- Generated by
1.8.13
|
Bitdefender Hypervisor Memory Introspection
|
Go to the source code of this file.
Data Structures | |
| struct | _IMAGE_DOS_HEADER |
| struct | _IMAGE_FILE_HEADER |
| struct | _IMAGE_SECTION_HEADER |
| struct | _IMAGE_DATA_DIRECTORY |
| struct | _IMAGE_RESOURCE_DATA_ENTRY |
| struct | _IMAGE_RESOURCE_DIRECTORY_ENTRY |
| struct | _IMAGE_OPTIONAL_HEADER |
| struct | _IMAGE_OPTIONAL_HEADER64 |
| struct | _IMAGE_NT_HEADERS64 |
| struct | _IMAGE_NT_HEADERS |
| struct | _IMAGE_IMPORT_DESCRIPTOR |
| struct | _IMAGE_IMPORT_BY_NAME |
| struct | _IMAGE_THUNK_DATA64 |
| struct | _IMAGE_THUNK_DATA32 |
| struct | _IMAGE_BASE_RELOCATION |
| struct | _IMAGE_EXPORT_DIRECTORY |
| struct | _IMAGE_RESOURCE_DIRECTORY |
| struct | _IMAGE_BOUND_IMPORT_DESCRIPTOR |
| struct | _RUNTIME_FUNCTION |
| struct | _UNWIND_INFO |
| struct | _INTRO_UNWIND_INFO |
| struct | _INTRO_PE_INFO |
Functions | |
| INTSTATUS | IntPeGetRuntimeFunction (QWORD ImageBase, BYTE *ImageBaseBuffer, DWORD Rva, RUNTIME_FUNCTION *RuntimeFunction) |
| Parses the exception directory and gets the runtime function corresponding to the Rva. More... | |
| INTSTATUS | IntPeGetRuntimeFunctionInBuffer (QWORD ImageBase, BYTE *Buffer, DWORD BufferSize, DWORD Rva, RUNTIME_FUNCTION *RuntimeFunction) |
| Parses the exception directory and gets the runtime function corresponding to the Rva. More... | |
| INTSTATUS | IntPeParseUnwindData (QWORD ImageBase, BYTE *ImageBaseBuffer, RUNTIME_FUNCTION *RuntimeFunction, DWORD RipOffset, DWORD *ReservedStack, DWORD *BeginAddress, BOOLEAN *InterruptFunction, BOOLEAN *ExceptionFunction, BOOLEAN *HasFramePointer) |
| Parse the unwind data for the indicated function and return the prologue size. More... | |
| INTSTATUS | IntPeParseUnwindDataInBuffer (QWORD ImageBase, BYTE *Buffer, DWORD BufferSize, RUNTIME_FUNCTION *RuntimeFunction, DWORD RipOffset, DWORD *ReservedStack, DWORD *BeginAddress, BOOLEAN *InterruptFunction, BOOLEAN *ExceptionFunction, BOOLEAN *HasFramePointer) |
| Parse the unwind data for the indicated function and return the prologue size. More... | |
| INTSTATUS | IntPeFindFunctionStartInBuffer (QWORD ImageBase, BYTE *Buffer, DWORD BufferSize, DWORD Rva, DWORD *BeginAddress) |
| Find the start address of a function, given a Rva pointing inside of it. More... | |
| INTSTATUS | IntPeFindExportByNameInBuffer (QWORD ImageBase, BYTE *Buffer, DWORD BufferSize, const char *Name, DWORD *ExportRva) |
| Find the export name a Rva lies in. More... | |
| INTSTATUS | IntPeFindKernelExport (const char *Name, QWORD *ExportGva) |
| Find an export inside the NT kernel image. More... | |
| INTSTATUS | IntPeFindExportByName (QWORD ImageBase, BYTE *ImageBaseBuffer, CHAR *Name, DWORD *ExportRva) |
| Find the export name a Rva lies in. More... | |
| INTSTATUS | IntPeFindExportByOrdinal (QWORD ImageBase, BYTE *ImageBaseBuffer, DWORD Ordinal, DWORD *ExportRva) |
| Find an exported function using its ordinal. More... | |
| INTSTATUS | IntPeGetExportNameByRva (QWORD ImageBase, BYTE *ImageBaseBuffer, DWORD Rva, DWORD ExportNameSize, CHAR *ExportName) |
| Find the export name a Rva lies in. More... | |
| INTSTATUS | IntPeGetExportNameByRvaInBuffer (QWORD ImageBase, BYTE *Buffer, DWORD BufferSize, DWORD Rva, DWORD ExportNameSize, CHAR *ExportName) |
| Find the export name a Rva lies in. More... | |
| INTSTATUS | IntPeFindExportByRvaInBuffer (QWORD ImageBase, BYTE *Buffer, DWORD BufferSize, DWORD Rva) |
| Check if the indicated Rva belongs to an exported function. More... | |
| INTSTATUS | IntPeFindExportByRva (QWORD ImageBase, BYTE *ImageBaseBuffer, DWORD Rva) |
| Check if a RVA lies inside an exported function. More... | |
| INTSTATUS | IntPeFindFunctionStart (QWORD ImageBase, BYTE *ImageBaseBuffer, DWORD Rva, DWORD *BeginAddress) |
| Find the start address of a function, given a Rva pointing inside of it. More... | |
| INTSTATUS | IntPeGetSectionHeaderByRva (QWORD ImageBase, BYTE *ImageBaseBuffer, DWORD GuestRva, IMAGE_SECTION_HEADER *SectionHeader) |
| Given a relative virtual address, return the section header which describes the section the RVA lies in. More... | |
| INTSTATUS | IntPeGetSectionHeaderByIndex (QWORD ImageBase, BYTE *ImageBaseBuffer, DWORD Index, IMAGE_SECTION_HEADER *SectionHeader) |
| Return the section header located on position Index (0 based). More... | |
| INTSTATUS | IntPeGetSectionHeadersByName (QWORD ImageBase, BYTE *ImageBaseBuffer, PCHAR Name, DWORD NumberOfSectionHeadersAllocated, QWORD Cr3, IMAGE_SECTION_HEADER *SectionHeaders, DWORD *NumberOfSectionHeadersFilled) |
| Return all the section headers matching the indicated Name. More... | |
| INTSTATUS | IntPeGetDirectory (QWORD ImageBase, BYTE *ImageBaseBuffer, DWORD DirectoryEntry, IMAGE_DATA_DIRECTORY *Directory) |
| Validate & return the indicated image data directory. More... | |
| INTSTATUS | IntPeValidateHeader (QWORD ImageBase, BYTE *ImageBaseBuffer, DWORD ImageBaseBufferSize, INTRO_PE_INFO *PeInfo, QWORD Cr3) |
| Validates a PE header. More... | |
| INTSTATUS | IntPeListSectionsHeaders (QWORD ImageBase, BYTE *ImageBuffer, DWORD ImageBufferSize, DWORD *FirstSectionOffset, DWORD *SectionCount) |
| Will get the offset to the first section header and the number of sections from the given module. More... | |
| INTSTATUS | IntPeFindFunctionByPattern (QWORD ImageBase, WIN_UNEXPORTED_FUNCTION_PATTERN *Pattern, BOOLEAN IgnoreSectionHint, DWORD *Rva) |
| Find a function using a pattern. More... | |
| INTSTATUS | IntPeFindFunctionByPatternInBuffer (BYTE *Buffer, DWORD BufferSize, WIN_UNEXPORTED_FUNCTION_PATTERN *Pattern, BOOLEAN IgnoreSectionHint, DWORD *Rva) |
| Find a function using a pattern. More... | |
| #define IMAGE_DIRECTORY_ENTRY_BASERELOC 5 |
Definition at line 25 of file winpe.h.
Referenced by IntLdrLoadPEImage().
| #define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14 |
Definition at line 35 of file winpe.h.
Referenced by IntPeGetDirectory().
| #define IMAGE_DIRECTORY_ENTRY_EXCEPTION 3 |
Definition at line 23 of file winpe.h.
Referenced by IntPeGetRuntimeFunction(), and IntPeGetRuntimeFunctionInBuffer().
| #define IMAGE_DIRECTORY_ENTRY_EXPORT 0 |
Definition at line 20 of file winpe.h.
Referenced by IntExceptWinGetVictimDriver(), IntPeFindExportByName(), IntPeFindExportByNameInBuffer(), IntPeFindExportByOrdinal(), IntPeFindExportByRva(), IntPeFindExportByRvaInBuffer(), IntPeGetExportNameByRva(), IntPeGetExportNameByRvaInBuffer(), IntWinDrvHeadersInMemory(), IntWinProtectReadNtEat(), and IntWinUmModCacheFillHeaders().
| #define IMAGE_DIRECTORY_ENTRY_IAT 12 |
Definition at line 33 of file winpe.h.
Referenced by IntExceptWinGetVictimDriver(), IntWinDrvHeadersInMemory(), and IntWinUmModCacheFillHeaders().
| #define IMAGE_DIRECTORY_ENTRY_IMPORT 1 |
Definition at line 21 of file winpe.h.
Referenced by IntLdrLoadPEImage().
| #define IMAGE_DIRECTORY_ENTRY_RESOURCE 2 |
Definition at line 22 of file winpe.h.
Referenced by IntExceptWinGetVictimDriver().
| #define IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE 0x8000 |
| #define IMAGE_DOS_SIGNATURE 0x5A4D |
NOTE: This file contains MZ/PE related structures. As they are publicly documented in multiple sources, they will not be described here at all. The definitions here have been taken from the Windows SDK.
Definition at line 16 of file winpe.h.
Referenced by IntPeValidateHeader().
| #define IMAGE_FILE_MACHINE_AMD64 0x8664 |
Definition at line 505 of file winpe.h.
Referenced by IntLdrLoadPEImage(), and IntPeValidateHeader().
| #define IMAGE_FILE_MACHINE_AXP64 IMAGE_FILE_MACHINE_ALPHA64 |
| #define IMAGE_FILE_MACHINE_I386 0x014c |
Definition at line 480 of file winpe.h.
Referenced by IntLdrLoadPEImage(), and IntPeValidateHeader().
| #define IMAGE_FIRST_SECTION | ( | ntheader | ) |
| #define IMAGE_NT_SIGNATURE 0x00004550 |
Definition at line 17 of file winpe.h.
Referenced by IntPeValidateHeader().
| #define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16 |
Definition at line 103 of file winpe.h.
Referenced by IntPeValidateOptionalHeader().
| #define IMAGE_OPTIONAL_HEADER_PE32 0x010b |
Definition at line 550 of file winpe.h.
Referenced by IntPeValidateOptionalHeader().
| #define IMAGE_OPTIONAL_HEADER_PE64 0x020b |
Definition at line 551 of file winpe.h.
Referenced by IntPeValidateOptionalHeader().
| #define IMAGE_REL_BASED_ABSOLUTE 0 |
Definition at line 310 of file winpe.h.
Referenced by IntLdrFixRelocations().
| #define IMAGE_REL_BASED_DIR64 10 |
Definition at line 323 of file winpe.h.
Referenced by IntLdrFixRelocations().
| #define IMAGE_REL_BASED_HIGHLOW 3 |
Definition at line 313 of file winpe.h.
Referenced by IntLdrFixRelocations().
| #define IMAGE_SCN_CNT_CODE 0x00000020 |
Definition at line 425 of file winpe.h.
Referenced by IntExceptGetVictimEpt(), IntExceptWinGetVictimDriver(), IntExceptWinKernelGetOriginator(), IntPeFindFunctionStart(), IntWinModHookPoly(), IntWinStackTraceGetUser32(), and IntWinStackTraceGetUser64().
| #define IMAGE_SCN_CNT_UNINITIALIZED_DATA 0x00000080 |
Definition at line 427 of file winpe.h.
Referenced by IntLdrPreLoadImage().
| #define IMAGE_SCN_MEM_DISCARDABLE 0x02000000 |
Definition at line 468 of file winpe.h.
Referenced by IntModBlockHandleBlockModHeadersInMemory(), IntPtiMonitorAllPtWriteCandidates(), IntSlackAllocWindows(), IntSwapgsStartMitigation(), IntWinDrvHeadersInMemory(), IntWinGuestReadKernel(), IntWinGuestValidateKernel(), IntWinHalReadHal(), and IntWinModHookModule().
| #define IMAGE_SCN_MEM_EXECUTE 0x20000000 |
Definition at line 472 of file winpe.h.
Referenced by IntExceptGetVictimEpt(), IntExceptWinGetVictimDriver(), IntExceptWinKernelGetOriginator(), IntModBlockHandleBlockModHeadersInMemory(), IntPeFindFunctionStart(), IntPeFindFunctionStartInBuffer(), IntPtiHookPtDriver(), IntPtiIsPtrInAgent(), IntPtiMonitorAllPtWriteCandidates(), IntSlackAllocWindows(), IntSwapgsStartMitigation(), IntVeEnableDisableDriverAccessInProtectedView(), IntWinGuestValidateKernel(), IntWinModHookPoly(), IntWinStackTraceGet64(), IntWinStackTraceGetUser32(), and IntWinStackTraceGetUser64().
| #define IMAGE_SCN_MEM_NOT_PAGED 0x08000000 |
Definition at line 470 of file winpe.h.
Referenced by IntPtiMonitorAllPtWriteCandidates(), IntSlackAllocWindows(), IntSwapgsStartMitigation(), IntWinGuestReadKernel(), and IntWinHalReadHal().
| #define IMAGE_SCN_MEM_READ 0x40000000 |
Definition at line 473 of file winpe.h.
Referenced by IntWinModHookPoly().
| #define IMAGE_SCN_MEM_WRITE 0x80000000 |
Definition at line 474 of file winpe.h.
Referenced by IntExceptWinKernelGetOriginator(), IntPtiHookPtDriver(), IntSlackAllocWindows(), IntVeEnableDisableDriverAccessInProtectedView(), IntWinDagentHandleSuspModHeaders(), IntWinDrvHeadersInMemory(), IntWinGuestValidateKernel(), IntWinModHookModule(), and IntWinModHookPoly().
| #define IMAGE_SIZEOF_SHORT_NAME 8u |
Definition at line 74 of file winpe.h.
Referenced by IntPeGetSectionHeadersByName().
| #define IMAGE_SUBSYSTEM_NATIVE 1 |
Definition at line 513 of file winpe.h.
Referenced by IntLdrLoadPEImage(), and IntWinDagentCheckNativeSubsystem().
| #define IntPeGetSectionHeaderByName | ( | Base, | |
| Buff, | |||
| Name, | |||
| Cr3, | |||
| Sec | |||
| ) | IntPeGetSectionHeadersByName((Base), (Buff), (Name), 1, (Cr3), (Sec), NULL) |
Definition at line 765 of file winpe.h.
Referenced by IntPtiDeliverDriverForLoad(), IntWinGuestValidateKernel(), and IntWinNetFindTcpObjects().
| #define MAX_FILE_ALIGNMENT 0x10000 |
Definition at line 584 of file winpe.h.
Referenced by IntPeValidateHeader().
| #define MAX_FUNC_LENGTH 0xa00 |
The maximum length (in bytes) of a function.
Definition at line 582 of file winpe.h.
Referenced by IntPeFindFunctionStart(), IntPeFindFunctionStartInBuffer(), and IntWinStackTraceGet64().
| #define MAX_NUMBER_SECTIONS 96 |
the maximum number of sections limited by the Windows loader see https://msdn.microsoft.com/en-us/library/windows/desktop/ms680547(v=vs.85).aspx#file_headers
| #define MAX_PATH 260u |
The maximum size of a path (260 characters on windows).
Definition at line 579 of file winpe.h.
Referenced by DbgDumpGuestModules(), DbgProcAdd(), DbgProcRem(), IntExceptKernelLogLinuxInformation(), IntExceptKernelLogWindowsInformation(), IntExceptPrintDrvObjInfo(), IntExceptPrintWinKmModInfo(), IntExceptPrintWinModInfo(), IntExceptUserLogLinuxInformation(), IntExceptUserLogWindowsInformation(), IntWinDepInjectProcess(), and IntWinModComparePaths().
| #define UNW_FLAG_CHAININFO 0x00000004 |
Definition at line 413 of file winpe.h.
Referenced by IntPeParseUnwindData(), and IntPeParseUnwindDataInBuffer().
| typedef struct _IMAGE_BASE_RELOCATION IMAGE_BASE_RELOCATION |
| typedef struct _IMAGE_BOUND_IMPORT_DESCRIPTOR IMAGE_BOUND_IMPORT_DESCRIPTOR |
| typedef struct _IMAGE_DATA_DIRECTORY IMAGE_DATA_DIRECTORY |
| typedef struct _IMAGE_DOS_HEADER IMAGE_DOS_HEADER |
| typedef struct _IMAGE_EXPORT_DIRECTORY IMAGE_EXPORT_DIRECTORY |
| typedef struct _IMAGE_FILE_HEADER IMAGE_FILE_HEADER |
| typedef struct _IMAGE_IMPORT_BY_NAME IMAGE_IMPORT_BY_NAME |
| typedef struct _IMAGE_IMPORT_DESCRIPTOR IMAGE_IMPORT_DESCRIPTOR |
| typedef struct _IMAGE_NT_HEADERS IMAGE_NT_HEADERS32 |
| typedef struct _IMAGE_NT_HEADERS64 IMAGE_NT_HEADERS64 |
| typedef struct _IMAGE_OPTIONAL_HEADER IMAGE_OPTIONAL_HEADER32 |
| typedef struct _IMAGE_OPTIONAL_HEADER64 IMAGE_OPTIONAL_HEADER64 |
| typedef struct _IMAGE_RESOURCE_DATA_ENTRY IMAGE_RESOURCE_DATA_ENTRY |
| typedef struct _IMAGE_RESOURCE_DIRECTORY IMAGE_RESOURCE_DIRECTORY |
| typedef struct _IMAGE_RESOURCE_DIRECTORY_ENTRY IMAGE_RESOURCE_DIRECTORY_ENTRY |
| typedef struct _IMAGE_SECTION_HEADER IMAGE_SECTION_HEADER |
| typedef struct _IMAGE_THUNK_DATA32 IMAGE_THUNK_DATA32 |
| typedef struct _IMAGE_THUNK_DATA64 IMAGE_THUNK_DATA64 |
| typedef struct _INTRO_PE_INFO INTRO_PE_INFO |
Intro PE info structure.
| typedef struct _INTRO_UNWIND_INFO INTRO_UNWIND_INFO |
Unwind information.
| typedef struct _IMAGE_BOUND_IMPORT_DESCRIPTOR * PIMAGE_BOUND_IMPORT_DESCRIPTOR |
| typedef struct _IMAGE_DATA_DIRECTORY * PIMAGE_DATA_DIRECTORY |
| typedef struct _IMAGE_DOS_HEADER * PIMAGE_DOS_HEADER |
| typedef struct _IMAGE_EXPORT_DIRECTORY * PIMAGE_EXPORT_DIRECTORY |
| typedef struct _IMAGE_FILE_HEADER * PIMAGE_FILE_HEADER |
| typedef struct _IMAGE_IMPORT_BY_NAME * PIMAGE_IMPORT_BY_NAME |
| typedef struct _IMAGE_NT_HEADERS * PIMAGE_NT_HEADERS32 |
| typedef struct _IMAGE_NT_HEADERS64 * PIMAGE_NT_HEADERS64 |
| typedef struct _IMAGE_OPTIONAL_HEADER * PIMAGE_OPTIONAL_HEADER32 |
| typedef struct _IMAGE_OPTIONAL_HEADER64 * PIMAGE_OPTIONAL_HEADER64 |
| typedef struct _IMAGE_RESOURCE_DATA_ENTRY * PIMAGE_RESOURCE_DATA_ENTRY |
| typedef struct _IMAGE_RESOURCE_DIRECTORY * PIMAGE_RESOURCE_DIRECTORY |
| typedef struct _IMAGE_RESOURCE_DIRECTORY_ENTRY * PIMAGE_RESOURCE_DIRECTORY_ENTRY |
| typedef struct _IMAGE_SECTION_HEADER * PIMAGE_SECTION_HEADER |
| typedef struct _IMAGE_THUNK_DATA32 * PIMAGE_THUNK_DATA32 |
| typedef struct _IMAGE_THUNK_DATA64 * PIMAGE_THUNK_DATA64 |
| typedef struct _INTRO_PE_INFO * PINTRO_PE_INFO |
| typedef struct _INTRO_UNWIND_INFO * PINTRO_UNWIND_INFO |
| typedef struct _RUNTIME_FUNCTION * PRUNTIME_FUNCTION |
| typedef struct _UNWIND_INFO * PUNWIND_INFO |
| typedef struct _RUNTIME_FUNCTION RUNTIME_FUNCTION |
| typedef struct _UNWIND_INFO UNWIND_INFO |
| typedef struct _WIN_UNEXPORTED_FUNCTION WIN_UNEXPORTED_FUNCTION |
| INTSTATUS IntPeFindExportByName | ( | QWORD | ImageBase, |
| BYTE * | ImageBaseBuffer, | ||
| CHAR * | Name, | ||
| DWORD * | ExportRva | ||
| ) |
Find the export name a Rva lies in.
| [in] | ImageBase | Guest virtual address of the beginning of the module (headers). |
| [in] | ImageBaseBuffer | Buffer containing the MZ/PE image. |
| [in] | Name | Export name to be found. |
| [out] | ExportRva | Rva the indicated export is found at. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_FOUND | If no export containing the Rva is found. |
| INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
| INT_STATUS_INVALID_OBJECT_TYPE | If the MZ/PE file is malformed or corrupted in any way. |
| INT_STATUS_INSUFFICIENT_RESOURCES | If a memory alloc fails. |
Definition at line 1783 of file winpe.c.
Referenced by IntLdrFixImports(), IntVeDeliverDriverForLoad(), and IntWinApiHook().
| INTSTATUS IntPeFindExportByNameInBuffer | ( | QWORD | ImageBase, |
| BYTE * | Buffer, | ||
| DWORD | BufferSize, | ||
| const char * | Name, | ||
| DWORD * | ExportRva | ||
| ) |
Find the export name a Rva lies in.
| [in] | ImageBase | Guest virtual address of the beginning of the module (headers). |
| [in] | Buffer | Buffer containing the MZ/PE image. |
| [in] | BufferSize | Size of the Buffer containing the MZ/PE image. |
| [in] | Name | Export name to be found. |
| [out] | ExportRva | Rva the indicated export is found at. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_FOUND | If no export containing the Rva is found. |
| INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
| INT_STATUS_INVALID_OBJECT_TYPE | If the MZ/PE file is malformed or corrupted in any way. |
Definition at line 1586 of file winpe.c.
Referenced by IntPeFindKernelExport(), and IntWinHalFindPerformanceCounterInternal().
| INTSTATUS IntPeFindExportByOrdinal | ( | QWORD | ImageBase, |
| BYTE * | ImageBaseBuffer, | ||
| DWORD | Ordinal, | ||
| DWORD * | ExportRva | ||
| ) |
Find an exported function using its ordinal.
| [in] | ImageBase | Guest virtual address of the beginning of the module (headers). |
| [in] | ImageBaseBuffer | Buffer containing the MZ/PE image. |
| [in] | Ordinal | Ordinal used to find the export. |
| [out] | ExportRva | Rva the indicated export is found at. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_FOUND | If no export containing the Rva is found. |
| INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
| INT_STATUS_INVALID_OBJECT_TYPE | If the MZ/PE file is malformed or corrupted in any way. |
Check if a RVA lies inside an exported function.
Will return success if the given RVA is inside an exported function. Does not return the name since that would be slow. For getting the name use the IntPeGetExportNameByRva.
| [in] | ImageBase | Guest virtual address of the beginning of the module (headers). |
| [in] | ImageBaseBuffer | Address where the ImageBase is already mapped in Introcore space, if present. |
| [in] | Rva | The Rva to be checked. |
| INT_STATUS_SUCCESS | If the indicated Rva lies within an export. |
| INT_STATUS_NOT_FOUND | if the RVA isn't inside an exported function |
| INT_STATUS_INVALID_OBJECT_TYPE | if the ImageBase isn't a valid PE/PE+ object |
Definition at line 1103 of file winpe.c.
Referenced by IntExceptWinKernelGetOriginator().
| INTSTATUS IntPeFindExportByRvaInBuffer | ( | QWORD | ImageBase, |
| BYTE * | Buffer, | ||
| DWORD | BufferSize, | ||
| DWORD | Rva | ||
| ) |
Check if the indicated Rva belongs to an exported function.
Will return success if the given RVA is inside an exported function. Does not return the name since that would be slow. For getting the name use the IntPeGetExportNameByRva.
| [in] | ImageBase | Guest virtual address of the beginning of the module (headers). |
| [in] | Buffer | Buffer containing the module. |
| [in] | BufferSize | The size of the buffer containing the module. |
| [in] | Rva | The Rva to be found. |
| INT_STATUS_SUCCESS | If an export is found to contain the given Rva. |
| INT_STATUS_NOT_FOUND | if the RVA isn't inside an exported function |
| STATUS_INVALID_OBJECT_TYPE | if the ImageBase isn't a valid PE/PE+ object |
Definition at line 1223 of file winpe.c.
Referenced by IntExceptWinKernelGetOriginator().
| INTSTATUS IntPeFindFunctionByPattern | ( | QWORD | ImageBase, |
| WIN_UNEXPORTED_FUNCTION_PATTERN * | Pattern, | ||
| BOOLEAN | IgnoreSectionHint, | ||
| DWORD * | Rva | ||
| ) |
Find a function using a pattern.
Searches the indicated guest module for a function matching the provided pattern. This function uses IntPeValidateHeader to validate the MZPE headers before using them.
| [in] | ImageBase | Guest virtual address of the beginning of the module (headers) to be validated. |
| [in] | Pattern | The searched pattern. |
| [in] | IgnoreSectionHint | If true, the pattern section hint will be ignored. |
| [out] | Rva | The Rva the indicated pattern is found at. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_DATA_BUFFER_TOO_SMALL | If a section exceeds the size of the provided buffer. |
| INT_STATUS_NOT_FOUND | If not function matching that pattern is found. |
Definition at line 3150 of file winpe.c.
Referenced by IntWinAgentFindPropperSyscall(), IntWinAgentFindSyscallLinkage(), and IntWinApiFindFunctionRva().
| INTSTATUS IntPeFindFunctionByPatternInBuffer | ( | BYTE * | Buffer, |
| DWORD | BufferSize, | ||
| WIN_UNEXPORTED_FUNCTION_PATTERN * | Pattern, | ||
| BOOLEAN | IgnoreSectionHint, | ||
| DWORD * | Rva | ||
| ) |
Find a function using a pattern.
Searches the indicated buffer for a function matching the provided pattern.
| [in] | Buffer | The buffer to search. |
| [in] | BufferSize | The size of the Buffer to be searched. |
| [in] | Pattern | The searched pattern. |
| [in] | IgnoreSectionHint | If true, the pattern section hint will be ignored. |
| [out] | Rva | The Rva the indicated pattern is found at. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_DATA_BUFFER_TOO_SMALL | If a section exceeds the size of the provided buffer. |
| INT_STATUS_NOT_FOUND | If not function matching that pattern is found. |
Definition at line 3044 of file winpe.c.
Referenced by IntWinAgentFindSyscallLinkage(), IntWinApiFindFunctionRva(), and IntWinInfHookGetEtwpDebuggerData().
| INTSTATUS IntPeFindFunctionStart | ( | QWORD | ImageBase, |
| BYTE * | ImageBaseBuffer, | ||
| DWORD | Rva, | ||
| DWORD * | BeginAddress | ||
| ) |
Find the start address of a function, given a Rva pointing inside of it.
Given a Rva, parse code backwards until we find what looks like the start of the function. This function uses either the exception directory for 64 bit executables or the standard prologue for 32 bit executables to locate the beginning of the function.
| [in] | ImageBase | Guest virtual address of the beginning of the module (headers) to be validated. |
| [in] | ImageBaseBuffer | Address where the ImageBase is already mapped in Introcore space, if present. |
| [in] | Rva | The Rva we will search the function start for. |
| [out] | BeginAddress | The Rva of the identified function start. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
| INT_STATUS_NOT_SUPPORTED | If the Rva lies in a non-executable section. |
| INT_STATUS_NOT_FOUND | If the function start could not be identified. |
Definition at line 3297 of file winpe.c.
Referenced by IntAlertEptFillFromVictimZone(), IntPeFindExportByRva(), and IntPeFindExportByRvaInBuffer().
| INTSTATUS IntPeFindFunctionStartInBuffer | ( | QWORD | ImageBase, |
| BYTE * | Buffer, | ||
| DWORD | BufferSize, | ||
| DWORD | Rva, | ||
| DWORD * | BeginAddress | ||
| ) |
Find the start address of a function, given a Rva pointing inside of it.
Given a Rva, parse code backwards until we find what looks like the start of the function. This function uses either the exception directory for 64 bit executables or the standard prologue for 32 bit executables to locate the beginning of the function. For 64-bit MZPEs IntPeParseUnwindDataInBuffer should be used instead.
| [in] | ImageBase | Guest virtual address of the beginning of the module (headers) to be validated. |
| [in] | Buffer | The buffer containing the MZ/PE image. |
| [in] | BufferSize | The size of the Buffer containing the MZ/PE image. |
| [in] | Rva | The Rva we will search the function start for. |
| [out] | BeginAddress | The Rva of the identified function start. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
| INT_STATUS_NOT_SUPPORTED | If the Rva lies in a non-executable section. |
| INT_STATUS_NOT_FOUND | If the function start could not be identified. |
Definition at line 3624 of file winpe.c.
Referenced by IntAlertEptFillFromVictimZone().
Find an export inside the NT kernel image.
| [in] | Name | Export to be found. |
| [out] | ExportGva | Guest virtual address (NOT RVA!) of the identified export. |
| INT_STATUS_SUCCESS | On success. |
Definition at line 1748 of file winpe.c.
Referenced by IntWinApiHook(), IntWinGuestIsIncreasedUserVa(), IntWinGuestResolveImports(), IntWinHalCreateHalData(), IntWinProcPrepareInstrument(), and IntWinThrPrepareApcHandler().
| INTSTATUS IntPeGetDirectory | ( | QWORD | ImageBase, |
| BYTE * | ImageBaseBuffer, | ||
| DWORD | DirectoryEntry, | ||
| IMAGE_DATA_DIRECTORY * | Directory | ||
| ) |
Validate & return the indicated image data directory.
| [in] | ImageBase | Guest virtual address of the beginning of the module (headers). |
| [in] | ImageBaseBuffer | Address where the ImageBase is already mapped in Introcore space, if present. |
| [in] | DirectoryEntry | Data directory entry to be fetched. |
| [out] | Directory | Will contain, upon successful return, the requested data directory. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
| INT_STATUS_INVALID_OBJECT_TYPE | If the MZ/PE is malformed or corrupted in any way. |
| INT_STATUS_NOT_FOUND | If the indicated data directory is not present. |
Definition at line 552 of file winpe.c.
Referenced by IntExceptWinGetVictimDriver(), IntLdrLoadPEImage(), IntPeFindExportByName(), IntPeFindExportByNameInBuffer(), IntPeFindExportByOrdinal(), IntPeFindExportByRva(), IntPeFindExportByRvaInBuffer(), IntPeGetExportNameByRva(), IntPeGetExportNameByRvaInBuffer(), IntPeGetRuntimeFunction(), IntPeGetRuntimeFunctionInBuffer(), IntWinDrvHeadersInMemory(), IntWinProtectReadNtEat(), and IntWinUmModCacheFillHeaders().
| INTSTATUS IntPeGetExportNameByRva | ( | QWORD | ImageBase, |
| BYTE * | ImageBaseBuffer, | ||
| DWORD | Rva, | ||
| DWORD | ExportNameSize, | ||
| CHAR * | ExportName | ||
| ) |
Find the export name a Rva lies in.
| [in] | ImageBase | Guest virtual address of the beginning of the module (headers). |
| [in] | ImageBaseBuffer | Address where the ImageBase is already mapped in Introcore space, if present. |
| [in] | Rva | The Rva for which we wish to find the export name. |
| [in] | ExportNameSize | Maximum length of the ExportName buffer, which will contain the export name, including the NULL-terminator. |
| [out] | ExportName | Will contain upon successful return the name of the export Rva belongs to. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_FOUND | If no export containing the Rva is found. |
| INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
| INT_STATUS_INVALID_OBJECT_TYPE | If the MZ/PE file is malformed or corrupted in any way. |
Definition at line 1312 of file winpe.c.
Referenced by IntAlertEptFillFromVictimZone().
| INTSTATUS IntPeGetExportNameByRvaInBuffer | ( | QWORD | ImageBase, |
| BYTE * | Buffer, | ||
| DWORD | BufferSize, | ||
| DWORD | Rva, | ||
| DWORD | ExportNameSize, | ||
| CHAR * | ExportName | ||
| ) |
Find the export name a Rva lies in.
| [in] | ImageBase | Guest virtual address of the beginning of the module (headers). |
| [in] | Buffer | Buffer containing the MZ/PE image. |
| [in] | BufferSize | Size of the Buffer containing the MZ/PE image. |
| [in] | Rva | The Rva for which we wish to find the export name. |
| [in] | ExportNameSize | Maximum length of the ExportName buffer, which will contain the export name. |
| [out] | ExportName | Will contain upon successful return the name of the export Rva belongs to. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_FOUND | If no export containing the Rva is found. |
| INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
| INT_STATUS_INVALID_OBJECT_TYPE | If the MZ/PE file is malformed or corrupted in any way. |
Definition at line 1457 of file winpe.c.
Referenced by IntAlertEptFillFromVictimZone().
| INTSTATUS IntPeGetRuntimeFunction | ( | QWORD | ImageBase, |
| BYTE * | ImageBaseBuffer, | ||
| DWORD | Rva, | ||
| RUNTIME_FUNCTION * | RuntimeFunction | ||
| ) |
Parses the exception directory and gets the runtime function corresponding to the Rva.
| [in] | ImageBase | Guest virtual address of the beginning of the module (headers). |
| [in] | ImageBaseBuffer | Buffer containing the MZ/PE image. |
| [in] | Rva | The Rva whose runtime function is to be found. |
| [out] | RuntimeFunction | The identified runtime function for the indicated Rva. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_OBJECT_TYPE | If the MZ/PE file is malformed or corrupted in any way. |
| INT_STATUS_NOT_SUPPORTED | If the indicated MZ/PE file is not 64 bit. |
| INT_STATUS_NOT_FOUND | If no function is found at that RVA |
Definition at line 2062 of file winpe.c.
Referenced by IntPeFindFunctionStart(), and IntWinStackTraceGet64().
| INTSTATUS IntPeGetRuntimeFunctionInBuffer | ( | QWORD | ImageBase, |
| BYTE * | Buffer, | ||
| DWORD | BufferSize, | ||
| DWORD | Rva, | ||
| RUNTIME_FUNCTION * | RuntimeFunction | ||
| ) |
Parses the exception directory and gets the runtime function corresponding to the Rva.
| [in] | ImageBase | Guest virtual address of the beginning of the module (headers). |
| [in] | Buffer | Buffer containing the MZ/PE image. |
| [in] | BufferSize | The size of the Buffer containing the MZ/PE image. |
| [in] | Rva | The Rva whose runtime function is to be found. |
| [out] | RuntimeFunction | The identified runtime function for the indicated Rva. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
| INT_STATUS_INVALID_OBJECT_TYPE | If the MZ/PE file is malformed or corrupted in any way. |
| INT_STATUS_NOT_SUPPORTED | If the indicated MZ/PE file is not 64 bit. |
| INT_STATUS_NOT_FOUND | If no function is found at that RVA |
Definition at line 2267 of file winpe.c.
Referenced by IntPeFindFunctionStartInBuffer(), and IntWinStackTraceGet64().
| INTSTATUS IntPeGetSectionHeaderByIndex | ( | QWORD | ImageBase, |
| BYTE * | ImageBaseBuffer, | ||
| DWORD | Index, | ||
| IMAGE_SECTION_HEADER * | SectionHeader | ||
| ) |
Return the section header located on position Index (0 based).
| [in] | ImageBase | Guest virtual address of the beginning of the module (headers). |
| [in] | ImageBaseBuffer | Address where the ImageBase is already mapped in Introcore space, if present. |
| [in] | Index | Index of the section header to be returned (0 based). |
| [out] | SectionHeader | Will contain, upon successful return, the section header located at Index. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
| INT_STATUS_INVALID_OBJECT_TYPE | If the MZ/PE is malformed or corrupted in any way. |
| INT_STATUS_NOT_FOUND | If the section Index is not found. |
Definition at line 838 of file winpe.c.
Referenced by IntPtiMonitorAllPtWriteCandidates().
| INTSTATUS IntPeGetSectionHeaderByRva | ( | QWORD | ImageBase, |
| BYTE * | ImageBaseBuffer, | ||
| DWORD | GuestRva, | ||
| IMAGE_SECTION_HEADER * | SectionHeader | ||
| ) |
Given a relative virtual address, return the section header which describes the section the RVA lies in.
| [in] | ImageBase | Guest virtual address of the beginning of the module (headers). |
| [in] | ImageBaseBuffer | Address where the ImageBase is already mapped in Introcore space, if present. |
| [in] | GuestRva | The RVA to be found. |
| [out] | SectionHeader | Will contain, upon successful return, the section header describing the section that contains the indicated RVA. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
| INT_STATUS_INVALID_OBJECT_TYPE | If the MZ/PE is malformed or corrupted in any way. |
| INT_STATUS_NOT_FOUND | If a section containing the RVA is not found. |
Definition at line 707 of file winpe.c.
Referenced by IntExceptGetVictimEpt(), IntExceptWinGetVictimDriver(), IntExceptWinKernelGetOriginator(), IntPeFindFunctionStart(), IntPeFindFunctionStartInBuffer(), IntPtiIsPtrInAgent(), IntWinDagentSendDoubleAgentAlert(), IntWinGuestValidateKernel(), IntWinModFillDriverInjectionData(), IntWinStackTraceGet64(), IntWinStackTraceGetUser32(), and IntWinStackTraceGetUser64().
| INTSTATUS IntPeGetSectionHeadersByName | ( | QWORD | ImageBase, |
| BYTE * | ImageBaseBuffer, | ||
| PCHAR | Name, | ||
| DWORD | NumberOfSectionHeadersAllocated, | ||
| QWORD | Cr3, | ||
| IMAGE_SECTION_HEADER * | SectionHeaders, | ||
| DWORD * | NumberOfSectionHeadersFilled | ||
| ) |
Return all the section headers matching the indicated Name.
| [in] | ImageBase | Guest virtual address of the beginning of the module (headers). |
| [in] | ImageBaseBuffer | Address where the ImageBase is already mapped in Introcore space, if present. |
| [in] | Name | The name of the searched sections. |
| [in] | NumberOfSectionHeadersAllocated | Number of section headers allocated for the results. |
| [in] | Cr3 | The Cr3 used for mapping the headers in case ImageBaseBuffer is not provided. |
| [out] | SectionHeaders | Buffer containing NumberOfSectionHeadersAllocated slots. |
| [out] | NumberOfSectionHeadersFilled | Number of slots filled in the SectionHeaders = number of sections found to have the indicated Name. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
| INT_STATUS_INVALID_OBJECT_TYPE | If the MZ/PE is malformed or corrupted in any way. |
| INT_STATUS_NOT_FOUND | If no section with the given name is found. |
Definition at line 942 of file winpe.c.
Referenced by IntWinGuestFindDriversNamespace(), IntWinGuestFindDriversNamespaceNoBuffer(), IntWinGuestFindKernelObjectsInternal(), IntWinGuestValidateKernel(), IntWinHalFindHalHeapAndInterruptController(), and IntWinHalFindInterruptController().
| INTSTATUS IntPeListSectionsHeaders | ( | QWORD | ImageBase, |
| BYTE * | ImageBuffer, | ||
| DWORD | ImageBufferSize, | ||
| DWORD * | FirstSectionOffset, | ||
| DWORD * | SectionCount | ||
| ) |
Will get the offset to the first section header and the number of sections from the given module.
| [in] | ImageBase | Guest virtual address of the beginning of the module (headers). |
| [in] | ImageBuffer | Address where the ImageBase is already mapped in Introcore space, if present. |
| [in] | ImageBufferSize | If ImageBaseBuffer is valid, this indicates its size. |
| [out] | FirstSectionOffset | Offset to the first section header. |
| [out] | SectionCount | Number of sections. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
| INT_STATUS_INVALID_OBJECT_TYPE | If the MZ/PE is malformed or corrupted in any way. |
Definition at line 473 of file winpe.c.
Referenced by IntPtiHookPtDriver(), IntVeEnableDisableDriverAccessInProtectedView(), IntVeHookVeDriver(), IntWinDagentHandleSuspModHeaders(), and IntWinModHookModule().
| INTSTATUS IntPeParseUnwindData | ( | QWORD | ImageBase, |
| BYTE * | ImageBaseBuffer, | ||
| RUNTIME_FUNCTION * | RuntimeFunction, | ||
| DWORD | RipOffset, | ||
| DWORD * | ReservedStack, | ||
| DWORD * | BeginAddress, | ||
| BOOLEAN * | InterruptFunction, | ||
| BOOLEAN * | ExceptionFunction, | ||
| BOOLEAN * | HasFramePointer | ||
| ) |
Parse the unwind data for the indicated function and return the prologue size.
Parses the UNWIND_INFO structure(s) of the RuntimeFunction and returns the total space occupied by the function prologue (it can be 0!).
| [in] | ImageBase | Guest virtual address of the beginning of the module (headers). |
| [in] | ImageBaseBuffer | Buffer containing the MZ/PE image. |
| [in] | RuntimeFunction | The runtime function to be parsed. |
| [in] | RipOffset | The offset inside the function where the RIP is. |
| [out] | ReservedStack | Size reserved on the stack for that function. |
| [out] | BeginAddress | The actual beginning of the function (after parsing chained info). |
| [out] | InterruptFunction | True if it's an interrupt handler function. |
| [out] | ExceptionFunction | True if it's an exception handler function. |
| [out] | HasFramePointer | True if the function uses a frame pointer. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
Definition at line 2395 of file winpe.c.
Referenced by IntPeFindFunctionStart(), and IntWinStackTraceGet64().
| INTSTATUS IntPeParseUnwindDataInBuffer | ( | QWORD | ImageBase, |
| BYTE * | Buffer, | ||
| DWORD | BufferSize, | ||
| RUNTIME_FUNCTION * | RuntimeFunction, | ||
| DWORD | RipOffset, | ||
| DWORD * | ReservedStack, | ||
| DWORD * | BeginAddress, | ||
| BOOLEAN * | InterruptFunction, | ||
| BOOLEAN * | ExceptionFunction, | ||
| BOOLEAN * | HasFramePointer | ||
| ) |
Parse the unwind data for the indicated function and return the prologue size.
Parses the UNWIND_INFO structure(s) of the RuntimeFunction and returns the total space occupied by the function prologue (it can be 0!).
| [in] | ImageBase | Guest virtual address of the beginning of the module (headers). |
| [in] | Buffer | Buffer containing the MZ/PE image. |
| [in] | BufferSize | The size of the Buffer containing the MZ/PE image. |
| [in] | RuntimeFunction | The runtime function to be parsed. |
| [in] | RipOffset | The offset inside the function where the RIP is. |
| [out] | ReservedStack | Size reserved on the stack for that function. |
| [out] | BeginAddress | The actual beginning of the function (after parsing chained info). |
| [out] | InterruptFunction | True if it's an interrupt handler function. |
| [out] | ExceptionFunction | True if it's an exception handler function. |
| [out] | HasFramePointer | True if the function uses a frame pointer. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
Definition at line 2726 of file winpe.c.
Referenced by IntPeFindFunctionStartInBuffer(), and IntWinStackTraceGet64().
| INTSTATUS IntPeValidateHeader | ( | QWORD | ImageBase, |
| BYTE * | ImageBaseBuffer, | ||
| DWORD | ImageBaseBufferSize, | ||
| INTRO_PE_INFO * | PeInfo, | ||
| QWORD | Cr3 | ||
| ) |
Validates a PE header.
This function will perform several checks on the given PE header:
| [in] | ImageBase | Guest virtual address of the beginning of the module (headers) to be validated. |
| [in] | ImageBaseBuffer | Address where the ImageBase is already mapped in Introcore space, if present. |
| [in] | ImageBaseBufferSize | If ImageBaseBuffer is valid, this indicates its size. |
| [out] | PeInfo | Will contain upon successful validation relevant PE information. |
| [in] | Cr3 | Optional virtual address space the image lies in. |
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_SUPPORTED | If the base of the PE file is not aligned to 4K. |
| INT_STATUS_INVALID_OBJECT_TYPE | If the PE file is malformed or corrupted in any way. |
Definition at line 131 of file winpe.c.
Referenced by IntLdrGetImageSizeAndEntryPoint(), IntLdrLoadPEImage(), IntModBlockHandleBlockModHeadersInMemory(), IntPeFindExportByNameInBuffer(), IntPeFindExportByRvaInBuffer(), IntPeFindFunctionByPattern(), IntPeFindFunctionByPatternInBuffer(), IntPeFindFunctionStart(), IntPeFindFunctionStartInBuffer(), IntPeGetDirectory(), IntPeGetExportNameByRvaInBuffer(), IntPeGetRuntimeFunction(), IntPeGetRuntimeFunctionInBuffer(), IntPeGetSectionHeaderByIndex(), IntPeGetSectionHeaderByRva(), IntPeGetSectionHeadersByName(), IntPeListSectionsHeaders(), IntSlackAllocWindows(), IntWinDagentCheckNativeSubsystem(), IntWinDepInjectProcess(), IntWinDrvHeadersInMemory(), IntWinDrvObjIsValidDriverObject(), IntWinGuestReadKernel(), IntWinHalReadHal(), IntWinModHookPoly(), and IntWinUmModCacheFillHeaders().
1.8.13