15 #define IMAGE_BASE_NAME_LEN 16u 18 #define IMAGE_FULL_PATH_LEN 260u 21 #define PROT_PROC_FLAG_NO_PATH 0x00000001 131 const WCHAR *DriverObject;
740 #define WIN_KM_FIELD(Structure, Field) gWinGuest->OsSpecificFields.Km.Structure[winKmField##Structure##Field] 758 #define WIN_SYSCALL_NUMBER(Syscall) WIN_KM_FIELD(SyscallNumbers, Syscall) 778 #define WIN_UM_FIELD(Structure, Field) gWinGuest->OsSpecificFields.Um.Structure[winUmField##Structure##Field] 902 #endif // _WINGUEST_H_
enum _WIN_KM_FIELD_EPROCESSFLAGS WIN_KM_FIELD_EPROCESSFLAGS
Indexes in the WIN_OPAQUE_FIELDS.Km.EprocessFlags array, containing information about the flags insid...
_WIN_KM_FIELD_VAD_SHORT
Indexes in the WIN_OPAQUE_FIELDS.Km.VadShort array, containing information about the _MMVAD_SHORT str...
The relevant size of the _TEB for 64-bit processes.
Offset of Tcb.ApcState.Process.
Offset of Wow64Process (only for 64-bit guests).
Used for the WIN_OPAQUE_FIELDS.Um.Peb array.
enum _WIN_UM_FIELD_PEB WIN_UM_FIELD_PEB
Indexes in the WIN_OPAQUE_FIELDS.Um.Peb array, containing offsets inside the _PEB structure...
QWORD MmPfnDatabase
Guest virtual address of the PFN database.
PROTECTED_MODULE_TYPE Type
The type of the module.
QWORD PropperSyscallGva
Guest virtual address of the KiSystemServiceUser function.
DWORD Original
The original protection flags as received from GLUE_IFACE.AddRemoveProtectedProcessUtf16 or GLUE_IFAC...
QWORD FileSystemDirectory
Guest virtual address of the FileSystem namespace directory.
The NtWriteSyscallMemory syscall number.
The minimum offset of Type inside HalInterruptController.
QWORD RequiredFlags
The introcore options that need to be active in order to protect this module.
Offset of PteAddress (or PteLong).
QWORD SyscallAddress
Guest virtual address of the SYSCALL/SYSENTER handler.
QWORD Context
The context supplied in the protection policy.
Offset of PrcbData.CurrentThread.
Used for the WIN_OPAQUE_FIELDS.Um.Dll array.
Offset of Win32StartAddress.
Used for the WIN_OPAQUE_FIELDS.Km.VadLong array.
struct _WIN_UNEXPORTED_FUNCTION_PATTERN * PWIN_UNEXPORTED_FUNCTION_PATTERN
Information not yet loaded.
_WIN_KM_FIELD_SYSCALL_NUMBERS
Indexes in the WIN_OPAQUE_FIELDS.Km.SyscallNumbers array, containing syscall numbers. The WIN_SYSCALL_NUMBER or WIN_KM_FIELD macros can be used to access these more easily.
The product type is unknown.
_WIN_KM_FIELD_MMPFN
Indexes in the WIN_OPAQUE_FIELDS.Km.Mmpfn array, containing information about the _MMPFN structure...
struct _PROTECTED_PROCESS_INFO * PPROTECTED_PROCESS_INFO
The size of the _FAST_IO_DISPATCH structure.
_WIN_UM_FIELD_TEB
Indexes in the WIN_OPAQUE_FIELDS.Um.Teb array, containing offsets inside the _TEB structure...
enum _WIN_KM_FIELD_VAD_LONG WIN_KM_FIELD_VAD_LONG
Indexes in the WIN_OPAQUE_FIELDS.Km.VadLong array, containing information about the _MMVAD_LONG struc...
QWORD ExFreePoolWithTag
Guest virtual address of the ExFreePoolWithTag kernel function.
enum _WIN_UM_FIELD_DLL WIN_UM_FIELD_DLL
Indexes in the WIN_OPAQUE_FIELDS.Um.Dll array, containing offsets inside the _LDR_DATA_TABLE_ENTRY st...
LIST_ENTRY Link
Link inside the WINDOWS_GUEST.InitSwapHandles list.
Mask for Exiting from _EPROCESS.Flags.
struct _PROTECTED_PROCESS_INFO PROTECTED_PROCESS_INFO
Encapsulates a protected Windows process.
Offset of Pcb.UserDirectoryTableBase if it exists, DirectoryTableBase if not.
WIN_PRODUCT_TYPE ProductType
The product type. Obtained directly from the guest during initialization.
enum _WIN_KM_FIELD_VADFLAGS WIN_KM_FIELD_VADFLAGS
Indexes in the WIN_OPAQUE_FIELDS.Km.VadFlags array, containing information about the bits in the winK...
struct _WINDOWS_GUEST WINDOWS_GUEST
Holds information about a Windows guest.
DWORD Current
The currently used protection flags.
enum _WIN_KM_FIELD_PCR WIN_KM_FIELD_PCR
Indexes in the WIN_OPAQUE_FIELDS.Km.Pcr array, containing information about the _KPCR structure...
QWORD Feedback
Flags that will be forced to feedback only mode.
The offset relative to the EtwDebuggerData structure at which the ETW signature is found...
enum _WIN_KM_FIELD_SYSCALL_NUMBERS WIN_KM_FIELD_SYSCALL_NUMBERS
Indexes in the WIN_OPAQUE_FIELDS.Km.SyscallNumbers array, containing syscall numbers. The WIN_SYSCALL_NUMBER or WIN_KM_FIELD macros can be used to access these more easily.
int INTSTATUS
The status data type.
Offset of PteAddress (or PteLong) when PAE is enabled.
Offset of ControlArea in _SUBSECTION.
Used for the WIN_OPAQUE_FIELDS.Km.Mmpfn array.
Offset of ClientSecurity.
PROTECTED_MODULE_TYPE
Protected kernel module types.
DWORD NumberOfServices
The number of entries in the SSDT.
Used for the WIN_OPAQUE_FIELDS.Km.VadFlags array.
Offset of MitigationFlags if it exists (>= RS3).
Used for the WIN_OPAQUE_FIELDS.Km.EprocessFlags array.
Used for the WIN_OPAQUE_FIELDS.Km.Pcr array.
Offset of GetCpuClock in _WMI_LOGGER_CONTEXT.
DWORD Flags
Flags that describe the protection mode.
QWORD ExAllocatePoolWithTag
Guest virtual address of the ExAllocatePoolWithTag kernel function.
PCHAR ServerVersionString
A NULL-terminated string containing Windows server version information.
struct _WIN_MODULE_UNIQUE_KEY WIN_MODULE_UNIQUE_KEY
Information that can identify a module.
#define IMAGE_BASE_NAME_LEN
The maximum length of a process name.
Mask for Delete from _EPROCESS.Flags.
_WIN_KM_FIELD_DRVOBJ
Indexes in the WIN_OPAQUE_FIELDS.Km.DrvObj array, containing information about the _DRIVER_OBJECT str...
struct _WIN_OPAQUE_FIELDS WIN_OPAQUE_FIELDS
Contains information about various Windows user mode and kernel mode structures. Everything about a st...
The minimum size that must be read from the guest in order to properly parse a _MMVAD_SHORT structure...
_WIN_UM_FIELD_PEB
Indexes in the WIN_OPAQUE_FIELDS.Um.Peb array, containing offsets inside the _PEB structure...
Describes a pattern for a kernel function that is not exported.
_WIN_KM_FIELD_UNGROUPED
Indexes in the WIN_OPAQUE_FIELDS.Km.Ungrouped array, containing information about various kernel stru...
Used for the WIN_OPAQUE_FIELDS.Km.Token array.
_WIN_KM_FIELD_VAD_LONG
Indexes in the WIN_OPAQUE_FIELDS.Km.VadLong array, containing information about the _MMVAD_LONG struc...
The mask that must be applied for the private fix-up setting.
Encapsulates a protected Windows process.
INTSTATUS IntWinGuestNew(void)
Starts the initialization and protection process for a new Windows guest.
Offset of Prcb inside KPCR.
_WIN_KM_FIELD_PROCESS
Indexes in the WIN_OPAQUE_FIELDS.Km.Process array, containing offsets inside the _EPROCESS structure...
Offset of ActiveProcessLinks.
enum _WIN_KM_FIELD_FILE_OBJECT WIN_KM_FIELD_FILE_OBJECT
Indexes in the WIN_OPAQUE_FIELDS.Km.FileObject array, containing information about the _FILE_OBJECT s...
QWORD PsCreateSystemThread
Guest virtual address of the PsCreateSystemThread kernel function.
The offset of the SizeOfImage field for 64-bit modules.
QWORD HalpInterruptControllerGva
Guest virtual address of the HalpInterruptController (owned by hal.dll).
enum _WIN_KM_FIELD_VAD_SHORT WIN_KM_FIELD_VAD_SHORT
Indexes in the WIN_OPAQUE_FIELDS.Km.VadShort array, containing information about the _MMVAD_SHORT str...
Mask for Flag3Crashed from _EPROCESS.Flags.
_WIN_KM_FIELD_EPROCESSFLAGS
Indexes in the WIN_OPAQUE_FIELDS.Km.EprocessFlags array, containing information about the flags insid...
The object was detected after it was created.
Offset of u3.ReferenceCount when PAE is enabled.
Offset of InterruptControllerType.
Offset of RestrictedSidCount.
#define _Field_size_(expr)
enum _WIN_KM_FIELD_UNGROUPED WIN_KM_FIELD_UNGROUPED
Indexes in the WIN_OPAQUE_FIELDS.Km.Ungrouped array, containing information about various kernel stru...
DWORD Size
The size of the read.
INTSTATUS IntWinGetVersionString(DWORD FullStringSize, DWORD VersionStringSize, CHAR *FullString, CHAR *VersionString)
Gets the version string for a Windows guest.
struct _WIN_INIT_SWAP WIN_INIT_SWAP
The initialization swap handle.
enum _WIN_KM_FIELD_DRVOBJ WIN_KM_FIELD_DRVOBJ
Indexes in the WIN_OPAQUE_FIELDS.Km.DrvObj array, containing information about the _DRIVER_OBJECT str...
The offset at which spare space is found inside the structure.
QWORD PsActiveProcessHead
Guest virtual address of the PsActiveProcessHead kernel variable.
DWORD TimeDateStamp
The time date stamp of the image, as taken from the MZPE headers.
QWORD PsLoadedModuleList
Guest virtual address of the PsLoadedModuleList kernel variable.
Used for the WIN_OPAQUE_FIELDS.Km.Process array.
struct _PROTECTED_PROCESS_INFO::@211 Protection
The protection flags used for this process.
WIN_PRODUCT_TYPE
The type of the Windows OS.
struct _WIN_OPAQUE_FIELDS * PWIN_OPAQUE_FIELDS
LIST_ENTRY Link
Entry inside the gWinProtectedProcesses list.
INTSTATUS IntWinGuestInit(void)
Initializes a new Windows guest.
enum _WIN_UM_STRUCTURE WIN_UM_STRUCTURE
Structure tags used for the user mode structures. Each of these refers to a WIN_OPAQUE_FIELDS.Um field.
CHAR ImageBaseNamePattern[IMAGE_BASE_NAME_LEN]
Process name pattern.
struct _PROTECTED_MODULE_INFO PROTECTED_MODULE_INFO
Encapsulates a protected Windows kernel module.
Offset of FastIoDispatch.
QWORD Beta
Flags that were forced to beta (log-only) mode.
_WIN_KM_FIELD_PCR
Indexes in the WIN_OPAQUE_FIELDS.Km.Pcr array, containing information about the _KPCR structure...
The relevant size of the _PEB for 64-bit processes.
QWORD Ssdt
Guest virtual address of the SSDT structure inside the kernel.
enum _WIN_KM_FIELD_POOLDESCRIPTOR WIN_KM_FIELD_POOLDESCRIPTOR
Indexes in the WIN_OPAQUE_FIELDS.Km.PoolDescriptor array, containing information about the _POOL_DESC...
Offset of InheritedFromUniqueProcessId.
The minimum size that must be read from the guest in order to properly parse winKmFieldVadShortFlags...
Information that can identify a module.
_WIN_KM_FIELD_VADFLAGS
Indexes in the WIN_OPAQUE_FIELDS.Km.VadFlags array, containing information about the bits in the winK...
WIN_OPAQUE_FIELDS OsSpecificFields
OS-dependent and specific information (variables, offsets, etc).
Offset of Tcb.KernelStack.
Offset of Tcb.ThreadListEntry (not the one found directly in the _ETHREAD).
Used for the WIN_OPAQUE_FIELDS.Km.Thread array.
struct _WINDOWS_GUEST * PWINDOWS_GUEST
Xen-specific Citrix modules.
Offset of Tcb.WaitReason.
QWORD VirtualAddress
The guest virtual address that will be read.
_WIN_UM_FIELD_DLL
Indexes in the WIN_OPAQUE_FIELDS.Um.Dll array, containing offsets inside the _LDR_DATA_TABLE_ENTRY st...
PWCHAR FullPathPattern
Full application path pattern.
struct _WIN_UNEXPORTED_FUNCTION_PATTERN WIN_UNEXPORTED_FUNCTION_PATTERN
Describes a pattern for a kernel function that is not exported.
Describes a function that is not exported.
The size of the _MMPFN structure when PAE is enabled.
enum _WIN_KM_FIELD_PROCESS WIN_KM_FIELD_PROCESS
Indexes in the WIN_OPAQUE_FIELDS.Km.Process array, containing offsets inside the _EPROCESS structure...
_WIN_KM_FIELD_POOLDESCRIPTOR
Indexes in the WIN_OPAQUE_FIELDS.Km.PoolDescriptor array, containing information about the _POOL_DESC...
The offset of the ESP in the winUmFieldTebWow64SaveArea.
enum _WIN_KM_FIELD_THREAD WIN_KM_FIELD_THREAD
Indexes in the WIN_OPAQUE_FIELDS.Km.Thread array, containing offsets inside the _ETHREAD structure...
DWORD KernelBufferSize
The size of the KernelBuffer.
Used for the WIN_OPAQUE_FIELDS.Km.DrvObj array.
Used for the WIN_OPAQUE_FIELDS.Km.Ungrouped array.
void IntWinGuestUninit(void)
Uninitializes a Windows guest.
Holds information about a Windows guest.
Offset of UniqueProcessId.
Mask for VmDeleted from _EPROCESS.Flags.
_WIN_KM_STRUCTURE
Structure tags used for the kernel mode structures. Each of these refers to a WIN_OPAQUE_FIELDS.Km field.
enum _WIN_KM_STRUCTURE WIN_KM_STRUCTURE
Structure tags used for the kernel mode structures. Each of these refers to a WIN_OPAQUE_FIELDS.Km field.
Offset of Tcb.StackLimit.
The offset of the restored RSP value taken from RBP, which serves as a fake trapframe on Zw* calls on...
Describes the arguments passed by an in-guest detour handler to introcore.
Used for the WIN_OPAQUE_FIELDS.Km.PoolDescriptor array.
struct _PROTECTED_MODULE_INFO * PPROTECTED_MODULE_INFO
Offset of Cid.UniqueThread.
PATTERN_SIGNATURE Signature
The pattern signature.
QWORD KeServiceDescriptorTable
Guest virtual address of the KeServiceDescriptorTable variable.
QWORD ObpRootDirectoryObject
Guest virtual address of the ObpRootDirectoryObject.
Used for the WIN_OPAQUE_FIELDS.Km.VadShort array.
Offset of UserAndGroupCount.
DWORD PatternsCount
The number of entries in the Patterns array.
Encapsulates a protected Windows kernel module.
Offset of FilePointer in _CONTROL_AREA.
_WIN_KM_FIELD_THREAD
Indexes in the WIN_OPAQUE_FIELDS.Km.Thread array, containing offsets inside the _ETHREAD structure...
DWORD NameHash
Crc32 checksum of the function name.
LIST_HEAD InitSwapHandles
A list of swap handles used to read KernelBuffer.
DWORD RemainingSections
The number of kernel sections not yet read into KernelBuffer.
Offset of u3.ReferenceCount.
_WIN_KM_FIELD_FILE_OBJECT
Indexes in the WIN_OPAQUE_FIELDS.Km.FileObject array, containing information about the _FILE_OBJECT s...
The initialization swap handle.
The size of the _DRIVER_OBJECT structure.
The offset of the FullDllName field for 64-bit modules.
QWORD DriverDirectory
Guest virtual address of the Driver namespace directory.
enum _WIN_UM_FIELD_TEB WIN_UM_FIELD_TEB
Indexes in the WIN_OPAQUE_FIELDS.Um.Teb array, containing offsets inside the _TEB structure...
The size of the allocation that precedes a driver object, excluding the POOL_HEADER (0x8/0x10 bytes)...
_WIN_KM_FIELD_TOKEN
Indexes in the WIN_OPAQUE_FIELDS.Km.Token array, containing information about the _TOKEN structure...
Mask for NoDebugInherit from _EPROCESS.Flags.
void IntWinGuestCancelKernelRead(void)
Cancels the kernel read.
BYTE * KernelBuffer
A buffer containing the entire kernel image.
The object was detected when it was created.
The size of the _MMPFN structure.
Core Windows kernel modules.
The maximum offset of Type inside HalInterruptController.
Offset of FileName.Buffer.
The offset of the SizeOfImage field for 64-bit modules.
DWORD NtBuildNumberValue
The value of the NtBuildNumber kernel variable.
Describes a signature that can be used for searching or matching guest contents.
struct _WIN_MODULE_UNIQUE_KEY PWIN_MODULE_UNIQUE_KEY
_WIN_UM_STRUCTURE
Structure tags used for the user mode structures. Each of these refers to a WIN_OPAQUE_FIELDS.Um field.
struct _WIN_INIT_SWAP * PWIN_INIT_SWAP
enum _WIN_KM_FIELD_MMPFN WIN_KM_FIELD_MMPFN
Indexes in the WIN_OPAQUE_FIELDS.Km.Mmpfn array, containing information about the _MMPFN structure...
The offset of the DllBase field for 32-bit modules.
PWCHAR FullNamePattern
Full application name pattern.
const WCHAR * Name
The name of the module.
void * SwapHandle
The actual swap handle returned by IntSwapMemRead.
Offset of TableCode in _HANDLE_TABLE.
Used for the WIN_OPAQUE_FIELDS.Km.SyscallNumbers array.
Offset of MitigationFlags2 if it exists (>= RS3).
The NtProtectVirtualMemory syscall number.
Mask for HasAddrSpace from _EPROCESS.Flags.
DWORD ImageSize
The size of image, as taken from the MZPE headers.
The offset of the DllBase field for 64-bit modules.
enum _WIN_KM_FIELD_TOKEN WIN_KM_FIELD_TOKEN
Indexes in the WIN_OPAQUE_FIELDS.Km.Token array, containing information about the _TOKEN structure...
struct _GUEST_STATE * PGUEST_STATE
OBJ_DISCOVERY_TYPE
Describes the mode in which a kernel object was found.
Offset of SectionBaseAddress.
Offset of Pcb.ThreadListHead.
Contains information about various Windows user mode and kernel mode structures. Everything about a st...
Offset of PrcbData.UserTime.