Bitdefender Hypervisor Memory Introspection
#include "guests.h"
Typedefs
typedef struct _WIN_PROCESS_OBJECT WIN_PROCESS_OBJECT
typedef struct _WIN_PROCESS_OBJECT *PWIN_PROCESS_OBJECT
Functions
TIMER_FRIENDLY INTSTATUS IntWinTokenCheckIntegrity (void)
    Checks the integrity of the security token of every process in gWinProcesses: whether the same token pointer is assigned to multiple processes (a stolen token) and whether the token privileges have changed in a malicious way (a privilege escalation).
INTSTATUS IntWinTokenPtrCheckIntegrityOnProcess (WIN_PROCESS_OBJECT *Process)
    Checks if the security token of a given process has been stolen from another process.
INTSTATUS IntWinTokenPrivsProtectOnProcess (WIN_PROCESS_OBJECT *Process)
    Updates the stored original Privileges bitfields (Present and Enabled) and, if needed, hooks the Privileges inside the assigned token of the given process through EPT.
INTSTATUS IntWinTokenPrivsUnprotectOnProcess (WIN_PROCESS_OBJECT *Process)
INTSTATUS IntWinTokenPrivsCheckIntegrityOnProcess (WIN_PROCESS_OBJECT *Process)
    Checks if the privileges bitfields of the given process have been changed in a malicious manner, sending an alert if needed.
BOOLEAN IntWinTokenPtrIsStolen (WIN_PROCESS_OBJECT *Process, BOOLEAN Check, WIN_PROCESS_OBJECT **FromProcess, QWORD *OldValue, QWORD *NewValue)
    Checks if the security token of a given process has been stolen from another process.
INTSTATUS IntWinTokenProtectPrivs (void)
    Protects all currently unprotected process tokens against privilege manipulation.
INTSTATUS IntWinTokenUnprotectPrivs (void)
    Removes the privilege-manipulation protection from all currently protected process tokens.
INTSTATUS IntWinTokenCheckCurrentPrivileges (WIN_PROCESS_OBJECT *Process, QWORD TokenPtr, BOOLEAN IntegrityCheck, BOOLEAN *PresentIncreased, BOOLEAN *EnabledIncreased, QWORD *Present, QWORD *Enabled)
    Verifies that the Privileges.Present and Privileges.Enabled fields of the given token were not altered in a malicious way.
typedef struct _WIN_PROCESS_OBJECT * PWIN_PROCESS_OBJECT |
Definition at line 10 of file wintoken.h.
typedef struct _WIN_PROCESS_OBJECT WIN_PROCESS_OBJECT |
Definition at line 10 of file wintoken.h.
INTSTATUS IntWinTokenCheckCurrentPrivileges (WIN_PROCESS_OBJECT *Process, QWORD TokenPtr, BOOLEAN IntegrityCheck, BOOLEAN *PresentIncreased, BOOLEAN *EnabledIncreased, QWORD *Present, QWORD *Enabled)
Verifies that the Privileges.Present and Privileges.Enabled fields of the given token were not altered in a malicious way.
The two privilege integrity checks are the ones reported through the PresentIncreased and EnabledIncreased output parameters.
Parameters:
  [in]  Process - The process for which the checks are done.
  [in]  TokenPtr - The GVA of the assigned token; it may differ from Process->OriginalTokenPtr.
  [in]  IntegrityCheck - Set by the caller when this function runs as part of the timer integrity check. When set, the function tolerates the corner case of a one-bit difference between the Enabled and Present privileges, which arises from a race between the introspection check and a privilege removal performed by the guest.
  [out] PresentIncreased - Receives TRUE if the current privileges violate the first check.
  [out] EnabledIncreased - Receives TRUE if the current privileges violate the second check.
  [out] Present - Receives the current value of the Privileges.Present field.
  [out] Enabled - Receives the current value of the Privileges.Enabled field.
Return values:
  INT_STATUS_SUCCESS - On success.
  INT_STATUS_INVALID_PARAMETER_1 - If Process is NULL.
  INT_STATUS_INVALID_PARAMETER_3 - If PresentIncreased is NULL.
  INT_STATUS_INVALID_PARAMETER_4 - If EnabledIncreased is NULL.
Definition at line 811 of file wintoken.c.
Referenced by IntWinDpiValidateTokenPrivs(), and IntWinTokenPrivsCheckIntegrityOnProcess().
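Added example (C, not HVMI code) showing the shape of the two checks described above, run over constructed Present/Enabled values. The page only states which output reports which check; the semantics below are assumptions: the first check flags any bit set in Present that was not in the stored original Present (privileges can be removed from a live token but never added to it), the second flags any Enabled bit with no matching Present bit (the kernel keeps Enabled a subset of Present). The one-bit tolerance under integrityCheck models the race the IntegrityCheck parameter description mentions. VerifyPrivileges, the PRIVS_* flags and the sample token values are hypothetical; bit positions are the privilege LUID values from winnt.h.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not HVMI code: models the two privilege-integrity checks on a
 * token's Privileges.Present / Privileges.Enabled bitfields. Bit index == the
 * privilege LUID low part from winnt.h (e.g. SeDebugPrivilege is LUID 20). */
#define PRIV_BIT(luid)              (1ULL << (luid))
#define SE_TCB_PRIVILEGE            7
#define SE_LOAD_DRIVER_PRIVILEGE    10
#define SE_DEBUG_PRIVILEGE          20
#define SE_CHANGE_NOTIFY_PRIVILEGE  23
#define SE_IMPERSONATE_PRIVILEGE    29

/* Hypothetical result flags: which of the two checks the current values violate. */
#define PRIVS_OK                0
#define PRIVS_PRESENT_INCREASED 1   /* first check: bits added to Present vs. the stored original */
#define PRIVS_ENABLED_INCREASED 2   /* second check (assumed): Enabled bits with no Present bit */

static int Popcount64(uint64_t v)
{
    int n = 0;
    for (; v; v &= v - 1) n++;
    return n;
}

/* origPresent    Privileges.Present stored when the token was put under protection
 * curPresent     Privileges.Present as read from the guest now
 * curEnabled     Privileges.Enabled as read from the guest now
 * integrityCheck true on the timer path: tolerate a one-bit Enabled/Present skew
 *                caused by racing a privilege removal inside the guest */
int VerifyPrivileges(uint64_t origPresent, uint64_t curPresent, uint64_t curEnabled,
                     bool integrityCheck)
{
    int result = PRIVS_OK;

    /* Check 1: the kernel removes privileges from a live token but never adds any,
     * so a Present bit that was not in the original means a direct write (DKOM). */
    if (curPresent & ~origPresent)
        result |= PRIVS_PRESENT_INCREASED;

    /* Check 2 (assumed semantics): SeAdjustPrivileges keeps Enabled a subset of
     * Present, so an Enabled bit without its Present bit is a forged enable. */
    uint64_t enabledNotPresent = curEnabled & ~curPresent;
    if (integrityCheck && Popcount64(enabledNotPresent) == 1) {
        /* The timer check raced a removal: one field has been cleared, the other
         * not yet. Not reported; the next timer pass re-verifies the token. */
        enabledNotPresent = 0;
    }
    if (enabledNotPresent)
        result |= PRIVS_ENABLED_INCREASED;

    return result;
}

int main(void)
{
    /* Constructed sample: a medium-integrity user process token. */
    const uint64_t origPresent = PRIV_BIT(SE_CHANGE_NOTIFY_PRIVILEGE) | PRIV_BIT(SE_IMPERSONATE_PRIVILEGE);
    const uint64_t dbg = PRIV_BIT(SE_DEBUG_PRIVILEGE);
    struct { const char *what; uint64_t present, enabled; bool timer; } cases[] = {
        { "untouched token",                 origPresent,       origPresent,       false },
        { "DKOM: SeDebug added and enabled", origPresent | dbg, origPresent | dbg, false },
        { "DKOM: SeDebug enabled only",      origPresent,       origPresent | dbg, false },
        { "removal race, timer path",  PRIV_BIT(SE_CHANGE_NOTIFY_PRIVILEGE), origPresent, true  },
        { "removal race, write path",  PRIV_BIT(SE_CHANGE_NOTIFY_PRIVILEGE), origPresent, false },
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        int r = VerifyPrivileges(origPresent, cases[i].present, cases[i].enabled, cases[i].timer);
        printf("%-34s -> %s%s%s\n", cases[i].what,
               r == PRIVS_OK ? "ok" : "",
               (r & PRIVS_PRESENT_INCREASED) ? "PresentIncreased " : "",
               (r & PRIVS_ENABLED_INCREASED) ? "EnabledIncreased" : "");
    }
    return 0;
}
```

Note the asymmetry the tolerance creates: a single Enabled-without-Present bit is reported on the EPT write path but not on the timer path, while two or more such bits are reported on both, since a privilege removal clears one bit at a time.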
TIMER_FRIENDLY INTSTATUS IntWinTokenCheckIntegrity (void)
Checks the integrity of the security token of every process in gWinProcesses. The checks cover both whether the same token pointer is assigned to multiple processes, indicating a stolen token, and whether the token privileges have changed in a malicious way, indicating a privilege escalation.
Return values:
  INT_STATUS_SUCCESS - On success.
Definition at line 1097 of file wintoken.c.
Referenced by IntHandleTimer().
INTSTATUS IntWinTokenPrivsCheckIntegrityOnProcess (WIN_PROCESS_OBJECT *Process)
Checks if the privileges bitfields of the given process have been changed in a malicious manner, sending an alert if needed.
Parameters:
  [in] Process - The WIN_PROCESS_OBJECT whose assigned token has its privileges checked.
Return values:
  INT_STATUS_SUCCESS - On success.
Definition at line 958 of file wintoken.c.
Referenced by IntWinProcCreateProcessObject(), IntWinProcDeleteProcessObject(), and IntWinTokenCheckIntegrity().
INTSTATUS IntWinTokenPrivsProtectOnProcess (WIN_PROCESS_OBJECT *Process)
Updates the stored original Privileges bitfields (Present and Enabled) and, if needed, hooks the Privileges inside the assigned token of the given process through EPT.
Parameters:
  [in,out] Process - The WIN_PROCESS_OBJECT in which the privileges information is stored, and whose assigned token is hooked if needed.
Return values:
  INT_STATUS_SUCCESS - On success.
  INT_STATUS_INVALID_PARAMETER_1 - If the given process is NULL.
Definition at line 1163 of file wintoken.c.
Referenced by IntWinProcCreateProcessObject(), and IntWinTokenProtectPrivs().
INTSTATUS IntWinTokenPrivsUnprotectOnProcess (WIN_PROCESS_OBJECT *Process)
Definition at line 1224 of file wintoken.c.
Referenced by IntWinProcRemoveProcess().
INTSTATUS IntWinTokenProtectPrivs (void)
Protects all currently unprotected process tokens against privilege manipulation.
Return values:
  INT_STATUS_SUCCESS - On success.
  INT_STATUS_NOT_NEEDED_HINT - If the option INTRO_OPT_PROT_KM_TOKEN_PRIVS is not activated.
Definition at line 1258 of file wintoken.c.
Referenced by IntGuestUpdateCoreOptions().
INTSTATUS IntWinTokenPtrCheckIntegrityOnProcess (WIN_PROCESS_OBJECT *Process)
Checks if the security token of a given process has been stolen from another process.
Parameters:
  [in] Process - The process whose token has to be verified.
Return values:
  INT_STATUS_SUCCESS - On success.
Definition at line 719 of file wintoken.c.
Referenced by IntWinProcCreateProcessObject(), IntWinProcDeleteProcessObject(), IntWinTokenCheckIntegrity(), IntWinTokenPrivsHandleSwap(), and IntWinTokenPrivsHandleWrite().
BOOLEAN IntWinTokenPtrIsStolen (WIN_PROCESS_OBJECT *Process, BOOLEAN Check, WIN_PROCESS_OBJECT **FromProcess, QWORD *OldValue, QWORD *NewValue)
Checks if the security token of a given process has been stolen from another process.
Parameters:
  [in]  Process - The process whose token has to be verified.
  [in]  Check - If TRUE, gWinProcesses is iterated to check whether another process holds the same token value; the same iteration is performed when the original token pointer has been modified.
  [out] FromProcess - The process the token has been stolen from.
  [out] OldValue - The old token pointer.
  [out] NewValue - The new token pointer.
Return values:
  TRUE - The given process has a stolen token.
  FALSE - The given process has its original token.
Definition at line 625 of file wintoken.c.
Referenced by IntWinDpiValidateParentProcessToken(), and IntWinTokenPtrCheckIntegrityOnProcess().
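Added example (C, not HVMI code) of the token-theft check as the IntWinTokenPtrIsStolen contract above describes it, run over a constructed process list standing in for gWinProcesses. Assumptions not stated on the page: the PROC structure, IsTokenStolen, FindTokenTheft and the sample pointer values are hypothetical, and EPROCESS.Token is treated as an x64 EX_FAST_REF whose low four bits hold a reference count, so two reads of the same token object can differ in those bits and they are masked before comparison.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not HVMI code. Assumption: x64 EX_FAST_REF layout, 4 low
 * refcount bits (x86 would use 3). */
#define EX_FAST_REF_MASK 0xFULL

typedef struct {
    const char *Name;
    uint32_t    Pid;
    uint64_t    OriginalTokenPtr;  /* raw EPROCESS.Token recorded when the process was created */
    uint64_t    CurrentTokenPtr;   /* raw EPROCESS.Token as read now (constructed stand-in for a guest read) */
} PROC;

/* Constructed sample list standing in for gWinProcesses. evil.exe has had its
 * token pointer overwritten with System's token; the refcount bits differ
 * (0x..a3 vs 0x..a0), which is why the mask matters. */
static PROC gProcs[] = {
    { "System",       4, 0xffffa0811d0500a0ULL, 0xffffa0811d0500a0ULL },
    { "lsass.exe",  712, 0xffffa0811d2a10b0ULL, 0xffffa0811d2a10b0ULL },
    { "cmd.exe",   4120, 0xffffa0811e3f70c0ULL, 0xffffa0811e3f70c0ULL },
    { "evil.exe",  5588, 0xffffa0811e9b20d0ULL, 0xffffa0811d0500a3ULL },
};
#define PROC_COUNT (sizeof(gProcs) / sizeof(gProcs[0]))

static uint64_t TokenObject(uint64_t raw) { return raw & ~EX_FAST_REF_MASK; }

/* Returns true if Process's token is stolen. When Check is true, or when the
 * pointer no longer matches the original, the list is scanned for another
 * process pointing at the same token object, which is reported in *FromProcess. */
bool IsTokenStolen(const PROC *Process, bool Check, const PROC **FromProcess,
                   uint64_t *OldValue, uint64_t *NewValue)
{
    uint64_t orig = TokenObject(Process->OriginalTokenPtr);
    uint64_t cur  = TokenObject(Process->CurrentTokenPtr);
    bool stolen = cur != orig;      /* pointer rewritten: the classic DKOM token swap */

    if (FromProcess) *FromProcess = NULL;
    if (OldValue) *OldValue = Process->OriginalTokenPtr;
    if (NewValue) *NewValue = Process->CurrentTokenPtr;

    if (Check || stolen) {
        for (size_t i = 0; i < PROC_COUNT; i++) {
            const PROC *other = &gProcs[i];
            if (other == Process) continue;
            if (TokenObject(other->CurrentTokenPtr) == cur) {
                /* A primary token is a per-process object; two processes
                 * referencing the same one is abnormal. */
                if (FromProcess) *FromProcess = other;
                stolen = true;
                break;
            }
        }
    }
    return stolen;
}

/* Index of the process the token is shared with, -1 if the token is not
 * stolen, -2 if it is stolen but belongs to no tracked process. */
int FindTokenTheft(size_t idx, bool Check)
{
    const PROC *from = NULL;
    uint64_t oldv, newv;
    if (!IsTokenStolen(&gProcs[idx], Check, &from, &oldv, &newv)) return -1;
    return from ? (int)(from - gProcs) : -2;
}

int main(void)
{
    for (size_t i = 0; i < PROC_COUNT; i++) {
        const PROC *from = NULL;
        uint64_t oldv, newv;
        if (IsTokenStolen(&gProcs[i], true, &from, &oldv, &newv))
            printf("%-10s pid %5u: token 0x%016llx -> 0x%016llx, shared with %s\n",
                   gProcs[i].Name, (unsigned)gProcs[i].Pid,
                   (unsigned long long)oldv, (unsigned long long)newv,
                   from ? from->Name : "<untracked>");
        else
            printf("%-10s pid %5u: token intact\n", gProcs[i].Name, (unsigned)gProcs[i].Pid);
    }
    return 0;
}
```

With Check set, the scan flags both ends of a shared token (System as well as evil.exe). The direction follows from the OldValue/NewValue pair: the process whose current pointer still equals its original is the victim, the one whose pointer changed is the thief.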
INTSTATUS IntWinTokenUnprotectPrivs (void)
Removes the privilege-manipulation protection from all currently protected process tokens.
Return values:
  INT_STATUS_SUCCESS - On success.
  INT_STATUS_NOT_NEEDED_HINT - If the option INTRO_OPT_PROT_KM_TOKEN_PRIVS is still activated, so the tokens must remain protected.
Definition at line 1299 of file wintoken.c.
Referenced by IntGuestUpdateCoreOptions().