Bitdefender Hypervisor Memory Introspection

Exposes the types, constants and functions used to handle Windows processes events (creation, termination, memory reads/writes, etc.).

#include "winumpath.h"
#include "winguest.h"
#include "update_guests.h"
#include "windpi.h"
#include "winsecdesc.h"
Data Structures

| Kind | Name | Description |
|---|---|---|
| struct | _WIN_PROCESS_SUBSYSTEM | Windows process subsystem. |
| struct | _WIN_PROCESS_OBJECT | This structure describes a running process inside the guest. |
Macros

| Macro | Description |
|---|---|
| #define WIN_STATUS_ACCESS_DENIED 0xC0000022 | Equivalent to NTSTATUS STATUS_ACCESS_DENIED. |
| #define WIN_STATUS_SUCCESS 0x00000000 | Equivalent to NTSTATUS STATUS_SUCCESS. |
Typedefs

| Typedef | Description |
|---|---|
| typedef enum _WIN_SUBSYTEM_TYPE WIN_SUBSYTEM_TYPE | The Windows subsystem types. |
| typedef enum _WINPROC_GUEST_EXITS WINPROC_GUEST_EXITS | Windows guest exit types. |
| typedef struct _WIN_PROCESS_SUBSYSTEM WIN_PROCESS_SUBSYSTEM | Windows process subsystem. |
| typedef struct _WIN_PROCESS_SUBSYSTEM * PWIN_PROCESS_SUBSYSTEM | |
| typedef struct _WIN_PROCESS_OBJECT WIN_PROCESS_OBJECT | This structure describes a running process inside the guest. |
| typedef struct _WIN_PROCESS_OBJECT * PWIN_PROCESS_OBJECT | |
Enumerations

| Enumeration | Description |
|---|---|
| enum _WIN_SUBSYTEM_TYPE { winSubsysUnknown = 0, winSubsys64Bit, winSubsys32Bit } | The Windows subsystem types. |
| enum _WINPROC_GUEST_EXITS { winProcExitVad = 0x01, winProcExitWriteMemory = 0x02, winProcExitReadMemory = 0x04, winProcExitThreadCtx = 0x08, winProcExitQueueApc = 0x10, winProcExitSetProcInfo = 0x20 } | Windows guest exit types. |
Functions

| Return type | Function | Description |
|---|---|---|
| static QWORD | IntWinProcGetProtOption (const WIN_PROCESS_OBJECT *Process) | Get the protection type for the given process. |
| static BOOLEAN | IntWinProcPolicyIsBeta (const WIN_PROCESS_OBJECT *Process, QWORD Flag) | Checks if the given process is protected with the provided flag (in beta mode). |
| static BOOLEAN | IntWinProcPolicyIsFeedback (const WIN_PROCESS_OBJECT *Process, QWORD Flag) | Checks if the given process is protected with the provided flag (in feedback mode). |
| INTSTATUS | IntWinProcHandleCreate (void *Detour) | Detour handler for the PspInsertProcess Windows kernel API. The actual process creation is handled by IntWinProcHandleCreateInternal. This function establishes the context of the creation and, if needed, blocks the process creation. |
| INTSTATUS | IntWinProcHandleTerminate (void *Detour) | This function handles the termination of a Windows process. It is invoked every time "MmCleanProcessAddressSpace" is called (a process is being terminated) and is responsible for removing the process from all the internal structures. |
| INTSTATUS | IntWinProcHandleCopyMemory (void *Detour) | This function is responsible for handling process read/write operations. It is invoked every time "MmCopyVirtualMemory" is called (a process is writing/reading another process), its purpose being to block malicious operations, such as a credential dump (reading from lsass.exe). |
| INTSTATUS | IntWinProcSwapIn (void *Detour) | Detour handler for the MmInSwapProcess Windows kernel API. The detour on MmInSwapProcess is set inside the function, after/before the EPROCESS.OutSwapped bit is disabled. The guest virtual address of the EPROCESS structure is stored in a register and is provided by 'IntDetGetArgument'. An example of a detoured instruction is 'lock and dword ptr [rbx+440h],0FFFFFF7Fh'; in this case the guest virtual address of the EPROCESS is stored in the RBX register. |
| INTSTATUS | IntWinProcSwapOut (void *Detour) | Detour handler for the KiOutSwapProcess Windows kernel API. The detour on KiOutSwapProcess is set after MiOutSwapProcess is called (e.g. 'xor r15b, r15b'). The guest virtual address of the EPROCESS structure is stored in a register and is provided by 'IntDetGetArgument'. An example of a detoured sequence is 'mov rcx, rbx / call nt!MmOutSwapProcess / xor r15b, r15b'; in this case the guest virtual address of the EPROCESS is stored in the RBX register. |
| INTSTATUS | IntWinProcPatchCopyMemoryDetour (QWORD FunctionAddress, void *Handler, void *Descriptor) | This function is responsible for patching the detour that handles "MmCopyVirtualMemory". It is invoked every time "MmCopyVirtualMemory" is called (a process is writing/reading another process), but before the actual handler IntWinProcHandleCopyMemory, its purpose being to modify the hook code (see winhkhnd.c). |
| INTSTATUS | IntWinProcPatchPspInsertProcess86 (QWORD FunctionAddress, void *Handler, void *Descriptor) | This function is responsible for patching the detour that handles "PspInsertProcess". |
| INTSTATUS | IntWinProcPatchSwapOut64 (QWORD FunctionAddress, void *Handler, void *Descriptor) | This function is responsible for patching the detour that handles "KiOutSwapProcesses". |
| INTSTATUS | IntWinProcPatchSwapOut32 (QWORD FunctionAddress, void *Handler, void *Descriptor) | This function is responsible for patching the detour that handles "KiOutSwapProcesses". |
| INTSTATUS | IntWinProcProtect (WIN_PROCESS_OBJECT *Process) | Protects a new process. |
| INTSTATUS | IntWinProcUnprotect (WIN_PROCESS_OBJECT *Process) | Removes a process from protection. |
| const PROTECTED_PROCESS_INFO * | IntWinProcGetProtectedInfoEx (PWCHAR Path, BOOLEAN IsSystem) | Returns a pointer to the PROTECTED_PROCESS_INFO structure for the given process Path. |
| INTSTATUS | IntWinProcUpdateProtection (void) | Iterates through the global process list (gWinProcesses) in order to update the protection state for each process. |
| INTSTATUS | IntWinProcCreateProcessObject (WIN_PROCESS_OBJECT **Process, QWORD EprocessAddress, PBYTE EprocessBuffer, QWORD ParentEprocess, QWORD RealParentEprocess, QWORD Cr3, DWORD Pid, BOOLEAN StaticScan) | Allocates a WIN_PROCESS_OBJECT structure for the given process. |
| INTSTATUS | IntWinProcValidateSystemCr3 (void) | This function checks if the system CR3 value was modified and, if GUEST_STATE::KernelBetaDetections is NOT set, restores the original value. |
| INTSTATUS | IntWinProcAddProtectedProcess (const WCHAR *Path, DWORD ProtectionMask, QWORD Context) | This function adds the provided process to the protected process list. |
| INTSTATUS | IntWinProcRemoveProtectedProcess (const WCHAR *Path) | This function removes the provided process from the protected process list. |
| INTSTATUS | IntWinProcRemoveAllProtectedProcesses (void) | This function removes all the processes from the protected process list. |
| void | IntWinProcDumpProtected (void) | Log all the protected processes. |
| void | IntWinProcUninit (void) | This function removes all process objects from the list and calls the cleanup function for each process. |
| INTSTATUS | IntWinProcGetObjectByPid (DWORD Pid, WIN_PROCESS_OBJECT **Process) | This function looks for a process with the given PID inside gWinProcesses and returns its WIN_PROCESS_OBJECT. |
| INTSTATUS | IntWinProcReadCommandLine (WIN_PROCESS_OBJECT *Process) | Reads the command line of the given process using IntSwapMemReadData. |
| INTSTATUS | IntWinProcChangeProtectionFlags (WIN_PROCESS_OBJECT *Process, DWORD OldMask, DWORD NewMask) | This function changes the protection flags for the given process. |
| void | IntWinProcUpdateProtectedProcess (const void *Name, const CAMI_STRING_ENCODING Encoding, const CAMI_PROT_OPTIONS *Options) | This function updates the protection for the given process. |
| INTSTATUS | IntWinProcHandleInstrument (void *Detour) | Handles an exit on NtSetInformationProcess calls where the InformationClass argument is 40 (instrumentation callback). The originator is considered to be the current process (by CR3). The victim is taken from the first argument of the API call, which is a handle to the target process; however, thanks to the hook handler, an _EPROCESS address is received instead. |
| INTSTATUS | IntWinProcPrepareInstrument (QWORD FunctionAddress, void *Handler, void *Descriptor) | This function is responsible for patching the detour that handles "NtSetInformationProcess". |
Definition in file winprocess.h.
#define WIN_STATUS_ACCESS_DENIED 0xC0000022

Equivalent to NTSTATUS STATUS_ACCESS_DENIED.
Definition at line 23 of file winprocess.h.
Referenced by IntWinProcHandleCopyMemory(), IntWinProcHandleInstrument(), IntWinThrHandleQueueApc(), and IntWinThrHandleThreadHijack().

#define WIN_STATUS_SUCCESS 0x00000000

Equivalent to NTSTATUS STATUS_SUCCESS.
Definition at line 24 of file winprocess.h.
Referenced by IntWinProcHandleCopyMemory(), IntWinProcHandleInstrument(), IntWinThrHandleQueueApc(), and IntWinThrHandleThreadHijack().
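The MmCopyVirtualMemory detour described above (IntWinProcHandleCopyMemory) hands one of these two NTSTATUS values back to the guest: STATUS_SUCCESS lets the cross-process read/write proceed, STATUS_ACCESS_DENIED blocks it. The following is an added, self-contained model of that decision and is not HVMI code: the PROC_OPT_PROT_READ/PROC_OPT_PROT_WRITE flags, the policy table and the path-keyed lookup are assumptions standing in for the real protected-process list, and beta mode is modelled as report-only, as the IntWinProcPolicyIsBeta description suggests.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <wchar.h>

#define WIN_STATUS_ACCESS_DENIED 0xC0000022u   /* from winprocess.h */
#define WIN_STATUS_SUCCESS       0x00000000u   /* from winprocess.h */

/* Hypothetical protection flags (the real masks are not on this page). */
#define PROC_OPT_PROT_READ   0x1u   /* block reads of the process's memory   */
#define PROC_OPT_PROT_WRITE  0x2u   /* block writes into the process's memory */

typedef struct {
    const wchar_t *path;  /* full image path of the protected process */
    uint32_t       mask;  /* PROC_OPT_PROT_* flags */
    bool           beta;  /* beta mode: the violation is reported, not blocked */
} PROTECTED_ENTRY;

/* Constructed policy table standing in for the protected-process list. */
static const PROTECTED_ENTRY gPolicy[] = {
    { L"\\Windows\\System32\\lsass.exe",   PROC_OPT_PROT_READ | PROC_OPT_PROT_WRITE, false },
    { L"\\Windows\\System32\\svchost.exe", PROC_OPT_PROT_WRITE,                      true  },
};

static const PROTECTED_ENTRY *lookup(const wchar_t *path)
{
    for (size_t i = 0; i < sizeof gPolicy / sizeof gPolicy[0]; i++)
        if (wcscmp(gPolicy[i].path, path) == 0)
            return &gPolicy[i];
    return NULL;
}

/* Status the detour hands back to the guest for a cross-process access.
 * origin/victim are image paths; is_write distinguishes a write into the
 * victim from a read of it. *detected is set whenever policy is violated,
 * even in beta mode, so the event can still be logged. */
uint32_t decide_copy_memory(const wchar_t *origin, const wchar_t *victim,
                            bool is_write, bool *detected)
{
    *detected = false;
    if (wcscmp(origin, victim) == 0)
        return WIN_STATUS_SUCCESS;              /* a process touching itself */
    const PROTECTED_ENTRY *e = lookup(victim);
    if (e == NULL)
        return WIN_STATUS_SUCCESS;              /* victim is not protected */
    uint32_t needed = is_write ? PROC_OPT_PROT_WRITE : PROC_OPT_PROT_READ;
    if ((e->mask & needed) == 0)
        return WIN_STATUS_SUCCESS;              /* this access kind is allowed */
    *detected = true;
    return e->beta ? WIN_STATUS_SUCCESS : WIN_STATUS_ACCESS_DENIED;
}

int main(void)
{
    bool detected;
    uint32_t st = decide_copy_memory(L"\\Users\\alice\\tool.exe",
                                     L"\\Windows\\System32\\lsass.exe",
                                     false, &detected);
    printf("read of lsass.exe -> 0x%08X (detected=%d)\n", (unsigned)st, detected);
    return 0;
}
```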
typedef struct _WIN_PROCESS_OBJECT * PWIN_PROCESS_OBJECT

typedef struct _WIN_PROCESS_SUBSYSTEM * PWIN_PROCESS_SUBSYSTEM

typedef struct _WIN_PROCESS_OBJECT WIN_PROCESS_OBJECT

This structure describes a running process inside the guest.

typedef struct _WIN_PROCESS_SUBSYSTEM WIN_PROCESS_SUBSYSTEM

Windows process subsystem.

typedef enum _WIN_SUBSYTEM_TYPE WIN_SUBSYTEM_TYPE

The Windows subsystem types.

typedef enum _WINPROC_GUEST_EXITS WINPROC_GUEST_EXITS

Windows guest exit types.
enum _WIN_SUBSYTEM_TYPE

The Windows subsystem types.

| Enumerator | Description |
|---|---|
| winSubsysUnknown | Process subsystem type unknown. |
| winSubsys64Bit | Process subsystem type 64 bit. |
| winSubsys32Bit | Process subsystem type 32 bit. |

Definition at line 30 of file winprocess.h.

enum _WINPROC_GUEST_EXITS

Windows guest exit types.

Definition at line 40 of file winprocess.h.
INTSTATUS IntWinProcAddProtectedProcess (const WCHAR *Path, DWORD ProtectionMask, QWORD Context)

This function adds the provided process to the protected process list.

| Direction | Parameter | Description |
|---|---|---|
| [in] | Path | The full process path. |
| [in] | ProtectionMask | The process protection mask. |
| [in] | Context | Protection policy context. |

| Return value | Meaning |
|---|---|
| INT_STATUS_SUCCESS | On success. |

Definition at line 3712 of file winprocess.c.
Referenced by IntAddRemoveProtectedProcessUtf16(), IntAddRemoveProtectedProcessUtf8(), and IntWinProcPolicyIsFeedback().
INTSTATUS IntWinProcChangeProtectionFlags (WIN_PROCESS_OBJECT *Process, DWORD OldMask, DWORD NewMask)

This function changes the protection flags for the given process.

| Direction | Parameter | Description |
|---|---|---|
| [in] | Process | The process to update the protection flags for. |
| [in] | OldMask | The old protection flag mask. |
| [in] | NewMask | The new protection flag mask. |

| Return value | Meaning |
|---|---|
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER_1 | The process object is NULL. |
| INT_STATUS_NOT_NEEDED_HINT | The masks are identical. |

Definition at line 4046 of file winprocess.c.
Referenced by IntWinProcPolicyIsFeedback(), IntWinProcProtect(), IntWinProcUnprotect(), and IntWinProcUpdateProtection().
INTSTATUS IntWinProcCreateProcessObject (WIN_PROCESS_OBJECT **Process, QWORD EprocessAddress, PBYTE EprocessBuffer, QWORD ParentEprocess, QWORD RealParentEprocess, QWORD Cr3, DWORD Pid, BOOLEAN StaticScan)

Allocates a WIN_PROCESS_OBJECT structure for the given process.

This function is responsible for allocating a WIN_PROCESS_OBJECT structure for the given process, reading its command line if necessary, importing its main module VAD, protecting the process, sending a notification to the integrator, etc.

If the process is swapped-out we no longer:

The protection is activated when the process is swapped-in (IntWinProcSwapIn).

| Direction | Parameter | Description |
|---|---|---|
| [out] | Process | The internally allocated process object. |
| [in] | EprocessAddress | The EPROCESS address of the process. |
| [in] | EprocessBuffer | The address of the EPROCESS mapping. |
| [in] | ParentEprocess | The EPROCESS address of the parent process. |
| [in] | RealParentEprocess | The EPROCESS address of the real parent process. |
| [in] | Cr3 | The address space. |
| [in] | Pid | The process identifier. |
| [in] | StaticScan | TRUE if the process already existed but was found only now (when initializing the introspection), FALSE if this process was just created. |

| Return value | Meaning |
|---|---|
| INT_STATUS_SUCCESS | On success. |

Definition at line 1544 of file winprocess.c.
Referenced by IntWinProcAdd(), IntWinProcHandleCreateInternal(), IntWinProcPolicyIsFeedback(), and IntWinProcSwapIn().
void IntWinProcDumpProtected (void)

Log all the protected processes.

Definition at line 3912 of file winprocess.c.
Referenced by DbgProcList(), and IntWinProcPolicyIsFeedback().
INTSTATUS IntWinProcGetObjectByPid (DWORD Pid, WIN_PROCESS_OBJECT **Process)

This function looks for a process with the given PID inside gWinProcesses and returns its WIN_PROCESS_OBJECT.

| Direction | Parameter | Description |
|---|---|---|
| [in] | Pid | The process identifier. |
| [out] | Process | The process object for the given PID. |

| Return value | Meaning |
|---|---|
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_FOUND | If the process was not found. |

Definition at line 4003 of file winprocess.c.
Referenced by IntWinGetAccessTokenFromProcess(), and IntWinProcPolicyIsFeedback().
const PROTECTED_PROCESS_INFO * IntWinProcGetProtectedInfoEx (PWCHAR Path, BOOLEAN IsSystem)

Returns a pointer to the PROTECTED_PROCESS_INFO structure for the given process Path.

| Direction | Parameter | Description |
|---|---|---|
| [in] | Path | The path of the process. |
| [in] | IsSystem | TRUE if the process is a system process, FALSE otherwise. |

| Return value | Meaning |
|---|---|
| PROTECTED_PROCESS_INFO | If the process is protected. |
| NULL | If the process is NOT protected. |

Definition at line 1070 of file winprocess.c.
Referenced by IntWinModHandleModulePathInMemory(), IntWinProcPolicyIsFeedback(), and IntWinProcUpdateProtection().
static QWORD IntWinProcGetProtOption (const WIN_PROCESS_OBJECT *Process)

Get the protection type for the given process.

| Direction | Parameter | Description |
|---|---|---|
| [in] | Process | The process object. |

| Return value | Meaning |
|---|---|
| INTRO_OPT_PROT_UM_SYS_PROCS | If the given process is a system process. |
| INTRO_OPT_PROT_UM_MISC_PROCS | If the given process is NOT a system process. |

Definition at line 375 of file winprocess.h.
Referenced by IntPolicyGetProcProt(), IntWinProcPolicyIsBeta(), and IntWinProcPolicyIsFeedback().
INTSTATUS IntWinProcPatchPspInsertProcess86 (QWORD FunctionAddress, void *Handler, void *Descriptor)

This function is responsible for patching the detour that handles "PspInsertProcess".

This function is invoked every time "PspInsertProcess" is called (a process is created), but before the actual handler IntWinProcHandleCreate, its purpose being to modify the hook code (see winhkhnd.c). On some 32-bit versions of Windows a RET N instruction is used, so the code must take that into account when blocking a process creation.

| Direction | Parameter | Description |
|---|---|---|
| [in] | FunctionAddress | The address of the function. |
| [in] | Handler | An API_HOOK_HANDLER structure. |
| [in] | Descriptor | Pointer to a structure that describes the hook and the detour handler. |

| Return value | Meaning |
|---|---|
| INT_STATUS_SUCCESS | On success. |

Definition at line 2346 of file winprocess.c.
Referenced by IntWinProcPolicyIsFeedback().
INTSTATUS IntWinProcPatchSwapOut32 (QWORD FunctionAddress, void *Handler, void *Descriptor)

This function is responsible for patching the detour that handles "KiOutSwapProcesses".

| Direction | Parameter | Description |
|---|---|---|
| [in] | FunctionAddress | The address of the function. |
| [in] | Handler | An API_HOOK_HANDLER structure. |
| [in] | Descriptor | Pointer to a structure that describes the hook and the detour handler. |

| Return value | Meaning |
|---|---|
| INT_STATUS_SUCCESS | On success. |

Definition at line 2443 of file winprocess.c.
Referenced by IntWinProcPolicyIsFeedback().
INTSTATUS IntWinProcPatchSwapOut64 (QWORD FunctionAddress, void *Handler, void *Descriptor)

This function is responsible for patching the detour that handles "KiOutSwapProcesses".

| Direction | Parameter | Description |
|---|---|---|
| [in] | FunctionAddress | The address of the function. |
| [in] | Handler | An API_HOOK_HANDLER structure. |
| [in] | Descriptor | Pointer to a structure that describes the hook and the detour handler. |

| Return value | Meaning |
|---|---|
| INT_STATUS_SUCCESS | On success. |

Definition at line 2387 of file winprocess.c.
Referenced by IntWinProcPolicyIsFeedback().
static BOOLEAN IntWinProcPolicyIsBeta (const WIN_PROCESS_OBJECT *Process, QWORD Flag)

Checks if the given process is protected with the provided flag (in beta mode).

| Direction | Parameter | Description |
|---|---|---|
| [in] | Process | The process object. |
| [in] | Flag | The protection flag to be checked. |

| Return value | Meaning |
|---|---|
| TRUE | If the process is protected with the provided flag (in beta mode). |
| FALSE | If the process is NOT protected with the provided flag (in beta mode). |

Definition at line 391 of file winprocess.h.
Referenced by IntPolicyProcIsBeta().
static BOOLEAN IntWinProcPolicyIsFeedback (const WIN_PROCESS_OBJECT *Process, QWORD Flag)

Checks if the given process is protected with the provided flag (in feedback mode).

| Direction | Parameter | Description |
|---|---|---|
| [in] | Process | The process object. |
| [in] | Flag | The protection flag to be checked. |

| Return value | Meaning |
|---|---|
| TRUE | If the process is protected with the provided flag (in feedback mode). |
| FALSE | If the process is NOT protected with the provided flag (in feedback mode). |

Definition at line 411 of file winprocess.h.
Referenced by IntPolicyProcIsFeedback().
INTSTATUS IntWinProcPrepareInstrument (QWORD FunctionAddress, void *Handler, void *Descriptor)

This function is responsible for patching the detour that handles "NtSetInformationProcess".

This function is called before the hook is placed in the guest memory in order to "patch" the values of any exports or field offsets that it may need. Specifically, it patches PsProcessType, ObReferenceObjectByHandle, ObDereferenceObject and the offset of Spare in the _EPROCESS structure.

| Direction | Parameter | Description |
|---|---|---|
| [in] | FunctionAddress | The guest virtual address of the hooked function. |
| [in] | Handler | Optional pointer to an API_HOOK_HANDLER structure. |
| [in] | Descriptor | Pointer to a structure that describes the hook and the detour handler. |

Definition at line 4623 of file winprocess.c.
Referenced by IntWinProcPolicyIsFeedback().
INTSTATUS IntWinProcProtect (WIN_PROCESS_OBJECT *Process)

Protects a new process.

| Direction | Parameter | Description |
|---|---|---|
| [in] | Process | The process to be protected. |

| Return value | Meaning |
|---|---|
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER_1 | If the process is NULL. |
| INT_STATUS_NOT_NEEDED_HINT | If the process is already protected. |

Definition at line 3287 of file winprocess.c.
Referenced by IntWinProcCreateProcessObject(), IntWinProcPolicyIsFeedback(), and IntWinProcUpdateProtection().
INTSTATUS IntWinProcReadCommandLine (WIN_PROCESS_OBJECT *Process)

Reads the command line of the given process using IntSwapMemReadData.

| Direction | Parameter | Description |
|---|---|---|
| [in] | Process | The process to read the command line from. |

| Return value | Meaning |
|---|---|
| INT_STATUS_SUCCESS | On success. |

Definition at line 900 of file winprocess.c.
Referenced by IntWinProcCreateProcessObject(), and IntWinProcPolicyIsFeedback().
INTSTATUS IntWinProcRemoveAllProtectedProcesses (void)

This function removes all the processes from the protected process list.

| Return value | Meaning |
|---|---|
| INT_STATUS_SUCCESS | On success. |

Definition at line 3880 of file winprocess.c.
Referenced by IntRemoveAllProtectedProcesses(), and IntWinProcPolicyIsFeedback().
INTSTATUS IntWinProcRemoveProtectedProcess (const WCHAR *Path)

This function removes the provided process from the protected process list.

| Direction | Parameter | Description |
|---|---|---|
| [in] | Path | The full process path. |

| Return value | Meaning |
|---|---|
| INT_STATUS_SUCCESS | On success. |

Definition at line 3826 of file winprocess.c.
Referenced by IntAddRemoveProtectedProcessUtf16(), IntAddRemoveProtectedProcessUtf8(), and IntWinProcPolicyIsFeedback().
void IntWinProcUninit (void)

This function removes all process objects from the list and calls the cleanup function for each process.

Definition at line 3940 of file winprocess.c.
Referenced by IntWinGuestUninit(), and IntWinProcPolicyIsFeedback().
INTSTATUS IntWinProcUnprotect (WIN_PROCESS_OBJECT *Process)

Remove a process from protection.

| Direction | Parameter | Description |
|---|---|---|
| [in] | Process | The process to be removed from protection. |

| Return value | Meaning |
|---|---|
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER_1 | If the process is NULL. |

Definition at line 3247 of file winprocess.c.
Referenced by IntWinModHandleModulePathInMemory(), IntWinProcDeleteProcessObject(), IntWinProcPolicyIsFeedback(), IntWinProcProtect(), IntWinProcSwapOut(), IntWinProcUninit(), and IntWinProcUpdateProtection().
void IntWinProcUpdateProtectedProcess (const void *Name, const CAMI_STRING_ENCODING Encoding, const CAMI_PROT_OPTIONS *Options)

This function updates the protection for the given process.

| Direction | Parameter | Description |
|---|---|---|
| [in] | Name | The name of the process. |
| [in] | Encoding | The encoding used by the Name variable. |
| [in] | Options | The protection options to be applied. |

Definition at line 3657 of file winprocess.c.
Referenced by IntCamiUpdateProcessProtectionItems(), and IntWinProcPolicyIsFeedback().
INTSTATUS IntWinProcUpdateProtection (void)

Iterates through the global process list (gWinProcesses) in order to update the protection state for each process.

| Return value | Meaning |
|---|---|
| INT_STATUS_SUCCESS | On success. |

Definition at line 1162 of file winprocess.c.
Referenced by IntCamiSetProcProtOptions(), IntGuestUpdateCoreOptions(), IntWinProcAddProtectedProcess(), IntWinProcPolicyIsFeedback(), and IntWinProcRemoveProtectedProcess().
INTSTATUS IntWinProcValidateSystemCr3 (void)

This function checks if the system CR3 value was modified and, if GUEST_STATE::KernelBetaDetections is NOT set, restores the original value.

| Return value | Meaning |
|---|---|
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_FOUND | If the system process was not found within gWinProcesses. |
| INT_STATUS_NOT_INITIALIZED_HINT | If introcore is not fully initialized. |

Definition at line 3371 of file winprocess.c.
Referenced by IntHandleTimer(), and IntWinProcPolicyIsFeedback().