44 return "Pivoted Stack";
47 return "Stolen token";
56 return "Thread Start";
59 return "Security Descriptor";
99 ret = snprintf(Line, MaxLength,
"%s(%-*s", Header, NameAlignment, Task->ProcName);
103 ret = snprintf(Line, MaxLength,
"%s(%s", Header, Task->ProcName);
106 if (ret < 0 || ret >= MaxLength)
108 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, MaxLength);
117 ret = snprintf(Line, MaxLength,
" '%s' [0x%08x], %016llx, %016llx, %016llx, %d/%d",
118 Task->Comm, Task->CommHash, Task->Gva, Task->Cr3, Task->MmGva, Task->Pid, Task->Tgid);
120 if (ret < 0 || ret >= MaxLength)
122 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, MaxLength);
133 ret = snprintf(Line, MaxLength,
", CLI:`%s`", Task->CmdLine);
135 if (ret < 0 || ret >= MaxLength)
137 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, MaxLength);
147 ret = snprintf(Line, MaxLength,
")");
149 if (ret < 0 || ret >= MaxLength)
151 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, MaxLength);
180 DWORD procNameAlignment;
185 if (NULL == Originator->LixProc)
187 ERROR(
"[ERROR] Originator process is NULL!\n");
191 procNameAlignment = 0;
192 if (Victim->Object.LixProc)
195 MAX(Victim->Object.LixProc->ProcNameLength,
196 Originator->LixProc->ProcNameLength));
211 ret = snprintf(l, rem,
", VA: %016llx", Originator->SourceVA);
215 ret = snprintf(l, rem,
", RIP: %016llx", Originator->Rip);
218 if (ret < 0 || ret >= rem)
220 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
243 if (ret < 0 || ret >= rem)
245 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
266 ret = snprintf(l, rem,
", RIP: %016llx", Originator->Rip);
268 if (ret < 0 || ret >= rem)
270 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
279 ", Parent: ", l, rem, 0);
298 ret = snprintf(l, rem,
", InjInfo: (%u, %016llx)",
299 Victim->Injection.Length, Victim->Injection.Gva);
303 ret = snprintf(l, rem,
", ExecInfo: (%016llx, %016llx), Stack: (0x%016llx, 0x%16llx), RSP = 0x%016llx",
304 Victim->Ept.Gva, Victim->Ept.Gpa, Victim->ExecInfo.StackBase, Victim->ExecInfo.StackLimit,
305 Victim->ExecInfo.Rsp);
308 if (ret < 0 || ret >= rem)
310 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
319 ", Parent: ", l, rem, 0);
340 const char *libName = (Victim->Object.Type ==
introObjectTypeVdso) ?
"[vdso]" :
"[vsyscall]";
346 ret = snprintf(l, rem,
", Address: (%0llx, %0llx), Lib: %s, WriteInfo: (%u, %016llx -> %016llx)",
347 Victim->Ept.Gva, Victim->Ept.Gpa,
348 libName, Victim->WriteInfo.AccessSize,
349 Victim->WriteInfo.OldValue[0],
350 Victim->WriteInfo.NewValue[0]);
352 if (ret < 0 || ret >= rem)
354 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
370 ret = snprintf(l, rem,
"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^%sMALWARE (user-mode) ",
371 (Victim->Object.LixProc && Victim->Object.LixProc->Protection.Mask &
PROC_OPT_BETA) ?
374 if (ret < 0 || ret >= rem)
376 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
387 ret = snprintf(l, rem,
"(no sig)");
390 ret = snprintf(l, rem,
"(no exc)");
393 ret = snprintf(l, rem,
"(extra)");
396 ret = snprintf(l, rem,
"(error)");
399 ret = snprintf(l, rem,
"(value)");
402 ret = snprintf(l, rem,
"(value code)");
405 ret = snprintf(l, rem,
"(idt)");
408 ret = snprintf(l, rem,
"(version os)");
411 ret = snprintf(l, rem,
"(version intro)");
414 ret = snprintf(l, rem,
"(export)");
417 ret = snprintf(l, rem,
"(process creation)");
420 ret = snprintf(l, rem,
"(unknown)");
423 ret = snprintf(l, rem,
"(%d)", Reason);
427 if (ret < 0 || ret >= rem)
429 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
437 ret = snprintf(l, rem,
" ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^");
439 if (ret < 0 || ret >= rem)
441 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
483 ret = snprintf(Line, MaxLength,
"%s(%-*s", Header, NameAlignment, Process->Name);
487 ret = snprintf(Line, MaxLength,
"%s(%s", Header, Process->Name);
490 if (ret < 0 || ret >= MaxLength)
492 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, MaxLength);
501 ret = snprintf(Line, MaxLength,
" [0x%08x], %0*llx, %0*llx, %u, F%x",
505 if (ret < 0 || ret >= MaxLength)
507 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, MaxLength);
516 if (Process->Wow64Process)
518 ret = snprintf(Line, MaxLength,
", WOW64");
520 if (ret < 0 || ret >= MaxLength)
522 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, MaxLength);
532 if (Process->SystemProcess)
534 ret = snprintf(Line, MaxLength,
", SYS");
536 if (ret < 0 || ret >= MaxLength)
538 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, MaxLength);
548 if (Process->Peb64Address)
550 ret = snprintf(Line, MaxLength,
", PEB64: %0*llx",
gGuest.
WordSize * 2, Process->Peb64Address);
552 if (ret < 0 || ret >= MaxLength)
554 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, MaxLength);
564 if (Process->Peb32Address)
566 ret = snprintf(Line, MaxLength,
", PEB32: %0*llx",
gGuest.
WordSize * 2, Process->Peb32Address);
568 if (ret < 0 || ret >= MaxLength)
570 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, MaxLength);
580 if (Process->CommandLine)
582 ret = snprintf(Line, MaxLength,
", CLI:`%s`", Process->CommandLine);
584 if (ret < 0 || ret >= MaxLength)
586 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, MaxLength);
596 ret = snprintf(Line, MaxLength,
")");
598 if (ret < 0 || ret >= MaxLength)
600 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, MaxLength);
644 wName = Module->Path->Path;
645 nameHash = Module->Path->NameHash;
664 ret = snprintf(Line, MaxLength,
"%s(%-*s", Header, NameAlignment, name);
668 ret = snprintf(Line, MaxLength,
"%s(%s", Header, name);
671 if (ret < 0 || ret >= MaxLength)
673 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, MaxLength);
682 ret = snprintf(Line, MaxLength,
" [0x%08x], %0*llx, F%x",
683 nameHash,
gGuest.
WordSize * 2, Module->VirtualBase, Module->Flags);
685 if (ret < 0 || ret >= MaxLength)
687 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, MaxLength);
696 if (Module->Cache && Module->Cache->Info.TimeDateStamp)
698 ret = snprintf(Line, MaxLength,
", VerInfo: %x:%x",
699 Module->Cache->Info.TimeDateStamp, Module->Cache->Info.SizeOfImage);
701 if (ret < 0 || ret >= MaxLength)
703 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, MaxLength);
713 if (Module->Cache && (Module->Cache->Info.IatRva || Module->Cache->Info.IatSize))
715 ret = snprintf(Line, MaxLength,
", IAT: %x:%x",
716 Module->Cache->Info.IatRva, Module->Cache->Info.IatSize);
717 if (ret < 0 || ret >= MaxLength)
719 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, MaxLength);
729 ret = snprintf(Line, MaxLength,
")");
730 if (ret < 0 || ret >= MaxLength)
732 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, MaxLength);
761 DWORD modNameAlignment;
766 if (NULL == Originator->WinProc)
768 ERROR(
"[ERROR] Originator process is NULL!\n");
774 Originator->WinLib->DoubleAgentAlertSent)
779 modNameAlignment = 0;
782 if (Victim->Object.Library.WinMod && Originator->WinLib)
785 MAX(Victim->Object.Library.WinMod->Path->PathSize,
786 Originator->WinLib->Path->PathSize) >> 1);
805 ret = snprintf(l, rem,
", VA: %0*llx",
gGuest.
WordSize * 2, Originator->SourceVA);
809 ret = snprintf(l, rem,
", RIP: %0*llx",
gGuest.
WordSize * 2, Originator->Rip);
812 if (ret < 0 || ret >= rem)
814 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
830 Originator->Return.Library &&
831 Originator->Return.Rip != Originator->Rip)
837 "Return -> Module: ",
841 if (ret < 0 || ret >= rem)
843 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
851 ret = snprintf(l, rem,
", RIP %0*llx",
gGuest.
WordSize * 2, Originator->Return.Rip);
853 if (ret < 0 || ret >= rem)
855 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
877 if (ret < 0 || ret >= rem)
879 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
895 CHAR instr[ND_MIN_BUF_SIZE];
898 ndstatus = NdToText(Originator->Instruction, Originator->Rip,
sizeof(instr), instr);
899 if (!ND_SUCCESS(ndstatus))
905 if (ret < 0 || ret >= rem)
907 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
915 ret = snprintf(l, rem,
", RIP %0*llx",
gGuest.
WordSize * 2, Originator->Rip);
917 if (ret < 0 || ret >= rem)
919 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
931 ret = snprintf(l, rem,
", Instr: %s", instr);
933 if (ret < 0 || ret >= rem)
935 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
945 if (Originator->Return.Library && Originator->Return.Rip != Originator->Rip)
951 "Return -> Module: ",
955 if (ret < 0 || ret >= rem)
957 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
965 ret = snprintf(l, rem,
", RIP %0*llx",
gGuest.
WordSize * 2, Originator->Return.Rip);
967 if (ret < 0 || ret >= rem)
969 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
996 ret = snprintf(l, rem,
", InjInfo: (%u, %0*llx), Init: (%u, %u)",
998 Victim->Injection.Gva, Victim->Object.WinProc->StartInitializing,
999 Victim->Object.WinProc->Initialized);
1004 ret = snprintf(l, rem,
", ExecInfo: (0x%0*llx, 0x%0*llx), Stack: (0x%0*llx, 0x%0*llx), SP = 0x%0*llx",
1007 Victim->ExecInfo.StackLimit,
gGuest.
WordSize * 2, Victim->ExecInfo.Rsp);
1010 if (ret < 0 || ret >= rem)
1012 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
1026 if (Victim->Object.Vad)
1030 if (Victim->Object.Vad->Path)
1032 path = Victim->Object.Vad->Path->Path;
1034 else if (Victim->Object.Vad->IsStack)
1039 LOG(
"Victim -> VAD: [%llx - %llx], Prot: %x, VadProt: %x, Type: %d, Name: %s\n",
1040 Victim->Object.Vad->StartPage, Victim->Object.Vad->EndPage, Victim->Object.Vad->Protection,
1041 Victim->Object.Vad->VadProtection, Victim->Object.Vad->VadType,
utf16_for_log(path));
1044 if (Victim->Object.Library.WinMod)
1046 QWORD startGva, exportGva;
1053 if (ret < 0 || ret >= rem)
1055 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
1065 startGva = exportGva = Victim->Injection.Gva;
1069 startGva = exportGva = Victim->Ept.Gva;
1072 if (Victim->Object.Library.Export == NULL)
1078 pExport = Victim->Object.Library.Export;
1081 if (pExport != NULL)
1083 ret = snprintf(l, rem,
", Exports (%u) : [", pExport->
NumberOfOffsets);
1085 if (ret < 0 || ret >= rem)
1087 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
1099 ret = snprintf(l, rem,
"'%s'", pExport->
Names[export]);
1103 ret = snprintf(l, rem,
"'%s',", pExport->
Names[export]);
1106 if (ret < 0 || ret >= rem)
1108 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
1117 ret = snprintf(l, rem,
"], Delta: +%02x, ",
1118 (
DWORD)(Victim->Ept.Gva - Victim->Object.Library.WinMod->VirtualBase - pExport->
Rva));
1120 if (ret < 0 || ret >= rem)
1122 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
1153 "Victim -> Module: ",
1157 if (ret < 0 || ret >= rem)
1159 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
1168 if (Victim->Object.Library.Export == NULL)
1174 pExport = Victim->Object.Library.Export;
1177 if (pExport != NULL)
1179 ret = snprintf(l, rem,
", Exports (%u) : [", pExport->
NumberOfOffsets);
1181 if (ret < 0 || ret >= rem)
1183 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
1195 ret = snprintf(l, rem,
"'%s'", pExport->
Names[export]);
1199 ret = snprintf(l, rem,
"'%s',", pExport->
Names[export]);
1202 if (ret < 0 || ret >= rem)
1204 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
1214 ret = snprintf(l, rem,
"], Delta: +%02x, ",
1215 (
DWORD)(Victim->Ept.Gva - Victim->Object.Library.WinMod->VirtualBase - pExport->
Rva));
1217 if (ret < 0 || ret >= rem)
1219 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
1228 ret = snprintf(l, rem,
", Address: (%0*llx, %0*llx)",
1232 if (ret < 0 || ret >= rem)
1234 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
1242 ret = snprintf(l, rem,
", WriteInfo: (%u, %016llx -> %016llx)",
1243 Victim->WriteInfo.AccessSize,
1244 Victim->WriteInfo.OldValue[0],
1245 Victim->WriteInfo.NewValue[0]);
1247 if (ret < 0 || ret >= rem)
1249 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
1257 if (Victim->ZoneFlags)
1259 ret = snprintf(l, rem,
", Flags:%s%s%s%s%s (0x%llx)",
1265 (
unsigned long long)Victim->ZoneFlags);
1267 if (ret < 0 || ret >= rem)
1269 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
1286 ret = snprintf(l, rem,
"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^%sMALWARE (user-mode) ",
1287 (Victim->Object.WinProc->BetaDetections) ?
" (B) " :
" ");
1289 if (ret < 0 || ret >= rem)
1291 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
1302 ret = snprintf(l, rem,
"(no sig)");
1305 ret = snprintf(l, rem,
"(no exc)");
1308 ret = snprintf(l, rem,
"(extra)");
1311 ret = snprintf(l, rem,
"(error)");
1314 ret = snprintf(l, rem,
"(value)");
1317 ret = snprintf(l, rem,
"(value code)");
1320 ret = snprintf(l, rem,
"(export)");
1323 ret = snprintf(l, rem,
"(idt)");
1326 ret = snprintf(l, rem,
"(version os)");
1329 ret = snprintf(l, rem,
"(version intro)");
1332 ret = snprintf(l, rem,
"(process creation)");
1335 ret = snprintf(l, rem,
"(unknown)");
1338 ret = snprintf(l, rem,
"(%d)", Reason);
1342 if (ret < 0 || ret >= rem)
1344 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
1352 ret = snprintf(l, rem,
" ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^");
1354 if (ret < 0 || ret >= rem)
1356 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
1375 if (NULL == pDebugger)
1377 LOG(
"[DPI] Process %s [0x%08x] (%d, 0x%016llx) is debugged by process %s!\n",
1382 LOG(
"[DPI] Process %s [0x%08x] (%d, 0x%016llx) is debugged by process %s [0x%08x] (%d, 0x%016llx)!\n",
1392 LOG(
"[DPI] Process %s [0x%08x] (%d, 0x%016llx) attempted to start process %s [0x%08x] " 1393 "(%d, 0x%016llx) with a pivoted stack!\n",
1397 LOG(
"[DPI] Current stack 0x%016llx [base 0x%016llx, limit 0x%016llx], wow64 " 1398 "stack 0x%016llx [base 0x%016llx, limit 0x%016llx]\n",
1419 ERROR(
"[ERROR] IntVirtMemMap failed for 0x%016llx: 0x%08x\n",
1423 goto _skip_trap_frame;
1443 ERROR(
"[ERROR] IntVirtMemMap failed for 0x%016llx: 0x%08x\n",
1447 goto _skip_trap_frame;
1464 LOG(
"[DPI] Process %s [0x%08x] (%d, 0x%016llx) started with " 1465 "a stolen token from %s [0x%08x] (%d, 0x%016llx)!\n",
1473 WORD maxNumberOfHeapVals = 0;
1474 DWORD detectedPage = 0, maxPageHeapVals = 0;
1476 LOG(
"[DPI] Process %s [0x%08x] (%d, 0x%016llx) started from %s " 1477 "[0x%08x] (%d, 0x%016llx) after it has been heap sprayed! (shell code flags: 0x%016llx)\n",
1490 DWORD checkedPage = ((val << 24) | (val << 16) | (val << 8) | val) &
PAGE_MASK;
1492 LOG(
"[DPI] For page 0x%08x, %s %s %s (offset 0x%03x), number of heap values: %d\n",
1495 "was mapped" :
"was not mapped",
1497 "was detected" :
"was not detected",
1499 "executable" :
"not executable",
1505 detectedPage = checkedPage;
1510 >= maxNumberOfHeapVals &&
1513 maxNumberOfHeapVals =
1515 maxPageHeapVals = checkedPage;
1519 LOG(
"[INFO] Page detected: 0x%08x, maximum number of heap values: 0x%08x (%d)\n",
1520 detectedPage, maxPageHeapVals, maxNumberOfHeapVals);
1524 if (0 != detectedPage)
1526 LOG(
"[INFO] Dumping page: 0x%08x...\n", detectedPage);
1531 if (detectedPage != maxPageHeapVals)
1533 LOG(
"[INFO] Dumping page: 0x%08x...\n", maxPageHeapVals);
1543 LOG(
"[DPI] Process %s [0x%08x] (%d, 0x%016llx) started from %s [0x%08x] (%d, 0x%016llx) " 1544 "after it didn't pass privileges checks!\n",
1554 LOG(
"[DPI] Privileges: Enabled: old: 0x%016llx, new: 0x%016llx, Present: old: 0x%016llx, new: 0x%016llx\n",
1565 LOG(
"[DPI] Process %s [0x%08x] (%d, 0x%016llx) started from %s " 1566 "[0x%08x] (%d, 0x%016llx) from a thread considered suspicious (start 0x%016llx, shellcode flags: 0x%016llx)!\n",
1592 LOG(
"[DPI] Process %s [0x%08x] (%d, 0x%016llx) was created by %s [0x%08x] (%d, 0x%016llx) " 1593 "using an altered SD (stolen from process %s [0x%08x] (%d, 0x%016llx))\n",
1602 pStolenFrom ? pStolenFrom->
Name :
"NULL",
1603 pStolenFrom ? pStolenFrom->
NameHash : 0,
1604 pStolenFrom ? pStolenFrom->
Pid : 0,
1609 LOG(
"[DPI] SACL/DACL for process 0x%llx (%d / %s) have been modified\n",
1614 LOG(
"[DPI] Old SACL AclSize:0x%x, AceCount:0x%x, AclRevision:0x%x " 1615 "New SACL AclSize:0x%x, AceCount:0x%x, AclRevision:0x%x " 1616 "Old DACL AclSize:0x%x, AceCount:0x%x, AclRevision:0x%x " 1617 "New DACL AclSize:0x%x, AceCount:0x%x, AclRevision:0x%x\n",
1633 ERROR(
"[ERROR] Victim has type introObjectTypeProcessCreationDpi but no known flag was given, " 1634 "flags: 0x%x\n", Originator->PcType);
1772 if (Victim->Injection.Gva >= Victim->Object.WinProc->Peb32Address &&
1773 Victim->Injection.Gva < Victim->Object.WinProc->Peb32Address +
WIN_UM_FIELD(Peb, 32Size))
1780 if (Victim->Injection.Gva >= Victim->Object.WinProc->Peb64Address &&
1781 Victim->Injection.Gva < Victim->Object.WinProc->Peb64Address +
WIN_UM_FIELD(Peb, 64Size))
1812 LOG(
"[ERROR] This is a corruption in the update/exception. Type = %d!\n", ZoneType);
1845 if (ExceptionFlags & EXCEPTION_FLG_32)
1848 match = !
gGuest.
Guest64 || Originator->WinProc->Wow64Process;
1850 else if (ExceptionFlags & EXCEPTION_FLG_64)
1853 match =
gGuest.
Guest64 && !Originator->WinProc->Wow64Process;
1859 if (ExceptionFlags & EXCEPTION_FLG_32)
1863 else if (ExceptionFlags & EXCEPTION_FLG_64)
1898 if (Victim->Object.WinProc->ParentEprocess != Originator->WinProc->EprocessAddress)
1905 if (Victim->Object.LixProc->ActualParent != Originator->LixProc->Gva)
1943 if (!Victim->Object.WinProc->SystemProcess)
1950 if (!Originator->WinProc->SystemProcess)
1959 if ((Victim->Object.WinProc->InjectedApphelpAddress != Victim->Injection.Gva) ||
1960 (Victim->Object.WinProc->InjectedAppHelpSize != Victim->Injection.Length))
1970 if (Originator->WinProc->OneTimeInjectionDone)
1976 Originator->WinProc->OneTimeInjectionDone =
TRUE;
1981 if (Victim->Object.WinProc->OneTimeInjectionDone)
1987 Victim->Object.WinProc->OneTimeInjectionDone =
TRUE;
2047 else if (Originator->LixProc->Path)
2072 Exception->Victim.NameHash == Victim->Object.NameHash);
2101 match = Exception->Victim.ProcessHash == Originator->WinProc->NameHash;
2105 match = Exception->Victim.ProcessHash == Originator->LixProc->CommHash;
2126 return ((Item ==
'*') || (Item ==
'?') || (Item ==
']') || (Item ==
'[') || (Item ==
'/'));
2177 if (Victim->Object.WinProc->Lsass && (Victim->ZoneFlags &
ZONE_READ))
2179 logInjection =
FALSE;
2183 if (logInjection && Originator->Process)
2189 cr3 = Originator->WinProc->Cr3;
2193 cr3 = Originator->LixProc->Cr3;
2197 if (Victim->Injection.Buffer &&
2198 Victim->Injection.BufferSize == Victim->Injection.Length)
2201 Originator->SourceVA,
2202 Victim->Injection.BufferSize,
2208 else if ((Victim->ZoneFlags &
2212 Victim->Injection.Length,
2236 Originator->Process = Process;
2237 Originator->Library = NULL;
2239 Originator->Execute =
TRUE;
2246 memzero(&stack,
sizeof(stack));
2247 stack.
Traces = stackElements;
2252 WARNING(
"[WARNING] IntWinStackTraceGetUser failed: %08x\n", status);
2302 #define MEMORY_FUNC_SIZE 0x400 2304 isUcrtbase = 0 ==
wstrcasecmp(Module->Path->Name, u
"ucrtbase.dll");
2308 DWORD rva = (
DWORD)(Originator->Rip - Module->VirtualBase);
2311 if (NULL == Module->Cache || !Module->Cache->MemoryFuncsRead)
2316 for (
DWORD i = 0; i <
ARRAYSIZE(Module->Cache->MemFuncs.FuncArray); i++)
2318 if (0 == Module->Cache->MemFuncs.FuncArray[i])
2323 if (rva > Module->Cache->MemFuncs.FuncArray[i] &&
2326 foundMemFunc =
TRUE;
2336 else if (((Module->Path->NameSize < 10 || 0 != memcmp(Module->Path->Name, u
"msvcr", 10)) &&
2337 (Module->Path->NameSize < 18 || 0 != memcmp(Module->Path->Name, u
"vcruntime", 18))) &&
2344 memzero(&stack,
sizeof(stack));
2345 stack.
Traces = stackElements;
2361 ERROR(
"[ERROR] IntWinStackTraceGetUser failed: %08x\n", status);
2367 if (stack.
Bits64 && !isUcrtbase && !Process->ExploitGuardEnabled)
2387 if (isUcrtbase && Process->ExploitGuardEnabled)
2404 Originator->Return.Library = pModule;
2406 Originator->Return.NameWide = pModule->
Path->
Name;
2430 #undef MEMORY_FUNC_SIZE 2456 if (NULL == Process)
2461 if (NULL == Originator)
2466 Originator->Process = Process;
2467 Originator->Library = NULL;
2468 Originator->Execute =
FALSE;
2475 Originator->Rip = Address;
2476 Originator->Instruction = Instrux;
2478 Originator->Library = pMod;
2479 if (NULL != Originator->Library)
2481 Originator->NameHash = Originator->WinLib->
Path->
NameHash;
2482 Originator->NameWide = Originator->WinLib->Path->Name;
2487 Originator->Name = NULL;
2493 WARNING(
"[WARNING] IntExceptUserHandleMemoryFunctions failed: %08x\n", status);
2505 Originator->Rip = Address;
2506 Originator->Instruction = Instrux;
2509 Originator->Name = NULL;
2511 else if (!ModuleWrite)
2513 Originator->SourceVA = Address;
2551 if (Process == NULL)
2566 Victim->Object.Type = ObjectType;
2567 Victim->Object.Process = Process;
2576 Victim->Object.BaseAddress = pProcess->
Cr3;
2577 Victim->Object.NameHash = pProcess->
NameHash;
2578 Victim->Object.Name = pProcess->
Name;
2584 Victim->Object.BaseAddress = pTask->
Cr3;
2585 Victim->Object.NameHash = pTask->
CommHash;
2586 Victim->Object.Name = pTask->
Comm;
2615 if (NULL == Process)
2627 Victim->ZoneFlags = ZoneFlags;
2629 Victim->Injection.Gva = DestinationGva;
2630 Victim->Injection.Length = Length;
2632 Victim->Object.Process = Process;
2638 Victim->Object.BaseAddress = pProc->
Cr3;
2639 Victim->Object.NameHash = pProc->
NameHash;
2640 Victim->Object.Name = pProc->
Name;
2650 Victim->Object.Library.Module = pMod;
2662 Victim->Object.BaseAddress = pTask->
Cr3;
2663 Victim->Object.NameHash = pTask->
CommHash;
2664 Victim->Object.Name = pTask->
Comm;
2735 _In_ void *Exception,
2760 switch (ExceptionType)
2776 ERROR(
"[ERROR] Shouldn't reach here. Exception Type is %d...\n", ExceptionType);
2780 switch (ExceptionType)
2797 ERROR(
"[ERROR] Shouldn't reach here. Exception Type is %d...\n", ExceptionType);
2804 switch (ExceptionType)
2821 ERROR(
"[ERROR] Shouldn't reach here. Exception Type is %d...\n", ExceptionType);
2825 switch (ExceptionType)
2842 ERROR(
"[ERROR] Shouldn't reach here. Exception Type is %d...\n", ExceptionType);
2846 switch (ExceptionType)
2863 ERROR(
"[ERROR] Shouldn't reach here. Exception Type is %d...\n", ExceptionType);
2867 switch (ExceptionType)
2884 ERROR(
"[ERROR] Shouldn't reach here. Exception Type is %d...\n", ExceptionType);
2888 switch (ExceptionType)
2905 ERROR(
"[ERROR] Shouldn't reach here. Exception Type is %d...\n", ExceptionType);
2949 if (NULL == Originator)
2966 if (showNotLoadedWarning)
2968 LOG(
"**************************************************\n");
2969 LOG(
"************Exceptions are not loaded*************\n");
2970 LOG(
"**************************************************\n");
2972 showNotLoadedWarning =
FALSE;
2988 !memcmp(Victim->WriteInfo.OldValue, Victim->WriteInfo.NewValue,
2989 MIN(Victim->WriteInfo.AccessSize,
sizeof(Victim->WriteInfo.NewValue)))))
3003 goto _match_ex_alert;
3008 goto _match_ex_alert;
3011 if (pEx->OriginatorNameHash > Originator->NameHash)
3015 else if (pEx->OriginatorNameHash != Originator->NameHash)
3034 goto _match_ex_alert_process;
3038 if (pEx->OriginatorNameHash > Originator->NameHash)
3042 else if (pEx->OriginatorNameHash < Originator->NameHash)
3047 _match_ex_alert_process:
3059 goto _match_ex_process;
3063 if (pEx->OriginatorNameHash > Originator->NameHash)
3067 else if (pEx->OriginatorNameHash < Originator->NameHash)
3112 if (Originator->Name != NULL)
3118 if ((Originator->Name[0] < pEx->OriginatorNameGlob[0]) &&
3124 if ((Originator->Name[0] != pEx->OriginatorNameGlob[0]) &&
3130 if (Originator->Library == NULL && Originator->Name != NULL)
3137 else if (Originator->Library != NULL && Originator->NameWide != NULL)
3152 TRACE(
"[EXCEPTION] IntExceptMatchException (GLOB) returned INT_STATUS_EXCEPTION_ALLOW.");
3167 if (pEx->OriginatorNameHash > Originator->NameHash)
3171 else if (pEx->OriginatorNameHash < Originator->NameHash)
3189 if (Originator->Library && Originator->Return.Library &&
3190 (Originator->Rip == Originator->Return.Rip))
3192 goto _beta_exceptions;
3199 if (pEx->OriginatorNameHash > Originator->Return.NameHash)
3203 else if (pEx->OriginatorNameHash < Originator->Return.NameHash)
3235 if (pEx->OriginatorNameHash != Originator->Return.NameHash)
3242 if (pEx->OriginatorNameHash != Originator->NameHash)
3260 goto _match_process_beta_ex;
3265 goto _match_process_beta_ex;
3270 if (pEx->OriginatorNameHash != Originator->Return.NameHash)
3277 if (pEx->OriginatorNameHash != Originator->NameHash)
3283 _match_process_beta_ex:
WINUM_PATH * Path
Module path.
The object allows only dlls which are detected as suspicious (e.g. module loads before kernel32...
INTSTATUS IntExceptUserVerifyExtra(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_UM_ORIGINATOR *Originator, UM_EXCEPTION *Exception)
This function is used as an extra step in the exception mechanism that verifies the initialization flags of...
BOOLEAN Bits64
TRUE if we got the stack frame in 64-bit mode (RBP) or 32 (EBP)
enum _INTRO_ACTION_REASON INTRO_ACTION_REASON
The reason for which an INTRO_ACTION was taken.
#define INT_STATUS_EXCEPTION_NOT_MATCHED
int IntExceptPrintWinProcInfo(WIN_PROCESS_OBJECT *Process, char *Header, char *Line, int MaxLength, DWORD NameAlignment)
Print the data from the provided WIN_PROCESS_OBJECT.
struct _DPI_EXTRA_INFO::@206::@210 HeapPages[HEAP_SPRAY_NR_PAGES]
QWORD Cr3
The CR3 for this process.
#define HEAP_SPRAY_NR_PAGES
DWORD MonitorModules
TRUE if we need to monitor module load/unloads.
char * utf16toutf8(char *Destination, const WCHAR *Source, DWORD DestinationMaxLength)
INTSTATUS IntVirtMemUnmap(void **HostPtr)
Unmaps a memory range previously mapped with IntVirtMemMap.
INTSTATUS IntExceptUserGetOriginator(void *Process, BOOLEAN ModuleWrite, QWORD Address, INSTRUX *Instrux, EXCEPTION_UM_ORIGINATOR *Originator)
This function is used to get the information about the user-mode originator.
The creation of a process was attempted while the parent had its heap sprayed.
An internal error occurred (no memory, pages not present, etc.).
static __inline BOOLEAN IntExceptUserMatchProcessHash(EXCEPTION_UM_ORIGINATOR *Originator, UM_EXCEPTION *Exception)
Checks if the exception process name-hash of the current exception matches the process name-hash of t...
static void InsertHeadList(LIST_ENTRY *ListHead, LIST_ENTRY *Entry)
IG_ARCH_REGS Regs
The current state of the guest registers.
QWORD SystemCr3
The Cr3 used to map the kernel.
#define INT_STATUS_SUCCESS
struct _DPI_EXTRA_INFO::@204 DpiPivotedStackExtraInfo
BOOLEAN glob_match_utf8(char const *Pattern, char const *String, BOOLEAN IgnoreCase, BOOLEAN Truncated)
BOOLEAN glob_match_utf16(char const *Pattern, WCHAR const *String, BOOLEAN IgnoreCase, BOOLEAN Truncated)
struct _DPI_EXTRA_INFO::@209 DpiSecDescAclExtraInfo
#define ZONE_LIB_RESOURCES
Used for the resources section (usually .rsrc inside a driver or dll).
User-mode non executable zone.
LIST_HEAD GenericUserExceptions
Linked list used for user-mode exceptions that have a generic originator(*).
QWORD TrapFrameAddress
The address of the trap frame. Used for more information gathering when sending the alert...
Process creation violation.
The modified object is anything inside the structure CONTEXT (valid only for windows).
QWORD Wow64StackLimit
The known stack limit in WoW64 mode. Valid only if the process is WoW64.
Signals an attempt to set an instrumentation callback.
LIST_HEAD ProcessCreationAlertExceptions
Linked list used for process-creation exceptions that are added from alert.
QWORD NewEnabled
The new value from parent's token Privileges.Enabled field, which was deemed malicious.
struct _WIN_PROCESS_OBJECT::@232 CreationInfo
DWORD NumberOfOffsets
Number of symbols pointing to the exported RVA.
#define WIN_UM_FIELD(Structure, Field)
Macro used to access user mode fields inside the WIN_OPAQUE_FIELDS structure.
The exception will take into consideration the return driver/dll.
static __inline BOOLEAN IntExceptUserMatchChild(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_UM_ORIGINATOR *Originator, DWORD ExceptionFlags)
Checks if the victim is a child of the originator.
#define INT_SUCCESS(Status)
void IntDumpWinTrapFrame32(KTRAP_FRAME32 *TrapFrame)
This function dumps a windows 64 guest trap frame.
#define EXCEPTION_NO_NAME
QWORD StartAddress
The address on which the parent's thread started execution.
ACL OldDacl
The old DACL header.
INTRO_PC_VIOLATION_TYPE
Process creation violation flags.
The modified object is inside an EPT hook.
#define INT_STATUS_EXCEPTION_CHECKS_OK
Describe a user-mode glob exception.
enum _UM_EXCEPTION_OBJECT UM_EXCEPTION_OBJECT
Object type of the user-mode exception.
Structure that describes a stack trace element.
The exception is valid only for read violation.
#define INT_STATUS_NOT_NEEDED_HINT
Process creation violation DPI.
DWORD NumberOfTraces
Number of elements inside Traces.
LIST_HEAD UserAlertExceptions
Linked list used for user-mode exceptions that are added from alert.
Describes a user-mode originator.
#define for_each_um_exception(_ex_head, _var_name)
INTSTATUS IntExceptUser(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_UM_ORIGINATOR *Originator, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason)
This function iterates through exception lists and tries to find an exception that matches the origin...
The name can be any string.
QWORD StolenFromEprocess
The EPROCESS address from which the token was stolen.
LIST_HEAD UserExceptions[EXCEPTION_TABLE_SIZE]
Array of linked lists used for user-mode exceptions.
INTSTATUS IntExceptMatchException(void *Victim, void *Originator, void *Exception, EXCEPTION_TYPE ExceptionType, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason)
This function tries to find an exception for the current violation.
int INTSTATUS
The status data type.
BOOLEAN Loaded
True if the exceptions are loaded.
DWORD NameHash
Name hash, as used by the exceptions module.
The exception will match only for the init phase of a driver/process.
static __inline BOOLEAN IntExceptUserMatchZoneType(EXCEPTION_VICTIM_ZONE *Victim, UM_EXCEPTION_OBJECT ZoneType)
Checks if the zone-type of the current exception matches the zone-type of the victim.
The exception is valid only if the originator process is a system process.
static char * IntExceptUserGetPcTypeString(INTRO_PC_VIOLATION_TYPE Type)
Returns a string that contains the description of the provided process creation violation type...
QWORD DebuggerEprocess
This will keep the EPROCESS of the debugger process (if any).
#define MAX_PATH
The maximum size of a path (260 characters on windows).
struct _WIN_PROCESS_MODULE * PWIN_PROCESS_MODULE
User-mode exception that accepts glob content.
static __inline BOOLEAN IntExceptUserMatchProcessGlob(EXCEPTION_UM_ORIGINATOR *Originator, UM_EXCEPTION_GLOB *Exception)
Checks if the exception process glob-name of the current exception matches the process glob-name of t...
ACL NewSacl
The new SACL header.
INTRO_GUEST_TYPE OSType
The type of the guest.
QWORD Wow64StackBase
The known stack base in WoW64 mode. Valid only if the process is WoW64.
INTSTATUS IntExceptUserGetExecOriginator(void *Process, EXCEPTION_UM_ORIGINATOR *Originator)
This function is used to get the originator for heap execution.
INSTRUX Instruction
The current instruction, pointed by the guest RIP.
INTSTATUS IntExceptGetVictimProcess(void *Process, QWORD DestinationGva, DWORD Length, QWORD ZoneFlags, EXCEPTION_VICTIM_ZONE *Victim)
This function is used to get the information about the victim process for injection violations...
The exception is valid only for write violation.
STACK_ELEMENT * Traces
Array describing the stack trace elements.
DWORD CommHash
The CRC32 checksum of the Comm field.
#define ZONE_PROC_INSTRUMENT
Used for exceptions for instrumentation callback.
The modified object is only another process (injection basically).
void * ReturnModule
The module to which the function belongs.
PWIN_PROCESS_MODULE IntWinUmModFindByAddress(PWIN_PROCESS_OBJECT Process, QWORD Gva)
Searches for a user-mode module which contains the indicated guest virtual address.
static __inline BOOLEAN IntExceptUserMatchNameHash(EXCEPTION_VICTIM_ZONE *Victim, UM_EXCEPTION *Exception)
Checks if the exception name-hash of the current exception matches the name-hash of the victim...
QWORD Cr3
Process PDBR. Includes PCID.
enum _INTRO_OBJECT_TYPE INTRO_OBJECT_TYPE
The type of the object protected by an EPT hook.
#define ZONE_LIB_CODE
Used for a generic code zone.
#define INITIAL_CRC_VALUE
EXCEPTIONS * Exceptions
The exceptions that are currently loaded.
static INTSTATUS IntExceptUserHandleMemoryFunctions(WIN_PROCESS_OBJECT *Process, WIN_PROCESS_MODULE *Module, EXCEPTION_UM_ORIGINATOR *Originator)
This function is used to check if the write has been made using a function that writes/reads memory (eg...
static BOOLEAN RemoveEntryList(LIST_ENTRY *Entry)
#define ZONE_EXECUTE
Used for execute violation.
The parent of a process has a stolen access token when it created the child.
The exception is valid only for execute violation.
BOOLEAN Guest64
True if this is a 64-bit guest, False if it is a 32-bit guest.
#define ZONE_PROC_THREAD_APC
Used for the APC thread hijacking technique.
CHAR Name[IMAGE_BASE_NAME_LEN]
Process base name.
enum _EXCEPTION_TYPE EXCEPTION_TYPE
The type of an exception.
The creation of a process was attempted with token privileges altered in a malicious way...
static void IntExceptUserLogWindowsInformation(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_UM_ORIGINATOR *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason)
Print the information about a violation (windows guest).
static __inline BOOLEAN IntExceptUserMatchNameGlob(EXCEPTION_VICTIM_ZONE *Victim, UM_EXCEPTION_GLOB *Exception)
Checks if the exception glob-name of the current exception matches the glob-name of the victim...
#define INT_STATUS_INVALID_PARAMETER_4
INTSTATUS IntExceptUserVerifyExtraGlobMatch(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_UM_ORIGINATOR *Originator, UM_EXCEPTION_GLOB *Exception)
This function is used as an extra step in the exception mechanism that verifies the initialization flags of...
The parent of a process had a pivoted stack when it created the child.
QWORD CurrentWow64Stack
The current stack of the process in WoW64 mode. Valid only if the process is WoW64.
int IntExceptPrintWinModInfo(WIN_PROCESS_MODULE *Module, char *Header, char *Line, int MaxLength, DWORD NameAlignment)
Print the data from the provided WIN_PROCESS_MODULE.
TIMER_FRIENDLY void IntDumpBuffer(const void *Buffer, QWORD Gva, DWORD Length, DWORD RowLength, DWORD ElementLength, BOOLEAN LogHeader, BOOLEAN DumpAscii)
This function dumps a given buffer in a user friendly format.
#define INT_STATUS_INVALID_PARAMETER_5
DPI_EXTRA_INFO DpiExtraInfo
Represents the gathered extra info while checking the DPI heuristics.
QWORD ReturnAddress
The address where the current stack frame will return (@ ret)
QWORD SecDescStolenFromEproc
If the parent security descriptor has been stolen, this variable may indicate (in case we find it) th...
QWORD NewPresent
The new value of the parent's token Privileges.Present field, which was deemed malicious.
QWORD CurrentStack
The current stack of the process at the point of process creation.
void IntDumpWinTrapFrame64(KTRAP_FRAME64 *TrapFrame)
This function dumps a windows 64 guest trap frame.
BYTE WordSize
Guest word size. Will be 4 for 32-bit guests and 8 for 64-bit guests.
The modified object is anything inside of the PEB32 structure.
ACL OldSacl
The old SACL header.
void IntExceptUserLogInformation(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_UM_ORIGINATOR *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason)
Print the information about a user-mode violation, dumps the code-blocks and the injection buffer...
DWORD Pid
Process ID (the one used by Windows).
#define ZONE_LIB_EXPORTS
Used for the exports of a dll, driver, etc.
static __inline BOOLEAN IntExceptUserMatchZoneFlags(EXCEPTION_VICTIM_ZONE *Victim, DWORD ZoneFlags)
Checks if the zone-flags of the current exception match the zone flags of the victim.
The modified object is inside the process module's IAT.
Describes the modified zone.
struct _DPI_EXTRA_INFO::@205 DpiStolenTokenExtraInfo
DWORD NameHash
The CRC32 hash of the name. Used for fast matching.
ACL NewDacl
The new DACL header.
Describe a user-mode exception.
DWORD Rva
The RVA of this export.
Executions inside the SharedUserData region.
struct _DPI_EXTRA_INFO::@208 DpiThreadStartExtraInfo
QWORD StackBase
The known stack base present in TIB at the moment of process creation.
struct _DPI_EXTRA_INFO::@206 DpiHeapSprayExtraInfo
LIST_HEAD GlobUserExceptions
Linked list used for user-mode exceptions that contains glob content.
#define EXCEPTION_NO_WNAME
#define for_each_um_glob_exception(_ex_head, _var_name)
The exception file was not loaded (there are no exceptions).
enum _INTRO_ACTION INTRO_ACTION
Event actions.
LIST_HEAD ProcessCreationExceptions
Linked list used for process creations exceptions.
static __inline BOOLEAN IntExceptUserMatchArchitecture(EXCEPTION_UM_ORIGINATOR *Originator, DWORD ExceptionFlags)
Checks if the architecture-flags of the current exception match the architecture-flags of the origina...
The exception is valid only if the modified process is a child of the originator process.
INTSTATUS IntWinUmCheckInitializationInjection(PEXCEPTION_VICTIM_ZONE Victim, PEXCEPTION_UM_ORIGINATOR Originator)
This function is used by the exception mechanism in order to verify the initialization state of a pro...
static BOOLEAN IntExceptUserIsGlobItem(char Item)
Checks if the provided char is a glob char.
int IntExceptPrintLixTaskInfo(const LIX_TASK_OBJECT *Task, char *Header, char *Line, int MaxLength, DWORD NameAlignment)
Print the information about the provided LIX_TASK_OBJECT.
Signals an execution inside SharedUserData.
The action was allowed, but it has the BETA flag (Introcore is in log-only mode). ...
static __inline BOOLEAN IntExceptUserMatchSystemProcess(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_UM_ORIGINATOR *Originator, DWORD ExceptionFlags)
Checks if the originator is a system process; for process-creation violation this function checks if ...
WCHAR * Name
The name of the module contained in the path.
struct _DPI_EXTRA_INFO::@207 DpiTokenPrivsExtraInfo
__must_check INTSTATUS IntVirtMemMap(QWORD Gva, DWORD Length, QWORD Cr3, DWORD Flags, void **HostPtr)
Maps a guest virtual memory range inside Introcore virtual address space.
INTSTATUS IntExceptUserMatchVictim(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_UM_ORIGINATOR *Originator, void *Exception, EXCEPTION_TYPE ExceptionType)
This function checks if the exception matches the originator and the modified zone.
MM Mm
Guest memory information, such as paging mode, system Cr3 value, etc.
static void IntExceptUserLogLinuxInformation(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_UM_ORIGINATOR *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason)
Print the information about a violation (Linux guest).
QWORD EprocessAddress
This will be the address of the ActiveProcess field.
char Comm[LIX_COMM_SIZE]
The short name of the executable.
The parent of a process tried to obtain debug privileges over the child.
The parent of a process has an altered security descriptor pointer.
GUEST_STATE gGuest
The current guest state.
The modified object is inside a process.
char gExcLogLine[2 *ONE_KILOBYTE]
The exception log line.
VAD * IntWinVadFindAndUpdateIfNecessary(WIN_PROCESS_OBJECT *Process, QWORD StartHint, QWORD LengthHint)
Searches for a VAD in the Introcore VAD tree. If no VAD is found, or if the found one does not fully ...
The modified object is inside the process modules.
TIMER_FRIENDLY void IntDumpGva(QWORD Gva, DWORD Length, QWORD Cr3)
This function is a wrapper over IntDumpGvaEx (it uses RowLength = 16, ElementLength = 1...
LIST_HEAD ProcessCreationFeedbackExceptions
Linked list used for process-creation exceptions that have the feedback flag.
#define EXCEPTION_TABLE_ID(H)
#define INT_STATUS_STACK_SWAPPED_OUT
Indicates that the stack was needed in order to match the exceptions, but it is swapped out...
PWIN_PROCESS_OBJECT IntWinProcFindObjectByEprocess(QWORD Eprocess)
Finds a process by the address of its _EPROCESS structure.
LIST_HEAD UserFeedbackExceptions
Linked list used for user-mode exceptions that have the feedback flag.
The thread which created the process has started execution on some suspicious code.
Virtual SYSCALL (user-mode, Linux-only).
#define PROC_OPT_BETA
Process is monitored, but in log-only mode so no actions will be blocked.
int wstrcasecmp(const WCHAR *buf1, const WCHAR *buf2)
#define ZONE_READ
Used for read violation.
WINUM_CACHE_EXPORT * IntWinUmCacheGetExportFromRange(WIN_PROCESS_MODULE *Module, QWORD Gva, DWORD Length)
Tries to find an export in the range [Gva - Length, Gva].
DWORD MonitorVad
TRUE if we need to handle VAD events for this process.
The action was blocked because no exception signature matched.
PCHAR Names[MAX_OFFSETS_PER_NAME]
The names pointing to this RVA. Each name will point inside the Names structure inside WINUM_CACHE_EX...
void IntExceptDumpSignatures(void *Originator, EXCEPTION_VICTIM_ZONE *Victim, BOOLEAN KernelMode, BOOLEAN ReturnDrv)
Dump code blocks from the originator's RIP.
Virtual dynamic shared object (user-mode, Linux-only).
The modified object is any with the modified name.
char * utf16_for_log(const WCHAR *WString)
Converts a UTF-16 to a UTF-8 string to be used inside logging macros.
Exposes the function used to perform initialization checks on Windows processes.
LIX_TASK_OBJECT * IntLixTaskFindByGva(QWORD TaskStruct)
Finds Linux process with the provided "task_struct" guest virtual address.
#define INT_STATUS_INVALID_PARAMETER_1
#define INT_STATUS_NOT_SUPPORTED
VCPU_STATE * gVcpu
The state of the current VCPU.
The action was blocked because there was no exception for it.
The modified object is the thread on which an asynchronous procedure call was performed...
#define ZONE_PROC_THREAD_CTX
Used for the CONTEXT structure of a thread.
#define ZONE_LIB_IMPORTS
Used for the imports of a dll, driver, etc.
Used for process-creation violations.
Structure that describes a stack trace.
The exception is valid only on 32 bit systems/process.
The parent of a process has an altered access control entry (inside SACL or DACL).
#define EXPORT_NAME_UNKNOWN
QWORD ShellcodeFlags
Contains the flags on the first page which was detected through shemu.
The exception is valid only for apphelp process.
INTSTATUS IntExceptGetVictimProcessCreation(void *Process, INTRO_OBJECT_TYPE ObjectType, EXCEPTION_VICTIM_ZONE *Victim)
This function is used to get the information about the victim for process-creation violation...
#define ZONE_MODULE_LOAD
Used for exceptions for double agent.
Measures glob-match exceptions.
#define ZONE_WRITE
Used for write violation.
#define INT_STATUS_INVALID_PARAMETER_2
The exception is valid only once.
LIST_HEAD NoNameUserExceptions
Linked list used for user-mode exceptions that don't have a valid originator (-). ...
Process creation violation without any DPI heuristic being triggered.
INTSTATUS IntWinStackTraceGetUser(PIG_ARCH_REGS Registers, PWIN_PROCESS_OBJECT Process, DWORD MaxNumberOfTraces, STACK_TRACE *StackTrace)
Get the user stack trace of a windows process.
The process object creates another process using DPI flags.
The object that has an NX zone is executed.
#define INT_STATUS_EXCEPTION_ALLOW
This structure describes a running process inside the guest.
The exception (and the signature, where applicable) matched, but the extra checks failed.
#define INT_STATUS_INVALID_PARAMETER_3