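/**
 * @brief Checks whether an argument encoding refers to a register.
 *
 * Register encodings are indices below the guest's general purpose register
 * count: 16 on 64-bit guests, 8 on 32-bit guests (selected by gGuest.Guest64).
 * Any other encoding is produced by DET_ARG_STACK and must be tested with
 * DET_ARG_ON_STACK.
 */
#define DET_ARG_REGS(Arg)           (gGuest.Guest64 ? ((DWORD)(Arg) < 16) : ((DWORD)(Arg) < 8))

/**
 * @brief Encodes the Index-th stack slot as a detour argument.
 *
 * The slot index is kept in the upper 16 bits and the lower 16 bits are all
 * set as the "on stack" marker, so Index must fit in 16 bits; larger values
 * would be truncated by the shift into a DWORD.
 */
#define DET_ARG_STACK(Index)        (((DWORD)(Index) << 16) | 0xFFFF)

/** @brief True if the encoded argument lives on the stack (low 16 bits all set). */
#define DET_ARG_ON_STACK(Arg)       (((DWORD)(Arg) & 0xFFFF) == 0xFFFF)

/**
 * @brief Offset of a stack-encoded argument, in guest words scaled by gGuest.WordSize.
 *
 * Only meaningful when DET_ARG_ON_STACK(Arg) holds; for a register encoding the
 * upper 16 bits are zero and the result is 0.
 */
#define DET_ARG_STACK_OFFSET(Arg)   (((DWORD)(Arg) >> 16) * gGuest.WordSize)

/** @brief The maximum number of arguments passed from the guest to introcore. */
#define DET_ARGS_MAX                8

/** @brief Default argument layout for Linux x64: six register arguments, then stack slots 1 and 2. */
#define DET_ARGS_DEFAULT_LIX        {.Argc = DET_ARGS_MAX, .Argv = {NDR_RDI, NDR_RSI, NDR_RDX, NDR_RCX, \
                                                                    NDR_R8, NDR_R9, DET_ARG_STACK(1), DET_ARG_STACK(2)}}

/**
 * @brief Default argument layout for Windows x64: four register arguments, then stack slots 5 to 8.
 *
 * Slots 1 to 4 are deliberately skipped (presumably the register home area of
 * the x64 calling convention; confirm against the handler code that reads them).
 */
#define DET_ARGS_DEFAULT_WIN64      {.Argc = DET_ARGS_MAX, .Argv = {NDR_RCX, NDR_RDX, NDR_R8, NDR_R9, \
                                                                    DET_ARG_STACK(5), DET_ARG_STACK(6), DET_ARG_STACK(7), DET_ARG_STACK(8)}}

/** @brief Default argument layout for Windows x86: all eight arguments on the stack, slots 1 to 8. */
#define DET_ARGS_DEFAULT_WIN86      {.Argc = DET_ARGS_MAX, \
                                     .Argv = {DET_ARG_STACK(1), DET_ARG_STACK(2), DET_ARG_STACK(3), DET_ARG_STACK(4), \
                                              DET_ARG_STACK(5), DET_ARG_STACK(6), DET_ARG_STACK(7), DET_ARG_STACK(8)}}

/** @brief The maximum size of an in-guest detour handler; API_HOOK_HANDLER.CodeLength must not exceed it. */
#define DETOUR_MAX_HANDLER_SIZE     512

/** @brief The maximum number of handlers a detour can have. */
#define DETOUR_MAX_HANDLERS         8

/* … not shown in this excerpt: the parameter line `_In_ void *Descriptor` of a prototype whose start and end fall outside it … */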
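/** @brief The maximum size of the PublicDataName field inside the API_HOOK_PUBLIC_DATA structure. */
#define PUBLIC_DATA_MAX_NAME_SIZE   16

/** @brief The maximum number of entries in the PublicDataOffsets array inside the API_HOOK_HANDLER structure. */
#define PUBLIC_DATA_MAX_DESCRIPTORS 5

/** @brief MinVersion value that accepts any OS version (no lower bound). */
#define DETOUR_MIN_VERSION_ANY      0

/** @brief MaxVersion value that accepts any OS version (no upper bound); fits a DWORD. */
#define DETOUR_MAX_VERSION_ANY      0xFFFFFFFF

/**
 * @brief Sentinel meaning "no valid hypercall".
 *
 * Fits the BYTE-sized HypercallOffset field; presumably stored there for
 * handlers that do not issue a hypercall — confirm against the detour code.
 */
#define DETOUR_INVALID_HYPERCALL    0xFF

/* … not shown in this excerpt: the field `char *HijackFunctionName;` of a structure whose definition falls outside it … */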
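/**
 * @brief EnableFlags value for a hook that should be set regardless of the active options.
 *
 * All 64 bits are set. How the mask is compared with the current gGuest options
 * is decided by the detour code, which is not part of this excerpt.
 */
#define DETOUR_ENABLE_ALWAYS        0xFFFFFFFFFFFFFFFF

/* … not shown in this excerpt: the parameter line `_In_ void const *Detour,` of a prototype whose start and end fall outside it … */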
602 _In_ void const *Detour,
609 _In_ void const *Detour,
617 _In_ void const *Data,
619 _In_ char const *PublicDataName
628 #endif // _DETOURS_H_
QWORD LixGuestDetour
The address of the linux-detour header.
BOOLEAN IntDetIsPtrInRelocatedCode(QWORD Ptr, DETOUR_TAG *Tag)
Checks if a guest pointer is inside the modified prologue of a function.
PWCHAR ModuleName
NULL-terminated string of the kernel module in which the function is found.
QWORD HandlerAddress
The guest virtual address of the detour handler.
INTSTATUS IntDetEnableDetour(DETOUR_TAG Tag)
Enables a detour based on its tag.
DWORD HandlersCount
The number of valid entries inside the Handlers array.
QWORD EnableFlags
Core activation and protection flags that must be set in order to set and activate this hook...
BYTE NrPublicDataOffsets
The number of valid entries inside the PublicDataOffsets array.
DWORD Argc
The number of valid entries inside the Argv array.
struct _API_HOOK_HANDLER * PAPI_HOOK_HANDLER
BYTE HypercallOffset
The offset inside the handler at which the hypercall instruction is placed.
DWORD MaxVersion
The maximum version of the OS for which this handler works.
INTSTATUS(* PFUNC_PostDetourCallback)(void *Handler)
The type of a callback invoked after a detour is set.
Describes a detour handler.
QWORD HitCount
The number of times this detour issued a hypercall.
Describes a detour set inside the guest memory.
DWORD MinVersion
The minimum version of the OS for which this handler works.
void IntDetUninit(void)
Uninitializes the detour module.
INTSTATUS IntDetSetReturnValue(DETOUR const *Detour, IG_ARCH_REGS *Registers, QWORD ReturnValue)
Sets the return value for a hooked guest function.
QWORD HypercallAddress
The guest virtual address at which the hypercall is placed.
struct _DETOUR_ARGS DETOUR_ARGS
Describes the arguments passed by an in-guest detour handler to introcore.
struct _API_HOOK_PUBLIC_DATA API_HOOK_PUBLIC_DATA
Public data which allows for external modification to an in-guest hook handler.
int INTSTATUS
The status data type.
struct _DETOUR DETOUR
Describes a detour set inside the guest memory.
QWORD EnableFlags
These are checked against the current options from gGuest.
DWORD CodeLength
The size of the handler. Must not be larger than DETOUR_MAX_HANDLER_SIZE.
#define DETOUR_MAX_HANDLERS
The maximum number of handlers a detour can have.
QWORD DisableFlags
Core activation and protection flags that will cause introcore to skip this hook. ...
#define _Out_writes_(expr)
The detour will use a INT3 instruction in order to notify introcore about an event.
PFUNC_DetourCallback Callback
Callback to be invoked when the detour issues a hypercall. May be NULL.
DWORD MaxVersion
The maximum OS version for which this hook should be applied.
PFUNC_DetourCallback Callback
Callback to be invoked when the detour issues a hypercall. May be NULL.
void * FunctionCloakHandle
The memory cloak handle used to hide the modified function start. See Memory cloaking.
No hypercall. This detour does not generate events.
BYTE HypercallOffset
Offset, relative to HandlerAddress, where the hypercall instruction is found.
DETOUR_ARGS Arguments
Encoding of the arguments needed by introcore from the hooked function.
DWORD Argv[DET_ARGS_MAX]
Argument encoding. See DET_ARG_REGS and DET_ARG_ON_STACK.
INTSTATUS IntDetModifyPublicData(DETOUR_TAG Tag, void const *Data, DWORD DataSize, char const *PublicDataName)
Modifies public parts of a detour handler.
INTSTATUS IntDetGetAddrAndTag(QWORD Ptr, QWORD *Address, DWORD *Size, DETOUR_TAG *Tag)
Checks if Ptr is inside a detour handler and returns the detour's handler address, size and tag.
Public data which allows for external modification to an in-guest hook handler.
PAPI_HOOK_DESCRIPTOR Descriptor
The hook descriptor for which this hook was set.
HYPERCALL_TYPE HypercallType
The type of the hypercall that this detour uses.
void IntDetDumpDetours(void)
Prints all the detours in the gDetours list of detours.
Must always be the last one.
INTSTATUS IntDetSetHook(QWORD FunctionAddress, QWORD ModuleBase, API_HOOK_DESCRIPTOR *Descriptor, API_HOOK_HANDLER *Handler)
Will inject code inside the guest.
#define DETOUR_MAX_HANDLER_SIZE
The maximum size of an in-guest detour handler.
BOOLEAN IntDetIsPtrInHandler(QWORD Ptr, THS_PTR_TYPE Type, DETOUR_TAG *Tag)
Checks if a guest pointer is inside a detour handler.
INTSTATUS IntDetSetLixHook(QWORD FunctionAddress, const LIX_FN_DETOUR *FnDetour, BOOLEAN *MultipleInstructions)
Detours a function from the guest.
HYPERCALL_TYPE HypercallType
The type of hypercall used.
QWORD FunctionAddress
The guest virtual address of the hooked function.
INTSTATUS IntDetGetArgument(void const *Detour, DWORD Index, BYTE const *StackBuffer, DWORD StackBufferSize, QWORD *Value)
Reads the specified argument for a detour.
INTSTATUS(* PFUNC_PreDetourCallback)(QWORD FunctionAddress, void *Handler, void *Descriptor)
The type of a callback invoked before setting a detour.
INTSTATUS IntDetCallCallback(void)
Calls the appropriate detour handler for hypercall.
PFUNC_PostDetourCallback PostCallback
Callback to be invoked after the detour has been set. May be NULL.
PFUNC_PreDetourCallback PreCallback
Callback to be invoked before the detour is written inside the guest. May be NULL.
Describes a function that is not exported.
HYPERCALL_TYPE
The type of the hypercall used by a detour.
DWORD HandlerSize
The size of the detour handler.
INTSTATUS IntDetPatchArgument(void const *Detour, DWORD Index, QWORD Value)
Modifies the value of a detour argument.
DWORD MinVersion
The minimum OS version for which this hook should be applied.
INTSTATUS IntDetDisableDetour(DETOUR_TAG Tag)
Disables a detour based on its tag.
INTSTATUS IntDetGetArguments(void const *Detour, DWORD Argc, QWORD *Argv)
Reads multiple arguments from a detour.
LIST_ENTRY Link
The link inside the DETOURS_STATE.DetoursList list.
BYTE JumpBackOffset
Offset, relative to HandlerAddress, where the jump that returns control to the hooked function is fou...
BOOLEAN Exported
True if this function is exported by the module that owns it.
struct _API_HOOK_DESCRIPTOR API_HOOK_DESCRIPTOR
Describes a function to be hooked.
DETOUR_ID Id
The DETOUR_ID of the linux detour descriptor.
Describes the arguments passed by an in-guest detour handler to introcore.
void IntDetDisableAllHooks(void)
Removes all detours from the guest.
THS_PTR_TYPE
The type of pointer to be checked.
WIN_UNEXPORTED_FUNCTION * Patterns
Array of code patterns used to find this function.
QWORD ModuleBase
The guest virtual address of the base of the kernel module that owns the hooked function.
BYTE PublicDataOffset
The offset at which the data is available inside the detour handler.
BYTE RelocatedCodeLength
The size of the relocated code.
void * HandlerCloakHandle
The memory cloak handle used to hide the detour handler. See Memory cloaking.
INTSTATUS(* PFUNC_DetourCallback)(void *Detour)
The type of a detour callback.
const LIX_FN_DETOUR * LixFnDetour
struct _LIX_FN_DETOUR LIX_FN_DETOUR
Describes a Linux function to be hooked.
BYTE RelocatedCodeOffset
The offset inside the handler at which the original instructions were relocated.
BYTE NrPublicDataOffsets
The number of valid entries inside the PublicDataOffsets array.
struct _API_HOOK_DESCRIPTOR * PAPI_HOOK_DESCRIPTOR
BOOLEAN NotCritical
If True, this hook is not critical.
PFUNC_LixDetourCallback Callback
Callback to be invoked when the detour issues a hypercall.
QWORD IntDetRelocatePtrIfNeeded(QWORD Ptr)
Returns the new value Ptr should have if it is currently pointing inside a relocated prologue...
INTSTATUS(* PFUNC_LixDetourCallback)(void *Detour)
The type of a linux-detour callback.
BYTE PublicDataSize
The size of the data.
INTSTATUS IntDetGetFunctionAddressByTag(DETOUR_TAG Tag, QWORD *FunctionAddress)
Gets a detour function address by its tag.
DETOUR_TAG
Unique tag used to identify a detour.
BOOLEAN Disabled
True if this detour has been disabled.
struct _API_HOOK_PUBLIC_DATA * PAPI_HOOK_PUBLIC_DATA
INTSTATUS IntDetGetByTag(DETOUR_TAG Tag, QWORD *Address, DWORD *Size)
Gets a detour handler address and size by its tag.
PCHAR FunctionName
NULL-terminated string of the function name.
DETOUR_TAG Tag
Detour tag.
BYTE RelocatedCodeOffset
Offset, relative to HandlerAddress, where the prologue that has been replaced by our jump at the begi...
struct _API_HOOK_HANDLER API_HOOK_HANDLER
Describes a detour handler.
#define DET_ARGS_MAX
The maximum number of arguments passed from the guest to introcore.
Describes a function to be hooked.
The detour will use a VMCALL instruction in order to notify introcore about an event.
DETOUR_TAG Tag
Detour tag.
#define PUBLIC_DATA_MAX_NAME_SIZE
The maximum size of the PublicDataName field inside the API_HOOK_PUBLIC_DATA structure.
Describes a Linux function to be hooked.
#define PUBLIC_DATA_MAX_DESCRIPTORS
The maximum number of entries in the PublicDataOffsets array inside the API_HOOK_HANDLER structure...