Bitdefender Hypervisor Memory Introspection
windrv_protected.c File Reference

This file contains Windows Kernel Driver and Driver Object related protection options.

#include "drivers.h"
#include "windrvobj.h"
#include "guests.h"
#include "winguest.h"
#include "windrv_protected.h"


Functions

static const PROTECTED_MODULE_INFO * IntWinDrvGetProtInfoByName (const PROTECTED_MODULE_INFO *Info, size_t InfoSize, const WCHAR *Name)
 Perform a search for a driver by name in an array of protected kernel modules.
 
static const PROTECTED_MODULE_INFO * IntWinDrvObjGetProtInfoByName (const PROTECTED_MODULE_INFO *Info, size_t InfoSize, const WCHAR *Name)
 Perform a search for a driver object by name in an array of protected kernel modules.
 
const PROTECTED_MODULE_INFO * IntWinDrvIsProtected (const KERNEL_DRIVER *Driver)
 Get the protected module information for a kernel driver.
 
const PROTECTED_MODULE_INFO * IntWinDrvObjIsProtected (const WIN_DRIVER_OBJECT *Driver)
 Get the protected module information for a kernel driver object.
 
BOOLEAN IntWinDrvHasDriverObject (const KERNEL_DRIVER *Driver)
 Check whether a kernel driver has a driver object that we care to protect.
 
BOOLEAN IntWinDrvIsProtectedAv (const WCHAR *Driver)
 Check whether a kernel driver is a known and protected antivirus.
 
BOOLEAN IntWinDrvObjIsProtectedAv (const WCHAR *DrvObj)
 Checks if a driver object belongs to a known and protected antivirus.
 

Variables

static const PROTECTED_MODULE_INFO gNtModule
 Describe protection information for the NT Kernel.
 
static const PROTECTED_MODULE_INFO gHalModule
 Describe protection information for HAL.
 
static const PROTECTED_MODULE_INFO gCoreModules []
 Describe protection information for the core Kernel modules.
 
static const PROTECTED_MODULE_INFO gAvModules []
 Describe protection information for antivirus Kernel modules.
 
static const PROTECTED_MODULE_INFO gXenModules []
 Describe protection information for XEN Kernel modules.
 

Detailed Description

This file contains Windows Kernel Driver and Driver Object related protection options.

Definition in file windrv_protected.c.

Function Documentation

◆ IntWinDrvGetProtInfoByName()

static const PROTECTED_MODULE_INFO* IntWinDrvGetProtInfoByName ( const PROTECTED_MODULE_INFO *Info,
size_t InfoSize,
const WCHAR *Name
)
static

Perform a search for a driver by name in an array of protected kernel modules.

Parameters
[in] Info      The array of protected modules to search into.
[in] InfoSize  The number of elements in the array.
[in] Name      The name of the driver to search for.
Returns
The desired protection information or NULL if not found.

Definition at line 421 of file windrv_protected.c.

Referenced by IntWinDrvIsProtected(), and IntWinDrvIsProtectedAv().

◆ IntWinDrvHasDriverObject()

BOOLEAN IntWinDrvHasDriverObject ( const KERNEL_DRIVER *Driver)

Check whether a kernel driver has a driver object that we care to protect.

Parameters
[in] Driver  Pointer to a kernel driver to be checked.
Returns
TRUE if the driver has a driver object, FALSE otherwise.

Definition at line 577 of file windrv_protected.c.

Referenced by IntWinDrvCreateFromAddress().

◆ IntWinDrvIsProtected()

const PROTECTED_MODULE_INFO* IntWinDrvIsProtected ( const KERNEL_DRIVER *Driver)

Get the protected module information for a kernel driver.

Parameters
[in] Driver  Pointer to a kernel driver for which to search for protection information.
Returns
The desired protection information or NULL if not found.

Definition at line 484 of file windrv_protected.c.

Referenced by IntWinDrvCreateFromAddress(), IntWinDrvHasDriverObject(), and IntWinDrvUpdateProtection().

◆ IntWinDrvIsProtectedAv()

BOOLEAN IntWinDrvIsProtectedAv ( const WCHAR *Driver)

Check whether a kernel driver is a known and protected antivirus.

Parameters
[in] Driver  Pointer to a WCHAR string describing the driver's name.
Returns
TRUE if the driver is a known and protected antivirus, FALSE otherwise.

Definition at line 595 of file windrv_protected.c.

Referenced by IntAlertEptFillFromVictimZone().

◆ IntWinDrvObjGetProtInfoByName()

static const PROTECTED_MODULE_INFO* IntWinDrvObjGetProtInfoByName ( const PROTECTED_MODULE_INFO *Info,
size_t InfoSize,
const WCHAR *Name
)
static

Perform a search for a driver object by name in an array of protected kernel modules.

Parameters
[in] Info      The array of protected modules to search into.
[in] InfoSize  The number of elements in the array.
[in] Name      The name of the driver object to search for.
Returns
The desired protection information or NULL if not found.

Definition at line 450 of file windrv_protected.c.

Referenced by IntWinDrvObjIsProtected(), and IntWinDrvObjIsProtectedAv().

◆ IntWinDrvObjIsProtected()

const PROTECTED_MODULE_INFO* IntWinDrvObjIsProtected ( const WIN_DRIVER_OBJECT *Driver)

Get the protected module information for a kernel driver object.

Parameters
[in] Driver  Pointer to a driver object for which to search for protection information.
Returns
The desired protection information or NULL if not found.

Definition at line 536 of file windrv_protected.c.

Referenced by IntWinDrvObjCreateFromAddress(), and IntWinDrvObjUpdateProtection().

◆ IntWinDrvObjIsProtectedAv()

BOOLEAN IntWinDrvObjIsProtectedAv ( const WCHAR *DrvObj)

Checks if a driver object belongs to a known and protected antivirus.

Parameters
[in] DrvObj  Pointer to a WCHAR string describing the driver object's name.
Returns
TRUE if the driver object belongs to a known and protected antivirus, FALSE otherwise.

Definition at line 611 of file windrv_protected.c.

Referenced by IntAlertEptFillFromVictimZone().

Variable Documentation

◆ gAvModules

const PROTECTED_MODULE_INFO gAvModules[]
static

Describe protection information for antivirus Kernel modules.

Definition at line 177 of file windrv_protected.c.

Referenced by IntWinDrvIsProtected(), and IntWinDrvObjIsProtected().

◆ gCoreModules

const PROTECTED_MODULE_INFO gCoreModules[]
static

Describe protection information for the core Kernel modules.

Definition at line 37 of file windrv_protected.c.

Referenced by IntWinDrvIsProtected(), and IntWinDrvObjIsProtected().

◆ gHalModule

const PROTECTED_MODULE_INFO gHalModule
static
Initial value:
=
{
.Type = winModCore,
.Name = u"hal.dll",
.Path = u"\\SystemRoot\\System32\\hal.dll",
.RequiredFlags = INTRO_OPT_PROT_KM_HAL,
}

Describe protection information for HAL.

Definition at line 28 of file windrv_protected.c.

Referenced by IntWinDrvIsProtected().

◆ gNtModule

const PROTECTED_MODULE_INFO gNtModule
static
Initial value:
=
{
.Type = winModCore,
.Name = u"ntoskrnl.exe",
.Path = u"\\SystemRoot\\System32\\ntoskrnl.exe",
.RequiredFlags = INTRO_OPT_PROT_KM_NT,
}

Describe protection information for the NT Kernel.

Definition at line 19 of file windrv_protected.c.

Referenced by IntWinDrvIsProtected().
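As an added illustration, not code from the HVMI project, the C sketch below mirrors what IntWinDrvGetProtInfoByName() and the gNtModule/gHalModule entries above describe: a by-name search over a PROTECTED_MODULE_INFO-style table, with the result gated on the entry's RequiredFlags being enabled in the current protection options. The struct layout, the flag values, the case-insensitive name compare and the gating rule are assumptions of this example, not the project's definitions.

```c
#include <stddef.h>
#include <stdint.h>
#include <wchar.h>
#include <wctype.h>

/* Hypothetical mirror of the PROTECTED_MODULE_INFO fields shown on this page. */
typedef enum { winModCore, winModAv } MODULE_TYPE;

typedef struct {
    MODULE_TYPE    Type;
    const wchar_t *Name;
    const wchar_t *Path;
    uint64_t       RequiredFlags;  /* INTRO_OPT_PROT_KM_* bits the entry needs */
} PROTECTED_MODULE_INFO;

/* Constructed flag values; the real ones are defined in intro_types.h. */
#define OPT_PROT_KM_NT  (1ull << 0)
#define OPT_PROT_KM_HAL (1ull << 1)

/* Constructed table modelled on gNtModule and gHalModule. */
static const PROTECTED_MODULE_INFO gModules[] = {
    { winModCore, L"ntoskrnl.exe", L"\\SystemRoot\\System32\\ntoskrnl.exe", OPT_PROT_KM_NT  },
    { winModCore, L"hal.dll",      L"\\SystemRoot\\System32\\hal.dll",      OPT_PROT_KM_HAL },
};

/* Case-insensitive wide compare: Windows image names are not case-sensitive,
 * so a case-sensitive match would silently skip "HAL.DLL" (assumption). */
static int wnameeq(const wchar_t *a, const wchar_t *b)
{
    for (; *a && *b; a++, b++)
        if (towlower((wint_t)*a) != towlower((wint_t)*b)) return 0;
    return *a == *b;
}

/* Linear search by name; returns NULL when the name is unknown or when the
 * options currently enabled do not include every bit the entry requires. */
const PROTECTED_MODULE_INFO *FindProtectedModule(const PROTECTED_MODULE_INFO *info,
                                                 size_t count, const wchar_t *name,
                                                 uint64_t enabledOptions)
{
    if (!info || !name) return NULL;
    for (size_t i = 0; i < count; i++) {
        if (!wnameeq(info[i].Name, name)) continue;
        if ((info[i].RequiredFlags & enabledOptions) != info[i].RequiredFlags) return NULL;
        return &info[i];
    }
    return NULL;
}

/* Convenience wrapper over the constructed table. */
const PROTECTED_MODULE_INFO *LookupCore(const wchar_t *name, uint64_t opts)
{
    return FindProtectedModule(gModules, sizeof gModules / sizeof gModules[0], name, opts);
}
```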

◆ gXenModules

const PROTECTED_MODULE_INFO gXenModules[]
static

Describe protection information for XEN Kernel modules.

Definition at line 309 of file windrv_protected.c.

Referenced by IntWinDrvIsProtected(), and IntWinDrvObjIsProtected().