doxygen/html/windpi_8h_source.html

 /*
  * Copyright (c) 2020 Bitdefender
  * SPDX-License-Identifier: Apache-2.0
  */

 #ifndef _WINDPI_H_
 #define _WINDPI_H_

 #include "winguest.h"

 typedef struct _WIN_PROCESS_OBJECT WIN_PROCESS_OBJECT, *PWIN_PROCESS_OBJECT;

 #define HEAP_SPRAY_NR_PAGES 0xF

 typedef struct _DPI_EXTRA_INFO
 {
     struct
     {
         QWORD _Reserved;
     } DpiDebugExtraInfo;

     struct
     {
         QWORD CurrentStack;
         QWORD StackBase;
         QWORD StackLimit;
         QWORD TrapFrameAddress;
         QWORD CurrentWow64Stack;
         QWORD Wow64StackBase;
         QWORD Wow64StackLimit;
     } DpiPivotedStackExtraInfo;

     struct
     {
         QWORD StolenFromEprocess;
     } DpiStolenTokenExtraInfo;

     struct
     {
         struct
         {
             DWORD Mapped : 1;
             DWORD Detected : 1;
             DWORD HeapValCount : 11;
             DWORD Offset : 12;
             DWORD Executable : 1;
             DWORD Reserved : 7;
         } HeapPages[HEAP_SPRAY_NR_PAGES];

         QWORD ShellcodeFlags;
     } DpiHeapSprayExtraInfo;

     struct
     {
         QWORD OldEnabled;
         QWORD NewEnabled;
         QWORD OldPresent;
         QWORD NewPresent;
     } DpiTokenPrivsExtraInfo;

     struct
     {
         QWORD StartAddress;
         QWORD ShellcodeFlags;
     } DpiThreadStartExtraInfo;

     struct
     {
         QWORD SecDescStolenFromEproc;

         QWORD OldPtrValue;
         QWORD NewPtrValue;

         ACL OldSacl;
         ACL OldDacl;

         ACL NewSacl;
         ACL NewDacl;
     } DpiSecDescAclExtraInfo;

 } DPI_EXTRA_INFO, *PDPI_EXTRA_INFO;

 void
 IntWinDpiGatherDpiInfo(
     _Inout_ WIN_PROCESS_OBJECT *Process,
     _In_ WIN_PROCESS_OBJECT *Parent,
     _In_ QWORD DebugHandle
     );

 INTRO_ACTION
 IntWinDpiCheckCreation(
     _In_ WIN_PROCESS_OBJECT *Child,
     _In_ WIN_PROCESS_OBJECT *RealParent
     );

 #endif // _WINDPI_H_
_DPI_EXTRA_INFO::HeapPages
struct _DPI_EXTRA_INFO::@206::@210 HeapPages[HEAP_SPRAY_NR_PAGES]

_DPI_EXTRA_INFO::OldPtrValue
QWORD OldPtrValue
Old value.
Definition: windpi.h:92

HEAP_SPRAY_NR_PAGES
#define HEAP_SPRAY_NR_PAGES
Definition: windpi.h:22

_In_
#define _In_
Definition: intro_sal.h:21

IntWinDpiGatherDpiInfo
void IntWinDpiGatherDpiInfo(WIN_PROCESS_OBJECT *Process, WIN_PROCESS_OBJECT *Parent, QWORD DebugHandle)
Gathers all the necessary DPI (Deep Process Inspection) information that will later be used to decide...
Definition: windpi.c:1517

_DPI_EXTRA_INFO::DpiPivotedStackExtraInfo
struct _DPI_EXTRA_INFO::@204 DpiPivotedStackExtraInfo

_DPI_EXTRA_INFO::DpiSecDescAclExtraInfo
struct _DPI_EXTRA_INFO::@209 DpiSecDescAclExtraInfo

_DPI_EXTRA_INFO::TrapFrameAddress
QWORD TrapFrameAddress
The address of the trap frame. Used for more information gathering when sending the alert...
Definition: windpi.h:40

_DPI_EXTRA_INFO::Wow64StackLimit
QWORD Wow64StackLimit
The known stack limit in WoW64 mode. Valid only if the process is WoW64.
Definition: windpi.h:44

_DPI_EXTRA_INFO::NewEnabled
QWORD NewEnabled
The new value from parent&#39;s token Privileges.Enabled field, which was deemed malicious.
Definition: windpi.h:74

_DPI_EXTRA_INFO::StartAddress
QWORD StartAddress
The address on which the parent&#39;s thread started execution.
Definition: windpi.h:82

_DPI_EXTRA_INFO::OldDacl
ACL OldDacl
The old DACL header.
Definition: windpi.h:96

_DPI_EXTRA_INFO::StolenFromEprocess
QWORD StolenFromEprocess
The EPROCESS address from which the token was stolen.
Definition: windpi.h:49

PDPI_EXTRA_INFO
struct _DPI_EXTRA_INFO * PDPI_EXTRA_INFO

_DPI_EXTRA_INFO::NewSacl
ACL NewSacl
The new SACL header.
Definition: windpi.h:98

_DPI_EXTRA_INFO::Wow64StackBase
QWORD Wow64StackBase
The known stack base in WoW64 mode. Valid only if the process is WoW64.
Definition: windpi.h:43

_ACL
An access control list.
Definition: wddefs.h:637

_DPI_EXTRA_INFO::Offset
DWORD Offset
The offset where the detection on the given page was given, if Detection is equal to 1...
Definition: windpi.h:62

_DPI_EXTRA_INFO::Reserved
DWORD Reserved
Reserved for further use.
Definition: windpi.h:64

_Inout_
#define _Inout_
Definition: intro_sal.h:20

QWORD
unsigned long long QWORD
Definition: intro_types.h:53

_DPI_EXTRA_INFO::CurrentWow64Stack
QWORD CurrentWow64Stack
The current stack of the process in WoW64 mode. Valid only if the process is WoW64.
Definition: windpi.h:42

_DPI_EXTRA_INFO::SecDescStolenFromEproc
QWORD SecDescStolenFromEproc
If the parent security descriptor has been stolen, this variable may indicate (in case we find it) th...
Definition: windpi.h:90

_DPI_EXTRA_INFO::NewPresent
QWORD NewPresent
The new value from parent&#39;s token Privileges.Present field, which was deemed malicious.
Definition: windpi.h:77

_DPI_EXTRA_INFO::CurrentStack
QWORD CurrentStack
The current stack of the process at the point of process creation.
Definition: windpi.h:36

IntWinDpiCheckCreation
INTRO_ACTION IntWinDpiCheckCreation(WIN_PROCESS_OBJECT *Child, WIN_PROCESS_OBJECT *RealParent)
Analyzes all the process creations rules in order to decided if the process creation should be allowe...
Definition: windpi.c:749

_DPI_EXTRA_INFO::OldSacl
ACL OldSacl
The old SACL header.
Definition: windpi.h:95

_DPI_EXTRA_INFO::DpiStolenTokenExtraInfo
struct _DPI_EXTRA_INFO::@205 DpiStolenTokenExtraInfo

_DPI_EXTRA_INFO::OldEnabled
QWORD OldEnabled
Definition: windpi.h:72

_DPI_EXTRA_INFO::NewDacl
ACL NewDacl
The new DACL header.
Definition: windpi.h:99

DWORD
uint32_t DWORD
Definition: intro_types.h:49

_DPI_EXTRA_INFO::DpiThreadStartExtraInfo
struct _DPI_EXTRA_INFO::@208 DpiThreadStartExtraInfo

_DPI_EXTRA_INFO::StackBase
QWORD StackBase
The known stack base present in TIB at the moment of process creation.
Definition: windpi.h:37

_DPI_EXTRA_INFO::DpiHeapSprayExtraInfo
struct _DPI_EXTRA_INFO::@206 DpiHeapSprayExtraInfo

INTRO_ACTION
enum _INTRO_ACTION INTRO_ACTION
Event actions.

_DPI_EXTRA_INFO::NewPtrValue
QWORD NewPtrValue
New value.
Definition: windpi.h:93

_DPI_EXTRA_INFO::OldPresent
QWORD OldPresent
Definition: windpi.h:75

winguest.h

_DPI_EXTRA_INFO::Mapped
DWORD Mapped
Definition: windpi.h:56

_DPI_EXTRA_INFO::DpiTokenPrivsExtraInfo
struct _DPI_EXTRA_INFO::@207 DpiTokenPrivsExtraInfo

_DPI_EXTRA_INFO::DpiDebugExtraInfo
struct _DPI_EXTRA_INFO::@203 DpiDebugExtraInfo

_DPI_EXTRA_INFO::HeapValCount
DWORD HeapValCount
The number of heap values in the page. Since the max value can be 1024, 11 bits are needed...
Definition: windpi.h:60

_DPI_EXTRA_INFO::Detected
DWORD Detected
The bit is set if the i-th page was detected as malicious by shemu.
Definition: windpi.h:58

_DPI_EXTRA_INFO::_Reserved
QWORD _Reserved
Reserved for further use.
Definition: windpi.h:31

_DPI_EXTRA_INFO::StackLimit
QWORD StackLimit
Definition: windpi.h:38

_DPI_EXTRA_INFO::ShellcodeFlags
QWORD ShellcodeFlags
Contains the flags on the first page which was detected through shemu.
Definition: windpi.h:67

PWIN_PROCESS_OBJECT
struct _WIN_PROCESS_OBJECT * PWIN_PROCESS_OBJECT
Definition: windpi.h:17

_DPI_EXTRA_INFO
Definition: windpi.h:27

DPI_EXTRA_INFO
struct _DPI_EXTRA_INFO DPI_EXTRA_INFO

_DPI_EXTRA_INFO::Executable
DWORD Executable
True if the page is executable in the translation.
Definition: windpi.h:63

_WIN_PROCESS_OBJECT
This structure describes a running process inside the guest.
Definition: winprocess.h:83