Bitdefender Hypervisor Memory Introspection
winummodule.h File Reference
#include "winumcache.h"
#include "winvad.h"


Data Structures

struct  _WIN_PROCESS_MODULE
 
struct  _PROTECTED_DLL_INFO
 

Macros

#define NAMEHASH_NTDLL   0xbe9d4ec5
 
#define NAMEHASH_KERNEL32   0x72f47653
 
#define NAMEHASH_KERNELBASE   0x2945f399
 
#define NAMEHASH_USER32   0xb8d0fd42
 
#define NAMEHASH_WOW64   0xb29d7275
 
#define NAMEHASH_WOW64WIN   0xb3ad9cbb
 
#define NAMEHASH_WOW64CPU   0x824c82be
 
#define NAMEHASH_WS2_32   0x3d20b35c
 
#define NAMEHASH_WININET   0x7350cbf8
 
#define NAMEHASH_VERIFIER   0x3608e61f
 
#define NAMEHASH_APISETSCHEMA   0x6b8a8a45
 
#define MODULE_MATCH(m, p)
 

Typedefs

typedef struct _WIN_PROCESS_MODULE WIN_PROCESS_MODULE
 
typedef struct _WIN_PROCESS_MODULE * PWIN_PROCESS_MODULE
 
typedef struct _PROTECTED_DLL_INFO PROTECTED_DLL_INFO
 
typedef struct _PROTECTED_DLL_INFO * PPROTECTED_DLL_INFO
 

Functions

INTSTATUS IntWinModHandleLoadFromVad (WIN_PROCESS_OBJECT *Process, const VAD *Vad)
 Handle a module load from a VAD.
 
INTSTATUS IntWinModHandleUnloadFromVad (PWIN_PROCESS_OBJECT Process, PVAD Vad)
 Handle a module unload.
 
INTSTATUS IntWinModHandleWrite (void *Context, void *Hook, QWORD Address, INTRO_ACTION *Action)
 Handle writes inside a protected user-mode module wrapper. Will dispatch appropriately to either the kernel or user write handler.
 
INTSTATUS IntWinModPolyHandler (QWORD Cr3, QWORD VirtualAddress, PINSTRUX Instrux, void *Context)
 Handle an unpack event for the indicated address.
 
INTSTATUS IntWinModUnHookModule (PWIN_PROCESS_MODULE Module)
 Remove the protection from the indicated module.
 
INTSTATUS IntWinModRemoveModule (PWIN_PROCESS_MODULE Module)
 Removes a Windows module.
 
void IntWinModulesChangeProtectionFlags (PWIN_PROCESS_SUBSYSTEM Subsystem)
 Change the protection flags applied to the process modules that are currently loaded.
 
PWIN_PROCESS_MODULE IntWinUmModFindByAddress (PWIN_PROCESS_OBJECT Process, QWORD Gva)
 Searches for a user-mode module which contains the indicated guest virtual address.
 
INTSTATUS IntWinModHandlePreInjection (void *Context, QWORD Cr3, QWORD VirtualAddress)
 Module base page-fault pre-injection callback.
 
INTSTATUS IntWinProcSendAllDllEventsForProcess (PWIN_PROCESS_OBJECT Process)
 Send DLL load events for all modules loaded in all subsystems of a process.
 

Macro Definition Documentation

◆ MODULE_MATCH

#define MODULE_MATCH ( m, p )
Value:
((((m)->Path->NameHash == (p)->NameHash)) && \
(0 == memcmp((m)->Path->Name, (p)->Name, (m)->Path->NameSize)))

Two-stage comparison of a loaded module's path against a protected-DLL entry: the 32-bit name hash is compared first, and only on a hash match are the name bytes compared with memcmp, so a hash collision alone cannot produce a match.

Definition at line 103 of file winummodule.h.

Referenced by IntWinDagentIsInitialDll(), IntWinModGetProtectionOptionForModule(), and IntWinModIsProtected().
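As an added illustration (not HVMI's own code), the following C program reproduces the macro's two-stage comparison against a constructed protected-DLL table, in the manner of IntWinModIsProtected(). The EXAMPLE_* structures, the example_find_protected() helper and the hash function (plain reflected CRC-32) are assumptions of this example; the NAMEHASH_* constants above are not produced by that hash. The program also shows why the byte comparison is kept: a table entry whose hash has been forged to equal ntdll.dll's still fails the memcmp half of the macro.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the fields MODULE_MATCH dereferences; the real
 * WIN_PROCESS_MODULE and PROTECTED_DLL_INFO layouts are not reproduced here. */
typedef struct {
    uint32_t    NameHash;
    const char *Name;
    size_t      NameSize;   /* number of bytes MODULE_MATCH hands to memcmp */
} EXAMPLE_PATH;

typedef struct {
    EXAMPLE_PATH *Path;
} EXAMPLE_MODULE;

typedef struct {
    uint32_t    NameHash;
    const char *Name;       /* NUL-terminated in this example */
} EXAMPLE_PROTECTED_DLL;

/* Same shape as the macro in winummodule.h: hash compare, then byte compare. */
#define MODULE_MATCH(m, p) \
    ((((m)->Path->NameHash == (p)->NameHash)) && \
     (0 == memcmp((m)->Path->Name, (p)->Name, (m)->Path->NameSize)))

/* Assumed hash: reflected CRC-32 (polynomial 0xEDB88320). It does not
 * reproduce the NAMEHASH_* constants defined in winummodule.h. */
uint32_t example_name_hash(const char *s, size_t n)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= (uint8_t)s[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

static EXAMPLE_PROTECTED_DLL example_entry(const char *name)
{
    EXAMPLE_PROTECTED_DLL e = { example_name_hash(name, strlen(name)), name };
    return e;
}

/* Table walk in the spirit of IntWinModIsProtected(): returns the matching
 * entry or NULL. The length check is this example's own guard, so memcmp
 * never reads past a table name whose hash happens to collide. */
const EXAMPLE_PROTECTED_DLL *
example_find_protected(const EXAMPLE_MODULE *m,
                       const EXAMPLE_PROTECTED_DLL *tbl, size_t count)
{
    for (size_t i = 0; i < count; i++) {
        if (strlen(tbl[i].Name) != m->Path->NameSize)
            continue;
        if (MODULE_MATCH(m, &tbl[i]))
            return &tbl[i];
    }
    return NULL;
}

/* Returns 1 when: ntdll.dll resolves to its own entry and not to the forged
 * entry placed before it, and an unlisted module resolves to nothing. */
int example_module_match_demo(void)
{
    EXAMPLE_PROTECTED_DLL tbl[3];
    tbl[0] = example_entry("evil1.dll");            /* same length as ntdll.dll */
    tbl[1] = example_entry("ntdll.dll");
    tbl[2] = example_entry("kernel32.dll");
    tbl[0].NameHash = tbl[1].NameHash;              /* simulated hash collision */

    EXAMPLE_PATH ntdll  = { example_name_hash("ntdll.dll", 9),   "ntdll.dll",  9 };
    EXAMPLE_PATH user32 = { example_name_hash("user32.dll", 10), "user32.dll", 10 };
    EXAMPLE_MODULE m_ntdll  = { &ntdll };
    EXAMPLE_MODULE m_user32 = { &user32 };

    /* Hash alone would accept tbl[0]; the memcmp half rejects it. */
    int forged_rejected = !MODULE_MATCH(&m_ntdll, &tbl[0]);
    int hit_real        = (example_find_protected(&m_ntdll, tbl, 3) == &tbl[1]);
    int miss_unlisted   = (example_find_protected(&m_user32, tbl, 3) == NULL);
    return forged_rejected && hit_real && miss_unlisted;
}

int main(void)
{
    int ok = example_module_match_demo();
    printf("module match demo: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

The order of the two tests matters for cost as much as for correctness: the hash comparison rejects almost every non-matching table entry with one integer compare, and the memcmp runs only for the rare entry whose hash agrees, which is also what makes a forged or colliding hash insufficient on its own.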

◆ NAMEHASH_APISETSCHEMA

#define NAMEHASH_APISETSCHEMA   0x6b8a8a45

Definition at line 24 of file winummodule.h.

◆ NAMEHASH_KERNEL32

#define NAMEHASH_KERNEL32   0x72f47653

Definition at line 12 of file winummodule.h.

Referenced by IntWinModHandleModulePathInMemory(), and IntWinModHandleUnload().

◆ NAMEHASH_KERNELBASE

#define NAMEHASH_KERNELBASE   0x2945f399

Definition at line 13 of file winummodule.h.

◆ NAMEHASH_NTDLL

#define NAMEHASH_NTDLL   0xbe9d4ec5

◆ NAMEHASH_USER32

#define NAMEHASH_USER32   0xb8d0fd42

Definition at line 14 of file winummodule.h.

◆ NAMEHASH_VERIFIER

#define NAMEHASH_VERIFIER   0x3608e61f

◆ NAMEHASH_WININET

#define NAMEHASH_WININET   0x7350cbf8

Definition at line 21 of file winummodule.h.

◆ NAMEHASH_WOW64

#define NAMEHASH_WOW64   0xb29d7275

Definition at line 16 of file winummodule.h.

◆ NAMEHASH_WOW64CPU

#define NAMEHASH_WOW64CPU   0x824c82be

Definition at line 18 of file winummodule.h.

◆ NAMEHASH_WOW64WIN

#define NAMEHASH_WOW64WIN   0xb3ad9cbb

Definition at line 17 of file winummodule.h.

◆ NAMEHASH_WS2_32

#define NAMEHASH_WS2_32   0x3d20b35c

Definition at line 20 of file winummodule.h.

Typedef Documentation

◆ PPROTECTED_DLL_INFO

◆ PROTECTED_DLL_INFO

Describes a protected DLL.

◆ PWIN_PROCESS_MODULE

◆ WIN_PROCESS_MODULE

Describes a process module.

Function Documentation

◆ IntWinModHandleLoadFromVad()

INTSTATUS IntWinModHandleLoadFromVad ( WIN_PROCESS_OBJECT *  Process,
const VAD *  Vad 
)

Handle a module load from a VAD.

This function gets called each time a VadImageMap VAD is loaded. It will create a module entry and activate protection on it, if needed.

Parameters
[in] Process  The process.
[in] Vad      The VAD being loaded.
Return values
INT_STATUS_SUCCESS                 On success.
INT_STATUS_INSUFFICIENT_RESOURCES  If a memory allocation fails.

Definition at line 1587 of file winummodule.c.

Referenced by IntWinVadFetchImageName(), and IntWinVadHandleFilePathInMemory().

◆ IntWinModHandlePreInjection()

INTSTATUS IntWinModHandlePreInjection ( void *  Context,
QWORD  Cr3,
QWORD  VirtualAddress 
)

Module base page-fault pre-injection callback.

This callback is used as a pre-injection callback for the swap-in of user-mode module headers. It checks that the virtual address a #PF is about to be injected for is actually valid inside the process address space, that is, that it has a VAD assigned. If it is, the #PF can be injected. If it is not, injection is refused, because a page fault on an address with no backing VAD would crash the process.

Parameters
[in] Context         The PWIN_PROCESS_MODULE structure describing the module.
[in] Cr3             The Cr3.
[in] VirtualAddress  The address the PF is injected for.
Return values
INT_STATUS_SUCCESS          If the address maps to a valid VAD.
INT_STATUS_NOT_NEEDED_HINT  If a valid VAD does not exist. This blocks the PF injection.

Definition at line 1265 of file winummodule.c.

Referenced by IntWinDagentCheckSuspiciousDllLoad(), and IntWinModHandleModulePathInMemory().

◆ IntWinModHandleUnloadFromVad()

INTSTATUS IntWinModHandleUnloadFromVad ( PWIN_PROCESS_OBJECT  Process,
PVAD  Vad 
)

Handle a module unload.

This function is called whenever a VadImageMap VAD is deleted. Since those VADs describe modules, the unload function is called whenever such a VAD is destroyed.

Parameters
[in] Process  The process owning the VAD.
[in] Vad      The deleted VAD.
Return values
INT_STATUS_SUCCESS          On success.
INT_STATUS_NOT_NEEDED_HINT  If the VAD does not describe any known loaded module.

Definition at line 1762 of file winummodule.c.

Referenced by IntWinVadDestroyObject().

◆ IntWinModHandleWrite()

INTSTATUS IntWinModHandleWrite ( void *  Context,
void *  Hook,
QWORD  Address,
INTRO_ACTION Action 
)

Handle writes inside a protected user-mode module wrapper. Will dispatch appropriately to either the kernel or user write handler.

Parameters
[in]  Context  The module (PWIN_PROCESS_MODULE structure).
[in]  Hook     The GPA hook handle.
[in]  Address  The written guest physical address.
[out] Action   The desired action.
Return values
INT_STATUS_SUCCESS            On success.
INT_STATUS_INVALID_PARAMETER  If an invalid parameter is supplied.

Definition at line 1036 of file winummodule.c.

Referenced by IntWinModHookModule().

◆ IntWinModPolyHandler()

INTSTATUS IntWinModPolyHandler ( QWORD  Cr3,
QWORD  VirtualAddress,
PINSTRUX  Instrux,
void *  Context 
)

Handle an unpack event for the indicated address.

This function is called when an unpack is detected on the indicated page. It only sends an unpack alert.

Parameters
[in] Cr3             The virtual address space the unpack took place in.
[in] VirtualAddress  The guest virtual address where the unpack was detected.
[in] Instrux         The instruction at VirtualAddress.
[in] Context         A PWIN_PROCESS_MODULE structure identifying the module.
Return values
INT_STATUS_SUCCESS            On success.
INT_STATUS_INVALID_PARAMETER  If an invalid parameter is supplied.

Definition at line 1940 of file winummodule.c.

Referenced by IntWinModHookPoly().

◆ IntWinModRemoveModule()

INTSTATUS IntWinModRemoveModule ( PWIN_PROCESS_MODULE  Module)

Removes a Windows module.

This function will clean up all the resources associated with the indicated module, including:

  • any swap handle for the module;
  • the UM path cache entry;
  • the headers cache entry.

Finally, the module is freed.

NOTE: The module entry must be removed from any list/tree before calling this function.
NOTE: If the module was protected, protection must be removed from it before calling this. This function must work for both protected and unprotected modules.

Parameters
[in] Module  The module to be removed.
Return values
INT_STATUS_SUCCESS            On success.
INT_STATUS_INVALID_PARAMETER  If an invalid parameter is supplied.

Definition at line 2043 of file winummodule.c.

Referenced by IntWinModHandleUnload(), and IntWinProcRemoveSubsystem().

◆ IntWinModulesChangeProtectionFlags()

void IntWinModulesChangeProtectionFlags ( PWIN_PROCESS_SUBSYSTEM  Subsystem)

Change the protection flags applied to the process modules that are currently loaded.

This function will iterate all the loaded modules inside the given subsystem and it will update the protection policy on them. This function must be called when the process protection flags are modified.

Parameters
[in] Subsystem  The subsystem we update the protection in.

Definition at line 2138 of file winummodule.c.

Referenced by IntWinProcChangeProtectionFlags().

◆ IntWinModUnHookModule()

INTSTATUS IntWinModUnHookModule ( PWIN_PROCESS_MODULE  Module)

Remove the protection from the indicated module.

Parameters
[in] Module  The module to disable protection for.
Return values
INT_STATUS_SUCCESS            On success.
INT_STATUS_INVALID_PARAMETER  If an invalid parameter is used.

Definition at line 1205 of file winummodule.c.

Referenced by IntWinModHandleUnload(), IntWinModulesChangeProtectionFlags(), and IntWinProcRemoveSubsystem().

◆ IntWinProcSendAllDllEventsForProcess()

INTSTATUS IntWinProcSendAllDllEventsForProcess ( PWIN_PROCESS_OBJECT  Process)

Send DLL load events for all modules loaded in all subsystems of a process.

Parameters
[in] Process  The process for which we will send DLL load events.
Return values
INT_STATUS_SUCCESS  On success.

Definition at line 198 of file winummodule.c.

Referenced by IntWinDagentHandleDoubleAgent(), and IntWinModHandleUserWrite().

◆ IntWinUmModFindByAddress()

PWIN_PROCESS_MODULE IntWinUmModFindByAddress ( PWIN_PROCESS_OBJECT  Process,
QWORD  Gva 
)

Searches for a user-mode module which contains the indicated guest virtual address.

NOTE: This function will search in all subsystems.

Parameters
[in] Process  The process.
[in] Gva      The guest virtual address we are searching for.
Returns
A Windows module if Gva is found to point into one, or NULL if none is found.

Definition at line 2304 of file winummodule.c.

Referenced by IntExceptGetVictimProcess(), IntExceptUserGetOriginator(), IntWinDagentHandleSuspModExecution(), IntWinStackTraceGetUser(), IntWinStackTraceGetUser32(), IntWinStackTraceGetUser64(), and IntWinThrHandleQueueApc().