Bitdefender Hypervisor Memory Introspection
winapi.h File Reference
#include "winguest.h"


Functions

INTSTATUS IntWinApiHookAll (void)
 Iterates through all hookable APIs and sets requested hooks. More...
 
void IntWinApiUpdateHooks (void)
 Iterate through all hookable APIs and enable or disable them according to the current Introcore options. More...
 
INTSTATUS IntWinApiHookVeHandler (QWORD NewHandler, void **Cloak, QWORD *OldHandler, DWORD *ReplacedCodeLen, BYTE *ReplacedCode)
 Hooks the #VE handler. More...
 
INTSTATUS IntWinApiUpdateHookDescriptor (WIN_UNEXPORTED_FUNCTION *Function, DWORD ArgumentsCount, const DWORD *Arguments)
 Update a hook descriptor with corresponding function patterns and argument list from CAMI. More...
 

Function Documentation

◆ IntWinApiHookAll()

INTSTATUS IntWinApiHookAll ( void  )

Iterates through all hookable APIs and sets requested hooks.

Returns
INT_STATUS_SUCCESS if successful, or an appropriate INTSTATUS error value.

Definition at line 229 of file winapi.c.

Referenced by IntWinGuestFinishInit().

◆ IntWinApiHookVeHandler()

INTSTATUS IntWinApiHookVeHandler ( QWORD  NewHandler,
void **  Cloak,
QWORD *  OldHandler,
DWORD *  ReplacedCodeLen,
BYTE *  ReplacedCode 
)

Hooks the #VE handler.

Hook the original #VE handler and make it point to our handler. The code sequence is:

CALL $+4
LFENCE
MOV dword [rsp], NewHandler low
MOV dword [rsp + 4], NewHandler high
RET

Guests older than RS3 are not aware of the VirtualizationException, and the first instruction is a "PUSH 0x14". On these, there are two cases:

KPTI on - "PUSH 0x14/JMP KiIsrThunkShadow"
KPTI off - "PUSH 0x14/PUSH rbp/JMP KiUnexpectedInterrupt"

We search for the JMP, which directs us to the effective handler.

If the guest has the KPTI patches, the IDT points to the shadow, so we search for the real one.
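The trampoline above, worked through as an added example (my own C, not code from the HVMI project): the CALL pushes the address of the instruction after it, the two MOVs overwrite that pushed return address with the 64-bit NewHandler, and the RET pops it, so control lands on the new handler without needing a scratch register. The encoder shows the 24 bytes that end up in ReplacedCode's place; the decoder is the matching integrity check that recognises the sequence and recovers the target it points to. The byte encoding below is standard x86-64 and is my own transcription of the listed instructions, not the project's.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* CALL(5) + LFENCE(3) + MOV [rsp],imm32(7) + MOV [rsp+4],imm32(8) + RET(1) */
#define VE_TRAMPOLINE_LEN 24

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Emit the trampoline that transfers control to new_handler. Returns bytes written, 0 if cap is too small. */
size_t encode_ve_trampoline(uint64_t new_handler, uint8_t *out, size_t cap)
{
    if (cap < VE_TRAMPOLINE_LEN) return 0;
    out[0] = 0xE8; put_le32(out + 1, 0);           /* CALL rel32=0: falls through, pushes next instruction's address */
    out[5] = 0x0F; out[6] = 0xAE; out[7] = 0xE8;   /* LFENCE: speculation barrier right after the CALL */
    out[8] = 0xC7; out[9] = 0x04; out[10] = 0x24;  /* MOV dword [rsp], imm32: low half of the target */
    put_le32(out + 11, (uint32_t)new_handler);
    out[15] = 0xC7; out[16] = 0x44; out[17] = 0x24; out[18] = 0x04; /* MOV dword [rsp+4], imm32: high half */
    put_le32(out + 19, (uint32_t)(new_handler >> 32));
    out[23] = 0xC3;                                /* RET: pops the rewritten return address, i.e. jumps to the target */
    return VE_TRAMPOLINE_LEN;
}

/* Recognise the trampoline at the start of code and recover its target. Returns 1 on match, 0 otherwise. */
int decode_ve_trampoline(const uint8_t *code, size_t len, uint64_t *target)
{
    static const uint8_t head[11] = { 0xE8, 0, 0, 0, 0, 0x0F, 0xAE, 0xE8, 0xC7, 0x04, 0x24 };
    static const uint8_t mid[4] = { 0xC7, 0x44, 0x24, 0x04 };
    if (len < VE_TRAMPOLINE_LEN) return 0;
    if (memcmp(code, head, sizeof head) != 0) return 0;
    if (memcmp(code + 15, mid, sizeof mid) != 0) return 0;
    if (code[23] != 0xC3) return 0;
    *target = (uint64_t)get_le32(code + 11) | ((uint64_t)get_le32(code + 19) << 32);
    return 1;
}

/* Encode then decode; returns the recovered target, or 0 on any failure. */
uint64_t ve_trampoline_roundtrip(uint64_t new_handler)
{
    uint8_t buf[VE_TRAMPOLINE_LEN];
    uint64_t recovered = 0;
    if (encode_ve_trampoline(new_handler, buf, sizeof buf) != VE_TRAMPOLINE_LEN) return 0;
    if (!decode_ve_trampoline(buf, sizeof buf, &recovered)) return 0;
    return recovered;
}
```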

Parameters
[in] NewHandler: Address of our handler.
[out] Cloak: Will receive the memory cloak used to hide the hook.
[out] OldHandler: Will receive the address of the old handler.
[out] ReplacedCodeLen: Will receive the size of the code replaced by this function.
[out] ReplacedCode: Will receive the code replaced by this function.
Returns
INT_STATUS_SUCCESS if successful, or an appropriate INTSTATUS error value.

Minimum code length in bytes to be replaced by our int20 hook.

Definition at line 367 of file winapi.c.

Referenced by IntPtiDeliverDriverForLoad(), and IntVeDeliverDriverForLoad().

◆ IntWinApiUpdateHookDescriptor()

INTSTATUS IntWinApiUpdateHookDescriptor ( WIN_UNEXPORTED_FUNCTION *  Function,
DWORD  ArgumentsCount,
const DWORD *  Arguments 
)

Update a hook descriptor with corresponding function patterns and argument list from CAMI.

Parameters
[in] Function: Patterns given from CAMI, also contains the name hash.
[in] ArgumentsCount: Number of elements in Arguments.
[in] Arguments: List of arguments from CAMI.
Returns
INT_STATUS_SUCCESS if successful, or an appropriate INTSTATUS error value.

Definition at line 615 of file winapi.c.

Referenced by IntCamiLoadWindows().

◆ IntWinApiUpdateHooks()

void IntWinApiUpdateHooks ( void  )

Iterate through all hookable APIs and enable or disable them according to the current Introcore options.

Definition at line 317 of file winapi.c.

Referenced by IntGuestUpdateCoreOptions(), and IntWinApiHookAll().