105 QWORD retAddr = 0, dllHandle, reserved;
106 DWORD addrSize, reason;
127 ERROR(
"[ERROR] IntVirtMemRead failed: 0x%08x\n", status);
133 WARNING(
"[WARNING] Something which is not the entry point was called for %s (Rip %llx rva %x Entry point %x)\n",
142 dllHandle = regs->
Rcx;
146 else if (bEntryPoint)
153 ERROR(
"[ERROR] IntVirtMemRead failed: 0x%08x\n", status);
157 dllHandle = stackArr[0];
158 reason = stackArr[1];
159 reserved = stackArr[2];
168 status = pBlockObj->
Callback(pMod, pBlockObj, dllHandle, reason, reserved, retAddr, &action);
170 *Action =
MAX(action, *Action);
174 WARNING(
"[WARNING] Block object callback returned: 0x%08x\n", status);
185 if (pCbList->Reason != reason)
192 status = pCbObj->ReasonCallback(pMod, pBlockObj, dllHandle, reason, reserved, retAddr, &action);
194 *Action =
MAX(action, *Action);
198 ERROR(
"[ERROR] Callback for reason %u returned: 0x%08x\n", reason, status);
211 ERROR(
"[ERROR] IntWinModBlockRemoveBlockObject failed: 0x%08x\n", status);
248 ERROR(
"[ERROR] IntSetGprs failed: 0x%08x\n", status2);
266 WARNING(
"[WARNING] Status is %x and flag KILL_ON_ERROR given, will try to kill process...\n", status);
300 if (NULL == pModBlock)
313 LOG(
"[WINMODULE] The VAD 0x%016llx belonging to module %s seems to not be inside the tree yet, " 314 "will postpone #PF...\n",
373 ERROR(
"[ERROR] IntHookObjectCreate failed: 0x%08x\n", status);
374 goto cleanup_and_exit;
380 ERROR(
"[ERROR] IntPeValidateHeader failed: 0x%08x\n", status);
381 goto cleanup_and_exit;
386 TRACE(
"[INFO] Hooking for execute for Virtual Base (0x%016llx)\n", pMod->
VirtualBase);
391 char name[9] = { 0 };
393 memcpy(name, pSec->
Name, 8);
397 INFO(
"[INFO] Skipping section from VA 0x%08x, size 0x%08x, which is larger than VadSize 0x%016llx\n",
405 TRACE(
"[INFO] Hooking for execute section %s (0x%08x, 0x%08x)\n",
418 ERROR(
"[ERROR] IntHookObjectHookRegion failed: 0x%08x\n", status);
419 goto cleanup_and_exit;
425 LOG(
"[INFO] Skipping for execute section %s (0x%08x, 0x%08x)\n",
435 ERROR(
"[ERROR] Section callback returned: 0x%08x\n", status);
436 goto cleanup_and_exit;
499 if (NULL == Callback)
504 if (NULL == BlockObject)
509 if (Module->StaticScan)
515 if (NULL == pBlockObject)
538 ERROR(
"[ERROR] IntSwapMemReadData failed: 0x%08x\n", status);
539 goto cleanup_and_exit;
542 *BlockObject = pBlockObject;
547 if (NULL != pBlockObject)
559 _In_ void *BlockObject,
595 if (NULL == BlockObject)
605 if (NULL == Callback)
618 if (pCbList->Reason == Reason)
620 pFinalCbList = pCbList;
629 if (NULL == pFinalCbList)
632 goto cleanup_and_exit;
635 pFinalCbList->
Reason = Reason;
653 if (NULL != pFinalCbList)
682 if (NULL == BlockObject)
692 ERROR(
"[ERROR] Cleanup callback returned: 0x%08x\n", status);
702 ERROR(
"[ERROR] IntHookObjectDestroy failed: 0x%08x\n", status);
711 ERROR(
"[ERROR] IntSwapMemRemoveTransaction failed: 0x%08x\n", status);
727 list2 = list2->
Flink;
WINUM_PATH * Path
Module path.
#define IMAGE_SCN_MEM_EXECUTE
#define CONTAINING_RECORD(List, Type, Member)
enum _WIN_MOD_BLOCK_FLAG WIN_MOD_BLOCK_FLAG
Used to provide blocking options.
#define ROUND_UP(what, to)
struct _REASON_CALLBACK_OBJECT * PREASON_CALLBACK_OBJECT
INTSTATUS IntHookObjectDestroy(HOOK_OBJECT_DESCRIPTOR **Object, DWORD Flags)
Destroy an entire hook object. All regions belonging to this object will be removed.
void * HeadersSwapHandle
The swap handle used for reading the module headers.
IG_ARCH_REGS Regs
The current state of the guest registers.
DWORD Index
The VCPU number.
WIN_PROCESS_MODULE * Module
The Windows process module to be blocked.
struct _REASON_CALLBACK_OBJECT REASON_CALLBACK_OBJECT
A reason callback context (invoked for a given dllMain reason).
#define INT_STATUS_SUCCESS
const VAD * Vad
The VAD which describes this module.
Do not unload the module.
INTSTATUS IntWinModBlockRemoveBlockObject(void *BlockObject)
This function is used in order to destroy a WIN_MOD_BLOCK_OBJECT structure.
A reason callback context (invoked for a given dllMain reason).
INTSTATUS IntSwapMemReadData(QWORD Cr3, QWORD VirtualAddress, DWORD Length, DWORD Options, void *Context, DWORD ContextTag, PFUNC_PagesReadCallback Callback, PFUNC_PreInjectCallback PreInject, void **SwapHandle)
Reads a region of guest virtual memory, and calls the indicated callback when all the data is availab...
struct _LIST_ENTRY * Flink
INTSTATUS(* PFUNC_IntWinModBlockCleanup)(WIN_PROCESS_MODULE *Module, const void *BlockObject)
This callback type will be invoked when IntWinModBlockRemoveBlockObject is called for cleanup purpose...
#define INT_SUCCESS(Status)
WIN_MOD_BLOCK_FLAG Flags
The flags that will determine the action to be taken in case a malicious module is detected...
QWORD SectionOffset
Offset of the first section header.
#define WINMODBLOCK_INVALID_VALUE
DllHandle, Reason and Reserved can be equal to WINMODBLOCK_INVALID_VALUE when something that is not t...
struct _REASON_CALLBACK_LIST_OBJECT * PREASON_CALLBACK_LIST_OBJECT
#define INT_STATUS_NOT_NEEDED_HINT
void * ExecHookObject
The hook object placed on the executable sections.
struct _WIN_MOD_BLOCK_OBJECT WIN_MOD_BLOCK_OBJECT
Windows module block object.
static INTSTATUS IntWinModBlockHandleExecution(void *Context, void *Hook, QWORD Address, INTRO_ACTION *Action)
This function is invoked when a hooked section belonging to the analyzed module starts executing...
#define HpAllocWithTag(Len, Tag)
int INTSTATUS
The status data type.
PFUNC_IntWinModBlockCleanup CleanupCallback
This callback is invoked before destroying the WIN_MOD_BLOCK_OBJECT associated with this module...
INTSTATUS IntInjectExceptionInGuest(BYTE Vector, QWORD Cr2, DWORD ErrorCode, DWORD CpuNumber)
Injects an exception inside the guest.
QWORD VirtualBase
Guest virtual address of the loaded module.
QWORD VadGva
The guest virtual address at which the corresponding Windows _MMVAD structure is located.
A reason callback structure (this can contain multiple callbacks to be invoked for a certain dllMain ...
Executions in suspicious DLL loads.
QWORD Cr3
Process PDBR. Includes PCID.
DWORD Reason
The dllMain reason.
INTSTATUS IntSwapMemRemoveTransaction(void *Transaction)
Remove a transaction.
static BOOLEAN RemoveEntryList(LIST_ENTRY *Entry)
QWORD NumberOfSections
Number of sections.
LIST_ENTRY ReasonCallbacksList
A list of callbacks that will be invoked for different dllMain reasons.
#define HpFreeAndNullWithTag(Add, Tag)
BOOLEAN IntWinVadIsInTree(const VAD *Vad)
Checks if a VAD is inserted in a guest VAD tree.
#define INT_STATUS_INVALID_PARAMETER_5
#define INT_STATUS_INVALID_INTERNAL_STATE
INTSTATUS(* PFUNC_IntWinModBlockCallback)(WIN_PROCESS_MODULE *Module, void *BlockObject, QWORD DllHandle, QWORD Reason, QWORD Reserved, QWORD RetAddress, INTRO_ACTION *Action)
This callback provides detection logic for Windows module loads.
struct _WIN_PROCESS_OBJECT * Process
The process object related to this subsystem.
union _IMAGE_SECTION_HEADER::@214 Misc
INTSTATUS IntWinModBlockRegisterCallbackForReason(void *BlockObject, DWORD Reason, PFUNC_IntWinModBlockCallback Callback)
Registers a callback that is invoked when the blocked module's DllMain function is called with a give...
static void InsertTailList(LIST_ENTRY *ListHead, LIST_ENTRY *Entry)
Process subsystem type 64 bit.
PFUNC_IntWinModBlockCallback Callback
The callback that will provide the detection logic.
static void InitializeListHead(LIST_ENTRY *ListHead)
#define UNREFERENCED_PARAMETER(P)
PFUNC_IntWinModBlockHeadersCallback HeadersCallback
This callback is invoked when the module headers have been successfully read.
static INTSTATUS IntModBlockHandlePreInjection(void *Context, QWORD Cr3, QWORD VirtualAddress)
This function is invoked before injecting the #PF used to read the module headers.
DWORD EntryPoint
Entry point (RVA).
INTSTATUS IntPeValidateHeader(QWORD ImageBase, BYTE *ImageBaseBuffer, DWORD ImageBaseBufferSize, INTRO_PE_INFO *PeInfo, QWORD Cr3)
Validates a PE header.
enum _INTRO_ACTION INTRO_ACTION
Event actions.
#define _In_reads_bytes_(expr)
INTSTATUS IntSetGprs(DWORD CpuNumber, PIG_ARCH_REGS Regs)
Sets the values of the guest GPRs.
WCHAR * Name
The name of the module contained in the path.
struct _REASON_CALLBACK_LIST_OBJECT REASON_CALLBACK_LIST_OBJECT
A reason callback structure (this can contain multiple callbacks to be invoked for a certain dllMain ...
INTSTATUS IntVirtMemRead(QWORD Gva, DWORD Length, QWORD Cr3, void *Buffer, DWORD *RetLength)
Reads data from a guest virtual memory range.
INTSTATUS IntWinModBlockBlockModuleLoad(WIN_PROCESS_MODULE *Module, WIN_MOD_BLOCK_FLAG Flags, PFUNC_IntWinModBlockCallback Callback, PFUNC_IntWinModBlockHeadersCallback HeadersCallback, PFUNC_IntWinModBlockCleanup CleanupCallback, void **BlockObject)
This function is invoked when a suspicious dll is loaded in order to analyze and block the dll load i...
Exposes the types, constants and functions needed to block Windows module loads (used to block double...
#define IMAGE_SCN_MEM_DISCARDABLE
DWORD EntryPoint
The entry point of the module.
WIN_SUBSYTEM_TYPE SubsystemType
Process subsystem type.
LIST_ENTRY Link
Entry within REASON_CALLBACK_LIST_OBJECT::Callbacks.
QWORD PageCount
The number of 4K pages in the VAD.
Force the module to unload by returning FALSE.
INTSTATUS IntHookObjectHookRegion(void *Object, QWORD Cr3, QWORD Gla, SIZE_T Length, BYTE Type, void *Callback, void *Context, DWORD Flags, HOOK_REGION_DESCRIPTOR **Region)
Hook a contiguous region of virtual memory inside the provided virtual address space.
char * utf16_for_log(const WCHAR *WString)
Converts a UTF-16 string to a UTF-8 string to be used inside logging macros.
struct _WIN_MOD_BLOCK_OBJECT * PWIN_MOD_BLOCK_OBJECT
#define INT_STATUS_INVALID_PARAMETER_1
VCPU_STATE * gVcpu
The state of the current VCPU.
UINT8 Name[IMAGE_SIZEOF_SHORT_NAME]
LIST_ENTRY Link
Entry within WIN_MOD_BLOCK_OBJECT::ReasonCallbacksList.
static INTSTATUS IntModBlockHandleBlockModHeadersInMemory(WIN_MOD_BLOCK_OBJECT *Context, QWORD Cr3, QWORD VirtualAddress, QWORD PhysicalAddress, BYTE *Data, DWORD DataSize, DWORD Flags)
This function is invoked when the module headers have been successfully read.
Measures module load violation handling.
PWIN_PROCESS_SUBSYSTEM Subsystem
Module subsystem.
INTSTATUS(* PFUNC_IntWinModBlockHeadersCallback)(WIN_PROCESS_MODULE *Module, BYTE *Headers)
This callback type will be called for the suspicious module headers when they are swapped in...
#define list_for_each(_head, _struct_type, _var)
LIST_ENTRY Callbacks
A list of callbacks to be invoked for the given dllMain reason.
#define INT_STATUS_INVALID_PARAMETER_2
INTSTATUS IntHookObjectCreate(DWORD ObjectType, QWORD Cr3, void **Object)
Create a new hook object.
PFUNC_IntWinModBlockCallback ReasonCallback
The callback to be invoked.
#define SWAPMEM_OPT_UM_FAULT
If set, the PF must be injected only while in user-mode. Use it when reading user-mode memory...
Windows module block object.
#define INT_STATUS_INSUFFICIENT_RESOURCES
#define INT_STATUS_INVALID_PARAMETER_3
WCHAR * Path
The string which represents the user-mode module path.