/**
 * @file si_common.h
 * @brief Copy of System Interceptors common structures for driver usage
 * @details Copyright (c) 2024 Acronis International GmbH
 *
 * Wire-format definitions shared with av-sdk. Every enum value and struct
 * layout below is part of the transport ABI: the enums carry explicit numeric
 * anchors (with `// ...` gaps) so that identifiers stay stable even though this
 * copy lists only a subset, and the structs are PACKED so that their in-memory
 * layout equals their serialized layout.
 *
 * Notes for consumers of these types:
 *  - The uint*_t types are not included here; this header relies on
 *    "transport_protocol.h" (which also supplies msg_type_t) to bring them in.
 *  - SiVector::SizeInBytes, SiProperty::Size, SiEvent::Size and SiInfo::Size
 *    are length prefixes read from the message. A parser should check each one
 *    against the bytes actually remaining in the buffer, and against the size of
 *    the fixed part of the struct, before dereferencing what follows it.
 *  - PropertyId, ValueType, Operation and CallbackType are plain integers on
 *    the wire (uint16_t/uint8_t) and can hold values outside the corresponding
 *    enum; range-check them (e.g. ValueType < SI_VT_MAX_PROPERTY_VALUE_TYPE)
 *    before using them to select a decoder.
 *  - Members of PACKED structs may be unaligned; on targets that fault on
 *    unaligned access, copy fields out with memcpy rather than taking pointers
 *    to them.
 *
 * @author Denis Kopyrin ([email protected])
 * @since $Id: $
 */
#pragma once

#include "transport_protocol.h"

// !!! Properties here must match exactly av-sdk !!!

// Fallback definition; __attribute__((packed)) is a GCC/Clang extension.
#if !defined PACKED
#define PACKED __attribute__((packed))
#endif

/** Operation (event) type; aliases the transport's message type. */
typedef msg_type_t SiOperationType;

/**
 * Identifier of a property attached to an event (SiProperty::PropertyId).
 * Values are fixed by av-sdk; the `// ...` markers stand for identifiers that
 * exist in av-sdk but are not reproduced in this copy. Do not renumber or
 * reorder entries, and keep the explicit `= N` anchors when adding new ones.
 */
typedef enum {
    SI_PI_UNKNOWN = 0,
    SI_PI_EVENT_UID,
    SI_PI_THREAD_ID,
    SI_PI_THREAD_UID,
    SI_PI_PROCESS_ID,
    SI_PI_PROCESS_UID,
    SI_PI_PARENT_PROCESS_ID,
    SI_PI_PARENT_PROCESS_UID,
    SI_PI_OBJECT_NAME,
    SI_PI_TARGET_NAME,
    SI_PI_OBJECT_ID,
    SI_PI_TARGET_ID,
    SI_PI_OBJECT_REGION,
    SI_PI_FLAGS,
    SI_PI_IMAGE_FILE_NAME,
    SI_PI_COMMAND_LINE,
    SI_PI_PROCESS_FILE_NAME_IS_NOT_PATH,
    SI_PI_TERMINATED_PROCESS,
    // ...
    SI_PI_FILE_MODIFIED = 39,
    // ...
    SI_PI_ACCESS_MODE = 41,
    SI_PI_FILE_POS,
    SI_PI_PROTECTION,
    SI_PI_CONTROL_COMMAND,
    SI_PI_CONTROL_ARG,
    SI_PI_USER_ID,
    SI_PI_GROUP_ID,
    // ...
    SI_PI_EVENT_TIMESTAMP = 53,
    SI_PI_PROCESS_START_TIMESTAMP,
    // ...
    SI_PI_VOLUME_ID_LOW = 80,
    SI_PI_VOLUME_ID_HIGH,
    // ...
    SI_PI_CURRENT_WORKING_DIRECTORY = 89,
    // ...
    SI_PI_SYSTEM_TIME_OLD_TIMESTAMP = 93,
    SI_PI_SYSTEM_TIME_NEW_TIMESTAMP,
    SI_PI_ARTIFICIAL_PROCESS_START_TIMESTAMP,
    SI_PI_PARENT_ARTIFICIAL_PROCESS_START_TIMESTAMP,
    // ...
    SI_PI_EFFECTIVE_USER_ID = 99,
    SI_PI_EFFECTIVE_GROUP_ID,
    SI_PI_FILE_TYPE,
    SI_PI_SAVED_USER_ID,
    SI_PI_SAVED_GROUP_ID,
    SI_PI_AUDIT_USER_ID,
    SI_PI_AUDIT_SESSION_ID,
    SI_PI_PROCESS_ID_VERSION,
    SI_PI_RESPONSIBLE_PROCESS_ID,
    SI_PI_RESPONSIBLE_PROCESS_ARTIFICIAL_START_TIMESTAMP,
    SI_PI_FILE_ATTRIBUTES,
    SI_PI_FILE_CHANGE_TIME,
    SI_PI_FILE_BIRTH_TIME,
    SI_PI_FILE_ACCESS_TIME,
    SI_PI_FILE_MODIFICATION_TIME,
    SI_PI_UNIX_EXEC_TYPE,             ///< value is a SiUnixExecType
    // ...
    SI_PI_OBJECT_FILE_HANDLE = 116,
    // ...
    SI_PI_PARENT_PROCESS_START_TIMESTAMP = 119,
    // ...
    SI_PI_SOCKET_PORT = 124,
    SI_PI_SOCKET_FAMILY,
    SI_PI_SOCKET_PROTOCOL,
    SI_PI_SOCKET_ADDRESS,
    SI_PI_NETWORK_HOST,
    SI_PI_NETWORK_URL,
    SI_PI_HTTP_METHOD,
    SI_PI_CGROUP_NAME,
} SiPropertyId;

/**
 * Encoding of SiProperty::ValueBuffer (SiProperty::ValueType).
 * The trailing comment on each entry names the struct that the value buffer
 * holds; scalar types hold the corresponding fixed-width integer.
 * SI_VT_MAX_PROPERTY_VALUE_TYPE is the exclusive upper bound for range checks
 * and is not a valid value type itself.
 */
typedef enum {
    SI_VT_SIGNED8_TYPE = 0,
    SI_VT_SIGNED16_TYPE,
    SI_VT_SIGNED32_TYPE,
    SI_VT_SIGNED64_TYPE,
    SI_VT_UNSIGNED8_TYPE,
    SI_VT_UNSIGNED16_TYPE,
    SI_VT_UNSIGNED32_TYPE,
    SI_VT_UNSIGNED64_TYPE,
    SI_VT_BYTE_ARRAY_TYPE,            ///< SiVector
    SI_VT_UTF8_STRING_TYPE,           ///< SiVector
    SI_VT_UTF16_STRING_TYPE,          ///< SiVector
    SI_VT_OBJECT_ID_TYPE,             ///< SiObjectId
    SI_VT_REGION_TYPE,                ///< SiRegion
    SI_VT_BOOLEAN_TYPE,               ///< uint8_t : 0 = false, not 0 = true
    SI_VT_BLOB_TYPE,                  ///< SiBLOB (not defined in this header; presumably lives in av-sdk — verify)
    SI_VT_MAX_PROPERTY_VALUE_TYPE
} SiPropertyValueType;

/**
 * Length-prefixed byte array.
 * SizeInBytes counts the bytes in VectorBuffer only (not the prefix itself).
 * It is read from the message: check it against the space remaining in the
 * enclosing property before touching VectorBuffer.
 */
typedef struct PACKED {
    uint32_t SizeInBytes;
    uint8_t VectorBuffer[];
} SiVector;

/**
 * One typed property inside an SiEvent / SiInfo.
 * Size is the total length of this property including the fixed header, so a
 * consumer advances to the next property by Size bytes; with PACKED the fixed
 * header (Size, PropertyId, ValueType) is 7 bytes, and Size must be at least
 * that and no larger than the bytes remaining in the containing message.
 */
typedef struct PACKED {
    uint32_t Size;
    uint16_t PropertyId;              ///< SiPropertyId enum type (wire integer; may carry values this copy does not list)
    uint8_t ValueType;                ///< SiPropertyValueType enum type (wire integer; range-check before dispatch)
    uint8_t ValueBuffer[];            ///< Size - 7 bytes, encoded per ValueType
} SiProperty;

/** Byte range [Start, Start + Length). */
typedef struct PACKED {
    uint64_t Start;
    uint64_t Length;
} SiRegion;

/** Whether an operation callback runs before or after the operation. */
typedef enum {
    SI_CT_PRE_CALLBACK,
    SI_CT_POST_CALLBACK,
} SiOpCallbackType;

/** How a process image came to be executed; value of SI_PI_UNIX_EXEC_TYPE. */
typedef enum {
    // Process performed 'exec' syscall
    SI_UNIX_EXEC_TYPE_EXEC,
    // Process created as a result of 'posix_spawn' syscall
    SI_UNIX_EXEC_TYPE_POSIX_SPAWN,
    // Process was detected to have audit token EXEC for which was not sent previously.
    // Such event triggers 'fake' EXEC for BE to handle
    SI_UNIX_EXEC_TYPE_GENERATED,
} SiUnixExecType;

/**
 * Event message: fixed header followed by PropertiesNumber variable-length
 * SiProperty records.
 *
 * NOTE(review): `SiProperty FirstProperty[]` is an array whose element type
 * itself ends in a flexible array member; ISO C (6.7.2.1) does not allow this
 * and GCC/Clang accept it as an extension. Because each property has its own
 * Size, `FirstProperty[i]` (which steps by sizeof(SiProperty)) does not address
 * the i-th property; presumably consumers walk from &FirstProperty[0] by each
 * property's Size and stop at Size / PropertiesNumber — verify against the
 * parser.
 */
typedef struct PACKED {
    uint32_t Size;                    ///< total message length including this header; validate against the received byte count
    uint16_t Operation;               ///< SiOperationType enum type
    uint16_t CallbackType;            ///< SiOpCallbackType enum type
    uint64_t ProcessUID;
    uint32_t PropertiesNumber;        ///< number of SiProperty records that follow; bound the walk by Size as well
    SiProperty FirstProperty[];
} SiEvent;

/**
 * Generic property bag with the same property encoding as SiEvent but without
 * the operation/process header. The NOTE on SiEvent about FirstProperty[]
 * applies here as well.
 */
typedef struct PACKED {
    uint32_t Size;                    ///< total length including this header
    uint32_t PropertiesNumber;        ///< number of SiProperty records that follow
    SiProperty FirstProperty[];
} SiInfo;

/** Object identity: a device identifier plus an identifier within it. */
typedef struct PACKED {
    uint64_t DeviceId;
    uint64_t Id;
} SiObjectId;

/** Time value in microseconds (epoch not stated here — confirm with av-sdk). */
typedef struct PACKED {
    uint64_t microseconds;
} SiTimeMicroseconds;

// Mapped to SiRegion (SiTimeSpec has the same two-uint64_t packed layout as SiRegion)
typedef struct PACKED {
    uint64_t seconds;
    uint64_t nanoseconds;
} SiTimeSpec;

/**
 * Non-owning view of a character buffer: value + explicit length in bytes.
 * Not PACKED — this is an in-process helper, not a wire structure. Presumably
 * value is not required to be NUL-terminated, since length is carried
 * separately — treat it as length-delimited unless a user proves otherwise.
 */
typedef struct {
    const char* value;
    uint32_t length;
} SiSizedString;

/**
 * Non-owning view of an arbitrary byte buffer: value + length in bytes.
 * Not PACKED — in-process helper, not a wire structure.
 */
typedef struct {
    const void* value;
    uint32_t length;
} SiSizedBuffer;