13 #define INTRO_MATCH_TRUNCATED 0x00000001 39 #define RB_TREE_INIT(Name, Free, Compare) \ 56 # define MIN_HEAP_SIZE_PERCENT (20) 58 # define MIN_HEAP_SIZE_PERCENT (30) 61 #define MAX_TRANSLATION_DEPTH 5 82 #define TRFLG_NONE 0x00000000 83 #define TRFLG_CACHING_ATTR 0x00000001 84 #define TRFLG_NORMAL_MODE 0x10000000 85 #define TRFLG_PAE_MODE 0x20000000 86 #define TRFLG_4_LEVEL_MODE 0x30000000 87 #define TRFLG_5_LEVEL_MODE 0x40000000 88 #define TRFLG_MODE_MASK 0xF0000000 89 #define TRFLG_ALL (TRFLG_CACHING_ATTR) 91 #define TRFLG_PG_MODE (gGuest.LA57 ? TRFLG_5_LEVEL_MODE : \ 93 gGuest.Guest64 ? TRFLG_4_LEVEL_MODE : \ 94 gGuest.PaeEnabled ? TRFLG_PAE_MODE : \ 373 #define IntEnterDebugger() IntEnterDebugger2(__FILE__, __LINE__) 381 #define IntDbgEnterDebugger() IntDbgEnterDebugger2(__FILE__, __LINE__) 385 _In_ void const *Detour
437 _In_ void const *Process,
475 #endif // _INTROCORE_H_
QWORD PhysicalAddress
The physical address to which VirtualAddress translates.
enum _INTRO_ACTION_REASON INTRO_ACTION_REASON
The reason for which an INTRO_ACTION was taken.
PAGING_MODE PagingMode
The paging mode used for this translation.
INTSTATUS IntVirtMemUnmap(void **HostPtr)
Unmaps a memory range previously mapped with IntVirtMemMap.
void * gLock
A lock that ensures that all the events are serialized inside introcore.
Exposes the functions used to dump (log) code and registers.
INTSTATUS IntPhysicalMemRead(QWORD PhysicalAddress, DWORD Length, void *Buffer, DWORD *RetLength)
Reads data from a guest physical memory range, but only for a single page.
BOOLEAN IntPolicyCoreForceBetaIfNeeded(QWORD Flag, INTRO_ACTION *Action)
Checks if a forced action should be taken even if the log-only mode is active.
INTSTATUS IntKernVirtMemPatchWordSize(QWORD GuestVirtualAddress, QWORD Data)
Writes a guest pointer inside the guest kernel memory.
INTSTATUS IntKernVirtMemWrite(QWORD KernelGva, DWORD Length, void *Buffer)
Writes data to a guest kernel virtual memory range.
INTSTATUS IntKernVirtMemPatchDword(QWORD GuestVirtualAddress, DWORD Data)
Writes 4 bytes in the guest kernel memory.
BOOLEAN IntPolicyCoreTakeAction(QWORD Flag, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason)
Returns the action that should be taken for a core introspection option.
INTSTATUS IntPhysicalMemWriteAnySize(QWORD PhysicalAddress, DWORD Length, void *Buffer)
Writes data to a guest physical memory range, regardless of how many pages it spans across...
INTSTATUS IntReadString(QWORD StrGva, DWORD MinimumLength, BOOLEAN AnsiOnly, char **String, DWORD *StringLength)
Reads a string from the guest kernel memory.
BOOLEAN IsWritable
True if this page is writable.
#define _Out_writes_bytes_(expr)
INTSTATUS IntVirtMemPatchWordSize(QWORD GuestVirtualAddress, QWORD Cr3, QWORD Data)
Writes a guest pointer inside the guest memory.
QWORD IntPolicyGetProcProt(const void *Process)
Gets the protection policy for a process.
Interface that exposes basic services to the introspection engines.
INTRO_ERROR_CONTEXT gErrorContext
Global storage for the error context used by GLUE_IFACE.NotifyIntrospectionErrorState.
INTSTATUS IntResumeVcpus(void)
Resumes the VCPUs previously paused with IntPauseVcpus.
BYTE CachingAttribute
The caching attributes used for this translation.
INTSTATUS IntVirtMemFetchQword(QWORD GuestVirtualAddress, QWORD Cr3, QWORD *Data)
Reads 8 bytes from the guest memory.
INTSTATUS IntVirtMemWrite(QWORD Gva, DWORD Length, QWORD Cr3, void *Buffer)
Writes data to a guest virtual memory range.
INTSTATUS IntKernVirtMemFetchWordSize(QWORD GuestVirtualAddress, void *Data)
Reads a guest pointer from the guest kernel memory.
int INTSTATUS
The status data type.
QWORD gEventId
The ID of the current event.
BOOLEAN IsExecutable
True if this page is executable.
INTSTATUS IntInjectExceptionInGuest(BYTE Vector, QWORD Cr2, DWORD ErrorCode, DWORD CpuNumber)
Injects an exception inside the guest.
BOOLEAN IntMatchPatternUtf8(const CHAR *Pattern, const CHAR *String, DWORD Flags)
Matches a pattern using glob match.
INTSTATUS IntPhysicalMemWrite(QWORD PhysicalAddress, DWORD Length, void *Buffer)
Writes data to a guest physical memory range, but only for a single page.
void IntEnterDebugger2(PCHAR File, DWORD Line)
Traps to a debugger.
BOOLEAN IntPolicyIsCoreOptionFeedback(QWORD Flag)
Checks if a core protection option is in feedback-only mode.
INTSTATUS IntPauseVcpus(void)
Pauses all the guest VCPUs.
void * gIntHandle
The guest handle provided by the integrator at initialization.
Interface used for communicating between the introspection engine and the integrator.
INTSTATUS IntVirtMemFetchWordSize(QWORD GuestVirtualAddress, QWORD Cr3, void *Data)
Reads a guest pointer from the guest memory.
INTSTATUS IntVirtMemPatchQword(QWORD GuestVirtualAddress, QWORD Cr3, QWORD Data)
Writes 8 bytes in the guest memory.
INTSTATUS IntVirtMemFetchDword(QWORD GuestVirtualAddress, QWORD Cr3, DWORD *Data)
Reads 4 bytes from the guest memory.
BOOLEAN IntPolicyProcIsBeta(const void *Process, QWORD Flag)
Checks if a process protection policy is in log-only mode.
BOOLEAN IntPolicyCoreIsOptionBeta(QWORD Flag)
Checks if one of the kernel protection options is in log-only mode.
INTSTATUS IntGuestUninitOnBugcheck(void const *Detour)
Prepares Introcore unload in case of a guest crash in order to clean up the code and data injected in...
BOOLEAN gAbortLoad
Set to True if introcore should abort the initialization process.
DWORD MappingsCount
The number of entries inside the MappingsTrace and MappingsEntries arrays.
INTSTATUS IntVirtMemSet(QWORD VirtualAddress, DWORD Length, QWORD Cr3, BYTE Value)
QWORD Flags
The entry that maps VirtualAddress to PhysicalAddress, together with all the control bits...
INTSTATUS IntKernVirtMemFetchDword(QWORD GuestVirtualAddress, DWORD *Data)
Reads 4 bytes from the guest kernel memory.
void IntDbgEnterDebugger2(PCHAR File, DWORD Line)
Traps to a debugger and dumps the Introcore state.
BOOLEAN IntPolicyProcTakeAction(QWORD Flag, void const *Process, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason)
Returns the action that should be taken for a process protection option.
The context of an error state.
INTSTATUS IntKernVirtMemFetchQword(QWORD GuestVirtualAddress, QWORD *Data)
Reads 8 bytes from the guest kernel memory.
QWORD MappingsEntries[MAX_TRANSLATION_DEPTH]
Contains the entry found in each paging table level.
BOOLEAN IntMatchPatternUtf16(const WCHAR *Pattern, const WCHAR *String, DWORD Flags)
Matches a pattern using glob match.
QWORD Cr3
The Cr3 used for this translation.
const QWORD gByteMaskToBitMask[256]
Converts a byte mask into a bit mask having all the bits of the selected bytes set.
INTSTATUS IntTranslateVirtualAddress(QWORD Gva, QWORD Cr3, QWORD *PhysicalAddress)
Translates a guest virtual address to a guest physical address.
INTSTATUS IntUninit(void)
Disables and uninitializes Introcore.
struct _VA_TRANSLATION VA_TRANSLATION
Encapsulates information about a virtual to physical memory translation.
INTSTATUS IntTranslateVirtualAddressEx(QWORD Gva, QWORD Cr3, DWORD Flags, VA_TRANSLATION *Translation)
Translates a guest virtual address to a guest physical address.
#define _Outptr_result_bytebuffer_(expr)
void IntPreinit(void)
Initializes the global variables used throughout the project.
struct _VA_TRANSLATION * PVA_TRANSLATION
INTSTATUS IntVirtMemFetchString(QWORD Gva, DWORD MaxLength, QWORD Cr3, void *Buffer)
Reads a NUL-terminated string from the guest.
enum _INTRO_ACTION INTRO_ACTION
Event actions.
BOOLEAN IntPolicyProcForceBetaIfNeeded(QWORD Flag, void *Process, INTRO_ACTION *Action)
Checks if a forced action should be taken even if the process log-only mode is active.
#define _In_reads_bytes_(expr)
__must_check INTSTATUS IntVirtMemMap(QWORD Gva, DWORD Length, QWORD Cr3, DWORD Flags, void **HostPtr)
Maps a guest virtual memory range inside Introcore virtual address space.
INTSTATUS IntVirtMemRead(QWORD Gva, DWORD Length, QWORD Cr3, void *Buffer, DWORD *RetLength)
Reads data from a guest virtual memory range.
QWORD PageSize
The page size used for this translation.
INTSTATUS IntPhysicalMemReadAnySize(QWORD PhysicalAddress, DWORD Length, void *Buffer, DWORD *RetLength)
Reads data from a guest physical memory range, regardless of how many pages it spans across...
QWORD MappingsTrace[MAX_TRANSLATION_DEPTH]
Contains the physical address of each entry within the translation tables.
BOOLEAN IntPolicyProcIsFeedback(const void *Process, QWORD Flag)
Checks if a process protection policy is in feedback-only mode.
QWORD VirtualAddress
The translated virtual address.
INTSTATUS IntKernVirtMemRead(QWORD KernelGva, DWORD Length, void *Buffer, DWORD *RetLength)
Reads data from a guest kernel virtual memory range.
INTSTATUS IntKernVirtMemPatchQword(QWORD GuestVirtualAddress, QWORD Data)
Writes 8 bytes in the guest kernel memory.
#define _Out_writes_z_(expr)
Encapsulates information about a virtual to physical memory translation.
char * utf16_for_log(const WCHAR *WString)
Converts a UTF-16 string to a UTF-8 string to be used inside logging macros.
INTSTATUS IntVirtMemPatchDword(QWORD GuestVirtualAddress, QWORD Cr3, DWORD Data)
Writes 4 bytes in the guest memory.
BOOLEAN IsUser
True if this page is accessible to user mode code.
INTSTATUS IntInit(GLUE_IFACE *GlueInterface, UPPER_IFACE const *UpperInterface)
Initializes introcore.
#define MAX_TRANSLATION_DEPTH
Maximum depth of the translation hierarchy.