138 #define IG_IA32_SYSENTER_CS 0x00000174 139 #define IG_IA32_SYSENTER_ESP 0x00000175 140 #define IG_IA32_SYSENTER_EIP 0x00000176 141 #define IG_IA32_MISC_ENABLE 0x000001A0 142 #define IG_IA32_PAT 0x00000277 143 #define IG_IA32_MC0_CTL 0x00000400 144 #define IG_IA32_EFER 0xC0000080 145 #define IG_IA32_STAR 0xC0000081 146 #define IG_IA32_LSTAR 0xC0000082 147 #define IG_IA32_FS_BASE 0xC0000100 148 #define IG_IA32_GS_BASE 0xC0000101 149 #define IG_IA32_KERNEL_GS_BASE 0xC0000102 150 #define IG_IA32_LBR_TOS 0x000001C9 151 #define IG_IA32_DEBUGCTL 0x000001D9 324 #define IG_CURRENT_VCPU 0xFFFFFFFF 327 #define IG_CURRENT_EPT 0xFFFFFFFF 329 #define IG_INVALID_TIME 0xFFFFFFFFFFFFFFFF 365 #define IG_DISABLE_IGNORE_SAFENESS 0x02 368 #define IG_PHYSMAP_NO_CACHE 0x00000001 371 #define IG_TIMER_FREQUENCY 1 429 _In_ void *GuestHandle,
435 _In_ IG_EPT_ACCESS Type
458 _In_ void *GuestHandle,
484 _In_ void *GuestHandle,
500 _In_ void *GuestHandle
519 _In_ void *GuestHandle,
544 _In_ void *GuestHandle,
569 _In_ void *GuestHandle,
591 _In_ void *GuestHandle,
611 _In_ void *GuestHandle,
634 _In_ void *GuestHandle,
661 _In_ void *GuestHandle,
683 _In_ void *GuestHandle,
686 _In_ size_t EventSize
706 _In_ void *GuestHandle,
723 _In_ void *GuestHandle,
742 _In_ void *GuestHandle,
759 _In_ void *GuestHandle,
774 _In_ void *GuestHandle,
794 _In_ void *GuestHandle,
817 _In_ void *GuestHandle,
836 _In_ void *GuestHandle,
852 _In_ void *GuestHandle,
867 _In_ void *GuestHandle,
880 _In_ void *GuestHandle
894 _In_ void *GuestHandle,
910 _In_ void *GuestHandle,
927 _In_ void *GuestHandle,
940 _In_ void *GuestHandle
953 _In_ void *GuestHandle,
966 _In_ void *GuestHandle
979 _In_ void *GuestHandle,
992 _In_ void *GuestHandle
1005 _In_ void *GuestHandle,
1018 _In_ void *GuestHandle
1031 _In_ void *GuestHandle,
1045 _In_ void *GuestHandle,
1059 _In_ void *GuestHandle,
1072 _In_ void *GuestHandle
1085 _In_ void *GuestHandle,
1098 _In_ void *GuestHandle
1111 _In_ void *GuestHandle,
1124 _In_ void *GuestHandle
1137 _In_ void *GuestHandle,
1150 _In_ void *GuestHandle
1165 _In_ void *GuestHandle,
1180 _In_ void *GuestHandle
1194 _In_ void *GuestHandle
1208 _In_ void *GuestHandle
1223 _In_ void *GuestHandle,
1241 _In_ void *GuestHandle,
1258 _In_ void *GuestHandle,
1274 _In_ void *GuestHandle,
1288 _In_ void *GuestHandle
1300 _In_ void *GuestHandle
1323 _In_ void *GuestHandle,
1343 _In_ void *GuestHandle,
1363 _In_ void *GuestHandle,
1378 _In_ void *GuestHandle,
1412 _In_ void *GuestHandle,
1433 _In_ void *GuestHandle,
1461 _In_ void *GuestHandle,
1488 _In_ void *GuestHandle,
1508 _In_ void *GuestHandle,
1530 _In_ void *GuestHandle,
1549 _In_ void *GuestHandle,
1575 _In_ void *GuestHandle,
1576 _In_ const void *Event,
1595 _In_ void *GuestHandle
1613 _In_ void *GuestHandle,
1636 _In_ void *GuestHandle,
1662 _In_ void *GuestHandle,
1677 _In_ void *GuestHandle,
1694 _In_ void *GuestHandle
1707 _In_ void *GuestHandle,
1708 _In_ IG_GUEST_POWER_STATE PowerState
1711 #define IG_MAX_COMMAND_LINE_LENGTH 1024 1712 #define IG_MAX_AGENT_NAME_LENGTH 32 1736 _In_ void *GuestHandle,
1760 _In_ void *GuestHandle,
1779 _In_ void *GuestHandle,
1798 _In_ void *GuestHandle,
1832 _In_ void *GuestHandle,
1849 _In_ void *GuestHandle,
1865 _In_ void *GuestHandle
1881 _In_ void *GuestHandle,
1895 _In_ void *GuestHandle,
1896 _In_ IG_LOG_LEVEL LogLevel
1938 _In_ void *GuestHandle,
1960 _In_ void *GuestHandle,
1977 _In_ void *GuestHandle,
1993 _In_ void *GuestHandle,
2009 _In_ void *GuestHandle,
2027 _In_ void *GuestHandle,
2047 _In_ void *GuestHandle,
2066 _In_ void* GuestHandle
2224 #define GLUE_IFACE_VERSION_1 0x00010111 2225 #define GLUE_IFACE_VERSION_1_SIZE sizeof(GLUE_IFACE) 2227 #define GLUE_IFACE_VERSION_LATEST GLUE_IFACE_VERSION_1 2228 #define GLUE_IFACE_VERSION_LATEST_SIZE GLUE_IFACE_VERSION_1_SIZE 2243 _In_ PGLUE_IFACE GlueInterface,
2271 #endif // _GLUEIFACE_H_
INTSTATUS(* PFUNC_IntUnregisterXcrWriteHandler)(void *GuestHandle)
Unregisters the current extended control register write callback, unsubscribing introcore from XCR ev...
Get the guest XCR0 value for a VCPU.
INTSTATUS(* PFUNC_IntGetGuestInfo)(void *GuestHandle, PGUEST_INFO GuestInfo)
Get a description of the introspected guest.
PFUNC_IntNotifyNewGuest NewGuestNotification
PFUNC_IntUnregisterBreakpointHandler UnregisterBreakpointHandler
PFUNC_IntUnregisterIntroCallHandler UnregisterIntroCallHandler
QWORD Value
The value of the MSR.
INTSTATUS(* PFUNC_IntGetSPPPageProtection)(void *GuestHandle, QWORD Address, QWORD *SppValue)
Returns the SPP protection rights for a guest physical address. This API is optional.
Describes an XSAVE area format.
PFUNC_IntGetExceptionsVersion GetExceptionsVersion
struct _IG_XSAVE_AREA IG_XSAVE_AREA
Describes an XSAVE area format.
Dummy agent used to demo the feature.
PFUNC_IntGetCurrentInstructionMnemonic GetCurrentInstructionMnemonic
INTSTATUS(* PFUNC_IntModifyDynamicOptions)(void *GuestHandle, QWORD NewDynamicOptions)
Modifies the introcore options.
void(* PFUNC_IntPreinit)(void)
PFUNC_IntNotifyIntrospectionDetectedOs NotifyIntrospectionDetectedOs
INTSTATUS(* PFUNC_IntGetCurrentIntroOptions)(void *GuestHandle, QWORD *IntroOptions)
Get the currently used introcore options.
PFUNC_IntRegisterXcrWriteHandler RegisterXcrWriteHandler
PFUNC_IntGetEPTPageProtection GetEPTPageProtection
The Linux version of the remediation tool.
PFUNC_IntUnregisterDescriptorTableHandler UnregisterDtrHandler
PFUNC_IntRemoveAllProtectedProcesses RemoveAllProtectedProcesses
INTSTATUS(* PFUNC_IntRegisterMSRHandler)(void *GuestHandle, PFUNC_IntMSRViolationCallback Callback)
Registers a MSR exit handler.
PFUNC_IntGetAgentContent GetAgentContent
#define _Out_writes_bytes_(expr)
INTSTATUS(* PFUNC_IntNotifyIntroAlert)(void *GuestHandle, DWORD EventClass, void *Parameters, size_t EventSize)
Used by introcore to report events to the integrator.
IG_QUERY_INFO_CLASS
Describes the type of query done by GLUE_IFACE.QueryGuestInfo.
PFUNC_IntRegisterVmxTimerHandler RegisterIntroTimerHandler
Get the availability of the IDTR/GDTR exits.
INTSTATUS(* PFUNC_VirtualAddressSpaceCallback)(QWORD Cr3, QWORD VirtualAddress, QWORD Entry, QWORD PageSize)
The type of callback invoked by PFUNC_IntIterateVaSpace while iterating the guest virtual address spa...
INTSTATUS(* PFUNC_IntNotifyIntrospectionErrorState)(void *GuestHandle, INTRO_ERROR_STATE Error, PINTRO_ERROR_CONTEXT Context)
Notifies the integrator about an error encountered by the introspection engine.
PFUNC_IntPhysMemUnmap PhysMemUnmap
_IG_DESC_ACCESS
Descriptor table access flags.
PFUNC_IntUnregisterVmxTimerHandler UnregisterIntroTimerHandler
PFUNC_IntRequestVcpusResume ResumeVcpus
PFUNC_IntInjectTrap InjectTrap
Interface that exposes basic services to the introspection engines.
INTSTATUS(* PFUNC_IntRegisterBreakpointHandler)(void *GuestHandle, PFUNC_IntBreakpointCallback Callback)
Registers a break point event callback.
enum _IG_GUEST_POWER_STATE IG_GUEST_POWER_STATE
The guest power state.
INTSTATUS(* PFUNC_IntQueryGuestInfo)(void *GuestHandle, DWORD InfoClass, void *InfoParam, void *Buffer, DWORD BufferLength)
API exposed by the integrator that allows introcore to obtain various information about the guest...
INTSTATUS(* PFUNC_IntRegisterIntroCallHandler)(void *GuestHandle, PFUNC_IntIntroCallCallback Callback)
Registers a VMCALL exit handler.
DWORD Version
The version of the interface. Must match GLUE_IFACE_VERSION_1.
PFUNC_IntFlushGpaCache FlushGpaCache
PFUNC_IntCreateEPT CreateEPT
PFUNC_IntGetEPTPageConvertible GetEPTPageConvertible
Exposes the types and constants used by various Introcore APIs defined in glueiface.h.
Holds segment register state.
INTSTATUS(* PFUNC_IntUpdateSupport)(void *GuestHandle, PBYTE Buffer, DWORD Length)
Loads a new CAMI version.
The remediation tool agent.
INTSTATUS(* PFUNC_IntGetSupportVersion)(void *GuestHandle, DWORD *MajorVersion, DWORD *MinorVersion, DWORD *BuildNumber)
Get the current version of CAMI.
PFUNC_IntDestroyEPT DestroyEPT
INTSTATUS(* PFUNC_IntEPTViolationCallback)(void *GuestHandle, QWORD PhysicalAddress, DWORD Length, QWORD VirtualAddress, DWORD CpuNumber, INTRO_ACTION *Action, IG_EPT_ACCESS Type)
struct _IG_QUERY_MSR * PIG_QUERY_MSR
PFUNC_IntAddRemoveProtectedProcessUtf16 AddRemoveProtectedProcessUtf16
Get the current privilege level for a VCPU. Buffer points to an IG_CS_RING enum.
struct _IG_SEG_REGS * PIG_SEG_REGS
PFUNC_IntPhysMemMapToHost PhysMemMapToHost
PFUNC_IntFlushAlertExceptions FlushAlertExceptions
Shows informational logs and logs with a higher level.
INTSTATUS(* PFUNC_IntGetVersionString)(DWORD FullStringSize, DWORD VersionStringSize, CHAR *FullString, CHAR *VersionString)
Get the version string information for the current guest.
int INTSTATUS
The status data type.
INTSTATUS(* PFUNC_IntGetCurrentInstructionMnemonic)(void *GuestHandle, DWORD CpuNumber, CHAR *Mnemonic)
Returns the mnemonic of the instruction at which the current guest RIP points.
INTSTATUS(* PFUNC_IntSetSPPPageProtection)(void *GuestHandle, QWORD Address, QWORD SppValue)
Set the SPP protection rights for a guest physical address. This API is optional. ...
_IG_LOG_LEVEL
Controls the verbosity of the logs.
Shows only critical logs.
INTSTATUS(* PFUNC_IntGetEPTPageProtection)(void *GuestHandle, DWORD EptIndex, QWORD Address, BYTE *Read, BYTE *Write, BYTE *Execute)
Returns the EPT access rights for a guest physical page.
PFUNC_IntRegisterMSRHandler RegisterMSRHandler
INTSTATUS(* PFUNC_IntPhysMemMapToHost)(void *GuestHandle, QWORD PhysAddress, DWORD Length, DWORD Flags, void **HostPtr)
Maps a guest physical address to the host virtual space.
INTSTATUS(* PFUNC_IntFlushGpaCache)(void *GuestHandle)
Flushes the introcore GPA cache.
INTSTATUS(* PFUNC_IntMSRViolationCallback)(void *GuestHandle, DWORD Msr, IG_MSR_HOOK_TYPE Flags, INTRO_ACTION *Action, QWORD OriginalValue, QWORD *NewValue, DWORD CpuNumber)
INTSTATUS(* PFUNC_IntGetPhysicalPageTypeFromMtrrs)(void *GuestHandle, QWORD Gpa, IG_MEMTYPE *MemType)
Returns the memory type of a guest physical page, as taken from the MTRRs.
IG_CS_RING
The current protection level.
INTSTATUS(* PFUNC_IntSetIntroEmulatorContext)(void *GuestHandle, DWORD CpuNumber, QWORD VirtualAddress, DWORD BufferSize, PBYTE Buffer)
Sets the memory contents with which an instruction will be emulated by the hypervisor.
Interface used for communicating between the introspection engine and the integrator.
PFUNC_IntUnregisterEPTHandler UnregisterEPTHandler
INTSTATUS(* PFUNC_IntFlushAlertExceptions)(void *GuestHandle)
Removes all the custom exceptions added with GLUE_IFACE.AddExceptionFromAlert.
PFUNC_IntAddExceptionFromAlert AddExceptionFromAlert
PFUNC_IntInjectFileAgent InjectFileAgent
PFUNC_IntDisableCrWriteExit DisableCrWriteExit
INTSTATUS(* PFUNC_IntIntroDescriptorTableCallback)(void *GuestHandle, DWORD Flags, DWORD CpuNumber, INTRO_ACTION *Action)
PFUNC_IntRegisterBreakpointHandler RegisterBreakpointHandler
INTSTATUS(* PFUNC_IntUnregisterBreakpointHandler)(void *GuestHandle)
Unregisters the current break point event callback, unsubscribing introcore from BP events...
PFUNC_IntNotifyGuestPowerStateChange NotifyGuestPowerStateChange
INTSTATUS(* PFUNC_IntGetCurrentInstructionLength)(void *GuestHandle, DWORD CpuNumber, BYTE *Length)
Returns the length of the instruction at which the current guest RIP points.
PFUNC_IntSetEPTPageConvertible SetEPTPageConvertible
INTSTATUS(* PFUNC_IntUninit)(void)
INTSTATUS(* PFUNC_IntBreakpointCallback)(void *GuestHandle, QWORD PhysicalAddress, DWORD CpuNumber)
IG_CS_TYPE
The type of the code segment.
Defines an interface that exposes various services to the introspection engine.
BOOLEAN(* PFUNC_IntCheckCompatibility)(DWORD IntegratorMajor, DWORD IntegratorMinor, DWORD IntegratorRevision, DWORD IntegratorBuild, DWORD *IntroMajor, DWORD *IntroMinor, DWORD *IntroRevision, DWORD *IntroBuild, DWORD Reserved)
PFUNC_IntGetSupportVersion GetSupportVersion
Get the number of VCPUs available to the guest.
INTSTATUS(* PFUNC_IntRegisterEnginesResultCallback)(void *GuestHandle, PFUNC_IntEventEnginesResultCallback Callback)
Registers a third party scan result callback. This API is optional.
INTSTATUS(* PFUNC_IntDestroyEPT)(void *GuestHandle, DWORD EptIndex)
Destroys an EPT.
struct _IG_ARCH_REGS * PIG_ARCH_REGS
Shows warning logs and logs with a higher level.
PFUNC_IntSetIntroEmulatorContext SetIntroEmulatorContext
INTSTATUS(* PFUNC_IntRegisterXcrWriteHandler)(void *GuestHandle, PFUNC_IntXcrWriteCallback Callback)
Registers an extended control register write callback.
PFUNC_IntNotifyIntroAlert NotifyIntrospectionAlert
INTSTATUS(* PFUNC_IntNotifyGuestPowerStateChange)(void *GuestHandle, IG_GUEST_POWER_STATE PowerState)
Notifies introcore about a guest power state change.
INTSTATUS(* PFUNC_IntRemoveException)(void *GuestHandle, QWORD Context)
Removes a custom exception added with GLUE_IFACE.AddExceptionFromAlert.
The guest is shutting down by force.
The guest is resuming from hibernate or sleep.
INTSTATUS(* PFUNC_IntRemoveAllProtectedProcesses)(void *GuestHandle)
Removes the protection policies for all processes.
The process killer agent.
PFUNC_IntNotifyIntrospectionErrorState NotifyIntrospectionErrorState
PFUNC_IntSetVeInfoPage SetVeInfoPage
PFUNC_IntEnableMsrExit EnableMSRExit
INTSTATUS(* PFUNC_IntEnableMsrExit)(void *GuestHandle, DWORD Msr, BOOLEAN *OldValue)
Enables VMEXIT events for a MSR.
INTSTATUS(* PFUNC_IntDisableCrWriteExit)(void *GuestHandle, DWORD Cr)
Disable VMEXIT events for a control register.
INTSTATUS(* PFUNC_IntInjectFileAgent)(void *GuestHandle, PBYTE FileContent, DWORD FileSize, const CHAR *Name)
Drops a file on the guest hard disk.
PFUNC_IntRegisterDescriptorTableHandler RegisterDtrHandler
INTSTATUS(* PFUNC_IntReleaseBuffer)(void *GuestHandle, void *Buffer, DWORD Size)
Frees all the resources associated with the given buffer.
INTSTATUS(* PFUNC_IntEventInjectionCallback)(void *GuestHandle, DWORD Vector, QWORD ErrorCode, QWORD Cr2, DWORD CpuNumber)
PFUNC_IntRegisterIntroCallHandler RegisterIntroCallHandler
The context of an error state.
Get the guest XSAVE area for a VCPU.
INTSTATUS(* PFUNC_IntGetEPTPageConvertible)(void *GuestHandle, DWORD EptIndex, QWORD Address, BOOLEAN *Convertible)
Get the convertible status of a guest physical page.
PFUNC_IntRegisterEnginesResultCallback RegisterEnginesResultCallback
PFUNC_IntRemoveException RemoveException
PFUNC_IntSetEPTPageProtection SetEPTPageProtection
INTSTATUS(* PFUNC_IntSetVeInfoPage)(void *GuestHandle, DWORD CpuNumber, QWORD VeInfoGpa)
Set the Virtualization exception info page.
INTSTATUS(* PFUNC_IntGetExceptionsVersion)(void *GuestHandle, WORD *Major, WORD *Minor, DWORD *BuildNumber)
Get the current exceptions version.
PFUNC_IntInjectProcessAgent InjectProcessAgent
PFUNC_IntGpaToHpa GpaToHpa
INTSTATUS(* PFUNC_IntPhysMemUnmap)(void *GuestHandle, void **HostPtr)
Frees any resources allocated by a GLUE_IFACE.PhysMemMapToHost call.
PFUNC_IntToggleRepOptimization ToggleRepOptimization
INTSTATUS(* PFUNC_IntFlushEPTPermissions)(void *GuestHandle)
Flushes the EPT access permissions. Once this function returns, the caller can be assured that all mo...
INTSTATUS(* PFUNC_IntSetEPTPageProtection)(void *GuestHandle, DWORD EptIndex, QWORD Address, BYTE Read, BYTE Write, BYTE Execute)
Sets the EPT access rights for a guest physical page.
PFUNC_IntGetCurrentIntroOptions GetCurrentIntroOptions
INTSTATUS(* PFUNC_IntRegisterVmxTimerHandler)(void *GuestHandle, PFUNC_IntIntroTimerCallback Callback)
Registers a timer callback.
Shows error logs and logs with a higher level.
INTSTATUS(* PFUNC_IntInjectTrap)(void *GuestHandle, DWORD CpuNumber, BYTE TrapNumber, DWORD ErrorCode, QWORD Cr2)
Injects an exception inside the guest.
INTSTATUS(* PFUNC_IntAddRemoveProtectedProcessUtf8)(void *GuestHandle, const CHAR *FullPath, DWORD ProtectionMask, BOOLEAN Add, QWORD Context)
Toggles protection for a process.
PFUNC_IntUpdateExceptions UpdateExceptions
PFUNC_IntRegisterEventInjectionHandler RegisterEventInjectionHandler
DWORD Size
The size of the interface. Must match GLUE_IFACE_VERSION_1_SIZE.
INTSTATUS(* PFUNC_IntAddExceptionFromAlert)(void *GuestHandle, const void *Event, INTRO_EVENT_TYPE Type, BOOLEAN Exception, QWORD Context)
Adds an exception for an alert reported by introcore.
INTSTATUS(* PFUNC_IntRegisterDescriptorTableHandler)(void *GuestHandle, PFUNC_IntIntroDescriptorTableCallback Callback)
Registers a descriptor table access callback.
PFUNC_IntSwitchEPT SwitchEPT
INTSTATUS(* PFUNC_IntSetEPTPageConvertible)(void *GuestHandle, DWORD EptIndex, QWORD Address, BOOLEAN Convertible)
Set the convertible status of a guest physical page.
PFUNC_IntFlushEPTPermissions FlushEPTPermissions
INTSTATUS(* PFUNC_IntRegisterEventInjectionHandler)(void *GuestHandle, PFUNC_IntEventInjectionCallback Callback)
Registers an event injection callback.
DWORD MsrId
The ID of the MSR, as defined by Intel.
Get the current VCPU number.
struct _IG_QUERY_MSR IG_QUERY_MSR
The MSR query structure.
INTSTATUS(* PFUNC_IntInjectProcessAgent)(void *GuestHandle, DWORD AgentTag, PBYTE AgentContent, DWORD AgentSize, const CHAR *Name, const CHAR *Args)
Requests a process agent injection inside the guest.
PFUNC_IntSetSPPPageProtection SetSPPPageProtection
Dummy agent used to demo the feature.
INTSTATUS(* PFUNC_IntReserveVaSpaceWithPt)(void *GuestHandle, void **FirstPageBase, DWORD *PagesCount, void **PtBase)
Reserves a dedicated memory region inside the hypervisor page tables. This API is optional...
struct _GLUE_IFACE * PGLUE_IFACE
INTSTATUS(* PFUNC_IntEventEnginesResultCallback)(void *GuestHandle, PENG_NOTIFICATION_HEADER EngineNotification)
PFUNC_IntDebugProcessCommand DebugProcessCommand
INTSTATUS(* PFUNC_IntSetIntroAbortStatus)(void *GuestHandle, BOOLEAN Abort)
Abort the introcore loading process.
#define _Outptr_result_bytebuffer_(expr)
INTSTATUS(* PFUNC_IntRequestVcpusPause)(void *GuestHandle)
Pauses all the VCPUs assigned to a guest.
INTSTATUS(* PFUNC_IntUpdateExceptions)(void *GuestHandle, PBYTE Buffer, DWORD Length, DWORD Flags)
Loads a new exceptions version.
PFUNC_IntDisableMsrExit DisableMSRExit
The guest is entering sleep.
PFUNC_IntAddRemoveProtectedProcessUtf8 AddRemoveProtectedProcessUtf8
INTSTATUS(* PFUNC_IntNotifyIntrospectionDeactivated)(void *GuestHandle)
Notifies the integrator that the introspection engine is no longer active.
PFUNC_IntNotifyEngines NotifyScanEngines
PFUNC_IntReserveVaSpaceWithPt ReserveVaSpaceWithPt
INTSTATUS(* PFUNC_IntInit)(PGLUE_IFACE GlueInterface, PUPPER_IFACE UpperInterface)
INTSTATUS(* PFUNC_IntUnregisterMSRHandler)(void *GuestHandle)
Unregisters the current MSR exit callback, unsubscribing introcore from MSR violation events...
struct _IG_ARCH_REGS IG_ARCH_REGS
Holds register state.
PFUNC_IntModifyDynamicOptions ModifyDynamicOptions
INTSTATUS(* PFUNC_IntUnregisterIntroCallHandler)(void *GuestHandle)
Unregisters the current VMCALL exit callback, unsubscribing introcore from VMCALL events...
INTSTATUS(* PFUNC_IntAddRemoveProtectedProcessUtf16)(void *GuestHandle, const WCHAR *FullPath, DWORD ProtectionMask, BOOLEAN Add, QWORD Context)
Toggles protection for a process.
PFUNC_IntUnregisterCrWriteHandler UnregisterCrWriteHandler
PFUNC_IntUnregisterEventInjectionHandler UnregisterEventInjectionHandler
INTSTATUS(* PFUNC_IntIntroCallCallback)(void *GuestHandle, QWORD Rip, DWORD Cpu)
INTSTATUS(* PFUNC_IntNotifyIntrospectionActivated)(void *GuestHandle)
Notifies the integrator that the introspection engine is active.
PFUNC_IntUpdateSupport UpdateSupport
IG_MSR_HOOK_TYPE
The type of the MSR access.
Get the segment registers for the current VCPU. Buffer points to an IG_SEG_REGS structure.
PFUNC_IntGetCurrentInstructionLength GetCurrentInstructionLength
enum _INTRO_ACTION INTRO_ACTION
Event actions.
#define _In_reads_bytes_(expr)
PFUNC_IntIterateVaSpace IterateVirtualAddressSpace
INTSTATUS(* PFUNC_IntIterateVaSpace)(void *GuestHandle, QWORD Cr3, PFUNC_VirtualAddressSpaceCallback Callback)
Iterates over the guest virtual address space.
INTSTATUS(* PFUNC_IntCreateEPT)(void *GuestHandle, DWORD *EptIndex)
Creates a new EPT.
PFUNC_IntGetSPPPageProtection GetSPPPageProtection
No access type. This can be used for swap hooks.
INTSTATUS(* PFUNC_IntCrWriteCallback)(void *GuestHandle, DWORD Cr, DWORD CpuNumber, QWORD OldValue, QWORD NewValue, INTRO_ACTION *Action)
The remediation tool agent.
Get the availability of the VMFUNC feature in hardware and the hypervisor.
IG_AGENT_TAG
Deployable agent tags.
_IG_EPT_HOOK_TYPE
EPT violation types.
PFUNC_IntGetGuestInfo GetGuestInfo
INTSTATUS(* PFUNC_IntUnregisterEventInjectionHandler)(void *GuestHandle)
Unregisters the current event injection callback.
INTSTATUS(* PFUNC_IntUnregisterCrWriteHandler)(void *GuestHandle)
Unregisters the current control register write callback, unsubscribing introcore from CR events...
PFUNC_IntQueryGuestInfo QueryGuestInfo
INTSTATUS(* PFUNC_IntGpaToHpa)(void *GuestHandle, QWORD Gpa, QWORD *Hpa)
Translates a guest physical address to a host physical address.
INTSTATUS(* PFUNC_IntSetLogLevel)(void *GuestHandle, IG_LOG_LEVEL LogLevel)
Sets the log level.
PFUNC_IntDisableIntro DisableIntro
INTSTATUS(* PFUNC_IntIntroTimerCallback)(void *GuestHandle)
INTSTATUS(* PFUNC_IntToggleRepOptimization)(void *GuestHandle, BOOLEAN Enable)
Enables or disables the REP optimization.
Set the guest XSAVE area for a VCPU. This query is optional.
struct _GLUE_IFACE GLUE_IFACE
Interface used for communicating between the introspection engine and the integrator.
Similar to IG_QUERY_INFO_CLASS_REGISTER_STATE, but will get only the general purpose registers...
enum _IG_DESC_ACCESS IG_DESC_ACCESS
Descriptor table access flags.
INTSTATUS(* PFUNC_IntRequestVcpusResume)(void *GuestHandle)
Resumes all the VCPUs assigned to a guest that were previously paused with a GLUE_IFACE.PauseVcpus call.
INTRO_ERROR_STATE
Error states.
#define _When_(expr, arg)
enum _IG_LOG_LEVEL IG_LOG_LEVEL
Controls the verbosity of the logs.
PFUNC_IntUnregisterMSRHandler UnregisterMSRHandler
Get the size of the guest XSAVE area for a VCPU.
The page table filtering agent.
PFUNC_IntGetVersionString GetVersionString
INTSTATUS(* PFUNC_IntDebugProcessCommand)(void *GuestHandle, DWORD CpuNumber, DWORD Argc, CHAR *Argv[])
Executes a debugger command.
INTSTATUS(* PFUNC_IntRegisterCrWriteHandler)(void *GuestHandle, PFUNC_IntCrWriteCallback Callback)
Registers a control register write callback.
PFUNC_IntUnregisterEnginesResultCalback UnregisterEnginesResultCalback
Get the guest register state for a VCPU. Buffer points to an IG_ARCH_REGS structure.
PFUNC_IntNotifyIntrospectionDeactivated NotifyIntrospectionDeactivated
INTSTATUS(* PFUNC_IntUnregisterVmxTimerHandler)(void *GuestHandle)
Unregisters the current timer callback, unsubscribing introcore from timer events.
struct _IG_SEG_REGS IG_SEG_REGS
Holds segment register state.
INTSTATUS(* PFUNC_IntGetAgentContent)(void *GuestHandle, DWORD AgentTag, BOOLEAN Is64, DWORD *Size, PBYTE *Content)
Gets the content of the agent file. This API is optional.
PFUNC_IntUnregisterXcrWriteHandler UnregisterXcrWriteHandler
PFUNC_IntEnableCrWriteExit EnableCrWriteExit
INTSTATUS(* PFUNC_IntSwitchEPT)(void *GuestHandle, DWORD NewEptIndex)
Switches the currently loaded EPT.
Get the value of the IDT base for a VCPU.
PFUNC_IntRegisterCrWriteHandler RegisterCrWriteHandler
The virtualization exception driver.
The guest is shutting down.
INTSTATUS(* PFUNC_IntUnregisterDescriptorTableHandler)(void *GuestHandle)
Unregisters the current descriptor table access callback, unsubscribing introcore from DTR events...
IG_MEMTYPE
Memory type values.
PFUNC_IntNotifyIntrospectionActivated NotifyIntrospectionActivated
The Virtualization exception driver.
enum _INTRO_EVENT_TYPE INTRO_EVENT_TYPE
Event classes.
Get the availability of the SPP feature in hardware and the hypervisor.
INTSTATUS(* PFUNC_IntEnableCrWriteExit)(void *GuestHandle, DWORD Cr)
Enables VMEXIT events for a control register.
INTSTATUS(* PFUNC_IntDisableIntro)(void *GuestHandle, QWORD Flags)
Disables the introspection engine.
Get the availability of the Virtualization Exception feature in hardware and the hypervisor.
Get the value of a MSR for a VCPU. Buffer points to an IG_QUERY_MSR structure.
struct _IG_XSAVE_AREA * PIG_XSAVE_AREA
The process killer agent.
PFUNC_IntSetIntroAbortStatus SetIntroAbortStatus
PFUNC_IntGetPhysicalPageTypeFromMtrrs PhysMemGetTypeFromMtrrs
INTSTATUS(* PFUNC_IntNotifyEngines)(void *GuestHandle, void *Parameters)
If implemented, introcore can use this API to signal that an additional memory scan can be done.
PFUNC_IntSetLogLevel SetLogLevel
Get the current EPTP index for the current VCPU.
Get the value of the IDT base for a VCPU.
enum _IG_EPT_HOOK_TYPE IG_EPT_HOOK_TYPE
EPT violation types.
PFUNC_IntRegisterEPTHandler RegisterEPTHandler
INTSTATUS(* PFUNC_IntUnregisterEnginesResultCalback)(void *GuestHandle)
Unregisters the current third party scan result callback.
INTSTATUS(* PFUNC_IntNotifyNewGuest)(void *GuestHandle, QWORD Options, PBYTE UpdateBuffer, DWORD BufferLength)
Notifies introcore that the guest must be introspected.
The page table filtering agent.
The Linux version of the remediation tool.
PFUNC_IntRequestVcpusPause PauseVcpus
INTSTATUS(* PFUNC_IntRegisterEPTHandler)(void *GuestHandle, PFUNC_IntEPTViolationCallback Callback)
Registers an EPT exit callback.
INTSTATUS(* PFUNC_IntXcrWriteCallback)(void *GuestHandle, DWORD CpuNumber, INTRO_ACTION *Action)
Notification header for scan engines alerts.
_IG_GUEST_POWER_STATE
The guest power state.
PFUNC_IntReleaseBuffer ReleaseBuffer
Get the code segment type for a VCPU. Buffer points to an IG_CS_TYPE enum.
INTSTATUS(* PFUNC_IntUnregisterEPTHandler)(void *GuestHandle)
Unregisters the current EPT exit callback, unsubscribing introcore from EPT violation events...
INTSTATUS(* PFUNC_IntNotifyIntrospectionDetectedOs)(void *GuestHandle, PGUEST_INFO GuestInfo)
Notifies the integrator that the introspection engine detected an operating system.
INTSTATUS(* PFUNC_IntDisableMsrExit)(void *GuestHandle, DWORD Msr, BOOLEAN *OldValue)
Disable VMEXIT events for a MSR.