52 #define DRIVER_MAX_ITERATIONS 4096 61 _In_ void *PsLoadedModuleList,
137 #endif // _WINDRIVER_H_
INTSTATUS IntWinDrvHandleRead(void *Context, void *Hook, QWORD Address, INTRO_ACTION *Action)
Used to notify the introspection engine when a read took place on a protected driver (used only for n...
INTSTATUS IntWinDrvUpdateProtection(void)
Used to update the protection for all the loaded modules (gKernelDrivers).
QWORD EatReadCount
The number of EAT reads that took place from within known drivers.
DWORD PathLength
The driver's path length (number of WCHARS).
struct _WIN_KERNEL_DRIVER * PWIN_KERNEL_DRIVER
PBYTE MzPeHeaders
The driver's MZ/PE headers (cached internally).
int INTSTATUS
The status data type.
void * HeadersSwapHandle
The swap handle used to read the driver's headers.
INTSTATUS IntWinDrvCreateFromAddress(QWORD ModuleInfo, QWORD Flags)
Adds a driver to introspection's LoadedModuleList (gKernelDrivers). This way we avoid lots of mapping...
DWORD TimeDateStamp
The driver's internal timestamp (from the _IMAGE_FILE_HEADER).
Describes a kernel driver.
INTSTATUS IntWinUnprotectReadNtEat(void)
Used to remove the EAT read hook from ntoskrnl.exe.
INTSTATUS IntWinDrvHandleDriverEntry(void *Context, void *Hook, QWORD Address, INTRO_ACTION *Action)
Used to notify the introspection engine when the DriverEntry of a module starts executing.
INTSTATUS IntWinDrvProtect(KERNEL_DRIVER *Driver, QWORD ProtectionFlag)
Used to enable protection for the given driver.
Holds information about a driver object.
struct _WIN_KERNEL_DRIVER WIN_KERNEL_DRIVER
INTSTATUS(* PFUNC_IterateListCallback)(QWORD Node, QWORD Aux)
INTSTATUS IntWinDrvRemoveEntry(KERNEL_DRIVER *Driver)
Removes the KERNEL_DRIVER from the internal structures.
INTSTATUS IntWinDrvIsListHead(QWORD PsLoadedModuleListGva, void *PsLoadedModuleList, QWORD KernelLdr)
Used to identify WINDOWS_GUEST::PsLoadedModuleList.
PWCHAR Path
The driver's path.
void * EatReadHook
The read hook placed on the driver's EAT.
QWORD ProtectionFlag
The introcore option that decided that this driver must be protected.
INTSTATUS IntWinProtectReadNtEat(void)
Used to place a read hook on the ntoskrnl.exe EAT.
enum _INTRO_ACTION INTRO_ACTION
Event actions.
INTSTATUS IntWinDrvRemoveFromAddress(QWORD ModuleInfo)
Removes a driver from the introspection's loaded modules list (gKernelDrivers).
INTSTATUS IntWinDrvIterateLoadedModules(PFUNC_IterateListCallback Callback, QWORD Aux)
Used to iterate through the WINDOWS_GUEST::PsLoadedModuleList.
void * EpHookObject
The EP hook placed on the driver (we will be notified when the execution began) - useful to obtain th...
INTSTATUS IntWinDrvUnprotect(KERNEL_DRIVER *Driver)
Used to disable protection for the given driver.
PWIN_DRIVER_OBJECT DriverObject
The driver object.
DWORD PathHash
CRC32 hash value for the driver's path.
INTSTATUS IntWinDrvHandleWrite(void *Context, void *Hook, QWORD Address, INTRO_ACTION *Action)
Used to notify the introspection engine when a write took place on a protected driver.
struct _KERNEL_DRIVER * PKERNEL_DRIVER