- Generated by
1.8.13
|
Bitdefender Hypervisor Memory Introspection
|
Defines an interface used by the introspection engine to communicate with an integrator. More...
Go to the source code of this file.
Data Structures | |
| struct | _IG_ARCH_REGS |
| Holds register state. More... | |
| struct | _IG_SEG_REGS |
| Holds segment register state. More... | |
| struct | _IG_XSAVE_AREA |
| Describes an XSAVE area format. More... | |
| struct | _IG_QUERY_MSR |
| The MSR query structure. More... | |
| struct | _GLUE_IFACE |
| Interface used for communicating between the introspection engine and the integrator. More... | |
Macros | |
| #define | IG_IA32_SYSENTER_CS 0x00000174 |
| #define | IG_IA32_SYSENTER_ESP 0x00000175 |
| #define | IG_IA32_SYSENTER_EIP 0x00000176 |
| #define | IG_IA32_MISC_ENABLE 0x000001A0 |
| #define | IG_IA32_PAT 0x00000277 |
| #define | IG_IA32_MC0_CTL 0x00000400 |
| #define | IG_IA32_EFER 0xC0000080 |
| #define | IG_IA32_STAR 0xC0000081 |
| #define | IG_IA32_LSTAR 0xC0000082 |
| #define | IG_IA32_FS_BASE 0xC0000100 |
| #define | IG_IA32_GS_BASE 0xC0000101 |
| #define | IG_IA32_KERNEL_GS_BASE 0xC0000102 |
| #define | IG_IA32_LBR_TOS 0x000001C9 |
| #define | IG_IA32_DEBUGCTL 0x000001D9 |
| #define | IG_CURRENT_VCPU 0xFFFFFFFF |
| For APIs that take a VCPU number as a parameter, this can be used to specify that the current VCPU should be used. More... | |
| #define | IG_CURRENT_EPT 0xFFFFFFFF |
| For APIs that take an ETPT index as a parameter, this can be used to specify that the current EPT should be used. More... | |
| #define | IG_INVALID_TIME 0xFFFFFFFFFFFFFFFF |
| #define | IG_DISABLE_IGNORE_SAFENESS 0x02 |
| #define | IG_PHYSMAP_NO_CACHE 0x00000001 |
| Signals that a physical mapping request should bypass any existing caches. More... | |
| #define | IG_TIMER_FREQUENCY 1 |
| The timer frequency (1 call per second). More... | |
| #define | IG_MAX_COMMAND_LINE_LENGTH 1024 |
| #define | IG_MAX_AGENT_NAME_LENGTH 32 |
| #define | GLUE_IFACE_VERSION_1 0x00010111 |
| #define | GLUE_IFACE_VERSION_1_SIZE sizeof(GLUE_IFACE) |
| #define | GLUE_IFACE_VERSION_LATEST GLUE_IFACE_VERSION_1 |
| #define | GLUE_IFACE_VERSION_LATEST_SIZE GLUE_IFACE_VERSION_1_SIZE |
Typedefs | |
| typedef struct _IG_ARCH_REGS | IG_ARCH_REGS |
| Holds register state. More... | |
| typedef struct _IG_ARCH_REGS * | PIG_ARCH_REGS |
| typedef struct _IG_SEG_REGS | IG_SEG_REGS |
| Holds segment register state. More... | |
| typedef struct _IG_SEG_REGS * | PIG_SEG_REGS |
| typedef struct _IG_XSAVE_AREA | IG_XSAVE_AREA |
| Describes an XSAVE area format. More... | |
| typedef struct _IG_XSAVE_AREA * | PIG_XSAVE_AREA |
| typedef struct _IG_QUERY_MSR | IG_QUERY_MSR |
| The MSR query structure. More... | |
| typedef struct _IG_QUERY_MSR * | PIG_QUERY_MSR |
| typedef enum _IG_EPT_HOOK_TYPE | IG_EPT_HOOK_TYPE |
| Ept violation types. More... | |
| typedef BYTE | IG_EPT_ACCESS |
| typedef enum _IG_DESC_ACCESS | IG_DESC_ACCESS |
| Descriptor table access flags. More... | |
| typedef enum _IG_GUEST_POWER_STATE | IG_GUEST_POWER_STATE |
| The guest power state. More... | |
| typedef enum _IG_LOG_LEVEL | IG_LOG_LEVEL |
| Controls the verbosity of the logs. More... | |
| typedef INTSTATUS(* | PFUNC_IntEPTViolationCallback) (void *GuestHandle, QWORD PhysicalAddress, DWORD Length, QWORD VirtualAddress, DWORD CpuNumber, INTRO_ACTION *Action, IG_EPT_ACCESS Type) |
| typedef INTSTATUS(* | PFUNC_IntMSRViolationCallback) (void *GuestHandle, DWORD Msr, IG_MSR_HOOK_TYPE Flags, INTRO_ACTION *Action, QWORD OriginalValue, QWORD *NewValue, DWORD CpuNumber) |
| typedef INTSTATUS(* | PFUNC_IntIntroCallCallback) (void *GuestHandle, QWORD Rip, DWORD Cpu) |
| typedef INTSTATUS(* | PFUNC_IntIntroTimerCallback) (void *GuestHandle) |
| typedef INTSTATUS(* | PFUNC_IntIntroDescriptorTableCallback) (void *GuestHandle, DWORD Flags, DWORD CpuNumber, INTRO_ACTION *Action) |
| typedef INTSTATUS(* | PFUNC_IntCrWriteCallback) (void *GuestHandle, DWORD Cr, DWORD CpuNumber, QWORD OldValue, QWORD NewValue, INTRO_ACTION *Action) |
| typedef INTSTATUS(* | PFUNC_IntXcrWriteCallback) (void *GuestHandle, DWORD CpuNumber, INTRO_ACTION *Action) |
| typedef INTSTATUS(* | PFUNC_IntBreakpointCallback) (void *GuestHandle, QWORD PhysicalAddress, DWORD CpuNumber) |
| typedef INTSTATUS(* | PFUNC_IntEventInjectionCallback) (void *GuestHandle, DWORD Vector, QWORD ErrorCode, QWORD Cr2, DWORD CpuNumber) |
| typedef INTSTATUS(* | PFUNC_IntEventEnginesResultCallback) (void *GuestHandle, PENG_NOTIFICATION_HEADER EngineNotification) |
| typedef INTSTATUS(* | PFUNC_IntQueryGuestInfo) (void *GuestHandle, DWORD InfoClass, void *InfoParam, void *Buffer, DWORD BufferLength) |
| API exposed by the integrator that allows introcore to obtain various information about the guest. More... | |
| typedef INTSTATUS(* | PFUNC_IntNotifyIntroAlert) (void *GuestHandle, DWORD EventClass, void *Parameters, size_t EventSize) |
| Used by introcore to report events to the integrator. More... | |
| typedef INTSTATUS(* | PFUNC_IntNotifyEngines) (void *GuestHandle, void *Parameters) |
| If implemented, introcore can use this API to signal that an additional memory scan. can be done. More... | |
| typedef INTSTATUS(* | PFUNC_IntGpaToHpa) (void *GuestHandle, QWORD Gpa, QWORD *Hpa) |
| Translates a guest physical address to a host physical address. More... | |
| typedef INTSTATUS(* | PFUNC_IntPhysMemMapToHost) (void *GuestHandle, QWORD PhysAddress, DWORD Length, DWORD Flags, void **HostPtr) |
| Maps a guest physical address to the host virtual space. More... | |
| typedef INTSTATUS(* | PFUNC_IntPhysMemUnmap) (void *GuestHandle, void **HostPtr) |
| Frees any resources allocated by a GLUE_IFACE.PhysMemMapToHost call. More... | |
| typedef INTSTATUS(* | PFUNC_IntGetPhysicalPageTypeFromMtrrs) (void *GuestHandle, QWORD Gpa, IG_MEMTYPE *MemType) |
| Returns the memory type of a guest physical page, as taken from the MTRRs. More... | |
| typedef INTSTATUS(* | PFUNC_IntGetEPTPageProtection) (void *GuestHandle, DWORD EptIndex, QWORD Address, BYTE *Read, BYTE *Write, BYTE *Execute) |
| Returns the EPT access rights for a guest physical page. More... | |
| typedef INTSTATUS(* | PFUNC_IntSetEPTPageProtection) (void *GuestHandle, DWORD EptIndex, QWORD Address, BYTE Read, BYTE Write, BYTE Execute) |
| Sets the EPT access rights for a guest physical page. More... | |
| typedef INTSTATUS(* | PFUNC_IntGetSPPPageProtection) (void *GuestHandle, QWORD Address, QWORD *SppValue) |
| Returns the SPP protection rights for a guest physical address. This API is optional. More... | |
| typedef INTSTATUS(* | PFUNC_IntSetSPPPageProtection) (void *GuestHandle, QWORD Address, QWORD SppValue) |
| Set the SPP protection rights for a guest physical address. This API is optional. More... | |
| typedef INTSTATUS(* | PFUNC_IntRegisterEPTHandler) (void *GuestHandle, PFUNC_IntEPTViolationCallback Callback) |
| Registers and EPT exit callback. More... | |
| typedef INTSTATUS(* | PFUNC_IntUnregisterEPTHandler) (void *GuestHandle) |
| Unregisters the current EPT exit callback, unsubscribing introcore from EPT violation events. More... | |
| typedef INTSTATUS(* | PFUNC_IntEnableMsrExit) (void *GuestHandle, DWORD Msr, BOOLEAN *OldValue) |
| Enables VMEXIT events for a MSR. More... | |
| typedef INTSTATUS(* | PFUNC_IntDisableMsrExit) (void *GuestHandle, DWORD Msr, BOOLEAN *OldValue) |
| Disable VMEXIT events for a MSR. More... | |
| typedef INTSTATUS(* | PFUNC_IntRegisterMSRHandler) (void *GuestHandle, PFUNC_IntMSRViolationCallback Callback) |
| Registers a MSR exit handler. More... | |
| typedef INTSTATUS(* | PFUNC_IntUnregisterMSRHandler) (void *GuestHandle) |
| Unregisters the current MSR exit callback, unsubscribing introcore from MSR violation events. More... | |
| typedef INTSTATUS(* | PFUNC_IntRegisterIntroCallHandler) (void *GuestHandle, PFUNC_IntIntroCallCallback Callback) |
| Registers a VMCALL exit handler. More... | |
| typedef INTSTATUS(* | PFUNC_IntUnregisterIntroCallHandler) (void *GuestHandle) |
| Unregisters the current VMCALL exit callback, unsubscribing introcore from VMCALL events. More... | |
| typedef INTSTATUS(* | PFUNC_IntRegisterVmxTimerHandler) (void *GuestHandle, PFUNC_IntIntroTimerCallback Callback) |
| Registers a timer callback. More... | |
| typedef INTSTATUS(* | PFUNC_IntUnregisterVmxTimerHandler) (void *GuestHandle) |
| Unregisters the current timer callback, unsubscribing introcore from timer events. More... | |
| typedef INTSTATUS(* | PFUNC_IntRegisterDescriptorTableHandler) (void *GuestHandle, PFUNC_IntIntroDescriptorTableCallback Callback) |
| Registers a descriptor table access callback. More... | |
| typedef INTSTATUS(* | PFUNC_IntUnregisterDescriptorTableHandler) (void *GuestHandle) |
| Unregisters the current descriptor table access callback, unsubscribing introcore from DTR events. More... | |
| typedef INTSTATUS(* | PFUNC_IntEnableCrWriteExit) (void *GuestHandle, DWORD Cr) |
| Enables VMEXIT events for a control register. More... | |
| typedef INTSTATUS(* | PFUNC_IntDisableCrWriteExit) (void *GuestHandle, DWORD Cr) |
| Disable VMEXIT events for a control register. More... | |
| typedef INTSTATUS(* | PFUNC_IntRegisterCrWriteHandler) (void *GuestHandle, PFUNC_IntCrWriteCallback Callback) |
| Registers a control register write callback. More... | |
| typedef INTSTATUS(* | PFUNC_IntUnregisterCrWriteHandler) (void *GuestHandle) |
| Unregisters the current control register write callback, unsubscribing introcore from CR events. More... | |
| typedef INTSTATUS(* | PFUNC_IntRegisterXcrWriteHandler) (void *GuestHandle, PFUNC_IntXcrWriteCallback Callback) |
| Registers an extended control register write callback. More... | |
| typedef INTSTATUS(* | PFUNC_IntUnregisterXcrWriteHandler) (void *GuestHandle) |
| Unregisters the current extended control register write callback, unsubscribing introcore from XCR events. More... | |
| typedef INTSTATUS(* | PFUNC_IntRegisterBreakpointHandler) (void *GuestHandle, PFUNC_IntBreakpointCallback Callback) |
| Registers a break point event callback. More... | |
| typedef INTSTATUS(* | PFUNC_IntUnregisterBreakpointHandler) (void *GuestHandle) |
| Unregisters the current break point event callback, unsubscribing introcore from BP events. More... | |
| typedef INTSTATUS(* | PFUNC_IntRegisterEventInjectionHandler) (void *GuestHandle, PFUNC_IntEventInjectionCallback Callback) |
| Registers an event injection callback. More... | |
| typedef INTSTATUS(* | PFUNC_IntUnregisterEventInjectionHandler) (void *GuestHandle) |
| Unregisters the current event injection callback. More... | |
| typedef INTSTATUS(* | PFUNC_IntRegisterEnginesResultCallback) (void *GuestHandle, PFUNC_IntEventEnginesResultCallback Callback) |
| Registers a third party scan result callback. This API is optional. More... | |
| typedef INTSTATUS(* | PFUNC_IntUnregisterEnginesResultCalback) (void *GuestHandle) |
| Unregisters the current third party scan result callback. More... | |
| typedef INTSTATUS(* | PFUNC_IntRequestVcpusPause) (void *GuestHandle) |
| Pauses all the VCPUs assigned to a guest. More... | |
| typedef INTSTATUS(* | PFUNC_IntRequestVcpusResume) (void *GuestHandle) |
| Resumes all the VCPUs assigned to a guest that were previously paused with a GLUE_IFACE.PauseVcpus call. More... | |
| typedef INTSTATUS(* | PFUNC_IntReserveVaSpaceWithPt) (void *GuestHandle, void **FirstPageBase, DWORD *PagesCount, void **PtBase) |
| Reserves a dedicated memory region inside the hypervisor page tables. This API is optional. More... | |
| typedef INTSTATUS(* | PFUNC_IntInjectTrap) (void *GuestHandle, DWORD CpuNumber, BYTE TrapNumber, DWORD ErrorCode, QWORD Cr2) |
| Injects an exception inside the guest. More... | |
| typedef INTSTATUS(* | PFUNC_IntNotifyIntrospectionDetectedOs) (void *GuestHandle, PGUEST_INFO GuestInfo) |
| Notifies the integrator that the introspection engine detected an operating system. More... | |
| typedef INTSTATUS(* | PFUNC_IntNotifyIntrospectionErrorState) (void *GuestHandle, INTRO_ERROR_STATE Error, PINTRO_ERROR_CONTEXT Context) |
| Notifies the integrator about an error encountered by the introspection engine. More... | |
| typedef INTSTATUS(* | PFUNC_IntNotifyIntrospectionActivated) (void *GuestHandle) |
| Notifies the integrator that the introspection engine is active. More... | |
| typedef INTSTATUS(* | PFUNC_IntNotifyIntrospectionDeactivated) (void *GuestHandle) |
| Notifies the integrator that the introspection engine is no longer active. More... | |
| typedef INTSTATUS(* | PFUNC_IntSetIntroEmulatorContext) (void *GuestHandle, DWORD CpuNumber, QWORD VirtualAddress, DWORD BufferSize, PBYTE Buffer) |
| Sets the memory contents with which an instruction will be emulated by the hypervisor. More... | |
| typedef INTSTATUS(* | PFUNC_IntGetAgentContent) (void *GuestHandle, DWORD AgentTag, BOOLEAN Is64, DWORD *Size, PBYTE *Content) |
| Gets the content of the agent file. This API is optional. More... | |
| typedef INTSTATUS(* | PFUNC_IntReleaseBuffer) (void *GuestHandle, void *Buffer, DWORD Size) |
| Frees all the resources associated with the given buffer. More... | |
| typedef INTSTATUS(* | PFUNC_IntToggleRepOptimization) (void *GuestHandle, BOOLEAN Enable) |
| Enables or disables the REP optimization. More... | |
| typedef INTSTATUS(* | PFUNC_IntNotifyNewGuest) (void *GuestHandle, QWORD Options, PBYTE UpdateBuffer, DWORD BufferLength) |
| Notifies introcore that the guest must be introspected. More... | |
| typedef INTSTATUS(* | PFUNC_IntDisableIntro) (void *GuestHandle, QWORD Flags) |
| Disables the introspection engine. More... | |
| typedef INTSTATUS(* | PFUNC_IntUpdateExceptions) (void *GuestHandle, PBYTE Buffer, DWORD Length, DWORD Flags) |
| Loads a new exceptions version. More... | |
| typedef INTSTATUS(* | PFUNC_IntUpdateSupport) (void *GuestHandle, PBYTE Buffer, DWORD Length) |
| Loads a new CAMI version. More... | |
| typedef INTSTATUS(* | PFUNC_IntGetSupportVersion) (void *GuestHandle, DWORD *MajorVersion, DWORD *MinorVersion, DWORD *BuildNumber) |
| Get the current version of CAMI. More... | |
| typedef INTSTATUS(* | PFUNC_IntGetExceptionsVersion) (void *GuestHandle, WORD *Major, WORD *Minor, DWORD *BuildNumber) |
| Get the current exceptions version. More... | |
| typedef INTSTATUS(* | PFUNC_IntGetGuestInfo) (void *GuestHandle, PGUEST_INFO GuestInfo) |
| Get a description of the introspected guest. More... | |
| typedef INTSTATUS(* | PFUNC_IntAddExceptionFromAlert) (void *GuestHandle, const void *Event, INTRO_EVENT_TYPE Type, BOOLEAN Exception, QWORD Context) |
| Adds an exception for an alert reported by introcore. More... | |
| typedef INTSTATUS(* | PFUNC_IntFlushAlertExceptions) (void *GuestHandle) |
| Removes all the custom exceptions added with GLUE_IFACE.AddExceptionFromAlert. More... | |
| typedef INTSTATUS(* | PFUNC_IntRemoveException) (void *GuestHandle, QWORD Context) |
| Removes a custom exception added with GLUE_IFACE.AddExceptionFromAlert. More... | |
| typedef INTSTATUS(* | PFUNC_IntAddRemoveProtectedProcessUtf16) (void *GuestHandle, const WCHAR *FullPath, DWORD ProtectionMask, BOOLEAN Add, QWORD Context) |
| Toggles protection for a process. More... | |
| typedef INTSTATUS(* | PFUNC_IntAddRemoveProtectedProcessUtf8) (void *GuestHandle, const CHAR *FullPath, DWORD ProtectionMask, BOOLEAN Add, QWORD Context) |
| Toggles protection for a process. More... | |
| typedef INTSTATUS(* | PFUNC_IntSetIntroAbortStatus) (void *GuestHandle, BOOLEAN Abort) |
| Abort the introcore loading process. More... | |
| typedef INTSTATUS(* | PFUNC_IntRemoveAllProtectedProcesses) (void *GuestHandle) |
| Removes the protection policies for all processes. More... | |
| typedef INTSTATUS(* | PFUNC_IntNotifyGuestPowerStateChange) (void *GuestHandle, IG_GUEST_POWER_STATE PowerState) |
| Notifies introcore about a guest power state change. More... | |
| typedef INTSTATUS(* | PFUNC_IntInjectProcessAgent) (void *GuestHandle, DWORD AgentTag, PBYTE AgentContent, DWORD AgentSize, const CHAR *Name, const CHAR *Args) |
| Requests a process agent injection inside the guest. More... | |
| typedef INTSTATUS(* | PFUNC_IntInjectFileAgent) (void *GuestHandle, PBYTE FileContent, DWORD FileSize, const CHAR *Name) |
| Drops a file on the guest hard disk. More... | |
| typedef INTSTATUS(* | PFUNC_IntGetCurrentInstructionLength) (void *GuestHandle, DWORD CpuNumber, BYTE *Length) |
| Returns the length of the instruction at which the current guest RIP points. More... | |
| typedef INTSTATUS(* | PFUNC_IntGetCurrentInstructionMnemonic) (void *GuestHandle, DWORD CpuNumber, CHAR *Mnemonic) |
| Returns the mnemonic of the instruction at which the current guest RIP points. More... | |
| typedef INTSTATUS(* | PFUNC_VirtualAddressSpaceCallback) (QWORD Cr3, QWORD VirtualAddress, QWORD Entry, QWORD PageSize) |
| The type of callback invoked by PFUNC_IntIterateVaSpace while iterating the guest virtual address space. More... | |
| typedef INTSTATUS(* | PFUNC_IntIterateVaSpace) (void *GuestHandle, QWORD Cr3, PFUNC_VirtualAddressSpaceCallback Callback) |
| Iterates over the guest virtual address space. More... | |
| typedef INTSTATUS(* | PFUNC_IntModifyDynamicOptions) (void *GuestHandle, QWORD NewDynamicOptions) |
| Modifies the introcore options. More... | |
| typedef INTSTATUS(* | PFUNC_IntFlushGpaCache) (void *GuestHandle) |
| Flushed the introcore GPA cache. More... | |
| typedef INTSTATUS(* | PFUNC_IntGetCurrentIntroOptions) (void *GuestHandle, QWORD *IntroOptions) |
| Get the currently used introcore options. More... | |
| typedef INTSTATUS(* | PFUNC_IntSetLogLevel) (void *GuestHandle, IG_LOG_LEVEL LogLevel) |
| Sets the log level. More... | |
| typedef INTSTATUS(* | PFUNC_IntGetVersionString) (DWORD FullStringSize, DWORD VersionStringSize, CHAR *FullString, CHAR *VersionString) |
| Get the version string information for the current guest. More... | |
| typedef INTSTATUS(* | PFUNC_IntDebugProcessCommand) (void *GuestHandle, DWORD CpuNumber, DWORD Argc, CHAR *Argv[]) |
| Executes a debugger command. More... | |
| typedef INTSTATUS(* | PFUNC_IntSetVeInfoPage) (void *GuestHandle, DWORD CpuNumber, QWORD VeInfoGpa) |
| Set the Virtualization exception info page. More... | |
| typedef INTSTATUS(* | PFUNC_IntCreateEPT) (void *GuestHandle, DWORD *EptIndex) |
| Creates a new EPT. More... | |
| typedef INTSTATUS(* | PFUNC_IntDestroyEPT) (void *GuestHandle, DWORD EptIndex) |
| Destroys an EPT. More... | |
| typedef INTSTATUS(* | PFUNC_IntSwitchEPT) (void *GuestHandle, DWORD NewEptIndex) |
| Switches the currently loaded EPT. More... | |
| typedef INTSTATUS(* | PFUNC_IntGetEPTPageConvertible) (void *GuestHandle, DWORD EptIndex, QWORD Address, BOOLEAN *Convertible) |
| Get the convertible status of a guest physical page. More... | |
| typedef INTSTATUS(* | PFUNC_IntSetEPTPageConvertible) (void *GuestHandle, DWORD EptIndex, QWORD Address, BOOLEAN Convertible) |
| Set the convertible status of a guest physical page. More... | |
| typedef INTSTATUS(* | PFUNC_IntFlushEPTPermissions) (void *GuestHandle) |
| Flushes the EPT access permissions. Once this function returns, the caller can be assured that all modifications made to the EPT ar globally visible for the guest. More... | |
| typedef struct _GLUE_IFACE | GLUE_IFACE |
| Interface used for communicating between the introspection engine and the integrator. More... | |
| typedef struct _GLUE_IFACE * | PGLUE_IFACE |
| typedef void(* | PFUNC_IntPreinit) (void) |
| typedef INTSTATUS(* | PFUNC_IntInit) (PGLUE_IFACE GlueInterface, PUPPER_IFACE UpperInterface) |
| typedef INTSTATUS(* | PFUNC_IntUninit) (void) |
| typedef BOOLEAN(* | PFUNC_IntCheckCompatibility) (DWORD IntegratorMajor, DWORD IntegratorMinor, DWORD IntegratorRevision, DWORD IntegratorBuild, DWORD *IntroMajor, DWORD *IntroMinor, DWORD *IntroRevision, DWORD *IntroBuild, DWORD Reserved) |
Defines an interface used by the introspection engine to communicate with an integrator.
Part of the interface is implemented by the introspection engine, allowing an integrator to control its behavior, while the other part needs support from the underlying hypervisor.
Definition in file glueiface.h.
| #define GLUE_IFACE_VERSION_1 0x00010111 |
Definition at line 2224 of file glueiface.h.
| #define GLUE_IFACE_VERSION_1_SIZE sizeof(GLUE_IFACE) |
Definition at line 2225 of file glueiface.h.
| #define GLUE_IFACE_VERSION_LATEST GLUE_IFACE_VERSION_1 |
Definition at line 2227 of file glueiface.h.
Referenced by IntGlueInit().
| #define GLUE_IFACE_VERSION_LATEST_SIZE GLUE_IFACE_VERSION_1_SIZE |
Definition at line 2228 of file glueiface.h.
Referenced by IntGlueInit().
| #define IG_CURRENT_EPT 0xFFFFFFFF |
For APIs that take an ETPT index as a parameter, this can be used to specify that the current EPT should be used.
Definition at line 327 of file glueiface.h.
| #define IG_CURRENT_VCPU 0xFFFFFFFF |
For APIs that take a VCPU number as a parameter, this can be used to specify that the current VCPU should be used.
Definition at line 324 of file glueiface.h.
Referenced by IntAddRemoveProtectedProcessUtf16(), IntAddRemoveProtectedProcessUtf8(), IntAlertFillCodeBlocks(), IntAlertFillExecContext(), IntAlertFillWinProcess(), IntAlertFillWinProcessCurrent(), IntApiEnter(), IntCr0Read(), IntCr3Read(), IntCr4Read(), IntCr8Read(), IntDecComputeLinearAddress(), IntDecComputeVsibLinearAddresses(), IntDecDecodeOperandSize(), IntDecEmulateRead(), IntDecGetAccessedMem(), IntDecGetMaxvl(), IntDecGetSetSseRegValue(), IntDecGetWrittenValueFromInstruction(), IntDisableIntro(), IntDisasmBuffer(), IntDisasmGva(), IntDumpGvaEx(), IntExceptDumpSignatures(), IntExceptKernelLogLinuxInformation(), IntExceptVerifyCodeBlocksSig(), IntExceptVerifyValueCodeSig(), IntFlushGpaCache(), IntGetCurrentInstructionLength(), IntGetGprs(), IntGetGuestInfo(), IntGetValueFromOperand(), IntGetVersionString(), IntGetXsaveAreaSize(), IntGuestDetectOs(), IntGuestHandleCr3Write(), IntHookGpaInit(), IntInjectFileAgentInGuest(), IntInjectProcessAgentInGuest(), IntIterateVaSpace(), IntIterateVirtualAddressSpace(), IntLixGuestIsKptiActive(), IntLixGuestNew(), IntLixTaskGetCurrentTaskStruct(), IntPeFindFunctionStart(), IntRemoveAllProtectedProcesses(), IntRipRead(), IntSerializeExtractCodeBlocks(), IntSerializeRipCode(), IntSetGprs(), IntSetValueForOperand(), IntShcIsSuspiciousCode(), IntSwapMemInjectPendingPF(), IntTranslateVirtualAddress(), IntTranslateVirtualAddressEx(), IntUpdateSupport(), IntVeFindKernelKvaShadowAndKernelExit(), IntVeHandleEPTViolationInProtectedView(), IntVeIsPtrInAgent(), IntVirtMemMap(), IntVirtMemReadWrite(), IntVirtMemSafeWrite(), IntVirtMemSet(), IntWinAgentDeployWinDriver(), IntWinAgentHandleDriverVmcall(), IntWinAgentHandleLoader1Hypercall(), IntWinAgentRestoreState32(), IntWinAgentRestoreState64(), IntWinApiHookVeHandler(), IntWinGuestFindIdleCr3(), IntWinGuestFindKernelCr3(), IntWinGuestFindSystemCr3(), IntWinGuestNew(), IntWinStackTraceGetUser(), IntWinStackUserTrapFrameGetGeneric(), IntWinThrGetCurrentStackBaseAndLimit(), IntWinThrGetCurrentThread(), and IntWinThrGetCurrentTib().
| #define IG_DISABLE_IGNORE_SAFENESS 0x02 |
If passed to GLUE_IFACE.DisableIntro, will cause introcore to unload even if this will left the guest in an unstable state.
Definition at line 365 of file glueiface.h.
Referenced by IntGuestDisableIntro(), and IntUninit().
| #define IG_IA32_DEBUGCTL 0x000001D9 |
Definition at line 151 of file glueiface.h.
Referenced by IntDebugCtlRead().
| #define IG_IA32_EFER 0xC0000080 |
Definition at line 144 of file glueiface.h.
Referenced by IntEferRead().
| #define IG_IA32_FS_BASE 0xC0000100 |
Definition at line 147 of file glueiface.h.
Referenced by IntFsRead().
| #define IG_IA32_GS_BASE 0xC0000101 |
Definition at line 148 of file glueiface.h.
Referenced by IntGsRead().
| #define IG_IA32_KERNEL_GS_BASE 0xC0000102 |
Definition at line 149 of file glueiface.h.
Referenced by IntKernelGsRead().
| #define IG_IA32_LBR_TOS 0x000001C9 |
Definition at line 150 of file glueiface.h.
Referenced by IntLbrRead().
| #define IG_IA32_LSTAR 0xC0000082 |
Definition at line 146 of file glueiface.h.
Referenced by IntExceptPrintMsrInfo(), IntHandleMsrViolation(), IntLixMsrHandleWrite(), IntMsrSyscallProtect(), IntSyscallRead(), and IntWinMsrHandleWrite().
| #define IG_IA32_MC0_CTL 0x00000400 |
Definition at line 143 of file glueiface.h.
| #define IG_IA32_MISC_ENABLE 0x000001A0 |
Definition at line 141 of file glueiface.h.
| #define IG_IA32_PAT 0x00000277 |
Definition at line 142 of file glueiface.h.
Referenced by IntTranslateVirtualAddressEx().
| #define IG_IA32_STAR 0xC0000081 |
Definition at line 145 of file glueiface.h.
Referenced by IntExceptPrintMsrInfo(), IntLixMsrHandleWrite(), IntMsrSyscallProtect(), IntSyscallRead(), and IntWinMsrHandleWrite().
| #define IG_IA32_SYSENTER_CS 0x00000174 |
Definition at line 138 of file glueiface.h.
Referenced by IntExceptPrintMsrInfo(), IntLixMsrHandleWrite(), IntMsrSyscallProtect(), IntSysenterRead(), and IntWinMsrHandleWrite().
| #define IG_IA32_SYSENTER_EIP 0x00000176 |
Definition at line 140 of file glueiface.h.
Referenced by IntExceptPrintMsrInfo(), IntLixMsrHandleWrite(), IntMsrSyscallProtect(), IntSysenterRead(), and IntWinMsrHandleWrite().
| #define IG_IA32_SYSENTER_ESP 0x00000175 |
Definition at line 139 of file glueiface.h.
Referenced by IntExceptPrintMsrInfo(), IntLixMsrHandleWrite(), IntMsrSyscallProtect(), IntSysenterRead(), and IntWinMsrHandleWrite().
| #define IG_INVALID_TIME 0xFFFFFFFFFFFFFFFF |
Definition at line 329 of file glueiface.h.
Referenced by IntGuestGetInfo(), and IntNotifyIntroDetectedOs().
| #define IG_MAX_AGENT_NAME_LENGTH 32 |
Definition at line 1712 of file glueiface.h.
Referenced by IntWinAgentInject().
| #define IG_MAX_COMMAND_LINE_LENGTH 1024 |
Definition at line 1711 of file glueiface.h.
Referenced by IntWinAgentInject().
| #define IG_PHYSMAP_NO_CACHE 0x00000001 |
Signals that a physical mapping request should bypass any existing caches.
Definition at line 368 of file glueiface.h.
Referenced by IntVirtMemMap().
| #define IG_TIMER_FREQUENCY 1 |
The timer frequency (1 call per second).
Definition at line 371 of file glueiface.h.
Referenced by IntHandleTimer().
| typedef struct _GLUE_IFACE GLUE_IFACE |
Interface used for communicating between the introspection engine and the integrator.
Before using any of the function pointers in the structure, it must be validated using the GLUE_IFACE.Version and GLUE_IFACE.Size fields in order to ensure that the introcore version used matches the one for which this header file was published.
Documentation for each function from the interface is found on the documentation for that specific function pointer.
| typedef struct _IG_ARCH_REGS IG_ARCH_REGS |
Holds register state.
| typedef enum _IG_DESC_ACCESS IG_DESC_ACCESS |
Descriptor table access flags.
IG_DESC_ACCESS_READ and IG_DESC_ACCESS_WRITE can be combined with any of the other values, describing both the descriptor table register that was accessed and the access type.
| typedef BYTE IG_EPT_ACCESS |
Definition at line 303 of file glueiface.h.
| typedef enum _IG_EPT_HOOK_TYPE IG_EPT_HOOK_TYPE |
Ept violation types.
| typedef enum _IG_GUEST_POWER_STATE IG_GUEST_POWER_STATE |
The guest power state.
| typedef enum _IG_LOG_LEVEL IG_LOG_LEVEL |
Controls the verbosity of the logs.
| typedef struct _IG_QUERY_MSR IG_QUERY_MSR |
The MSR query structure.
On GLUE_IFACE.QueryGuestInfo calls that have InfoClass set to IG_QUERY_INFO_CLASS_READ_MSR, the Buffer parameter will point to a structure of this type.
| typedef struct _IG_SEG_REGS IG_SEG_REGS |
Holds segment register state.
| typedef struct _IG_XSAVE_AREA IG_XSAVE_AREA |
Describes an XSAVE area format.
| typedef INTSTATUS(* PFUNC_IntAddRemoveProtectedProcessUtf16) (void *GuestHandle, const WCHAR *FullPath, DWORD ProtectionMask, BOOLEAN Add, QWORD Context) |
Toggles protection for a process.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in] | FullPath | The name or the full path of the process. |
| [in] | ProtectionMask | Protection flags. A combination of the Process protection options values. Ignored if Add is False. |
| [in] | Add | True if the process should be protected, False if the protection should be removed. |
| [in] | Context | Integrator-specific context that will be passed back by introcore when sending notifications related tot his process. |
| INT_STATUS_SUCCESS | in case of success. |
| INT_STATUS_POWER_STATE_BLOCK | if the operation can not be completed because the guest is transitioning to another power state. |
| INT_STATUS_NOT_SUPPORTED | if the introspection engine is preparing to unload. |
| INT_STATUS_ALREADY_INITIALIZED_HINT | if an identical protection policy already exists. |
Definition at line 1635 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntAddRemoveProtectedProcessUtf8) (void *GuestHandle, const CHAR *FullPath, DWORD ProtectionMask, BOOLEAN Add, QWORD Context) |
Toggles protection for a process.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in] | FullPath | The name or the full path of the process. |
| [in] | ProtectionMask | Protection flags. A combination of the Process protection options values. Ignored if Add is False. |
| [in] | Add | True if the process should be protected, False if the protection should be removed. |
| [in] | Context | Integrator-specific context that will be passed back by introcore when sending notifications related tot his process. |
| INT_STATUS_SUCCESS | in case of success. |
| INT_STATUS_POWER_STATE_BLOCK | if the operation can not be completed because the guest is transitioning to another power state. |
| INT_STATUS_NOT_SUPPORTED | if the introspection engine is preparing to unload. |
| INT_STATUS_ALREADY_INITIALIZED_HINT | if an identical protection policy already exists. |
Definition at line 1661 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntBreakpointCallback) (void *GuestHandle, QWORD PhysicalAddress, DWORD CpuNumber) |
Callback that must be invoked when the guest hits a breakpoint. The introspection engine registers a callback of this type with the GLUE_IFACE.RegisterBreakpointHandler API.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in] | PhysicalAddress | The guest physical address at which the instruction that triggered the breakpoint is located. |
| [in] | CpuNumber | The VCPU on which the access was attempted. |
| INT_STATUS_SUCCESS | in case of success. |
| INT_STATUS_NOT_INITIALIZED_HINT | if the introspection engine was not initialized. |
| INT_STATUS_NOT_FOUND | if this INT3 is not monitored by introcore. |
| INT_STATUS_INVALID_INTERNAL_STATE | if the exit could not be handled due to an internal error. |
| INT_STATUS_FATAL_ERROR | if an unrecoverable error was encountered. |
Definition at line 590 of file glueiface.h.
| typedef BOOLEAN(* PFUNC_IntCheckCompatibility) (DWORD IntegratorMajor, DWORD IntegratorMinor, DWORD IntegratorRevision, DWORD IntegratorBuild, DWORD *IntroMajor, DWORD *IntroMinor, DWORD *IntroRevision, DWORD *IntroBuild, DWORD Reserved) |
Definition at line 2253 of file glueiface.h.
Creates a new EPT.
This API is optional
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [out] | EptIndex | The EPTP index for the newly created EPT. |
Definition at line 1976 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntCrWriteCallback) (void *GuestHandle, DWORD Cr, DWORD CpuNumber, QWORD OldValue, QWORD NewValue, INTRO_ACTION *Action) |
Callback that must be invoked when the guest tries to modify a control register. The introspection engine registers a callback of this type with the GLUE_IFACE.RegisterCrWriteHandler API.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in] | Cr | The control register that was accessed. |
| [in] | CpuNumber | The VCPU on which the access was attempted. |
| [in] | OldValue | The original value of the register. |
| [in] | NewValue | The value that the guest attempted to write. |
| [out] | Action | The action that must be taken. |
| INT_STATUS_SUCCESS | in case of success. |
| INT_STATUS_NOT_INITIALIZED_HINT | if the introspection engine was not initialized. |
| INT_STATUS_NOT_FOUND | if introcore is not monitoring this control register. |
| INT_STATUS_INVALID_INTERNAL_STATE | if the exit could not be handled due to an internal error. |
| INT_STATUS_FATAL_ERROR | if an unrecoverable error was encountered. |
Definition at line 543 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntDebugProcessCommand) (void *GuestHandle, DWORD CpuNumber, DWORD Argc, CHAR *Argv[]) |
Executes a debugger command.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in] | CpuNumber | The current VCPU number. |
| [in] | Argc | The number of arguments. |
| [in] | Argv | An array of NULL terminated strings. |
| INT_STATUS_SUCCESS | in case of success. |
Definition at line 1937 of file glueiface.h.
Destroys an EPT.
This API is optional.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in] | EptIndex | The EPTP index of the EPT that will be deleted. |
Definition at line 1992 of file glueiface.h.
Disable VMEXIT events for a control register.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in] | Cr | The control register for which the exit is disabled. |
Definition at line 1044 of file glueiface.h.
Disables the introspection engine.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in] | Flags | Flags that control the disable method. Can be 0 or IG_DISABLE_IGNORE_SAFENESS. |
| INT_STATUS_SUCCESS | if the operation completed with success. |
| INT_STATUS_CANNOT_UNLOAD | if introcore can not be disabled at the moment. In these cases the integrator should let the guest run for a while (1 second, for example) and then try to disable introcore again. This status can not be returned if Flags is set to IG_DISABLE_IGNORE_SAFENESS. |
Definition at line 1432 of file glueiface.h.
Disable VMEXIT events for a MSR.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in] | Msr | The MSR for which the exit is disabled. |
| [out] | OldValue | True if the exit was enabled before this call, False otherwise. |
Definition at line 909 of file glueiface.h.
Enables VMEXIT events for a control register.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in] | Cr | The control register for which the exit is enabled. |
Definition at line 1030 of file glueiface.h.
Enables VMEXIT events for a MSR.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in] | Msr | The MSR for which the exit is enabled. |
| [out] | OldValue | True if the exit was already enabled, False otherwise. |
Definition at line 893 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntEPTViolationCallback) (void *GuestHandle, QWORD PhysicalAddress, DWORD Length, QWORD VirtualAddress, DWORD CpuNumber, INTRO_ACTION *Action, IG_EPT_ACCESS Type) |
Callback that must be invoked on EPT violation VMEXITs. The introspection engines registers a callback of this type with the GLUE_IFACE.RegisterEPTHandler API.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in] | PhysicalAddress | The physical address for which the exit was triggered. |
| [in] | Length | The size of the access that triggered exit. |
| [in] | VirtualAddress | The guest linear address for which the exit was triggered. |
| [in] | CpuNumber | The virtual CPU for which the exit was triggered. |
| [out] | Action | The action that must be taken. |
| [in] | Type | The type of the access. Can be a combination of IG_EPT_HOOK_TYPE values. |
| INT_STATUS_SUCCESS | in case of success. |
| INT_STATUS_NOT_INITIALIZED_HINT | if the introspection engine was not initialized. |
| INT_STATUS_FORCE_ACTION_ON_BETA | if the action should be taken even if the introspection engine is in log only (beta) mode. |
| INT_STATUS_INVALID_INTERNAL_STATE | if the exit could not be handled due to an internal error. |
| INT_STATUS_FATAL_ERROR | if an unrecoverable error was encountered. |
Definition at line 428 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntEventEnginesResultCallback) (void *GuestHandle, PENG_NOTIFICATION_HEADER EngineNotification) |
Optional callback that must be invoked with the result of additional, external, scanning methods. The introspection engine registers a callback of this type with the GLUE_IFACE.RegisterEnginesResultCallback API.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in] | EngineNotification | A pointer to a engine notification structure that was provided by introcore with a GLUE_IFACE.NotifyScanEngines API call. |
| INT_STATUS_SUCCESS | in case of success. |
| INT_STATUS_NOT_INITIALIZED_HINT | if the introspection engine was not initialized. |
Definition at line 633 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntEventInjectionCallback) (void *GuestHandle, DWORD Vector, QWORD ErrorCode, QWORD Cr2, DWORD CpuNumber) |
Callback that must be invoked when an exception is successfully injected inside the guest. The introspection engine registers a callback of this type with the GLUE_IFACE.RegisterEventInjectionHandler API.
| [in] | GuestHandle | Integrator-specific guest identifier |
| [in] | Vector | The exception vector that was injected |
| [in] | ErrorCode | The error code of the injected exception, if it exists |
| [in] | Cr2 | The Cr3 value. This parameter is valid only for page fault injections |
| [in] | CpuNumber | The VCPU on which the access was attempted |
| INT_STATUS_SUCCESS | in case of success. |
| INT_STATUS_NOT_INITIALIZED_HINT | if the introspection engine was not initialized. |
Definition at line 610 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntFlushEPTPermissions) (void *GuestHandle) |
Flushes the EPT access permissions. Once this function returns, the caller can be assured that all modifications made to the EPT ar globally visible for the guest.
This API is optional.
| [in] | GuestHandle | Integrator-specific guest identifier. |
Definition at line 2065 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntFlushGpaCache) (void *GuestHandle) |
Flushed the introcore GPA cache.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| INT_STATUS_SUCCESS | in case of success. |
| INT_STATUS_NOT_NEEDED_HINT | if there is no active GPA cache. |
| INT_STATUS_POWER_STATE_BLOCK | if the operation can not be completed because the guest is transitioning to another power state. |
Definition at line 1864 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntGetAgentContent) (void *GuestHandle, DWORD AgentTag, BOOLEAN Is64, DWORD *Size, PBYTE *Content) |
Gets the content of the agent file. This API is optional.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in] | AgentTag | The tag of the agent. See IG_AGENT_TAG for possible values. |
| [in] | Is64 | True if the contents will be for a 64-bit agent, False if not. |
| [out] | Size | The size of the agent contents. |
| [out] | Content | The pointer to the agent contents. |
Definition at line 1342 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntGetCurrentInstructionLength) (void *GuestHandle, DWORD CpuNumber, BYTE *Length) |
Returns the length of the instruction at which the current guest RIP points.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in] | CpuNumber | The VCPU for which the query is done. This can not be IG_CURRENT_VCPU. |
| [out] | Length | The length of the instruction. |
| INT_STATUS_SUCCESS | in case of success. |
| INT_STATUS_POWER_STATE_BLOCK | if the operation can not be completed because the guest is transitioning to another power state. |
Definition at line 1778 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntGetCurrentInstructionMnemonic) (void *GuestHandle, DWORD CpuNumber, CHAR *Mnemonic) |
Returns the mnemonic of the instruction at which the current guest RIP points.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in] | CpuNumber | The VCPU for which the query is done. This can not be IG_CURRENT_VCPU. |
| [out] | Mnemonic | NULL-terminated string containing the mnemonic. This buffer should have a size of at least ND_MAX_MNEMONIC_LENGTH. |
| INT_STATUS_SUCCESS | in case of success. |
| INT_STATUS_POWER_STATE_BLOCK | if the operation can not be completed because the guest is transitioning to another power state. |
Definition at line 1797 of file glueiface.h.
Get the currently used introcore options.
| [in] | GuestHandle | Integrator-specific guest identifier |
| [out] | IntroOptions | The options that are used. Will be a combination of Activation and protection flags values. |
| INT_STATUS_SUCCESS | in case of success. |
| INT_STATUS_NOT_INITIALIZED | if no guest is currently introspected. |
| INT_STATUS_POWER_STATE_BLOCK | if the operation can not be completed because the guest is transitioning to another power state. |
Definition at line 1880 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntGetEPTPageConvertible) (void *GuestHandle, DWORD EptIndex, QWORD Address, BOOLEAN *Convertible) |
Get the convertible status of a guest physical page.
This API is optional.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in] | EptIndex | The index of the EPT for which the query is done. Can be IG_CURRENT_EPT. |
| [in] | Address | The guest physical address for which the query is done. |
| [out] | Convertible | True if the page is convertible, False if it is not. |
Definition at line 2026 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntGetEPTPageProtection) (void *GuestHandle, DWORD EptIndex, QWORD Address, BYTE *Read, BYTE *Write, BYTE *Execute) |
Returns the EPT access rights for a guest physical page.
| [in] | GuestHandle | Integrator-specific guest identifier |
| [in] | EptIndex | The EPTP index of the EPT for which the query is done. Can be IG_CURRENT_EPT to signal that the currently loaded EPT should be used. |
| [in] | Address | The guest physical address for which the access rights are requested. |
| [out] | Read | 1 if the page is readable, 0 otherwise. Ignored on unsuccessful calls. |
| [out] | Write | 1 if the page is writable, 0 otherwise. Ignored on unsuccessful calls. |
| [out] | Execute | 1 if the page is executable, 0 otherwise. Ignored on unsuccessful calls. |
Definition at line 793 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntGetGuestInfo) (void *GuestHandle, PGUEST_INFO GuestInfo) |
Get a description of the introspected guest.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [out] | GuestInfo | A pointer to a GUEST_INFO structure that will contain information about the guest. |
| INT_STATUS_SUCCESS | in case of success. |
| INT_STATUS_ALREADY_INITIALIZED_HINT | if the guest is already introspected. |
| INT_STATUS_POWER_STATE_BLOCK | if the operation can not be completed because the guest is transitioning to another power state. |
Definition at line 1548 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntGetPhysicalPageTypeFromMtrrs) (void *GuestHandle, QWORD Gpa, IG_MEMTYPE *MemType) |
Returns the memory type of a guest physical page, as taken from the MTRRs.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in] | Gpa | The guest physical address for which the memory type is requested. |
| [out] | MemType | The memory type of the Gpa. |
Definition at line 773 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntGetSPPPageProtection) (void *GuestHandle, QWORD Address, QWORD *SppValue) |
Returns the SPP protection rights for a guest physical address. This API is optional.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in] | Address | The guest physical address for which the query is done. |
| [out] | SppValue | On success, will contain the SPP table entry for Address. |
Definition at line 835 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntGetSupportVersion) (void *GuestHandle, DWORD *MajorVersion, DWORD *MinorVersion, DWORD *BuildNumber) |
Get the current version of CAMI.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [out] | MajorVersion | The major version. |
| [out] | MinorVersion | The minor version. |
| [out] | BuildNumber | The build number. |
| INT_STATUS_SUCCESS | in case of success. |
| INT_STATUS_ALREADY_INITIALIZED_HINT | if the guest is already introspected. |
| INT_STATUS_POWER_STATE_BLOCK | if the operation can not be completed because the guest is transitioning to another power state. |
Definition at line 1507 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntGetVersionString) (DWORD FullStringSize, DWORD VersionStringSize, CHAR *FullString, CHAR *VersionString) |
Get the version string information for the current guest.
| [in] | FullStringSize | The size, in bytes, of the FullString buffer, including the NULL terminator. |
| [in] | VersionStringSize | The size, in bytes, of the VersionString buffer, including the NULL terminator. |
| [out] | FullString | A NULL-terminated string containing detailed version information. |
| [out] | VersionString | A NULL-terminated string containing human-readable version information. |
| INT_STATUS_SUCCESS | in case of success. |
| INT_STATUS_NOT_INITIALIZED | if no guest is currently introspected. |
| INT_STATUS_POWER_STATE_BLOCK | if the operation can not be completed because the guest is transitioning to another power state. |
| INT_STATUS_DATA_BUFFER_TOO_SMALL | if one or both of the buffers are not large enough. |
Definition at line 1914 of file glueiface.h.
Translates a guest physical address to a host physical address.
This API is optional.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in] | Gpa | Guest physical address to be translated. |
| [out] | Hpa | Host physical address at which the GPA is mapped. |
Definition at line 722 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntInit) (PGLUE_IFACE GlueInterface, PUPPER_IFACE UpperInterface) |
Definition at line 2242 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntInjectFileAgent) (void *GuestHandle, PBYTE FileContent, DWORD FileSize, const CHAR *Name) |
Drops a file on the guest hard disk.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in] | FileContent | The contents of the file. |
| [in] | FileSize | The size of the file, in bytes. |
| [in] | Name | A NULL-terminated string containing the name of the file. |
| INT_STATUS_SUCCESS | in case of success. |
| INT_STATUS_POWER_STATE_BLOCK | if the operation can not be completed because the guest is transitioning to another power state. |
| INT_STATUS_NOT_SUPPORTED | if the introspection engine is preparing to unload. |
| INT_STATUS_UNINIT_BUGCHECK | if introcore is unloading as a result of a guest crash. |
Definition at line 1759 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntInjectProcessAgent) (void *GuestHandle, DWORD AgentTag, PBYTE AgentContent, DWORD AgentSize, const CHAR *Name, const CHAR *Args) |
Requests a process agent injection inside the guest.
This function will create a new process inside the guest, running the executable provided by the integrator.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in] | AgentTag | The tag of the agent. |
| [in] | AgentContent | The contents of the agent. If AgentTag is not IG_AGENT_TAG_CUSTOM_TOOL this buffer can not be NULL. |
| [in] | AgentSize | The size of the AgentContent buffer, in bytes. |
| [in] | Name | A NULL-terminated string that contains the name the process will have inside the guest. |
| [in] | Args | A NULL-terminated string containing the arguments that will be passed to the process. Can be NULL. |
| INT_STATUS_SUCCESS | in case of success. |
| INT_STATUS_POWER_STATE_BLOCK | if the operation can not be completed because the guest is transitioning to another power state. |
| INT_STATUS_NOT_SUPPORTED | if the introspection engine is preparing to unload. |
| INT_STATUS_UNINIT_BUGCHECK | if introcore is unloading as a result of a guest crash. |
Definition at line 1735 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntInjectTrap) (void *GuestHandle, DWORD CpuNumber, BYTE TrapNumber, DWORD ErrorCode, QWORD Cr2) |
Injects an exception inside the guest.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in] | CpuNumber | The VCPU on which the injection will be done. |
| [in] | TrapNumber | The exception number. |
| [in] | ErrorCode | The error code, for exceptions that have one. |
| [in] | Cr2 | For page fault injections, the value of the CR2, ignored for other types. |
Definition at line 1240 of file glueiface.h.
Callback that must be invoked when the guest executes a VMCALL. The introspection engine registers a callback of this type with the GLUE_IFACE.RegisterIntroCallHandler API.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in] | Rip | The guest linear address of the VMCALL instruction. |
| [in] | Cpu | The VCPU number on which the VMCALL was executed. |
| INT_STATUS_SUCCESS | in case of success. |
| INT_STATUS_NOT_INITIALIZED_HINT | if the introspection engine was not initialized. |
| INT_STATUS_NOT_FOUND | if this VMCALL was not issued for the introspection engine. |
| INT_STATUS_UNINIT_BUGCHECK | if introcore is unloading as a result of a guest crash. |
| INT_STATUS_INVALID_INTERNAL_STATE | if the exit could not be handled due to an internal error. |
| INT_STATUS_FATAL_ERROR | if an unrecoverable error was encountered. |
Definition at line 483 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntIntroDescriptorTableCallback) (void *GuestHandle, DWORD Flags, DWORD CpuNumber, INTRO_ACTION *Action) |
Callback that must be invoked when the guest accesses a descriptor table register. The introspection engine registers a callback of this type with the GLUE_IFACE.RegisterDtrHandler API.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in] | Flags | Flags that describe the access. Can be a combination of IG_DESC_ACCESS values. |
| [in] | CpuNumber | The VCPU on which the access was attempted. |
| [out] | Action | Action that must be taken. |
| INT_STATUS_SUCCESS | in case of success. |
| INT_STATUS_NOT_INITIALIZED_HINT | if the introspection engine was not initialized. |
| INT_STATUS_INVALID_INTERNAL_STATE | if the exit could not be handled due to an internal error. |
| INT_STATUS_FATAL_ERROR | if an unrecoverable error was encountered. |
Definition at line 518 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntIntroTimerCallback) (void *GuestHandle) |
A periodic timer callback that must be invoked once per second. The introspection engine registers a callback of this type with the GLUE_IFACE.RegisterIntroTimerHandler API.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| INT_STATUS_SUCCESS | in case of success. |
| INT_STATUS_NOT_INITIALIZED_HINT | if the introspection engine was not initialized. |
Definition at line 499 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntIterateVaSpace) (void *GuestHandle, QWORD Cr3, PFUNC_VirtualAddressSpaceCallback Callback) |
Iterates over the guest virtual address space.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in] | Cr3 | The guest CR3 that describes the address space over which to iterate. |
| [in] | Callback | Callback that will be invoked for every valid page. |
Definition at line 1831 of file glueiface.h.
Modifies the introcore options.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in] | NewDynamicOptions | The new options. These are a combination of Activation and protection flags values. |
| INT_STATUS_SUCCESS | in case of success. |
| INT_STATUS_POWER_STATE_BLOCK | if the operation can not be completed because the guest is transitioning to another power state. |
Definition at line 1848 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntMSRViolationCallback) (void *GuestHandle, DWORD Msr, IG_MSR_HOOK_TYPE Flags, INTRO_ACTION *Action, QWORD OriginalValue, QWORD *NewValue, DWORD CpuNumber) |
Callback that must be invoked on MSR violation VMEXITs. The introspection engines registers a callback of this type with the GLUE_IFACE.RegisterMSRHandler API.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in] | Msr | The physical MSR for which the exit was triggered. |
| [in] | Flags | Flags describing the access. |
| [out] | Action | The action that must be taken. |
| [in] | OriginalValue | The original value of the MSR. |
| [out] | NewValue | The new value of the MSR, after introcore handled the access. |
| [in] | CpuNumber | The virtual CPU for which the exit was triggered. |
| INT_STATUS_SUCCESS | in case of success. |
| INT_STATUS_NOT_INITIALIZED_HINT | if the introspection engine was not initialized. |
| INT_STATUS_NOT_FOUND | if introcore is not monitoring accesses done to this MSR. |
| INT_STATUS_INVALID_INTERNAL_STATE | if the exit could not be handled due to an internal error. |
| INT_STATUS_FATAL_ERROR | if an unrecoverable error was encountered. |
Definition at line 457 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntNotifyEngines) (void *GuestHandle, void *Parameters) |
If implemented, introcore can use this API to signal that an additional memory scan. can be done.
| [in] | GuestHandle | Integrator-specific guest identifier |
| [in] | Parameters | A pointer to an event specific structure: either ENG_NOTIFICATION_CODE_EXEC, or ENG_NOTIFICATION_CMD_LINE. The buffer always starts with a ENG_NOTIFICATION_HEADER, so the type of the event can be determined based on ENG_NOTIFICATION_HEADER.Type. The buffer remains valid after this function returns so the scan can be done asynchronously. The integrator is responsible of notifying introcore when the buffer is no longer needed by invoking the notification callback registered with GLUE_IFACE.RegisterEnginesResultCallback. |
Definition at line 705 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntNotifyGuestPowerStateChange) (void *GuestHandle, IG_GUEST_POWER_STATE PowerState) |
Notifies introcore about a guest power state change.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in] | PowerState | The power state to which the guest is transitioning. |
| INT_STATUS_SUCCESS | in case of success. |
Definition at line 1706 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntNotifyIntroAlert) (void *GuestHandle, DWORD EventClass, void *Parameters, size_t EventSize) |
Used by introcore to report events to the integrator.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in] | EventClass | One of the INTRO_EVENT_TYPE values, specifying the type of event. |
| [in] | Parameters | A pointer to a event specific structure. Once this function returns, the Parameters buffer is no longer valid. |
| [in] | EventSize | The size of the Parameters buffer. |
Definition at line 682 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntNotifyIntrospectionActivated) (void *GuestHandle) |
Notifies the integrator that the introspection engine is active.
| [in] | GuestHandle | Integrator-specific guest identifier. |
Definition at line 1287 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntNotifyIntrospectionDeactivated) (void *GuestHandle) |
Notifies the integrator that the introspection engine is no longer active.
| [in] | GuestHandle | Integrator-specific guest identifier. |
Definition at line 1299 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntNotifyIntrospectionDetectedOs) (void *GuestHandle, PGUEST_INFO GuestInfo) |
Notifies the integrator that the introspection engine detected an operating system.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in] | GuestInfo | Information about the type and version of the detected operating system. |
Definition at line 1257 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntNotifyIntrospectionErrorState) (void *GuestHandle, INTRO_ERROR_STATE Error, PINTRO_ERROR_CONTEXT Context) |
Notifies the integrator about an error encountered by the introspection engine.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in] | Error | The encountered error. |
| [in] | Context | Error specific context. Not all INTRO_ERROR_STATE values have a context. Once this function returns, the Context pointer is no longer valid. |
Definition at line 1273 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntNotifyNewGuest) (void *GuestHandle, QWORD Options, PBYTE UpdateBuffer, DWORD BufferLength) |
Notifies introcore that the guest must be introspected.
| [in] | GuestHandle | Integrator-specific guest identifier. The introspection engine treats this as an opaque value. It will be passed back to the integrator when calling GLUE_IFACE APIs. It must not change while the introspection engine is running. |
| [in] | Options | Activation and protection flags. See Activation and protection flags. |
| [in] | UpdateBuffer | The CAMI buffer that will be used by introcore for information about the guest. It must remain valid until introcore calls GLUE_FACE.ReleaseBuffer. |
| [in] | BufferLength | The size of the buffer, in bytes. |
| INT_STATUS_SUCCESS | in case of success. |
| INT_STATUS_ALREADY_INITIALIZED_HINT | if the guest is already introspected. |
| INT_STATUS_POWER_STATE_BLOCK | if introcore can not introspect this guest because it is transitioning to another power state. |
| INT_STATUS_INVALID_DATA_SIZE | if the CAMI buffer is not big enough. This usually points to a corruption in the buffer. |
| INT_STATUS_INVALID_DATA_TYPE | if the CAMI buffer is corrupted. |
| INT_STATUS_NOT_SUPPORTED | if the CAMI version is not supported. |
Definition at line 1411 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntPhysMemMapToHost) (void *GuestHandle, QWORD PhysAddress, DWORD Length, DWORD Flags, void **HostPtr) |
Maps a guest physical address to the host virtual space.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in] | PhysAddress | The guest physical address that must be mapped. |
| [in] | Length | The size of the region that must be mapped, in bytes. |
| [in] | Flags | Additional flags. Currently, the only available flag is IG_PHYSMAP_NO_CACHE. |
| [out] | HostPtr | A pointer to the pointer that will map the physical memory area. This pointer must remain valid until introcore calls GLUE_IFACE.PhysMemUnmap. |
Definition at line 741 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntPhysMemUnmap) (void *GuestHandle, void **HostPtr) |
Frees any resources allocated by a GLUE_IFACE.PhysMemMapToHost call.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in,out] | HostPtr | A pointer to the pointer that maps the physical memory previously mapped. |
Definition at line 758 of file glueiface.h.
| typedef void(* PFUNC_IntPreinit) (void) |
Definition at line 2237 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntQueryGuestInfo) (void *GuestHandle, DWORD InfoClass, void *InfoParam, void *Buffer, DWORD BufferLength) |
API exposed by the integrator that allows introcore to obtain various information about the guest.
Based on the InfoClass value, the functions should get or set different guest attributes, as follows. See IG_QUERY_INFO_CLASS.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in] | InfoClass | Can be any of the IG_QUERY_INFO_CLASS values. The other parameters. have different meanings based on the value of this parameter |
| [in] | InfoParam | For IG_QUERY_INFO_CLASS values that specify a VCPU number, it is the VCPU number. For the others it is not used. It can be IG_CURRENT_VCPU for the current VCPU. |
| [in,out] | Buffer | It has different meanings based on InfoClass. See above for details. |
| [in] | BufferLength | The size of Buffer, in bytes. |
Definition at line 660 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntRegisterBreakpointHandler) (void *GuestHandle, PFUNC_IntBreakpointCallback Callback) |
Registers a break point event callback.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in] | Callback | The callback that must be invoked on break point exits. |
Definition at line 1110 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntRegisterCrWriteHandler) (void *GuestHandle, PFUNC_IntCrWriteCallback Callback) |
Registers a control register write callback.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in] | Callback | The callback that must be invoked on CR write violation exits. |
Definition at line 1058 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntRegisterDescriptorTableHandler) (void *GuestHandle, PFUNC_IntIntroDescriptorTableCallback Callback) |
Registers a descriptor table access callback.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in] | Callback | The callback that must be invoked on DTR violation exits. |
Definition at line 1004 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntRegisterEnginesResultCallback) (void *GuestHandle, PFUNC_IntEventEnginesResultCallback Callback) |
Registers a third party scan result callback. This API is optional.
If this API is implemented, PFUNC_IntUnregisterEnginesResultCalback should also be implemented.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in] | Callback | The callback that must be invoked when the third party tools finished a scan. |
Definition at line 1164 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntRegisterEPTHandler) (void *GuestHandle, PFUNC_IntEPTViolationCallback Callback) |
Registers and EPT exit callback.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in] | Callback | The callback that must be invoked on EPT violation exits. |
Definition at line 866 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntRegisterEventInjectionHandler) (void *GuestHandle, PFUNC_IntEventInjectionCallback Callback) |
Registers an event injection callback.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in] | Callback | The callback that must be invoked when an exception is injected inside the guest. |
Definition at line 1136 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntRegisterIntroCallHandler) (void *GuestHandle, PFUNC_IntIntroCallCallback Callback) |
Registers a VMCALL exit handler.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in] | Callback | The callback that must be invoked on VMCALL exits. |
Definition at line 952 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntRegisterMSRHandler) (void *GuestHandle, PFUNC_IntMSRViolationCallback Callback) |
Registers a MSR exit handler.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in] | Callback | The callback that must be invoked on MSR violation exits. |
Definition at line 926 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntRegisterVmxTimerHandler) (void *GuestHandle, PFUNC_IntIntroTimerCallback Callback) |
Registers a timer callback.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in] | Callback | The callback. |
Definition at line 978 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntRegisterXcrWriteHandler) (void *GuestHandle, PFUNC_IntXcrWriteCallback Callback) |
Registers an extended control register write callback.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in] | Callback | The callback that must be invoked on XCR write violation exits. |
Definition at line 1084 of file glueiface.h.
Frees all the resources associated with the given buffer.
This is primarily used by the CAMI update mechanism to notify the integrator when the CAMI buffer can safely be freed.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in] | Buffer | The buffer to be freed. |
| [in] | Size | The size of the buffer. |
Definition at line 1362 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntRemoveAllProtectedProcesses) (void *GuestHandle) |
Removes the protection policies for all processes.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| INT_STATUS_SUCCESS | in case of success. |
| INT_STATUS_POWER_STATE_BLOCK | if the operation can not be completed because the guest is transitioning to another power state. |
| INT_STATUS_NOT_SUPPORTED | if the introspection engine is preparing to unload. |
| INT_STATUS_ALREADY_INITIALIZED_HINT | if an identical protection policy already exists. |
Definition at line 1693 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntRequestVcpusPause) (void *GuestHandle) |
Pauses all the VCPUs assigned to a guest.
| [in] | GuestHandle | Integrator-specific guest identifier. |
Definition at line 1193 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntRequestVcpusResume) (void *GuestHandle) |
Resumes all the VCPUs assigned to a guest that were previously paused with a GLUE_IFACE.PauseVcpus call.
| [in] | GuestHandle | Integrator-specific guest identifier. |
Definition at line 1207 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntReserveVaSpaceWithPt) (void *GuestHandle, void **FirstPageBase, DWORD *PagesCount, void **PtBase) |
Reserves a dedicated memory region inside the hypervisor page tables. This API is optional.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [out] | FirstPageBase | The virtual address of the first virtual address space reserved. |
| [out] | PagesCount | The number of reserved pages. |
| [out] | PtBase | Pointer to the base of the page tables. |
Definition at line 1222 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntSetEPTPageConvertible) (void *GuestHandle, DWORD EptIndex, QWORD Address, BOOLEAN Convertible) |
Set the convertible status of a guest physical page.
This API is optional.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in] | EptIndex | The index of the EPT for which the query is done. Can be IG_CURRENT_EPT. |
| [in] | Address | The guest physical address for which the query is done. |
| [in] | Convertible | True if the page will be made convertible, False if it will be made not convertible. |
Definition at line 2046 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntSetEPTPageProtection) (void *GuestHandle, DWORD EptIndex, QWORD Address, BYTE Read, BYTE Write, BYTE Execute) |
Sets the EPT access rights for a guest physical page.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in] | EptIndex | The EPTP index of the EPT for which the query is done. Can be IG_CURRENT_EPT to signal that the currently loaded EPT should be used. |
| [in] | Address | The guest physical address for which the access rights are requested. |
| [in] | Read | 1 if the read permission is granted, 0 if not. |
| [in] | Write | 1 if the write permission is granted, 0 if not. |
| [in] | Execute | 1 if the execute permission is granted, 0 if not. |
Definition at line 816 of file glueiface.h.
Abort the introcore loading process.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| INT_STATUS_SUCCESS | in case of success. |
Definition at line 1676 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntSetIntroEmulatorContext) (void *GuestHandle, DWORD CpuNumber, QWORD VirtualAddress, DWORD BufferSize, PBYTE Buffer) |
Sets the memory contents with which an instruction will be emulated by the hypervisor.
When this function is called, the emulation of the instruction that caused the current VMEXIT should use Buffer contents instead of the real memory contents when emulating accesses in the range [VirtualAddress, VirtualAddress + BufferSize).
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in] | CpuNumber | The VCPU number. Can be IG_CURRENT_VCPU. |
| [in] | VirtualAddress | The virtual address for which the Buffer contents will be used. It is important that the hypervisor uses this address, and not the one reported by the VMEXIT as they can be different. |
| [in] | BufferSize | The size of the buffer, in bytes. |
| [in] | Buffer | The emulator context buffer. |
Definition at line 1322 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntSetLogLevel) (void *GuestHandle, IG_LOG_LEVEL LogLevel) |
Sets the log level.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in] | LogLevel | The new log level. |
| INT_STATUS_SUCCESS | in case of success. |
Definition at line 1894 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntSetSPPPageProtection) (void *GuestHandle, QWORD Address, QWORD SppValue) |
Set the SPP protection rights for a guest physical address. This API is optional.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in] | Address | The guest physical address for which the query is done. |
| [out] | SppValue | The SPP table entry for Address. |
Definition at line 851 of file glueiface.h.
Set the Virtualization exception info page.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in] | CpuNumber | The VCPU Number for which the setting is done. |
| [in] | VeInfoGpa | The guest physical address at which the info page resides. |
Definition at line 1959 of file glueiface.h.
Switches the currently loaded EPT.
This API is optional.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in] | EptIndex | The index of the EPT that will be loaded. |
Definition at line 2008 of file glueiface.h.
Enables or disables the REP optimization.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in] | Enable | True if the optimizations will be enabled, False if not. |
Definition at line 1377 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntUninit) (void) |
Definition at line 2248 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntUnregisterBreakpointHandler) (void *GuestHandle) |
Unregisters the current break point event callback, unsubscribing introcore from BP events.
| [in] | GuestHandle | Integrator-specific guest identifier. |
Definition at line 1123 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntUnregisterCrWriteHandler) (void *GuestHandle) |
Unregisters the current control register write callback, unsubscribing introcore from CR events.
| [in] | GuestHandle | Integrator-specific guest identifier. |
Definition at line 1071 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntUnregisterDescriptorTableHandler) (void *GuestHandle) |
Unregisters the current descriptor table access callback, unsubscribing introcore from DTR events.
| [in] | GuestHandle | Integrator-specific guest identifier. |
Definition at line 1017 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntUnregisterEnginesResultCalback) (void *GuestHandle) |
Unregisters the current third party scan result callback.
This API is optional, but it should be implemented if PFUNC_IntRegisterEnginesResultCallback was implemented.
| [in] | GuestHandle | Integrator-specific guest identifier. |
Definition at line 1179 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntUnregisterEPTHandler) (void *GuestHandle) |
Unregisters the current EPT exit callback, unsubscribing introcore from EPT violation events.
| [in] | GuestHandle | Integrator-specific guest identifier. |
Definition at line 879 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntUnregisterEventInjectionHandler) (void *GuestHandle) |
Unregisters the current event injection callback.
| [in] | GuestHandle | Integrator-specific guest identifier. |
Definition at line 1149 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntUnregisterIntroCallHandler) (void *GuestHandle) |
Unregisters the current VMCALL exit callback, unsubscribing introcore from VMCALL events.
| [in] | GuestHandle | Integrator-specific guest identifier. |
Definition at line 965 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntUnregisterMSRHandler) (void *GuestHandle) |
Unregisters the current MSR exit callback, unsubscribing introcore from MSR violation events.
| [in] | GuestHandle | Integrator-specific guest identifier. |
Definition at line 939 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntUnregisterVmxTimerHandler) (void *GuestHandle) |
Unregisters the current timer callback, unsubscribing introcore from timer events.
| [in] | GuestHandle | Integrator-specific guest identifier. |
Definition at line 991 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntUnregisterXcrWriteHandler) (void *GuestHandle) |
Unregisters the current extended control register write callback, unsubscribing introcore from XCR events.
| [in] | GuestHandle | Integrator-specific guest identifier. |
Definition at line 1097 of file glueiface.h.
Loads a new CAMI version.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in] | Buffer | Buffer with the update contents. This buffer should remain valid until GLUE_IFACE.ReleaseBuffer is called. |
| [in] | Length | The size of the buffer, in bytes. |
| INT_STATUS_SUCCESS | in case of success. |
| INT_STATUS_ALREADY_INITIALIZED_HINT | if the guest is already introspected. |
| INT_STATUS_POWER_STATE_BLOCK | if the operation can not be completed because the guest is transitioning to another power state. |
| INT_STATUS_INVALID_DATA_SIZE | if the CAMI buffer is not big enough. This usually points to a corruption in the buffer. |
| INT_STATUS_INVALID_DATA_TYPE | if the CAMI buffer is corrupted. |
| INT_STATUS_NOT_SUPPORTED | if the CAMI version is not supported. |
Definition at line 1487 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_IntXcrWriteCallback) (void *GuestHandle, DWORD CpuNumber, INTRO_ACTION *Action) |
Callback that must be invoked when the guest tries to modify an extended control register. The introspection engine registers a callback of this type with the GLUE_IFACE.RegisterXcrWriteHandler API.
| [in] | GuestHandle | Integrator-specific guest identifier. |
| [in] | CpuNumber | The VCPU on which the access was attempted. |
| [out] | Action | The action that must be taken. |
| INT_STATUS_SUCCESS | in case of success. |
| INT_STATUS_NOT_INITIALIZED_HINT | if the introspection engine was not initialized. |
| INT_STATUS_NOT_FOUND | if introcore is not monitoring this control register. |
| INT_STATUS_UNINIT_BUGCHECK | if introcore is unloading as a result of a guest crash. |
| INT_STATUS_INVALID_INTERNAL_STATE | if the exit could not be handled due to an internal error. |
| INT_STATUS_FATAL_ERROR | if an unrecoverable error was encountered. |
Definition at line 568 of file glueiface.h.
| typedef INTSTATUS(* PFUNC_VirtualAddressSpaceCallback) (QWORD Cr3, QWORD VirtualAddress, QWORD Entry, QWORD PageSize) |
The type of callback invoked by PFUNC_IntIterateVaSpace while iterating the guest virtual address space.
| [in] | Cr3 | The guest CR3 that describes the address space over which to iterate. |
| [in] | VirtualAddress | The guest virtual address of the current page. |
| [in] | Entry | The page table entry that maps VirtualAddress. |
| [in] | PageSize | The size of the page that maps VirtualAddress. |
Definition at line 1814 of file glueiface.h.
| typedef struct _GLUE_IFACE * PGLUE_IFACE |
| typedef struct _IG_ARCH_REGS * PIG_ARCH_REGS |
| typedef struct _IG_QUERY_MSR * PIG_QUERY_MSR |
| typedef struct _IG_SEG_REGS * PIG_SEG_REGS |
| typedef struct _IG_XSAVE_AREA * PIG_XSAVE_AREA |
| enum _IG_DESC_ACCESS |
Descriptor table access flags.
IG_DESC_ACCESS_READ and IG_DESC_ACCESS_WRITE can be combined with any of the other values, describing both the descriptor table register that was accessed and the access type.
Definition at line 311 of file glueiface.h.
| enum _IG_EPT_HOOK_TYPE |
Ept violation types.
| Enumerator | |
|---|---|
| IG_EPT_HOOK_NONE | No access type. This can be used for swap hooks. |
| IG_EPT_HOOK_READ | Read-access hook. |
| IG_EPT_HOOK_WRITE | Write-access hook. |
| IG_EPT_HOOK_EXECUTE | Execute-access hook. |
Definition at line 295 of file glueiface.h.
The guest power state.
Definition at line 377 of file glueiface.h.
| enum _IG_LOG_LEVEL |
Controls the verbosity of the logs.
Definition at line 389 of file glueiface.h.
| enum IG_AGENT_TAG |
Deployable agent tags.
Definition at line 335 of file glueiface.h.
| enum IG_CS_RING |
The current protection level.
| Enumerator | |
|---|---|
| IG_CS_RING_0 | |
| IG_CS_RING_1 | |
| IG_CS_RING_2 | |
| IG_CS_RING_3 | |
Definition at line 195 of file glueiface.h.
| enum IG_CS_TYPE |
The type of the code segment.
| Enumerator | |
|---|---|
| IG_CS_TYPE_INVALID | Invalid selector. |
| IG_CS_TYPE_16B | 16-bit selector. |
| IG_CS_TYPE_32B | 32-bit selector. |
| IG_CS_TYPE_64B | 64-bit selector. |
Definition at line 183 of file glueiface.h.
| enum IG_MEMTYPE |
Memory type values.
| Enumerator | |
|---|---|
| IG_MEM_UC | Uncacheable. |
| IG_MEM_WC | Write-combining. |
| IG_MEM_WT | Write-through. |
| IG_MEM_WP | Write-protect. |
| IG_MEM_WB | Write-back. |
| IG_MEM_UC_MINUS | |
| IG_MEM_UNKNOWN | Unknown memory type. |
Definition at line 157 of file glueiface.h.
| enum IG_MSR_HOOK_TYPE |
The type of the MSR access.
| Enumerator | |
|---|---|
| IG_MSR_HOOK_READ | Read access. |
| IG_MSR_HOOK_WRITE | Write access. |
| IG_MSR_HOOK_BOTH | Read-write access. |
Definition at line 171 of file glueiface.h.
| enum IG_QUERY_INFO_CLASS |
Describes the type of query done by GLUE_IFACE.QueryGuestInfo.
| Enumerator | |
|---|---|
| IG_QUERY_INFO_CLASS_REGISTER_STATE | Get the guest register state for a VCPU. Buffer points to a IG_ARCH_REGS structure. |
| IG_QUERY_INFO_CLASS_READ_MSR | Get the value of a MSR for a VCPU. Buffer points to a IG_QUERY_MSR structure. |
| IG_QUERY_INFO_CLASS_IDT | Get the value of the IDT base for a VCPU. |
| IG_QUERY_INFO_CLASS_GDT | Get the value of the IDT base for a VCPU. |
| IG_QUERY_INFO_CLASS_CPU_COUNT | Get the number of VCPUs available to the guest. |
| IG_QUERY_INFO_CLASS_SET_REGISTERS | Set the guest register state for a certain VCPU. Buffer points to a IG_ARCH_REGS structure. Should not set IG_ARCH_REGS.IdtBase, IG_ARCH_REGS.IdtLimit, IG_ARCH_REGS.GdtBase or IG_ARCH_REGS.GdtLimit. |
| IG_QUERY_INFO_CLASS_TSC_SPEED | Get the TSC speed. |
| IG_QUERY_INFO_CLASS_CURRENT_TID | Get the current VCPU number. |
| IG_QUERY_INFO_CLASS_REGISTER_STATE_GPRS | Similar to IG_QUERY_INFO_CLASS_REGISTER_STATE, but will get only the general purpose registers, from RAX to R15. |
| IG_QUERY_INFO_CLASS_CS_TYPE | Get the code segment type for a VCPU. Buffer points to a IG_CS_TYPE enum. |
| IG_QUERY_INFO_CLASS_CS_RING | Get the current privilege level for a VCPU. Buffer points to a IG_CS_RING enum. |
| IG_QUERY_INFO_CLASS_SEG_REGISTERS | Get the segment registers for the current VCPU. Buffer points to a IG_SEG_REGS structure. |
| IG_QUERY_INFO_CLASS_XSAVE_SIZE | Get the size of the guest XSAVE area for a VCPU. |
| IG_QUERY_INFO_CLASS_XSAVE_AREA | Get the guest XSAVE area for a VCPU. |
| IG_QUERY_INFO_CLASS_EPTP_INDEX | Get the current EPTP index for the current VCPU. |
| IG_QUERY_INFO_CLASS_MAX_GPFN | Get the max guest physical frame number available to the guest. This should be the last valid PFN available to the guest. |
| IG_QUERY_INFO_CLASS_SET_XSAVE_AREA | Set the guest XSAVE area for a VCPU. This query is optional. |
| IG_QUERY_INFO_CLASS_GET_XCR0 | Get the guest XCR0 value for a VCPU. |
| IG_QUERY_INFO_CLASS_VE_SUPPORT | Get the availability of the Virtualization Exception feature in hardware and the hypervisor. |
| IG_QUERY_INFO_CLASS_VMFUNC_SUPPORT | Get the availability of the VMFUNC feature in hardware and the hypervisor. |
| IG_QUERY_INFO_CLASS_SPP_SUPPORT | Get the availability of the SPP feature in hardware and the hypervisor. |
| IG_QUERY_INFO_CLASS_DTR_SUPPORT | Get the availability of the IDTR/GDTR exits. |
Definition at line 220 of file glueiface.h.
1.8.13