71 #define SYSCALL_SIG_FLAG_KPTI 0x80000000 102 gErrorStateContext = Context;
166 *IsKptiActive =
FALSE;
168 for (
DWORD it = 0; it < Size;)
182 if (instrux.Instruction == ND_INS_MOV_CR &&
183 ND_IS_OP_REG(&instrux.Operands[0], ND_REG_CR, (
DWORD)gGuest.
WordSize, NDR_CR3))
185 *IsKptiActive =
TRUE;
189 it += instrux.Length;
219 *KptiInstalled =
FALSE;
225 ERROR(
"[ERROR] IntKernVirtMemRead failed for %llx: 0x%08x\n", SyscallHandler, status);
232 ERROR(
"[ERROR] IntCamiLoadSection failed: 0x%08x\n", status);
240 for (j = 0; j < gSysenterSignatures[i].
Length; j++)
242 if (gSysenterSignatures[i].Pattern[j] != 0x100 && gSysenterSignatures[i].Pattern[j] != buffer[j])
251 TRACE(
"[INTRO-INIT] Found the syscall handler %d address at 0x%016llx\n", i, SyscallHandler);
253 *OsType = gSysenterSignatures[i].
SignatureId & 0xFF;
263 LOG(
"Syscall/interrupt @0x%016llx handler not identified... Dumping %zu bytes from it!\n",
264 SyscallHandler,
sizeof(buffer));
266 for (i = 0; i <
sizeof(buffer); i += 8)
268 NLOG(
"%02x %02x %02x %02x %02x %02x %02x %02x\n", buffer[i], buffer[i + 1], buffer[i + 2], buffer[i + 3],
269 buffer[i + 4], buffer[i + 5], buffer[i + 6], buffer[i + 7]);
299 QWORD analyzeAddress[3] = {0};
302 *KptiInstalled =
FALSE;
308 ERROR(
"[ERROR] Failed reading SYSCALL MSRs: 0x%08x\n", status);
316 ERROR(
"[ERROR] Failed reading SYSENTER MSRs: 0x%08x\n", status);
324 ERROR(
"[ERROR] Failed reading INT 0 handler: 0x%08x\n", status);
331 if (analyzeAddress[l] == 0)
339 TRACE(
"[INTRO-INIT] Found the syscall/interrupt handler address at %llx\n", analyzeAddress[l]);
363 if (NULL == GuestInfo)
368 GuestInfo->Guest64 = gGuest.
Guest64;
385 GuestInfo->StartupTime = time;
426 ERROR(
"[ERROR] IntEferRead failed: 0x%08x\n", status);
445 else if (0 != (Efer & EFER_LMA))
453 else if (0 != (Cr0 &
CR0_PG))
480 ERROR(
"[ERROR] IntEferRead failed: 0x%08x\n", status);
548 #define MAX_INIT_RETRIES 32 553 BOOLEAN bKptiInstalled, bKptiActive, bSameCr3;
562 ERROR(
"[ERROR] Introspection is already initialized, this should not happen... Remove the hook!\n");
565 gCr3WriteHook = NULL;
579 ERROR(
"[ERROR] IntGuestInitMemoryInfo failed: 0x%08x\n", status);
586 ERROR(
"[ERROR] IntSyscallRead failed: 0x%08x\n", status);
593 ERROR(
"[ERROR] IntSysenterRead failed: 0x%08x\n", status);
597 if (0 == syscall && 0 == sysenter)
623 ERROR(
"[ERROR] Guest has activated LA57 mode, we don't support it yet!\n");
641 ERROR(
"[ERROR] IntGuestInitMemoryInfo failed: %08x\n", status);
642 goto _resume_and_leave;
645 LOG(
"[INTRO-INIT] Will try %d time to static init the guest on CPU %02d with EFER 0x%08llx and %s paging mode...\n",
658 ERROR(
"[ERROR] IntGetGprs failed on CPU %d: %08x\n", i, status);
659 goto _resume_and_leave;
662 LOG(
"[INTRO-INIT] CPU %02d: CR0 = %08llx, CR3 = %016llx, CR4 = %08llx, RIP = %016llx\n",
673 ERROR(
"[ERROR] IntGuestDetectOs failed: 0x%08x\n", status);
674 goto _resume_and_leave;
677 LOG(
"[INTRO-INIT] Identified OS type %s\n",
685 TRACE(
"[INTRO-INIT] Guest has KPTI installed: %d, enabled: %d\n",
702 goto _resume_and_leave;
708 ERROR(
"[ERROR] IntCallbacksInit failed: 0x%08x\n", status);
712 goto _resume_and_leave;
715 TRACE(
"[INTRO-INIT] Callbacks initialized successfully!\n");
721 gCr3WriteHook = NULL;
725 ERROR(
"[ERROR] IntHookCrRemoveHook failed: %08x\n", status2);
731 ERROR(
"[ERROR] [CRITICAL] Tried %d times to init the introspection, bail out...\n",
gInitRetryCount);
738 ERROR(
"[ERROR] An error occurred in init: %08x, %d. Will uninit the introspection!\n",
750 #undef MAX_INIT_RETRIES 777 memzero(&gGuest,
sizeof(gGuest));
791 ERROR(
"[ERROR] IntQueryGuestInfo failed for feature CPU COUNT: 0x%08x\n", status);
792 goto _cleanup_and_exit;
799 ERROR(
"[ERROR] IntQueryGuestInfo failed for feature TSC SPEED: 0x%08x\n", status);
802 TRACE(
"[INTRO-INIT] TSC speed = 0x%016llx ticks/second\n", gGuest.
TscSpeed);
808 WARNING(
"[WARNING] IntQueryGuestInfo failed for feature #VE: 0x%08x\n", status);
815 WARNING(
"[WARNING] IntQueryGuestInfo failed for feature VMFUNC: 0x%08x\n", status);
822 WARNING(
"[WARNING] IntQueryGuestInfo failed for feature SPP: 0x%08x\n", status);
829 WARNING(
"[WARNING] IntQueryGuestInfo failed for feature DTR: 0x%08x\n", status);
833 LOG(
"[INTRO-INIT] CPU/HV support: #VE: %s, VMFUNC: %s, SPP: %s, DTR events: %s\n",
842 goto _cleanup_and_exit;
856 TRACE(
"[INTRO-INIT] Stats module initialized successfully!\n");
861 ERROR(
"[ERROR] IntHookInit failed: 0x%08x\n", status);
862 goto _cleanup_and_exit;
864 TRACE(
"[INTRO-INIT] New Hook module initialized successfully!\n");
869 ERROR(
"[ERROR] IntHookMsrInit failed: 0x%08x\n", status);
870 goto _cleanup_and_exit;
872 TRACE(
"[INTRO-INIT] MSR Hook module initialized successfully!\n");
877 ERROR(
"[ERROR] IntHookDtrInit failed: 0x%08x\n", status);
878 goto _cleanup_and_exit;
880 TRACE(
"[INTRO-INIT] DTR Hook module initialized successfully!\n");
885 ERROR(
"[ERROR] IntHookCrInit failed: 0x%08x\n", status);
886 goto _cleanup_and_exit;
888 TRACE(
"[INTRO-INIT] CR Hook module initialized successfully!\n");
893 ERROR(
"[ERROR] IntHookXcrInit failed: 0x%08x\n", status);
894 goto _cleanup_and_exit;
896 TRACE(
"[INTRO-INIT] XCR Hook module initialized successfully!\n");
901 ERROR(
"[ERROR] IntIcCreate failed: 0x%08x\n", status);
902 goto _cleanup_and_exit;
904 TRACE(
"[INTRO-INIT] Instruction cache module initialized successfully!\n");
914 ERROR(
"[ERROR] IntGpaCacheInit failed: 0x%08x\n", status);
915 goto _cleanup_and_exit;
917 TRACE(
"[INTRO-INIT] GPA cache module initialized successfully!\n");
922 ERROR(
"[ERROR] IntSwapMemInit failed: 0x%08x\n", status);
923 goto _cleanup_and_exit;
925 TRACE(
"[INTRO-INIT] Swapmem module initialized successfully!\n");
930 ERROR(
"[ERROR] IntVasInit failed: 0x%08x\n", status);
931 goto _cleanup_and_exit;
933 TRACE(
"[INTRO-INIT] VAS Monitor module initialized successfully!\n");
938 ERROR(
"[ERROR] IntExceptInit failed: 0x%08x\n", status);
939 goto _cleanup_and_exit;
941 TRACE(
"[INTRO-INIT] Kernel-mode exception module initialized successfully!\n");
950 WARNING(
"[WARNING] Both INTRO_OPT_IN_GUEST_PT_FILTER and INTRO_OPT_VE are set, " 951 "will ignore INTRO_OPT_IN_GUEST_PT_FILTER, because #VE is initialized!\n");
957 WARNING(
"[WARNING] Both INTRO_OPT_IN_GUEST_PT_FILTER and INTRO_OPT_VE are set, " 958 "will ignore INTRO_OPT_VE, because #VE is NOT initialized!\n");
967 ERROR(
"[ERROR] IntHookCrSetHook failed: 0x%08x\n", status);
968 goto _cleanup_and_exit;
1026 gCr3WriteHook = NULL;
1057 gCr3WriteHook = NULL;
1062 TRACE(
"[INTRO-UNINIT] Uninit the Windows guest...\n");
1067 TRACE(
"[INTRO-UNINIT] Uninit the Linux guest...\n");
1071 TRACE(
"[INTRO-UNINIT] Uninit #VE...\n");
1074 TRACE(
"[INTRO-UNINIT] Uninit exceptions...\n");
1077 TRACE(
"[INTRO-UNINIT] Uninit integrity...\n");
1080 TRACE(
"[INTRO-UNINIT] Uninit VAS monitor...\n");
1083 TRACE(
"[INTRO-UNINIT] Uninit memory tables...\n");
1086 TRACE(
"[INTRO-UNINIT] Uninit SWAPGS mitigations...\n");
1089 TRACE(
"[INTRO-UNINIT] Uninit detours-guest...\n");
1092 TRACE(
"[INTRO-UNINIT] Uninit slack...\n");
1095 TRACE(
"[INTRO-UNINIT] Uninit instruction cache...\n");
1101 TRACE(
"[INTRO-UNINIT] Uninit memcloak...\n");
1104 TRACE(
"[INTRO-UNINIT] Uninit swapmem...\n");
1110 TRACE(
"[INTRO-UNINIT] Uninit windows pfn locks...\n");
1114 TRACE(
"[INTRO-UNINIT] Uninit unpack...\n");
1117 TRACE(
"[INTRO-UNINIT] Uninit new hooks...\n");
1120 TRACE(
"[INTRO-UNINIT] Uninit hooker-msr...\n");
1123 TRACE(
"[INTRO-UNINIT] Uninit hooker-dtr...\n");
1126 TRACE(
"[INTRO-UNINIT] Uninit hooker-cr...\n");
1129 TRACE(
"[INTRO-UNINIT] Uninit hooker-xcr...\n");
1132 TRACE(
"[INTRO-UNINIT] Uninit GPA cache...\n");
1141 TRACE(
"[INTRO-UNINIT] Uninit callbacks...\n");
1144 TRACE(
"[INTRO-UNINIT] Free cami protected processes array ...\n");
1155 TRACE(
"Calling the notification callback...\n");
1159 memzero(&gGuest,
sizeof(gGuest));
1161 TRACE(
"All done!\n");
1184 if (agWaitState !=
agNone)
1186 WARNING(
"[SAFENESS] We have a %s agent with tag %u!\n",
1187 agWaitState ==
agActive ?
"Active" :
"Waiting", agTag);
1226 LOG(
"Introcore shutdown requested while the guest is transitioning into hibernate...\n");
1246 LOG(
"[INFO] Ignore safeness!\n");
1252 LOG(
"[INFO] It's not safe to unload yet!\n");
1255 goto resume_and_exit;
1265 goto resume_and_exit;
1298 LOG(
"[PTCORE] Will try to reinject the PT Filter...\n");
1302 ERROR(
"[ERROR] IntPtiInjectPtFilter failed: 0x%08x\n", status);
1307 skipAgentActivation =
TRUE;
1308 LOG(
"[PTCORE] PT Filter was re-injected with success!\n");
1313 LOG(
"[VECORE] Will try to reinject the #VE Agent...\n");
1317 ERROR(
"[ERROR] IntVeDeployAgent failed: 0x%08x\n", status);
1322 skipAgentActivation =
TRUE;
1323 LOG(
"[VECORE] The #VE Agent was re-injected with success!\n");
1327 if (!skipAgentActivation)
1334 ERROR(
"[ERROR] IntAgentActivatePendingAgent failed: 0x%08x\n", status);
1343 ERROR(
"[ERROR] IntHookCommitAllHooks failed: 0x%08x\n", status);
1352 ERROR(
"[ERROR] IntHookMsrCommit failed: 0x%08x\n", status);
1361 ERROR(
"[ERROR] IntHookDtrCommit failed: 0x%08x\n", status);
1370 ERROR(
"[ERROR] IntHookCrCommit failed: 0x%08x\n", status);
1379 ERROR(
"[ERROR] IntHookXcrCommit failed: 0x%08x\n", status);
1388 ERROR(
"[ERROR] IntSwapMemInjectPendingPF failed: 0x%08x\n", status);
1450 WARNING(
"[WARNING] Cannot modify options now, an uninit is pending!\n");
1460 WARNING(
"[WARNING] Both INTRO_OPT_IN_GUEST_PT_FILTER and INTRO_OPT_VE are set, will ignore" 1461 "INTRO_OPT_IN_GUEST_PT_FILTER, because #VE is initialized!\n");
1462 NewOptions &= ~INTRO_OPT_IN_GUEST_PT_FILTER;
1467 WARNING(
"[WARNING] Both INTRO_OPT_IN_GUEST_PT_FILTER and INTRO_OPT_VE are set, will ignore INTRO_OPT_VE, " 1468 "because #VE is NOT initialized!\n");
1469 NewOptions &= ~INTRO_OPT_VE;
1758 ERROR(
"[ERROR] IntGetMaxGpfn failed: 0x%08x\n", status);
void IntUnpUninit(void)
Uninit the unpacker. This will stop the monitor on all pages.
#define INT_STATUS_GUEST_OS_NOT_SUPPORTED
Indicates that the guest operating system is not supported.
#define THS_CHECK_SWAPGS
Will check if any RIP is inside a mitigated SWAPGS gadget.
INTSTATUS IntHookXcrCommit(void)
Commit the extended control register hooks.
INTSTATUS IntLixGuestNew(void)
Starts the initialization and enables protection for a new Linux guest.
INTSTATUS IntPtiInjectPtFilter(void)
Inject the PT filter inside the guest.
INTSTATUS IntWinDrvUpdateProtection(void)
Used to update the protection for all the loaded modules (gKernelDrivers).
BOOLEAN SupportDTR
Set to True if support for DTR access exits was detected.
INTSTATUS IntGuestInit(QWORD Options)
Initialize the given guest state.
#define INTRO_OPT_VE
Enable the Virtualization exception page table access pre-filtering agent (64-bit Windows only)...
void IntCamiClearUpdateBuffer(void)
Uninitialize the update buffer and notify the integrator that we don't need it anymore.
INTSTATUS IntVasUnInit(void)
Uninit the VAS monitor state.
DWORD gSysenterSignaturesCount
The number of entries in the gSysenterSignatures array.
Commit all the MSR hooks.
INTSTATUS IntHookInit(void)
Initialize the global hook system.
INTSTATUS IntIdtrUnprotect(void)
Remove the IDTR protection.
void IntSwapgsDisable(void)
Disable SWAPGS mitigations. Must be used only for PrepareUninit.
WINDOWS_GUEST * gWinGuest
Global variable holding the state of a Windows guest.
VCPU_STATE * gVcpu
The state of the current VCPU.
No active/pending agents.
IG_ARCH_REGS Regs
The current state of the guest registers.
INTSTATUS IntIdtGetEntry(DWORD CpuNumber, DWORD Entry, QWORD *Handler)
Get the handler of an interrupt from the IDT.
DWORD Index
The VCPU number.
INTSTATUS IntIdtrProtect(void)
Enable IDTR protection.
INTSTATUS IntLixKernelReadProtect(void)
Activates kernel protection.
BOOLEAN Initialized
True if the VCPU is initialized and used by the guest, False if it is not.
INTSTATUS IntAgentActivatePendingAgent(void)
Activate a pending Windows or Linux agent.
INTSTATUS IntHookCommitAllHooks(void)
Commits all the hooks.
QWORD SystemCr3
The Cr3 used to map the kernel.
#define INT_STATUS_SUCCESS
INTSTATUS IntGetGprs(DWORD CpuNumber, PIG_ARCH_REGS Regs)
Get the current guest GPR state.
INTSTATUS IntVasInit(void)
Initialize the VAS monitor state.
#define INTRO_OPT_PROT_KM_LX
Enable kernel image protection (Linux only).
static INTSTATUS IntGuestDetectOs(INTRO_GUEST_TYPE *OsType, BOOLEAN *KptiInstalled, BOOLEAN *KptiActive)
Detect the type of the currently running guest kernel.
Get the availability of the IDTR/GDTR exits.
static PAGING_MODE IntGuestGetPagingMode(QWORD Efer, QWORD Cr4, QWORD Cr0)
Get the paging mode used by the guest on the current VCPU.
BOOLEAN SysprocBetaDetections
INTSTATUS IntHookCrSetHook(DWORD Cr, DWORD Flags, PFUNC_CrWriteHookCallback Callback, void *Context, HOOK_CR **Hook)
Set a control register write hook.
void IntWinPfnUnInit(void)
Uninits the PFN locks.
static void IntGuestIsKptiActive(BYTE *SyscallBuffer, DWORD Size, BOOLEAN *IsKptiActive)
Checks if the Syscall handler is specific to a System with KPTI enabled.
DWORD IntGetCurrentCpu(void)
Returns the current CPU number.
void IntDetUninit(void)
Uninitializes the detour module.
BOOLEAN Initialized
True if this structure was initialized and can be used.
INTSTATUS IntWinInfHookProtect(void)
This function initializes protection against infinity hook mechanism.
INTSTATUS IntHookMsrInit(void)
Initialize the model specific registers hook state.
#define INT_SUCCESS(Status)
INTSTATUS IntWinSudProtectIntegrity(void)
Initializes the SharedUserData integrity protection.
INTSTATUS IntWinTokenUnprotectPrivs(void)
Unprotects all the currently protected tokens belonging to processes against privileges manipulation...
A critical structure was not found inside the guest kernel.
#define CR3_LONG_MODE_MASK
INTSTATUS IntResumeVcpus(void)
Resumes the VCPUs previously paused with IntPauseVcpus.
void IntStatsInit(void)
Initialization routine.
void IntWinApiUpdateHooks(void)
Iterate through all hookable APIs and enable or disable them according to the current Introcore optio...
BOOLEAN KernelBetaDetections
True if the kernel protection is in beta (log-only) mode.
#define INTRO_OPT_PROT_KM_LX_TEXT_READS
Enable kernel '_text' section read protection (Linux only).
INTSTATUS IntHookCrUninit(void)
Uninit the control register hooks state.
BOOLEAN SafeToApplyOptions
True if the current options can be changed dynamically.
INTSTATUS IntWinTokenProtectPrivs(void)
Protects all the currently unprotected tokens belonging to processes against privileges manipulation...
INTSTATUS IntGpaCacheInit(PGPA_CACHE *Cache, DWORD LinesCount, DWORD EntriesCount)
Initialize a GPA cache.
void IntWinObjCleanup(void)
Cleans up any resources allocated by the object search.
INTSTATUS IntHookDtrCommit(void)
Commit the descriptor registers hooks.
#define HpAllocWithTag(Len, Tag)
int INTSTATUS
The status data type.
The operating system version is not supported.
INTSTATUS IntHookXcrInit(void)
Initialize the extended control registers hook state.
INTSTATUS IntMsrSyscallProtect(void)
Enable protection for all SYSCALL and SYSENTER MSRs.
DWORD OSVersion
Os version.
INTSTATUS IntGetMaxGpfn(QWORD *MaxGpfn)
Get the last physical page frame number accessible by the guest.
#define INT_STATUS_NOT_FOUND
BOOLEAN SupportVMFUNC
Set to True if support for VMFUNC was detected.
INTSTATUS IntQueryGuestInfo(DWORD InfoClass, void *InfoParam, void *Buffer, DWORD BufferLength)
INTSTATUS IntMemClkUnInit(void)
Uninits the memory cloak subsystem.
void IntSwapgsUninit(void)
Uninit the SWAPGS mitigation.
INTSTATUS IntExceptUninit(void)
This function removes and frees all exceptions and signatures.
INTSTATUS IntWinIntObjProtect(void)
Protects the interrupt objects which are present in the KPRCB's InterruptObject array.
#define INTRO_OPT_PROT_KM_SUD_INTEGRITY
Enable integrity checks over various SharedUserData fields, as well as the zero-filled zone after the...
INTSTATUS IntSwapMemInit(void)
Init the swapmem system.
static HOOK_CR * gCr3WriteHook
The Cr3 write hook handle used for initialization.
INTSTATUS IntCallbacksUnInit(void)
Uninit all the Introcore callbacks.
PVCPU_STATE VcpuArray
Array of the VCPUs assigned to this guest. The index in this array matches the VCPU number...
#define INT_STATUS_LOAD_ABORTED
Indicates that Introcore loading was aborted.
INTSTATUS IntIcCreate(INS_CACHE **Cache, DWORD LinesCount, DWORD EntriesCount, DWORD InvCount)
Create a new instruction cache.
INTSTATUS IntCr4Unprotect(void)
Disables the CR4 protection.
INTSTATUS IntHookXcrUninit(void)
Uninit the extended control register hooks state.
INTSTATUS IntPauseVcpus(void)
Pauses all the guest VCPUs.
void IntLixVdsoUnprotect(void)
Remove protection for the vDSO image and VSYSCALL.
#define INTRO_OPT_PROT_KM_IDT
INTRO_GUEST_TYPE OSType
The type of the guest.
BOOLEAN VeAgentWaiting
True if the #VE agent was not yet injected, but it should be.
INTSTATUS IntSwapMemUnInit(void)
Uninit the swapmem system.
Commit all the memory hooks.
INTSTATUS IntHookDtrUninit(void)
Uninit the descriptor registers hooks state.
QWORD Cr4
Cr4 value used when deducing the paging mode.
INTSTATUS IntVeUnInit(void)
Uninit the VE system.
INTSTATUS IntThrSafeCheckThreads(QWORD Options)
Checks if any of the guest threads have their RIP or have any stack pointers pointing to regions of c...
void IntLixGuestUninitGuestCode(void)
Removes the EPT hooks from detours/agents memory zone and clears these memory zones.
void IntLixApiUpdateHooks(void)
Update the hookable APIs according to the current Introcore options.
void IntMtblDisable(void)
Disables mem-table instructions instrumentation.
#define INTRO_OPT_PROT_KM_VDSO
Enable vDSO image protection (Linux only).
INTSTATUS IntWinDrvObjUpdateProtection(void)
Updates the protection for all the driver objects in the gWinDriverObjects list.
void IntLixDrvUpdateProtection(void)
Update Linux drivers protection according to the new core options.
INTSTATUS IntWinGuestNew(void)
Starts the initialization and protection process for a new Windows guest.
INTSTATUS IntWinUnprotectReadNtEat(void)
Used to remove the EAT read hook from ntoskrnl.exe.
static DWORD gInitRetryCount
The number of times initialization was tried.
INTSTATUS IntGdtrProtect(void)
Enable GDTR protection.
#define INTRO_OPT_PROT_KM_SELF_MAP_ENTRY
BOOLEAN PtFilterWaiting
True if the in-guest PT filter was not yet injected, but it should be.
INTSTATUS IntWinIdtUnprotectAll(void)
Removes the IDT protection for all the guest CPUs.
BOOLEAN IntLixGuestDeployUninitAgent(void)
Inject the 'uninit' agent to free the previously allocated memory for detours/agents.
BOOLEAN KptiActive
True if KPTI is enabled on this guest, False if it is not.
#define INTRO_OPT_SYSPROC_BETA_DETECTIONS
Enable system processes beta (log only) detection.
INTSTATUS IntHookCrInit(void)
Initialize the control registers hook state.
INTSTATUS IntHookCrCommit(void)
Commit the control register hooks.
#define INTRO_OPT_PROT_KM_MSR_SYSCALL
Get the number of VCPUs available to the guest.
BOOLEAN gAbortLoad
Set to True if introcore should abort the initialization process.
INTSTATUS IntWinSudProtectSudExec(void)
Protects SharedUserData against executions by establishing an EPT hook on it.
DWORD Length
The valid size of the Pattern array.
BOOLEAN SupportSPP
Set to True if support for SPP was detected.
#define INT_STATUS_CANNOT_UNLOAD
Indicates that Introcore cannot unload in a safe manner.
INTSTATUS IntLixIdtUnprotectAll(void)
Disable protection for IDT on all CPUs.
INTSTATUS IntWinSudUnprotectSudExec(void)
Removes the execution EPT hook on SharedUserData.
The context of an error state.
INTSTATUS IntIntegrityUninit(void)
Uninits the integrity mechanism by removing every integrity region from the list. ...
#define INT_STATUS_NOT_INITIALIZED
INTSTATUS IntSysenterRead(DWORD CpuNumber, QWORD *SysCs, QWORD *SysEip, QWORD *SysEsp)
Queries the IA32_SYSENTER_CS, IA32_SYSENTER_EIP, and IA32_SYSENTER_ESP guest MSRs.
#define IG_CURRENT_VCPU
For APIs that take a VCPU number as a parameter, this can be used to specify that the current VCPU sh...
BOOLEAN PaeEnabled
True if Physical Address Extension is enabled.
INTSTATUS IntHookUninit(void)
Uninit the global hooks system.
#define IG_DISABLE_IGNORE_SAFENESS
PATTERN_SIGNATURE * gSysenterSignatures
The syscall and sysenter signatures used to identify an OS.
INTSTATUS IntCamiProtectedProcessFree(void)
Uninitialize the global variable holding the custom process protection options.
Reinject the #VE or PT filtering agent, based on the active options.
BOOLEAN Guest64
True if this is a 64-bit guest, False if it is a 32-bit guest.
static INTRO_ERROR_STATE gErrorState
The last error reported.
QWORD Current
The currently used options.
#define INTRO_OPT_PROT_KM_IDTR
Enable interrupt descriptor-table registers protection.
INTSTATUS IntGuestPreReturnCallback(DWORD Options)
Handles all the operations that must be done before returning from a VMEXIT event handler...
BOOLEAN IntGuestShouldNotifyErrorState(void)
Checks if an event should be sent to the integrator.
Structure encapsulating VCPU-specific information.
void IntDetDumpDetours(void)
Prints all the detours in the gDetours list of detours.
INTSTATUS IntLixVdsoProtect(void)
Activates protection for the vDSO image and VSYSCALL.
#define INTRO_OPT_PROT_KM_INTERRUPT_OBJ
Enable protection against modifications of interrupt objects from KPRCB's InterruptObject.
void * GpaCache
The currently used GPA cache.
INTSTATUS IntWinIntObjUnprotect(void)
Uninitializes the interrupt objects protection.
#define CR3_LEGACY_PAE_MASK
INTSTATUS IntDecDecodeInstructionFromBuffer(PBYTE Buffer, size_t BufferSize, IG_CS_TYPE CsType, void *Instrux)
Decode an instruction from the provided buffer.
QWORD LastGpa
The upper limit of the guest physical address range.
BOOLEAN GuestInitialized
True if the OS-specific portion has been initialized.
#define HpFreeAndNullWithTag(Add, Tag)
INTSTATUS IntVeRemoveAgent(DWORD AgOpts)
Removes the VE agent from guest memory.
INTSTATUS IntGdtrUnprotect(void)
Remove the GDTR protection.
INTSTATUS IntIcDestroy(PINS_CACHE *Cache)
Destroy an instruction cache.
INTRO_ERROR_STATE IntGuestGetIntroErrorState(void)
Gets the last reported error-state.
INTSTATUS IntHookCrRemoveHook(HOOK_CR *Hook)
Remove a control register hook.
#define CR3_LEGACY_NON_PAE_MASK
BYTE WordSize
Guest word size. Will be 4 for 32-bit guests and 8 for 64-bit guests.
static INTSTATUS IntGuestHandleCr3Write(void *Context, DWORD Cr, QWORD OldValue, QWORD NewValue, INTRO_ACTION *Action)
Handles Cr3 writes done by the guest. This is used to initialize the introspection engine...
INTSTATUS IntExceptInit(void)
This function allocates the exceptions data and initialize the exception lists and the signature list...
INTRO_ERROR_CONTEXT * IntGuestGetIntroErrorStateContext(void)
Gets the last reported error-context appropriate to the error-state.
INTSTATUS IntNotifyIntroInactive(void)
void IntLixKernelReadUnprotect(void)
Deactivates the kernel protection against read.
static INTRO_ERROR_CONTEXT * gErrorStateContext
The last error-context reported.
QWORD ForceOff
Options that are forcibly disabled.
void IntGuestUninit(void)
Completely unloads the introspection engine.
void IntGuestPrepareUninit(void)
Prepares introcore to be unloaded.
#define SYSCALL_SIG_FLAG_KPTI
Indicates that a syscall pattern belongs to a KPTI enabled OS.
#define INTRO_OPT_PROT_KM_NT_EAT_READS
Enable kernel EAT read protection (Windows only).
DWORD CpuCount
The number of logical CPUs.
INTSTATUS IntSwapMemInjectPendingPF(void)
Inject a PF for a pending page.
#define UNREFERENCED_PARAMETER(P)
void IntStatsDumpAll(void)
Prints all the non-zero stats.
INTSTATUS IntGuestGetLastGpa(QWORD *MaxGpa)
Get the upper limit of the guest physical memory range.
INTRO_GUEST_TYPE
The type of the introspected operating system.
void * InstructionCache
The currently used instruction cache.
#define INTRO_OPT_KM_BETA_DETECTIONS
INTSTATUS IntWinGetStartUpTime(QWORD *StartUpTime)
Gets the system startup time.
#define THS_CHECK_DETOURS
Will check if any RIP is inside detours.
INTSTATUS IntSyscallRead(DWORD CpuNumber, QWORD *SysStar, QWORD *SysLstar)
Queries the IA32_STAR, and IA32_LSTAR guest MSRs.
INTSTATUS IntGuestDisableIntro(QWORD Flags)
Disables and unloads the introspection engine.
INTSTATUS IntWinHalUpdateProtection(void)
Updates any of the HAL protections.
INTSTATUS IntGpaCacheUnInit(PGPA_CACHE *Cache)
Uninit a GPA cache.
INTSTATUS IntWinProtectReadNtEat(void)
Used to place a read hook on the ntoskrnl.exe EAT.
void IntSlackUninit(void)
Uninit the slack system. Must be called only during uninit.
enum _INTRO_ACTION INTRO_ACTION
Event actions.
INTSTATUS IntGuestGetInfo(PGUEST_INFO GuestInfo)
Get basic information about the guest.
BOOLEAN VeInitialized
Set to True if #VE initialization was done.
GUEST_STATE gGuest
The current guest state.
void IntWinGuestUninit(void)
Uninits a Windows guest.
void IntAgentDisablePendingAgents(void)
Disable the Windows or Linux pending agents.
void IntLixTaskUpdateProtection(void)
Adjusts protection for all active Linux processes.
BOOLEAN EnterHibernate
True if the guest is entering into hibernate.
QWORD Cr0
Cr0 value used when deducing the paging mode.
Get the availability of the VMFUNC feature in hardware and the hypervisor.
MM Mm
Guest memory information, such as paging mode, system Cr3 value, etc.
void IntGuestUpdateCoreOptions(QWORD NewOptions)
Updates Introcore options.
void IntDetDisableAllHooks(void)
Removes all detours from the guest.
static BOOLEAN IntGuestIsSafeToDisable(void)
Checks if it is safe to unload.
INTSTATUS IntWinProcUpdateProtection(void)
Iterates through the global process list (gWinProcesses) in order to update the protection state for e...
INTSTATUS IntWinIdtProtectAll(void)
Activates the IDT protection for all the guest CPUs.
INTSTATUS IntHookMsrCommit(void)
Commit the model specific register hooks.
INTSTATUS IntMsrSyscallUnprotect(void)
Remove protection from all protected MSRs.
INTRO_ERROR_STATE
Error states.
void IntLixKernelWriteUnprotect(void)
Deactivates the kernel protection against write.
INTRO_PROT_OPTIONS ShemuOptions
Flags which describe the way shemu will give detections.
#define THS_CHECK_ONLY
Will check for safeness, without moving any RIP or stack value.
Commit all the XCR hooks.
INTSTATUS IntKernVirtMemRead(QWORD KernelGva, DWORD Length, void *Buffer, DWORD *RetLength)
Reads data from a guest kernel virtual memory range.
#define SIG_MAX_PATTERN
The maximum size of a pattern.
BOOLEAN KptiInstalled
True if KPTI was detected as installed (not necessarily active).
QWORD Original
The original options as received from GLUE_IFACE.NewGuestNotification. This is updated when GLUE_IFAC...
void IntGuestSetIntroErrorState(INTRO_ERROR_STATE State, INTRO_ERROR_CONTEXT *Context)
Updates the value of the gErrorState and the value of the gErrorStateContext.
BOOLEAN SupportVE
Set to True if support for #VE was detected.
BOOLEAN LA57
True if 5-level paging is being used.
PAGING_MODE Mode
The paging mode used by the guest.
#define THS_CHECK_TRAMPOLINE
Will check if any RIP is inside the agent loader.
void IntGuestUpdateShemuOptions(QWORD NewOptions)
Update shemu options.
void IntLixGuestUninit(void)
Uninitialize the Linux guest.
INTSTATUS IntLixIdtProtectAll(void)
Activates protection for IDT on all CPUs.
INTSTATUS IntPtiRemovePtFilter(DWORD AgOpts)
Removes the PT filter.
QWORD TscSpeed
Number of ticks/second of this given guest. Should be the same as the global (physical) one...
void IntWinGuestCancelKernelRead(void)
Cancels the kernel read.
INTSTATUS IntWinSelfMapEnableSelfMapEntryProtection(void)
Enables the self map protection mechanism for the entire system.
INTSTATUS IntWinSudUnprotectIntegrity(void)
Uninitializes the SharedUserData integrity protection.
#define INT_STATUS_INVALID_PARAMETER_1
#define INT_STATUS_NOT_SUPPORTED
#define INTRO_OPT_PROT_KM_SUD_EXEC
Enable protection against executions on SharedUserData.
#define INTRO_OPT_PROT_KM_TOKEN_PRIVS
Enable protection over Token Privileges bitmaps.
INTSTATUS IntNotifyIntroErrorState(INTRO_ERROR_STATE State, INTRO_ERROR_CONTEXT *Context)
DWORD NtBuildNumberValue
The value of the NtBuildNumber kernel variable.
Get the availability of the SPP feature in hardware and the hypervisor.
Describes a signature that can be used for searching or matching guest contents.
enum _AG_WAITSTATE AG_WAITSTATE
#define INTRO_OPT_PROT_KM_CR4
Enable CR4.SMEP and CR4.SMAP protection.
BOOLEAN BugCheckInProgress
Get the availability of the Virtualization Exception feature in hardware and the hypervisor.
BOOLEAN PtFilterFlagRemoved
Set to True if the INTRO_OPT_IN_GUEST_PT_FILTER was given, but it was removed.
INTSTATUS IntCallbacksInit(void)
Initialize the callbacks.
BOOLEAN DisableOnReturn
Set to True if after returning from this event handler, introcore must be unloaded.
BYTE Version
The version field of the version string.
#define INTRO_OPT_IN_GUEST_PT_FILTER
Enable in-guest page-table filtering (64-bit Windows only).
DWORD SignatureId
Signature ID.
INTSTATUS IntLixKernelWriteProtect(void)
Activates kernel protection.
INTSTATUS IntCr4Protect(void)
Activates the Cr4 protection.
We have an active agent, currently injected inside the guest.
INTSTATUS IntVeDeployAgent(void)
Inject the VE agent inside the guest.
INTSTATUS IntWinInfHookUnprotect(void)
Removes the protection against infinity hook.
INTSTATUS IntHookDtrInit(void)
Initialize the descriptor registers hook state.
Section will contain syscall signatures.
#define THS_CHECK_MEMTABLES
Will check if any RIP is inside memtables.
INTSTATUS IntHookMsrUninit(void)
Uninit the model specific register hooks state.
void IntVeDumpVeInfoPages(void)
Dumps the VE info pages on all VCPUs.
INTSTATUS IntWinSelfMapDisableSelfMapEntryProtection(void)
Disables the self map entry protection for all the processes on the system.
INTRO_PROT_OPTIONS CoreOptions
The activation and protection options for this guest.
static INTSTATUS IntGuestInitMemoryInfo(void)
Initializes gGuest.Mm.
INTSTATUS IntEferRead(QWORD CpuNumber, QWORD *Efer)
Reads the value of the guest IA32 EFER MSR.
static INTSTATUS IntGuestDetectOsSysCall(QWORD SyscallHandler, INTRO_GUEST_TYPE *OsType, BOOLEAN *KptiInstalled, BOOLEAN *KptiActive)
Checks if any of the predefined syscall signatures match to the given syscall handler.
#define INTRO_OPT_PROT_KM_LOGGER_CONTEXT
Enable protection on WMI_LOGGER_CONTEXT.GetCpuClock used by InfinityHook (Windows only)...
#define INTRO_OPT_PROT_KM_GDTR
Enable global descriptor-table registers protection.
LINUX_GUEST * gLixGuest
Global variable holding the state of a Linux guest.
Inject pending page faults.
Commit all the DTR hooks.
INTSTATUS IntCamiLoadSection(DWORD CamiSectionHint)
Load CAMI objects from section with given hint.
AG_WAITSTATE IntAgentGetState(DWORD *Tag)
Get the current Windows or Linux agent state.
INTSTATUS IntMtblUninit(void)
Completely uninit the mem-tables, removing all the handlers from the NT slack space.
#define INT_STATUS_INSUFFICIENT_RESOURCES