Bitdefender Hypervisor Memory Introspection
visibility.h
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2020 Bitdefender
3  * SPDX-License-Identifier: Apache-2.0
4  */
5 #ifndef _VISIBILITY_H_
6 #define _VISIBILITY_H_
7 
8 #include "introcore.h"
9 
10 INTSTATUS
11 IntWinGetStartUpTime(
12  _Out_ QWORD *StartUpTime);
13 
14 //
15 // Privileges bit in _TOKEN_PRIVILEGES bitmap (obtained from WinDbg);
16 // bits who are not defined here are not used (marked as Unknown in WinDbg)
17 //
18 
19 #define PRIV_CREATE_TOKEN BIT(2)
20 #define PRIV_ASSIGN_PRIMARY_TOKEN BIT(3)
21 #define PRIV_LOCK_MEMORY BIT(4)
22 #define PRIV_INCREASE_QUOTA BIT(5)
23 #define PRIV_MACHINE_ACCOUNT BIT(6)
24 #define PRIV_TCB BIT(7)
25 #define PRIV_SECURITY BIT(8)
26 #define PRIV_TAKE_OWNERSHIP BIT(9)
27 #define PRIV_LOAD_DRIVER BIT(10)
28 #define PRIV_SYSTEM_PROFILE BIT(11)
29 #define PRIV_SYSTEM_TIME BIT(12)
30 #define PRIV_PROFILE_SINGLE_PROCESS BIT(13)
31 #define PRIV_INCREASE_BASE_PRIORITY BIT(14)
32 #define PRIV_CREATE_PAGEFILE BIT(15)
33 #define PRIV_CREATE_PERMANENT BIT(16)
34 #define PRIV_BACKUP BIT(17)
35 #define PRIV_RESTORE BIT(18)
36 #define PRIV_SHUTDOWN BIT(19)
37 #define PRIV_DEBUG BIT(20)
38 #define PRIV_AUDOT BIT(21)
39 #define PRIV_SYSTEM_ENVIRONMENT BIT(22)
40 #define PRIV_CHANGE_NOTIFY BIT(23)
41 #define PRIV_REMOTE_SHUTDOWN BIT(24)
42 #define PRIV_UNDOCK BIT(25)
43 #define PRIV_SYNC_AGENT BIT(26)
44 #define PRIV_ENABLE_DELEGATION BIT(27)
45 #define PRIV_MANAGE_VOLUME BIT(28)
46 #define PRIV_IMPERSONATE BIT(29)
47 #define PRIV_CREATE_GLOBAL BIT(30)
48 #define PRIV_TRUSTED_CRED_MAN_ACCESS BIT(31)
49 #define PRIV_RELABLE BIT(32)
50 #define PRIV_INCREASE_WORKING_SET BIT(33)
51 #define PRIV_TIMEZONE BIT(34)
52 #define PRIV_CREATE_SYMBOLIC_LINK BIT(35)
53 
54 #define FIRST_KNOWN_PRIVILEGE 02
55 #define LAST_KNOWN_PRIVILEGE 35
56 
57 INTSTATUS
58 IntWinDumpPrivileges(
59  _In_ INTRO_TOKEN_PRIVILEGES const *Privileges
60  );
61 
62 INTSTATUS
63 IntWinReadSid(
64  _In_ QWORD SidAndAttributesGva,
65  _Out_ INTRO_SID_ATTRIBUTES *Sid
66  );
67 
68 INTSTATUS
69 IntWinReadToken(
70  _In_ QWORD TokenGva,
71  _Out_ INTRO_WIN_TOKEN *Token
72  );
73 
74 INTSTATUS
75 IntWinGetAccessTokenFromProcess(
76  _In_ DWORD ProcessId,
77  _In_ QWORD EprocessGva,
78  _Out_ INTRO_WIN_TOKEN *Token
79  );
80 
81 INTSTATUS
82 IntWinGetAccesTokenFromThread(
83  _In_ QWORD EthreadGva,
84  _Out_ INTRO_WIN_TOKEN *Token
85  );
86 
87 void
88 IntWinDumpToken(
89  _In_ INTRO_WIN_TOKEN const *Token
90  );
91 
92 void
93 IntWinDumpSid(
94  _In_ INTRO_SID_ATTRIBUTES const *Sid
95  );
96 
97 #endif // _VISIBILITY_H_
_Out_
#define _Out_
Definition: intro_sal.h:22
_INTRO_WIN_TOKEN
A Windows token structure as reported by Introcore alerts.
Definition: intro_types.h:861
_In_
#define _In_
Definition: intro_sal.h:21
_INTRO_SID_ATTRIBUTES
Windows SID attributes.
Definition: intro_types.h:840
IntWinGetAccesTokenFromThread
INTSTATUS IntWinGetAccesTokenFromThread(QWORD EthreadGva, INTRO_WIN_TOKEN *Token)
Reads the contents of a _TOKEN Windows structure assigned to a thread.
Definition: visibility.c:524
IntWinGetAccessTokenFromProcess
INTSTATUS IntWinGetAccessTokenFromProcess(DWORD ProcessId, QWORD EprocessGva, INTRO_WIN_TOKEN *Token)
Reads the contents of a _TOKEN Windows structure assigned to a process.
Definition: visibility.c:458
INTSTATUS
int INTSTATUS
The status data type.
Definition: introstatus.h:24
IntWinDumpPrivileges
INTSTATUS IntWinDumpPrivileges(INTRO_TOKEN_PRIVILEGES const *Privileges)
Prints a INTRO_TOKEN_PRIVILEGES structure.
Definition: visibility.c:164
_INTRO_TOKEN_PRIVILEGES
Windows process token privileges.
Definition: intro_types.h:796
QWORD
unsigned long long QWORD
Definition: intro_types.h:53
IntWinDumpToken
void IntWinDumpToken(INTRO_WIN_TOKEN const *Token)
Prints a INTRO_WIN_TOKEN structure.
Definition: visibility.c:626
DWORD
uint32_t DWORD
Definition: intro_types.h:49
IntWinGetStartUpTime
INTSTATUS IntWinGetStartUpTime(QWORD *StartUpTime)
Gets the system startup time.
Definition: visibility.c:14
IntWinReadSid
INTSTATUS IntWinReadSid(QWORD SidAndAttributesGva, INTRO_SID_ATTRIBUTES *Sid)
Reads the contents of a _SID_AND_ATTRIBUTES Windows structure.
Definition: visibility.c:197
IntWinReadToken
INTSTATUS IntWinReadToken(QWORD TokenGva, INTRO_WIN_TOKEN *Token)
Reads the contents of a _TOKEN Windows structure.
Definition: visibility.c:279
IntWinDumpSid
void IntWinDumpSid(INTRO_SID_ATTRIBUTES const *Sid)
Prints a INTRO_SID_ATTRIBUTES structure.
Definition: visibility.c:583