Bitdefender Hypervisor Memory Introspection
visibility.c File Reference
#include "visibility.h"
#include "guests.h"
#include "winprocesshp.h"


Functions

INTSTATUS IntWinGetStartUpTime (QWORD *StartUpTime)
 Gets the system startup time.
 
static void IntWinDumpPrivilegesMask (QWORD Mask)
 Prints the names of the privileges available.
 
INTSTATUS IntWinDumpPrivileges (INTRO_TOKEN_PRIVILEGES const *Privileges)
 Prints an INTRO_TOKEN_PRIVILEGES structure.
 
INTSTATUS IntWinReadSid (QWORD SidAndAttributesGva, INTRO_SID_ATTRIBUTES *Sid)
 Reads the contents of a _SID_AND_ATTRIBUTES Windows structure.
 
INTSTATUS IntWinReadToken (QWORD TokenGva, INTRO_WIN_TOKEN *Token)
 Reads the contents of a _TOKEN Windows structure.
 
INTSTATUS IntWinGetAccessTokenFromProcess (DWORD ProcessId, QWORD EprocessGva, INTRO_WIN_TOKEN *Token)
 Reads the contents of the _TOKEN Windows structure assigned to a process.
 
INTSTATUS IntWinGetAccesTokenFromThread (QWORD EthreadGva, INTRO_WIN_TOKEN *Token)
 Reads the contents of the _TOKEN Windows structure assigned to a thread.
 
void IntWinDumpSid (INTRO_SID_ATTRIBUTES const *Sid)
 Prints an INTRO_SID_ATTRIBUTES structure.
 
void IntWinDumpToken (INTRO_WIN_TOKEN const *Token)
 Prints an INTRO_WIN_TOKEN structure.
 

Function Documentation

◆ IntWinDumpPrivileges()

INTSTATUS IntWinDumpPrivileges ( INTRO_TOKEN_PRIVILEGES const *  Privileges)

Prints an INTRO_TOKEN_PRIVILEGES structure.

Parameters
  [in]  Privileges  Pointer to the structure to dump. This is obtained from an INTRO_WIN_TOKEN structure.
Return values
  INT_STATUS_SUCCESS              in case of success.
  INT_STATUS_INVALID_PARAMETER_1  if Privileges is NULL.

Definition at line 164 of file visibility.c.

Referenced by IntWinDumpToken().

◆ IntWinDumpPrivilegesMask()

static void IntWinDumpPrivilegesMask ( QWORD  Mask)

Prints the names of the privileges available.

See https://docs.microsoft.com/en-us/windows/win32/secauthz/privilege-constants

Parameters
  [in]  Mask  Bitfield of privileges. This is one of the INTRO_TOKEN_PRIVILEGES fields.

Definition at line 92 of file visibility.c.

Referenced by IntWinDumpPrivileges().

◆ IntWinDumpSid()

void IntWinDumpSid ( INTRO_SID_ATTRIBUTES const *  Sid)

Prints an INTRO_SID_ATTRIBUTES structure.

Parameters
  [in]  Sid  Pointer to the INTRO_SID_ATTRIBUTES structure to print.

Definition at line 583 of file visibility.c.

Referenced by IntWinDumpToken().

◆ IntWinDumpToken()

void IntWinDumpToken ( INTRO_WIN_TOKEN const *  Token)

Prints an INTRO_WIN_TOKEN structure.

Parameters
  [in]  Token  Pointer to the INTRO_WIN_TOKEN structure to print.

Definition at line 626 of file visibility.c.

Referenced by DbgDumpEthreadToken(), and DbgDumpProcToken().

◆ IntWinGetAccessTokenFromProcess()

INTSTATUS IntWinGetAccessTokenFromProcess ( DWORD  ProcessId,
QWORD  EprocessGva,
INTRO_WIN_TOKEN *  Token 
)

Reads the contents of the _TOKEN Windows structure assigned to a process.

This function obtains the address of the _TOKEN structure associated with the given process and then uses IntWinReadToken to read it. Note that the pointer saved inside _EPROCESS is an _EX_FAST_REF, so the reference-count bits must be stripped before it is used as a pointer (see EX_FAST_REF_TO_PTR).

Parameters
  [in]   ProcessId    The ID of the process. If EprocessGva is 0, the process is looked up by this ID; ignored if EprocessGva is not 0.
  [in]   EprocessGva  The guest virtual address of the _EPROCESS structure from which to obtain the token. If 0, ProcessId is used to find the process.
  [out]  Token        On success, will contain the _TOKEN structure.
Returns
INT_STATUS_SUCCESS if successful, or an appropriate INTSTATUS error value

Definition at line 458 of file visibility.c.

Referenced by DbgDumpProcToken(), and IntAlertFillWinProcess().

◆ IntWinGetAccesTokenFromThread()

INTSTATUS IntWinGetAccesTokenFromThread ( QWORD  EthreadGva,
INTRO_WIN_TOKEN *  Token 
)

Reads the contents of the _TOKEN Windows structure assigned to a thread.

This function obtains the address of the _TOKEN structure associated with the given thread and then uses IntWinReadToken to read it. Note that the pointer saved inside _ETHREAD is a _PS_CLIENT_SECURITY_CONTEXT, so bits [0:2] must be cleared before using it as a pointer.

Parameters
  [in]   EthreadGva  The guest virtual address of the _ETHREAD structure from which to obtain the token.
  [out]  Token       On success, will contain the _TOKEN structure.
Returns
INT_STATUS_SUCCESS if successful, or an appropriate INTSTATUS error value

Definition at line 524 of file visibility.c.

Referenced by DbgDumpEthreadToken(), and IntAlertFillWinProcess().

◆ IntWinGetStartUpTime()

INTSTATUS IntWinGetStartUpTime ( QWORD *  StartUpTime)

Gets the system startup time.

This will return the creation time of the system process, which is a Windows FILETIME structure (see https://docs.microsoft.com/en-us/windows/win32/api/minwinbase/ns-minwinbase-filetime). This remains unchanged across sleep/hibernate events, as the system process remains the same. Note that the CreationTime field in _EPROCESS does not appear to have the same meaning for other processes.

Parameters
  [out]  StartUpTime  The startup time as a FILETIME value.
Return values
  INT_STATUS_SUCCESS              in case of success.
  INT_STATUS_INVALID_PARAMETER_1  if StartUpTime is NULL.
  INT_STATUS_NOT_INITIALIZED      if the system process is not yet started.

Definition at line 14 of file visibility.c.

Referenced by IntGuestGetInfo().

◆ IntWinReadSid()

INTSTATUS IntWinReadSid ( QWORD  SidAndAttributesGva,
INTRO_SID_ATTRIBUTES *  Sid 
)

Reads the contents of a _SID_AND_ATTRIBUTES Windows structure.

If the SubAuthority array inside the guest structure contains more than INTRO_WIN_SID_MAX_SUB_AUTHORITIES entries, only the first INTRO_WIN_SID_MAX_SUB_AUTHORITIES entries will be read.

Parameters
  [in]   SidAndAttributesGva  Guest virtual address of the _SID_AND_ATTRIBUTES structure.
  [out]  Sid                  On success, will contain the _SID_AND_ATTRIBUTES structure.
Return values
  INT_STATUS_SUCCESS              in case of success.
  INT_STATUS_INVALID_PARAMETER_1  if SidAndAttributesGva is not a kernel pointer.
  INT_STATUS_INVALID_PARAMETER_2  if Sid is NULL.
  INT_STATUS_INVALID_DATA_VALUE   if pointers inside the guest _SID_AND_ATTRIBUTES structure are not valid kernel pointers.

Definition at line 197 of file visibility.c.

Referenced by IntWinReadToken().
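The two token-pointer encodings described above (the _EX_FAST_REF in _EPROCESS and the _PS_CLIENT_SECURITY_CONTEXT in _ETHREAD) together with the capped sub-authority read performed by IntWinReadSid, as an added example in C that is not HVMI's own code. The kernel-pointer threshold, the number of low bits an EX_FAST_REF uses on x64, the MAX_SUB_AUTHORITIES value and all function names are assumptions made for this example; the raw _SID layout and little-endian host/guest are assumed as well.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical constants for this example (not HVMI's own definitions). */
#define KERNEL_PTR_MIN         0xFFFF800000000000ULL /* x64 kernel half, assumption */
#define EX_FAST_REF_LOW_BITS   0xFULL /* assumption: x64 EX_FAST_REF keeps a 4-bit refcount */
#define PS_CLIENT_CTX_LOW_BITS 0x7ULL /* bits [0:2] of _PS_CLIENT_SECURITY_CONTEXT, per the docs */
#define MAX_SUB_AUTHORITIES    15     /* stands in for INTRO_WIN_SID_MAX_SUB_AUTHORITIES */
#define IS_KERNEL_PTR(p)       ((p) >= KERNEL_PTR_MIN)

/* _EPROCESS.Token is an EX_FAST_REF: strip the refcount bits, reject non-kernel results. */
uint64_t token_from_eprocess_fastref(uint64_t fastref) {
    uint64_t ptr = fastref & ~EX_FAST_REF_LOW_BITS;
    return IS_KERNEL_PTR(ptr) ? ptr : 0;
}
/* _ETHREAD impersonation token sits in a _PS_CLIENT_SECURITY_CONTEXT: clear bits [0:2]. */
uint64_t token_from_thread_ctx(uint64_t ctx) {
    uint64_t ptr = ctx & ~PS_CLIENT_CTX_LOW_BITS;
    return IS_KERNEL_PTR(ptr) ? ptr : 0;
}

typedef struct {
    uint8_t  revision, sub_count;   /* sub_count = entries actually copied */
    uint8_t  authority[6];          /* big-endian IdentifierAuthority */
    uint32_t sub[MAX_SUB_AUTHORITIES];
    bool     truncated;             /* guest SID had more entries than we keep */
} parsed_sid;

/* Parse a raw _SID image: Revision, SubAuthorityCount, IdentifierAuthority[6], SubAuthority[]. */
int parse_sid(const uint8_t *buf, size_t len, parsed_sid *out) {
    if (!buf || !out || len < 8 || buf[0] != 1) return -1;   /* SID_REVISION is 1 */
    memset(out, 0, sizeof *out);
    out->revision = buf[0];
    uint8_t n = buf[1];
    if (n > MAX_SUB_AUTHORITIES) { out->truncated = true; n = MAX_SUB_AUTHORITIES; }
    if (len < 8 + 4u * n) return -1;            /* guest buffer shorter than it claims */
    memcpy(out->authority, buf + 2, 6);
    for (uint8_t i = 0; i < n; i++) memcpy(&out->sub[i], buf + 8 + 4u * i, 4);
    out->sub_count = n;
    return 0;
}
/* Render as S-R-A-S1-...; assumes the 48-bit authority fits in 32 bits (true for NT SIDs). */
int format_sid(const parsed_sid *s, char *dst, size_t cap) {
    uint32_t auth = ((uint32_t)s->authority[2] << 24) | ((uint32_t)s->authority[3] << 16) |
                    ((uint32_t)s->authority[4] << 8) | s->authority[5];
    int n = snprintf(dst, cap, "S-%u-%u", s->revision, auth);
    for (uint8_t i = 0; i < s->sub_count && n >= 0 && (size_t)n < cap; i++)
        n += snprintf(dst + n, cap - n, "-%u", s->sub[i]);
    return n;
}
```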

◆ IntWinReadToken()

INTSTATUS IntWinReadToken ( QWORD  TokenGva,
INTRO_WIN_TOKEN *  Token 
)

Reads the contents of a _TOKEN Windows structure.

If the Sid or RestrictedSid arrays inside the guest have more than INTRO_SIDS_MAX_COUNT entries, only the first INTRO_SIDS_MAX_COUNT entries will be read and the SidsBufferTooSmall or RestrictedSidsBufferTooSmall flag, respectively, will be set to True.

Parameters
  [in]   TokenGva  Guest virtual address from which to read the _TOKEN structure.
  [out]  Token     On success, will contain the _TOKEN structure.
Return values
  INT_STATUS_SUCCESS              in case of success.
  INT_STATUS_INVALID_PARAMETER_1  if TokenGva is not a valid kernel pointer.
  INT_STATUS_INVALID_PARAMETER_2  if Token is NULL.
  INT_STATUS_NOT_FOUND            if parts of the structure could not be read.

Definition at line 279 of file visibility.c.

Referenced by IntWinGetAccessTokenFromProcess(), and IntWinGetAccesTokenFromThread().