Bitdefender Hypervisor Memory Introspection
windrv_protected.c
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2020 Bitdefender
3  * SPDX-License-Identifier: Apache-2.0
4  */
11 
12 #include "drivers.h"
13 #include "windrvobj.h"
14 #include "guests.h"
15 #include "winguest.h"
16 #include "windrv_protected.h"
17 
19 static const PROTECTED_MODULE_INFO gNtModule =
20 {
21  .Type = winModCore,
22  .Name = u"ntoskrnl.exe",
23  .Path = u"\\SystemRoot\\System32\\ntoskrnl.exe",
24  .RequiredFlags = INTRO_OPT_PROT_KM_NT,
25 };
26 
28 static const PROTECTED_MODULE_INFO gHalModule =
29 {
30  .Type = winModCore,
31  .Name = u"hal.dll",
32  .Path = u"\\SystemRoot\\System32\\hal.dll",
33  .RequiredFlags = INTRO_OPT_PROT_KM_HAL,
34 };
35 
37 static const PROTECTED_MODULE_INFO gCoreModules[] =
38 {
39  {
40  .Type = winModCore,
41  .Name = u"iastor.sys",
42  .Path = u"\\SystemRoot\\System32\\drivers\\iastor.sys",
43  .DriverObject = u"\\driver\\iastor",
44  .RequiredFlags = INTRO_OPT_PROT_KM_NT_DRIVERS,
45  },
46 
47  {
48  .Type = winModCore,
49  .Name = u"ndis.sys",
50  .Path = u"\\SystemRoot\\System32\\drivers\\ndis.sys",
51  .DriverObject = u"\\driver\\ndis",
52  .RequiredFlags = INTRO_OPT_PROT_KM_NT_DRIVERS,
53  },
54 
55  {
56  .Type = winModCore,
57  .Name = u"netio.sys",
58  .Path = u"\\SystemRoot\\System32\\drivers\\netio.sys",
59  .DriverObject = NULL,
60  .RequiredFlags = INTRO_OPT_PROT_KM_NT_DRIVERS,
61  },
62 
63  {
64  .Type = winModCore,
65  .Name = u"iastorV.sys",
66  .Path = u"\\SystemRoot\\System32\\drivers\\iastorV.sys",
67  .DriverObject = u"\\driver\\iastorv",
68  .RequiredFlags = INTRO_OPT_PROT_KM_NT_DRIVERS,
69  },
70 
71  {
72  .Type = winModCore,
73  .Name = u"iastorAV.sys",
74  .Path = u"\\SystemRoot\\System32\\drivers\\iastorAV.sys",
75  .DriverObject = u"\\driver\\iastorav",
76  .RequiredFlags = INTRO_OPT_PROT_KM_NT_DRIVERS,
77  },
78 
79  {
80  .Type = winModCore,
81  .Name = u"disk.sys",
82  .Path = u"\\SystemRoot\\System32\\drivers\\disk.sys",
83  .DriverObject = u"\\driver\\disk",
84  .RequiredFlags = INTRO_OPT_PROT_KM_NT_DRIVERS,
85  },
86 
87  {
88  .Type = winModCore,
89  .Name = u"atapi.sys",
90  .Path = u"\\SystemRoot\\System32\\drivers\\atapi.sys",
91  .DriverObject = u"\\driver\\atapi",
92  .RequiredFlags = INTRO_OPT_PROT_KM_NT_DRIVERS,
93  },
94 
95  {
96  .Type = winModCore,
97  .Name = u"storahci.sys",
98  .Path = u"\\SystemRoot\\System32\\drivers\\storahci.sys",
99  .DriverObject = u"\\driver\\storahci",
100  .RequiredFlags = INTRO_OPT_PROT_KM_NT_DRIVERS,
101  },
102 
103  {
104  .Type = winModCore,
105  .Name = u"ataport.sys",
106  .Path = u"\\SystemRoot\\System32\\drivers\\ataport.sys",
107  .DriverObject = NULL,
108  .RequiredFlags = INTRO_OPT_PROT_KM_NT_DRIVERS,
109  },
110 
111  {
112  .Type = winModCore,
113  .Name = u"ntfs.sys",
114  .Path = u"\\SystemRoot\\System32\\drivers\\ntfs.sys",
115  .DriverObject = u"\\filesystem\\ntfs",
116  .RequiredFlags = INTRO_OPT_PROT_KM_NT_DRIVERS,
117  },
118 
119  {
120  .Type = winModCore,
121  .Name = u"refs.sys",
122  .Path = u"\\SystemRoot\\System32\\drivers\\refs.sys",
123  .DriverObject = u"\\filesystem\\refs",
124  .RequiredFlags = INTRO_OPT_PROT_KM_NT_DRIVERS,
125  },
126 
127  {
128  .Type = winModCore,
129  .Name = u"tcpip.sys",
130  .Path = u"\\SystemRoot\\System32\\drivers\\tcpip.sys",
131  .DriverObject = u"\\driver\\tcpip",
132  .RequiredFlags = INTRO_OPT_PROT_KM_NT_DRIVERS,
133  },
134 
135  {
136  .Type = winModCore,
137  .Name = u"srv.sys",
138  .Path = u"\\SystemRoot\\System32\\drivers\\srv.sys",
139  .DriverObject = NULL, // \\filesystem\\srv
140  .RequiredFlags = INTRO_OPT_PROT_KM_NT_DRIVERS,
141  },
142 
143  {
144  .Type = winModCore,
145  .Name = u"srv2.sys",
146  .Path = u"\\SystemRoot\\System32\\drivers\\srv2.sys",
147  .DriverObject = NULL, // \\filesystem\\srv2
148  .RequiredFlags = INTRO_OPT_PROT_KM_NT_DRIVERS,
149  },
150 
151  {
152  .Type = winModCore,
153  .Name = u"srvnet.sys",
154  .Path = u"\\SystemRoot\\System32\\drivers\\srvnet.sys",
155  .DriverObject = NULL, // \\filesystem\\srvnet
156  .RequiredFlags = INTRO_OPT_PROT_KM_NT_DRIVERS,
157  },
158 
159  {
160  .Type = winModCore,
161  .Name = u"lxss.sys",
162  .Path = u"\\SystemRoot\\system32\\drivers\\lxss.sys",
163  .DriverObject = u"\\Driver\\lxss",
164  .RequiredFlags = INTRO_OPT_PROT_KM_NT_DRIVERS,
165  },
166 
167  {
168  .Type = winModCore,
169  .Name = u"lxcore.sys",
170  .Path = u"\\SystemRoot\\system32\\drivers\\LXCORE.SYS",
171  .DriverObject = NULL,
172  .RequiredFlags = INTRO_OPT_PROT_KM_NT_DRIVERS,
173  },
174 };
175 
177 static const PROTECTED_MODULE_INFO gAvModules[] =
178 {
179  {
180  .Type = winModAntivirus,
181  .Name = u"avc3.sys",
182  .Path = u"\\systemroot\\system32\\drivers\\avc3.sys",
183  .DriverObject = u"\\filesystem\\avc3",
184  .RequiredFlags = INTRO_OPT_PROT_KM_AV_DRIVERS,
185  },
186 
187  {
188  .Type = winModAntivirus,
189  .Name = u"avckf.sys",
190  .Path = u"\\systemroot\\system32\\drivers\\avckf.sys",
191  .DriverObject = u"\\filesystem\\avckf",
192  .RequiredFlags = INTRO_OPT_PROT_KM_AV_DRIVERS,
193  },
194 
195  {
196  .Type = winModAntivirus,
197  .Name = u"winguest.sys",
198  .Path = u"\\systemroot\\system32\\drivers\\winguest.sys",
199  .DriverObject = u"\\driver\\winguest",
200  .RequiredFlags = INTRO_OPT_PROT_KM_AV_DRIVERS,
201  },
202 
203  {
204  .Type = winModAntivirus,
205  .Name = u"trufos.sys",
206  .Path = u"\\systemroot\\system32\\drivers\\trufos.sys",
207  .DriverObject = u"\\filesystem\\trufos",
208  .RequiredFlags = INTRO_OPT_PROT_KM_AV_DRIVERS,
209  },
210 
211  {
212  .Type = winModAntivirus,
213  .Name = u"trufosalt.sys",
214  .Path = u"\\systemroot\\system32\\drivers\\trufosalt.sys",
215  .DriverObject = u"\\filesystem\\trufosalt",
216  .RequiredFlags = INTRO_OPT_PROT_KM_AV_DRIVERS,
217  },
218 
219  {
220  .Type = winModAntivirus,
221  .Name = u"gzflt.sys",
222  .Path = u"\\systemroot\\system32\\drivers\\gzflt.sys",
223  .DriverObject = u"\\filesystem\\gzflt",
224  .RequiredFlags = INTRO_OPT_PROT_KM_AV_DRIVERS,
225  },
226 
227  {
228  .Type = winModAntivirus,
229  .Name = u"bdvedisk.sys",
230  .Path = u"\\systemroot\\system32\\drivers\\bdvedisk.sys",
231  .DriverObject = u"\\driver\\bdvedisk",
232  .RequiredFlags = INTRO_OPT_PROT_KM_AV_DRIVERS,
233  },
234 
235  {
236  .Type = winModAntivirus,
237  .Name = u"bdsandbox.sys",
238  .Path = u"\\systemroot\\system32\\drivers\\bdsandbox.sys",
239  .DriverObject = u"\\filesystem\\BDSandBox",
240  .RequiredFlags = INTRO_OPT_PROT_KM_AV_DRIVERS,
241  },
242 
243  {
244  .Type = winModAntivirus,
245  .Name = u"bdfndisf6.sys",
246  .Path = u"\\systemroot\\system32\\drivers\\bdfndisf6.sys",
247  .DriverObject = u"\\driver\\BdfNdisf",
248  .RequiredFlags = INTRO_OPT_PROT_KM_AV_DRIVERS,
249  },
250 
251  {
252  .Type = winModAntivirus,
253  .Name = u"bdfwfpf.sys",
254  .Path = u"\\systemroot\\system32\\drivers\\bdfwfpf.sys",
255  .DriverObject = u"\\driver\\bdfwfpf",
256  .RequiredFlags = INTRO_OPT_PROT_KM_AV_DRIVERS,
257  },
258 
259  {
260  .Type = winModAntivirus,
261  .Name = u"bdelam.sys",
262  .Path = u"\\systemroot\\system32\\drivers\\bdelam.sys",
263  .DriverObject = u"\\driver\\bdelam",
264  .RequiredFlags = INTRO_OPT_PROT_KM_AV_DRIVERS,
265  },
266 
267  {
268  .Type = winModAntivirus,
269  .Name = u"bddci.sys",
270  .Path = u"\\systemroot\\system32\\drivers\\bddci.sys",
271  .DriverObject = u"\\driver\\bddci",
272  .RequiredFlags = INTRO_OPT_PROT_KM_AV_DRIVERS,
273  },
274 
275  {
276  .Type = winModAntivirus,
277  .Name = u"edrsensor.sys",
278  .Path = u"\\systemroot\\system32\\drivers\\edrsensor.sys",
279  .DriverObject = u"\\filesystem\\edrsensor",
280  .RequiredFlags = INTRO_OPT_PROT_KM_AV_DRIVERS,
281  },
282 
283  {
284  .Type = winModAntivirus,
285  .Name = u"ignis.sys",
286  .Path = u"\\systemroot\\system32\\drivers\\ignis.sys",
287  .DriverObject = u"\\driver\\ignis",
288  .RequiredFlags = INTRO_OPT_PROT_KM_AV_DRIVERS,
289  },
290 
291  {
292  .Type = winModAntivirus,
293  .Name = u"atc.sys",
294  .Path = u"\\systemroot\\system32\\drivers\\atc.sys",
295  .DriverObject = u"\\filesystem\\atc",
296  .RequiredFlags = INTRO_OPT_PROT_KM_AV_DRIVERS,
297  },
298 
299  {
300  .Type = winModAntivirus,
301  .Name = u"gemma.sys",
302  .Path = u"\\systemroot\\system32\\drivers\\gemma.sys",
303  .DriverObject = u"\\filesystem\\gemma",
304  .RequiredFlags = INTRO_OPT_PROT_KM_AV_DRIVERS,
305  },
306 };
307 
309 static const PROTECTED_MODULE_INFO gXenModules[] =
310 {
311  {
312  .Type = winModCitrix,
313  .Name = u"picadm.sys",
314  .Path = u"\\SystemRoot\\System32\\drivers\\picadm.sys",
315  .DriverObject = u"\\FileSystem\\picadm",
316  .RequiredFlags = INTRO_OPT_PROT_KM_XEN_DRIVERS,
317  },
318 
319  {
320  .Type = winModCitrix,
321  .Name = u"ctxad.sys",
322  .Path = u"\\SystemRoot\\System32\\drivers\\ctxad.sys",
323  .DriverObject = u"\\Driver\\ctxad",
324  .RequiredFlags = INTRO_OPT_PROT_KM_XEN_DRIVERS,
325  },
326 
327  {
328  .Type = winModCitrix,
329  .Name = u"ctxusbb.sys",
330  .Path = u"\\SystemRoot\\System32\\drivers\\ctxusbb.sys",
331  .DriverObject = u"\\Driver\\ctxusbb",
332  .RequiredFlags = INTRO_OPT_PROT_KM_XEN_DRIVERS,
333  },
334 
335  {
336  .Type = winModCitrix,
337  .Name = u"ctxsmcdrv.sys",
338  .Path = u"\\SystemRoot\\System32\\drivers\\ctxsmcdrv.sys",
339  .DriverObject = u"\\Driver\\ctxsmcdrv",
340  .RequiredFlags = INTRO_OPT_PROT_KM_XEN_DRIVERS,
341  },
342 
344  // bad bad bad // bad bad bad // bad bad bad
345  {
346  .Type = winModCitrix,
347  .Name = u"picapar.sys",
348  .Path = u"\\SystemRoot\\System32\\drivers\\picapar.sys",
349  .DriverObject = u"\\FileSystem\\picapar",
350  .RequiredFlags = INTRO_OPT_PROT_KM_XEN_DRIVERS,
351  },
353 
354  {
355  .Type = winModCitrix,
356  .Name = u"picaser.sys",
357  .Path = u"\\SystemRoot\\System32\\drivers\\picaser.sys",
358  .DriverObject = u"\\FileSystem\\picaser",
359  .RequiredFlags = INTRO_OPT_PROT_KM_XEN_DRIVERS,
360  },
361 
362  {
363  .Type = winModCitrix,
364  .Name = u"picakbm.sys",
365  .Path = u"\\SystemRoot\\System32\\drivers\\picakbm.sys",
366  .DriverObject = u"\\Driver\\picakbm",
367  .RequiredFlags = INTRO_OPT_PROT_KM_XEN_DRIVERS,
368  },
369 
370  {
371  .Type = winModCitrix,
372  .Name = u"picakbf.sys",
373  .Path = u"\\SystemRoot\\System32\\drivers\\picakbf.sys",
374  .DriverObject = u"\\Driver\\picakbf",
375  .RequiredFlags = INTRO_OPT_PROT_KM_XEN_DRIVERS,
376  },
377 
378  {
379  .Type = winModCitrix,
380  .Name = u"picamouf.sys",
381  .Path = u"\\SystemRoot\\System32\\drivers\\picamouf.sys",
382  .DriverObject = u"\\Driver\\picamouf",
383  .RequiredFlags = INTRO_OPT_PROT_KM_XEN_DRIVERS,
384  },
385 
386  {
387  .Type = winModCitrix,
388  .Name = u"picaTwComms.sys",
389  .Path = u"\\SystemRoot\\System32\\drivers\\picaTwComms.sys",
390  .DriverObject = NULL,
391  .RequiredFlags = INTRO_OPT_PROT_KM_XEN_DRIVERS,
392  },
393 
394  {
395  .Type = winModCitrix,
396  .Name = u"picavc.sys",
397  .Path = u"\\SystemRoot\\System32\\drivers\\picavc.sys",
398  .DriverObject = NULL,
399  .RequiredFlags = INTRO_OPT_PROT_KM_XEN_DRIVERS,
400  },
401 
402  {
403  .Type = winModCitrix,
404  .Name = u"picacdd2.sys",
405  .Path = u"\\SystemRoot\\System32\\drivers\\picacdd2.sys",
406  .DriverObject = NULL,
407  .RequiredFlags = INTRO_OPT_PROT_KM_XEN_DRIVERS,
408  },
409 
410  {
411  .Type = winModCitrix,
412  .Name = u"picadd.sys",
413  .Path = u"\\SystemRoot\\System32\\drivers\\picadd.sys",
414  .DriverObject = NULL,
415  .RequiredFlags = INTRO_OPT_PROT_KM_XEN_DRIVERS,
416  },
417 };
418 
419 _Success_(return != NULL)
420 static __forceinline const PROTECTED_MODULE_INFO *
421 IntWinDrvGetProtInfoByName(
422  _In_reads_(InfoSize) const PROTECTED_MODULE_INFO *Info,
423  _In_ size_t InfoSize,
424  _In_ const WCHAR *Name
425  )
435 {
436  for (size_t i = 0; i < InfoSize; i++)
437  {
438  if (!wstrcasecmp(Info[i].Name, Name))
439  {
440  return &Info[i];
441  }
442  }
443 
444  return NULL;
445 }
446 
447 
448 _Success_(return != NULL)
449 static __forceinline const PROTECTED_MODULE_INFO *
450 IntWinDrvObjGetProtInfoByName(
451  _In_reads_(InfoSize) const PROTECTED_MODULE_INFO *Info,
452  _In_ size_t InfoSize,
453  _In_ const WCHAR *Name
454  )
464 {
465  if (NULL == Name)
466  {
467  return NULL;
468  }
469 
470  for (size_t i = 0; i < InfoSize; i++)
471  {
472  if (NULL != Info[i].DriverObject && !wstrcasecmp(Info[i].DriverObject, Name))
473  {
474  return &Info[i];
475  }
476  }
477 
478  return NULL;
479 }
480 
481 
482 _Success_(return != NULL)
483 const PROTECTED_MODULE_INFO *
484 IntWinDrvIsProtected(
485  _In_ const KERNEL_DRIVER *Driver
486  )
494 {
495  static const struct
496  {
497  const PROTECTED_MODULE_INFO *Info;
498  size_t Size;
499  QWORD RequiredProtection;
500  } pms[] =
501  {
502  { .Info = &gNtModule, .Size = 1, .RequiredProtection = INTRO_OPT_PROT_KM_NT },
503  { .Info = &gHalModule, .Size = 1, .RequiredProtection = INTRO_OPT_PROT_KM_HAL },
504  { .Info = gCoreModules, .Size = ARRAYSIZE(gCoreModules),.RequiredProtection = INTRO_OPT_PROT_KM_NT_DRIVERS },
505  { .Info = gAvModules, .Size = ARRAYSIZE(gAvModules), .RequiredProtection = INTRO_OPT_PROT_KM_AV_DRIVERS },
506  { .Info = gXenModules, .Size = ARRAYSIZE(gXenModules), .RequiredProtection = INTRO_OPT_PROT_KM_XEN_DRIVERS },
507  };
508 
509  if (NULL == Driver)
510  {
511  return NULL;
512  }
513 
514  for (size_t i = 0; i < ARRAYSIZE(pms); i++)
515  {
516  const PROTECTED_MODULE_INFO *pm;
517 
518  if (0 == (gGuest.CoreOptions.Current & pms[i].RequiredProtection))
519  {
520  continue;
521  }
522 
523  pm = IntWinDrvGetProtInfoByName(pms[i].Info, pms[i].Size, Driver->Name);
524  if (NULL != pm)
525  {
526  return pm;
527  }
528  }
529 
530  return NULL;
531 }
532 
533 
534 _Success_(return != NULL)
535 const PROTECTED_MODULE_INFO *
536 IntWinDrvObjIsProtected(
537  _In_ const WIN_DRIVER_OBJECT *Driver
538  )
546 {
547  static const struct
548  {
549  const PROTECTED_MODULE_INFO *Info;
550  size_t Size;
551  } pms[] =
552  {
553  { .Info = gCoreModules, .Size = ARRAYSIZE(gCoreModules) },
554  { .Info = gAvModules, .Size = ARRAYSIZE(gAvModules) },
555  { .Info = gXenModules, .Size = ARRAYSIZE(gXenModules) }
556  };
557 
558  if (NULL == Driver || 0 == (gGuest.CoreOptions.Current & INTRO_OPT_PROT_KM_DRVOBJ))
559  {
560  return NULL;
561  }
562 
563  for (size_t i = 0; i < ARRAYSIZE(pms); i++)
564  {
565  const PROTECTED_MODULE_INFO *pm = IntWinDrvObjGetProtInfoByName(pms[i].Info, pms[i].Size, Driver->Name);
566  if (NULL != pm)
567  {
568  return pm;
569  }
570  }
571 
572  return NULL;
573 }
574 
575 
576 BOOLEAN
577 IntWinDrvHasDriverObject(
578  _In_ const KERNEL_DRIVER *Driver
579  )
587 {
588  const PROTECTED_MODULE_INFO *pm = IntWinDrvIsProtected(Driver);
589 
590  return NULL != pm && NULL != pm->DriverObject;
591 }
592 
593 
594 BOOLEAN
595 IntWinDrvIsProtectedAv(
596  _In_ const WCHAR *Driver
597  )
605 {
606  return NULL != Driver && NULL != IntWinDrvGetProtInfoByName(gAvModules, ARRAYSIZE(gAvModules), Driver);
607 }
608 
609 
610 BOOLEAN
611 IntWinDrvObjIsProtectedAv(
612  _In_ const WCHAR *DrvObj
613  )
621 {
622  return NULL != DrvObj && NULL != IntWinDrvObjGetProtInfoByName(gAvModules, ARRAYSIZE(gAvModules), DrvObj);
623 }
624 
BOOLEAN
_Bool BOOLEAN
Definition: intro_types.h:58
INTRO_OPT_PROT_KM_DRVOBJ
#define INTRO_OPT_PROT_KM_DRVOBJ
Enable driver object & fast I/O dispatch protection.
Definition: intro_types.h:425
gAvModules
static const PROTECTED_MODULE_INFO gAvModules[]
Describe protection information for antivirus Kernel modules.
Definition: windrv_protected.c:177
_PROTECTED_MODULE_INFO::Type
PROTECTED_MODULE_TYPE Type
The type of the module.
Definition: winguest.h:128
INTRO_OPT_PROT_KM_AV_DRIVERS
#define INTRO_OPT_PROT_KM_AV_DRIVERS
Enable AV drivers protection (Windows only).
Definition: intro_types.h:422
gNtModule
static const PROTECTED_MODULE_INFO gNtModule
Describe protection information for the NT Kernel.
Definition: windrv_protected.c:19
_In_
#define _In_
Definition: intro_sal.h:21
INTRO_OPT_PROT_KM_NT
#define INTRO_OPT_PROT_KM_NT
Enable kernel image protection (Windows only).
Definition: intro_types.h:408
_Success_
#define _Success_(expr)
Definition: intro_sal.h:47
windrv_protected.h
Exposes the types, constants and functions used to describe protected Windows Kernel modules and driv...
ARRAYSIZE
#define ARRAYSIZE(A)
Definition: introdefs.h:101
_In_reads_
#define _In_reads_(expr)
Definition: intro_sal.h:27
INTRO_OPT_PROT_KM_HAL
#define INTRO_OPT_PROT_KM_HAL
Enable HAL protection (Windows only).
Definition: intro_types.h:410
gCoreModules
static const PROTECTED_MODULE_INFO gCoreModules[]
Describe protection information for the core Kernel modules.
Definition: windrv_protected.c:37
_KERNEL_DRIVER
Describes a kernel driver.
Definition: drivers.h:30
IntWinDrvHasDriverObject
BOOLEAN IntWinDrvHasDriverObject(const KERNEL_DRIVER *Driver)
Check wether a kernel driver has a driver object that we care to protect.
Definition: windrv_protected.c:577
winModAntivirus
Antivirus modules.
Definition: winguest.h:119
IntWinDrvObjIsProtected
const PROTECTED_MODULE_INFO * IntWinDrvObjIsProtected(const WIN_DRIVER_OBJECT *Driver)
Get the protected module information for a kernel driver object.
Definition: windrv_protected.c:536
_WIN_DRIVER_OBJECT
Holds information about a driver object.
Definition: windrvobj.h:13
gXenModules
static const PROTECTED_MODULE_INFO gXenModules[]
Describe protection information for XEN Kernel modules.
Definition: windrv_protected.c:309
QWORD
unsigned long long QWORD
Definition: intro_types.h:53
_INTRO_PROT_OPTIONS::Current
QWORD Current
The currently used options.
Definition: guests.h:236
winModCitrix
Xen-specific Citrix modules.
Definition: winguest.h:120
_PROTECTED_MODULE_INFO::DriverObject
const WCHAR * DriverObject
The driver object that must be protected when protecting this module.
Definition: winguest.h:134
IntWinDrvIsProtectedAv
BOOLEAN IntWinDrvIsProtectedAv(const WCHAR *Driver)
Check wether a kernel driver is a known and protected antivirus.
Definition: windrv_protected.c:595
__forceinline
#define __forceinline
Definition: introtypes.h:61
WCHAR
uint16_t WCHAR
Definition: intro_types.h:63
IntWinDrvObjIsProtectedAv
BOOLEAN IntWinDrvObjIsProtectedAv(const WCHAR *DrvObj)
Checks if a driver object belongs to a known and protected antivirus.
Definition: windrv_protected.c:611
IntWinDrvObjGetProtInfoByName
static const PROTECTED_MODULE_INFO * IntWinDrvObjGetProtInfoByName(const PROTECTED_MODULE_INFO *Info, size_t InfoSize, const WCHAR *Name)
Perform a search for a driver object by name in an array of protected kernel modules.
Definition: windrv_protected.c:450
INTRO_OPT_PROT_KM_XEN_DRIVERS
#define INTRO_OPT_PROT_KM_XEN_DRIVERS
Definition: intro_types.h:423
gGuest
GUEST_STATE gGuest
The current guest state.
Definition: guests.c:50
_PROTECTED_MODULE_INFO
Encapsulates a protected Windows kernel module.
Definition: winguest.h:126
wstrcasecmp
int wstrcasecmp(const WCHAR *buf1, const WCHAR *buf2)
Definition: introcrt.c:98
gHalModule
static const PROTECTED_MODULE_INFO gHalModule
Describe protection information for HAL.
Definition: windrv_protected.c:28
IntWinDrvGetProtInfoByName
static const PROTECTED_MODULE_INFO * IntWinDrvGetProtInfoByName(const PROTECTED_MODULE_INFO *Info, size_t InfoSize, const WCHAR *Name)
Perform a search for a driver by name in an array of protected kernel modules.
Definition: windrv_protected.c:421
winModCore
Core Windows kernel modules.
Definition: winguest.h:118
IntWinDrvIsProtected
const PROTECTED_MODULE_INFO * IntWinDrvIsProtected(const KERNEL_DRIVER *Driver)
Get the protected module information for a kernel driver.
Definition: windrv_protected.c:484
INTRO_OPT_PROT_KM_NT_DRIVERS
#define INTRO_OPT_PROT_KM_NT_DRIVERS
Enable core NT drivers protection (Windows only).
Definition: intro_types.h:419
_GUEST_STATE::CoreOptions
INTRO_PROT_OPTIONS CoreOptions
The activation and protection options for this guest.
Definition: guests.h:271