10 #ifndef _ALERT_EXCEPTIONS_H_ 11 #define _ALERT_EXCEPTIONS_H_ 17 #define ALERT_HASH_COUNT 6u 19 #define ALERT_CB_SIGNATURE_VERSION 1 37 #define ALERT_IDT_SIGNATURE_VERSION 1 54 #define ALERT_EXPORT_SIGNATURE_VERSION 1 73 #define ALERT_PROCESS_CREATION_SIGNATURE_VERSION 1 91 #define ALERT_KM_EXCEPTION_VERSION 1 112 #define ALERT_KUM_EXCEPTION_VERSION 1 133 "The ALERT_KM_EXCEPTION structure exceeds ALERT_EXCEPTION_SIZE, possible buffer overflow!");
135 #define ALERT_UM_EXCEPTION_VERSION 1 158 "The ALERT_UM_EXCEPTION structure exceeds ALERT_EXCEPTION_SIZE, possible buffer overflow!");
165 _In_ const void *Event,
194 #endif // _ALERT_EXCEPTIONS_H_ STATIC_ASSERT(sizeof(ALERT_KM_EXCEPTION)<=ALERT_EXCEPTION_SIZE, "The ALERT_KM_EXCEPTION structure exceeds ALERT_EXCEPTION_SIZE, possible buffer overflow!")
BOOLEAN Valid
True if the alert-signature is valid, otherwise false.
Sent for unauthorized process creation alerts. See EVENT_PROCESS_CREATION_VIOLATION.
UM_EXCEPTION_OBJECT Type
The type of the exception; any type from _UM_EXCEPTION_OBJECT.
KM_EXCEPTION_OBJECT Type
The type of the exception; any type from _KM_EXCEPTION_OBJECT.
DWORD Flags
Contains any flags from _SIGNATURE_FLG.
ALERT_IDT_SIGNATURE Idt
The IDT alert-signature, if any.
INTRO_ALERT_EXCEPTION_HEADER Header
The header used by alert-signature.
Describes a kernel-mode alert-exception.
Sent when a DTR violation triggers an alert. See EVENT_DTR_VIOLATION.
ALERT_CB_SIGNATURE CodeBlocks
The code-blocks alert-signature, if any.
BYTE WriteSize
The number of bytes that are modified.
struct _ALERT_KM_EXCEPTION ALERT_KM_EXCEPTION
Describes a kernel-mode alert-exception.
Sent when a CR violation triggers an alert. See EVENT_CR_VIOLATION.
BOOLEAN Valid
True if the alert-signature is valid, otherwise false.
enum _UM_EXCEPTION_OBJECT UM_EXCEPTION_OBJECT
Object type of the user-mode exception.
WORD Delta
The number of modified bytes that will be excepted.
INTRO_ALERT_EXCEPTION_HEADER Header
The header used by alert-signature.
BOOLEAN IntAlertIsEventTypeViolation(INTRO_EVENT_TYPE Type)
int INTSTATUS
The status data type.
enum _KM_EXCEPTION_OBJECT KM_EXCEPTION_OBJECT
Object type of the kernel-mode exception.
ALERT_EXPORT_SIGNATURE Export
The export alert-signature, if any.
Sent for code/data injection alerts. See EVENT_MEMCOPY_VIOLATION.
INTSTATUS IntAlertCreateExceptionInEvent(void *Event, INTRO_EVENT_TYPE Type)
This function creates an alert-exception for each alert sent to the integrator.
DWORD Process
The name-hash of the process in which the modification takes place.
DWORD Flags
The flags of the exception; any flags from _EXCEPTION_FLG.
DWORD Flags
The flags of the exception; any flags from _EXCEPTION_FLG.
Describes a user-mode alert-exception.
DWORD Flags
Contains any flags from _SIGNATURE_FLG.
DWORD Originator
The name-hash of the originator.
Describes a process-creation alert-signature.
DWORD Originator
The name-hash of the originator.
INTRO_ALERT_EXCEPTION_HEADER Header
The header used by alert-signature.
DWORD Library
The name-hash of the modified library.
The common header used by exception information.
Describes an IDT alert-signature.
Describes a kernel-mode alert-exception.
INTRO_ALERT_EXCEPTION_HEADER Header
The header used by alert-exception.
DWORD Flags
The flags of the exception; any flags from _EXCEPTION_FLG.
Sent for suspicious module loads alerts. See EVENT_MODULE_LOAD_VIOLATION.
DWORD CreateMask
The deep-process-inspection creation bit-mask.
DWORD Function
The name-hash of the modified function.
struct _ALERT_CB_SIGNATURE ALERT_CB_SIGNATURE
Sent when an EPT violation triggers an alert. See EVENT_EPT_VIOLATION.
BYTE Count
The number of code-block hashes present in the signature.
INTSTATUS IntAlertCreateException(const void *Event, INTRO_EVENT_TYPE Type, BOOLEAN LogErrors, void *Exception)
This function dispatches the exception creation to the appropriate function, depending on the event type.
struct _ALERT_UM_EXCEPTION ALERT_UM_EXCEPTION
Describes a user-mode alert-exception.
INTRO_ALERT_EXCEPTION_HEADER Header
The header used by alert-exception.
struct _ALERT_IDT_SIGNATURE ALERT_IDT_SIGNATURE
Describes an IDT alert-signature.
BYTE Score
The minimum number of hashes from the list that must match.
DWORD Flags
Contains any flags from _SIGNATURE_FLG.
INTRO_ALERT_EXCEPTION_HEADER Header
The header used by alert-exception.
BOOLEAN Valid
True if the alert-signature is valid, otherwise false.
#define ALERT_EXCEPTION_SIZE
ALERT_PROCESS_CREATION_SIGNATURE ProcessCreation
The process-creation alert-signature, if any.
KUM_EXCEPTION_OBJECT Type
The type of the exception; any type from _KUM_EXCEPTION_OBJECT.
DWORD Victim
The name-hash of the victim.
DWORD Process
The name-hash of the process.
DWORD Victim
The name-hash of the victim.
DWORD Victim
The name-hash of the victim.
struct _ALERT_EXPORT_SIGNATURE ALERT_EXPORT_SIGNATURE
enum _INTRO_EVENT_TYPE INTRO_EVENT_TYPE
Event classes.
Sent for integrity violation alerts. See EVENT_INTEGRITY_VIOLATION.
DWORD CodeBlocks[ALERT_HASH_COUNT]
An array that contains the code-blocks.
struct _ALERT_KUM_EXCEPTION ALERT_KUM_EXCEPTION
Describes a kernel-user mode alert-exception.
enum _KUM_EXCEPTION_OBJECT KUM_EXCEPTION_OBJECT
Object type of the kernel-user mode exception.
Sent when an MSR violation triggers an alert. See EVENT_MSR_VIOLATION.
ALERT_CB_SIGNATURE CodeBlocks
The code-blocks alert-signature, if any.
BOOLEAN Valid
True if the alert-signature is valid, otherwise false.
INTRO_ALERT_EXCEPTION_HEADER Header
The header used by alert-signature.
ALERT_CB_SIGNATURE CodeBlocks
The code-blocks alert-signature, if any.
DWORD Flags
Contains any flags from _SIGNATURE_FLG.
struct _ALERT_PROCESS_CREATION_SIGNATURE ALERT_PROCESS_CREATION_SIGNATURE
Describes a process-creation alert-signature.
BYTE Entry
The index of the IDT entry.
DWORD Originator
The name-hash of the originator.