11 #define LIX_AGENT_MAX_FUNCTIONS 256 13 #define LIX_AGENT_MAX_NAME_LENGTH 128 14 #define LIX_AGENT_MAX_ARGS_LENGTH 1024 431 _In_ const char *Name
436 _In_ const char *Name,
462 _In_ LIX_AGENT_TAG AgentTag
467 _In_ LIX_AGENT_TAG AgentTag,
468 _In_ LIX_AGENT_TAG ThreadTag
478 #endif // !_LIX_AGENT_H_
WORD DataSize
The size (bytes) of the data.
void IntLixAgentDisablePendingAgents(void)
Disables all pending agents.
struct _LIX_AGENT_UNINIT_ARGS * PLIX_AGENT_UNINIT_ARGS
LIX_AGENT_TAG Tag
The internal tag.
WORD CodeSize
The size (bytes) of the code.
Describes a handler that contains the data required by the agent.
QWORD ModuleLength
The module memory allocation size.
LIX_AGENT_DATA Data
The data used by the agent.
QWORD ModuleAddress
The address of the allocated memory (module).
QWORD Completion
The token used by completion callback.
No active/pending agents.
struct _LIX_AGENT_TOKEN LIX_AGENT_TOKEN
The tokens used by an agent.
LIX_AGENT_HANDLER * IntLixAgentGetHandlerByTag(LIX_AGENT_TAG AgentTag)
Iterates through all agent handlers and searches for the entry that has the provided tag.
INTSTATUS IntLixAgentHandleVmcall(QWORD Rip)
Handle a VMCALL that was executed inside the guest.
_LIX_AGENT_TAG
Tag used to identify an agent with a handler.
LIX_AGENT_HEADER Header
The header of the agent's data.
DWORD Count
The number of function names.
enum _LIX_AGENT_TAG LIX_AGENT_TAG
Tag used to identify an agent with a handler.
QWORD UhmWaitExec
The value of UMH_WAIT_EXEC of current guest.
struct _LIX_AGENT_THREAD LIX_AGENT_THREAD
Describes an agent-thread running inside the guest.
DWORD Size
The size (bytes) of the injected agent.
LIX_AGENT_HYPERCALL HypercallType
The hypercall type used.
Arguments of the run command-line agent.
Describes an agent-thread running inside the guest.
INTSTATUS(* PFUNC_AgentCallbackHypercall)(void *Context)
Hypercall callback prototype.
LIST_ENTRY Link
List entry element.
void IntLixAgentNameRemoveByAgid(DWORD Agid)
Iterates through all agent names and removes the entry that contains the provided ID...
QWORD UhmWaitProc
The value of UMH_WAIT_PROC of current guest.
Hypercall using INT3 instruction.
char Root
The root directory (eg. '/')
struct _LIX_AGENT_HEADER LIX_AGENT_HEADER
Header with information about running code inside the guest.
LIX_AGENT_TAG IntLixAgentDecProcRef(const char *Name, BOOLEAN *Removed)
Checks if a process is an agent or not, and decrements the ref count of that name.
QWORD PerCpuAddress
The address of the allocated memory (per-CPU).
AGENT_EVENT_TYPE
The state of an agent.
DWORD TagEx
The tag provided by the integrator.
#define IG_MAX_AGENT_NAME_LENGTH
QWORD PerCpuLength
The per-CPU memory allocation size.
Hypercall using VMCALL instruction.
QWORD Hypercall
The token used by hypercall callback.
Describes an agent running inside the guest.
Arguments of the exec agent.
INTSTATUS(* PFUNC_AgentCallbackCompletion)(void *Context)
Completion callback prototype.
INTSTATUS IntLixAgentUninit(void)
Uninit the agents state.
Arguments of the deploy-file agent.
QWORD KernelVersion
The current guest kernel version.
Header with information about running code inside the guest.
int INTSTATUS
The status data type.
INTSTATUS IntLixAgentThreadInject(LIX_AGENT_TAG Tag, DWORD TagEx, AGENT_TYPE AgentType, PFUNC_AgentCallbackHypercall HypercallCallback, PFUNC_AgentCallbackCompletion CompletionCallback, const char *Name, BYTE *ContentAddress, DWORD ContentSize)
Schedules a thread-agent injection inside the guest.
QWORD Length
The memory allocation size to deploy the provided content; to deploy the file, we use chunks...
struct _LIX_AGENT_CREATE_THREAD_ARGS LIX_AGENT_CREATE_THREAD_ARGS
Arguments of the create-thread agent.
LIX_AGENT_THREAD * Thread
A pointer to an agent-thread, if any.
QWORD UhmWaitProc
The value of UMH_WAIT_PROC of current guest.
struct _LIX_AGENT_INIT_ARGS * PLIX_AGENT_INIT_ARGS
struct _LIX_AGENT_THREAD_DEPLOY_FILE_EXEC_ARGS LIX_AGENT_THREAD_DEPLOY_FILE_EXEC_ARGS
Arguments of the exec agent.
struct _LIX_AGENT_HANDLER * Content
An array that contains LIX_AGENT_HANDLER entries.
INTSTATUS IntLixAgentActivatePendingAgent(void)
Activates a pending agent that waits to be injected.
DWORD Count
The number of the functions list.
LIX_AGENT_FUNCTIONS * Content
An array that contains LIX_AGENT_FUNCTIONS entries.
struct _LIX_AGENT_THREAD_DEPLOY_FILE_ARGS LIX_AGENT_THREAD_DEPLOY_FILE_ARGS
Arguments of the deploy-file agent.
struct _LIX_AGENT_HANDLER * PLIX_AGENT_HANDLER
struct _LIX_AGENT * PLIX_AGENT
QWORD UhmWaitExec
The value of UMH_WAIT_EXEC of current guest.
BYTE * Address
A pointer to the content provided by the integrator.
struct _LIX_AGENT_INIT_ARGS LIX_AGENT_INIT_ARGS
Arguments of the init agent.
BYTE * Code
A buffer that contains the in-guest agent code/data.
void * CloakHandle
Cloak handle used to hide the detoured instruction.
struct _LIX_AGENT_THREAD_DEPLOY_FILE_EXEC_ARGS * PLIX_AGENT_THREAD_DEPLOY_FILE_EXEC_ARGS
QWORD Length
The allocation size of the kthread data.
LIX_AGENT_TAG Tag
The internal tag.
enum _LIX_AGENT_HYPERCALL LIX_AGENT_HYPERCALL
Agent hypercall type.
This file contains the private, undocumented hypercalls. They are used only by the loaders and the ag...
struct _LIX_AGENT_HEADER * PLIX_AGENT_HEADER
INTSTATUS IntLixAgentHandleInt3(QWORD Rip)
Called when an INT3 instruction from the currently running agent is executed.
QWORD MaskSet
The page attributes that must be set.
DWORD IntLixAgentNameGetTagByAgid(DWORD Agid)
Iterates through all agent names and returns the tag of the agent that has the provided agent ID...
QWORD Context
Context from integrator.
Arguments of the uninit agent.
void IntLixAgentSendEvent(AGENT_EVENT_TYPE Event, DWORD AgentTag, DWORD ErrorCode)
Send an event to the integrator that contains the AGENT_EVENT_TYPE, tag of the agent and the last err...
struct _LIX_AGENT_FUNCTIONS_LIST LIX_AGENT_FUNCTIONS_LIST
A list of functions required by agent.
struct _LIX_AGENT_HANDLER LIX_AGENT_HANDLER
Describes a handler that contains the data required by the agent.
struct _LIX_AGENT LIX_AGENT
Describes an agent running inside the guest.
enum _AGENT_TYPE AGENT_TYPE
struct _LIX_AGENT_THREAD_DEPLOY_FILE_ARGS * PLIX_AGENT_THREAD_DEPLOY_FILE_ARGS
_LIX_AGENT_HYPERCALL
Agent hypercall type.
QWORD UhmWaitProc
The value of UMH_WAIT_PROC of current guest.
WORD Length
The size (bytes) of the arguments.
QWORD Address
The address of the kthread.
Execute a file (process).
struct _LIX_AGENT_HANDLER::@104 Threads
#define LIX_AGENT_MAX_NAME_LENGTH
QWORD KernelVersion
The current guest kernel version.
void IntLixAgentInit(void)
Initialize the agents state.
struct _LIX_AGENT_CREATE_THREAD_ARGS * PLIX_AGENT_CREATE_THREAD_ARGS
The tokens used by an agent.
struct _LIX_AGENT_THREAD_RUN_CLI_ARGS * PLIX_AGENT_THREAD_RUN_CLI_ARGS
INTSTATUS IntLixAgentInject(LIX_AGENT_TAG Tag, PFUNC_AgentCallbackHypercall HypercallCallback, PFUNC_AgentCallbackCompletion CompletionCallback)
Schedule an agent injection inside the guest.
DWORD CurrentOffset
Used as an offset in the content buffer when the HypercallCallback is called.
LIX_AGENT_TAG IntLixAgentIncProcRef(const char *Name)
Checks if a process is an agent or not, and increments the ref count of that name.
struct _LIX_AGENT_DATA LIX_AGENT_DATA
Describes the data of an agent.
QWORD Address
Address of the detoured instruction.
char Root
The root directory (eg. '/')
QWORD MaskClear
The page attributes that must be cleared.
PFUNC_AgentCallbackCompletion Completion
Completion callback.
void * Content
The content of the arguments.
LIX_AGENT_HYPERCALL HypercallType
The hypercall type.
The functions required by the agent.
struct _LIX_AGENT_UNINIT_ARGS LIX_AGENT_UNINIT_ARGS
Arguments of the uninit agent.
Arguments of the create-thread agent.
Describes the data of an agent.
LIX_AGENT_HANDLER * IntLixAgentThreadGetHandlerByTag(LIX_AGENT_TAG AgentTag, LIX_AGENT_TAG ThreadTag)
Iterates through all thread-agent handlers and searches for the entry that has the provided tag...
struct _LIX_AGENT_FUNCTIONS_LIST * PLIX_AGENT_FUNCTIONS_LIST
struct _LIX_AGENT_DATA * PLIX_AGENT_DATA
DWORD Count
The number of the functions.
DWORD Required
The number of required function addresses for the 'Name' array.
QWORD Error
The token used by error callback.
A list of functions required by agent.
QWORD FilePathOffset
The offset of struct file.path.
QWORD UhmWaitExec
The value of UMH_WAIT_EXEC of current guest.
QWORD Address
The guest virtual address of the injected agent.
AG_WAITSTATE IntLixAgentGetState(DWORD *Tag)
Gets the global agents state.
enum _AG_WAITSTATE AG_WAITSTATE
LIX_AGENT_DATA Data
The data used by the agent.
struct _LIX_AGENT_THREAD_RUN_CLI_ARGS LIX_AGENT_THREAD_RUN_CLI_ARGS
Arguments of the run command-line agent.
struct _LIX_AGENT_FUNCTINS LIX_AGENT_FUNCTIONS
The functions required by the agent.
LIX_AGENT_TOKEN Token
The tokens of the agent.
PFUNC_AgentCallbackHypercall Hypercall
Hypercall callback.
QWORD Length
The memory allocation size to deploy the provided content; to deploy the file, we use chunks...
BYTE Length
Detoured instruction length.
PFUNC_AgentCallbackCompletion Completion
Completion callback.
DWORD Tag
The LIX_AGENT_TAG.
struct _LIX_AGENT_THREAD * PLIX_AGENT_THREAD
Arguments of the init agent.
void IntLixAgentEnableInjection(void)
Enables agent injections.
PFUNC_AgentCallbackHypercall Hypercall
Hypercall callback.
struct _LIX_AGENT_FUNCTINS * PLIX_AGENT_FUNCTIONS
DWORD Size
The size of the content provided by the integrator.
WORD ExitOffset
The offset of the INT3 instruction that represents the exit point.
#define LIX_AGENT_MAX_ARGS_LENGTH
BOOLEAN Restored
True if the detoured instruction has been restored.