Bitdefender Hypervisor Memory Introspection
winumdoubleagent.h File Reference
#include "introcrt.h"


Typedefs

typedef struct _WIN_PROCESS_MODULE WIN_PROCSSS_MODULE
 

Functions

INTSTATUS IntWinDagentCheckSuspiciousDllLoad (WIN_PROCESS_MODULE *Module)
 Checks whether the given module is suspected of having been loaded through the double agent technique and calls the module block mechanism if it is.
 

Typedef Documentation

◆ WIN_PROCSSS_MODULE

Definition at line 10 of file winumdoubleagent.h.

Function Documentation

◆ IntWinDagentCheckSuspiciousDllLoad()

INTSTATUS IntWinDagentCheckSuspiciousDllLoad (WIN_PROCESS_MODULE *Module)

Checks whether the given module is suspected of having been loaded through the double agent technique and calls the module block mechanism if it is.

This is the main function called on modules to check whether the double agent technique was used. It checks whether verifier.dll is loaded in the current process and whether the current module was loaded before kernel32.dll.

Note that there are cases where the current module is excepted and itself loads kernel32.dll, while a malicious module is loaded afterwards. For this reason, when verifier.dll is loaded we check all modules, and we do not consider a module malicious unless its entry point was called with the DLL_VERIFIER_PROVIDER reason.

This is also where we start checking the native subsystem and register the module block callbacks for the suspicious modules; those callbacks are invoked afterwards through the module block mechanism.

Note that the technique can only be detected and blocked at module load time. For statically detected modules there is little to no evidence that the DLL was loaded through double agent, so detection cannot take place, and blocking execution would be of no use, since the potentially malicious part of the DLL has already executed.

Parameters
[in] Module: The module which is to be verified as suspicious or not.
Return values
INT_STATUS_SUCCESS: On success.
INT_STATUS_NOT_NEEDED_HINT: If the process is not protected, the module was statically detected, or the configuration is otherwise invalid.
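The decision logic described above, written out as an added, self-contained model; this is example code, not HVMI's own implementation, and the `DaModule`/`DaProcess` structures, the `da_*` function names and the sample load sequence are all constructed for the example rather than taken from winumdoubleagent.c. The verifier-provider reason value (4, the SDK's DLL_PROCESS_VERIFIER) is an assumption standing in for the page's DLL_VERIFIER_PROVIDER. The sample deliberately includes a provider loaded after kernel32.dll (the case the text warns about) and a statically detected module, so all three documented outcomes appear.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified per-module state. Field names are assumptions for
 * this example and do not mirror HVMI's WIN_PROCESS_MODULE. */
typedef struct {
    const char *name;            /* base name of the image, e.g. "kernel32.dll" */
    unsigned    loadOrder;       /* 0-based position in the load sequence */
    unsigned    entryReason;     /* fdwReason with which DllMain was invoked */
    bool        staticDetected;  /* already mapped when protection began */
} DaModule;

#define DA_MAX_MODULES 16

typedef struct {
    bool     isProtected;
    size_t   count;
    DaModule modules[DA_MAX_MODULES];
} DaProcess;

/* DLL_PROCESS_ATTACH is 1 in the Windows SDK; the verifier-provider reason
 * (the page's DLL_VERIFIER_PROVIDER) is assumed here to be 4 (DLL_PROCESS_VERIFIER). */
enum { DA_DLL_PROCESS_ATTACH = 1, DA_DLL_VERIFIER_PROVIDER = 4 };

/* Outcomes, mirroring the documented return values of the HVMI function. */
typedef enum {
    DA_STATUS_NOT_NEEDED = -1,  /* unprotected process or statically detected module */
    DA_STATUS_CLEAN      =  0,
    DA_STATUS_SUSPICIOUS =  1   /* caller should engage the module block mechanism */
} DaStatus;

static int da_name_equals(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

static const DaModule *da_find(const DaProcess *p, const char *name)
{
    for (size_t i = 0; i < p->count; i++)
        if (da_name_equals(p->modules[i].name, name))
            return &p->modules[i];
    return NULL;
}

/* Does this module sit before kernel32.dll in the load order (or is kernel32.dll absent)? */
bool da_loaded_before_kernel32(const DaProcess *p, size_t idx)
{
    const DaModule *k32 = da_find(p, "kernel32.dll");
    return k32 == NULL || p->modules[idx].loadOrder < k32->loadOrder;
}

DaStatus da_check_suspicious_dll_load(const DaProcess *p, size_t idx)
{
    if (!p->isProtected || idx >= p->count)
        return DA_STATUS_NOT_NEEDED;
    const DaModule *m = &p->modules[idx];
    /* Statically detected modules carry no load-time evidence; blocking would be too late. */
    if (m->staticDetected)
        return DA_STATUS_NOT_NEEDED;
    /* Without verifier.dll in the process the provider-loading path is not in play. */
    if (da_find(p, "verifier.dll") == NULL)
        return DA_STATUS_CLEAN;
    /* Load order alone flags early modules but misses providers that arrive after
     * kernel32.dll, so the entry-point reason is the deciding signal for every module. */
    if (m->entryReason != DA_DLL_VERIFIER_PROVIDER)
        return DA_STATUS_CLEAN;
    return DA_STATUS_SUSPICIOUS;
}

size_t da_count_suspicious(const DaProcess *p)
{
    size_t n = 0;
    for (size_t i = 0; i < p->count; i++)
        if (da_check_suspicious_dll_load(p, i) == DA_STATUS_SUSPICIOUS)
            n++;
    return n;
}

/* Constructed sample: a protected process whose load sequence includes verifier.dll. */
const DaProcess *da_sample_process(void)
{
    static const DaProcess p = {
        .isProtected = true,
        .count = 7,
        .modules = {
            { "ntdll.dll",      0, DA_DLL_PROCESS_ATTACH,    false },
            { "verifier.dll",   1, DA_DLL_PROCESS_ATTACH,    false },
            { "provider_a.dll", 2, DA_DLL_VERIFIER_PROVIDER, false }, /* before kernel32.dll */
            { "kernel32.dll",   3, DA_DLL_PROCESS_ATTACH,    false },
            { "user32.dll",     4, DA_DLL_PROCESS_ATTACH,    false },
            { "provider_b.dll", 5, DA_DLL_VERIFIER_PROVIDER, false }, /* after kernel32.dll */
            { "legacy.dll",     6, DA_DLL_PROCESS_ATTACH,    true  }, /* static detection */
        },
    };
    return &p;
}

int main(void)
{
    const DaProcess *p = da_sample_process();
    for (size_t i = 0; i < p->count; i++)
        printf("%-16s before_kernel32=%d status=%d\n", p->modules[i].name,
               da_loaded_before_kernel32(p, i), (int)da_check_suspicious_dll_load(p, i));
    printf("suspicious modules: %zu\n", da_count_suspicious(p));
    return 0;
}
```

Running the sample flags provider_a.dll and provider_b.dll, leaves kernel32.dll, user32.dll and the rest clean, and returns the not-needed status for legacy.dll; the second provider shows why the ordering check against kernel32.dll is not sufficient on its own.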

Definition at line 785 of file winumdoubleagent.c.

Referenced by IntWinModHandleModulePathInMemory().