13 #define LIX_COMM_SIZE 16u 15 #define LIX_PROCESSES_MAX_COUNT 65536 157 (Process->Protection.Beta & Flag) != 0;
175 return ((Process->Protection.Feedback & Flag) ||
291 _In_ const char *ProcessName,
298 _In_ const char *ProcessName
367 #endif // _LIXPROCESS_H_ INTSTATUS IntLixTaskHandleDoExit(void *Detour)
Handles the exit() system call.
BOOLEAN StolenTokens
TRUE if credentials for this process have been altered.
char * ProcName
The process name that is always valid. It's set depending on which info is available, in order: Path...
INTSTATUS IntLixTaskHandleFork(void *Detour)
Handles the fork() system call performed by a linux process.
QWORD Cr3
The CR3 for this process.
static QWORD IntLixProcGetProtOption(const LIX_TASK_OBJECT *Process)
Returns the introcore options related to user mode protection.
LIX_TASK_OBJECT * IntLixTaskFindByCr3(QWORD Cr3)
Finds the Linux process having the provided Cr3.
SIZE_T ProcNameLength
The length of the ProcName field.
Describe the introcore protection options.
INTSTATUS IntLixTaskAdd(QWORD TaskGva, QWORD StaticDetected)
Creates and adds a Linux process in the internal list.
DWORD MustKill
The process will be killed at the first occasion.
enum _LIX_AGENT_TAG LIX_AGENT_TAG
Tag used to identify an agent with a handler.
BOOLEAN IsPivoted
TRUE if this process's stack is pivoted (used for DPI).
LIX_TASK_OBJECT * IntLixTaskProtFindByMm(QWORD MmGva)
Finds the protected Linux process having the provided mm guest virtual address.
CAMI_STRING_ENCODING
Describes the encoding of a string received from the CAMI file.
#define _Out_writes_bytes_(expr)
QWORD RootProtectionMask
The protection that children will inherit.
QWORD Gva
The guest virtual address of the task_struct.
static BOOLEAN IntLixProcPolicyIsFeedback(const LIX_TASK_OBJECT *Process, QWORD Flag)
Verifies whether a specific process protection flag is in feedback-only mode or not for a Linux proce...
QWORD Beta
The protection flags for this process that are in beta mode.
INTSTATUS IntLixTaskHandleVmRw(void *Detour)
Handles the process_vm_writev() system call.
QWORD Parent
Depends on whether this is a thread or a process.
DWORD Tgid
The task Thread-Group-ID.
LIX_TASK_PATH * Path
The path of the file executed.
int INTSTATUS
The status data type.
QWORD CreationTime
The creation timestamp for this process.
INTSTATUS IntLixTaskIsUserStackPivoted(LIX_TASK_OBJECT *Task, QWORD Ptr, BOOLEAN *IsPivoted)
Verifies whether the stack of a Linux process is pivoted or not.
DWORD IsPreviousAgent
TRUE if this process is an agent remaining from a previous session.
QWORD Base
The user mode stack base.
DWORD RefCount
The number of references for this cache entry.
DWORD InterpLength
The length of the Interpreter field.
Describes a path cache entry.
BOOLEAN IntPolicyIsCoreOptionFeedback(QWORD Flag)
Checks if a core protection option is in feedback-only mode.
QWORD RealParent
The process which called fork().
INTSTATUS(* PFUNC_LixTaskIterateTasks)(LIX_TASK_OBJECT *Task)
DWORD CommHash
The CRC32 checksum of the Comm field.
char * CmdLine
The process command line.
void IntLixTaskDumpProtected(void)
Dumps the list with processes that Introcore should protect.
BOOLEAN IntPolicyCoreIsOptionBeta(QWORD Flag)
Checks if one of the kernel protection options is in log-only mode.
QWORD ExeFileDentry
The guest virtual address of the executable file's "dentry" structure.
QWORD Limit
The user mode stack limit.
LIX_TASK_OBJECT * IntLixTaskFindByMm(QWORD MmGva)
Finds the Linux process having the provided mm guest virtual address.
void IntLixTaskDump(void)
Dumps the process list.
INTSTATUS IntLixTaskIterateGuestTasks(PFUNC_IterateListCallback Callback, QWORD Aux)
Iterates the guest process list and calls the provided callback for each process and thread found...
Describes one set of credentials.
INTSTATUS IntLixTaskHandleExec(void *Detour)
Handles the exec() system call of a linux process.
#define INTRO_OPT_PROT_UM_MISC_PROCS
DWORD Exec
TRUE if the process did exec at least once.
struct _LIX_TASK_OBJECT LIX_TASK_OBJECT
QWORD IntLixGetKernelCr3(QWORD Cr3)
Transforms a user CR3 into a kernel CR3 on systems with KPTI enabled and active. ...
BOOLEAN Valid
TRUE if the values inside this structure are valid.
INTSTATUS IntLixTaskAddProtected(const char *ProcessName, QWORD ProtectionMask, QWORD Context)
Adds a protected process name pattern.
DWORD IsThread
TRUE if it's a thread, not a process.
static BOOLEAN IntLixProcPolicyIsBeta(const LIX_TASK_OBJECT *Process, QWORD Flag)
Verifies whether a specific process protection flag is in beta mode or not for a Linux process...
INTSTATUS(* PFUNC_IterateListCallback)(QWORD Node, QWORD Aux)
void IntLixTaskEnum(DWORD *Pids, DWORD BufferSize)
INTSTATUS IntLixAccessRemoteVmHandler(void *Detour)
Detour handler for __access_remote_vm.
INTSTATUS IntLixTaskGetAgentsAsCli(char *CommandLine, DWORD Length)
Returns a string with the command lines of all active agents.
DWORD ReExecToSelf
TRUE if the process is re-executed to self (exec to same executable).
QWORD Context
Context from integrator.
Exposes the definitions used by the CAMI parser and the functions used to load guest support informat...
LIST_ENTRY ExploitProtProcLink
Linkage in the protected processes list.
void IntLixProcUpdateProtectedProcess(const void *Name, const CAMI_STRING_ENCODING Encoding, const CAMI_PROT_OPTIONS *Options)
Updates the protection flags for Linux tasks that should be protected based on options received via C...
INTSTATUS IntLixTaskRemoveProtected(const char *ProcessName)
Removes a pattern of processes to be protected.
DWORD KernelMode
TRUE if this process/thread is inside kernel mode.
#define UNREFERENCED_PARAMETER(P)
DWORD IntLixTaskGetExecCount(void)
Returns the number of processes that have performed an exec.
char * Name
The path base name.
size_t NameLength
The size of the base name.
LIX_CREDS * Creds
The LIX_CREDS reference for the credentials of this process.
INTSTATUS IntLixTaskGetTrapFrame(const LIX_TASK_OBJECT *Task, LIX_TRAP_FRAME *TrapFrame)
Retrieves the trap frame for a Linux task.
char * Interpreter
The interpreter, if this was a script executed through an interpreter.
QWORD DentryGva
The guest virtual address of the "dentry" structure associated with this path.
void IntLixTaskUpdateProtection(void)
Adjusts protection for all active Linux processes.
INTSTATUS IntLixTaskGetUserStack(LIX_TASK_OBJECT *Task, QWORD *StackPointer, QWORD *StackBase, QWORD *StackLimit)
Finds the user mode stack limits for a Linux process.
DWORD CmdLineLength
The length of the CmdLine field.
QWORD Feedback
The protection flags for this process that are in feedback-only mode.
void IntLixTaskUninit(void)
Uninitializes the Linux process subsystem.
BOOLEAN IntLixTaskGuestTerminating(void)
Check whether the guest OS is terminating or not.
size_t PathLength
The size of the path.
#define LIX_COMM_SIZE
The maximum size of the process comm.
void IntLixTaskDumpAsTree(void)
Dump the process tree.
INTSTATUS IntLixTaskGetCurrentTaskStruct(DWORD CpuNumber, QWORD *TaskStruct)
Reads the guest virtual address of the task currently running on a CPU.
QWORD MmGva
The guest virtual address of the "mm_struct".
LIST_ENTRY Link
The list node.
INTSTATUS IntLixGetInitTask(QWORD *InitTask)
Finds the guest virtual address of the "init_task".
LIST_ENTRY Link
Linkage in the global task list.
struct _LIX_TASK_PATH LIX_TASK_PATH
Describes a path cache entry.
#define PROC_OPT_BETA
Process is monitored, but in log-only mode so no actions will be blocked.
INTSTATUS IntLixTaskHandlePtrace(void *Detour)
Handles the ptrace() system call.
DWORD Protected
TRUE if the process is protected.
LIX_TASK_OBJECT * IntLixTaskFindByGva(QWORD TaskStruct)
Finds Linux process with the provided "task_struct" guest virtual address.
INTSTATUS IntLixTaskIterateTasks(PFUNC_LixTaskIterateTasks Callback)
Call the Callback parameter for each task saved internally.
LIX_TASK_OBJECT * IntLixTaskGetCurrent(DWORD CpuNumber)
Finds the task that is currently running on the given CPU.
char * Path
The full path string.
void * HookObject
The HookObject used for EPT hooks set inside this process's memory space.
QWORD ActualParent
The parent, based on tgid. Only relevant for threads.
LIX_TASK_OBJECT * IntLixTaskFindByPid(DWORD Pid)
Finds the Linux process having the provided PID.
LIST_HEAD Vmas
The list head for the VMAs from the memory space of this process.
DWORD StaticDetected
TRUE if the process was detected using a static scan (during static init).
QWORD Mask
The protection flags enabled for this process.
LIX_AGENT_TAG AgentTag
The agent tag, if this process is an agent.