#define HEAP_SPRAY_NR_PAGES 0xF
struct _DPI_EXTRA_INFO::@206::@210 HeapPages[HEAP_SPRAY_NR_PAGES]
QWORD OldPtrValue
Old value.
void IntWinDpiGatherDpiInfo(WIN_PROCESS_OBJECT *Process, WIN_PROCESS_OBJECT *Parent, QWORD DebugHandle)
Gathers all the necessary DPI (Deep Process Inspection) information that will later be used to decide...
struct _DPI_EXTRA_INFO::@204 DpiPivotedStackExtraInfo
struct _DPI_EXTRA_INFO::@209 DpiSecDescAclExtraInfo
QWORD TrapFrameAddress
The address of the trap frame. Used for more information gathering when sending the alert...
QWORD Wow64StackLimit
The known stack limit in WoW64 mode. Valid only if the process is WoW64.
QWORD NewEnabled
The new value from parent's token Privileges.Enabled field, which was deemed malicious.
QWORD StartAddress
The address on which the parent's thread started execution.
ACL OldDacl
The old DACL header.
QWORD StolenFromEprocess
The EPROCESS address from which the token was stolen.
struct _DPI_EXTRA_INFO * PDPI_EXTRA_INFO
ACL NewSacl
The new SACL header.
QWORD Wow64StackBase
The known stack base in WoW64 mode. Valid only if the process is WoW64.
DWORD Offset
The offset where the detection on the given page was given, if Detection is equal to 1...
DWORD Reserved
Reserved for further use.
QWORD CurrentWow64Stack
The current stack of the process in WoW64 mode. Valid only if the process is WoW64.
QWORD SecDescStolenFromEproc
If the parent security descriptor has been stolen, this variable may indicate (in case we find it) th...
QWORD NewPresent
The new value from parent's token Privileges.Present field, which was deemed malicious.
QWORD CurrentStack
The current stack of the process at the point of process creation.
INTRO_ACTION IntWinDpiCheckCreation(WIN_PROCESS_OBJECT *Child, WIN_PROCESS_OBJECT *RealParent)
Analyzes all the process creation rules in order to decide if the process creation should be allowe...
ACL OldSacl
The old SACL header.
struct _DPI_EXTRA_INFO::@205 DpiStolenTokenExtraInfo
ACL NewDacl
The new DACL header.
struct _DPI_EXTRA_INFO::@208 DpiThreadStartExtraInfo
QWORD StackBase
The known stack base present in TIB at the moment of process creation.
struct _DPI_EXTRA_INFO::@206 DpiHeapSprayExtraInfo
enum _INTRO_ACTION INTRO_ACTION
Event actions.
QWORD NewPtrValue
New value.
struct _DPI_EXTRA_INFO::@207 DpiTokenPrivsExtraInfo
struct _DPI_EXTRA_INFO::@203 DpiDebugExtraInfo
DWORD HeapValCount
The number of heap values in the page. Since the max value can be 1024, 11 bits are needed...
DWORD Detected
The bit is set if the i-th page was detected as malicious by shemu.
QWORD _Reserved
Reserved for further use.
QWORD ShellcodeFlags
Contains the flags on the first page which was detected through shemu.
struct _WIN_PROCESS_OBJECT * PWIN_PROCESS_OBJECT
This structure describes a running process inside the guest.
struct _DPI_EXTRA_INFO DPI_EXTRA_INFO
DWORD Executable
True if the page is executable in the translation.