MCPcopy Create free account
hub / github.com/D4stiny/PeaceMaker / PushStackViolationAlert

Method PushStackViolationAlert

PeaceMaker Kernel/DetectionLogic.cpp:102–161  ·  view source on GitHub ↗

Create and push a stack violation alert. @param DetectionSource - The filter we are checking the stack of. @param ViolatingAddress - If the origin of this alert is from an audit address operation, log the specific address. @param SourceProcessId - The source of the audit. @param SourcePath - The source path. @param TargetPath - The target path. @param StackHistory - A variable-length array o

Source from the content-addressed store, hash-verified

100 @param StackHistorySize - Size of the StackHistory array.
101*/
102VOID
103DetectionLogic::PushStackViolationAlert(
104 _In_ DETECTION_SOURCE DetectionSource,
105 _In_ PVOID ViolatingAddress,
106 _In_ HANDLE SourceProcessId,
107 _In_ PUNICODE_STRING SourcePath,
108 _In_ PUNICODE_STRING TargetPath,
109 _In_ STACK_RETURN_INFO StackHistory[],
110 _In_ ULONG StackHistorySize
111 )
112{
113 ULONG stackHistoryBytes;
114 PSTACK_VIOLATION_ALERT stackViolationAlert;
115
116 //
117 // Calculate the size of the StackHistory array in bytes.
118 //
119 stackHistoryBytes = sizeof(STACK_RETURN_INFO) * (StackHistorySize-1);
120
121 //
122 // Allocate space for the alert depending on the size of StackHistory.
123 //
124 stackViolationAlert = RCAST<PSTACK_VIOLATION_ALERT>(ExAllocatePoolWithTag(PagedPool, sizeof(STACK_VIOLATION_ALERT) + stackHistoryBytes, STACK_VIOLATION_TAG));
125 if (stackViolationAlert == NULL)
126 {
127 DBGPRINT("DetectionLogic!PushStackViolationAlert: Failed to allocate space for the alert.");
128 return;
129 }
130 memset(stackViolationAlert, 0, sizeof(STACK_VIOLATION_ALERT) + stackHistoryBytes);
131
132 //
133 // Fill the fields of the alert.
134 //
135 stackViolationAlert->AlertInformation.AlertType = StackViolation;
136 stackViolationAlert->AlertInformation.AlertSource = DetectionSource;
137 stackViolationAlert->ViolatingAddress = ViolatingAddress;
138 stackViolationAlert->AlertInformation.SourceId = SourceProcessId;
139
140 if (SourcePath)
141 {
142 RtlStringCbCopyUnicodeString(stackViolationAlert->AlertInformation.SourcePath, MAX_PATH, SourcePath);
143 }
144 if (TargetPath)
145 {
146 RtlStringCbCopyUnicodeString(stackViolationAlert->AlertInformation.TargetPath, MAX_PATH, TargetPath);
147 }
148
149 stackViolationAlert->StackHistorySize = StackHistorySize;
150 memcpy(&stackViolationAlert->StackHistory, StackHistory, sizeof(STACK_RETURN_INFO) * StackHistorySize);
151
152 //
153 // Push the alert.
154 //
155 this->alerts->PushAlert(RCAST<PBASE_ALERT_INFO>(stackViolationAlert), sizeof(STACK_VIOLATION_ALERT) + stackHistoryBytes);
156
157 //
158 // PushAlert copies the alert, so we can free our copy.
159 //

Callers 2

AuditUserStackWalkMethod · 0.95
AuditUserPointerMethod · 0.95

Calls 1

PushAlertMethod · 0.80

Tested by

no test coverage detected