17 #ifndef _INTRO_TYPES_H_ 18 #define _INTRO_TYPES_H_ 23 #ifndef INTROCORE_NOCOMPAT 62 #ifndef INT_COMPILER_MSVC 67 typedef int64_t ssize_t;
68 #endif // !INT_COMPILER_MSVC 70 #endif // !INTROCORE_NOCOMPAT 342 #define PROC_OPT_NONE 0x00000000 343 #define PROC_OPT_PROT_CORE_HOOKS 0x00000004 345 #define PROC_OPT_PROT_UNPACK 0x00000008 347 #define PROC_OPT_PROT_WRITE_MEM 0x00000010 349 #define PROC_OPT_PROT_WSOCK_HOOKS 0x00000020 351 #define PROC_OPT_PROT_EXPLOIT 0x00000040 353 #define PROC_OPT_PROT_SET_THREAD_CTX 0x00000080 355 #define PROC_OPT_PROT_PTRACE 0x00000080 357 #define PROC_OPT_PROT_QUEUE_APC 0x00000100 359 #define PROC_OPT_PROT_PREVENT_CHILD_CREATION 0x00000200 361 #define PROC_OPT_PROT_DOUBLE_AGENT 0x00000400 363 #define PROC_OPT_PROT_SCAN_CMD_LINE 0x00000800 365 #define PROC_OPT_PROT_INSTRUMENT 0x00001000 369 #define PROC_OPT_REMEDIATE 0x20000000 370 #define PROC_OPT_KILL_ON_EXPLOIT 0x40000000 375 #define PROC_OPT_BETA 0x80000000 379 #define PROC_OPT_PROT_INJECTION (PROC_OPT_PROT_WRITE_MEM |\ 380 PROC_OPT_PROT_SET_THREAD_CTX |\ 381 PROC_OPT_PROT_PTRACE |\ 382 PROC_OPT_PROT_QUEUE_APC |\ 383 PROC_OPT_PROT_DOUBLE_AGENT |\ 384 PROC_OPT_PROT_INSTRUMENT) 387 #define PROC_OPT_PROT_ALL (PROC_OPT_PROT_CORE_HOOKS |\ 388 PROC_OPT_PROT_INJECTION |\ 389 PROC_OPT_PROT_WSOCK_HOOKS |\ 390 PROC_OPT_PROT_EXPLOIT |\ 391 PROC_OPT_PROT_PREVENT_CHILD_CREATION |\ 392 PROC_OPT_PROT_SCAN_CMD_LINE |\ 393 PROC_OPT_KILL_ON_EXPLOIT) 408 #define INTRO_OPT_PROT_KM_NT 0x0000000000000001ull 409 #define INTRO_OPT_PROT_KM_LX 0x0000000000000001ull 410 #define INTRO_OPT_PROT_KM_HAL 0x0000000000000002ull 411 #define INTRO_OPT_PROT_KM_SSDT 0x0000000000000004ull 412 #define INTRO_OPT_PROT_KM_IDT 0x0000000000000008ull 413 #define INTRO_OPT_PROT_KM_HAL_DISP_TABLE 0x0000000000000010ull 415 #define INTRO_OPT_PROT_KM_SYSTEM_CR3 0x0000000000000020ull 416 #define INTRO_OPT_PROT_KM_TOKEN_PTR 0x0000000000000040ull 417 #define INTRO_OPT_PROT_KM_CREDS 0x0000000000000040ull 418 #define INTRO_OPT_PROT_KM_NT_DRIVERS 0x0000000000000080ull 420 #define INTRO_OPT_PROT_KM_LX_MODULES 0x0000000000000080ull 422 #define INTRO_OPT_PROT_KM_AV_DRIVERS 0x0000000000000100ull 423 #define INTRO_OPT_PROT_KM_XEN_DRIVERS 0x0000000000000200ull 424 #define INTRO_OPT_PROT_KM_DRVOBJ 0x0000000000000400ull 426 #define INTRO_OPT_PROT_KM_CR4 0x0000000000000800ull 427 #define INTRO_OPT_PROT_KM_MSR_SYSCALL 0x0000000000001000ull 428 #define INTRO_OPT_PROT_KM_IDTR 0x0000000000002000ull 430 #define INTRO_OPT_PROT_KM_HAL_HEAP_EXEC 0x0000000000004000ull 432 #define INTRO_OPT_PROT_KM_HAL_INT_CTRL 0x0000000000008000ull 435 #define INTRO_OPT_PROT_UM_MISC_PROCS 0x0000000000010000ull 436 #define INTRO_OPT_PROT_UM_SYS_PROCS 0x0000000000020000ull 438 #define INTRO_OPT_PROT_KM_SELF_MAP_ENTRY 0x0000000000040000ull 439 #define INTRO_OPT_PROT_KM_GDTR 0x0000000000080000ull 443 #define INTRO_OPT_EVENT_PROCESSES 0x0000000000100000ull 444 #define INTRO_OPT_EVENT_MODULES 0x0000000000200000ull 446 #define INTRO_OPT_EVENT_OS_CRASH 0x0000000000400000ull 448 #define INTRO_OPT_EVENT_PROCESS_CRASH 0x0000000000800000ull 451 #define INTRO_OPT_AGENT_INJECTION 0x0000000001000000ull 453 #define INTRO_OPT_FULL_PATH 0x0000000002000000ull 457 #define INTRO_OPT_KM_BETA_DETECTIONS 0x0000000004000000ull 458 #define INTRO_OPT_NOTIFY_ENGINES 0x0000000008000000ull 460 #define INTRO_OPT_IN_GUEST_PT_FILTER 0x0000000010000000ull 466 #define INTRO_OPT_BUGCHECK_CLEANUP 0x0000000020000000ull 467 #define INTRO_OPT_PANIC_CLEANUP 0x0000000020000000ull 471 #define INTRO_OPT_SYSPROC_BETA_DETECTIONS 0x0000000040000000ull 475 #define INTRO_OPT_VE 0x0000000080000000ull 482 #define INTRO_OPT_EVENT_CONNECTIONS 0x0000000100000000ull 485 #define INTRO_OPT_PROT_KM_LOGGER_CONTEXT 0x0000000200000000ull 488 #define INTRO_OPT_PROT_DPI_DEBUG 0x0000000400000000ull 489 #define INTRO_OPT_PROT_DPI_STACK_PIVOT 0x0000000800000000ull 491 #define INTRO_OPT_PROT_DPI_TOKEN_STEAL 0x0000001000000000ull 493 #define INTRO_OPT_PROT_DPI_HEAP_SPRAY 0x0000002000000000ull 497 #define INTRO_OPT_PROT_KM_NT_EAT_READS 0x0000004000000000ull 498 #define INTRO_OPT_PROT_KM_LX_TEXT_READS 0x0000008000000000ull 500 #define INTRO_OPT_PROT_KM_VDSO 0x0000010000000000ull 502 #define INTRO_OPT_PROT_KM_SWAPGS 0x0000020000000000ull 504 #define INTRO_OPT_PROT_KM_TOKEN_PRIVS 0x0000040000000000ull 506 #define INTRO_OPT_PROT_DPI_TOKEN_PRIVS 0x0000080000000000ull 508 #define INTRO_OPT_PROT_DPI_THREAD_SHELL 0x0000100000000000ull 515 #define INTRO_OPT_PROT_KM_SUD_EXEC 0x0000200000000000ull 519 #define INTRO_OPT_PROT_KM_HAL_PERF_CNT 0x0000400000000000ull 522 #define INTRO_OPT_PROT_KM_SD_ACL 0x0000800000000000ull 523 #define INTRO_OPT_PROT_DPI_SD_ACL 0x0001000000000000ull 528 #define INTRO_OPT_PROT_KM_SUD_INTEGRITY 0x0002000000000000ull 531 #define INTRO_OPT_PROT_KM_INTERRUPT_OBJ 0x0004000000000000ull 534 #define INTRO_OPT_PROT_DPI (INTRO_OPT_PROT_DPI_DEBUG | \ 535 INTRO_OPT_PROT_DPI_STACK_PIVOT | \ 536 INTRO_OPT_PROT_DPI_TOKEN_STEAL | \ 537 INTRO_OPT_PROT_DPI_HEAP_SPRAY | \ 538 INTRO_OPT_PROT_DPI_TOKEN_PRIVS | \ 539 INTRO_OPT_PROT_DPI_THREAD_SHELL | \ 540 INTRO_OPT_PROT_DPI_SD_ACL) 544 #define INTRO_OPT_ENABLE_KM_PROTECTION (INTRO_OPT_PROT_KM_NT | \ 545 INTRO_OPT_PROT_KM_LX | \ 546 INTRO_OPT_PROT_KM_HAL | \ 547 INTRO_OPT_PROT_KM_SSDT | \ 548 INTRO_OPT_PROT_KM_VDSO | \ 549 INTRO_OPT_PROT_KM_NT_DRIVERS | \ 550 INTRO_OPT_PROT_KM_LX_MODULES | \ 551 INTRO_OPT_PROT_KM_NT_EAT_READS | \ 552 INTRO_OPT_PROT_KM_DRVOBJ | \ 553 INTRO_OPT_PROT_KM_HAL_HEAP_EXEC | \ 554 INTRO_OPT_PROT_KM_HAL_INT_CTRL | \ 555 INTRO_OPT_PROT_KM_SELF_MAP_ENTRY| \ 556 INTRO_OPT_PROT_KM_SWAPGS | \ 557 INTRO_OPT_PROT_KM_SUD_EXEC | \ 558 INTRO_OPT_PROT_KM_HAL_PERF_CNT) 561 #define INTRO_OPT_ENABLE_UM_PROTECTION (INTRO_OPT_PROT_UM_MISC_PROCS | \ 562 INTRO_OPT_PROT_UM_SYS_PROCS | \ 566 #define INTRO_OPT_ENABLE_AV_PROTECTION (INTRO_OPT_PROT_KM_AV_DRIVERS) 569 #define INTRO_OPT_ENABLE_CR_PROTECTION (INTRO_OPT_PROT_KM_CR4) 572 #define INTRO_OPT_ENABLE_MSR_PROTECTION (INTRO_OPT_PROT_KM_MSR_SYSCALL) 575 #define INTRO_OPT_ENABLE_INTEGRITY_CHECKS (INTRO_OPT_PROT_KM_IDT | \ 576 INTRO_OPT_PROT_KM_HAL_DISP_TABLE | \ 577 INTRO_OPT_PROT_KM_SYSTEM_CR3 | \ 578 INTRO_OPT_PROT_KM_TOKEN_PTR | \ 579 INTRO_OPT_PROT_KM_CREDS | \ 580 INTRO_OPT_PROT_KM_LOGGER_CONTEXT | \ 581 INTRO_OPT_PROT_KM_TOKEN_PRIVS | \ 582 INTRO_OPT_PROT_KM_SD_ACL | \ 583 INTRO_OPT_PROT_KM_SUD_INTEGRITY | \ 584 INTRO_OPT_PROT_KM_INTERRUPT_OBJ) 587 #define INTRO_OPT_ENABLE_DTR_PROTECTION (INTRO_OPT_PROT_KM_IDTR | \ 588 INTRO_OPT_PROT_KM_GDTR) 591 #define INTRO_OPT_ENABLE_KM_BETA_DETECTIONS (INTRO_OPT_KM_BETA_DETECTIONS) 594 #define INTRO_OPT_ENABLE_FULL_PATH (INTRO_OPT_FULL_PATH) 597 #define INTRO_OPT_ENABLE_XEN_PROTECTION (INTRO_OPT_PROT_KM_XEN_DRIVERS) 600 #define INTRO_OPT_ENABLE_MANUAL_AGENT_INJ (INTRO_OPT_AGENT_INJECTION) 603 #define INTRO_OPT_ENABLE_MISC_EVENTS (INTRO_OPT_EVENT_PROCESSES | \ 604 INTRO_OPT_EVENT_MODULES | \ 605 INTRO_OPT_EVENT_OS_CRASH | \ 606 INTRO_OPT_EVENT_PROCESS_CRASH) 609 #define INTRO_OPT_DYNAMIC_OPTIONS_MASK (0xffffffffffffffff) 612 #define INTRO_OPT_DEFAULT_OPTIONS (INTRO_OPT_ENABLE_KM_PROTECTION |\ 613 INTRO_OPT_ENABLE_UM_PROTECTION |\ 614 INTRO_OPT_ENABLE_AV_PROTECTION |\ 615 INTRO_OPT_ENABLE_XEN_PROTECTION |\ 616 INTRO_OPT_ENABLE_CR_PROTECTION |\ 617 INTRO_OPT_ENABLE_MSR_PROTECTION |\ 618 INTRO_OPT_ENABLE_DTR_PROTECTION |\ 619 INTRO_OPT_ENABLE_KM_BETA_DETECTIONS |\ 620 INTRO_OPT_ENABLE_INTEGRITY_CHECKS |\ 621 INTRO_OPT_ENABLE_FULL_PATH |\ 622 INTRO_OPT_IN_GUEST_PT_FILTER) 625 #define INTRO_OPT_DEFAULT_XEN_OPTIONS (INTRO_OPT_ENABLE_KM_PROTECTION |\ 626 INTRO_OPT_ENABLE_UM_PROTECTION |\ 627 INTRO_OPT_ENABLE_AV_PROTECTION |\ 628 INTRO_OPT_ENABLE_XEN_PROTECTION |\ 629 INTRO_OPT_ENABLE_CR_PROTECTION |\ 630 INTRO_OPT_ENABLE_MSR_PROTECTION |\ 631 INTRO_OPT_ENABLE_DTR_PROTECTION |\ 632 INTRO_OPT_ENABLE_INTEGRITY_CHECKS |\ 633 INTRO_OPT_ENABLE_FULL_PATH |\ 634 INTRO_OPT_ENABLE_MANUAL_AGENT_INJ |\ 635 INTRO_OPT_ENABLE_MISC_EVENTS |\ 636 INTRO_OPT_IN_GUEST_PT_FILTER) 639 #define INTRO_OPT_ONLY_KERNEL (INTRO_OPT_ENABLE_KM_PROTECTION |\ 640 INTRO_OPT_ENABLE_AV_PROTECTION |\ 641 INTRO_OPT_ENABLE_XEN_PROTECTION |\ 642 INTRO_OPT_ENABLE_MSR_PROTECTION |\ 643 INTRO_OPT_ENABLE_DTR_PROTECTION |\ 644 INTRO_OPT_ENABLE_KM_BETA_DETECTIONS |\ 645 INTRO_OPT_ENABLE_INTEGRITY_CHECKS |\ 646 INTRO_OPT_ENABLE_FULL_PATH |\ 647 INTRO_OPT_IN_GUEST_PT_FILTER) 650 #define POLICY_KM_BETA_FLAGS \ 651 (INTRO_OPT_PROT_KM_NT | INTRO_OPT_PROT_KM_HAL | INTRO_OPT_PROT_KM_SSDT | INTRO_OPT_PROT_KM_IDT \ 652 | INTRO_OPT_PROT_KM_HAL_DISP_TABLE | INTRO_OPT_PROT_KM_SYSTEM_CR3 | INTRO_OPT_PROT_KM_TOKEN_PTR \ 653 | INTRO_OPT_PROT_KM_NT_DRIVERS | INTRO_OPT_PROT_KM_AV_DRIVERS | INTRO_OPT_PROT_KM_XEN_DRIVERS \ 654 | INTRO_OPT_PROT_KM_DRVOBJ | INTRO_OPT_PROT_KM_CR4 | INTRO_OPT_PROT_KM_MSR_SYSCALL | INTRO_OPT_PROT_KM_IDTR \ 655 | INTRO_OPT_PROT_KM_HAL_HEAP_EXEC | INTRO_OPT_PROT_KM_HAL_INT_CTRL | INTRO_OPT_PROT_KM_SELF_MAP_ENTRY \ 656 | INTRO_OPT_PROT_KM_GDTR | INTRO_OPT_PROT_KM_LX | INTRO_OPT_PROT_KM_VDSO | INTRO_OPT_PROT_KM_LX_MODULES \ 657 | INTRO_OPT_PROT_KM_CREDS | INTRO_OPT_PROT_KM_TOKEN_PRIVS | INTRO_OPT_PROT_KM_SUD_EXEC \ 658 | INTRO_OPT_PROT_KM_LOGGER_CONTEXT | INTRO_OPT_PROT_KM_NT_EAT_READS | INTRO_OPT_PROT_KM_HAL_PERF_CNT \ 659 | INTRO_OPT_PROT_KM_SD_ACL | INTRO_OPT_PROT_KM_SUD_INTEGRITY | INTRO_OPT_PROT_KM_INTERRUPT_OBJ) 671 #define ALERT_FLAG_BETA 0x0000000000000001 672 #define ALERT_FLAG_ANTIVIRUS 0x0000000000000002 673 #define ALERT_FLAG_SYSPROC 0x0000000000000004 674 #define ALERT_FLAG_NOT_RING0 0x0000000000000008 675 #define ALERT_FLAG_ASYNC 0x0000000000000010 676 #define ALERT_FLAG_LINUX 0x0000000000000020 677 #define ALERT_FLAG_FROM_ENGINES 0x0000000000000040 683 #define ALERT_FLAG_FEEDBACK_ONLY 0x0000000000000080 684 #define ALERT_FLAG_DEP_VIOLATION 0x0000000000000100 685 #define ALERT_FLAG_PROTECTED_VIEW 0x0000000000000200 686 #define ALERT_FLAG_KM_UM 0x0000000000000400 695 #define ALERT_PATH_MAX_LEN 260u 696 #define ALERT_IMAGE_NAME_LEN 16u 697 #define ALERT_MAX_MESSAGE_SIZE 256u 699 #define ALERT_MAX_INSTRUX_LEN 128u 700 #define ALERT_MAX_SECTION_NAME_LEN 8u 702 #define ALERT_MAX_FUNCTIONS 4u 703 #define ALERT_MAX_FUNCTION_NAME_LEN 32u 704 #define ALERT_MAX_INJ_DUMP_SIZE 512u 705 #define ALERT_MAX_CODEBLOCKS 64u 706 #define ALERT_CMDLINE_MAX_LEN 512u 707 #define ALERT_EXCEPTION_SIZE 255u 708 #define ALERT_MAX_DETECTION_NAME 128u 710 #define ALERT_MAX_ENGINES_VERSION 32u 712 #define INTRO_SECURITY_DESCRIPTOR_SIZE 1024u 743 #define VICTIM_PROCESS_CREDENTIALS u"Process Credentials" 744 #define VICTIM_DRIVER_OBJECT u"Driver Object" 746 #define VICTIM_HAL_DISPATCH_TABLE u"HalDispatchTable" 748 #define VICTIM_IDT u"IDT" 750 #define VICTIM_CIRCULAR_KERNEL_CTX_LOGGER u"Circular Kernel Context Logger" 752 #define VICTIM_PROCESS_TOKEN u"Process Token" 754 #define VICTIM_TOKEN_PRIVILEGES u"Token privileges" 756 #define VICTIM_HAL_PERFORMANCE_COUNTER u"HalPerformanceCounter" 758 #define VICTIM_PROCESS_SECURITY_DESCRIPTOR u"Security Descriptor" 760 #define VICTIM_PROCESS_ACL u"Access Control List" 762 #define VICTIM_INTERRUPT_OBJECT u"Interrupt Object" 788 #define INTRO_VIOLATION_VERSION 1 831 #define INTRO_WIN_SID_MAX_SUB_AUTHORITIES 15 834 #define INTRO_WIN_SID_MAX_SIZE \ 835 (sizeof(INTRO_WIN_SID) - sizeof(DWORD) + (INTRO_WIN_SID_MAX_SUB_AUTHORITIES * sizeof(DWORD))) 856 #define INTRO_SIDS_MAX_COUNT 4 1015 DWORD NewSecDescHash;
1120 BYTE RipCode[0x1000];
1164 #pragma pack(push, 1) 1726 BYTE MaxHeapValPageContent[0x1000];
1741 QWORD ShellcodeFlags;
2117 #define AGENT_HCALL_REM_TOOL 100 2119 #define AGENT_HCALL_GATHER_TOOL 500 2121 #define AGENT_HCALL_KILLER_TOOL 600 2123 #define AGENT_HCALL_INTERNAL 753200 2145 #define REM_MAX_OBJECT_PATH_LEN 512 2146 #define REM_MAX_DETECTION_LEN 128 2150 #define REM_EVENT_VERSION 0x00010000 2151 #define REM_EVENT_SIZE sizeof(AGENT_REM_EVENT) 2223 DWORD DetectionFlag;
2226 } DisinfectionEvent;
2246 #define LGT_MAX_DATA_SIZE 4096 2249 #define LGT_EVENT_VERSION 0x00010000 2250 #define LGT_EVENT_SIZE sizeof(AGENT_LGT_EVENT) 2425 } ProcessProtection;
2451 #endif // _INTRO_TYPES_H_ QWORD ViolationFlags
A combination of Alert flags values describing the alert.
BOOLEAN Valid
Set to True if the information in the structure is valid, False otherwise.
INTRO_EXEC_CONTEXT ExecContext
The context of the execution.
#define ALERT_MAX_MESSAGE_SIZE
The maximum size of an Introcore message inside EVENT_INTROSPECTION_MESSAGE.
struct _EVENT_TRANSLATION_VIOLATION EVENT_TRANSLATION_VIOLATION
Event structure for illegal paging-structures modifications.
struct _INTRO_CODEBLOCKS INTRO_CODEBLOCKS
Holds code block patterns information.
DWORD Count
The number of available entries in the CodeBlocks array.
Hooked page against PG reads.
BYTE * CmdLine
The command line to be scanned.
DWORD Attributes
The attributes of the SID.
enum _INTRO_ACTION_REASON INTRO_ACTION_REASON
The reason for which an INTRO_ACTION was taken.
INTRO_CODEBLOCKS CodeBlocks
Code blocks extracted for the alert.
struct _EVENT_PROCESS_CREATION_VIOLATION EVENT_PROCESS_CREATION_VIOLATION
Event structure for process creation violation events.
Trusted Developer Utilities.
INTRO_EXEC_DATA ExecutionData
Execution information.
Execution through module load.
DWORD Version
Event version. Must match REM_EVENT_VERSION.
QWORD EnabledByDefault
The privileges that are enabled by default.
struct _EVENT_INTEGRITY_VIOLATION * PEVENT_INTEGRITY_VIOLATION
struct _ENG_NOTIFICATION_CODE_EXEC ENG_NOTIFICATION_CODE_EXEC
Execution notification for scan engines.
struct _INTRO_MODULE * PINTRO_MODULE
struct _INTRO_TOKEN_PRIVILEGES INTRO_TOKEN_PRIVILEGES
Windows process token privileges.
struct _EVENT_EPT_VIOLATION EVENT_EPT_VIOLATION
Event structure for EPT violations.
Sent for unauthorized process creation alerts. See EVENT_PROCESS_CREATION_VIOLATION.
BOOLEAN Valid
Set to True if the information in the structure is valid, False otherwise.
struct _ENG_NOTIFICATION_CMD_LINE * PENG_NOTIFICATION_CMD_LINE
INTRO_TOKEN_PRIVILEGES Privileges
The privileges associated with this token.
INTRO_PROCESS Parent
The parent process that provided the command line.
QWORD ReturnRip
The RIP from which the suspicious module was called.
struct _EVENT_ENGINES_DETECTION_VIOLATION EVENT_ENGINES_DETECTION_VIOLATION
Event structure for detections provided by additional scan engines.
INTRO_NET_AF Family
Address family.
INTRO_VIOLATION_HEADER Header
The alert header,.
Sent when a CR violation triggers an alert. See EVENT_XCR_VIOLATION.
INTRO_MODULE ReturnModule
The module to which the current code return to.
INTRO_MSR_ACCESS_TYPE
MSR access types.
DWORD Size
The size of the access.
The creation of a process was attempted while the parent had its heap sprayed.
struct _EVENT_CR_VIOLATION EVENT_CR_VIOLATION
Event structure for CR violation.
INTRO_MODULE Module
The module which was written or read.
An internal error occurred (no memory, pages not present, etc.).
INTRO_PROCESS Victim
The process that was compromised.
Event structure for CR violation.
Kernel module (ntoskrnl.exe, hal.dll, etc.).
BOOLEAN Valid
If FALSE, we failed to get the thread and the process token.
struct _INTRO_MODULE INTRO_MODULE
Describes a user-mode or kernel-mode module.
QWORD CurrentStack
The current stack of the parent process.
A Windows token structure as reported by Introcore alerts.
The process was not protected due to an internal error.
_TRANS_VIOLATION_TYPE
Translation violation types.
WORD ExceptionMajor
Exceptions major version.
QWORD StartAddress
The guest linear address from which the code blocks were extracted.
#define REM_MAX_OBJECT_PATH_LEN
The maximum object path size in bytes, including the NULL terminator.
BYTE Violation
The type of the access. It must be one of the IG_EPT_HOOK_TYPE values.
struct _INTRO_EXEC_CONTEXT INTRO_EXEC_CONTEXT
Holds the context in which an execution attempt was detected.
_INTRO_ACTION
Event actions.
#define ALERT_MAX_FUNCTIONS
The maximum number of functions included in an alert structure.
BOOLEAN Created
True if the process was created, False if it was terminated.
struct _EVENT_INTROSPECTION_MESSAGE EVENT_INTROSPECTION_MESSAGE
Event structure for plain data/message passing.
struct _INTRO_CPUCTX INTRO_CPUCTX
Holds the CPU context for an event.
INTRO_MODULE Module
The module that attempted the write.
MITRE_ID MitreID
The Mitre ID that corresponds to this attack.
struct _EVENT_MODULE_EVENT EVENT_MODULE_EVENT
Event structure for module loading and unloading.
struct _AGENT_REM_EVENT_HEADER AGENT_REM_EVENT_HEADER
Common header for all remediation tool events.
struct _EVENT_PROCESS_CREATION_VIOLATION * PEVENT_PROCESS_CREATION_VIOLATION
Event structure for process creation/termination.
INTRO_ENG_NOTIF_TYPE Type
The type of the alert.
Fast IO Dispatch (Windows only).
struct _EVENT_ENGINES_DETECTION_VIOLATION * PEVENT_ENGINES_DETECTION_VIOLATION
INTRO_PROCESS Process
The process that attempted the access.
An interrupt object from KPRCB.
Infinity hook modifications of WMI_LOGGER_CONTEXT.GetCpuClock.
struct _EVENT_EXCEPTION_EVENT * PEVENT_EXCEPTION_EVENT
BOOLEAN ImpersonationToken
TRUE if this is an impersonation token.
This represents an attempt of modifying the context of another thread.
BYTE SubAuthorityCount
The number of valid entries in the SubAuthority array.
Holds register state information.
QWORD ReturnRip
The RIP at which the code that triggered the alert returns.
Event structure for process creation violation events.
union _INT_VERSION_INFO * PINT_VERSION_INFO
QWORD Context
The context supplied when the process was protected.
A critical API function was not found inside the guest kernel.
INTRO_WRITE_INFO WriteInfo
The original value of the register and the value that the guest tried to write.
INTRO_EXEC_CONTEXT ExecContext
Information about the instruction that triggered the alert.
Event structure for integrity violations on monitored structures.
enum _MITRE_ID MITRE_ID
Mitre attack techniques.
User-mode non executable zone.
Sent when a DTR violation triggers an alert. See EVENT_DTR_VIOLATION.
struct _INTRO_PROCESS INTRO_PROCESS
Describes a guest process.
Process creation violation.
_INTRO_EVENT_TYPE
Event classes.
AGENT_EVENT_TYPE Event
The type of the agent.
INTRO_PROCESS Process
The process that could not be protected.
union _INTRO_DPI_EXTRA_INFO * PINTRO_DPI_EXTRA_INFO
INTRO_MODULE ReturnModule
The module to which the current code return to.
QWORD Wow64StackLimit
The known stack limit of the parent process in WoW64 mode.
BOOLEAN RebootNeeded
TRUE if a reboot is needed.
enum _INTRO_ENG_NOTIFICATION_TYPE INTRO_ENG_NOTIF_TYPE
Scan engine alert types.
QWORD Param3
Third parameter.
DWORD Value
A hash of the code represented by this block.
QWORD HookStartPhysical
The start of the monitored guest physical memory area for which this alert was generated.
struct _INTRO_ACL * PINTRO_ACL
INTRO_CODEBLOCKS CodeBlocks
Code blocks extracted for the alert.
union _INTRO_TOKEN INTRO_TOKEN
Contains privileges and security identifiers information.
Describes an event sent by the log gathering tool.
DWORD SidCount
The number of valid entries in the SidsAndAttributes array.
Sent when a CR violation triggers an alert. See EVENT_CR_VIOLATION.
INTRO_EPT_ACCESS_TYPE
EPT access types.
The process was not protected because there is not enough memory available.
Event structure for module loading and unloading.
A critical structure was not found inside the guest kernel.
#define INTRO_SECURITY_DESCRIPTOR_SIZE
The size of the buffers in which we store the security descriptors. The security descriptor is compos...
QWORD Flags
A combination of ALERT_FLAG_* values describing the alert.
struct _EVENT_TRANSLATION_VIOLATION * PEVENT_TRANSLATION_VIOLATION
struct _AGENT_LGT_EVENT_HEADER * PAGENT_LGT_EVENT_HEADER
Sent for third party engines detections. See EVENT_ENGINES_DETECTION_VIOLATION.
AGENT_EVENT_TYPE
The state of an agent.
INTRO_PC_VIOLATION_TYPE
Process creation violation flags.
Access 'struct creds' fields.
Informational event sent when the guest crashes. See EVENT_CRASH_EVENT.
The action was not allowed because there was no reason to allow it.
Event structure for agent injection and termination.
The agent process finished execution.
INTRO_MODULE Module
The loaded module.
INTRO_VIOLATION_HEADER Header
The alert header.
Holds code block patterns information.
INTRO_PROCESS SecDescStolenFrom
This variable may indicate the victim process (where security descriptor has been stolen from)...
enum _INTRO_NET_STATE INTRO_NET_STATE
Connection states.
struct _INTRO_GPRS INTRO_GPRS
Holds register state information.
INTRO_ALERT_EXCEPTION_HEADER ExHeader
The header of the exception information.
DWORD Delta
The offset inside the affected function at which the access was made.
enum _TRANS_VIOLATION_TYPE TRANS_VIOLATION_TYPE
Translation violation types.
struct _EVENT_CONNECTION_EVENT * PEVENT_CONNECTION_EVENT
struct _ENG_NOTIFICATION_CMD_LINE ENG_NOTIFICATION_CMD_LINE
Command line notification for scan engines.
Process creation violation DPI.
Plain text message sent from Introcore to the integrator. See EVENT_INTROSPECTION_MESSAGE.
WORD IntroRevision
Introcore revision.
QWORD StackBase
The known stack base of the parent process.
The function is already hooked.
DWORD ScanResult
Scan result.
The operating system version is not supported.
DWORD ExitStatus
The exit code of the process.
INTRO_EXEC_CONTEXT ExecContext
Information about the instruction that triggered the alert.
QWORD StartAddress
The address where the thread started executing.
struct _INTRO_VERSION_INFO * PINTRO_VERSION_INFO
union _INTRO_DPI_EXTRA_INFO INTRO_DPI_EXTRA_INFO
Structure for keeping the relevant DPI violation information.
struct _EVENT_EXCEPTION_EVENT EVENT_EXCEPTION_EVENT
Event structure for process exceptions.
QWORD VirtualAddress
The Virtual Address whose translation is being modified.
BOOLEAN IsRestricted
TRUE if this was obtained from the RestrictedSids list.
BOOLEAN Continuable
True if the exception is considered to be continuable.
Event structure for illegal paging-structures modifications.
#define ALERT_MAX_FUNCTION_NAME_LEN
The maximum size of a function name inside an alert structure.
INTRO_PROCESS CurrentProcess
The agent process.
QWORD Param1
First parameter.
DWORD HeapValCount
The number of heap values in the page. Since the max value can be 1024, 11 bits are needed...
struct _INTRO_SEC_DESC_INFO INTRO_SEC_DESC_INFO
Holds information about a security descriptor write attempt.
Integrity protection of SharedUserData region.
struct _EVENT_XCR_VIOLATION EVENT_XCR_VIOLATION
Event structure for XCR violation.
Holds information about a security descriptor write attempt.
Sent for code/data injection alerts. See EVENT_MEMCOPY_VIOLATION.
struct _EVENT_PROCESS_EVENT * PEVENT_PROCESS_EVENT
BOOLEAN User
Set if it is a KM-UM write due to an injection from user-mode.
INTRO_WRITE_INFO WriteInfo
The original value of the register and the value that the guest tried to write.
INTRO_VIOLATION_HEADER Header
The alert header.
#define ALERT_MAX_CODEBLOCKS
The maximum number of code blocks included in an alert structure.
BOOLEAN UserMode
True if this is a user mode module, False if it is a kernel mode module.
struct _EVENT_MODULE_EVENT * PEVENT_MODULE_EVENT
BYTE IdtEntry
The modified IDT entry. Valid only if Type is introObjectTypeIdt.
DWORD ActionResult
Action result.
INTRO_ENG_NOTIF_TYPE Type
The type of the notification.
INTRO_ACL NewDacl
The new DACL header.
QWORD Raw
Raw version information.
DWORD _Reserved3
Reserved.
Windows process access control list (SACL/DACL)
Process ACL (SACL/DACL) was modified.
#define INTRO_WIN_SID_MAX_SIZE
The maximum size of a INTRO_WIN_SID structure.
DWORD ErrorCode
The error code of the event. Success is 0.
Event structure for guest OS crashes.
Internal kernel structures - they don't generate alerts.
The action was ignored and allowed.
QWORD HookStartVirtual
The start of the monitored guest virtual memory area for which this alert was generated.
#define ALERT_CMDLINE_MAX_LEN
The maximum size of a command line included in an alert structure.
struct _EVENT_EPT_VIOLATION * PEVENT_EPT_VIOLATION
DWORD Reserved
Reserved for further use.
BYTE Pivot
An instruction identifier used internally by the Introcore engine (see CODE_INS). ...
QWORD StackLimit
The known stack limit of the parent process.
INTRO_PROCESS StolenFrom
The process from which the token was stolen.
QWORD Rip
The value of the guest RIP at the moment of the alert.
ENG_NOTIFICATION_HEADER Header
Notification header.
struct _EVENT_MSR_VIOLATION * PEVENT_MSR_VIOLATION
QWORD OsVer
The version of the introspected operating system.
#define ALERT_MAX_DETECTION_NAME
The maximum size of a detection name as given by a third party scan engine.
struct _INTRO_EXEC_CONTEXT * PINTRO_EXEC_CONTEXT
struct _INTRO_READ_INFO * PINTRO_READ_INFO
BOOLEAN RestrictedSIdsBufferTooSmall
If TRUE, not all the entries from the guest's SidsAndAttributes were returned.
ENG_NOTIFICATION_HEADER Header
Notification header.
INTRO_VIOLATION_HEADER Header
The alert header.
QWORD Base
The guest linear address at which the module is loaded.
QWORD ZoneTypes
The types of the accessed memory area.
Execution through API call.
Available only on Windows.
Executions in suspicious DLL loads.
Access Token Manipulation.
TRANS_VIOLATION_TYPE ViolationType
INTRO_ACTION_REASON Reason
The reason for which Action was taken.
struct _INTRO_WRITE_INFO INTRO_WRITE_INFO
Holds information about a memory write attempt.
The agent has been successfully injected.
struct _INTRO_ACL INTRO_ACL
Windows process access control list (SACL/DACL)
WORD ExceptionMinor
Exceptions minor version.
struct _INTRO_WIN_SID * PINTRO_WIN_SID
INTRO_PROCESS Victim
The process in which the module has loaded.
struct _INTRO_WIN_SID INTRO_WIN_SID
A security identifier.
struct _GUEST_INFO GUEST_INFO
Guest information.
A kernel export was not found.
Command line notification for scan engines.
BOOLEAN Kernel
Set if it is a KM-UM write due to an injection from kernel-mode.
enum _MEMCOPY_VIOLATION_TYPE MEMCOPY_VIOLATION_TYPE
The type of a memory copy violation.
MEMCOPY_VIOLATION_TYPE ViolationType
The type of the access.
struct _EVENT_DTR_VIOLATION EVENT_DTR_VIOLATION
Event structure for GDTR/IDTR descriptor tables modifications.
struct _EVENT_CRASH_EVENT EVENT_CRASH_EVENT
Event structure for guest OS crashes.
A remediation tool event.
enum _INTRO_OBJECT_TYPE INTRO_OBJECT_TYPE
The type of the object protected by an EPT hook.
struct _INTRO_EXEC_DATA * PINTRO_EXEC_DATA
DWORD CmdLineSize
The size of the command line buffer.
INTRO_VIOLATION_HEADER Header
The alert header.
DWORD CamiMinor
CAMI minor version.
DWORD ExceptionBuild
Exceptions build number.
Event structure for detections provided by additional scan engines.
DWORD CamiBuildNumber
CAMI build number.
INTRO_VIOLATION_HEADER Header
The alert header.
INTRO_CODEBLOCKS CodeBlocks
Code blocks extracted for the alert.
_INTRO_NET_STATE
Connection states.
union _INTRO_ERROR_CONTEXT * PINTRO_ERROR_CONTEXT
QWORD ShellcodeFlags
The shellcode flags given by shemu on the detected page.
struct _INTRO_DRVOBJ INTRO_DRVOBJ
Describes a driver object.
DWORD CopySize
The size of the access.
The context of an error state.
Hal interrupt controller.
DWORD Size
The size of the modified memory area.
#define ALERT_MAX_INJ_DUMP_SIZE
The maximum size of an injection buffer inside an alert structure.
Windows process token privileges.
struct _INTRO_DRVOBJ * PINTRO_DRVOBJ
The kernel image was not found.
The CR3 of a process was changed.
INTRO_CPUCTX CpuContext
The context of the CPU that triggered the alert.
#define ALERT_PATH_MAX_LEN
The maximum size of a path inside an alert structure.
BOOLEAN Code64
True if the code was in 64-bit mode, False if it was in 32-bit mode.
struct _INTRO_EXEC_INFO INTRO_EXEC_INFO
Holds information about an execution attempt.
struct _EVENT_DTR_VIOLATION * PEVENT_DTR_VIOLATION
The parent of a process has a stolen access token when it created the child.
INTRO_PROCESS Originator
The process that provided the command line.
_INTRO_ACTION_REASON
The reason for which an INTRO_ACTION was taken.
BOOLEAN Valid
Set to True if the information in the structure is valid, False otherwise.
INTRO_PROCESS CurrentProcess
The currently active process.
QWORD Reason
The bugcheck reason.
Event structure for MSR violation.
This represents an attempt to queue an APC into the victim process.
struct _INTRO_CODEBLOCKS * PINTRO_CODEBLOCKS
struct _EVENT_MODULE_LOAD_VIOLATION * PEVENT_MODULE_LOAD_VIOLATION
INTRO_WIN_TOKEN WindowsToken
A Windows token.
#define INTRO_SIDS_MAX_COUNT
The maximum SID count included in an alert.
The common header used by exception information.
#define ALERT_MAX_INSTRUX_LEN
#define ALERT_IMAGE_NAME_LEN
struct _ENG_NOTIFICATION_HEADER ENG_NOTIFICATION_HEADER
Notification header for scan engines alerts.
INTRO_PROCESS CurrentProcess
The currently active process.
INTRO_PROCESS Owner
The process that owns the connection.
struct _AGENT_REM_EVENT_HEADER * PAGENT_REM_EVENT_HEADER
Event structure for suspicious module load into processes.
BYTE Revision
The revision of the SID.
INTRO_MODULE Module
The module that modified the monitored region.
Informational event sent when the remediation tool is injected or terminated. See EVENT_AGENT_EVENT...
INTRO_PROCESS Child
The process that is being created or terminated.
Contains privileges and security identifiers information.
struct _EVENT_INTEGRITY_VIOLATION EVENT_INTEGRITY_VIOLATION
Event structure for integrity violations on monitored structures.
Write protection over HalPerformanceCounter.
INTRO_OBJECT_TYPE Type
The type of the modified register.
Sent for suspicious module loads alerts. See EVENT_MODULE_LOAD_VIOLATION.
The creation of a process was attempted with token privileges altered in a malicious way...
struct _EVENT_MSR_VIOLATION EVENT_MSR_VIOLATION
Event structure for MSR violation.
QWORD VirtualAddress
The guest virtual address which was modified.
INTRO_VIOLATION_HEADER Header
The alert header.
INTRO_WRITE_INFO WriteInfo
The original and new address to which VirtualAddress translates.
DWORD DetectionFlag
Detection flags.
struct _INTRO_CPUCTX * PINTRO_CPUCTX
struct _INTRO_TOKEN_PRIVILEGES * PINTRO_TOKEN_PRIVILEGES
Execution notification for scan engines.
WORD IntroMinor
Introcore minor version.
DWORD DataSize
Valid Data size.
The parent of a process had a pivoted stack when it created the child.
INTRO_CODEBLOCKS CodeBlocks
Code blocks extracted for the alert.
This is a classic code injection attempt that simply modifies the memory of the victim process...
union _INT_VERSION_INFO INT_VERSION_INFO
Introspection version info.
struct _AGENT_REM_EVENT * PAGENT_REM_EVENT
INTRO_ACL OldDacl
The old DACL header.
INTRO_MODULE ReturnModule
The module to which the current code return to.
QWORD OldPointerValue
Old value.
This represents an attempt to set an instrument callback inside the victim process.
struct _INTRO_WRITE_INFO * PINTRO_WRITE_INFO
struct _AGENT_LGT_EVENT * PAGENT_LGT_EVENT
#define LGT_MAX_DATA_SIZE
The maximum size of a log gather tool data chunk.
DWORD ScanStatus
Start status.
WORD Version
The version of the exception information.
Holds information about a memory read attempt.
Sent for virtual address translation alerts. See EVENT_TRANSLATION_VIOLATION.
struct _AGENT_REM_EVENT AGENT_REM_EVENT
A remediation tool event.
Memory access violations that cross a process boundary.
struct _GUEST_INFO * PGUEST_INFO
DWORD AgentTag
Unique agent tag. See INTRO_DEP_AG_TAGS.
QWORD StackLimit
The stack limit for the thread that attempted the execution.
BOOLEAN DumpValid
True if the contents of RawDump are valid, False if not.
QWORD Wow64StackBase
The known stack base of the parent process in WoW64 mode.
Dummy agent used to demo the feature.
union _INTRO_TOKEN * PINTRO_TOKEN
struct _INTRO_WIN_TOKEN INTRO_WIN_TOKEN
A Windows token structure as reported by Introcore alerts.
Informational event sent when a process is created or terminated by the guest. See EVENT_PROCESS_EVEN...
struct _ENG_NOTIFICATION_CODE_EXEC * PENG_NOTIFICATION_CODE_EXEC
BOOLEAN Protected
True if the process is protected.
struct _EVENT_CR_VIOLATION * PEVENT_CR_VIOLATION
_MITRE_ID
Mitre attack techniques.
Holds the context in which an execution attempt was detected.
Informational event containing the connections opened by a process. See EVENT_CONNECTION_EVENT.
DWORD OldSecDescSize
The size of the old security descriptor buffer (valid only if INTRO_OBJECT_TYPE is introObjectTypeSec...
DWORD Delta
The same as Delta.
Holds information about a memory write attempt.
INTRO_EXEC_CONTEXT ExecContext
Information about the instruction that triggered the alert.
BOOLEAN Loaded
True if the module was loaded, False if it was unloaded.
Array of actual code block patterns.
INTRO_ACL NewSacl
The new SACL header.
struct _INTRO_GPRS * PINTRO_GPRS
DWORD Offset
The offset where the detection on the given page was given, if Detection is equal to 1...
INTRO_PROCESS Process
The process in which the execution was attempted.
INTRO_ACTION RequestedAction
Action requested by the scan engines.
INTRO_PROCESS Victim
The process that received the command line.
INTRO_MODULE Module
The module that did the malicious access.
struct _INTRO_PROCESS * PINTRO_PROCESS
Command line scan results.
BOOLEAN Valid
Set to True if the information in the structure is valid, False otherwise.
DWORD Executable
True if the page is executable in the translation.
Event structure for GDTR/IDTR descriptor tables modifications.
INTRO_CODEBLOCKS CodeBlocks
Code blocks extracted for the alert.
unsigned long long UINT64
WORD RemotePort
Remote port.
Sent when an EPT violation triggers an alert. See EVENT_EPT_VIOLATION.
INTRO_WRITE_INFO WriteInfo
DWORD Size
The size of the access.
DWORD CsType
The type of the code segment. Can be one of the IG_CS_TYPE values.
DWORD RipCbIndex
Index in the CodeBlocks array for the pattern extracted for the instruction at Rip.
struct _EVENT_XCR_VIOLATION * PEVENT_XCR_VIOLATION
union _INTRO_ERROR_CONTEXT INTRO_ERROR_CONTEXT
The context of an error state.
DWORD IntroBuildNumber
Introcore build number.
Exception Table (Linux-only).
INTRO_VIOLATION_HEADER Header
The alert header.
INTRO_GUEST_TYPE
The type of the introspected operating system.
INTRO_WRITE_INFO WriteInfo
The original value and the new value of the register.
The agent sent a message.
unsigned long long * PUINT64
QWORD ExceptionCode
The code of the exception.
Executions inside the SharedUserData region.
The Virtualization exception agent injected inside the guest.
struct _INTRO_ALERT_EXCEPTION_HEADER INTRO_ALERT_EXCEPTION_HEADER
The common header used by exception information.
_INTRO_NET_AF
Address family.
struct _EVENT_MODULE_LOAD_VIOLATION EVENT_MODULE_LOAD_VIOLATION
Event structure for suspicious module load into processes.
INTRO_PROCESS CurrentProcess
The currently active process.
BOOLEAN Valid
Set to True if the information in the structure is valid, False otherwise.
INTRO_GUEST_TYPE OsType
The guest operating system type.
QWORD Enabled
The currently enabled privileges.
INTRO_VIOLATION_HEADER Header
The alert header.
The exception file was not loaded (there are no exceptions).
INTRO_PC_VIOLATION_TYPE PcType
The type of process creation violation.
enum _INTRO_ACTION INTRO_ACTION
Event actions.
struct _INTRO_VERSION_INFO INTRO_VERSION_INFO
Holds version information for Introcore and the currently loaded exceptions and CAMI files...
struct _INTRO_EXEC_INFO * PINTRO_EXEC_INFO
INTRO_WRITE_INFO WriteInfo
QWORD Wow64CurrentStack
The current stack of the parent process in WoW64 mode.
#define ALERT_MAX_SECTION_NAME_LEN
The maximum size of an executable section name inside an alert structure.
INTRO_PROCESS CurrentProcess
The process in which the exception was triggered.
INTRO_MODULE Module
The module for which this event was triggered.
The action was allowed, but it has the BETA flag (Introcore is in log-only mode). ...
The remediation tool agent.
WORD LocalPort
Local port.
DWORD Offset
The offset inside the page where the violation took place.
INTRO_ACL OldSacl
The old SACL header.
Common header for all remediation tool events.
struct _INTRO_EXEC_DATA INTRO_EXEC_DATA
Holds the data related to an execution attempt.
INTRO_MODULE ReturnModule
The module which called the entry function of the suspicious module.
Event structure for process exceptions.
QWORD Cr3
The value of the guest CR3 register when the event was generated.
BYTE IdtEntry
The IDT entry that was modified. Valid only if Type is introObjectTypeIdt.
struct _INTRO_SID_ATTRIBUTES * PINTRO_SID_ATTRIBUTES
struct _INTRO_READ_INFO INTRO_READ_INFO
Holds information about a memory read attempt.
Self mapping index in PDBR.
The parent of a process tried to obtain debug privileges over the child.
struct _EVENT_MEMCOPY_VIOLATION EVENT_MEMCOPY_VIOLATION
Memory access violations that cross a process boundary.
INTRO_MODULE Module
The module that modified the translation.
DWORD FunctionNameHash
The hash of the FunctionName. It is the same as Export.Hash[0].
#define ALERT_EXCEPTION_SIZE
struct _EVENT_CONNECTION_EVENT EVENT_CONNECTION_EVENT
Event structure for connections.
BOOLEAN Wow64
A boolean which is TRUE if the process is WoW64.
The parent of a process has an altered security descriptor pointer.
struct _EVENT_AGENT_EVENT EVENT_AGENT_EVENT
Event structure for agent injection and termination.
DWORD CamiMajor
CAMI major version.
INTRO_EXEC_INFO StackInfo
Stack information.
AGENT_LGT_EVENT_HEADER Header
Event header.
struct _AGENT_LGT_EVENT_HEADER AGENT_LGT_EVENT_HEADER
Common header for all log gather tool events.
Execution attempt result.
INTRO_PROCESS Process
The process that did the malicious access.
Dummy SAL definitions for build environments were SAL is not available.
The slack space is not 0-filled/NOP-filled.
DWORD Count
The number of currently protected processes.
struct _EVENT_AGENT_EVENT * PEVENT_AGENT_EVENT
QWORD Owner
The base of the kernel module that owns this driver object.
DWORD Size
Event size. Must match REM_EVENT_SIZE.
INTRO_ERROR_STATE
Error states.
BOOLEAN Valid
Set to True if the information in the structure is valid, False otherwise.
INTRO_PROCESS Originator
The process that attempted the violation.
Exploitation for Privilege Escalation.
Introspection version info.
QWORD Param4
Fourth parameter.
Kernel Modules and Extensions.
The page table filtering agent.
DWORD EventType
Event type.
struct _INTRO_VIOLATION_HEADER INTRO_VIOLATION_HEADER
Common violation header.
WORD IntroMajor
Introcore major version.
INTRO_MODULE ReturnModule
The module to which the current code return to.
WORD Offset
The page offset from which the pattern was extracted. The page is considered to be StartAddress...
#define REM_MAX_DETECTION_LEN
The maximum detection name size in bytes, including the NULL terminator.
struct _ENG_NOTIFICATION_HEADER * PENG_NOTIFICATION_HEADER
The thread which created the process has started execution on some suspicious code.
AGENT_REM_EVENT_HEADER Header
Event header.
Virtual SYSCALL (user-mode, Linux-only).
QWORD Rsp
The value of the guest RSP register at the moment of execution.
INTRO_PROCESS Debugger
The debugger of the current process. May or may not be the parent.
A translation inside the #VE agent was changed.
INTRO_ACTION Action
The action that was taken as the result of this alert.
The agent or the process stub reports an error.
Holds the data related to an execution attempt.
BOOLEAN SidsBufferTooSmall
If TRUE, not all the entries from the guest's SidsAndAttributes were returned.
INTRO_DPI_EXTRA_INFO DpiExtraInfo
A structure which contains extra information regarding the DPI violation that was detected...
QWORD BaseAddress
The guest virtual address at which the monitored integrity region starts.
AGENT_LGT_EVENT_TYPE
Log gather tool events.
DWORD Reserved1
Reserved for padding/future use.
QWORD Rip
The RIP at which the exception was triggered.
Holds information about an execution attempt.
struct _INTRO_VIOLATION_HEADER * PINTRO_VIOLATION_HEADER
INTRO_DEP_AG_TAGS
Deployable agents tags.
struct _EVENT_MEMCOPY_VIOLATION * PEVENT_MEMCOPY_VIOLATION
The action was blocked because no exception signature matched.
QWORD VirtualPage
The guest virtual page in which the access was made.
DWORD Size
Event size. Should match LGT_EVENT_SIZE/.
Extra Window Memory Injection.
Virtual dynamic shared object (user-mode, Linux-only).
The virtualization exception driver.
_INTRO_ENG_NOTIFICATION_TYPE
Scan engine alert types.
INTRO_PROCESS Child
The child process that received the command line.
INTRO_PROCESS Process
The module to which the current code return to.
The visibility tool used to extract information from inside the guest.
QWORD StackBase
The stack base for the thread that attempted the execution.
QWORD OldAddress
The old security descriptor address.
INTRO_DRVOBJ DriverObject
The driver object that was modified. Valid only if Type is introObjectTypeDriverObject.
struct _EVENT_PROCESS_EVENT EVENT_PROCESS_EVENT
Event structure for process creation/termination.
AGENT_REM_EVENT_TYPE
Remediation tool events types.
INTRO_PROCESS CurrentProcess
The current process.
Describes a driver object.
INTRO_VIOLATION_HEADER Header
The alert header.
BOOLEAN Crashed
True if the process crashed.
The action was blocked because there was no exception for it.
DWORD Cr
The number of the modified control register.
enum _INTRO_EVENT_TYPE INTRO_EVENT_TYPE
Event classes.
Sent for integrity violation alerts. See EVENT_INTEGRITY_VIOLATION.
INTRO_EXEC_CONTEXT ExecContext
Information about the instruction that triggered the alert.
_INTRO_OBJECT_TYPE
The type of the object protected by an EPT hook.
INTRO_MODULE Module
The module that did the malicious access.
Event structure for connections.
The agent process started execution.
Holds the CPU context for an event.
INTRO_MODULE Module
The module that attempted the write.
After a page was swapped-in, its hash no longer matches the one it had when it was swapped-out...
#define ALERT_MAX_ENGINES_VERSION
The maximum size of the third party scan engines version.
INTRO_EXEC_CONTEXT ExecContext
Information about the instruction that triggered the alert.
struct _INTRO_SID_ATTRIBUTES INTRO_SID_ATTRIBUTES
Windows SID attributes.
INTRO_EXEC_INFO ExecInfo
Execution information. Valid only if Violation is IG_EPT_HOOK_EXECUTE.
Event structure for EPT violations.
DWORD RestrictedSidCount
The number of valid entries in the RestrictedSids array.
INTRO_PROCESS Parent
The parent of the process.
Informational event sent when a hardware exception is triggered by a guest process. See EVENT_EXCEPTION_EVENT.
DWORD Msr
The ID of the MSR as defined by the Intel documentation.
QWORD SourceVirtualAddress
The virtual address of the source buffer.
enum _INTRO_NET_AF INTRO_NET_AF
Address family.
Sent when a MSR violation triggers an alert.See EVENT_MSR_VIOLATION.
struct _INTRO_SEC_DESC_INFO * PINTRO_SEC_DESC_INFO
struct _INTRO_WIN_TOKEN * PINTRO_WIN_TOKEN
DWORD Xcr
The number of the modified extended control register.
QWORD NewPointerValue
New value.
The parent of a process has an altered access control entry (inside SACL or DACL).
INTRO_MODULE Module
The module that modified the DTR.
INTRO_WIN_SID Sid
The SID structure.
QWORD DestinationVirtualAddress
The virtual address of the destination buffer.
Exploitation for Client Execution.
_MEMCOPY_VIOLATION_TYPE
The type of a memory copy violation.
The process killer agent.
DWORD Length
The length of the instruction.
The agent has been initialized.
DWORD FunctionNameHash
The hash of the modified function name. This is the same as Export.Hash[0].
unsigned long long * PQWORD
The version of the provided CAMI file is not supported.
DWORD Pid
The PID of the process.
Structure for keeping the relevant DPI violation information.
Describes a user-mode or kernel-mode module.
This represents a read done from another process.
Exploitation of Remote Services.
Internal user-mode structure.
Describes a guest process.
struct _EVENT_CRASH_EVENT * PEVENT_CRASH_EVENT
Process security descriptor pointer.
AGENT_LGT_EVENT LogGatherEvent
Log gather tool event.
DWORD ErrorCode
The error code reported by the tool.
QWORD Present
The present privileges.
QWORD Param2
Second parameter.
The Linux version of the remediation tool.
DWORD NewSecDescSize
The size of the new security descriptor buffer (valid only if INTRO_OBJECT_TYPE is introObjectTypeSec...
AGENT_REM_EVENT RemediationEvent
Remediation tool event.
AGENT_REM_EVENT_TYPE EventType
Event type.
QWORD Address
The guest linear address at which the driver object structure was allocated.
Process creation violation without any DPI heuristic being triggered.
The SYSCALL/SYSENTER code pattern was not recognized.
Notification header for scan engines alerts.
DWORD Ipv4
Valid only if Family is introNetAfIpv4.
INTRO_EXEC_DATA ExecViolation
Execution context.
DWORD _Reserved2
Reserved.
INTRO_MODULE ReturnModule
The module to which the current code return to.
DWORD Reserved
Reserved for padding/future use.
INTRO_WRITE_INFO WriteInfo
The original value of the MSR and the value that the guest tried to write.
Common header for all log gather tool events.
struct _EVENT_INTROSPECTION_MESSAGE * PEVENT_INTROSPECTION_MESSAGE
Holds version information for Introcore and the currently loaded exceptions and CAMI files...
INTRO_VIOLATION_HEADER Header
The alert header.
INTRO_NET_STATE State
The state of the connection.
BOOLEAN Protected
True if the module is protected.
INTRO_GUEST_TYPE Type
Type.
DWORD Version
Event version. Should match LGT_EVENT_VERSION.
INTRO_SEC_DESC_INFO SecDescWriteInfo
Event structure for XCR violation.
INTRO_MODULE ReturnModule
The module to which the current code returns to.
A translation was modified without us intercepting it. This points to a bug in Introcore.
INTRO_OBJECT_TYPE Type
The type of the accessed memory area.
struct _AGENT_LGT_EVENT AGENT_LGT_EVENT
Describes an event sent by the log gathering tool.
INTRO_DRVOBJ DriverObject
The modified driver object. Valid only if Type is introObjectTypeDriverObject.
Event structure for plain data/message passing.
QWORD PhysicalPage
The guest physical page in which the access was made.
The exception (and signature, where's the case) matched, but the extra checks failed.
1.8.13