security
ANTITAMPER PROBE
Tamper resistance, sandboxing, remote scan policy, and security deep dives.
Context Rail
Tags and Themes
On This Page
Anti-Tamper Probe Integration
This document explains how anti-tamper probes work today in Mutant, including the exact enablement gates and how runner enforcement differs from builtin diagnostic calls.
1. Architecture
Core files:
security/antitamper_probe.go(engine + enablement gate)security/antitamper_routing.go(probe dispatch)security/antitamper_detectors.go(cross-platform heuristics)security/antitamper_windows.go(windows process-protection heuristics)runner/runner.go(enforcement)builtin/security_status.go(diagnostic exposure)
Telemetry events used by this subsystem:
anti_tamper_probe_invokedanti_tamper_probe_errorprocess_protection_detected
2. Enablement Model (Important)
Anti-tamper probing has two gates:
- Master probe gate:
runtime setting=1 - Runner process-protection gate:
runtime setting
Behavior:
- If gate #1 is not
1,RunAntiTamperProbereturnsenabled=falseand no probes run. - Gate #2 only matters when gate #1 is enabled and runner enforcement is being evaluated.
- Gate #2 defaults to enabled when unset; disable values are
0,false,off,no.
3. Probe Output Shape
Each probe returns one AntiTamperSignal with:
namedetectedconfidencedetail
Interpretation:
detectedis evidence for that probe only.confidenceis a per-probe confidence score, not a global verdict.- policy action is decided by caller logic (runner or builtin consumer).
4. Implemented Probes (Current)
hardware_breakpointtimingsyscallfrida_ptraceld_preloadcpuid_hypervisorrdtsc_driftacpi_pcigpu_feature(placeholder)iat_gotsyscall_tabletrampolineprocess_injectionmodule_integritymemory_page_anomaly
5. Runner Enforcement vs Builtin Diagnostics
Runner enforcement probe set (hardcoded in runner/runner.go):
process_injectiontrampolineiat_gotmodule_integritymemory_page_anomaly
Runner threshold:
- any signal with
detected=trueandconfidence >= 80triggersprocess_protection_detectedpolicy flow.
Builtin diagnostics (builtin/security_status.go) use broader probe sets for
visibility and troubleshooting. This is expected and independent of runner
enforcement scope.
6. Platform Notes
Windows:
process_injectionuses environment and tasklist marker heuristics.trampolinechecks selected API prologues for common hook patterns.iat_gotchecks sensitive export memory ownership against expected module.module_integritychecks suspicious loaded module markers.memory_page_anomalychecks for RWX pages on sensitive API addresses.
Linux:
frida_ptracechecks FRIDA env markers and/proc/self/statustracer PID.ld_preloadreports activeLD_PRELOADmarkers.
macOS/unsupported paths:
- unsupported probes return neutral signals with explanatory detail.
7. Student Notes
- Probe enablement and enforcement are not the same thing.
- Builtin probe output is diagnostic; runner probe output can become policy action.
- Always read
detailbefore acting on a single signal.