19 _In_ const size_t MaxLength
33 if (
wstrnlen(Originator, MaxLength) == MaxLength)
56 _In_ const size_t MaxLength
73 size_t i, len =
wstrnlen(Originator, MaxLength);
80 if (Originator[0] == u
'\\' ||
81 (((Originator[0] >= u
'C' && Originator[0] <= u
'Z') ||
82 (Originator[0] >= u
'c' && Originator[0] <= u
'z')) &&
83 Originator[1] == u
':' &&
84 Originator[2] == u
'\\'))
86 for (i = len - 1; i > 0; i--)
88 if (Originator[i] == u
'\\')
125 _In_ size_t MaxLength
141 if (Originator == NULL)
225 if (!CodeBlocks->Valid)
227 Signature->Valid =
FALSE;
243 ERROR(
"[ERROR] The index (%d) of the RIP's codeblock is grater than the ALERT_MAX_CODEBLOCKS (%d)\n",
246 Signature->Valid =
FALSE;
252 ERROR(
"[ERROR] The number of codeblocks (%d) is grater than the ALERT_MAX_CODEBLOCKS (%d)\n",
255 Signature->Valid =
FALSE;
266 else if (CodeBlocks->RipCbIndex + (
ALERT_HASH_COUNT / 2) >= CodeBlocks->Count)
279 if (Signature->Count == 0)
281 WARNING(
"[WARNING] Codeblocks count is zero\n");
282 Signature->Valid =
FALSE;
287 Signature->Score =
MAX(Signature->Count - 1, 1);
289 for (
int i = 0; i < Signature->Count; i++)
291 Signature->CodeBlocks[i] = CodeBlocks->CodeBlocks[i + offset].Value;
296 sizeof(Signature->CodeBlocks[0]));
298 Signature->Valid =
TRUE;
327 Signature->CreateMask = PcType;
329 Signature->Valid =
TRUE;
358 Signature->Entry = Entry;
360 Signature->Valid =
TRUE;
367 _In_ const char *FunctionName,
390 if (!Module->Valid || Module->Name[0] == 0)
392 Signature->Valid =
FALSE;
407 Signature->Valid =
FALSE;
413 Signature->Function = FunctionNameHash;
420 Signature->Delta = (
BYTE)Delta;
421 Signature->WriteSize = (
BYTE)WriteSize;
423 Signature->Valid =
TRUE;
452 const WCHAR *originator = NULL;
453 const WCHAR *victim = NULL;
463 if (Event->Originator.Module.Valid)
465 originator = Event->Originator.Module.Name;
467 else if (Event->Originator.ReturnModule.Valid)
469 originator = Event->Originator.ReturnModule.Name;
486 if (Event->Originator.Injection.User)
491 sizeof(Event->Originator.Process.ImageName),
499 else if (Event->Originator.Injection.Kernel)
505 sizeof(Event->Originator.ReturnModule.Name));
516 sizeof(Event->Originator.Module.Name));
540 ERROR(
"[ERROR] Invalid victim type (%d) for kernel-user exceptions!", Event->Victim.Type);
549 sizeof(Event->Victim.Module.Name));
563 sizeof(Event->Header.CurrentProcess.ImageName),
582 !Event->Victim.DriverObject.Valid))
597 sizeof(Event->Originator.Module.Name));
609 victim = Event->Victim.Module.Name;
628 sizeof(Event->Victim.Module.Name));
672 victim = Event->Victim.DriverObject.Name;
676 sizeof(Event->Victim.DriverObject.Name),
727 (!Event->Header.CurrentProcess.Valid))
763 sizeof(Event->Originator.Module.Name));
772 sizeof(Event->Victim.Module.Name));
786 sizeof(Event->Header.CurrentProcess.ImageName),
810 _Out_ void *Exception
827 const WCHAR *originator = NULL;
835 if (Event->Originator.Module.Valid)
837 originator = Event->Originator.Module.Name;
852 sizeof(Event->Originator.Module.Name));
871 _Out_ void *Exception
888 const WCHAR *originator = NULL;
896 if (Event->Originator.Module.Valid)
898 originator = Event->Originator.Module.Name;
914 sizeof(Event->Originator.Module.Name));
933 _Out_ void *Exception
959 if (Event->Originator.Process.ImageName[0] == 0 ||
960 Event->Victim.Process.ImageName[0] == 0)
972 switch (Event->ViolationType)
1002 sizeof(Event->Originator.Process.ImageName),
1011 sizeof(Event->Victim.Process.ImageName),
1019 Event->FunctionName,
1020 Event->FunctionNameHash,
1063 if (Event->Originator.ImageName[0] == 0 ||
1064 Event->Victim.ImageName[0] == 0)
1078 sizeof(Event->Originator.ImageName),
1087 sizeof(Event->Victim.ImageName),
1095 if (Event->PcType != 0)
1111 _Out_ void *Exception
1136 if (Event->Originator.Module.Name[0] == 0 ||
1137 Event->Victim.ImageName[0] == 0)
1152 sizeof(Event->Originator.Module.Name));
1160 sizeof(Event->Victim.ImageName),
1182 _In_ void *Exception
1199 const WCHAR *originator = NULL;
1209 ERROR(
"[ERROR] Integrity exceptions are not supported on linux guests!\n");
1259 ERROR(
"[ERROR] The given event is not supported: %d!\n", Event->Victim.Type);
1265 if (Event->Originator.Module.Valid)
1267 originator = Event->Originator.Module.Name;
1284 sizeof(Event->Originator.Module.Name));
1291 switch (Event->Victim.Type)
1295 if (!Event->Victim.DriverObject.Valid)
1302 sizeof(Event->Victim.DriverObject.Name),
1311 sizeof(Event->Victim.Process.ImageName),
1317 char buffer[
sizeof(Event->Victim.Name) / 2];
1319 utf16toutf8(buffer, Event->Victim.Name,
sizeof(buffer));
1356 _Out_ void *Exception
1375 const WCHAR *originator = NULL;
1392 ERROR(
"[ERROR] The given event is not supported: %d!\n", Event->Victim.Type);
1398 if (Event->Originator.Module.Valid)
1400 originator = Event->Originator.Module.Name;
1414 sizeof(Event->Originator.Module.Name));
1431 _In_ const void *Event,
QWORD ViolationFlags
A combination of Alert flags values describing the alert.
BOOLEAN Valid
Set to True if the information in the structure is valid, False otherwise.
The object allows only dlls which are detected as suspicious (e.g. module loads before kernel32...
Sent for unauthorized process creation alerts. See EVENT_PROCESS_CREATION_VIOLATION.
char * utf16toutf8(char *Destination, const WCHAR *Source, DWORD DestinationMaxLength)
UM_EXCEPTION_OBJECT Type
The type of the exception; any type from _UM_EXCEPTION_OBJECT.
static DWORD IntAlertGetHashForWindowsName(const WCHAR *Originator, const size_t MaxLength)
Compute the crc32-hash for the provided string.
Event structure for CR violation.
Kernel module (ntoskrnl.exe, hal.dll, etc.).
KM_EXCEPTION_OBJECT Type
The type of the exception; any type from _KM_EXCEPTION_OBJECT.
The signature is valid only on 64 bit systems/processes.
#define INT_STATUS_SUCCESS
Fast IO Dispatch (Windows only).
ALERT_IDT_SIGNATURE Idt
The idt alert-signature, if any.
#define ALERT_IDT_SIGNATURE_VERSION
An interrupt object from KPRCB.
The name can be any string.
Infinity hook modifications of WMI_LOGGER_CONTEXT.GetCpuClock.
This represents an attempt of modifying the context of another thread.
The modified object is only the driver's EAT.
Event structure for process creation violation events.
Describes a kernel-mode alert-exception.
Event structure for integrity violations on monitored structures.
DWORD Crc32WstringLen(const WCHAR *String, DWORD InitialCrc, size_t MaxLength, BOOLEAN *Valid)
Computes the CRC for a NULL-terminated wide char string, but without exceeding a maximum number of ch...
#define ZONE_LIB_RESOURCES
Used for the resources section (usually .rsrc inside a driver or dll).
User-mode non executable zone.
Sent when a DTR violation triggers an alert. See EVENT_DTR_VIOLATION.
ALERT_CB_SIGNATURE CodeBlocks
The code-blocks alert-signature, if any.
The modified object is anything inside the structure CONTEXT (valid only for windows).
Signals an attempt to set an instrumentation callback.
The name is the operating system vsyscall (valid only for Linux).
Sent when a CR violation triggers an alert. See EVENT_CR_VIOLATION.
size_t wstrnlen(const WCHAR *s, size_t maxlen)
Holds code block patterns information.
The modified object is HalPerformanceCounter.
The exception is valid only for read violation.
BOOLEAN IntAlertIsEventTypeViolation(INTRO_EVENT_TYPE Type)
The exception is valid only if the write comes due to an injection from user-mode.
Used to indicate an invalid user-mode exception name.
The modified object is only the driver's data sections.
The name can be any string.
int INTSTATUS
The status data type.
The exception is valid only for Linux.
DWORD Crc32StringLen(const char *String, DWORD InitialCrc, size_t MaxLength, BOOLEAN *Valid)
Computes the CRC for a NULL-terminated utf-8 string, but without exceeding a maximum number of charac...
ALERT_EXPORT_SIGNATURE Export
The export alert-signature, if any.
Integrity protection of SharedUserData region.
The modified object is only the driver's IAT.
Sent for code/data injection alerts. See EVENT_MEMCOPY_VIOLATION.
#define ALERT_MAX_CODEBLOCKS
The maximum number of code blocks included in an alert structure.
INTRO_GUEST_TYPE OSType
The type of the guest.
#define ALERT_EXPORT_SIGNATURE_VERSION
The exception is valid only for write violation.
DWORD Process
The name-hash of the process in which the modification takes place.
Process ACL (SACL/DACL) was modified.
static DWORD IntAlertGetHashForLinuxName(const WCHAR *Originator, const size_t MaxLength)
Compute the crc32-hash for the provided string.
DWORD Flags
The flags of the exception; any flags from _EXCEPTION_FLG.
INTSTATUS IntAlertCreateExceptionInEvent(void *Event, INTRO_EVENT_TYPE Type)
This function creates an alert-exception for each alert sent to the integrator.
#define ALERT_FLAG_KM_UM
If set, the alert was generated by a kernel to user mode violation.
static INTSTATUS IntAlertCreateInjectionException(const EVENT_MEMCOPY_VIOLATION *Event, BOOLEAN LogErrors, void *Exception)
Creates an alert-exception structure from an Injection violation event.
DWORD Flags
The flags of the exception; any flags from _EXCEPTION_FLG.
static void IntAlertCreateExportSignature(const INTRO_MODULE *Module, const char *FunctionName, DWORD FunctionNameHash, DWORD Delta, DWORD WriteSize, BOOLEAN LinuxEvent, ALERT_EXPORT_SIGNATURE *Signature)
Creates an export alert-signature structure.
The modified object is only another process (injection basically).
static DWORD IntAlertGetHashForName(const WCHAR *Originator, BOOLEAN LinuxGuest, BOOLEAN KernelMode, size_t MaxLength)
Compute the crc32-hash for the provided string.
Describes a user-mode alert-exception.
DWORD Originator
The name-hash of the originator.
The modified object is a SharedUserData field.
static void IntAlertCreateProcessCreationSignature(DWORD PcType, BOOLEAN LinuxAlert, ALERT_PROCESS_CREATION_SIGNATURE *Signature)
Creates a process-creation alert-signature structure.
The exception is valid only for CR4.SMEP write.
#define ZONE_LIB_CODE
Used for a generic code zone.
#define INITIAL_CRC_VALUE
Describe a process-creation alert-signature.
The exception is valid only for CR4.SMAP write.
DWORD Originator
The name-hash of the originator.
Event structure for MSR violation.
This represents an attempt to queue an APC into the victim process.
The exception is valid only for execute violation.
BOOLEAN Guest64
True if this is a 64-bit guest, False if it is a 32-bit guest.
The modified object is only the driver's code sections.
The common header used by exception information.
Describes an idt alert-signature.
The name is the operating system kernel name.
Describes a kernel-mode alert-exception.
The signature is valid only on 32 bit systems/processes.
Event structure for suspicious module load into processes.
Write protection over HalPerformanceCounter.
DWORD Flags
The flags of the exception; any flags from _EXCEPTION_FLG.
Sent for suspicious module loads alerts. See EVENT_MODULE_LOAD_VIOLATION.
static INTSTATUS IntAlertCreateProcessCreationException(const EVENT_PROCESS_CREATION_VIOLATION *Event, BOOLEAN LogErrors, void *Exception)
Creates an alert-exception structure from a process-creation violation event.
The exception is valid only if the write comes due to an injection from kernel-mode.
This represents an attempt to set an instrument callback inside the victim process.
The modified object is SSDT (valid only on windows x86).
WORD Version
The version of the exception information.
Memory access violations that cross a process boundary.
#define ZONE_LIB_EXPORTS
Used for the exports of a dll, driver, etc.
The modified object is inside the process module's EAT.
Event structure for GDTR/IDTR descriptor tables modifications.
The modified object is the privileges field inside the nt!_TOKEN structure.
Sent when an EPT violation triggers an alert. See EVENT_EPT_VIOLATION.
The modified object is SMEP and/or SMAP bits of CR4.
#define ALERT_FLAG_NOT_RING0
If set, the alert was triggered in ring 1, 2 or 3.
The modified object is inside the process module's IAT.
DWORD Crc32Wstring(const WCHAR *String, DWORD InitialCrc)
Computes the CRC for a NULL-terminated wide char string.
#define UNREFERENCED_PARAMETER(P)
The modified object is IDTR.
The modified object is inside the process module's IAT.
#define ALERT_CB_SIGNATURE_VERSION
Executions inside the SharedUserData region.
#define ALERT_KM_EXCEPTION_VERSION
The exception is valid only for integrity zone.
The modified object is anything inside the driver's fast IO dispatch table.
The name is the operating system vdso (valid only for Linux).
Signals an execution inside SharedUserData.
static INTSTATUS IntAlertCreateMsrException(const EVENT_MSR_VIOLATION *Event, BOOLEAN LogErrors, void *Exception)
Creates an alert-exception structure from an MSR violation event.
GUEST_STATE gGuest
The current guest state.
ALERT_PROCESS_CREATION_SIGNATURE ProcessCreation
The process-creation alert-signature, if any.
KUM_EXCEPTION_OBJECT Type
The type of the exception; any type from _KUM_EXCEPTION_OBJECT.
The modified object is any IDT entry.
static INTSTATUS IntAlertCreateCrException(const EVENT_CR_VIOLATION *Event, BOOLEAN LogErrors, void *Exception)
Creates an alert-exception structure from a CR violation event.
The signature is valid only on Linux.
static void IntAlertCreateCbSignature(const INTRO_CODEBLOCKS *CodeBlocks, BOOLEAN LinuxAlert, BOOLEAN ExecAlert, ALERT_CB_SIGNATURE *Signature)
Creates an alert-signature structure.
The modified object is inside the process modules.
DWORD Victim
The name-hash of the victim.
#define CWSTRLEN(Wstring)
DWORD Process
The name-hash of the process.
The modified object is an ACL (SACL/DACL) of a process.
#define ALERT_PROCESS_CREATION_SIGNATURE_VERSION
Virtual SYSCALL (user-mode, Linux-only).
int wstrcasecmp(const WCHAR *buf1, const WCHAR *buf2)
DWORD Victim
The name-hash of the victim.
The modified object is WMI_LOGGER_CONTEXT.GetCpuClock used by InfinityHook (valid only on windows)...
static void IntAlertCreateIdtSignature(const BYTE Entry, BOOLEAN LinuxAlert, ALERT_IDT_SIGNATURE *Signature)
Creates an IDT alert-signature structure.
static INTSTATUS IntAlertCreateIntegrityException(const EVENT_INTEGRITY_VIOLATION *Event, BOOLEAN LogErrors, void *Exception)
Creates an alert-exception structure from an integrity violation event.
static INTSTATUS IntAlertCreateDtrException(const EVENT_DTR_VIOLATION *Event, BOOLEAN LogErrors, void *Exception)
Creates an alert-exception structure from a process-creation violation event.
DWORD Victim
The name-hash of the victim.
Virtual dynamic shared object (user-mode, Linux-only).
The modified object is an interrupt object from KPRCB.
#define INT_STATUS_NOT_SUPPORTED
#define ALERT_UM_EXCEPTION_VERSION
static int wstrncasecmp_len(const WCHAR *buf1, const WCHAR *buf2, size_t len_buf1, size_t len_buf2)
enum _INTRO_EVENT_TYPE INTRO_EVENT_TYPE
Event classes.
Sent for integrity violation alerts. See EVENT_INTEGRITY_VIOLATION.
DWORD Crc32String(const char *String, DWORD InitialCrc)
Computes the CRC for a NULL-terminated utf-8 string.
The modified object is the thread on which an asynchronous procedure call was performed...
#define ZONE_LIB_IMPORTS
Used for the imports of a dll, driver, etc.
Event structure for EPT violations.
Sent when an MSR violation triggers an alert. See EVENT_MSR_VIOLATION.
The exception is valid only on 32 bit systems/process.
ALERT_CB_SIGNATURE CodeBlocks
The code-blocks alert-signature, if any.
The modified object is anything inside the driver object.
Used to indicate an invalid kernel-mode exception name.
Describes a user-mode or kernel-mode module.
This represents a read done from another process.
The modified object is only the driver's resources sections.
Process security descriptor pointer.
ALERT_CB_SIGNATURE CodeBlocks
The code-blocks alert-signature, if any.
static DWORD IntAlertGetEptExceptionFlags(const EVENT_EPT_VIOLATION *Event)
Get the flags for an exception based on the information from the provided event.
The modified object is the security descriptor pointer of a process.
The name is the operating system HAL name (valid only for windows).
void UtilQuickSort(void *Array, const DWORD NumberOfElements, const BYTE ElementSize)
The process object creates another process using DPI flags.
The object that has a NX zone is executed.
static INTSTATUS IntAlertCreateModuleLoadException(const EVENT_MODULE_LOAD_VIOLATION *Event, BOOLEAN LogErrors, void *Exception)
Creates an alert-exception structure from a module-load violation event.
The modified object is a MSR.
#define INT_STATUS_INVALID_DATA_SIZE
#define ALERT_KUM_EXCEPTION_VERSION
INTSTATUS IntAlertCreateException(const void *Event, INTRO_EVENT_TYPE Type, BOOLEAN LogErrors, void *Exception)
This function will dispatch the exception creation to the appropriate function, depending on the even...
DWORD Originator
The name-hash of the originator.
static INTSTATUS IntAlertCreateEptException(const EVENT_EPT_VIOLATION *Event, BOOLEAN LogErrors, void *Exception)
Creates an alert-exception structure from an EPT violation event.
The modified object is inside the process modules.