#ifndef _WINUMMODULE_H_
#define _WINUMMODULE_H_
/* NOTE(review): an identifier starting with '_' + uppercase is reserved for the implementation;
 * the guard name is kept here for compatibility with the rest of the project. */

/* Name hashes of the user-mode modules this header treats specially (values as defined in the file). */
#define NAMEHASH_NTDLL          0xbe9d4ec5
#define NAMEHASH_KERNEL32       0x72f47653
#define NAMEHASH_KERNELBASE     0x2945f399
#define NAMEHASH_USER32         0xb8d0fd42

/* WoW64 layer modules. */
#define NAMEHASH_WOW64          0xb29d7275
#define NAMEHASH_WOW64WIN       0xb3ad9cbb
#define NAMEHASH_WOW64CPU       0x824c82be

/* Networking modules. */
#define NAMEHASH_WS2_32         0x3d20b35c
#define NAMEHASH_WININET        0x7350cbf8

/* Application verifier and API set schema. */
#define NAMEHASH_VERIFIER       0x3608e61f
#define NAMEHASH_APISETSCHEMA   0x6b8a8a45

/*
 * MODULE_MATCH(m, p) - TRUE when the loaded module m (presumably a WIN_PROCESS_MODULE, which
 * carries a Path with Name/NameSize/NameHash) matches the descriptor p: the name hashes must be
 * equal, and then the names must compare equal byte-for-byte.
 *
 * NOTE(review): the memcmp is bounded only by the module's Path->NameSize. If p->Name can be
 * shorter than that, a hash collision would make memcmp read past the end of p->Name; confirm
 * that the caller also compares the two sizes (or that p->Name is always at least NameSize bytes)
 * before relying on this macro with externally influenced module names.
 * Both arguments are evaluated more than once; pass plain lvalues, not expressions with side effects.
 */
#define MODULE_MATCH(m, p) \
    ((m)->Path->NameHash == (p)->NameHash && \
     0 == memcmp((m)->Path->Name, (p)->Name, (m)->Path->NameSize))

_In_ PINSTRUX Instrux,
140 _In_ PWIN_PROCESS_MODULE Module
145 _In_ PWIN_PROCESS_MODULE Module
171 #endif // _WINUMMODULE_H_ WINUM_PATH * Path
Module path.
DWORD Is64BitModule
TRUE if the module is 64-bit.
PBYTE IATBitmap
A bitmap indicating which IAT entries have been initialized.
const VAD * Vad
The VAD which describes this module.
DWORD ShouldProtHooks
TRUE if the module should be protected against hooks.
DWORD ShouldGetCache
TRUE if the module headers should be cached.
INTSTATUS IntWinModHandlePreInjection(void *Context, QWORD Cr3, QWORD VirtualAddress)
Module base page-fault pre-injection callback.
DWORD IsSuspicious
TRUE if the module is suspicious.
Windows process subsystem.
int INTSTATUS
The status data type.
DWORD IsProtected
TRUE if the module is actually hooked.
struct _WIN_PROCESS_MODULE * PWIN_PROCESS_MODULE
BOOLEAN FirstDoubleAgentExecDone
A flag which is set in order to verify if the first execution (for init phase) is done on double agen...
QWORD VirtualBase
Guest virtual address of the loaded module.
struct _PROTECTED_DLL_INFO PROTECTED_DLL_INFO
struct _PROTECTED_DLL_INFO * PPROTECTED_DLL_INFO
QWORD SlackSpaceForVerifier
The address between sections on which we put the needed verifier structure on double agent...
PWIN_PROCESS_MODULE IntWinUmModFindByAddress(PWIN_PROCESS_OBJECT Process, QWORD Gva)
Searches for a user-mode module which contains the indicated guest virtual address.
void IntWinModulesChangeProtectionFlags(PWIN_PROCESS_SUBSYSTEM Subsystem)
Change the protection flags applied to the process modules that are currently loaded.
DWORD LoadEventSent
TRUE if the load event has been sent.
DWORD DoubleAgentAlertSent
TRUE if a DoubleAgent alert has been sent on this module.
struct _WIN_PROCESS_MODULE WIN_PROCESS_MODULE
DWORD ShouldProtUnpack
TRUE if the module should be protected against unpacking.
void * SlackSpaceSwapHandle
Swap handle for the slack space page where we put verifier structures.
void * MainModHeadersSwapHandle
Needed for verifying if the process main module is from the Native subsystem or not (e...
void * HookObject
Module hook object.
DWORD UnloadEventSent
TRUE if the unload event has been sent.
INTSTATUS IntWinModHandleWrite(void *Context, void *Hook, QWORD Address, INTRO_ACTION *Action)
Handle writes inside a protected user-mode module wrapper. Will dispatch appropriately to either the ...
void * ModBlockObject
Module load block handle.
INTSTATUS IntWinModPolyHandler(QWORD Cr3, QWORD VirtualAddress, PINSTRUX Instrux, void *Context)
Handle an unpack event for the indicated address.
INTSTATUS IntWinModHandleLoadFromVad(WIN_PROCESS_OBJECT *Process, const VAD *Vad)
Handle a module load from a VAD.
LIST_ENTRY Link
List entry element.
enum _INTRO_ACTION INTRO_ACTION
Event actions.
INTSTATUS IntWinProcSendAllDllEventsForProcess(PWIN_PROCESS_OBJECT Process)
Send DLL load events for all modules loaded in all subsystems of a process.
DWORD UnpackAlertSent
TRUE if unpack alerts have been sent.
void * HeadersSwapHandle
Swap handle for the headers.
WINUM_MODULE_CACHE * Cache
Module headers cache.
DWORD IATEntries
Number of IAT entries.
DWORD StaticScan
TRUE if the module was found by statically enumerating process modules.
INTSTATUS IntWinModRemoveModule(PWIN_PROCESS_MODULE Module)
Removes a Windows module.
void * ExportsSwapHandle
Swap handle for the exports.
PWIN_PROCESS_SUBSYSTEM Subsystem
Module subsystem.
QWORD AddressOfVerifierData
The address received by DllMain where the pointer to verifier structure should be put...
INTSTATUS IntWinModUnHookModule(PWIN_PROCESS_MODULE Module)
Remove the protection from the indicated module.
A representation of a Windows VAD structure.
DWORD IsMainModule
TRUE if this is the main module.
DWORD IsSystemModule
TRUE if this is a system module (loaded from system32 or syswow64).
DWORD Size
Virtual size of the module.
INTSTATUS IntWinModHandleUnloadFromVad(PWIN_PROCESS_OBJECT Process, PVAD Vad)
Handle a module unload.
This structure describes a running process inside the guest.