Bitdefender Hypervisor Memory Introspection
wincmdline.c File Reference

This file handles command line scanning.

#include "wincmdline.h"
#include "winprocesshp.h"
#include "alerts.h"


Functions

INTSTATUS IntWinInspectCommandLine (PWIN_PROCESS_OBJECT Process)
 Send a command line scan request to the scan engines.

static INTSTATUS IntWinSendCmdLineViolation (PENG_NOTIFICATION_CMD_LINE EngineNotification)
 Send a command line violation event.

INTSTATUS IntWinHandleCmdLineCallback (PENG_NOTIFICATION_CMD_LINE EngineNotification)
 Handle a command line scan response.
 

Detailed Description

This file handles command line scanning.

Introcore may request the AV engines to scan the command line of certain processes (for example, PowerShell). Because scheduling a command line scan can carry a considerable performance penalty, the scan is carried out asynchronously. If the scan was scheduled successfully, the integrator must invoke the registered callback (PFUNC_IntEventEnginesResultCallback) to deliver the scan result. For now, a process found to use a malicious command line is not blocked: since the scan is asynchronous, blocking it would require the injection of an agent, so only a violation event is raised.

Definition in file wincmdline.c.
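The ownership contract described above (request allocates the notification, the integrator's result callback must consume it, and a malicious verdict raises a violation without blocking the process) as a small constructed C model. This is added illustration, not HVMI code: the types, functions and counters below are hypothetical stand-ins, not introcore's PENG_NOTIFICATION_CMD_LINE or its real API.

```c
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Constructed stand-ins for the page's types; not HVMI's definitions. */
typedef int INTSTATUS;
#define INT_STATUS_SUCCESS              0
#define INT_STATUS_INVALID_PARAMETER_1  (-1)
#define INT_STATUS_INSUFFICIENT_RESOURCES (-2)

typedef struct _PROCESS_MODEL {
    uint32_t Pid;
    char     CommandLine[256];
    int      Blocked;       /* never set: the page says no blocking for now */
} PROCESS_MODEL;

typedef struct _CMD_LINE_NOTIFICATION {
    uint32_t Pid;
    char     CommandLine[256];
    int      IsMalicious;   /* verdict filled in by the (simulated) engine */
} CMD_LINE_NOTIFICATION;

/* Defender-side bookkeeping: requests still owed a callback (leak check). */
static int gPendingScans = 0;
static int gViolationsSent = 0;

/* Hypothetical analogue of IntWinInspectCommandLine: allocate the request
 * and hand it to the engines. Ownership passes to the integrator, who must
 * return it through ScanResultCallback or the allocation leaks. */
INTSTATUS RequestCmdLineScan(PROCESS_MODEL *Process, CMD_LINE_NOTIFICATION **Out)
{
    CMD_LINE_NOTIFICATION *n;
    if (!Process || !Out) return INT_STATUS_INVALID_PARAMETER_1;
    n = calloc(1, sizeof(*n));
    if (!n) return INT_STATUS_INSUFFICIENT_RESOURCES;
    n->Pid = Process->Pid;
    strncpy(n->CommandLine, Process->CommandLine, sizeof(n->CommandLine) - 1);
    gPendingScans++;
    *Out = n;
    return INT_STATUS_SUCCESS;
}

/* Hypothetical analogue of IntWinHandleCmdLineCallback: consume the result,
 * raise a violation event if malicious, free the notification. The process
 * itself is left untouched (no blocking, as the description states). */
INTSTATUS ScanResultCallback(CMD_LINE_NOTIFICATION *Notification)
{
    if (!Notification) return INT_STATUS_INVALID_PARAMETER_1;
    if (Notification->IsMalicious) gViolationsSent++;
    free(Notification);
    gPendingScans--;
    return INT_STATUS_SUCCESS;
}

int PendingScans(void)   { return gPendingScans; }
int ViolationsSent(void) { return gViolationsSent; }
```

A non-zero PendingScans() at teardown is the leak the description warns about: a scheduled scan whose callback was never invoked.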

Function Documentation

◆ IntWinHandleCmdLineCallback()

INTSTATUS IntWinHandleCmdLineCallback (PENG_NOTIFICATION_CMD_LINE EngineNotification)

Handle a command line scan response.

Parameters
[in] EngineNotification: The engine notification containing the scan result.
Return values
INT_STATUS_SUCCESS: On success.

Definition at line 151 of file wincmdline.c.

Referenced by IntEnginesResultCallback().

◆ IntWinInspectCommandLine()

INTSTATUS IntWinInspectCommandLine (PWIN_PROCESS_OBJECT Process)

Send a command line scan request to the scan engines.

If this function succeeds, the integrator must call the registered PFUNC_IntEventEnginesResultCallback with the result; otherwise the scan request allocated here is never released and a memory leak occurs.

Parameters
[in] Process: The process structure (it contains the command line and other fields).
Return values
INT_STATUS_SUCCESS: On success.

Definition at line 24 of file wincmdline.c.

Referenced by IntWinGetProcCmdLineHandleBufferInMemory().

◆ IntWinSendCmdLineViolation()

static INTSTATUS IntWinSendCmdLineViolation (PENG_NOTIFICATION_CMD_LINE EngineNotification)

Send a command line violation event.

Parameters
[in] EngineNotification: The engine notification containing the scan result.
Return values
INT_STATUS_SUCCESS: On success.

Definition at line 97 of file wincmdline.c.

Referenced by IntWinHandleCmdLineCallback().