Bitdefender Hypervisor Memory Introspection
winsecdesc.h
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2020 Bitdefender
3  * SPDX-License-Identifier: Apache-2.0
4  */
5 #ifndef _WINSECDESC_H_
6 #define _WINSECDESC_H_
7 
8 #include "intro_types.h"
9 
11 #define INT_STD_ACE_MAX_SIZE 0x14
12 
21 #define COPY_ACL_TO_INTRO_ACL(Acl, IntroAcl) do { \
22  IntroAcl.AclRevision = Acl.AclRevision; \
23  IntroAcl.AclSize = Acl.AclSize; \
24  IntroAcl.AceCount = Acl.AceCount; \
25  } while(0);
26 
27 typedef struct _WIN_PROCESS_OBJECT WIN_PROCESS_OBJECT, *PWIN_PROCESS_OBJECT;
28 
30 typedef struct _SID_INTERNAL
31 {
33  UCHAR Revision;
35  UCHAR SubAuthorityCount;
37  SID_IDENTIFIER_AUTHORITY IdentifierAuthority;
38 } SID_INTERNAL, *PSID_INTERNAL;
39 
41 typedef struct _ACE_BODY
42 {
44  DWORD Mask;
46  SID_INTERNAL Sid;
47 } ACE_BODY, *PACE_BODY;
48 
49 INTSTATUS
50 IntWinSDProtectSecDesc(
51  _Inout_ WIN_PROCESS_OBJECT *Process
52  );
53 
54 INTSTATUS
55 IntWinSDCheckIntegrity(
56  void
57  );
58 
59 _Success_(return == TRUE)
60 BOOLEAN
61 IntWinSDIsSecDescPtrAltered(
62  _In_ WIN_PROCESS_OBJECT *Process,
63  _Inout_opt_ WIN_PROCESS_OBJECT **VictimProcess,
64  _Out_opt_ QWORD *OldValue,
65  _Out_opt_ QWORD *NewValue
66  );
67 
68 _Success_(return == TRUE)
69 BOOLEAN
70 IntWinSDIsAclEdited(
71  _In_ WIN_PROCESS_OBJECT *Process,
72  _In_ DWORD BufferSize,
73  _Out_writes_bytes_(BufferSize) BYTE *SecurityDescriptorBuffer,
74  _Out_ DWORD *ReadSize,
75  _Out_ ACL **NewSacl,
76  _Out_ ACL **NewDacl
77  );
78 
79 INTSTATUS
80 IntWinSDReadSecDesc(
81  _In_ QWORD SecurityDescriptorGva,
82  _In_ DWORD BufferSize,
83  _Out_writes_bytes_(BufferSize) BYTE *SecurityDescriptorBuffer,
84  _Out_ DWORD *ReadSize,
85  _Out_ ACL **Sacl,
86  _Out_ ACL **Dacl
87  );
88 
89 #endif //_WINSECDESC_H_
_Out_
#define _Out_
Definition: intro_sal.h:22
BOOLEAN
_Bool BOOLEAN
Definition: intro_types.h:58
IntWinSDIsAclEdited
BOOLEAN IntWinSDIsAclEdited(WIN_PROCESS_OBJECT *Process, DWORD BufferSize, BYTE *SecurityDescriptorBuffer, DWORD *ReadSize, ACL **NewSacl, ACL **NewDacl)
This function reads the ACLs for the given process (returning the data using the provided buffer and ...
Definition: winsecdesc.c:916
_ACE_BODY::Mask
DWORD Mask
The access mask of the given SID (https://docs.microsoft.com/en-us/windows/win32/secauthz/access-mask...
Definition: winsecdesc.h:44
BYTE
uint8_t BYTE
Definition: intro_types.h:47
_In_
#define _In_
Definition: intro_sal.h:21
_Out_writes_bytes_
#define _Out_writes_bytes_(expr)
Definition: intro_sal.h:38
_Success_
#define _Success_(expr)
Definition: intro_sal.h:47
PWIN_PROCESS_OBJECT
struct _WIN_PROCESS_OBJECT * PWIN_PROCESS_OBJECT
Definition: winsecdesc.h:27
PACE_BODY
struct _ACE_BODY * PACE_BODY
intro_types.h
Exposes the types and constants used by various Introcore APIs defined in glueiface.h.
ACE_BODY
struct _ACE_BODY ACE_BODY
The internal representation of an Access Control Entry body.
INTSTATUS
int INTSTATUS
The status data type.
Definition: introstatus.h:24
SID_INTERNAL
struct _SID_INTERNAL SID_INTERNAL
The internal representation of the SID structure.
_SID_INTERNAL::Revision
UCHAR Revision
S-1-5-32-554 - The SID revision (in this case 1).
Definition: winsecdesc.h:33
_ACL
An access control list.
Definition: wddefs.h:637
_SID_INTERNAL::IdentifierAuthority
SID_IDENTIFIER_AUTHORITY IdentifierAuthority
S-1-5-32-554 - The authority (in this case 5).
Definition: winsecdesc.h:37
_Inout_opt_
#define _Inout_opt_
Definition: intro_sal.h:31
_Inout_
#define _Inout_
Definition: intro_sal.h:20
_Out_opt_
#define _Out_opt_
Definition: intro_sal.h:30
IntWinSDIsSecDescPtrAltered
BOOLEAN IntWinSDIsSecDescPtrAltered(WIN_PROCESS_OBJECT *Process, WIN_PROCESS_OBJECT **VictimProcess, QWORD *OldValue, QWORD *NewValue)
This function checks if the security descriptor pointer of a process has been altered or not...
Definition: winsecdesc.c:829
QWORD
unsigned long long QWORD
Definition: intro_types.h:53
_ACE_BODY::Sid
SID_INTERNAL Sid
The containing SID.
Definition: winsecdesc.h:46
TRUE
#define TRUE
Definition: intro_types.h:30
UCHAR
unsigned char UCHAR
Definition: intro_types.h:55
PSID_INTERNAL
struct _SID_INTERNAL * PSID_INTERNAL
IntWinSDCheckIntegrity
INTSTATUS IntWinSDCheckIntegrity(void)
This function checks the integrity of the security descriptor for all the processes inside gWinProces...
Definition: winsecdesc.c:1656
DWORD
uint32_t DWORD
Definition: intro_types.h:49
_SID_INTERNAL::SubAuthorityCount
UCHAR SubAuthorityCount
S-1-5-32-554 - The number of sub authorities (in this case 2 -> sub-authority 32 and sub-authority 54...
Definition: winsecdesc.h:35
IntWinSDReadSecDesc
INTSTATUS IntWinSDReadSecDesc(QWORD SecurityDescriptorGva, DWORD BufferSize, BYTE *SecurityDescriptorBuffer, DWORD *ReadSize, ACL **Sacl, ACL **Dacl)
This function reads the ACLs (along with the ACEs) from the given GVA and returns the data using the ...
Definition: winsecdesc.c:362
IntWinSDProtectSecDesc
INTSTATUS IntWinSDProtectSecDesc(WIN_PROCESS_OBJECT *Process)
This function saves the security descriptor address and ACLs into the WIN_PROCESS_OBJECT structure...
Definition: winsecdesc.c:750
_SID_IDENTIFIER_AUTHORITY
Definition: wddefs.h:607
_ACE_BODY
The internal representation of an Access Control Entry body.
Definition: winsecdesc.h:41
_SID_INTERNAL
The internal representation of the SID structure.
Definition: winsecdesc.h:30
_WIN_PROCESS_OBJECT
This structure describes a running process inside the guest.
Definition: winprocess.h:83