- Generated by
1.8.13
|
Bitdefender Hypervisor Memory Introspection
|
Go to the source code of this file.
Data Structures | |
| struct | _VA_TRANSLATION |
| Encapsulates information about a virtual to physical memory translation. More... | |
Macros | |
| #define | INTRO_MATCH_TRUNCATED 0x00000001 |
| If set, matching functions like IntMatchPatternUtf8 will match up until the first wild char encountered. More... | |
| #define | RB_TREE_INIT(Name, Free, Compare) |
| Initializes a RBTREE structure. More... | |
| #define | MIN_HEAP_SIZE_PERCENT (30) |
| Minimum amount of free heap needed in order to activate process protection. More... | |
| #define | MAX_TRANSLATION_DEPTH 5 |
| Maximum depth of the translation hierarchy. More... | |
| #define | TRFLG_NONE 0x00000000 |
| No special options. More... | |
| #define | TRFLG_CACHING_ATTR 0x00000001 |
| Obtain caching information from the guest's IA32_PAT MSR. More... | |
| #define | TRFLG_NORMAL_MODE 0x10000000 |
| Hint that the paging mode is PAGING_NORMAL_MODE. More... | |
| #define | TRFLG_PAE_MODE 0x20000000 |
| Hint that the paging mode is PAGING_PAE_MODE. More... | |
| #define | TRFLG_4_LEVEL_MODE 0x30000000 |
| Hint that the paging mode is PAGING_4_LEVEL_MODE. More... | |
| #define | TRFLG_5_LEVEL_MODE 0x40000000 |
| Hint that the paging mode is PAGING_5_LEVEL_MODE. More... | |
| #define | TRFLG_MODE_MASK 0xF0000000 |
| Mask used to isolate only the paging mode flags. More... | |
| #define | TRFLG_ALL (TRFLG_CACHING_ATTR) |
| All translation flags, excluding the paging mode. More... | |
| #define | TRFLG_PG_MODE |
| Obtains the translation mode flag for the currently used paging mode. More... | |
| #define | IntEnterDebugger() IntEnterDebugger2(__FILE__, __LINE__) |
| #define | IntDbgEnterDebugger() IntDbgEnterDebugger2(__FILE__, __LINE__) |
Typedefs | |
| typedef struct _VA_TRANSLATION | VA_TRANSLATION |
| Encapsulates information about a virtual to physical memory translation. More... | |
| typedef struct _VA_TRANSLATION * | PVA_TRANSLATION |
Enumerations | |
| enum | PAGING_MODE { PAGING_NONE = 0, PAGING_NORMAL_MODE, PAGING_PAE_MODE, PAGING_4_LEVEL_MODE, PAGING_5_LEVEL_MODE } |
| Paging modes. More... | |
Functions | |
| void | IntPreinit (void) |
| Initializes the global variables used throughout the project. More... | |
| INTSTATUS | IntInit (GLUE_IFACE *GlueInterface, UPPER_IFACE const *UpperInterface) |
| Initializes introcore. More... | |
| INTSTATUS | IntUninit (void) |
| Disables and uninitializes Introcore. More... | |
| INTSTATUS | IntVirtMemRead (QWORD Gva, DWORD Length, QWORD Cr3, void *Buffer, DWORD *RetLength) |
| Reads data from a guest virtual memory range. More... | |
| INTSTATUS | IntVirtMemWrite (QWORD Gva, DWORD Length, QWORD Cr3, void *Buffer) |
| Writes data to a guest virtual memory range. More... | |
| INTSTATUS | IntKernVirtMemRead (QWORD KernelGva, DWORD Length, void *Buffer, DWORD *RetLength) |
| Reads data from a guest kernel virtual memory range. More... | |
| INTSTATUS | IntKernVirtMemWrite (QWORD KernelGva, DWORD Length, void *Buffer) |
| Writes data to a guest kernel virtual memory range. More... | |
| INTSTATUS | IntVirtMemSet (QWORD VirtualAddress, DWORD Length, QWORD Cr3, BYTE Value) |
| INTSTATUS | IntPhysicalMemRead (QWORD PhysicalAddress, DWORD Length, void *Buffer, DWORD *RetLength) |
| Reads data from a guest physical memory range, but only for a single page. More... | |
| INTSTATUS | IntPhysicalMemWrite (QWORD PhysicalAddress, DWORD Length, void *Buffer) |
| Writes data to a guest physical memory range, but only for a single page. More... | |
| INTSTATUS | IntPhysicalMemReadAnySize (QWORD PhysicalAddress, DWORD Length, void *Buffer, DWORD *RetLength) |
| Reads data from a guest physical memory range, regardless of how many pages it spans across. More... | |
| INTSTATUS | IntPhysicalMemWriteAnySize (QWORD PhysicalAddress, DWORD Length, void *Buffer) |
| Writes data to a guest physical memory range, regardless of how many pages it spans across. More... | |
| INTSTATUS | IntKernVirtMemFetchQword (QWORD GuestVirtualAddress, QWORD *Data) |
| Reads 8 bytes from the guest kernel memory. More... | |
| INTSTATUS | IntKernVirtMemFetchDword (QWORD GuestVirtualAddress, DWORD *Data) |
| Reads 4 bytes from the guest kernel memory. More... | |
| INTSTATUS | IntKernVirtMemFetchWordSize (QWORD GuestVirtualAddress, void *Data) |
| Reads a guest pointer from the guest kernel memory. More... | |
| INTSTATUS | IntVirtMemFetchQword (QWORD GuestVirtualAddress, QWORD Cr3, QWORD *Data) |
| Reads 8 bytes from the guest memory. More... | |
| INTSTATUS | IntVirtMemFetchDword (QWORD GuestVirtualAddress, QWORD Cr3, DWORD *Data) |
| Reads 4 bytes from the guest memory. More... | |
| INTSTATUS | IntVirtMemFetchWordSize (QWORD GuestVirtualAddress, QWORD Cr3, void *Data) |
| Reads a guest pointer from the guest memory. More... | |
| INTSTATUS | IntKernVirtMemPatchQword (QWORD GuestVirtualAddress, QWORD Data) |
| Writes 8 bytes in the guest kernel memory. More... | |
| INTSTATUS | IntKernVirtMemPatchDword (QWORD GuestVirtualAddress, DWORD Data) |
| Writes 4 bytes in the guest kernel memory. More... | |
| INTSTATUS | IntKernVirtMemPatchWordSize (QWORD GuestVirtualAddress, QWORD Data) |
| Writes a guest pointer inside the guest kernel memory. More... | |
| INTSTATUS | IntVirtMemPatchQword (QWORD GuestVirtualAddress, QWORD Cr3, QWORD Data) |
| Writes 8 bytes in the guest memory. More... | |
| INTSTATUS | IntVirtMemPatchDword (QWORD GuestVirtualAddress, QWORD Cr3, DWORD Data) |
| Writes 4 bytes in the guest memory. More... | |
| INTSTATUS | IntVirtMemPatchWordSize (QWORD GuestVirtualAddress, QWORD Cr3, QWORD Data) |
| Writes a guest pointer inside the guest memory. More... | |
| INTSTATUS | IntVirtMemFetchString (QWORD Gva, DWORD MaxLength, QWORD Cr3, void *Buffer) |
| Reads a NULL-terminated string from the guest. More... | |
| INTSTATUS | IntTranslateVirtualAddressEx (QWORD Gva, QWORD Cr3, DWORD Flags, VA_TRANSLATION *Translation) |
| Translates a guest virtual address to a guest physical address. More... | |
| INTSTATUS | IntTranslateVirtualAddress (QWORD Gva, QWORD Cr3, QWORD *PhysicalAddress) |
| Translates a guest virtual address to a guest physical address. More... | |
| __must_check INTSTATUS | IntVirtMemMap (QWORD Gva, DWORD Length, QWORD Cr3, DWORD Flags, void **HostPtr) |
| Maps a guest virtual memory range inside Introcore virtual address space. More... | |
| INTSTATUS | IntVirtMemUnmap (void **HostPtr) |
| Unmaps a memory range previously mapped with IntVirtMemMap. More... | |
| INTSTATUS | IntInjectExceptionInGuest (BYTE Vector, QWORD Cr2, DWORD ErrorCode, DWORD CpuNumber) |
| Injects an exception inside the guest. More... | |
| INTSTATUS | IntPauseVcpus (void) |
| Pauses all the guest VCPUs. More... | |
| INTSTATUS | IntResumeVcpus (void) |
| Resumes the VCPUs previously paused with IntPauseVcpus. More... | |
| void | IntEnterDebugger2 (PCHAR File, DWORD Line) |
| Traps to a debugger. More... | |
| void | IntDbgEnterDebugger2 (PCHAR File, DWORD Line) |
| Traps to a debugger and dumps the Introcore state. More... | |
| INTSTATUS | IntGuestUninitOnBugcheck (void const *Detour) |
| Prepares Introcore unload in case of a guest crash in order to clean up the code and data injected inside the guestIf the INTRO_OPT_BUGCHECK_CLEANUP activation flag is not set, this function does nothing. Will set BugCheckInProgress inside gGuest to True. More... | |
| BOOLEAN | IntMatchPatternUtf8 (const CHAR *Pattern, const CHAR *String, DWORD Flags) |
| Matches a pattern using glob match. More... | |
| BOOLEAN | IntMatchPatternUtf16 (const WCHAR *Pattern, const WCHAR *String, DWORD Flags) |
| Matches a pattern using glob match. More... | |
| BOOLEAN | IntPolicyProcIsBeta (const void *Process, QWORD Flag) |
| Checks if a process protection policy is in log-only mode. More... | |
| BOOLEAN | IntPolicyCoreIsOptionBeta (QWORD Flag) |
| Checks if one of the kernel protection options is in log-only mode. More... | |
| BOOLEAN | IntPolicyProcIsFeedback (const void *Process, QWORD Flag) |
| Checks if a process protection policy is in feedback-only mode. More... | |
| QWORD | IntPolicyGetProcProt (const void *Process) |
| Gets the protection policy for a process. More... | |
| BOOLEAN | IntPolicyCoreTakeAction (QWORD Flag, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason) |
| Returns the action that should be taken for a core introspection option. More... | |
| BOOLEAN | IntPolicyProcTakeAction (QWORD Flag, void const *Process, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason) |
| Returns the action that should be taken for a process protection option. More... | |
| BOOLEAN | IntPolicyProcForceBetaIfNeeded (QWORD Flag, void *Process, INTRO_ACTION *Action) |
| Checks if a forced action should be taken even if the process log-only mode is active. More... | |
| BOOLEAN | IntPolicyCoreForceBetaIfNeeded (QWORD Flag, INTRO_ACTION *Action) |
| Checks if a forced action should be taken even if the log-only mode is active. More... | |
| BOOLEAN | IntPolicyIsCoreOptionFeedback (QWORD Flag) |
| Checks if a core protection option is in feedback-only mode. More... | |
| char * | utf16_for_log (const WCHAR *WString) |
| Converts a UTF-16 to a UTF-8 string to be used inside logging macros. More... | |
| INTSTATUS | IntReadString (QWORD StrGva, DWORD MinimumLength, BOOLEAN AnsiOnly, char **String, DWORD *StringLength) |
| Reads a string from the guest kernel memory. More... | |
Variables | |
| void * | gLock |
| A lock that ensures that all the events are serialized inside introcore. More... | |
| void * | gIntHandle |
| The guest handle provided by the integrator at initialization. More... | |
| INTRO_ERROR_CONTEXT | gErrorContext |
| Global storage for the error context used by GLUE_IFACE.NotifyIntrospectionErrorState. More... | |
| const QWORD | gByteMaskToBitMask [256] |
| Converts a byte number to a mask having the bits in those bytes set. More... | |
| BOOLEAN | gAbortLoad |
| Set to True if introcore should abort the initialization process. More... | |
| QWORD | gEventId |
| The ID of the current event. More... | |
| #define IntDbgEnterDebugger | ( | ) | IntDbgEnterDebugger2(__FILE__, __LINE__) |
Definition at line 381 of file introcore.h.
Referenced by IntApiLeave(), IntDriverLoadHandler(), IntDriverUnloadHandler(), IntHandleEptViolation(), IntHookGpaRemoveHookInternal(), IntHookPtsHandleModification(), IntHookPtsMergeEntry(), IntHookPtsWriteCallback(), IntMemClkHandleRead(), IntMemClkHandleSwap(), IntPauseVcpus(), IntResumeVcpus(), IntVasPageTableWriteCallback(), IntWinAgentRemove(), IntWinAgentUnInit(), IntWinDrvObjHandleWrite(), IntWinVadHandleDeleteGeneric(), and IntWinVadHandleInsertGeneric().
| #define IntEnterDebugger | ( | ) | IntEnterDebugger2(__FILE__, __LINE__) |
Definition at line 373 of file introcore.h.
Referenced by IntHookGpaCommitHooks(), IntHookGpaSetHook(), IntHookGvaCommitHooks(), IntHookPtmCommitHooks(), IntHookPtsCleanupList(), IntHookPtsCommitHooks(), IntHookPtwEmulateWrite(), IntHookPtwProcessWrite(), IntLixAgentExit(), IntLixAgentStart(), IntMemClkHandleRead(), IntPtiAllocMemtableSpace(), IntPtiHandleExecute(), IntPtiHandleWrite(), IntPtiRemoveInstruction(), IntSetGprs(), IntVeCompleteLoader(), IntVeHandleHypercall(), and IntVeHandleSwap().
| #define INTRO_MATCH_TRUNCATED 0x00000001 |
If set, matching functions like IntMatchPatternUtf8 will match up until the first wild char encountered.
Definition at line 13 of file introcore.h.
Referenced by IntLixTaskAdjustProtections(), IntLixTaskShouldProtect(), IntMatchPatternUtf8(), IntWinProcGetProtectedInfo(), and IntWinProcGetProtectedInfoEx().
| #define MAX_TRANSLATION_DEPTH 5 |
Maximum depth of the translation hierarchy.
Definition at line 61 of file introcore.h.
| #define MIN_HEAP_SIZE_PERCENT (30) |
Minimum amount of free heap needed in order to activate process protection.
Definition at line 58 of file introcore.h.
Referenced by IntWinProcIsEnoughHeapAvailable().
| #define RB_TREE_INIT | ( | Name, | |
| Free, | |||
| Compare | |||
| ) |
Initializes a RBTREE structure.
| [in,out] | Name | The RBTREE structure to be initialized |
| [in] | Free | The PFUNC_RbTreeNodeFree function used to cleanup the tree. Called by RbUninit for each node in the tree |
| [in] | Compare | The PFUNC_RbTreeNodeCompare used to compare elements of the tree. Used by RbSearch and RbInsertNode |
Definition at line 39 of file introcore.h.
Referenced by DbgCrWriteTestCallback().
| typedef struct _VA_TRANSLATION * PVA_TRANSLATION |
| typedef struct _VA_TRANSLATION VA_TRANSLATION |
Encapsulates information about a virtual to physical memory translation.
| enum PAGING_MODE |
Paging modes.
| Enumerator | |
|---|---|
| PAGING_NONE | No paging. |
| PAGING_NORMAL_MODE | 32-bit paging |
| PAGING_PAE_MODE | 32-bit paging with PAE |
| PAGING_4_LEVEL_MODE | 4-level paging |
| PAGING_5_LEVEL_MODE | 5-level paging |
Definition at line 66 of file introcore.h.
Traps to a debugger and dumps the Introcore state.
This function should not be used directly, the IntDbgEnterDebugger macro should be used instead.
| [in] | File | NULL-terminated string containing the name of the file from which this function was called |
| [in] | Line | The line number from which this function was called |
Definition at line 2411 of file introcore.c.
Traps to a debugger.
This function should not be used directly, the IntEnterDebugger macro should be used instead.
| [in] | File | NULL-terminated string containing the name of the file from which this function was called |
| [in] | Line | The line number from which this function was called |
Definition at line 2388 of file introcore.c.
| INTSTATUS IntInit | ( | GLUE_IFACE * | GlueInterface, |
| UPPER_IFACE const * | UpperInterface | ||
| ) |
Initializes introcore.
This will validate and initialize the GLUE_IFACE and UPPER_IFACE instances, as well as the gLock lock.
| [in,out] | GlueInterface | The instance of GLUE_IFACE to be used. The part that must be implemented by the integrator must be implemented. Introcore will fill initialize the APIs it exposes. |
| [in] | UpperInterface | The instance of UPPER_IFACE to be used. All the mandatory APIs must be implemented |
Definition at line 186 of file introcore.c.
Injects an exception inside the guest.
Note that even if this function exits with success, there is still no guarantee that the exception was injected inside the guest, as the hypervisor may have other exceptions to inject. In order to be sure that the exception we scheduled was injected, the IntHandleEventInjection callback registered with GLUE_IFACE.RegisterEventInjectionHandler is used.
| [in] | Vector | Vector to be injected |
| [in] | Cr2 | Cr2 value. Ignored if Vector is not 14 (page fault) |
| [in] | ErrorCode | The error code of the exception. Ignored for exceptions that do not have an error code |
| [in] | CpuNumber | The CPU on which the exception should be injected. IG_CURRENT_VCPU is not a valid value |
| INT_STATUS_SUCCESS | in case of success |
| INT_STATUS_INVALID_PARAMETER_4 | is the CPU number is not valid |
| INT_STATUS_ALREADY_INITIALIZED | if an exception is already scheduled on the specified CPU |
Definition at line 2264 of file introcore.c.
Referenced by DbgInjectPf(), IntHandleCowOnPage(), IntHandleFetchRetryOnPageBoundary(), IntLixVmaHandlePageExecution(), IntSwapMemHandleBreakpointAgent(), IntSwapMemInjectPendingPF(), IntWinModBlockHandleExecution(), IntWinSudHandleSudExec(), and IntWinVadHandlePageExecution().
Reads 4 bytes from the guest kernel memory.
| [in] | GuestVirtualAddress | Virtual address from which to read |
| [out] | Data | Data read from the guest |
Definition at line 829 of file introcore.c.
Referenced by DbgDumpGuestModules(), IntKsymRelativeFindOffsetTableEnd(), IntLixCommitCredsHandle(), IntLixCrashDumpDmesg(), IntLixDrvCreateFromAddress(), IntLixGuestGetSystemState(), IntLixGuestIsKptiActive(), IntLixNetIterateTaskConnections(), IntLixTaskActivateExploitProtection(), IntLixTaskCreateFromBinprm(), IntLixTaskCreateInitTask(), IntLixTaskDumpKernelThreadTree(), IntLixTaskDumpTree(), IntLixTaskIterateThreadGroup(), IntLixTaskIterateThreadNode(), IntLogStackTrace(), IntPeFindExportByName(), IntPeFindExportByOrdinal(), IntPeGetExportNameByRva(), IntPeGetRuntimeFunction(), IntThrSafeLixInspectWaitingThread(), IntWinBcHandleBugCheck(), IntWinDrvHandleDriverEntry(), IntWinDrvIterateLoadedModules(), IntWinDrvObjCreateFromAddress(), IntWinGetAccessTokenFromProcess(), IntWinGetAccesTokenFromThread(), IntWinGuestFetchProductType(), IntWinGuestIsIncreasedUserVa(), IntWinGuestResolveImports(), IntWinModFillInjectionData(), IntWinNetCheckPartition(), IntWinNetFindTcpBitmap(), IntWinNetGetTcpPortPoolFromCompartment(), IntWinNetSearchForAlloc(), IntWinProcDeleteProcessObject(), IntWinProcHandleTerminate(), IntWinReadToken(), IntWinStackTraceGet32(), and IntWinStackUserTrapFrameGetGeneric().
Reads 8 bytes from the guest kernel memory.
| [in] | GuestVirtualAddress | Virtual address from which to read |
| [out] | Data | Data read from the guest |
Definition at line 811 of file introcore.c.
Referenced by DbgDumpGuestModules(), DbgDumpVadRoot(), IntKsymRelativeFindOffsetTableEnd(), IntLixCrashDumpDmesg(), IntLixDrvIterateList(), IntLixFileGetDentry(), IntLixFileGetPath(), IntLixGetInitTask(), IntLixGuestNew(), IntLixJumpLabelHandler(), IntLixMmFindVmaInLinkedList(), IntLixMmFindVmaInRbTree(), IntLixMmGetInitMm(), IntLixMmListVmasInternal(), IntLixMmPopulateVmasInternal(), IntLixNetFileIsSocket(), IntLixNetGetConnectionFromSocket(), IntLixNetIterateTaskConnections(), IntLixStackTraceGet(), IntLixStackTraceGetReg(), IntLixTaskActivateExploitProtection(), IntLixTaskCreate(), IntLixTaskCreateInitTask(), IntLixTaskDeactivateExploitProtection(), IntLixTaskFetchMm(), IntLixTaskGetCurrentTaskStruct(), IntLixTaskGetTrapFrame(), IntLixTaskIsUserStackPivoted(), IntLixTaskIterateGuestTasks(), IntLixTaskIterateThreadGroup(), IntLixTaskIterateThreadNode(), IntLixTaskSendCredViolationEvent(), IntLixVdsoFetchAddress(), IntLixVdsoResolveDynamicOffset(), IntLixVdsoResolveImageAddress(), IntLixVmaChangeProtection(), IntLixVmaExpandDownwards(), IntLogStackTrace(), IntStackAnalyzePointer(), IntThrSafeLixGetCurrentStack(), IntThrSafeLixInspectWaitingThread(), IntVmaMarkProtection(), IntWinBcHandleBugCheck(), IntWinDrvIsListHead(), IntWinDrvIterateLoadedModules(), IntWinGetAccessTokenFromProcess(), IntWinGetAccesTokenFromThread(), IntWinGetStartUpTime(), IntWinGuestFindKernelObjects(), IntWinModFillInjectionData(), IntWinPfnIsMmPfnDatabase(), IntWinProcCreateProcessObject(), IntWinProcHandleTerminate(), IntWinReadToken(), IntWinStackTraceGet64(), and IntWinStackUserTrapFrameGetGeneric().
Reads a guest pointer from the guest kernel memory.
| [in] | GuestVirtualAddress | Virtual address from which to read |
| [out] | Data | Data read from the guest. Must be at least 8 bytes long for 64-bit guests, and at least 4 bytes long for 32-bit guests. |
Definition at line 847 of file introcore.c.
Referenced by IntWinDpiValidateThreadStart(), IntWinDrvObjCreateFromAddress(), IntWinHalFindPerformanceCounterInternal(), IntWinHalIsHalPerf(), IntWinIntObjHandleModification(), IntWinIntObjProtect(), IntWinModFillProcessInjectionData(), IntWinNetGetLocalAddr(), IntWinNetGetTcpPortPoolFromCompartment(), IntWinNetIterateLinkedList(), IntWinNetIterateSlinkedList(), IntWinNetParseTcpBitmap(), IntWinNetParseTcpPartition(), IntWinProcIsPsActiveProcessHead(), IntWinStackHandleUserStackPagedOut(), IntWinThrIterateThreads(), IntWinTokenPrivsHandleSwap(), and IntWinTokenPrivsHandleWrite().
Writes 4 bytes in the guest kernel memory.
| [in] | GuestVirtualAddress | Virtual address at which the write is done |
| [out] | Data | Data to write inside the guest |
Definition at line 950 of file introcore.c.
Referenced by IntPtiDeliverDriverForLoad().
Writes 8 bytes in the guest kernel memory.
| [in] | GuestVirtualAddress | Virtual address at which the write is done |
| [out] | Data | Data to write inside the guest |
Definition at line 932 of file introcore.c.
Referenced by IntDetDisableLixHypercall(), IntLixApiUpdateHooks(), IntLixTaskActivateExploitProtection(), IntLixTaskDeactivateExploitProtection(), IntPtiDeliverDriverForLoad(), and IntVmaMarkProtection().
Writes a guest pointer inside the guest kernel memory.
For 64-bit guests, this will write 8 bytes. For 32-bit guests, this will write 4 bytes.
| [in] | GuestVirtualAddress | Virtual address at which the write is done |
| [out] | Data | Data to write inside the guest. For 32-bit guests, only the low 32-bits will be written. |
Definition at line 968 of file introcore.c.
Reads data from a guest kernel virtual memory range.
Similar to IntVirtMemRead, but will always use the system Cr3 saved in gGuest.
| [in] | KernelGva | The start of the guest virtual memory range |
| [in] | Length | The size of the memory range |
| [out] | Buffer | Buffer in which data will be read. Must be at least Length bytes in size. |
| [out] | RetLength | The size we managed to read. In case of success, it will always be equal to Length. May be NULL. |
Definition at line 674 of file introcore.c.
Referenced by DbgDumpCodeblocks(), DbgDumpGuestModules(), DbgTestRead(), IntDetCallCallback(), IntDetCreateObjectLix(), IntDetGetArgumentInternal(), IntDetGetArguments(), IntDetRelocate(), IntDetSetHook(), IntDetSetLixHook(), IntExceptGetVictimEpt(), IntFindKernelPcr(), IntGuestDetectOsSysCall(), IntIdtGetEntry(), IntKernVirtMemFetchDword(), IntKernVirtMemFetchQword(), IntKernVirtMemFetchWordSize(), IntKsymFindIndexesTableStart(), IntKsymInit(), IntLixAgentFindInstruction(), IntLixDentryGetName(), IntLixDrvIsLegitimateTextPoke(), IntLixFileReadDentry(), IntLixGetInitTask(), IntLixGuestIsKptiActive(), IntLixNetFileIsSocket(), IntLixNetGetConnectionFromSocket(), IntLixPatchHandler(), IntLixPatchSwapgs(), IntLixTaskCreateInitTask(), IntLixTaskDumpTree(), IntLixTaskGetTrapFrame(), IntLogContextRecord(), IntLogExceptionRecord(), IntLogTrapFrame(), IntMtblPatchInstruction(), IntPeFindExportByName(), IntPeFindExportByOrdinal(), IntPeFindExportByRva(), IntPeFindFunctionByPattern(), IntPeGetExportNameByRva(), IntPeGetRuntimeFunction(), IntPeGetSectionHeaderByIndex(), IntPtiRemoveInstruction(), IntReadString(), IntRtlpVirtualUnwindCheckAccess(), IntSlackAllocWindows(), IntStackAnalyzePointer(), IntThrSafeWinGetCurrentStack(), IntVeDeliverDriverForLoad(), IntVeFindKernelKvaShadowAndKernelExit(), IntWinAgentActivatePendingAgent(), IntWinAgentFindInstruction(), IntWinAgentHandleDriverVmcall(), IntWinAgentHandleLoader1Hypercall(), IntWinAgentInjectTrampoline(), IntWinAgentRestoreState32(), IntWinAgentRestoreState64(), IntWinApiHookVeHandler(), IntWinCrashHandleDepViolation(), IntWinDpiGetProcessDebugFlag(), IntWinDrvCreateFromAddress(), IntWinDrvHeadersInMemory(), IntWinDrvIsListHead(), IntWinDrvObjCreateFromAddress(), IntWinGuestFindDriversNamespaceNoBuffer(), IntWinGuestFindIdleCr3(), IntWinGuestFindKernelCr3(), IntWinGuestFindKernelObjects(), IntWinGuestReadKernel(), IntWinHalHandleHalHeapExec(), IntWinHalIsIntController(), IntWinHalReadHal(), IntWinHandleException(), IntWinInfCheckCtxLoggerOnRelocation(), IntWinInfHookGetCircularCtxLogger(), IntWinInfHookGetCpuClockIntegrityCallback(), IntWinInfHookGetWmiLoggerGetCpuClock(), IntWinInfHookSiloWmiPtrIntegrityCallback(), IntWinModFillInjectionData(), IntWinNetFindTcpPartition(), IntWinNetGetAddrFam(), IntWinNetGetAddrInfo(), IntWinNetGetLocalAddr(), IntWinNetGetTcpPortPool(), IntWinNetParseTcpBitmap(), IntWinNetParseTcpPartition(), IntWinObjGetObjectNameInfo(), IntWinObjGetPoolHeaderForObject(), IntWinObjHandleRootDirTagInMemory(), IntWinObjIsTypeObject(), IntWinObjParseDriverDirectory(), IntWinPfnIsMmPfnDatabase(), IntWinPowGetRequestedPowerState(), IntWinProcCreateProcessObject(), IntWinProcDumpEgFlags(), IntWinProcEnforceProcessDep(), IntWinProcGetNameFromEprocess(), IntWinProcIsPsActiveProcessHead(), IntWinProcIterateGuestProcesses(), IntWinReadSid(), IntWinReadToken(), IntWinSDReadSecDesc(), IntWinStackUserTrapFrameGetGeneric(), IntWinSudCheckIntegrity(), IntWinSudProtectIntegrity(), IntWinThrGetCurrentThread(), IntWinThrGetCurrentTib(), IntWinThrHandleQueueApc(), IntWinThrHandleThreadHijack(), IntWinVadFetchImageName(), IntWinVadHandleProtectGeneric(), IntWinVadHandleVirtualProtect(), IntWinVadImportProcessTree(), IntWinVadProcImportMainModuleVad(), and IntWinVadRescanVad().
Writes data to a guest kernel virtual memory range.
Similar to IntVirtMemWrite, but will always use the system Cr3 saved in gGuest.
| [in] | KernelGva | The start of the guest virtual memory range |
| [in] | Length | The size of the memory range |
| [out] | Buffer | Buffer with the data to be written. Must be at least Length bytes in size. |
Definition at line 699 of file introcore.c.
Referenced by IntDetSetLixHook(), IntKernVirtMemPatchDword(), IntKernVirtMemPatchQword(), IntKernVirtMemPatchWordSize(), IntLixAgentActivatePendingAgent(), IntLixApiHookAll(), IntLixGuestAllocateDeploy(), IntLixPatchSwapgs(), IntLixUnpatchSwapgs(), IntMemClkUncloakRegionInternal(), IntMtblPatchInstruction(), IntPtiAllocMemtableSpace(), IntRtlpVirtualUnwindCheckAccess(), IntWinAgentRestoreState32(), IntWinAgentRestoreState64(), IntWinDrvObjHandleModification(), IntWinHalHandleDispatchTableWrite(), IntWinHalHandleHalHeapExec(), IntWinHalHandlePerfCounterModification(), IntWinIdtHandleModification(), IntWinInfCheckCtxLoggerOnRelocation(), IntWinInfHookGetCpuClockIntegrityCallback(), and IntWinSudHandleFieldModification().
Matches a pattern using glob match.
This function simply converts the input parameters to UTF-8 and uses IntMatchPatternUtf8.
| [in] | Pattern | A NULL-terminated string containing the pattern |
| [in] | String | A NULL-terminated string against which the pattern is matched |
| [in] | Flags | Flags containing the match. Can be 0, in which case a standard glob match is done, or INTRO_MATCH_TRUNCATED, in which case the match will be done up to the first "*" found inside Pattern |
| True | if a match is found |
| False | if a match is not found |
Definition at line 2491 of file introcore.c.
Referenced by IntCamiUpdateProcessProtectionInfoWin(), IntWinProcGetProtectedInfoEx(), and IntWinProcUpdateProtectedProcess().
Matches a pattern using glob match.
| [in] | Pattern | A NULL-terminated string containing the pattern |
| [in] | String | A NULL-terminated string against which the pattern is matched |
| [in] | Flags | Flags containing the match. Can be 0, in which case a standard glob match is done, or INTRO_MATCH_TRUNCATED, in which case the match will be done up to the first "*" found inside Pattern |
| True | if a match is found |
| False | if a match is not found |
Definition at line 2454 of file introcore.c.
Referenced by IntCamiUpdateProcessProtectionInfoLix(), IntCamiUpdateProcessProtectionInfoWin(), IntLixProcUpdateProtectedProcess(), IntLixTaskAdjustProtections(), IntLixTaskShouldProtect(), IntMatchPatternUtf16(), IntWinProcGetProtectedInfo(), IntWinProcGetProtectedInfoEx(), and IntWinProcUpdateProtectedProcess().
| INTSTATUS IntPauseVcpus | ( | void | ) |
Pauses all the guest VCPUs.
If gInsideDebugger is True, the function does nothing. VCPUs should be resumed using the IntResumeVcpus function. It is safe to call this multiple times in a row, but each call must match a IntResumeVcpus call.
Definition at line 2320 of file introcore.c.
Referenced by IntAddRemoveProtectedProcessUtf16(), IntAddRemoveProtectedProcessUtf8(), IntAgentHandleLogGatherVmcall(), IntAgentHandleRemediationVmcall(), IntDetHandleWrite(), IntDisableIntro(), IntDispatchVeAsEpt(), IntEnginesResultCallback(), IntFlushEPTPermissions(), IntGuestDisableIntro(), IntGuestHandleCr3Write(), IntGuestUpdateCoreOptions(), IntHandleBreakpoint(), IntHandleCrWrite(), IntHandleDtrViolation(), IntHandleEptViolation(), IntHandleEventInjection(), IntHandleIntroCall(), IntHandleMsrViolation(), IntHandleTimer(), IntHandleXcrWrite(), IntHookPtsCheckIntegrity(), IntHookPtsInvokeCallbacks(), IntLixAgentActivatePendingAgent(), IntLixApiUpdateHooks(), IntLixGuestInitAgentCompletion(), IntLixGuestInitAgentHypercall(), IntMemClkCloakRegion(), IntMemClkModifyPatchedData(), IntMemClkUncloakRegionInternal(), IntMtblPatchInstruction(), IntPtiDeliverDriverForLoad(), IntPtiDeliverDriverForUnload(), IntPtiDisableFiltering(), IntPtiEnableFiltering(), IntRtlpVirtualUnwindCheckAccess(), IntSwapgsStartMitigation(), IntVasHookTables(), IntVeCompleteLoader(), IntVeDeliverDriverForLoad(), IntVeDeliverDriverForUnload(), IntVeUnhookVeAgent(), IntWinAgentActivatePendingAgent(), IntWinAgentDeployWinDriver(), IntWinAgentHandleDriverVmcall(), IntWinAgentRemove(), IntWinDrvObjHandleModification(), IntWinGuestKernelHeadersInMemory(), IntWinGuestSectionInMemory(), IntWinHalHandlePerfCounterModification(), IntWinHalSectionInMemory(), IntWinIdtHandleModification(), IntWinInfCheckCtxLoggerOnRelocation(), IntWinInfHookGetCpuClockIntegrityCallback(), IntWinIntObjHandleArrayModification(), IntWinIntObjHandleObjectModification(), IntWinPowDisableSpinWait(), IntWinPowEnableSpinWait(), IntWinProcValidateSystemCr3(), IntWinSDCheckAclIntegrity(), IntWinSDCheckSecDescIntegrity(), IntWinSudHandleFieldModification(), IntWinTokenPtrCheckIntegrityOnProcess(), and IntWinVadHandleDeleteGeneric().
| INTSTATUS IntPhysicalMemRead | ( | QWORD | PhysicalAddress, |
| DWORD | Length, | ||
| void * | Buffer, | ||
| DWORD * | RetLength | ||
| ) |
Reads data from a guest physical memory range, but only for a single page.
| [in] | PhysicalAddress | The start of the guest physical memory range |
| [in] | Length | The size of the memory range |
| [out] | Buffer | Buffer in which data will be read. Must be at least Length bytes in size. |
| [out] | RetLength | The size we managed to read. In case of success, it will always be equal to Length. May be NULL. |
Definition at line 721 of file introcore.c.
Referenced by IntHookPtsDumpPtsEntry(), IntMemClkHashRegion(), IntShcIsSuspiciousCode(), IntWinSelfMapCheckSelfMapEntry(), and IntWinSelfMapGetAndCheckSelfMapEntry().
| INTSTATUS IntPhysicalMemReadAnySize | ( | QWORD | PhysicalAddress, |
| DWORD | Length, | ||
| void * | Buffer, | ||
| DWORD * | RetLength | ||
| ) |
Reads data from a guest physical memory range, regardless of how many pages it spans across.
This is useful when reading contents from large pages, for example.
| [in] | PhysicalAddress | The start of the guest physical memory range |
| [in] | Length | The size of the memory range |
| [out] | Buffer | Buffer in which data will be read. Must be at least Length bytes in size. |
| [out] | RetLength | The size we managed to read. In case of success, it will always be equal to Length. May be NULL. |
Definition at line 764 of file introcore.c.
Referenced by IntSwapMemPageSwappedIn(), and IntSwapMemReadData().
Writes data to a guest physical memory range, but only for a single page.
| [in] | PhysicalAddress | The start of the guest physical memory range |
| [in] | Length | The size of the memory range |
| [out] | Buffer | Buffer that contains the data to be written. Must be at least Length bytes in size. |
Definition at line 744 of file introcore.c.
Referenced by IntMemClkHandleSwap(), and IntWinSudHandleSudExec().
Writes data to a guest physical memory range, regardless of how many pages it spans across.
This is useful when writing to large pages, for example.
| [in] | PhysicalAddress | The start of the guest physical memory range |
| [in] | Length | The size of the memory range |
| [out] | Buffer | Buffer that contains the data to be written. Must be at least Length bytes in size. |
Definition at line 789 of file introcore.c.
| BOOLEAN IntPolicyCoreForceBetaIfNeeded | ( | QWORD | Flag, |
| INTRO_ACTION * | Action | ||
| ) |
Checks if a forced action should be taken even if the log-only mode is active.
| [in] | Flag | Protection option for which the check is done. Must be one of the Activation and protection flags values. |
| [in,out] | Action | Action to be taken |
Definition at line 2803 of file introcore.c.
Referenced by IntCrLixHandleWrite(), IntCrWinHandleWrite(), IntDtrHandleWrite(), IntLixDrvHandleWrite(), IntLixIdtWriteHandler(), IntLixKernelHandleRead(), IntLixMsrHandleWrite(), IntLixValidateProcessCreationRights(), IntLixVdsoHandleWriteCommon(), IntWinDpiCheckCreation(), IntWinDrvHandleRead(), IntWinDrvHandleWrite(), IntWinDrvObjHandleModification(), IntWinDrvObjHandleWrite(), IntWinHalHandleHalHeapExec(), IntWinHalHandleHalIntCtrlWrite(), IntWinHalHandlePerfCounterModification(), IntWinIdtHandleModification(), IntWinIdtWriteHandler(), IntWinInfHookEptSppHandleWrite(), IntWinInfHookIntegrityHandleWrite(), IntWinIntObjHandleModification(), IntWinMsrHandleWrite(), IntWinSelfMapHandleCr3SelfMapWrite(), IntWinSudHandleFieldModification(), IntWinSudHandleKernelSudExec(), IntWinSudHandleUserSudExec(), and IntWinTokenPrivsHandleWrite().
Checks if one of the kernel protection options is in log-only mode.
If the option is one of the POLICY_KM_BETA_FLAGS options and the INTRO_OPT_KM_BETA_DETECTIONS option was also used, the function will always return True. Otherwise the beta options from CAMI are checked.
| [in] | Flag | The option to check. Must be one of the Activation and protection flags values. |
Definition at line 2603 of file introcore.c.
Referenced by IntAlertCoreGetFlags(), IntLixProcPolicyIsBeta(), IntPolicyCoreForceBetaIfNeeded(), IntPolicyCoreTakeAction(), IntWinHalHandleDispatchTableWrite(), IntWinHalHandleHalHeapExec(), IntWinProcPolicyIsBeta(), IntWinSelfMapHandleCr3SelfMapModification(), and IntWinSelfMapHandleCr3SelfMapWrite().
| BOOLEAN IntPolicyCoreTakeAction | ( | QWORD | Flag, |
| INTRO_ACTION * | Action, | ||
| INTRO_ACTION_REASON * | Reason | ||
| ) |
Returns the action that should be taken for a core introspection option.
| [in] | Flag | Protection option for which the policy is returned. Must be one of the Activation and protection flags values. |
| [in,out] | Action | Action to be taken |
| [in,out] | Reason | The reason for which Action is taken |
Definition at line 2693 of file introcore.c.
Referenced by IntCrLixHandleWrite(), IntCrWinHandleWrite(), IntDtrHandleWrite(), IntLixDrvHandleWrite(), IntLixIdtWriteHandler(), IntLixKernelHandleRead(), IntLixMsrHandleWrite(), IntLixValidateProcessCreationRights(), IntLixVdsoHandleWriteCommon(), IntWinDpiCheckCreation(), IntWinDrvHandleRead(), IntWinDrvHandleWrite(), IntWinDrvObjHandleModification(), IntWinDrvObjHandleWrite(), IntWinHalHandleHalHeapExec(), IntWinHalHandleHalIntCtrlWrite(), IntWinHalHandlePerfCounterModification(), IntWinIdtHandleModification(), IntWinIdtWriteHandler(), IntWinInfHookEptSppHandleWrite(), IntWinInfHookIntegrityHandleWrite(), IntWinIntObjHandleModification(), IntWinMsrHandleWrite(), IntWinSelfMapHandleCr3SelfMapModification(), IntWinSelfMapHandleCr3SelfMapWrite(), IntWinSudHandleFieldModification(), IntWinSudHandleKernelSudExec(), IntWinSudHandleUserSudExec(), IntWinTokenPrivsCheckIntegrityOnProcess(), and IntWinTokenPrivsHandleWrite().
| QWORD IntPolicyGetProcProt | ( | const void * | Process | ) |
Gets the protection policy for a process.
| [in] | Process | Process for which the protection policy is returned. For Windows guests this is a pointer to a WIN_PROCESS_OBJECT structure; for Linux guests this is a pointer to a LIX_TASK_OBJECT structure |
Definition at line 2661 of file introcore.c.
Referenced by IntAlertProcGetFlags(), and IntPolicyProcTakeAction().
Checks if a core protection option is in feedback-only mode.
| [in] | Flag | Protection option for which the check is done. Must be one of the Activation and protection flags values. |
Definition at line 2829 of file introcore.c.
Referenced by IntAlertCoreGetFlags(), IntLixProcPolicyIsFeedback(), and IntWinProcPolicyIsFeedback().
| BOOLEAN IntPolicyProcForceBetaIfNeeded | ( | QWORD | Flag, |
| void * | Process, | ||
| INTRO_ACTION * | Action | ||
| ) |
Checks if a forced action should be taken even if the process log-only mode is active.
| [in] | Flag | Protection option for which the check is done. Must be one of the Process protection options values. |
| [in] | Process | Process for which the check is done. For Windows guests this is a pointer to a WIN_PROCESS_OBJECT structure; for Linux guests this is a pointer to a LIX_TASK_OBJECT structure |
| [in,out] | Action | Action to be taken |
Definition at line 2773 of file introcore.c.
Referenced by IntLixAccessRemoteVmHandler(), IntLixTaskHandleInjection(), IntLixValidateProcessCreationRights(), IntLixVmaHandlePageExecution(), IntWinDagentHandleDoubleAgent(), IntWinModHandleKernelWrite(), IntWinModHandleUserWrite(), IntWinProcHandleCopyMemory(), IntWinProcHandleInstrument(), IntWinThrHandleQueueApc(), IntWinThrHandleThreadHijack(), and IntWinVadHandlePageExecution().
Checks if a process protection policy is in log-only mode.
| [in] | Process | The process for which the check is done. For Windows guests this is a pointer to a WIN_PROCESS_OBJECT structure; for Linux guests this is a pointer to a LIX_TASK_OBJECT structure |
| [in] | Flag | Protection option to be checked. This must be one of the Process protection options values |
Definition at line 2569 of file introcore.c.
Referenced by IntAlertProcGetFlags(), IntPolicyProcForceBetaIfNeeded(), IntPolicyProcTakeAction(), IntWinDagentSendDoubleAgentAlert(), and IntWinProcEnforceProcessDep().
Checks if a process protection policy is in feedback-only mode.
| [in] | Process | The process for which the check is done. For Windows guests this is a pointer to a WIN_PROCESS_OBJECT structure; for Linux guests this is a pointer to a LIX_TASK_OBJECT structure |
| [in] | Flag | Protection option to be checked. This must be one of the Process protection options values |
Definition at line 2627 of file introcore.c.
Referenced by IntAlertProcGetFlags(), and IntPolicyProcTakeAction().
| BOOLEAN IntPolicyProcTakeAction | ( | QWORD | Flag, |
| void const * | Process, | ||
| INTRO_ACTION * | Action, | ||
| INTRO_ACTION_REASON * | Reason | ||
| ) |
Returns the action that should be taken for a process protection option.
| [in] | Flag | Protection option for which the policy is returned. Must be one of the Process protection options values. |
| [in] | Process | Process for which the protection policy is checked. For Windows guests this is a pointer to a WIN_PROCESS_OBJECT structure; for Linux guests this is a pointer to a LIX_TASK_OBJECT structure |
| [in,out] | Action | Action to be taken |
| [in,out] | Reason | The reason for which Action is taken |
Definition at line 2732 of file introcore.c.
Referenced by IntLixAccessRemoteVmHandler(), IntLixTaskHandleInjection(), IntLixValidateProcessCreationRights(), IntWinDagentHandleDoubleAgent(), IntWinModHandleKernelWrite(), IntWinModHandleUserWrite(), IntWinProcHandleCopyMemory(), IntWinProcHandleInstrument(), IntWinThrHandleQueueApc(), IntWinThrHandleThreadHijack(), and IntWinVadIsExecSuspicious().
| void IntPreinit | ( | void | ) |
Initializes the global variables used throughout the project.
This should be called before IntInit in order to ensure that the global state is properly zeroed before introcore starts.
Definition at line 166 of file introcore.c.
| INTSTATUS IntReadString | ( | QWORD | StrGva, |
| DWORD | MinimumLength, | ||
| BOOLEAN | AnsiOnly, | ||
| char ** | String, | ||
| DWORD * | StringLength | ||
| ) |
Reads a string from the guest kernel memory.
| [in] | StrGva | Guest virtual address from which to read the string |
| [in] | MinimumLength | The minimum length the string should have |
| [in] | AnsiOnly | If the string should be an ANSI string |
| [in,out] | String | On success, will point to the string. This will be allocated with HpAllocWithTag. The caller is responsible of freeing this memory with HpFreeAndNullWithTag. |
| [out] | StringLength | The length of the string. May be NULL. |
| INT_STATUS_SUCCESS | in case of success |
| INT_STATUS_INVALID_PARAMETER_1 | if StrGva does not point inside the kernel |
| INT_STATUS_INVALID_PARAMETER_2 | is MinimumLength is 0 or more than PAGE_SIZE. Note that the string can still span across two pages |
| INT_STATUS_NOT_FOUND | if no valid string is found |
| INT_STATUS_INSUFFICIENT_RESOURCES | if not enough memory could be allocated for the string |
Definition at line 2880 of file introcore.c.
Referenced by IntLixTaskCreateFromBinprm(), IntLixTaskPathGetByDentry(), and IntWinGuestResolveImports().
| INTSTATUS IntResumeVcpus | ( | void | ) |
Resumes the VCPUs previously paused with IntPauseVcpus.
If gInsideDebugger is True, the function does nothing. It is an error to call this more times than IntPauseVcpus was called.
Definition at line 2355 of file introcore.c.
Referenced by IntAddRemoveProtectedProcessUtf16(), IntAddRemoveProtectedProcessUtf8(), IntAgentHandleLogGatherVmcall(), IntAgentHandleRemediationVmcall(), IntDetHandleWrite(), IntDisableIntro(), IntDispatchVeAsEpt(), IntEnginesResultCallback(), IntFlushEPTPermissions(), IntGuestDisableIntro(), IntGuestHandleCr3Write(), IntGuestUpdateCoreOptions(), IntHandleBreakpoint(), IntHandleCrWrite(), IntHandleDtrViolation(), IntHandleEptViolation(), IntHandleEventInjection(), IntHandleIntroCall(), IntHandleMsrViolation(), IntHandleTimer(), IntHandleXcrWrite(), IntHookPtsCheckIntegrity(), IntHookPtsInvokeCallbacks(), IntLixAgentActivatePendingAgent(), IntLixApiUpdateHooks(), IntLixGuestInitAgentCompletion(), IntLixGuestInitAgentHypercall(), IntMemClkCloakRegion(), IntMemClkModifyPatchedData(), IntMemClkUncloakRegionInternal(), IntMtblPatchInstruction(), IntPtiDeliverDriverForLoad(), IntPtiDeliverDriverForUnload(), IntPtiDisableFiltering(), IntPtiEnableFiltering(), IntRtlpVirtualUnwindCheckAccess(), IntSwapgsStartMitigation(), IntVasHookTables(), IntVeCompleteLoader(), IntVeDeliverDriverForLoad(), IntVeDeliverDriverForUnload(), IntVeUnhookVeAgent(), IntWinAgentActivatePendingAgent(), IntWinAgentDeployWinDriver(), IntWinAgentHandleDriverVmcall(), IntWinAgentRemove(), IntWinDrvObjHandleModification(), IntWinGuestKernelHeadersInMemory(), IntWinGuestSectionInMemory(), IntWinHalHandlePerfCounterModification(), IntWinHalSectionInMemory(), IntWinIdtHandleModification(), IntWinInfCheckCtxLoggerOnRelocation(), IntWinInfHookGetCpuClockIntegrityCallback(), IntWinIntObjHandleArrayModification(), IntWinIntObjHandleObjectModification(), IntWinPowDisableSpinWait(), IntWinPowEnableSpinWait(), IntWinProcValidateSystemCr3(), IntWinSDCheckAclIntegrity(), IntWinSDCheckSecDescIntegrity(), IntWinSudHandleFieldModification(), IntWinTokenPtrCheckIntegrityOnProcess(), and IntWinVadHandleDeleteGeneric().
Translates a guest virtual address to a guest physical address.
This is a wrapper over IntTranslateVirtualAddressEx, but instead of returning the entire translation information, it will return only the physical address to which Gva maps. This function will fail if Gva is not present.
| [in] | Gva | Guest virtual address to be translated |
| [in] | Cr3 | The Cr3 to be used for the translation. If 0, the currently loaded kernel Cr3 will be used. If the current process has different page directory table base registers for user mode and kernel mode due to KPTI, the kernel Cr3 will be used even if the user mode Cr3 is currently loaded |
| [out] | PhysicalAddress | On success, the physical address to which Gva maps. |
| INT_STATUS_SUCCESS | in case of success |
| INT_STATUS_INVALID_PARAMETER_3 | if PhysicalAddress is NULL |
| INT_STATUS_PAGE_NOT_PRESENT | if Gva is not present or if the paging mode is PAGING_NONE |
| INT_STATUS_NO_MAPPING_STRUCTURES | if at any given point, the translation fails because a mapping structure can't be accessed |
Definition at line 1999 of file introcore.c.
Referenced by DbgDumpPfn(), IntAlertEptFillFromVictimZone(), IntHandleDtrViolation(), IntHandleEptViolation(), IntIntegrityCheckAll(), IntLixDrvSendViolationEvent(), IntLixGuestNew(), IntLixMmListVmasInternal(), IntLixTaskFetchMm(), IntLixVdsoDynamicProtectRelocate(), IntLixVdsoFixedProtect(), IntPeFindFunctionStart(), IntVeDumpVeInfoPage(), IntVeEnableDisableDriverAccessInProtectedView(), IntVeSetVeInfoPage(), IntWinCrashHandleDepViolation(), IntWinDpiValidateThreadStart(), IntWinDrvObjCreateFromAddress(), IntWinDrvObjHandleWrite(), IntWinDrvObjRemoveFromAddress(), IntWinHalProtectHalHeapExecs(), and IntWinStackHandleUserStackPagedOut().
| INTSTATUS IntTranslateVirtualAddressEx | ( | QWORD | Gva, |
| QWORD | Cr3, | ||
| DWORD | Flags, | ||
| VA_TRANSLATION * | Translation | ||
| ) |
Translates a guest virtual address to a guest physical address.
If error is returned, an incomplete trace is stored in the translation, and the translated physical address is not valid. If success is returned, a complete trace is stored inside the translation, however, it may still be possible that the page frame is not present. The caller must check the translation flags upon successful exit.
| [in] | Gva | Guest virtual address to be translated |
| [in] | Cr3 | The Cr3 used for the translation |
| [in] | Flags | Flags controlling the translation. May be 0 or a combination of Translation flags values. If it does not specify a paging mode, the function will deduce it by using the memory information inside gGuest. If TRFLG_CACHING_ATTR is set, will also obtain the caching attributes using the guest's IA32_PAT MSR. |
| [out] | Translation | Translation information |
| INT_STATUS_SUCCESS | in case of success. This does not guarantee that Gva is present inside the leaf page table |
| INT_STATUS_NO_MAPPING_STRUCTURES | if at any given point, the translation fails because a mapping structure can't be accessed. |
Definition at line 1863 of file introcore.c.
Referenced by DbgDumpTranslation(), IntDecEmulatePageWalk(), IntHandleCowOnPage(), IntHookPtsCheckIntegrity(), IntIcAddInvdForInstruction(), IntLixGuestAllocateFill(), IntLixGuestFindKernelVersionAndRo(), IntSwapMemInjectPendingPF(), IntSwapMemReadData(), IntTranslateVirtualAddress(), IntValidateRangeForWrite(), IntValidateTranslation(), IntVeDumpVeInfoPage(), IntVeHandleEPTViolationInProtectedView(), IntVirtMemMap(), IntVirtMemSafeWrite(), IntWinDpiValidateHeapSpray(), IntWinDrvObjIsValidDriverObject(), IntWinGuestFindSystemCr3(), IntWinGuestIsSystemCr3(), IntWinHalFindHalHeapAndInterruptController(), IntWinLogVAInfo(), IntWinPfnIsMmPfnDatabase(), IntWinPfnLockAddress(), IntWinProcValidateSystemCr3(), IntWinSDFetchSecDescAddress(), IntWinSDReadSecDesc(), and IntWinTokenFetchTokenAddress().
| INTSTATUS IntUninit | ( | void | ) |
Disables and uninitializes Introcore.
This will disable introspection engine, remove the guest protection and uninitialize the global state. Note that if a guest is initialized, disabling the protection for it will be done using the IG_DISABLE_IGNORE_SAFENESS option. This will also unmap everything in the gMultiPageMaps list of mappings, reset the GLUE_IFACE and UPPER_IFACE instances and uninitialize the gLock lock.
Definition at line 266 of file introcore.c.
Reads 4 bytes from the guest memory.
| [in] | GuestVirtualAddress | Virtual address from which to read |
| [in] | Cr3 | The Cr3 used to translate GuestVirtualAddress. If 0, the current kernel Cr3 will be used. |
| [out] | Data | Data read from the guest |
Definition at line 887 of file introcore.c.
Referenced by IntWinProcHandleInstrument().
Reads 8 bytes from the guest memory.
| [in] | GuestVirtualAddress | Virtual address from which to read |
| [in] | Cr3 | The Cr3 used to translate GuestVirtualAddress. If 0, the current kernel Cr3 will be used. |
| [out] | Data | Data read from the guest |
Definition at line 866 of file introcore.c.
Referenced by IntLixDrvFindList(), and IntLixStackDumpUmStackTrace().
Reads a NULL-terminated string from the guest.
| [in] | Gva | Guest virtual address from which the read starts |
| [in] | MaxLength | Maximum length to be read. If a NULL terminator is not found before MaxLength bytes are read, the read stops. |
| [in] | Cr3 | The Cr3 used to translate Gva. If 0, the current kernel Cr3 will be used. |
| [out] | Buffer | Buffer containing the data read from the guest |
| INT_STATUS_SUCCESS | in case of success |
| INT_STATUS_INVALID_PARAMETER_4 | is Buffer is NULL |
| INT_STATUS_NOT_FOUND | if a NULL terminator is not found before MaxLength bytes are read |
Definition at line 1053 of file introcore.c.
Reads a guest pointer from the guest memory.
For 64-bit guests, this will read 8 bytes. For 32-bit guests, this will read 4 bytes.
| [in] | GuestVirtualAddress | Virtual address from which to read |
| [in] | Cr3 | The Cr3 used to translate GuestVirtualAddress. If 0, the current kernel Cr3 will be used. |
| [out] | Data | Data read from the guest. The buffer must be at least 8 bytes in size for 64-bit guests, and 4 bytes in size for 32-bit guests. |
Definition at line 908 of file introcore.c.
Referenced by IntWinProcHandleInstrument().
| __must_check INTSTATUS IntVirtMemMap | ( | QWORD | Gva, |
| DWORD | Length, | ||
| QWORD | Cr3, | ||
| DWORD | Flags, | ||
| void ** | HostPtr | ||
| ) |
Maps a guest virtual memory range inside Introcore virtual address space.
If the virtual range spans across multiple pages, IntVirtMemMapMultiPage will be used
| [in] | Gva | Guest virtual address to be mapped |
| [in] | Length | The length of the virtual range |
| [in] | Cr3 | Cr3 used to translate Gva. If 0, the current kernel Cr3 will be used |
| [in] | Flags | Ignored. TODO: remove |
| [out] | HostPtr | On success, will contain a pointer to the mapped memory |
| INT_STATUS_SUCCESS | in case of success |
| INT_STATUS_INVALID_PARAMETER_2 | if Length is 0 |
| INT_STATUS_PAGE_NOT_PRESENT | if Gva is not present or if the paging mode is PAGING_NONE |
| INT_STATUS_NO_MAPPING_STRUCTURES | if at any given point, the translation fails because a mapping structure can't be accessed |
Definition at line 2134 of file introcore.c.
Referenced by _IntLixTaskRead(), _IntLixTaskStartMap(), DbgDumpGuestModules(), DbgDumpPfn(), IntAlertFillCodeBlocks(), IntDecDecodeInstruction(), IntExceptDumpSignatures(), IntExceptGetVictimIntegrity(), IntExceptUserLogWindowsInformation(), IntExceptVerifyCodeBlocksSig(), IntExceptVerifyValueCodeSig(), IntIntegrityAddRegion(), IntIntegrityRecalculate(), IntKsymFindIndexesTableStart(), IntKsymFindMarkersReducedTableEnd(), IntKsymFindMarkersTableEnd(), IntKsymFindNamesTableEnd(), IntKsymInitAbsolute(), IntKsymRelativeFindOffsetTableEnd(), IntKsymRelativeFindOffsetTableStart(), IntLixAgentFree(), IntLixCrashDumpDmesg(), IntLixCredInitMap(), IntLixCredsDump(), IntLixDrvCreateDriverObject(), IntLixDrvFindList(), IntLixDrvValidate(), IntLixDumpStacktrace(), IntLixFsrInitMap(), IntLixFsrRead(), IntLixGetInitTask(), IntLixGuestClearGuestMemory(), IntLixGuestFindKernelBase(), IntLixMmGetInitMm(), IntLixPatchSwapgs(), IntLixStackTraceGet(), IntLixTaskCreateFromBinprm(), IntLixTaskFetchCmdLine(), IntPeFindExportByName(), IntPeFindExportByOrdinal(), IntPeFindExportByRva(), IntPeFindFunctionByPattern(), IntPeFindFunctionStart(), IntPeGetDirectory(), IntPeGetExportNameByRva(), IntPeGetRuntimeFunction(), IntPeGetSectionHeaderByIndex(), IntPeGetSectionHeaderByRva(), IntPeGetSectionHeadersByName(), IntPeListSectionsHeaders(), IntPeParseUnwindData(), IntPeValidateHeader(), IntPtiCacheAdd(), IntPtiCacheRemove(), IntPtiMonitorAllPtWriteCandidates(), IntPtiRemovePtFilter(), IntReadString(), IntSerializeExtractCodeBlocks(), IntSlackAllocLinux(), IntThrSafeIsStackPtrInIntro(), IntThrSafeMoveReturn(), IntThrSafeWinInspectWaitingThread(), IntVeRemoveAgent(), IntVeUpdateCacheEntry(), IntVirtMemReadWrite(), IntVirtMemSet(), IntWinDpiValidateHeapSpray(), IntWinDrvObjIsValidDriverObject(), IntWinDrvRemoveFromAddress(), IntWinGuestFindBuildNumber(), IntWinGuestFindDriversNamespaceNoBuffer(), IntWinGuestFindIdleCr3(), IntWinGuestFindKernel(), IntWinGuestFindKernelCr3(), IntWinGuestFindKernelObjectsInternal(), IntWinGuestReadKernel(), IntWinGuestValidateKernel(), IntWinHalFindHalHeapAndInterruptController(), IntWinHalFindInterruptController(), IntWinHalHandleDispatchTableWrite(), IntWinHalReadHal(), IntWinIntObjHandleArrayModification(), IntWinModHookPoly(), IntWinNetFillTcpStruct(), IntWinNetFindTcpBitmap(), IntWinNetFindTcpObjects(), IntWinNetFindTcpPartition(), IntWinNetSearchForAlloc(), IntWinPfnModifyRefCount(), IntWinProcMapEprocess(), IntWinStackTraceGet32(), IntWinStackTraceGet64(), IntWinStackTraceGetUser32(), IntWinStackTraceGetUser64(), IntWinStackUserTrapFrameGet32(), IntWinStackUserTrapFrameGet64(), IntWinSudHandleFieldModification(), IntWinTokenPrivsShouldHook(), and IntWinVadMapShortVad().
Writes 4 bytes in the guest memory.
| [in] | GuestVirtualAddress | Virtual address at which the write is done |
| [in] | Cr3 | The Cr3 used to translate GuestVirtualAddress. If 0, the current kernel Cr3 will be used. |
| [out] | Data | Data to write inside the guest |
Definition at line 1010 of file introcore.c.
Writes 8 bytes in the guest memory.
| [in] | GuestVirtualAddress | Virtual address at which the write is done |
| [in] | Cr3 | The Cr3 used to translate GuestVirtualAddress. If 0, the current kernel Cr3 will be used. |
| [out] | Data | Data to write inside the guest |
Definition at line 989 of file introcore.c.
Writes a guest pointer inside the guest memory.
| [in] | GuestVirtualAddress | Virtual address at which the write is done |
| [in] | Cr3 | The Cr3 used to translate GuestVirtualAddress. If 0, the current kernel Cr3 will be used. |
| [out] | Data | Data to write inside the guest. For 32-bit guests, only the low 32-bits will be written. |
Definition at line 1031 of file introcore.c.
Reads data from a guest virtual memory range.
| [in] | Gva | The start of the guest virtual memory range |
| [in] | Length | The size of the memory range |
| [in] | Cr3 | The Cr3 used to translate Gva. If 0, the current kernel Cr3 will be used. |
| [out] | Buffer | Buffer in which data will be read. Must be at least Length bytes in size. |
| [out] | RetLength | The size we managed to read. In case of success, it will always be equal to Length. May be NULL. |
Definition at line 627 of file introcore.c.
Referenced by IntAgentHandleLogGatherVmcall(), IntAgentHandleRemediationVmcall(), IntAlertFillDpiExtraInfo(), IntAlertFillExecContext(), IntDisasmGva(), IntDumpGvaEx(), IntExceptGetVictimEpt(), IntExceptVerifyValueCodeSig(), IntExceptVerifyValueSig(), IntGetValueFromOperand(), IntHandleDtrViolation(), IntHandleFetchRetryOnPageBoundary(), IntKsymRelativeFindOffsetTableStart(), IntLixAgentFillDataFromMemory(), IntMemClkHandleRead(), IntSerializeDpiWinHeapSpray(), IntSerializeDpiWinPivotedStack(), IntSerializeDpiWinThreadStart(), IntSerializeRawDump(), IntSerializeRipCode(), IntShcIsSuspiciousCode(), IntVirtMemFetchDword(), IntVirtMemFetchQword(), IntVirtMemFetchString(), IntVirtMemFetchWordSize(), IntVirtMemMapMultiPage(), IntWinCrashHandleDepViolation(), IntWinGuestFindIdleCr3(), IntWinModBlockHandleExecution(), IntWinObjHandleDriverDirectoryEntryInMemory(), IntWinProcHandleCopyMemory(), IntWinProcHandleInstrument(), IntWinStackTraceGetUser(), IntWinStackTraceGetUser32(), IntWinStackWow64CheckIsPivoted(), IntWinThrGetCurrentStackBaseAndLimit(), IntWinThrGetUmStackBaseAndLimitFromTib(), IntWinThrHandleQueueApc(), IntWinThrHandleThreadHijack(), IntWinTokenCheckCurrentPrivileges(), and IntWinTokenPrivsProtectOnProcess().
Definition at line 414 of file introcore.c.
Referenced by IntLixGuestInitAgentCompletion().
| INTSTATUS IntVirtMemUnmap | ( | void ** | HostPtr | ) |
Unmaps a memory range previously mapped with IntVirtMemMap.
| [in] | HostPtr | Points to the memory area allocated when the map was done. After this function returns, it will point to NULL. |
Definition at line 2234 of file introcore.c.
Referenced by _IntLixTaskFinishMap(), DbgDumpGuestModules(), DbgDumpPfn(), IntAlertFillCodeBlocks(), IntDecDecodeInstruction(), IntExceptDumpSignatures(), IntExceptGetVictimIntegrity(), IntExceptUserLogWindowsInformation(), IntExceptVerifyCodeBlocksSig(), IntExceptVerifyValueCodeSig(), IntIntegrityAddRegion(), IntIntegrityRecalculate(), IntKsymFindIndexesTableStart(), IntKsymFindMarkersReducedTableEnd(), IntKsymFindMarkersTableEnd(), IntKsymFindNamesTableEnd(), IntKsymInitAbsolute(), IntKsymRelativeFindOffsetTableEnd(), IntKsymRelativeFindOffsetTableStart(), IntLixAgentFree(), IntLixCrashDumpDmesg(), IntLixCredsDump(), IntLixCredUninitMap(), IntLixDrvCreateDriverObject(), IntLixDrvFindList(), IntLixDrvValidate(), IntLixDumpStacktrace(), IntLixFsrUninitMap(), IntLixGetInitTask(), IntLixGuestClearGuestMemory(), IntLixGuestFindKernelBase(), IntLixMmGetInitMm(), IntLixPatchSwapgs(), IntLixStackTraceGet(), IntLixTaskCreateFromBinprm(), IntLixTaskFetchCmdLine(), IntPeFindExportByName(), IntPeFindExportByOrdinal(), IntPeFindExportByRva(), IntPeFindFunctionByPattern(), IntPeFindFunctionStart(), IntPeGetDirectory(), IntPeGetExportNameByRva(), IntPeGetRuntimeFunction(), IntPeGetSectionHeaderByIndex(), IntPeGetSectionHeaderByRva(), IntPeGetSectionHeadersByName(), IntPeListSectionsHeaders(), IntPeParseUnwindData(), IntPeValidateHeader(), IntPhysMemReadWriteAnySize(), IntPtiCacheAdd(), IntPtiCacheRemove(), IntPtiMonitorAllPtWriteCandidates(), IntPtiRemovePtFilter(), IntReadString(), IntSerializeExtractCodeBlocks(), IntSlackAllocLinux(), IntThrSafeIsStackPtrInIntro(), IntThrSafeMoveReturn(), IntThrSafeWinInspectWaitingThread(), IntVeDeliverDriverForUnload(), IntVeHandleSwap(), IntVeRemoveAgent(), IntVirtMemReadWrite(), IntVirtMemSet(), IntWinDpiValidateHeapSpray(), IntWinDrvObjIsValidDriverObject(), IntWinDrvRemoveFromAddress(), IntWinGuestFindBuildNumber(), IntWinGuestFindDriversNamespaceNoBuffer(), IntWinGuestFindIdleCr3(), IntWinGuestFindKernel(), IntWinGuestFindKernelCr3(), IntWinGuestFindKernelObjectsInternal(), IntWinGuestReadKernel(), IntWinGuestValidateKernel(), IntWinHalFindHalHeapAndInterruptController(), IntWinHalFindInterruptController(), IntWinHalHandleDispatchTableWrite(), IntWinHalReadHal(), IntWinIntObjHandleArrayModification(), IntWinModHookPoly(), IntWinNetFillTcpStruct(), IntWinNetFindTcpBitmap(), IntWinNetFindTcpObjects(), IntWinNetFindTcpPartition(), IntWinNetSearchForAlloc(), IntWinPfnModifyRefCount(), IntWinProcAdd(), IntWinProcHandleCreateInternal(), IntWinProcSwapIn(), IntWinStackTraceGet32(), IntWinStackTraceGet64(), IntWinStackTraceGetUser32(), IntWinStackTraceGetUser64(), IntWinStackUserTrapFrameGet32(), IntWinStackUserTrapFrameGet64(), IntWinSudHandleFieldModification(), IntWinTokenPrivsShouldHook(), and IntWinVadFetchVadFromMemory().
Writes data to a guest virtual memory range.
| [in] | Gva | The start of the guest virtual memory range |
| [in] | Length | The size of the memory range |
| [in] | Cr3 | The Cr3 used to translate Gva. If 0, the current kernel Cr3 will be used. |
| [out] | Buffer | Buffer with the data to be written. Must be at least Length bytes in size. |
Definition at line 652 of file introcore.c.
Referenced by IntDetRelocate(), IntLixAgentCreateThreadHypercall(), IntMemClkCloakRegion(), IntMemClkModifyPatchedData(), IntVirtMemPatchDword(), IntVirtMemPatchQword(), IntVirtMemPatchWordSize(), and IntWinDagentHandleSlackWritable().
| char* utf16_for_log | ( | const WCHAR * | WString | ) |
Converts a UTF-16 to a UTF-8 string to be used inside logging macros.
This function should be called only from one of the log macros (TRACE, INFO. WARNING, LOG, ERROR, CRITICAL). Note that each string is limited to a size of 1KB and calling this function more than 8 times in a row (in the same logging macro) is an error. The log macros will reset the global state used for conversion. This is needed because not all logging implementations can handle wide char strings.
| [in] | WString | NULL-terminated string to be converted |
Definition at line 2845 of file introcore.c.
Referenced by DbgDumpGuestModules(), IntAgentHandleLogGatherVmcall(), IntAgentHandleRemediationVmcall(), IntDetSetHook(), IntDriverDump(), IntExceptKernelLogWindowsInformation(), IntExceptKernelUserLogWindowsInformation(), IntExceptUserLogWindowsInformation(), IntLogCurrentIP(), IntLogProcessInfo(), IntLogStackTrace(), IntModBlockHandleBlockModHeadersInMemory(), IntModBlockHandlePreInjection(), IntWinAgentSelectBootstrapAddress(), IntWinApiHook(), IntWinDagentCheckNativeSubsystem(), IntWinDagentHandleDoubleAgent(), IntWinDagentHandleSuspModExecution(), IntWinDrvCreateFromAddress(), IntWinDrvForceDisableReadNtEat(), IntWinDrvHeadersInMemory(), IntWinDrvObjCreateFromAddress(), IntWinDrvObjHandleWrite(), IntWinDrvObjProtect(), IntWinDrvObjProtectFastIoDispatch(), IntWinDrvObjUnprotect(), IntWinDrvObjUnprotectFastIoDispatch(), IntWinDrvObjUpdateProtection(), IntWinDrvUnprotect(), IntWinDrvUpdateProtection(), IntWinModBlockHandleExecution(), IntWinModCacheCreate(), IntWinModHandleExportsInMemory(), IntWinModHandleModulePathInMemory(), IntWinModHandlePreInjection(), IntWinModHookModule(), IntWinModulesChangeProtectionFlags(), IntWinProcAddProtectedProcess(), IntWinProcCreateProcessObject(), IntWinProcDump(), IntWinProcDumpProtected(), IntWinProcHandleCopyMemory(), IntWinProcSwapIn(), IntWinProcSwapOut(), IntWinUmModCacheFetch(), IntWinUmModCacheFillExports(), IntWinUmModCacheFillHeaders(), IntWinUmPathCreate(), and IntWinVadDump().
| BOOLEAN gAbortLoad |
Set to True if introcore should abort the initialization process.
Definition at line 59 of file introcore.c.
Referenced by IntAbortEnableIntro(), and IntGuestHandleCr3Write().
| const QWORD gByteMaskToBitMask[256] |
Converts a byte number to a mask having the bits in those bytes set.
For example, for 5, will return 0x0000000000ff00ff which has bytes 0 and 1 filled.
Definition at line 73 of file introcore.c.
Referenced by IntHookPtwProcessWrite().
| INTRO_ERROR_CONTEXT gErrorContext |
Global storage for the error context used by GLUE_IFACE.NotifyIntrospectionErrorState.
Since API calls are serialized, all the error notifications use this as the context in order to avoid allocating extra memory when reporting an error, as some errors may be triggered by low memory conditions and we would like to avoid memory allocations in those situations.
Definition at line 43 of file introcore.c.
Referenced by IntWinProcProtect(), and IntWinProcUpdateProtection().
| QWORD gEventId |
The ID of the current event.
Each event handler increments this when a new event is triggered. It is reset back to zero by IntGlueReset. This can be used to tag events and caches.
Definition at line 55 of file glue.c.
Referenced by IncStatsCallsCount(), IntAddExceptionFromAlert(), IntApiEnter(), IntCr0Read(), IntCr3Read(), IntCr4Read(), IntCr8Read(), IntEnginesResultCallback(), IntExceptVerifyCodeBlocksSig(), IntFlushAlertExceptions(), IntGetCurrentIntroOptions(), IntGetExceptionsVersion(), IntGetGprs(), IntGetSupportVersion(), IntGetVersionString(), IntGlueReset(), IntHandleBreakpoint(), IntHandleCrWrite(), IntHandleDtrViolation(), IntHandleEptViolation(), IntHandleEventInjection(), IntHandleIntroCall(), IntHandleMsrViolation(), IntHandleTimer(), IntHandleXcrWrite(), IntLixGuestNew(), IntModifyDynamicOptions(), IntMtblCheckAccess(), IntNewGuestNotification(), IntRemoveException(), IntRipRead(), IntSetGprs(), IntStatsDumpAll(), IntStatStart(), IntStatStop(), and IntWinGuestFinishInit().
| void* gIntHandle |
The guest handle provided by the integrator at initialization.
This is used when communicating between the introspection engine and the integrator and is treated as an opaque pointer by introcore.
Definition at line 49 of file glue.c.
Referenced by DbgProcAdd(), DbgProcClear(), DbgProcRem(), GluePauseVcpus(), GlueResumeVcpus(), IntCreateEPT(), IntDestroyEPT(), IntDisableCrWriteExit(), IntDisableMsrExit(), IntEnableCrWriteExit(), IntEnableMsrExit(), IntFlushEPTPermissions(), IntGetAgentContent(), IntGetEPTPageConvertible(), IntGetEPTPageProtection(), IntGetSPPPageProtection(), IntGlueReset(), IntGpaToHpa(), IntInjectTrap(), IntNewGuestNotification(), IntNotifyEngines(), IntNotifyIntroActive(), IntNotifyIntroDetectedOs(), IntNotifyIntroErrorState(), IntNotifyIntroEvent(), IntNotifyIntroInactive(), IntPhysMemGetTypeFromMtrrs(), IntPhysMemMap(), IntPhysMemUnmap(), IntQueryGuestInfo(), IntRegisterBreakpointHandler(), IntRegisterCrWriteHandler(), IntRegisterDtrHandler(), IntRegisterEnginesResultCallback(), IntRegisterEPTHandler(), IntRegisterEventInjectionHandler(), IntRegisterIntroCallHandler(), IntRegisterMSRHandler(), IntRegisterVmxTimerHandler(), IntRegisterXcrWriteHandler(), IntReleaseBuffer(), IntReserveVaSpaceWithPt(), IntSetEPTPageConvertible(), IntSetEPTPageProtection(), IntSetIntroEmulatorContext(), IntSetSPPPageProtection(), IntSetVEInfoPage(), IntSwitchEPT(), IntToggleRepOptimization(), IntUninit(), IntUnregisterBreakpointHandler(), IntUnregisterCrWriteHandler(), IntUnregisterDtrHandler(), IntUnregisterEnginesResultCalback(), IntUnregisterEPTHandler(), IntUnregisterEventInjectionHandler(), IntUnregisterIntroCallHandler(), IntUnregisterMSRHandler(), IntUnregisterVmxTimerHandler(), and IntUnregisterXcrWriteHandler().
| void* gLock |
A lock that ensures that all the events are serialized inside introcore.
This essentially makes introcore act as a single threaded library, since only one callback will be executing at a time. Since events on Xen are already synchronized this is already true for VMX events even without this lock. It just ensures that this behavior is consistent across all APIs, not just event handlers. Not acquiring this lock is a fatal error as all the code in introcore assumes that this lock is held.
Definition at line 24 of file introcore.c.
Referenced by IntAddExceptionFromAlert(), IntAddRemoveProtectedProcessUtf16(), IntAddRemoveProtectedProcessUtf8(), IntDisableIntro(), IntEnginesResultCallback(), IntFlushAlertExceptions(), IntFlushGpaCache(), IntGetCurrentInstructionLength(), IntGetCurrentInstructionMnemonic(), IntGetCurrentIntroOptions(), IntGetExceptionsVersion(), IntGetGuestInfo(), IntGetSupportVersion(), IntGetVersionString(), IntHandleBreakpoint(), IntHandleCrWrite(), IntHandleDtrViolation(), IntHandleEptViolation(), IntHandleEventInjection(), IntHandleIntroCall(), IntHandleMsrViolation(), IntHandleTimer(), IntHandleXcrWrite(), IntInit(), IntInjectFileAgentInGuest(), IntInjectProcessAgentInGuest(), IntIterateVaSpace(), IntModifyDynamicOptions(), IntNewGuestNotification(), IntNotifyGuestPowerStateChange(), IntRemoveAllProtectedProcesses(), IntRemoveException(), IntSetLogLevel(), IntUninit(), IntUpdateExceptions(), and IntUpdateSupport().
1.8.13