- Generated by
1.8.13
|
Bitdefender Hypervisor Memory Introspection
|
#include "introcore.h"#include "debugger.h"#include "guests.h"#include "introapi.h"#include "introcpu.h"#include "gpacache.h"#include "winprocess.h"#include "lixprocess.h"Go to the source code of this file.
Data Structures | |
| struct | _MULTI_PAGE_MAP |
| Holds information about page mappings that contain multiple pages. More... | |
Typedefs | |
| typedef struct _MULTI_PAGE_MAP | MULTI_PAGE_MAP |
| Holds information about page mappings that contain multiple pages. More... | |
| typedef struct _MULTI_PAGE_MAP * | PMULTI_PAGE_MAP |
Functions | |
| static BOOLEAN | IsSse42Supported (void) |
| Checks if support for SSE 4.2 is present. More... | |
| void | IntPreinit (void) |
| Initializes the global variables used throughout the project. More... | |
| INTSTATUS | IntInit (GLUE_IFACE *GlueInterface, UPPER_IFACE const *UpperInterface) |
| Initializes introcore. More... | |
| INTSTATUS | IntUninit (void) |
| Disables and uninitializes Introcore. More... | |
| static INTSTATUS | IntVirtMemReadWrite (QWORD VirtualAddress, DWORD Length, QWORD Cr3, void *Buffer, DWORD *RetLength, BOOLEAN Write) |
| Transfers memory between a guest virtual memory range and Introcore. More... | |
| INTSTATUS | IntVirtMemSet (QWORD VirtualAddress, DWORD Length, QWORD Cr3, BYTE Value) |
| static INTSTATUS | IntPhysMemReadWriteAnySize (QWORD PhysicalAddress, DWORD Length, void *Buffer, DWORD *RetLength, BOOLEAN Write) |
| Transfers memory between a guest physical memory range and Introcore. More... | |
| static INTSTATUS | IntPhysMemReadWrite (QWORD PhysicalAddress, DWORD Length, void *Buffer, DWORD *RetLength, BOOLEAN Write) |
| Transfers memory between a guest physical memory range and Introcore, but only for a single memory page. More... | |
| INTSTATUS | IntVirtMemRead (QWORD Gva, DWORD Length, QWORD Cr3, void *Buffer, DWORD *RetLength) |
| Reads data from a guest virtual memory range. More... | |
| INTSTATUS | IntVirtMemWrite (QWORD Gva, DWORD Length, QWORD Cr3, void *Buffer) |
| Writes data to a guest virtual memory range. More... | |
| INTSTATUS | IntKernVirtMemRead (QWORD KernelGva, DWORD Length, void *Buffer, DWORD *RetLength) |
| Reads data from a guest kernel virtual memory range. More... | |
| INTSTATUS | IntKernVirtMemWrite (QWORD KernelGva, DWORD Length, void *Buffer) |
| Writes data to a guest kernel virtual memory range. More... | |
| INTSTATUS | IntPhysicalMemRead (QWORD PhysicalAddress, DWORD Length, void *Buffer, DWORD *RetLength) |
| Reads data from a guest physical memory range, but only for a single page. More... | |
| INTSTATUS | IntPhysicalMemWrite (QWORD PhysicalAddress, DWORD Length, void *Buffer) |
| Writes data to a guest physical memory range, but only for a single page. More... | |
| INTSTATUS | IntPhysicalMemReadAnySize (QWORD PhysicalAddress, DWORD Length, void *Buffer, DWORD *RetLength) |
| Reads data from a guest physical memory range, regardless of how many pages it spans across. More... | |
| INTSTATUS | IntPhysicalMemWriteAnySize (QWORD PhysicalAddress, DWORD Length, void *Buffer) |
| Writes data to a guest physical memory range, regardless of how many pages it spans across. More... | |
| INTSTATUS | IntKernVirtMemFetchQword (QWORD GuestVirtualAddress, QWORD *Data) |
| Reads 8 bytes from the guest kernel memory. More... | |
| INTSTATUS | IntKernVirtMemFetchDword (QWORD GuestVirtualAddress, DWORD *Data) |
| Reads 4 bytes from the guest kernel memory. More... | |
| INTSTATUS | IntKernVirtMemFetchWordSize (QWORD GuestVirtualAddress, void *Data) |
| Reads a guest pointer from the guest kernel memory. More... | |
| INTSTATUS | IntVirtMemFetchQword (QWORD GuestVirtualAddress, QWORD Cr3, QWORD *Data) |
| Reads 8 bytes from the guest memory. More... | |
| INTSTATUS | IntVirtMemFetchDword (QWORD GuestVirtualAddress, QWORD Cr3, DWORD *Data) |
| Reads 4 bytes from the guest memory. More... | |
| INTSTATUS | IntVirtMemFetchWordSize (QWORD GuestVirtualAddress, QWORD Cr3, void *Data) |
| Reads a guest pointer from the guest memory. More... | |
| INTSTATUS | IntKernVirtMemPatchQword (QWORD GuestVirtualAddress, QWORD Data) |
| Writes 8 bytes in the guest kernel memory. More... | |
| INTSTATUS | IntKernVirtMemPatchDword (QWORD GuestVirtualAddress, DWORD Data) |
| Writes 4 bytes in the guest kernel memory. More... | |
| INTSTATUS | IntKernVirtMemPatchWordSize (QWORD GuestVirtualAddress, QWORD Data) |
| Writes a guest pointer inside the guest kernel memory. More... | |
| INTSTATUS | IntVirtMemPatchQword (QWORD GuestVirtualAddress, QWORD Cr3, QWORD Data) |
| Writes 8 bytes in the guest memory. More... | |
| INTSTATUS | IntVirtMemPatchDword (QWORD GuestVirtualAddress, QWORD Cr3, DWORD Data) |
| Writes 4 bytes in the guest memory. More... | |
| INTSTATUS | IntVirtMemPatchWordSize (QWORD GuestVirtualAddress, QWORD Cr3, QWORD Data) |
| Writes a guest pointer inside the guest memory. More... | |
| INTSTATUS | IntVirtMemFetchString (QWORD Gva, DWORD MaxLength, QWORD Cr3, void *Buffer) |
| Reads a NULL-terminated string from the guest. More... | |
| static INTSTATUS | IntMapGpaForTranslation (QWORD Gpa, void **HostPtr) |
| Maps a guest physical address used for memory translation in Introcore address space. More... | |
| static INTSTATUS | IntUnmapGpaForTranslation (QWORD Gpa, void **HostPtr) |
| Unmaps an address that was previously mapped with IntMapGpaForTranslation. More... | |
| static INTSTATUS | IntTranslateVa32 (UINT32 Gva, UINT32 Cr3, VA_TRANSLATION *Translation) |
| Translates a guest virtual address when 32-bit paging is used. More... | |
| static INTSTATUS | IntTranslateVa32Pae (UINT64 Gva, UINT64 Cr3, VA_TRANSLATION *Translation) |
| Translates a guest virtual address when 32-bit PAE paging is used. More... | |
| static INTSTATUS | IntTranslateVa64 (UINT64 Gva, UINT64 Cr3, VA_TRANSLATION *Translation) |
| Translates a guest virtual address when 4-level paging is used. More... | |
| static INTSTATUS | IntTranslateVa64La57 (UINT64 Gva, UINT64 Cr3, VA_TRANSLATION *Translation) |
| Translates a guest virtual address when 5-level paging is used. More... | |
| INTSTATUS | IntTranslateVirtualAddressEx (QWORD Gva, QWORD Cr3, DWORD Flags, VA_TRANSLATION *Translation) |
| Translates a guest virtual address to a guest physical address. More... | |
| INTSTATUS | IntTranslateVirtualAddress (QWORD Gva, QWORD Cr3, QWORD *PhysicalAddress) |
| Translates a guest virtual address to a guest physical address. More... | |
| static INTSTATUS | IntVirtMemMapMultiPage (QWORD GuestVirtualAddress, DWORD Length, QWORD Cr3, void **HostPtr) |
| Maps a guest kernel virtual memory range inside Introcore virtual address space regardless of the number of pages it spans across. More... | |
| __must_check INTSTATUS | IntVirtMemMap (QWORD Gva, DWORD Length, QWORD Cr3, DWORD Flags, void **HostPtr) |
| Maps a guest virtual memory range inside Introcore virtual address space. More... | |
| static BOOLEAN | IntVirtMemUnmapMultiPage (void **HostPtr) |
| Unamps a memory range previously mapped with IntVirtMemMapMultiPage. More... | |
| INTSTATUS | IntVirtMemUnmap (void **HostPtr) |
| Unmaps a memory range previously mapped with IntVirtMemMap. More... | |
| INTSTATUS | IntInjectExceptionInGuest (BYTE Vector, QWORD Cr2, DWORD ErrorCode, DWORD CpuNumber) |
| Injects an exception inside the guest. More... | |
| INTSTATUS | IntPauseVcpus (void) |
| Pauses all the guest VCPUs. More... | |
| INTSTATUS | IntResumeVcpus (void) |
| Resumes the VCPUs previously paused with IntPauseVcpus. More... | |
| void | IntEnterDebugger2 (PCHAR File, DWORD Line) |
| Traps to a debugger. More... | |
| void | IntDbgEnterDebugger2 (PCHAR File, DWORD Line) |
| Traps to a debugger and dumps the Introcore state. More... | |
| BOOLEAN | IntMatchPatternUtf8 (const CHAR *Pattern, const CHAR *String, DWORD Flags) |
| Matches a pattern using glob match. More... | |
| BOOLEAN | IntMatchPatternUtf16 (const WCHAR *Pattern, const WCHAR *String, DWORD Flags) |
| Matches a pattern using glob match. More... | |
| INTSTATUS | IntGuestUninitOnBugcheck (void const *Detour) |
| Prepares Introcore unload in case of a guest crash in order to clean up the code and data injected inside the guestIf the INTRO_OPT_BUGCHECK_CLEANUP activation flag is not set, this function does nothing. Will set BugCheckInProgress inside gGuest to True. More... | |
| BOOLEAN | IntPolicyProcIsBeta (const void *Process, QWORD Flag) |
| Checks if a process protection policy is in log-only mode. More... | |
| BOOLEAN | IntPolicyCoreIsOptionBeta (QWORD Flag) |
| Checks if one of the kernel protection options is in log-only mode. More... | |
| BOOLEAN | IntPolicyProcIsFeedback (const void *Process, QWORD Flag) |
| Checks if a process protection policy is in feedback-only mode. More... | |
| QWORD | IntPolicyGetProcProt (const void *Process) |
| Gets the protection policy for a process. More... | |
| BOOLEAN | IntPolicyCoreTakeAction (QWORD Flag, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason) |
| Returns the action that should be taken for a core introspection option. More... | |
| BOOLEAN | IntPolicyProcTakeAction (QWORD Flag, void const *Process, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason) |
| Returns the action that should be taken for a process protection option. More... | |
| BOOLEAN | IntPolicyProcForceBetaIfNeeded (QWORD Flag, void *Process, INTRO_ACTION *Action) |
| Checks if a forced action should be taken even if the process log-only mode is active. More... | |
| BOOLEAN | IntPolicyCoreForceBetaIfNeeded (QWORD Flag, INTRO_ACTION *Action) |
| Checks if a forced action should be taken even if the log-only mode is active. More... | |
| BOOLEAN | IntPolicyIsCoreOptionFeedback (QWORD Flag) |
| Checks if a core protection option is in feedback-only mode. More... | |
| char * | utf16_for_log (const WCHAR *WString) |
| Converts a UTF-16 to a UTF-8 string to be used inside logging macros. More... | |
| INTSTATUS | IntReadString (QWORD StrGva, DWORD MinimumLength, BOOLEAN AnsiOnly, char **String, DWORD *StringLength) |
| Reads a string from the guest kernel memory. More... | |
Variables | |
| void * | gLock = NULL |
| A lock that ensures that all the events are serialized inside introcore. More... | |
| const INT_VERSION_INFO | IntHviVersion |
| The version of the introcore library. More... | |
| INTRO_ERROR_CONTEXT | gErrorContext = { 0 } |
| Global storage for the error context used by GLUE_IFACE.NotifyIntrospectionErrorState. More... | |
| LIST_HEAD | gMultiPageMaps = LIST_HEAD_INIT(gMultiPageMaps) |
| List of all the currently valid multi page maps. More... | |
| BOOLEAN | gAbortLoad = FALSE |
| Set to True if introcore should abort the initialization process. More... | |
| BOOLEAN | gSse42Supported |
| Set to True if support for SSE 4.2 was detected. More... | |
| BOOLEAN | gInsideDebugger |
| Set to True when introcore is inside a debugger. More... | |
| const QWORD | gByteMaskToBitMask [256] |
| Converts a byte number to a mask having the bits in those bytes set. More... | |
| typedef struct _MULTI_PAGE_MAP MULTI_PAGE_MAP |
Holds information about page mappings that contain multiple pages.
| typedef struct _MULTI_PAGE_MAP * PMULTI_PAGE_MAP |
Traps to a debugger and dumps the Introcore state.
This function should not be used directly, the IntDbgEnterDebugger macro should be used instead.
| [in] | File | NULL-terminated string containing the name of the file from which this function was called |
| [in] | Line | The line number from which this function was called |
Definition at line 2411 of file introcore.c.
Traps to a debugger.
This function should not be used directly, the IntEnterDebugger macro should be used instead.
| [in] | File | NULL-terminated string containing the name of the file from which this function was called |
| [in] | Line | The line number from which this function was called |
Definition at line 2388 of file introcore.c.
| INTSTATUS IntInit | ( | GLUE_IFACE * | GlueInterface, |
| UPPER_IFACE const * | UpperInterface | ||
| ) |
Initializes introcore.
This will validate and initialize the GLUE_IFACE and UPPER_IFACE instances, as well as the gLock lock.
| [in,out] | GlueInterface | The instance of GLUE_IFACE to be used. The part that must be implemented by the integrator must be implemented. Introcore will fill initialize the APIs it exposes. |
| [in] | UpperInterface | The instance of UPPER_IFACE to be used. All the mandatory APIs must be implemented |
Definition at line 186 of file introcore.c.
Injects an exception inside the guest.
Note that even if this function exits with success, there is still no guarantee that the exception was injected inside the guest, as the hypervisor may have other exceptions to inject. In order to be sure that the exception we scheduled was injected, the IntHandleEventInjection callback registered with GLUE_IFACE.RegisterEventInjectionHandler is used.
| [in] | Vector | Vector to be injected |
| [in] | Cr2 | Cr2 value. Ignored if Vector is not 14 (page fault) |
| [in] | ErrorCode | The error code of the exception. Ignored for exceptions that do not have an error code |
| [in] | CpuNumber | The CPU on which the exception should be injected. IG_CURRENT_VCPU is not a valid value |
| INT_STATUS_SUCCESS | in case of success |
| INT_STATUS_INVALID_PARAMETER_4 | is the CPU number is not valid |
| INT_STATUS_ALREADY_INITIALIZED | if an exception is already scheduled on the specified CPU |
Definition at line 2264 of file introcore.c.
Referenced by DbgInjectPf(), IntHandleCowOnPage(), IntHandleFetchRetryOnPageBoundary(), IntLixVmaHandlePageExecution(), IntSwapMemHandleBreakpointAgent(), IntSwapMemInjectPendingPF(), IntWinModBlockHandleExecution(), IntWinSudHandleSudExec(), and IntWinVadHandlePageExecution().
Reads 4 bytes from the guest kernel memory.
| [in] | GuestVirtualAddress | Virtual address from which to read |
| [out] | Data | Data read from the guest |
Definition at line 829 of file introcore.c.
Referenced by DbgDumpGuestModules(), IntKsymRelativeFindOffsetTableEnd(), IntLixCommitCredsHandle(), IntLixCrashDumpDmesg(), IntLixDrvCreateFromAddress(), IntLixGuestGetSystemState(), IntLixGuestIsKptiActive(), IntLixNetIterateTaskConnections(), IntLixTaskActivateExploitProtection(), IntLixTaskCreateFromBinprm(), IntLixTaskCreateInitTask(), IntLixTaskDumpKernelThreadTree(), IntLixTaskDumpTree(), IntLixTaskIterateThreadGroup(), IntLixTaskIterateThreadNode(), IntLogStackTrace(), IntPeFindExportByName(), IntPeFindExportByOrdinal(), IntPeGetExportNameByRva(), IntPeGetRuntimeFunction(), IntThrSafeLixInspectWaitingThread(), IntWinBcHandleBugCheck(), IntWinDrvHandleDriverEntry(), IntWinDrvIterateLoadedModules(), IntWinDrvObjCreateFromAddress(), IntWinGetAccessTokenFromProcess(), IntWinGetAccesTokenFromThread(), IntWinGuestFetchProductType(), IntWinGuestIsIncreasedUserVa(), IntWinGuestResolveImports(), IntWinModFillInjectionData(), IntWinNetCheckPartition(), IntWinNetFindTcpBitmap(), IntWinNetGetTcpPortPoolFromCompartment(), IntWinNetSearchForAlloc(), IntWinProcDeleteProcessObject(), IntWinProcHandleTerminate(), IntWinReadToken(), IntWinStackTraceGet32(), and IntWinStackUserTrapFrameGetGeneric().
Reads 8 bytes from the guest kernel memory.
| [in] | GuestVirtualAddress | Virtual address from which to read |
| [out] | Data | Data read from the guest |
Definition at line 811 of file introcore.c.
Referenced by DbgDumpGuestModules(), DbgDumpVadRoot(), IntKsymRelativeFindOffsetTableEnd(), IntLixCrashDumpDmesg(), IntLixDrvIterateList(), IntLixFileGetDentry(), IntLixFileGetPath(), IntLixGetInitTask(), IntLixGuestNew(), IntLixJumpLabelHandler(), IntLixMmFindVmaInLinkedList(), IntLixMmFindVmaInRbTree(), IntLixMmGetInitMm(), IntLixMmListVmasInternal(), IntLixMmPopulateVmasInternal(), IntLixNetFileIsSocket(), IntLixNetGetConnectionFromSocket(), IntLixNetIterateTaskConnections(), IntLixStackTraceGet(), IntLixStackTraceGetReg(), IntLixTaskActivateExploitProtection(), IntLixTaskCreate(), IntLixTaskCreateInitTask(), IntLixTaskDeactivateExploitProtection(), IntLixTaskFetchMm(), IntLixTaskGetCurrentTaskStruct(), IntLixTaskGetTrapFrame(), IntLixTaskIsUserStackPivoted(), IntLixTaskIterateGuestTasks(), IntLixTaskIterateThreadGroup(), IntLixTaskIterateThreadNode(), IntLixTaskSendCredViolationEvent(), IntLixVdsoFetchAddress(), IntLixVdsoResolveDynamicOffset(), IntLixVdsoResolveImageAddress(), IntLixVmaChangeProtection(), IntLixVmaExpandDownwards(), IntLogStackTrace(), IntStackAnalyzePointer(), IntThrSafeLixGetCurrentStack(), IntThrSafeLixInspectWaitingThread(), IntVmaMarkProtection(), IntWinBcHandleBugCheck(), IntWinDrvIsListHead(), IntWinDrvIterateLoadedModules(), IntWinGetAccessTokenFromProcess(), IntWinGetAccesTokenFromThread(), IntWinGetStartUpTime(), IntWinGuestFindKernelObjects(), IntWinModFillInjectionData(), IntWinPfnIsMmPfnDatabase(), IntWinProcCreateProcessObject(), IntWinProcHandleTerminate(), IntWinReadToken(), IntWinStackTraceGet64(), and IntWinStackUserTrapFrameGetGeneric().
Reads a guest pointer from the guest kernel memory.
| [in] | GuestVirtualAddress | Virtual address from which to read |
| [out] | Data | Data read from the guest. Must be at least 8 bytes long for 64-bit guests, and at least 4 bytes long for 32-bit guests. |
Definition at line 847 of file introcore.c.
Referenced by IntWinDpiValidateThreadStart(), IntWinDrvObjCreateFromAddress(), IntWinHalFindPerformanceCounterInternal(), IntWinHalIsHalPerf(), IntWinIntObjHandleModification(), IntWinIntObjProtect(), IntWinModFillProcessInjectionData(), IntWinNetGetLocalAddr(), IntWinNetGetTcpPortPoolFromCompartment(), IntWinNetIterateLinkedList(), IntWinNetIterateSlinkedList(), IntWinNetParseTcpBitmap(), IntWinNetParseTcpPartition(), IntWinProcIsPsActiveProcessHead(), IntWinStackHandleUserStackPagedOut(), IntWinThrIterateThreads(), IntWinTokenPrivsHandleSwap(), and IntWinTokenPrivsHandleWrite().
Writes 4 bytes in the guest kernel memory.
| [in] | GuestVirtualAddress | Virtual address at which the write is done |
| [out] | Data | Data to write inside the guest |
Definition at line 950 of file introcore.c.
Referenced by IntPtiDeliverDriverForLoad().
Writes 8 bytes in the guest kernel memory.
| [in] | GuestVirtualAddress | Virtual address at which the write is done |
| [out] | Data | Data to write inside the guest |
Definition at line 932 of file introcore.c.
Referenced by IntDetDisableLixHypercall(), IntLixApiUpdateHooks(), IntLixTaskActivateExploitProtection(), IntLixTaskDeactivateExploitProtection(), IntPtiDeliverDriverForLoad(), and IntVmaMarkProtection().
Writes a guest pointer inside the guest kernel memory.
For 64-bit guests, this will write 8 bytes. For 32-bit guests, this will write 4 bytes.
| [in] | GuestVirtualAddress | Virtual address at which the write is done |
| [out] | Data | Data to write inside the guest. For 32-bit guests, only the low 32-bits will be written. |
Definition at line 968 of file introcore.c.
Reads data from a guest kernel virtual memory range.
Similar to IntVirtMemRead, but will always use the system Cr3 saved in gGuest.
| [in] | KernelGva | The start of the guest virtual memory range |
| [in] | Length | The size of the memory range |
| [out] | Buffer | Buffer in which data will be read. Must be at least Length bytes in size. |
| [out] | RetLength | The size we managed to read. In case of success, it will always be equal to Length. May be NULL. |
Definition at line 674 of file introcore.c.
Referenced by DbgDumpCodeblocks(), DbgDumpGuestModules(), DbgTestRead(), IntDetCallCallback(), IntDetCreateObjectLix(), IntDetGetArgumentInternal(), IntDetGetArguments(), IntDetRelocate(), IntDetSetHook(), IntDetSetLixHook(), IntExceptGetVictimEpt(), IntFindKernelPcr(), IntGuestDetectOsSysCall(), IntIdtGetEntry(), IntKernVirtMemFetchDword(), IntKernVirtMemFetchQword(), IntKernVirtMemFetchWordSize(), IntKsymFindIndexesTableStart(), IntKsymInit(), IntLixAgentFindInstruction(), IntLixDentryGetName(), IntLixDrvIsLegitimateTextPoke(), IntLixFileReadDentry(), IntLixGetInitTask(), IntLixGuestIsKptiActive(), IntLixNetFileIsSocket(), IntLixNetGetConnectionFromSocket(), IntLixPatchHandler(), IntLixPatchSwapgs(), IntLixTaskCreateInitTask(), IntLixTaskDumpTree(), IntLixTaskGetTrapFrame(), IntLogContextRecord(), IntLogExceptionRecord(), IntLogTrapFrame(), IntMtblPatchInstruction(), IntPeFindExportByName(), IntPeFindExportByOrdinal(), IntPeFindExportByRva(), IntPeFindFunctionByPattern(), IntPeGetExportNameByRva(), IntPeGetRuntimeFunction(), IntPeGetSectionHeaderByIndex(), IntPtiRemoveInstruction(), IntReadString(), IntRtlpVirtualUnwindCheckAccess(), IntSlackAllocWindows(), IntStackAnalyzePointer(), IntThrSafeWinGetCurrentStack(), IntVeDeliverDriverForLoad(), IntVeFindKernelKvaShadowAndKernelExit(), IntWinAgentActivatePendingAgent(), IntWinAgentFindInstruction(), IntWinAgentHandleDriverVmcall(), IntWinAgentHandleLoader1Hypercall(), IntWinAgentInjectTrampoline(), IntWinAgentRestoreState32(), IntWinAgentRestoreState64(), IntWinApiHookVeHandler(), IntWinCrashHandleDepViolation(), IntWinDpiGetProcessDebugFlag(), IntWinDrvCreateFromAddress(), IntWinDrvHeadersInMemory(), IntWinDrvIsListHead(), IntWinDrvObjCreateFromAddress(), IntWinGuestFindDriversNamespaceNoBuffer(), IntWinGuestFindIdleCr3(), IntWinGuestFindKernelCr3(), IntWinGuestFindKernelObjects(), IntWinGuestReadKernel(), IntWinHalHandleHalHeapExec(), IntWinHalIsIntController(), IntWinHalReadHal(), IntWinHandleException(), IntWinInfCheckCtxLoggerOnRelocation(), IntWinInfHookGetCircularCtxLogger(), IntWinInfHookGetCpuClockIntegrityCallback(), IntWinInfHookGetWmiLoggerGetCpuClock(), IntWinInfHookSiloWmiPtrIntegrityCallback(), IntWinModFillInjectionData(), IntWinNetFindTcpPartition(), IntWinNetGetAddrFam(), IntWinNetGetAddrInfo(), IntWinNetGetLocalAddr(), IntWinNetGetTcpPortPool(), IntWinNetParseTcpBitmap(), IntWinNetParseTcpPartition(), IntWinObjGetObjectNameInfo(), IntWinObjGetPoolHeaderForObject(), IntWinObjHandleRootDirTagInMemory(), IntWinObjIsTypeObject(), IntWinObjParseDriverDirectory(), IntWinPfnIsMmPfnDatabase(), IntWinPowGetRequestedPowerState(), IntWinProcCreateProcessObject(), IntWinProcDumpEgFlags(), IntWinProcEnforceProcessDep(), IntWinProcGetNameFromEprocess(), IntWinProcIsPsActiveProcessHead(), IntWinProcIterateGuestProcesses(), IntWinReadSid(), IntWinReadToken(), IntWinSDReadSecDesc(), IntWinStackUserTrapFrameGetGeneric(), IntWinSudCheckIntegrity(), IntWinSudProtectIntegrity(), IntWinThrGetCurrentThread(), IntWinThrGetCurrentTib(), IntWinThrHandleQueueApc(), IntWinThrHandleThreadHijack(), IntWinVadFetchImageName(), IntWinVadHandleProtectGeneric(), IntWinVadHandleVirtualProtect(), IntWinVadImportProcessTree(), IntWinVadProcImportMainModuleVad(), and IntWinVadRescanVad().
Writes data to a guest kernel virtual memory range.
Similar to IntVirtMemWrite, but will always use the system Cr3 saved in gGuest.
| [in] | KernelGva | The start of the guest virtual memory range |
| [in] | Length | The size of the memory range |
| [out] | Buffer | Buffer with the data to be written. Must be at least Length bytes in size. |
Definition at line 699 of file introcore.c.
Referenced by IntDetSetLixHook(), IntKernVirtMemPatchDword(), IntKernVirtMemPatchQword(), IntKernVirtMemPatchWordSize(), IntLixAgentActivatePendingAgent(), IntLixApiHookAll(), IntLixGuestAllocateDeploy(), IntLixPatchSwapgs(), IntLixUnpatchSwapgs(), IntMemClkUncloakRegionInternal(), IntMtblPatchInstruction(), IntPtiAllocMemtableSpace(), IntRtlpVirtualUnwindCheckAccess(), IntWinAgentRestoreState32(), IntWinAgentRestoreState64(), IntWinDrvObjHandleModification(), IntWinHalHandleDispatchTableWrite(), IntWinHalHandleHalHeapExec(), IntWinHalHandlePerfCounterModification(), IntWinIdtHandleModification(), IntWinInfCheckCtxLoggerOnRelocation(), IntWinInfHookGetCpuClockIntegrityCallback(), and IntWinSudHandleFieldModification().
Maps a guest physical address used for memory translation in Introcore address space.
IntMapGpaForTranslation should be used to free any resources allocated for this mapping.
| [in] | Gpa | Guest physical address to map |
| [out] | HostPtr | On success, will contain a pointer to the mapped address |
Definition at line 1117 of file introcore.c.
Referenced by IntTranslateVa32(), IntTranslateVa32Pae(), IntTranslateVa64(), and IntTranslateVa64La57().
Matches a pattern using glob match.
This function simply converts the input parameters to UTF-8 and uses IntMatchPatternUtf8.
| [in] | Pattern | A NULL-terminated string containing the pattern |
| [in] | String | A NULL-terminated string against which the pattern is matched |
| [in] | Flags | Flags containing the match. Can be 0, in which case a standard glob match is done, or INTRO_MATCH_TRUNCATED, in which case the match will be done up to the first "*" found inside Pattern |
| True | if a match is found |
| False | if a match is not found |
Definition at line 2491 of file introcore.c.
Referenced by IntCamiUpdateProcessProtectionInfoWin(), IntWinProcGetProtectedInfoEx(), and IntWinProcUpdateProtectedProcess().
Matches a pattern using glob match.
| [in] | Pattern | A NULL-terminated string containing the pattern |
| [in] | String | A NULL-terminated string against which the pattern is matched |
| [in] | Flags | Flags containing the match. Can be 0, in which case a standard glob match is done, or INTRO_MATCH_TRUNCATED, in which case the match will be done up to the first "*" found inside Pattern |
| True | if a match is found |
| False | if a match is not found |
Definition at line 2454 of file introcore.c.
Referenced by IntCamiUpdateProcessProtectionInfoLix(), IntCamiUpdateProcessProtectionInfoWin(), IntLixProcUpdateProtectedProcess(), IntLixTaskAdjustProtections(), IntLixTaskShouldProtect(), IntMatchPatternUtf16(), IntWinProcGetProtectedInfo(), IntWinProcGetProtectedInfoEx(), and IntWinProcUpdateProtectedProcess().
| INTSTATUS IntPauseVcpus | ( | void | ) |
Pauses all the guest VCPUs.
If gInsideDebugger is True, the function does nothing. VCPUs should be resumed using the IntResumeVcpus function. It is safe to call this multiple times in a row, but each call must match a IntResumeVcpus call.
Definition at line 2320 of file introcore.c.
Referenced by IntAddRemoveProtectedProcessUtf16(), IntAddRemoveProtectedProcessUtf8(), IntAgentHandleLogGatherVmcall(), IntAgentHandleRemediationVmcall(), IntDetHandleWrite(), IntDisableIntro(), IntDispatchVeAsEpt(), IntEnginesResultCallback(), IntFlushEPTPermissions(), IntGuestDisableIntro(), IntGuestHandleCr3Write(), IntGuestUpdateCoreOptions(), IntHandleBreakpoint(), IntHandleCrWrite(), IntHandleDtrViolation(), IntHandleEptViolation(), IntHandleEventInjection(), IntHandleIntroCall(), IntHandleMsrViolation(), IntHandleTimer(), IntHandleXcrWrite(), IntHookPtsCheckIntegrity(), IntHookPtsInvokeCallbacks(), IntLixAgentActivatePendingAgent(), IntLixApiUpdateHooks(), IntLixGuestInitAgentCompletion(), IntLixGuestInitAgentHypercall(), IntMemClkCloakRegion(), IntMemClkModifyPatchedData(), IntMemClkUncloakRegionInternal(), IntMtblPatchInstruction(), IntPtiDeliverDriverForLoad(), IntPtiDeliverDriverForUnload(), IntPtiDisableFiltering(), IntPtiEnableFiltering(), IntRtlpVirtualUnwindCheckAccess(), IntSwapgsStartMitigation(), IntVasHookTables(), IntVeCompleteLoader(), IntVeDeliverDriverForLoad(), IntVeDeliverDriverForUnload(), IntVeUnhookVeAgent(), IntWinAgentActivatePendingAgent(), IntWinAgentDeployWinDriver(), IntWinAgentHandleDriverVmcall(), IntWinAgentRemove(), IntWinDrvObjHandleModification(), IntWinGuestKernelHeadersInMemory(), IntWinGuestSectionInMemory(), IntWinHalHandlePerfCounterModification(), IntWinHalSectionInMemory(), IntWinIdtHandleModification(), IntWinInfCheckCtxLoggerOnRelocation(), IntWinInfHookGetCpuClockIntegrityCallback(), IntWinIntObjHandleArrayModification(), IntWinIntObjHandleObjectModification(), IntWinPowDisableSpinWait(), IntWinPowEnableSpinWait(), IntWinProcValidateSystemCr3(), IntWinSDCheckAclIntegrity(), IntWinSDCheckSecDescIntegrity(), IntWinSudHandleFieldModification(), IntWinTokenPtrCheckIntegrityOnProcess(), and IntWinVadHandleDeleteGeneric().
| INTSTATUS IntPhysicalMemRead | ( | QWORD | PhysicalAddress, |
| DWORD | Length, | ||
| void * | Buffer, | ||
| DWORD * | RetLength | ||
| ) |
Reads data from a guest physical memory range, but only for a single page.
| [in] | PhysicalAddress | The start of the guest physical memory range |
| [in] | Length | The size of the memory range |
| [out] | Buffer | Buffer in which data will be read. Must be at least Length bytes in size. |
| [out] | RetLength | The size we managed to read. In case of success, it will always be equal to Length. May be NULL. |
Definition at line 721 of file introcore.c.
Referenced by IntHookPtsDumpPtsEntry(), IntMemClkHashRegion(), IntShcIsSuspiciousCode(), IntWinSelfMapCheckSelfMapEntry(), and IntWinSelfMapGetAndCheckSelfMapEntry().
| INTSTATUS IntPhysicalMemReadAnySize | ( | QWORD | PhysicalAddress, |
| DWORD | Length, | ||
| void * | Buffer, | ||
| DWORD * | RetLength | ||
| ) |
Reads data from a guest physical memory range, regardless of how many pages it spans across.
This is useful when reading contents from large pages, for example.
| [in] | PhysicalAddress | The start of the guest physical memory range |
| [in] | Length | The size of the memory range |
| [out] | Buffer | Buffer in which data will be read. Must be at least Length bytes in size. |
| [out] | RetLength | The size we managed to read. In case of success, it will always be equal to Length. May be NULL. |
Definition at line 764 of file introcore.c.
Referenced by IntSwapMemPageSwappedIn(), and IntSwapMemReadData().
Writes data to a guest physical memory range, but only for a single page.
| [in] | PhysicalAddress | The start of the guest physical memory range |
| [in] | Length | The size of the memory range |
| [out] | Buffer | Buffer that contains the data to be written. Must be at least Length bytes in size. |
Definition at line 744 of file introcore.c.
Referenced by IntMemClkHandleSwap(), and IntWinSudHandleSudExec().
Writes data to a guest physical memory range, regardless of how many pages it spans across.
This is useful when writing to large pages, for example.
| [in] | PhysicalAddress | The start of the guest physical memory range |
| [in] | Length | The size of the memory range |
| [out] | Buffer | Buffer that contains the data to be written. Must be at least Length bytes in size. |
Definition at line 789 of file introcore.c.
|
static |
Transfers memory between a guest physical memory range and Introcore, but only for a single memory page.
This function will copy the contents of a physical memory page to a designated buffer, or a designated buffer inside a physical memory page. It will not work if the memory range spans across multiple pages. If it returns INT_STATUS_SUCCESS, for write operations, the memory range will contain Length bytes from Buffer; for read operations, Buffer will contain Length bytes from the physical address range. If RetLength is not NULL, it will contain the value Length. If it doesn't return INT_STATUS_SUCCESS, RetLength will contain the number of bytes successfully transferred (which will most likely be less than Length).
| [in] | PhysicalAddress | The start of the physical memory range |
| [in] | Length | The size of the physical memory range |
| [in,out] | Buffer | If Write is True, the buffer from which contents will be copied inside the guest's memory. If Write is False, the buffer in which the contents of the guest memory will be copied to. Must be at least Length bytes in size. |
| [out] | RetLength | The actual size that we managed to transfer from the guest to Introcore. If INT_STATUS_SUCCES is returned, this will be equal to Length. May be NULL. |
| [in] | Write | True for write operations, False for read operations. |
| INT_STATUS_SUCCESS | in case of success |
| INT_STATUS_INVALID_PARAMETER_1 | if the physical memory range spans across multiple pages |
| INT_STATUS_INVALID_PARAMETER_2 | is Length is 0 |
Definition at line 548 of file introcore.c.
Referenced by IntPhysicalMemRead(), and IntPhysicalMemWrite().
|
static |
Transfers memory between a guest physical memory range and Introcore.
This function will copy a physical-address range to a designated buffer, or a designated buffer inside a physical-address range. If the range spans across multiple pages, it will map each page individually, but no more than one page at a time. If it returns INT_STATUS_SUCCESS, for write operations, the memory range will contain Length bytes from Buffer; for read operations, Buffer will contain Length bytes from the physical address range. If RetLength is not NULL, it will contain the value Length. If it doesn't return INT_STATUS_SUCCESS, RetLength will contain the number of bytes successfully transferred (which will most likely be less than Length). Note that the guest physical address space is not guaranteed to be contiguous, so calling this function for a range that spans across multiple pages must be done only in very specific cases when the caller can guarantee that those pages are contiguous.
| [in] | PhysicalAddress | The start of the physical memory range |
| [in] | Length | The size of the physical memory range |
| [in,out] | Buffer | If Write is True, the buffer from which contents will be copied inside the guest's memory. If Write is False, the buffer in which the contents of the guest memory will be copied to. Must be at least Length bytes in size. |
| [out] | RetLength | The actual size that we managed to transfer from the guest to introcore. If INT_STATUS_SUCCES is returned, this will be equal to Length. May be NULL. |
| [in] | Write | True for write operations, False for read operations. |
| INT_STATUS_SUCCESS | in case of success |
| INT_STATUS_INVALID_PARAMETER_2 | is Length is 0 |
Definition at line 462 of file introcore.c.
Referenced by IntPhysicalMemReadAnySize(), and IntPhysicalMemWriteAnySize().
| BOOLEAN IntPolicyCoreForceBetaIfNeeded | ( | QWORD | Flag, |
| INTRO_ACTION * | Action | ||
| ) |
Checks if a forced action should be taken even if the log-only mode is active.
| [in] | Flag | Protection option for which the check is done. Must be one of the Activation and protection flags values. |
| [in,out] | Action | Action to be taken |
Definition at line 2803 of file introcore.c.
Referenced by IntCrLixHandleWrite(), IntCrWinHandleWrite(), IntDtrHandleWrite(), IntLixDrvHandleWrite(), IntLixIdtWriteHandler(), IntLixKernelHandleRead(), IntLixMsrHandleWrite(), IntLixValidateProcessCreationRights(), IntLixVdsoHandleWriteCommon(), IntWinDpiCheckCreation(), IntWinDrvHandleRead(), IntWinDrvHandleWrite(), IntWinDrvObjHandleModification(), IntWinDrvObjHandleWrite(), IntWinHalHandleHalHeapExec(), IntWinHalHandleHalIntCtrlWrite(), IntWinHalHandlePerfCounterModification(), IntWinIdtHandleModification(), IntWinIdtWriteHandler(), IntWinInfHookEptSppHandleWrite(), IntWinInfHookIntegrityHandleWrite(), IntWinIntObjHandleModification(), IntWinMsrHandleWrite(), IntWinSelfMapHandleCr3SelfMapWrite(), IntWinSudHandleFieldModification(), IntWinSudHandleKernelSudExec(), IntWinSudHandleUserSudExec(), and IntWinTokenPrivsHandleWrite().
Checks if one of the kernel protection options is in log-only mode.
If the option is one of the POLICY_KM_BETA_FLAGS options and the INTRO_OPT_KM_BETA_DETECTIONS option was also used, the function will always return True. Otherwise the beta options from CAMI are checked.
| [in] | Flag | The option to check. Must be one of the Activation and protection flags values. |
Definition at line 2603 of file introcore.c.
Referenced by IntAlertCoreGetFlags(), IntLixProcPolicyIsBeta(), IntPolicyCoreForceBetaIfNeeded(), IntPolicyCoreTakeAction(), IntWinHalHandleDispatchTableWrite(), IntWinHalHandleHalHeapExec(), IntWinProcPolicyIsBeta(), IntWinSelfMapHandleCr3SelfMapModification(), and IntWinSelfMapHandleCr3SelfMapWrite().
| BOOLEAN IntPolicyCoreTakeAction | ( | QWORD | Flag, |
| INTRO_ACTION * | Action, | ||
| INTRO_ACTION_REASON * | Reason | ||
| ) |
Returns the action that should be taken for a core introspection option.
| [in] | Flag | Protection option for which the policy is returned. Must be one of the Activation and protection flags values. |
| [in,out] | Action | Action to be taken |
| [in,out] | Reason | The reason for which Action is taken |
Definition at line 2693 of file introcore.c.
Referenced by IntCrLixHandleWrite(), IntCrWinHandleWrite(), IntDtrHandleWrite(), IntLixDrvHandleWrite(), IntLixIdtWriteHandler(), IntLixKernelHandleRead(), IntLixMsrHandleWrite(), IntLixValidateProcessCreationRights(), IntLixVdsoHandleWriteCommon(), IntWinDpiCheckCreation(), IntWinDrvHandleRead(), IntWinDrvHandleWrite(), IntWinDrvObjHandleModification(), IntWinDrvObjHandleWrite(), IntWinHalHandleHalHeapExec(), IntWinHalHandleHalIntCtrlWrite(), IntWinHalHandlePerfCounterModification(), IntWinIdtHandleModification(), IntWinIdtWriteHandler(), IntWinInfHookEptSppHandleWrite(), IntWinInfHookIntegrityHandleWrite(), IntWinIntObjHandleModification(), IntWinMsrHandleWrite(), IntWinSelfMapHandleCr3SelfMapModification(), IntWinSelfMapHandleCr3SelfMapWrite(), IntWinSudHandleFieldModification(), IntWinSudHandleKernelSudExec(), IntWinSudHandleUserSudExec(), IntWinTokenPrivsCheckIntegrityOnProcess(), and IntWinTokenPrivsHandleWrite().
| QWORD IntPolicyGetProcProt | ( | const void * | Process | ) |
Gets the protection policy for a process.
| [in] | Process | Process for which the protection policy is returned. For Windows guests this is a pointer to a WIN_PROCESS_OBJECT structure; for Linux guests this is a pointer to a LIX_TASK_OBJECT structure |
Definition at line 2661 of file introcore.c.
Referenced by IntAlertProcGetFlags(), and IntPolicyProcTakeAction().
Checks if a core protection option is in feedback-only mode.
| [in] | Flag | Protection option for which the check is done. Must be one of the Activation and protection flags values. |
Definition at line 2829 of file introcore.c.
Referenced by IntAlertCoreGetFlags(), IntLixProcPolicyIsFeedback(), and IntWinProcPolicyIsFeedback().
| BOOLEAN IntPolicyProcForceBetaIfNeeded | ( | QWORD | Flag, |
| void * | Process, | ||
| INTRO_ACTION * | Action | ||
| ) |
Checks if a forced action should be taken even if the process log-only mode is active.
| [in] | Flag | Protection option for which the check is done. Must be one of the Process protection options values. |
| [in] | Process | Process for which the check is done. For Windows guests this is a pointer to a WIN_PROCESS_OBJECT structure; for Linux guests this is a pointer to a LIX_TASK_OBJECT structure |
| [in,out] | Action | Action to be taken |
Definition at line 2773 of file introcore.c.
Referenced by IntLixAccessRemoteVmHandler(), IntLixTaskHandleInjection(), IntLixValidateProcessCreationRights(), IntLixVmaHandlePageExecution(), IntWinDagentHandleDoubleAgent(), IntWinModHandleKernelWrite(), IntWinModHandleUserWrite(), IntWinProcHandleCopyMemory(), IntWinProcHandleInstrument(), IntWinThrHandleQueueApc(), IntWinThrHandleThreadHijack(), and IntWinVadHandlePageExecution().
Checks if a process protection policy is in log-only mode.
| [in] | Process | The process for which the check is done. For Windows guests this is a pointer to a WIN_PROCESS_OBJECT structure; for Linux guests this is a pointer to a LIX_TASK_OBJECT structure |
| [in] | Flag | Protection option to be checked. This must be one of the Process protection options values |
Definition at line 2569 of file introcore.c.
Referenced by IntAlertProcGetFlags(), IntPolicyProcForceBetaIfNeeded(), IntPolicyProcTakeAction(), IntWinDagentSendDoubleAgentAlert(), and IntWinProcEnforceProcessDep().
Checks if a process protection policy is in feedback-only mode.
| [in] | Process | The process for which the check is done. For Windows guests this is a pointer to a WIN_PROCESS_OBJECT structure; for Linux guests this is a pointer to a LIX_TASK_OBJECT structure |
| [in] | Flag | Protection option to be checked. This must be one of the Process protection options values |
Definition at line 2627 of file introcore.c.
Referenced by IntAlertProcGetFlags(), and IntPolicyProcTakeAction().
| BOOLEAN IntPolicyProcTakeAction | ( | QWORD | Flag, |
| void const * | Process, | ||
| INTRO_ACTION * | Action, | ||
| INTRO_ACTION_REASON * | Reason | ||
| ) |
Returns the action that should be taken for a process protection option.
| [in] | Flag | Protection option for which the policy is returned. Must be one of the Process protection options values. |
| [in] | Process | Process for which the protection policy is checked. For Windows guests this is a pointer to a WIN_PROCESS_OBJECT structure; for Linux guests this is a pointer to a LIX_TASK_OBJECT structure |
| [in,out] | Action | Action to be taken |
| [in,out] | Reason | The reason for which Action is taken |
Definition at line 2732 of file introcore.c.
Referenced by IntLixAccessRemoteVmHandler(), IntLixTaskHandleInjection(), IntLixValidateProcessCreationRights(), IntWinDagentHandleDoubleAgent(), IntWinModHandleKernelWrite(), IntWinModHandleUserWrite(), IntWinProcHandleCopyMemory(), IntWinProcHandleInstrument(), IntWinThrHandleQueueApc(), IntWinThrHandleThreadHijack(), and IntWinVadIsExecSuspicious().
| void IntPreinit | ( | void | ) |
Initializes the global variables used throughout the project.
This should be called before IntInit in order to ensure that the global state is properly zeroed before introcore starts.
Definition at line 166 of file introcore.c.
| INTSTATUS IntReadString | ( | QWORD | StrGva, |
| DWORD | MinimumLength, | ||
| BOOLEAN | AnsiOnly, | ||
| char ** | String, | ||
| DWORD * | StringLength | ||
| ) |
Reads a string from the guest kernel memory.
| [in] | StrGva | Guest virtual address from which to read the string |
| [in] | MinimumLength | The minimum length the string should have |
| [in] | AnsiOnly | If the string should be an ANSI string |
| [in,out] | String | On success, will point to the string. This will be allocated with HpAllocWithTag. The caller is responsible of freeing this memory with HpFreeAndNullWithTag. |
| [out] | StringLength | The length of the string. May be NULL. |
| INT_STATUS_SUCCESS | in case of success |
| INT_STATUS_INVALID_PARAMETER_1 | if StrGva does not point inside the kernel |
| INT_STATUS_INVALID_PARAMETER_2 | is MinimumLength is 0 or more than PAGE_SIZE. Note that the string can still span across two pages |
| INT_STATUS_NOT_FOUND | if no valid string is found |
| INT_STATUS_INSUFFICIENT_RESOURCES | if not enough memory could be allocated for the string |
Definition at line 2880 of file introcore.c.
Referenced by IntLixTaskCreateFromBinprm(), IntLixTaskPathGetByDentry(), and IntWinGuestResolveImports().
| INTSTATUS IntResumeVcpus | ( | void | ) |
Resumes the VCPUs previously paused with IntPauseVcpus.
If gInsideDebugger is True, the function does nothing. It is an error to call this more times than IntPauseVcpus was called.
Definition at line 2355 of file introcore.c.
Referenced by IntAddRemoveProtectedProcessUtf16(), IntAddRemoveProtectedProcessUtf8(), IntAgentHandleLogGatherVmcall(), IntAgentHandleRemediationVmcall(), IntDetHandleWrite(), IntDisableIntro(), IntDispatchVeAsEpt(), IntEnginesResultCallback(), IntFlushEPTPermissions(), IntGuestDisableIntro(), IntGuestHandleCr3Write(), IntGuestUpdateCoreOptions(), IntHandleBreakpoint(), IntHandleCrWrite(), IntHandleDtrViolation(), IntHandleEptViolation(), IntHandleEventInjection(), IntHandleIntroCall(), IntHandleMsrViolation(), IntHandleTimer(), IntHandleXcrWrite(), IntHookPtsCheckIntegrity(), IntHookPtsInvokeCallbacks(), IntLixAgentActivatePendingAgent(), IntLixApiUpdateHooks(), IntLixGuestInitAgentCompletion(), IntLixGuestInitAgentHypercall(), IntMemClkCloakRegion(), IntMemClkModifyPatchedData(), IntMemClkUncloakRegionInternal(), IntMtblPatchInstruction(), IntPtiDeliverDriverForLoad(), IntPtiDeliverDriverForUnload(), IntPtiDisableFiltering(), IntPtiEnableFiltering(), IntRtlpVirtualUnwindCheckAccess(), IntSwapgsStartMitigation(), IntVasHookTables(), IntVeCompleteLoader(), IntVeDeliverDriverForLoad(), IntVeDeliverDriverForUnload(), IntVeUnhookVeAgent(), IntWinAgentActivatePendingAgent(), IntWinAgentDeployWinDriver(), IntWinAgentHandleDriverVmcall(), IntWinAgentRemove(), IntWinDrvObjHandleModification(), IntWinGuestKernelHeadersInMemory(), IntWinGuestSectionInMemory(), IntWinHalHandlePerfCounterModification(), IntWinHalSectionInMemory(), IntWinIdtHandleModification(), IntWinInfCheckCtxLoggerOnRelocation(), IntWinInfHookGetCpuClockIntegrityCallback(), IntWinIntObjHandleArrayModification(), IntWinIntObjHandleObjectModification(), IntWinPowDisableSpinWait(), IntWinPowEnableSpinWait(), IntWinProcValidateSystemCr3(), IntWinSDCheckAclIntegrity(), IntWinSDCheckSecDescIntegrity(), IntWinSudHandleFieldModification(), IntWinTokenPtrCheckIntegrityOnProcess(), and IntWinVadHandleDeleteGeneric().
|
static |
Translates a guest virtual address when 32-bit paging is used.
| [in] | Gva | Guest virtual address to translate |
| [in] | Cr3 | Cr3 used for the translation |
| [out] | Translation | Translation information |
| INT_STATUS_SUCCESS | in case of success. This does not guarantee that Gva is present inside the leaf page table |
| INT_STATUS_NO_MAPPING_STRUCTURES | if at any given point, the translation fails because a mapping structure can't be accessed. |
ERROR("[ERROR] Failed mapping cr3 0x%016llx (cached: %d): 0x%08x\n", Cr3, pCache != NULL, status);
Definition at line 1175 of file introcore.c.
Referenced by IntTranslateVirtualAddressEx().
|
static |
Translates a guest virtual address when 32-bit PAE paging is used.
| [in] | Gva | Guest virtual address to translate |
| [in] | Cr3 | Cr3 used for the translation |
| [out] | Translation | Translation information |
| INT_STATUS_SUCCESS | in case of success. This does not guarantee that Gva is present inside the leaf page table |
| INT_STATUS_NO_MAPPING_STRUCTURES | if at any given point, the translation fails because a mapping structure can't be accessed. |
ERROR("[ERROR] Failed mapping cr3 0x%016llx (cached: %d): 0x%08x\n", Cr3, pCache != NULL, status);
ERROR("[ERROR] Failed mapping pd 0x%016llx (cached: %d): 0x%08x\n", pdpe, pCache != NULL, status);
Definition at line 1295 of file introcore.c.
Referenced by IntTranslateVirtualAddressEx().
|
static |
Translates a guest virtual address when 4-level paging is used.
| [in] | Gva | Guest virtual address to translate |
| [in] | Cr3 | Cr3 used for the translation |
| [out] | Translation | Translation information |
| INT_STATUS_SUCCESS | in case of success. This does not guarantee that Gva is present inside the leaf page table |
| INT_STATUS_NO_MAPPING_STRUCTURES | if at any given point, the translation fails because a mapping structure can't be accessed. |
ERROR("[ERROR] Failed mapping cr3 0x%016llx (cached: %d): 0x%08x\n", Cr3, pCache != NULL, status);
ERROR("[ERROR] Failed mapping pdp 0x%016llx (cached: %d): 0x%08x\n", pml4e, pCache != NULL, status);
Definition at line 1452 of file introcore.c.
Referenced by IntTranslateVirtualAddressEx().
|
static |
Translates a guest virtual address when 5-level paging is used.
| [in] | Gva | Guest virtual address to translate |
| [in] | Cr3 | Cr3 used for the translation |
| [out] | Translation | Translation information |
| INT_STATUS_SUCCESS | in case of success. This does not guarantee that Gva is present inside the leaf page table |
| INT_STATUS_NO_MAPPING_STRUCTURES | if at any given point, the translation fails because a mapping structure can't be accessed. |
Definition at line 1646 of file introcore.c.
Referenced by IntTranslateVirtualAddressEx().
Translates a guest virtual address to a guest physical address.
This is a wrapper over IntTranslateVirtualAddressEx, but instead of returning the entire translation information, it will return only the physical address to which Gva maps. This function will fail if Gva is not present.
| [in] | Gva | Guest virtual address to be translated |
| [in] | Cr3 | The Cr3 to be used for the translation. If 0, the currently loaded kernel Cr3 will be used. If the current process has different page directory table base registers for user mode and kernel mode due to KPTI, the kernel Cr3 will be used even if the user mode Cr3 is currently loaded |
| [out] | PhysicalAddress | On success, the physical address to which Gva maps. |
| INT_STATUS_SUCCESS | in case of success |
| INT_STATUS_INVALID_PARAMETER_3 | if PhysicalAddress is NULL |
| INT_STATUS_PAGE_NOT_PRESENT | if Gva is not present or if the paging mode is PAGING_NONE |
| INT_STATUS_NO_MAPPING_STRUCTURES | if at any given point, the translation fails because a mapping structure can't be accessed |
Definition at line 1999 of file introcore.c.
Referenced by DbgDumpPfn(), IntAlertEptFillFromVictimZone(), IntHandleDtrViolation(), IntHandleEptViolation(), IntIntegrityCheckAll(), IntLixDrvSendViolationEvent(), IntLixGuestNew(), IntLixMmListVmasInternal(), IntLixTaskFetchMm(), IntLixVdsoDynamicProtectRelocate(), IntLixVdsoFixedProtect(), IntPeFindFunctionStart(), IntVeDumpVeInfoPage(), IntVeEnableDisableDriverAccessInProtectedView(), IntVeSetVeInfoPage(), IntWinCrashHandleDepViolation(), IntWinDpiValidateThreadStart(), IntWinDrvObjCreateFromAddress(), IntWinDrvObjHandleWrite(), IntWinDrvObjRemoveFromAddress(), IntWinHalProtectHalHeapExecs(), and IntWinStackHandleUserStackPagedOut().
| INTSTATUS IntTranslateVirtualAddressEx | ( | QWORD | Gva, |
| QWORD | Cr3, | ||
| DWORD | Flags, | ||
| VA_TRANSLATION * | Translation | ||
| ) |
Translates a guest virtual address to a guest physical address.
If error is returned, an incomplete trace is stored in the translation, and the translated physical address is not valid. If success is returned, a complete trace is stored inside the translation, however, it may still be possible that the page frame is not present. The caller must check the translation flags upon successful exit.
| [in] | Gva | Guest virtual address to be translated |
| [in] | Cr3 | The Cr3 used for the translation |
| [in] | Flags | Flags controlling the translation. May be 0 or a combination of Translation flags values. If it does not specify a paging mode, the function will deduce it by using the memory information inside gGuest. If TRFLG_CACHING_ATTR is set, will also obtain the caching attributes using the guest's IA32_PAT MSR. |
| [out] | Translation | Translation information |
| INT_STATUS_SUCCESS | in case of success. This does not guarantee that Gva is present inside the leaf page table |
| INT_STATUS_NO_MAPPING_STRUCTURES | if at any given point, the translation fails because a mapping structure can't be accessed. |
Definition at line 1863 of file introcore.c.
Referenced by DbgDumpTranslation(), IntDecEmulatePageWalk(), IntHandleCowOnPage(), IntHookPtsCheckIntegrity(), IntIcAddInvdForInstruction(), IntLixGuestAllocateFill(), IntLixGuestFindKernelVersionAndRo(), IntSwapMemInjectPendingPF(), IntSwapMemReadData(), IntTranslateVirtualAddress(), IntValidateRangeForWrite(), IntValidateTranslation(), IntVeDumpVeInfoPage(), IntVeHandleEPTViolationInProtectedView(), IntVirtMemMap(), IntVirtMemSafeWrite(), IntWinDpiValidateHeapSpray(), IntWinDrvObjIsValidDriverObject(), IntWinGuestFindSystemCr3(), IntWinGuestIsSystemCr3(), IntWinHalFindHalHeapAndInterruptController(), IntWinLogVAInfo(), IntWinPfnIsMmPfnDatabase(), IntWinPfnLockAddress(), IntWinProcValidateSystemCr3(), IntWinSDFetchSecDescAddress(), IntWinSDReadSecDesc(), and IntWinTokenFetchTokenAddress().
| INTSTATUS IntUninit | ( | void | ) |
Disables and uninitializes Introcore.
This will disable introspection engine, remove the guest protection and uninitialize the global state. Note that if a guest is initialized, disabling the protection for it will be done using the IG_DISABLE_IGNORE_SAFENESS option. This will also unmap everything in the gMultiPageMaps list of mappings, reset the GLUE_IFACE and UPPER_IFACE instances and uninitialize the gLock lock.
Definition at line 266 of file introcore.c.
Unmaps an address that was previously mapped with IntMapGpaForTranslation.
| [in] | Gpa | Guest physical address that was mapped |
| [in,out] | HostPtr | Pointer to the allocated memory |
Definition at line 1148 of file introcore.c.
Referenced by IntTranslateVa32(), IntTranslateVa32Pae(), IntTranslateVa64(), and IntTranslateVa64La57().
Reads 4 bytes from the guest memory.
| [in] | GuestVirtualAddress | Virtual address from which to read |
| [in] | Cr3 | The Cr3 used to translate GuestVirtualAddress. If 0, the current kernel Cr3 will be used. |
| [out] | Data | Data read from the guest |
Definition at line 887 of file introcore.c.
Referenced by IntWinProcHandleInstrument().
Reads 8 bytes from the guest memory.
| [in] | GuestVirtualAddress | Virtual address from which to read |
| [in] | Cr3 | The Cr3 used to translate GuestVirtualAddress. If 0, the current kernel Cr3 will be used. |
| [out] | Data | Data read from the guest |
Definition at line 866 of file introcore.c.
Referenced by IntLixDrvFindList(), and IntLixStackDumpUmStackTrace().
Reads a NULL-terminated string from the guest.
| [in] | Gva | Guest virtual address from which the read starts |
| [in] | MaxLength | Maximum length to be read. If a NULL terminator is not found before MaxLength bytes are read, the read stops. |
| [in] | Cr3 | The Cr3 used to translate Gva. If 0, the current kernel Cr3 will be used. |
| [out] | Buffer | Buffer containing the data read from the guest |
| INT_STATUS_SUCCESS | in case of success |
| INT_STATUS_INVALID_PARAMETER_4 | is Buffer is NULL |
| INT_STATUS_NOT_FOUND | if a NULL terminator is not found before MaxLength bytes are read |
Definition at line 1053 of file introcore.c.
Reads a guest pointer from the guest memory.
For 64-bit guests, this will read 8 bytes. For 32-bit guests, this will read 4 bytes.
| [in] | GuestVirtualAddress | Virtual address from which to read |
| [in] | Cr3 | The Cr3 used to translate GuestVirtualAddress. If 0, the current kernel Cr3 will be used. |
| [out] | Data | Data read from the guest. The buffer must be at least 8 bytes in size for 64-bit guests, and 4 bytes in size for 32-bit guests. |
Definition at line 908 of file introcore.c.
Referenced by IntWinProcHandleInstrument().
| __must_check INTSTATUS IntVirtMemMap | ( | QWORD | Gva, |
| DWORD | Length, | ||
| QWORD | Cr3, | ||
| DWORD | Flags, | ||
| void ** | HostPtr | ||
| ) |
Maps a guest virtual memory range inside Introcore virtual address space.
If the virtual range spans across multiple pages, IntVirtMemMapMultiPage will be used
| [in] | Gva | Guest virtual address to be mapped |
| [in] | Length | The length of the virtual range |
| [in] | Cr3 | Cr3 used to translate Gva. If 0, the current kernel Cr3 will be used |
| [in] | Flags | Ignored. TODO: remove |
| [out] | HostPtr | On success, will contain a pointer to the mapped memory |
| INT_STATUS_SUCCESS | in case of success |
| INT_STATUS_INVALID_PARAMETER_2 | if Length is 0 |
| INT_STATUS_PAGE_NOT_PRESENT | if Gva is not present or if the paging mode is PAGING_NONE |
| INT_STATUS_NO_MAPPING_STRUCTURES | if at any given point, the translation fails because a mapping structure can't be accessed |
Definition at line 2134 of file introcore.c.
Referenced by _IntLixTaskRead(), _IntLixTaskStartMap(), DbgDumpGuestModules(), DbgDumpPfn(), IntAlertFillCodeBlocks(), IntDecDecodeInstruction(), IntExceptDumpSignatures(), IntExceptGetVictimIntegrity(), IntExceptUserLogWindowsInformation(), IntExceptVerifyCodeBlocksSig(), IntExceptVerifyValueCodeSig(), IntIntegrityAddRegion(), IntIntegrityRecalculate(), IntKsymFindIndexesTableStart(), IntKsymFindMarkersReducedTableEnd(), IntKsymFindMarkersTableEnd(), IntKsymFindNamesTableEnd(), IntKsymInitAbsolute(), IntKsymRelativeFindOffsetTableEnd(), IntKsymRelativeFindOffsetTableStart(), IntLixAgentFree(), IntLixCrashDumpDmesg(), IntLixCredInitMap(), IntLixCredsDump(), IntLixDrvCreateDriverObject(), IntLixDrvFindList(), IntLixDrvValidate(), IntLixDumpStacktrace(), IntLixFsrInitMap(), IntLixFsrRead(), IntLixGetInitTask(), IntLixGuestClearGuestMemory(), IntLixGuestFindKernelBase(), IntLixMmGetInitMm(), IntLixPatchSwapgs(), IntLixStackTraceGet(), IntLixTaskCreateFromBinprm(), IntLixTaskFetchCmdLine(), IntPeFindExportByName(), IntPeFindExportByOrdinal(), IntPeFindExportByRva(), IntPeFindFunctionByPattern(), IntPeFindFunctionStart(), IntPeGetDirectory(), IntPeGetExportNameByRva(), IntPeGetRuntimeFunction(), IntPeGetSectionHeaderByIndex(), IntPeGetSectionHeaderByRva(), IntPeGetSectionHeadersByName(), IntPeListSectionsHeaders(), IntPeParseUnwindData(), IntPeValidateHeader(), IntPtiCacheAdd(), IntPtiCacheRemove(), IntPtiMonitorAllPtWriteCandidates(), IntPtiRemovePtFilter(), IntReadString(), IntSerializeExtractCodeBlocks(), IntSlackAllocLinux(), IntThrSafeIsStackPtrInIntro(), IntThrSafeMoveReturn(), IntThrSafeWinInspectWaitingThread(), IntVeRemoveAgent(), IntVeUpdateCacheEntry(), IntVirtMemReadWrite(), IntVirtMemSet(), IntWinDpiValidateHeapSpray(), IntWinDrvObjIsValidDriverObject(), IntWinDrvRemoveFromAddress(), IntWinGuestFindBuildNumber(), IntWinGuestFindDriversNamespaceNoBuffer(), IntWinGuestFindIdleCr3(), IntWinGuestFindKernel(), IntWinGuestFindKernelCr3(), IntWinGuestFindKernelObjectsInternal(), IntWinGuestReadKernel(), IntWinGuestValidateKernel(), IntWinHalFindHalHeapAndInterruptController(), IntWinHalFindInterruptController(), IntWinHalHandleDispatchTableWrite(), IntWinHalReadHal(), IntWinIntObjHandleArrayModification(), IntWinModHookPoly(), IntWinNetFillTcpStruct(), IntWinNetFindTcpBitmap(), IntWinNetFindTcpObjects(), IntWinNetFindTcpPartition(), IntWinNetSearchForAlloc(), IntWinPfnModifyRefCount(), IntWinProcMapEprocess(), IntWinStackTraceGet32(), IntWinStackTraceGet64(), IntWinStackTraceGetUser32(), IntWinStackTraceGetUser64(), IntWinStackUserTrapFrameGet32(), IntWinStackUserTrapFrameGet64(), IntWinSudHandleFieldModification(), IntWinTokenPrivsShouldHook(), and IntWinVadMapShortVad().
|
static |
Maps a guest kernel virtual memory range inside Introcore virtual address space regardless of the number of pages it spans across.
| [in] | GuestVirtualAddress | The start of the guest virtual address range |
| [in] | Length | The size of the memory range |
| [in] | Cr3 | The Cr3 used to translate GuestVirtualAddress. If 0, the current kernel Cr3 will be used |
| [out] | HostPtr | On success, will contain a pointer to the mapped memory |
| INT_STATUS_SUCCESS | in case of success |
| INT_STATUS_INSUFFICIENT_RESOURCES | if not enough memory is available |
| INT_STATUS_INVALID_INTERNAL_STATE | is an inconsistency was detected |
Definition at line 2060 of file introcore.c.
Referenced by IntVirtMemMap().
Writes 4 bytes in the guest memory.
| [in] | GuestVirtualAddress | Virtual address at which the write is done |
| [in] | Cr3 | The Cr3 used to translate GuestVirtualAddress. If 0, the current kernel Cr3 will be used. |
| [out] | Data | Data to write inside the guest |
Definition at line 1010 of file introcore.c.
Writes 8 bytes in the guest memory.
| [in] | GuestVirtualAddress | Virtual address at which the write is done |
| [in] | Cr3 | The Cr3 used to translate GuestVirtualAddress. If 0, the current kernel Cr3 will be used. |
| [out] | Data | Data to write inside the guest |
Definition at line 989 of file introcore.c.
Writes a guest pointer inside the guest memory.
| [in] | GuestVirtualAddress | Virtual address at which the write is done |
| [in] | Cr3 | The Cr3 used to translate GuestVirtualAddress. If 0, the current kernel Cr3 will be used. |
| [out] | Data | Data to write inside the guest. For 32-bit guests, only the low 32-bits will be written. |
Definition at line 1031 of file introcore.c.
Reads data from a guest virtual memory range.
| [in] | Gva | The start of the guest virtual memory range |
| [in] | Length | The size of the memory range |
| [in] | Cr3 | The Cr3 used to translate Gva. If 0, the current kernel Cr3 will be used. |
| [out] | Buffer | Buffer in which data will be read. Must be at least Length bytes in size. |
| [out] | RetLength | The size we managed to read. In case of success, it will always be equal to Length. May be NULL. |
Definition at line 627 of file introcore.c.
Referenced by IntAgentHandleLogGatherVmcall(), IntAgentHandleRemediationVmcall(), IntAlertFillDpiExtraInfo(), IntAlertFillExecContext(), IntDisasmGva(), IntDumpGvaEx(), IntExceptGetVictimEpt(), IntExceptVerifyValueCodeSig(), IntExceptVerifyValueSig(), IntGetValueFromOperand(), IntHandleDtrViolation(), IntHandleFetchRetryOnPageBoundary(), IntKsymRelativeFindOffsetTableStart(), IntLixAgentFillDataFromMemory(), IntMemClkHandleRead(), IntSerializeDpiWinHeapSpray(), IntSerializeDpiWinPivotedStack(), IntSerializeDpiWinThreadStart(), IntSerializeRawDump(), IntSerializeRipCode(), IntShcIsSuspiciousCode(), IntVirtMemFetchDword(), IntVirtMemFetchQword(), IntVirtMemFetchString(), IntVirtMemFetchWordSize(), IntVirtMemMapMultiPage(), IntWinCrashHandleDepViolation(), IntWinGuestFindIdleCr3(), IntWinModBlockHandleExecution(), IntWinObjHandleDriverDirectoryEntryInMemory(), IntWinProcHandleCopyMemory(), IntWinProcHandleInstrument(), IntWinStackTraceGetUser(), IntWinStackTraceGetUser32(), IntWinStackWow64CheckIsPivoted(), IntWinThrGetCurrentStackBaseAndLimit(), IntWinThrGetUmStackBaseAndLimitFromTib(), IntWinThrHandleQueueApc(), IntWinThrHandleThreadHijack(), IntWinTokenCheckCurrentPrivileges(), and IntWinTokenPrivsProtectOnProcess().
|
static |
Transfers memory between a guest virtual memory range and Introcore.
This function will copy a virtual-address range to a designated buffer, or a designated buffer inside a virtual-address range. If the range spans across multiple pages, it will map each page individually, but no more than one page at a time. If it returns INT_STATUS_SUCCESS, for write operations, the memory range will contain Length bytes from Buffer; for read operations, Buffer will contain Length bytes from the physical address range. If RetLength is not NULL, it will contain the value Length. If it doesn't return INT_STATUS_SUCCESS, RetLength will contain the number of bytes successfully transferred (which will most likely be less than Length). Note that write operations will be done even if Address is not writable inside the guest's page tables.
| [in] | VirtualAddress | The start of the virtual address range |
| [in] | Length | The size to be read or written |
| [in] | Cr3 | The Cr3 used to translate VirtualAddress to a physical address. If 0, the current Cr3 used by the guest will be used. If KPTI is enabled and the current process has different user mode and kernel mode page directory base registers, the one for the kernel will be used, even if the user mode Cr3 is loaded. |
| [in,out] | Buffer | If Write is True, the buffer from which contents will be copied inside the guest's memory. If Write is False, the buffer in which the contents of the guest memory will be copied to. Must be at least Length bytes in size. |
| [out] | RetLength | The actual size that we managed to transfer from the guest to introcore. If INT_STATUS_SUCCES is returned, this will be equal to Length. May be NULL. |
| [in] | Write | True for write operations, False for read operations. |
| INT_STATUS_SUCCESS | in case of success |
| INT_STATUS_INVALID_PARAMETER_2 | is Length is 0 |
| INT_STATUS_PAGE_NOT_PRESENT | if VirtualAddress is not present inside the guest page tables |
Definition at line 315 of file introcore.c.
Referenced by IntKernVirtMemRead(), IntKernVirtMemWrite(), IntVirtMemRead(), and IntVirtMemWrite().
Definition at line 414 of file introcore.c.
Referenced by IntLixGuestInitAgentCompletion().
| INTSTATUS IntVirtMemUnmap | ( | void ** | HostPtr | ) |
Unmaps a memory range previously mapped with IntVirtMemMap.
| [in] | HostPtr | Points to the memory area allocated when the map was done. After this function returns, it will point to NULL. |
Definition at line 2234 of file introcore.c.
Referenced by _IntLixTaskFinishMap(), DbgDumpGuestModules(), DbgDumpPfn(), IntAlertFillCodeBlocks(), IntDecDecodeInstruction(), IntExceptDumpSignatures(), IntExceptGetVictimIntegrity(), IntExceptUserLogWindowsInformation(), IntExceptVerifyCodeBlocksSig(), IntExceptVerifyValueCodeSig(), IntIntegrityAddRegion(), IntIntegrityRecalculate(), IntKsymFindIndexesTableStart(), IntKsymFindMarkersReducedTableEnd(), IntKsymFindMarkersTableEnd(), IntKsymFindNamesTableEnd(), IntKsymInitAbsolute(), IntKsymRelativeFindOffsetTableEnd(), IntKsymRelativeFindOffsetTableStart(), IntLixAgentFree(), IntLixCrashDumpDmesg(), IntLixCredsDump(), IntLixCredUninitMap(), IntLixDrvCreateDriverObject(), IntLixDrvFindList(), IntLixDrvValidate(), IntLixDumpStacktrace(), IntLixFsrUninitMap(), IntLixGetInitTask(), IntLixGuestClearGuestMemory(), IntLixGuestFindKernelBase(), IntLixMmGetInitMm(), IntLixPatchSwapgs(), IntLixStackTraceGet(), IntLixTaskCreateFromBinprm(), IntLixTaskFetchCmdLine(), IntPeFindExportByName(), IntPeFindExportByOrdinal(), IntPeFindExportByRva(), IntPeFindFunctionByPattern(), IntPeFindFunctionStart(), IntPeGetDirectory(), IntPeGetExportNameByRva(), IntPeGetRuntimeFunction(), IntPeGetSectionHeaderByIndex(), IntPeGetSectionHeaderByRva(), IntPeGetSectionHeadersByName(), IntPeListSectionsHeaders(), IntPeParseUnwindData(), IntPeValidateHeader(), IntPhysMemReadWriteAnySize(), IntPtiCacheAdd(), IntPtiCacheRemove(), IntPtiMonitorAllPtWriteCandidates(), IntPtiRemovePtFilter(), IntReadString(), IntSerializeExtractCodeBlocks(), IntSlackAllocLinux(), IntThrSafeIsStackPtrInIntro(), IntThrSafeMoveReturn(), IntThrSafeWinInspectWaitingThread(), IntVeDeliverDriverForUnload(), IntVeHandleSwap(), IntVeRemoveAgent(), IntVirtMemReadWrite(), IntVirtMemSet(), IntWinDpiValidateHeapSpray(), IntWinDrvObjIsValidDriverObject(), IntWinDrvRemoveFromAddress(), IntWinGuestFindBuildNumber(), IntWinGuestFindDriversNamespaceNoBuffer(), IntWinGuestFindIdleCr3(), IntWinGuestFindKernel(), IntWinGuestFindKernelCr3(), IntWinGuestFindKernelObjectsInternal(), IntWinGuestReadKernel(), IntWinGuestValidateKernel(), IntWinHalFindHalHeapAndInterruptController(), IntWinHalFindInterruptController(), IntWinHalHandleDispatchTableWrite(), IntWinHalReadHal(), IntWinIntObjHandleArrayModification(), IntWinModHookPoly(), IntWinNetFillTcpStruct(), IntWinNetFindTcpBitmap(), IntWinNetFindTcpObjects(), IntWinNetFindTcpPartition(), IntWinNetSearchForAlloc(), IntWinPfnModifyRefCount(), IntWinProcAdd(), IntWinProcHandleCreateInternal(), IntWinProcSwapIn(), IntWinStackTraceGet32(), IntWinStackTraceGet64(), IntWinStackTraceGetUser32(), IntWinStackTraceGetUser64(), IntWinStackUserTrapFrameGet32(), IntWinStackUserTrapFrameGet64(), IntWinSudHandleFieldModification(), IntWinTokenPrivsShouldHook(), and IntWinVadFetchVadFromMemory().
|
static |
Unamps a memory range previously mapped with IntVirtMemMapMultiPage.
| [in,out] | HostPtr | Pointer to the mapped region. On success, it will point to NULL |
Definition at line 2202 of file introcore.c.
Referenced by IntVirtMemUnmap().
Writes data to a guest virtual memory range.
| [in] | Gva | The start of the guest virtual memory range |
| [in] | Length | The size of the memory range |
| [in] | Cr3 | The Cr3 used to translate Gva. If 0, the current kernel Cr3 will be used. |
| [out] | Buffer | Buffer with the data to be written. Must be at least Length bytes in size. |
Definition at line 652 of file introcore.c.
Referenced by IntDetRelocate(), IntLixAgentCreateThreadHypercall(), IntMemClkCloakRegion(), IntMemClkModifyPatchedData(), IntVirtMemPatchDword(), IntVirtMemPatchQword(), IntVirtMemPatchWordSize(), and IntWinDagentHandleSlackWritable().
|
static |
Checks if support for SSE 4.2 is present.
Definition at line 143 of file introcore.c.
Referenced by IntInit().
| char* utf16_for_log | ( | const WCHAR * | WString | ) |
Converts a UTF-16 to a UTF-8 string to be used inside logging macros.
This function should be called only from one of the log macros (TRACE, INFO. WARNING, LOG, ERROR, CRITICAL). Note that each string is limited to a size of 1KB and calling this function more than 8 times in a row (in the same logging macro) is an error. The log macros will reset the global state used for conversion. This is needed because not all logging implementations can handle wide char strings.
| [in] | WString | NULL-terminated string to be converted |
Definition at line 2845 of file introcore.c.
Referenced by DbgDumpGuestModules(), IntAgentHandleLogGatherVmcall(), IntAgentHandleRemediationVmcall(), IntDetSetHook(), IntDriverDump(), IntExceptKernelLogWindowsInformation(), IntExceptKernelUserLogWindowsInformation(), IntExceptUserLogWindowsInformation(), IntLogCurrentIP(), IntLogProcessInfo(), IntLogStackTrace(), IntModBlockHandleBlockModHeadersInMemory(), IntModBlockHandlePreInjection(), IntWinAgentSelectBootstrapAddress(), IntWinApiHook(), IntWinDagentCheckNativeSubsystem(), IntWinDagentHandleDoubleAgent(), IntWinDagentHandleSuspModExecution(), IntWinDrvCreateFromAddress(), IntWinDrvForceDisableReadNtEat(), IntWinDrvHeadersInMemory(), IntWinDrvObjCreateFromAddress(), IntWinDrvObjHandleWrite(), IntWinDrvObjProtect(), IntWinDrvObjProtectFastIoDispatch(), IntWinDrvObjUnprotect(), IntWinDrvObjUnprotectFastIoDispatch(), IntWinDrvObjUpdateProtection(), IntWinDrvUnprotect(), IntWinDrvUpdateProtection(), IntWinModBlockHandleExecution(), IntWinModCacheCreate(), IntWinModHandleExportsInMemory(), IntWinModHandleModulePathInMemory(), IntWinModHandlePreInjection(), IntWinModHookModule(), IntWinModulesChangeProtectionFlags(), IntWinProcAddProtectedProcess(), IntWinProcCreateProcessObject(), IntWinProcDump(), IntWinProcDumpProtected(), IntWinProcHandleCopyMemory(), IntWinProcSwapIn(), IntWinProcSwapOut(), IntWinUmModCacheFetch(), IntWinUmModCacheFillExports(), IntWinUmModCacheFillHeaders(), IntWinUmPathCreate(), and IntWinVadDump().
Set to True if introcore should abort the initialization process.
Definition at line 59 of file introcore.c.
Referenced by IntAbortEnableIntro(), and IntGuestHandleCr3Write().
| const QWORD gByteMaskToBitMask[256] |
Converts a byte number to a mask having the bits in those bytes set.
For example, for 5, will return 0x0000000000ff00ff which has bytes 0 and 1 filled.
Definition at line 73 of file introcore.c.
Referenced by IntHookPtwProcessWrite().
| INTRO_ERROR_CONTEXT gErrorContext = { 0 } |
Global storage for the error context used by GLUE_IFACE.NotifyIntrospectionErrorState.
Since API calls are serialized, all the error notifications use this as the context in order to avoid allocating extra memory when reporting an error, as some errors may be triggered by low memory conditions and we would like to avoid memory allocations in those situations.
Definition at line 43 of file introcore.c.
Referenced by IntWinProcProtect(), and IntWinProcUpdateProtection().
| BOOLEAN gInsideDebugger |
Set to True when introcore is inside a debugger.
This is used to avoid pausing VCPUs while trapped inside a debugger, as that can lead to deadlocks
Definition at line 28 of file debugger.c.
Referenced by IntDbgProcessCommand(), IntPauseVcpus(), and IntResumeVcpus().
| void* gLock = NULL |
A lock that ensures that all the events are serialized inside introcore.
This essentially makes introcore act as a single threaded library, since only one callback will be executing at a time. Since events on Xen are already synchronized this is already true for VMX events even without this lock. It just ensures that this behavior is consistent across all APIs, not just event handlers. Not acquiring this lock is a fatal error as all the code in introcore assumes that this lock is held.
Definition at line 24 of file introcore.c.
Referenced by IntAddExceptionFromAlert(), IntAddRemoveProtectedProcessUtf16(), IntAddRemoveProtectedProcessUtf8(), IntDisableIntro(), IntEnginesResultCallback(), IntFlushAlertExceptions(), IntFlushGpaCache(), IntGetCurrentInstructionLength(), IntGetCurrentInstructionMnemonic(), IntGetCurrentIntroOptions(), IntGetExceptionsVersion(), IntGetGuestInfo(), IntGetSupportVersion(), IntGetVersionString(), IntHandleBreakpoint(), IntHandleCrWrite(), IntHandleDtrViolation(), IntHandleEptViolation(), IntHandleEventInjection(), IntHandleIntroCall(), IntHandleMsrViolation(), IntHandleTimer(), IntHandleXcrWrite(), IntInit(), IntInjectFileAgentInGuest(), IntInjectProcessAgentInGuest(), IntIterateVaSpace(), IntModifyDynamicOptions(), IntNewGuestNotification(), IntNotifyGuestPowerStateChange(), IntRemoveAllProtectedProcesses(), IntRemoveException(), IntSetLogLevel(), IntUninit(), IntUpdateExceptions(), and IntUpdateSupport().
| LIST_HEAD gMultiPageMaps = LIST_HEAD_INIT(gMultiPageMaps) |
List of all the currently valid multi page maps.
Definition at line 56 of file introcore.c.
| BOOLEAN gSse42Supported |
Set to True if support for SSE 4.2 was detected.
Definition at line 99 of file crc32.c.
Referenced by Crc32ComputeFast(), and IntInit().
| const INT_VERSION_INFO IntHviVersion |
The version of the introcore library.
The HVI version. Used to check for compatibility issues with the cami version.
Definition at line 27 of file introcore.c.
1.8.13