43 if (NULL == pNotification)
57 pNotification->
CmdLineSize = Process->CommandLineSize;
59 if (NULL == pNotification->
CmdLine)
65 memcpy(pNotification->
CmdLine, Process->CommandLine, Process->CommandLineSize);
67 LOG(
"[CMDLINE] Asking the engines to scan process:%s with PID:%u command line:%s - with size:%u\n",
75 ERROR(
"[ERROR] IntNotifyEngines failed: 0x%x\n", status);
113 memzero(pEvent,
sizeof(*pEvent));
117 pEvent->
Header.
Action = EngineNotification->Header.RequestedAction;
124 if (0 == strcasecmp(
"powershell.exe", EngineNotification->Child.ImageName))
143 WARNING(
"[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
166 LOG(
"[CMDLINE] process:%s with PID:%u used a clean command line\n",
167 EngineNotification->Child.ImageName, EngineNotification->Child.Pid);
171 LOG(
"[CMDLINE] [command line violation] process:%s with PID:%u, CR3:0x%llx and command line:%s created " 172 "process:%s with PID:%u, CR3:0x%llx using the malicious command line:%s\n",
173 EngineNotification->Parent.ImageName,
174 EngineNotification->Parent.Pid,
175 EngineNotification->Parent.Cr3,
176 EngineNotification->Parent.CmdLine,
177 EngineNotification->Child.ImageName,
178 EngineNotification->Child.Pid,
179 EngineNotification->Child.Cr3,
180 EngineNotification->Child.CmdLine
182 LOG(
"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ MALWARE ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n\n");
187 ERROR(
"[ERROR] IntWinPsSendCmdLineViolation failed with status: 0x%08x\n", status);
191 if (NULL != EngineNotification->CmdLine)
BYTE * CmdLine
The command line to be scanned; CmdLineSize gives the length of this buffer in bytes.
enum _INTRO_ACTION_REASON INTRO_ACTION_REASON
The reason for which an INTRO_ACTION was taken.
INTRO_PROCESS Parent
The parent process that provided the command line.
MITRE_ID MitreID
The MITRE ID that corresponds to this attack.
#define INT_STATUS_SUCCESS
INTRO_ENG_NOTIF_TYPE Type
The type of the alert.
void IntAlertFillWinProcess(const WIN_PROCESS_OBJECT *Process, INTRO_PROCESS *EventProcess)
Saves information about a Windows process inside an alert.
#define INT_SUCCESS(Status)
QWORD Flags
A combination of ALERT_FLAG_* values describing the alert.
Sent for third party engines detections. See EVENT_ENGINES_DETECTION_VIOLATION.
INTSTATUS IntWinHandleCmdLineCallback(PENG_NOTIFICATION_CMD_LINE EngineNotification)
Handle a command line scan response.
#define HpAllocWithTag(Len, Tag)
int INTSTATUS
The status data type.
INTRO_VIOLATION_HEADER Header
The alert header.
INTRO_ENG_NOTIF_TYPE Type
The type of the notification.
ENG_NOTIFICATION_HEADER Header
Notification header.
#define ALERT_MAX_DETECTION_NAME
The maximum size of a detection name as given by a third party scan engine.
void IntAlertFillVersionInfo(INTRO_VIOLATION_HEADER *Header)
Fills version information for an alert.
QWORD IntAlertProcGetFlags(QWORD ProtectionFlag, const void *Process, INTRO_ACTION_REASON Reason, QWORD AdditionalFlags)
Returns the flags for an alert.
INTRO_ACTION_REASON Reason
The reason for which Action was taken.
Command line notification for scan engines.
GENERIC_ALERT gAlert
Global alert buffer.
DWORD CmdLineSize
The size, in bytes, of the buffer that CmdLine points to.
Event structure for detections provided by additional scan engines.
INTSTATUS IntNotifyIntroEvent(INTRO_EVENT_TYPE EventClass, void *Param, size_t EventSize)
Notifies the integrator about an introspection alert.
#define HpFreeAndNullWithTag(Add, Tag)
INTSTATUS IntNotifyEngines(void *Parameters)
#define ALERT_FLAG_FROM_ENGINES
If set, the alert was generated due to a third party scan engines detection.
Command line scan results.
struct _EVENT_ENGINES_DETECTION_VIOLATION::@320::@322 CmdLineViolation
Command line of the process.
#define ALERT_FLAG_NOT_RING0
If set, the alert was triggered in ring 1, 2 or 3.
INTRO_GUEST_TYPE OsType
The guest operating system type.
static INTSTATUS IntWinSendCmdLineViolation(PENG_NOTIFICATION_CMD_LINE EngineNotification)
Send a command line violation event.
The action was allowed, but it has the BETA flag (Introcore is in log-only mode). ...
PWIN_PROCESS_OBJECT IntWinProcFindObjectByEprocess(QWORD Eprocess)
Finds a process by the address of its _EPROCESS structure.
CHAR EnginesVersion[ALERT_MAX_ENGINES_VERSION]
A NULL-terminated string with the third party scan engines' version.
CHAR DetectionName[ALERT_MAX_DETECTION_NAME]
A NULL-terminated string with the detection name, as provided by the engines.
INTRO_ACTION Action
The action that was taken as the result of this alert.
INTRO_PROCESS Child
The child process that received the command line.
CHAR ImageName[ALERT_IMAGE_NAME_LEN]
Image base name of the current process.
INTRO_PROCESS CurrentProcess
The current process.
#define ALERT_MAX_ENGINES_VERSION
The maximum size of the third party scan engines version.
DWORD Pid
The PID of the process.
Describes a guest process.
EVENT_ENGINES_DETECTION_VIOLATION EngineDetection
Exposes the functions used to schedule an asynchronous command line scan and receive its result...
INTSTATUS IntWinInspectCommandLine(PWIN_PROCESS_OBJECT Process)
Send a command line scan request to the scan engines.
This structure describes a running process inside the guest.
#define INT_STATUS_INSUFFICIENT_RESOURCES