104 if (Victim->Object.WinProc->SystemProcess)
119 WARNING(
"[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
142 memzero(pIntViol,
sizeof(*pIntViol));
175 WARNING(
"[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
207 DWORD blockSize, desiredBlockSize;
219 if (Process->StaticDetected)
233 ERROR(
"[ERROR] IntVirtMemMap failed for 0x%016llx: 0x%08x\n", NewTokenPtr, status);
245 ERROR(
"[ERROR] IntWinPoolGetPoolHeaderInPage did not found a valid pool header!\n");
254 if (blockSize != desiredBlockSize)
293 if (NULL != Process->TokenHook)
298 ERROR(
"[ERROR] IntHookGvaRemoveHook failed: 0x%08x\n", status);
303 if (NULL != Process->TokenSwapHook)
308 ERROR(
"[ERROR] IntHookGvaRemoveHook failed: 0x%08x\n", status);
326 ERROR(
"[ERROR] IntHookGvaSetHook failed: 0x%08x\n", status);
331 NewTokenPtr & PAGE_MASK,
338 (
HOOK_GVA **)&Process->TokenSwapHook);
341 ERROR(
"[ERROR] IntHookGvaSetHook failed: 0x%08x\n", status);
347 TRACE(
"[INFO] Token at 0x%016llx is not allocated through our hook - we'll protect it only with integrity!\n",
389 QWORD newTokenPtr = 0;
401 ERROR(
"[ERROR] IntKernVirtMemFetchWordSize failed: 0x%08x\n", status);
412 LOG(
"[INFO] Token has been changed during translation modification of 0x%016llx [0x%016llx -> 0x%016llx], " 413 "[0x%016llx -> 0x%016llx]: old = 0x%016llx, new = 0x%016llx\n",
414 VirtualAddress, OldEntry, NewEntry, OldPageSize, NewPageSize, pProc->
OriginalTokenPtr, newTokenPtr);
449 QWORD newTokenPtr = 0;
455 DWORD privsOffsetInPage, writeOffset;
471 ERROR(
"[ERROR] IntKernVirtMemFetchWordSize failed: 0x%08x\n", status);
500 if (writeOffset +
gVcpu->
AccessSize <= privsOffsetInPage || writeOffset >= privsOffsetInPage + 3 *
sizeof(
QWORD))
516 exitAfterInformation =
TRUE;
520 ERROR(
"[ERROR] Failed getting originator: 0x%08x\n", status);
522 exitAfterInformation =
TRUE;
534 ERROR(
"[ERROR] Failed getting zone details: 0x%08x\n", status);
535 goto _exit_exceptions;
538 if (exitAfterInformation)
587 QWORD newValue = 0, oldValue = 0;
595 ERROR(
"[ERROR] IntTranslateVirtualAddressEx failed: 0x%08x\n", status);
608 ERROR(
"[ERROR] IntGpaCacheFetchAndAdd failed: 0x%08x\n", status);
616 *OldValue = oldValue;
617 *NewValue = newValue;
648 QWORD newValue = 0, oldValue = 0;
654 ERROR(
"[ERROR] IntWinTokenFetchTokenAddress failed: 0x%08x\n", status);
661 if (Check || ((newValue != oldValue) && (0 != newValue)))
670 list = gWinProcesses.
Flink;
671 while (list != &gWinProcesses)
690 if (!bFound || (NULL == pProc2))
695 if (NULL != NewValue)
697 *NewValue = newValue;
700 if (NULL != OldValue)
702 *OldValue = oldValue;
705 if (NULL != FromProcess)
707 *FromProcess = pProc2;
749 LOG(
"[INTEGRITY VIOLATION] Token pointer was modified (%llx -> %llx): " 750 "process %llx (%d / %s), token stolen from process %llx (%d / %s)\n",
755 LOG(
"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ (B) MALWARE ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n\n");
759 LOG(
"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ MALWARE ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n\n");
766 memzero(pIntViolation,
sizeof(*pIntViolation));
800 WARNING(
"[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
857 QWORD present, enabled;
864 if (NULL == PresentIncreased)
869 if (NULL == EnabledIncreased)
874 *PresentIncreased =
FALSE;
875 *EnabledIncreased =
FALSE;
889 if (Process->OriginalEnabledPrivs == 0 && Process->OriginalPresentPrivs == 0)
895 if ((present & (~Process->OriginalPresentPrivs)) != 0)
897 *PresentIncreased =
TRUE;
903 if ((enabled != Process->OriginalEnabledPrivs || (Process->PrivsChangeOneBit && IntegrityCheck)) &&
904 (enabled & present) != enabled)
912 if (!Process->PrivsChangeOneBit && IntegrityCheck)
914 QWORD diffbits = enabled & (~(enabled & present));
916 if (diffbits != 0 && (diffbits & (diffbits - 1)) == 0)
918 WARNING(
"[WARNING] Special case on OS version: %d, difference 1 bit! 0x%016llx 0x%016llx\n",
921 Process->PrivsChangeOneBit =
TRUE;
930 Process->PrivsChangeOneBit =
FALSE;
933 *EnabledIncreased =
TRUE;
935 else if (IntegrityCheck)
939 Process->PrivsChangeOneBit =
FALSE;
971 QWORD present, enabled;
972 QWORD oldValue = 0, newValue = 0;
987 ERROR(
"[ERROR] IntWinTokenFetchTokenAddress failed: 0x%08x!\n", status);
991 if (oldValue != newValue)
1008 if (Process->SkipPrivsNextCheck)
1013 if (presentIncreased || enabledIncreased)
1028 victim.
WriteInfo.OldValue[0] = Process->OriginalPresentPrivs;
1029 victim.
WriteInfo.OldValue[1] = Process->OriginalEnabledPrivs;
1045 if (presentIncreased)
1047 WARNING(
"[WARNING] Present privileges are higher than the original ones: " 1048 "0x%016llx vs 0x%016llx in process %s:%d\n",
1050 Process->OriginalPresentPrivs,
1054 if (enabledIncreased)
1056 WARNING(
"[WARNING] Enabled privileges are higher than the present ones: " 1057 "0x%016llx vs 0x%016llx in process %s:%d\n",
1078 if (presentIncreased)
1080 Process->PrivsChangeDetected =
TRUE;
1086 Process->OriginalPresentPrivs = present;
1087 Process->OriginalEnabledPrivs = enabled;
1090 Process->SkipPrivsNextCheck =
FALSE;
1126 pList = gWinProcesses.
Flink;
1127 while (pList != &gWinProcesses)
1132 pList = pList->
Flink;
1143 ERROR(
"[ERROR] IntWinTokenPtrCheckIntegrityOnProcess failed: 0x%08x\n", status);
1153 ERROR(
"[ERROR] IntWinTokenPtrCheckIntegrityOnProcess failed: 0x%08x\n", status);
1180 if (NULL == Process)
1185 if (NULL != Process->TokenHook)
1201 Process->SkipPrivsNextCheck =
TRUE;
1205 ERROR(
"[ERROR] IntVirtMemRead failed: 0x%08x\n", status);
1211 Process->OriginalPresentPrivs = privs[0];
1212 Process->OriginalEnabledPrivs = privs[1];
1230 if (NULL == Process)
1235 if (NULL != Process->TokenHook)
1240 ERROR(
"[ERROR] IntHookGvaRemoveHook failed: 0x%08x\n", status);
1244 if (NULL != Process->TokenSwapHook)
1249 ERROR(
"[ERROR] IntHookGvaRemoveHook failed: 0x%08x\n", status);
1276 list = gWinProcesses.
Flink;
1278 while (list != &gWinProcesses)
1287 WARNING(
"[WARNING] IntWinTokenPrivsProtectOnProcess failed for %s:%d: 0x%08x\n",
1317 list = gWinProcesses.
Flink;
1319 while (list != &gWinProcesses)
Measures kernel-mode exception checks.
#define INT_STATUS_PAGE_NOT_PRESENT
Indicates that a virtual address is not present.
QWORD PhysicalAddress
The physical address to which VirtualAddress translates.
enum _INTRO_ACTION_REASON INTRO_ACTION_REASON
The reason for which an INTRO_ACTION was taken.
INTRO_CODEBLOCKS CodeBlocks
Code blocks extracted for the alert.
#define WIN_POOL_TAG_TOKE2
#define CONTAINING_RECORD(List, Type, Member)
Exposes the types, constants and functions used to handle Windows processes events (creation...
INTSTATUS IntVirtMemUnmap(void **HostPtr)
Unmaps a memory range previously mapped with IntVirtMemMap.
QWORD IntAlertCoreGetFlags(QWORD ProtectionFlag, INTRO_ACTION_REASON Reason)
Returns the flags for an alert.
DWORD Size
The size of the access.
#define VICTIM_PROCESS_TOKEN
Printable name used for introObjectTypeTokenPtr objects.
#define EX_FAST_REF_TO_PTR(is64, p)
Converts a _EX_FAST_REF value to a pointer.
An internal error occurred (no memory, pages not present, etc.).
BOOLEAN IntPolicyCoreForceBetaIfNeeded(QWORD Flag, INTRO_ACTION *Action)
Checks if a forced action should be taken even if the log-only mode is active.
QWORD ZoneFlags
The flags of the modified zone.
static INTSTATUS IntWinTokenFetchTokenAddress(WIN_PROCESS_OBJECT *Process, QWORD *OldValue, QWORD *NewValue)
Fetches the token pointer from inside the EPROCESS and returns the old token pointer and the new toke...
IG_ARCH_REGS Regs
The current state of the guest registers.
MITRE_ID MitreID
The Mitre ID that corresponds to this attack.
QWORD SystemCr3
The Cr3 used to map the kernel.
#define INT_STATUS_SUCCESS
const POOL_HEADER * IntWinPoolGetPoolHeaderInPage(const void *Page, DWORD StartOffset, DWORD Tag)
Search for a pool header with given tag in a buffer.
BOOLEAN IntPolicyCoreTakeAction(QWORD Flag, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason)
Returns the action that should be taken for a core introspection option.
QWORD NewValue[8]
The written value. Only the first Size bytes are valid.
static BOOLEAN IntWinTokenPrivsShouldHook(WIN_PROCESS_OBJECT *Process, QWORD NewTokenPtr)
Decides if the given token address should be hooked through EPT or not.
void IntAlertFillWinProcess(const WIN_PROCESS_OBJECT *Process, INTRO_PROCESS *EventProcess)
Saves information about a windows process inside an alert.
Event structure for integrity violations on monitored structures.
struct _LIST_ENTRY * Flink
#define INTRO_OPT_PROT_KM_TOKEN_PTR
Enable process token protection (Windows only).
#define INT_SUCCESS(Status)
QWORD Flags
A combination of ALERT_FLAG_* values describing the alert.
INTSTATUS IntResumeVcpus(void)
Resumes the VCPUs previously paused with IntPauseVcpus.
BOOLEAN ProtectionActivated
BOOLEAN KernelBetaDetections
True if the kernel protection is in beta (log-only) mode.
struct _EVENT_INTEGRITY_VIOLATION::@304 Victim
QWORD IntHookGetGlaFromGpaHook(HOOK_GPA const *Hook, QWORD Address)
Gets the GLA from a GPA hook.
#define INT_STATUS_NOT_NEEDED_HINT
static INTSTATUS IntWinTokenPrivsHandleWrite(void *Context, void *Hook, QWORD Address, INTRO_ACTION *Action)
EPT callback triggered when a write occurs over the Privileges bitfields in a nt!_TOKEN structure pro...
#define ALERT_FLAG_ASYNC
If set, the alert was generated in an async manner.
INTSTATUS IntKernVirtMemFetchWordSize(QWORD GuestVirtualAddress, void *Data)
Reads a guest pointer from the guest kernel memory.
int INTSTATUS
The status data type.
DWORD OSVersion
OS version.
#define INT_STATUS_NOT_FOUND
TIMER_FRIENDLY INTSTATUS IntWinTokenCheckIntegrity(void)
This function checks the integrity of the security token for all the processes inside gWinProcesses...
Describes a kernel-mode originator.
INTSTATUS IntPauseVcpus(void)
Pauses all the guest VCPUs.
INTRO_GUEST_TYPE OSType
The type of the guest.
void IntAlertFillCpuContext(BOOLEAN CopyInstruction, INTRO_CPUCTX *CpuContext)
Fills the current CPU context for an alert.
struct _EXCEPTION_KM_ORIGINATOR::@63 Return
LIST_HEAD gWinProcesses
The list of all the processes inside the guest.
INTSTATUS IntHookGvaSetHook(QWORD Cr3, QWORD Gva, DWORD Length, BYTE Type, void *Callback, void *Context, void *ParentHook, DWORD Flags, HOOK_GVA **GvaHook)
Set a read, write, execute or swap hook on a guest virtual address.
void IntAlertFillVersionInfo(INTRO_VIOLATION_HEADER *Header)
Fills version information for an alert.
DWORD AccessSize
The size of the memory access. Valid only for EPT exits.
INTRO_VIOLATION_HEADER Header
The alert header.
#define ZONE_INTEGRITY
Used for integrity zone.
#define HOOK_FLG_HIGH_PRIORITY
If this flag is set, the callback associated with this hook will have a higher priority than the others...
INTSTATUS IntWinTokenCheckCurrentPrivileges(WIN_PROCESS_OBJECT *Process, QWORD TokenPtr, BOOLEAN IntegrityCheck, BOOLEAN *PresentIncreased, BOOLEAN *EnabledIncreased, QWORD *Present, QWORD *Enabled)
Verifies the current token if the current Privileges.Present and Privileges.Enabled fields were not a...
Access Token Manipulation.
INTRO_ACTION_REASON Reason
The reason for which Action was taken.
INTSTATUS IntWinTokenPtrCheckIntegrityOnProcess(WIN_PROCESS_OBJECT *Process)
This function checks if the security token of a given process has been stolen from another process...
EXCEPTION_VICTIM_OBJECT Object
The modified object.
INTSTATUS IntAlertFillCodeBlocks(QWORD Rip, QWORD Cr3, BOOLEAN Execute, INTRO_CODEBLOCKS *CodeBlocks)
Fills the code blocks pattern for an alert.
#define ALERT_FLAG_BETA
If set, the alert is a BETA alert. No action was taken.
static void IntWinTokenPrivsSendIntegrityAlert(EXCEPTION_VICTIM_ZONE *Victim, INTRO_ACTION Action, INTRO_ACTION_REASON Reason)
Sends an EVENT_INTEGRITY_VIOLATION when checks over the token privileges have failed.
void IntAlertEptFillFromKmOriginator(const EXCEPTION_KM_ORIGINATOR *Originator, EVENT_EPT_VIOLATION *EptViolation)
Fills kernel mode originator information inside an EPT alert.
GENERIC_ALERT gAlert
Global alert buffer.
BOOLEAN SupportSPP
Set to True if support for SPP was detected.
INTSTATUS IntWinTokenPrivsUnprotectOnProcess(WIN_PROCESS_OBJECT *Process)
QWORD Flags
The entry that maps VirtualAddress to PhysicalAddress, together with all the control bits...
void IntAlertFillWriteInfo(const EXCEPTION_VICTIM_ZONE *Victim, INTRO_WRITE_INFO *WriteInfo)
Fills the write information for an alert.
#define WIN_POOL_TAG_TOKE
#define INITIAL_CRC_VALUE
#define INT_STATUS_EXCEPTION_BLOCK
DWORD Size
The size of the modified memory area.
void IntAlertEptFillFromVictimZone(const EXCEPTION_VICTIM_ZONE *Victim, EVENT_EPT_VIOLATION *EptViolation)
Fills the victim information inside an EPT alert.
The modified object is inside an integrity hook.
INTRO_CPUCTX CpuContext
The context of the CPU that triggered the alert.
INTSTATUS IntNotifyIntroEvent(INTRO_EVENT_TYPE EventClass, void *Param, size_t EventSize)
Notifies the integrator about an introspection alert.
INTSTATUS IntGpaCacheFetchAndAdd(PGPA_CACHE Cache, QWORD Gpa, DWORD Size, PBYTE Buffer)
Fetches data from a cached entry, or adds it to the cache if it is not already present.
BOOLEAN Guest64
True if this is a 64-bit guest, False if it is a 32-bit guest.
INTSTATUS IntExceptGetVictimEpt(void *Context, QWORD Gpa, QWORD Gva, INTRO_OBJECT_TYPE Type, DWORD ZoneFlags, EXCEPTION_VICTIM_ZONE *Victim)
Fills an EXCEPTION_VICTIM_ZONE with relevant information from an EPT violation.
CHAR Name[IMAGE_BASE_NAME_LEN]
Process base name.
QWORD Current
The currently used options.
void * GpaCache
The currently used GPA cache.
QWORD VirtualAddress
The guest virtual address which was modified.
#define INT_STATUS_INVALID_PARAMETER_4
INTRO_VIOLATION_HEADER Header
The alert header.
void * TokenSwapHook
Hook object for notifications over the swap-in/swap-out of the current process TOKEN. We need to place this hook in order to verify, on translation modifications of the current TOKEN, whether it is still assigned to the current process. The token might get deallocated in the meantime and the page can be reused, for example, for mapping other physical pages, thus leading to translation violations when the hashes of the contents are checked. For this purpose we verify on every translation modification event whether the current token is still in use, and re-establish the hook over the token if it was previously deallocated.
Measures the checks to see if the token has been changed when a token swap occurs.
BOOLEAN GuestInitialized
True if the OS-specific portion has been initialized.
DWORD NameHash
The hash of the modified object.
void IntExceptKernelLogInformation(EXCEPTION_VICTIM_ZONE *Victim, EXCEPTION_KM_ORIGINATOR *Originator, INTRO_ACTION Action, INTRO_ACTION_REASON Reason)
Print the information about a kernel-mode violation and dumps the code-blocks.
BYTE WordSize
Guest word size. Will be 4 for 32-bit guests and 8 for 64-bit guests.
INTRO_OBJECT_TYPE Type
The type of the modified object.
ZONE_TYPE ZoneType
The type of the modified zone.
INTSTATUS IntTranslateVirtualAddressEx(QWORD Gva, QWORD Cr3, DWORD Flags, VA_TRANSLATION *Translation)
Translates a guest virtual address to a guest physical address.
INTRO_EXEC_CONTEXT ExecContext
Information about the instruction that triggered the alert.
void * TokenHook
Hook object for the ept hook over nt!_TOKEN Privileges field.
INTSTATUS IntWinTokenPrivsProtectOnProcess(WIN_PROCESS_OBJECT *Process)
Updates the stored original Privileges bitfields (Present and Enabled) and hooks through EPT the Priv...
DWORD Pid
Process ID (the one used by Windows).
Measures the checks to see if the token has been changed when a write occurs over the token...
INTSTATUS IntHookGvaRemoveHook(HOOK_GVA **Hook, DWORD Flags)
Remove a GVA hook.
Sent when an EPT violation triggers an alert. See EVENT_EPT_VIOLATION.
#define ALERT_FLAG_NOT_RING0
If set, the alert was triggered in ring 1, 2 or 3.
Describes the modified zone.
#define UNREFERENCED_PARAMETER(P)
#define TRFLG_PG_MODE
Obtains the translation mode flag for the currently used paging mode.
struct _EXCEPTION_VICTIM_ZONE::@58::@60 WriteInfo
#define WIN_KM_FIELD(Structure, Field)
Macro used to access kernel mode fields inside the WIN_OPAQUE_FIELDS structure.
WCHAR Name[ALERT_PATH_MAX_LEN]
NULL-terminated string with a human readable description of the modified object.
QWORD OriginalTokenPtr
Original Token pointer inside EPROCESS (should never change).
BOOLEAN Valid
Set to True if the information in the structure is valid, False otherwise.
enum _INTRO_ACTION INTRO_ACTION
Event actions.
QWORD OldValue[8]
The original value. Only the first Size bytes are valid.
INTRO_WRITE_INFO WriteInfo
No access type. This can be used for swap hooks.
__must_check INTSTATUS IntVirtMemMap(QWORD Gva, DWORD Length, QWORD Cr3, DWORD Flags, void **HostPtr)
Maps a guest virtual memory range inside Introcore virtual address space.
MM Mm
Guest memory information, such as paging mode, system Cr3 value, etc.
static INTSTATUS IntWinTokenPrivsHandleSwap(void *Context, QWORD VirtualAddress, QWORD OldEntry, QWORD NewEntry, QWORD OldPageSize, QWORD NewPageSize)
Handles a token swap-in or swap-out, re-applying protection if the token is not assigned anymore to a...
BOOLEAN IntWinTokenPtrIsStolen(WIN_PROCESS_OBJECT *Process, BOOLEAN Check, WIN_PROCESS_OBJECT **FromProcess, QWORD *OldValue, QWORD *NewValue)
This function checks if the security token of a given process has been stolen from another process...
QWORD EprocessAddress
This will be the address of the ActiveProcess field.
#define ALERT_FLAG_SYSPROC
If set, the alert is on system process.
GUEST_STATE gGuest
The current guest state.
void IntAlertFillWinProcessByCr3(QWORD ProcessCr3, INTRO_PROCESS *EventProcess)
Saves information about a Windows process inside an alert. The process is searched by its kernel CR3...
INTSTATUS IntVirtMemRead(QWORD Gva, DWORD Length, QWORD Cr3, void *Buffer, DWORD *RetLength)
Reads data from a guest virtual memory range.
static void IntWinTokenPrivsSendEptAlert(EXCEPTION_KM_ORIGINATOR *Originator, EXCEPTION_VICTIM_ZONE *Victim, INTRO_ACTION Action, INTRO_ACTION_REASON Reason)
Sends an EVENT_EPT_VIOLATION for a token privileges violation.
INTSTATUS IntWinTokenUnprotectPrivs(void)
Unprotects all the currently protected tokens belonging to processes against privileges manipulation...
void * Process
The internal structure of the modified process.
EVENT_INTEGRITY_VIOLATION Integrity
struct _EXCEPTION_KM_ORIGINATOR::@64 Original
struct _EVENT_INTEGRITY_VIOLATION::@302 Originator
INTRO_ACTION Action
The action that was taken as the result of this alert.
#define INT_STATUS_NO_MAPPING_STRUCTURES
Indicates that not all mapping structures of a virtual address are present.
QWORD BaseAddress
The guest virtual address at which the monitored integrity region starts.
#define INT_STATUS_NOT_INITIALIZED_HINT
Encapsulates information about a virtual to physical memory translation.
INTRO_PROCESS Process
The module to which the current code returns.
#define INT_STATUS_INVALID_PARAMETER_1
INTRO_PROCESS CurrentProcess
The current process.
VCPU_STATE * gVcpu
The state of the current VCPU.
#define INTRO_OPT_PROT_KM_TOKEN_PRIVS
Enable protection over Token Privileges bitmaps.
The action was blocked because there was no exception for it.
Sent for integrity violation alerts. See EVENT_INTEGRITY_VIOLATION.
Event structure for EPT violations.
INTSTATUS IntWinTokenPrivsCheckIntegrityOnProcess(WIN_PROCESS_OBJECT *Process)
This function checks if the privileges bitfields for the given process have been changed in a malicio...
static INTSTATUS IntWinTokenProtectPrivsInternal(WIN_PROCESS_OBJECT *Process, QWORD NewTokenPtr)
If needed, this function will establish an EPT hook on the given token pointer for privileges protect...
INTSTATUS IntExceptKernelGetOriginator(EXCEPTION_KM_ORIGINATOR *Originator, DWORD Options)
This function is used to get the information about the kernel-mode originator.
INTSTATUS IntAlertFillExecContext(QWORD Cr3, INTRO_EXEC_CONTEXT *ExecContext)
Fills the current execution context.
#define ZONE_WRITE
Used for write violation.
INTRO_PROT_OPTIONS CoreOptions
The activation and protection options for this guest.
void IntExcept(EXCEPTION_VICTIM_ZONE *Victim, void *Originator, EXCEPTION_TYPE Type, INTRO_ACTION *Action, INTRO_ACTION_REASON *Reason, INTRO_EVENT_TYPE EventClass)
This function is the entry point for the exception mechanism.
DWORD NameHash
The namehash of the originator return driver.
This structure describes a running process inside the guest.
#define VICTIM_TOKEN_PRIVILEGES
Printable name used for introObjectTypeTokenPrivs objects.
INTSTATUS IntWinTokenProtectPrivs(void)
Protects all the currently unprotected tokens belonging to processes against privileges manipulation...
#define INT_STATUS_INVALID_PARAMETER_3