Bitdefender Hypervisor Memory Introspection
update_exceptions.c
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2020 Bitdefender
3  * SPDX-License-Identifier: Apache-2.0
4  */
10 
11 #include "update_exceptions.h"
12 #include "alert_exceptions.h"
13 #include "guests.h"
14 #include "utils.h"
15 
17 #define UPDATE_VALIDATE_FILE_SIZE 0x1
18 #define UPDATE_VALIDATE_HEADER_SIZE 0x2
20 #define UPDATE_VALIDATE_ALL (UPDATE_VALIDATE_FILE_SIZE | UPDATE_VALIDATE_HEADER_SIZE)
22 
24 static EXCEPTION_SIGNATURE_ID gCurrentSignatureId = { .Field = { .Value = BIT(22) / 2, .Type = 0} };
25 
30 typedef struct _UPDATE_ITEM_SIZE
31 {
32  DWORD EntrySize;
33  DWORD RemainingFileSize;
34 } UPDATE_ITEM_SIZE, *PUPDATE_ITEM_SIZE;
35 
36 
37 INTSTATUS
38 IntUpdateGetVersion(
39  _Out_ WORD *MajorVersion,
40  _Out_ WORD *MinorVersion,
41  _Out_ DWORD *BuildNumber
42  )
56 {
57  if (NULL == MajorVersion)
58  {
59  return INT_STATUS_INVALID_PARAMETER_1;
60  }
61 
62  if (NULL == MinorVersion)
63  {
64  return INT_STATUS_INVALID_PARAMETER_2;
65  }
66 
67  if (NULL == BuildNumber)
68  {
69  return INT_STATUS_INVALID_PARAMETER_3;
70  }
71 
72  if (NULL == gGuest.Exceptions || !gGuest.Exceptions->Loaded)
73  {
74  return INT_STATUS_NOT_INITIALIZED;
75  }
76 
77  *MajorVersion = gGuest.Exceptions->Version.Major;
78  *MinorVersion = gGuest.Exceptions->Version.Minor;
79  *BuildNumber = gGuest.Exceptions->Version.Build;
80 
81  return INT_STATUS_SUCCESS;
82 }
83 
84 
85 static __forceinline EXCEPTION_SIGNATURE_ID
86 IntUpdateGetUniqueSigId(
87  _In_ EXCEPTION_SIGNATURE_TYPE Type
88  )
96 {
97  gCurrentSignatureId.Field.Value++;
98  gCurrentSignatureId.Field.Type = Type;
99 
100  return gCurrentSignatureId;
101 }
102 
103 
104 static BOOLEAN
105 IntUpdateIsValidEntry(
106  _In_ DWORD Size,
107  _In_ UPDATE_ITEM_SIZE *Item,
108  _In_ DWORD Flags
109  )
119 {
120  if (Flags & UPDATE_VALIDATE_HEADER_SIZE)
121  {
122  if (Size != Item->EntrySize)
123  {
124  ERROR("[ERROR] The exceptions file is corrupted. The size of the entry (%d) is different from the size "
125  "provided by the header (%d)\n", Size, Item->EntrySize);
126  return FALSE;
127  }
128  }
129 
130  if (Flags & UPDATE_VALIDATE_FILE_SIZE)
131  {
132  if (Size > Item->RemainingFileSize)
133  {
134  ERROR("[ERROR] The exceptions file is corrupted. The size of the entry (%d) exceed the remaining size "
135  "of the exceptions file (%d)\n", Size, Item->RemainingFileSize);
136  return FALSE;
137  }
138  }
139 
140  return TRUE;
141 }
142 
143 
144 static INTSTATUS
145 IntUpdateAddKernelException(
146  _In_ UPDATE_KM_EXCEPTION *UpdateException,
147  _In_ UPDATE_ITEM_SIZE *Item
148  )
165 {
166  DWORD extraSize;
167  KM_EXCEPTION *pException;
168  LIST_HEAD *head;
169 
170  if (!IntUpdateIsValidEntry(sizeof(*UpdateException), Item, UPDATE_VALIDATE_FILE_SIZE))
171  {
172  return INT_STATUS_INVALID_DATA_STATE;
173  }
174 
175  extraSize = UpdateException->SigCount * sizeof(EXCEPTION_SIGNATURE_ID);
176 
177  if (!IntUpdateIsValidEntry(sizeof(*UpdateException) + extraSize, Item, UPDATE_VALIDATE_ALL))
178  {
179  return INT_STATUS_INVALID_DATA_STATE;
180  }
181 
182  if ((gGuest.OSType == introGuestWindows && (UpdateException->Flags & EXCEPTION_FLG_LINUX)) ||
183  (gGuest.OSType == introGuestLinux && !(UpdateException->Flags & EXCEPTION_FLG_LINUX)))
184  {
185  return INT_STATUS_NOT_NEEDED_HINT;
186  }
187 
188  if (UpdateException->Flags & EXCEPTION_FLG_IGNORE)
189  {
190  TRACE("[UPDATE] Dropped an ignored KM exception. No problem here!\n");
191  return INT_STATUS_NOT_NEEDED_HINT;
192  }
193 
194  // SigCount is a WORD, multiplied by sizeof(EXCEPTION_SIGNATURE_ID), so the size won't overflow.
195  pException = HpAllocWithTag(sizeof(*pException) + extraSize, IC_TAG_EXKM);
196  if (NULL == pException)
197  {
198  return INT_STATUS_INSUFFICIENT_RESOURCES;
199  }
200 
201  pException->OriginatorNameHash = UpdateException->Originator.NameHash;
202  pException->VictimNameHash = UpdateException->VictimNameHash;
203  pException->Flags = UpdateException->Flags;
204  pException->Type = UpdateException->Type;
205  pException->SigCount = UpdateException->SigCount;
206 
207  // This is an old exceptions.bin, so add the write flag manually
208  if (0 == (pException->Flags & (EXCEPTION_FLG_READ | EXCEPTION_FLG_WRITE | EXCEPTION_FLG_EXECUTE)))
209  {
210  pException->Flags |= EXCEPTION_FLG_WRITE;
211  }
212 
213  // Only copy if we have signatures
214  if (UpdateException->SigCount > 0)
215  {
216  memcpy(&pException->Signatures[0], &UpdateException->SigIds[0],
217  UpdateException->SigCount * sizeof(EXCEPTION_SIGNATURE_ID));
218  }
219 
220  //
221  // Now, let's find in which list this exception is
222  //
223  if (pException->OriginatorNameHash == kmExcNameAny)
224  {
225  if (UpdateException->Flags & EXCEPTION_FLG_FEEDBACK)
226  {
227  head = &gGuest.Exceptions->KernelFeedbackExceptions;
228  }
229  else
230  {
231  head = &gGuest.Exceptions->GenericKernelExceptions;
232  }
233  }
234  else if (pException->OriginatorNameHash == kmExcNameNone)
235  {
236  if (UpdateException->Flags & EXCEPTION_FLG_FEEDBACK)
237  {
238  head = &gGuest.Exceptions->KernelFeedbackExceptions;
239  }
240  else
241  {
242  head = &gGuest.Exceptions->NoNameKernelExceptions;
243  }
244  }
245  else
246  {
247  if (UpdateException->Flags & EXCEPTION_FLG_FEEDBACK)
248  {
249  head = &gGuest.Exceptions->KernelFeedbackExceptions;
250  }
251  else
252  {
253  DWORD id = EXCEPTION_TABLE_ID(pException->OriginatorNameHash);
254  head = &gGuest.Exceptions->KernelExceptions[id];
255  }
256  }
257 
258  InsertTailList(head, &pException->Link);
259 
260  return INT_STATUS_SUCCESS;
261 }
262 
263 
264 static INTSTATUS
265 IntUpdateAddKernelUserException(
266  _In_ UPDATE_KUM_EXCEPTION *UpdateException,
267  _In_ UPDATE_ITEM_SIZE *Item
268  )
285 {
286  DWORD extraSize;
287  KUM_EXCEPTION *pException;
288  LIST_HEAD *head;
289 
290  if (!IntUpdateIsValidEntry(sizeof(*UpdateException), Item, UPDATE_VALIDATE_FILE_SIZE))
291  {
292  return INT_STATUS_INVALID_DATA_STATE;
293  }
294 
295  extraSize = UpdateException->SigCount * sizeof(EXCEPTION_SIGNATURE_ID);
296 
297  if (!IntUpdateIsValidEntry(sizeof(*UpdateException) + extraSize, Item, UPDATE_VALIDATE_ALL))
298  {
299  return INT_STATUS_INVALID_DATA_STATE;
300  }
301 
302  if ((gGuest.OSType == introGuestWindows && (UpdateException->Flags & EXCEPTION_FLG_LINUX)) ||
303  (gGuest.OSType == introGuestLinux && !(UpdateException->Flags & EXCEPTION_FLG_LINUX)))
304  {
305  return INT_STATUS_NOT_NEEDED_HINT;
306  }
307 
308  if (UpdateException->Flags & EXCEPTION_FLG_IGNORE)
309  {
310  TRACE("[UPDATE] Dropped an ignored KM exception. No problem here!\n");
311  return INT_STATUS_NOT_NEEDED_HINT;
312  }
313 
314  // SigCount is a WORD, multiplied by sizeof(EXCEPTION_SIGNATURE_ID), so the size won't overflow.
315  pException = HpAllocWithTag(sizeof(*pException) + extraSize, IC_TAG_EXKU);
316  if (NULL == pException)
317  {
318  return INT_STATUS_INSUFFICIENT_RESOURCES;
319  }
320 
321  pException->OriginatorNameHash = UpdateException->OriginatorNameHash;
322  pException->Victim.NameHash = UpdateException->Victim.NameHash;
323  pException->Victim.ProcessHash = UpdateException->Victim.ProcessHash;
324  pException->Flags = UpdateException->Flags;
325  pException->Type = UpdateException->Type;
326  pException->SigCount = UpdateException->SigCount;
327 
328  // Only copy if we have signatures
329  if (UpdateException->SigCount > 0)
330  {
331  memcpy(&pException->Signatures[0], &UpdateException->SigIds[0],
332  UpdateException->SigCount * sizeof(EXCEPTION_SIGNATURE_ID));
333  }
334 
335  //
336  // Now, let's find in which list this exception is
337  //
338  if (pException->OriginatorNameHash == kmExcNameAny)
339  {
340  if (UpdateException->Flags & EXCEPTION_FLG_FEEDBACK)
341  {
342  head = &gGuest.Exceptions->KernelUserFeedbackExceptions;
343  }
344  else
345  {
346  head = &gGuest.Exceptions->GenericKernelUserExceptions;
347  }
348  }
349  else if (pException->OriginatorNameHash == kmExcNameNone)
350  {
351  if (UpdateException->Flags & EXCEPTION_FLG_FEEDBACK)
352  {
353  head = &gGuest.Exceptions->KernelUserFeedbackExceptions;
354  }
355  else
356  {
357  head = &gGuest.Exceptions->NoNameKernelExceptions;
358  }
359  }
360  else
361  {
362  if (UpdateException->Flags & EXCEPTION_FLG_FEEDBACK)
363  {
364  head = &gGuest.Exceptions->KernelUserFeedbackExceptions;
365  }
366  else
367  {
368  DWORD id = EXCEPTION_TABLE_ID(pException->OriginatorNameHash);
369  head = &gGuest.Exceptions->KernelUserExceptions[id];
370  }
371  }
372 
373  InsertTailList(head, &pException->Link);
374 
375  return INT_STATUS_SUCCESS;
376 }
377 
378 
379 static INTSTATUS
380 IntUpdateAddUserException(
381  _In_ UPDATE_UM_EXCEPTION *UpdateException,
382  _In_ UPDATE_ITEM_SIZE *Item
383  )
402 {
403  DWORD extraSize;
404  UM_EXCEPTION *pException;
405  LIST_HEAD *head;
406 
407  if (!IntUpdateIsValidEntry(sizeof(*UpdateException), Item, UPDATE_VALIDATE_FILE_SIZE))
408  {
409  return INT_STATUS_INVALID_DATA_STATE;
410  }
411 
412  extraSize = UpdateException->SigCount * sizeof(EXCEPTION_SIGNATURE_ID);
413 
414  if (!IntUpdateIsValidEntry(sizeof(*UpdateException) + extraSize, Item, UPDATE_VALIDATE_ALL))
415  {
416  return INT_STATUS_INVALID_DATA_STATE;
417  }
418 
419  if ((gGuest.OSType == introGuestWindows && (UpdateException->Flags & EXCEPTION_FLG_LINUX)) ||
420  (gGuest.OSType == introGuestLinux && !(UpdateException->Flags & EXCEPTION_FLG_LINUX)))
421  {
422  return INT_STATUS_NOT_NEEDED_HINT;
423  }
424 
425  if (UpdateException->Flags & EXCEPTION_FLG_IGNORE)
426  {
427  TRACE("[UPDATE] Dropped an ignored UM exception. No problem here!\n");
428  return INT_STATUS_NOT_NEEDED_HINT;
429  }
430 
431  pException = HpAllocWithTag(sizeof(*pException) + extraSize, IC_TAG_EXUM);
432  if (NULL == pException)
433  {
434  return INT_STATUS_INSUFFICIENT_RESOURCES;
435  }
436 
437  pException->OriginatorNameHash = UpdateException->OriginatorNameHash;
438  pException->Victim.NameHash = UpdateException->Victim.NameHash;
439  pException->Victim.ProcessHash = UpdateException->Victim.ProcessHash;
440  pException->Flags = UpdateException->Flags;
441  pException->Type = UpdateException->Type;
442  pException->SigCount = UpdateException->SigCount;
443 
444  // This is an old exceptions.bin, so add the write/exec flag manually
445  if (0 == (pException->Flags & (EXCEPTION_FLG_READ | EXCEPTION_FLG_WRITE | EXCEPTION_FLG_EXECUTE)))
446  {
447  if (pException->Type == umObjNxZone)
448  {
449  pException->Flags |= EXCEPTION_FLG_EXECUTE;
450  }
451  else
452  {
453  pException->Flags |= EXCEPTION_FLG_WRITE;
454  }
455  }
456 
457  if (UpdateException->SigCount > 0)
458  {
459  // We have calculated the size occupied by the exception, so it's safe to use memcpy for signatures
460  memcpy(pException->Signatures, UpdateException->SigIds,
461  UpdateException->SigCount * sizeof(EXCEPTION_SIGNATURE_ID));
462  }
463 
464  // Now, let's find in which list this exception is
465  if (pException->Type == umObjProcessCreation)
466  {
467  if (UpdateException->Flags & EXCEPTION_FLG_FEEDBACK)
468  {
469  head = &gGuest.Exceptions->ProcessCreationFeedbackExceptions;
470  }
471  else
472  {
473  head = &gGuest.Exceptions->ProcessCreationExceptions;
474  }
475  }
476  else if (pException->OriginatorNameHash == umExcNameAny)
477  {
478  if (UpdateException->Flags & EXCEPTION_FLG_FEEDBACK)
479  {
480  head = &gGuest.Exceptions->UserFeedbackExceptions;
481  }
482  else
483  {
484  head = &gGuest.Exceptions->GenericUserExceptions;
485  }
486  }
487  else if (pException->OriginatorNameHash == umExcNameNone)
488  {
489  if (UpdateException->Flags & EXCEPTION_FLG_FEEDBACK)
490  {
491  head = &gGuest.Exceptions->UserFeedbackExceptions;
492  }
493  else
494  {
495  head = &gGuest.Exceptions->NoNameUserExceptions;
496  }
497  }
498  else
499  {
500  if (UpdateException->Flags & EXCEPTION_FLG_FEEDBACK)
501  {
502  head = &gGuest.Exceptions->UserFeedbackExceptions;
503  }
504  else
505  {
506  DWORD id = EXCEPTION_TABLE_ID(pException->OriginatorNameHash);
507  head = &gGuest.Exceptions->UserExceptions[id];
508  }
509  }
510 
511  InsertTailList(head, &pException->Link);
512 
513  return INT_STATUS_SUCCESS;
514 }
515 
516 
517 static INTSTATUS
518 IntUpdateAddUserExceptionGlob(
519  _In_ UPDATE_UM_EXCEPTION_GLOB *UpdateException,
520  _In_ UPDATE_ITEM_SIZE *Item
521  )
535 {
536  DWORD extraSize = 0;
537  DWORD size = 0;
538  DWORD remainingSize = Item->RemainingFileSize;
539  char *pOriginatorName = NULL;
540  size_t originatorNameLen = 0;
541  char *pVictimName = NULL;
542  size_t victimNameLen = 0;
543  char *pProcName = NULL;
544  size_t procNameLen = 0;
545  UM_EXCEPTION_GLOB *pException;
546 
547  if (!IntUpdateIsValidEntry(sizeof(*UpdateException), Item, UPDATE_VALIDATE_FILE_SIZE))
548  {
549  return INT_STATUS_INVALID_DATA_STATE;
550  }
551 
552  size = sizeof(UpdateException->Flags) + sizeof(UpdateException->Type) + sizeof(UpdateException->_Reserved)
553  + sizeof(UpdateException->SigCount);
554  remainingSize -= size;
555 
556  if (UpdateException->Flags & EXCEPTION_FLG_IGNORE)
557  {
558  TRACE("[UPDATE] Dropped an ignored UM exception. No problem here!\n");
559  return INT_STATUS_NOT_NEEDED_HINT;
560  }
561 
562  pOriginatorName = UpdateException->OriginatorNameGlob;
563  originatorNameLen = strlen_s(pOriginatorName, MIN((DWORD)EXCEPTION_UM_GLOB_LENGTH, remainingSize)) + 1;
564  size += (DWORD)originatorNameLen;
565  remainingSize -= (DWORD)originatorNameLen;
566 
567  if (originatorNameLen <= 1)
568  {
569  ERROR("[ERROR] The originator name length is invalid (%zu)\n", originatorNameLen);
570  return INT_STATUS_INVALID_DATA_STATE;
571  }
572 
573  if (!IntUpdateIsValidEntry(sizeof(*UpdateException) + size, Item, UPDATE_VALIDATE_FILE_SIZE))
574  {
575  return INT_STATUS_INVALID_DATA_STATE;
576  }
577 
578  if (originatorNameLen > EXCEPTION_UM_GLOB_LENGTH)
579  {
580  ERROR("[ERROR] Originator Name length is longer than the supported one (%d)\n", EXCEPTION_UM_GLOB_LENGTH);
581  return INT_STATUS_NOT_SUPPORTED;
582  }
583 
584  pVictimName = pOriginatorName + originatorNameLen;
585  victimNameLen = strlen_s(pVictimName, MIN((DWORD)EXCEPTION_UM_GLOB_LENGTH, remainingSize)) + 1;
586  size += (DWORD)victimNameLen;
587  remainingSize -= (DWORD)victimNameLen;
588 
589  if (victimNameLen <= 1)
590  {
591  ERROR("[ERROR] The victim name length is invalid (%zu)\n", victimNameLen);
592  return INT_STATUS_INVALID_DATA_STATE;
593  }
594 
595  if (!IntUpdateIsValidEntry(sizeof(*UpdateException) + size, Item, UPDATE_VALIDATE_FILE_SIZE))
596  {
597  return INT_STATUS_INVALID_DATA_STATE;
598  }
599 
600  if (victimNameLen > EXCEPTION_UM_GLOB_LENGTH)
601  {
602  ERROR("[ERROR] Victim Name length is longer than the supported one (%d)\n", EXCEPTION_UM_GLOB_LENGTH);
603  return INT_STATUS_NOT_SUPPORTED;
604  }
605 
606  pProcName = pVictimName + victimNameLen;
607  procNameLen = strlen_s(pProcName, MIN((DWORD)EXCEPTION_UM_GLOB_LENGTH, remainingSize)) + 1;
608  size += (DWORD)procNameLen;
609 
610  if (procNameLen <= 1)
611  {
612  ERROR("[ERROR] The process name length is invalid (%zu)\n", procNameLen);
613  return INT_STATUS_INVALID_DATA_STATE;
614  }
615 
616 
617  if (!IntUpdateIsValidEntry(sizeof(*UpdateException) + size, Item, UPDATE_VALIDATE_FILE_SIZE))
618  {
619  return INT_STATUS_INVALID_DATA_STATE;
620  }
621 
622  if (procNameLen > EXCEPTION_UM_GLOB_LENGTH)
623  {
624  ERROR("[ERROR] Victim Process length is longer than the supported one (%d)\n", EXCEPTION_UM_GLOB_LENGTH);
625  return INT_STATUS_NOT_SUPPORTED;
626  }
627 
628  extraSize = UpdateException->SigCount * sizeof(EXCEPTION_SIGNATURE_ID);
629  size += extraSize;
630 
631  if (!IntUpdateIsValidEntry(size, Item, UPDATE_VALIDATE_ALL))
632  {
633  return INT_STATUS_INVALID_OBJECT_TYPE;
634  }
635 
636  if ((gGuest.OSType == introGuestWindows && (UpdateException->Flags & EXCEPTION_FLG_LINUX)) ||
637  (gGuest.OSType == introGuestLinux && !(UpdateException->Flags & EXCEPTION_FLG_LINUX)))
638  {
639  return INT_STATUS_NOT_NEEDED_HINT;
640  }
641 
642  pException = HpAllocWithTag(sizeof(*pException) + extraSize, IC_TAG_EXUM);
643  if (NULL == pException)
644  {
645  return INT_STATUS_INSUFFICIENT_RESOURCES;
646  }
647 
648  pException->Flags = UpdateException->Flags;
649  pException->Type = UpdateException->Type;
650  pException->SigCount = UpdateException->SigCount;
651 
652  if (originatorNameLen > 1)
653  {
654  strlcpy(pException->OriginatorNameGlob, pOriginatorName, sizeof(pException->OriginatorNameGlob));
655  }
656 
657  if (victimNameLen > 1)
658  {
659  strlcpy(pException->Victim.NameGlob, pVictimName, sizeof(pException->Victim.NameGlob));
660  }
661 
662  if (procNameLen > 1)
663  {
664  strlcpy(pException->Victim.ProcessGlob, pProcName, sizeof(pException->Victim.ProcessGlob));
665  }
666 
667  if (UpdateException->SigCount > 0)
668  {
669  // We have calculated the size occupied by the exception, so it's safe to use memcpy for signatures
670  void *pSigStart = pProcName + procNameLen;
671  memcpy(pException->Signatures, pSigStart, UpdateException->SigCount * sizeof(EXCEPTION_SIGNATURE_ID));
672  }
673 
674  InsertTailList(&gGuest.Exceptions->GlobUserExceptions, &pException->Link);
675 
676  return INT_STATUS_SUCCESS;
677 }
678 
679 
680 static INTSTATUS
681 IntUpdateAddCbSignature(
682  _In_ UPDATE_CB_SIGNATURE *UpdateSignature,
683  _In_ UPDATE_ITEM_SIZE *Item
684  )
695 {
696  DWORD extraSize = 0;
697  DWORD size = 0;
698  UPDATE_CB_HASH *pHashList;
699  SIG_CODEBLOCKS *pSignature;
700  SIG_CODEBLOCK_HASH *pSigHash;
701 
702  // Now see how many hashes we have in each signature
703  if (!IntUpdateIsValidEntry(sizeof(*UpdateSignature) + sizeof(UPDATE_CB_HASH), Item, UPDATE_VALIDATE_FILE_SIZE))
704  {
705  return INT_STATUS_INVALID_DATA_STATE;
706  }
707 
708  pHashList = (PUPDATE_CB_HASH)UpdateSignature->HashesList;
709  for (DWORD i = 0; i < UpdateSignature->ListsCount; i++)
710  {
711  DWORD updateHashSize;
712  DWORD hashSize;
713 
714  // Make sure that we can actually use pHashList
715  if (!IntUpdateIsValidEntry(sizeof(*UpdateSignature) + size + sizeof(*pHashList),
716  Item, UPDATE_VALIDATE_FILE_SIZE))
717  {
718  return INT_STATUS_INVALID_DATA_STATE;
719  }
720 
721  // The sizes are not the same due to alignment
722  updateHashSize = sizeof(UPDATE_CB_HASH) + pHashList->Count * sizeof(DWORD);
723  hashSize = sizeof(SIG_CODEBLOCK_HASH) + pHashList->Count * sizeof(DWORD);
724 
725  extraSize += hashSize;
726  size += updateHashSize;
727 
728  // This will check that the hashes up to this point (size) + the size of the signature structure don't spill
729  // outside the file
730  if (!IntUpdateIsValidEntry(sizeof(*UpdateSignature) + size, Item, UPDATE_VALIDATE_FILE_SIZE))
731  {
732  return INT_STATUS_INVALID_DATA_STATE;
733  }
734 
735  // advance to the next hash list
736  pHashList = (UPDATE_CB_HASH *)((BYTE *)pHashList + updateHashSize);
737  }
738 
739  if (!IntUpdateIsValidEntry(sizeof(*UpdateSignature) + size, Item, UPDATE_VALIDATE_ALL))
740  {
741  return INT_STATUS_INVALID_DATA_STATE;
742  }
743 
744  if ((gGuest.OSType == introGuestWindows && (UpdateSignature->Flags & SIGNATURE_FLG_LINUX)) ||
745  (gGuest.OSType == introGuestLinux && !(UpdateSignature->Flags & SIGNATURE_FLG_LINUX)))
746  {
747  return INT_STATUS_NOT_NEEDED_HINT;
748  }
749 
750  pSignature = HpAllocWithTag(sizeof(*pSignature) + extraSize, IC_TAG_ESIG);
751  if (NULL == pSignature)
752  {
753  return INT_STATUS_INSUFFICIENT_RESOURCES;
754  }
755 
756  pSignature->Id.Value = UpdateSignature->Id;
757  pSignature->Flags = UpdateSignature->Flags;
758  pSignature->Score = UpdateSignature->Score;
759  pSignature->ListsCount = UpdateSignature->ListsCount;
760  pSignature->AlertSignature = FALSE;
761 
762  // Now copy the hashes lists
763  pHashList = (UPDATE_CB_HASH *)UpdateSignature->HashesList;
764  pSigHash = (SIG_CODEBLOCK_HASH *)pSignature->Object;
765  for (DWORD i = 0; i < UpdateSignature->ListsCount; i++)
766  {
767  // The sizes are not the same due to alignment
768  DWORD updateHashSize = sizeof(*pHashList) + pHashList->Count * sizeof(DWORD);
769  DWORD hashSize = sizeof(*pSigHash) + pHashList->Count * sizeof(DWORD);
770 
771  pSigHash->Count = pHashList->Count;
772  for (DWORD j = 0; j < pHashList->Count; j++)
773  {
774  pSigHash->Hashes[j] = pHashList->Hashes[j];
775  }
776 
777  // advance to the next hash list
778  pHashList = (UPDATE_CB_HASH *)((BYTE *)pHashList + updateHashSize);
779  pSigHash = (SIG_CODEBLOCK_HASH *)((BYTE *)pSigHash + hashSize);
780  }
781 
782  InsertTailList(&gGuest.Exceptions->CbSignatures, &pSignature->Link);
783 
784  return INT_STATUS_SUCCESS;
785 }
786 
787 
788 static INTSTATUS
789 IntUpdateAddValueSignature(
790  _In_ UPDATE_VALUE_SIGNATURE *UpdateSignature,
791  _In_ UPDATE_ITEM_SIZE *Item
792  )
803 {
804  DWORD size;
805  DWORD extraSize;
806  SIG_VALUE *pSignature;
807  UPDATE_VALUE_HASH *pHashList;
808  SIG_VALUE_HASH *pSigHash;
809 
810  if (!IntUpdateIsValidEntry(sizeof(*UpdateSignature), Item, UPDATE_VALIDATE_FILE_SIZE))
811  {
812  return INT_STATUS_INVALID_DATA_STATE;
813  }
814 
815  size = UpdateSignature->ListsCount * sizeof(UPDATE_VALUE_HASH);
816  if (!IntUpdateIsValidEntry(sizeof(*UpdateSignature) + size, Item, UPDATE_VALIDATE_ALL))
817  {
818  return INT_STATUS_INVALID_DATA_STATE;
819  }
820 
821  if ((gGuest.OSType == introGuestWindows && (UpdateSignature->Flags & SIGNATURE_FLG_LINUX)) ||
822  (gGuest.OSType == introGuestLinux && !(UpdateSignature->Flags & SIGNATURE_FLG_LINUX)))
823  {
824  return INT_STATUS_NOT_NEEDED_HINT;
825  }
826 
827  extraSize = UpdateSignature->ListsCount * sizeof(SIG_VALUE_HASH);
828 
829  pSignature = HpAllocWithTag(sizeof(*pSignature) + extraSize, IC_TAG_ESIG);
830  if (NULL == pSignature)
831  {
832  return INT_STATUS_INSUFFICIENT_RESOURCES;
833  }
834 
835  pSignature->Id.Value = UpdateSignature->Id;
836  pSignature->Flags = UpdateSignature->Flags;
837  pSignature->Score = UpdateSignature->Score;
838  pSignature->ListsCount = UpdateSignature->ListsCount;
839  pSignature->AlertSignature = FALSE;
840 
841  // Now copy the hashes lists
842  pHashList = (UPDATE_VALUE_HASH *)UpdateSignature->HashesList;
843  pSigHash = (SIG_VALUE_HASH *)pSignature->Object;
844 
845  for (DWORD i = 0; i < UpdateSignature->ListsCount; i++)
846  {
847  pSigHash[i].Offset = pHashList[i].Offset;
848  pSigHash[i].Size = pHashList[i].Size;
849  pSigHash[i].Hash = pHashList[i].Hash;
850  }
851 
852  InsertTailList(&gGuest.Exceptions->ValueSignatures, &pSignature->Link);
853 
854  return INT_STATUS_SUCCESS;
855 }
856 
857 
858 static INTSTATUS
859 IntUpdateAddIdtSignature(
860  _In_ UPDATE_IDT_SIGNATURE *UpdateSignature,
861  _In_ UPDATE_ITEM_SIZE *Item
862  )
873 {
874  SIG_IDT *pSignature;
875 
876  if (!IntUpdateIsValidEntry(sizeof(*UpdateSignature), Item, UPDATE_VALIDATE_ALL))
877  {
878  return INT_STATUS_INVALID_DATA_STATE;
879  }
880 
881  if ((gGuest.OSType == introGuestWindows && (UpdateSignature->Flags & SIGNATURE_FLG_LINUX)) ||
882  (gGuest.OSType == introGuestLinux && !(UpdateSignature->Flags & SIGNATURE_FLG_LINUX)))
883  {
884  return INT_STATUS_NOT_NEEDED_HINT;
885  }
886 
887  pSignature = HpAllocWithTag(sizeof(*pSignature), IC_TAG_ESIG);
888  if (NULL == pSignature)
889  {
890  return INT_STATUS_INSUFFICIENT_RESOURCES;
891  }
892 
893  pSignature->Id.Value = UpdateSignature->Id;
894  pSignature->Flags = UpdateSignature->Flags;
895  pSignature->Entry = UpdateSignature->Entry;
896  pSignature->AlertSignature = FALSE;
897 
898  InsertTailList(&gGuest.Exceptions->IdtSignatures, &pSignature->Link);
899 
900  return INT_STATUS_SUCCESS;
901 }
902 
903 
904 static INTSTATUS
905 IntUpdateAddValueCodeSignature(
906  _In_ UPDATE_VALUE_CODE_SIGNATURE *UpdateSignature,
907  _In_ UPDATE_ITEM_SIZE *Item
908  )
919 {
920  DWORD size;
921  SIG_VALUE_CODE *pSignature;
922  WORD *pUpdatePattern;
923  WORD *pExceptionPattern;
924 
925  if (!IntUpdateIsValidEntry(sizeof(*UpdateSignature), Item, UPDATE_VALIDATE_FILE_SIZE))
926  {
927  return INT_STATUS_INVALID_DATA_STATE;
928  }
929 
930  size = UpdateSignature->Length * sizeof(WORD);
931 
932  if (!IntUpdateIsValidEntry(sizeof(*UpdateSignature) + size, Item, UPDATE_VALIDATE_ALL))
933  {
934  return INT_STATUS_INVALID_DATA_STATE;
935  }
936 
937  if ((gGuest.OSType == introGuestWindows && (UpdateSignature->Flags & SIGNATURE_FLG_LINUX)) ||
938  (gGuest.OSType == introGuestLinux && !(UpdateSignature->Flags & SIGNATURE_FLG_LINUX)))
939  {
940  return INT_STATUS_NOT_NEEDED_HINT;
941  }
942 
943  pSignature = HpAllocWithTag(sizeof(*pSignature) + size, IC_TAG_ESIG);
944  if (NULL == pSignature)
945  {
946  return INT_STATUS_INSUFFICIENT_RESOURCES;
947  }
948 
949  pSignature->Id.Value = UpdateSignature->Id;
950  pSignature->Offset = UpdateSignature->Offset;
951  pSignature->Flags = UpdateSignature->Flags;
952  pSignature->Length = UpdateSignature->Length;
953  pSignature->AlertSignature = FALSE;
954 
955  pUpdatePattern = &UpdateSignature->Pattern[0];
956  pExceptionPattern = &pSignature->Object[0];
957 
958  // We have only one pattern for each signature
959  for (DWORD i = 0; i < UpdateSignature->Length; i++)
960  {
961  pExceptionPattern[i] = pUpdatePattern[i];
962  }
963 
964  InsertTailList(&gGuest.Exceptions->ValueCodeSignatures, &pSignature->Link);
965 
966  return INT_STATUS_SUCCESS;
967 }
968 
969 
970 static INTSTATUS
971 IntUpdateAddVersionOsSignature(
972  _In_ UPDATE_VERSION_OS_SIGNATURE *UpdateSignature,
973  _In_ UPDATE_ITEM_SIZE *Item
974  )
985 {
986  if (!IntUpdateIsValidEntry(sizeof(*UpdateSignature), Item, UPDATE_VALIDATE_ALL))
987  {
988  return INT_STATUS_INVALID_DATA_STATE;
989  }
990 
991  if ((gGuest.OSType == introGuestWindows && (UpdateSignature->Flags & SIGNATURE_FLG_LINUX)) ||
992  (gGuest.OSType == introGuestLinux && !(UpdateSignature->Flags & SIGNATURE_FLG_LINUX)))
993  {
994  return INT_STATUS_NOT_NEEDED_HINT;
995  }
996 
997  SIG_VERSION_OS *pSignature = HpAllocWithTag(sizeof(*pSignature), IC_TAG_ESIG);
998  if (pSignature == NULL)
999  {
1000  return INT_STATUS_INSUFFICIENT_RESOURCES;
1001  }
1002 
1003  pSignature->Id.Value = UpdateSignature->Id;
1004  pSignature->Flags = UpdateSignature->Flags;
1005  pSignature->AlertSignature = FALSE;
1006  pSignature->Minimum.Value = UpdateSignature->Minimum.Value;
1007  pSignature->Maximum.Value = UpdateSignature->Maximum.Value;
1008 
1009  InsertTailList(&gGuest.Exceptions->VersionOsSignatures, &pSignature->Link);
1010 
1011  return INT_STATUS_SUCCESS;
1012 }
1013 
1014 
1015 static INTSTATUS
1016 IntUpdateAddVersionIntroSignature(
1017  _In_ UPDATE_VERSION_INTRO_SIGNATURE *UpdateSignature,
1018  _In_ UPDATE_ITEM_SIZE *Item
1019  )
1030 {
1031  if (!IntUpdateIsValidEntry(sizeof(*UpdateSignature), Item, UPDATE_VALIDATE_ALL))
1032  {
1033  return INT_STATUS_INVALID_DATA_STATE;
1034  }
1035 
1036  if ((gGuest.OSType == introGuestWindows && (UpdateSignature->Flags & SIGNATURE_FLG_LINUX)) ||
1037  (gGuest.OSType == introGuestLinux && !(UpdateSignature->Flags & SIGNATURE_FLG_LINUX)))
1038  {
1039  return INT_STATUS_NOT_NEEDED_HINT;
1040  }
1041 
1042  SIG_VERSION_INTRO *pSignature = HpAllocWithTag(sizeof(*pSignature), IC_TAG_ESIG);
1043  if (pSignature == NULL)
1044  {
1045  return INT_STATUS_INSUFFICIENT_RESOURCES;
1046  }
1047 
1048  pSignature->Id.Value = UpdateSignature->Id;
1049  pSignature->Flags = UpdateSignature->Flags;
1050  pSignature->AlertSignature = FALSE;
1051  pSignature->Minimum.Raw = UpdateSignature->Minimum.Raw;
1052  pSignature->Maximum.Raw = UpdateSignature->Maximum.Raw;
1053 
1054  InsertTailList(&gGuest.Exceptions->VersionIntroSignatures, &pSignature->Link);
1055 
1056  return INT_STATUS_SUCCESS;
1057 }
1058 
1059 
1060 static INTSTATUS
1061 IntUpdateAddExportSignature(
1062  _In_ UPDATE_EXPORT_SIGNATURE *UpdateSignature,
1063  _In_ UPDATE_ITEM_SIZE *Item
1064  )
1075 {
1076  if (!IntUpdateIsValidEntry(sizeof(*UpdateSignature), Item, UPDATE_VALIDATE_FILE_SIZE))
1077  {
1078  return INT_STATUS_INVALID_DATA_STATE;
1079  }
1080 
1081  DWORD size = UpdateSignature->ListsCount * sizeof(UPDATE_EXPORT_HASH);
1082  if (!IntUpdateIsValidEntry(sizeof(*UpdateSignature) + size, Item, UPDATE_VALIDATE_ALL))
1083  {
1084  return INT_STATUS_INVALID_DATA_STATE;
1085  }
1086 
1087  if ((gGuest.OSType == introGuestWindows && (UpdateSignature->Flags & SIGNATURE_FLG_LINUX)) ||
1088  (gGuest.OSType == introGuestLinux && !(UpdateSignature->Flags & SIGNATURE_FLG_LINUX)))
1089  {
1090  return INT_STATUS_NOT_NEEDED_HINT;
1091  }
1092 
1093  DWORD extraSize = UpdateSignature->ListsCount * sizeof(SIG_EXPORT_HASH);
1094 
1095  SIG_EXPORT *pSignature = HpAllocWithTag(sizeof(*pSignature) + extraSize, IC_TAG_ESIG);
1096  if (NULL == pSignature)
1097  {
1098  return INT_STATUS_INSUFFICIENT_RESOURCES;
1099  }
1100 
1101  pSignature->Id.Value = UpdateSignature->Id;
1102  pSignature->Flags = UpdateSignature->Flags;
1103  pSignature->ListsCount = UpdateSignature->ListsCount;
1104  pSignature->AlertSignature = FALSE;
1105 
1106  // Now copy the hashes lists
1107  UPDATE_EXPORT_HASH *pHashList = (UPDATE_EXPORT_HASH *)UpdateSignature->HashesList;
1108  SIG_EXPORT_HASH *pSigHash = (SIG_EXPORT_HASH *)pSignature->Object;
1109 
1110  for (DWORD i = 0; i < UpdateSignature->ListsCount; i++)
1111  {
1112  pSigHash[i].Hash = pHashList[i].Hash;
1113  pSigHash[i].Delta = pHashList[i].Delta;
1114  }
1115 
1116  InsertTailList(&gGuest.Exceptions->ExportSignatures, &pSignature->Link);
1117 
1118  return INT_STATUS_SUCCESS;
1119 }
1120 
1121 
1122 static INTSTATUS
1123 IntUpdateAddProcessCreationSignature(
1124  _In_ UPDATE_PROCESS_CREATION_SIGNATURE *UpdateSignature,
1125  _In_ UPDATE_ITEM_SIZE *Item
1126  )
1137 {
1138  if (!IntUpdateIsValidEntry(sizeof(*UpdateSignature), Item, UPDATE_VALIDATE_ALL))
1139  {
1140  return INT_STATUS_INVALID_DATA_STATE;
1141  }
1142 
1143  if ((gGuest.OSType == introGuestWindows && (UpdateSignature->Flags & SIGNATURE_FLG_LINUX)) ||
1144  (gGuest.OSType == introGuestLinux && !(UpdateSignature->Flags & SIGNATURE_FLG_LINUX)))
1145  {
1146  return INT_STATUS_NOT_NEEDED_HINT;
1147  }
1148 
1149  SIG_PROCESS_CREATION *pSignature = HpAllocWithTag(sizeof(*pSignature), IC_TAG_ESIG);
1150  if (pSignature == NULL)
1151  {
1152  return INT_STATUS_INSUFFICIENT_RESOURCES;
1153  }
1154 
1155  pSignature->Id.Value = UpdateSignature->Id;
1156  pSignature->Flags = UpdateSignature->Flags;
1157  pSignature->AlertSignature = FALSE;
1158  pSignature->CreateMask = UpdateSignature->CreateMask;
1159 
1160  InsertTailList(&gGuest.Exceptions->ProcessCreationSignatures, &pSignature->Link);
1161 
1162  return INT_STATUS_SUCCESS;
1163 }
1164 
1165 
1166 static void
1167 IntUpdateSetIdForException(
1168  _In_ EXCEPTION_SIGNATURE_ID *Signatures,
1169  _In_ DWORD Count
1170  )
1180 {
1181  for (DWORD i = 0; i < Count; i++)
1182  {
1183  switch (Signatures[i].Field.Type)
1184  {
1185  case signatureTypeExport :
1186  {
1187  for_each_export_signature(gGuest.Exceptions->ExportSignatures, pSignature)
1188  {
1189  if (pSignature->AlertSignature && pSignature->Id.Value == Signatures[i].Value)
1190  {
1191  pSignature->Id = IntUpdateGetUniqueSigId(pSignature->Id.Field.Type);
1192  Signatures[i] = pSignature->Id;
1193 
1194  break;
1195  }
1196  }
1197 
1198  break;
1199  }
1200 
1201  case signatureTypeCodeBlocks:
1202  {
1203  for_each_cb_signature(gGuest.Exceptions->CbSignatures, pSignature)
1204  {
1205  if (pSignature->AlertSignature && pSignature->Id.Value == Signatures[i].Value)
1206  {
1207  pSignature->Id = IntUpdateGetUniqueSigId(pSignature->Id.Field.Type);
1208  Signatures[i] = pSignature->Id;
1209 
1210  break;
1211  }
1212  }
1213 
1214  break;
1215  }
1216 
1217  case signatureTypeIdt:
1218  {
1219  for_each_idt_signature(gGuest.Exceptions->IdtSignatures, pSignature)
1220  {
1221  if (pSignature->AlertSignature && pSignature->Id.Value == Signatures[i].Value)
1222  {
1223  pSignature->Id = IntUpdateGetUniqueSigId(pSignature->Id.Field.Type);
1224  Signatures[i] = pSignature->Id;
1225 
1226  break;
1227  }
1228  }
1229 
1230  break;
1231  }
1232 
1233  default:
1234  {
1235  ERROR("[ERROR] Should not reach here. Type is '%d'n", Signatures[i].Field.Type);
1236  return;
1237  }
1238  }
1239  }
1240 }
1241 
1242 
1243 void
1244 IntUpdateAssignAlertSignatureIds(
1245  void
1246  )
1250 {
1251  for_each_um_exception(gGuest.Exceptions->UserAlertExceptions, pException)
1252  {
1253  IntUpdateSetIdForException(pException->Signatures, pException->SigCount);
1254  }
1255 
1256  for_each_km_exception(gGuest.Exceptions->KernelAlertExceptions, pException)
1257  {
1258  IntUpdateSetIdForException(pException->Signatures, pException->SigCount);
1259  }
1260 
1261  for_each_um_exception(gGuest.Exceptions->ProcessCreationAlertExceptions, pException)
1262  {
1263  IntUpdateSetIdForException(pException->Signatures, pException->SigCount);
1264  }
1265 }
1266 
1267 
1268 INTSTATUS
1269 IntUpdateLoadExceptions(
1270  _In_ void *Buffer,
1271  _In_ DWORD Length,
1272  _In_ DWORD Flags
1273  )
1288 {
1289  INTSTATUS status;
1290  BYTE *address;
1291  UPDATE_FILE_HEADER *fileHeader;
1292 
1293  UNREFERENCED_PARAMETER(Flags);
1294 
1295  if (NULL == Buffer)
1296  {
1297  return INT_STATUS_INVALID_PARAMETER_1;
1298  }
1299 
1300  if (Length <= sizeof(UPDATE_FILE_HEADER))
1301  {
1302  return INT_STATUS_INVALID_PARAMETER_2;
1303  }
1304 
1305  address = Buffer;
1306  fileHeader = Buffer;
1307 
1308  LOG("[UPDATE] Requested to update the intro exceptions...\n");
1309 
1310  if (fileHeader->Magic != UPDATE_MAGIC_WORD)
1311  {
1312  ERROR("[ERROR] Exception file header doesn't have the right magic word (%c%c%c%c)\n",
1313  (fileHeader->Magic & 0xff000000) >> 24, (fileHeader->Magic & 0xff0000) >> 16,
1314  (fileHeader->Magic & 0xff00) >> 8, fileHeader->Magic & 0xff);
1315 
1316  return INT_STATUS_INVALID_OBJECT_TYPE;
1317  }
1318 
1319  if (fileHeader->Version.Major != UPDATE_EXCEPTIONS_MIN_VER_MAJOR)
1320  {
1321  ERROR("[ERROR] Update's file major (%d.%d) version is different form ours (%d.%d)\n",
1322  fileHeader->Version.Major, fileHeader->Version.Minor, UPDATE_EXCEPTIONS_MIN_VER_MAJOR,
1323  UPDATE_EXCEPTIONS_MIN_VER_MINOR);
1324 
1325  return INT_STATUS_NOT_SUPPORTED;
1326  }
1327 
1328  if (fileHeader->Version.Minor > UPDATE_EXCEPTIONS_MIN_VER_MINOR)
1329  {
1330  WARNING("[WARNING] Update's file minor (%d.%d) version is newer than ours (%d.%d). "
1331  "Not all features will be available!\n", fileHeader->Version.Major, fileHeader->Version.Minor,
1332  UPDATE_EXCEPTIONS_MIN_VER_MAJOR, UPDATE_EXCEPTIONS_MIN_VER_MINOR);
1333  }
1334  else if (fileHeader->Version.Minor < UPDATE_EXCEPTIONS_MIN_VER_MINOR)
1335  {
1336  ERROR("[ERROR] Update's file minor (%d.%d) version is older than ours (%d.%d). "
1337  "Will not update the exceptions.\n", fileHeader->Version.Major, fileHeader->Version.Minor,
1338  UPDATE_EXCEPTIONS_MIN_VER_MAJOR, UPDATE_EXCEPTIONS_MIN_VER_MINOR);
1339 
1340  return INT_STATUS_NOT_SUPPORTED;
1341  }
1342 
1343  if (fileHeader->KernelExceptionsCount == 0 &&
1344  fileHeader->UserExceptionsCount == 0 &&
1345  fileHeader->KernelUserExceptionsCount == 0 &&
1346  fileHeader->UserExceptionsGlobCount == 0)
1347  {
1348  WARNING("[WARNING] Requested update with 0 kernel exceptions and 0 user exceptions. We cannot do that...\n");
1349 
1350  return INT_STATUS_INVALID_OBJECT_TYPE;
1351  }
1352 
1353  if (NULL == gGuest.Exceptions)
1354  {
1355  return INT_STATUS_INVALID_INTERNAL_STATE;
1356  }
1357 
1358  status = IntExceptRemove();
1359  if (!INT_SUCCESS(status))
1360  {
1361  ERROR("[ERROR] IntExceptRemove failed: 0x%08x\n", status);
1362  return status;
1363  }
1364 
1365  // Reset the last signature ID (will be updated again when adding signatures)
1366  gCurrentSignatureId.Field.Value = BIT(22) / 2;
1367 
1368  // skip over the file header
1369  address += sizeof(UPDATE_FILE_HEADER);
1370 
1371  while (address < (PBYTE)(size_t)Buffer + Length)
1372  {
1373  if ((QWORD)(address + sizeof(UPDATE_HEADER)) > ((QWORD)Buffer + Length))
1374  {
1375  ERROR("[ERROR] The address of 'UPDATE_HEADER' structure exceeds the exception buffer "
1376  "(0x%016llx/0x%016llx)\n", (QWORD)(address + sizeof(UPDATE_HEADER)), ((QWORD)Buffer + Length));
1377  return INT_STATUS_INVALID_DATA_SIZE;
1378  }
1379 
1380  UPDATE_HEADER *header = (UPDATE_HEADER *)address;
1381  PBYTE structure = address + sizeof(UPDATE_HEADER);
1382  UPDATE_ITEM_SIZE item = { 0 };
1383 
1384  item.EntrySize = header->Size;
1385  item.RemainingFileSize = (DWORD)((QWORD)((QWORD)(Buffer) + Length) - (QWORD)structure);
1386 
1387  address += sizeof(UPDATE_HEADER) + header->Size;
1388 
1389  switch (header->Type)
1390  {
1391  case UPDATE_TYPE_KM_EXCEPTION:
1392  status = IntUpdateAddKernelException((UPDATE_KM_EXCEPTION *)structure, &item);
1393  break;
1394 
1395  case UPDATE_TYPE_UM_EXCEPTION:
1396  status = IntUpdateAddUserException((UPDATE_UM_EXCEPTION *)structure, &item);
1397  break;
1398 
1399  case UPDATE_TYPE_UM_EXCEPTION_GLOB_MATCH:
1400  status = IntUpdateAddUserExceptionGlob((UPDATE_UM_EXCEPTION_GLOB *)structure, &item);
1401  break;
1402 
1403  case UPDATE_TYPE_CB_SIGNATURE:
1404  status = IntUpdateAddCbSignature((UPDATE_CB_SIGNATURE *)structure, &item);
1405  break;
1406 
1407  case UPDATE_TYPE_EXPORT_SIGNATURE:
1408  status = IntUpdateAddExportSignature((UPDATE_EXPORT_SIGNATURE *)structure, &item);
1409  break;
1410 
1411  case UPDATE_TYPE_VALUE_SIGNATURE:
1412  status = IntUpdateAddValueSignature((UPDATE_VALUE_SIGNATURE *)structure, &item);
1413  break;
1414 
1415  case UPDATE_TYPE_VALUE_CODE_SIGNATURE:
1416  status = IntUpdateAddValueCodeSignature((UPDATE_VALUE_CODE_SIGNATURE *)structure, &item);
1417  break;
1418 
1419  case UPDATE_TYPE_IDT_SIGNATURE:
1420  status = IntUpdateAddIdtSignature((UPDATE_IDT_SIGNATURE *)structure, &item);
1421  break;
1422 
1423  case UPDATE_TYPE_VERSION_OS_SIGNATURE:
1424  status = IntUpdateAddVersionOsSignature((UPDATE_VERSION_OS_SIGNATURE *)structure, &item);
1425  break;
1426 
1427  case UPDATE_TYPE_VERSION_INTRO_SIGNATURE:
1428  status = IntUpdateAddVersionIntroSignature((UPDATE_VERSION_INTRO_SIGNATURE *)structure, &item);
1429  break;
1430 
1431  case UPDATE_TYPE_APC_UM_EXCEPTION:
1432  status = IntUpdateAddUserException((UPDATE_UM_EXCEPTION *)structure, &item);
1433  break;
1434 
1435  case UPDATE_TYPE_PROCESS_CREATION_SIGNATURE:
1436  status = IntUpdateAddProcessCreationSignature((UPDATE_PROCESS_CREATION_SIGNATURE *)structure, &item);
1437  break;
1438 
1439  case UPDATE_TYPE_KUM_EXCEPTION:
1440  status = IntUpdateAddKernelUserException((UPDATE_KUM_EXCEPTION *)structure, &item);
1441  break;
1442 
1443  default:
1444  // For future versions: ignore unknown types
1445  WARNING("[WARNING] Unknown exception/signature type '%d'. Will ignore ...\n", header->Type);
1446  status = INT_STATUS_NOT_NEEDED_HINT;
1447  break;
1448  }
1449 
1450  if (!INT_SUCCESS(status))
1451  {
1452  ERROR("[ERROR] Failed adding exception/signature. Will abort the update. Reason=0x%08x\n", status);
1453  return status;
1454  }
1455  }
1456 
1457  IntUpdateAssignAlertSignatureIds();
1458 
1459  gGuest.Exceptions->Version.Build = fileHeader->BuildNumber;
1460  gGuest.Exceptions->Version.Major = fileHeader->Version.Major;
1461  gGuest.Exceptions->Version.Minor = fileHeader->Version.Minor;
1462 
1463  gGuest.Exceptions->Loaded = TRUE;
1464 
1465  LOG("[UPDATE] Updated exceptions to version %d.%d.%d\n",
1466  fileHeader->Version.Major, fileHeader->Version.Minor, fileHeader->BuildNumber);
1467 
1468  return INT_STATUS_SUCCESS;
1469 }
1470 
1471 
1472 static void
1473 IntUpdateAddUserExceptionInOrder(
1474  _In_ UM_EXCEPTION *Exception
1475  )
1484 {
1485  LIST_HEAD *head;
1486 
1487  TRACE("[UPDATE] Add exception %08x -> %08x, %08x, %d, %08x\n",
1488  Exception->OriginatorNameHash, Exception->Victim.ProcessHash, Exception->Victim.NameHash,
1489  Exception->Type, Exception->Flags);
1490 
1491  if (Exception->SigCount == 1)
1492  {
1493  TRACE("[UPDATE] sig: 0x%08x\n", Exception->Signatures[0].Value);
1494  }
1495  else if (Exception->SigCount > 0)
1496  {
1497  TRACE("[UPDATE] sig: %d signatures\n", Exception->SigCount);
1498  }
1499 
1500  if (Exception->Type == umObjProcessCreation)
1501  {
1502  head = &gGuest.Exceptions->ProcessCreationAlertExceptions;
1503  }
1504  else
1505  {
1506  head = &gGuest.Exceptions->UserAlertExceptions;
1507  }
1508 
1509  for_each_um_exception((*head), pEx)
1510  {
1511  // Every list is ordered, so break when we got to a hash bigger than ours
1512  if (pEx->OriginatorNameHash > Exception->OriginatorNameHash)
1513  {
1514  pEx = CONTAINING_RECORD(pEx->Link.Blink, UM_EXCEPTION, Link);
1515 
1516  InsertAfterList(&pEx->Link, &Exception->Link);
1517 
1518  return;
1519  }
1520  }
1521 
1522  // We didn't found an exception that has a hash bigger than ours. Insert at the end of the list!
1523  InsertTailList(head, &Exception->Link);
1524 }
1525 
1526 
1527 static void
1528 IntUpdateAddKernelExceptionInOrder(
1529  _In_ KM_EXCEPTION *Exception
1530  )
1538 {
1539  TRACE("[UPDATE] Add exception %08x -> %08x, %d, %08x\n",
1540  Exception->OriginatorNameHash, Exception->VictimNameHash,
1541  Exception->Type, Exception->Flags);
1542 
1543  if (Exception->SigCount == 1)
1544  {
1545  TRACE("[UPDATE] sig: %d\n", Exception->Signatures[0].Value);
1546  }
1547  else if (Exception->SigCount > 0)
1548  {
1549  TRACE("[UPDATE] sig: %d signatures\n", Exception->SigCount);
1550  }
1551 
1552  for_each_km_exception(gGuest.Exceptions->KernelAlertExceptions, pEx)
1553  {
1554  // Every list is ordered, so break when we got to a hash bigger than ours
1555  if (pEx->OriginatorNameHash > Exception->OriginatorNameHash)
1556  {
1557  pEx = CONTAINING_RECORD(pEx->Link.Blink, KM_EXCEPTION, Link);
1558 
1559  InsertAfterList(&pEx->Link, &Exception->Link);
1560 
1561  return;
1562  }
1563  }
1564 
1565  // We didn't found an exception that has a hash bigger than ours. Insert at the end of the list!
1566  InsertTailList(&gGuest.Exceptions->KernelAlertExceptions, &Exception->Link);
1567 }
1568 
1569 
1570 static void
1571 IntUpdateAddKernelUserExceptionInOrder(
1572  _In_ KUM_EXCEPTION *Exception
1573  )
1581 {
1582  TRACE("[UPDATE] Add exception %08x -> %08x %08x, %d, %08x\n",
1583  Exception->OriginatorNameHash, Exception->Victim.NameHash, Exception->Victim.ProcessHash,
1584  Exception->Type, Exception->Flags);
1585 
1586  TRACE("[UPDATE] Signatures = %d \n", Exception->SigCount);
1587 
1588  for_each_kum_exception(gGuest.Exceptions->KernelUserAlertExceptions, pEx)
1589  {
1590  // Every list is ordered, so break when we got to a hash bigger than ours
1591  if (pEx->OriginatorNameHash > Exception->OriginatorNameHash)
1592  {
1593  pEx = CONTAINING_RECORD(pEx->Link.Blink, KUM_EXCEPTION, Link);
1594 
1595  InsertAfterList(&pEx->Link, &Exception->Link);
1596 
1597  return;
1598  }
1599  }
1600 
1601  // We didn't found an exception that has a hash bigger than ours. Insert at the end of the list!
1602  InsertTailList(&gGuest.Exceptions->KernelUserAlertExceptions, &Exception->Link);
1603 }
1604 
1605 
1606 static INTSTATUS
1607 IntUpdateCreateExportSignatureFromAlert(
1608  _In_ const ALERT_EXPORT_SIGNATURE *AlertSig,
1609  _Out_ SIG_EXPORT **Signature
1610  )
1621 {
1622  if (AlertSig->Header.Version != ALERT_EXPORT_SIGNATURE_VERSION)
1623  {
1624  ERROR("[ERROR] Unsupported export signature version: %d. We have %d\n",
1625  AlertSig->Header.Version, ALERT_EXPORT_SIGNATURE_VERSION);
1626  return INT_STATUS_UNSUPPORTED_DATA_VALUE;
1627  }
1628 
1629  SIG_EXPORT *pSig = HpAllocWithTag(sizeof(*pSig) + sizeof(SIG_EXPORT_HASH), IC_TAG_ESIG);
1630  if (NULL == pSig)
1631  {
1632  return INT_STATUS_INSUFFICIENT_RESOURCES;
1633  }
1634 
1635  pSig->Id = IntUpdateGetUniqueSigId(signatureTypeExport);
1636  pSig->LibraryNameHash = AlertSig->Library;
1637  pSig->Flags = AlertSig->Flags;
1638  pSig->ListsCount = 1;
1639  pSig->AlertSignature = TRUE;
1640 
1641  SIG_EXPORT_HASH *pSigHash = (SIG_EXPORT_HASH *)pSig->Object;
1642 
1643  pSigHash->Hash = AlertSig->Function;
1644  pSigHash->Delta = (WORD)(AlertSig->Delta + AlertSig->WriteSize);
1645 
1646  TRACE("[INFO] Add Export signature on 0x%08x (0x%08x) with delta %d\n",
1647  AlertSig->Function, AlertSig->Library, pSigHash->Delta);
1648 
1649  *Signature = pSig;
1650 
1651  return INT_STATUS_SUCCESS;
1652 }
1653 
1654 
1655 static INTSTATUS
1656 IntUpdateCreateIdtSignatureFromAlert(
1657  _In_ const ALERT_IDT_SIGNATURE *AlertSig,
1658  _Out_ SIG_IDT **Signature
1659  )
1670 
1671 {
1672  if (AlertSig->Header.Version != ALERT_IDT_SIGNATURE_VERSION)
1673  {
1674  ERROR("[ERROR] Unsupported idt signature version: %d. We have %d\n",
1675  AlertSig->Header.Version, ALERT_IDT_SIGNATURE_VERSION);
1676  return INT_STATUS_UNSUPPORTED_DATA_VALUE;
1677  }
1678 
1679  SIG_IDT *pSignature = HpAllocWithTag(sizeof(*pSignature), IC_TAG_ESIG);
1680  if (NULL == pSignature)
1681  {
1682  return INT_STATUS_INSUFFICIENT_RESOURCES;
1683  }
1684 
1685  pSignature->Id = IntUpdateGetUniqueSigId(signatureTypeIdt);
1686  pSignature->Entry = AlertSig->Entry;
1687  pSignature->Flags = AlertSig->Flags;
1688  pSignature->AlertSignature = TRUE;
1689 
1690  TRACE("[INFO] Add Idt Signature on %d entry.", pSignature->Entry);
1691 
1692  *Signature = pSignature;
1693 
1694  return INT_STATUS_SUCCESS;
1695 }
1696 
1697 
1698 static INTSTATUS
1699 IntUpdateCreateCbSignatureFromAlert(
1700  _In_ const ALERT_CB_SIGNATURE *AlertSig,
1701  _Out_ SIG_CODEBLOCKS **Signature
1702  )
1713 
1714 {
1715  if (AlertSig->Header.Version != ALERT_CB_SIGNATURE_VERSION)
1716  {
1717  WARNING("[WARNING] Unsupported cb signature version: %d. We have %d\n",
1718  AlertSig->Header.Version, ALERT_CB_SIGNATURE_VERSION);
1719  return INT_STATUS_UNSUPPORTED_DATA_VALUE;
1720  }
1721 
1722  if (AlertSig->Count > ALERT_HASH_COUNT)
1723  {
1724  return INT_STATUS_INVALID_DATA_SIZE;
1725  }
1726 
1727  SIG_CODEBLOCKS *pSignature;
1728  SIG_CODEBLOCK_HASH *pSigHash;
1729 
1730  DWORD totalSize = sizeof(*pSignature) + sizeof(*pSigHash) + AlertSig->Count * sizeof(DWORD);
1731 
1732  pSignature = HpAllocWithTag(totalSize, IC_TAG_ESIG);
1733  if (NULL == pSignature)
1734  {
1735  return INT_STATUS_INSUFFICIENT_RESOURCES;
1736  }
1737 
1738  pSignature->Id = IntUpdateGetUniqueSigId(signatureTypeCodeBlocks);
1739 
1740  pSignature->Score = AlertSig->Score;
1741  pSignature->ListsCount = 1;
1742  pSignature->AlertSignature = TRUE;
1743  pSignature->Flags = AlertSig->Flags;
1744 
1745  pSigHash = (SIG_CODEBLOCK_HASH *)pSignature->Object;
1746 
1747  pSigHash->Count = AlertSig->Count;
1748  for (DWORD i = 0; i < pSigHash->Count; i++)
1749  {
1750  pSigHash->Hashes[i] = AlertSig->CodeBlocks[i];
1751  }
1752 
1753  // The code blocks are already sorted (see IntAlertCreateCbSignature), but considering that the exception buffer is
1754  // an external data, we should sort them again.
1755  UtilQuickSort(pSigHash->Hashes, pSigHash->Count, sizeof(pSigHash->Hashes[0]));
1756 
1757  *Signature = pSignature;
1758 
1759  return INT_STATUS_SUCCESS;
1760 }
1761 
1762 
1763 static INTSTATUS
1764 IntUpdateCreateProcessCreationSignatureFromAlert(
1765  _In_ const ALERT_PROCESS_CREATION_SIGNATURE *AlertSig,
1766  _Out_ SIG_PROCESS_CREATION **Signature
1767  )
1778 {
1779  if (AlertSig->Header.Version != ALERT_PROCESS_CREATION_SIGNATURE_VERSION)
1780  {
1781  ERROR("[ERROR] Unsupported process-creation signature version: %d. We have %d\n",
1782  AlertSig->Header.Version, ALERT_PROCESS_CREATION_SIGNATURE_VERSION);
1783  return INT_STATUS_UNSUPPORTED_DATA_VALUE;
1784  }
1785 
1786  SIG_PROCESS_CREATION *pSignature;
1787 
1788  pSignature = HpAllocWithTag(sizeof(SIG_PROCESS_CREATION), IC_TAG_ESIG);
1789  if (NULL == pSignature)
1790  {
1791  return INT_STATUS_INSUFFICIENT_RESOURCES;
1792  }
1793 
1794  pSignature->Id = IntUpdateGetUniqueSigId(signatureTypeProcessCreation);
1795 
1796  pSignature->AlertSignature = TRUE;
1797  pSignature->Flags = AlertSig->Flags;
1798  pSignature->CreateMask = AlertSig->CreateMask;
1799 
1800  *Signature = pSignature;
1801 
1802  return INT_STATUS_SUCCESS;
1803 }
1804 
1805 
1806 __nonnull() static BOOLEAN
1807 IntUpdateIsDuplicateCbSignature(
1808  _In_ const ALERT_CB_SIGNATURE *Signature,
1809  _In_ const EXCEPTION_SIGNATURE_ID *SigIds,
1810  _In_ DWORD SigCount
1811  )
1821 {
1822  if (!Signature->Valid)
1823  {
1824  return FALSE;
1825  }
1826 
1827  for_each_cb_signature(gGuest.Exceptions->CbSignatures, pSig)
1828  {
1829  DWORD sigSize = 0;
1830 
1831  for (DWORD i = 0; i < SigCount; i++)
1832  {
1833  if (pSig->Id.Value != SigIds[i].Value)
1834  {
1835  continue;
1836  }
1837 
1838  for (DWORD j = 0; j < pSig->ListsCount; j++)
1839  {
1840  const SIG_CODEBLOCK_HASH *pHash = (const SIG_CODEBLOCK_HASH *)(pSig->Object + sigSize);
1841  sigSize += pHash->Count * sizeof(DWORD) + sizeof(*pHash);
1842 
1843  if (pHash->Count != Signature->Count)
1844  {
1845  continue;
1846  }
1847 
1848  if (0 == memcmp(pHash->Hashes, Signature->CodeBlocks, sizeof(DWORD) * pHash->Count))
1849  {
1850  return TRUE;
1851  }
1852  }
1853  }
1854  }
1855 
1856  return FALSE;
1857 }
1858 
1859 
1860 static BOOLEAN
1861 IntUpdateIsDuplicateIdtSignature(
1862  _In_ const ALERT_IDT_SIGNATURE *Signature,
1863  _In_ const EXCEPTION_SIGNATURE_ID *SigIds,
1864  _In_ DWORD SigCount
1865  )
1875 {
1876  if (!Signature->Valid)
1877  {
1878  return FALSE;
1879  }
1880 
1881  for_each_idt_signature(gGuest.Exceptions->IdtSignatures, pSignature)
1882  {
1883  for (DWORD iSig = 0; iSig < SigCount; iSig++)
1884  {
1885  if (pSignature->Id.Value != SigIds[iSig].Value)
1886  {
1887  continue;
1888  }
1889 
1890  if (Signature->Entry == pSignature->Entry)
1891  {
1892  return TRUE;
1893  }
1894  }
1895  }
1896 
1897  return FALSE;
1898 }
1899 
1900 
1901 static BOOLEAN
1902 IntUpdateIsDuplicateExportSignature(
1903  _In_ const ALERT_EXPORT_SIGNATURE *Signature,
1904  _In_ const EXCEPTION_SIGNATURE_ID *SigIds,
1905  _In_ DWORD SigCount
1906  )
1916 {
1917  if (!Signature->Valid)
1918  {
1919  return FALSE;
1920  }
1921 
1922  for (DWORD i = 0; i < SigCount; i++)
1923  {
1924  for_each_export_signature(gGuest.Exceptions->ExportSignatures, pSig)
1925  {
1926  SIG_EXPORT_HASH *pSigHash = (SIG_EXPORT_HASH *)pSig->Object;
1927 
1928  if (pSig->Id.Value != SigIds[i].Value)
1929  {
1930  continue;
1931  }
1932 
1933  if (pSig->LibraryNameHash != Signature->Library)
1934  {
1935  continue;
1936  }
1937 
1938  for (DWORD j = 0; j < pSig->ListsCount; j++)
1939  {
1940  if (pSigHash[j].Hash == Signature->Function && pSigHash[j].Delta >= Signature->Delta)
1941  {
1942  return TRUE;
1943  }
1944  }
1945  }
1946  }
1947 
1948  return FALSE;
1949 }
1950 
1951 
1952 static BOOLEAN
1953 IntUpdateIsDuplicateKernelException(
1954  _In_ const ALERT_KM_EXCEPTION *Exception
1955  )
1965 {
1966  for_each_km_exception(gGuest.Exceptions->KernelAlertExceptions, pEx)
1967  {
1968  if (Exception->Originator == pEx->OriginatorNameHash &&
1969  Exception->Victim == pEx->VictimNameHash &&
1970  Exception->Flags == pEx->Flags &&
1971  Exception->Type == pEx->Type)
1972  {
1973  if (pEx->SigCount != 0)
1974  {
1975  BOOLEAN isCbDuplicate = FALSE;
1976  BOOLEAN isIdtDuplicate = FALSE;
1977 
1978  if (IntUpdateIsDuplicateCbSignature(&Exception->CodeBlocks, pEx->Signatures, pEx->SigCount))
1979  {
1980  isCbDuplicate = TRUE;
1981  }
1982 
1983  if (IntUpdateIsDuplicateIdtSignature(&Exception->Idt, pEx->Signatures, pEx->SigCount))
1984  {
1985  isIdtDuplicate = TRUE;
1986  }
1987 
1988  if ((isIdtDuplicate && isCbDuplicate) ||
1989  (isCbDuplicate && !Exception->Idt.Valid) ||
1990  (isIdtDuplicate && !Exception->CodeBlocks.Valid))
1991  {
1992  TRACE("[UPDATE] Ignoring duplicate exception with signature: %08x -> %08x, %d, %08x\n",
1993  pEx->OriginatorNameHash, pEx->VictimNameHash, pEx->Type, pEx->Flags);
1994 
1995  return TRUE;
1996  }
1997  }
1998  else if (!Exception->CodeBlocks.Valid && !Exception->Idt.Valid)
1999  {
2000  // We didn't give a signature, nor we have one in the current exception
2001  TRACE("[UPDATE] Ignoring duplicate exception: %08x -> %08x, %d, %08x\n",
2002  pEx->OriginatorNameHash, pEx->VictimNameHash, pEx->Type, pEx->Flags);
2003 
2004  return TRUE;
2005  }
2006  }
2007 
2008  // Every list is ordered, so break when we got to a hash bigger than ours
2009  if (pEx->OriginatorNameHash > Exception->Originator)
2010  {
2011  break;
2012  }
2013  }
2014 
2015  return FALSE;
2016 }
2017 
2018 static BOOLEAN
2019 IntUpdateIsDuplicateKernelUserException(
2020  _In_ const ALERT_KUM_EXCEPTION *Exception
2021  )
2031 {
2032  for_each_kum_exception(gGuest.Exceptions->KernelUserAlertExceptions, pEx)
2033  {
2034  if (Exception->Originator == pEx->OriginatorNameHash &&
2035  Exception->Victim == pEx->Victim.NameHash &&
2036  Exception->Process == pEx->Victim.ProcessHash &&
2037  Exception->Flags == pEx->Flags &&
2038  Exception->Type == pEx->Type)
2039  {
2040  if (pEx->SigCount != 0)
2041  {
2042  if (IntUpdateIsDuplicateCbSignature(&Exception->CodeBlocks, pEx->Signatures, pEx->SigCount))
2043  {
2044  TRACE("[UPDATE] Ignoring duplicate exception with signature: %08x -> %08x - %08x, %d, %08x\n",
2045  pEx->OriginatorNameHash, pEx->Victim.NameHash, pEx->Victim.ProcessHash, pEx->Type, pEx->Flags);
2046 
2047  return TRUE;
2048  }
2049  }
2050  else if (!Exception->CodeBlocks.Valid)
2051  {
2052  // We didn't give a signature, nor we have one in the current exception
2053  TRACE("[UPDATE] Ignoring duplicate exception: %08x -> %08x %08x, %d, %08x\n",
2054  pEx->OriginatorNameHash, pEx->Victim.NameHash, pEx->Victim.ProcessHash, pEx->Type, pEx->Flags);
2055  return TRUE;
2056  }
2057  }
2058 
2059  // Every list is ordered, so break when we got to a hash bigger than ours
2060  if (pEx->OriginatorNameHash > Exception->Originator)
2061  {
2062  break;
2063  }
2064  }
2065 
2066  return FALSE;
2067 }
2068 
2069 
2070 static BOOLEAN
2071 IntUpdateIsDuplicateUserException(
2072  _In_ const ALERT_UM_EXCEPTION *Exception
2073  )
2083 {
2084  LIST_HEAD *head;
2085 
2086  if (Exception->Type == umObjProcessCreation)
2087  {
2088  head = &gGuest.Exceptions->ProcessCreationAlertExceptions;
2089  }
2090  else
2091  {
2092  head = &gGuest.Exceptions->UserAlertExceptions;
2093  }
2094 
2095  for_each_um_exception((*head), pEx)
2096  {
2097  if (Exception->Originator == pEx->OriginatorNameHash &&
2098  Exception->Victim == pEx->Victim.NameHash &&
2099  Exception->Process == pEx->Victim.ProcessHash &&
2100  Exception->Type == pEx->Type)
2101  {
2102  if (pEx->SigCount != 0)
2103  {
2104  BOOLEAN isCbDuplicate = FALSE;
2105  BOOLEAN isExportDuplicate = FALSE;
2106 
2107  if (IntUpdateIsDuplicateCbSignature(&Exception->CodeBlocks, pEx->Signatures, pEx->SigCount))
2108  {
2109  isCbDuplicate = TRUE;
2110  }
2111 
2112  if (IntUpdateIsDuplicateExportSignature(&Exception->Export, pEx->Signatures, pEx->SigCount))
2113  {
2114  isExportDuplicate = TRUE;
2115  }
2116 
2117  if ((isExportDuplicate && isCbDuplicate) ||
2118  (isCbDuplicate && !Exception->Export.Valid) ||
2119  (isExportDuplicate && !Exception->CodeBlocks.Valid))
2120  {
2121  TRACE("[UPDATE] Ignoring duplicate exception with signature: %08x -> %08x, %08x, %d, %08x\n",
2122  pEx->OriginatorNameHash, pEx->Victim.ProcessHash,
2123  pEx->Victim.NameHash, pEx->Type, pEx->Flags);
2124 
2125  return TRUE;
2126  }
2127  }
2128  else if (!Exception->CodeBlocks.Valid && !Exception->Export.Valid)
2129  {
2130  // We didn't give a signature, nor we have one in the current exception
2131  TRACE("[UPDATE] Ignoring duplicate exception: %08x -> %08x, %08x, %d, %08x\n",
2132  pEx->OriginatorNameHash, pEx->Victim.ProcessHash, pEx->Victim.NameHash,
2133  pEx->Type, pEx->Flags);
2134 
2135  return TRUE;
2136  }
2137  }
2138 
2139  // Every list is ordered, so break when we got to a hash bigger than ours
2140  if (pEx->OriginatorNameHash > Exception->Originator)
2141  {
2142  break;
2143  }
2144  }
2145 
2146  return FALSE;
2147 }
2148 
2149 
2150 static INTSTATUS
2151 IntUpdateAddUmException(
2152  _In_ const ALERT_UM_EXCEPTION *Exception,
2153  _In_ QWORD Context
2154  )
2170 {
2171  INTSTATUS status;
2172  DWORD sigCount = (Exception->CodeBlocks.Valid != 0) +
2173  (Exception->Export.Valid != 0) + (Exception->ProcessCreation.Valid);
2174  SIG_EXPORT *pExpSignature = NULL;
2175  SIG_CODEBLOCKS *pCbSignature = NULL;
2176  SIG_PROCESS_CREATION *pProcessCreationSignature = NULL;
2177 
2178  if (Exception->Header.Version != ALERT_UM_EXCEPTION_VERSION)
2179  {
2180  ERROR("[ERROR] Unsupported um exception version: %d. We have %d\n",
2181  Exception->Header.Version, ALERT_UM_EXCEPTION_VERSION);
2182  return INT_STATUS_UNSUPPORTED_DATA_VALUE;
2183  }
2184 
2185  if (IntUpdateIsDuplicateUserException(Exception))
2186  {
2187  return INT_STATUS_NOT_NEEDED_HINT;
2188  }
2189 
2190  UM_EXCEPTION *pUmException = HpAllocWithTag(sizeof(*pUmException) + sigCount * sizeof(DWORD), IC_TAG_EXUM);
2191  if (NULL == pUmException)
2192  {
2193  return INT_STATUS_INSUFFICIENT_RESOURCES;
2194  }
2195 
2196  pUmException->Context = Context;
2197 
2198  pUmException->OriginatorNameHash = Exception->Originator;
2199  pUmException->Victim.NameHash = Exception->Victim;
2200  pUmException->Victim.ProcessHash = Exception->Process;
2201  pUmException->Flags = Exception->Flags;
2202  pUmException->Type = Exception->Type;
2203 
2204  if (Exception->CodeBlocks.Valid)
2205  {
2206  status = IntUpdateCreateCbSignatureFromAlert(&Exception->CodeBlocks, &pCbSignature);
2207  if (!INT_SUCCESS(status))
2208  {
2209  ERROR("[ERROR] IntUpdateCreateCbSignatureFromAlert failed with status: 0x%08x\n", status);
2210  goto _exit;
2211  }
2212  else
2213  {
2214  pUmException->Signatures[pUmException->SigCount] = pCbSignature->Id;
2215  pUmException->SigCount++;
2216 
2217  InsertTailList(&gGuest.Exceptions->CbSignatures, &pCbSignature->Link);
2218  }
2219  }
2220 
2221  if (Exception->Export.Valid)
2222  {
2223  status = IntUpdateCreateExportSignatureFromAlert(&Exception->Export, &pExpSignature);
2224  if (!INT_SUCCESS(status))
2225  {
2226  WARNING("[WARNING] IntUpdateCreateExportSignatureFromAlert failed with status: 0x%08x.\n", status);
2227  goto _exit;
2228  }
2229  else
2230  {
2231  pUmException->Signatures[pUmException->SigCount] = pExpSignature->Id;
2232  pUmException->SigCount++;
2233 
2234  InsertTailList(&gGuest.Exceptions->ExportSignatures, &pExpSignature->Link);
2235  }
2236  }
2237 
2238  if (Exception->ProcessCreation.Valid)
2239  {
2240  status = IntUpdateCreateProcessCreationSignatureFromAlert(&Exception->ProcessCreation,
2241  &pProcessCreationSignature);
2242  if (!INT_SUCCESS(status))
2243  {
2244  ERROR("[ERROR] IntUpdateCreateProcessCreationSignatureFromAlert failed with status: 0x%08x.\n", status);
2245  goto _exit;
2246  }
2247  else
2248  {
2249  pUmException->Signatures[pUmException->SigCount] = pProcessCreationSignature->Id;
2250  pUmException->SigCount++;
2251 
2252  InsertTailList(&gGuest.Exceptions->ProcessCreationSignatures, &pProcessCreationSignature->Link);
2253  }
2254  }
2255 
2256  IntUpdateAddUserExceptionInOrder(pUmException);
2257 
2258  return INT_STATUS_SUCCESS;
2259 
2260 _exit:
2261  if (pCbSignature != NULL)
2262  {
2263  IntExceptErase(pCbSignature, IC_TAG_ESIG);
2264  }
2265 
2266  if (pProcessCreationSignature != NULL)
2267  {
2268  IntExceptErase(pProcessCreationSignature, IC_TAG_ESIG);
2269  }
2270 
2271  if (pExpSignature != NULL)
2272  {
2273  IntExceptErase(pExpSignature, IC_TAG_ESIG);
2274  }
2275 
2276  HpFreeAndNullWithTag(&pUmException, IC_TAG_EXUM);
2277 
2278  return status;
2279 }
2280 
2281 
2282 static INTSTATUS
2283 IntUpdateAddKmException(
2284  _In_ const ALERT_KM_EXCEPTION *Exception,
2285  _In_ QWORD Context
2286  )
2302 {
2303  INTSTATUS status;
2304 
2305  DWORD sigCount = (Exception->Idt.Valid != 0) + (Exception->CodeBlocks.Valid != 0);
2306  SIG_CODEBLOCKS *pCbSignature = NULL;
2307  SIG_IDT *pIdtSignature = NULL;
2308 
2309  if (Exception->Header.Version != ALERT_KM_EXCEPTION_VERSION)
2310  {
2311  ERROR("[ERROR] Unsupported km exception version: %d. We have %d\n",
2312  Exception->Header.Version, ALERT_KM_EXCEPTION_VERSION);
2313  return INT_STATUS_UNSUPPORTED_DATA_VALUE;
2314  }
2315 
2316  if (IntUpdateIsDuplicateKernelException(Exception))
2317  {
2318  return INT_STATUS_NOT_NEEDED_HINT;
2319  }
2320 
2321  KM_EXCEPTION *pKmException = HpAllocWithTag(sizeof(*pKmException) + sigCount * sizeof(DWORD), IC_TAG_EXKM);
2322  if (NULL == pKmException)
2323  {
2324  return INT_STATUS_INSUFFICIENT_RESOURCES;
2325  }
2326 
2327  pKmException->Context = Context;
2328  pKmException->OriginatorNameHash = Exception->Originator;
2329  pKmException->VictimNameHash = Exception->Victim;
2330  pKmException->Flags = Exception->Flags;
2331  pKmException->Type = Exception->Type;
2332 
2333  if (Exception->Idt.Valid)
2334  {
2335  status = IntUpdateCreateIdtSignatureFromAlert(&Exception->Idt, &pIdtSignature);
2336  if (!INT_SUCCESS(status))
2337  {
2338  ERROR("[ERROR] IntUpdateCreateIdtSignatureFromAlert failed with status: 0x%08x.\n", status);
2339  goto _exit;
2340  }
2341  else
2342  {
2343  pKmException->Signatures[pKmException->SigCount] = pIdtSignature->Id;
2344  pKmException->SigCount++;
2345 
2346  InsertTailList(&gGuest.Exceptions->IdtSignatures, &pIdtSignature->Link);
2347  }
2348  }
2349 
2350  if (Exception->CodeBlocks.Valid)
2351  {
2352  status = IntUpdateCreateCbSignatureFromAlert(&Exception->CodeBlocks, &pCbSignature);
2353  if (!INT_SUCCESS(status))
2354  {
2355  ERROR("[ERROR] IntUpdateCreateCbSignatureFromAlert failed with status: 0x%08x.\n", status);
2356  goto _exit;
2357  }
2358  else
2359  {
2360  pKmException->Signatures[pKmException->SigCount] = pCbSignature->Id;
2361  pKmException->SigCount++;
2362 
2363  InsertTailList(&gGuest.Exceptions->CbSignatures, &pCbSignature->Link);
2364  }
2365  }
2366 
2367  IntUpdateAddKernelExceptionInOrder(pKmException);
2368 
2369  return INT_STATUS_SUCCESS;
2370 
2371 _exit:
2372  if (pCbSignature != NULL)
2373  {
2374  IntExceptErase(pCbSignature, IC_TAG_ESIG);
2375  }
2376 
2377  if (pIdtSignature != NULL)
2378  {
2379  IntExceptErase(pIdtSignature, IC_TAG_ESIG);
2380  }
2381 
2382  HpFreeAndNullWithTag(&pKmException, IC_TAG_EXKM);
2383 
2384  return status;
2385 }
2386 
2387 
2388 static INTSTATUS
2389 IntUpdateAddKmUmException(
2390  _In_ const ALERT_KUM_EXCEPTION *Exception,
2391  _In_ QWORD Context
2392  )
2408 {
2409  INTSTATUS status;
2410  DWORD sigCount = (Exception->CodeBlocks.Valid != 0);
2411  SIG_CODEBLOCKS *pCbSignature = NULL;
2412 
2413  if (Exception->Header.Version != ALERT_KM_EXCEPTION_VERSION)
2414  {
2415  ERROR("[ERROR] Unsupported km exception version: %d. We have %d\n",
2416  Exception->Header.Version, ALERT_KM_EXCEPTION_VERSION);
2417  return INT_STATUS_UNSUPPORTED_DATA_VALUE;
2418  }
2419 
2420  if (IntUpdateIsDuplicateKernelUserException(Exception))
2421  {
2422  return INT_STATUS_NOT_NEEDED_HINT;
2423  }
2424 
2425  KUM_EXCEPTION *pException = HpAllocWithTag(sizeof(*pException) + sigCount * sizeof(DWORD), IC_TAG_EXKU);
2426  if (NULL == pException)
2427  {
2428  return INT_STATUS_INSUFFICIENT_RESOURCES;
2429  }
2430 
2431  pException->Context = Context;
2432  pException->OriginatorNameHash = Exception->Originator;
2433  pException->Victim.NameHash = Exception->Victim;
2434  pException->Victim.ProcessHash = Exception->Process;
2435  pException->Flags = Exception->Flags;
2436  pException->Type = Exception->Type;
2437 
2438  if (Exception->CodeBlocks.Valid)
2439  {
2440  status = IntUpdateCreateCbSignatureFromAlert(&Exception->CodeBlocks, &pCbSignature);
2441  if (!INT_SUCCESS(status))
2442  {
2443  ERROR("[ERROR] IntUpdateCreateCbSignatureFromAlert failed with status: 0x%08x.\n", status);
2444  goto _exit;
2445  }
2446  else
2447  {
2448  pException->Signatures[pException->SigCount] = pCbSignature->Id;
2449  pException->SigCount++;
2450 
2451  InsertTailList(&gGuest.Exceptions->CbSignatures, &pCbSignature->Link);
2452  }
2453  }
2454 
2455  IntUpdateAddKernelUserExceptionInOrder(pException);
2456 
2457  return INT_STATUS_SUCCESS;
2458 
2459 _exit:
2460  if (pCbSignature != NULL)
2461  {
2462  IntExceptErase(pCbSignature, IC_TAG_ESIG);
2463  }
2464 
2465  HpFreeAndNullWithTag(&pException, IC_TAG_EXKU);
2466 
2467  return status;
2468 }
2469 
2470 
2471 INTSTATUS
2472 IntUpdateAddExceptionFromAlert(
2473  _In_ const void *Event,
2474  _In_ INTRO_EVENT_TYPE Type,
2475  _In_ BOOLEAN Exception,
2476  _In_ QWORD Context
2477  )
2498 {
2499  INTSTATUS status;
2500  const void *pException;
2501  QWORD violationFlags;
2502  BYTE pBuff[ALERT_EXCEPTION_SIZE] = { 0 };
2503 
2504  if (NULL == Event)
2505  {
2506  return INT_STATUS_INVALID_PARAMETER_1;
2507  }
2508 
2509  if (!IntAlertIsEventTypeViolation(Type))
2510  {
2511  ERROR("[ERROR] Failed to add exception of type %d!\n", Type);
2512  return INT_STATUS_NOT_SUPPORTED;
2513  }
2514 
2515  if (Exception)
2516  {
2517  const INTRO_ALERT_EXCEPTION_HEADER *header = Event;
2518 
2519  pException = Event;
2520  violationFlags = header->ViolationFlags;
2521 
2522  if (!header->Valid)
2523  {
2524  ERROR("[ERROR] Exception of type %d is invalid!\n", Type);
2525  return INT_STATUS_INVALID_DATA_STATE;
2526  }
2527  }
2528  else
2529  {
2530  const INTRO_VIOLATION_HEADER *header = Event;
2531 
2532  violationFlags = header->Flags;
2533 
2534  status = IntAlertCreateException(Event, Type, TRUE, pBuff);
2535  if (!INT_SUCCESS(status))
2536  {
2537  ERROR("[ERROR] IntAlertCreateException failed: %08x\n", status);
2538  return status;
2539  }
2540 
2541  pException = (const void *)pBuff;
2542  }
2543 
2544  if (NULL == gGuest.Exceptions)
2545  {
2546  status = IntExceptInit();
2547  if (!INT_SUCCESS(status))
2548  {
2549  ERROR("[ERROR] IntExceptInit failed: 0x%08x\n", status);
2550  return status;
2551  }
2552  }
2553 
2554  if (Type == introEventEptViolation)
2555  {
2556  if (violationFlags & ALERT_FLAG_KM_UM)
2557  {
2558  status = IntUpdateAddKmUmException(pException, Context);
2559  }
2560  else if (violationFlags & ALERT_FLAG_NOT_RING0)
2561  {
2562  status = IntUpdateAddUmException(pException, Context);
2563  }
2564  else
2565  {
2566  status = IntUpdateAddKmException(pException, Context);
2567  }
2568  }
2569  else if (introEventMsrViolation == Type ||
2570  introEventCrViolation == Type ||
2571  introEventDtrViolation == Type ||
2572  introEventIntegrityViolation == Type)
2573  {
2574  status = IntUpdateAddKmException(pException, Context);
2575  }
2576  else if (introEventInjectionViolation == Type ||
2577  introEventProcessCreationViolation == Type ||
2578  introEventModuleLoadViolation == Type)
2579  {
2580  status = IntUpdateAddUmException(pException, Context);
2581  }
2582  else
2583  {
2584  status = INT_STATUS_NOT_SUPPORTED;
2585  }
2586 
2587  if (!INT_SUCCESS(status))
2588  {
2589  ERROR("[ERROR] Failed to add exception of type %d: 0x%08x\n", Type, status);
2590  }
2591 
2592  return status;
2593 }
2594 
2595 
2596 static void
2597 IntUpdateRemoveSignaturesForException(
2598  _In_ EXCEPTION_SIGNATURE_ID *Signatures,
2599  _In_ DWORD Count
2600  )
2607 {
2608  for (DWORD i = 0; i < Count; i++)
2609  {
2610  switch (Signatures[i].Field.Type)
2611  {
2612  case signatureTypeExport :
2613  {
2614  for_each_export_signature(gGuest.Exceptions->ExportSignatures, pSignature)
2615  {
2616  if (pSignature->AlertSignature && pSignature->Id.Value == Signatures[i].Value)
2617  {
2618  IntExceptErase(pSignature, IC_TAG_ESIG);
2619  break;
2620  }
2621  }
2622 
2623  break;
2624  }
2625 
2626  case signatureTypeCodeBlocks :
2627  {
2628  for_each_cb_signature(gGuest.Exceptions->CbSignatures, pSignature)
2629  {
2630  if (pSignature->AlertSignature && pSignature->Id.Value == Signatures[i].Value)
2631  {
2632  IntExceptErase(pSignature, IC_TAG_ESIG);
2633  break;
2634  }
2635  }
2636 
2637  break;
2638  }
2639 
2640  case signatureTypeIdt :
2641  {
2642  for_each_idt_signature(gGuest.Exceptions->IdtSignatures, pSignature)
2643  {
2644  if (pSignature->AlertSignature && pSignature->Id.Value == Signatures[i].Value)
2645  {
2646  IntExceptErase(pSignature, IC_TAG_ESIG);
2647  break;
2648  }
2649  }
2650 
2651  break;
2652  }
2653 
2654  default:
2655  {
2656  ERROR("[ERROR] Should not reach here. Type is %d\n", Signatures[i].Field.Type);
2657  return;
2658  }
2659  }
2660  }
2661 }
2662 
2663 
2664 INTSTATUS
2665 IntUpdateRemoveException(
2666  _In_opt_ QWORD Context
2667  )
2679 {
2680  if (NULL == gGuest.Exceptions)
2681  {
2682  return INT_STATUS_NOT_INITIALIZED;
2683  }
2684 
2685  for_each_um_exception(gGuest.Exceptions->UserAlertExceptions, pException)
2686  {
2687  if (pException->Context == Context)
2688  {
2689  IntUpdateRemoveSignaturesForException(pException->Signatures, pException->SigCount);
2690  IntExceptErase(pException, IC_TAG_EXUM);
2691  return INT_STATUS_SUCCESS;
2692  }
2693  }
2694 
2695  for_each_km_exception(gGuest.Exceptions->KernelAlertExceptions, pException)
2696  {
2697  if (pException->Context == Context)
2698  {
2699  IntUpdateRemoveSignaturesForException(pException->Signatures, pException->SigCount);
2700  IntExceptErase(pException, IC_TAG_EXUM);
2701  return INT_STATUS_SUCCESS;
2702  }
2703  }
2704 
2705  for_each_um_exception(gGuest.Exceptions->ProcessCreationAlertExceptions, pException)
2706  {
2707  if (pException->Context == Context)
2708  {
2709  IntUpdateRemoveSignaturesForException(pException->Signatures, pException->SigCount);
2710  IntExceptErase(pException, IC_TAG_EXUM);
2711  return INT_STATUS_SUCCESS;
2712  }
2713  }
2714 
2715  return INT_STATUS_NOT_FOUND;
2716 }
2717 
2718 
2719 INTSTATUS
2720 IntUpdateFlushAlertExceptions(
2721  void
2722  )
2729 {
2730  INTSTATUS status;
2731 
2732  if (NULL == gGuest.Exceptions)
2733  {
2734  return INT_STATUS_NOT_INITIALIZED;
2735  }
2736 
2737  TRACE("[INFO] Requesting to flush alert exceptions!\n");
2738 
2739  status = IntExceptAlertRemove();
2740  if (!INT_SUCCESS(status))
2741  {
2742  return status;
2743  }
2744 
2745  return INT_STATUS_SUCCESS;
2746 }
2747 
2748 
2749 BOOLEAN
2750 IntUpdateAreExceptionsLoaded(
2751  void
2752  )
2758 {
2759  return gGuest.Exceptions && gGuest.Exceptions->Loaded;
2760 }
_INTRO_ALERT_EXCEPTION_HEADER::ViolationFlags
QWORD ViolationFlags
A combination of Alert flags values describing the alert.
Definition: intro_types.h:1064
_INTRO_ALERT_EXCEPTION_HEADER::Valid
BOOLEAN Valid
Set to True if the information in the structure is valid, False otherwise.
Definition: intro_types.h:1065
_SIG_VALUE_CODE::Id
EXCEPTION_SIGNATURE_ID Id
An unique id (EXCEPTION_SIGNATURE_ID).
Definition: exceptions.h:409
_In_opt_
#define _In_opt_
Definition: intro_sal.h:16
_KM_EXCEPTION::SigCount
WORD SigCount
Contains the number of signatures.
Definition: exceptions.h:262
_UM_EXCEPTION::Context
QWORD Context
Contains the context given by the integrator.
Definition: exceptions.h:316
_UPDATE_HEADER
The header of an exception or a signature.
Definition: update_exceptions.h:52
BOOLEAN
_Bool BOOLEAN
Definition: intro_types.h:58
_Out_
#define _Out_
Definition: intro_sal.h:22
CONTAINING_RECORD
#define CONTAINING_RECORD(List, Type, Member)
Definition: introlists.h:36
IntUpdateCreateCbSignatureFromAlert
static INTSTATUS IntUpdateCreateCbSignatureFromAlert(const ALERT_CB_SIGNATURE *AlertSig, SIG_CODEBLOCKS **Signature)
Creates a new code-blocks signature from an /ref ALERT_CB_SIGNATURE.
Definition: update_exceptions.c:1699
introEventProcessCreationViolation
Sent for unauthorized process creation alerts. See EVENT_PROCESS_CREATION_VIOLATION.
Definition: intro_types.h:115
_EXCEPTION_CB_SIGNATURE::AlertSignature
BOOLEAN AlertSignature
True if the signature is added from alert.
Definition: exceptions.h:396
IntUpdateRemoveSignaturesForException
static void IntUpdateRemoveSignaturesForException(EXCEPTION_SIGNATURE_ID *Signatures, DWORD Count)
This function removes and frees all signature from the provided array.
Definition: update_exceptions.c:2597
UPDATE_TYPE_KUM_EXCEPTION
#define UPDATE_TYPE_KUM_EXCEPTION
Definition: update_exceptions.h:386
_UPDATE_ITEM_SIZE::RemainingFileSize
DWORD RemainingFileSize
The remaining bytes for the exceptions file.
Definition: update_exceptions.c:33
_EXCEPTION_SIGNATURE_ID
The exception ID. The layout consists of the exception type and the unique identifier of the exceptio...
Definition: exceptions.h:233
BYTE
uint8_t BYTE
Definition: intro_types.h:47
IntUpdateAddIdtSignature
static INTSTATUS IntUpdateAddIdtSignature(UPDATE_IDT_SIGNATURE *UpdateSignature, UPDATE_ITEM_SIZE *Item)
Creates a new IDT signature and adds it to our internal list.
Definition: update_exceptions.c:859
_SIG_EXPORT_HASH
Describe a export signature hash.
Definition: exceptions.h:377
UPDATE_TYPE_EXPORT_SIGNATURE
#define UPDATE_TYPE_EXPORT_SIGNATURE
Definition: update_exceptions.h:378
_SIG_PROCESS_CREATION
Describes a process-creation signature.
Definition: exceptions.h:564
_EXCEPTIONS::KernelUserExceptions
LIST_HEAD KernelUserExceptions[EXCEPTION_TABLE_SIZE]
Array of linked lists used for kernel-user mode exceptions.
Definition: exceptions.h:109
_UPDATE_ITEM_SIZE::EntrySize
DWORD EntrySize
The size of the current exception/signature.
Definition: update_exceptions.c:32
_EXCEPTIONS::ValueCodeSignatures
LIST_HEAD ValueCodeSignatures
Linked list used for value-code signatures.
Definition: exceptions.h:134
_In_
#define _In_
Definition: intro_sal.h:21
_KUM_EXCEPTION
Describe a kernel-user mode exception.
Definition: exceptions.h:270
_ALERT_EXPORT_SIGNATURE
Definition: alert_exceptions.h:56
INT_STATUS_SUCCESS
#define INT_STATUS_SUCCESS
Definition: introstatus.h:54
IntUpdateAddVersionIntroSignature
static INTSTATUS IntUpdateAddVersionIntroSignature(UPDATE_VERSION_INTRO_SIGNATURE *UpdateSignature, UPDATE_ITEM_SIZE *Item)
Creates a new introspection version signature and adds it to our internal list.
Definition: update_exceptions.c:1016
ALERT_IDT_SIGNATURE_VERSION
#define ALERT_IDT_SIGNATURE_VERSION
Definition: alert_exceptions.h:37
_EXCEPTION_CB_SIGNATURE::Score
BYTE Score
The number of (minimum) hashes from a list that need to match.
Definition: exceptions.h:394
BIT
#define BIT(x)
Definition: common.h:51
_KUM_EXCEPTION::Context
QWORD Context
Contains the context given by the integrator.
Definition: exceptions.h:287
gCurrentSignatureId
static EXCEPTION_SIGNATURE_ID gCurrentSignatureId
The current signature ID. Changes every time a new ID is generated.
Definition: update_exceptions.c:24
_SIG_VALUE_HASH::Offset
WORD Offset
The displacement from the beginning of the modified zone.
Definition: exceptions.h:368
_EXCEPTIONS::NoNameKernelExceptions
LIST_HEAD NoNameKernelExceptions
Linked list used for kernel-mode exceptions that don&#39;t have a valid originator (-).
Definition: exceptions.h:98
kmExcNameAny
The name can be any string.
Definition: exceptions.h:626
UPDATE_TYPE_APC_UM_EXCEPTION
#define UPDATE_TYPE_APC_UM_EXCEPTION
Definition: update_exceptions.h:375
WORD
uint16_t WORD
Definition: intro_types.h:48
_SIG_VALUE_CODE
Describes a value signature.
Definition: exceptions.h:405
_UPDATE_CB_HASH
Describe a code-blocks hash in binary format.
Definition: update_exceptions.h:165
_SIG_EXPORT_HASH::Delta
WORD Delta
The number of bytes that are modified.
Definition: exceptions.h:379
_UM_EXCEPTION::Victim
struct _UM_EXCEPTION::@29 Victim
_ALERT_KM_EXCEPTION
Describes a kernel-mode alert-exception.
Definition: alert_exceptions.h:96
_UPDATE_KM_EXCEPTION
Describe a kernel-mode exception in binary format.
Definition: update_exceptions.h:62
UPDATE_EXCEPTIONS_MIN_VER_MAJOR
#define UPDATE_EXCEPTIONS_MIN_VER_MAJOR
Definition: update_exceptions.h:388
_EXCEPTIONS::Build
DWORD Build
Definition: exceptions.h:142
UPDATE_TYPE_IDT_SIGNATURE
#define UPDATE_TYPE_IDT_SIGNATURE
Definition: update_exceptions.h:382
UPDATE_VALIDATE_FILE_SIZE
#define UPDATE_VALIDATE_FILE_SIZE
Validate that an object fits inside the exception buffer.
Definition: update_exceptions.c:17
introEventDtrViolation
Sent when a DTR violation triggers an alert. See EVENT_DTR_VIOLATION.
Definition: intro_types.h:98
_EXCEPTIONS::GenericUserExceptions
LIST_HEAD GenericUserExceptions
Linked list used for user-mode exceptions that have a generic originator(*).
Definition: exceptions.h:92
IntUpdateFlushAlertExceptions
INTSTATUS IntUpdateFlushAlertExceptions(void)
This function removes all exceptions that were added from alerts.
Definition: update_exceptions.c:2720
_UM_EXCEPTION_GLOB::OriginatorNameGlob
char OriginatorNameGlob[EXCEPTION_UM_GLOB_LENGTH]
Contains the name (a string that can contain glob items) of the originator.
Definition: exceptions.h:331
IntUpdateLoadExceptions
INTSTATUS IntUpdateLoadExceptions(void *Buffer, DWORD Length, DWORD Flags)
Handles the exceptions coming from the integrator.
Definition: update_exceptions.c:1269
_KM_EXCEPTION::Context
QWORD Context
Contains the context given by the integrator.
Definition: exceptions.h:260
_EXCEPTIONS::ExportSignatures
LIST_HEAD ExportSignatures
Linked list used for export signatures.
Definition: exceptions.h:132
EXCEPTION_SIGNATURE_ID
union _EXCEPTION_SIGNATURE_ID EXCEPTION_SIGNATURE_ID
The exception ID. The layout consists of the exception type and the unique identifier of the exceptio...
_EXCEPTIONS::ProcessCreationAlertExceptions
LIST_HEAD ProcessCreationAlertExceptions
Linked list used for process-creation exceptions that are added from alert.
Definition: exceptions.h:123
_SIG_VALUE_CODE::Object
WORD Object[]
Contains list of opcodes.
Definition: exceptions.h:416
UPDATE_TYPE_UM_EXCEPTION_GLOB_MATCH
#define UPDATE_TYPE_UM_EXCEPTION_GLOB_MATCH
Definition: update_exceptions.h:374
EXCEPTION_FLG_FEEDBACK
The exception sends a feedback alert.
Definition: exceptions.h:585
SIG_CODEBLOCK_HASH
struct _SIG_CODEBLOCK_HASH SIG_CODEBLOCK_HASH
Describe a codeblocks signature hash.
IntUpdateAddUserExceptionGlob
static INTSTATUS IntUpdateAddUserExceptionGlob(UPDATE_UM_EXCEPTION_GLOB *UpdateException, UPDATE_ITEM_SIZE *Item)
Creates a new glob user-exception and adds it to our internal list.
Definition: update_exceptions.c:518
_KM_EXCEPTION::Type
KM_EXCEPTION_OBJECT Type
Contains the type of the exception (KM_EXCEPTION_OBJECT).
Definition: exceptions.h:258
INT_SUCCESS
#define INT_SUCCESS(Status)
Definition: introstatus.h:42
_UPDATE_EXPORT_HASH
Describe a export hash in binary format.
Definition: update_exceptions.h:189
introEventCrViolation
Sent when a CR violation triggers an alert. See EVENT_CR_VIOLATION.
Definition: intro_types.h:88
_EXCEPTION_CB_SIGNATURE::Id
EXCEPTION_SIGNATURE_ID Id
An unique id (_EXCEPTION_SIGNATURE_ID).
Definition: exceptions.h:391
_SIG_VERSION_INTRO::Raw
QWORD Raw
Definition: exceptions.h:541
_INTRO_VIOLATION_HEADER::Flags
QWORD Flags
A combination of ALERT_FLAG_* values describing the alert.
Definition: intro_types.h:1087
_KM_EXCEPTION::OriginatorNameHash
DWORD OriginatorNameHash
Contains the originator name-hash.
Definition: exceptions.h:252
_UPDATE_VERSION_OS_SIGNATURE
Describe a version OS signature in binary format.
Definition: update_exceptions.h:276
UPDATE_MAGIC_WORD
#define UPDATE_MAGIC_WORD
Definition: update_exceptions.h:370
_SIG_PROCESS_CREATION::Id
EXCEPTION_SIGNATURE_ID Id
An unique id (EXCEPTION_SIGNATURE_ID).
Definition: exceptions.h:568
_UPDATE_PROCESS_CREATION_SIGNATURE
Describe a process-creation signature in binary format.
Definition: update_exceptions.h:356
_EXCEPTIONS::VersionIntroSignatures
LIST_HEAD VersionIntroSignatures
Linked list used for introspection version signatures.
Definition: exceptions.h:137
_UM_EXCEPTION_GLOB
Describe a user-mode glob exception.
Definition: exceptions.h:326
_EXCEPTIONS::ProcessCreationSignatures
LIST_HEAD ProcessCreationSignatures
Linked list used for process-creation signatures.
Definition: exceptions.h:138
_SIG_EXPORT::ListsCount
BYTE ListsCount
The number of the list of hashes.
Definition: exceptions.h:432
EXCEPTION_FLG_READ
The exception is valid only for read violation.
Definition: exceptions.h:595
IntUpdateIsDuplicateUserException
static BOOLEAN IntUpdateIsDuplicateUserException(const ALERT_UM_EXCEPTION *Exception)
Checks if the provided user-mode exception already exists in out list.
Definition: update_exceptions.c:2071
UPDATE_VALUE_HASH
struct _UPDATE_VALUE_HASH UPDATE_VALUE_HASH
Describe a value hash in binary format.
_EXCEPTIONS::IdtSignatures
LIST_HEAD IdtSignatures
Linked list used for IDT signatures.
Definition: exceptions.h:135
_SIG_VALUE::AlertSignature
BOOLEAN AlertSignature
True if the signature is added from alert.
Definition: exceptions.h:451
_SIG_EXPORT::Id
EXCEPTION_SIGNATURE_ID Id
An unique id (EXCEPTION_SIGNATURE_ID).
Definition: exceptions.h:427
INT_STATUS_NOT_NEEDED_HINT
#define INT_STATUS_NOT_NEEDED_HINT
Definition: introstatus.h:317
IntAlertIsEventTypeViolation
BOOLEAN IntAlertIsEventTypeViolation(INTRO_EVENT_TYPE Type)
Definition: alert_exceptions.h:178
IntExceptErase
#define IntExceptErase(Ptr, Tag)
Frees an exception or a signature buffer and removes it from the list it is currently in...
Definition: exceptions.h:1316
ERROR
#define ERROR(fmt,...)
Definition: glue.h:62
_SIG_IDT::Entry
BYTE Entry
The number of the IDT entry.
Definition: exceptions.h:467
_EXCEPTIONS::UserAlertExceptions
LIST_HEAD UserAlertExceptions
Linked list used for user-mode exceptions that are added from alert.
Definition: exceptions.h:125
_SIG_EXPORT::Link
LIST_ENTRY Link
Definition: exceptions.h:425
for_each_um_exception
#define for_each_um_exception(_ex_head, _var_name)
Definition: exceptions.h:1002
_ALERT_CB_SIGNATURE
Definition: alert_exceptions.h:22
SIG_VALUE_HASH
struct _SIG_VALUE_HASH SIG_VALUE_HASH
Describe a value signature hash.
HpAllocWithTag
#define HpAllocWithTag(Len, Tag)
Definition: glue.h:516
IntUpdateIsValidEntry
static BOOLEAN IntUpdateIsValidEntry(DWORD Size, UPDATE_ITEM_SIZE *Item, DWORD Flags)
Checks if the provided Size can be read from the exceptions file without exceeding its size...
Definition: update_exceptions.c:105
umExcNameAny
The name can be any string.
Definition: exceptions.h:652
signatureTypeIdt
The range-identifier used for idt signature.
Definition: exceptions.h:78
_EXCEPTIONS::UserExceptions
LIST_HEAD UserExceptions[EXCEPTION_TABLE_SIZE]
Array of linked lists used for user-mode exceptions.
Definition: exceptions.h:110
INTSTATUS
int INTSTATUS
The status data type.
Definition: introstatus.h:24
_EXCEPTIONS::Loaded
BOOLEAN Loaded
True if the exceptions are loaded.
Definition: exceptions.h:147
_UPDATE_FILE_HEADER::Minor
WORD Minor
The minor version of the exceptions binary file.
Definition: update_exceptions.h:33
_UPDATE_ITEM_SIZE
Contains the information about the sizes of an entry (exception/signature) and about the size of the ...
Definition: update_exceptions.c:30
INT_STATUS_NOT_FOUND
#define INT_STATUS_NOT_FOUND
Definition: introstatus.h:284
_KUM_EXCEPTION::Type
KUM_EXCEPTION_OBJECT Type
Contains the type of the exception (KM_EXCEPTION_OBJECT).
Definition: exceptions.h:285
EXCEPTION_FLG_LINUX
The exception is valid only for Linux.
Definition: exceptions.h:593
IntExceptAlertRemove
INTSTATUS IntExceptAlertRemove(void)
This function removes and frees all exceptions and signatures that have been added from alert...
Definition: exceptions.c:382
_SIG_VALUE::Id
EXCEPTION_SIGNATURE_ID Id
An unique id (EXCEPTION_SIGNATURE_ID).
Definition: exceptions.h:446
IntUpdateRemoveException
INTSTATUS IntUpdateRemoveException(QWORD Context)
This function removes an exception for a given context.
Definition: update_exceptions.c:2665
_UM_EXCEPTION::NameHash
DWORD NameHash
Definition: exceptions.h:306
_EXCEPTIONS::KernelAlertExceptions
LIST_HEAD KernelAlertExceptions
Linked list used for kernel-mode exceptions that are added from alert.
Definition: exceptions.h:127
kmExcNameNone
The name is missing.
Definition: exceptions.h:630
introEventInjectionViolation
Sent for code/data injection alerts. See EVENT_MEMCOPY_VIOLATION.
Definition: intro_types.h:96
_SIG_VALUE_HASH::Size
WORD Size
The size of of the modified zone.
Definition: exceptions.h:369
IC_TAG_ESIG
#define IC_TAG_ESIG
Exception signatures structures.
Definition: memtags.h:26
for_each_idt_signature
#define for_each_idt_signature(_ex_head, _var_name)
Definition: exceptions.h:1014
_GUEST_STATE::OSType
INTRO_GUEST_TYPE OSType
The type of the guest.
Definition: guests.h:274
ALERT_EXPORT_SIGNATURE_VERSION
#define ALERT_EXPORT_SIGNATURE_VERSION
Definition: alert_exceptions.h:54
IntUpdateIsDuplicateKernelException
static BOOLEAN IntUpdateIsDuplicateKernelException(const ALERT_KM_EXCEPTION *Exception)
Checks if the provided kernel-mode exception already exists in out list.
Definition: update_exceptions.c:1953
_SIG_VERSION_INTRO::AlertSignature
BOOLEAN AlertSignature
True if the signature is added from alert.
Definition: exceptions.h:528
_UPDATE_VALUE_HASH
Describe a value hash in binary format.
Definition: update_exceptions.h:177
EXCEPTION_FLG_WRITE
The exception is valid only for write violation.
Definition: exceptions.h:596
signatureTypeProcessCreation
The range-identifier used for process creation signature.
Definition: exceptions.h:75
_UPDATE_IDT_SIGNATURE
Describe an IDT signature in binary format.
Definition: update_exceptions.h:248
MIN
#define MIN(a, b)
Definition: introdefs.h:146
_KM_EXCEPTION::Flags
DWORD Flags
Contains any flags from EXCEPTION_FLG.
Definition: exceptions.h:256
_KUM_EXCEPTION::Victim
struct _KUM_EXCEPTION::@28 Victim
_SIG_VALUE::ListsCount
BYTE ListsCount
The number of the list of hashes.
Definition: exceptions.h:450
_UPDATE_VALUE_CODE_SIGNATURE
Describe a value-code signature in binary format.
Definition: update_exceptions.h:261
IntUpdateCreateProcessCreationSignatureFromAlert
static INTSTATUS IntUpdateCreateProcessCreationSignatureFromAlert(const ALERT_PROCESS_CREATION_SIGNATURE *AlertSig, SIG_PROCESS_CREATION **Signature)
Creates a new process-creation signature from an /ref ALERT_PROCESS_CREATION_SIGNATURE.
Definition: update_exceptions.c:1764
_UPDATE_HEADER::Size
WORD Size
The size of the exception/signature.
Definition: update_exceptions.h:55
IntUpdateAddValueSignature
static INTSTATUS IntUpdateAddValueSignature(UPDATE_VALUE_SIGNATURE *UpdateSignature, UPDATE_ITEM_SIZE *Item)
Creates a new value signature and adds it to our internal list.
Definition: update_exceptions.c:789
UPDATE_TYPE_PROCESS_CREATION_SIGNATURE
#define UPDATE_TYPE_PROCESS_CREATION_SIGNATURE
Definition: update_exceptions.h:385
LOG
#define LOG(fmt,...)
Definition: glue.h:61
umExcNameNone
The name is missing.
Definition: exceptions.h:657
_SIG_VALUE
Describes a value signature.
Definition: exceptions.h:442
ALERT_FLAG_KM_UM
#define ALERT_FLAG_KM_UM
If set, the alert was generated by a kernel to user mode violation.
Definition: intro_types.h:649
_EXCEPTIONS::Major
WORD Major
Definition: exceptions.h:143
_ALERT_UM_EXCEPTION
Describes a user-mode alert-exception.
Definition: alert_exceptions.h:140
IntUpdateAddKernelUserException
static INTSTATUS IntUpdateAddKernelUserException(UPDATE_KUM_EXCEPTION *UpdateException, UPDATE_ITEM_SIZE *Item)
Creates a new kernel-user mode exception and adds it to our internal list.
Definition: update_exceptions.c:265
_SIG_VERSION_INTRO::Minimum
union _SIG_VERSION_INTRO::@37 Minimum
_UPDATE_FILE_HEADER::BuildNumber
DWORD BuildNumber
The build number of the exceptions binary file.
Definition: update_exceptions.h:40
_KUM_EXCEPTION::ProcessHash
DWORD ProcessHash
Contains the name-hash of the process in which the modification takes place.
Definition: exceptions.h:280
_SIG_PROCESS_CREATION::Flags
DWORD Flags
Contains any flags from SIGNATURE_FLG.
Definition: exceptions.h:569
IntUpdateAddKernelException
static INTSTATUS IntUpdateAddKernelException(UPDATE_KM_EXCEPTION *UpdateException, UPDATE_ITEM_SIZE *Item)
Creates a new kernel-exception and adds it to our internal list.
Definition: update_exceptions.c:145
_SIG_VALUE_CODE::AlertSignature
BOOLEAN AlertSignature
True if the signature is added from alert.
Definition: exceptions.h:414
IntUpdateIsDuplicateExportSignature
static BOOLEAN IntUpdateIsDuplicateExportSignature(const ALERT_EXPORT_SIGNATURE *Signature, const EXCEPTION_SIGNATURE_ID *SigIds, DWORD SigCount)
Checks if the provided export alert-signature already exists in our list.
Definition: update_exceptions.c:1902
_EXCEPTIONS::CbSignatures
LIST_HEAD CbSignatures
Linked list used for codeblocks signatures.
Definition: exceptions.h:131
IntUpdateCreateIdtSignatureFromAlert
static INTSTATUS IntUpdateCreateIdtSignatureFromAlert(const ALERT_IDT_SIGNATURE *AlertSig, SIG_IDT **Signature)
Creates a new IDT signature from an /ref ALERT_IDT_SIGNATURE.
Definition: update_exceptions.c:1656
IntUpdateAssignAlertSignatureIds
void IntUpdateAssignAlertSignatureIds(void)
Generates IDs for exceptions that were added from alert.
Definition: update_exceptions.c:1244
EXCEPTION_UM_GLOB_LENGTH
#define EXCEPTION_UM_GLOB_LENGTH
Definition: exceptions.h:36
update_exceptions.h
signatureTypeExport
The range-identifier used for export signature.
Definition: exceptions.h:76
_UM_EXCEPTION_GLOB::Flags
DWORD Flags
Contains any flags from EXCEPTION_FLG.
Definition: exceptions.h:342
IntUpdateAddUserException
static INTSTATUS IntUpdateAddUserException(UPDATE_UM_EXCEPTION *UpdateException, UPDATE_ITEM_SIZE *Item)
Creates a new user-exception and adds it to our internal list.
Definition: update_exceptions.c:380
IntUpdateAreExceptionsLoaded
BOOLEAN IntUpdateAreExceptionsLoaded(void)
Checks if the exceptions are loaded.
Definition: update_exceptions.c:2750
UPDATE_ITEM_SIZE
struct _UPDATE_ITEM_SIZE UPDATE_ITEM_SIZE
Contains the information about the sizes of an entry (exception/signature) and about the size of the ...
_EXCEPTIONS::KernelUserAlertExceptions
LIST_HEAD KernelUserAlertExceptions
Linked list used for kernel-user mode exceptions that are added from alert.
Definition: exceptions.h:129
_ALERT_PROCESS_CREATION_SIGNATURE
Describe a process-creation alert-signature.
Definition: alert_exceptions.h:78
introGuestLinux
Linux.
Definition: intro_types.h:1881
_GUEST_STATE::Exceptions
EXCEPTIONS * Exceptions
The exceptions that are currently loaded.
Definition: guests.h:388
INT_STATUS_NOT_INITIALIZED
#define INT_STATUS_NOT_INITIALIZED
Definition: introstatus.h:266
UPDATE_FILE_HEADER
struct _UPDATE_FILE_HEADER UPDATE_FILE_HEADER
The header of the exceptions binary file.
IntUpdateGetUniqueSigId
static EXCEPTION_SIGNATURE_ID IntUpdateGetUniqueSigId(EXCEPTION_SIGNATURE_TYPE Type)
Get an unique signature ID for a given type.
Definition: update_exceptions.c:86
UPDATE_VALIDATE_HEADER_SIZE
#define UPDATE_VALIDATE_HEADER_SIZE
Validate the size of the exception header.
Definition: update_exceptions.c:19
_KUM_EXCEPTION::Signatures
EXCEPTION_SIGNATURE_ID Signatures[]
Contains a array of signatures ID.
Definition: exceptions.h:290
_UPDATE_FILE_HEADER::Version
struct _UPDATE_FILE_HEADER::@138 Version
_SIG_EXPORT::LibraryNameHash
DWORD LibraryNameHash
The name-hash of the modified library.
Definition: exceptions.h:430
IntUpdateAddValueCodeSignature
static INTSTATUS IntUpdateAddValueCodeSignature(UPDATE_VALUE_CODE_SIGNATURE *UpdateSignature, UPDATE_ITEM_SIZE *Item)
Creates a new value-code signature and adds it to our internal list.
Definition: update_exceptions.c:905
_EXCEPTION_CB_SIGNATURE::Link
LIST_ENTRY Link
Definition: exceptions.h:389
_SIG_VALUE_HASH::Hash
DWORD Hash
The hash of the modified zone.
Definition: exceptions.h:370
PBYTE
uint8_t * PBYTE
Definition: intro_types.h:47
_UM_EXCEPTION::Flags
DWORD Flags
Contains any flags from _EXCEPTION_FLG.
Definition: exceptions.h:312
_KUM_EXCEPTION::SigCount
WORD SigCount
Contains the number of signatures.
Definition: exceptions.h:289
_SIG_IDT::Flags
DWORD Flags
Contains any flags from SIGNATURE_FLG.
Definition: exceptions.h:465
_EXCEPTIONS::KernelFeedbackExceptions
LIST_HEAD KernelFeedbackExceptions
Linked list used for kernel-mode exceptions that have the feedback flag.
Definition: exceptions.h:116
IC_TAG_EXKM
#define IC_TAG_EXKM
Kernel exceptions structures.
Definition: memtags.h:23
_UM_EXCEPTION::Link
LIST_ENTRY Link
Definition: exceptions.h:300
EXCEPTION_FLG_EXECUTE
The exception is valid only for execute violation.
Definition: exceptions.h:597
_UPDATE_VALUE_HASH::Hash
DWORD Hash
The hash of the modified zone.
Definition: update_exceptions.h:182
_KM_EXCEPTION::VictimNameHash
DWORD VictimNameHash
Contains the victim name-hash.
Definition: exceptions.h:254
_SIG_EXPORT::Object
CHAR Object[]
Contains lists of (SIG_EXPORT_HASH).
Definition: exceptions.h:435
QWORD
unsigned long long QWORD
Definition: intro_types.h:53
_INTRO_ALERT_EXCEPTION_HEADER
The common header used by exception information.
Definition: intro_types.h:1061
_ALERT_IDT_SIGNATURE
Describes an idt alert-signature.
Definition: alert_exceptions.h:42
_UM_EXCEPTION_GLOB::NameGlob
CHAR NameGlob[EXCEPTION_UM_GLOB_LENGTH]
Contains the name (a string that can contain glob items) of the modified process. ...
Definition: exceptions.h:336
_ALERT_KUM_EXCEPTION
Describes a kernel-mode alert-exception.
Definition: alert_exceptions.h:117
IntUpdateAddKernelExceptionInOrder
static void IntUpdateAddKernelExceptionInOrder(KM_EXCEPTION *Exception)
Adds a kernel-mode exceptions from alert in the sorted list.
Definition: update_exceptions.c:1528
_KUM_EXCEPTION::OriginatorNameHash
DWORD OriginatorNameHash
Contains the originator name-hash.
Definition: exceptions.h:274
_UPDATE_FILE_HEADER
The header of the exceptions binary file.
Definition: update_exceptions.h:26
_SIG_IDT::Id
EXCEPTION_SIGNATURE_ID Id
An unique id (EXCEPTION_SIGNATURE_ID).
Definition: exceptions.h:464
IntUpdateAddUserExceptionInOrder
static void IntUpdateAddUserExceptionInOrder(UM_EXCEPTION *Exception)
Adds a user-mode exceptions from alert in the sorted list.
Definition: update_exceptions.c:1473
_UM_EXCEPTION_GLOB::ProcessGlob
CHAR ProcessGlob[EXCEPTION_UM_GLOB_LENGTH]
Contains the name of the process(a string that can contain glob items) in which the modification take...
Definition: exceptions.h:339
IntUpdateAddCbSignature
static INTSTATUS IntUpdateAddCbSignature(UPDATE_CB_SIGNATURE *UpdateSignature, UPDATE_ITEM_SIZE *Item)
Creates a new code-blocks signature and adds it to our internal list.
Definition: update_exceptions.c:681
_SIG_VERSION_INTRO::Maximum
union _SIG_VERSION_INTRO::@38 Maximum
introEventModuleLoadViolation
Sent for suspicious module loads alerts. See EVENT_MODULE_LOAD_VIOLATION.
Definition: intro_types.h:117
TRUE
#define TRUE
Definition: intro_types.h:30
_KUM_EXCEPTION::Link
LIST_ENTRY Link
Definition: exceptions.h:272
_SIG_VALUE_HASH
Describe a value signature hash.
Definition: exceptions.h:366
_SIG_VERSION_INTRO
Describes a introspection version signature.
Definition: exceptions.h:521
_SIG_VERSION_OS::AlertSignature
BOOLEAN AlertSignature
True if the signature is added from alert.
Definition: exceptions.h:483
HpFreeAndNullWithTag
#define HpFreeAndNullWithTag(Add, Tag)
Definition: glue.h:517
TRACE
#define TRACE(fmt,...)
Definition: glue.h:58
INT_STATUS_INVALID_DATA_STATE
#define INT_STATUS_INVALID_DATA_STATE
Definition: introstatus.h:183
INT_STATUS_INVALID_INTERNAL_STATE
#define INT_STATUS_INVALID_INTERNAL_STATE
Definition: introstatus.h:272
_EXCEPTIONS::Version
struct _EXCEPTIONS::@26 Version
Loaded exceptions binary version.
_UPDATE_HEADER::Type
BYTE Type
The type of the exception/signature.
Definition: update_exceptions.h:54
for_each_kum_exception
#define for_each_kum_exception(_ex_head, _var_name)
Definition: exceptions.h:1000
_SIG_EXPORT::Flags
DWORD Flags
Contains any flags from SIGNATURE_FLG.
Definition: exceptions.h:428
_SIG_VERSION_OS::Id
EXCEPTION_SIGNATURE_ID Id
An unique id (EXCEPTION_SIGNATURE_ID).
Definition: exceptions.h:480
InsertAfterList
static void InsertAfterList(LIST_ENTRY *Pivot, LIST_ENTRY *Item)
Definition: introlists.h:169
IntUpdateAddVersionOsSignature
static INTSTATUS IntUpdateAddVersionOsSignature(UPDATE_VERSION_OS_SIGNATURE *UpdateSignature, UPDATE_ITEM_SIZE *Item)
Creates a new operating system version signature and adds it to our internal list.
Definition: update_exceptions.c:971
_SIG_IDT::Link
LIST_ENTRY Link
Definition: exceptions.h:462
_UPDATE_VALUE_SIGNATURE
Describe a value signature in binary format.
Definition: update_exceptions.h:232
_KM_EXCEPTION::Link
LIST_ENTRY Link
Definition: exceptions.h:250
IntUpdateAddKmException
static INTSTATUS IntUpdateAddKmException(const ALERT_KM_EXCEPTION *Exception, QWORD Context)
Creates a new kernel-mode exception from an alert-exception structure ALERT_UM_EXCEPTION and adds it ...
Definition: update_exceptions.c:2283
UPDATE_TYPE_VERSION_INTRO_SIGNATURE
#define UPDATE_TYPE_VERSION_INTRO_SIGNATURE
Definition: update_exceptions.h:384
_SIG_EXPORT
Describes a export signature.
Definition: exceptions.h:423
_KUM_EXCEPTION::NameHash
DWORD NameHash
Definition: exceptions.h:278
introGuestWindows
Windows.
Definition: intro_types.h:1880
InsertTailList
static void InsertTailList(LIST_ENTRY *ListHead, LIST_ENTRY *Entry)
Definition: introlists.h:135
IntExceptInit
INTSTATUS IntExceptInit(void)
This function allocates the exceptions data and initialize the exception lists and the signature list...
Definition: exceptions.c:441
_EXCEPTIONS::KernelUserFeedbackExceptions
LIST_HEAD KernelUserFeedbackExceptions
Linked list used for kernel-user mode exceptions that have the feedback flag.
Definition: exceptions.h:118
_UPDATE_KUM_EXCEPTION
Describe a kernel-user mode exception in binary format.
Definition: update_exceptions.h:140
strlcpy
size_t strlcpy(char *dst, const char *src, size_t dest_size)
Definition: introcrt.c:1093
_EXCEPTIONS::Minor
WORD Minor
Definition: exceptions.h:144
UPDATE_TYPE_CB_SIGNATURE
#define UPDATE_TYPE_CB_SIGNATURE
Definition: update_exceptions.h:377
IntUpdateCreateExportSignatureFromAlert
static INTSTATUS IntUpdateCreateExportSignatureFromAlert(const ALERT_EXPORT_SIGNATURE *AlertSig, SIG_EXPORT **Signature)
Creates a new export signature from an ALERT_EXPORT_SIGNATURE.
Definition: update_exceptions.c:1607
_SIG_VERSION_OS::Maximum
union _SIG_VERSION_OS::@32 Maximum
_SIG_VALUE_CODE::Flags
DWORD Flags
Contains any flags from SIGNATURE_FLG.
Definition: exceptions.h:410
WARNING
#define WARNING(fmt,...)
Definition: glue.h:60
introEventEptViolation
Sent when an EPT violation triggers an alert. See EVENT_EPT_VIOLATION.
Definition: intro_types.h:84
ALERT_FLAG_NOT_RING0
#define ALERT_FLAG_NOT_RING0
If set, the alert was triggered in ring 1, 2 or 3.
Definition: intro_types.h:636
_KUM_EXCEPTION::Flags
DWORD Flags
Contains any flags from EXCEPTION_FLG.
Definition: exceptions.h:283
IC_TAG_EXUM
#define IC_TAG_EXUM
User exceptions structures.
Definition: memtags.h:25
UNREFERENCED_PARAMETER
#define UNREFERENCED_PARAMETER(P)
Definition: introdefs.h:29
EXCEPTION_FLG_IGNORE
This exception will be ignored.
Definition: exceptions.h:599
ALERT_CB_SIGNATURE_VERSION
#define ALERT_CB_SIGNATURE_VERSION
Definition: alert_exceptions.h:19
IntAlertCreateException
INTSTATUS IntAlertCreateException(const void *Event, INTRO_EVENT_TYPE Type, BOOLEAN LogErrors, void *Exception)
This function will dispatch the exception creation to the appropriate function, depending on the even...
Definition: alert_exceptions.c:1358
_KM_EXCEPTION
Describe a kernel-mode exception.
Definition: exceptions.h:248
for_each_km_exception
#define for_each_km_exception(_ex_head, _var_name)
Definition: exceptions.h:998
_UPDATE_FILE_HEADER::Magic
DWORD Magic
The magic value; must be UPDATE_MAGIC_WORD.
Definition: update_exceptions.h:28
__forceinline
#define __forceinline
Definition: introtypes.h:61
_UM_EXCEPTION
Describe a user-mode exception.
Definition: exceptions.h:298
UPDATE_HEADER
struct _UPDATE_HEADER UPDATE_HEADER
The header of an exception or a signature.
_UPDATE_FILE_HEADER::UserExceptionsCount
DWORD UserExceptionsCount
The number of the user-mode exceptions.
Definition: update_exceptions.h:37
UPDATE_TYPE_VALUE_CODE_SIGNATURE
#define UPDATE_TYPE_VALUE_CODE_SIGNATURE
Definition: update_exceptions.h:381
DWORD
uint32_t DWORD
Definition: intro_types.h:49
ALERT_KM_EXCEPTION_VERSION
#define ALERT_KM_EXCEPTION_VERSION
Definition: alert_exceptions.h:91
_UPDATE_CB_HASH::Count
BYTE Count
The number of hashes from the list.
Definition: update_exceptions.h:167
_INTRO_VIOLATION_HEADER
Common violation header.
Definition: intro_types.h:1078
_SIG_CODEBLOCK_HASH::Hashes
DWORD Hashes[]
The list of hashes.
Definition: exceptions.h:359
IntUpdateAddKmUmException
static INTSTATUS IntUpdateAddKmUmException(const ALERT_KUM_EXCEPTION *Exception, QWORD Context)
Creates a new kernel-user mode exception from an alert-exception structure ALERT_KUM_EXCEPTION and ad...
Definition: update_exceptions.c:2389
strlen_s
#define strlen_s(s, n)
Definition: introcrt.h:34
_SIG_VERSION_INTRO::Link
LIST_ENTRY Link
Definition: exceptions.h:523
_EXCEPTIONS::GlobUserExceptions
LIST_HEAD GlobUserExceptions
Linked list used for user-mode exceptions that contains glob content.
Definition: exceptions.h:106
UPDATE_EXCEPTIONS_MIN_VER_MINOR
#define UPDATE_EXCEPTIONS_MIN_VER_MINOR
Definition: update_exceptions.h:389
_SIG_EXPORT_HASH::Hash
DWORD Hash
The hash of the modified function name.
Definition: exceptions.h:380
_SIG_CODEBLOCK_HASH::Count
BYTE Count
The number of hashes from the list.
Definition: exceptions.h:358
ALERT_HASH_COUNT
#define ALERT_HASH_COUNT
Definition: alert_exceptions.h:17
_EXCEPTIONS::ProcessCreationExceptions
LIST_HEAD ProcessCreationExceptions
Linked list used for process creations exceptions.
Definition: exceptions.h:111
_UM_EXCEPTION_GLOB::Victim
struct _UM_EXCEPTION_GLOB::@30 Victim
INT_STATUS_INVALID_OBJECT_TYPE
#define INT_STATUS_INVALID_OBJECT_TYPE
Definition: introstatus.h:145
_EXCEPTIONS::GenericKernelExceptions
LIST_HEAD GenericKernelExceptions
Linked list used for kernel-mode exceptions that have a generic originator (*).
Definition: exceptions.h:90
_UM_EXCEPTION::Type
UM_EXCEPTION_OBJECT Type
Contains the type of the exception (UM_EXCEPTION_OBJECT).
Definition: exceptions.h:314
_UM_EXCEPTION_GLOB::Type
UM_EXCEPTION_OBJECT Type
Contains the type of the exception (UM_EXCEPTION_OBJECT).
Definition: exceptions.h:344
_EXCEPTIONS::ValueSignatures
LIST_HEAD ValueSignatures
Linked list used for value signatures.
Definition: exceptions.h:133
_SIG_VALUE::Flags
DWORD Flags
Contains any flags from SIGNATURE_FLG.
Definition: exceptions.h:447
_SIG_VERSION_OS::Flags
DWORD Flags
Contains any flags from SIGNATURE_FLG.
Definition: exceptions.h:481
IntUpdateAddProcessCreationSignature
static INTSTATUS IntUpdateAddProcessCreationSignature(UPDATE_PROCESS_CREATION_SIGNATURE *UpdateSignature, UPDATE_ITEM_SIZE *Item)
Creates a new process-creation signature and adds it to our internal list.
Definition: update_exceptions.c:1123
ALERT_EXCEPTION_SIZE
#define ALERT_EXCEPTION_SIZE
Definition: intro_types.h:669
_SIG_PROCESS_CREATION::Link
LIST_ENTRY Link
Definition: exceptions.h:566
gGuest
GUEST_STATE gGuest
The current guest state.
Definition: guests.c:48
_UM_EXCEPTION::OriginatorNameHash
DWORD OriginatorNameHash
Contains the originator name-hash.
Definition: exceptions.h:302
_UPDATE_FILE_HEADER::UserExceptionsGlobCount
DWORD UserExceptionsGlobCount
The number of the user-mode exceptions that contains glob items.
Definition: update_exceptions.h:42
SIGNATURE_FLG_LINUX
The signature is valid only on Linux.
Definition: exceptions.h:678
_SIG_VALUE_CODE::Link
LIST_ENTRY Link
Definition: exceptions.h:407
_SIG_VERSION_OS::Minimum
union _SIG_VERSION_OS::@31 Minimum
_UPDATE_VERSION_INTRO_SIGNATURE
Describe a version introspection signature in binary format.
Definition: update_exceptions.h:317
_UM_EXCEPTION_GLOB::SigCount
WORD SigCount
Contains the number of signatures.
Definition: exceptions.h:348
_UPDATE_FILE_HEADER::KernelExceptionsCount
DWORD KernelExceptionsCount
The number of the kernel-mode exceptions.
Definition: update_exceptions.h:36
_UPDATE_EXPORT_SIGNATURE
Describe an export signature in binary format.
Definition: update_exceptions.h:215
_UPDATE_VALUE_HASH::Offset
WORD Offset
The displacement from the beginning of the modified zone.
Definition: update_exceptions.h:179
for_each_cb_signature
#define for_each_cb_signature(_ex_head, _var_name)
Definition: exceptions.h:1006
_EXCEPTION_SIGNATURE_ID::Type
DWORD Type
Contains a type of signature (EXCEPTION_SIGNATURE_TYPE).
Definition: exceptions.h:238
_EXCEPTIONS::ProcessCreationFeedbackExceptions
LIST_HEAD ProcessCreationFeedbackExceptions
Linked list used for process-creation exceptions that have the feedback flag.
Definition: exceptions.h:120
EXCEPTION_TABLE_ID
#define EXCEPTION_TABLE_ID(H)
Definition: exceptions.h:51
INT_STATUS_UNSUPPORTED_DATA_VALUE
#define INT_STATUS_UNSUPPORTED_DATA_VALUE
Definition: introstatus.h:225
ALERT_PROCESS_CREATION_SIGNATURE_VERSION
#define ALERT_PROCESS_CREATION_SIGNATURE_VERSION
Definition: alert_exceptions.h:73
_SIG_PROCESS_CREATION::AlertSignature
BOOLEAN AlertSignature
True if the signature is added from alert.
Definition: exceptions.h:571
_SIG_VALUE::Score
BYTE Score
The number of (minimum) hashes from a list that need to match.
Definition: exceptions.h:449
_SIG_VERSION_INTRO::Flags
DWORD Flags
Contains any flags from SIGNATURE_FLG.
Definition: exceptions.h:526
_EXCEPTIONS::UserFeedbackExceptions
LIST_HEAD UserFeedbackExceptions
Linked list used for user-mode exceptions that have the feedback flag.
Definition: exceptions.h:114
_UPDATE_CB_SIGNATURE
Describe a code-blocks signature in binary format.
Definition: update_exceptions.h:200
_UM_EXCEPTION::ProcessHash
DWORD ProcessHash
Contains the name-hash of the process in which the modification takes place (missing for injections)...
Definition: exceptions.h:309
_SIG_VALUE_CODE::Length
WORD Length
The length of the opcode pattern.
Definition: exceptions.h:413
IntUpdateIsDuplicateIdtSignature
static BOOLEAN IntUpdateIsDuplicateIdtSignature(const ALERT_IDT_SIGNATURE *Signature, const EXCEPTION_SIGNATURE_ID *SigIds, DWORD SigCount)
Checks if the provided IDT alert-signature already exists in our list.
Definition: update_exceptions.c:1861
_EXCEPTIONS::KernelExceptions
LIST_HEAD KernelExceptions[EXCEPTION_TABLE_SIZE]
Array of linked lists used for kernel-mode exceptions.
Definition: exceptions.h:108
_EXCEPTION_CB_SIGNATURE::ListsCount
BYTE ListsCount
The number of the list of hashes.
Definition: exceptions.h:395
IntUpdateAddUmException
static INTSTATUS IntUpdateAddUmException(const ALERT_UM_EXCEPTION *Exception, QWORD Context)
Creates a new user-mode exception from an alert-exception structure ALERT_UM_EXCEPTION and adds it to...
Definition: update_exceptions.c:2151
_EXCEPTION_SIGNATURE_ID::Field
struct _EXCEPTION_SIGNATURE_ID::@27 Field
IC_TAG_EXKU
#define IC_TAG_EXKU
Kernel-User mode exceptions structures.
Definition: memtags.h:24
UPDATE_TYPE_VERSION_OS_SIGNATURE
#define UPDATE_TYPE_VERSION_OS_SIGNATURE
Definition: update_exceptions.h:383
UPDATE_TYPE_VALUE_SIGNATURE
#define UPDATE_TYPE_VALUE_SIGNATURE
Definition: update_exceptions.h:379
_UM_EXCEPTION_GLOB::Signatures
EXCEPTION_SIGNATURE_ID Signatures[]
Contains an array of signatures ID.
Definition: exceptions.h:349
_SIG_IDT::AlertSignature
BOOLEAN AlertSignature
True if the signature is added from alert.
Definition: exceptions.h:469
IntUpdateAddKernelUserExceptionInOrder
static void IntUpdateAddKernelUserExceptionInOrder(KUM_EXCEPTION *Exception)
Adds a kernel-user mode exceptions from alert in the sorted list.
Definition: update_exceptions.c:1571
IntUpdateGetVersion
INTSTATUS IntUpdateGetVersion(WORD *MajorVersion, WORD *MinorVersion, DWORD *BuildNumber)
Get the version of the loaded exceptions binary file.
Definition: update_exceptions.c:38
_SIG_VERSION_OS::Value
QWORD Value
Contains the minimum build number of the operating system (used for windows).
Definition: exceptions.h:497
_UPDATE_CB_HASH::Hashes
DWORD Hashes[]
The hashes list.
Definition: update_exceptions.h:170
signatureTypeCodeBlocks
The range-identifier used for codeblocks signature.
Definition: exceptions.h:80
_EXCEPTIONS::GenericKernelUserExceptions
LIST_HEAD GenericKernelUserExceptions
Linked list used for kernel-user mode exceptions that have a generic originator(*).
Definition: exceptions.h:95
_SIG_IDT
Describes a idt signature.
Definition: exceptions.h:460
PUPDATE_CB_HASH
struct _UPDATE_CB_HASH * PUPDATE_CB_HASH
_EXCEPTION_SIGNATURE_ID::Value
DWORD Value
Contains an unique value.
Definition: exceptions.h:237
INT_STATUS_INVALID_PARAMETER_1
#define INT_STATUS_INVALID_PARAMETER_1
Definition: introstatus.h:62
INT_STATUS_NOT_SUPPORTED
#define INT_STATUS_NOT_SUPPORTED
Definition: introstatus.h:287
ALERT_UM_EXCEPTION_VERSION
#define ALERT_UM_EXCEPTION_VERSION
Definition: alert_exceptions.h:135
_KM_EXCEPTION::Signatures
EXCEPTION_SIGNATURE_ID Signatures[]
Contains a array of signatures ID.
Definition: exceptions.h:263
_UPDATE_UM_EXCEPTION_GLOB
Describe a user-mode-glob exception in binary format.
Definition: update_exceptions.h:110
UPDATE_TYPE_UM_EXCEPTION
#define UPDATE_TYPE_UM_EXCEPTION
Definition: update_exceptions.h:373
_UPDATE_FILE_HEADER::Major
WORD Major
The major version of the exceptions binary file.
Definition: update_exceptions.h:32
INTRO_EVENT_TYPE
enum _INTRO_EVENT_TYPE INTRO_EVENT_TYPE
Event classes.
introEventIntegrityViolation
Sent for integrity violation alerts. See EVENT_INTEGRITY_VIOLATION.
Definition: intro_types.h:92
_SIG_PROCESS_CREATION::CreateMask
DWORD CreateMask
Contains the DPI mask.
Definition: exceptions.h:573
_SIG_VALUE::Link
LIST_ENTRY Link
Definition: exceptions.h:444
alert_exceptions.h
IntUpdateIsDuplicateCbSignature
static BOOLEAN IntUpdateIsDuplicateCbSignature(const ALERT_CB_SIGNATURE *Signature, const EXCEPTION_SIGNATURE_ID *SigIds, DWORD SigCount)
Checks if the provided code-blocks alert-signature already exists in our list.
Definition: update_exceptions.c:1807
_UPDATE_EXPORT_HASH::Hash
DWORD Hash
The hash of the modified function name.
Definition: update_exceptions.h:193
_UM_EXCEPTION::SigCount
WORD SigCount
Contains the number of signatures.
Definition: exceptions.h:318
UPDATE_EXPORT_HASH
struct _UPDATE_EXPORT_HASH UPDATE_EXPORT_HASH
Describe a export hash in binary format.
_SIG_VALUE_CODE::Offset
INT16 Offset
The displacement from the beginning of the modified zone.
Definition: exceptions.h:412
UPDATE_VALIDATE_ALL
#define UPDATE_VALIDATE_ALL
All exception validation options.
Definition: update_exceptions.c:21
introEventMsrViolation
Sent when a MSR violation triggers an alert.See EVENT_MSR_VIOLATION.
Definition: intro_types.h:86
_EXCEPTION_CB_SIGNATURE::Object
CHAR Object[]
Contains list of (SIG_CODEBLOCK_HASH).
Definition: exceptions.h:398
IntUpdateSetIdForException
static void IntUpdateSetIdForException(EXCEPTION_SIGNATURE_ID *Signatures, DWORD Count)
Generate a new ID for each signature.
Definition: update_exceptions.c:1167
PUPDATE_ITEM_SIZE
struct _UPDATE_ITEM_SIZE * PUPDATE_ITEM_SIZE
UPDATE_CB_HASH
struct _UPDATE_CB_HASH UPDATE_CB_HASH
Describe a code-blocks hash in binary format.
IntUpdateAddExportSignature
static INTSTATUS IntUpdateAddExportSignature(UPDATE_EXPORT_SIGNATURE *UpdateSignature, UPDATE_ITEM_SIZE *Item)
Creates a new export signature and adds it to our internal list.
Definition: update_exceptions.c:1061
_UPDATE_VALUE_HASH::Size
WORD Size
The size of of the modified zone.
Definition: update_exceptions.h:180
IntUpdateIsDuplicateKernelUserException
static BOOLEAN IntUpdateIsDuplicateKernelUserException(const ALERT_KUM_EXCEPTION *Exception)
Checks if the provided kernel-user mode exception already exists in out list.
Definition: update_exceptions.c:2019
_SIG_VALUE::Object
CHAR Object[]
Contains lists of (SIG_VALUE_HASH).
Definition: exceptions.h:453
_SIG_VERSION_INTRO::Id
EXCEPTION_SIGNATURE_ID Id
An unique id (EXCEPTION_SIGNATURE_ID).
Definition: exceptions.h:525
_UM_EXCEPTION::Signatures
EXCEPTION_SIGNATURE_ID Signatures[]
Contains an array of signatures ID.
Definition: exceptions.h:319
_EXCEPTION_CB_SIGNATURE
Describes a codeblocks signature.
Definition: exceptions.h:387
_EXCEPTION_CB_SIGNATURE::Flags
DWORD Flags
Contains any flags from _SIGNATURE_FLG.
Definition: exceptions.h:392
_UM_EXCEPTION_GLOB::Link
LIST_ENTRY Link
Definition: exceptions.h:328
_UPDATE_FILE_HEADER::KernelUserExceptionsCount
DWORD KernelUserExceptionsCount
The number of the kernel-user mode exceptions.
Definition: update_exceptions.h:43
_UPDATE_UM_EXCEPTION
Describe a user-mode exception in binary format.
Definition: update_exceptions.h:86
UPDATE_TYPE_KM_EXCEPTION
#define UPDATE_TYPE_KM_EXCEPTION
Definition: update_exceptions.h:372
INT_STATUS_INVALID_PARAMETER_2
#define INT_STATUS_INVALID_PARAMETER_2
Definition: introstatus.h:65
_SIG_EXPORT::AlertSignature
BOOLEAN AlertSignature
True if the signature is added from alert.
Definition: exceptions.h:433
_EXCEPTIONS::NoNameUserExceptions
LIST_HEAD NoNameUserExceptions
Linked list used for user-mode exceptions that don&#39;t have a valid originator (-). ...
Definition: exceptions.h:100
_SIG_CODEBLOCK_HASH
Describe a codeblocks signature hash.
Definition: exceptions.h:356
UtilQuickSort
void UtilQuickSort(void *Array, const DWORD NumberOfElements, const BYTE ElementSize)
Definition: utils.c:267
_SIG_VERSION_OS
Describes a operating system version signature.
Definition: exceptions.h:476
_UPDATE_EXPORT_HASH::Delta
WORD Delta
The number of bytes that are modified.
Definition: update_exceptions.h:191
umObjNxZone
The object that has a NX zone is executed.
Definition: exceptions.h:208
IntUpdateAddExceptionFromAlert
INTSTATUS IntUpdateAddExceptionFromAlert(const void *Event, INTRO_EVENT_TYPE Type, BOOLEAN Exception, QWORD Context)
Handles all types of supported exceptions that can be added from alerts.
Definition: update_exceptions.c:2472
INT_STATUS_INVALID_DATA_SIZE
#define INT_STATUS_INVALID_DATA_SIZE
Definition: introstatus.h:142
_LIST_ENTRY
Definition: introlists.h:16
IntExceptRemove
INTSTATUS IntExceptRemove(void)
This function removes and frees all exceptions and signatures that have been added from exception bin...
Definition: exceptions.c:257
_SIG_VERSION_OS::Link
LIST_ENTRY Link
Definition: exceptions.h:478
for_each_export_signature
#define for_each_export_signature(_ex_head, _var_name)
Definition: exceptions.h:1008
SIG_EXPORT_HASH
struct _SIG_EXPORT_HASH SIG_EXPORT_HASH
Describe a export signature hash.
FALSE
#define FALSE
Definition: intro_types.h:34
INT_STATUS_INSUFFICIENT_RESOURCES
#define INT_STATUS_INSUFFICIENT_RESOURCES
Definition: introstatus.h:281
EXCEPTION_SIGNATURE_TYPE
enum _EXCEPTION_SIGNATURE_TYPE EXCEPTION_SIGNATURE_TYPE
The identifier that describes a range of signatures.
INT_STATUS_INVALID_PARAMETER_3
#define INT_STATUS_INVALID_PARAMETER_3
Definition: introstatus.h:68
_EXCEPTIONS::VersionOsSignatures
LIST_HEAD VersionOsSignatures
Linked list used for operating system version signatures.
Definition: exceptions.h:136