Bitdefender Hypervisor Memory Introspection
Data Structures | |
union | _GENERIC_ALERT |
Holds all the alert types. More... | |
Typedefs | |
typedef union _GENERIC_ALERT | GENERIC_ALERT |
Holds all the alert types. More... | |
Functions | |
INTSTATUS | IntAlertFillExecContext (QWORD Cr3, INTRO_EXEC_CONTEXT *ExecContext) |
Fills the current execution context. More... | |
INTSTATUS | IntAlertFillCodeBlocks (QWORD Rip, QWORD Cr3, BOOLEAN Execute, INTRO_CODEBLOCKS *CodeBlocks) |
Fills the code blocks pattern for an alert. More... | |
void | IntAlertFillVersionInfo (INTRO_VIOLATION_HEADER *Header) |
Fills version information for an alert. More... | |
QWORD | IntAlertCoreGetFlags (QWORD ProtectionFlag, INTRO_ACTION_REASON Reason) |
Returns the flags for an alert. More... | |
QWORD | IntAlertProcGetFlags (QWORD ProtectionFlag, const void *Process, INTRO_ACTION_REASON Reason, QWORD AdditionalFlags) |
Returns the flags for an alert. More... | |
void | IntAlertFillCpuContext (BOOLEAN CopyInstruction, INTRO_CPUCTX *CpuContext) |
Fills the current CPU context for an alert. More... | |
void | IntAlertFillDriverObject (const WIN_DRIVER_OBJECT *DriverObject, INTRO_DRVOBJ *EventDrvObj) |
Saves driver object information inside an alert. Available only for Windows guests. More... | |
void | IntAlertFillWinKmModule (const KERNEL_DRIVER *Driver, INTRO_MODULE *EventModule) |
Saves kernel module information inside an alert. More... | |
void | IntAlertFillWinUmModule (const WIN_PROCESS_MODULE *Module, INTRO_MODULE *EventModule) |
Fills information about a user mode module inside an alert. More... | |
void | IntAlertFillWinProcess (const WIN_PROCESS_OBJECT *Process, INTRO_PROCESS *EventProcess) |
Saves information about a windows process inside an alert. More... | |
void | IntAlertFillWinProcessByCr3 (QWORD ProcessCr3, INTRO_PROCESS *EventProcess) |
Saves information about a Windows process inside an alert. The process is searched by its kernel CR3. More... | |
void | IntAlertFillWinProcessCurrent (INTRO_PROCESS *EventProcess) |
Saves information about the current Windows process inside an alert. More... | |
void | IntAlertEptFillFromUmOriginator (const EXCEPTION_UM_ORIGINATOR *Originator, EVENT_EPT_VIOLATION *EptViolation) |
Fills user mode originator information inside an EPT alert. More... | |
void | IntAlertEptFillFromKmOriginator (const EXCEPTION_KM_ORIGINATOR *Originator, EVENT_EPT_VIOLATION *EptViolation) |
Fills kernel mode originator information inside an EPT alert. More... | |
void | IntAlertEptFillFromVictimZone (const EXCEPTION_VICTIM_ZONE *Victim, EVENT_EPT_VIOLATION *EptViolation) |
Fills the victim information inside an EPT alert. More... | |
void | IntAlertMsrFill (const EXCEPTION_VICTIM_ZONE *Victim, const EXCEPTION_KM_ORIGINATOR *Originator, EVENT_MSR_VIOLATION *MsrViolation) |
Saves information about an MSR write attempt in an event. More... | |
void | IntAlertDtrFill (const EXCEPTION_VICTIM_ZONE *Victim, const EXCEPTION_KM_ORIGINATOR *Originator, EVENT_DTR_VIOLATION *DtrViolation) |
Saves information about a DTR write attempt in an event. More... | |
void | IntAlertCrFill (const EXCEPTION_VICTIM_ZONE *Victim, const EXCEPTION_KM_ORIGINATOR *Originator, EVENT_CR_VIOLATION *CrViolation) |
Saves information about a CR write attempt in an event. More... | |
void | IntAlertFillLixKmModule (const KERNEL_DRIVER *Driver, INTRO_MODULE *EventModule) |
Saves information about a kernel module inside an alert. More... | |
void | IntAlertFillLixProcess (const LIX_TASK_OBJECT *Task, INTRO_PROCESS *EventProcess) |
Saves information about a Linux process inside an event. More... | |
void | IntAlertFillLixCurrentProcess (INTRO_PROCESS *EventProcess) |
Saves the current Linux process inside an event. More... | |
void | IntAlertFillWriteInfo (const EXCEPTION_VICTIM_ZONE *Victim, INTRO_WRITE_INFO *WriteInfo) |
Fills the write information for an alert. More... | |
void | IntAlertFillConnection (const INTRONET_ENDPOINT *Connection, EVENT_CONNECTION_EVENT *Event) |
Saves information about a guest connection in an event. More... | |
INTSTATUS | IntAlertFillDpiExtraInfo (DPI_EXTRA_INFO *CollectedExtraInfo, INTRO_PC_VIOLATION_TYPE PcType, WIN_PROCESS_OBJECT *VictimProcess, INTRO_DPI_EXTRA_INFO *ExtraInfo) |
Fills the collected DPI extra information. More... | |
Variables | |
GENERIC_ALERT | gAlert |
Global alert buffer. More... | |
typedef union _GENERIC_ALERT GENERIC_ALERT |
Holds all the alert types.
QWORD IntAlertCoreGetFlags | ( | QWORD | ProtectionFlag, |
INTRO_ACTION_REASON | Reason | ||
) |
Returns the flags for an alert.
[in] | ProtectionFlag | The core protection flag for which the alert was generated. This is one of the Activation and protection flags values. |
[in] | Reason | The reason for which the alert was generated. |
Definition at line 366 of file alerts.c.
Referenced by IntCrSendAlert(), IntDtrSendAlert(), IntHookGvaEnableHooks(), IntHookPtsCheckIntegrity(), IntLixDrvSendViolationEvent(), IntLixIdtWriteHandler(), IntLixKernelHandleRead(), IntLixMsrHandleWrite(), IntLixVdsoHandleWriteCommon(), IntVeHandleAccess(), IntVeHandleEPTViolationInProtectedView(), IntWinDrvObjSendEptAlert(), IntWinDrvObjSendIntegrityAlert(), IntWinDrvSendAlert(), IntWinHalHandleDispatchTableWrite(), IntWinHalHandleHalHeapExec(), IntWinHalSendAlert(), IntWinHalSendPerfCntIntegrityAlert(), IntWinIdtSendIntegrityAlert(), IntWinIdtWriteHandler(), IntWinInfHookEptSppSendAlert(), IntWinInfHookIntegritySendAlert(), IntWinIntObjSendIntegrityAlert(), IntWinMsrSendAlert(), IntWinSDSendAclIntegrityViolation(), IntWinSDSendSecDescIntViolation(), IntWinSelfMapHandleCr3SelfMapModification(), IntWinSelfMapHandleCr3SelfMapWrite(), IntWinSudSendSudExecAlert(), IntWinSudSendSudIntegrityAlert(), IntWinTokenPrivsSendEptAlert(), and IntWinTokenPrivsSendIntegrityAlert().
void IntAlertCrFill | ( | const EXCEPTION_VICTIM_ZONE * | Victim, |
const EXCEPTION_KM_ORIGINATOR * | Originator, | ||
EVENT_CR_VIOLATION * | CrViolation | ||
) |
Saves information about a CR write attempt in an event.
This will save the modified control register, its original and new values, the driver that made the change and, if one exists, the driver to which execution returns.
[in] | Victim | Information about the victim. |
[in] | Originator | Information about the originator. |
[out] | CrViolation | Information to be included in the alert. |
Definition at line 1210 of file alerts.c.
Referenced by IntCrSendAlert().
void IntAlertDtrFill | ( | const EXCEPTION_VICTIM_ZONE * | Victim, |
const EXCEPTION_KM_ORIGINATOR * | Originator, | ||
EVENT_DTR_VIOLATION * | DtrViolation | ||
) |
Saves information about a DTR write attempt in an event.
This will save the modified descriptor table register (IDTR or GDTR), its original and new values, the driver that made the change and, if one exists, the driver to which execution returns.
[in] | Victim | Information about the victim. |
[in] | Originator | Information about the originator. |
[out] | DtrViolation | Information to be included in the alert. |
Definition at line 1176 of file alerts.c.
Referenced by IntDtrSendAlert().
void IntAlertEptFillFromKmOriginator | ( | const EXCEPTION_KM_ORIGINATOR * | Originator, |
EVENT_EPT_VIOLATION * | EptViolation | ||
) |
Fills kernel mode originator information inside an EPT alert.
This will save the originator kernel mode module and, if it exists, the return module.
[in] | Originator | Information about who generated the alert. |
[out] | EptViolation | The event in which the information is saved. |
Definition at line 832 of file alerts.c.
Referenced by IntVeHandleAccess(), IntVeHandleEPTViolationInProtectedView(), IntWinDrvObjSendEptAlert(), IntWinDrvSendAlert(), IntWinHalHandleHalHeapExec(), IntWinHalSendAlert(), IntWinInfHookEptSppSendAlert(), IntWinModHandleKernelWrite(), IntWinSelfMapHandleCr3SelfMapWrite(), IntWinSudSendSudExecAlert(), and IntWinTokenPrivsSendEptAlert().
void IntAlertEptFillFromUmOriginator | ( | const EXCEPTION_UM_ORIGINATOR * | Originator, |
EVENT_EPT_VIOLATION * | EptViolation | ||
) |
Fills user mode originator information inside an EPT alert.
This will save the originator user mode module and, if it exists, the return module.
[in] | Originator | Information about who generated the alert. |
[out] | EptViolation | The event in which the information is saved. |
Definition at line 807 of file alerts.c.
Referenced by IntWinModHandleUserWrite().
void IntAlertEptFillFromVictimZone | ( | const EXCEPTION_VICTIM_ZONE * | Victim, |
EVENT_EPT_VIOLATION * | EptViolation | ||
) |
Fills the victim information inside an EPT alert.
Based on the INTRO_OBJECT_TYPE of the victim, different information is saved.
[in] | Victim | Information about the victim. |
[out] | EptViolation | The event in which the information is saved. |
Definition at line 868 of file alerts.c.
Referenced by IntLixDrvSendViolationEvent(), IntLixIdtWriteHandler(), IntLixKernelHandleRead(), IntLixVmaHandlePageExecution(), IntVeHandleAccess(), IntVeHandleEPTViolationInProtectedView(), IntWinDrvObjSendEptAlert(), IntWinDrvSendAlert(), IntWinHalHandleHalHeapExec(), IntWinHalSendAlert(), IntWinIdtWriteHandler(), IntWinInfHookEptSppSendAlert(), IntWinModHandleKernelWrite(), IntWinModHandleUserWrite(), IntWinSelfMapHandleCr3SelfMapWrite(), IntWinSudSendSudExecAlert(), IntWinTokenPrivsSendEptAlert(), and IntWinVadIsExecSuspicious().
INTSTATUS IntAlertFillCodeBlocks | ( | QWORD | Rip, |
QWORD | Cr3, | ||
BOOLEAN | Execute, | ||
INTRO_CODEBLOCKS * | CodeBlocks | ||
) |
Fills the code blocks pattern for an alert.
Code blocks are extracted for the page in which Rip resides.
[in] | Rip | The guest RIP for which to extract code blocks. |
[in] | Cr3 | The CR3 used to read the guest memory. |
[in] | Execute | True if this is an execution alert. For execute alerts the function extracts code blocks over EXCEPTION_CODEBLOCKS_OFFSET (0x250) around Rip, even if more than one page must be mapped to do so; otherwise it extracts code blocks only from the page in which Rip resides. |
[out] | CodeBlocks | On success, will contain the code blocks extracted. |
Definition at line 71 of file alerts.c.
Referenced by IntCrSendAlert(), IntDtrSendAlert(), IntLixDrvSendViolationEvent(), IntLixIdtWriteHandler(), IntLixKernelHandleRead(), IntLixMsrHandleWrite(), IntLixVdsoHandleWriteCommon(), IntVeHandleAccess(), IntVeHandleEPTViolationInProtectedView(), IntWinDrvObjSendEptAlert(), IntWinDrvSendAlert(), IntWinHalSendAlert(), IntWinIdtWriteHandler(), IntWinInfHookEptSppSendAlert(), IntWinModHandleKernelWrite(), IntWinModHandleUserWrite(), IntWinMsrSendAlert(), IntWinSelfMapHandleCr3SelfMapWrite(), IntWinSudSendSudExecAlert(), IntWinTokenPrivsSendEptAlert(), and IntWinVadIsExecSuspicious().
void IntAlertFillConnection | ( | const INTRONET_ENDPOINT * | Connection, |
EVENT_CONNECTION_EVENT * | Event | ||
) |
Saves information about a guest connection in an event.
[in] | Connection | Connection to save. |
[out] | Event | The event. |
Definition at line 1331 of file alerts.c.
Referenced by IntLixNetSendConnectionEvent(), and IntWinNetSendConnectionEvent().
void IntAlertFillCpuContext | ( | BOOLEAN | CopyInstruction, |
INTRO_CPUCTX * | CpuContext | ||
) |
Fills the current CPU context for an alert.
[in] | CopyInstruction | True if the textual form of the instruction that generated this event must be included in the alert. |
[out] | CpuContext | The CPU context. If CopyInstruction is False, the INTRO_CPUCTX.Instruction field is not valid and consumers of the alert must not rely on it. |
Definition at line 492 of file alerts.c.
Referenced by IntCrSendAlert(), IntDetSendIntegrityAlert(), IntDtrSendAlert(), IntHookGvaEnableHooks(), IntHookPtsCheckIntegrity(), IntLixDrvSendViolationEvent(), IntLixIdtWriteHandler(), IntLixKernelHandleRead(), IntLixMsrHandleWrite(), IntLixTaskSendBlockedEvent(), IntLixTaskSendInjectionEvent(), IntLixVdsoHandleWriteCommon(), IntLixVmaHandlePageExecution(), IntSlackSendIntegrityAlert(), IntVeHandleAccess(), IntVeHandleEPTViolationInProtectedView(), IntWinDagentSendDoubleAgentAlert(), IntWinDpiSendProcessCreationViolation(), IntWinDrvObjSendEptAlert(), IntWinDrvObjSendIntegrityAlert(), IntWinDrvSendAlert(), IntWinHalHandleHalHeapExec(), IntWinHalSendAlert(), IntWinHalSendPerfCntIntegrityAlert(), IntWinIdtWriteHandler(), IntWinInfHookEptSppSendAlert(), IntWinInfHookIntegritySendAlert(), IntWinModHandleKernelWrite(), IntWinModHandleUserWrite(), IntWinMsrSendAlert(), IntWinProcHandleCopyMemory(), IntWinProcHandleInstrument(), IntWinSelfMapHandleCr3SelfMapModification(), IntWinSelfMapHandleCr3SelfMapWrite(), IntWinSudSendSudExecAlert(), IntWinSudSendSudIntegrityAlert(), IntWinThrHandleQueueApc(), IntWinThrHandleThreadHijack(), IntWinTokenPrivsSendEptAlert(), IntWinTokenPrivsSendIntegrityAlert(), and IntWinVadIsExecSuspicious().
INTSTATUS IntAlertFillDpiExtraInfo | ( | DPI_EXTRA_INFO * | CollectedExtraInfo, |
INTRO_PC_VIOLATION_TYPE | PcType, | ||
WIN_PROCESS_OBJECT * | VictimProcess, | ||
INTRO_DPI_EXTRA_INFO * | ExtraInfo | ||
) |
Fills the collected DPI extra information.
[in] | CollectedExtraInfo | The DPI_EXTRA_INFO structure containing the collected information. |
[in] | PcType | The INTRO_PC_VIOLATION_TYPE of the triggered alert. |
[in] | VictimProcess | The victim process object of the violation. |
[out] | ExtraInfo | The INTRO_DPI_EXTRA_INFO to be filled. |
Definition at line 1371 of file alerts.c.
Referenced by IntWinDpiSendProcessCreationViolation().
void IntAlertFillDriverObject | ( | const WIN_DRIVER_OBJECT * | DriverObject, |
INTRO_DRVOBJ * | EventDrvObj | ||
) |
Saves driver object information inside an alert. Available only for Windows guests.
[in] | DriverObject | The driver object to be saved. |
[out] | EventDrvObj | Alert driver object information. |
Definition at line 592 of file alerts.c.
Referenced by IntAlertEptFillFromVictimZone(), and IntWinDrvObjSendIntegrityAlert().
INTSTATUS IntAlertFillExecContext | ( | QWORD | Cr3, |
INTRO_EXEC_CONTEXT * | ExecContext | ||
) |
Fills the current execution context.
This will save the current execution mode, guest registers, and the code in the memory page in which the guest RIP resides.
[in] | Cr3 | The guest CR3 to be used in order to read code from the guest. If 0, the CR3 saved in the gVcpu register cache will be used. |
[out] | ExecContext | On success, will contain the guest execution context. |
Definition at line 31 of file alerts.c.
Referenced by IntCrSendAlert(), IntDtrSendAlert(), IntLixDrvSendViolationEvent(), IntLixEngExecSendNotification(), IntLixIdtWriteHandler(), IntLixKernelHandleRead(), IntLixMsrHandleWrite(), IntLixVdsoHandleWriteCommon(), IntLixVmaHandlePageExecution(), IntVeHandleAccess(), IntVeHandleEPTViolationInProtectedView(), IntWinDrvObjSendEptAlert(), IntWinDrvSendAlert(), IntWinEngExecSendNotification(), IntWinHalHandleHalHeapExec(), IntWinHalSendAlert(), IntWinIdtWriteHandler(), IntWinInfHookEptSppSendAlert(), IntWinModHandleKernelWrite(), IntWinModHandleUserWrite(), IntWinMsrSendAlert(), IntWinSelfMapHandleCr3SelfMapWrite(), IntWinSudSendSudExecAlert(), IntWinTokenPrivsSendEptAlert(), and IntWinVadIsExecSuspicious().
void IntAlertFillLixCurrentProcess | ( | INTRO_PROCESS * | EventProcess | ) |
Saves the current Linux process inside an event.
[out] | EventProcess | The saved process. |
Definition at line 1310 of file alerts.c.
Referenced by IntAgentHandleLogGatherVmcall(), IntAgentHandleRemediationVmcall(), IntCrSendAlert(), IntDtrSendAlert(), IntLixCrashSendPanicEvent(), IntLixDrvSendEvent(), IntLixDrvSendViolationEvent(), IntLixIdtWriteHandler(), IntLixKernelHandleRead(), IntLixMsrHandleWrite(), IntLixTaskSendInjectionEvent(), IntLixTaskSendTaskEvent(), and IntLixVdsoHandleWriteCommon().
void IntAlertFillLixKmModule | ( | const KERNEL_DRIVER * | Driver, |
INTRO_MODULE * | EventModule | ||
) |
Saves information about a kernel module inside an alert.
[in] | Driver | The kernel module to save. |
[out] | EventModule | The kernel module saved in the event. |
Definition at line 1235 of file alerts.c.
Referenced by IntAlertDtrFill(), IntDetSendIntegrityAlert(), IntLixDrvSendEvent(), IntLixDrvSendViolationEvent(), IntLixIdtWriteHandler(), IntLixKernelHandleRead(), IntLixMsrHandleWrite(), IntLixVdsoHandleWriteCommon(), and IntSlackSendIntegrityAlert().
void IntAlertFillLixProcess | ( | const LIX_TASK_OBJECT * | Task, |
INTRO_PROCESS * | EventProcess | ||
) |
Saves information about a Linux process inside an event.
[in] | Task | The process to save. |
[out] | EventProcess | The process saved in the event. |
Definition at line 1264 of file alerts.c.
Referenced by IntAlertFillConnection(), IntAlertFillLixCurrentProcess(), IntLixCmdLineInspect(), IntLixEngExecSendNotification(), IntLixTaskSendAgentEvent(), IntLixTaskSendBlockedEvent(), IntLixTaskSendCredViolationEvent(), IntLixTaskSendExceptionEvent(), IntLixTaskSendInjectionEvent(), IntLixTaskSendTaskEvent(), and IntLixVmaHandlePageExecution().
void IntAlertFillVersionInfo | ( | INTRO_VIOLATION_HEADER * | Header | ) |
Fills version information for an alert.
[out] | Header | The header of the event. Will contain information about the current versions of Introcore, exceptions, and CAMI. |
Definition at line 327 of file alerts.c.
Referenced by IntCrSendAlert(), IntDetSendIntegrityAlert(), IntDtrSendAlert(), IntHookGvaEnableHooks(), IntHookPtsCheckIntegrity(), IntLixCmdLineSendViolationEvent(), IntLixDrvSendViolationEvent(), IntLixIdtWriteHandler(), IntLixKernelHandleRead(), IntLixMsrHandleWrite(), IntLixTaskSendBlockedEvent(), IntLixTaskSendCredViolationEvent(), IntLixTaskSendInjectionEvent(), IntLixVdsoHandleWriteCommon(), IntLixVmaHandlePageExecution(), IntSlackSendIntegrityAlert(), IntVeHandleAccess(), IntVeHandleEPTViolationInProtectedView(), IntWinCrashHandleDepViolation(), IntWinDagentSendDoubleAgentAlert(), IntWinDpiSendProcessCreationViolation(), IntWinDrvObjSendEptAlert(), IntWinDrvObjSendIntegrityAlert(), IntWinDrvSendAlert(), IntWinHalHandleDispatchTableWrite(), IntWinHalHandleHalHeapExec(), IntWinHalSendAlert(), IntWinHalSendPerfCntIntegrityAlert(), IntWinIdtSendIntegrityAlert(), IntWinIdtWriteHandler(), IntWinInfHookEptSppSendAlert(), IntWinInfHookIntegritySendAlert(), IntWinIntObjSendIntegrityAlert(), IntWinModHandleKernelWrite(), IntWinModHandleUserWrite(), IntWinModPolyHandler(), IntWinMsrSendAlert(), IntWinProcHandleCopyMemory(), IntWinProcHandleInstrument(), IntWinProcValidateSystemCr3(), IntWinSDSendAclIntegrityViolation(), IntWinSDSendSecDescIntViolation(), IntWinSelfMapHandleCr3SelfMapModification(), IntWinSelfMapHandleCr3SelfMapWrite(), IntWinSendCmdLineViolation(), IntWinSudSendSudExecAlert(), IntWinSudSendSudIntegrityAlert(), IntWinThrHandleQueueApc(), IntWinThrHandleThreadHijack(), IntWinTokenPrivsSendEptAlert(), IntWinTokenPrivsSendIntegrityAlert(), IntWinTokenPtrCheckIntegrityOnProcess(), and IntWinVadIsExecSuspicious().
void IntAlertFillWinKmModule | ( | const KERNEL_DRIVER * | Driver, |
INTRO_MODULE * | EventModule | ||
) |
Saves kernel module information inside an alert.
[in] | Driver | The kernel driver for which the information will be saved. |
[out] | EventModule | Alert driver object information. |
Definition at line 617 of file alerts.c.
Referenced by IntAlertCrFill(), IntAlertDtrFill(), IntAlertEptFillFromKmOriginator(), IntAlertEptFillFromVictimZone(), IntAlertMsrFill(), IntDetSendIntegrityAlert(), IntHookGvaEnableHooks(), IntHookPtsCheckIntegrity(), IntSlackSendIntegrityAlert(), IntWinDrvObjSendIntegrityAlert(), IntWinDrvSendEvent(), IntWinHalHandleDispatchTableWrite(), IntWinHalSendPerfCntIntegrityAlert(), IntWinIdtSendIntegrityAlert(), IntWinIdtWriteHandler(), IntWinInfHookIntegritySendAlert(), and IntWinIntObjSendIntegrityAlert().
void IntAlertFillWinProcess | ( | const WIN_PROCESS_OBJECT * | Process, |
INTRO_PROCESS * | EventProcess | ||
) |
Saves information about a windows process inside an alert.
[in] | Process | The process to be saved. |
[out] | EventProcess | The information saved inside the alert. |
Definition at line 689 of file alerts.c.
Referenced by IntAlertFillConnection(), IntAlertFillDpiExtraInfo(), IntAlertFillWinProcessByCr3(), IntWinCrashHandleDepViolation(), IntWinDagentSendDoubleAgentAlert(), IntWinDpiSendProcessCreationViolation(), IntWinEngExecSendNotification(), IntWinInspectCommandLine(), IntWinModHandleKernelWrite(), IntWinModPolyHandler(), IntWinProcHandleCopyMemory(), IntWinProcHandleInstrument(), IntWinProcProtect(), IntWinProcSendDllEvent(), IntWinProcSendProcessEvent(), IntWinProcSendProcessExceptionEvent(), IntWinProcUpdateProtection(), IntWinSDSendAclIntegrityViolation(), IntWinSDSendSecDescIntViolation(), IntWinSudSendSudIntegrityAlert(), IntWinThrHandleQueueApc(), IntWinThrHandleThreadHijack(), IntWinTokenPrivsSendIntegrityAlert(), IntWinTokenPtrCheckIntegrityOnProcess(), and IntWinVadIsExecSuspicious().
void IntAlertFillWinProcessByCr3 | ( | QWORD | ProcessCr3, |
INTRO_PROCESS * | EventProcess | ||
) |
Saves information about a Windows process inside an alert. The process is searched by its kernel CR3.
If no process is found, INTRO_PROCESS.Valid will be set to False.
[in] | ProcessCr3 | The kernel CR3 of the process. |
[out] | EventProcess | The information saved inside the alert. |
Definition at line 756 of file alerts.c.
Referenced by IntAlertFillWinProcessCurrent(), IntCrSendAlert(), IntDtrSendAlert(), IntVeHandleAccess(), IntVeHandleEPTViolationInProtectedView(), IntWinDpiSendProcessCreationViolation(), IntWinDrvObjSendEptAlert(), IntWinDrvObjSendIntegrityAlert(), IntWinDrvSendAlert(), IntWinHalSendAlert(), IntWinHalSendPerfCntIntegrityAlert(), IntWinIdtWriteHandler(), IntWinInfHookEptSppSendAlert(), IntWinInfHookIntegritySendAlert(), IntWinModHandleKernelWrite(), IntWinModHandleUserWrite(), IntWinMsrSendAlert(), IntWinProcHandleCopyMemory(), IntWinSelfMapHandleCr3SelfMapModification(), IntWinSelfMapHandleCr3SelfMapWrite(), IntWinSudSendSudExecAlert(), IntWinThrHandleQueueApc(), IntWinThrHandleThreadHijack(), and IntWinTokenPrivsSendEptAlert().
void IntAlertFillWinProcessCurrent | ( | INTRO_PROCESS * | EventProcess | ) |
Saves information about the current Windows process inside an alert.
The process is searched by using the currently loaded kernel CR3.
[out] | EventProcess | The information saved inside the alert. |
Definition at line 781 of file alerts.c.
Referenced by IntAgentHandleLogGatherVmcall(), IntAgentHandleRemediationVmcall(), IntHookGvaEnableHooks(), IntHookPtsCheckIntegrity(), IntWinBcSendBsodEvent(), IntWinDagentSendDoubleAgentAlert(), IntWinDrvSendEvent(), IntWinHalHandleDispatchTableWrite(), IntWinHalHandleHalHeapExec(), IntWinProcSendAgentEvent(), IntWinProcSendProcessEvent(), and IntWinProcValidateSystemCr3().
void IntAlertFillWinUmModule | ( | const WIN_PROCESS_MODULE * | Module, |
INTRO_MODULE * | EventModule | ||
) |
Fills information about a user mode module inside an alert.
[in] | Module | The module to be saved inside the alert. |
[out] | EventModule | The module information saved inside the alert. |
Definition at line 653 of file alerts.c.
Referenced by IntAlertEptFillFromUmOriginator(), IntAlertEptFillFromVictimZone(), IntWinDagentSendDoubleAgentAlert(), IntWinModPolyHandler(), IntWinProcHandleCopyMemory(), IntWinProcSendDllEvent(), IntWinSudSendSudExecAlert(), IntWinThrHandleQueueApc(), IntWinThrHandleThreadHijack(), and IntWinVadIsExecSuspicious().
void IntAlertFillWriteInfo | ( | const EXCEPTION_VICTIM_ZONE * | Victim, |
INTRO_WRITE_INFO * | WriteInfo | ||
) |
Fills the write information for an alert.
[in] | Victim | The information about the victim inside the alert. |
[out] | WriteInfo | The original and the new written value for the alert. |
Definition at line 521 of file alerts.c.
Referenced by IntAlertCrFill(), IntAlertDtrFill(), IntAlertEptFillFromVictimZone(), IntAlertMsrFill(), IntWinDrvObjSendIntegrityAlert(), IntWinHalSendPerfCntIntegrityAlert(), IntWinIdtSendIntegrityAlert(), IntWinInfHookIntegritySendAlert(), IntWinIntObjSendIntegrityAlert(), IntWinSudSendSudIntegrityAlert(), and IntWinTokenPrivsSendIntegrityAlert().
void IntAlertMsrFill | ( | const EXCEPTION_VICTIM_ZONE * | Victim, |
const EXCEPTION_KM_ORIGINATOR * | Originator, | ||
EVENT_MSR_VIOLATION * | MsrViolation | ||
) |
Saves information about an MSR write attempt in an event.
This will save the modified MSR, its original and new values, the driver that made the change and, if one exists, the driver to which execution returns.
[in] | Victim | Information about the victim. |
[in] | Originator | Information about the originator. |
[out] | MsrViolation | Information to be included in the alert. |
Definition at line 1150 of file alerts.c.
Referenced by IntWinMsrSendAlert().
QWORD IntAlertProcGetFlags | ( | QWORD | ProtectionFlag, |
const void * | Process, | ||
INTRO_ACTION_REASON | Reason, | ||
QWORD | AdditionalFlags | ||
) |
Returns the flags for an alert.
[in] | ProtectionFlag | The process protection flag for which the alert was generated. This is one of the Process protection options values. |
[in] | Process | The process for which the alert was generated. For Windows guests this is a pointer to a WIN_PROCESS_OBJECT structure, for Linux guests this is a pointer to a LIX_TASK_OBJECT structure. |
[in] | Reason | The reason for which the alert was generated. |
[in] | AdditionalFlags | Additional flags to be set in the returned value. |
Definition at line 425 of file alerts.c.
Referenced by IntEngSendExecViolation(), IntLixCmdLineSendViolationEvent(), IntLixTaskSendBlockedEvent(), IntLixTaskSendInjectionEvent(), IntLixVmaHandlePageExecution(), IntWinCrashHandleDepViolation(), IntWinDagentSendDoubleAgentAlert(), IntWinDpiSendProcessCreationViolation(), IntWinModHandleKernelWrite(), IntWinModHandleUserWrite(), IntWinModPolyHandler(), IntWinProcHandleCopyMemory(), IntWinProcHandleInstrument(), IntWinSendCmdLineViolation(), IntWinThrHandleQueueApc(), IntWinThrHandleThreadHijack(), and IntWinVadIsExecSuspicious().
GENERIC_ALERT gAlert |
Global alert buffer.
There is no point in allocating a new alert buffer every time an alert is sent. Introcore never sends two alerts from two threads at the same time, so this single global buffer can be used safely; note that the buffer itself carries no lock, so its safety rests entirely on that serialization guarantee being upheld. According to the GLUE_IFACE.NotifyIntrospectionAlert documentation, the alert buffer is no longer valid after the function returns, so the integrator must copy out anything it needs and must not touch this buffer after control is given back to Introcore.
Users of this buffer must zero it before filling it in, in order to make sure that information from a previously sent alert is not carried over into a new one. Because gAlert is a union of every alert type, a prior alert of a different (possibly larger) type may have left data in bytes the new alert does not write, so the whole union should be cleared, not just the fields of the alert type being sent.
Definition at line 27 of file alerts.c.
Referenced by IntAgentHandleLogGatherVmcall(), IntAgentHandleRemediationVmcall(), IntCrSendAlert(), IntDetSendIntegrityAlert(), IntDtrSendAlert(), IntEngSendExecViolation(), IntHookGvaEnableHooks(), IntHookPtsCheckIntegrity(), IntLixAgentHandleUserVmcall(), IntLixAgentSendEvent(), IntLixCmdLineSendViolationEvent(), IntLixCrashSendPanicEvent(), IntLixDrvSendEvent(), IntLixDrvSendViolationEvent(), IntLixIdtWriteHandler(), IntLixKernelHandleRead(), IntLixMsrHandleWrite(), IntLixNetSendConnectionEvent(), IntLixTaskSendAgentEvent(), IntLixTaskSendBlockedEvent(), IntLixTaskSendCredViolationEvent(), IntLixTaskSendExceptionEvent(), IntLixTaskSendInjectionEvent(), IntLixTaskSendTaskEvent(), IntLixVdsoHandleWriteCommon(), IntLixVmaHandlePageExecution(), IntSlackSendIntegrityAlert(), IntVeHandleAccess(), IntVeHandleEPTViolationInProtectedView(), IntWinAgentHandleAppVmcall(), IntWinAgentHandleDriverVmcall(), IntWinBcSendBsodEvent(), IntWinCrashHandleDepViolation(), IntWinDagentSendDoubleAgentAlert(), IntWinDepComplete(), IntWinDepDeploy(), IntWinDpiSendProcessCreationViolation(), IntWinDrvObjSendEptAlert(), IntWinDrvObjSendIntegrityAlert(), IntWinDrvSendAlert(), IntWinDrvSendEvent(), IntWinHalHandleDispatchTableWrite(), IntWinHalHandleHalHeapExec(), IntWinHalSendAlert(), IntWinHalSendPerfCntIntegrityAlert(), IntWinIdtSendIntegrityAlert(), IntWinIdtWriteHandler(), IntWinInfHookEptSppSendAlert(), IntWinInfHookIntegritySendAlert(), IntWinIntObjSendIntegrityAlert(), IntWinModHandleKernelWrite(), IntWinModHandleUserWrite(), IntWinModPolyHandler(), IntWinMsrSendAlert(), IntWinNetSendConnectionEvent(), IntWinProcHandleCopyMemory(), IntWinProcHandleInstrument(), IntWinProcSendAgentEvent(), IntWinProcSendDllEvent(), IntWinProcSendProcessEvent(), IntWinProcSendProcessExceptionEvent(), IntWinProcValidateSystemCr3(), IntWinSDSendAclIntegrityViolation(), IntWinSDSendSecDescIntViolation(), IntWinSelfMapHandleCr3SelfMapModification(), IntWinSelfMapHandleCr3SelfMapWrite(), 
IntWinSendCmdLineViolation(), IntWinSudSendSudExecAlert(), IntWinSudSendSudIntegrityAlert(), IntWinThrHandleQueueApc(), IntWinThrHandleThreadHijack(), IntWinTokenPrivsSendEptAlert(), IntWinTokenPrivsSendIntegrityAlert(), IntWinTokenPtrCheckIntegrityOnProcess(), and IntWinVadIsExecSuspicious().