71 #define CB_CACHE_FLG_RETURN 0x1 72 #define CB_CACHE_FLG_ORIGINAL 0x2 91 memzero(&gCodeBlocksOriginalCache,
sizeof(gCodeBlocksOriginalCache));
96 memzero(&gCodeBlocksReturnCache,
sizeof(gCodeBlocksReturnCache));
114 if (gCodeBlocksOriginalCache.
Cr3 == Cr3)
116 memzero(&gCodeBlocksOriginalCache,
sizeof(gCodeBlocksOriginalCache));
119 if (gCodeBlocksReturnCache.
Cr3 == Cr3)
121 memzero(&gCodeBlocksReturnCache,
sizeof(gCodeBlocksReturnCache));
126 __nonnull()
static DWORD 148 if (IndexPattern + Length > Sig->Length)
153 for (
DWORD i = 0; i < Length; i++)
155 if (Sig->Object[i + IndexPattern] != 0x100 &&
156 Sig->Object[i + IndexPattern] != Buffer[i])
183 while (list != ListHead)
204 while (list != ListHead)
225 while (list != ListHead)
246 while (list != ListHead)
309 if (!pSignature->AlertSignature)
317 if (!pSignature->AlertSignature)
325 if (!pSignature->AlertSignature)
333 if (!pSignature->AlertSignature)
341 if (!pSignature->AlertSignature)
349 if (!pSignature->AlertSignature)
357 if (!pSignature->AlertSignature)
365 if (!pSignature->AlertSignature)
406 if (pSignature->AlertSignature)
414 if (pSignature->AlertSignature)
422 if (pSignature->AlertSignature)
430 if (pSignature->AlertSignature)
552 memzero(&gCodeBlocksOriginalCache,
sizeof(gCodeBlocksOriginalCache));
553 memzero(&gCodeBlocksReturnCache,
sizeof(gCodeBlocksReturnCache));
582 Victim->Object.BaseAddress = Driver->BaseVa;
583 Victim->ProtectionFlag = Driver->ProtectionFlag;
589 else if (0 ==
wstrcasecmp(Driver->Name, u
"hal.dll") ||
598 Victim->Object.NameHash = Driver->NameHash;
602 Driver->Win.MzPeHeaders,
603 (
DWORD)(Victim->Ept.Gva - Driver->BaseVa),
607 ERROR(
"[ERROR] Failed getting the section header of the write address 0x%016llx in module 0x%016llx: 0x%08x\n",
608 Victim->Ept.Gva, Driver->BaseVa, status);
609 TRACE(
"[EXCEPTIONS] Will continue to check exceptions anyway...\n");
613 memcpy(Victim->Object.Module.SectionName, section.
Name, 8);
633 ERROR(
"[ERROR] Failed getting IAT from driver 0x%016llx: 0x%08x\n", Driver->BaseVa, status);
648 ERROR(
"[ERROR] Failed getting EAT from driver 0x%016llx: 0x%08x\n", Driver->BaseVa, status);
663 ERROR(
"[ERROR] Failed getting imports from driver 0x%016llx: 0x%08x\n", Driver->BaseVa, status);
695 QWORD gva = Victim->Ept.Gva;
697 Victim->Object.BaseAddress = Driver->BaseVa;
698 Victim->ProtectionFlag = Driver->ProtectionFlag;
707 Victim->Object.NameHash = Driver->NameHash;
710 if (
IN_RANGE_LEN(gva, Driver->Lix.CoreLayout.Base, Driver->Lix.CoreLayout.TextSize))
712 memcpy(Victim->Object.Module.SectionName,
"text",
sizeof(
"text"));
716 Driver->Lix.CoreLayout.Base + Driver->Lix.CoreLayout.TextSize,
717 Driver->Lix.CoreLayout.Base + Driver->Lix.CoreLayout.RoSize))
719 memcpy(Victim->Object.Module.SectionName,
"text_ro",
sizeof(
"text_ro"));
722 else if (!Driver->Lix.Initialized &&
723 IN_RANGE_LEN(gva, Driver->Lix.InitLayout.Base, Driver->Lix.InitLayout.TextSize))
725 memcpy(Victim->Object.Module.SectionName,
"init",
sizeof(
"init"));
728 else if (!Driver->Lix.Initialized &&
730 Driver->Lix.InitLayout.Base + Driver->Lix.InitLayout.TextSize,
731 Driver->Lix.InitLayout.Base + Driver->Lix.InitLayout.RoSize))
733 memcpy(Victim->Object.Module.SectionName,
"init_ro",
sizeof(
"init_ro"));
805 Victim->Ept.Gva = Gva;
806 Victim->Ept.Gpa = Gpa;
808 Victim->ZoneFlags = ZoneFlags;
822 Victim->Object.Type = Type;
825 switch (Victim->Object.Type)
830 ERROR(
"[ERROR] Writes of type %d are not supported on guests %d\n",
836 Victim->Object.Module.Module = Context;
845 Victim->Object.Module.Module = Context;
861 ERROR(
"[ERROR] Writes of type %d are not supported on guests %d\n",
866 Victim->Object.DriverObject = Context;
874 ERROR(
"[ERROR] Writes of type %d are not supported on guests %d\n",
879 Victim->Object.DriverObject = Context;
892 ERROR(
"[ERROR] Writes of type %d are not supported on guests %d\n",
898 Victim->Object.Library.Module = Context;
921 memcpy(Victim->Object.Library.SectionName, section.
Name, 8);
936 Victim->Object.NameWide = pModule->
Path->
Name;
943 Victim->Object.BaseAddress = Victim->Ept.Gva;
958 Victim->Object.BaseAddress = Gva &
PAGE_MASK;
970 Victim->Object.Name = pProc->
Name;
972 Victim->Object.Process = pProc;
980 Victim->Object.BaseAddress = Gva &
PAGE_MASK;
987 Victim->ExecInfo.StackBase = 0;
988 Victim->ExecInfo.StackLimit = 0;
993 &Victim->ExecInfo.StackLimit);
996 WARNING(
"[WARNING] IntWinThrGetCurrentStackBaseAndLimit failed with status: 0x%08x\n", status);
999 Victim->Object.NameHash = pProc->
NameHash;
1000 Victim->Object.Name = pProc->
Name;
1002 Victim->Object.Process = pProc;
1010 Victim->ExecInfo.StackBase = 0;
1011 Victim->ExecInfo.StackLimit = 0;
1017 Victim->ExecInfo.StackBase = pVma->
Start;
1018 Victim->ExecInfo.StackLimit = pVma->
End;
1024 Victim->Object.NameHash = pTask->
CommHash;
1028 Victim->Object.Name = pTask->
Path->
Name;
1032 Victim->Object.Name = pTask->
Comm;
1035 Victim->Object.Process = pTask;
1050 Victim->Object.BaseAddress = Gva &
PAGE_MASK;
1057 Victim->Object.BaseAddress = *(
QWORD *)Context;
1058 Victim->Object.Name =
"IDT";
1068 Victim->Object.Process = Context;
1071 Victim->Object.BaseAddress = Gva &
PAGE_MASK;
1082 WARNING(
"[WARNING] Shouldn't reach here (for now). Type is %d (original %d)...\n", Victim->Object.Type, Type);
1095 if (writeSize >
sizeof(Victim->WriteInfo.OldValue) || writeSize == 0)
1097 ERROR(
"[ERROR] Accessed size is too large or 0: 0x%x\n", writeSize);
1101 status =
IntVirtMemRead(Gva, writeSize, 0, Victim->WriteInfo.OldValue, NULL);
1104 WARNING(
"[WARNING] IntVirtMemRead failed for GVA 0x%016llx: 0x%08x\n", Gva, status);
1105 Victim->WriteInfo.OldValue[0] = 0xbaddead;
1114 WARNING(
"[WARNING] Failed getting operands for instruction %s: 0x%08x\n",
1118 Victim->WriteInfo.NewValue[0] = 0xbaddead;
1124 Victim->WriteInfo.AccessSize = operandValue.
Size;
1138 Victim->ReadInfo.Value[0] = 0xbaddead;
1152 _In_ void *Exception,
1153 _In_ void *Originator,
1179 DWORD lastChecked = 0;
1181 DWORD startOffset, endOffset, totalSize, csType;
1190 void *pHookObject = NULL;
1197 ERROR(
"[ERROR] IntGetCurrentMode failed: 0x%08x\n", status);
1203 ERROR(
"[ERROR] Unsupported CS type: %d\n", csType);
1207 switch (ExceptionType)
1260 if (pUmOrig->
WinLib != NULL)
1281 LOG(
"[INFO] Special case where process cr3 %llx != VCPU cr3 %llx\n", cr3,
gVcpu->
Regs.
Cr3);
1292 ERROR(
"[ERROR] Shouldn't reach here. Type is %d ...\n", ExceptionType);
1339 totalSize = endOffset - startOffset;
1357 ERROR(
"[ERROR] Invalid codeblocks cache flag %d...\n", cacheFlags);
1366 my_llabs((
long long)(pCodeBlocksCache->
Rip) - (
long long)(rip)) < 0x50 &&
1369 if (pCodeBlocksCache->
Rip == rip &&
1370 pCodeBlocksCache->
CsType == csType &&
1371 pCodeBlocksCache->
Cr3 == cr3)
1373 goto _skip_getting_codeblocks;
1377 pCodeBlocksCache->
Rip = rip;
1378 pCodeBlocksCache->
CsType = csType;
1379 pCodeBlocksCache->
Cr3 = cr3;
1380 pCodeBlocksCache->
Count = totalSize /
sizeof(
DWORD);
1385 pCodeBlocksCache->
Rip == rip &&
1386 pCodeBlocksCache->
CsType == csType)
1388 goto _skip_getting_codeblocks;
1392 pCodeBlocksCache->
Rip = rip;
1393 pCodeBlocksCache->
CsType = csType;
1394 pCodeBlocksCache->
Cr3 = cr3;
1395 pCodeBlocksCache->
Count = totalSize /
sizeof(
DWORD);
1403 WARNING(
"[WARNING] Failed to map range [0x%016llx - 0x%016llx], try to map range [0x%016llx - 0x%016llx]\n",
1404 (rip & PAGE_MASK) + startOffset, (rip & PAGE_MASK) + startOffset + totalSize,
1405 (rip & PAGE_MASK) + startOffset, (rip & PAGE_MASK) + startOffset + (
PAGE_SIZE - startOffset));
1409 pCodeBlocksCache->
EventId = 0;
1411 ERROR(
"[ERROR] Failed mapping VA 0x%016llx to host: 0x%08x\n", rip & PAGE_MASK, status);
1413 goto _clean_and_leave;
1420 pCodeBlocksCache->
EventId = 0;
1422 ERROR(
"[ERROR] Failed mapping VA 0x%016llx to host: 0x%08x\n", rip & PAGE_MASK, status);
1424 goto _clean_and_leave;
1432 pCodeBlocksCache->
EventId = 0;
1433 ERROR(
"[ERROR] Failed extracting blocks from VA 0x%016llx: 0x%08x\n", rip, status);
1434 goto _clean_and_leave;
1439 pCodeBlocksCache->
Count = 0;
1442 goto _clean_and_leave;
1445 _skip_getting_codeblocks:
1455 for (
DWORD i = lastChecked; i < SignatureCount; i++)
1462 if (Signatures[i].Value != pSig->Id.Value)
1482 goto _clean_and_leave;
1486 lastChecked = i + 1;
1508 _In_ void *Exception,
1509 _In_ void *Originator,
1536 DWORD lastChecked = 0;
1539 BYTE *pCodePattern = NULL;
1540 BYTE *pCodePatternBuffer = NULL;
1551 ERROR(
"[ERROR] IntGetCurrentMode failed: 0x%08x\n", status);
1557 ERROR(
"[ERROR] Unsupported CS type: %d\n", csType);
1561 switch (ExceptionType)
1594 cr3 = Victim->Object.WinProc->Cr3;
1595 requires64BitSig = requires64BitSig && !Victim->Object.WinProc->Wow64Process;
1614 LOG(
"[INFO] Special case where process cr3 %llx != VCPU cr3 %llx\n", cr3,
gVcpu->
Regs.
Cr3);
1622 ERROR(
"[ERROR] Shouldn't reach here. Type is %d ...\n", ExceptionType);
1640 for (
DWORD i = lastChecked; i < SignaturesCount; i++)
1643 DWORD pageRemaining;
1651 if (Signatures[i].Value != pSig->Id.Value)
1669 gva = rip + pSig->Offset;
1674 if ((oldGva != alignedGva) || NULL == pCodePattern)
1676 oldGva = alignedGva;
1679 if (NULL != pCodePattern)
1687 WARNING(
"[WARNING] IntVirtMemMap failed for address %llx: 0x%08x\n", alignedGva, status);
1697 lastChecked = i + 1;
1704 if (pageRemaining >= pSig->Length)
1707 goto _clean_and_leave;
1710 gva += pageRemaining;
1713 if (NULL == pCodePatternBuffer)
1716 goto _clean_and_leave;
1719 status =
IntVirtMemRead(gva, pSig->Length - pageRemaining, cr3, pCodePatternBuffer, NULL);
1722 ERROR(
"[ERROR] IntVirtMemMap failed for address %llx: 0x%08x\n", gva, status);
1727 pSig, pageRemaining))
1732 lastChecked = i + 1;
1741 goto _clean_and_leave;
1750 if (NULL != pCodePattern)
1761 _In_ void *Exception,
1762 _In_ void *Originator,
1786 BYTE *pBuffer = NULL;
1789 DWORD lastChecked = 0;
1796 if (Victim->WriteInfo.AccessSize >
sizeof(Victim->WriteInfo.NewValue))
1798 ERROR(
"[ERROR] Access size too large or 0: %d\n", Victim->WriteInfo.AccessSize);
1802 pBuffer = (
BYTE *)&Victim->WriteInfo.NewValue;
1803 size = Victim->WriteInfo.AccessSize;
1806 NULL == Victim->Injection.Buffer)
1811 size = Victim->Injection.Length;
1815 TRACE(
"[EXCEPTIONS] Must realloc old buffer %p with size %d to size %d\n",
1852 ERROR(
"[ERROR] IntVirtMemRead failed for gva %llx, cr3 %llx with size %d: %08x\n", gva, cr3, size, status);
1860 NULL != Victim->Injection.Buffer)
1862 pBuffer = Victim->Injection.Buffer;
1863 size = Victim->Injection.BufferSize;
1870 pBuffer = (
BYTE *)&Victim->WriteInfo.NewValue;
1871 size = Victim->WriteInfo.AccessSize;
1876 pBuffer = Victim->Integrity.Buffer;
1877 size = Victim->Integrity.BufferSize;
1893 switch (ExceptionType)
1909 ERROR(
"[ERROR] Shouldn't reach here. Type is %d ...\n", ExceptionType);
1922 for (
DWORD i = lastChecked; i < SignaturesCount; i++)
1925 DWORD matchedCount = 0;
1932 if (Signatures[i].Value != pSig->Id.Value)
1945 for (
DWORD j = 0; j < pSig->ListsCount; j++)
1951 char *pCommandLine = NULL;
1966 if (pCommandLine == NULL)
1973 if (((
QWORD)pSigHash[j].Offset + (
DWORD)pSigHash[j].Size) > strlen(pCommandLine))
1978 match = (pSigHash[j].
Hash ==
Crc32Compute(pCommandLine + pSigHash[j].Offset,
1991 if (((
DWORD)pSigHash[j].Offset + (
DWORD)pSigHash[j].Size) > size)
2005 if (matchedCount >= pSig->Score)
2014 lastChecked = i + 1;
2028 _In_ void *Exception,
2029 _In_ void *Originator,
2056 DWORD lastChecked = 0;
2062 switch(ExceptionType)
2086 WARNING(
"[WARNING] Unsupported exception type (%d) for export signature\n", ExceptionType);
2092 gva = Victim->Ept.Gva;
2093 accessSize = Victim->WriteInfo.AccessSize;
2097 gva = Victim->Injection.Gva;
2098 accessSize = Victim->Injection.Length;
2105 pModule = Victim->Object.Library.Module;
2108 if (NULL == pModule)
2118 if (Victim->Object.Library.Export == NULL)
2137 for (
DWORD i = lastChecked; i < SignaturesCount; i++)
2146 if (Signatures[i].Value != pSig->Id.Value)
2159 for (
DWORD j = 0; j < pSig->ListsCount; j++)
2169 if (Victim->Object.Library.Export == NULL &&
2176 if (Victim->Object.Library.Export == NULL)
2181 for (
DWORD export = 0; export < Victim->Object.Library.Export->NumberOfOffsets; export++)
2183 if (pSigHash[j].Hash == Victim->Object.Library.Export->NameHashes[export])
2196 offset = (
DWORD)(gva - pModule->
VirtualBase) - Victim->Object.Library.Export->Rva;
2197 if (pSigHash[j].Delta != 0 &&
2198 (offset + accessSize - 1 > pSigHash[j].Delta))
2207 lastChecked = i + 1;
2220 _In_ void *Exception,
2221 _In_ void *Originator,
2245 DWORD lastChecked = 0;
2252 switch (Victim->Object.Type)
2257 idtEntry = (
BYTE)(Victim->Integrity.Offset /
2262 idtEntry = (
BYTE)((Victim->Ept.Gva - Victim->Object.BaseAddress) /
2268 idtEntry = (
BYTE)Victim->Integrity.InterruptObjIndex;
2285 for (
DWORD i = lastChecked; i < SignaturesCount; i++)
2292 if (Signatures[i].Value != pSig->Id.Value)
2304 if (pSig->Entry == idtEntry)
2310 lastChecked = i + 1;
2324 _In_ void *Exception,
2325 _In_ void *Originator,
2348 DWORD lastChecked = 0;
2355 pOriginator = Originator;
2357 mask = pOriginator->
PcType;
2369 for (
DWORD i = lastChecked; i < SignaturesCount; i++)
2376 if (Signatures[i].Value != pSignature->Id.Value)
2388 if ((~(pSignature->CreateMask) & mask) == 0)
2394 lastChecked = i + 1;
2408 _In_ void *Exception,
2426 DWORD lastChecked = 0;
2438 for (
DWORD i = lastChecked; i < SignaturesCount; i++)
2445 if (Signatures[i].Value != pSignature->Id.Value)
2475 goto _check_min_os_done;
2483 goto _check_min_os_done;
2491 goto _check_min_os_done;
2505 goto _check_max_os_done;
2513 goto _check_max_os_done;
2521 goto _check_max_os_done;
2529 goto _check_max_os_done;
2541 if (matchMin && matchMax)
2548 lastChecked = i + 1;
2562 _In_ void *Exception,
2580 DWORD lastChecked = 0;
2592 for (
DWORD i = lastChecked; i < SignaturesCount; i++)
2602 if (Signatures[i].Value != pSignature->Id.Value)
2622 goto _check_min_done;
2630 goto _check_min_done;
2638 goto _check_min_done;
2653 goto _check_max_done;
2661 goto _check_max_done;
2669 goto _check_max_done;
2677 goto _check_max_done;
2689 if (matchMax && matchMin)
2695 lastChecked = i + 1;
2723 for (
DWORD index = 0; index <
Count; index++)
2737 _In_ void *Exception,
2738 _In_ void *Originator,
2766 switch (ExceptionType)
2785 if (NULL != Victim->Object.Library.Module &&
2802 if (NULL != Victim->Object.Library.Module &&
2814 ERROR(
"[ERROR] Shouldn't reach here. Type is %d ...\n", ExceptionType);
2824 while (index < count)
2826 switch (pId[index].Field.
Type)
2951 ERROR(
"[ERROR] Should not reach here. Type is %d ...\n", pId[index].Field.
Type);
2959 ERROR(
"[ERROR] IntExceptVerifySignature failed for signature type %d with status: 0x%08x\n",
2960 pId[index].Field.
Type, status);
2967 while (index < count && pId[index].Field.
Type == pId[index - 1].
Field.
Type)
2979 _In_ void *Originator,
2995 DWORD startOffset, endOffset, totalSize, i, csType;
3001 if (NULL == Originator)
3009 ERROR(
"[ERROR] IntGetCurrentMode failed: 0x%08x\n", status);
3015 ERROR(
"[ERROR] Unsupported CS type: %d\n", csType);
3097 totalSize = endOffset - startOffset;
3119 WARNING(
"[WARNING] Failed to map range [0x%016llx - 0x%016llx], try to map range [0x%016llx - 0x%016llx]\n",
3120 (rip & PAGE_MASK) + startOffset, (rip & PAGE_MASK) + startOffset + totalSize,
3121 (rip & PAGE_MASK) + startOffset, (rip & PAGE_MASK) + startOffset + (
PAGE_SIZE - startOffset));
3133 ERROR(
"[ERROR] Failed mapping VA 0x%016llx to host: 0x%08x\n", rip &
PAGE_MASK, status);
3134 goto _clean_and_leave;
3138 WARNING(
"[WARNING] Failed mapping VA 0x%016llx to host: 0x%08x\n", rip &
PAGE_MASK, status);
3139 goto _clean_and_leave;
3148 KernelMode ? ReturnDrv :
FALSE);
3154 WARNING(
"[WARNING] Failed extracting blocks from VA 0x%016llx: 0x%08x\n", rip, status);
3155 goto _clean_and_leave;
3169 _In_ void *Originator,
3170 _In_ void *Exception,
3196 BOOLEAN feedbackException, linuxException;
3198 switch (ExceptionType)
3221 ERROR(
"[ERROR] Shouldn't reach here. Type is %d ...\n", ExceptionType);
3232 switch (ExceptionType)
3248 ERROR(
"[ERROR] Shouldn't reach here. Type is %d ...\n", ExceptionType);
3266 ERROR(
"[ERROR] IntExceptMatchVictim `%d` failed: 0x%08x. Will ignore this exception!\n",
3267 ExceptionType, status);
3276 switch (ExceptionType)
3295 ERROR(
"[ERROR] Shouldn't reach here. Type is %d ...\n", ExceptionType);
3318 ERROR(
"[ERROR] IntExceptVerfiyExtra Type: `%d` failed: 0x%08x. Will ignore this exception!\n",
3319 ExceptionType, status);
3343 ERROR(
"[ERROR] IntExceptVerifySignature failed: 0x%08x. Will ignore this exception!\n", status);
3359 _In_ void *Originator,
3396 ERROR(
"[ERROR] The 'Victim' argument for exceptions mechanism is invalid!\n");
3400 if (NULL == Originator)
3402 ERROR(
"[ERROR] The 'Originator' argument for exceptions mechanism is invalid!\n");
3408 ERROR(
"[ERROR] The 'Action' argument for exceptions mechanism is invalid!\n");
3414 ERROR(
"[ERROR] The 'Reason' argument for exceptions mechanism is invalid!\n");
3424 if (showNotLoadedWarning)
3426 LOG(
"**************************************************\n");
3427 LOG(
"************Exceptions are not loaded*************\n");
3428 LOG(
"**************************************************\n");
3430 showNotLoadedWarning =
FALSE;
3451 ERROR(
"[ERROR] Invalid exception type (%d)...\n", Type);
3457 ERROR(
"[ERROR] IntExcept failed for type %d with status: 0x%08x . Will ignore this exception!\n", Type, status);
3474 ERROR(
"[ERROR] Invalid exception type (%d)...\n", Type);
WINUM_PATH * Path
Module path.
#define IMAGE_SCN_MEM_EXECUTE
The range-identifier used for value-code signature.
PCHAR CommandLine
The command line with which the process was created (can be NULL).
BOOLEAN ExportDirRead
True if the exports directory has been read.
INTSTATUS IntExceptKernel(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason)
This function iterates through exception lists and tries to find an exception that matches the origin...
void IntExcept(EXCEPTION_VICTIM_ZONE *Victim, void *Originator, EXCEPTION_TYPE Type, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason, INTRO_EVENT_TYPE EventClass)
This function is the entry point for the exception mechanism.
enum _INTRO_ACTION_REASON INTRO_ACTION_REASON
The reason for which an INTRO_ACTION was taken.
#define DESCRIPTOR_SIZE_32
#define for_each_version_os_signature(_ex_head, _var_name)
#define INT_STATUS_EXCEPTION_NOT_MATCHED
INTSTATUS IntExceptMatchException(void *Victim, void *Originator, void *Exception, EXCEPTION_TYPE ExceptionType, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason)
This function tries to find an exception for the current violation.
INTSTATUS IntPeGetSectionHeaderByRva(QWORD ImageBase, BYTE *ImageBaseBuffer, DWORD GuestRva, IMAGE_SECTION_HEADER *SectionHeader)
Given a relative virtual address, return the section header which describes the section the RVA lies ...
#define CONTAINING_RECORD(List, Type, Member)
DWORD Count
The number of the code-blocks.
QWORD Cr3
The CR3 for this process.
INTSTATUS IntVirtMemUnmap(void **HostPtr)
Unmaps a memory range previously mapped with IntVirtMemMap.
INTSTATUS IntExceptKernelVerifyExtra(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_UM_ORIGINATOR *Originator, UM_EXCEPTION *Exception)
This function is used as an extra step in the exception mechanism.
The creation of a process was attempted while the parent had its heap sprayed.
INTSTATUS IntWinThrGetCurrentStackBaseAndLimit(QWORD *TibBase, QWORD *StackBase, QWORD *StackLimit)
Obtains the stack base, stack limit and TIB address of the current thread.
#define INT_STATUS_EXCEPTION_CHECKS_FAILED
An internal error occurred (no memory, pages not present, etc.).
The exception ID. The layout consists of the exception type and the unique identifier of the exceptio...
The value hash is for the process command line (valid only for value signature).
Kernel module (ntoskrnl.exe, hal.dll, etc.).
static INTSTATUS IntExceptWinGetVictimDriver(KERNEL_DRIVER *Driver, EXCEPTION_VICTIM_ZONE *Victim)
This function gets the information from KERNEL_DRIVER and fills in the information required by EXCEPTION_V...
Describes an export signature hash.
WINDOWS_GUEST * gWinGuest
Global variable holding the state of a Windows guest.
LIST_HEAD KernelUserExceptions[EXCEPTION_TABLE_SIZE]
Array of linked lists used for kernel-user mode exceptions.
LIST_HEAD ValueCodeSignatures
Linked list used for value-code signatures.
IG_ARCH_REGS Regs
The current state of the guest registers.
DWORD IatSize
Size of the imports table.
DWORD Index
The VCPU number.
DWORD Crc32Compute(const void *Buffer, size_t Size, DWORD InitialCrc)
Computes the CRC for a byte array.
Describes a kernel-user mode exception.
INTSTATUS IntPeGetDirectory(QWORD ImageBase, BYTE *ImageBaseBuffer, DWORD DirectoryEntry, IMAGE_DATA_DIRECTORY *Directory)
Validate & return the indicated image data directory.
The signature is valid only on 64 bit systems/processes.
QWORD SystemCr3
The Cr3 used to map the kernel.
#define INT_STATUS_SUCCESS
Fast IO Dispatch (Windows only).
An interrupt object from KPRCB.
LIST_HEAD NoNameKernelExceptions
Linked list used for kernel-mode exceptions that don't have a valid originator (-).
#define PAGE_REMAINING(addr)
Infinity hook modifications of WMI_LOGGER_CONTEXT.GetCpuClock.
Describes a value signature.
INTSTATUS IntExceptKernelUserVerifyExtra(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_UM_ORIGINATOR *Originator, UM_EXCEPTION *Exception)
This function is used as an extra step in the exception mechanism.
#define for_each_process_creation_signature(_ex_head, _var_name)
void IntExceptInvCbCacheByCr3(QWORD Cr3)
Invalidate the cache used for code blocks for a given CR3.
static void IntExceptRemoveUmGlobListExceptions(LIST_HEAD *ListHead)
This function removes and frees all entries from a user-mode glob exceptions list.
static INTSTATUS IntExceptVerifyVersionIntroSignature(void *Exception, EXCEPTION_SIGNATURE_ID *Signatures, DWORD SignaturesCount)
This function checks if the version of the introspection is in the minimum-maximum range...
#define ZONE_LIB_RESOURCES
Used for the resources section (usually .rsrc inside a driver or dll).
User-mode non executable zone.
LIST_HEAD GenericUserExceptions
Linked list used for user-mode exceptions that have a generic originator(*).
#define INTRO_OPT_PROT_KM_NT
Enable kernel image protection (Windows only).
struct _LIST_ENTRY * Flink
LIST_HEAD ExportSignatures
Linked list used for export signatures.
LIST_HEAD ProcessCreationAlertExceptions
Linked list used for process-creation exceptions that are added from alert.
long long my_llabs(long long value)
The exception sends a feedback alert.
#define INT_SUCCESS(Status)
INTSTATUS IntFragExtractCodeBlocks(BYTE *Buffer, DWORD MaxBufferSize, IG_CS_TYPE CsType, CB_EXTRACT_LEVEL ExtractLevel, DWORD *HashesCount, DWORD *Hashes)
Extract a block of code-block hashes from the given code buffer.
The action was not allowed because there was no reason to allow it.
The modified object is inside an EPT hook.
#define INT_STATUS_SIGNATURE_MATCHED
LIST_HEAD VersionIntroSignatures
Linked list used for introspection version signatures.
#define INT_STATUS_EXCEPTION_CHECKS_OK
Describes a user-mode glob exception.
LIST_HEAD ProcessCreationSignatures
Linked list used for process-creation signatures.
LIST_HEAD IdtSignatures
Linked list used for IDT signatures.
static INTSTATUS IntExceptVerifyIdtSignature(void *Exception, void *Originator, PEXCEPTION_VICTIM_ZONE Victim, EXCEPTION_SIGNATURE_ID *Signatures, DWORD SignaturesCount, EXCEPTION_TYPE ExceptionType)
This function checks if the modified IDT entry matches the entry from the given exception.
#define IntExceptErase(Ptr, Tag)
Frees an exception or a signature buffer and removes it from the list it is currently in...
#define CB_CACHE_FLG_ORIGINAL
Indicates that the gCodeBlocksOriginalCache should be used.
LIST_HEAD UserAlertExceptions
Linked list used for user-mode exceptions that are added from alert.
Describes a user-mode originator.
LIX_TASK_PATH * Path
The path of the file executed.
#define HpAllocWithTag(Len, Tag)
static CB_CACHE gCodeBlocksOriginalCache
Cache for code blocks extracted from an originator.
The name can be any string.
The range-identifier used for idt signature.
LIST_HEAD UserExceptions[EXCEPTION_TABLE_SIZE]
Array of linked lists used for user-mode exceptions.
int INTSTATUS
The status data type.
struct _WINUM_MODULE_CACHE::@242 Info
__pure INTSTATUS IntFragMatchSignature(const DWORD *Hashes, DWORD CodeBlocksCount, const SIG_CODEBLOCKS *ExceptionSignature)
Match a block of code-block hashes against a list of code-block exception signatures.
DWORD OSVersion
Os version.
QWORD gEventId
The ID of the current event.
QWORD Rip
The RIP from which the write came from.
BOOLEAN Loaded
True if the exceptions are loaded.
DWORD CodeBlocks[PAGE_SIZE/sizeof(DWORD)]
The code-blocks array.
#define INT_STATUS_NOT_FOUND
DWORD NameHash
Name hash, as used by the exceptions module.
DWORD NumberOfServices
The number of entries in the SSDT.
The exception is valid only for Linux.
static DWORD gValueBufferSize
The size, in bytes, of the gValueBuffer buffer.
LIST_HEAD KernelAlertExceptions
Linked list used for kernel-mode exceptions that are added from alert.
DWORD EatRva
RVA of the exports table.
INTSTATUS IntExceptUserVerifyExtra(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_UM_ORIGINATOR *Originator, UM_EXCEPTION *Exception)
This function is used as an extra step in the exception mechanism that verifies the initialization flags of...
#define CB_CACHE_FLG_RETURN
Indicates that the gCodeBlocksReturnCache cache should be used.
void IntExceptKernelUserLogInformation(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason)
Print the information about a kernel-user mode violation and dumps the code-blocks.
Integrity protection of SharedUserData region.
Describes a kernel-mode originator.
User-mode exception that accepts glob content.
Codeblocks were extracted at a medium level.
#define for_each_idt_signature(_ex_head, _var_name)
The range-identifier used for value signature.
INTRO_GUEST_TYPE OSType
The type of the guest.
struct _CB_CACHE CB_CACHE
Describes a code-blocks cache entry.
INSTRUX Instruction
The current instruction, pointed by the guest RIP.
QWORD VirtualBase
Guest virtual address of the loaded module.
Process ACL (SACL/DACL) was modified.
INTSTATUS IntExceptUninit(void)
This function removes and frees all exceptions and signatures.
The range-identifier used for process creation signature.
static INTSTATUS IntExceptVerifySignature(void *Exception, void *Originator, EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_TYPE ExceptionType, INTRO_ACTION_REASON *Reason)
Iterates over all signatures of the given exception and calls the suitable function for that signature ty...
WIN_PROCESS_OBJECT * WinProc
The Windows process that is modifying the memory (always present).
INTRO_PC_VIOLATION_TYPE PcType
Valid if the current violation is DPI Process Creation Violation.
DWORD CommHash
The CRC32 checksum of the Comm field.
struct _EXCEPTION_KM_ORIGINATOR::@63 Return
void * IntHookObjectFindRegion(QWORD Gva, void *HookObject, BYTE HookType)
Searches for a region of hooked memory inside the provided hook object.
QWORD SourceVA
The GVA from where the injection is.
QWORD Start
Start of the memory described by the VMA.
char * CmdLine
The process command line.
Describes a kernel driver.
DWORD Wow64Process
TRUE if this is a 32 bit process on a 64 bit OS.
INTSTATUS IntFragDumpBlocks(PBYTE Buffer, QWORD StartAddress, DWORD MaxBufferSize, IG_CS_TYPE CsType, CB_EXTRACT_LEVEL ExtractLevel, QWORD Rip, BOOLEAN ReturnRip)
Dumps code-blocks that can then be used to generate an exception signature.
DWORD AccessSize
The size of the memory access. Valid only for EPT exits.
static CB_CACHE gCodeBlocksReturnCache
Cache for code blocks extracted from a return originator.
#define PAGE_FRAME_NUMBER(addr)
static BOOLEAN IntExceptSignaturesHasType(EXCEPTION_SIGNATURE_ID *Signatures, DWORD Count, EXCEPTION_SIGNATURE_TYPE Type)
This function checks if any signature from a signature array has the given type. ...
Exposes the functions used to provide Windows Threads related support.
QWORD Cr3
Process PDBR. Includes PCID.
INTSTATUS IntGetCurrentMode(DWORD CpuNumber, DWORD *Mode)
Read the current CS type.
LIST_HEAD CbSignatures
Linked list used for codeblocks signatures.
enum _INTRO_OBJECT_TYPE INTRO_OBJECT_TYPE
The type of the object protected by an EPT hook.
#define SIG_FOUND
Signals that a signature matched.
The range-identifier used for export signature.
struct _CB_CACHE * PCB_CACHE
TIMER_FRIENDLY void IntDumpInstruction(INSTRUX *Instruction, QWORD Rip)
This function dumps a given instruction (textual disassembly).
LIST_HEAD KernelUserAlertExceptions
Linked list used for kernel-user mode exceptions that are added from alert.
#define ZONE_LIB_CODE
Used for a generic code zone.
LIX_VMA * IntLixMmFindVmaByRange(const LIX_TASK_OBJECT *Process, QWORD Address)
Finds if a memory address inside a process is being protected and returns the corresponding LIX_VMA s...
#define for_each_value_signature(_ex_head, _var_name)
#define INITIAL_CRC_VALUE
Hal interrupt controller.
EXCEPTIONS * Exceptions
The exceptions that are currently loaded.
Describes an operand value.
#define IS_KERNEL_POINTER_LIX(p)
static INTSTATUS IntExceptVerifyValueSig(void *Exception, void *Originator, EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_SIGNATURE_ID *Signatures, DWORD SignaturesCount, EXCEPTION_TYPE ExceptionType)
This function checks if the hash of the modified zone from the originator matches the hash from the g...
#define INT_STATUS_NOT_INITIALIZED
#define SIG_NOT_FOUND
Signals that a signature was not matched.
QWORD QwordValues[ND_MAX_REGISTER_SIZE/8]
#define EXCEPTION_CODEBLOCKS_OFFSET
The maximum offset for codeblocks extraction.
#define IG_CURRENT_VCPU
For APIs that take a VCPU number as a parameter, this can be used to specify that the current VCPU sh...
The modified object is inside an integrity hook.
DWORD Hash
The hash of the modified zone.
QWORD EventId
The current event ID.
#define for_each_version_intro_signature(_ex_head, _var_name)
LIX_TASK_OBJECT * LixProc
The Linux process that is modifying the memory (always present).
LIST_HEAD KernelFeedbackExceptions
Linked list used for kernel-mode exceptions that have the feedback flag.
#define IN_RANGE(x, start, end)
Holds information about a driver object.
QWORD End
End of the memory described by the VMA.
BOOLEAN Guest64
True if this is a 64-bit guest, False if it is a 32-bit guest.
CHAR Name[IMAGE_BASE_NAME_LEN]
Process base name.
The name is the operating system kernel name.
enum _EXCEPTION_TYPE EXCEPTION_TYPE
The type of an exception.
The signature is valid only on 32 bit systems/processes.
INTSTATUS IntExceptAlertRemove(void)
This function removes and frees all exceptions and signatures that have been added from alert...
void IntExceptUserLogInformation(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_UM_ORIGINATOR *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason)
Print the information about a user-mode violation, dumps the code-blocks and the injection buffer...
#define IN_RANGE_LEN(x, start, len)
static INTSTATUS IntExceptVerifyValueCodeSig(void *Exception, void *Originator, EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_SIGNATURE_ID *Signatures, DWORD SignaturesCount, EXCEPTION_TYPE ExceptionType)
This function checks if the opcodes from the originator's RIP match the opcodes pattern from the give...
QWORD Ssdt
Guest virtual address of the SSDT structure inside the kernel.
union _OPERAND_VALUE::@22 Value
The actual operand value.
Describes a value signature hash.
TIMER_FRIENDLY void IntDumpBuffer(const void *Buffer, QWORD Gva, DWORD Length, DWORD RowLength, DWORD ElementLength, BOOLEAN LogHeader, BOOLEAN DumpAscii)
This function dumps a given buffer in a user friendly format.
#define HpFreeAndNullWithTag(Add, Tag)
This includes instructions until codeInsBt.
static void IntExceptRemoveUmListExceptions(LIST_HEAD *ListHead)
This function removes and frees all entries from a user-mode exceptions list.
The range-identifier used for the operating system version signature.
#define INT_STATUS_INVALID_PARAMETER_5
INTSTATUS IntExceptKernelUser(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason)
This function iterates through exception lists and tries to find an exception that matches the origin...
struct _EXCEPTIONS::@26 Version
Loaded exceptions binary version.
Describes the internal exceptions data.
QWORD KernelVa
The guest virtual address of the kernel image.
void IntExceptKernelLogInformation(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason)
Print the information about a kernel-mode violation and dumps the code-blocks.
INTSTATUS IntExceptUserVerifyExtraGlobMatch(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_UM_ORIGINATOR *Originator, UM_EXCEPTION_GLOB *Exception)
This function is used as an extra step in exception mechanism that verify the initialization flags of...
struct _WIN_PROCESS_OBJECT * Process
The process object related to this subsystem.
void * HookObject
Module hook object.
#define DESCRIPTOR_SIZE_64
INT_VERSION_INFO IntHviVersion
The version of the introcore library.
LIST_HEAD KernelUserFeedbackExceptions
Linked list used for kernel-user mode exceptions that have the feedback flag.
QWORD Cr3
The CR3 of the process from which the write came.
void IntExceptDumpSignatures(void *Originator, EXCEPTION_VICTIM_ZONE *Victim, BOOLEAN KernelMode, BOOLEAN ReturnDrv)
Dump code blocks from the originator's RIP.
The modified object is a MSR.
struct _INT_VERSION_INFO::@339 VersionInfo
Structured version information.
The exception will take into consideration the return driver.
#define ZONE_LIB_EXPORTS
Used for the exports of a dll, driver, etc.
DWORD Size
The operand size.
static void InitializeListHead(LIST_ENTRY *ListHead)
static BYTE * gValueBuffer
Pre-allocated buffer used to match value signatures.
Describes the modified zone.
INTSTATUS IntExceptInit(void)
This function allocates the exceptions data and initializes the exception lists and the signature list...
#define UNREFERENCED_PARAMETER(P)
char * Name
The path base name.
#define IMAGE_DIRECTORY_ENTRY_EXPORT
This includes instructions until codeInsFlags.
DWORD NameHash
The CRC32 hash of the name. Used for fast matching.
Describe a kernel-mode exception.
Describe a user-mode exception.
Executions inside the SharedUserData region.
The Virtualization exception agent injected inside the guest.
static INTSTATUS IntExceptLixGetVictimDriver(KERNEL_DRIVER *Driver, EXCEPTION_VICTIM_ZONE *Victim)
Fills an EXCEPTION_VICTIM_ZONE with the relevant information from a KERNEL_DRIVER.
#define EXCEPTION_TABLE_SIZE
LIST_HEAD GlobUserExceptions
Linked list used for user-mode exceptions that contains glob content.
DWORD Hash
The hash of the modified function name.
static INTSTATUS IntExceptVerifyExportSig(void *Exception, void *Originator, EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_SIGNATURE_ID *Signatures, DWORD SignaturesCount, EXCEPTION_TYPE ExceptionType)
Checks if the modified library from the originator matches the library from the given exception...
char gExcLogLine[2 *ONE_KILOBYTE]
The exception log line.
DWORD EatSize
Size of the exports table.
#define INT_STATUS_INVALID_PARAMETER_6
The exception file was not loaded (there are no exceptions).
enum _INTRO_ACTION INTRO_ACTION
Event actions.
LIST_HEAD ProcessCreationExceptions
Linked list used for process creations exceptions.
#define IMAGE_SCN_CNT_CODE
QWORD Rip
The RIP from where the call to the exported function came.
LIST_HEAD GenericKernelExceptions
Linked list used for kernel-mode exceptions that have a generic originator (*).
The action was allowed, but it has the BETA flag (Introcore is in log-only mode). ...
Describes a code-blocks cache entry.
WCHAR * Name
The name of the module contained in the path.
INTSTATUS IntExceptGetVictimEpt(void *Context, QWORD Gpa, QWORD Gva, INTRO_OBJECT_TYPE Type, DWORD ZoneFlags, EXCEPTION_VICTIM_ZONE *Victim)
Fills an EXCEPTION_VICTIM_ZONE with relevant information from an EPT violation.
#define IMAGE_DIRECTORY_ENTRY_RESOURCE
static DWORD IntExceptExtendedPatternMatch(const BYTE *Buffer, DWORD Length, const SIG_VALUE_CODE *Sig, DWORD IndexPattern)
Try to match the given buffer with the given signature.
__must_check INTSTATUS IntVirtMemMap(QWORD Gva, DWORD Length, QWORD Cr3, DWORD Flags, void **HostPtr)
Maps a guest virtual memory range inside Introcore virtual address space.
MM Mm
Guest memory information, such as paging mode, system Cr3 value, etc.
LIST_HEAD ValueSignatures
Linked list used for value signatures.
char Comm[LIX_COMM_SIZE]
The short name of the executable.
Self mapping index in PDBR.
QWORD KeServiceDescriptorTable
Guest virtual address of the KeServiceDescriptorTable variable.
GUEST_STATE gGuest
The current guest state.
static void IntExceptRemoveKmListExceptions(LIST_HEAD *ListHead)
This function removes and frees all entries from a kernel-mode exceptions list.
The modified object is inside a process.
WINUM_MODULE_CACHE * Cache
Module headers cache.
#define IMAGE_DIRECTORY_ENTRY_IAT
INTSTATUS IntVirtMemRead(QWORD Gva, DWORD Length, QWORD Cr3, void *Buffer, DWORD *RetLength)
Reads data from a guest virtual memory range.
The signature is valid only on Linux.
LIST_HEAD NoNameKernelUserExceptions
Linked list used for kernel-user mode exceptions that don't have a valid originator (-)...
WIN_PROCESS_MODULE * WinLib
The windows library that's modifying the memory (if that's the case).
#define for_each_cb_signature(_ex_head, _var_name)
Introspection version info.
DWORD Type
The type of the signature (EXCEPTION_SIGNATURE_TYPE).
LIST_HEAD ProcessCreationFeedbackExceptions
Linked list used for process-creation exceptions that have the feedback flag.
#define for_each_value_code_signature(_ex_head, _var_name)
static INTSTATUS IntExceptVerifyVersionOsSignature(void *Exception, EXCEPTION_SIGNATURE_ID *Signatures, DWORD SignaturesCount)
This function checks if the version of the guest operating system is in the minimum-maximum range...
LIST_HEAD UserFeedbackExceptions
Linked list used for user-mode exceptions that have the feedback flag.
The thread which created the process has started execution on some suspicious code.
Virtual SYSCALL (user-mode, Linux-only).
struct _EXCEPTION_KM_ORIGINATOR::@64 Original
int wstrcasecmp(const WCHAR *buf1, const WCHAR *buf2)
INTSTATUS IntKernVirtMemRead(QWORD KernelGva, DWORD Length, void *Buffer, DWORD *RetLength)
Reads data from a guest kernel virtual memory range.
LIST_HEAD KernelExceptions[EXCEPTION_TABLE_SIZE]
Array of linked lists used for kernel-mode exceptions.
#define ZONE_READ
Used for read violation.
#define ZONE_DEP_EXECUTION
Used for executions inside DEP zones.
WINUM_CACHE_EXPORT * IntWinUmCacheGetExportFromRange(WIN_PROCESS_MODULE *Module, QWORD Gva, DWORD Length)
Tries to find an export in the range [Gva - Length, Gva].
struct _EXCEPTION_SIGNATURE_ID::@27 Field
The action was blocked because no exception signature matched.
Virtual dynamic shared object (user-mode, Linux-only).
The range-identifier used for the code-blocks signature.
#define INT_STATUS_NOT_INITIALIZED_HINT
LIST_HEAD GenericKernelUserExceptions
Linked list used for kernel-user mode exceptions that have a generic originator (*).
INTSTATUS IntExceptRemove(void)
This function removes and frees all exceptions and signatures that have been added from exception bin...
#define INT_STATUS_NOT_SUPPORTED
Kernel-User mode exception.
VCPU_STATE * gVcpu
The state of the current VCPU.
INTSTATUS IntDecGetWrittenValueFromInstruction(PINSTRUX Instrux, PIG_ARCH_REGS Registers, PBYTE MemoryValue, OPERAND_VALUE *WrittenValue)
Decode a written value from a memory write instruction.
The action was blocked because there was no exception for it.
LIX_TASK_OBJECT * IntLixTaskGetCurrent(DWORD CpuNumber)
Finds the task that is currently running on the given CPU.
UINT8 Name[IMAGE_SIZEOF_SHORT_NAME]
enum _INTRO_EVENT_TYPE INTRO_EVENT_TYPE
Event classes.
struct _WIN_DRIVER_OBJECT * PWIN_DRIVER_OBJECT
INTSTATUS IntExceptKernelUserMatchVictim(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, KUM_EXCEPTION *Exception)
This function checks if the exception matches the originator and the modified zone.
static INTSTATUS IntExceptVerifyCodeBlocksSig(void *Exception, void *Originator, EXCEPTION_SIGNATURE_ID *Signatures, DWORD SignatureCount, EXCEPTION_TYPE ExceptionType)
This function checks if the code blocks from the originator RIP match the code blocks from the given ...
#define ZONE_LIB_IMPORTS
Used for the imports of a dll, driver, etc.
void * HookObject
The HookObject used for EPT hooks set inside this process's memory space.
Used for process-creation violations.
INTSTATUS IntExceptUserMatchVictim(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_UM_ORIGINATOR *Originator, void *Exception, EXCEPTION_TYPE ExceptionType)
This function checks if the exception matches the originator and the modified zone.
PWIN_PROCESS_SUBSYSTEM Subsystem
Module subsystem.
The range-identifier used for the introspection version signature.
BYTE Version
The version field of the version string.
DWORD IatRva
RVA of the imports table.
void IntExceptInvCbCacheByGva(QWORD Gva)
Invalidate the cache used for code blocks for a given guest virtual address.
#define ZONE_MODULE_LOAD
Used for exceptions for double agent.
Process security descriptor pointer.
BYTE * Headers
A buffer containing the MZ/PE headers of this module.
#define ZONE_WRITE
Used for write violation.
static INTSTATUS IntExceptVerifyProcessCreationSignature(void *Exception, void *Originator, EXCEPTION_SIGNATURE_ID *Signatures, DWORD SignaturesCount, EXCEPTION_TYPE ExceptionType)
Checks if the DPI mask of the newly created process matches the DPI mask from the given exception...
INTSTATUS IntExceptUser(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_UM_ORIGINATOR *Originator, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason)
This function iterates through exception lists and tries to find an exception that matches the origin...
static void IntExceptRemoveKernelUserListExceptions(LIST_HEAD *ListHead)
This function removes and frees all entries from a kernel-user mode exceptions list.
LIST_HEAD NoNameUserExceptions
Linked list used for user-mode exceptions that don't have a valid originator (-). ...
QWORD Rip
Where the write/exec came from.
The name is the operating system HAL name (valid only for windows).
#define INT_STATUS_SIGNATURE_NOT_FOUND
static QWORD gUsedRips[255]
Cache of RIPs from which code blocks were already dumped.
LINUX_GUEST * gLixGuest
Global variable holding the state of a Linux guest.
#define for_each_export_signature(_ex_head, _var_name)
#define INT_STATUS_EXCEPTION_ALLOW
INTSTATUS IntExceptKernelMatchVictim(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, KM_EXCEPTION *Exception)
This function checks if the exception matches the originator and the modified zone.
This structure describes a running process inside the guest.
#define INT_STATUS_INSUFFICIENT_RESOURCES
enum _EXCEPTION_SIGNATURE_TYPE EXCEPTION_SIGNATURE_TYPE
The identifier that describes a range of signatures.
The exception (and the signature, where one applies) matched, but the extra checks failed.
LIST_HEAD VersionOsSignatures
Linked list used for operating system version signatures.