INTSTATUS IntWinVadPatchInsert(QWORD FunctionAddress, API_HOOK_HANDLER *Handler, void *Descriptor)
This is the PFUNC_PreDetourCallback for the MiInsertVad guest API detour. It will be invoked before th...
Exposes the types, constants and functions used to handle Windows processes events (creation...
INTSTATUS IntWinVadHandleInsert(void const *Detour)
The detour handler that will be invoked when the guest inserts a new VAD in the tree. This is the detour handler for the MiInsertVad guest API.
struct _VAD_PAGE * PVAD_PAGE
INTSTATUS IntWinVadHandleDeleteVaRange(void const *Detour)
The detour handler that will be invoked when a memory range contained by a VAD is deleted...
INTSTATUS IntWinVadPatchInsertMap(QWORD FunctionAddress, API_HOOK_HANDLER *Handler, void *Descriptor)
This is the PFUNC_PreDetourCallback for the MiGetWsAndInsertVad guest API detour. It will be invoked b...
INTSTATUS IntWinVadImportProcessTree(WIN_PROCESS_OBJECT *Process)
Scans the guest VAD tree and imports the nodes into our VAD tree.
void IntWinVadStopExploitMonitor(WIN_PROCESS_OBJECT *Process)
Disables the exploit monitoring for a process.
Describes a detour handler.
INTSTATUS IntWinVadRemoveProcessTree(WIN_PROCESS_OBJECT *Process)
Removes the VAD tree from a process.
INTSTATUS IntWinVadProcImportMainModuleVad(WIN_PROCESS_OBJECT *Process)
Imports the VAD that describes the main module of a process.
BOOLEAN IntWinVadDump(VAD const *Vad, void *Context)
Prints a VAD structure.
INTSTATUS IntWinVadHandleVirtualProtect(void const *Detour)
The detour handler that will be invoked when a memory range contained by a VAD has the protection rig...
struct _VAD VAD
A representation of a Windows VAD structure.
int INTSTATUS
The status data type.
INTSTATUS IntWinVadHandleCommit(void const *Detour)
The detour handler that will be invoked when an existing VAD is committed by the guest. This is the detour handler for the MiCommitExistingVad guest API. Due to the way we ignore certain VADs, this can be invoked either when protection is changed for a known VAD, in which case we have to adjust our protection; or, when protection is changed for a previously unknown VAD in a way that makes it relevant for Introcore, in which case we treat it as a newly created VAD.
BOOLEAN Legitimate
True if an execution from this page was attempted and it was deemed not to be malicious.
QWORD VadGva
The guest virtual address at which the corresponding Windows _MMVAD structure is located.
WIN_VAD_PROT
VAD protection flags as used by the Windows kernel. These represent the values in the Protection port...
DWORD ExecCount
The number of execution violations triggered by pages inside this VAD.
QWORD Address
The base address of the page.
DWORD DeleteInProgress
Set if the DeleteInProgress bit inside the VadFlags field is set.
INTSTATUS IntWinVadPatchVirtualProtect(QWORD FunctionAddress, API_HOOK_HANDLER *Handler, void *Descriptor)
This is the PFUNC_PreDetourCallback for the MiProtectVirtualMemory guest API detour. It will be invoked before the detour is placed inside the guest and will patch the detour handler with the value of winKmFieldProcessSpare.
void * ExecHook
Execution hook handle, if one exists.
INTSTATUS IntWinVadPatchDeleteVaRange(QWORD FunctionAddress, API_HOOK_HANDLER *Handler, void *Descriptor)
This is the PFUNC_PreDetourCallback for the MiDeleteVirtualAddresses guest API detour. It will be invoked before the detour is placed inside the guest and will patch the detour handler with the value of winKmFieldProcessSpare.
INTSTATUS IntWinVadHandleInsertPrivate(void const *Detour)
The detour handler that will be invoked when the guest inserts a new VAD in the tree. This is the detour handler for the MiInsertPrivateVad guest API.
INTSTATUS IntWinVadPatchFinishVadDeletion(QWORD FunctionAddress, API_HOOK_HANDLER *Handler, void *Descriptor)
This is the PFUNC_PreDetourCallback for the MiFinishVadDeletion guest API detour. It will be invoked b...
BOOLEAN IntWinVadIsInTree(const VAD *Vad)
Checks if a VAD is inserted in a guest VAD tree.
struct _VAD * Vad
The VAD containing this page.
VAD_TYPE VadType
The type of the VAD.
INTSTATUS(* PFUNC_PreDetourCallback)(QWORD FunctionAddress, void *Handler, void *Descriptor)
The type of a callback invoked before setting a detour.
RBNODE RbNode
The node inside the WIN_PROCESS_OBJECT.VadTree tree.
INTSTATUS IntWinPatchVadHandleCommit(QWORD FunctionAddress, API_HOOK_HANDLER *Handler, void *Descriptor)
This is the PFUNC_PreDetourCallback for the MiCommitExistingVad guest API detour. It will be invoked b...
A representation of a memory page included in a VAD structure.
INTSTATUS IntWinVadWalkTree(PWIN_PROCESS_OBJECT Process, PFUNC_RbTreeWalkCallback Callback)
Walks the VAD tree of a process.
DWORD StaticScan
Set if the VAD was statically detected by a scan, after it was created.
WIN_PROCESS_OBJECT * Process
The process to which this VAD belongs.
INTSTATUS IntWinVadFetchByRange(QWORD VadRoot, QWORD StartPage, QWORD EndPage, VAD *Vad)
Fetches and returns a VAD object containing the range represented by [StartPage, EndPage].
INTSTATUS IntWinVadHandleInsertMap(void const *Detour)
The detour handler that will be invoked when a VAD is inserted in the guest VAD tree. This is the detour handler for the MiGetWsAndInsertVad guest API.
INTSTATUS IntWinVadPatchInsertPrivate(QWORD FunctionAddress, API_HOOK_HANDLER *Handler, void *Descriptor)
This is the PFUNC_PreDetourCallback for the MiInsertPrivateVad guest API detour. It will be invoked be...
FUNC_RbTreeWalkCallback * PFUNC_RbTreeWalkCallback
INTSTATUS IntWinVadHandleFinishVadDeletion(void const *Detour)
The detour handler that will be invoked when a memory range contained by a VAD is deleted...
void IntWinVadDestroyObject(VAD **Vad)
Frees a VAD and all the resources held by it.
#define _Function_class_(expr)
VAD * IntWinVadFindAndUpdateIfNecessary(WIN_PROCESS_OBJECT *Process, QWORD StartHint, QWORD LengthHint)
Searches for a VAD in the Introcore VAD tree. If no VAD is found, or if the found one does not fully ...
VAD * IntWinVadFindByVa(WIN_PROCESS_OBJECT *Process, QWORD Va)
Finds a VAD that contains a given guest virtual address.
enum _VAD_TYPE VAD_TYPE
The types of a _MMVAD structure.
INTSTATUS(* PFUNC_WinVadTraversalCallback)(QWORD VadNodeGva, DWORD Level, void *Context)
Callback type used for in-guest VAD tree traversals.
QWORD PageCount
The number of 4K pages in the VAD.
INTSTATUS IntWinVadInOrderRecursiveTraversal(QWORD VadNodeGva, DWORD Level, PFUNC_WinVadTraversalCallback Callback, void *Context)
Traverses a guest VAD tree.
BOOLEAN FUNC_RbTreeWalkCallback(RBNODE *Node, void *WalkContext)
INTSTATUS IntWinVadShortDump(QWORD VadNodeGva, DWORD Level, void *Context)
Prints a _MMVAD_SHORT structure.
DWORD HugeVad
Set if the memory range represented by this VAD has a size of at least 4G.
DWORD NoChange
Set if the NoChange bit inside the VadFlags field is set.
void IntWinVadProcessInit(WIN_PROCESS_OBJECT *Process)
Initializes a WIN_PROCESS_OBJECT.VadTree.
DWORD PrivateFixup
Set if the PrivateFixup bit inside the VadFlags field is set.
A representation of a Windows VAD structure.
DWORD IsIgnored
Set if this VAD is not monitored regardless of the protection rights it has.
struct _VAD_PAGE VAD_PAGE
A representation of a memory page included in a VAD structure.
DWORD IsStack
Set if the memory range represented by this VAD is a stack.
VAD_PAGE ** VadPages
An array representing each page in the VAD. It has PageCount entries.
This structure describes a running process inside the guest.
QWORD IntWinVadFindNodeInGuestSpace(QWORD VadRoot, QWORD StartPage, QWORD EndPage, DWORD Level, QWORD OldStartPage, BOOLEAN LastBranchRight)
Searches for a VAD node inside a guest VAD tree.