doxygen/html/winummodule_8h_source.html

 /*
  * Copyright (c) 2020 Bitdefender
  * SPDX-License-Identifier: Apache-2.0
  */
 #ifndef _WINUMMODULE_H_
 #define _WINUMMODULE_H_

 #include "winumcache.h"
 #include "winvad.h"

 #define NAMEHASH_NTDLL          0xbe9d4ec5
 #define NAMEHASH_KERNEL32       0x72f47653
 #define NAMEHASH_KERNELBASE     0x2945f399
 #define NAMEHASH_USER32         0xb8d0fd42

 #define NAMEHASH_WOW64          0xb29d7275
 #define NAMEHASH_WOW64WIN       0xb3ad9cbb
 #define NAMEHASH_WOW64CPU       0x824c82be

 #define NAMEHASH_WS2_32         0x3d20b35c
 #define NAMEHASH_WININET        0x7350cbf8

 #define NAMEHASH_VERIFIER       0x3608e61f
 #define NAMEHASH_APISETSCHEMA   0x6b8a8a45


 typedef struct _WIN_PROCESS_MODULE
 {
     LIST_ENTRY          Link;

     QWORD               VirtualBase;
     DWORD               Size;

     union
     {
         DWORD           Flags;
         struct
         {
             DWORD       ShouldProtHooks: 1;
             DWORD       ShouldProtUnpack: 1;
             DWORD       UnpackAlertSent: 1;
             DWORD       Is64BitModule: 1;
             DWORD       IsProtected: 1;
             DWORD       IsMainModule: 1;
             DWORD       IsSystemModule : 1;
             DWORD       LoadEventSent: 1;
             DWORD       UnloadEventSent: 1;
             DWORD       IsSuspicious: 1;
             DWORD       SuspChecked: 1;
             DWORD       StaticScan: 1;
             DWORD       ShouldGetCache: 1;
             DWORD       DoubleAgentAlertSent: 1;
         };
     };

     PWIN_PROCESS_SUBSYSTEM  Subsystem;

     WINUM_PATH              *Path;
     WINUM_MODULE_CACHE      *Cache;

     DWORD                   IATEntries;
     PBYTE                   IATBitmap;

     void                    *HookObject;
     void                    *HeadersSwapHandle;
     void                    *ExportsSwapHandle;

     void                    *ModBlockObject;

     QWORD                   SlackSpaceForVerifier;
     QWORD                   AddressOfVerifierData;
     BOOLEAN                 FirstDoubleAgentExecDone;
     void                    *SlackSpaceSwapHandle;

     void                    *MainModHeadersSwapHandle;

     const VAD               *Vad;

 } WIN_PROCESS_MODULE, *PWIN_PROCESS_MODULE;


 typedef struct _PROTECTED_DLL_INFO
 {
     WCHAR   *Name;
     DWORD   NameHash;
 } PROTECTED_DLL_INFO, * PPROTECTED_DLL_INFO;


 #define MODULE_MATCH(m, p)      ((((m)->Path->NameHash == (p)->NameHash)) && \
                                 (0 == memcmp((m)->Path->Name, (p)->Name, (m)->Path->NameSize)))


 //
 // API
 //
 INTSTATUS
 IntWinModHandleLoadFromVad(
     _In_ WIN_PROCESS_OBJECT *Process,
     _In_ const VAD *Vad
     );

 INTSTATUS
 IntWinModHandleUnloadFromVad(
     _In_ PWIN_PROCESS_OBJECT Process,
     _In_ PVAD Vad
     );

 INTSTATUS
 IntWinModHandleWrite(
     _In_opt_ void *Context,
     _In_ void *Hook,
     _In_ QWORD Address,
     _Out_ INTRO_ACTION *Action
     );

 INTSTATUS
 IntWinModPolyHandler(
     _In_ QWORD Cr3,
     _In_ QWORD VirtualAddress,
     _In_ PINSTRUX Instrux,
     _In_ void *Context
     );

 INTSTATUS
 IntWinModUnHookModule(
     _In_ PWIN_PROCESS_MODULE Module
     );

 INTSTATUS
 IntWinModRemoveModule(
     _In_ PWIN_PROCESS_MODULE Module
     );

 void
 IntWinModulesChangeProtectionFlags(
     _In_ PWIN_PROCESS_SUBSYSTEM Subsystem
     );

 PWIN_PROCESS_MODULE
 IntWinUmModFindByAddress(
     _In_ PWIN_PROCESS_OBJECT Process,
     _In_ QWORD Gva
     );

 INTSTATUS
 IntWinModHandlePreInjection(
     _In_ void *Context,
     _In_ QWORD Cr3,
     _In_ QWORD VirtualAddress
     );

 INTSTATUS
 IntWinProcSendAllDllEventsForProcess(
     _In_ PWIN_PROCESS_OBJECT Process
     );

 #endif // _WINUMMODULE_H_
_WIN_PROCESS_MODULE::Path
WINUM_PATH * Path
Module path.
Definition: winummodule.h:62

_WIN_PROCESS_MODULE::Is64BitModule
DWORD Is64BitModule
TRUE if the module is 64 bit.
Definition: winummodule.h:45

_In_opt_
#define _In_opt_
Definition: intro_sal.h:16

_WIN_PROCESS_MODULE::IATBitmap
PBYTE IATBitmap
A bitmap indicating which IAT entries have been initialized.
Definition: winummodule.h:66

_Out_
#define _Out_
Definition: intro_sal.h:22

BOOLEAN
_Bool BOOLEAN
Definition: intro_types.h:58

_PROTECTED_DLL_INFO::Name
WCHAR * Name
Name.
Definition: winummodule.h:98

_In_
#define _In_
Definition: intro_sal.h:21

_WIN_PROCESS_MODULE::Vad
const VAD * Vad
The VAD which describes this module.
Definition: winummodule.h:88

_WIN_PROCESS_MODULE::ShouldProtHooks
DWORD ShouldProtHooks
TRUE if the module should be protected against hooks.
Definition: winummodule.h:42

winvad.h

_WIN_PROCESS_MODULE::ShouldGetCache
DWORD ShouldGetCache
TRUE if the module headers should be cached.
Definition: winummodule.h:55

IntWinModHandlePreInjection
INTSTATUS IntWinModHandlePreInjection(void *Context, QWORD Cr3, QWORD VirtualAddress)
Module base page-fault pre-injection callback.
Definition: winummodule.c:1265

_WIN_PROCESS_MODULE::IsSuspicious
DWORD IsSuspicious
TRUE if the module is suspicious.
Definition: winummodule.h:51

_WIN_PROCESS_SUBSYSTEM
Windows process subsystem.
Definition: winprocess.h:54

INTSTATUS
int INTSTATUS
The status data type.
Definition: introstatus.h:24

_WIN_PROCESS_MODULE::IsProtected
DWORD IsProtected
TRUE if the module is actually hooked.
Definition: winummodule.h:46

PWIN_PROCESS_MODULE
struct _WIN_PROCESS_MODULE * PWIN_PROCESS_MODULE

_WIN_PROCESS_MODULE::FirstDoubleAgentExecDone
BOOLEAN FirstDoubleAgentExecDone
A flag which is set in order to verify if the first execution (for init phase) is done on double agen...
Definition: winummodule.h:80

_WIN_PROCESS_MODULE::VirtualBase
QWORD VirtualBase
Guest virtual address of the loaded module.
Definition: winummodule.h:34

_PROTECTED_DLL_INFO
Definition: winummodule.h:96

PROTECTED_DLL_INFO
struct _PROTECTED_DLL_INFO PROTECTED_DLL_INFO

PPROTECTED_DLL_INFO
struct _PROTECTED_DLL_INFO * PPROTECTED_DLL_INFO

_WIN_PROCESS_MODULE::SlackSpaceForVerifier
QWORD SlackSpaceForVerifier
The address between sections on which we put the needed verifier structure on double agent...
Definition: winummodule.h:75

IntWinUmModFindByAddress
PWIN_PROCESS_MODULE IntWinUmModFindByAddress(PWIN_PROCESS_OBJECT Process, QWORD Gva)
Searches for a user-mode module which contains the indicated guest virtual address.
Definition: winummodule.c:2304

IntWinModulesChangeProtectionFlags
void IntWinModulesChangeProtectionFlags(PWIN_PROCESS_SUBSYSTEM Subsystem)
Change the protection flags applied to the process modules that are currently loaded.
Definition: winummodule.c:2138

_WIN_PROCESS_MODULE::Flags
DWORD Flags
Raw flags.
Definition: winummodule.h:39

_WIN_PROCESS_MODULE::LoadEventSent
DWORD LoadEventSent
TRUE if the load event has been sent.
Definition: winummodule.h:49

PBYTE
uint8_t * PBYTE
Definition: intro_types.h:47

_WIN_PROCESS_MODULE::DoubleAgentAlertSent
DWORD DoubleAgentAlertSent
TRUE if a DoubleAgent alert has been sent on this module.
Definition: winummodule.h:56

QWORD
unsigned long long QWORD
Definition: intro_types.h:53

WIN_PROCESS_MODULE
struct _WIN_PROCESS_MODULE WIN_PROCESS_MODULE

winumcache.h

_WIN_PROCESS_MODULE::ShouldProtUnpack
DWORD ShouldProtUnpack
TRUE if the module should be protected against unpack.
Definition: winummodule.h:43

_WIN_PROCESS_MODULE::SlackSpaceSwapHandle
void * SlackSpaceSwapHandle
Swap handle for the slack space page where we put verifier structures.
Definition: winummodule.h:82

_WINUM_MODULE_CACHE
Definition: winumcache.h:76

_WINUM_PATH
Definition: winumpath.h:13

_WIN_PROCESS_MODULE::MainModHeadersSwapHandle
void * MainModHeadersSwapHandle
Needed for verifying if the process main module is from the Native subsystem or not (e...
Definition: winummodule.h:86

_WIN_PROCESS_MODULE::HookObject
void * HookObject
Module hook object.
Definition: winummodule.h:68

_WIN_PROCESS_MODULE::UnloadEventSent
DWORD UnloadEventSent
TRUE if the unload event has been sent.
Definition: winummodule.h:50

IntWinModHandleWrite
INTSTATUS IntWinModHandleWrite(void *Context, void *Hook, QWORD Address, INTRO_ACTION *Action)
Handle writes inside a protected user-mode module wrapper. Will dispatch appropriately to either the ...
Definition: winummodule.c:1036

_WIN_PROCESS_MODULE::ModBlockObject
void * ModBlockObject
Module load block handle.
Definition: winummodule.h:72

WCHAR
uint16_t WCHAR
Definition: intro_types.h:63

DWORD
uint32_t DWORD
Definition: intro_types.h:49

IntWinModPolyHandler
INTSTATUS IntWinModPolyHandler(QWORD Cr3, QWORD VirtualAddress, PINSTRUX Instrux, void *Context)
Handle an unpack event for the indicated address.
Definition: winummodule.c:1940

IntWinModHandleLoadFromVad
INTSTATUS IntWinModHandleLoadFromVad(WIN_PROCESS_OBJECT *Process, const VAD *Vad)
Handle a module load from a VAD.
Definition: winummodule.c:1587

_WIN_PROCESS_MODULE::Link
LIST_ENTRY Link
List entry element.
Definition: winummodule.h:32

INTRO_ACTION
enum _INTRO_ACTION INTRO_ACTION
Event actions.

IntWinProcSendAllDllEventsForProcess
INTSTATUS IntWinProcSendAllDllEventsForProcess(PWIN_PROCESS_OBJECT Process)
Send DLL load events for all modules loaded in all subsystems of a process.
Definition: winummodule.c:198

_WIN_PROCESS_MODULE::UnpackAlertSent
DWORD UnpackAlertSent
TRUE if unpack alerts have been sent.
Definition: winummodule.h:44

_PROTECTED_DLL_INFO::NameHash
DWORD NameHash
Name hash.
Definition: winummodule.h:99

_WIN_PROCESS_MODULE::HeadersSwapHandle
void * HeadersSwapHandle
Swap handle for the headers.
Definition: winummodule.h:69

_WIN_PROCESS_MODULE::Cache
WINUM_MODULE_CACHE * Cache
Module headers cache.
Definition: winummodule.h:63

_WIN_PROCESS_MODULE
Definition: winummodule.h:30

_WIN_PROCESS_MODULE::SuspChecked
DWORD SuspChecked
Definition: winummodule.h:52

_WIN_PROCESS_MODULE::IATEntries
DWORD IATEntries
Number of IAT entries.
Definition: winummodule.h:65

_WIN_PROCESS_MODULE::StaticScan
DWORD StaticScan
TRUE if the module was found by statically enumerating process modules.
Definition: winummodule.h:54

IntWinModRemoveModule
INTSTATUS IntWinModRemoveModule(PWIN_PROCESS_MODULE Module)
Removes a Windows module.
Definition: winummodule.c:2043

_WIN_PROCESS_MODULE::ExportsSwapHandle
void * ExportsSwapHandle
Swap handle for the exports.
Definition: winummodule.h:70

_WIN_PROCESS_MODULE::Subsystem
PWIN_PROCESS_SUBSYSTEM Subsystem
Module subsystem.
Definition: winummodule.h:60

_WIN_PROCESS_MODULE::AddressOfVerifierData
QWORD AddressOfVerifierData
The address received by DllMain where the pointer to verifier structure should be put...
Definition: winummodule.h:77

IntWinModUnHookModule
INTSTATUS IntWinModUnHookModule(PWIN_PROCESS_MODULE Module)
Remove the protection from the indicated module.
Definition: winummodule.c:1205

_VAD
A representation of a Windows VAD structure.
Definition: winvad.h:80

_WIN_PROCESS_MODULE::IsMainModule
DWORD IsMainModule
TRUE if this is the main module.
Definition: winummodule.h:47

_WIN_PROCESS_MODULE::IsSystemModule
DWORD IsSystemModule
TRUE if this is a system module (loaded from system32 or syswow64).
Definition: winummodule.h:48

_WIN_PROCESS_MODULE::Size
DWORD Size
Virtual size of the module.
Definition: winummodule.h:35

_LIST_ENTRY
Definition: introlists.h:16

IntWinModHandleUnloadFromVad
INTSTATUS IntWinModHandleUnloadFromVad(PWIN_PROCESS_OBJECT Process, PVAD Vad)
Handle a module unload.
Definition: winummodule.c:1762

_WIN_PROCESS_OBJECT
This structure describes a running process inside the guest.
Definition: winprocess.h:83