Bitdefender Hypervisor Memory Introspection
This file handles Windows Processes related events (Creation, Termination, Copy Memory, etc.). More...
#include "winprocess.h"
#include "alerts.h"
#include "crc32.h"
#include "gpacache.h"
#include "icache.h"
#include "kernvm.h"
#include "ptfilter.h"
#include "swapmem.h"
#include "winagent.h"
#include "winobj.h"
#include "winpfn.h"
#include "winprocesshp.h"
#include "winselfmap.h"
#include "wincmdline.h"
#include "windpi.h"
#include "wintoken.h"
#include "winpe.h"
#include "winsecdesc.h"
Macros
#define | CMDLINE_LEN_NO_SCAN ALERT_CMDLINE_MAX_LEN |
The maximum length (in bytes) of the data read from the guest when reading the command line of a process that is not protected with the PROC_OPT_PROT_SCAN_CMD_LINE. More... | |
#define | CMDLINE_MAX_LEN (WORD_MAX - 1) |
The maximum length (in bytes) of the data read from the guest when reading the command line of a process protected with PROC_OPT_PROT_SCAN_CMD_LINE. More... | |
#define | NACL_CMD_LINE "--type=nacl-loader" |
Functions
static INTSTATUS | IntWinProcDeleteProcessObject (QWORD EprocessAddress, QWORD Cr3, DWORD Pid) |
Used to delete the process from the Introcore internal structures. More... | |
static INTSTATUS | IntWinProcRemoveProcess (WIN_PROCESS_OBJECT *Process) |
Used to free the memory allocations and swap memory transactions used by a PWIN_PROCESS_OBJECT. More... | |
static INTSTATUS | IntWinProcCreateProcessSubsystem (WIN_PROCESS_OBJECT *Process, WIN_PROCESS_SUBSYSTEM **Subsystem, BYTE SubsystemType) |
Create a process subsystem for the given process. More... | |
static BOOLEAN | IntWinProcIsExploitGuardEnabled (QWORD EprocessAddress, BYTE *Eprocess) |
Checks if the exploit guard is enabled for a certain process. More... | |
static INTSTATUS | IntWinProcEnforceProcessDep (WIN_PROCESS_OBJECT *Process) |
Enables DEP (Data Execution Prevention) for a certain process. More... | |
static INTSTATUS | IntWinProcPatchSpareValue (WIN_PROCESS_OBJECT *Process) |
Saves the process protection info within an EPROCESS spare field. More... | |
static INTSTATUS | IntWinProcMarkAgent (WIN_PROCESS_OBJECT *Process, BOOLEAN Mark) |
Mark the given process as being an agent. More... | |
static INTSTATUS | IntWinProcSendAgentEvent (WIN_PROCESS_OBJECT *Process, BOOLEAN Created) |
Send a process creation/termination event that symbolizes an agent. More... | |
static INTSTATUS | IntWinProcSendProcessEvent (WIN_PROCESS_OBJECT *Process, BOOLEAN Created, BOOLEAN Crashed) |
Send a process creation/termination event. More... | |
static INTSTATUS | IntWinProcSendProcessExceptionEvent (WIN_PROCESS_OBJECT *Process) |
Send a process exception event. More... | |
static void | IntWinProcFillSystemPath (WIN_PROCESS_SUBSYSTEM *Subsystem) |
Fill the system directory path for the given subsystem. More... | |
static INTSTATUS | IntWinProcRemoveSubsystem (WIN_PROCESS_SUBSYSTEM *Subsystem) |
Removes a process subsystem. More... | |
static INTSTATUS | IntWinGetProcCmdLineHandleBufferInMemory (void *Context, QWORD Cr3, QWORD VirtualAddress, QWORD PhysicalAddress, void *Data, DWORD DataSize, DWORD Flags) |
Called from within IntSwapMemReadData when the command line buffer of a process has been fully read. More... | |
static INTSTATUS | IntWinGetPrcoCmdLineHandleCmdLineInMemory (void *Context, QWORD Cr3, QWORD VirtualAddress, QWORD PhysicalAddress, void *Data, DWORD DataSize, DWORD Flags) |
Called from within IntSwapMemReadData when the UNICODE_STRING32 or UNICODE_STRING64 structure that contains the command line buffer of a process has been read. More... | |
static INTSTATUS | IntWinGetPrcoCmdLineHandleUserParamsInMemory (void *Context, QWORD Cr3, QWORD VirtualAddress, QWORD PhysicalAddress, void *Data, DWORD DataSize, DWORD Flags) |
Called from within IntSwapMemReadData when the RTL_USER_PROCESS_PARAMETERS32 or RTL_USER_PROCESS_PARAMETERS64 structure of the process (Context) has been read. More... | |
INTSTATUS | IntWinProcReadCommandLine (WIN_PROCESS_OBJECT *Process) |
Reads the command line of the given process using IntSwapMemReadData. More... | |
static void | IntWinProcGetImageBaseNameFromPath (const WCHAR *FullPath, CHAR *BaseName, const WCHAR **FullName) |
Get the BaseName and FullName of an image from the FullPath. More... | |
static const PROTECTED_PROCESS_INFO * | IntWinProcGetProtectedInfo (CHAR BaseName[IMAGE_BASE_NAME_LEN], BOOLEAN IsSystem) |
Returns a pointer to the PROTECTED_PROCESS_INFO structure for the given process BaseName. More... | |
const PROTECTED_PROCESS_INFO * | IntWinProcGetProtectedInfoEx (PWCHAR Path, BOOLEAN IsSystem) |
Returns a pointer to the PROTECTED_PROCESS_INFO structure for the given process Path. More... | |
INTSTATUS | IntWinProcUpdateProtection (void) |
Iterates through the global process list (gWinProcesses) in order to update the protection state for each process. More... | |
static void | IntWinProcHandleDuplicate (QWORD Cr3, QWORD Eprocess) |
Ensures that a newly created process does not exist already. More... | |
static void | IntWinProcSetUserCr3 (WIN_PROCESS_OBJECT *Process, const BYTE *EprocessBuffer) |
Sets the User CR3 value for a newly created process. More... | |
static INTSTATUS | IntWinProcLockCr3 (WIN_PROCESS_OBJECT *Process) |
Locks the kernel and user Cr3 of a process in memory. More... | |
static INTSTATUS | IntWinProcUnlockCr3 (WIN_PROCESS_OBJECT *Process) |
Unlocks the kernel and user Cr3 of a process in memory. More... | |
static void | IntWinProcMarkAsSystemProcess (WIN_PROCESS_OBJECT *Process, const WIN_PROCESS_OBJECT *Parent) |
Mark the process as being a system process. More... | |
INTSTATUS | IntWinProcCreateProcessObject (WIN_PROCESS_OBJECT **Process, QWORD EprocessAddress, PBYTE EprocessBuffer, QWORD ParentEprocess, QWORD RealParentEprocess, QWORD Cr3, DWORD Pid, BOOLEAN StaticScan) |
Allocates a WIN_PROCESS_OBJECT structure for the given process. More... | |
INTSTATUS | IntWinProcPatchPspInsertProcess86 (QWORD FunctionAddress, void *Handler, void *Descriptor) |
This function is responsible for patching the detour that handles "PspInsertProcess". More... | |
INTSTATUS | IntWinProcPatchSwapOut64 (QWORD FunctionAddress, void *Handler, void *Descriptor) |
This function is responsible for patching the detour that handles "KiOutSwapProcesses". More... | |
INTSTATUS | IntWinProcPatchSwapOut32 (QWORD FunctionAddress, void *Handler, void *Descriptor) |
This function is responsible for patching the detour that handles "KiOutSwapProcesses". More... | |
static WIN_PROCESS_OBJECT * | IntWinProcHandleCreateInternal (QWORD NewEprocess, QWORD ParentEprocess, QWORD DebugHandle, INTRO_ACTION *Action) |
Handles process creation for Windows guests. More... | |
INTSTATUS | IntWinProcHandleCreate (void *Detour) |
Detour handler for the PspInsertProcess Windows kernel API. The actual process creation is handled by IntWinProcHandleCreateInternal. This function establishes the context of the creation and, if needed, blocks the process creation. More... | |
INTSTATUS | IntWinProcHandleTerminate (void *Detour) |
This function handles the termination of a Windows process. It is invoked every time "MmCleanProcessAddressSpace" is called (a process is being terminated) and is responsible for removing the process from all the internal structures. More... | |
INTSTATUS | IntWinProcPatchCopyMemoryDetour (QWORD FunctionAddress, void *Handler, void *Descriptor) |
This function is responsible for patching the detour that handles "MmCopyVirtualMemory". It is invoked every time "MmCopyVirtualMemory" is called (a process is writing/reading another process) but before the actual handler IntWinProcHandleCopyMemory, its purpose being to modify the hook code (see winhkhnd.c). More... | |
static BOOLEAN | IntWinProcHandleReadFromLsass (QWORD SourceAddress, DWORD ReadSize, const WIN_PROCESS_OBJECT *Lsass, WIN_PROCESS_MODULE **VictimModule) |
Handles reads from lsass.exe. More... | |
INTSTATUS | IntWinProcHandleCopyMemory (void *Detour) |
This function is responsible for handling process read/write operations. It is invoked every time "MmCopyVirtualMemory" is called (a process is writing/reading another process), its purpose being to block malicious operations, such as a credential dump (reading from lsass.exe). More... | |
INTSTATUS | IntWinProcUnprotect (WIN_PROCESS_OBJECT *Process) |
Remove a process from protection. More... | |
INTSTATUS | IntWinProcProtect (WIN_PROCESS_OBJECT *Process) |
Protects a new process. More... | |
TIMER_FRIENDLY INTSTATUS | IntWinProcValidateSystemCr3 (void) |
This function checks if the system CR3 value was modified and if GUEST_STATE::KernelBetaDetections is NOT set, it restores the original value. More... | |
static BOOLEAN | IntWinProcIsFullPath (const WCHAR *Path) |
This function checks if the provided path is a full path. More... | |
static BOOLEAN | IntWinProcExistsProtectedProcess (CHAR BaseName[IMAGE_BASE_NAME_LEN], const WCHAR *FullPath, DWORD ProtectionMask, QWORD Context) |
This function checks if the provided process is already protected with the given flags. More... | |
static INTSTATUS | IntWinProcRemoveProtectedProcessInternal (CHAR BaseName[IMAGE_BASE_NAME_LEN], const WCHAR *FullPath) |
This function removes the protection for the given process. More... | |
void | IntWinProcUpdateProtectedProcess (const void *Name, const CAMI_STRING_ENCODING Encoding, const CAMI_PROT_OPTIONS *Options) |
This function updates the protection for the given process. More... | |
INTSTATUS | IntWinProcAddProtectedProcess (const WCHAR *Path, DWORD ProtectionMask, QWORD Context) |
This function adds the provided process to the protected process list. More... | |
INTSTATUS | IntWinProcRemoveProtectedProcess (const WCHAR *Path) |
This function removes the provided process from the protected process list. More... | |
INTSTATUS | IntWinProcRemoveAllProtectedProcesses (void) |
This function removes all the processes from the protected process list. More... | |
void | IntWinProcDumpProtected (void) |
Log all the protected processes. More... | |
void | IntWinProcUninit (void) |
This function removes all process objects from the list and calls the cleanup function for each process. More... | |
INTSTATUS | IntWinProcGetObjectByPid (DWORD Pid, WIN_PROCESS_OBJECT **Process) |
This function looks for a process with the given PID inside gWinProcesses and returns its WIN_PROCESS_OBJECT. More... | |
INTSTATUS | IntWinProcChangeProtectionFlags (WIN_PROCESS_OBJECT *Process, DWORD OldMask, DWORD NewMask) |
This function changes the protection flags for the given process. More... | |
INTSTATUS | IntWinProcSwapIn (void *Detour) |
Detour handler for the MmInSwapProcess Windows kernel API. The detour on MmInSwapProcess is set inside the function after/before the EPROCESS.OutSwapped bit is disabled. The guest virtual address of the EPROCESS structure is stored in a register and is provided by 'IntDetGetArgument'. An example of an instruction that is detoured is 'lock and dword ptr [rbx+440h],0FFFFFF7Fh'; in this case the guest virtual address of the EPROCESS is stored in the RBX register. More... | |
INTSTATUS | IntWinProcSwapOut (void *Detour) |
Detour handler for the KiOutSwapProcess Windows kernel API. The detour on KiOutSwapProcess is set after MiOutSwapProcess is called (e.g. 'xor r15b, r15b'). The guest virtual address of the EPROCESS structure is stored in a register and is provided by 'IntDetGetArgument'. An example of a detoured sequence is 'mov rcx, rbx / call nt!MmOutSwapProcess / xor r15b, r15b'; in this case the guest virtual address of the EPROCESS is stored in the RBX register. More... | |
INTSTATUS | IntWinProcHandleInstrument (void *Detour) |
Handles an exit on NtSetInformationProcess calls where the InformationClass argument is 40 (instrumentation callback). The originator is considered to be the current process (by cr3). The victim is taken from the first argument of the API call, which is a handle to the target process. However, we receive an _EPROCESS address thanks to the hook handler. More... | |
INTSTATUS | IntWinProcPrepareInstrument (QWORD FunctionAddress, void *Handler, void *Descriptor) |
This function is responsible for patching the detour that handles "NtSetInformationProcess". More... | |
Variables
LIST_HEAD | gWinProcesses |
The list of all the processes inside the guest. More... | |
RBTREE | gWinProcTreeCr3 |
Tree of all the processes inside the guest, using the kernel CR3 as the key. More... | |
RBTREE | gWinProcTreeUserCr3 |
Tree of all the processes inside the guest, using the user-mode CR3 as the key. More... | |
RBTREE | gWinProcTreeEprocess |
Tree of all the processes inside the guest, using the _EPROCESS address as the key. More... | |
static LIST_HEAD | gWinProtectedProcesses = LIST_HEAD_INIT(gWinProtectedProcesses) |
A list with all the protected processes (containing PROTECTED_PROCESS_INFO elements). More... | |
static DWORD | gTotalProtectedProcs = 0 |
The total number of protected processes. More... | |
const WCHAR | gSystemPath [] = u"\\windows\\system32\\" |
The system path. More... | |
const WCHAR | gSysWowPath [] = u"\\windows\\syswow64\\" |
The syswow path (32 bit process on a 64 bit OS). More... | |
const PROTECTED_PROCESS_INFO | gSystemProcesses [] |
This is a list with system processes and their default protection mask. More... | |
const PROTECTED_PROCESS_INFO | gWinForcedProtectedProcesses [] |
This is a list with non system processes that have a default protection mask. More... | |
static const char * | gCmdLineProcesses [] |
This is a list of processes for which we want to read the command line (not to be confused with PROC_OPT_PROT_SCAN_CMD_LINE). More... | |
This file handles Windows Processes related events (Creation, Termination, Copy Memory, etc.).
In order to protect Windows processes, introcore places some hooks (see winhkhnd.c) on functions such as "PspInsertProcess" (used for process creation) or "MmCleanProcessAddressSpace" (used for process termination) in order to keep a list of all the running processes (gWinProcesses). When a process is being started, DPI (Deep Process Inspection) checks are carried out in order to determine if the creation should be allowed or not (see windpi.c). Also at process creation, the protection for the newly created process is enabled (according to the protection flags WINPROC_PROT_MASK_*). Apart from process creation/termination, this file contains the detour functions that handle process memory reads/writes (IPC).
Definition in file winprocess.c.
#define CMDLINE_LEN_NO_SCAN ALERT_CMDLINE_MAX_LEN |
The maximum length (in bytes) of the data read from the guest when reading the command line of a process that is not protected with the PROC_OPT_PROT_SCAN_CMD_LINE.
This is usually a process from the gCmdLineProcesses list. Note that this must always be an even number because it represents the length of a WCHAR string.
Definition at line 29 of file winprocess.c.
Referenced by IntWinGetPrcoCmdLineHandleCmdLineInMemory().
#define CMDLINE_MAX_LEN (WORD_MAX - 1) |
The maximum length (in bytes) of the data read from the guest when reading the command line of a process protected with PROC_OPT_PROT_SCAN_CMD_LINE.
Note that this must always be an even number because it represents the length of a WCHAR string. This is enough to cover the 32767 maximum character limit imposed by CreateProcess. See https://devblogs.microsoft.com/oldnewthing/20031210-00/?p=41553 for details.
Definition at line 37 of file winprocess.c.
Referenced by IntWinGetPrcoCmdLineHandleCmdLineInMemory().
#define NACL_CMD_LINE "--type=nacl-loader" |
Referenced by IntWinGetProcCmdLineHandleBufferInMemory().
Called from within IntSwapMemReadData when the UNICODE_STRING32 or UNICODE_STRING64 structure that contains the command line buffer of a process has been read.
[in] | Context | The WIN_PROCESS_OBJECT structure. |
[in] | Cr3 | The virtual address space. |
[in] | VirtualAddress | The base virtual address read. |
[in] | PhysicalAddress | The physical address of the first page (VirtualAddress) read. |
[in] | Data | Buffer containing the read data. This will be freed once the callback returns! |
[in] | DataSize | Size of the Data buffer. |
[in] | Flags | Swap flags. Check out SWAPMEM_FLG* for more info. |
INT_STATUS_SUCCESS | On success. |
Definition at line 749 of file winprocess.c.
Referenced by IntWinGetPrcoCmdLineHandleUserParamsInMemory().
Called from within IntSwapMemReadData when the RTL_USER_PROCESS_PARAMETERS32 or RTL_USER_PROCESS_PARAMETERS64 structure of the process (Context) has been read.
[in] | Context | The WIN_PROCESS_OBJECT structure. |
[in] | Cr3 | The virtual address space. |
[in] | VirtualAddress | The base virtual address read. |
[in] | PhysicalAddress | The physical address of the first page (VirtualAddress) read. |
[in] | Data | Buffer containing the read data. This will be freed once the callback returns! |
[in] | DataSize | Size of the Data buffer. |
[in] | Flags | Swap flags. Check out SWAPMEM_FLG* for more info. |
INT_STATUS_SUCCESS | On success. |
Definition at line 826 of file winprocess.c.
Referenced by IntWinProcReadCommandLine().
Called from within IntSwapMemReadData when the command line buffer of a process has been fully read.
This function will copy the command line to the WIN_PROCESS_OBJECT::CommandLine and inspect it if PROC_OPT_PROT_SCAN_CMD_LINE is set for the process in question.
[in] | Context | The WIN_PROCESS_OBJECT structure. |
[in] | Cr3 | The virtual address space. |
[in] | VirtualAddress | The base virtual address read. |
[in] | PhysicalAddress | The physical address of the first page (VirtualAddress) read. |
[in] | Data | Buffer containing the read data. This will be freed once the callback returns! |
[in] | DataSize | Size of the Data buffer. |
[in] | Flags | Swap flags. Check out SWAPMEM_FLG* for more info. |
INT_STATUS_SUCCESS | On success. |
Definition at line 655 of file winprocess.c.
Referenced by IntWinGetPrcoCmdLineHandleCmdLineInMemory().
This function adds the provided process to the protected process list.
[in] | Path | The full process path. |
[in] | ProtectionMask | The process protection mask. |
[in] | Context | Protection policy context. |
INT_STATUS_SUCCESS | On success. |
Definition at line 3712 of file winprocess.c.
Referenced by IntAddRemoveProtectedProcessUtf16(), IntAddRemoveProtectedProcessUtf8(), and IntWinProcPolicyIsFeedback().
INTSTATUS IntWinProcChangeProtectionFlags | ( | WIN_PROCESS_OBJECT * | Process, |
DWORD | OldMask, | ||
DWORD | NewMask | ||
) |
This function changes the protection flags for the given process.
[in] | Process | The process to update the protection flags for. |
[in] | OldMask | The old protection flag mask. |
[in] | NewMask | The new protection flag mask. |
INT_STATUS_SUCCESS | On success. |
INT_STATUS_INVALID_PARAMETER_1 | The process object is NULL. |
INT_STATUS_NOT_NEEDED_HINT | The masks are identical. |
Definition at line 4046 of file winprocess.c.
Referenced by IntWinProcPolicyIsFeedback(), IntWinProcProtect(), IntWinProcUnprotect(), and IntWinProcUpdateProtection().
INTSTATUS IntWinProcCreateProcessObject | ( | WIN_PROCESS_OBJECT ** | Process, |
QWORD | EprocessAddress, | ||
PBYTE | EprocessBuffer, | ||
QWORD | ParentEprocess, | ||
QWORD | RealParentEprocess, | ||
QWORD | Cr3, | ||
DWORD | Pid, | ||
BOOLEAN | StaticScan | ||
) |
Allocates a WIN_PROCESS_OBJECT structure for the given process.
This function is responsible for allocating a WIN_PROCESS_OBJECT structure for the given process, reading its command line if necessary, importing its main module VAD, protecting the process, sending a notification to the integrator, etc.
If the process is swapped-out we no longer:
The protection is activated when the process is swapped-in (IntWinProcSwapIn).
[out] | Process | The internally allocated process object. |
[in] | EprocessAddress | The EPROCESS address of the process. |
[in] | EprocessBuffer | The address of the EPROCESS mapping. |
[in] | ParentEprocess | The EPROCESS address of the parent process. |
[in] | RealParentEprocess | The EPROCESS address of the real parent process. |
[in] | Cr3 | The address space. |
[in] | Pid | The process identifier. |
[in] | StaticScan | TRUE if the process already existed but was found only now (when initializing the introspection), FALSE if this process was just created. |
INT_STATUS_SUCCESS | On success. |
Definition at line 1544 of file winprocess.c.
Referenced by IntWinProcAdd(), IntWinProcHandleCreateInternal(), IntWinProcPolicyIsFeedback(), and IntWinProcSwapIn().
Create a process subsystem for the given process.
[in] | Process | The process to create the subsystem for. |
[out] | Subsystem | The allocated subsystem. |
[in] | SubsystemType | The subsystem type (SUBSYSTEM_32BIT or SUBSYSTEM_64BIT). |
INT_STATUS_SUCCESS | On success. |
INT_STATUS_INSUFFICIENT_RESOURCES | If the memory allocation failed. |
Definition at line 578 of file winprocess.c.
Referenced by IntWinProcCreateProcessObject().
Used to delete the process from the Introcore internal structures.
This function is responsible for finding the process in the internal list (gWinProcesses), sending any necessary notifications to the integrator (process terminated, process crashed or agent process terminated), disabling the protection, deleting the process object, etc.
[in] | EprocessAddress | The address of the eprocess to be deleted. |
[in] | Cr3 | The address space. |
[in] | Pid | The process identifier. |
INT_STATUS_SUCCESS | On success. |
INT_STATUS_NOT_FOUND | If the process was not found in the internal list (gWinProcesses). |
Definition at line 2171 of file winprocess.c.
Referenced by IntWinProcHandleCreate(), IntWinProcHandleDuplicate(), IntWinProcHandleTerminate(), and IntWinProcSwapIn().
void IntWinProcDumpProtected | ( | void | ) |
Log all the protected processes.
Definition at line 3912 of file winprocess.c.
Referenced by DbgProcList(), and IntWinProcPolicyIsFeedback().
Enables DEP (Data Execution Prevention) for a certain process.
[in] | Process | The process to enable DEP for. |
INT_STATUS_SUCCESS | On success. |
Definition at line 224 of file winprocess.c.
Referenced by IntWinProcChangeProtectionFlags().
This function checks if the provided process is already protected with the given flags.
This function iterates through gWinProtectedProcesses and looks for the given process. If the BaseName, FullPath and ProtectionMask match, the PROTECTED_PROCESS_INFO::Context is set to the given Context.
[in] | BaseName | The name of the process (limited to IMAGE_BASE_NAME_LEN) |
[in] | FullPath | The full process path. |
[in] | ProtectionMask | The process protection mask. |
[in] | Context | Protection policy context. |
TRUE | The process is already protected using the given protection mask and context. |
FALSE | The process is NOT protected at all or with a different protection mask. |
Definition at line 3552 of file winprocess.c.
Referenced by IntWinProcAddProtectedProcess().
Fill the system directory path for the given subsystem.
[in] | Subsystem | The subsystem for which the system directory path needs to be filled. |
Definition at line 557 of file winprocess.c.
Referenced by IntWinProcCreateProcessSubsystem().
Get the BaseName and FullName of an image from the FullPath.
[in] | FullPath | The full path of an image. |
[out] | BaseName | The base name of an image (limited to IMAGE_BASE_NAME_LEN). |
[out] | FullName | The full name of an image. |
Definition at line 957 of file winprocess.c.
Referenced by IntWinProcAddProtectedProcess(), IntWinProcGetProtectedInfoEx(), and IntWinProcRemoveProtectedProcess().
INTSTATUS IntWinProcGetObjectByPid | ( | DWORD | Pid, |
WIN_PROCESS_OBJECT ** | Process | ||
) |
This function looks for a process with the given PID inside gWinProcesses and returns its WIN_PROCESS_OBJECT.
[in] | Pid | The process identifier. |
[out] | Process | The process object for the given PID. |
INT_STATUS_SUCCESS | On success. |
INT_STATUS_NOT_FOUND | If the process was not found. |
Definition at line 4003 of file winprocess.c.
Referenced by IntWinGetAccessTokenFromProcess(), and IntWinProcPolicyIsFeedback().
Returns a pointer to the PROTECTED_PROCESS_INFO structure for the given process BaseName.
[in] | BaseName | The name of the process. |
[in] | IsSystem | TRUE if the process is system process, FALSE otherwise. |
PROTECTED_PROCESS_INFO | If the process is protected. |
NULL | If the process is NOT protected. |
Definition at line 1012 of file winprocess.c.
Referenced by IntWinProcCreateProcessObject(), and IntWinProcUpdateProtection().
const PROTECTED_PROCESS_INFO* IntWinProcGetProtectedInfoEx | ( | PWCHAR | Path, |
BOOLEAN | IsSystem | ||
) |
Returns a pointer to the PROTECTED_PROCESS_INFO structure for the given process Path.
[in] | Path | The path of the process. |
[in] | IsSystem | TRUE if the process is system process, FALSE otherwise. |
PROTECTED_PROCESS_INFO | If the process is protected. |
NULL | If the process is NOT protected. |
Definition at line 1070 of file winprocess.c.
Referenced by IntWinModHandleModulePathInMemory(), IntWinProcPolicyIsFeedback(), and IntWinProcUpdateProtection().
Handles process creation for Windows guests.
This function extracts the needed information from the newly created EPROCESS and creates a new WIN_PROCESS_OBJECT using IntWinProcCreateProcessObject. It also triggers the deep process inspection checks using IntWinDpiGatherDpiInfo.
[in] | NewEprocess | The guest virtual address of the EPROCESS structure of the newly created process. |
[in] | ParentEprocess | The guest virtual address of the EPROCESS structure of the parent process, as set by the Windows kernel. |
[in] | DebugHandle | The debug handle used for this process. Can be 0. |
[out] | Action | The action to be taken. Will be introGuestNotAllowed if this process creation is not allowed (either due to the PROC_OPT_PROT_PREVENT_CHILD_CREATION process protection option, or due to one of the INTRO_OPT_PROT_DPI options). |
Definition at line 2494 of file winprocess.c.
Referenced by IntWinProcHandleCreate().
Ensures that a newly created process does not exist already.
Duplicates are searched by Cr3 and Eprocess GLA. If one exists, it is removed as it's probably terminated by now. Note that we don't need to invalidate caches or terminate protection, as this scenario only happens on resume from hibernate, where we iterate the process list, and we identify a process that has been terminated, but it wasn't removed from the process list just yet. We will remove it from our list as soon as another process with the same CR3 is created. Until then, it can simply remain there, as it doesn't pose any issues.
[in] | Cr3 | The Cr3 of the newly created process. For processes for which KPTI is on, this is the kernel Cr3. |
[in] | Eprocess | The GLA of the newly created EPROCESS. |
Definition at line 1276 of file winprocess.c.
Referenced by IntWinProcCreateProcessObject().
Handles reads from lsass.exe.
[in] | SourceAddress | The guest linear address from where data is read. |
[in] | ReadSize | The size of the memory copy operation. |
[in] | Lsass | Pointer to the lsass.exe WIN_PROCESS_OBJECT structure. |
[out] | VictimModule | Will contain a pointer to the module loaded inside lsass.exe from which data is read. If data is not copied from any module, it will be NULL. |
True | if this read should be allowed without doing any extra checks. |
False | if this read should be further analyzed. |
Definition at line 2794 of file winprocess.c.
Referenced by IntWinProcHandleCopyMemory().
Checks if the exploit guard is enabled for a certain process.
[in] | EprocessAddress | The eprocess - GVA. |
[in] | Eprocess | The eprocess - Introcore mapped value. |
TRUE | If the exploit guard is enabled. |
FALSE | If the exploit guard is disabled. |
Definition at line 185 of file winprocess.c.
Referenced by IntWinProcCreateProcessObject().
This function checks if the provided path is a full path.
Definition at line 3525 of file winprocess.c.
Referenced by IntWinProcAddProtectedProcess().
Locks the kernel and user Cr3 of a process in memory.
We do not want the OS to change the process CR3. If this fails, introcore is disabled.
Locking is done using IntWinPfnLockGpa.
[in,out] | Process | The process for which to lock the CR3. The WIN_PFN_LOCK handle will be saved inside the process object. |
Definition at line 1376 of file winprocess.c.
Referenced by IntWinProcCreateProcessObject().
Mark the given process as being an agent.
In order to improve performance, we will store a '?' character in the ImageName[14] for the agent processes. In case the Introcore will start again, we will know this is an agent.
[in] | Process | The agent process. |
[in] | Mark | TRUE if the process needs to be marked, FALSE otherwise. |
INT_STATUS_SUCCESS | On success. |
Definition at line 364 of file winprocess.c.
Referenced by IntWinProcUninit().
Mark the process as being a system process.
A process is considered system if:
Initially, System is the only system process, so it is the root of all system processes.
[in,out] | Process | The process to be checked. The WIN_PROCESS_OBJECT.SystemProcess field will be set to TRUE if the process is a system process. |
[in] | Parent | The parent process. |
Definition at line 1468 of file winprocess.c.
Referenced by IntWinProcCreateProcessObject().
INTSTATUS IntWinProcPatchPspInsertProcess86 | ( | QWORD | FunctionAddress, |
void * | Handler, | ||
void * | Descriptor | ||
) |
This function is responsible for patching the detour that handles "PspInsertProcess".
This function is invoked every time "PspInsertProcess" is called (a process is created) but before the actual handler IntWinProcHandleCreate, its purpose being to modify the hook code (see winhkhnd.c). On some 32-bit versions of Windows, a RET N instruction is used, so the code must take that into account when blocking a process creation.
[in] | FunctionAddress | The address of the function. |
[in] | Handler | An API_HOOK_HANDLER structure. |
[in] | Descriptor | Pointer to a structure that describes the hook and the detour handler. |
INT_STATUS_SUCCESS | On success. |
Definition at line 2346 of file winprocess.c.
Referenced by IntWinProcPolicyIsFeedback().
Saves the process protection info within an EPROCESS spare field.
It uses an EPROCESS spare field to store the protection info for a given process (the first byte is '*', while the second one saves the protection information as a bitmask).
[in] | Process | The process to save the information for. |
INT_STATUS_SUCCESS | On success. |
Definition at line 291 of file winprocess.c.
Referenced by IntWinProcChangeProtectionFlags().
This function is responsible for patching the detour that handles "KiOutSwapProcesses".
[in] | FunctionAddress | The address of the function. |
[in] | Handler | An API_HOOK_HANDLER structure. |
[in] | Descriptor | Pointer to a structure that describes the hook and the detour handler. |
INT_STATUS_SUCCESS | On success. |
Definition at line 2443 of file winprocess.c.
Referenced by IntWinProcPolicyIsFeedback().
This function is responsible for patching the detour that handles "KiOutSwapProcesses".
[in] | FunctionAddress | The address of the function. |
[in] | Handler | An API_HOOK_HANDLER structure. |
[in] | Descriptor | Pointer to a structure that describes the hook and the detour handler. |
INT_STATUS_SUCCESS | On success. |
Definition at line 2387 of file winprocess.c.
Referenced by IntWinProcPolicyIsFeedback().
This function is responsible for patching the detour that handles "NtSetInformationProcess".
This function is called before the hook is placed in guest memory in order to "patch" the values of any exports or field offsets that it may need. Specifically, this patches PsProcessType, ObReferenceObjectByHandle, ObDereferenceObject and the offset of the Spare field in the _EPROCESS structure.
[in] | FunctionAddress | The guest virtual address of the hooked function. |
[in] | Handler | Optional pointer to a API_HOOK_HANDLER structure. |
[in] | Descriptor | Pointer to a structure that describes the hook and the detour handler. |
Definition at line 4623 of file winprocess.c.
Referenced by IntWinProcPolicyIsFeedback().
INTSTATUS IntWinProcProtect | ( | WIN_PROCESS_OBJECT * | Process | ) |
Protects a new process.
[in] | Process | The process to be protected. |
INT_STATUS_SUCCESS | On success. |
INT_STATUS_INVALID_PARAMETER_1 | If the process is NULL. |
INT_STATUS_NOT_NEEDED_HINT | If the process is already protected. |
Definition at line 3287 of file winprocess.c.
Referenced by IntWinProcCreateProcessObject(), IntWinProcPolicyIsFeedback(), and IntWinProcUpdateProtection().
INTSTATUS IntWinProcReadCommandLine | ( | WIN_PROCESS_OBJECT * | Process | ) |
Reads the command line of the given process using IntSwapMemReadData.
[in] | Process | The process to read the command line from. |
INT_STATUS_SUCCESS | On success. |
Definition at line 900 of file winprocess.c.
Referenced by IntWinProcCreateProcessObject(), and IntWinProcPolicyIsFeedback().
INTSTATUS IntWinProcRemoveAllProtectedProcesses | ( | void | ) |
This function removes all the processes from the protected process list.
INT_STATUS_SUCCESS | On success. |
Definition at line 3880 of file winprocess.c.
Referenced by IntRemoveAllProtectedProcesses(), and IntWinProcPolicyIsFeedback().
|
static |
Used to free the memory allocations and swap memory transactions used by a PWIN_PROCESS_OBJECT.
This function is responsible for restoring the EPROCESS spare value, removing any pending swap memory transactions, and freeing the WIN_PROCESS_OBJECT structure.
[in] | Process | The process object to be removed. |
INT_STATUS_SUCCESS | On success. |
Definition at line 2031 of file winprocess.c.
Referenced by IntWinProcCreateProcessObject(), IntWinProcDeleteProcessObject(), and IntWinProcUninit().
This function removes the provided process from the protected process list.
[in] | Path | The full process path. |
INT_STATUS_SUCCESS | On success. |
Definition at line 3826 of file winprocess.c.
Referenced by IntAddRemoveProtectedProcessUtf16(), IntAddRemoveProtectedProcessUtf8(), and IntWinProcPolicyIsFeedback().
|
static |
This function removes the protection for the given process.
This function iterates through gWinProtectedProcesses and looks for the given process. If both the BaseName and the FullPath match, the process is removed from the list.
[in] | BaseName | The name of the process (limited to IMAGE_BASE_NAME_LEN) |
[in] | FullPath | The full process path. |
INT_STATUS_SUCCESS | On success. |
Definition at line 3614 of file winprocess.c.
Referenced by IntWinProcAddProtectedProcess(), and IntWinProcRemoveProtectedProcess().
|
static |
Removes a process subsystem.
[in] | Subsystem | The subsystem to be removed. |
INT_STATUS_SUCCESS | On success. |
INT_STATUS_INVALID_PARAMETER_1 | If the Subsystem parameter is NULL. |
Definition at line 614 of file winprocess.c.
Referenced by IntWinProcRemoveProcess().
|
static |
Send a process creation/termination event that symbolizes an agent.
If the current process is an agent, send an agent process creation/termination event.
[in] | Process | The agent process. |
[in] | Created | TRUE if the process was created, FALSE otherwise. |
INT_STATUS_SUCCESS | On success. |
Definition at line 401 of file winprocess.c.
Referenced by IntWinProcCreateProcessObject(), and IntWinProcDeleteProcessObject().
|
static |
Send a process creation/termination event.
If INTRO_OPT_EVENT_PROCESSES is set, send a process creation/termination event.
[in] | Process | The process to send the event for. |
[in] | Created | TRUE if the process was created, FALSE otherwise. |
[in] | Crashed | TRUE if the process was terminated because a crash occurred. |
INT_STATUS_SUCCESS | On success. |
Definition at line 448 of file winprocess.c.
Referenced by IntWinProcCreateProcessObject(), and IntWinProcDeleteProcessObject().
|
static |
Send a process exception event.
If INTRO_OPT_EVENT_PROCESS_CRASH is set, send a process exception event.
[in] | Process | The process to send the event for. |
INT_STATUS_SUCCESS | On success. |
INT_STATUS_NOT_NEEDED_HINT | If there was no exception or the event is not activated. |
Definition at line 507 of file winprocess.c.
Referenced by IntWinProcDeleteProcessObject().
|
static |
Sets the User CR3 value for a newly created process.
Handles all possible cases.
[in,out] | Process | The process object for which to set the WIN_PROCESS_OBJECT.UserCr3 field. For 64-bit guests with KPTI active, this is the value of the UserCr3 EPROCESS field (see winKmFieldProcessUserCr3), as long as it is at least 0x1000. For 32-bit processes, this will be the kernel Cr3 or'ed with 0x20. If KPTI is not active this will have the same value as the kernel Cr3. |
[in] | EprocessBuffer | A buffer that maps the EPROCESS structure. The buffer should be large enough to fit the UserCr3 field. |
Definition at line 1327 of file winprocess.c.
Referenced by IntWinProcCreateProcessObject().
void IntWinProcUninit | ( | void | ) |
This function removes all process objects from the list and calls the cleanup function for each process.
Definition at line 3940 of file winprocess.c.
Referenced by IntWinGuestUninit(), and IntWinProcPolicyIsFeedback().
|
static |
Unlocks the kernel and user Cr3 of a process in memory.
Unlocking is done using IntWinPfnRemoveLock.
[in,out] | Process | The process for which to unlock the CR3. The WIN_PFN_LOCK handle will be saved inside the process object. |
Definition at line 1425 of file winprocess.c.
Referenced by IntWinProcSwapOut().
INTSTATUS IntWinProcUnprotect | ( | WIN_PROCESS_OBJECT * | Process | ) |
Remove a process from protection.
[in] | Process | The process to be removed from protection. |
INT_STATUS_SUCCESS | On success. |
INT_STATUS_INVALID_PARAMETER_1 | If the process is NULL. |
Definition at line 3247 of file winprocess.c.
Referenced by IntWinModHandleModulePathInMemory(), IntWinProcDeleteProcessObject(), IntWinProcPolicyIsFeedback(), IntWinProcProtect(), IntWinProcSwapOut(), IntWinProcUninit(), and IntWinProcUpdateProtection().
void IntWinProcUpdateProtectedProcess | ( | const void * | Name, |
const CAMI_STRING_ENCODING | Encoding, | ||
const CAMI_PROT_OPTIONS * | Options | ||
) |
This function updates the protection for the given process.
[in] | Name | The name of the process. |
[in] | Encoding | The encoding used by the Name variable. |
[in] | Options | The protection options to be applied. |
Definition at line 3657 of file winprocess.c.
Referenced by IntCamiUpdateProcessProtectionItems(), and IntWinProcPolicyIsFeedback().
INTSTATUS IntWinProcUpdateProtection | ( | void | ) |
Iterates through the global process list (gWinProcesses) in order to update the protection state for each process.
INT_STATUS_SUCCESS | On success. |
Definition at line 1162 of file winprocess.c.
Referenced by IntCamiSetProcProtOptions(), IntGuestUpdateCoreOptions(), IntWinProcAddProtectedProcess(), IntWinProcPolicyIsFeedback(), and IntWinProcRemoveProtectedProcess().
TIMER_FRIENDLY INTSTATUS IntWinProcValidateSystemCr3 | ( | void | ) |
This function checks whether the system CR3 value was modified and, if GUEST_STATE::KernelBetaDetections is NOT set, restores the original value.
INT_STATUS_SUCCESS | On success. |
INT_STATUS_NOT_FOUND | If the system process was not found within the gWinProcesses. |
INT_STATUS_NOT_INITIALIZED_HINT | If the introcore is not fully initialized. |
Definition at line 3371 of file winprocess.c.
Referenced by IntHandleTimer(), and IntWinProcPolicyIsFeedback().
|
static |
This is a list of processes for which we want to read the command line (not to be confused with PROC_OPT_PROT_SCAN_CMD_LINE).
Definition at line 146 of file winprocess.c.
Referenced by IntWinProcCreateProcessObject().
const WCHAR gSystemPath[] = u"\\windows\\system32\\" |
The system path.
Definition at line 72 of file winprocess.c.
Referenced by IntWinProcFillSystemPath().
const PROTECTED_PROCESS_INFO gSystemProcesses[] |
This is a list with system processes and their default protection mask.
Definition at line 82 of file winprocess.c.
const WCHAR gSysWowPath[] = u"\\windows\\syswow64\\" |
The syswow path (32 bit process on a 64 bit OS).
Definition at line 77 of file winprocess.c.
Referenced by IntWinProcFillSystemPath().
|
static |
The total number of protected processes.
Definition at line 67 of file winprocess.c.
Referenced by IntWinProcProtect(), IntWinProcUnprotect(), and IntWinProcUpdateProtection().
const PROTECTED_PROCESS_INFO gWinForcedProtectedProcesses[] |
This is a list with non system processes that have a default protection mask.
Definition at line 131 of file winprocess.c.
LIST_HEAD gWinProcesses |
The list of all the processes inside the guest.
Definition at line 11 of file winprocesshp.c.
RBTREE gWinProcTreeCr3 |
Tree of all the processes inside the guest, using the kernel CR3 as the key.
Definition at line 13 of file winprocesshp.c.
RBTREE gWinProcTreeEprocess |
Tree of all the processes inside the guest, using the _EPROCESS address as the key.
Definition at line 18 of file winprocesshp.c.
RBTREE gWinProcTreeUserCr3 |
Tree of all the processes inside the guest, using the user-mode CR3 as the key.
Definition at line 15 of file winprocesshp.c.
|
static |
A list with all the protected processes (containing PROTECTED_PROCESS_INFO elements).
Definition at line 62 of file winprocess.c.