46 ERROR(
"[ERROR] IntDetGetArguments failed: 0x%08x\n", status);
47 goto cleanup_and_exit;
51 size = (
DWORD)args[1];
96 ERROR(
"[ERROR] IntDetPatchArgument failed: 0x%08x\n", status);
97 goto cleanup_and_exit;
135 ERROR(
"[ERROR] IntDetGetArguments failed: 0x%08x\n", status);
136 goto cleanup_and_exit;
139 tag = (
DWORD)args[0];
143 if ((tag == 0xF6697244) || (tag == 0x76697244) || (tag == 0x69664d46))
148 ERROR(
"[ERROR] IntWinDrvObjRemove failed: 0x%08x\n", status);
#define WIN_POOL_TAG_TOKE2
#define WIN_POOL_TAG_FMFI
#define INT_SUCCESS(Status)
int INTSTATUS
The status data type.
#define INT_STATUS_NOT_FOUND
const POOL_HEADER * IntWinPoolGetPoolHeaderInPage(const void *Page, DWORD StartOffset, DWORD Tag)
Search for a pool header with a given tag in a buffer.
#define WIN_POOL_HEADER_SIZE
INTSTATUS IntWinPoolHandleAlloc(void *Detour)
Detour callback for ExAllocatePoolWithTag. Handles allocations within a Windows guest that are executed using the ExAllocatePoolWithTag API. Basically, it checks the tag of the allocation and, if it identifies an allocation for a driver object or a fast I/O dispatch, it patches the Size argument of the call so that it is almost a page. This ensures that critical structures protected by the introspection are allocated alone in their own page, which gives an enormous performance boost.
#define WIN_POOL_TAG_TOKE
BOOLEAN Guest64
True if this is a 64-bit guest, False if it is a 32-bit guest.
#define WIN_POOL_TAG_DRIV
#define WIN_POOL_TAG_DRIV2
INTSTATUS IntWinPoolHandleFree(void *Detour)
Detour callback for ExFreePoolWithTag. This function handles de-allocation requests executed by the gu...
INTSTATUS IntDetPatchArgument(void const *Detour, DWORD Index, QWORD Value)
Modifies the value of a detour argument.
INTSTATUS IntDetGetArguments(void const *Detour, DWORD Argc, QWORD *Argv)
Reads multiple arguments from a detour.
GUEST_STATE gGuest
The current guest state.
#define INT_STATUS_INVALID_PARAMETER_1
VE_CACHE_LINE * Page
Mapped page inside Introspection virtual address space.
INTSTATUS IntWinDrvObjRemoveFromAddress(QWORD DriverObjectAddress)
Frees and removes protection for a driver object by its address.