Bitdefender Hypervisor Memory Introspection

Functions
| static DWORD | IntAlertGetHashForLinuxName (const WCHAR *Originator, const size_t MaxLength) | Compute the crc32-hash for the provided string. |
| static DWORD | IntAlertGetHashForWindowsName (const WCHAR *Originator, const size_t MaxLength) | Compute the crc32-hash for the provided string. |
| static DWORD | IntAlertGetHashForName (const WCHAR *Originator, BOOLEAN LinuxGuest, BOOLEAN KernelMode, size_t MaxLength) | Compute the crc32-hash for the provided string. |
| static DWORD | IntAlertGetEptExceptionFlags (const EVENT_EPT_VIOLATION *Event) | Get the flags for an exception based on the information from the provided event. |
| static void | IntAlertCreateCbSignature (const INTRO_CODEBLOCKS *CodeBlocks, BOOLEAN LinuxAlert, BOOLEAN ExecAlert, ALERT_CB_SIGNATURE *Signature) | Creates a code-block alert-signature structure. |
| static void | IntAlertCreateProcessCreationSignature (DWORD PcType, BOOLEAN LinuxAlert, ALERT_PROCESS_CREATION_SIGNATURE *Signature) | Creates a process-creation alert-signature structure. |
| static void | IntAlertCreateIdtSignature (const BYTE Entry, BOOLEAN LinuxAlert, ALERT_IDT_SIGNATURE *Signature) | Creates an IDT alert-signature structure. |
| static void | IntAlertCreateExportSignature (const INTRO_MODULE *Module, const char *FunctionName, DWORD FunctionNameHash, DWORD Delta, DWORD WriteSize, BOOLEAN LinuxEvent, ALERT_EXPORT_SIGNATURE *Signature) | Creates an export alert-signature structure. |
| static INTSTATUS | IntAlertCreateEptException (const EVENT_EPT_VIOLATION *Event, BOOLEAN LogErrors, void *Exception) | Creates an alert-exception structure from an EPT violation event. |
| static INTSTATUS | IntAlertCreateMsrException (const EVENT_MSR_VIOLATION *Event, BOOLEAN LogErrors, void *Exception) | Creates an alert-exception structure from an MSR violation event. |
| static INTSTATUS | IntAlertCreateCrException (const EVENT_CR_VIOLATION *Event, BOOLEAN LogErrors, void *Exception) | Creates an alert-exception structure from a CR violation event. |
| static INTSTATUS | IntAlertCreateInjectionException (const EVENT_MEMCOPY_VIOLATION *Event, BOOLEAN LogErrors, void *Exception) | Creates an alert-exception structure from an injection (memcopy) violation event. |
| static INTSTATUS | IntAlertCreateProcessCreationException (const EVENT_PROCESS_CREATION_VIOLATION *Event, BOOLEAN LogErrors, void *Exception) | Creates an alert-exception structure from a process-creation violation event. |
| static INTSTATUS | IntAlertCreateModuleLoadException (const EVENT_MODULE_LOAD_VIOLATION *Event, BOOLEAN LogErrors, void *Exception) | Creates an alert-exception structure from a module-load violation event. |
| static INTSTATUS | IntAlertCreateIntegrityException (const EVENT_INTEGRITY_VIOLATION *Event, BOOLEAN LogErrors, void *Exception) | Creates an alert-exception structure from an integrity violation event. |
| static INTSTATUS | IntAlertCreateDtrException (const EVENT_DTR_VIOLATION *Event, BOOLEAN LogErrors, void *Exception) | Creates an alert-exception structure from a DTR (IDTR/GDTR) violation event. |
| INTSTATUS | IntAlertCreateException (const void *Event, INTRO_EVENT_TYPE Type, BOOLEAN LogErrors, void *Exception) | Dispatches the exception creation to the appropriate function, depending on the event type. |
| INTSTATUS | IntAlertCreateExceptionInEvent (void *Event, INTRO_EVENT_TYPE Type) | Creates an alert-exception for each alert sent to the integrator. |
| static void IntAlertCreateCbSignature | ( | const INTRO_CODEBLOCKS * | CodeBlocks, |
| BOOLEAN | LinuxAlert, | ||
| BOOLEAN | ExecAlert, | ||
| ALERT_CB_SIGNATURE * | Signature | ||
| ) |
Creates a code-block alert-signature structure.
Each alert-signature structure carries an internal version number that is incremented on every change to the structure that breaks backwards compatibility. If the alert was not generated from an execution violation, the code blocks stored in the alert-signature are taken from around the code block at the RIP index (the block containing the faulting instruction pointer).
| [in] | CodeBlocks | Array of actual code block patterns. |
| [in] | LinuxAlert | True if the signature is used for a Linux guest. |
| [in] | ExecAlert | True if the alert was generated for an execution violation. |
| [out] | Signature | The newly created alert signature structure. |
Definition at line 204 of file alert_exceptions.c.
Referenced by IntAlertCreateCrException(), IntAlertCreateDtrException(), IntAlertCreateEptException(), and IntAlertCreateMsrException().
| static INTSTATUS IntAlertCreateCrException | ( | const EVENT_CR_VIOLATION * | Event, |
| BOOLEAN | LogErrors, | ||
| void * | Exception | ||
| ) |
Creates an alert-exception structure from a CR violation event.
Each alert-exception structure carries an internal version number that is incremented on every change to the structure that breaks backwards compatibility. This function also creates the code-block signatures (if any) that are assigned to the exception.
| [in] | Event | The event structure for CR violation. |
| [in] | LogErrors | True if the function should log errors, otherwise false. |
| [out] | Exception | A raw buffer to store the alert-exception. |
| INT_STATUS_SUCCESS | On success. |
Definition at line 839 of file alert_exceptions.c.
Referenced by IntAlertCreateException().
| static INTSTATUS IntAlertCreateDtrException | ( | const EVENT_DTR_VIOLATION * | Event, |
| BOOLEAN | LogErrors, | ||
| void * | Exception | ||
| ) |
Creates an alert-exception structure from a DTR (IDTR/GDTR) violation event.
Each alert-exception structure carries an internal version number that is incremented on every change to the structure that breaks backwards compatibility. This function also creates the code-block signatures (if any) that are assigned to the exception.
| [in] | Event | The event structure for the DTR violation. |
| [in] | LogErrors | True if the function should log errors, otherwise false. |
| [out] | Exception | A raw buffer to store the alert-exception. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_SUPPORTED | If the victim type is not kmObjIdtr or kmObjGdtr. |
Definition at line 1281 of file alert_exceptions.c.
Referenced by IntAlertCreateException().
| static INTSTATUS IntAlertCreateEptException | ( | const EVENT_EPT_VIOLATION * | Event, |
| BOOLEAN | LogErrors, | ||
| void * | Exception | ||
| ) |
Creates an alert-exception structure from an EPT violation event.
Each alert-exception structure carries an internal version number that is incremented on every change to the structure that breaks backwards compatibility. This function creates either a user-mode or a kernel-mode alert-exception, chosen by the event flags: if ALERT_FLAG_NOT_RING0 is set, a user-mode alert-exception is created, otherwise a kernel-mode alert-exception is created. The flags, originator, victim and type fields of the alert-exception are extracted from the event. This function also creates the code-block and/or IDT signatures that are assigned to the exception.
| [in] | Event | The event structure for EPT violation. |
| [in] | LogErrors | True if the function should log errors, otherwise false. |
| [out] | Exception | A raw buffer to store the alert-exception. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_SUPPORTED | If the information about the violation is invalid or incomplete. |
Definition at line 428 of file alert_exceptions.c.
Referenced by IntAlertCreateException().
| INTSTATUS IntAlertCreateException | ( | const void * | Event, |
| INTRO_EVENT_TYPE | Type, | ||
| BOOLEAN | LogErrors, | ||
| void * | Exception | ||
| ) |
This function dispatches the exception creation to the appropriate function, depending on the event type.
| [in] | Event | The event structure; its concrete type is given by Type. |
| [in] | Type | The type of the event. |
| [in] | LogErrors | True if the function should log errors, otherwise false. |
| [in,out] | Exception | A raw buffer to store the alert-exception. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_SUPPORTED | If the provided type is not supported. |
Definition at line 1358 of file alert_exceptions.c.
Referenced by IntAlertCreateExceptionInEvent(), and IntUpdateAddExceptionFromAlert().
| INTSTATUS IntAlertCreateExceptionInEvent | ( | void * | Event, |
| INTRO_EVENT_TYPE | Type | ||
| ) |
This function creates an alert-exception for each alert sent to the integrator, so the alert carries the exception that would suppress it.
| [in] | Event | The event structure; its concrete type is given by Type. |
| [in] | Type | The type of the event. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_SUPPORTED | If the provided type is not supported. |
Definition at line 1441 of file alert_exceptions.c.
Referenced by IntNotifyIntroEvent().
| static void IntAlertCreateExportSignature | ( | const INTRO_MODULE * | Module, |
| const char * | FunctionName, | ||
| DWORD | FunctionNameHash, | ||
| DWORD | Delta, | ||
| DWORD | WriteSize, | ||
| BOOLEAN | LinuxEvent, | ||
| ALERT_EXPORT_SIGNATURE * | Signature | ||
| ) |
Creates an export alert-signature structure.
Each alert-signature structure carries an internal version number that is incremented on every change to the structure that breaks backwards compatibility. If the function name is missing, kmExcNameAny is used as the function name.
| [in] | Module | A user-mode or kernel-mode module |
| [in] | FunctionName | The function name from the provided module. |
| [in] | FunctionNameHash | The function name hash of the provided function. |
| [in] | Delta | The number of bytes that are modified from the beginning of the write. |
| [in] | WriteSize | The number of bytes that are modified. |
| [in] | LinuxEvent | True if the signature is used for a Linux guest. |
| [out] | Signature | The newly created alert signature structure. |
Definition at line 365 of file alert_exceptions.c.
Referenced by IntAlertCreateInjectionException().
| static void IntAlertCreateIdtSignature | ( | const BYTE | Entry, |
| BOOLEAN | LinuxAlert, | ||
| ALERT_IDT_SIGNATURE * | Signature | ||
| ) |
Creates an IDT alert-signature structure.
Each alert-signature structure carries an internal version number that is incremented on every change to the structure that breaks backwards compatibility.
| [in] | Entry | The entry number of the IDT entry. |
| [in] | LinuxAlert | True if the signature is used for a Linux guest. |
| [out] | Signature | The newly created alert signature structure. |
Definition at line 334 of file alert_exceptions.c.
Referenced by IntAlertCreateEptException(), and IntAlertCreateIntegrityException().
| static INTSTATUS IntAlertCreateInjectionException | ( | const EVENT_MEMCOPY_VIOLATION * | Event, |
| BOOLEAN | LogErrors, | ||
| void * | Exception | ||
| ) |
Creates an alert-exception structure from an injection (memcopy) violation event.
Each alert-exception structure carries an internal version number that is incremented on every change to the structure that breaks backwards compatibility. This function also creates the export signatures (if any) that are assigned to the exception.
| [in] | Event | The event structure for the injection violation. |
| [in] | LogErrors | True if the function should log errors, otherwise false. |
| [out] | Exception | A raw buffer to store the alert-exception. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_SUPPORTED | If the originator/victim is invalid. |
Definition at line 901 of file alert_exceptions.c.
Referenced by IntAlertCreateException().
| static INTSTATUS IntAlertCreateIntegrityException | ( | const EVENT_INTEGRITY_VIOLATION * | Event, |
| BOOLEAN | LogErrors, | ||
| void * | Exception | ||
| ) |
Creates an alert-exception structure from an integrity violation event.
Each alert-exception structure carries an internal version number that is incremented on every change to the structure that breaks backwards compatibility.
| [in] | Event | The event structure for integrity violation. |
| [in] | LogErrors | True if the function should log errors, otherwise false. |
| [out] | Exception | A raw buffer to store the alert-exception. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_SUPPORTED | If the current guest operating system is Linux. |
Definition at line 1146 of file alert_exceptions.c.
Referenced by IntAlertCreateException().
| static INTSTATUS IntAlertCreateModuleLoadException | ( | const EVENT_MODULE_LOAD_VIOLATION * | Event, |
| BOOLEAN | LogErrors, | ||
| void * | Exception | ||
| ) |
Creates an alert-exception structure from a module-load violation event.
Each alert-exception structure carries an internal version number that is incremented on every change to the structure that breaks backwards compatibility.
| [in] | Event | The event structure for module-load violation. |
| [in] | LogErrors | True if the function should log errors, otherwise false. |
| [out] | Exception | A raw buffer to store the alert-exception. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_SUPPORTED | If the originator/victim is invalid. |
Definition at line 1075 of file alert_exceptions.c.
Referenced by IntAlertCreateException().
| static INTSTATUS IntAlertCreateMsrException | ( | const EVENT_MSR_VIOLATION * | Event, |
| BOOLEAN | LogErrors, | ||
| void * | Exception | ||
| ) |
Creates an alert-exception structure from an MSR violation event.
Each alert-exception structure carries an internal version number that is incremented on every change to the structure that breaks backwards compatibility. This function also creates the code-block signatures (if any) that are assigned to the exception.
| [in] | Event | The event structure for MSR violation. |
| [in] | LogErrors | True if the function should log errors, otherwise false. |
| [out] | Exception | A raw buffer to store the alert-exception. |
| INT_STATUS_SUCCESS | On success. |
Definition at line 778 of file alert_exceptions.c.
Referenced by IntAlertCreateException().
| static INTSTATUS IntAlertCreateProcessCreationException | ( | const EVENT_PROCESS_CREATION_VIOLATION * | Event, |
| BOOLEAN | LogErrors, | ||
| void * | Exception | ||
| ) |
Creates an alert-exception structure from a process-creation violation event.
Each alert-exception structure carries an internal version number that is incremented on every change to the structure that breaks backwards compatibility. This function also creates the process-creation signatures (if any) that are assigned to the exception.
| [in] | Event | The event structure for process-creation violation. |
| [in] | LogErrors | True if the function should log errors, otherwise false. |
| [out] | Exception | A raw buffer to store the alert-exception. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_SUPPORTED | If the originator/victim is invalid. |
Definition at line 1001 of file alert_exceptions.c.
Referenced by IntAlertCreateException().
| static void IntAlertCreateProcessCreationSignature | ( | DWORD | PcType, |
| BOOLEAN | LinuxAlert, | ||
| ALERT_PROCESS_CREATION_SIGNATURE * | Signature | ||
| ) |
Creates a process-creation alert-signature structure.
Each alert-signature structure carries an internal version number that is incremented on every change to the structure that breaks backwards compatibility.
| [in] | PcType | The process creation violation type. |
| [in] | LinuxAlert | True if the signature is used for a Linux guest. |
| [out] | Signature | The newly created alert signature structure. |
Definition at line 303 of file alert_exceptions.c.
Referenced by IntAlertCreateProcessCreationException().
| static DWORD IntAlertGetEptExceptionFlags | ( | const EVENT_EPT_VIOLATION * | Event | ) |
Get the flags for an exception based on the information from the provided event.
This function always sets both the 32-bit and the 64-bit process/system flags; if the event was generated by a Linux guest, the Linux exception flag is set as well; the execute, read or write flag is set according to the violation type of the event.
| [in] | Event | The event structure provided by the integrator. |
Returns: The flags generated from the information in the provided event.
Definition at line 165 of file alert_exceptions.c.
Referenced by IntAlertCreateEptException().
| static DWORD IntAlertGetHashForLinuxName | ( | const WCHAR * | Originator, |
| const size_t | MaxLength | ||
| ) |
Compute the crc32-hash for the provided string.
The crc32-hash is not computed in the following cases:
| [in] | Originator | The string for which the crc32-hash must be computed. |
| [in] | MaxLength | The maximum length of the given buffer. |
Returns: The value of the crc32-hash of the provided string.
Definition at line 17 of file alert_exceptions.c.
Referenced by IntAlertGetHashForName().
| static DWORD IntAlertGetHashForName | ( | const WCHAR * | Originator, |
| BOOLEAN | LinuxGuest, | ||
| BOOLEAN | KernelMode, | ||
| size_t | MaxLength | ||
| ) |
Compute the crc32-hash for the provided string.
If the provided string is missing, kmExcNameNone or umExcNameNone is returned (depending on KernelMode). Otherwise the function dispatches the crc32-hash computation to the appropriate function, depending on the guest operating system.
| [in] | Originator | The string for which the crc32-hash must be computed. |
| [in] | LinuxGuest | True if the provided string is used for a Linux guest, otherwise false. |
| [in] | KernelMode | True if the provided string is used for kernel mode, otherwise false. |
| [in] | MaxLength | The maximum length of the given Originator buffer. |
Returns: The value of the crc32-hash of the provided string.
Definition at line 121 of file alert_exceptions.c.
Referenced by IntAlertCreateCrException(), IntAlertCreateDtrException(), IntAlertCreateEptException(), IntAlertCreateExportSignature(), IntAlertCreateIntegrityException(), IntAlertCreateModuleLoadException(), and IntAlertCreateMsrException().
| static DWORD IntAlertGetHashForWindowsName | ( | const WCHAR * | Originator, |
| const size_t | MaxLength | ||
| ) |
Compute the crc32-hash for the provided string.
The function parses the provided string (a path) and extracts only the file name; the crc32-hash is computed over the extracted file name only. The crc32-hash is not computed in the following cases:
| [in] | Originator | The string for which the crc32-hash must be computed. |
| [in] | MaxLength | The maximum length of the buffer. |
Returns: The value of the crc32-hash of the provided string.
Definition at line 54 of file alert_exceptions.c.
Referenced by IntAlertGetHashForName().
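The following added example is not HVMI code. It ties together the three mechanisms documented on this page for turning an alert into an alert-exception record: hashing the originator/victim names with a sentinel for a missing name and file-name extraction for Windows paths (IntAlertGetHashForName and its per-OS variants, including the MaxLength bound), computing the EPT exception flags (IntAlertGetEptExceptionFlags), and dispatching on the event type while refusing unsupported or incomplete events (IntAlertCreateException / IntAlertCreateEptException). Every struct, constant, flag bit and sentinel value in it is an assumption made for the example, the CRC-32 variant is the standard IEEE one rather than whatever HVMI uses, and the sample alert is constructed.

```c
/*
 * Added example, not HVMI code: it mirrors the steps this page documents for
 * turning an alert into an alert-exception record (name hashing, flag computation,
 * dispatch on the event type) using a constructed EPT-violation alert. Every type,
 * constant and field name below is an assumption for the example; HVMI's real
 * EVENT_EPT_VIOLATION layout, flag bits and sentinel values are not reproduced here.
 */
#include <stddef.h>
#include <stdint.h>

typedef uint16_t WCHAR_T;                   /* UTF-16 code unit, standing in for WCHAR */
#define EXC_NAME_NONE        0xFFFFFFFFu    /* assumed stand-in for kmExcNameNone/umExcNameNone */
#define STATUS_SUCCESS       0
#define STATUS_NOT_SUPPORTED (-1)
enum { EXC_FLAG_32 = 1u, EXC_FLAG_64 = 2u, EXC_FLAG_LINUX = 4u,       /* assumed bit layout */
       EXC_FLAG_READ = 8u, EXC_FLAG_WRITE = 16u, EXC_FLAG_EXEC = 32u };
enum ViolationType { VIOL_READ, VIOL_WRITE, VIOL_EXEC };
enum EventType { EVT_EPT, EVT_MSR };

typedef struct {                            /* stand-in for EVENT_EPT_VIOLATION */
    enum ViolationType Violation;
    int LinuxGuest;
    const WCHAR_T *Originator, *Victim;     /* NULL when unknown */
} EptEvent;
typedef struct { uint32_t Version, Flags, OriginatorHash, VictimHash; } AlertException;

/* Standard reflected CRC-32 (poly 0xEDB88320, init and final xor 0xFFFFFFFF). */
uint32_t crc32_bytes(const uint8_t *p, size_t n)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++) crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Length bounded by MaxLength so an unterminated guest buffer is never over-read. */
static size_t wlen_bounded(const WCHAR_T *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != 0) n++;
    return n;
}

/* Linux names are hashed as given (over their UTF-16LE bytes; little-endian host assumed). */
uint32_t hash_linux_name(const WCHAR_T *name, size_t max)
{
    return crc32_bytes((const uint8_t *)name, wlen_bounded(name, max) * sizeof(WCHAR_T));
}

/* Windows names arrive as paths: only the component after the last separator is hashed. */
uint32_t hash_windows_name(const WCHAR_T *name, size_t max)
{
    size_t n = wlen_bounded(name, max), start = 0;
    for (size_t i = 0; i < n; i++)
        if (name[i] == '\\' || name[i] == '/') start = i + 1;
    return crc32_bytes((const uint8_t *)(name + start), (n - start) * sizeof(WCHAR_T));
}

/* Missing name -> sentinel, otherwise dispatch on the guest OS, as IntAlertGetHashForName does. */
uint32_t hash_name(const WCHAR_T *name, int linux_guest, size_t max)
{
    if (name == NULL || max == 0 || name[0] == 0) return EXC_NAME_NONE;
    return linux_guest ? hash_linux_name(name, max) : hash_windows_name(name, max);
}

/* Always 32- and 64-bit, the Linux bit for Linux guests, one access bit per violation type. */
uint32_t ept_exception_flags(const EptEvent *ev)
{
    uint32_t f = EXC_FLAG_32 | EXC_FLAG_64 | (ev->LinuxGuest ? EXC_FLAG_LINUX : 0u);
    return f | (ev->Violation == VIOL_READ  ? EXC_FLAG_READ  :
                ev->Violation == VIOL_WRITE ? EXC_FLAG_WRITE : EXC_FLAG_EXEC);
}

/* An event without a victim is incomplete and is refused rather than turned into a broad exception. */
int create_ept_exception(const EptEvent *ev, AlertException *out)
{
    if (ev->Victim == NULL) return STATUS_NOT_SUPPORTED;
    out->Version        = 1;                    /* bumped on every incompatible layout change */
    out->Flags          = ept_exception_flags(ev);
    out->OriginatorHash = hash_name(ev->Originator, ev->LinuxGuest, 260);
    out->VictimHash     = hash_name(ev->Victim, ev->LinuxGuest, 260);
    return STATUS_SUCCESS;
}

/* Dispatcher in the spirit of IntAlertCreateException: unsupported types are refused, not guessed. */
int create_exception(const void *ev, enum EventType type, AlertException *out)
{
    return type == EVT_EPT ? create_ept_exception((const EptEvent *)ev, out) : STATUS_NOT_SUPPORTED;
}

/* Constructed sample alert (not a real HVMI event): a write by an unknown originator into ntoskrnl.exe. */
const WCHAR_T SAMPLE_PATH[] = {'C',':','\\','W','i','n','d','o','w','s','\\','n','t','o','s','k','r','n','l','.','e','x','e',0};
const WCHAR_T SAMPLE_NAME[] = {'n','t','o','s','k','r','n','l','.','e','x','e',0};
const EptEvent SAMPLE_EVENT = { VIOL_WRITE, 0, NULL, SAMPLE_PATH };
AlertException SAMPLE_OUT;

int build_sample_exception(enum EventType type) { return create_exception(&SAMPLE_EVENT, type, &SAMPLE_OUT); }
```

Two points worth noting from the page that the example makes concrete: the Windows and Linux hashes of the same binary name only agree when the Windows side is first reduced to its file name, so an exception written from a Windows alert matches by basename rather than by full path; and the MaxLength bound is what keeps the hash from walking past a guest-controlled, possibly unterminated buffer.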