Bitdefender Hypervisor Memory Introspection
Functions

INTSTATUS IntWinGetStartUpTime (QWORD *StartUpTime)
    Gets the system startup time.
static void IntWinDumpPrivilegesMask (QWORD Mask)
    Prints the names of the available privileges.
INTSTATUS IntWinDumpPrivileges (INTRO_TOKEN_PRIVILEGES const *Privileges)
    Prints an INTRO_TOKEN_PRIVILEGES structure.
INTSTATUS IntWinReadSid (QWORD SidAndAttributesGva, INTRO_SID_ATTRIBUTES *Sid)
    Reads the contents of a _SID_AND_ATTRIBUTES Windows structure.
INTSTATUS IntWinReadToken (QWORD TokenGva, INTRO_WIN_TOKEN *Token)
    Reads the contents of a _TOKEN Windows structure.
INTSTATUS IntWinGetAccessTokenFromProcess (DWORD ProcessId, QWORD EprocessGva, INTRO_WIN_TOKEN *Token)
    Reads the contents of the _TOKEN Windows structure assigned to a process.
INTSTATUS IntWinGetAccesTokenFromThread (QWORD EthreadGva, INTRO_WIN_TOKEN *Token)
    Reads the contents of the _TOKEN Windows structure assigned to a thread.
void IntWinDumpSid (INTRO_SID_ATTRIBUTES const *Sid)
    Prints an INTRO_SID_ATTRIBUTES structure.
void IntWinDumpToken (INTRO_WIN_TOKEN const *Token)
    Prints an INTRO_WIN_TOKEN structure.
INTSTATUS IntWinDumpPrivileges (INTRO_TOKEN_PRIVILEGES const *Privileges)

Prints an INTRO_TOKEN_PRIVILEGES structure.

Parameters:
[in] | Privileges | Pointer to the structure to dump. This is obtained from an INTRO_WIN_TOKEN structure.

Return values:
INT_STATUS_SUCCESS | in case of success.
INT_STATUS_INVALID_PARAMETER_1 | if Privileges is NULL.

Definition at line 164 of file visibility.c.
Referenced by IntWinDumpToken().
static void IntWinDumpPrivilegesMask (QWORD Mask)

Prints the names of the available privileges.
See https://docs.microsoft.com/en-us/windows/win32/secauthz/privilege-constants

Parameters:
[in] | Mask | Bitfield of privileges. This is one of the INTRO_TOKEN_PRIVILEGES fields.

Definition at line 92 of file visibility.c.
Referenced by IntWinDumpPrivileges().
void IntWinDumpSid (INTRO_SID_ATTRIBUTES const *Sid)

Prints an INTRO_SID_ATTRIBUTES structure.

Parameters:
[in] | Sid | Pointer to the INTRO_SID_ATTRIBUTES structure to print.

Definition at line 583 of file visibility.c.
Referenced by IntWinDumpToken().
void IntWinDumpToken (INTRO_WIN_TOKEN const *Token)

Prints an INTRO_WIN_TOKEN structure.

Parameters:
[in] | Token | Pointer to the INTRO_WIN_TOKEN structure to print.

Definition at line 626 of file visibility.c.
Referenced by DbgDumpEthreadToken(), and DbgDumpProcToken().
INTSTATUS IntWinGetAccessTokenFromProcess (DWORD ProcessId, QWORD EprocessGva, INTRO_WIN_TOKEN *Token)

Reads the contents of the _TOKEN Windows structure assigned to a process.

This function obtains the address of the _TOKEN structure associated with the given process and then uses IntWinReadToken to read it. Note that the pointer saved inside _EPROCESS is an _EX_FAST_REF (see EX_FAST_REF_TO_PTR), so the reference-count bits must be stripped before it is used as an address.

Parameters:
[in] | ProcessId | The ID of the process. If EprocessGva is 0, the process is looked up by this ID; ignored if EprocessGva is not 0.
[in] | EprocessGva | The guest virtual address of the _EPROCESS structure from which to obtain the token. If 0, ProcessId is used to find the process.
[out] | Token | On success, will contain the _TOKEN structure.

Definition at line 458 of file visibility.c.
Referenced by DbgDumpProcToken(), and IntAlertFillWinProcess().
INTSTATUS IntWinGetAccesTokenFromThread (QWORD EthreadGva, INTRO_WIN_TOKEN *Token)

Reads the contents of the _TOKEN Windows structure assigned to a thread.

This function obtains the address of the _TOKEN structure associated with the given thread and then uses IntWinReadToken to read it. Note that the pointer saved inside _ETHREAD is a _PS_CLIENT_SECURITY_CONTEXT; bits [0:2] must be cleared before it is used as a pointer.

Parameters:
[in] | EthreadGva | The guest virtual address of the _ETHREAD structure from which to obtain the token.
[out] | Token | On success, will contain the _TOKEN structure.

Definition at line 524 of file visibility.c.
Referenced by DbgDumpEthreadToken(), and IntAlertFillWinProcess().
INTSTATUS IntWinGetStartUpTime (QWORD *StartUpTime)

Gets the system startup time.

This returns the creation time of the system process, which is a Windows FILETIME structure (see https://docs.microsoft.com/en-us/windows/win32/api/minwinbase/ns-minwinbase-filetime). The value remains unchanged across sleep/hibernate events, as the system process remains the same. Note that the CreationTime field in _EPROCESS does not seem to have the same meaning for other processes.

Parameters:
[out] | StartUpTime | The startup time as a FILETIME value.

Return values:
INT_STATUS_SUCCESS | in case of success.
INT_STATUS_INVALID_PARAMETER_1 | if StartUpTime is NULL.
INT_STATUS_NOT_INITIALIZED | if the system process is not yet started.

Definition at line 14 of file visibility.c.
Referenced by IntGuestGetInfo().
INTSTATUS IntWinReadSid (QWORD SidAndAttributesGva, INTRO_SID_ATTRIBUTES *Sid)

Reads the contents of a _SID_AND_ATTRIBUTES Windows structure.

If the SubAuthority array inside the guest structure contains more than INTRO_WIN_SID_MAX_SUB_AUTHORITIES entries, only the first INTRO_WIN_SID_MAX_SUB_AUTHORITIES entries are read.

Parameters:
[in] | SidAndAttributesGva | Guest virtual address of the _SID_AND_ATTRIBUTES structure.
[out] | Sid | On success, will contain the _SID_AND_ATTRIBUTES structure.

Return values:
INT_STATUS_SUCCESS | in case of success.
INT_STATUS_INVALID_PARAMETER_1 | if SidAndAttributesGva is not a kernel pointer.
INT_STATUS_INVALID_PARAMETER_2 | if Sid is NULL.
INT_STATUS_INVALID_DATA_VALUE | if pointers inside the guest _SID_AND_ATTRIBUTES structure are not valid kernel pointers.

Definition at line 197 of file visibility.c.
Referenced by IntWinReadToken().
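As an added example (not HVMI's own code), the following C parses a raw Windows _SID the way IntWinReadSid must, capping the sub-authorities it keeps and flagging the truncation, and shows the pointer masking noted for _PS_CLIENT_SECURITY_CONTEXT and _EX_FAST_REF above. The cap value, the helper names, the sample bytes and the 4-bit _EX_FAST_REF width on 64-bit Windows are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Cap on sub-authorities kept, mirroring INTRO_WIN_SID_MAX_SUB_AUTHORITIES (value assumed). */
#define SID_MAX_SUB_AUTHORITIES 15

typedef struct {
    uint8_t  Revision;
    uint8_t  SubAuthorityCount;      /* count as stored in the guest; may exceed the cap */
    uint8_t  IdentifierAuthority[6]; /* 48-bit big-endian value */
    uint32_t SubAuthority[SID_MAX_SUB_AUTHORITIES];
    int      Truncated;              /* set when the guest SID had more entries than kept */
} parsed_sid_t;

/* Token pointers in the guest carry reference bits that must be cleared before use:
 * _PS_CLIENT_SECURITY_CONTEXT uses bits [0:2]; 64-bit _EX_FAST_REF uses the low 4 bits (assumed). */
static uint64_t client_security_to_ptr(uint64_t ctx) { return ctx & ~0x7ULL; }
static uint64_t ex_fast_ref_to_ptr(uint64_t ref)     { return ref & ~0xFULL; }

/* Parse raw _SID bytes read from guest memory. Returns 0 on success, -1 if the buffer is short. */
int parse_sid(const uint8_t *buf, size_t len, parsed_sid_t *out)
{
    if (len < 8) return -1;               /* Revision, SubAuthorityCount, IdentifierAuthority */
    memset(out, 0, sizeof(*out));
    out->Revision = buf[0];
    out->SubAuthorityCount = buf[1];
    memcpy(out->IdentifierAuthority, buf + 2, 6);
    uint8_t keep = out->SubAuthorityCount;
    if (keep > SID_MAX_SUB_AUTHORITIES) { keep = SID_MAX_SUB_AUTHORITIES; out->Truncated = 1; }
    if (len < 8 + (size_t)keep * 4) return -1;
    for (uint8_t i = 0; i < keep; i++) {  /* sub-authorities are little-endian DWORDs */
        const uint8_t *p = buf + 8 + i * 4;
        out->SubAuthority[i] = (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    }
    return 0;
}

/* Render as S-R-I-S... text; only the retained sub-authorities are printed. Returns chars written. */
int sid_to_string(const parsed_sid_t *sid, char *dst, size_t dstlen)
{
    uint64_t ia = 0;
    for (int i = 0; i < 6; i++) ia = (ia << 8) | sid->IdentifierAuthority[i];
    int n = snprintf(dst, dstlen, "S-%u-%llu", (unsigned)sid->Revision, (unsigned long long)ia);
    uint8_t keep = sid->SubAuthorityCount > SID_MAX_SUB_AUTHORITIES ? SID_MAX_SUB_AUTHORITIES : sid->SubAuthorityCount;
    for (uint8_t i = 0; i < keep && n > 0 && (size_t)n < dstlen; i++)
        n += snprintf(dst + n, dstlen - n, "-%u", (unsigned)sid->SubAuthority[i]);
    return n;
}
/* Constructed sample: BUILTIN\Administrators (S-1-5-32-544) as it is laid out in memory. */
static const uint8_t SAMPLE_ADMINS_SID[16] = { 0x01, 0x02, 0,0,0,0,0,0x05, 0x20,0,0,0, 0x20,0x02,0,0 };
```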
INTSTATUS IntWinReadToken (QWORD TokenGva, INTRO_WIN_TOKEN *Token)

Reads the contents of a _TOKEN Windows structure.

If the Sid or RestrictedSid arrays inside the guest have more than INTRO_SIDS_MAX_COUNT entries, only the first INTRO_SIDS_MAX_COUNT entries are read and the SidsBufferTooSmall or RestrictedSidsBufferTooSmall field, respectively, is set to True.

Parameters:
[in] | TokenGva | Guest virtual address from which to read the _TOKEN structure.
[out] | Token | On success, will contain the _TOKEN structure.

Return values:
INT_STATUS_SUCCESS | in case of success.
INT_STATUS_INVALID_PARAMETER_1 | if TokenGva is not a valid kernel pointer.
INT_STATUS_INVALID_PARAMETER_2 | if Token is NULL.
INT_STATUS_NOT_FOUND | if parts of the structure could not be read.

Definition at line 279 of file visibility.c.
Referenced by IntWinGetAccessTokenFromProcess(), and IntWinGetAccesTokenFromThread().