Bitdefender Hypervisor Memory Introspection
Data Structures
  struct _WIN_PROCESS_MODULE
  struct _PROTECTED_DLL_INFO

Macros
  #define NAMEHASH_NTDLL 0xbe9d4ec5
  #define NAMEHASH_KERNEL32 0x72f47653
  #define NAMEHASH_KERNELBASE 0x2945f399
  #define NAMEHASH_USER32 0xb8d0fd42
  #define NAMEHASH_WOW64 0xb29d7275
  #define NAMEHASH_WOW64WIN 0xb3ad9cbb
  #define NAMEHASH_WOW64CPU 0x824c82be
  #define NAMEHASH_WS2_32 0x3d20b35c
  #define NAMEHASH_WININET 0x7350cbf8
  #define NAMEHASH_VERIFIER 0x3608e61f
  #define NAMEHASH_APISETSCHEMA 0x6b8a8a45
  #define MODULE_MATCH(m, p)

Typedefs
  typedef struct _WIN_PROCESS_MODULE WIN_PROCESS_MODULE
  typedef struct _WIN_PROCESS_MODULE *PWIN_PROCESS_MODULE
  typedef struct _PROTECTED_DLL_INFO PROTECTED_DLL_INFO
  typedef struct _PROTECTED_DLL_INFO *PPROTECTED_DLL_INFO

Functions
  INTSTATUS IntWinModHandleLoadFromVad(WIN_PROCESS_OBJECT *Process, const VAD *Vad)
    Handle a module load from a VAD.
  INTSTATUS IntWinModHandleUnloadFromVad(PWIN_PROCESS_OBJECT Process, PVAD Vad)
    Handle a module unload.
  INTSTATUS IntWinModHandleWrite(void *Context, void *Hook, QWORD Address, INTRO_ACTION *Action)
    Handle writes inside a protected user-mode module wrapper. Dispatches to either the kernel or the user write handler.
  INTSTATUS IntWinModPolyHandler(QWORD Cr3, QWORD VirtualAddress, PINSTRUX Instrux, void *Context)
    Handle an unpack event for the indicated address.
  INTSTATUS IntWinModUnHookModule(PWIN_PROCESS_MODULE Module)
    Remove the protection from the indicated module.
  INTSTATUS IntWinModRemoveModule(PWIN_PROCESS_MODULE Module)
    Removes a Windows module.
  void IntWinModulesChangeProtectionFlags(PWIN_PROCESS_SUBSYSTEM Subsystem)
    Change the protection flags applied to the process modules that are currently loaded.
  PWIN_PROCESS_MODULE IntWinUmModFindByAddress(PWIN_PROCESS_OBJECT Process, QWORD Gva)
    Searches for a user-mode module which contains the indicated guest virtual address.
  INTSTATUS IntWinModHandlePreInjection(void *Context, QWORD Cr3, QWORD VirtualAddress)
    Module base page-fault pre-injection callback.
  INTSTATUS IntWinProcSendAllDllEventsForProcess(PWIN_PROCESS_OBJECT Process)
    Send DLL load events for all modules loaded in all subsystems of a process.
Macro Documentation

#define MODULE_MATCH(m, p)
Definition at line 103 of file winummodule.h.
Referenced by IntWinDagentIsInitialDll(), IntWinModGetProtectionOptionForModule(), and IntWinModIsProtected().

#define NAMEHASH_APISETSCHEMA 0x6b8a8a45
Definition at line 24 of file winummodule.h.

#define NAMEHASH_KERNEL32 0x72f47653
Definition at line 12 of file winummodule.h.
Referenced by IntWinModHandleModulePathInMemory(), and IntWinModHandleUnload().

#define NAMEHASH_KERNELBASE 0x2945f399
Definition at line 13 of file winummodule.h.

#define NAMEHASH_NTDLL 0xbe9d4ec5
Definition at line 11 of file winummodule.h.
Referenced by IntExceptUserHandleMemoryFunctions(), IntWinModCacheFixNamePointers(), IntWinModHandleModulePathInMemory(), IntWinModHandleUnload(), and IntWinProcHandleReadFromLsass().

#define NAMEHASH_USER32 0xb8d0fd42
Definition at line 14 of file winummodule.h.

#define NAMEHASH_VERIFIER 0x3608e61f
Definition at line 23 of file winummodule.h.
Referenced by IntWinDagentCheckSuspiciousDllLoad(), and IntWinDagentHandleSuspModExecution().

#define NAMEHASH_WININET 0x7350cbf8
Definition at line 21 of file winummodule.h.

#define NAMEHASH_WOW64 0xb29d7275
Definition at line 16 of file winummodule.h.

#define NAMEHASH_WOW64CPU 0x824c82be
Definition at line 18 of file winummodule.h.

#define NAMEHASH_WOW64WIN 0xb3ad9cbb
Definition at line 17 of file winummodule.h.

#define NAMEHASH_WS2_32 0x3d20b35c
Definition at line 20 of file winummodule.h.

Typedef Documentation

typedef struct _PROTECTED_DLL_INFO *PPROTECTED_DLL_INFO

typedef struct _PROTECTED_DLL_INFO PROTECTED_DLL_INFO
Describes a protected DLL.

typedef struct _WIN_PROCESS_MODULE *PWIN_PROCESS_MODULE

typedef struct _WIN_PROCESS_MODULE WIN_PROCESS_MODULE
Describes a process module.
Function Documentation

INTSTATUS IntWinModHandleLoadFromVad(WIN_PROCESS_OBJECT *Process, const VAD *Vad)
Handle a module load from a VAD.
This function is called each time a VadImageMap VAD is loaded. It creates a module entry and activates protection on it, if needed.
Parameters
  [in] Process: The process.
  [in] Vad: The VAD being loaded.
Return values
  INT_STATUS_SUCCESS: On success.
  INT_STATUS_INSUFFICIENT_RESOURCES: If a memory allocation fails.
Definition at line 1587 of file winummodule.c.
Referenced by IntWinVadFetchImageName(), and IntWinVadHandleFilePathInMemory().
INTSTATUS IntWinModHandlePreInjection(void *Context, QWORD Cr3, QWORD VirtualAddress)
Module base page-fault pre-injection callback.
This callback is used as a pre-injection callback for swapping in the headers of user-mode modules. It checks whether the virtual address we inject a #PF for is actually valid inside the process address space (it has a valid VAD assigned). If it is, the #PF injection can proceed. If it is not, we cannot inject a #PF for that address, as doing so would crash the process.
Parameters
  [in] Context: The PWIN_PROCESS_MODULE structure describing the module.
  [in] Cr3: The Cr3.
  [in] VirtualAddress: The address the #PF is injected for.
Return values
  INT_STATUS_SUCCESS: If the address maps to a valid VAD.
  INT_STATUS_NOT_NEEDED_HINT: If a valid VAD does not exist. This blocks the #PF injection.
Definition at line 1265 of file winummodule.c.
Referenced by IntWinDagentCheckSuspiciousDllLoad(), and IntWinModHandleModulePathInMemory().
INTSTATUS IntWinModHandleUnloadFromVad(PWIN_PROCESS_OBJECT Process, PVAD Vad)
Handle a module unload.
This function is called whenever a VadImageMap VAD is deleted. Since those VADs describe modules, the unload function is called whenever such a VAD is destroyed.
Parameters
  [in] Process: The process owning the VAD.
  [in] Vad: The deleted VAD.
Return values
  INT_STATUS_SUCCESS: On success.
  INT_STATUS_NOT_NEEDED_HINT: If the VAD does not describe any known loaded module.
Definition at line 1762 of file winummodule.c.
Referenced by IntWinVadDestroyObject().
INTSTATUS IntWinModHandleWrite(void *Context, void *Hook, QWORD Address, INTRO_ACTION *Action)
Handle writes inside a protected user-mode module wrapper. Dispatches to either the kernel or the user write handler.
Parameters
  [in] Context: The module (PWIN_PROCESS_MODULE structure).
  [in] Hook: The GPA hook handle.
  [in] Address: The written guest physical address.
  [out] Action: The desired action.
Return values
  INT_STATUS_SUCCESS: On success.
  INT_STATUS_INVALID_PARAMETER: If an invalid parameter is supplied.
Definition at line 1036 of file winummodule.c.
Referenced by IntWinModHookModule().
INTSTATUS IntWinModPolyHandler(QWORD Cr3, QWORD VirtualAddress, PINSTRUX Instrux, void *Context)
Handle an unpack event for the indicated address.
This function is called when an unpack is detected on the indicated page. It only sends an unpack alert.
Parameters
  [in] Cr3: The virtual address space the unpack took place in.
  [in] VirtualAddress: The guest virtual address where the unpack was detected.
  [in] Instrux: The instruction at VirtualAddress.
  [in] Context: A PWIN_PROCESS_MODULE structure identifying the module.
Return values
  INT_STATUS_SUCCESS: On success.
  INT_STATUS_INVALID_PARAMETER: If an invalid parameter is supplied.
Definition at line 1940 of file winummodule.c.
Referenced by IntWinModHookPoly().
INTSTATUS IntWinModRemoveModule(PWIN_PROCESS_MODULE Module)
Removes a Windows module.
This function cleans up all the resources associated with the indicated module, including:
Parameters
  [in] Module: The module to be removed.
Return values
  INT_STATUS_SUCCESS: On success.
  INT_STATUS_INVALID_PARAMETER: If an invalid parameter is supplied.
Definition at line 2043 of file winummodule.c.
Referenced by IntWinModHandleUnload(), and IntWinProcRemoveSubsystem().
void IntWinModulesChangeProtectionFlags(PWIN_PROCESS_SUBSYSTEM Subsystem)
Change the protection flags applied to the process modules that are currently loaded.
This function iterates over all the loaded modules inside the given subsystem and updates the protection policy on each of them. It must be called whenever the process protection flags are modified.
Parameters
  [in] Subsystem: The subsystem whose protection we update.
Definition at line 2138 of file winummodule.c.
Referenced by IntWinProcChangeProtectionFlags().
INTSTATUS IntWinModUnHookModule(PWIN_PROCESS_MODULE Module)
Remove the protection from the indicated module.
Parameters
  [in] Module: The module to disable protection for.
Return values
  INT_STATUS_SUCCESS: On success.
  INT_STATUS_INVALID_PARAMETER: If an invalid parameter is used.
Definition at line 1205 of file winummodule.c.
Referenced by IntWinModHandleUnload(), IntWinModulesChangeProtectionFlags(), and IntWinProcRemoveSubsystem().

INTSTATUS IntWinProcSendAllDllEventsForProcess(PWIN_PROCESS_OBJECT Process)
Send DLL load events for all modules loaded in all subsystems of a process.
Parameters
  [in] Process: The process for which we will send DLL load events.
Return values
  INT_STATUS_SUCCESS: On success.
Definition at line 198 of file winummodule.c.
Referenced by IntWinDagentHandleDoubleAgent(), and IntWinModHandleUserWrite().
PWIN_PROCESS_MODULE IntWinUmModFindByAddress(PWIN_PROCESS_OBJECT Process, QWORD Gva)
Searches for a user-mode module which contains the indicated guest virtual address.
NOTE: This function searches in all subsystems.
Parameters
  [in] Process: The process.
  [in] Gva: The guest virtual address we are searching for.
Definition at line 2304 of file winummodule.c.
Referenced by IntExceptGetVictimProcess(), IntExceptUserGetOriginator(), IntWinDagentHandleSuspModExecution(), IntWinStackTraceGetUser(), IntWinStackTraceGetUser32(), IntWinStackTraceGetUser64(), and IntWinThrHandleQueueApc().
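As an added illustration (not HVMI's own code) of the two address checks documented above, the VAD validation that gates #PF injection in IntWinModHandlePreInjection and the cross-subsystem lookup of IntWinUmModFindByAddress, here is a small C model. The VAD, module, subsystem and process types, the numeric status values and the sample process are all constructed for this example and are not the introspection engine's real structures.

```c
#include <stddef.h>
#include <stdint.h>
typedef uint64_t QWORD;
typedef int INTSTATUS;
/* Constructed status values; the real HVMI numeric codes are not on this page. */
#define INT_STATUS_SUCCESS         0
#define INT_STATUS_NOT_NEEDED_HINT 1
/* Models (constructed): a VAD as an inclusive range of virtual page numbers, a module
   as base/size/name, a subsystem (native or WoW64) as its module list, and a process. */
typedef struct { QWORD StartVpn, EndVpn; } VAD_MODEL;
typedef struct { QWORD Base, Size; const char *Name; } MODULE_MODEL;
typedef struct { const MODULE_MODEL *Modules; size_t Count; } SUBSYSTEM_MODEL;
typedef struct {
    const VAD_MODEL *Vads; size_t VadCount;
    const SUBSYSTEM_MODEL *Subsystems; size_t SubsystemCount;
} PROCESS_MODEL;

/* Return the VAD covering Gva (4 KiB pages), or NULL when no VAD describes it. */
static const VAD_MODEL *FindVad(const PROCESS_MODEL *Process, QWORD Gva)
{
    QWORD vpn = Gva >> 12;
    for (size_t i = 0; i < Process->VadCount; i++)
        if (vpn >= Process->Vads[i].StartVpn && vpn <= Process->Vads[i].EndVpn)
            return &Process->Vads[i];
    return NULL;
}

/* Pre-injection check: permit the #PF only if a VAD backs Gva; otherwise block it with
   the NOT_NEEDED hint, since faulting an unmapped address would crash the guest process. */
INTSTATUS PreInjectionCheck(const PROCESS_MODEL *Process, QWORD Gva)
{
    return FindVad(Process, Gva) ? INT_STATUS_SUCCESS : INT_STATUS_NOT_NEEDED_HINT;
}
/* Module lookup by address across every subsystem of the process (NULL if none). */
const MODULE_MODEL *FindModuleByAddress(const PROCESS_MODEL *Process, QWORD Gva)
{
    for (size_t s = 0; s < Process->SubsystemCount; s++)
        for (size_t i = 0; i < Process->Subsystems[s].Count; i++) {
            const MODULE_MODEL *m = &Process->Subsystems[s].Modules[i];
            if (Gva >= m->Base && Gva - m->Base < m->Size) return m;
        }
    return NULL;
}
/* Constructed sample: an image VAD (VPN 0x7ff0..0x7fff) backing one 64 KiB module in the
   native subsystem, plus a private VAD (VPN 0x10..0x1f) that backs no module at all. */
static const VAD_MODEL g_Vads[] = { { 0x7ff0, 0x7fff }, { 0x10, 0x1f } };
static const MODULE_MODEL g_Mods[] = { { 0x7ff0000, 0x10000, "ntdll.dll" } };
static const SUBSYSTEM_MODEL g_Subs[] = { { g_Mods, 1 } };
const PROCESS_MODEL g_SampleProcess = { g_Vads, 2, g_Subs, 1 };
```

The private VAD case shows why the two checks differ: an address can be VAD-backed (so a #PF may be injected for it) while still belonging to no loaded module.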