Bitdefender Hypervisor Memory Introspection
windpi.h File Reference

Exposes the functions responsible for DPI (Deep Process Inspection) information gathering (used to determine if a process creation should be allowed or not).

#include "winguest.h"


Data Structures

struct _DPI_EXTRA_INFO
 

Macros

#define HEAP_SPRAY_NR_PAGES   0xF
 

Typedefs

typedef struct _WIN_PROCESS_OBJECT WIN_PROCESS_OBJECT

typedef struct _WIN_PROCESS_OBJECT *PWIN_PROCESS_OBJECT

typedef struct _DPI_EXTRA_INFO DPI_EXTRA_INFO

typedef struct _DPI_EXTRA_INFO *PDPI_EXTRA_INFO
 

Functions

void IntWinDpiGatherDpiInfo (WIN_PROCESS_OBJECT *Process, WIN_PROCESS_OBJECT *Parent, QWORD DebugHandle)
 Gathers all the necessary DPI (Deep Process Inspection) information that will later be used to decide if the process creation should be allowed or not.
 
INTRO_ACTION IntWinDpiCheckCreation (WIN_PROCESS_OBJECT *Child, WIN_PROCESS_OBJECT *RealParent)
 Analyzes all the process creation rules in order to decide if the process creation should be allowed or not.
 

Detailed Description

Exposes the functions responsible for DPI (Deep Process Inspection) information gathering (used to determine if a process creation should be allowed or not).

Definition in file windpi.h.

Macro Definition Documentation

◆ HEAP_SPRAY_NR_PAGES

#define HEAP_SPRAY_NR_PAGES   0xF

The maximum number of pages checked by the DPI heap-spray heuristic, covering the pages from 0x01010000 to 0x0f0f0000.

Definition at line 22 of file windpi.h.

Referenced by IntAlertFillDpiExtraInfo(), IntExceptUserLogWindowsInformation(), IntSerializeDpiWinHeapSpray(), IntWinDpiGetViolationAddress(), and IntWinDpiValidateHeapSpray().

Typedef Documentation

◆ DPI_EXTRA_INFO

typedef struct _DPI_EXTRA_INFO DPI_EXTRA_INFO

Extra info extracted while checking if any DPI heuristic has been violated.

◆ PDPI_EXTRA_INFO

typedef struct _DPI_EXTRA_INFO * PDPI_EXTRA_INFO

◆ PWIN_PROCESS_OBJECT

typedef struct _WIN_PROCESS_OBJECT * PWIN_PROCESS_OBJECT

Definition at line 17 of file windpi.h.

◆ WIN_PROCESS_OBJECT

typedef struct _WIN_PROCESS_OBJECT WIN_PROCESS_OBJECT

Definition at line 17 of file windpi.h.

Function Documentation

◆ IntWinDpiCheckCreation()

INTRO_ACTION IntWinDpiCheckCreation (WIN_PROCESS_OBJECT *Child, WIN_PROCESS_OBJECT *RealParent)

Analyzes all the process creation rules in order to decide if the process creation should be allowed or not.

This function is responsible for analyzing whether the process creation respects all the activated DPI (Deep Process Inspection) rules, such as: "Normal" Creation Rights (the parent has the PROC_OPT_PROT_PREVENT_CHILD_CREATION flag set), stolen token (the child process stole a security token), pivoted stack (the parent process has a pivoted stack), debug (the child process is being debugged) and heap spray (the parent process has been heap sprayed).

Parameters
[in] Child  The child process.
[in] RealParent  The real parent process.

Returns
The action to be taken.

Definition at line 749 of file windpi.c.

Referenced by IntWinProcHandleCreateInternal().

◆ IntWinDpiGatherDpiInfo()

void IntWinDpiGatherDpiInfo (WIN_PROCESS_OBJECT *Process, WIN_PROCESS_OBJECT *Parent, QWORD DebugHandle)

Gathers all the necessary DPI (Deep Process Inspection) information that will later be used to decide if the process creation should be allowed or not.

Parameters
[in] Process  The child process.
[in] Parent  The parent process.
[in] DebugHandle  The debug handle.

Definition at line 1517 of file windpi.c.

Referenced by IntWinProcHandleCreateInternal().