#define MAX_BOOTSTRAP_SIZE 512u
#define AG_OPT_INJECT_ON_RIP_POWSTATE_CHANGE 0x00000001
#endif // _WIN_AGENT_H_
INTSTATUS IntWinAgentUnInit(void)
Uninit the agents state.
struct _WIN_AGENT * PWIN_AGENT
AG_WAITSTATE IntWinAgentGetState(DWORD *Tag)
Gets the global agents state.
INTSTATUS IntWinAgentHandleInt3(QWORD Rip, DWORD CpuNumber)
Handle a breakpoint that was initiated inside the guest.
BOOLEAN InstructionRestored
True if the detours instruction has been restored.
INTSTATUS IntWinAgentEnableInjection(void)
Enables agent injections.
DWORD Options
Agent options.
BYTE BootStrap[MAX_BOOTSTRAP_SIZE]
The bootstrap code.
QWORD DriverAddress
Address of the boot driver.
void IntWinAgentDisablePendingAgents(void)
Disables all pending agents.
void IntWinAgentInit(void)
Initialize the agents state.
#define IG_MAX_AGENT_NAME_LENGTH
struct _WIN_AGENT WIN_AGENT
DWORD DriverEntryPoint
Entry point of the boot driver.
QWORD BootstrapAddress
Address where the bootstrap was allocated.
BYTE InstructionLen
Detoured instruction length.
PFUNC_AgentCompletion CompletionCallback
Completion callback.
int INTSTATUS
The status data type.
enum _AGENT_HCALL AGENT_HCALL
QWORD Token2
Token used by the bootstrap code.
PBYTE AgentContent
Agent contents. Can be a file, process, driver, etc.
DWORD Agid
Agent ID. Unique for each injected agent.
void IntWinAgentCheckIfProcessAgentAndIncrement(CHAR *ImageName, BOOLEAN *IsAgent, DWORD *Tag)
Checks if a process is an agent or not, and increments the ref count of that name.
#define MAX_BOOTSTRAP_SIZE
Maximum size of the bootstrap code.
CHAR Name[IG_MAX_AGENT_NAME_LENGTH]
Agent name.
CHAR Args[IG_MAX_COMMAND_LINE_LENGTH]
Agent arguments.
void * Context
Optional context. Passed along to the 3 callbacks above.
INTSTATUS(* PFUNC_AgentCompletion)(QWORD GuestVirtualAddress, DWORD ErrorCode, DWORD AgentTag, void *Context)
Completion callback.
#define IG_MAX_COMMAND_LINE_LENGTH
DWORD BootstrapSize
The size of the bootstrap.
This file contains the private, undocumented hypercalls. They are used only by the loaders and the ag...
INTSTATUS(* PFUNC_AgentInjection)(QWORD GuestVirtualAddress, DWORD AgentTag, void *Context)
Injection callback.
AGENT_HCALL HcallType
Hyper call type.
SIZE_T ArgsLen
Length of the arguments.
PFUNC_AgentDeliver DeliverCallback
Delivery callback.
QWORD Token3
Token used by the bootstrap code.
INTSTATUS IntWinAgentInject(PFUNC_AgentInjection InjectionCallback, PFUNC_AgentCompletion CompletionCallback, PFUNC_AgentDeliver DeliverCallback, void *Context, PBYTE AgentContent, DWORD AgentSize, BOOLEAN AgentInternal, DWORD AgentTag, AGENT_TYPE AgentType, const CHAR *Name, DWORD Options, const CHAR *Args, DWORD Pid, PWIN_AGENT *Agent)
Schedule an agent injection inside the guest.
enum _AGENT_TYPE AGENT_TYPE
DWORD AgentPosition
Current pointer inside the agent, used to track which chunk must be injected inside the guest...
WORD OffsetJumpBack
Offset of the trampoline code which jumps back to the detoured instruction.
BOOLEAN AgentInternal
True if the agent is internal to Introcore.
BYTE InstructionBytes[16]
Detoured instruction bytes.
AGENT_TYPE AgentType
Agent type.
THS_PTR_TYPE
The type of pointer to be checked.
DWORD Flags
Agent flags & state.
void IntWinAgentCheckIfProcessAgentAndDecrement(CHAR *ImageName, BOOLEAN *IsAgent, DWORD *Tag, BOOLEAN *Removed)
Checks if a process is an agent or not, and decrements the ref count of that name.
BOOLEAN IntWinAgentIsRipInsideCurrentAgent(QWORD Rip)
Return true if the given RIP points inside the currently active boot driver.
INTSTATUS IntWinAgentInjectBreakpoint(PFUNC_AgentInjection InjectionCallback, void *Context, PWIN_AGENT *Agent)
Injects a breakpoint agent inside the guest.
DWORD Pid
PID of the process that will be the parent of the injected process.
void IntWinAgentRemoveEntryByAgid(DWORD Counter, DWORD *Tag)
Removes an agent name from the list of names, using the ID.
LIST_ENTRY Link
List entry element.
INTSTATUS IntWinAgentHandleVmcall(QWORD Rip)
Handle a VMCALL that was executed inside the guest.
QWORD(* PFUNC_AgentDeliver)(QWORD GuestVirtualAddress, DWORD MaxSize, void *Context)
Called for VE and PT initialization.
void * BootCloakRegion
Cloak handle used to hide the bootstrap code.
enum _AG_WAITSTATE AG_WAITSTATE
BOOLEAN IntWinAgentIsPtrInTrampoline(QWORD Ptr, THS_PTR_TYPE Type)
Check if the provided address points inside the agent trampoline.
INTSTATUS IntWinAgentInjectTrampoline(void)
Inject the agent trampoline inside the guest.
QWORD Token1
Token used by the bootstrap code.
void * InsCloakRegion
Cloak handle used to hide the detoured instruction.
QWORD InstructionAddress
Address of the detoured instruction.
DWORD DriverSize
Size of the boot driver.
INTSTATUS IntWinAgentActivatePendingAgent(void)
Activates a pending agent that waits to be injected.
PFUNC_AgentInjection InjectionCallback
Injection callback.