Bitdefender Hypervisor Memory Introspection
#include "guest_stack.h"
#include "drivers.h"
#include "integrity.h"
#include "introcpu.h"
#include "lixprocess.h"
#include "winummodule.h"
Data Structures | |
struct | _EXCEPTIONS |
Describes the internal exceptions data. More... | |
union | _EXCEPTION_SIGNATURE_ID |
The exception ID. The layout consists of the exception type and the unique identifier of the exception. More... | |
struct | _KM_EXCEPTION |
Describe a kernel-mode exception. More... | |
struct | _KUM_EXCEPTION |
Describe a kernel-user mode exception. More... | |
struct | _UM_EXCEPTION |
Describe a user-mode exception. More... | |
struct | _UM_EXCEPTION_GLOB |
Describe a user-mode glob exception. More... | |
struct | _SIG_CODEBLOCK_HASH |
Describe a codeblocks signature hash. More... | |
struct | _SIG_VALUE_HASH |
Describe a value signature hash. More... | |
struct | _SIG_EXPORT_HASH |
Describe an export signature hash. More... | |
struct | _EXCEPTION_CB_SIGNATURE |
Describes a codeblocks signature. More... | |
struct | _SIG_VALUE_CODE |
Describes a value signature. More... | |
struct | _SIG_EXPORT |
Describes an export signature. More... | |
struct | _SIG_VALUE |
Describes a value signature. More... | |
struct | _SIG_IDT |
Describes an IDT signature. More... | |
struct | _SIG_VERSION_OS |
Describes an operating system version signature. More... | |
struct | _SIG_VERSION_INTRO |
Describes an introspection version signature. More... | |
struct | _SIG_PROCESS_CREATION |
Describes a process-creation signature. More... | |
struct | _EXCEPTION_VICTIM_EPT |
Describes an EPT victim. More... | |
struct | _EXCEPTION_VICTIM_MSR |
Describes an MSR victim. More... | |
struct | _EXCEPTION_VICTIM_CR |
Describes a CR victim. More... | |
struct | _EXCEPTION_VICTIM_DTR |
Describes a DTR victim. More... | |
struct | _EXCEPTION_VICTIM_INTEGRITY |
Describes an integrity victim. More... | |
struct | _EXCEPTION_VICTIM_INJECTION |
Describes an injection. More... | |
struct | _EXCEPTION_VICTIM_MODULE |
Describes a victim module. More... | |
struct | _EXCEPTION_VICTIM_OBJECT |
Describes a victim object. More... | |
struct | _EXCEPTION_VICTIM_ZONE |
Describes the modified zone. More... | |
struct | _EXCEPTION_KM_ORIGINATOR |
Describes a kernel-mode originator. More... | |
struct | _EXCEPTION_UM_ORIGINATOR |
Describes a user-mode originator. More... | |
Macros | |
#define | EXCEPTION_INTROUNIT_NAME_HASH 0x1036c1b7 |
#define | EXCEPTION_NO_NAME "<no name>" |
#define | EXCEPTION_NO_WNAME u"<no name>" |
#define | EXCEPTION_NO_INSTRUCTION "<generic>" |
#define | EXCEPTION_NO_SYMBOL "<no sym>" |
#define | EXPORT_BEGIN_WRITE_ERR_RANGE 0x10 |
#define | EXPORT_NAME_UNKNOWN "<unknown>" |
#define | EXCEPTION_UM_GLOB_LENGTH 64 |
#define | EXCEPTION_TABLE_SIZE 0x10 |
#define | EXCEPTION_TABLE_ID(H) (((H) & 0xF0000000) >> 0x1c) |
#define | EXCEPTION_CODEBLOCKS_OFFSET 0x250 |
The maximum offset for codeblocks extraction. More... | |
#define | ZONE_LIB_IMPORTS 0x000000001ULL |
Used for the imports of a dll, driver, etc. More... | |
#define | ZONE_LIB_EXPORTS 0x000000002ULL |
Used for the exports of a dll, driver, etc. More... | |
#define | ZONE_LIB_CODE 0x000000004ULL |
Used for a generic code zone. More... | |
#define | ZONE_LIB_DATA 0x000000008ULL |
#define | ZONE_LIB_RESOURCES 0x000000010ULL |
Used for the resources section (usually .rsrc inside a driver or dll). More... | |
#define | ZONE_PROC_THREAD_CTX 0x000000020ULL |
Used for the CONTEXT structure of a thread. More... | |
#define | ZONE_PROC_THREAD_APC 0x000000040ULL |
Used for the APC thread hijacking technique. More... | |
#define | ZONE_DEP_EXECUTION 0x000000080ULL |
Used for executions inside DEP zones. More... | |
#define | ZONE_MODULE_LOAD 0x000000100ULL |
Used for exceptions for double agent. More... | |
#define | ZONE_PROC_INSTRUMENT 0x000000200ULL |
Used for exceptions for instrumentation callback. More... | |
#define | ZONE_WRITE 0x010000000ULL |
Used for write violation. More... | |
#define | ZONE_READ 0x020000000ULL |
Used for read violation. More... | |
#define | ZONE_EXECUTE 0x040000000ULL |
Used for execute violation. More... | |
#define | ZONE_INTEGRITY 0x100000000ULL |
Used for integrity zone. More... | |
#define | EXCEPTION_KM_ORIGINATOR_OPT_DO_NOT_BLOCK 0x00000001u |
Flag that can be passed to IntExceptKernelGetOriginator if the action should not be blocked. More... | |
#define | EXCEPTION_KM_ORIGINATOR_OPT_FULL_STACK 0x00000002u |
Flag that can be passed to IntExceptKernelGetOriginator when the full stack is needed. More... | |
#define | for_each_km_exception(_ex_head, _var_name) list_for_each(_ex_head, KM_EXCEPTION, _var_name) |
#define | for_each_kum_exception(_ex_head, _var_name) list_for_each(_ex_head, KUM_EXCEPTION, _var_name) |
#define | for_each_um_exception(_ex_head, _var_name) list_for_each(_ex_head, UM_EXCEPTION, _var_name) |
#define | for_each_um_glob_exception(_ex_head, _var_name) list_for_each(_ex_head, UM_EXCEPTION_GLOB, _var_name) |
#define | for_each_cb_signature(_ex_head, _var_name) list_for_each(_ex_head, SIG_CODEBLOCKS, _var_name) |
#define | for_each_export_signature(_ex_head, _var_name) list_for_each(_ex_head, SIG_EXPORT, _var_name) |
#define | for_each_value_signature(_ex_head, _var_name) list_for_each(_ex_head, SIG_VALUE, _var_name) |
#define | for_each_value_code_signature(_ex_head, _var_name) list_for_each(_ex_head, SIG_VALUE_CODE, _var_name) |
#define | for_each_idt_signature(_ex_head, _var_name) list_for_each(_ex_head, SIG_IDT, _var_name) |
#define | for_each_version_os_signature(_ex_head, _var_name) list_for_each(_ex_head, SIG_VERSION_OS, _var_name) |
#define | for_each_version_intro_signature(_ex_head, _var_name) list_for_each(_ex_head, SIG_VERSION_INTRO, _var_name) |
#define | for_each_process_creation_signature(_ex_head, _var_name) list_for_each(_ex_head, SIG_PROCESS_CREATION, _var_name) |
#define | IntExceptErase(Ptr, Tag) |
Frees an exception or a signature buffer and removes it from the list it is currently in. More... | |
Typedefs | |
typedef enum _EXCEPTION_TYPE | EXCEPTION_TYPE |
The type of an exception. More... | |
typedef enum _EXCEPTION_SIGNATURE_TYPE | EXCEPTION_SIGNATURE_TYPE |
The identifier that describes a range of signatures. More... | |
typedef struct _EXCEPTIONS | EXCEPTIONS |
Describes the internal exceptions data. More... | |
typedef struct _EXCEPTIONS * | PEXCEPTIONS |
typedef enum _KM_EXCEPTION_OBJECT | KM_EXCEPTION_OBJECT |
Object type of the kernel-mode exception. More... | |
typedef enum _KUM_EXCEPTION_OBJECT | KUM_EXCEPTION_OBJECT |
Object type of the kernel-user mode exception. More... | |
typedef enum _UM_EXCEPTION_OBJECT | UM_EXCEPTION_OBJECT |
Object type of the user-mode exception. More... | |
typedef union _EXCEPTION_SIGNATURE_ID | EXCEPTION_SIGNATURE_ID |
The exception ID. The layout consists of the exception type and the unique identifier of the exception. More... | |
typedef union _EXCEPTION_SIGNATURE_ID * | PEXCEPTION_SIGNATURE_ID |
typedef struct _KM_EXCEPTION | KM_EXCEPTION |
Describe a kernel-mode exception. More... | |
typedef struct _KM_EXCEPTION * | PKM_EXCEPTION |
typedef struct _KUM_EXCEPTION | KUM_EXCEPTION |
Describe a kernel-user mode exception. More... | |
typedef struct _KUM_EXCEPTION * | PKUM_EXCEPTION |
typedef struct _UM_EXCEPTION | UM_EXCEPTION |
Describe a user-mode exception. More... | |
typedef struct _UM_EXCEPTION * | PUM_EXCEPTION |
typedef struct _UM_EXCEPTION_GLOB | UM_EXCEPTION_GLOB |
Describe a user-mode glob exception. More... | |
typedef struct _UM_EXCEPTION_GLOB * | PUM_EXCEPTION_GLOB |
typedef struct _SIG_CODEBLOCK_HASH | SIG_CODEBLOCK_HASH |
Describe a codeblocks signature hash. More... | |
typedef struct _SIG_CODEBLOCK_HASH * | PSIG_CODEBLOCK_HASH |
typedef struct _SIG_VALUE_HASH | SIG_VALUE_HASH |
Describe a value signature hash. More... | |
typedef struct _SIG_VALUE_HASH * | PSIG_VALUE_HASH |
typedef struct _SIG_EXPORT_HASH | SIG_EXPORT_HASH |
Describe an export signature hash. More... | |
typedef struct _SIG_EXPORT_HASH * | PSIG_EXPORT_HASH |
typedef struct _EXCEPTION_CB_SIGNATURE | SIG_CODEBLOCKS |
Describes a codeblocks signature. More... | |
typedef struct _EXCEPTION_CB_SIGNATURE * | PSIG_CODEBLOCKS |
typedef struct _SIG_VALUE_CODE | SIG_VALUE_CODE |
Describes a value signature. More... | |
typedef struct _SIG_VALUE_CODE * | PSIG_VALUE_CODE |
typedef struct _SIG_EXPORT | SIG_EXPORT |
Describes an export signature. More... | |
typedef struct _SIG_EXPORT * | PSIG_EXPORT |
typedef struct _SIG_VALUE | SIG_VALUE |
Describes a value signature. More... | |
typedef struct _SIG_VALUE * | PSIG_VALUE |
typedef struct _SIG_IDT | SIG_IDT |
Describes an IDT signature. More... | |
typedef struct _SIG_IDT * | PSIG_IDT |
typedef struct _SIG_VERSION_OS | SIG_VERSION_OS |
Describes an operating system version signature. More... | |
typedef struct _SIG_VERSION_OS * | PSIG_VERSION_OS |
typedef struct _SIG_VERSION_INTRO | SIG_VERSION_INTRO |
Describes an introspection version signature. More... | |
typedef struct _SIG_VERSION_INTRO * | PSIG_VERSION_INTRO |
typedef struct _SIG_PROCESS_CREATION | SIG_PROCESS_CREATION |
Describes a process-creation signature. More... | |
typedef struct _SIG_PROCESS_CREATION * | PSIG_PROCESS_CREATION |
typedef enum _EXCEPTION_FLG | EXCEPTION_FLG |
Describes the flags that can be used by an exception. More... | |
typedef enum _KM_EXCEPTION_NAME | KM_EXCEPTION_NAME |
The predefined names for kernel-mode exceptions (KM_EXCEPTION). More... | |
typedef enum _KUM_EXCEPTION_NAME | KUM_EXCEPTION_NAME |
The predefined names for kernel-user mode exceptions (KUM_EXCEPTION). More... | |
typedef enum _UM_EXCEPTION_NAME | UM_EXCEPTION_NAME |
The predefined names for user-mode exception. More... | |
typedef enum _SIGNATURE_FLG | SIGNATURE_FLG |
Describes the flags that can be used by a signature. More... | |
typedef enum _ZONE_TYPE | ZONE_TYPE |
Describes the zone types that can be excepted. More... | |
typedef struct _EXCEPTION_VICTIM_EPT | EXCEPTION_VICTIM_EPT |
Describes an EPT victim. More... | |
typedef struct _EXCEPTION_VICTIM_EPT * | PEXCEPTION_VICTIM_EPT |
typedef struct _EXCEPTION_VICTIM_MSR | EXCEPTION_VICTIM_MSR |
Describes an MSR victim. More... | |
typedef struct _EXCEPTION_VICTIM_MSR * | PEXCEPTION_VICTIM_MSR |
typedef struct _EXCEPTION_VICTIM_CR | EXCEPTION_VICTIM_CR |
Describes a CR victim. More... | |
typedef struct _EXCEPTION_VICTIM_CR * | PEXCEPTION_VICTIM_CR |
typedef struct _EXCEPTION_VICTIM_DTR | EXCEPTION_VICTIM_DTR |
Describes a DTR victim. More... | |
typedef struct _EXCEPTION_VICTIM_DTR * | PEXCEPTION_VICTIM_DTR |
typedef struct _EXCEPTION_VICTIM_INTEGRITY | EXCEPTION_VICTIM_INTEGRITY |
Describes an integrity victim. More... | |
typedef struct _EXCEPTION_VICTIM_INTEGRITY * | PEXCEPTION_VICTIM_INTEGRITY |
typedef struct _EXCEPTION_VICTIM_INJECTION | EXCEPTION_VICTIM_INJECTION |
Describes an injection. More... | |
typedef struct _EXCEPTION_VICTIM_INJECTION * | PEXCEPTION_VICTIM_INJECTION |
typedef struct _EXCEPTION_VICTIM_MODULE | EXCEPTION_VICTIM_MODULE |
Describes a victim module. More... | |
typedef struct _EXCEPTION_VICTIM_MODULE * | PEXCEPTION_VICTIM_MODULE |
typedef struct _EXCEPTION_VICTIM_OBJECT | EXCEPTION_VICTIM_OBJECT |
Describes a victim object. More... | |
typedef struct _EXCEPTION_VICTIM_OBJECT * | PEXCEPTION_VICTIM_OBJECT |
typedef struct _EXCEPTION_VICTIM_ZONE | EXCEPTION_VICTIM_ZONE |
Describes the modified zone. More... | |
typedef struct _EXCEPTION_VICTIM_ZONE * | PEXCEPTION_VICTIM_ZONE |
typedef struct _EXCEPTION_KM_ORIGINATOR | EXCEPTION_KM_ORIGINATOR |
Describes a kernel-mode originator. More... | |
typedef struct _EXCEPTION_KM_ORIGINATOR * | PEXCEPTION_KM_ORIGINATOR |
typedef struct _EXCEPTION_UM_ORIGINATOR | EXCEPTION_UM_ORIGINATOR |
Describes a user-mode originator. More... | |
typedef struct _EXCEPTION_UM_ORIGINATOR * | PEXCEPTION_UM_ORIGINATOR |
Functions | |
INTSTATUS | IntExceptInit (void) |
This function allocates the exceptions data and initializes the exception lists and the signature lists. More... | |
INTSTATUS | IntExceptUninit (void) |
This function removes and frees all exceptions and signatures. More... | |
INTSTATUS | IntExceptAlertRemove (void) |
This function removes and frees all exceptions and signatures that have been added from alert. More... | |
INTSTATUS | IntExceptRemove (void) |
This function removes and frees all exceptions and signatures that have been added from exception binary file. More... | |
int | IntExceptPrintLixTaskInfo (const LIX_TASK_OBJECT *Task, char *Header, char *Line, int MaxLength, DWORD NameAlignment) |
Print the information about the provided LIX_TASK_OBJECT. More... | |
int | IntExceptPrintWinModInfo (WIN_PROCESS_MODULE *Module, char *Header, char *Line, int MaxLength, DWORD NameAlignment) |
Print the data from the provided WIN_PROCESS_MODULE. More... | |
int | IntExceptPrintWinProcInfo (WIN_PROCESS_OBJECT *Process, char *Header, char *Line, int MaxLength, DWORD NameAlignment) |
Print the data from the provided WIN_PROCESS_OBJECT. More... | |
int | IntExceptPrintWinKmModInfo (KERNEL_DRIVER *Module, char *Header, char *Line, int MaxLength, DWORD NameAlignment) |
Print the information about the provided KERNEL_DRIVER (windows guest). More... | |
void | IntExceptUserLogInformation (EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_UM_ORIGINATOR *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason) |
Print the information about a user-mode violation, dumps the code-blocks and the injection buffer, if any. More... | |
void | IntExceptKernelLogInformation (EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason) |
Print the information about a kernel-mode violation and dumps the code-blocks. More... | |
void | IntExceptKernelUserLogInformation (EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason) |
Print the information about a kernel-user mode violation and dumps the code-blocks. More... | |
void | IntExceptDumpSignatures (void *Originator, EXCEPTION_VICTIM_ZONE *Victim, BOOLEAN KernelMode, BOOLEAN ReturnDrv) |
Dump code blocks from the originator's RIP. More... | |
INTSTATUS | IntExceptKernelGetOriginator (EXCEPTION_KM_ORIGINATOR *Originator, DWORD Options) |
This function is used to get the information about the kernel-mode originator. More... | |
INTSTATUS | IntExceptUserGetExecOriginator (void *Process, EXCEPTION_UM_ORIGINATOR *Originator) |
This function is used to get the originator for heap execution. More... | |
INTSTATUS | IntExceptUserGetOriginator (void *Process, BOOLEAN ModuleWrite, QWORD Address, INSTRUX *Instrux, EXCEPTION_UM_ORIGINATOR *Originator) |
This function is used to get the information about the user-mode originator. More... | |
INTSTATUS | IntExceptGetOriginatorFromModification (EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator) |
This function is used for integrity violations to get the information about the kernel-mode originator. More... | |
INTSTATUS | IntExceptGetVictimCr (QWORD NewValue, QWORD OldValue, DWORD Cr, EXCEPTION_VICTIM_ZONE *Victim) |
This function is used to get the information about the CR victim. More... | |
INTSTATUS | IntExceptGetVictimEpt (void *Context, QWORD Gpa, QWORD Gva, INTRO_OBJECT_TYPE Type, DWORD ZoneFlags, EXCEPTION_VICTIM_ZONE *Victim) |
Fills an EXCEPTION_VICTIM_ZONE with relevant information from an EPT violation. More... | |
INTSTATUS | IntExceptGetVictimProcess (void *Process, QWORD DestinationGva, DWORD Length, QWORD ZoneFlags, EXCEPTION_VICTIM_ZONE *Victim) |
This function is used to get the information about the victim process for injection violations. More... | |
INTSTATUS | IntExceptGetVictimIntegrity (INTEGRITY_REGION *IntegrityRegion, DWORD *Offset, EXCEPTION_VICTIM_ZONE *Victim) |
This function is used to get the information about the modified zone from the integrity region. More... | |
INTSTATUS | IntExceptGetVictimMsr (QWORD NewValue, QWORD OldValue, DWORD Msr, EXCEPTION_VICTIM_ZONE *Victim) |
This function is used to get the information about the MSR victim. More... | |
INTSTATUS | IntExceptGetVictimDtr (DTR *NewValue, DTR *OldValue, INTRO_OBJECT_TYPE Type, EXCEPTION_VICTIM_ZONE *Victim) |
This function is used to get the information about the DTR victim. More... | |
INTSTATUS | IntExceptGetVictimProcessCreation (void *Process, INTRO_OBJECT_TYPE ObjectType, EXCEPTION_VICTIM_ZONE *Victim) |
This function is used to get the information about the victim for process-creation violation. More... | |
INTSTATUS | IntExceptKernelVerifyExtra (EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_UM_ORIGINATOR *Originator, UM_EXCEPTION *Exception) |
This function is used as an extra step in exception mechanism. More... | |
INTSTATUS | IntExceptUserVerifyExtra (EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_UM_ORIGINATOR *Originator, UM_EXCEPTION *Exception) |
This function is used as an extra step in the exception mechanism that verifies the initialization flags of a process. More... | |
INTSTATUS | IntExceptKernelUserVerifyExtra (EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_UM_ORIGINATOR *Originator, UM_EXCEPTION *Exception) |
This function is used as an extra step in exception mechanism. More... | |
INTSTATUS | IntExceptUserVerifyExtraGlobMatch (EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_UM_ORIGINATOR *Originator, UM_EXCEPTION_GLOB *Exception) |
This function is used as an extra step in the exception mechanism that verifies the initialization flags of a process. More... | |
INTSTATUS | IntExceptMatchException (void *Victim, void *Originator, void *Exception, EXCEPTION_TYPE ExceptionType, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason) |
This function tries to find an exception for the current violation. More... | |
INTSTATUS | IntExceptKernelMatchVictim (EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, KM_EXCEPTION *Exception) |
This function checks if the exception matches the originator and the modified zone. More... | |
INTSTATUS | IntExceptUserMatchVictim (EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_UM_ORIGINATOR *Originator, void *Exception, EXCEPTION_TYPE ExceptionType) |
This function checks if the exception matches the originator and the modified zone. More... | |
INTSTATUS | IntExceptKernelUserMatchVictim (EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, KUM_EXCEPTION *Exception) |
This function checks if the exception matches the originator and the modified zone. More... | |
INTSTATUS | IntExceptKernel (EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason) |
This function iterates through exception lists and tries to find an exception that matches the originator and the victim. More... | |
INTSTATUS | IntExceptUser (EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_UM_ORIGINATOR *Originator, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason) |
This function iterates through exception lists and tries to find an exception that matches the originator and the victim. More... | |
INTSTATUS | IntExceptKernelUser (EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason) |
This function iterates through exception lists and tries to find an exception that matches the originator and the victim. More... | |
void | IntExcept (EXCEPTION_VICTIM_ZONE *Victim, void *Originator, EXCEPTION_TYPE Type, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason, INTRO_EVENT_TYPE EventClass) |
This function is the entry point for the exception mechanism. More... | |
void | IntExceptInvCbCacheByGva (QWORD Gva) |
Invalidate the cache used for code blocks for a given guest virtual address. More... | |
void | IntExceptInvCbCacheByCr3 (QWORD Cr3) |
Invalidate the cache used for code blocks for a given CR3. More... | |
BOOLEAN | IntUpdateAreExceptionsLoaded (void) |
Checks if the exceptions are loaded. More... | |
#define EXCEPTION_CODEBLOCKS_OFFSET 0x250 |
The maximum offset for codeblocks extraction.
Definition at line 53 of file exceptions.h.
Referenced by IntAlertFillCodeBlocks(), IntExceptDumpSignatures(), IntExceptVerifyCodeBlocksSig(), and IntSerializeCodeBlocksGetExtractRange().
#define EXCEPTION_INTROUNIT_NAME_HASH 0x1036c1b7 |
Definition at line 27 of file exceptions.h.
#define EXCEPTION_KM_ORIGINATOR_OPT_DO_NOT_BLOCK 0x00000001u |
Flag that can be passed to IntExceptKernelGetOriginator if the action should not be blocked.
Useful when we want to obtain an EXCEPTION_KM_ORIGINATOR structure, but we do not want to block the action if the structure could not be properly filled. Note that this is a fail-open choice: with this flag set, an originator that cannot be identified is not treated as a reason to block the action, so callers should pass it only where allowing the action in that case is acceptable.
Definition at line 1053 of file exceptions.h.
Referenced by IntDtrHandleWrite(), and IntExceptWinKernelGetOriginator().
#define EXCEPTION_KM_ORIGINATOR_OPT_FULL_STACK 0x00000002u |
Flag that can be passed to IntExceptKernelGetOriginator when the full stack is needed.
In the usual cases, we fetch only the first return address if the originator RIP is contained inside a valid module. This flag should be used when there is a need for at most three extracted return addresses from the stack, regardless of whether the originator module is valid or not.
Definition at line 1060 of file exceptions.h.
Referenced by IntExceptWinKernelGetOriginator(), and IntWinModHandleKernelWrite().
#define EXCEPTION_NO_INSTRUCTION "<generic>" |
Definition at line 30 of file exceptions.h.
Referenced by IntExceptKernelLogLinuxInformation(), IntExceptKernelLogWindowsInformation(), and IntExceptKernelUserLogWindowsInformation().
#define EXCEPTION_NO_NAME "<no name>" |
Definition at line 28 of file exceptions.h.
Referenced by IntExceptPrintDrvObjInfo(), IntExceptPrintLixKmDrvInfo(), IntExceptPrintWinKmModInfo(), and IntExceptPrintWinModInfo().
#define EXCEPTION_NO_SYMBOL "<no sym>" |
Definition at line 31 of file exceptions.h.
Referenced by IntExceptKernelLogLinuxInformation(), and IntExceptPrintMsrInfo().
#define EXCEPTION_NO_WNAME u"<no name>" |
Definition at line 29 of file exceptions.h.
Referenced by IntExceptUserLogWindowsInformation().
#define EXCEPTION_TABLE_ID | ( | H | ) | (((H) & 0xF0000000) >> 0x1c) |
Definition at line 50 of file exceptions.h.
Referenced by IntExceptKernel(), IntExceptKernelUser(), IntExceptUser(), IntUpdateAddKernelException(), IntUpdateAddKernelUserException(), and IntUpdateAddUserException().
#define EXCEPTION_TABLE_SIZE 0x10 |
Definition at line 49 of file exceptions.h.
Referenced by DbgDumpExceptions(), IntExceptInit(), and IntExceptRemove().
#define EXCEPTION_UM_GLOB_LENGTH 64 |
Definition at line 36 of file exceptions.h.
Referenced by IntUpdateAddUserExceptionGlob().
#define EXPORT_BEGIN_WRITE_ERR_RANGE 0x10 |
Definition at line 33 of file exceptions.h.
#define EXPORT_NAME_UNKNOWN "<unknown>" |
Definition at line 34 of file exceptions.h.
Referenced by IntExceptKernelLogLinuxInformation(), IntExceptKernelLogWindowsInformation(), IntExceptKernelUserLogWindowsInformation(), and IntExceptUserLogWindowsInformation().
#define for_each_cb_signature | ( | _ex_head, | |
_var_name | |||
) | list_for_each(_ex_head, SIG_CODEBLOCKS, _var_name) |
Definition at line 1074 of file exceptions.h.
Referenced by IntExceptAlertRemove(), IntExceptRemove(), IntExceptVerifyCodeBlocksSig(), IntUpdateIsDuplicateCbSignature(), IntUpdateRemoveSignaturesForException(), and IntUpdateSetIdForException().
#define for_each_export_signature | ( | _ex_head, | |
_var_name | |||
) | list_for_each(_ex_head, SIG_EXPORT, _var_name) |
Definition at line 1076 of file exceptions.h.
Referenced by IntExceptAlertRemove(), IntExceptRemove(), IntExceptVerifyExportSig(), IntUpdateIsDuplicateExportSignature(), IntUpdateRemoveSignaturesForException(), and IntUpdateSetIdForException().
#define for_each_idt_signature | ( | _ex_head, | |
_var_name | |||
) | list_for_each(_ex_head, SIG_IDT, _var_name) |
Definition at line 1082 of file exceptions.h.
Referenced by IntExceptAlertRemove(), IntExceptRemove(), IntExceptVerifyIdtSignature(), IntUpdateIsDuplicateIdtSignature(), IntUpdateRemoveSignaturesForException(), and IntUpdateSetIdForException().
#define for_each_km_exception | ( | _ex_head, | |
_var_name | |||
) | list_for_each(_ex_head, KM_EXCEPTION, _var_name) |
Definition at line 1066 of file exceptions.h.
Referenced by IntExceptKernel(), IntUpdateAddKernelExceptionInOrder(), IntUpdateAssignAlertSignatureIds(), IntUpdateIsDuplicateKernelException(), and IntUpdateRemoveException().
#define for_each_kum_exception | ( | _ex_head, | |
_var_name | |||
) | list_for_each(_ex_head, KUM_EXCEPTION, _var_name) |
Definition at line 1068 of file exceptions.h.
Referenced by IntExceptKernelUser(), IntUpdateAddKernelUserExceptionInOrder(), and IntUpdateIsDuplicateKernelUserException().
#define for_each_process_creation_signature | ( | _ex_head, | |
_var_name | |||
) | list_for_each(_ex_head, SIG_PROCESS_CREATION, _var_name) |
Definition at line 1088 of file exceptions.h.
Referenced by IntExceptAlertRemove(), IntExceptRemove(), and IntExceptVerifyProcessCreationSignature().
#define for_each_um_exception | ( | _ex_head, | |
_var_name | |||
) | list_for_each(_ex_head, UM_EXCEPTION, _var_name) |
Definition at line 1070 of file exceptions.h.
Referenced by IntExceptUser(), IntUpdateAddUserExceptionInOrder(), IntUpdateAssignAlertSignatureIds(), IntUpdateIsDuplicateUserException(), and IntUpdateRemoveException().
#define for_each_um_glob_exception | ( | _ex_head, | |
_var_name | |||
) | list_for_each(_ex_head, UM_EXCEPTION_GLOB, _var_name) |
Definition at line 1072 of file exceptions.h.
Referenced by IntExceptUser().
#define for_each_value_code_signature | ( | _ex_head, | |
_var_name | |||
) | list_for_each(_ex_head, SIG_VALUE_CODE, _var_name) |
Definition at line 1080 of file exceptions.h.
Referenced by IntExceptRemove(), and IntExceptVerifyValueCodeSig().
#define for_each_value_signature | ( | _ex_head, | |
_var_name | |||
) | list_for_each(_ex_head, SIG_VALUE, _var_name) |
Definition at line 1078 of file exceptions.h.
Referenced by IntExceptRemove(), and IntExceptVerifyValueSig().
#define for_each_version_intro_signature | ( | _ex_head, | |
_var_name | |||
) | list_for_each(_ex_head, SIG_VERSION_INTRO, _var_name) |
Definition at line 1086 of file exceptions.h.
Referenced by IntExceptRemove(), and IntExceptVerifyVersionIntroSignature().
#define for_each_version_os_signature | ( | _ex_head, | |
_var_name | |||
) | list_for_each(_ex_head, SIG_VERSION_OS, _var_name) |
Definition at line 1084 of file exceptions.h.
Referenced by IntExceptRemove(), and IntExceptVerifyVersionOsSignature().
#define IntExceptErase | ( | Ptr, | |
Tag | |||
) |
Frees an exception or a signature buffer and removes it from the list it is currently in.
[in,out] | Ptr | Pointer to the exception to be freed. Will be set to NULL. |
[in] | Tag | The tag used when allocating Ptr. |
Definition at line 1384 of file exceptions.h.
Referenced by IntExceptAlertRemove(), IntExceptRemove(), IntExceptRemoveKernelUserListExceptions(), IntExceptRemoveKmListExceptions(), IntExceptRemoveUmGlobListExceptions(), IntExceptRemoveUmListExceptions(), IntUpdateAddKmException(), IntUpdateAddKmUmException(), IntUpdateAddUmException(), IntUpdateRemoveException(), and IntUpdateRemoveSignaturesForException().
#define ZONE_DEP_EXECUTION 0x000000080ULL |
Used for executions inside DEP zones.
Definition at line 730 of file exceptions.h.
Referenced by IntExceptDumpSignatures(), and IntWinCrashHandleDepViolation().
#define ZONE_EXECUTE 0x040000000ULL |
Used for execute violation.
Definition at line 736 of file exceptions.h.
Referenced by IntAlertEptFillFromVictimZone(), IntExceptGetVictimProcessCreation(), IntExceptKernelMatchVictim(), IntExceptKernelUserMatchZoneFlags(), IntExceptUserMatchZoneFlags(), IntLixVmaHandlePageExecution(), IntSerializeAccessInfo(), IntSerializeEpt(), IntVeHandleAccess(), IntVeHandleEPTViolationInProtectedView(), IntWinCrashHandleDepViolation(), IntWinHalHandleHalHeapExec(), IntWinSudHandleKernelSudExec(), IntWinSudHandleUserSudExec(), and IntWinVadIsExecSuspicious().
#define ZONE_INTEGRITY 0x100000000ULL |
Used for integrity zone.
Definition at line 738 of file exceptions.h.
Referenced by IntExceptGetVictimIntegrity(), IntExceptKernelLogInformation(), IntExceptKernelUserLogInformation(), IntWinInfHookIntegrityHandleWrite(), IntWinIntObjHandleModification(), IntWinSDCheckAclIntegrity(), IntWinSDCheckSecDescIntegrity(), IntWinSudHandleFieldModification(), and IntWinTokenPrivsCheckIntegrityOnProcess().
#define ZONE_LIB_CODE 0x000000004ULL |
Used for a generic code zone.
Definition at line 723 of file exceptions.h.
Referenced by IntAlertCreateEptException(), IntExceptGetVictimEpt(), IntExceptKernelLogLinuxInformation(), IntExceptKernelLogWindowsInformation(), IntExceptKernelMatchVictim(), IntExceptKernelUserLogWindowsInformation(), IntExceptLixGetVictimDriver(), IntExceptUserLogWindowsInformation(), IntExceptUserMatchNameGlob(), IntExceptWinGetVictimDriver(), and IntLixVdsoHandleWriteCommon().
#define ZONE_LIB_DATA 0x000000008ULL |
Used for a generic data zone.
Definition at line 724 of file exceptions.h.
Referenced by IntAlertCreateEptException(), IntExceptGetVictimEpt(), IntExceptKernelLogLinuxInformation(), IntExceptKernelLogWindowsInformation(), IntExceptKernelMatchVictim(), IntExceptKernelUserLogWindowsInformation(), IntExceptLixGetVictimDriver(), IntExceptUserLogWindowsInformation(), IntExceptUserMatchNameGlob(), and IntExceptWinGetVictimDriver().
#define ZONE_LIB_EXPORTS 0x000000002ULL |
Used for the exports of a dll, driver, etc.
Definition at line 722 of file exceptions.h.
Referenced by IntAlertCreateEptException(), IntExceptGetVictimEpt(), IntExceptKernelLogLinuxInformation(), IntExceptKernelLogWindowsInformation(), IntExceptKernelMatchVictim(), IntExceptKernelUserLogWindowsInformation(), IntExceptKernelUserMatchObjectType(), IntExceptUserLogWindowsInformation(), IntExceptUserMatchNameGlob(), IntExceptUserMatchZoneType(), and IntExceptWinGetVictimDriver().
#define ZONE_LIB_IMPORTS 0x000000001ULL |
Used for the imports of a dll, driver, etc.
Definition at line 721 of file exceptions.h.
Referenced by IntAlertCreateEptException(), IntAlertEptFillFromVictimZone(), IntExceptGetVictimEpt(), IntExceptKernelLogLinuxInformation(), IntExceptKernelLogWindowsInformation(), IntExceptKernelMatchVictim(), IntExceptKernelUserLogWindowsInformation(), IntExceptKernelUserMatchObjectType(), IntExceptUserLogWindowsInformation(), IntExceptUserMatchNameGlob(), IntExceptUserMatchZoneType(), and IntExceptWinGetVictimDriver().
#define ZONE_LIB_RESOURCES 0x000000010ULL |
Used for the resources section (usually .rsrc inside a driver or dll).
Definition at line 726 of file exceptions.h.
Referenced by IntAlertCreateEptException(), IntExceptKernelLogLinuxInformation(), IntExceptKernelLogWindowsInformation(), IntExceptKernelMatchVictim(), IntExceptKernelUserLogWindowsInformation(), IntExceptUserLogWindowsInformation(), and IntExceptWinGetVictimDriver().
#define ZONE_MODULE_LOAD 0x000000100ULL |
Used for exceptions for double agent.
Definition at line 731 of file exceptions.h.
Referenced by IntExceptUserLogInformation(), IntExceptUserLogWindowsInformation(), IntExceptUserMatchZoneType(), IntExceptVerifySignature(), and IntWinDagentHandleDoubleAgent().
#define ZONE_PROC_INSTRUMENT 0x000000200ULL |
Used for exceptions for instrumentation callback.
Definition at line 732 of file exceptions.h.
Referenced by IntExceptUserLogInformation(), IntExceptUserMatchZoneType(), IntSerializeInjection(), and IntWinProcHandleInstrument().
#define ZONE_PROC_THREAD_APC 0x000000040ULL |
Used for the APC thread hijacking technique.
Definition at line 729 of file exceptions.h.
Referenced by IntExceptUserLogInformation(), IntExceptUserMatchZoneType(), IntSerializeInjection(), and IntWinThrHandleQueueApc().
#define ZONE_PROC_THREAD_CTX 0x000000020ULL |
Used for the CONTEXT structure of a thread.
Definition at line 728 of file exceptions.h.
Referenced by IntExceptUserLogInformation(), IntExceptUserMatchZoneType(), IntSerializeInjection(), and IntWinThrHandleThreadHijack().
#define ZONE_READ 0x020000000ULL |
Used for read violations.
Definition at line 735 of file exceptions.h.
Referenced by IntAlertEptFillFromVictimZone(), IntExceptGetVictimEpt(), IntExceptKernelLogLinuxInformation(), IntExceptKernelLogWindowsInformation(), IntExceptKernelMatchVictim(), IntExceptKernelUserMatchZoneFlags(), IntExceptUserLogInformation(), IntExceptUserMatchZoneFlags(), IntLixKernelHandleRead(), IntSerializeAccessInfo(), IntSerializeEpt(), IntSerializeInjection(), IntVeHandleAccess(), IntVeHandleEPTViolationInProtectedView(), IntWinDrvHandleRead(), IntWinDrvSendAlert(), and IntWinProcHandleCopyMemory().
#define ZONE_WRITE 0x010000000ULL |
Used for write violations.
Definition at line 734 of file exceptions.h.
Referenced by IntAlertEptFillFromVictimZone(), IntExceptGetVictimCr(), IntExceptGetVictimDtr(), IntExceptGetVictimEpt(), IntExceptGetVictimIntegrity(), IntExceptGetVictimMsr(), IntExceptKernel(), IntExceptKernelLogLinuxInformation(), IntExceptKernelLogWindowsInformation(), IntExceptKernelMatchVictim(), IntExceptKernelUser(), IntExceptKernelUserMatchZoneFlags(), IntExceptUser(), IntExceptUserMatchZoneFlags(), IntLixAccessRemoteVmHandler(), IntLixDrvHandleWrite(), IntLixIdtWriteHandler(), IntLixTaskHandleInjection(), IntLixVdsoHandleKernelModeWrite(), IntLixVdsoHandleUserModeWrite(), IntSerializeAccessInfo(), IntSerializeEpt(), IntSerializeInjection(), IntVeHandleAccess(), IntVeHandleEPTViolationInProtectedView(), IntWinDagentHandleDoubleAgent(), IntWinDrvHandleWrite(), IntWinDrvObjHandleWrite(), IntWinHalHandleHalIntCtrlWrite(), IntWinIdtWriteHandler(), IntWinInfHookEptSppHandleWrite(), IntWinInfHookIntegrityHandleWrite(), IntWinIntObjHandleModification(), IntWinModHandleKernelWrite(), IntWinModHandleUserWrite(), IntWinProcHandleCopyMemory(), IntWinProcHandleInstrument(), IntWinSDCheckAclIntegrity(), IntWinSDCheckSecDescIntegrity(), IntWinSelfMapHandleCr3SelfMapWrite(), IntWinSudHandleFieldModification(), IntWinThrHandleQueueApc(), IntWinThrHandleThreadHijack(), IntWinTokenPrivsCheckIntegrityOnProcess(), and IntWinTokenPrivsHandleWrite().
typedef enum _EXCEPTION_FLG EXCEPTION_FLG |
Describes the flags that can be used by an exception.
typedef struct _EXCEPTION_KM_ORIGINATOR EXCEPTION_KM_ORIGINATOR |
Describes a kernel-mode originator.
typedef union _EXCEPTION_SIGNATURE_ID EXCEPTION_SIGNATURE_ID |
The exception ID. The layout consists of the exception type and the unique identifier of the exception.
typedef enum _EXCEPTION_SIGNATURE_TYPE EXCEPTION_SIGNATURE_TYPE |
The identifier that describes a range of signatures.
typedef enum _EXCEPTION_TYPE EXCEPTION_TYPE |
The type of an exception.
typedef struct _EXCEPTION_UM_ORIGINATOR EXCEPTION_UM_ORIGINATOR |
Describes a user-mode originator.
typedef struct _EXCEPTION_VICTIM_CR EXCEPTION_VICTIM_CR |
Describes a CR victim.
typedef struct _EXCEPTION_VICTIM_DTR EXCEPTION_VICTIM_DTR |
Describes a DTR victim.
typedef struct _EXCEPTION_VICTIM_EPT EXCEPTION_VICTIM_EPT |
Describes an EPT victim.
typedef struct _EXCEPTION_VICTIM_INJECTION EXCEPTION_VICTIM_INJECTION |
Describes an injection.
typedef struct _EXCEPTION_VICTIM_INTEGRITY EXCEPTION_VICTIM_INTEGRITY |
Describes an integrity victim.
typedef struct _EXCEPTION_VICTIM_MODULE EXCEPTION_VICTIM_MODULE |
Describes a victim module.
typedef struct _EXCEPTION_VICTIM_MSR EXCEPTION_VICTIM_MSR |
Describes an MSR victim.
typedef struct _EXCEPTION_VICTIM_OBJECT EXCEPTION_VICTIM_OBJECT |
Describes a victim object.
typedef struct _EXCEPTION_VICTIM_ZONE EXCEPTION_VICTIM_ZONE |
Describes the modified zone.
typedef struct _EXCEPTIONS EXCEPTIONS |
Describes the internal exceptions data.
typedef struct _KM_EXCEPTION KM_EXCEPTION |
Describes a kernel-mode exception.
typedef enum _KM_EXCEPTION_NAME KM_EXCEPTION_NAME |
The predefined names for a kernel-mode exception.
typedef enum _KM_EXCEPTION_OBJECT KM_EXCEPTION_OBJECT |
Object type of the kernel-mode exception.
typedef struct _KUM_EXCEPTION KUM_EXCEPTION |
Describes a kernel-user mode exception.
typedef enum _KUM_EXCEPTION_NAME KUM_EXCEPTION_NAME |
The predefined names for a kernel-user mode exception.
typedef enum _KUM_EXCEPTION_OBJECT KUM_EXCEPTION_OBJECT |
Object type of the kernel-user mode exception.
typedef struct _EXCEPTION_KM_ORIGINATOR * PEXCEPTION_KM_ORIGINATOR |
typedef union _EXCEPTION_SIGNATURE_ID * PEXCEPTION_SIGNATURE_ID |
typedef struct _EXCEPTION_UM_ORIGINATOR * PEXCEPTION_UM_ORIGINATOR |
typedef struct _EXCEPTION_VICTIM_CR * PEXCEPTION_VICTIM_CR |
typedef struct _EXCEPTION_VICTIM_DTR * PEXCEPTION_VICTIM_DTR |
typedef struct _EXCEPTION_VICTIM_EPT * PEXCEPTION_VICTIM_EPT |
typedef struct _EXCEPTION_VICTIM_INJECTION * PEXCEPTION_VICTIM_INJECTION |
typedef struct _EXCEPTION_VICTIM_INTEGRITY * PEXCEPTION_VICTIM_INTEGRITY |
typedef struct _EXCEPTION_VICTIM_MODULE * PEXCEPTION_VICTIM_MODULE |
typedef struct _EXCEPTION_VICTIM_MSR * PEXCEPTION_VICTIM_MSR |
typedef struct _EXCEPTION_VICTIM_OBJECT * PEXCEPTION_VICTIM_OBJECT |
typedef struct _EXCEPTION_VICTIM_ZONE * PEXCEPTION_VICTIM_ZONE |
typedef struct _EXCEPTIONS * PEXCEPTIONS |
typedef struct _KM_EXCEPTION * PKM_EXCEPTION |
typedef struct _KUM_EXCEPTION * PKUM_EXCEPTION |
typedef struct _SIG_CODEBLOCK_HASH * PSIG_CODEBLOCK_HASH |
typedef struct _EXCEPTION_CB_SIGNATURE * PSIG_CODEBLOCKS |
typedef struct _SIG_EXPORT * PSIG_EXPORT |
typedef struct _SIG_EXPORT_HASH * PSIG_EXPORT_HASH |
typedef struct _SIG_PROCESS_CREATION * PSIG_PROCESS_CREATION |
typedef struct _SIG_VALUE * PSIG_VALUE |
typedef struct _SIG_VALUE_CODE * PSIG_VALUE_CODE |
typedef struct _SIG_VALUE_HASH * PSIG_VALUE_HASH |
typedef struct _SIG_VERSION_INTRO * PSIG_VERSION_INTRO |
typedef struct _SIG_VERSION_OS * PSIG_VERSION_OS |
typedef struct _UM_EXCEPTION * PUM_EXCEPTION |
typedef struct _UM_EXCEPTION_GLOB * PUM_EXCEPTION_GLOB |
typedef struct _SIG_CODEBLOCK_HASH SIG_CODEBLOCK_HASH |
Describes a code-blocks signature hash.
typedef struct _EXCEPTION_CB_SIGNATURE SIG_CODEBLOCKS |
Describes a codeblocks signature.
typedef struct _SIG_EXPORT SIG_EXPORT |
Describes an export signature.
typedef struct _SIG_EXPORT_HASH SIG_EXPORT_HASH |
Describes an export signature hash.
typedef struct _SIG_PROCESS_CREATION SIG_PROCESS_CREATION |
Describes a process-creation signature.
typedef struct _SIG_VALUE SIG_VALUE |
Describes a value signature.
typedef struct _SIG_VALUE_CODE SIG_VALUE_CODE |
Describes a value signature.
typedef struct _SIG_VALUE_HASH SIG_VALUE_HASH |
Describes a value signature hash.
typedef struct _SIG_VERSION_INTRO SIG_VERSION_INTRO |
Describes an introspection version signature.
typedef struct _SIG_VERSION_OS SIG_VERSION_OS |
Describes an operating system version signature.
typedef enum _SIGNATURE_FLG SIGNATURE_FLG |
Describes the flags that can be used by a signature.
typedef struct _UM_EXCEPTION UM_EXCEPTION |
Describes a user-mode exception.
typedef struct _UM_EXCEPTION_GLOB UM_EXCEPTION_GLOB |
Describes a user-mode glob exception.
typedef enum _UM_EXCEPTION_NAME UM_EXCEPTION_NAME |
The predefined names for user-mode exception.
typedef enum _UM_EXCEPTION_OBJECT UM_EXCEPTION_OBJECT |
Object type of the user-mode exception.
typedef enum _ZONE_TYPE ZONE_TYPE |
Describes the zone types that can be excepted.
enum _EXCEPTION_FLG |
Describes the flags that can be used by an exception.
Definition at line 593 of file exceptions.h.
The identifier that describes a range of signatures.
Definition at line 70 of file exceptions.h.
enum _EXCEPTION_TYPE |
The type of an exception.
Enumerator | |
---|---|
exceptionTypeUm | User-mode exception. |
exceptionTypeKm | Kernel-mode exception. |
exceptionTypeUmGlob | User-mode exception that accepts glob content. |
exceptionTypeKmUm | Kernel-User mode exception. |
Definition at line 58 of file exceptions.h.
enum _KM_EXCEPTION_NAME |
The predefined names for a kernel-mode exception.
Definition at line 638 of file exceptions.h.
enum _KM_EXCEPTION_OBJECT |
Object type of the kernel-mode exception.
Definition at line 153 of file exceptions.h.
enum _KUM_EXCEPTION_NAME |
The predefined names for a kernel-user mode exception.
Definition at line 664 of file exceptions.h.
Object type of the kernel-user mode exception.
Definition at line 190 of file exceptions.h.
enum _SIGNATURE_FLG |
Describes the flags that can be used by a signature.
Definition at line 703 of file exceptions.h.
enum _UM_EXCEPTION_NAME |
The predefined names for user-mode exception.
Definition at line 685 of file exceptions.h.
enum _UM_EXCEPTION_OBJECT |
Object type of the user-mode exception.
Definition at line 205 of file exceptions.h.
enum _ZONE_TYPE |
Describes the zone types that can be excepted.
Definition at line 744 of file exceptions.h.
void IntExcept | ( | EXCEPTION_VICTIM_ZONE * | Victim, |
void * | Originator, | ||
EXCEPTION_TYPE | Type, | ||
INTRO_ACTION * | Action, | ||
INTRO_ACTION_REASON * | Reason, | ||
INTRO_EVENT_TYPE | EventClass | ||
) |
This function is the entry point for the exception mechanism.
This dispatches the exception check to the appropriate function depending on whether the originator is in user mode or kernel mode (or on the kernel-user path). It also serializes the exception.
[in] | Originator | The originator structure used by the exceptions mechanism. |
[in] | Victim | The current victim to check. |
[in] | Type | The exception type. |
[out] | Reason | The reason for which Action was taken. |
[out] | Action | The action that was taken. |
[in] | EventClass | The event type for which this function is called. This is needed by the serializer. |
Definition at line 3357 of file exceptions.c.
Referenced by IntCrLixHandleWrite(), IntCrWinHandleWrite(), IntDtrHandleWrite(), IntLixAccessRemoteVmHandler(), IntLixDrvHandleWrite(), IntLixIdtWriteHandler(), IntLixKernelHandleRead(), IntLixMsrHandleWrite(), IntLixTaskHandleInjection(), IntLixValidateProcessCreationRights(), IntLixVdsoHandleKernelModeWrite(), IntLixVdsoHandleUserModeWrite(), IntLixVmaHandlePageExecution(), IntWinDagentHandleDoubleAgent(), IntWinDpiCheckCreation(), IntWinDrvHandleRead(), IntWinDrvHandleWrite(), IntWinDrvObjHandleModification(), IntWinDrvObjHandleWrite(), IntWinHalHandleHalHeapExec(), IntWinHalHandleHalIntCtrlWrite(), IntWinHalHandlePerfCounterModification(), IntWinIdtHandleModification(), IntWinIdtWriteHandler(), IntWinInfHookEptSppHandleWrite(), IntWinInfHookIntegrityHandleWrite(), IntWinIntObjHandleModification(), IntWinModHandleKernelWrite(), IntWinModHandleUserWrite(), IntWinMsrHandleWrite(), IntWinProcHandleCopyMemory(), IntWinProcHandleInstrument(), IntWinSDCheckAclIntegrity(), IntWinSDCheckSecDescIntegrity(), IntWinSelfMapHandleCr3SelfMapWrite(), IntWinSudHandleFieldModification(), IntWinSudHandleKernelSudExec(), IntWinSudHandleUserSudExec(), IntWinThrHandleQueueApc(), IntWinThrHandleThreadHijack(), IntWinTokenPrivsCheckIntegrityOnProcess(), IntWinTokenPrivsHandleWrite(), and IntWinVadIsExecSuspicious().
INTSTATUS IntExceptAlertRemove | ( | void | ) |
This function removes and frees all exceptions and signatures that have been added from alerts.
The exceptions that have been added from binary file are not removed or freed.
INT_STATUS_SUCCESS | On success. |
INT_STATUS_NOT_INITIALIZED | If the exceptions data is not initialized. |
Definition at line 382 of file exceptions.c.
Referenced by IntExceptUninit(), and IntUpdateFlushAlertExceptions().
void IntExceptDumpSignatures | ( | void * | Originator, |
EXCEPTION_VICTIM_ZONE * | Victim, | ||
BOOLEAN | KernelMode, | ||
BOOLEAN | ReturnDrv | ||
) |
Dump code blocks from the originator's RIP.
[in] | Originator | The originator of the current violation. |
[in] | Victim | The internal structure of the modified zone. |
[in] | KernelMode | True if the kernel-mode originator is given. |
[in] | ReturnDrv | True if the kernel-mode originator has a return driver. |
Definition at line 2978 of file exceptions.c.
Referenced by IntExceptKernelLogInformation(), IntExceptKernelUserLogInformation(), and IntExceptUserLogInformation().
INTSTATUS IntExceptGetOriginatorFromModification | ( | EXCEPTION_VICTIM_ZONE * | Victim, |
EXCEPTION_KM_ORIGINATOR * | Originator | ||
) |
This function is used for integrity violations to get the information about the kernel-mode originator.
The function tries to get the address of the originator driver from the written memory zone (victim->WriteInfo).
[in] | Victim | The victim object. |
[out] | Originator | The originator object. |
INT_STATUS_SUCCESS | On success. |
INT_STATUS_EXCEPTION_BLOCK | If the violation should be blocked. |
INT_STATUS_EXCEPTION_ALLOW | If the violation should be allowed. |
INT_STATUS_NOT_SUPPORTED | If the modified object type is not of the following:
|
Definition at line 2567 of file exceptions_kern.c.
Referenced by IntWinDrvObjHandleModification(), IntWinHalHandleDispatchTableWrite(), IntWinHalHandlePerfCounterModification(), IntWinIdtHandleModification(), IntWinInfHookIntegrityHandleWrite(), and IntWinIntObjHandleModification().
INTSTATUS IntExceptGetVictimCr | ( | QWORD | NewValue, |
QWORD | OldValue, | ||
DWORD | Cr, | ||
EXCEPTION_VICTIM_ZONE * | Victim | ||
) |
This function is used to get the information about the CR victim.
[in] | NewValue | The new value (written) of the CR. |
[in] | OldValue | The old value of the CR. |
[in] | Cr | The number of the CR register. |
[out] | Victim | The victim object. |
INT_STATUS_SUCCESS | On success. |
INT_STATUS_NOT_SUPPORTED | If the provided CR is not CR4. |
INT_STATUS_INVALID_PARAMETER_2 | If the provided old value is invalid (the original text refers to a DTR object, which this function does not take; presumably copied from the DTR variant — confirm against the implementation). |
INT_STATUS_INVALID_PARAMETER_4 | If the provided victim object is invalid. |
Definition at line 3047 of file exceptions_kern.c.
Referenced by IntCrLixHandleWrite(), and IntCrWinHandleWrite().
INTSTATUS IntExceptGetVictimDtr | ( | DTR * | NewValue, |
DTR * | OldValue, | ||
INTRO_OBJECT_TYPE | Type, | ||
EXCEPTION_VICTIM_ZONE * | Victim | ||
) |
This function is used to get the information about the DTR victim.
[in] | NewValue | The new value (written) of the DTR. |
[in] | OldValue | The old value of the DTR. |
[in] | Type | Any of the following: introObjectTypeIdtr / introObjectTypeGdtr. |
[out] | Victim | The victim object. |
INT_STATUS_SUCCESS | On success. |
INT_STATUS_INVALID_PARAMETER_1 | If the provided new DTR value (NewValue) pointer is invalid. |
INT_STATUS_INVALID_PARAMETER_2 | If the provided old DTR value (OldValue) pointer is invalid. |
INT_STATUS_INVALID_PARAMETER_4 | If the provided victim object is invalid. |
Definition at line 2763 of file exceptions_kern.c.
Referenced by IntDtrHandleWrite().
INTSTATUS IntExceptGetVictimEpt | ( | void * | Context, |
QWORD | Gpa, | ||
QWORD | Gva, | ||
INTRO_OBJECT_TYPE | Type, | ||
DWORD | ZoneFlags, | ||
EXCEPTION_VICTIM_ZONE * | Victim | ||
) |
Fills an EXCEPTION_VICTIM_ZONE with relevant information from an EPT violation.
This function can be called from both user-mode and kernel-mode objects.
The type of the Context parameter changes based on the Type value:
[in] | Context | A pointer to a context that depends on the Type value (see the table from above). |
[in] | Gpa | The guest physical address where the read/write/exec violation occurred. |
[in] | Gva | The guest virtual address where the read/write/exec violation occurred. |
[in] | Type | The type of the modified object (INTRO_OBJECT_TYPE). |
[in] | ZoneFlags | The flags of the modified zone. |
[out] | Victim | The victim structure used by the exceptions mechanism. |
INT_STATUS_SUCCESS | On success. |
INT_STATUS_INVALID_PARAMETER_5 | If the zone flags are invalid. |
INT_STATUS_INVALID_PARAMETER_6 | If the pointer to the victim structure is invalid. |
INT_STATUS_NOT_SUPPORTED | If the object type is invalid. |
Definition at line 742 of file exceptions.c.
Referenced by IntLixDrvHandleWrite(), IntLixIdtWriteHandler(), IntLixKernelHandleRead(), IntLixVdsoHandleKernelModeWrite(), IntLixVdsoHandleUserModeWrite(), IntLixVmaHandlePageExecution(), IntVeHandleAccess(), IntVeHandleEPTViolationInProtectedView(), IntWinCrashHandleDepViolation(), IntWinDrvHandleRead(), IntWinDrvHandleWrite(), IntWinDrvObjHandleWrite(), IntWinHalHandleHalHeapExec(), IntWinHalHandleHalIntCtrlWrite(), IntWinIdtWriteHandler(), IntWinInfHookEptSppHandleWrite(), IntWinModHandleKernelWrite(), IntWinModHandleUserWrite(), IntWinSelfMapHandleCr3SelfMapWrite(), IntWinSudHandleKernelSudExec(), IntWinSudHandleUserSudExec(), IntWinTokenPrivsHandleWrite(), and IntWinVadIsExecSuspicious().
INTSTATUS IntExceptGetVictimIntegrity | ( | INTEGRITY_REGION * | IntegrityRegion, |
DWORD * | Offset, | ||
EXCEPTION_VICTIM_ZONE * | Victim | ||
) |
This function is used to get the information about the modified zone from the integrity region.
Retrieves the old and new values at the modified address, aligned down to a 64-bit (or 32-bit) boundary; unchanged upper bytes within that window are therefore not reported. The offset of the modification found is returned through Offset so the caller can invoke the function again, resuming the scan from that offset.
[in] | IntegrityRegion | The integrity region object. |
[in,out] | Offset | The offset in the region (not the page) from which to search for modifications; updated with the offset of the modification found, for recursive calls. |
[out] | Victim | The victim object. |
INT_STATUS_SUCCESS | On success. |
INT_STATUS_INVALID_PARAMETER_1 | If the provided integrity-region object is invalid. |
INT_STATUS_INVALID_PARAMETER_2 | If the provided offset pointer is invalid. |
INT_STATUS_INVALID_PARAMETER_4 | If the provided victim object is invalid (note: Victim is the third parameter of this function, so the documented _4 may not match the code — confirm against the implementation). |
INT_STATUS_NOT_FOUND | If no modification is found. |
INT_STATUS_BUFFER_OVERFLOW | If the provided region modification won't fit the modified object. |
Definition at line 2861 of file exceptions_kern.c.
Referenced by IntWinDrvObjHandleModification(), IntWinHalHandleDispatchTableWrite(), IntWinHalHandlePerfCounterModification(), IntWinIdtHandleModification(), IntWinInfHookIntegrityHandleWrite(), and IntWinIntObjHandleModification().
INTSTATUS IntExceptGetVictimMsr | ( | QWORD | NewValue, |
QWORD | OldValue, | ||
DWORD | Msr, | ||
EXCEPTION_VICTIM_ZONE * | Victim | ||
) |
This function is used to get the information about the MSR victim.
[in] | NewValue | The new value (written) of the MSR. |
[in] | OldValue | The old value of the MSR. |
[in] | Msr | The number of the MSR. |
[out] | Victim | The victim object. |
INT_STATUS_SUCCESS | On success. |
INT_STATUS_INVALID_PARAMETER_4 | If the provided victim object is invalid. |
Definition at line 2815 of file exceptions_kern.c.
Referenced by IntLixMsrHandleWrite(), and IntWinMsrHandleWrite().
INTSTATUS IntExceptGetVictimProcess | ( | void * | Process, |
QWORD | DestinationGva, | ||
DWORD | Length, | ||
QWORD | ZoneFlags, | ||
EXCEPTION_VICTIM_ZONE * | Victim | ||
) |
This function is used to get the information about the victim process for injection violations.
[in] | Process | The process in which the injection occurred. |
[in] | DestinationGva | The guest virtual address at which the injection violation occurred. |
[in] | Length | The length (bytes) of the injection. |
[in] | ZoneFlags | The flags of the memory zone at which the injection violation occurred. |
[out] | Victim | The victim object. |
INT_STATUS_SUCCESS | On success. |
INT_STATUS_INVALID_PARAMETER_1 | If the provided process is invalid. |
INT_STATUS_INVALID_PARAMETER_5 | If the provided victim object is invalid. |
Definition at line 2594 of file exceptions_user.c.
Referenced by IntLixAccessRemoteVmHandler(), IntLixTaskHandleInjection(), IntWinDagentHandleDoubleAgent(), IntWinProcHandleCopyMemory(), IntWinProcHandleInstrument(), IntWinThrHandleQueueApc(), and IntWinThrHandleThreadHijack().
INTSTATUS IntExceptGetVictimProcessCreation | ( | void * | Process, |
INTRO_OBJECT_TYPE | ObjectType, | ||
EXCEPTION_VICTIM_ZONE * | Victim | ||
) |
This function is used to get the information about the victim for process-creation violation.
[in] | Process | The process in which the violation occurred. |
[in] | ObjectType | The process-creation violation type. |
[out] | Victim | The victim object. |
INT_STATUS_SUCCESS | On success. |
INT_STATUS_INVALID_PARAMETER_1 | If the provided process is invalid. |
INT_STATUS_INVALID_PARAMETER_2 | If the provided object-type is not introObjectTypeProcessCreation or introObjectTypeProcessCreationDpi. |
INT_STATUS_INVALID_PARAMETER_3 | If the provided victim object is invalid. |
Definition at line 2532 of file exceptions_user.c.
Referenced by IntLixValidateProcessCreationRights(), and IntWinDpiCheckCreation().
INTSTATUS IntExceptInit | ( | void | ) |
This function allocates the exceptions data and initializes the exception lists and the signature lists.
This function also allocates a buffer used by the SIG_VALUE signatures.
INT_STATUS_SUCCESS | On success. |
INT_STATUS_INSUFFICIENT_RESOURCES | If not enough memory is available. |
Definition at line 441 of file exceptions.c.
Referenced by IntGuestInit(), and IntUpdateAddExceptionFromAlert().
void IntExceptInvCbCacheByCr3 | ( | QWORD | Cr3 | ) |
Invalidate the cache used for code blocks for a given CR3.
The cache must be invalidated if a process is terminating, and for each exception regardless of the action taken (because the integrator can overrule our action).
[in] | Cr3 | The CR3 for which the cache must be invalidated. |
Definition at line 102 of file exceptions.c.
Referenced by IntWinProcUnprotect().
void IntExceptInvCbCacheByGva | ( | QWORD | Gva | ) |
Invalidate the cache used for code blocks for a given guest virtual address.
The cache must be invalidated if a process is terminating, and for each exception regardless of the action taken (because the integrator can overrule our action).
[in] | Gva | The guest virtual address for which the cache must be invalidated. |
Definition at line 77 of file exceptions.c.
Referenced by IntExcept().
INTSTATUS IntExceptKernel | ( | EXCEPTION_VICTIM_ZONE * | Victim, |
EXCEPTION_KM_ORIGINATOR * | Originator, | ||
INTRO_ACTION * | Action, | ||
INTRO_ACTION_REASON * | Reason | ||
) |
This function iterates through exception lists and tries to find an exception that matches the originator and the victim.
[in] | Victim | The victim object. |
[in] | Originator | The originator object. |
[out] | Action | The action that was taken. |
[out] | Reason | The reason for which Action was taken. |
INT_STATUS_INVALID_PARAMETER_1 | If the victim object is invalid. |
INT_STATUS_INVALID_PARAMETER_2 | If the originator object is invalid. |
INT_STATUS_INVALID_PARAMETER_3 | If the action is invalid. |
INT_STATUS_INVALID_PARAMETER_4 | If the reason is invalid. |
INT_STATUS_EXCEPTION_ALLOW | If the violation is allowed. |
INT_STATUS_EXCEPTION_NOT_MATCHED | If no exception matched, i.e. the violation is not allowed. |
Definition at line 3535 of file exceptions_kern.c.
Referenced by IntExcept().
INTSTATUS IntExceptKernelGetOriginator | ( | EXCEPTION_KM_ORIGINATOR * | Originator, |
DWORD | Options | ||
) |
This function is used to get the information about the kernel-mode originator.
[out] | Originator | The originator object. |
[in] | Options | A mask containing different flags regarding how the originator should be fetched. |
INT_STATUS_SUCCESS | On success. |
INT_STATUS_INVALID_PARAMETER_1 | If the provided originator is invalid. |
INT_STATUS_NOT_SUPPORTED | If the guest type is not supported. |
Definition at line 2520 of file exceptions_kern.c.
Referenced by IntCrLixHandleWrite(), IntCrWinHandleWrite(), IntDtrHandleWrite(), IntHookGvaEnableHooks(), IntHookPtsCheckIntegrity(), IntLixDrvHandleWrite(), IntLixIdtWriteHandler(), IntLixKernelHandleRead(), IntLixMsrHandleWrite(), IntLixVdsoHandleKernelModeWrite(), IntVeHandleAccess(), IntVeHandleEPTViolationInProtectedView(), IntWinDrvHandleRead(), IntWinDrvHandleWrite(), IntWinDrvObjHandleWrite(), IntWinHalHandleHalHeapExec(), IntWinHalHandleHalIntCtrlWrite(), IntWinIdtWriteHandler(), IntWinInfHookEptSppHandleWrite(), IntWinModHandleKernelWrite(), IntWinMsrHandleWrite(), IntWinSelfMapHandleCr3SelfMapWrite(), IntWinSudHandleKernelSudExec(), and IntWinTokenPrivsHandleWrite().
void IntExceptKernelLogInformation | ( | EXCEPTION_VICTIM_ZONE * | Victim, |
EXCEPTION_KM_ORIGINATOR * | Originator, | ||
INTRO_ACTION | Action, | ||
INTRO_ACTION_REASON | Reason | ||
) |
Prints the information about a kernel-mode violation and dumps the code blocks.
[in] | Victim | The victim object. |
[in] | Originator | The originator object. |
[in] | Action | The action that was taken. |
[in] | Reason | The reason for which Action was taken. |
Definition at line 2032 of file exceptions_kern.c.
Referenced by IntCrLixHandleWrite(), IntCrWinHandleWrite(), IntDtrHandleWrite(), IntExcept(), IntLixDrvHandleWrite(), IntLixKernelHandleRead(), IntLixMsrHandleWrite(), IntLixVdsoHandleKernelModeWrite(), IntVeHandleAccess(), IntVeHandleEPTViolationInProtectedView(), IntWinDrvHandleRead(), IntWinDrvHandleWrite(), IntWinDrvObjHandleModification(), IntWinDrvObjHandleWrite(), IntWinHalHandleHalHeapExec(), IntWinHalHandleHalIntCtrlWrite(), IntWinHalHandlePerfCounterModification(), IntWinInfHookEptSppHandleWrite(), IntWinInfHookIntegrityHandleWrite(), IntWinMsrHandleWrite(), IntWinSudHandleKernelSudExec(), and IntWinTokenPrivsHandleWrite().
INTSTATUS IntExceptKernelMatchVictim | ( | EXCEPTION_VICTIM_ZONE * | Victim, |
EXCEPTION_KM_ORIGINATOR * | Originator, | ||
KM_EXCEPTION * | Exception | ||
) |
This function checks if the exception matches the originator and the modified zone.
The following are verified:
[in] | Victim | The victim object. |
[in] | Originator | The originator object. |
[in] | Exception | The current exception object. |
INT_STATUS_EXCEPTION_NOT_MATCHED | If any check fails. |
INT_STATUS_EXCEPTION_ALLOW | If all checks have passed. |
Definition at line 3119 of file exceptions_kern.c.
Referenced by IntExceptMatchException().
INTSTATUS IntExceptKernelUser | ( | EXCEPTION_VICTIM_ZONE * | Victim, |
EXCEPTION_KM_ORIGINATOR * | Originator, | ||
INTRO_ACTION * | Action, | ||
INTRO_ACTION_REASON * | Reason | ||
) |
This function iterates through exception lists and tries to find an exception that matches the originator and the victim.
[in] | Victim | The victim object. |
[in] | Originator | The originator object. |
[out] | Action | The action that was taken. |
[out] | Reason | The reason for which Action was taken. |
INT_STATUS_INVALID_PARAMETER_1 | If the victim object is invalid. |
INT_STATUS_INVALID_PARAMETER_2 | If the originator object is invalid. |
INT_STATUS_INVALID_PARAMETER_3 | If the action is invalid. |
INT_STATUS_INVALID_PARAMETER_4 | If the reason is invalid. |
INT_STATUS_EXCEPTION_ALLOW | If the violation is allowed. |
INT_STATUS_EXCEPTION_NOT_MATCHED | If no exception matched, i.e. the violation is not allowed. |
Definition at line 776 of file exceptions_krnusr.c.
Referenced by IntExcept().
void IntExceptKernelUserLogInformation | ( | EXCEPTION_VICTIM_ZONE * | Victim, |
EXCEPTION_KM_ORIGINATOR * | Originator, | ||
INTRO_ACTION | Action, | ||
INTRO_ACTION_REASON | Reason | ||
) |
Prints the information about a kernel-user mode violation and dumps the code blocks.
[in] | Victim | The victim object. |
[in] | Originator | The originator object. |
[in] | Action | The action that was taken. |
[in] | Reason | The reason for which Action was taken. |
Definition at line 414 of file exceptions_krnusr.c.
Referenced by IntExcept(), and IntWinModHandleKernelWrite().
INTSTATUS IntExceptKernelUserMatchVictim | ( | EXCEPTION_VICTIM_ZONE * | Victim, |
EXCEPTION_KM_ORIGINATOR * | Originator, | ||
KUM_EXCEPTION * | Exception | ||
) |
This function checks if the exception matches the originator and the modified zone.
The following are verified:
[in] | Victim | The victim object. |
[in] | Originator | The originator object. |
[in] | Exception | The current exception object. |
INT_STATUS_EXCEPTION_NOT_MATCHED | If any check fails. |
INT_STATUS_EXCEPTION_ALLOW | If all checks have passed. |
Definition at line 635 of file exceptions_krnusr.c.
Referenced by IntExceptMatchException().
INTSTATUS IntExceptKernelUserVerifyExtra | ( | EXCEPTION_VICTIM_ZONE * | Victim, |
EXCEPTION_UM_ORIGINATOR * | Originator, | ||
UM_EXCEPTION * | Exception | ||
) |
This function is used as an extra verification step in the exception mechanism.
[in] | Victim | The victim object. |
[in] | Originator | The originator object. |
[in] | Exception | The current exception object. |
INT_STATUS_EXCEPTION_CHECKS_OK | On success. |
Definition at line 1100 of file exceptions_krnusr.c.
Referenced by IntExceptMatchException().
INTSTATUS IntExceptKernelVerifyExtra | ( | EXCEPTION_VICTIM_ZONE * | Victim, |
EXCEPTION_UM_ORIGINATOR * | Originator, | ||
UM_EXCEPTION * | Exception | ||
) |
This function is used as an extra verification step in the exception mechanism.
[in] | Victim | The victim object. |
[in] | Originator | The originator object. |
[in] | Exception | The current exception object. |
INT_STATUS_EXCEPTION_CHECKS_OK | On success. |
Definition at line 3095 of file exceptions_kern.c.
Referenced by IntExceptMatchException().
INTSTATUS IntExceptMatchException | ( | void * | Victim, |
void * | Originator, | ||
void * | Exception, | ||
EXCEPTION_TYPE | ExceptionType, | ||
INTRO_ACTION * | Action, | ||
INTRO_ACTION_REASON * | Reason | ||
) |
This function tries to find an exception matching the current violation.
This mechanism has three steps:
[in] | Exception | The current exception to check. |
[in] | Originator | The originator structure used by the exceptions mechanism. |
[in] | Victim | The current victim to check. |
[in] | ExceptionType | The type of the exception EXCEPTION_TYPE. |
[out] | Reason | The reason for which Action was taken. |
[out] | Action | The action that was taken. |
INT_STATUS_NOT_SUPPORTED | If the exception type is invalid |
INT_STATUS_EXCEPTION_ALLOW | If the exception matched |
INT_STATUS_EXCEPTION_NOT_MATCHED | If no exception matched |
Definition at line 3167 of file exceptions.c.
Referenced by IntExceptKernel(), IntExceptKernelUser(), and IntExceptUser().
int IntExceptPrintLixTaskInfo | ( | const LIX_TASK_OBJECT * | Task, |
char * | Header, | ||
char * | Line, | ||
int | MaxLength, | ||
DWORD | NameAlignment | ||
) |
Print the information about the provided LIX_TASK_OBJECT.
[in] | Task | The task object. |
[in] | Header | The header of the output buffer. |
[in] | Line | The output buffer. |
[in] | MaxLength | The maximum number of chars that can be written. |
[in] | NameAlignment | The alignment of the chars in the buffer. |
The | number of written chars. |
Definition at line 71 of file exceptions_user.c.
Referenced by IntExceptKernelLogLinuxInformation(), IntExceptKernelUserLogWindowsInformation(), and IntExceptUserLogLinuxInformation().
int IntExceptPrintWinKmModInfo | ( | KERNEL_DRIVER * | Module, |
char * | Header, | ||
char * | Line, | ||
int | MaxLength, | ||
DWORD | NameAlignment | ||
) |
Print the information about the provided KERNEL_DRIVER (windows guest).
[in] | Module | The driver object. |
[in] | Header | The header of the output buffer. |
[in] | Line | The output buffer. |
[in] | MaxLength | The maximum number of chars that can be written. |
[in] | NameAlignment | The alignment of the chars in the buffer. |
The | number of written chars. |
Definition at line 101 of file exceptions_kern.c.
Referenced by IntExceptKernelLogWindowsInformation(), IntExceptKernelUserLogWindowsInformation(), and IntExceptPrintMsrInfo().
int IntExceptPrintWinModInfo | ( | WIN_PROCESS_MODULE * | Module, |
char * | Header, | ||
char * | Line, | ||
int | MaxLength, | ||
DWORD | NameAlignment | ||
) |
Print the data from the provided WIN_PROCESS_MODULE.
[in] | Module | The module object. |
[in] | Header | The header of the output buffer. |
[in] | Line | The output buffer. |
[in] | MaxLength | The maximum number of chars that can be written. |
[in] | NameAlignment | The alignment of the chars in the buffer. |
The | number of written chars. |
Definition at line 613 of file exceptions_user.c.
Referenced by IntExceptKernelUserLogWindowsInformation(), and IntExceptUserLogWindowsInformation().
int IntExceptPrintWinProcInfo | ( | WIN_PROCESS_OBJECT * | Process, |
char * | Header, | ||
char * | Line, | ||
int | MaxLength, | ||
DWORD | NameAlignment | ||
) |
Print the data from the provided WIN_PROCESS_OBJECT.
[in] | Process | The process object. |
[in] | Header | The header of the output buffer. |
[in] | Line | The output buffer. |
[in] | MaxLength | The maximum number of chars that can be written. |
[in] | NameAlignment | The alignment of the chars in the buffer. |
Returns | The number of written chars. |
Definition at line 455 of file exceptions_user.c.
Referenced by IntExceptKernelUserLogWindowsInformation(), and IntExceptUserLogWindowsInformation().
INTSTATUS IntExceptRemove | ( | void | ) |
This function removes and frees all exceptions and signatures that were added from the exception binary file.
The exceptions that have been added from alerts are not removed or freed.
INT_STATUS_SUCCESS | On success. |
INT_STATUS_NOT_INITIALIZED | If the exceptions data is not initialized. |
Definition at line 257 of file exceptions.c.
Referenced by IntExceptUninit(), and IntUpdateLoadExceptions().
INTSTATUS IntExceptUninit | ( | void | ) |
This function removes and frees all exceptions and signatures.
This function also frees the exceptions data and the buffer used by the SIG_VALUE signature. The code-blocks cache is invalidated and the buffer used for logged RIPs is cleared.
INT_STATUS_SUCCESS | On success. |
INT_STATUS_NOT_INITIALIZED_HINT | If the exceptions data is not initialized. |
Definition at line 513 of file exceptions.c.
Referenced by IntGuestUninit().
INTSTATUS IntExceptUser | ( | EXCEPTION_VICTIM_ZONE * | Victim, |
EXCEPTION_UM_ORIGINATOR * | Originator, | ||
INTRO_ACTION * | Action, | ||
INTRO_ACTION_REASON * | Reason | ||
) |
This function iterates through the exception lists and tries to find an exception that matches the originator and the victim.
NOTE: If the exceptions binary is not loaded, any violation is allowed — the mechanism fails open rather than closed. Use IntUpdateAreExceptionsLoaded() to check whether an exceptions binary has been loaded before relying on this function to block a violation.
[in] | Victim | The victim object. |
[in] | Originator | The originator object. |
[out] | Action | The action that was taken. |
[out] | Reason | The reason for which Action was taken. |
INT_STATUS_INVALID_PARAMETER_1 | If the victim object is invalid. |
INT_STATUS_INVALID_PARAMETER_2 | If the originator object is invalid. |
INT_STATUS_INVALID_PARAMETER_3 | If the action is invalid. |
INT_STATUS_INVALID_PARAMETER_4 | If the reason is invalid. |
INT_STATUS_EXCEPTION_ALLOW | If the violation is allowed. |
INT_STATUS_EXCEPTION_NOT_MATCHED | If no exception matches the violation (the violation is not allowed). |
Definition at line 2915 of file exceptions_user.c.
Referenced by IntExcept().
INTSTATUS IntExceptUserGetExecOriginator | ( | void * | Process, |
EXCEPTION_UM_ORIGINATOR * | Originator | ||
) |
This function is used to get the originator for heap execution.
[in] | Process | The process in which the execution occurred. |
[out] | Originator | The originator object to be filled in. |
INT_STATUS_SUCCESS | On success. |
Definition at line 2220 of file exceptions_user.c.
Referenced by IntLixVmaHandlePageExecution(), IntWinCrashHandleDepViolation(), IntWinSudHandleUserSudExec(), and IntWinVadIsExecSuspicious().
INTSTATUS IntExceptUserGetOriginator | ( | void * | Process, |
BOOLEAN | ModuleWrite, | ||
QWORD | Address, | ||
INSTRUX * | Instrux, | ||
EXCEPTION_UM_ORIGINATOR * | Originator | ||
) |
This function is used to get the information about the user-mode originator.
[in] | Process | The process in which the violation occurred. |
[in] | ModuleWrite | True if the violation is a write. |
[in] | Address | The modified address. |
[in] | Instrux | The instruction that caused the violation, if any. |
[out] | Originator | The originator object. |
INT_STATUS_SUCCESS | On success. |
INT_STATUS_INVALID_PARAMETER_1 | If the provided process is invalid. |
INT_STATUS_INVALID_PARAMETER_5 | If the provided originator object is invalid. |
Definition at line 2435 of file exceptions_user.c.
Referenced by IntLixAccessRemoteVmHandler(), IntLixTaskHandleInjection(), IntLixValidateProcessCreationRights(), IntLixVdsoHandleUserModeWrite(), IntWinDagentHandleDoubleAgent(), IntWinDpiCheckCreation(), IntWinModHandleUserWrite(), IntWinProcHandleCopyMemory(), IntWinProcHandleInstrument(), IntWinThrHandleQueueApc(), and IntWinThrHandleThreadHijack().
void IntExceptUserLogInformation | ( | EXCEPTION_VICTIM_ZONE * | Victim, |
EXCEPTION_UM_ORIGINATOR * | Originator, | ||
INTRO_ACTION | Action, | ||
INTRO_ACTION_REASON | Reason | ||
) |
Prints the information about a user-mode violation and dumps the code-blocks and the injection buffer, if any.
[in] | Victim | The victim object. |
[in] | Originator | The originator object. |
[in] | Action | The action that was taken. |
[in] | Reason | The reason for which Action was taken. |
Definition at line 2131 of file exceptions_user.c.
Referenced by IntExcept(), IntLixVdsoHandleUserModeWrite(), IntWinCrashHandleDepViolation(), and IntWinSudHandleUserSudExec().
INTSTATUS IntExceptUserMatchVictim | ( | EXCEPTION_VICTIM_ZONE * | Victim, |
EXCEPTION_UM_ORIGINATOR * | Originator, | ||
void * | Exception, | ||
EXCEPTION_TYPE | ExceptionType | ||
) |
This function checks if the exception matches the originator and the modified zone.
Several checks on the victim, the originator and the exception are verified; see the function definition in exceptions_user.c for the exact list.
[in] | Victim | The victim object. |
[in] | Originator | The originator object. |
[in] | Exception | The current exception object. |
[in] | ExceptionType | The type of the exception object. |
INT_STATUS_EXCEPTION_NOT_MATCHED | If any check fails. |
INT_STATUS_EXCEPTION_ALLOW | If all checks have passed. |
INT_STATUS_NOT_SUPPORTED | If ExceptionType value is invalid. |
Definition at line 2732 of file exceptions_user.c.
Referenced by IntExceptMatchException().
INTSTATUS IntExceptUserVerifyExtra | ( | EXCEPTION_VICTIM_ZONE * | Victim, |
EXCEPTION_UM_ORIGINATOR * | Originator, | ||
UM_EXCEPTION * | Exception | ||
) |
This function is used as an extra step in the exception mechanism that verifies the initialization flags of a process.
[in] | Victim | The victim object. |
[in] | Originator | The originator object. |
[in] | Exception | The current exception object. |
INT_STATUS_EXCEPTION_CHECKS_OK | On success. |
Definition at line 2672 of file exceptions_user.c.
Referenced by IntExceptMatchException().
INTSTATUS IntExceptUserVerifyExtraGlobMatch | ( | EXCEPTION_VICTIM_ZONE * | Victim, |
EXCEPTION_UM_ORIGINATOR * | Originator, | ||
UM_EXCEPTION_GLOB * | Exception | ||
) |
This function is used as an extra step in the exception mechanism that verifies the initialization flags of a process.
[in] | Victim | The victim object. |
[in] | Originator | The originator object. |
[in] | Exception | The current exception object. |
INT_STATUS_EXCEPTION_CHECKS_OK | On success. |
Definition at line 2702 of file exceptions_user.c.
Referenced by IntExceptMatchException().
BOOLEAN IntUpdateAreExceptionsLoaded | ( | void | ) |
Checks if the exceptions are loaded.
True | if the exceptions are loaded, otherwise false. |
Definition at line 2751 of file update_exceptions.c.
Referenced by IntHandleTimer().