Bitdefender Hypervisor Memory Introspection
Exposes the types and constants used by various Introcore APIs defined in glueiface.h. More...
#include "env.h"
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include "intro_sal.h"
Data Structures | |
struct | _INTRO_TOKEN_PRIVILEGES |
Windows process token privileges. More... | |
struct | _INTRO_ACL |
Windows process access control list (SACL/DACL) More... | |
struct | _INTRO_WIN_SID |
A security identifier. More... | |
struct | _INTRO_SID_ATTRIBUTES |
Windows SID attributes. More... | |
struct | _INTRO_WIN_TOKEN |
A Windows token structure as reported by Introcore alerts. More... | |
union | _INTRO_TOKEN |
Contains privileges and security identifiers information. More... | |
struct | _INTRO_PROCESS |
Describes a guest process. More... | |
struct | _INTRO_MODULE |
Describes a user-mode or kernel-mode module. More... | |
struct | _INTRO_DRVOBJ |
Describes a driver object. More... | |
struct | _INTRO_CPUCTX |
Holds the CPU context for an event. More... | |
struct | _INTRO_WRITE_INFO |
Holds information about a memory write attempt. More... | |
struct | _INTRO_READ_INFO |
Holds information about a memory read attempt. More... | |
struct | _INTRO_EXEC_INFO |
Holds information about an execution attempt. More... | |
struct | _INTRO_SEC_DESC_INFO |
Holds information about a security descriptor write attempt. More... | |
struct | _INTRO_CODEBLOCKS |
Holds code block patterns information. More... | |
struct | _INTRO_CODEBLOCKS::_INTRO_CODE_BLOCK |
Array of actual code block patterns. More... | |
struct | _INTRO_VERSION_INFO |
Holds version information for Introcore and the currently loaded exceptions and CAMI files. More... | |
struct | _INTRO_GPRS |
Holds register state information. More... | |
struct | _INTRO_EXEC_CONTEXT |
Holds the context in which an execution attempt was detected. More... | |
struct | _INTRO_EXEC_DATA |
Holds the data related to an execution attempt. More... | |
struct | _INTRO_ALERT_EXCEPTION_HEADER |
The common header used by exception information. More... | |
struct | _INTRO_VIOLATION_HEADER |
Common violation header. More... | |
struct | _EVENT_EPT_VIOLATION |
Event structure for EPT violations. More... | |
struct | _EVENT_MSR_VIOLATION |
Event structure for MSR violation. More... | |
struct | _EVENT_CR_VIOLATION |
Event structure for CR violation. More... | |
struct | _EVENT_XCR_VIOLATION |
Event structure for XCR violation. More... | |
struct | _EVENT_MEMCOPY_VIOLATION |
Memory access violations that cross a process boundary. More... | |
struct | _EVENT_TRANSLATION_VIOLATION |
Event structure for illegal paging-structures modifications. More... | |
struct | _EVENT_INTEGRITY_VIOLATION |
Event structure for integrity violations on monitored structures. More... | |
struct | _EVENT_DTR_VIOLATION |
Event structure for GDTR/IDTR descriptor tables modifications. More... | |
union | _INTRO_DPI_EXTRA_INFO |
Structure for keeping the relevant DPI violation information. More... | |
struct | _EVENT_PROCESS_CREATION_VIOLATION |
Event structure for process creation violation events. More... | |
struct | _EVENT_MODULE_LOAD_VIOLATION |
Event structure for suspicious module load into processes. More... | |
struct | _EVENT_ENGINES_DETECTION_VIOLATION |
Event structure for detections provided by additional scan engines. More... | |
struct | _EVENT_INTROSPECTION_MESSAGE |
Event structure for plain data/message passing. More... | |
struct | _EVENT_PROCESS_EVENT |
Event structure for process creation/termination. More... | |
struct | _EVENT_MODULE_EVENT |
Event structure for module loading and unloading. More... | |
struct | _EVENT_CRASH_EVENT |
Event structure for guest OS crashes. More... | |
struct | _EVENT_EXCEPTION_EVENT |
Event structure for process exceptions. More... | |
struct | _EVENT_CONNECTION_EVENT |
Event structure for connections. More... | |
struct | _ENG_NOTIFICATION_HEADER |
Notification header for scan engines alerts. More... | |
struct | _ENG_NOTIFICATION_CODE_EXEC |
Execution notification for scan engines. More... | |
struct | _ENG_NOTIFICATION_CMD_LINE |
Command line notification for scan engines. More... | |
struct | _AGENT_REM_EVENT_HEADER |
Common header for all remediation tool events. More... | |
struct | _AGENT_REM_EVENT |
A remediation tool event. More... | |
struct | _AGENT_LGT_EVENT_HEADER |
Common header for all log gather tool events. More... | |
struct | _AGENT_LGT_EVENT |
Describes an event sent by the log gathering tool. More... | |
struct | _EVENT_AGENT_EVENT |
Event structure for agent injection and termination. More... | |
struct | _GUEST_INFO |
Guest information. More... | |
union | _INT_VERSION_INFO |
Introspection version info. More... | |
union | _INTRO_ERROR_CONTEXT |
The context of an error state. More... | |
Macros | |
#define | TRUE true |
#define | FALSE false |
#define | PROC_OPT_NONE 0x00000000 |
No protection policy. The process is not protected. More... | |
#define | PROC_OPT_PROT_CORE_HOOKS 0x00000004 |
Blocks hooks being set on core user-mode DLLs. More... | |
#define | PROC_OPT_PROT_UNPACK 0x00000008 |
Identifies unpacking/decryption attempts in the main executable. More... | |
#define | PROC_OPT_PROT_WRITE_MEM 0x00000010 |
Blocks foreign write inside the target process. More... | |
#define | PROC_OPT_PROT_WSOCK_HOOKS 0x00000020 |
Blocks hooks being set on Wininet user-mode DLLs (Windows only). More... | |
#define | PROC_OPT_PROT_EXPLOIT 0x00000040 |
Blocks malicious execution attempts. More... | |
#define | PROC_OPT_PROT_SET_THREAD_CTX 0x00000080 |
Blocks thread hijacking attempts inside the target process (Windows only). More... | |
#define | PROC_OPT_PROT_PTRACE 0x00000080 |
Blocks thread hijacking attempts inside the target process (Linux only). More... | |
#define | PROC_OPT_PROT_QUEUE_APC 0x00000100 |
Blocks APC queuing inside the target process (Windows only). More... | |
#define | PROC_OPT_PROT_PREVENT_CHILD_CREATION 0x00000200 |
Prevent the process from creating child processes (other than instances of itself). More... | |
#define | PROC_OPT_PROT_DOUBLE_AGENT 0x00000400 |
Blocks double agent attacks (malicious DLL loading) (Windows only). More... | |
#define | PROC_OPT_PROT_SCAN_CMD_LINE 0x00000800 |
Uses third party engines to scan the command line of a process. More... | |
#define | PROC_OPT_PROT_INSTRUMENT 0x00001000 |
Blocks foreign processes from setting instrumentation callbacks inside the target process (Windows only). More... | |
#define | PROC_OPT_REMEDIATE 0x20000000 |
Any event inside the process will trigger the injection of the remediation tool. More... | |
#define | PROC_OPT_KILL_ON_EXPLOIT 0x40000000 |
#define | PROC_OPT_BETA 0x80000000 |
Process is monitored, but in log-only mode so no actions will be blocked. More... | |
#define | PROC_OPT_PROT_INJECTION |
Aggregates all the flags that will generate introEventInjectionViolation events. More... | |
#define | PROC_OPT_PROT_ALL |
Aggregates all the process protection flags. More... | |
#define | INTRO_OPT_PROT_KM_NT 0x0000000000000001ull |
Enable kernel image protection (Windows only). More... | |
#define | INTRO_OPT_PROT_KM_LX 0x0000000000000001ull |
Enable kernel image protection (Linux only). More... | |
#define | INTRO_OPT_PROT_KM_HAL 0x0000000000000002ull |
Enable HAL protection (Windows only). More... | |
#define | INTRO_OPT_PROT_KM_SSDT 0x0000000000000004ull |
Enable SSDT protection (Windows only). More... | |
#define | INTRO_OPT_PROT_KM_IDT 0x0000000000000008ull |
#define | INTRO_OPT_PROT_KM_HAL_DISP_TABLE 0x0000000000000010ull |
Enable HDT (Hal Dispatch Table) protection (Windows only). More... | |
#define | INTRO_OPT_PROT_KM_SYSTEM_CR3 0x0000000000000020ull |
Enable System process PDBR protection. More... | |
#define | INTRO_OPT_PROT_KM_TOKEN_PTR 0x0000000000000040ull |
Enable process token protection (Windows only). More... | |
#define | INTRO_OPT_PROT_KM_CREDS 0x0000000000000040ull |
#define | INTRO_OPT_PROT_KM_NT_DRIVERS 0x0000000000000080ull |
Enable core NT drivers protection (Windows only). More... | |
#define | INTRO_OPT_PROT_KM_LX_MODULES 0x0000000000000080ull |
Enable Linux kernel modules protection (Linux only). More... | |
#define | INTRO_OPT_PROT_KM_AV_DRIVERS 0x0000000000000100ull |
Enable AV drivers protection (Windows only). More... | |
#define | INTRO_OPT_PROT_KM_XEN_DRIVERS 0x0000000000000200ull |
#define | INTRO_OPT_PROT_KM_DRVOBJ 0x0000000000000400ull |
Enable driver object & fast I/O dispatch protection. More... | |
#define | INTRO_OPT_PROT_KM_CR4 0x0000000000000800ull |
Enable CR4.SMEP and CR4.SMAP protection. More... | |
#define | INTRO_OPT_PROT_KM_MSR_SYSCALL 0x0000000000001000ull |
#define | INTRO_OPT_PROT_KM_IDTR 0x0000000000002000ull |
Enable interrupt descriptor-table registers protection. More... | |
#define | INTRO_OPT_PROT_KM_HAL_HEAP_EXEC 0x0000000000004000ull |
Enable execution prevention on the Hal Heap when it is not ASLR'd (Windows only). More... | |
#define | INTRO_OPT_PROT_KM_HAL_INT_CTRL 0x0000000000008000ull |
Enable Hal Interrupt Controller write protection. More... | |
#define | INTRO_OPT_PROT_UM_MISC_PROCS 0x0000000000010000ull |
#define | INTRO_OPT_PROT_UM_SYS_PROCS 0x0000000000020000ull |
Enable user-mode system processes protection (injection only). More... | |
#define | INTRO_OPT_PROT_KM_SELF_MAP_ENTRY 0x0000000000040000ull |
#define | INTRO_OPT_PROT_KM_GDTR 0x0000000000080000ull |
Enable global descriptor-table registers protection. More... | |
#define | INTRO_OPT_EVENT_PROCESSES 0x0000000000100000ull |
Enable process creation and termination events (generates introEventProcessEvent events). More... | |
#define | INTRO_OPT_EVENT_MODULES 0x0000000000200000ull |
Enable user mode and kernel mode module load and unload events (generates introEventModuleEvent events). More... | |
#define | INTRO_OPT_EVENT_OS_CRASH 0x0000000000400000ull |
Enable OS crash events (generates introEventCrashEvent events). More... | |
#define | INTRO_OPT_EVENT_PROCESS_CRASH 0x0000000000800000ull |
Enable application crash events (generates introEventExceptionEvent). More... | |
#define | INTRO_OPT_AGENT_INJECTION 0x0000000001000000ull |
Enable agent injections. More... | |
#define | INTRO_OPT_FULL_PATH 0x0000000002000000ull |
Enable full-path protection of processes. More... | |
#define | INTRO_OPT_KM_BETA_DETECTIONS 0x0000000004000000ull |
#define | INTRO_OPT_NOTIFY_ENGINES 0x0000000008000000ull |
Send suspicious pages to be scanned by third party scan engines. More... | |
#define | INTRO_OPT_IN_GUEST_PT_FILTER 0x0000000010000000ull |
Enable in-guest page-table filtering (64-bit Windows only). More... | |
#define | INTRO_OPT_BUGCHECK_CLEANUP 0x0000000020000000ull |
Enable memory cleanup after an OS crash (Windows). More... | |
#define | INTRO_OPT_PANIC_CLEANUP 0x0000000020000000ull |
Enable memory cleanup after an OS crash (Linux). More... | |
#define | INTRO_OPT_SYSPROC_BETA_DETECTIONS 0x0000000040000000ull |
Enable system processes beta (log only) detection. More... | |
#define | INTRO_OPT_VE 0x0000000080000000ull |
Enable the Virtualization exception page table access pre-filtering agent (64-bit Windows only). More... | |
#define | INTRO_OPT_EVENT_CONNECTIONS 0x0000000100000000ull |
Enable connection events. More... | |
#define | INTRO_OPT_PROT_KM_LOGGER_CONTEXT 0x0000000200000000ull |
Enable protection on WMI_LOGGER_CONTEXT.GetCpuClock used by InfinityHook (Windows only). More... | |
#define | INTRO_OPT_PROT_DPI_DEBUG 0x0000000400000000ull |
Enable process creation protection for child processes created with debug flag. More... | |
#define | INTRO_OPT_PROT_DPI_STACK_PIVOT 0x0000000800000000ull |
Enable process creation protection for pivoted stack. More... | |
#define | INTRO_OPT_PROT_DPI_TOKEN_STEAL 0x0000001000000000ull |
Enable process creation protection for stolen token. More... | |
#define | INTRO_OPT_PROT_DPI_HEAP_SPRAY 0x0000002000000000ull |
Enable process creation protection for heap sprayed parent. More... | |
#define | INTRO_OPT_PROT_KM_NT_EAT_READS 0x0000004000000000ull |
Enable kernel EAT read protection (Windows only). More... | |
#define | INTRO_OPT_PROT_KM_LX_TEXT_READS 0x0000008000000000ull |
Enable kernel '_text' section read protection (Linux only). More... | |
#define | INTRO_OPT_PROT_KM_VDSO 0x0000010000000000ull |
Enable vDSO image protection (Linux only). More... | |
#define | INTRO_OPT_PROT_KM_SWAPGS 0x0000020000000000ull |
Enable SWAPGS (CVE-2019-1125) mitigation. More... | |
#define | INTRO_OPT_PROT_KM_TOKEN_PRIVS 0x0000040000000000ull |
Enable protection over Token Privileges bitmaps. More... | |
#define | INTRO_OPT_PROT_DPI_TOKEN_PRIVS 0x0000080000000000ull |
Enable process creation protection for parent which has violated Token privileges constraints. More... | |
#define | INTRO_OPT_PROT_DPI_THREAD_SHELL 0x0000100000000000ull |
Examines the code where the current thread started execution when the current thread creates a process. More... | |
#define | INTRO_OPT_PROT_KM_SUD_EXEC 0x0000200000000000ull |
Enable protection against executions on SharedUserData. More... | |
#define | INTRO_OPT_PROT_KM_HAL_PERF_CNT 0x0000400000000000ull |
Enable protection over HalPerformanceCounter's function pointer, which is called inside KeQueryPerformanceCounter. More... | |
#define | INTRO_OPT_PROT_KM_SD_ACL 0x0000800000000000ull |
Enable integrity protection over the Security Descriptor pointer and the 2 ACLs (SACL/DACL). More... | |
#define | INTRO_OPT_PROT_DPI_SD_ACL 0x0001000000000000ull |
Enable detection of Security Descriptor pointer modifications and ACL modifications on process creation. More... | |
#define | INTRO_OPT_PROT_KM_SUD_INTEGRITY 0x0002000000000000ull |
Enable integrity checks over various SharedUserData fields, as well as the zero-filled zone after the SharedUserData structure. More... | |
#define | INTRO_OPT_PROT_KM_INTERRUPT_OBJ 0x0004000000000000ull |
Enable protection against modifications of interrupt objects from KPRCB's InterruptObject. More... | |
#define | INTRO_OPT_PROT_DPI |
Aggregates all the deep process inspection flags. More... | |
#define | INTRO_OPT_ENABLE_KM_PROTECTION |
Aggregates all the kernel mode protection flags. More... | |
#define | INTRO_OPT_ENABLE_UM_PROTECTION |
Aggregates all the user mode protection flags. More... | |
#define | INTRO_OPT_ENABLE_AV_PROTECTION (INTRO_OPT_PROT_KM_AV_DRIVERS) |
Aggregates all the AV protection flags. More... | |
#define | INTRO_OPT_ENABLE_CR_PROTECTION (INTRO_OPT_PROT_KM_CR4) |
Aggregates all the control register protection flags. More... | |
#define | INTRO_OPT_ENABLE_MSR_PROTECTION (INTRO_OPT_PROT_KM_MSR_SYSCALL) |
Aggregates all the MSR protection flags. More... | |
#define | INTRO_OPT_ENABLE_INTEGRITY_CHECKS |
Aggregates all the integrity protection flags. More... | |
#define | INTRO_OPT_ENABLE_DTR_PROTECTION |
Aggregates all the descriptor table register protection flags. More... | |
#define | INTRO_OPT_ENABLE_KM_BETA_DETECTIONS (INTRO_OPT_KM_BETA_DETECTIONS) |
Aggregates all the kernel log-only detection flags. More... | |
#define | INTRO_OPT_ENABLE_FULL_PATH (INTRO_OPT_FULL_PATH) |
Aggregates all the full path protection flags. More... | |
#define | INTRO_OPT_ENABLE_XEN_PROTECTION (INTRO_OPT_PROT_KM_XEN_DRIVERS) |
Aggregates all the XEN-related protection flags. More... | |
#define | INTRO_OPT_ENABLE_MANUAL_AGENT_INJ (INTRO_OPT_AGENT_INJECTION) |
Aggregates all the agent injection flags. More... | |
#define | INTRO_OPT_ENABLE_MISC_EVENTS |
Aggregates all the miscellaneous protection flags. More... | |
#define | INTRO_OPT_DYNAMIC_OPTIONS_MASK (0xffffffffffffffff) |
All the flags that can be modified without unloading Introcore. More... | |
#define | INTRO_OPT_DEFAULT_OPTIONS |
Aggregates all the default options. More... | |
#define | INTRO_OPT_DEFAULT_XEN_OPTIONS |
Aggregates all the default XEN options. More... | |
#define | INTRO_OPT_ONLY_KERNEL |
Aggregates all the kernel-only protection and activation flags. More... | |
#define | POLICY_KM_BETA_FLAGS |
Aggregates all the flags that are affected by the INTRO_OPT_ENABLE_KM_BETA_DETECTIONS flag. More... | |
#define | ALERT_FLAG_BETA 0x0000000000000001 |
If set, the alert is a BETA alert. No action was taken. More... | |
#define | ALERT_FLAG_ANTIVIRUS 0x0000000000000002 |
If set, the alert is on an anti-virus object. More... | |
#define | ALERT_FLAG_SYSPROC 0x0000000000000004 |
If set, the alert is on a system process. More... | |
#define | ALERT_FLAG_NOT_RING0 0x0000000000000008 |
If set, the alert was triggered in ring 1, 2 or 3. More... | |
#define | ALERT_FLAG_ASYNC 0x0000000000000010 |
If set, the alert was generated asynchronously. More... | |
#define | ALERT_FLAG_LINUX 0x0000000000000020 |
#define | ALERT_FLAG_FROM_ENGINES 0x0000000000000040 |
If set, the alert was generated due to a third party scan engines detection. More... | |
#define | ALERT_FLAG_FEEDBACK_ONLY 0x0000000000000080 |
If set, the alert is a feedback only alert. More... | |
#define | ALERT_FLAG_DEP_VIOLATION 0x0000000000000100 |
If set, the alert was generated by a DEP violation. More... | |
#define | ALERT_FLAG_PROTECTED_VIEW 0x0000000000000200 |
#define | ALERT_FLAG_KM_UM 0x0000000000000400 |
If set, the alert was generated by a kernel to user mode violation. More... | |
#define | ALERT_PATH_MAX_LEN 260u |
The maximum size of a path inside an alert structure. More... | |
#define | ALERT_IMAGE_NAME_LEN 16u |
#define | ALERT_MAX_MESSAGE_SIZE 256u |
The maximum size of an Introcore message inside EVENT_INTROSPECTION_MESSAGE. More... | |
#define | ALERT_MAX_INSTRUX_LEN 128u |
#define | ALERT_MAX_SECTION_NAME_LEN 8u |
The maximum size of an executable section name inside an alert structure. More... | |
#define | ALERT_MAX_FUNCTIONS 4u |
The maximum number of functions included in an alert structure. More... | |
#define | ALERT_MAX_FUNCTION_NAME_LEN 32u |
The maximum size of a function name inside an alert structure. More... | |
#define | ALERT_MAX_INJ_DUMP_SIZE 512u |
The maximum size of an injection buffer inside an alert structure. More... | |
#define | ALERT_MAX_CODEBLOCKS 64u |
The maximum number of code blocks included in an alert structure. More... | |
#define | ALERT_CMDLINE_MAX_LEN 512u |
The maximum size of a command line included in an alert structure. More... | |
#define | ALERT_EXCEPTION_SIZE 255u |
#define | ALERT_MAX_DETECTION_NAME 128u |
The maximum size of a detection name as given by a third party scan engine. More... | |
#define | ALERT_MAX_ENGINES_VERSION 32u |
The maximum size of the third party scan engines version. More... | |
#define | INTRO_SECURITY_DESCRIPTOR_SIZE 1024u |
The size of the buffers in which the security descriptors are stored. A security descriptor is composed of its 2 Access Control Lists (SACL/DACL) and their corresponding Access Control Entries. An example of the memory map for a security descriptor dumped in winsecdesc.c is given in the detailed description. Although that descriptor is only 0x6C bytes, room is left for processes with more ACEs. More... | |
#define | VICTIM_PROCESS_CREDENTIALS u"Process Credentials" |
Printable name used for introObjectTypeCreds objects. More... | |
#define | VICTIM_DRIVER_OBJECT u"Driver Object" |
Printable name used for introObjectTypeDriverObject objects. More... | |
#define | VICTIM_HAL_DISPATCH_TABLE u"HalDispatchTable" |
Printable name used for introObjectTypeHalDispatchTable objects. More... | |
#define | VICTIM_IDT u"IDT" |
Printable name used for introObjectTypeIdt. More... | |
#define | VICTIM_CIRCULAR_KERNEL_CTX_LOGGER u"Circular Kernel Context Logger" |
Printable name used for introObjectTypeKmLoggerContext objects. More... | |
#define | VICTIM_PROCESS_TOKEN u"Process Token" |
Printable name used for introObjectTypeTokenPtr objects. More... | |
#define | VICTIM_TOKEN_PRIVILEGES u"Token privileges" |
Printable name used for introObjectTypeTokenPrivs objects. More... | |
#define | VICTIM_HAL_PERFORMANCE_COUNTER u"HalPerformanceCounter" |
Printable name used for introObjectTypeHalPerfCounter objects. More... | |
#define | VICTIM_PROCESS_SECURITY_DESCRIPTOR u"Security Descriptor" |
Printable name used for introObjectTypeSecDesc objects. More... | |
#define | VICTIM_PROCESS_ACL u"Access Control List" |
Printable name used for introObjectTypeAcl objects. More... | |
#define | VICTIM_INTERRUPT_OBJECT u"Interrupt Object" |
Printable name used for introObjectTypeInterruptObject. More... | |
#define | INTRO_VIOLATION_VERSION 1 |
Violation header version. More... | |
#define | INTRO_WIN_SID_MAX_SUB_AUTHORITIES 15 |
The maximum number of sub authorities contained in a SID. More... | |
#define | INTRO_WIN_SID_MAX_SIZE (sizeof(INTRO_WIN_SID) - sizeof(DWORD) + (INTRO_WIN_SID_MAX_SUB_AUTHORITIES * sizeof(DWORD))) |
The maximum size of a INTRO_WIN_SID structure. More... | |
#define | INTRO_SIDS_MAX_COUNT 4 |
The maximum SID count included in an alert. More... | |
#define | AGENT_HCALL_REM_TOOL 100 |
Used by the remediation tool. More... | |
#define | AGENT_HCALL_GATHER_TOOL 500 |
Log gathering tool. More... | |
#define | AGENT_HCALL_KILLER_TOOL 600 |
Agent killer tool. More... | |
#define | AGENT_HCALL_INTERNAL 753200 |
Reserved for internal use. More... | |
#define | REM_MAX_OBJECT_PATH_LEN 512 |
The maximum object path size in bytes, including the NULL terminator. More... | |
#define | REM_MAX_DETECTION_LEN 128 |
The maximum detection name size in bytes, including the NULL terminator. More... | |
#define | REM_EVENT_VERSION 0x00010000 |
Remediation event version. More... | |
#define | REM_EVENT_SIZE sizeof(AGENT_REM_EVENT) |
Remediation event size. More... | |
#define | LGT_MAX_DATA_SIZE 4096 |
The maximum size of a log gather tool data chunk. More... | |
#define | LGT_EVENT_VERSION 0x00010000 |
Log gather agent event version. More... | |
#define | LGT_EVENT_SIZE sizeof(AGENT_LGT_EVENT) |
Log gather agent event size. More... | |
Typedefs | |
typedef uint8_t | UINT8 |
typedef uint8_t * | PUINT8 |
typedef uint16_t | UINT16 |
typedef uint16_t * | PUINT16 |
typedef uint32_t | UINT32 |
typedef uint32_t * | PUINT32 |
typedef unsigned long long | UINT64 |
typedef unsigned long long * | PUINT64 |
typedef int8_t | INT8 |
typedef int8_t * | PINT8 |
typedef int16_t | INT16 |
typedef int16_t * | PINT16 |
typedef int32_t | INT32 |
typedef int32_t * | PINT32 |
typedef long long | INT64 |
typedef long long * | PINT64 |
typedef uint8_t | BYTE |
typedef uint8_t * | PBYTE |
typedef uint16_t | WORD |
typedef uint16_t * | PWORD |
typedef uint32_t | DWORD |
typedef uint32_t * | PDWORD |
typedef unsigned long long | QWORD |
typedef unsigned long long * | PQWORD |
typedef unsigned char | UCHAR |
typedef unsigned char * | PUCHAR |
typedef char | CHAR |
typedef char * | PCHAR |
typedef _Bool | BOOLEAN |
typedef size_t | SIZE_T |
typedef uint16_t | WCHAR |
typedef uint16_t * | PWCHAR |
typedef enum _INTRO_EVENT_TYPE | INTRO_EVENT_TYPE |
Event classes. More... | |
typedef enum _INTRO_ENG_NOTIFICATION_TYPE | INTRO_ENG_NOTIF_TYPE |
Scan engine alert types. More... | |
typedef enum _INTRO_ACTION | INTRO_ACTION |
Event actions. More... | |
typedef enum _INTRO_ACTION_REASON | INTRO_ACTION_REASON |
The reason for which an INTRO_ACTION was taken. More... | |
typedef enum _INTRO_OBJECT_TYPE | INTRO_OBJECT_TYPE |
The type of the object protected by an EPT hook. More... | |
typedef enum _INTRO_NET_AF | INTRO_NET_AF |
Address family. More... | |
typedef enum _INTRO_NET_STATE | INTRO_NET_STATE |
Connection states. More... | |
typedef struct _INTRO_TOKEN_PRIVILEGES | INTRO_TOKEN_PRIVILEGES |
Windows process token privileges. More... | |
typedef struct _INTRO_TOKEN_PRIVILEGES * | PINTRO_TOKEN_PRIVILEGES |
typedef struct _INTRO_ACL | INTRO_ACL |
Windows process access control list (SACL/DACL) More... | |
typedef struct _INTRO_ACL * | PINTRO_ACL |
typedef struct _INTRO_WIN_SID | INTRO_WIN_SID |
A security identifier. More... | |
typedef struct _INTRO_WIN_SID * | PINTRO_WIN_SID |
typedef struct _INTRO_SID_ATTRIBUTES | INTRO_SID_ATTRIBUTES |
Windows SID attributes. More... | |
typedef struct _INTRO_SID_ATTRIBUTES * | PINTRO_SID_ATTRIBUTES |
typedef struct _INTRO_WIN_TOKEN | INTRO_WIN_TOKEN |
A Windows token structure as reported by Introcore alerts. More... | |
typedef struct _INTRO_WIN_TOKEN * | PINTRO_WIN_TOKEN |
typedef union _INTRO_TOKEN | INTRO_TOKEN |
Contains privileges and security identifiers information. More... | |
typedef union _INTRO_TOKEN * | PINTRO_TOKEN |
typedef struct _INTRO_PROCESS | INTRO_PROCESS |
Describes a guest process. More... | |
typedef struct _INTRO_PROCESS * | PINTRO_PROCESS |
typedef struct _INTRO_MODULE | INTRO_MODULE |
Describes a user-mode or kernel-mode module. More... | |
typedef struct _INTRO_MODULE * | PINTRO_MODULE |
typedef struct _INTRO_DRVOBJ | INTRO_DRVOBJ |
Describes a driver object. More... | |
typedef struct _INTRO_DRVOBJ * | PINTRO_DRVOBJ |
typedef struct _INTRO_CPUCTX | INTRO_CPUCTX |
Holds the CPU context for an event. More... | |
typedef struct _INTRO_CPUCTX * | PINTRO_CPUCTX |
typedef struct _INTRO_WRITE_INFO | INTRO_WRITE_INFO |
Holds information about a memory write attempt. More... | |
typedef struct _INTRO_WRITE_INFO * | PINTRO_WRITE_INFO |
typedef struct _INTRO_READ_INFO | INTRO_READ_INFO |
Holds information about a memory read attempt. More... | |
typedef struct _INTRO_READ_INFO * | PINTRO_READ_INFO |
typedef struct _INTRO_EXEC_INFO | INTRO_EXEC_INFO |
Holds information about an execution attempt. More... | |
typedef struct _INTRO_EXEC_INFO * | PINTRO_EXEC_INFO |
typedef struct _INTRO_SEC_DESC_INFO | INTRO_SEC_DESC_INFO |
Holds information about a security descriptor write attempt. More... | |
typedef struct _INTRO_SEC_DESC_INFO * | PINTRO_SEC_DESC_INFO |
typedef struct _INTRO_CODEBLOCKS | INTRO_CODEBLOCKS |
Holds code block patterns information. More... | |
typedef struct _INTRO_CODEBLOCKS * | PINTRO_CODEBLOCKS |
typedef struct _INTRO_VERSION_INFO | INTRO_VERSION_INFO |
Holds version information for Introcore and the currently loaded exceptions and CAMI files. More... | |
typedef struct _INTRO_VERSION_INFO * | PINTRO_VERSION_INFO |
typedef struct _INTRO_GPRS | INTRO_GPRS |
Holds register state information. More... | |
typedef struct _INTRO_GPRS * | PINTRO_GPRS |
typedef struct _INTRO_EXEC_CONTEXT | INTRO_EXEC_CONTEXT |
Holds the context in which an execution attempt was detected. More... | |
typedef struct _INTRO_EXEC_CONTEXT * | PINTRO_EXEC_CONTEXT |
typedef struct _INTRO_EXEC_DATA | INTRO_EXEC_DATA |
Holds the data related to an execution attempt. More... | |
typedef struct _INTRO_EXEC_DATA * | PINTRO_EXEC_DATA |
typedef enum _MITRE_ID | MITRE_ID |
Mitre attack techniques. More... | |
typedef struct _INTRO_ALERT_EXCEPTION_HEADER | INTRO_ALERT_EXCEPTION_HEADER |
The common header used by exception information. More... | |
typedef struct _INTRO_VIOLATION_HEADER | INTRO_VIOLATION_HEADER |
Common violation header. More... | |
typedef struct _INTRO_VIOLATION_HEADER * | PINTRO_VIOLATION_HEADER |
typedef struct _EVENT_EPT_VIOLATION | EVENT_EPT_VIOLATION |
Event structure for EPT violations. More... | |
typedef struct _EVENT_EPT_VIOLATION * | PEVENT_EPT_VIOLATION |
typedef struct _EVENT_MSR_VIOLATION | EVENT_MSR_VIOLATION |
Event structure for MSR violation. More... | |
typedef struct _EVENT_MSR_VIOLATION * | PEVENT_MSR_VIOLATION |
typedef struct _EVENT_CR_VIOLATION | EVENT_CR_VIOLATION |
Event structure for CR violation. More... | |
typedef struct _EVENT_CR_VIOLATION * | PEVENT_CR_VIOLATION |
typedef struct _EVENT_XCR_VIOLATION | EVENT_XCR_VIOLATION |
Event structure for XCR violation. More... | |
typedef struct _EVENT_XCR_VIOLATION * | PEVENT_XCR_VIOLATION |
typedef enum _MEMCOPY_VIOLATION_TYPE | MEMCOPY_VIOLATION_TYPE |
The type of a memory copy violation. More... | |
typedef struct _EVENT_MEMCOPY_VIOLATION | EVENT_MEMCOPY_VIOLATION |
Memory access violations that cross a process boundary. More... | |
typedef struct _EVENT_MEMCOPY_VIOLATION * | PEVENT_MEMCOPY_VIOLATION |
typedef enum _TRANS_VIOLATION_TYPE | TRANS_VIOLATION_TYPE |
Translation violation types. More... | |
typedef struct _EVENT_TRANSLATION_VIOLATION | EVENT_TRANSLATION_VIOLATION |
Event structure for illegal paging-structures modifications. More... | |
typedef struct _EVENT_TRANSLATION_VIOLATION * | PEVENT_TRANSLATION_VIOLATION |
typedef struct _EVENT_INTEGRITY_VIOLATION | EVENT_INTEGRITY_VIOLATION |
Event structure for integrity violations on monitored structures. More... | |
typedef struct _EVENT_INTEGRITY_VIOLATION * | PEVENT_INTEGRITY_VIOLATION |
typedef struct _EVENT_DTR_VIOLATION | EVENT_DTR_VIOLATION |
Event structure for GDTR/IDTR descriptor tables modifications. More... | |
typedef struct _EVENT_DTR_VIOLATION * | PEVENT_DTR_VIOLATION |
typedef union _INTRO_DPI_EXTRA_INFO | INTRO_DPI_EXTRA_INFO |
Structure for keeping the relevant DPI violation information. More... | |
typedef union _INTRO_DPI_EXTRA_INFO * | PINTRO_DPI_EXTRA_INFO |
typedef struct _EVENT_PROCESS_CREATION_VIOLATION | EVENT_PROCESS_CREATION_VIOLATION |
Event structure for process creation violation events. More... | |
typedef struct _EVENT_PROCESS_CREATION_VIOLATION * | PEVENT_PROCESS_CREATION_VIOLATION |
typedef struct _EVENT_MODULE_LOAD_VIOLATION | EVENT_MODULE_LOAD_VIOLATION |
Event structure for suspicious module load into processes. More... | |
typedef struct _EVENT_MODULE_LOAD_VIOLATION * | PEVENT_MODULE_LOAD_VIOLATION |
typedef struct _EVENT_ENGINES_DETECTION_VIOLATION | EVENT_ENGINES_DETECTION_VIOLATION |
Event structure for detections provided by additional scan engines. More... | |
typedef struct _EVENT_ENGINES_DETECTION_VIOLATION * | PEVENT_ENGINES_DETECTION_VIOLATION |
typedef struct _EVENT_INTROSPECTION_MESSAGE | EVENT_INTROSPECTION_MESSAGE |
Event structure for plain data/message passing. More... | |
typedef struct _EVENT_INTROSPECTION_MESSAGE * | PEVENT_INTROSPECTION_MESSAGE |
typedef struct _EVENT_PROCESS_EVENT | EVENT_PROCESS_EVENT |
Event structure for process creation/termination. More... | |
typedef struct _EVENT_PROCESS_EVENT * | PEVENT_PROCESS_EVENT |
typedef struct _EVENT_MODULE_EVENT | EVENT_MODULE_EVENT |
Event structure for module loading and unloading. More... | |
typedef struct _EVENT_MODULE_EVENT * | PEVENT_MODULE_EVENT |
typedef struct _EVENT_CRASH_EVENT | EVENT_CRASH_EVENT |
Event structure for guest OS crashes. More... | |
typedef struct _EVENT_CRASH_EVENT * | PEVENT_CRASH_EVENT |
typedef struct _EVENT_EXCEPTION_EVENT | EVENT_EXCEPTION_EVENT |
Event structure for process exceptions. More... | |
typedef struct _EVENT_EXCEPTION_EVENT * | PEVENT_EXCEPTION_EVENT |
typedef struct _EVENT_CONNECTION_EVENT | EVENT_CONNECTION_EVENT |
Event structure for connections. More... | |
typedef struct _EVENT_CONNECTION_EVENT * | PEVENT_CONNECTION_EVENT |
typedef struct _ENG_NOTIFICATION_HEADER | ENG_NOTIFICATION_HEADER |
Notification header for scan engines alerts. More... | |
typedef struct _ENG_NOTIFICATION_HEADER * | PENG_NOTIFICATION_HEADER |
typedef struct _ENG_NOTIFICATION_CODE_EXEC | ENG_NOTIFICATION_CODE_EXEC |
Execution notification for scan engines. More... | |
typedef struct _ENG_NOTIFICATION_CODE_EXEC * | PENG_NOTIFICATION_CODE_EXEC |
typedef struct _ENG_NOTIFICATION_CMD_LINE | ENG_NOTIFICATION_CMD_LINE |
Command line notification for scan engines. More... | |
typedef struct _ENG_NOTIFICATION_CMD_LINE * | PENG_NOTIFICATION_CMD_LINE |
typedef struct _AGENT_REM_EVENT_HEADER | AGENT_REM_EVENT_HEADER |
Common header for all remediation tool events. More... | |
typedef struct _AGENT_REM_EVENT_HEADER * | PAGENT_REM_EVENT_HEADER |
typedef struct _AGENT_REM_EVENT | AGENT_REM_EVENT |
A remediation tool event. More... | |
typedef struct _AGENT_REM_EVENT * | PAGENT_REM_EVENT |
typedef struct _AGENT_LGT_EVENT_HEADER | AGENT_LGT_EVENT_HEADER |
Common header for all log gather tool events. More... | |
typedef struct _AGENT_LGT_EVENT_HEADER * | PAGENT_LGT_EVENT_HEADER |
typedef struct _AGENT_LGT_EVENT | AGENT_LGT_EVENT |
Describes an event sent by the log gathering tool. More... | |
typedef struct _AGENT_LGT_EVENT * | PAGENT_LGT_EVENT |
typedef struct _EVENT_AGENT_EVENT | EVENT_AGENT_EVENT |
Event structure for agent injection and termination. More... | |
typedef struct _EVENT_AGENT_EVENT * | PEVENT_AGENT_EVENT |
typedef struct _GUEST_INFO | GUEST_INFO |
Guest information. More... | |
typedef struct _GUEST_INFO * | PGUEST_INFO |
typedef union _INT_VERSION_INFO | INT_VERSION_INFO |
Introspection version info. More... | |
typedef union _INT_VERSION_INFO * | PINT_VERSION_INFO |
typedef union _INTRO_ERROR_CONTEXT | INTRO_ERROR_CONTEXT |
The context of an error state. More... | |
typedef union _INTRO_ERROR_CONTEXT * | PINTRO_ERROR_CONTEXT |
Exposes the types and constants used by various Introcore APIs defined in glueiface.h.
These are used to describe Introcore options, alerts, and other events that may be generated by an introspected guest.
Definition in file intro_types.h.
#define AGENT_HCALL_GATHER_TOOL 500 |
Log gathering tool.
Definition at line 2119 of file intro_types.h.
Referenced by IntLixAgentHandleUserVmcall(), and IntWinAgentHandleAppVmcall().
#define AGENT_HCALL_INTERNAL 753200 |
Reserved for internal use.
Definition at line 2123 of file intro_types.h.
Referenced by IntLixAgentHandleUserVmcall(), and IntWinAgentHandleAppVmcall().
#define AGENT_HCALL_KILLER_TOOL 600 |
Agent killer tool.
Definition at line 2121 of file intro_types.h.
#define AGENT_HCALL_REM_TOOL 100 |
Used by the remediation tool.
Definition at line 2117 of file intro_types.h.
Referenced by IntLixAgentHandleUserVmcall(), and IntWinAgentHandleAppVmcall().
#define ALERT_CMDLINE_MAX_LEN 512u |
The maximum size of a command line included in an alert structure.
Definition at line 706 of file intro_types.h.
#define ALERT_EXCEPTION_SIZE 255u |
The maximum size of an exception included in an alert structure.
Definition at line 707 of file intro_types.h.
Referenced by IntUpdateAddExceptionFromAlert().
#define ALERT_IMAGE_NAME_LEN 16u |
The maximum size of a name inside an alert structure.
Definition at line 696 of file intro_types.h.
#define ALERT_MAX_CODEBLOCKS 64u |
The maximum number of code blocks included in an alert structure.
Definition at line 705 of file intro_types.h.
Referenced by IntAlertCreateCbSignature(), IntAlertFillCodeBlocks(), IntSerializeCodeBlocksPattern(), and IntSerializeExtractCodeBlocks().
#define ALERT_MAX_DETECTION_NAME 128u |
The maximum size of a detection name as given by a third party scan engine.
Definition at line 709 of file intro_types.h.
Referenced by IntEngSendExecViolation(), IntLixCmdLineSendViolationEvent(), and IntWinSendCmdLineViolation().
#define ALERT_MAX_ENGINES_VERSION 32u |
The maximum size of the third party scan engines version.
Definition at line 710 of file intro_types.h.
Referenced by IntEngSendExecViolation(), IntLixCmdLineSendViolationEvent(), and IntWinSendCmdLineViolation().
#define ALERT_MAX_FUNCTION_NAME_LEN 32u |
The maximum size of a function name inside an alert structure.
Definition at line 703 of file intro_types.h.
Referenced by IntAlertEptFillFromVictimZone(), IntWinProcHandleCopyMemory(), IntWinThrHandleQueueApc(), and IntWinThrHandleThreadHijack().
#define ALERT_MAX_FUNCTIONS 4u |
The maximum number of functions included in an alert structure.
Definition at line 702 of file intro_types.h.
Referenced by IntAlertEptFillFromVictimZone().
#define ALERT_MAX_INJ_DUMP_SIZE 512u |
The maximum size of an injection buffer inside an alert structure.
Definition at line 704 of file intro_types.h.
#define ALERT_MAX_INSTRUX_LEN 128u |
The maximum size of an instruction inside an alert structure.
Definition at line 699 of file intro_types.h.
#define ALERT_MAX_MESSAGE_SIZE 256u |
The maximum size of an Introcore message inside EVENT_INTROSPECTION_MESSAGE.
Definition at line 698 of file intro_types.h.
#define ALERT_MAX_SECTION_NAME_LEN 8u |
The maximum size of an executable section name inside an alert structure.
Definition at line 701 of file intro_types.h.
#define ALERT_PATH_MAX_LEN 260u |
The maximum size of a path inside an alert structure.
Definition at line 695 of file intro_types.h.
#define FALSE false |
Definition at line 34 of file intro_types.h.
Referenced by DbgDumpCodeblocks(), DbgDumpGuestModules(), DbgMitigateSwapgs(), DbgProcRem(), DbgVadFind(), glob_match_numeric_utf8(), glob_match_utf16(), glob_match_utf8(), IntAgentIsPtrInTrampoline(), IntAlertCreateCbSignature(), IntAlertCreateCrException(), IntAlertCreateDtrException(), IntAlertCreateEptException(), IntAlertCreateExceptionInEvent(), IntAlertCreateExportSignature(), IntAlertCreateInjectionException(), IntAlertCreateIntegrityException(), IntAlertCreateModuleLoadException(), IntAlertCreateMsrException(), IntAlertCreateProcessCreationException(), IntAlertFillLixCurrentProcess(), IntAlertFillWinKmModule(), IntAlertFillWinProcess(), IntAlertFillWinProcessByCr3(), IntAlertFillWinProcessCurrent(), IntAlertFillWinUmModule(), IntCamiUpdateProcessProtectionInfoLix(), IntCamiUpdateProcessProtectionInfoWin(), IntCrLixHandleWrite(), IntCrSendAlert(), IntCrWinHandleWrite(), IntDbgProcessCommand(), IntDecDecodeInstruction(), IntDecDecodeInstructionAtRipWithCache(), IntDecEmulatePTWrite(), IntDecEmulateRead(), IntDecGetSseRegValue(), IntDecGetWrittenValueFromInstruction(), IntDetCallCallback(), IntDetEnableHypercall(), IntDetIsPtrInHandler(), IntDetIsPtrInRelocatedCode(), IntDetRelocate(), IntDetSendIntegrityAlert(), IntDetSetHook(), IntDetSetLixHook(), IntDispatchPtAsEpt(), IntDispatchVeAsEpt(), IntDtrHandleWrite(), IntDtrSendAlert(), IntDumpInstruction(), IntExcept(), IntExceptDumpSignatures(), IntExceptExtendedPatternMatch(), IntExceptGetVictimIntegrity(), IntExceptInit(), IntExceptKernel(), IntExceptKernelLogInformation(), IntExceptKernelMatchVictim(), IntExceptKernelUser(), IntExceptKernelUserLogInformation(), IntExceptKernelUserMatchArch(), IntExceptKernelUserMatchNameHash(), IntExceptKernelUserMatchObjectType(), IntExceptKernelUserMatchProcessHash(), IntExceptKernelUserMatchVictim(), IntExceptKernelUserMatchZoneFlags(), IntExceptLixKernelIsMemoryFunc(), IntExceptRemove(), IntExceptSignaturesHasType(), IntExceptUser(), IntExceptUserGetOriginator(), 
IntExceptUserHandleMemoryFunctions(), IntExceptUserLogInformation(), IntExceptUserMatchArchitecture(), IntExceptUserMatchChild(), IntExceptUserMatchNameGlob(), IntExceptUserMatchProcessGlob(), IntExceptUserMatchProcessHash(), IntExceptUserMatchSystemProcess(), IntExceptUserMatchZoneFlags(), IntExceptUserMatchZoneType(), IntExceptVerifyCodeBlocksSig(), IntExceptVerifyExportSig(), IntExceptVerifyValueSig(), IntExceptVerifyVersionIntroSignature(), IntExceptVerifyVersionOsSignature(), IntFragLogCodeBlocks(), IntGpaCacheAddEntry(), IntGpaCacheFlush(), IntGpaCacheLookupEntry(), IntGpaCacheRelease(), IntGuestDetectOs(), IntGuestDetectOsSysCall(), IntGuestHandleCr3Write(), IntGuestInit(), IntGuestInitMemoryInfo(), IntGuestIsKptiActive(), IntGuestIsSafeToDisable(), IntGuestPreReturnCallback(), IntGuestUpdateCoreOptions(), IntHandleBreakpoint(), IntHandleCowOnPage(), IntHandleCrWrite(), IntHandleDtrViolation(), IntHandleEptViolation(), IntHandleEventInjection(), IntHandleFetchRetryOnPageBoundary(), IntHandleIntroCall(), IntHandleMemAccess(), IntHandleMsrViolation(), IntHandlePageBoundaryCow(), IntHandleTimer(), IntHandleXcrWrite(), IntHookCommitAllHooks(), IntHookCrRemoveHook(), IntHookCrSetHook(), IntHookGpaCommitHooks(), IntHookGpaDisablePtCache(), IntHookGpaDisableVe(), IntHookGpaEnableDisableVe(), IntHookGpaInit(), IntHookGpaSetHook(), IntHookGpaSetNewPageProtection(), IntHookGvaCommitHooks(), IntHookGvaEnableHooks(), IntHookGvaHandleSwap(), IntHookGvaSetHook(), IntHookMsrRemoveHook(), IntHookMsrSetHook(), IntHookObjectCommit(), IntHookObjectCreate(), IntHookPtmCommitHooks(), IntHookPtmRemoveTableHook(), IntHookPtmWriteCallback(), IntHookPtsCheckIntegrity(), IntHookPtsCloneCallbacks(), IntHookPtsCommitHooks(), IntHookPtsCreateEntry(), IntHookPtsDisableEntry(), IntHookPtsHandleModification(), IntHookPtsInit(), IntHookPtsInvokeCallbacks(), IntHookPtsRemoveHookInternal(), IntHookPtsRemovePteHook(), IntHookPtsSetHook(), IntHookPtsWriteCallback(), IntHookPtwProcessWrite(), 
IntHookXcrSetHook(), IntIcAddInstruction(), IntIcAddInvdForInstruction(), IntIcFlush(), IntIcSwapHandler(), IntIcWriteHandler(), IntIntegrityAddRegion(), IntIntegrityCheckAll(), IntIntegrityIsOverlappedRegions(), IntKernVirtMemRead(), IntKsymExpandSymbol(), IntKsymFindIndexesTableStart(), IntKsymInitAbsolute(), IntKsymRelativeFindOffsetTableEnd(), IntKsymUninit(), IntLdrLoadPEImage(), IntLixAccessRemoteVmHandler(), IntLixAgentActivatePendingAgent(), IntLixAgentAllocate(), IntLixAgentDecProcRef(), IntLixAgentFindInstruction(), IntLixAgentNameIsRunning(), IntLixApiHookAll(), IntLixCrashEnoughHeapAvailable(), IntLixCredAnalyzeStack(), IntLixCredCheckIntegrity(), IntLixCredsVerify(), IntLixDrvActivateProtection(), IntLixDrvDeactivateProtection(), IntLixDrvFindList(), IntLixDrvHandleWrite(), IntLixDrvIsActivePatch(), IntLixDrvRemoveDuplicate(), IntLixDrvRemoveFromAddress(), IntLixDrvSendEvent(), IntLixDrvSendViolationEvent(), IntLixDrvSystemBooting(), IntLixFileCachePathIsValid(), IntLixGetInitTask(), IntLixGuestDeployUninitAgent(), IntLixGuestFindKernelVersionAndRo(), IntLixGuestIsKptiActive(), IntLixGuestIsSupported(), IntLixGuestNew(), IntLixGuestParseVersion(), IntLixGuestUninit(), IntLixIdtWriteHandler(), IntLixKernelHandleRead(), IntLixMmFetchVma(), IntLixMmGetInitMm(), IntLixMmListVmas(), IntLixMmPopulateVmas(), IntLixMmPopulateVmasInternal(), IntLixMsrHandleWrite(), IntLixNetFileIsSocket(), IntLixPatchHandler(), IntLixStackTraceGet(), IntLixTaskActivateProtection(), IntLixTaskAddProtected(), IntLixTaskChangeProtectionFlags(), IntLixTaskCreate(), IntLixTaskCreateFromBinprm(), IntLixTaskCreateInitTask(), IntLixTaskDeactivateProtection(), IntLixTaskDestroy(), IntLixTaskGuestTerminating(), IntLixTaskHandleExec(), IntLixTaskHandleFork(), IntLixTaskHandleInjection(), IntLixTaskHandlePtrace(), IntLixTaskHandleVmRw(), IntLixTaskIsUserStackPivoted(), IntLixTaskPathGetByDentry(), IntLixTaskSendCredViolationEvent(), IntLixTaskSendInjectionEvent(), 
IntLixTaskSendTaskEvent(), IntLixTaskUpdateProtection(), IntLixUnhookKernelRead(), IntLixUnhookKernelWrite(), IntLixUnpatchSwapgs(), IntLixValidateProcessCreationRights(), IntLixVdsoHandleKernelModeWrite(), IntLixVdsoHandleUserModeWrite(), IntLixVdsoHandleWriteCommon(), IntLixVmaChangeProtection(), IntLixVmaHandlePageExecution(), IntLixVmaIntervalChanged(), IntLixVmaRemoveProtection(), IntMatchPatternUtf8(), IntMemClkIsPtrInCloak(), IntMemClkUnInit(), IntMsrSyscallUnprotect(), IntMtblCheckAccess(), IntMtblInsRelocated(), IntMtblIsPtrInReloc(), IntMtblPatchInstruction(), IntMtblRemoveEntry(), IntNetAddrToStr(), IntPatternMatch(), IntPeFindExportByName(), IntPeFindExportByOrdinal(), IntPeFindExportByRva(), IntPeFindFunctionByPattern(), IntPeFindFunctionByPatternInBuffer(), IntPeFindFunctionStart(), IntPeFindFunctionStartInBuffer(), IntPeGetDirectory(), IntPeGetExportNameByRva(), IntPeGetRuntimeFunction(), IntPeGetRuntimeFunctionInBuffer(), IntPeGetSectionHeaderByRva(), IntPeGetSectionHeadersByName(), IntPeParseUnwindData(), IntPeParseUnwindDataInBuffer(), IntPeValidateOptionalHeader(), IntPhysicalMemRead(), IntPhysicalMemReadAnySize(), IntPolicyCoreForceBetaIfNeeded(), IntPolicyProcForceBetaIfNeeded(), IntPolicyProcIsBeta(), IntPolicyProcIsFeedback(), IntPtiCompleteLoader(), IntPtiDeliverDriverForUnload(), IntPtiDisableFiltering(), IntPtiInjectPtFilter(), IntPtiIsPtrInAgent(), IntPtiMonitorAllPtWriteCandidates(), IntPtiResetState(), IntPtiRestoreAllPtWriteCandidates(), IntReadString(), IntRtlpVirtualUnwindCheckAccess(), IntSerializeLixKmMisc(), IntSerializeStringIsWcharAscii(), IntSerializeValidObjectSize(), IntSerializeWinKmMisc(), IntSetValueForOperand(), IntSlackSendIntegrityAlert(), IntStackAnalyzePointer(), IntSwapgsInstallHandler(), IntSwapgsIsPtrInHandler(), IntSwapgsUninit(), IntSwapMemCancelPendingPF(), IntSwapMemCancelTransaction(), IntSwapMemInjectPendingPF(), IntSwapMemPageSwappedIn(), IntSwapMemReadData(), IntSwapMemReinjectFailedPF(), 
IntSwapMemRemoveTransaction(), IntSwapMemRemoveTransactionsForVaSpace(), IntThrSafeCheckThreads(), IntThrSafeIsLiveRIPInIntro(), IntThrSafeIsStackPtrInIntro(), IntThrSafeLixInspectWaitingThread(), IntThrSafeMoveReturn(), IntThrSafeWinInspectRunningThreadOnCpu(), IntThrSafeWinInspectWaitingThread(), IntTranslateVa32(), IntUnpPageWriteCallback(), IntUpdateAddCbSignature(), IntUpdateAddExportSignature(), IntUpdateAddIdtSignature(), IntUpdateAddProcessCreationSignature(), IntUpdateAddValueCodeSignature(), IntUpdateAddValueSignature(), IntUpdateAddVersionIntroSignature(), IntUpdateAddVersionOsSignature(), IntUpdateIsDuplicateCbSignature(), IntUpdateIsDuplicateExportSignature(), IntUpdateIsDuplicateIdtSignature(), IntUpdateIsDuplicateKernelException(), IntUpdateIsDuplicateKernelUserException(), IntUpdateIsDuplicateUserException(), IntUpdateIsValidEntry(), IntValidatePageRightsEx(), IntValidateTranslation(), IntVasUnInit(), IntVeCompleteLoader(), IntVeFindKernelKvaShadowAndKernelExit(), IntVeHandleAccess(), IntVeHandleEPTViolationInProtectedView(), IntVeIsAgentRemapped(), IntVeIsCurrentRipInAgent(), IntVeIsPtrInAgent(), IntVeResetState(), IntVeUnhookVeAgent(), IntVeUnInit(), IntVeUpdateCacheEntry(), IntVirtMemRead(), IntVirtMemUnmapMultiPage(), IntWinAgentActivatePendingAgent(), IntWinAgentCheckIfProcessAgentAndDecrement(), IntWinAgentCheckIfProcessAgentAndIncrement(), IntWinAgentFindInstruction(), IntWinAgentHandleDriverVmcall(), IntWinAgentInit(), IntWinAgentInjectTrampoline(), IntWinAgentIsPtrInTrampoline(), IntWinAgentIsRipInsideCurrentAgent(), IntWinAgentReleaseBootstrapAddress(), IntWinAgentSelectBootstrapAddress(), IntWinAgentUnInit(), IntWinApiHook(), IntWinApiHookAll(), IntWinApiHookVeHandler(), IntWinCrashHandleDepViolation(), IntWinDagentCheckNativeSubsystem(), IntWinDagentHandleSuspModHeaders(), IntWinDagentIsInitialDll(), IntWinDagentSendDoubleAgentAlert(), IntWinDepInjectFile(), IntWinDepInjectProcess(), IntWinDpiCheckCreation(), IntWinDpiIsDpiWhiteListed(), 
IntWinDpiIsSelf(), IntWinDpiValidateHeapSpray(), IntWinDpiValidatePivotedStack(), IntWinDpiValidateTokenPrivs(), IntWinDrvHandleDriverEntry(), IntWinDrvHandleRead(), IntWinDrvHandleWrite(), IntWinDrvHeadersInMemory(), IntWinDrvIsListHead(), IntWinDrvObjHandleModification(), IntWinDrvObjHandleWrite(), IntWinDrvObjIsValidDriverObject(), IntWinDrvObjRemoveFromAddress(), IntWinDrvObjSendEptAlert(), IntWinDrvObjSendIntegrityAlert(), IntWinDrvObjUnprotect(), IntWinDrvObjUnprotectFastIoDispatch(), IntWinDrvRemoveFromAddress(), IntWinDrvSendAlert(), IntWinDrvUnprotect(), IntWinGetActiveCpuCount(), IntWinGuestFindBuildNumber(), IntWinGuestFindDriversNamespace(), IntWinGuestFindIdleCr3(), IntWinGuestFindKernel(), IntWinGuestFindKernelCr3(), IntWinGuestFindSelfMapIndex(), IntWinGuestIsIncreasedUserVa(), IntWinGuestIsSystemCr3(), IntWinGuestReadKernel(), IntWinGuestResolveImports(), IntWinGuestUninit(), IntWinGuestValidateKernel(), IntWinHalHandleDispatchTableWrite(), IntWinHalHandleHalHeapExec(), IntWinHalHandleHalIntCtrlWrite(), IntWinHalHandlePerfCounterModification(), IntWinHalIsHalPerf(), IntWinHalIsIntController(), IntWinHalReadHal(), IntWinHalSendAlert(), IntWinHalSendPerfCntIntegrityAlert(), IntWinIdtHandleModification(), IntWinIdtSendIntegrityAlert(), IntWinIdtWriteHandler(), IntWinInfHookEptSppHandleWrite(), IntWinInfHookEptSppSendAlert(), IntWinInfHookGetEtwpDebuggerData(), IntWinInfHookHandleSiloFirstWrite(), IntWinInfHookIntegrityHandleWrite(), IntWinInfHookIntegritySendAlert(), IntWinInfHookSiloWmiPtrIntegrityCallback(), IntWinInfHookSppViolationCallbackWmiPtrChanged(), IntWinIntObjHandleArrayModification(), IntWinIntObjSendIntegrityAlert(), IntWinIsUmTrapFrame(), IntWinModBlockHandleExecution(), IntWinModBlockRegisterCallbackForReason(), IntWinModCheckSpecialCases(), IntWinModHandleKernelWrite(), IntWinModHandleLoadFromVad(), IntWinModHandleUserWrite(), IntWinModIsKernelWriteInjection(), IntWinModIsProtected(), IntWinModRemoveModule(), 
IntWinModulesChangeProtectionFlags(), IntWinModUnHookModule(), IntWinModWriteValidHandler(), IntWinMsrHandleWrite(), IntWinMsrSendAlert(), IntWinNetFindTcpPartition(), IntWinNetGetTcpEndpoint(), IntWinNetGetTcpListener(), IntWinObjCancelRootTransactions(), IntWinObjHandleRootDirTagInMemory(), IntWinObjIsRootSearchOver(), IntWinObjIsTypeObject(), IntWinObjReinitGlobalState(), IntWinPfnHandleTranslationChange(), IntWinPfnIsMmPfnDatabase(), IntWinPfnLockAddress(), IntWinPfnLockGva(), IntWinPfnModifyRefCount(), IntWinPfnMoveLock(), IntWinPfnRemoveLock(), IntWinPfnUnlockAddress(), IntWinPreProcessException(), IntWinProcChangeProtectionFlags(), IntWinProcCreateProcessObject(), IntWinProcDeleteProcessObject(), IntWinProcEnforceProcessDep(), IntWinProcExistsProtectedProcess(), IntWinProcHandleCopyMemory(), IntWinProcHandleCreateInternal(), IntWinProcHandleInstrument(), IntWinProcHandleReadFromLsass(), IntWinProcIsEnoughHeapAvailable(), IntWinProcIsExploitGuardEnabled(), IntWinProcIsFullPath(), IntWinProcRemoveProcess(), IntWinProcSendProcessEvent(), IntWinProcSwapIn(), IntWinProcUnlockCr3(), IntWinProcUpdateProtectedProcess(), IntWinProcValidateSystemCr3(), IntWinReadToken(), IntWinSDCheckAclIntegrity(), IntWinSDCheckSecDescIntegrity(), IntWinSDDumpSecDesc(), IntWinSDIsAceInsideAcl(), IntWinSDIsAceInsideBuffer(), IntWinSDIsAclEdited(), IntWinSDIsSecDescPtrAltered(), IntWinSDSendAclIntegrityViolation(), IntWinSDSendSecDescIntViolation(), IntWinSelfMapHandleCr3SelfMapModification(), IntWinSelfMapHandleCr3SelfMapWrite(), IntWinSelfMapProtectSelfMapIndex(), IntWinStackHandleUserStackPagedOut(), IntWinStackTraceGet32(), IntWinStackTraceGet64(), IntWinStackTraceGetUser(), IntWinStackTraceGetUser32(), IntWinStackUserCheckIsPivoted(), IntWinStackUserTrapFrameGet32(), IntWinStackUserTrapFrameGet64(), IntWinSudCheckIntegrity(), IntWinSudFetchFieldCurrentValue(), IntWinSudHandleKernelSudExec(), IntWinSudHandleUserSudExec(), IntWinSudProtectIntegrity(), 
IntWinSudSendSudIntegrityAlert(), IntWinSudUnprotectIntegrity(), IntWinThrHandleQueueApc(), IntWinThrHandleThreadHijack(), IntWinTokenCheckCurrentPrivileges(), IntWinTokenPrivsCheckIntegrityOnProcess(), IntWinTokenPrivsHandleWrite(), IntWinTokenPrivsSendEptAlert(), IntWinTokenPrivsSendIntegrityAlert(), IntWinTokenPrivsShouldHook(), IntWinTokenPtrCheckIntegrityOnProcess(), IntWinTokenPtrIsStolen(), IntWinUmCacheIsExportDirRead(), IntWinUmModMustCacheExports(), IntWinVadDump(), IntWinVadFetchByRange(), IntWinVadFindNodeInGuestSpace(), IntWinVadHandleCommit(), IntWinVadHandleInsert(), IntWinVadHandleInsertMap(), IntWinVadHandleInsertPrivate(), IntWinVadHandleProtectGeneric(), IntWinVadHandleVirtualProtect(), IntWinVadIsExecSuspicious(), IntWinVadIsInTree(), IntWinVadProcImportMainModuleVad(), IntWinVadRemoveRanges(), IntWinVadRescanVad(), IntWinVadShortDump(), IsInitializationDone(), IsPeb32Write(), IsPeb64Write(), IsSse42Supported(), RbWalkInorderTree(), ShouldIgnoreInjection(), UtilIsBufferZero(), and UtilSortQwords().
#define INTRO_SECURITY_DESCRIPTOR_SIZE 1024u |
The size of the buffers in which we store the security descriptors. A security descriptor is composed of its two Access Control Lists (SACL/DACL) and their corresponding Access Control Entries. Below is an example of the memory map of a security descriptor dumped in winsecdesc.c. Although this one occupies only 0x6C bytes, we want to leave room for processes with more ACEs.
    0x00 ///////////////////////////////
         ///   SECURITY_DESCRIPTOR   ///
         ///////////////////////////////
    0x14 ///////////////////////////////      |
         ///       SACL Header       ///      |
         ///  AclRev=2 AclSize=0x1C  ///------| Total SACL size 0x1C
         ///       AceCount=1        ///      |
         ///////////////////////////////      |
    0x1C ///////////////////////////////      |
         ///         ACE[0]          ///      |
         ///////////////////////////////      |
    0x30 ///////////////////////////////      |
         ///       DACL Header       ///      |
         ///  AclRev=2 AclSize=0x3C  ///------|
         ///       AceCount=2        ///      |
         ///////////////////////////////      | Total DACL size 0x3C
    0x38 ///////////////////////////////      |
         ///         ACE[0]          ///      |
         ///////////////////////////////      |
         ///////////////////////////////      |
         ///         ACE[1]          ///      |
         ///////////////////////////////      |
    0x6C
Definition at line 740 of file intro_types.h.
Referenced by IntWinDpiValidateParentAclEdit(), IntWinDpiValidateParentSecDesc(), IntWinSDCheckAclIntegrity(), IntWinSDCheckSecDescIntegrity(), IntWinSDGatherAcl(), and IntWinSDReadSecDesc().
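The memory map above is only useful if the AclSize and AceCount fields read from the guest are checked before they are trusted: a guest can present an ACL whose declared size runs past the bytes actually copied, or more ACEs than fit inside it. The following is an added example, not Introcore code, showing such a bounds check against the INTRO_SECURITY_DESCRIPTOR_SIZE buffer. It assumes the layout from the memory map (SD header 0x14 bytes, SACL at 0x14, DACL at 0x30), the standard Windows ACL header (8 bytes: AclRevision, Sbz1, AclSize, AceCount, Sbz2) and ACE header (4 bytes: AceType, AceFlags, AceSize), a little-endian host, and hypothetical function names (SdFootprint, BuildSampleSd, SampleChecksPassed); the sample descriptor is constructed inline.

```c
/* Added example (not Introcore code): bounds-check a security descriptor's SACL/DACL
 * against the INTRO_SECURITY_DESCRIPTOR_SIZE buffer. Offsets 0x14/0x30 come from the
 * memory map in the macro description; ACL/ACE header layouts are the Windows ones.
 * Little-endian host assumed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define INTRO_SECURITY_DESCRIPTOR_SIZE 1024u   /* value from intro_types.h */
#define ACL_HDR_SIZE 8u   /* AclRevision, Sbz1, AclSize(2), AceCount(2), Sbz2(2) */
#define ACE_HDR_SIZE 4u   /* AceType, AceFlags, AceSize(2) */

/* Unaligned little-endian 16-bit read/write helpers. */
static uint16_t Rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void Wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Walks the ACEs of one ACL; true only if every ACE lies entirely inside AclSize. */
static bool AclAcesInside(const uint8_t *acl, uint16_t aclSize)
{
    uint16_t aceCount = Rd16(acl + 4);
    size_t off = ACL_HDR_SIZE;
    for (uint16_t i = 0; i < aceCount; i++) {
        if (off + ACE_HDR_SIZE > aclSize) return false;       /* ACE header spills out */
        uint16_t aceSize = Rd16(acl + off + 2);
        if (aceSize < ACE_HDR_SIZE || off + aceSize > aclSize) return false;
        off += aceSize;
    }
    return true;
}

/* Validates the ACL at aclOff (revision 2, header and ACEs inside the bytes read).
 * Returns the offset one past the ACL's end, or 0 on any inconsistency. */
static size_t AclEnd(const uint8_t *buf, size_t bufLen, size_t aclOff)
{
    if (aclOff + ACL_HDR_SIZE > bufLen) return 0;
    const uint8_t *acl = buf + aclOff;
    uint16_t aclSize = Rd16(acl + 2);
    if (acl[0] != 2 || aclSize < ACL_HDR_SIZE || aclOff + aclSize > bufLen) return 0;
    if (!AclAcesInside(acl, aclSize)) return 0;
    return aclOff + aclSize;
}

/* Total footprint (end of the farther ACL) of a descriptor whose SACL and DACL sit at
 * the given offsets; 0 if the layout is inconsistent or would not fit in the buffer
 * reserved by INTRO_SECURITY_DESCRIPTOR_SIZE. */
size_t SdFootprint(const uint8_t *buf, size_t bufLen, size_t saclOff, size_t daclOff)
{
    size_t saclEnd = AclEnd(buf, bufLen, saclOff);
    size_t daclEnd = AclEnd(buf, bufLen, daclOff);
    if (saclEnd == 0 || daclEnd == 0) return 0;
    size_t end = saclEnd > daclEnd ? saclEnd : daclEnd;
    return end <= INTRO_SECURITY_DESCRIPTOR_SIZE ? end : 0;
}

/* Constructed sample matching the memory map: SACL (1 ACE) at 0x14, DACL (2 ACEs) at
 * 0x30, 0x6C bytes in total. Returns the number of bytes written. */
size_t BuildSampleSd(uint8_t *out, size_t cap)
{
    if (cap < 0x6C) return 0;
    memset(out, 0, 0x6C);
    out[0x14] = 2; Wr16(out + 0x16, 0x1C); Wr16(out + 0x18, 1);   /* SACL header */
    Wr16(out + 0x1C + 2, 0x14);                                  /* SACL ACE[0]: 20 bytes */
    out[0x30] = 2; Wr16(out + 0x32, 0x3C); Wr16(out + 0x34, 2);   /* DACL header */
    Wr16(out + 0x38 + 2, 0x14);                                  /* DACL ACE[0]: 20 bytes */
    Wr16(out + 0x4C + 2, 0x20);                                  /* DACL ACE[1]: 32 bytes */
    return 0x6C;
}

/* Runs three checks on the sample (intact, too many ACEs, oversized AclSize);
 * returns how many behaved as expected (3). */
int SampleChecksPassed(void)
{
    uint8_t sd[INTRO_SECURITY_DESCRIPTOR_SIZE];
    int ok = 0;
    size_t n = BuildSampleSd(sd, sizeof sd);
    ok += (SdFootprint(sd, n, 0x14, 0x30) == 0x6C);
    Wr16(sd + 0x34, 3);      /* DACL claims 3 ACEs: the third would spill past AclSize */
    ok += (SdFootprint(sd, n, 0x14, 0x30) == 0);
    Wr16(sd + 0x34, 2);
    Wr16(sd + 0x32, 0x100);  /* DACL AclSize larger than the bytes actually read */
    ok += (SdFootprint(sd, n, 0x14, 0x30) == 0);
    return ok;
}

int main(void)
{
    printf("sample checks passed: %d/3\n", SampleChecksPassed());
    return 0;
}
```

Note that the walk rejects an ACE whose AceSize is smaller than its own header, which would otherwise loop forever on a crafted ACL, and that the 1024-byte limit is applied only after the per-ACL checks, so an out-of-range AclSize never drives a read beyond the bytes copied from the guest.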
#define INTRO_SIDS_MAX_COUNT 4 |
The maximum SID count included in an alert.
Definition at line 856 of file intro_types.h.
Referenced by IntWinReadToken().
#define INTRO_VIOLATION_VERSION 1 |
Violation header version.
Definition at line 788 of file intro_types.h.
Referenced by IntAlertFillVersionInfo().
#define INTRO_WIN_SID_MAX_SIZE (sizeof(INTRO_WIN_SID) - sizeof(DWORD) + (INTRO_WIN_SID_MAX_SUB_AUTHORITIES * sizeof(DWORD))) |
The maximum size of an INTRO_WIN_SID structure.
Definition at line 834 of file intro_types.h.
#define INTRO_WIN_SID_MAX_SUB_AUTHORITIES 15 |
The maximum number of sub-authorities contained in a SID.
Definition at line 831 of file intro_types.h.
Referenced by IntWinReadSid().
#define LGT_EVENT_SIZE sizeof(AGENT_LGT_EVENT) |
Log gather agent event size.
Definition at line 2251 of file intro_types.h.
Referenced by IntAgentHandleLogGatherVmcall().
#define LGT_EVENT_VERSION 0x00010000 |
Log gather agent event version.
Definition at line 2249 of file intro_types.h.
Referenced by IntAgentHandleLogGatherVmcall().
#define LGT_MAX_DATA_SIZE 4096 |
The maximum size of a log gather tool data chunk.
Definition at line 2246 of file intro_types.h.
#define REM_EVENT_SIZE sizeof(AGENT_REM_EVENT) |
Remediation event size.
Definition at line 2152 of file intro_types.h.
Referenced by IntAgentHandleRemediationVmcall().
#define REM_EVENT_VERSION 0x00010000 |
Remediation event version.
Definition at line 2150 of file intro_types.h.
Referenced by IntAgentHandleRemediationVmcall().
#define REM_MAX_DETECTION_LEN 128 |
The maximum detection name size in bytes, including the NULL terminator.
Definition at line 2147 of file intro_types.h.
#define REM_MAX_OBJECT_PATH_LEN 512 |
The maximum object path size in bytes, including the NULL terminator.
Definition at line 2145 of file intro_types.h.
#define TRUE true |
Definition at line 30 of file intro_types.h.
Referenced by DbgLoadPt(), DbgLoadVe(), DbgMitigateSwapgs(), DbgProcAdd(), DbgUnloadPt(), DbgUnloadVe(), glob_match_numeric_utf8(), glob_match_utf16(), glob_match_utf8(), IntAlertCreateCbSignature(), IntAlertCreateCrException(), IntAlertCreateDtrException(), IntAlertCreateEptException(), IntAlertCreateExportSignature(), IntAlertCreateIdtSignature(), IntAlertCreateInjectionException(), IntAlertCreateIntegrityException(), IntAlertCreateModuleLoadException(), IntAlertCreateMsrException(), IntAlertCreateProcessCreationException(), IntAlertCreateProcessCreationSignature(), IntAlertFillCodeBlocks(), IntAlertFillCpuContext(), IntAlertFillDriverObject(), IntAlertFillLixKmModule(), IntAlertFillLixProcess(), IntAlertFillWinKmModule(), IntAlertFillWinProcess(), IntAlertFillWinUmModule(), IntCamiUpdateProcessProtectionInfoLix(), IntCamiUpdateProcessProtectionInfoWin(), IntCrLixHandleWrite(), IntCrSendAlert(), IntCrWinHandleWrite(), IntDbgProcessCommand(), IntDecDecodeInstruction(), IntDecDecodeInstructionAtRipWithCache(), IntDecEmulateInstruction(), IntDecEmulateRead(), IntDecGetWrittenValueFromInstruction(), IntDecSetSseRegValue(), IntDetCallCallback(), IntDetDisableLixHypercall(), IntDetDisableWinHypercall(), IntDetHandleWrite(), IntDetIsPtrInHandler(), IntDetIsPtrInRelocatedCode(), IntDetSetLixHook(), IntDispatchPtAsEpt(), IntDispatchVeAsEpt(), IntDtrHandleWrite(), IntDtrSendAlert(), IntDumpGva(), IntDumpInstruction(), IntExcept(), IntExceptDumpSignatures(), IntExceptExtendedPatternMatch(), IntExceptGetOriginatorFromModification(), IntExceptGetVictimIntegrity(), IntExceptKernel(), IntExceptKernelLogInformation(), IntExceptKernelMatchVictim(), IntExceptKernelUser(), IntExceptKernelUserLogInformation(), IntExceptKernelUserMatchArch(), IntExceptKernelUserMatchNameHash(), IntExceptKernelUserMatchObjectType(), IntExceptKernelUserMatchProcessHash(), IntExceptKernelUserMatchVictim(), IntExceptKernelUserMatchZoneFlags(), IntExceptLixKernelIsMemoryFunc(), 
IntExceptSignaturesHasType(), IntExceptUser(), IntExceptUserGetExecOriginator(), IntExceptUserHandleMemoryFunctions(), IntExceptUserLogInformation(), IntExceptUserMatchArchitecture(), IntExceptUserMatchChild(), IntExceptUserMatchNameGlob(), IntExceptUserMatchProcessGlob(), IntExceptUserMatchProcessHash(), IntExceptUserMatchSystemProcess(), IntExceptUserMatchZoneFlags(), IntExceptUserMatchZoneType(), IntExceptVerifyExportSig(), IntExceptVerifyVersionIntroSignature(), IntExceptVerifyVersionOsSignature(), IntExceptWinKernelGetOriginator(), IntFragLogCodeBlocks(), IntGetCurrentInstructionLength(), IntGetCurrentInstructionMnemonic(), IntGpaCacheAddEntry(), IntGpaCacheLookupEntry(), IntGpaCacheRelease(), IntGuestDetectOsSysCall(), IntGuestHandleCr3Write(), IntGuestInit(), IntGuestInitMemoryInfo(), IntGuestIsKptiActive(), IntGuestIsSafeToDisable(), IntGuestPrepareUninit(), IntGuestPreReturnCallback(), IntGuestUninitOnBugcheck(), IntGuestUpdateCoreOptions(), IntHandleBreakpoint(), IntHandleCowOnPage(), IntHandleCrWrite(), IntHandleDtrViolation(), IntHandleEptViolation(), IntHandleFetchRetryOnPageBoundary(), IntHandleIntroCall(), IntHandleMemAccess(), IntHandleMsrViolation(), IntHandleXcrWrite(), IntHookCrRemoveHook(), IntHookCrSetHook(), IntHookDtrRemoveHook(), IntHookGpaEnablePtCache(), IntHookGpaEnableVe(), IntHookGpaRemoveHookInternal(), IntHookGpaSetHook(), IntHookGpaSetNewPageProtection(), IntHookGvaEnableHooks(), IntHookGvaHandleSwap(), IntHookGvaRemoveHookInternal(), IntHookGvaSetHook(), IntHookMsrRemoveHook(), IntHookMsrSetHook(), IntHookObjectDestroy(), IntHookObjectDestroyAll(), IntHookObjectHookRegion(), IntHookObjectRemoveRegionInternal(), IntHookPtmAddTable(), IntHookPtmRemoveHookInternal(), IntHookPtmSetHook(), IntHookPtsCheckIntegrity(), IntHookPtsCloneCallbacks(), IntHookPtsCreateEntry(), IntHookPtsEnableEntry(), IntHookPtsInvokeCallbacks(), IntHookPtsRemoveHookInternal(), IntHookPtsRemovePteHook(), IntHookPtsSetHook(), IntHookPtsWriteCallback(), 
IntHookPtwEmulateWrite(), IntHookPtwProcessWrite(), IntHookXcrRemoveHook(), IntIcAddInstruction(), IntIcAddInvdForInstruction(), IntIcSwapHandler(), IntIcWriteHandler(), IntInjectExceptionInGuest(), IntInjectFileAgentInGuest(), IntInjectProcessAgentInGuest(), IntIntegrityCheckAll(), IntIntegrityDeleteRegion(), IntIntegrityIsOverlappedRegions(), IntKernVirtMemWrite(), IntKsymExpandSymbol(), IntKsymFindByName(), IntKsymFindIndexesTableStart(), IntKsymInit(), IntKsymInitAbsolute(), IntKsymRelativeFindOffsetTableEnd(), IntLdrLoadPEImage(), IntLixAgentCreate(), IntLixAgentDecProcRef(), IntLixAgentEnableInjection(), IntLixAgentFindInstruction(), IntLixAgentInit(), IntLixAgentNameIsRunning(), IntLixAgentStart(), IntLixApiHook(), IntLixApiHookAll(), IntLixCrashPanicHandler(), IntLixCredAnalyzeStack(), IntLixCredCheckIntegrity(), IntLixCredsVerify(), IntLixDrvActivateProtection(), IntLixDrvCreateFromAddress(), IntLixDrvCreateKernel(), IntLixDrvFindList(), IntLixDrvHandleWrite(), IntLixDrvInitVfreeHandler(), IntLixDrvIsActivePatch(), IntLixDrvSendEvent(), IntLixDrvSendViolationEvent(), IntLixDrvSystemBooting(), IntLixFileCachePathIsValid(), IntLixGetInitTask(), IntLixGuestActivateProtection(), IntLixGuestAllocateFill(), IntLixGuestDeployUninitAgent(), IntLixGuestFindKernelVersionAndRo(), IntLixGuestInit(), IntLixGuestInitAgentCompletion(), IntLixGuestInitAgentHypercall(), IntLixGuestIsKptiActive(), IntLixGuestIsSupported(), IntLixGuestParseVersion(), IntLixGuestUninitGuestCode(), IntLixHookKernelRead(), IntLixHookKernelWrite(), IntLixIdtWriteHandler(), IntLixKernelHandleRead(), IntLixMmFetchVma(), IntLixMmGetInitMm(), IntLixMmListVmas(), IntLixMmPopulateVmas(), IntLixMsrHandleWrite(), IntLixNetFileIsSocket(), IntLixNetIterateTaskConnections(), IntLixNetSendGuestConnections(), IntLixPatchHandler(), IntLixPatchSwapgs(), IntLixStackTraceGet(), IntLixTaskActivateProtection(), IntLixTaskChangeProtectionFlags(), IntLixTaskCreate(), IntLixTaskCreateFromBinprm(), 
IntLixTaskCreateInitTask(), IntLixTaskDeactivateProtection(), IntLixTaskDestroy(), IntLixTaskGuestTerminating(), IntLixTaskHandleExec(), IntLixTaskHandleVmRw(), IntLixTaskIsUserStackPivoted(), IntLixTaskPathGetByDentry(), IntLixTaskRemoveProtected(), IntLixTaskSendBlockedEvent(), IntLixVdsoHandleKernelModeWrite(), IntLixVdsoHandleUserModeWrite(), IntLixVdsoHandleWriteCommon(), IntLixVmaChangeProtection(), IntLixVmaDestroy(), IntLixVmaHandlePageExecution(), IntLixVmaProtect(), IntLogCriticalStructureCoruption(), IntMatchPatternUtf8(), IntMemClkDump(), IntMemClkHandleRead(), IntMemClkIsPtrInCloak(), IntMemClkUnInit(), IntMsrSyscallProtect(), IntMtblCheckAccess(), IntMtblInsRelocated(), IntMtblIsPtrInReloc(), IntMtblPatchInstruction(), IntNetAddrToStr(), IntNotifyGuestPowerStateChange(), IntPatternMatch(), IntPeFindExportByName(), IntPeFindExportByRva(), IntPeFindFunctionByPattern(), IntPeFindFunctionByPatternInBuffer(), IntPeFindFunctionStart(), IntPeFindFunctionStartInBuffer(), IntPeGetDirectory(), IntPeGetExportNameByRva(), IntPeGetRuntimeFunction(), IntPeGetRuntimeFunctionInBuffer(), IntPeGetSectionHeaderByRva(), IntPeGetSectionHeadersByName(), IntPeParseUnwindData(), IntPeParseUnwindDataInBuffer(), IntPeValidateHeader(), IntPeValidateOptionalHeader(), IntPhysicalMemWrite(), IntPhysicalMemWriteAnySize(), IntPolicyCoreForceBetaIfNeeded(), IntPolicyCoreIsOptionBeta(), IntPolicyCoreTakeAction(), IntPolicyProcForceBetaIfNeeded(), IntPolicyProcTakeAction(), IntPtiCompleteLoader(), IntPtiDeliverDriverForLoad(), IntPtiDeliverDriverForUnload(), IntPtiEnableFiltering(), IntPtiInjectPtFilter(), IntPtiMonitorAllPtWriteCandidates(), IntPtiRemovePtFilter(), IntReadString(), IntRtlpVirtualUnwindCheckAccess(), IntSerializeStringIsWcharAscii(), IntSerializeValidObjectSize(), IntSetValueForOperand(), IntSlackAllocWindows(), IntStackAnalyzePointer(), IntSwapgsIsPtrInHandler(), IntSwapgsStartMitigation(), IntSwapMemCancelPendingPF(), IntSwapMemInit(), IntSwapMemInjectPendingPF(), 
IntSwapMemPageSwappedIn(), IntSwapMemReadData(), IntSwapMemReinjectFailedPF(), IntThrSafeCheckThreads(), IntThrSafeIsLiveRIPInIntro(), IntThrSafeIsStackPtrInIntro(), IntThrSafeWinInspectRunningThreadOnCpu(), IntTranslateVa32Pae(), IntTranslateVa64(), IntTranslateVa64La57(), IntTranslateVirtualAddressEx(), IntUpdateAddExceptionFromAlert(), IntUpdateCreateCbSignatureFromAlert(), IntUpdateCreateExportSignatureFromAlert(), IntUpdateCreateIdtSignatureFromAlert(), IntUpdateCreateProcessCreationSignatureFromAlert(), IntUpdateIsDuplicateCbSignature(), IntUpdateIsDuplicateExportSignature(), IntUpdateIsDuplicateIdtSignature(), IntUpdateIsDuplicateKernelException(), IntUpdateIsDuplicateKernelUserException(), IntUpdateIsDuplicateUserException(), IntUpdateIsValidEntry(), IntUpdateLoadExceptions(), IntValidatePageRightsEx(), IntValidateTranslation(), IntVasInit(), IntVeCompleteLoader(), IntVeDeliverDriverForLoad(), IntVeDeployAgent(), IntVeFindKernelKvaShadowAndKernelExit(), IntVeHandleAccess(), IntVeHandleEPTViolationInProtectedView(), IntVeInit(), IntVeIsAgentRemapped(), IntVeRemoveAgent(), IntVeUpdateCacheEntry(), IntVirtMemUnmapMultiPage(), IntVirtMemWrite(), IntWinAgentCheckIfProcessAgentAndDecrement(), IntWinAgentCheckIfProcessAgentAndIncrement(), IntWinAgentEnableInjection(), IntWinAgentFindInstruction(), IntWinAgentFindPropperSyscall(), IntWinAgentFindSyscallLinkage(), IntWinAgentHandleBreakpointAgent(), IntWinAgentHandleDriverVmcall(), IntWinAgentHandleLoader1Hypercall(), IntWinAgentInit(), IntWinAgentInject(), IntWinAgentInjectBreakpoint(), IntWinAgentIsPtrInTrampoline(), IntWinAgentIsRipInsideCurrentAgent(), IntWinAgentRemove(), IntWinAgentSelectBootstrapAddress(), IntWinApiHook(), IntWinApiHookAll(), IntWinApiHookVeHandler(), IntWinBcHandleBugCheck(), IntWinCrashHandleDepViolation(), IntWinDagentCheckNativeSubsystem(), IntWinDagentCheckSuspiciousDllLoad(), IntWinDagentHandleDoubleAgent(), IntWinDagentHandleSuspModHeaders(), IntWinDagentHandleVerifierReason(), 
IntWinDagentIsInitialDll(), IntWinDepInjectProcess(), IntWinDpiIsDpiWhiteListed(), IntWinDpiSendProcessCreationViolation(), IntWinDpiValidateHeapSpray(), IntWinDpiValidateParentAclEdit(), IntWinDpiValidateParentProcessToken(), IntWinDpiValidateParentSecDesc(), IntWinDpiValidatePivotedStack(), IntWinDpiValidateThreadStart(), IntWinDpiValidateTokenPrivs(), IntWinDrvCreateFromAddress(), IntWinDrvHandleRead(), IntWinDrvHandleWrite(), IntWinDrvHeadersInMemory(), IntWinDrvIsListHead(), IntWinDrvObjHandleModification(), IntWinDrvObjHandleWrite(), IntWinDrvObjIsValidDriverObject(), IntWinDrvObjProtect(), IntWinDrvObjProtectFastIoDispatch(), IntWinDrvObjRemoveFromAddress(), IntWinDrvObjSendEptAlert(), IntWinDrvProtect(), IntWinDrvSendAlert(), IntWinGetProcCmdLineHandleBufferInMemory(), IntWinGuestActivateProtection(), IntWinGuestFindBuildNumber(), IntWinGuestFindDriversNamespace(), IntWinGuestFindDriversNamespaceNoBuffer(), IntWinGuestFindIdleCr3(), IntWinGuestFindKernel(), IntWinGuestFindKernelCr3(), IntWinGuestFindSelfMapIndex(), IntWinGuestFinishInit(), IntWinGuestInit(), IntWinGuestIsSupported(), IntWinGuestIsSystemCr3(), IntWinGuestKernelHeadersInMemory(), IntWinGuestNew(), IntWinGuestReadKernel(), IntWinGuestValidateKernel(), IntWinHalHandleHalHeapExec(), IntWinHalHandleHalIntCtrlWrite(), IntWinHalHandlePerfCounterModification(), IntWinHalIsHalPerf(), IntWinHalIsIntController(), IntWinHalProtectHalDispatchTable(), IntWinHalProtectHalPerfCounter(), IntWinHalReadHal(), IntWinHalSendAlert(), IntWinIdtHandleModification(), IntWinIdtProtectOnCpuIntegrity(), IntWinIdtWriteHandler(), IntWinInfHookEptSppHandleWrite(), IntWinInfHookEptSppSendAlert(), IntWinInfHookGetCircularCtxLogger(), IntWinInfHookGetEtwpDebuggerData(), IntWinInfHookIntegrityHandleWrite(), IntWinInfHookProtect(), IntWinInfHookSiloWmiPtrIntegrityCallback(), IntWinIntObjHandleArrayModification(), IntWinIntObjProtect(), IntWinIsUmTrapFrame(), IntWinModBlockHandleExecution(), 
IntWinModBlockRegisterCallbackForReason(), IntWinModCacheFixNamePointers(), IntWinModCheckSpecialCases(), IntWinModFillDriverInjectionData(), IntWinModFillProcessInjectionData(), IntWinModHandleExportsInMemory(), IntWinModHandleKernelWrite(), IntWinModHandleLoadFromVad(), IntWinModHandleMainModuleInMemory(), IntWinModHandleModulePathInMemory(), IntWinModHandleUserWrite(), IntWinModHookModule(), IntWinModIsKernelWriteInjection(), IntWinModIsProtected(), IntWinModPolyHandler(), IntWinModulesChangeProtectionFlags(), IntWinModWriteValidHandler(), IntWinMsrHandleWrite(), IntWinMsrSendAlert(), IntWinNetFillTcpStruct(), IntWinNetFindTcpBitmap(), IntWinNetFindTcpPartition(), IntWinNetGetPortsAndState(), IntWinNetGetTcpEndpoint(), IntWinNetGetTcpListener(), IntWinObjCheckDrvDirSearchState(), IntWinObjHandleDriverDirectoryEntryInMemory(), IntWinObjHandleRootDirTagInMemory(), IntWinObjIsRootSearchOver(), IntWinObjIsTypeObject(), IntWinPfnHandleTranslationChange(), IntWinPfnLockAddress(), IntWinPfnLockGpa(), IntWinPfnModifyRefCount(), IntWinPfnMoveLock(), IntWinPfnUnInit(), IntWinPowHandleHibernateEvent(), IntWinPreProcessException(), IntWinProcAdd(), IntWinProcChangeProtectionFlags(), IntWinProcCreateProcessObject(), IntWinProcDeleteProcessObject(), IntWinProcEnforceProcessDep(), IntWinProcExistsProtectedProcess(), IntWinProcHandleCopyMemory(), IntWinProcHandleCreateInternal(), IntWinProcHandleInstrument(), IntWinProcHandleReadFromLsass(), IntWinProcIsEnoughHeapAvailable(), IntWinProcIsFullPath(), IntWinProcLockCr3(), IntWinProcMarkAsSystemProcess(), IntWinProcSendAllDllEventsForSubsystem(), IntWinProcSendDllEvent(), IntWinProcSendProcessEvent(), IntWinProcSwapIn(), IntWinProcSwapOut(), IntWinProcUninit(), IntWinProcUpdateProtectedProcess(), IntWinProcUpdateProtection(), IntWinReadToken(), IntWinSDCheckAclIntegrity(), IntWinSDCheckSecDescIntegrity(), IntWinSDDumpSecDesc(), IntWinSDFetchSecDescValues(), IntWinSDIsAceInsideAcl(), IntWinSDIsAceInsideBuffer(), 
IntWinSDIsAclEdited(), IntWinSDIsSecDescPtrAltered(), IntWinSelfMapHandleCr3SelfMapWrite(), IntWinStackHandleUserStackPagedOut(), IntWinStackTraceGet32(), IntWinStackTraceGet64(), IntWinStackTraceGetUser(), IntWinStackTraceGetUser32(), IntWinStackUserCheckIsPivoted(), IntWinStackUserTrapFrameGet64(), IntWinStackWow64CheckIsPivoted(), IntWinSudCheckIntegrity(), IntWinSudFetchFieldCurrentValue(), IntWinSudHandleFieldModification(), IntWinSudHandleKernelSudExec(), IntWinSudHandleUserSudExec(), IntWinSudProtectIntegrity(), IntWinSudSendSudExecAlert(), IntWinThrHandleQueueApc(), IntWinThrHandleThreadHijack(), IntWinTokenCheckCurrentPrivileges(), IntWinTokenFetchTokenAddress(), IntWinTokenPrivsCheckIntegrityOnProcess(), IntWinTokenPrivsHandleWrite(), IntWinTokenPrivsProtectOnProcess(), IntWinTokenPrivsSendEptAlert(), IntWinTokenPrivsShouldHook(), IntWinTokenPtrIsStolen(), IntWinUmCheckInitializationInjection(), IntWinUmModMustCacheExports(), IntWinVadCreateObject(), IntWinVadDump(), IntWinVadFetchByRange(), IntWinVadFindNodeInGuestSpace(), IntWinVadHandleInsertGeneric(), IntWinVadHandlePageExecution(), IntWinVadHandleProtectGeneric(), IntWinVadIsExecSuspicious(), IntWinVadIsInTree(), IntWinVadProcImportMainModuleVad(), IntWinVadRemoveRanges(), IntWinVadStaticInsertNodeIntoProcess(), IsInitializationDone(), IsPeb32Write(), IsPeb64Write(), IsSse42Supported(), ShouldIgnoreInjection(), and UtilSortQwords().
#define VICTIM_CIRCULAR_KERNEL_CTX_LOGGER u"Circular Kernel Context Logger"
Printable name used for introObjectTypeKmLoggerContext objects.
Definition at line 751 of file intro_types.h.
Referenced by IntWinInfHookIntegritySendAlert().
#define VICTIM_DRIVER_OBJECT u"Driver Object"
Printable name used for introObjectTypeDriverObject objects.
Definition at line 745 of file intro_types.h.
Referenced by IntWinDrvObjSendIntegrityAlert().
#define VICTIM_HAL_DISPATCH_TABLE u"HalDispatchTable"
Printable name used for introObjectTypeHalDispatchTable objects.
Definition at line 747 of file intro_types.h.
Referenced by IntWinHalHandleDispatchTableWrite().
#define VICTIM_HAL_PERFORMANCE_COUNTER u"HalPerformanceCounter"
Printable name used for introObjectTypeHalPerfCounter objects.
Definition at line 757 of file intro_types.h.
Referenced by IntWinHalSendPerfCntIntegrityAlert().
#define VICTIM_IDT u"IDT"
Printable name used for introObjectTypeIdt objects.
Definition at line 749 of file intro_types.h.
Referenced by IntWinIdtSendIntegrityAlert().
#define VICTIM_INTERRUPT_OBJECT u"Interrupt Object"
Printable name used for introObjectTypeInterruptObject objects.
Definition at line 763 of file intro_types.h.
Referenced by IntWinIntObjSendIntegrityAlert().
#define VICTIM_PROCESS_ACL u"Access Control List"
Printable name used for introObjectTypeAcl objects.
Definition at line 761 of file intro_types.h.
Referenced by IntWinSDSendAclIntegrityViolation().
#define VICTIM_PROCESS_CREDENTIALS u"Process Credentials"
Printable name used for introObjectTypeCreds objects.
Definition at line 743 of file intro_types.h.
Referenced by IntLixTaskSendCredViolationEvent().
#define VICTIM_PROCESS_SECURITY_DESCRIPTOR u"Security Descriptor"
Printable name used for introObjectTypeSecDesc objects.
Definition at line 759 of file intro_types.h.
Referenced by IntWinSDSendSecDescIntViolation().
#define VICTIM_PROCESS_TOKEN u"Process Token"
Printable name used for introObjectTypeTokenPtr objects.
Definition at line 753 of file intro_types.h.
Referenced by IntWinTokenPtrCheckIntegrityOnProcess().
#define VICTIM_TOKEN_PRIVILEGES u"Token privileges"
Printable name used for introObjectTypeTokenPrivs objects.
Definition at line 755 of file intro_types.h.
Referenced by IntWinTokenPrivsSendIntegrityAlert().
typedef struct _AGENT_LGT_EVENT AGENT_LGT_EVENT
Describes an event sent by the log gathering tool.
These will contain raw log lines.
typedef struct _AGENT_LGT_EVENT_HEADER AGENT_LGT_EVENT_HEADER
Common header for all log gathering tool events.
Events of this type are sent when the log gathering tool has been injected and started inside the guest and is executing intro calls (VMCALLs), reporting back to Introcore.
typedef struct _AGENT_REM_EVENT AGENT_REM_EVENT
A remediation tool event.
Events of this type are sent when the remediation tool has been injected and started inside the guest and is executing intro calls (VMCALLs), reporting back to Introcore.
typedef struct _AGENT_REM_EVENT_HEADER AGENT_REM_EVENT_HEADER
Common header for all remediation tool events.
typedef _Bool BOOLEAN
Definition at line 58 of file intro_types.h.
typedef uint8_t BYTE
Definition at line 47 of file intro_types.h.
typedef char CHAR
Definition at line 56 of file intro_types.h.
typedef uint32_t DWORD
Definition at line 49 of file intro_types.h.
typedef struct _ENG_NOTIFICATION_CMD_LINE ENG_NOTIFICATION_CMD_LINE
Command line notification for scan engines.
typedef struct _ENG_NOTIFICATION_CODE_EXEC ENG_NOTIFICATION_CODE_EXEC
Execution notification for scan engines.
typedef struct _ENG_NOTIFICATION_HEADER ENG_NOTIFICATION_HEADER
Notification header for scan engine alerts.
typedef struct _EVENT_AGENT_EVENT EVENT_AGENT_EVENT
Event structure for agent injection and termination.
typedef struct _EVENT_CONNECTION_EVENT EVENT_CONNECTION_EVENT
Event structure for connections.
Available only if Introcore received the INTRO_OPT_EVENT_CONNECTIONS activation flag. If a process is protected with the PROC_OPT_PROT_EXPLOIT flag and an exploit attempt is detected, then when the exploit alert is sent, one event of this type will be sent for every connection that the process has open.
typedef struct _EVENT_CR_VIOLATION EVENT_CR_VIOLATION
Event structure for CR violations.
typedef struct _EVENT_CRASH_EVENT EVENT_CRASH_EVENT
Event structure for guest OS crashes.
typedef struct _EVENT_DTR_VIOLATION EVENT_DTR_VIOLATION
Event structure for GDTR/IDTR descriptor table modifications.
typedef struct _EVENT_ENGINES_DETECTION_VIOLATION EVENT_ENGINES_DETECTION_VIOLATION
Event structure for detections provided by additional scan engines.
typedef struct _EVENT_EPT_VIOLATION EVENT_EPT_VIOLATION
Event structure for EPT violations.
This event can describe multiple memory access violations: read, write, and execute.
typedef struct _EVENT_EXCEPTION_EVENT EVENT_EXCEPTION_EVENT
Event structure for process exceptions.
This is usually sent when a hardware exception is triggered during the runtime of a user mode process.
typedef struct _EVENT_INTEGRITY_VIOLATION EVENT_INTEGRITY_VIOLATION
Event structure for integrity violations on monitored structures.
These events are triggered by the integrity check mechanism, which is invoked on the timer event, so Introcore may not always be able to block them. For the same reason, the information needed for the alert may no longer be present in guest memory by the time Introcore detects the violation.
typedef struct _EVENT_INTROSPECTION_MESSAGE EVENT_INTROSPECTION_MESSAGE
Event structure for plain data/message passing.
typedef struct _EVENT_MEMCOPY_VIOLATION EVENT_MEMCOPY_VIOLATION
Memory access violations that cross a process boundary.
Represents an attempt to write or read the memory of another process, or to hijack the execution flow of
typedef struct _EVENT_MODULE_EVENT EVENT_MODULE_EVENT
Event structure for module loading and unloading.
User mode events are sent only when an alert is sent for a process, due to performance concerns. Sending one event for each user mode module load and unload as it happens may severely impact the guest.
typedef struct _EVENT_MODULE_LOAD_VIOLATION EVENT_MODULE_LOAD_VIOLATION
Event structure for suspicious module loads into processes.
typedef struct _EVENT_MSR_VIOLATION EVENT_MSR_VIOLATION
Event structure for MSR violations.
typedef struct _EVENT_PROCESS_CREATION_VIOLATION EVENT_PROCESS_CREATION_VIOLATION
Event structure for process creation violation events.
typedef struct _EVENT_PROCESS_EVENT EVENT_PROCESS_EVENT
Event structure for process creation/termination.
This is an informational event, not an alert.
typedef struct _EVENT_TRANSLATION_VIOLATION EVENT_TRANSLATION_VIOLATION
Event structure for illegal paging-structure modifications.
typedef struct _EVENT_XCR_VIOLATION EVENT_XCR_VIOLATION
Event structure for XCR violations.
typedef struct _GUEST_INFO GUEST_INFO
Guest information.
typedef int16_t INT16
Definition at line 43 of file intro_types.h.
typedef int32_t INT32
Definition at line 44 of file intro_types.h.
typedef long long INT64
Definition at line 45 of file intro_types.h.
typedef int8_t INT8
Definition at line 42 of file intro_types.h.
typedef union _INT_VERSION_INFO INT_VERSION_INFO
Introspection version info.
typedef struct _INTRO_ACL INTRO_ACL
Windows process access control list (SACL/DACL).
typedef enum _INTRO_ACTION INTRO_ACTION
Event actions.
Priority of the action increases as its value increases (introGuestAllowed has the lowest priority, while introGuestRetry has the highest priority).
typedef enum _INTRO_ACTION_REASON INTRO_ACTION_REASON
The reason for which an INTRO_ACTION was taken.
typedef struct _INTRO_ALERT_EXCEPTION_HEADER INTRO_ALERT_EXCEPTION_HEADER
The common header used by exception information.
This is used internally by Introcore in order to facilitate the add-exception-from-alert mechanism used by GLUE_IFACE.AddExceptionFromAlert.
typedef struct _INTRO_CODEBLOCKS INTRO_CODEBLOCKS
Holds code block pattern information.
This is used by the exception mechanism as a signature for the code that generated an alert. The patterns are extracted from the memory area around the instruction that generated the alert. Since certain operations that fill the fields in this structure may fail, the Valid field should be checked before using any information present in the structure.
typedef struct _INTRO_CPUCTX INTRO_CPUCTX
Holds the CPU context for an event.
Since certain operations that fill the fields in this structure may fail, the Valid field should be checked before using any information present in the structure.
typedef union _INTRO_DPI_EXTRA_INFO INTRO_DPI_EXTRA_INFO
Structure for keeping the relevant DPI violation information.
typedef struct _INTRO_DRVOBJ INTRO_DRVOBJ
Describes a driver object.
Since certain operations that fill the fields in this structure may fail, the Valid field should be checked before using any information present in the structure. This is available only for Windows guests.
typedef enum _INTRO_ENG_NOTIFICATION_TYPE INTRO_ENG_NOTIF_TYPE
Scan engine alert types.
typedef union _INTRO_ERROR_CONTEXT INTRO_ERROR_CONTEXT
The context of an error state.
This is optionally supplied to GLUE_IFACE.NotifyIntrospectionErrorState calls for certain error classes.
typedef enum _INTRO_EVENT_TYPE INTRO_EVENT_TYPE
Event classes.
typedef struct _INTRO_EXEC_CONTEXT INTRO_EXEC_CONTEXT
Holds the context in which an execution attempt was detected.
typedef struct _INTRO_EXEC_DATA INTRO_EXEC_DATA
Holds the data related to an execution attempt.
typedef struct _INTRO_EXEC_INFO INTRO_EXEC_INFO
Holds information about an execution attempt.
typedef struct _INTRO_GPRS INTRO_GPRS
Holds register state information.
typedef struct _INTRO_MODULE INTRO_MODULE
Describes a user-mode or kernel-mode module.
Since certain operations that fill the fields in this structure may fail, the Valid field should be checked before using any information present in the structure.
typedef enum _INTRO_NET_AF INTRO_NET_AF
Address family.
typedef enum _INTRO_NET_STATE INTRO_NET_STATE
Connection states.
typedef enum _INTRO_OBJECT_TYPE INTRO_OBJECT_TYPE
The type of the object protected by an EPT hook.
typedef struct _INTRO_PROCESS INTRO_PROCESS
Describes a guest process.
Since certain operations that fill the fields in this structure may fail, the Valid field should be checked before using any information present in the structure.
typedef struct _INTRO_READ_INFO INTRO_READ_INFO
Holds information about a memory read attempt.
typedef struct _INTRO_SEC_DESC_INFO INTRO_SEC_DESC_INFO
Holds information about a security descriptor write attempt.
typedef struct _INTRO_SID_ATTRIBUTES INTRO_SID_ATTRIBUTES
Windows SID attributes.
typedef union _INTRO_TOKEN INTRO_TOKEN
Contains privileges and security identifier information.
typedef struct _INTRO_TOKEN_PRIVILEGES INTRO_TOKEN_PRIVILEGES
Windows process token privileges.
Each field is a bitmap.
typedef struct _INTRO_VERSION_INFO INTRO_VERSION_INFO
Holds version information for Introcore and the currently loaded exceptions and CAMI files.
typedef struct _INTRO_VIOLATION_HEADER INTRO_VIOLATION_HEADER
Common violation header.
typedef struct _INTRO_WIN_SID INTRO_WIN_SID
A security identifier.
See https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-sid
typedef struct _INTRO_WIN_TOKEN INTRO_WIN_TOKEN
A Windows token structure as reported by Introcore alerts.
typedef struct _INTRO_WRITE_INFO INTRO_WRITE_INFO
Holds information about a memory write attempt.
typedef enum _MEMCOPY_VIOLATION_TYPE MEMCOPY_VIOLATION_TYPE
The type of a memory copy violation.
Mitre attack techniques.
This is the Mitre ATT&CK technique ID, as defined at https://attack.mitre.org/techniques/enterprise/
typedef struct _AGENT_LGT_EVENT * PAGENT_LGT_EVENT
typedef struct _AGENT_LGT_EVENT_HEADER * PAGENT_LGT_EVENT_HEADER
typedef struct _AGENT_REM_EVENT * PAGENT_REM_EVENT
typedef struct _AGENT_REM_EVENT_HEADER * PAGENT_REM_EVENT_HEADER
typedef uint8_t * PBYTE
Definition at line 47 of file intro_types.h.
typedef char * PCHAR
Definition at line 56 of file intro_types.h.
typedef uint32_t * PDWORD
Definition at line 49 of file intro_types.h.
typedef struct _ENG_NOTIFICATION_CMD_LINE * PENG_NOTIFICATION_CMD_LINE
typedef struct _ENG_NOTIFICATION_CODE_EXEC * PENG_NOTIFICATION_CODE_EXEC
typedef struct _ENG_NOTIFICATION_HEADER * PENG_NOTIFICATION_HEADER
typedef struct _EVENT_AGENT_EVENT * PEVENT_AGENT_EVENT
typedef struct _EVENT_CONNECTION_EVENT * PEVENT_CONNECTION_EVENT
typedef struct _EVENT_CR_VIOLATION * PEVENT_CR_VIOLATION
typedef struct _EVENT_CRASH_EVENT * PEVENT_CRASH_EVENT
typedef struct _EVENT_DTR_VIOLATION * PEVENT_DTR_VIOLATION
typedef struct _EVENT_ENGINES_DETECTION_VIOLATION * PEVENT_ENGINES_DETECTION_VIOLATION
typedef struct _EVENT_EPT_VIOLATION * PEVENT_EPT_VIOLATION
typedef struct _EVENT_EXCEPTION_EVENT * PEVENT_EXCEPTION_EVENT
typedef struct _EVENT_INTEGRITY_VIOLATION * PEVENT_INTEGRITY_VIOLATION
typedef struct _EVENT_INTROSPECTION_MESSAGE * PEVENT_INTROSPECTION_MESSAGE
typedef struct _EVENT_MEMCOPY_VIOLATION * PEVENT_MEMCOPY_VIOLATION
typedef struct _EVENT_MODULE_EVENT * PEVENT_MODULE_EVENT
typedef struct _EVENT_MODULE_LOAD_VIOLATION * PEVENT_MODULE_LOAD_VIOLATION
typedef struct _EVENT_MSR_VIOLATION * PEVENT_MSR_VIOLATION
typedef struct _EVENT_PROCESS_CREATION_VIOLATION * PEVENT_PROCESS_CREATION_VIOLATION
typedef struct _EVENT_PROCESS_EVENT * PEVENT_PROCESS_EVENT
typedef struct _EVENT_TRANSLATION_VIOLATION * PEVENT_TRANSLATION_VIOLATION
typedef struct _EVENT_XCR_VIOLATION * PEVENT_XCR_VIOLATION
typedef struct _GUEST_INFO * PGUEST_INFO
typedef int16_t * PINT16
Definition at line 43 of file intro_types.h.
typedef int32_t * PINT32
Definition at line 44 of file intro_types.h.
typedef long long * PINT64
Definition at line 45 of file intro_types.h.
typedef int8_t * PINT8
Definition at line 42 of file intro_types.h.
typedef union _INT_VERSION_INFO * PINT_VERSION_INFO
typedef struct _INTRO_ACL * PINTRO_ACL
typedef struct _INTRO_CODEBLOCKS * PINTRO_CODEBLOCKS
typedef struct _INTRO_CPUCTX * PINTRO_CPUCTX
typedef union _INTRO_DPI_EXTRA_INFO * PINTRO_DPI_EXTRA_INFO
typedef struct _INTRO_DRVOBJ * PINTRO_DRVOBJ
typedef union _INTRO_ERROR_CONTEXT * PINTRO_ERROR_CONTEXT
typedef struct _INTRO_EXEC_CONTEXT * PINTRO_EXEC_CONTEXT
typedef struct _INTRO_EXEC_DATA * PINTRO_EXEC_DATA
typedef struct _INTRO_EXEC_INFO * PINTRO_EXEC_INFO
typedef struct _INTRO_GPRS * PINTRO_GPRS
typedef struct _INTRO_MODULE * PINTRO_MODULE
typedef struct _INTRO_PROCESS * PINTRO_PROCESS
typedef struct _INTRO_READ_INFO * PINTRO_READ_INFO
typedef struct _INTRO_SEC_DESC_INFO * PINTRO_SEC_DESC_INFO
typedef struct _INTRO_SID_ATTRIBUTES * PINTRO_SID_ATTRIBUTES
typedef union _INTRO_TOKEN * PINTRO_TOKEN
typedef struct _INTRO_TOKEN_PRIVILEGES * PINTRO_TOKEN_PRIVILEGES
typedef struct _INTRO_VERSION_INFO * PINTRO_VERSION_INFO
typedef struct _INTRO_VIOLATION_HEADER * PINTRO_VIOLATION_HEADER
typedef struct _INTRO_WIN_SID * PINTRO_WIN_SID
typedef struct _INTRO_WIN_TOKEN * PINTRO_WIN_TOKEN
typedef struct _INTRO_WRITE_INFO * PINTRO_WRITE_INFO
typedef unsigned long long * PQWORD
Definition at line 53 of file intro_types.h.
typedef unsigned char * PUCHAR
Definition at line 55 of file intro_types.h.
typedef uint16_t * PUINT16
Definition at line 38 of file intro_types.h.
typedef uint32_t * PUINT32
Definition at line 39 of file intro_types.h.
typedef unsigned long long * PUINT64
Definition at line 40 of file intro_types.h.
typedef uint8_t * PUINT8
Definition at line 37 of file intro_types.h.
typedef uint16_t * PWCHAR
Definition at line 63 of file intro_types.h.
typedef uint16_t * PWORD
Definition at line 48 of file intro_types.h.
typedef unsigned long long QWORD
Definition at line 53 of file intro_types.h.
typedef size_t SIZE_T
Definition at line 60 of file intro_types.h.
typedef enum _TRANS_VIOLATION_TYPE TRANS_VIOLATION_TYPE
Translation violation types.
typedef unsigned char UCHAR
Definition at line 55 of file intro_types.h.
typedef uint16_t UINT16
Definition at line 38 of file intro_types.h.
typedef uint32_t UINT32
Definition at line 39 of file intro_types.h.
typedef unsigned long long UINT64
Definition at line 40 of file intro_types.h.
typedef uint8_t UINT8
Definition at line 37 of file intro_types.h.
typedef uint16_t WCHAR
Definition at line 63 of file intro_types.h.
typedef uint16_t WORD
Definition at line 48 of file intro_types.h.
enum _INTRO_ACTION
Event actions.
Priority of the action increases as its value increases (introGuestAllowed has the lowest priority, while introGuestRetry has the highest priority).
Definition at line 145 of file intro_types.h.
enum _INTRO_ACTION_REASON
The reason for which an INTRO_ACTION was taken.
Definition at line 180 of file intro_types.h.
enum _INTRO_ENG_NOTIFICATION_TYPE
Scan engine alert types.
Enumerator | Description
---|---
introEngineNotificationCodeExecution | Execution attempt result. The result is of type ENG_NOTIFICATION_CODE_EXEC.
introEngineNotificationCmdLine | Command line scan results. The result is of type ENG_NOTIFICATION_CMD_LINE.
Definition at line 126 of file intro_types.h.
enum _INTRO_EVENT_TYPE
Event classes.
Enumerator | Description
---|---
introEventEptViolation | Sent when an EPT violation triggers an alert. See EVENT_EPT_VIOLATION.
introEventMsrViolation | Sent when an MSR violation triggers an alert. See EVENT_MSR_VIOLATION.
introEventCrViolation | Sent when a CR violation triggers an alert. See EVENT_CR_VIOLATION.
introEventXcrViolation | Sent when an XCR violation triggers an alert. See EVENT_XCR_VIOLATION.
introEventIntegrityViolation | Sent for integrity violation alerts. See EVENT_INTEGRITY_VIOLATION.
introEventTranslationViolation | Sent for virtual address translation alerts. See EVENT_TRANSLATION_VIOLATION.
introEventInjectionViolation | Sent for code/data injection alerts. See EVENT_MEMCOPY_VIOLATION.
introEventDtrViolation | Sent when a DTR violation triggers an alert. See EVENT_DTR_VIOLATION.
introEventMessage | Plain text message sent from Introcore to the integrator. See EVENT_INTROSPECTION_MESSAGE.
introEventProcessEvent | Informational event sent when a process is created or terminated by the guest. See EVENT_PROCESS_EVENT.
introEventAgentEvent | Informational event sent when the remediation tool is injected or terminated. See EVENT_AGENT_EVENT.
introEventModuleEvent | Informational event sent when a kernel module is loaded or when a module is loaded inside a protected process. See EVENT_MODULE_EVENT.
introEventCrashEvent | Informational event sent when the guest crashes. See EVENT_CRASH_EVENT.
introEventExceptionEvent | Informational event sent when a hardware exception is triggered by a guest process. See EVENT_EXCEPTION_EVENT.
introEventConnectionEvent | Informational event containing the connections opened by a process. See EVENT_CONNECTION_EVENT.
introEventProcessCreationViolation | Sent for unauthorized process creation alerts. See EVENT_PROCESS_CREATION_VIOLATION.
introEventModuleLoadViolation | Sent for suspicious module load alerts. See EVENT_MODULE_LOAD_VIOLATION.
introEventEnginesDetectionViolation | Sent for third-party engine detections. See EVENT_ENGINES_DETECTION_VIOLATION.
Definition at line 81 of file intro_types.h.
enum _INTRO_NET_AF
Address family.
Enumerator | Description
---|---
introNetAfIpv4 | IPv4.
introNetAfIpv6 | IPv6.
introNetAfUnknown | Unknown.
Definition at line 298 of file intro_types.h.
enum _INTRO_NET_STATE
Connection states.
Definition at line 310 of file intro_types.h.
enum _INTRO_OBJECT_TYPE
The type of the object protected by an EPT hook.
Definition at line 231 of file intro_types.h.
enum _MEMCOPY_VIOLATION_TYPE
The type of a memory copy violation.
Definition at line 1408 of file intro_types.h.
enum _MITRE_ID
Mitre attack techniques.
This is the Mitre ATT&CK technique ID, as defined at https://attack.mitre.org/techniques/enterprise/
Definition at line 1141 of file intro_types.h.
enum _TRANS_VIOLATION_TYPE
Translation violation types.
Definition at line 1526 of file intro_types.h.
enum AGENT_EVENT_TYPE
The state of an agent.
Definition at line 2097 of file intro_types.h.
enum AGENT_LGT_EVENT_TYPE
Log gathering tool events.
Enumerator | Description
---|---
lgtEventNone | No event.
lgtEventError | Error event.
lgtEventData | Data gather event.
Definition at line 2238 of file intro_types.h.
enum AGENT_REM_EVENT_TYPE
Remediation tool event types.
Definition at line 2133 of file intro_types.h.
enum INTRO_DEP_AG_TAGS
Deployable agent tags.
Definition at line 2312 of file intro_types.h.
EPT access types.
Enumerator | Description
---|---
INTRO_EPT_NONE | No access.
INTRO_EPT_READ | Read access.
INTRO_EPT_WRITE | Write access.
INTRO_EPT_EXECUTE | Execute access.
Definition at line 768 of file intro_types.h.
enum INTRO_ERROR_STATE
Error states.
These are reported by GLUE_IFACE.NotifyIntrospectionErrorState.
Definition at line 2433 of file intro_types.h.
enum INTRO_GUEST_TYPE
The type of the introspected operating system.
Enumerator | Description
---|---
introGuestUnknown | Unknown.
introGuestWindows | Windows.
introGuestLinux | Linux.
Definition at line 2040 of file intro_types.h.
MSR access types.
Enumerator | Description
---|---
INTRO_MSR_READ | Read access.
INTRO_MSR_WRITE | Write access.
Definition at line 780 of file intro_types.h.
Process creation violation flags.
Definition at line 1651 of file intro_types.h.