Bitdefender Hypervisor Memory Introspection
Exposes the functions responsible for DPI (Deep Process Inspection) information gathering (used to determine if a process creation should be allowed or not).
#include "winguest.h"
Data Structures
  struct _DPI_EXTRA_INFO

Macros
  #define HEAP_SPRAY_NR_PAGES 0xF

Typedefs
  typedef struct _WIN_PROCESS_OBJECT WIN_PROCESS_OBJECT
  typedef struct _WIN_PROCESS_OBJECT *PWIN_PROCESS_OBJECT
  typedef struct _DPI_EXTRA_INFO DPI_EXTRA_INFO
  typedef struct _DPI_EXTRA_INFO *PDPI_EXTRA_INFO

Functions
  void IntWinDpiGatherDpiInfo (WIN_PROCESS_OBJECT *Process, WIN_PROCESS_OBJECT *Parent, QWORD DebugHandle)
    Gathers all the DPI (Deep Process Inspection) information that will later be used to decide whether the process creation should be allowed or not.
  INTRO_ACTION IntWinDpiCheckCreation (WIN_PROCESS_OBJECT *Child, WIN_PROCESS_OBJECT *RealParent)
    Analyzes all the process creation rules in order to decide whether the process creation should be allowed or not.
Exposes the functions responsible for DPI (Deep Process Inspection) information gathering (used to determine if a process creation should be allowed or not).
Definition in file windpi.h.
#define HEAP_SPRAY_NR_PAGES 0xF
The maximum number of pages checked by the DPI heap spray heuristic, representing the pages from 0x01010000 to 0x0f0f0000.
Definition at line 22 of file windpi.h.
Referenced by IntAlertFillDpiExtraInfo(), IntExceptUserLogWindowsInformation(), IntSerializeDpiWinHeapSpray(), IntWinDpiGetViolationAddress(), and IntWinDpiValidateHeapSpray().
typedef struct _DPI_EXTRA_INFO DPI_EXTRA_INFO
Extra info extracted while checking whether any DPI heuristic has been violated.
typedef struct _DPI_EXTRA_INFO *PDPI_EXTRA_INFO
typedef struct _WIN_PROCESS_OBJECT *PWIN_PROCESS_OBJECT
typedef struct _WIN_PROCESS_OBJECT WIN_PROCESS_OBJECT
INTRO_ACTION IntWinDpiCheckCreation (WIN_PROCESS_OBJECT *Child, WIN_PROCESS_OBJECT *RealParent)
Analyzes all the process creation rules in order to decide whether the process creation should be allowed or not.
This function is responsible for checking that the process creation respects all the activated DPI (Deep Process Inspection) rules, namely: "Normal" Creation Rights (the parent has the PROC_OPT_PROT_PREVENT_CHILD_CREATION flag set), stolen token (the child process stole a security token), pivoted stack (the parent process has a pivoted stack), debug (the child process is being debugged) and heap spray (the parent process has been heap sprayed).
Parameters:
  [in] Child      The child process.
  [in] RealParent The real parent process.
Definition at line 749 of file windpi.c.
Referenced by IntWinProcHandleCreateInternal().
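The following is an added illustration of the two pieces of this page that have some logic behind them: the heap spray window defined by HEAP_SPRAY_NR_PAGES (page i of the window sits at 0x01010000 * i, so the fifteen candidates run from 0x01010000 to 0x0f0f0000) and the rule evaluation performed by IntWinDpiCheckCreation. It is not HVMI's code: the DPI_PROC structure, the rule bit values, the DPI_ACTION enum and the way a process's mapped pages are represented are all assumptions made for the example, and the real WIN_PROCESS_OBJECT, INTRO_ACTION and DPI_EXTRA_INFO types are not modelled.

```c
/* Added example, not HVMI code. Models the DPI creation check described on this page
 * with simplified, hypothetical types. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HEAP_SPRAY_NR_PAGES   0xF          /* value from windpi.h */
#define HEAP_SPRAY_FIRST_PAGE 0x01010000u  /* lowest page named in the windpi.h comment */

/* Hypothetical action values; the real INTRO_ACTION enum is not on this page. */
typedef enum { ACTION_ALLOW = 0, ACTION_BLOCK = 1 } DPI_ACTION;

/* Hypothetical rule bits, one per heuristic named in the IntWinDpiCheckCreation text. */
enum {
    RULE_NONE           = 0,
    RULE_CHILD_CREATION = 1 << 0, /* parent has PROC_OPT_PROT_PREVENT_CHILD_CREATION set */
    RULE_STOLEN_TOKEN   = 1 << 1, /* child stole a security token */
    RULE_PIVOTED_STACK  = 1 << 2, /* parent has a pivoted stack */
    RULE_DEBUG          = 1 << 3, /* child is being debugged */
    RULE_HEAP_SPRAY     = 1 << 4  /* parent has been heap sprayed */
};

/* Constructed process model: the facts the gather step would have collected. */
typedef struct {
    const char *Name;
    bool PreventChildCreation;
    bool TokenStolen;
    bool StackPivoted;
    uint64_t DebugHandle;         /* non-zero while a debugger is attached */
    const uint32_t *MappedPages;  /* page bases known to be mapped (constructed input) */
    size_t MappedCount;
} DPI_PROC;

/* Base address of page i (1..HEAP_SPRAY_NR_PAGES) of the spray window:
 * 0x01010000, 0x02020000, ..., 0x0f0f0000. */
uint32_t DpiHeapSprayPage(unsigned i) { return HEAP_SPRAY_FIRST_PAGE * i; }

/* Returns the first spray-window page that is mapped in the process, or 0 if none is. */
uint32_t DpiFindSprayPage(const DPI_PROC *p) {
    for (unsigned i = 1; i <= HEAP_SPRAY_NR_PAGES; i++) {
        uint32_t page = DpiHeapSprayPage(i);
        for (size_t k = 0; k < p->MappedCount; k++)
            if (p->MappedPages[k] == page) return page;
    }
    return 0;
}

/* Evaluates every enabled rule and returns the OR of the violated rule bits. */
unsigned DpiCheckCreation(const DPI_PROC *child, const DPI_PROC *parent, unsigned enabled) {
    unsigned violated = RULE_NONE;
    if ((enabled & RULE_CHILD_CREATION) && parent->PreventChildCreation) violated |= RULE_CHILD_CREATION;
    if ((enabled & RULE_STOLEN_TOKEN)   && child->TokenStolen)            violated |= RULE_STOLEN_TOKEN;
    if ((enabled & RULE_PIVOTED_STACK)  && parent->StackPivoted)          violated |= RULE_PIVOTED_STACK;
    if ((enabled & RULE_DEBUG)          && child->DebugHandle != 0)       violated |= RULE_DEBUG;
    if ((enabled & RULE_HEAP_SPRAY)     && DpiFindSprayPage(parent) != 0) violated |= RULE_HEAP_SPRAY;
    return violated;
}

/* Any violated rule blocks the creation; otherwise it is allowed. */
DPI_ACTION DpiDecide(unsigned violated) { return violated ? ACTION_BLOCK : ACTION_ALLOW; }

#define ALL_RULES (RULE_CHILD_CREATION | RULE_STOLEN_TOKEN | RULE_PIVOTED_STACK | RULE_DEBUG | RULE_HEAP_SPRAY)

/* Constructed scenario: parent has a page inside the spray window mapped and the
 * child is being debugged. Returns the violated rule bits. */
unsigned DpiSampleSuspicious(void) {
    static const uint32_t parent_pages[] = { 0x0a0a0000u, 0x7ff00000u };
    DPI_PROC parent = { "parent.exe", false, false, false, 0, parent_pages, 2 };
    DPI_PROC child  = { "child.exe",  false, false, false, 0x1c, NULL, 0 };
    return DpiCheckCreation(&child, &parent, ALL_RULES);
}

/* Constructed scenario: nothing suspicious about either side. */
unsigned DpiSampleBenign(void) {
    static const uint32_t parent_pages[] = { 0x00400000u, 0x7ff00000u };
    DPI_PROC parent = { "explorer.exe", false, false, false, 0, parent_pages, 2 };
    DPI_PROC child  = { "notepad.exe",  false, false, false, 0, NULL, 0 };
    return DpiCheckCreation(&child, &parent, ALL_RULES);
}

int main(void) {
    unsigned v = DpiSampleSuspicious();
    printf("suspicious: violated=0x%x action=%s\n", v, DpiDecide(v) == ACTION_BLOCK ? "block" : "allow");
    v = DpiSampleBenign();
    printf("benign:     violated=0x%x action=%s\n", v, DpiDecide(v) == ACTION_BLOCK ? "block" : "allow");
    return 0;
}
```

The window arithmetic is the part worth keeping in mind when reading HEAP_SPRAY_NR_PAGES: the macro bounds how many candidate pages the heuristic walks, so raising it widens the range of addresses a spray would be detected at, while the per-rule enable mask mirrors the fact that only activated DPI rules take part in the decision.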
void IntWinDpiGatherDpiInfo (WIN_PROCESS_OBJECT *Process, WIN_PROCESS_OBJECT *Parent, QWORD DebugHandle)
Gathers all the DPI (Deep Process Inspection) information that will later be used to decide whether the process creation should be allowed or not.
Parameters:
  [in] Process     The child process.
  [in] Parent      The parent process.
  [in] DebugHandle The debug handle.
Definition at line 1517 of file windpi.c.
Referenced by IntWinProcHandleCreateInternal().