Bitdefender Hypervisor Memory Introspection
#include "intro_types.h"
Data Structures
struct _SID_INTERNAL
    The internal representation of the SID structure.
struct _ACE_BODY
    The internal representation of an Access Control Entry body.
Macros
#define INT_STD_ACE_MAX_SIZE 0x14
    The maximum size of a standard access control entry (empirically chosen value).
#define COPY_ACL_TO_INTRO_ACL(Acl, IntroAcl)
    Converts an ACL to an INTRO_ACL.
Typedefs
typedef struct _WIN_PROCESS_OBJECT WIN_PROCESS_OBJECT
typedef struct _WIN_PROCESS_OBJECT * PWIN_PROCESS_OBJECT
typedef struct _SID_INTERNAL SID_INTERNAL
    The internal representation of the SID structure.
typedef struct _SID_INTERNAL * PSID_INTERNAL
typedef struct _ACE_BODY ACE_BODY
    The internal representation of an Access Control Entry body.
typedef struct _ACE_BODY * PACE_BODY
Functions
INTSTATUS IntWinSDProtectSecDesc (WIN_PROCESS_OBJECT *Process)
    This function saves the security descriptor address and ACLs into the WIN_PROCESS_OBJECT structure.
INTSTATUS IntWinSDCheckIntegrity (void)
    This function checks the integrity of the security descriptor for all the processes inside gWinProcesses.
BOOLEAN IntWinSDIsSecDescPtrAltered (WIN_PROCESS_OBJECT *Process, WIN_PROCESS_OBJECT **VictimProcess, QWORD *OldValue, QWORD *NewValue)
    This function checks whether the security descriptor pointer of a process has been altered.
BOOLEAN IntWinSDIsAclEdited (WIN_PROCESS_OBJECT *Process, DWORD BufferSize, BYTE *SecurityDescriptorBuffer, DWORD *ReadSize, ACL **NewSacl, ACL **NewDacl)
    This function reads the ACLs for the given process (returning the data through the provided buffer and the Sacl/Dacl pointers) and compares them with the ones stored within the WIN_PROCESS_OBJECT structure.
INTSTATUS IntWinSDReadSecDesc (QWORD SecurityDescriptorGva, DWORD BufferSize, BYTE *SecurityDescriptorBuffer, DWORD *ReadSize, ACL **Sacl, ACL **Dacl)
    This function reads the ACLs (along with the ACEs) from the given GVA and returns the data through the provided buffer and the Sacl/Dacl pointers.
#define COPY_ACL_TO_INTRO_ACL(Acl, IntroAcl)
Converts an ACL to an INTRO_ACL.
Internally, Windows uses an Access Control List (ACL) structure that carries reserved zero-padding fields (Sbz1 and Sbz2) alongside the revision, size and ACE count. Since the integrator only needs the meaningful fields, a second structure, INTRO_ACL, exposes just those. This macro copies the relevant fields of an ACL into an INTRO_ACL.
Definition at line 21 of file winsecdesc.h.
Referenced by IntAlertFillDpiExtraInfo().
#define INT_STD_ACE_MAX_SIZE 0x14
The maximum size of a standard access control entry (empirically chosen value). 0x14 (20) bytes is exactly a 4-byte ACE_HEADER, a 4-byte ACCESS_MASK and a 12-byte SID with a single sub-authority; an ACE whose SID carries more sub-authorities is larger than this.
Definition at line 11 of file winsecdesc.h.
Referenced by IntWinSDProcessAcl().
typedef struct _SID_INTERNAL * PSID_INTERNAL
typedef struct _WIN_PROCESS_OBJECT * PWIN_PROCESS_OBJECT
Definition at line 27 of file winsecdesc.h.
typedef struct _SID_INTERNAL SID_INTERNAL
The internal representation of the SID structure.
typedef struct _WIN_PROCESS_OBJECT WIN_PROCESS_OBJECT
Definition at line 27 of file winsecdesc.h.
INTSTATUS IntWinSDCheckIntegrity (void)
This function checks the integrity of the security descriptor for all the processes inside gWinProcesses.
INT_STATUS_SUCCESS | On success.
Definition at line 1656 of file winsecdesc.c.
Referenced by IntHandleTimer().
BOOLEAN IntWinSDIsAclEdited (WIN_PROCESS_OBJECT *Process, DWORD BufferSize, BYTE *SecurityDescriptorBuffer, DWORD *ReadSize, ACL **NewSacl, ACL **NewDacl)
This function reads the ACLs for the given process (returning the data through the provided buffer and the Sacl/Dacl pointers) and then compares the read data with the copy stored within the WIN_PROCESS_OBJECT structure.
[in] | Process | The process to check the ACL integrity for.
[in] | BufferSize | The size in bytes of the given buffer (SecurityDescriptorBuffer).
[out] | SecurityDescriptorBuffer | The buffer where the ACLs (along with the ACEs) will be stored.
[out] | ReadSize | The size in bytes of the returned security descriptor.
[out] | NewSacl | The current SACL header.
[out] | NewDacl | The current DACL header.
Definition at line 916 of file winsecdesc.c.
Referenced by IntWinDpiValidateParentAclEdit(), and IntWinSDCheckAclIntegrity().
BOOLEAN IntWinSDIsSecDescPtrAltered (WIN_PROCESS_OBJECT *Process, WIN_PROCESS_OBJECT **VictimProcess, QWORD *OldValue, QWORD *NewValue)
This function checks whether the security descriptor pointer of a process has been altered.
[in] | Process | The process to query the information for.
[out] | VictimProcess | The process whose security descriptor was stolen (NULL if the security descriptor was not altered, or if it was altered but the new value is not the security descriptor of a known process).
[out] | OldValue | The original security descriptor pointer value.
[out] | NewValue | The current security descriptor pointer value.
TRUE | The security descriptor pointer has been altered.
FALSE | The security descriptor pointer has NOT been altered.
Definition at line 829 of file winsecdesc.c.
Referenced by IntWinDpiValidateParentSecDesc(), and IntWinSDCheckSecDescIntegrity().
INTSTATUS IntWinSDProtectSecDesc (WIN_PROCESS_OBJECT *Process)
This function saves the security descriptor address and ACLs into the WIN_PROCESS_OBJECT structure.
[in] | Process | The process to save the security descriptor for.
INT_STATUS_SUCCESS | On success.
INT_STATUS_INVALID_PARAMETER_1 | If the given Process is NULL.
Definition at line 750 of file winsecdesc.c.
Referenced by IntWinProcCreateProcessObject().
INTSTATUS IntWinSDReadSecDesc (QWORD SecurityDescriptorGva, DWORD BufferSize, BYTE *SecurityDescriptorBuffer, DWORD *ReadSize, ACL **Sacl, ACL **Dacl)
This function reads the ACLs (along with the ACEs) from the given GVA and returns the data through the provided buffer and the Sacl/Dacl pointers. It first reads the SECURITY_DESCRIPTOR structure that acts as a header, then the SACL header, and then uses the SACL size to locate the DACL. If an attacker has altered the SACL/DACL size so that the descriptor no longer fits in the given buffer, the function fails with INT_STATUS_DATA_BUFFER_TOO_SMALL; callers should check the returned Sacl/Dacl values in that case, since a size inflated past the buffer is itself a sign of tampering rather than a plain read error.
[in] | SecurityDescriptorGva | The GVA of the security descriptor.
[in] | BufferSize | The size in bytes of the given buffer (SecurityDescriptorBuffer).
[out] | SecurityDescriptorBuffer | The buffer where the ACLs (along with the ACEs) will be stored.
[out] | ReadSize | The size in bytes of the returned security descriptor.
[out] | Sacl | Points to the SACL header inside SecurityDescriptorBuffer.
[out] | Dacl | Points to the DACL header inside SecurityDescriptorBuffer.
INT_STATUS_SUCCESS | On success.
INT_STATUS_PAGE_NOT_PRESENT | If the given GVA is not mapped.
INT_STATUS_DATA_BUFFER_TOO_SMALL | If the security descriptor is larger than the provided buffer.
Definition at line 362 of file winsecdesc.c.
Referenced by IntWinDpiValidateParentSecDesc(), IntWinSDCheckAclIntegrity(), IntWinSDCheckSecDescIntegrity(), IntWinSDGatherAcl(), and IntWinSDIsAclEdited().
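The read-and-validate sequence described for IntWinSDReadSecDesc, together with the saved-versus-current ACL comparison that IntWinSDIsAclEdited performs, as an added example in C. This is not HVMI project code: the SECURITY_DESCRIPTOR_RELATIVE, ACL and ACE_HEADER field layouts are the documented Windows ones, the placement of the SACL directly after the descriptor header with the DACL found from the SACL size follows the description above and is an assumption of this example, and the status codes, function names and the constructed 100-byte descriptor are this example's own. It rejects a descriptor whose inflated AclSize (or an AceSize pointing past its ACL) no longer fits the buffer, and flags a DACL that has gained an ACE since the snapshot was taken.

```c
/* Added example (not HVMI project code): parse a self-relative SECURITY_DESCRIPTOR
 * snapshot as IntWinSDReadSecDesc is described (SD header, then SACL header, SACL size
 * leads to the DACL; assumed layout), reject anything that no longer fits the buffer,
 * and diff a saved ACL against a re-read one as IntWinSDIsAclEdited does.
 * Field offsets are the documented Windows layouts; status codes and names are ours. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { ST_OK = 0, ST_BUFFER_TOO_SMALL = 1, ST_MALFORMED = 2 };   /* this example's own codes */
enum { SE_DACL_PRESENT = 0x0004, SE_SACL_PRESENT = 0x0010 };    /* SECURITY_DESCRIPTOR_CONTROL bits */
enum { SD_HDR_SIZE = 20, ACL_HDR_SIZE = 8, ACE_HDR_SIZE = 4 };  /* SECURITY_DESCRIPTOR_RELATIVE, ACL, ACE_HEADER */

static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }

/* One ACL at `off`: header in bounds, AclSize in bounds, every ACE inside AclSize. */
static int check_acl(const uint8_t *buf, uint32_t size, uint32_t off)
{
    if (off + ACL_HDR_SIZE > size) return ST_BUFFER_TOO_SMALL;
    uint32_t acl_size = rd16(buf + off + 2), aces = rd16(buf + off + 4);
    if (acl_size < ACL_HDR_SIZE) return ST_MALFORMED;
    if (off + acl_size > size) return ST_BUFFER_TOO_SMALL;      /* inflated AclSize */
    uint32_t pos = off + ACL_HDR_SIZE, end = off + acl_size;
    for (uint32_t i = 0; i < aces; i++) {
        if (pos + ACE_HDR_SIZE > end) return ST_MALFORMED;
        uint32_t ace_size = rd16(buf + pos + 2);
        if (ace_size < ACE_HDR_SIZE || pos + ace_size > end) return ST_MALFORMED;
        pos += ace_size;
    }
    return ST_OK;
}

/* Returns the SACL/DACL header offsets (0 = absent; offset 0 is the SD header itself). */
int parse_sec_desc(const uint8_t *buf, uint32_t size, uint32_t *read_size,
                   uint32_t *sacl_off, uint32_t *dacl_off)
{
    *read_size = *sacl_off = *dacl_off = 0;
    if (size < SD_HDR_SIZE) return ST_BUFFER_TOO_SMALL;
    uint16_t control = rd16(buf + 2);
    uint32_t off = SD_HDR_SIZE;
    if (control & SE_SACL_PRESENT) {
        int st = check_acl(buf, size, off);
        if (st != ST_OK) return st;
        *sacl_off = off;
        off += rd16(buf + off + 2);                                /* SACL size -> DACL */
    }
    if (control & SE_DACL_PRESENT) {
        int st = check_acl(buf, size, off);
        if (st != ST_OK) return st;
        *dacl_off = off;
        off += rd16(buf + off + 2);
    }
    *read_size = off;
    return ST_OK;
}

/* Integrity rule: header and every ACE of the saved ACL must be byte-identical now. */
int acl_edited(const uint8_t *saved, const uint8_t *current)
{
    uint16_t a = rd16(saved + 2), b = rd16(current + 2);
    return a != b || memcmp(saved, current, a) != 0;
}

/* Constructed snapshot (100 bytes): SACL with one 0x14-byte mandatory-label ACE, DACL
 * granting SYSTEM (S-1-5-18) and Administrators (S-1-5-32-544) 0x1fffff access. */
static const uint8_t kSavedSd[] = {
    0x01,0x00, 0x14,0x80, 0,0,0,0, 0,0,0,0, 20,0,0,0, 48,0,0,0,       /* SD header   */
    0x02,0x00, 28,0, 1,0, 0,0,                                         /* SACL header */
    0x11,0x00,20,0, 0x03,0,0,0, 1,1,0,0,0,0,0,16, 0x00,0x20,0,0,       /* S-1-16-8192 */
    0x02,0x00, 52,0, 2,0, 0,0,                                         /* DACL header */
    0x00,0x00,20,0, 0xff,0xff,0x1f,0, 1,1,0,0,0,0,0,5, 18,0,0,0,       /* SYSTEM      */
    0x00,0x00,24,0, 0xff,0xff,0x1f,0, 1,2,0,0,0,0,0,5, 32,0,0,0, 0x20,0x02,0,0 /* Admins */
};

int scenario_intact(void)            /* untouched snapshot re-read: returns 0 */
{
    uint32_t n, s, d;
    if (parse_sec_desc(kSavedSd, sizeof kSavedSd, &n, &s, &d) != ST_OK) return -1;
    return (n == 100 && s == 20 && d == 48 && !acl_edited(kSavedSd + d, kSavedSd + d)) ? 0 : -1;
}
int scenario_inflated_dacl(void)     /* attacker sets DACL AclSize = 0x200: ST_BUFFER_TOO_SMALL */
{
    uint8_t cur[sizeof kSavedSd]; uint32_t n, s, d;
    memcpy(cur, kSavedSd, sizeof cur);
    cur[48 + 2] = 0x00; cur[48 + 3] = 0x02;
    return parse_sec_desc(cur, sizeof cur, &n, &s, &d);
}
int scenario_ace_appended(void)      /* attacker appends Everyone (S-1-1-0) full control: 1 */
{
    static const uint8_t everyone[] = { 0,0,20,0, 0xff,0xff,0x1f,0, 1,1,0,0,0,0,0,1, 0,0,0,0 };
    uint8_t cur[sizeof kSavedSd + sizeof everyone]; uint32_t n, s, d;
    memcpy(cur, kSavedSd, sizeof kSavedSd);
    memcpy(cur + sizeof kSavedSd, everyone, sizeof everyone);
    cur[48 + 2] = 52 + 20; cur[48 + 4] = 3;                            /* AclSize 72, AceCount 3 */
    if (parse_sec_desc(cur, sizeof cur, &n, &s, &d) != ST_OK) return -1;
    return acl_edited(kSavedSd + 48, cur + d);
}

int main(void)
{
    printf("intact=%d inflated=%d appended=%d\n", scenario_intact(), scenario_inflated_dacl(), scenario_ace_appended());
    return 0;
}
```

Build with `cc -std=c11 -Wall example.c`. The two failure paths are deliberately distinct: a size that runs past the buffer is reported as ST_BUFFER_TOO_SMALL, mirroring the INT_STATUS_DATA_BUFFER_TOO_SMALL behaviour described above, while an ACE whose AceSize runs past its own ACL is reported as ST_MALFORMED so that a walker never reads outside the ACL it was handed.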