46 #define IS_CAMI_FILEOFFSET_OK(FileOffset) __likely((FileOffset) < gUpdateBufferSize) 49 #define IS_CAMI_FILEPOINTER_OK(FilePointer) __likely((const BYTE*)(FilePointer) >= (const BYTE*)gUpdateBuffer) && \ 50 ((const BYTE*)(FilePointer) < (const BYTE*)gUpdateBuffer + \ 54 #define IS_CAMI_STRUCTURE_OK(FilePointer) __likely(IS_CAMI_FILEPOINTER_OK(FilePointer) && \ 55 IS_CAMI_FILEPOINTER_OK(((const BYTE*)((FilePointer) + 1) - 1))) 58 #define IS_CAMI_ARRAY_OK(StartPointer, Count) __likely(IS_CAMI_FILEPOINTER_OK(StartPointer) && \ 59 ((Count) < CAMI_MAX_ENTRY_COUNT) && \ 60 (((DWORD)(Count) == 0) || \ 61 (IS_CAMI_FILEPOINTER_OK((const BYTE*)((StartPointer) + \ 62 (DWORD)(Count)) - 1)))) 70 #define GET_CAMI_STRUCT(Type, Offset) ((Type)(const void *)((const BYTE*)gUpdateBuffer + (DWORD)(Offset))) 278 minVer.
Raw = MinIntroVersion;
279 maxVer.
Raw = MaxIntroVersion;
285 return IntHviVersion.
Raw >= minVer.
Raw && IntHviVersion.
Raw <= maxVer.
Raw;
309 ERROR(
"[ERROR] Sections table entries are outside the update buffer!\n");
313 for (
DWORD i = 0; i < CamiHeader->NumberOfSections; i++)
315 if ((pHeaders[i].Hint & SectionHint) == SectionHint)
317 return (pHeaders + i);
347 char *pBasePtr = NULL;
363 for (
DWORD iStruct = 0; iStruct < Count; iStruct++)
365 const DWORD *pFields;
367 if (CamiStructures->MembersCount < ToLoad->MembersCount)
369 ERROR(
"[ERROR] For structure %d we need at least %d fields, got only %d\n",
370 iStruct, ToLoad->MembersCount, CamiStructures->MembersCount);
377 ERROR(
"[ERROR] Members for structure %d are outside the update buffer!\n", iStruct);
381 memcpy(pBasePtr + ToLoad->Offset, pFields,
sizeof(
DWORD) * ToLoad->MembersCount);
413 LOG(
"[ERROR] Pattern signature descriptors are outside the update buffer!");
417 if (SectionHeader->EntryCount == 0)
419 ERROR(
"[ERROR] Invalid entry count for the pattern signature array: %u\n", SectionHeader->EntryCount);
424 if (NULL == *PatternSignatures)
429 *PatternSignaturesCount = 0;
431 for (
DWORD i = 0; i < SectionHeader->EntryCount; i++)
435 const WORD *pPatternHash;
437 pCamiPat = pCamiSignatures + i;
438 pPat = *PatternSignatures + i;
443 ERROR(
"[ERROR] Hash for signature %d is outside the update buffer!\n", i);
456 *PatternSignaturesCount = SectionHeader->EntryCount;
479 ERROR(
"[ERROR] Failed to find syscalls section header\n");
504 ERROR(
"[ERROR] Failed to find syscalls section header\n");
524 if (Dst->ForceOff != Src->ForceOff)
526 LOG(
"[CAMI] New force off options: 0x%016llx\n", Src->ForceOff);
529 Dst->ForceOff = Src->ForceOff;
531 if (Dst->Beta != Src->ForceBeta)
533 LOG(
"[CAMI] New force beta options: 0x%016llx\n", Src->ForceBeta);
536 Dst->Beta = Src->ForceBeta;
538 if (Dst->Feedback != Src->ForceFeedback)
540 LOG(
"[CAMI] New force feedback options: 0x%016llx\n", Src->ForceFeedback);
543 Dst->Feedback = Src->ForceFeedback;
559 LOG(
"[CAMI] Will set new core options!\n");
581 LOG(
"[CAMI] Will set new shemu options!\n");
603 for (
DWORD index = 0; index < gCamiProcessProtectionData.
Count; index++)
608 WARNING(
"[WARNING] Unsupported process name encoding: %d. Will skip...\n",
614 ProtectedProcess->CommPattern,
623 ProtectedProcess->Protection.Current =
624 ProtectedProcess->Protection.Original & ~(gCamiProcessProtectionData.
Items[index].
Options.
ForceOff);
628 TRACE(
"[CAMI] Protection options for '%s': %llx %llx %llx", ProtectedProcess->CommPattern,
629 ProtectedProcess->Protection.Current, ProtectedProcess->Protection.Beta,
630 ProtectedProcess->Protection.Feedback);
650 for (
DWORD index = 0; index < gCamiProcessProtectionData.
Count; index++)
658 ProtectedProcess->FullNamePattern,
668 ProtectedProcess->ImageBaseNamePattern,
677 WARNING(
"[WARNING] Unsupported process name encoding: %d. Will skip...\n",
684 ProtectedProcess->Protection.Current =
685 ProtectedProcess->Protection.Original & ~(gCamiProcessProtectionData.
Items[index].
Options.
ForceOff);
689 TRACE(
"[CAMI] Protection options for '%s': %x %llx %llx", ProtectedProcess->ImageBaseNamePattern,
690 ProtectedProcess->Protection.Current, ProtectedProcess->Protection.Beta,
691 ProtectedProcess->Protection.Feedback);
702 _In_ void *ProtectedProcess
766 for (
DWORD index = 0; index < TableCount; index++)
771 ERROR(
"[ERROR] CAMI_PROT_OPTIONS struct is invalid! (%p)", pOptions);
775 memcpy(gCamiProcessProtectionData.
Items[index].
Name.
Name8, Table[index].Name8, 64);
777 gCamiProcessProtectionData.
Items[index].
Options = *pOptions;
779 TRACE(
"[CAMI] NameHash : %s -> ForceOff : 0x%llx, ForceBeta: 0x%llx, ForceFeedback: 0x%llx",
852 if (0 == OptionsFileOffset)
898 ERROR(
"[ERROR] IntCamiProtectedProcessAllocate failed with status: 0x%08x.", status);
905 ERROR(
"[ERROR] IntCamiSetProcProtOptions failed with status: 0x%08x.\n", status);
913 ERROR(
"[ERROR] IntCamiSetCoreOptions failed with status: 0x%08x.\n", status);
920 ERROR(
"[ERROR] IntCamiSetShemuOptions failed with status: 0x%08x.\n", status);
953 ERROR(
"[ERROR] Failed to find Linux section header\n");
960 ERROR(
"[ERROR] Linux supported OS descriptors are outside the update buffer!");
970 pLix = pLixOsList + i;
974 ERROR(
"[ERROR] Version string is not null terminated.");
985 LOG(
"[WARNING] This OS is no longer supported by introcore!\n");
997 ERROR(
"[ERROR] Unsupported number of hooks! Got %d, expected a max of %d!\n",
1005 ERROR(
"[ERROR] Fields for OS %s are outside the update buffer.", pLix->
VersionString);
1012 ERROR(
"[ERROR] Hooks for OS %s are outside the update buffer.", pLix->
VersionString);
1019 ERROR(
"[ERROR] Failed to load introcore options for this OS. Status: 0x%08x\n", status);
1026 ERROR(
"[ERROR] IntCamiLoadOpaqueFields failed for linux fields. Status: 0x%08x\n", status);
1084 ERROR(
"[ERROR] Failed to find Windows section header\n");
1091 ERROR(
"[ERROR] Windows supported OS descriptors are outside the update buffer!");
1102 pWin = pWinOsList + i;
1113 LOG(
"[WARNING] This OS is no longer supported by introcore!\n");
1120 ERROR(
"[ERROR] Functions for OS %d KPTI %d is64 %d are outside the update buffer. ",
1128 ERROR(
"[ERROR] Km Structures for OS %d KPTI %d is64 %d are outside the update buffer. \n",
1136 ERROR(
"[ERROR] CAMI_WIN_VERSION_STRING struct is invalid! (%p)", pCamiVersionString);
1174 ERROR(
"[ERROR] Um Structures for OS %d KPTI %d is64 %d are outside the update buffer. \n",
1194 ERROR(
"[ERROR] Failed to load introcore options for this OS. Status: 0x%08x\n", status);
1201 ERROR(
"[ERROR] IntCamiLoadOpaqueFields failed for win km structures: 0x%08x\n", status);
1208 ERROR(
"[ERROR] IntCamiLoadOpaqueFields failed for win um structures: 0x%08x\n", status);
1221 ERROR(
"[ERROR] Function %d has patterns outside the update buffer. \n", j);
1228 ERROR(
"[ERROR] Function %d has arguments outside the update buffer. Will skip!\n", j);
1243 const WORD *pPatHash;
1248 ERROR(
"[ERROR] Hash for pattern %d of function 0x%x spills outside the update buffer. Will skip!",
1249 k, pFunTable[j].NameHash);
1255 if (pPatterns[k].Extended != 0)
1258 const DWORD *pArgs2;
1263 ERROR(
"[ERROR] Extension for pattern %d (function 0x%x) spills outside the update buffer.\n",
1264 k, pFunTable[j].NameHash);
1273 ERROR(
"[ERROR] Arguments array for pattern %d (function 0x%x) are outside the update buffer\n",
1274 k, pFunTable[j].NameHash);
1282 ERROR(
"[ERROR] Too many arguments for pattern %d (function 0x%x)\n",
1283 k, pFunTable[j].NameHash);
1321 WARNING(
"[WARNING] Failed to add function %d %x to a hook descriptor: 0x%08x\n",
1322 j, pFunTable[j].NameHash, status);
1355 ERROR(
"[ERROR] Failed to find Linux section header\n");
1362 ERROR(
"[ERROR] Linux supported OS descriptors are outside the update buffer!");
1372 ERROR(
"[ERROR] Version string is not null terminated.");
1395 ERROR(
"[ERROR] Failed to load introcore options for this OS. Status: 0x%08x\n", status);
1426 ERROR(
"[ERROR] Failed to find windows section header\n");
1433 ERROR(
"[ERROR] Windows supported OS descriptors are outside the update buffer!");
1456 ERROR(
"[ERROR] Failed to load introcore options for this OS: 0x%08x\n", status);
1496 DWORD i, lastNt, cnt;
1503 if (NULL != NtBuildNumberList && 0 == *Count)
1517 ERROR(
"[ERROR] Failed to find windows section header\n");
1524 ERROR(
"[ERROR] Windows supported OS descriptors are outside the update buffer!");
1532 pWin = pWinOsList + i;
1535 Guest64 != pWin->
Is64 || KptiInstalled != pWin->
Kpti)
1544 if (NULL != NtBuildNumberList)
1551 NtBuildNumberList[cnt] = lastNt;
1631 ERROR(
"[ERROR] Failed loading from hint 0x%08x: 0x%08x\n", CamiSectionHint, status);
1654 if (NULL == UpdateBuffer)
1659 if (0 == BufferLength)
1664 if (
sizeof(*pHeader) > BufferLength)
1666 ERROR(
"[ERROR] BufferLength is smaller than file header (%d vs %zu)\n", BufferLength,
sizeof(*pHeader));
1678 if (BufferLength != pHeader->
FileSize)
1680 LOG(
"[ERROR] Buffer length is not equal with header file size. (%d vs %d)\n", BufferLength, pHeader->
FileSize);
1684 LOG(
"[INFO] Loaded cami version %u.%u build %u\n",
1687 memcpy(&gCamiVersion, &pHeader->
Version,
sizeof(pHeader->
Version));
1691 ERROR(
"[ERROR] Update's file major (%d.%d) version is different form ours (%d.%d)\n",
1699 WARNING(
"[WARNING] Update's file minor (%d.%d) version is newer than ours (%d.%d). " 1700 "Not all features will be available!\n",
1705 ERROR(
"[ERROR] Update's file minor (%d.%d) version is older than ours (%d.%d). Will not load.\n",
1734 #ifdef INT_COMPILER_GNUC 1735 # pragma GCC diagnostic push 1736 # pragma GCC diagnostic ignored "-Wcast-qual" 1741 #ifdef INT_COMPILER_GNUC 1742 # pragma GCC diagnostic pop 1747 WARNING(
"[WARNING] IntReleaseBuffer failed: 0x%08x\n", status);
1750 gUpdateBuffer = NULL;
1771 if (NULL == MajorVersion)
1776 if (NULL == MinorVersion)
1781 if (NULL == BuildNumber)
1786 *MajorVersion = gCamiVersion.
Major;
1787 *MinorVersion = gCamiVersion.
Minor;
1806 if (gCamiProcessProtectionData.
Items != NULL)
1808 ERROR(
"[ERROR] Cami protected processes array already allocated!");
1818 if (gCamiProcessProtectionData.
Items == NULL)
1823 gCamiProcessProtectionData.
Count = Items;
1837 if (gCamiProcessProtectionData.
Items == NULL)
1843 gCamiProcessProtectionData.
Items = NULL;
1844 gCamiProcessProtectionData.
Count = 0;
QWORD MaxIntroVersion
Maximum introcore version which supports this OS.
CAMI_STRING_ENCODING Encoding
Encoding of the name.
CHAR ServerVersionString[MAX_VERSION_STRING_SIZE]
The version string if the OS is a server.
LIX_OPAQUE_FIELDS OsSpecificFields
OS-dependent and specific information.
Describes a Linux function used by the detour mechanism.
static INTSTATUS IntCamiLoadProtOptionsWin(const CAMI_HEADER *CamiHeader)
Load and apply all of the enforced protection options for Windows guests.
INTSTATUS IntCamiUpdateProcessProtectionInfo(void *ProtectedProcess)
Update a process' protection flags using the ones from CAMI.
Exposes the types, constants and functions used to handle Windows processes events (creation...
Describe process protection options.
Used for the WIN_OPAQUE_FIELDS.Um.Peb array.
The tag for LIX_FIELD_MMSTRUCT.
DWORD Argc
The number of valid entries inside the Argv array.
DWORD CustomProtectionOffset
Protection flags for this OS. (pointer to a CAMI_CUSTOM_OS_PROTECTION struct)
#define OFFSET_OF(Type, Member)
WINDOWS_GUEST * gWinGuest
Global variable holding the state of a Windows guest.
DWORD SignatureId
The unique ID of the signature.
DWORD HookHandler
Used to identify the index of the LIX_FN_DETOUR in the gLixHookHandlersx64.
Describe the introcore protection options.
DWORD gLinuxDistSigsCount
Holds the number of loaded linux distribution signatures.
#define INT_STATUS_SUCCESS
BOOLEAN SkipOnBoot
Unused.
INTSTATUS IntCamiSetUpdateBuffer(const BYTE *UpdateBuffer, DWORD BufferLength)
Initialize the update buffer with the one from the integrator.
DWORD CoreOptionsOffset
Intro core options. File pointer to a CAMI_PROT_OPTIONS structure.
Used for the WIN_OPAQUE_FIELDS.Um.Dll array.
WORD Pattern[SIG_MAX_PATTERN]
DWORD gSysenterSignaturesCount
Holds the number of loaded syscall signatures.
static INTSTATUS IntCamiUpdateProcessProtectionInfoWin(PROTECTED_PROCESS_INFO *ProtectedProcess)
Update a windows process' protection flags using the ones from CAMI.
CAMI_STRING_ENCODING
Describes the encoding of a string received from the CAMI file.
Used for the WIN_OPAQUE_FIELDS.Km.VadLong array.
DWORD BuildNumber
Build number for this Windows OS.
WORD PatternLength
The length of the pattern. (count of DWORDs)
static const CAMI_STRUCTURE gLinuxStructures[lixStructureEnd]
Describe the Linux fields to be loaded from the update buffer.
struct _CAMI_PROCESS_PROTECTION_DATA * PCAMI_PROCESS_PROTECTION_DATA
The tag for LIX_FIELD_DENTRY.
BYTE SkipOnBoot
TRUE if this function should not be hooked on boot.
QWORD MinIntroVersion
Minimum introcore version which supports this OS.
#define GET_CAMI_STRUCT(Type, Offset)
Get a CAMI structure from an update buffer.
void IntCamiUpdateProcessProtectionItems(void *Name, CAMI_STRING_ENCODING Encoding, CAMI_PROT_OPTIONS *Options)
Update a protected process protection flags.
DWORD UmStructuresTable
UM opaque fields file pointer (pointer to a CAMI_OPAQUE_STRUCTURE array).
DWORD ProcOptionsCount
The number of entries in the ProcOptionsTable.
#define INT_SUCCESS(Status)
DWORD FunctionsCount
The number of functions to be hooked.
DWORD Minor
Minor version of this file.
INTSTATUS IntCamiLoadSection(DWORD CamiSectionHint)
Load CAMI objects from section with given hint.
static INTSTATUS IntCamiLoadLinux(const CAMI_HEADER *CamiHeader)
Loads all of the necessary information about the current windows guest that is needed by intro to sup...
static INTSTATUS IntCamiLoadWindows(const CAMI_HEADER *CamiHeader)
Loads all of the necessary information about the current windows guest that is needed by intro to sup...
static INTSTATUS IntCamiLoadPatternSignatures(const CAMI_SECTION_HEADER *SectionHeader, PATTERN_SIGNATURE **PatternSignatures, DWORD *PatternSignaturesCount)
Allocate and load pattern signatures.
The tag for LIX_FIELD_FILES.
DWORD Offset
Offset inside the tested buffer at which the pattern should be found.
Describe a CAMI file windows descriptor. Load support for a windows guest.
#define INT_STATUS_NOT_NEEDED_HINT
Section will contain linux related information.
static INTSTATUS IntCamiLoadSyscalls(const CAMI_HEADER *CamiHeader)
Loads the syscall signatures from their section.
Describe the introcore protection options for a process.
#define HpAllocWithTag(Len, Tag)
int INTSTATUS
The status data type.
#define UPDATE_CAMI_MIN_VER_MAJOR
DWORD OSVersion
Os version.
Used for the WIN_OPAQUE_FIELDS.Km.Mmpfn array.
INT_VERSION_INFO IntHviVersion
The HVI version. Used to check for compatibility issues with the cami version.
DWORD ArgumentsCount
Arguments count.
#define INT_STATUS_CORRUPTED_DATA
#define INT_STATUS_NOT_FOUND
void IntCamiClearUpdateBuffer(void)
Uninitialize the update buffer and notify the integrator that we don't need it anymore.
DWORD VersionStringOffset
VersionString pointer (pointer to a CAMI_WIN_VERSION_STRING struct)
Describe the CAMI version.
Used for the WIN_OPAQUE_FIELDS.Km.VadFlags array.
Used for the WIN_OPAQUE_FIELDS.Km.EprocessFlags array.
Used for the WIN_OPAQUE_FIELDS.Km.Pcr array.
QWORD MinIntroVersion
Minimum introcore version which supports this OS.
DWORD StructureTag
Specifies which opaque field structure to load.
BOOLEAN IntMatchPatternUtf8(const CHAR *Pattern, const CHAR *String, DWORD Flags)
Matches a pattern using glob match.
The tag for LIX_FIELD_MODULE.
#define IS_CAMI_STRUCTURE_OK(FilePointer)
Check whether a whole structure resides inside the update buffer.
PCHAR ServerVersionString
A NULL terminated string containing Windows server version information.
size_t Offset
Offset of the structure to be loaded inside the OpaqueFields.
static INTSTATUS IntCamiResetCoreOptions(void)
The tag for LIX_FIELD_SOCK.
#define UPDATE_CAMI_MIN_VER_MINOR
INTSTATUS IntCamiProtectedProcessAllocate(DWORD Items)
Initialize the global variable holding custom process protection options.
INTRO_GUEST_TYPE OSType
The type of the guest.
Describe a pattern signature.
QWORD Raw
Raw version information.
Encapsulates a protected Linux process.
static INTSTATUS IntCamiUpdateProcessProtectionInfoLix(LIX_PROTECTED_PROCESS *ProtectedProcess)
Update a Linux process' protection flags using the ones from CAMI.
Describe a function to be hooked by introcore.
Section will contain information about a supported OS.
Describe the CAMI file header.
Used for the WIN_OPAQUE_FIELDS.Km.Token array.
Describe a CAMI file Linux descriptor. Load support for a Linux guest.
Encapsulates a protected Windows process.
static CAMI_PROCESS_PROTECTION_DATA gCamiProcessProtectionData
Loaded process protection data from CAMI.
DWORD Offset
Offset inside the buffer.
The tag for LIX_FIELD_BINPRM.
Describe a function to be hooked by introcore.
DWORD EntryCount
How many entries of this type are in the DescriptorTable.
DWORD DescriptorTable
Pointer to a CAMI descriptor table.
Describe the arguments for a function.
struct _CAMI_STRUCTURE CAMI_STRUCTURE
Describe the way we load the guest offsets from the update buffer.
static const CAMI_STRUCTURE gWinUmStructures[winUmStructureEnd]
Describe the windows um fields to be loaded from the update buffer.
DWORD Count
The number of elements in Items.
DWORD HooksTable
Hooked functions file pointer. (pointer to a CAMI_LIX_HOOK array).
DWORD Length
The valid size of the Pattern array.
QWORD ServerVersionStringSize
Size of the server version string, if exists.
Describe a CAMI file section header.
BOOLEAN Is64
If this OS is 64 bits.
static INTSTATUS IntCamiLoadOpaqueFields(const CAMI_OPAQUE_STRUCTURE *CamiStructures, const CAMI_STRUCTURE *ToLoad, DWORD Count, INTRO_GUEST_TYPE OsType)
Load a set of opaque field offsets from the update buffer.
QWORD VersionStringSize
Size of the version string.
DWORD BuildNumber
Build number.
DWORD ShemuOptionsOffset
Shemu options. File pointer to a CAMI_PROT_OPTIONS structure.
DWORD ProcOptionsTable
Process protection options. Pointer to a CAMI_PROC_PROT_OPTIONS array.
DWORD FileSize
The size of the update file. Should be equal to the value of BufferSize.
#define INT_STATUS_NOT_INITIALIZED
BYTE HookHandler
The hook handler index from the API_HOOK_DESCRIPTOR.
Used for the WIN_OPAQUE_FIELDS.Km.Process array.
The tag for LIX_FIELD_NSPROXY.
DWORD Argv[DET_ARGS_MAX]
Argument encoding. See DET_ARG_REGS and DET_ARG_ON_STACK.
#define MAX_VERSION_STRING_SIZE
Maximum size of a version string.
BOOLEAN IntMatchPatternUtf16(const WCHAR *Pattern, const WCHAR *String, DWORD Flags)
Matches a pattern using glob match.
BOOLEAN Guest64
True if this is a 64-bit guest, False if it is a 32-bit guest.
Section will contain protection flags.
QWORD MaxIntroVersion
Maximum introcore version which supports this OS.
CHAR VersionString[MAX_VERSION_LENGTH]
The version string.
#define INT_STATUS_INVALID_PARAMETER_4
static INTSTATUS IntCamiSetCoreOptions(const CAMI_PROT_OPTIONS *Options)
Update the guest protection flags using the ones from CAMI.
DWORD ArgumentsTable
Arguments file offset. (pointer to a DWORD array)
#define IS_CAMI_ARRAY_OK(StartPointer, Count)
Check whether a whole array resides inside the update buffer.
CHAR SectionHint[8]
Optional section name hint.
#define HpFreeAndNullWithTag(Add, Tag)
struct _CAMI_PROCESS_PROTECTION_DATA CAMI_PROCESS_PROTECTION_DATA
Describe a list of process protection options.
The tag for LIX_FIELD_FS.
#define INT_STATUS_INVALID_DATA_STATE
The tag for LIX_FIELD_VMA.
static const CAMI_SECTION_HEADER * IntCamiFindSectionHeaderByHint(const CAMI_HEADER *CamiHeader, DWORD SectionHint)
Iterate through all of the section headers from the update buffer and return the one matching the hin...
Used for the WIN_OPAQUE_FIELDS.Km.Thread array.
String will be encoded in utf-8.
struct _CAMI_PROCESS_PROTECTION_INFO * PCAMI_PROCESS_PROTECTION_INFO
Exposes the definitions used by the CAMI parser and the functions used to load guest support informat...
size_t strlcpy(char *dst, const char *src, size_t dest_size)
QWORD ForceFeedback
Options feedback only.
void IntLixProcUpdateProtectedProcess(const void *Name, const CAMI_STRING_ENCODING Encoding, const CAMI_PROT_OPTIONS *Options)
Updates the protection flags for Linux tasks that should be protected based on options received via C...
CAMI_VERSION Version
Version.
DWORD PatternOffset
Pattern file pointer. (pointer to a DWORD array)
struct _INT_VERSION_INFO::@339 VersionInfo
Structured version information.
PATTERN_SIGNATURE * gSysenterSignatures
Pointer to the syscall signatures that will be loaded from the update buffer.
Describe windows version strings.
LIX_FUNCTION * Functions
An array of LIX_FUNCTION to be hooked.
CHAR VersionString[MAX_VERSION_STRING_SIZE]
The version string used to match this OS.
Describes a function that is not exported.
WCHAR Name16[32]
The process name as a wide char string.
INTSTATUS IntReleaseBuffer(void *Buffer, DWORD Size)
INTRO_GUEST_TYPE
The type of the introspected operating system.
static INTSTATUS IntCamiSetProcProtOptions(const CAMI_PROC_PROT_OPTIONS *Table, DWORD TableCount)
Loads all the process protection flags from CAMI.
The tag for LIX_FIELD_INODE.
#define LIX_MAX_HOOKED_FN_COUNT
Used for the WIN_OPAQUE_FIELDS.Km.DrvObj array.
The tag for LIX_FIELD_SOCKET.
PCHAR VersionString
A NULL terminated string containing Windows version information.
void IntGuestUpdateShemuOptions(QWORD NewOptions)
Update shemu options.
Used for the WIN_OPAQUE_FIELDS.Km.Ungrouped array.
BOOLEAN glob_match_numeric_utf8(char const *Pattern, char const *String)
Holds information about a Windows guest.
INTSTATUS IntCamiProtectedProcessFree(void)
Uninitialize the global holding custom process protection options.
void IntLixTaskUpdateProtection(void)
Adjusts protection for all active Linux processes.
QWORD ForceOff
Options which will be disabled.
Used for the WIN_OPAQUE_FIELDS.Km.PoolDescriptor array.
The tag for LIX_FIELD_INFO.
INTSTATUS IntCamiGetWinSupportedList(BOOLEAN KptiInstalled, BOOLEAN Guest64, DWORD *NtBuildNumberList, DWORD *Count)
Return a list of supported Windows NtBuildNumbers.
void IntWinProcUpdateProtectedProcess(const void *Name, const CAMI_STRING_ENCODING Encoding, const CAMI_PROT_OPTIONS *Options)
This function updates the protection for the given process.
Describe the members of a guest opaque structure.
PATTERN_SIGNATURE Signature
The pattern signature.
GUEST_STATE gGuest
The current guest state.
INTSTATUS IntWinProcUpdateProtection(void)
Iterates through the global process list (gWinProcesses) in order to update the protection state for e...
Used for the WIN_OPAQUE_FIELDS.Km.VadShort array.
static INTSTATUS IntCamiLoadProtOptionsLinux(const CAMI_HEADER *CamiHeader)
Load and apply all of the enforced protection options for Linux guests.
Describe a function pattern.
#define INT_STATUS_INVALID_DATA_TYPE
CHAR VersionString[MAX_VERSION_STRING_SIZE]
The version string.
DWORD PatternsCount
The number of entries in the Patterns array.
CAMI_PROCESS_PROTECTION_INFO * Items
Array of process protection options.
INTSTATUS IntWinApiUpdateHookDescriptor(WIN_UNEXPORTED_FUNCTION *Function, DWORD ArgumentsCount, const DWORD *Arguments)
Update a hook descriptor with corresponding function patterns and argument list from CAMI...
static void IntCamiUpdateProtOptions(const CAMI_PROT_OPTIONS *Src, INTRO_PROT_OPTIONS *Dst)
Updates the current protection options.
Introspection version info.
static const BYTE * gUpdateBuffer
The buffer holding the update file.
Section will contain windows related information.
DWORD Magic
Magic value. Should be CAMI_MAGIC_WORD.
DWORD NameHash
Crc32 of the function name.
INTRO_PROT_OPTIONS ShemuOptions
Flags which describe the way shemu will give detections.
DWORD NameHash
Crc32 checksum of the function name.
DWORD NameHash
Function name hash.
static CAMI_VERSION gCamiVersion
The version of the loaded update file.
#define SIG_MAX_PATTERN
The maximum size of a pattern.
BOOLEAN KptiInstalled
True if KPTI was detected as installed (not necessarily active).
QWORD Original
The original options as received from GLUE_IFACE.NewGuestNotification. This is updated when GLUE_IFAC...
BOOLEAN Kpti
If this OS has KPTI support.
#define CAMI_MAGIC_WORD
Cami header magic number.
The tag for LIX_FIELD_FDTABLE.
DWORD StructuresTable
Opaque structures file pointer. (pointer to a CAMI_OPAQUE_STRUCTURE array).
static BOOLEAN IntCamiCheckIntroVersion(QWORD MinIntroVersion, QWORD MaxIntroVersion)
Check if the CAMI buffer is compatible with the Intro version.
Describe a list of process protection options.
#define INT_STATUS_INVALID_PARAMETER_1
#define INT_STATUS_NOT_SUPPORTED
static const CAMI_STRUCTURE gWinKmStructures[winKmStructureEnd]
Describe the windows km fields to be loaded from the update buffer.
DWORD FunctionTable
Functions file pointer (pointer to a CAMI_WIN_FUNCTION array).
struct _CAMI_PROCESS_PROTECTION_INFO CAMI_PROCESS_PROTECTION_INFO
Describe process protection options.
void IntGuestUpdateCoreOptions(QWORD NewOptions)
Updates Introcore options.
static INTSTATUS IntCamiSetShemuOptions(const CAMI_PROT_OPTIONS *Options)
Update the shemu flags using the ones from CAMI.
Describes a signature that can be used for searching or matching guest contents.
#define INT_STATUS_INVALID_PARAMETER_MIX
Describes options for this guest.
INTSTATUS IntCamiGetVersion(DWORD *MajorVersion, DWORD *MinorVersion, DWORD *BuildNumber)
Get the version of the loaded CAMI support file.
CHAR Name8[64]
The process name as a char string.
BYTE SectionHint[8]
Section hint where this pattern should be found.
static INTSTATUS IntCamiLoadOsOptions(DWORD OptionsFileOffset)
Load custom protection options for the guest OS or for protected processes.
Section will contain distribution signatures.
struct _CAMI_PROCESS_PROTECTION_INFO::@276 Name
The process name.
Describe the introcore protection options for a guest.
DWORD Major
Major version of this file.
DWORD SignatureId
Signature ID.
PATTERN_SIGNATURE * gLinuxDistSigs
Pointer to the linux distribution signatures that will be loaded from the update buffer.
The tag for LIX_FIELD_UNGROUPED.
CAMI_PROT_OPTIONS Options
Specifies the process protection.
String will be encoded in utf-16.
static DWORD gUpdateBufferSize
The size of the update buffer.
Used for the WIN_OPAQUE_FIELDS.Km.SyscallNumbers array.
Section will contain syscall signatures.
The tag for LIX_FIELD_CRED.
static INTSTATUS IntCamiResetShemuOptions(void)
#define INT_STATUS_INVALID_PARAMETER_2
INTRO_PROT_OPTIONS CoreOptions
The activation and protection options for this guest.
Describe the way we load the guest offsets from the update buffer.
DWORD MembersCount
The number of fields to be loaded.
DWORD NameHash
Function name hash.
QWORD ForceBeta
Options beta only.
The tag for LIX_FIELD_TASKSTRUCT.
LINUX_GUEST * gLixGuest
Global variable holding the state of a Linux guest.
WIN_UNEXPORTED_FUNCTION_PATTERN Patterns[0]
The patterns used to search for this function.
DWORD CustomProtectionOffset
Protection flags for this OS. (pointer to a CAMI_CUSTOM_OS_PROTECTION).
#define INT_STATUS_INVALID_DATA_SIZE
static INTSTATUS IntCamiLoadLixDistSigs(const CAMI_HEADER *CamiHeader)
Loads the Linux distribution signatures from their section.
Status values returned by most functions that can signal different success or failure states...
DWORD KmStructuresTable
KM opaque fields file pointer (pointer to a CAMI_OPAQUE_STRUCTURE array).
#define INT_STATUS_INSUFFICIENT_RESOURCES
#define INT_STATUS_INVALID_PARAMETER_3