Bitdefender Hypervisor Memory Introspection
This structure describes a running process inside the guest. More...
#include <winprocess.h>
Data Fields | |
LIST_ENTRY | Link |
Entry within gWinProcesses (Doubly Linked List). More... | |
RBNODE | NodeCr3 |
Entry within gWinProcTreeCr3 (RB Tree). More... | |
RBNODE | NodeUserCr3 |
Entry within gWinProcTreeUserCr3 (RB Tree). More... | |
RBNODE | NodeEproc |
Entry within gWinProcTreeEprocess (RB Tree). More... | |
QWORD | EprocessAddress |
This will be the address of the ActiveProcess field. More... | |
QWORD | ParentEprocess |
The EPROCESS of the parent process. More... | |
QWORD | RealParentEprocess |
The active EPROCESS at the moment of creation. More... | |
QWORD | CreationTime |
The creation time of the process, as stored inside the EPROCESS. More... | |
QWORD | Cr3 |
Process PDBR. Includes PCID. More... | |
QWORD | UserCr3 |
Process user PDBR. Includes PCID. More... | |
DWORD | Pid |
Process ID (the one used by Windows). More... | |
DWORD | NameHash |
Name hash, as used by the exceptions module. More... | |
QWORD | Peb64Address |
PEB 64 address (on x86 OSes, this will be 0). More... | |
QWORD | Peb32Address |
PEB 32 address (on pure x64 processes, this will be 0). More... | |
QWORD | MainModuleAddress |
The address of the main module. More... | |
CHAR | Name [IMAGE_BASE_NAME_LEN] |
Process base name. More... | |
WINUM_PATH * | Path |
Will point inside the loaded modules list to the full process path. More... | |
PCHAR | CommandLine |
The command line with which the process was created (can be NULL). More... | |
DWORD | CommandLineSize |
Includes the NULL terminator. More... | |
union { | |
DWORD Flags | |
Windows process flags (possible values for this bitmask are described below). More... | |
struct { | |
DWORD Wow64Process: 1 | |
TRUE if this is a 32 bit process on a 64 bit OS. More... | |
DWORD Terminating: 1 | |
TRUE if the process is terminating (cleanup pending). More... | |
DWORD Protected: 1 | |
TRUE if this is a protected process. If this is FALSE, most of the above fields aren't used at all. More... | |
DWORD IsAgent: 1 | |
TRUE if this is an injected agent. More... | |
DWORD MainModuleLoaded: 1 | |
TRUE if the main module has been loaded. More... | |
DWORD UnpackProtected: 1 | |
TRUE if the main module has been protected against unpacks. More... | |
DWORD Initialized: 1 | |
DWORD BetaDetections: 1 | |
TRUE if BETA is enabled for this particular process. More... | |
DWORD SystemProcess: 1 | |
TRUE if this is a system process. More... | |
DWORD Lsass: 1 | |
TRUE if this is the lsass process. More... | |
DWORD StaticDetected: 1 | |
TRUE if the process was detected using a static scan (during static init). More... | |
DWORD LastPebWriteDone: 1 | |
TRUE if the write into PEB is done (used for initialization checks). More... | |
DWORD InjectedApphelp: 1 | |
TRUE if AppHelp was injected. More... | |
DWORD ParentWow64: 1 | |
TRUE if the parent is a 32 bit process on a 64 bit OS. More... | |
DWORD StartInitializing: 1 | |
TRUE if the process actually started initializing (there is a time window, from the moment we add the process to our lists to the point when it actually starts its initialization steps, during which the process is "invalid"). More... | |
DWORD OneTimeInjectionDone: 1 | |
The one time injection already took place (exception). More... | |
DWORD LateProtection: 1 | |
TRUE if the protection was not activated right from start. More... | |
DWORD Peb32ContextWritten: 1 | |
TRUE if the Process Environment Block (x86) context was written (valid only on Windows 7). More... | |
DWORD Peb64ContextWritten: 1 | |
TRUE if the Process Environment Block (x64) context was written (valid only on Windows 7). More... | |
DWORD MonitorVad: 1 | |
TRUE if we need to handle VAD events for this process. More... | |
DWORD MonitorModules: 1 | |
TRUE if we need to monitor module load/unloads. More... | |
DWORD IsPreviousAgent: 1 | |
TRUE if this is an agent injected in a previous session. More... | |
DWORD ExploitGuardEnabled: 1 | |
TRUE if any Exploit Guard mitigation option is set for this process. More... | |
DWORD Outswapped: 1 | |
TRUE if the process is outswapped. More... | |
} | |
}; | |
BYTE | InjectionsCount |
The number of injections allowed at the initialization. More... | |
BYTE | PebWrittenCount |
The number of writes to the PEB (Process Environment Block). More... | |
QWORD | InjectedApphelpAddress |
The address of the injected apphelp (during initialization). More... | |
DWORD | InjectedAppHelpSize |
The size of the injected apphelp (during initialization). More... | |
DWORD | LastException |
The code of the last exception that took place. More... | |
QWORD | LastExceptionRip |
The RIP of the last exception that took place. More... | |
BOOLEAN | LastExceptionContinuable |
TRUE if the last exception is continuable (for example a #PF that was caused due to the way the OS does the lazy memory mappings). More... | |
BOOLEAN | HasNaClEnabled |
Only valid for chromium-based browsers; TRUE if this is a NaCl process. More... | |
BOOLEAN | EnforcedDep |
TRUE if DEP (Data Execution Prevention) has been enforced. More... | |
DWORD | ExitStatus |
The exit status of the process (used when sending the process terminated event). More... | |
BOOLEAN | IsDominoJava |
TRUE if this is an IBM Java process and j9jit.dll is loaded. More... | |
BOOLEAN | FirstDominoJavaIgnored |
TRUE if the first Domino Java execution VAD was ignored. More... | |
union { | |
DWORD ProtectionMask | |
Protection mask: tells us what level of protection will be activated for this process. More... | |
struct { | |
DWORD ProtReserved1: 2 | |
RESERVED. More... | |
DWORD ProtCoreModules: 1 | |
Protect the core module loaded by the process. More... | |
DWORD ProtUnpack: 1 | |
Protect process against unpacking attempts. More... | |
DWORD ProtWriteMem: 1 | |
Protect the memory against writes. More... | |
DWORD ProtWsockModules: 1 | |
Protect the Windows Socket related modules. More... | |
DWORD ProtExploits: 1 | |
DWORD ProtThreadCtx: 1 | |
Protect the thread context (protection against thread hijacking). More... | |
DWORD ProtQueueApc: 1 | |
DWORD ProtCreation: 1 | |
Prevent this process from creating child processes (other than other instances of itself). More... | |
DWORD ProtDoubleAgent: 1 | |
Protect the process against double agent attacks. More... | |
DWORD ProtScanCmdLine: 1 | |
Scan the cmd line of the process. More... | |
DWORD ProtInstrument: 1 | |
Protect the process against instrumentation callback attacks. More... | |
DWORD ProtReserved2: 16 | |
DWORD ProtRemediate: 1 | |
Any event inside the process will trigger the injection of the remediation tool. More... | |
DWORD ProtKillExploit: 1 | |
DWORD ProtBeta: 1 | |
Process is monitored, but in log-only mode so no actions will be blocked. More... | |
} | |
}; | |
QWORD | BetaMask |
The protection mask in beta mode. More... | |
QWORD | FeedbackMask |
The protection mask in feedback mode. More... | |
DWORD | AgentTag |
If IsAgent is TRUE, this will be the agent tag. More... | |
void * | Cr3PageLockObject |
The CR3 will be locked in memory, to prevent the OS from dynamically modifying the CR3 of a running process. More... | |
void * | UserCr3PageLockObject |
The UserCR3 will be locked in memory, to prevent the OS from dynamically modifying the CR3 of a running process. More... | |
RBTREE | VadTree |
RB-Tree of process VADs. More... | |
void * | VasMonRoot |
Virtual Address Space monitor root. More... | |
LIST_HEAD * | VadPages |
Vad pages Hash-Table. More... | |
QWORD | OriginalTokenPtr |
Original Token pointer inside EPROCESS (should never change). More... | |
void * | ParamsSwapHandle |
The swap memory handle for Process->Peb->ProcessParameters (used to read the command line of the process). More... | |
void * | CmdLineSwapHandle |
The swap memory handle for the UNICODE_STRING containing the command line of a process. More... | |
void * | CmdBufSwapHandle |
The swap memory handle for the command line buffer. More... | |
void * | SelfMapHook |
The self mapping memory hook. More... | |
void * | UserSelfMapHook |
The user self mapping memory hook. More... | |
QWORD | SelfMapEntryValue |
The self mapping memory entry value. More... | |
QWORD | UserSelfMapEntryValue |
The user self mapping memory entry value. More... | |
QWORD | Context |
Context from integrator if the process is protected, 0 otherwise. More... | |
BOOLEAN | ImageIsFromNativeSubsystem |
TRUE if the process image is from the native subsystem. More... | |
BOOLEAN | IsVerifierLoaded |
TRUE if app verifier is loaded. More... | |
WORD | OriginalSpareValue |
We put in guest * and some flags in order to decide whether to raise a VM exit on a process. Here we keep the overwritten original value of the spare field. More... | |
void * | MainModuleVad |
Used for keeping the main module VAD (used for dereferencing paths) as the unprotected processes don't have a VAD RB-Tree. More... | |
struct { | |
BOOLEAN ParentHasPivotedStack | |
The parent process has a pivoted stack. More... | |
QWORD DebuggerEprocess | |
This will keep the EPROCESS of the debugger process (if any). More... | |
QWORD TokenStolenFromEprocess | |
This will keep the EPROCESS of the process from which the current process stole the token. More... | |
BOOLEAN ParentHasBeenHeapSprayed | |
The parent process has been heap sprayed. More... | |
BOOLEAN ParentHasTokenPrivsAltered | |
The parent process has the token privileges altered in a malicious way, most probably due to a privilege escalation. More... | |
BOOLEAN ParentThreadSuspicious | |
The parent thread start address was considered suspicious. More... | |
BOOLEAN ParentHasAlteredSecDescPtr | |
The parent process has an altered security descriptor pointer. More... | |
BOOLEAN ParentHasEditedAcl | |
The parent process has an altered ACL (SACL/DACL). More... | |
} | CreationInfo |
DPI_EXTRA_INFO | DpiExtraInfo |
Represents the gathered extra info while checking the DPI heuristics. More... | |
PWIN_PROCESS_SUBSYSTEM | Subsystemx86 |
The x86 subsystem. Note that a 32 bit process on a 64 bit OS may have both subsystems valid. In that case, we need to handle & protect both of them. More... | |
PWIN_PROCESS_SUBSYSTEM | Subsystemx64 |
The x64 subsystem. Note that a 32 bit process on a 64 bit OS may have both subsystems valid. In that case, we need to handle & protect both of them. More... | |
void * | TokenHook |
Hook object for the ept hook over nt!_TOKEN Privileges field. More... | |
void * | TokenSwapHook |
Hook object for notifications over the swap-in/swap-out of the current process TOKEN. We need to place this hook in order to verify, on translation modifications of the current TOKEN, whether it is still assigned to the current process. The token might get deallocated in the meantime and the page can be reused, for example, for mapping other physical pages, thus leading to translation violations when the hashes of the contents are checked. For this purpose we verify on every translation modification event whether the current token is still in use, and re-establish the hook over the token if it was previously de-allocated. More... | |
QWORD | OriginalPresentPrivs |
Saved value of the Privileges Present bitfield inside the nt!_TOKEN structure assigned to the current process. More... | |
QWORD | OriginalEnabledPrivs |
Saved value of the Privileges Enabled bitfield inside the nt!_TOKEN structure assigned to the current process. More... | |
BOOLEAN | SkipPrivsNextCheck |
Signals whether the next privileges check on integrity should be skipped for the current process. Is set if, for example, we could not fetch the privileges when the process was created. More... | |
BOOLEAN | PrivsChangeDetected |
Set to TRUE when a token privilege change has been detected. This is useful for DPI, in the case where a write has been detected over the privileges, but because of the detect only mechanism, we have overwritten the OriginalPresentPrivs and OriginalEnabledPrivs values, thus DPI will not raise an alert on process creation due to the fact that the mechanism doesn't see any change. For this purpose, we'll analyze every process creation in DPI from the moment the privileges have changed and a detection took place on integrity. More... | |
BOOLEAN | PrivsChangeOneBit |
Set to TRUE when the difference between the Enabled and Present privileges is just one bit. On some OS versions, when a privilege is removed from a token belonging to a process, the kernel first clears the Present bit and only on the next instruction clears the Enabled bit, which opens a race window. If the timer exit comes between those two instructions, we would wrongly raise a detection. For this purpose, we set this variable when there is exactly one bit of difference, and we expect the difference to be gone at the next timer check. If there is again a one-bit difference on the next exit, it is likely due to malicious behavior. More... | |
struct { | |
QWORD SecurityDescriptorGva | |
Security descriptor address. More... | |
BYTE RawBuffer [INTRO_SECURITY_DESCRIPTOR_SIZE] | |
The entire security descriptor contents. More... | |
DWORD RawBufferSize | |
The used actual size of the RawBuffer. More... | |
ACL Sacl | |
The System Access Control List header. More... | |
ACL Dacl | |
The Discretionary Access Control List header. More... | |
} | SecurityDescriptor |
This structure describes a running process inside the guest.
Definition at line 83 of file winprocess.h.
union { ... } |
union { ... } |
DWORD _WIN_PROCESS_OBJECT::AgentTag |
If IsAgent is TRUE, this will be the agent tag.
Definition at line 233 of file winprocess.h.
Referenced by IntWinProcCreateProcessObject(), and IntWinProcDeleteProcessObject().
DWORD _WIN_PROCESS_OBJECT::BetaDetections |
TRUE if BETA is enabled for this particular process.
Definition at line 135 of file winprocess.h.
Referenced by IntWinProcUpdateProtection().
QWORD _WIN_PROCESS_OBJECT::BetaMask |
The protection mask in beta mode.
Definition at line 230 of file winprocess.h.
Referenced by IntWinProcCreateProcessObject(), and IntWinProcUpdateProtection().
void* _WIN_PROCESS_OBJECT::CmdBufSwapHandle |
The swap memory handle for the command line buffer.
Definition at line 257 of file winprocess.h.
Referenced by IntWinGetPrcoCmdLineHandleCmdLineInMemory(), IntWinGetProcCmdLineHandleBufferInMemory(), and IntWinProcSwapOut().
void* _WIN_PROCESS_OBJECT::CmdLineSwapHandle |
The swap memory handle for the UNICODE_STRING containing the command line of a process.
Definition at line 255 of file winprocess.h.
Referenced by IntWinGetPrcoCmdLineHandleCmdLineInMemory(), IntWinGetPrcoCmdLineHandleUserParamsInMemory(), and IntWinProcSwapOut().
PCHAR _WIN_PROCESS_OBJECT::CommandLine |
The command line with which the process was created (can be NULL).
Definition at line 114 of file winprocess.h.
Referenced by IntExceptVerifyValueSig(), and IntWinGetProcCmdLineHandleBufferInMemory().
DWORD _WIN_PROCESS_OBJECT::CommandLineSize |
Includes the NULL terminator.
Definition at line 116 of file winprocess.h.
Referenced by IntWinGetProcCmdLineHandleBufferInMemory().
QWORD _WIN_PROCESS_OBJECT::Context |
Context from integrator if the process is protected, 0 otherwise.
Definition at line 266 of file winprocess.h.
Referenced by IntWinProcCreateProcessObject(), IntWinProcExistsProtectedProcess(), and IntWinProcUpdateProtection().
QWORD _WIN_PROCESS_OBJECT::Cr3 |
Process PDBR. Includes PCID.
Definition at line 98 of file winprocess.h.
Referenced by DbgIterateVaSpace(), IntDispatchVeAsEpt(), IntExceptGetVictimProcess(), IntExceptGetVictimProcessCreation(), IntExceptUserLogWindowsInformation(), IntExceptVerifyCodeBlocksSig(), IntExceptVerifyValueCodeSig(), IntExceptVerifyValueSig(), IntGetGprs(), IntLogCriticalProcessHasDied(), IntLogProcessInfo(), IntSerializeDpiWinHeapSpray(), IntSerializeDpiWinThreadStart(), IntWinDagentHandleSlackWritable(), IntWinGetPrcoCmdLineHandleCmdLineInMemory(), IntWinGetPrcoCmdLineHandleUserParamsInMemory(), IntWinModBlockHandleExecution(), IntWinModHandleModulePathInMemory(), IntWinModHandleUserWrite(), IntWinModHookModule(), IntWinModHookPoly(), IntWinProcCreateProcessObject(), IntWinProcDeleteProcessObject(), IntWinProcDump(), IntWinProcFindObjectByCr3(), IntWinProcHandleCopyMemory(), IntWinProcHandleCreate(), IntWinProcHandleDuplicate(), IntWinProcHandleInstrument(), IntWinProcRbTreeNodeCompareCr3(), IntWinProcSwapIn(), IntWinProcSwapOut(), IntWinProcUpdateProtection(), IntWinProcValidateSystemCr3(), IntWinSelfMapHandleCr3SelfMapWrite(), IntWinSetUmExceptionEvent(), IntWinThrHandleQueueApc(), IntWinThrHandleThreadHijack(), and IntWinVadHandlePageExecution().
void* _WIN_PROCESS_OBJECT::Cr3PageLockObject |
The CR3 will be locked in memory, to prevent the OS from dynamically modifying the CR3 of a running process.
Definition at line 237 of file winprocess.h.
struct { ... } _WIN_PROCESS_OBJECT::CreationInfo |
QWORD _WIN_PROCESS_OBJECT::CreationTime |
The creation time of the process, as stored inside the EPROCESS.
Definition at line 95 of file winprocess.h.
Referenced by IntLogProcessInfo(), and IntWinProcCreateProcessObject().
ACL _WIN_PROCESS_OBJECT::Dacl |
The Discretionary Access Control List header.
Definition at line 368 of file winprocess.h.
QWORD _WIN_PROCESS_OBJECT::DebuggerEprocess |
This will keep the EPROCESS of the debugger process (if any).
Definition at line 284 of file winprocess.h.
Referenced by IntExceptUserLogWindowsInformation(), IntSerializeDpiWinDebug(), and IntWinDpiGetProcessDebugFlag().
DPI_EXTRA_INFO _WIN_PROCESS_OBJECT::DpiExtraInfo |
Represents the gathered extra info while checking the DPI heuristics.
Definition at line 304 of file winprocess.h.
Referenced by IntExceptUserLogWindowsInformation(), IntSerializeDpiWinHeapSpray(), IntSerializeDpiWinPivotedStack(), IntSerializeDpiWinSecDesc(), IntSerializeDpiWinStolenToken(), IntSerializeDpiWinThreadStart(), and IntSerializeDpiWinTokenPrivs().
BOOLEAN _WIN_PROCESS_OBJECT::EnforcedDep |
TRUE if DEP (Data Execution Prevention) has been enforced.
Definition at line 189 of file winprocess.h.
Referenced by IntWinCrashHandleDepViolation().
QWORD _WIN_PROCESS_OBJECT::EprocessAddress |
This will be the address of the ActiveProcess field.
Definition at line 90 of file winprocess.h.
Referenced by DbgLogCurrentProcess(), IntExceptUserLogWindowsInformation(), IntLogCriticalProcessHasDied(), IntLogProcessInfo(), IntWinDpiValidateParentProcessToken(), IntWinDpiValidateParentSecDesc(), IntWinGetAccessTokenFromProcess(), IntWinGetProcCmdLineHandleBufferInMemory(), IntWinGetStartUpTime(), IntWinModHandleMainModuleInMemory(), IntWinModHandleUserWrite(), IntWinProcAdd(), IntWinProcCreateProcessObject(), IntWinProcDeleteProcessObject(), IntWinProcDump(), IntWinProcDumpEgFlags(), IntWinProcDumpVads(), IntWinProcFindObjectByEprocess(), IntWinProcGetNameFromInternalEprocess(), IntWinProcHandleCreate(), IntWinProcHandleCreateInternal(), IntWinProcHandleDuplicate(), IntWinProcRbTreeNodeCompareEproc(), IntWinProcSwapIn(), IntWinProcSwapOut(), IntWinProcUpdateProtection(), IntWinProcValidateSystemCr3(), IntWinThrHandleThreadHijack(), IntWinTokenPrivsHandleSwap(), IntWinTokenPrivsHandleWrite(), IntWinTokenPtrCheckIntegrityOnProcess(), IntWinUmCheckInitializationInjection(), IntWinVadHandleInsertPrivate(), and IntWinVadHandleVirtualProtect().
DWORD _WIN_PROCESS_OBJECT::ExitStatus |
The exit status of the process (used when sending the process terminated event).
Definition at line 192 of file winprocess.h.
Referenced by IntLogProcessInfo(), and IntWinProcDeleteProcessObject().
DWORD _WIN_PROCESS_OBJECT::ExploitGuardEnabled |
TRUE if any Exploit Guard mitigation option is set for this process.
Definition at line 167 of file winprocess.h.
Referenced by IntWinProcCreateProcessObject().
QWORD _WIN_PROCESS_OBJECT::FeedbackMask |
The protection mask in feedback mode.
Definition at line 231 of file winprocess.h.
Referenced by IntWinProcCreateProcessObject(), and IntWinProcUpdateProtection().
BOOLEAN _WIN_PROCESS_OBJECT::FirstDominoJavaIgnored |
TRUE if the first Domino Java execution VAD was ignored.
Definition at line 195 of file winprocess.h.
Referenced by IntWinModCheckSpecialCases(), and IntWinVadHandlePageExecution().
DWORD _WIN_PROCESS_OBJECT::Flags |
Windows process flags (possible values for this bitmask are described below).
Definition at line 121 of file winprocess.h.
Referenced by IntLogProcessInfo().
BOOLEAN _WIN_PROCESS_OBJECT::HasNaClEnabled |
Only valid for chromium-based browsers; TRUE if this is a NaCl process.
Definition at line 187 of file winprocess.h.
Referenced by IntWinGetProcCmdLineHandleBufferInMemory().
BOOLEAN _WIN_PROCESS_OBJECT::ImageIsFromNativeSubsystem |
TRUE if the process image is from the native subsystem.
Definition at line 268 of file winprocess.h.
Referenced by IntWinDagentCheckNativeSubsystem(), and IntWinDagentHandleSuspModExecution().
DWORD _WIN_PROCESS_OBJECT::Initialized |
Definition at line 134 of file winprocess.h.
Referenced by IntWinProcCreateProcessObject(), IntWinProcHandleCopyMemory(), and IntWinUmCheckInitializationInjection().
DWORD _WIN_PROCESS_OBJECT::InjectedApphelp |
TRUE if AppHelp was injected.
Definition at line 144 of file winprocess.h.
QWORD _WIN_PROCESS_OBJECT::InjectedApphelpAddress |
The address of the injected apphelp (during initialization).
Definition at line 176 of file winprocess.h.
DWORD _WIN_PROCESS_OBJECT::InjectedAppHelpSize |
The size of the injected apphelp (during initialization).
Definition at line 177 of file winprocess.h.
BYTE _WIN_PROCESS_OBJECT::InjectionsCount |
The number of injections allowed at the initialization.
Definition at line 173 of file winprocess.h.
Referenced by IntWinUmCheckInitializationInjection().
DWORD _WIN_PROCESS_OBJECT::IsAgent |
TRUE if this is an injected agent.
Definition at line 131 of file winprocess.h.
Referenced by IntWinAgentHandleAppVmcall(), IntWinProcCreateProcessObject(), IntWinProcDeleteProcessObject(), IntWinProcGetAgentsAsCli(), IntWinProcHandleCopyMemory(), IntWinProcSwapIn(), IntWinProcSwapOut(), and IntWinProcUninit().
BOOLEAN _WIN_PROCESS_OBJECT::IsDominoJava |
TRUE if this is an IBM Java process and j9jit.dll is loaded.
Definition at line 194 of file winprocess.h.
Referenced by IntWinModCheckSpecialCases().
DWORD _WIN_PROCESS_OBJECT::IsPreviousAgent |
TRUE if this is an agent injected in a previous session.
Definition at line 164 of file winprocess.h.
Referenced by IntWinAgentHandleAppVmcall(), and IntWinProcCreateProcessObject().
BOOLEAN _WIN_PROCESS_OBJECT::IsVerifierLoaded |
TRUE if app verifier is loaded.
Definition at line 269 of file winprocess.h.
Referenced by IntWinDagentHandleSuspModExecution().
DWORD _WIN_PROCESS_OBJECT::LastException |
The code of the last exception that took place.
Definition at line 179 of file winprocess.h.
Referenced by IntWinSetUmExceptionEvent().
BOOLEAN _WIN_PROCESS_OBJECT::LastExceptionContinuable |
TRUE if the last exception is continuable (for example a #PF that was caused due to the way the OS does the lazy memory mappings).
Definition at line 184 of file winprocess.h.
Referenced by IntWinSetUmExceptionEvent().
QWORD _WIN_PROCESS_OBJECT::LastExceptionRip |
The RIP of the last exception that took place.
Definition at line 180 of file winprocess.h.
Referenced by IntWinSetUmExceptionEvent().
DWORD _WIN_PROCESS_OBJECT::LastPebWriteDone |
TRUE if the write into PEB is done (used for initialization checks).
Definition at line 143 of file winprocess.h.
Referenced by IntWinUmCheckInitializationInjection().
DWORD _WIN_PROCESS_OBJECT::LateProtection |
TRUE if the protection was not activated right from start.
Definition at line 154 of file winprocess.h.
Referenced by IntWinProcCreateProcessObject(), and IntWinProcUpdateProtection().
LIST_ENTRY _WIN_PROCESS_OBJECT::Link |
Entry within gWinProcesses (Doubly Linked List).
Definition at line 85 of file winprocess.h.
DWORD _WIN_PROCESS_OBJECT::Lsass |
TRUE if this is the lsass process.
Definition at line 137 of file winprocess.h.
Referenced by IntWinProcCreateProcessObject(), and IntWinProcHandleCopyMemory().
QWORD _WIN_PROCESS_OBJECT::MainModuleAddress |
The address of the main module.
Definition at line 106 of file winprocess.h.
Referenced by IntWinModHandleModulePathInMemory(), and IntWinProcCreateProcessObject().
DWORD _WIN_PROCESS_OBJECT::MainModuleLoaded |
TRUE if the main module has been loaded.
Definition at line 132 of file winprocess.h.
Referenced by IntWinModHandleModulePathInMemory().
void* _WIN_PROCESS_OBJECT::MainModuleVad |
Used for keeping the main module VAD (used for dereferencing paths) as the unprotected processes don't have a VAD RB-Tree.
Definition at line 277 of file winprocess.h.
DWORD _WIN_PROCESS_OBJECT::MonitorModules |
TRUE if we need to monitor module load/unloads.
Definition at line 163 of file winprocess.h.
Referenced by IntExceptGetVictimProcess().
DWORD _WIN_PROCESS_OBJECT::MonitorVad |
TRUE if we need to handle VAD events for this process.
Definition at line 162 of file winprocess.h.
Referenced by IntExceptGetVictimProcess(), IntWinProcCreateProcessObject(), IntWinProcHandleCopyMemory(), IntWinVadHandleCommit(), IntWinVadHandleDeleteVaRange(), IntWinVadHandleFinishVadDeletion(), IntWinVadHandleInsert(), IntWinVadHandleInsertMap(), IntWinVadHandleInsertPrivate(), and IntWinVadHandleVirtualProtect().
CHAR _WIN_PROCESS_OBJECT::Name[IMAGE_BASE_NAME_LEN] |
Process base name.
Definition at line 108 of file winprocess.h.
Referenced by DbgIterateVaSpace(), DbgLogCurrentProcess(), IntExceptGetVictimEpt(), IntExceptGetVictimProcess(), IntExceptGetVictimProcessCreation(), IntExceptUserLogWindowsInformation(), IntLogCriticalProcessHasDied(), IntLogProcessInfo(), IntWinAgentHandleAppVmcall(), IntWinDagentHandleSuspModExecution(), IntWinGetProcCmdLineHandleBufferInMemory(), IntWinModCheckSpecialCases(), IntWinModHandleModulePathInMemory(), IntWinModHandleUserWrite(), IntWinProcCreateProcessObject(), IntWinProcDeleteProcessObject(), IntWinProcDump(), IntWinProcDumpEgFlags(), IntWinProcDumpVads(), IntWinProcExistsProtectedProcess(), IntWinProcFindObjectByName(), IntWinProcGetAgentsAsCli(), IntWinProcGetNameFromInternalEprocess(), IntWinProcHandleCopyMemory(), IntWinProcHandleCreateInternal(), IntWinProcHandleDuplicate(), IntWinProcHandleInstrument(), IntWinProcSwapIn(), IntWinProcSwapOut(), IntWinProcUpdateProtection(), IntWinSelfMapHandleCr3SelfMapWrite(), IntWinSetUmExceptionEvent(), IntWinThrHandleQueueApc(), IntWinThrHandleThreadHijack(), IntWinTokenProtectPrivs(), IntWinTokenPtrCheckIntegrityOnProcess(), IntWinUmCheckInitializationInjection(), and IntWinVadHandlePageExecution().
DWORD _WIN_PROCESS_OBJECT::NameHash |
Name hash, as used by the exceptions module.
Definition at line 101 of file winprocess.h.
Referenced by IntExceptGetVictimEpt(), IntExceptGetVictimProcess(), IntExceptGetVictimProcessCreation(), IntExceptUserLogWindowsInformation(), IntWinProcCreateProcessObject(), IntWinProcSwapIn(), and IntWinProcSwapOut().
RBNODE _WIN_PROCESS_OBJECT::NodeCr3 |
Entry within gWinProcTreeCr3 (RB Tree).
Definition at line 86 of file winprocess.h.
Referenced by IntWinProcFindObjectByCr3().
RBNODE _WIN_PROCESS_OBJECT::NodeEproc |
Entry within gWinProcTreeEprocess (RB Tree).
Definition at line 88 of file winprocess.h.
Referenced by IntWinProcFindObjectByEprocess().
RBNODE _WIN_PROCESS_OBJECT::NodeUserCr3 |
Entry within gWinProcTreeUserCr3 (RB Tree).
Definition at line 87 of file winprocess.h.
Referenced by IntWinProcFindObjectByUserCr3().
DWORD _WIN_PROCESS_OBJECT::OneTimeInjectionDone |
The one time injection already took place (exception).
Definition at line 153 of file winprocess.h.
Referenced by IntWinProcCreateProcessObject().
QWORD _WIN_PROCESS_OBJECT::OriginalEnabledPrivs |
Saved value of the Privileges Enabled bitfield inside the nt!_TOKEN structure assigned to the current process.
Definition at line 330 of file winprocess.h.
QWORD _WIN_PROCESS_OBJECT::OriginalPresentPrivs |
Saved value of the Privileges Present bitfield inside the nt!_TOKEN structure assigned to the current process.
Definition at line 326 of file winprocess.h.
WORD _WIN_PROCESS_OBJECT::OriginalSpareValue |
We put in guest * and some flags in order to decide whether to raise a VM exit on a process. Here we keep the overwritten original value of the spare field.
Definition at line 273 of file winprocess.h.
Referenced by IntWinProcCreateProcessObject().
QWORD _WIN_PROCESS_OBJECT::OriginalTokenPtr |
Original Token pointer inside EPROCESS (should never change).
Definition at line 247 of file winprocess.h.
Referenced by IntLogProcessInfo(), IntWinProcCreateProcessObject(), IntWinProcDump(), IntWinTokenPrivsHandleSwap(), IntWinTokenPrivsHandleWrite(), and IntWinTokenPtrIsStolen().
DWORD _WIN_PROCESS_OBJECT::Outswapped |
TRUE if the process is outswapped.
Definition at line 169 of file winprocess.h.
Referenced by IntWinProcCreateProcessObject(), IntWinProcSwapIn(), and IntWinProcSwapOut().
void* _WIN_PROCESS_OBJECT::ParamsSwapHandle |
The swap memory handle for Process->Peb->ProcessParameters (used to read the command line of the process).
Definition at line 251 of file winprocess.h.
Referenced by IntWinGetPrcoCmdLineHandleUserParamsInMemory(), and IntWinProcSwapOut().
QWORD _WIN_PROCESS_OBJECT::ParentEprocess |
The EPROCESS of the parent process.
Definition at line 91 of file winprocess.h.
Referenced by IntLogProcessInfo(), IntWinProcCreateProcessObject(), IntWinProcDeleteProcessObject(), IntWinProcDump(), IntWinProcSwapIn(), and IntWinProcSwapOut().
BOOLEAN _WIN_PROCESS_OBJECT::ParentHasAlteredSecDescPtr |
The parent process has an altered security descriptor pointer.
Definition at line 298 of file winprocess.h.
BOOLEAN _WIN_PROCESS_OBJECT::ParentHasBeenHeapSprayed |
The parent process has been heap sprayed.
Definition at line 289 of file winprocess.h.
BOOLEAN _WIN_PROCESS_OBJECT::ParentHasEditedAcl |
The parent process has an altered ACL (SACL/DACL).
Definition at line 301 of file winprocess.h.
BOOLEAN _WIN_PROCESS_OBJECT::ParentHasPivotedStack |
The parent process has a pivoted stack.
Definition at line 281 of file winprocess.h.
BOOLEAN _WIN_PROCESS_OBJECT::ParentHasTokenPrivsAltered |
The parent process has the token privileges altered in a malicious way, most probably due to a privilege escalation.
Definition at line 293 of file winprocess.h.
BOOLEAN _WIN_PROCESS_OBJECT::ParentThreadSuspicious |
The parent thread start address was considered suspicious.
Definition at line 295 of file winprocess.h.
DWORD _WIN_PROCESS_OBJECT::ParentWow64 |
TRUE if the parent is a 32 bit process on a 64 bit OS.
Definition at line 146 of file winprocess.h.
Referenced by IntWinProcCreateProcessObject().
WINUM_PATH* _WIN_PROCESS_OBJECT::Path |
Will point inside the loaded modules list to the full process path.
Definition at line 111 of file winprocess.h.
Referenced by IntLogProcessInfo(), IntWinModHandleModulePathInMemory(), IntWinProcCreateProcessObject(), IntWinProcSwapIn(), IntWinProcSwapOut(), and IntWinProcUpdateProtection().
QWORD _WIN_PROCESS_OBJECT::Peb32Address |
PEB 32 address (on pure x64 processes, this will be 0).
Definition at line 104 of file winprocess.h.
Referenced by IntLogProcessInfo(), IntWinProcCreateProcessObject(), and IntWinUmCheckInitializationInjection().
DWORD _WIN_PROCESS_OBJECT::Peb32ContextWritten |
TRUE if the Process Environment Block (x86) context was written (valid only on Windows 7).
Definition at line 157 of file winprocess.h.
QWORD _WIN_PROCESS_OBJECT::Peb64Address |
PEB 64 address (on x86 OSes, this will be 0).
Definition at line 103 of file winprocess.h.
Referenced by IntLogProcessInfo(), IntWinProcCreateProcessObject(), and IntWinUmCheckInitializationInjection().
DWORD _WIN_PROCESS_OBJECT::Peb64ContextWritten |
TRUE if the Process Environment Block (x64) context was written (valid only on Windows 7).
Definition at line 160 of file winprocess.h.
BYTE _WIN_PROCESS_OBJECT::PebWrittenCount |
The number of writes to the PEB (Process Environment Block).
Definition at line 174 of file winprocess.h.
Referenced by IntWinUmCheckInitializationInjection().
DWORD _WIN_PROCESS_OBJECT::Pid |
Process ID (the one used by Windows).
Definition at line 100 of file winprocess.h.
Referenced by DbgLogCurrentProcess(), IntExceptUserLogWindowsInformation(), IntLogCriticalProcessHasDied(), IntLogProcessInfo(), IntWinAgentHandleAppVmcall(), IntWinAgentHandleDriverVmcall(), IntWinDagentHandleSuspModExecution(), IntWinGetProcCmdLineHandleBufferInMemory(), IntWinModHandleModulePathInMemory(), IntWinModHandleUserWrite(), IntWinProcCreateProcessObject(), IntWinProcDeleteProcessObject(), IntWinProcDump(), IntWinProcDumpVads(), IntWinProcFindObjectByPid(), IntWinProcGetAgentsAsCli(), IntWinProcGetObjectByPid(), IntWinProcHandleCopyMemory(), IntWinProcHandleCreate(), IntWinProcHandleCreateInternal(), IntWinProcHandleDuplicate(), IntWinProcSwapIn(), IntWinProcSwapOut(), IntWinProcUpdateProtection(), IntWinProcValidateSystemCr3(), IntWinSetUmExceptionEvent(), IntWinThrHandleThreadHijack(), IntWinTokenProtectPrivs(), and IntWinTokenPtrCheckIntegrityOnProcess().
BOOLEAN _WIN_PROCESS_OBJECT::PrivsChangeDetected |
Set to TRUE when a token privilege change has been detected. This is useful for DPI in the case where a write has been detected over the privileges but, because of the detect-only mechanism, we have overwritten the OriginalPresentPrivs and OriginalEnabledPrivs values; DPI would then not raise an alert on process creation, since it sees no change. For this reason, from the moment the privileges have changed and a detection took place on integrity, every process creation is analyzed in DPI.
Definition at line 342 of file winprocess.h.
BOOLEAN _WIN_PROCESS_OBJECT::PrivsChangeOneBit |
Set to TRUE when the difference between the Enabled and Present privileges is just one bit. On some OS versions, when a privilege is removed from a token belonging to a process, the kernel first clears the Present bit and only on the next instruction clears the Enabled bit, which creates a possible race condition: if the timer exit lands between those two instructions, we would wrongly raise a detection. For this reason, we set this variable if there is just a one-bit difference and expect the difference to be gone on the next timer check. If there is a one-bit difference again on the next exit, it is likely due to malicious behavior.
Definition at line 351 of file winprocess.h.
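As an added illustration (not HVI's own code), a constructed model of the two-exit debounce described above: a single privilege that is Enabled but no longer Present is tolerated for one timer check and reported only if it persists on the next exit or if more than one bit is off. The state struct, function names and bitmask values are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of the PrivsChangeOneBit debounce; hypothetical, not HVI's own code. */
typedef struct {
    bool PrivsChangeOneBit;  /* a one-bit Enabled/Present gap was seen on the previous check */
} PRIVS_RACE_STATE;

PRIVS_RACE_STATE gDemoState = { false };  /* state used by the stand-alone demo */

/* Privileges Enabled without being Present: for an intact token this set is empty. */
static uint64_t EnabledNotPresent(uint64_t present, uint64_t enabled)
{
    return enabled & ~present;
}

static bool IsSingleBit(uint64_t v)
{
    return v != 0 && (v & (v - 1)) == 0;
}

/* One timer-driven integrity check. Returns true when a detection should be raised. */
bool PrivsTimerCheck(PRIVS_RACE_STATE *state, uint64_t present, uint64_t enabled)
{
    uint64_t gap = EnabledNotPresent(present, enabled);

    if (gap == 0) {
        /* Consistent again: any earlier one-bit gap was the kernel caught mid-removal. */
        state->PrivsChangeOneBit = false;
        return false;
    }
    if (IsSingleBit(gap) && !state->PrivsChangeOneBit) {
        /* First sighting: may be the Present-then-Enabled removal race; wait one more exit. */
        state->PrivsChangeOneBit = true;
        return false;
    }
    /* Either the one-bit gap persisted across two exits or more than one bit is off:
     * the two-instruction race cannot explain it, so report it. */
    state->PrivsChangeOneBit = false;
    return true;
}
```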
DWORD _WIN_PROCESS_OBJECT::ProtBeta |
Process is monitored, but in log-only mode so no actions will be blocked.
Definition at line 226 of file winprocess.h.
DWORD _WIN_PROCESS_OBJECT::ProtCoreModules |
Protect the core modules loaded by the process.
Definition at line 205 of file winprocess.h.
Referenced by IntWinModHandleModulePathInMemory().
DWORD _WIN_PROCESS_OBJECT::ProtCreation |
Prevent this process from creating child processes (other than other instances of itself).
Definition at line 215 of file winprocess.h.
DWORD _WIN_PROCESS_OBJECT::ProtDoubleAgent |
Protect the process against double agent attacks.
Definition at line 217 of file winprocess.h.
DWORD _WIN_PROCESS_OBJECT::Protected |
TRUE if this is a protected process. If this is FALSE, most of the above fields aren't used at all.
Definition at line 130 of file winprocess.h.
Referenced by IntLogCriticalProcessHasDied(), IntWinCrashHandleDepViolation(), IntWinModHandleModuleHeadersInMemory(), IntWinProcCreateProcessObject(), IntWinProcDeleteProcessObject(), IntWinProcHandleCopyMemory(), IntWinProcUninit(), IntWinProcUpdateProtection(), IntWinSetUmExceptionEvent(), IntWinThrHandleQueueApc(), IntWinThrHandleThreadHijack(), and IntWinVadHandleCommit().
DWORD _WIN_PROCESS_OBJECT::ProtectionMask |
Protection mask: tells us what level of protection will be activated for this process.
Definition at line 200 of file winprocess.h.
Referenced by IntWinGetPrcoCmdLineHandleCmdLineInMemory(), IntWinGetProcCmdLineHandleBufferInMemory(), IntWinProcCreateProcessObject(), IntWinProcDump(), and IntWinProcUpdateProtection().
DWORD _WIN_PROCESS_OBJECT::ProtExploits |
Protect the process against exploits.
Definition at line 209 of file winprocess.h.
Referenced by IntWinCrashHandleDepViolation(), IntWinVadHandlePageExecution(), IntWinVadHandleProtectGeneric(), and IntWinVadHandleVirtualProtect().
DWORD _WIN_PROCESS_OBJECT::ProtInstrument |
Protect the process against instrumentation callback attacks.
Definition at line 219 of file winprocess.h.
DWORD _WIN_PROCESS_OBJECT::ProtKillExploit |
The process will be killed if an exploit is detected.
Definition at line 224 of file winprocess.h.
Referenced by IntWinVadHandlePageExecution().
DWORD _WIN_PROCESS_OBJECT::ProtQueueApc |
Protect APC Queue of the process (APC hijacking).
Definition at line 213 of file winprocess.h.
Referenced by IntWinThrHandleQueueApc().
DWORD _WIN_PROCESS_OBJECT::ProtRemediate |
Any event inside the process will trigger the injection of the remediation tool.
Definition at line 222 of file winprocess.h.
DWORD _WIN_PROCESS_OBJECT::ProtReserved1 |
RESERVED.
Definition at line 204 of file winprocess.h.
DWORD _WIN_PROCESS_OBJECT::ProtReserved2 |
RESERVED.
Definition at line 220 of file winprocess.h.
DWORD _WIN_PROCESS_OBJECT::ProtScanCmdLine |
Scan the cmd line of the process.
Definition at line 218 of file winprocess.h.
DWORD _WIN_PROCESS_OBJECT::ProtThreadCtx |
Protect the thread context (protection against thread hijacking).
Definition at line 211 of file winprocess.h.
Referenced by IntWinThrHandleThreadHijack().
DWORD _WIN_PROCESS_OBJECT::ProtUnpack |
Protect process against unpacking attempts.
Definition at line 206 of file winprocess.h.
Referenced by IntWinModHandleModulePathInMemory().
DWORD _WIN_PROCESS_OBJECT::ProtWriteMem |
Protect the process memory against writes.
Definition at line 207 of file winprocess.h.
Referenced by IntWinProcHandleCopyMemory().
DWORD _WIN_PROCESS_OBJECT::ProtWsockModules |
Protect the Windows Socket related modules.
Definition at line 208 of file winprocess.h.
Referenced by IntWinModHandleModulePathInMemory().
BYTE _WIN_PROCESS_OBJECT::RawBuffer[INTRO_SECURITY_DESCRIPTOR_SIZE] |
The entire security descriptor contents.
Definition at line 359 of file winprocess.h.
DWORD _WIN_PROCESS_OBJECT::RawBufferSize |
The actual used size of RawBuffer.
Definition at line 362 of file winprocess.h.
QWORD _WIN_PROCESS_OBJECT::RealParentEprocess |
The active EPROCESS at the moment of creation.
Definition at line 92 of file winprocess.h.
Referenced by IntLogProcessInfo(), IntWinProcCreateProcessObject(), IntWinProcDeleteProcessObject(), IntWinProcDump(), IntWinProcSwapIn(), and IntWinProcSwapOut().
ACL _WIN_PROCESS_OBJECT::Sacl |
The System Access Control List header.
Definition at line 365 of file winprocess.h.
struct { ... } _WIN_PROCESS_OBJECT::SecurityDescriptor |
QWORD _WIN_PROCESS_OBJECT::SecurityDescriptorGva |
Security descriptor address.
Definition at line 356 of file winprocess.h.
QWORD _WIN_PROCESS_OBJECT::SelfMapEntryValue |
The self mapping memory entry value.
Definition at line 262 of file winprocess.h.
void* _WIN_PROCESS_OBJECT::SelfMapHook |
The self mapping memory hook.
Definition at line 259 of file winprocess.h.
Referenced by IntWinSelfMapEnableSelfMapEntryProtection(), and IntWinSelfMapHandleCr3SelfMapWrite().
BOOLEAN _WIN_PROCESS_OBJECT::SkipPrivsNextCheck |
Signals whether the next privileges check on integrity should be skipped for the current process. It is set if, for example, we could not fetch the privileges when the process was created.
Definition at line 334 of file winprocess.h.
DWORD _WIN_PROCESS_OBJECT::StartInitializing |
TRUE if the process actually started initializing (there is a time window from the moment we add it to our lists to the point when it actually starts its initialization steps, during which the process is "invalid").
Definition at line 151 of file winprocess.h.
Referenced by IntWinProcCreateProcessObject(), IntWinProcHandleCopyMemory(), and IntWinUmCheckInitializationInjection().
DWORD _WIN_PROCESS_OBJECT::StaticDetected |
TRUE if the process was detected using a static scan (during static init).
Definition at line 140 of file winprocess.h.
Referenced by IntWinProcCreateProcessObject().
PWIN_PROCESS_SUBSYSTEM _WIN_PROCESS_OBJECT::Subsystemx64 |
The x64 subsystem. Note that a 32 bit process on a 64 bit OS may have both subsystems valid. In that case, we need to handle & protect both of them.
Definition at line 312 of file winprocess.h.
Referenced by IntWinProcCreateProcessObject(), and IntWinProcDump().
PWIN_PROCESS_SUBSYSTEM _WIN_PROCESS_OBJECT::Subsystemx86 |
The x86 subsystem. Note that a 32 bit process on a 64 bit OS may have both subsystems valid. In that case, we need to handle & protect both of them.
Definition at line 308 of file winprocess.h.
Referenced by IntWinProcCreateProcessObject(), and IntWinProcDump().
DWORD _WIN_PROCESS_OBJECT::SystemProcess |
TRUE if this is a system process.
Definition at line 136 of file winprocess.h.
Referenced by IntWinCrashHandleDepViolation(), IntWinModHandleModulePathInMemory(), IntWinModPolyHandler(), IntWinProcCreateProcessObject(), IntWinProcDump(), IntWinProcFindObjectByName(), IntWinProcHandleCopyMemory(), IntWinProcSwapIn(), IntWinProcSwapOut(), IntWinProcUpdateProtection(), and IntWinSelfMapHandleCr3SelfMapWrite().
DWORD _WIN_PROCESS_OBJECT::Terminating |
TRUE if the process is terminating (cleanup pending).
Definition at line 126 of file winprocess.h.
Referenced by IntWinProcDeleteProcessObject(), and IntWinProcUninit().
void* _WIN_PROCESS_OBJECT::TokenHook |
Hook object for the EPT hook over the nt!_TOKEN Privileges field.
Definition at line 314 of file winprocess.h.
Referenced by IntWinTokenUnprotectPrivs().
QWORD _WIN_PROCESS_OBJECT::TokenStolenFromEprocess |
This will keep the EPROCESS of the process from which the current process stole the token.
Definition at line 287 of file winprocess.h.
Referenced by IntWinDpiValidateParentProcessToken().
void* _WIN_PROCESS_OBJECT::TokenSwapHook |
Hook object for notifications on the swap-in/swap-out of the current process TOKEN. We need this hook so that, on every translation modification of the current TOKEN, we can verify whether it is still assigned to the current process. The token might get deallocated in the meantime and its page reused, for example, to map other physical pages, which would lead to translation violations when the hashes of the contents are checked. For this reason, on every translation modification event we verify whether the current token is still in use, and re-establish the hook over the token if it was previously deallocated.
Definition at line 322 of file winprocess.h.
Referenced by IntWinTokenUnprotectPrivs().
DWORD _WIN_PROCESS_OBJECT::UnpackProtected |
TRUE if the main module has been protected against unpacks.
Definition at line 133 of file winprocess.h.
Referenced by IntWinModHandleMainModuleInMemory().
QWORD _WIN_PROCESS_OBJECT::UserCr3 |
Process user PDBR. Includes PCID.
Definition at line 99 of file winprocess.h.
Referenced by IntDispatchVeAsEpt(), IntLogCriticalProcessHasDied(), IntLogProcessInfo(), IntWinModHandleUserWrite(), IntWinProcCreateProcessObject(), IntWinProcDeleteProcessObject(), IntWinProcFindObjectByUserCr3(), IntWinProcHandleInstrument(), IntWinProcRbTreeNodeCompareUserCr3(), IntWinProcSwapIn(), IntWinProcSwapOut(), and IntWinSelfMapHandleCr3SelfMapWrite().
void* _WIN_PROCESS_OBJECT::UserCr3PageLockObject |
The UserCR3 will be locked in memory, to prevent the OS from dynamically modifying the CR3 of a running process.
Definition at line 241 of file winprocess.h.
QWORD _WIN_PROCESS_OBJECT::UserSelfMapEntryValue |
The user self mapping memory entry value.
Definition at line 263 of file winprocess.h.
void* _WIN_PROCESS_OBJECT::UserSelfMapHook |
The user self mapping memory hook.
Definition at line 260 of file winprocess.h.
Referenced by IntWinSelfMapEnableSelfMapEntryProtection(), and IntWinSelfMapHandleCr3SelfMapWrite().
LIST_HEAD* _WIN_PROCESS_OBJECT::VadPages |
Vad pages Hash-Table.
Definition at line 245 of file winprocess.h.
RBTREE _WIN_PROCESS_OBJECT::VadTree |
RB-Tree of process VADs.
Definition at line 243 of file winprocess.h.
void* _WIN_PROCESS_OBJECT::VasMonRoot |
Virtual Address Space monitor root.
Definition at line 244 of file winprocess.h.
DWORD _WIN_PROCESS_OBJECT::Wow64Process |
TRUE if this is a 32 bit process on a 64 bit OS.
Definition at line 125 of file winprocess.h.
Referenced by IntExceptVerifyCodeBlocksSig(), IntExceptVerifyExportSig(), IntExceptVerifyValueCodeSig(), IntExceptVerifyValueSig(), IntWinGetPrcoCmdLineHandleCmdLineInMemory(), IntWinGetPrcoCmdLineHandleUserParamsInMemory(), IntWinModHandleModulePathInMemory(), IntWinProcCreateProcessObject(), IntWinProcDump(), IntWinProcHandleInstrument(), IntWinThrHandleQueueApc(), IntWinThrHandleThreadHijack(), and IntWinUmCheckInitializationInjection().