- Generated by
1.8.13
|
Bitdefender Hypervisor Memory Introspection
|
This structure describes a running process inside the guest. More...
#include <winprocess.h>
Data Fields | |
| LIST_ENTRY | Link |
| Entry within gWinProcesses (Doubly Linked List). More... | |
| RBNODE | NodeCr3 |
| Entry within gWinProcTreeCr3 (RB Tree). More... | |
| RBNODE | NodeUserCr3 |
| Entry within gWinProcTreeUserCr3 (RB Tree). More... | |
| RBNODE | NodeEproc |
| Entry within gWinProcTreeEprocess (RB Tree). More... | |
| QWORD | EprocessAddress |
| This will be the address of the ActiveProcess field. More... | |
| QWORD | ParentEprocess |
| The EPROCESS of the parent process. More... | |
| QWORD | RealParentEprocess |
| The active EPROCESS at the moment of creation. More... | |
| QWORD | CreationTime |
| The creation time of the process, as stored inside the EPROCESS. More... | |
| QWORD | Cr3 |
| Process PDBR. Includes PCID. More... | |
| QWORD | UserCr3 |
| Process user PDBR. Includes PCID. More... | |
| DWORD | Pid |
| Process ID (the one used by Windows). More... | |
| DWORD | NameHash |
| Name hash, as used by the exceptions module. More... | |
| QWORD | Peb64Address |
| PEB 64 address (on x86 OSes, this will be 0). More... | |
| QWORD | Peb32Address |
| PEB 32 address (on pure x64 processes, this will be 0). More... | |
| QWORD | MainModuleAddress |
| The address of the main module. More... | |
| CHAR | Name [IMAGE_BASE_NAME_LEN] |
| Process base name. More... | |
| WINUM_PATH * | Path |
| Will point inside the loaded modules list to the full process path. More... | |
| PCHAR | CommandLine |
| The command line with which the process was created (can be NULL). More... | |
| DWORD | CommandLineSize |
| Includes the NULL terminator. More... | |
| union { | |
| DWORD Flags | |
| Windows process flags (possible values for this bitmask are described below). More... | |
| struct { | |
| DWORD Wow64Process: 1 | |
| TRUE if this is a 32 bit process on a 64 bit OS. More... | |
| DWORD Terminating: 1 | |
| TRUE if the process is terminating (cleanup pending). More... | |
| DWORD Protected: 1 | |
| TRUE if this is a protected process. If this is FALSE, most of the above fields aren't used at all. More... | |
| DWORD IsAgent: 1 | |
| TRUE if this is an injected agent. More... | |
| DWORD MainModuleLoaded: 1 | |
| TRUE if the main module has been loaded. More... | |
| DWORD UnpackProtected: 1 | |
| TRUE if the main module has been protected against unpacks. More... | |
| DWORD Initialized: 1 | |
| DWORD BetaDetections: 1 | |
| TRUE if BETA is enabled for this particular process. More... | |
| DWORD SystemProcess: 1 | |
| TRUE if this is a system process. More... | |
| DWORD Lsass: 1 | |
| TRUE if this is the lsass process. More... | |
| DWORD StaticDetected: 1 | |
| TRUE if the process was detected using a static scan (during static init). More... | |
| DWORD LastPebWriteDone: 1 | |
| TRUE if the write into PEB is done (used for initialization checks). More... | |
| DWORD InjectedApphelp: 1 | |
| TRUE if AppHelp was injected. More... | |
| DWORD ParentWow64: 1 | |
| TRUE if the parent is a 32 bit process on a 64 bit OS. More... | |
| DWORD StartInitializing: 1 | |
| TRUE if the process actually started initializing (there is a time windows from the moment we add the inside out lists to the point when it actually starts its initialization steps when the process is "invalid"). More... | |
| DWORD OneTimeInjectionDone: 1 | |
| The one time injection already took place (exception). More... | |
| DWORD LateProtection: 1 | |
| TRUE if the protection was not activated right from start. More... | |
| DWORD Peb32ContextWritten: 1 | |
| TURE if the Process Environment Block (x86) context was written (valid only on Windows 7). More... | |
| DWORD Peb64ContextWritten: 1 | |
| TURE if the Process Environment Block (x64) context was written (valid only on Windows 7). More... | |
| DWORD MonitorVad: 1 | |
| TRUE if we need to handle VAD events for this process. More... | |
| DWORD MonitorModules: 1 | |
| TRUE if we need to monitor module load/unloads. More... | |
| DWORD IsPreviousAgent: 1 | |
| TRUE if this is an agent injected in a previous session. More... | |
| DWORD ExploitGuardEnabled: 1 | |
| TRUE if any Exploit Guard mitigation option is set for this process. More... | |
| } | |
| }; | |
| BYTE | InjectionsCount |
| The number of injections allowed at the initialization. More... | |
| BYTE | PebWrittenCount |
| The number writes to the (Process Environment Block). More... | |
| QWORD | InjectedApphelpAddress |
| The address of the injected apphelp (during initialization). More... | |
| DWORD | InjectedAppHelpSize |
| The size of the injected apphelp (during initialization). More... | |
| DWORD | LastException |
| The code of the last exception that took place. More... | |
| QWORD | LastExceptionRip |
| The RIP of the last exception that took place. More... | |
| BOOLEAN | LastExceptionContinuable |
| TRUE if the last exception is continuable (for example a #PF that was caused due to the way the OS does the lazy memory mappings). More... | |
| BOOLEAN | HasNaClEnabled |
| Only valid for chromium-based browsers; TRUE if this is a NaCl process. More... | |
| BOOLEAN | EnforcedDep |
| TRUE is the DEP (Data Execution Prevention) has been enforced. More... | |
| DWORD | ExitStatus |
| The exit status of the process (used when sending the process terminated event). More... | |
| BOOLEAN | IsDominoJava |
| True if this is a Java IBM process and j9jit.dll is loaded. More... | |
| BOOLEAN | FirstDominoJavaIgnored |
| TRUE if the first Domino Java execution VAD was ignored. More... | |
| union { | |
| DWORD ProtectionMask | |
| Protection mask: tells us what level of protection will be activated for this process. More... | |
| struct { | |
| DWORD ProtReserved1: 2 | |
| RESERVED. More... | |
| DWORD ProtCoreModules: 1 | |
| Protect the core module loaded by the process. More... | |
| DWORD ProtUnpack: 1 | |
| Protect process against unpacking attempts. More... | |
| DWORD ProtWriteMem: 1 | |
| Protect the the memory against writes. More... | |
| DWORD ProtWsockModules: 1 | |
| Protect the Windows Socket related modules. More... | |
| DWORD ProtExploits: 1 | |
| DWORD ProtThreadCtx: 1 | |
| Protect the thread context (protection against thread hijacking). More... | |
| DWORD ProtQueueApc: 1 | |
| DWORD ProtCreation: 1 | |
| Prevent this process from creating child processes (other than other instances of itself). More... | |
| DWORD ProtDoubleAgent: 1 | |
| Protect the process against double agent attacks. More... | |
| DWORD ProtReserved2: 18 | |
| DWORD ProtRemediate: 1 | |
| Any event inside the process will trigger the injection of the remediation tool. More... | |
| DWORD ProtKillExploit: 1 | |
| DWORD ProtBeta: 1 | |
| Process is monitored, but in log-only mode so no actions will be blocked. More... | |
| } | |
| }; | |
| QWORD | BetaMask |
| The protection mask in beta mode. More... | |
| QWORD | FeedbackMask |
| The protection mask in feedback mode. More... | |
| DWORD | AgentTag |
| If IsAgent is TRUE, this will be the agent tag. More... | |
| void * | Cr3PageLockObject |
| The CR3 will be locked in memory, to prevent the OS from dynamically modifying the CR3 of a running process. More... | |
| void * | UserCr3PageLockObject |
| The UserCR3 will be locked in memory, to prevent the OS from dynamically modifying the CR3 of a running process. More... | |
| RBTREE | VadTree |
| RB-Tree of process VADs. More... | |
| void * | VasMonRoot |
| Virtual Address Space monitor root. More... | |
| LIST_HEAD * | VadPages |
| Vad pages Hash-Table. More... | |
| QWORD | OriginalTokenPtr |
| Original Token pointer inside EPROCESS (should never change). More... | |
| void * | ParamsSwapHandle |
| The swap memory handle for Process->Peb->ProcessParameters (used to read the command line of the process). More... | |
| void * | CmdLineSwapHandle |
| The swap memory handle for the UNICODE_STRING containing the command line of the a process. More... | |
| void * | CmdBufSwapHandle |
| The swap memory handle for the command line buffer. More... | |
| void * | SelfMapHook |
| The self mapping memory hook. More... | |
| void * | UserSelfMapHook |
| The user self mapping memory hook. More... | |
| QWORD | SelfMapEntryValue |
| The self mapping memory entry value. More... | |
| QWORD | UserSelfMapEntryValue |
| The user self mapping memory entry value. More... | |
| QWORD | Context |
| Context from integrator if the process is protected, 0 otherwise. More... | |
| BOOLEAN | ImageIsFromNativeSubsystem |
| TRUE if the process image is from the native subsystem. More... | |
| BOOLEAN | IsVerifierLoaded |
| TRUE if app verifier is loaded. More... | |
| WORD | OriginalSpareValue |
| We put in guest * and some flags in order to decide whether to raise a VM exit on a process. Here we keep the overwritten original value of the spare field. More... | |
| void * | MainModuleVad |
| Used for keeping the main module VAD (used for dereferencing paths) as the unprotected processes don't have a VAD RB-Tree. More... | |
| struct { | |
| BOOLEAN ParentHasPivotedStack | |
| The parent process has a pivoted stack. More... | |
| QWORD DebuggerEprocess | |
| This will keep the EPROCESS of the debugger process (if any). More... | |
| QWORD TokenStolenFromEprocess | |
| This will keep the EPROCESS of the process from which the current process stole the token. More... | |
| BOOLEAN ParentHasBeenHeapSprayed | |
| The parent process has been heap sprayed. More... | |
| BOOLEAN ParentHasTokenPrivsAltered | |
| The parent process has the token privileges altered in a malicious way, most probably due to a privilege escalation. More... | |
| BOOLEAN ParentThreadSuspicious | |
| The parent thread start address was considered suspicious. More... | |
| } | CreationInfo |
| DPI_EXTRA_INFO | DpiExtraInfo |
| Represents the gathered extra info while checking the DPI heuristics. More... | |
| PWIN_PROCESS_SUBSYSTEM | Subsystemx86 |
| The x86 subsystem. Note that a 32 bit process on a 64 bit OS may have both subsystems valid. In that case, we need to handle & protect both of them. More... | |
| PWIN_PROCESS_SUBSYSTEM | Subsystemx64 |
| The x64 subsystem. Note that a 32 bit process on a 64 bit OS may have both subsystems valid. In that case, we need to handle & protect both of them. More... | |
| void * | TokenHook |
| Hook object for the ept hook over nt!_TOKEN Privileges field. More... | |
| QWORD | OriginalPresentPrivs |
| Saved value of the Privileges Present bitfield inside the nt!_TOKEN structure assigned to the current process. More... | |
| QWORD | OriginalEnabledPrivs |
| Saved value of the Privileges Enabled bitfield inside the nt!_TOKEN structure assigned to the current process. More... | |
| BOOLEAN | SkipPrivsNextCheck |
| Signals whether the next privileges check on integrity should be skipped for the current process. Is set if, for example, we could not fetch the privileges when the process was created. More... | |
| BOOLEAN | PrivsChangeDetected |
| Set to TRUE when a token privilege change has been detected. This is useful for DPI, in the case where a write has been detected over the privileges, but because of the detect only mechanism, we have overwritten the OriginalPresentPrivs and OriginalEnabledPrivs values, thus DPI will not raise an alert on process creation due to the fact that the mechanism doesn't see any change. For this purpose, we'll analyze every process creation in DPI from the moment the privileges have changed and a detection took place on integrity. More... | |
This structure describes a running process inside the guest.
Definition at line 81 of file winprocess.h.
| union { ... } |
| union { ... } |
| DWORD _WIN_PROCESS_OBJECT::AgentTag |
If IsAgent is TRUE, this will be the agent tag.
Definition at line 227 of file winprocess.h.
Referenced by IntWinProcCreateProcessObject(), and IntWinProcDeleteProcessObject().
| DWORD _WIN_PROCESS_OBJECT::BetaDetections |
TRUE if BETA is enabled for this particular process.
Definition at line 133 of file winprocess.h.
Referenced by IntWinProcUpdateProtection().
| QWORD _WIN_PROCESS_OBJECT::BetaMask |
The protection mask in beta mode.
Definition at line 224 of file winprocess.h.
Referenced by IntWinProcCreateProcessObject(), and IntWinProcUpdateProtection().
| void* _WIN_PROCESS_OBJECT::CmdBufSwapHandle |
The swap memory handle for the command line buffer.
Definition at line 251 of file winprocess.h.
Referenced by IntWinGetPrcoCmdLineHandleCmdLineInMemory(), and IntWinGetProcCmdLineHandleBufferInMemory().
| void* _WIN_PROCESS_OBJECT::CmdLineSwapHandle |
The swap memory handle for the UNICODE_STRING containing the command line of the a process.
Definition at line 249 of file winprocess.h.
Referenced by IntWinGetPrcoCmdLineHandleCmdLineInMemory(), and IntWinGetPrcoCmdLineHandleUserParamsInMemory().
| PCHAR _WIN_PROCESS_OBJECT::CommandLine |
The command line with which the process was created (can be NULL).
Definition at line 112 of file winprocess.h.
Referenced by IntExceptVerifyValueSig(), and IntWinGetProcCmdLineHandleBufferInMemory().
| DWORD _WIN_PROCESS_OBJECT::CommandLineSize |
Includes the NULL terminator.
Definition at line 114 of file winprocess.h.
Referenced by IntWinGetProcCmdLineHandleBufferInMemory().
| QWORD _WIN_PROCESS_OBJECT::Context |
Context from integrator if the process is protected, 0 otherwise.
Definition at line 260 of file winprocess.h.
Referenced by IntWinProcCreateProcessObject(), IntWinProcExistsProtectedProcess(), and IntWinProcUpdateProtection().
| QWORD _WIN_PROCESS_OBJECT::Cr3 |
Process PDBR. Includes PCID.
Definition at line 96 of file winprocess.h.
Referenced by DbgIterateVaSpace(), IntDispatchVeAsEpt(), IntExceptGetVictimProcess(), IntExceptGetVictimProcessCreation(), IntExceptUserLogWindowsInformation(), IntExceptVerifyCodeBlocksSig(), IntExceptVerifyValueCodeSig(), IntExceptVerifyValueSig(), IntGetGprs(), IntLogCriticalProcessHasDied(), IntLogProcessInfo(), IntSerializeDpiWinHeapSpray(), IntSerializeDpiWinThreadStart(), IntWinDagentHandleSlackWritable(), IntWinGetPrcoCmdLineHandleCmdLineInMemory(), IntWinGetPrcoCmdLineHandleUserParamsInMemory(), IntWinModBlockHandleExecution(), IntWinModHandleModulePathInMemory(), IntWinModHandleUserWrite(), IntWinModHookModule(), IntWinModHookPoly(), IntWinProcCreateProcessObject(), IntWinProcDeleteProcessObject(), IntWinProcDump(), IntWinProcFindObjectByCr3(), IntWinProcHandleCopyMemory(), IntWinProcHandleCreate(), IntWinProcHandleDuplicate(), IntWinProcRbTreeNodeCompareCr3(), IntWinProcUpdateProtection(), IntWinProcValidateSystemCr3(), IntWinSelfMapHandleCr3SelfMapWrite(), IntWinSetUmExceptionEvent(), IntWinThrHandleQueueApc(), IntWinThrHandleThreadHijack(), and IntWinVadHandlePageExecution().
| void* _WIN_PROCESS_OBJECT::Cr3PageLockObject |
The CR3 will be locked in memory, to prevent the OS from dynamically modifying the CR3 of a running process.
Definition at line 231 of file winprocess.h.
| struct { ... } _WIN_PROCESS_OBJECT::CreationInfo |
| QWORD _WIN_PROCESS_OBJECT::CreationTime |
The creation time of the process, as stored inside the EPROCESS.
Definition at line 93 of file winprocess.h.
Referenced by IntLogProcessInfo(), and IntWinProcCreateProcessObject().
| QWORD _WIN_PROCESS_OBJECT::DebuggerEprocess |
This will keep the EPROCESS of the debugger process (if any).
Definition at line 278 of file winprocess.h.
Referenced by IntExceptUserLogWindowsInformation(), IntSerializeDpiWinDebug(), and IntWinDpiGetProcessDebugFlag().
| DPI_EXTRA_INFO _WIN_PROCESS_OBJECT::DpiExtraInfo |
Represents the gathered extra info while checking the DPI heuristics.
Definition at line 292 of file winprocess.h.
Referenced by IntExceptUserLogWindowsInformation(), IntSerializeDpiWinHeapSpray(), IntSerializeDpiWinPivotedStack(), IntSerializeDpiWinStolenToken(), IntSerializeDpiWinThreadStart(), and IntSerializeDpiWinTokenPrivs().
| BOOLEAN _WIN_PROCESS_OBJECT::EnforcedDep |
TRUE is the DEP (Data Execution Prevention) has been enforced.
Definition at line 185 of file winprocess.h.
Referenced by IntWinCrashHandleDepViolation().
| QWORD _WIN_PROCESS_OBJECT::EprocessAddress |
This will be the address of the ActiveProcess field.
Definition at line 88 of file winprocess.h.
Referenced by DbgLogCurrentProcess(), IntExceptUserLogWindowsInformation(), IntLogCriticalProcessHasDied(), IntLogProcessInfo(), IntWinDpiValidateParentProcessToken(), IntWinGetAccessTokenFromProcess(), IntWinGetProcCmdLineHandleBufferInMemory(), IntWinGetStartUpTime(), IntWinModHandleMainModuleInMemory(), IntWinModHandleUserWrite(), IntWinProcAdd(), IntWinProcCreateProcessObject(), IntWinProcDeleteProcessObject(), IntWinProcDump(), IntWinProcDumpEgFlags(), IntWinProcDumpVads(), IntWinProcFindObjectByEprocess(), IntWinProcGetNameFromInternalEprocess(), IntWinProcHandleCreate(), IntWinProcHandleCreateInternal(), IntWinProcHandleDuplicate(), IntWinProcRbTreeNodeCompareEproc(), IntWinProcUpdateProtection(), IntWinProcValidateSystemCr3(), IntWinThrHandleThreadHijack(), IntWinTokenPrivsHandleWrite(), IntWinTokenPtrCheckIntegrityOnProcess(), IntWinUmCheckInitializationInjection(), IntWinVadHandleInsertPrivate(), and IntWinVadHandleVirtualProtect().
| DWORD _WIN_PROCESS_OBJECT::ExitStatus |
The exit status of the process (used when sending the process terminated event).
Definition at line 188 of file winprocess.h.
Referenced by IntLogProcessInfo(), and IntWinProcDeleteProcessObject().
| DWORD _WIN_PROCESS_OBJECT::ExploitGuardEnabled |
TRUE if any Exploit Guard mitigation option is set for this process.
Definition at line 165 of file winprocess.h.
Referenced by IntWinProcCreateProcessObject().
| QWORD _WIN_PROCESS_OBJECT::FeedbackMask |
The protection mask in feedback mode.
Definition at line 225 of file winprocess.h.
Referenced by IntWinProcCreateProcessObject(), and IntWinProcUpdateProtection().
| BOOLEAN _WIN_PROCESS_OBJECT::FirstDominoJavaIgnored |
TRUE if the first Domino Java execution VAD was ignored.
Definition at line 191 of file winprocess.h.
Referenced by IntWinModCheckSpecialCases(), and IntWinVadHandlePageExecution().
| DWORD _WIN_PROCESS_OBJECT::Flags |
Windows process flags (possible values for this bitmask are described below).
Definition at line 119 of file winprocess.h.
Referenced by IntLogProcessInfo().
| BOOLEAN _WIN_PROCESS_OBJECT::HasNaClEnabled |
Only valid for chromium-based browsers; TRUE if this is a NaCl process.
Definition at line 183 of file winprocess.h.
Referenced by IntWinGetProcCmdLineHandleBufferInMemory().
| BOOLEAN _WIN_PROCESS_OBJECT::ImageIsFromNativeSubsystem |
TRUE if the process image is from the native subsystem.
Definition at line 262 of file winprocess.h.
Referenced by IntWinDagentCheckNativeSubsystem(), and IntWinDagentHandleSuspModExecution().
| DWORD _WIN_PROCESS_OBJECT::Initialized |
Definition at line 132 of file winprocess.h.
Referenced by IntWinProcCreateProcessObject(), IntWinProcHandleCopyMemory(), and IntWinUmCheckInitializationInjection().
| DWORD _WIN_PROCESS_OBJECT::InjectedApphelp |
TRUE if AppHelp was injected.
Definition at line 142 of file winprocess.h.
| QWORD _WIN_PROCESS_OBJECT::InjectedApphelpAddress |
The address of the injected apphelp (during initialization).
Definition at line 172 of file winprocess.h.
| DWORD _WIN_PROCESS_OBJECT::InjectedAppHelpSize |
The size of the injected apphelp (during initialization).
Definition at line 173 of file winprocess.h.
| BYTE _WIN_PROCESS_OBJECT::InjectionsCount |
The number of injections allowed at the initialization.
Definition at line 169 of file winprocess.h.
Referenced by IntWinUmCheckInitializationInjection().
| DWORD _WIN_PROCESS_OBJECT::IsAgent |
TRUE if this is an injected agent.
Definition at line 129 of file winprocess.h.
Referenced by IntWinAgentHandleAppVmcall(), IntWinProcCreateProcessObject(), IntWinProcDeleteProcessObject(), IntWinProcGetAgentsAsCli(), IntWinProcHandleCopyMemory(), and IntWinProcUninit().
| BOOLEAN _WIN_PROCESS_OBJECT::IsDominoJava |
True if this is a Java IBM process and j9jit.dll is loaded.
Definition at line 190 of file winprocess.h.
Referenced by IntWinModCheckSpecialCases().
| DWORD _WIN_PROCESS_OBJECT::IsPreviousAgent |
TRUE if this is an agent injected in a previous session.
Definition at line 162 of file winprocess.h.
Referenced by IntWinAgentHandleAppVmcall(), and IntWinProcCreateProcessObject().
| BOOLEAN _WIN_PROCESS_OBJECT::IsVerifierLoaded |
TRUE if app verifier is loaded.
Definition at line 263 of file winprocess.h.
Referenced by IntWinDagentHandleSuspModExecution().
| DWORD _WIN_PROCESS_OBJECT::LastException |
The code of the last exception that took place.
Definition at line 175 of file winprocess.h.
Referenced by IntWinSetUmExceptionEvent().
| BOOLEAN _WIN_PROCESS_OBJECT::LastExceptionContinuable |
TRUE if the last exception is continuable (for example a #PF that was caused due to the way the OS does the lazy memory mappings).
Definition at line 180 of file winprocess.h.
Referenced by IntWinSetUmExceptionEvent().
| QWORD _WIN_PROCESS_OBJECT::LastExceptionRip |
The RIP of the last exception that took place.
Definition at line 176 of file winprocess.h.
Referenced by IntWinSetUmExceptionEvent().
| DWORD _WIN_PROCESS_OBJECT::LastPebWriteDone |
TRUE if the write into PEB is done (used for initialization checks).
Definition at line 141 of file winprocess.h.
Referenced by IntWinUmCheckInitializationInjection().
| DWORD _WIN_PROCESS_OBJECT::LateProtection |
TRUE if the protection was not activated right from start.
Definition at line 152 of file winprocess.h.
Referenced by IntWinProcCreateProcessObject(), and IntWinProcUpdateProtection().
| LIST_ENTRY _WIN_PROCESS_OBJECT::Link |
Entry within gWinProcesses (Doubly Linked List).
Definition at line 83 of file winprocess.h.
Referenced by IntWinProcCreateProcessObject(), IntWinProcDeleteProcessObject(), and IntWinProcUninit().
| DWORD _WIN_PROCESS_OBJECT::Lsass |
TRUE if this is the lsass process.
Definition at line 135 of file winprocess.h.
Referenced by IntWinProcCreateProcessObject(), and IntWinProcHandleCopyMemory().
| QWORD _WIN_PROCESS_OBJECT::MainModuleAddress |
The address of the main module.
Definition at line 104 of file winprocess.h.
Referenced by IntWinModHandleModulePathInMemory(), and IntWinProcCreateProcessObject().
| DWORD _WIN_PROCESS_OBJECT::MainModuleLoaded |
TRUE if the main module has been loaded.
Definition at line 130 of file winprocess.h.
Referenced by IntWinModHandleModulePathInMemory().
| void* _WIN_PROCESS_OBJECT::MainModuleVad |
Used for keeping the main module VAD (used for dereferencing paths) as the unprotected processes don't have a VAD RB-Tree.
Definition at line 271 of file winprocess.h.
| DWORD _WIN_PROCESS_OBJECT::MonitorModules |
TRUE if we need to monitor module load/unloads.
Definition at line 161 of file winprocess.h.
Referenced by IntExceptGetVictimProcess().
| DWORD _WIN_PROCESS_OBJECT::MonitorVad |
TRUE if we need to handle VAD events for this process.
Definition at line 160 of file winprocess.h.
Referenced by IntExceptGetVictimProcess(), IntWinProcCreateProcessObject(), IntWinProcHandleCopyMemory(), IntWinVadHandleCommit(), IntWinVadHandleDeleteVaRange(), IntWinVadHandleFinishVadDeletion(), IntWinVadHandleInsert(), IntWinVadHandleInsertMap(), IntWinVadHandleInsertPrivate(), and IntWinVadHandleVirtualProtect().
| CHAR _WIN_PROCESS_OBJECT::Name[IMAGE_BASE_NAME_LEN] |
Process base name.
Definition at line 106 of file winprocess.h.
Referenced by DbgIterateVaSpace(), DbgLogCurrentProcess(), IntExceptGetVictimEpt(), IntExceptGetVictimProcess(), IntExceptGetVictimProcessCreation(), IntExceptUserLogWindowsInformation(), IntLogCriticalProcessHasDied(), IntLogProcessInfo(), IntWinAgentHandleAppVmcall(), IntWinDagentHandleSuspModExecution(), IntWinGetProcCmdLineHandleBufferInMemory(), IntWinModCheckSpecialCases(), IntWinModHandleModulePathInMemory(), IntWinModHandleUserWrite(), IntWinProcCreateProcessObject(), IntWinProcDeleteProcessObject(), IntWinProcDump(), IntWinProcDumpEgFlags(), IntWinProcDumpVads(), IntWinProcExistsProtectedProcess(), IntWinProcFindObjectByName(), IntWinProcGetAgentsAsCli(), IntWinProcGetNameFromInternalEprocess(), IntWinProcHandleCopyMemory(), IntWinProcHandleCreateInternal(), IntWinProcHandleDuplicate(), IntWinProcUpdateProtection(), IntWinSelfMapHandleCr3SelfMapWrite(), IntWinSetUmExceptionEvent(), IntWinThrHandleQueueApc(), IntWinThrHandleThreadHijack(), IntWinTokenProtectPrivs(), IntWinTokenPtrCheckIntegrityOnProcess(), IntWinUmCheckInitializationInjection(), and IntWinVadHandlePageExecution().
| DWORD _WIN_PROCESS_OBJECT::NameHash |
Name hash, as used by the exceptions module.
Definition at line 99 of file winprocess.h.
Referenced by IntExceptGetVictimEpt(), IntExceptGetVictimProcess(), IntExceptGetVictimProcessCreation(), IntExceptUserLogWindowsInformation(), and IntWinProcCreateProcessObject().
| RBNODE _WIN_PROCESS_OBJECT::NodeCr3 |
Entry within gWinProcTreeCr3 (RB Tree).
Definition at line 84 of file winprocess.h.
Referenced by IntWinProcCreateProcessObject(), IntWinProcDeleteProcessObject(), IntWinProcFindObjectByCr3(), and IntWinProcUninit().
| RBNODE _WIN_PROCESS_OBJECT::NodeEproc |
Entry within gWinProcTreeEprocess (RB Tree).
Definition at line 86 of file winprocess.h.
Referenced by IntWinProcCreateProcessObject(), IntWinProcDeleteProcessObject(), IntWinProcFindObjectByEprocess(), and IntWinProcUninit().
| RBNODE _WIN_PROCESS_OBJECT::NodeUserCr3 |
Entry within gWinProcTreeUserCr3 (RB Tree).
Definition at line 85 of file winprocess.h.
Referenced by IntWinProcCreateProcessObject(), IntWinProcDeleteProcessObject(), IntWinProcFindObjectByUserCr3(), and IntWinProcUninit().
| DWORD _WIN_PROCESS_OBJECT::OneTimeInjectionDone |
The one time injection already took place (exception).
Definition at line 151 of file winprocess.h.
Referenced by IntWinProcCreateProcessObject().
| QWORD _WIN_PROCESS_OBJECT::OriginalEnabledPrivs |
Saved value of the Privileges Enabled bitfield inside the nt!_TOKEN structure assigned to the current process.
Definition at line 310 of file winprocess.h.
| QWORD _WIN_PROCESS_OBJECT::OriginalPresentPrivs |
Saved value of the Privileges Present bitfield inside the nt!_TOKEN structure assigned to the current process.
Definition at line 306 of file winprocess.h.
| WORD _WIN_PROCESS_OBJECT::OriginalSpareValue |
We put in guest * and some flags in order to decide whether to raise a VM exit on a process. Here we keep the overwritten original value of the spare field.
Definition at line 267 of file winprocess.h.
Referenced by IntWinProcCreateProcessObject().
| QWORD _WIN_PROCESS_OBJECT::OriginalTokenPtr |
Original Token pointer inside EPROCESS (should never change).
Definition at line 241 of file winprocess.h.
Referenced by IntLogProcessInfo(), IntWinProcCreateProcessObject(), IntWinProcDump(), IntWinTokenPrivsHandleWrite(), and IntWinTokenPtrIsStolen().
| void* _WIN_PROCESS_OBJECT::ParamsSwapHandle |
The swap memory handle for Process->Peb->ProcessParameters (used to read the command line of the process).
Definition at line 245 of file winprocess.h.
Referenced by IntWinGetPrcoCmdLineHandleUserParamsInMemory().
| QWORD _WIN_PROCESS_OBJECT::ParentEprocess |
The EPROCESS of the parent process.
Definition at line 89 of file winprocess.h.
Referenced by IntLogProcessInfo(), IntWinProcCreateProcessObject(), IntWinProcDeleteProcessObject(), and IntWinProcDump().
| BOOLEAN _WIN_PROCESS_OBJECT::ParentHasBeenHeapSprayed |
The parent process has been heap sprayed.
Definition at line 283 of file winprocess.h.
| BOOLEAN _WIN_PROCESS_OBJECT::ParentHasPivotedStack |
The parent process has a pivoted stack.
Definition at line 275 of file winprocess.h.
| BOOLEAN _WIN_PROCESS_OBJECT::ParentHasTokenPrivsAltered |
The parent process has the token privileges altered in a malicious way, most probably due to a privilege escalation.
Definition at line 287 of file winprocess.h.
| BOOLEAN _WIN_PROCESS_OBJECT::ParentThreadSuspicious |
The parent thread start address was considered suspicious.
Definition at line 289 of file winprocess.h.
| DWORD _WIN_PROCESS_OBJECT::ParentWow64 |
TRUE if the parent is a 32 bit process on a 64 bit OS.
Definition at line 144 of file winprocess.h.
Referenced by IntWinProcCreateProcessObject().
| WINUM_PATH* _WIN_PROCESS_OBJECT::Path |
Will point inside the loaded modules list to the full process path.
Definition at line 109 of file winprocess.h.
Referenced by IntLogProcessInfo(), IntWinModHandleModulePathInMemory(), IntWinProcCreateProcessObject(), and IntWinProcUpdateProtection().
| QWORD _WIN_PROCESS_OBJECT::Peb32Address |
PEB 32 address (on pure x64 processes, this will be 0).
Definition at line 102 of file winprocess.h.
Referenced by IntLogProcessInfo(), IntWinProcCreateProcessObject(), and IntWinUmCheckInitializationInjection().
| DWORD _WIN_PROCESS_OBJECT::Peb32ContextWritten |
TURE if the Process Environment Block (x86) context was written (valid only on Windows 7).
Definition at line 155 of file winprocess.h.
| QWORD _WIN_PROCESS_OBJECT::Peb64Address |
PEB 64 address (on x86 OSes, this will be 0).
Definition at line 101 of file winprocess.h.
Referenced by IntLogProcessInfo(), IntWinProcCreateProcessObject(), and IntWinUmCheckInitializationInjection().
| DWORD _WIN_PROCESS_OBJECT::Peb64ContextWritten |
TURE if the Process Environment Block (x64) context was written (valid only on Windows 7).
Definition at line 158 of file winprocess.h.
| BYTE _WIN_PROCESS_OBJECT::PebWrittenCount |
The number writes to the (Process Environment Block).
Definition at line 170 of file winprocess.h.
Referenced by IntWinUmCheckInitializationInjection().
| DWORD _WIN_PROCESS_OBJECT::Pid |
Process ID (the one used by Windows).
Definition at line 98 of file winprocess.h.
Referenced by DbgLogCurrentProcess(), IntExceptUserLogWindowsInformation(), IntLogCriticalProcessHasDied(), IntLogProcessInfo(), IntWinAgentHandleAppVmcall(), IntWinAgentHandleDriverVmcall(), IntWinDagentHandleSuspModExecution(), IntWinGetProcCmdLineHandleBufferInMemory(), IntWinModHandleModulePathInMemory(), IntWinModHandleUserWrite(), IntWinProcCreateProcessObject(), IntWinProcDeleteProcessObject(), IntWinProcDump(), IntWinProcDumpVads(), IntWinProcFindObjectByPid(), IntWinProcGetAgentsAsCli(), IntWinProcGetObjectByPid(), IntWinProcHandleCopyMemory(), IntWinProcHandleCreate(), IntWinProcHandleCreateInternal(), IntWinProcHandleDuplicate(), IntWinProcUpdateProtection(), IntWinProcValidateSystemCr3(), IntWinSetUmExceptionEvent(), IntWinThrHandleThreadHijack(), IntWinTokenProtectPrivs(), and IntWinTokenPtrCheckIntegrityOnProcess().
| BOOLEAN _WIN_PROCESS_OBJECT::PrivsChangeDetected |
Set to TRUE when a token privilege change has been detected. This is useful for DPI, in the case where a write has been detected over the privileges, but because of the detect only mechanism, we have overwritten the OriginalPresentPrivs and OriginalEnabledPrivs values, thus DPI will not raise an alert on process creation due to the fact that the mechanism doesn't see any change. For this purpose, we'll analyze every process creation in DPI from the moment the privileges have changed and a detection took place on integrity.
Definition at line 322 of file winprocess.h.
| DWORD _WIN_PROCESS_OBJECT::ProtBeta |
Process is monitored, but in log-only mode so no actions will be blocked.
Definition at line 220 of file winprocess.h.
| DWORD _WIN_PROCESS_OBJECT::ProtCoreModules |
Protect the core module loaded by the process.
Definition at line 201 of file winprocess.h.
Referenced by IntWinModHandleModulePathInMemory().
| DWORD _WIN_PROCESS_OBJECT::ProtCreation |
Prevent this process from creating child processes (other than other instances of itself).
Definition at line 211 of file winprocess.h.
| DWORD _WIN_PROCESS_OBJECT::ProtDoubleAgent |
Protect the process against double agent attacks.
Definition at line 213 of file winprocess.h.
| DWORD _WIN_PROCESS_OBJECT::Protected |
TRUE if this is a protected process. If this is FALSE, most of the above fields aren't used at all.
Definition at line 128 of file winprocess.h.
Referenced by IntLogCriticalProcessHasDied(), IntWinCrashHandleDepViolation(), IntWinModHandleModuleHeadersInMemory(), IntWinProcCreateProcessObject(), IntWinProcDeleteProcessObject(), IntWinProcHandleCopyMemory(), IntWinProcUninit(), IntWinProcUpdateProtection(), IntWinSetUmExceptionEvent(), IntWinThrHandleQueueApc(), IntWinThrHandleThreadHijack(), and IntWinVadHandleCommit().
| DWORD _WIN_PROCESS_OBJECT::ProtectionMask |
Protection mask: tells us what level of protection will be activated for this process.
Definition at line 196 of file winprocess.h.
Referenced by IntWinGetPrcoCmdLineHandleCmdLineInMemory(), IntWinGetProcCmdLineHandleBufferInMemory(), IntWinProcCreateProcessObject(), IntWinProcDump(), and IntWinProcUpdateProtection().
| DWORD _WIN_PROCESS_OBJECT::ProtExploits |
Protect the process against exploits.
Definition at line 205 of file winprocess.h.
Referenced by IntWinCrashHandleDepViolation(), IntWinVadHandlePageExecution(), IntWinVadHandleProtectGeneric(), and IntWinVadHandleVirtualProtect().
| DWORD _WIN_PROCESS_OBJECT::ProtKillExploit |
The process will be killed if an exploit is detected.
Definition at line 218 of file winprocess.h.
Referenced by IntWinVadHandlePageExecution().
| DWORD _WIN_PROCESS_OBJECT::ProtQueueApc |
Protect APC Queue of the process (APC hijacking).
Definition at line 209 of file winprocess.h.
Referenced by IntWinThrHandleQueueApc().
| DWORD _WIN_PROCESS_OBJECT::ProtRemediate |
Any event inside the process will trigger the injection of the remediation tool.
Definition at line 216 of file winprocess.h.
| DWORD _WIN_PROCESS_OBJECT::ProtReserved1 |
RESERVED.
Definition at line 200 of file winprocess.h.
| DWORD _WIN_PROCESS_OBJECT::ProtReserved2 |
RESERVED.
Definition at line 214 of file winprocess.h.
| DWORD _WIN_PROCESS_OBJECT::ProtThreadCtx |
Protect the thread context (protection against thread hijacking).
Definition at line 207 of file winprocess.h.
Referenced by IntWinThrHandleThreadHijack().
| DWORD _WIN_PROCESS_OBJECT::ProtUnpack |
Protect process against unpacking attempts.
Definition at line 202 of file winprocess.h.
Referenced by IntWinModHandleModulePathInMemory().
| DWORD _WIN_PROCESS_OBJECT::ProtWriteMem |
Protect the the memory against writes.
Definition at line 203 of file winprocess.h.
Referenced by IntWinProcHandleCopyMemory().
| DWORD _WIN_PROCESS_OBJECT::ProtWsockModules |
Protect the Windows Socket related modules.
Definition at line 204 of file winprocess.h.
Referenced by IntWinModHandleModulePathInMemory().
| QWORD _WIN_PROCESS_OBJECT::RealParentEprocess |
The active EPROCESS at the moment of creation.
Definition at line 90 of file winprocess.h.
Referenced by IntLogProcessInfo(), IntWinProcCreateProcessObject(), IntWinProcDeleteProcessObject(), and IntWinProcDump().
| QWORD _WIN_PROCESS_OBJECT::SelfMapEntryValue |
The self mapping memory entry value.
Definition at line 256 of file winprocess.h.
| void* _WIN_PROCESS_OBJECT::SelfMapHook |
The self mapping memory hook.
Definition at line 253 of file winprocess.h.
Referenced by IntWinSelfMapEnableSelfMapEntryProtection(), and IntWinSelfMapHandleCr3SelfMapWrite().
| BOOLEAN _WIN_PROCESS_OBJECT::SkipPrivsNextCheck |
Signals whether the next privileges check on integrity should be skipped for the current process. Is set if, for example, we could not fetch the privileges when the process was created.
Definition at line 314 of file winprocess.h.
| DWORD _WIN_PROCESS_OBJECT::StartInitializing |
TRUE if the process actually started initializing (there is a time windows from the moment we add the inside out lists to the point when it actually starts its initialization steps when the process is "invalid").
Definition at line 149 of file winprocess.h.
Referenced by IntWinProcCreateProcessObject(), IntWinProcHandleCopyMemory(), and IntWinUmCheckInitializationInjection().
| DWORD _WIN_PROCESS_OBJECT::StaticDetected |
TRUE if the process was detected using a static scan (during static init).
Definition at line 138 of file winprocess.h.
Referenced by IntWinProcCreateProcessObject().
| PWIN_PROCESS_SUBSYSTEM _WIN_PROCESS_OBJECT::Subsystemx64 |
The x64 subsystem. Note that a 32 bit process on a 64 bit OS may have both subsystems valid. In that case, we need to handle & protect both of them.
Definition at line 300 of file winprocess.h.
Referenced by IntWinProcCreateProcessObject(), and IntWinProcDump().
| PWIN_PROCESS_SUBSYSTEM _WIN_PROCESS_OBJECT::Subsystemx86 |
The x86 subsystem. Note that a 32 bit process on a 64 bit OS may have both subsystems valid. In that case, we need to handle & protect both of them.
Definition at line 296 of file winprocess.h.
Referenced by IntWinProcCreateProcessObject(), and IntWinProcDump().
| DWORD _WIN_PROCESS_OBJECT::SystemProcess |
TRUE if this is a system process.
Definition at line 134 of file winprocess.h.
Referenced by IntWinCrashHandleDepViolation(), IntWinModHandleModulePathInMemory(), IntWinModPolyHandler(), IntWinProcCreateProcessObject(), IntWinProcDump(), IntWinProcFindObjectByName(), IntWinProcHandleCopyMemory(), IntWinProcUpdateProtection(), IntWinSelfMapHandleCr3SelfMapWrite(), IntWinThrHandleQueueApc(), and IntWinThrHandleThreadHijack().
| DWORD _WIN_PROCESS_OBJECT::Terminating |
TRUE if the process is terminating (cleanup pending).
Definition at line 124 of file winprocess.h.
Referenced by IntWinProcDeleteProcessObject(), and IntWinProcUninit().
| void* _WIN_PROCESS_OBJECT::TokenHook |
Hook object for the ept hook over nt!_TOKEN Privileges field.
Definition at line 302 of file winprocess.h.
Referenced by IntWinTokenUnprotectPrivs().
| QWORD _WIN_PROCESS_OBJECT::TokenStolenFromEprocess |
This will keep the EPROCESS of the process from which the current process stole the token.
Definition at line 281 of file winprocess.h.
Referenced by IntWinDpiValidateParentProcessToken().
| DWORD _WIN_PROCESS_OBJECT::UnpackProtected |
TRUE if the main module has been protected against unpacks.
Definition at line 131 of file winprocess.h.
Referenced by IntWinModHandleMainModuleInMemory().
| QWORD _WIN_PROCESS_OBJECT::UserCr3 |
Process user PDBR. Includes PCID.
Definition at line 97 of file winprocess.h.
Referenced by IntDispatchVeAsEpt(), IntLogCriticalProcessHasDied(), IntLogProcessInfo(), IntWinModHandleUserWrite(), IntWinProcCreateProcessObject(), IntWinProcDeleteProcessObject(), IntWinProcFindObjectByUserCr3(), IntWinProcRbTreeNodeCompareUserCr3(), and IntWinSelfMapHandleCr3SelfMapWrite().
| void* _WIN_PROCESS_OBJECT::UserCr3PageLockObject |
The UserCR3 will be locked in memory, to prevent the OS from dynamically modifying the CR3 of a running process.
Definition at line 235 of file winprocess.h.
| QWORD _WIN_PROCESS_OBJECT::UserSelfMapEntryValue |
The user self mapping memory entry value.
Definition at line 257 of file winprocess.h.
| void* _WIN_PROCESS_OBJECT::UserSelfMapHook |
The user self mapping memory hook.
Definition at line 254 of file winprocess.h.
Referenced by IntWinSelfMapEnableSelfMapEntryProtection(), and IntWinSelfMapHandleCr3SelfMapWrite().
| LIST_HEAD* _WIN_PROCESS_OBJECT::VadPages |
Vad pages Hash-Table.
Definition at line 239 of file winprocess.h.
| RBTREE _WIN_PROCESS_OBJECT::VadTree |
RB-Tree of process VADs.
Definition at line 237 of file winprocess.h.
| void* _WIN_PROCESS_OBJECT::VasMonRoot |
Virtual Address Space monitor root.
Definition at line 238 of file winprocess.h.
| DWORD _WIN_PROCESS_OBJECT::Wow64Process |
TRUE if this is a 32 bit process on a 64 bit OS.
Definition at line 123 of file winprocess.h.
Referenced by IntExceptVerifyCodeBlocksSig(), IntExceptVerifyExportSig(), IntExceptVerifyValueCodeSig(), IntExceptVerifyValueSig(), IntWinGetPrcoCmdLineHandleCmdLineInMemory(), IntWinGetPrcoCmdLineHandleUserParamsInMemory(), IntWinModHandleModulePathInMemory(), IntWinProcCreateProcessObject(), IntWinProcDump(), IntWinThrHandleQueueApc(), IntWinThrHandleThreadHijack(), and IntWinUmCheckInitializationInjection().
1.8.13