- Generated by
1.8.13
|
Bitdefender Hypervisor Memory Introspection
|
#include "winguest.h"#include "lixguest.h"#include "bddisasm.h"#include "bdshemu.h"#include "vecommon.h"#include "udlist.h"Go to the source code of this file.
Data Structures | |
| struct | _PATCH_BUFFER |
| Contains information about the patch buffer. More... | |
| struct | _PTEMU_BUFFER |
| Contains information about the buffer used to emulate page table writes. More... | |
| struct | _PTWRITE_CACHE |
| Will contain the last successfully written page-table entry. This will be used by newly placed hooks on page-table entries that were just written during this exit. If we are dealing with a PAE entry, this structure will be initialized only after the entire 8 bytes entry has been written. More... | |
| struct | _VCPU_STATE |
| Structure encapsulating VCPU-specific information. More... | |
| struct | _MM |
| Memory information structure. More... | |
| struct | _INTRO_PROT_OPTIONS |
| Describes options for this guest. More... | |
| struct | _GUEST_STATE |
| Describes a guest. More... | |
Macros | |
| #define | SHEMU_SHELLCODE_SIZE 0x2000 |
| The shell code buffer size. It should be at least 2 pages in size. More... | |
| #define | SHEMU_STACK_SIZE 0x2000 |
| The size of the stack buffer used by shemu. More... | |
| #define | SHEMU_MAX_INSTRUCTIONS 256 |
| The maximum instructions to be emulated by shemu. More... | |
Typedefs | |
| typedef struct _PATCH_BUFFER | PATCH_BUFFER |
| Contains information about the patch buffer. More... | |
| typedef struct _PATCH_BUFFER * | PPATCH_BUFFER |
| typedef struct _PTEMU_BUFFER | PTEMU_BUFFER |
| Contains information about the buffer used to emulate page table writes. More... | |
| typedef struct _PTEMU_BUFFER * | PPTEMU_BUFFER |
| typedef struct _PTWRITE_CACHE | PTWRITE_CACHE |
| Will contain the last successfully written page-table entry. This will be used by newly placed hooks on page-table entries that were just written during this exit. If we are dealing with a PAE entry, this structure will be initialized only after the entire 8 bytes entry has been written. More... | |
| typedef struct _PTWRITE_CACHE * | PPTWRITE_CACHE |
| typedef struct _VCPU_STATE | VCPU_STATE |
| Structure encapsulating VCPU-specific information. More... | |
| typedef struct _VCPU_STATE * | PVCPU_STATE |
| typedef struct _MM | MM |
| Memory information structure. More... | |
| typedef struct _MM * | PMM |
| typedef struct _INTRO_PROT_OPTIONS | INTRO_PROT_OPTIONS |
| Describes options for this guest. More... | |
| typedef struct _MSR_HOOK_STATE | MSR_HOOK_STATE |
| typedef struct _XCR_HOOK_STATE | XCR_HOOK_STATE |
| typedef struct _CR_HOOK_STATE | CR_HOOK_STATE |
| typedef struct _DTR_HOOK_STATE | DTR_HOOK_STATE |
| typedef struct _KERNEL_DRIVER | KERNEL_DRIVER |
| typedef struct _EXCEPTIONS | EXCEPTIONS |
| typedef struct _GUEST_STATE | GUEST_STATE |
| Describes a guest. More... | |
| typedef struct _GUEST_STATE * | PGUEST_STATE |
Enumerations | |
| enum | CPU_STATE { CPU_STATE_NONE = 0x00, CPU_STATE_ACTIVE = 0x01, CPU_STATE_EPT_VIOLATION = 0x02, CPU_STATE_MSR_VIOLATION = 0x03, CPU_STATE_VMCALL = 0x04, CPU_STATE_CR_WRITE = 0x05, CPU_STATE_DTR_LOAD = 0x06, CPU_STATE_TIMER = 0x07, CPU_STATE_XCR_WRITE = 0x08, CPU_STATE_BREAKPOINT = 0x09, CPU_STATE_EVENT_INJECTION = 0x0A } |
| The various states in which a VCPU can be. More... | |
| enum | PRE_RET_OPTIONS { POST_COMMIT_MEM = 0x00000001, POST_COMMIT_MSR = 0x00000002, POST_COMMIT_CR = 0x00000004, POST_COMMIT_XCR = 0x00000008, POST_COMMIT_DTR = 0x00000010, POST_INJECT_PF = 0x00000100, POST_RETRY_PERFAGENT = 0x00000200 } |
| Flags that control the behavior of IntGuestPreReturnCallback. More... | |
Functions | |
| INTSTATUS | IntGuestGetInfo (PGUEST_INFO GuestInfo) |
| Get basic information about the guest. More... | |
| INTSTATUS | IntGuestPreReturnCallback (DWORD Options) |
| Handles all the operations that must be done before returning from a VMEXIT event handler. More... | |
| void | IntGuestUpdateCoreOptions (QWORD NewOptions) |
| Updates Introcore options. More... | |
| void | IntGuestUpdateShemuOptions (QWORD NewOptions) |
| Update shemu options. More... | |
| INTSTATUS | IntGuestInit (QWORD Options) |
| Initialize the given guest state. More... | |
| void | IntGuestPrepareUninit (void) |
| Prepares introcore to be unloaded. More... | |
| void | IntGuestUninit (void) |
| Completely unloads the introspection engine. More... | |
| INTSTATUS | IntGuestDisableIntro (QWORD Flags) |
| Disables and unloads the introspection engine. More... | |
| INTSTATUS | IntGuestGetLastGpa (QWORD *MaxGpa) |
| Get the upper limit of the guest physical memory range. More... | |
| void | IntGuestSetIntroErrorState (INTRO_ERROR_STATE State, INTRO_ERROR_CONTEXT *Context) |
| Updates the value of the gErrorState and the value of the gErrorStateContext. More... | |
| INTRO_ERROR_STATE | IntGuestGetIntroErrorState (void) |
| Gets the last reported error-state. More... | |
| INTRO_ERROR_CONTEXT * | IntGuestGetIntroErrorStateContext (void) |
| Gets the last reported error-context appropriate to the error-state. More... | |
| BOOLEAN | IntGuestShouldNotifyErrorState (void) |
| Checks if an event should be sent to the integrator. More... | |
| INTSTATUS | IntGuestGetIdtFromGla (QWORD Address, QWORD *IdtBase, QWORD *IdtLimit) |
| Checks if an address is inside one of the guest's IDTs. More... | |
Variables | |
| GUEST_STATE | gGuest |
| The current guest state. More... | |
| WINDOWS_GUEST * | gWinGuest |
| Global variable holding the state of a Windows guest. More... | |
| LINUX_GUEST * | gLixGuest |
| Global variable holding the state of a Linux guest. More... | |
| VCPU_STATE * | gVcpu |
| The state of the current VCPU. More... | |
| #define SHEMU_MAX_INSTRUCTIONS 256 |
The maximum instructions to be emulated by shemu.
Definition at line 74 of file guests.h.
Referenced by IntShcIsSuspiciousCode().
| #define SHEMU_SHELLCODE_SIZE 0x2000 |
The shell code buffer size. It should be at least 2 pages in size.
Definition at line 72 of file guests.h.
Referenced by IntShcIsSuspiciousCode().
| #define SHEMU_STACK_SIZE 0x2000 |
The size of the stack buffer used by shemu.
Definition at line 73 of file guests.h.
Referenced by IntShcIsSuspiciousCode().
| typedef struct _CR_HOOK_STATE CR_HOOK_STATE |
| typedef struct _DTR_HOOK_STATE DTR_HOOK_STATE |
| typedef struct _EXCEPTIONS EXCEPTIONS |
| typedef struct _GUEST_STATE GUEST_STATE |
Describes a guest.
| typedef struct _INTRO_PROT_OPTIONS INTRO_PROT_OPTIONS |
Describes options for this guest.
Every field in this structure must be a combination of Activation and protection flags values.
| typedef struct _KERNEL_DRIVER KERNEL_DRIVER |
| typedef struct _MSR_HOOK_STATE MSR_HOOK_STATE |
| typedef struct _PATCH_BUFFER PATCH_BUFFER |
Contains information about the patch buffer.
This is the buffer used by GLUE_IFACE.SetIntroEmulatorContext.
| typedef struct _GUEST_STATE * PGUEST_STATE |
| typedef struct _PATCH_BUFFER * PPATCH_BUFFER |
| typedef struct _PTEMU_BUFFER * PPTEMU_BUFFER |
| typedef struct _PTWRITE_CACHE * PPTWRITE_CACHE |
| typedef struct _PTEMU_BUFFER PTEMU_BUFFER |
Contains information about the buffer used to emulate page table writes.
| typedef struct _PTWRITE_CACHE PTWRITE_CACHE |
Will contain the last successfully written page-table entry. This will be used by newly placed hooks on page-table entries that were just written during this exit. If we are dealing with a PAE entry, this structure will be initialized only after the entire 8 bytes entry has been written.
| typedef struct _VCPU_STATE * PVCPU_STATE |
| typedef struct _VCPU_STATE VCPU_STATE |
Structure encapsulating VCPU-specific information.
| typedef struct _XCR_HOOK_STATE XCR_HOOK_STATE |
| enum CPU_STATE |
The various states in which a VCPU can be.
| enum PRE_RET_OPTIONS |
Flags that control the behavior of IntGuestPreReturnCallback.
Disables and unloads the introspection engine.
This will deactivate every Introcore subsystem and remove any hooks placed by Introcore. This is done with all the VCPUs paused.
| [in] | Flags | Flags controlling the disable operation. Can be 0 or IG_DISABLE_IGNORE_SAFENESS. If IG_DISABLE_IGNORE_SAFENESS is used, Introcore will forcibly unload even it is not safe to do that at the moment. This may leave the guest in an unstable state. |
| INT_STATUS_SUCCESS | in case of success. |
| INT_STATUS_CANNOT_UNLOAD | if Introcore can not unload. |
Definition at line 1203 of file guests.c.
Referenced by IntDisableIntro(), IntHandleBreakpoint(), IntHandleCrWrite(), IntHandleDtrViolation(), IntHandleEptViolation(), IntHandleIntroCall(), IntHandleMsrViolation(), and IntHandleXcrWrite().
Checks if an address is inside one of the guest's IDTs.
| [in] | Address | The guest virtual address to be checked |
| [out] | IdtBase | On success, the base of the IDT in which Address resides |
| [out] | IdtLimit | On success, the limit of the IDT in which Address resides |
| INT_STATUS_SUCCESS | if Address is inside of one IDT |
| INT_STATUS_NOT_FOUND | is Address is not inside any IDT |
Definition at line 526 of file guests.h.
Referenced by IntLixIdtWriteHandler(), and IntWinIdtWriteHandler().
| INTSTATUS IntGuestGetInfo | ( | PGUEST_INFO | GuestInfo | ) |
Get basic information about the guest.
| [out] | GuestInfo | On success, will hold information about the guest |
| INT_STATUS_SUCCESS | in case of success |
| INT_STATUS_INVALID_PARAMETER_1 | if GuestInfo is NULL |
| INT_STATUS_NOT_INITIALIZED | if the type of the guest is not yet known |
Definition at line 350 of file guests.c.
Referenced by IntGetGuestInfo().
| INTRO_ERROR_STATE IntGuestGetIntroErrorState | ( | void | ) |
Gets the last reported error-state.
| Returns | the type of the last reported error (INTRO_ERROR_STATE). |
Definition at line 107 of file guests.c.
Referenced by IntGuestDisableIntro().
| INTRO_ERROR_CONTEXT* IntGuestGetIntroErrorStateContext | ( | void | ) |
Gets the last reported error-context appropriate to the error-state.
| Returns | the last reported error-context (INTRO_ERROR_CONTEXT). |
Definition at line 121 of file guests.c.
Referenced by IntGuestDisableIntro().
Get the upper limit of the guest physical memory range.
This value is cached inside the GUEST_STATE and subsequent calls will return the cached value.
| [out] | MaxGpa | On success, the upper limit of the guest physical memory range. This is the first page after the last one that the guest can access, meaning that the available physical address range is [0, MaxGpa - 1] (inclusive). Note that gaps may be present inside this range. |
| INT_STATUS_SUCCESS | in case of success. |
Definition at line 1735 of file guests.c.
Referenced by IntVeInit().
Initialize the given guest state.
Any global, per guest initialization steps which do not depend on the guest type must be placed here. Initialization steps which do depend on the guest type or version is done later in IntWinGuestNew or IntLixGuestNew, where data about that guest is available. This will initialize the hooking subsystem and will query basic guest information and hypervisor feature availability. In order to properly initialize the guest, a Cr3 write hook is placed. Initialization will be done on its handler: IntGuestHandleCr3Write.
| [in] | Options | Options to be used. See Activation and protection flags. |
| INT_STATUS_SUCCESS | in case of success. This means that initialization has been successfully started, but it may still fail at further steps. The guest is not yet introspected. |
| INT_STATUS_INSUFFICIENT_RESOURCES | if not enough memory is available |
Definition at line 755 of file guests.c.
Referenced by IntNewGuestNotification().
| void IntGuestPrepareUninit | ( | void | ) |
Prepares introcore to be unloaded.
Disables most subsystems (cancels pending agents, disables protections, etc), but does not yet modify the guest memory, so any hooks placed by Introcore will still be present. This allows us to more safely clean up the guest state. After this function exits, GUEST_STATE.UninitPrepared will be set to True. If the initialization Cr3 hook is still active, it will be disabled.
Definition at line 984 of file guests.c.
Referenced by IntGuestDisableIntro(), and IntNewGuestNotification().
Handles all the operations that must be done before returning from a VMEXIT event handler.
Certain operations can not be done while we are inside one of our own callbacks, so they are delegated here.
| [in] | Options | A combination of PRE_RET_OPTIONS values that control the operations done |
| INT_STATUS_SUCCESS | always |
Definition at line 1280 of file guests.c.
Referenced by IntApiLeave(), IntHandleBreakpoint(), IntHandleCrWrite(), IntHandleDtrViolation(), IntHandleEptViolation(), IntHandleEventInjection(), IntHandleIntroCall(), IntHandleMsrViolation(), IntHandleTimer(), and IntHandleXcrWrite().
| void IntGuestSetIntroErrorState | ( | INTRO_ERROR_STATE | State, |
| INTRO_ERROR_CONTEXT * | Context | ||
| ) |
Updates the value of the gErrorState and the value of the gErrorStateContext.
| [in] | State | The type of the error. |
| [in] | Context | A context appropriate to the error. |
Definition at line 90 of file guests.c.
Referenced by IntGuestDetectOs(), IntGuestDisableIntro(), IntLixGuestInitAgentCompletion(), IntLixGuestNew(), IntWinApiHookAll(), IntWinGuestFindDriversNamespace(), IntWinGuestFinishInit(), IntWinGuestNew(), IntWinObjCheckDrvDirSearchState(), and IntWinObjHandleRootDirTagInMemory().
| BOOLEAN IntGuestShouldNotifyErrorState | ( | void | ) |
Checks if an event should be sent to the integrator.
| True | if the error-state event should be sent to the integrator. |
Definition at line 135 of file guests.c.
Referenced by IntGuestDisableIntro().
| void IntGuestUninit | ( | void | ) |
Completely unloads the introspection engine.
Any generic unload routine must be placed here. Guest specific unload steps must be placed in IntWinGuestUninit or IntLixGuestUninit. This function will call the guest-specific routines, then will disable every introcore subsystem and remove any code or data injected by introcore inside the guest (detours, agents, etc). After this function returns GUEST_STATE.VcpuArray, gWinGuest, and gLixGuest are no longer valid and the entire gGuest state is zeroed.
Definition at line 1036 of file guests.c.
Referenced by IntGuestDisableIntro(), IntGuestInit(), and IntNewGuestNotification().
| void IntGuestUpdateCoreOptions | ( | QWORD | NewOptions | ) |
Updates Introcore options.
This will set the gGuest.CoreOptions based on NewOptions and will enable or disable any protection or service that was toggled by the new options. These operations are done with the VCPUs paused.
| [in] | NewOptions | The new options to be used. See Activation and protection flags for valid values |
Definition at line 1426 of file guests.c.
Referenced by DbgSetCoreOptions(), IntCamiSetCoreOptions(), IntGuestPrepareUninit(), IntHandleTimer(), IntModifyDynamicOptions(), IntWinDrvForceDisableReadNtEat(), and IntWinPowHandleHibernateEvent().
| void IntGuestUpdateShemuOptions | ( | QWORD | NewOptions | ) |
Update shemu options.
This will set the gGuest.ShemuOptions based on NewOptions and will enable or disable any shemu feature that was toggled by the new options.
| [in] | NewOptions | The new options to be used. |
Definition at line 1397 of file guests.c.
Referenced by IntCamiSetShemuOptions().
| GUEST_STATE gGuest |
The current guest state.
Since we always have only one guest and all events are serialized, it is safe to have this as a global variable, since no two threads will access it at the same time
Definition at line 50 of file guests.c.
Referenced by _IntLixTaskRead(), _IntLixTaskStartMap(), DbgCheckEpt(), DbgDumpCodeblocks(), DbgDumpCpuState(), DbgDumpExceptions(), DbgDumpGpaCache(), DbgDumpGuestModules(), DbgDumpPfn(), DbgDumpProcesses(), DbgDumpVadRoot(), DbgLogCoreOptions(), DbgLogKpcr(), DbgProcList(), DbgSetCoreOptions(), DbgVaSpaceIterationCallbackCount(), IntAbortEnableIntro(), IntAddExceptionFromAlert(), IntAddRemoveProtectedProcessUtf16(), IntAddRemoveProtectedProcessUtf8(), IntAgentActivatePendingAgent(), IntAgentDisablePendingAgents(), IntAgentEnableInjection(), IntAgentGetState(), IntAgentHandleInt3(), IntAgentHandleLogGatherVmcall(), IntAgentHandleRemediationVmcall(), IntAgentHandleVmcall(), IntAgentIsPtrInTrampoline(), IntAlertCoreGetFlags(), IntAlertCreateDtrException(), IntAlertCreateIdtSignature(), IntAlertCreateIntegrityException(), IntAlertDtrFill(), IntAlertEptFillFromVictimZone(), IntAlertFillCodeBlocks(), IntAlertFillConnection(), IntAlertFillDpiExtraInfo(), IntAlertFillVersionInfo(), IntAlertProcGetFlags(), IntApiEnter(), IntCamiLoadProtOptionsWin(), IntCamiLoadWindows(), IntCamiSetCoreOptions(), IntCamiSetProcProtOptions(), IntCamiSetShemuOptions(), IntCamiUpdateProcessProtectionInfo(), IntCamiUpdateProcessProtectionItems(), IntCr4HandleWrite(), IntCrSendAlert(), IntDbgCheckHooks(), IntDecDecodeInstructionAtRipWithCache(), IntDecEmulatePageWalk(), IntDecEmulatePTWrite(), IntDecEmulateRead(), IntDecGetSetSseRegValue(), IntDepInjectFile(), IntDepInjectProcess(), IntDepRunCommand(), IntDetCallCallback(), IntDetDisableDetour(), IntDetDumpDetours(), IntDetGetArgumentInternal(), IntDetGetArguments(), IntDetHandleWrite(), IntDetIsPtrInHandler(), IntDetPatchArgument(), IntDetPermanentlyDisableDetour(), IntDetRelocate(), IntDetSendIntegrityAlert(), IntDetSetHook(), IntDisableIntro(), IntDisasmBuffer(), IntDisasmGva(), IntDispatchVeAsEpt(), IntDriverDump(), IntDriverFindByAddress(), IntDriverFindByName(), IntDriverFindByPath(), IntDriverLoadHandler(), IntDriverUninit(), IntDriverUnloadHandler(), IntDtrHandleWrite(), IntDtrSendAlert(), IntEngFillExecDetails(), IntEnginesResultCallback(), IntExcept(), IntExceptAlertRemove(), IntExceptDumpSignatures(), IntExceptGetOriginatorFromModification(), IntExceptGetVictimDtr(), IntExceptGetVictimEpt(), IntExceptGetVictimIntegrity(), IntExceptGetVictimMsr(), IntExceptGetVictimProcess(), IntExceptGetVictimProcessCreation(), IntExceptInit(), IntExceptKernel(), IntExceptKernelGetOriginator(), IntExceptKernelLogInformation(), IntExceptKernelLogLinuxInformation(), IntExceptKernelLogWindowsInformation(), IntExceptKernelMatchVictim(), IntExceptKernelUser(), IntExceptKernelUserLogInformation(), IntExceptKernelUserLogWindowsInformation(), IntExceptKernelUserMatchArch(), IntExceptKernelUserMatchProcessHash(), IntExceptKernelUserMatchVictim(), IntExceptLixGetVictimDriver(), IntExceptLixKernelGetOriginator(), IntExceptMatchException(), IntExceptPrintDrvObjInfo(), IntExceptPrintIdtInfo(), IntExceptPrintMsrInfo(), IntExceptPrintWinKmModInfo(), IntExceptPrintWinModInfo(), IntExceptPrintWinProcInfo(), IntExceptRemove(), IntExceptUninit(), IntExceptUser(), IntExceptUserGetExecOriginator(), IntExceptUserGetOriginator(), IntExceptUserLogInformation(), IntExceptUserLogWindowsInformation(), IntExceptUserMatchArchitecture(), IntExceptUserMatchChild(), IntExceptUserMatchProcessGlob(), IntExceptUserMatchProcessHash(), IntExceptUserMatchSystemProcess(), IntExceptUserVerifyExtra(), IntExceptUserVerifyExtraGlobMatch(), IntExceptVerifyCodeBlocksSig(), IntExceptVerifyExportSig(), IntExceptVerifyIdtSignature(), IntExceptVerifyProcessCreationSignature(), IntExceptVerifyValueCodeSig(), IntExceptVerifyValueSig(), IntExceptVerifyVersionIntroSignature(), IntExceptVerifyVersionOsSignature(), IntExceptWinGetVictimDriver(), IntExceptWinKernelGetOriginator(), IntFlushAlertExceptions(), IntFlushGpaCache(), IntGdtrProtect(), IntGetCurrentInstructionLength(), IntGetCurrentInstructionMnemonic(), IntGetCurrentIntroOptions(), IntGetExceptionsVersion(), IntGetGprs(), IntGetGuestInfo(), IntGetSupportVersion(), IntGetVersionString(), IntGuestUninitOnBugcheck(), IntHandleBreakpoint(), IntHandleCrWrite(), IntHandleDtrViolation(), IntHandleEptViolation(), IntHandleEventInjection(), IntHandleIntroCall(), IntHandleMemAccess(), IntHandleMsrViolation(), IntHandleTimer(), IntHandleXcrWrite(), IntHookCrCommit(), IntHookCrDeleteHook(), IntHookCrInit(), IntHookCrRemoveAllHooks(), IntHookCrRemoveHook(), IntHookCrSetHook(), IntHookCrUninit(), IntHookDtrCommit(), IntHookDtrDeleteHook(), IntHookDtrInit(), IntHookDtrRemoveAllHooks(), IntHookDtrSetHook(), IntHookDtrUninit(), IntHookGpaDump(), IntHookGpaEnableDisablePtCache(), IntHookGpaEnableDisableVe(), IntHookGpaFindConvertible(), IntHookGpaGetEPTPageProtection(), IntHookGpaInit(), IntHookGpaSetHook(), IntHookGpaSetNewPageProtection(), IntHookGvaEnableHooks(), IntHookGvaSetHook(), IntHookMsrCommit(), IntHookMsrDeleteHook(), IntHookMsrInit(), IntHookMsrRemoveAllHooks(), IntHookMsrRemoveHook(), IntHookMsrSetHook(), IntHookMsrUninit(), IntHookPtmAddTable(), IntHookPtmSetHook(), IntHookPtmWriteCallback(), IntHookPtsCheckIntegrity(), IntHookPtsCreateEntry(), IntHookPtsHandleModification(), IntHookPtsSetHook(), IntHookPtsWriteCallback(), IntHookPtwEmulateWrite(), IntHookPtwProcessWrite(), IntHookXcrCommit(), IntHookXcrDeleteHook(), IntHookXcrInit(), IntHookXcrRemoveAllHooks(), IntHookXcrSetHook(), IntHookXcrUninit(), IntIcAddInvdForInstruction(), IntIcDumpIcache(), IntIcSwapHandler(), IntIcWriteHandler(), IntIdtGetEntry(), IntIdtrProtect(), IntInjectExceptionInGuest(), IntInjectFileAgentInGuest(), IntInjectProcessAgentInGuest(), IntIntegrityAddRegion(), IntIntegrityCheckAll(), IntIntegrityRecalculate(), IntIterateVaSpace(), IntKernVirtMemFetchWordSize(), IntKernVirtMemPatchWordSize(), IntKernVirtMemRead(), IntKernVirtMemWrite(), IntKsymFindByAddress(), IntKsymFindByName(), IntKsymFindIndexesTableStart(), IntKsymFindMarkersReducedTableEnd(), IntKsymFindMarkersTableEnd(), IntKsymFindNamesTableEnd(), IntKsymInit(), IntKsymInitAbsolute(), IntKsymRelativeFindOffsetTableEnd(), IntKsymRelativeFindOffsetTableStart(), IntLixAgentActivatePendingAgent(), IntLixAgentAllocate(), IntLixAgentCreateThreadHypercall(), IntLixAgentFillDataFromMemory(), IntLixAgentFree(), IntLixAgentUninit(), IntLixApiHookAll(), IntLixApiUpdateHooks(), IntLixCrashDumpDmesg(), IntLixCrashPanicHandler(), IntLixCredAdd(), IntLixCredCheckIntegrity(), IntLixCredInitMap(), IntLixCredsDump(), IntLixCredsVerify(), IntLixDepDeployFileHypercall(), IntLixDepGetInternalContent(), IntLixDepInjectFile(), IntLixDepInjectProcess(), IntLixDepRunCommand(), IntLixDrvActivateProtection(), IntLixDrvCreateDriverObject(), IntLixDrvCreateKernel(), IntLixDrvFindList(), IntLixDrvSendEvent(), IntLixDrvSendViolationEvent(), IntLixDrvUpdateProtection(), IntLixDrvValidate(), IntLixDumpStacktrace(), IntLixFsrInitMap(), IntLixFsrRead(), IntLixGetInitTask(), IntLixGetKernelCr3(), IntLixGuestActivateProtection(), IntLixGuestAllocate(), IntLixGuestAllocateFill(), IntLixGuestAllocateHook(), IntLixGuestClearGuestMemory(), IntLixGuestDeployUninitAgent(), IntLixGuestFindKernel(), IntLixGuestFindKernelBase(), IntLixGuestFindKernelVersionAndRo(), IntLixGuestInit(), IntLixGuestInitAgentCompletion(), IntLixGuestInitAgentHypercall(), IntLixGuestIsKptiActive(), IntLixGuestIsSupported(), IntLixGuestNew(), IntLixGuestSetOsVersion(), IntLixGuestUninit(), IntLixHookKernelRead(), IntLixHookKernelWrite(), IntLixIdtProtectAll(), IntLixIdtProtectOnCpu(), IntLixIdtUnprotectAll(), IntLixKernelHandleRead(), IntLixKernelReadUnprotect(), IntLixKernelWriteUnprotect(), IntLixMmGetInitMm(), IntLixMsrHandleWrite(), IntLixNetIterateTaskConnections(), IntLixNetSendGuestConnections(), IntLixPatchSwapgs(), IntLixResolveExeFileOffset(), IntLixStackTraceGet(), IntLixStackTraceGetReg(), IntLixTaskActivateProtection(), IntLixTaskAdjustProtections(), IntLixTaskCreate(), IntLixTaskCreateFromBinprm(), IntLixTaskDeactivateExploitProtection(), IntLixTaskDestroy(), IntLixTaskFetchCmdLine(), IntLixTaskFetchMm(), IntLixTaskGuestTerminating(), IntLixTaskHandleExec(), IntLixTaskMarkAgent(), IntLixTaskSendCredViolationEvent(), IntLixTaskSendExceptionEvent(), IntLixTaskSendTaskEvent(), IntLixTaskShouldProtect(), IntLixUnhookKernelRead(), IntLixUnhookKernelWrite(), IntLixUnpatchSwapgs(), IntLixVdsoFixedProtect(), IntLixVmaGetPageCount(), IntLixVmaHandlePageExecution(), IntLogContextRecord(), IntLogCriticalStructureCoruption(), IntLogCurrentIP(), IntLogExceptionRecord(), IntLogGuestRegisters(), IntLogProcessInfo(), IntLogStackTrace(), IntLogTrapFrame(), IntMapGpaForTranslation(), IntMemClkCloakRegion(), IntModifyDynamicOptions(), IntMsrSyscallProtect(), IntMtblCheckAccess(), IntMtblDisable(), IntMtblPatchInstruction(), IntMtblRemoveEntry(), IntNetConvertState(), IntNewGuestNotification(), IntNotifyGuestPowerStateChange(), IntPeFindFunctionByPattern(), IntPeFindKernelExport(), IntPeListSectionsHeaders(), IntPolicyCoreIsOptionBeta(), IntPolicyCoreTakeAction(), IntPolicyGetProcProt(), IntPolicyIsCoreOptionFeedback(), IntPolicyProcIsBeta(), IntPolicyProcIsFeedback(), IntPolicyProcTakeAction(), IntPtiCacheAdd(), IntPtiCacheRemove(), IntPtiCompleteLoader(), IntPtiDeleteInstruction(), IntPtiDeliverDriverForLoad(), IntPtiDisableFiltering(), IntPtiEnableFiltering(), IntPtiHandleGuestResumeFromSleep(), IntPtiHookPtDriver(), IntPtiInjectPtFilter(), IntPtiMonitorAllPtWriteCandidates(), IntPtiRemoveInstruction(), IntPtiRemovePtFilter(), IntReadString(), IntRemoveAllProtectedProcesses(), IntRemoveException(), IntRtlpVirtualUnwindCheckAccess(), IntSerializeCodeBlocksGetExtractLevel(), IntSerializeDpiWinPivotedStack(), IntSerializeHeader(), IntSerializeIdt(), IntSerializeKernelDriver(), IntSerializeKmMisc(), IntSerializeKmOriginator(), IntSerializeKmVictim(), IntSerializeLixKmMisc(), IntSerializeProcess(), IntSerializeRawDump(), IntSerializeUmMisc(), IntSerializeUmOriginator(), IntSerializeUmVictim(), IntSerializeVad(), IntSerializeWinKmMisc(), IntShcIsSuspiciousCode(), IntSlackAlloc(), IntSlackAllocLinux(), IntSlackAllocWindows(), IntSlackSendIntegrityAlert(), IntSplitVirtualAddress(), IntStackAnalyzePointer(), IntStatsDumpAll(), IntStatStart(), IntStatStop(), IntSwapgsDisable(), IntSwapgsInstallHandler(), IntSwapgsStartMitigation(), IntSwapMemInjectMiniSwapper(), IntSwapMemInjectPendingPF(), IntSwapMemReadData(), IntSwapMemReinjectFailedPF(), IntThrGetStackSize(), IntThrSafeCheckThreads(), IntThrSafeInspectRunningThreads(), IntThrSafeIsStackPtrInIntro(), IntThrSafeMoveReturn(), IntThrSafeMoveRip(), IntThrSafeWinGetCurrentStack(), IntThrSafeWinInspectRunningThreadOnCpu(), IntThrSafeWinInspectWaitingThread(), IntTranslateVirtualAddressEx(), IntUDRemoveAllEntriesForCr3(), IntUninit(), IntUnmapGpaForTranslation(), IntUpdateAddCbSignature(), IntUpdateAddExceptionFromAlert(), IntUpdateAddExportSignature(), IntUpdateAddIdtSignature(), IntUpdateAddKernelException(), IntUpdateAddKernelExceptionInOrder(), IntUpdateAddKernelUserException(), IntUpdateAddKernelUserExceptionInOrder(), IntUpdateAddKmException(), IntUpdateAddKmUmException(), IntUpdateAddProcessCreationSignature(), IntUpdateAddUmException(), IntUpdateAddUserException(), IntUpdateAddUserExceptionGlob(), IntUpdateAddUserExceptionInOrder(), IntUpdateAddValueCodeSignature(), IntUpdateAddValueSignature(), IntUpdateAddVersionIntroSignature(), IntUpdateAddVersionOsSignature(), IntUpdateAreExceptionsLoaded(), IntUpdateAssignAlertSignatureIds(), IntUpdateExceptions(), IntUpdateFlushAlertExceptions(), IntUpdateGetVersion(), IntUpdateIsDuplicateCbSignature(), IntUpdateIsDuplicateExportSignature(), IntUpdateIsDuplicateIdtSignature(), IntUpdateIsDuplicateKernelException(), IntUpdateIsDuplicateKernelUserException(), IntUpdateIsDuplicateUserException(), IntUpdateLoadExceptions(), IntUpdateRemoveException(), IntUpdateRemoveSignaturesForException(), IntUpdateSetIdForException(), IntUpdateSupport(), IntValidateRangeForWrite(), IntVasPageTableWriteCallback(), IntVasStartMonitorVaSpace(), IntVeCompleteLoader(), IntVeDeliverDriverForLoad(), IntVeDeployAgent(), IntVeDumpStats(), IntVeDumpVeInfoPage(), IntVeDumpVeInfoPages(), IntVeEnableDisableDriverAccessInProtectedView(), IntVeFindKernelKvaShadowAndKernelExit(), IntVeHandleAccess(), IntVeHandleEPTViolationInProtectedView(), IntVeHandleGuestResumeFromSleep(), IntVeHandleSwap(), IntVeHookVeDriver(), IntVeInit(), IntVeIsAgentRemapped(), IntVePatchVeCoreJmpKiKernelExit(), IntVePatchVeCoreJmpTrampoline(), IntVeRemoveAgent(), IntVeSetVeInfoPage(), IntVeUnhookVeAgent(), IntVeUnInit(), IntVeUpdateCacheEntry(), IntVirtMemFetchWordSize(), IntVirtMemPatchWordSize(), IntVirtMemSafeWrite(), IntWinAgentActivatePendingAgent(), IntWinAgentDeployWinDriver(), IntWinAgentFindInstruction(), IntWinAgentFindPropperSyscall(), IntWinAgentFindSyscallLinkage(), IntWinAgentHandleAppVmcall(), IntWinAgentHandleDriverVmcall(), IntWinAgentHandleLoader1Hypercall(), IntWinAgentInject(), IntWinAgentInjectBreakpoint(), IntWinAgentInjectTrampoline(), IntWinAgentReleaseBootstrap(), IntWinAgentReleaseBootstrapAddress(), IntWinAgentSelectBootstrapAddress(), IntWinAgentSelectTokens(), IntWinApiFindFunctionRva(), IntWinApiHook(), IntWinApiHookAll(), IntWinApiHookVeHandler(), IntWinApiUpdateHookDescriptor(), IntWinApiUpdateHooks(), IntWinBcHandleBugCheck(), IntWinBcLogBsodEvent(), IntWinBcSendBsodEvent(), IntWinCrashHandleDepViolation(), IntWinDepInjectProcess(), IntWinDpiForceFeedbackIfNeeded(), IntWinDpiGatherDpiInfo(), IntWinDpiGetProcessDebugFlag(), IntWinDpiHandleDpiAclEdit(), IntWinDpiHandleDpiDebug(), IntWinDpiHandleDpiHeapSpray(), IntWinDpiHandleDpiPivotedStack(), IntWinDpiHandleDpiSecDesc(), IntWinDpiHandleDpiStolenToken(), IntWinDpiHandleDpiThreadStart(), IntWinDpiHandleDpiTokenPrivs(), IntWinDpiValidateHeapSpray(), IntWinDpiValidateThreadStart(), IntWinDrvCreateFromAddress(), IntWinDrvForceDisableReadNtEat(), IntWinDrvHandleDriverEntry(), IntWinDrvHandleRead(), IntWinDrvHeadersInMemory(), IntWinDrvIsListHead(), IntWinDrvIsProtected(), IntWinDrvIterateLoadedModules(), IntWinDrvObjCreateFromAddress(), IntWinDrvObjHandleModification(), IntWinDrvObjHandleWrite(), IntWinDrvObjIsProtected(), IntWinDrvObjIsValidDriverObject(), IntWinDrvObjRemoveFromAddress(), IntWinDrvRemoveFromAddress(), IntWinDrvSendEvent(), IntWinFillRegsFromExceptionInfo(), IntWinGetAccessTokenFromProcess(), IntWinGetAccesTokenFromThread(), IntWinGetActiveCpuCount(), IntWinGetPrcoCmdLineHandleCmdLineInMemory(), IntWinGetPrcoCmdLineHandleUserParamsInMemory(), IntWinGuestActivateProtection(), IntWinGuestFetchProductType(), IntWinGuestFindBuildNumber(), IntWinGuestFindDriversNamespace(), IntWinGuestFindDriversNamespaceNoBuffer(), IntWinGuestFindIdleCr3(), IntWinGuestFindKernel(), IntWinGuestFindKernelCr3(), IntWinGuestFindKernelObjects(), IntWinGuestFindKernelObjectsInternal(), IntWinGuestFindSelfMapIndex(), IntWinGuestFinishInit(), IntWinGuestInit(), IntWinGuestIsIncreasedUserVa(), IntWinGuestIsSupported(), IntWinGuestKernelHeadersInMemory(), IntWinGuestNew(), IntWinGuestReadKernel(), IntWinGuestResolveImports(), IntWinGuestUninit(), IntWinGuestValidateKernel(), IntWinHalCreateHalData(), IntWinHalFindHalHeapAndInterruptController(), IntWinHalFindInterruptController(), IntWinHalFindPerformanceCounter(), IntWinHalFindPerformanceCounterInternal(), IntWinHalHandleDispatchTableWrite(), IntWinHalHandleHalHeapExec(), IntWinHalHandlePerfCounterModification(), IntWinHalIsIntController(), IntWinHalProtectHalHeapExecs(), IntWinHalProtectHalPerfCounter(), IntWinHalReadHal(), IntWinHalSendPerfCntIntegrityAlert(), IntWinHalUpdateProtection(), IntWinHandleException(), IntWinIdtProtectAll(), IntWinIdtProtectOnCpu(), IntWinIdtProtectOnCpuEpt(), IntWinIdtProtectOnCpuIntegrity(), IntWinIdtSendIntegrityAlert(), IntWinIdtUnprotectAll(), IntWinIdtUnprotectOnCpu(), IntWinIdtUnprotectOnCpuEpt(), IntWinIdtUnprotectOnCpuIntergity(), IntWinInfCheckCtxLoggerOnRelocation(), IntWinInfHookGetCircularCtxLogger(), IntWinInfHookGetCpuClockIntegrityCallback(), IntWinInfHookGetEtwpDebuggerData(), IntWinInfHookGetWmiLoggerGetCpuClock(), IntWinInfHookHookSppWmiGetClock(), IntWinInfHookIntegrityHandleWrite(), IntWinInfHookIntegritySendAlert(), IntWinInfHookProtect(), IntWinInfHookSiloWmiPtrIntegrityCallback(), IntWinInfHookSppHookWmiSiloPtr(), IntWinInfHookSppViolationCallbackWmiPtrChanged(), IntWinIntObjHandleArrayModification(), IntWinIntObjHandleModification(), IntWinIntObjHandleObjectModification(), IntWinIntObjProtect(), IntWinIntObjSendIntegrityAlert(), IntWinIntObjUnprotect(), IntWinIsUmTrapFrame(), IntWinModCacheCreate(), IntWinModFillInjectionData(), IntWinModHandleLoadFromVad(), IntWinModHandleModulePathInMemory(), IntWinModHandleWrite(), IntWinMsrSendAlert(), IntWinNetCheckPartition(), IntWinNetFillTcpStruct(), IntWinNetFindTcpBitmap(), IntWinNetFindTcpObjects(), IntWinNetFindTcpPartition(), IntWinNetGetAddrFam(), IntWinNetGetAddrInfo(), IntWinNetGetListenerAddressInfo(), IntWinNetGetLocalAddr(), IntWinNetGetOwner(), IntWinNetGetPortsAndState(), IntWinNetGetTcpPortPool(), IntWinNetIterateLinkedList(), IntWinNetIterateSlinkedList(), IntWinNetParseTcpBitmap(), IntWinNetParseTcpPartition(), IntWinNetSearchForAlloc(), IntWinNetSendProcessConnections(), IntWinObjCheckDrvDirSearchState(), IntWinObjFindRootDirectory(), IntWinObjGetObjectNameInfo(), IntWinObjGetPoolHeaderForObject(), IntWinObjHandleDirectoryEntryInMemory(), IntWinObjHandleDriverDirectoryEntryInMemory(), IntWinObjHandleObjectInMemory(), IntWinObjHandleRootDirTagInMemory(), IntWinObjIsTypeObject(), IntWinObjParseDriverDirectory(), IntWinPatchVadHandleCommit(), IntWinPfnHandleTranslationChange(), IntWinPfnIsMmPfnDatabase(), IntWinPfnLockAddress(), IntWinPfnModifyRefCount(), IntWinPfnRemoveLock(), IntWinPfnUnlockAddress(), IntWinPoolGetPoolHeaderInPage(), IntWinPowGetRequestedPowerState(), IntWinPowHandleEventCommon(), IntWinPowHandleHibernateEvent(), IntWinProcAdd(), IntWinProcAddProtectedProcess(), IntWinProcChangeProtectionFlags(), IntWinProcCreateProcessObject(), IntWinProcDeleteProcessObject(), IntWinProcEnforceProcessDep(), IntWinProcFillSystemPath(), IntWinProcGetProtectedInfo(), IntWinProcGetProtectedInfoEx(), IntWinProcHandleCopyMemory(), IntWinProcHandleCreateInternal(), IntWinProcHandleTerminate(), IntWinProcIsExploitGuardEnabled(), IntWinProcIsPsActiveProcessHead(), IntWinProcIterateGuestProcesses(), IntWinProcLockCr3(), IntWinProcMapEprocess(), IntWinProcMarkAgent(), IntWinProcPatchCopyMemoryDetour(), IntWinProcPatchPspInsertProcess86(), IntWinProcPatchSpareValue(), IntWinProcPrepareInstrument(), IntWinProcReadCommandLine(), IntWinProcRemoveProcess(), IntWinProcSendDllEvent(), IntWinProcSendProcessEvent(), IntWinProcSendProcessExceptionEvent(), IntWinProcSetUserCr3(), IntWinProcSwapIn(), IntWinProcUninit(), IntWinProcUpdateProtection(), IntWinProcValidateSystemCr3(), IntWinProtectReadNtEat(), IntWinReadSid(), IntWinReadToken(), IntWinSDCheckAclIntegrity(), IntWinSDCheckIntegrity(), IntWinSDCheckSecDescIntegrity(), IntWinSDFetchSecDescAddress(), IntWinSDReadSecDesc(), IntWinSelfMapCheckSelfMapEntry(), IntWinSelfMapDisableSelfMapEntryProtection(), IntWinSelfMapEnableSelfMapEntryProtection(), IntWinSelfMapGetAndCheckSelfMapEntry(), IntWinSelfMapProtectSelfMapIndex(), IntWinSelfMapValidateSelfMapEntries(), IntWinSetUmExceptionEvent(), IntWinStackHandleUserStackPagedOut(), IntWinStackTraceGet(), IntWinStackTraceGet32(), IntWinStackTraceGet64(), IntWinStackTraceGetUser(), IntWinStackUserCheckIsPivoted(), IntWinStackUserTrapFrameGet32(), IntWinStackUserTrapFrameGet64(), IntWinStackUserTrapFrameGetGeneric(), IntWinStackWow64CheckIsPivoted(), IntWinSudCheckIntegrity(), IntWinSudHandleFieldModification(), IntWinSudProtectSudExec(), IntWinThrGetCurrentThread(), IntWinThrGetCurrentTib(), IntWinThrHandleQueueApc(), IntWinThrHandleThreadHijack(), IntWinThrPatchThreadHijackHandler(), IntWinThrPrepareApcHandler(), IntWinTokenCheckCurrentPrivileges(), IntWinTokenCheckIntegrity(), IntWinTokenFetchTokenAddress(), IntWinTokenPrivsHandleSwap(), IntWinTokenPrivsHandleWrite(), IntWinTokenPrivsProtectOnProcess(), IntWinTokenPrivsShouldHook(), IntWinTokenProtectPrivs(), IntWinTokenProtectPrivsInternal(), IntWinTokenPtrCheckIntegrityOnProcess(), IntWinTokenPtrIsStolen(), IntWinTokenUnprotectPrivs(), IntWinUmCheckInitializationInjection(), IntWinUmModCacheFetch(), IntWinUnprotectReadNtEat(), IntWinVadFetchImageName(), IntWinVadFindNodeInGuestSpace(), IntWinVadHandleProtectGeneric(), IntWinVadHandleVirtualProtect(), IntWinVadImportProcessTree(), IntWinVadInOrderRecursiveTraversal(), IntWinVadIsExecSuspicious(), IntWinVadIsInTree(), IntWinVadMapShortVad(), IntWinVadPatchDeleteVaRange(), IntWinVadPatchFinishVadDeletion(), IntWinVadPatchInsert(), IntWinVadPatchInsertMap(), IntWinVadPatchInsertPrivate(), IntWinVadPatchVirtualProtect(), IntWinVadProcImportMainModuleVad(), IntWinVadRescanVad(), IntWinVadShortDump(), IntWinVadStaticInsertNodeIntoProcess(), IsInitializationDone(), and ShouldIgnoreInjection().
| LINUX_GUEST* gLixGuest |
Global variable holding the state of a Linux guest.
This is not dynamically allocated. It points to the _LinuxGuest field of the gGuest variable. Its value is set by IntLixGuestNew.
Definition at line 30 of file lixguest.c.
Referenced by IntCamiLoadLinux(), IntCamiLoadOpaqueFields(), IntCamiLoadProtOptionsLinux(), IntDetCallCallback(), IntDetCreateObjectLix(), IntDetHandleWrite(), IntDetIsPtrInHandler(), IntExceptLixKernelIsMemoryFunc(), IntExceptVerifyVersionOsSignature(), IntGuestGetInfo(), IntGuestUninit(), IntKsymInitAbsolute(), IntKsymRelativeFindOffsetTableEnd(), IntKsymRelativeFindOffsetTableStart(), IntLixAgentFillDataFromMemory(), IntLixAgentFindInstruction(), IntLixAgentMatchVersion(), IntLixAgentThreadInject(), IntLixApiHookAll(), IntLixApiUpdateHooks(), IntLixCrashDumpDmesg(), IntLixDepInjectFile(), IntLixDepInjectProcess(), IntLixDrvCreateKernel(), IntLixDrvFindList(), IntLixDrvHandleWrite(), IntLixDrvIsActivePatch(), IntLixDrvIterateList(), IntLixDrvSendViolationEvent(), IntLixDumpStacktrace(), IntLixGetInitTask(), IntLixHookKernelRead(), IntLixHookKernelWrite(), IntLixKernelHandleRead(), IntLixMmGetInitMm(), IntLixPatchSwapgs(), IntLixTaskCreate(), IntLixTaskGetCurrentTaskStruct(), IntLixTaskHandleDoExit(), IntLixTaskHandleExec(), IntLixTaskIterateThreadGroup(), IntLixTaskIterateThreadNode(), IntLixVdsoDynamicProtect(), IntLixVdsoDynamicProtectNonRelocate(), IntLixVdsoDynamicProtectRelocate(), IntLixVdsoFixedProtect(), IntLixVdsoResolveDynamicOffset(), and IntThrSafeLixInspectWaitingThread().
| VCPU_STATE* gVcpu |
The state of the current VCPU.
Since all events are serialized, we will always have only one current VCPU, it is safe to have this as a global variable. Set by every event handler. Will point to one entry from gGuest.VcpuArray.
Definition at line 59 of file guests.c.
Referenced by DbgCrWriteTestCallback(), DbgLogCurrentProcess(), IntAlertCoreGetFlags(), IntAlertEptFillFromVictimZone(), IntAlertFillCpuContext(), IntAlertFillExecContext(), IntAlertFillLixCurrentProcess(), IntAlertProcGetFlags(), IntApiEnter(), IntCr0Read(), IntCr3Read(), IntCr4Read(), IntCr8Read(), IntCrLixHandleWrite(), IntDecEmulatePTWrite(), IntDecEmulateRead(), IntDetCallCallback(), IntDetGetArgumentInternal(), IntDetGetArguments(), IntDetPatchArgument(), IntDetSetReturnValue(), IntDisableIntro(), IntDispatchPtAsEpt(), IntDispatchVeAsEpt(), IntDriverLoadHandler(), IntDriverUnloadHandler(), IntDtrHandleWrite(), IntDumpCodeAndRegs(), IntEngFillExecDetails(), IntExceptGetVictimEpt(), IntExceptKernelGetOriginator(), IntExceptLixKernelGetOriginator(), IntExceptUserGetExecOriginator(), IntExceptUserHandleMemoryFunctions(), IntExceptUserLogInformation(), IntExceptVerifyCodeBlocksSig(), IntExceptVerifyValueCodeSig(), IntExceptWinKernelGetOriginator(), IntFindKernelPcr(), IntGetCurrentInstructionLength(), IntGetCurrentInstructionMnemonic(), IntGetGprs(), IntHandleBreakpoint(), IntHandleCowOnPage(), IntHandleCrWrite(), IntHandleDtrViolation(), IntHandleEptViolation(), IntHandleEventInjection(), IntHandleFetchRetryOnPageBoundary(), IntHandleIntroCall(), IntHandleMemAccess(), IntHandleMsrViolation(), IntHandleTimer(), IntHandleXcrWrite(), IntHookCrRemoveHook(), IntHookDtrRemoveHook(), IntHookMsrRemoveHook(), IntHookPtwEmulateWrite(), IntHookPtwProcessWrite(), IntHookXcrRemoveHook(), IntLixAccessRemoteVmHandler(), IntLixAgentCreateThreadCompletion(), IntLixAgentCreateThreadHypercall(), IntLixAgentError(), IntLixAgentExit(), IntLixAgentHandleBreakpoint(), IntLixAgentHandleInt3(), IntLixAgentHandleKernelVmcall(), IntLixAgentHandleUserVmcall(), IntLixAgentHandleVmcall(), IntLixAgentStart(), IntLixAgentThreadError(), IntLixAgentThreadHandleBreakpoint(), IntLixCommitCredsHandle(), IntLixCrashHandle(), IntLixDepDeployFileHypercall(), IntLixDrvIsLegitimateTextPoke(), IntLixDumpStacktrace(), IntLixGuestAgentContentHandler(), IntLixGuestAllocateFill(), IntLixGuestDetourDataHandler(), IntLixGuestInitAgentCompletion(), IntLixIdtWriteHandler(), IntLixJumpLabelHandler(), IntLixKernelHandleRead(), IntLixPatchHandler(), IntLixTaskGetCurrentTaskStruct(), IntLixTaskHandleDoExit(), IntLixTaskHandleExec(), IntLixTaskHandleFork(), IntLixTaskHandleInjection(), IntLixTaskHandlePtrace(), IntLixTaskHandleVmRw(), IntLixVdsoHandleKernelModeWrite(), IntLixVdsoHandleUserModeWrite(), IntLixVdsoHandleWrite(), IntLixVdsoHandleWriteCommon(), IntLixVmaAdjust(), IntLixVmaChangeProtection(), IntLixVmaExpandDownwards(), IntLixVmaHandlePageExecution(), IntLixVmaInsert(), IntLixVmaRemove(), IntLogGuestRegisters(), IntLogProcessInfo(), IntLogStackTrace(), IntMemClkHandleRead(), IntMtblCheckAccess(), IntMtblPatchInstruction(), IntProcessDebugCommand(), IntPtiHandleExecute(), IntPtiHandleInt3(), IntPtiHandleWrite(), IntPtiInspectInstruction(), IntPtiRemoveInstruction(), IntRipRead(), IntRtlpVirtualUnwindCheckAccess(), IntSerializeArchRegs(), IntSerializeRipCode(), IntSetGprs(), IntSwapMemCancelPendingPF(), IntSwapMemHandleBreakpointAgent(), IntSwapMemInjectPendingPF(), IntThrSafeInspectRunningThreads(), IntThrSafeIsStackPtrInIntro(), IntTranslateVirtualAddressEx(), IntUnpPageExecuteCallback(), IntValidatePageRights(), IntValidatePageRightsEx(), IntValidateTranslation(), IntVasPageTableWriteCallback(), IntVeFindKernelKvaShadowAndKernelExit(), IntVeHandleAccess(), IntVeHandleEPTViolationInProtectedView(), IntVeHandleHypercall(), IntVeIsCurrentRipInAgent(), IntWinAgentActivatePendingAgent(), IntWinAgentHandleDriverVmcall(), IntWinAgentHandleInt3(), IntWinAgentHandleVmcall(), IntWinBcHandleBugCheck(), IntWinCrashHandleDepViolation(), IntWinDagentSendDoubleAgentAlert(), IntWinDpiGetProcessDebugFlag(), IntWinDpiValidateThreadStart(), IntWinDrvHandleDriverEntry(), IntWinDrvHandleRead(), IntWinDrvObjHandleWrite(), IntWinDrvObjSendEptAlert(), IntWinDrvSendAlert(), IntWinGuestFindIdleCr3(), IntWinHalHandleHalHeapExec(), IntWinHalSendAlert(), IntWinHandleException(), IntWinIdtWriteHandler(), IntWinInfHookEptSppHandleWrite(), IntWinInfHookEptSppSendAlert(), IntWinInfHookHandleSiloFirstWrite(), IntWinInfHookSppViolationCallbackWmiPtrChanged(), IntWinLogVAInfo(), IntWinModBlockHandleExecution(), IntWinModFillInjectionData(), IntWinModHandleKernelWrite(), IntWinModHandleUserWrite(), IntWinModHandleWrite(), IntWinModPolyHandler(), IntWinPowGetRequestedPowerState(), IntWinProcHandleCopyMemory(), IntWinProcHandleCreate(), IntWinProcHandleCreateInternal(), IntWinProcHandleInstrument(), IntWinSelfMapHandleCr3SelfMapWrite(), IntWinSetUmExceptionEvent(), IntWinStackHandleUserStackPagedOut(), IntWinStackUserCheckIsPivoted(), IntWinSudHandleKernelSudExec(), IntWinSudHandleSudExec(), IntWinSudHandleUserSudExec(), IntWinSudSendSudExecAlert(), IntWinThrGetCurrentStackBaseAndLimit(), IntWinThrGetCurrentTib(), IntWinThrHandleQueueApc(), IntWinThrHandleThreadHijack(), IntWinTokenPrivsHandleWrite(), IntWinTokenPrivsSendEptAlert(), IntWinVadHandleCommit(), IntWinVadHandleDeleteVaRange(), IntWinVadHandleFinishVadDeletion(), IntWinVadHandleInsertMap(), IntWinVadHandleInsertPrivate(), IntWinVadHandlePageExecution(), and IntWinVadIsExecSuspicious().
| WINDOWS_GUEST* gWinGuest |
Global variable holding the state of a Windows guest.
This is not dynamically allocated. It points to the _WindowsGuest field of the gGuest variable. Its value is set by IntWinGuestNew.
Definition at line 37 of file winguest.c.
Referenced by DbgDumpGuestModules(), DbgDumpPfn(), IntAlertEptFillFromVictimZone(), IntCamiLoadOpaqueFields(), IntCamiLoadWindows(), IntDetSetHook(), IntExceptGetVictimEpt(), IntExceptWinKernelGetOriginator(), IntGuestGetInfo(), IntGuestUninit(), IntMtblCheckAccess(), IntPeFindKernelExport(), IntPtiMonitorAllPtWriteCandidates(), IntSlackAllocWindows(), IntSwapgsStartMitigation(), IntThrSafeCheckThreads(), IntWinAgentFindInstruction(), IntWinAgentFindPropperSyscall(), IntWinAgentFindSyscallLinkage(), IntWinAgentHandleDriverVmcall(), IntWinAgentInject(), IntWinApiFindFunctionRva(), IntWinDrvHeadersInMemory(), IntWinDrvIterateLoadedModules(), IntWinGuestFindDriversNamespace(), IntWinHalFindPerformanceCounterInternal(), IntWinInfHookGetEtwpDebuggerData(), IntWinObjCheckDrvDirSearchState(), IntWinObjFindRootDirectory(), IntWinObjHandleRootDirTagInMemory(), IntWinObjParseDriverDirectory(), IntWinPfnModifyRefCount(), IntWinProcIterateGuestProcesses(), IntWinProcMapEprocess(), and IntWinStackTraceGet64().
1.8.13