- Generated by
1.8.13
|
Bitdefender Hypervisor Memory Introspection
|
Describes a guest. More...
#include <guests.h>
Data Fields | |
| INTRO_PROT_OPTIONS | CoreOptions |
| The activation and protection options for this guest. More... | |
| INTRO_PROT_OPTIONS | ShemuOptions |
| Flags which describe the way shemu will give detections. More... | |
| QWORD | TimerCalls |
| The number of times the timer callback has been invoked. More... | |
| QWORD | TscSpeed |
| Number of ticks/second of this given guest. Should be the same as the global (physical) one. More... | |
| INTRO_GUEST_TYPE | OSType |
| The type of the guest. More... | |
| DWORD | CpuCount |
| The number of logical CPUs. More... | |
| DWORD | ActiveCpuCount |
| The number of CPUs actually used by the guest. More... | |
| DWORD | OSVersion |
| Os version. More... | |
| QWORD | KernelVa |
| The guest virtual address at which the kernel image. More... | |
| DWORD | KernelSize |
| The size of the kernel. More... | |
| BOOLEAN | Initialized |
| True if this structure was initialized and can be used. More... | |
| BOOLEAN | Guest64 |
| True if this is a 64-bit guest, False if it is a 32-bit guest. More... | |
| BOOLEAN | KptiActive |
| True if KPTI is enabled on this guest, False if it is not. More... | |
| BOOLEAN | KptiInstalled |
| True if KPTI was detected as installed (not necessarily active). More... | |
| BOOLEAN | GuestInitialized |
| True if the OS-specific portion has been initialized. More... | |
| BOOLEAN | SafeToApplyOptions |
| True if the current options can be changed dynamically. More... | |
| BOOLEAN | PaeEnabled |
| True if Physical Address Extension is enabled. More... | |
| BOOLEAN | LA57 |
| True if 5-level paging is being used. More... | |
| BOOLEAN | ProtectionActivated |
| BOOLEAN | KernelBetaDetections |
| True if the kernel protection is in beta (log-only) mode. More... | |
| BOOLEAN | SysprocBetaDetections |
| BOOLEAN | ShutDown |
| True if the system process protection is in beta (log-only) mode. More... | |
| BOOLEAN | Terminating |
| BOOLEAN | EnterHibernate |
| True if the guest is entering into hibernate. More... | |
| BOOLEAN | UninitPrepared |
| BOOLEAN | DisableOnReturn |
| Set to True if after returning from this event handler, introcore must be unloaded. More... | |
| BOOLEAN | BootstrapAgentAllocated |
| True if the slack space for the bootstrap agent has been allocated. More... | |
| BOOLEAN | BugCheckInProgress |
| BOOLEAN | PtFilterEnabled |
| If True, the in-guest PT filter is enabled and deployed. More... | |
| BOOLEAN | PtFilterWaiting |
| True if the in-guest PT filter was not yet injected, but it should be. More... | |
| BOOLEAN | VeAgentWaiting |
| True if the #VE agent was not yet injected, but it should be. More... | |
| BOOLEAN | VeInitialized |
| Set to True if #VE initialization was done. More... | |
| BOOLEAN | SupportVE |
| Set to True if support for #VE was detected. More... | |
| BOOLEAN | SupportVMFUNC |
| Set to True if support for VMFUNC was detected. More... | |
| BOOLEAN | SupportSPP |
| Set to True if support for SPP was detected. More... | |
| BOOLEAN | SupportDTR |
| Set to True if support for DTR access exits was detected. More... | |
| BOOLEAN | PtFilterFlagRemoved |
| Set to True if the INTRO_OPT_IN_GUEST_PT_FILTER was given, but it was removed. More... | |
| BYTE | WordSize |
| Guest word size. Will be 4 for 32-bit guests and 8 for 64-bit guests. More... | |
| PVCPU_STATE | VcpuArray |
| Array of the VCPUs assigned to this guest. The index in this array matches the VCPU number. More... | |
| MM | Mm |
| Guest memory information, such as paging mode, system Cr3 value, etc. More... | |
| QWORD | IntroActiveEventId |
| The event ID on which introcore became active. More... | |
| DWORD | RepOptsDisableCount |
| The number of times the rep optimizations have been disabled. More... | |
| KERNEL_DRIVER * | KernelDriver |
| Points to the driver object that describes the kernel image. More... | |
| MSR_HOOK_STATE * | MsrHooks |
| MSR hook state. More... | |
| XCR_HOOK_STATE * | XcrHooks |
| XCR hook state. More... | |
| CR_HOOK_STATE * | CrHooks |
| CR hook state. More... | |
| DTR_HOOK_STATE * | DtrHooks |
| DTR hook state. More... | |
| EXCEPTIONS * | Exceptions |
| The exceptions that are currently loaded. More... | |
| DWORD | UntrustedEptIndex |
| The EPTP index of the untrusted EPT. More... | |
| DWORD | ProtectedEptIndex |
| The EPTP index of the trusted EPT. More... | |
| void * | GpaCache |
| The currently used GPA cache. More... | |
| void * | InstructionCache |
| The currently used instructions cache. More... | |
| SHEMU_CONTEXT | Shemucontext |
| Shellcode emulator context. More... | |
| BYTE | ShemuShellcode [SHEMU_SHELLCODE_SIZE] |
| The shellcode emulator shellcode buffer. More... | |
| BYTE | ShemuStack [SHEMU_STACK_SIZE] |
| The shellcode emulator stack buffer. More... | |
| BYTE | ShemuInternal [SHEMU_SHELLCODE_SIZE+SHEMU_STACK_SIZE] |
| The shellcode emulator internal buffer. More... | |
| union { | |
| LINUX_GUEST _LinuxGuest | |
| Linux specific information. Valid when OSType is introGuestLinux. More... | |
| WINDOWS_GUEST _WindowsGuest | |
| Linux specific information. Valid when OSType is introGuestWindows. More... | |
| }; | |
| Since the guest can be either Windows or Linux we can safely pack their specific states into an enum and use the appropriate field. More... | |
| union { ... } |
Since the guest can be either Windows or Linux we can safely pack their specific states into an enum and use the appropriate field.
| LINUX_GUEST _GUEST_STATE::_LinuxGuest |
Linux specific information. Valid when OSType is introGuestLinux.
Definition at line 419 of file guests.h.
Referenced by IntLixGuestNew().
| WINDOWS_GUEST _GUEST_STATE::_WindowsGuest |
Linux specific information. Valid when OSType is introGuestWindows.
Definition at line 420 of file guests.h.
Referenced by IntWinGuestNew().
| DWORD _GUEST_STATE::ActiveCpuCount |
The number of CPUs actually used by the guest.
Definition at line 280 of file guests.h.
Referenced by IntLixGuestNew(), IntWinGuestNew(), IntWinIntObjProtect(), and IntWinIntObjUnprotect().
| BOOLEAN _GUEST_STATE::BootstrapAgentAllocated |
True if the slack space for the bootstrap agent has been allocated.
Set by IntWinAgentSelectBootstrapAddress and reset by IntWinAgentReleaseBootstrapAddress.
Definition at line 332 of file guests.h.
Referenced by IntMtblCheckAccess(), IntWinAgentReleaseBootstrapAddress(), and IntWinAgentSelectBootstrapAddress().
| BOOLEAN _GUEST_STATE::BugCheckInProgress |
Set to True if the guest is in the process of crashing (BSOD/panic).
Definition at line 333 of file guests.h.
Referenced by IntGuestDisableIntro(), IntGuestUninitOnBugcheck(), IntHandleBreakpoint(), IntHandleIntroCall(), IntInjectFileAgentInGuest(), IntInjectProcessAgentInGuest(), IntLixTaskGuestTerminating(), IntPtiRemovePtFilter(), and IntVeRemoveAgent().
| INTRO_PROT_OPTIONS _GUEST_STATE::CoreOptions |
The activation and protection options for this guest.
Definition at line 271 of file guests.h.
Referenced by DbgLogCoreOptions(), DbgSetCoreOptions(), IntCamiSetCoreOptions(), IntGetCurrentIntroOptions(), IntGuestInit(), IntGuestUninitOnBugcheck(), IntGuestUpdateCoreOptions(), IntHandleTimer(), IntInjectFileAgentInGuest(), IntInjectProcessAgentInGuest(), IntLixApiHookAll(), IntLixApiUpdateHooks(), IntLixCredAdd(), IntLixCredCheckIntegrity(), IntLixCredsVerify(), IntLixDrvActivateProtection(), IntLixDrvSendEvent(), IntLixDrvUpdateProtection(), IntLixGuestActivateProtection(), IntLixKernelReadUnprotect(), IntLixKernelWriteUnprotect(), IntLixNetIterateTaskConnections(), IntLixNetSendGuestConnections(), IntLixPatchSwapgs(), IntLixTaskActivateProtection(), IntLixTaskAdjustProtections(), IntLixTaskHandleExec(), IntLixTaskSendExceptionEvent(), IntLixTaskSendTaskEvent(), IntLixTaskShouldProtect(), IntLixVmaHandlePageExecution(), IntPolicyCoreIsOptionBeta(), IntPolicyCoreTakeAction(), IntPolicyIsCoreOptionFeedback(), IntPolicyProcTakeAction(), IntPtiHandleGuestResumeFromSleep(), IntSwapgsStartMitigation(), IntVeCompleteLoader(), IntVeDumpStats(), IntVeHandleGuestResumeFromSleep(), IntWinApiUpdateHooks(), IntWinBcSendBsodEvent(), IntWinDpiGatherDpiInfo(), IntWinDpiHandleDpiAclEdit(), IntWinDpiHandleDpiDebug(), IntWinDpiHandleDpiHeapSpray(), IntWinDpiHandleDpiPivotedStack(), IntWinDpiHandleDpiSecDesc(), IntWinDpiHandleDpiStolenToken(), IntWinDpiHandleDpiThreadStart(), IntWinDpiHandleDpiTokenPrivs(), IntWinDrvForceDisableReadNtEat(), IntWinDrvHeadersInMemory(), IntWinDrvIsProtected(), IntWinDrvObjIsProtected(), IntWinDrvSendEvent(), IntWinGuestActivateProtection(), IntWinGuestFinishInit(), IntWinHalCreateHalData(), IntWinHalFindPerformanceCounterInternal(), IntWinHalUpdateProtection(), IntWinInfHookProtect(), IntWinNetSendProcessConnections(), IntWinPowHandleEventCommon(), IntWinProcAddProtectedProcess(), IntWinProcChangeProtectionFlags(), IntWinProcCreateProcessObject(), IntWinProcDeleteProcessObject(), IntWinProcGetProtectedInfo(), IntWinProcGetProtectedInfoEx(), IntWinProcHandleCopyMemory(), IntWinProcSendDllEvent(), IntWinProcSendProcessEvent(), IntWinProcSendProcessExceptionEvent(), IntWinProcValidateSystemCr3(), IntWinSDCheckIntegrity(), IntWinSelfMapGetAndCheckSelfMapEntry(), IntWinSelfMapProtectSelfMapIndex(), IntWinSelfMapValidateSelfMapEntries(), IntWinSudCheckIntegrity(), IntWinTokenCheckIntegrity(), IntWinTokenPrivsProtectOnProcess(), IntWinTokenProtectPrivs(), IntWinTokenUnprotectPrivs(), and IntWinVadIsExecSuspicious().
| DWORD _GUEST_STATE::CpuCount |
The number of logical CPUs.
Definition at line 279 of file guests.h.
Referenced by DbgDumpCpuState(), DbgLogKpcr(), IntGuestGetIdtFromGla(), IntGuestHandleCr3Write(), IntGuestInit(), IntGuestUninitOnBugcheck(), IntHandleBreakpoint(), IntHandleCrWrite(), IntHandleDtrViolation(), IntHandleEptViolation(), IntHandleEventInjection(), IntHandleIntroCall(), IntHandleMsrViolation(), IntHandleXcrWrite(), IntInjectExceptionInGuest(), IntLixGuestAllocate(), IntLixGuestNew(), IntLixIdtProtectAll(), IntLixIdtProtectOnCpu(), IntLixIdtUnprotectAll(), IntLixUnpatchSwapgs(), IntLogGuestRegisters(), IntRtlpVirtualUnwindCheckAccess(), IntThrSafeInspectRunningThreads(), IntThrSafeIsStackPtrInIntro(), IntUDRemoveAllEntriesForCr3(), IntVeDeliverDriverForLoad(), IntVeDumpStats(), IntVeDumpVeInfoPages(), IntVeHandleSwap(), IntVeInit(), IntVeUnhookVeAgent(), IntWinGuestNew(), IntWinIdtProtectAll(), IntWinIdtProtectOnCpu(), IntWinIdtUnprotectAll(), IntWinIdtUnprotectOnCpu(), and IntWinThrGetCurrentThread().
| CR_HOOK_STATE* _GUEST_STATE::CrHooks |
CR hook state.
Definition at line 389 of file guests.h.
Referenced by IntHandleCrWrite(), IntHookCrCommit(), IntHookCrDeleteHook(), IntHookCrInit(), IntHookCrRemoveAllHooks(), IntHookCrRemoveHook(), IntHookCrSetHook(), and IntHookCrUninit().
| BOOLEAN _GUEST_STATE::DisableOnReturn |
Set to True if after returning from this event handler, introcore must be unloaded.
When certain errors are encountered (for example, failing to find a kernel object during initialization), introcore must stop and unload, but it can not do that because certain steps of the unload process may need to let the guest run before completing. In order to avoid these complications, this is set to True when a reason to disable introcore exists. Event handlers will check it before returning, and if it is set, the INT_STATUS_FATAL_ERROR status will be returned.
Definition at line 328 of file guests.h.
Referenced by IntGuestHandleCr3Write(), IntHandleBreakpoint(), IntHandleCrWrite(), IntHandleDtrViolation(), IntHandleEptViolation(), IntHandleIntroCall(), IntHandleMsrViolation(), IntHandleXcrWrite(), IntLixCrashPanicHandler(), IntLixGuestInitAgentCompletion(), IntLixGuestInitAgentHypercall(), IntWinApiHookAll(), IntWinGuestFindDriversNamespace(), IntWinGuestFinishInit(), IntWinGuestKernelHeadersInMemory(), IntWinGuestNew(), IntWinObjCheckDrvDirSearchState(), IntWinObjHandleRootDirTagInMemory(), and IntWinProcLockCr3().
| DTR_HOOK_STATE* _GUEST_STATE::DtrHooks |
DTR hook state.
Definition at line 390 of file guests.h.
Referenced by IntHandleDtrViolation(), IntHookDtrCommit(), IntHookDtrDeleteHook(), IntHookDtrInit(), IntHookDtrRemoveAllHooks(), IntHookDtrSetHook(), and IntHookDtrUninit().
| BOOLEAN _GUEST_STATE::EnterHibernate |
True if the guest is entering into hibernate.
If this is True, most API calls will fail with INT_STATUS_POWER_STATE_BLOCK as there is no longer safe to make changes to the guest or the internal introcore state.
Definition at line 319 of file guests.h.
Referenced by IntAbortEnableIntro(), IntAddExceptionFromAlert(), IntAddRemoveProtectedProcessUtf16(), IntAddRemoveProtectedProcessUtf8(), IntFlushAlertExceptions(), IntFlushGpaCache(), IntGetCurrentInstructionLength(), IntGetCurrentInstructionMnemonic(), IntGetCurrentIntroOptions(), IntGetExceptionsVersion(), IntGetGuestInfo(), IntGetSupportVersion(), IntGetVersionString(), IntGuestDisableIntro(), IntInjectFileAgentInGuest(), IntInjectProcessAgentInGuest(), IntIterateVaSpace(), IntModifyDynamicOptions(), IntRemoveAllProtectedProcesses(), IntRemoveException(), IntUpdateExceptions(), IntUpdateSupport(), and IntWinPowHandleHibernateEvent().
| EXCEPTIONS* _GUEST_STATE::Exceptions |
The exceptions that are currently loaded.
Definition at line 392 of file guests.h.
Referenced by DbgDumpExceptions(), IntAlertFillVersionInfo(), IntExcept(), IntExceptAlertRemove(), IntExceptInit(), IntExceptKernel(), IntExceptKernelUser(), IntExceptRemove(), IntExceptUninit(), IntExceptUser(), IntExceptVerifyCodeBlocksSig(), IntExceptVerifyExportSig(), IntExceptVerifyIdtSignature(), IntExceptVerifyProcessCreationSignature(), IntExceptVerifyValueCodeSig(), IntExceptVerifyValueSig(), IntExceptVerifyVersionIntroSignature(), IntExceptVerifyVersionOsSignature(), IntUpdateAddCbSignature(), IntUpdateAddExceptionFromAlert(), IntUpdateAddExportSignature(), IntUpdateAddIdtSignature(), IntUpdateAddKernelException(), IntUpdateAddKernelExceptionInOrder(), IntUpdateAddKernelUserException(), IntUpdateAddKernelUserExceptionInOrder(), IntUpdateAddKmException(), IntUpdateAddKmUmException(), IntUpdateAddProcessCreationSignature(), IntUpdateAddUmException(), IntUpdateAddUserException(), IntUpdateAddUserExceptionGlob(), IntUpdateAddUserExceptionInOrder(), IntUpdateAddValueCodeSignature(), IntUpdateAddValueSignature(), IntUpdateAddVersionIntroSignature(), IntUpdateAddVersionOsSignature(), IntUpdateAreExceptionsLoaded(), IntUpdateAssignAlertSignatureIds(), IntUpdateFlushAlertExceptions(), IntUpdateGetVersion(), IntUpdateIsDuplicateCbSignature(), IntUpdateIsDuplicateExportSignature(), IntUpdateIsDuplicateIdtSignature(), IntUpdateIsDuplicateKernelException(), IntUpdateIsDuplicateKernelUserException(), IntUpdateIsDuplicateUserException(), IntUpdateLoadExceptions(), IntUpdateRemoveException(), IntUpdateRemoveSignaturesForException(), and IntUpdateSetIdForException().
| void* _GUEST_STATE::GpaCache |
The currently used GPA cache.
Definition at line 403 of file guests.h.
Referenced by DbgDumpGpaCache(), IntDecEmulatePTWrite(), IntDispatchVeAsEpt(), IntFlushGpaCache(), IntGuestInit(), IntGuestUninit(), IntHookPtsCreateEntry(), IntHookPtsHandleModification(), IntHookPtwEmulateWrite(), IntIntegrityCheckAll(), IntMapGpaForTranslation(), IntUnmapGpaForTranslation(), IntWinProcValidateSystemCr3(), IntWinSDFetchSecDescAddress(), IntWinSDReadSecDesc(), and IntWinTokenFetchTokenAddress().
| BOOLEAN _GUEST_STATE::Guest64 |
True if this is a 64-bit guest, False if it is a 32-bit guest.
Definition at line 290 of file guests.h.
Referenced by DbgDumpCodeblocks(), DbgDumpGuestModules(), DbgDumpPfn(), DbgDumpVadRoot(), IntAgentHandleLogGatherVmcall(), IntAgentHandleRemediationVmcall(), IntAlertCreateDtrException(), IntAlertCreateIdtSignature(), IntAlertEptFillFromVictimZone(), IntAlertFillCodeBlocks(), IntAlertFillDpiExtraInfo(), IntCamiLoadProtOptionsWin(), IntCamiLoadWindows(), IntDecEmulatePageWalk(), IntDecEmulateRead(), IntDecGetSetSseRegValue(), IntDetRelocate(), IntDetSetHook(), IntExceptGetOriginatorFromModification(), IntExceptGetVictimEpt(), IntExceptGetVictimIntegrity(), IntExceptKernelMatchVictim(), IntExceptKernelUserMatchArch(), IntExceptPrintIdtInfo(), IntExceptUserLogWindowsInformation(), IntExceptUserMatchArchitecture(), IntExceptVerifyCodeBlocksSig(), IntExceptVerifyExportSig(), IntExceptVerifyIdtSignature(), IntExceptVerifyProcessCreationSignature(), IntExceptVerifyValueCodeSig(), IntExceptVerifyValueSig(), IntExceptVerifyVersionIntroSignature(), IntExceptVerifyVersionOsSignature(), IntExceptWinKernelGetOriginator(), IntGuestGetInfo(), IntGuestInitMemoryInfo(), IntGuestIsKptiActive(), IntHandleEptViolation(), IntHandleMemAccess(), IntHookPtsCheckIntegrity(), IntHookPtsSetHook(), IntHookPtwEmulateWrite(), IntHookPtwProcessWrite(), IntIdtGetEntry(), IntIntegrityAddRegion(), IntLixDepGetInternalContent(), IntLixGuestNew(), IntLogContextRecord(), IntLogCriticalStructureCoruption(), IntLogCurrentIP(), IntLogExceptionRecord(), IntLogProcessInfo(), IntLogStackTrace(), IntLogTrapFrame(), IntMsrSyscallProtect(), IntMtblCheckAccess(), IntPtiInjectPtFilter(), IntReadString(), IntRtlpVirtualUnwindCheckAccess(), IntSerializeCodeBlocksGetExtractLevel(), IntSerializeDpiWinPivotedStack(), IntSerializeHeader(), IntSerializeIdt(), IntSplitVirtualAddress(), IntStackAnalyzePointer(), IntSwapgsStartMitigation(), IntThrGetStackSize(), IntThrSafeInspectRunningThreads(), IntThrSafeIsStackPtrInIntro(), IntThrSafeMoveReturn(), IntThrSafeMoveRip(), IntThrSafeWinInspectRunningThreadOnCpu(), IntThrSafeWinInspectWaitingThread(), IntVeDeployAgent(), IntWinAgentActivatePendingAgent(), IntWinAgentDeployWinDriver(), IntWinAgentFindInstruction(), IntWinAgentFindPropperSyscall(), IntWinAgentFindSyscallLinkage(), IntWinAgentHandleAppVmcall(), IntWinAgentHandleDriverVmcall(), IntWinAgentInject(), IntWinAgentInjectTrampoline(), IntWinAgentReleaseBootstrap(), IntWinAgentSelectTokens(), IntWinApiHookAll(), IntWinApiUpdateHookDescriptor(), IntWinApiUpdateHooks(), IntWinBcHandleBugCheck(), IntWinCrashHandleDepViolation(), IntWinDepInjectProcess(), IntWinDpiValidateHeapSpray(), IntWinDpiValidateThreadStart(), IntWinDrvCreateFromAddress(), IntWinDrvHandleDriverEntry(), IntWinDrvIsListHead(), IntWinDrvIterateLoadedModules(), IntWinDrvObjCreateFromAddress(), IntWinDrvObjHandleModification(), IntWinDrvObjHandleWrite(), IntWinDrvObjIsValidDriverObject(), IntWinDrvRemoveFromAddress(), IntWinFillRegsFromExceptionInfo(), IntWinGetAccessTokenFromProcess(), IntWinGetAccesTokenFromThread(), IntWinGetPrcoCmdLineHandleCmdLineInMemory(), IntWinGetPrcoCmdLineHandleUserParamsInMemory(), IntWinGuestFetchProductType(), IntWinGuestFindDriversNamespace(), IntWinGuestFindDriversNamespaceNoBuffer(), IntWinGuestFindIdleCr3(), IntWinGuestFindKernelCr3(), IntWinGuestFindKernelObjects(), IntWinGuestFindKernelObjectsInternal(), IntWinGuestFinishInit(), IntWinGuestIsIncreasedUserVa(), IntWinGuestNew(), IntWinGuestReadKernel(), IntWinGuestResolveImports(), IntWinGuestValidateKernel(), IntWinHalCreateHalData(), IntWinHalFindHalHeapAndInterruptController(), IntWinHalFindInterruptController(), IntWinHalFindPerformanceCounterInternal(), IntWinHalHandleDispatchTableWrite(), IntWinHalIsIntController(), IntWinHalReadHal(), IntWinHandleException(), IntWinIdtProtectOnCpu(), IntWinIdtProtectOnCpuEpt(), IntWinIdtProtectOnCpuIntegrity(), IntWinIdtSendIntegrityAlert(), IntWinIdtUnprotectOnCpu(), IntWinInfHookIntegrityHandleWrite(), IntWinIntObjHandleArrayModification(), IntWinIntObjProtect(), IntWinIsUmTrapFrame(), IntWinModCacheCreate(), IntWinModFillInjectionData(), IntWinModHandleLoadFromVad(), IntWinModHandleModulePathInMemory(), IntWinModHandleWrite(), IntWinNetCheckPartition(), IntWinNetFillTcpStruct(), IntWinNetFindTcpBitmap(), IntWinNetFindTcpObjects(), IntWinNetFindTcpPartition(), IntWinNetGetAddrFam(), IntWinNetGetAddrInfo(), IntWinNetGetListenerAddressInfo(), IntWinNetGetLocalAddr(), IntWinNetGetOwner(), IntWinNetGetPortsAndState(), IntWinNetGetTcpPortPool(), IntWinNetIterateLinkedList(), IntWinNetIterateSlinkedList(), IntWinNetParseTcpBitmap(), IntWinNetParseTcpPartition(), IntWinNetSearchForAlloc(), IntWinObjFindRootDirectory(), IntWinObjGetObjectNameInfo(), IntWinObjGetPoolHeaderForObject(), IntWinObjHandleDirectoryEntryInMemory(), IntWinObjHandleDriverDirectoryEntryInMemory(), IntWinObjHandleObjectInMemory(), IntWinObjHandleRootDirTagInMemory(), IntWinObjIsTypeObject(), IntWinObjParseDriverDirectory(), IntWinPatchVadHandleCommit(), IntWinPfnHandleTranslationChange(), IntWinPfnIsMmPfnDatabase(), IntWinPfnLockAddress(), IntWinPfnModifyRefCount(), IntWinPfnUnlockAddress(), IntWinPoolGetPoolHeaderInPage(), IntWinPowGetRequestedPowerState(), IntWinProcAdd(), IntWinProcCreateProcessObject(), IntWinProcEnforceProcessDep(), IntWinProcFillSystemPath(), IntWinProcHandleCopyMemory(), IntWinProcHandleCreateInternal(), IntWinProcHandleTerminate(), IntWinProcPatchCopyMemoryDetour(), IntWinProcPrepareInstrument(), IntWinProcReadCommandLine(), IntWinProcSetUserCr3(), IntWinProcSwapIn(), IntWinProcValidateSystemCr3(), IntWinReadSid(), IntWinReadToken(), IntWinSDFetchSecDescAddress(), IntWinSetUmExceptionEvent(), IntWinStackHandleUserStackPagedOut(), IntWinStackTraceGet(), IntWinStackTraceGetUser(), IntWinStackUserCheckIsPivoted(), IntWinStackUserTrapFrameGetGeneric(), IntWinThrGetCurrentThread(), IntWinThrGetCurrentTib(), IntWinThrHandleThreadHijack(), IntWinThrPatchThreadHijackHandler(), IntWinThrPrepareApcHandler(), IntWinTokenFetchTokenAddress(), IntWinTokenPrivsHandleSwap(), IntWinTokenPrivsHandleWrite(), IntWinTokenPrivsShouldHook(), IntWinTokenPtrIsStolen(), IntWinUmCheckInitializationInjection(), IntWinUmModCacheFetch(), IntWinVadFetchImageName(), IntWinVadFindNodeInGuestSpace(), IntWinVadInOrderRecursiveTraversal(), IntWinVadIsInTree(), IntWinVadPatchDeleteVaRange(), IntWinVadPatchFinishVadDeletion(), IntWinVadPatchInsert(), IntWinVadPatchInsertMap(), IntWinVadPatchInsertPrivate(), IntWinVadPatchVirtualProtect(), IntWinVadShortDump(), IntWinVadStaticInsertNodeIntoProcess(), and IsInitializationDone().
| BOOLEAN _GUEST_STATE::GuestInitialized |
True if the OS-specific portion has been initialized.
Definition at line 293 of file guests.h.
Referenced by IntAddRemoveProtectedProcessUtf16(), IntAddRemoveProtectedProcessUtf8(), IntEnginesResultCallback(), IntGetGuestInfo(), IntGetVersionString(), IntGuestHandleCr3Write(), IntGuestUpdateCoreOptions(), IntHandleBreakpoint(), IntHandleDtrViolation(), IntInjectFileAgentInGuest(), IntInjectProcessAgentInGuest(), IntLixGuestDeployUninitAgent(), IntLixGuestInit(), IntLixGuestNew(), IntLixGuestUninit(), IntModifyDynamicOptions(), IntRemoveAllProtectedProcesses(), IntThrSafeCheckThreads(), IntUpdateSupport(), IntWinGuestInit(), IntWinGuestUninit(), IntWinProcValidateSystemCr3(), IntWinSDCheckIntegrity(), IntWinSelfMapDisableSelfMapEntryProtection(), IntWinSelfMapEnableSelfMapEntryProtection(), IntWinSelfMapGetAndCheckSelfMapEntry(), IntWinSelfMapValidateSelfMapEntries(), and IntWinTokenCheckIntegrity().
| BOOLEAN _GUEST_STATE::Initialized |
True if this structure was initialized and can be used.
Set in IntGuestInit and unset in IntGuestUninit.
Definition at line 289 of file guests.h.
Referenced by IntAddExceptionFromAlert(), IntDisableIntro(), IntFlushAlertExceptions(), IntFlushGpaCache(), IntGetCurrentInstructionLength(), IntGetCurrentInstructionMnemonic(), IntGetCurrentIntroOptions(), IntGetExceptionsVersion(), IntGetSupportVersion(), IntGuestInit(), IntHandleBreakpoint(), IntHandleCrWrite(), IntHandleEptViolation(), IntHandleEventInjection(), IntHandleIntroCall(), IntHandleMsrViolation(), IntHandleTimer(), IntHandleXcrWrite(), IntNewGuestNotification(), IntRemoveException(), IntUninit(), and IntUpdateExceptions().
| void* _GUEST_STATE::InstructionCache |
The currently used instructions cache.
Definition at line 404 of file guests.h.
Referenced by IntGetCurrentInstructionLength(), IntGetCurrentInstructionMnemonic(), IntGuestInit(), IntGuestUninit(), IntHandleDtrViolation(), IntHandleEptViolation(), IntIcDumpIcache(), IntIcSwapHandler(), IntIcWriteHandler(), IntLixAgentActivatePendingAgent(), IntLixTaskDeactivateExploitProtection(), IntLixTaskDestroy(), IntMtblDisable(), IntMtblPatchInstruction(), IntMtblRemoveEntry(), IntPtiDeleteInstruction(), IntPtiMonitorAllPtWriteCandidates(), IntSwapgsDisable(), IntSwapgsStartMitigation(), IntVirtMemSafeWrite(), IntWinAgentActivatePendingAgent(), and IntWinProcChangeProtectionFlags().
| QWORD _GUEST_STATE::IntroActiveEventId |
The event ID on which introcore became active.
Set in IntWinGuestFinishInit for Windows guests and IntLixGuestNew for Linux guests. This is used in order to disable any stats collecting done before relevant actions are done for introspecting a guest.
Definition at line 381 of file guests.h.
Referenced by IntLixGuestNew(), IntStatStart(), IntStatStop(), and IntWinGuestFinishInit().
| BOOLEAN _GUEST_STATE::KernelBetaDetections |
True if the kernel protection is in beta (log-only) mode.
If this is True, kernel alerts will be generated, but the action will always be introGuestAllowed. Set to True when the INTRO_OPT_KM_BETA_DETECTIONS is passed to GLUE_IFACE.NewGuestNotification or GLUE_IFACE.ModifyDynamicOptions.
Definition at line 303 of file guests.h.
Referenced by IntExceptKernelLogLinuxInformation(), IntExceptKernelLogWindowsInformation(), IntGuestInit(), IntGuestUpdateCoreOptions(), IntHookGvaEnableHooks(), IntHookPtmWriteCallback(), IntHookPtsCheckIntegrity(), IntHookPtsWriteCallback(), IntLixTaskSendCredViolationEvent(), IntPolicyCoreIsOptionBeta(), IntVeHandleAccess(), IntVeHandleEPTViolationInProtectedView(), IntWinBcHandleBugCheck(), IntWinHalSendPerfCntIntegrityAlert(), IntWinInfHookIntegritySendAlert(), IntWinProcValidateSystemCr3(), IntWinSelfMapCheckSelfMapEntry(), and IntWinTokenPtrCheckIntegrityOnProcess().
| KERNEL_DRIVER* _GUEST_STATE::KernelDriver |
Points to the driver object that describes the kernel image.
Definition at line 385 of file guests.h.
Referenced by IntExceptKernelLogLinuxInformation(), IntExceptLixKernelGetOriginator(), IntExceptPrintMsrInfo(), IntHandleTimer(), IntLixDrvCreateKernel(), IntLixDrvUpdateProtection(), IntLixDumpStacktrace(), IntLixHookKernelRead(), IntLixHookKernelWrite(), IntLixUnhookKernelRead(), IntLixUnhookKernelWrite(), IntWinBcLogBsodEvent(), IntWinDrvForceDisableReadNtEat(), IntWinDrvHandleRead(), IntWinDrvHeadersInMemory(), IntWinGuestFinishInit(), IntWinHalCreateHalData(), IntWinInfHookProtect(), IntWinProtectReadNtEat(), and IntWinUnprotectReadNtEat().
| DWORD _GUEST_STATE::KernelSize |
The size of the kernel.
Definition at line 284 of file guests.h.
Referenced by IntDisasmBuffer(), IntDisasmGva(), IntKsymFindByAddress(), IntLixGuestFindKernel(), IntLixGuestInit(), IntMtblCheckAccess(), IntMtblPatchInstruction(), IntRtlpVirtualUnwindCheckAccess(), IntSwapgsStartMitigation(), IntWinGuestFindIdleCr3(), IntWinGuestNew(), IntWinGuestReadKernel(), IntWinHalIsIntController(), and IntWinProcIsPsActiveProcessHead().
| QWORD _GUEST_STATE::KernelVa |
The guest virtual address at which the kernel image.
Definition at line 283 of file guests.h.
Referenced by IntAlertEptFillFromVictimZone(), IntDetDumpDetours(), IntDetSetHook(), IntDisasmBuffer(), IntDisasmGva(), IntExceptGetOriginatorFromModification(), IntExceptLixGetVictimDriver(), IntExceptLixKernelGetOriginator(), IntExceptWinGetVictimDriver(), IntExceptWinKernelGetOriginator(), IntKsymFindByAddress(), IntKsymRelativeFindOffsetTableEnd(), IntLixAgentAllocate(), IntLixGuestFindKernel(), IntLixGuestFindKernelBase(), IntLixGuestInit(), IntMtblCheckAccess(), IntMtblPatchInstruction(), IntPeFindKernelExport(), IntPtiMonitorAllPtWriteCandidates(), IntRtlpVirtualUnwindCheckAccess(), IntSlackAllocLinux(), IntSlackAllocWindows(), IntSwapgsInstallHandler(), IntSwapgsStartMitigation(), IntWinAgentFindPropperSyscall(), IntWinAgentFindSyscallLinkage(), IntWinAgentInjectTrampoline(), IntWinAgentSelectBootstrapAddress(), IntWinApiFindFunctionRva(), IntWinApiHook(), IntWinDrvHandleRead(), IntWinDrvHeadersInMemory(), IntWinGuestFindDriversNamespace(), IntWinGuestFindDriversNamespaceNoBuffer(), IntWinGuestFindIdleCr3(), IntWinGuestFindKernelObjectsInternal(), IntWinGuestFinishInit(), IntWinGuestNew(), IntWinGuestReadKernel(), IntWinGuestResolveImports(), IntWinHalFindPerformanceCounter(), IntWinHalFindPerformanceCounterInternal(), IntWinHalIsIntController(), IntWinHalReadHal(), IntWinInfCheckCtxLoggerOnRelocation(), IntWinInfHookGetEtwpDebuggerData(), IntWinInfHookGetWmiLoggerGetCpuClock(), IntWinInfHookSppViolationCallbackWmiPtrChanged(), IntWinPfnIsMmPfnDatabase(), IntWinProcIsPsActiveProcessHead(), and IntWinStackTraceGet64().
| BOOLEAN _GUEST_STATE::KptiActive |
True if KPTI is enabled on this guest, False if it is not.
Definition at line 291 of file guests.h.
Referenced by IntGetGprs(), IntGuestHandleCr3Write(), IntLixGetKernelCr3(), IntLixGuestIsKptiActive(), IntSwapgsStartMitigation(), IntVeDeliverDriverForLoad(), IntVeFindKernelKvaShadowAndKernelExit(), IntVePatchVeCoreJmpKiKernelExit(), IntWinApiHookVeHandler(), IntWinGuestNew(), and IntWinProcSetUserCr3().
| BOOLEAN _GUEST_STATE::KptiInstalled |
True if KPTI was detected as installed (not necessarily active).
Definition at line 292 of file guests.h.
Referenced by IntCamiLoadProtOptionsWin(), IntCamiLoadWindows(), IntGuestHandleCr3Write(), IntLixGuestIsKptiActive(), IntWinGuestFinishInit(), IntWinGuestIsSupported(), and IntWinGuestNew().
| BOOLEAN _GUEST_STATE::LA57 |
True if 5-level paging is being used.
Definition at line 296 of file guests.h.
Referenced by IntGuestInitMemoryInfo(), and IntSplitVirtualAddress().
| MM _GUEST_STATE::Mm |
Guest memory information, such as paging mode, system Cr3 value, etc.
Definition at line 374 of file guests.h.
Referenced by _IntLixTaskRead(), _IntLixTaskStartMap(), DbgDumpPfn(), DbgVaSpaceIterationCallbackCount(), IntAlertFillDpiExtraInfo(), IntCrSendAlert(), IntDetPatchArgument(), IntDetRelocate(), IntDtrSendAlert(), IntExceptDumpSignatures(), IntExceptGetVictimIntegrity(), IntExceptKernelLogWindowsInformation(), IntExceptUserLogWindowsInformation(), IntExceptVerifyCodeBlocksSig(), IntExceptVerifyValueCodeSig(), IntGuestGetLastGpa(), IntGuestHandleCr3Write(), IntGuestInit(), IntGuestInitMemoryInfo(), IntHandleDtrViolation(), IntHandleEptViolation(), IntHookGvaSetHook(), IntHookPtmSetHook(), IntHookPtmWriteCallback(), IntHookPtsCreateEntry(), IntHookPtsSetHook(), IntIcAddInvdForInstruction(), IntIntegrityAddRegion(), IntIntegrityCheckAll(), IntIntegrityRecalculate(), IntKernVirtMemRead(), IntKernVirtMemWrite(), IntKsymFindIndexesTableStart(), IntKsymFindMarkersReducedTableEnd(), IntKsymFindMarkersTableEnd(), IntKsymFindNamesTableEnd(), IntKsymInitAbsolute(), IntKsymRelativeFindOffsetTableEnd(), IntKsymRelativeFindOffsetTableStart(), IntLixAgentCreateThreadHypercall(), IntLixAgentFillDataFromMemory(), IntLixAgentFree(), IntLixCrashDumpDmesg(), IntLixCredInitMap(), IntLixCredsDump(), IntLixDepDeployFileHypercall(), IntLixDrvCreateDriverObject(), IntLixDrvFindList(), IntLixDrvSendViolationEvent(), IntLixDrvValidate(), IntLixDumpStacktrace(), IntLixFsrInitMap(), IntLixFsrRead(), IntLixGetInitTask(), IntLixGuestAllocateFill(), IntLixGuestAllocateHook(), IntLixGuestClearGuestMemory(), IntLixGuestFindKernelBase(), IntLixGuestFindKernelVersionAndRo(), IntLixGuestInitAgentCompletion(), IntLixGuestNew(), IntLixKernelHandleRead(), IntLixMmGetInitMm(), IntLixMsrHandleWrite(), IntLixPatchSwapgs(), IntLixStackTraceGet(), IntLixStackTraceGetReg(), IntLixTaskCreateFromBinprm(), IntLixTaskFetchCmdLine(), IntLixTaskFetchMm(), IntLixTaskMarkAgent(), IntLixVdsoFixedProtect(), IntLixVmaGetPageCount(), IntLogCriticalStructureCoruption(), IntMemClkCloakRegion(), IntPeFindFunctionByPattern(), IntPeListSectionsHeaders(), IntPtiCacheAdd(), IntPtiCacheRemove(), IntPtiDeliverDriverForLoad(), IntPtiHookPtDriver(), IntPtiMonitorAllPtWriteCandidates(), IntPtiRemoveInstruction(), IntPtiRemovePtFilter(), IntReadString(), IntSerializeDpiWinPivotedStack(), IntSerializeLixKmMisc(), IntSerializeWinKmMisc(), IntSlackAllocLinux(), IntSlackAllocWindows(), IntSwapMemReadData(), IntThrSafeIsStackPtrInIntro(), IntThrSafeMoveReturn(), IntThrSafeWinInspectWaitingThread(), IntTranslateVirtualAddressEx(), IntVasStartMonitorVaSpace(), IntVeDeliverDriverForLoad(), IntVeDumpVeInfoPage(), IntVeEnableDisableDriverAccessInProtectedView(), IntVeHandleEPTViolationInProtectedView(), IntVeHookVeDriver(), IntVeIsAgentRemapped(), IntVePatchVeCoreJmpKiKernelExit(), IntVePatchVeCoreJmpTrampoline(), IntVeRemoveAgent(), IntVeSetVeInfoPage(), IntVeUpdateCacheEntry(), IntWinAgentHandleLoader1Hypercall(), IntWinDrvObjCreateFromAddress(), IntWinDrvObjHandleWrite(), IntWinDrvObjIsValidDriverObject(), IntWinDrvObjRemoveFromAddress(), IntWinDrvRemoveFromAddress(), IntWinGuestFindBuildNumber(), IntWinGuestFindDriversNamespace(), IntWinGuestFindDriversNamespaceNoBuffer(), IntWinGuestFindIdleCr3(), IntWinGuestFindKernel(), IntWinGuestFindKernelCr3(), IntWinGuestFindKernelObjects(), IntWinGuestFindKernelObjectsInternal(), IntWinGuestFindSelfMapIndex(), IntWinGuestNew(), IntWinGuestReadKernel(), IntWinGuestValidateKernel(), IntWinHalFindHalHeapAndInterruptController(), IntWinHalFindInterruptController(), IntWinHalHandleDispatchTableWrite(), IntWinHalHandleHalHeapExec(), IntWinHalProtectHalHeapExecs(), IntWinHalReadHal(), IntWinInfHookGetCircularCtxLogger(), IntWinInfHookHookSppWmiGetClock(), IntWinInfHookSppHookWmiSiloPtr(), IntWinIntObjHandleArrayModification(), IntWinIntObjHandleObjectModification(), IntWinMsrSendAlert(), IntWinNetFillTcpStruct(), IntWinNetFindTcpBitmap(), IntWinNetFindTcpObjects(), IntWinNetFindTcpPartition(), IntWinNetSearchForAlloc(), IntWinPfnIsMmPfnDatabase(), IntWinPfnLockAddress(), IntWinPfnModifyRefCount(), IntWinProcCreateProcessObject(), IntWinProcEnforceProcessDep(), IntWinProcMapEprocess(), IntWinProcMarkAgent(), IntWinProcPatchSpareValue(), IntWinProcRemoveProcess(), IntWinProcValidateSystemCr3(), IntWinSDCheckAclIntegrity(), IntWinSDCheckSecDescIntegrity(), IntWinSDFetchSecDescAddress(), IntWinSDReadSecDesc(), IntWinSelfMapDisableSelfMapEntryProtection(), IntWinSelfMapEnableSelfMapEntryProtection(), IntWinSelfMapGetAndCheckSelfMapEntry(), IntWinSelfMapProtectSelfMapIndex(), IntWinSelfMapValidateSelfMapEntries(), IntWinStackTraceGet32(), IntWinStackTraceGet64(), IntWinStackUserTrapFrameGet32(), IntWinStackUserTrapFrameGet64(), IntWinSudHandleFieldModification(), IntWinSudProtectSudExec(), IntWinTokenCheckCurrentPrivileges(), IntWinTokenFetchTokenAddress(), IntWinTokenPrivsProtectOnProcess(), IntWinTokenPrivsShouldHook(), IntWinTokenProtectPrivsInternal(), and IntWinVadMapShortVad().
| MSR_HOOK_STATE* _GUEST_STATE::MsrHooks |
MSR hook state.
Definition at line 387 of file guests.h.
Referenced by IntHandleMsrViolation(), IntHookMsrCommit(), IntHookMsrDeleteHook(), IntHookMsrInit(), IntHookMsrRemoveAllHooks(), IntHookMsrRemoveHook(), IntHookMsrSetHook(), and IntHookMsrUninit().
| INTRO_GUEST_TYPE _GUEST_STATE::OSType |
The type of the guest.
Definition at line 278 of file guests.h.
Referenced by DbgDumpProcesses(), DbgProcList(), IntAddRemoveProtectedProcessUtf16(), IntAddRemoveProtectedProcessUtf8(), IntAgentActivatePendingAgent(), IntAgentDisablePendingAgents(), IntAgentEnableInjection(), IntAgentGetState(), IntAgentHandleInt3(), IntAgentHandleLogGatherVmcall(), IntAgentHandleRemediationVmcall(), IntAgentHandleVmcall(), IntAgentIsPtrInTrampoline(), IntAlertCoreGetFlags(), IntAlertCreateIntegrityException(), IntAlertDtrFill(), IntAlertEptFillFromVictimZone(), IntAlertFillCodeBlocks(), IntAlertFillConnection(), IntAlertProcGetFlags(), IntCamiSetProcProtOptions(), IntCamiUpdateProcessProtectionInfo(), IntCamiUpdateProcessProtectionItems(), IntCr4HandleWrite(), IntCrSendAlert(), IntDecDecodeInstructionAtRipWithCache(), IntDecEmulateRead(), IntDepInjectFile(), IntDepInjectProcess(), IntDepRunCommand(), IntDetCallCallback(), IntDetDisableDetour(), IntDetDumpDetours(), IntDetHandleWrite(), IntDetIsPtrInHandler(), IntDetPermanentlyDisableDetour(), IntDetSendIntegrityAlert(), IntDetSetHook(), IntDisasmBuffer(), IntDisasmGva(), IntDispatchVeAsEpt(), IntDriverDump(), IntDriverFindByAddress(), IntDriverFindByName(), IntDriverFindByPath(), IntDriverLoadHandler(), IntDriverUninit(), IntDriverUnloadHandler(), IntDtrHandleWrite(), IntDtrSendAlert(), IntEngFillExecDetails(), IntEnginesResultCallback(), IntExceptDumpSignatures(), IntExceptGetOriginatorFromModification(), IntExceptGetVictimEpt(), IntExceptGetVictimIntegrity(), IntExceptGetVictimProcess(), IntExceptGetVictimProcessCreation(), IntExceptKernelGetOriginator(), IntExceptKernelLogInformation(), IntExceptKernelMatchVictim(), IntExceptKernelUser(), IntExceptKernelUserLogInformation(), IntExceptKernelUserLogWindowsInformation(), IntExceptKernelUserMatchProcessHash(), IntExceptKernelUserMatchVictim(), IntExceptMatchException(), IntExceptPrintMsrInfo(), IntExceptUserGetExecOriginator(), IntExceptUserGetOriginator(), IntExceptUserLogInformation(), IntExceptUserMatchArchitecture(), IntExceptUserMatchChild(), IntExceptUserMatchProcessGlob(), IntExceptUserMatchProcessHash(), IntExceptUserMatchSystemProcess(), IntExceptUserVerifyExtra(), IntExceptUserVerifyExtraGlobMatch(), IntExceptVerifyCodeBlocksSig(), IntExceptVerifyExportSig(), IntExceptVerifyIdtSignature(), IntExceptVerifyProcessCreationSignature(), IntExceptVerifyValueCodeSig(), IntExceptVerifyValueSig(), IntExceptVerifyVersionIntroSignature(), IntExceptVerifyVersionOsSignature(), IntGetGprs(), IntGetVersionString(), IntGuestDisableIntro(), IntGuestGetInfo(), IntGuestPrepareUninit(), IntGuestUninit(), IntGuestUninitOnBugcheck(), IntGuestUpdateCoreOptions(), IntHandleTimer(), IntHookGvaEnableHooks(), IntIntegrityAddRegion(), IntKsymFindByName(), IntKsymInit(), IntLixAgentUninit(), IntLixGuestNew(), IntLixNetIterateTaskConnections(), IntLixNetSendGuestConnections(), IntMsrSyscallProtect(), IntMtblCheckAccess(), IntNetConvertState(), IntPolicyGetProcProt(), IntPolicyProcIsBeta(), IntPolicyProcIsFeedback(), IntPtiInjectPtFilter(), IntReadString(), IntRemoveAllProtectedProcesses(), IntRtlpVirtualUnwindCheckAccess(), IntSerializeCodeBlocksGetExtractLevel(), IntSerializeHeader(), IntSerializeKernelDriver(), IntSerializeKmMisc(), IntSerializeKmOriginator(), IntSerializeKmVictim(), IntSerializeProcess(), IntSerializeRawDump(), IntSerializeUmMisc(), IntSerializeUmOriginator(), IntSerializeUmVictim(), IntSerializeVad(), IntShcIsSuspiciousCode(), IntSlackAlloc(), IntSlackSendIntegrityAlert(), IntSwapMemInjectMiniSwapper(), IntThrGetStackSize(), IntThrSafeCheckThreads(), IntThrSafeInspectRunningThreads(), IntThrSafeIsStackPtrInIntro(), IntThrSafeMoveReturn(), IntUpdateAddCbSignature(), IntUpdateAddExportSignature(), IntUpdateAddIdtSignature(), IntUpdateAddKernelException(), IntUpdateAddKernelUserException(), IntUpdateAddProcessCreationSignature(), IntUpdateAddUserException(), IntUpdateAddUserExceptionGlob(), IntUpdateAddValueCodeSignature(), IntUpdateAddValueSignature(), IntUpdateAddVersionIntroSignature(), IntUpdateAddVersionOsSignature(), IntUpdateSupport(), IntVasPageTableWriteCallback(), IntVeDeployAgent(), IntWinAgentDeployWinDriver(), IntWinAgentInject(), IntWinAgentInjectBreakpoint(), IntWinGuestFinishInit(), IntWinGuestNew(), IntWinProcValidateSystemCr3(), IntWinSDCheckIntegrity(), IntWinSelfMapDisableSelfMapEntryProtection(), IntWinSelfMapEnableSelfMapEntryProtection(), IntWinSelfMapGetAndCheckSelfMapEntry(), IntWinSelfMapProtectSelfMapIndex(), IntWinSelfMapValidateSelfMapEntries(), and IntWinTokenCheckIntegrity().
| DWORD _GUEST_STATE::OSVersion |
Os version.
Definition at line 281 of file guests.h.
Referenced by IntAlertFillVersionInfo(), IntCamiLoadProtOptionsWin(), IntCamiLoadWindows(), IntExceptVerifyVersionOsSignature(), IntGuestGetInfo(), IntLixDepInjectFile(), IntLixDepInjectProcess(), IntLixDepRunCommand(), IntLixGuestNew(), IntLixGuestSetOsVersion(), IntLixTaskCreate(), IntPtiInjectPtFilter(), IntRtlpVirtualUnwindCheckAccess(), IntVeDeliverDriverForLoad(), IntWinAgentFindInstruction(), IntWinApiHook(), IntWinApiHookAll(), IntWinApiUpdateHookDescriptor(), IntWinDrvHeadersInMemory(), IntWinGuestFinishInit(), IntWinGuestIsSupported(), IntWinGuestNew(), IntWinHalCreateHalData(), IntWinIdtProtectOnCpu(), IntWinIdtUnprotectOnCpu(), IntWinNetFindTcpBitmap(), IntWinNetFindTcpPartition(), IntWinNetGetAddrInfo(), IntWinNetParseTcpBitmap(), IntWinObjHandleRootDirTagInMemory(), IntWinObjIsTypeObject(), IntWinPatchVadHandleCommit(), IntWinProcCreateProcessObject(), IntWinProcIsExploitGuardEnabled(), IntWinProcPatchPspInsertProcess86(), IntWinThrPatchThreadHijackHandler(), IntWinTokenCheckCurrentPrivileges(), IntWinUmCheckInitializationInjection(), IntWinVadFindNodeInGuestSpace(), IntWinVadInOrderRecursiveTraversal(), IntWinVadPatchDeleteVaRange(), IntWinVadPatchFinishVadDeletion(), IntWinVadPatchInsert(), IntWinVadPatchInsertMap(), IntWinVadPatchInsertPrivate(), IntWinVadPatchVirtualProtect(), IsInitializationDone(), and ShouldIgnoreInjection().
| BOOLEAN _GUEST_STATE::PaeEnabled |
True if Physical Address Extension is enabled.
Definition at line 295 of file guests.h.
Referenced by DbgDumpPfn(), IntDecEmulatePageWalk(), IntGuestInitMemoryInfo(), IntHandleEptViolation(), IntHookPtmAddTable(), IntHookPtmSetHook(), IntHookPtmWriteCallback(), IntHookPtwEmulateWrite(), IntSplitVirtualAddress(), IntWinPfnHandleTranslationChange(), IntWinPfnIsMmPfnDatabase(), and IntWinPfnModifyRefCount().
| DWORD _GUEST_STATE::ProtectedEptIndex |
The EPTP index of the trusted EPT.
When #VE is used, this is the EPT in which the #VE agent is mapped.
Definition at line 401 of file guests.h.
Referenced by IntHandleEptViolation(), IntHookGpaInit(), IntVeDeliverDriverForLoad(), IntVeDumpStats(), IntVeEnableDisableDriverAccessInProtectedView(), IntVeHandleEPTViolationInProtectedView(), IntVeHandleSwap(), IntVeInit(), and IntVeUnInit().
| BOOLEAN _GUEST_STATE::ProtectionActivated |
True if protection was activated for this guest.
Definition at line 297 of file guests.h.
Referenced by IntIntegrityCheckAll(), IntLixGuestActivateProtection(), IntWinGuestActivateProtection(), IntWinProcValidateSystemCr3(), IntWinSDCheckIntegrity(), IntWinSelfMapDisableSelfMapEntryProtection(), IntWinSelfMapEnableSelfMapEntryProtection(), IntWinSelfMapGetAndCheckSelfMapEntry(), IntWinSelfMapValidateSelfMapEntries(), and IntWinTokenCheckIntegrity().
| BOOLEAN _GUEST_STATE::PtFilterEnabled |
If True, the in-guest PT filter is enabled and deployed.
This will happen if the INTRO_OPT_IN_GUEST_PT_FILTER option was provided. Set by IntPtiEnableFiltering and reset by IntPtiDisableFiltering.
Definition at line 338 of file guests.h.
Referenced by IntHookPtsCheckIntegrity(), IntPtiDisableFiltering(), and IntPtiEnableFiltering().
| BOOLEAN _GUEST_STATE::PtFilterFlagRemoved |
Set to True if the INTRO_OPT_IN_GUEST_PT_FILTER was given, but it was removed.
This can happen if both INTRO_OPT_IN_GUEST_PT_FILTER, and INTRO_OPT_VE are given and the #VE mechanism was properly initialized, as we prefer to use #VE instead of the PT filter when possible. If the loading of the #VE agent fails and this is True, we will try to re-activate the PT filter.
Definition at line 365 of file guests.h.
Referenced by IntGuestInit(), IntGuestUpdateCoreOptions(), and IntVeCompleteLoader().
| BOOLEAN _GUEST_STATE::PtFilterWaiting |
True if the in-guest PT filter was not yet injected, but it should be.
This is used to properly re-inject the PT filter agent after a guest resumed from sleep. When the guest resumes, IntPtiHandleGuestResumeFromSleep will set this to True if the INTRO_OPT_IN_GUEST_PT_FILTER option is currently active. While this is True, calling IntGuestPreReturnCallback with the POST_RETRY_PERFAGENT option will inject the agent.
Definition at line 345 of file guests.h.
Referenced by IntGuestPreReturnCallback(), and IntPtiHandleGuestResumeFromSleep().
| DWORD _GUEST_STATE::RepOptsDisableCount |
The number of times the rep optimizations have been disabled.
Definition at line 383 of file guests.h.
Referenced by IntHandleEptViolation().
| BOOLEAN _GUEST_STATE::SafeToApplyOptions |
True if the current options can be changed dynamically.
Definition at line 294 of file guests.h.
Referenced by IntGuestUpdateCoreOptions(), IntLixGuestIsSupported(), IntUpdateSupport(), and IntWinGuestIsSupported().
| SHEMU_CONTEXT _GUEST_STATE::Shemucontext |
Shellcode emulator context.
Definition at line 406 of file guests.h.
Referenced by IntShcIsSuspiciousCode().
| BYTE _GUEST_STATE::ShemuInternal[SHEMU_SHELLCODE_SIZE+SHEMU_STACK_SIZE] |
The shellcode emulator internal buffer.
Definition at line 413 of file guests.h.
Referenced by IntShcIsSuspiciousCode().
| INTRO_PROT_OPTIONS _GUEST_STATE::ShemuOptions |
Flags which describe the way shemu will give detections.
Definition at line 272 of file guests.h.
Referenced by IntCamiSetShemuOptions(), IntGuestUpdateShemuOptions(), IntLixVmaHandlePageExecution(), IntShcIsSuspiciousCode(), IntWinDpiForceFeedbackIfNeeded(), and IntWinVadIsExecSuspicious().
| BYTE _GUEST_STATE::ShemuShellcode[SHEMU_SHELLCODE_SIZE] |
The shellcode emulator shellcode buffer.
Definition at line 409 of file guests.h.
Referenced by IntShcIsSuspiciousCode().
| BYTE _GUEST_STATE::ShemuStack[SHEMU_STACK_SIZE] |
The shellcode emulator stack buffer.
Definition at line 411 of file guests.h.
Referenced by IntShcIsSuspiciousCode().
| BOOLEAN _GUEST_STATE::ShutDown |
True if the system process protection is in beta (log-only) mode.
Since the system processes are protected when the INTRO_OPT_PROT_UM_SYS_PROCS introcore option is used and no actual process protection policy is received via GLUE_IFACE.AddRemoveProtectedProcessUtf16 or GLUE_IFACE.AddRemoveProtectedProcessUtf8, there is no way of letting an integrator set the PROC_OPT_BETA process option for them. In this case, there is an introcore option that can be used: INTRO_OPT_SYSPROC_BETA_DETECTIONS. If this is True, alerts on system processes will be generated, but the action will always be introGuestAllowed. The guest has been shut-down. It is no longer safe to access the guest state.
Definition at line 313 of file guests.h.
Referenced by IntHandleTimer(), IntLixTaskMarkAgent(), IntNotifyGuestPowerStateChange(), IntWinPfnRemoveLock(), and IntWinProcUninit().
| BOOLEAN _GUEST_STATE::SupportDTR |
Set to True if support for DTR access exits was detected.
Definition at line 358 of file guests.h.
Referenced by IntGdtrProtect(), IntGuestInit(), and IntIdtrProtect().
| BOOLEAN _GUEST_STATE::SupportSPP |
Set to True if support for SPP was detected.
Definition at line 357 of file guests.h.
Referenced by IntGuestInit(), IntHookGpaInit(), IntWinInfHookProtect(), IntWinInfHookSppHookWmiSiloPtr(), and IntWinTokenPrivsShouldHook().
| BOOLEAN _GUEST_STATE::SupportVE |
Set to True if support for #VE was detected.
Definition at line 355 of file guests.h.
Referenced by IntGuestInit(), and IntVeInit().
| BOOLEAN _GUEST_STATE::SupportVMFUNC |
Set to True if support for VMFUNC was detected.
Definition at line 356 of file guests.h.
Referenced by IntGuestInit(), and IntVeInit().
| BOOLEAN _GUEST_STATE::SysprocBetaDetections |
Definition at line 304 of file guests.h.
Referenced by IntGuestInit(), IntGuestUpdateCoreOptions(), IntWinProcChangeProtectionFlags(), and IntWinProcUpdateProtection().
| BOOLEAN _GUEST_STATE::Terminating |
The guest is terminating.
Definition at line 314 of file guests.h.
Referenced by IntLixGuestDeployUninitAgent(), and IntNotifyGuestPowerStateChange().
| QWORD _GUEST_STATE::TimerCalls |
The number of times the timer callback has been invoked.
Definition at line 274 of file guests.h.
Referenced by IntHandleTimer(), IntSwapMemInjectPendingPF(), and IntSwapMemReinjectFailedPF().
| QWORD _GUEST_STATE::TscSpeed |
Number of ticks/second of this given guest. Should be the same as the global (physical) one.
Definition at line 276 of file guests.h.
Referenced by IntGuestInit(), and IntStatsDumpAll().
| BOOLEAN _GUEST_STATE::UninitPrepared |
True if uninit is prepared.
Definition at line 320 of file guests.h.
Referenced by IntAddRemoveProtectedProcessUtf16(), IntAddRemoveProtectedProcessUtf8(), IntGetVersionString(), IntGuestPrepareUninit(), IntGuestUpdateCoreOptions(), IntInjectFileAgentInGuest(), IntInjectProcessAgentInGuest(), IntLixGuestInitAgentCompletion(), IntLixGuestInitAgentHypercall(), IntPtiCompleteLoader(), IntPtiInjectPtFilter(), IntRemoveAllProtectedProcesses(), IntStatStart(), IntStatStop(), IntUpdateSupport(), IntVeDeployAgent(), IntWinAgentHandleDriverVmcall(), and IntWinProcSendDllEvent().
| DWORD _GUEST_STATE::UntrustedEptIndex |
The EPTP index of the untrusted EPT.
When #VE is used, this is the EPT in which the guest is mapped.
Definition at line 397 of file guests.h.
Referenced by DbgCheckEpt(), IntDbgCheckHooks(), IntHookGpaDump(), IntHookGpaEnableDisablePtCache(), IntHookGpaEnableDisableVe(), IntHookGpaFindConvertible(), IntHookGpaGetEPTPageProtection(), IntHookGpaInit(), IntHookGpaSetHook(), IntHookGpaSetNewPageProtection(), IntValidateRangeForWrite(), IntVeDeliverDriverForLoad(), IntVeDumpVeInfoPage(), IntVeHandleEPTViolationInProtectedView(), IntVeInit(), IntVirtMemSafeWrite(), and IntWinHalProtectHalHeapExecs().
| PVCPU_STATE _GUEST_STATE::VcpuArray |
Array of the VCPUs assigned to this guest. The index in this array matches the VCPU number.
This is allocated in IntGuestInit and freed in IntGuestUninit.
Definition at line 372 of file guests.h.
Referenced by DbgDumpCpuState(), DbgLogKpcr(), IntApiEnter(), IntGetCurrentInstructionLength(), IntGuestGetIdtFromGla(), IntGuestHandleCr3Write(), IntGuestInit(), IntGuestUninit(), IntGuestUninitOnBugcheck(), IntHandleBreakpoint(), IntHandleCrWrite(), IntHandleDtrViolation(), IntHandleEptViolation(), IntHandleEventInjection(), IntHandleIntroCall(), IntHandleMsrViolation(), IntHandleTimer(), IntHandleXcrWrite(), IntInjectExceptionInGuest(), IntLixGuestNew(), IntLixIdtProtectOnCpu(), IntLixIdtUnprotectAll(), IntLogGuestRegisters(), IntUDRemoveAllEntriesForCr3(), IntVeDeliverDriverForLoad(), IntVeDumpStats(), IntVeDumpVeInfoPage(), IntVeSetVeInfoPage(), IntWinGetActiveCpuCount(), IntWinGuestNew(), IntWinIdtProtectOnCpu(), IntWinIdtProtectOnCpuEpt(), IntWinIdtProtectOnCpuIntegrity(), IntWinIdtUnprotectOnCpu(), IntWinIdtUnprotectOnCpuEpt(), IntWinIdtUnprotectOnCpuIntergity(), IntWinIntObjProtect(), and IntWinThrGetCurrentThread().
| BOOLEAN _GUEST_STATE::VeAgentWaiting |
True if the #VE agent was not yet injected, but it should be.
This is used to properly re-inject the #VE agent after a guest resumed from sleep. When the guest resumes, IntVeHandleGuestResumeFromSleep will set this to True if the INTRO_OPT_VE option is currently active. While this is True, calling IntGuestPreReturnCallback with the POST_RETRY_PERFAGENT option will inject the agent.
Definition at line 352 of file guests.h.
Referenced by IntGuestPreReturnCallback(), and IntVeHandleGuestResumeFromSleep().
| BOOLEAN _GUEST_STATE::VeInitialized |
Set to True if #VE initialization was done.
Definition at line 353 of file guests.h.
Referenced by IntGuestInit(), IntGuestUpdateCoreOptions(), IntVeInit(), and IntVeUnInit().
| BYTE _GUEST_STATE::WordSize |
Guest word size. Will be 4 for 32-bit guests and 8 for 64-bit guests.
Definition at line 367 of file guests.h.
Referenced by IntDetGetArgumentInternal(), IntDetGetArguments(), IntDetPatchArgument(), IntDetSendIntegrityAlert(), IntExceptGetVictimDtr(), IntExceptGetVictimIntegrity(), IntExceptGetVictimMsr(), IntExceptKernelLogWindowsInformation(), IntExceptKernelUserLogWindowsInformation(), IntExceptPrintDrvObjInfo(), IntExceptPrintWinKmModInfo(), IntExceptPrintWinModInfo(), IntExceptPrintWinProcInfo(), IntExceptUserLogWindowsInformation(), IntGuestInitMemoryInfo(), IntGuestIsKptiActive(), IntHandleDtrViolation(), IntKernVirtMemFetchWordSize(), IntKernVirtMemPatchWordSize(), IntLixResolveExeFileOffset(), IntLixStackTraceGet(), IntMtblCheckAccess(), IntThrSafeIsStackPtrInIntro(), IntThrSafeMoveReturn(), IntThrSafeWinGetCurrentStack(), IntThrSafeWinInspectWaitingThread(), IntVirtMemFetchWordSize(), IntVirtMemPatchWordSize(), IntWinAgentHandleLoader1Hypercall(), IntWinDpiGetProcessDebugFlag(), IntWinDrvObjHandleModification(), IntWinGuestFindDriversNamespace(), IntWinGuestFindDriversNamespaceNoBuffer(), IntWinGuestFindIdleCr3(), IntWinGuestFindKernelCr3(), IntWinGuestFindKernelObjects(), IntWinGuestFindKernelObjectsInternal(), IntWinGuestValidateKernel(), IntWinHalCreateHalData(), IntWinHalFindHalHeapAndInterruptController(), IntWinHalFindInterruptController(), IntWinHalHandleDispatchTableWrite(), IntWinHalHandlePerfCounterModification(), IntWinHalIsIntController(), IntWinHalProtectHalPerfCounter(), IntWinInfCheckCtxLoggerOnRelocation(), IntWinInfHookGetCircularCtxLogger(), IntWinInfHookGetCpuClockIntegrityCallback(), IntWinInfHookGetWmiLoggerGetCpuClock(), IntWinInfHookHookSppWmiGetClock(), IntWinInfHookIntegrityHandleWrite(), IntWinInfHookProtect(), IntWinInfHookSiloWmiPtrIntegrityCallback(), IntWinInfHookSppHookWmiSiloPtr(), IntWinIntObjHandleArrayModification(), IntWinIntObjHandleModification(), IntWinIntObjHandleObjectModification(), IntWinIntObjProtect(), IntWinIntObjSendIntegrityAlert(), IntWinNetFindTcpBitmap(), IntWinNetFindTcpObjects(), IntWinNetFindTcpPartition(), IntWinNetGetAddrFam(), IntWinNetGetAddrInfo(), IntWinNetGetListenerAddressInfo(), IntWinNetGetOwner(), IntWinNetGetTcpPortPool(), IntWinNetParseTcpBitmap(), IntWinNetParseTcpPartition(), IntWinNetSearchForAlloc(), IntWinObjFindRootDirectory(), IntWinProcIsPsActiveProcessHead(), IntWinProcIterateGuestProcesses(), IntWinProcMapEprocess(), IntWinProcValidateSystemCr3(), IntWinSDCheckSecDescIntegrity(), IntWinSDFetchSecDescAddress(), IntWinStackHandleUserStackPagedOut(), IntWinStackUserCheckIsPivoted(), IntWinStackWow64CheckIsPivoted(), IntWinThrGetCurrentThread(), IntWinThrGetCurrentTib(), IntWinThrHandleQueueApc(), IntWinThrHandleThreadHijack(), IntWinTokenFetchTokenAddress(), IntWinTokenPtrCheckIntegrityOnProcess(), IntWinVadFetchImageName(), IntWinVadHandleProtectGeneric(), IntWinVadHandleVirtualProtect(), IntWinVadImportProcessTree(), IntWinVadProcImportMainModuleVad(), and IntWinVadRescanVad().
| XCR_HOOK_STATE* _GUEST_STATE::XcrHooks |
XCR hook state.
Definition at line 388 of file guests.h.
Referenced by IntHandleXcrWrite(), IntHookXcrCommit(), IntHookXcrDeleteHook(), IntHookXcrInit(), IntHookXcrRemoveAllHooks(), IntHookXcrSetHook(), and IntHookXcrUninit().
1.8.13