enum _INTRO_ACTION_REASON INTRO_ACTION_REASON
The reason for which an INTRO_ACTION was taken.
QWORD IntAlertCoreGetFlags(QWORD ProtectionFlag, INTRO_ACTION_REASON Reason)
Returns the flags for an alert.
INTSTATUS IntAlertFillDpiExtraInfo(DPI_EXTRA_INFO *CollectedExtraInfo, INTRO_PC_VIOLATION_TYPE PcType, WIN_PROCESS_OBJECT *VictimProcess, INTRO_DPI_EXTRA_INFO *ExtraInfo)
Fills the collected DPI extra information.
EVENT_CONNECTION_EVENT Connection
Event structure for CR violation.
EVENT_EXCEPTION_EVENT Exception
Event structure for process creation/termination.
Event structure for process creation violation events.
void IntAlertMsrFill(const EXCEPTION_VICTIM_ZONE *Victim, const EXCEPTION_KM_ORIGINATOR *Originator, EVENT_MSR_VIOLATION *MsrViolation)
Saves information about an MSR write attempt in an event.
void IntAlertFillWinProcess(const WIN_PROCESS_OBJECT *Process, INTRO_PROCESS *EventProcess)
Saves information about a Windows process inside an alert.
Event structure for integrity violations on monitored structures.
EVENT_MODULE_LOAD_VIOLATION ModuleLoad
Event structure for module loading and unloading.
INTRO_PC_VIOLATION_TYPE
Process creation violation flags.
Event structure for agent injection and termination.
EVENT_MODULE_EVENT Module
Holds code block patterns information.
Describes a user-mode originator.
int INTSTATUS
The status data type.
Event structure for illegal paging-structures modifications.
Describes a kernel-mode originator.
void IntAlertCrFill(const EXCEPTION_VICTIM_ZONE *Victim, const EXCEPTION_KM_ORIGINATOR *Originator, EVENT_CR_VIOLATION *CrViolation)
Saves information about a CR write attempt in an event.
EVENT_PROCESS_CREATION_VIOLATION ProcessCreation
EVENT_TRANSLATION_VIOLATION Translation
void IntAlertFillCpuContext(BOOLEAN CopyInstruction, INTRO_CPUCTX *CpuContext)
Fills the current CPU context for an alert.
Event structure for guest OS crashes.
Describes a kernel driver.
void IntAlertFillVersionInfo(INTRO_VIOLATION_HEADER *Header)
Fills version information for an alert.
QWORD IntAlertProcGetFlags(QWORD ProtectionFlag, const void *Process, INTRO_ACTION_REASON Reason, QWORD AdditionalFlags)
Returns the flags for an alert.
INTSTATUS IntAlertFillCodeBlocks(QWORD Rip, QWORD Cr3, BOOLEAN Execute, INTRO_CODEBLOCKS *CodeBlocks)
Fills the code blocks pattern for an alert.
void IntAlertEptFillFromKmOriginator(const EXCEPTION_KM_ORIGINATOR *Originator, EVENT_EPT_VIOLATION *EptViolation)
Fills kernel mode originator information inside an EPT alert.
GENERIC_ALERT gAlert
Global alert buffer.
void IntAlertFillLixKmModule(const KERNEL_DRIVER *Driver, INTRO_MODULE *EventModule)
Saves information about a kernel module inside an alert.
Event structure for detections provided by additional scan engines.
void IntAlertFillWriteInfo(const EXCEPTION_VICTIM_ZONE *Victim, INTRO_WRITE_INFO *WriteInfo)
Fills the write information for an alert.
EVENT_MEMCOPY_VIOLATION Injection
void IntAlertEptFillFromVictimZone(const EXCEPTION_VICTIM_ZONE *Victim, EVENT_EPT_VIOLATION *EptViolation)
Fills the victim information inside an EPT alert.
EVENT_PROCESS_EVENT Process
Holds information about a driver object.
Event structure for MSR violation.
Event structure for suspicious module load into processes.
Memory access violations that cross a process boundary.
void IntAlertFillWinProcessCurrent(INTRO_PROCESS *EventProcess)
Saves information about the current Windows process inside an alert.
Holds the context in which an execution attempt was detected.
Holds information about a memory write attempt.
Event structure for GDTR/IDTR descriptor tables modifications.
Holds all the alert types.
Describes the modified zone.
void IntAlertFillDriverObject(const WIN_DRIVER_OBJECT *DriverObject, INTRO_DRVOBJ *EventDrvObj)
Saves driver object information inside an alert. Available only for Windows guests.
void IntAlertEptFillFromUmOriginator(const EXCEPTION_UM_ORIGINATOR *Originator, EVENT_EPT_VIOLATION *EptViolation)
Fills user mode originator information inside an EPT alert.
EVENT_INTROSPECTION_MESSAGE Message
Event structure for process exceptions.
union _GENERIC_ALERT GENERIC_ALERT
Holds all the alert types.
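The entries above describe one reusable buffer (gAlert) typed as a union over every event structure, each carrying a common header that the version-info and flag helpers fill in. The example below is an added, self-contained model of that pattern; it is not HVMI code and none of the real types (GENERIC_ALERT, EVENT_MSR_VIOLATION, INTRO_VIOLATION_HEADER, ...) are reproduced. Every name in it (alert_t, g_alert, REASON_*, ALERT_FLAG_*, PROT_OPT_BETA) and every flag or reason value is this example's own assumption. It shows the two checks a reviewer wants on such a design: the header must be the first member of every event so a consumer can dispatch on it, and the whole union must be cleared before filling a member, because a smaller event otherwise carries stale bytes from the previous, larger one to the consumer.

```c
/* Added example, not HVMI's code: a minimal model of a union-of-events
 * alert buffer.  All names and values here are assumptions of this
 * example, not identifiers from the referenced project. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint64_t QWORD;

typedef enum { ALERT_MSR = 1, ALERT_CONNECTION = 2 } alert_type_t;
typedef enum { REASON_NOT_ALLOWED = 1, REASON_ALLOWED_BY_EXCEPTION = 2,
               REASON_INTERNAL_ERROR = 3 } action_reason_t;

/* Assumed bit values for the protection option and the alert flags. */
#define PROT_OPT_BETA        ((QWORD)1 << 0)  /* protection is in log-only mode */
#define ALERT_FLAG_BETA      ((QWORD)1 << 0)
#define ALERT_FLAG_EXCEPTION ((QWORD)1 << 1)  /* action allowed by an exception */
#define ALERT_FLAG_FEEDBACK  ((QWORD)1 << 2)  /* internal error: report, never block */

typedef struct {
    uint32_t version;   /* engine version, same for every alert */
    uint32_t type;      /* alert_type_t: which union member is active */
    QWORD    flags;
    uint32_t reason;    /* action_reason_t */
    uint32_t cpu;
} alert_header_t;

typedef struct { alert_header_t header; uint32_t msr; QWORD old_value; QWORD new_value; } msr_violation_t;
typedef struct { alert_header_t header; uint32_t local_ip; uint32_t remote_ip;
                 uint16_t local_port; uint16_t remote_port; } connection_event_t;

typedef union {
    alert_header_t     header;
    msr_violation_t    msr;
    connection_event_t connection;
} alert_t;

/* Dispatch on header.type only works if every member starts with the header. */
_Static_assert(offsetof(msr_violation_t, header) == 0, "header must be first");
_Static_assert(offsetof(connection_event_t, header) == 0, "header must be first");

static alert_t g_alert;   /* the single reused alert buffer */

/* Flags derived from the protection option and the reason for the action. */
static QWORD alert_get_flags(QWORD protection_flag, action_reason_t reason)
{
    QWORD flags = 0;
    if (protection_flag & PROT_OPT_BETA)        flags |= ALERT_FLAG_BETA;
    if (reason == REASON_ALLOWED_BY_EXCEPTION)  flags |= ALERT_FLAG_EXCEPTION;
    if (reason == REASON_INTERNAL_ERROR)        flags |= ALERT_FLAG_FEEDBACK;
    return flags;
}

static void alert_fill_header(alert_header_t *h, alert_type_t type,
                              QWORD protection_flag, action_reason_t reason, uint32_t cpu)
{
    h->version = 0x00010000u;   /* assumed engine version */
    h->type    = (uint32_t)type;
    h->flags   = alert_get_flags(protection_flag, reason);
    h->reason  = (uint32_t)reason;
    h->cpu     = cpu;
}

static void alert_fill_msr(uint32_t msr, QWORD old_value, QWORD new_value,
                           QWORD protection_flag, action_reason_t reason)
{
    memset(&g_alert, 0, sizeof g_alert);          /* clear the whole union */
    alert_fill_header(&g_alert.header, ALERT_MSR, protection_flag, reason, 0);
    g_alert.msr.msr = msr;
    g_alert.msr.old_value = old_value;
    g_alert.msr.new_value = new_value;
}

/* Correct: clear the whole buffer, then fill the (smaller) member. */
static void alert_fill_connection(uint32_t lip, uint32_t rip, uint16_t lport, uint16_t rport)
{
    memset(&g_alert, 0, sizeof g_alert);
    alert_fill_header(&g_alert.header, ALERT_CONNECTION, 0, REASON_NOT_ALLOWED, 0);
    g_alert.connection.local_ip = lip;   g_alert.connection.remote_ip = rip;
    g_alert.connection.local_port = lport; g_alert.connection.remote_port = rport;
}

/* Defective variant for comparison: clears only the member being filled. */
static void alert_fill_connection_naive(uint32_t lip, uint32_t rip, uint16_t lport, uint16_t rport)
{
    memset(&g_alert.connection, 0, sizeof g_alert.connection);
    alert_fill_header(&g_alert.header, ALERT_CONNECTION, 0, REASON_NOT_ALLOWED, 0);
    g_alert.connection.local_ip = lip;   g_alert.connection.remote_ip = rip;
    g_alert.connection.local_port = lport; g_alert.connection.remote_port = rport;
}

/* Non-zero bytes past the active member's end: leftovers from the previous
 * alert that a consumer copying sizeof(alert_t) would receive. */
static size_t alert_stale_bytes(size_t active_size)
{
    const unsigned char *p = (const unsigned char *)&g_alert;
    size_t n = 0;
    for (size_t i = active_size; i < sizeof g_alert; i++) n += (p[i] != 0);
    return n;
}

/* Fill an MSR alert (constructed values), then a connection alert on top of it. */
static size_t stale_after_connection(int naive)
{
    alert_fill_msr(0xC0000082u, 0x1111u, 0xDEADBEEFCAFEF00Dull, 0, REASON_NOT_ALLOWED);
    if (naive) alert_fill_connection_naive(0x0A000001u, 0xC0A80001u, 49152, 443);
    else       alert_fill_connection(0x0A000001u, 0xC0A80001u, 49152, 443);
    return alert_stale_bytes(sizeof g_alert.connection);
}

int main(void)
{
    printf("stale bytes, member-only clear: %zu\n", stale_after_connection(1));
    printf("stale bytes, whole-union clear: %zu\n", stale_after_connection(0));
    return 0;
}
```

The stale-byte count is the check worth keeping in a test suite for any reused alert buffer: whichever member is active, the bytes beyond it must be zero, otherwise the consumer of the alert receives fragments of an unrelated earlier event.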
void IntAlertFillWinProcessByCr3(QWORD ProcessCr3, INTRO_PROCESS *EventProcess)
Saves information about a Windows process inside an alert. The process is searched by its kernel CR3...
EVENT_INTEGRITY_VIOLATION Integrity
void IntAlertDtrFill(const EXCEPTION_VICTIM_ZONE *Victim, const EXCEPTION_KM_ORIGINATOR *Originator, EVENT_DTR_VIOLATION *DtrViolation)
Saves information about a DTR write attempt in an event.
Describes a driver object.
void IntAlertFillWinUmModule(const WIN_PROCESS_MODULE *Module, INTRO_MODULE *EventModule)
Fills information about a user mode module inside an alert.
Event structure for connections.
Holds the CPU context for an event.
void IntAlertFillConnection(const INTRONET_ENDPOINT *Connection, EVENT_CONNECTION_EVENT *Event)
Saves information about a guest connection in an event.
Event structure for EPT violations.
void IntAlertFillLixCurrentProcess(INTRO_PROCESS *EventProcess)
Saves the current Linux process inside an event.
void IntAlertFillWinKmModule(const KERNEL_DRIVER *Driver, INTRO_MODULE *EventModule)
Saves kernel module information inside an alert.
Structure for keeping the relevant DPI violation information.
Describes a user-mode or kernel-mode module.
Describes a guest process.
EVENT_ENGINES_DETECTION_VIOLATION EngineDetection
void IntAlertFillLixProcess(const LIX_TASK_OBJECT *Task, INTRO_PROCESS *EventProcess)
Saves information about a Linux process inside an event.
INTSTATUS IntAlertFillExecContext(QWORD Cr3, INTRO_EXEC_CONTEXT *ExecContext)
Fills the current execution context.
Event structure for XCR violation.
Event structure for plain data/message passing.
This structure describes a running process inside the guest.