Bitdefender Hypervisor Memory Introspection
This file handles initialization injections into Windows processes.
Macros

| Macro | Description |
|---|---|
| #define PEB32_PCONTEXT_OFFSET 0x238 | The PEB32 (Process Environment Block) context offset. |
| #define PEB64_PCONTEXT_OFFSET 0x368 | The PEB64 (Process Environment Block) context offset. |
Functions

| Function | Description |
|---|---|
| static BOOLEAN IsPeb32Write (PWIN_PROCESS_OBJECT Process, QWORD Address, DWORD Size, DWORD PebSize) | This function checks if the current injection targets the PEB32 (Process Environment Block) structure. |
| static BOOLEAN IsPeb64Write (PWIN_PROCESS_OBJECT Process, QWORD Address, DWORD Size, DWORD PebSize) | This function checks if the current injection targets the PEB64 (Process Environment Block) structure. |
| static BOOLEAN ShouldIgnoreInjection (PWIN_PROCESS_OBJECT Process, QWORD Address, DWORD Size) | This function checks if the current injection should be ignored or not (based on WIN_PROCESS_OBJECT.InjectionsCount and WIN_PROCESS_OBJECT.InjectedApphelp). |
| static BOOLEAN IsInitializationDone (PWIN_PROCESS_OBJECT Process) | This function checks if all the initialization steps of a process are done. |
| INTSTATUS IntWinUmCheckInitializationInjection (PEXCEPTION_VICTIM_ZONE Victim, PEXCEPTION_UM_ORIGINATOR Originator) | This function is used by the exception mechanism in order to verify the initialization state of a process (during initialization some legitimate injections take place and have to be excepted). |
Definition in file winuser_checks.c.
#define PEB32_PCONTEXT_OFFSET 0x238
The PEB32 (Process Environment Block) context offset.
Definition at line 18 of file winuser_checks.c.
Referenced by IntWinUmCheckInitializationInjection(), and IsPeb32Write().
#define PEB64_PCONTEXT_OFFSET 0x368
The PEB64 (Process Environment Block) context offset.
Definition at line 19 of file winuser_checks.c.
Referenced by IntWinUmCheckInitializationInjection(), and IsPeb64Write().
INTSTATUS IntWinUmCheckInitializationInjection (PEXCEPTION_VICTIM_ZONE Victim, PEXCEPTION_UM_ORIGINATOR Originator)
This function is used by the exception mechanism in order to verify the initialization state of a process (during initialization some legitimate injections take place and have to be excepted).
Parameters:

| Direction | Parameter | Description |
|---|---|---|
| [in] | Victim | The victim object. |
| [in] | Originator | The originator object. |

Return values:

| Value | Meaning |
|---|---|
| INT_STATUS_EXCEPTION_CHECKS_OK | On success. |
| INT_STATUS_INVALID_PARAMETER_1 | The Victim is NULL. |
| INT_STATUS_INVALID_PARAMETER_2 | The Originator is NULL. |
| INT_STATUS_INVALID_INTERNAL_STATE | The Victim object must contain a process (EXCEPTION_VICTIM_ZONE.Object). |
| INT_STATUS_EXCEPTION_CHECKS_FAILED | The given process did not start initializing (WIN_PROCESS_OBJECT.StartInitializing is not set), or the process is fully initialized (WIN_PROCESS_OBJECT.Initialized and WIN_PROCESS_OBJECT.LastPebWriteDone are both set). |
Definition at line 260 of file winuser_checks.c.
Referenced by IntExceptUserVerifyExtra(), and IntExceptUserVerifyExtraGlobMatch().
static BOOLEAN IsInitializationDone (PWIN_PROCESS_OBJECT Process)
This function checks if all the initialization steps of a process are done.
Parameters:

| Direction | Parameter | Description |
|---|---|---|
| [in] | Process | The WIN_PROCESS_OBJECT structure of the initializing process. |

Return values:

| Value | Meaning |
|---|---|
| TRUE | The initialization is done. |
| FALSE | The initialization is NOT done. |
Definition at line 164 of file winuser_checks.c.
Referenced by IntWinUmCheckInitializationInjection().
static BOOLEAN IsPeb32Write (PWIN_PROCESS_OBJECT Process, QWORD Address, DWORD Size, DWORD PebSize)
This function checks if the current injection targets the PEB32 (Process Environment Block) structure.
Parameters:

| Direction | Parameter | Description |
|---|---|---|
| [in] | Process | The WIN_PROCESS_OBJECT structure of the initializing process. |
| [in] | Address | The written address. |
| [in] | Size | The write size. |
| [in] | PebSize | The size of the PEB (Process Environment Block). |

Return values:

| Value | Meaning |
|---|---|
| TRUE | The injection is a write into the PEB32 (WIN_PROCESS_OBJECT.Peb32Address). |
| FALSE | The injection is NOT a write into the PEB32 (WIN_PROCESS_OBJECT.Peb32Address). |
Definition at line 23 of file winuser_checks.c.
Referenced by IntWinUmCheckInitializationInjection().
static BOOLEAN IsPeb64Write (PWIN_PROCESS_OBJECT Process, QWORD Address, DWORD Size, DWORD PebSize)
This function checks if the current injection targets the PEB64 (Process Environment Block) structure.
Parameters:

| Direction | Parameter | Description |
|---|---|---|
| [in] | Process | The WIN_PROCESS_OBJECT structure of the initializing process. |
| [in] | Address | The written address. |
| [in] | Size | The write size. |
| [in] | PebSize | The size of the PEB (Process Environment Block). |

Return values:

| Value | Meaning |
|---|---|
| TRUE | The injection is a write into the PEB64 (WIN_PROCESS_OBJECT.Peb64Address). |
| FALSE | The injection is NOT a write into the PEB64 (WIN_PROCESS_OBJECT.Peb64Address). |
Definition at line 75 of file winuser_checks.c.
Referenced by IntWinUmCheckInitializationInjection().
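As an added example, not HVMI's own code: a stand-alone C classification of a guest write against a process's PEB, following the IsPeb32Write/IsPeb64Write descriptions above and the two PEB*_PCONTEXT_OFFSET macros (which correspond to the pContextData pointer in the 32-bit and 64-bit PEB layouts). The PEB_INFO struct, the PEB_WRITE_* verdicts, and the "written range lies inside the PEB" / "overlaps the pContextData field" semantics are assumptions of this example, not HVMI's implementation.

```c
#include <stdint.h>
#include <stdbool.h>

/* Offsets from winuser_checks.c; everything else here is an assumed stand-in. */
#define PEB32_PCONTEXT_OFFSET 0x238
#define PEB64_PCONTEXT_OFFSET 0x368

/* Assumed subset of WIN_PROCESS_OBJECT: 0 means the process has no such PEB. */
typedef struct {
    uint64_t Peb32Address;
    uint64_t Peb64Address;
} PEB_INFO;

typedef enum { PEB_WRITE_NONE, PEB_WRITE_PEB32, PEB_WRITE_PEB64 } PEB_WRITE_KIND;

/* True when [Address, Address+Size) lies entirely inside [Base, Base+PebSize).
 * Computed with subtraction so a huge Size cannot wrap Address+Size around. */
static bool InRange(uint64_t Base, uint64_t PebSize, uint64_t Address, uint32_t Size)
{
    if (Base == 0 || Size == 0 || Address < Base) return false;
    uint64_t off = Address - Base;
    return off < PebSize && Size <= PebSize - off;
}

/* Which PEB (if any) the write lands in; mirrors IsPeb32Write/IsPeb64Write. */
PEB_WRITE_KIND ClassifyPebWrite(const PEB_INFO *p, uint64_t Address, uint32_t Size, uint64_t PebSize)
{
    if (InRange(p->Peb32Address, PebSize, Address, Size)) return PEB_WRITE_PEB32;
    if (InRange(p->Peb64Address, PebSize, Address, Size)) return PEB_WRITE_PEB64;
    return PEB_WRITE_NONE;
}

/* True when the write overlaps the pContextData field of the matched PEB:
 * a 4-byte pointer at 0x238 in the PEB32, an 8-byte pointer at 0x368 in the PEB64. */
bool TouchesPebContext(const PEB_INFO *p, PEB_WRITE_KIND kind, uint64_t Address, uint32_t Size)
{
    uint64_t base, field, width;
    if (kind == PEB_WRITE_PEB32)      { base = p->Peb32Address; field = PEB32_PCONTEXT_OFFSET; width = 4; }
    else if (kind == PEB_WRITE_PEB64) { base = p->Peb64Address; field = PEB64_PCONTEXT_OFFSET; width = 8; }
    else return false;
    uint64_t start = Address - base;   /* kind was derived from a passing InRange, so Address >= base */
    uint64_t end = start + Size;
    return start < field + width && end > field;   /* half-open interval overlap */
}
```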
static BOOLEAN ShouldIgnoreInjection (PWIN_PROCESS_OBJECT Process, QWORD Address, DWORD Size)
This function checks if the current injection should be ignored or not (based on the WIN_PROCESS_OBJECT.InjectionsCount and WIN_PROCESS_OBJECT.InjectedApphelp).
Parameters:

| Direction | Parameter | Description |
|---|---|---|
| [in] | Process | The WIN_PROCESS_OBJECT structure of the initializing process. |
| [in] | Address | The written address. |
| [in] | Size | The write size. |

Return values:

| Value | Meaning |
|---|---|
| TRUE | The injection should be ignored (WIN_PROCESS_OBJECT.InjectionsCount should not change). |
| FALSE | The injection should NOT be ignored (increment WIN_PROCESS_OBJECT.InjectionsCount). |
Definition at line 118 of file winuser_checks.c.
Referenced by IntWinUmCheckInitializationInjection().