Bitdefender Hypervisor Memory Introspection
windeployer.c File Reference
#include "windeployer.h"
#include "winagent.h"
#include "alerts.h"
#include "guests.h"
#include "winagent_dummy_Win32.h"
#include "winagent_dummy_x64.h"
#include "winagent_gather_Win32.h"
#include "winagent_gather_x64.h"
#include "winagent_killer_Win32.h"
#include "winagent_killer_x64.h"
#include "winpe.h"
#include "winprocesshp.h"


Functions

static INTSTATUS IntWinDepDeploy (QWORD GuestVirtualAddress, DWORD AgentTag, void *Context)
 Boot agent deployment callback.
 
static INTSTATUS IntWinDepComplete (QWORD GuestVirtualAddress, DWORD ErrorCode, DWORD AgentTag, void *Context)
 Called once the boot driver finishes starting the agent inside the guest.
 
static INTSTATUS IntWinFormatAgentKillerCommandLine (char *CommandLine, DWORD Length)
 Formats the agent killer command line.
 
INTSTATUS IntWinDepInjectProcess (DWORD AgentTag, PBYTE AgentContent, DWORD AgentSize, const CHAR *Name, const CHAR *Args)
 Inject a process inside a Windows guest.
 
INTSTATUS IntWinDepInjectFile (PBYTE FileContent, DWORD FileSize, const CHAR *Name)
 Inject a file inside the Windows guest.
 

Function Documentation

◆ IntWinDepComplete()

static INTSTATUS IntWinDepComplete ( QWORD  GuestVirtualAddress,
DWORD  ErrorCode,
DWORD  AgentTag,
void *  Context 
)
static

Called once the boot driver finishes starting the agent inside the guest.

This callback is invoked once the boot driver has finished execution inside the guest. On success (ErrorCode 0) this means that either the process agent has been started or the file agent has been written to disk. Any non-zero ErrorCode means the agent was injected but did not start (or the file was not written), even though the deployment callback has already reported the injection.

Parameters
  [in] GuestVirtualAddress  Unused.
  [in] ErrorCode            Injection error code; 0 indicates success.
  [in] AgentTag             The agent tag.
  [in] Context              The optional context.
Return values
  INT_STATUS_SUCCESS  On success.

Definition at line 69 of file windeployer.c.

Referenced by IntWinDepInjectFile(), and IntWinDepInjectProcess().

◆ IntWinDepDeploy()

static INTSTATUS IntWinDepDeploy ( QWORD  GuestVirtualAddress,
DWORD  AgentTag,
void *  Context 
)
static

Boot agent deployment callback.

This is the injection callback, called once the boot driver has been successfully injected inside the guest. It sends an introEventAgentEvent with the agentInjected event type, indicating that the agent has been injected. NOTE: this event does not indicate that the injected agent has actually started; starting it may still fail, and that outcome is only known when the completion callback (IntWinDepComplete) runs.

Parameters
  [in] GuestVirtualAddress  Guest linear address (Gla) where the boot driver has been injected.
  [in] AgentTag             The agent tag.
  [in] Context              Optional context.
Return values
  INT_STATUS_SUCCESS  On success.

Definition at line 20 of file windeployer.c.

Referenced by IntWinDepInjectFile(), and IntWinDepInjectProcess().

◆ IntWinDepInjectFile()

INTSTATUS IntWinDepInjectFile ( PBYTE  FileContent,
DWORD  FileSize,
const CHAR Name 
)

Inject a file inside the Windows guest.

This function injects a file inside the guest. The file is written to the %System% folder, so use a name that will not conflict with files that may already exist there; an existing file with the same name would be silently affected.

Parameters
  [in] FileContent  The file contents to be injected.
  [in] FileSize     The file size, in bytes.
  [in] Name         The file name (a bare file name, placed in %System%).
Return values
  INT_STATUS_SUCCESS  On success.

Definition at line 294 of file windeployer.c.

Referenced by IntDepInjectFile().

◆ IntWinDepInjectProcess()

INTSTATUS IntWinDepInjectProcess ( DWORD  AgentTag,
PBYTE  AgentContent,
DWORD  AgentSize,
const CHAR Name,
const CHAR Args 
)

Inject a process inside a Windows guest.

Injects a process inside the Windows guest. The executable is first written to the %System% folder, so use a name that will not conflict with existing files in that folder. The process is started under the SYSTEM user by default, so the injected image runs with full privileges inside the guest and must be trusted accordingly.

Parameters
  [in] AgentTag      Tag used to identify the agent. Some tags are predefined and reserved:
  [in] AgentContent  Unless AgentTag indicates a predefined agent, this must be supplied.
  [in] AgentSize     Size of the AgentContent buffer, in bytes.
  [in] Name          Agent name. The process will have this name inside the guest.
  [in] Args          Optional arguments to be passed to the agent.
Return values
  INT_STATUS_SUCCESS            On success.
  INT_STATUS_INVALID_PARAMETER  If an invalid parameter is supplied.

Definition at line 137 of file windeployer.c.

Referenced by IntDepInjectProcess().
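The following is an added example and not code from the HVMI project. It is a stand-alone C model of the contract documented for IntWinDepInjectProcess and IntWinDepInjectFile above: parameter validation (content required unless the tag is predefined, a bare file name because the image lands in %System%), followed by the two-stage callback sequence in which the deploy callback only reports injection and the completion callback's ErrorCode decides whether the agent actually ran. The tag values, the status-code value, the placeholder agent images, the file-name rule and the simulated guest error are all assumptions made for illustration.

```c
/* Added example: a model of the deployment contract, NOT HVMI code.
 * Tag values, status values, images and the name rule are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef int32_t INTSTATUS;
#define INT_STATUS_SUCCESS            ((INTSTATUS)0)
#define INT_STATUS_INVALID_PARAMETER  ((INTSTATUS)-2)   /* assumed value */

/* Assumed tag namespace: TAG_CUSTOM means the caller supplies the image. */
enum { TAG_CUSTOM = 0, TAG_DUMMY = 1, TAG_GATHER = 2, TAG_KILLER = 3 };

/* Constructed placeholder images standing in for the embedded agents. */
static const uint8_t g_dummy_image[]  = { 'M', 'Z', 0x00, 0x01 };
static const uint8_t g_gather_image[] = { 'M', 'Z', 0x00, 0x02 };
static const uint8_t g_killer_image[] = { 'M', 'Z', 0x00, 0x03 };

/* What the caller learns from the two callbacks. */
struct agent_state {
    int      injected;   /* deploy callback fired: boot driver is in the guest */
    int      started;    /* completion callback reported ErrorCode 0 */
    uint32_t error;      /* ErrorCode from the completion callback */
    uint64_t driver_gla; /* Gla reported by the deploy callback */
    uint32_t image_size; /* size of the image that was dropped */
};

/* Mirrors IntWinDepDeploy: only says "injected", never "started". */
static INTSTATUS dep_deploy(uint64_t GuestVirtualAddress, uint32_t AgentTag, void *Context)
{
    struct agent_state *s = Context;
    (void)AgentTag;
    s->injected   = 1;
    s->driver_gla = GuestVirtualAddress;
    return INT_STATUS_SUCCESS;
}

/* Mirrors IntWinDepComplete: ErrorCode 0 is the only success signal. */
static INTSTATUS dep_complete(uint64_t GuestVirtualAddress, uint32_t ErrorCode,
                              uint32_t AgentTag, void *Context)
{
    struct agent_state *s = Context;
    (void)GuestVirtualAddress; (void)AgentTag;
    s->error   = ErrorCode;
    s->started = (ErrorCode == 0);
    return INT_STATUS_SUCCESS;
}

/* Resolve a predefined tag to its embedded image; returns 0 for custom tags. */
static int builtin_image(uint32_t tag, const uint8_t **content, uint32_t *size)
{
    switch (tag) {
    case TAG_DUMMY:  *content = g_dummy_image;  *size = sizeof g_dummy_image;  return 1;
    case TAG_GATHER: *content = g_gather_image; *size = sizeof g_gather_image; return 1;
    case TAG_KILLER: *content = g_killer_image; *size = sizeof g_killer_image; return 1;
    default:         return 0;
    }
}

/* Parameter contract: content required unless the tag is predefined; the name
 * must be a bare file name (assumed rule) since it is dropped into %System%. */
static INTSTATUS dep_validate(uint32_t tag, const uint8_t *content, uint32_t size,
                              const char *name)
{
    const uint8_t *img; uint32_t img_sz;
    if (name == NULL || name[0] == '\0')
        return INT_STATUS_INVALID_PARAMETER;
    if (strpbrk(name, "\\/:") != NULL || strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return INT_STATUS_INVALID_PARAMETER;
    if (!builtin_image(tag, &img, &img_sz) && (content == NULL || size == 0))
        return INT_STATUS_INVALID_PARAMETER;
    return INT_STATUS_SUCCESS;
}

/* Model of the injection flow: validate, pick the image, then run the
 * deploy/complete sequence. guest_error stands in for what the boot driver
 * would report from inside the guest (0 = agent started). */
static INTSTATUS dep_inject_process(uint32_t tag, const uint8_t *content, uint32_t size,
                                    const char *name, uint32_t guest_error,
                                    struct agent_state *out)
{
    const uint8_t *img; uint32_t img_sz;
    INTSTATUS st = dep_validate(tag, content, size, name);
    if (st != INT_STATUS_SUCCESS)
        return st;
    if (!builtin_image(tag, &img, &img_sz)) { img = content; img_sz = size; }
    memset(out, 0, sizeof *out);
    out->image_size = img_sz;
    dep_deploy(0xFFFFF80000400000ULL, tag, out);   /* boot driver injected (assumed Gla) */
    dep_complete(0, guest_error, tag, out);        /* agent start reported separately */
    return INT_STATUS_SUCCESS;
}

int main(void)
{
    struct agent_state s;
    dep_inject_process(TAG_DUMMY, NULL, 0, "hvmi_dummy.exe", 5, &s);
    printf("injected=%d started=%d error=%u\n", s.injected, s.started, s.error);
    return 0;
}
```

The point the model makes explicit is the one the documentation warns about: after a successful call the caller has only been told that the boot driver was injected, and must wait for the completion callback and check its ErrorCode before assuming the agent (or the dropped file) is in place.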

◆ IntWinFormatAgentKillerCommandLine()

static INTSTATUS IntWinFormatAgentKillerCommandLine ( char *  CommandLine,
DWORD  Length 
)
static

Formats the agent killer command line.

Parameters
  [in] CommandLine  Buffer that receives the agent killer command line.
  [in] Length       Size of the command line buffer.
Return values
  INT_STATUS_SUCCESS  On success.

Definition at line 119 of file windeployer.c.

Referenced by IntWinDepInjectProcess().