Create and push a stack violation alert. @param DetectionSource - The filter we are checking the stack of. @param ViolatingAddress - If the origin of this alert is from an audit address operation, log the specific address. @param SourceProcessId - The source of the audit. @param SourcePath - The source path. @param TargetPath - The target path. @param StackHistory - A variable-length array o
| 100 | @param StackHistorySize - Size of the StackHistory array. |
| 101 | */ |
| 102 | VOID |
| 103 | DetectionLogic::PushStackViolationAlert( |
| 104 | _In_ DETECTION_SOURCE DetectionSource, |
| 105 | _In_ PVOID ViolatingAddress, |
| 106 | _In_ HANDLE SourceProcessId, |
| 107 | _In_ PUNICODE_STRING SourcePath, |
| 108 | _In_ PUNICODE_STRING TargetPath, |
| 109 | _In_ STACK_RETURN_INFO StackHistory[], |
| 110 | _In_ ULONG StackHistorySize |
| 111 | ) |
| 112 | { |
| 113 | ULONG stackHistoryBytes; |
| 114 | PSTACK_VIOLATION_ALERT stackViolationAlert; |
| 115 | |
| 116 | // |
| 117 | // Calculate the size of the StackHistory array in bytes. |
| 118 | // |
| 119 | stackHistoryBytes = sizeof(STACK_RETURN_INFO) * (StackHistorySize-1); |
| 120 | |
| 121 | // |
| 122 | // Allocate space for the alert depending on the size of StackHistory. |
| 123 | // |
| 124 | stackViolationAlert = RCAST<PSTACK_VIOLATION_ALERT>(ExAllocatePoolWithTag(PagedPool, sizeof(STACK_VIOLATION_ALERT) + stackHistoryBytes, STACK_VIOLATION_TAG)); |
| 125 | if (stackViolationAlert == NULL) |
| 126 | { |
| 127 | DBGPRINT("DetectionLogic!PushStackViolationAlert: Failed to allocate space for the alert."); |
| 128 | return; |
| 129 | } |
| 130 | memset(stackViolationAlert, 0, sizeof(STACK_VIOLATION_ALERT) + stackHistoryBytes); |
| 131 | |
| 132 | // |
| 133 | // Fill the fields of the alert. |
| 134 | // |
| 135 | stackViolationAlert->AlertInformation.AlertType = StackViolation; |
| 136 | stackViolationAlert->AlertInformation.AlertSource = DetectionSource; |
| 137 | stackViolationAlert->ViolatingAddress = ViolatingAddress; |
| 138 | stackViolationAlert->AlertInformation.SourceId = SourceProcessId; |
| 139 | |
| 140 | if (SourcePath) |
| 141 | { |
| 142 | RtlStringCbCopyUnicodeString(stackViolationAlert->AlertInformation.SourcePath, MAX_PATH, SourcePath); |
| 143 | } |
| 144 | if (TargetPath) |
| 145 | { |
| 146 | RtlStringCbCopyUnicodeString(stackViolationAlert->AlertInformation.TargetPath, MAX_PATH, TargetPath); |
| 147 | } |
| 148 | |
| 149 | stackViolationAlert->StackHistorySize = StackHistorySize; |
| 150 | memcpy(&stackViolationAlert->StackHistory, StackHistory, sizeof(STACK_RETURN_INFO) * StackHistorySize); |
| 151 | |
| 152 | // |
| 153 | // Push the alert. |
| 154 | // |
| 155 | this->alerts->PushAlert(RCAST<PBASE_ALERT_INFO>(stackViolationAlert), sizeof(STACK_VIOLATION_ALERT) + stackHistoryBytes); |
| 156 | |
| 157 | // |
| 158 | // PushAlert copies the alert, so we can free our copy. |
| 159 | // |
no test coverage detected