Bitdefender Hypervisor Memory Introspection

Handles exception updates.

Data Structures

| Kind | Name | Description |
| --- | --- | --- |
| struct | _UPDATE_ITEM_SIZE | Contains the information about the sizes of an entry (exception/signature) and about the size of the exceptions file. |

Macros

| Macro | Description |
| --- | --- |
| #define UPDATE_VALIDATE_FILE_SIZE 0x1 | Validate that an object fits inside the exception buffer. |
| #define UPDATE_VALIDATE_HEADER_SIZE 0x2 | Validate the size of the exception header. |
| #define UPDATE_VALIDATE_ALL (UPDATE_VALIDATE_FILE_SIZE \| UPDATE_VALIDATE_HEADER_SIZE) | All exception validation options. |

Typedefs

| Typedef | Description |
| --- | --- |
| typedef struct _UPDATE_ITEM_SIZE UPDATE_ITEM_SIZE | Contains the information about the sizes of an entry (exception/signature) and about the size of the exceptions file. |
| typedef struct _UPDATE_ITEM_SIZE * PUPDATE_ITEM_SIZE | Pointer to UPDATE_ITEM_SIZE. |

Functions

| Return type | Function | Description |
| --- | --- | --- |
| INTSTATUS | IntUpdateGetVersion (WORD *MajorVersion, WORD *MinorVersion, DWORD *BuildNumber) | Get the version of the loaded exceptions binary file. |
| static EXCEPTION_SIGNATURE_ID | IntUpdateGetUniqueSigId (EXCEPTION_SIGNATURE_TYPE Type) | Get a unique signature ID for a given type. |
| static BOOLEAN | IntUpdateIsValidEntry (DWORD Size, UPDATE_ITEM_SIZE *Item, DWORD Flags) | Checks if the provided Size can be read from the exceptions file without exceeding its size. |
| static INTSTATUS | IntUpdateAddKernelException (UPDATE_KM_EXCEPTION *UpdateException, UPDATE_ITEM_SIZE *Item) | Creates a new kernel-mode exception and adds it to our internal list. |
| static INTSTATUS | IntUpdateAddKernelUserException (UPDATE_KUM_EXCEPTION *UpdateException, UPDATE_ITEM_SIZE *Item) | Creates a new kernel-user mode exception and adds it to our internal list. |
| static INTSTATUS | IntUpdateAddUserException (UPDATE_UM_EXCEPTION *UpdateException, UPDATE_ITEM_SIZE *Item) | Creates a new user-mode exception and adds it to our internal list. |
| static INTSTATUS | IntUpdateAddUserExceptionGlob (UPDATE_UM_EXCEPTION_GLOB *UpdateException, UPDATE_ITEM_SIZE *Item) | Creates a new glob user-mode exception and adds it to our internal list. |
| static INTSTATUS | IntUpdateAddCbSignature (UPDATE_CB_SIGNATURE *UpdateSignature, UPDATE_ITEM_SIZE *Item) | Creates a new code-blocks signature and adds it to our internal list. |
| static INTSTATUS | IntUpdateAddValueSignature (UPDATE_VALUE_SIGNATURE *UpdateSignature, UPDATE_ITEM_SIZE *Item) | Creates a new value signature and adds it to our internal list. |
| static INTSTATUS | IntUpdateAddIdtSignature (UPDATE_IDT_SIGNATURE *UpdateSignature, UPDATE_ITEM_SIZE *Item) | Creates a new IDT signature and adds it to our internal list. |
| static INTSTATUS | IntUpdateAddValueCodeSignature (UPDATE_VALUE_CODE_SIGNATURE *UpdateSignature, UPDATE_ITEM_SIZE *Item) | Creates a new value-code signature and adds it to our internal list. |
| static INTSTATUS | IntUpdateAddVersionOsSignature (UPDATE_VERSION_OS_SIGNATURE *UpdateSignature, UPDATE_ITEM_SIZE *Item) | Creates a new operating system version signature and adds it to our internal list. |
| static INTSTATUS | IntUpdateAddVersionIntroSignature (UPDATE_VERSION_INTRO_SIGNATURE *UpdateSignature, UPDATE_ITEM_SIZE *Item) | Creates a new introspection version signature and adds it to our internal list. |
| static INTSTATUS | IntUpdateAddExportSignature (UPDATE_EXPORT_SIGNATURE *UpdateSignature, UPDATE_ITEM_SIZE *Item) | Creates a new export signature and adds it to our internal list. |
| static INTSTATUS | IntUpdateAddProcessCreationSignature (UPDATE_PROCESS_CREATION_SIGNATURE *UpdateSignature, UPDATE_ITEM_SIZE *Item) | Creates a new process-creation signature and adds it to our internal list. |
| static void | IntUpdateSetIdForException (EXCEPTION_SIGNATURE_ID *Signatures, DWORD Count) | Generates a new ID for each signature. |
| void | IntUpdateAssignAlertSignatureIds (void) | Generates IDs for exceptions that were added from alerts. |
| INTSTATUS | IntUpdateLoadExceptions (void *Buffer, DWORD Length, DWORD Flags) | Handles the exceptions coming from the integrator. |
| static void | IntUpdateAddUserExceptionInOrder (UM_EXCEPTION *Exception) | Adds a user-mode exception from an alert to the sorted list. |
| static void | IntUpdateAddKernelExceptionInOrder (KM_EXCEPTION *Exception) | Adds a kernel-mode exception from an alert to the sorted list. |
| static void | IntUpdateAddKernelUserExceptionInOrder (KUM_EXCEPTION *Exception) | Adds a kernel-user mode exception from an alert to the sorted list. |
| static INTSTATUS | IntUpdateCreateExportSignatureFromAlert (const ALERT_EXPORT_SIGNATURE *AlertSig, SIG_EXPORT **Signature) | Creates a new export signature from an ALERT_EXPORT_SIGNATURE. |
| static INTSTATUS | IntUpdateCreateIdtSignatureFromAlert (const ALERT_IDT_SIGNATURE *AlertSig, SIG_IDT **Signature) | Creates a new IDT signature from an ALERT_IDT_SIGNATURE. |
| static INTSTATUS | IntUpdateCreateCbSignatureFromAlert (const ALERT_CB_SIGNATURE *AlertSig, SIG_CODEBLOCKS **Signature) | Creates a new code-blocks signature from an ALERT_CB_SIGNATURE. |
| static INTSTATUS | IntUpdateCreateProcessCreationSignatureFromAlert (const ALERT_PROCESS_CREATION_SIGNATURE *AlertSig, SIG_PROCESS_CREATION **Signature) | Creates a new process-creation signature from an ALERT_PROCESS_CREATION_SIGNATURE. |
| static BOOLEAN | IntUpdateIsDuplicateCbSignature (const ALERT_CB_SIGNATURE *Signature, const EXCEPTION_SIGNATURE_ID *SigIds, DWORD SigCount) | Checks if the provided code-blocks alert-signature already exists in our list. |
| static BOOLEAN | IntUpdateIsDuplicateIdtSignature (const ALERT_IDT_SIGNATURE *Signature, const EXCEPTION_SIGNATURE_ID *SigIds, DWORD SigCount) | Checks if the provided IDT alert-signature already exists in our list. |
| static BOOLEAN | IntUpdateIsDuplicateExportSignature (const ALERT_EXPORT_SIGNATURE *Signature, const EXCEPTION_SIGNATURE_ID *SigIds, DWORD SigCount) | Checks if the provided export alert-signature already exists in our list. |
| static BOOLEAN | IntUpdateIsDuplicateKernelException (const ALERT_KM_EXCEPTION *Exception) | Checks if the provided kernel-mode exception already exists in our list. |
| static BOOLEAN | IntUpdateIsDuplicateKernelUserException (const ALERT_KUM_EXCEPTION *Exception) | Checks if the provided kernel-user mode exception already exists in our list. |
| static BOOLEAN | IntUpdateIsDuplicateUserException (const ALERT_UM_EXCEPTION *Exception) | Checks if the provided user-mode exception already exists in our list. |
| static INTSTATUS | IntUpdateAddUmException (const ALERT_UM_EXCEPTION *Exception, QWORD Context) | Creates a new user-mode exception from an alert-exception structure ALERT_UM_EXCEPTION and adds it to our internal list. |
| static INTSTATUS | IntUpdateAddKmException (const ALERT_KM_EXCEPTION *Exception, QWORD Context) | Creates a new kernel-mode exception from an alert-exception structure ALERT_KM_EXCEPTION and adds it to our internal list. |
| static INTSTATUS | IntUpdateAddKmUmException (const ALERT_KUM_EXCEPTION *Exception, QWORD Context) | Creates a new kernel-user mode exception from an alert-exception structure ALERT_KUM_EXCEPTION and adds it to our internal list. |
| INTSTATUS | IntUpdateAddExceptionFromAlert (const void *Event, INTRO_EVENT_TYPE Type, BOOLEAN Exception, QWORD Context) | Handles all types of supported exceptions that can be added from alerts. |
| static void | IntUpdateRemoveSignaturesForException (EXCEPTION_SIGNATURE_ID *Signatures, DWORD Count) | Removes and frees all signatures from the provided array. |
| INTSTATUS | IntUpdateRemoveException (QWORD Context) | Removes the exception for a given context. |
| INTSTATUS | IntUpdateFlushAlertExceptions (void) | Removes all exceptions that were added from alerts. |
| BOOLEAN | IntUpdateAreExceptionsLoaded (void) | Checks if the exceptions are loaded. |

Variables

| Variable | Description |
| --- | --- |
| static EXCEPTION_SIGNATURE_ID gCurrentSignatureId = { .Field = { .Value = BIT(22) / 2, .Type = 0} } | The current signature ID. Changes every time a new ID is generated. |
Handles exception updates.
Definition in file update_exceptions.c.
| #define UPDATE_VALIDATE_ALL (UPDATE_VALIDATE_FILE_SIZE | UPDATE_VALIDATE_HEADER_SIZE) |
All exception validation options.
Definition at line 21 of file update_exceptions.c.
Referenced by IntUpdateAddCbSignature(), IntUpdateAddExportSignature(), IntUpdateAddIdtSignature(), IntUpdateAddKernelException(), IntUpdateAddKernelUserException(), IntUpdateAddProcessCreationSignature(), IntUpdateAddUserException(), IntUpdateAddUserExceptionGlob(), IntUpdateAddValueCodeSignature(), IntUpdateAddValueSignature(), IntUpdateAddVersionIntroSignature(), and IntUpdateAddVersionOsSignature().
| #define UPDATE_VALIDATE_FILE_SIZE 0x1 |
Validate that an object fits inside the exception buffer.
Definition at line 17 of file update_exceptions.c.
Referenced by IntUpdateAddCbSignature(), IntUpdateAddExportSignature(), IntUpdateAddKernelException(), IntUpdateAddKernelUserException(), IntUpdateAddUserException(), IntUpdateAddUserExceptionGlob(), IntUpdateAddValueCodeSignature(), IntUpdateAddValueSignature(), and IntUpdateIsValidEntry().
| #define UPDATE_VALIDATE_HEADER_SIZE 0x2 |
Validate the size of the exception header.
Definition at line 19 of file update_exceptions.c.
Referenced by IntUpdateIsValidEntry().
| typedef struct _UPDATE_ITEM_SIZE * PUPDATE_ITEM_SIZE |
| typedef struct _UPDATE_ITEM_SIZE UPDATE_ITEM_SIZE |
Contains the information about the sizes of an entry (exception/signature) and about the size of the exceptions file.
Creates a new code-blocks signature and adds it to our internal list.
| [in] | UpdateSignature | The data from the binary file. |
| [in] | Item | The information about the current entry size and the file size. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_NEEDED_HINT | If the flags don't match the operating system. |
| INT_STATUS_INSUFFICIENT_RESOURCES | If HpAllocWithTag fails. |
Definition at line 681 of file update_exceptions.c.
Referenced by IntUpdateLoadExceptions().
INTSTATUS IntUpdateAddExceptionFromAlert (const void *Event, INTRO_EVENT_TYPE Type, BOOLEAN Exception, QWORD Context)
Handles all types of supported exceptions that can be added from alerts.
If the alert-exception has already been created (the Exception parameter is true), this function dispatches it to the function that creates an exception of the provided type. If the Exception parameter is false, this function first calls IntAlertCreateException to build the alert-exception structure from the event, then dispatches the newly created structure to the function that creates an exception of the provided type.
| [in] | Event | The event structure that contains the required information to create an exception. |
| [in] | Type | The type of the provided event. |
| [in] | Exception | True if the alert-exceptions structure is already created, otherwise false. |
| [in] | Context | The context provided by the integrator. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_NEEDED_HINT | If the exception already exists. |
| INT_STATUS_UNSUPPORTED_DATA_VALUE | If the alert-signature's version is different than our internal version. |
| INT_STATUS_INSUFFICIENT_RESOURCES | If not enough memory is available. |
Definition at line 2473 of file update_exceptions.c.
Referenced by IntAddExceptionFromAlert().
Creates a new export signature and adds it to our internal list.
| [in] | UpdateSignature | The data from the binary file. |
| [in] | Item | The information about the current entry size and the file size. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_NEEDED_HINT | If the flags don't match the operating system. |
| INT_STATUS_INSUFFICIENT_RESOURCES | If not enough memory is available. |
Definition at line 1061 of file update_exceptions.c.
Referenced by IntUpdateLoadExceptions().
Creates a new IDT signature and adds it to our internal list.
| [in] | UpdateSignature | The data from the binary file. |
| [in] | Item | The information about the current entry size and the file size. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_NEEDED_HINT | If the flags don't match the operating system. |
| INT_STATUS_INSUFFICIENT_RESOURCES | If not enough memory is available. |
Definition at line 859 of file update_exceptions.c.
Referenced by IntUpdateLoadExceptions().
Creates a new kernel-mode exception and adds it to our internal list.
The exception is added to the appropriate list as follows:
| [in] | UpdateException | The data from the binary file. |
| [in] | Item | The information about the current entry size and the file size. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_NEEDED_HINT | If the exception has the ignore flag or the flags don't match the operating system. |
| INT_STATUS_INSUFFICIENT_RESOURCES | If not enough memory is available. |
Definition at line 145 of file update_exceptions.c.
Referenced by IntUpdateLoadExceptions().
Adds a kernel-mode exception from an alert to the sorted list.
The exception is added to the user-mode alert-exceptions list.
| [in] | Exception | The kernel-mode exception structure. |
Definition at line 1529 of file update_exceptions.c.
Referenced by IntUpdateAddKmException().
Creates a new kernel-user mode exception and adds it to our internal list.
The exception is added to the appropriate list as follows:
| [in] | UpdateException | The data from the binary file. |
| [in] | Item | The information about the current entry size and the file size. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_NEEDED_HINT | If the exception has the ignore flag or the flags don't match the operating system. |
| INT_STATUS_INSUFFICIENT_RESOURCES | If not enough memory is available. |
Definition at line 265 of file update_exceptions.c.
Referenced by IntUpdateLoadExceptions().
Adds a kernel-user mode exception from an alert to the sorted list.
The exception is added to the user-mode alert-exceptions list.
| [in] | Exception | The kernel-mode exception structure. |
Definition at line 1572 of file update_exceptions.c.
Referenced by IntUpdateAddKmUmException().
Creates a new kernel-mode exception from an alert-exception structure ALERT_KM_EXCEPTION and adds it to our internal list.
This function also creates code-blocks, export or process-creation signatures, if any, and adds them to the corresponding list of alert exceptions/signatures.
| [in] | Exception | The structure of the alert-exception. |
| [in] | Context | The context provided by integrator. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_NEEDED_HINT | If the exception already exists. |
| INT_STATUS_UNSUPPORTED_DATA_VALUE | If the alert-signature's version is different than our internal version. |
| INT_STATUS_INSUFFICIENT_RESOURCES | If not enough memory is available. |
Definition at line 2284 of file update_exceptions.c.
Referenced by IntUpdateAddExceptionFromAlert().
Creates a new kernel-user mode exception from an alert-exception structure ALERT_KUM_EXCEPTION and adds it to our internal list.
This function also creates code-blocks, export or process-creation signatures, if any, and adds them to the corresponding list of alert exceptions/signatures.
| [in] | Exception | The structure of the alert-exception. |
| [in] | Context | The context provided by integrator. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_NEEDED_HINT | If the exception already exists. |
| INT_STATUS_UNSUPPORTED_DATA_VALUE | If the alert-signature's version is different than our internal version. |
| INT_STATUS_INSUFFICIENT_RESOURCES | If not enough memory is available. |
Definition at line 2390 of file update_exceptions.c.
Referenced by IntUpdateAddExceptionFromAlert().
Creates a new process-creation signature and adds it to our internal list.
| [in] | UpdateSignature | The data from the binary file. |
| [in] | Item | The information about the current entry size and the file size. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_NEEDED_HINT | If the flags don't match the operating system. |
| INT_STATUS_INSUFFICIENT_RESOURCES | If not enough memory is available. |
Definition at line 1124 of file update_exceptions.c.
Referenced by IntUpdateLoadExceptions().
Creates a new user-mode exception from an alert-exception structure ALERT_UM_EXCEPTION and adds it to our internal list.
This function also creates code-blocks, export or process-creation signatures, if any, and adds them to the corresponding list of alert exceptions/signatures.
| [in] | Exception | The structure of the alert-exception. |
| [in] | Context | The context provided by integrator. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_NEEDED_HINT | If the exception already exists. |
| INT_STATUS_UNSUPPORTED_DATA_VALUE | If the alert-signature's version is different than our internal version. |
| INT_STATUS_INSUFFICIENT_RESOURCES | If not enough memory is available. |
Definition at line 2152 of file update_exceptions.c.
Referenced by IntUpdateAddExceptionFromAlert().
Creates a new user-mode exception and adds it to our internal list.
The exception is added to the appropriate list as follows:
| [in] | UpdateException | The data from the binary file. |
| [in] | Item | The information about the current entry size and the file size. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_NEEDED_HINT | If the exception has the ignore flag or the flags don't match the operating system. |
| INT_STATUS_INSUFFICIENT_RESOURCES | If not enough memory is available. |
Definition at line 380 of file update_exceptions.c.
Referenced by IntUpdateLoadExceptions().
Creates a new glob user-mode exception and adds it to our internal list.
| [in] | UpdateException | The data from the binary file. |
| [in] | Item | The information about the current entry size and the file size. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_NEEDED_HINT | If the exception has the ignore flag or the flags don't match the operating system. |
| INT_STATUS_INSUFFICIENT_RESOURCES | If not enough memory is available. |
| INT_STATUS_NOT_SUPPORTED | If the content of the originator or victim field is longer than EXCEPTION_UM_GLOB_LENGTH. |
Definition at line 518 of file update_exceptions.c.
Referenced by IntUpdateLoadExceptions().
Adds a user-mode exception from an alert to the sorted list.
The exception is added to the list that contains process-creation alert-exceptions list if the object type is umObjProcessCreation, otherwise it is added to the user-mode alert-exceptions list.
| [in] | Exception | The user-mode exception structure. |
Definition at line 1474 of file update_exceptions.c.
Referenced by IntUpdateAddUmException().
Creates a new value-code signature and adds it to our internal list.
| [in] | UpdateSignature | The data from the binary file. |
| [in] | Item | The information about the current entry size and the file size. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_NEEDED_HINT | If the flags don't match the operating system. |
| INT_STATUS_INSUFFICIENT_RESOURCES | If not enough memory is available. |
Definition at line 905 of file update_exceptions.c.
Referenced by IntUpdateLoadExceptions().
Creates a new value signature and adds it to our internal list.
| [in] | UpdateSignature | The data from the binary file. |
| [in] | Item | The information about the current entry size and the file size. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_NEEDED_HINT | If the flags don't match the operating system. |
| INT_STATUS_INSUFFICIENT_RESOURCES | If HpAllocWithTag fails. |
Definition at line 789 of file update_exceptions.c.
Referenced by IntUpdateLoadExceptions().
Creates a new introspection version signature and adds it to our internal list.
| [in] | UpdateSignature | The data from the binary file. |
| [in] | Item | The information about the current entry size and the file size. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_NEEDED_HINT | If the flags don't match the operating system. |
| INT_STATUS_INSUFFICIENT_RESOURCES | If not enough memory is available. |
Definition at line 1016 of file update_exceptions.c.
Referenced by IntUpdateLoadExceptions().
Creates a new operating system version signature and adds it to our internal list.
| [in] | UpdateSignature | The data from the binary file. |
| [in] | Item | The information about the current entry size and the file size. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_NEEDED_HINT | If the flags don't match the operating system. |
| INT_STATUS_INSUFFICIENT_RESOURCES | If not enough memory is available. |
Definition at line 971 of file update_exceptions.c.
Referenced by IntUpdateLoadExceptions().
BOOLEAN IntUpdateAreExceptionsLoaded (void)
Checks if the exceptions are loaded.
| True | if the exceptions are loaded, otherwise false. |
Definition at line 2751 of file update_exceptions.c.
Referenced by IntHandleTimer().
void IntUpdateAssignAlertSignatureIds (void)
Generates IDs for exceptions that were added from alerts.
Definition at line 1245 of file update_exceptions.c.
Referenced by IntUpdateLoadExceptions().
Creates a new code-blocks signature from an ALERT_CB_SIGNATURE.
| [in] | AlertSig | The signature created from an alert. |
| [out] | Signature | The newly created signature. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_UNSUPPORTED_DATA_VALUE | If the alert-signature's version is different than our internal version. |
| INT_STATUS_INSUFFICIENT_RESOURCES | If not enough memory is available. |
Definition at line 1700 of file update_exceptions.c.
Referenced by IntUpdateAddKmException(), IntUpdateAddKmUmException(), and IntUpdateAddUmException().
Creates a new export signature from an ALERT_EXPORT_SIGNATURE.
| [in] | AlertSig | The signature created from an alert. |
| [out] | Signature | The newly created signature. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_UNSUPPORTED_DATA_VALUE | If the alert-signature's version is different than our internal version. |
| INT_STATUS_INSUFFICIENT_RESOURCES | If not enough memory is available. |
Definition at line 1608 of file update_exceptions.c.
Referenced by IntUpdateAddUmException().
Creates a new IDT signature from an ALERT_IDT_SIGNATURE.
| [in] | AlertSig | The signature created from an alert. |
| [out] | Signature | The newly created signature. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_UNSUPPORTED_DATA_VALUE | If the alert-signature's version is different than our internal version. |
| INT_STATUS_INSUFFICIENT_RESOURCES | If not enough memory is available. |
Definition at line 1657 of file update_exceptions.c.
Referenced by IntUpdateAddKmException().
Creates a new process-creation signature from an ALERT_PROCESS_CREATION_SIGNATURE.
| [in] | AlertSig | The signature created from an alert. |
| [out] | Signature | The newly created signature. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_UNSUPPORTED_DATA_VALUE | If the alert-signature's version is different than our internal version. |
| INT_STATUS_INSUFFICIENT_RESOURCES | If not enough memory is available. |
Definition at line 1765 of file update_exceptions.c.
Referenced by IntUpdateAddUmException().
INTSTATUS IntUpdateFlushAlertExceptions (void)
This function removes all exceptions that were added from alerts.
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_INITIALIZED | If the exceptions are not initialized. |
Definition at line 2721 of file update_exceptions.c.
Referenced by IntFlushAlertExceptions().
Get a unique signature ID for a given type.
| [in] | Type | The type of the signature. |
| Returns | A unique ID. |
Definition at line 86 of file update_exceptions.c.
Referenced by IntUpdateCreateCbSignatureFromAlert(), IntUpdateCreateExportSignatureFromAlert(), IntUpdateCreateIdtSignatureFromAlert(), IntUpdateCreateProcessCreationSignatureFromAlert(), and IntUpdateSetIdForException().
Get the version of the loaded exceptions binary file.
| [out] | MajorVersion | The major version of the exceptions. |
| [out] | MinorVersion | The minor version of the exceptions. |
| [out] | BuildNumber | The build number of the exceptions. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER_1 | If the MajorVersion is null. |
| INT_STATUS_INVALID_PARAMETER_2 | If the MinorVersion is null. |
| INT_STATUS_INVALID_PARAMETER_3 | If the BuildNumber is null. |
| INT_STATUS_NOT_INITIALIZED | If the exceptions are not loaded. |
Definition at line 38 of file update_exceptions.c.
Referenced by IntGetExceptionsVersion().
Checks if the provided code-blocks alert-signature already exists in our list.
| [in] | Signature | The signature that must be verified if already exists. |
| [in] | SigIds | An array of signature IDs. |
| [in] | SigCount | The number of signatures. |
| True | if the signature already exists; otherwise false. |
Definition at line 1808 of file update_exceptions.c.
Referenced by IntUpdateIsDuplicateKernelException(), IntUpdateIsDuplicateKernelUserException(), and IntUpdateIsDuplicateUserException().
Checks if the provided export alert-signature already exists in our list.
| [in] | Signature | The signature that must be verified if already exists. |
| [in] | SigIds | An array of signature IDs. |
| [in] | SigCount | The number of signatures. |
| True | if the signature already exists; otherwise false. |
Definition at line 1903 of file update_exceptions.c.
Referenced by IntUpdateIsDuplicateUserException().
Checks if the provided IDT alert-signature already exists in our list.
| [in] | Signature | The signature that must be verified if already exists. |
| [in] | SigIds | An array of signature IDs. |
| [in] | SigCount | The number of signatures. |
| True | if the signature already exists; otherwise false. |
Definition at line 1862 of file update_exceptions.c.
Referenced by IntUpdateIsDuplicateKernelException().
Checks if the provided kernel-mode exception already exists in our list.
This function also verifies whether another exception with the same signatures exists.
| [in] | Exception | The exception that must be verified if already exists. |
| True | if the exception already exists; otherwise false. |
Definition at line 1954 of file update_exceptions.c.
Referenced by IntUpdateAddKmException().
Checks if the provided kernel-user mode exception already exists in our list.
This function also verifies whether another exception with the same signatures exists.
| [in] | Exception | The exception that must be verified if already exists. |
| True | if the exception already exists; otherwise false. |
Definition at line 2020 of file update_exceptions.c.
Referenced by IntUpdateAddKmUmException().
Checks if the provided user-mode exception already exists in our list.
This function also verifies whether another exception with the same signatures exists.
| [in] | Exception | The exception that must be verified if already exists. |
| True | if the exception already exists; otherwise false. |
Definition at line 2072 of file update_exceptions.c.
Referenced by IntUpdateAddUmException().
Checks if the provided Size can be read from the exceptions file without exceeding its size.
| [in] | Size | The size of the entry to be read. |
| [in] | Item | The information about the current entry size and the file size. |
| [in] | Flags | The size (header/file) to be validated. |
| True | if the size of the entry is not valid, otherwise false. |
Definition at line 105 of file update_exceptions.c.
Referenced by IntUpdateAddCbSignature(), IntUpdateAddExportSignature(), IntUpdateAddIdtSignature(), IntUpdateAddKernelException(), IntUpdateAddKernelUserException(), IntUpdateAddProcessCreationSignature(), IntUpdateAddUserException(), IntUpdateAddUserExceptionGlob(), IntUpdateAddValueCodeSignature(), IntUpdateAddValueSignature(), IntUpdateAddVersionIntroSignature(), and IntUpdateAddVersionOsSignature().
Handles the exceptions coming from the integrator.
This function first removes the existing exceptions that were not added from alerts, then parses the entire provided buffer and, for each entry, calls the function that adds that specific type of exception or signature.
| [in] | Buffer | The exceptions buffer. |
| [in] | Length | The length of the exceptions buffer. |
| [in] | Flags | Unused. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_SUPPORTED | If the exceptions buffer is corrupted or the version of the exceptions is not supported. |
Definition at line 1270 of file update_exceptions.c.
Referenced by IntUpdateExceptions().
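An added worked example (not HVMI's own code) of the bounds discipline that the IntUpdateIsValidEntry and IntUpdateLoadExceptions descriptions above imply: a loader walks a constructed exceptions buffer and refuses any entry that would be read past the remaining file or past the size its own header declares, so a truncated or corrupted file is rejected instead of causing an out-of-bounds read. Only the three UPDATE_VALIDATE_* macros come from this page; the entry format, the struct field names, the payload layouts and the exact meaning of the header-size check are assumptions made for this demo.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* The three validation flags as documented on this page. */
#define UPDATE_VALIDATE_FILE_SIZE   0x1
#define UPDATE_VALIDATE_HEADER_SIZE 0x2
#define UPDATE_VALIDATE_ALL (UPDATE_VALIDATE_FILE_SIZE | UPDATE_VALIDATE_HEADER_SIZE)

/* Hypothetical stand-in for UPDATE_ITEM_SIZE: the page only says it holds the
 * size of the current entry and the size of the exceptions file. */
typedef struct { uint32_t EntrySize; uint32_t FileSize; } ITEM_SIZE;

/* Hypothetical entry header and payloads; the real HVMI file format is not on this page. */
typedef struct { uint16_t Type; uint16_t Reserved; uint32_t Size; } ENTRY_HEADER; /* Size includes the header */
typedef struct { uint64_t Originator; uint64_t Victim; uint32_t Flags; } KM_PAYLOAD;
typedef struct { uint64_t Originator; uint64_t Victim; uint64_t Process; uint32_t Flags; } UM_PAYLOAD;
enum { ENTRY_KM = 1, ENTRY_UM = 2 };
#define HDR ((uint32_t)sizeof(ENTRY_HEADER))

/* The decision IntUpdateIsValidEntry is documented to make: may Size bytes be read?
 * FILE_SIZE: the read stays inside the remaining buffer. HEADER_SIZE (assumed
 * meaning): it also stays inside the size the entry's own header declared, so a
 * header that under-declares its payload is rejected. */
bool IsValidEntry(uint32_t Size, const ITEM_SIZE *Item, uint32_t Flags)
{
    if ((Flags & UPDATE_VALIDATE_FILE_SIZE) && Size > Item->FileSize)
        return false;
    if ((Flags & UPDATE_VALIDATE_HEADER_SIZE) && Size > Item->EntrySize)
        return false;
    return true;
}

/* Walks Buffer as IntUpdateLoadExceptions is described to: read a header, validate,
 * dispatch on type, advance. Returns the number of accepted entries, or -1 at the
 * first entry that does not fit, before anything is read out of bounds. */
int ParseExceptionsBuffer(const uint8_t *Buffer, uint32_t Length, int *KmCount, int *UmCount)
{
    uint32_t offset = 0;
    int accepted = 0;
    *KmCount = *UmCount = 0;
    while (offset < Length) {
        ITEM_SIZE item = { .EntrySize = 0, .FileSize = Length - offset };
        ENTRY_HEADER hdr;
        if (!IsValidEntry(HDR, &item, UPDATE_VALIDATE_FILE_SIZE))   /* header itself must fit */
            return -1;
        memcpy(&hdr, Buffer + offset, HDR);
        /* A declared size below the header would stall the loop; one beyond the
         * remaining bytes means the file is truncated. */
        item.EntrySize = hdr.Size;
        if (hdr.Size < HDR || !IsValidEntry(hdr.Size, &item, UPDATE_VALIDATE_FILE_SIZE))
            return -1;
        /* Each kind has a fixed payload that must fit both the declared entry and
         * the file (UPDATE_VALIDATE_ALL); an unknown kind means a corrupted buffer. */
        uint32_t need = hdr.Type == ENTRY_KM ? HDR + (uint32_t)sizeof(KM_PAYLOAD)
                      : hdr.Type == ENTRY_UM ? HDR + (uint32_t)sizeof(UM_PAYLOAD) : 0;
        if (need == 0 || !IsValidEntry(need, &item, UPDATE_VALIDATE_ALL))
            return -1;
        if (hdr.Type == ENTRY_KM) (*KmCount)++; else (*UmCount)++;
        offset += hdr.Size;   /* cannot overflow: hdr.Size <= Length - offset */
        accepted++;
    }
    return accepted;
}

/* Writes one entry: a header declaring Size, then Payload zero bytes; returns bytes written. */
static uint32_t PutEntry(uint8_t *Out, uint16_t Type, uint32_t Size, uint32_t Payload)
{
    ENTRY_HEADER hdr = { .Type = Type, .Reserved = 0, .Size = Size };
    memcpy(Out, &hdr, HDR);
    memset(Out + HDR, 0, Payload);
    return HDR + Payload;
}

/* Constructed sample (not real exception data): one KM entry followed by one UM entry. */
static uint32_t BuildSample(uint8_t *Buf)
{
    uint32_t n = PutEntry(Buf, ENTRY_KM, HDR + (uint32_t)sizeof(KM_PAYLOAD), (uint32_t)sizeof(KM_PAYLOAD));
    return n + PutEntry(Buf + n, ENTRY_UM, HDR + (uint32_t)sizeof(UM_PAYLOAD), (uint32_t)sizeof(UM_PAYLOAD));
}

/* Demo cases over the constructed data. Mode 0: intact sample, returns 2.
 * Mode 1: the same sample with its last 4 bytes cut off; the UM header now
 * declares more than remains, so the loader returns -1 without reading past
 * the end. Mode 2: a header that declares only its own size in front of a full
 * KM payload; the HEADER_SIZE check rejects it (-1) although the bytes exist. */
int DemoCase(int Mode)
{
    uint8_t buf[128]; int km, um;
    uint32_t n = Mode == 2 ? PutEntry(buf, ENTRY_KM, HDR, (uint32_t)sizeof(KM_PAYLOAD)) : BuildSample(buf);
    return ParseExceptionsBuffer(buf, Mode == 1 ? n - 4 : n, &km, &um);
}
```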
This function removes an exception for a given context.
This function iterates over all alert-exception lists to find the exception that matches the given context.
| [in] | Context | The context given by the integrator. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_INITIALIZED | If the exceptions are not initialized. |
| INT_STATUS_NOT_FOUND | If no exception with the given context exists. |
Definition at line 2666 of file update_exceptions.c.
Referenced by IntRemoveException().
This function removes and frees all signatures from the provided array.
| [in] | Signatures | An array that contains the signature IDs. |
| [in] | Count | The number of the signatures. |
Definition at line 2598 of file update_exceptions.c.
Referenced by IntUpdateRemoveException().
Generates a new ID for each signature.
This function is used when a new exceptions binary is loaded. The exceptions that were added from alerts are not removed when a new exceptions binary is loaded, so the IDs of their signatures must be reassigned.
| [in] | Signatures | The list of exceptions' signatures. |
| [in] | Count | The number of the signatures. |
Definition at line 1168 of file update_exceptions.c.
Referenced by IntUpdateAssignAlertSignatureIds().
The current signature ID. Changes every time a new ID is generated.
Definition at line 24 of file update_exceptions.c.
Referenced by IntUpdateGetUniqueSigId().