39 _In_ const char *Argv[]
61 LOG(
"[DEBUG] Swapped %d bytes from GLA 0x%016llx, GPA 0x%016llx, CR3 0x%016llx, flags %d\n",
62 DataSize, VirtualAddress, PhysicalAddress, Cr3, Flags);
87 LOG(
"Modified GVA 0x%016llx, Context %p, from 0x%016llx to 0x%016llx, size 0x%016llx to 0x%016llx\n",
88 VirtualAddress, Context, OldEntry, NewEntry, OldPageSize, NewPageSize);
107 LOG(
"[ITVA] CR3 0x%016llx, GVA 0x%016llx -> GPA 0x%016llx, size %llx ********\n",
108 Cr3, VirtualAddress, Entry, PageSize);
139 if (VirtualAddress >= 0xFFFF800000000000)
141 if (PhysicalAddress &
PT_RW)
150 if (PhysicalAddress &
PT_D)
159 if (VirtualAddress < 0xFFFF800000000000)
161 if (PhysicalAddress &
PT_RW)
170 if (PhysicalAddress &
PT_D)
196 for (j = 0; j < 3; j++)
213 list = table[i].
Flink;
215 while (list != &table[i])
224 ERROR(
"[ERROR] IntGetEPTPageProtection failed: 0x%08x\n", status);
229 ERROR(
"[ERROR] Invalid {read} internal state: hook %p\n", pHook);
234 ERROR(
"[ERROR] Invalid {write} internal state: hook %p\n", pHook);
239 ERROR(
"[ERROR] Invalid {execute} internal state: hook %p\n", pHook);
253 LOG(
"%p : OriginatorName: %08x, Victim: %08x, Flg: %08x, Type: %02d, Sig: %d\n",
254 Exception, Exception->OriginatorNameHash,
255 Exception->VictimNameHash, Exception->Flags, Exception->Type, Exception->SigCount);
257 if (Exception->SigCount > 0)
261 int ret, rem =
sizeof(siglist);
263 ret = snprintf(l, rem,
"--> Signatures:");
264 if (ret < 0 || ret >= rem)
266 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
275 for (
DWORD i = 0; i < Exception->SigCount; i++)
277 ret = snprintf(l, rem,
" 0x%04x", Exception->Signatures[i].Value);
278 if (ret < 0 || ret >= rem)
280 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
290 LOG(
"%s\n", siglist);
300 LOG(
"%p : Originator: %08x, Victim: %08x, Process: %08x, Flg: %08x, Type: %02d, Sig: %d\n",
301 Exception, Exception->OriginatorNameHash, Exception->Victim.NameHash,
302 Exception->Victim.ProcessHash, Exception->Flags, Exception->Type, Exception->SigCount);
304 if (Exception->SigCount > 0)
308 int ret, rem =
sizeof(siglist);
310 ret = snprintf(l, rem,
"--> Signatures:");
311 if (ret < 0 || ret >= rem)
313 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
322 for (
DWORD i = 0; i < Exception->SigCount; i++)
324 ret = snprintf(l, rem,
" 0x%04x", Exception->Signatures[i].Value);
325 if (ret < 0 || ret >= rem)
327 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
337 LOG(
"%s\n", siglist);
348 LOG(
"%p : Originator: %s, Victim: %s, Process: %s, Flg: %08x, Type: %02d, Sig: %d\n",
349 Exception, Exception->OriginatorNameGlob, Exception->Victim.NameGlob,
350 Exception->Victim.ProcessGlob, Exception->Flags, Exception->Type, Exception->SigCount);
352 if (Exception->SigCount > 0)
356 int ret, rem =
sizeof(siglist);
358 ret = snprintf(l, rem,
"--> Signatures:");
359 if (ret < 0 || ret >= rem)
361 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
370 for (
DWORD i = 0; i < Exception->SigCount; i++)
372 ret = snprintf(l, rem,
" 0x%4x", Exception->Signatures[i].Value);
373 if (ret < 0 || ret >= rem)
375 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
385 LOG(
"%s\n", siglist);
407 LOG(
"[CPU %d] Written CR%d from 0x0x%016llx to 0x0x%016llx\n",
gVcpu->
Index, Cr, OldValue, NewValue);
415 #ifdef DEBUG_MEM_ALLOCS 417 typedef struct _DBG_ALLOCATION
426 } DBG_ALLOCATION, *PDBG_ALLOCATION;
439 IntDbgCompareAllocNode(
448 a1 = (size_t)p1->Address;
449 a2 = (
size_t)p2->Address;
466 static size_t gTotalMemUsed = 0;
467 static size_t gTotalAllocations = 0;
468 static size_t gTotalFrees = 0;
470 static size_t gMaxMemUsed = 0;
471 static size_t gMaxAllocations = 0;
473 static RBTREE gAllocTree =
RB_TREE_INIT(gAllocTree, IntDbgFreeAllocNode, IntDbgCompareAllocNode);
477 __attribute__((malloc))
478 __attribute__ ((alloc_size (1)))
483 _In_ const char *FileName,
487 DBG_ALLOCATION *pAlloc;
490 addr = IntAllocWithTag(Size, Tag, FileName, Line);
496 pAlloc = IntAllocWithTag(
sizeof(*pAlloc),
IC_TAG_ALLOC, FileName, Line);
499 IntFreeWithTag(&addr, Tag, __LINE__);
503 pAlloc->Address = addr;
506 pAlloc->File = FileName;
513 gTotalMemUsed += Size;
515 if (gTotalMemUsed > gMaxMemUsed)
517 gMaxMemUsed = gTotalMemUsed;
520 if (gTotalAllocations > gMaxAllocations)
522 gMaxAllocations = gTotalAllocations;
531 _Inout_ _At_(*Address, _Post_null_)
void **Address,
536 DBG_ALLOCATION target;
539 target.Address = *Address;
547 if (Tag != pAlloc->Tag)
549 ERROR(
"[ERROR] Tag different from what was requested: %08x != %08x for allocation from %s:%d\n",
550 pAlloc->Tag, Tag, pAlloc->File, pAlloc->Line);
553 gTotalMemUsed -= pAlloc->Size;
562 ERROR(
"[CRITICAL] Trying to free an invalid address: %p\n", *Address);
579 list = gAllocations.
Flink;
580 while (list != &gAllocations)
585 if (0 == Tag || Tag == pAlloc->Tag)
587 LOG(
"Alloc: %p:%6d, tag %08x (%c%c%c%c), from %s:%d\n",
591 (pAlloc->Tag & 0xFF),
592 (pAlloc->Tag >> 8) & 0xFF,
593 (pAlloc->Tag >> 16) & 0xFF,
594 (pAlloc->Tag >> 24) & 0xFF,
599 size += pAlloc->Size;
603 LOG(
"%lld allocations with %lld bytes\n", total, size);
604 LOG(
"Total memory allocated: %lld bytes\n", gTotalMemUsed);
617 list = gAllocations.
Flink;
618 while (list != &gAllocations)
621 BYTE *pp = (
BYTE *)pAlloc->Address - 8;
623 if (*((
QWORD *)pp) != 0xBDBDBDBDBDBDBDBD)
625 LOG(
"Buffer underflow for alloc at %p (struct: %p)!\n", pAlloc->Address, pAlloc);
628 if (*((
QWORD *)(pp + 8 + pAlloc->Size)) != 0xBDBDBDBDBDBDBDBD)
630 LOG(
"Buffer overflow for alloc at %p (struct: %p)!\n", pAlloc->Address, pAlloc);
636 LOG(
"Total memory allocated: %lld bytes\n", gTotalMemUsed);
661 if (currentModule == 0)
663 LOG(
"gWinGuest->PsLoadedModuleList is 0\n");
674 currentModule &= 0xFFFFFFFF;
678 ERROR(
"[ERROR] Failed getting the Flink value of MODULE at 0x%016llx: 0x%08x\n", currentModule, status);
687 DWORD nameLength, sizeOfImage;
688 QWORD nameAddress, moduleBase;
692 status =
IntVirtMemMap(currentModule,
sizeof(*pModEntry64), 0, 0, &pModEntry64);
696 status =
IntVirtMemMap(currentModule,
sizeof(*pModEntry32), 0, 0, &pModEntry32);
700 ERROR(
"[ERROR] Failed to map the modules info at 0x%016llx: 0x%08x\n", currentModule, status);
708 moduleBase = pModEntry64->
DllBase;
709 sizeOfImage = 0xffffffff & pModEntry64->
SizeOfImage;
715 moduleBase = 0xffffffff & pModEntry32->
DllBase;
728 ERROR(
"[ERROR] Failed reading module's path from VA 0x%016llx with length %x: 0x%08x\n",
729 nameAddress, nameLength, status);
733 moduleName[nameLength / 2] = 0;
735 LOG(
" #%03d Base: 0x%016llx, SizeOfImage: 0x%08x, Path: %s\n",
736 count++, moduleBase, sizeOfImage,
utf16_for_log(moduleName));
747 currentModule &= 0xFFFFFFFF;
757 _In_ const char *Argv[]
766 ERROR(
"[ERROR] Invalid number of arguments!");
770 address =
strtoull(Argv[1], NULL, 0);
776 ERROR(
"[ERROR] IntInjectExceptionInGuest failed: 0x%08x\n", status);
784 _In_ const char *Argv[]
787 QWORD address, gpa, pfnAddress;
791 WORD refCount, flags;
795 ERROR(
"[ERROR] MmPfnDatabase is 0\n");
801 ERROR(
"[ERROR] Invalid number of arguments!\n");
805 address =
strtoull(Argv[2], NULL, 0);
808 ERROR(
"[ERROR] %s is not a valid address\n", Argv[2]);
812 if (Argv[1][0] ==
'v')
817 ERROR(
"[ERROR] GVA 0x%016llx to GPA failed: 0x%08x\n", address, status);
821 else if (Argv[1][0] ==
'p')
827 ERROR(
"[ERROR] Give `v` or `p` for the address type\n");
841 status =
IntVirtMemMap(pfnAddress, pfnSize, 0, 0, &pfnBuffer);
844 ERROR(
"[ERROR] Failed mapping PFN structure from 0x%016llx: 0x%08x\n", pfnAddress, status);
848 LOG(
"PFN %llx at 0x%016llx for GPA 0x%016llx\n", gpa >> 12, pfnAddress, gpa);
874 LOG(
"RefCount: %x\t\tFlags: %x\n", refCount, flags);
883 _In_ const char *Argv[]
886 QWORD addressStart, rip;
893 ERROR(
"[ERROR] Minimum number of arguments expected: 2\n");
897 addressStart =
strtoull(Argv[1], NULL, 0);
898 if (0 == addressStart)
900 WARNING(
"[WARNING] %s is not a valid address\n", Argv[1]);
906 length =
strtoul(Argv[2], NULL, 0);
909 WARNING(
"[WARNING] %s is not a valid length\n", Argv[2]);
921 rip =
strtoul(Argv[3], NULL, 0);
924 WARNING(
"[WARNING] %s is not a valid rip\n", Argv[3]);
935 level =
strtoul(Argv[4], NULL, 0);
936 if (1 != level && 2 != level)
938 WARNING(
"[WARNING] %s is not a valid level\n", Argv[4]);
956 ERROR(
"[ERROR] Failed reading from GVA 0x%016llx: 0x%08x\n", addressStart, length);
960 LOG(
"[CODEBLOCKS] Dumping codeblocks for RIP 0x%016llx (from 0x%016llx to 0x%016llx)\n",
961 rip, addressStart, addressStart + length);
972 ERROR(
"[ERROR] Failed extracting blocks from VA 0x%016llx: 0x%08x\n", addressStart, status);
992 if (NULL == pExceptions)
994 LOG(
"[DBGINTRO] There are no exceptions loaded!\n");
1000 LOG(
"[DBGINTRO] Kernel exceptions:\n");
1038 LOG(
"[DBGINTRO] User exceptions:\n");
1092 LOG(
"[DBGINTRO] Codeblocks signatures:\n");
1100 LOG(
"%p : Id: %04x, Flags: %08x, Score: %02d, Lists: %02d\n",
1110 int ret, rem =
sizeof(hashes);
1112 ret = snprintf(l, rem,
"--> List(%u):", pSigHash->
Count);
1113 if (ret < 0 || ret >= rem)
1115 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
1126 ret = snprintf(l, rem,
" %08x", pSigHash->
Hashes[j]);
1127 if (ret < 0 || ret >= rem)
1129 ERROR(
"[ERROR] snprintf error: %d, size %d\n", ret, rem);
1139 LOG(
"%s\n", hashes);
1146 LOG(
"[DBGINTRO] Export signatures:\n");
1154 LOG(
"%p : Id: %04x, Flags: %08x, Library: %08x, Lists: %02d\n",
1160 LOG(
"--> List(%d): Delta: %02x, Hash: %08x\n", j, pSigHash[j].Delta, pSigHash[j].Hash);
1164 LOG(
"[DBGINTRO] Value signatures:\n");
1172 LOG(
"%p : Id: %04x, Flags: %08x, Score: %02d, Lists: %02d\n",
1178 LOG(
"--> List(%d): Offset: %02x, Size: %02x, Hash: %08x\n",
1179 j, pSigHash[j].Offset, pSigHash[j].Size, pSigHash[j].Hash);
1183 LOG(
"[DBGINTRO] Idt signatures:\n");
1190 LOG(
"%p : Id: %04x, Flags: %08x, Entry: %0d \n",
1194 LOG(
"[DBGINTRO] Value code signatures:\n");
1202 LOG(
"%p : Id: %04x, Flags: %08x, Offset: %02d, Length: %02d\n",
1208 LOG(
"--> Item(%d): %02x\n", j, pPattern[j]);
1212 LOG(
"[DBGINTRO] Version OS signatures:\n");
1219 LOG(
"%p : Id: %04x, Flags: %08x, Minimum: 0x%llx, Maximum: 0x%llx\n",
1223 LOG(
"[DBGINTRO] Version Introcore signatures:\n");
1230 LOG(
"%p : Id: %04x, Flags: %08x, Minimum: %d.%d.%d, Maximum: %d.%d.%d\n",
1236 LOG(
"[DBGINTRO] Process creation signatures:\n");
1243 LOG(
"%p : Id: %04x, Flags: %08x, Create-Mask: 0x%08x\n",
1262 LOG(
"GVA hooks:\n");
1271 LOG(
"%04d: GVA: 0x%016llx, Offset: %04x, Length: %04x, Flags: %08x, " 1272 "Type: %d, integrity: %s, writable: %s, GPA hook: %p\n",
1284 LOG(
"Removed hooks queue:\n");
1290 LOG(
"%04d: GVA: 0x%016llx, Offset: %04x, Length: %04x, Flags: %08x, Type: %d, GPA hook: %p\n",
1319 _In_ const char *Argv[]
1326 ERROR(
"[ERROR] Invalid number of arguments!\n");
1330 if (Argc > 3 || Argv[1][0] ==
'\'' || Argv[1][0] ==
'\"')
1335 memset(fullPath, 0,
sizeof(fullPath));
1337 for (arg = 1; arg < Argc - 1; arg++)
1339 size_t len = strlen(Argv[arg]);
1344 if (Argv[arg][0] ==
'\"' || Argv[arg][0] ==
'\'')
1347 strlcpy(&fullPath[last], &Argv[arg][1],
sizeof(fullPath) - last);
1352 strlcpy(&fullPath[last], Argv[arg],
sizeof(fullPath) - last);
1357 strlcpy(&fullPath[last], Argv[arg],
sizeof(fullPath) - last);
1364 fullPath[last] =
' ';
1370 if (fullPath[last - 1] ==
'\"' || fullPath[last - 1] ==
'\'')
1373 fullPath[last - 1] = 0;
1391 _In_ const char *Argv[]
1398 ERROR(
"[ERROR] Invalid number of arguments!\n");
1402 if (Argc > 2 || Argv[1][0] ==
'\'' || Argv[1][0] ==
'\"')
1407 memset(fullPath, 0,
sizeof(fullPath));
1409 for (arg = 1; arg < Argc; arg++)
1411 size_t len = strlen(Argv[arg]);
1416 if (Argv[arg][0] ==
'\"' || Argv[arg][0] ==
'\'')
1419 strlcpy(&fullPath[last], &Argv[arg][1],
sizeof(fullPath) - last);
1424 strlcpy(&fullPath[last], Argv[arg],
sizeof(fullPath) - last);
1429 strlcpy(&fullPath[last], Argv[arg],
sizeof(fullPath) - last);
1436 fullPath[last] =
' ';
1442 if (fullPath[last - 1] ==
'\"' || fullPath[last - 1] ==
'\'')
1445 fullPath[last - 1] = 0;
1496 _In_ const char *Argv[]
1504 ERROR(
"[ERROR] Invalid number of arguments!\n");
1508 address =
strtoull(Argv[1], NULL, 0);
1511 ERROR(
"[ERROR] %s is not a valid address\n", Argv[1]);
1515 size =
strtoul(Argv[2], NULL, 0);
1518 ERROR(
"[ERROR] %s is not a valid size\n", Argv[2]);
1528 _In_ const char *Argv[]
1537 ERROR(
"[ERROR] Invalid number of arguments!\n");
1542 tag =
strtoul(Argv[2], NULL, 0);
1547 ERROR(
"[ERROR] IntDepInjectAgent failed: 0x%08x\n", status);
1555 _In_ const char *Argv[]
1560 CHAR *content =
"abcdefghijklmnopqrstuvwxyz";
1564 ERROR(
"[ERROR] Invalid number of arguments!\n");
1573 ERROR(
"[ERROR] IntDepInjectAgent failed: 0x%08x\n", status);
1581 _In_ const char *Argv[]
1588 ERROR(
"[ERROR] Invalid number of arguments!\n");
1593 gTargetPML4 =
strtoull(Argv[2], NULL, 0);
1595 LOG(
"[DBGINTRO] Begin iterate VA space 0x%016llx, search for 0x%016llx!\n", cr3, gTargetPML4);
1599 LOG(
"[DBGINTRO] Done!\n");
1610 gPagesRead = gPagesWrite = gPagesDirty = 0;
1614 if (NULL == gPagesBitmap)
1619 list = gWinProcesses.
Flink;
1620 while (list != &gWinProcesses)
1626 LOG(
"[DBGINTRO] Iterating VA space of process %s with CR3 %llx\n", pProc->
Name, pProc->
Cr3);
1631 LOG(
"[DBGINTRO] %lld total present physical pages, %lld readable pages, %lld writable pages, %lld dirty pages\n",
1632 gPagesRead + gPagesWrite, gPagesRead, gPagesWrite, gPagesDirty);
1641 _In_ const char *Argv[]
1644 QWORD gla = 0, cr3 = 0;
1650 ERROR(
"[ERROR] Invalid number of arguments!\n");
1660 ERROR(
"[ERROR] IntTranslateVirtualAddressEx failed: 0x%08x\n", status);
1664 LOG(
"%llx translated to %llx, %d levels, user: %d, write: %d, exec: %d\n",
1678 _In_ const char *Argv[]
1689 ERROR(
"[ERROR] Invalid number of arguments!\n");
1700 ERROR(
"[ERROR] IntHookPtSetHook failed: 0x%08x\n", status);
1704 LOG(
"-> %p\n", pPts);
1712 _In_ const char *Argv[]
1720 ERROR(
"[ERROR] Invalid number of arguments!\n");
1730 ERROR(
"[ERROR] IntHookPtsRemoveHook failed: 0x%08x\n", status);
1738 _In_ const char *Argv[]
1742 QWORD oldvalue, newvalue;
1747 ERROR(
"[ERROR] Invalid number of arguments!\n");
1753 oldvalue =
strtoull(Argv[2], NULL, 0);
1755 newvalue =
strtoull(Argv[3], NULL, 0);
1760 ERROR(
"[ERROR] IntHookPtsWriteEntry failed: 0x%08x\n", status);
1797 _In_ const char *Argv[]
1804 ERROR(
"[ERROR] Invalid number of arguments!\n");
1808 newValue =
strtoull(Argv[1], NULL, 0);
1825 ERROR(
"[ERROR] No process found for the current CR3: 0x%016llx\n",
gVcpu->
Regs.
Cr3);
1837 _In_ const char *Argv[]
1846 ERROR(
"[ERROR] Invalid number of arguments!\n");
1853 if (Argv[1][0] ==
'0')
1860 LOG(
"No symbol at GVA 0x%016llx\n", gva);
1864 LOG(
"Symbol at GVA 0x%016llx -> 0x%016llx: %s\n", gva, symEnd, symName);
1872 LOG(
"Can't find symbol %s\n", Argv[1]);
1876 LOG(
"Symbol %s at GVA 0x%016llx -> 0x%016llx\n", symName, gva, symEnd);
1894 LOG(
"CPU %d seems to be inactive, will skip.\n", i);
1901 ERROR(
"[ERROR] IntFindKernelPcr failed for %d: 0x%08x\n", i, status);
1906 LOG(
"CPU %d seems to be inactive, will skip.\n", i);
1910 LOG(
"KPCR on CPU %d is 0x%016llx\n", i, pcrBase);
1918 _In_ const char *Argv[]
1927 ERROR(
"[ERROR] Invalid number of arguments!\n");
1942 ERROR(
"[ERROR] IntWinGetAccessTokenFromProcess failed for %d: 0x%x\n", pid, status);
1956 _In_ const char *Argv[]
1965 ERROR(
"[ERROR] Invalid number of arguments!\n");
1980 LOG(
"No Impersonation Token found for Ethread %llx\n", ethread);
1984 ERROR(
"[ERROR] IntWinGetAccesTokenFromThread failed for %llx: 0x%x\n", ethread, status);
1998 _In_ const char *Argv[]
2006 ERROR(
"[ERROR] Invalid number of arguments!\n");
2015 ERROR(
"[ERROR] IntVasDump failed: 0x%08x\n", status);
2023 _In_ const char *Argv[]
2034 ERROR(
"[ERROR] Invalid number of arguments!\n");
2040 len =
strtoul(Argv[3], NULL, 0);
2041 mod =
strtoul(Argv[4], NULL, 0);
2046 ERROR(
"[ERROR] IntSwapMemReadData failed: 0x%08x\n", status);
2054 _In_ const char *Argv[]
2062 ERROR(
"[ERROR] Invalid number of arguments!\n");
2072 QWORD eproc, rootPtr;
2074 if (0 != strncasecmp(Argv[1],
"eproc",
sizeof(
"eproc")))
2079 eproc =
strtoull(Argv[2], NULL, 0);
2082 LOG(
"Fetching VAD root @ 0x%016llx from eprocess 0x%016llx\n", eproc, rootPtr);
2087 ERROR(
"[ERROR] IntKernVirtMemFetchQword failed: 0x%08x\n", status);
2094 ERROR(
"[ERROR] VAD Root must be a kernel pointer! 0x%016llx\n", root);
2101 ERROR(
"[ERROR] IntWinVadInOrderTraversal failed: 0x%08x\n", status);
2109 _In_ const char *Argv[]
2112 const char *pName = NULL;
2119 LOG(
"Dumping VADs for %s...\n", pName ? pName :
"all processes");
2128 _In_ const char *Argv[]
2131 QWORD vadroot, startpage, endpage, res;
2135 ERROR(
"[ERROR] Invalid number of arguments!\n");
2140 startpage =
strtoull(Argv[2], 0, 0);
2143 LOG(
"Searching for VAD [%llx, %llx] starting with %llx...\n", startpage, endpage, vadroot);
2147 LOG(
"Found VAD at %llx\n", res);
2154 _In_ const char *Argv[]
2160 WARNING(
"[WARNING] Not implemented\n");
2203 _In_ const char *Argv[]
2207 BYTE instruction[16];
2210 CHAR text[ND_MIN_BUF_SIZE];
2214 ERROR(
"[ERROR] Invalid number of arguments!\n");
2234 for (i = 1; i < Argc; i++)
2236 instruction[i - 1] = (
BYTE)
strtoul(Argv[i], NULL, 0);
2241 NdToText(&instrux, 0, ND_MIN_BUF_SIZE, text);
2247 LOG(
"Got %d accesses for '%s':\n", count, text);
2249 for (i = 0; i < count; i++)
2251 LOG(
" Access at %llx, size %d, access %d\n", glas[i].Gla, glas[i].Size, glas[i].Access);
2259 _In_ const char *Argv[]
2264 BYTE patchedData[16] = { 0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0xA, 0xB, 0xC, 0xD, 0xE, 0xF };
2270 ERROR(
"[ERROR] Invalid number of arguments!\n");
2279 ERROR(
"[ERROR] IntKernVirtMemRead failed: 0x%08x\n", status);
2286 ERROR(
"[ERROR] IntMemClkCloakRegion failed: 0x%08x\n", status);
2295 _In_ const char *Argv[]
2304 ERROR(
"[ERROR] Invalid number of arguments!\n");
2308 cr =
strtoul(Argv[1], NULL, 0);
2313 ERROR(
"[ERROR] IntHookCrSetHook failed: 0x%08x\n", status);
2317 LOG(
"HOOK -> %p\n", hook);
2325 _In_ const char *Argv[]
2333 ERROR(
"[ERROR] Invalid number of arguments!\n");
2342 ERROR(
"[ERROR] IntHookCrRemoveHook failed: 0x%08x\n", status);
2363 for (
QWORD page = 0; page < 8 * 1024 * 1024; page++)
2371 LOG(
"EPT check failed on: %llx\n", page << 12);
2381 _In_ const char *Argv[]
2388 ERROR(
"[ERROR] Invalid number of arguments!\n");
2395 ERROR(
"[ERROR] Invalid log level %d\n", logLevel);
2408 _In_ const char *Argv[]
2417 LOG(
"Enabled SWAPGS mitigation!\n");
2423 LOG(
"Disabled SWAPGS mitigation!\n");
2447 .Help =
"show help",
2451 .Command =
"!stats",
2452 .Help =
"timing statistics for introspection callbacks",
2456 .Command =
"!resetstats",
2457 .Help =
"reset all the introcore statistics",
2460 #ifdef DEBUG_MEM_ALLOCS 2462 .Command =
"!allocs",
2463 .Help =
"lists active memory allocations",
2464 .FunctionNoArgs = IntDbgDumpAllocs,
2467 .Command =
"!check_allocs",
2468 .Help =
"checks the current heap allocations for corruption",
2469 .FunctionNoArgs = IntDbgCheckAllocs,
2473 .Command =
"!detours",
2474 .Help =
"list the detours",
2478 .Command =
"!pfnlocks",
2479 .Help =
"list the pfn locked pages (windows only)",
2483 .Command =
"!drivers_intro",
2484 .Help =
"lists the drivers list inside the introspection",
2488 .Command =
"!drivers_guest",
2489 .Help =
"lists the drivers loaded inside the guest",
2494 .Help =
"force page fault in guest",
2495 .Parameters =
"gva: uint64; cr3: uint64; write: 0|1",
2500 .Help =
"dump the pfn contents of the given virtual/physical address",
2501 .Parameters =
"type: char v|p; addr: uint64",
2505 .Command =
"!dumpcb",
2506 .Help =
"dump codeblocks from the given address",
2507 .Parameters =
"gva: uint64; length: uint32 [default=end of page]; " 2508 "rip: uint64 [default=gva]; level: uint32 [default=1]",
2512 .Command =
"!exceptions",
2513 .Help =
"dump exceptions",
2517 .Command =
"!hooks_gpa",
2518 .Help =
"dump gpa hooks",
2522 .Command =
"!hooks_gva",
2523 .Help =
"dump gva hooks",
2527 .Command =
"!hooks_check",
2528 .Help =
"check hooks",
2532 .Command =
"!processes",
2533 .Help =
"dump the list of active processes",
2537 .Command =
"!process_tree",
2538 .Help =
"dump the list of active processes as a tree (linux only)",
2542 .Command =
"!procadd",
2543 .Help =
"adds the process to the protected processes list",
2544 .Parameters =
"process: string; protection: uint64",
2548 .Command =
"!procrem",
2549 .Help =
"removes the process from the protected processes",
2550 .Parameters =
"process: string",
2554 .Command =
"!procclr",
2555 .Help =
"remove all the protected processes",
2559 .Command =
"!proclst",
2560 .Help =
"dump the list of protected processes",
2564 .Command =
"!icache",
2565 .Help =
"dump the instruction cache",
2569 .Command =
"!gpacache",
2570 .Help =
"dump the gpa cache",
2574 .Command =
"!disasm",
2575 .Help =
"disassembles instructions from the given address",
2576 .Parameters =
"gva: uint64; size: uint32",
2580 .Command =
"!integrity",
2581 .Help =
"dump the integrity zones",
2585 .Command =
"!agent_inj",
2586 .Help =
"inject an agent with the given name and tag",
2587 .Parameters =
"name: string; tag: uint32",
2591 .Command =
"!file_inj",
2592 .Help =
"inject an file agent with the given name",
2593 .Parameters =
"name: string",
2598 .Help =
"iterate the given VA space, searching for a specific pml4",
2599 .Parameters =
"cr3: uint64; pml4: uint64",
2603 .Command =
"!itvaall",
2604 .Help =
"iterate the VA space of all processes",
2608 .Command =
"!pwalk",
2609 .Help =
"dump the GVA -> GPA translation",
2610 .Parameters =
"gva: uin64; cr3: uint64",
2614 .Command =
"!pts_hook",
2615 .Help =
"place a hook for the given GVA inside the given VA-space",
2616 .Parameters =
"cr3: uint64; va: uint64; id: uint64",
2620 .Command =
"!pts_unhook",
2621 .Help =
"remove the given hook",
2622 .Parameters =
"pts: HOOK_PTS",
2626 .Command =
"!pts_dump",
2627 .Help =
"dump all the PTS hooks",
2631 .Command =
"!pts_write",
2632 .Help =
"simulate a write inside the given pts entry",
2633 .Parameters =
"pts: HOOK_PTS_ENTRY; oldvalue: uint64; newvalue: uint64",
2638 .Help =
"dump the cpu state",
2642 .Command =
"!get_options",
2643 .Help =
"dump the introcore current options",
2647 .Command =
"!set_options",
2648 .Help =
"set the introcore current options",
2649 .Parameters =
"options: uint64",
2653 .Command =
"!curproc",
2654 .Help =
"dump the current process (windows only)",
2658 .Command =
"!findksym",
2659 .Help =
"dump the symbol name at the given address or address of the given symbol name",
2660 .Parameters =
"gva|name: uint64|string",
2664 .Command =
"!winpcr",
2665 .Help =
"log the KPCR for all cpus (windows only)",
2669 .Command =
"!ptoken",
2670 .Help =
"dump the process token for the given process (windows only)",
2671 .Parameters =
"pid: uint32",
2675 .Command =
"!ttoken",
2676 .Help =
"dump the process token for the given ethread (windows only)",
2677 .Parameters =
"ethread: uint64",
2681 .Command =
"!vasdump",
2682 .Help =
"dump the whole VA space of the given CR3",
2683 .Parameters =
"cr3: uint64",
2688 .Help =
"make the given GVA present (injecting a #PF if needed)",
2689 .Parameters =
"cr3: uint64; gva: uin64; length: uint32; options: uint32",
2693 .Command =
"!transactions",
2694 .Help =
"dump the swap transactions",
2699 .Help =
"dump all the vads for the given vad root (windows only)",
2700 .Parameters =
"vad_root: uint64",
2704 .Command =
"!dump_vads",
2705 .Help =
"dump the vad for the given process (or all process)",
2706 .Parameters =
"name: string [optional]",
2710 .Command =
"!findvad",
2711 .Help =
"find and dump the given VAD inside de the given vad root (windows only)",
2712 .Parameters =
"vadroot: uint64; startpage: uint64; endpage: uint64",
2716 .Command =
"!showfile",
2717 .Help =
"log the file path for the given `struct file` (linux only)",
2718 .Parameters =
"struct_file: uint64",
2722 .Command =
"!exploitguard",
2723 .Help =
"dump the exploit guard mitigation flags for all processes (windows only)",
2727 .Command =
"!netscan",
2728 .Help =
"dump all the opened connections (windows only)",
2732 .Command =
"!dump_clk",
2733 .Help =
"dump all memory cloaks",
2737 .Command =
"!pt_load",
2738 .Help =
"inject the pt loader",
2742 .Command =
"!pt_unload",
2743 .Help =
"inject the pt unloader",
2747 .Command =
"!ptstatsall",
2748 .Help =
"dump the pt stats",
2752 .Command =
"!ve_load",
2753 .Help =
"inject the ve loader",
2757 .Command =
"!ve_unload",
2758 .Help =
"inject the ve unloader",
2762 .Command =
"!veinfo",
2763 .Help =
"dump the ve pages",
2767 .Command =
"!vestats",
2768 .Help =
"dump the ve stats",
2772 .Command =
"!testsse",
2773 .Help =
"test sse instructions (access size)",
2774 .Parameters =
"instr_bytes: BYTE[]",
2778 .Command =
"!testread",
2779 .Help =
"put a memcloak on the given GVA (16 bytes)",
2780 .Parameters =
"gva: uint64",
2784 .Command =
"!testcrhookset",
2785 .Help =
"set a hook on the given CR",
2786 .Parameters =
"cr: uint32",
2790 .Command =
"!testcrhookrem",
2791 .Help =
"remove the given cr hook",
2792 .Parameters =
"cr_hook: HOOK_CR",
2796 .Command =
"!failallocs",
2797 .Help =
"fail allocations",
2801 .Command =
"!checkept",
2802 .Help =
"preform an EPT check",
2806 .Command =
"!setloglevel",
2807 .Help =
"sets the log level",
2808 .Parameters =
"log_level: IG_LOG_LEVEL",
2812 .Command =
"!swapgsmit",
2813 .Help =
"mitigate SWAPGS",
2830 if (strcmp(gDbgCommands[i].Command, gDbgCommands[j].Command) > 0)
2833 gDbgCommands[i] = gDbgCommands[j];
2834 gDbgCommands[j] = cmd;
2859 _In_ const char *Argv[]
2881 if (0 != strcmp(pCmd->
Command, Argv[0]))
2902 ERROR(
"[ERROR] Invalid command: `%s`\n", Argv[0]);
static void DbgDumpUmExceptionGlobMatch(UM_EXCEPTION_GLOB *Exception)
EXCEPTION_SIGNATURE_ID Id
A unique id (EXCEPTION_SIGNATURE_ID).
INTSTATUS IntDecGetAccessedMem(PINSTRUX Instrux, PIG_ARCH_REGS Registers, PIG_XSAVE_AREA XsaveArea, MEMADDR *Gla, DWORD *Count)
Decode each accessed address by an instruction.
QWORD PhysicalAddress
The physical address to which VirtualAddress translates.
void IntIcDumpIcache(void)
Dumps the entire contents of the implicit, per guest, instruction cache.
#define CONTAINING_RECORD(List, Type, Member)
static void DbgLogKpcr(void)
#define GPA_HOOK_TABLE_SIZE
Size of the GPA hook hash.
HOOK_HEADER Header
Hook header.
INTSTATUS IntVirtMemUnmap(void **HostPtr)
Unmaps a memory range previously mapped with IntVirtMemMap.
PFUNC_DebuggerFunctionNoArgs FunctionNoArgs
void(* PFUNC_DebuggerFunctionArgs)(DWORD Argc, const char *Argv[])
QWORD MmPfnDatabase
Guest virtual address of the PFN data base.
LIST_HEAD GpaHooksWrite[GPA_HOOK_TABLE_SIZE]
Hash table of write hooks.
BOOLEAN IsPageWritable
True if the page is writable, false otherwise.
A Windows token structure as reported by Introcore alerts.
Describes an export signature hash.
WINDOWS_GUEST * gWinGuest
Global variable holding the state of a Windows guest.
static void DbgSearchVaSpace(DWORD Argc, const char *Argv[])
Describes a process-creation signature.
LIST_HEAD ValueCodeSignatures
Linked list used for value-code signatures.
HOOK_GVA_STATE GvaHooks
GVA hooks state.
IG_ARCH_REGS Regs
The current state of the guest registers.
DWORD Index
The VCPU number.
static void DbgDumpUmException(UM_EXCEPTION *Exception)
static void DbgDumpEthreadToken(DWORD Argc, const char *Argv[])
static void DbgVadFind(DWORD Argc, const char *Argv[])
QWORD SystemCr3
The Cr3 used to map the kernel.
#define INT_STATUS_SUCCESS
LIST_ENTRY64 InLoadOrderLinks
BYTE Score
The number of (minimum) hashes from a list that need to match.
INTSTATUS IntHookPtsWriteEntry(PHOOK_PTS_ENTRY Entry, QWORD OldValue, QWORD NewValue)
Tests the translation modification handler.
LIST_HEAD NoNameKernelExceptions
Linked list used for kernel-mode exceptions that don't have a valid originator (-).
#define PAGE_REMAINING(addr)
BOOLEAN IsWritable
True if this page is writable.
Describes a value signature.
PFUNC_HpFreeWithTagAndInfo MemFreeWithTagAndInfo
void IntVeDumpStats(void)
Dump VE statistics.
static uint8_t _bittestandset64(int64_t *BitBase, int64_t BitPos)
static void DbgDumpGpaCache(void)
LIST_HEAD GenericUserExceptions
Linked list used for user-mode exceptions that have a generic originator(*).
INTSTATUS IntSwapMemReadData(QWORD Cr3, QWORD VirtualAddress, DWORD Length, DWORD Options, void *Context, DWORD ContextTag, PFUNC_PagesReadCallback Callback, PFUNC_PreInjectCallback PreInject, void **SwapHandle)
Reads a region of guest virtual memory, and calls the indicated callback when all the data is availab...
struct _LIST_ENTRY * Flink
static void DbgDumpExceptions(void)
LIST_HEAD ExportSignatures
Linked list used for export signatures.
INTSTATUS IntHookCrSetHook(DWORD Cr, DWORD Flags, PFUNC_CrWriteHookCallback Callback, void *Context, HOOK_CR **Hook)
Set a control register write hook.
WORD Object[]
Contains list of opcodes.
INTSTATUS IntKsymFindByAddress(QWORD Gva, DWORD Length, char *SymName, QWORD *SymStart, QWORD *SymEnd)
Finds the symbol which is located at the given address.
Describes a memory address, as used in an instruction.
struct _HOOK_PTS_ENTRY * PHOOK_PTS_ENTRY
void FUNC_RbTreeNodeFree(RBNODE *Node)
struct _SIG_CODEBLOCK_HASH SIG_CODEBLOCK_HASH
Describes a codeblocks signature hash.
#define INT_SUCCESS(Status)
static void DbgMitigateSwapgs(DWORD Argc, const char *Argv[])
BOOLEAN IsIntegrityOn
True if integrity checks are enabled for this page. Integrity checks are enabled if this is a wri...
EXCEPTION_SIGNATURE_ID Id
A unique id (_EXCEPTION_SIGNATURE_ID).
LIST_HEAD gWinProcesses
The list of all the processes inside the guest.
WORD Offset
Offset inside the 4K page, interval [0, 4095].
LIST_HEAD RemovedHooksList
IntHookGvaCommitHooks function is called.
EXCEPTION_SIGNATURE_ID Id
A unique id (EXCEPTION_SIGNATURE_ID).
INTSTATUS IntDepInjectFile(BYTE *FileContent, DWORD FileSize, const CHAR *Name)
Inject a file inside the guest.
LIST_HEAD VersionIntroSignatures
Linked list used for introspection version signatures.
static void DbgDumpPfn(DWORD Argc, const char *Argv[])
Describes a user-mode glob exception.
INTSTATUS RbLookupNode(RBTREE *Tree, RBNODE *NodeToSearch, RBNODE **NodeFound)
INTSTATUS IntVasDump(QWORD Cr3)
Dump the monitored tables for the indicated Cr3.
IG_LOG_LEVEL gLogLevel
The currently used log level.
LIST_HEAD ProcessCreationSignatures
Linked list used for process-creation signatures.
BYTE ListsCount
The number of hash lists.
INTSTATUS IntWinGetAccesTokenFromThread(QWORD EthreadGva, INTRO_WIN_TOKEN *Token)
Reads the contents of a _TOKEN Windows structure assigned to a thread.
void IntWinProcDumpVads(const char *ProcessName)
Prints information about the VADs loaded in a process.
BYTE EptHookType
The type of the hook in EPT (see IG_EPT_HOOK_TYPE).
static void DbgFindKsym(DWORD Argc, const char *Argv[])
LIST_HEAD IdtSignatures
Linked list used for IDT signatures.
EXCEPTION_SIGNATURE_ID Id
A unique id (EXCEPTION_SIGNATURE_ID).
#define INT_STATUS_NOT_NEEDED_HINT
BYTE Entry
The number of the IDT entry.
INTSTATUS IntWinNetDumpConnections(void)
Dump all active guest connections.
static void DbgLoadPt(void)
LIST_ENTRY32 InLoadOrderLinks
BOOLEAN gInjectVeUnloader
#define HpAllocWithTag(Len, Tag)
INTSTATUS IntWinGetAccessTokenFromProcess(DWORD ProcessId, QWORD EprocessGva, INTRO_WIN_TOKEN *Token)
Reads the contents of a _TOKEN Windows structure assigned to a process.
DWORD Buffer
The guest virtual address at which the wide-character string is located.
LIST_HEAD UserExceptions[EXCEPTION_TABLE_SIZE]
Array of linked lists used for user-mode exceptions.
int INTSTATUS
The status data type.
QWORD GvaPage
Guest virtual page base address, aligned to 4K.
static void DbgSetLogLevel(DWORD Argc, const char *Argv[])
Shows only critical logs.
int FUNC_RbTreeNodeCompare(RBNODE *Left, RBNODE *Right)
#define INT_STATUS_NOT_FOUND
void IntStatsResetAll(void)
Resets all the stats.
HOOK_STATE * gHooks
Global hooks state.
static void DbgProcAdd(DWORD Argc, const char *Argv[])
void IntSwapgsUninit(void)
Uninit the SWAPGS mitigation.
EXCEPTION_SIGNATURE_ID Id
A unique id (EXCEPTION_SIGNATURE_ID).
void IntSwapMemDump(void)
Dump all active transactions & pages.
BOOLEAN IsExecutable
True if this page is executable.
INTSTATUS IntInjectExceptionInGuest(BYTE Vector, QWORD Cr2, DWORD ErrorCode, DWORD CpuNumber)
Injects an exception inside the guest.
#define TRFLG_NONE
No special options.
UNICODE_STRING32 DriverPath
#define MAX_PATH
The maximum size of a path (260 characters on Windows).
union _SIG_VERSION_INTRO::@38 Minimum
PVCPU_STATE VcpuArray
Array of the VCPUs assigned to this guest. The index in this array matches the VCPU number...
static void DbgDumpHooksGva(void)
INTRO_GUEST_TYPE OSType
The type of the guest.
static void DbgLogCoreOptions(void)
void * gIntHandle
The guest handle provided by the integrator at initialization.
INTSTATUS IntIterateVirtualAddressSpace(QWORD Cr3, PFUNC_VirtualAddressSpaceCallback Callback)
Iterate an entire virtual address space.
static INTSTATUS DbgCrWriteTestCallback(void *Context, DWORD Cr, QWORD OldValue, QWORD NewValue, INTRO_ACTION *Action)
BYTE ListsCount
The number of hash lists.
static void DbgProcClear(void)
Describes a value signature.
INTSTATUS IntHookPtsSetHook(QWORD Cr3, QWORD VirtualAddress, PFUNC_SwapCallback Callback, void *Context, void *Parent, DWORD Flags, PHOOK_PTS *Hook)
Start monitoring translation modifications for the given VirtualAddress.
void IntLixTaskDumpProtected(void)
Dumps the list with processes that Introcore should protect.
INTSTATUS IntFragDumpBlocks(PBYTE Buffer, QWORD StartAddress, DWORD MaxBufferSize, IG_CS_TYPE CsType, CB_EXTRACT_LEVEL ExtractLevel, QWORD Rip, BOOLEAN ReturnRip)
Dumps code-blocks that can then be used to generate an exception signature.
static void DbgSetCoreOptions(DWORD Argc, const char *Argv[])
static INTSTATUS DbgSwapCallback(void *Context, QWORD Cr3, QWORD VirtualAddress, QWORD PhysicalAddress, void *Data, DWORD DataSize, DWORD Flags)
INTSTATUS IntAddRemoveProtectedProcessUtf8(void *GuestHandle, const CHAR *FullPath, DWORD ProtectionMask, BOOLEAN Add, QWORD Context)
Toggles protection options for a process.
static void DbgPtsHook(DWORD Argc, const char *Argv[])
DWORD Flags
Contains any flags from SIGNATURE_FLG.
QWORD Cr3
Process PDBR. Includes PCID.
DWORD MappingsCount
The number of entries inside the MappingsTrace and MappingsEntries arrays.
static void DbgDumpProcesses(void)
The _LDR_DATA_TABLE_ENTRY structure used by 64-bit guests.
static void DbgDumpVads(DWORD Argc, const char *Argv[])
LIST_HEAD CbSignatures
Linked list used for codeblocks signatures.
void IntLixTaskDump(void)
Dumps the process list.
LIST_HEAD GpaHooksRead[GPA_HOOK_TABLE_SIZE]
Hash table of read hooks.
static void DbgTestSse(DWORD Argc, const char *Argv[])
INTSTATUS IntDbgProcessCommand(DWORD Argc, const char *Argv[])
static void DbgPtsUnhook(DWORD Argc, const char *Argv[])
INTSTATUS IntKernVirtMemFetchDword(QWORD GuestVirtualAddress, DWORD *Data)
Reads 4 bytes from the guest kernel memory.
INTSTATUS IntFindKernelPcr(DWORD CpuNumber, QWORD *Pcr)
Finds the address of the Windows kernel _KPCR.
void IntWinProcDumpProtected(void)
Log all the protected processes.
EXCEPTIONS * Exceptions
The exceptions that are currently loaded.
INTSTATUS IntRemoveAllProtectedProcesses(void *GuestHandle)
Removes the protection policies for all processes.
void IntHookGpaDump(void)
Dump the entire contents of the GPA hook system, listing each hook.
QWORD PsLoadedModuleList
Guest virtual address of the PsLoadedModuleList kernel variable.
static void IntDbgCheckHooks(void)
INTSTATUS IntKernVirtMemFetchQword(QWORD GuestVirtualAddress, QWORD *Data)
Reads 8 bytes from the guest kernel memory.
DWORD LibraryNameHash
The name-hash of the modified library.
BOOLEAN PaeEnabled
True if Physical Address Extension is enabled.
QWORD MappingsEntries[MAX_TRANSLATION_DEPTH]
Contains the entry in which paging table.
static INTSTATUS DbgVaModificationHandler(void *Context, QWORD VirtualAddress, QWORD OldEntry, QWORD NewEntry, QWORD OldPageSize, QWORD NewPageSize)
DWORD Flags
Contains any flags from SIGNATURE_FLG.
struct _DEBUGGER_COMMAND DEBUGGER_COMMAND
static BOOLEAN RemoveEntryList(LIST_ENTRY *Entry)
static void DbgDumpGuestModules(void)
CPU_STATE State
The state of this VCPU. Describes what action is the VCPU currently doing.
UINT16 Length
The length, in bytes, of the string in Buffer, not including the NULL terminator, if any...
BOOLEAN Guest64
True if this is a 64-bit guest, False if it is a 32-bit guest.
CHAR Object[]
Contains lists of (SIG_EXPORT_HASH).
CHAR Name[IMAGE_BASE_NAME_LEN]
Process base name.
QWORD Current
The currently used options.
static void DbgDumpCpuState(void)
QWORD IdtBase
Original IDT base.
void IntDetDumpDetours(void)
Prints all the detours in the gDetours list of detours.
EXCEPTION_SIGNATURE_ID Id
A unique id (EXCEPTION_SIGNATURE_ID).
INTSTATUS IntTranslateVirtualAddress(QWORD Gva, QWORD Cr3, QWORD *PhysicalAddress)
Translates a guest virtual address to a guest physical address.
static void DbgLoadVe(void)
HOOK_HEADER Header
The hook header.
void * GpaCache
The currently used GPA cache.
QWORD GpaPage
The page where the hook is set.
void IntWinDumpToken(INTRO_WIN_TOKEN const *Token)
Prints a INTRO_WIN_TOKEN structure.
INTSTATUS IntDecDecodeInstructionFromBuffer(PBYTE Buffer, size_t BufferSize, IG_CS_TYPE CsType, void *Instrux)
Decode an instruction from the provided buffer.
static void DbgTestCrHookRem(DWORD Argc, const char *Argv[])
#define IS_KERNEL_POINTER_WIN(is64, p)
Checks if a guest virtual address resides inside the Windows kernel address space.
Describes a value signature hash.
Describes an introspection version signature.
INTSTATUS IntDepInjectProcess(DWORD AgentTag, BYTE *AgentContent, DWORD AgentSize, const CHAR *Name, const CHAR *Args)
Injects a process inside the guest.
#define HpFreeAndNullWithTag(Add, Tag)
This includes instructions until codeInsBt.
INTSTATUS IntHookPtsRemoveHook(HOOK_PTS **Hook, DWORD Flags)
Remove a PTS hook.
static void DbgDumpKmException(KM_EXCEPTION *Exception)
INTSTATUS IntMemClkCloakRegion(QWORD VirtualAddress, QWORD Cr3, DWORD Size, DWORD Options, PBYTE OriginalData, PBYTE PatchedData, PFUNC_IntMemCloakWriteHandle WriteHandler, void **CloakHandle)
Hides a memory zone from the guest.
INTSTATUS IntHookCrRemoveHook(HOOK_CR *Hook)
Remove a control register hook.
Describes the internal exceptions data.
DWORD Flags
Contains any flags from SIGNATURE_FLG.
static void DbgProcRem(DWORD Argc, const char *Argv[])
static void DbgDisasm(DWORD Argc, const char *Argv[])
EXCEPTION_SIGNATURE_ID Id
A unique id (EXCEPTION_SIGNATURE_ID).
The _LDR_DATA_TABLE_ENTRY structure used by 32-bit guests.
static void DbgInjectFileAgent(DWORD Argc, const char *Argv[])
LIST_HEAD GvaHooks
The list of GVA hooks.
Describes an export signature.
static void InsertTailList(LIST_ENTRY *ListHead, LIST_ENTRY *Entry)
INTSTATUS IntTranslateVirtualAddressEx(QWORD Gva, QWORD Cr3, DWORD Flags, VA_TRANSLATION *Translation)
Translates a guest virtual address to a guest physical address.
size_t strlcpy(char *dst, const char *src, size_t dest_size)
static INTSTATUS DbgVaSpaceIterationCallback(QWORD Cr3, QWORD VirtualAddress, QWORD Entry, QWORD PageSize)
DWORD Flags
Contains any flags from SIGNATURE_FLG.
static void DbgDumpTranslation(DWORD Argc, const char *Argv[])
DWORD Pid
Process ID (the one used by Windows).
HOOK_GPA_STATE GpaHooks
GPA hooks state.
static void DbgUnloadPt(void)
#define LIX_SYMBOL_NAME_LEN
The max length of the ksym as defined by Linux kernel.
DWORD CpuCount
The number of logical CPUs.
static void DbgTestCrHookSet(DWORD Argc, const char *Argv[])
void IntWinProcDump(void)
Prints information about all the processes in the system.
#define UNREFERENCED_PARAMETER(P)
static INTSTATUS DbgVaSpaceIterationCallbackCount(QWORD Cr3, QWORD VirtualAddress, QWORD PhysicalAddress, QWORD PageSize)
void IntMemClkDump(void)
Dumps all the active cloak regions.
void IntStatsDumpAll(void)
Prints all the non-zero stats.
void IntWinPfnDump(void)
Prints all the PFN locks.
Describes a kernel-mode exception.
union _SIG_VERSION_INTRO::@39 Maximum
Describes a user-mode exception.
PHOOK_GPA GpaHook
The actual guest physical page hook. Valid as long as the page is mapped.
#define WIN_KM_FIELD(Structure, Field)
Macro used to access kernel mode fields inside the WIN_OPAQUE_FIELDS structure.
static void DbgShowHelp(void)
#define WIN_PFN_GET_STRUCT_VA(MmPfn, Gpa)
Get the address of a guest _MMPFN structure.
#define EXCEPTION_TABLE_SIZE
DWORD Hashes[]
The list of hashes.
void IntPtiDumpStats(void)
Dump PT filtering statistics.
static DEBUGGER_COMMAND gDbgCommands[]
static void DbgSwap(DWORD Argc, const char *Argv[])
LIST_HEAD GlobUserExceptions
Linked list used for user-mode exceptions that contains glob content.
BYTE Count
The number of hashes from the list.
enum _INTRO_ACTION INTRO_ACTION
Event actions.
#define _In_reads_bytes_(expr)
static void DbgInjectAgent(DWORD Argc, const char *Argv[])
LIST_HEAD GenericKernelExceptions
Linked list used for kernel-mode exceptions that have a generic originator (*).
UINT64 __cdecl strtoull(const INT8 *nptr, INT8 **endptr, INT32 ibase)
INTSTATUS IntGetEPTPageProtection(DWORD EptIndex, QWORD Gpa, BYTE *Read, BYTE *Write, BYTE *Execute)
static void DbgIterateVaSpace(void)
static void DbgCheckEpt(void)
static void DbgInjectPf(DWORD Argc, const char *Argv[])
__must_check INTSTATUS IntVirtMemMap(QWORD Gva, DWORD Length, QWORD Cr3, DWORD Flags, void **HostPtr)
Maps a guest virtual memory range inside Introcore virtual address space.
UNICODE_STRING64 DriverPath
MM Mm
Guest memory information, such as paging mode, system Cr3 value, etc.
void IntGpaCacheDump(PGPA_CACHE Cache)
Dumps the entire contents of the GPA cache.
QWORD EprocessAddress
This will be the address of the ActiveProcess field.
LIST_HEAD ValueSignatures
Linked list used for value signatures.
DWORD Flags
Contains any flags from SIGNATURE_FLG.
void IntLixTaskDumpAsTree(void)
Dump the process tree.
DWORD Flags
Contains any flags from SIGNATURE_FLG.
UINT32 __cdecl strtoul(const INT8 *nptr, INT8 **endptr, INT32 ibase)
GUEST_STATE gGuest
The current guest state.
void IntIntegrityDump(void)
Dumps all the INTEGRITY_REGION structures from gIntegrityRegions. Used mainly for debugging...
#define _Function_class_(expr)
static void DbgUnloadVe(void)
static void DbgPtsWrite(DWORD Argc, const char *Argv[])
#define FIX_GUEST_POINTER(is64, x)
Masks the unused part of a Windows guest virtual address.
LIST_HEAD GpaHooksExecute[GPA_HOOK_TABLE_SIZE]
Hash table of execute hooks.
static void DbgDumpCodeblocks(DWORD Argc, const char *Argv[])
enum _IG_LOG_LEVEL IG_LOG_LEVEL
Controls the verbosity of the logs.
void(* PFUNC_DebuggerFunctionNoArgs)(void)
struct _HOOK_PTS * PHOOK_PTS
QWORD MappingsTrace[MAX_TRANSLATION_DEPTH]
Contains the physical address of each entry within the translation tables.
BYTE Score
The minimum number of hashes from a list that need to match.
void RbDeleteNode(RBTREE *Tree, RBNODE *Node)
DWORD Flags
Contains any flags from SIGNATURE_FLG.
static void DbgLogFilePath(DWORD Argc, const char *Argv[])
static void DbgLogCurrentProcess(void)
WORD Length
The length of the opcode pattern.
INTSTATUS IntKernVirtMemRead(QWORD KernelGva, DWORD Length, void *Buffer, DWORD *RetLength)
Reads data from a guest kernel virtual memory range.
LIST_HEAD KernelExceptions[EXCEPTION_TABLE_SIZE]
Array of linked lists used for kernel-mode exceptions.
BYTE ListsCount
The number of hash lists.
INTSTATUS IntSwapgsStartMitigation(void)
Scan the kernel for vulnerable SWAPGS gadgets, and mitigate CVE-2019-1125, when such gadgets are foun...
INTSTATUS IntWinVadInOrderRecursiveTraversal(QWORD VadNodeGva, DWORD Level, PFUNC_WinVadTraversalCallback Callback, void *Context)
Traverses a guest VAD tree.
#define LIST_HEAD_INIT(Name)
INTSTATUS RbInsertNode(RBTREE *Tree, RBNODE *Node)
WORD Length
The length, in bytes, of the string in Buffer, not including the NULL terminator, if any...
QWORD Value
Contains the minimum build number of the operating system (used for Windows).
Describes an IDT signature.
Encapsulates information about a virtual to physical memory translation.
char * utf16_for_log(const WCHAR *WString)
Converts a UTF-16 string to a UTF-8 string to be used inside logging macros.
DWORD Value
Contains an unique value.
static UPPER_IFACE gUpIface
The instance of UPPER_IFACE that is being used.
VCPU_STATE * gVcpu
The state of the current VCPU.
#define _next(_var, _member)
DWORD CreateMask
Contains the DPI mask.
static void DbgDumpProcToken(DWORD Argc, const char *Argv[])
void IntGuestUpdateCoreOptions(QWORD NewOptions)
Updates Introcore options.
void IntDriverDump(void)
Prints all the currently loaded drivers.
INT16 Offset
The displacement from the beginning of the modified zone.
void IntDisasmGva(QWORD Gva, DWORD Length)
This function disassembles a code buffer (given its GVA) and then dumps the instructions (textual dis...
DWORD Flags
Generic flags. Check out EPT Hook flags.
INTSTATUS IntWinVadShortDump(QWORD VadNodeGva, DWORD Level, void *Context)
Prints a _MMVAD_SHORT structure.
CHAR Object[]
Contains list of (SIG_CODEBLOCK_HASH).
#define UNREFERENCED_LOCAL_VARIABLE(V)
void IntWinProcDumpEgFlags(void)
Prints the mitigation flags of a process.
static void DbgTestRead(DWORD Argc, const char *Argv[])
#define RB_TREE_INIT(Name, Free, Compare)
Initializes a RBTREE structure.
union _SIG_VERSION_OS::@33 Maximum
#define IntWinGetCurrentProcess()
PFUNC_DebuggerFunctionArgs FunctionArgs
QWORD IntKsymFindByName(const char *Name, QWORD *SymEnd)
Searches the given Name in kallsyms and returns the Start & End offset.
static void DbgFailAllocs(void)
CHAR Object[]
Contains lists of (SIG_VALUE_HASH).
EXCEPTION_SIGNATURE_ID Id
A unique id (EXCEPTION_SIGNATURE_ID).
static void DbgDumpVadRoot(DWORD Argc, const char *Argv[])
Describes a codeblocks signature.
DWORD Flags
Contains any flags from _SIGNATURE_FLG.
BOOLEAN IsUser
True if this page is accessible to user mode code.
DWORD UntrustedEptIndex
The EPTP index of the untrusted EPT.
QWORD Buffer
The guest virtual address at which the wide-character string is located.
void IntVeDumpVeInfoPages(void)
Dumps the VE info pages on all VCPUs.
#define INT_STATUS_INVALID_PARAMETER_2
INTRO_PROT_OPTIONS CoreOptions
The activation and protection options for this guest.
union _SIG_VERSION_OS::@32 Minimum
static BYTE * gPagesBitmap
static void DbgDumpVaSpace(DWORD Argc, const char *Argv[])
LIST_HEAD NoNameUserExceptions
Linked list used for user-mode exceptions that don't have a valid originator (-). ...
Describes a codeblocks signature hash.
Describes an operating system version signature.
void IntHookPtsDump(void)
Prints all the page table hooks.
BOOLEAN gInsideDebugger
Set to True when introcore is inside a debugger.
static void DbgProcList(void)
This structure describes a running process inside the guest.
LIST_HEAD VersionOsSignatures
Linked list used for operating system version signatures.
QWORD IntWinVadFindNodeInGuestSpace(QWORD VadRoot, QWORD StartPage, QWORD EndPage, DWORD Level, QWORD OldStartPage, BOOLEAN LastBranchRight)
Searches for a VAD node inside a guest VAD tree.