Bitdefender Hypervisor Memory Introspection
|
#include "winvad.h"
#include "hook.h"
#include "processor.h"
#include "swapmem.h"
#include "winprocesshp.h"
#include "shellcode.h"
#include "winummodule.h"
#include "winthread.h"
#include "exceptions.h"
#include "alerts.h"
#include "scan_engines.h"
#include "winnet.h"
Go to the source code of this file.
Macros | |
#define | VAD_SEARCH_LIMIT 1000 |
The maximum number of tries to make when searching for a VAD inside the guest. More... | |
#define | MAX_VAD_EXECS 64u |
The maximum number of execution from a VAD that Introcore will take into consideration. More... | |
#define | VAD_SHORT_FIELD_PTR(type_, ptr_, field_) (type_ *)((BYTE *)(ptr_) + WIN_KM_FIELD(VadShort, field_)) |
Gives a pointer to a field of a _MMVAD_SHORT structure. More... | |
#define | VAD_LONG_FIELD_PTR(type_, ptr_, field_) (type_ *)((BYTE *)(ptr_) + WIN_KM_FIELD(VadLong, field_)) |
Gives a pointer to a field of a _MMVAD_LONG structure. More... | |
#define | VadShortByte(ptr_, field_) *VAD_SHORT_FIELD_PTR(BYTE, ptr_, field_) |
Reads a byte from a VAD short buffer. More... | |
#define | VadShortWord(ptr_, field_) *VAD_SHORT_FIELD_PTR(WORD, ptr_, field_) |
Reads a word from a VAD short buffer. More... | |
#define | VadShortDword(ptr_, field_) *VAD_SHORT_FIELD_PTR(DWORD, ptr_, field_) |
Reads a dword from a VAD short buffer. More... | |
#define | VadShortQword(ptr_, field_) *VAD_SHORT_FIELD_PTR(QWORD, ptr_, field_) |
Reads a qword from a VAD short buffer. More... | |
#define | VadShortPtrSize(ptr_, field_) gGuest.Guest64 ? VadShortQword(ptr_, field_) : VadShortDword(ptr_, field_) |
Reads a guest pointer from a VAD short buffer. More... | |
#define | VadShortAnySize(size_, ptr_, field_) |
Reads a certain size from a VAD short buffer. More... | |
#define | MAX_LEVEL 64 |
Functions | |
static INTSTATUS | IntWinVadHandleInsertGeneric (WIN_PROCESS_OBJECT *Process, QWORD VadAddress, BOOLEAN StaticScan, VAD **Vad) |
Handles the insertion of a VAD into a process VAD tree. More... | |
static BYTE * | IntWinVadMapShortVad (QWORD Gva) |
Maps a _MMVAD_SHORT structure inside Introcore. More... | |
static BOOLEAN | IntWinVadIsProbablyNaCl (VAD const *Vad) |
Checks if a VAD is used by the Chrome's NaCl mechanism. More... | |
static BOOLEAN | IntWinVadIsProbablyDominoJava (VAD const *Vad) |
Checks if a VAD is used by Domino Java. More... | |
static INTSTATUS | IntWinVadRemoveRange (VAD *Vad, QWORD StartPage, QWORD EndPage) |
Removes a memory range from a VAD. More... | |
static INTSTATUS | IntWinVadRemoveAllPages (VAD *Vad) |
Removes all pages from a VAD. More... | |
void | IntWinVadDestroyObject (VAD **Vad) |
Frees a VAD and all the resources held by it. More... | |
static void | IntWinVadRbTreeNodeFree (RBNODE *Node) |
The node free callback used by the WIN_PROCESS_OBJECT.VadTree tree. More... | |
static int | IntWinVadRbTreeNodeCompare (RBNODE const *Left, RBNODE const *Right) |
The node compare callback used by the WIN_PROCESS_OBJECT.VadTree tree. More... | |
static int | IntWinVadRbTreeNodeCompareVa (RBNODE const *Node, void *Key) |
Custom compare function for a VAD RBTREE. This will compare VADs against a given guest virtual address. More... | |
static int | IntWinVadRbTreeNodeCompareBases (RBNODE const *Node, void *Key) |
Custom compare function for a VAD RBTREE. This will compare a VAD start page with a given guest virtual address. More... | |
void | IntWinVadProcessInit (WIN_PROCESS_OBJECT *Process) |
Initializes a WIN_PROCESS_OBJECT.VadTree. More... | |
static DWORD | IntWinVadVmProtectionToIntroProtection (DWORD VmProtection) |
Converts Windows memory protection constants to Introcore protection flags. More... | |
static DWORD | IntWinVadVadProtectionToIntroProtection (WIN_VAD_PROT VadProtection) |
Converts Windows VAD protection rights to Introcore protection rights. More... | |
static DWORD | IntWinVadVadProtectionToVmProtection (WIN_VAD_PROT VadProtection) |
Converts Windows VAD protection rights to a Windows memory protection constant. More... | |
VAD * | IntWinVadFindByVa (WIN_PROCESS_OBJECT *Process, QWORD Va) |
Finds a VAD that contains a given guest virtual address. More... | |
static VAD * | IntWinVadFindByRange (PWIN_PROCESS_OBJECT Process, QWORD StartPage, QWORD EndPage) |
Finds a VAD by the range it maps. More... | |
static PVAD | IntWinVadFindByBase (PWIN_PROCESS_OBJECT Process, QWORD Base) |
Finds a VAD by the start of the virtual address range it represents. More... | |
static INTSTATUS | IntWinVadAdjustRange (VAD *Vad, QWORD NewStartPage, QWORD NewEndPage) |
Modifies the range of pages owned by a VAD. More... | |
static INTSTATUS | IntWinVadIsExecSuspicious (WIN_PROCESS_OBJECT *Process, QWORD VirtualAddress, QWORD PhysicalAddress, INTRO_ACTION *Action) |
Handle code execution from a memory page. More... | |
static INTSTATUS | IntWinVadHandlePageExecution (VAD_PAGE *Context, void const *Hook, QWORD Address, INTRO_ACTION *Action) |
Handles execution attempts from a page owned by a monitored VAD. More... | |
static INTSTATUS | IntWinVadHandleFilePathInMemory (VAD *Context, QWORD Cr3, QWORD VirtualAddress, QWORD PhysicalAddress, void *Data, DWORD DataSize, DWORD Flags) |
Handles the swap-in of a file path taken from a Windows VAD structure. More... | |
INTSTATUS | IntWinVadRemoveProcessTree (WIN_PROCESS_OBJECT *Process) |
Removes the VAD tree from a process. More... | |
static INTSTATUS | IntWinVadFetchVadFromMemory (QWORD VadGva, VAD *Vad, BOOLEAN FailOnCorruptRange) |
Reads a _MMVAD structure from the Windows kernel and creates a corresponding VAD structure. More... | |
static INTSTATUS | IntWinVadFetchImageName (VAD *Vad) |
Reads the path of the image file mapped by a _MMVAD_LONG structure. More... | |
static INTSTATUS | IntWinVadCreateObject (WIN_PROCESS_OBJECT *Process, QWORD VadGva, VAD **Vad, BOOLEAN StaticScan) |
Creates and initializes a VAD structure. More... | |
INTSTATUS | IntWinVadShortDump (QWORD VadNodeGva, DWORD Level, void *Context) |
Prints a _MMVAD_SHORT structure. More... | |
BOOLEAN | IntWinVadDump (VAD const *Vad, void *Context) |
Prints a VAD structure. More... | |
static BOOLEAN | IntWinVadRemoveRanges (VAD *Vad, void *Context) |
Removes all pages from a VAD. More... | |
void | IntWinVadStopExploitMonitor (WIN_PROCESS_OBJECT *Process) |
Disables the exploit monitoring for a process. More... | |
QWORD | IntWinVadFindNodeInGuestSpace (QWORD VadRoot, QWORD StartPage, QWORD EndPage, DWORD Level, QWORD OldStartPage, BOOLEAN LastBranchRight) |
Searches for a VAD node inside a guest VAD tree. More... | |
INTSTATUS | IntWinVadInOrderRecursiveTraversal (QWORD VadNodeGva, DWORD Level, PFUNC_WinVadTraversalCallback Callback, void *Context) |
Traverses a guest VAD tree. More... | |
INTSTATUS | IntWinVadWalkTree (PWIN_PROCESS_OBJECT Process, PFUNC_RbTreeWalkCallback Callback) |
Walks the VAD tree of a process. More... | |
static PVAD | IntWinVadRescanVad (WIN_PROCESS_OBJECT *Process, QWORD StartPage, QWORD EndPage) |
Searches for a VAD inside the guest tree and inserts it into our VAD tree. More... | |
VAD * | IntWinVadFindAndUpdateIfNecessary (WIN_PROCESS_OBJECT *Process, QWORD StartHint, QWORD LengthHint) |
Searches for a VAD in the Introcore VAD tree. If no VAD is found, or if the found one does not fully contain the searched range, it will re-scan the guest tree in order to find a matching VAD. If the VAD is taken from the guest, it is inserted in the VAD tree of the given process. More... | |
static INTSTATUS | IntWinVadHandleProtectGeneric (WIN_PROCESS_OBJECT *Process, QWORD StartPage, QWORD EndPage, DWORD VmProtection, BOOLEAN AtInsertion) |
Handles a VAD protection change. More... | |
static INTSTATUS | IntWinVadReimportProcessTree (WIN_PROCESS_OBJECT *Process) |
Re-scans and re-imports the VAD tree of a process. More... | |
static INTSTATUS | IntWinVadHandleDeleteGeneric (WIN_PROCESS_OBJECT *Process, QWORD StartPage, QWORD EndPage, DWORD Level) |
Handles the deletion of a VAD or of memory range from a VAD. More... | |
static INTSTATUS | IntWinVadStaticInsertNodeIntoProcess (QWORD VadNodeGva, DWORD Level, WIN_PROCESS_OBJECT *Process) |
Inserts a VAD found by a memory scan inside a Introcore process VAD tree. More... | |
INTSTATUS | IntWinVadImportProcessTree (WIN_PROCESS_OBJECT *Process) |
Scans the guest VAD tree and imports the nodes into our VAD tree. More... | |
INTSTATUS | IntWinVadHandleInsert (void const *Detour) |
The detour handler that will be invoked when the guest inserts a new VAD in the tree.This is the detour handler for the MiInsertVad guest API. More... | |
INTSTATUS | IntWinVadHandleInsertPrivate (void const *Detour) |
The detour handler that will be invoked when the guest inserts a new VAD in the tree.This is the detour handler for the MiInsertPrivateVad guest API. More... | |
INTSTATUS | IntWinPatchVadHandleCommit (QWORD FunctionAddress, API_HOOK_HANDLER *Handler, void *Descriptor) |
This is the PFUNC_PreDetourCallback for the MiCommitExistingVad guest API detour.It will be invoked before the detour is placed inside the guest and will patch the detour handler with the values of winKmFieldPcrCurrentThread, winKmFieldThreadAttachedProcess, winKmFieldThreadProcess, and winKmFieldProcessSpare. For 32-bit kernels it will also patch the stack location at which the VmProtection parameter is located. More... | |
INTSTATUS | IntWinVadHandleCommit (void const *Detour) |
The detour handler that will be invoked when an existing VAD is committed by the guest.This is the detour handler for the MiCommitExistingVad guest API. Due to the way we ignore certain VADs, this can be invoked either when protection is changed for a known VAD, in which case we have to adjust our protection; or, when protection is changed for a previously unknown VAD in a way that makes it relevant for Introcore, in which case we treat as a newly created VAD. More... | |
INTSTATUS | IntWinVadHandleInsertMap (void const *Detour) |
The detour handler that will be invoked when a VAD is inserted in the guest VAD tree.This is the detour handler for the MiGetWsAndInsertVad guest API. More... | |
INTSTATUS | IntWinVadHandleDeleteVaRange (void const *Detour) |
The detour handler that will be invoked when a memory range contained by a VAD is deleted.This is the detour handler for the MiDeleteVirtualAddresses guest API. More... | |
INTSTATUS | IntWinVadHandleFinishVadDeletion (void const *Detour) |
The detour handler that will be invoked when a memory range contained by a VAD is deleted.This is the detour handler for the MiFinishVadDeletion guest API. More... | |
INTSTATUS | IntWinVadHandleVirtualProtect (void const *Detour) |
The detour handler that will be invoked when a memory range contained by a VAD has the protection rights changed.This is the detour handler for the MiProtectVirtualMemory guest API, which usually gets called as a result of a user-mode application calling an API like VirtualProtect. More... | |
BOOLEAN | IntWinVadIsInTree (const VAD *Vad) |
Checks if a VAD is inserted in a guest VAD tree. More... | |
INTSTATUS | IntWinVadPatchInsertPrivate (QWORD FunctionAddress, API_HOOK_HANDLER *Handler, void *Descriptor) |
This is the PFUNC_PreDetourCallback for the MiInsertPrivateVad guest API detour.It will be invoked before the detour is placed inside the guest and will patch the detour handler with the value of winKmFieldProcessSpare. More... | |
INTSTATUS | IntWinVadPatchInsertMap (QWORD FunctionAddress, API_HOOK_HANDLER *Handler, void *Descriptor) |
This is the PFUNC_PreDetourCallback for the MiGetWsAndInsertVad guest API detour.It will be invoked before the detour is placed inside the guest and will patch the detour handler with the value of winKmFieldProcessSpare. More... | |
INTSTATUS | IntWinVadPatchVirtualProtect (QWORD FunctionAddress, API_HOOK_HANDLER *Handler, void *Descriptor) |
This is the PFUNC_PreDetourCallback for the MiProtectVirtualMemory guest API detour.It will be invoked before the detour is placed inside the guest and will patch the detour handler with the value of winKmFieldProcessSpare. More... | |
INTSTATUS | IntWinVadPatchDeleteVaRange (QWORD FunctionAddress, API_HOOK_HANDLER *Handler, void *Descriptor) |
This is the PFUNC_PreDetourCallback for the MiDeleteVirtualAddresses guest API detour.It will be invoked before the detour is placed inside the guest and will patch the detour handler with the value of winKmFieldProcessSpare. More... | |
INTSTATUS | IntWinVadPatchFinishVadDeletion (QWORD FunctionAddress, API_HOOK_HANDLER *Handler, void *Descriptor) |
This is the PFUNC_PreDetourCallback for the MiFinishVadDeletion guest API detour.It will be invoked before the detour is placed inside the guest and will patch the detour handler with the value of winKmFieldProcessSpare. More... | |
INTSTATUS | IntWinVadPatchInsert (QWORD FunctionAddress, API_HOOK_HANDLER *Handler, void *Descriptor) |
This is the PFUNC_PreDetourCallback for the MiInsertVad guest API detour.It will be invoked before the detour is placed inside the guest and will patch the detour handler with the value of winKmFieldProcessSpare. More... | |
INTSTATUS | IntWinVadProcImportMainModuleVad (WIN_PROCESS_OBJECT *Process) |
Imports the VAD that describes the main module of a process. More... | |
INTSTATUS | IntWinVadFetchByRange (QWORD VadRoot, QWORD StartPage, QWORD EndPage, VAD *Vad) |
Fetches and returns a VAD object containing the range represented by [StartPage, EndPage]. More... | |
#define MAX_LEVEL 64 |
Referenced by IntWinVadInOrderRecursiveTraversal().
#define MAX_VAD_EXECS 64u |
The maximum number of execution from a VAD that Introcore will take into consideration.
Definition at line 21 of file winvad.c.
Referenced by IntWinVadHandleProtectGeneric().
#define VAD_LONG_FIELD_PTR | ( | type_, | |
ptr_, | |||
field_ | |||
) | (type_ *)((BYTE *)(ptr_) + WIN_KM_FIELD(VadLong, field_)) |
Gives a pointer to a field of a _MMVAD_LONG structure.
[in] | type_ | The type of the field. |
[in] | ptr_ | The pointer to the base of the VAD. This is the start of the buffer in which the VAD structure was read. The buffer should be large enough for the requested field to be inside it. |
[in] | field_ | The name of the field. This is the same name that would be used for the WIN_KM_FIELD macro. |
#define VAD_SEARCH_LIMIT 1000 |
The maximum number of tries to make when searching for a VAD inside the guest.
Definition at line 19 of file winvad.c.
Referenced by IntWinVadFetchByRange(), IntWinVadFindNodeInGuestSpace(), IntWinVadHandleProtectGeneric(), and IntWinVadRescanVad().
#define VAD_SHORT_FIELD_PTR | ( | type_, | |
ptr_, | |||
field_ | |||
) | (type_ *)((BYTE *)(ptr_) + WIN_KM_FIELD(VadShort, field_)) |
Gives a pointer to a field of a _MMVAD_SHORT structure.
[in] | type_ | The type of the field. |
[in] | ptr_ | The pointer to the base of the VAD. This is the start of the buffer in which the VAD structure was read (for example, the pointer returned by IntWinVadMapShortVad). The buffer should be large enough for the requested field to be inside it. |
[in] | field_ | The name of the field. This is the same name that would be used for the WIN_KM_FIELD macro. |
#define VadShortAnySize | ( | size_, | |
ptr_, | |||
field_ | |||
) |
Reads a certain size from a VAD short buffer.
[in] | size_ | Size to read. Valid sizes are 1, 2, 4, or 8. For other sizes memcpy is better suited. No checks are done on the size. |
[in] | ptr_ | The pointer to the base of the VAD. This is the start of the buffer in which the VAD structure was read (for example, the pointer returned by IntWinVadMapShortVad). The buffer should be large enough for the requested field to be inside it. |
[in] | field_ | The name of the field. This is the same name that would be used for the WIN_KM_FIELD macro. |
Definition at line 151 of file winvad.c.
Referenced by IntWinVadFetchVadFromMemory().
#define VadShortByte | ( | ptr_, | |
field_ | |||
) | *VAD_SHORT_FIELD_PTR(BYTE, ptr_, field_) |
Reads a byte from a VAD short buffer.
This is useful for reading _MMVAD_SHORT fields that have a size of a BYTE.
[in] | ptr_ | The pointer to the base of the VAD. This is the start of the buffer in which the VAD structure was read (for example, the pointer returned by IntWinVadMapShortVad). The buffer should be large enough for the requested field to be inside it. |
[in] | field_ | The name of the field. This is the same name that would be used for the WIN_KM_FIELD macro. |
Definition at line 90 of file winvad.c.
Referenced by IntWinVadFetchVadFromMemory().
#define VadShortDword | ( | ptr_, | |
field_ | |||
) | *VAD_SHORT_FIELD_PTR(DWORD, ptr_, field_) |
Reads a dword from a VAD short buffer.
This is useful for reading _MMVAD_SHORT fields that have a size of a DWORD.
[in] | ptr_ | The pointer to the base of the VAD. This is the start of the buffer in which the VAD structure was read (for example, the pointer returned by IntWinVadMapShortVad). The buffer should be large enough for the requested field to be inside it. |
[in] | field_ | The name of the field. This is the same name that would be used for the WIN_KM_FIELD macro. |
Definition at line 114 of file winvad.c.
Referenced by IntWinVadFetchVadFromMemory().
#define VadShortPtrSize | ( | ptr_, | |
field_ | |||
) | gGuest.Guest64 ? VadShortQword(ptr_, field_) : VadShortDword(ptr_, field_) |
Reads a guest pointer from a VAD short buffer.
This is useful for reading _MMVAD_SHORT fields that have the size of a guest pointer (GUEST_STATE.WordSize). This means that it will read either a DWORD or a QWORD.
[in] | ptr_ | The pointer to the base of the VAD. This is the start of the buffer in which the VAD structure was read (for example, the pointer returned by IntWinVadMapShortVad). The buffer should be large enough for the requested field to be inside it. |
[in] | field_ | The name of the field. This is the same name that would be used for the WIN_KM_FIELD macro. |
Definition at line 139 of file winvad.c.
Referenced by IntWinVadFetchVadFromMemory().
#define VadShortQword | ( | ptr_, | |
field_ | |||
) | *VAD_SHORT_FIELD_PTR(QWORD, ptr_, field_) |
Reads a qword from a VAD short buffer.
This is useful for reading _MMVAD_SHORT fields that have a size of a QWORD.
[in] | ptr_ | The pointer to the base of the VAD. This is the start of the buffer in which the VAD structure was read (for example, the pointer returned by IntWinVadMapShortVad). The buffer should be large enough for the requested field to be inside it. |
[in] | field_ | The name of the field. This is the same name that would be used for the WIN_KM_FIELD macro. |
Definition at line 126 of file winvad.c.
Referenced by IntWinVadFetchVadFromMemory().
#define VadShortWord | ( | ptr_, | |
field_ | |||
) | *VAD_SHORT_FIELD_PTR(WORD, ptr_, field_) |
Reads a word from a VAD short buffer.
This is useful for reading _MMVAD_SHORT fields that have a size of a WORD.
[in] | ptr_ | The pointer to the base of the VAD. This is the start of the buffer in which the VAD structure was read (for example, the pointer returned by IntWinVadMapShortVad). The buffer should be large enough for the requested field to be inside it. |
[in] | field_ | The name of the field. This is the same name that would be used for the WIN_KM_FIELD macro. |
Modifies the range of pages owned by a VAD.
This can happen when the guest deletes part of a VAD. In that case we remove the VAD_PAGE structures allocated for that range and we shrink the VAD.VadPages array and will adjust VAD.PageCount, VAD.StartPage, and VAD.EndPage.
The [NewStartPage, NewEndPage] range is inclusive. All the pages that are not in this range will be removed. The range must be included in the current [VAD.StartPage, VAD.EndPage] range.
[in,out] | Vad | The VAD to adjust. |
[in] | NewStartPage | The new VAD.StartPage value. |
[out] | NewEndPage | The new VAD.EndPage value. |
INT_STATUS_SUCCESS | in case of success. |
INT_STATUS_INSUFFICIENT_RESOURCES | if the new VAD.VadPages array can not be allocated. |
Definition at line 695 of file winvad.c.
Referenced by IntWinVadHandleDeleteGeneric().
|
static |
Creates and initializes a VAD structure.
The VAD is initialized using IntWinVadFetchVadFromMemory. If the type of the VAD is VadImageMap the path of the image will be obtained with IntWinVadFetchImageName. If the type is not VadNone, or VadImageMap, or VadWriteWatch, the VAD is ignored.
[in] | Process | The process that owns the VAD. |
[in] | VadGva | The guest virtual address of the _MMVAD structure. |
[out] | Vad | On success, and if the VAD is not ignored, will contain a pointer to the allocated and initialized VAD structure. The caller must free this VAD and release any resources held by it using IntWinVadDestroyObject. |
[in] | StaticScan | True if this VAD was discovered by a static scan, instead of being discovered when it was created. |
INT_STATUS_SUCCESS | in case of success. This is the only case in which Vad will not point to NULL. |
INT_STATUS_NOT_NEEDED_HINT | if the VAD is ignored. |
INT_STATUS_INSUFFICIENT_RESOURCES | if not enough memory is available. |
Definition at line 1585 of file winvad.c.
Referenced by IntWinVadHandleInsertGeneric(), and IntWinVadProcImportMainModuleVad().
void IntWinVadDestroyObject | ( | VAD ** | Vad | ) |
Frees a VAD and all the resources held by it.
This will remove any pending IntSwapMemReadData transactions, will remove all the VAD_PAGE structures for the VAD, and if this VAD maps a module, that module will be unloaded, as well as dereferencing the WINUM_PATH cache entry.
[in,out] | Vad | Holds a pointer to the VAD to be destroyed. On return, this will point to NULL. |
Definition at line 285 of file winvad.c.
Referenced by IntWinProcRemoveProcess(), IntWinVadHandleDeleteGeneric(), IntWinVadHandleInsertGeneric(), and IntWinVadRbTreeNodeFree().
Prints a VAD structure.
[in] | Vad | Pointer to the structure to be printed. |
[in] | Context | Ignored. |
False | if Vad is NULL; otherwise True. |
Definition at line 1706 of file winvad.c.
Referenced by IntWinProcDump(), and IntWinProcDumpVads().
Fetches and returns a VAD object containing the range represented by [StartPage, EndPage].
Note: The VAD is just completed with the relevant information, there's no need to call IntWinVadDestroyObject on the returned VAD.
[in] | VadRoot | The vad root from where to start the search. It is read from the guest, as the VadRoot field in the EPROCESS structure. |
[in] | StartPage | The page which represents the start of the range that must be contained in the returned VAD. |
[in] | EndPage | The page which represents the end of the range that must be contained in the returned VAD. |
[out] | Vad | The returned VAD object. |
INT_STATUS_SUCCESS | On success. |
INT_STATUS_INVALID_PARAMETER_1 | If the given VadRoot is equal to 0. |
INT_STATUS_INVALID_PARAMETER_4 | If the given VAD object is NULL. |
INT_STATUS_NOT_FOUND | If there is no such VAD in the tree represented by the given root such that it contains [StartPage, EndPage]. |
Definition at line 3877 of file winvad.c.
Referenced by IntWinDpiValidateThreadStart(), and IntWinStackHandleUserStackPagedOut().
Reads the path of the image file mapped by a _MMVAD_LONG structure.
IntSwapMemReadData is used to read the path, so it will not be available until IntWinVadHandleFilePathInMemory will be invoked.
[in,out] | Vad | The VAD for which to read the image name. This must already be initialized by IntWinVadFetchVadFromMemory. |
Definition at line 1478 of file winvad.c.
Referenced by IntWinVadCreateObject().
|
static |
Reads a _MMVAD structure from the Windows kernel and creates a corresponding VAD structure.
This function does not initialize any fields related to the optional VAD.Path field. For that, the IntWinVadFetchImageName function must be used.
[in] | VadGva | The guest virtual address of the _MMVAD structure. |
[out] | Vad | On success, will be initialized with the relevant information about the VAD, except the Path. |
[in] | FailOnCorruptRange | Exit with an error if the range described by StartPage and EndPage is not a valid range (EndPage must not be less than StartPage). |
INT_STATUS_SUCCESS | in case of success. |
INT_STATUS_INSUFFICIENT_RESOURCES | if the VAD structure could not be mapped. |
INT_STATUS_INVALID_DATA_STATE | if FailOnCorruptRange is TRUE, and the range described by StartPage and EndPage is not valid. |
Definition at line 1375 of file winvad.c.
Referenced by IntWinVadCreateObject(), IntWinVadFetchByRange(), IntWinVadFindNodeInGuestSpace(), IntWinVadInOrderRecursiveTraversal(), IntWinVadIsInTree(), and IntWinVadShortDump().
VAD* IntWinVadFindAndUpdateIfNecessary | ( | WIN_PROCESS_OBJECT * | Process, |
QWORD | StartHint, | ||
QWORD | LengthHint | ||
) |
Searches for a VAD in the Introcore VAD tree. If no VAD is found, or if the found one does not fully contain the searched range, it will re-scan the guest tree in order to find a matching VAD. If the VAD is taken from the guest, it is inserted in the VAD tree of the given process.
[in] | Process | The process for which the search is done. |
[in] | StartHint | The start page of the range by which to search for the VAD. |
[in] | LengthHint | The length of the range by which to search for the VAD. The last page in the range will be StartHint + LengthHint -1, rounded down to page size. |
Definition at line 2122 of file winvad.c.
Referenced by IntExceptGetVictimProcess(), and IntWinProcHandleCopyMemory().
|
static |
Finds a VAD by the start of the virtual address range it represents.
The [StartPage, EndPage] range is inclusive.
[in] | Process | The process that owns the VAD tree in which the search is done. |
[in] | Base | The base of the virtual address range. |
|
static |
Finds a VAD by the range it maps.
The [StartPage, EndPage] range is inclusive.
[in] | Process | The process that owns the VAD tree in which the search is done. |
[in] | StartPage | The first page in the searched range. |
[in] | EndPage | The last page in the searched range. |
Definition at line 629 of file winvad.c.
Referenced by IntWinVadFindAndUpdateIfNecessary(), IntWinVadHandleDeleteGeneric(), IntWinVadHandleInsertGeneric(), and IntWinVadHandleProtectGeneric().
VAD* IntWinVadFindByVa | ( | WIN_PROCESS_OBJECT * | Process, |
QWORD | Va | ||
) |
Finds a VAD that contains a given guest virtual address.
[in] | Process | The process that owns the VAD tree in which the search is done. |
[in] | Va | The VA for which the search is done. |
Definition at line 602 of file winvad.c.
Referenced by IntWinVadHandleCommit().
QWORD IntWinVadFindNodeInGuestSpace | ( | QWORD | VadRoot, |
QWORD | StartPage, | ||
QWORD | EndPage, | ||
DWORD | Level, | ||
QWORD | OldStartPage, | ||
BOOLEAN | LastBranchRight | ||
) |
Searches for a VAD node inside a guest VAD tree.
This performs an in-order recursive traversal of the guest VAD tree.
The [StartPage, EndPage] range is inclusive.
[in] | VadRoot | The root of the VAD tree. This is usually the value of the VadRoot field of an _EPROCESS structure. |
[in] | StartPage | The first page of the searched VAD. |
[in] | EndPage | The last page of the searched VAD. |
[in] | Level | The level for which this function is invoked. Should be 0 when starting a new search. |
[in] | OldStartPage | The start page for the VAD at the previous level. Should be 0 when starting a new search. |
[in] | LastBranchRight | True if the last branch taken was the right one. Should be False when starting a new search. |
Definition at line 1825 of file winvad.c.
Referenced by DbgVadFind(), IntWinVadFetchByRange(), IntWinVadHandleProtectGeneric(), IntWinVadProcImportMainModuleVad(), and IntWinVadRescanVad().
|
static |
Handles the deletion of a VAD or of memory range from a VAD.
This is the common handler for these changes and it should be invoked after the OS-specific handler gathers the needed information from the guest.
The [StartPage, EndPage] range is inclusive.
The function will attempt to find a VAD by the provided range. If no VAD is found nothing is done. This is expected since we ignore certain VAD types, but we may still receive deletion events for them.
When a VAD is found there are 4 possible cases:
Due to the way IntWinVadFindByRange works, we will always be in a case in which [StartPage, EndPage] are included inside the VAD, and we can not expect for StartPage to be lower than VAD.StartPage, or EndPage to be higher than VAD.EndPage.
[in,out] | Process | The process that owns the deleted VAD. |
[in] | StartPage | The start of the deleted memory range. |
[in] | EndPage | The last page in the deleted memory range. |
[in] | Level | The number of times this function recursed. Should be 0 when invoked to delete a range. If Level is higher than 1 the function bails out. |
INT_STATUS_SUCCESS | in case of success. |
INT_STATUS_INVALID_PARAMETER_4 | if Level is greater or equal to 2. |
INT_STATUS_INVALID_PARAMETER_2 | if End page is less than StartPage. |
Definition at line 2419 of file winvad.c.
Referenced by IntWinVadHandleDeleteVaRange(), IntWinVadHandleFinishVadDeletion(), and IntWinVadHandleInsertGeneric().
|
static |
Handles the swap-in of a file path taken from a Windows VAD structure.
This is the IntSwapMemReadData callback set by IntWinVadFetchImageName for the path to the image mapped by a long VAD. After this function returns, VAD.PathSwapHandle will be set to NULL.
[in] | Context | The VAD from which the path is obtained. |
[in] | Cr3 | The CR3 in which the swap-in was made. Ignored. |
[in] | VirtualAddress | The guest virtual address from which Data is read. Ignored. |
[in] | PhysicalAddress | The guest physical address to which VirtualAddress translates to. Ignored. |
[in] | Data | Data obtained from the guest. This will be the path. |
[in] | DataSize | The size of the Data buffer. |
[in] | Flags | Ignored. |
Definition at line 1308 of file winvad.c.
Referenced by IntWinVadFetchImageName().
|
static |
Handles the insertion of a VAD into a process VAD tree.
This is the common handler for these changes and it should be invoked after the OS-specific handler gathers the needed information from the guest.
If WIN_PROCESS_OBJECT.MonitorVad is False we do not insert the VAD in the VAD tree and do not monitor it. This can happen when we initially protect a process, but after we obtain its main module path we decide to remove that protection.
When importing an entire VAD tree we may race with the guest: some threads may be freeing memory in the process while we import the tree. The main problem with this is that if parts of that freed memory are reused, when a VAD is created we will fail to insert it into our VAD tree because it overlaps with an existing one. The solution is to delete any overlapping VADs. Note that protecting a freed VAD should have no impact because if that memory is not reused we will only place a hook on their corresponding page table entries, which should not have an impact as those will be unused until the VAs are reallocated, in which case we will delete the old hooks anyway. In theory, for each page in a new VAD there can be an overlapping VAD, so we try to insert the new VAD as many times as there are pages in it.
If needed, the VAD is monitored using IntWinVadHandleProtectGeneric.
[in,out] | Process | The process that owns the VAD. |
[in] | VadAddress | The guest virtual address of the _MMVAD structure. |
[in] | StaticScan | True if this VAD was discovered by a memory scan instead of being discovered when it was created. |
[out] | Vad | On success, will contain a pointer to the new VAD structure. May be NULL. |
Definition at line 2566 of file winvad.c.
Referenced by IntWinVadHandleCommit(), IntWinVadHandleInsert(), IntWinVadHandleInsertMap(), IntWinVadHandleInsertPrivate(), IntWinVadHandleProtectGeneric(), IntWinVadRescanVad(), and IntWinVadStaticInsertNodeIntoProcess().
|
static |
Handles execution attempts from a page owned by a monitored VAD.
This is the EPT handler set by IntWinVadHandleProtectGeneric for protected VADs.
It uses IntWinVadIsExecSuspicious to decide if the code the guest attempted to execute is malicious or not. If the execution should be blocked and the PROC_OPT_KILL_ON_EXPLOIT protection flag is set for the current process, the process will be killed by injecting a #UD in its context and Action will be set to introGuestRetry, not introGuestNotAllowed. This is because we want the instruction to be retried by the guest, so that the invalid opcode exception can be delivered for the RIP that generated the violation. If the flag is not set, the execution will be blocked by skipping the current instruction. This means that for pages with malicious instructions the guest will generate one exit for every instruction. This can cause serious performance problems.
If the execution is allowed the hook is removed. Since we analyze multiple instructions in the page this is OK, as on the following exits the same code will be analyzed again.
While the process could have an exception handler set and catch the EXCEPTION_ILLEGAL_INSTRUCTION that will be forwarded by the kernel to the process, this is not a problem, as the page will still be hooked and further attempts of executing from it will end up back here - essentially blocking the execution even if the #UD does not kill the process.
However, there is an issue with this blocking mechanism. The probability of it happening seems extremely low, but at least theoretically this chain of events is possible:
In theory, it is possible for step 3 to happen each and every time, causing an infinite loop and making the guest look like it hanged.
Just because IntInjectExceptionInGuest succeeded,it does not mean that the exception will actually be injected now, as other exceptions, with a higher priority, may be waiting to be injected. After the guest resumes execution we will be notified about this via the PFUNC_IntEventInjectionCallback mechanism. This does not mean that the execution attempt will succeed, as the guest will be retrying the same instruction and we will handle it again. But it can generate multiple alerts for the same action, and that can be confusing. So we keep a list of injected #UDs, identified by: the process CR3, the RIP from which the guest attempted the execution, the guest virtual address of the _ETHREAD structure for the thread that attempted the execution. See udlist.c for details about this list. On an execution attempt, before trying to analyze the code and before sending an alert, we check if we already tried to inject an #UD for the current context. If there is a previously failed injection we try it again, as the code could not have been modified in the meantime. When the injection succeeds, the entry is removed from the list.
Since shared memory pages can be executable, this poses a problem, as this callback will be invoked for each process that is protected with the PROC_OPT_PROT_EXPLOIT option. This is problematic for a series of reasons: first, we want to send only one alert for the process that actually tried to execute from that page; second, we want to kill only the process that actually attempted the execution. However, we can't simply ignore the invocations done for processes that are not the current process, because if the page is clean we will end up removing the hook only for the current process, but the execution permissions in the EPT will remain unchanged, as multiple processes will have hooked it. In this case we want to analyze the page for every process and remove the hook as needed. However, in order to send the alert only once and to kill only the current process (if needed), the action block action will be taken only for the current process. Due to the way IntWinVadIsExecSuspicious works, the execution attempt will be logged more than once.
This becomes a bit more problematic when the page is shared between processes that are protected and processes that are not protected. If a process that is not protected attempts the execution we allow the action, but it will still trigger a EPT violation for every instruction in that page, which can slow down the guest.
[in] | Context | The page for which this callback was invoked. |
[in] | Hook | The hook for which this callback was invoked. Ignored. |
[in] | Address | The guest physical address from which the guest attempted the execution. |
[out] | Action | The action to be taken. |
Definition at line 1040 of file winvad.c.
Referenced by IntWinVadHandleProtectGeneric().
|
static |
Handles a VAD protection change.
This is the common handler for these changes and it should be invoked after the OS-specific handlers gathers the needed information from the guest.
It will update every page in the [StartPage, EndPage] range (the range is inclusive). The VAD_PAGE.RangeStart for each of these pages will be set to the minimum between the current RangeStart and the supplied StartPage; the VAD_PAGE.RangeEnd for each of these paged will be set to the maximum between the current RangeEnd and the supplied EndPage, in order to keep the ranges as large as possible.
If the guest adds the execution rights for these pages, we hook them against executions; if the right is removed we remove our hooks.
[in] | Process | The process for which the change is done. |
[in] | StartPage | The start of the modified range. |
[in] | EndPage | The end of the modified range. |
[in] | VmProtection | The Windows memory protection constant used for this range. See https://docs.microsoft.com/en-us/windows/win32/memory/memory-protection-constants |
[in] | AtInsertion | True if this function is called as a result of a new VAD being inserted in the guest VAD tree; False in all other situations (for example, as a result of a VirtualProtect call). This is used to determine if we should ignore this change, because a user mode program may request a protection change after a VAD is allocated, but if the NoChange flag is set, the kernel will ignore that request. |
INT_STATUS_SUCCESS | in case of success. |
INT_STATUS_INVALID_PARAMETER_MIX | if EndPage is lower than StartPage. |
INT_STATUS_INVALID_PARAMETER_2 | if StartPage is not inside the VAD. |
INT_STATUS_INVALID_PARAMETER_3 | if EndPage is not inside the VAD. |
INT_STATUS_NOT_INITIALIZED_HINT | if the VAD is not found neither in our tree, nor in the guest tree. This is not a problem, as user mode code can request protection changes for invalid address ranges. |
INT_STATUS_NOT_NEEDED_HINT | if this is a huge VAD, or a mapped executable file, or an attempt to change the protection for a VAD that has the NoChange flag set. |
INT_STATUS_INSUFFICIENT_RESOURCES | if not enough memory is available. |
Definition at line 2161 of file winvad.c.
Referenced by IntWinVadHandleCommit(), IntWinVadHandleInsertGeneric(), and IntWinVadHandleVirtualProtect().
INTSTATUS IntWinVadImportProcessTree | ( | WIN_PROCESS_OBJECT * | Process | ) |
Scans the guest VAD tree and imports the nodes into our VAD tree.
[in,out] | Process | The process for which the scan is done. On success, WIN_PROCESS_OBJECT.VadTree will be populated wit the relevant VADs. |
INT_STATUS_SUCCESS | in case of success. |
INT_STATUS_INVALID_PARAMETER_1 | if Process is NULL. |
INT_STATUS_NOT_NEEDED_HINT | if the process VAD root is not yet initialized. This means that the process does not have any VADs yet, and we will detect all the VADs we need dynamically when they are created. |
Definition at line 2768 of file winvad.c.
Referenced by IntWinProcChangeProtectionFlags(), and IntWinVadReimportProcessTree().
INTSTATUS IntWinVadInOrderRecursiveTraversal | ( | QWORD | VadNodeGva, |
DWORD | Level, | ||
PFUNC_WinVadTraversalCallback | Callback, | ||
void * | Context | ||
) |
Traverses a guest VAD tree.
This function is recursive and will call itself for every node in the tree, starting from VadNodeGva. The tree is traversed in order. Recursion is stopped after we go past level 64.
[in] | VadNodeGva | The guest virtual address of the node for which this function was called. When starting a new traversal this should be the root of the tree. |
[in] | Level | The level for which this function is called. It is used in order to know when to stop the traversal, for trees that seem to have more levels than we can handle. Should be 0 when starting a new search. |
[in] | Callback | Callback to be invoked for every node in the tree. Errors returned by this callback are not propagated back to the caller. |
[in] | Context | Optional context to be passed to Callback each time it is invoked. |
INT_STATUS_SUCCESS | in case of success. |
INT_STATUS_INVALID_PARAMETER_1 | if VadNodeGva is not a valid kernel pointer. |
INT_STATUS_INVALID_PARAMETER_3 | if Callback is NULL. |
Definition at line 1920 of file winvad.c.
Referenced by DbgDumpVadRoot(), and IntWinVadImportProcessTree().
|
static |
Handle code execution from a memory page.
This function will determine if the instruction execution inside the indicated page is caused by an exploit or not. The main indicators we look after are:
[in] | Process | The process which owns the page. |
[in] | VirtualAddress | The executed virtual address. |
[in] | PhysicalAddress | The executed physical address (VirtualAddress translates to it). |
[in] | Action | Desired action. |
INT_STATUS_SUCCESS | On success. |
INT_STATUS_INVALID_PARAMETER | If an invalid parameter is supplied. |
Definition at line 788 of file winvad.c.
Referenced by IntWinVadHandlePageExecution().
Checks if a VAD is inserted in a guest VAD tree.
This function checks that the node for the provided VAD has a valid parent, and that the parent it points to has the VAD either as the Left, or as the Right child.
[in] | Vad | The VAD that will be checked. |
True | if the VAD is inserted in a tree. |
False | if the VAD is not inserted in a tree. |
Definition at line 3437 of file winvad.c.
Referenced by IntModBlockHandlePreInjection(), and IntWinModHandlePreInjection().
Checks if a VAD is used by Domino Java.
Java IBM Domino VADs are ignored if their type is Private, protection is VAD_PROT_EXECUTE_READWRITE and the j9jit.dll is already loaded in the current process (the WIN_PROCESS_OBJECT.IsDominoJava flag is set).
[in] | Vad | The VAD structure to check. |
Definition at line 175 of file winvad.c.
Referenced by IntWinVadHandlePageExecution().
Checks if a VAD is used by the Chrome's NaCl mechanism.
[in] | Vad | The VAD structure to check. |
Definition at line 158 of file winvad.c.
Referenced by IntWinVadHandleInsertGeneric(), and IntWinVadHandleProtectGeneric().
Maps a _MMVAD_SHORT structure inside Introcore.
This maps the minimum size needed for Introcore to properly parse the VAD. This size is defined by CAMI, see winKmFieldVadShortSize.
[in] | Gva | Guest virtual address to map. No checks are done on this address. |
Definition at line 33 of file winvad.c.
Referenced by IntWinVadFetchVadFromMemory().
void IntWinVadProcessInit | ( | WIN_PROCESS_OBJECT * | Process | ) |
Initializes a WIN_PROCESS_OBJECT.VadTree.
This will call RbPreInit and RbInit for the tree and set IntWinVadRbTreeNodeFree as the RBTREE.NodeFree function and IntWinVadRbTreeNodeCompare as the RBTREE.NodeCompare function.
[in,out] | Process | The process for which the VAD tree will be initialized. |
Definition at line 462 of file winvad.c.
Referenced by IntWinProcCreateProcessObject().
INTSTATUS IntWinVadProcImportMainModuleVad | ( | WIN_PROCESS_OBJECT * | Process | ) |
Imports the VAD that describes the main module of a process.
[in,out] | Process | The process that owns the VAD. |
INT_STATUS_SUCCESS | in case of success. |
INT_STATUS_INVALID_PARAMETER_1 | if Process is NULL. |
Definition at line 3816 of file winvad.c.
Referenced by IntWinProcCreateProcessObject().
The node compare callback used by the WIN_PROCESS_OBJECT.VadTree tree.
This compares the ranges that two VADs map.
[in] | Left | First node to compare. |
[in] | Right | Second node to compare. |
-1 | if the range of the Left VAD is lower in memory than that of the Right VAD. |
1 | if the range of the Left VAD is higher in memory than tat of the Left VAD. |
0 | in all other cases. This means that the VADs overlap in some way, but a process can not have overlapping VADs, so this means that the Left and Right VADs are the same. |
Definition at line 356 of file winvad.c.
Referenced by IntWinVadProcessInit().
|
static |
Custom compare function for a VAD RBTREE. This will compare a VAD start page with a given guest virtual address.
[in] | Node | Node to be compared. |
[in] | Key | Key to compare against. In this case, the key is a guest virtual address. |
0 | if Key is the same as the VAD.StartPage. |
-1 | if the Key is lower in memory than the start of the memory range mapped by the VAD. |
1 | if the Key is higher in memory than the end of the memory range mapped by the VAD. |
Definition at line 427 of file winvad.c.
Referenced by IntWinVadFindByBase().
|
static |
Custom compare function for a VAD RBTREE. This will compare VADs against a given guest virtual address.
[in] | Node | Node to be compared. |
[in] | Key | Key to compare against. In this case, the key is a guest virtual address. |
0 | if Key is inside the memory range mapped by the VAD. |
-1 | if the Key is lower in memory than the start of the memory range mapped by the VAD. |
1 | if the Key is higher in memory than the end of the memory range mapped by the VAD. |
Definition at line 393 of file winvad.c.
Referenced by IntWinVadFindByVa().
|
static |
The node free callback used by the WIN_PROCESS_OBJECT.VadTree tree.
[in,out] | Node | Pointer to the node to be freed. |
Definition at line 340 of file winvad.c.
Referenced by IntWinVadProcessInit().
|
static |
Re-scans and re-imports the VAD tree of a process.
This will remove all entries in the current tree and re-create it.
[in,out] | Process | The process for which the re-import is done. |
Definition at line 2385 of file winvad.c.
Referenced by IntWinVadHandleDeleteGeneric().
Removes all pages from a VAD.
This unhooks and frees all the entries in the VAD.VadPages array and frees the array itself at the end.
[in,out] | Vad | The VAD for which the pages will be removed. |
Definition at line 253 of file winvad.c.
Referenced by IntWinVadDestroyObject(), and IntWinVadRemoveRanges().
INTSTATUS IntWinVadRemoveProcessTree | ( | WIN_PROCESS_OBJECT * | Process | ) |
Removes the VAD tree from a process.
[in,out] | Process | The process for which the tree is removed. |
INT_STATUS_SUCCESS | in case of success. |
INT_STATUS_INVALID_PARAMETER_1 | if Process is NULL. |
Definition at line 1351 of file winvad.c.
Referenced by IntWinProcChangeProtectionFlags(), and IntWinVadReimportProcessTree().
Removes a memory range from a VAD.
This will remove the execution hook for all the pages in the given range, and will free the VAD_PAGE structures for the given range. The [StartPage, EndPage] range is inclusive.
Errors encountered while unhooking the pages are logged, but are not propagated back to the caller.
[in,out] | Vad | The VAD for which the range is removed. |
[in] | StartPage | The first page in the VAD. |
[in] | EndPage | The last page in the VAD. |
INT_STATUS_SUCCESS | in case of success. |
INT_STATUS_NOT_NEEDED_HINT | if there are no pages allocated for this VAD. |
Definition at line 198 of file winvad.c.
Referenced by IntWinVadHandlePageExecution(), and IntWinVadRemoveAllPages().
Removes all pages from a VAD.
This is simply a wrapper over IntWinVadRemoveAllPages. We needed a wrapper in order to have the right type for RbWalkInorderTree.
[in,out] | Vad | The VAD for which the pages will be removed. |
[in] | Context | Ignored. |
False | if Vad is NULL; otherwise True. |
Definition at line 1781 of file winvad.c.
Referenced by IntWinVadStopExploitMonitor().
|
static |
Searches for a VAD inside the guest tree and inserts it into our VAD tree.
The [StartPage, EndPage] range is inclusive.
Since the guest is running while we're searching for the VAD, sometimes, modifications will take place inside the tree exactly when we're parsing it. This means that we could end up not finding this range, because, for example, a node above our searched node was removed. This can easily be mitigated by attempting several times to search for the VAD - usually, the VAD will be found in the second attempt. We limit this search to 1000 tries.
[in,out] | Process | The process for which the search is done. |
[in] | StartPage | The first page of the searched VAD. |
[in] | EndPage | The last page of the searched VAD. |
Definition at line 2058 of file winvad.c.
Referenced by IntWinVadFindAndUpdateIfNecessary().
Prints a _MMVAD_SHORT structure.
[in] | VadNodeGva | The guest virtual address of the _MMVAD_SHORT structure. |
[in] | Level | The level at which the node is located inside the VAD tree. |
[in] | Context | Ignored. |
Definition at line 1659 of file winvad.c.
Referenced by DbgDumpVadRoot().
|
static |
Inserts a VAD found by a memory scan inside a Introcore process VAD tree.
[in] | VadNodeGva | The guest virtual address of the VAD node in the guest VAD tree. |
[in] | Level | The level at which the node is found. |
[in,out] | Process | The process that owns the VAD. |
INT_STATUS_SUCCESS | in case of success. |
INT_STATUS_INVALID_PARAMETER_1 | if VadNodeGva is not a valid kernel pointer. |
INT_STATUS_NOT_NEEDED_HINT | if WIN_PROCESS_OBJECT.MonitorVad is False. While walking the guest VAD tree, we may decide to remove the protection of this process, based on the process main module, in which case we no longer care about the VADs. |
Definition at line 2718 of file winvad.c.
Referenced by IntWinVadImportProcessTree().
void IntWinVadStopExploitMonitor | ( | WIN_PROCESS_OBJECT * | Process | ) |
Disables the exploit monitoring for a process.
[in,out] | Process | The process for which to stop the exploit protection. |
Definition at line 1811 of file winvad.c.
Referenced by IntWinProcChangeProtectionFlags().
|
static |
Converts Windows VAD protection rights to Introcore protection rights.
[in] | VadProtection | The VAD protection rights. |
Definition at line 522 of file winvad.c.
Referenced by IntWinVadFetchVadFromMemory().
|
static |
Converts Windows VAD protection rights to a Windows memory protection constant.
[in] | VadProtection | The VAD protection rights. |
Definition at line 562 of file winvad.c.
Referenced by IntWinVadHandleInsertGeneric().
Converts Windows memory protection constants to Introcore protection flags.
[in] | VmProtection | A Windows memory protection constant. See https://docs.microsoft.com/en-us/windows/win32/memory/memory-protection-constants |
Definition at line 481 of file winvad.c.
Referenced by IntWinVadHandleProtectGeneric().
INTSTATUS IntWinVadWalkTree | ( | PWIN_PROCESS_OBJECT | Process, |
PFUNC_RbTreeWalkCallback | Callback | ||
) |
Walks the VAD tree of a process.
[in] | Process | The process for which the walk is done. |
[in] | Callback | Callback to be invoked for each node in the tree. If the callback returns False, the walk is stopped. No context is passed to Callback. |
INT_STATUS_SUCCESS | in case of success. |
INT_STATUS_INVALID_PARAMETER_1 | is Process is NULL. |
INT_STATUS_INVALID_PARAMETER_2 | is Callback is NULL. |
Definition at line 2025 of file winvad.c.
Referenced by IntWinProcDump(), and IntWinProcDumpVads().