17 #define UPDATE_VALIDATE_FILE_SIZE 0x1 18 #define UPDATE_VALIDATE_HEADER_SIZE 0x2 20 #define UPDATE_VALIDATE_ALL (UPDATE_VALIDATE_FILE_SIZE | UPDATE_VALIDATE_HEADER_SIZE) 57 if (NULL == MajorVersion)
62 if (NULL == MinorVersion)
67 if (NULL == BuildNumber)
122 if (Size != Item->EntrySize)
124 ERROR(
"[ERROR] The exceptions file is corrupted. The size of the entry (%d) is different from the size " 125 "provided by the header (%d)\n", Size, Item->EntrySize);
132 if (Size > Item->RemainingFileSize)
134 ERROR(
"[ERROR] The exceptions file is corrupted. The size of the entry (%d) exceed the remaining size " 135 "of the exceptions file (%d)\n", Size, Item->RemainingFileSize);
190 TRACE(
"[UPDATE] Dropped an ignored KM exception. No problem here!\n");
196 if (NULL == pException)
203 pException->
Flags = UpdateException->Flags;
204 pException->
Type = UpdateException->Type;
205 pException->
SigCount = UpdateException->SigCount;
214 if (UpdateException->SigCount > 0)
216 memcpy(&pException->
Signatures[0], &UpdateException->SigIds[0],
310 TRACE(
"[UPDATE] Dropped an ignored KM exception. No problem here!\n");
316 if (NULL == pException)
324 pException->
Flags = UpdateException->Flags;
325 pException->
Type = UpdateException->Type;
326 pException->
SigCount = UpdateException->SigCount;
329 if (UpdateException->SigCount > 0)
331 memcpy(&pException->
Signatures[0], &UpdateException->SigIds[0],
427 TRACE(
"[UPDATE] Dropped an ignored UM exception. No problem here!\n");
432 if (NULL == pException)
440 pException->
Flags = UpdateException->Flags;
441 pException->
Type = UpdateException->Type;
442 pException->
SigCount = UpdateException->SigCount;
457 if (UpdateException->SigCount > 0)
460 memcpy(pException->
Signatures, UpdateException->SigIds,
538 DWORD remainingSize = Item->RemainingFileSize;
539 char *pOriginatorName = NULL;
540 size_t originatorNameLen = 0;
541 char *pVictimName = NULL;
542 size_t victimNameLen = 0;
543 char *pProcName = NULL;
544 size_t procNameLen = 0;
552 size =
sizeof(UpdateException->Flags) +
sizeof(UpdateException->Type) +
sizeof(UpdateException->_Reserved)
553 +
sizeof(UpdateException->SigCount);
554 remainingSize -= size;
558 TRACE(
"[UPDATE] Dropped an ignored UM exception. No problem here!\n");
562 pOriginatorName = UpdateException->OriginatorNameGlob;
564 size += (
DWORD)originatorNameLen;
565 remainingSize -= (
DWORD)originatorNameLen;
567 if (originatorNameLen <= 1)
569 ERROR(
"[ERROR] The originator name length is invalid (%zu)\n", originatorNameLen);
578 if (originatorNameLen > EXCEPTION_UM_GLOB_LENGTH)
580 ERROR(
"[ERROR] Originator Name length is longer than the supported one (%d)\n", EXCEPTION_UM_GLOB_LENGTH);
584 pVictimName = pOriginatorName + originatorNameLen;
585 victimNameLen =
strlen_s(pVictimName,
MIN((
DWORD)EXCEPTION_UM_GLOB_LENGTH, remainingSize)) + 1;
586 size += (
DWORD)victimNameLen;
587 remainingSize -= (
DWORD)victimNameLen;
589 if (victimNameLen <= 1)
591 ERROR(
"[ERROR] The victim name length is invalid (%zu)\n", victimNameLen);
600 if (victimNameLen > EXCEPTION_UM_GLOB_LENGTH)
602 ERROR(
"[ERROR] Victim Name length is longer than the supported one (%d)\n", EXCEPTION_UM_GLOB_LENGTH);
606 pProcName = pVictimName + victimNameLen;
607 procNameLen =
strlen_s(pProcName,
MIN((
DWORD)EXCEPTION_UM_GLOB_LENGTH, remainingSize)) + 1;
608 size += (
DWORD)procNameLen;
610 if (procNameLen <= 1)
612 ERROR(
"[ERROR] The process name length is invalid (%zu)\n", procNameLen);
622 if (procNameLen > EXCEPTION_UM_GLOB_LENGTH)
624 ERROR(
"[ERROR] Victim Process length is longer than the supported one (%d)\n", EXCEPTION_UM_GLOB_LENGTH);
643 if (NULL == pException)
648 pException->
Flags = UpdateException->Flags;
649 pException->
Type = UpdateException->Type;
650 pException->
SigCount = UpdateException->SigCount;
652 if (originatorNameLen > 1)
657 if (victimNameLen > 1)
667 if (UpdateException->SigCount > 0)
670 void *pSigStart = pProcName + procNameLen;
709 for (
DWORD i = 0; i < UpdateSignature->ListsCount; i++)
711 DWORD updateHashSize;
725 extraSize += hashSize;
726 size += updateHashSize;
751 if (NULL == pSignature)
756 pSignature->
Id.
Value = UpdateSignature->Id;
757 pSignature->
Flags = UpdateSignature->Flags;
758 pSignature->
Score = UpdateSignature->Score;
759 pSignature->
ListsCount = UpdateSignature->ListsCount;
765 for (
DWORD i = 0; i < UpdateSignature->ListsCount; i++)
768 DWORD updateHashSize =
sizeof(*pHashList) + pHashList->
Count *
sizeof(
DWORD);
830 if (NULL == pSignature)
835 pSignature->
Id.
Value = UpdateSignature->Id;
836 pSignature->
Flags = UpdateSignature->Flags;
837 pSignature->
Score = UpdateSignature->Score;
838 pSignature->
ListsCount = UpdateSignature->ListsCount;
845 for (
DWORD i = 0; i < UpdateSignature->ListsCount; i++)
848 pSigHash[i].
Size = pHashList[i].
Size;
849 pSigHash[i].
Hash = pHashList[i].
Hash;
888 if (NULL == pSignature)
893 pSignature->
Id.
Value = UpdateSignature->Id;
894 pSignature->
Flags = UpdateSignature->Flags;
895 pSignature->
Entry = UpdateSignature->Entry;
922 WORD *pUpdatePattern;
923 WORD *pExceptionPattern;
930 size = UpdateSignature->Length *
sizeof(
WORD);
944 if (NULL == pSignature)
949 pSignature->
Id.
Value = UpdateSignature->Id;
950 pSignature->
Offset = UpdateSignature->Offset;
951 pSignature->
Flags = UpdateSignature->Flags;
952 pSignature->
Length = UpdateSignature->Length;
955 pUpdatePattern = &UpdateSignature->Pattern[0];
956 pExceptionPattern = &pSignature->
Object[0];
959 for (
DWORD i = 0; i < UpdateSignature->Length; i++)
961 pExceptionPattern[i] = pUpdatePattern[i];
998 if (pSignature == NULL)
1003 pSignature->
Id.
Value = UpdateSignature->Id;
1004 pSignature->
Flags = UpdateSignature->Flags;
1006 pSignature->
Minimum.
Value = UpdateSignature->Minimum.Value;
1007 pSignature->
Maximum.
Value = UpdateSignature->Maximum.Value;
1043 if (pSignature == NULL)
1048 pSignature->
Id.
Value = UpdateSignature->Id;
1049 pSignature->
Flags = UpdateSignature->Flags;
1051 pSignature->
Minimum.
Raw = UpdateSignature->Minimum.Raw;
1052 pSignature->
Maximum.
Raw = UpdateSignature->Maximum.Raw;
1096 if (NULL == pSignature)
1101 pSignature->
Id.
Value = UpdateSignature->Id;
1102 pSignature->
Flags = UpdateSignature->Flags;
1104 pSignature->
ListsCount = UpdateSignature->ListsCount;
1111 for (
DWORD i = 0; i < UpdateSignature->ListsCount; i++)
1113 pSigHash[i].Hash = pHashList[i].
Hash;
1114 pSigHash[i].Delta = pHashList[i].
Delta;
1151 if (pSignature == NULL)
1156 pSignature->
Id.
Value = UpdateSignature->Id;
1157 pSignature->
Flags = UpdateSignature->Flags;
1159 pSignature->
CreateMask = UpdateSignature->CreateMask;
1182 for (
DWORD i = 0; i < Count; i++)
1184 switch (Signatures[i].Field.Type)
1190 if (pSignature->AlertSignature && pSignature->Id.Value == Signatures[i].Value)
1193 Signatures[i] = pSignature->Id;
1206 if (pSignature->AlertSignature && pSignature->Id.Value == Signatures[i].Value)
1209 Signatures[i] = pSignature->Id;
1222 if (pSignature->AlertSignature && pSignature->Id.Value == Signatures[i].Value)
1225 Signatures[i] = pSignature->Id;
1236 ERROR(
"[ERROR] Should not reach here. Type is '%d'n", Signatures[i].Field.Type);
1307 fileHeader = Buffer;
1309 LOG(
"[UPDATE] Requested to update the intro exceptions...\n");
1313 ERROR(
"[ERROR] Exception file header doesn't have the right magic word (%c%c%c%c)\n",
1314 (fileHeader->
Magic & 0xff000000) >> 24, (fileHeader->
Magic & 0xff0000) >> 16,
1315 (fileHeader->
Magic & 0xff00) >> 8, fileHeader->
Magic & 0xff);
1322 ERROR(
"[ERROR] Update's file major (%d.%d) version is different form ours (%d.%d)\n",
1331 WARNING(
"[WARNING] Update's file minor (%d.%d) version is newer than ours (%d.%d). " 1337 ERROR(
"[ERROR] Update's file minor (%d.%d) version is older than ours (%d.%d). " 1349 WARNING(
"[WARNING] Requested update with 0 kernel exceptions and 0 user exceptions. We cannot do that...\n");
1362 ERROR(
"[ERROR] IntExceptRemove failed: 0x%08x\n", status);
1372 while (address < (
PBYTE)(size_t)Buffer + Length)
1376 ERROR(
"[ERROR] The address of 'UPDATE_HEADER' structure exceeds the exception buffer " 1390 switch (header->
Type)
1446 WARNING(
"[WARNING] Unknown exception/signature type '%d'. Will ignore ...\n", header->
Type);
1453 ERROR(
"[ERROR] Failed adding exception/signature. Will abort the update. Reason=0x%08x\n", status);
1466 LOG(
"[UPDATE] Updated exceptions to version %d.%d.%d\n",
1488 TRACE(
"[UPDATE] Add exception %08x -> %08x, %08x, %d, %08x\n",
1489 Exception->OriginatorNameHash, Exception->Victim.ProcessHash, Exception->Victim.NameHash,
1490 Exception->Type, Exception->Flags);
1492 if (Exception->SigCount == 1)
1494 TRACE(
"[UPDATE] sig: 0x%08x\n", Exception->Signatures[0].Value);
1496 else if (Exception->SigCount > 0)
1498 TRACE(
"[UPDATE] sig: %d signatures\n", Exception->SigCount);
1513 if (pEx->OriginatorNameHash > Exception->OriginatorNameHash)
1540 TRACE(
"[UPDATE] Add exception %08x -> %08x, %d, %08x\n",
1541 Exception->OriginatorNameHash, Exception->VictimNameHash,
1542 Exception->Type, Exception->Flags);
1544 if (Exception->SigCount == 1)
1546 TRACE(
"[UPDATE] sig: %d\n", Exception->Signatures[0].Value);
1548 else if (Exception->SigCount > 0)
1550 TRACE(
"[UPDATE] sig: %d signatures\n", Exception->SigCount);
1556 if (pEx->OriginatorNameHash > Exception->OriginatorNameHash)
1583 TRACE(
"[UPDATE] Add exception %08x -> %08x %08x, %d, %08x\n",
1584 Exception->Originator.NameHash, Exception->Victim.NameHash, Exception->Victim.ProcessHash,
1585 Exception->Type, Exception->Flags);
1587 TRACE(
"[UPDATE] Signatures = %d \n", Exception->SigCount);
1592 if (pEx->Originator.NameHash > Exception->Originator.NameHash)
1625 ERROR(
"[ERROR] Unsupported export signature version: %d. We have %d\n",
1638 pSig->
Flags = AlertSig->Flags;
1644 pSigHash->
Hash = AlertSig->Function;
1645 pSigHash->
Delta = (
WORD)(AlertSig->Delta + AlertSig->WriteSize);
1647 TRACE(
"[INFO] Add Export signature on 0x%08x (0x%08x) with delta %d\n",
1648 AlertSig->Function, AlertSig->Library, pSigHash->
Delta);
1675 ERROR(
"[ERROR] Unsupported idt signature version: %d. We have %d\n",
1681 if (NULL == pSignature)
1687 pSignature->
Entry = AlertSig->Entry;
1688 pSignature->
Flags = AlertSig->Flags;
1691 TRACE(
"[INFO] Add Idt Signature on %d entry.", pSignature->
Entry);
1693 *Signature = pSignature;
1718 WARNING(
"[WARNING] Unsupported cb signature version: %d. We have %d\n",
1731 DWORD totalSize =
sizeof(*pSignature) +
sizeof(*pSigHash) + AlertSig->
Count *
sizeof(
DWORD);
1734 if (NULL == pSignature)
1741 pSignature->
Score = AlertSig->Score;
1744 pSignature->
Flags = AlertSig->Flags;
1748 pSigHash->
Count = AlertSig->Count;
1751 pSigHash->
Hashes[i] = AlertSig->CodeBlocks[i];
1758 *Signature = pSignature;
1782 ERROR(
"[ERROR] Unsupported process-creation signature version: %d. We have %d\n",
1790 if (NULL == pSignature)
1798 pSignature->
Flags = AlertSig->Flags;
1799 pSignature->
CreateMask = AlertSig->CreateMask;
1801 *Signature = pSignature;
1823 if (!Signature->Valid)
1832 for (
DWORD i = 0; i < SigCount; i++)
1834 if (pSig->Id.Value != SigIds[i].Value)
1839 for (
DWORD j = 0; j < pSig->ListsCount; j++)
1842 sigSize += pHash->
Count *
sizeof(
DWORD) +
sizeof(*pHash);
1844 if (pHash->
Count != Signature->Count)
1849 if (0 == memcmp(pHash->
Hashes, Signature->CodeBlocks,
sizeof(
DWORD) * pHash->
Count))
1877 if (!Signature->Valid)
1884 for (
DWORD iSig = 0; iSig < SigCount; iSig++)
1886 if (pSignature->Id.Value != SigIds[iSig].Value)
1891 if (Signature->Entry == pSignature->Entry)
1918 if (!Signature->Valid)
1923 for (
DWORD i = 0; i < SigCount; i++)
1929 if (pSig->Id.Value != SigIds[i].Value)
1934 if (pSig->LibraryNameHash != Signature->Library)
1939 for (
DWORD j = 0; j < pSig->ListsCount; j++)
1941 if (pSigHash[j].Hash == Signature->Function && pSigHash[j].
Delta >= Signature->Delta)
1969 if (Exception->Originator == pEx->OriginatorNameHash &&
1970 Exception->Victim == pEx->VictimNameHash &&
1971 Exception->Flags == pEx->Flags &&
1972 Exception->Type == pEx->Type)
1974 if (pEx->SigCount != 0)
1981 isCbDuplicate =
TRUE;
1986 isIdtDuplicate =
TRUE;
1989 if ((isIdtDuplicate && isCbDuplicate) ||
1990 (isCbDuplicate && !Exception->Idt.Valid) ||
1991 (isIdtDuplicate && !Exception->CodeBlocks.Valid))
1993 TRACE(
"[UPDATE] Ignoring duplicate exception with signature: %08x -> %08x, %d, %08x\n",
1994 pEx->OriginatorNameHash, pEx->VictimNameHash, pEx->Type, pEx->Flags);
1999 else if (!Exception->CodeBlocks.Valid && !Exception->Idt.Valid)
2002 TRACE(
"[UPDATE] Ignoring duplicate exception: %08x -> %08x, %d, %08x\n",
2003 pEx->OriginatorNameHash, pEx->VictimNameHash, pEx->Type, pEx->Flags);
2010 if (pEx->OriginatorNameHash > Exception->Originator)
2035 if (Exception->Originator == pEx->Originator.NameHash &&
2036 Exception->Victim == pEx->Victim.NameHash &&
2037 Exception->Process == pEx->Victim.ProcessHash &&
2038 Exception->Flags == pEx->Flags &&
2039 Exception->Type == pEx->Type)
2041 if (pEx->SigCount != 0)
2045 TRACE(
"[UPDATE] Ignoring duplicate exception with signature: %08x -> %08x - %08x, %d, %08x\n",
2046 pEx->Originator.NameHash, pEx->Victim.NameHash, pEx->Victim.ProcessHash, pEx->Type, pEx->Flags);
2051 else if (!Exception->CodeBlocks.Valid)
2054 TRACE(
"[UPDATE] Ignoring duplicate exception: %08x -> %08x %08x, %d, %08x\n",
2055 pEx->Originator.NameHash, pEx->Victim.NameHash, pEx->Victim.ProcessHash, pEx->Type, pEx->Flags);
2061 if (pEx->Originator.NameHash > Exception->Originator)
2098 if (Exception->Originator == pEx->OriginatorNameHash &&
2099 Exception->Victim == pEx->Victim.NameHash &&
2100 Exception->Process == pEx->Victim.ProcessHash &&
2101 Exception->Type == pEx->Type)
2103 if (pEx->SigCount != 0)
2110 isCbDuplicate =
TRUE;
2115 isExportDuplicate =
TRUE;
2118 if ((isExportDuplicate && isCbDuplicate) ||
2119 (isCbDuplicate && !Exception->Export.Valid) ||
2120 (isExportDuplicate && !Exception->CodeBlocks.Valid))
2122 TRACE(
"[UPDATE] Ignoring duplicate exception with signature: %08x -> %08x, %08x, %d, %08x\n",
2123 pEx->OriginatorNameHash, pEx->Victim.ProcessHash,
2124 pEx->Victim.NameHash, pEx->Type, pEx->Flags);
2129 else if (!Exception->CodeBlocks.Valid && !Exception->Export.Valid)
2132 TRACE(
"[UPDATE] Ignoring duplicate exception: %08x -> %08x, %08x, %d, %08x\n",
2133 pEx->OriginatorNameHash, pEx->Victim.ProcessHash, pEx->Victim.NameHash,
2134 pEx->Type, pEx->Flags);
2141 if (pEx->OriginatorNameHash > Exception->Originator)
2173 DWORD sigCount = (Exception->CodeBlocks.Valid != 0) +
2174 (Exception->Export.Valid != 0) + (Exception->ProcessCreation.Valid);
2181 ERROR(
"[ERROR] Unsupported um exception version: %d. We have %d\n",
2192 if (NULL == pUmException)
2197 pUmException->
Context = Context;
2202 pUmException->
Flags = Exception->Flags;
2203 pUmException->
Type = Exception->Type;
2205 if (Exception->CodeBlocks.Valid)
2210 ERROR(
"[ERROR] IntUpdateCreateCbSignatureFromAlert failed with status: 0x%08x\n", status);
2222 if (Exception->Export.Valid)
2227 WARNING(
"[WARNING] IntUpdateCreateExportSignatureFromAlert failed with status: 0x%08x.\n", status);
2239 if (Exception->ProcessCreation.Valid)
2242 &pProcessCreationSignature);
2245 ERROR(
"[ERROR] IntUpdateCreateProcessCreationSignatureFromAlert failed with status: 0x%08x.\n", status);
2262 if (pCbSignature != NULL)
2267 if (pProcessCreationSignature != NULL)
2272 if (pExpSignature != NULL)
2306 DWORD sigCount = (Exception->Idt.Valid != 0) + (Exception->CodeBlocks.Valid != 0);
2308 SIG_IDT *pIdtSignature = NULL;
2312 ERROR(
"[ERROR] Unsupported km exception version: %d. We have %d\n",
2323 if (NULL == pKmException)
2328 pKmException->
Context = Context;
2331 pKmException->
Flags = Exception->Flags;
2332 pKmException->
Type = Exception->Type;
2334 if (Exception->Idt.Valid)
2339 ERROR(
"[ERROR] IntUpdateCreateIdtSignatureFromAlert failed with status: 0x%08x.\n", status);
2351 if (Exception->CodeBlocks.Valid)
2356 ERROR(
"[ERROR] IntUpdateCreateCbSignatureFromAlert failed with status: 0x%08x.\n", status);
2373 if (pCbSignature != NULL)
2378 if (pIdtSignature != NULL)
2411 DWORD sigCount = (Exception->CodeBlocks.Valid != 0);
2416 ERROR(
"[ERROR] Unsupported km exception version: %d. We have %d\n",
2427 if (NULL == pException)
2432 pException->
Context = Context;
2436 pException->
Flags = Exception->Flags;
2437 pException->
Type = Exception->Type;
2439 if (Exception->CodeBlocks.Valid)
2444 ERROR(
"[ERROR] IntUpdateCreateCbSignatureFromAlert failed with status: 0x%08x.\n", status);
2461 if (pCbSignature != NULL)
2474 _In_ const void *Event,
2501 const void *pException;
2502 QWORD violationFlags;
2512 ERROR(
"[ERROR] Failed to add exception of type %d!\n", Type);
2525 ERROR(
"[ERROR] Exception of type %d is invalid!\n", Type);
2533 violationFlags = header->
Flags;
2538 ERROR(
"[ERROR] IntAlertCreateException failed: %08x\n", status);
2542 pException = (
const void *)pBuff;
2550 ERROR(
"[ERROR] IntExceptInit failed: 0x%08x\n", status);
2590 ERROR(
"[ERROR] Failed to add exception of type %d: 0x%08x\n", Type, status);
2609 for (
DWORD i = 0; i < Count; i++)
2611 switch (Signatures[i].Field.Type)
2617 if (pSignature->AlertSignature && pSignature->Id.Value == Signatures[i].Value)
2631 if (pSignature->AlertSignature && pSignature->Id.Value == Signatures[i].Value)
2645 if (pSignature->AlertSignature && pSignature->Id.Value == Signatures[i].Value)
2657 ERROR(
"[ERROR] Should not reach here. Type is %d\n", Signatures[i].Field.Type);
2688 if (pException->Context == Context)
2698 if (pException->Context == Context)
2708 if (pException->Context == Context)
2738 TRACE(
"[INFO] Requesting to flush alert exceptions!\n");
QWORD ViolationFlags
A combination of Alert flags values describing the alert.
BOOLEAN Valid
Set to True if the information in the structure is valid, False otherwise.
EXCEPTION_SIGNATURE_ID Id
A unique id (EXCEPTION_SIGNATURE_ID).
WORD SigCount
Contains the number of signatures.
QWORD Context
Contains the context given by the integrator.
The header of an exception or a signature.
#define CONTAINING_RECORD(List, Type, Member)
static INTSTATUS IntUpdateCreateCbSignatureFromAlert(const ALERT_CB_SIGNATURE *AlertSig, SIG_CODEBLOCKS **Signature)
Creates a new code-blocks signature from an ALERT_CB_SIGNATURE.
Sent for unauthorized process creation alerts. See EVENT_PROCESS_CREATION_VIOLATION.
BOOLEAN AlertSignature
True if the signature is added from alert.
static void IntUpdateRemoveSignaturesForException(EXCEPTION_SIGNATURE_ID *Signatures, DWORD Count)
This function removes and frees all signatures from the provided array.
#define UPDATE_TYPE_KUM_EXCEPTION
DWORD RemainingFileSize
The remaining bytes for the exceptions file.
The exception ID. The layout consists of the exception type and the unique identifier of the exceptio...
static INTSTATUS IntUpdateAddIdtSignature(UPDATE_IDT_SIGNATURE *UpdateSignature, UPDATE_ITEM_SIZE *Item)
Creates a new IDT signature and adds it to our internal list.
Describe a export signature hash.
#define UPDATE_TYPE_EXPORT_SIGNATURE
Describes a process-creation signature.
LIST_HEAD KernelUserExceptions[EXCEPTION_TABLE_SIZE]
Array of linked lists used for kernel-user mode exceptions.
DWORD EntrySize
The size of the current exception/signature.
LIST_HEAD ValueCodeSignatures
Linked list used for value-code signatures.
Describe a kernel-user mode exception.
#define INT_STATUS_SUCCESS
static INTSTATUS IntUpdateAddVersionIntroSignature(UPDATE_VERSION_INTRO_SIGNATURE *UpdateSignature, UPDATE_ITEM_SIZE *Item)
Creates a new introspection version signature and adds it to our internal list.
#define ALERT_IDT_SIGNATURE_VERSION
BYTE Score
The number of (minimum) hashes from a list that need to match.
QWORD Context
Contains the context given by the integrator.
static EXCEPTION_SIGNATURE_ID gCurrentSignatureId
The current signature ID. Changes every time a new ID is generated.
WORD Offset
The displacement from the beginning of the modified zone.
LIST_HEAD NoNameKernelExceptions
Linked list used for kernel-mode exceptions that don't have a valid originator (-).
The name can be any string.
#define UPDATE_TYPE_APC_UM_EXCEPTION
Describes a value signature.
Describe a code-blocks hash in binary format.
WORD Delta
The number of bytes that are modified.
Describes a kernel-mode alert-exception.
Describe a kernel-mode exception in binary format.
#define UPDATE_EXCEPTIONS_MIN_VER_MAJOR
#define UPDATE_TYPE_IDT_SIGNATURE
#define UPDATE_VALIDATE_FILE_SIZE
Validate that an object fits inside the exception buffer.
Sent when a DTR violation triggers an alert. See EVENT_DTR_VIOLATION.
LIST_HEAD GenericUserExceptions
Linked list used for user-mode exceptions that have a generic originator (*).
INTSTATUS IntUpdateFlushAlertExceptions(void)
This function removes all exceptions that were added from alerts.
char OriginatorNameGlob[EXCEPTION_UM_GLOB_LENGTH]
Contains the name (a string that can contain glob items) of the originator.
INTSTATUS IntUpdateLoadExceptions(void *Buffer, DWORD Length, DWORD Flags)
Handles the exceptions coming from the integrator.
QWORD Context
Contains the context given by the integrator.
LIST_HEAD ExportSignatures
Linked list used for export signatures.
union _EXCEPTION_SIGNATURE_ID EXCEPTION_SIGNATURE_ID
The exception ID. The layout consists of the exception type and the unique identifier of the exceptio...
LIST_HEAD ProcessCreationAlertExceptions
Linked list used for process-creation exceptions that are added from alert.
WORD Object[]
Contains list of opcodes.
#define UPDATE_TYPE_UM_EXCEPTION_GLOB_MATCH
The exception sends a feedback alert.
struct _SIG_CODEBLOCK_HASH SIG_CODEBLOCK_HASH
Describe a codeblocks signature hash.
static INTSTATUS IntUpdateAddUserExceptionGlob(UPDATE_UM_EXCEPTION_GLOB *UpdateException, UPDATE_ITEM_SIZE *Item)
Creates a new glob user-exception and adds it to our internal list.
KM_EXCEPTION_OBJECT Type
Contains the type of the exception (KM_EXCEPTION_OBJECT).
#define INT_SUCCESS(Status)
Describe a export hash in binary format.
Sent when a CR violation triggers an alert. See EVENT_CR_VIOLATION.
EXCEPTION_SIGNATURE_ID Id
A unique id (_EXCEPTION_SIGNATURE_ID).
QWORD Flags
A combination of ALERT_FLAG_* values describing the alert.
DWORD OriginatorNameHash
Contains the originator name-hash.
Describe a version OS signature in binary format.
#define UPDATE_MAGIC_WORD
EXCEPTION_SIGNATURE_ID Id
A unique id (EXCEPTION_SIGNATURE_ID).
Describe a process-creation signature in binary format.
LIST_HEAD VersionIntroSignatures
Linked list used for introspection version signatures.
Describe a user-mode glob exception.
LIST_HEAD ProcessCreationSignatures
Linked list used for process-creation signatures.
BYTE ListsCount
The number of the list of hashes.
The exception is valid only for read violation.
static BOOLEAN IntUpdateIsDuplicateUserException(const ALERT_UM_EXCEPTION *Exception)
Checks if the provided user-mode exception already exists in our list.
struct _UPDATE_VALUE_HASH UPDATE_VALUE_HASH
Describe a value hash in binary format.
LIST_HEAD IdtSignatures
Linked list used for IDT signatures.
BOOLEAN AlertSignature
True if the signature is added from alert.
EXCEPTION_SIGNATURE_ID Id
A unique id (EXCEPTION_SIGNATURE_ID).
#define INT_STATUS_NOT_NEEDED_HINT
BOOLEAN IntAlertIsEventTypeViolation(INTRO_EVENT_TYPE Type)
#define IntExceptErase(Ptr, Tag)
Frees an exception or a signature buffer and removes it from the list it is currently in...
BYTE Entry
The number of the IDT entry.
LIST_HEAD UserAlertExceptions
Linked list used for user-mode exceptions that are added from alert.
#define for_each_um_exception(_ex_head, _var_name)
struct _SIG_VALUE_HASH SIG_VALUE_HASH
Describe a value signature hash.
#define HpAllocWithTag(Len, Tag)
static BOOLEAN IntUpdateIsValidEntry(DWORD Size, UPDATE_ITEM_SIZE *Item, DWORD Flags)
Checks if the provided Size can be read from the exceptions file without exceeding its size...
The name can be any string.
The range-identifier used for idt signature.
LIST_HEAD UserExceptions[EXCEPTION_TABLE_SIZE]
Array of linked lists used for user-mode exceptions.
int INTSTATUS
The status data type.
BOOLEAN Loaded
True if the exceptions are loaded.
WORD Minor
The minor version of the exceptions binary file.
Contains the information about the sizes of an entry (exception/signature) and about the size of the ...
#define INT_STATUS_NOT_FOUND
KUM_EXCEPTION_OBJECT Type
Contains the type of the exception (KM_EXCEPTION_OBJECT).
The exception is valid only for Linux.
INTSTATUS IntExceptAlertRemove(void)
This function removes and frees all exceptions and signatures that have been added from alert...
EXCEPTION_SIGNATURE_ID Id
A unique id (EXCEPTION_SIGNATURE_ID).
INTSTATUS IntUpdateRemoveException(QWORD Context)
This function removes an exception for a given context.
LIST_HEAD KernelAlertExceptions
Linked list used for kernel-mode exceptions that are added from alert.
union _SIG_VERSION_INTRO::@38 Minimum
Sent for code/data injection alerts. See EVENT_MEMCOPY_VIOLATION.
WORD Size
The size of the modified zone.
#define for_each_idt_signature(_ex_head, _var_name)
INTRO_GUEST_TYPE OSType
The type of the guest.
#define ALERT_EXPORT_SIGNATURE_VERSION
static BOOLEAN IntUpdateIsDuplicateKernelException(const ALERT_KM_EXCEPTION *Exception)
Checks if the provided kernel-mode exception already exists in our list.
BOOLEAN AlertSignature
True if the signature is added from alert.
Describe a value hash in binary format.
The exception is valid only for write violation.
The range-identifier used for process creation signature.
Describe an IDT signature in binary format.
DWORD Flags
Contains any flags from EXCEPTION_FLG.
BYTE ListsCount
The number of the list of hashes.
Describe a value-code signature in binary format.
static INTSTATUS IntUpdateCreateProcessCreationSignatureFromAlert(const ALERT_PROCESS_CREATION_SIGNATURE *AlertSig, SIG_PROCESS_CREATION **Signature)
Creates a new process-creation signature from an ALERT_PROCESS_CREATION_SIGNATURE.
WORD Size
The size of the exception/signature.
static INTSTATUS IntUpdateAddValueSignature(UPDATE_VALUE_SIGNATURE *UpdateSignature, UPDATE_ITEM_SIZE *Item)
Creates a new value signature and adds it to our internal list.
#define UPDATE_TYPE_PROCESS_CREATION_SIGNATURE
Describes a value signature.
#define ALERT_FLAG_KM_UM
If set, the alert was generated by a kernel to user mode violation.
union _KUM_EXCEPTION::@28 Originator
Describes a user-mode alert-exception.
static INTSTATUS IntUpdateAddKernelUserException(UPDATE_KUM_EXCEPTION *UpdateException, UPDATE_ITEM_SIZE *Item)
Creates a new kernel-user mode exception and adds it to our internal list.
DWORD BuildNumber
The build number of the exceptions binary file.
struct _UM_EXCEPTION::@30 Victim
DWORD ProcessHash
Contains the originator process name-hash.
DWORD Flags
Contains any flags from SIGNATURE_FLG.
static INTSTATUS IntUpdateAddKernelException(UPDATE_KM_EXCEPTION *UpdateException, UPDATE_ITEM_SIZE *Item)
Creates a new kernel-exception and adds it to our internal list.
BOOLEAN AlertSignature
True if the signature is added from alert.
static BOOLEAN IntUpdateIsDuplicateExportSignature(const ALERT_EXPORT_SIGNATURE *Signature, const EXCEPTION_SIGNATURE_ID *SigIds, DWORD SigCount)
Checks if the provided export alert-signature already exists in our list.
LIST_HEAD CbSignatures
Linked list used for codeblocks signatures.
static INTSTATUS IntUpdateCreateIdtSignatureFromAlert(const ALERT_IDT_SIGNATURE *AlertSig, SIG_IDT **Signature)
Creates a new IDT signature from an ALERT_IDT_SIGNATURE.
void IntUpdateAssignAlertSignatureIds(void)
Generates IDs for exceptions that were added from alert.
#define EXCEPTION_UM_GLOB_LENGTH
The range-identifier used for export signature.
DWORD Flags
Contains any flags from EXCEPTION_FLG.
static INTSTATUS IntUpdateAddUserException(UPDATE_UM_EXCEPTION *UpdateException, UPDATE_ITEM_SIZE *Item)
Creates a new user-exception and adds it to our internal list.
BOOLEAN IntUpdateAreExceptionsLoaded(void)
Checks if the exceptions are loaded.
struct _UPDATE_ITEM_SIZE UPDATE_ITEM_SIZE
Contains the information about the sizes of an entry (exception/signature) and about the size of the ...
LIST_HEAD KernelUserAlertExceptions
Linked list used for kernel-user mode exceptions that are added from alert.
Describe a process-creation alert-signature.
EXCEPTIONS * Exceptions
The exceptions that are currently loaded.
#define INT_STATUS_NOT_INITIALIZED
struct _UPDATE_FILE_HEADER UPDATE_FILE_HEADER
The header of the exceptions binary file.
static EXCEPTION_SIGNATURE_ID IntUpdateGetUniqueSigId(EXCEPTION_SIGNATURE_TYPE Type)
Get an unique signature ID for a given type.
#define UPDATE_VALIDATE_HEADER_SIZE
Validate the size of the exception header.
EXCEPTION_SIGNATURE_ID Signatures[]
Contains an array of signature IDs.
DWORD LibraryNameHash
The name-hash of the modified library.
static INTSTATUS IntUpdateAddValueCodeSignature(UPDATE_VALUE_CODE_SIGNATURE *UpdateSignature, UPDATE_ITEM_SIZE *Item)
Creates a new value-code signature and adds it to our internal list.
DWORD Hash
The hash of the modified zone.
DWORD Flags
Contains any flags from _EXCEPTION_FLG.
WORD SigCount
Contains the number of signatures.
DWORD Flags
Contains any flags from SIGNATURE_FLG.
LIST_HEAD KernelFeedbackExceptions
Linked list used for kernel-mode exceptions that have the feedback flag.
The exception is valid only for execute violation.
DWORD Hash
The hash of the modified zone.
DWORD VictimNameHash
Contains the victim name-hash.
CHAR Object[]
Contains lists of (SIG_EXPORT_HASH).
The common header used by exception information.
Describes an idt alert-signature.
CHAR NameGlob[EXCEPTION_UM_GLOB_LENGTH]
Contains the name (a string that can contain glob items) of the modified process. ...
Describes a kernel-mode alert-exception.
static void IntUpdateAddKernelExceptionInOrder(KM_EXCEPTION *Exception)
Adds a kernel-mode exception created from an alert into the sorted list.
The header of the exceptions binary file.
EXCEPTION_SIGNATURE_ID Id
A unique id (EXCEPTION_SIGNATURE_ID).
static void IntUpdateAddUserExceptionInOrder(UM_EXCEPTION *Exception)
Adds a user-mode exception created from an alert into the sorted list.
CHAR ProcessGlob[EXCEPTION_UM_GLOB_LENGTH]
Contains the name of the process(a string that can contain glob items) in which the modification take...
static INTSTATUS IntUpdateAddCbSignature(UPDATE_CB_SIGNATURE *UpdateSignature, UPDATE_ITEM_SIZE *Item)
Creates a new code-blocks signature and adds it to our internal list.
Sent for suspicious module loads alerts. See EVENT_MODULE_LOAD_VIOLATION.
Describe a value signature hash.
Describes a introspection version signature.
BOOLEAN AlertSignature
True if the signature is added from alert.
#define HpFreeAndNullWithTag(Add, Tag)
#define INT_STATUS_INVALID_DATA_STATE
#define INT_STATUS_INVALID_INTERNAL_STATE
struct _EXCEPTIONS::@26 Version
Loaded exceptions binary version.
BYTE Type
The type of the exception/signature.
#define for_each_kum_exception(_ex_head, _var_name)
DWORD Flags
Contains any flags from SIGNATURE_FLG.
EXCEPTION_SIGNATURE_ID Id
A unique id (EXCEPTION_SIGNATURE_ID).
static void InsertAfterList(LIST_ENTRY *Pivot, LIST_ENTRY *Item)
static INTSTATUS IntUpdateAddVersionOsSignature(UPDATE_VERSION_OS_SIGNATURE *UpdateSignature, UPDATE_ITEM_SIZE *Item)
Creates a new operating system version signature and adds it to our internal list.
Describe a value signature in binary format.
static INTSTATUS IntUpdateAddKmException(const ALERT_KM_EXCEPTION *Exception, QWORD Context)
Creates a new kernel-mode exception from an alert-exception structure ALERT_KM_EXCEPTION and adds it ...
#define UPDATE_TYPE_VERSION_INTRO_SIGNATURE
Describes a export signature.
DWORD NameHash
Contains the originator name-hash.
static void InsertTailList(LIST_ENTRY *ListHead, LIST_ENTRY *Entry)
INTSTATUS IntExceptInit(void)
This function allocates the exceptions data and initializes the exception lists and the signature list...
LIST_HEAD KernelUserFeedbackExceptions
Linked list used for kernel-user mode exceptions that have the feedback flag.
Describe a kernel-user mode exception in binary format.
size_t strlcpy(char *dst, const char *src, size_t dest_size)
#define UPDATE_TYPE_CB_SIGNATURE
static INTSTATUS IntUpdateCreateExportSignatureFromAlert(const ALERT_EXPORT_SIGNATURE *AlertSig, SIG_EXPORT **Signature)
Creates a new export signature from an ALERT_EXPORT_SIGNATURE.
DWORD Flags
Contains any flags from SIGNATURE_FLG.
Sent when an EPT violation triggers an alert. See EVENT_EPT_VIOLATION.
#define ALERT_FLAG_NOT_RING0
If set, the alert was triggered in ring 1, 2 or 3.
DWORD Flags
Contains any flags from EXCEPTION_FLG.
struct _UPDATE_FILE_HEADER::@141 Version
#define UNREFERENCED_PARAMETER(P)
This exception will be ignored.
The name can be any string.
#define ALERT_CB_SIGNATURE_VERSION
INTSTATUS IntAlertCreateException(const void *Event, INTRO_EVENT_TYPE Type, BOOLEAN LogErrors, void *Exception)
This function will dispatch the exception creation to the appropriate function, depending on the even...
Describe a kernel-mode exception.
#define for_each_km_exception(_ex_head, _var_name)
union _SIG_VERSION_INTRO::@39 Maximum
DWORD Magic
The magic value; must be UPDATE_MAGIC_WORD.
Describe a user-mode exception.
struct _UPDATE_HEADER UPDATE_HEADER
The header of an exception or a signature.
DWORD UserExceptionsCount
The number of the user-mode exceptions.
#define UPDATE_TYPE_VALUE_CODE_SIGNATURE
#define ALERT_KM_EXCEPTION_VERSION
BYTE Count
The number of hashes from the list.
DWORD Hashes[]
The list of hashes.
static INTSTATUS IntUpdateAddKmUmException(const ALERT_KUM_EXCEPTION *Exception, QWORD Context)
Creates a new kernel-user mode exception from an alert-exception structure ALERT_KUM_EXCEPTION and ad...
LIST_HEAD GlobUserExceptions
Linked list used for user-mode exceptions that contain glob content.
#define UPDATE_EXCEPTIONS_MIN_VER_MINOR
DWORD Hash
The hash of the modified function name.
BYTE Count
The number of hashes from the list.
LIST_HEAD ProcessCreationExceptions
Linked list used for process-creation exceptions.
#define INT_STATUS_INVALID_OBJECT_TYPE
LIST_HEAD GenericKernelExceptions
Linked list used for kernel-mode exceptions that have a generic originator (*).
UM_EXCEPTION_OBJECT Type
Contains the type of the exception (UM_EXCEPTION_OBJECT).
UM_EXCEPTION_OBJECT Type
Contains the type of the exception (UM_EXCEPTION_OBJECT).
LIST_HEAD ValueSignatures
Linked list used for value signatures.
DWORD Flags
Contains any flags from SIGNATURE_FLG.
DWORD Flags
Contains any flags from SIGNATURE_FLG.
static INTSTATUS IntUpdateAddProcessCreationSignature(UPDATE_PROCESS_CREATION_SIGNATURE *UpdateSignature, UPDATE_ITEM_SIZE *Item)
Creates a new process-creation signature and adds it to our internal list.
#define ALERT_EXCEPTION_SIZE
GUEST_STATE gGuest
The current guest state.
DWORD OriginatorNameHash
Contains the originator name-hash.
DWORD UserExceptionsGlobCount
The number of the user-mode exceptions that contain glob items.
The signature is valid only on Linux.
Describe a version introspection signature in binary format.
WORD SigCount
Contains the number of signatures.
DWORD KernelExceptionsCount
The number of the kernel-mode exceptions.
Describe an export signature in binary format.
WORD Offset
The displacement from the beginning of the modified zone.
#define for_each_cb_signature(_ex_head, _var_name)
struct _UM_EXCEPTION_GLOB::@31 Victim
DWORD Type
Contains the type of the signature (EXCEPTION_SIGNATURE_TYPE).
LIST_HEAD ProcessCreationFeedbackExceptions
Linked list used for process-creation exceptions that have the feedback flag.
#define EXCEPTION_TABLE_ID(H)
#define INT_STATUS_UNSUPPORTED_DATA_VALUE
#define ALERT_PROCESS_CREATION_SIGNATURE_VERSION
BOOLEAN AlertSignature
True if the signature is added from alert.
BYTE Score
The minimum number of hashes from a list that need to match.
DWORD Flags
Contains any flags from SIGNATURE_FLG.
LIST_HEAD UserFeedbackExceptions
Linked list used for user-mode exceptions that have the feedback flag.
Describe a code-blocks signature in binary format.
DWORD ProcessHash
Contains the name-hash of the process in which the modification takes place (missing for injections)...
WORD Length
The length of the opcode pattern.
static BOOLEAN IntUpdateIsDuplicateIdtSignature(const ALERT_IDT_SIGNATURE *Signature, const EXCEPTION_SIGNATURE_ID *SigIds, DWORD SigCount)
Checks if the provided IDT alert-signature already exists in our list.
LIST_HEAD KernelExceptions[EXCEPTION_TABLE_SIZE]
Array of linked lists used for kernel-mode exceptions.
BYTE ListsCount
The number of hash lists.
static INTSTATUS IntUpdateAddUmException(const ALERT_UM_EXCEPTION *Exception, QWORD Context)
Creates a new user-mode exception from an alert-exception structure ALERT_UM_EXCEPTION and adds it to...
struct _EXCEPTION_SIGNATURE_ID::@27 Field
#define UPDATE_TYPE_VERSION_OS_SIGNATURE
#define UPDATE_TYPE_VALUE_SIGNATURE
EXCEPTION_SIGNATURE_ID Signatures[]
Contains an array of signature IDs.
BOOLEAN AlertSignature
True if the signature is added from alert.
static void IntUpdateAddKernelUserExceptionInOrder(KUM_EXCEPTION *Exception)
Adds a kernel-user mode exception created from an alert into the sorted list.
INTSTATUS IntUpdateGetVersion(WORD *MajorVersion, WORD *MinorVersion, DWORD *BuildNumber)
Get the version of the loaded exceptions binary file.
QWORD Value
Contains the minimum build number of the operating system (used for Windows).
DWORD Hashes[]
The hashes list.
The range-identifier used for codeblocks signature.
LIST_HEAD GenericKernelUserExceptions
Linked list used for kernel-user mode exceptions that have a generic originator (*).
Describes an IDT signature.
struct _UPDATE_CB_HASH * PUPDATE_CB_HASH
DWORD Value
Contains a unique value.
#define INT_STATUS_INVALID_PARAMETER_1
#define INT_STATUS_NOT_SUPPORTED
#define ALERT_UM_EXCEPTION_VERSION
EXCEPTION_SIGNATURE_ID Signatures[]
Contains an array of signature IDs.
Describe a user-mode-glob exception in binary format.
#define UPDATE_TYPE_UM_EXCEPTION
WORD Major
The major version of the exceptions binary file.
enum _INTRO_EVENT_TYPE INTRO_EVENT_TYPE
Event classes.
Sent for integrity violation alerts. See EVENT_INTEGRITY_VIOLATION.
DWORD CreateMask
Contains the DPI mask.
static BOOLEAN IntUpdateIsDuplicateCbSignature(const ALERT_CB_SIGNATURE *Signature, const EXCEPTION_SIGNATURE_ID *SigIds, DWORD SigCount)
Checks if the provided code-blocks alert-signature already exists in our list.
DWORD Hash
The hash of the modified function name.
WORD SigCount
Contains the number of signatures.
struct _UPDATE_EXPORT_HASH UPDATE_EXPORT_HASH
Describe an export hash in binary format.
INT16 Offset
The displacement from the beginning of the modified zone.
#define UPDATE_VALIDATE_ALL
All exception validation options.
Sent when an MSR violation triggers an alert. See EVENT_MSR_VIOLATION.
CHAR Object[]
Contains a list of (SIG_CODEBLOCK_HASH).
static void IntUpdateSetIdForException(EXCEPTION_SIGNATURE_ID *Signatures, DWORD Count)
Generate a new ID for each signature.
struct _UPDATE_ITEM_SIZE * PUPDATE_ITEM_SIZE
union _SIG_VERSION_OS::@33 Maximum
struct _UPDATE_CB_HASH UPDATE_CB_HASH
Describe a code-blocks hash in binary format.
static INTSTATUS IntUpdateAddExportSignature(UPDATE_EXPORT_SIGNATURE *UpdateSignature, UPDATE_ITEM_SIZE *Item)
Creates a new export signature and adds it to our internal list.
WORD Size
The size of the modified zone.
static BOOLEAN IntUpdateIsDuplicateKernelUserException(const ALERT_KUM_EXCEPTION *Exception)
Checks if the provided kernel-user mode exception already exists in our list.
CHAR Object[]
Contains lists of (SIG_VALUE_HASH).
EXCEPTION_SIGNATURE_ID Id
A unique id (EXCEPTION_SIGNATURE_ID).
EXCEPTION_SIGNATURE_ID Signatures[]
Contains an array of signature IDs.
Describes a codeblocks signature.
DWORD Flags
Contains any flags from _SIGNATURE_FLG.
DWORD KernelUserExceptionsCount
The number of the kernel-user mode exceptions.
Describe a user-mode exception in binary format.
#define UPDATE_TYPE_KM_EXCEPTION
#define INT_STATUS_INVALID_PARAMETER_2
BOOLEAN AlertSignature
True if the signature is added from alert.
union _SIG_VERSION_OS::@32 Minimum
LIST_HEAD NoNameUserExceptions
Linked list used for user-mode exceptions that don't have a valid originator (-). ...
Describe a codeblocks signature hash.
void UtilQuickSort(void *Array, const DWORD NumberOfElements, const BYTE ElementSize)
Describes an operating system version signature.
WORD Delta
The number of bytes that are modified.
The object that has an NX zone is executed.
INTSTATUS IntUpdateAddExceptionFromAlert(const void *Event, INTRO_EVENT_TYPE Type, BOOLEAN Exception, QWORD Context)
Handles all types of supported exceptions that can be added from alerts.
#define INT_STATUS_INVALID_DATA_SIZE
INTSTATUS IntExceptRemove(void)
This function removes and frees all exceptions and signatures that have been added from exception bin...
#define for_each_export_signature(_ex_head, _var_name)
struct _SIG_EXPORT_HASH SIG_EXPORT_HASH
Describe a export signature hash.
#define INT_STATUS_INSUFFICIENT_RESOURCES
enum _EXCEPTION_SIGNATURE_TYPE EXCEPTION_SIGNATURE_TYPE
The identifier that describes a range of signatures.
#define INT_STATUS_INVALID_PARAMETER_3
LIST_HEAD VersionOsSignatures
Linked list used for operating system version signatures.
struct _KUM_EXCEPTION::@29 Victim