43 #define IS_CAMI_FILEOFFSET_OK(FileOffset) __likely((FileOffset) < gUpdateBufferSize) 46 #define IS_CAMI_FILEPOINTER_OK(FilePointer) __likely((const BYTE*)(FilePointer) >= (const BYTE*)gUpdateBuffer) && \ 47 ((const BYTE*)(FilePointer) < (const BYTE*)gUpdateBuffer + \ 51 #define IS_CAMI_STRUCTURE_OK(FilePointer) __likely(IS_CAMI_FILEPOINTER_OK(FilePointer) && \ 52 IS_CAMI_FILEPOINTER_OK(((const BYTE*)((FilePointer) + 1) - 1))) 55 #define IS_CAMI_ARRAY_OK(StartPointer, Count) __likely(IS_CAMI_FILEPOINTER_OK(StartPointer) && \ 56 ((Count) < CAMI_MAX_ENTRY_COUNT) && \ 57 (((DWORD)(Count) == 0) || \ 58 (IS_CAMI_FILEPOINTER_OK((const BYTE*)((StartPointer) + \ 59 (DWORD)(Count)) - 1)))) 67 #define GET_CAMI_STRUCT(Type, Offset) ((Type)(const void *)((const BYTE*)gUpdateBuffer + (DWORD)(Offset))) 275 minVer.
Raw = MinIntroVersion;
276 maxVer.
Raw = MaxIntroVersion;
282 return IntHviVersion.
Raw >= minVer.
Raw && IntHviVersion.
Raw <= maxVer.
Raw;
306 ERROR(
"[ERROR] Sections table entries are outside the update buffer!\n");
310 for (
DWORD i = 0; i < CamiHeader->NumberOfSections; i++)
312 if ((pHeaders[i].Hint & SectionHint) == SectionHint)
314 return (pHeaders + i);
344 char *pBasePtr = NULL;
360 for (
DWORD iStruct = 0; iStruct < Count; iStruct++)
362 const DWORD *pFields;
364 if (CamiStructures->MembersCount < ToLoad->MembersCount)
366 ERROR(
"[ERROR] For structure %d we need at least %d fields, got only %d\n",
367 iStruct, ToLoad->MembersCount, CamiStructures->MembersCount);
374 ERROR(
"[ERROR] Members for structure %d are outside the update buffer!\n", iStruct);
378 memcpy(pBasePtr + ToLoad->Offset, pFields,
sizeof(
DWORD) * ToLoad->MembersCount);
410 LOG(
"[ERROR] Pattern signature descriptors are outside the update buffer!");
414 if (SectionHeader->EntryCount == 0)
416 ERROR(
"[ERROR] Invalid entry count for the pattern signature array: %u\n", SectionHeader->EntryCount);
421 if (NULL == *PatternSignatures)
426 *PatternSignaturesCount = 0;
428 for (
DWORD i = 0; i < SectionHeader->EntryCount; i++)
432 const WORD *pPatternHash;
434 pCamiPat = pCamiSignatures + i;
435 pPat = *PatternSignatures + i;
440 ERROR(
"[ERROR] Hash for signature %d is outside the update buffer!\n", i);
453 *PatternSignaturesCount = SectionHeader->EntryCount;
476 ERROR(
"[ERROR] Failed to find syscalls section header\n");
501 ERROR(
"[ERROR] Failed to find syscalls section header\n");
521 if (Dst->ForceOff != Src->ForceOff)
523 LOG(
"[CAMI] New force off options: 0x%016llx\n", Src->ForceOff);
526 Dst->ForceOff = Src->ForceOff;
528 if (Dst->Beta != Src->ForceBeta)
530 LOG(
"[CAMI] New force beta options: 0x%016llx\n", Src->ForceBeta);
533 Dst->Beta = Src->ForceBeta;
535 if (Dst->Feedback != Src->ForceFeedback)
537 LOG(
"[CAMI] New force feedback options: 0x%016llx\n", Src->ForceFeedback);
540 Dst->Feedback = Src->ForceFeedback;
556 LOG(
"[CAMI] Will set new core options!\n");
578 LOG(
"[CAMI] Will set new shemu options!\n");
600 for (
DWORD index = 0; index < gCamiProcessProtectionData.
Count; index++)
605 WARNING(
"[WARNING] Unsupported process name encoding: %d. Will skip...\n",
611 ProtectedProcess->CommPattern,
620 ProtectedProcess->Protection.Current =
621 ProtectedProcess->Protection.Original & ~(gCamiProcessProtectionData.
Items[index].
Options.
ForceOff);
625 TRACE(
"[CAMI] Protection options for '%s': %llx %llx %llx", ProtectedProcess->CommPattern,
626 ProtectedProcess->Protection.Current, ProtectedProcess->Protection.Beta,
627 ProtectedProcess->Protection.Feedback);
647 for (
DWORD index = 0; index < gCamiProcessProtectionData.
Count; index++)
655 ProtectedProcess->FullNamePattern,
665 ProtectedProcess->ImageBaseNamePattern,
674 WARNING(
"[WARNING] Unsupported process name encoding: %d. Will skip...\n",
681 ProtectedProcess->Protection.Current =
682 ProtectedProcess->Protection.Original & ~(gCamiProcessProtectionData.
Items[index].
Options.
ForceOff);
686 TRACE(
"[CAMI] Protection options for '%s': %x %llx %llx", ProtectedProcess->ImageBaseNamePattern,
687 ProtectedProcess->Protection.Current, ProtectedProcess->Protection.Beta,
688 ProtectedProcess->Protection.Feedback);
699 _In_ void *ProtectedProcess
763 for (
DWORD index = 0; index < TableCount; index++)
768 ERROR(
"[ERROR] CAMI_PROT_OPTIONS struct is invalid! (%p)", pOptions);
772 memcpy(gCamiProcessProtectionData.
Items[index].
Name.
Name8, Table[index].Name8, 64);
774 gCamiProcessProtectionData.
Items[index].
Options = *pOptions;
776 TRACE(
"[CAMI] NameHash : %s -> ForceOff : 0x%llx, ForceBeta: 0x%llx, ForceFeedback: 0x%llx",
848 if (0 == OptionsFileOffset)
891 ERROR(
"[ERROR] IntCamiProtectedProcessAllocate failed with status: 0x%08x.", status);
898 ERROR(
"[ERROR] IntCamiSetProcProtOptions failed with status: 0x%08x.\n", status);
906 ERROR(
"[ERROR] IntCamiSetCoreOptions failed with status: 0x%08x.\n", status);
913 ERROR(
"[ERROR] IntCamiSetShemuOptions failed with status: 0x%08x.\n", status);
946 ERROR(
"[ERROR] Failed to find Linux section header\n");
953 ERROR(
"[ERROR] Linux supported OS descriptors are outside the update buffer!");
963 pLix = pLixOsList + i;
972 LOG(
"[WARNING] This OS is no longer supported by introcore!\n");
984 ERROR(
"[ERROR] Unsupported number of hooks! Got %d, expected a max of %d!\n",
992 ERROR(
"[ERROR] Fields for OS %s are outside the update buffer.", pLix->
VersionString);
1006 ERROR(
"[ERROR] Failed to load introcore options for this OS. Status: 0x%08x\n", status);
1013 ERROR(
"[ERROR] IntCamiLoadOpaqueFields failed for linux fields. Status: 0x%08x\n", status);
1071 ERROR(
"[ERROR] Failed to find Windows section header\n");
1078 ERROR(
"[ERROR] Windows supported OS descriptors are outside the update buffer!");
1089 pWin = pWinOsList + i;
1100 LOG(
"[WARNING] This OS is no longer supported by introcore!\n");
1107 ERROR(
"[ERROR] Functions for OS %d KPTI %d is64 %d are outside the update buffer. ",
1115 ERROR(
"[ERROR] Km Structures for OS %d KPTI %d is64 %d are outside the update buffer. \n",
1123 ERROR(
"[ERROR] CAMI_WIN_VERSION_STRING struct is invalid! (%p)", pCamiVersionString);
1161 ERROR(
"[ERROR] Um Structures for OS %d KPTI %d is64 %d are outside the update buffer. \n",
1181 ERROR(
"[ERROR] Failed to load introcore options for this OS. Status: 0x%08x\n", status);
1188 ERROR(
"[ERROR] IntCamiLoadOpaqueFields failed for win km structures: 0x%08x\n", status);
1195 ERROR(
"[ERROR] IntCamiLoadOpaqueFields failed for win um structures: 0x%08x\n", status);
1208 ERROR(
"[ERROR] Function %d has patterns outside the update buffer. \n", j);
1215 ERROR(
"[ERROR] Function %d has arguments outside the update buffer. Will skip!\n", j);
1230 const WORD *pPatHash;
1235 ERROR(
"[ERROR] Hash for pattern %d of function %d spills outside the update buffer. Will skip!",
1253 WARNING(
"[WARNING] Failed to add function %d %x to a hook descriptor: 0x%08x\n",
1254 j, pFunTable[j].NameHash, status);
1287 ERROR(
"[ERROR] Failed to find Linux section header\n");
1294 ERROR(
"[ERROR] Linux supported OS descriptors are outside the update buffer!");
1321 ERROR(
"[ERROR] Failed to load introcore options for this OS. Status: 0x%08x\n", status);
1352 ERROR(
"[ERROR] Failed to find windows section header\n");
1359 ERROR(
"[ERROR] Windows supported OS descriptors are outside the update buffer!");
1382 ERROR(
"[ERROR] Failed to load introcore options for this OS: 0x%08x\n", status);
1422 DWORD i, lastNt, cnt;
1429 if (NULL != NtBuildNumberList && 0 == *Count)
1443 ERROR(
"[ERROR] Failed to find windows section header\n");
1450 ERROR(
"[ERROR] Windows supported OS descriptors are outside the update buffer!");
1458 pWin = pWinOsList + i;
1461 Guest64 != pWin->
Is64 || KptiInstalled != pWin->
Kpti)
1470 if (NULL != NtBuildNumberList)
1477 NtBuildNumberList[cnt] = lastNt;
1557 ERROR(
"[ERROR] Failed loading from hint 0x%08x: 0x%08x\n", CamiSectionHint, status);
1580 if (NULL == UpdateBuffer)
1585 if (0 == BufferLength)
1590 if (
sizeof(*pHeader) > BufferLength)
1592 ERROR(
"[ERROR] BufferLength is smaller than file header (%d vs %zu)\n", BufferLength,
sizeof(*pHeader));
1604 if (BufferLength != pHeader->
FileSize)
1606 LOG(
"[ERROR] Buffer length is not equal with header file size. (%d vs %d)\n", BufferLength, pHeader->
FileSize);
1610 LOG(
"[INFO] Loaded cami version %u.%u build %u\n",
1613 memcpy(&gCamiVersion, &pHeader->
Version,
sizeof(pHeader->
Version));
1617 ERROR(
"[ERROR] Update's file major (%d.%d) version is different form ours (%d.%d)\n",
1625 WARNING(
"[WARNING] Update's file minor (%d.%d) version is newer than ours (%d.%d). " 1626 "Not all features will be available!\n",
1631 ERROR(
"[ERROR] Update's file minor (%d.%d) version is older than ours (%d.%d). Will not load.\n",
1660 #ifdef INT_COMPILER_GNUC 1661 # pragma GCC diagnostic push 1662 # pragma GCC diagnostic ignored "-Wcast-qual" 1667 #ifdef INT_COMPILER_GNUC 1668 # pragma GCC diagnostic pop 1673 WARNING(
"[WARNING] IntReleaseBuffer failed: 0x%08x\n", status);
1676 gUpdateBuffer = NULL;
1697 if (NULL == MajorVersion)
1702 if (NULL == MinorVersion)
1707 if (NULL == BuildNumber)
1712 *MajorVersion = gCamiVersion.
Major;
1713 *MinorVersion = gCamiVersion.
Minor;
1732 if (gCamiProcessProtectionData.
Items != NULL)
1734 ERROR(
"[ERROR] Cami protected processes array already allocated!");
1744 if (gCamiProcessProtectionData.
Items == NULL)
1749 gCamiProcessProtectionData.
Count = Items;
1763 if (gCamiProcessProtectionData.
Items == NULL)
1769 gCamiProcessProtectionData.
Items = NULL;
1770 gCamiProcessProtectionData.
Count = 0;
QWORD MaxIntroVersion
Maximum introcore version which supports this OS.
CAMI_STRING_ENCODING Encoding
Encoding of the name.
CHAR ServerVersionString[MAX_VERSION_STRING_SIZE]
The version string if the OS is a server.
LIX_OPAQUE_FIELDS OsSpecificFields
OS-dependent and specific information.
Describes a Linux function used by the detour mechanism.
static INTSTATUS IntCamiLoadProtOptionsWin(const CAMI_HEADER *CamiHeader)
Load and apply all of the enforced protection options for Windows guests.
INTSTATUS IntCamiUpdateProcessProtectionInfo(void *ProtectedProcess)
Update a process' protection flags using the ones from CAMI.
Exposes the types, constants and functions used to handle Windows processes events (creation...
Describe process protection options.
Used for the WIN_OPAQUE_FIELDS.Um.Peb array.
The tag for LIX_FIELD_MMSTRUCT.
DWORD CustomProtectionOffset
Protection flags for this OS. (pointer to a CAMI_CUSTOM_OS_PROTECTION struct)
#define OFFSET_OF(Type, Member)
WINDOWS_GUEST * gWinGuest
Global variable holding the state of a Windows guest.
DWORD SignatureId
The unique ID of the signature.
DWORD HookHandler
Used to identify the index of the LIX_FN_DETOUR the in the gLixHookHandlersx64.
Describe the introcore protection options.
DWORD gLinuxDistSigsCount
Holds the number of loaded linux distribution signatures.
#define INT_STATUS_SUCCESS
BOOLEAN SkipOnBoot
Unused.
INTSTATUS IntCamiSetUpdateBuffer(const BYTE *UpdateBuffer, DWORD BufferLength)
Initialize the update buffer with the one from the integrator.
DWORD CoreOptionsOffset
Intro core options. File pointer to a CAMI_PROT_OPTIONS structure.
Used for the WIN_OPAQUE_FIELDS.Um.Dll array.
WORD Pattern[SIG_MAX_PATTERN]
DWORD gSysenterSignaturesCount
Holds the number of loaded syscall signatures.
static INTSTATUS IntCamiUpdateProcessProtectionInfoWin(PROTECTED_PROCESS_INFO *ProtectedProcess)
Update a windows process' protection flags using the ones from CAMI.
CAMI_STRING_ENCODING
Describes the encoding of a string received from the CAMI file.
Used for the WIN_OPAQUE_FIELDS.Km.VadLong array.
DWORD BuildNumber
Build number for this Windows OS.
WORD PatternLength
The length of the pattern. (count of DWORDs)
static const CAMI_STRUCTURE gLinuxStructures[lixStructureEnd]
Describe the Linux fields to be loaded from the update buffer.
struct _CAMI_PROCESS_PROTECTION_DATA * PCAMI_PROCESS_PROTECTION_DATA
The tag for LIX_FIELD_DENTRY.
BYTE SkipOnBoot
TRUE if this function should not be hooked on boot.
QWORD MinIntroVersion
Minimum introcore version which supports this OS.
#define GET_CAMI_STRUCT(Type, Offset)
Get a CAMI structure from an update buffer.
void IntCamiUpdateProcessProtectionItems(void *Name, CAMI_STRING_ENCODING Encoding, CAMI_PROT_OPTIONS *Options)
Update a protected process protection flags.
DWORD UmStructuresTable
UM opaque fields file pointer (pointer to a CAMI_OPAQUE_STRUCTURE array.
DWORD ProcOptionsCount
The number of entries in the ProcOptionsTable.
#define INT_SUCCESS(Status)
DWORD FunctionsCount
The number of function to be hooked.
DWORD Minor
Minor version of this file.
INTSTATUS IntCamiLoadSection(DWORD CamiSectionHint)
Load CAMI objects from section with given hint.
static INTSTATUS IntCamiLoadLinux(const CAMI_HEADER *CamiHeader)
Loads all of the necessary information about the current windows guest that is needed by intro to sup...
static INTSTATUS IntCamiLoadWindows(const CAMI_HEADER *CamiHeader)
Loads all of the necessary information about the current windows guest that is needed by intro to sup...
static INTSTATUS IntCamiLoadPatternSignatures(const CAMI_SECTION_HEADER *SectionHeader, PATTERN_SIGNATURE **PatternSignatures, DWORD *PatternSignaturesCount)
Allocate and load pattern signatures.
The tag for LIX_FIELD_FILES.
DWORD Offset
Offset inside the tested buffer at which the pattern should be found.
Describe a CAMI file windows descriptor. Load support for a windows guest.
#define INT_STATUS_NOT_NEEDED_HINT
Section will contain linux related information.
static INTSTATUS IntCamiLoadSyscalls(const CAMI_HEADER *CamiHeader)
Loads the syscall signatures from their section.
Describe the introcore protection options for a process.
#define HpAllocWithTag(Len, Tag)
int INTSTATUS
The status data type.
#define UPDATE_CAMI_MIN_VER_MAJOR
DWORD OSVersion
Os version.
Used for the WIN_OPAQUE_FIELDS.Km.Mmpfn array.
INT_VERSION_INFO IntHviVersion
The HVI version. Used to check for compatibility issues with the cami version.
#define INT_STATUS_NOT_FOUND
void IntCamiClearUpdateBuffer(void)
Uninitialize the update buffer and notify the integrator that we don't need it anymore.
DWORD VersionStringOffset
VersionString pointer (pointer to a CAMI_WIN_VERSION_STRING struct)
Describe the CAMI version.
Used for the WIN_OPAQUE_FIELDS.Km.VadFlags array.
Used for the WIN_OPAQUE_FIELDS.Km.EprocessFlags array.
Used for the WIN_OPAQUE_FIELDS.Km.Pcr array.
QWORD MinIntroVersion
Minimum introcore version which supports this OS.
DWORD StructureTag
Specifies which opaque field structure to load.
BOOLEAN IntMatchPatternUtf8(const CHAR *Pattern, const CHAR *String, DWORD Flags)
Matches a pattern using glob match.
The tag for LIX_FIELD_MODULE.
#define IS_CAMI_STRUCTURE_OK(FilePointer)
Check whether a whole structure resides inside the update buffer.
PCHAR ServerVersionString
A NULL terminated string containing Windows server version information.
size_t Offset
Offset of the structure to be loaded inside the OpaqueFields.
static INTSTATUS IntCamiResetCoreOptions(void)
The tag for LIX_FIELD_SOCK.
#define UPDATE_CAMI_MIN_VER_MINOR
INTSTATUS IntCamiProtectedProcessAllocate(DWORD Items)
Initialize the global variable holding custom process protection options.
INTRO_GUEST_TYPE OSType
The type of the guest.
Describe a pattern signature.
QWORD Raw
Raw version information.
Encapsulates a protected Linux process.
static INTSTATUS IntCamiUpdateProcessProtectionInfoLix(LIX_PROTECTED_PROCESS *ProtectedProcess)
Update a Linux process' protection flags using the ones from CAMI.
Describe a function to be hooked by introcore.
Section will contain information about a supported OS.
Describe the CAMI file header.
Used for the WIN_OPAQUE_FIELDS.Km.Token array.
Describe a CAMI file Linux descriptor. Load support for a Linux guest.
Encapsulates a protected Windows process.
static CAMI_PROCESS_PROTECTION_DATA gCamiProcessProtectionData
Loaded process protection data from CAMI.
DWORD Offset
Offset inside the buffer.
The tag for LIX_FIELD_BINPRM.
Describe a function to be hooked by introcore.
DWORD EntryCount
How many entries of this type are in the DescriptorTable.
DWORD DescriptorTable
Pointer to a CAMI descriptor table.
struct _CAMI_STRUCTURE CAMI_STRUCTURE
Describe the way we load the guest offsets from the update buffer.
static const CAMI_STRUCTURE gWinUmStructures[winUmStructureEnd]
Describe the windows um fields to be loaded from the update buffer.
DWORD Count
The number of elements in Items.
DWORD HooksTable
Hooked functions file pointer. (pointer to a CAMI_LIX_HOOK array).
DWORD Length
The valid size of the Pattern array.
QWORD ServerVersionStringSize
Size of the server version string, if exists.
Describe a CAMI file section header.
BOOLEAN Is64
If this OS is 64 bits.
static INTSTATUS IntCamiLoadOpaqueFields(const CAMI_OPAQUE_STRUCTURE *CamiStructures, const CAMI_STRUCTURE *ToLoad, DWORD Count, INTRO_GUEST_TYPE OsType)
Load a set of opaque filed offsets from the update buffer.
QWORD VersionStringSize
Size of the version string.
DWORD BuildNumber
Build number.
DWORD ShemuOptionsOffset
Shemu options. File pointer to a CAMI_PROT_OPTIONS structure.
DWORD ProcOptionsTable
Process protection options. Pointer to a CAMI_PROC_PROT_OPTIONS array.
DWORD FileSize
The size of the update file. Should be equal with the value of BufferSize.
#define INT_STATUS_NOT_INITIALIZED
BYTE HookHandler
The hook handler index from the API_HOOK_DESCRIPTOR.
Used for the WIN_OPAQUE_FIELDS.Km.Process array.
The tag for LIX_FIELD_NSPROXY.
#define MAX_VERSION_STRING_SIZE
Maximum size of a version string.
BOOLEAN IntMatchPatternUtf16(const WCHAR *Pattern, const WCHAR *String, DWORD Flags)
Matches a pattern using glob match.
BOOLEAN Guest64
True if this is a 64-bit guest, False if it is a 32-bit guest.
Section will contain protection flags.
QWORD MaxIntroVersion
Maximum introcore version which supports this OS.
CHAR VersionString[MAX_VERSION_LENGTH]
The version string.
#define INT_STATUS_INVALID_PARAMETER_4
static INTSTATUS IntCamiSetCoreOptions(const CAMI_PROT_OPTIONS *Options)
Update the guest protection flags using the ones from CAMI.
#define IS_CAMI_ARRAY_OK(StartPointer, Count)
Check whether a whole array resides inside the update buffer.
CHAR SectionHint[8]
Optional section name hint.
#define HpFreeAndNullWithTag(Add, Tag)
struct _CAMI_PROCESS_PROTECTION_DATA CAMI_PROCESS_PROTECTION_DATA
Describe a list of process protection options.
The tag for LIX_FIELD_FS.
#define INT_STATUS_INVALID_DATA_STATE
The tag for LIX_FIELD_VMA.
#define IS_CAMI_FILEOFFSET_OK(FileOffset)
Check whether a file offset overflows the update buffer.
static const CAMI_SECTION_HEADER * IntCamiFindSectionHeaderByHint(const CAMI_HEADER *CamiHeader, DWORD SectionHint)
Iterate through all of the section headers from the update buffer and return the one matching the hin...
Used for the WIN_OPAQUE_FIELDS.Km.Thread array.
String will be encoded in utf-8.
struct _CAMI_PROCESS_PROTECTION_INFO * PCAMI_PROCESS_PROTECTION_INFO
Exposes the definitions used by the CAMI parser and the functions used to load guest support informat...
size_t strlcpy(char *dst, const char *src, size_t dest_size)
QWORD ForceFeedback
Options feedback only.
void IntLixProcUpdateProtectedProcess(const void *Name, const CAMI_STRING_ENCODING Encoding, const CAMI_PROT_OPTIONS *Options)
Updates the protection flags for Linux tasks that should be protected based on options received via C...
struct _CAMI_PROCESS_PROTECTION_INFO::@269 Name
The process name.
CAMI_VERSION Version
Version.
DWORD PatternOffset
Pattern file pointer. (pointer to a DWORD array)
PATTERN_SIGNATURE * gSysenterSignatures
Pointer to the syscall signatures that will be loaded from the update buffer.
Describe windows version strings.
LIX_FUNCTION * Functions
An array of LIX_FUNCTION to be hooked.
CHAR VersionString[MAX_VERSION_STRING_SIZE]
The versions string used to match this OS.
Describes a function that is not exported.
WCHAR Name16[32]
The process name as a wide char string.
INTSTATUS IntReleaseBuffer(void *Buffer, DWORD Size)
INTRO_GUEST_TYPE
The type of the introspected operating system.
static INTSTATUS IntCamiSetProcProtOptions(const CAMI_PROC_PROT_OPTIONS *Table, DWORD TableCount)
Loads all the process protection flags from CAMI.
The tag for LIX_FIELD_INODE.
#define LIX_MAX_HOOKED_FN_COUNT
Used for the WIN_OPAQUE_FIELDS.Km.DrvObj array.
The tag for LIX_FIELD_SOCKET.
PCHAR VersionString
A NULL terminated string containing Windows version information.
void IntGuestUpdateShemuOptions(QWORD NewOptions)
Update shemu options.
Used for the WIN_OPAQUE_FIELDS.Km.Ungrouped array.
BOOLEAN glob_match_numeric_utf8(char const *Pattern, char const *String)
Holds information about a Windows guest.
INTSTATUS IntCamiProtectedProcessFree(void)
Uninitialize the global holding custom process protection options.
void IntLixTaskUpdateProtection(void)
Adjusts protection for all active Linux processes.
QWORD ForceOff
Options which will be disabled.
Used for the WIN_OPAQUE_FIELDS.Km.PoolDescriptor array.
The tag for LIX_FIELD_INFO.
INTSTATUS IntCamiGetWinSupportedList(BOOLEAN KptiInstalled, BOOLEAN Guest64, DWORD *NtBuildNumberList, DWORD *Count)
Return a list of supported Windows NtBuildNumbers.
void IntWinProcUpdateProtectedProcess(const void *Name, const CAMI_STRING_ENCODING Encoding, const CAMI_PROT_OPTIONS *Options)
This function updates the protection for the given process.
Describe the members of a guest opaque structure.
PATTERN_SIGNATURE Signature
The pattern signature.
GUEST_STATE gGuest
The current guest state.
INTSTATUS IntWinProcUpdateProtection(void)
Iterates trough the global process list (gWinProcesses) in order to update the protection state for e...
Used for the WIN_OPAQUE_FIELDS.Km.VadShort array.
static INTSTATUS IntCamiLoadProtOptionsLinux(const CAMI_HEADER *CamiHeader)
Load and apply all of the enforced protection options for Linux guests.
Describe a function pattern.
#define INT_STATUS_INVALID_DATA_TYPE
CHAR VersionString[MAX_VERSION_STRING_SIZE]
The version string.
DWORD PatternsCount
The number of entries in the Patterns array.
CAMI_PROCESS_PROTECTION_INFO * Items
Array of process protection options.
INTSTATUS IntWinApiUpdateHookDescriptor(WIN_UNEXPORTED_FUNCTION *Function, DWORD ArgumentsCount, const DWORD *Arguments)
Update a hook descriptor with corresponding function patterns and argument list from CAMI...
static void IntCamiUpdateProtOptions(const CAMI_PROT_OPTIONS *Src, INTRO_PROT_OPTIONS *Dst)
Updates the current protection options.
Introspection version info.
static const BYTE * gUpdateBuffer
The buffer holding the update file.
Section will contain windows related information.
DWORD Magic
Magic value. Should be CAMI_MAGIC_WORD.
DWORD NameHash
Crc32 of the function name.
INTRO_PROT_OPTIONS ShemuOptions
Flags which describe the way shemu will give detections.
DWORD NameHash
Crc32 checksum of the function name.
DWORD NameHash
Function name hash.
static CAMI_VERSION gCamiVersion
The version of the loaded update file.
#define SIG_MAX_PATTERN
The maximum size of a pattern.
BOOLEAN KptiInstalled
True if KPTI was detected as installed (not necessarily active).
QWORD Original
The original options as received from GLUE_IFACE.NewGuestNotification. This is updated when GLUE_IFAC...
BOOLEAN Kpti
If this OS has KPTI support.
#define CAMI_MAGIC_WORD
Cami header magic number.
The tag for LIX_FIELD_FDTABLE.
DWORD StructuresTable
Opaque structures file pointer. (pointer to a CAMI_OPAQUE_STRUCTURE array).
static BOOLEAN IntCamiCheckIntroVersion(QWORD MinIntroVersion, QWORD MaxIntroVersion)
Check if the CAMI buffer is compatible with the Intro version.
Describe a list of process protection options.
#define INT_STATUS_INVALID_PARAMETER_1
#define INT_STATUS_NOT_SUPPORTED
static const CAMI_STRUCTURE gWinKmStructures[winKmStructureEnd]
Describe the windows km fields to be loaded from the update buffer.
DWORD FunctionTable
Functions file pointer. (pointer to a CAMI_WIN_FUNCTION array.
struct _CAMI_PROCESS_PROTECTION_INFO CAMI_PROCESS_PROTECTION_INFO
Describe process protection options.
void IntGuestUpdateCoreOptions(QWORD NewOptions)
Updates Introcore options.
static INTSTATUS IntCamiSetShemuOptions(const CAMI_PROT_OPTIONS *Options)
Update the shemu flags using the ones from CAMI.
Describes a signature that can be used for searching or matching guest contents.
#define INT_STATUS_INVALID_PARAMETER_MIX
Describes options for this guest.
INTSTATUS IntCamiGetVersion(DWORD *MajorVersion, DWORD *MinorVersion, DWORD *BuildNumber)
Get the version of the loaded CAMI support file.
CHAR Name8[64]
The process name as a char string.
BYTE SectionHint[8]
Section hint where this pattern should be found.
static INTSTATUS IntCamiLoadOsOptions(DWORD OptionsFileOffset)
Load custom protection options for the guest OS or for protected processes.
Section will contain distribution signatures.
Describe the introcore protection options for a guest.
DWORD Major
Major version of this file.
DWORD SignatureId
Signature ID.
PATTERN_SIGNATURE * gLinuxDistSigs
Pointer to the linux distribution signatures that will be loaded from the update buffer.
The tag for LIX_FIELD_UNGROUPED.
CAMI_PROT_OPTIONS Options
Specifies the process protection.
String will be encoded in utf-16.
static DWORD gUpdateBufferSize
The size of the update buffer.
Used for the WIN_OPAQUE_FIELDS.Km.SyscallNumbers array.
Section will contain syscall signatures.
The tag for LIX_FIELD_CRED.
static INTSTATUS IntCamiResetShemuOptions(void)
#define INT_STATUS_INVALID_PARAMETER_2
INTRO_PROT_OPTIONS CoreOptions
The activation and protection options for this guest.
Describe the way we load the guest offsets from the update buffer.
DWORD MembersCount
The number of fields to be loaded.
DWORD NameHash
Function name hash.
QWORD ForceBeta
Options beta only.
The tag for LIX_FIELD_TASKSTRUCT.
LINUX_GUEST * gLixGuest
Global variable holding the state of a Linux guest.
WIN_UNEXPORTED_FUNCTION_PATTERN Patterns[0]
The patterns used to search for this function.
DWORD CustomProtectionOffset
Protection flags for this OS. (pointer to a CAMI_CUSTOM_OS_PROTECTION).
#define INT_STATUS_INVALID_DATA_SIZE
static INTSTATUS IntCamiLoadLixDistSigs(const CAMI_HEADER *CamiHeader)
Loads the Linux distribution signatures from their section.
struct _INT_VERSION_INFO::@327 VersionInfo
Structured version information.
DWORD KmStructuresTable
KM opaque fields file pointer. (pointer to a CAMI_OPAQUE_STRUCTURE array.
#define INT_STATUS_INSUFFICIENT_RESOURCES
#define INT_STATUS_INVALID_PARAMETER_3
1.8.13