Bitdefender Hypervisor Memory Introspection
This file handles Windows Deep Process Inspection checks. More...
#include "windpi.h"
#include "alerts.h"
#include "winprocesshp.h"
#include "winselfmap.h"
#include "winstack.h"
#include "winthread.h"
#include "wintoken.h"
#include "shellcode.h"
#include "winsecdesc.h"
Typedefs | |
typedef INTSTATUS(* | PFUNC_IntWinDpiProcessCreationHandler) (WIN_PROCESS_OBJECT *Child, WIN_PROCESS_OBJECT *RealParent, WIN_PROCESS_OBJECT **Originator, WIN_PROCESS_OBJECT **Victim, INTRO_PC_VIOLATION_TYPE *PcType) |
Process creation callback, used to check if a process creation breaks one of the currently enabled policies. More... | |
Functions | |
static MITRE_ID | IntWinDpiGetDpiMitreId (INTRO_PC_VIOLATION_TYPE Flags) |
Get the MITRE attack technique ID for the given DPI (Deep Process Inspection) flags. More... | |
static INTSTATUS | IntWinDpiSendProcessCreationViolation (WIN_PROCESS_OBJECT *VictimProc, WIN_PROCESS_OBJECT *OriginatorProc, INTRO_ACTION Action, INTRO_ACTION_REASON Reason, INTRO_PC_VIOLATION_TYPE PcType) |
Send a process creation violation event. More... | |
static BOOLEAN | IntWinDpiIsSelf (WIN_PROCESS_OBJECT const *First, WIN_PROCESS_OBJECT const *Second) |
static INTSTATUS | IntWinDpiHandleNormalCreationRights (WIN_PROCESS_OBJECT *Child, WIN_PROCESS_OBJECT *RealParent, WIN_PROCESS_OBJECT **Originator, WIN_PROCESS_OBJECT **Victim, INTRO_PC_VIOLATION_TYPE *PcType) |
Checks if a process creation contradicts the non-DPI process creation policy set by the PROC_OPT_PROT_PREVENT_CHILD_CREATION protection option. More... | |
static INTSTATUS | IntWinDpiHandleDpiStolenToken (WIN_PROCESS_OBJECT *Child, WIN_PROCESS_OBJECT *RealParent, WIN_PROCESS_OBJECT **Originator, WIN_PROCESS_OBJECT **Victim, INTRO_PC_VIOLATION_TYPE *PcType) |
Checks if a process creation breaks the DPI token steal policy set by INTRO_OPT_PROT_DPI_TOKEN_STEAL. More... | |
static INTSTATUS | IntWinDpiHandleDpiTokenPrivs (WIN_PROCESS_OBJECT *Child, WIN_PROCESS_OBJECT *RealParent, WIN_PROCESS_OBJECT **Originator, WIN_PROCESS_OBJECT **Victim, INTRO_PC_VIOLATION_TYPE *PcType) |
Checks if a process creation breaks the DPI token privileges policy set by INTRO_OPT_PROT_DPI_TOKEN_PRIVS. More... | |
static INTSTATUS | IntWinDpiHandleDpiSecDesc (WIN_PROCESS_OBJECT *Child, WIN_PROCESS_OBJECT *RealParent, WIN_PROCESS_OBJECT **Originator, WIN_PROCESS_OBJECT **Victim, INTRO_PC_VIOLATION_TYPE *PcType) |
Checks if a process creation breaks the DPI security descriptor policy set by INTRO_OPT_PROT_DPI_SD_ACL (modified security descriptor). More... | |
static INTSTATUS | IntWinDpiHandleDpiAclEdit (WIN_PROCESS_OBJECT *Child, WIN_PROCESS_OBJECT *RealParent, WIN_PROCESS_OBJECT **Originator, WIN_PROCESS_OBJECT **Victim, INTRO_PC_VIOLATION_TYPE *PcType) |
Checks if a process creation breaks the DPI security descriptor policy set by INTRO_OPT_PROT_DPI_SD_ACL (SACL/DACL). More... | |
static INTSTATUS | IntWinDpiHandleDpiPivotedStack (WIN_PROCESS_OBJECT *Child, WIN_PROCESS_OBJECT *RealParent, WIN_PROCESS_OBJECT **Originator, WIN_PROCESS_OBJECT **Victim, INTRO_PC_VIOLATION_TYPE *PcType) |
Checks if a process creation breaks the DPI pivoted stack policy set by INTRO_OPT_PROT_DPI_STACK_PIVOT. More... | |
static INTSTATUS | IntWinDpiHandleDpiDebug (WIN_PROCESS_OBJECT *Child, WIN_PROCESS_OBJECT *RealParent, WIN_PROCESS_OBJECT **Originator, WIN_PROCESS_OBJECT **Victim, INTRO_PC_VIOLATION_TYPE *PcType) |
Checks if a process creation breaks the DPI debug flag policy set by INTRO_OPT_PROT_DPI_DEBUG. More... | |
static INTSTATUS | IntWinDpiHandleDpiHeapSpray (WIN_PROCESS_OBJECT *Child, WIN_PROCESS_OBJECT *RealParent, WIN_PROCESS_OBJECT **Originator, WIN_PROCESS_OBJECT **Victim, INTRO_PC_VIOLATION_TYPE *PcType) |
Checks if a process creation breaks the DPI heap spray policy set by INTRO_OPT_PROT_DPI_HEAP_SPRAY. More... | |
static INTSTATUS | IntWinDpiHandleDpiThreadStart (WIN_PROCESS_OBJECT *Child, WIN_PROCESS_OBJECT *RealParent, WIN_PROCESS_OBJECT **Originator, WIN_PROCESS_OBJECT **Victim, INTRO_PC_VIOLATION_TYPE *PcType) |
Checks if a process creation was triggered from a thread which started executing suspicious code. More... | |
static QWORD | IntWinDpiGetViolationAddress (INTRO_PC_VIOLATION_TYPE PcType, WIN_PROCESS_OBJECT *Originator, WIN_PROCESS_OBJECT *Victim) |
Gets the violation address, sent through Originator in exception mechanism. More... | |
void | IntWinDpiForceFeedbackIfNeeded (INTRO_PC_VIOLATION_TYPE PcType, WIN_PROCESS_OBJECT *Originator, WIN_PROCESS_OBJECT *Victim, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason) |
Enforces feedback-only alert on the current DPI violation based on different rules. More... | |
INTRO_ACTION | IntWinDpiCheckCreation (WIN_PROCESS_OBJECT *Child, WIN_PROCESS_OBJECT *RealParent) |
Analyzes all the process creation rules in order to decide if the process creation should be allowed or not. More... | |
static INTSTATUS | IntWinDpiGetProcessDebugFlag (WIN_PROCESS_OBJECT *Process, QWORD DebugHandle) |
Determines if the process is being debugged and sets the WIN_PROCESS_OBJECT.CreationInfo field debugger information to the process that is the debugger. More... | |
static INTSTATUS | IntWinDpiValidatePivotedStack (WIN_PROCESS_OBJECT *Process, WIN_PROCESS_OBJECT *RealParent) |
Determines if the parent process has a pivoted stack. More... | |
static INTSTATUS | IntWinDpiValidateParentProcessToken (WIN_PROCESS_OBJECT *Process, WIN_PROCESS_OBJECT *Parent) |
Determines if the child process stole the security token from any other process. More... | |
static INTSTATUS | IntWinDpiValidateParentSecDesc (WIN_PROCESS_OBJECT *Process, WIN_PROCESS_OBJECT *Parent) |
Determines if the parent process has an altered security descriptor pointer. More... | |
static INTSTATUS | IntWinDpiValidateParentAclEdit (WIN_PROCESS_OBJECT *Process, WIN_PROCESS_OBJECT *Parent) |
Determines if the parent process has an altered ACL (SACL/DACL). More... | |
static INTSTATUS | IntWinDpiValidateTokenPrivs (WIN_PROCESS_OBJECT *Process, WIN_PROCESS_OBJECT *Parent) |
Determines if the parent process token privileges have not been altered in a malicious way. More... | |
static INTSTATUS | IntWinDpiValidateHeapSpray (WIN_PROCESS_OBJECT *Process, WIN_PROCESS_OBJECT *Parent) |
Determines if the parent process has been heap sprayed. More... | |
static INTSTATUS | IntWinDpiValidateThreadStart (WIN_PROCESS_OBJECT *Process, WIN_PROCESS_OBJECT *Parent) |
Determines if the current thread from the parent process has been started in order to execute some suspicious code which led to the current process creation. More... | |
static BOOLEAN | IntWinDpiIsDpiWhiteListed (WIN_PROCESS_OBJECT *Process, WIN_PROCESS_OBJECT *Parent) |
Used to whitelist some DPI (Deep Process Inspection) corner cases. More... | |
void | IntWinDpiGatherDpiInfo (WIN_PROCESS_OBJECT *Process, WIN_PROCESS_OBJECT *Parent, QWORD DebugHandle) |
Gathers all the necessary DPI (Deep Process Inspection) information that will later be used to decide if the process creation should be allowed or not. More... | |
This file handles Windows Deep Process Inspection checks.
When a Windows process starts, introcore can perform additional checks that will determine if the process creation should take place or not. The possible DPI checks are defined by the macro INTRO_OPT_PROT_DPI, but can be enabled separately. This file also contains the implementation for PROC_OPT_PROT_PREVENT_CHILD_CREATION.
Definition in file windpi.c.
typedef INTSTATUS(* PFUNC_IntWinDpiProcessCreationHandler) (WIN_PROCESS_OBJECT *Child, WIN_PROCESS_OBJECT *RealParent, WIN_PROCESS_OBJECT **Originator, WIN_PROCESS_OBJECT **Victim, INTRO_PC_VIOLATION_TYPE *PcType) |
Process creation callback, used to check if a process creation breaks one of the currently enabled policies.
The exception mechanism is checked before taking any action. If the action is introGuestNotAllowed and the reason is not introReasonAllowedFeedback, the remaining callbacks are not invoked. This is done because we block the action only once, and sending more than one alert for the same blocked action is confusing. For feedback-only alerts we want to keep sending the events, as the user will not see any of them.
[in] | Child | The process that is being created. |
[in] | RealParent | The real parent of the Child process. |
[out] | Originator | On success, will contain a pointer to the process that is the originator of the attack. |
[out] | Victim | On success, will contain a pointer to the process that is the victim of the attack. |
[out] | PcType | On success, will contain the type of the process creation violation, which is one of the INTRO_PC_VIOLATION_TYPE, or 0 if this is not a DPI violation. |
INTRO_ACTION IntWinDpiCheckCreation | ( | WIN_PROCESS_OBJECT * | Child, |
WIN_PROCESS_OBJECT * | RealParent | ||
) |
Analyzes all the process creation rules in order to decide if the process creation should be allowed or not.
This function is responsible for analyzing if the process creation respects all the activated DPI (Deep Process Inspection) rules such as: "Normal" Creation Rights (the parent has the PROC_OPT_PROT_PREVENT_CHILD_CREATION flag set), stolen token (the child process stole a security token), pivoted stack (the parent process has a pivoted stack), debug (the child process is being debugged) and heap spray (the parent process has been heap sprayed).
[in] | Child | The child process. |
[in] | RealParent | The real parent process. |
Definition at line 749 of file windpi.c.
Referenced by IntWinProcHandleCreateInternal().
void IntWinDpiForceFeedbackIfNeeded | ( | INTRO_PC_VIOLATION_TYPE | PcType, |
WIN_PROCESS_OBJECT * | Originator, | ||
WIN_PROCESS_OBJECT * | Victim, | ||
INTRO_ACTION * | Action, | ||
INTRO_ACTION_REASON * | Reason | ||
) |
Enforces feedback-only alert on the current DPI violation based on different rules.
For example, we'll check the shellcode flags from INT_PC_VIOLATION_DPI_HEAP_SPRAY or INT_PC_VIOLATION_DPI_THREAD_START, if there are any, against the ShemuOptions feedback only flags received through cami, and we'll enforce feedback only if needed.
[in] | PcType | The INTRO_PC_VIOLATION_TYPE describing the type of the current violation. |
[in] | Originator | The WIN_PROCESS_OBJECT considered as originator for the current violation. |
[in] | Victim | The WIN_PROCESS_OBJECT considered as victim for the current violation. |
[in,out] | Action | The INTRO_ACTION which will get overwritten with introGuestAllowed if feedback-only is to be enforced. |
[in,out] | Reason | The INTRO_ACTION_REASON which will get overwritten with introReasonAllowedFeedback if feedback-only is to be enforced. |
Definition at line 684 of file windpi.c.
Referenced by IntWinDpiCheckCreation().
void IntWinDpiGatherDpiInfo | ( | WIN_PROCESS_OBJECT * | Process, |
WIN_PROCESS_OBJECT * | Parent, | ||
QWORD | DebugHandle | ||
) |
Gathers all the necessary DPI (Deep Process Inspection) information that will later be used to decide if the process creation should be allowed or not.
[in] | Process | The child process. |
[in] | Parent | The parent process. |
[in] | DebugHandle | The debug handle. |
Definition at line 1517 of file windpi.c.
Referenced by IntWinProcHandleCreateInternal().
|
static |
Get the MITRE attack technique ID for the given DPI (Deep Process Inspection) flags.
[in] | Flags | The DPI (Deep Process Inspection) flags. |
Returns | The MITRE attack ID. |
Definition at line 59 of file windpi.c.
Referenced by IntWinDpiSendProcessCreationViolation().
|
static |
Determines if the process is being debugged and sets the WIN_PROCESS_OBJECT.CreationInfo field debugger information to the process that is the debugger.
It is worth noting the way the debug rights are inherited on Windows. If a process creates another process with the DEBUG_PROCESS flag passed to a process creation API, the parent will debug the newly created process and all the processes it creates, unless the chain is broken when one of the created processes becomes a debugger for another process. If DEBUG_ONLY_THIS_PROCESS is used, only the child process is debugged. See https://docs.microsoft.com/en-us/windows/win32/procthread/process-creation-flags for details. We have to take this into account when determining the process that is the debugger. If the PspInsertProcess API receives a non-NULL debug handle parameter, that means that the real parent is the actual debugger. If not, we need to look at the current thread's attached process and figure it out from there. If the NoInheritDebug flag (winKmFieldEprocessFlagsNoDebugInherit) is not set, and the debug port field (winKmFieldProcessDebugPort) from the _EPROCESS is non-NULL, the process is debugged by whoever debugs the attached process.
[in] | Process | The process object. |
[in] | DebugHandle | The debug handle (explained within the function implementation). |
INT_STATUS_SUCCESS | On success. |
INT_STATUS_NOT_FOUND | If the debugger EPROCESS was not found inside the internal structures. |
Definition at line 878 of file windpi.c.
Referenced by IntWinDpiGatherDpiInfo().
|
static |
Gets the violation address, sent through Originator in exception mechanism.
This is used in order to match value code exceptions on INT_PC_VIOLATION_DPI_HEAP_SPRAY.
[in] | PcType | The INTRO_PC_VIOLATION_TYPE for which the violation was triggered. |
[in] | Originator | The process which is considered as the originator of the violation. |
[in] | Victim | The process which is considered the victim of the violation. |
Definition at line 630 of file windpi.c.
Referenced by IntWinDpiCheckCreation().
|
static |
Checks if a process creation breaks the DPI security descriptor policy set by INTRO_OPT_PROT_DPI_SD_ACL (SACL/DACL).
[in] | Child | The child process. |
[in] | RealParent | The real parent process. |
[out] | Originator | On success, will contain a pointer to the originator process. |
[out] | Victim | On success, will contain a pointer to the victim process. |
[out] | PcType | The DPI flags. This will either be 0, if no violation was detected, or INT_PC_VIOLATION_DPI_ACL_EDIT. |
INT_STATUS_NOT_NEEDED_HINT | Signals that there is no reason to treat this as a malicious action. |
INT_STATUS_SUCCESS | Signals that an alert should be sent. |
Definition at line 392 of file windpi.c.
Referenced by IntWinDpiCheckCreation().
|
static |
Checks if a process creation breaks the DPI debug flag policy set by INTRO_OPT_PROT_DPI_DEBUG.
[in] | Child | The child process. |
[in] | RealParent | The real parent process. |
[out] | Originator | On success, will contain a pointer to the originator process. |
[out] | Victim | On success, will contain a pointer to the victim process. |
[out] | PcType | The DPI (Deep Process Inspection) flags. This will either be 0, if no violation was detected, or INT_PC_VIOLATION_DPI_DEBUG_FLAG. |
INT_STATUS_NOT_NEEDED_HINT | Signals that there is no reason to treat this as a malicious action. |
INT_STATUS_SUCCESS | Signals that an alert should be sent. |
Definition at line 491 of file windpi.c.
Referenced by IntWinDpiCheckCreation().
|
static |
Checks if a process creation breaks the DPI heap spray policy set by INTRO_OPT_PROT_DPI_HEAP_SPRAY.
[in] | Child | The child process. |
[in] | RealParent | The real parent process. |
[out] | Originator | On success, will contain a pointer to the originator process. |
[out] | Victim | On success, will contain a pointer to the victim process. |
[out] | PcType | The DPI (Deep Process Inspection) flags. This will either be 0, if no violation was detected, or INT_PC_VIOLATION_DPI_HEAP_SPRAY. |
INT_STATUS_NOT_NEEDED_HINT | Signals that there is no reason to treat this as a malicious action. |
INT_STATUS_SUCCESS | Signals that an alert should be sent. |
Definition at line 540 of file windpi.c.
Referenced by IntWinDpiCheckCreation().
|
static |
Checks if a process creation breaks the DPI pivoted stack policy set by INTRO_OPT_PROT_DPI_STACK_PIVOT.
[in] | Child | The child process. |
[in] | RealParent | The real parent process. |
[out] | Originator | On success, will contain a pointer to the originator process. |
[out] | Victim | On success, will contain a pointer to the victim process. |
[out] | PcType | The DPI (Deep Process Inspection) flags. This will either be 0, if no violation was detected, or INT_PC_VIOLATION_DPI_PIVOTED_STACK. |
INT_STATUS_NOT_NEEDED_HINT | Signals that there is no reason to treat this as a malicious action. |
INT_STATUS_SUCCESS | Signals that an alert should be sent. |
Definition at line 439 of file windpi.c.
Referenced by IntWinDpiCheckCreation().
|
static |
Checks if a process creation breaks the DPI security descriptor policy set by INTRO_OPT_PROT_DPI_SD_ACL (modified security descriptor).
[in] | Child | The child process. |
[in] | RealParent | The real parent process. |
[out] | Originator | On success, will contain a pointer to the originator process. |
[out] | Victim | On success, will contain a pointer to the victim process. |
[out] | PcType | The DPI flags. This will either be 0, if no violation was detected, or INT_PC_VIOLATION_DPI_SEC_DESC. |
INT_STATUS_NOT_NEEDED_HINT | Signals that there is no reason to treat this as a malicious action. |
INT_STATUS_SUCCESS | Signals that an alert should be sent. |
Definition at line 345 of file windpi.c.
Referenced by IntWinDpiCheckCreation().
|
static |
Checks if a process creation breaks the DPI token steal policy set by INTRO_OPT_PROT_DPI_TOKEN_STEAL.
[in] | Child | The child process. |
[in] | RealParent | The real parent process. |
[out] | Originator | On success, will contain a pointer to the originator process. |
[out] | Victim | On success, will contain a pointer to the victim process. |
[out] | PcType | The DPI flags. This will either be 0, if no violation was detected, or INT_PC_VIOLATION_DPI_STOLEN_TOKEN. |
INT_STATUS_NOT_NEEDED_HINT | Signals that there is no reason to treat this as a malicious action. |
INT_STATUS_SUCCESS | Signals that an alert should be sent. |
Definition at line 251 of file windpi.c.
Referenced by IntWinDpiCheckCreation().
|
static |
Checks if a process creation was triggered from a thread which started executing suspicious code.
[in] | Child | The child process. |
[in] | RealParent | The real parent process. |
[out] | Originator | On success, will contain a pointer to the originator process. |
[out] | Victim | On success, will contain a pointer to the victim process. |
[out] | PcType | The DPI (Deep Process Inspection) flags. This will either be 0, if no violation was detected, or INT_PC_VIOLATION_DPI_THREAD_START. |
INT_STATUS_NOT_NEEDED_HINT | Signals that there is no reason to treat this as a malicious action. |
INT_STATUS_SUCCESS | Signals that an alert should be sent. |
Definition at line 585 of file windpi.c.
Referenced by IntWinDpiCheckCreation().
|
static |
Checks if a process creation breaks the DPI token privileges policy set by INTRO_OPT_PROT_DPI_TOKEN_PRIVS.
[in] | Child | The child process. |
[in] | RealParent | The real parent process. |
[out] | Originator | On success, will contain a pointer to the originator process. |
[out] | Victim | On success, will contain a pointer to the victim process. |
[out] | PcType | The DPI flags. This will either be 0, if no violation was detected, or INT_PC_VIOLATION_DPI_TOKEN_PRIVS. |
INT_STATUS_NOT_NEEDED_HINT | Signals that there is no reason to treat this as a malicious action. |
INT_STATUS_SUCCESS | Signals that an alert should be sent. |
Definition at line 295 of file windpi.c.
Referenced by IntWinDpiCheckCreation().
|
static |
Checks if a process creation contradicts the non-DPI process creation policy set by the PROC_OPT_PROT_PREVENT_CHILD_CREATION protection option.
[in] | Child | The child process. |
[in] | RealParent | The real parent process. |
[out] | Originator | On success, will contain a pointer to the originator process. |
[out] | Victim | On success, will contain a pointer to the victim process. |
[out] | PcType | The DPI flags. Since this checks for a normal process creation violation, this will always be 0. |
INT_STATUS_NOT_NEEDED_HINT | Signals that there is no reason to treat this as a malicious action. |
INT_STATUS_SUCCESS | Signals that an alert should be sent. |
Definition at line 206 of file windpi.c.
Referenced by IntWinDpiCheckCreation().
|
static |
Used to whitelist some DPI (Deep Process Inspection) corner cases.
[in] | Process | The child process. |
[in] | Parent | The parent process. |
INT_STATUS_SUCCESS | On success. |
Definition at line 1490 of file windpi.c.
Referenced by IntWinDpiGatherDpiInfo().
|
static |
Definition at line 192 of file windpi.c.
Referenced by IntWinDpiHandleDpiDebug(), IntWinDpiHandleDpiPivotedStack(), and IntWinDpiHandleNormalCreationRights().
|
static |
Send a process creation violation event.
[in] | VictimProc | The victim process. |
[in] | OriginatorProc | The originator process. |
[in] | Action | Taken action. |
[in] | Reason | Reason for the taken action. |
[in] | PcType | The DPI (Deep Process Inspection) flags. |
INT_STATUS_SUCCESS | On success. |
Definition at line 120 of file windpi.c.
Referenced by IntWinDpiCheckCreation().
|
static |
Determines if the parent process has been heap sprayed.
[in,out] | Process | The child process. |
[in] | Parent | The parent process. |
INT_STATUS_SUCCESS | On success. |
Definition at line 1241 of file windpi.c.
Referenced by IntWinDpiGatherDpiInfo().
|
static |
Determines if the parent process has an altered ACL (SACL/DACL).
[in] | Process | The child process. |
[in] | Parent | The parent process. |
INT_STATUS_SUCCESS | On success. |
Definition at line 1147 of file windpi.c.
Referenced by IntWinDpiGatherDpiInfo().
|
static |
Determines if the child process stole the security token from any other process.
[in] | Process | The child process. |
[in] | Parent | The parent process. |
INT_STATUS_SUCCESS | On success. |
Definition at line 1060 of file windpi.c.
Referenced by IntWinDpiGatherDpiInfo().
|
static |
Determines if the parent process has an altered security descriptor pointer.
[in] | Process | The child process. |
[in] | Parent | The parent process. |
INT_STATUS_SUCCESS | On success. |
Definition at line 1086 of file windpi.c.
Referenced by IntWinDpiGatherDpiInfo().
|
static |
Determines if the parent process has a pivoted stack.
[in] | Process | The child process. |
[in] | RealParent | The real parent process. |
INT_STATUS_SUCCESS | On success. |
Definition at line 978 of file windpi.c.
Referenced by IntWinDpiGatherDpiInfo().
|
static |
Determines if the current thread from the parent process has been started in order to execute some suspicious code which led to the current process creation.
[in,out] | Process | The child process. |
[in] | Parent | The parent process. |
INT_STATUS_SUCCESS | On success. |
Definition at line 1381 of file windpi.c.
Referenced by IntWinDpiGatherDpiInfo().
|
static |
Determines if the parent process token privileges have not been altered in a malicious way.
[in] | Process | The child process. |
[in] | Parent | The parent process. |
INT_STATUS_SUCCESS | On success. |
Definition at line 1190 of file windpi.c.
Referenced by IntWinDpiGatherDpiInfo().