Bitdefender Hypervisor Memory Introspection
winthread.h
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2020 Bitdefender
3  * SPDX-License-Identifier: Apache-2.0
4  */
10 
11 #ifndef _WINTHREAD_H_
12 #define _WINTHREAD_H_
13 
14 #include "introtypes.h"
15 
16 INTSTATUS
17 IntWinThrIterateThreads(
18  _In_ QWORD Eprocess,
19  _In_ PFUNC_IterateListCallback Callback,
20  _In_ QWORD Aux
21  );
22 
23 INTSTATUS
24 IntWinThrGetCurrentThread(
25  _In_ DWORD CpuNumber,
26  _Out_ QWORD *EthreadAddress
27  );
28 
29 INTSTATUS
30 IntWinThrGetCurrentTib(
31  _In_ IG_CS_RING CurrentRing,
32  _In_ IG_CS_TYPE CsType,
33  _Out_ QWORD *Tib
34  );
35 
36 INTSTATUS
37 IntWinThrGetUmStackBaseAndLimitFromTib(
38  _In_ QWORD Tib,
39  _In_ IG_CS_TYPE CsType,
40  _In_ QWORD Cr3,
41  _Out_ QWORD *StackBase,
42  _Out_ QWORD *StackLimit
43  );
44 
45 INTSTATUS
46 IntWinThrGetCurrentStackBaseAndLimit(
47  _Out_ QWORD *TibBase,
48  _Out_ QWORD *StackBase,
49  _Out_ QWORD *StackLimit
50  );
51 
52 INTSTATUS
53 IntWinThrHandleThreadHijack(
54  _In_ void *Detour
55  );
56 
57 INTSTATUS
58 IntWinThrHandleQueueApc(
59  _In_ void *Detour
60  );
61 
62 INTSTATUS
63 IntWinThrPrepareApcHandler(
64  _In_ QWORD FunctionAddress,
65  _Inout_ void *Handler,
66  _In_ void *Descriptor
67  );
68 
69 INTSTATUS
70 IntWinThrPatchThreadHijackHandler(
71  _In_ QWORD FunctionAddress,
72  _Inout_ void *Handler,
73  _In_ void *Descriptor
74  );
75 
76 #endif // _WINTHREAD_H_
_Out_
#define _Out_
Definition: intro_sal.h:22
IntWinThrGetCurrentStackBaseAndLimit
INTSTATUS IntWinThrGetCurrentStackBaseAndLimit(QWORD *TibBase, QWORD *StackBase, QWORD *StackLimit)
Obtains the stack base, stack limit and TIB address of the current thread.
Definition: winthread.c:321
_In_
#define _In_
Definition: intro_sal.h:21
IntWinThrPatchThreadHijackHandler
INTSTATUS IntWinThrPatchThreadHijackHandler(QWORD FunctionAddress, void *Handler, void *Descriptor)
This functions is responsible for patching the detour that handles the "PspSetContextThreadInternal"...
Definition: winthread.c:1036
IntWinThrGetCurrentTib
INTSTATUS IntWinThrGetCurrentTib(IG_CS_RING CurrentRing, IG_CS_TYPE CsType, QWORD *Tib)
Obtain the TIB (Thread Information Block) of the thread running on the current CPU.
Definition: winthread.c:170
IntWinThrGetCurrentThread
INTSTATUS IntWinThrGetCurrentThread(DWORD CpuNumber, QWORD *EthreadAddress)
Get the ETHREAD structure address of the thread currently running on the given CPU.
Definition: winthread.c:26
IntWinThrHandleQueueApc
INTSTATUS IntWinThrHandleQueueApc(void *Detour)
Handles a NtQueueApcThreadEx call - blocking process injections.Asynchronous Procedure Call (APC) inj...
Definition: winthread.c:758
INTSTATUS
int INTSTATUS
The status data type.
Definition: introstatus.h:24
IG_CS_RING
IG_CS_RING
The current protection level.
Definition: glueiface.h:195
IntWinThrHandleThreadHijack
INTSTATUS IntWinThrHandleThreadHijack(void *Detour)
Handles a SetContextThread call - blocking thread hijacking.Thread hijacking (amongst others) is an a...
Definition: winthread.c:429
IG_CS_TYPE
IG_CS_TYPE
The type of the code segment.
Definition: glueiface.h:183
_WIN_PROCESS_OBJECT::Cr3
QWORD Cr3
Process PDBR. Includes PCID.
Definition: winprocess.h:98
_Inout_
#define _Inout_
Definition: intro_sal.h:20
QWORD
unsigned long long QWORD
Definition: intro_types.h:53
PFUNC_IterateListCallback
INTSTATUS(* PFUNC_IterateListCallback)(QWORD Node, QWORD Aux)
Definition: introtypes.h:71
IntWinThrGetUmStackBaseAndLimitFromTib
INTSTATUS IntWinThrGetUmStackBaseAndLimitFromTib(QWORD Tib, IG_CS_TYPE CsType, QWORD Cr3, QWORD *StackBase, QWORD *StackLimit)
Obtains the user mode stack base and stack limit values.
Definition: winthread.c:259
DWORD
uint32_t DWORD
Definition: intro_types.h:49
IntWinThrPrepareApcHandler
INTSTATUS IntWinThrPrepareApcHandler(QWORD FunctionAddress, void *Handler, void *Descriptor)
This functions is responsible for patching the detour that handles the "NtQueueApcThreadEx".This function is called before the hook is placed into memory in order to "patch" the addresses of guest functions or guest file offsets that are used by the hook handler. Specifically, this patches the addresses of PsThreadType, ObReferenceObjectByHandle, ObDereferenceObject and the offsets of the AttachedProcess and Process fields of _KTHREAD and the Spare field of _KPROCESS, but also patches the "retn" instruction accordingly.
Definition: winthread.c:1108
IntWinThrIterateThreads
INTSTATUS IntWinThrIterateThreads(QWORD Eprocess, PFUNC_IterateListCallback Callback, QWORD Aux)
Iterate all the threads of the given process and invoke the callback for each one of them...
Definition: winthread.c:96