9 #include "winagent_dummy_Win32.h" 10 #include "winagent_dummy_x64.h" 11 #include "winagent_gather_Win32.h" 12 #include "winagent_gather_x64.h" 13 #include "winagent_killer_Win32.h" 14 #include "winagent_killer_x64.h" 48 LOG(
"[DEPLOYER] Agent with tag %d at 0x%016llx has just been injected!\n", AgentTag, GuestVirtualAddress);
52 event->AgentTag = AgentTag;
58 WARNING(
"[WARNING] IntNotifyIntroEvent failed: 0x%x\n", status);
100 LOG(
"[DEPLOYER] Agent with tag %d at 0x%016llx has just been initialized, error: 0x%08x! " 101 "The process may still be running...\n", AgentTag, GuestVirtualAddress, ErrorCode);
104 event->AgentTag = AgentTag;
105 event->ErrorCode = ErrorCode;
110 WARNING(
"[WARNING] IntNotifyIntroEvent failed: 0x%x\n", status);
175 if (NULL == AgentContent)
183 procSize =
sizeof(gDummyToolx64);
184 procContent = gDummyToolx64;
188 procSize =
sizeof(gDummyToolx86);
189 procContent = gDummyToolx86;
196 procSize =
sizeof(gGatherAgentx64);
197 procContent = gGatherAgentx64;
201 procSize =
sizeof(gGatherAgentWin32);
202 procContent = gGatherAgentWin32;
209 procSize =
sizeof(gAgentKillerx64);
210 procContent = gAgentKillerx64;
214 procSize =
sizeof(gAgentKillerWin32);
215 procContent = gAgentKillerWin32;
223 ERROR(
"[ERROR] IntFormatAgentKillerCommandLine failed: %08x\n", status);
227 if (0 == strlen(localArgs))
234 TRACE(
"[KILLER] Will use `%s` as a command line\n", localArgs);
244 ERROR(
"[ERROR] IntGetAgentContent failed: 0x%08x\n", status);
251 procContent = AgentContent;
252 procSize = AgentSize;
255 if ((NULL == procContent) || (0 == procSize))
257 ERROR(
"[ERROR] No proper agent found!\n");
268 ERROR(
"[ERROR] The provided agent does not look like a valid MZ/PE: 0x%08x\n", status);
274 ERROR(
"[ERROR] The provided agent does not match the OS arch: %s bit\n",
gGuest.
Guest64 ?
"64" :
"32");
283 ERROR(
"[ERROR] IntAgentInject failed: 0x%08x\n", status);
287 LOG(
"[DEPLOYER] Agent with tag %d was scheduled for injection, waiting...\n", AgentTag);
319 ERROR(
"[ERROR] IntAgentInject failed: 0x%08x\n", status);
323 LOG(
"[DEPLOYER] File scheduled for injection!\n");
Dummy agent used to demo the feature.
#define INT_STATUS_SUCCESS
#define _Out_writes_bytes_(expr)
#define INT_SUCCESS(Status)
Event structure for agent injection and termination.
#define INT_STATUS_NOT_NEEDED_HINT
INTSTATUS IntWinDepInjectFile(PBYTE FileContent, DWORD FileSize, const CHAR *Name)
Inject a file inside the Windows guest.
int INTSTATUS
The status data type.
#define MAX_PATH
The maximum size of a path (260 characters on Windows).
The agent has been successfully injected.
GENERIC_ALERT gAlert
Global alert buffer.
The process killer agent.
INTSTATUS IntNotifyIntroEvent(INTRO_EVENT_TYPE EventClass, void *Param, size_t EventSize)
Notifies the integrator about an introspection alert.
BOOLEAN Guest64
True if this is a 64-bit guest, False if it is a 32-bit guest.
Informational event sent when the remediation tool is injected or terminated. See EVENT_AGENT_EVENT...
static INTSTATUS IntWinDepDeploy(QWORD GuestVirtualAddress, DWORD AgentTag, void *Context)
Boot agent deployment callback.
INTSTATUS IntWinAgentInject(PFUNC_AgentInjection InjectionCallback, PFUNC_AgentCompletion CompletionCallback, PFUNC_AgentDeliver DeliverCallback, void *Context, PBYTE AgentContent, DWORD AgentSize, BOOLEAN AgentInternal, DWORD AgentTag, AGENT_TYPE AgentType, const CHAR *Name, DWORD Options, const CHAR *Args, DWORD Pid, PWIN_AGENT *Agent)
Schedule an agent injection inside the guest.
#define UNREFERENCED_PARAMETER(P)
INTSTATUS IntPeValidateHeader(QWORD ImageBase, BYTE *ImageBaseBuffer, DWORD ImageBaseBufferSize, INTRO_PE_INFO *PeInfo, QWORD Cr3)
Validates a PE header.
INTSTATUS IntGetAgentContent(DWORD AgentTag, BOOLEAN Is64, DWORD *Size, BYTE **Content)
static INTSTATUS IntWinDepComplete(QWORD GuestVirtualAddress, DWORD ErrorCode, DWORD AgentTag, void *Context)
Called once the boot driver finishes starting the agent inside the guest.
GUEST_STATE gGuest
The current guest state.
INTSTATUS IntWinProcGetAgentsAsCli(PCHAR CommandLine, DWORD Length)
Returns the name and ID for all the processes injected as agents inside the guest.
INTSTATUS IntWinDepInjectProcess(DWORD AgentTag, PBYTE AgentContent, DWORD AgentSize, const CHAR *Name, const CHAR *Args)
Inject a process inside a Windows guest.
Process agent. A process will be injected & started inside the guest.
BOOLEAN Image64Bit
True if the image is 64-bit.
The agent has been initialized.
#define INT_STATUS_INVALID_PARAMETER
#define INT_STATUS_INVALID_PARAMETER_2
File agent. A file will be dropped inside the guest.
static INTSTATUS IntWinFormatAgentKillerCommandLine(char *CommandLine, DWORD Length)
Formats the agent killer command line.