Bitdefender Hypervisor Memory Introspection
Exposes the functions used to provide Windows thread-related support.
#include "introtypes.h"
Functions

INTSTATUS IntWinThrIterateThreads (QWORD Eprocess, PFUNC_IterateListCallback Callback, QWORD Aux)
    Iterate all the threads of the given process and invoke the callback for each one of them, passing the auxiliary value as a parameter.

INTSTATUS IntWinThrGetCurrentThread (DWORD CpuNumber, QWORD *EthreadAddress)
    Get the ETHREAD structure address of the thread currently running on the given CPU.

INTSTATUS IntWinThrGetCurrentTib (IG_CS_RING CurrentRing, IG_CS_TYPE CsType, QWORD *Tib)
    Obtain the TIB (Thread Information Block) of the thread running on the current CPU.

INTSTATUS IntWinThrGetUmStackBaseAndLimitFromTib (QWORD Tib, IG_CS_TYPE CsType, QWORD Cr3, QWORD *StackBase, QWORD *StackLimit)
    Obtains the user mode stack base and stack limit values from a TIB.

INTSTATUS IntWinThrGetCurrentStackBaseAndLimit (QWORD *TibBase, QWORD *StackBase, QWORD *StackLimit)
    Obtains the stack base, stack limit and TIB address of the current thread.

INTSTATUS IntWinThrHandleThreadHijack (void *Detour)
    Handles a SetContextThread call, blocking thread hijacking. Thread hijacking is one approach to the process injection technique, which allows an attacker to execute arbitrary code in the context of another process. An attacker achieves this by opening a victim process, writing malicious code into its memory, suspending a running thread and modifying the thread's execution context so that it runs the malicious code once the thread is resumed. If PROC_OPT_PROT_SET_THREAD_CTX is set, this detour handler blocks malicious SetContextThread calls and sends an alert.

INTSTATUS IntWinThrHandleQueueApc (void *Detour)
    Handles an NtQueueApcThreadEx call, blocking process injections. Asynchronous Procedure Call (APC) injection involves attaching malicious code to the APC queue of a process's thread. Queued APC functions are executed when the thread enters an alertable state. A variation of APC injection, dubbed "Early Bird injection", involves creating a suspended process in which malicious code can be written and executed before the process's entry point (and potentially before subsequent anti-malware hooks) via an APC. AtomBombing is another variation that uses APCs to invoke malicious code previously written to the global atom table. See https://attack.mitre.org/techniques/T1055/.

INTSTATUS IntWinThrPrepareApcHandler (QWORD FunctionAddress, void *Handler, void *Descriptor)
    This function is responsible for patching the detour that handles NtQueueApcThreadEx. It is called before the hook is placed into memory in order to "patch" the addresses of guest functions and guest field offsets used by the hook handler. Specifically, it patches the addresses of PsThreadType, ObReferenceObjectByHandle and ObDereferenceObject, the offsets of the AttachedProcess and Process fields of _KTHREAD and of the Spare field of _KPROCESS, and also patches the "retn" instruction accordingly.

INTSTATUS IntWinThrPatchThreadHijackHandler (QWORD FunctionAddress, void *Handler, void *Descriptor)
    This function is responsible for patching the detour that handles PspSetContextThreadInternal. It is called before the hook is placed into memory in order to "patch" the guest field offsets used by the hook handler. Specifically, it patches the offsets of the AttachedProcess and Process fields of _KTHREAD and of the Spare field of _KPROCESS, and also patches the "retn" instruction accordingly.
Definition in file winthread.h.
INTSTATUS IntWinThrGetCurrentStackBaseAndLimit (QWORD *TibBase, QWORD *StackBase, QWORD *StackLimit)

Obtains the stack base, stack limit and TIB address of the current thread.

Parameters:
    [out] TibBase: The TIB address of the thread running on the current CPU.
    [out] StackBase: The stack base of the thread running on the current CPU.
    [out] StackLimit: The stack limit of the thread running on the current CPU.

Return values:
    INT_STATUS_SUCCESS: On success.
    INT_STATUS_NOT_FOUND: The TIB was not found.
Definition at line 321 of file winthread.c.
Referenced by IntExceptGetVictimEpt(), IntWinStackHandleUserStackPagedOut(), and IntWinVadIsExecSuspicious().
INTSTATUS IntWinThrGetCurrentThread (DWORD CpuNumber, QWORD *EthreadAddress)

Get the ETHREAD structure address of the thread currently running on the given CPU.

This function assumes that it is called while the guest is in kernel mode. It only works for the current CPU, or for another CPU if that CPU is paused.

Parameters:
    [in] CpuNumber: The CPU number to get the running thread for (it can be IG_CURRENT_VCPU).
    [out] EthreadAddress: The ETHREAD structure address of the running thread.

Return values:
    INT_STATUS_SUCCESS: On success.
    INT_STATUS_NOT_FOUND: The KPCR (Kernel Processor Control Region) was not found.
Definition at line 26 of file winthread.c.
Referenced by IntAlertFillWinProcess(), IntThrSafeWinGetCurrentStack(), IntWinDpiGetProcessDebugFlag(), IntWinDpiValidateThreadStart(), IntWinModFillInjectionData(), IntWinStackUserTrapFrameGetGeneric(), IntWinSudHandleSudExec(), IntWinThrGetCurrentTib(), and IntWinVadHandlePageExecution().
INTSTATUS IntWinThrGetCurrentTib (IG_CS_RING CurrentRing, IG_CS_TYPE CsType, QWORD *Tib)

Obtain the TIB (Thread Information Block) of the thread running on the current CPU.

Parameters:
    [in] CurrentRing: The current execution ring.
    [in] CsType: The code segment type.
    [out] Tib: The TIB address.

Return values:
    INT_STATUS_SUCCESS: On success.
    INT_STATUS_INVALID_PARAMETER_2: A 64-bit code segment was provided but the guest is not 64-bit.
    INT_STATUS_INVALID_PARAMETER_3: The provided Tib parameter is NULL.
Definition at line 170 of file winthread.c.
Referenced by IntWinCrashHandleDepViolation(), IntWinStackUserCheckIsPivoted(), IntWinStackWow64CheckIsPivoted(), and IntWinThrGetCurrentStackBaseAndLimit().
INTSTATUS IntWinThrGetUmStackBaseAndLimitFromTib (QWORD Tib, IG_CS_TYPE CsType, QWORD Cr3, QWORD *StackBase, QWORD *StackLimit)

Obtains the user mode stack base and stack limit values from a TIB.

Parameters:
    [in] Tib: The TIB address of the thread to get the stack base and limit for.
    [in] CsType: The code segment type (it selects the pointer width used when reading the TIB fields).
    [in] Cr3: The address space (page-table root) in which the TIB is read.
    [out] StackBase: The stack base.
    [out] StackLimit: The stack limit.

Return values:
    INT_STATUS_SUCCESS: On success.
Definition at line 259 of file winthread.c.
Referenced by IntWinCrashHandleDepViolation(), and IntWinStackUserCheckIsPivoted().
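The following is an added example, not HVMI code, showing what the TIB read above provides and what its callers (IntWinStackUserCheckIsPivoted, IntWinCrashHandleDepViolation) do with the result. It assumes the public NT_TIB layout, in which the first three pointer-sized fields are ExceptionList, StackBase and StackLimit, so the code-segment type decides whether StackBase/StackLimit are read at +8/+16 or +4/+8. Guest memory is a constructed flat buffer, the cs_type_t enum stands in for IG_CS_TYPE, and all addresses are made up.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for IG_CS_TYPE (assumption: only the pointer width matters here). */
typedef enum { CS_TYPE_32BIT, CS_TYPE_64BIT } cs_type_t;

/* Constructed stand-in for guest memory: one flat buffer. In the real engine
 * Cr3 selects the address space; this model has only one, so it is unused. */
#define GUEST_MEM_SIZE 0x1000
static uint8_t guest_mem[GUEST_MEM_SIZE];

static bool guest_read(uint64_t cr3, uint64_t gva, void *out, size_t len)
{
    (void)cr3;
    if (gva > GUEST_MEM_SIZE || len > GUEST_MEM_SIZE - gva) /* overflow-safe bounds check */
        return false;
    memcpy(out, &guest_mem[gva], len);
    return true;
}

/* Read StackBase/StackLimit from the TIB at tib, honoring the pointer width of
 * the code segment. Fails on an unreadable TIB or when the pair is not sane
 * (base must lie above limit), which is what a tampered TIB looks like. */
bool tib_stack_bounds(uint64_t tib, cs_type_t cs, uint64_t cr3,
                      uint64_t *stack_base, uint64_t *stack_limit)
{
    if (cs == CS_TYPE_64BIT) {
        uint64_t v[2];                                  /* StackBase, StackLimit at +8, +16 */
        if (!guest_read(cr3, tib + 8, v, sizeof v)) return false;
        *stack_base = v[0]; *stack_limit = v[1];
    } else {
        uint32_t v[2];                                  /* StackBase, StackLimit at +4, +8 */
        if (!guest_read(cr3, tib + 4, v, sizeof v)) return false;
        *stack_base = v[0]; *stack_limit = v[1];
    }
    return *stack_base > *stack_limit;
}

/* The check the bounds feed: a user-mode stack pointer outside
 * [StackLimit, StackBase) means the stack was pivoted (typical ROP setup)
 * or the TIB was corrupted; either way the thread deserves a closer look. */
bool stack_is_pivoted(uint64_t rsp, uint64_t stack_base, uint64_t stack_limit)
{
    return rsp < stack_limit || rsp >= stack_base;
}

/* Plant a constructed TIB in the fake guest memory (ExceptionList, StackBase, StackLimit). */
void write_tib(uint64_t tib, cs_type_t cs, uint64_t stack_base, uint64_t stack_limit)
{
    if (cs == CS_TYPE_64BIT) {
        uint64_t v[3] = { 0, stack_base, stack_limit };
        memcpy(&guest_mem[tib], v, sizeof v);
    } else {
        uint32_t v[3] = { 0, (uint32_t)stack_base, (uint32_t)stack_limit };
        memcpy(&guest_mem[tib], v, sizeof v);
    }
}

int main(void)
{
    uint64_t base, limit;
    /* Constructed 64-bit thread with a 128 KiB stack just below 0x7ff600000000. */
    write_tib(0x100, CS_TYPE_64BIT, 0x7ff600000000ULL, 0x7ff5fffe0000ULL);
    if (!tib_stack_bounds(0x100, CS_TYPE_64BIT, 0x1aa000, &base, &limit)) return 1;
    printf("base=%#llx limit=%#llx\n", (unsigned long long)base, (unsigned long long)limit);
    printf("rsp inside stack: pivoted=%d\n", stack_is_pivoted(0x7ff5ffff8000ULL, base, limit));
    printf("rsp in heap:      pivoted=%d\n", stack_is_pivoted(0xa1c000ULL, base, limit));
    return 0;
}
```

The sanity check on the returned pair matters in an introspection setting: the TIB lives in guest user memory, so an attacker who can write to it can move StackBase/StackLimit around, and a detection that trusts those values blindly can be steered into either a false negative or a crash on an unmapped page.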
INTSTATUS IntWinThrIterateThreads (QWORD Eprocess, PFUNC_IterateListCallback Callback, QWORD Aux)

Iterate all the threads of the given process and invoke the callback for each one of them, passing the auxiliary value as a parameter.

Parameters:
    [in] Eprocess: The EPROCESS address of the process to iterate the threads for.
    [in] Callback: The callback to be invoked for each thread.
    [in] Aux: The auxiliary value to be passed as a parameter to the callback function (can be NULL).

Return values:
    INT_STATUS_SUCCESS: On success.
    INT_STATUS_NOT_SUPPORTED: There were more than THREADS_MAX_COUNT threads (this should not happen).
Definition at line 96 of file winthread.c.
Referenced by IntThrSafeWinInspectWaitingFromGuestList().
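An added example, not HVMI code, of the list walk this function performs and of why the THREADS_MAX_COUNT cap exists. Windows links a process's threads on a circular doubly-linked list (EPROCESS.ThreadListHead and ETHREAD.ThreadListEntry are the real field names; the offsets, the status values, the stride between ETHREADs and the small THREADS_MAX_COUNT below are assumptions for the demo). Guest memory is untrusted from the introspection engine's point of view, so a corrupted or deliberately looped list must end the walk with INT_STATUS_NOT_SUPPORTED instead of spinning forever; the cycle scenario at the end shows that path.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define INT_STATUS_SUCCESS        0      /* demo values, not HVMI's encoding */
#define INT_STATUS_NOT_SUPPORTED  (-1)
#define INT_STATUS_READ_FAILED    (-2)

#define THREADS_MAX_COUNT 8              /* deliberately small for the demo */

#define EPROCESS_THREADLISTHEAD_OFF 0x30 /* assumed offsets */
#define ETHREAD_THREADLISTENTRY_OFF 0x20
#define ETHREAD_STRIDE              0x100

typedef struct { uint64_t Flink, Blink; } LIST_ENTRY;
typedef int (*IterateCallback)(uint64_t Ethread, uint64_t Aux);

/* Constructed stand-in for guest memory. */
#define GUEST_MEM_SIZE 0x2000
static uint8_t guest_mem[GUEST_MEM_SIZE];

static bool guest_read(uint64_t gva, void *out, size_t len)
{
    if (gva > GUEST_MEM_SIZE || len > GUEST_MEM_SIZE - gva) return false;
    memcpy(out, &guest_mem[gva], len);
    return true;
}

static void guest_write(uint64_t gva, const void *in, size_t len)
{
    memcpy(&guest_mem[gva], in, len);
}

/* Walk EPROCESS.ThreadListHead, calling cb(ethread, aux) for each entry. The
 * ETHREAD is recovered from its embedded LIST_ENTRY the way CONTAINING_RECORD
 * does: entry address minus the field offset. */
int iterate_threads(uint64_t eprocess, IterateCallback cb, uint64_t aux)
{
    uint64_t head = eprocess + EPROCESS_THREADLISTHEAD_OFF;
    LIST_ENTRY le;
    size_t count = 0;

    if (!guest_read(head, &le, sizeof le)) return INT_STATUS_READ_FAILED;

    for (uint64_t cur = le.Flink; cur != head; cur = le.Flink) {
        if (++count > THREADS_MAX_COUNT)          /* cycle or absurd count: bail out */
            return INT_STATUS_NOT_SUPPORTED;
        int st = cb(cur - ETHREAD_THREADLISTENTRY_OFF, aux);
        if (st != INT_STATUS_SUCCESS) return st;  /* the callback may stop the walk */
        if (!guest_read(cur, &le, sizeof le)) return INT_STATUS_READ_FAILED;
    }
    return INT_STATUS_SUCCESS;
}

/* Lay out a constructed process with n threads, one stride apart, on a
 * well-formed circular list. */
void build_process(uint64_t eprocess, size_t n)
{
    uint64_t head = eprocess + EPROCESS_THREADLISTHEAD_OFF;
    LIST_ENTRY empty = { head, head };
    uint64_t prev = head;

    memset(guest_mem, 0, sizeof guest_mem);
    guest_write(head, &empty, sizeof empty);
    for (size_t i = 0; i < n; i++) {
        uint64_t entry = eprocess + ETHREAD_STRIDE * (i + 1) + ETHREAD_THREADLISTENTRY_OFF;
        LIST_ENTRY le = { head, prev };
        guest_write(entry, &le, sizeof le);
        guest_write(prev, &entry, sizeof entry);  /* prev->Flink = entry */
        prev = entry;
    }
    guest_write(head + 8, &prev, sizeof prev);    /* head->Blink = last entry */
}

/* Simulated tampering: point thread `victim` back at thread 0, creating a cycle. */
void corrupt_list(uint64_t eprocess, size_t victim)
{
    uint64_t first = eprocess + ETHREAD_STRIDE + ETHREAD_THREADLISTENTRY_OFF;
    uint64_t entry = eprocess + ETHREAD_STRIDE * (victim + 1) + ETHREAD_THREADLISTENTRY_OFF;
    guest_write(entry, &first, sizeof first);
}

static int count_cb(uint64_t ethread, uint64_t aux)
{
    (void)ethread;
    (*(size_t *)(uintptr_t)aux)++;
    return INT_STATUS_SUCCESS;
}

/* Count threads through the walker; *out is only meaningful on INT_STATUS_SUCCESS. */
int count_threads(uint64_t eprocess, size_t *out)
{
    *out = 0;
    return iterate_threads(eprocess, count_cb, (uint64_t)(uintptr_t)out);
}

int main(void)
{
    size_t n;
    build_process(0x1000, 3);
    int st = count_threads(0x1000, &n);
    printf("intact:    status=%d threads=%zu\n", st, n);
    corrupt_list(0x1000, 2);
    st = count_threads(0x1000, &n);
    printf("corrupted: status=%d visited=%zu\n", st, n);
    return 0;
}
```

On the corrupted list the walk visits THREADS_MAX_COUNT entries and then returns INT_STATUS_NOT_SUPPORTED; without the cap it would never terminate. Callers such as IntThrSafeWinInspectWaitingFromGuestList should treat that status as "the list cannot be trusted", not as "the process has no threads".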