Bitdefender Hypervisor Memory Introspection
intro_types.h File Reference

Exposes the types and constants used by various Introcore APIs defined in glueiface.h. More...

#include "env.h"
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include "intro_sal.h"

Data Structures

struct  _INTRO_TOKEN_PRIVILEGES
 Windows process token privileges. More...
 
struct  _INTRO_ACL
 Windows process access control list (SACL/DACL) More...
 
struct  _INTRO_WIN_SID
 A security identifier. More...
 
struct  _INTRO_SID_ATTRIBUTES
 Windows SID attributes. More...
 
struct  _INTRO_WIN_TOKEN
 A Windows token structure as reported by Introcore alerts. More...
 
union  _INTRO_TOKEN
 Contains privileges and security identifiers information. More...
 
struct  _INTRO_PROCESS
 Describes a guest process. More...
 
struct  _INTRO_MODULE
 Describes a user-mode or kernel-mode module. More...
 
struct  _INTRO_DRVOBJ
 Describes a driver object. More...
 
struct  _INTRO_CPUCTX
 Holds the CPU context for an event. More...
 
struct  _INTRO_WRITE_INFO
 Holds information about a memory write attempt. More...
 
struct  _INTRO_READ_INFO
 Holds information about a memory read attempt. More...
 
struct  _INTRO_EXEC_INFO
 Holds information about an execution attempt. More...
 
struct  _INTRO_SEC_DESC_INFO
 Holds information about a security descriptor write attempt. More...
 
struct  _INTRO_CODEBLOCKS
 Holds code block patterns information. More...
 
struct  _INTRO_CODEBLOCKS::_INTRO_CODE_BLOCK
 Array of actual code block patterns. More...
 
struct  _INTRO_VERSION_INFO
 Holds version information for Introcore and the currently loaded exceptions and CAMI files. More...
 
struct  _INTRO_GPRS
 Holds register state information. More...
 
struct  _INTRO_EXEC_CONTEXT
 Holds the context in which an execution attempt was detected. More...
 
struct  _INTRO_EXEC_DATA
 Holds the data related to an execution attempt. More...
 
struct  _INTRO_ALERT_EXCEPTION_HEADER
 The common header used by exception information. More...
 
struct  _INTRO_VIOLATION_HEADER
 Common violation header. More...
 
struct  _EVENT_EPT_VIOLATION
 Event structure for EPT violations. More...
 
struct  _EVENT_MSR_VIOLATION
 Event structure for MSR violation. More...
 
struct  _EVENT_CR_VIOLATION
 Event structure for CR violation. More...
 
struct  _EVENT_XCR_VIOLATION
 Event structure for XCR violation. More...
 
struct  _EVENT_MEMCOPY_VIOLATION
 Memory access violations that cross a process boundary. More...
 
struct  _EVENT_TRANSLATION_VIOLATION
 Event structure for illegal paging-structures modifications. More...
 
struct  _EVENT_INTEGRITY_VIOLATION
 Event structure for integrity violations on monitored structures. More...
 
struct  _EVENT_DTR_VIOLATION
 Event structure for GDTR/IDTR descriptor tables modifications. More...
 
union  _INTRO_DPI_EXTRA_INFO
 Structure for keeping the relevant DPI violation information. More...
 
struct  _EVENT_PROCESS_CREATION_VIOLATION
 Event structure for process creation violation events. More...
 
struct  _EVENT_MODULE_LOAD_VIOLATION
 Event structure for suspicious module load into processes. More...
 
struct  _EVENT_ENGINES_DETECTION_VIOLATION
 Event structure for detections provided by additional scan engines. More...
 
struct  _EVENT_INTROSPECTION_MESSAGE
 Event structure for plain data/message passing. More...
 
struct  _EVENT_PROCESS_EVENT
 Event structure for process creation/termination. More...
 
struct  _EVENT_MODULE_EVENT
 Event structure for module loading and unloading. More...
 
struct  _EVENT_CRASH_EVENT
 Event structure for guest OS crashes. More...
 
struct  _EVENT_EXCEPTION_EVENT
 Event structure for process exceptions. More...
 
struct  _EVENT_CONNECTION_EVENT
 Event structure for connections. More...
 
struct  _ENG_NOTIFICATION_HEADER
 Notification header for scan engines alerts. More...
 
struct  _ENG_NOTIFICATION_CODE_EXEC
 Execution notification for scan engines. More...
 
struct  _ENG_NOTIFICATION_CMD_LINE
 Command line notification for scan engines. More...
 
struct  _AGENT_REM_EVENT_HEADER
 Common header for all remediation tool events. More...
 
struct  _AGENT_REM_EVENT
 A remediation tool event. More...
 
struct  _AGENT_LGT_EVENT_HEADER
 Common header for all log gather tool events. More...
 
struct  _AGENT_LGT_EVENT
 Describes an event sent by the log gathering tool. More...
 
struct  _EVENT_AGENT_EVENT
 Event structure for agent injection and termination. More...
 
struct  _GUEST_INFO
 Guest information. More...
 
union  _INT_VERSION_INFO
 Introspection version info. More...
 
union  _INTRO_ERROR_CONTEXT
 The context of an error state. More...
 

Macros

#define TRUE   true
 
#define FALSE   false
 
#define PROC_OPT_NONE   0x00000000
 No protection policy. The process is not protected. More...
 
#define PROC_OPT_PROT_CORE_HOOKS   0x00000004
 Blocks hooks being set on core user-mode DLLs. More...
 
#define PROC_OPT_PROT_UNPACK   0x00000008
 Identifies unpacking/decryption attempts in the main executable. More...
 
#define PROC_OPT_PROT_WRITE_MEM   0x00000010
 Blocks foreign write inside the target process. More...
 
#define PROC_OPT_PROT_WSOCK_HOOKS   0x00000020
 Blocks hooks being set on Wininet user-mode DLLs (Windows only). More...
 
#define PROC_OPT_PROT_EXPLOIT   0x00000040
 Blocks malicious execution attempts. More...
 
#define PROC_OPT_PROT_SET_THREAD_CTX   0x00000080
 Blocks thread hijacking attempts inside the target process (Windows only). More...
 
#define PROC_OPT_PROT_PTRACE   0x00000080
 Blocks thread hijacking attempts inside the target process (Linux only). More...
 
#define PROC_OPT_PROT_QUEUE_APC   0x00000100
 Blocks APC queuing inside the target process (Windows only). More...
 
#define PROC_OPT_PROT_PREVENT_CHILD_CREATION   0x00000200
 Prevent the process from creating child processes (other than instances of itself). More...
 
#define PROC_OPT_PROT_DOUBLE_AGENT   0x00000400
 Blocks double agent attacks (malicious DLL loading) (Windows only). More...
 
#define PROC_OPT_PROT_SCAN_CMD_LINE   0x00000800
 Uses third party engines to scan the command line of a process. More...
 
#define PROC_OPT_PROT_INSTRUMENT   0x00001000
 Blocks foreign processes from setting instrumentation callbacks inside the target process (Windows only). More...
 
#define PROC_OPT_REMEDIATE   0x20000000
 Any event inside the process will trigger the injection of the remediation tool. More...
 
#define PROC_OPT_KILL_ON_EXPLOIT   0x40000000
 
#define PROC_OPT_BETA   0x80000000
 The process is monitored, but in log-only mode, so no actions will be blocked. More...
 
#define PROC_OPT_PROT_INJECTION
 Aggregates all the flags that will generate introEventInjectionViolation events. More...
 
#define PROC_OPT_PROT_ALL
 Aggregates all the process protection flags. More...
 
#define INTRO_OPT_PROT_KM_NT   0x0000000000000001ull
 Enable kernel image protection (Windows only). More...
 
#define INTRO_OPT_PROT_KM_LX   0x0000000000000001ull
 Enable kernel image protection (Linux only). More...
 
#define INTRO_OPT_PROT_KM_HAL   0x0000000000000002ull
 Enable HAL protection (Windows only). More...
 
#define INTRO_OPT_PROT_KM_SSDT   0x0000000000000004ull
 Enable SSDT protection (Windows only). More...
 
#define INTRO_OPT_PROT_KM_IDT   0x0000000000000008ull
 
#define INTRO_OPT_PROT_KM_HAL_DISP_TABLE   0x0000000000000010ull
 Enable HDT (Hal Dispatch Table) protection (Windows only). More...
 
#define INTRO_OPT_PROT_KM_SYSTEM_CR3   0x0000000000000020ull
 Enable System process PDBR protection. More...
 
#define INTRO_OPT_PROT_KM_TOKEN_PTR   0x0000000000000040ull
 Enable process token protection (Windows only). More...
 
#define INTRO_OPT_PROT_KM_CREDS   0x0000000000000040ull
 
#define INTRO_OPT_PROT_KM_NT_DRIVERS   0x0000000000000080ull
 Enable core NT drivers protection (Windows only). More...
 
#define INTRO_OPT_PROT_KM_LX_MODULES   0x0000000000000080ull
 Enable Linux kernel modules protection (Linux only). More...
 
#define INTRO_OPT_PROT_KM_AV_DRIVERS   0x0000000000000100ull
 Enable AV drivers protection (Windows only). More...
 
#define INTRO_OPT_PROT_KM_XEN_DRIVERS   0x0000000000000200ull
 
#define INTRO_OPT_PROT_KM_DRVOBJ   0x0000000000000400ull
 Enable driver object & fast I/O dispatch protection. More...
 
#define INTRO_OPT_PROT_KM_CR4   0x0000000000000800ull
 Enable CR4.SMEP and CR4.SMAP protection. More...
 
#define INTRO_OPT_PROT_KM_MSR_SYSCALL   0x0000000000001000ull
 
#define INTRO_OPT_PROT_KM_IDTR   0x0000000000002000ull
 Enable interrupt descriptor-table registers protection. More...
 
#define INTRO_OPT_PROT_KM_HAL_HEAP_EXEC   0x0000000000004000ull
 Enable execution prevention on the Hal Heap when it is not ASLR'd (Windows only). More...
 
#define INTRO_OPT_PROT_KM_HAL_INT_CTRL   0x0000000000008000ull
 Enable Hal Interrupt Controller write protection. More...
 
#define INTRO_OPT_PROT_UM_MISC_PROCS   0x0000000000010000ull
 
#define INTRO_OPT_PROT_UM_SYS_PROCS   0x0000000000020000ull
 Enable user-mode system processes protection (injection only). More...
 
#define INTRO_OPT_PROT_KM_SELF_MAP_ENTRY   0x0000000000040000ull
 
#define INTRO_OPT_PROT_KM_GDTR   0x0000000000080000ull
 Enable global descriptor-table registers protection. More...
 
#define INTRO_OPT_EVENT_PROCESSES   0x0000000000100000ull
 Enable process creation and termination events (generates introEventProcessEvent events). More...
 
#define INTRO_OPT_EVENT_MODULES   0x0000000000200000ull
 Enable user mode and kernel mode module load and unload events (generates introEventModuleEvent events). More...
 
#define INTRO_OPT_EVENT_OS_CRASH   0x0000000000400000ull
 Enable OS crash events (generates introEventCrashEvent events). More...
 
#define INTRO_OPT_EVENT_PROCESS_CRASH   0x0000000000800000ull
 Enable application crash events (generates introEventExceptionEvent). More...
 
#define INTRO_OPT_AGENT_INJECTION   0x0000000001000000ull
 Enable agent injections. More...
 
#define INTRO_OPT_FULL_PATH   0x0000000002000000ull
 Enable full-path protection of processes. More...
 
#define INTRO_OPT_KM_BETA_DETECTIONS   0x0000000004000000ull
 
#define INTRO_OPT_NOTIFY_ENGINES   0x0000000008000000ull
 Send suspicious pages to be scanned by third party scan engines. More...
 
#define INTRO_OPT_IN_GUEST_PT_FILTER   0x0000000010000000ull
 Enable in-guest page-table filtering (64-bit Windows only). More...
 
#define INTRO_OPT_BUGCHECK_CLEANUP   0x0000000020000000ull
 Enable memory cleanup after an OS crash (Windows). More...
 
#define INTRO_OPT_PANIC_CLEANUP   0x0000000020000000ull
 Enable memory cleanup after an OS crash (Linux). More...
 
#define INTRO_OPT_SYSPROC_BETA_DETECTIONS   0x0000000040000000ull
 Enable system processes beta (log only) detection. More...
 
#define INTRO_OPT_VE   0x0000000080000000ull
 Enable the Virtualization exception page table access pre-filtering agent (64-bit Windows only). More...
 
#define INTRO_OPT_EVENT_CONNECTIONS   0x0000000100000000ull
 Enable connection events. More...
 
#define INTRO_OPT_PROT_KM_LOGGER_CONTEXT   0x0000000200000000ull
 Enable protection on WMI_LOGGER_CONTEXT.GetCpuClock used by InfinityHook (Windows only). More...
 
#define INTRO_OPT_PROT_DPI_DEBUG   0x0000000400000000ull
 Enable process creation protection for child processes created with debug flag. More...
 
#define INTRO_OPT_PROT_DPI_STACK_PIVOT   0x0000000800000000ull
 Enable process creation protection for pivoted stack. More...
 
#define INTRO_OPT_PROT_DPI_TOKEN_STEAL   0x0000001000000000ull
 Enable process creation protection for stolen token. More...
 
#define INTRO_OPT_PROT_DPI_HEAP_SPRAY   0x0000002000000000ull
 Enable process creation protection for heap sprayed parent. More...
 
#define INTRO_OPT_PROT_KM_NT_EAT_READS   0x0000004000000000ull
 Enable kernel EAT read protection (Windows only). More...
 
#define INTRO_OPT_PROT_KM_LX_TEXT_READS   0x0000008000000000ull
 Enable kernel '_text' section read protection (Linux only). More...
 
#define INTRO_OPT_PROT_KM_VDSO   0x0000010000000000ull
 Enable vDSO image protection (Linux only). More...
 
#define INTRO_OPT_PROT_KM_SWAPGS   0x0000020000000000ull
 Enable SWAPGS (CVE-2019-1125) mitigation. More...
 
#define INTRO_OPT_PROT_KM_TOKEN_PRIVS   0x0000040000000000ull
 Enable protection over Token Privileges bitmaps. More...
 
#define INTRO_OPT_PROT_DPI_TOKEN_PRIVS   0x0000080000000000ull
 Enable process creation protection for parent which has violated Token privileges constraints. More...
 
#define INTRO_OPT_PROT_DPI_THREAD_SHELL   0x0000100000000000ull
 Examines the code where the current thread started execution when the current thread creates a process. More...
 
#define INTRO_OPT_PROT_KM_SUD_EXEC   0x0000200000000000ull
 Enable protection against executions on SharedUserData. More...
 
#define INTRO_OPT_PROT_KM_HAL_PERF_CNT   0x0000400000000000ull
 Enable protection over HalPerformanceCounter's function pointer, which is called inside KeQueryPerformanceCounter. More...
 
#define INTRO_OPT_PROT_KM_SD_ACL   0x0000800000000000ull
 Enable integrity protection over the Security Descriptor pointer and the 2 ACLs (SACL/DACL). More...
 
#define INTRO_OPT_PROT_DPI_SD_ACL   0x0001000000000000ull
 Enable detection of Security Descriptor pointer modifications and ACL modifications on process creation. More...
 
#define INTRO_OPT_PROT_KM_SUD_INTEGRITY   0x0002000000000000ull
 Enable integrity checks over various SharedUserData fields, as well as the zero-filled zone after the SharedUserData structure. More...
 
#define INTRO_OPT_PROT_KM_INTERRUPT_OBJ   0x0004000000000000ull
 Enable protection against modifications of interrupt objects from KPRCB's InterruptObject. More...
 
#define INTRO_OPT_PROT_DPI
 Aggregates all the deep process inspection flags. More...
 
#define INTRO_OPT_ENABLE_KM_PROTECTION
 Aggregates all the kernel mode protection flags. More...
 
#define INTRO_OPT_ENABLE_UM_PROTECTION
 Aggregates all the user mode protection flags. More...
 
#define INTRO_OPT_ENABLE_AV_PROTECTION   (INTRO_OPT_PROT_KM_AV_DRIVERS)
 Aggregates all the AV protection flags. More...
 
#define INTRO_OPT_ENABLE_CR_PROTECTION   (INTRO_OPT_PROT_KM_CR4)
 Aggregates all the control register protection flags. More...
 
#define INTRO_OPT_ENABLE_MSR_PROTECTION   (INTRO_OPT_PROT_KM_MSR_SYSCALL)
 Aggregates all the MSR protection flags. More...
 
#define INTRO_OPT_ENABLE_INTEGRITY_CHECKS
 Aggregates all the integrity protection flags. More...
 
#define INTRO_OPT_ENABLE_DTR_PROTECTION
 Aggregates all the descriptor table register protection flags. More...
 
#define INTRO_OPT_ENABLE_KM_BETA_DETECTIONS   (INTRO_OPT_KM_BETA_DETECTIONS)
 Aggregates all the kernel log-only detection flags. More...
 
#define INTRO_OPT_ENABLE_FULL_PATH   (INTRO_OPT_FULL_PATH)
 Aggregates all the full path protection flags. More...
 
#define INTRO_OPT_ENABLE_XEN_PROTECTION   (INTRO_OPT_PROT_KM_XEN_DRIVERS)
 Aggregates all the XEN-related protection flags. More...
 
#define INTRO_OPT_ENABLE_MANUAL_AGENT_INJ   (INTRO_OPT_AGENT_INJECTION)
 Aggregates all the agent injection flags. More...
 
#define INTRO_OPT_ENABLE_MISC_EVENTS
 Aggregates all the miscellaneous protection flags. More...
 
#define INTRO_OPT_DYNAMIC_OPTIONS_MASK   (0xffffffffffffffff)
 All the flags that can be modified without unloading Introcore. More...
 
#define INTRO_OPT_DEFAULT_OPTIONS
 Aggregates all the default options. More...
 
#define INTRO_OPT_DEFAULT_XEN_OPTIONS
 Aggregates all the default XEN options. More...
 
#define INTRO_OPT_ONLY_KERNEL
 Aggregates all the kernel-only protection and activation flags. More...
 
#define POLICY_KM_BETA_FLAGS
 Aggregates all the flags that are affected by the INTRO_OPT_ENABLE_KM_BETA_DETECTIONS flag. More...
 
#define ALERT_FLAG_BETA   0x0000000000000001
 If set, the alert is a BETA alert. No action was taken. More...
 
#define ALERT_FLAG_ANTIVIRUS   0x0000000000000002
 If set, the alert is on an antivirus object. More...
 
#define ALERT_FLAG_SYSPROC   0x0000000000000004
 If set, the alert is on a system process. More...
 
#define ALERT_FLAG_NOT_RING0   0x0000000000000008
 If set, the alert was triggered in ring 1, 2 or 3. More...
 
#define ALERT_FLAG_ASYNC   0x0000000000000010
 If set, the alert was generated in an async manner. More...
 
#define ALERT_FLAG_LINUX   0x0000000000000020
 
#define ALERT_FLAG_FROM_ENGINES   0x0000000000000040
 If set, the alert was generated due to a third party scan engines detection. More...
 
#define ALERT_FLAG_FEEDBACK_ONLY   0x0000000000000080
 If set, the alert is a feedback only alert. More...
 
#define ALERT_FLAG_DEP_VIOLATION   0x0000000000000100
 If set, the alert was generated by a DEP violation. More...
 
#define ALERT_FLAG_PROTECTED_VIEW   0x0000000000000200
 
#define ALERT_FLAG_KM_UM   0x0000000000000400
 If set, the alert was generated by a kernel to user mode violation. More...
 
#define ALERT_PATH_MAX_LEN   260u
 The maximum size of a path inside an alert structure. More...
 
#define ALERT_IMAGE_NAME_LEN   16u
 
#define ALERT_MAX_MESSAGE_SIZE   256u
 The maximum size of an Introcore message inside EVENT_INTROSPECTION_MESSAGE. More...
 
#define ALERT_MAX_INSTRUX_LEN   128u
 
#define ALERT_MAX_SECTION_NAME_LEN   8u
 The maximum size of an executable section name inside an alert structure. More...
 
#define ALERT_MAX_FUNCTIONS   4u
 The maximum number of functions included in an alert structure. More...
 
#define ALERT_MAX_FUNCTION_NAME_LEN   32u
 The maximum size of a function name inside an alert structure. More...
 
#define ALERT_MAX_INJ_DUMP_SIZE   512u
 The maximum size of an injection buffer inside an alert structure. More...
 
#define ALERT_MAX_CODEBLOCKS   64u
 The maximum number of code blocks included in an alert structure. More...
 
#define ALERT_CMDLINE_MAX_LEN   512u
 The maximum size of a command line included in an alert structure. More...
 
#define ALERT_EXCEPTION_SIZE   255u
 
#define ALERT_MAX_DETECTION_NAME   128u
 The maximum size of a detection name as given by a third party scan engine. More...
 
#define ALERT_MAX_ENGINES_VERSION   32u
 The maximum size of the third party scan engines version. More...
 
#define INTRO_SECURITY_DESCRIPTOR_SIZE   1024u
 The size of the buffers in which we store the security descriptors. The security descriptor is composed of its 2 Access Control Lists (SACL/DACL) and their corresponding Access Control Entries. Below there is an example of the memory map for the security descriptor dumped in winsecdesc.c. Although the size is only 0x6C, we want to have some room left for processes with more ACEs. More...
 
#define VICTIM_PROCESS_CREDENTIALS   u"Process Credentials"
 Printable name used for introObjectTypeCreds objects. More...
 
#define VICTIM_DRIVER_OBJECT   u"Driver Object"
 Printable name used for introObjectTypeDriverObject objects. More...
 
#define VICTIM_HAL_DISPATCH_TABLE   u"HalDispatchTable"
 Printable name used for introObjectTypeHalDispatchTable objects. More...
 
#define VICTIM_IDT   u"IDT"
 Printable name used for introObjectTypeIdt. More...
 
#define VICTIM_CIRCULAR_KERNEL_CTX_LOGGER   u"Circular Kernel Context Logger"
 Printable name used for introObjectTypeKmLoggerContext objects. More...
 
#define VICTIM_PROCESS_TOKEN   u"Process Token"
 Printable name used for introObjectTypeTokenPtr objects. More...
 
#define VICTIM_TOKEN_PRIVILEGES   u"Token privileges"
 Printable name used for introObjectTypeTokenPrivs objects. More...
 
#define VICTIM_HAL_PERFORMANCE_COUNTER   u"HalPerformanceCounter"
 Printable name used for introObjectTypeHalPerfCounter objects. More...
 
#define VICTIM_PROCESS_SECURITY_DESCRIPTOR   u"Security Descriptor"
 Printable name used for introObjectTypeSecDesc objects. More...
 
#define VICTIM_PROCESS_ACL   u"Access Control List"
 Printable name used for introObjectTypeAcl objects. More...
 
#define VICTIM_INTERRUPT_OBJECT   u"Interrupt Object"
 Printable name used for introObjectTypeInterruptObject. More...
 
#define INTRO_VIOLATION_VERSION   1
 Violation header version. More...
 
#define INTRO_WIN_SID_MAX_SUB_AUTHORITIES   15
 The maximum number of sub authorities contained in a SID. More...
 
#define INTRO_WIN_SID_MAX_SIZE   (sizeof(INTRO_WIN_SID) - sizeof(DWORD) + (INTRO_WIN_SID_MAX_SUB_AUTHORITIES * sizeof(DWORD)))
 The maximum size of a INTRO_WIN_SID structure. More...
 
#define INTRO_SIDS_MAX_COUNT   4
 The maximum SID count included in an alert. More...
 
#define AGENT_HCALL_REM_TOOL   100
 Used by the remediation tool. More...
 
#define AGENT_HCALL_GATHER_TOOL   500
 Log gathering tool. More...
 
#define AGENT_HCALL_KILLER_TOOL   600
 Agent killer tool. More...
 
#define AGENT_HCALL_INTERNAL   753200
 Reserved for internal use. More...
 
#define REM_MAX_OBJECT_PATH_LEN   512
 The maximum object path size in bytes, including the NULL terminator. More...
 
#define REM_MAX_DETECTION_LEN   128
 The maximum detection name size in bytes, including the NULL terminator. More...
 
#define REM_EVENT_VERSION   0x00010000
 Remediation event version. More...
 
#define REM_EVENT_SIZE   sizeof(AGENT_REM_EVENT)
 Remediation event size. More...
 
#define LGT_MAX_DATA_SIZE   4096
 The maximum size of a log gather tool data chunk. More...
 
#define LGT_EVENT_VERSION   0x00010000
 Log gather agent event version. More...
 
#define LGT_EVENT_SIZE   sizeof(AGENT_LGT_EVENT)
 Log gather agent event size. More...
 

Typedefs

typedef uint8_t UINT8
 
typedef uint8_t * PUINT8
 
typedef uint16_t UINT16
 
typedef uint16_t * PUINT16
 
typedef uint32_t UINT32
 
typedef uint32_t * PUINT32
 
typedef unsigned long long UINT64
 
typedef unsigned long long * PUINT64
 
typedef int8_t INT8
 
typedef int8_t * PINT8
 
typedef int16_t INT16
 
typedef int16_t * PINT16
 
typedef int32_t INT32
 
typedef int32_t * PINT32
 
typedef long long INT64
 
typedef long long * PINT64
 
typedef uint8_t BYTE
 
typedef uint8_t * PBYTE
 
typedef uint16_t WORD
 
typedef uint16_t * PWORD
 
typedef uint32_t DWORD
 
typedef uint32_t * PDWORD
 
typedef unsigned long long QWORD
 
typedef unsigned long long * PQWORD
 
typedef unsigned char UCHAR
 
typedef unsigned char * PUCHAR
 
typedef char CHAR
 
typedef char * PCHAR
 
typedef _Bool BOOLEAN
 
typedef size_t SIZE_T
 
typedef uint16_t WCHAR
 
typedef uint16_t * PWCHAR
 
typedef enum _INTRO_EVENT_TYPE INTRO_EVENT_TYPE
 Event classes. More...
 
typedef enum _INTRO_ENG_NOTIFICATION_TYPE INTRO_ENG_NOTIF_TYPE
 Scan engine alert types. More...
 
typedef enum _INTRO_ACTION INTRO_ACTION
 Event actions. More...
 
typedef enum _INTRO_ACTION_REASON INTRO_ACTION_REASON
 The reason for which an INTRO_ACTION was taken. More...
 
typedef enum _INTRO_OBJECT_TYPE INTRO_OBJECT_TYPE
 The type of the object protected by an EPT hook. More...
 
typedef enum _INTRO_NET_AF INTRO_NET_AF
 Address family. More...
 
typedef enum _INTRO_NET_STATE INTRO_NET_STATE
 Connection states. More...
 
typedef struct _INTRO_TOKEN_PRIVILEGES INTRO_TOKEN_PRIVILEGES
 Windows process token privileges. More...
 
typedef struct _INTRO_TOKEN_PRIVILEGES * PINTRO_TOKEN_PRIVILEGES
 
typedef struct _INTRO_ACL INTRO_ACL
 Windows process access control list (SACL/DACL) More...
 
typedef struct _INTRO_ACL * PINTRO_ACL
 
typedef struct _INTRO_WIN_SID INTRO_WIN_SID
 A security identifier. More...
 
typedef struct _INTRO_WIN_SID * PINTRO_WIN_SID
 
typedef struct _INTRO_SID_ATTRIBUTES INTRO_SID_ATTRIBUTES
 Windows SID attributes. More...
 
typedef struct _INTRO_SID_ATTRIBUTES * PINTRO_SID_ATTRIBUTES
 
typedef struct _INTRO_WIN_TOKEN INTRO_WIN_TOKEN
 A Windows token structure as reported by Introcore alerts. More...
 
typedef struct _INTRO_WIN_TOKEN * PINTRO_WIN_TOKEN
 
typedef union _INTRO_TOKEN INTRO_TOKEN
 Contains privileges and security identifiers information. More...
 
typedef union _INTRO_TOKEN * PINTRO_TOKEN
 
typedef struct _INTRO_PROCESS INTRO_PROCESS
 Describes a guest process. More...
 
typedef struct _INTRO_PROCESS * PINTRO_PROCESS
 
typedef struct _INTRO_MODULE INTRO_MODULE
 Describes a user-mode or kernel-mode module. More...
 
typedef struct _INTRO_MODULE * PINTRO_MODULE
 
typedef struct _INTRO_DRVOBJ INTRO_DRVOBJ
 Describes a driver object. More...
 
typedef struct _INTRO_DRVOBJ * PINTRO_DRVOBJ
 
typedef struct _INTRO_CPUCTX INTRO_CPUCTX
 Holds the CPU context for an event. More...
 
typedef struct _INTRO_CPUCTX * PINTRO_CPUCTX
 
typedef struct _INTRO_WRITE_INFO INTRO_WRITE_INFO
 Holds information about a memory write attempt. More...
 
typedef struct _INTRO_WRITE_INFO * PINTRO_WRITE_INFO
 
typedef struct _INTRO_READ_INFO INTRO_READ_INFO
 Holds information about a memory read attempt. More...
 
typedef struct _INTRO_READ_INFO * PINTRO_READ_INFO
 
typedef struct _INTRO_EXEC_INFO INTRO_EXEC_INFO
 Holds information about an execution attempt. More...
 
typedef struct _INTRO_EXEC_INFO * PINTRO_EXEC_INFO
 
typedef struct _INTRO_SEC_DESC_INFO INTRO_SEC_DESC_INFO
 Holds information about a security descriptor write attempt. More...
 
typedef struct _INTRO_SEC_DESC_INFO * PINTRO_SEC_DESC_INFO
 
typedef struct _INTRO_CODEBLOCKS INTRO_CODEBLOCKS
 Holds code block patterns information. More...
 
typedef struct _INTRO_CODEBLOCKS * PINTRO_CODEBLOCKS
 
typedef struct _INTRO_VERSION_INFO INTRO_VERSION_INFO
 Holds version information for Introcore and the currently loaded exceptions and CAMI files. More...
 
typedef struct _INTRO_VERSION_INFO * PINTRO_VERSION_INFO
 
typedef struct _INTRO_GPRS INTRO_GPRS
 Holds register state information. More...
 
typedef struct _INTRO_GPRS * PINTRO_GPRS
 
typedef struct _INTRO_EXEC_CONTEXT INTRO_EXEC_CONTEXT
 Holds the context in which an execution attempt was detected. More...
 
typedef struct _INTRO_EXEC_CONTEXT * PINTRO_EXEC_CONTEXT
 
typedef struct _INTRO_EXEC_DATA INTRO_EXEC_DATA
 Holds the data related to an execution attempt. More...
 
typedef struct _INTRO_EXEC_DATA * PINTRO_EXEC_DATA
 
typedef enum _MITRE_ID MITRE_ID
 Mitre attack techniques. More...
 
typedef struct _INTRO_ALERT_EXCEPTION_HEADER INTRO_ALERT_EXCEPTION_HEADER
 The common header used by exception information. More...
 
typedef struct _INTRO_VIOLATION_HEADER INTRO_VIOLATION_HEADER
 Common violation header. More...
 
typedef struct _INTRO_VIOLATION_HEADER * PINTRO_VIOLATION_HEADER
 
typedef struct _EVENT_EPT_VIOLATION EVENT_EPT_VIOLATION
 Event structure for EPT violations. More...
 
typedef struct _EVENT_EPT_VIOLATION * PEVENT_EPT_VIOLATION
 
typedef struct _EVENT_MSR_VIOLATION EVENT_MSR_VIOLATION
 Event structure for MSR violation. More...
 
typedef struct _EVENT_MSR_VIOLATION * PEVENT_MSR_VIOLATION
 
typedef struct _EVENT_CR_VIOLATION EVENT_CR_VIOLATION
 Event structure for CR violation. More...
 
typedef struct _EVENT_CR_VIOLATION * PEVENT_CR_VIOLATION
 
typedef struct _EVENT_XCR_VIOLATION EVENT_XCR_VIOLATION
 Event structure for XCR violation. More...
 
typedef struct _EVENT_XCR_VIOLATION * PEVENT_XCR_VIOLATION
 
typedef enum _MEMCOPY_VIOLATION_TYPE MEMCOPY_VIOLATION_TYPE
 The type of a memory copy violation. More...
 
typedef struct _EVENT_MEMCOPY_VIOLATION EVENT_MEMCOPY_VIOLATION
 Memory access violations that cross a process boundary. More...
 
typedef struct _EVENT_MEMCOPY_VIOLATION * PEVENT_MEMCOPY_VIOLATION
 
typedef enum _TRANS_VIOLATION_TYPE TRANS_VIOLATION_TYPE
 Translation violation types. More...
 
typedef struct _EVENT_TRANSLATION_VIOLATION EVENT_TRANSLATION_VIOLATION
 Event structure for illegal paging-structures modifications. More...
 
typedef struct _EVENT_TRANSLATION_VIOLATION * PEVENT_TRANSLATION_VIOLATION
 
typedef struct _EVENT_INTEGRITY_VIOLATION EVENT_INTEGRITY_VIOLATION
 Event structure for integrity violations on monitored structures. More...
 
typedef struct _EVENT_INTEGRITY_VIOLATION * PEVENT_INTEGRITY_VIOLATION
 
typedef struct _EVENT_DTR_VIOLATION EVENT_DTR_VIOLATION
 Event structure for GDTR/IDTR descriptor tables modifications. More...
 
typedef struct _EVENT_DTR_VIOLATION * PEVENT_DTR_VIOLATION
 
typedef union _INTRO_DPI_EXTRA_INFO INTRO_DPI_EXTRA_INFO
 Structure for keeping the relevant DPI violation information. More...
 
typedef union _INTRO_DPI_EXTRA_INFO * PINTRO_DPI_EXTRA_INFO
 
typedef struct _EVENT_PROCESS_CREATION_VIOLATION EVENT_PROCESS_CREATION_VIOLATION
 Event structure for process creation violation events. More...
 
typedef struct _EVENT_PROCESS_CREATION_VIOLATION * PEVENT_PROCESS_CREATION_VIOLATION
 
typedef struct _EVENT_MODULE_LOAD_VIOLATION EVENT_MODULE_LOAD_VIOLATION
 Event structure for suspicious module load into processes. More...
 
typedef struct _EVENT_MODULE_LOAD_VIOLATION * PEVENT_MODULE_LOAD_VIOLATION
 
typedef struct _EVENT_ENGINES_DETECTION_VIOLATION EVENT_ENGINES_DETECTION_VIOLATION
 Event structure for detections provided by additional scan engines. More...
 
typedef struct _EVENT_ENGINES_DETECTION_VIOLATION * PEVENT_ENGINES_DETECTION_VIOLATION
 
typedef struct _EVENT_INTROSPECTION_MESSAGE EVENT_INTROSPECTION_MESSAGE
 Event structure for plain data/message passing. More...
 
typedef struct _EVENT_INTROSPECTION_MESSAGE * PEVENT_INTROSPECTION_MESSAGE
 
typedef struct _EVENT_PROCESS_EVENT EVENT_PROCESS_EVENT
 Event structure for process creation/termination. More...
 
typedef struct _EVENT_PROCESS_EVENT * PEVENT_PROCESS_EVENT
 
typedef struct _EVENT_MODULE_EVENT EVENT_MODULE_EVENT
 Event structure for module loading and unloading. More...
 
typedef struct _EVENT_MODULE_EVENT * PEVENT_MODULE_EVENT
 
typedef struct _EVENT_CRASH_EVENT EVENT_CRASH_EVENT
 Event structure for guest OS crashes. More...
 
typedef struct _EVENT_CRASH_EVENT * PEVENT_CRASH_EVENT
 
typedef struct _EVENT_EXCEPTION_EVENT EVENT_EXCEPTION_EVENT
 Event structure for process exceptions. More...
 
typedef struct _EVENT_EXCEPTION_EVENT * PEVENT_EXCEPTION_EVENT
 
typedef struct _EVENT_CONNECTION_EVENT EVENT_CONNECTION_EVENT
 Event structure for connections. More...
 
typedef struct _EVENT_CONNECTION_EVENT * PEVENT_CONNECTION_EVENT
 
typedef struct _ENG_NOTIFICATION_HEADER ENG_NOTIFICATION_HEADER
 Notification header for scan engines alerts. More...
 
typedef struct _ENG_NOTIFICATION_HEADER * PENG_NOTIFICATION_HEADER
 
typedef struct _ENG_NOTIFICATION_CODE_EXEC ENG_NOTIFICATION_CODE_EXEC
 Execution notification for scan engines. More...
 
typedef struct _ENG_NOTIFICATION_CODE_EXEC * PENG_NOTIFICATION_CODE_EXEC
 
typedef struct _ENG_NOTIFICATION_CMD_LINE ENG_NOTIFICATION_CMD_LINE
 Command line notification for scan engines. More...
 
typedef struct _ENG_NOTIFICATION_CMD_LINE * PENG_NOTIFICATION_CMD_LINE
 
typedef struct _AGENT_REM_EVENT_HEADER AGENT_REM_EVENT_HEADER
 Common header for all remediation tool events. More...
 
typedef struct _AGENT_REM_EVENT_HEADER * PAGENT_REM_EVENT_HEADER
 
typedef struct _AGENT_REM_EVENT AGENT_REM_EVENT
 A remediation tool event. More...
 
typedef struct _AGENT_REM_EVENT * PAGENT_REM_EVENT
 
typedef struct _AGENT_LGT_EVENT_HEADER AGENT_LGT_EVENT_HEADER
 Common header for all log gather tool events. More...
 
typedef struct _AGENT_LGT_EVENT_HEADER * PAGENT_LGT_EVENT_HEADER
 
typedef struct _AGENT_LGT_EVENT AGENT_LGT_EVENT
 Describes an event sent by the log gathering tool. More...
 
typedef struct _AGENT_LGT_EVENT * PAGENT_LGT_EVENT
 
typedef struct _EVENT_AGENT_EVENT EVENT_AGENT_EVENT
 Event structure for agent injection and termination. More...
 
typedef struct _EVENT_AGENT_EVENT * PEVENT_AGENT_EVENT
 
typedef struct _GUEST_INFO GUEST_INFO
 Guest information. More...
 
typedef struct _GUEST_INFO * PGUEST_INFO
 
typedef union _INT_VERSION_INFO INT_VERSION_INFO
 Introspection version info. More...
 
typedef union _INT_VERSION_INFO * PINT_VERSION_INFO
 
typedef union _INTRO_ERROR_CONTEXT INTRO_ERROR_CONTEXT
 The context of an error state. More...
 
typedef union _INTRO_ERROR_CONTEXT * PINTRO_ERROR_CONTEXT
 

Enumerations

enum  _INTRO_EVENT_TYPE {
  introEventEptViolation = 1, introEventMsrViolation, introEventCrViolation, introEventXcrViolation,
  introEventIntegrityViolation, introEventTranslationViolation, introEventInjectionViolation, introEventDtrViolation,
  introEventMessage, introEventProcessEvent, introEventAgentEvent, introEventModuleEvent,
  introEventCrashEvent, introEventExceptionEvent, introEventConnectionEvent, introEventProcessCreationViolation,
  introEventModuleLoadViolation, introEventEnginesDetectionViolation
}
 Event classes. More...
 
enum  _INTRO_ENG_NOTIFICATION_TYPE { introEngineNotificationCodeExecution = 1, introEngineNotificationCmdLine }
 Scan engine alert types. More...
 
enum  _INTRO_ACTION {
  introGuestAllowed = 0, introGuestAllowedVirtual, introGuestAllowedPatched, introGuestNotAllowed,
  introGuestIgnore, introGuestRetry
}
 Event actions. More...
 
enum  _INTRO_ACTION_REASON {
  introReasonAllowed = 0, introReasonAllowedFeedback, introReasonSignatureNotMatched, introReasonNoException,
  introReasonExtraChecksFailed, introReasonExceptionsNotLoaded, introReasonInternalError, introReasonValueCodeNotMatched,
  introReasonValueNotMatched, introReasonExportNotMatched, introReasonIdtNotMatched, introReasonVersionOsNotMatched,
  introReasonVersionIntroNotMatched, introReasonProcessCreationNotMatched, introReasonSameValue, introReasonUnknown
}
 The reason for which an INTRO_ACTION was taken. More...
 
enum  _INTRO_OBJECT_TYPE {
  introObjectTypeRaw = 1, introObjectTypeInternal, introObjectTypeSsdt, introObjectTypeFastIoDispatch,
  introObjectTypeDriverObject, introObjectTypeKmModule, introObjectTypeIdt, introObjectTypeGdt,
  introObjectTypeKmUnpack, introObjectTypeProcess, introObjectTypeUmInternal, introObjectTypeUmUnpack,
  introObjectTypeUmHeap, introObjectTypeUmStack, introObjectTypeUmGenericNxZone, introObjectTypeUmModule,
  introObjectTypeDetourRead, introObjectTypeTokenPtr, introObjectTypeCreds = introObjectTypeTokenPtr, introObjectTypeHalDispatchTable,
  introObjectTypeHalIntController, introObjectTypeSelfMapEntry, introObjectTypeHalHeap, introObjectTypeVdso,
  introObjectTypeVsyscall, introObjectTypeExTable, introObjectTypeVeAgent, introObjectTypeIdtr,
  introObjectTypeGdtr, introObjectTypeProcessCreation, introObjectTypeExecSuspiciousDll, introObjectTypeKmLoggerContext,
  introObjectTypeProcessCreationDpi, introObjectTypeTokenPrivs, introObjectTypeSudExec, introObjectTypeHalPerfCounter,
  introObjectTypeHookedFunction, introObjectTypeSlackSpace, introObjectTypeSecDesc, introObjectTypeAcl,
  introObjectTypeSudIntegrity, introObjectTypeInterruptObject, introObjectTypeTest
}
 The type of the object protected by an EPT hook. More...
 
enum  _INTRO_NET_AF { introNetAfIpv4 = 0, introNetAfIpv6, introNetAfUnknown }
 Address family. More...
 
enum  _INTRO_NET_STATE {
  introNetStateEstablished = 0, introNetStateSynSent, introNetStateSynRecv, introNetStateFinWait,
  introNetStateFinWait2, introNetStateTimeWait, introNetStateClosed, introNetStateCloseWait,
  introNetStateLastAck, introNetStateListening, introNetStateClosing, introNetStateNewSynRecv,
  introNetStateDeleteTcb, introNetStateUnknown
}
 Connection states. More...
 
enum  INTRO_EPT_ACCESS_TYPE { INTRO_EPT_NONE = 0, INTRO_EPT_READ, INTRO_EPT_WRITE, INTRO_EPT_EXECUTE }
 EPT access types. More...
 
enum  INTRO_MSR_ACCESS_TYPE { INTRO_MSR_READ = 1, INTRO_MSR_WRITE = 2 }
 MSR access types. More...
 
enum  _MITRE_ID {
  idCredDump = 1003, idRootkit = 1014, idSoftwarePacking = 1045, idProcInject = 1055,
  idScripting = 1064, idExploitPrivEsc = 1068, idPowerShell = 1086, idProcHollowing = 1093,
  idExecApi = 1106, idExecModLoad = 1129, idAccessToken = 1134, idHooking = 1179,
  idEWMI = 1181, idProcDoppelganging = 1186, idExploitClientExec = 1203, idTrustedDevUtil = 1127,
  idExploitRemote = 1210, idKernModExt = 1215
}
 MITRE ATT&CK techniques. More...
 
enum  _MEMCOPY_VIOLATION_TYPE {
  memCopyViolationWrite = 0, memCopyViolationRead, memCopyViolationSetContextThread, memCopyViolationQueueApcThread,
  memCopyViolationInstrument
}
 The type of a memory copy violation. More...
 
enum  _TRANS_VIOLATION_TYPE {
  transViolationPageHash, transViolationProcessCr3, transViolationSelfMap, transViolationWatchdog,
  transViolationVeAgent
}
 Translation violation types. More...
 
enum  INTRO_PC_VIOLATION_TYPE {
  INT_PC_VIOLATION_NORMAL_PROCESS_CREATION = 0, INT_PC_VIOLATION_DPI_DEBUG_FLAG = (1 << 0), INT_PC_VIOLATION_DPI_PIVOTED_STACK = (1 << 1), INT_PC_VIOLATION_DPI_STOLEN_TOKEN = (1 << 2),
  INT_PC_VIOLATION_DPI_HEAP_SPRAY = (1 << 3), INT_PC_VIOLATION_DPI_TOKEN_PRIVS = (1 << 4), INT_PC_VIOLATION_DPI_THREAD_START = (1 << 5), INT_PC_VIOLATION_DPI_SEC_DESC = (1 << 6),
  INT_PC_VIOLATION_DPI_ACL_EDIT = (1 << 7)
}
 Process creation violation flags. More...
 
enum  INTRO_GUEST_TYPE { introGuestUnknown, introGuestWindows, introGuestLinux }
 The type of the introspected operating system. More...
 
enum  AGENT_EVENT_TYPE {
  agentInjected = 0, agentInitialized, agentStarted, agentTerminated,
  agentMessage, agentError, agentInvalid = -1
}
 The state of an agent. More...
 
enum  AGENT_REM_EVENT_TYPE {
  remEventNone = 0, remEventStart, remEventDetection, remEventDisinfection,
  remEventProgress, remEventReboot, remEventFinish
}
 Remediation tool event types. More...
 
enum  AGENT_LGT_EVENT_TYPE { lgtEventNone = 0, lgtEventError, lgtEventData }
 Log gather tool events. More...
 
enum  INTRO_DEP_AG_TAGS {
  INTRO_AGENT_TAG_DUMMY_TOOL = 0, INTRO_AGENT_TAG_REMEDIATION_TOOL = 1, INTRO_AGENT_TAG_VISIBILITY_TOOL = 2, INTRO_AGENT_TAG_REMEDIATION_TOOL_LINUX = 3,
  INTRO_AGENT_TAG_LOG_GATHER_TOOL = 4, INTRO_AGENT_TAG_AGENT_KILLER_TOOL = 5, INTRO_AGENT_TAG_VE_DRIVER = 10, INTRO_AGENT_TAG_PT_DRIVER = 11,
  INTRO_AGENT_TAG_CUSTOM_TOOL = 100
}
 Deployable agent tags. More...
 
enum  INTRO_ERROR_STATE {
  intErrNone = 0, intErrGuestNotIdentified, intErrGuestNotSupported, intErrGuestKernelNotFound,
  intErrGuestApiNotFound, intErrGuestExportNotFound, intErrGuestStructureNotFound, intErrUpdateFileNotSupported,
  intErrProcNotProtectedNoMemory, intErrProcNotProtectedInternalError
}
 Error states. More...
 

Detailed Description

Exposes the types and constants used by various Introcore APIs defined in glueiface.h.

These are used to describe Introcore options, alerts, and other events that may be generated by an introspected guest.

Definition in file intro_types.h.

Macro Definition Documentation

◆ AGENT_HCALL_GATHER_TOOL

#define AGENT_HCALL_GATHER_TOOL   500

Log gathering tool.

Definition at line 2119 of file intro_types.h.

Referenced by IntLixAgentHandleUserVmcall(), and IntWinAgentHandleAppVmcall().

◆ AGENT_HCALL_INTERNAL

#define AGENT_HCALL_INTERNAL   753200

Reserved for internal use.

Definition at line 2123 of file intro_types.h.

Referenced by IntLixAgentHandleUserVmcall(), and IntWinAgentHandleAppVmcall().

◆ AGENT_HCALL_KILLER_TOOL

#define AGENT_HCALL_KILLER_TOOL   600

Agent killer tool.

Definition at line 2121 of file intro_types.h.

◆ AGENT_HCALL_REM_TOOL

#define AGENT_HCALL_REM_TOOL   100

Used by the remediation tool.

Definition at line 2117 of file intro_types.h.

Referenced by IntLixAgentHandleUserVmcall(), and IntWinAgentHandleAppVmcall().

◆ ALERT_CMDLINE_MAX_LEN

#define ALERT_CMDLINE_MAX_LEN   512u

The maximum size of a command line included in an alert structure.

Definition at line 706 of file intro_types.h.

◆ ALERT_EXCEPTION_SIZE

#define ALERT_EXCEPTION_SIZE   255u

The maximum size of an exception included in an alert structure.

Definition at line 707 of file intro_types.h.

Referenced by IntUpdateAddExceptionFromAlert().

◆ ALERT_IMAGE_NAME_LEN

#define ALERT_IMAGE_NAME_LEN   16u

The maximum size of a name inside an alert structure.

Definition at line 696 of file intro_types.h.

◆ ALERT_MAX_CODEBLOCKS

#define ALERT_MAX_CODEBLOCKS   64u

The maximum number of code blocks included in an alert structure.

Definition at line 705 of file intro_types.h.

Referenced by IntAlertCreateCbSignature(), IntAlertFillCodeBlocks(), IntSerializeCodeBlocksPattern(), and IntSerializeExtractCodeBlocks().

◆ ALERT_MAX_DETECTION_NAME

#define ALERT_MAX_DETECTION_NAME   128u

The maximum size of a detection name as given by a third-party scan engine.

Definition at line 709 of file intro_types.h.

Referenced by IntEngSendExecViolation(), IntLixCmdLineSendViolationEvent(), and IntWinSendCmdLineViolation().

◆ ALERT_MAX_ENGINES_VERSION

#define ALERT_MAX_ENGINES_VERSION   32u

The maximum size of the third-party scan engines version string.

Definition at line 710 of file intro_types.h.

Referenced by IntEngSendExecViolation(), IntLixCmdLineSendViolationEvent(), and IntWinSendCmdLineViolation().

◆ ALERT_MAX_FUNCTION_NAME_LEN

#define ALERT_MAX_FUNCTION_NAME_LEN   32u

The maximum size of a function name inside an alert structure.

Definition at line 703 of file intro_types.h.

Referenced by IntAlertEptFillFromVictimZone(), IntWinProcHandleCopyMemory(), IntWinThrHandleQueueApc(), and IntWinThrHandleThreadHijack().

◆ ALERT_MAX_FUNCTIONS

#define ALERT_MAX_FUNCTIONS   4u

The maximum number of functions included in an alert structure.

Definition at line 702 of file intro_types.h.

Referenced by IntAlertEptFillFromVictimZone().

◆ ALERT_MAX_INJ_DUMP_SIZE

#define ALERT_MAX_INJ_DUMP_SIZE   512u

The maximum size of an injection buffer inside an alert structure.

Definition at line 704 of file intro_types.h.

◆ ALERT_MAX_INSTRUX_LEN

#define ALERT_MAX_INSTRUX_LEN   128u

The maximum size of an instruction inside an alert structure.

Definition at line 699 of file intro_types.h.

◆ ALERT_MAX_MESSAGE_SIZE

#define ALERT_MAX_MESSAGE_SIZE   256u

The maximum size of an Introcore message inside EVENT_INTROSPECTION_MESSAGE.

Definition at line 698 of file intro_types.h.

◆ ALERT_MAX_SECTION_NAME_LEN

#define ALERT_MAX_SECTION_NAME_LEN   8u

The maximum size of an executable section name inside an alert structure.

Definition at line 701 of file intro_types.h.

◆ ALERT_PATH_MAX_LEN

#define ALERT_PATH_MAX_LEN   260u

The maximum size of a path inside an alert structure.

Definition at line 695 of file intro_types.h.

◆ FALSE

#define FALSE   false

Definition at line 34 of file intro_types.h.

Referenced by DbgDumpCodeblocks(), DbgDumpGuestModules(), DbgMitigateSwapgs(), DbgProcRem(), DbgVadFind(), glob_match_numeric_utf8(), glob_match_utf16(), glob_match_utf8(), IntAgentIsPtrInTrampoline(), IntAlertCreateCbSignature(), IntAlertCreateCrException(), IntAlertCreateDtrException(), IntAlertCreateEptException(), IntAlertCreateExceptionInEvent(), IntAlertCreateExportSignature(), IntAlertCreateInjectionException(), IntAlertCreateIntegrityException(), IntAlertCreateModuleLoadException(), IntAlertCreateMsrException(), IntAlertCreateProcessCreationException(), IntAlertFillLixCurrentProcess(), IntAlertFillWinKmModule(), IntAlertFillWinProcess(), IntAlertFillWinProcessByCr3(), IntAlertFillWinProcessCurrent(), IntAlertFillWinUmModule(), IntCamiUpdateProcessProtectionInfoLix(), IntCamiUpdateProcessProtectionInfoWin(), IntCrLixHandleWrite(), IntCrSendAlert(), IntCrWinHandleWrite(), IntDbgProcessCommand(), IntDecDecodeInstruction(), IntDecDecodeInstructionAtRipWithCache(), IntDecEmulatePTWrite(), IntDecEmulateRead(), IntDecGetSseRegValue(), IntDecGetWrittenValueFromInstruction(), IntDetCallCallback(), IntDetEnableHypercall(), IntDetIsPtrInHandler(), IntDetIsPtrInRelocatedCode(), IntDetRelocate(), IntDetSendIntegrityAlert(), IntDetSetHook(), IntDetSetLixHook(), IntDispatchPtAsEpt(), IntDispatchVeAsEpt(), IntDtrHandleWrite(), IntDtrSendAlert(), IntDumpInstruction(), IntExcept(), IntExceptDumpSignatures(), IntExceptExtendedPatternMatch(), IntExceptGetVictimIntegrity(), IntExceptInit(), IntExceptKernel(), IntExceptKernelLogInformation(), IntExceptKernelMatchVictim(), IntExceptKernelUser(), IntExceptKernelUserLogInformation(), IntExceptKernelUserMatchArch(), IntExceptKernelUserMatchNameHash(), IntExceptKernelUserMatchObjectType(), IntExceptKernelUserMatchProcessHash(), IntExceptKernelUserMatchVictim(), IntExceptKernelUserMatchZoneFlags(), IntExceptLixKernelIsMemoryFunc(), IntExceptRemove(), IntExceptSignaturesHasType(), IntExceptUser(), IntExceptUserGetOriginator(), 
IntExceptUserHandleMemoryFunctions(), IntExceptUserLogInformation(), IntExceptUserMatchArchitecture(), IntExceptUserMatchChild(), IntExceptUserMatchNameGlob(), IntExceptUserMatchProcessGlob(), IntExceptUserMatchProcessHash(), IntExceptUserMatchSystemProcess(), IntExceptUserMatchZoneFlags(), IntExceptUserMatchZoneType(), IntExceptVerifyCodeBlocksSig(), IntExceptVerifyExportSig(), IntExceptVerifyValueSig(), IntExceptVerifyVersionIntroSignature(), IntExceptVerifyVersionOsSignature(), IntFragLogCodeBlocks(), IntGpaCacheAddEntry(), IntGpaCacheFlush(), IntGpaCacheLookupEntry(), IntGpaCacheRelease(), IntGuestDetectOs(), IntGuestDetectOsSysCall(), IntGuestHandleCr3Write(), IntGuestInit(), IntGuestInitMemoryInfo(), IntGuestIsKptiActive(), IntGuestIsSafeToDisable(), IntGuestPreReturnCallback(), IntGuestUpdateCoreOptions(), IntHandleBreakpoint(), IntHandleCowOnPage(), IntHandleCrWrite(), IntHandleDtrViolation(), IntHandleEptViolation(), IntHandleEventInjection(), IntHandleFetchRetryOnPageBoundary(), IntHandleIntroCall(), IntHandleMemAccess(), IntHandleMsrViolation(), IntHandlePageBoundaryCow(), IntHandleTimer(), IntHandleXcrWrite(), IntHookCommitAllHooks(), IntHookCrRemoveHook(), IntHookCrSetHook(), IntHookGpaCommitHooks(), IntHookGpaDisablePtCache(), IntHookGpaDisableVe(), IntHookGpaEnableDisableVe(), IntHookGpaInit(), IntHookGpaSetHook(), IntHookGpaSetNewPageProtection(), IntHookGvaCommitHooks(), IntHookGvaEnableHooks(), IntHookGvaHandleSwap(), IntHookGvaSetHook(), IntHookMsrRemoveHook(), IntHookMsrSetHook(), IntHookObjectCommit(), IntHookObjectCreate(), IntHookPtmCommitHooks(), IntHookPtmRemoveTableHook(), IntHookPtmWriteCallback(), IntHookPtsCheckIntegrity(), IntHookPtsCloneCallbacks(), IntHookPtsCommitHooks(), IntHookPtsCreateEntry(), IntHookPtsDisableEntry(), IntHookPtsHandleModification(), IntHookPtsInit(), IntHookPtsInvokeCallbacks(), IntHookPtsRemoveHookInternal(), IntHookPtsRemovePteHook(), IntHookPtsSetHook(), IntHookPtsWriteCallback(), IntHookPtwProcessWrite(), 
IntHookXcrSetHook(), IntIcAddInstruction(), IntIcAddInvdForInstruction(), IntIcFlush(), IntIcSwapHandler(), IntIcWriteHandler(), IntIntegrityAddRegion(), IntIntegrityCheckAll(), IntIntegrityIsOverlappedRegions(), IntKernVirtMemRead(), IntKsymExpandSymbol(), IntKsymFindIndexesTableStart(), IntKsymInitAbsolute(), IntKsymRelativeFindOffsetTableEnd(), IntKsymUninit(), IntLdrLoadPEImage(), IntLixAccessRemoteVmHandler(), IntLixAgentActivatePendingAgent(), IntLixAgentAllocate(), IntLixAgentDecProcRef(), IntLixAgentFindInstruction(), IntLixAgentNameIsRunning(), IntLixApiHookAll(), IntLixCrashEnoughHeapAvailable(), IntLixCredAnalyzeStack(), IntLixCredCheckIntegrity(), IntLixCredsVerify(), IntLixDrvActivateProtection(), IntLixDrvDeactivateProtection(), IntLixDrvFindList(), IntLixDrvHandleWrite(), IntLixDrvIsActivePatch(), IntLixDrvRemoveDuplicate(), IntLixDrvRemoveFromAddress(), IntLixDrvSendEvent(), IntLixDrvSendViolationEvent(), IntLixDrvSystemBooting(), IntLixFileCachePathIsValid(), IntLixGetInitTask(), IntLixGuestDeployUninitAgent(), IntLixGuestFindKernelVersionAndRo(), IntLixGuestIsKptiActive(), IntLixGuestIsSupported(), IntLixGuestNew(), IntLixGuestParseVersion(), IntLixGuestUninit(), IntLixIdtWriteHandler(), IntLixKernelHandleRead(), IntLixMmFetchVma(), IntLixMmGetInitMm(), IntLixMmListVmas(), IntLixMmPopulateVmas(), IntLixMmPopulateVmasInternal(), IntLixMsrHandleWrite(), IntLixNetFileIsSocket(), IntLixPatchHandler(), IntLixStackTraceGet(), IntLixTaskActivateProtection(), IntLixTaskAddProtected(), IntLixTaskChangeProtectionFlags(), IntLixTaskCreate(), IntLixTaskCreateFromBinprm(), IntLixTaskCreateInitTask(), IntLixTaskDeactivateProtection(), IntLixTaskDestroy(), IntLixTaskGuestTerminating(), IntLixTaskHandleExec(), IntLixTaskHandleFork(), IntLixTaskHandleInjection(), IntLixTaskHandlePtrace(), IntLixTaskHandleVmRw(), IntLixTaskIsUserStackPivoted(), IntLixTaskPathGetByDentry(), IntLixTaskSendCredViolationEvent(), IntLixTaskSendInjectionEvent(), 
IntLixTaskSendTaskEvent(), IntLixTaskUpdateProtection(), IntLixUnhookKernelRead(), IntLixUnhookKernelWrite(), IntLixUnpatchSwapgs(), IntLixValidateProcessCreationRights(), IntLixVdsoHandleKernelModeWrite(), IntLixVdsoHandleUserModeWrite(), IntLixVdsoHandleWriteCommon(), IntLixVmaChangeProtection(), IntLixVmaHandlePageExecution(), IntLixVmaIntervalChanged(), IntLixVmaRemoveProtection(), IntMatchPatternUtf8(), IntMemClkIsPtrInCloak(), IntMemClkUnInit(), IntMsrSyscallUnprotect(), IntMtblCheckAccess(), IntMtblInsRelocated(), IntMtblIsPtrInReloc(), IntMtblPatchInstruction(), IntMtblRemoveEntry(), IntNetAddrToStr(), IntPatternMatch(), IntPeFindExportByName(), IntPeFindExportByOrdinal(), IntPeFindExportByRva(), IntPeFindFunctionByPattern(), IntPeFindFunctionByPatternInBuffer(), IntPeFindFunctionStart(), IntPeFindFunctionStartInBuffer(), IntPeGetDirectory(), IntPeGetExportNameByRva(), IntPeGetRuntimeFunction(), IntPeGetRuntimeFunctionInBuffer(), IntPeGetSectionHeaderByRva(), IntPeGetSectionHeadersByName(), IntPeParseUnwindData(), IntPeParseUnwindDataInBuffer(), IntPeValidateOptionalHeader(), IntPhysicalMemRead(), IntPhysicalMemReadAnySize(), IntPolicyCoreForceBetaIfNeeded(), IntPolicyProcForceBetaIfNeeded(), IntPolicyProcIsBeta(), IntPolicyProcIsFeedback(), IntPtiCompleteLoader(), IntPtiDeliverDriverForUnload(), IntPtiDisableFiltering(), IntPtiInjectPtFilter(), IntPtiIsPtrInAgent(), IntPtiMonitorAllPtWriteCandidates(), IntPtiResetState(), IntPtiRestoreAllPtWriteCandidates(), IntReadString(), IntRtlpVirtualUnwindCheckAccess(), IntSerializeLixKmMisc(), IntSerializeStringIsWcharAscii(), IntSerializeValidObjectSize(), IntSerializeWinKmMisc(), IntSetValueForOperand(), IntSlackSendIntegrityAlert(), IntStackAnalyzePointer(), IntSwapgsInstallHandler(), IntSwapgsIsPtrInHandler(), IntSwapgsUninit(), IntSwapMemCancelPendingPF(), IntSwapMemCancelTransaction(), IntSwapMemInjectPendingPF(), IntSwapMemPageSwappedIn(), IntSwapMemReadData(), IntSwapMemReinjectFailedPF(), 
IntSwapMemRemoveTransaction(), IntSwapMemRemoveTransactionsForVaSpace(), IntThrSafeCheckThreads(), IntThrSafeIsLiveRIPInIntro(), IntThrSafeIsStackPtrInIntro(), IntThrSafeLixInspectWaitingThread(), IntThrSafeMoveReturn(), IntThrSafeWinInspectRunningThreadOnCpu(), IntThrSafeWinInspectWaitingThread(), IntTranslateVa32(), IntUnpPageWriteCallback(), IntUpdateAddCbSignature(), IntUpdateAddExportSignature(), IntUpdateAddIdtSignature(), IntUpdateAddProcessCreationSignature(), IntUpdateAddValueCodeSignature(), IntUpdateAddValueSignature(), IntUpdateAddVersionIntroSignature(), IntUpdateAddVersionOsSignature(), IntUpdateIsDuplicateCbSignature(), IntUpdateIsDuplicateExportSignature(), IntUpdateIsDuplicateIdtSignature(), IntUpdateIsDuplicateKernelException(), IntUpdateIsDuplicateKernelUserException(), IntUpdateIsDuplicateUserException(), IntUpdateIsValidEntry(), IntValidatePageRightsEx(), IntValidateTranslation(), IntVasUnInit(), IntVeCompleteLoader(), IntVeFindKernelKvaShadowAndKernelExit(), IntVeHandleAccess(), IntVeHandleEPTViolationInProtectedView(), IntVeIsAgentRemapped(), IntVeIsCurrentRipInAgent(), IntVeIsPtrInAgent(), IntVeResetState(), IntVeUnhookVeAgent(), IntVeUnInit(), IntVeUpdateCacheEntry(), IntVirtMemRead(), IntVirtMemUnmapMultiPage(), IntWinAgentActivatePendingAgent(), IntWinAgentCheckIfProcessAgentAndDecrement(), IntWinAgentCheckIfProcessAgentAndIncrement(), IntWinAgentFindInstruction(), IntWinAgentHandleDriverVmcall(), IntWinAgentInit(), IntWinAgentInjectTrampoline(), IntWinAgentIsPtrInTrampoline(), IntWinAgentIsRipInsideCurrentAgent(), IntWinAgentReleaseBootstrapAddress(), IntWinAgentSelectBootstrapAddress(), IntWinAgentUnInit(), IntWinApiHook(), IntWinApiHookAll(), IntWinApiHookVeHandler(), IntWinCrashHandleDepViolation(), IntWinDagentCheckNativeSubsystem(), IntWinDagentHandleSuspModHeaders(), IntWinDagentIsInitialDll(), IntWinDagentSendDoubleAgentAlert(), IntWinDepInjectFile(), IntWinDepInjectProcess(), IntWinDpiCheckCreation(), IntWinDpiIsDpiWhiteListed(), 
IntWinDpiIsSelf(), IntWinDpiValidateHeapSpray(), IntWinDpiValidatePivotedStack(), IntWinDpiValidateTokenPrivs(), IntWinDrvHandleDriverEntry(), IntWinDrvHandleRead(), IntWinDrvHandleWrite(), IntWinDrvHeadersInMemory(), IntWinDrvIsListHead(), IntWinDrvObjHandleModification(), IntWinDrvObjHandleWrite(), IntWinDrvObjIsValidDriverObject(), IntWinDrvObjRemoveFromAddress(), IntWinDrvObjSendEptAlert(), IntWinDrvObjSendIntegrityAlert(), IntWinDrvObjUnprotect(), IntWinDrvObjUnprotectFastIoDispatch(), IntWinDrvRemoveFromAddress(), IntWinDrvSendAlert(), IntWinDrvUnprotect(), IntWinGetActiveCpuCount(), IntWinGuestFindBuildNumber(), IntWinGuestFindDriversNamespace(), IntWinGuestFindIdleCr3(), IntWinGuestFindKernel(), IntWinGuestFindKernelCr3(), IntWinGuestFindSelfMapIndex(), IntWinGuestIsIncreasedUserVa(), IntWinGuestIsSystemCr3(), IntWinGuestReadKernel(), IntWinGuestResolveImports(), IntWinGuestUninit(), IntWinGuestValidateKernel(), IntWinHalHandleDispatchTableWrite(), IntWinHalHandleHalHeapExec(), IntWinHalHandleHalIntCtrlWrite(), IntWinHalHandlePerfCounterModification(), IntWinHalIsHalPerf(), IntWinHalIsIntController(), IntWinHalReadHal(), IntWinHalSendAlert(), IntWinHalSendPerfCntIntegrityAlert(), IntWinIdtHandleModification(), IntWinIdtSendIntegrityAlert(), IntWinIdtWriteHandler(), IntWinInfHookEptSppHandleWrite(), IntWinInfHookEptSppSendAlert(), IntWinInfHookGetEtwpDebuggerData(), IntWinInfHookHandleSiloFirstWrite(), IntWinInfHookIntegrityHandleWrite(), IntWinInfHookIntegritySendAlert(), IntWinInfHookSiloWmiPtrIntegrityCallback(), IntWinInfHookSppViolationCallbackWmiPtrChanged(), IntWinIntObjHandleArrayModification(), IntWinIntObjSendIntegrityAlert(), IntWinIsUmTrapFrame(), IntWinModBlockHandleExecution(), IntWinModBlockRegisterCallbackForReason(), IntWinModCheckSpecialCases(), IntWinModHandleKernelWrite(), IntWinModHandleLoadFromVad(), IntWinModHandleUserWrite(), IntWinModIsKernelWriteInjection(), IntWinModIsProtected(), IntWinModRemoveModule(), 
IntWinModulesChangeProtectionFlags(), IntWinModUnHookModule(), IntWinModWriteValidHandler(), IntWinMsrHandleWrite(), IntWinMsrSendAlert(), IntWinNetFindTcpPartition(), IntWinNetGetTcpEndpoint(), IntWinNetGetTcpListener(), IntWinObjCancelRootTransactions(), IntWinObjHandleRootDirTagInMemory(), IntWinObjIsRootSearchOver(), IntWinObjIsTypeObject(), IntWinObjReinitGlobalState(), IntWinPfnHandleTranslationChange(), IntWinPfnIsMmPfnDatabase(), IntWinPfnLockAddress(), IntWinPfnLockGva(), IntWinPfnModifyRefCount(), IntWinPfnMoveLock(), IntWinPfnRemoveLock(), IntWinPfnUnlockAddress(), IntWinPreProcessException(), IntWinProcChangeProtectionFlags(), IntWinProcCreateProcessObject(), IntWinProcDeleteProcessObject(), IntWinProcEnforceProcessDep(), IntWinProcExistsProtectedProcess(), IntWinProcHandleCopyMemory(), IntWinProcHandleCreateInternal(), IntWinProcHandleInstrument(), IntWinProcHandleReadFromLsass(), IntWinProcIsEnoughHeapAvailable(), IntWinProcIsExploitGuardEnabled(), IntWinProcIsFullPath(), IntWinProcRemoveProcess(), IntWinProcSendProcessEvent(), IntWinProcSwapIn(), IntWinProcUnlockCr3(), IntWinProcUpdateProtectedProcess(), IntWinProcValidateSystemCr3(), IntWinReadToken(), IntWinSDCheckAclIntegrity(), IntWinSDCheckSecDescIntegrity(), IntWinSDDumpSecDesc(), IntWinSDIsAceInsideAcl(), IntWinSDIsAceInsideBuffer(), IntWinSDIsAclEdited(), IntWinSDIsSecDescPtrAltered(), IntWinSDSendAclIntegrityViolation(), IntWinSDSendSecDescIntViolation(), IntWinSelfMapHandleCr3SelfMapModification(), IntWinSelfMapHandleCr3SelfMapWrite(), IntWinSelfMapProtectSelfMapIndex(), IntWinStackHandleUserStackPagedOut(), IntWinStackTraceGet32(), IntWinStackTraceGet64(), IntWinStackTraceGetUser(), IntWinStackTraceGetUser32(), IntWinStackUserCheckIsPivoted(), IntWinStackUserTrapFrameGet32(), IntWinStackUserTrapFrameGet64(), IntWinSudCheckIntegrity(), IntWinSudFetchFieldCurrentValue(), IntWinSudHandleKernelSudExec(), IntWinSudHandleUserSudExec(), IntWinSudProtectIntegrity(), 
IntWinSudSendSudIntegrityAlert(), IntWinSudUnprotectIntegrity(), IntWinThrHandleQueueApc(), IntWinThrHandleThreadHijack(), IntWinTokenCheckCurrentPrivileges(), IntWinTokenPrivsCheckIntegrityOnProcess(), IntWinTokenPrivsHandleWrite(), IntWinTokenPrivsSendEptAlert(), IntWinTokenPrivsSendIntegrityAlert(), IntWinTokenPrivsShouldHook(), IntWinTokenPtrCheckIntegrityOnProcess(), IntWinTokenPtrIsStolen(), IntWinUmCacheIsExportDirRead(), IntWinUmModMustCacheExports(), IntWinVadDump(), IntWinVadFetchByRange(), IntWinVadFindNodeInGuestSpace(), IntWinVadHandleCommit(), IntWinVadHandleInsert(), IntWinVadHandleInsertMap(), IntWinVadHandleInsertPrivate(), IntWinVadHandleProtectGeneric(), IntWinVadHandleVirtualProtect(), IntWinVadIsExecSuspicious(), IntWinVadIsInTree(), IntWinVadProcImportMainModuleVad(), IntWinVadRemoveRanges(), IntWinVadRescanVad(), IntWinVadShortDump(), IsInitializationDone(), IsPeb32Write(), IsPeb64Write(), IsSse42Supported(), RbWalkInorderTree(), ShouldIgnoreInjection(), UtilIsBufferZero(), and UtilSortQwords().

◆ INTRO_SECURITY_DESCRIPTOR_SIZE

#define INTRO_SECURITY_DESCRIPTOR_SIZE   1024u

The size of the buffers in which we store the security descriptors. A security descriptor is composed of its 2 Access Control Lists (SACL/DACL) and their corresponding Access Control Entries. Below is an example of the memory map for a security descriptor dumped by winsecdesc.c. Although that descriptor is only 0x6C bytes, the buffer leaves room for processes with more ACEs.

    0x00 ///////////////////////////////
         ///   SECURITY_DESCRIPTOR   ///
    0x14 ///////////////////////////////   |
         ///       SACL Header       ///   |
         ///  AclRev=2 AclSize=0x1C  ///---+ Total SACL size 0x1C
         ///       AceCount=1        ///   |
         ///////////////////////////////   |
    0x1C ///////////////////////////////   |
         ///         ACE[0]          ///   |
         ///////////////////////////////   |
    0x30 ///////////////////////////////   |
         ///       DACL Header       ///   |
         ///  AclRev=2 AclSize=0x3C  ///---+
         ///       AceCount=2        ///   |
         ///////////////////////////////   | Total DACL size 0x3C
    0x38 ///////////////////////////////   |
         ///         ACE[0]          ///   |
         ///////////////////////////////   |
         ///////////////////////////////   |
         ///         ACE[1]          ///   |
         ///////////////////////////////   |
    0x6C

Definition at line 740 of file intro_types.h.

Referenced by IntWinDpiValidateParentAclEdit(), IntWinDpiValidateParentSecDesc(), IntWinSDCheckAclIntegrity(), IntWinSDCheckSecDescIntegrity(), IntWinSDGatherAcl(), and IntWinSDReadSecDesc().
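As an added example (not code from the HVMI project), the validator below walks a self-relative security descriptor laid out as in the memory map above and bounds every ACL header, ACE header and ACE size against the fixed-size buffer before trusting the ACE counts. The packed structure layouts follow the Windows SECURITY_DESCRIPTOR_RELATIVE, ACL and ACE_HEADER definitions; the sample descriptor and the tampered copy are constructed here to match the 0x6C-byte map.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

/* Mirrors INTRO_SECURITY_DESCRIPTOR_SIZE from intro_types.h. */
#define SD_BUFFER_SIZE 1024u

/* Self-relative SECURITY_DESCRIPTOR (0x14 bytes), ACL header (8 bytes) and
 * ACE header (4 bytes), packed exactly as Windows lays them out in memory. */
#pragma pack(push, 1)
typedef struct {
    uint8_t  Revision;
    uint8_t  Sbz1;
    uint16_t Control;
    uint32_t Owner;     /* offsets relative to the descriptor start */
    uint32_t Group;
    uint32_t Sacl;
    uint32_t Dacl;
} SD_RELATIVE;

typedef struct {
    uint8_t  AclRevision;
    uint8_t  Sbz1;
    uint16_t AclSize;   /* header plus all ACEs */
    uint16_t AceCount;
    uint16_t Sbz2;
} ACL_HEADER;

typedef struct {
    uint8_t  AceType;
    uint8_t  AceFlags;
    uint16_t AceSize;   /* header plus mask and SID */
} ACE_HEADER;
#pragma pack(pop)

typedef struct {
    uint16_t SaclAces;
    uint16_t DaclAces;
    uint32_t TotalSize; /* highest byte offset used by either ACL */
} SD_SUMMARY;

/* Walk one ACL at aclOff: the ACL header, its claimed size and every ACE it
 * advertises must lie inside the buffer, and each ACE must fit in AclSize. */
static bool WalkAcl(const uint8_t *buf, size_t len, uint32_t aclOff,
                    uint16_t *aceCountOut, uint32_t *aclEndOut)
{
    ACL_HEADER acl;
    if (aclOff > len || len - aclOff < sizeof(acl)) return false;
    memcpy(&acl, buf + aclOff, sizeof(acl));
    if (acl.AclSize < sizeof(acl) || acl.AclSize > len - aclOff) return false;

    uint32_t pos = aclOff + sizeof(acl);
    uint32_t end = aclOff + acl.AclSize;
    for (uint16_t i = 0; i < acl.AceCount; i++) {
        ACE_HEADER ace;
        if (end - pos < sizeof(ace)) return false;
        memcpy(&ace, buf + pos, sizeof(ace));
        if (ace.AceSize < sizeof(ace) || ace.AceSize > end - pos) return false;
        pos += ace.AceSize;
    }
    *aceCountOut = acl.AceCount;
    *aclEndOut = end;
    return true;
}

/* Validate a self-relative descriptor of len bytes held in a SD_BUFFER_SIZE
 * buffer. Returns false on any out-of-bounds or inconsistent field. */
bool ValidateSecDesc(const uint8_t *buf, size_t len, SD_SUMMARY *out)
{
    SD_RELATIVE sd;
    if (len > SD_BUFFER_SIZE || len < sizeof(sd)) return false;
    memcpy(&sd, buf, sizeof(sd));
    if (sd.Revision != 1) return false;   /* SECURITY_DESCRIPTOR_REVISION */

    uint32_t saclEnd = 0, daclEnd = 0;
    uint16_t saclAces = 0, daclAces = 0;
    if (sd.Sacl != 0 && !WalkAcl(buf, len, sd.Sacl, &saclAces, &saclEnd)) return false;
    if (sd.Dacl != 0 && !WalkAcl(buf, len, sd.Dacl, &daclAces, &daclEnd)) return false;
    out->SaclAces = saclAces;
    out->DaclAces = daclAces;
    out->TotalSize = saclEnd > daclEnd ? saclEnd : daclEnd;
    return true;
}

/* Constructed sample matching the memory map: SACL at 0x14 with one 0x14-byte
 * ACE (total 0x1C), DACL at 0x30 with two ACEs (total 0x3C), end at 0x6C.
 * ACE bodies are zero filler; only the headers matter to the walker. */
size_t BuildSampleSecDesc(uint8_t *buf)
{
    memset(buf, 0, SD_BUFFER_SIZE);
    SD_RELATIVE sd = { 1, 0, 0x8000 /* SE_SELF_RELATIVE */, 0, 0, 0x14, 0x30 };
    ACL_HEADER sacl = { 2, 0, 0x1C, 1, 0 };
    ACE_HEADER sace = { 0x11 /* SYSTEM_MANDATORY_LABEL */, 0, 0x14 };
    ACL_HEADER dacl = { 2, 0, 0x3C, 2, 0 };
    ACE_HEADER dace0 = { 0 /* ACCESS_ALLOWED */, 0, 0x14 };
    ACE_HEADER dace1 = { 0, 0, 0x20 };
    memcpy(buf + 0x00, &sd, sizeof(sd));
    memcpy(buf + 0x14, &sacl, sizeof(sacl));
    memcpy(buf + 0x1C, &sace, sizeof(sace));
    memcpy(buf + 0x30, &dacl, sizeof(dacl));
    memcpy(buf + 0x38, &dace0, sizeof(dace0));
    memcpy(buf + 0x4C, &dace1, sizeof(dace1));
    return 0x6C;
}

/* Runs the validator on the sample, then on a copy whose DACL AclSize claims
 * more bytes than the descriptor holds. Returns 0 when both behave correctly. */
int SelfCheck(void)
{
    uint8_t buf[SD_BUFFER_SIZE];
    SD_SUMMARY s;
    size_t len = BuildSampleSecDesc(buf);
    if (!ValidateSecDesc(buf, len, &s)) return 1;
    if (s.SaclAces != 1 || s.DaclAces != 2 || s.TotalSize != 0x6C) return 2;
    buf[0x32] = 0xFF; buf[0x33] = 0xFF;   /* DACL AclSize -> 0xFFFF */
    if (ValidateSecDesc(buf, len, &s)) return 3;
    return 0;
}
```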

◆ INTRO_SIDS_MAX_COUNT

#define INTRO_SIDS_MAX_COUNT   4

The maximum SID count included in an alert.

Definition at line 856 of file intro_types.h.

Referenced by IntWinReadToken().

◆ INTRO_VIOLATION_VERSION

#define INTRO_VIOLATION_VERSION   1

Violation header version.

Definition at line 788 of file intro_types.h.

Referenced by IntAlertFillVersionInfo().

◆ INTRO_WIN_SID_MAX_SIZE

#define INTRO_WIN_SID_MAX_SIZE   (sizeof(INTRO_WIN_SID) - sizeof(DWORD) + (INTRO_WIN_SID_MAX_SUB_AUTHORITIES * sizeof(DWORD)))

The maximum size of an INTRO_WIN_SID structure.

Definition at line 834 of file intro_types.h.

◆ INTRO_WIN_SID_MAX_SUB_AUTHORITIES

#define INTRO_WIN_SID_MAX_SUB_AUTHORITIES   15

The maximum number of sub authorities contained in a SID.

Definition at line 831 of file intro_types.h.

Referenced by IntWinReadSid().

◆ LGT_EVENT_SIZE

#define LGT_EVENT_SIZE   sizeof(AGENT_LGT_EVENT)

Log gather agent event size.

Definition at line 2251 of file intro_types.h.

Referenced by IntAgentHandleLogGatherVmcall().

◆ LGT_EVENT_VERSION

#define LGT_EVENT_VERSION   0x00010000

Log gather agent event version.

Definition at line 2249 of file intro_types.h.

Referenced by IntAgentHandleLogGatherVmcall().

◆ LGT_MAX_DATA_SIZE

#define LGT_MAX_DATA_SIZE   4096

The maximum size of a log gather tool data chunk.

Definition at line 2246 of file intro_types.h.

◆ REM_EVENT_SIZE

#define REM_EVENT_SIZE   sizeof(AGENT_REM_EVENT)

Remediation event size.

Definition at line 2152 of file intro_types.h.

Referenced by IntAgentHandleRemediationVmcall().

◆ REM_EVENT_VERSION

#define REM_EVENT_VERSION   0x00010000

Remediation event version.

Definition at line 2150 of file intro_types.h.

Referenced by IntAgentHandleRemediationVmcall().

◆ REM_MAX_DETECTION_LEN

#define REM_MAX_DETECTION_LEN   128

The maximum detection name size in bytes, including the NULL terminator.

Definition at line 2147 of file intro_types.h.

◆ REM_MAX_OBJECT_PATH_LEN

#define REM_MAX_OBJECT_PATH_LEN   512

The maximum object path size in bytes, including the NULL terminator.

Definition at line 2145 of file intro_types.h.

◆ TRUE

#define TRUE   true

Definition at line 30 of file intro_types.h.

Referenced by DbgLoadPt(), DbgLoadVe(), DbgMitigateSwapgs(), DbgProcAdd(), DbgUnloadPt(), DbgUnloadVe(), glob_match_numeric_utf8(), glob_match_utf16(), glob_match_utf8(), IntAlertCreateCbSignature(), IntAlertCreateCrException(), IntAlertCreateDtrException(), IntAlertCreateEptException(), IntAlertCreateExportSignature(), IntAlertCreateIdtSignature(), IntAlertCreateInjectionException(), IntAlertCreateIntegrityException(), IntAlertCreateModuleLoadException(), IntAlertCreateMsrException(), IntAlertCreateProcessCreationException(), IntAlertCreateProcessCreationSignature(), IntAlertFillCodeBlocks(), IntAlertFillCpuContext(), IntAlertFillDriverObject(), IntAlertFillLixKmModule(), IntAlertFillLixProcess(), IntAlertFillWinKmModule(), IntAlertFillWinProcess(), IntAlertFillWinUmModule(), IntCamiUpdateProcessProtectionInfoLix(), IntCamiUpdateProcessProtectionInfoWin(), IntCrLixHandleWrite(), IntCrSendAlert(), IntCrWinHandleWrite(), IntDbgProcessCommand(), IntDecDecodeInstruction(), IntDecDecodeInstructionAtRipWithCache(), IntDecEmulateInstruction(), IntDecEmulateRead(), IntDecGetWrittenValueFromInstruction(), IntDecSetSseRegValue(), IntDetCallCallback(), IntDetDisableLixHypercall(), IntDetDisableWinHypercall(), IntDetHandleWrite(), IntDetIsPtrInHandler(), IntDetIsPtrInRelocatedCode(), IntDetSetLixHook(), IntDispatchPtAsEpt(), IntDispatchVeAsEpt(), IntDtrHandleWrite(), IntDtrSendAlert(), IntDumpGva(), IntDumpInstruction(), IntExcept(), IntExceptDumpSignatures(), IntExceptExtendedPatternMatch(), IntExceptGetOriginatorFromModification(), IntExceptGetVictimIntegrity(), IntExceptKernel(), IntExceptKernelLogInformation(), IntExceptKernelMatchVictim(), IntExceptKernelUser(), IntExceptKernelUserLogInformation(), IntExceptKernelUserMatchArch(), IntExceptKernelUserMatchNameHash(), IntExceptKernelUserMatchObjectType(), IntExceptKernelUserMatchProcessHash(), IntExceptKernelUserMatchVictim(), IntExceptKernelUserMatchZoneFlags(), IntExceptLixKernelIsMemoryFunc(), 
IntExceptSignaturesHasType(), IntExceptUser(), IntExceptUserGetExecOriginator(), IntExceptUserHandleMemoryFunctions(), IntExceptUserLogInformation(), IntExceptUserMatchArchitecture(), IntExceptUserMatchChild(), IntExceptUserMatchNameGlob(), IntExceptUserMatchProcessGlob(), IntExceptUserMatchProcessHash(), IntExceptUserMatchSystemProcess(), IntExceptUserMatchZoneFlags(), IntExceptUserMatchZoneType(), IntExceptVerifyExportSig(), IntExceptVerifyVersionIntroSignature(), IntExceptVerifyVersionOsSignature(), IntExceptWinKernelGetOriginator(), IntFragLogCodeBlocks(), IntGetCurrentInstructionLength(), IntGetCurrentInstructionMnemonic(), IntGpaCacheAddEntry(), IntGpaCacheLookupEntry(), IntGpaCacheRelease(), IntGuestDetectOsSysCall(), IntGuestHandleCr3Write(), IntGuestInit(), IntGuestInitMemoryInfo(), IntGuestIsKptiActive(), IntGuestIsSafeToDisable(), IntGuestPrepareUninit(), IntGuestPreReturnCallback(), IntGuestUninitOnBugcheck(), IntGuestUpdateCoreOptions(), IntHandleBreakpoint(), IntHandleCowOnPage(), IntHandleCrWrite(), IntHandleDtrViolation(), IntHandleEptViolation(), IntHandleFetchRetryOnPageBoundary(), IntHandleIntroCall(), IntHandleMemAccess(), IntHandleMsrViolation(), IntHandleXcrWrite(), IntHookCrRemoveHook(), IntHookCrSetHook(), IntHookDtrRemoveHook(), IntHookGpaEnablePtCache(), IntHookGpaEnableVe(), IntHookGpaRemoveHookInternal(), IntHookGpaSetHook(), IntHookGpaSetNewPageProtection(), IntHookGvaEnableHooks(), IntHookGvaHandleSwap(), IntHookGvaRemoveHookInternal(), IntHookGvaSetHook(), IntHookMsrRemoveHook(), IntHookMsrSetHook(), IntHookObjectDestroy(), IntHookObjectDestroyAll(), IntHookObjectHookRegion(), IntHookObjectRemoveRegionInternal(), IntHookPtmAddTable(), IntHookPtmRemoveHookInternal(), IntHookPtmSetHook(), IntHookPtsCheckIntegrity(), IntHookPtsCloneCallbacks(), IntHookPtsCreateEntry(), IntHookPtsEnableEntry(), IntHookPtsInvokeCallbacks(), IntHookPtsRemoveHookInternal(), IntHookPtsRemovePteHook(), IntHookPtsSetHook(), IntHookPtsWriteCallback(), 
IntHookPtwEmulateWrite(), IntHookPtwProcessWrite(), IntHookXcrRemoveHook(), IntIcAddInstruction(), IntIcAddInvdForInstruction(), IntIcSwapHandler(), IntIcWriteHandler(), IntInjectExceptionInGuest(), IntInjectFileAgentInGuest(), IntInjectProcessAgentInGuest(), IntIntegrityCheckAll(), IntIntegrityDeleteRegion(), IntIntegrityIsOverlappedRegions(), IntKernVirtMemWrite(), IntKsymExpandSymbol(), IntKsymFindByName(), IntKsymFindIndexesTableStart(), IntKsymInit(), IntKsymInitAbsolute(), IntKsymRelativeFindOffsetTableEnd(), IntLdrLoadPEImage(), IntLixAgentCreate(), IntLixAgentDecProcRef(), IntLixAgentEnableInjection(), IntLixAgentFindInstruction(), IntLixAgentInit(), IntLixAgentNameIsRunning(), IntLixAgentStart(), IntLixApiHook(), IntLixApiHookAll(), IntLixCrashPanicHandler(), IntLixCredAnalyzeStack(), IntLixCredCheckIntegrity(), IntLixCredsVerify(), IntLixDrvActivateProtection(), IntLixDrvCreateFromAddress(), IntLixDrvCreateKernel(), IntLixDrvFindList(), IntLixDrvHandleWrite(), IntLixDrvInitVfreeHandler(), IntLixDrvIsActivePatch(), IntLixDrvSendEvent(), IntLixDrvSendViolationEvent(), IntLixDrvSystemBooting(), IntLixFileCachePathIsValid(), IntLixGetInitTask(), IntLixGuestActivateProtection(), IntLixGuestAllocateFill(), IntLixGuestDeployUninitAgent(), IntLixGuestFindKernelVersionAndRo(), IntLixGuestInit(), IntLixGuestInitAgentCompletion(), IntLixGuestInitAgentHypercall(), IntLixGuestIsKptiActive(), IntLixGuestIsSupported(), IntLixGuestParseVersion(), IntLixGuestUninitGuestCode(), IntLixHookKernelRead(), IntLixHookKernelWrite(), IntLixIdtWriteHandler(), IntLixKernelHandleRead(), IntLixMmFetchVma(), IntLixMmGetInitMm(), IntLixMmListVmas(), IntLixMmPopulateVmas(), IntLixMsrHandleWrite(), IntLixNetFileIsSocket(), IntLixNetIterateTaskConnections(), IntLixNetSendGuestConnections(), IntLixPatchHandler(), IntLixPatchSwapgs(), IntLixStackTraceGet(), IntLixTaskActivateProtection(), IntLixTaskChangeProtectionFlags(), IntLixTaskCreate(), IntLixTaskCreateFromBinprm(), 
IntLixTaskCreateInitTask(), IntLixTaskDeactivateProtection(), IntLixTaskDestroy(), IntLixTaskGuestTerminating(), IntLixTaskHandleExec(), IntLixTaskHandleVmRw(), IntLixTaskIsUserStackPivoted(), IntLixTaskPathGetByDentry(), IntLixTaskRemoveProtected(), IntLixTaskSendBlockedEvent(), IntLixVdsoHandleKernelModeWrite(), IntLixVdsoHandleUserModeWrite(), IntLixVdsoHandleWriteCommon(), IntLixVmaChangeProtection(), IntLixVmaDestroy(), IntLixVmaHandlePageExecution(), IntLixVmaProtect(), IntLogCriticalStructureCoruption(), IntMatchPatternUtf8(), IntMemClkDump(), IntMemClkHandleRead(), IntMemClkIsPtrInCloak(), IntMemClkUnInit(), IntMsrSyscallProtect(), IntMtblCheckAccess(), IntMtblInsRelocated(), IntMtblIsPtrInReloc(), IntMtblPatchInstruction(), IntNetAddrToStr(), IntNotifyGuestPowerStateChange(), IntPatternMatch(), IntPeFindExportByName(), IntPeFindExportByRva(), IntPeFindFunctionByPattern(), IntPeFindFunctionByPatternInBuffer(), IntPeFindFunctionStart(), IntPeFindFunctionStartInBuffer(), IntPeGetDirectory(), IntPeGetExportNameByRva(), IntPeGetRuntimeFunction(), IntPeGetRuntimeFunctionInBuffer(), IntPeGetSectionHeaderByRva(), IntPeGetSectionHeadersByName(), IntPeParseUnwindData(), IntPeParseUnwindDataInBuffer(), IntPeValidateHeader(), IntPeValidateOptionalHeader(), IntPhysicalMemWrite(), IntPhysicalMemWriteAnySize(), IntPolicyCoreForceBetaIfNeeded(), IntPolicyCoreIsOptionBeta(), IntPolicyCoreTakeAction(), IntPolicyProcForceBetaIfNeeded(), IntPolicyProcTakeAction(), IntPtiCompleteLoader(), IntPtiDeliverDriverForLoad(), IntPtiDeliverDriverForUnload(), IntPtiEnableFiltering(), IntPtiInjectPtFilter(), IntPtiMonitorAllPtWriteCandidates(), IntPtiRemovePtFilter(), IntReadString(), IntRtlpVirtualUnwindCheckAccess(), IntSerializeStringIsWcharAscii(), IntSerializeValidObjectSize(), IntSetValueForOperand(), IntSlackAllocWindows(), IntStackAnalyzePointer(), IntSwapgsIsPtrInHandler(), IntSwapgsStartMitigation(), IntSwapMemCancelPendingPF(), IntSwapMemInit(), IntSwapMemInjectPendingPF(), 
IntSwapMemPageSwappedIn(), IntSwapMemReadData(), IntSwapMemReinjectFailedPF(), IntThrSafeCheckThreads(), IntThrSafeIsLiveRIPInIntro(), IntThrSafeIsStackPtrInIntro(), IntThrSafeWinInspectRunningThreadOnCpu(), IntTranslateVa32Pae(), IntTranslateVa64(), IntTranslateVa64La57(), IntTranslateVirtualAddressEx(), IntUpdateAddExceptionFromAlert(), IntUpdateCreateCbSignatureFromAlert(), IntUpdateCreateExportSignatureFromAlert(), IntUpdateCreateIdtSignatureFromAlert(), IntUpdateCreateProcessCreationSignatureFromAlert(), IntUpdateIsDuplicateCbSignature(), IntUpdateIsDuplicateExportSignature(), IntUpdateIsDuplicateIdtSignature(), IntUpdateIsDuplicateKernelException(), IntUpdateIsDuplicateKernelUserException(), IntUpdateIsDuplicateUserException(), IntUpdateIsValidEntry(), IntUpdateLoadExceptions(), IntValidatePageRightsEx(), IntValidateTranslation(), IntVasInit(), IntVeCompleteLoader(), IntVeDeliverDriverForLoad(), IntVeDeployAgent(), IntVeFindKernelKvaShadowAndKernelExit(), IntVeHandleAccess(), IntVeHandleEPTViolationInProtectedView(), IntVeInit(), IntVeIsAgentRemapped(), IntVeRemoveAgent(), IntVeUpdateCacheEntry(), IntVirtMemUnmapMultiPage(), IntVirtMemWrite(), IntWinAgentCheckIfProcessAgentAndDecrement(), IntWinAgentCheckIfProcessAgentAndIncrement(), IntWinAgentEnableInjection(), IntWinAgentFindInstruction(), IntWinAgentFindPropperSyscall(), IntWinAgentFindSyscallLinkage(), IntWinAgentHandleBreakpointAgent(), IntWinAgentHandleDriverVmcall(), IntWinAgentHandleLoader1Hypercall(), IntWinAgentInit(), IntWinAgentInject(), IntWinAgentInjectBreakpoint(), IntWinAgentIsPtrInTrampoline(), IntWinAgentIsRipInsideCurrentAgent(), IntWinAgentRemove(), IntWinAgentSelectBootstrapAddress(), IntWinApiHook(), IntWinApiHookAll(), IntWinApiHookVeHandler(), IntWinBcHandleBugCheck(), IntWinCrashHandleDepViolation(), IntWinDagentCheckNativeSubsystem(), IntWinDagentCheckSuspiciousDllLoad(), IntWinDagentHandleDoubleAgent(), IntWinDagentHandleSuspModHeaders(), IntWinDagentHandleVerifierReason(), 
IntWinDagentIsInitialDll(), IntWinDepInjectProcess(), IntWinDpiIsDpiWhiteListed(), IntWinDpiSendProcessCreationViolation(), IntWinDpiValidateHeapSpray(), IntWinDpiValidateParentAclEdit(), IntWinDpiValidateParentProcessToken(), IntWinDpiValidateParentSecDesc(), IntWinDpiValidatePivotedStack(), IntWinDpiValidateThreadStart(), IntWinDpiValidateTokenPrivs(), IntWinDrvCreateFromAddress(), IntWinDrvHandleRead(), IntWinDrvHandleWrite(), IntWinDrvHeadersInMemory(), IntWinDrvIsListHead(), IntWinDrvObjHandleModification(), IntWinDrvObjHandleWrite(), IntWinDrvObjIsValidDriverObject(), IntWinDrvObjProtect(), IntWinDrvObjProtectFastIoDispatch(), IntWinDrvObjRemoveFromAddress(), IntWinDrvObjSendEptAlert(), IntWinDrvProtect(), IntWinDrvSendAlert(), IntWinGetProcCmdLineHandleBufferInMemory(), IntWinGuestActivateProtection(), IntWinGuestFindBuildNumber(), IntWinGuestFindDriversNamespace(), IntWinGuestFindDriversNamespaceNoBuffer(), IntWinGuestFindIdleCr3(), IntWinGuestFindKernel(), IntWinGuestFindKernelCr3(), IntWinGuestFindSelfMapIndex(), IntWinGuestFinishInit(), IntWinGuestInit(), IntWinGuestIsSupported(), IntWinGuestIsSystemCr3(), IntWinGuestKernelHeadersInMemory(), IntWinGuestNew(), IntWinGuestReadKernel(), IntWinGuestValidateKernel(), IntWinHalHandleHalHeapExec(), IntWinHalHandleHalIntCtrlWrite(), IntWinHalHandlePerfCounterModification(), IntWinHalIsHalPerf(), IntWinHalIsIntController(), IntWinHalProtectHalDispatchTable(), IntWinHalProtectHalPerfCounter(), IntWinHalReadHal(), IntWinHalSendAlert(), IntWinIdtHandleModification(), IntWinIdtProtectOnCpuIntegrity(), IntWinIdtWriteHandler(), IntWinInfHookEptSppHandleWrite(), IntWinInfHookEptSppSendAlert(), IntWinInfHookGetCircularCtxLogger(), IntWinInfHookGetEtwpDebuggerData(), IntWinInfHookIntegrityHandleWrite(), IntWinInfHookProtect(), IntWinInfHookSiloWmiPtrIntegrityCallback(), IntWinIntObjHandleArrayModification(), IntWinIntObjProtect(), IntWinIsUmTrapFrame(), IntWinModBlockHandleExecution(), 
IntWinModBlockRegisterCallbackForReason(), IntWinModCacheFixNamePointers(), IntWinModCheckSpecialCases(), IntWinModFillDriverInjectionData(), IntWinModFillProcessInjectionData(), IntWinModHandleExportsInMemory(), IntWinModHandleKernelWrite(), IntWinModHandleLoadFromVad(), IntWinModHandleMainModuleInMemory(), IntWinModHandleModulePathInMemory(), IntWinModHandleUserWrite(), IntWinModHookModule(), IntWinModIsKernelWriteInjection(), IntWinModIsProtected(), IntWinModPolyHandler(), IntWinModulesChangeProtectionFlags(), IntWinModWriteValidHandler(), IntWinMsrHandleWrite(), IntWinMsrSendAlert(), IntWinNetFillTcpStruct(), IntWinNetFindTcpBitmap(), IntWinNetFindTcpPartition(), IntWinNetGetPortsAndState(), IntWinNetGetTcpEndpoint(), IntWinNetGetTcpListener(), IntWinObjCheckDrvDirSearchState(), IntWinObjHandleDriverDirectoryEntryInMemory(), IntWinObjHandleRootDirTagInMemory(), IntWinObjIsRootSearchOver(), IntWinObjIsTypeObject(), IntWinPfnHandleTranslationChange(), IntWinPfnLockAddress(), IntWinPfnLockGpa(), IntWinPfnModifyRefCount(), IntWinPfnMoveLock(), IntWinPfnUnInit(), IntWinPowHandleHibernateEvent(), IntWinPreProcessException(), IntWinProcAdd(), IntWinProcChangeProtectionFlags(), IntWinProcCreateProcessObject(), IntWinProcDeleteProcessObject(), IntWinProcEnforceProcessDep(), IntWinProcExistsProtectedProcess(), IntWinProcHandleCopyMemory(), IntWinProcHandleCreateInternal(), IntWinProcHandleInstrument(), IntWinProcHandleReadFromLsass(), IntWinProcIsEnoughHeapAvailable(), IntWinProcIsFullPath(), IntWinProcLockCr3(), IntWinProcMarkAsSystemProcess(), IntWinProcSendAllDllEventsForSubsystem(), IntWinProcSendDllEvent(), IntWinProcSendProcessEvent(), IntWinProcSwapIn(), IntWinProcSwapOut(), IntWinProcUninit(), IntWinProcUpdateProtectedProcess(), IntWinProcUpdateProtection(), IntWinReadToken(), IntWinSDCheckAclIntegrity(), IntWinSDCheckSecDescIntegrity(), IntWinSDDumpSecDesc(), IntWinSDFetchSecDescValues(), IntWinSDIsAceInsideAcl(), IntWinSDIsAceInsideBuffer(), 
IntWinSDIsAclEdited(), IntWinSDIsSecDescPtrAltered(), IntWinSelfMapHandleCr3SelfMapWrite(), IntWinStackHandleUserStackPagedOut(), IntWinStackTraceGet32(), IntWinStackTraceGet64(), IntWinStackTraceGetUser(), IntWinStackTraceGetUser32(), IntWinStackUserCheckIsPivoted(), IntWinStackUserTrapFrameGet64(), IntWinStackWow64CheckIsPivoted(), IntWinSudCheckIntegrity(), IntWinSudFetchFieldCurrentValue(), IntWinSudHandleFieldModification(), IntWinSudHandleKernelSudExec(), IntWinSudHandleUserSudExec(), IntWinSudProtectIntegrity(), IntWinSudSendSudExecAlert(), IntWinThrHandleQueueApc(), IntWinThrHandleThreadHijack(), IntWinTokenCheckCurrentPrivileges(), IntWinTokenFetchTokenAddress(), IntWinTokenPrivsCheckIntegrityOnProcess(), IntWinTokenPrivsHandleWrite(), IntWinTokenPrivsProtectOnProcess(), IntWinTokenPrivsSendEptAlert(), IntWinTokenPrivsShouldHook(), IntWinTokenPtrIsStolen(), IntWinUmCheckInitializationInjection(), IntWinUmModMustCacheExports(), IntWinVadCreateObject(), IntWinVadDump(), IntWinVadFetchByRange(), IntWinVadFindNodeInGuestSpace(), IntWinVadHandleInsertGeneric(), IntWinVadHandlePageExecution(), IntWinVadHandleProtectGeneric(), IntWinVadIsExecSuspicious(), IntWinVadIsInTree(), IntWinVadProcImportMainModuleVad(), IntWinVadRemoveRanges(), IntWinVadStaticInsertNodeIntoProcess(), IsInitializationDone(), IsPeb32Write(), IsPeb64Write(), IsSse42Supported(), ShouldIgnoreInjection(), and UtilSortQwords().

◆ VICTIM_CIRCULAR_KERNEL_CTX_LOGGER

#define VICTIM_CIRCULAR_KERNEL_CTX_LOGGER   u"Circular Kernel Context Logger"

Printable name used for introObjectTypeKmLoggerContext objects.

Definition at line 751 of file intro_types.h.

Referenced by IntWinInfHookIntegritySendAlert().

◆ VICTIM_DRIVER_OBJECT

#define VICTIM_DRIVER_OBJECT   u"Driver Object"

Printable name used for introObjectTypeDriverObject objects.

Definition at line 745 of file intro_types.h.

Referenced by IntWinDrvObjSendIntegrityAlert().

◆ VICTIM_HAL_DISPATCH_TABLE

#define VICTIM_HAL_DISPATCH_TABLE   u"HalDispatchTable"

Printable name used for introObjectTypeHalDispatchTable objects.

Definition at line 747 of file intro_types.h.

Referenced by IntWinHalHandleDispatchTableWrite().

◆ VICTIM_HAL_PERFORMANCE_COUNTER

#define VICTIM_HAL_PERFORMANCE_COUNTER   u"HalPerformanceCounter"

Printable name used for introObjectTypeHalPerfCounter objects.

Definition at line 757 of file intro_types.h.

Referenced by IntWinHalSendPerfCntIntegrityAlert().

◆ VICTIM_IDT

#define VICTIM_IDT   u"IDT"

Printable name used for introObjectTypeIdt.

Definition at line 749 of file intro_types.h.

Referenced by IntWinIdtSendIntegrityAlert().

◆ VICTIM_INTERRUPT_OBJECT

#define VICTIM_INTERRUPT_OBJECT   u"Interrupt Object"

Printable name used for introObjectTypeInterruptObject.

Definition at line 763 of file intro_types.h.

Referenced by IntWinIntObjSendIntegrityAlert().

◆ VICTIM_PROCESS_ACL

#define VICTIM_PROCESS_ACL   u"Access Control List"

Printable name used for introObjectTypeAcl objects.

Definition at line 761 of file intro_types.h.

Referenced by IntWinSDSendAclIntegrityViolation().

◆ VICTIM_PROCESS_CREDENTIALS

#define VICTIM_PROCESS_CREDENTIALS   u"Process Credentials"

Printable name used for introObjectTypeCreds objects.

Definition at line 743 of file intro_types.h.

Referenced by IntLixTaskSendCredViolationEvent().

◆ VICTIM_PROCESS_SECURITY_DESCRIPTOR

#define VICTIM_PROCESS_SECURITY_DESCRIPTOR   u"Security Descriptor"

Printable name used for introObjectTypeSecDesc objects.

Definition at line 759 of file intro_types.h.

Referenced by IntWinSDSendSecDescIntViolation().

◆ VICTIM_PROCESS_TOKEN

#define VICTIM_PROCESS_TOKEN   u"Process Token"

Printable name used for introObjectTypeTokenPtr objects.

Definition at line 753 of file intro_types.h.

Referenced by IntWinTokenPtrCheckIntegrityOnProcess().

◆ VICTIM_TOKEN_PRIVILEGES

#define VICTIM_TOKEN_PRIVILEGES   u"Token privileges"

Printable name used for introObjectTypeTokenPrivs objects.

Definition at line 755 of file intro_types.h.

Referenced by IntWinTokenPrivsSendIntegrityAlert().

Typedef Documentation

◆ AGENT_LGT_EVENT

Describes an event sent by the log gathering tool.

These will contain raw log lines.

◆ AGENT_LGT_EVENT_HEADER

Common header for all log gather tool events.

Events of this type are sent when the log gathering tool has been injected and started inside the guest and it is executing intro calls (VMCALLs), reporting back to Introcore.

◆ AGENT_REM_EVENT

A remediation tool event.

Events of this type are sent when the remediation tool has been injected and started inside the guest and it is executing intro calls (VMCALLs), reporting back to Introcore.

◆ AGENT_REM_EVENT_HEADER

Common header for all remediation tool events.

◆ BOOLEAN

typedef _Bool BOOLEAN

Definition at line 58 of file intro_types.h.

◆ BYTE

typedef uint8_t BYTE

Definition at line 47 of file intro_types.h.

◆ CHAR

typedef char CHAR

Definition at line 56 of file intro_types.h.

◆ DWORD

typedef uint32_t DWORD

Definition at line 49 of file intro_types.h.

◆ ENG_NOTIFICATION_CMD_LINE

Command line notification for scan engines.

◆ ENG_NOTIFICATION_CODE_EXEC

Execution notification for scan engines.

◆ ENG_NOTIFICATION_HEADER

Notification header for scan engines alerts.

◆ EVENT_AGENT_EVENT

Event structure for agent injection and termination.

◆ EVENT_CONNECTION_EVENT

Event structure for connections.

Available only if Introcore received the INTRO_OPT_EVENT_CONNECTIONS activation flag. If a process is protected with the PROC_OPT_PROT_EXPLOIT flag and an exploit attempt is detected, one event of this type is sent for every connection the process has open at the time the exploit alert is sent.

◆ EVENT_CR_VIOLATION

Event structure for CR violation.

◆ EVENT_CRASH_EVENT

Event structure for guest OS crashes.

◆ EVENT_DTR_VIOLATION

Event structure for GDTR/IDTR descriptor tables modifications.

◆ EVENT_ENGINES_DETECTION_VIOLATION

Event structure for detections provided by additional scan engines.

◆ EVENT_EPT_VIOLATION

Event structure for EPT violations.

This event can describe multiple memory access violations: read, write, and execute.

◆ EVENT_EXCEPTION_EVENT

Event structure for process exceptions.

This is usually sent when a hardware exception is triggered during the runtime of a user mode process.

◆ EVENT_INTEGRITY_VIOLATION

Event structure for integrity violations on monitored structures.

These events are triggered by the integrity check mechanism, which is invoked on the timer event, so Introcore may not always be able to block them. For the same reason the information needed for the alert may no longer be present in the guest memory when Introcore detects the violation.

◆ EVENT_INTROSPECTION_MESSAGE

Event structure for plain data/message passing.

◆ EVENT_MEMCOPY_VIOLATION

Memory access violations that cross a process boundary.

Represents an attempt to write or read the memory of another process, or to hijack the execution flow of

◆ EVENT_MODULE_EVENT

Event structure for module loading and unloading.

User mode events are sent only when an alert is sent for a process, due to performance concerns. Sending one event for each user mode module load and unload when it happens may severely impact the guest.

◆ EVENT_MODULE_LOAD_VIOLATION

Event structure for suspicious module load into processes.

◆ EVENT_MSR_VIOLATION

Event structure for MSR violation.

◆ EVENT_PROCESS_CREATION_VIOLATION

Event structure for process creation violation events.

◆ EVENT_PROCESS_EVENT

Event structure for process creation/termination.

This is an informational event, not an alert.

◆ EVENT_TRANSLATION_VIOLATION

Event structure for illegal paging-structures modifications.

◆ EVENT_XCR_VIOLATION

Event structure for XCR violation.

◆ GUEST_INFO

typedef struct _GUEST_INFO GUEST_INFO

Guest information.

◆ INT16

typedef int16_t INT16

Definition at line 43 of file intro_types.h.

◆ INT32

typedef int32_t INT32

Definition at line 44 of file intro_types.h.

◆ INT64

typedef long long INT64

Definition at line 45 of file intro_types.h.

◆ INT8

typedef int8_t INT8

Definition at line 42 of file intro_types.h.

◆ INT_VERSION_INFO

Introspection version info.

◆ INTRO_ACL

typedef struct _INTRO_ACL INTRO_ACL

Windows process access control list (SACL/DACL)

◆ INTRO_ACTION

Event actions.

Priority of the action increases as its value increases (introGuestAllowed has the lowest priority, while introGuestRetry has the highest priority).

◆ INTRO_ACTION_REASON

The reason for which an INTRO_ACTION was taken.

◆ INTRO_ALERT_EXCEPTION_HEADER

The common header used by exception information.

This is used internally by Introcore in order to facilitate the add-exception-from-alert mechanism used by GLUE_IFACE.AddExceptionFromAlert.

◆ INTRO_CODEBLOCKS

Holds code block patterns information.

This is used by the exception mechanism as a signature for the code that generated an alert. These are extracted from the memory area around the instruction that generated an alert. Since certain operations that fill the fields in this structure may fail, the Valid field should be checked before using any information present in the structure.

◆ INTRO_CPUCTX

typedef struct _INTRO_CPUCTX INTRO_CPUCTX

Holds the CPU context for an event.

Since certain operations that fill the fields in this structure may fail, the Valid field should be checked before using any information present in the structure.

◆ INTRO_DPI_EXTRA_INFO

Structure for keeping the relevant DPI violation information.

◆ INTRO_DRVOBJ

typedef struct _INTRO_DRVOBJ INTRO_DRVOBJ

Describes a driver object.

Since certain operations that fill the fields in this structure may fail, the Valid field should be checked before using any information present in the structure. This is available only for Windows guests.

◆ INTRO_ENG_NOTIF_TYPE

Scan engine alert types.

◆ INTRO_ERROR_CONTEXT

The context of an error state.

This is optionally supplied to GLUE_IFACE.NotifyIntrospectionErrorState calls for certain error classes.

◆ INTRO_EVENT_TYPE

Event classes.

◆ INTRO_EXEC_CONTEXT

Holds the context in which an execution attempt was detected.

◆ INTRO_EXEC_DATA

Holds the data related to an execution attempt.

◆ INTRO_EXEC_INFO

Holds information about an execution attempt.

◆ INTRO_GPRS

typedef struct _INTRO_GPRS INTRO_GPRS

Holds register state information.

◆ INTRO_MODULE

typedef struct _INTRO_MODULE INTRO_MODULE

Describes a user-mode or kernel-mode module.

Since certain operations that fill the fields in this structure may fail, the Valid field should be checked before using any information present in the structure.

◆ INTRO_NET_AF

Address family.

◆ INTRO_NET_STATE

Connection states.

◆ INTRO_OBJECT_TYPE

The type of the object protected by an EPT hook.

◆ INTRO_PROCESS

typedef struct _INTRO_PROCESS INTRO_PROCESS

Describes a guest process.

Since certain operations that fill the fields in this structure may fail, the Valid field should be checked before using any information present in the structure.

◆ INTRO_READ_INFO

Holds information about a memory read attempt.

◆ INTRO_SEC_DESC_INFO

Holds information about a security descriptor write attempt.

◆ INTRO_SID_ATTRIBUTES

Windows SID attributes.

◆ INTRO_TOKEN

typedef union _INTRO_TOKEN INTRO_TOKEN

Contains privileges and security identifiers information.

◆ INTRO_TOKEN_PRIVILEGES

Windows process token privileges.

Each field is a bitmap.

◆ INTRO_VERSION_INFO

Holds version information for Introcore and the currently loaded exceptions and CAMI files.

◆ INTRO_VIOLATION_HEADER

Common violation header.

◆ INTRO_WIN_SID

◆ INTRO_WIN_TOKEN

A Windows token structure as reported by Introcore alerts.

◆ INTRO_WRITE_INFO

Holds information about a memory write attempt.

◆ MEMCOPY_VIOLATION_TYPE

The type of a memory copy violation.

◆ MITRE_ID

typedef enum _MITRE_ID MITRE_ID

MITRE ATT&CK techniques.

This is the MITRE ATT&CK technique ID, as defined at https://attack.mitre.org/techniques/enterprise/

◆ PAGENT_LGT_EVENT

◆ PAGENT_LGT_EVENT_HEADER

◆ PAGENT_REM_EVENT

◆ PAGENT_REM_EVENT_HEADER

◆ PBYTE

typedef uint8_t * PBYTE

Definition at line 47 of file intro_types.h.

◆ PCHAR

typedef char * PCHAR

Definition at line 56 of file intro_types.h.

◆ PDWORD

typedef uint32_t * PDWORD

Definition at line 49 of file intro_types.h.

◆ PENG_NOTIFICATION_CMD_LINE

◆ PENG_NOTIFICATION_CODE_EXEC

◆ PENG_NOTIFICATION_HEADER

◆ PEVENT_AGENT_EVENT

◆ PEVENT_CONNECTION_EVENT

◆ PEVENT_CR_VIOLATION

◆ PEVENT_CRASH_EVENT

◆ PEVENT_DTR_VIOLATION

◆ PEVENT_ENGINES_DETECTION_VIOLATION

◆ PEVENT_EPT_VIOLATION

◆ PEVENT_EXCEPTION_EVENT

◆ PEVENT_INTEGRITY_VIOLATION

◆ PEVENT_INTROSPECTION_MESSAGE

◆ PEVENT_MEMCOPY_VIOLATION

◆ PEVENT_MODULE_EVENT

◆ PEVENT_MODULE_LOAD_VIOLATION

◆ PEVENT_MSR_VIOLATION

◆ PEVENT_PROCESS_CREATION_VIOLATION

◆ PEVENT_PROCESS_EVENT

◆ PEVENT_TRANSLATION_VIOLATION

◆ PEVENT_XCR_VIOLATION

◆ PGUEST_INFO

typedef struct _GUEST_INFO * PGUEST_INFO

◆ PINT16

typedef int16_t * PINT16

Definition at line 43 of file intro_types.h.

◆ PINT32

typedef int32_t * PINT32

Definition at line 44 of file intro_types.h.

◆ PINT64

typedef long long * PINT64

Definition at line 45 of file intro_types.h.

◆ PINT8

typedef int8_t * PINT8

Definition at line 42 of file intro_types.h.

◆ PINT_VERSION_INFO

◆ PINTRO_ACL

typedef struct _INTRO_ACL * PINTRO_ACL

◆ PINTRO_CODEBLOCKS

◆ PINTRO_CPUCTX

typedef struct _INTRO_CPUCTX * PINTRO_CPUCTX

◆ PINTRO_DPI_EXTRA_INFO

◆ PINTRO_DRVOBJ

typedef struct _INTRO_DRVOBJ * PINTRO_DRVOBJ

◆ PINTRO_ERROR_CONTEXT

◆ PINTRO_EXEC_CONTEXT

◆ PINTRO_EXEC_DATA

◆ PINTRO_EXEC_INFO

◆ PINTRO_GPRS

typedef struct _INTRO_GPRS * PINTRO_GPRS

◆ PINTRO_MODULE

typedef struct _INTRO_MODULE * PINTRO_MODULE

◆ PINTRO_PROCESS

typedef struct _INTRO_PROCESS * PINTRO_PROCESS

◆ PINTRO_READ_INFO

◆ PINTRO_SEC_DESC_INFO

◆ PINTRO_SID_ATTRIBUTES

◆ PINTRO_TOKEN

typedef union _INTRO_TOKEN * PINTRO_TOKEN

◆ PINTRO_TOKEN_PRIVILEGES

◆ PINTRO_VERSION_INFO

◆ PINTRO_VIOLATION_HEADER

◆ PINTRO_WIN_SID

typedef struct _INTRO_WIN_SID * PINTRO_WIN_SID

◆ PINTRO_WIN_TOKEN

◆ PINTRO_WRITE_INFO

◆ PQWORD

typedef unsigned long long * PQWORD

Definition at line 53 of file intro_types.h.

◆ PUCHAR

typedef unsigned char * PUCHAR

Definition at line 55 of file intro_types.h.

◆ PUINT16

typedef uint16_t * PUINT16

Definition at line 38 of file intro_types.h.

◆ PUINT32

typedef uint32_t * PUINT32

Definition at line 39 of file intro_types.h.

◆ PUINT64

typedef unsigned long long * PUINT64

Definition at line 40 of file intro_types.h.

◆ PUINT8

typedef uint8_t * PUINT8

Definition at line 37 of file intro_types.h.

◆ PWCHAR

typedef uint16_t * PWCHAR

Definition at line 63 of file intro_types.h.

◆ PWORD

typedef uint16_t * PWORD

Definition at line 48 of file intro_types.h.

◆ QWORD

typedef unsigned long long QWORD

Definition at line 53 of file intro_types.h.

◆ SIZE_T

typedef size_t SIZE_T

Definition at line 60 of file intro_types.h.

◆ TRANS_VIOLATION_TYPE

Translation violation types.

◆ UCHAR

typedef unsigned char UCHAR

Definition at line 55 of file intro_types.h.

◆ UINT16

typedef uint16_t UINT16

Definition at line 38 of file intro_types.h.

◆ UINT32

typedef uint32_t UINT32

Definition at line 39 of file intro_types.h.

◆ UINT64

typedef unsigned long long UINT64

Definition at line 40 of file intro_types.h.

◆ UINT8

typedef uint8_t UINT8

Definition at line 37 of file intro_types.h.

◆ WCHAR

typedef uint16_t WCHAR

Definition at line 63 of file intro_types.h.

◆ WORD

typedef uint16_t WORD

Definition at line 48 of file intro_types.h.

Enumeration Type Documentation

◆ _INTRO_ACTION

Event actions.

Priority of the action increases as its value increases (introGuestAllowed has the lowest priority, while introGuestRetry has the highest priority).

Enumerator
introGuestAllowed 

The guest was allowed to perform the operation leading to the event. The guest used the real values (the guest state was modified).

introGuestAllowedVirtual 

The guest was allowed to perform the operation leading to the event, but the operation was performed using virtual values, i.e. shadow values maintained by the hypervisor.

introGuestAllowedPatched 

The guest is allowed to perform the desired action, but with artificially supplied data.

For example, when concealing something inside the guest memory.

introGuestNotAllowed 

The guest was not allowed to perform the operation leading to the event (the operation was skipped by the host; the guest state was not modified).

For example, modifying the LSTAR MSR is not allowed.

introGuestIgnore 

The action was ignored and allowed.

introGuestRetry 

Retry the execution of the very same instruction.

This is used when the violated GVA gets swapped out. In that case, we will simply retry execution of the instruction until the page is swapped in again.

Definition at line 145 of file intro_types.h.

◆ _INTRO_ACTION_REASON

The reason for which an INTRO_ACTION was taken.

Enumerator
introReasonAllowed 

The action was not allowed because there was no reason to allow it.

introReasonAllowedFeedback 

The action was allowed, but it has the BETA flag (Introcore is in log-only mode).

introReasonSignatureNotMatched 

The action was blocked because no exception signature matched.

introReasonNoException 

The action was blocked because there was no exception for it.

introReasonExtraChecksFailed 

The exception (and the signature, where applicable) matched, but the extra checks failed.

introReasonExceptionsNotLoaded 

The exception file was not loaded (there are no exceptions).

introReasonInternalError 

An internal error occurred (no memory, pages not present, etc.).

introReasonValueCodeNotMatched 

A valid exception was found, but the action was blocked because the value code signature did not match the one from the exception.

introReasonValueNotMatched 

A valid exception was found, but the action was blocked because the value signature did not match the one from the exception.

introReasonExportNotMatched 

A valid exception was found, but the action was blocked because the modified export did not match the one from the exception.

introReasonIdtNotMatched 

A valid exception was found, but the action was blocked because the modified IDT entry did not match the one from the exception.

introReasonVersionOsNotMatched 

A valid exception was found, but the action was blocked because the OS version did not match the one from the exception.

introReasonVersionIntroNotMatched 

A valid exception was found, but the action was blocked because the Introcore version did not match the one from the exception.

introReasonProcessCreationNotMatched 

A valid exception was found, but the action was blocked because the process-creation flags did not match the ones from the exception.

introReasonSameValue 

The action was allowed because the OldValue is the same as the NewValue (in the WriteInfo structure) - caused by events such as calls to ProbeForWrite.

introReasonUnknown 

Not a valid reason.

Must always be the last value defined.  

Definition at line 180 of file intro_types.h.
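The two enumerations above, INTRO_ACTION and INTRO_ACTION_REASON, are documented as a priority ordering: when several checks each produce a verdict for the same guest operation, the verdict with the highest enumerator value wins, and the reason code records why. The following C example, added here and not Introcore's own code, reconstructs both enumerations in the order the documentation lists them (the explicit numeric values are an assumption consistent with "priority increases as value increases") and shows a merge of several per-check verdicts plus the log-only (BETA) downgrade described by introReasonAllowedFeedback. The VERDICT type and the MergeVerdicts, VerdictBlocksGuest and ApplyBetaMode helpers are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Reconstructed from the documented enumerator order; the numeric values
 * are an assumption made for this example (priority grows with the value). */
typedef enum _INTRO_ACTION {
    introGuestAllowed = 0,      /* operation ran on the real guest state      */
    introGuestAllowedVirtual,   /* ran against hypervisor-maintained shadows  */
    introGuestAllowedPatched,   /* ran with artificially supplied data        */
    introGuestNotAllowed,       /* operation skipped, guest state unchanged   */
    introGuestIgnore,           /* ignored and allowed                        */
    introGuestRetry,            /* re-execute the instruction (GVA swapped out) */
} INTRO_ACTION;

/* Subset of the documented reasons, in documented order (values assumed). */
typedef enum _INTRO_ACTION_REASON {
    introReasonAllowed = 0,
    introReasonAllowedFeedback, /* allowed only because of the BETA (log-only) flag */
    introReasonSignatureNotMatched,
    introReasonNoException,
    introReasonExtraChecksFailed,
    introReasonExceptionsNotLoaded,
    introReasonInternalError,
    introReasonSameValue,
    introReasonUnknown,         /* must stay last */
} INTRO_ACTION_REASON;

/* Constructed pair type: an action together with the reason it was taken. */
typedef struct _VERDICT {
    INTRO_ACTION        Action;
    INTRO_ACTION_REASON Reason;
} VERDICT;

/* Merge several verdicts for one guest operation: the highest-priority action
 * (largest enumerator value) wins and carries its own reason along. With no
 * verdicts at all the operation is simply allowed. */
static VERDICT MergeVerdicts(const VERDICT *Verdicts, size_t Count)
{
    VERDICT result = { introGuestAllowed, introReasonAllowed };

    for (size_t i = 0; i < Count; i++) {
        if (Verdicts[i].Action > result.Action) {
            result = Verdicts[i];
        }
    }

    return result;
}

/* Only introGuestNotAllowed leaves the guest state untouched; every other
 * action lets the operation complete in some form. */
static bool VerdictBlocksGuest(VERDICT Verdict)
{
    return Verdict.Action == introGuestNotAllowed;
}

/* Log-only mode as the documentation describes introReasonAllowedFeedback:
 * a block verdict is downgraded to "allowed" while the reason records that
 * the BETA flag, not a matching exception, is what let the operation through.
 * The policy wiring (where the beta flag comes from) is assumed. */
static VERDICT ApplyBetaMode(VERDICT Verdict, bool BetaFlagSet)
{
    if (BetaFlagSet && Verdict.Action == introGuestNotAllowed) {
        Verdict.Action = introGuestAllowed;
        Verdict.Reason = introReasonAllowedFeedback;
    }

    return Verdict;
}

int main(void)
{
    /* Constructed sample: three checks on one write, one of them blocking. */
    const VERDICT checks[] = {
        { introGuestAllowed,        introReasonAllowed     },
        { introGuestNotAllowed,     introReasonNoException },
        { introGuestAllowedVirtual, introReasonAllowed     },
    };

    VERDICT merged = MergeVerdicts(checks, sizeof(checks) / sizeof(checks[0]));
    printf("enforcing: action=%d reason=%d blocks=%d\n",
           merged.Action, merged.Reason, VerdictBlocksGuest(merged));

    VERDICT beta = ApplyBetaMode(merged, true);
    printf("log-only:  action=%d reason=%d blocks=%d\n",
           beta.Action, beta.Reason, VerdictBlocksGuest(beta));

    return 0;
}
```

The merge is deliberately a pure function of the enumerator values, so adding a new action keeps the documented invariant only if it is inserted at the right place in the ordering; introGuestRetry must stay last because it has to override every other verdict when the faulting page is not present.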

◆ _INTRO_ENG_NOTIFICATION_TYPE

Scan engine alert types.

Enumerator
introEngineNotificationCodeExecution 

Execution attempt result.

The result is of type ENG_NOTIFICATION_CODE_EXEC.

introEngineNotificationCmdLine 

Command line scan results.

The result is of type ENG_NOTIFICATION_CMD_LINE.

Definition at line 126 of file intro_types.h.

◆ _INTRO_EVENT_TYPE

Event classes.

Enumerator
introEventEptViolation 

Sent when an EPT violation triggers an alert. See EVENT_EPT_VIOLATION.

introEventMsrViolation 

Sent when an MSR violation triggers an alert. See EVENT_MSR_VIOLATION.

introEventCrViolation 

Sent when a CR violation triggers an alert. See EVENT_CR_VIOLATION.

introEventXcrViolation 

Sent when an XCR violation triggers an alert. See EVENT_XCR_VIOLATION.

introEventIntegrityViolation 

Sent for integrity violation alerts. See EVENT_INTEGRITY_VIOLATION.

introEventTranslationViolation 

Sent for virtual address translation alerts. See EVENT_TRANSLATION_VIOLATION.

introEventInjectionViolation 

Sent for code/data injection alerts. See EVENT_MEMCOPY_VIOLATION.

introEventDtrViolation 

Sent when a DTR violation triggers an alert. See EVENT_DTR_VIOLATION.

introEventMessage 

Plain text message sent from Introcore to the integrator. See EVENT_INTROSPECTION_MESSAGE.

introEventProcessEvent 

Informational event sent when a process is created or terminated by the guest. See EVENT_PROCESS_EVENT.

introEventAgentEvent 

Informational event sent when the remediation tool is injected or terminated. See EVENT_AGENT_EVENT.

introEventModuleEvent 

Informational event sent when a kernel module is loaded or when a module is loaded inside a protected process. See EVENT_MODULE_EVENT.

introEventCrashEvent 

Informational event sent when the guest crashes. See EVENT_CRASH_EVENT.

introEventExceptionEvent 

Informational event sent when a hardware exception is triggered by a guest process. See EVENT_EXCEPTION_EVENT.

introEventConnectionEvent 

Informational event containing the connections opened by a process. See EVENT_CONNECTION_EVENT.

introEventProcessCreationViolation 

Sent for unauthorized process creation alerts. See EVENT_PROCESS_CREATION_VIOLATION.

introEventModuleLoadViolation 

Sent for suspicious module load alerts. See EVENT_MODULE_LOAD_VIOLATION.

introEventEnginesDetectionViolation 

Sent for third-party engine detections. See EVENT_ENGINES_DETECTION_VIOLATION.

Definition at line 81 of file intro_types.h.

◆ _INTRO_NET_AF

Address family.

Enumerator
introNetAfIpv4 

IPv4.

introNetAfIpv6 

IPv6.

introNetAfUnknown 

Unknown.

Definition at line 298 of file intro_types.h.

◆ _INTRO_NET_STATE

Connection states.

Enumerator
introNetStateEstablished 
introNetStateSynSent 
introNetStateSynRecv 
introNetStateFinWait 
introNetStateFinWait2 
introNetStateTimeWait 
introNetStateClosed 
introNetStateCloseWait 
introNetStateLastAck 
introNetStateListening 
introNetStateClosing 
introNetStateNewSynRecv 

Available only on Linux.

introNetStateDeleteTcb 

Available only on Windows.

introNetStateUnknown 

Definition at line 310 of file intro_types.h.

◆ _INTRO_OBJECT_TYPE

The type of the object protected by an EPT hook.

Enumerator
introObjectTypeRaw 

Raw hook.

introObjectTypeInternal 

Internal kernel structures - they don't generate alerts.

introObjectTypeSsdt 

SSDT (Windows only).

introObjectTypeFastIoDispatch 

Fast IO Dispatch (Windows only).

introObjectTypeDriverObject 

Driver object.

introObjectTypeKmModule 

Kernel module (ntoskrnl.exe, hal.dll, etc.).

introObjectTypeIdt 

IDT.

introObjectTypeGdt 

GDT.

introObjectTypeKmUnpack 

Kernel unpacker.

introObjectTypeProcess 

User process.

introObjectTypeUmInternal 

Internal user-mode structure.

introObjectTypeUmUnpack 

User-mode unpacker.

introObjectTypeUmHeap 

User-mode heap.

introObjectTypeUmStack 

User-mode stack.

introObjectTypeUmGenericNxZone 

User-mode non executable zone.

introObjectTypeUmModule 

User-mode library.

introObjectTypeDetourRead 

Hooked page against PG reads.

introObjectTypeTokenPtr 

Access Token pointer.

introObjectTypeCreds 

Access 'struct creds' fields.

introObjectTypeHalDispatchTable 

Hal dispatch table.

introObjectTypeHalIntController 

Hal interrupt controller.

introObjectTypeSelfMapEntry 

Self mapping index in PDBR.

introObjectTypeHalHeap 

Hal heap.

introObjectTypeVdso 

Virtual dynamic shared object (user-mode, Linux-only).

introObjectTypeVsyscall 

Virtual SYSCALL (user-mode, Linux-only).

introObjectTypeExTable 

Exception Table (Linux-only).

introObjectTypeVeAgent 

The Virtualization exception agent injected inside the guest.

introObjectTypeIdtr 

IDTR.

introObjectTypeGdtr 

GDTR.

introObjectTypeProcessCreation 

Process creation violation.

introObjectTypeExecSuspiciousDll 

Execution inside a suspiciously loaded DLL.

introObjectTypeKmLoggerContext 

Infinity hook modifications of WMI_LOGGER_CONTEXT.GetCpuClock.

introObjectTypeProcessCreationDpi 

Process creation violation triggered by a DPI heuristic.

introObjectTypeTokenPrivs 

Token privileges.

introObjectTypeSudExec 

Executions inside the SharedUserData region.

introObjectTypeHalPerfCounter 

Write protection over HalPerformanceCounter.

introObjectTypeHookedFunction 

The function is already hooked.

introObjectTypeSlackSpace 

The slack space is not 0-filled/NOP-filled.

introObjectTypeSecDesc 

Process security descriptor pointer.

introObjectTypeAcl 

Process ACL (SACL/DACL) was modified.

introObjectTypeSudIntegrity 

Integrity protection of SharedUserData region.

introObjectTypeInterruptObject 

An interrupt object from KPRCB.

introObjectTypeTest 

Definition at line 231 of file intro_types.h.

◆ _MEMCOPY_VIOLATION_TYPE

The type of a memory copy violation.

Enumerator
memCopyViolationWrite 

This is a classic code injection attempt that simply modifies the memory of the victim process.

memCopyViolationRead 

This represents a read done from another process.

memCopyViolationSetContextThread 

This represents an attempt of modifying the context of another thread.

memCopyViolationQueueApcThread 

This represents an attempt to queue an APC into the victim process.

memCopyViolationInstrument 

This represents an attempt to set an instrumentation callback inside the victim process.

Definition at line 1408 of file intro_types.h.

◆ _MITRE_ID

enum _MITRE_ID

MITRE ATT&CK techniques.

This is the MITRE ATT&CK technique ID, as defined at https://attack.mitre.org/techniques/enterprise/

Enumerator
idCredDump 

Credential Dumping.

idRootkit 

Rootkit.

idSoftwarePacking 

Software Packing.

idProcInject 

Process Injection.

idScripting 

Scripting.

idExploitPrivEsc 

Exploitation for Privilege Escalation.

idPowerShell 

PowerShell.

idProcHollowing 

Process Hollowing.

idExecApi 

Execution through API call.

idExecModLoad 

Execution through module load.

idAccessToken 

Access Token Manipulation.

idHooking 

Hooking.

idEWMI 

Extra Window Memory Injection.

idProcDoppelganging 

Process Doppelganging.

idExploitClientExec 

Exploitation for Client Execution.

idTrustedDevUtil 

Trusted Developer Utilities.

idExploitRemote 

Exploitation of Remote Services.

idKernModExt 

Kernel Modules and Extensions.

Definition at line 1141 of file intro_types.h.

◆ _TRANS_VIOLATION_TYPE

Translation violation types.

Enumerator
transViolationPageHash 

After a page was swapped in, its hash no longer matches the one it had when it was swapped out.

transViolationProcessCr3 

The CR3 of a process was changed.

transViolationSelfMap 

The self-map entry inside a root page-table changed.

transViolationWatchdog 

A translation was modified without us intercepting it. This points to a bug in Introcore.

transViolationVeAgent 

A translation inside the #VE agent was changed.

Definition at line 1526 of file intro_types.h.

◆ AGENT_EVENT_TYPE

The state of an agent.

Enumerator
agentInjected 

The agent has been successfully injected.

agentInitialized 

The agent has been initialized.

agentStarted 

The agent process started execution.

agentTerminated 

The agent process finished execution.

agentMessage 

The agent sent a message.

agentError 

The agent or the process stub reports an error.

agentInvalid 

Invalid.

Definition at line 2097 of file intro_types.h.

◆ AGENT_LGT_EVENT_TYPE

Log gather tool events.

Enumerator
lgtEventNone 

No event.

lgtEventError 

Error event.

lgtEventData 

Data gather event.

Definition at line 2238 of file intro_types.h.

◆ AGENT_REM_EVENT_TYPE

Remediation tool event types.

Enumerator
remEventNone 

No event.

remEventStart 

Start event.

remEventDetection 

Detection event.

remEventDisinfection 

Disinfection event.

remEventProgress 

Progress report event.

remEventReboot 

Reboot event.

remEventFinish 

Stop event.

Definition at line 2133 of file intro_types.h.

◆ INTRO_DEP_AG_TAGS

Deployable agent tags.

Enumerator
INTRO_AGENT_TAG_DUMMY_TOOL 

Dummy agent used to demo the feature.

INTRO_AGENT_TAG_REMEDIATION_TOOL 

The remediation tool agent.

INTRO_AGENT_TAG_VISIBILITY_TOOL 

The visibility tool used to extract information from inside the guest.

INTRO_AGENT_TAG_REMEDIATION_TOOL_LINUX 

The Linux version of the remediation tool.

INTRO_AGENT_TAG_LOG_GATHER_TOOL 

The log gathering agent.

INTRO_AGENT_TAG_AGENT_KILLER_TOOL 

The process killer agent.

INTRO_AGENT_TAG_VE_DRIVER 

The virtualization exception driver.

INTRO_AGENT_TAG_PT_DRIVER 

The page table filtering agent.

INTRO_AGENT_TAG_CUSTOM_TOOL 

A custom tool.

Definition at line 2312 of file intro_types.h.

◆ INTRO_EPT_ACCESS_TYPE

EPT access types.

Enumerator
INTRO_EPT_NONE 

No access.

INTRO_EPT_READ 

Read access.

INTRO_EPT_WRITE 

Write access.

INTRO_EPT_EXECUTE 

Execute access.

Definition at line 768 of file intro_types.h.

◆ INTRO_ERROR_STATE

Error states.

These are reported by GLUE_IFACE.NotifyIntrospectionErrorState.

Enumerator
intErrNone 

Success.

intErrGuestNotIdentified 

The SYSCALL/SYSENTER code pattern was not recognized.

intErrGuestNotSupported 

The operating system version is not supported.

intErrGuestKernelNotFound 

The kernel image was not found.

intErrGuestApiNotFound 

A critical API function was not found inside the guest kernel.

intErrGuestExportNotFound 

A kernel export was not found.

intErrGuestStructureNotFound 

A critical structure was not found inside the guest kernel.

intErrUpdateFileNotSupported 

The version of the provided CAMI file is not supported.

intErrProcNotProtectedNoMemory 

The process was not protected because there is not enough memory available.

intErrProcNotProtectedInternalError 

The process was not protected due to an internal error.

Definition at line 2433 of file intro_types.h.

◆ INTRO_GUEST_TYPE

The type of the introspected operating system.

Enumerator
introGuestUnknown 

Unknown.

introGuestWindows 

Windows.

introGuestLinux 

Linux.

Definition at line 2040 of file intro_types.h.

◆ INTRO_MSR_ACCESS_TYPE

MSR access types.

Enumerator
INTRO_MSR_READ 

Read access.

INTRO_MSR_WRITE 

Write access.

Definition at line 780 of file intro_types.h.

◆ INTRO_PC_VIOLATION_TYPE

Process creation violation flags.

Enumerator
INT_PC_VIOLATION_NORMAL_PROCESS_CREATION 

Process creation violation without any DPI heuristic being triggered.

INT_PC_VIOLATION_DPI_DEBUG_FLAG 

The parent of a process tried to obtain debug privileges over the child.

INT_PC_VIOLATION_DPI_PIVOTED_STACK 

The parent of a process had a pivoted stack when it created the child.

INT_PC_VIOLATION_DPI_STOLEN_TOKEN 

The parent of a process had a stolen access token when it created the child.

INT_PC_VIOLATION_DPI_HEAP_SPRAY 

The creation of a process was attempted while the parent had its heap sprayed.

INT_PC_VIOLATION_DPI_TOKEN_PRIVS 

The creation of a process was attempted with token privileges altered in a malicious way.

INT_PC_VIOLATION_DPI_THREAD_START 

The thread which created the process has started execution on some suspicious code.

INT_PC_VIOLATION_DPI_SEC_DESC 

The parent of a process has an altered security descriptor pointer.

INT_PC_VIOLATION_DPI_ACL_EDIT 

The parent of a process has an altered access control entry (inside SACL or DACL).

Definition at line 1651 of file intro_types.h.