Bitdefender Hypervisor Memory Introspection
Macros
    #define IS_INVALID_PTR(ptr)
    #define PROCESSES_MAX_COUNT 65535

Functions
    void IntWinProcLstUnsafeReInit (void)
        Reinitializes the Windows process lists and trees, without doing any cleanup.
    void IntWinProcLstInsertProcess (WIN_PROCESS_OBJECT *Process)
        Inserts a WIN_PROCESS_OBJECT structure into the process lists and trees.
    void IntWinProcLstRemoveProcess (WIN_PROCESS_OBJECT *Process)
        Removes a WIN_PROCESS_OBJECT structure from the process lists and trees.
    PWIN_PROCESS_OBJECT IntWinProcFindObjectByEprocess (QWORD Eprocess)
        Finds a process by the address of its _EPROCESS structure.
    PWIN_PROCESS_OBJECT IntWinProcFindObjectByPid (DWORD Pid)
        Finds a process by its ID.
    PWIN_PROCESS_OBJECT IntWinProcFindObjectByName (CHAR const *Name, BOOLEAN MustBeSystem)
        Finds a process by name.
    PWIN_PROCESS_OBJECT IntWinProcFindObjectByCr3 (QWORD Cr3)
        Finds a process by its kernel CR3.
    PWIN_PROCESS_OBJECT IntWinProcFindObjectByUserCr3 (QWORD Cr3)
        Finds a process by its user CR3.
    INTSTATUS IntWinProcIsPsActiveProcessHead (QWORD Gva)
        Checks if a guest memory area is the list head of the process list (PsActiveProcessHead).
    INTSTATUS IntWinProcAdd (QWORD Eprocess, QWORD Aux)
        Adds a new process to the Introcore list of processes.
    INTSTATUS IntWinProcIterateGuestProcesses (PFUNC_IterateListCallback Callback, QWORD Aux)
        Iterates the in-guest process list and calls Callback for each entry.
    INTSTATUS IntWinProcGetNameFromEprocess (QWORD Eprocess, CHAR *Name)
        Reads a process name from the guest memory.
    INTSTATUS IntWinProcGetNameFromInternalEprocess (QWORD Eprocess, CHAR *Name)
        Gets a process name from the internal Introcore buffers.
    BOOLEAN IntWinProcIsEnoughHeapAvailable (void)
        Checks if enough heap is available in order to protect a new process.
    void IntWinProcRbTreeNodeFree (RBNODE *Node)
        The NodeFree routine for the process RBTREE structures.
    int IntWinProcRbTreeNodeCompareCr3 (RBNODE const *Left, RBNODE const *Right)
    int IntWinProcRbTreeNodeCompareUserCr3 (RBNODE const *Left, RBNODE const *Right)
    int IntWinProcRbTreeNodeCompareEproc (RBNODE const *Left, RBNODE const *Right)
    INTSTATUS IntWinProcGetAgentsAsCli (PCHAR CommandLine, DWORD Length)
        Returns the name and ID for all the processes injected as agents inside the guest.
    void IntWinProcDump (void)
        Prints information about all the processes in the system.
    void IntWinProcDumpVads (const char *ProcessName)
        Prints information about the VADs loaded in a process.
    void IntWinProcDumpEgFlags (void)
        Prints the mitigation flags of a process.
    INTSTATUS IntWinProcMapEprocess (QWORD Eprocess, void **Ptr)
        Maps a _EPROCESS structure.

Variables
    LIST_HEAD gWinProcesses = LIST_HEAD_INIT(gWinProcesses)
        The list of all the processes inside the guest.
    RBTREE gWinProcTreeCr3 = RB_TREE_INIT(gWinProcTreeCr3, IntWinProcRbTreeNodeFree, IntWinProcRbTreeNodeCompareCr3)
        Tree of all the processes inside the guest, using the kernel CR3 as the key.
    RBTREE gWinProcTreeUserCr3
        Tree of all the processes inside the guest, using the user-mode CR3 as the key.
    RBTREE gWinProcTreeEprocess
        Tree of all the processes inside the guest, using the _EPROCESS address as the key.

#define IS_INVALID_PTR(ptr)
Referenced by IntWinProcIsPsActiveProcessHead().

#define PROCESSES_MAX_COUNT 65535
Referenced by IntWinProcIterateGuestProcesses().

INTSTATUS IntWinProcAdd (QWORD Eprocess, QWORD Aux)
Adds a new process to the Introcore list of processes.
This function is used for statically detecting processes that were spawned before Introcore started.
It performs some preliminary checks and then delegates most of the work to IntWinProcCreateProcessObject. If any of the Delete, Exiting, or VmDeleted flags are set, or if the HasAddrSpace flag is not set, the process is ignored: it is no longer active and will not become active again, but the OS has not yet removed it from the list of processes.
If possible, this function will also try to find the parent of the new process.
Parameters:
    [in] Eprocess  Guest virtual address of the _EPROCESS structure for the new process.
    [in] Aux       Ignored.
Definition at line 396 of file winprocesshp.c.
Referenced by IntWinGuestFinishInit().

void IntWinProcDump (void)
Prints information about all the processes in the system.
Definition at line 864 of file winprocesshp.c.
Referenced by DbgDumpProcesses().

void IntWinProcDumpEgFlags (void)
Prints the mitigation flags of a process.
Definition at line 1005 of file winprocesshp.c.

void IntWinProcDumpVads (const char *ProcessName)
Prints information about the VADs loaded in a process.
Parameters:
    [in] ProcessName  NULL-terminated string with a process name. May be NULL. If it is not NULL, only the processes with a matching name will be printed.
Definition at line 977 of file winprocesshp.c.
Referenced by DbgDumpVads().

PWIN_PROCESS_OBJECT IntWinProcFindObjectByCr3 (QWORD Cr3)
Finds a process by its kernel CR3.
Parameters:
    [in] Cr3  Process kernel CR3 to search for.
Definition at line 195 of file winprocesshp.c.
Referenced by IntAlertFillWinProcessByCr3(), IntDecDecodeInstructionAtRipWithCache(), IntDispatchVeAsEpt(), IntLogProcessInfo(), IntWinAgentHandleAppVmcall(), IntWinCrashHandleDepViolation(), IntWinModHandleUserWrite(), IntWinProcHandleCreateInternal(), IntWinProcHandleDuplicate(), IntWinProcHandleInstrument(), IntWinSudHandleUserSudExec(), IntWinVadHandleCommit(), IntWinVadHandleDeleteVaRange(), IntWinVadHandleFinishVadDeletion(), IntWinVadHandleInsertMap(), IntWinVadHandleInsertPrivate(), and IntWinVadHandlePageExecution().

PWIN_PROCESS_OBJECT IntWinProcFindObjectByEprocess (QWORD Eprocess)
Finds a process by the address of its _EPROCESS structure.
Parameters:
    [in] Eprocess  The guest virtual address of the _EPROCESS structure.
Definition at line 96 of file winprocesshp.c.
Referenced by IntAlertFillDpiExtraInfo(), IntExceptUserLogWindowsInformation(), IntLogCriticalProcessHasDied(), IntSerializeDpiWinDebug(), IntSerializeDpiWinSecDesc(), IntSerializeDpiWinStolenToken(), IntSerializeWinUmOriginator(), IntSerializeWinUmVictim(), IntWinDpiGetProcessDebugFlag(), IntWinInspectCommandLine(), IntWinModFillProcessInjectionData(), IntWinNetGetOwner(), IntWinProcAdd(), IntWinProcCreateProcessObject(), IntWinProcHandleCopyMemory(), IntWinProcHandleCreateInternal(), IntWinProcHandleDuplicate(), IntWinProcHandleInstrument(), IntWinProcSendProcessEvent(), IntWinProcSwapIn(), IntWinProcSwapOut(), IntWinThrHandleQueueApc(), IntWinThrHandleThreadHijack(), IntWinVadHandleInsert(), and IntWinVadHandleVirtualProtect().

PWIN_PROCESS_OBJECT IntWinProcFindObjectByName (CHAR const *Name, BOOLEAN MustBeSystem)
Finds a process by name.
Parameters:
    [in] Name          NULL-terminated string with the name of the process.
    [in] MustBeSystem  True if the process must be a system process.
Definition at line 157 of file winprocesshp.c.
Referenced by IntWinAgentHandleDriverVmcall().

PWIN_PROCESS_OBJECT IntWinProcFindObjectByPid (DWORD Pid)
Finds a process by its ID.
Parameters:
    [in] Pid  Process ID to search for.
Definition at line 126 of file winprocesshp.c.
Referenced by IntWinGetStartUpTime(), and IntWinProcAdd().

PWIN_PROCESS_OBJECT IntWinProcFindObjectByUserCr3 (QWORD Cr3)
Finds a process by its user CR3.
If KPTI is not active, or the process has the same CR3 for both kernel and user mode, this is the same as IntWinProcFindObjectByCr3.
Parameters:
    [in] Cr3  Process user CR3 to search for.
Definition at line 225 of file winprocesshp.c.
Referenced by IntGetGprs().

INTSTATUS IntWinProcGetAgentsAsCli (PCHAR CommandLine, DWORD Length)
Returns the name and ID for all the processes injected as agents inside the guest.
This is useful for the killer agent.
Parameters:
    [out] CommandLine  On success, will contain a NULL-terminated string with the names and IDs of the agent processes.
    [in]  Length       The size of the CommandLine buffer.
Return values:
    INT_STATUS_SUCCESS                in case of success.
    INT_STATUS_DATA_BUFFER_TOO_SMALL  if there is not enough space in the CommandLine buffer.
Definition at line 812 of file winprocesshp.c.
Referenced by IntWinFormatAgentKillerCommandLine().

INTSTATUS IntWinProcGetNameFromEprocess (QWORD Eprocess, CHAR *Name)
Reads a process name from the guest memory.
This reads the name from the _EPROCESS ImageFileName field. If the process name is longer than 15 characters, only the first 15 characters will be available.
Parameters:
    [in]  Eprocess  The guest virtual address of the _EPROCESS structure.
    [out] Name      On success, will contain a NULL-terminated string with the process name. Must be at least IMAGE_BASE_NAME_LEN in size.
Definition at line 615 of file winprocesshp.c.

INTSTATUS IntWinProcGetNameFromInternalEprocess (QWORD Eprocess, CHAR *Name)
Gets a process name from the internal Introcore buffers.
Parameters:
    [in]  Eprocess  The guest virtual address of the _EPROCESS structure.
    [out] Name      On success, will contain a NULL-terminated string with the process name. Must be at least IMAGE_BASE_NAME_LEN in size.
Return values:
    INT_STATUS_SUCCESS    if a process was found for the provided _EPROCESS address.
    INT_STATUS_NOT_FOUND  if no process was found.
Definition at line 648 of file winprocesshp.c.
Referenced by IntWinProcDump().

BOOLEAN IntWinProcIsEnoughHeapAvailable (void)
Checks if enough heap is available in order to protect a new process.
Enough memory is considered available if at least MIN_HEAP_SIZE_PERCENT percent of the total available memory is free.
Definition at line 685 of file winprocesshp.c.
Referenced by IntWinProcProtect().

INTSTATUS IntWinProcIsPsActiveProcessHead (QWORD Gva)
Checks if a guest memory area is the list head of the process list (PsActiveProcessHead).
Gva must point to the ActiveProcessLinks field of the System _EPROCESS.
The check is based on a series of invariants:
Parameters:
    [in] Gva  Guest virtual address to check.
Return values:
    INT_STATUS_SUCCESS              if Gva points to PsActiveProcessHead.
    INT_STATUS_INVALID_OBJECT_TYPE  if Gva does not point to PsActiveProcessHead.
Definition at line 258 of file winprocesshp.c.
Referenced by IntWinGuestFindKernelObjectsInternal().

INTSTATUS IntWinProcIterateGuestProcesses (PFUNC_IterateListCallback Callback, QWORD Aux)
Iterates the in-guest process list and calls Callback for each entry.
This function will stop if it iterates more than 10000 entries, as in that case something is most likely wrong.
Parameters:
    [in] Callback  Function to invoke for each entry in the process list.
    [in] Aux       Optional argument to pass to Callback.
Return values:
    INT_STATUS_SUCCESS               in case of success. Note that errors returned by Callback are not propagated and success is still reported.
    INT_STATUS_INVALID_PARAMETER_1   if Callback is NULL.
    INT_STATUS_NOT_INITIALIZED_HINT  if PsActiveProcessHead is not set yet.
    INT_STATUS_OUT_OF_RANGE          if more than 10000 processes are found in the list.
Definition at line 501 of file winprocesshp.c.
Referenced by IntThrSafeCheckThreads(), and IntWinGuestFinishInit().
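As an added illustration (not Introcore's own code), the following hosted C model reproduces the bounded walk and the status semantics documented above. It assumes constructed status values, an assumed MAX_LIST_ENTRIES bound of 10000, and an in-memory stand-in for PsActiveProcessHead, and it shows why the bound matters when the in-guest ActiveProcessLinks list is corrupted or forms a cycle that never returns to the head.

```c
#include <stddef.h>
#include <stdint.h>
/* Status codes and the bound are constructed to mirror the semantics
 * documented above; they are not Introcore's real definitions. */
#define INT_STATUS_SUCCESS               0
#define INT_STATUS_INVALID_PARAMETER_1  -1
#define INT_STATUS_NOT_INITIALIZED_HINT -2
#define INT_STATUS_OUT_OF_RANGE         -3
#define MAX_LIST_ENTRIES             10000   /* limit stated in the docs */

/* Stand-in for the ActiveProcessLinks LIST_ENTRY embedded in _EPROCESS. */
typedef struct LIST_ENTRY { struct LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef int (*IterateCb)(LIST_ENTRY *Entry, uint64_t Aux);
/* Assumed analogue of PsActiveProcessHead: NULL until the head is located. */
static LIST_ENTRY *gActiveProcessHead;

/* Bounded walk of the circular list. Callback errors are not propagated,
 * and a list that never returns to the head (corruption or a cycle) is
 * reported as INT_STATUS_OUT_OF_RANGE instead of spinning forever. */
int IterateGuestProcesses(IterateCb Callback, uint64_t Aux)
{
    if (Callback == NULL) return INT_STATUS_INVALID_PARAMETER_1;
    if (gActiveProcessHead == NULL) return INT_STATUS_NOT_INITIALIZED_HINT;
    size_t count = 0;
    for (LIST_ENTRY *e = gActiveProcessHead->Flink; e != gActiveProcessHead; e = e->Flink) {
        if (e == NULL || ++count > MAX_LIST_ENTRIES) return INT_STATUS_OUT_OF_RANGE;
        (void)Callback(e, Aux);   /* return value deliberately ignored */
    }
    return INT_STATUS_SUCCESS;
}

/* Constructed sample guest list: head plus n entries; with loop set, the
 * last entry points back to the first instead of the head (a cycle). */
static LIST_ENTRY gHead, gEntries[4];
static void BuildSampleList(int n, int loop)
{
    gHead.Flink = gHead.Blink = &gHead;
    for (int i = 0; i < n; i++) {
        gEntries[i].Flink = (i + 1 < n) ? &gEntries[i + 1] : &gHead;
        gEntries[i].Blink = (i > 0) ? &gEntries[i - 1] : &gHead;
    }
    if (n > 0) { gHead.Flink = &gEntries[0]; gHead.Blink = &gEntries[n - 1]; }
    if (loop && n > 0) gEntries[n - 1].Flink = &gEntries[0];
    gActiveProcessHead = &gHead;
}

/* Test drivers: count visited entries with a callback that returns an error. */
static int gSeen;
static int CountCb(LIST_ENTRY *E, uint64_t A) { (void)E; (void)A; gSeen++; return -99; }
int SampleWalk(int n, int loop) { gSeen = 0; BuildSampleList(n, loop); return IterateGuestProcesses(CountCb, 0); }
int WalkWithoutHead(void) { gActiveProcessHead = NULL; return IterateGuestProcesses(CountCb, 0); }
```

On the cyclic sample the callback is invoked exactly MAX_LIST_ENTRIES times before the walk gives up, which is the behaviour a defender wants from an introspection engine parsing untrusted guest structures.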

void IntWinProcLstInsertProcess (WIN_PROCESS_OBJECT *Process)
Inserts a WIN_PROCESS_OBJECT structure into the process lists and trees.
This will add the process to the gWinProcesses list, and to the gWinProcTreeCr3, gWinProcTreeUserCr3, and gWinProcTreeEprocess trees.
Parameters:
    [in] Process  The process to be inserted.
Definition at line 46 of file winprocesshp.c.
Referenced by IntWinProcCreateProcessObject().

void IntWinProcLstRemoveProcess (WIN_PROCESS_OBJECT *Process)
Removes a WIN_PROCESS_OBJECT structure from the process lists and trees.
This will remove the process from the gWinProcesses list, and from the gWinProcTreeCr3, gWinProcTreeUserCr3, and gWinProcTreeEprocess trees.
Parameters:
    [in] Process  The process to be removed.
Definition at line 73 of file winprocesshp.c.
Referenced by IntWinProcDeleteProcessObject(), and IntWinProcUninit().

void IntWinProcLstUnsafeReInit (void)
Reinitializes the Windows process lists and trees, without doing any cleanup.
This resets the gWinProcesses list and the gWinProcTreeCr3, gWinProcTreeUserCr3, and gWinProcTreeEprocess trees. This function does no cleanup: any processes still inside the list or trees will not be freed, the hooks placed in their context will not be removed, and so on.
Definition at line 22 of file winprocesshp.c.

INTSTATUS IntWinProcMapEprocess (QWORD Eprocess, void **Ptr)
Maps a _EPROCESS structure.
This will map the minimum size necessary for Introcore to parse an _EPROCESS. IntVirtMemUnmap must be used to unmap a mapped process.
Parameters:
    [in]  Eprocess  Guest virtual address of the _EPROCESS structure to be mapped.
    [out] Ptr       On success, will contain a pointer to the mapped memory.
Definition at line 1142 of file winprocesshp.c.
Referenced by IntWinProcAdd(), IntWinProcHandleCreateInternal(), and IntWinProcSwapIn().

int IntWinProcRbTreeNodeCompareCr3 (RBNODE const *Left, RBNODE const *Right)
Definition at line 735 of file winprocesshp.c.
Referenced by IntWinProcLstUnsafeReInit().

int IntWinProcRbTreeNodeCompareEproc (RBNODE const *Left, RBNODE const *Right)
Definition at line 789 of file winprocesshp.c.
Referenced by IntWinProcLstUnsafeReInit().

int IntWinProcRbTreeNodeCompareUserCr3 (RBNODE const *Left, RBNODE const *Right)
Definition at line 762 of file winprocesshp.c.
Referenced by IntWinProcLstUnsafeReInit().

void IntWinProcRbTreeNodeFree (RBNODE *Node)
The NodeFree routine for the process RBTREE structures.
Definition at line 723 of file winprocesshp.c.
Referenced by IntWinProcLstUnsafeReInit().

LIST_HEAD gWinProcesses = LIST_HEAD_INIT(gWinProcesses)
The list of all the processes inside the guest.
Definition at line 11 of file winprocesshp.c.

RBTREE gWinProcTreeCr3 = RB_TREE_INIT(gWinProcTreeCr3, IntWinProcRbTreeNodeFree, IntWinProcRbTreeNodeCompareCr3)
Tree of all the processes inside the guest, using the kernel CR3 as the key.
Definition at line 13 of file winprocesshp.c.

RBTREE gWinProcTreeEprocess
Tree of all the processes inside the guest, using the _EPROCESS address as the key.
Definition at line 18 of file winprocesshp.c.

RBTREE gWinProcTreeUserCr3
Tree of all the processes inside the guest, using the user-mode CR3 as the key.
Definition at line 15 of file winprocesshp.c.