Bitdefender Hypervisor Memory Introspection
_DPI_EXTRA_INFO Struct Reference

#include <windpi.h>

Data Fields

struct {
   QWORD   _Reserved
 Reserved for further use.
} DpiDebugExtraInfo
 
struct {
   QWORD   CurrentStack
 The current stack of the process at the point of process creation.
 
   QWORD   StackBase
 The known stack base present in the TIB at the moment of process creation.
 
   QWORD   StackLimit
 The known stack limit present in the TIB at the moment of process creation.
 
   QWORD   TrapFrameAddress
 The address of the trap frame. Used to gather more information when sending the alert.
 
   QWORD   CurrentWow64Stack
 The current stack of the process in WoW64 mode. Valid only if the process is WoW64.
 
   QWORD   Wow64StackBase
 The known stack base in WoW64 mode. Valid only if the process is WoW64.
 
   QWORD   Wow64StackLimit
 The known stack limit in WoW64 mode. Valid only if the process is WoW64.
} DpiPivotedStackExtraInfo
 
struct {
   QWORD   StolenFromEprocess
 The EPROCESS address from which the token was stolen.
} DpiStolenTokenExtraInfo
 
struct {
   struct {
      DWORD   Mapped: 1
 The bit is set if the i-th page could be mapped.
 
      DWORD   Detected: 1
 The bit is set if the i-th page was detected as malicious by shemu.
 
      DWORD   HeapValCount: 11
 The number of heap values in the page. Since the maximum value can be 1024, 11 bits are needed.
 
      DWORD   Offset: 12
 The offset within the page at which the detection was raised, valid only if Detected is equal to 1.
 
      DWORD   Executable: 1
 True if the page is executable in the translation.
 
      DWORD   Reserved: 7
 Reserved for further use.
   }   HeapPages [HEAP_SPRAY_NR_PAGES]
 
   QWORD   ShellcodeFlags
 Contains the flags of the first page detected through shemu.
} DpiHeapSprayExtraInfo
 
struct {
   QWORD   OldEnabled
 The old value of the parent's token Privileges.Enabled field.
 
   QWORD   NewEnabled
 The new value of the parent's token Privileges.Enabled field, which was deemed malicious.
 
   QWORD   OldPresent
 The old value of the parent's token Privileges.Present field.
 
   QWORD   NewPresent
 The new value of the parent's token Privileges.Present field, which was deemed malicious.
} DpiTokenPrivsExtraInfo
 
struct {
   QWORD   StartAddress
 The address at which the parent's thread started execution.
 
   QWORD   ShellcodeFlags
 Contains the flags of the starting page detected through shemu.
} DpiThreadStartExtraInfo
 
struct {
   QWORD   SecDescStolenFromEproc
 If the parent's security descriptor has been stolen, this field may hold the victim process (the one the security descriptor was stolen from), if it could be found; it can be NULL.
 
   QWORD   OldPtrValue
 Old value.
 
   QWORD   NewPtrValue
 New value.
 
   ACL   OldSacl
 The old SACL header.
 
   ACL   OldDacl
 The old DACL header.
 
   ACL   NewSacl
 The new SACL header.
 
   ACL   NewDacl
 The new DACL header.
} DpiSecDescAclExtraInfo
 

Detailed Description

Extra info extracted while checking if any DPI heuristic has been violated.

Definition at line 27 of file windpi.h.
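As an added illustration (not code from the HVI project), the HeapPages bit-field layout documented above mirrored in plain C, together with a helper that turns one heap-spray report into the figures a defender would log from the alert: how many pages could be mapped, how many shemu flagged, how many are executable, and where the first detection sits. HEAP_SPRAY_NR_PAGES is not given on this page, so a constructed value is assumed, and the sample page data is constructed as well.

```c
#include <stddef.h>
typedef unsigned int DWORD;
#define HEAP_SPRAY_NR_PAGES 8   /* assumed: the page names it but gives no value */

/* Per-page entry mirroring the documented HeapPages bit-fields (the widths
 * sum to 33 bits, so each entry occupies more than one DWORD). */
typedef struct {
    DWORD Mapped       : 1;   /* set if the i-th page could be mapped */
    DWORD Detected     : 1;   /* set if shemu flagged the page as malicious */
    DWORD HeapValCount : 11;  /* heap values found in the page, at most 1024 */
    DWORD Offset       : 12;  /* page offset of the detection, valid if Detected */
    DWORD Executable   : 1;   /* page is executable in the translation */
    DWORD Reserved     : 7;
} HEAP_PAGE_INFO;

/* Aggregate a defender would log from a heap-spray alert (hypothetical type). */
typedef struct {
    unsigned Mapped, Detected, Executable;  /* page counts */
    unsigned TotalHeapValues;               /* sum of HeapValCount over mapped pages */
    int      FirstDetectedPage;             /* index of first flagged page, -1 if none */
    unsigned FirstDetectedOffset;           /* Offset recorded for that page */
} HEAP_SPRAY_SUMMARY;

HEAP_SPRAY_SUMMARY SummarizeHeapSpray(const HEAP_PAGE_INFO *pages, size_t count)
{
    HEAP_SPRAY_SUMMARY s = { 0, 0, 0, 0, -1, 0 };
    for (size_t i = 0; i < count; i++) {
        if (!pages[i].Mapped)
            continue;                       /* unmapped pages carry no usable bits */
        s.Mapped++;
        s.TotalHeapValues += pages[i].HeapValCount;
        if (pages[i].Executable)
            s.Executable++;
        if (pages[i].Detected && s.FirstDetectedPage < 0) {
            s.FirstDetectedPage = (int)i;
            s.FirstDetectedOffset = pages[i].Offset;
        }
        s.Detected += pages[i].Detected;
    }
    return s;
}

/* Constructed sample: page 2 unmapped, pages 1 and 3 flagged, pages 4..7 zero (unmapped). */
static const HEAP_PAGE_INFO kSamplePages[HEAP_SPRAY_NR_PAGES] = {
    { .Mapped = 1, .HeapValCount = 1024 },
    { .Mapped = 1, .Detected = 1, .HeapValCount = 900, .Offset = 0x1f0, .Executable = 1 },
    { .Mapped = 0 },
    { .Mapped = 1, .Detected = 1, .HeapValCount = 12, .Offset = 0x20, .Executable = 1 },
};

HEAP_SPRAY_SUMMARY SummarizeSample(void) { return SummarizeHeapSpray(kSamplePages, HEAP_SPRAY_NR_PAGES); }
```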

Field Documentation

◆ _Reserved

QWORD _DPI_EXTRA_INFO::_Reserved

Reserved for further use.

Definition at line 31 of file windpi.h.

◆ CurrentStack

QWORD _DPI_EXTRA_INFO::CurrentStack

The current stack of the process at the point of process creation.

Definition at line 36 of file windpi.h.

Referenced by IntExceptUserLogWindowsInformation(), and IntSerializeDpiWinPivotedStack().

◆ CurrentWow64Stack

QWORD _DPI_EXTRA_INFO::CurrentWow64Stack

The current stack of the process in WoW64 mode. Valid only if the process is WoW64.

Definition at line 42 of file windpi.h.

Referenced by IntExceptUserLogWindowsInformation(), and IntSerializeDpiWinPivotedStack().

◆ Detected

DWORD _DPI_EXTRA_INFO::Detected

The bit is set if the i-th page was detected as malicious by shemu.

Definition at line 58 of file windpi.h.

◆ DpiDebugExtraInfo

struct { ... } _DPI_EXTRA_INFO::DpiDebugExtraInfo

◆ DpiHeapSprayExtraInfo

struct { ... } _DPI_EXTRA_INFO::DpiHeapSprayExtraInfo

◆ DpiPivotedStackExtraInfo

struct { ... } _DPI_EXTRA_INFO::DpiPivotedStackExtraInfo

◆ DpiSecDescAclExtraInfo

struct { ... } _DPI_EXTRA_INFO::DpiSecDescAclExtraInfo

◆ DpiStolenTokenExtraInfo

struct { ... } _DPI_EXTRA_INFO::DpiStolenTokenExtraInfo

◆ DpiThreadStartExtraInfo

struct { ... } _DPI_EXTRA_INFO::DpiThreadStartExtraInfo

◆ DpiTokenPrivsExtraInfo

struct { ... } _DPI_EXTRA_INFO::DpiTokenPrivsExtraInfo

◆ Executable

DWORD _DPI_EXTRA_INFO::Executable

True if the page is executable in the translation.

Definition at line 63 of file windpi.h.

◆ HeapPages

struct { ... } _DPI_EXTRA_INFO::HeapPages[HEAP_SPRAY_NR_PAGES]

◆ HeapValCount

DWORD _DPI_EXTRA_INFO::HeapValCount

The number of heap values in the page. Since the maximum value can be 1024, 11 bits are needed.

Definition at line 60 of file windpi.h.

◆ Mapped

DWORD _DPI_EXTRA_INFO::Mapped

The bit is set if the i-th page could be mapped.

Definition at line 56 of file windpi.h.

◆ NewDacl

ACL _DPI_EXTRA_INFO::NewDacl

The new DACL header.

Definition at line 99 of file windpi.h.

Referenced by IntExceptUserLogWindowsInformation().

◆ NewEnabled

QWORD _DPI_EXTRA_INFO::NewEnabled

The new value from parent's token Privileges.Enabled field, which was deemed malicious.

Definition at line 74 of file windpi.h.

Referenced by IntExceptUserLogWindowsInformation(), and IntSerializeDpiWinTokenPrivs().

◆ NewPresent

QWORD _DPI_EXTRA_INFO::NewPresent

The new value from parent's token Privileges.Present field, which was deemed malicious.

Definition at line 77 of file windpi.h.

Referenced by IntExceptUserLogWindowsInformation(), and IntSerializeDpiWinTokenPrivs().

◆ NewPtrValue

QWORD _DPI_EXTRA_INFO::NewPtrValue

New value.

Definition at line 93 of file windpi.h.

◆ NewSacl

ACL _DPI_EXTRA_INFO::NewSacl

The new SACL header.

Definition at line 98 of file windpi.h.

Referenced by IntExceptUserLogWindowsInformation().

◆ Offset

DWORD _DPI_EXTRA_INFO::Offset

The offset within the page at which the detection was raised, valid only if Detected is equal to 1.

Definition at line 62 of file windpi.h.

◆ OldDacl

ACL _DPI_EXTRA_INFO::OldDacl

The old DACL header.

Definition at line 96 of file windpi.h.

Referenced by IntExceptUserLogWindowsInformation().

◆ OldEnabled

QWORD _DPI_EXTRA_INFO::OldEnabled

The old value from parent's token Privileges.Enabled field.

Definition at line 72 of file windpi.h.

Referenced by IntExceptUserLogWindowsInformation(), and IntSerializeDpiWinTokenPrivs().

◆ OldPresent

QWORD _DPI_EXTRA_INFO::OldPresent

The old value from parent's token Privileges.Present field.

Definition at line 75 of file windpi.h.

Referenced by IntExceptUserLogWindowsInformation(), and IntSerializeDpiWinTokenPrivs().

◆ OldPtrValue

QWORD _DPI_EXTRA_INFO::OldPtrValue

Old value.

Definition at line 92 of file windpi.h.

◆ OldSacl

ACL _DPI_EXTRA_INFO::OldSacl

The old SACL header.

Definition at line 95 of file windpi.h.

Referenced by IntExceptUserLogWindowsInformation().

◆ Reserved

DWORD _DPI_EXTRA_INFO::Reserved

Reserved for further use.

Definition at line 64 of file windpi.h.

◆ SecDescStolenFromEproc

QWORD _DPI_EXTRA_INFO::SecDescStolenFromEproc

If the parent's security descriptor has been stolen, this field may hold the victim process (the one the security descriptor was stolen from), if it could be found; it can be NULL.

Definition at line 90 of file windpi.h.

Referenced by IntExceptUserLogWindowsInformation(), and IntSerializeDpiWinSecDesc().

◆ ShellcodeFlags

QWORD _DPI_EXTRA_INFO::ShellcodeFlags

In DpiHeapSprayExtraInfo: contains the flags of the first page detected through shemu.

In DpiThreadStartExtraInfo: contains the flags of the starting page detected through shemu.

Definition at line 67 of file windpi.h.

Referenced by IntExceptUserLogWindowsInformation(), IntSerializeDpiWinHeapSpray(), and IntSerializeDpiWinThreadStart().

◆ StackBase

QWORD _DPI_EXTRA_INFO::StackBase

The known stack base present in the TIB at the moment of process creation.

Definition at line 37 of file windpi.h.

Referenced by IntExceptUserLogWindowsInformation(), and IntSerializeDpiWinPivotedStack().

◆ StackLimit

QWORD _DPI_EXTRA_INFO::StackLimit

The known stack limit present in the TIB at the moment of process creation.

Definition at line 38 of file windpi.h.

Referenced by IntExceptUserLogWindowsInformation(), and IntSerializeDpiWinPivotedStack().

◆ StartAddress

QWORD _DPI_EXTRA_INFO::StartAddress

The address at which the parent's thread started execution.

Definition at line 82 of file windpi.h.

Referenced by IntExceptUserLogWindowsInformation(), and IntSerializeDpiWinThreadStart().

◆ StolenFromEprocess

QWORD _DPI_EXTRA_INFO::StolenFromEprocess

The EPROCESS address from which the token was stolen.

Definition at line 49 of file windpi.h.

Referenced by IntExceptUserLogWindowsInformation(), and IntSerializeDpiWinStolenToken().

◆ TrapFrameAddress

QWORD _DPI_EXTRA_INFO::TrapFrameAddress

The address of the trap frame. Used to gather more information when sending the alert.

Definition at line 40 of file windpi.h.

Referenced by IntExceptUserLogWindowsInformation(), and IntSerializeDpiWinPivotedStack().

◆ Wow64StackBase

QWORD _DPI_EXTRA_INFO::Wow64StackBase

The known stack base in WoW64 mode. Valid only if the process is WoW64.

Definition at line 43 of file windpi.h.

Referenced by IntExceptUserLogWindowsInformation(), and IntSerializeDpiWinPivotedStack().

◆ Wow64StackLimit

QWORD _DPI_EXTRA_INFO::Wow64StackLimit

The known stack limit in WoW64 mode. Valid only if the process is WoW64.

Definition at line 44 of file windpi.h.

Referenced by IntExceptUserLogWindowsInformation(), and IntSerializeDpiWinPivotedStack().


The documentation for this struct was generated from the following file: windpi.h