Bitdefender Hypervisor Memory Introspection
#include "introcore.h"
INTSTATUS | IntWinGetStartUpTime (QWORD *StartUpTime) |
Gets the system startup time. More... | |
INTSTATUS | IntWinDumpPrivileges (INTRO_TOKEN_PRIVILEGES const *Privileges) |
Prints an INTRO_TOKEN_PRIVILEGES structure. More... | |
INTSTATUS | IntWinReadSid (QWORD SidAndAttributesGva, INTRO_SID_ATTRIBUTES *Sid) |
Reads the contents of a _SID_AND_ATTRIBUTES Windows structure. More... | |
INTSTATUS | IntWinReadToken (QWORD TokenGva, INTRO_WIN_TOKEN *Token) |
Reads the contents of a _TOKEN Windows structure. More... | |
INTSTATUS | IntWinGetAccessTokenFromProcess (DWORD ProcessId, QWORD EprocessGva, INTRO_WIN_TOKEN *Token) |
Reads the contents of a _TOKEN Windows structure assigned to a process. More... | |
INTSTATUS | IntWinGetAccesTokenFromThread (QWORD EthreadGva, INTRO_WIN_TOKEN *Token) |
Reads the contents of a _TOKEN Windows structure assigned to a thread. More... | |
void | IntWinDumpToken (INTRO_WIN_TOKEN const *Token) |
Prints an INTRO_WIN_TOKEN structure. More... | |
void | IntWinDumpSid (INTRO_SID_ATTRIBUTES const *Sid) |
Prints an INTRO_SID_ATTRIBUTES structure. More... | |
#define FIRST_KNOWN_PRIVILEGE 02 |
Definition at line 54 of file visibility.h.
#define LAST_KNOWN_PRIVILEGE 35 |
Definition at line 55 of file visibility.h.
#define PRIV_ASSIGN_PRIMARY_TOKEN BIT(3) |
Definition at line 20 of file visibility.h.
#define PRIV_AUDOT BIT(21) |
Definition at line 38 of file visibility.h.
#define PRIV_BACKUP BIT(17) |
Definition at line 34 of file visibility.h.
#define PRIV_CHANGE_NOTIFY BIT(23) |
Definition at line 40 of file visibility.h.
#define PRIV_CREATE_GLOBAL BIT(30) |
Definition at line 47 of file visibility.h.
#define PRIV_CREATE_PAGEFILE BIT(15) |
Definition at line 32 of file visibility.h.
#define PRIV_CREATE_PERMANENT BIT(16) |
Definition at line 33 of file visibility.h.
#define PRIV_CREATE_SYMBOLIC_LINK BIT(35) |
Definition at line 52 of file visibility.h.
#define PRIV_CREATE_TOKEN BIT(2) |
Definition at line 19 of file visibility.h.
#define PRIV_DEBUG BIT(20) |
Definition at line 37 of file visibility.h.
#define PRIV_ENABLE_DELEGATION BIT(27) |
Definition at line 44 of file visibility.h.
#define PRIV_IMPERSONATE BIT(29) |
Definition at line 46 of file visibility.h.
#define PRIV_INCREASE_BASE_PRIORITY BIT(14) |
Definition at line 31 of file visibility.h.
#define PRIV_INCREASE_QUOTA BIT(5) |
Definition at line 22 of file visibility.h.
#define PRIV_INCREASE_WORKING_SET BIT(33) |
Definition at line 50 of file visibility.h.
#define PRIV_LOAD_DRIVER BIT(10) |
Definition at line 27 of file visibility.h.
#define PRIV_LOCK_MEMORY BIT(4) |
Definition at line 21 of file visibility.h.
#define PRIV_MACHINE_ACCOUNT BIT(6) |
Definition at line 23 of file visibility.h.
#define PRIV_MANAGE_VOLUME BIT(28) |
Definition at line 45 of file visibility.h.
#define PRIV_PROFILE_SINGLE_PROCESS BIT(13) |
Definition at line 30 of file visibility.h.
#define PRIV_RELABLE BIT(32) |
Definition at line 49 of file visibility.h.
#define PRIV_REMOTE_SHUTDOWN BIT(24) |
Definition at line 41 of file visibility.h.
#define PRIV_RESTORE BIT(18) |
Definition at line 35 of file visibility.h.
#define PRIV_SECURITY BIT(8) |
Definition at line 25 of file visibility.h.
#define PRIV_SHUTDOWN BIT(19) |
Definition at line 36 of file visibility.h.
#define PRIV_SYNC_AGENT BIT(26) |
Definition at line 43 of file visibility.h.
#define PRIV_SYSTEM_ENVIRONMENT BIT(22) |
Definition at line 39 of file visibility.h.
#define PRIV_SYSTEM_PROFILE BIT(11) |
Definition at line 28 of file visibility.h.
#define PRIV_SYSTEM_TIME BIT(12) |
Definition at line 29 of file visibility.h.
#define PRIV_TAKE_OWNERSHIP BIT(9) |
Definition at line 26 of file visibility.h.
#define PRIV_TCB BIT(7) |
Definition at line 24 of file visibility.h.
#define PRIV_TIMEZONE BIT(34) |
Definition at line 51 of file visibility.h.
#define PRIV_TRUSTED_CRED_MAN_ACCESS BIT(31) |
Definition at line 48 of file visibility.h.
#define PRIV_UNDOCK BIT(25) |
Definition at line 42 of file visibility.h.
INTSTATUS IntWinDumpPrivileges | ( | INTRO_TOKEN_PRIVILEGES const * | Privileges | ) |
Prints an INTRO_TOKEN_PRIVILEGES structure.
[in] | Privileges | Pointer to the structure to dump. This is obtained from an INTRO_WIN_TOKEN structure (its privileges are filled in by IntWinReadToken). |
INT_STATUS_SUCCESS | in case of success. |
INT_STATUS_INVALID_PARAMETER_1 | if Privileges is NULL. |
Definition at line 164 of file visibility.c.
Referenced by IntWinDumpToken().
void IntWinDumpSid | ( | INTRO_SID_ATTRIBUTES const * | Sid | ) |
Prints an INTRO_SID_ATTRIBUTES structure.
[in] | Sid | Pointer to a INTRO_SID_ATTRIBUTES structure to print. |
Definition at line 583 of file visibility.c.
Referenced by IntWinDumpToken().
void IntWinDumpToken | ( | INTRO_WIN_TOKEN const * | Token | ) |
Prints an INTRO_WIN_TOKEN structure.
[in] | Token | Pointer to a INTRO_WIN_TOKEN structure to print. |
Definition at line 626 of file visibility.c.
Referenced by DbgDumpEthreadToken(), and DbgDumpProcToken().
INTSTATUS IntWinGetAccessTokenFromProcess | ( | DWORD | ProcessId, |
QWORD | EprocessGva, | ||
INTRO_WIN_TOKEN * | Token | ||
) |
Reads the contents of a _TOKEN Windows structure assigned to a process.
This function obtains the address of the _TOKEN structure associated with the given process and then uses IntWinReadToken to read it. Note that the value saved inside _EPROCESS is an _EX_FAST_REF, not a plain pointer; it must be converted with EX_FAST_REF_TO_PTR before being dereferenced.
[in] | ProcessId | The ID of the process. If EprocessGva is 0, the process is looked up by this ID; it is ignored if EprocessGva is not 0. |
[in] | EprocessGva | The guest virtual address of the _EPROCESS structure from which to obtain the token. If 0, ProcessId is used to find the process. |
[out] | Token | On success, will contain the _TOKEN structure. |
Definition at line 458 of file visibility.c.
Referenced by DbgDumpProcToken(), and IntAlertFillWinProcess().
INTSTATUS IntWinGetAccesTokenFromThread | ( | QWORD | EthreadGva, |
INTRO_WIN_TOKEN * | Token | ||
) |
Reads the contents of a _TOKEN Windows structure assigned to a thread.
This function obtains the address of the _TOKEN structure associated with the given thread and then uses IntWinReadToken to read it. Note that the value saved inside _ETHREAD is a _PS_CLIENT_SECURITY_CONTEXT, whose low bits [0:2] are flag bits; they must be cleared before the value is used as a pointer.
[in] | EthreadGva | The guest virtual address of the _ETHREAD structure from which to obtain the token. |
[out] | Token | On success, will contain the _TOKEN structure. |
Definition at line 524 of file visibility.c.
Referenced by DbgDumpEthreadToken(), and IntAlertFillWinProcess().
Gets the system startup time.
This returns the creation time of the system process as a Windows FILETIME value (see https://docs.microsoft.com/en-us/windows/win32/api/minwinbase/ns-minwinbase-filetime). It remains unchanged across sleep/hibernate events, since the system process itself persists. Note that the CreationTime field of _EPROCESS does not appear to carry the same meaning for other processes, so this function should not be generalized to them.
[out] | StartUpTime | The startup time as a FILETIME value |
INT_STATUS_SUCCESS | in case of success |
INT_STATUS_INVALID_PARAMETER_1 | if StartUpTime is NULL |
INT_STATUS_NOT_INITIALIZED | if the system process is not yet started |
Definition at line 14 of file visibility.c.
Referenced by IntGuestGetInfo().
INTSTATUS IntWinReadSid | ( | QWORD | SidAndAttributesGva, |
INTRO_SID_ATTRIBUTES * | Sid | ||
) |
Reads the contents of a _SID_AND_ATTRIBUTES Windows structure.
If the SubAuthority array inside the guest structure contains more than INTRO_WIN_SID_MAX_SUB_AUTHORITIES entries, only the first INTRO_WIN_SID_MAX_SUB_AUTHORITIES entries are read; the remaining entries are not copied. Since the structure is read from guest memory, the pointers it contains are validated as kernel pointers before use (see the return values below).
[in] | SidAndAttributesGva | Guest virtual address of the _SID_AND_ATTRIBUTES structure. |
[out] | Sid | On success, will contain the _SID_AND_ATTRIBUTES structure. |
INT_STATUS_SUCCESS | in case of success |
INT_STATUS_INVALID_PARAMETER_1 | if SidAndAttributesGva is not a kernel pointer. |
INT_STATUS_INVALID_PARAMETER_2 | if Sid is NULL. |
INT_STATUS_INVALID_DATA_VALUE | if pointers inside the guest _SID_AND_ATTRIBUTES structure are not valid kernel pointers. |
Definition at line 197 of file visibility.c.
Referenced by IntWinReadToken().
INTSTATUS IntWinReadToken | ( | QWORD | TokenGva, |
INTRO_WIN_TOKEN * | Token | ||
) |
Reads the contents of a _TOKEN Windows structure.
If the Sid or RestrictedSid arrays inside the guest have more than INTRO_SIDS_MAX_COUNT entries, only the first INTRO_SIDS_MAX_COUNT entries are read, and the SidsBufferTooSmall or RestrictedSidsBufferTooSmall flag, respectively, is set to True. Callers should check these flags before treating the SID lists as complete.
[in] | TokenGva | Guest virtual address from which to read the _TOKEN structure. |
[out] | Token | On success, will contain the _TOKEN structure. |
INT_STATUS_SUCCESS | in case of success |
INT_STATUS_INVALID_PARAMETER_1 | if TokenGva is not a valid kernel pointer |
INT_STATUS_INVALID_PARAMETER_2 | if Token is NULL |
INT_STATUS_NOT_FOUND | if parts of the structure could not be read |
Definition at line 279 of file visibility.c.
Referenced by IntWinGetAccessTokenFromProcess(), and IntWinGetAccesTokenFromThread().