12 #ifndef _WINPROCESS_H_ 13 #define _WINPROCESS_H_ 23 #define WIN_STATUS_ACCESS_DENIED 0xC0000022 24 #define WIN_STATUS_SUCCESS 0x00000000 210 DWORD ProtThreadCtx : 1;
214 DWORD ProtCreation: 1;
221 DWORD ProtRemediate : 1;
369 } SecurityDescriptor;
405 return Process->BetaDetections ||
407 (Process->BetaMask & Flag) != 0;
425 return ((Process->FeedbackMask & Flag) ||
458 _In_ void *Descriptor
465 _In_ void *Descriptor
472 _In_ void *Descriptor
479 _In_ void *Descriptor
567 _In_ const void *Name,
581 _In_ void *Descriptor
584 #endif // _WINPROCESS_H_ DWORD CommandLineSize
Includes the NULL terminator.
PCHAR CommandLine
The command line with which the process was created (can be NULL).
INTSTATUS IntWinProcPatchPspInsertProcess86(QWORD FunctionAddress, void *Handler, void *Descriptor)
This functions is responsible for patching the detour that handles the "PspInsertProcess".
Process subsystem type unknown.
PWIN_PROCESS_SUBSYSTEM Subsystemx64
The x64 subsystem. Note that a 32 bit process on a 64 bit OS may have both subsystems valid...
INTSTATUS IntWinProcHandleInstrument(void *Detour)
Handles an exit on NtSetInformationProcess calls where the InformationClass argument is 40 (instrumen...
BOOLEAN EnforcedDep
TRUE is the DEP (Data Execution Prevention) has been enforced.
DWORD Flags
Windows process flags (possible values for this bitmask are described below).
DWORD NtdllSize
The size of ntdll.dll.
DWORD MonitorModules
TRUE if we need to monitor module load/unloads.
BOOLEAN PrivsChangeOneBit
Set to TRUE when the difference between Enabled and Present privileges is just one bit...
void * UserCr3PageLockObject
The UserCR3 will be locked in memory, to prevent the OS from dynamically modifying the CR3 of a runni...
_WINPROC_GUEST_EXITS
Windows guest exit types.
Describe the introcore protection options.
struct _WIN_PROCESS_OBJECT * PWIN_PROCESS_OBJECT
LIST_ENTRY Link
Entry within gWinProcesses (Doubly Linked List).
const WCHAR * SystemDirPath
The location of the system directory (where the system DLLs are located). For wow64 processes...
DWORD ProtInstrument
Protect the process agains instrumentation callback attacks.
QWORD RealParentEprocess
The active EPROCESS at the moment of creation.
INTSTATUS IntWinProcRemoveAllProtectedProcesses(void)
This function removed all the processes from the protected process list.
enum _WIN_SUBSYTEM_TYPE WIN_SUBSYTEM_TYPE
The Windows subsystem types.
CAMI_STRING_ENCODING
Describes the encoding of a string received from the CAMI file.
void * ParamsSwapHandle
The swap memory handle for Process->Peb->ProcessParameters (used to read the command line of the proc...
DWORD ProtCoreModules
Protect the core module loaded by the process.
QWORD FeedbackMask
The protection mask in feedback mode.
Exits caused by "MmCopyVirtualMemory".
ACL Dacl
The Discretionary Access Control List header.
INTSTATUS IntWinProcUnprotect(WIN_PROCESS_OBJECT *Process)
Remove a process from protection.
DWORD Lsass
TRUE if this is the lsass process.
BOOLEAN LastExceptionContinuable
TRUE if the last exception is continuable (for example a #PF that was caused due to the way the OS do...
INTSTATUS IntWinProcSwapOut(void *Detour)
Detour handler for the KiOutSwapProcess Windows kernel API.The detour on KiOutSwapProcess is set afte...
#define INTRO_SECURITY_DESCRIPTOR_SIZE
The size of the buffers in which we store the security descriptors. The security descriptor is compos...
QWORD SecurityDescriptorGva
Security descriptor address.
static BOOLEAN IntWinProcPolicyIsFeedback(const WIN_PROCESS_OBJECT *Process, QWORD Flag)
Checks if the given process is protected with the provided flag (in feedback mode).
DWORD ProtReserved1
RESERVED.
INTSTATUS IntWinProcSwapIn(void *Detour)
Detour handler for the MmInSwapProcess Windows kernel API.The detour on MmInSwapProcess is set inside...
QWORD Context
Context from integrator if the process is protected, 0 otherwise.
BOOLEAN FirstDominoJavaIgnored
TRUE if the first Domino Java execution VAD was ignored.
Windows process subsystem.
DWORD UnpackProtected
TRUE if the main module has been protected against unpacks.
WORD OriginalSpareValue
We put in guest * and some flags in order to decide whether to raise a VM exit on a process...
BYTE InjectionsCount
The number of injections allowed at the initialization.
BYTE PebWrittenCount
The number writes to the (Process Environment Block).
Exits caused by "NtQueueApcThreadEx".
DWORD RawBufferSize
The used actual size of the RawBuffer.
INTSTATUS IntWinProcHandleTerminate(void *Detour)
This functions handles the termination of a Windows process.This function is invoked every time "MmCl...
INTSTATUS IntWinProcPrepareInstrument(QWORD FunctionAddress, void *Handler, void *Descriptor)
This function is responsible for patching the detour that handles "NtSetInformationProcess".
int INTSTATUS
The status data type.
BOOLEAN ImageIsFromNativeSubsystem
TRUE if the process image is from the native subsystem.
struct _WIN_PROCESS_OBJECT WIN_PROCESS_OBJECT
This structure describes a running process inside the guest.
DWORD OneTimeInjectionDone
The one time injection already took place (exception).
struct _WIN_PROCESS_SUBSYSTEM * PWIN_PROCESS_SUBSYSTEM
DWORD NameHash
Name hash, as used by the exceptions module.
ACL Sacl
The System Access Control List header.
DWORD ProtectedModulesCount
Number of protected modules inside this process.
QWORD Peb64Address
PEB 64 address (on x86 OSes, this will be 0).
QWORD DebuggerEprocess
This will keep the EPROCESS of the debugger process (if any).
void * UserSelfMapHook
The user self mapping memory hook.
#define IMAGE_BASE_NAME_LEN
The maximum length of a process name.
BOOLEAN IntPolicyIsCoreOptionFeedback(QWORD Flag)
Checks if a core protection option is in feedback-only mode.
QWORD MainModuleAddress
The address of the main module.
BOOLEAN IsDominoJava
True if this is a Java IBM process and j9jit.dll is loaded.
_WIN_SUBSYTEM_TYPE
The Windows subsystem types.
QWORD ParentEprocess
The EPROCESS of the parent process.
#define INTRO_OPT_PROT_UM_SYS_PROCS
Enable user-mode system processes protection (injection only).
Process subsystem type 32 bit.
INTSTATUS IntWinProcValidateSystemCr3(void)
This function checks if the system CR3 value was modified and if GUEST_STATE::KernelBetaDetections is...
DWORD Protected
TRUE if this is a protected process. If this is FALSE, most of the above fields aren't used at all...
Encapsulates a protected Windows process.
DWORD Wow64Process
TRUE if this is a 32 bit process on a 64 bit OS.
DWORD InjectedApphelp
TRUE if AppHelp was injected.
BOOLEAN IntPolicyCoreIsOptionBeta(QWORD Flag)
Checks if one of the kernel protection options is in log-only mode.
const PROTECTED_PROCESS_INFO * IntWinProcGetProtectedInfoEx(PWCHAR Path, BOOLEAN IsSystem)
Returns a pointer to the PROTECTED_PROCESS_INFO structure for the given process Path.
static BOOLEAN IntWinProcPolicyIsBeta(const WIN_PROCESS_OBJECT *Process, QWORD Flag)
Checks if the given process is protected with the provided flag (in beta mode).
DWORD LastPebWriteDone
TRUE if the write into PEB is done (used for initialization checks).
QWORD NtdllBase
The base address for ntdll.dll.
QWORD Cr3
Process PDBR. Includes PCID.
DWORD MainModuleLoaded
TRUE if the main module has been loaded.
BOOLEAN MainModuleLoaded
TRUE if the MainModule was loaded.
QWORD OriginalPresentPrivs
Saved value of the Privileges Present bitfield inside the nt!_TOKEN structure assigned to the current...
DWORD LateProtection
TRUE if the protection was not activated right from start.
QWORD CreationTime
The creation time of the process, as stored inside the EPROCESS.
INTSTATUS IntWinProcPatchCopyMemoryDetour(QWORD FunctionAddress, void *Handler, void *Descriptor)
This functions is responsible for patching the detour that handles the "MmCopyVirtualMemory".This function is invoked every time "MmCopyVirtualMemory" is called (a process is writing/reading another process) but before the actual handler IntWinProcHandleCopyMemory, its purpose being to modify the hook code (see winhkhnd.c).
BOOLEAN ParentHasEditedAcl
The parent process has an altered ACL (SACL/DACL).
static QWORD IntWinProcGetProtOption(const WIN_PROCESS_OBJECT *Process)
Get the protection type for the given process.
WINUM_PATH * Path
Will point inside the loaded modules list to the full process path.
void IntWinProcDumpProtected(void)
Log all the protected processes.
INTSTATUS IntWinProcAddProtectedProcess(const WCHAR *Path, DWORD ProtectionMask, QWORD Context)
This function adds the provided process to the protected process list.
DWORD IsPreviousAgent
TRUE if this is an agent injected in a previous session.
DWORD ProtDoubleAgent
Protect the process against double agent attacks.
RBNODE NodeEproc
Entry within gWinProcTreeEprocess (RB Tree).
#define INTRO_OPT_PROT_UM_MISC_PROCS
Exits caused by "NtSetInformationProcess".
DWORD LoadedModulesCount
The number of modules that were loaded.
BOOLEAN HasNaClEnabled
Only valid for chromium-based browsers; TRUE if this is a NaCl process.
QWORD UserCr3
Process user PDBR. Includes PCID.
DWORD Terminating
TRUE if the process is terminating (cleanup pending).
BYTE NtdllLoadCount
Number of ntdll.dll loads.
void * TokenSwapHook
Hook object for notifications over the swap-in/swap-out of the current process TOKEN. We need to place this hook in order to verify on translation modifications of the current TOKEN if it is still assigned to the current process. The token might get deallocated in the mean-time and the page can be used, for example, for mapping other physical pages, thus leading to translation violations when the hashes of the contents are checked. For this purpose we will verify on every translation modification event if the current token is still used, and re-establish the hook over the token if it was previously de-allocated.
DWORD StartInitializing
TRUE if the process actually started initializing (there is a time windows from the moment we add the...
DWORD ProtectionMask
Protection mask: tells us what level of protection will be activated for this process.
BOOLEAN ParentThreadSuspicious
The parent thread start address was considered suspicious.
QWORD LastExceptionRip
The RIP of the last exception that took place.
DWORD ExitStatus
The exit status of the process (used when sending the process terminated event).
DWORD Peb64ContextWritten
TURE if the Process Environment Block (x64) context was written (valid only on Windows 7)...
DPI_EXTRA_INFO DpiExtraInfo
Represents the gathered extra info while checking the DPI heuristics.
INTSTATUS IntWinProcPatchSwapOut64(QWORD FunctionAddress, void *Handler, void *Descriptor)
This functions is responsible for patching the detour that handles the "KiOutSwapProcesses".
Exits caused by "MiCommitExistingVad".
INTSTATUS IntWinProcGetObjectByPid(DWORD Pid, WIN_PROCESS_OBJECT **Process)
This function looks for a process with the given PID inside gWinProcesses and returns its WIN_PROCESS...
struct _WIN_PROCESS_OBJECT * Process
The process object related to this subsystem.
Exposes the definitions used by the CAMI parser and the functions used to load guest support informat...
void * TokenHook
Hook object for the ept hook over nt!_TOKEN Privileges field.
QWORD SelfMapEntryValue
The self mapping memory entry value.
QWORD BetaMask
The protection mask in beta mode.
BYTE Kernel32LoadCount
Number of kernel32.dll loads.
INTSTATUS IntWinProcCreateProcessObject(WIN_PROCESS_OBJECT **Process, QWORD EprocessAddress, PBYTE EprocessBuffer, QWORD ParentEprocess, QWORD RealParentEprocess, QWORD Cr3, DWORD Pid, BOOLEAN StaticScan)
Allocates a WIN_PROCESS_OBJECT structure for the given process.
DWORD Pid
Process ID (the one used by Windows).
Process subsystem type 64 bit.
QWORD TokenStolenFromEprocess
This will keep the EPROCESS of the process from which the current process stole the token...
RBTREE VadTree
RB-Tree of process VADs.
DWORD InjectedAppHelpSize
The size of the injected apphelp (during initialization).
DWORD BetaDetections
TRUE if BETA is enabled for this particular process.
INTSTATUS IntWinProcChangeProtectionFlags(WIN_PROCESS_OBJECT *Process, DWORD OldMask, DWORD NewMask)
This function changes the protection flags for the given process.
void * SelfMapHook
The self mapping memory hook.
QWORD Peb32Address
PEB 32 address (on pure x64 processes, this will be 0).
void IntWinProcUninit(void)
This function removes all process objects from the list, and registers the calls the cleanup function...
QWORD OriginalTokenPtr
Original Token pointer inside EPROCESS (should never change).
enum _WINPROC_GUEST_EXITS WINPROC_GUEST_EXITS
Windows guest exit types.
BOOLEAN PrivsChangeDetected
Set to TRUE when a token privilege change has been detected. This is useful for DPI, in the case where a write has been detected over the privileges, but because of the detect only mechanism, we have overwritten the OriginalPresentPrivs and OriginalEnabledPrivs values, thus DPI will not raise an alert on process creation due to the fact that the mechanism doesn't see any change. For this purpose, we'll analyze every process creation in DPI from the moment the privileges have changed and a detection took place on integrity.
INTSTATUS IntWinProcPatchSwapOut32(QWORD FunctionAddress, void *Handler, void *Descriptor)
This functions is responsible for patching the detour that handles the "KiOutSwapProcesses".
void * Cr3PageLockObject
The CR3 will be locked in memory, to prevent the OS from dynamically modifying the CR3 of a running p...
LIST_HEAD ProcessModules
List of process modules.
RBNODE NodeUserCr3
Entry within gWinProcTreeUserCr3 (RB Tree).
QWORD UserSelfMapEntryValue
The user self mapping memory entry value.
void * CmdBufSwapHandle
The swap memory handle for the command line buffer.
DWORD ExploitGuardEnabled
TRUE if any Exploit Guard mitigation option is set for this process.
INTSTATUS IntWinProcHandleCopyMemory(void *Detour)
This functions is responsible handling process read/write operations.This function is invoked every t...
DWORD ProtWriteMem
Protect the the memory against writes.
QWORD EprocessAddress
This will be the address of the ActiveProcess field.
BOOLEAN SkipPrivsNextCheck
Signals whether the next privileges check on integrity should be skipped for the current process...
QWORD OriginalEnabledPrivs
Saved value of the Privileges Enabled bitfield inside the nt!_TOKEN structure assigned to the current...
void IntWinProcUpdateProtectedProcess(const void *Name, const CAMI_STRING_ENCODING Encoding, const CAMI_PROT_OPTIONS *Options)
This function updates the protection for the given process.
DWORD ParentWow64
TRUE if the parent is a 32 bit process on a 64 bit OS.
DWORD SystemProcess
TRUE if this is a system process.
INTSTATUS IntWinProcUpdateProtection(void)
Iterates trough the global process list (gWinProcesses) in order to update the protection state for e...
DWORD ProtScanCmdLine
Scan the cmd line of the process.
void * CmdLineSwapHandle
The swap memory handle for the UNICODE_STRING containing the command line of the a process...
INTSTATUS IntWinProcHandleCreate(void *Detour)
Detour handler for the PspInsertProcess Windows kernel API.The actual process creation is handled by ...
WIN_SUBSYTEM_TYPE SubsystemType
Process subsystem type.
QWORD PebAddress
The Process Environment Block of this subsystem.
INTSTATUS IntWinProcProtect(WIN_PROCESS_OBJECT *Process)
Protects a new process.
DWORD MonitorVad
TRUE if we need to handle VAD events for this process.
DWORD StaticDetected
TRUE if the process was detected using a static scan (during static init).
void * VasMonRoot
Virtual Address Space monitor root.
DWORD LastException
The code of the last exception that took place.
struct _WIN_PROCESS_SUBSYSTEM WIN_PROCESS_SUBSYSTEM
Windows process subsystem.
DWORD ProtUnpack
Protect process against unpacking attempts.
BOOLEAN IsVerifierLoaded
TRUE if app verifier is loaded.
DWORD IsAgent
TRUE if this is an injected agent.
DWORD Outswapped
TRUE if the process is outswapped.
INTSTATUS IntWinProcReadCommandLine(WIN_PROCESS_OBJECT *Process)
Reads the command line of the given process using IntSwapMemReadData.
BOOLEAN ParentHasAlteredSecDescPtr
The parent process has an altered security descriptor pointer.
Exits caused by "MmCopyVirtualMemory".
Exits caused by "PspSetContextThreadInternal".
DWORD ProtWsockModules
Protect the Windows Socket related modules.
BOOLEAN ParentHasBeenHeapSprayed
The parent process has been heap sprayed.
void * MainModuleVad
Used for keeping the main module VAD (used for dereferencing paths) as the unprotected processes don'...
PWIN_PROCESS_SUBSYSTEM Subsystemx86
The x86 subsystem. Note that a 32 bit process on a 64 bit OS may have both subsystems valid...
RBNODE NodeCr3
Entry within gWinProcTreeCr3 (RB Tree).
Exposes the functions responsible for DPI (Deep Process Inspection) information gathering (used to de...
DWORD AgentTag
If IsAgent is TRUE, this will be the agent tag.
QWORD InjectedApphelpAddress
The address of the injected apphelp (during initialization).
BOOLEAN ParentHasPivotedStack
The parent process has a pivoted stack.
DWORD Peb32ContextWritten
TURE if the Process Environment Block (x86) context was written (valid only on Windows 7)...
BOOLEAN ParentHasTokenPrivsAltered
The parent process has the token privileges altered in a malicious way, most probably due to a privil...
INTSTATUS IntWinProcRemoveProtectedProcess(const WCHAR *Path)
This function removed the provided process from the protected process list.
LIST_HEAD * VadPages
Vad pages Hash-Table.
This structure describes a running process inside the guest.
1.8.13