- Generated by
1.8.13
|
Bitdefender Hypervisor Memory Introspection
|
Guest support and policy update mechanism. More...
Files | |
| file | update_guests.h |
| Exposes the definitions used by the CAMI parser and the functions used to load guest support information or update protection policies. | |
| file | update_guests.c |
| The CAMI parser. | |
Data Structures | |
| struct | _LIX_OPAQUE_FIELDS |
| Contains information about various Linux structures. More... | |
| struct | _LIX_SYMBOL |
| Describes a Linux ksym. More... | |
| struct | _LIX_ACTIVE_PATCH |
| Describes the information about a Linux active-patch. More... | |
| struct | _WIN_OPAQUE_FIELDS |
| Contains information about various Windows user mode and kernel mode structures.Everything about a structure of interest should be placed here (size, field offsets, etc). The Km structure contains information about kernel objects, while the Um field contains information about user mode objects. Each structure has a specific tag (WIN_KM_STRUCTURE for Km, WIN_UM_STRUCTURE for Um) which is used to identify it. Each entry inside an array contains specific information. The specific WIN_UM_FIELD and WIN_KM_FIELD structures describe the information found at each index in these arrays. For example, the WIN_KM_FIELD_PROCESS enum describes the information found in the Km.Process array. If the offset at which the name of a process is found inside the kernel _EPROCESS structure is needed, it can be obtained by looking at Km.Process[winKmFieldProcessName]. In order to simplify this, the WIN_KM_FIELD macro can be used: WIN_OPAQUE_FIELDS(Process, Name). A similar approach is available for user mode fields with the WIN_UM_FIELD macro. These fields are set when a CAMI file is loaded at initialization time, in the IntCamiLoadOpaqueFields function. If the loaded CAMI file contains a structure that is not known by introcore, or contains more field than the current introcore version uses, the extra information is discarded. This is why new fields should be added right before the End tags, in order to preserve the current order and allow older introcore versions to load newer CAMI files. More... | |
Macros | |
| #define | LIX_FIELD(Structure, Field) gLixGuest->OsSpecificFields.OpaqueFields.Structure[lixField##Structure##Field] |
| Macro used to access fields inside the LIX_OPAQUE_FIELDS structure. More... | |
| #define | WIN_KM_FIELD(Structure, Field) gWinGuest->OsSpecificFields.Km.Structure[winKmField##Structure##Field] |
| Macro used to access kernel mode fields inside the WIN_OPAQUE_FIELDS structure. More... | |
| #define | WIN_SYSCALL_NUMBER(Syscall) WIN_KM_FIELD(SyscallNumbers, Syscall) |
| Macro used to access syscall numbers from inside the WIN_OPAQUE_FIELDS structure. More... | |
| #define | WIN_UM_FIELD(Structure, Field) gWinGuest->OsSpecificFields.Um.Structure[winUmField##Structure##Field] |
| Macro used to access user mode fields inside the WIN_OPAQUE_FIELDS structure. More... | |
Typedefs | |
| typedef enum LIX_STRUCTURE | LIX_STRUCTURE |
| Structure tags used for the Linux structures. More... | |
| typedef enum _LIX_FIELD_INFO | LIX_FIELD_INFO |
| Describes information about a Linux guest. More... | |
| typedef enum _LIX_FIELD_MODULE | LIX_FIELD_MODULE |
| The index for offsets of 'struct module'. More... | |
| typedef enum _LIX_FIELD_BINPRM | LIX_FIELD_BINPRM |
| The index for offsets of 'struct linux_binprm'. More... | |
| typedef enum _LIX_FIELD_VMA | LIX_FIELD_VMA |
| The index for offsets of 'struct vm_area_struct'. More... | |
| typedef enum _LIX_FIELD_DENTRY | LIX_FIELD_DENTRY |
| The index for offsets of 'struct dentry'. More... | |
| typedef enum _LIX_FIELD_MMSTRUCT | LIX_FIELD_MMSTRUCT |
| The index for offsets of 'struct mm_struct'. More... | |
| typedef enum _LIX_FIELD_TASKSTRUCT | LIX_FIELD_TASKSTRUCT |
| The index for offsets of 'struct task-struct'. More... | |
| typedef enum _LIX_FIELD_FS | LIX_FIELD_FS |
| The index for offsets of 'struct fs_struct'. More... | |
| typedef enum _LIX_FIELD_FDTABLE | LIX_FIELD_FDTABLE |
| The index for offsets of 'struct fdtable'. More... | |
| typedef enum _LIX_FIELD_FILES | LIX_FIELD_FILES |
| The index for offsets of 'struct files_struct'. More... | |
| typedef enum _LIX_FIELD_INODE | LIX_FIELD_INODE |
| The index for offsets of 'struct inode'. More... | |
| typedef enum _LIX_FIELD_SOCKET | LIX_FIELD_SOCKET |
| The index for offsets of 'struct socket'. More... | |
| typedef enum _LIX_FIELD_SOCK | LIX_FIELD_SOCK |
| The index for offsets of 'struct sock'. More... | |
| typedef enum _LIX_FIELD_CRED | LIX_FIELD_CRED |
| The index for offsets of 'struct cred'. More... | |
| typedef enum _LIX_FIELD_NSPROXY | LIX_FIELD_NSPROXY |
| The index for offsets of 'struct nsproxy'. More... | |
| typedef enum _LIX_FIELD_UNGROUPED | LIX_FIELD_UNGROUPED |
| The index for offsets of structures that are not grouped. More... | |
| typedef struct _LIX_OPAQUE_FIELDS | LIX_OPAQUE_FIELDS |
| Contains information about various Linux structures. More... | |
| typedef struct _LIX_OPAQUE_FIELDS * | PLIX_OPAQUE_FIELDS |
| typedef struct _LIX_SYMBOL | LIX_SYMBOL |
| Describes a Linux ksym. More... | |
| typedef struct _LIX_SYMBOL * | PLIX_SYMBOL |
| typedef enum _LIX_ACTIVE_PATCH_TYPE | LIX_ACTIVE_PATCH_TYPE |
| Describes the type of an Linux active-patch. More... | |
| typedef struct _LIX_ACTIVE_PATCH | LIX_ACTIVE_PATCH |
| Describes the information about a Linux active-patch. More... | |
| typedef enum _WIN_UM_FIELD_DLL | WIN_UM_FIELD_DLL |
| Indexes in the WIN_OPAQUE_FIELDS.Um.Dll array, containing offsets inside the _LDR_DATA_TABLE_ENTRY structure. More... | |
| typedef enum _WIN_UM_FIELD_PEB | WIN_UM_FIELD_PEB |
| Indexes in the WIN_OPAQUE_FIELDS.Um.Peb array, containing offsets inside the _PEB structure.These are the indexes of the offsets inside the WIN_OPAQUE_FIELDS.Um.Peb array. The WIN_UM_FIELD can be used to access these more easily. More... | |
| typedef enum _WIN_UM_FIELD_TEB | WIN_UM_FIELD_TEB |
| Indexes in the WIN_OPAQUE_FIELDS.Um.Teb array, containing offsets inside the _TEB structure.The WIN_UM_FIELD macro can be used to access these more easily. More... | |
| typedef enum _WIN_KM_STRUCTURE | WIN_KM_STRUCTURE |
| Structure tags used for the kernel mode structures.Each of these refers to a WIN_OPAQUE_FIELDS.Km field. More... | |
| typedef enum _WIN_UM_STRUCTURE | WIN_UM_STRUCTURE |
| Structure tags used for the user mode structures.Each of these refers to a WIN_OPAQUE_FIELDS.Um field. More... | |
| typedef enum _WIN_KM_FIELD_PROCESS | WIN_KM_FIELD_PROCESS |
| Indexes in the WIN_OPAQUE_FIELDS.Km.Process array, containing offsets inside the _EPROCESS structure.The WIN_KM_FIELD macro can be used to access these more easily. More... | |
| typedef enum _WIN_KM_FIELD_THREAD | WIN_KM_FIELD_THREAD |
| Indexes in the WIN_OPAQUE_FIELDS.Km.Thread array, containing offsets inside the _ETHREAD structure.The WIN_KM_FIELD macro can be used to access these more easily. More... | |
| typedef enum _WIN_KM_FIELD_DRVOBJ | WIN_KM_FIELD_DRVOBJ |
| Indexes in the WIN_OPAQUE_FIELDS.Km.DrvObj array, containing information about the _DRIVER_OBJECT structure.The WIN_KM_FIELD macro can be used to access these more easily. More... | |
| typedef enum _WIN_KM_FIELD_PCR | WIN_KM_FIELD_PCR |
| Indexes in the WIN_OPAQUE_FIELDS.Km.Pcr array, containing information about the _KPCR structure.The WIN_KM_FIELD macro can be used to access these more easily. More... | |
| typedef enum _WIN_KM_FIELD_POOLDESCRIPTOR | WIN_KM_FIELD_POOLDESCRIPTOR |
| Indexes in the WIN_OPAQUE_FIELDS.Km.PoolDescriptor array, containing information about the _POOL_DESCRIPTOR structure.The WIN_KM_FIELD macro can be used to access these more easily. More... | |
| typedef enum _WIN_KM_FIELD_MMPFN | WIN_KM_FIELD_MMPFN |
| Indexes in the WIN_OPAQUE_FIELDS.Km.Mmpfn array, containing information about the _MMPFN structure.For 32-bit versions of the OS, this is split into two sections: PAE and non-PAE, as Windows versions prior to Windows 8 were able to boot without PAE support and in those cases the _MMPFN structure was different. For 32-bit guests with PAE enabled (gGuest->Mm.Mode is PAGING_PAE_MODE in those cases) the Pae version of the tags should be used. For the other guests, the normal versions should be used. More... | |
| typedef enum _WIN_KM_FIELD_TOKEN | WIN_KM_FIELD_TOKEN |
| Indexes in the WIN_OPAQUE_FIELDS.Km.Token array, containing information about the _TOKEN structure.The WIN_KM_FIELD macro can be used to access these more easily. More... | |
| typedef enum _WIN_KM_FIELD_UNGROUPED | WIN_KM_FIELD_UNGROUPED |
| Indexes in the WIN_OPAQUE_FIELDS.Km.Ungrouped array, containing information about various kernel structures or data.The WIN_KM_FIELD macro can be used to access these more easily. More... | |
| typedef enum _WIN_KM_FIELD_EPROCESSFLAGS | WIN_KM_FIELD_EPROCESSFLAGS |
| Indexes in the WIN_OPAQUE_FIELDS.Km.EprocessFlags array, containing information about the flags inside the _EPROCESS structure.The WIN_KM_FIELD macro can be used to access these more easily. More... | |
| typedef enum _WIN_KM_FIELD_VAD_SHORT | WIN_KM_FIELD_VAD_SHORT |
| Indexes in the WIN_OPAQUE_FIELDS.Km.VadShort array, containing information about the _MMVAD_SHORT structure.The WIN_KM_FIELD macro can be used to access these more easily. More... | |
| typedef enum _WIN_KM_FIELD_VAD_LONG | WIN_KM_FIELD_VAD_LONG |
| Indexes in the WIN_OPAQUE_FIELDS.Km.VadLong array, containing information about the _MMVAD_LONG structure.The WIN_KM_FIELD macro can be used to access these more easily. More... | |
| typedef enum _WIN_KM_FIELD_VADFLAGS | WIN_KM_FIELD_VADFLAGS |
| Indexes in the WIN_OPAQUE_FIELDS.Km.VadFlags array, containing information about the bits in the winKmFieldVadShortFlags field.Certain values are parsed by shifting the flags value and then applying a mask, while boolean values are stored as the bit that must be checked in order to know if that bit is set or not. For example, in order to obtain the type from a 32-bit flags value you need to: More... | |
| typedef enum _WIN_KM_FIELD_SYSCALL_NUMBERS | WIN_KM_FIELD_SYSCALL_NUMBERS |
| Indexes in the WIN_OPAQUE_FIELDS.Km.SyscallNumbers array, containing syscall numbers.The WIN_SYSCALL_NUMBER or WIN_KM_FIELD macros can be used to access these more easily. More... | |
| typedef enum _WIN_KM_FIELD_FILE_OBJECT | WIN_KM_FIELD_FILE_OBJECT |
| Indexes in the WIN_OPAQUE_FIELDS.Km.FileObject array, containing information about the _FILE_OBJECT structure.The WIN_KM_FIELD macros can be used to access these more easily. More... | |
| typedef struct _WIN_OPAQUE_FIELDS | WIN_OPAQUE_FIELDS |
| Contains information about various Windows user mode and kernel mode structures.Everything about a structure of interest should be placed here (size, field offsets, etc). The Km structure contains information about kernel objects, while the Um field contains information about user mode objects. Each structure has a specific tag (WIN_KM_STRUCTURE for Km, WIN_UM_STRUCTURE for Um) which is used to identify it. Each entry inside an array contains specific information. The specific WIN_UM_FIELD and WIN_KM_FIELD structures describe the information found at each index in these arrays. For example, the WIN_KM_FIELD_PROCESS enum describes the information found in the Km.Process array. If the offset at which the name of a process is found inside the kernel _EPROCESS structure is needed, it can be obtained by looking at Km.Process[winKmFieldProcessName]. In order to simplify this, the WIN_KM_FIELD macro can be used: WIN_OPAQUE_FIELDS(Process, Name). A similar approach is available for user mode fields with the WIN_UM_FIELD macro. These fields are set when a CAMI file is loaded at initialization time, in the IntCamiLoadOpaqueFields function. If the loaded CAMI file contains a structure that is not known by introcore, or contains more field than the current introcore version uses, the extra information is discarded. This is why new fields should be added right before the End tags, in order to preserve the current order and allow older introcore versions to load newer CAMI files. More... | |
| typedef struct _WIN_OPAQUE_FIELDS * | PWIN_OPAQUE_FIELDS |
Guest support and policy update mechanism.
CAMI is an Introcore sub module serving mainly as an OS specific info database. However, it may include other features that can control Introspection behavior, such as hooked kernel APIs or enforced options (forcing features to be on or off).
| #define LIX_FIELD | ( | Structure, | |
| Field | |||
| ) | gLixGuest->OsSpecificFields.OpaqueFields.Structure[lixField##Structure##Field] |
Macro used to access fields inside the LIX_OPAQUE_FIELDS structure.
| [in] | Structure | The structure name. This is identical to the name of the array in the LIX_OPAQUE_FIELDS. |
| [in] | Field | The name of the field. |
Definition at line 426 of file lixguest.h.
Referenced by IntKsymGetAddress(), IntKsymInit(), IntKsymRelativeFindOffsetTableEnd(), IntKsymRelativeFindOffsetTableStart(), IntLixAgentFindInstruction(), IntLixCommitCredsHandle(), IntLixCredCalculateChecksum(), IntLixCredInitMap(), IntLixDentryGetName(), IntLixDepInjectProcess(), IntLixDrvCreateDriverObject(), IntLixDrvCreateFromAddress(), IntLixDrvFindList(), IntLixDrvIterateList(), IntLixDrvSystemBooting(), IntLixDrvValidate(), IntLixFileGetDentry(), IntLixFileGetPath(), IntLixFileReadDentry(), IntLixGetInitTask(), IntLixGuestAllocateDeploy(), IntLixGuestInit(), IntLixGuestInitAgentCompletion(), IntLixGuestNew(), IntLixMmFindVmaInLinkedList(), IntLixMmFindVmaInRbTree(), IntLixMmGetInitMm(), IntLixMmListVmasInternal(), IntLixMmPopulateVmasInternal(), IntLixNetFileIsSocket(), IntLixNetGetConnectionFromSocket(), IntLixNetSendTaskConnections(), IntLixResolveExeFileOffset(), IntLixTaskActivateExploitProtection(), IntLixTaskAdd(), IntLixTaskCreate(), IntLixTaskCreateFromBinprm(), IntLixTaskCreateInitTask(), IntLixTaskDeactivateExploitProtection(), IntLixTaskDumpTree(), IntLixTaskFetchCmdLine(), IntLixTaskFetchMm(), IntLixTaskGetTrapFrame(), IntLixTaskGuestTerminating(), IntLixTaskIsUserStackPivoted(), IntLixTaskIterateGuestTasks(), IntLixTaskIterateThreadGroup(), IntLixTaskIterateThreadNode(), IntLixTaskIterateThreads(), IntLixTaskMarkAgent(), IntLixTaskSendCredViolationEvent(), IntLixVdsoFetchAddress(), IntLixVdsoFixedProtect(), IntLixVdsoResolveDynamicOffset(), IntLixVmaAdjustInternal(), IntLixVmaChangeProtection(), IntLixVmaExpandDownwards(), IntLixVmaFill(), IntThrGetStackSize(), IntThrSafeLixGetCurrentStack(), IntThrSafeLixInspectWaitingThread(), and IntVmaMarkProtection().
| #define WIN_KM_FIELD | ( | Structure, | |
| Field | |||
| ) | gWinGuest->OsSpecificFields.Km.Structure[winKmField##Structure##Field] |
Macro used to access kernel mode fields inside the WIN_OPAQUE_FIELDS structure.
| [in] | Structure | The structure name. This is identical to the name of the array in the WIN_OPAQUE_FIELDS.Km structure which contains the needed information. |
| [in] | Field | The name of the field. For example, if the value of the winKmFieldProcessName field is needed, this will simply be Field. |
Definition at line 726 of file winguest.h.
Referenced by DbgDumpPfn(), DbgDumpVadRoot(), IntPtiDeliverDriverForLoad(), IntThrSafeWinGetCurrentStack(), IntThrSafeWinInspectWaitingThread(), IntWinDpiGetProcessDebugFlag(), IntWinDpiValidateThreadStart(), IntWinDrvObjHandleModification(), IntWinDrvObjHandleWrite(), IntWinDrvObjIsValidDriverObject(), IntWinDrvObjProtect(), IntWinDrvObjProtectFastIoDispatch(), IntWinDrvObjRemoveFromAddress(), IntWinGetAccessTokenFromProcess(), IntWinGetAccesTokenFromThread(), IntWinGetStartUpTime(), IntWinGuestFindKernelObjects(), IntWinHalIsIntController(), IntWinHalProtectHalIntCtrl(), IntWinInfCheckCtxLoggerOnRelocation(), IntWinInfHookEptSppHandleWrite(), IntWinInfHookGetCircularCtxLogger(), IntWinInfHookGetCpuClockIntegrityCallback(), IntWinInfHookGetEtwpDebuggerData(), IntWinInfHookGetWmiLoggerGetCpuClock(), IntWinInfHookHookSppWmiGetClock(), IntWinInfHookIntegrityHandleWrite(), IntWinInfHookProtect(), IntWinInfHookSiloWmiPtrIntegrityCallback(), IntWinPatchVadHandleCommit(), IntWinPfnIsMmPfnDatabase(), IntWinPfnModifyRefCount(), IntWinProcAdd(), IntWinProcCreateProcessObject(), IntWinProcDeleteProcessObject(), IntWinProcDumpEgFlags(), IntWinProcEnforceProcessDep(), IntWinProcGetNameFromEprocess(), IntWinProcHandleCreateInternal(), IntWinProcHandleTerminate(), IntWinProcIsExploitGuardEnabled(), IntWinProcIsPsActiveProcessHead(), IntWinProcIterateGuestProcesses(), IntWinProcMarkAgent(), IntWinProcMarkAsSystemProcess(), IntWinProcPatchCopyMemoryDetour(), IntWinProcPatchSpareValue(), IntWinProcRemoveProcess(), IntWinProcSetUserCr3(), IntWinProcValidateSystemCr3(), IntWinReadToken(), IntWinStackUserTrapFrameGetGeneric(), IntWinThrGetCurrentThread(), IntWinThrGetCurrentTib(), IntWinThrHandleQueueApc(), IntWinThrHandleThreadHijack(), IntWinThrIterateThreads(), IntWinThrPatchThreadHijackHandler(), IntWinThrPrepareApcHandler(), IntWinTokenCheckCurrentPrivileges(), IntWinTokenFetchTokenAddress(), IntWinTokenPrivsHandleWrite(), IntWinTokenPrivsProtectOnProcess(), IntWinTokenPtrCheckIntegrityOnProcess(), IntWinVadFetchImageName(), IntWinVadFetchVadFromMemory(), IntWinVadHandleProtectGeneric(), IntWinVadImportProcessTree(), IntWinVadMapShortVad(), IntWinVadPatchDeleteVaRange(), IntWinVadPatchFinishVadDeletion(), IntWinVadPatchInsert(), IntWinVadPatchInsertMap(), IntWinVadPatchInsertPrivate(), IntWinVadPatchVirtualProtect(), IntWinVadProcImportMainModuleVad(), and IntWinVadRescanVad().
| #define WIN_SYSCALL_NUMBER | ( | Syscall | ) | WIN_KM_FIELD(SyscallNumbers, Syscall) |
Macro used to access syscall numbers from inside the WIN_OPAQUE_FIELDS structure.
| [in] | Syscall | The syscall name. For example, if the value of winKmFieldSyscallNumbersNtCreateThreadEx is is needed, this will simply be NtCreateThreadEx. |
Definition at line 744 of file winguest.h.
| #define WIN_UM_FIELD | ( | Structure, | |
| Field | |||
| ) | gWinGuest->OsSpecificFields.Um.Structure[winUmField##Structure##Field] |
Macro used to access user mode fields inside the WIN_OPAQUE_FIELDS structure.
| [in] | Structure | The structure name. This is identical to the name of the array in the WIN_OPAQUE_FIELDS.Um structure which contains the needed information. |
| [in] | Field | The name of the field. For example, if the value of the winUmFieldTebWow64SaveArea field is needed, this will simply be Wow64SaveArea. |
Definition at line 764 of file winguest.h.
Referenced by IntExceptUserMatchZoneType(), IntWinStackWow64CheckIsPivoted(), and IntWinUmCheckInitializationInjection().
| typedef struct _LIX_ACTIVE_PATCH LIX_ACTIVE_PATCH |
Describes the information about a Linux active-patch.
| typedef enum _LIX_ACTIVE_PATCH_TYPE LIX_ACTIVE_PATCH_TYPE |
Describes the type of an Linux active-patch.
| typedef enum _LIX_FIELD_BINPRM LIX_FIELD_BINPRM |
The index for offsets of 'struct linux_binprm'.
| typedef enum _LIX_FIELD_CRED LIX_FIELD_CRED |
The index for offsets of 'struct cred'.
| typedef enum _LIX_FIELD_DENTRY LIX_FIELD_DENTRY |
The index for offsets of 'struct dentry'.
| typedef enum _LIX_FIELD_FDTABLE LIX_FIELD_FDTABLE |
The index for offsets of 'struct fdtable'.
| typedef enum _LIX_FIELD_FILES LIX_FIELD_FILES |
The index for offsets of 'struct files_struct'.
| typedef enum _LIX_FIELD_FS LIX_FIELD_FS |
The index for offsets of 'struct fs_struct'.
| typedef enum _LIX_FIELD_INFO LIX_FIELD_INFO |
Describes information about a Linux guest.
| typedef enum _LIX_FIELD_INODE LIX_FIELD_INODE |
The index for offsets of 'struct inode'.
| typedef enum _LIX_FIELD_MMSTRUCT LIX_FIELD_MMSTRUCT |
The index for offsets of 'struct mm_struct'.
| typedef enum _LIX_FIELD_MODULE LIX_FIELD_MODULE |
The index for offsets of 'struct module'.
| typedef enum _LIX_FIELD_NSPROXY LIX_FIELD_NSPROXY |
The index for offsets of 'struct nsproxy'.
| typedef enum _LIX_FIELD_SOCK LIX_FIELD_SOCK |
The index for offsets of 'struct sock'.
| typedef enum _LIX_FIELD_SOCKET LIX_FIELD_SOCKET |
The index for offsets of 'struct socket'.
| typedef enum _LIX_FIELD_TASKSTRUCT LIX_FIELD_TASKSTRUCT |
The index for offsets of 'struct task-struct'.
| typedef enum _LIX_FIELD_UNGROUPED LIX_FIELD_UNGROUPED |
The index for offsets of structures that are not grouped.
| typedef enum _LIX_FIELD_VMA LIX_FIELD_VMA |
The index for offsets of 'struct vm_area_struct'.
| typedef struct _LIX_OPAQUE_FIELDS LIX_OPAQUE_FIELDS |
Contains information about various Linux structures.
| typedef enum LIX_STRUCTURE LIX_STRUCTURE |
Structure tags used for the Linux structures.
| typedef struct _LIX_SYMBOL LIX_SYMBOL |
Describes a Linux ksym.
| typedef struct _LIX_OPAQUE_FIELDS * PLIX_OPAQUE_FIELDS |
| typedef struct _LIX_SYMBOL * PLIX_SYMBOL |
| typedef struct _WIN_OPAQUE_FIELDS * PWIN_OPAQUE_FIELDS |
| typedef enum _WIN_KM_FIELD_DRVOBJ WIN_KM_FIELD_DRVOBJ |
Indexes in the WIN_OPAQUE_FIELDS.Km.DrvObj array, containing information about the _DRIVER_OBJECT structure.The WIN_KM_FIELD macro can be used to access these more easily.
| typedef enum _WIN_KM_FIELD_EPROCESSFLAGS WIN_KM_FIELD_EPROCESSFLAGS |
Indexes in the WIN_OPAQUE_FIELDS.Km.EprocessFlags array, containing information about the flags inside the _EPROCESS structure.The WIN_KM_FIELD macro can be used to access these more easily.
| typedef enum _WIN_KM_FIELD_FILE_OBJECT WIN_KM_FIELD_FILE_OBJECT |
Indexes in the WIN_OPAQUE_FIELDS.Km.FileObject array, containing information about the _FILE_OBJECT structure.The WIN_KM_FIELD macros can be used to access these more easily.
| typedef enum _WIN_KM_FIELD_MMPFN WIN_KM_FIELD_MMPFN |
Indexes in the WIN_OPAQUE_FIELDS.Km.Mmpfn array, containing information about the _MMPFN structure.For 32-bit versions of the OS, this is split into two sections: PAE and non-PAE, as Windows versions prior to Windows 8 were able to boot without PAE support and in those cases the _MMPFN structure was different. For 32-bit guests with PAE enabled (gGuest->Mm.Mode is PAGING_PAE_MODE in those cases) the Pae version of the tags should be used. For the other guests, the normal versions should be used.
The WIN_KM_FIELD macro can be used to access these more easily.
| typedef enum _WIN_KM_FIELD_PCR WIN_KM_FIELD_PCR |
Indexes in the WIN_OPAQUE_FIELDS.Km.Pcr array, containing information about the _KPCR structure.The WIN_KM_FIELD macro can be used to access these more easily.
| typedef enum _WIN_KM_FIELD_POOLDESCRIPTOR WIN_KM_FIELD_POOLDESCRIPTOR |
Indexes in the WIN_OPAQUE_FIELDS.Km.PoolDescriptor array, containing information about the _POOL_DESCRIPTOR structure.The WIN_KM_FIELD macro can be used to access these more easily.
| typedef enum _WIN_KM_FIELD_PROCESS WIN_KM_FIELD_PROCESS |
Indexes in the WIN_OPAQUE_FIELDS.Km.Process array, containing offsets inside the _EPROCESS structure.The WIN_KM_FIELD macro can be used to access these more easily.
Indexes in the WIN_OPAQUE_FIELDS.Km.SyscallNumbers array, containing syscall numbers.The WIN_SYSCALL_NUMBER or WIN_KM_FIELD macros can be used to access these more easily.
| typedef enum _WIN_KM_FIELD_THREAD WIN_KM_FIELD_THREAD |
Indexes in the WIN_OPAQUE_FIELDS.Km.Thread array, containing offsets inside the _ETHREAD structure.The WIN_KM_FIELD macro can be used to access these more easily.
| typedef enum _WIN_KM_FIELD_TOKEN WIN_KM_FIELD_TOKEN |
Indexes in the WIN_OPAQUE_FIELDS.Km.Token array, containing information about the _TOKEN structure.The WIN_KM_FIELD macro can be used to access these more easily.
| typedef enum _WIN_KM_FIELD_UNGROUPED WIN_KM_FIELD_UNGROUPED |
Indexes in the WIN_OPAQUE_FIELDS.Km.Ungrouped array, containing information about various kernel structures or data.The WIN_KM_FIELD macro can be used to access these more easily.
| typedef enum _WIN_KM_FIELD_VAD_LONG WIN_KM_FIELD_VAD_LONG |
Indexes in the WIN_OPAQUE_FIELDS.Km.VadLong array, containing information about the _MMVAD_LONG structure.The WIN_KM_FIELD macro can be used to access these more easily.
| typedef enum _WIN_KM_FIELD_VAD_SHORT WIN_KM_FIELD_VAD_SHORT |
Indexes in the WIN_OPAQUE_FIELDS.Km.VadShort array, containing information about the _MMVAD_SHORT structure.The WIN_KM_FIELD macro can be used to access these more easily.
| typedef enum _WIN_KM_FIELD_VADFLAGS WIN_KM_FIELD_VADFLAGS |
Indexes in the WIN_OPAQUE_FIELDS.Km.VadFlags array, containing information about the bits in the winKmFieldVadShortFlags field.Certain values are parsed by shifting the flags value and then applying a mask, while boolean values are stored as the bit that must be checked in order to know if that bit is set or not. For example, in order to obtain the type from a 32-bit flags value you need to:
While checking if private fix-up is set:
The WIN_KM_FIELD macro can be used to access these more easily.
| typedef enum _WIN_KM_STRUCTURE WIN_KM_STRUCTURE |
Structure tags used for the kernel mode structures.Each of these refers to a WIN_OPAQUE_FIELDS.Km field.
| typedef struct _WIN_OPAQUE_FIELDS WIN_OPAQUE_FIELDS |
Contains information about various Windows user mode and kernel mode structures.Everything about a structure of interest should be placed here (size, field offsets, etc). The Km structure contains information about kernel objects, while the Um field contains information about user mode objects. Each structure has a specific tag (WIN_KM_STRUCTURE for Km, WIN_UM_STRUCTURE for Um) which is used to identify it. Each entry inside an array contains specific information. The specific WIN_UM_FIELD and WIN_KM_FIELD structures describe the information found at each index in these arrays. For example, the WIN_KM_FIELD_PROCESS enum describes the information found in the Km.Process array. If the offset at which the name of a process is found inside the kernel _EPROCESS structure is needed, it can be obtained by looking at Km.Process[winKmFieldProcessName]. In order to simplify this, the WIN_KM_FIELD macro can be used: WIN_OPAQUE_FIELDS(Process, Name). A similar approach is available for user mode fields with the WIN_UM_FIELD macro. These fields are set when a CAMI file is loaded at initialization time, in the IntCamiLoadOpaqueFields function. If the loaded CAMI file contains a structure that is not known by introcore, or contains more field than the current introcore version uses, the extra information is discarded. This is why new fields should be added right before the End tags, in order to preserve the current order and allow older introcore versions to load newer CAMI files.
| typedef enum _WIN_UM_FIELD_DLL WIN_UM_FIELD_DLL |
Indexes in the WIN_OPAQUE_FIELDS.Um.Dll array, containing offsets inside the _LDR_DATA_TABLE_ENTRY structure.
The WIN_UM_FIELD macro can be used to access these more easily.
| typedef enum _WIN_UM_FIELD_PEB WIN_UM_FIELD_PEB |
Indexes in the WIN_OPAQUE_FIELDS.Um.Peb array, containing offsets inside the _PEB structure.These are the indexes of the offsets inside the WIN_OPAQUE_FIELDS.Um.Peb array. The WIN_UM_FIELD can be used to access these more easily.
| typedef enum _WIN_UM_FIELD_TEB WIN_UM_FIELD_TEB |
Indexes in the WIN_OPAQUE_FIELDS.Um.Teb array, containing offsets inside the _TEB structure.The WIN_UM_FIELD macro can be used to access these more easily.
| typedef enum _WIN_UM_STRUCTURE WIN_UM_STRUCTURE |
Structure tags used for the user mode structures.Each of these refers to a WIN_OPAQUE_FIELDS.Um field.
Describes the type of an Linux active-patch.
| Enumerator | |
|---|---|
| lixActivePatchTextPoke | Used for 'text_poke'. |
| lixActivePatchFtrace | Used for 'ftrace'. |
| lixActivePatchJmpLabel | Used for 'arch_jump_label_transform'. |
| lixActivePatchCount | The number of entries. |
Definition at line 444 of file lixguest.h.
| enum _LIX_FIELD_BINPRM |
The index for offsets of 'struct linux_binprm'.
Definition at line 142 of file lixguest.h.
| enum _LIX_FIELD_CRED |
The index for offsets of 'struct cred'.
| Enumerator | |
|---|---|
| lixFieldCredSizeof | The value of sizeof(struct cred). |
| lixFieldCredUsage | The offset of cred.usage. |
| lixFieldCredRcu | The offset of cred.rcu. |
| lixFieldCredEnd | The end of tags. |
Definition at line 336 of file lixguest.h.
| enum _LIX_FIELD_DENTRY |
The index for offsets of 'struct dentry'.
Definition at line 178 of file lixguest.h.
| enum _LIX_FIELD_FDTABLE |
The index for offsets of 'struct fdtable'.
| Enumerator | |
|---|---|
| lixFieldFdTableMaxFds | The offset of fdtable.max_fds. |
| lixFieldFdTableFd | The offset of fs_struct.fd. |
| lixFieldFdTableEnd | The end of tags. |
Definition at line 264 of file lixguest.h.
| enum _LIX_FIELD_FILES |
The index for offsets of 'struct files_struct'.
| Enumerator | |
|---|---|
| lixFieldFilesSizeof | The value of sizeof(struct files_struct). |
| lixFieldFilesFdt | The offset of fs_struct.fdt. |
| lixFieldFilesEnd | The end of tags. |
Definition at line 276 of file lixguest.h.
| enum _LIX_FIELD_FS |
The index for offsets of 'struct fs_struct'.
| Enumerator | |
|---|---|
| lixFieldFsSizeof | The value of sizeof(struct fs_struct). |
| lixFieldFsRoot | The offset of fs_struct.root. |
| lixFieldFsPwd | The offset of fs_struct.pwd. |
| lixFieldFsEnd | The end of tags. |
Definition at line 251 of file lixguest.h.
| enum _LIX_FIELD_INFO |
Describes information about a Linux guest.
Definition at line 87 of file lixguest.h.
| enum _LIX_FIELD_INODE |
The index for offsets of 'struct inode'.
Definition at line 288 of file lixguest.h.
| enum _LIX_FIELD_MMSTRUCT |
The index for offsets of 'struct mm_struct'.
Definition at line 192 of file lixguest.h.
| enum _LIX_FIELD_MODULE |
The index for offsets of 'struct module'.
Definition at line 113 of file lixguest.h.
| enum _LIX_FIELD_NSPROXY |
The index for offsets of 'struct nsproxy'.
Definition at line 349 of file lixguest.h.
| enum _LIX_FIELD_SOCK |
The index for offsets of 'struct sock'.
Definition at line 316 of file lixguest.h.
| enum _LIX_FIELD_SOCKET |
The index for offsets of 'struct socket'.
Definition at line 302 of file lixguest.h.
The index for offsets of 'struct task-struct'.
Definition at line 216 of file lixguest.h.
| enum _LIX_FIELD_UNGROUPED |
The index for offsets of structures that are not grouped.
Definition at line 365 of file lixguest.h.
| enum _LIX_FIELD_VMA |
The index for offsets of 'struct vm_area_struct'.
Definition at line 160 of file lixguest.h.
| enum _WIN_KM_FIELD_DRVOBJ |
Indexes in the WIN_OPAQUE_FIELDS.Km.DrvObj array, containing information about the _DRIVER_OBJECT structure.The WIN_KM_FIELD macro can be used to access these more easily.
| Enumerator | |
|---|---|
| winKmFieldDrvObjSize | The size of the _DRIVER_OBJECT structure. This is the size protected by introcore when protecting driver objects due to the INTRO_OPT_PROT_KM_DRVOBJ protection flag. |
| winKmFieldDrvObjFiodispSize | The size of the _FAST_IO_DISPATCH structure. This is the size protected by introcore when protecting driver objects due to the INTRO_OPT_PROT_KM_DRVOBJ protection flag. |
| winKmFieldDrvObjAllocationGap | The size of the allocation that precedes a driver object, excluding the POOL_HEADER (0x8/0x10 bytes). |
| winKmFieldDrvObjFiodisp | Offset of FastIoDispatch. |
| winKmFieldDrvObjStart | Offset of DriverStart. |
| winKmFieldDrvObjEnd | The end of the fields. This must always be the last entry in this enum. New entries must be added right before this one in order to preserve the existing order of entries. |
Definition at line 330 of file winguest.h.
Indexes in the WIN_OPAQUE_FIELDS.Km.EprocessFlags array, containing information about the flags inside the _EPROCESS structure.The WIN_KM_FIELD macro can be used to access these more easily.
Definition at line 462 of file winguest.h.
Indexes in the WIN_OPAQUE_FIELDS.Km.FileObject array, containing information about the _FILE_OBJECT structure.The WIN_KM_FIELD macros can be used to access these more easily.
Definition at line 629 of file winguest.h.
| enum _WIN_KM_FIELD_MMPFN |
Indexes in the WIN_OPAQUE_FIELDS.Km.Mmpfn array, containing information about the _MMPFN structure.For 32-bit versions of the OS, this is split into two sections: PAE and non-PAE, as Windows versions prior to Windows 8 were able to boot without PAE support and in those cases the _MMPFN structure was different. For 32-bit guests with PAE enabled (gGuest->Mm.Mode is PAGING_PAE_MODE in those cases) the Pae version of the tags should be used. For the other guests, the normal versions should be used.
The WIN_KM_FIELD macro can be used to access these more easily.
Definition at line 396 of file winguest.h.
| enum _WIN_KM_FIELD_PCR |
Indexes in the WIN_OPAQUE_FIELDS.Km.Pcr array, containing information about the _KPCR structure.The WIN_KM_FIELD macro can be used to access these more easily.
Definition at line 358 of file winguest.h.
Indexes in the WIN_OPAQUE_FIELDS.Km.PoolDescriptor array, containing information about the _POOL_DESCRIPTOR structure.The WIN_KM_FIELD macro can be used to access these more easily.
Definition at line 375 of file winguest.h.
Indexes in the WIN_OPAQUE_FIELDS.Km.Process array, containing offsets inside the _EPROCESS structure.The WIN_KM_FIELD macro can be used to access these more easily.
Definition at line 263 of file winguest.h.
Indexes in the WIN_OPAQUE_FIELDS.Km.SyscallNumbers array, containing syscall numbers.The WIN_SYSCALL_NUMBER or WIN_KM_FIELD macros can be used to access these more easily.
Definition at line 611 of file winguest.h.
| enum _WIN_KM_FIELD_THREAD |
Indexes in the WIN_OPAQUE_FIELDS.Km.Thread array, containing offsets inside the _ETHREAD structure.The WIN_KM_FIELD macro can be used to access these more easily.
Definition at line 303 of file winguest.h.
| enum _WIN_KM_FIELD_TOKEN |
Indexes in the WIN_OPAQUE_FIELDS.Km.Token array, containing information about the _TOKEN structure.The WIN_KM_FIELD macro can be used to access these more easily.
Definition at line 419 of file winguest.h.
Indexes in the WIN_OPAQUE_FIELDS.Km.Ungrouped array, containing information about various kernel structures or data.The WIN_KM_FIELD macro can be used to access these more easily.
Definition at line 439 of file winguest.h.
Indexes in the WIN_OPAQUE_FIELDS.Km.VadLong array, containing information about the _MMVAD_LONG structure.The WIN_KM_FIELD macro can be used to access these more easily.
Definition at line 534 of file winguest.h.
Indexes in the WIN_OPAQUE_FIELDS.Km.VadShort array, containing information about the _MMVAD_SHORT structure.The WIN_KM_FIELD macro can be used to access these more easily.
| Enumerator | |
|---|---|
| winKmFieldVadShortParent | Offset of ParentValue. |
| winKmFieldVadShortLeft | Offset of LeftChild. |
| winKmFieldVadShortRight | Offset of RightChild. |
| winKmFieldVadShortStartingVpn | Offset of StartingVpn. Since the size of the field may vary from a Windows version to another, #winKmFieldVadShortVpnSize should be checked in order to know how much to read from the guest. |
| winKmFieldVadShortStartingVpnHigh | Offset of StartingVpnHigh. Not all Windows versions have this. If it is 0, it is not used. |
| winKmFieldVadShortEndingVpn | Offset of EndingVpn. Since the size of the field may vary from a Windows version to another, #winKmFieldVadShortVpnSize should be checked in order to know how much to read from the guest. |
| winKmFieldVadShortEndingVpnHigh | Offset of EndingVpnHigh. Not all Windows versions have this. If it is 0, it is not used. |
| winKmFieldVadShortFlags | Offset of VadFlags. The size of the field varies. Check #winKmFieldVadShortFlagsSize in order to know the valid size. |
| winKmFieldVadShortFlagsSize | The minimum size that must be read from the guest in order to properly parse winKmFieldVadShortFlags. |
| winKmFieldVadShortVpnSize | The size of winKmFieldVadShortStartingVpn and winKmFieldVadShortEndingVpn. #winKmFieldVadShortStartingVpnHigh and #winKmFieldVadShortEndingVpnHigh are always 1 in size. |
| winKmFieldVadShortSize | The minimum size that must be read from the guest in order to properly parse a _MMVAD_SHORT structure. |
| winKmFieldVadShortEnd | The end of the fields. This must always be the last entry in this enum. New entries must be added right before this one in order to preserve the existing order of entries |
Definition at line 483 of file winguest.h.
Indexes in the WIN_OPAQUE_FIELDS.Km.VadFlags array, containing information about the bits in the winKmFieldVadShortFlags field.Certain values are parsed by shifting the flags value and then applying a mask, while boolean values are stored as the bit that must be checked in order to know if that bit is set or not. For example, in order to obtain the type from a 32-bit flags value you need to:
While checking if private fix-up is set:
The WIN_KM_FIELD macro can be used to access these more easily.
| Enumerator | |
|---|---|
| winKmFieldVadFlagsTypeShift | The right shift that must be applied to the flags field before applying the winKmFieldVadFlagsTypeMask mask in order to obtain the Type value. |
| winKmFieldVadFlagsTypeMask | The mask that must be applied in order to obtain the Type value. The flags value must first be right shifted with #winKmFieldVadFlagsTypeShift. |
| winKmFieldVadFlagsProtectionShift | The right shift that must be applied to the flags field before applying the winKmFieldVadFlagsProtectionMask mask in order to obtain the Protection value. |
| winKmFieldVadFlagsProtectionMask | The mask that must be applied in order to obtain the Protection value. The flags value must first be right shifted with #winKmFieldVadFlagsProtectionShift. |
| winKmFieldVadFlagsNoChangeBit | The index of the NoChange bit. Since this can be in the upper 32-bits of a 64-bit value and CAMI can not send 64-bit values, it is stored as the bit index. For example: QWORD flags = ... BOOLEAN noChange = 0 != (flags & BIT(WIN_KM_FIELD(VadFlags, NoChangeBit))); |
| winKmFieldVadFlagsPrivateFixupMask | The mask that must be applied for the private fix-up setting. |
| winKmFieldVadFlagsDeleteInProgressMask | The mask for the DeleteInProgressBit. Not all Windows versions use this. If it is not used it is 0. |
| winKmFieldVadFlagsEnd | The end of the fields. This must always be the last entry in this enum. New entries must be added right before this one in order to preserve the existing order of entries |
Definition at line 563 of file winguest.h.
| enum _WIN_KM_STRUCTURE |
Structure tags used for the kernel mode structures.Each of these refers to a WIN_OPAQUE_FIELDS.Km field.
Definition at line 218 of file winguest.h.
| enum _WIN_UM_FIELD_DLL |
Indexes in the WIN_OPAQUE_FIELDS.Um.Dll array, containing offsets inside the _LDR_DATA_TABLE_ENTRY structure.
The WIN_UM_FIELD macro can be used to access these more easily.
Definition at line 160 of file winguest.h.
| enum _WIN_UM_FIELD_PEB |
Indexes in the WIN_OPAQUE_FIELDS.Um.Peb array, containing offsets inside the _PEB structure.These are the indexes of the offsets inside the WIN_OPAQUE_FIELDS.Um.Peb array. The WIN_UM_FIELD can be used to access these more easily.
Definition at line 181 of file winguest.h.
| enum _WIN_UM_FIELD_TEB |
Indexes in the WIN_OPAQUE_FIELDS.Um.Teb array, containing offsets inside the _TEB structure.The WIN_UM_FIELD macro can be used to access these more easily.
| Enumerator | |
|---|---|
| winUmFieldTeb64Size | The relevant size of the _TEB for 64-bit processes. |
| winUmFieldTeb32Size | The relevant size of the _TEB for 32-bit processes |
| winUmFieldTebWow64SaveArea | The offset of the area in which a thread of a WoW64 application saves its general purpose registers when jumping to 64-bit code in order to issue a syscall |
| winUmFieldTebWow64StackInSaveArea | The offset of the ESP in the winUmFieldTebWow64SaveArea. |
| winUmFieldTebEnd | The end of the fields. This must always be the last entry in this enum. New entries must be added right before this one in order to preserve the existing order of entries |
Definition at line 197 of file winguest.h.
| enum _WIN_UM_STRUCTURE |
Structure tags used for the user mode structures.Each of these refers to a WIN_OPAQUE_FIELDS.Um field.
Definition at line 246 of file winguest.h.
| enum LIX_STRUCTURE |
Structure tags used for the Linux structures.
| Enumerator | |
|---|---|
| lixStructureInfo | The tag for LIX_FIELD_INFO. |
| lixStructureModule | The tag for LIX_FIELD_MODULE. |
| lixStructureBinprm | The tag for LIX_FIELD_BINPRM. |
| lixStructureVma | The tag for LIX_FIELD_VMA. |
| lixStructureDentry | The tag for LIX_FIELD_DENTRY. |
| lixStructureMmStruct | The tag for LIX_FIELD_MMSTRUCT. |
| lixStructureTaskStruct | The tag for LIX_FIELD_TASKSTRUCT. |
| lixStructureFs | The tag for LIX_FIELD_FS. |
| lixStructureFdTable | The tag for LIX_FIELD_FDTABLE. |
| lixStructureFiles | The tag for LIX_FIELD_FILES. |
| lixStructureInode | The tag for LIX_FIELD_INODE. |
| lixStructureSocket | The tag for LIX_FIELD_SOCKET. |
| lixStructureSock | The tag for LIX_FIELD_SOCK. |
| lixStructureCred | The tag for LIX_FIELD_CRED. |
| lixStructureNsProxy | The tag for LIX_FIELD_NSPROXY. |
| lixStructureUngrouped | The tag for LIX_FIELD_UNGROUPED. |
| lixStructureEnd | The end of tags. |
Definition at line 61 of file lixguest.h.
1.8.13