- Generated by
1.8.13
|
Bitdefender Hypervisor Memory Introspection
|
#include "guests.h"#include "callbacks.h"#include "cr_protection.h"#include "decoder.h"#include "dtr_protection.h"#include "exceptions.h"#include "gpacache.h"#include "hook.h"#include "hook_cr.h"#include "hook_dtr.h"#include "hook_msr.h"#include "hook_xcr.h"#include "icache.h"#include "lixapi.h"#include "lixidt.h"#include "lixkernel.h"#include "lixvdso.h"#include "memcloak.h"#include "memtables.h"#include "msr_protection.h"#include "ptfilter.h"#include "slack.h"#include "swapgs.h"#include "swapmem.h"#include "unpacker.h"#include "vasmonitor.h"#include "vecore.h"#include "visibility.h"#include "winapi.h"#include "winhal.h"#include "winidt.h"#include "wininfinityhook.h"#include "winobj.h"#include "winpfn.h"#include "winselfmap.h"#include "wintoken.h"#include "winsud.h"#include "winintobj.h"Go to the source code of this file.
Macros | |
| #define | SYSCALL_SIG_FLAG_KPTI 0x80000000 |
| Indicates that a syscall pattern belongs to a KPTI enabled OS. More... | |
| #define | MAX_INIT_RETRIES 32 |
Functions | |
| void | IntGuestSetIntroErrorState (INTRO_ERROR_STATE State, INTRO_ERROR_CONTEXT *Context) |
| Updates the value of the gErrorState and the value of the gErrorStateContext. More... | |
| INTRO_ERROR_STATE | IntGuestGetIntroErrorState (void) |
| Gets the last reported error-state. More... | |
| INTRO_ERROR_CONTEXT * | IntGuestGetIntroErrorStateContext (void) |
| Gets the last reported error-context appropriate to the error-state. More... | |
| BOOLEAN | IntGuestShouldNotifyErrorState (void) |
| Checks if an event should be sent to the integrator. More... | |
| static void | IntGuestIsKptiActive (BYTE *SyscallBuffer, DWORD Size, BOOLEAN *IsKptiActive) |
| Checks if the Syscall handler is specific to a System with KPTI enabled. More... | |
| static INTSTATUS | IntGuestDetectOsSysCall (QWORD SyscallHandler, INTRO_GUEST_TYPE *OsType, BOOLEAN *KptiInstalled, BOOLEAN *KptiActive) |
| Checks if any of the predefined syscall signatures match to the given syscall handler. More... | |
| static INTSTATUS | IntGuestDetectOs (INTRO_GUEST_TYPE *OsType, BOOLEAN *KptiInstalled, BOOLEAN *KptiActive) |
| Detect the type of the currently running guest kernel. More... | |
| INTSTATUS | IntGuestGetInfo (PGUEST_INFO GuestInfo) |
| Get basic information about the guest. More... | |
| static PAGING_MODE | IntGuestGetPagingMode (QWORD Efer, QWORD Cr4, QWORD Cr0) |
| Get the paging mode used by the guest on the current VCPU. More... | |
| static INTSTATUS | IntGuestInitMemoryInfo (void) |
| Initializes gGuest.Mm. More... | |
| static INTSTATUS | IntGuestHandleCr3Write (void *Context, DWORD Cr, QWORD OldValue, QWORD NewValue, INTRO_ACTION *Action) |
| Handles Cr3 writes done by the guest. This is used to initialize the introspection engine. More... | |
| INTSTATUS | IntGuestInit (QWORD Options) |
| Initialize the given guest state. More... | |
| void | IntGuestPrepareUninit (void) |
| Prepares introcore to be unloaded. More... | |
| void | IntGuestUninit (void) |
| Completely unloads the introspection engine. More... | |
| static BOOLEAN | IntGuestIsSafeToDisable (void) |
| Checks if it is safe to unload. More... | |
| INTSTATUS | IntGuestDisableIntro (QWORD Flags) |
| Disables and unloads the introspection engine. More... | |
| INTSTATUS | IntGuestPreReturnCallback (DWORD Options) |
| Handles all the operations that must be done before returning from a VMEXIT event handler. More... | |
| void | IntGuestUpdateShemuOptions (QWORD NewOptions) |
| Update shemu options. More... | |
| void | IntGuestUpdateCoreOptions (QWORD NewOptions) |
| Updates Introcore options. More... | |
| INTSTATUS | IntGuestGetLastGpa (QWORD *MaxGpa) |
| Get the upper limit of the guest physical memory range. More... | |
Variables | |
| GUEST_STATE | gGuest = {0} |
| The current guest state. More... | |
| VCPU_STATE * | gVcpu = NULL |
| The state of the current VCPU. More... | |
| static DWORD | gInitRetryCount = 0 |
| The number of times initialization was tried. More... | |
| static INTRO_ERROR_STATE | gErrorState |
| The last error reported. More... | |
| static INTRO_ERROR_CONTEXT * | gErrorStateContext |
| The last error-context reported. More... | |
| PATTERN_SIGNATURE * | gSysenterSignatures |
| The syscall and sysenter signatures used to identify an OS. More... | |
| DWORD | gSysenterSignaturesCount |
| The number of entries in the gSysenterSignatures array. More... | |
| static HOOK_CR * | gCr3WriteHook = NULL |
| The Cr2 write hook handle used for initialization. More... | |
| #define MAX_INIT_RETRIES 32 |
Referenced by IntGuestHandleCr3Write().
| #define SYSCALL_SIG_FLAG_KPTI 0x80000000 |
Indicates that a syscall pattern belongs to a KPTI enabled OS.
Definition at line 71 of file guests.c.
Referenced by IntGuestDetectOsSysCall().
|
static |
Detect the type of the currently running guest kernel.
| [out] | OsType | On success, the type of the operating system |
| [out] | KptiInstalled | On success, True if the kernel has KPTI patches installed |
| [out] | KptiActive | On success, True if KPTI mitigations are active |
| INT_STATUS_SUCCESS | in case of success |
| INT_STATUS_NOT_FOUND | if the OS type was not detected |
Definition at line 282 of file guests.c.
Referenced by IntGuestHandleCr3Write().
|
static |
Checks if any of the predefined syscall signatures match to the given syscall handler.
| [in] | SyscallHandler | The address of the syscall handler |
| [out] | OsType | On success, the type of the detected operating system |
| [out] | KptiInstalled | On success, True if the kernel has KPTI patches installed |
| [out] | KptiActive | On success, True if KPTI mitigations are active |
| INT_STATUS_SUCCESS | in case of success |
| INT_STATUS_NOT_FOUND | if no signature matched |
Definition at line 195 of file guests.c.
Referenced by IntGuestDetectOs().
Disables and unloads the introspection engine.
This will deactivate every Introcore subsystem and remove any hooks placed by Introcore. This is done with all the VCPUs paused.
| [in] | Flags | Flags controlling the disable operation. Can be 0 or IG_DISABLE_IGNORE_SAFENESS. If IG_DISABLE_IGNORE_SAFENESS is used, Introcore will forcibly unload even it is not safe to do that at the moment. This may leave the guest in an unstable state. |
| INT_STATUS_SUCCESS | in case of success. |
| INT_STATUS_CANNOT_UNLOAD | if Introcore can not unload. |
Definition at line 1203 of file guests.c.
Referenced by IntDisableIntro(), IntHandleBreakpoint(), IntHandleCrWrite(), IntHandleDtrViolation(), IntHandleEptViolation(), IntHandleIntroCall(), IntHandleMsrViolation(), and IntHandleXcrWrite().
| INTSTATUS IntGuestGetInfo | ( | PGUEST_INFO | GuestInfo | ) |
Get basic information about the guest.
| [out] | GuestInfo | On success, will hold information about the guest |
| INT_STATUS_SUCCESS | in case of success |
| INT_STATUS_INVALID_PARAMETER_1 | if GuestInfo is NULL |
| INT_STATUS_NOT_INITIALIZED | if the type of the guest is not yet known |
Definition at line 350 of file guests.c.
Referenced by IntGetGuestInfo().
| INTRO_ERROR_STATE IntGuestGetIntroErrorState | ( | void | ) |
Gets the last reported error-state.
| Returns | the type of the last reported error (INTRO_ERROR_STATE). |
Definition at line 107 of file guests.c.
Referenced by IntGuestDisableIntro().
| INTRO_ERROR_CONTEXT* IntGuestGetIntroErrorStateContext | ( | void | ) |
Gets the last reported error-context appropriate to the error-state.
| Returns | the last reported error-context (INTRO_ERROR_CONTEXT). |
Definition at line 121 of file guests.c.
Referenced by IntGuestDisableIntro().
Get the upper limit of the guest physical memory range.
This value is cached inside the GUEST_STATE and subsequent calls will return the cached value.
| [out] | MaxGpa | On success, the upper limit of the guest physical memory range. This is the first page after the last one that the guest can access, meaning that the available physical address range is [0, MaxGpa - 1] (inclusive). Note that gaps may be present inside this range. |
| INT_STATUS_SUCCESS | in case of success. |
Definition at line 1735 of file guests.c.
Referenced by IntVeInit().
|
static |
Get the paging mode used by the guest on the current VCPU.
| [in] | Efer | The value of the IA 32 EFER MSR. If 0, it will be read from the current VCPU. |
| [in] | Cr4 | The value of the Cr4 register. If 0, it will be read from the current VCPU. |
| [in] | Cr0 | The value of the Cr0 register. If 0, it will be read from the current VCPU. |
Definition at line 405 of file guests.c.
Referenced by IntGuestInitMemoryInfo().
|
static |
Handles Cr3 writes done by the guest. This is used to initialize the introspection engine.
In order to properly initialize the introspection engine, we need to start the process when the guest is executing kernel code. There are multiple possible choices (for example, when the syscall MSR is written), but some of them split the initialization flow in two big cases: either we catch the OS during a fresh boot, in which case a lot of things become a lot easier; or, the OS may already be running, in which case some events will never trigger (for example, the syscall MSR is not re-written by the OS once it booted). Writes to the Cr3 register are done pretty frequently by the OS, so they are a good candidate for this. Since keeping the Cr3 exits active once Introcore is properly loaded will lead to huge performance issues, once we have enough information about the guest, this hook is removed and Cr3 exits are deactivated. This hook is set by IntGuestInit, using gCr3WriteHook as the hook handle. Since we may need multiple tries in order to be able to obtain all the needed information, this function will retry it multiple times using gInitRetryCount as a counter, for at maximum 32 times.
| [in] | Context | Ignored |
| [in] | Cr | Ignored. We know this is a Cr3 write |
| [in] | OldValue | The old, original Cr3 value |
| [in] | NewValue | The value written to the cr |
| [out] | Action | The action to be taken. This is always introGuestAllowed because we don't want to block such an event, we just want to collect some information about the guest |
| INT_STATUS_SUCCESS | in case of success |
| INT_STATUS_NOT_SUPPORTED | if the guest is using 5-level paging |
| INT_STATUS_GUEST_OS_NOT_SUPPORTED | is the type of the OS is not supported |
| INT_STATUS_LOAD_ABORTED | is loading was aborted by setting gAbortLoad |
Definition at line 513 of file guests.c.
Referenced by IntGuestInit().
Initialize the given guest state.
Any global, per guest initialization steps which do not depend on the guest type must be placed here. Initialization steps which do depend on the guest type or version is done later in IntWinGuestNew or IntLixGuestNew, where data about that guest is available. This will initialize the hooking subsystem and will query basic guest information and hypervisor feature availability. In order to properly initialize the guest, a Cr3 write hook is placed. Initialization will be done on its handler: IntGuestHandleCr3Write.
| [in] | Options | Options to be used. See Activation and protection flags. |
| INT_STATUS_SUCCESS | in case of success. This means that initialization has been successfully started, but it may still fail at further steps. The guest is not yet introspected. |
| INT_STATUS_INSUFFICIENT_RESOURCES | if not enough memory is available |
Definition at line 755 of file guests.c.
Referenced by IntNewGuestNotification().
|
static |
Initializes gGuest.Mm.
Definition at line 463 of file guests.c.
Referenced by IntGuestHandleCr3Write().
|
static |
Checks if the Syscall handler is specific to a System with KPTI enabled.
It searches for Cr3 switches in the signature of the syscall handler.
| [in] | SyscallBuffer | A buffer containing the code in the syscall handler |
| [in] | Size | The size of SyscallBuffer |
| [out] | IsKptiActive | True if KPTI is active, False if it is not |
Definition at line 149 of file guests.c.
Referenced by IntGuestDetectOsSysCall().
|
static |
Checks if it is safe to unload.
If no guest threads are executing or returning to code injected by introcore inside the guest, it is safe to unload the introspection engine now.
| True | if it is safe to unload |
| False | if it is not safe to unload |
Definition at line 1166 of file guests.c.
Referenced by IntGuestDisableIntro().
| void IntGuestPrepareUninit | ( | void | ) |
Prepares introcore to be unloaded.
Disables most subsystems (cancels pending agents, disables protections, etc), but does not yet modify the guest memory, so any hooks placed by Introcore will still be present. This allows us to more safely clean up the guest state. After this function exits, GUEST_STATE.UninitPrepared will be set to True. If the initialization Cr3 hook is still active, it will be disabled.
Definition at line 984 of file guests.c.
Referenced by IntGuestDisableIntro(), and IntNewGuestNotification().
Handles all the operations that must be done before returning from a VMEXIT event handler.
Certain operations can not be done while we are inside one of our own callbacks, so they are delegated here.
| [in] | Options | A combination of PRE_RET_OPTIONS values that control the operations done |
| INT_STATUS_SUCCESS | always |
Definition at line 1280 of file guests.c.
Referenced by IntApiLeave(), IntHandleBreakpoint(), IntHandleCrWrite(), IntHandleDtrViolation(), IntHandleEptViolation(), IntHandleEventInjection(), IntHandleIntroCall(), IntHandleMsrViolation(), IntHandleTimer(), and IntHandleXcrWrite().
| void IntGuestSetIntroErrorState | ( | INTRO_ERROR_STATE | State, |
| INTRO_ERROR_CONTEXT * | Context | ||
| ) |
Updates the value of the gErrorState and the value of the gErrorStateContext.
| [in] | State | The type of the error. |
| [in] | Context | A context appropriate to the error. |
Definition at line 90 of file guests.c.
Referenced by IntGuestDetectOs(), IntGuestDisableIntro(), IntLixGuestInitAgentCompletion(), IntLixGuestNew(), IntWinApiHookAll(), IntWinGuestFindDriversNamespace(), IntWinGuestFinishInit(), IntWinGuestNew(), IntWinObjCheckDrvDirSearchState(), and IntWinObjHandleRootDirTagInMemory().
| BOOLEAN IntGuestShouldNotifyErrorState | ( | void | ) |
Checks if an event should be sent to the integrator.
| True | if the error-state event should be sent to the integrator. |
Definition at line 135 of file guests.c.
Referenced by IntGuestDisableIntro().
| void IntGuestUninit | ( | void | ) |
Completely unloads the introspection engine.
Any generic unload routine must be placed here. Guest specific unload steps must be placed in IntWinGuestUninit or IntLixGuestUninit. This function will call the guest-specific routines, then will disable every introcore subsystem and remove any code or data injected by introcore inside the guest (detours, agents, etc). After this function returns GUEST_STATE.VcpuArray, gWinGuest, and gLixGuest are no longer valid and the entire gGuest state is zeroed.
Definition at line 1036 of file guests.c.
Referenced by IntGuestDisableIntro(), IntGuestInit(), and IntNewGuestNotification().
| void IntGuestUpdateCoreOptions | ( | QWORD | NewOptions | ) |
Updates Introcore options.
This will set the gGuest.CoreOptions based on NewOptions and will enable or disable any protection or service that was toggled by the new options. These operations are done with the VCPUs paused.
| [in] | NewOptions | The new options to be used. See Activation and protection flags for valid values |
Definition at line 1426 of file guests.c.
Referenced by DbgSetCoreOptions(), IntCamiSetCoreOptions(), IntGuestPrepareUninit(), IntHandleTimer(), IntModifyDynamicOptions(), IntWinDrvForceDisableReadNtEat(), and IntWinPowHandleHibernateEvent().
| void IntGuestUpdateShemuOptions | ( | QWORD | NewOptions | ) |
Update shemu options.
This will set the gGuest.ShemuOptions based on NewOptions and will enable or disable any shemu feature that was toggled by the new options.
| [in] | NewOptions | The new options to be used. |
Definition at line 1397 of file guests.c.
Referenced by IntCamiSetShemuOptions().
|
static |
|
static |
The last error reported.
Definition at line 65 of file guests.c.
Referenced by IntGuestGetIntroErrorState(), IntGuestSetIntroErrorState(), and IntGuestShouldNotifyErrorState().
|
static |
The last error-context reported.
Definition at line 68 of file guests.c.
Referenced by IntGuestGetIntroErrorStateContext().
| GUEST_STATE gGuest = {0} |
The current guest state.
Since we always have only one guest and all events are serialized, it is safe to have this as a global variable, since no two threads will access it at the same time
Definition at line 50 of file guests.c.
Referenced by _IntLixTaskRead(), _IntLixTaskStartMap(), DbgCheckEpt(), DbgDumpCodeblocks(), DbgDumpCpuState(), DbgDumpExceptions(), DbgDumpGpaCache(), DbgDumpGuestModules(), DbgDumpPfn(), DbgDumpProcesses(), DbgDumpVadRoot(), DbgLogCoreOptions(), DbgLogKpcr(), DbgProcList(), DbgSetCoreOptions(), DbgVaSpaceIterationCallbackCount(), IntAbortEnableIntro(), IntAddExceptionFromAlert(), IntAddRemoveProtectedProcessUtf16(), IntAddRemoveProtectedProcessUtf8(), IntAgentActivatePendingAgent(), IntAgentDisablePendingAgents(), IntAgentEnableInjection(), IntAgentGetState(), IntAgentHandleInt3(), IntAgentHandleLogGatherVmcall(), IntAgentHandleRemediationVmcall(), IntAgentHandleVmcall(), IntAgentIsPtrInTrampoline(), IntAlertCoreGetFlags(), IntAlertCreateDtrException(), IntAlertCreateIdtSignature(), IntAlertCreateIntegrityException(), IntAlertDtrFill(), IntAlertEptFillFromVictimZone(), IntAlertFillCodeBlocks(), IntAlertFillConnection(), IntAlertFillDpiExtraInfo(), IntAlertFillVersionInfo(), IntAlertProcGetFlags(), IntApiEnter(), IntCamiLoadProtOptionsWin(), IntCamiLoadWindows(), IntCamiSetCoreOptions(), IntCamiSetProcProtOptions(), IntCamiSetShemuOptions(), IntCamiUpdateProcessProtectionInfo(), IntCamiUpdateProcessProtectionItems(), IntCr4HandleWrite(), IntCrSendAlert(), IntDbgCheckHooks(), IntDecDecodeInstructionAtRipWithCache(), IntDecEmulatePageWalk(), IntDecEmulatePTWrite(), IntDecEmulateRead(), IntDecGetSetSseRegValue(), IntDepInjectFile(), IntDepInjectProcess(), IntDepRunCommand(), IntDetCallCallback(), IntDetDisableDetour(), IntDetDumpDetours(), IntDetGetArgumentInternal(), IntDetGetArguments(), IntDetHandleWrite(), IntDetIsPtrInHandler(), IntDetPatchArgument(), IntDetPermanentlyDisableDetour(), IntDetRelocate(), IntDetSendIntegrityAlert(), IntDetSetHook(), IntDisableIntro(), IntDisasmBuffer(), IntDisasmGva(), IntDispatchVeAsEpt(), IntDriverDump(), IntDriverFindByAddress(), IntDriverFindByName(), IntDriverFindByPath(), IntDriverLoadHandler(), IntDriverUninit(), IntDriverUnloadHandler(), IntDtrHandleWrite(), IntDtrSendAlert(), IntEngFillExecDetails(), IntEnginesResultCallback(), IntExcept(), IntExceptAlertRemove(), IntExceptDumpSignatures(), IntExceptGetOriginatorFromModification(), IntExceptGetVictimDtr(), IntExceptGetVictimEpt(), IntExceptGetVictimIntegrity(), IntExceptGetVictimMsr(), IntExceptGetVictimProcess(), IntExceptGetVictimProcessCreation(), IntExceptInit(), IntExceptKernel(), IntExceptKernelGetOriginator(), IntExceptKernelLogInformation(), IntExceptKernelLogLinuxInformation(), IntExceptKernelLogWindowsInformation(), IntExceptKernelMatchVictim(), IntExceptKernelUser(), IntExceptKernelUserLogInformation(), IntExceptKernelUserLogWindowsInformation(), IntExceptKernelUserMatchArch(), IntExceptKernelUserMatchProcessHash(), IntExceptKernelUserMatchVictim(), IntExceptLixGetVictimDriver(), IntExceptLixKernelGetOriginator(), IntExceptMatchException(), IntExceptPrintDrvObjInfo(), IntExceptPrintIdtInfo(), IntExceptPrintMsrInfo(), IntExceptPrintWinKmModInfo(), IntExceptPrintWinModInfo(), IntExceptPrintWinProcInfo(), IntExceptRemove(), IntExceptUninit(), IntExceptUser(), IntExceptUserGetExecOriginator(), IntExceptUserGetOriginator(), IntExceptUserLogInformation(), IntExceptUserLogWindowsInformation(), IntExceptUserMatchArchitecture(), IntExceptUserMatchChild(), IntExceptUserMatchProcessGlob(), IntExceptUserMatchProcessHash(), IntExceptUserMatchSystemProcess(), IntExceptUserVerifyExtra(), IntExceptUserVerifyExtraGlobMatch(), IntExceptVerifyCodeBlocksSig(), IntExceptVerifyExportSig(), IntExceptVerifyIdtSignature(), IntExceptVerifyProcessCreationSignature(), IntExceptVerifyValueCodeSig(), IntExceptVerifyValueSig(), IntExceptVerifyVersionIntroSignature(), IntExceptVerifyVersionOsSignature(), IntExceptWinGetVictimDriver(), IntExceptWinKernelGetOriginator(), IntFlushAlertExceptions(), IntFlushGpaCache(), IntGdtrProtect(), IntGetCurrentInstructionLength(), IntGetCurrentInstructionMnemonic(), IntGetCurrentIntroOptions(), IntGetExceptionsVersion(), IntGetGprs(), IntGetGuestInfo(), IntGetSupportVersion(), IntGetVersionString(), IntGuestUninitOnBugcheck(), IntHandleBreakpoint(), IntHandleCrWrite(), IntHandleDtrViolation(), IntHandleEptViolation(), IntHandleEventInjection(), IntHandleIntroCall(), IntHandleMemAccess(), IntHandleMsrViolation(), IntHandleTimer(), IntHandleXcrWrite(), IntHookCrCommit(), IntHookCrDeleteHook(), IntHookCrInit(), IntHookCrRemoveAllHooks(), IntHookCrRemoveHook(), IntHookCrSetHook(), IntHookCrUninit(), IntHookDtrCommit(), IntHookDtrDeleteHook(), IntHookDtrInit(), IntHookDtrRemoveAllHooks(), IntHookDtrSetHook(), IntHookDtrUninit(), IntHookGpaDump(), IntHookGpaEnableDisablePtCache(), IntHookGpaEnableDisableVe(), IntHookGpaFindConvertible(), IntHookGpaGetEPTPageProtection(), IntHookGpaInit(), IntHookGpaSetHook(), IntHookGpaSetNewPageProtection(), IntHookGvaEnableHooks(), IntHookGvaSetHook(), IntHookMsrCommit(), IntHookMsrDeleteHook(), IntHookMsrInit(), IntHookMsrRemoveAllHooks(), IntHookMsrRemoveHook(), IntHookMsrSetHook(), IntHookMsrUninit(), IntHookPtmAddTable(), IntHookPtmSetHook(), IntHookPtmWriteCallback(), IntHookPtsCheckIntegrity(), IntHookPtsCreateEntry(), IntHookPtsHandleModification(), IntHookPtsSetHook(), IntHookPtsWriteCallback(), IntHookPtwEmulateWrite(), IntHookPtwProcessWrite(), IntHookXcrCommit(), IntHookXcrDeleteHook(), IntHookXcrInit(), IntHookXcrRemoveAllHooks(), IntHookXcrSetHook(), IntHookXcrUninit(), IntIcAddInvdForInstruction(), IntIcDumpIcache(), IntIcSwapHandler(), IntIcWriteHandler(), IntIdtGetEntry(), IntIdtrProtect(), IntInjectExceptionInGuest(), IntInjectFileAgentInGuest(), IntInjectProcessAgentInGuest(), IntIntegrityAddRegion(), IntIntegrityCheckAll(), IntIntegrityRecalculate(), IntIterateVaSpace(), IntKernVirtMemFetchWordSize(), IntKernVirtMemPatchWordSize(), IntKernVirtMemRead(), IntKernVirtMemWrite(), IntKsymFindByAddress(), IntKsymFindByName(), IntKsymFindIndexesTableStart(), IntKsymFindMarkersReducedTableEnd(), IntKsymFindMarkersTableEnd(), IntKsymFindNamesTableEnd(), IntKsymInit(), IntKsymInitAbsolute(), IntKsymRelativeFindOffsetTableEnd(), IntKsymRelativeFindOffsetTableStart(), IntLixAgentActivatePendingAgent(), IntLixAgentAllocate(), IntLixAgentCreateThreadHypercall(), IntLixAgentFillDataFromMemory(), IntLixAgentFree(), IntLixAgentUninit(), IntLixApiHookAll(), IntLixApiUpdateHooks(), IntLixCrashDumpDmesg(), IntLixCrashPanicHandler(), IntLixCredAdd(), IntLixCredCheckIntegrity(), IntLixCredInitMap(), IntLixCredsDump(), IntLixCredsVerify(), IntLixDepDeployFileHypercall(), IntLixDepGetInternalContent(), IntLixDepInjectFile(), IntLixDepInjectProcess(), IntLixDepRunCommand(), IntLixDrvActivateProtection(), IntLixDrvCreateDriverObject(), IntLixDrvCreateKernel(), IntLixDrvFindList(), IntLixDrvSendEvent(), IntLixDrvSendViolationEvent(), IntLixDrvUpdateProtection(), IntLixDrvValidate(), IntLixDumpStacktrace(), IntLixFsrInitMap(), IntLixFsrRead(), IntLixGetInitTask(), IntLixGetKernelCr3(), IntLixGuestActivateProtection(), IntLixGuestAllocate(), IntLixGuestAllocateFill(), IntLixGuestAllocateHook(), IntLixGuestClearGuestMemory(), IntLixGuestDeployUninitAgent(), IntLixGuestFindKernel(), IntLixGuestFindKernelBase(), IntLixGuestFindKernelVersionAndRo(), IntLixGuestInit(), IntLixGuestInitAgentCompletion(), IntLixGuestInitAgentHypercall(), IntLixGuestIsKptiActive(), IntLixGuestIsSupported(), IntLixGuestNew(), IntLixGuestSetOsVersion(), IntLixGuestUninit(), IntLixHookKernelRead(), IntLixHookKernelWrite(), IntLixIdtProtectAll(), IntLixIdtProtectOnCpu(), IntLixIdtUnprotectAll(), IntLixKernelHandleRead(), IntLixKernelReadUnprotect(), IntLixKernelWriteUnprotect(), IntLixMmGetInitMm(), IntLixMsrHandleWrite(), IntLixNetIterateTaskConnections(), IntLixNetSendGuestConnections(), IntLixPatchSwapgs(), IntLixResolveExeFileOffset(), IntLixStackTraceGet(), IntLixStackTraceGetReg(), IntLixTaskActivateProtection(), IntLixTaskAdjustProtections(), IntLixTaskCreate(), IntLixTaskCreateFromBinprm(), IntLixTaskDeactivateExploitProtection(), IntLixTaskDestroy(), IntLixTaskFetchCmdLine(), IntLixTaskFetchMm(), IntLixTaskGuestTerminating(), IntLixTaskHandleExec(), IntLixTaskMarkAgent(), IntLixTaskSendCredViolationEvent(), IntLixTaskSendExceptionEvent(), IntLixTaskSendTaskEvent(), IntLixTaskShouldProtect(), IntLixUnhookKernelRead(), IntLixUnhookKernelWrite(), IntLixUnpatchSwapgs(), IntLixVdsoFixedProtect(), IntLixVmaGetPageCount(), IntLixVmaHandlePageExecution(), IntLogContextRecord(), IntLogCriticalStructureCoruption(), IntLogCurrentIP(), IntLogExceptionRecord(), IntLogGuestRegisters(), IntLogProcessInfo(), IntLogStackTrace(), IntLogTrapFrame(), IntMapGpaForTranslation(), IntMemClkCloakRegion(), IntModifyDynamicOptions(), IntMsrSyscallProtect(), IntMtblCheckAccess(), IntMtblDisable(), IntMtblPatchInstruction(), IntMtblRemoveEntry(), IntNetConvertState(), IntNewGuestNotification(), IntNotifyGuestPowerStateChange(), IntPeFindFunctionByPattern(), IntPeFindKernelExport(), IntPeListSectionsHeaders(), IntPolicyCoreIsOptionBeta(), IntPolicyCoreTakeAction(), IntPolicyGetProcProt(), IntPolicyIsCoreOptionFeedback(), IntPolicyProcIsBeta(), IntPolicyProcIsFeedback(), IntPolicyProcTakeAction(), IntPtiCacheAdd(), IntPtiCacheRemove(), IntPtiCompleteLoader(), IntPtiDeleteInstruction(), IntPtiDeliverDriverForLoad(), IntPtiDisableFiltering(), IntPtiEnableFiltering(), IntPtiHandleGuestResumeFromSleep(), IntPtiHookPtDriver(), IntPtiInjectPtFilter(), IntPtiMonitorAllPtWriteCandidates(), IntPtiRemoveInstruction(), IntPtiRemovePtFilter(), IntReadString(), IntRemoveAllProtectedProcesses(), IntRemoveException(), IntRtlpVirtualUnwindCheckAccess(), IntSerializeCodeBlocksGetExtractLevel(), IntSerializeDpiWinPivotedStack(), IntSerializeHeader(), IntSerializeIdt(), IntSerializeKernelDriver(), IntSerializeKmMisc(), IntSerializeKmOriginator(), IntSerializeKmVictim(), IntSerializeLixKmMisc(), IntSerializeProcess(), IntSerializeRawDump(), IntSerializeUmMisc(), IntSerializeUmOriginator(), IntSerializeUmVictim(), IntSerializeVad(), IntSerializeWinKmMisc(), IntShcIsSuspiciousCode(), IntSlackAlloc(), IntSlackAllocLinux(), IntSlackAllocWindows(), IntSlackSendIntegrityAlert(), IntSplitVirtualAddress(), IntStackAnalyzePointer(), IntStatsDumpAll(), IntStatStart(), IntStatStop(), IntSwapgsDisable(), IntSwapgsInstallHandler(), IntSwapgsStartMitigation(), IntSwapMemInjectMiniSwapper(), IntSwapMemInjectPendingPF(), IntSwapMemReadData(), IntSwapMemReinjectFailedPF(), IntThrGetStackSize(), IntThrSafeCheckThreads(), IntThrSafeInspectRunningThreads(), IntThrSafeIsStackPtrInIntro(), IntThrSafeMoveReturn(), IntThrSafeMoveRip(), IntThrSafeWinGetCurrentStack(), IntThrSafeWinInspectRunningThreadOnCpu(), IntThrSafeWinInspectWaitingThread(), IntTranslateVirtualAddressEx(), IntUDRemoveAllEntriesForCr3(), IntUninit(), IntUnmapGpaForTranslation(), IntUpdateAddCbSignature(), IntUpdateAddExceptionFromAlert(), IntUpdateAddExportSignature(), IntUpdateAddIdtSignature(), IntUpdateAddKernelException(), IntUpdateAddKernelExceptionInOrder(), IntUpdateAddKernelUserException(), IntUpdateAddKernelUserExceptionInOrder(), IntUpdateAddKmException(), IntUpdateAddKmUmException(), IntUpdateAddProcessCreationSignature(), IntUpdateAddUmException(), IntUpdateAddUserException(), IntUpdateAddUserExceptionGlob(), IntUpdateAddUserExceptionInOrder(), IntUpdateAddValueCodeSignature(), IntUpdateAddValueSignature(), IntUpdateAddVersionIntroSignature(), IntUpdateAddVersionOsSignature(), IntUpdateAreExceptionsLoaded(), IntUpdateAssignAlertSignatureIds(), IntUpdateExceptions(), IntUpdateFlushAlertExceptions(), IntUpdateGetVersion(), IntUpdateIsDuplicateCbSignature(), IntUpdateIsDuplicateExportSignature(), IntUpdateIsDuplicateIdtSignature(), IntUpdateIsDuplicateKernelException(), IntUpdateIsDuplicateKernelUserException(), IntUpdateIsDuplicateUserException(), IntUpdateLoadExceptions(), IntUpdateRemoveException(), IntUpdateRemoveSignaturesForException(), IntUpdateSetIdForException(), IntUpdateSupport(), IntValidateRangeForWrite(), IntVasPageTableWriteCallback(), IntVasStartMonitorVaSpace(), IntVeCompleteLoader(), IntVeDeliverDriverForLoad(), IntVeDeployAgent(), IntVeDumpStats(), IntVeDumpVeInfoPage(), IntVeDumpVeInfoPages(), IntVeEnableDisableDriverAccessInProtectedView(), IntVeFindKernelKvaShadowAndKernelExit(), IntVeHandleAccess(), IntVeHandleEPTViolationInProtectedView(), IntVeHandleGuestResumeFromSleep(), IntVeHandleSwap(), IntVeHookVeDriver(), IntVeInit(), IntVeIsAgentRemapped(), IntVePatchVeCoreJmpKiKernelExit(), IntVePatchVeCoreJmpTrampoline(), IntVeRemoveAgent(), IntVeSetVeInfoPage(), IntVeUnhookVeAgent(), IntVeUnInit(), IntVeUpdateCacheEntry(), IntVirtMemFetchWordSize(), IntVirtMemPatchWordSize(), IntVirtMemSafeWrite(), IntWinAgentActivatePendingAgent(), IntWinAgentDeployWinDriver(), IntWinAgentFindInstruction(), IntWinAgentFindPropperSyscall(), IntWinAgentFindSyscallLinkage(), IntWinAgentHandleAppVmcall(), IntWinAgentHandleDriverVmcall(), IntWinAgentHandleLoader1Hypercall(), IntWinAgentInject(), IntWinAgentInjectBreakpoint(), IntWinAgentInjectTrampoline(), IntWinAgentReleaseBootstrap(), IntWinAgentReleaseBootstrapAddress(), IntWinAgentSelectBootstrapAddress(), IntWinAgentSelectTokens(), IntWinApiFindFunctionRva(), IntWinApiHook(), IntWinApiHookAll(), IntWinApiHookVeHandler(), IntWinApiUpdateHookDescriptor(), IntWinApiUpdateHooks(), IntWinBcHandleBugCheck(), IntWinBcLogBsodEvent(), IntWinBcSendBsodEvent(), IntWinCrashHandleDepViolation(), IntWinDepInjectProcess(), IntWinDpiForceFeedbackIfNeeded(), IntWinDpiGatherDpiInfo(), IntWinDpiGetProcessDebugFlag(), IntWinDpiHandleDpiAclEdit(), IntWinDpiHandleDpiDebug(), IntWinDpiHandleDpiHeapSpray(), IntWinDpiHandleDpiPivotedStack(), IntWinDpiHandleDpiSecDesc(), IntWinDpiHandleDpiStolenToken(), IntWinDpiHandleDpiThreadStart(), IntWinDpiHandleDpiTokenPrivs(), IntWinDpiValidateHeapSpray(), IntWinDpiValidateThreadStart(), IntWinDrvCreateFromAddress(), IntWinDrvForceDisableReadNtEat(), IntWinDrvHandleDriverEntry(), IntWinDrvHandleRead(), IntWinDrvHeadersInMemory(), IntWinDrvIsListHead(), IntWinDrvIsProtected(), IntWinDrvIterateLoadedModules(), IntWinDrvObjCreateFromAddress(), IntWinDrvObjHandleModification(), IntWinDrvObjHandleWrite(), IntWinDrvObjIsProtected(), IntWinDrvObjIsValidDriverObject(), IntWinDrvObjRemoveFromAddress(), IntWinDrvRemoveFromAddress(), IntWinDrvSendEvent(), IntWinFillRegsFromExceptionInfo(), IntWinGetAccessTokenFromProcess(), IntWinGetAccesTokenFromThread(), IntWinGetActiveCpuCount(), IntWinGetPrcoCmdLineHandleCmdLineInMemory(), IntWinGetPrcoCmdLineHandleUserParamsInMemory(), IntWinGuestActivateProtection(), IntWinGuestFetchProductType(), IntWinGuestFindBuildNumber(), IntWinGuestFindDriversNamespace(), IntWinGuestFindDriversNamespaceNoBuffer(), IntWinGuestFindIdleCr3(), IntWinGuestFindKernel(), IntWinGuestFindKernelCr3(), IntWinGuestFindKernelObjects(), IntWinGuestFindKernelObjectsInternal(), IntWinGuestFindSelfMapIndex(), IntWinGuestFinishInit(), IntWinGuestInit(), IntWinGuestIsIncreasedUserVa(), IntWinGuestIsSupported(), IntWinGuestKernelHeadersInMemory(), IntWinGuestNew(), IntWinGuestReadKernel(), IntWinGuestResolveImports(), IntWinGuestUninit(), IntWinGuestValidateKernel(), IntWinHalCreateHalData(), IntWinHalFindHalHeapAndInterruptController(), IntWinHalFindInterruptController(), IntWinHalFindPerformanceCounter(), IntWinHalFindPerformanceCounterInternal(), IntWinHalHandleDispatchTableWrite(), IntWinHalHandleHalHeapExec(), IntWinHalHandlePerfCounterModification(), IntWinHalIsIntController(), IntWinHalProtectHalHeapExecs(), IntWinHalProtectHalPerfCounter(), IntWinHalReadHal(), IntWinHalSendPerfCntIntegrityAlert(), IntWinHalUpdateProtection(), IntWinHandleException(), IntWinIdtProtectAll(), IntWinIdtProtectOnCpu(), IntWinIdtProtectOnCpuEpt(), IntWinIdtProtectOnCpuIntegrity(), IntWinIdtSendIntegrityAlert(), IntWinIdtUnprotectAll(), IntWinIdtUnprotectOnCpu(), IntWinIdtUnprotectOnCpuEpt(), IntWinIdtUnprotectOnCpuIntergity(), IntWinInfCheckCtxLoggerOnRelocation(), IntWinInfHookGetCircularCtxLogger(), IntWinInfHookGetCpuClockIntegrityCallback(), IntWinInfHookGetEtwpDebuggerData(), IntWinInfHookGetWmiLoggerGetCpuClock(), IntWinInfHookHookSppWmiGetClock(), IntWinInfHookIntegrityHandleWrite(), IntWinInfHookIntegritySendAlert(), IntWinInfHookProtect(), IntWinInfHookSiloWmiPtrIntegrityCallback(), IntWinInfHookSppHookWmiSiloPtr(), IntWinInfHookSppViolationCallbackWmiPtrChanged(), IntWinIntObjHandleArrayModification(), IntWinIntObjHandleModification(), IntWinIntObjHandleObjectModification(), IntWinIntObjProtect(), IntWinIntObjSendIntegrityAlert(), IntWinIntObjUnprotect(), IntWinIsUmTrapFrame(), IntWinModCacheCreate(), IntWinModFillInjectionData(), IntWinModHandleLoadFromVad(), IntWinModHandleModulePathInMemory(), IntWinModHandleWrite(), IntWinMsrSendAlert(), IntWinNetCheckPartition(), IntWinNetFillTcpStruct(), IntWinNetFindTcpBitmap(), IntWinNetFindTcpObjects(), IntWinNetFindTcpPartition(), IntWinNetGetAddrFam(), IntWinNetGetAddrInfo(), IntWinNetGetListenerAddressInfo(), IntWinNetGetLocalAddr(), IntWinNetGetOwner(), IntWinNetGetPortsAndState(), IntWinNetGetTcpPortPool(), IntWinNetIterateLinkedList(), IntWinNetIterateSlinkedList(), IntWinNetParseTcpBitmap(), IntWinNetParseTcpPartition(), IntWinNetSearchForAlloc(), IntWinNetSendProcessConnections(), IntWinObjCheckDrvDirSearchState(), IntWinObjFindRootDirectory(), IntWinObjGetObjectNameInfo(), IntWinObjGetPoolHeaderForObject(), IntWinObjHandleDirectoryEntryInMemory(), IntWinObjHandleDriverDirectoryEntryInMemory(), IntWinObjHandleObjectInMemory(), IntWinObjHandleRootDirTagInMemory(), IntWinObjIsTypeObject(), IntWinObjParseDriverDirectory(), IntWinPatchVadHandleCommit(), IntWinPfnHandleTranslationChange(), IntWinPfnIsMmPfnDatabase(), IntWinPfnLockAddress(), IntWinPfnModifyRefCount(), IntWinPfnRemoveLock(), IntWinPfnUnlockAddress(), IntWinPoolGetPoolHeaderInPage(), IntWinPowGetRequestedPowerState(), IntWinPowHandleEventCommon(), IntWinPowHandleHibernateEvent(), IntWinProcAdd(), IntWinProcAddProtectedProcess(), IntWinProcChangeProtectionFlags(), IntWinProcCreateProcessObject(), IntWinProcDeleteProcessObject(), IntWinProcEnforceProcessDep(), IntWinProcFillSystemPath(), IntWinProcGetProtectedInfo(), IntWinProcGetProtectedInfoEx(), IntWinProcHandleCopyMemory(), IntWinProcHandleCreateInternal(), IntWinProcHandleTerminate(), IntWinProcIsExploitGuardEnabled(), IntWinProcIsPsActiveProcessHead(), IntWinProcIterateGuestProcesses(), IntWinProcLockCr3(), IntWinProcMapEprocess(), IntWinProcMarkAgent(), IntWinProcPatchCopyMemoryDetour(), IntWinProcPatchPspInsertProcess86(), IntWinProcPatchSpareValue(), IntWinProcPrepareInstrument(), IntWinProcReadCommandLine(), IntWinProcRemoveProcess(), IntWinProcSendDllEvent(), IntWinProcSendProcessEvent(), IntWinProcSendProcessExceptionEvent(), IntWinProcSetUserCr3(), IntWinProcSwapIn(), IntWinProcUninit(), IntWinProcUpdateProtection(), IntWinProcValidateSystemCr3(), IntWinProtectReadNtEat(), IntWinReadSid(), IntWinReadToken(), IntWinSDCheckAclIntegrity(), IntWinSDCheckIntegrity(), IntWinSDCheckSecDescIntegrity(), IntWinSDFetchSecDescAddress(), IntWinSDReadSecDesc(), IntWinSelfMapCheckSelfMapEntry(), IntWinSelfMapDisableSelfMapEntryProtection(), IntWinSelfMapEnableSelfMapEntryProtection(), IntWinSelfMapGetAndCheckSelfMapEntry(), IntWinSelfMapProtectSelfMapIndex(), IntWinSelfMapValidateSelfMapEntries(), IntWinSetUmExceptionEvent(), IntWinStackHandleUserStackPagedOut(), IntWinStackTraceGet(), IntWinStackTraceGet32(), IntWinStackTraceGet64(), IntWinStackTraceGetUser(), IntWinStackUserCheckIsPivoted(), IntWinStackUserTrapFrameGet32(), IntWinStackUserTrapFrameGet64(), IntWinStackUserTrapFrameGetGeneric(), IntWinStackWow64CheckIsPivoted(), IntWinSudCheckIntegrity(), IntWinSudHandleFieldModification(), IntWinSudProtectSudExec(), IntWinThrGetCurrentThread(), IntWinThrGetCurrentTib(), IntWinThrHandleQueueApc(), IntWinThrHandleThreadHijack(), IntWinThrPatchThreadHijackHandler(), IntWinThrPrepareApcHandler(), IntWinTokenCheckCurrentPrivileges(), IntWinTokenCheckIntegrity(), IntWinTokenFetchTokenAddress(), IntWinTokenPrivsHandleSwap(), IntWinTokenPrivsHandleWrite(), IntWinTokenPrivsProtectOnProcess(), IntWinTokenPrivsShouldHook(), IntWinTokenProtectPrivs(), IntWinTokenProtectPrivsInternal(), IntWinTokenPtrCheckIntegrityOnProcess(), IntWinTokenPtrIsStolen(), IntWinTokenUnprotectPrivs(), IntWinUmCheckInitializationInjection(), IntWinUmModCacheFetch(), IntWinUnprotectReadNtEat(), IntWinVadFetchImageName(), IntWinVadFindNodeInGuestSpace(), IntWinVadHandleProtectGeneric(), IntWinVadHandleVirtualProtect(), IntWinVadImportProcessTree(), IntWinVadInOrderRecursiveTraversal(), IntWinVadIsExecSuspicious(), IntWinVadIsInTree(), IntWinVadMapShortVad(), IntWinVadPatchDeleteVaRange(), IntWinVadPatchFinishVadDeletion(), IntWinVadPatchInsert(), IntWinVadPatchInsertMap(), IntWinVadPatchInsertPrivate(), IntWinVadPatchVirtualProtect(), IntWinVadProcImportMainModuleVad(), IntWinVadRescanVad(), IntWinVadShortDump(), IntWinVadStaticInsertNodeIntoProcess(), IsInitializationDone(), and ShouldIgnoreInjection().
|
static |
The number of times initialization was tried.
Definition at line 62 of file guests.c.
Referenced by IntGuestHandleCr3Write(), and IntGuestInit().
| PATTERN_SIGNATURE* gSysenterSignatures |
The syscall and sysenter signatures used to identify an OS.
Pointer to the syscall signatures that will be loaded from the update buffer.
The signatures are plain binary chunks that must be found at the syscall entry point. 0x100 can be used as a wild card in order to match anything.
| DWORD gSysenterSignaturesCount |
The number of entries in the gSysenterSignatures array.
Holds the number of loaded syscall signatures.
Definition at line 81 of file guests.c.
Referenced by IntCamiLoadSyscalls(), and IntGuestDetectOsSysCall().
| VCPU_STATE* gVcpu = NULL |
The state of the current VCPU.
Since all events are serialized, we will always have only one current VCPU, it is safe to have this as a global variable. Set by every event handler. Will point to one entry from gGuest.VcpuArray.
Definition at line 59 of file guests.c.
Referenced by DbgCrWriteTestCallback(), DbgLogCurrentProcess(), IntAlertCoreGetFlags(), IntAlertEptFillFromVictimZone(), IntAlertFillCpuContext(), IntAlertFillExecContext(), IntAlertFillLixCurrentProcess(), IntAlertProcGetFlags(), IntApiEnter(), IntCr0Read(), IntCr3Read(), IntCr4Read(), IntCr8Read(), IntCrLixHandleWrite(), IntDecEmulatePTWrite(), IntDecEmulateRead(), IntDetCallCallback(), IntDetGetArgumentInternal(), IntDetGetArguments(), IntDetPatchArgument(), IntDetSetReturnValue(), IntDisableIntro(), IntDispatchPtAsEpt(), IntDispatchVeAsEpt(), IntDriverLoadHandler(), IntDriverUnloadHandler(), IntDtrHandleWrite(), IntDumpCodeAndRegs(), IntEngFillExecDetails(), IntExceptGetVictimEpt(), IntExceptKernelGetOriginator(), IntExceptLixKernelGetOriginator(), IntExceptUserGetExecOriginator(), IntExceptUserHandleMemoryFunctions(), IntExceptUserLogInformation(), IntExceptVerifyCodeBlocksSig(), IntExceptVerifyValueCodeSig(), IntExceptWinKernelGetOriginator(), IntFindKernelPcr(), IntGetCurrentInstructionLength(), IntGetCurrentInstructionMnemonic(), IntGetGprs(), IntHandleBreakpoint(), IntHandleCowOnPage(), IntHandleCrWrite(), IntHandleDtrViolation(), IntHandleEptViolation(), IntHandleEventInjection(), IntHandleFetchRetryOnPageBoundary(), IntHandleIntroCall(), IntHandleMemAccess(), IntHandleMsrViolation(), IntHandleTimer(), IntHandleXcrWrite(), IntHookCrRemoveHook(), IntHookDtrRemoveHook(), IntHookMsrRemoveHook(), IntHookPtwEmulateWrite(), IntHookPtwProcessWrite(), IntHookXcrRemoveHook(), IntLixAccessRemoteVmHandler(), IntLixAgentCreateThreadCompletion(), IntLixAgentCreateThreadHypercall(), IntLixAgentError(), IntLixAgentExit(), IntLixAgentHandleBreakpoint(), IntLixAgentHandleInt3(), IntLixAgentHandleKernelVmcall(), IntLixAgentHandleUserVmcall(), IntLixAgentHandleVmcall(), IntLixAgentStart(), IntLixAgentThreadError(), IntLixAgentThreadHandleBreakpoint(), IntLixCommitCredsHandle(), IntLixCrashHandle(), IntLixDepDeployFileHypercall(), IntLixDrvIsLegitimateTextPoke(), IntLixDumpStacktrace(), IntLixGuestAgentContentHandler(), IntLixGuestAllocateFill(), IntLixGuestDetourDataHandler(), IntLixGuestInitAgentCompletion(), IntLixIdtWriteHandler(), IntLixJumpLabelHandler(), IntLixKernelHandleRead(), IntLixPatchHandler(), IntLixTaskGetCurrentTaskStruct(), IntLixTaskHandleDoExit(), IntLixTaskHandleExec(), IntLixTaskHandleFork(), IntLixTaskHandleInjection(), IntLixTaskHandlePtrace(), IntLixTaskHandleVmRw(), IntLixVdsoHandleKernelModeWrite(), IntLixVdsoHandleUserModeWrite(), IntLixVdsoHandleWrite(), IntLixVdsoHandleWriteCommon(), IntLixVmaAdjust(), IntLixVmaChangeProtection(), IntLixVmaExpandDownwards(), IntLixVmaHandlePageExecution(), IntLixVmaInsert(), IntLixVmaRemove(), IntLogGuestRegisters(), IntLogProcessInfo(), IntLogStackTrace(), IntMemClkHandleRead(), IntMtblCheckAccess(), IntMtblPatchInstruction(), IntProcessDebugCommand(), IntPtiHandleExecute(), IntPtiHandleInt3(), IntPtiHandleWrite(), IntPtiInspectInstruction(), IntPtiRemoveInstruction(), IntRipRead(), IntRtlpVirtualUnwindCheckAccess(), IntSerializeArchRegs(), IntSerializeRipCode(), IntSetGprs(), IntSwapMemCancelPendingPF(), IntSwapMemHandleBreakpointAgent(), IntSwapMemInjectPendingPF(), IntThrSafeInspectRunningThreads(), IntThrSafeIsStackPtrInIntro(), IntTranslateVirtualAddressEx(), IntUnpPageExecuteCallback(), IntValidatePageRights(), IntValidatePageRightsEx(), IntValidateTranslation(), IntVasPageTableWriteCallback(), IntVeFindKernelKvaShadowAndKernelExit(), IntVeHandleAccess(), IntVeHandleEPTViolationInProtectedView(), IntVeHandleHypercall(), IntVeIsCurrentRipInAgent(), IntWinAgentActivatePendingAgent(), IntWinAgentHandleDriverVmcall(), IntWinAgentHandleInt3(), IntWinAgentHandleVmcall(), IntWinBcHandleBugCheck(), IntWinCrashHandleDepViolation(), IntWinDagentSendDoubleAgentAlert(), IntWinDpiGetProcessDebugFlag(), IntWinDpiValidateThreadStart(), IntWinDrvHandleDriverEntry(), IntWinDrvHandleRead(), IntWinDrvObjHandleWrite(), IntWinDrvObjSendEptAlert(), IntWinDrvSendAlert(), IntWinGuestFindIdleCr3(), IntWinHalHandleHalHeapExec(), IntWinHalSendAlert(), IntWinHandleException(), IntWinIdtWriteHandler(), IntWinInfHookEptSppHandleWrite(), IntWinInfHookEptSppSendAlert(), IntWinInfHookHandleSiloFirstWrite(), IntWinInfHookSppViolationCallbackWmiPtrChanged(), IntWinLogVAInfo(), IntWinModBlockHandleExecution(), IntWinModFillInjectionData(), IntWinModHandleKernelWrite(), IntWinModHandleUserWrite(), IntWinModHandleWrite(), IntWinModPolyHandler(), IntWinPowGetRequestedPowerState(), IntWinProcHandleCopyMemory(), IntWinProcHandleCreate(), IntWinProcHandleCreateInternal(), IntWinProcHandleInstrument(), IntWinSelfMapHandleCr3SelfMapWrite(), IntWinSetUmExceptionEvent(), IntWinStackHandleUserStackPagedOut(), IntWinStackUserCheckIsPivoted(), IntWinSudHandleKernelSudExec(), IntWinSudHandleSudExec(), IntWinSudHandleUserSudExec(), IntWinSudSendSudExecAlert(), IntWinThrGetCurrentStackBaseAndLimit(), IntWinThrGetCurrentTib(), IntWinThrHandleQueueApc(), IntWinThrHandleThreadHijack(), IntWinTokenPrivsHandleWrite(), IntWinTokenPrivsSendEptAlert(), IntWinVadHandleCommit(), IntWinVadHandleDeleteVaRange(), IntWinVadHandleFinishVadDeletion(), IntWinVadHandleInsertMap(), IntWinVadHandleInsertPrivate(), IntWinVadHandlePageExecution(), and IntWinVadIsExecSuspicious().
1.8.13