69 #define SYSCALL_SIG_FLAG_KPTI 0x80000000 100 gErrorStateContext = Context;
164 *IsKptiActive =
FALSE;
166 for (
DWORD it = 0; it < Size;)
180 if (instrux.Instruction == ND_INS_MOV_CR &&
181 ND_IS_OP_REG(&instrux.Operands[0], ND_REG_CR, (
DWORD)gGuest.
WordSize, NDR_CR3))
183 *IsKptiActive =
TRUE;
187 it += instrux.Length;
217 *KptiInstalled =
FALSE;
223 ERROR(
"[ERROR] IntKernVirtMemRead failed for %llx: 0x%08x\n", SyscallHandler, status);
230 ERROR(
"[ERROR] IntCamiLoadSection failed: 0x%08x\n", status);
238 for (j = 0; j < gSysenterSignatures[i].
Length; j++)
240 if (gSysenterSignatures[i].Pattern[j] != 0x100 && gSysenterSignatures[i].Pattern[j] != buffer[j])
249 TRACE(
"[INTRO-INIT] Found the syscall handler %d address at 0x%016llx\n", i, SyscallHandler);
251 *OsType = gSysenterSignatures[i].
SignatureId & 0xFF;
261 LOG(
"Syscall/interrupt @0x%016llx handler not identified... Dumping %zu bytes from it!\n",
262 SyscallHandler,
sizeof(buffer));
264 for (i = 0; i <
sizeof(buffer); i += 8)
266 NLOG(
"%02x %02x %02x %02x %02x %02x %02x %02x\n", buffer[i], buffer[i + 1], buffer[i + 2], buffer[i + 3],
267 buffer[i + 4], buffer[i + 5], buffer[i + 6], buffer[i + 7]);
297 QWORD analyzeAddress[3] = {0};
300 *KptiInstalled =
FALSE;
306 ERROR(
"[ERROR] Failed reading SYSCALL MSRs: 0x%08x\n", status);
314 ERROR(
"[ERROR] Failed reading SYSENTER MSRs: 0x%08x\n", status);
322 ERROR(
"[ERROR] Failed reading INT 0 handler: 0x%08x\n", status);
329 if (analyzeAddress[l] == 0)
337 TRACE(
"[INTRO-INIT] Found the syscall/interrupt handler address at %llx\n", analyzeAddress[l]);
361 if (NULL == GuestInfo)
366 GuestInfo->Guest64 = gGuest.
Guest64;
383 GuestInfo->StartupTime = time;
424 ERROR(
"[ERROR] IntEferRead failed: 0x%08x\n", status);
443 else if (0 != (Efer & EFER_LMA))
451 else if (0 != (Cr0 &
CR0_PG))
478 ERROR(
"[ERROR] IntEferRead failed: 0x%08x\n", status);
546 #define MAX_INIT_RETRIES 32 551 BOOLEAN bKptiInstalled, bKptiActive, bSameCr3;
560 ERROR(
"[ERROR] Introspection is already initialized, this should not happen... Remove the hook!\n");
563 gCr3WriteHook = NULL;
577 ERROR(
"[ERROR] IntGuestInitMemoryInfo failed: 0x%08x\n", status);
584 ERROR(
"[ERROR] IntSyscallRead failed: 0x%08x\n", status);
591 ERROR(
"[ERROR] IntSysenterRead failed: 0x%08x\n", status);
595 if (0 == syscall && 0 == sysenter)
621 ERROR(
"[ERROR] Guest has activated LA57 mode, we don't support it yet!\n");
639 ERROR(
"[ERROR] IntGuestInitMemoryInfo failed: %08x\n", status);
640 goto _resume_and_leave;
643 LOG(
"[INTRO-INIT] Will try %d time to static init the guest on CPU %02d with EFER 0x%08llx and %s paging mode...\n",
656 ERROR(
"[ERROR] IntGetGprs failed on CPU %d: %08x\n", i, status);
657 goto _resume_and_leave;
660 LOG(
"[INTRO-INIT] CPU %02d: CR0 = %08llx, CR3 = %016llx, CR4 = %08llx, RIP = %016llx\n",
671 ERROR(
"[ERROR] IntGuestDetectOs failed: 0x%08x\n", status);
672 goto _resume_and_leave;
675 LOG(
"[INTRO-INIT] Identified OS type %s\n",
683 TRACE(
"[INTRO-INIT] Guest has KPTI installed: %d, enabled: %d\n",
700 goto _resume_and_leave;
706 ERROR(
"[ERROR] IntCallbacksInit failed: 0x%08x\n", status);
710 goto _resume_and_leave;
713 TRACE(
"[INTRO-INIT] Callbacks initialized successfully!\n");
719 gCr3WriteHook = NULL;
723 ERROR(
"[ERROR] IntHookCrRemoveHook failed: %08x\n", status2);
729 ERROR(
"[ERROR] [CRITICAL] Tried %d times to init the introspection, bail out...\n",
gInitRetryCount);
736 ERROR(
"[ERROR] An error occurred in init: %08x, %d. Will uninit the introspection!\n",
748 #undef MAX_INIT_RETRIES 775 memzero(&gGuest,
sizeof(gGuest));
789 ERROR(
"[ERROR] IntQueryGuestInfo failed for feature CPU COUNT: 0x%08x\n", status);
790 goto _cleanup_and_exit;
797 ERROR(
"[ERROR] IntQueryGuestInfo failed for feature TSC SPEED: 0x%08x\n", status);
800 TRACE(
"[INTRO-INIT] TSC speed = 0x%016llx ticks/second\n", gGuest.
TscSpeed);
806 WARNING(
"[WARNING] IntQueryGuestInfo failed for feature #VE: 0x%08x\n", status);
813 WARNING(
"[WARNING] IntQueryGuestInfo failed for feature VMFUNC: 0x%08x\n", status);
820 WARNING(
"[WARNING] IntQueryGuestInfo failed for feature SPP: 0x%08x\n", status);
827 WARNING(
"[WARNING] IntQueryGuestInfo failed for feature DTR: 0x%08x\n", status);
831 LOG(
"[INTRO-INIT] CPU/HV support: #VE: %s, VMFUNC: %s, SPP: %s, DTR events: %s\n",
840 goto _cleanup_and_exit;
854 TRACE(
"[INTRO-INIT] Stats module initialized successfully!\n");
859 ERROR(
"[ERROR] IntHookInit failed: 0x%08x\n", status);
860 goto _cleanup_and_exit;
862 TRACE(
"[INTRO-INIT] New Hook module initialized successfully!\n");
867 ERROR(
"[ERROR] IntHookMsrInit failed: 0x%08x\n", status);
868 goto _cleanup_and_exit;
870 TRACE(
"[INTRO-INIT] MSR Hook module initialized successfully!\n");
875 ERROR(
"[ERROR] IntHookDtrInit failed: 0x%08x\n", status);
876 goto _cleanup_and_exit;
878 TRACE(
"[INTRO-INIT] DTR Hook module initialized successfully!\n");
883 ERROR(
"[ERROR] IntHookCrInit failed: 0x%08x\n", status);
884 goto _cleanup_and_exit;
886 TRACE(
"[INTRO-INIT] CR Hook module initialized successfully!\n");
891 ERROR(
"[ERROR] IntHookXcrInit failed: 0x%08x\n", status);
892 goto _cleanup_and_exit;
894 TRACE(
"[INTRO-INIT] XCR Hook module initialized successfully!\n");
899 ERROR(
"[ERROR] IntIcCreate failed: 0x%08x\n", status);
900 goto _cleanup_and_exit;
902 TRACE(
"[INTRO-INIT] Instruction cache module initialized successfully!\n");
912 ERROR(
"[ERROR] IntGpaCacheInit failed: 0x%08x\n", status);
913 goto _cleanup_and_exit;
915 TRACE(
"[INTRO-INIT] GPA cache module initialized successfully!\n");
920 ERROR(
"[ERROR] IntSwapMemInit failed: 0x%08x\n", status);
921 goto _cleanup_and_exit;
923 TRACE(
"[INTRO-INIT] Swapmem module initialized successfully!\n");
928 ERROR(
"[ERROR] IntVasInit failed: 0x%08x\n", status);
929 goto _cleanup_and_exit;
931 TRACE(
"[INTRO-INIT] VAS Monitor module initialized successfully!\n");
936 ERROR(
"[ERROR] IntExceptInit failed: 0x%08x\n", status);
937 goto _cleanup_and_exit;
939 TRACE(
"[INTRO-INIT] Kernel-mode exception module initialized successfully!\n");
948 WARNING(
"[WARNING] Both INTRO_OPT_IN_GUEST_PT_FILTER and INTRO_OPT_VE are set, " 949 "will ignore INTRO_OPT_IN_GUEST_PT_FILTER, because #VE is initialized!\n");
955 WARNING(
"[WARNING] Both INTRO_OPT_IN_GUEST_PT_FILTER and INTRO_OPT_VE are set, " 956 "will ignore INTRO_OPT_VE, because #VE is NOT initialized!\n");
965 ERROR(
"[ERROR] IntHookCrSetHook failed: 0x%08x\n", status);
966 goto _cleanup_and_exit;
1024 gCr3WriteHook = NULL;
1055 gCr3WriteHook = NULL;
1060 TRACE(
"[INTRO-UNINIT] Uninit the Windows guest...\n");
1065 TRACE(
"[INTRO-UNINIT] Uninit the Linux guest...\n");
1069 TRACE(
"[INTRO-UNINIT] Uninit #VE...\n");
1072 TRACE(
"[INTRO-UNINIT] Uninit exceptions...\n");
1075 TRACE(
"[INTRO-UNINIT] Uninit integrity...\n");
1078 TRACE(
"[INTRO-UNINIT] Uninit VAS monitor...\n");
1081 TRACE(
"[INTRO-UNINIT] Uninit memory tables...\n");
1084 TRACE(
"[INTRO-UNINIT] Uninit SWAPGS mitigations...\n");
1087 TRACE(
"[INTRO-UNINIT] Uninit detours-guest...\n");
1090 TRACE(
"[INTRO-UNINIT] Uninit slack...\n");
1093 TRACE(
"[INTRO-UNINIT] Uninit instruction cache...\n");
1099 TRACE(
"[INTRO-UNINIT] Uninit memcloak...\n");
1102 TRACE(
"[INTRO-UNINIT] Uninit swapmem...\n");
1108 TRACE(
"[INTRO-UNINIT] Uninit windows pfn locks...\n");
1112 TRACE(
"[INTRO-UNINIT] Uninit unpack...\n");
1115 TRACE(
"[INTRO-UNINIT] Uninit new hooks...\n");
1118 TRACE(
"[INTRO-UNINIT] Uninit hooker-msr...\n");
1121 TRACE(
"[INTRO-UNINIT] Uninit hooker-dtr...\n");
1124 TRACE(
"[INTRO-UNINIT] Uninit hooker-cr...\n");
1127 TRACE(
"[INTRO-UNINIT] Uninit hooker-xcr...\n");
1130 TRACE(
"[INTRO-UNINIT] Uninit GPA cache...\n");
1139 TRACE(
"[INTRO-UNINIT] Uninit callbacks...\n");
1142 TRACE(
"[INTRO-UNINIT] Free cami protected processes array ...\n");
1153 TRACE(
"Calling the notification callback...\n");
1157 memzero(&gGuest,
sizeof(gGuest));
1159 TRACE(
"All done!\n");
1182 if (agWaitState !=
agNone)
1184 WARNING(
"[SAFENESS] We have a %s agent with tag %u!\n",
1185 agWaitState ==
agActive ?
"Active" :
"Waiting", agTag);
1224 LOG(
"Introcore shutdown requested while the guest is transitioning into hibernate...\n");
1244 LOG(
"[INFO] Ignore safeness!\n");
1250 LOG(
"[INFO] It's not safe to unload yet!\n");
1253 goto resume_and_exit;
1263 goto resume_and_exit;
1296 LOG(
"[PTCORE] Will try to reinject the PT Filter...\n");
1300 ERROR(
"[ERROR] IntPtiInjectPtFilter failed: 0x%08x\n", status);
1305 skipAgentActivation =
TRUE;
1306 LOG(
"[PTCORE] PT Filter was re-injected with success!\n");
1311 LOG(
"[VECORE] Will try to reinject the #VE Agent...\n");
1315 ERROR(
"[ERROR] IntVeDeployAgent failed: 0x%08x\n", status);
1320 skipAgentActivation =
TRUE;
1321 LOG(
"[VECORE] The #VE Agent was re-injected with success!\n");
1325 if (!skipAgentActivation)
1332 ERROR(
"[ERROR] IntAgentActivatePendingAgent failed: 0x%08x\n", status);
1341 ERROR(
"[ERROR] IntHookCommitAllHooks failed: 0x%08x\n", status);
1350 ERROR(
"[ERROR] IntHookMsrCommit failed: 0x%08x\n", status);
1359 ERROR(
"[ERROR] IntHookDtrCommit failed: 0x%08x\n", status);
1368 ERROR(
"[ERROR] IntHookCrCommit failed: 0x%08x\n", status);
1377 ERROR(
"[ERROR] IntHookXcrCommit failed: 0x%08x\n", status);
1386 ERROR(
"[ERROR] IntSwapMemInjectPendingPF failed: 0x%08x\n", status);
1448 WARNING(
"[WARNING] Cannot modify options now, an uninit is pending!\n");
1458 WARNING(
"[WARNING] Both INTRO_OPT_IN_GUEST_PT_FILTER and INTRO_OPT_VE are set, will ignore" 1459 "INTRO_OPT_IN_GUEST_PT_FILTER, because #VE is initialized!\n");
1460 NewOptions &= ~INTRO_OPT_IN_GUEST_PT_FILTER;
1465 WARNING(
"[WARNING] Both INTRO_OPT_IN_GUEST_PT_FILTER and INTRO_OPT_VE are set, will ignore INTRO_OPT_VE, " 1466 "because #VE is NOT initialized!\n");
1467 NewOptions &= ~INTRO_OPT_VE;
1738 ERROR(
"[ERROR] IntGetMaxGpfn failed: 0x%08x\n", status);
void IntUnpUninit(void)
Uninit the unpacker. This will stop the monitor on all pages.
#define INT_STATUS_GUEST_OS_NOT_SUPPORTED
Indicates that the guest operating system is not supported.
#define THS_CHECK_SWAPGS
Will check if any RIP is inside a mitigated SWAPGS gadget.
INTSTATUS IntHookXcrCommit(void)
Commit the extended control register hooks.
INTSTATUS IntLixGuestNew(void)
Starts the initialization and enable protection for a new Linux guest.
INTSTATUS IntPtiInjectPtFilter(void)
Inject the PT filter inside the guest.
INTSTATUS IntWinDrvUpdateProtection(void)
Used to update the protection for all the loaded modules (gKernelDrivers).
BOOLEAN SupportDTR
Set to True if support for DTR access exits was detected.
INTSTATUS IntGuestInit(QWORD Options)
Initialize the given guest state.
#define INTRO_OPT_VE
Enable the Virtualization exception page table access pre-filtering agent (64-bit Windows only)...
void IntCamiClearUpdateBuffer(void)
Uninitialize the update buffer and notify the integrator that we don't need it anymore.
INTSTATUS IntVasUnInit(void)
Uninit the VAS monitor state.
DWORD gSysenterSignaturesCount
The number of entries in the gSysenterSignatures array.
Commit all the MSR hooks.
INTSTATUS IntHookInit(void)
Initialize the global hook system.
INTSTATUS IntIdtrUnprotect(void)
Remove the IDTR protection.
void IntSwapgsDisable(void)
Disable SWAPGS mitigations. Must be used only for PrepareUninit.
WINDOWS_GUEST * gWinGuest
Global variable holding the state of a Windows guest.
VCPU_STATE * gVcpu
The state of the current VCPU.
No active/pending agents.
IG_ARCH_REGS Regs
The current state of the guest registers.
INTSTATUS IntIdtGetEntry(DWORD CpuNumber, DWORD Entry, QWORD *Handler)
Get the handler of an interrupt from the IDT.
DWORD Index
The VCPU number.
INTSTATUS IntIdtrProtect(void)
Enable IDTR protection.
INTSTATUS IntLixKernelReadProtect(void)
Activates kernel protection.
BOOLEAN Initialized
True if the VCPU is initialized and used by the guest, False if it is not.
INTSTATUS IntAgentActivatePendingAgent(void)
Activate a pending Windows or Linux agent.
INTSTATUS IntHookCommitAllHooks(void)
Commits all the hooks.
QWORD SystemCr3
The Cr3 used to map the kernel.
#define INT_STATUS_SUCCESS
INTSTATUS IntGetGprs(DWORD CpuNumber, PIG_ARCH_REGS Regs)
Get the current guest GPR state.
INTSTATUS IntVasInit(void)
Initialize the VAS monitor state.
#define INTRO_OPT_PROT_KM_LX
Enable kernel image protection (Linux only).
static INTSTATUS IntGuestDetectOs(INTRO_GUEST_TYPE *OsType, BOOLEAN *KptiInstalled, BOOLEAN *KptiActive)
Detect the type of the currently running guest kernel.
Get the availability of the IDTR/GDTR exits.
static PAGING_MODE IntGuestGetPagingMode(QWORD Efer, QWORD Cr4, QWORD Cr0)
Get the paging mode used by the guest on the current VCPU.
BOOLEAN SysprocBetaDetections
INTSTATUS IntHookCrSetHook(DWORD Cr, DWORD Flags, PFUNC_CrWriteHookCallback Callback, void *Context, HOOK_CR **Hook)
Set a control register write hook.
void IntWinPfnUnInit(void)
Uninits the PFN locks.
static void IntGuestIsKptiActive(BYTE *SyscallBuffer, DWORD Size, BOOLEAN *IsKptiActive)
Checks if the Syscall handler is specific to a System with KPTI enabled.
INTSTATUS IntWinGuestUnprotectSudExec(void)
Removes the execution EPT hook on SharedUserData.
DWORD IntGetCurrentCpu(void)
Returns the current CPU number.
void IntDetUninit(void)
Uninitializes the detour module.
BOOLEAN Initialized
True if this structure was initialized and can be used.
INTSTATUS IntWinInfHookProtect(void)
This function initializes protection against infinity hook mechanism.
INTSTATUS IntHookMsrInit(void)
Initialize the model specific registers hook state.
#define INT_SUCCESS(Status)
INTSTATUS IntWinTokenUnprotectPrivs(void)
Unprotects all the currently protected tokens belonging to processes against privileges manipulation...
A critical structure was not found inside the guest kernel.
#define CR3_LONG_MODE_MASK
INTSTATUS IntResumeVcpus(void)
Resumes the VCPUs previously paused with IntPauseVcpus.
void IntStatsInit(void)
Initialization routine.
void IntWinApiUpdateHooks(void)
Iterate through all hookable APIs and enable or disable them according to the current Introcore optio...
BOOLEAN KernelBetaDetections
True if the kernel protection is in beta (log-only) mode.
#define INTRO_OPT_PROT_KM_LX_TEXT_READS
Enable kernel '_text' section read protection (Linux only).
INTSTATUS IntHookCrUninit(void)
Uninit the control register hooks state.
BOOLEAN SafeToApplyOptions
True if the current options can be changed dynamically.
INTSTATUS IntWinTokenProtectPrivs(void)
Protects all the currently unprotected tokens belonging to processes against privileges manipulation...
INTSTATUS IntGpaCacheInit(PGPA_CACHE *Cache, DWORD LinesCount, DWORD EntriesCount)
Initialize a GPA cache.
void IntWinObjCleanup(void)
Cleans up any resources allocated by the object search.
INTSTATUS IntHookDtrCommit(void)
Commit the descriptor registers hooks.
#define HpAllocWithTag(Len, Tag)
int INTSTATUS
The status data type.
The operating system version is not supported.
INTSTATUS IntHookXcrInit(void)
Initialize the extended control registers hook state.
INTSTATUS IntMsrSyscallProtect(void)
Enable protection for all SYSCALL and SYSENTER MSRs.
DWORD OSVersion
Os version.
INTSTATUS IntGetMaxGpfn(QWORD *MaxGpfn)
Get the last physical page frame number accessible by the guest.
#define INT_STATUS_NOT_FOUND
BOOLEAN SupportVMFUNC
Set to True if support for VMFUNC was detected.
INTSTATUS IntQueryGuestInfo(DWORD InfoClass, void *InfoParam, void *Buffer, DWORD BufferLength)
INTSTATUS IntMemClkUnInit(void)
Uninits the memory cloak subsystem.
void IntSwapgsUninit(void)
Uninit the SWAPGS mitigation.
INTSTATUS IntExceptUninit(void)
This function removes and frees all exceptions and signatures.
INTSTATUS IntSwapMemInit(void)
Init the swapmem system.
static HOOK_CR * gCr3WriteHook
The Cr2 write hook handle used for initialization.
INTSTATUS IntCallbacksUnInit(void)
Uninit all the Introcore callbacks.
PVCPU_STATE VcpuArray
Array of the VCPUs assigned to this guest. The index in this array matches the VCPU number...
#define INT_STATUS_LOAD_ABORTED
Indicates that Introcore loading was aborted.
INTSTATUS IntIcCreate(INS_CACHE **Cache, DWORD LinesCount, DWORD EntriesCount, DWORD InvCount)
Create anew instruction cache.
INTSTATUS IntCr4Unprotect(void)
Disables the CR4 protection.
INTSTATUS IntHookXcrUninit(void)
Uninit the extended control register hooks state.
INTSTATUS IntPauseVcpus(void)
Pauses all the guest VCPUs.
void IntLixVdsoUnprotect(void)
Remove protection for the vDSO image and VSYSCALL.
#define INTRO_OPT_PROT_KM_IDT
INTRO_GUEST_TYPE OSType
The type of the guest.
BOOLEAN VeAgentWaiting
True if the #VE agent was not yet injected, but it should be.
INTSTATUS IntSwapMemUnInit(void)
Uninit the swapmem system.
Commit all the memory hooks.
INTSTATUS IntHookDtrUninit(void)
Uninit the descriptor registers hooks state.
QWORD Cr4
Cr4 value used when deducing the paging mode.
INTSTATUS IntVeUnInit(void)
Uninit the VE system.
INTSTATUS IntThrSafeCheckThreads(QWORD Options)
Checks if any of the guest threads have their RIP or have any stack pointers pointing to regions of c...
void IntLixGuestUninitGuestCode(void)
Removes the EPT hooks from detours/agents memory zone and clears these memory zones.
void IntLixApiUpdateHooks(void)
Update the hookable APIs according to the current Introcore options.
void IntMtblDisable(void)
Disables mem-table instructions instrumentation.
#define INTRO_OPT_PROT_KM_VDSO
Enable vDSO image protection (Linux only).
INTSTATUS IntWinDrvObjUpdateProtection(void)
Updates the protection for all the driver objects in the gWinDriverObjects list.
void IntLixDrvUpdateProtection(void)
Update Linux drivers protection according to the new core options.
INTSTATUS IntWinGuestNew(void)
Starts the initialization and protection process for a new Windows guest.
INTSTATUS IntWinUnprotectReadNtEat(void)
Used to remove the EAT read hook from ntoskrnl.exe.
static DWORD gInitRetryCount
The number of times initialization was tried.
INTSTATUS IntGdtrProtect(void)
Enable GDTR protection.
#define INTRO_OPT_PROT_KM_SELF_MAP_ENTRY
BOOLEAN PtFilterWaiting
True if the in-guest PT filter was not yet injected, but it should be.
INTSTATUS IntWinIdtUnprotectAll(void)
Removes the IDT protection for all the guest CPUs.
BOOLEAN IntLixGuestDeployUninitAgent(void)
Inject the 'uninit' agent to free the previously allocated memory for detours/agents.
BOOLEAN KptiActive
True if KPTI is enabled on this guest, False if it is not.
#define INTRO_OPT_SYSPROC_BETA_DETECTIONS
Enable system processes beta (log only) detection.
INTSTATUS IntHookCrInit(void)
Initialize the control registers hook state.
INTSTATUS IntHookCrCommit(void)
Commit the control register hooks.
#define INTRO_OPT_PROT_KM_MSR_SYSCALL
Get the number of VCPUs available to the guest.
BOOLEAN gAbortLoad
Set to True if introcore should abort the initialization process.
DWORD Length
The valid size of the Pattern array.
BOOLEAN SupportSPP
Set to True if support for SPP was detected.
#define INT_STATUS_CANNOT_UNLOAD
Indicates that Introcore can not unload in a safely manner.
INTSTATUS IntLixIdtUnprotectAll(void)
Disable protection for IDT on all CPUs.
The context of an error state.
INTSTATUS IntIntegrityUninit(void)
Uninits the integrity mechanism by removing every integrity region from the list. ...
#define INT_STATUS_NOT_INITIALIZED
INTSTATUS IntSysenterRead(DWORD CpuNumber, QWORD *SysCs, QWORD *SysEip, QWORD *SysEsp)
Queries the IA32_SYSENTER_CS, IA32_SYSENTER_EIP, and IA32_SYSENTER_ESP guest MSRs.
#define IG_CURRENT_VCPU
For APIs that take a VCPU number as a parameter, this can be used to specify that the current VCPU sh...
BOOLEAN PaeEnabled
True if Physical Address Extension is enabled.
INTSTATUS IntHookUninit(void)
Uninit the global hooks system.
#define IG_DISABLE_IGNORE_SAFENESS
PATTERN_SIGNATURE * gSysenterSignatures
The syscall and sysenter signatures used to identify an OS.
INTSTATUS IntCamiProtectedProcessFree(void)
Uninitialize the global holding custom process protection options.
Reinject the #VE or PT filtering agent, based on the active options.
BOOLEAN Guest64
True if this is a 64-bit guest, False if it is a 32-bit guest.
static INTRO_ERROR_STATE gErrorState
The last error reported.
QWORD Current
The currently used options.
#define INTRO_OPT_PROT_KM_IDTR
Enable interrupt descriptor-table registers protection.
INTSTATUS IntGuestPreReturnCallback(DWORD Options)
Handles all the operations that must be done before returning from a VMEXIT event handler...
BOOLEAN IntGuestShouldNotifyErrorState(void)
Checks if an event should be sent to the integrator.
Structure encapsulating VCPU-specific information.
void IntDetDumpDetours(void)
Prints all the detours in the gDetours list of detours.
INTSTATUS IntLixVdsoProtect(void)
Activates protection for the vDSO image and VSYSCALL.
void * GpaCache
The currently used GPA cache.
#define CR3_LEGACY_PAE_MASK
INTSTATUS IntDecDecodeInstructionFromBuffer(PBYTE Buffer, size_t BufferSize, IG_CS_TYPE CsType, void *Instrux)
Decode an instruction from the provided buffer.
QWORD LastGpa
The upper limit of the guest physical address range.
BOOLEAN GuestInitialized
True if the OS-specific portion has been initialized.
#define HpFreeAndNullWithTag(Add, Tag)
INTSTATUS IntVeRemoveAgent(DWORD AgOpts)
Removes the VE agent from guest memory.
INTSTATUS IntGdtrUnprotect(void)
Remove the GDTR protection.
INTSTATUS IntIcDestroy(PINS_CACHE *Cache)
Destroy an instruction cache.
INTRO_ERROR_STATE IntGuestGetIntroErrorState(void)
Gets the last reported error-state.
INTSTATUS IntHookCrRemoveHook(HOOK_CR *Hook)
Remove a control register hook.
#define CR3_LEGACY_NON_PAE_MASK
BYTE WordSize
Guest word size. Will be 4 for 32-bit guests and 8 for 64-bit guests.
static INTSTATUS IntGuestHandleCr3Write(void *Context, DWORD Cr, QWORD OldValue, QWORD NewValue, INTRO_ACTION *Action)
Handles Cr3 writes done by the guest. This is used to initialize the introspection engine...
INTSTATUS IntExceptInit(void)
This function allocates the exceptions data and initialize the exception lists and the signature list...
INTRO_ERROR_CONTEXT * IntGuestGetIntroErrorStateContext(void)
Gets the last reported error-context appropriate to the error-state.
INTSTATUS IntNotifyIntroInactive(void)
void IntLixKernelReadUnprotect(void)
Deactivates the kernel protection against read.
static INTRO_ERROR_CONTEXT * gErrorStateContext
The last error-context reported.
QWORD ForceOff
Options that are forcibly disabled.
void IntGuestUninit(void)
Completely unloads the introspection engine.
void IntGuestPrepareUninit(void)
Prepares introcore to be unloaded.
#define SYSCALL_SIG_FLAG_KPTI
Indicates that a syscall pattern belongs to a KPTI enabled OS.
#define INTRO_OPT_PROT_KM_NT_EAT_READS
Enable kernel EAT read protection (Windows only).
DWORD CpuCount
The number of logical CPUs.
INTSTATUS IntSwapMemInjectPendingPF(void)
Inject a PF for a pending page.
#define UNREFERENCED_PARAMETER(P)
void IntStatsDumpAll(void)
Prints all the non-zero stats.
INTSTATUS IntGuestGetLastGpa(QWORD *MaxGpa)
Get the upper limit of the guest physical memory range.
INTRO_GUEST_TYPE
The type of the introspected operating system.
void * InstructionCache
The currently used instructions cache.
#define INTRO_OPT_KM_BETA_DETECTIONS
INTSTATUS IntWinGetStartUpTime(QWORD *StartUpTime)
Gets the system startup time.
#define THS_CHECK_DETOURS
Will check if any RIP is inside detours.
INTSTATUS IntSyscallRead(DWORD CpuNumber, QWORD *SysStar, QWORD *SysLstar)
Queries the IA32_STAR, and IA32_LSTAR guest MSRs.
INTSTATUS IntGuestDisableIntro(QWORD Flags)
Disables and unloads the introspection engine.
INTSTATUS IntWinHalUpdateProtection(void)
Updates any of the HAL protections.
INTSTATUS IntGpaCacheUnInit(PGPA_CACHE *Cache)
Uninit a GPA cache.
INTSTATUS IntWinProtectReadNtEat(void)
Used to place a read hook on the ntoskrnl.exe EAT.
void IntSlackUninit(void)
Uninit the slack system. Must be called only during uninit.
enum _INTRO_ACTION INTRO_ACTION
Event actions.
INTSTATUS IntGuestGetInfo(PGUEST_INFO GuestInfo)
Get basic information about the guest.
BOOLEAN VeInitialized
Set to True if #VE initialization was done.
GUEST_STATE gGuest
The current guest state.
void IntWinGuestUninit(void)
Uninits a Windows guest.
void IntAgentDisablePendingAgents(void)
Disable the Windows or Linux pending agents.
void IntLixTaskUpdateProtection(void)
Adjusts protection for all active Linux processes.
BOOLEAN EnterHibernate
True if the guest is entering into hibernate.
QWORD Cr0
Cr0 value used when deducing the paging mode.
Get the availability of the VMFUNC feature in hardware and the hypervisor.
MM Mm
Guest memory information, such as paging mode, system Cr3 value, etc.
void IntGuestUpdateCoreOptions(QWORD NewOptions)
Updates Introcore options.
void IntDetDisableAllHooks(void)
Removes all detours from the guest.
static BOOLEAN IntGuestIsSafeToDisable(void)
Checks if it is safe to unload.
INTSTATUS IntWinProcUpdateProtection(void)
Iterates trough the global process list (gWinProcesses) in order to update the protection state for e...
INTSTATUS IntWinIdtProtectAll(void)
Activates the IDT protection for all the guest CPUs.
INTSTATUS IntHookMsrCommit(void)
Commit the model specific register hooks.
INTSTATUS IntMsrSyscallUnprotect(void)
Remove protection from all protected MSRs.
INTRO_ERROR_STATE
Error states.
void IntLixKernelWriteUnprotect(void)
Deactivates the kernel protection against write.
INTRO_PROT_OPTIONS ShemuOptions
Flags which describe the way shemu will give detections.
#define THS_CHECK_ONLY
Will check for safeness, without moving any RIP or stack value.
Commit all the XCR hooks.
INTSTATUS IntWinGuestProtectSudExec(void)
Protects SharedUserData against executions by establishing an EPT hook on it.
INTSTATUS IntKernVirtMemRead(QWORD KernelGva, DWORD Length, void *Buffer, DWORD *RetLength)
Reads data from a guest kernel virtual memory range.
#define SIG_MAX_PATTERN
The maximum size of a pattern.
BOOLEAN KptiInstalled
True if KPTI was detected as installed (not necessarily active).
QWORD Original
The original options as received from GLUE_IFACE.NewGuestNotification. This is updated when GLUE_IFAC...
void IntGuestSetIntroErrorState(INTRO_ERROR_STATE State, INTRO_ERROR_CONTEXT *Context)
Updates the value of the gErrorState and the value of the gErrorStateContext.
BOOLEAN SupportVE
Set to True if support for #VE was detected.
BOOLEAN LA57
True if 5-level paging is being used.
PAGING_MODE Mode
The paging mode used by the guest.
#define THS_CHECK_TRAMPOLINE
Will check if any RIP is inside the agent loader.
void IntGuestUpdateShemuOptions(QWORD NewOptions)
Update shemu options.
void IntLixGuestUninit(void)
Uninitialize the Linux guest.
INTSTATUS IntLixIdtProtectAll(void)
Activates protection for IDT on all CPUs.
INTSTATUS IntPtiRemovePtFilter(DWORD AgOpts)
Removes the PT filter.
QWORD TscSpeed
Number of ticks/second of this given guest. Should be the same as the global (physical) one...
void IntWinGuestCancelKernelRead(void)
Cancels the kernel read.
INTSTATUS IntWinSelfMapEnableSelfMapEntryProtection(void)
Enables the self map protection mechanism for the entire system.
#define INT_STATUS_INVALID_PARAMETER_1
#define INT_STATUS_NOT_SUPPORTED
#define INTRO_OPT_PROT_KM_SUD_EXEC
Enable protection against executions on SharedUserData.
#define INTRO_OPT_PROT_KM_TOKEN_PRIVS
Enable protection over Token Privileges bitmaps.
INTSTATUS IntNotifyIntroErrorState(INTRO_ERROR_STATE State, INTRO_ERROR_CONTEXT *Context)
DWORD NtBuildNumberValue
The value of the NtBuildNumber kernel variable.
Get the availability of the SPP feature in hardware and the hypervisor.
Describes a signature that can be used for searching or matching guest contents.
enum _AG_WAITSTATE AG_WAITSTATE
#define INTRO_OPT_PROT_KM_CR4
Enable CR4.SMEP and CR4.SMAP protection.
BOOLEAN BugCheckInProgress
Get the availability of the Virtualization Exception feature in hardware and the hypervisor.
BOOLEAN PtFilterFlagRemoved
Set to True if the INTRO_OPT_IN_GUEST_PT_FILTER was given, but it was removed.
INTSTATUS IntCallbacksInit(void)
Initialize the callbacks.
BOOLEAN DisableOnReturn
Set to True if after returning from this event handler, introcore must be unloaded.
BYTE Version
The version field of the version string.
#define INTRO_OPT_IN_GUEST_PT_FILTER
Enable in-guest page-table filtering (64-bit Windows only).
DWORD SignatureId
Signature ID.
INTSTATUS IntLixKernelWriteProtect(void)
Activates kernel protection.
INTSTATUS IntCr4Protect(void)
Activates the Cr4 protection.
We have an active agent, currently injected inside the guest.
INTSTATUS IntVeDeployAgent(void)
Inject the VE agent inside the guest.
INTSTATUS IntWinInfHookUnprotect(void)
Removes the protection against infinity hook.
INTSTATUS IntHookDtrInit(void)
Initialize the descriptor registers hook state.
Section will contain syscall signatures.
#define THS_CHECK_MEMTABLES
Will check if any RIP is inside memtables.
INTSTATUS IntHookMsrUninit(void)
Uninit the model specific register hooks state.
void IntVeDumpVeInfoPages(void)
Dumps the VE info pages on all VCPUs.
INTSTATUS IntWinSelfMapDisableSelfMapEntryProtection(void)
Disables the self map entry protection for all the processes on the system.
INTRO_PROT_OPTIONS CoreOptions
The activation and protection options for this guest.
static INTSTATUS IntGuestInitMemoryInfo(void)
Initializes gGuest.Mm.
INTSTATUS IntEferRead(QWORD CpuNumber, QWORD *Efer)
Reads the value of the guest IA32 EFER MSR.
static INTSTATUS IntGuestDetectOsSysCall(QWORD SyscallHandler, INTRO_GUEST_TYPE *OsType, BOOLEAN *KptiInstalled, BOOLEAN *KptiActive)
Checks if any of the predefined syscall signatures match to the given syscall handler.
#define INTRO_OPT_PROT_KM_LOGGER_CONTEXT
Enable protection on WMI_LOGGER_CONTEXT.GetCpuClock used by InfinityHook (Windows only)...
#define INTRO_OPT_PROT_KM_GDTR
Enable global descriptor-table registers protection.
LINUX_GUEST * gLixGuest
Global variable holding the state of a Linux guest.
Inject pending page faults.
Commit all the DTR hooks.
INTSTATUS IntCamiLoadSection(DWORD CamiSectionHint)
Load CAMI objects from section with given hint.
AG_WAITSTATE IntAgentGetState(DWORD *Tag)
Get the current Windows or Linux agent state.
INTSTATUS IntMtblUninit(void)
Completely uninit the mem-tables, removing all the handlers from the NT slack space.
#define INT_STATUS_INSUFFICIENT_RESOURCES
1.8.13