#define SHEMU_SHELLCODE_SIZE 0x2000
#define SHEMU_STACK_SIZE 0x2000
#define SHEMU_MAX_INSTRUCTIONS 256
for (DWORD cpuIndex = 0; cpuIndex < gGuest.CpuCount; cpuIndex++)
CPU_STATE
The various states in which a VCPU can be.
QWORD GdtBase
Original GDT base.
DWORD EptpIndex
The index of the current loaded EPT.
BOOLEAN SupportDTR
Set to True if support for DTR access exits was detected.
struct _PTEMU_BUFFER * PPTEMU_BUFFER
void IntGuestSetIntroErrorState(INTRO_ERROR_STATE State, INTRO_ERROR_CONTEXT *Context)
Updates the value of the gErrorState and the value of the gErrorStateContext.
Commit all the MSR hooks.
BOOLEAN SingleStep
True if the VCPU is currently single-stepping the current instruction.
BYTE Vector
The injected exception number.
BOOLEAN PtContext
Set to True if we are in the context of a PT filter VMCALL.
WINDOWS_GUEST * gWinGuest
Global variable holding the state of a Windows guest.
IG_ARCH_REGS Regs
The current state of the guest registers.
DWORD Index
The VCPU number.
SHEMU_CONTEXT Shemucontext
Shellcode emulator context.
BOOLEAN Initialized
True if the VCPU is initialized and used by the guest, False if it is not.
INTSTATUS IntGuestDisableIntro(QWORD Flags)
Disables and unloads the introspection engine.
Handling an event injection.
QWORD SystemCr3
The Cr3 used to map the kernel.
#define INT_STATUS_SUCCESS
void * IdtIntegrityObject
The integrity region used to protect the IDT.
DWORD KernelSize
The size of the kernel.
CR_HOOK_STATE * CrHooks
CR hook state.
struct _GUEST_STATE GUEST_STATE
Describes a guest.
WORD IdtLimit
The current IDT limit.
BOOLEAN SysprocBetaDetections
True if the system process protection is in beta (log-only) mode.
QWORD AllowOnExecRip
The RIP which was allowed to execute on an exec violation.
BOOLEAN RepOptDisabled
The state of the rep optimization feature.
BOOLEAN Initialized
True if this structure was initialized and can be used.
QWORD Feedback
Options that will be forced to feedback only mode.
BOOLEAN ShutDown
PRE_RET_OPTIONS
Flags that control the behavior of IntGuestPreReturnCallback.
struct _PTWRITE_CACHE PTWRITE_CACHE
Will contain the last successfully written page-table entry. This will be used by newly placed hooks ...
BOOLEAN ProtectionActivated
#define SHEMU_SHELLCODE_SIZE
The shell code buffer size. It should be at least 2 pages in size.
void * IdtHookObject
The EPT hook object used to protect the IDT.
QWORD ExitAccess
The access type for which the EPT violation was generated.
struct _VCPU_STATE VCPU_STATE
Structure encapsulating VCPU-specific information.
BOOLEAN SafeToApplyOptions
True if the current options can be changed dynamically.
void IntGuestPrepareUninit(void)
Prepares introcore to be unloaded.
QWORD Gla
The guest linear address for which the buffer is filled.
int INTSTATUS
The status data type.
BOOLEAN Partial
True if the write is partial and not the entire page table entry is modified.
DWORD OSVersion
OS version.
BOOLEAN AllowOnExec
True if we returned introGuestAllowed on an execution alert.
#define INT_STATUS_NOT_FOUND
BOOLEAN BootstrapAgentAllocated
True if the slack space for the bootstrap agent has been allocated.
BOOLEAN SupportVMFUNC
Set to True if support for VMFUNC was detected.
QWORD IntroActiveEventId
The event ID on which introcore became active.
WINDOWS_GUEST _WindowsGuest
Windows specific information. Valid when OSType is introGuestWindows.
PVCPU_STATE VcpuArray
Array of the VCPUs assigned to this guest. The index in this array matches the VCPU number...
BOOLEAN Valid
True if Data is valid, False if it is not.
INTRO_GUEST_TYPE OSType
The type of the guest.
BOOLEAN VeAgentWaiting
True if the #VE agent was not yet injected, but it should be.
INSTRUX Instruction
The current instruction, pointed by the guest RIP.
Commit all the memory hooks.
BOOLEAN Emulated
True if the access was already emulated; False if it was not emulated.
QWORD Cr4
Cr4 value used when deducing the paging mode.
struct _GUEST_STATE * PGUEST_STATE
PVECPU VeInfoPage
Pointer to the VEINFO page used for this VCPU.
Describes a kernel driver.
QWORD Beta
Options that were forced to beta (log-only) mode.
MSR_HOOK_STATE * MsrHooks
MSR hook state.
struct _INTRO_PROT_OPTIONS INTRO_PROT_OPTIONS
Describes options for this guest.
BOOLEAN PtFilterWaiting
True if the in-guest PT filter was not yet injected, but it should be.
DWORD AccessSize
The size of the memory access. Valid only for EPT exits.
BOOLEAN IntGuestShouldNotifyErrorState(void)
Checks if an event should be sent to the integrator.
BOOLEAN KptiActive
True if KPTI is enabled on this guest, False if it is not.
struct _PATCH_BUFFER * PPATCH_BUFFER
This file is common between the VE driver and the introspection engine.
BOOLEAN SupportSPP
Set to True if support for SPP was detected.
INTSTATUS IntGuestGetLastGpa(QWORD *MaxGpa)
Get the upper limit of the guest physical memory range.
The context of an error state.
EXCEPTIONS * Exceptions
The exceptions that are currently loaded.
QWORD AllowOnExecGpa
The GPA which was allowed to execute on an exec violation.
INTSTATUS IntGuestPreReturnCallback(DWORD Options)
Handles all the operations that must be done before returning from a VMEXIT event handler...
struct _VCPU_STATE * PVCPU_STATE
BOOLEAN PaeEnabled
True if Physical Address Extension is enabled.
QWORD New
The new, to be written, value of the page table entry.
XCR_HOOK_STATE * XcrHooks
XCR hook state.
CPU_STATE State
The state of this VCPU. Describes what action is the VCPU currently doing.
Reinject the #VE or PT filtering agent, based on the active options.
BOOLEAN Guest64
True if this is a 64-bit guest, False if it is a 32-bit guest.
QWORD Current
The currently used options.
QWORD Old
The old, original, value of the written page table entry.
struct _PTWRITE_CACHE * PPTWRITE_CACHE
PTWRITE_CACHE PtWriteCache
The last written PT entry.
Handling a breakpoint (int3).
QWORD IdtBase
Original IDT base.
struct _PATCH_BUFFER PATCH_BUFFER
Contains information about the patch buffer.
void * GpaCache
The currently used GPA cache.
BOOLEAN GuestInitialized
True if the OS-specific portion has been initialized.
QWORD Gpa
The accessed guest physical address. Valid only for EPT exits.
INFO_UD_PENDING * CurrentUD
The currently pending #UD injection on this CPU.
Describes the internal exceptions data.
QWORD ExitGpa
The accessed guest physical address, for which the EPT violation was generated.
QWORD KernelVa
The guest virtual address at which the kernel image is loaded.
struct _PTEMU_BUFFER PTEMU_BUFFER
Contains information about the buffer used to emulate page table writes.
BYTE WordSize
Guest word size. Will be 4 for 32-bit guests and 8 for 64-bit guests.
DWORD RepOptsDisableCount
The number of times the rep optimizations have been disabled.
QWORD Cr2
The Cr2 value. Valid only if Vector is 14 (Page Fault).
INTRO_ERROR_STATE IntGuestGetIntroErrorState(void)
Gets the last reported error-state.
QWORD Xcr0
The value of XCR0. Updated by IntHandleXcrWrite.
DWORD SelfMapIndex
The self map index.
INTSTATUS IntGuestGetIdtFromGla(QWORD Address, QWORD *IdtBase, QWORD *IdtLimit)
Checks if an address is inside one of the guest's IDTs.
QWORD ForceOff
Options that are forcibly disabled.
DTR_HOOK_STATE * DtrHooks
DTR hook state.
DWORD CpuCount
The number of logical CPUs.
INTRO_ERROR_CONTEXT * IntGuestGetIntroErrorStateContext(void)
Gets the last reported error-context appropriate to the error-state.
INTRO_GUEST_TYPE
The type of the introspected operating system.
void * InstructionCache
The currently used instructions cache.
void IntGuestUninit(void)
Completely unloads the introspection engine.
struct _MM MM
Memory information structure.
DWORD ProtectedEptIndex
The EPTP index of the trusted EPT.
void IntGuestUpdateShemuOptions(QWORD NewOptions)
Update shemu options.
BOOLEAN VeInitialized
Set to True if #VE initialization was done.
#define SHEMU_STACK_SIZE
The size of the stack buffer used by shemu.
Holds information about a Windows guest.
QWORD Ia32Efer
The value of the guest IA32 EFER MSR.
QWORD Cr0
Cr0 value used when deducing the paging mode.
MM Mm
Guest memory information, such as paging mode, system Cr3 value, etc.
PATCH_BUFFER PatchBuffer
The patch buffer used to emulate reads.
GUEST_STATE gGuest
The current guest state.
BOOLEAN VeContext
Set to True if we are in the context of the #VE agent.
QWORD ExitGla
The accessed guest linear address, for which the EPT violation was generated.
INTRO_ERROR_STATE
Error states.
DWORD ErrorCode
The error code, for exceptions that have an error code.
QWORD TimerCalls
The number of times the timer callback has been invoked.
INTRO_PROT_OPTIONS ShemuOptions
Flags which describe the way shemu will give detections.
Commit all the XCR hooks.
LINUX_GUEST _LinuxGuest
Linux specific information. Valid when OSType is introGuestLinux.
BOOLEAN KptiInstalled
True if KPTI was detected as installed (not necessarily active).
QWORD Original
The original options as received from GLUE_IFACE.NewGuestNotification. This is updated when GLUE_IFAC...
BOOLEAN SupportVE
Set to True if support for #VE was detected.
BOOLEAN LA57
True if 5-level paging is being used.
PAGING_MODE Mode
The paging mode used by the guest.
DWORD Size
The valid size of the Data buffer.
QWORD TscSpeed
Number of ticks/second of this given guest. Should be the same as the global (physical) one...
KERNEL_DRIVER * KernelDriver
Points to the driver object that describes the kernel image.
BOOLEAN Valid
True if the fields are valid; False if they are not.
VCPU_STATE * gVcpu
The state of the current VCPU.
void IntGuestUpdateCoreOptions(QWORD NewOptions)
Updates Introcore options.
DWORD ActiveCpuCount
The number of CPUs actually used by the guest.
BOOLEAN BugCheckInProgress
BOOLEAN PtFilterFlagRemoved
Set to True if the INTRO_OPT_IN_GUEST_PT_FILTER was given, but it was removed.
BOOLEAN Valid
True if the information in this structure is valid; False if it is not.
QWORD LixProcessGva
The guest virtual address of the running task on the current vCPU (valid only for Linux / thread safe...
INTSTATUS IntGuestGetInfo(PGUEST_INFO GuestInfo)
Get basic information about the guest.
PTEMU_BUFFER PtEmuBuffer
The page table write emulator buffer.
QWORD PcrGla
The guest linear address of the _KPCR structure loaded by this CPU.
DWORD UntrustedEptIndex
The EPTP index of the untrusted EPT.
BYTE Data[ND_MAX_REGISTER_SIZE]
The actual contents of the buffer.
INTRO_PROT_OPTIONS CoreOptions
The activation and protection options for this guest.
QWORD Gla
The accessed guest virtual address. Valid only for EPT exits.
QWORD EventId
EventId for which VCPU_STATE.Regs is valid.
LINUX_GUEST * gLixGuest
Global variable holding the state of a Linux guest.
Inject pending page faults.
Commit all the DTR hooks.
INTSTATUS IntGuestInit(QWORD Options)
Initialize the given guest state.