22 #define __init_detour_entry(fn_name, callback, flags) \ 24 .FunctionName = #fn_name, \ 25 .HijackFunctionName = NULL, \ 26 .Callback = (callback), \ 27 .Id = det_ ## fn_name, \ 28 .EnableFlags = (flags), \ 38 #define __init_detour_entry_regex(fn_name, regex, callback, flags) \ 40 .FunctionName = #fn_name regex, \ 41 .HijackFunctionName = NULL, \ 42 .Callback = callback, \ 43 .Id = det_ ## fn_name, \ 44 .EnableFlags = flags, \ 55 #define __init_detour_entry_hijack(fn_name, hijack_fn_name, callback, flags) \ 57 .FunctionName = #fn_name, \ 58 .HijackFunctionName = #hijack_fn_name, \ 59 .Callback = callback, \ 60 .Id = det_ ## fn_name ## _ ## hijack_fn_name, \ 61 .EnableFlags = flags, \ 128 QWORD ksymHijack = 0;
135 ERROR(
"[ERROR] IntLixGuestFindKsymByName failed with status: 0x%08x. (%s)\n",
136 status, FnDetour->HijackFunctionName);
143 ERROR(
"[ERROR] IntLixGuestFindKsymByName failed with status: 0x%08x. (%s)\n", status, FnDetour->FunctionName);
147 while (ksymStart < ksymEnd)
152 ERROR(
"[ERROR] IntDecDecodeInstruction failed with status: 0x%08x.\n", status);
156 if (instrux.Instruction == ND_INS_CALLNR)
158 QWORD hijackRelativeAddr = ksymHijack - (ksymStart + 5);
160 if (hijackRelativeAddr == instrux.Operands[0].Info.RelativeOffset.Rel)
162 *Address = ksymStart;
168 ksymStart += instrux.Length;
196 QWORD functionAddress = 0;
198 if (FnDetour->HijackFunctionName == NULL)
201 if (!functionAddress)
203 ERROR(
"[ERROR] Critical API '%s' not found! Aborting!\n", FnDetour->FunctionName);
207 TRACE(
"[DETOUR] Found function '%s' @ 0x%016llx\n", FnDetour->FunctionName, functionAddress);
214 ERROR(
"[ERROR] Critical API '%s' not found! Aborting!\n", FnDetour->FunctionName);
217 TRACE(
"[DETOUR] Found hijack function '%s' inside function '%s' @ 0x%016llx\n",
218 FnDetour->HijackFunctionName, FnDetour->FunctionName, functionAddress);
221 *MustValidateThreads =
TRUE;
226 ERROR(
"[ERROR] Failed to detour %s: 0x%08x\n", FnDetour->FunctionName, status);
239 _In_ const char *Name,
275 DWORD descriptorCount = 0;
283 if (descriptorCount != descriptorNumber)
292 status =
IntLixApiHook(&gLixHookHandlersx64[j], &mustValidate);
295 ERROR(
"[ERROR] Failed to set hook, status: 0x%x\n", status);
301 validateThreads =
TRUE;
312 ERROR(
"[ERROR] IntKernVirtMemWrite failed for 0x%llx with status: 0x%08x\n",
318 TRACE(
"[DETOUR] Linux detours activated... \n");
320 if (!validateThreads)
322 LOG(
"[LIXAPI] No need for validating threads!\n");
326 LOG(
"[LIXAPI] Ensuring no thread will return into our hooks!\n");
331 ERROR(
"[ERROR] IntThrSafeCheckThreads failed: 0x%08x\n", status);
359 ERROR(
"[ERROR] IntKernVirtMemPatchQword failed with status: 0x%08x\n", status);
INTSTATUS IntLixTaskHandleDoExit(void *Detour)
Handles the exit() system call.
#define DETOUR_ENABLE_ALWAYS
Can be used as the API_HOOK_DESCRIPTOR.EnableFlags to always enable the detour.
LIX_OPAQUE_FIELDS OsSpecificFields
OS-dependent and specific information.
INTSTATUS IntLixTaskHandleFork(void *Detour)
Handles the fork() system call performed by a linux process.
INTSTATUS IntLixVmaAdjust(void *Detour)
Detour handler for in-guest functions adjusting VMA ranges.
#define OFFSET_OF(Type, Member)
INTSTATUS IntKernVirtMemWrite(QWORD KernelGva, DWORD Length, void *Buffer)
Writes data to a guest kernel virtual memory range.
DWORD HookHandler
Used to identify the index of the LIX_FN_DETOUR the in the gLixHookHandlersx64.
#define INT_STATUS_SUCCESS
#define __init_detour_entry_hijack(fn_name, hijack_fn_name, callback, flags)
Create a new LIX_FN_DETOUR entry that is used for middle-function detours.
INTSTATUS IntLixFtraceHandler(void *Detour)
Handles the incoming 'text_poke' patches from the guest.
void IntLixApiUpdateHooks(void)
Update the hookable APIs according to the current Introcore options.
__default_fn_attr void module_param_sysfs_setup(void *module)
INTSTATUS IntLixCrashPanicHandler(void *Detour)
Called if the 'panic' or 'kcrash_exec' handler is hit.
#define INT_SUCCESS(Status)
DWORD FunctionsCount
The number of function to be hooked.
INTSTATUS IntResumeVcpus(void)
Resumes the VCPUs previously paused with IntPauseVcpus.
#define INTRO_OPT_PROT_KM_LX_TEXT_READS
Enable kernel '_text' section read protection (Linux only).
INTSTATUS IntLixTaskHandleVmRw(void *Detour)
Handles the process_vm_writev() system call.
__default_fn_attr void text_poke(void *addr, const void *opcode, size_t len)
__default_fn_attr void change_protection(long vma, unsigned long start, unsigned long end, unsigned long newprot, int dirty_accountable, int prot_numa)
__default_fn_attr long arch_ptrace(long child, long request)
INTSTATUS IntDriverUnloadHandler(void const *Detour)
The detour handler that will be invoked when a guest driver is unloaded.This handles driver unloading...
INTSTATUS IntLixApiHookAll(void)
Iterates through all APIs that can be hooked and sets requested hooks.
int INTSTATUS
The status data type.
INTSTATUS IntLixVmaRemove(void *Detour)
Detour handler for functions that unmap memory for processes.
#define INT_STATUS_NOT_FOUND
const LIX_FN_DETOUR gLixHookHandlersx64[]
An array of the LIX_FN_DETOUR that contains all detours used by the introspection engine...
__default_fn_attr void vma_adjust(long _vma, unsigned long _start, unsigned long _end, unsigned long _pgoff, void *_insert, void *_expand, long *_skip_call, long saved_vma, long next, long prev)
__default_fn_attr int complete_signal(int sig, void *task, enum pid_type type)
INTSTATUS IntLixJumpLabelHandler(void *Detour)
Handles the incoming read (arch_jmp_label_transform) from the guest.
INTSTATUS IntPauseVcpus(void)
Pauses all the guest VCPUs.
INTSTATUS IntThrSafeCheckThreads(QWORD Options)
Checks if any of the guest threads have their RIP or have any stack pointers pointing to regions of c...
__default_fn_attr void module_param_sysfs_remove(void *module)
INTSTATUS IntLixVmaInsert(void *Detour)
Detour handler for "__vma_link_rb" function.
__default_fn_attr void wake_up_new_task(long task)
INTSTATUS IntDriverLoadHandler(void const *Detour)
The detour handler that will be invoked when a guest loads a new driver.This handles driver loading i...
static INTSTATUS IntLixApiHook(const LIX_FN_DETOUR *FnDetour, BOOLEAN *MustValidateThreads)
Will hook one function as described by the FnDetour.
INTSTATUS IntLixVmaChangeProtection(void *Detour)
Detour handler for "change_protection" function.
__default_fn_attr void expand_downwards(long vma, unsigned long address)
__default_fn_attr size_t process_vm_rw_core(int pid, void *iter, void *rvec, unsigned long riovcnt, unsigned long flags, int vm_write)
#define INITIAL_CRC_VALUE
INTSTATUS IntLixCommitCredsHandle(void *Detour)
Detour handler for "commit_creds" function.
INTSTATUS IntLixTaskHandleExec(void *Detour)
Handles the exec() system call of a linux process.
QWORD Current
The currently used options.
__default_fn_attr void __access_remote_vm(void *task, void *mm, unsigned long addr, void *buf, int len, unsigned int gup_flags)
static BOOLEAN IntLixApiCmpFunctionNameWithHash(const char *Name, DWORD NameHash)
Check if the crc32 of the Name is equal to the provided NameHash.
__default_fn_attr void panic(const char *fmt)
INTSTATUS IntLixAccessRemoteVmHandler(void *Detour)
Detour handler for __access_remote_vm.
__default_fn_attr void do_exit(long code)
INTSTATUS IntDetSetLixHook(QWORD FunctionAddress, const LIX_FN_DETOUR *FnDetour, BOOLEAN *MultipleInstructions)
Detours a function from guest.
__default_fn_attr void ftrace_write(unsigned long ip, const char *val, int size)
LIX_FUNCTION * Functions
An array of LIX_FUNCTION to be hooked.
#define INTRO_OPT_ENABLE_UM_PROTECTION
Aggregates all the user mode protection flags.
#define THS_CHECK_DETOURS
Will check if any RIP is inside detours.
__default_fn_attr void arch_jump_label_transform(void *entry, enum jump_label_type type)
INTSTATUS IntLixTextPokeHandler(void *Detour)
Handles the incoming 'text_poke' patches from the guest.
GUEST_STATE gGuest
The current guest state.
#define INTRO_OPT_PANIC_CLEANUP
Enable memory cleanup after an OS crash (Linux).
struct _LINUX_GUEST::@125::@128 Detour
#define INTRO_OPT_EVENT_OS_CRASH
Enable OS crash events (generates introEventCrashEvent events).
__default_fn_attr void commit_creds(long *creds)
DWORD NameHash
Crc32 of the function name.
INTSTATUS IntLixTaskHandlePtrace(void *Detour)
Handles the ptrace() system call.
INTSTATUS IntKernVirtMemPatchQword(QWORD GuestVirtualAddress, QWORD Data)
Writes 8 bytes in the guest kernel memory.
#define __init_detour_entry_regex(fn_name, regex, callback, flags)
Create a new LIX_FN_DETOUR entry that appends the provided 'regex' to the end of the 'FunctioName'...
INTSTATUS IntLixCrashHandle(void *Detour)
Sends an event that contains the information about signal received by the current task...
DWORD Crc32String(const char *String, DWORD InitialCrc)
Computes the CRC for a NULL-terminated utf-8 string.
__default_fn_attr void vma_rb_erase(long vma, void *root)
__default_fn_attr void __vma_link_rb(void *mm, void *vma, void **rb_link, void *rb_parent)
void IntDisasmGva(QWORD Gva, DWORD Length)
This function disassembles a code buffer (given its GVA) and then dumps the instructions (textual dis...
__default_fn_attr int flush_old_exec(long binprm)
QWORD IntKsymFindByName(const char *Name, QWORD *SymEnd)
Searches the given Name in kallsyms and returns the Start & End offset.
INTSTATUS IntLixVmaExpandDownwards(void *Detour)
Detour handler for "expand_downwards" function.
#define __init_detour_entry(fn_name, callback, flags)
Create a new LIX_FN_DETOUR entry.
static INTSTATUS IntLixApiHijackHook(const LIX_FN_DETOUR *FnDetour, QWORD *Address)
Fetch the address of the hijack function name provided by the LIX_FN_DETOUR.
struct _LINUX_GUEST::@125 MmAlloc
INTRO_PROT_OPTIONS CoreOptions
The activation and protection options for this guest.
INTSTATUS IntDecDecodeInstruction(IG_CS_TYPE CsType, QWORD Gva, void *Instrux)
Decode an instruction from the provided guest linear address.
LINUX_GUEST * gLixGuest
Global variable holding the state of a Linux guest.
Describes a Linux-function to be hooked.
1.8.13