Except guest behavior that will normally be blocked. More...

Files
file	alert_exceptions.h

file	exceptions.h

file	update_exceptions.h

file	alert_exceptions.c

file	exceptions.c

file	exceptions_kern.c
	Kernel mode exceptions.

file	exceptions_krnusr.c

file	exceptions_user.c
	User mode exceptions.

file	update_exceptions.c
	Handles exception updates.

Macros
#define	INT_STATUS_EXCEPTION_ALLOW INT_MAKE_STATUS(INT_STATUS_SEVERITY_INFORMATIONAL, INT_FACILITY_HVI, 0x00E1)

#define	INT_STATUS_EXCEPTION_CHECKS_OK INT_MAKE_STATUS(INT_STATUS_SEVERITY_INFORMATIONAL, INT_FACILITY_HVI, 0x00E2)

#define	INT_STATUS_SIGNATURE_MATCHED INT_MAKE_STATUS(INT_STATUS_SEVERITY_INFORMATIONAL, INT_FACILITY_HVI, 0x00E3)

#define	INT_STATUS_EXCEPTION_NOT_MATCHED INT_MAKE_STATUS(INT_STATUS_SEVERITY_ERROR, INT_FACILITY_HVI, 0x00E1)

#define	INT_STATUS_EXCEPTION_CHECKS_FAILED INT_MAKE_STATUS(INT_STATUS_SEVERITY_ERROR, INT_FACILITY_HVI, 0x00E2)

#define	INT_STATUS_SIGNATURE_NOT_FOUND INT_MAKE_STATUS(INT_STATUS_SEVERITY_ERROR, INT_FACILITY_HVI, 0x00E3)

#define	INT_STATUS_EXCEPTION_BLOCK INT_MAKE_STATUS(INT_STATUS_SEVERITY_ERROR, INT_FACILITY_HVI, 0x00EF)

Typedefs
typedef INTSTATUS(*	PFUNC_IntUpdateExceptions) (void *GuestHandle, PBYTE Buffer, DWORD Length, DWORD Flags)
	Loads a new exceptions version. More...

typedef INTSTATUS(*	PFUNC_IntGetExceptionsVersion) (void GuestHandle, WORD Major, WORD Minor, DWORD BuildNumber)
	Get the current exceptions version. More...

typedef INTSTATUS(*	PFUNC_IntAddExceptionFromAlert) (void GuestHandle, const void Event, INTRO_EVENT_TYPE Type, BOOLEAN Exception, QWORD Context)
	Adds an exception for an alert reported by introcore. More...

typedef INTSTATUS(*	PFUNC_IntFlushAlertExceptions) (void *GuestHandle)
	Removes all the custom exceptions added with GLUE_IFACE.AddExceptionFromAlert. More...

typedef INTSTATUS(*	PFUNC_IntRemoveException) (void *GuestHandle, QWORD Context)
	Removes a custom exception added with GLUE_IFACE.AddExceptionFromAlert. More...

Functions
INTSTATUS	IntGetExceptionsVersion (void GuestHandle, WORD MajorVersion, WORD MinorVersion, DWORD BuildNumber)
	Get the current exceptions version.See PFUNC_IntGetExceptionsVersion for details. More...

INTSTATUS	IntUpdateExceptions (void *GuestHandle, PBYTE Buffer, DWORD Length, DWORD Flags)
	Loads a new exceptions version.See PFUNC_IntUpdateExceptions for details. More...

INTSTATUS	IntAddExceptionFromAlert (void GuestHandle, const void Event, INTRO_EVENT_TYPE Type, BOOLEAN Exception, QWORD Context)
	Adds an exception for an alert reported by introcore.See PFUNC_IntAddExceptionFromAlert for details. More...

INTSTATUS	IntRemoveException (void *GuestHandle, QWORD Context)
	Removes a custom exception added with GLUE_IFACE.AddExceptionFromAlert.See PFUNC_IntRemoveException for details. More...

INTSTATUS	IntFlushAlertExceptions (void *GuestHandle)
	Removes all the custom exceptions added with GLUE_IFACE.AddExceptionFromAlert.See PFUNC_IntFlushAlertExceptions for details. More...

Detailed Description

Except guest behavior that will normally be blocked.

Macro Definition Documentation

◆ INT_STATUS_EXCEPTION_ALLOW

#define INT_STATUS_EXCEPTION_ALLOW INT_MAKE_STATUS(INT_STATUS_SEVERITY_INFORMATIONAL, INT_FACILITY_HVI, 0x00E1)

Indicates that an exception matched and the event must be allowed.

Definition at line 391 of file introstatus.h.

Referenced by IntExceptGetOriginatorFromModification(), IntExceptKernel(), IntExceptKernelMatchVictim(), IntExceptKernelUser(), IntExceptKernelUserMatchVictim(), IntExceptMatchException(), IntExceptUser(), IntExceptUserMatchVictim(), IntExceptVerifyValueSig(), and IntWinDrvObjHandleModification().

◆ INT_STATUS_EXCEPTION_BLOCK

#define INT_STATUS_EXCEPTION_BLOCK INT_MAKE_STATUS(INT_STATUS_SEVERITY_ERROR, INT_FACILITY_HVI, 0x00EF)

Block the event and return to the guest. No more checks are to be done after this status.

Definition at line 421 of file introstatus.h.

Referenced by IntCrLixHandleWrite(), IntCrWinHandleWrite(), IntDtrHandleWrite(), IntExceptGetOriginatorFromModification(), IntExceptWinKernelGetOriginator(), IntLixDrvHandleWrite(), IntLixMsrHandleWrite(), IntLixVdsoHandleKernelModeWrite(), IntLixVdsoHandleUserModeWrite(), IntVeHandleAccess(), IntVeHandleEPTViolationInProtectedView(), IntWinDrvHandleRead(), IntWinDrvHandleWrite(), IntWinDrvObjHandleModification(), IntWinDrvObjHandleWrite(), IntWinHalHandleDispatchTableWrite(), IntWinHalHandleHalHeapExec(), IntWinHalHandleHalIntCtrlWrite(), IntWinHalHandlePerfCounterModification(), IntWinInfHookEptSppHandleWrite(), IntWinInfHookIntegrityHandleWrite(), IntWinMsrHandleWrite(), IntWinSudHandleKernelSudExec(), and IntWinTokenPrivsHandleWrite().

◆ INT_STATUS_EXCEPTION_CHECKS_FAILED

#define INT_STATUS_EXCEPTION_CHECKS_FAILED INT_MAKE_STATUS(INT_STATUS_SEVERITY_ERROR, INT_FACILITY_HVI, 0x00E2)

The checks on the exception failed (a wrong value, a invalid pointer, etc).

Definition at line 411 of file introstatus.h.

Referenced by IntExceptMatchException(), and IntWinUmCheckInitializationInjection().

◆ INT_STATUS_EXCEPTION_CHECKS_OK

#define INT_STATUS_EXCEPTION_CHECKS_OK INT_MAKE_STATUS(INT_STATUS_SEVERITY_INFORMATIONAL, INT_FACILITY_HVI, 0x00E2)

Indicates that the current event is part of the process initialization phase and should be allowed.

Definition at line 396 of file introstatus.h.

Referenced by IntExceptKernelUserVerifyExtra(), IntExceptKernelVerifyExtra(), IntExceptMatchException(), IntExceptUserVerifyExtra(), IntExceptUserVerifyExtraGlobMatch(), and IntWinUmCheckInitializationInjection().

◆ INT_STATUS_EXCEPTION_NOT_MATCHED

#define INT_STATUS_EXCEPTION_NOT_MATCHED INT_MAKE_STATUS(INT_STATUS_SEVERITY_ERROR, INT_FACILITY_HVI, 0x00E1)

No exception matched.

Definition at line 406 of file introstatus.h.

Referenced by IntExcept(), IntExceptKernel(), IntExceptKernelMatchVictim(), IntExceptKernelUser(), IntExceptKernelUserMatchVictim(), IntExceptMatchException(), IntExceptUser(), and IntExceptUserMatchVictim().

◆ INT_STATUS_SIGNATURE_MATCHED

#define INT_STATUS_SIGNATURE_MATCHED INT_MAKE_STATUS(INT_STATUS_SEVERITY_INFORMATIONAL, INT_FACILITY_HVI, 0x00E3)

Indicates that an exception signature matched.

Definition at line 401 of file introstatus.h.

Referenced by IntExceptMatchException(), IntExceptVerifyCodeBlocksSig(), IntExceptVerifyExportSig(), IntExceptVerifyIdtSignature(), IntExceptVerifyProcessCreationSignature(), IntExceptVerifySignature(), IntExceptVerifyValueCodeSig(), IntExceptVerifyValueSig(), IntExceptVerifyVersionIntroSignature(), IntExceptVerifyVersionOsSignature(), and IntFragMatchSignature().

◆ INT_STATUS_SIGNATURE_NOT_FOUND

#define INT_STATUS_SIGNATURE_NOT_FOUND INT_MAKE_STATUS(INT_STATUS_SEVERITY_ERROR, INT_FACILITY_HVI, 0x00E3)

No signature matched.

Definition at line 416 of file introstatus.h.

Referenced by IntExceptMatchException(), IntExceptVerifyCodeBlocksSig(), IntExceptVerifyExportSig(), IntExceptVerifyIdtSignature(), IntExceptVerifyProcessCreationSignature(), IntExceptVerifySignature(), IntExceptVerifyValueCodeSig(), IntExceptVerifyValueSig(), IntExceptVerifyVersionIntroSignature(), IntExceptVerifyVersionOsSignature(), and IntFragMatchSignature().

Typedef Documentation

◆ PFUNC_IntAddExceptionFromAlert

typedef INTSTATUS(* PFUNC_IntAddExceptionFromAlert) (void *GuestHandle, const void *Event, INTRO_EVENT_TYPE Type, BOOLEAN Exception, QWORD Context)

Adds an exception for an alert reported by introcore.

Parameters

[in]	GuestHandle	Integrator-specific guest identifier
[in]	Event	Exception information supplied by introcore on GLUE_IFACE.NotifyIntrospectionAlert calls. If Exception is True, this buffer has the contents of the INTRO_VIOLATION_HEADER.Exception field. If it is set to False, this buffer should contains the entire alert.
[in]	Type	The type of the event.
[in]	Exception	The type of contents in the buffer.
[in]	Context	Integrator-specific exception identifier. Can be 0.

Return values

INT_STATUS_SUCCESS	in case of success.
INT_STATUS_ALREADY_INITIALIZED_HINT	if the guest is already introspected.
INT_STATUS_POWER_STATE_BLOCK	if the operation can not be completed because the guest is transitioning to another power state.
INT_STATUS_NOT_SUPPORTED	if the type of event can not be excepted.
INT_STATUS_INVALID_DATA_STATE	if the size of the buffer is not valid.

Definition at line 1574 of file glueiface.h.

◆ PFUNC_IntFlushAlertExceptions

typedef INTSTATUS(* PFUNC_IntFlushAlertExceptions) (void *GuestHandle)

Removes all the custom exceptions added with GLUE_IFACE.AddExceptionFromAlert.

Parameters

[in] GuestHandle Integrator-specific guest identifier.

Return values

INT_STATUS_SUCCESS	in case of success.
INT_STATUS_ALREADY_INITIALIZED_HINT	if the guest is already introspected.
INT_STATUS_POWER_STATE_BLOCK	if the operation can not be completed because the guest is transitioning to another power state.

Definition at line 1594 of file glueiface.h.

◆ PFUNC_IntGetExceptionsVersion

typedef INTSTATUS(* PFUNC_IntGetExceptionsVersion) (void *GuestHandle, WORD *Major, WORD *Minor, DWORD *BuildNumber)

Get the current exceptions version.

Parameters

[in]	GuestHandle	Integrator-specific guest identifier.
[out]	MajorVersion	The major version.
[out]	MinorVersion	The minor version.
[out]	BuildNumber	The build number.

Return values

INT_STATUS_SUCCESS	in case of success.
INT_STATUS_ALREADY_INITIALIZED_HINT	if the guest is already introspected.
INT_STATUS_POWER_STATE_BLOCK	if the operation can not be completed because the guest is transitioning to another power state.

Definition at line 1529 of file glueiface.h.

◆ PFUNC_IntRemoveException

typedef INTSTATUS(* PFUNC_IntRemoveException) (void *GuestHandle, QWORD Context)

Removes a custom exception added with GLUE_IFACE.AddExceptionFromAlert.

Parameters

[in]	GuestHandle	Integrator-specific guest identifier
[in]	Context	The context of the exception that must be removed. All exceptions that share the same context will be removed.

Return values

INT_STATUS_SUCCESS	in case of success.
INT_STATUS_ALREADY_INITIALIZED_HINT	if the guest is already introspected.
INT_STATUS_POWER_STATE_BLOCK	if the operation can not be completed because the guest is transitioning to another power state.

Definition at line 1612 of file glueiface.h.

◆ PFUNC_IntUpdateExceptions

typedef INTSTATUS(* PFUNC_IntUpdateExceptions) (void *GuestHandle, PBYTE Buffer, DWORD Length, DWORD Flags)

Loads a new exceptions version.

Parameters

[in]	GuestHandle	Integrator-specific guest identifier.
[in]	Buffer	Buffer with the exception contents. This buffer should remain valid until this function returns.
[in]	Length	The size of the buffer, in bytes.
[in]	Flags	Optional flags that control the update. No such flags exist at the moment.

Return values

INT_STATUS_SUCCESS	in case of success.
INT_STATUS_ALREADY_INITIALIZED_HINT	if the guest is already introspected.
INT_STATUS_POWER_STATE_BLOCK	if the operation can not be completed because the guest is transitioning to another power state.
INT_STATUS_INVALID_OBJECT_TYPE	if the update buffer is corrupted.
INT_STATUS_NOT_SUPPORTED	if the exceptions version is not supported.
INT_STATUS_INVALID_INTERNAL_STATE	if introcore detected a fatal error during the update.

Remarks: After a successful call, the previously loaded exceptions are removed. Exceptions loaded with GLUE_IFACE.AddExceptionFromAlert are not removed.

Definition at line 1460 of file glueiface.h.

Function Documentation

◆ IntAddExceptionFromAlert()

INTSTATUS IntAddExceptionFromAlert	(	void *	GuestHandle,
		const void *	Event,
		INTRO_EVENT_TYPE	Type,
		BOOLEAN	Exception,
		QWORD	Context
	)

Adds an exception for an alert reported by introcore.See PFUNC_IntAddExceptionFromAlert for details.

Return values

INT_STATUS_SUCCESS in case of success.

Definition at line 1402 of file introapi.c.

Referenced by IntInit().

◆ IntFlushAlertExceptions()

INTSTATUS IntFlushAlertExceptions ( void * GuestHandle )

Removes all the custom exceptions added with GLUE_IFACE.AddExceptionFromAlert.See PFUNC_IntFlushAlertExceptions for details.

Return values

INT_STATUS_SUCCESS in case of success.

Definition at line 1499 of file introapi.c.

Referenced by IntInit().

◆ IntGetExceptionsVersion()

INTSTATUS IntGetExceptionsVersion	(	void *	GuestHandle,
		WORD *	MajorVersion,
		WORD *	MinorVersion,
		DWORD *	BuildNumber
	)

Get the current exceptions version.See PFUNC_IntGetExceptionsVersion for details.

Return values

INT_STATUS_SUCCESS in case of success.

Definition at line 1303 of file introapi.c.

Referenced by IntInit().

◆ IntRemoveException()

INTSTATUS IntRemoveException	(	void *	GuestHandle,
		QWORD	Context
	)

Removes a custom exception added with GLUE_IFACE.AddExceptionFromAlert.See PFUNC_IntRemoveException for details.

Return values

INT_STATUS_SUCCESS in case of success.

Definition at line 1452 of file introapi.c.

Referenced by IntInit().

◆ IntUpdateExceptions()

INTSTATUS IntUpdateExceptions	(	void *	GuestHandle,
		PBYTE	Buffer,
		DWORD	Length,
		DWORD	Flags
	)

Loads a new exceptions version.See PFUNC_IntUpdateExceptions for details.

Return values

INT_STATUS_SUCCESS in case of success.

Definition at line 1352 of file introapi.c.

Referenced by IntInit().

Files

Macros

Typedefs

Functions

Detailed Description

Macro Definition Documentation

◆ INT_STATUS_EXCEPTION_ALLOW

◆ INT_STATUS_EXCEPTION_BLOCK

◆ INT_STATUS_EXCEPTION_CHECKS_FAILED

◆ INT_STATUS_EXCEPTION_CHECKS_OK

◆ INT_STATUS_EXCEPTION_NOT_MATCHED

◆ INT_STATUS_SIGNATURE_MATCHED

◆ INT_STATUS_SIGNATURE_NOT_FOUND

Typedef Documentation

◆ PFUNC_IntAddExceptionFromAlert

◆ PFUNC_IntFlushAlertExceptions

◆ PFUNC_IntGetExceptionsVersion

◆ PFUNC_IntRemoveException

◆ PFUNC_IntUpdateExceptions

Function Documentation

◆ IntAddExceptionFromAlert()

◆ IntFlushAlertExceptions()

◆ IntGetExceptionsVersion()

◆ IntRemoveException()

◆ IntUpdateExceptions()