Bitdefender Hypervisor Memory Introspection
wintoken.h File Reference
#include "guests.h"


Typedefs

typedef struct _WIN_PROCESS_OBJECT WIN_PROCESS_OBJECT

typedef struct _WIN_PROCESS_OBJECT *PWIN_PROCESS_OBJECT
 

Functions

TIMER_FRIENDLY INTSTATUS IntWinTokenCheckIntegrity (void)
 This function checks the integrity of the security token for all the processes inside gWinProcesses. The checks include both verifying if there are token pointers belonging to multiple processes, indicating a stolen token, and verifying if the Token Privileges have not changed in a malicious way, indicating a privilege escalation.
 
INTSTATUS IntWinTokenPtrCheckIntegrityOnProcess (WIN_PROCESS_OBJECT *Process)
 This function checks if the security token of a given process has been stolen from another process.
 
INTSTATUS IntWinTokenPrivsProtectOnProcess (WIN_PROCESS_OBJECT *Process)
 Updates the stored original Privileges bitfields (Present and Enabled) and hooks through EPT the Privileges inside the assigned token of the given process, if needed.
 
INTSTATUS IntWinTokenPrivsUnprotectOnProcess (WIN_PROCESS_OBJECT *Process)
 
INTSTATUS IntWinTokenPrivsCheckIntegrityOnProcess (WIN_PROCESS_OBJECT *Process)
 This function checks if the privileges bitfields for the given process have been changed in a malicious manner, sending an alert if needed.
 
BOOLEAN IntWinTokenPtrIsStolen (WIN_PROCESS_OBJECT *Process, BOOLEAN Check, WIN_PROCESS_OBJECT **FromProcess, QWORD *OldValue, QWORD *NewValue)
 This function checks if the security token of a given process has been stolen from another process.
 
INTSTATUS IntWinTokenProtectPrivs (void)
 Protects all the currently unprotected tokens belonging to processes against privileges manipulation.
 
INTSTATUS IntWinTokenUnprotectPrivs (void)
 Unprotects all the currently protected tokens belonging to processes against privileges manipulation.
 
INTSTATUS IntWinTokenCheckCurrentPrivileges (WIN_PROCESS_OBJECT *Process, QWORD TokenPtr, BOOLEAN IntegrityCheck, BOOLEAN *PresentIncreased, BOOLEAN *EnabledIncreased, QWORD *Present, QWORD *Enabled)
 Verifies that the Privileges.Present and Privileges.Enabled fields of the current token were not altered in a malicious way.
 

Typedef Documentation

◆ PWIN_PROCESS_OBJECT

Definition at line 10 of file wintoken.h.

◆ WIN_PROCESS_OBJECT

Definition at line 10 of file wintoken.h.

Function Documentation

◆ IntWinTokenCheckCurrentPrivileges()

INTSTATUS IntWinTokenCheckCurrentPrivileges ( WIN_PROCESS_OBJECT *Process,
QWORD TokenPtr,
BOOLEAN IntegrityCheck,
BOOLEAN *PresentIncreased,
BOOLEAN *EnabledIncreased,
QWORD *Present,
QWORD *Enabled
)

Verifies that the Privileges.Present and Privileges.Enabled fields of the current token were not altered in a malicious way.

The integrity checks performed on the privileges are:

  1. The Present field inside Privileges should not increase; that is, no bit should be 1 if it was previously 0. Note that present privileges may decrease.
  2. Any bit set in the Enabled field of Privileges should also be set in the Present field. The kernel checks against the Present bitfield when enabling a privilege in the Enabled bitfield, but when checking privileges before granting access to a resource it consults only the Enabled bitfield, so consistency between the two fields must be ensured.

Note: This function might be called in cases where Process->OriginalTokenPtr != TokenPtr (e.g. the current token assigned to the given process has changed, but Process->OriginalTokenPtr has not yet been updated internally). When this is not the case, one may simply call this function with Process->OriginalTokenPtr as the second argument.

Parameters
[in] Process: The process for which the checks are done.
[in] TokenPtr: The GVA which points to the assigned token; may be different from Process->OriginalTokenPtr.
[in] IntegrityCheck: Should be set by the caller if this function is called during an integrity check on timer. If set, the function takes into account the corner case in which there is a one-bit difference between the Enabled and Present privileges, due to a race between our checks and the privilege removal performed by the guest.
[out] PresentIncreased: Receives a boolean telling whether the current privileges violate the first check.
[out] EnabledIncreased: Receives a boolean telling whether the current privileges violate the second check.
[out] Present: The current value of the Privileges.Present field.
[out] Enabled: The current value of the Privileges.Enabled field.
Return values
INT_STATUS_SUCCESS: On success.
INT_STATUS_INVALID_PARAMETER_1: If a NULL Process has been given.
INT_STATUS_INVALID_PARAMETER_3: If a NULL PresentIncreased has been given.
INT_STATUS_INVALID_PARAMETER_4: If a NULL EnabledIncreased has been given.

Definition at line 811 of file wintoken.c.

Referenced by IntWinDpiValidateTokenPrivs(), and IntWinTokenPrivsCheckIntegrityOnProcess().
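The two checks described above, run on constructed privilege bitfields as an added illustration (this is not HVMI's own code): check_privs, privs_verdict and the PRIV_* constants are assumed names, and the tolerance of a single Enabled-but-not-Present bit when integrity_check is set is this example's reading of the documented race corner case.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample privilege bits, using Windows' LUID numbering:
   SeTcbPrivilege = 7, SeDebugPrivilege = 20, SeChangeNotifyPrivilege = 23. */
#define PRIV_TCB           (1ULL << 7)
#define PRIV_DEBUG         (1ULL << 20)
#define PRIV_CHANGE_NOTIFY (1ULL << 23)

/* Applies the two documented checks to the current (Present, Enabled) pair against
   the originally recorded Present field. integrity_check plays the role of the
   IntegrityCheck parameter: when set, a single Enabled-but-not-Present bit is
   tolerated, which is how the documented race with an in-flight privilege
   removal is read here (an assumption, not HVMI's own logic). */
bool check_privs(uint64_t orig_present, uint64_t cur_present, uint64_t cur_enabled,
                 bool integrity_check, bool *present_increased, bool *enabled_increased)
{
    /* Check 1: Present may only lose bits, never gain them. */
    *present_increased = (cur_present & ~orig_present) != 0;

    /* Check 2: every Enabled bit must also be Present. */
    uint64_t stray = cur_enabled & ~cur_present;
    bool single_bit = stray != 0 && (stray & (stray - 1)) == 0;
    *enabled_increased = stray != 0 && !(integrity_check && single_bit);

    return !*present_increased && !*enabled_increased;
}

/* Verdict as a small bitmask: 0 = clean, 1 = Present increased, 2 = Enabled stray bit. */
int privs_verdict(uint64_t orig_present, uint64_t cur_present, uint64_t cur_enabled,
                  bool integrity_check)
{
    bool pi, ei;
    check_privs(orig_present, cur_present, cur_enabled, integrity_check, &pi, &ei);
    return (pi ? 1 : 0) | (ei ? 2 : 0);
}

int main(void)
{
    uint64_t orig = PRIV_CHANGE_NOTIFY; /* a low-privilege token as recorded */
    /* SeDebugPrivilege appeared in both fields: check 1 fires (verdict 1). */
    printf("present gained bit: %d\n", privs_verdict(orig, orig | PRIV_DEBUG, orig | PRIV_DEBUG, false));
    /* Only Enabled gained the bit: check 2 fires on a write-hook path (verdict 2)... */
    printf("enabled-only bit, write path: %d\n", privs_verdict(orig, orig, orig | PRIV_DEBUG, false));
    /* ...but one stray bit is tolerated during a timer integrity check (verdict 0). */
    printf("enabled-only bit, timer check: %d\n", privs_verdict(orig, orig, orig | PRIV_DEBUG, true));
    return 0;
}
```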

◆ IntWinTokenCheckIntegrity()

TIMER_FRIENDLY INTSTATUS IntWinTokenCheckIntegrity ( void )

This function checks the integrity of the security token for all the processes inside gWinProcesses. The checks include both verifying if there are token pointers belonging to multiple processes, indicating a stolen token, and verifying if the Token Privileges have not changed in a malicious way, indicating a privilege escalation.

Return values
INT_STATUS_SUCCESS: On success.

Definition at line 1097 of file wintoken.c.

Referenced by IntHandleTimer().

◆ IntWinTokenPrivsCheckIntegrityOnProcess()

INTSTATUS IntWinTokenPrivsCheckIntegrityOnProcess ( WIN_PROCESS_OBJECT *Process )

This function checks if the privileges bitfields for the given process have been changed in a malicious manner, sending an alert if needed.

Parameters
[in] Process: The WIN_PROCESS_OBJECT for which the privileges are checked in the assigned token.
Return values
INT_STATUS_SUCCESS: On success.

Definition at line 958 of file wintoken.c.

Referenced by IntWinProcCreateProcessObject(), IntWinProcDeleteProcessObject(), and IntWinTokenCheckIntegrity().

◆ IntWinTokenPrivsProtectOnProcess()

INTSTATUS IntWinTokenPrivsProtectOnProcess ( WIN_PROCESS_OBJECT *Process )

Updates the stored original Privileges bitfields (Present and Enabled) and hooks through EPT the Privileges inside the assigned token of the given process, if needed.

Parameters
[in,out] Process: The WIN_PROCESS_OBJECT for which the privileges information is stored, and for which a hook would be established on the assigned token, if needed.
Return values
INT_STATUS_SUCCESS: On success.
INT_STATUS_INVALID_PARAMETER_1: If the given process is NULL.

Definition at line 1163 of file wintoken.c.

Referenced by IntWinProcCreateProcessObject(), and IntWinTokenProtectPrivs().

◆ IntWinTokenPrivsUnprotectOnProcess()

INTSTATUS IntWinTokenPrivsUnprotectOnProcess ( WIN_PROCESS_OBJECT *Process )

Definition at line 1224 of file wintoken.c.

Referenced by IntWinProcRemoveProcess().

◆ IntWinTokenProtectPrivs()

INTSTATUS IntWinTokenProtectPrivs ( void )

Protects all the currently unprotected tokens belonging to processes against privileges manipulation.

Return values
INT_STATUS_SUCCESS: On success.
INT_STATUS_NOT_NEEDED_HINT: If the option INTRO_OPT_PROT_KM_TOKEN_PRIVS is not activated.

Definition at line 1258 of file wintoken.c.

Referenced by IntGuestUpdateCoreOptions().

◆ IntWinTokenPtrCheckIntegrityOnProcess()

INTSTATUS IntWinTokenPtrCheckIntegrityOnProcess ( WIN_PROCESS_OBJECT *Process )

This function checks if the security token of a given process has been stolen from another process.

Parameters
[in] Process: The process whose token has to be verified.
Return values
INT_STATUS_SUCCESS: On success.

Definition at line 719 of file wintoken.c.

Referenced by IntWinProcCreateProcessObject(), IntWinProcDeleteProcessObject(), IntWinTokenCheckIntegrity(), IntWinTokenPrivsHandleSwap(), and IntWinTokenPrivsHandleWrite().

◆ IntWinTokenPtrIsStolen()

BOOLEAN IntWinTokenPtrIsStolen ( WIN_PROCESS_OBJECT *Process,
BOOLEAN Check,
WIN_PROCESS_OBJECT **FromProcess,
QWORD *OldValue,
QWORD *NewValue
)

This function checks if the security token of a given process has been stolen from another process.

Parameters
[in] Process: The process whose token has to be verified.
[in] Check: If TRUE, gWinProcesses will be iterated to see if the token value is the same for another process (the same happens if the original token pointer has been modified).
[out] FromProcess: The process from which the token has been stolen.
[out] OldValue: The old token.
[out] NewValue: The new token.
Return values
TRUE: The given process has a stolen token.
FALSE: The given process has its original token.

Definition at line 625 of file wintoken.c.

Referenced by IntWinDpiValidateParentProcessToken(), and IntWinTokenPtrCheckIntegrityOnProcess().

◆ IntWinTokenUnprotectPrivs()

INTSTATUS IntWinTokenUnprotectPrivs ( void )

Unprotects all the currently protected tokens belonging to processes against privileges manipulation.

Return values
INT_STATUS_SUCCESS: On success.
INT_STATUS_NOT_NEEDED_HINT: If the option INTRO_OPT_PROT_KM_TOKEN_PRIVS is in fact activated.

Definition at line 1299 of file wintoken.c.

Referenced by IntGuestUpdateCoreOptions().