11 #define IS_KERNEL_POINTER_LIX(p) (((p) >= 0xFFFF800000000000) && ((p) < 0xffffffffffe00000)) 40 #define LIX_MAX_HOOKED_FN_COUNT 512 41 #define LIX_MAX_VERSION_STRINGS 3 43 #define MAX_VERSION_LENGTH 256 426 #define LIX_FIELD(Structure, Field) gLixGuest->OsSpecificFields.OpaqueFields.Structure[lixField##Structure##Field] 582 #define LIX_SYMBOL_NAME_LEN 128 589 #define LIX_GET_VERSION(Version) ((Version) >> 24) 590 #define LIX_GET_PATCH(Version) (((Version) & 0x00ff0000) >> 16) 591 #define LIX_GET_SUBLEVEL(Version) (((Version) & 0x0000ffff)) 593 #define LIX_CREATE_VERSION(K, Patch, Sublevel) ((Sublevel) | ((Patch) << 16) | ((K) << 24)) INTSTATUS IntLixGuestNew(void)
Starts the initialization and enables protection for a new Linux guest.
The offset of proto.name.
The offset of task_struct.pid.
The guest is built with VSYSCALL support.
DWORD CurrentCpuOffset
The offset of the CPU from GS.
The offset of cred.usage.
LIX_OPAQUE_FIELDS OsSpecificFields
OS-dependent and specific information.
Describes a Linux function used by the detour mechanism.
The offset of task_struct.nsproxy.
struct _LIX_SYMBOL LIX_SYMBOL
Describes a Linux ksym.
_LIX_FIELD_INFO
Describes information about a Linux guest.
INTSTATUS IntLixGuestIsKptiActive(QWORD SyscallGva)
Checks whether the Linux guest has KPTI active.
#define MAX_VERSION_LENGTH
struct _LIX_PROTECTED_PROCESS LIX_PROTECTED_PROCESS
Encapsulates a protected Linux process.
The offset of mm_struct.end_data.
Describes the information about a Linux active-patch.
The offset of module.init.
The offset of task_struct.group_leader.
The tag for LIX_FIELD_MMSTRUCT.
The offset of vm_area_struct.vm_start.
QWORD OriginalPagesAttr
The original page protection-attributes for the allocated region.
The offset of linux_binprm.argc.
QWORD End
The end guest virtual address of ksym (exclusive).
INTSTATUS IntGetVersionStringLinux(DWORD FullStringSize, DWORD VersionStringSize, CHAR *FullString, CHAR *VersionString)
Gets the version string for a Linux guest.
The offset of task_struct.thread_node.
The offset of linux_binprm.file.
The offset of module.init_layout.
DWORD HookHandler
Used to identify the index of the LIX_FN_DETOUR in gLixHookHandlersx64.
The offset of nsproxy.net_ns.
The offset of mm_struct.start_code.
The size of a 'kallsym_markers' entry is 4.
BYTE Patch
The patch field of the version string.
INTSTATUS IntLixFtraceHandler(void *Detour)
Handles the incoming 'text_poke' patches from the guest.
The value of sizeof(struct fs_struct).
BOOLEAN SkipOnBoot
Unused.
The offset of fdtable.max_fds.
The offset of task_struct.execve.
The value of the system_state.RUNNING.
The offset of module.init_layout.
The offset of task_struct.exit_code.
_LIX_FIELD_SOCKET
The index for offsets of 'struct socket'.
struct _LIX_PROTECTED_PROCESS * PLIX_PROTECTED_PROCESS
The offset of inode.i_uid.
The tag for LIX_FIELD_DENTRY.
_LIX_FIELD_FDTABLE
The index for offsets of 'struct fdtable'.
The offset of task_struct.usage.
The offset of mm_struct.flags.
QWORD Start
The start guest virtual address of ksym.
QWORD RoDataStart
The guest virtual address where the read-only data starts.
The offset of task_struct.mm.
enum _LIX_FIELD_MMSTRUCT LIX_FIELD_MMSTRUCT
The index for offsets of 'struct mm_struct'.
The offset of mm_struct.context.vdso.
struct _LIX_OPAQUE_FIELDS * PLIX_OPAQUE_FIELDS
DWORD FunctionsCount
The number of functions to be hooked.
The guest emits an absolute value in the range [0, S32_MAX] or a relative value in the range [base...
The offset of module.sum_syms.
The offset of vm_area_struct.flags.
The offset of sock.sk_dport.
void * InitProcessObj
The LIX_TASK_OBJECT of the 'init' process.
The offset of signal_struct.nr_threads.
The tag for LIX_FIELD_FILES.
WORD Length
The patch length.
QWORD Vdso32Start
The guest virtual address where the vDSO x32 starts.
The offset of task_struct.cred.
The offset of task_struct.tgid.
The offset of fs_struct.fdt.
enum _LIX_FIELD_CRED LIX_FIELD_CRED
The index for offsets of 'struct cred'.
The offset of linux_binprm.vma.
The offset of socket.type.
The offset of mm_struct.end_code.
The offset of mm_struct.start_data.
int INTSTATUS
The status data type.
QWORD Vdso32End
The guest virtual address where the vDSO x32 ends.
The offset of fs_struct.pwd.
QWORD CodeEnd
The guest virtual address where the code ends.
enum _LIX_FIELD_MODULE LIX_FIELD_MODULE
The index for offsets of 'struct module'.
_LIX_FIELD_CRED
The index for offsets of 'struct cred'.
QWORD CodeStart
The guest virtual address where the code starts.
_LIX_FIELD_UNGROUPED
The index for offsets of structures that are not grouped.
The offset of linux_binprm.interp.
int IntLixGuestGetSystemState(void)
Gets the system state of the Linux guest.
The offset of task_struct.in_execve.
The offset of task_struct.stack.
The offset of task_struct.thread_group.
QWORD PerCpuAddress
The guest virtual address of the 'per-cpu' allocated region.
The value of sizeof(struct files_struct).
DWORD ThreadStructOffset
The offset of the thread_struct from task_struct.
The tag for LIX_FIELD_MODULE.
PCHAR NamePattern
Full application file name.
The offset of linux_binprm.mm.
The offset of task_struct.exit_signal.
_LIX_FIELD_FILES
The index for offsets of 'struct files_struct'.
The offset of sock.sk_v6_daddr.
The offset of module.core_layout.size.
The offset of module.init_layout.size.
The tag for LIX_FIELD_SOCK.
struct _LIX_PROTECTED_PROCESS::@120 Protection
What protection policies should be applied.
The offset of module.core_layout.text_size.
INTSTATUS IntLixJumpLabelHandler(void *Detour)
Handles the incoming read (arch_jmp_label_transform) from the guest.
The offset of module.init_layout.text_size.
The offset of module.list.
The offset of mm_struct.pgd.
Encapsulates a protected Linux process.
The offset of sock.sk_daddr.
_LIX_FIELD_BINPRM
The index for offsets of 'struct linux_binprm'.
void IntLixGuestUninitGuestCode(void)
Removes the EPT hooks from the detours/agents memory zones and clears those zones.
The guest has module layout.
The offset of mm_struct.mm_users.
struct _LIX_SYMBOL * PLIX_SYMBOL
The offset of vm_area_struct.vm_end.
struct _LIX_ACTIVE_PATCH LIX_ACTIVE_PATCH
Describes the information about a Linux active-patch.
enum _LIX_FIELD_FILES LIX_FIELD_FILES
The index for offsets of 'struct files_struct'.
The offset of sock.sk_state.
The tag for LIX_FIELD_BINPRM.
DWORD PerCpuLength
The length (bytes) of the 'per-cpu' region.
The offset of dentry.d_parent.
BOOLEAN IntLixGuestDeployUninitAgent(void)
Injects the 'uninit' agent to free the memory previously allocated for detours/agents.
The offset of mm_struct.mmlist.
QWORD Feedback
Flags that will be forced to feedback only mode.
The offset of socket.state.
QWORD ExTableStart
The guest virtual address where the ex-table starts.
The guest emits the symbol references in the kallsyms table as 32-bit entries, each containing a relat...
The offset of mm_struct.start_stack.
Used for 'arch_jump_label_transform'.
enum _LIX_FIELD_NSPROXY LIX_FIELD_NSPROXY
The index for offsets of 'struct nsproxy'.
The offset of vm_area_struct.vm_prev.
The offset of module.core_layout.ro_size.
QWORD Current
The currently used protection flags.
The offset of task_struct.fs.
The offset of mm_struct.mmap.
LIX_STRUCTURE
Structure tags used for the Linux structures.
QWORD DataStart
The guest virtual address where the data starts.
_LIX_ACTIVE_PATCH_TYPE
Describes the type of a Linux active-patch.
The offset of nsproxy.count.
The offset of module.core_layout.
The offset of nsproxy.uts_ns.
The guest has the vdso image struct.
The tag for LIX_FIELD_NSPROXY.
Used for 'text_poke'.
The offset of dentry.d_iname.
_LIX_FIELD_MMSTRUCT
The index for offsets of 'struct mm_struct'.
The offset of module.symbols.
DWORD Value
The Linux full version number.
The offset of task_struct.flags.
QWORD Original
The original protection flags as received from integrator.
The offset of file.f_path.
The offset of socket.flags.
The offset of dentry.d_inode.
QWORD VsysCall
The guest virtual address of the vsyscall.
The offset of module.num_gpl_syms.
enum _LIX_FIELD_VMA LIX_FIELD_VMA
The index for offsets of 'struct vm_area_struct'.
enum _LIX_FIELD_FDTABLE LIX_FIELD_FDTABLE
The index for offsets of 'struct fdtable'.
void * HookObject
The hook-object for detours-code region.
_LIX_FIELD_SOCK
The index for offsets of 'struct sock'.
enum _LIX_FIELD_SOCK LIX_FIELD_SOCK
The index for offsets of 'struct sock'.
The offset of task_struct.real_parent.
The offset of module.gpl_syms.
enum _LIX_FIELD_INFO LIX_FIELD_INFO
Describes information about a Linux guest.
The tag for LIX_FIELD_FS.
PCHAR CommFullPattern
Full application name pattern.
The offset of task_struct.tasks.
QWORD Context
The context supplied in the protection policy.
QWORD VdsoEnd
The guest virtual address where the vDSO ends.
WORD Sublevel
The sublevel field of the version string.
struct _LIX_OPAQUE_FIELDS LIX_OPAQUE_FIELDS
Contains information about various Linux structures.
The tag for LIX_FIELD_VMA.
const LIX_FN_DETOUR gLixHookHandlersx64[]
An array that contains the descriptors of the functions that will be hooked (see lixapi...
struct _LIX_FUNCTION LIX_FUNCTION
Describes a Linux function used by the detour mechanism.
The offset of fs_struct.root.
The offset of linux_binprm.cred.
The value of sizeof(struct inode).
CHAR CommPattern[16]
Process name pattern (supports glob patterns). Will be used if there is no path.
The guest has an additional table that contains the sizes of the functions/variables.
The offset of nsproxy.ipc_ns.
LIX_FUNCTION * Functions
An array of LIX_FUNCTION to be hooked.
_LIX_FIELD_FS
The index for offsets of 'struct fs_struct'.
DWORD HooksId
Which OS versions are supported by these fields.
The offset of vm_area_struct.vm_rb.
The offset of vm_area_struct.file.
The offset of task_struct.comm.
_LIX_FIELD_MODULE
The index for offsets of 'struct module'.
The offset of the alternate stack.
The offset of sock.sk_family.
The offset of task_struct.signal.
The tag for LIX_FIELD_INODE.
LIST_ENTRY Link
Entry inside the gLixProtectedTasks list.
The offset of task_struct.files.
The tag for LIX_FIELD_SOCKET.
The offset of task_struct.thread_struct.sp.
The guest virtual address of the 'struct socket *sock_alloc(void);' function.
The offset of task_struct.start_time.
The offset of sock.sk_num.
QWORD DataEnd
The guest virtual address where the data ends.
The offset of sock.sk_prot.
_LIX_FIELD_INODE
The index for offsets of 'struct inode'.
The offset of file.f_path.dentry.
QWORD RoDataEnd
The guest virtual address where the read-only data ends.
enum _LIX_FIELD_UNGROUPED LIX_FIELD_UNGROUPED
The index for offsets of structures that are not grouped.
The tag for LIX_FIELD_INFO.
INTSTATUS IntLixTextPokeHandler(void *Detour)
Handles the incoming 'text_poke' patches from the guest.
enum _LIX_FIELD_BINPRM LIX_FIELD_BINPRM
The index for offsets of 'struct linux_binprm'.
The offset of mm_struct.end_data.exe_file.
enum _LIX_FIELD_SOCKET LIX_FIELD_SOCKET
The index for offsets of 'struct socket'.
The value of sizeof(struct sock).
The offset of vm_area_struct.vm_mm.
The offset of mm_struct.mm_count.
The value of sizeof(struct cred).
The offset of dentry.d_name.
The offset of module.core_layout.
enum _LIX_FIELD_INODE LIX_FIELD_INODE
The index for offsets of 'struct inode'.
enum _LIX_FIELD_DENTRY LIX_FIELD_DENTRY
The index for offsets of 'struct dentry'.
Contains information about various Linux structures.
DWORD NameHash
Crc32 of the function name.
The offset of sock.sk_receive_addr.
QWORD Address
The guest virtual address of the detours-code.
_LIX_FIELD_TASKSTRUCT
The index for offsets of 'struct task_struct'.
The offset of module.state.
The value of sizeof(struct module).
void IntLixGuestUninit(void)
Uninitializes the Linux guest.
The offset of vm_area_struct.vm_next.
enum _LIX_FIELD_TASKSTRUCT LIX_FIELD_TASKSTRUCT
The index for offsets of 'struct task_struct'.
_LIX_FIELD_DENTRY
The index for offsets of 'struct dentry'.
The offset of mm_struct.mm_rb.
The offset of fs_struct.fd.
QWORD Beta
Flags that were forced to beta mode.
The tag for LIX_FIELD_FDTABLE.
QWORD SyscallAddress
The guest virtual address of the syscall.
_LIX_FIELD_VMA
The index for offsets of 'struct vm_area_struct'.
The offset of module.init_layout.ro_size.
DWORD Length
The length (bytes) of the detours-code.
The value of sizeof(struct linux_binprm).
WORD Backport
The backport field of the version string.
BOOLEAN Cleared
True if the detours-code/data region is cleared.
The offset of nsproxy.pid_ns_for_children.
_LIX_FIELD_NSPROXY
The index for offsets of 'struct nsproxy'.
Used for 'ftrace'.
The guest has an alternative syscall handler.
The offset of task_struct.parent.
enum _LIX_ACTIVE_PATCH_TYPE LIX_ACTIVE_PATCH_TYPE
Describes the type of a Linux active-patch.
DETOUR_TAG
Unique tag used to identify a detour.
QWORD Gva
The start of the region that is about to be patched.
BYTE Version
The version field of the version string.
The tag for LIX_FIELD_UNGROUPED.
QWORD VdsoStart
The guest virtual address where the vDSO starts.
DWORD CurrentTaskOffset
The offset of the current task from GS.
The offset of inode.i_mode.
The tag for LIX_FIELD_CRED.
BOOLEAN Initialized
True if the guest is initialized.
QWORD ExTableEnd
The guest virtual address where the ex-table ends.
The tag for LIX_FIELD_TASKSTRUCT.
QWORD PropperSyscallGva
The guest virtual address of the 'real' syscall.
enum _LIX_FIELD_FS LIX_FIELD_FS
The index for offsets of 'struct fs_struct'.
QWORD Flags
Flags that describe the protection mode.
The offset of module.name.
struct _LINUX_GUEST LINUX_GUEST
Describes a Linux guest.
The offset of sock.sk_v6_daddr.
struct _LINUX_GUEST * PLINUX_GUEST
The offset of inode.i_gid.
The offset of linux_binprm.filename.
Describes a Linux-function to be hooked.
The offset of nsproxy.mnt_ns.