Bitdefender Hypervisor Memory Introspection
alerts.h File Reference
#include "exceptions.h"
#include "intronet.h"


Data Structures

union _GENERIC_ALERT
 Holds all the alert types.
 

Typedefs

typedef union _GENERIC_ALERT GENERIC_ALERT
 Holds all the alert types.
 

Functions

INTSTATUS IntAlertFillExecContext (QWORD Cr3, INTRO_EXEC_CONTEXT *ExecContext)
 Fills the current execution context.
 
INTSTATUS IntAlertFillCodeBlocks (QWORD Rip, QWORD Cr3, BOOLEAN Execute, INTRO_CODEBLOCKS *CodeBlocks)
 Fills the code blocks pattern for an alert.
 
void IntAlertFillVersionInfo (INTRO_VIOLATION_HEADER *Header)
 Fills version information for an alert.
 
QWORD IntAlertCoreGetFlags (QWORD ProtectionFlag, INTRO_ACTION_REASON Reason)
 Returns the flags for an alert.
 
QWORD IntAlertProcGetFlags (QWORD ProtectionFlag, const void *Process, INTRO_ACTION_REASON Reason, QWORD AdditionalFlags)
 Returns the flags for an alert.
 
void IntAlertFillCpuContext (BOOLEAN CopyInstruction, INTRO_CPUCTX *CpuContext)
 Fills the current CPU context for an alert.
 
void IntAlertFillDriverObject (const WIN_DRIVER_OBJECT *DriverObject, INTRO_DRVOBJ *EventDrvObj)
 Saves driver object information inside an alert. Available only for Windows guests.
 
void IntAlertFillWinKmModule (const KERNEL_DRIVER *Driver, INTRO_MODULE *EventModule)
 Saves kernel module information inside an alert.
 
void IntAlertFillWinUmModule (const WIN_PROCESS_MODULE *Module, INTRO_MODULE *EventModule)
 Fills information about a user mode module inside an alert.
 
void IntAlertFillWinProcess (const WIN_PROCESS_OBJECT *Process, INTRO_PROCESS *EventProcess)
 Saves information about a Windows process inside an alert.
 
void IntAlertFillWinProcessByCr3 (QWORD ProcessCr3, INTRO_PROCESS *EventProcess)
 Saves information about a Windows process inside an alert. The process is searched by its kernel CR3.
 
void IntAlertFillWinProcessCurrent (INTRO_PROCESS *EventProcess)
 Saves information about the current Windows process inside an alert.
 
void IntAlertEptFillFromUmOriginator (const EXCEPTION_UM_ORIGINATOR *Originator, EVENT_EPT_VIOLATION *EptViolation)
 Fills user mode originator information inside an EPT alert.
 
void IntAlertEptFillFromKmOriginator (const EXCEPTION_KM_ORIGINATOR *Originator, EVENT_EPT_VIOLATION *EptViolation)
 Fills kernel mode originator information inside an EPT alert.
 
void IntAlertEptFillFromVictimZone (const EXCEPTION_VICTIM_ZONE *Victim, EVENT_EPT_VIOLATION *EptViolation)
 Fills the victim information inside an EPT alert.
 
void IntAlertMsrFill (const EXCEPTION_VICTIM_ZONE *Victim, const EXCEPTION_KM_ORIGINATOR *Originator, EVENT_MSR_VIOLATION *MsrViolation)
 Saves information about an MSR write attempt in an event.
 
void IntAlertDtrFill (const EXCEPTION_VICTIM_ZONE *Victim, const EXCEPTION_KM_ORIGINATOR *Originator, EVENT_DTR_VIOLATION *DtrViolation)
 Saves information about a DTR write attempt in an event.
 
void IntAlertCrFill (const EXCEPTION_VICTIM_ZONE *Victim, const EXCEPTION_KM_ORIGINATOR *Originator, EVENT_CR_VIOLATION *CrViolation)
 Saves information about a CR write attempt in an event.
 
void IntAlertFillLixKmModule (const KERNEL_DRIVER *Driver, INTRO_MODULE *EventModule)
 Saves information about a Linux kernel module inside an alert.
 
void IntAlertFillLixProcess (const LIX_TASK_OBJECT *Task, INTRO_PROCESS *EventProcess)
 Saves information about a Linux process inside an event.
 
void IntAlertFillLixCurrentProcess (INTRO_PROCESS *EventProcess)
 Saves the current Linux process inside an event.
 
void IntAlertFillWriteInfo (const EXCEPTION_VICTIM_ZONE *Victim, INTRO_WRITE_INFO *WriteInfo)
 Fills the write information for an alert.
 
void IntAlertFillConnection (const INTRONET_ENDPOINT *Connection, EVENT_CONNECTION_EVENT *Event)
 Saves information about a guest connection in an event.
 
INTSTATUS IntAlertFillDpiExtraInfo (DPI_EXTRA_INFO *CollectedExtraInfo, INTRO_PC_VIOLATION_TYPE PcType, WIN_PROCESS_OBJECT *VictimProcess, INTRO_DPI_EXTRA_INFO *ExtraInfo)
 Fills the collected DPI extra information.
 

Variables

GENERIC_ALERT gAlert
 Global alert buffer.
 

Typedef Documentation

◆ GENERIC_ALERT

Holds all the alert types.

Function Documentation

◆ IntAlertCoreGetFlags()

◆ IntAlertCrFill()

void IntAlertCrFill ( const EXCEPTION_VICTIM_ZONE *Victim,
const EXCEPTION_KM_ORIGINATOR *Originator,
EVENT_CR_VIOLATION *CrViolation
)

Saves information about a CR write attempt in an event.

This will save the modified CR, its original and new value, and the driver that made the change, as well as the driver to which execution returns, if one exists.

Parameters
[in] Victim  Information about the victim.
[in] Originator  Information about the originator.
[out] CrViolation  Information to be included in the alert.

Definition at line 1210 of file alerts.c.

Referenced by IntCrSendAlert().

◆ IntAlertDtrFill()

void IntAlertDtrFill ( const EXCEPTION_VICTIM_ZONE *Victim,
const EXCEPTION_KM_ORIGINATOR *Originator,
EVENT_DTR_VIOLATION *DtrViolation
)

Saves information about a DTR write attempt in an event.

This will save the modified DTR (IDTR or GDTR), its original and new value, and the driver that made the change, as well as the driver to which execution returns, if one exists.

Parameters
[in] Victim  Information about the victim.
[in] Originator  Information about the originator.
[out] DtrViolation  Information to be included in the alert.

Definition at line 1176 of file alerts.c.

Referenced by IntDtrSendAlert().

◆ IntAlertEptFillFromKmOriginator()

void IntAlertEptFillFromKmOriginator ( const EXCEPTION_KM_ORIGINATOR *Originator,
EVENT_EPT_VIOLATION *EptViolation
)

Fills kernel mode originator information inside an EPT alert.

This will save the originator kernel mode module and, if it exists, the return module.

Parameters
[in] Originator  Information about who generated the alert.
[out] EptViolation  The event in which the information is saved.

Definition at line 832 of file alerts.c.

Referenced by IntVeHandleAccess(), IntVeHandleEPTViolationInProtectedView(), IntWinDrvObjSendEptAlert(), IntWinDrvSendAlert(), IntWinHalHandleHalHeapExec(), IntWinHalSendAlert(), IntWinInfHookEptSppSendAlert(), IntWinModHandleKernelWrite(), IntWinSelfMapHandleCr3SelfMapWrite(), IntWinSudSendSudExecAlert(), and IntWinTokenPrivsSendEptAlert().

◆ IntAlertEptFillFromUmOriginator()

void IntAlertEptFillFromUmOriginator ( const EXCEPTION_UM_ORIGINATOR *Originator,
EVENT_EPT_VIOLATION *EptViolation
)

Fills user mode originator information inside an EPT alert.

This will save the originator user mode module and, if it exists, the return module.

Parameters
[in] Originator  Information about who generated the alert.
[out] EptViolation  The event in which the information is saved.

Definition at line 807 of file alerts.c.

Referenced by IntWinModHandleUserWrite().

◆ IntAlertEptFillFromVictimZone()

void IntAlertEptFillFromVictimZone ( const EXCEPTION_VICTIM_ZONE *Victim,
EVENT_EPT_VIOLATION *EptViolation
)

◆ IntAlertFillCodeBlocks()

INTSTATUS IntAlertFillCodeBlocks ( QWORD Rip,
QWORD Cr3,
BOOLEAN Execute,
INTRO_CODEBLOCKS *CodeBlocks
)

Fills the code blocks pattern for an alert.

Code blocks are extracted from the page in which Rip resides.

Parameters
[in] Rip  The guest RIP for which to extract code blocks.
[in] Cr3  The CR3 used to read the guest memory.
[in] Execute  True if this is an execution alert. For execute alerts the function extracts EXCEPTION_CODEBLOCKS_OFFSET (0x250) bytes even if more than one page must be mapped; otherwise it extracts code blocks only from the page containing RIP.
[out] CodeBlocks  On success, will contain the extracted code blocks.
Returns
INT_STATUS_SUCCESS if successful, or an appropriate INTSTATUS error value.

Definition at line 71 of file alerts.c.

Referenced by IntCrSendAlert(), IntDtrSendAlert(), IntLixDrvSendViolationEvent(), IntLixIdtWriteHandler(), IntLixKernelHandleRead(), IntLixMsrHandleWrite(), IntLixVdsoHandleWriteCommon(), IntVeHandleAccess(), IntVeHandleEPTViolationInProtectedView(), IntWinDrvObjSendEptAlert(), IntWinDrvSendAlert(), IntWinHalSendAlert(), IntWinIdtWriteHandler(), IntWinInfHookEptSppSendAlert(), IntWinModHandleKernelWrite(), IntWinModHandleUserWrite(), IntWinMsrSendAlert(), IntWinSelfMapHandleCr3SelfMapWrite(), IntWinSudSendSudExecAlert(), IntWinTokenPrivsSendEptAlert(), and IntWinVadIsExecSuspicious().

◆ IntAlertFillConnection()

void IntAlertFillConnection ( const INTRONET_ENDPOINT *Connection,
EVENT_CONNECTION_EVENT *Event
)

Saves information about a guest connection in an event.

Parameters
[in] Connection  Connection to save.
[out] Event  The event.

Definition at line 1331 of file alerts.c.

Referenced by IntLixNetSendConnectionEvent(), and IntWinNetSendConnectionEvent().

◆ IntAlertFillCpuContext()

void IntAlertFillCpuContext ( BOOLEAN CopyInstruction,
INTRO_CPUCTX *CpuContext
)

Fills the current CPU context for an alert.

Parameters
[in] CopyInstruction  True if the textual form of the instruction that generated this event must be included in the alert.
[out] CpuContext  The CPU context. If CopyInstruction is False, the INTRO_CPUCTX.Instruction field will not be valid.

Definition at line 492 of file alerts.c.

Referenced by IntCrSendAlert(), IntDetSendIntegrityAlert(), IntDtrSendAlert(), IntHookGvaEnableHooks(), IntHookPtsCheckIntegrity(), IntLixDrvSendViolationEvent(), IntLixIdtWriteHandler(), IntLixKernelHandleRead(), IntLixMsrHandleWrite(), IntLixTaskSendBlockedEvent(), IntLixTaskSendInjectionEvent(), IntLixVdsoHandleWriteCommon(), IntLixVmaHandlePageExecution(), IntSlackSendIntegrityAlert(), IntVeHandleAccess(), IntVeHandleEPTViolationInProtectedView(), IntWinDagentSendDoubleAgentAlert(), IntWinDpiSendProcessCreationViolation(), IntWinDrvObjSendEptAlert(), IntWinDrvObjSendIntegrityAlert(), IntWinDrvSendAlert(), IntWinHalHandleHalHeapExec(), IntWinHalSendAlert(), IntWinHalSendPerfCntIntegrityAlert(), IntWinIdtWriteHandler(), IntWinInfHookEptSppSendAlert(), IntWinInfHookIntegritySendAlert(), IntWinModHandleKernelWrite(), IntWinModHandleUserWrite(), IntWinMsrSendAlert(), IntWinProcHandleCopyMemory(), IntWinProcHandleInstrument(), IntWinSelfMapHandleCr3SelfMapModification(), IntWinSelfMapHandleCr3SelfMapWrite(), IntWinSudSendSudExecAlert(), IntWinSudSendSudIntegrityAlert(), IntWinThrHandleQueueApc(), IntWinThrHandleThreadHijack(), IntWinTokenPrivsSendEptAlert(), IntWinTokenPrivsSendIntegrityAlert(), and IntWinVadIsExecSuspicious().

◆ IntAlertFillDpiExtraInfo()

INTSTATUS IntAlertFillDpiExtraInfo ( DPI_EXTRA_INFO *CollectedExtraInfo,
INTRO_PC_VIOLATION_TYPE PcType,
WIN_PROCESS_OBJECT *VictimProcess,
INTRO_DPI_EXTRA_INFO *ExtraInfo
)

Fills the collected DPI extra information.

Parameters
[in] CollectedExtraInfo  The DPI_EXTRA_INFO structure containing the collected information.
[in] PcType  The INTRO_PC_VIOLATION_TYPE of the triggered alert.
[in] VictimProcess  The victim process object of the violation.
[out] ExtraInfo  The INTRO_DPI_EXTRA_INFO to be filled.

Definition at line 1371 of file alerts.c.

Referenced by IntWinDpiSendProcessCreationViolation().

◆ IntAlertFillDriverObject()

void IntAlertFillDriverObject ( const WIN_DRIVER_OBJECT *DriverObject,
INTRO_DRVOBJ *EventDrvObj
)

Saves driver object information inside an alert. Available only for Windows guests.

Parameters
[in] DriverObject  The driver object to be saved.
[out] EventDrvObj  Alert driver object information.

Definition at line 592 of file alerts.c.

Referenced by IntAlertEptFillFromVictimZone(), and IntWinDrvObjSendIntegrityAlert().

◆ IntAlertFillExecContext()

INTSTATUS IntAlertFillExecContext ( QWORD Cr3,
INTRO_EXEC_CONTEXT *ExecContext
)

Fills the current execution context.

This will save the current execution mode, guest registers, and the code in the memory page in which the guest RIP resides.

Parameters
[in] Cr3  The guest CR3 to be used in order to read code from the guest. If 0, the CR3 saved in the gVcpu register cache will be used.
[out] ExecContext  On success, will contain the guest execution context.
Returns
INT_STATUS_SUCCESS if successful, or an appropriate INTSTATUS error value.

Definition at line 31 of file alerts.c.

Referenced by IntCrSendAlert(), IntDtrSendAlert(), IntLixDrvSendViolationEvent(), IntLixEngExecSendNotification(), IntLixIdtWriteHandler(), IntLixKernelHandleRead(), IntLixMsrHandleWrite(), IntLixVdsoHandleWriteCommon(), IntLixVmaHandlePageExecution(), IntVeHandleAccess(), IntVeHandleEPTViolationInProtectedView(), IntWinDrvObjSendEptAlert(), IntWinDrvSendAlert(), IntWinEngExecSendNotification(), IntWinHalHandleHalHeapExec(), IntWinHalSendAlert(), IntWinIdtWriteHandler(), IntWinInfHookEptSppSendAlert(), IntWinModHandleKernelWrite(), IntWinModHandleUserWrite(), IntWinMsrSendAlert(), IntWinSelfMapHandleCr3SelfMapWrite(), IntWinSudSendSudExecAlert(), IntWinTokenPrivsSendEptAlert(), and IntWinVadIsExecSuspicious().

◆ IntAlertFillLixCurrentProcess()

◆ IntAlertFillLixKmModule()

void IntAlertFillLixKmModule ( const KERNEL_DRIVER *Driver,
INTRO_MODULE *EventModule
)

Saves information about a Linux kernel module inside an alert.

Parameters
[in] Driver  The kernel module to save.
[out] EventModule  The kernel module saved in the event.

Definition at line 1235 of file alerts.c.

Referenced by IntAlertDtrFill(), IntDetSendIntegrityAlert(), IntLixDrvSendEvent(), IntLixDrvSendViolationEvent(), IntLixIdtWriteHandler(), IntLixKernelHandleRead(), IntLixMsrHandleWrite(), IntLixVdsoHandleWriteCommon(), and IntSlackSendIntegrityAlert().

◆ IntAlertFillLixProcess()

void IntAlertFillLixProcess ( const LIX_TASK_OBJECT *Task,
INTRO_PROCESS *EventProcess
)

Saves information about a Linux process inside an event.

Parameters
[in] Task  The process to save.
[out] EventProcess  The process saved in the event.

Definition at line 1264 of file alerts.c.

Referenced by IntAlertFillConnection(), IntAlertFillLixCurrentProcess(), IntLixCmdLineInspect(), IntLixEngExecSendNotification(), IntLixTaskSendAgentEvent(), IntLixTaskSendBlockedEvent(), IntLixTaskSendCredViolationEvent(), IntLixTaskSendExceptionEvent(), IntLixTaskSendInjectionEvent(), IntLixTaskSendTaskEvent(), and IntLixVmaHandlePageExecution().

◆ IntAlertFillVersionInfo()

void IntAlertFillVersionInfo ( INTRO_VIOLATION_HEADER *Header )

Fills version information for an alert.

Parameters
[out] Header  The header of the event. Will contain information about the current versions of Introcore, exceptions, and CAMI.

Definition at line 327 of file alerts.c.

Referenced by IntCrSendAlert(), IntDetSendIntegrityAlert(), IntDtrSendAlert(), IntHookGvaEnableHooks(), IntHookPtsCheckIntegrity(), IntLixCmdLineSendViolationEvent(), IntLixDrvSendViolationEvent(), IntLixIdtWriteHandler(), IntLixKernelHandleRead(), IntLixMsrHandleWrite(), IntLixTaskSendBlockedEvent(), IntLixTaskSendCredViolationEvent(), IntLixTaskSendInjectionEvent(), IntLixVdsoHandleWriteCommon(), IntLixVmaHandlePageExecution(), IntSlackSendIntegrityAlert(), IntVeHandleAccess(), IntVeHandleEPTViolationInProtectedView(), IntWinCrashHandleDepViolation(), IntWinDagentSendDoubleAgentAlert(), IntWinDpiSendProcessCreationViolation(), IntWinDrvObjSendEptAlert(), IntWinDrvObjSendIntegrityAlert(), IntWinDrvSendAlert(), IntWinHalHandleDispatchTableWrite(), IntWinHalHandleHalHeapExec(), IntWinHalSendAlert(), IntWinHalSendPerfCntIntegrityAlert(), IntWinIdtSendIntegrityAlert(), IntWinIdtWriteHandler(), IntWinInfHookEptSppSendAlert(), IntWinInfHookIntegritySendAlert(), IntWinIntObjSendIntegrityAlert(), IntWinModHandleKernelWrite(), IntWinModHandleUserWrite(), IntWinModPolyHandler(), IntWinMsrSendAlert(), IntWinProcHandleCopyMemory(), IntWinProcHandleInstrument(), IntWinProcValidateSystemCr3(), IntWinSDSendAclIntegrityViolation(), IntWinSDSendSecDescIntViolation(), IntWinSelfMapHandleCr3SelfMapModification(), IntWinSelfMapHandleCr3SelfMapWrite(), IntWinSendCmdLineViolation(), IntWinSudSendSudExecAlert(), IntWinSudSendSudIntegrityAlert(), IntWinThrHandleQueueApc(), IntWinThrHandleThreadHijack(), IntWinTokenPrivsSendEptAlert(), IntWinTokenPrivsSendIntegrityAlert(), IntWinTokenPtrCheckIntegrityOnProcess(), and IntWinVadIsExecSuspicious().

◆ IntAlertFillWinKmModule()

void IntAlertFillWinKmModule ( const KERNEL_DRIVER *Driver,
INTRO_MODULE *EventModule
)

◆ IntAlertFillWinProcess()

◆ IntAlertFillWinProcessByCr3()

◆ IntAlertFillWinProcessCurrent()

void IntAlertFillWinProcessCurrent ( INTRO_PROCESS *EventProcess )

Saves information about the current Windows process inside an alert.

The process is searched by using the currently loaded kernel CR3.

Parameters
[out] EventProcess  The information saved inside the alert.

Definition at line 781 of file alerts.c.

Referenced by IntAgentHandleLogGatherVmcall(), IntAgentHandleRemediationVmcall(), IntHookGvaEnableHooks(), IntHookPtsCheckIntegrity(), IntWinBcSendBsodEvent(), IntWinDagentSendDoubleAgentAlert(), IntWinDrvSendEvent(), IntWinHalHandleDispatchTableWrite(), IntWinHalHandleHalHeapExec(), IntWinProcSendAgentEvent(), IntWinProcSendProcessEvent(), and IntWinProcValidateSystemCr3().

◆ IntAlertFillWinUmModule()

void IntAlertFillWinUmModule ( const WIN_PROCESS_MODULE *Module,
INTRO_MODULE *EventModule
)

Fills information about a user mode module inside an alert.

Parameters
[in] Module  The module to be saved inside the alert.
[out] EventModule  The module information saved inside the alert.

Definition at line 653 of file alerts.c.

Referenced by IntAlertEptFillFromUmOriginator(), IntAlertEptFillFromVictimZone(), IntWinDagentSendDoubleAgentAlert(), IntWinModPolyHandler(), IntWinProcHandleCopyMemory(), IntWinProcSendDllEvent(), IntWinSudSendSudExecAlert(), IntWinThrHandleQueueApc(), IntWinThrHandleThreadHijack(), and IntWinVadIsExecSuspicious().

◆ IntAlertFillWriteInfo()

void IntAlertFillWriteInfo ( const EXCEPTION_VICTIM_ZONE *Victim,
INTRO_WRITE_INFO *WriteInfo
)

Fills the write information for an alert.

Parameters
[in] Victim  The information about the victim inside the alert.
[out] WriteInfo  The original and the new written value for the alert.

Definition at line 521 of file alerts.c.

Referenced by IntAlertCrFill(), IntAlertDtrFill(), IntAlertEptFillFromVictimZone(), IntAlertMsrFill(), IntWinDrvObjSendIntegrityAlert(), IntWinHalSendPerfCntIntegrityAlert(), IntWinIdtSendIntegrityAlert(), IntWinInfHookIntegritySendAlert(), IntWinIntObjSendIntegrityAlert(), IntWinSudSendSudIntegrityAlert(), and IntWinTokenPrivsSendIntegrityAlert().

◆ IntAlertMsrFill()

void IntAlertMsrFill ( const EXCEPTION_VICTIM_ZONE *Victim,
const EXCEPTION_KM_ORIGINATOR *Originator,
EVENT_MSR_VIOLATION *MsrViolation
)

Saves information about an MSR write attempt in an event.

This will save the modified MSR, its original and new value, and the driver that made the change, as well as the driver to which execution returns, if one exists.

Parameters
[in] Victim  Information about the victim.
[in] Originator  Information about the originator.
[out] MsrViolation  Information to be included in the alert.

Definition at line 1150 of file alerts.c.

Referenced by IntWinMsrSendAlert().

◆ IntAlertProcGetFlags()

QWORD IntAlertProcGetFlags ( QWORD ProtectionFlag,
const void *Process,
INTRO_ACTION_REASON Reason,
QWORD AdditionalFlags
)

Returns the flags for an alert.

Parameters
[in] ProtectionFlag  The process protection flag for which the alert was generated. This is one of the Process protection options values.
[in] Process  The process for which the alert was generated. For Windows guests this is a pointer to a WIN_PROCESS_OBJECT structure; for Linux guests it is a pointer to a LIX_TASK_OBJECT structure.
[in] Reason  The reason for which the alert was generated.
[in] AdditionalFlags  Additional flags to be set in the returned value.
Returns
The alert flags for the alert, a combination of Alert flags values.

Definition at line 425 of file alerts.c.

Referenced by IntEngSendExecViolation(), IntLixCmdLineSendViolationEvent(), IntLixTaskSendBlockedEvent(), IntLixTaskSendInjectionEvent(), IntLixVmaHandlePageExecution(), IntWinCrashHandleDepViolation(), IntWinDagentSendDoubleAgentAlert(), IntWinDpiSendProcessCreationViolation(), IntWinModHandleKernelWrite(), IntWinModHandleUserWrite(), IntWinModPolyHandler(), IntWinProcHandleCopyMemory(), IntWinProcHandleInstrument(), IntWinSendCmdLineViolation(), IntWinThrHandleQueueApc(), IntWinThrHandleThreadHijack(), and IntWinVadIsExecSuspicious().

Variable Documentation

◆ gAlert

GENERIC_ALERT gAlert

Global alert buffer.

There is no point in allocating a new alert buffer every time an alert is sent. Two threads cannot send an alert at the same time, so this global buffer can be used safely. According to the GLUE_IFACE.NotifyIntrospectionAlert documentation, the alert buffer is no longer valid after the function returns, so the integrator must not use this buffer after control is given back to Introcore.

Users of this buffer must zero it before using it, to make sure that information from a previously sent alert is not included in a new one.

Definition at line 27 of file alerts.c.

Referenced by IntAgentHandleLogGatherVmcall(), IntAgentHandleRemediationVmcall(), IntCrSendAlert(), IntDetSendIntegrityAlert(), IntDtrSendAlert(), IntEngSendExecViolation(), IntHookGvaEnableHooks(), IntHookPtsCheckIntegrity(), IntLixAgentHandleUserVmcall(), IntLixAgentSendEvent(), IntLixCmdLineSendViolationEvent(), IntLixCrashSendPanicEvent(), IntLixDrvSendEvent(), IntLixDrvSendViolationEvent(), IntLixIdtWriteHandler(), IntLixKernelHandleRead(), IntLixMsrHandleWrite(), IntLixNetSendConnectionEvent(), IntLixTaskSendAgentEvent(), IntLixTaskSendBlockedEvent(), IntLixTaskSendCredViolationEvent(), IntLixTaskSendExceptionEvent(), IntLixTaskSendInjectionEvent(), IntLixTaskSendTaskEvent(), IntLixVdsoHandleWriteCommon(), IntLixVmaHandlePageExecution(), IntSlackSendIntegrityAlert(), IntVeHandleAccess(), IntVeHandleEPTViolationInProtectedView(), IntWinAgentHandleAppVmcall(), IntWinAgentHandleDriverVmcall(), IntWinBcSendBsodEvent(), IntWinCrashHandleDepViolation(), IntWinDagentSendDoubleAgentAlert(), IntWinDepComplete(), IntWinDepDeploy(), IntWinDpiSendProcessCreationViolation(), IntWinDrvObjSendEptAlert(), IntWinDrvObjSendIntegrityAlert(), IntWinDrvSendAlert(), IntWinDrvSendEvent(), IntWinHalHandleDispatchTableWrite(), IntWinHalHandleHalHeapExec(), IntWinHalSendAlert(), IntWinHalSendPerfCntIntegrityAlert(), IntWinIdtSendIntegrityAlert(), IntWinIdtWriteHandler(), IntWinInfHookEptSppSendAlert(), IntWinInfHookIntegritySendAlert(), IntWinIntObjSendIntegrityAlert(), IntWinModHandleKernelWrite(), IntWinModHandleUserWrite(), IntWinModPolyHandler(), IntWinMsrSendAlert(), IntWinNetSendConnectionEvent(), IntWinProcHandleCopyMemory(), IntWinProcHandleInstrument(), IntWinProcSendAgentEvent(), IntWinProcSendDllEvent(), IntWinProcSendProcessEvent(), IntWinProcSendProcessExceptionEvent(), IntWinProcValidateSystemCr3(), IntWinSDSendAclIntegrityViolation(), IntWinSDSendSecDescIntViolation(), IntWinSelfMapHandleCr3SelfMapModification(), IntWinSelfMapHandleCr3SelfMapWrite(), IntWinSendCmdLineViolation(), IntWinSudSendSudExecAlert(), IntWinSudSendSudIntegrityAlert(), IntWinThrHandleQueueApc(), IntWinThrHandleThreadHijack(), IntWinTokenPrivsSendEptAlert(), IntWinTokenPrivsSendIntegrityAlert(), IntWinTokenPtrCheckIntegrityOnProcess(), and IntWinVadIsExecSuspicious().