if (Event->Victim.Type == introObjectTypeUmModule)
524  {
525  if (Event->ZoneTypes & ZONE_LIB_IMPORTS)
526  {
527  pException->Type = kumObjModuleImports;
528  }
529  else if (Event->ZoneTypes & ZONE_LIB_EXPORTS)
530  {
531  pException->Type = kumObjModuleExports;
532  }
533  else
534  {
535  pException->Type = kumObjModule;
536  }
537  }
538  else
539  {
540  ERROR("[ERROR] Invalid victim type (%d) for kernel-user exceptions!", Event->Victim.Type);
541  return INT_STATUS_NOT_SUPPORTED;
542  }
543 
544  if (Event->Violation != IG_EPT_HOOK_EXECUTE)
545  {
546  pException->Victim = IntAlertGetHashForName(Event->Victim.Module.Name,
547  linuxAlert,
548  FALSE,
549  sizeof(Event->Victim.Module.Name));
550  if (pException->Victim == umExcNameInvalid)
551  {
552  return INT_STATUS_INVALID_DATA_SIZE;
553  }
554  }
555  else
556  {
557  pException->Victim = umExcNameAny;
558  pException->Originator = umExcNameNone;
559  }
560 
561  pException->Process = Crc32StringLen(Event->Header.CurrentProcess.ImageName,
562  INITIAL_CRC_VALUE,
563  sizeof(Event->Header.CurrentProcess.ImageName),
564  &valid);
565  if (!valid)
566  {
567  return INT_STATUS_INVALID_DATA_SIZE;
568  }
569 
570  IntAlertCreateCbSignature(&Event->CodeBlocks,
571  linuxAlert,
572  Event->Violation == IG_EPT_HOOK_EXECUTE,
573  &pException->CodeBlocks);
574  }
575  else if (!(Event->Header.Flags & ALERT_FLAG_NOT_RING0))
576  {
577  ALERT_KM_EXCEPTION *pKmException = Exception;
578 
579  if ((Event->Victim.Type == introObjectTypeKmModule && !Event->Victim.Module.Valid) ||
580  ((Event->Victim.Type == introObjectTypeDriverObject ||
581  Event->Victim.Type == introObjectTypeFastIoDispatch) &&
582  !Event->Victim.DriverObject.Valid))
583  {
584  return INT_STATUS_NOT_SUPPORTED;
585  }
586 
587  if (linuxAlert)
588  {
589  pKmException->Flags |= SIGNATURE_FLG_LINUX;
590  }
591 
592  pKmException->Flags |= IntAlertGetEptExceptionFlags(Event);
593 
594  pKmException->Originator = IntAlertGetHashForName(originator,
595  linuxAlert,
596  TRUE,
597  sizeof(Event->Originator.Module.Name));
598  if (pKmException->Originator == kmExcNameInvalid)
599  {
600  return INT_STATUS_INVALID_DATA_SIZE;
601  }
602 
603  if (Event->Victim.Type == introObjectTypeKmModule ||
604  Event->Victim.Type == introObjectTypeSsdt ||
605  Event->Victim.Type == introObjectTypeTokenPrivs ||
606  (linuxAlert && (Event->Victim.Type == introObjectTypeVdso ||
607  Event->Victim.Type == introObjectTypeVsyscall)))
608  {
609  victim = Event->Victim.Module.Name;
610 
611  if (Event->Victim.Type == introObjectTypeVsyscall)
612  {
613  pKmException->Victim = kmExcNameVsyscall;
614  }
615  else if (Event->Victim.Type == introObjectTypeVdso)
616  {
617  pKmException->Victim = kmExcNameVdso;
618  }
619  else if (Event->Victim.Type == introObjectTypeTokenPrivs)
620  {
621  pKmException->Victim = Crc32String(Event->Header.CurrentProcess.ImageName, INITIAL_CRC_VALUE);
622  }
623  else
624  {
625  pKmException->Victim = IntAlertGetHashForName(victim,
626  linuxAlert,
627  TRUE,
628  sizeof(Event->Victim.Module.Name));
629  if (pKmException->Victim == kmExcNameInvalid)
630  {
631  return INT_STATUS_INVALID_DATA_SIZE;
632  }
633  }
634 
635  if (Event->Victim.Type == introObjectTypeSsdt)
636  {
637  pKmException->Type = kmObjSsdt;
638  }
639  else if (Event->Victim.Type == introObjectTypeTokenPrivs)
640  {
641  pKmException->Type = kmObjTokenPrivs;
642  }
643  else if (Event->ZoneTypes & ZONE_LIB_IMPORTS)
644  {
645  pKmException->Type = kmObjDriverImports;
646  }
647  else if (Event->ZoneTypes & ZONE_LIB_EXPORTS)
648  {
649  pKmException->Type = kmObjDriverExports;
650  }
651  else if (Event->ZoneTypes & ZONE_LIB_CODE)
652  {
653  pKmException->Type = kmObjDriverCode;
654  }
655  else if (Event->ZoneTypes & ZONE_LIB_DATA)
656  {
657  pKmException->Type = kmObjDriverData;
658  }
659  else if (Event->ZoneTypes & ZONE_LIB_RESOURCES)
660  {
661  pKmException->Type = kmObjDriverResources;
662  }
663  else
664  {
665  return INT_STATUS_NOT_SUPPORTED;
666  }
667  }
668  else if (Event->Victim.Type == introObjectTypeDriverObject ||
669  Event->Victim.Type == introObjectTypeFastIoDispatch)
670  {
671  BOOLEAN valid = FALSE;
672  victim = Event->Victim.DriverObject.Name;
673 
674  pKmException->Victim = Crc32WstringLen(victim,
675  INITIAL_CRC_VALUE,
676  sizeof(Event->Victim.DriverObject.Name),
677  &valid);
678  if (!valid)
679  {
680  return INT_STATUS_INVALID_DATA_SIZE;
681  }
682 
683  if (Event->Victim.Type == introObjectTypeDriverObject)
684  {
685  pKmException->Type = kmObjDrvObj;
686  }
687  else if (Event->Victim.Type == introObjectTypeFastIoDispatch)
688  {
689  pKmException->Type = kmObjFastIo;
690  }
691  }
692  else if (Event->Victim.Type == introObjectTypeIdt)
693  {
694  pKmException->Victim = kmExcNameAny;
695  pKmException->Type = kmObjIdt;
696 
697  IntAlertCreateIdtSignature(Event->Victim.IdtEntry, linuxAlert, &pKmException->Idt);
698  }
699  else if (Event->Victim.Type == introObjectTypeKmLoggerContext)
700  {
701  pKmException->Victim = kmExcNameAny;
702  pKmException->Type = kmObjLoggerCtx;
703  }
704  else
705  {
706  return INT_STATUS_NOT_SUPPORTED;
707  }
708 
709  IntAlertCreateCbSignature(&Event->CodeBlocks,
710  linuxAlert,
711  Event->Violation == IG_EPT_HOOK_EXECUTE,
712  &pKmException->CodeBlocks);
713  }
714  else
715  {
716  ALERT_UM_EXCEPTION *pUmException = Exception;
717  BOOLEAN valid;
718 
719  if (linuxAlert)
720  {
721  pUmException->Flags |= SIGNATURE_FLG_LINUX;
722  }
723 
724  if ((Event->Victim.Type != introObjectTypeUmModule &&
725  Event->Victim.Type != introObjectTypeUmGenericNxZone &&
726  Event->Victim.Type != introObjectTypeSudExec) ||
727  (!Event->Header.CurrentProcess.Valid))
728  {
729  return INT_STATUS_NOT_SUPPORTED;
730  }
731 
732  pUmException->Flags = IntAlertGetEptExceptionFlags(Event);
733 
734  if (Event->Victim.Type == introObjectTypeUmModule)
735  {
736  if (Event->ZoneTypes & ZONE_LIB_IMPORTS)
737  {
738  pUmException->Type = umObjModuleImports;
739  }
740  else if (Event->ZoneTypes & ZONE_LIB_EXPORTS)
741  {
742  pUmException->Type = umObjModuleExports;
743  }
744  else
745  {
746  pUmException->Type = umObjModule;
747  }
748  }
749  else if (Event->Victim.Type == introObjectTypeUmGenericNxZone)
750  {
751  pUmException->Type = umObjNxZone;
752  }
753  else if (Event->Victim.Type == introObjectTypeSudExec)
754  {
755  pUmException->Type = umObjSharedUserData;
756  }
757 
758  if (Event->Violation != IG_EPT_HOOK_EXECUTE)
759  {
760  pUmException->Originator = IntAlertGetHashForName(originator,
761  linuxAlert,
762  FALSE,
763  sizeof(Event->Originator.Module.Name));
764  if (pUmException->Originator == umExcNameInvalid)
765  {
766  return INT_STATUS_INVALID_DATA_SIZE;
767  }
768 
769  pUmException->Victim = IntAlertGetHashForName(Event->Victim.Module.Name,
770  linuxAlert,
771  FALSE,
772  sizeof(Event->Victim.Module.Name));
773  if (pUmException->Victim == umExcNameInvalid)
774  {
775  return INT_STATUS_INVALID_DATA_SIZE;
776  }
777  }
778  else
779  {
780  pUmException->Victim = umExcNameAny;
781  pUmException->Originator = umExcNameNone;
782  }
783 
784  pUmException->Process = Crc32StringLen(Event->Header.CurrentProcess.ImageName,
785  INITIAL_CRC_VALUE,
786  sizeof(Event->Header.CurrentProcess.ImageName),
787  &valid);
788  if (!valid)
789  {
790  return INT_STATUS_INVALID_DATA_SIZE;
791  }
792 
793  IntAlertCreateCbSignature(&Event->CodeBlocks,
794  linuxAlert,
795  Event->Violation == IG_EPT_HOOK_EXECUTE,
796  &pUmException->CodeBlocks);
797  }
798 
799  header->ViolationFlags = Event->Header.Flags;
800  header->Valid = TRUE;
801 
802  return INT_STATUS_SUCCESS;
803 }
804 
805 
806 static INTSTATUS
807 IntAlertCreateMsrException(
808  _In_ const EVENT_MSR_VIOLATION *Event,
809  _In_ BOOLEAN LogErrors,
810  _Out_ void *Exception
811  )
825 {
826  ALERT_KM_EXCEPTION *pKmException = Exception;
827  const WCHAR *originator = NULL;
828  BOOLEAN linuxAlert = (Event->Header.Flags & ALERT_FLAG_LINUX) != 0;
829  INTRO_ALERT_EXCEPTION_HEADER *header = Exception;
830 
831  UNREFERENCED_PARAMETER(LogErrors);
832 
833  header->Valid = FALSE;
834 
835  if (Event->Originator.Module.Valid)
836  {
837  originator = Event->Originator.Module.Name;
838  }
839 
840  pKmException->Flags = EXCEPTION_FLG_32 | EXCEPTION_FLG_64 | EXCEPTION_FLG_WRITE;
841 
842  if (linuxAlert)
843  {
844  pKmException->Flags |= EXCEPTION_FLG_LINUX;
845  }
846 
847  pKmException->Victim = kmExcNameAny;
848  pKmException->Type = kmObjMsr;
849  pKmException->Originator = IntAlertGetHashForName(originator,
850  linuxAlert,
851  TRUE,
852  sizeof(Event->Originator.Module.Name));
853  if (pKmException->Originator == kmExcNameInvalid)
854  {
855  return INT_STATUS_INVALID_DATA_SIZE;
856  }
857 
858  IntAlertCreateCbSignature(&Event->CodeBlocks, linuxAlert, FALSE, &pKmException->CodeBlocks);
859 
860  header->ViolationFlags = Event->Header.Flags;
861  header->Valid = TRUE;
862 
863  return INT_STATUS_SUCCESS;
864 }
865 
866 
867 static INTSTATUS
868 IntAlertCreateCrException(
869  _In_ const EVENT_CR_VIOLATION *Event,
870  _In_ BOOLEAN LogErrors,
871  _Out_ void *Exception
872  )
886 {
887  ALERT_KM_EXCEPTION *pKmException = Exception;
888  const WCHAR *originator = NULL;
889  BOOLEAN linuxAlert = (Event->Header.Flags & ALERT_FLAG_LINUX) != 0;
890  INTRO_ALERT_EXCEPTION_HEADER *header = Exception;
891 
892  UNREFERENCED_PARAMETER(LogErrors);
893 
894  header->Valid = FALSE;
895 
896  if (Event->Originator.Module.Valid)
897  {
898  originator = Event->Originator.Module.Name;
899  }
900 
901  pKmException->Flags = EXCEPTION_FLG_32 | EXCEPTION_FLG_64 |
902  EXCEPTION_KM_FLG_SMEP | EXCEPTION_KM_FLG_SMAP | EXCEPTION_FLG_WRITE;
903 
904  if (linuxAlert)
905  {
906  pKmException->Flags |= EXCEPTION_FLG_LINUX;
907  }
908 
909  pKmException->Victim = kmExcNameAny;
910  pKmException->Type = kmObjCr4;
911  pKmException->Originator = IntAlertGetHashForName(originator,
912  linuxAlert,
913  TRUE,
914  sizeof(Event->Originator.Module.Name));
915  if (pKmException->Originator == kmExcNameInvalid)
916  {
917  return INT_STATUS_INVALID_DATA_SIZE;
918  }
919 
920  IntAlertCreateCbSignature(&Event->CodeBlocks, linuxAlert, FALSE, &pKmException->CodeBlocks);
921 
922  header->ViolationFlags = Event->Header.Flags;
923  header->Valid = TRUE;
924 
925  return INT_STATUS_SUCCESS;
926 }
927 
928 
929 static INTSTATUS
930 IntAlertCreateInjectionException(
931  _In_ const EVENT_MEMCOPY_VIOLATION *Event,
932  _In_ BOOLEAN LogErrors,
933  _Out_ void *Exception
934  )
949 {
950  ALERT_UM_EXCEPTION *pException = Exception;
951  BOOLEAN linuxAlert = (Event->Header.Flags & ALERT_FLAG_LINUX) != 0;
952  INTRO_ALERT_EXCEPTION_HEADER *header = Exception;
953  BOOLEAN valid;
954 
955  UNREFERENCED_PARAMETER(LogErrors);
956 
957  header->Valid = FALSE;
958 
959  if (Event->Originator.Process.ImageName[0] == 0 ||
960  Event->Victim.Process.ImageName[0] == 0)
961  {
962  return INT_STATUS_NOT_SUPPORTED;
963  }
964 
965  pException->Flags = EXCEPTION_FLG_32 | EXCEPTION_FLG_64;
966 
967  if (linuxAlert)
968  {
969  pException->Flags |= EXCEPTION_FLG_LINUX;
970  }
971 
972  switch (Event->ViolationType)
973  {
974  case memCopyViolationRead:
975  pException->Flags |= EXCEPTION_FLG_READ;
976  break;
977  default:
978  pException->Flags |= EXCEPTION_FLG_WRITE;
979  break;
980  }
981 
982  if (Event->ViolationType == memCopyViolationSetContextThread)
983  {
984  pException->Type = umObjProcessThreadContext;
985  }
986  else if (Event->ViolationType == memCopyViolationQueueApcThread)
987  {
988  pException->Type = umObjProcessApcThread;
989  }
990  else if (Event->ViolationType == memCopyViolationInstrument)
991  {
992  pException->Type = umObjProcessInstrumentation;
993  }
994  else
995  {
996  pException->Type = umObjProcess;
997  }
998 
999  pException->Process = umExcNameAny;
1000  pException->Originator = Crc32StringLen(Event->Originator.Process.ImageName,
1001  INITIAL_CRC_VALUE,
1002  sizeof(Event->Originator.Process.ImageName),
1003  &valid);
1004  if (!valid)
1005  {
1006  return INT_STATUS_INVALID_DATA_SIZE;
1007  }
1008 
1009  pException->Victim = Crc32StringLen(Event->Victim.Process.ImageName,
1010  INITIAL_CRC_VALUE,
1011  sizeof(Event->Victim.Process.ImageName),
1012  &valid);
1013  if (!valid)
1014  {
1015  return INT_STATUS_INVALID_DATA_SIZE;
1016  }
1017 
1018  IntAlertCreateExportSignature(&Event->Victim.Module,
1019  Event->FunctionName,
1020  Event->FunctionNameHash,
1021  Event->Delta,
1022  Event->CopySize,
1023  linuxAlert,
1024  &pException->Export);
1025 
1026  header->ViolationFlags = Event->Header.Flags;
1027  header->Valid = TRUE;
1028 
1029  return INT_STATUS_SUCCESS;
1030 }
1031 
1032 
1033 static INTSTATUS
1034 IntAlertCreateProcessCreationException(
1035  _In_ const EVENT_PROCESS_CREATION_VIOLATION *Event,
1036  _In_ BOOLEAN LogErrors,
1037  _Inout_ void *Exception
1038  )
1053 {
1054  ALERT_UM_EXCEPTION *pException = Exception;
1055  BOOLEAN linuxAlert = (Event->Header.Flags & ALERT_FLAG_LINUX) != 0;
1056  INTRO_ALERT_EXCEPTION_HEADER *header = Exception;
1057  BOOLEAN valid;
1058 
1059  UNREFERENCED_PARAMETER(LogErrors);
1060 
1061  header->Valid = FALSE;
1062 
1063  if (Event->Originator.ImageName[0] == 0 ||
1064  Event->Victim.ImageName[0] == 0)
1065  {
1066  return INT_STATUS_NOT_SUPPORTED;
1067  }
1068 
1069  if (linuxAlert)
1070  {
1071  pException->Flags |= EXCEPTION_FLG_LINUX;
1072  }
1073 
1074  pException->Flags |= EXCEPTION_FLG_32 | EXCEPTION_FLG_64 | EXCEPTION_FLG_EXECUTE;
1075  pException->Type = Event->PcType ? umObjProcessCreation : umObjProcessCreationDpi;
1076  pException->Originator = Crc32StringLen(Event->Originator.ImageName,
1077  INITIAL_CRC_VALUE,
1078  sizeof(Event->Originator.ImageName),
1079  &valid);
1080  if (!valid)
1081  {
1082  return INT_STATUS_INVALID_DATA_SIZE;
1083  }
1084 
1085  pException->Victim = Crc32StringLen(Event->Victim.ImageName,
1086  INITIAL_CRC_VALUE,
1087  sizeof(Event->Victim.ImageName),
1088  &valid);
1089  if (!valid)
1090  {
1091  return INT_STATUS_INVALID_DATA_SIZE;
1092  }
1093  pException->Process = umExcNameAny;
1094 
1095  if (Event->PcType != 0)
1096  {
1097  IntAlertCreateProcessCreationSignature(Event->PcType, linuxAlert, &pException->ProcessCreation);
1098  }
1099 
1100  header->ViolationFlags = Event->Header.Flags;
1101  header->Valid = TRUE;
1102 
1103  return INT_STATUS_SUCCESS;
1104 }
1105 
1106 
1107 static INTSTATUS
1108 IntAlertCreateModuleLoadException(
1109  _In_ const EVENT_MODULE_LOAD_VIOLATION *Event,
1110  _In_ BOOLEAN LogErrors,
1111  _Out_ void *Exception
1112  )
1126 {
1127  ALERT_UM_EXCEPTION *pException = Exception;
1128  BOOLEAN linuxAlert = (Event->Header.Flags & ALERT_FLAG_LINUX) != 0;
1129  INTRO_ALERT_EXCEPTION_HEADER *header = Exception;
1130  BOOLEAN valid;
1131 
1132  UNREFERENCED_PARAMETER(LogErrors);
1133 
1134  header->Valid = FALSE;
1135 
1136  if (Event->Originator.Module.Name[0] == 0 ||
1137  Event->Victim.ImageName[0] == 0)
1138  {
1139  return INT_STATUS_NOT_SUPPORTED;
1140  }
1141 
1142  pException->Flags = EXCEPTION_FLG_32 | EXCEPTION_FLG_64;
1143 
1144  if (linuxAlert)
1145  {
1146  pException->Flags |= EXCEPTION_FLG_LINUX;
1147  }
1148 
1149  pException->Originator = IntAlertGetHashForName(Event->Originator.Module.Name,
1150  linuxAlert,
1151  FALSE,
1152  sizeof(Event->Originator.Module.Name));
1153  if (pException->Originator == kmExcNameInvalid)
1154  {
1155  return INT_STATUS_INVALID_DATA_SIZE;
1156  }
1157 
1158  pException->Victim = Crc32StringLen(Event->Victim.ImageName,
1159  INITIAL_CRC_VALUE,
1160  sizeof(Event->Victim.ImageName),
1161  &valid);
1162  if (!valid)
1163  {
1164  return INT_STATUS_INVALID_DATA_SIZE;
1165  }
1166 
1167  pException->Process = pException->Victim;
1168  pException->Flags |= EXCEPTION_FLG_WRITE;
1169  pException->Type = umObjModuleLoad;
1170 
1171  header->ViolationFlags = Event->Header.Flags;
1172  header->Valid = TRUE;
1173 
1174  return INT_STATUS_SUCCESS;
1175 }
1176 
1177 
1178 static INTSTATUS
1179 IntAlertCreateIntegrityException(
1180  _In_ const EVENT_INTEGRITY_VIOLATION *Event,
1181  _In_ BOOLEAN LogErrors,
1182  _In_ void *Exception
1183  )
1197 {
1198  ALERT_KM_EXCEPTION *pKmException = Exception;
1199  const WCHAR *originator = NULL;
1200  INTRO_ALERT_EXCEPTION_HEADER *header = Exception;
1201  BOOLEAN valid = TRUE;
1202 
1203  header->Valid = FALSE;
1204 
1205  if (gGuest.OSType == introGuestLinux)
1206  {
1207  if (LogErrors)
1208  {
1209  ERROR("[ERROR] Integrity exceptions are not supported on linux guests!\n");
1210  }
1211 
1212  return INT_STATUS_NOT_SUPPORTED;
1213  }
1214 
1215  if (Event->Victim.Type == introObjectTypeDriverObject)
1216  {
1217  pKmException->Type = kmObjDrvObj;
1218  }
1219  else if (Event->Victim.Type == introObjectTypeFastIoDispatch)
1220  {
1221  pKmException->Type = kmObjFastIo;
1222  }
1223  else if (Event->Victim.Type == introObjectTypeKmLoggerContext)
1224  {
1225  pKmException->Type = kmObjLoggerCtx;
1226  }
1227  else if (Event->Victim.Type == introObjectTypeIdt)
1228  {
1229  pKmException->Type = kmObjIdt;
1230  }
1231  else if (Event->Victim.Type == introObjectTypeTokenPrivs)
1232  {
1233  pKmException->Type = kmObjTokenPrivs;
1234  }
1235  else if (Event->Victim.Type == introObjectTypeSecDesc)
1236  {
1237  pKmException->Type = kmObjSecDesc;
1238  }
1239  else if (Event->Victim.Type == introObjectTypeAcl)
1240  {
1241  pKmException->Type = kmObjAcl;
1242  }
1243  else if (Event->Victim.Type == introObjectTypeHalPerfCounter)
1244  {
1245  pKmException->Type = kmObjHalPerfCnt;
1246  }
1247  else if (Event->Victim.Type == introObjectTypeSudIntegrity)
1248  {
1249  pKmException->Type = kmObjSudModification;
1250  }
1251  else if (Event->Victim.Type == introObjectTypeInterruptObject)
1252  {
1253  pKmException->Type = kmObjInterruptObject;
1254  }
1255  else
1256  {
1257  if (LogErrors)
1258  {
1259  ERROR("[ERROR] The given event is not supported: %d!\n", Event->Victim.Type);
1260  }
1261 
1262  return INT_STATUS_NOT_SUPPORTED;
1263  }
1264 
1265  if (Event->Originator.Module.Valid)
1266  {
1267  originator = Event->Originator.Module.Name;
1268  }
1269 
1270  pKmException->Flags = EXCEPTION_FLG_32 | EXCEPTION_FLG_64 | EXCEPTION_KM_FLG_INTEGRITY | EXCEPTION_FLG_WRITE;
1271 
1272  if (Event->Victim.Type == introObjectTypeTokenPrivs ||
1273  Event->Victim.Type == introObjectTypeSecDesc ||
1274  Event->Victim.Type == introObjectTypeAcl ||
1275  Event->Victim.Type == introObjectTypeSudIntegrity)
1276  {
1277  pKmException->Originator = kmExcNameNone;
1278  }
1279  else
1280  {
1281  pKmException->Originator = IntAlertGetHashForName(originator,
1282  FALSE,
1283  TRUE,
1284  sizeof(Event->Originator.Module.Name));
1285  if (pKmException->Originator == kmExcNameInvalid)
1286  {
1287  return INT_STATUS_INVALID_DATA_SIZE;
1288  }
1289  }
1290 
1291  switch (Event->Victim.Type)
1292  {
1293  case introObjectTypeFastIoDispatch:
1294  case introObjectTypeDriverObject:
1295  if (!Event->Victim.DriverObject.Valid)
1296  {
1297  return INT_STATUS_NOT_SUPPORTED;
1298  }
1299 
1300  pKmException->Victim = Crc32WstringLen(Event->Victim.DriverObject.Name,
1301  INITIAL_CRC_VALUE,
1302  sizeof(Event->Victim.DriverObject.Name),
1303  &valid);
1304  break;
1305 
1306  case introObjectTypeTokenPrivs:
1307  case introObjectTypeSecDesc:
1308  case introObjectTypeAcl:
1309  pKmException->Victim = Crc32StringLen(Event->Victim.Process.ImageName,
1310  INITIAL_CRC_VALUE,
1311  sizeof(Event->Victim.Process.ImageName),
1312  &valid);
1313  break;
1314 
1315  case introObjectTypeSudIntegrity:
1316  {
1317  char buffer[sizeof(Event->Victim.Name) / 2];
1318 
1319  utf16toutf8(buffer, Event->Victim.Name, sizeof(buffer));
1320 
1321  pKmException->Victim = Crc32StringLen(buffer,
1322  INITIAL_CRC_VALUE,
1323  sizeof(buffer),
1324  &valid);
1325  break;
1326  }
1327 
1328  default:
1329  pKmException->Victim = kmExcNameAny;
1330  break;
1331  }
1332 
1333  if (!valid)
1334  {
1335  return INT_STATUS_INVALID_DATA_SIZE;
1336  }
1337 
1338 
1339  if (Event->Victim.Type == introObjectTypeIdt ||
1340  Event->Victim.Type == introObjectTypeInterruptObject)
1341  {
1342  IntAlertCreateIdtSignature(Event->Victim.IdtEntry, FALSE, &pKmException->Idt);
1343  }
1344 
1345  header->ViolationFlags = Event->Header.Flags;
1346  header->Valid = TRUE;
1347 
1348  return INT_STATUS_SUCCESS;
1349 }
1350 
1351 
1352 static INTSTATUS
1353 IntAlertCreateDtrException(
1354  _In_ const EVENT_DTR_VIOLATION *Event,
1355  _In_ BOOLEAN LogErrors,
1356  _Out_ void *Exception
1357  )
1372 {
1373  ALERT_KM_EXCEPTION *pKmException = Exception;
1374  BOOLEAN linuxAlert = (Event->Header.Flags & ALERT_FLAG_LINUX) != 0;
1375  const WCHAR *originator = NULL;
1376  INTRO_ALERT_EXCEPTION_HEADER *header = Exception;
1377 
1378  header->Valid = FALSE;
1379 
1380  if (Event->Victim.Type == introObjectTypeIdtr)
1381  {
1382  pKmException->Type = kmObjIdtr;
1383  }
1384  else if (Event->Victim.Type == introObjectTypeGdtr)
1385  {
1386  pKmException->Type = kmObjGdtr;
1387  }
1388  else
1389  {
1390  if (LogErrors)
1391  {
1392  ERROR("[ERROR] The given event is not supported: %d!\n", Event->Victim.Type);
1393  }
1394 
1395  return INT_STATUS_NOT_SUPPORTED;
1396  }
1397 
1398  if (Event->Originator.Module.Valid)
1399  {
1400  originator = Event->Originator.Module.Name;
1401  }
1402 
1403  pKmException->Flags = (gGuest.Guest64 ? EXCEPTION_FLG_64 : EXCEPTION_FLG_32) | EXCEPTION_FLG_WRITE;
1404 
1405  if (linuxAlert)
1406  {
1407  pKmException->Flags |= EXCEPTION_FLG_LINUX;
1408  }
1409 
1410  pKmException->Victim = kmExcNameAny;
1411  pKmException->Originator = IntAlertGetHashForName(originator,
1412  linuxAlert,
1413  TRUE,
1414  sizeof(Event->Originator.Module.Name));
1415  if (pKmException->Originator == kmExcNameInvalid)
1416  {
1417  return INT_STATUS_INVALID_DATA_SIZE;
1418  }
1419 
1420  IntAlertCreateCbSignature(&Event->CodeBlocks, linuxAlert, FALSE, &pKmException->CodeBlocks);
1421 
1422  header->ViolationFlags = Event->Header.Flags;
1423  header->Valid = TRUE;
1424 
1425  return INT_STATUS_SUCCESS;
1426 }
1427 
1428 
1429 INTSTATUS
1430 IntAlertCreateException(
1431  _In_ const void *Event,
1432  _In_ INTRO_EVENT_TYPE Type,
1433  _In_ BOOLEAN LogErrors,
1434  _Inout_ void *Exception
1435  )
1448 {
1449  INTRO_ALERT_EXCEPTION_HEADER *pHeader = Exception;
1450 
1451  if (Type == introEventEptViolation)
1452  {
1453  if (!(((const EVENT_EPT_VIOLATION *)Event)->Header.Flags & ALERT_FLAG_KM_UM))
1454  {
1455  pHeader->Version = ALERT_KUM_EXCEPTION_VERSION;
1456  }
1457  else if (!(((const EVENT_EPT_VIOLATION *)Event)->Header.Flags & ALERT_FLAG_NOT_RING0))
1458  {
1459  pHeader->Version = ALERT_KM_EXCEPTION_VERSION;
1460  }
1461  else
1462  {
1463  pHeader->Version = ALERT_UM_EXCEPTION_VERSION;
1464  }
1465  }
1466  else if (introEventMsrViolation == Type ||
1467  introEventCrViolation == Type ||
1468  introEventDtrViolation == Type ||
1469  introEventIntegrityViolation == Type)
1470  {
1471  pHeader->Version = ALERT_KM_EXCEPTION_VERSION;
1472  }
1473  else if (introEventInjectionViolation == Type ||
1474  introEventProcessCreationViolation == Type ||
1475  introEventModuleLoadViolation == Type)
1476  {
1477  pHeader->Version = ALERT_UM_EXCEPTION_VERSION;
1478  }
1479 
1480  switch (Type)
1481  {
1482  case introEventEptViolation:
1483  return IntAlertCreateEptException(Event, LogErrors, Exception);
1484 
1485  case introEventMsrViolation:
1486  return IntAlertCreateMsrException(Event, LogErrors, Exception);
1487 
1488  case introEventCrViolation:
1489  return IntAlertCreateCrException(Event, LogErrors, Exception);
1490 
1491  case introEventInjectionViolation:
1492  return IntAlertCreateInjectionException(Event, LogErrors, Exception);
1493 
1494  case introEventIntegrityViolation:
1495  return IntAlertCreateIntegrityException(Event, LogErrors, Exception);
1496 
1497  case introEventDtrViolation:
1498  return IntAlertCreateDtrException(Event, LogErrors, Exception);
1499 
1500  case introEventProcessCreationViolation:
1501  return IntAlertCreateProcessCreationException(Event, LogErrors, Exception);
1502 
1503  case introEventModuleLoadViolation:
1504  return IntAlertCreateModuleLoadException(Event, LogErrors, Exception);
1505 
1506  default:
1507  return INT_STATUS_NOT_SUPPORTED;
1508  }
1509 }
1510 
1511 
1512 INTSTATUS
1513 IntAlertCreateExceptionInEvent(
1514  _Inout_ void *Event,
1515  _In_ INTRO_EVENT_TYPE Type
1516  )
1526 {
1527  if (!IntAlertIsEventTypeViolation(Type))
1528  {
1529  return INT_STATUS_NOT_SUPPORTED;
1530  }
1531 
1532  return IntAlertCreateException(Event, Type, FALSE, &((INTRO_VIOLATION_HEADER *)Event)->Exception);
1533 }
_INTRO_ALERT_EXCEPTION_HEADER::ViolationFlags
QWORD ViolationFlags
A combination of Alert flags values describing the alert.
Definition: intro_types.h:1175
_INTRO_ALERT_EXCEPTION_HEADER::Valid
BOOLEAN Valid
Set to True if the information in the structure is valid, False otherwise.
Definition: intro_types.h:1176
umObjModuleLoad
The object allows only dlls which are detected as suspicous (e.g. module loads before kernel32...
Definition: exceptions.h:223
_In_opt_
#define _In_opt_
Definition: intro_sal.h:16
_Out_
#define _Out_
Definition: intro_sal.h:22
BOOLEAN
_Bool BOOLEAN
Definition: intro_types.h:58
introEventProcessCreationViolation
Sent for unauthorized process creation alerts. See EVENT_PROCESS_CREATION_VIOLATION.
Definition: intro_types.h:115
utf16toutf8
char * utf16toutf8(char *Destination, const WCHAR *Source, DWORD DestinationMaxLength)
Definition: introcrt.c:460
_ALERT_UM_EXCEPTION::Type
UM_EXCEPTION_OBJECT Type
The type of the exception; any type from _UM_EXCEPTION_OBJECT.
Definition: alert_exceptions.h:150
IntAlertGetHashForWindowsName
static DWORD IntAlertGetHashForWindowsName(const WCHAR *Originator, const size_t MaxLength)
Compute the crc32-hash for the provided string.
Definition: alert_exceptions.c:54
_EVENT_CR_VIOLATION
Event structure for CR violation.
Definition: intro_types.h:1346
introObjectTypeKmModule
Kernel module (ntoskrnl.exe, hal.dll, etc.).
Definition: intro_types.h:238
BYTE
uint8_t BYTE
Definition: intro_types.h:47
IG_EPT_HOOK_READ
Read-access hook.
Definition: glueiface.h:298
_In_
#define _In_
Definition: intro_sal.h:21
_ALERT_KM_EXCEPTION::Type
KM_EXCEPTION_OBJECT Type
The type of the exception; any type from _KM_EXCEPTION_OBJECT.
Definition: alert_exceptions.h:105
_ALERT_EXPORT_SIGNATURE
Definition: alert_exceptions.h:56
SIGNATURE_FLG_64
The signature is valid only on 64 bit systems/processes.
Definition: exceptions.h:706
INT_STATUS_SUCCESS
#define INT_STATUS_SUCCESS
Definition: introstatus.h:54
introObjectTypeDriverObject
Driver object.
Definition: intro_types.h:237
introObjectTypeFastIoDispatch
Fast IO Dispatch (Windows only).
Definition: intro_types.h:236
_ALERT_KM_EXCEPTION::Idt
ALERT_IDT_SIGNATURE Idt
The idt alert-signature, if any.
Definition: alert_exceptions.h:108
ALERT_IDT_SIGNATURE_VERSION
#define ALERT_IDT_SIGNATURE_VERSION
Definition: alert_exceptions.h:37
introObjectTypeInterruptObject
An interrupt object from KPRCB.
Definition: intro_types.h:274
kmExcNameAny
The name can be any string.
Definition: exceptions.h:640
introObjectTypeKmLoggerContext
Infinity hook modifications of WMI_LOGGER_CONTEXT.GetCpuClock.
Definition: intro_types.h:264
memCopyViolationSetContextThread
This represents an attempt of modifying the context of another thread.
Definition: intro_types.h:1417
kmObjDriverImports
The modified object is only the driver&#39;s EAT.
Definition: exceptions.h:158
_EVENT_PROCESS_CREATION_VIOLATION
Event structure for process creation violation events.
Definition: intro_types.h:1767
_ALERT_KM_EXCEPTION
Describes a kernel-mode alert-exception.
Definition: alert_exceptions.h:96
_EVENT_INTEGRITY_VIOLATION
Event structure for integrity violations on monitored structures.
Definition: intro_types.h:1572
Crc32WstringLen
DWORD Crc32WstringLen(const WCHAR *String, DWORD InitialCrc, size_t MaxLength, BOOLEAN *Valid)
Computes the CRC for a NULL-terminated wide char string, but without exceeding a maximum number of ch...
Definition: crc32.c:259
ZONE_LIB_RESOURCES
#define ZONE_LIB_RESOURCES
Used for the resources section (usually .rsrc inside a driver or dll).
Definition: exceptions.h:726
introObjectTypeUmGenericNxZone
User-mode non executable zone.
Definition: intro_types.h:247
introEventDtrViolation
Sent when a DTR violation triggers an alert. See EVENT_DTR_VIOLATION.
Definition: intro_types.h:98
_ALERT_UM_EXCEPTION::CodeBlocks
ALERT_CB_SIGNATURE CodeBlocks
The code-blocks alert-signature, if any.
Definition: alert_exceptions.h:152
umObjProcessThreadContext
The modified object is anything inside the structure CONTEXT (valid only for windows).
Definition: exceptions.h:215
umObjProcessInstrumentation
Signals an attempt to set an insturmentation callback.
Definition: exceptions.h:226
kmExcNameVsyscall
The name is the operating system vsyscall (valid only for Linux).
Definition: exceptions.h:647
introEventCrViolation
Sent when a CR violation triggers an alert. See EVENT_CR_VIOLATION.
Definition: intro_types.h:88
wstrnlen
size_t wstrnlen(const WCHAR *s, size_t maxlen)
Definition: introcrt.c:1064
_INTRO_CODEBLOCKS
Holds code block patterns information.
Definition: intro_types.h:1041
kmObjHalPerfCnt
The modified object is HalPerformanceCounter.
Definition: exceptions.h:177
EXCEPTION_FLG_READ
The exception is valid only for read violation.
Definition: exceptions.h:605
IntAlertIsEventTypeViolation
BOOLEAN IntAlertIsEventTypeViolation(INTRO_EVENT_TYPE Type)
Definition: alert_exceptions.h:178
ERROR
#define ERROR(fmt,...)
Definition: glue.h:62
EXCEPTION_KUM_FLG_USER
The exception is valid only if the write comes due to an injection from user-mode.
Definition: exceptions.h:629
umExcNameInvalid
Used to indicate an invalid user-mode exception name.
Definition: exceptions.h:696
_ALERT_CB_SIGNATURE
Definition: alert_exceptions.h:22
kmObjDriverData
The modified object is only the driver&#39;s data sections.
Definition: exceptions.h:160
umExcNameAny
The name can be any string.
Definition: exceptions.h:687
INTSTATUS
int INTSTATUS
The status data type.
Definition: introstatus.h:24
EXCEPTION_FLG_LINUX
The exception is valid only for Linux.
Definition: exceptions.h:603
kmExcNameNone
The name is missing.
Definition: exceptions.h:644
Crc32StringLen
DWORD Crc32StringLen(const char *String, DWORD InitialCrc, size_t MaxLength, BOOLEAN *Valid)
Computes the CRC for a NULL-terminated utf-8 string, but without exceeding a maximum number of charac...
Definition: crc32.c:301
_ALERT_UM_EXCEPTION::Export
ALERT_EXPORT_SIGNATURE Export
The export alert-signature, if any.
Definition: alert_exceptions.h:153
introObjectTypeSudIntegrity
Integrity protection of SharedUserData region.
Definition: intro_types.h:273
kmObjDriverExports
The modified object is only the driver&#39;s IAT.
Definition: exceptions.h:174
introEventInjectionViolation
Sent for code/data injection alerts. See EVENT_MEMCOPY_VIOLATION.
Definition: intro_types.h:96
ALERT_FLAG_LINUX
#define ALERT_FLAG_LINUX
Definition: intro_types.h:676
ALERT_MAX_CODEBLOCKS
#define ALERT_MAX_CODEBLOCKS
The maximum number of code blocks included in an alert structure.
Definition: intro_types.h:705
_GUEST_STATE::OSType
INTRO_GUEST_TYPE OSType
The type of the guest.
Definition: guests.h:278
ALERT_EXPORT_SIGNATURE_VERSION
#define ALERT_EXPORT_SIGNATURE_VERSION
Definition: alert_exceptions.h:54
EXCEPTION_FLG_WRITE
The exception is valid only for write violation.
Definition: exceptions.h:606
_ALERT_UM_EXCEPTION::Process
DWORD Process
The name-hash of the process in which the modification takes place.
Definition: alert_exceptions.h:146
introObjectTypeAcl
Process ACL (SACL/DACL) was modified.
Definition: intro_types.h:272
MIN
#define MIN(a, b)
Definition: introdefs.h:146
IntAlertGetHashForLinuxName
static DWORD IntAlertGetHashForLinuxName(const WCHAR *Originator, const size_t MaxLength)
Compute the crc32-hash for the provided string.
Definition: alert_exceptions.c:17
_ALERT_KUM_EXCEPTION::Flags
DWORD Flags
The flags of the exception; any flags from _EXCEPTION_FLG.
Definition: alert_exceptions.h:125
IntAlertCreateExceptionInEvent
INTSTATUS IntAlertCreateExceptionInEvent(void *Event, INTRO_EVENT_TYPE Type)
This function creates an alert-exception for each alert sent to the integrator.
Definition: alert_exceptions.c:1513
umExcNameNone
The name is missing.
Definition: exceptions.h:692
ALERT_FLAG_KM_UM
#define ALERT_FLAG_KM_UM
If set, the alert was generated by a kernel to user mode violation.
Definition: intro_types.h:687
IntAlertCreateInjectionException
static INTSTATUS IntAlertCreateInjectionException(const EVENT_MEMCOPY_VIOLATION *Event, BOOLEAN LogErrors, void *Exception)
Creates an alert-exception structure from an Injection violation event.
Definition: alert_exceptions.c:930
_ALERT_KM_EXCEPTION::Flags
DWORD Flags
The flags of the exception; any flags from _EXCEPTION_FLG.
Definition: alert_exceptions.h:103
IntAlertCreateExportSignature
static void IntAlertCreateExportSignature(const INTRO_MODULE *Module, const char *FunctionName, DWORD FunctionNameHash, DWORD Delta, DWORD WriteSize, BOOLEAN LinuxEvent, ALERT_EXPORT_SIGNATURE *Signature)
Creates an export alert-signature structure.
Definition: alert_exceptions.c:365
umObjProcess
The modified object is only another process (injection basically).
Definition: exceptions.h:209
IntAlertGetHashForName
static DWORD IntAlertGetHashForName(const WCHAR *Originator, BOOLEAN LinuxGuest, BOOLEAN KernelMode, size_t MaxLength)
Compute the crc32-hash for the provided string.
Definition: alert_exceptions.c:121
_ALERT_UM_EXCEPTION
Describes a user-mode alert-exception.
Definition: alert_exceptions.h:140
_ALERT_UM_EXCEPTION::Originator
DWORD Originator
The name-hash of the originator.
Definition: alert_exceptions.h:144
kmObjSudModification
The modified object is a SharedUserData field.
Definition: exceptions.h:180
introObjectTypeTokenPrivs
Token privileges.
Definition: intro_types.h:266
IntAlertCreateProcessCreationSignature
static void IntAlertCreateProcessCreationSignature(DWORD PcType, BOOLEAN LinuxAlert, ALERT_PROCESS_CREATION_SIGNATURE *Signature)
Creates a process-creation alert-signature structure.
Definition: alert_exceptions.c:303
_Inout_
#define _Inout_
Definition: intro_sal.h:20
EXCEPTION_KM_FLG_SMEP
The exception is valid only for CR4.SMEP write.
Definition: exceptions.h:616
ZONE_LIB_CODE
#define ZONE_LIB_CODE
Used for a generic code zone.
Definition: exceptions.h:723
INITIAL_CRC_VALUE
#define INITIAL_CRC_VALUE
Definition: introdefs.h:221
_ALERT_PROCESS_CREATION_SIGNATURE
Describe a process-creation alert-signature.
Definition: alert_exceptions.h:78
introGuestLinux
Linux.
Definition: intro_types.h:2044
EXCEPTION_KM_FLG_SMAP
The exception is valid only for CR4.SMAP write.
Definition: exceptions.h:615
_ALERT_KM_EXCEPTION::Originator
DWORD Originator
The name-hash of the originator.
Definition: alert_exceptions.h:100
_EVENT_MSR_VIOLATION
Event structure for MSR violation.
Definition: intro_types.h:1316
memCopyViolationQueueApcThread
This represents an attempt to queue an APC into the victim process.
Definition: intro_types.h:1420
EXCEPTION_FLG_EXECUTE
The exception is valid only for execute violation.
Definition: exceptions.h:607
_GUEST_STATE::Guest64
BOOLEAN Guest64
True if this is a 64-bit guest, False if it is a 32-bit guest.
Definition: guests.h:290
kmObjDriverCode
The modified object is only the driver&#39;s code sections.
Definition: exceptions.h:159
_INTRO_ALERT_EXCEPTION_HEADER
The common header used by exception information.
Definition: intro_types.h:1172
_ALERT_IDT_SIGNATURE
Describes an idt alert-signature.
Definition: alert_exceptions.h:42
kmExcNameKernel
The name is the operating system kernel name.
Definition: exceptions.h:642
_ALERT_KUM_EXCEPTION
Describes a kernel-mode alert-exception.
Definition: alert_exceptions.h:117
SIGNATURE_FLG_32
The signature is valid only on 32 bit systems/processes.
Definition: exceptions.h:705
_EVENT_MODULE_LOAD_VIOLATION
Event structure for suspicious module load into processes.
Definition: intro_types.h:1838
introObjectTypeHalPerfCounter
Write protection over HalPerformanceCounter.
Definition: intro_types.h:268
_ALERT_UM_EXCEPTION::Flags
DWORD Flags
The flags of the exception; any flags from _EXCEPTION_FLG.
Definition: alert_exceptions.h:148
introEventModuleLoadViolation
Sent for suspicious module loads alerts. See EVENT_MODULE_LOAD_VIOLATION.
Definition: intro_types.h:117
introObjectTypeIdtr
IDTR.
Definition: intro_types.h:260
TRUE
#define TRUE
Definition: intro_types.h:30
IntAlertCreateProcessCreationException
static INTSTATUS IntAlertCreateProcessCreationException(const EVENT_PROCESS_CREATION_VIOLATION *Event, BOOLEAN LogErrors, void *Exception)
Creates an alert-exception structure from an process-creation violation event.
Definition: alert_exceptions.c:1034
EXCEPTION_KUM_FLG_KERNEL
The exception is valid only if the write comes due to an injection from kernel-mode.
Definition: exceptions.h:631
memCopyViolationInstrument
This represents an attempt to set an instrument callback inside the victim process.
Definition: intro_types.h:1423
kmObjSsdt
The modified object is SSDT (valid only on windows x86).
Definition: exceptions.h:162
_INTRO_ALERT_EXCEPTION_HEADER::Version
WORD Version
The version of the exception information.
Definition: intro_types.h:1174
_EVENT_MEMCOPY_VIOLATION
Memory access violations that cross a process boundary.
Definition: intro_types.h:1434
WARNING
#define WARNING(fmt,...)
Definition: glue.h:60
ZONE_LIB_EXPORTS
#define ZONE_LIB_EXPORTS
Used for the exports of a dll, driver, etc.
Definition: exceptions.h:722
kumObjModuleExports
The modified object is inside the process module&#39;s EAT.
Definition: exceptions.h:196
_EVENT_DTR_VIOLATION
Event structure for GDTR/IDTR descriptor tables modifications.
Definition: intro_types.h:1625
kmObjTokenPrivs
The modified object is the privileges field inside the nt!_TOKEN structure.
Definition: exceptions.h:175
introEventEptViolation
Sent when an EPT violation triggers an alert. See EVENT_EPT_VIOLATION.
Definition: intro_types.h:84
kmObjCr4
The modified object is SMEP and/or SMAP bits of CR4.
Definition: exceptions.h:166
ALERT_FLAG_NOT_RING0
#define ALERT_FLAG_NOT_RING0
If set, the alert was triggered in ring 1, 2 or 3.
Definition: intro_types.h:674
umObjModuleImports
The modified object is inside the process module&#39;s IAT.
Definition: exceptions.h:211
Crc32Wstring
DWORD Crc32Wstring(const WCHAR *String, DWORD InitialCrc)
Computes the CRC for a NULL-terminated wide char string.
Definition: crc32.c:226
UNREFERENCED_PARAMETER
#define UNREFERENCED_PARAMETER(P)
Definition: introdefs.h:29
kmObjIdtr
The modified object is IDTR.
Definition: exceptions.h:170
kumObjModuleImports
The modified object is inside the process module&#39;s IAT.
Definition: exceptions.h:195
ALERT_CB_SIGNATURE_VERSION
#define ALERT_CB_SIGNATURE_VERSION
Definition: alert_exceptions.h:19
WCHAR
uint16_t WCHAR
Definition: intro_types.h:63
introObjectTypeSudExec
Executions inside the SharedUserData region.
Definition: intro_types.h:267
DWORD
uint32_t DWORD
Definition: intro_types.h:49
ALERT_KM_EXCEPTION_VERSION
#define ALERT_KM_EXCEPTION_VERSION
Definition: alert_exceptions.h:91
_INTRO_VIOLATION_HEADER
Common violation header.
Definition: intro_types.h:1189
EXCEPTION_KM_FLG_INTEGRITY
The exception is valid only for integrity zone.
Definition: exceptions.h:618
kmObjFastIo
The modified object is anything inside the driver&#39;s fast IO dispatch table.
Definition: exceptions.h:164
introObjectTypeUmModule
User-mode library.
Definition: intro_types.h:248
kmExcNameVdso
The name is the operating system vdso (valid only for Linux).
Definition: exceptions.h:646
ALERT_HASH_COUNT
#define ALERT_HASH_COUNT
Definition: alert_exceptions.h:17
umObjSharedUserData
Signals an execution inside SharedUserData.
Definition: exceptions.h:225
MAX
#define MAX(a, b)
Definition: introdefs.h:151
IntAlertCreateMsrException
static INTSTATUS IntAlertCreateMsrException(const EVENT_MSR_VIOLATION *Event, BOOLEAN LogErrors, void *Exception)
Creates an alert-exception structure from an MSR violation event.
Definition: alert_exceptions.c:807
ZONE_LIB_DATA
#define ZONE_LIB_DATA
Definition: exceptions.h:724
gGuest
GUEST_STATE gGuest
The current guest state.
Definition: guests.c:50
_ALERT_UM_EXCEPTION::ProcessCreation
ALERT_PROCESS_CREATION_SIGNATURE ProcessCreation
The process-creation alert-signature, if any.
Definition: alert_exceptions.h:154
_ALERT_KUM_EXCEPTION::Type
KUM_EXCEPTION_OBJECT Type
The type of the exception; any type from _KUM_EXCEPTION_OBJECT.
Definition: alert_exceptions.h:127
kmObjIdt
The modified object is any IDT entry.
Definition: exceptions.h:169
IntAlertCreateCrException
static INTSTATUS IntAlertCreateCrException(const EVENT_CR_VIOLATION *Event, BOOLEAN LogErrors, void *Exception)
Creates an alert-exception structure from an CR violation event.
Definition: alert_exceptions.c:868
SIGNATURE_FLG_LINUX
The signature is valid only on Linux.
Definition: exceptions.h:713
IntAlertCreateCbSignature
static void IntAlertCreateCbSignature(const INTRO_CODEBLOCKS *CodeBlocks, BOOLEAN LinuxAlert, BOOLEAN ExecAlert, ALERT_CB_SIGNATURE *Signature)
Creates an alert-signature structure.
Definition: alert_exceptions.c:204
umObjModule
The modified object is inside the process modules.
Definition: exceptions.h:210
introObjectTypeSsdt
SSDT (Windows only).
Definition: intro_types.h:235
_ALERT_UM_EXCEPTION::Victim
DWORD Victim
The name-hash of the victim.
Definition: alert_exceptions.h:145
CWSTRLEN
#define CWSTRLEN(Wstring)
Definition: introdefs.h:104
_ALERT_KUM_EXCEPTION::Process
DWORD Process
The name-hash of the process.
Definition: alert_exceptions.h:123
kmObjAcl
The modified object is an ACL (SACL/DACL) of a process.
Definition: exceptions.h:179
ALERT_PROCESS_CREATION_SIGNATURE_VERSION
#define ALERT_PROCESS_CREATION_SIGNATURE_VERSION
Definition: alert_exceptions.h:73
introObjectTypeVsyscall
Virtual SYSCALL (user-mode, Linux-only).
Definition: intro_types.h:257
introObjectTypeGdtr
GDTR.
Definition: intro_types.h:261
wstrcasecmp
int wstrcasecmp(const WCHAR *buf1, const WCHAR *buf2)
Definition: introcrt.c:98
_ALERT_KUM_EXCEPTION::Victim
DWORD Victim
The name-hash of the victim.
Definition: alert_exceptions.h:122
kmObjGdtr
The modified object is WMI_LOGGER_CONTEXT.GetCpuClock used by InfinityHook (valid only on windows)...
Definition: exceptions.h:171
IntAlertCreateIdtSignature
static void IntAlertCreateIdtSignature(const BYTE Entry, BOOLEAN LinuxAlert, ALERT_IDT_SIGNATURE *Signature)
Creates a IDT alert-signature structure.
Definition: alert_exceptions.c:334
IntAlertCreateIntegrityException
static INTSTATUS IntAlertCreateIntegrityException(const EVENT_INTEGRITY_VIOLATION *Event, BOOLEAN LogErrors, void *Exception)
Creates an alert-exception structure from an integrity violation event.
Definition: alert_exceptions.c:1179
IntAlertCreateDtrException
static INTSTATUS IntAlertCreateDtrException(const EVENT_DTR_VIOLATION *Event, BOOLEAN LogErrors, void *Exception)
Creates an alert-exception structure from an process-creation violation event.
Definition: alert_exceptions.c:1353
_ALERT_KM_EXCEPTION::Victim
DWORD Victim
The name-hash of the victim.
Definition: alert_exceptions.h:101
introObjectTypeVdso
Virtual dynamic shared object (user-mode, Linux-only).
Definition: intro_types.h:256
kmObjInterruptObject
The modified object is an interrupt object from KPRCB.
Definition: exceptions.h:181
INT_STATUS_NOT_SUPPORTED
#define INT_STATUS_NOT_SUPPORTED
Definition: introstatus.h:287
ALERT_UM_EXCEPTION_VERSION
#define ALERT_UM_EXCEPTION_VERSION
Definition: alert_exceptions.h:135
wstrncasecmp_len
static int wstrncasecmp_len(const WCHAR *buf1, const WCHAR *buf2, size_t len_buf1, size_t len_buf2)
Definition: introcrt.h:221
INTRO_EVENT_TYPE
enum _INTRO_EVENT_TYPE INTRO_EVENT_TYPE
Event classes.
introEventIntegrityViolation
Sent for integrity violation alerts. See EVENT_INTEGRITY_VIOLATION.
Definition: intro_types.h:92
Crc32String
DWORD Crc32String(const char *String, DWORD InitialCrc)
Computes the CRC for a NULL-terminated utf-8 string.
Definition: crc32.c:200
umObjProcessApcThread
The modified object is the thread which was performed an asynchronous procedure call on...
Definition: exceptions.h:219
alert_exceptions.h
ZONE_LIB_IMPORTS
#define ZONE_LIB_IMPORTS
Used for the imports of a dll, driver, etc.
Definition: exceptions.h:721
_EVENT_EPT_VIOLATION
Event structure for EPT violations.
Definition: intro_types.h:1215
introEventMsrViolation
Sent when a MSR violation triggers an alert.See EVENT_MSR_VIOLATION.
Definition: intro_types.h:86
IG_EPT_HOOK_EXECUTE
Execute-access hook.
Definition: glueiface.h:300
EXCEPTION_FLG_32
The exception is valid only on 32 bit systems/process.
Definition: exceptions.h:596
_ALERT_KM_EXCEPTION::CodeBlocks
ALERT_CB_SIGNATURE CodeBlocks
The code-blocks alert-signature, if any.
Definition: alert_exceptions.h:107
kmObjDrvObj
The modified object is anything inside the driver object.
Definition: exceptions.h:163
CHAR
char CHAR
Definition: intro_types.h:56
kmExcNameInvalid
Used to indicate an invalid kernel-mode exception name.
Definition: exceptions.h:656
_INTRO_MODULE
Describes a user-mode or kernel-mode module.
Definition: intro_types.h:925
memCopyViolationRead
This represents a read done from another process.
Definition: intro_types.h:1414
kmObjDriverResources
The modified object is only the driver&#39;s resources sections.
Definition: exceptions.h:161
introObjectTypeSecDesc
Process security descriptor pointer.
Definition: intro_types.h:271
_ALERT_KUM_EXCEPTION::CodeBlocks
ALERT_CB_SIGNATURE CodeBlocks
The code-blocks alert-signature, if any.
Definition: alert_exceptions.h:129
IntAlertGetEptExceptionFlags
static DWORD IntAlertGetEptExceptionFlags(const EVENT_EPT_VIOLATION *Event)
Get the flags for an exception based on the information from the provided event.
Definition: alert_exceptions.c:165
kmObjSecDesc
The modified object is the security descriptor pointer of a process.
Definition: exceptions.h:178
kmExcNameHal
The name is the operating system HAL name (valid only for windows).
Definition: exceptions.h:643
UtilQuickSort
void UtilQuickSort(void *Array, const DWORD NumberOfElements, const BYTE ElementSize)
Definition: utils.c:267
umObjProcessCreationDpi
The process object creates another process using DPI flags.
Definition: exceptions.h:224
umObjNxZone
The object that has a NX zone is executed.
Definition: exceptions.h:212
IntAlertCreateModuleLoadException
static INTSTATUS IntAlertCreateModuleLoadException(const EVENT_MODULE_LOAD_VIOLATION *Event, BOOLEAN LogErrors, void *Exception)
Creates an alert-exception structure from an module-load violation event.
Definition: alert_exceptions.c:1108
kmObjMsr
The modified object is a MSR.
Definition: exceptions.h:165
INT_STATUS_INVALID_DATA_SIZE
#define INT_STATUS_INVALID_DATA_SIZE
Definition: introstatus.h:142
ALERT_KUM_EXCEPTION_VERSION
#define ALERT_KUM_EXCEPTION_VERSION
Definition: alert_exceptions.h:112
introObjectTypeIdt
IDT.
Definition: intro_types.h:239
IntAlertCreateException
INTSTATUS IntAlertCreateException(const void *Event, INTRO_EVENT_TYPE Type, BOOLEAN LogErrors, void *Exception)
This function will dispatch the exception creation to the appropriate function, depending on the even...
Definition: alert_exceptions.c:1430
_ALERT_KUM_EXCEPTION::Originator
DWORD Originator
The name-hash of the originator.
Definition: alert_exceptions.h:121
FALSE
#define FALSE
Definition: intro_types.h:34
IntAlertCreateEptException
static INTSTATUS IntAlertCreateEptException(const EVENT_EPT_VIOLATION *Event, BOOLEAN LogErrors, void *Exception)
Creates an alert-exception structure from an EPT violation event.
Definition: alert_exceptions.c:428
kumObjModule
The modified object is inside the process modules.
Definition: exceptions.h:194