Bitdefender Hypervisor Memory Introspection
alert_exceptions.c
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2020 Bitdefender
3  * SPDX-License-Identifier: Apache-2.0
4  */
9 
10 #include "alert_exceptions.h"
11 #include "crc32.h"
12 #include "guests.h"
13 #include "utils.h"
14 
15 
16 static DWORD
17 IntAlertGetHashForLinuxName(
18  _In_ const WCHAR *Originator,
19  _In_ const size_t MaxLength
20  )
32 {
33  if (wstrnlen(Originator, MaxLength) == MaxLength)
34  {
35  return kmExcNameInvalid;
36  }
37 
38  if (0 == wstrcasecmp(Originator, u"kernel"))
39  {
40  return kmExcNameKernel;
41  }
42  else
43  {
44  CHAR name[64];
45 
46  utf16toutf8(name, Originator, sizeof(name));
47 
48  return Crc32String(name, INITIAL_CRC_VALUE);
49  }
50 }
51 
52 
53 static DWORD
54 IntAlertGetHashForWindowsName(
55  _In_ const WCHAR *Originator,
56  _In_ const size_t MaxLength
57  )
72 {
73  size_t i, len = wstrnlen(Originator, MaxLength);
74 
75  if (len == MaxLength)
76  {
77  return kmExcNameInvalid;
78  }
79 
80  if (Originator[0] == u'\\' ||
81  (((Originator[0] >= u'C' && Originator[0] <= u'Z') ||
82  (Originator[0] >= u'c' && Originator[0] <= u'z')) &&
83  Originator[1] == u':' &&
84  Originator[2] == u'\\'))
85  {
86  for (i = len - 1; i > 0; i--)
87  {
88  if (Originator[i] == u'\\')
89  {
90  i++;
91  break;
92  }
93  }
94  }
95  else
96  {
97  i = 0;
98  }
99 
100  if (0 == wstrncasecmp_len(&Originator[i], u"ntkrnlmp.exe", len - i, CWSTRLEN(u"ntkrnlmp.exe")) ||
101  0 == wstrncasecmp_len(&Originator[i], u"ntkrnlpa.exe", len - i, CWSTRLEN(u"ntkrnlpa.exe")) ||
102  0 == wstrncasecmp_len(&Originator[i], u"ntkrpamp.exe", len - i, CWSTRLEN(u"ntkrpamp.exe")) ||
103  0 == wstrncasecmp_len(&Originator[i], u"ntoskrnl.exe", len - i, CWSTRLEN(u"ntoskrnl.exe")))
104  {
105  return kmExcNameKernel;
106  }
107  else if (0 == wstrncasecmp_len(&Originator[i], u"hal.dll", len - i, CWSTRLEN(u"hal.dll")) ||
108  0 == wstrncasecmp_len(&Originator[i], u"halmacpi.dll", len - i, CWSTRLEN(u"halmacpi.dll")) ||
109  0 == wstrncasecmp_len(&Originator[i], u"halacpi.dll", len - i, CWSTRLEN(u"halacpi.dll")))
110  {
111  return kmExcNameHal;
112  }
113  else
114  {
115  return Crc32Wstring(&Originator[i], INITIAL_CRC_VALUE);
116  }
117 }
118 
119 
120 static DWORD
121 IntAlertGetHashForName(
122  _In_opt_ const WCHAR *Originator,
123  _In_ BOOLEAN LinuxGuest,
124  _In_ BOOLEAN KernelMode,
125  _In_ size_t MaxLength
126  )
140 {
141  if (Originator == NULL)
142  {
143  if (KernelMode)
144  {
145  return kmExcNameNone;
146  }
147  else
148  {
149  return umExcNameNone;
150  }
151  }
152 
153  if (LinuxGuest)
154  {
155  return IntAlertGetHashForLinuxName(Originator, MaxLength);
156  }
157  else
158  {
159  return IntAlertGetHashForWindowsName(Originator, MaxLength);
160  }
161 }
162 
163 
164 static DWORD
165 IntAlertGetEptExceptionFlags(
166  _In_ const EVENT_EPT_VIOLATION *Event
167  )
178 {
179  DWORD flags = EXCEPTION_FLG_32 | EXCEPTION_FLG_64;
180 
181  if (Event->Violation == IG_EPT_HOOK_EXECUTE)
182  {
183  flags |= EXCEPTION_FLG_EXECUTE;
184  }
185  else if (Event->Violation == IG_EPT_HOOK_READ)
186  {
187  flags |= EXCEPTION_FLG_READ;
188  }
189  else
190  {
191  flags |= EXCEPTION_FLG_WRITE;
192  }
193 
194  if (Event->Header.Flags & ALERT_FLAG_LINUX)
195  {
196  flags |= EXCEPTION_FLG_LINUX;
197  }
198 
199  return flags;
200 }
201 
202 
203 static void
204 IntAlertCreateCbSignature(
205  _In_ const INTRO_CODEBLOCKS *CodeBlocks,
206  _In_ BOOLEAN LinuxAlert,
207  _In_ BOOLEAN ExecAlert,
208  _Out_ ALERT_CB_SIGNATURE *Signature
209  )
222 {
223  DWORD offset;
224 
225  if (!CodeBlocks->Valid)
226  {
227  Signature->Valid = FALSE;
228  return;
229  }
230 
231  offset = 0;
232 
233  Signature->Header.Version = ALERT_CB_SIGNATURE_VERSION;
234  Signature->Flags = SIGNATURE_FLG_32 | SIGNATURE_FLG_64;
235 
236  if (LinuxAlert)
237  {
238  Signature->Flags |= SIGNATURE_FLG_LINUX;
239  }
240 
241  if (CodeBlocks->RipCbIndex > ALERT_MAX_CODEBLOCKS)
242  {
243  ERROR("[ERROR] The index (%d) of the RIP's codeblock is grater than the ALERT_MAX_CODEBLOCKS (%d)\n",
244  CodeBlocks->RipCbIndex, ALERT_MAX_CODEBLOCKS);
245 
246  Signature->Valid = FALSE;
247  return;
248  }
249 
250  if (CodeBlocks->Count > ALERT_MAX_CODEBLOCKS)
251  {
252  ERROR("[ERROR] The number of codeblocks (%d) is grater than the ALERT_MAX_CODEBLOCKS (%d)\n",
253  CodeBlocks->RipCbIndex, ALERT_MAX_CODEBLOCKS);
254 
255  Signature->Valid = FALSE;
256  return;
257  }
258 
259  if (!ExecAlert)
260  {
261  if (CodeBlocks->RipCbIndex < (ALERT_HASH_COUNT / 2))
262  {
263  // [0; ALERT_HASH_COUNT]
264  offset = 0;
265  }
266  else if (CodeBlocks->RipCbIndex + (ALERT_HASH_COUNT / 2) >= CodeBlocks->Count)
267  {
268  // [Count - ALERT_HASH_COUNT; Count]
269  offset = CodeBlocks->Count >= ALERT_HASH_COUNT ? CodeBlocks->Count - ALERT_HASH_COUNT : 0;
270  }
271  else
272  {
273  // before & after rip
274  offset = CodeBlocks->RipCbIndex - (ALERT_HASH_COUNT / 2);
275  }
276  }
277 
278  Signature->Count = (BYTE)MIN(CodeBlocks->Count, ALERT_HASH_COUNT);
279  if (Signature->Count == 0)
280  {
281  WARNING("[WARNING] Codeblocks count is zero\n");
282  Signature->Valid = FALSE;
283 
284  return;
285  }
286 
287  Signature->Score = MAX(Signature->Count - 1, 1);
288 
289  for (int i = 0; i < Signature->Count; i++)
290  {
291  Signature->CodeBlocks[i] = CodeBlocks->CodeBlocks[i + offset].Value;
292  }
293 
294  UtilQuickSort(Signature->CodeBlocks,
295  Signature->Count,
296  sizeof(Signature->CodeBlocks[0]));
297 
298  Signature->Valid = TRUE;
299 }
300 
301 
302 static void
303 IntAlertCreateProcessCreationSignature(
304  _In_ DWORD PcType,
305  _In_ BOOLEAN LinuxAlert,
306  _Out_ ALERT_PROCESS_CREATION_SIGNATURE *Signature
307  )
318 {
319  Signature->Header.Version = ALERT_PROCESS_CREATION_SIGNATURE_VERSION;
320  Signature->Flags = SIGNATURE_FLG_32 | SIGNATURE_FLG_64;
321 
322  if (LinuxAlert)
323  {
324  Signature->Flags |= SIGNATURE_FLG_LINUX;
325  }
326 
327  Signature->CreateMask = PcType;
328 
329  Signature->Valid = TRUE;
330 }
331 
332 
333 static void
334 IntAlertCreateIdtSignature(
335  _In_ const BYTE Entry,
336  _In_ BOOLEAN LinuxAlert,
337  _Out_ ALERT_IDT_SIGNATURE *Signature
338  )
349 {
350  Signature->Header.Version = ALERT_IDT_SIGNATURE_VERSION;
351  Signature->Flags = gGuest.Guest64 ? SIGNATURE_FLG_64 : SIGNATURE_FLG_32;
352 
353  if (LinuxAlert)
354  {
355  Signature->Flags |= SIGNATURE_FLG_LINUX;
356  }
357 
358  Signature->Entry = Entry;
359 
360  Signature->Valid = TRUE;
361 }
362 
363 
364 static void
365 IntAlertCreateExportSignature(
366  _In_ const INTRO_MODULE *Module,
367  _In_ const char *FunctionName,
368  _In_ DWORD FunctionNameHash,
369  _In_ DWORD Delta,
370  _In_ DWORD WriteSize,
371  _In_ BOOLEAN LinuxEvent,
372  _Out_ ALERT_EXPORT_SIGNATURE *Signature
373  )
389 {
390  if (!Module->Valid || Module->Name[0] == 0)
391  {
392  Signature->Valid = FALSE;
393  return;
394  }
395 
396  Signature->Header.Version = ALERT_EXPORT_SIGNATURE_VERSION;
397  Signature->Flags = SIGNATURE_FLG_32 | SIGNATURE_FLG_64;
398 
399  if (LinuxEvent)
400  {
401  Signature->Flags |= SIGNATURE_FLG_LINUX;
402  }
403 
404  Signature->Library = IntAlertGetHashForName(Module->Name, LinuxEvent, FALSE, sizeof(Module->Name));
405  if (Signature->Library == kmExcNameInvalid)
406  {
407  Signature->Valid = FALSE;
408  return;
409  }
410 
411  if (FunctionName[0])
412  {
413  Signature->Function = FunctionNameHash;
414  }
415  else
416  {
417  Signature->Function = umExcNameAny;
418  }
419 
420  Signature->Delta = (BYTE)Delta;
421  Signature->WriteSize = (BYTE)WriteSize;
422 
423  Signature->Valid = TRUE;
424 }
425 
426 
427 static INTSTATUS
428 IntAlertCreateEptException(
429  _In_ const EVENT_EPT_VIOLATION *Event,
430  _In_ BOOLEAN LogErrors,
431  _Inout_ void *Exception
432  )
451 {
452  const WCHAR *originator = NULL;
453  const WCHAR *victim = NULL;
454  BOOLEAN linuxAlert;
455  INTRO_ALERT_EXCEPTION_HEADER *header = Exception;
456 
457  UNREFERENCED_PARAMETER(LogErrors);
458 
459  header->Valid = FALSE;
460 
461  // Don't take into consideration the return driver, except when the original one it's missing. It's safer this way.
462  // Anyway, we don't have a proper way on choosing between them...
463  if (Event->Originator.Module.Valid)
464  {
465  originator = Event->Originator.Module.Name;
466  }
467  else if (Event->Originator.ReturnModule.Valid)
468  {
469  originator = Event->Originator.ReturnModule.Name;
470  }
471 
472  linuxAlert = (Event->Header.Flags & ALERT_FLAG_LINUX) != 0;
473 
474  if (Event->Header.Flags & ALERT_FLAG_KM_UM)
475  {
476  ALERT_KUM_EXCEPTION *pException = Exception;
477  BOOLEAN valid = FALSE;
478 
479  if (linuxAlert)
480  {
481  pException->Flags |= SIGNATURE_FLG_LINUX;
482  }
483 
484  pException->Flags |= IntAlertGetEptExceptionFlags(Event);
485  pException->Originator = IntAlertGetHashForName(originator,
486  linuxAlert,
487  TRUE,
488  sizeof(Event->Originator.Module.Name));
489  if (pException->Originator == kmExcNameInvalid)
490  {
491  return INT_STATUS_INVALID_DATA_SIZE;
492  }
493 
494  if (Event->Victim.Type == introObjectTypeUmModule)
495  {
496  if (Event->ZoneTypes & ZONE_LIB_IMPORTS)
497  {
498  pException->Type = kumObjModuleImports;
499  }
500  else if (Event->ZoneTypes & ZONE_LIB_EXPORTS)
501  {
502  pException->Type = kumObjModuleExports;
503  }
504  else
505  {
506  pException->Type = kumObjModule;
507  }
508  }
509  else
510  {
511  ERROR("[ERROR] Invalid victim type (%d) for kernel-user exceptions!", Event->Victim.Type);
512  return INT_STATUS_NOT_SUPPORTED;
513  }
514 
515  if (Event->Violation != IG_EPT_HOOK_EXECUTE)
516  {
517  pException->Victim = IntAlertGetHashForName(Event->Victim.Module.Name,
518  linuxAlert,
519  FALSE,
520  sizeof(Event->Victim.Module.Name));
521  if (pException->Victim == umExcNameInvalid)
522  {
523  return INT_STATUS_INVALID_DATA_SIZE;
524  }
525  }
526  else
527  {
528  pException->Victim = umExcNameAny;
529  pException->Originator = umExcNameNone;
530  }
531 
532  pException->Process = Crc32StringLen(Event->Header.CurrentProcess.ImageName,
533  INITIAL_CRC_VALUE,
534  sizeof(Event->Header.CurrentProcess.ImageName),
535  &valid);
536  if (!valid)
537  {
538  return INT_STATUS_INVALID_DATA_SIZE;
539  }
540 
541  IntAlertCreateCbSignature(&Event->CodeBlocks,
542  linuxAlert,
543  Event->Violation == IG_EPT_HOOK_EXECUTE,
544  &pException->CodeBlocks);
545  }
546  else if (!(Event->Header.Flags & ALERT_FLAG_NOT_RING0))
547  {
548  ALERT_KM_EXCEPTION *pKmException = Exception;
549 
550  if ((Event->Victim.Type == introObjectTypeKmModule && !Event->Victim.Module.Valid) ||
551  ((Event->Victim.Type == introObjectTypeDriverObject ||
552  Event->Victim.Type == introObjectTypeFastIoDispatch) &&
553  !Event->Victim.DriverObject.Valid))
554  {
555  return INT_STATUS_NOT_SUPPORTED;
556  }
557 
558  if (linuxAlert)
559  {
560  pKmException->Flags |= SIGNATURE_FLG_LINUX;
561  }
562 
563  pKmException->Flags |= IntAlertGetEptExceptionFlags(Event);
564 
565  pKmException->Originator = IntAlertGetHashForName(originator,
566  linuxAlert,
567  TRUE,
568  sizeof(Event->Originator.Module.Name));
569  if (pKmException->Originator == kmExcNameInvalid)
570  {
571  return INT_STATUS_INVALID_DATA_SIZE;
572  }
573 
574  if (Event->Victim.Type == introObjectTypeKmModule ||
575  Event->Victim.Type == introObjectTypeSsdt ||
576  Event->Victim.Type == introObjectTypeTokenPrivs ||
577  (linuxAlert && (Event->Victim.Type == introObjectTypeVdso ||
578  Event->Victim.Type == introObjectTypeVsyscall)))
579  {
580  victim = Event->Victim.Module.Name;
581 
582  if (Event->Victim.Type == introObjectTypeVsyscall)
583  {
584  pKmException->Victim = kmExcNameVsyscall;
585  }
586  else if (Event->Victim.Type == introObjectTypeVdso)
587  {
588  pKmException->Victim = kmExcNameVdso;
589  }
590  else if (Event->Victim.Type == introObjectTypeTokenPrivs)
591  {
592  pKmException->Victim = Crc32String(Event->Header.CurrentProcess.ImageName, INITIAL_CRC_VALUE);
593  }
594  else
595  {
596  pKmException->Victim = IntAlertGetHashForName(victim,
597  linuxAlert,
598  TRUE,
599  sizeof(Event->Victim.Module.Name));
600  if (pKmException->Victim == kmExcNameInvalid)
601  {
602  return INT_STATUS_INVALID_DATA_SIZE;
603  }
604  }
605 
606  if (Event->Victim.Type == introObjectTypeSsdt)
607  {
608  pKmException->Type = kmObjSsdt;
609  }
610  else if (Event->Victim.Type == introObjectTypeTokenPrivs)
611  {
612  pKmException->Type = kmObjTokenPrivs;
613  }
614  else if (Event->ZoneTypes & ZONE_LIB_IMPORTS)
615  {
616  pKmException->Type = kmObjDriverImports;
617  }
618  else if (Event->ZoneTypes & ZONE_LIB_EXPORTS)
619  {
620  pKmException->Type = kmObjDriverExports;
621  }
622  else if (Event->ZoneTypes & ZONE_LIB_CODE)
623  {
624  pKmException->Type = kmObjDriverCode;
625  }
626  else if (Event->ZoneTypes & ZONE_LIB_DATA)
627  {
628  pKmException->Type = kmObjDriverData;
629  }
630  else if (Event->ZoneTypes & ZONE_LIB_RESOURCES)
631  {
632  pKmException->Type = kmObjDriverResources;
633  }
634  else
635  {
636  return INT_STATUS_NOT_SUPPORTED;
637  }
638  }
639  else if (Event->Victim.Type == introObjectTypeDriverObject ||
640  Event->Victim.Type == introObjectTypeFastIoDispatch)
641  {
642  BOOLEAN valid = FALSE;
643  victim = Event->Victim.DriverObject.Name;
644 
645  pKmException->Victim = Crc32WstringLen(victim,
646  INITIAL_CRC_VALUE,
647  sizeof(Event->Victim.DriverObject.Name),
648  &valid);
649  if (!valid)
650  {
651  return INT_STATUS_INVALID_DATA_SIZE;
652  }
653 
654  if (Event->Victim.Type == introObjectTypeDriverObject)
655  {
656  pKmException->Type = kmObjDrvObj;
657  }
658  else if (Event->Victim.Type == introObjectTypeFastIoDispatch)
659  {
660  pKmException->Type = kmObjFastIo;
661  }
662  }
663  else if (Event->Victim.Type == introObjectTypeIdt)
664  {
665  pKmException->Victim = kmExcNameAny;
666  pKmException->Type = kmObjIdt;
667 
668  IntAlertCreateIdtSignature(Event->Victim.IdtEntry, linuxAlert, &pKmException->Idt);
669  }
670  else if (Event->Victim.Type == introObjectTypeKmLoggerContext)
671  {
672  pKmException->Victim = kmExcNameAny;
673  pKmException->Type = kmObjLoggerCtx;
674  }
675  else
676  {
677  return INT_STATUS_NOT_SUPPORTED;
678  }
679 
680  IntAlertCreateCbSignature(&Event->CodeBlocks,
681  linuxAlert,
682  Event->Violation == IG_EPT_HOOK_EXECUTE,
683  &pKmException->CodeBlocks);
684  }
685  else
686  {
687  ALERT_UM_EXCEPTION *pUmException = Exception;
688  BOOLEAN valid;
689 
690  if (linuxAlert)
691  {
692  pUmException->Flags |= SIGNATURE_FLG_LINUX;
693  }
694 
695  if ((Event->Victim.Type != introObjectTypeUmModule &&
696  Event->Victim.Type != introObjectTypeUmGenericNxZone &&
697  Event->Victim.Type != introObjectTypeSharedUserData) ||
698  (!Event->Header.CurrentProcess.Valid))
699  {
700  return INT_STATUS_NOT_SUPPORTED;
701  }
702 
703  pUmException->Flags = IntAlertGetEptExceptionFlags(Event);
704 
705  if (Event->Victim.Type == introObjectTypeUmModule)
706  {
707  if (Event->ZoneTypes & ZONE_LIB_IMPORTS)
708  {
709  pUmException->Type = umObjModuleImports;
710  }
711  else if (Event->ZoneTypes & ZONE_LIB_EXPORTS)
712  {
713  pUmException->Type = umObjModuleExports;
714  }
715  else
716  {
717  pUmException->Type = umObjModule;
718  }
719  }
720  else if (Event->Victim.Type == introObjectTypeUmGenericNxZone)
721  {
722  pUmException->Type = umObjNxZone;
723  }
724  else if (Event->Victim.Type == introObjectTypeSharedUserData)
725  {
726  pUmException->Type = umObjSharedUserData;
727  }
728 
729  if (Event->Violation != IG_EPT_HOOK_EXECUTE)
730  {
731  pUmException->Originator = IntAlertGetHashForName(originator,
732  linuxAlert,
733  FALSE,
734  sizeof(Event->Originator.Module.Name));
735  if (pUmException->Originator == umExcNameInvalid)
736  {
737  return INT_STATUS_INVALID_DATA_SIZE;
738  }
739 
740  pUmException->Victim = IntAlertGetHashForName(Event->Victim.Module.Name,
741  linuxAlert,
742  FALSE,
743  sizeof(Event->Victim.Module.Name));
744  if (pUmException->Victim == umExcNameInvalid)
745  {
746  return INT_STATUS_INVALID_DATA_SIZE;
747  }
748  }
749  else
750  {
751  pUmException->Victim = umExcNameAny;
752  pUmException->Originator = umExcNameNone;
753  }
754 
755  pUmException->Process = Crc32StringLen(Event->Header.CurrentProcess.ImageName,
756  INITIAL_CRC_VALUE,
757  sizeof(Event->Header.CurrentProcess.ImageName),
758  &valid);
759  if (!valid)
760  {
761  return INT_STATUS_INVALID_DATA_SIZE;
762  }
763 
764  IntAlertCreateCbSignature(&Event->CodeBlocks,
765  linuxAlert,
766  Event->Violation == IG_EPT_HOOK_EXECUTE,
767  &pUmException->CodeBlocks);
768  }
769 
770  header->ViolationFlags = Event->Header.Flags;
771  header->Valid = TRUE;
772 
773  return INT_STATUS_SUCCESS;
774 }
775 
776 
777 static INTSTATUS
778 IntAlertCreateMsrException(
779  _In_ const EVENT_MSR_VIOLATION *Event,
780  _In_ BOOLEAN LogErrors,
781  _Out_ void *Exception
782  )
796 {
797  ALERT_KM_EXCEPTION *pKmException = Exception;
798  const WCHAR *originator = NULL;
799  BOOLEAN linuxAlert = (Event->Header.Flags & ALERT_FLAG_LINUX) != 0;
800  INTRO_ALERT_EXCEPTION_HEADER *header = Exception;
801 
802  UNREFERENCED_PARAMETER(LogErrors);
803 
804  header->Valid = FALSE;
805 
806  if (Event->Originator.Module.Valid)
807  {
808  originator = Event->Originator.Module.Name;
809  }
810 
811  pKmException->Flags = EXCEPTION_FLG_32 | EXCEPTION_FLG_64 | EXCEPTION_FLG_WRITE;
812 
813  if (linuxAlert)
814  {
815  pKmException->Flags |= EXCEPTION_FLG_LINUX;
816  }
817 
818  pKmException->Victim = kmExcNameAny;
819  pKmException->Type = kmObjMsr;
820  pKmException->Originator = IntAlertGetHashForName(originator,
821  linuxAlert,
822  TRUE,
823  sizeof(Event->Originator.Module.Name));
824  if (pKmException->Originator == kmExcNameInvalid)
825  {
826  return INT_STATUS_INVALID_DATA_SIZE;
827  }
828 
829  IntAlertCreateCbSignature(&Event->CodeBlocks, linuxAlert, FALSE, &pKmException->CodeBlocks);
830 
831  header->ViolationFlags = Event->Header.Flags;
832  header->Valid = TRUE;
833 
834  return INT_STATUS_SUCCESS;
835 }
836 
837 
838 static INTSTATUS
839 IntAlertCreateCrException(
840  _In_ const EVENT_CR_VIOLATION *Event,
841  _In_ BOOLEAN LogErrors,
842  _Out_ void *Exception
843  )
857 {
858  ALERT_KM_EXCEPTION *pKmException = Exception;
859  const WCHAR *originator = NULL;
860  BOOLEAN linuxAlert = (Event->Header.Flags & ALERT_FLAG_LINUX) != 0;
861  INTRO_ALERT_EXCEPTION_HEADER *header = Exception;
862 
863  UNREFERENCED_PARAMETER(LogErrors);
864 
865  header->Valid = FALSE;
866 
867  if (Event->Originator.Module.Valid)
868  {
869  originator = Event->Originator.Module.Name;
870  }
871 
872  pKmException->Flags = EXCEPTION_FLG_32 | EXCEPTION_FLG_64 |
873  EXCEPTION_KM_FLG_SMEP | EXCEPTION_KM_FLG_SMAP | EXCEPTION_FLG_WRITE;
874 
875  if (linuxAlert)
876  {
877  pKmException->Flags |= EXCEPTION_FLG_LINUX;
878  }
879 
880  pKmException->Victim = kmExcNameAny;
881  pKmException->Type = kmObjCr4;
882  pKmException->Originator = IntAlertGetHashForName(originator,
883  linuxAlert,
884  TRUE,
885  sizeof(Event->Originator.Module.Name));
886  if (pKmException->Originator == kmExcNameInvalid)
887  {
888  return INT_STATUS_INVALID_DATA_SIZE;
889  }
890 
891  IntAlertCreateCbSignature(&Event->CodeBlocks, linuxAlert, FALSE, &pKmException->CodeBlocks);
892 
893  header->ViolationFlags = Event->Header.Flags;
894  header->Valid = TRUE;
895 
896  return INT_STATUS_SUCCESS;
897 }
898 
899 
900 static INTSTATUS
901 IntAlertCreateInjectionException(
902  _In_ const EVENT_MEMCOPY_VIOLATION *Event,
903  _In_ BOOLEAN LogErrors,
904  _Out_ void *Exception
905  )
920 {
921  ALERT_UM_EXCEPTION *pException = Exception;
922  BOOLEAN linuxAlert = (Event->Header.Flags & ALERT_FLAG_LINUX) != 0;
923  INTRO_ALERT_EXCEPTION_HEADER *header = Exception;
924  BOOLEAN valid;
925 
926  UNREFERENCED_PARAMETER(LogErrors);
927 
928  header->Valid = FALSE;
929 
930  if (Event->Originator.Process.ImageName[0] == 0 ||
931  Event->Victim.Process.ImageName[0] == 0)
932  {
933  return INT_STATUS_NOT_SUPPORTED;
934  }
935 
936  pException->Flags = EXCEPTION_FLG_32 | EXCEPTION_FLG_64;
937 
938  if (linuxAlert)
939  {
940  pException->Flags |= EXCEPTION_FLG_LINUX;
941  }
942 
943  switch (Event->ViolationType)
944  {
945  case memCopyViolationRead:
946  pException->Flags |= EXCEPTION_FLG_READ;
947  break;
948  default:
949  pException->Flags |= EXCEPTION_FLG_WRITE;
950  break;
951  }
952 
953  if (Event->ViolationType == memCopyViolationSetContextThread)
954  {
955  pException->Type = umObjProcessThreadContext;
956  }
957  else if (Event->ViolationType == memCopyViolationQueueApcThread)
958  {
959  pException->Type = umObjProcessApcThread;
960  }
961  else
962  {
963  pException->Type = umObjProcess;
964  }
965 
966  pException->Process = umExcNameAny;
967  pException->Originator = Crc32StringLen(Event->Originator.Process.ImageName,
968  INITIAL_CRC_VALUE,
969  sizeof(Event->Originator.Process.ImageName),
970  &valid);
971  if (!valid)
972  {
973  return INT_STATUS_INVALID_DATA_SIZE;
974  }
975 
976  pException->Victim = Crc32StringLen(Event->Victim.Process.ImageName,
977  INITIAL_CRC_VALUE,
978  sizeof(Event->Victim.Process.ImageName),
979  &valid);
980  if (!valid)
981  {
982  return INT_STATUS_INVALID_DATA_SIZE;
983  }
984 
985  IntAlertCreateExportSignature(&Event->Victim.Module,
986  Event->FunctionName,
987  Event->FunctionNameHash,
988  Event->Delta,
989  Event->CopySize,
990  linuxAlert,
991  &pException->Export);
992 
993  header->ViolationFlags = Event->Header.Flags;
994  header->Valid = TRUE;
995 
996  return INT_STATUS_SUCCESS;
997 }
998 
999 
1000 static INTSTATUS
1001 IntAlertCreateProcessCreationException(
1002  _In_ const EVENT_PROCESS_CREATION_VIOLATION *Event,
1003  _In_ BOOLEAN LogErrors,
1004  _Inout_ void *Exception
1005  )
1020 {
1021  ALERT_UM_EXCEPTION *pException = Exception;
1022  BOOLEAN linuxAlert = (Event->Header.Flags & ALERT_FLAG_LINUX) != 0;
1023  INTRO_ALERT_EXCEPTION_HEADER *header = Exception;
1024  BOOLEAN valid;
1025 
1026  UNREFERENCED_PARAMETER(LogErrors);
1027 
1028  header->Valid = FALSE;
1029 
1030  if (Event->Originator.ImageName[0] == 0 ||
1031  Event->Victim.ImageName[0] == 0)
1032  {
1033  return INT_STATUS_NOT_SUPPORTED;
1034  }
1035 
1036  if (linuxAlert)
1037  {
1038  pException->Flags |= EXCEPTION_FLG_LINUX;
1039  }
1040 
1041  pException->Flags |= EXCEPTION_FLG_32 | EXCEPTION_FLG_64 | EXCEPTION_FLG_EXECUTE;
1042  pException->Type = Event->PcType ? umObjProcessCreation : umObjProcessCreationDpi;
1043  pException->Originator = Crc32StringLen(Event->Originator.ImageName,
1044  INITIAL_CRC_VALUE,
1045  sizeof(Event->Originator.ImageName),
1046  &valid);
1047  if (!valid)
1048  {
1049  return INT_STATUS_INVALID_DATA_SIZE;
1050  }
1051 
1052  pException->Victim = Crc32StringLen(Event->Victim.ImageName,
1053  INITIAL_CRC_VALUE,
1054  sizeof(Event->Victim.ImageName),
1055  &valid);
1056  if (!valid)
1057  {
1058  return INT_STATUS_INVALID_DATA_SIZE;
1059  }
1060  pException->Process = umExcNameAny;
1061 
1062  if (Event->PcType != 0)
1063  {
1064  IntAlertCreateProcessCreationSignature(Event->PcType, linuxAlert, &pException->ProcessCreation);
1065  }
1066 
1067  header->ViolationFlags = Event->Header.Flags;
1068  header->Valid = TRUE;
1069 
1070  return INT_STATUS_SUCCESS;
1071 }
1072 
1073 
1074 static INTSTATUS
1075 IntAlertCreateModuleLoadException(
1076  _In_ const EVENT_MODULE_LOAD_VIOLATION *Event,
1077  _In_ BOOLEAN LogErrors,
1078  _Out_ void *Exception
1079  )
1093 {
1094  ALERT_UM_EXCEPTION *pException = Exception;
1095  BOOLEAN linuxAlert = (Event->Header.Flags & ALERT_FLAG_LINUX) != 0;
1096  INTRO_ALERT_EXCEPTION_HEADER *header = Exception;
1097  BOOLEAN valid;
1098 
1099  UNREFERENCED_PARAMETER(LogErrors);
1100 
1101  header->Valid = FALSE;
1102 
1103  if (Event->Originator.Module.Name[0] == 0 ||
1104  Event->Victim.ImageName[0] == 0)
1105  {
1106  return INT_STATUS_NOT_SUPPORTED;
1107  }
1108 
1109  pException->Flags = EXCEPTION_FLG_32 | EXCEPTION_FLG_64;
1110 
1111  if (linuxAlert)
1112  {
1113  pException->Flags |= EXCEPTION_FLG_LINUX;
1114  }
1115 
1116  pException->Originator = IntAlertGetHashForName(Event->Originator.Module.Name,
1117  linuxAlert,
1118  FALSE,
1119  sizeof(Event->Originator.Module.Name));
1120  if (pException->Originator == kmExcNameInvalid)
1121  {
1122  return INT_STATUS_INVALID_DATA_SIZE;
1123  }
1124 
1125  pException->Victim = Crc32StringLen(Event->Victim.ImageName,
1126  INITIAL_CRC_VALUE,
1127  sizeof(Event->Victim.ImageName),
1128  &valid);
1129  if (!valid)
1130  {
1131  return INT_STATUS_INVALID_DATA_SIZE;
1132  }
1133 
1134  pException->Process = pException->Victim;
1135  pException->Flags |= EXCEPTION_FLG_WRITE;
1136  pException->Type = umObjModuleLoad;
1137 
1138  header->ViolationFlags = Event->Header.Flags;
1139  header->Valid = TRUE;
1140 
1141  return INT_STATUS_SUCCESS;
1142 }
1143 
1144 
1145 static INTSTATUS
1146 IntAlertCreateIntegrityException(
1147  _In_ const EVENT_INTEGRITY_VIOLATION *Event,
1148  _In_ BOOLEAN LogErrors,
1149  _In_ void *Exception
1150  )
1164 {
1165  ALERT_KM_EXCEPTION *pKmException = Exception;
1166  const WCHAR *originator = NULL;
1167  INTRO_ALERT_EXCEPTION_HEADER *header = Exception;
1168  BOOLEAN valid = TRUE;
1169 
1170  header->Valid = FALSE;
1171 
1172  if (gGuest.OSType == introGuestLinux)
1173  {
1174  if (LogErrors)
1175  {
1176  ERROR("[ERROR] Integrity exceptions are not supported on linux guests!\n");
1177  }
1178 
1179  return INT_STATUS_NOT_SUPPORTED;
1180  }
1181 
1182  if (Event->Victim.Type == introObjectTypeDriverObject)
1183  {
1184  pKmException->Type = kmObjDrvObj;
1185  }
1186  else if (Event->Victim.Type == introObjectTypeFastIoDispatch)
1187  {
1188  pKmException->Type = kmObjFastIo;
1189  }
1190  else if (Event->Victim.Type == introObjectTypeKmLoggerContext)
1191  {
1192  pKmException->Type = kmObjLoggerCtx;
1193  }
1194  else if (Event->Victim.Type == introObjectTypeIdt)
1195  {
1196  pKmException->Type = kmObjIdt;
1197  }
1198  else if (Event->Victim.Type == introObjectTypeTokenPrivs)
1199  {
1200  pKmException->Type = kmObjTokenPrivs;
1201  }
1202  else
1203  {
1204  if (LogErrors)
1205  {
1206  ERROR("[ERROR] The given event is not supported: %d!\n", Event->Victim.Type);
1207  }
1208 
1209  return INT_STATUS_NOT_SUPPORTED;
1210  }
1211 
1212  if (Event->Originator.Module.Valid)
1213  {
1214  originator = Event->Originator.Module.Name;
1215  }
1216 
1217  pKmException->Flags = EXCEPTION_FLG_32 | EXCEPTION_FLG_64 | EXCEPTION_KM_FLG_INTEGRITY | EXCEPTION_FLG_WRITE;
1218 
1219  if (Event->Victim.Type == introObjectTypeTokenPrivs)
1220  {
1221  pKmException->Originator = kmExcNameNone;
1222  }
1223  else
1224  {
1225  pKmException->Originator = IntAlertGetHashForName(originator,
1226  FALSE,
1227  TRUE,
1228  sizeof(Event->Originator.Module.Name));
1229  if (pKmException->Originator == kmExcNameInvalid)
1230  {
1231  return INT_STATUS_INVALID_DATA_SIZE;
1232  }
1233  }
1234 
1235  switch (Event->Victim.Type)
1236  {
1237  case introObjectTypeFastIoDispatch:
1238  case introObjectTypeDriverObject:
1239  if (!Event->Victim.DriverObject.Valid)
1240  {
1241  return INT_STATUS_NOT_SUPPORTED;
1242  }
1243 
1244  pKmException->Victim = Crc32WstringLen(Event->Victim.DriverObject.Name,
1245  INITIAL_CRC_VALUE,
1246  sizeof(Event->Victim.DriverObject.Name),
1247  &valid);
1248  break;
1249 
1250  case introObjectTypeTokenPrivs:
1251  pKmException->Victim = Crc32StringLen(Event->Victim.Process.ImageName,
1252  INITIAL_CRC_VALUE,
1253  sizeof(Event->Victim.Process.ImageName),
1254  &valid);
1255  break;
1256 
1257  default:
1258  pKmException->Victim = kmExcNameAny;
1259  break;
1260  }
1261 
1262  if (!valid)
1263  {
1264  return INT_STATUS_INVALID_DATA_SIZE;
1265  }
1266 
1267 
1268  if (Event->Victim.Type == introObjectTypeIdt)
1269  {
1270  IntAlertCreateIdtSignature(Event->Victim.IdtEntry, FALSE, &pKmException->Idt);
1271  }
1272 
1273  header->ViolationFlags = Event->Header.Flags;
1274  header->Valid = TRUE;
1275 
1276  return INT_STATUS_SUCCESS;
1277 }
1278 
1279 
1280 static INTSTATUS
1281 IntAlertCreateDtrException(
1282  _In_ const EVENT_DTR_VIOLATION *Event,
1283  _In_ BOOLEAN LogErrors,
1284  _Out_ void *Exception
1285  )
1300 {
1301  ALERT_KM_EXCEPTION *pKmException = Exception;
1302  BOOLEAN linuxAlert = (Event->Header.Flags & ALERT_FLAG_LINUX) != 0;
1303  const WCHAR *originator = NULL;
1304  INTRO_ALERT_EXCEPTION_HEADER *header = Exception;
1305 
1306  header->Valid = FALSE;
1307 
1308  if (Event->Victim.Type == introObjectTypeIdtr)
1309  {
1310  pKmException->Type = kmObjIdtr;
1311  }
1312  else if (Event->Victim.Type == introObjectTypeGdtr)
1313  {
1314  pKmException->Type = kmObjGdtr;
1315  }
1316  else
1317  {
1318  if (LogErrors)
1319  {
1320  ERROR("[ERROR] The given event is not supported: %d!\n", Event->Victim.Type);
1321  }
1322 
1323  return INT_STATUS_NOT_SUPPORTED;
1324  }
1325 
1326  if (Event->Originator.Module.Valid)
1327  {
1328  originator = Event->Originator.Module.Name;
1329  }
1330 
1331  pKmException->Flags = (gGuest.Guest64 ? EXCEPTION_FLG_64 : EXCEPTION_FLG_32) | EXCEPTION_FLG_WRITE;
1332 
1333  if (linuxAlert)
1334  {
1335  pKmException->Flags |= EXCEPTION_FLG_LINUX;
1336  }
1337 
1338  pKmException->Victim = kmExcNameAny;
1339  pKmException->Originator = IntAlertGetHashForName(originator,
1340  linuxAlert,
1341  TRUE,
1342  sizeof(Event->Originator.Module.Name));
1343  if (pKmException->Originator == kmExcNameInvalid)
1344  {
1345  return INT_STATUS_INVALID_DATA_SIZE;
1346  }
1347 
1348  IntAlertCreateCbSignature(&Event->CodeBlocks, linuxAlert, FALSE, &pKmException->CodeBlocks);
1349 
1350  header->ViolationFlags = Event->Header.Flags;
1351  header->Valid = TRUE;
1352 
1353  return INT_STATUS_SUCCESS;
1354 }
1355 
1356 
1357 INTSTATUS
1358 IntAlertCreateException(
1359  _In_ const void *Event,
1360  _In_ INTRO_EVENT_TYPE Type,
1361  _In_ BOOLEAN LogErrors,
1362  _Inout_ void *Exception
1363  )
1376 {
1377  INTRO_ALERT_EXCEPTION_HEADER *pHeader = Exception;
1378 
1379  if (Type == introEventEptViolation)
1380  {
1381  if (!(((const EVENT_EPT_VIOLATION *)Event)->Header.Flags & ALERT_FLAG_KM_UM))
1382  {
1383  pHeader->Version = ALERT_KUM_EXCEPTION_VERSION;
1384  }
1385  else if (!(((const EVENT_EPT_VIOLATION *)Event)->Header.Flags & ALERT_FLAG_NOT_RING0))
1386  {
1387  pHeader->Version = ALERT_KM_EXCEPTION_VERSION;
1388  }
1389  else
1390  {
1391  pHeader->Version = ALERT_UM_EXCEPTION_VERSION;
1392  }
1393  }
1394  else if (introEventMsrViolation == Type ||
1395  introEventCrViolation == Type ||
1396  introEventDtrViolation == Type ||
1397  introEventIntegrityViolation == Type)
1398  {
1399  pHeader->Version = ALERT_KM_EXCEPTION_VERSION;
1400  }
1401  else if (introEventInjectionViolation == Type ||
1402  introEventProcessCreationViolation == Type ||
1403  introEventModuleLoadViolation == Type)
1404  {
1405  pHeader->Version = ALERT_UM_EXCEPTION_VERSION;
1406  }
1407 
1408  switch (Type)
1409  {
1410  case introEventEptViolation:
1411  return IntAlertCreateEptException(Event, LogErrors, Exception);
1412 
1413  case introEventMsrViolation:
1414  return IntAlertCreateMsrException(Event, LogErrors, Exception);
1415 
1416  case introEventCrViolation:
1417  return IntAlertCreateCrException(Event, LogErrors, Exception);
1418 
1419  case introEventInjectionViolation:
1420  return IntAlertCreateInjectionException(Event, LogErrors, Exception);
1421 
1422  case introEventIntegrityViolation:
1423  return IntAlertCreateIntegrityException(Event, LogErrors, Exception);
1424 
1425  case introEventDtrViolation:
1426  return IntAlertCreateDtrException(Event, LogErrors, Exception);
1427 
1428  case introEventProcessCreationViolation:
1429  return IntAlertCreateProcessCreationException(Event, LogErrors, Exception);
1430 
1431  case introEventModuleLoadViolation:
1432  return IntAlertCreateModuleLoadException(Event, LogErrors, Exception);
1433 
1434  default:
1435  return INT_STATUS_NOT_SUPPORTED;
1436  }
1437 }
1438 
1439 
1440 INTSTATUS
1441 IntAlertCreateExceptionInEvent(
1442  _Inout_ void *Event,
1443  _In_ INTRO_EVENT_TYPE Type
1444  )
1454 {
1455  if (!IntAlertIsEventTypeViolation(Type))
1456  {
1457  return INT_STATUS_NOT_SUPPORTED;
1458  }
1459 
1460  return IntAlertCreateException(Event, Type, FALSE, &((INTRO_VIOLATION_HEADER *)Event)->Exception);
1461 }
_INTRO_ALERT_EXCEPTION_HEADER::ViolationFlags
QWORD ViolationFlags
A combination of Alert flags values describing the alert.
Definition: intro_types.h:1064
_INTRO_ALERT_EXCEPTION_HEADER::Valid
BOOLEAN Valid
Set to True if the information in the structure is valid, False otherwise.
Definition: intro_types.h:1065
umObjModuleLoad
The object allows only dlls which are detected as suspicous (e.g. module loads before kernel32...
Definition: exceptions.h:219
_In_opt_
#define _In_opt_
Definition: intro_sal.h:16
_Out_
#define _Out_
Definition: intro_sal.h:22
BOOLEAN
_Bool BOOLEAN
Definition: intro_types.h:58
introEventProcessCreationViolation
Sent for unauthorized process creation alerts. See EVENT_PROCESS_CREATION_VIOLATION.
Definition: intro_types.h:115
utf16toutf8
char * utf16toutf8(char *Destination, const WCHAR *Source, DWORD DestinationMaxLength)
Definition: introcrt.c:460
_ALERT_UM_EXCEPTION::Type
UM_EXCEPTION_OBJECT Type
The type of the exception; any type from _UM_EXCEPTION_OBJECT.
Definition: alert_exceptions.h:150
IntAlertGetHashForWindowsName
static DWORD IntAlertGetHashForWindowsName(const WCHAR *Originator, const size_t MaxLength)
Compute the crc32-hash for the provided string.
Definition: alert_exceptions.c:54
_EVENT_CR_VIOLATION
Event structure for CR violation.
Definition: intro_types.h:1228
introObjectTypeKmModule
Kernel module (ntoskrnl.exe, hal.dll, etc.)
Definition: intro_types.h:235
BYTE
uint8_t BYTE
Definition: intro_types.h:47
IG_EPT_HOOK_READ
Read-access hook.
Definition: glueiface.h:298
_In_
#define _In_
Definition: intro_sal.h:21
_ALERT_KM_EXCEPTION::Type
KM_EXCEPTION_OBJECT Type
The type of the exception; any type from _KM_EXCEPTION_OBJECT.
Definition: alert_exceptions.h:105
_ALERT_EXPORT_SIGNATURE
Definition: alert_exceptions.h:56
SIGNATURE_FLG_64
The signature is valid only on 64 bit systems/processes.
Definition: exceptions.h:671
INT_STATUS_SUCCESS
#define INT_STATUS_SUCCESS
Definition: introstatus.h:54
introObjectTypeDriverObject
Driver object.
Definition: intro_types.h:234
introObjectTypeFastIoDispatch
Fast IO Dispatch (Windows only)
Definition: intro_types.h:233
_ALERT_KM_EXCEPTION::Idt
ALERT_IDT_SIGNATURE Idt
The idt alert-signature, if any.
Definition: alert_exceptions.h:108
ALERT_IDT_SIGNATURE_VERSION
#define ALERT_IDT_SIGNATURE_VERSION
Definition: alert_exceptions.h:37
kmExcNameAny
The name can be any string.
Definition: exceptions.h:626
introObjectTypeKmLoggerContext
Infinity hook modifications of WMI_LOGGER_CONTEXT.GetCpuClock.
Definition: intro_types.h:261
memCopyViolationSetContextThread
This represents an attempt of modifying the context of another thread.
Definition: intro_types.h:1299
kmObjDriverImports
The modified object is only the driver&#39;s EAT.
Definition: exceptions.h:159
_EVENT_PROCESS_CREATION_VIOLATION
Event structure for process creation violation events.
Definition: intro_types.h:1610
_ALERT_KM_EXCEPTION
Describes a kernel-mode alert-exception.
Definition: alert_exceptions.h:96
_EVENT_INTEGRITY_VIOLATION
Event structure for integrity violations on monitored structures.
Definition: intro_types.h:1450
Crc32WstringLen
DWORD Crc32WstringLen(const WCHAR *String, DWORD InitialCrc, size_t MaxLength, BOOLEAN *Valid)
Computes the CRC for a NULL-terminated wide char string, but without exceeding a maximum number of ch...
Definition: crc32.c:259
ZONE_LIB_RESOURCES
#define ZONE_LIB_RESOURCES
Used for the resources section (usually .rsrc inside a driver or dll).
Definition: exceptions.h:691
introObjectTypeUmGenericNxZone
User-mode non executable zone.
Definition: intro_types.h:244
introEventDtrViolation
Sent when a DTR violation triggers an alert. See EVENT_DTR_VIOLATION.
Definition: intro_types.h:98
_ALERT_UM_EXCEPTION::CodeBlocks
ALERT_CB_SIGNATURE CodeBlocks
The code-blocks alert-signature, if any.
Definition: alert_exceptions.h:152
umObjProcessThreadContext
The modified object is anything inside the structure CONTEXT (valid only for windows).
Definition: exceptions.h:211
kmExcNameVsyscall
The name is the operating system vsyscall (valid only for Linux).
Definition: exceptions.h:636
introEventCrViolation
Sent when a CR violation triggers an alert. See EVENT_CR_VIOLATION.
Definition: intro_types.h:88
wstrnlen
size_t wstrnlen(const WCHAR *s, size_t maxlen)
Definition: introcrt.c:1064
_INTRO_CODEBLOCKS
Holds code block patterns information.
Definition: intro_types.h:930
EXCEPTION_FLG_READ
The exception is valid only for read violation.
Definition: exceptions.h:595
IntAlertIsEventTypeViolation
BOOLEAN IntAlertIsEventTypeViolation(INTRO_EVENT_TYPE Type)
Definition: alert_exceptions.h:178
ERROR
#define ERROR(fmt,...)
Definition: glue.h:62
umExcNameInvalid
Used to indicate an invalid user-mode exception name.
Definition: exceptions.h:661
_ALERT_CB_SIGNATURE
Definition: alert_exceptions.h:22
kmObjDriverData
The modified object is only the driver&#39;s data sections.
Definition: exceptions.h:161
umExcNameAny
The name can be any string.
Definition: exceptions.h:652
INTSTATUS
int INTSTATUS
The status data type.
Definition: introstatus.h:24
EXCEPTION_FLG_LINUX
The exception is valid only for Linux.
Definition: exceptions.h:593
kmExcNameNone
The name is missing.
Definition: exceptions.h:630
Crc32StringLen
DWORD Crc32StringLen(const char *String, DWORD InitialCrc, size_t MaxLength, BOOLEAN *Valid)
Computes the CRC for a NULL-terminated utf-8 string, but without exceeding a maximum number of charac...
Definition: crc32.c:301
_ALERT_UM_EXCEPTION::Export
ALERT_EXPORT_SIGNATURE Export
The export alert-signature, if any.
Definition: alert_exceptions.h:153
kmObjDriverExports
The modified object is only the driver&#39;s IAT.
Definition: exceptions.h:175
introEventInjectionViolation
Sent for code/data injection alerts. See EVENT_MEMCOPY_VIOLATION.
Definition: intro_types.h:96
ALERT_FLAG_LINUX
#define ALERT_FLAG_LINUX
Definition: intro_types.h:638
ALERT_MAX_CODEBLOCKS
#define ALERT_MAX_CODEBLOCKS
The maximum number of code blocks included in an alert structure.
Definition: intro_types.h:667
_GUEST_STATE::OSType
INTRO_GUEST_TYPE OSType
The type of the guest.
Definition: guests.h:274
ALERT_EXPORT_SIGNATURE_VERSION
#define ALERT_EXPORT_SIGNATURE_VERSION
Definition: alert_exceptions.h:54
EXCEPTION_FLG_WRITE
The exception is valid only for write violation.
Definition: exceptions.h:596
_ALERT_UM_EXCEPTION::Process
DWORD Process
The name-hash of the process in which the modification takes place.
Definition: alert_exceptions.h:146
MIN
#define MIN(a, b)
Definition: introdefs.h:146
IntAlertGetHashForLinuxName
static DWORD IntAlertGetHashForLinuxName(const WCHAR *Originator, const size_t MaxLength)
Compute the crc32-hash for the provided string.
Definition: alert_exceptions.c:17
_ALERT_KUM_EXCEPTION::Flags
DWORD Flags
The flags of the exception; any flags from _EXCEPTION_FLG.
Definition: alert_exceptions.h:125
IntAlertCreateExceptionInEvent
INTSTATUS IntAlertCreateExceptionInEvent(void *Event, INTRO_EVENT_TYPE Type)
This function creates an alert-exception for each alert sent to the integrator.
Definition: alert_exceptions.c:1441
umExcNameNone
The name is missing.
Definition: exceptions.h:657
ALERT_FLAG_KM_UM
#define ALERT_FLAG_KM_UM
If set, the alert was generated by a kernel to user mode violation.
Definition: intro_types.h:649
IntAlertCreateInjectionException
static INTSTATUS IntAlertCreateInjectionException(const EVENT_MEMCOPY_VIOLATION *Event, BOOLEAN LogErrors, void *Exception)
Creates an alert-exception structure from an Injection violation event.
Definition: alert_exceptions.c:901
_ALERT_KM_EXCEPTION::Flags
DWORD Flags
The flags of the exception; any flags from _EXCEPTION_FLG.
Definition: alert_exceptions.h:103
IntAlertCreateExportSignature
static void IntAlertCreateExportSignature(const INTRO_MODULE *Module, const char *FunctionName, DWORD FunctionNameHash, DWORD Delta, DWORD WriteSize, BOOLEAN LinuxEvent, ALERT_EXPORT_SIGNATURE *Signature)
Creates an export alert-signature structure.
Definition: alert_exceptions.c:365
umObjProcess
The modified object is only another process (injection basically).
Definition: exceptions.h:205
IntAlertGetHashForName
static DWORD IntAlertGetHashForName(const WCHAR *Originator, BOOLEAN LinuxGuest, BOOLEAN KernelMode, size_t MaxLength)
Compute the crc32-hash for the provided string.
Definition: alert_exceptions.c:121
_ALERT_UM_EXCEPTION
Describes a user-mode alert-exception.
Definition: alert_exceptions.h:140
_ALERT_UM_EXCEPTION::Originator
DWORD Originator
The name-hash of the originator.
Definition: alert_exceptions.h:144
introObjectTypeTokenPrivs
Token privileges.
Definition: intro_types.h:263
IntAlertCreateProcessCreationSignature
static void IntAlertCreateProcessCreationSignature(DWORD PcType, BOOLEAN LinuxAlert, ALERT_PROCESS_CREATION_SIGNATURE *Signature)
Creates a process-creation alert-signature structure.
Definition: alert_exceptions.c:303
_Inout_
#define _Inout_
Definition: intro_sal.h:20
EXCEPTION_KM_FLG_SMEP
The exception is valid only for CR4.SMEP write.
Definition: exceptions.h:606
ZONE_LIB_CODE
#define ZONE_LIB_CODE
Used for a generic code zone.
Definition: exceptions.h:688
INITIAL_CRC_VALUE
#define INITIAL_CRC_VALUE
Definition: introdefs.h:221
_ALERT_PROCESS_CREATION_SIGNATURE
Describe a process-creation alert-signature.
Definition: alert_exceptions.h:78
introGuestLinux
Linux.
Definition: intro_types.h:1881
EXCEPTION_KM_FLG_SMAP
The exception is valid only for CR4.SMAP write.
Definition: exceptions.h:605
_ALERT_KM_EXCEPTION::Originator
DWORD Originator
The name-hash of the originator.
Definition: alert_exceptions.h:100
_EVENT_MSR_VIOLATION
Event structure for MSR violation.
Definition: intro_types.h:1198
memCopyViolationQueueApcThread
This represents an attempt to queue an APC into the victim process.
Definition: intro_types.h:1302
EXCEPTION_FLG_EXECUTE
The exception is valid only for execute violation.
Definition: exceptions.h:597
_GUEST_STATE::Guest64
BOOLEAN Guest64
True if this is a 64-bit guest, False if it is a 32-bit guest.
Definition: guests.h:286
kmObjDriverCode
The modified object is only the driver&#39;s code sections.
Definition: exceptions.h:160
_INTRO_ALERT_EXCEPTION_HEADER
The common header used by exception information.
Definition: intro_types.h:1061
_ALERT_IDT_SIGNATURE
Describes an idt alert-signature.
Definition: alert_exceptions.h:42
kmExcNameKernel
The name is the operating system kernel name.
Definition: exceptions.h:628
_ALERT_KUM_EXCEPTION
Describes a kernel-mode alert-exception.
Definition: alert_exceptions.h:117
SIGNATURE_FLG_32
The signature is valid only on 32 bit systems/processes.
Definition: exceptions.h:670
_EVENT_MODULE_LOAD_VIOLATION
Event structure for suspicious module load into processes.
Definition: intro_types.h:1675
_ALERT_UM_EXCEPTION::Flags
DWORD Flags
The flags of the exception; any flags from _EXCEPTION_FLG.
Definition: alert_exceptions.h:148
introEventModuleLoadViolation
Sent for suspicious module loads alerts. See EVENT_MODULE_LOAD_VIOLATION.
Definition: intro_types.h:117
introObjectTypeIdtr
IDTR.
Definition: intro_types.h:257
TRUE
#define TRUE
Definition: intro_types.h:30
IntAlertCreateProcessCreationException
static INTSTATUS IntAlertCreateProcessCreationException(const EVENT_PROCESS_CREATION_VIOLATION *Event, BOOLEAN LogErrors, void *Exception)
Creates an alert-exception structure from an process-creation violation event.
Definition: alert_exceptions.c:1001
introObjectTypeSharedUserData
Executions inside the SharedUserData region.
Definition: intro_types.h:264
kmObjSsdt
The modified object is SSDT (valid only on windows x86).
Definition: exceptions.h:163
_INTRO_ALERT_EXCEPTION_HEADER::Version
WORD Version
The version of the exception information.
Definition: intro_types.h:1063
_EVENT_MEMCOPY_VIOLATION
Memory access violations that cross a process boundary.
Definition: intro_types.h:1312
WARNING
#define WARNING(fmt,...)
Definition: glue.h:60
ZONE_LIB_EXPORTS
#define ZONE_LIB_EXPORTS
Used for the exports of a dll, driver, etc.
Definition: exceptions.h:687
kumObjModuleExports
The modified object is inside the process module&#39;s EAT.
Definition: exceptions.h:192
_EVENT_DTR_VIOLATION
Event structure for GDTR/IDTR descriptor tables modifications.
Definition: intro_types.h:1490
kmObjTokenPrivs
The modified object is the privileges field inside the nt!_TOKEN structure.
Definition: exceptions.h:176
introEventEptViolation
Sent when an EPT violation triggers an alert. See EVENT_EPT_VIOLATION.
Definition: intro_types.h:84
kmObjCr4
The modified object is SMEP and/or SMAP bits of CR4.
Definition: exceptions.h:167
ALERT_FLAG_NOT_RING0
#define ALERT_FLAG_NOT_RING0
If set, the alert was triggered in ring 1, 2 or 3.
Definition: intro_types.h:636
umObjModuleImports
The modified object is inside the process module&#39;s IAT.
Definition: exceptions.h:207
Crc32Wstring
DWORD Crc32Wstring(const WCHAR *String, DWORD InitialCrc)
Computes the CRC for a NULL-terminated wide char string.
Definition: crc32.c:226
UNREFERENCED_PARAMETER
#define UNREFERENCED_PARAMETER(P)
Definition: introdefs.h:29
kmObjIdtr
The modified object is IDTR.
Definition: exceptions.h:171
kumObjModuleImports
The modified object is inside the process module&#39;s IAT.
Definition: exceptions.h:191
ALERT_CB_SIGNATURE_VERSION
#define ALERT_CB_SIGNATURE_VERSION
Definition: alert_exceptions.h:19
WCHAR
uint16_t WCHAR
Definition: intro_types.h:63
DWORD
uint32_t DWORD
Definition: intro_types.h:49
ALERT_KM_EXCEPTION_VERSION
#define ALERT_KM_EXCEPTION_VERSION
Definition: alert_exceptions.h:91
_INTRO_VIOLATION_HEADER
Common violation header.
Definition: intro_types.h:1078
EXCEPTION_KM_FLG_INTEGRITY
The exception is valid only for integrity zone.
Definition: exceptions.h:608
kmObjFastIo
The modified object is anything inside the driver&#39;s fast IO dispatch table.
Definition: exceptions.h:165
introObjectTypeUmModule
User-mode library.
Definition: intro_types.h:245
kmExcNameVdso
The name is the operating system vdso (valid only for Linux).
Definition: exceptions.h:635
ALERT_HASH_COUNT
#define ALERT_HASH_COUNT
Definition: alert_exceptions.h:17
umObjSharedUserData
Signals an execution inside SharedUserData.
Definition: exceptions.h:221
MAX
#define MAX(a, b)
Definition: introdefs.h:151
IntAlertCreateMsrException
static INTSTATUS IntAlertCreateMsrException(const EVENT_MSR_VIOLATION *Event, BOOLEAN LogErrors, void *Exception)
Creates an alert-exception structure from an MSR violation event.
Definition: alert_exceptions.c:778
ZONE_LIB_DATA
#define ZONE_LIB_DATA
Definition: exceptions.h:689
gGuest
GUEST_STATE gGuest
The current guest state.
Definition: guests.c:48
_ALERT_UM_EXCEPTION::ProcessCreation
ALERT_PROCESS_CREATION_SIGNATURE ProcessCreation
The process-creation alert-signature, if any.
Definition: alert_exceptions.h:154
_ALERT_KUM_EXCEPTION::Type
KUM_EXCEPTION_OBJECT Type
The type of the exception; any type from _KUM_EXCEPTION_OBJECT.
Definition: alert_exceptions.h:127
kmObjIdt
The modified object is any IDT entry.
Definition: exceptions.h:170
IntAlertCreateCrException
static INTSTATUS IntAlertCreateCrException(const EVENT_CR_VIOLATION *Event, BOOLEAN LogErrors, void *Exception)
Creates an alert-exception structure from an CR violation event.
Definition: alert_exceptions.c:839
SIGNATURE_FLG_LINUX
The signature is valid only on Linux.
Definition: exceptions.h:678
IntAlertCreateCbSignature
static void IntAlertCreateCbSignature(const INTRO_CODEBLOCKS *CodeBlocks, BOOLEAN LinuxAlert, BOOLEAN ExecAlert, ALERT_CB_SIGNATURE *Signature)
Creates an alert-signature structure.
Definition: alert_exceptions.c:204
umObjModule
The modified object is inside the process modules.
Definition: exceptions.h:206
introObjectTypeSsdt
SSDT (Windows only)
Definition: intro_types.h:232
_ALERT_UM_EXCEPTION::Victim
DWORD Victim
The name-hash of the victim.
Definition: alert_exceptions.h:145
CWSTRLEN
#define CWSTRLEN(Wstring)
Definition: introdefs.h:104
_ALERT_KUM_EXCEPTION::Process
DWORD Process
The name-hash of the process.
Definition: alert_exceptions.h:123
ALERT_PROCESS_CREATION_SIGNATURE_VERSION
#define ALERT_PROCESS_CREATION_SIGNATURE_VERSION
Definition: alert_exceptions.h:73
introObjectTypeVsyscall
Virtual SYSCALL (user-mode, Linux-only)
Definition: intro_types.h:254
introObjectTypeGdtr
GDTR.
Definition: intro_types.h:258
wstrcasecmp
int wstrcasecmp(const WCHAR *buf1, const WCHAR *buf2)
Definition: introcrt.c:98
_ALERT_KUM_EXCEPTION::Victim
DWORD Victim
The name-hash of the victim.
Definition: alert_exceptions.h:122
kmObjGdtr
The modified object is WMI_LOGGER_CONTEXT.GetCpuClock used by InfinityHook (valid only on windows)...
Definition: exceptions.h:172
IntAlertCreateIdtSignature
static void IntAlertCreateIdtSignature(const BYTE Entry, BOOLEAN LinuxAlert, ALERT_IDT_SIGNATURE *Signature)
Creates a IDT alert-signature structure.
Definition: alert_exceptions.c:334
IntAlertCreateIntegrityException
static INTSTATUS IntAlertCreateIntegrityException(const EVENT_INTEGRITY_VIOLATION *Event, BOOLEAN LogErrors, void *Exception)
Creates an alert-exception structure from an integrity violation event.
Definition: alert_exceptions.c:1146
IntAlertCreateDtrException
static INTSTATUS IntAlertCreateDtrException(const EVENT_DTR_VIOLATION *Event, BOOLEAN LogErrors, void *Exception)
Creates an alert-exception structure from an process-creation violation event.
Definition: alert_exceptions.c:1281
_ALERT_KM_EXCEPTION::Victim
DWORD Victim
The name-hash of the victim.
Definition: alert_exceptions.h:101
introObjectTypeVdso
Virtual dynamic shared object (user-mode, Linux-only)
Definition: intro_types.h:253
INT_STATUS_NOT_SUPPORTED
#define INT_STATUS_NOT_SUPPORTED
Definition: introstatus.h:287
ALERT_UM_EXCEPTION_VERSION
#define ALERT_UM_EXCEPTION_VERSION
Definition: alert_exceptions.h:135
wstrncasecmp_len
static int wstrncasecmp_len(const WCHAR *buf1, const WCHAR *buf2, size_t len_buf1, size_t len_buf2)
Definition: introcrt.h:221
INTRO_EVENT_TYPE
enum _INTRO_EVENT_TYPE INTRO_EVENT_TYPE
Event classes.
introEventIntegrityViolation
Sent for integrity violation alerts. See EVENT_INTEGRITY_VIOLATION.
Definition: intro_types.h:92
Crc32String
DWORD Crc32String(const char *String, DWORD InitialCrc)
Computes the CRC for a NULL-terminated utf-8 string.
Definition: crc32.c:200
umObjProcessApcThread
The modified object is the thread which was performed an asynchronous procedure call on...
Definition: exceptions.h:215
alert_exceptions.h
ZONE_LIB_IMPORTS
#define ZONE_LIB_IMPORTS
Used for the imports of a dll, driver, etc.
Definition: exceptions.h:686
_EVENT_EPT_VIOLATION
Event structure for EPT violations.
Definition: intro_types.h:1104
introEventMsrViolation
Sent when a MSR violation triggers an alert.See EVENT_MSR_VIOLATION.
Definition: intro_types.h:86
IG_EPT_HOOK_EXECUTE
Execute-access hook.
Definition: glueiface.h:300
EXCEPTION_FLG_32
The exception is valid only on 32 bit systems/process.
Definition: exceptions.h:586
_ALERT_KM_EXCEPTION::CodeBlocks
ALERT_CB_SIGNATURE CodeBlocks
The code-blocks alert-signature, if any.
Definition: alert_exceptions.h:107
kmObjDrvObj
The modified object is anything inside the driver object.
Definition: exceptions.h:164
CHAR
char CHAR
Definition: intro_types.h:56
kmExcNameInvalid
Used to indicate an invalid kernel-mode exception name.
Definition: exceptions.h:642
_INTRO_MODULE
Describes a user-mode or kernel-mode module.
Definition: intro_types.h:839
memCopyViolationRead
This represents a read done from another process.
Definition: intro_types.h:1296
kmObjDriverResources
The modified object is only the driver&#39;s resources sections.
Definition: exceptions.h:162
_ALERT_KUM_EXCEPTION::CodeBlocks
ALERT_CB_SIGNATURE CodeBlocks
The code-blocks alert-signature, if any.
Definition: alert_exceptions.h:129
IntAlertGetEptExceptionFlags
static DWORD IntAlertGetEptExceptionFlags(const EVENT_EPT_VIOLATION *Event)
Get the flags for an exception based on the information from the provided event.
Definition: alert_exceptions.c:165
kmExcNameHal
The name is the operating system HAL name (valid only for windows).
Definition: exceptions.h:629
UtilQuickSort
void UtilQuickSort(void *Array, const DWORD NumberOfElements, const BYTE ElementSize)
Definition: utils.c:267
umObjProcessCreationDpi
The process object creates another process using DPI flags.
Definition: exceptions.h:220
umObjNxZone
The object that has a NX zone is executed.
Definition: exceptions.h:208
IntAlertCreateModuleLoadException
static INTSTATUS IntAlertCreateModuleLoadException(const EVENT_MODULE_LOAD_VIOLATION *Event, BOOLEAN LogErrors, void *Exception)
Creates an alert-exception structure from an module-load violation event.
Definition: alert_exceptions.c:1075
kmObjMsr
The modified object is a MSR.
Definition: exceptions.h:166
INT_STATUS_INVALID_DATA_SIZE
#define INT_STATUS_INVALID_DATA_SIZE
Definition: introstatus.h:142
ALERT_KUM_EXCEPTION_VERSION
#define ALERT_KUM_EXCEPTION_VERSION
Definition: alert_exceptions.h:112
introObjectTypeIdt
IDT.
Definition: intro_types.h:236
IntAlertCreateException
INTSTATUS IntAlertCreateException(const void *Event, INTRO_EVENT_TYPE Type, BOOLEAN LogErrors, void *Exception)
This function will dispatch the exception creation to the appropriate function, depending on the even...
Definition: alert_exceptions.c:1358
_ALERT_KUM_EXCEPTION::Originator
DWORD Originator
The name-hash of the originator.
Definition: alert_exceptions.h:121
FALSE
#define FALSE
Definition: intro_types.h:34
IntAlertCreateEptException
static INTSTATUS IntAlertCreateEptException(const EVENT_EPT_VIOLATION *Event, BOOLEAN LogErrors, void *Exception)
Creates an alert-exception structure from an EPT violation event.
Definition: alert_exceptions.c:428
kumObjModule
The modified object is inside the process modules.
Definition: exceptions.h:190