#include "introtypes.h"

Macros
#define	THS_CHECK_ONLY 0x00000001
	Will check for safeness, without moving any RIP or stack value. More...

#define	THS_CHECK_DETOURS 0x00000010
	Will check if any RIP is inside detours. More...

#define	THS_CHECK_MEMTABLES 0x00000020
	Will check if any RIP is inside memtables. More...

#define	THS_CHECK_TRAMPOLINE 0x00000040
	Will check if any RIP is inside the agent loader. More...

#define	THS_CHECK_PTFILTER 0x00000080
	Will check if any RIP is inside the PT filter agent. More...

#define	THS_CHECK_VEFILTER 0x00000100
	Will check if any RIP is inside the VE filter agent. More...

#define	THS_CHECK_SWAPGS 0x00000200
	Will check if any RIP is inside a mitigated SWAPGS gadget. More...

Enumerations
enum	THS_PTR_TYPE { ptrLiveRip, ptrStackValue }
	The type of pointer to be checked. More...

Functions
INTSTATUS	IntThrSafeCheckThreads (QWORD Options)
	Checks if any of the guest threads have their RIP or have any stack pointers pointing to regions of code owned by Introcore. More...

Enumeration Type Documentation

◆ THS_PTR_TYPE

The type of pointer to be checked.

Enumerator
ptrLiveRip	The RIP of a thread.
ptrStackValue	A stack value.

Definition at line 28 of file thread_safeness.h.

INTSTATUS IntThrSafeCheckThreads ( QWORD Options )

Checks if any of the guest threads have their RIP or have any stack pointers pointing to regions of code owned by Introcore.

This is done by iterating the in-guest thread lists. This function assumes that all the VCPUs are paused.

Parameters

[in] Options Options that control the checks that will be made. Can be a combination of Thread safeness options values

Return values

INT_STATUS_SUCCESS	in case of success; this means that no guest state points to code or data owned by Introcore
INT_STATUS_NOT_SUPPORTED	if the type of the guest OS is not known or supported
INT_STATUS_CANNOT_UNLOAD	if it is not safe to unload given the current guest state

Definition at line 986 of file thread_safeness.c.