39 memzero(pEvent,
sizeof(*pEvent));
41 pEvent->
Header.
Action = EngineNotification->Header.RequestedAction;
62 WARNING(
"[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
90 if (pNotification == NULL)
104 if (NULL == pNotification->
CmdLine)
110 memcpy(pNotification->
CmdLine, Task->CmdLine, Task->CmdLineLength);
112 LOG(
"[LIX-CMDLINE] Scan request for task '%s' with PID %u using command line '%s' (%u)\n",
118 ERROR(
"[ERROR] IntNotifyEngines failed with status: 0x%08x\n", status);
125 if (pNotification != NULL)
155 TRACE(
"[LIX-CMDLINE] Task '%s' with PID %u used a clean command line...\n",
156 EngineNotification->Child.ImageName, EngineNotification->Child.Pid);
160 LOG(
"[LIX-CMDLINE] Parent task '%s' (%u) CR3 = 0x%016llx with command line '%s'\n",
161 EngineNotification->Parent.ImageName, EngineNotification->Parent.Pid, EngineNotification->Parent.Cr3,
162 EngineNotification->Parent.CmdLine);
163 LOG(
"[LIX-CMDLINE] Child task '%s' (%u) CR3 = 0x%016llx with command line '%s'\n",
164 EngineNotification->Child.ImageName, EngineNotification->Child.Pid, EngineNotification->Child.Cr3,
165 EngineNotification->Child.CmdLine);
166 LOG(
"[LIX-CMDLINE] Detection name: '%s'\n", EngineNotification->Header.DetectionName);
168 LOG(
"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ MALWARE ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n\n");
173 ERROR(
"[ERROR] IntLixCmdLineSendViolationEvent failed with status: 0x%08x\n", status);
177 if (NULL != EngineNotification->CmdLine)
BYTE * CmdLine
The command line to be scanned.
enum _INTRO_ACTION_REASON INTRO_ACTION_REASON
The reason for which an INTRO_ACTION was taken.
INTRO_PROCESS Parent
The parent process that provided the command line.
LIX_TASK_OBJECT * IntLixTaskFindByCr3(QWORD Cr3)
Finds the Linux process having the provided Cr3.
MITRE_ID MitreID
The Mitre ID that corresponds to this attack.
#define INT_STATUS_SUCCESS
INTRO_ENG_NOTIF_TYPE Type
The type of the alert.
#define INT_SUCCESS(Status)
QWORD Flags
A combination of ALERT_FLAG_* values describing the alert.
Sent for third party engines detections. See EVENT_ENGINES_DETECTION_VIOLATION.
INTSTATUS IntLixHandleCmdLineCallback(ENG_NOTIFICATION_CMD_LINE *EngineNotification)
Send a command line violation event.
#define HpAllocWithTag(Len, Tag)
int INTSTATUS
The status data type.
INTRO_VIOLATION_HEADER Header
The alert header.
INTRO_ENG_NOTIF_TYPE Type
The type of the notification.
ENG_NOTIFICATION_HEADER Header
Notification header.
#define ALERT_MAX_DETECTION_NAME
The maximum size of a detection name as given by a third party scan engine.
void IntAlertFillVersionInfo(INTRO_VIOLATION_HEADER *Header)
Fills version information for an alert.
QWORD IntAlertProcGetFlags(QWORD ProtectionFlag, const void *Process, INTRO_ACTION_REASON Reason, QWORD AdditionalFlags)
Returns the flags for an alert.
INTRO_ACTION_REASON Reason
The reason for which Action was taken.
Command line notification for scan engines.
GENERIC_ALERT gAlert
Global alert buffer.
DWORD CmdLineSize
The size of the command line buffer.
Event structure for detections provided by additional scan engines.
INTSTATUS IntNotifyIntroEvent(INTRO_EVENT_TYPE EventClass, void *Param, size_t EventSize)
Notifies the integrator about an introspection alert.
#define HpFreeAndNullWithTag(Add, Tag)
INTSTATUS IntNotifyEngines(void *Parameters)
#define PROC_OPT_PROT_SCAN_CMD_LINE
Uses third party engines to scan the command line of a process.
#define ALERT_FLAG_FROM_ENGINES
If set, the alert was generated due to a third party scan engines detection.
Command line scan results.
struct _EVENT_ENGINES_DETECTION_VIOLATION::@320::@322 CmdLineViolation
Command line of the process.
#define ALERT_FLAG_NOT_RING0
If set, the alert was triggered in ring 1, 2 or 3.
Exposes the functions used to schedule an asynchronous command line scan and receives its result...
INTRO_GUEST_TYPE OsType
The guest operating system type.
The action was allowed, but it has the BETA flag (Introcore is in log-only mode). ...
INTSTATUS IntLixCmdLineInspect(LIX_TASK_OBJECT *Task)
Send a command line scan request to the scan engines.
static INTSTATUS IntLixCmdLineSendViolationEvent(ENG_NOTIFICATION_CMD_LINE *EngineNotification)
Send a command line violation event.
CHAR EnginesVersion[ALERT_MAX_ENGINES_VERSION]
A NULL-terminated string with the engine versions.
CHAR DetectionName[ALERT_MAX_DETECTION_NAME]
A NULL-terminated string with the detection name, as provided by the engines.
INTRO_ACTION Action
The action that was taken as the result of this alert.
INTRO_PROCESS Child
The child process that received the command line.
CHAR ImageName[ALERT_IMAGE_NAME_LEN]
Image base name of the current process.
LIX_TASK_OBJECT * IntLixTaskFindByGva(QWORD TaskStruct)
Finds the Linux process with the provided "task_struct" guest virtual address.
INTRO_PROCESS CurrentProcess
The current process.
#define ALERT_MAX_ENGINES_VERSION
The maximum size of the third party scan engines version.
DWORD Pid
The PID of the process.
Describes a guest process.
EVENT_ENGINES_DETECTION_VIOLATION EngineDetection
void IntAlertFillLixProcess(const LIX_TASK_OBJECT *Task, INTRO_PROCESS *EventProcess)
Saves information about a Linux process inside an event.
#define INT_STATUS_INSUFFICIENT_RESOURCES