Bitdefender Hypervisor Memory Introspection
Exposes the types and constants used by various Introcore APIs defined in glueiface.h. More...
#include "env.h"
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include "intro_sal.h"
Data Structures | |
struct | _INTRO_TOKEN_PRIVILEGES |
Windows process token privileges. More... | |
struct | _INTRO_WIN_SID |
A security identifier. More... | |
struct | _INTRO_SID_ATTRIBUTES |
Windows SID attributes. More... | |
struct | _INTRO_WIN_TOKEN |
A Windows token structure as reported by Introcore alerts. More... | |
union | _INTRO_TOKEN |
Contains privileges and security identifiers information. More... | |
struct | _INTRO_PROCESS |
Describes a guest process. More... | |
struct | _INTRO_MODULE |
Describes a user-mode or kernel-mode module. More... | |
struct | _INTRO_DRVOBJ |
Describes a driver object. More... | |
struct | _INTRO_CPUCTX |
Holds the CPU context for an event. More... | |
struct | _INTRO_WRITE_INFO |
Holds information about a memory write attempt. More... | |
struct | _INTRO_READ_INFO |
Holds information about a memory read attempt. More... | |
struct | _INTRO_EXEC_INFO |
Holds information about an execution attempt. More... | |
struct | _INTRO_CODEBLOCKS |
Holds code block patterns information. More... | |
struct | _INTRO_CODEBLOCKS::_INTRO_CODE_BLOCK |
Array of actual code block patterns. More... | |
struct | _INTRO_VERSION_INFO |
Holds version information for Introcore and the currently loaded exceptions and CAMI files. More... | |
struct | _INTRO_GPRS |
Holds register state information. More... | |
struct | _INTRO_EXEC_CONTEXT |
Holds the context in which an execution attempt was detected. More... | |
struct | _INTRO_EXEC_DATA |
Holds the data related to an execution attempt. More... | |
struct | _INTRO_ALERT_EXCEPTION_HEADER |
The common header used by exception information. More... | |
struct | _INTRO_VIOLATION_HEADER |
Common violation header. More... | |
struct | _EVENT_EPT_VIOLATION |
Event structure for EPT violations. More... | |
struct | _EVENT_MSR_VIOLATION |
Event structure for MSR violation. More... | |
struct | _EVENT_CR_VIOLATION |
Event structure for CR violation. More... | |
struct | _EVENT_XCR_VIOLATION |
Event structure for XCR violation. More... | |
struct | _EVENT_MEMCOPY_VIOLATION |
Memory access violations that cross a process boundary. More... | |
struct | _EVENT_TRANSLATION_VIOLATION |
Event structure for illegal paging-structures modifications. More... | |
struct | _EVENT_INTEGRITY_VIOLATION |
Event structure for integrity violations on monitored structures. More... | |
struct | _EVENT_DTR_VIOLATION |
Event structure for GDTR/IDTR descriptor tables modifications. More... | |
union | _INTRO_DPI_EXTRA_INFO |
Structure for keeping the relevant DPI violation information. More... | |
struct | _EVENT_PROCESS_CREATION_VIOLATION |
Event structure for process creation violation events. More... | |
struct | _EVENT_MODULE_LOAD_VIOLATION |
Event structure for suspicious module load into processes. More... | |
struct | _EVENT_ENGINES_DETECTION_VIOLATION |
Event structure for detections provided by additional scan engines. More... | |
struct | _EVENT_INTROSPECTION_MESSAGE |
Event structure for plain data/message passing. More... | |
struct | _EVENT_PROCESS_EVENT |
Event structure for process creation/termination. More... | |
struct | _EVENT_MODULE_EVENT |
Event structure for module loading and unloading. More... | |
struct | _EVENT_CRASH_EVENT |
Event structure for guest OS crashes. More... | |
struct | _EVENT_EXCEPTION_EVENT |
Event structure for process exceptions. More... | |
struct | _EVENT_CONNECTION_EVENT |
Event structure for connections. More... | |
struct | _ENG_NOTIFICATION_HEADER |
Notification header for scan engines alerts. More... | |
struct | _ENG_NOTIFICATION_CODE_EXEC |
Execution notification for scan engines. More... | |
struct | _ENG_NOTIFICATION_CMD_LINE |
Command line notification for scan engines. More... | |
struct | _AGENT_REM_EVENT_HEADER |
Common header for all remediation tool events. More... | |
struct | _AGENT_REM_EVENT |
A remediation tool event. More... | |
struct | _AGENT_LGT_EVENT_HEADER |
Common header for all log gather tool events. More... | |
struct | _AGENT_LGT_EVENT |
Describes an event sent by the log gathering tool. More... | |
struct | _EVENT_AGENT_EVENT |
Event structure for agent injection and termination. More... | |
struct | _GUEST_INFO |
Guest information. More... | |
union | _INT_VERSION_INFO |
Introspection version info. More... | |
union | _INTRO_ERROR_CONTEXT |
The context of an error state. More... | |
Macros | |
#define | TRUE true |
#define | FALSE false |
#define | PROC_OPT_NONE 0x00000000 |
No protection policy. The process is not protected. More... | |
#define | PROC_OPT_PROT_CORE_HOOKS 0x00000004 |
Blocks hooks being set on core user-mode DLLs. More... | |
#define | PROC_OPT_PROT_UNPACK 0x00000008 |
Identifies unpacking/decryption attempts in the main executable. More... | |
#define | PROC_OPT_PROT_WRITE_MEM 0x00000010 |
Blocks foreign write inside the target process. More... | |
#define | PROC_OPT_PROT_WSOCK_HOOKS 0x00000020 |
Blocks hooks being set on Wininet user-mode DLLs (Windows only). More... | |
#define | PROC_OPT_PROT_EXPLOIT 0x00000040 |
Blocks malicious execution attempts. More... | |
#define | PROC_OPT_PROT_SET_THREAD_CTX 0x00000080 |
Blocks thread hijacking attempts inside the target process (Windows only). More... | |
#define | PROC_OPT_PROT_PTRACE 0x00000080 |
Blocks thread hijacking attempts inside the target process (Linux only). More... | |
#define | PROC_OPT_PROT_QUEUE_APC 0x00000100 |
Blocks APC queuing inside the target process (Windows only). More... | |
#define | PROC_OPT_PROT_PREVENT_CHILD_CREATION 0x00000200 |
Prevent the process from creating child processes (other than instances of itself). More... | |
#define | PROC_OPT_PROT_DOUBLE_AGENT 0x00000400 |
Blocks double agent attacks (malicious DLL loading) (Windows only). More... | |
#define | PROC_OPT_PROT_SCAN_CMD_LINE 0x00000800 |
Uses third party engines to scan the command line of a process. More... | |
#define | PROC_OPT_REMEDIATE 0x20000000 |
Any event inside the process will trigger the injection of the remediation tool. More... | |
#define | PROC_OPT_KILL_ON_EXPLOIT 0x40000000 |
#define | PROC_OPT_BETA 0x80000000 |
Process is monitored, but in log-only mode so no actions will be blocked. More... | |
#define | PROC_OPT_PROT_INJECTION |
Aggregates all the flags that will generate introEventInjectionViolation events. More... | |
#define | PROC_OPT_PROT_ALL |
Aggregates all the process protection flags. More... | |
#define | INTRO_OPT_PROT_KM_NT 0x0000000000000001ull |
Enable kernel image protection (Windows only). More... | |
#define | INTRO_OPT_PROT_KM_LX 0x0000000000000001ull |
Enable kernel image protection (Linux only). More... | |
#define | INTRO_OPT_PROT_KM_HAL 0x0000000000000002ull |
Enable HAL protection (Windows only). More... | |
#define | INTRO_OPT_PROT_KM_SSDT 0x0000000000000004ull |
Enable SSDT protection (Windows only). More... | |
#define | INTRO_OPT_PROT_KM_IDT 0x0000000000000008ull |
#define | INTRO_OPT_PROT_KM_HAL_DISP_TABLE 0x0000000000000010ull |
Enable HDT (Hal Dispatch Table) protection (Windows only). More... | |
#define | INTRO_OPT_PROT_KM_SYSTEM_CR3 0x0000000000000020ull |
Enable System process PDBR protection. More... | |
#define | INTRO_OPT_PROT_KM_TOKEN_PTR 0x0000000000000040ull |
Enable process token protection (Windows only). More... | |
#define | INTRO_OPT_PROT_KM_CREDS 0x0000000000000040ull |
#define | INTRO_OPT_PROT_KM_NT_DRIVERS 0x0000000000000080ull |
Enable core NT drivers protection (Windows only). More... | |
#define | INTRO_OPT_PROT_KM_LX_MODULES 0x0000000000000080ull |
Enable Linux kernel modules protection (Linux only). More... | |
#define | INTRO_OPT_PROT_KM_AV_DRIVERS 0x0000000000000100ull |
Enable AV drivers protection (Windows only). More... | |
#define | INTRO_OPT_PROT_KM_XEN_DRIVERS 0x0000000000000200ull |
#define | INTRO_OPT_PROT_KM_DRVOBJ 0x0000000000000400ull |
Enable driver object & fast I/O dispatch protection. More... | |
#define | INTRO_OPT_PROT_KM_CR4 0x0000000000000800ull |
Enable CR4.SMEP and CR4.SMAP protection. More... | |
#define | INTRO_OPT_PROT_KM_MSR_SYSCALL 0x0000000000001000ull |
#define | INTRO_OPT_PROT_KM_IDTR 0x0000000000002000ull |
Enable interrupt descriptor-table registers protection. More... | |
#define | INTRO_OPT_PROT_KM_HAL_HEAP_EXEC 0x0000000000004000ull |
Enable execution prevention on the Hal Heap when it is not ASLR'd (Windows only). More... | |
#define | INTRO_OPT_PROT_KM_HAL_INT_CTRL 0x0000000000008000ull |
Enable Hal Interrupt Controller write protection. More... | |
#define | INTRO_OPT_PROT_UM_MISC_PROCS 0x0000000000010000ull |
#define | INTRO_OPT_PROT_UM_SYS_PROCS 0x0000000000020000ull |
Enable user-mode system processes protection (injection only). More... | |
#define | INTRO_OPT_PROT_KM_SELF_MAP_ENTRY 0x0000000000040000ull |
#define | INTRO_OPT_PROT_KM_GDTR 0x0000000000080000ull |
Enable global descriptor-table registers protection. More... | |
#define | INTRO_OPT_EVENT_PROCESSES 0x0000000000100000ull |
Enable process creation and termination events (generates introEventProcessEvent events). More... | |
#define | INTRO_OPT_EVENT_MODULES 0x0000000000200000ull |
Enable user mode and kernel mode module load and unload events (generates introEventModuleEvent events). More... | |
#define | INTRO_OPT_EVENT_OS_CRASH 0x0000000000400000ull |
Enable OS crash events (generates introEventCrashEvent events). More... | |
#define | INTRO_OPT_EVENT_PROCESS_CRASH 0x0000000000800000ull |
Enable application crash events (generates introEventExceptionEvent). More... | |
#define | INTRO_OPT_AGENT_INJECTION 0x0000000001000000ull |
Enable agent injections. More... | |
#define | INTRO_OPT_FULL_PATH 0x0000000002000000ull |
Enable full-path protection of processes. More... | |
#define | INTRO_OPT_KM_BETA_DETECTIONS 0x0000000004000000ull |
#define | INTRO_OPT_NOTIFY_ENGINES 0x0000000008000000ull |
Send suspicious pages to be scanned by third party scan engines. More... | |
#define | INTRO_OPT_IN_GUEST_PT_FILTER 0x0000000010000000ull |
Enable in-guest page-table filtering (64-bit Windows only). More... | |
#define | INTRO_OPT_BUGCHECK_CLEANUP 0x0000000020000000ull |
Enable memory cleanup after an OS crash (Windows). More... | |
#define | INTRO_OPT_PANIC_CLEANUP 0x0000000020000000ull |
Enable memory cleanup after an OS crash (Linux). More... | |
#define | INTRO_OPT_SYSPROC_BETA_DETECTIONS 0x0000000040000000ull |
Enable system processes beta (log only) detection. More... | |
#define | INTRO_OPT_VE 0x0000000080000000ull |
Enable the Virtualization exception page table access pre-filtering agent (64-bit Windows only). More... | |
#define | INTRO_OPT_EVENT_CONNECTIONS 0x0000000100000000ull |
Enable connection events. More... | |
#define | INTRO_OPT_PROT_KM_LOGGER_CONTEXT 0x0000000200000000ull |
Enable protection on WMI_LOGGER_CONTEXT.GetCpuClock used by InfinityHook (Windows only). More... | |
#define | INTRO_OPT_PROT_DPI_DEBUG 0x0000000400000000ull |
Enable process creation protection for child processes created with debug flag. More... | |
#define | INTRO_OPT_PROT_DPI_STACK_PIVOT 0x0000000800000000ull |
Enable process creation protection for pivoted stack. More... | |
#define | INTRO_OPT_PROT_DPI_TOKEN_STEAL 0x0000001000000000ull |
Enable process creation protection for stolen token. More... | |
#define | INTRO_OPT_PROT_DPI_HEAP_SPRAY 0x0000002000000000ull |
Enable process creation protection for heap sprayed parent. More... | |
#define | INTRO_OPT_PROT_KM_NT_EAT_READS 0x0000004000000000ull |
Enable kernel EAT read protection (Windows only). More... | |
#define | INTRO_OPT_PROT_KM_LX_TEXT_READS 0x0000008000000000ull |
Enable kernel '_text' section read protection (Linux only). More... | |
#define | INTRO_OPT_PROT_KM_VDSO 0x0000010000000000ull |
Enable vDSO image protection (Linux only). More... | |
#define | INTRO_OPT_PROT_KM_SWAPGS 0x0000020000000000ull |
Enable SWAPGS (CVE-2019-1125) mitigation. More... | |
#define | INTRO_OPT_PROT_KM_TOKEN_PRIVS 0x0000040000000000ull |
Enable protection over Token Privileges bitmaps. More... | |
#define | INTRO_OPT_PROT_DPI_TOKEN_PRIVS 0x0000080000000000ull |
Enable process creation protection for parent which has violated Token privileges constraints. More... | |
#define | INTRO_OPT_PROT_DPI_THREAD_SHELL 0x0000100000000000ull |
Examines the code where the current thread started execution when the current thread creates a process. More... | |
#define | INTRO_OPT_PROT_KM_SUD_EXEC 0x0000200000000000ull |
Enable protection against executions on SharedUserData. More... | |
#define | INTRO_OPT_PROT_DPI |
Aggregates all the deep process inspection flags. More... | |
#define | INTRO_OPT_ENABLE_KM_PROTECTION |
Aggregates all the kernel mode protection flags. More... | |
#define | INTRO_OPT_ENABLE_UM_PROTECTION |
Aggregates all the user mode protection flags. More... | |
#define | INTRO_OPT_ENABLE_AV_PROTECTION (INTRO_OPT_PROT_KM_AV_DRIVERS) |
Aggregates all the AV protection flags. More... | |
#define | INTRO_OPT_ENABLE_CR_PROTECTION (INTRO_OPT_PROT_KM_CR4) |
Aggregates all the control register protection flags. More... | |
#define | INTRO_OPT_ENABLE_MSR_PROTECTION (INTRO_OPT_PROT_KM_MSR_SYSCALL) |
Aggregates all the MSR protection flags. More... | |
#define | INTRO_OPT_ENABLE_INTEGRITY_CHECKS |
Aggregates all the integrity protection flags. More... | |
#define | INTRO_OPT_ENABLE_DTR_PROTECTION |
Aggregates all the descriptor table register protection flags. More... | |
#define | INTRO_OPT_ENABLE_KM_BETA_DETECTIONS (INTRO_OPT_KM_BETA_DETECTIONS) |
Aggregates all the kernel log-only detection flags. More... | |
#define | INTRO_OPT_ENABLE_FULL_PATH (INTRO_OPT_FULL_PATH) |
Aggregates all the full path protection flags. More... | |
#define | INTRO_OPT_ENABLE_XEN_PROTECTION (INTRO_OPT_PROT_KM_XEN_DRIVERS) |
Aggregates all the XEN-related protection flags. More... | |
#define | INTRO_OPT_ENABLE_MANUAL_AGENT_INJ (INTRO_OPT_AGENT_INJECTION) |
Aggregates all the agent injection flags. More... | |
#define | INTRO_OPT_ENABLE_MISC_EVENTS |
Aggregates all the miscellaneous protection flags. More... | |
#define | INTRO_OPT_DYNAMIC_OPTIONS_MASK (0xffffffffffffffff) |
All the flags that can be modified without unloading Introcore. More... | |
#define | INTRO_OPT_DEFAULT_OPTIONS |
Aggregates all the default options. More... | |
#define | INTRO_OPT_DEFAULT_XEN_OPTIONS |
Aggregates all the default XEN options. More... | |
#define | INTRO_OPT_ONLY_KERNEL |
Aggregates all the kernel-only protection and activation flags. More... | |
#define | POLICY_KM_BETA_FLAGS |
Aggregates all the flags that are affected by the INTRO_OPT_ENABLE_KM_BETA_DETECTIONS flag. More... | |
#define | ALERT_FLAG_BETA 0x0000000000000001 |
If set, the alert is a BETA alert. No action was taken. More... | |
#define | ALERT_FLAG_ANTIVIRUS 0x0000000000000002 |
If set, the alert is on anti virus object. More... | |
#define | ALERT_FLAG_SYSPROC 0x0000000000000004 |
If set, the alert is on system process. More... | |
#define | ALERT_FLAG_NOT_RING0 0x0000000000000008 |
If set, the alert was triggered in ring 1, 2 or 3. More... | |
#define | ALERT_FLAG_ASYNC 0x0000000000000010 |
If set, the alert was generated in an async manner. More... | |
#define | ALERT_FLAG_LINUX 0x0000000000000020 |
#define | ALERT_FLAG_FROM_ENGINES 0x0000000000000040 |
If set, the alert was generated due to a third party scan engines detection. More... | |
#define | ALERT_FLAG_FEEDBACK_ONLY 0x0000000000000080 |
If set, the alert is a feedback only alert. More... | |
#define | ALERT_FLAG_DEP_VIOLATION 0x0000000000000100 |
If set, the alert was generated by a DEP violation. More... | |
#define | ALERT_FLAG_PROTECTED_VIEW 0x0000000000000200 |
#define | ALERT_FLAG_KM_UM 0x0000000000000400 |
If set, the alert was generated by a kernel to user mode violation. More... | |
#define | ALERT_PATH_MAX_LEN 260u |
The maximum size of a path inside an alert structure. More... | |
#define | ALERT_IMAGE_NAME_LEN 16u |
#define | ALERT_MAX_MESSAGE_SIZE 256u |
The maximum size of an Introcore message inside EVENT_INTROSPECTION_MESSAGE. More... | |
#define | ALERT_MAX_INSTRUX_LEN 128u |
#define | ALERT_MAX_SECTION_NAME_LEN 8u |
The maximum size of an executable section name inside an alert structure. More... | |
#define | ALERT_MAX_FUNCTIONS 4u |
The maximum number of functions included in an alert structure. More... | |
#define | ALERT_MAX_FUNCTION_NAME_LEN 32u |
The maximum size of a function name inside an alert structure. More... | |
#define | ALERT_MAX_INJ_DUMP_SIZE 512u |
The maximum size of an injection buffer inside an alert structure. More... | |
#define | ALERT_MAX_CODEBLOCKS 64u |
The maximum number of code blocks included in an alert structure. More... | |
#define | ALERT_CMDLINE_MAX_LEN 512u |
The maximum size of a command line included in an alert structure. More... | |
#define | ALERT_EXCEPTION_SIZE 255u |
#define | ALERT_MAX_DETECTION_NAME 128u |
The maximum size of a detection name as given by a third party scan engine. More... | |
#define | ALERT_MAX_ENGINES_VERSION 32u |
The maximum size of the third party scan engines version. More... | |
#define | VICTIM_PROCESS_CREDENTIALS u"Process Credentials" |
Printable name used for introObjectTypeCreds objects. More... | |
#define | VICTIM_DRIVER_OBJECT u"Driver Object" |
Printable name used for introObjectTypeDriverObject objects. More... | |
#define | VICTIM_HAL_DISPATCH_TABLE u"HalDispatchTable" |
Printable name used for introObjectTypeHalDispatchTable objects. More... | |
#define | VICTIM_IDT u"IDT" |
Printable name used for introObjectTypeIdt. More... | |
#define | VICTIM_CIRCULAR_KERNEL_CTX_LOGGER u"Circular Kernel Context Logger" |
Printable name used for introObjectTypeKmLoggerContext objects. More... | |
#define | VICTIM_PROCESS_TOKEN u"Process Token" |
Printable name used for introObjectTypeTokenPtr objects. More... | |
#define | VICTIM_TOKEN_PRIVILEGES u"Token privileges" |
Printable name used for introObjectTypeTokenPrivs objects. More... | |
#define | INTRO_VIOLATION_VERSION 1 |
Violation header version. More... | |
#define | INTRO_WIN_SID_MAX_SUB_AUTHORITIES 15 |
The maximum number of sub authorities contained in a SID. More... | |
#define | INTRO_WIN_SID_MAX_SIZE (sizeof(INTRO_WIN_SID) - sizeof(DWORD) + (INTRO_WIN_SID_MAX_SUB_AUTHORITIES * sizeof(DWORD))) |
The maximum size of a INTRO_WIN_SID structure. More... | |
#define | INTRO_SIDS_MAX_COUNT 4 |
The maximum SID count included in an alert. More... | |
#define | AGENT_HCALL_REM_TOOL 100 |
Used by the remediation tool. More... | |
#define | AGENT_HCALL_GATHER_TOOL 500 |
Log gathering tool. More... | |
#define | AGENT_HCALL_KILLER_TOOL 600 |
Agent killer tool. More... | |
#define | AGENT_HCALL_INTERNAL 753200 |
Reserved for internal use. More... | |
#define | REM_MAX_OBJECT_PATH_LEN 512 |
The maximum object path size in bytes, including the NULL terminator. More... | |
#define | REM_MAX_DETECTION_LEN 128 |
The maximum detection name size in bytes, including the NULL terminator. More... | |
#define | REM_EVENT_VERSION 0x00010000 |
Remediation event version. More... | |
#define | REM_EVENT_SIZE sizeof(AGENT_REM_EVENT) |
Remediation event size. More... | |
#define | LGT_MAX_DATA_SIZE 4096 |
The maximum size of a log gather tool data chunk. More... | |
#define | LGT_EVENT_VERSION 0x00010000 |
Log gather agent event version. More... | |
#define | LGT_EVENT_SIZE sizeof(AGENT_LGT_EVENT) |
Log gather agent event size. More... | |
Typedefs | |
typedef uint8_t | UINT8 |
typedef uint8_t * | PUINT8 |
typedef uint16_t | UINT16 |
typedef uint16_t * | PUINT16 |
typedef uint32_t | UINT32 |
typedef uint32_t * | PUINT32 |
typedef unsigned long long | UINT64 |
typedef unsigned long long * | PUINT64 |
typedef int8_t | INT8 |
typedef int8_t * | PINT8 |
typedef int16_t | INT16 |
typedef int16_t * | PINT16 |
typedef int32_t | INT32 |
typedef int32_t * | PINT32 |
typedef long long | INT64 |
typedef long long * | PINT64 |
typedef uint8_t | BYTE |
typedef uint8_t * | PBYTE |
typedef uint16_t | WORD |
typedef uint16_t * | PWORD |
typedef uint32_t | DWORD |
typedef uint32_t * | PDWORD |
typedef unsigned long long | QWORD |
typedef unsigned long long * | PQWORD |
typedef unsigned char | UCHAR |
typedef unsigned char * | PUCHAR |
typedef char | CHAR |
typedef char * | PCHAR |
typedef _Bool | BOOLEAN |
typedef size_t | SIZE_T |
typedef uint16_t | WCHAR |
typedef uint16_t * | PWCHAR |
typedef enum _INTRO_EVENT_TYPE | INTRO_EVENT_TYPE |
Event classes. More... | |
typedef enum _INTRO_ENG_NOTIFICATION_TYPE | INTRO_ENG_NOTIF_TYPE |
Scan engine alert types. More... | |
typedef enum _INTRO_ACTION | INTRO_ACTION |
Event actions. More... | |
typedef enum _INTRO_ACTION_REASON | INTRO_ACTION_REASON |
The reason for which an INTRO_ACTION was taken. More... | |
typedef enum _INTRO_OBJECT_TYPE | INTRO_OBJECT_TYPE |
The type of the object protected by an EPT hook. More... | |
typedef enum _INTRO_NET_AF | INTRO_NET_AF |
Address family. More... | |
typedef enum _INTRO_NET_STATE | INTRO_NET_STATE |
Connection states. More... | |
typedef struct _INTRO_TOKEN_PRIVILEGES | INTRO_TOKEN_PRIVILEGES |
Windows process token privileges. More... | |
typedef struct _INTRO_TOKEN_PRIVILEGES * | PINTRO_TOKEN_PRIVILEGES |
typedef struct _INTRO_WIN_SID | INTRO_WIN_SID |
A security identifier. More... | |
typedef struct _INTRO_WIN_SID * | PINTRO_WIN_SID |
typedef struct _INTRO_SID_ATTRIBUTES | INTRO_SID_ATTRIBUTES |
Windows SID attributes. More... | |
typedef struct _INTRO_SID_ATTRIBUTES * | PINTRO_SID_ATTRIBUTES |
typedef struct _INTRO_WIN_TOKEN | INTRO_WIN_TOKEN |
A Windows token structure as reported by Introcore alerts. More... | |
typedef struct _INTRO_WIN_TOKEN * | PINTRO_WIN_TOKEN |
typedef union _INTRO_TOKEN | INTRO_TOKEN |
Contains privileges and security identifiers information. More... | |
typedef union _INTRO_TOKEN * | PINTRO_TOKEN |
typedef struct _INTRO_PROCESS | INTRO_PROCESS |
Describes a guest process. More... | |
typedef struct _INTRO_PROCESS * | PINTRO_PROCESS |
typedef struct _INTRO_MODULE | INTRO_MODULE |
Describes a user-mode or kernel-mode module. More... | |
typedef struct _INTRO_MODULE * | PINTRO_MODULE |
typedef struct _INTRO_DRVOBJ | INTRO_DRVOBJ |
Describes a driver object. More... | |
typedef struct _INTRO_DRVOBJ * | PINTRO_DRVOBJ |
typedef struct _INTRO_CPUCTX | INTRO_CPUCTX |
Holds the CPU context for an event. More... | |
typedef struct _INTRO_CPUCTX * | PINTRO_CPUCTX |
typedef struct _INTRO_WRITE_INFO | INTRO_WRITE_INFO |
Holds information about a memory write attempt. More... | |
typedef struct _INTRO_WRITE_INFO * | PINTRO_WRITE_INFO |
typedef struct _INTRO_READ_INFO | INTRO_READ_INFO |
Holds information about a memory read attempt. More... | |
typedef struct _INTRO_READ_INFO * | PINTRO_READ_INFO |
typedef struct _INTRO_EXEC_INFO | INTRO_EXEC_INFO |
Holds information about an execution attempt. More... | |
typedef struct _INTRO_EXEC_INFO * | PINTRO_EXEC_INFO |
typedef struct _INTRO_CODEBLOCKS | INTRO_CODEBLOCKS |
Holds code block patterns information. More... | |
typedef struct _INTRO_CODEBLOCKS * | PINTRO_CODEBLOCKS |
typedef struct _INTRO_VERSION_INFO | INTRO_VERSION_INFO |
Holds version information for Introcore and the currently loaded exceptions and CAMI files. More... | |
typedef struct _INTRO_VERSION_INFO * | PINTRO_VERSION_INFO |
typedef struct _INTRO_GPRS | INTRO_GPRS |
Holds register state information. More... | |
typedef struct _INTRO_GPRS * | PINTRO_GPRS |
typedef struct _INTRO_EXEC_CONTEXT | INTRO_EXEC_CONTEXT |
Holds the context in which an execution attempt was detected. More... | |
typedef struct _INTRO_EXEC_CONTEXT * | PINTRO_EXEC_CONTEXT |
typedef struct _INTRO_EXEC_DATA | INTRO_EXEC_DATA |
Holds the data related to an execution attempt. More... | |
typedef struct _INTRO_EXEC_DATA * | PINTRO_EXEC_DATA |
typedef enum _MITRE_ID | MITRE_ID |
Mitre attack techniques. More... | |
typedef struct _INTRO_ALERT_EXCEPTION_HEADER | INTRO_ALERT_EXCEPTION_HEADER |
The common header used by exception information. More... | |
typedef struct _INTRO_VIOLATION_HEADER | INTRO_VIOLATION_HEADER |
Common violation header. More... | |
typedef struct _INTRO_VIOLATION_HEADER * | PINTRO_VIOLATION_HEADER |
typedef struct _EVENT_EPT_VIOLATION | EVENT_EPT_VIOLATION |
Event structure for EPT violations. More... | |
typedef struct _EVENT_EPT_VIOLATION * | PEVENT_EPT_VIOLATION |
typedef struct _EVENT_MSR_VIOLATION | EVENT_MSR_VIOLATION |
Event structure for MSR violation. More... | |
typedef struct _EVENT_MSR_VIOLATION * | PEVENT_MSR_VIOLATION |
typedef struct _EVENT_CR_VIOLATION | EVENT_CR_VIOLATION |
Event structure for CR violation. More... | |
typedef struct _EVENT_CR_VIOLATION * | PEVENT_CR_VIOLATION |
typedef struct _EVENT_XCR_VIOLATION | EVENT_XCR_VIOLATION |
Event structure for XCR violation. More... | |
typedef struct _EVENT_XCR_VIOLATION * | PEVENT_XCR_VIOLATION |
typedef enum _MEMCOPY_VIOLATION_TYPE | MEMCOPY_VIOLATION_TYPE |
The type of a memory copy violation. More... | |
typedef struct _EVENT_MEMCOPY_VIOLATION | EVENT_MEMCOPY_VIOLATION |
Memory access violations that cross a process boundary. More... | |
typedef struct _EVENT_MEMCOPY_VIOLATION * | PEVENT_MEMCOPY_VIOLATION |
typedef enum _TRANS_VIOLATION_TYPE | TRANS_VIOLATION_TYPE |
Translation violation types. More... | |
typedef struct _EVENT_TRANSLATION_VIOLATION | EVENT_TRANSLATION_VIOLATION |
Event structure for illegal paging-structures modifications. More... | |
typedef struct _EVENT_TRANSLATION_VIOLATION * | PEVENT_TRANSLATION_VIOLATION |
typedef struct _EVENT_INTEGRITY_VIOLATION | EVENT_INTEGRITY_VIOLATION |
Event structure for integrity violations on monitored structures. More... | |
typedef struct _EVENT_INTEGRITY_VIOLATION * | PEVENT_INTEGRITY_VIOLATION |
typedef struct _EVENT_DTR_VIOLATION | EVENT_DTR_VIOLATION |
Event structure for GDTR/IDTR descriptor tables modifications. More... | |
typedef struct _EVENT_DTR_VIOLATION * | PEVENT_DTR_VIOLATION |
typedef union _INTRO_DPI_EXTRA_INFO | INTRO_DPI_EXTRA_INFO |
Structure for keeping the relevant DPI violation information. More... | |
typedef union _INTRO_DPI_EXTRA_INFO * | PINTRO_DPI_EXTRA_INFO |
typedef struct _EVENT_PROCESS_CREATION_VIOLATION | EVENT_PROCESS_CREATION_VIOLATION |
Event structure for process creation violation events. More... | |
typedef struct _EVENT_PROCESS_CREATION_VIOLATION * | PEVENT_PROCESS_CREATION_VIOLATION |
typedef struct _EVENT_MODULE_LOAD_VIOLATION | EVENT_MODULE_LOAD_VIOLATION |
Event structure for suspicious module load into processes. More... | |
typedef struct _EVENT_MODULE_LOAD_VIOLATION * | PEVENT_MODULE_LOAD_VIOLATION |
typedef struct _EVENT_ENGINES_DETECTION_VIOLATION | EVENT_ENGINES_DETECTION_VIOLATION |
Event structure for detections provided by additional scan engines. More... | |
typedef struct _EVENT_ENGINES_DETECTION_VIOLATION * | PEVENT_ENGINES_DETECTION_VIOLATION |
typedef struct _EVENT_INTROSPECTION_MESSAGE | EVENT_INTROSPECTION_MESSAGE |
Event structure for plain data/message passing. More... | |
typedef struct _EVENT_INTROSPECTION_MESSAGE * | PEVENT_INTROSPECTION_MESSAGE |
typedef struct _EVENT_PROCESS_EVENT | EVENT_PROCESS_EVENT |
Event structure for process creation/termination. More... | |
typedef struct _EVENT_PROCESS_EVENT * | PEVENT_PROCESS_EVENT |
typedef struct _EVENT_MODULE_EVENT | EVENT_MODULE_EVENT |
Event structure for module loading and unloading. More... | |
typedef struct _EVENT_MODULE_EVENT * | PEVENT_MODULE_EVENT |
typedef struct _EVENT_CRASH_EVENT | EVENT_CRASH_EVENT |
Event structure for guest OS crashes. More... | |
typedef struct _EVENT_CRASH_EVENT * | PEVENT_CRASH_EVENT |
typedef struct _EVENT_EXCEPTION_EVENT | EVENT_EXCEPTION_EVENT |
Event structure for process exceptions. More... | |
typedef struct _EVENT_EXCEPTION_EVENT * | PEVENT_EXCEPTION_EVENT |
typedef struct _EVENT_CONNECTION_EVENT | EVENT_CONNECTION_EVENT |
Event structure for connections. More... | |
typedef struct _EVENT_CONNECTION_EVENT * | PEVENT_CONNECTION_EVENT |
typedef struct _ENG_NOTIFICATION_HEADER | ENG_NOTIFICATION_HEADER |
Notification header for scan engines alerts. More... | |
typedef struct _ENG_NOTIFICATION_HEADER * | PENG_NOTIFICATION_HEADER |
typedef struct _ENG_NOTIFICATION_CODE_EXEC | ENG_NOTIFICATION_CODE_EXEC |
Execution notification for scan engines. More... | |
typedef struct _ENG_NOTIFICATION_CODE_EXEC * | PENG_NOTIFICATION_CODE_EXEC |
typedef struct _ENG_NOTIFICATION_CMD_LINE | ENG_NOTIFICATION_CMD_LINE |
Command line notification for scan engines. More... | |
typedef struct _ENG_NOTIFICATION_CMD_LINE * | PENG_NOTIFICATION_CMD_LINE |
typedef struct _AGENT_REM_EVENT_HEADER | AGENT_REM_EVENT_HEADER |
Common header for all remediation tool events. More... | |
typedef struct _AGENT_REM_EVENT_HEADER * | PAGENT_REM_EVENT_HEADER |
typedef struct _AGENT_REM_EVENT | AGENT_REM_EVENT |
A remediation tool event. More... | |
typedef struct _AGENT_REM_EVENT * | PAGENT_REM_EVENT |
typedef struct _AGENT_LGT_EVENT_HEADER | AGENT_LGT_EVENT_HEADER |
Common header for all log gather tool events. More... | |
typedef struct _AGENT_LGT_EVENT_HEADER * | PAGENT_LGT_EVENT_HEADER |
typedef struct _AGENT_LGT_EVENT | AGENT_LGT_EVENT |
Describes an event sent by the log gathering tool. More... | |
typedef struct _AGENT_LGT_EVENT * | PAGENT_LGT_EVENT |
typedef struct _EVENT_AGENT_EVENT | EVENT_AGENT_EVENT |
Event structure for agent injection and termination. More... | |
typedef struct _EVENT_AGENT_EVENT * | PEVENT_AGENT_EVENT |
typedef struct _GUEST_INFO | GUEST_INFO |
Guest information. More... | |
typedef struct _GUEST_INFO * | PGUEST_INFO |
typedef union _INT_VERSION_INFO | INT_VERSION_INFO |
Introspection version info. More... | |
typedef union _INT_VERSION_INFO * | PINT_VERSION_INFO |
typedef union _INTRO_ERROR_CONTEXT | INTRO_ERROR_CONTEXT |
The context of an error state. More... | |
typedef union _INTRO_ERROR_CONTEXT * | PINTRO_ERROR_CONTEXT |
These are used to describe Introcore options, alerts, and other events that may be generated by an introspected guest.
Definition in file intro_types.h.
#define AGENT_HCALL_GATHER_TOOL 500
Log gathering tool.
Definition at line 1956 of file intro_types.h.
Referenced by IntLixAgentHandleUserVmcall(), and IntWinAgentHandleAppVmcall().
#define AGENT_HCALL_INTERNAL 753200
Reserved for internal use.
Definition at line 1960 of file intro_types.h.
Referenced by IntLixAgentHandleUserVmcall(), and IntWinAgentHandleAppVmcall().
#define AGENT_HCALL_KILLER_TOOL 600
Agent killer tool.
Definition at line 1958 of file intro_types.h.
#define AGENT_HCALL_REM_TOOL 100
Used by the remediation tool.
Definition at line 1954 of file intro_types.h.
Referenced by IntLixAgentHandleUserVmcall(), and IntWinAgentHandleAppVmcall().
#define ALERT_CMDLINE_MAX_LEN 512u
The maximum size of a command line included in an alert structure.
Definition at line 668 of file intro_types.h.
#define ALERT_EXCEPTION_SIZE 255u
The maximum size of an exception included in an alert structure.
Definition at line 669 of file intro_types.h.
Referenced by IntUpdateAddExceptionFromAlert().
#define ALERT_IMAGE_NAME_LEN 16u
The maximum size of a name inside an alert structure.
Definition at line 658 of file intro_types.h.
#define ALERT_MAX_CODEBLOCKS 64u
The maximum number of code blocks included in an alert structure.
Definition at line 667 of file intro_types.h.
Referenced by IntAlertCreateCbSignature(), IntAlertFillCodeBlocks(), IntSerializeCodeBlocksPattern(), and IntSerializeExtractCodeBlocks().
#define ALERT_MAX_DETECTION_NAME 128u
The maximum size of a detection name as given by a third-party scan engine.
Definition at line 671 of file intro_types.h.
Referenced by IntEngSendExecViolation(), and IntWinSendCmdLineViolation().
#define ALERT_MAX_ENGINES_VERSION 32u
The maximum size of the third-party scan engines version string.
Definition at line 672 of file intro_types.h.
Referenced by IntEngSendExecViolation(), and IntWinSendCmdLineViolation().
#define ALERT_MAX_FUNCTION_NAME_LEN 32u
The maximum size of a function name inside an alert structure.
Definition at line 665 of file intro_types.h.
Referenced by IntAlertEptFillFromVictimZone(), IntWinProcHandleCopyMemory(), IntWinThrHandleQueueApc(), and IntWinThrHandleThreadHijack().
#define ALERT_MAX_FUNCTIONS 4u
The maximum number of functions included in an alert structure.
Definition at line 664 of file intro_types.h.
Referenced by IntAlertEptFillFromVictimZone().
#define ALERT_MAX_INJ_DUMP_SIZE 512u
The maximum size of an injection buffer inside an alert structure.
Definition at line 666 of file intro_types.h.
#define ALERT_MAX_INSTRUX_LEN 128u
The maximum size of an instruction inside an alert structure.
Definition at line 661 of file intro_types.h.
#define ALERT_MAX_MESSAGE_SIZE 256u
The maximum size of an Introcore message inside EVENT_INTROSPECTION_MESSAGE.
Definition at line 660 of file intro_types.h.
#define ALERT_MAX_SECTION_NAME_LEN 8u
The maximum size of an executable section name inside an alert structure.
Definition at line 663 of file intro_types.h.
#define ALERT_PATH_MAX_LEN 260u
The maximum size of a path inside an alert structure.
Definition at line 657 of file intro_types.h.
#define FALSE false
Definition at line 34 of file intro_types.h.
#define INTRO_SIDS_MAX_COUNT 4
The maximum SID count included in an alert.
Definition at line 770 of file intro_types.h.
Referenced by IntWinReadToken().
#define INTRO_VIOLATION_VERSION 1
Violation header version.
Definition at line 713 of file intro_types.h.
Referenced by IntAlertFillVersionInfo().
#define INTRO_WIN_SID_MAX_SIZE (sizeof(INTRO_WIN_SID) - sizeof(DWORD) + (INTRO_WIN_SID_MAX_SUB_AUTHORITIES * sizeof(DWORD)))
The maximum size of an INTRO_WIN_SID structure.
Definition at line 748 of file intro_types.h.
#define INTRO_WIN_SID_MAX_SUB_AUTHORITIES 15
The maximum number of sub-authorities contained in a SID.
Definition at line 745 of file intro_types.h.
Referenced by IntWinReadSid().
#define LGT_EVENT_SIZE sizeof(AGENT_LGT_EVENT)
Log gather agent event size.
Definition at line 2088 of file intro_types.h.
Referenced by IntAgentHandleLogGatherVmcall().
#define LGT_EVENT_VERSION 0x00010000
Log gather agent event version.
Definition at line 2086 of file intro_types.h.
Referenced by IntAgentHandleLogGatherVmcall().
#define LGT_MAX_DATA_SIZE 4096
The maximum size of a log gather tool data chunk.
Definition at line 2083 of file intro_types.h.
#define REM_EVENT_SIZE sizeof(AGENT_REM_EVENT)
Remediation event size.
Definition at line 1989 of file intro_types.h.
Referenced by IntAgentHandleRemediationVmcall().
#define REM_EVENT_VERSION 0x00010000
Remediation event version.
Definition at line 1987 of file intro_types.h.
Referenced by IntAgentHandleRemediationVmcall().
#define REM_MAX_DETECTION_LEN 128
The maximum detection name size in bytes, including the NULL terminator.
Definition at line 1984 of file intro_types.h.
#define REM_MAX_OBJECT_PATH_LEN 512
The maximum object path size in bytes, including the NULL terminator.
Definition at line 1982 of file intro_types.h.
#define TRUE true
Definition at line 30 of file intro_types.h.
#define VICTIM_CIRCULAR_KERNEL_CTX_LOGGER u"Circular Kernel Context Logger" |
Printable name used for introObjectTypeKmLoggerContext objects.
Definition at line 683 of file intro_types.h.
Referenced by IntWinInfHookIntegritySendAlert().
#define VICTIM_DRIVER_OBJECT u"Driver Object" |
Printable name used for introObjectTypeDriverObject objects.
Definition at line 677 of file intro_types.h.
Referenced by IntWinDrvObjSendIntegrityAlert().
#define VICTIM_HAL_DISPATCH_TABLE u"HalDispatchTable" |
Printable name used for introObjectTypeHalDispatchTable objects.
Definition at line 679 of file intro_types.h.
Referenced by IntWinHalHandleDispatchTableWrite().
#define VICTIM_IDT u"IDT" |
Printable name used for introObjectTypeIdt.
Definition at line 681 of file intro_types.h.
Referenced by IntWinIdtSendIntegrityAlert().
#define VICTIM_PROCESS_CREDENTIALS u"Process Credentials" |
Printable name used for introObjectTypeCreds objects.
Definition at line 675 of file intro_types.h.
Referenced by IntLixTaskSendCredViolationEvent().
#define VICTIM_PROCESS_TOKEN u"Process Token" |
Printable name used for introObjectTypeTokenPtr objects.
Definition at line 685 of file intro_types.h.
Referenced by IntWinTokenPtrCheckIntegrityOnProcess().
#define VICTIM_TOKEN_PRIVILEGES u"Token privileges" |
Printable name used for introObjectTypeTokenPrivs objects.
Definition at line 687 of file intro_types.h.
Referenced by IntWinTokenPrivsSendIntegrityAlert().
typedef struct _AGENT_LGT_EVENT AGENT_LGT_EVENT |
Describes an event sent by the log gathering tool.
These will contain raw log lines.
typedef struct _AGENT_LGT_EVENT_HEADER AGENT_LGT_EVENT_HEADER |
Common header for all log gather tool events.
Events of this type are sent once the log gathering tool has been injected and started inside the guest and is issuing intro calls (VMCALLs) to report back to Introcore.
typedef struct _AGENT_REM_EVENT AGENT_REM_EVENT |
A remediation tool event.
Events of this type are sent once the remediation tool has been injected and started inside the guest and is issuing intro calls (VMCALLs) to report back to Introcore.
typedef struct _AGENT_REM_EVENT_HEADER AGENT_REM_EVENT_HEADER |
Common header for all remediation tool events.
typedef _Bool BOOLEAN |
Definition at line 58 of file intro_types.h.
typedef uint8_t BYTE |
Definition at line 47 of file intro_types.h.
typedef char CHAR |
Definition at line 56 of file intro_types.h.
typedef uint32_t DWORD |
Definition at line 49 of file intro_types.h.
typedef struct _ENG_NOTIFICATION_CMD_LINE ENG_NOTIFICATION_CMD_LINE |
Command line notification for scan engines.
typedef struct _ENG_NOTIFICATION_CODE_EXEC ENG_NOTIFICATION_CODE_EXEC |
Execution notification for scan engines.
typedef struct _ENG_NOTIFICATION_HEADER ENG_NOTIFICATION_HEADER |
Notification header for scan engines alerts.
typedef struct _EVENT_AGENT_EVENT EVENT_AGENT_EVENT |
Event structure for agent injection and termination.
typedef struct _EVENT_CONNECTION_EVENT EVENT_CONNECTION_EVENT |
Event structure for connections.
Available only if Introcore received the INTRO_OPT_EVENT_CONNECTIONS activation flag. If a process is protected with the PROC_OPT_PROT_EXPLOIT flag and an exploit attempt is detected, then, when the exploit alert is sent, one event of this type is sent for every connection the process has open.
typedef struct _EVENT_CR_VIOLATION EVENT_CR_VIOLATION |
Event structure for CR violation.
typedef struct _EVENT_CRASH_EVENT EVENT_CRASH_EVENT |
Event structure for guest OS crashes.
typedef struct _EVENT_DTR_VIOLATION EVENT_DTR_VIOLATION |
Event structure for GDTR/IDTR descriptor tables modifications.
typedef struct _EVENT_ENGINES_DETECTION_VIOLATION EVENT_ENGINES_DETECTION_VIOLATION |
Event structure for detections provided by additional scan engines.
typedef struct _EVENT_EPT_VIOLATION EVENT_EPT_VIOLATION |
Event structure for EPT violations.
This event can describe multiple memory access violations: read, write, and execute.
typedef struct _EVENT_EXCEPTION_EVENT EVENT_EXCEPTION_EVENT |
Event structure for process exceptions.
This is usually sent when a hardware exception is triggered while a user mode process is running.
typedef struct _EVENT_INTEGRITY_VIOLATION EVENT_INTEGRITY_VIOLATION |
Event structure for integrity violations on monitored structures.
These events are triggered by the integrity check mechanism, which runs on the timer event, so Introcore may not always be able to block them. For the same reason, the information needed for the alert may no longer be present in guest memory by the time Introcore detects the violation.
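To make the timer-driven model concrete, here is an added example (not Introcore's code) of the kind of check that produces an integrity violation for the IDT, the object the VICTIM_IDT name above refers to: a baseline snapshot of the 256 gate descriptors is compared against the current image and every vector whose handler, selector, IST or attributes changed is reported. The gate layout is the x86-64 one from the Intel SDM; the struct and function names, the synthetic IDT contents and the hooked vector are this example's own assumptions, and the write has already landed when the check runs, which is why it can only report.

```c
#include <stdint.h>
#include <string.h>

/* x86-64 interrupt/trap gate descriptor (16 bytes, Intel SDM Vol. 3A, 6.14.1). */
typedef struct {
    uint16_t offset_low;
    uint16_t selector;
    uint8_t  ist;        /* bits 0-2: IST index; other bits reserved */
    uint8_t  type_attr;  /* P (bit 7), DPL (bits 5-6), gate type (bits 0-3) */
    uint16_t offset_mid;
    uint32_t offset_high;
    uint32_t reserved;
} IDT_GATE64;
_Static_assert(sizeof(IDT_GATE64) == 16, "gate descriptor must be 16 bytes");

#define IDT_ENTRIES 256

typedef struct {
    int      vector;
    uint64_t old_handler;
    uint64_t new_handler;
} IDT_VIOLATION;

/* Reassemble the 64-bit handler address from its three split fields. */
uint64_t idt_gate_handler(const IDT_GATE64 *g)
{
    return (uint64_t)g->offset_low
         | ((uint64_t)g->offset_mid << 16)
         | ((uint64_t)g->offset_high << 32);
}

/* Timer-driven integrity pass: compare the current IDT image with the baseline
   snapshot taken when protection was enabled. Returns the number of modified
   vectors and stores up to max_out of them in out. The write has already
   happened by the time this runs, so a mismatch can only be reported. */
int idt_check_integrity(const IDT_GATE64 *baseline, const IDT_GATE64 *current,
                        IDT_VIOLATION *out, int max_out)
{
    int found = 0;
    for (int v = 0; v < IDT_ENTRIES; v++) {
        const IDT_GATE64 *b = &baseline[v], *c = &current[v];
        int same = b->selector == c->selector
                && b->type_attr == c->type_attr
                && (b->ist & 7) == (c->ist & 7)
                && idt_gate_handler(b) == idt_gate_handler(c);
        if (same) continue;
        if (found < max_out) {
            out[found].vector      = v;
            out[found].old_handler = idt_gate_handler(b);
            out[found].new_handler = idt_gate_handler(c);
        }
        found++;
    }
    return found;
}

/* Fill one gate the way a kernel would: handler split across three fields,
   given code selector, type_attr 0x8E = present, DPL 0, 64-bit interrupt gate. */
void idt_fill_gate(IDT_GATE64 *g, uint64_t handler, uint16_t selector, uint8_t type_attr)
{
    memset(g, 0, sizeof *g);
    g->offset_low  = (uint16_t)handler;
    g->offset_mid  = (uint16_t)(handler >> 16);
    g->offset_high = (uint32_t)(handler >> 32);
    g->selector    = selector;
    g->type_attr   = type_attr;
}

/* Constructed sample: a synthetic 256-entry IDT whose handlers sit in a fake
   kernel image, then a rootkit-style rewrite of vector 0x2E to an address
   outside it. Returns the modified vector when exactly one violation is
   found, or -1 otherwise. */
static IDT_GATE64 g_baseline[IDT_ENTRIES], g_current[IDT_ENTRIES];

int demo_idt_hook(void)
{
    for (int v = 0; v < IDT_ENTRIES; v++)
        idt_fill_gate(&g_baseline[v], 0xFFFFF80000100000ULL + (uint64_t)v * 0x100, 0x10, 0x8E);
    memcpy(g_current, g_baseline, sizeof g_baseline);
    idt_fill_gate(&g_current[0x2E], 0xFFFFF8800DEAD000ULL, 0x10, 0x8E);

    IDT_VIOLATION viol[4];
    int n = idt_check_integrity(g_baseline, g_current, viol, 4);
    return (n == 1 && viol[0].vector == 0x2E &&
            viol[0].new_handler == 0xFFFFF8800DEAD000ULL) ? viol[0].vector : -1;
}
```

The comparison deliberately covers selector, IST and attributes as well as the handler address: lowering a gate's DPL or pointing it at a user-accessible IST stack is as much an integrity violation as redirecting the handler.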
typedef struct _EVENT_INTROSPECTION_MESSAGE EVENT_INTROSPECTION_MESSAGE |
Event structure for plain data/message passing.
typedef struct _EVENT_MEMCOPY_VIOLATION EVENT_MEMCOPY_VIOLATION |
Memory access violations that cross a process boundary.
Represents an attempt to write or read the memory of another process, or to hijack the execution flow of
typedef struct _EVENT_MODULE_EVENT EVENT_MODULE_EVENT |
Event structure for module loading and unloading.
User mode events are sent only when an alert is sent for a process, due to performance concerns: sending one event for every user mode module load and unload as it happens could severely impact the guest.
typedef struct _EVENT_MODULE_LOAD_VIOLATION EVENT_MODULE_LOAD_VIOLATION |
Event structure for suspicious module load into processes.
typedef struct _EVENT_MSR_VIOLATION EVENT_MSR_VIOLATION |
Event structure for MSR violation.
typedef struct _EVENT_PROCESS_CREATION_VIOLATION EVENT_PROCESS_CREATION_VIOLATION |
Event structure for process creation violation events.
typedef struct _EVENT_PROCESS_EVENT EVENT_PROCESS_EVENT |
Event structure for process creation/termination.
This is an informational event, not an alert.
typedef struct _EVENT_TRANSLATION_VIOLATION EVENT_TRANSLATION_VIOLATION |
Event structure for illegal paging-structures modifications.
typedef struct _EVENT_XCR_VIOLATION EVENT_XCR_VIOLATION |
Event structure for XCR violation.
typedef struct _GUEST_INFO GUEST_INFO |
Guest information.
typedef int16_t INT16 |
Definition at line 43 of file intro_types.h.
typedef int32_t INT32 |
Definition at line 44 of file intro_types.h.
typedef long long INT64 |
Definition at line 45 of file intro_types.h.
typedef int8_t INT8 |
Definition at line 42 of file intro_types.h.
typedef union _INT_VERSION_INFO INT_VERSION_INFO |
Introspection version info.
typedef enum _INTRO_ACTION INTRO_ACTION |
Event actions.
Priority of the action increases as its value increases (introGuestAllowed has the lowest priority, while introGuestRetry has the highest priority).
typedef enum _INTRO_ACTION_REASON INTRO_ACTION_REASON |
The reason for which an INTRO_ACTION was taken.
typedef struct _INTRO_ALERT_EXCEPTION_HEADER INTRO_ALERT_EXCEPTION_HEADER |
The common header used by exception information.
This is used internally by Introcore to support the add-exception-from-alert mechanism exposed through GLUE_IFACE.AddExceptionFromAlert.
typedef struct _INTRO_CODEBLOCKS INTRO_CODEBLOCKS |
Holds code block patterns information.
This is used by the exception mechanism as a signature for the code that generated an alert. These are extracted from the memory area around the instruction that generated an alert. Since certain operations that fill the fields in this structure may fail, the Valid field should be checked before using any information present in the structure.
typedef struct _INTRO_CPUCTX INTRO_CPUCTX |
Holds the CPU context for an event.
Since certain operations that fill the fields in this structure may fail, the Valid field should be checked before using any information present in the structure.
typedef union _INTRO_DPI_EXTRA_INFO INTRO_DPI_EXTRA_INFO |
Structure for keeping the relevant DPI violation information.
typedef struct _INTRO_DRVOBJ INTRO_DRVOBJ |
Describes a driver object.
Since certain operations that fill the fields in this structure may fail, the Valid field should be checked before using any information present in the structure. This is available only for Windows guests.
typedef enum _INTRO_ENG_NOTIFICATION_TYPE INTRO_ENG_NOTIF_TYPE |
Scan engine alert types.
typedef union _INTRO_ERROR_CONTEXT INTRO_ERROR_CONTEXT |
The context of an error state.
This is optionally supplied to GLUE_IFACE.NotifyIntrospectionErrorState calls for certain error classes.
typedef enum _INTRO_EVENT_TYPE INTRO_EVENT_TYPE |
Event classes.
typedef struct _INTRO_EXEC_CONTEXT INTRO_EXEC_CONTEXT |
Holds the context in which an execution attempt was detected.
typedef struct _INTRO_EXEC_DATA INTRO_EXEC_DATA |
Holds the data related to an execution attempt.
typedef struct _INTRO_EXEC_INFO INTRO_EXEC_INFO |
Holds information about an execution attempt.
typedef struct _INTRO_GPRS INTRO_GPRS |
Holds register state information.
typedef struct _INTRO_MODULE INTRO_MODULE |
Describes a user-mode or kernel-mode module.
Since certain operations that fill the fields in this structure may fail, the Valid field should be checked before using any information present in the structure.
typedef enum _INTRO_NET_AF INTRO_NET_AF |
Address family.
typedef enum _INTRO_NET_STATE INTRO_NET_STATE |
Connection states.
typedef enum _INTRO_OBJECT_TYPE INTRO_OBJECT_TYPE |
The type of the object protected by an EPT hook.
typedef struct _INTRO_PROCESS INTRO_PROCESS |
Describes a guest process.
Since certain operations that fill the fields in this structure may fail, the Valid field should be checked before using any information present in the structure.
typedef struct _INTRO_READ_INFO INTRO_READ_INFO |
Holds information about a memory read attempt.
typedef struct _INTRO_SID_ATTRIBUTES INTRO_SID_ATTRIBUTES |
Windows SID attributes.
typedef union _INTRO_TOKEN INTRO_TOKEN |
Contains privileges and security identifiers information.
typedef struct _INTRO_TOKEN_PRIVILEGES INTRO_TOKEN_PRIVILEGES |
Windows process token privileges.
Each field is a bitmap.
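Since the page lists INTRO_TOKEN_PRIVILEGES only as a set of bitmaps, here is an added example (this example's own code, not Introcore's) of the integrity check an integrator would run on such a snapshot, in the spirit of the token-privileges victim above. It assumes the kernel's three-bitmap layout (Present, Enabled, EnabledByDefault, bit i = privilege LUID i); the field, function and flag names are assumptions, the LUID values are the documented Windows ones, and the token states are constructed.

```c
#include <stdint.h>
#include <stddef.h>

/* Assumed layout: three 64-bit bitmaps where bit i is the privilege with LUID i,
   as in the kernel's SEP_TOKEN_PRIVILEGES. Field names are this example's own. */
typedef struct {
    uint64_t Present;
    uint64_t Enabled;
    uint64_t EnabledByDefault;
} TOKEN_PRIVS;

/* Well-known privilege LUID values on Windows. */
enum {
    PRIV_CREATE_TOKEN = 2,  PRIV_ASSIGN_PRIMARY_TOKEN = 3, PRIV_TCB = 7,
    PRIV_LOAD_DRIVER  = 10, PRIV_BACKUP = 17, PRIV_RESTORE = 18,
    PRIV_SHUTDOWN     = 19, PRIV_DEBUG  = 20, PRIV_CHANGE_NOTIFY = 23,
    PRIV_IMPERSONATE  = 29,
};
#define PRIV_BIT(n) (1ULL << (n))

/* Privileges that almost never appear legitimately in an ordinary user process. */
#define HIGH_VALUE_PRIVS (PRIV_BIT(PRIV_DEBUG) | PRIV_BIT(PRIV_TCB) | \
                          PRIV_BIT(PRIV_LOAD_DRIVER) | PRIV_BIT(PRIV_CREATE_TOKEN) | \
                          PRIV_BIT(PRIV_ASSIGN_PRIMARY_TOKEN))

/* Result flags of privs_check_integrity. */
#define PRIV_VIOL_ENABLED_NOT_PRESENT 0x1u  /* Enabled bit without Present bit: AdjustTokenPrivileges cannot produce this */
#define PRIV_VIOL_DEFAULT_NOT_PRESENT 0x2u
#define PRIV_VIOL_PRESENT_GREW        0x4u  /* privileges appeared after the baseline; a token can only lose them legitimately */
#define PRIV_VIOL_HIGH_VALUE_ADDED    0x8u

/* Compare a fresh snapshot with the baseline taken when protection was enabled.
   Returns an OR of PRIV_VIOL_* flags (0 = consistent); *added_out receives the
   bits that newly appeared in Present or were enabled without ever being Present. */
unsigned privs_check_integrity(const TOKEN_PRIVS *baseline, const TOKEN_PRIVS *now,
                               uint64_t *added_out)
{
    unsigned flags = 0;
    uint64_t grew          = now->Present & ~baseline->Present;
    uint64_t newly_enabled = now->Enabled & ~baseline->Present;

    if (now->Enabled & ~now->Present)              flags |= PRIV_VIOL_ENABLED_NOT_PRESENT;
    if (now->EnabledByDefault & ~now->Present)     flags |= PRIV_VIOL_DEFAULT_NOT_PRESENT;
    if (grew)                                      flags |= PRIV_VIOL_PRESENT_GREW;
    if ((grew | newly_enabled) & HIGH_VALUE_PRIVS) flags |= PRIV_VIOL_HIGH_VALUE_ADDED;

    if (added_out) *added_out = grew | newly_enabled;
    return flags;
}

/* Human-readable name for an alert, keyed by LUID bit. */
const char *priv_name(int bit)
{
    switch (bit) {
    case PRIV_CREATE_TOKEN:         return "SeCreateTokenPrivilege";
    case PRIV_ASSIGN_PRIMARY_TOKEN: return "SeAssignPrimaryTokenPrivilege";
    case PRIV_TCB:                  return "SeTcbPrivilege";
    case PRIV_LOAD_DRIVER:          return "SeLoadDriverPrivilege";
    case PRIV_BACKUP:               return "SeBackupPrivilege";
    case PRIV_RESTORE:              return "SeRestorePrivilege";
    case PRIV_SHUTDOWN:             return "SeShutdownPrivilege";
    case PRIV_DEBUG:                return "SeDebugPrivilege";
    case PRIV_CHANGE_NOTIFY:        return "SeChangeNotifyPrivilege";
    case PRIV_IMPERSONATE:          return "SeImpersonatePrivilege";
    default:                        return "(unknown LUID)";
    }
}

/* Constructed sample 1: a kernel write primitive flips SeDebugPrivilege on in
   Enabled only, the classic data-only escalation. Expected result: 0x9. */
unsigned demo_privs_escalation(void)
{
    TOKEN_PRIVS base = {
        .Present          = PRIV_BIT(PRIV_CHANGE_NOTIFY) | PRIV_BIT(PRIV_SHUTDOWN),
        .Enabled          = PRIV_BIT(PRIV_CHANGE_NOTIFY),
        .EnabledByDefault = PRIV_BIT(PRIV_CHANGE_NOTIFY),
    };
    TOKEN_PRIVS now = base;
    now.Enabled |= PRIV_BIT(PRIV_DEBUG);
    return privs_check_integrity(&base, &now, NULL);
}

/* Constructed sample 2: the process legitimately enables a privilege it already
   holds (SeShutdownPrivilege is Present). Expected result: 0. */
unsigned demo_privs_benign(void)
{
    TOKEN_PRIVS base = {
        .Present          = PRIV_BIT(PRIV_CHANGE_NOTIFY) | PRIV_BIT(PRIV_SHUTDOWN),
        .Enabled          = PRIV_BIT(PRIV_CHANGE_NOTIFY),
        .EnabledByDefault = PRIV_BIT(PRIV_CHANGE_NOTIFY),
    };
    TOKEN_PRIVS now = base;
    now.Enabled |= PRIV_BIT(PRIV_SHUTDOWN);
    return privs_check_integrity(&base, &now, NULL);
}
```

The two invariants worth remembering are that Enabled and EnabledByDefault must always be subsets of Present, and that Present can shrink (privilege removal) but never grow for the lifetime of a token; a snapshot that breaks either was not produced by the Windows token APIs.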
typedef struct _INTRO_VERSION_INFO INTRO_VERSION_INFO |
Holds version information for Introcore and the currently loaded exceptions and CAMI files.
typedef struct _INTRO_VIOLATION_HEADER INTRO_VIOLATION_HEADER |
Common violation header.
typedef struct _INTRO_WIN_SID INTRO_WIN_SID |
A security identifier.
See https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-sid
typedef struct _INTRO_WIN_TOKEN INTRO_WIN_TOKEN |
A Windows token structure as reported by Introcore alerts.
typedef struct _INTRO_WRITE_INFO INTRO_WRITE_INFO |
Holds information about a memory write attempt.
typedef enum _MEMCOPY_VIOLATION_TYPE MEMCOPY_VIOLATION_TYPE |
The type of a memory copy violation.
MITRE ATT&CK techniques.
This is the MITRE ATT&CK technique ID, as defined at https://attack.mitre.org/techniques/enterprise/
typedef struct _AGENT_LGT_EVENT * PAGENT_LGT_EVENT |
typedef struct _AGENT_LGT_EVENT_HEADER * PAGENT_LGT_EVENT_HEADER |
typedef struct _AGENT_REM_EVENT * PAGENT_REM_EVENT |
typedef struct _AGENT_REM_EVENT_HEADER * PAGENT_REM_EVENT_HEADER |
typedef uint8_t * PBYTE |
Definition at line 47 of file intro_types.h.
typedef char * PCHAR |
Definition at line 56 of file intro_types.h.
typedef uint32_t * PDWORD |
Definition at line 49 of file intro_types.h.
typedef struct _ENG_NOTIFICATION_CMD_LINE * PENG_NOTIFICATION_CMD_LINE |
typedef struct _ENG_NOTIFICATION_CODE_EXEC * PENG_NOTIFICATION_CODE_EXEC |
typedef struct _ENG_NOTIFICATION_HEADER * PENG_NOTIFICATION_HEADER |
typedef struct _EVENT_AGENT_EVENT * PEVENT_AGENT_EVENT |
typedef struct _EVENT_CONNECTION_EVENT * PEVENT_CONNECTION_EVENT |
typedef struct _EVENT_CR_VIOLATION * PEVENT_CR_VIOLATION |
typedef struct _EVENT_CRASH_EVENT * PEVENT_CRASH_EVENT |
typedef struct _EVENT_DTR_VIOLATION * PEVENT_DTR_VIOLATION |
typedef struct _EVENT_ENGINES_DETECTION_VIOLATION * PEVENT_ENGINES_DETECTION_VIOLATION |
typedef struct _EVENT_EPT_VIOLATION * PEVENT_EPT_VIOLATION |
typedef struct _EVENT_EXCEPTION_EVENT * PEVENT_EXCEPTION_EVENT |
typedef struct _EVENT_INTEGRITY_VIOLATION * PEVENT_INTEGRITY_VIOLATION |
typedef struct _EVENT_INTROSPECTION_MESSAGE * PEVENT_INTROSPECTION_MESSAGE |
typedef struct _EVENT_MEMCOPY_VIOLATION * PEVENT_MEMCOPY_VIOLATION |
typedef struct _EVENT_MODULE_EVENT * PEVENT_MODULE_EVENT |
typedef struct _EVENT_MODULE_LOAD_VIOLATION * PEVENT_MODULE_LOAD_VIOLATION |
typedef struct _EVENT_MSR_VIOLATION * PEVENT_MSR_VIOLATION |
typedef struct _EVENT_PROCESS_CREATION_VIOLATION * PEVENT_PROCESS_CREATION_VIOLATION |
typedef struct _EVENT_PROCESS_EVENT * PEVENT_PROCESS_EVENT |
typedef struct _EVENT_TRANSLATION_VIOLATION * PEVENT_TRANSLATION_VIOLATION |
typedef struct _EVENT_XCR_VIOLATION * PEVENT_XCR_VIOLATION |
typedef struct _GUEST_INFO * PGUEST_INFO |
typedef int16_t * PINT16 |
Definition at line 43 of file intro_types.h.
typedef int32_t * PINT32 |
Definition at line 44 of file intro_types.h.
typedef long long * PINT64 |
Definition at line 45 of file intro_types.h.
typedef int8_t * PINT8 |
Definition at line 42 of file intro_types.h.
typedef union _INT_VERSION_INFO * PINT_VERSION_INFO |
typedef struct _INTRO_CODEBLOCKS * PINTRO_CODEBLOCKS |
typedef struct _INTRO_CPUCTX * PINTRO_CPUCTX |
typedef union _INTRO_DPI_EXTRA_INFO * PINTRO_DPI_EXTRA_INFO |
typedef struct _INTRO_DRVOBJ * PINTRO_DRVOBJ |
typedef union _INTRO_ERROR_CONTEXT * PINTRO_ERROR_CONTEXT |
typedef struct _INTRO_EXEC_CONTEXT * PINTRO_EXEC_CONTEXT |
typedef struct _INTRO_EXEC_DATA * PINTRO_EXEC_DATA |
typedef struct _INTRO_EXEC_INFO * PINTRO_EXEC_INFO |
typedef struct _INTRO_GPRS * PINTRO_GPRS |
typedef struct _INTRO_MODULE * PINTRO_MODULE |
typedef struct _INTRO_PROCESS * PINTRO_PROCESS |
typedef struct _INTRO_READ_INFO * PINTRO_READ_INFO |
typedef struct _INTRO_SID_ATTRIBUTES * PINTRO_SID_ATTRIBUTES |
typedef union _INTRO_TOKEN * PINTRO_TOKEN |
typedef struct _INTRO_TOKEN_PRIVILEGES * PINTRO_TOKEN_PRIVILEGES |
typedef struct _INTRO_VERSION_INFO * PINTRO_VERSION_INFO |
typedef struct _INTRO_VIOLATION_HEADER * PINTRO_VIOLATION_HEADER |
typedef struct _INTRO_WIN_SID * PINTRO_WIN_SID |
typedef struct _INTRO_WIN_TOKEN * PINTRO_WIN_TOKEN |
typedef struct _INTRO_WRITE_INFO * PINTRO_WRITE_INFO |
typedef unsigned long long * PQWORD |
Definition at line 53 of file intro_types.h.
typedef unsigned char * PUCHAR |
Definition at line 55 of file intro_types.h.
typedef uint16_t * PUINT16 |
Definition at line 38 of file intro_types.h.
typedef uint32_t * PUINT32 |
Definition at line 39 of file intro_types.h.
typedef unsigned long long * PUINT64 |
Definition at line 40 of file intro_types.h.
typedef uint8_t * PUINT8 |
Definition at line 37 of file intro_types.h.
typedef uint16_t * PWCHAR |
Definition at line 63 of file intro_types.h.
typedef uint16_t * PWORD |
Definition at line 48 of file intro_types.h.
typedef unsigned long long QWORD |
Definition at line 53 of file intro_types.h.
typedef size_t SIZE_T |
Definition at line 60 of file intro_types.h.
typedef enum _TRANS_VIOLATION_TYPE TRANS_VIOLATION_TYPE |
Translation violation types.
typedef unsigned char UCHAR |
Definition at line 55 of file intro_types.h.
typedef uint16_t UINT16 |
Definition at line 38 of file intro_types.h.
typedef uint32_t UINT32 |
Definition at line 39 of file intro_types.h.
typedef unsigned long long UINT64 |
Definition at line 40 of file intro_types.h.
typedef uint8_t UINT8 |
Definition at line 37 of file intro_types.h.
typedef uint16_t WCHAR |
Definition at line 63 of file intro_types.h.
typedef uint16_t WORD |
Definition at line 48 of file intro_types.h.
enum _INTRO_ACTION |
Event actions.
Priority of the action increases as its value increases (introGuestAllowed has the lowest priority, while introGuestRetry has the highest priority).
Definition at line 145 of file intro_types.h.
enum _INTRO_ACTION_REASON |
The reason for which an INTRO_ACTION was taken.
Definition at line 180 of file intro_types.h.
enum _INTRO_ENG_NOTIFICATION_TYPE |
Scan engine alert types.
Enumerator | |
---|---|
introEngineNotificationCodeExecution | Execution attempt result. The result is of type ENG_NOTIFICATION_CODE_EXEC. |
introEngineNotificationCmdLine | Command line scan results. The result is of type ENG_NOTIFICATION_CMD_LINE. |
Definition at line 126 of file intro_types.h.
enum _INTRO_EVENT_TYPE |
Event classes.
Enumerator | |
---|---|
introEventEptViolation | Sent when an EPT violation triggers an alert. See EVENT_EPT_VIOLATION. |
introEventMsrViolation | Sent when an MSR violation triggers an alert. See EVENT_MSR_VIOLATION. |
introEventCrViolation | Sent when a CR violation triggers an alert. See EVENT_CR_VIOLATION. |
introEventXcrViolation | Sent when an XCR violation triggers an alert. See EVENT_XCR_VIOLATION. |
introEventIntegrityViolation | Sent for integrity violation alerts. See EVENT_INTEGRITY_VIOLATION. |
introEventTranslationViolation | Sent for virtual address translation alerts. See EVENT_TRANSLATION_VIOLATION. |
introEventInjectionViolation | Sent for code/data injection alerts. See EVENT_MEMCOPY_VIOLATION. |
introEventDtrViolation | Sent when a DTR violation triggers an alert. See EVENT_DTR_VIOLATION. |
introEventMessage | Plain text message sent from Introcore to the integrator. See EVENT_INTROSPECTION_MESSAGE. |
introEventProcessEvent | Informational event sent when a process is created or terminated by the guest. See EVENT_PROCESS_EVENT. |
introEventAgentEvent | Informational event sent when the remediation tool is injected or terminated. See EVENT_AGENT_EVENT. |
introEventModuleEvent | Informational event sent when kernel module is loaded or when a module is loaded inside a protected process. See EVENT_MODULE_EVENT. |
introEventCrashEvent | Informational event sent when the guest crashes. See EVENT_CRASH_EVENT. |
introEventExceptionEvent | Informational event sent when a hardware exception is triggered by a guest process. See EVENT_EXCEPTION_EVENT. |
introEventConnectionEvent | Informational event containing the connections opened by a process. See EVENT_CONNECTION_EVENT. |
introEventProcessCreationViolation | Sent for unauthorized process creation alerts. See EVENT_PROCESS_CREATION_VIOLATION. |
introEventModuleLoadViolation | Sent for suspicious module loads alerts. See EVENT_MODULE_LOAD_VIOLATION. |
introEventEnginesDetectionViolation | Sent for third party engines detections. See EVENT_ENGINES_DETECTION_VIOLATION. |
Definition at line 81 of file intro_types.h.
enum _INTRO_NET_AF |
Address family.
Enumerator | |
---|---|
introNetAfIpv4 | IPv4. |
introNetAfIpv6 | IPv6. |
introNetAfUnknown | Unknown. |
Definition at line 287 of file intro_types.h.
enum _INTRO_NET_STATE |
Connection states.
Definition at line 299 of file intro_types.h.
enum _INTRO_OBJECT_TYPE |
The type of the object protected by an EPT hook.
Definition at line 228 of file intro_types.h.
enum _MEMCOPY_VIOLATION_TYPE |
The type of a memory copy violation.
Definition at line 1290 of file intro_types.h.
enum _MITRE_ID |
MITRE ATT&CK techniques.
This is the MITRE ATT&CK technique ID, as defined at https://attack.mitre.org/techniques/enterprise/
Definition at line 1030 of file intro_types.h.
enum _TRANS_VIOLATION_TYPE |
Translation violation types.
Definition at line 1404 of file intro_types.h.
enum AGENT_EVENT_TYPE |
The state of an agent.
Definition at line 1934 of file intro_types.h.
enum AGENT_LGT_EVENT_TYPE |
Log gather tool events.
Enumerator | |
---|---|
lgtEventNone | No event. |
lgtEventError | Error event. |
lgtEventData | Data gather event. |
Definition at line 2075 of file intro_types.h.
enum AGENT_REM_EVENT_TYPE |
Remediation tool events types.
Definition at line 1970 of file intro_types.h.
enum INTRO_DEP_AG_TAGS |
Deployable agents tags.
Definition at line 2149 of file intro_types.h.
EPT access types.
Enumerator | |
---|---|
INTRO_EPT_NONE | No access. |
INTRO_EPT_READ | Read access. |
INTRO_EPT_WRITE | Write access. |
INTRO_EPT_EXECUTE | Execute access. |
Definition at line 693 of file intro_types.h.
enum INTRO_ERROR_STATE |
Error states.
These are reported by GLUE_IFACE.NotifyIntrospectionErrorState.
Definition at line 2270 of file intro_types.h.
enum INTRO_GUEST_TYPE |
The type of the introspected operating system.
Enumerator | |
---|---|
introGuestUnknown | Unknown. |
introGuestWindows | Windows. |
introGuestLinux | Linux. |
Definition at line 1877 of file intro_types.h.
MSR access types.
Enumerator | |
---|---|
INTRO_MSR_READ | Read access. |
INTRO_MSR_WRITE | Write access. |
Definition at line 705 of file intro_types.h.
Process creation violation flags.
Definition at line 1516 of file intro_types.h.