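/* Range check for a 64-bit Linux guest kernel virtual address: true when p
 * lies in the canonical upper half and below the top 2 MiB of the address
 * space. This is a pure range test -- an address in range is not necessarily
 * mapped or readable, so callers must still translate and validate it before
 * reading guest memory. */
#define IS_KERNEL_POINTER_LIX(p) \
    (((p) >= 0xFFFF800000000000ULL) && ((p) < 0xffffffffffe00000ULL))

/* Upper bound on the number of guest functions that can be hooked. */
#define LIX_MAX_HOOKED_FN_COUNT 512
/* Maximum number of version strings kept for a guest. */
#define LIX_MAX_VERSION_STRINGS 3
/* Maximum length (bytes) of a version string buffer. */
#define MAX_VERSION_LENGTH 256

/* Looks up an opaque structure field offset/size for the current guest:
 * Structure selects the per-structure table, Field the entry within it. */
#define LIX_FIELD(Structure, Field) \
    gLixGuest->OsSpecificFields.OpaqueFields.Structure[lixField##Structure##Field]

/* Maximum length (bytes) of a ksym name. */
#define LIX_SYMBOL_NAME_LEN 128

/* Packed kernel version layout: [31:24] version, [23:16] patch, [15:0] sublevel. */
#define LIX_GET_VERSION(Version)  ((Version) >> 24)
#define LIX_GET_PATCH(Version)    (((Version) & 0x00ff0000) >> 16)
#define LIX_GET_SUBLEVEL(Version) ((Version) & 0x0000ffff)

/* Builds a packed version. Each field is masked to its width so an
 * out-of-range component cannot bleed into a neighbouring field, and the
 * unsigned masks make the shifts well-defined (K << 24 on a plain int would
 * be undefined behavior for K >= 128). */
#define LIX_CREATE_VERSION(K, Patch, Sublevel) \
    (((Sublevel) & 0xFFFFu) | (((Patch) & 0xFFu) << 16) | (((K) & 0xFFu) << 24))

/* Starts the initialization of, and enables protection for, a new Linux guest. */
INTSTATUS IntLixGuestNew(void);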
Starts the initialization of, and enables protection for, a new Linux guest.
The offset of proto.name.
The offset of task_struct.pid.
The guest is built with VSYSCALL support.
DWORD CurrentCpuOffset
The offset of the CPU from GS.
The offset of cred.usage.
LIX_OPAQUE_FIELDS OsSpecificFields
OS-dependent and specific information.
Describes a Linux function used by the detour mechanism.
The offset of task_struct.nsproxy.
struct _LIX_SYMBOL LIX_SYMBOL
Describes a Linux ksym.
_LIX_FIELD_INFO
Describes information about a Linux guest.
INTSTATUS IntLixGuestIsKptiActive(QWORD SyscallGva)
Checks whether KPTI is active in the Linux guest.
#define MAX_VERSION_LENGTH
struct _LIX_PROTECTED_PROCESS LIX_PROTECTED_PROCESS
Encapsulates a protected Linux process.
The offset of mm_struct.end_data.
Describes the information about a Linux active-patch.
The offset of module.init.
The offset of task_struct.group_leader.
The tag for LIX_FIELD_MMSTRUCT.
The offset of vm_area_struct.vm_start.
QWORD OriginalPagesAttr
The original page protection-attributes for the allocated region.
The offset of linux_binprm.argc.
QWORD End
The end guest virtual address of ksym (exclusive).
INTSTATUS IntGetVersionStringLinux(DWORD FullStringSize, DWORD VersionStringSize, CHAR *FullString, CHAR *VersionString)
Gets the version string for a Linux guest.
The offset of task_struct.thread_node.
The offset of linux_binprm.file.
The offset of module.init_layout.
DWORD HookHandler
Used to identify the index of the LIX_FN_DETOUR in the gLixHookHandlersx64 array.
The offset of nsproxy.net_ns.
The offset of mm_struct.start_code.
The size of a 'kallsym_markers' entry is 4 bytes.
BYTE Patch
The patch field of the version string.
INTSTATUS IntLixFtraceHandler(void *Detour)
Handles the incoming 'ftrace' code patches from the guest (the 'text_poke' patches are handled by IntLixTextPokeHandler).
The value of sizeof(struct fs_struct).
BOOLEAN SkipOnBoot
Unused.
The offset of fdtable.max_fds.
The offset of task_struct.execve.
The value of the system_state.RUNNING.
The offset of module.init_layout.
The offset of task_struct.exit_code.
_LIX_FIELD_SOCKET
The index for offsets of 'struct socket'.
struct _LIX_PROTECTED_PROCESS * PLIX_PROTECTED_PROCESS
The offset of inode.i_uid.
The tag for LIX_FIELD_DENTRY.
_LIX_FIELD_FDTABLE
The index for offsets of 'struct fdtable'.
The offset of task_struct.usage.
The offset of mm_struct.flags.
QWORD Start
The start guest virtual address of ksym.
QWORD RoDataStart
The guest virtual address where the read-only data starts.
The offset of task_struct.mm.
enum _LIX_FIELD_MMSTRUCT LIX_FIELD_MMSTRUCT
The index for offsets of 'struct mm_struct'.
The offset of mm_struct.context.vdso.
struct _LIX_OPAQUE_FIELDS * PLIX_OPAQUE_FIELDS
DWORD FunctionsCount
The number of functions to be hooked.
The guest emits an absolute value in the range [0, S32_MAX] or a relative value in the range [base...
The offset of module.sum_syms.
The offset of dentry.d_hash.
The offset of vm_area_struct.flags.
The offset of sock.sk_dport.
void * InitProcessObj
The LIX_TASK_OBJECT of the 'init' process.
The offset of signal_struct.nr_threads.
The tag for LIX_FIELD_FILES.
WORD Length
The patch length.
QWORD Vdso32Start
The guest virtual address where the vDSO x32 starts.
The offset of task_struct.cred.
The offset of task_struct.tgid.
The offset of fs_struct.fdt.
enum _LIX_FIELD_CRED LIX_FIELD_CRED
The index for offsets of 'struct cred'.
The offset of linux_binprm.vma.
The offset of socket.type.
The offset of mm_struct.end_code.
The binprm->cred is altered by LSM.
The offset of mm_struct.start_data.
int INTSTATUS
The status data type.
QWORD Vdso32End
The guest virtual address where the vDSO x32 ends.
The offset of fs_struct.pwd.
QWORD CodeEnd
The guest virtual address where the code ends.
enum _LIX_FIELD_MODULE LIX_FIELD_MODULE
The index for offsets of 'struct module'.
_LIX_FIELD_CRED
The index for offsets of 'struct cred'.
QWORD CodeStart
The guest virtual address where the code starts.
_LIX_FIELD_UNGROUPED
The index for offsets of structures that are not grouped.
The offset of linux_binprm.interp.
int IntLixGuestGetSystemState(void)
Gets the system state of the Linux guest.
The offset of task_struct.in_execve.
The offset of task_struct.stack.
The offset of task_struct.thread_group.
QWORD PerCpuAddress
The guest virtual address of the 'per-cpu' allocated region.
The value of sizeof(struct files_struct).
DWORD ThreadStructOffset
The offset of the thread_struct from task_struct.
The tag for LIX_FIELD_MODULE.
PCHAR NamePattern
Full application file name.
The offset of linux_binprm.mm.
The offset of task_struct.exit_signal.
_LIX_FIELD_FILES
The index for offsets of 'struct files_struct'.
The offset of sock.sk_v6_daddr.
The offset of module.core_layout.size.
The offset of module.init_layout.size.
The tag for LIX_FIELD_SOCK.
The offset of module.core_layout.text_size.
INTSTATUS IntLixJumpLabelHandler(void *Detour)
Handles the incoming 'arch_jump_label_transform' patches from the guest.
The offset of module.init_layout.text_size.
The offset of module.list.
The offset of mm_struct.pgd.
Encapsulates a protected Linux process.
The offset of sock.sk_daddr.
_LIX_FIELD_BINPRM
The index for offsets of 'struct linux_binprm'.
void IntLixGuestUninitGuestCode(void)
Removes the EPT hooks from detours/agents memory zone and clears these memory zones.
The guest has module layout.
The offset of mm_struct.mm_users.
struct _LIX_SYMBOL * PLIX_SYMBOL
The offset of vm_area_struct.vm_end.
struct _LIX_ACTIVE_PATCH LIX_ACTIVE_PATCH
Describes the information about a Linux active-patch.
enum _LIX_FIELD_FILES LIX_FIELD_FILES
The index for offsets of 'struct files_struct'.
The offset of sock.sk_state.
The tag for LIX_FIELD_BINPRM.
DWORD PerCpuLength
The length (bytes) of the 'per-cpu' region.
The offset of dentry.d_parent.
BOOLEAN IntLixGuestDeployUninitAgent(void)
Injects the 'uninit' agent to free the memory previously allocated for detours/agents.
The offset of mm_struct.mmlist.
QWORD Feedback
Flags that will be forced to feedback-only mode.
The offset of socket.state.
QWORD ExTableStart
The guest virtual address where the ex-table starts.
The guest emits the symbol references in the kallsyms table as 32-bit entries, each containing a relat...
The offset of mm_struct.start_stack.
Used for 'arch_jump_label_transform'.
enum _LIX_FIELD_NSPROXY LIX_FIELD_NSPROXY
The index for offsets of 'struct nsproxy'.
The offset of vm_area_struct.vm_prev.
The offset of module.core_layout.ro_size.
QWORD Current
The currently used protection flags.
The offset of task_struct.fs.
The offset of mm_struct.mmap.
LIX_STRUCTURE
Structure tags used for the Linux structures.
QWORD DataStart
The guest virtual address where the data starts.
_LIX_ACTIVE_PATCH_TYPE
Describes the type of a Linux active-patch.
The offset of nsproxy.count.
The offset of module.core_layout.
The offset of nsproxy.uts_ns.
The guest has the vdso image struct.
The tag for LIX_FIELD_NSPROXY.
Used for 'text_poke'.
The offset of dentry.d_iname.
_LIX_FIELD_MMSTRUCT
The index for offsets of 'struct mm_struct'.
The offset of module.symbols.
DWORD Value
The Linux full version number.
The offset of task_struct.flags.
QWORD Original
The original protection flags as received from integrator.
The offset of file.f_path.
The offset of socket.flags.
The offset of dentry.d_inode.
The offset of module.num_gpl_syms.
enum _LIX_FIELD_VMA LIX_FIELD_VMA
The index for offsets of 'struct vm_area_struct'.
enum _LIX_FIELD_FDTABLE LIX_FIELD_FDTABLE
The index for offsets of 'struct fdtable'.
void * HookObject
The hook-object for detours-code region.
_LIX_FIELD_SOCK
The index for offsets of 'struct sock'.
enum _LIX_FIELD_SOCK LIX_FIELD_SOCK
The index for offsets of 'struct sock'.
The offset of task_struct.real_parent.
The offset of module.gpl_syms.
enum _LIX_FIELD_INFO LIX_FIELD_INFO
Describes information about a Linux guest.
The tag for LIX_FIELD_FS.
PCHAR CommFullPattern
Full application name pattern.
The offset of task_struct.tasks.
QWORD Context
The context supplied in the protection policy.
QWORD VdsoEnd
The guest virtual address where the vDSO ends.
WORD Sublevel
The sublevel field of the version string.
struct _LIX_OPAQUE_FIELDS LIX_OPAQUE_FIELDS
Contains information about various Linux structures.
The tag for LIX_FIELD_VMA.
const LIX_FN_DETOUR gLixHookHandlersx64[]
An array that contains the descriptors of the functions that will be hooked (see lixapi...
struct _LIX_FUNCTION LIX_FUNCTION
Describes a Linux function used by the detour mechanism.
The offset of fs_struct.root.
The offset of linux_binprm.cred.
The value of sizeof(struct inode).
CHAR CommPattern[16]
Process name pattern (supports glob patterns). Will be used if there is no path.
The slack region contains INT3s.
The guest has an additional table that contains the sizes of the functions/variables.
The offset of nsproxy.ipc_ns.
LIX_FUNCTION * Functions
An array of LIX_FUNCTION to be hooked.
_LIX_FIELD_FS
The index for offsets of 'struct fs_struct'.
DWORD HooksId
Which OS versions are supported by these fields.
The offset of vm_area_struct.vm_rb.
The offset of vm_area_struct.file.
The offset of task_struct.comm.
_LIX_FIELD_MODULE
The index for offsets of 'struct module'.
The offset of alternate stack.
The offset of sock.sk_family.
The offset of task_struct.signal.
The tag for LIX_FIELD_INODE.
LIST_ENTRY Link
Entry inside the gLixProtectedTasks list.
The offset of task_struct.files.
The tag for LIX_FIELD_SOCKET.
The offset of task_struct.thread_struct.sp.
The guest virtual address of the 'struct socket *sock_alloc(void);' function.
The offset of task_struct.start_time.
The offset of sock.sk_num.
QWORD DataEnd
The guest virtual address where the data ends.
The offset of sock.sk_prot.
_LIX_FIELD_INODE
The index for offsets of 'struct inode'.
The offset of file.f_path.dentry.
QWORD RoDataEnd
The guest virtual address where the read-only data ends.
enum _LIX_FIELD_UNGROUPED LIX_FIELD_UNGROUPED
The index for offsets of structures that are not grouped.
The tag for LIX_FIELD_INFO.
INTSTATUS IntLixTextPokeHandler(void *Detour)
Handles the incoming 'text_poke' patches from the guest.
enum _LIX_FIELD_BINPRM LIX_FIELD_BINPRM
The index for offsets of 'struct linux_binprm'.
The offset of mm_struct.end_data.exe_file.
enum _LIX_FIELD_SOCKET LIX_FIELD_SOCKET
The index for offsets of 'struct socket'.
The value of sizeof(struct sock).
The offset of vm_area_struct.vm_mm.
The offset of mm_struct.mm_count.
The value of sizeof(struct cred).
The offset of dentry.d_name.
The offset of module.core_layout.
enum _LIX_FIELD_INODE LIX_FIELD_INODE
The index for offsets of 'struct inode'.
enum _LIX_FIELD_DENTRY LIX_FIELD_DENTRY
The index for offsets of 'struct dentry'.
Contains information about various Linux structures.
QWORD Vsyscall
The guest virtual address of the vsyscall.
DWORD NameHash
Crc32 of the function name.
The offset of sock.sk_receive_addr.
QWORD Address
The guest virtual address of the detours-code.
_LIX_FIELD_TASKSTRUCT
The index for offsets of 'struct task_struct'.
The offset of module.state.
The value of sizeof(struct module).
void IntLixGuestUninit(void)
Uninitializes the Linux guest.
The offset of vm_area_struct.vm_next.
enum _LIX_FIELD_TASKSTRUCT LIX_FIELD_TASKSTRUCT
The index for offsets of 'struct task_struct'.
_LIX_FIELD_DENTRY
The index for offsets of 'struct dentry'.
The offset of mm_struct.mm_rb.
The offset of fs_struct.fd.
QWORD Beta
Flags that were forced to beta mode.
The tag for LIX_FIELD_FDTABLE.
QWORD SyscallAddress
The guest virtual address of the syscall.
_LIX_FIELD_VMA
The index for offsets of 'struct vm_area_struct'.
The offset of module.init_layout.ro_size.
DWORD Length
The length (bytes) of the detours-code.
The value of sizeof(struct linux_binprm).
WORD Backport
The backport field of the version string.
BOOLEAN Cleared
True if the detours-code/data region is cleared.
The offset of nsproxy.pid_ns_for_children.
_LIX_FIELD_NSPROXY
The index for offsets of 'struct nsproxy'.
Used for 'ftrace'.
The guest has an alternative syscall handler.
The offset of task_struct.parent.
enum _LIX_ACTIVE_PATCH_TYPE LIX_ACTIVE_PATCH_TYPE
Describes the type of a Linux active-patch.
struct _LIX_PROTECTED_PROCESS::@123 Protection
What protection policies should be applied.
DETOUR_TAG
Unique tag used to identify a detour.
QWORD Gva
The guest virtual address at which the pending patch starts.
BYTE Version
The version field of the version string.
The tag for LIX_FIELD_UNGROUPED.
QWORD VdsoStart
The guest virtual address where the vDSO starts.
DWORD CurrentTaskOffset
The offset of the current task from GS.
The offset of inode.i_mode.
The tag for LIX_FIELD_CRED.
BOOLEAN Initialized
True if the guest is initialized.
QWORD ExTableEnd
The guest virtual address where the ex-table ends.
The tag for LIX_FIELD_TASKSTRUCT.
QWORD PropperSyscallGva
The guest virtual address of the 'real' syscall.
enum _LIX_FIELD_FS LIX_FIELD_FS
The index for offsets of 'struct fs_struct'.
QWORD Flags
Flags that describe the protection mode.
The offset of module.name.
struct _LINUX_GUEST LINUX_GUEST
Describes a Linux guest.
The offset of sock.sk_v6_daddr.
struct _LINUX_GUEST * PLINUX_GUEST
The offset of inode.i_gid.
The offset of linux_binprm.filename.
Describes a Linux-function to be hooked.
The offset of nsproxy.mnt_ns.