27 #define EXCEPTION_INTROUNIT_NAME_HASH 0x1036c1b7 28 #define EXCEPTION_NO_NAME "<no name>" 29 #define EXCEPTION_NO_WNAME u"<no name>" 30 #define EXCEPTION_NO_INSTRUCTION "<generic>" 31 #define EXCEPTION_NO_SYMBOL "<no sym>" 33 #define EXPORT_BEGIN_WRITE_ERR_RANGE 0x10 34 #define EXPORT_NAME_UNKNOWN "<unknown>" 36 #define EXCEPTION_UM_GLOB_LENGTH 64 49 #define EXCEPTION_TABLE_SIZE 0x10 50 #define EXCEPTION_TABLE_ID(H) (((H) & 0xF0000000) >> 0x1c) 53 #define EXCEPTION_CODEBLOCKS_OFFSET 0x250 721 #define ZONE_LIB_IMPORTS 0x000000001ULL 722 #define ZONE_LIB_EXPORTS 0x000000002ULL 723 #define ZONE_LIB_CODE 0x000000004ULL 724 #define ZONE_LIB_DATA 0x000000008ULL 725 #define ZONE_LIB_RESOURCES 0x000000010ULL 728 #define ZONE_PROC_THREAD_CTX 0x000000020ULL 729 #define ZONE_PROC_THREAD_APC 0x000000040ULL 730 #define ZONE_DEP_EXECUTION 0x000000080ULL 731 #define ZONE_MODULE_LOAD 0x000000100ULL 732 #define ZONE_PROC_INSTRUMENT 0x000000200ULL 734 #define ZONE_WRITE 0x010000000ULL 735 #define ZONE_READ 0x020000000ULL 736 #define ZONE_EXECUTE 0x040000000ULL 738 #define ZONE_INTEGRITY 0x100000000ULL 805 BYTE InterruptObjIndex;
1053 #define EXCEPTION_KM_ORIGINATOR_OPT_DO_NOT_BLOCK 0x00000001u 1060 #define EXCEPTION_KM_ORIGINATOR_OPT_FULL_STACK 0x00000002u 1066 #define for_each_km_exception(_ex_head, _var_name) \ 1067 list_for_each(_ex_head, KM_EXCEPTION, _var_name) 1068 #define for_each_kum_exception(_ex_head, _var_name) \ 1069 list_for_each(_ex_head, KUM_EXCEPTION, _var_name) 1070 #define for_each_um_exception(_ex_head, _var_name) \ 1071 list_for_each(_ex_head, UM_EXCEPTION, _var_name) 1072 #define for_each_um_glob_exception(_ex_head, _var_name) \ 1073 list_for_each(_ex_head, UM_EXCEPTION_GLOB, _var_name) 1074 #define for_each_cb_signature(_ex_head, _var_name) \ 1075 list_for_each(_ex_head, SIG_CODEBLOCKS, _var_name) 1076 #define for_each_export_signature(_ex_head, _var_name) \ 1077 list_for_each(_ex_head, SIG_EXPORT, _var_name) 1078 #define for_each_value_signature(_ex_head, _var_name) \ 1079 list_for_each(_ex_head, SIG_VALUE, _var_name) 1080 #define for_each_value_code_signature(_ex_head, _var_name) \ 1081 list_for_each(_ex_head, SIG_VALUE_CODE, _var_name) 1082 #define for_each_idt_signature(_ex_head, _var_name) \ 1083 list_for_each(_ex_head, SIG_IDT, _var_name) 1084 #define for_each_version_os_signature(_ex_head, _var_name) \ 1085 list_for_each(_ex_head, SIG_VERSION_OS, _var_name) 1086 #define for_each_version_intro_signature(_ex_head, _var_name) \ 1087 list_for_each(_ex_head, SIG_VERSION_INTRO, _var_name) 1088 #define for_each_process_creation_signature(_ex_head, _var_name) \ 1089 list_for_each(_ex_head, SIG_PROCESS_CREATION, _var_name) 1178 _In_ void *Originator,
1299 _In_ void *Originator,
1300 _In_ void *Exception,
1317 _In_ void *Exception,
1355 _In_ void *Originator,
1384 #define IntExceptErase(Ptr, Tag) \ 1386 RemoveEntryList(&((Ptr)->Link)); \ 1387 HpFreeAndNullWithTag(&(Ptr), (Tag)); \ 1390 #endif // _EXCEPTIONS_H_ The range-identifier used for value-code signature.
struct _EXCEPTION_VICTIM_INTEGRITY EXCEPTION_VICTIM_INTEGRITY
Describes an integrity victim.
struct _SIG_VALUE * PSIG_VALUE
struct _EXCEPTION_VICTIM_INTEGRITY * PEXCEPTION_VICTIM_INTEGRITY
struct _SIG_IDT SIG_IDT
Describes an IDT signature.
EXCEPTION_SIGNATURE_ID Id
A unique id (EXCEPTION_SIGNATURE_ID).
void * Module
The internal structure of a module.
The object allows only dlls which are detected as suspicious (e.g. module loads before kernel32...
EXCEPTION_VICTIM_CR Cr
Valid if the modified zone is CR.
INTSTATUS IntExceptKernel(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason)
This function iterates through exception lists and tries to find an exception that matches the origin...
WORD SigCount
Contains the number of signatures.
QWORD Context
Contains the context given by the integrator.
enum _INTRO_ACTION_REASON INTRO_ACTION_REASON
The reason for which an INTRO_ACTION was taken.
Describes a victim module.
BOOLEAN AlertSignature
True if the signature is added from alert.
INTSTATUS IntExceptKernelVerifyExtra(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_UM_ORIGINATOR *Originator, UM_EXCEPTION *Exception)
This function is used as an extra step in the exception mechanism.
struct _SIG_VERSION_OS SIG_VERSION_OS
Describes an operating system version signature.
void IntExceptInvCbCacheByGva(QWORD Gva)
Invalidate the cache used for code blocks for a given guest virtual address.
The exception ID. The layout consists of the exception type and the unique identifier of the exceptio...
The value hash is for the process command line (valid only for value signature).
int IntExceptPrintWinProcInfo(WIN_PROCESS_OBJECT *Process, char *Header, char *Line, int MaxLength, DWORD NameAlignment)
Print the data from the provided WIN_PROCESS_OBJECT.
struct _UM_EXCEPTION UM_EXCEPTION
Describes a user-mode exception.
Describes an export signature hash.
QWORD ZoneFlags
The flags of the modified zone.
struct _EXCEPTION_VICTIM_OBJECT * PEXCEPTION_VICTIM_OBJECT
Describes a process-creation signature.
LIST_HEAD KernelUserExceptions[EXCEPTION_TABLE_SIZE]
Array of linked lists used for kernel-user mode exceptions.
LIST_HEAD ValueCodeSignatures
Linked list used for value-code signatures.
The modified object is anything inside the HAL heap zone.
Describes a kernel-user mode exception.
LIX_TASK_OBJECT * LixProc
The Linux process object from which the write originates.
The name is the operating system kernel name.
The signature is valid only on 64 bit systems/processes.
BYTE Score
The number of (minimum) hashes from a list that need to match.
QWORD Context
Contains the context given by the integrator.
EXCEPTION_VICTIM_EPT Ept
Valid if the modified zone is EPT.
WORD Offset
The displacement from the beginning of the modified zone.
LIST_HEAD NoNameKernelExceptions
Linked list used for kernel-mode exceptions that don't have a valid originator (-).
The name can be any string.
DWORD DriverHash
Contains the originator driver name-hash.
struct _SIG_VALUE SIG_VALUE
Describes a value signature.
Describes a value signature.
WORD Delta
The number of bytes that are modified.
The modified object is only the driver's EAT.
INTSTATUS IntExceptKernelUserVerifyExtra(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_UM_ORIGINATOR *Originator, UM_EXCEPTION *Exception)
This function is used as an extra step in the exception mechanism.
struct _EXCEPTION_VICTIM_INJECTION * PEXCEPTION_VICTIM_INJECTION
LIST_HEAD GenericUserExceptions
Linked list used for user-mode exceptions that have a generic originator(*).
QWORD Context
Contains the context given by the integrator.
struct _EXCEPTION_VICTIM_MODULE * PEXCEPTION_VICTIM_MODULE
The modified object is anything inside the structure CONTEXT (valid only for windows).
QWORD Context
Contains the context given by the integrator.
LIST_HEAD ExportSignatures
Linked list used for export signatures.
union _EXCEPTION_SIGNATURE_ID EXCEPTION_SIGNATURE_ID
The exception ID. The layout consists of the exception type and the unique identifier of the exceptio...
Signals an attempt to set an instrumentation callback.
LIST_HEAD ProcessCreationAlertExceptions
Linked list used for process-creation exceptions that are added from alert.
The modified object represents an execution inside SharedUserData.
struct _KUM_EXCEPTION * PKUM_EXCEPTION
The exception sends a feedback alert.
The exception will take into consideration the return driver/dll.
struct _SIG_CODEBLOCK_HASH SIG_CODEBLOCK_HASH
Describes a codeblocks signature hash.
KM_EXCEPTION_OBJECT Type
Contains the type of the exception (KM_EXCEPTION_OBJECT).
QWORD StackBase
The stack base for the thread that attempted the execution.
The name is the operating system vsyscall (valid only for Linux).
EXCEPTION_SIGNATURE_ID Id
A unique id (_EXCEPTION_SIGNATURE_ID).
INTSTATUS IntExceptGetVictimProcessCreation(void *Process, INTRO_OBJECT_TYPE ObjectType, EXCEPTION_VICTIM_ZONE *Victim)
This function is used to get the information about the victim for process-creation violation...
DWORD OriginatorNameHash
Contains the originator name-hash.
INTRO_PC_VIOLATION_TYPE
Process creation violation flags.
EXCEPTION_SIGNATURE_ID Id
A unique id (EXCEPTION_SIGNATURE_ID).
The modified object is inside an EPT hook.
LIST_HEAD VersionIntroSignatures
Linked list used for introspection version signatures.
BOOLEAN IntUpdateAreExceptionsLoaded(void)
Checks if the exceptions are loaded.
QWORD Gva
The guest virtual address to be written.
Describes a user-mode glob exception.
enum _UM_EXCEPTION_OBJECT UM_EXCEPTION_OBJECT
Object type of the user-mode exception.
Structure that describes a stack trace element.
enum _SIGNATURE_FLG SIGNATURE_FLG
Describes the flags that can be used by a signature.
int IntExceptPrintWinModInfo(WIN_PROCESS_MODULE *Module, char *Header, char *Line, int MaxLength, DWORD NameAlignment)
Print the data from the provided WIN_PROCESS_MODULE.
The modified object is HalPerformanceCounter.
LIST_HEAD ProcessCreationSignatures
Linked list used for process-creation signatures.
BYTE ListsCount
The number of the list of hashes.
The exception is valid only for read violation.
_EXCEPTION_SIGNATURE_TYPE
The identifier that describes a range of signatures.
LIST_HEAD IdtSignatures
Linked list used for IDT signatures.
BOOLEAN AlertSignature
True if the signature is added from alert.
EXCEPTION_SIGNATURE_ID Id
A unique id (EXCEPTION_SIGNATURE_ID).
BYTE Entry
The number of the IDT entry.
The exception is valid only if the write comes due to an injection from user-mode.
LIST_HEAD UserAlertExceptions
Linked list used for user-mode exceptions that are added from alert.
Describes a user-mode originator.
Used to indicate an invalid user-mode exception name.
KERNEL_DRIVER * Driver
The driver that's modifying the memory.
INSTRUX * Instruction
The modifying instruction (at the OriginalRip). There's no point in getting the instruction at Rip...
The modified object is only the driver's data sections.
struct _SIG_VALUE_HASH SIG_VALUE_HASH
Describes a value signature hash.
The name can be any string.
The range-identifier used for idt signature.
LIST_HEAD UserExceptions[EXCEPTION_TABLE_SIZE]
Array of linked lists used for user-mode exceptions.
INTSTATUS IntExceptMatchException(void *Victim, void *Originator, void *Exception, EXCEPTION_TYPE ExceptionType, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason)
This function tries to find an exception for the current violation.
int INTSTATUS
The status data type.
QWORD StackLimit
The stack limit for the thread that attempted the execution.
BYTE * Buffer
The buffer to be written.
DWORD NameHash
The namehash of the process.
struct _EXCEPTION_VICTIM_EPT * PEXCEPTION_VICTIM_EPT
_ZONE_TYPE
Describes the zone types that can be excepted.
BOOLEAN Loaded
True if the exceptions are loaded.
struct _EXCEPTION_VICTIM_OBJECT EXCEPTION_VICTIM_OBJECT
Describes a victim object.
KUM_EXCEPTION_OBJECT Type
Contains the type of the exception (KUM_EXCEPTION_OBJECT).
The exception will match only for the init phase of a driver/process.
The exception is valid only for Linux.
The exception is valid only if the originator process is a system process.
enum _KM_EXCEPTION_OBJECT KM_EXCEPTION_OBJECT
Object type of the kernel-mode exception.
INTSTATUS IntExceptAlertRemove(void)
This function removes and frees all exceptions and signatures that have been added from alert...
EXCEPTION_SIGNATURE_ID Id
A unique id (EXCEPTION_SIGNATURE_ID).
PCHAR Name
The process name of the originator (saved as CHAR).
INTSTATUS IntExceptUninit(void)
This function removes and frees all exceptions and signatures.
DWORD Offset
The offset of the modification.
Describes a integrity victim.
LIST_HEAD KernelAlertExceptions
Linked list used for kernel-mode exceptions that are added from alert.
INTSTATUS IntExceptUserVerifyExtra(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_UM_ORIGINATOR *Originator, UM_EXCEPTION *Exception)
This function is used as an extra step in the exception mechanism that verifies the initialization flags of...
void IntExceptKernelUserLogInformation(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason)
Print the information about a kernel-user mode violation and dumps the code-blocks.
enum _KM_EXCEPTION_NAME KM_EXCEPTION_NAME
The predefined names for kernel-user-mode exception.
struct _SIG_PROCESS_CREATION SIG_PROCESS_CREATION
Describes a process-creation signature.
_KUM_EXCEPTION_OBJECT
Object type of the kernel-user mode exception.
Describes a kernel-mode originator.
LIX_TASK_OBJECT * LixProc
The internal structure of the modified Linux process.
The modified object is only the driver's IAT.
User-mode exception that accepts glob content.
WORD Size
The size of the modified zone.
struct _EXCEPTION_CB_SIGNATURE SIG_CODEBLOCKS
Describes a codeblocks signature.
Codeblocks were extracted at a medium level.
BOOLEAN Smep
True if SMEP is modified.
The modified object is any with the modified name.
INTRO_OBJECT_TYPE Type
The type of the modified object.
The range-identifier used for value signature.
BOOLEAN Kernel
This field is set to TRUE for a write due to an injection from kernel-mode.
enum _KUM_EXCEPTION_NAME KUM_EXCEPTION_NAME
The predefined names for kernel-mode exception.
void * Process
The process that's modifying the memory (always present).
BOOLEAN AlertSignature
True if the signature is added from alert.
The exception is valid only for write violation.
The range-identifier used for process creation signature.
struct _EXCEPTION_VICTIM_ZONE * PEXCEPTION_VICTIM_ZONE
WIN_PROCESS_OBJECT * WinProc
The windows process that's modifying the memory (always present).
struct _EXCEPTION_VICTIM_CR * PEXCEPTION_VICTIM_CR
DWORD Flags
Contains any flags from EXCEPTION_FLG.
INTRO_PC_VIOLATION_TYPE PcType
Valid if the current violation is DPI Process Creation Violation.
struct _EXCEPTIONS EXCEPTIONS
Describes the internal exceptions data.
BYTE ListsCount
The number of the list of hashes.
struct _KUM_EXCEPTION KUM_EXCEPTION
Describes a kernel-user mode exception.
enum _ZONE_TYPE ZONE_TYPE
Describes the zone types that can be excepted.
_KUM_EXCEPTION_NAME
The predefined names for kernel-mode exception.
The modified object is anything inside the driver.
QWORD SourceVA
The GVA from where the injection is.
Describes a value signature.
Describes a kernel driver.
struct _EXCEPTION_CB_SIGNATURE * PSIG_CODEBLOCKS
The modified object is only another process (injection basically).
BYTE * Buffer
The new security descriptor buffer (valid only if INTRO_OBJECT_TYPE is introObjectTypeSecDesc or intr...
DWORD PathHash
The pathhash of the originator return driver.
EXCEPTION_VICTIM_OBJECT Object
The modified object.
struct _SIG_CODEBLOCK_HASH * PSIG_CODEBLOCK_HASH
DWORD ProcessHash
Contains the originator process name-hash.
DWORD Flags
Contains any flags from SIGNATURE_FLG.
The modified object is a SharedUserData field.
void * Library
The library that's modifying the memory (if that's the case).
The modified object is IDTR/GDTR.
EXCEPTION_VICTIM_MODULE Module
Used when a module is modified.
BOOLEAN AlertSignature
True if the signature is added from alert.
struct _KM_EXCEPTION KM_EXCEPTION
Describes a kernel-mode exception.
_UM_EXCEPTION_OBJECT
Object type of the user-mode exception.
LIST_HEAD CbSignatures
Linked list used for codeblocks signatures.
DWORD BufferSize
The size of the new security descriptor buffer (valid only if INTRO_OBJECT_TYPE is introObjectTypeSec...
#define EXCEPTION_UM_GLOB_LENGTH
enum _INTRO_OBJECT_TYPE INTRO_OBJECT_TYPE
The type of the object protected by an EPT hook.
QWORD BaseAddress
Depending on INTRO_OBJECT_TYPE we have: CR3 for processes / ModuleBase for km drivers and um dll...
The exception is valid only for CR4.SMEP write.
The range-identifier used for export signature.
struct _EXCEPTION_VICTIM_EPT EXCEPTION_VICTIM_EPT
Describes an EPT victim.
DWORD Flags
Contains any flags from EXCEPTION_FLG.
DWORD BufferSize
The buffer size to be written.
PWCHAR NameWide
The module name of the originator (saved as WCHAR).
LIST_HEAD KernelUserAlertExceptions
Linked list used for kernel-user mode exceptions that are added from alert.
BOOLEAN User
This field is set to TRUE for a write due to an injection from user-mode.
QWORD Rsp
The value of the guest RSP register at the moment of execution.
The modified object is inside an integrity hook.
The exception is valid only for CR4.SMAP write.
WIN_DRIVER_OBJECT * DriverObject
Used when a driver object / fastio dispatch table is modified.
DWORD LibraryNameHash
The name-hash of the modified library.
DWORD Hash
The hash of the modified zone.
_EXCEPTION_FLG
Describes the flags that can be used by an exception.
DWORD Flags
Contains any flags from _EXCEPTION_FLG.
struct _KM_EXCEPTION * PKM_EXCEPTION
WORD SigCount
Contains the number of signatures.
DWORD Flags
Contains any flags from SIGNATURE_FLG.
LIX_TASK_OBJECT * LixProc
The Linux process that's modifying the memory (always present).
LIST_HEAD KernelFeedbackExceptions
Linked list used for kernel-mode exceptions that have the feedback flag.
Holds information about a driver object.
struct _EXCEPTION_UM_ORIGINATOR * PEXCEPTION_UM_ORIGINATOR
struct _SIG_PROCESS_CREATION * PSIG_PROCESS_CREATION
The exception is valid only for execute violation.
INTSTATUS IntExceptGetVictimEpt(void *Context, QWORD Gpa, QWORD Gva, INTRO_OBJECT_TYPE Type, DWORD ZoneFlags, EXCEPTION_VICTIM_ZONE *Victim)
Fills an EXCEPTION_VICTIM_ZONE with relevant information from an EPT violation.
DWORD VictimNameHash
Contains the victim name-hash.
The modified object is only the driver's code sections.
The name is the operating system kernel name.
enum _EXCEPTION_TYPE EXCEPTION_TYPE
The type of an exception.
The signature is valid only on 32 bit systems/processes.
struct _SIG_VERSION_INTRO * PSIG_VERSION_INTRO
struct _EXCEPTION_VICTIM_DTR * PEXCEPTION_VICTIM_DTR
QWORD Gpa
The modified guest physical address.
enum _EXCEPTION_FLG EXCEPTION_FLG
Describes the flags that can be used by an exception.
void IntExceptUserLogInformation(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_UM_ORIGINATOR *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason)
Print the information about a user-mode violation, dumps the code-blocks and the injection buffer...
The name is any object belonging to this process (child not included).
struct _SIG_IDT * PSIG_IDT
EXCEPTION_SIGNATURE_ID Id
A unique id (EXCEPTION_SIGNATURE_ID).
INTSTATUS IntExceptGetVictimCr(QWORD NewValue, QWORD OldValue, DWORD Cr, EXCEPTION_VICTIM_ZONE *Victim)
This function is used to get the information about the CR victim.
INTSTATUS IntExceptGetVictimMsr(QWORD NewValue, QWORD OldValue, DWORD Msr, EXCEPTION_VICTIM_ZONE *Victim)
This function is used to get the information about the MSR victim.
_KM_EXCEPTION_OBJECT
Object type of the kernel-mode exception.
QWORD StartVirtualAddress
The start address of the integrity zone.
Describes a value signature hash.
Describes an introspection version signature.
BOOLEAN AlertSignature
True if the signature is added from alert.
INTSTATUS IntExceptGetVictimIntegrity(INTEGRITY_REGION *IntegrityRegion, DWORD *Offset, EXCEPTION_VICTIM_ZONE *Victim)
This function is used to get the information about the modified zone from the integrity region...
The exception is valid only if the write comes due to an injection from kernel-mode.
struct _SIG_EXPORT SIG_EXPORT
Describes an export signature.
The range-identifier used for version operating system signature.
Allow modification of its own driver object.
EXCEPTION_VICTIM_DTR Dtr
Valid if the modified zone is DTR.
INTSTATUS IntExceptKernelUser(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason)
This function iterates through exception lists and tries to find an exception that matches the origin...
struct _EXCEPTIONS::@26 Version
Loaded exceptions binary version.
The modified object is SSDT (valid only on windows x86).
The modified object is the self map entry inside PDBR.
DWORD NameHash
The hash of the modified object.
Describes the internal exceptions data.
DWORD Flags
Contains any flags from SIGNATURE_FLG.
EXCEPTION_SIGNATURE_ID Id
A unique id (EXCEPTION_SIGNATURE_ID).
void IntExceptKernelLogInformation(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason)
Print the information about a kernel-mode violation and dumps the code-blocks.
Describes a victim object.
INTSTATUS IntExceptUserVerifyExtraGlobMatch(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_UM_ORIGINATOR *Originator, UM_EXCEPTION_GLOB *Exception)
This function is used as an extra step in the exception mechanism that verifies the initialization flags of...
DWORD Length
The length of the instruction.
INTRO_OBJECT_TYPE Type
The type of the modified object.
Describes an export signature.
ZONE_TYPE ZoneType
The type of the modified zone.
DWORD NameHash
Contains the originator name-hash.
INTSTATUS IntExceptInit(void)
This function allocates the exceptions data and initializes the exception lists and the signature list...
LIST_HEAD KernelUserFeedbackExceptions
Linked list used for kernel-user mode exceptions that have the feedback flag.
enum _UM_EXCEPTION_NAME UM_EXCEPTION_NAME
The predefined names for user-mode exception.
The modified object is anything inside of the PEB32 structure.
DWORD Length
The length of the write.
struct _SIG_VALUE_CODE * PSIG_VALUE_CODE
struct _EXCEPTION_VICTIM_MODULE EXCEPTION_VICTIM_MODULE
Describes a victim module.
The modified object is an MSR.
DWORD Flags
Contains any flags from SIGNATURE_FLG.
The name is the operating system HAL name (valid only for windows).
The exception will take into consideration the return driver.
The modified object is inside the process module's EAT.
struct _SIG_VERSION_OS * PSIG_VERSION_OS
The modified object is the privileges field inside the nt!_TOKEN structure.
INTSTATUS IntExceptUserGetOriginator(void *Process, BOOLEAN ModuleWrite, QWORD Address, INSTRUX *Instrux, EXCEPTION_UM_ORIGINATOR *Originator)
This function is used to get the information about the user-mode originator.
The modified object is SMEP and/or SMAP bits of CR4.
struct _EXCEPTION_VICTIM_ZONE EXCEPTION_VICTIM_ZONE
Describes the modified zone.
DWORD Flags
Contains any flags from EXCEPTION_FLG.
A descriptor table register. Valid for IDTR and GDTR.
The modified object is inside the process module's IAT.
Describes the modified zone.
struct _UM_EXCEPTION_GLOB * PUM_EXCEPTION_GLOB
This exception will be ignored.
The name can be any string.
struct _UM_EXCEPTION * PUM_EXCEPTION
The modified object is IDTR.
The modified object is inside the process module's IAT.
Describes a kernel-mode exception.
Used to indicate an invalid kernel-mode exception name.
Describes a user-mode exception.
struct _SIG_EXPORT_HASH * PSIG_EXPORT_HASH
struct _SIG_VALUE_HASH * PSIG_VALUE_HASH
#define EXCEPTION_TABLE_SIZE
The exception is valid only for integrity zone.
The modified object is anything inside the driver's fast IO dispatch table.
LIST_HEAD GlobUserExceptions
Linked list used for user-mode exceptions that contains glob content.
The name is the operating system vdso (valid only for Linux).
DWORD Hash
The hash of the modified function name.
BYTE Count
The number of hashes from the list.
union _EXCEPTION_SIGNATURE_ID * PEXCEPTION_SIGNATURE_ID
The modified object is any with the modified name.
enum _INTRO_ACTION INTRO_ACTION
Event actions.
LIST_HEAD ProcessCreationExceptions
Linked list used for process-creation exceptions.
struct _EXCEPTION_KM_ORIGINATOR * PEXCEPTION_KM_ORIGINATOR
_UM_EXCEPTION_NAME
The predefined names for user-mode exception.
The exception is valid only if the modified process is a child of the originator process.
QWORD Rip
The RIP from where the call to the exported function came.
The name is the operating system vdso (valid only for Linux).
QWORD Gva
The modified guest virtual address.
int IntExceptPrintWinKmModInfo(KERNEL_DRIVER *Module, char *Header, char *Line, int MaxLength, DWORD NameAlignment)
Print the information about the provided KERNEL_DRIVER (windows guest).
DWORD AccessSize
The actual size of the write.
Signals an execution inside SharedUserData.
LIST_HEAD GenericKernelExceptions
Linked list used for kernel-mode exceptions that have a generic originator (*).
UM_EXCEPTION_OBJECT Type
Contains the type of the exception (UM_EXCEPTION_OBJECT).
void IntExceptInvCbCacheByCr3(QWORD Cr3)
Invalidate the cache used for code blocks for a given CR3.
UM_EXCEPTION_OBJECT Type
Contains the type of the exception (UM_EXCEPTION_OBJECT).
WIN_PROCESS_OBJECT * WinProc
The internal structure of the modified Windows process.
LIST_HEAD ValueSignatures
Linked list used for value signatures.
DWORD Flags
Contains any flags from SIGNATURE_FLG.
DWORD Flags
Contains any flags from SIGNATURE_FLG.
The modified object is inside a process.
QWORD ProtectionFlag
The protection flags of the modified zone.
DWORD OriginatorNameHash
Contains the originator name-hash.
The modified object is any IDT entry.
struct _EXCEPTION_VICTIM_MSR * PEXCEPTION_VICTIM_MSR
The signature is valid only on Linux.
INTSTATUS IntExceptGetVictimProcess(void *Process, QWORD DestinationGva, DWORD Length, QWORD ZoneFlags, EXCEPTION_VICTIM_ZONE *Victim)
This function is used to get the information about the victim process for injection violations...
struct _SIG_EXPORT * PSIG_EXPORT
WORD SigCount
Contains the number of signatures.
The modified object is inside the process modules.
LIST_HEAD NoNameKernelUserExceptions
Linked list used for kernel-user mode exceptions that don't have a valid originator (-)...
struct _EXCEPTION_KM_ORIGINATOR EXCEPTION_KM_ORIGINATOR
Describes a kernel-mode originator.
WIN_PROCESS_MODULE * WinLib
The windows library that's modifying the memory (if that's the case).
DWORD Type
Contains a type of signature (EXCEPTION_SIGNATURE_TYPE).
LIST_HEAD ProcessCreationFeedbackExceptions
Linked list used for process-creation exceptions that have the feedback flag.
The modified object is an ACL (SACL/DACL) of a process.
void * Process
The internal structure of the modified process.
BOOLEAN AlertSignature
True if the signature is added from alert.
BYTE Score
The number of (minimum) hashes from a list that need to match.
struct _EXCEPTION_VICTIM_INJECTION EXCEPTION_VICTIM_INJECTION
Describes an injection.
WIN_PROCESS_OBJECT * WinProc
The Windows process object from which the write originates.
DWORD Flags
Contains any flags from SIGNATURE_FLG.
LIST_HEAD UserFeedbackExceptions
Linked list used for user-mode exceptions that have the feedback flag.
QWORD NewDriverBase
The module base where the new value is.
The name is the operating system vsyscall (valid only for Linux).
_SIGNATURE_FLG
Describes the flags that can be used by a signature.
char * Name
The modified process name.
WORD Length
The length of the opcode pattern.
WCHAR * NameWide
The modified module name.
LIST_HEAD KernelExceptions[EXCEPTION_TABLE_SIZE]
Array of linked lists used for kernel-mode exceptions.
struct _SIG_VALUE_CODE SIG_VALUE_CODE
Describes a value signature.
BYTE ListsCount
The number of the list of hashes.
_EXCEPTION_TYPE
The type of an exception.
The modified object is WMI_LOGGER_CONTEXT.GetCpuClock used by InfinityHook (valid only on windows)...
DWORD Msr
The MSR written.
struct _SIG_VERSION_INTRO SIG_VERSION_INTRO
Describes an introspection version signature.
BOOLEAN IsEntryPoint
True if the Return-Rip is inside the 'INIT' section.
EXCEPTION_VICTIM_INJECTION Injection
Valid if the modified zone is Injection.
BOOLEAN AlertSignature
True if the signature is added from alert.
void IntExceptDumpSignatures(void *Originator, EXCEPTION_VICTIM_ZONE *Victim, BOOLEAN KernelMode, BOOLEAN ReturnDrv)
Dump code blocks from the originator's RIP.
INTSTATUS IntExceptGetOriginatorFromModification(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator)
This function is used for integrity violations to get the information about the kernel-mode originato...
INTSTATUS IntExceptUserGetExecOriginator(void *Process, EXCEPTION_UM_ORIGINATOR *Originator)
This function is used to get the originator for heap execution.
QWORD Value
Contains the minimum build number of the operating system (used for windows).
The modified object is an interrupt object from KPRCB.
The modified object is any with the modified name.
The range-identifier used for codeblocks signature.
LIST_HEAD GenericKernelUserExceptions
Linked list used for kernel-user mode exceptions that have a generic originator(*).
Describes a idt signature.
struct _EXCEPTION_VICTIM_CR EXCEPTION_VICTIM_CR
Describes a CR victim.
int IntExceptPrintLixTaskInfo(const LIX_TASK_OBJECT *Task, char *Header, char *Line, int MaxLength, DWORD NameAlignment)
Print the information about the provided LIX_TASK_OBJECT.
DWORD Value
Contains an unique value.
EXCEPTION_VICTIM_MODULE Library
The victim module of the modified library.
The modified object is a CR.
Kernel-User mode exception.
struct _EXCEPTIONS * PEXCEPTIONS
struct _EXCEPTION_VICTIM_MSR EXCEPTION_VICTIM_MSR
Describes an MSR victim.
enum _INTRO_EVENT_TYPE INTRO_EVENT_TYPE
Event classes.
DWORD CreateMask
Contains the DPI mask.
EXCEPTION_VICTIM_INTEGRITY Integrity
Valid if the modified zone is Integrity.
_KM_EXCEPTION_NAME
The predefined names for kernel-user-mode exception.
The modified object is the thread on which an asynchronous procedure call was performed...
VAD * Vad
The internal structure of the modified VAD.
INTSTATUS IntExceptKernelUserMatchVictim(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, KUM_EXCEPTION *Exception)
This function checks if the exception matches the originator and the modified zone.
The original RIP is outside a driver and it returns into a driver (which is the originator name)...
Used for process-creation violations.
Allow modification of its own driver object.
WORD SigCount
Contains the number of signatures.
enum _KUM_EXCEPTION_OBJECT KUM_EXCEPTION_OBJECT
Object type of the kernel-user mode exception.
INT16 Offset
The displacement from the beginning of the modified zone.
Structure that describes a stack trace.
INTSTATUS IntExceptUserMatchVictim(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_UM_ORIGINATOR *Originator, void *Exception, EXCEPTION_TYPE ExceptionType)
This function checks if the exception matches the originator and the modified zone.
WIN_PROCESS_MODULE * WinMod
The internal structure of a windows module.
The exception is valid only on 32-bit systems/processes.
INSTRUX * Instruction
The modifying/executing instruction (valid when Rip != 0).
The range-identifier used for version introspection signature.
The modified object is anything inside the driver object.
BOOLEAN Smap
True if SMAP is modified.
struct _EXCEPTION_UM_ORIGINATOR EXCEPTION_UM_ORIGINATOR
Describes a user-mode originator.
The exception is valid only for apphelp process.
Used to indicate an invalid kernel-mode exception name.
EXCEPTION_SIGNATURE_ID Id
A unique id (EXCEPTION_SIGNATURE_ID).
The modified object is only the driver's resources sections.
void * Process
The process object from which the write originates. Valid only for KM-UM writes due to an injection o...
The name is the #VE Agent.
BOOLEAN IsIntegrity
True if the originator is found by an integrity check.
A representation of a Windows VAD structure.
Describes a codeblocks signature.
INTSTATUS IntExceptGetVictimDtr(DTR *NewValue, DTR *OldValue, INTRO_OBJECT_TYPE Type, EXCEPTION_VICTIM_ZONE *Victim)
This function is used to get the information about the DTR victim.
DWORD Flags
Contains any flags from _SIGNATURE_FLG.
INTSTATUS IntExceptKernelGetOriginator(EXCEPTION_KM_ORIGINATOR *Originator, DWORD Options)
This function is used to get the information about the kernel-mode originator.
BOOLEAN AlertSignature
True if the signature is added from alert.
INTSTATUS IntExceptUser(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_UM_ORIGINATOR *Originator, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason)
This function iterates through exception lists and tries to find an exception that matches the origin...
The exception is valid only once.
LIST_HEAD NoNameUserExceptions
Linked list used for user-mode exceptions that don't have a valid originator (-). ...
QWORD Rip
Where the write/exec came.
The modified object is the security descriptor pointer of a process.
struct _UM_EXCEPTION_GLOB UM_EXCEPTION_GLOB
Describes a user-mode glob exception.
Describes a codeblocks signature hash.
The name is the operating system HAL name (valid only for windows).
WINUM_CACHE_EXPORT * Export
The export cache for the modified module.
The process object creates another process using DPI flags.
Describes an operating system version signature.
void IntExcept(EXCEPTION_VICTIM_ZONE *Victim, void *Originator, EXCEPTION_TYPE Type, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason, INTRO_EVENT_TYPE EventClass)
This function is the entry point for the exception mechanism.
The object that has a NX zone is executed.
The modified object is an MSR.
struct _EXCEPTION_VICTIM_DTR EXCEPTION_VICTIM_DTR
Describes a DTR victim.
INTSTATUS IntExceptRemove(void)
This function removes and frees all exceptions and signatures that have been added from exception bin...
EXCEPTION_VICTIM_MSR Msr
Valid if the modified zone is MSR.
struct _SIG_EXPORT_HASH SIG_EXPORT_HASH
Describes an export signature hash.
INTSTATUS IntExceptKernelMatchVictim(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, KM_EXCEPTION *Exception)
This function checks if the exception matches the originator and the modified zone.
DWORD NameHash
The namehash of the originator return driver.
This structure describes a running process inside the guest.
enum _EXCEPTION_SIGNATURE_TYPE EXCEPTION_SIGNATURE_TYPE
The identifier that describes a range of signatures.
LIST_HEAD VersionOsSignatures
Linked list used for operating system version signatures.
The modified object is inside the process modules.