18 #define PEB32_PCONTEXT_OFFSET 0x238 19 #define PEB64_PCONTEXT_OFFSET 0x368 41 if (Process->Peb32Address <= Address &&
42 Process->Peb32Address + PebSize > Address)
47 Process->Peb32ContextWritten =
TRUE;
53 if (Process->Peb32Address <= Address &&
54 Process->Peb32Address + PebSize > Address)
61 if (!Process->Wow64Process && Process->ParentWow64)
63 if (Process->PebWrittenCount == 1)
93 if (Process->Peb64Address <= Address &&
94 Process->Peb64Address + PebSize > Address)
99 Process->Peb64ContextWritten =
TRUE;
105 if (Process->Peb64Address <= Address &&
106 Process->Peb64Address + PebSize > Address)
136 if (Process->InjectionsCount == 1 && !Process->InjectedApphelp)
150 Process->InjectedApphelp =
TRUE;
151 Process->InjectedApphelpAddress = Address;
152 Process->InjectedAppHelpSize = Size;
180 if (Process->Subsystemx64 && Process->Subsystemx86)
182 if (Process->Peb64ContextWritten && Process->Peb32ContextWritten)
191 else if (Process->Subsystemx64 && Process->Peb64ContextWritten)
195 else if (Process->Subsystemx86 && Process->Peb32ContextWritten)
208 if (Process->PebWrittenCount == 2 && Process->Wow64Process && Process->ParentWow64 &&
211 Process->InjectedApphelp =
FALSE;
212 Process->InjectionsCount = 0;
213 Process->PebWrittenCount = 0;
218 if (Process->PebWrittenCount == 2)
223 if (!Process->Wow64Process && Process->PebWrittenCount == 1)
240 if (Process->PebWrittenCount == 1)
244 Process->InjectedApphelp =
FALSE;
245 Process->InjectionsCount = 0;
246 Process->PebWrittenCount = 0;
285 DWORD pebSize, pebWriteCount;
292 if (NULL == Originator)
297 pProc = Victim->Object.WinProc;
300 ERROR(
"[ERROR] Victim zone cannot have NULL process!\n");
313 QWORD address = Victim->Injection.Gva;
314 DWORD size = Victim->Injection.Length;
319 sizeof(
QWORD) == size)
326 sizeof(
DWORD) == size)
351 if (
IsPeb64Write(pProc, Victim->Injection.Gva, Victim->Injection.Length, pebSize))
359 if (
IsPeb32Write(pProc, Victim->Injection.Gva, Victim->Injection.Length, pebSize))
369 if (
IsPeb32Write(pProc, Victim->Injection.Gva, Victim->Injection.Length, pebSize))
static BOOLEAN ShouldIgnoreInjection(PWIN_PROCESS_OBJECT Process, QWORD Address, DWORD Size)
This function checks if the current injection should be ignored or not (based on the WIN_PROCESS_OBJE...
static BOOLEAN IsInitializationDone(PWIN_PROCESS_OBJECT Process)
This function checks if all the initialization steps of a process are done.
#define INT_STATUS_EXCEPTION_CHECKS_FAILED
#define WIN_UM_FIELD(Structure, Field)
Macro used to access user mode fields inside the WIN_OPAQUE_FIELDS structure.
#define INT_STATUS_EXCEPTION_CHECKS_OK
BYTE InjectionsCount
The number of injections allowed during initialization.
BYTE PebWrittenCount
The number of writes to the PEB (Process Environment Block).
Describes a user-mode originator.
int INTSTATUS
The status data type.
DWORD OSVersion
OS version.
#define PEB32_PCONTEXT_OFFSET
The PEB32 (Process Environment Block) context offset.
QWORD Peb64Address
PEB 64 address (on x86 OSes, this will be 0).
DWORD Wow64Process
TRUE if this is a 32-bit process running on a 64-bit OS.
DWORD LastPebWriteDone
TRUE if the write into PEB is done (used for initialization checks).
BOOLEAN Guest64
True if this is a 64-bit guest, False if it is a 32-bit guest.
CHAR Name[IMAGE_BASE_NAME_LEN]
Process base name.
static BOOLEAN IsPeb32Write(PWIN_PROCESS_OBJECT Process, QWORD Address, DWORD Size, DWORD PebSize)
This function checks if the current injection targets the PEB32 (Process Environment Block) structure...
DWORD StartInitializing
TRUE if the process actually started initializing (there is a time window from the moment we add the...
#define INT_STATUS_INVALID_INTERNAL_STATE
INTSTATUS IntWinUmCheckInitializationInjection(PEXCEPTION_VICTIM_ZONE Victim, PEXCEPTION_UM_ORIGINATOR Originator)
This function is used by the exception mechanism in order to verify the initialization state of a pro...
Describes the modified zone.
QWORD Peb32Address
PEB 32 address (on pure x64 processes, this will be 0).
#define PEB64_PCONTEXT_OFFSET
The PEB64 (Process Environment Block) context offset.
QWORD EprocessAddress
This will be the address of the ActiveProcess field.
GUEST_STATE gGuest
The current guest state.
static BOOLEAN IsPeb64Write(PWIN_PROCESS_OBJECT Process, QWORD Address, DWORD Size, DWORD PebSize)
This function checks if the current injection targets the PEB64 (Process Environment Block) structure...
Exposes the function used to perform initialization checks on Windows processes.
#define INT_STATUS_INVALID_PARAMETER_1
#define INT_STATUS_INVALID_PARAMETER_2
This structure describes a running process inside the guest.