/**
@file si_common.h
@brief Copy of System Interceptors common structures for driver usage
@details Copyright (c) 2024 Acronis International GmbH
@author Denis Kopyrin (denis.kopyrin@acronis.com)
@since $Id: $
*/
#pragma once
#include "transport_protocol.h"
// !!! The definitions here must match av-sdk exactly !!!
// Fallback for the GCC/Clang packed attribute when the build does not define
// PACKED itself. Every wire struct below relies on it to have no padding.
// NOTE(review): a toolchain without __attribute__ needs its own PACKED
// definition supplied before this header, otherwise the layouts below would no
// longer match av-sdk — confirm for any non-GCC/Clang build.
#if !defined PACKED
#define PACKED __attribute__((packed))
#endif
/// Operation code carried in SiEvent::Operation; an alias of msg_type_t
/// (presumably declared in transport_protocol.h, included above — confirm).
typedef msg_type_t SiOperationType;
/// Identifiers of the properties attached to an SiEvent / SiInfo, stored on
/// the wire as the 16-bit SiProperty::PropertyId. The numeric values are part
/// of the av-sdk contract: entries are pinned with explicit values after every
/// gap (the "// ..." lines mark ranges this driver-side copy omits), so never
/// renumber or reorder. The highest value here, SI_PI_CGROUP_NAME (131), fits
/// in uint16_t. SI_PI_UNKNOWN (0) is presumably the "no property" sentinel.
typedef enum {
SI_PI_UNKNOWN = 0,
SI_PI_EVENT_UID,
SI_PI_THREAD_ID,
SI_PI_THREAD_UID,
SI_PI_PROCESS_ID,
SI_PI_PROCESS_UID,
SI_PI_PARENT_PROCESS_ID,
SI_PI_PARENT_PROCESS_UID,
SI_PI_OBJECT_NAME,
SI_PI_TARGET_NAME,
SI_PI_OBJECT_ID,
SI_PI_TARGET_ID,
SI_PI_OBJECT_REGION,
SI_PI_FLAGS,
SI_PI_IMAGE_FILE_NAME,
SI_PI_COMMAND_LINE,
SI_PI_PROCESS_FILE_NAME_IS_NOT_PATH,
SI_PI_TERMINATED_PROCESS,
// ... (values 18..38 omitted in this copy)
SI_PI_FILE_MODIFIED = 39,
// ... (value 40 omitted in this copy)
SI_PI_ACCESS_MODE = 41,
SI_PI_FILE_POS,
SI_PI_PROTECTION,
SI_PI_CONTROL_COMMAND,
SI_PI_CONTROL_ARG,
SI_PI_USER_ID,
SI_PI_GROUP_ID,
// ... (values 48..52 omitted in this copy)
SI_PI_EVENT_TIMESTAMP = 53,
SI_PI_PROCESS_START_TIMESTAMP,
// ... (values 55..79 omitted in this copy)
SI_PI_VOLUME_ID_LOW = 80,
SI_PI_VOLUME_ID_HIGH,
// ... (values 82..88 omitted in this copy)
SI_PI_CURRENT_WORKING_DIRECTORY = 89,
// ... (values 90..92 omitted in this copy)
SI_PI_SYSTEM_TIME_OLD_TIMESTAMP = 93,
SI_PI_SYSTEM_TIME_NEW_TIMESTAMP,
SI_PI_ARTIFICIAL_PROCESS_START_TIMESTAMP,
SI_PI_PARENT_ARTIFICIAL_PROCESS_START_TIMESTAMP,
// ... (values 97..98 omitted in this copy)
SI_PI_EFFECTIVE_USER_ID = 99,
SI_PI_EFFECTIVE_GROUP_ID,
SI_PI_FILE_TYPE,
SI_PI_SAVED_USER_ID,
SI_PI_SAVED_GROUP_ID,
SI_PI_AUDIT_USER_ID,
SI_PI_AUDIT_SESSION_ID,
SI_PI_PROCESS_ID_VERSION,
SI_PI_RESPONSIBLE_PROCESS_ID,
SI_PI_RESPONSIBLE_PROCESS_ARTIFICIAL_START_TIMESTAMP,
SI_PI_FILE_ATTRIBUTES,
SI_PI_FILE_CHANGE_TIME,
SI_PI_FILE_BIRTH_TIME,
SI_PI_FILE_ACCESS_TIME,
SI_PI_FILE_MODIFICATION_TIME,
SI_PI_UNIX_EXEC_TYPE, ///< presumably carries an SiUnixExecType value — confirm
// ... (values 114..115 omitted in this copy)
SI_PI_OBJECT_FILE_HANDLE = 116,
// ... (values 117..118 omitted in this copy)
SI_PI_PARENT_PROCESS_START_TIMESTAMP = 119,
// ... (values 120..123 omitted in this copy)
SI_PI_SOCKET_PORT = 124,
SI_PI_SOCKET_FAMILY,
SI_PI_SOCKET_PROTOCOL,
SI_PI_SOCKET_ADDRESS,
SI_PI_NETWORK_HOST,
SI_PI_NETWORK_URL,
SI_PI_HTTP_METHOD,
SI_PI_CGROUP_NAME,
} SiPropertyId;
/// Encoding of SiProperty::ValueBuffer, stored on the wire as the 8-bit
/// SiProperty::ValueType. The trailing notes name the structure the buffer
/// holds for the non-integer types. SI_VT_MAX_PROPERTY_VALUE_TYPE is the
/// one-past-the-end sentinel, not a real encoding: a parser should reject any
/// ValueType >= SI_VT_MAX_PROPERTY_VALUE_TYPE before interpreting the buffer,
/// and should check that the buffer is large enough for the named structure
/// (e.g. 8 bytes for SI_VT_SIGNED64_TYPE, sizeof(SiRegion) for SI_VT_REGION_TYPE).
typedef enum {
SI_VT_SIGNED8_TYPE = 0,
SI_VT_SIGNED16_TYPE,
SI_VT_SIGNED32_TYPE,
SI_VT_SIGNED64_TYPE,
SI_VT_UNSIGNED8_TYPE,
SI_VT_UNSIGNED16_TYPE,
SI_VT_UNSIGNED32_TYPE,
SI_VT_UNSIGNED64_TYPE,
SI_VT_BYTE_ARRAY_TYPE, ///< SiVector
SI_VT_UTF8_STRING_TYPE, ///< SiVector (no NUL terminator is implied by the layout — bound by SizeInBytes)
SI_VT_UTF16_STRING_TYPE, ///< SiVector (no terminator implied; SizeInBytes is in bytes, not code units)
SI_VT_OBJECT_ID_TYPE, ///< SiObjectId
SI_VT_REGION_TYPE, ///< SiRegion
SI_VT_BOOLEAN_TYPE, ///< uint8_t : 0 = false, not 0 = true
SI_VT_BLOB_TYPE, ///< SiBLOB (not defined in this copy)
SI_VT_MAX_PROPERTY_VALUE_TYPE ///< Sentinel: one past the last valid encoding
} SiPropertyValueType;
/// Variable-length byte payload; the value layout for SI_VT_BYTE_ARRAY_TYPE,
/// SI_VT_UTF8_STRING_TYPE and SI_VT_UTF16_STRING_TYPE. 4-byte packed header
/// followed by the bytes.
typedef struct PACKED {
uint32_t SizeInBytes; ///< presumably the number of bytes in VectorBuffer — TODO confirm against av-sdk
uint8_t VectorBuffer[]; ///< NOTE(review): untrusted length from the wire — check SizeInBytes against the bytes remaining in the enclosing property before reading; no terminator is implied
} SiVector;
/// One serialized property record: a 7-byte packed header (4 + 2 + 1) followed
/// by a value whose layout is selected by ValueType.
typedef struct PACKED {
uint32_t Size; ///< NOTE(review): whether this counts the 7-byte header or only ValueBuffer is not stated here — confirm with av-sdk before using it to step to the next record, and validate it against the bytes remaining in the containing message
uint16_t PropertyId; ///< SiPropertyId enum type
uint8_t ValueType; ///< SiPropertyValueType enum type; reject values >= SI_VT_MAX_PROPERTY_VALUE_TYPE
uint8_t ValueBuffer[]; ///< Contents depend on ValueType (see SiPropertyValueType)
} SiProperty;
/// Value layout for SI_VT_REGION_TYPE: two packed uint64_t (16 bytes).
/// SiTimeSpec below is declared with the same layout.
typedef struct PACKED {
uint64_t Start; ///< presumably the region's start offset — confirm units with av-sdk
uint64_t Length; ///< presumably the region's length; NOTE(review): Start + Length can wrap in uint64_t, so check the sum before using it as a bound
} SiRegion;
/// Whether an SiEvent was emitted before (0) or after (1) the intercepted
/// operation; stored on the wire as the 16-bit SiEvent::CallbackType.
typedef enum {
SI_CT_PRE_CALLBACK,
SI_CT_POST_CALLBACK,
} SiOpCallbackType;
/// How a Unix process image came to be executed; presumably the value of the
/// SI_PI_UNIX_EXEC_TYPE property (confirm with av-sdk). Values start at 0.
typedef enum {
// Process performed an 'exec' syscall
SI_UNIX_EXEC_TYPE_EXEC,
// Process was created as a result of a 'posix_spawn' syscall
SI_UNIX_EXEC_TYPE_POSIX_SPAWN,
// Process was detected via an audit token for which no EXEC had been sent
// previously. Such an event triggers a 'fake' EXEC for the BE to handle.
SI_UNIX_EXEC_TYPE_GENERATED,
} SiUnixExecType;
/// Serialized interception event: a 20-byte packed header (4 + 2 + 2 + 8 + 4)
/// followed by PropertiesNumber property records.
typedef struct PACKED {
uint32_t Size; ///< NOTE(review): untrusted on receipt — validate against the actual bytes received before walking the properties
uint16_t Operation; ///< SiOperationType enum type
uint16_t CallbackType; ///< SiOpCallbackType enum type
uint64_t ProcessUID;
uint32_t PropertiesNumber; ///< Count of records that follow; bound the walk by Size as well, not by this count alone
SiProperty FirstProperty[]; ///< NOTE(review): SiProperty itself ends in a flexible array, so records are variable-length — do not index FirstProperty[i]; step by each record's Size (see SiProperty) and confirm the stepping rule with av-sdk
} SiEvent;
/// Serialized property bag without the event header: an 8-byte packed header
/// (4 + 4) followed by PropertiesNumber property records.
typedef struct PACKED {
uint32_t Size; ///< NOTE(review): untrusted on receipt — validate against the actual bytes received before walking the properties
uint32_t PropertiesNumber; ///< Count of records that follow; bound the walk by Size as well, not by this count alone
SiProperty FirstProperty[]; ///< Variable-length records, as in SiEvent — step by each record's Size rather than indexing
} SiInfo;
/// Value layout for SI_VT_OBJECT_ID_TYPE: two packed uint64_t (16 bytes).
typedef struct PACKED {
uint64_t DeviceId; ///< presumably identifies the device/volume holding the object — confirm with av-sdk
uint64_t Id; ///< presumably the object's identifier on that device — confirm with av-sdk
} SiObjectId;
/// A timestamp in microseconds as a single packed uint64_t (8 bytes).
/// NOTE(review): the epoch is not stated here — confirm with av-sdk.
typedef struct PACKED {
uint64_t microseconds;
} SiTimeMicroseconds;
// Mapped to SiRegion: identical 16-byte packed layout of two uint64_t, so it is
// presumably sent as SI_VT_REGION_TYPE with seconds in Start and nanoseconds in
// Length (by position) — confirm with av-sdk.
typedef struct PACKED {
uint64_t seconds;
uint64_t nanoseconds; ///< NOTE(review): expected range 0..999999999 is not enforced by the layout — validate on receipt
} SiTimeSpec;
/// In-memory (not PACKED, holds a pointer) view of a length-delimited string.
/// Unlike the structs above it is not a wire layout.
typedef struct {
const char* value; ///< Not owned; presumably not NUL-terminated — always use length
uint32_t length; ///< Number of bytes at value
} SiSizedString;
/// In-memory (not PACKED, holds a pointer) view of a length-delimited byte
/// buffer. Unlike the PACKED structs above it is not a wire layout.
typedef struct {
const void* value; ///< Not owned; lifetime is the caller's to manage
uint32_t length; ///< Number of bytes at value
} SiSizedBuffer;