windpi.c

Go to the documentation of this file.

/*
 * Copyright (c) 2020 Bitdefender
 * SPDX-License-Identifier: Apache-2.0
 */
#include "windpi.h"
#include "alerts.h"
#include "winprocesshp.h"
#include "winselfmap.h"
#include "winstack.h"
#include "winthread.h"
#include "wintoken.h"
#include "shellcode.h"



typedef INTSTATUS
(*PFUNC_IntWinDpiProcessCreationHandler)(
    _In_ WIN_PROCESS_OBJECT *Child,
    _In_ WIN_PROCESS_OBJECT *RealParent,
    _Out_ WIN_PROCESS_OBJECT **Originator,
    _Out_ WIN_PROCESS_OBJECT **Victim,
    _Out_ INTRO_PC_VIOLATION_TYPE *PcType
    );


__forceinline
static MITRE_ID
IntWinDpiGetDpiMitreId(
    _In_ INTRO_PC_VIOLATION_TYPE Flags
    )
{
    // In theory, we could have multiple DPI flags set (Stolen
    // Token + Debug Flag - for example). In this case we are
    // going to pick the most dangerous type of attack.

    if (INT_PC_VIOLATION_DPI_STOLEN_TOKEN & Flags)
    {
        return idAccessToken;
    }

    if (INT_PC_VIOLATION_DPI_TOKEN_PRIVS & Flags)
    {
        return idAccessToken;
    }

    if (INT_PC_VIOLATION_DPI_PIVOTED_STACK & Flags)
    {
        return idExploitClientExec;
    }

    if (INT_PC_VIOLATION_DPI_DEBUG_FLAG & Flags)
    {
        return idTrustedDevUtil;
    }

    if (INT_PC_VIOLATION_DPI_HEAP_SPRAY & Flags)
    {
        return idExploitClientExec;
    }

    if (INT_PC_VIOLATION_DPI_THREAD_START & Flags)
    {
        return idExploitClientExec;
    }

    LOG("[ERROR] We do not have any known DPI flag set -> Flags:0x%x\n", Flags);
    return 0;
}


static INTSTATUS
IntWinDpiSendProcessCreationViolation(
    _In_ WIN_PROCESS_OBJECT *VictimProc,
    _In_ WIN_PROCESS_OBJECT *OriginatorProc,
    _In_ INTRO_ACTION Action,
    _In_ INTRO_ACTION_REASON Reason,
    _In_ INTRO_PC_VIOLATION_TYPE PcType
    )
{
    INTSTATUS status;
    EVENT_PROCESS_CREATION_VIOLATION *pEvent;
    DPI_EXTRA_INFO *extraInfo;

    pEvent = &gAlert.ProcessCreation;
    memzero(pEvent, sizeof(*pEvent));

    pEvent->Header.Action = Action;
    pEvent->Header.Reason = Reason;
    pEvent->Header.MitreID = idExecApi;

    pEvent->Header.Flags = IntAlertProcGetFlags(PROC_OPT_PROT_PREVENT_CHILD_CREATION, VictimProc, Reason, 0);

    IntAlertFillCpuContext(TRUE, &pEvent->Header.CpuContext);

    IntAlertFillWinProcessByCr3(pEvent->Header.CpuContext.Cr3,
                                &pEvent->Header.CurrentProcess);

    IntAlertFillVersionInfo(&pEvent->Header);

    IntAlertFillWinProcess(VictimProc, &pEvent->Victim);
    IntAlertFillWinProcess(OriginatorProc, &pEvent->Originator);

    pEvent->PcType = PcType;
    if (pEvent->PcType)
    {
        pEvent->Header.MitreID = IntWinDpiGetDpiMitreId(pEvent->PcType);
    }

    if (pEvent->PcType == INT_PC_VIOLATION_DPI_DEBUG_FLAG)
    {
        extraInfo = &VictimProc->DpiExtraInfo;
    }
    else
    {
        extraInfo = &OriginatorProc->DpiExtraInfo;
    }

    IntAlertFillDpiExtraInfo(extraInfo, pEvent->PcType, VictimProc, &pEvent->DpiExtraInfo);

    status = IntNotifyIntroEvent(introEventProcessCreationViolation, pEvent, sizeof(*pEvent));
    if (!INT_SUCCESS(status))
    {
        WARNING("[WARNING] IntNotifyIntroEvent failed: 0x%08x\n", status);
    }

    return INT_STATUS_SUCCESS;
}


static __forceinline BOOLEAN
IntWinDpiIsSelf(
    _In_ WIN_PROCESS_OBJECT const *First,
    _In_ WIN_PROCESS_OBJECT const *Second)
{
    if (memcmp(First->Name, Second->Name, IMAGE_BASE_NAME_LEN) == 0)
    {
        return First->MainModuleAddress == Second->MainModuleAddress;
    }

    return FALSE;
}


static INTSTATUS
IntWinDpiHandleNormalCreationRights(
    _In_ WIN_PROCESS_OBJECT *Child,
    _In_ WIN_PROCESS_OBJECT *RealParent,
    _Out_ WIN_PROCESS_OBJECT **Originator,
    _Out_ WIN_PROCESS_OBJECT **Victim,
    _Out_ INTRO_PC_VIOLATION_TYPE *PcType
    )
{
    *Originator = NULL;
    *Victim = NULL;
    *PcType = 0;

    if (!(RealParent->ProtectionMask & PROC_OPT_PROT_PREVENT_CHILD_CREATION))
    {
        return INT_STATUS_NOT_NEEDED_HINT;
    }

    if (IntWinDpiIsSelf(Child, RealParent))
    {
        return INT_STATUS_NOT_NEEDED_HINT;
    }

    *Originator = Child;
    *Victim = RealParent;
    *PcType = 0;

    return INT_STATUS_SUCCESS;
}


static INTSTATUS
IntWinDpiHandleDpiStolenToken(
    _In_ WIN_PROCESS_OBJECT *Child,
    _In_ WIN_PROCESS_OBJECT *RealParent,
    _Out_ WIN_PROCESS_OBJECT **Originator,
    _Out_ WIN_PROCESS_OBJECT **Victim,
    _Out_ INTRO_PC_VIOLATION_TYPE *PcType
    )
{
    *Originator = NULL;
    *Victim = NULL;
    *PcType = 0;

    if (!(gGuest.CoreOptions.Current & INTRO_OPT_PROT_DPI_TOKEN_STEAL))
    {
        return INT_STATUS_NOT_NEEDED_HINT;
    }

    if (!Child->CreationInfo.TokenStolenFromEprocess)
    {
        return INT_STATUS_NOT_NEEDED_HINT;
    }

    *Originator = Child;
    *Victim = RealParent;
    *PcType = INT_PC_VIOLATION_DPI_STOLEN_TOKEN;

    return INT_STATUS_SUCCESS;
}


static INTSTATUS
IntWinDpiHandleDpiTokenPrivs(
    _In_ WIN_PROCESS_OBJECT *Child,
    _In_ WIN_PROCESS_OBJECT *RealParent,
    _Out_ WIN_PROCESS_OBJECT **Originator,
    _Out_ WIN_PROCESS_OBJECT **Victim,
    _Out_ INTRO_PC_VIOLATION_TYPE *PcType)
{
    *Originator = NULL;
    *Victim = NULL;
    *PcType = 0;

    if (!(gGuest.CoreOptions.Current & INTRO_OPT_PROT_DPI_TOKEN_PRIVS))
    {
        return INT_STATUS_NOT_NEEDED_HINT;
    }

    if (!Child->CreationInfo.ParentHasTokenPrivsAltered)
    {
        return INT_STATUS_NOT_NEEDED_HINT;
    }

    // Here there might be two possible cases:
    // a) The parent has been exploited and, after a LPE, has been put to create some new malicious process.
    // b) The parent has run an exploit in order to gain increased privileges and now runs new processes
    // which normally it should not run.
    // As a) seems the most likely scenario in the wild, we'll let it this way.
    *Originator = Child;
    *Victim = RealParent;
    *PcType = INT_PC_VIOLATION_DPI_TOKEN_PRIVS;

    return INT_STATUS_SUCCESS;
}


static INTSTATUS
IntWinDpiHandleDpiPivotedStack(
    _In_ WIN_PROCESS_OBJECT *Child,
    _In_ WIN_PROCESS_OBJECT *RealParent,
    _Out_ WIN_PROCESS_OBJECT **Originator,
    _Out_ WIN_PROCESS_OBJECT **Victim,
    _Out_ INTRO_PC_VIOLATION_TYPE *PcType
    )
{
    *Originator = NULL;
    *Victim = NULL;
    *PcType = 0;

    if (!(gGuest.CoreOptions.Current & INTRO_OPT_PROT_DPI_STACK_PIVOT))
    {
        return INT_STATUS_NOT_NEEDED_HINT;
    }

    if (!Child->CreationInfo.ParentHasPivotedStack)
    {
        return INT_STATUS_NOT_NEEDED_HINT;
    }

    if (IntWinDpiIsSelf(Child, RealParent))
    {
        return INT_STATUS_NOT_NEEDED_HINT;
    }

    // The real parent is most likely the victim here as it has the stack pivoted, but this may not always
    // mean that it is without sin, as it can end up in this way after a process hollow (in which case
    // the _IntWinProcIsSelf check from above should be removed)
    *Originator = Child;
    *Victim = RealParent;
    *PcType = INT_PC_VIOLATION_DPI_PIVOTED_STACK;

    return INT_STATUS_SUCCESS;
}


static INTSTATUS
IntWinDpiHandleDpiDebug(
    _In_ WIN_PROCESS_OBJECT *Child,
    _In_ WIN_PROCESS_OBJECT *RealParent,
    _Out_ WIN_PROCESS_OBJECT **Originator,
    _Out_ WIN_PROCESS_OBJECT **Victim,
    _Out_ INTRO_PC_VIOLATION_TYPE *PcType
    )
{
    *Originator = NULL;
    *Victim = NULL;
    *PcType = 0;

    if (!(gGuest.CoreOptions.Current & INTRO_OPT_PROT_DPI_DEBUG))
    {
        return INT_STATUS_NOT_NEEDED_HINT;
    }

    if (!Child->CreationInfo.DebuggerEprocess)
    {
        return INT_STATUS_NOT_NEEDED_HINT;
    }

    if (IntWinDpiIsSelf(Child, RealParent))
    {
        return INT_STATUS_NOT_NEEDED_HINT;
    }

    *Originator = RealParent;
    *Victim = Child;
    *PcType = INT_PC_VIOLATION_DPI_DEBUG_FLAG;

    return INT_STATUS_SUCCESS;
}


static INTSTATUS
IntWinDpiHandleDpiHeapSpray(
    _In_ WIN_PROCESS_OBJECT *Child,
    _In_ WIN_PROCESS_OBJECT *RealParent,
    _Out_ WIN_PROCESS_OBJECT **Originator,
    _Out_ WIN_PROCESS_OBJECT **Victim,
    _Out_ INTRO_PC_VIOLATION_TYPE *PcType
    )
{
    *Originator = NULL;
    *Victim = NULL;
    *PcType = 0;

    if (!(gGuest.CoreOptions.Current & INTRO_OPT_PROT_DPI_HEAP_SPRAY))
    {
        return INT_STATUS_NOT_NEEDED_HINT;
    }

    if (!Child->CreationInfo.ParentHasBeenHeapSprayed)
    {
        return INT_STATUS_NOT_NEEDED_HINT;
    }

    // It's the same as in the case of pivoted stack.
    *Originator = Child;
    *Victim = RealParent;
    *PcType = INT_PC_VIOLATION_DPI_HEAP_SPRAY;

    return INT_STATUS_SUCCESS;
}


static INTSTATUS
IntWinDpiHandleDpiThreadStart(
    _In_ WIN_PROCESS_OBJECT *Child,
    _In_ WIN_PROCESS_OBJECT *RealParent,
    _Out_ WIN_PROCESS_OBJECT **Originator,
    _Out_ WIN_PROCESS_OBJECT **Victim,
    _Out_ INTRO_PC_VIOLATION_TYPE *PcType
    )
{
    *Originator = NULL;
    *Victim = NULL;
    *PcType = 0;

    if (!(gGuest.CoreOptions.Current & INTRO_OPT_PROT_DPI_THREAD_SHELL))
    {
        return INT_STATUS_NOT_NEEDED_HINT;
    }

    if (!Child->CreationInfo.ParentThreadSuspicious)
    {
        return INT_STATUS_NOT_NEEDED_HINT;
    }

    // It's the same as in the case of pivoted stack.
    *Originator = Child;
    *Victim = RealParent;
    *PcType = INT_PC_VIOLATION_DPI_THREAD_START;

    return INT_STATUS_SUCCESS;
}


static QWORD
IntWinDpiGetViolationAddress(
    _In_ INTRO_PC_VIOLATION_TYPE PcType,
    _In_ WIN_PROCESS_OBJECT *Originator,
    _In_ WIN_PROCESS_OBJECT *Victim
    )
{
    UNREFERENCED_PARAMETER(Victim);

    if (PcType == INT_PC_VIOLATION_DPI_HEAP_SPRAY)
    {
        WORD maxNumberOfHeapVals = 0;
        DWORD maxPageHeapVals = 0;

        for (DWORD val = 0x1; val < HEAP_SPRAY_NR_PAGES; val++)
        {
            QWORD heapVal = (val << 24) | (val << 16) | (val << 8) | val;

            if (Originator->DpiExtraInfo.DpiHeapSprayExtraInfo.HeapPages[val - 1].Detected)
            {
                return (heapVal & PAGE_MASK) + Originator->DpiExtraInfo.DpiHeapSprayExtraInfo.HeapPages[val - 1].Offset;
            }

            if (Originator->DpiExtraInfo.DpiHeapSprayExtraInfo.HeapPages[val - 1].HeapValCount >= maxNumberOfHeapVals &&
                Originator->DpiExtraInfo.DpiHeapSprayExtraInfo.HeapPages[val - 1].Mapped)
            {
                maxNumberOfHeapVals = (WORD)Originator->DpiExtraInfo.DpiHeapSprayExtraInfo.HeapPages[val - 1].HeapValCount;
                maxPageHeapVals = heapVal & PAGE_MASK;
            }
        }

        // If nothing was detected, there should be a page containing heap values.
        return maxPageHeapVals;
    }
    else if (PcType == INT_PC_VIOLATION_DPI_THREAD_START)
    {
        return Originator->DpiExtraInfo.DpiThreadStartExtraInfo.StartAddress;
    }

    return 0;
}


void
IntWinDpiForceFeedbackIfNeeded(
    _In_ INTRO_PC_VIOLATION_TYPE PcType,
    _In_ WIN_PROCESS_OBJECT *Originator,
    _In_ WIN_PROCESS_OBJECT *Victim,
    _Inout_ INTRO_ACTION *Action,
    _Inout_ INTRO_ACTION_REASON *Reason
    )
{
    QWORD scflags = 0;

    UNREFERENCED_PARAMETER(Victim);

    switch (PcType)
    {
        case INT_PC_VIOLATION_DPI_HEAP_SPRAY:
            // Since we will break on the first page which is detected through shemu, we won't keep a per-page
            // shellcode flags, but rather the flags of the first detected page.
            scflags = Originator->DpiExtraInfo.DpiHeapSprayExtraInfo.ShellcodeFlags;
            break;
        case INT_PC_VIOLATION_DPI_THREAD_START:
            scflags = Originator->DpiExtraInfo.DpiThreadStartExtraInfo.ShellcodeFlags;
            break;
        default:
            return;
    }

    // The detection may have been given due to something else (e.g. on heap spray due to heap vals).
    if (scflags == 0)
    {
        return;
    }

    // Shellcode flags (as set by the shellcode emulator) may be overriden via CAMI. A flag marked for feedback
    // will cause the alert to be logged & sent, but no actual detection will appear. Note that we force feedback
    // for shellcode flags if and only if all the reported flags are marked as feedback. If there is a single
    // shellcode flag set that is not feedback, a normal detection will be generated.
    if ((scflags & gGuest.ShemuOptions.Feedback) != 0 &&
        (scflags & ~gGuest.ShemuOptions.Feedback) == 0)
    {
        LOG("Current scflags 0x%016llx shemu feedback 0x%016llx, will force feedback!\n", scflags, gGuest.ShemuOptions.Feedback);
        *Action = introGuestAllowed;
        *Reason = introReasonAllowedFeedback;
    }
}


INTRO_ACTION
IntWinDpiCheckCreation(
    _In_ WIN_PROCESS_OBJECT *Child,
    _In_ WIN_PROCESS_OBJECT *RealParent
    )
{
    INTRO_ACTION retAction = introGuestAllowed;

    // The order here matters:
    //  1. Check for creations that violate the PROC_OPT_PROT_PREVENT_CHILD_CREATION flag because if that one is
    // set it means that someone asked us to block process creations from a specific process
    //  2. Check for stolen tokens
    //  3. Check for token privileges altered in a malicious way.
    //  4. Check for pivoted stack
    //  5. Check for a debug flag
    //  6. Check for a heap spray
    //  7. Check if a thread was created on a zone considered suspicious
    // The first check that generates an alert sends it and we don't do the other checks (unless in beta/feedback only,
    // when we want to see everything)
    PFUNC_IntWinDpiProcessCreationHandler handlers[] =
    {
        IntWinDpiHandleNormalCreationRights,
        IntWinDpiHandleDpiStolenToken,
        IntWinDpiHandleDpiTokenPrivs,
        IntWinDpiHandleDpiPivotedStack,
        IntWinDpiHandleDpiDebug,
        IntWinDpiHandleDpiHeapSpray,
        IntWinDpiHandleDpiThreadStart
    };

    for (DWORD i = 0; i < ARRAYSIZE(handlers); i++)
    {
        PFUNC_IntWinDpiProcessCreationHandler handler = handlers[i];
        INTSTATUS status;
        EXCEPTION_UM_ORIGINATOR originator = { 0 };
        EXCEPTION_VICTIM_ZONE victim = { 0 };
        WIN_PROCESS_OBJECT *procOrig = NULL;
        WIN_PROCESS_OBJECT *procVictim = NULL;
        INTRO_ACTION action;
        INTRO_ACTION_REASON reason;
        INTRO_PC_VIOLATION_TYPE pcType;
        QWORD protFlag;
        QWORD address;

        action = introGuestNotAllowed;
        reason = introReasonInternalError;

        status = handler(Child, RealParent, &procOrig, &procVictim, &pcType);
        if (!INT_SUCCESS(status))
        {
            ERROR("[ERROR] Process creation violation callback %d failed: 0x%08x\n", i, status);
            continue;
        }
        else if (INT_STATUS_NOT_NEEDED_HINT == status)
        {
            // This handler does not apply in this case, go to the next one
            continue;
        }

        address = IntWinDpiGetViolationAddress(pcType, procOrig, procVictim);

        status = IntExceptUserGetOriginator(procOrig, FALSE, address, NULL, &originator);
        if (!INT_SUCCESS(status))
        {
            ERROR("[ERROR] IntExceptUserGetOriginator failed: 0x%08x\n", status);
            goto _send_alert;
        }

        status = IntExceptGetVictimProcessCreation(procVictim,
                                                   pcType ? introObjectTypeProcessCreationDpi :
                                                            introObjectTypeProcessCreation,
                                                   &victim);
        if (!INT_SUCCESS(status))
        {
            ERROR("[ERROR] IntExceptGetVictimProcessCreation failed: 0x%08x\n", status);
            goto _send_alert;
        }

        originator.PcType = pcType;

        IntExcept(&victim, &originator, exceptionTypeUm, &action, &reason, introEventProcessCreationViolation);

_send_alert:
        protFlag = pcType ? INTRO_OPT_PROT_DPI : PROC_OPT_PROT_PREVENT_CHILD_CREATION;

        IntWinDpiForceFeedbackIfNeeded(pcType, procOrig, procVictim, &action, &reason);

        if (IntPolicyCoreTakeAction(protFlag, &action, &reason))
        {
            status = IntWinDpiSendProcessCreationViolation(procVictim, procOrig, action, reason, pcType);
            if (!INT_SUCCESS(status))
            {
                ERROR("[ERROR] IntWinProcSendProcessCreationViolation failed with status: 0x%08x.\n", status);
            }

            IntPolicyCoreForceBetaIfNeeded(protFlag, &action);
        }

        // Keep the highest action as the final action
        retAction = MAX(retAction, action);
        if (introGuestNotAllowed == action &&
            reason != introReasonAllowedFeedback)    // We want to keep going if this is a feedback only alert
        {
            break;
        }
    }

    return retAction;
}


static INTSTATUS
IntWinDpiGetProcessDebugFlag(
    _Inout_ WIN_PROCESS_OBJECT *Process,
    _In_ QWORD DebugHandle
    )
{
    INTSTATUS status;
    QWORD currentThread = 0;
    QWORD attachedEprocess = 0;
    QWORD flags = 0;
    QWORD debugPort = 0;
    WIN_PROCESS_OBJECT *attachedProc = NULL;

    // From IDA: if the fifth parameter (or fourth on windows 7) is a valid handle, then the current process
    // is debugged by the caller to PspInsertProcess (which will be the Real Parent Process in this case).
    if (DebugHandle)
    {
        // The debugger is the real parent process.
        Process->CreationInfo.DebuggerEprocess = Process->RealParentEprocess;
        return INT_STATUS_SUCCESS;
    }

    status = IntWinThrGetCurrentThread(gVcpu->Index, &currentThread);
    if (!INT_SUCCESS(status))
    {
        ERROR("[ERROR] IntWinThrGetCurrentThread failed: 0x%08x\n", status);
        return status;
    }

    status = IntKernVirtMemRead(currentThread + WIN_KM_FIELD(Thread, AttachedProcess),
                                gGuest.WordSize,
                                &attachedEprocess,
                                NULL);
    if (!INT_SUCCESS(status))
    {
        ERROR("[ERROR] IntKernVirtMemRead failed: 0x%08x\n", status);
        return status;
    }

    status = IntKernVirtMemRead(attachedEprocess + WIN_KM_FIELD(Process, Flags),
                                gGuest.WordSize,
                                &flags,
                                NULL);
    if (!INT_SUCCESS(status))
    {
        ERROR("[ERROR] IntKernVirtMemRead failed: 0x%08x\n", status);
        return status;
    }

    status = IntKernVirtMemRead(attachedEprocess + WIN_KM_FIELD(Process, DebugPort),
                                gGuest.WordSize,
                                &debugPort,
                                NULL);
    if (!INT_SUCCESS(status))
    {
        ERROR("[ERROR] IntKernVirtMemRead failed: 0x%08x\n", status);
        return status;
    }

    attachedProc = IntWinProcFindObjectByEprocess(attachedEprocess);
    if (NULL == attachedProc)
    {
        ERROR("[ERROR] Attached process with EPROCESS: 0x%016llx is NULL!\n", attachedEprocess);
        return INT_STATUS_NOT_FOUND;
    }

    // From IDA: If the attached process has the NoInheritDebug flag NOT set (flag 2) and has a debug port object set,
    // then the process inherits the debug port object from the attached process. In this case, the debugger for the
    // current process is identical to the debugger of the attached process.
    if (debugPort && (flags & WIN_KM_FIELD(EprocessFlags, NoDebugInherit)) == 0)
    {
        // The debugger is the attached process's debugger.
        Process->CreationInfo.DebuggerEprocess = attachedProc->CreationInfo.DebuggerEprocess;
    }

    return INT_STATUS_SUCCESS;
}


static INTSTATUS
IntWinDpiValidatePivotedStack(
    _In_ WIN_PROCESS_OBJECT *Process,
    _In_opt_ WIN_PROCESS_OBJECT *RealParent
    )
{
    INTSTATUS status = INT_STATUS_SUCCESS;
    QWORD userRsp = 0;
    DWORD segCs = 0;
    BOOLEAN fallback = TRUE;
    BOOLEAN isPivotedWow64 = FALSE;

    // We only fallback to stack-parsing for trap frame if the current process is not a
    // system one and his parent is not the System process.
    if (RealParent)
    {
        fallback = !Process->SystemProcess && RealParent->Pid != 4;
    }

    status = IntWinStackUserTrapFrameGetGeneric(&userRsp, &segCs, fallback, &Process->DpiExtraInfo);
    if (!INT_SUCCESS(status))
    {
        // If we fail to get the TrapFrame for a system process creation or when the parent has pid 4
        // or we choose to skip the check operation for another reason
        // we will consider that the stack isn't pivoted
        if (!fallback || INT_STATUS_NOT_NEEDED_HINT == status)
        {
            Process->CreationInfo.ParentHasPivotedStack = FALSE;

            status = INT_STATUS_SUCCESS;
        }
        else
        {
            ERROR("[ERROR] IntWinStackUserTrapFrameGetGeneric failed: 0x%08x\n", status);
        }

        return status;
    }
    else if (INT_STATUS_NOT_NEEDED_HINT == status)
    {
        return status;
    }

    if (NULL != RealParent && RealParent->Wow64Process)
    {
        status = IntWinStackWow64CheckIsPivoted(Process, RealParent, &Process->DpiExtraInfo);
        if (!INT_SUCCESS(status))
        {
            ERROR("[ERROR] IntWinStackWow64CheckIsPivoted failed: 0x%08x\n", status);
        }

        isPivotedWow64 = Process->CreationInfo.ParentHasPivotedStack;
        goto _skip_check_64;
    }

    status = IntWinStackUserCheckIsPivoted(userRsp, segCs, FALSE, &Process->DpiExtraInfo,
                                           &Process->CreationInfo.ParentHasPivotedStack);
    if (!INT_SUCCESS(status))
    {
        ERROR("[ERROR] IntWinStackUserCheckIsPivoted failed: 0x%08x.\n", status);
        return status;
    }
    else if (Process->CreationInfo.ParentHasPivotedStack)
    {
        WARNING("[WARNING] Process 0x%016llx created with pivoted stack\n", Process->EprocessAddress);
    }

_skip_check_64:
    Process->CreationInfo.ParentHasPivotedStack = Process->CreationInfo.ParentHasPivotedStack || isPivotedWow64;

    return status;
}


static INTSTATUS
IntWinDpiValidateParentProcessToken(
    _In_ WIN_PROCESS_OBJECT *Process,
    _In_ WIN_PROCESS_OBJECT *Parent
    )
{
    WIN_PROCESS_OBJECT *pStolenFrom;

    if (IntWinTokenPtrIsStolen(Parent, TRUE, &pStolenFrom, NULL, NULL))
    {
        Process->CreationInfo.TokenStolenFromEprocess = pStolenFrom->EprocessAddress;
        Process->DpiExtraInfo.DpiStolenTokenExtraInfo.StolenFromEprocess = pStolenFrom->EprocessAddress;
    }

    return INT_STATUS_SUCCESS;
}


static INTSTATUS
IntWinDpiValidateTokenPrivs(
    _In_ WIN_PROCESS_OBJECT* Process,
    _In_ WIN_PROCESS_OBJECT* Parent
    )
{
    INTSTATUS status;
    BOOLEAN presentIncreased = FALSE, enabledIncreased = FALSE;
    QWORD present = 0, enabled = 0;

    status = IntWinTokenCheckCurrentPrivileges(Parent,
                                               Parent->OriginalTokenPtr,
                                               &presentIncreased,
                                               &enabledIncreased,
                                               &present,
                                               &enabled);
    if (!INT_SUCCESS(status))
    {
        if (INT_STATUS_PAGE_NOT_PRESENT == status || INT_STATUS_NO_MAPPING_STRUCTURES == status)
        {
            // Don't propagate the error, just warn it, as it is benign.
            WARNING("[WARNING] IntWinTokenCheckCurrentPrivileges failed: 0x%08x\n", status);
            return INT_STATUS_SUCCESS;
        }

        return status;
    }

    if (presentIncreased || enabledIncreased || Parent->PrivsChangeDetected)
    {
        Process->CreationInfo.ParentHasTokenPrivsAltered = TRUE;

        Process->DpiExtraInfo.DpiTokenPrivsExtraInfo.OldPresent = Parent->OriginalPresentPrivs;
        Process->DpiExtraInfo.DpiTokenPrivsExtraInfo.OldEnabled = Parent->OriginalEnabledPrivs;
        Process->DpiExtraInfo.DpiTokenPrivsExtraInfo.NewPresent = present;
        Process->DpiExtraInfo.DpiTokenPrivsExtraInfo.NewEnabled = enabled;
    }

    return INT_STATUS_SUCCESS;
}


static INTSTATUS
IntWinDpiValidateHeapSpray(
    _Inout_ WIN_PROCESS_OBJECT *Process,
    _In_ WIN_PROCESS_OBJECT *Parent
    )
{
    INTSTATUS status;
    DWORD totalHeapValCnt = 0;
    DWORD totalMappedPages = 0;

    if (gGuest.Guest64 && !Parent->Wow64Process)
    {
        return INT_STATUS_NOT_NEEDED_HINT;
    }

    for (DWORD val = 0x1; val <= HEAP_SPRAY_NR_PAGES; val++)
    {
        DWORD heapVal = (val << 24) | (val << 16) | (val << 8) | val;
        BYTE *mappedBytes;
        WORD heapValCnt = 0;
        BOOLEAN foundFirstNops = FALSE;
        DWORD firstNopOccurrence = 0;
        IG_ARCH_REGS regs = { 0 };
        QWORD shflags = 0;
        VA_TRANSLATION tr = { 0 };

        status = IntTranslateVirtualAddressEx(heapVal & PAGE_MASK, Parent->Cr3, 0, &tr);
        if (!INT_SUCCESS(status))
        {
            continue;
        }

        if (!(tr.Flags & PT_P))
        {
            continue;
        }

        status = IntVirtMemMap(heapVal & PAGE_MASK, PAGE_SIZE, Parent->Cr3, 0, &mappedBytes);
        if (!INT_SUCCESS(status))
        {
            continue;
        }

        Process->DpiExtraInfo.DpiHeapSprayExtraInfo.HeapPages[val - 1].Mapped = 1;
        Process->DpiExtraInfo.DpiHeapSprayExtraInfo.HeapPages[val - 1].Executable = tr.IsExecutable;

        totalMappedPages++;

        for (DWORD i = 0; i < PAGE_SIZE; i++)
        {
            if (i % 4 == 0)
            {
                if (((DWORD *)mappedBytes)[i / 4] == heapVal)
                {
                    heapValCnt++;
                    totalHeapValCnt++;
                }
            }

            if (mappedBytes[i] == 0x90 && !foundFirstNops)
            {
                if (i > 0 && mappedBytes[i - 1] == 0x90)
                {
                    firstNopOccurrence = i;
                    foundFirstNops = TRUE;
                }
            }
        }

        IntVirtMemUnmap(&mappedBytes);

        Process->DpiExtraInfo.DpiHeapSprayExtraInfo.HeapPages[val - 1].HeapValCount = heapValCnt;

        // For now a sign of heap spraying is that at least a quarter of the page is filled
        // with the value that we mapped.
        if (heapValCnt >= PAGE_SIZE / 16)
        {
            Process->CreationInfo.ParentHasBeenHeapSprayed = TRUE;
            break;
        }

        // At this point, if there was not any nop sequence found from where to start the emulation
        // the firstNopOccurrence variable will be equal to 0. We'll start the emulation from the
        // beginning of the page, as the shellcode might have spawned on multiple pages.

        regs.Rip = (heapVal & PAGE_MASK) + firstNopOccurrence;
        regs.Cr3 = Parent->Cr3;
        // Dummy value, so there would not be underflows if the stack is 0 and some instruction
        // accesses something on the stack, behind RSP.
        regs.Rsp = 0x10000;

        status = IntShcIsSuspiciousCode((heapVal & PAGE_MASK) + firstNopOccurrence,
                                        tr.PhysicalAddress,
                                        IG_CS_TYPE_32B,
                                        &regs,
                                        &shflags);
        if (!INT_SUCCESS(status))
        {
            ERROR("[ERROR] IntShcIsSuspiciousCode failed: 0x%08x\n", status);
            return status;
        }

        if (shflags != 0)
        {
            Process->DpiExtraInfo.DpiHeapSprayExtraInfo.ShellcodeFlags = shflags;
            Process->DpiExtraInfo.DpiHeapSprayExtraInfo.HeapPages[val - 1].Detected = 1;
            Process->DpiExtraInfo.DpiHeapSprayExtraInfo.HeapPages[val - 1].Offset = firstNopOccurrence;
            Process->CreationInfo.ParentHasBeenHeapSprayed = TRUE;
            // There's no point in continuing, other than statistics.
            break;
        }

    }

    // Very heuristically: if we have mapped 5 pages and we found at least 500 heap values, then we consider
    // it was heap sprayed.
    if (totalMappedPages > 5 && totalHeapValCnt > 500)
    {
        Process->CreationInfo.ParentHasBeenHeapSprayed = TRUE;
    }

    return INT_STATUS_SUCCESS;
}


static INTSTATUS
IntWinDpiValidateThreadStart(
    _Inout_ WIN_PROCESS_OBJECT *Process,
    _In_ WIN_PROCESS_OBJECT *Parent
    )
{
    INTSTATUS status;
    QWORD thread = 0;
    QWORD startAddress = 0;
    IG_ARCH_REGS regs = { 0 };
    IG_CS_TYPE csType;
    QWORD gpa = 0;
    QWORD scflags = 0;

    if (Process->IsAgent)
    {
        return INT_STATUS_NOT_NEEDED_HINT;
    }

    status = IntWinThrGetCurrentThread(gVcpu->Index, &thread);
    if (!INT_SUCCESS(status))
    {
        ERROR("[ERROR] IntWinThrGetCurrentThread failed: 0x%08x\n", status);
        return status;
    }

    status = IntKernVirtMemFetchWordSize(thread + WIN_KM_FIELD(Thread, Win32StartAddress), &startAddress);
    if (!INT_SUCCESS(status))
    {
        ERROR("[ERROR] IntKernVirtMemFetchWordSize failed: 0x%08x\n", status);
        return status;
    }

    status = IntTranslateVirtualAddress(startAddress, Parent->Cr3, &gpa);
    if (!INT_SUCCESS(status))
    {
        WARNING("[WARNING] IntTranslateVirtualAddress failed for 0x%016llx: 0x%08x\n", startAddress, status);

        // If the page has been swapped out, don't propagate the error.
        if (INT_STATUS_PAGE_NOT_PRESENT == status || INT_STATUS_NO_MAPPING_STRUCTURES == status)
        {
            return INT_STATUS_SUCCESS;
        }

        return status;
    }

    csType = Parent->Wow64Process || !gGuest.Guest64 ? IG_CS_TYPE_32B : IG_CS_TYPE_64B;

    regs.Rip = startAddress;
    regs.Cr3 = Parent->Cr3;
    // Dummy value, so there would not be underflows if the stack is 0 and some instruction
    // accesses something on the stack, behind RSP.
    regs.Rsp = 0x10000;

    status = IntShcIsSuspiciousCode(startAddress, gpa, csType, &regs, &scflags);
    if (!INT_SUCCESS(status))
    {
        ERROR("[ERROR] IntShcIsSuspiciousCode failed: 0x%08x\n", status);
        return status;
    }

    if (scflags != 0)
    {
        VAD vad = { 0 };
        QWORD vadroot = 0;

        // If we're in an imaged mapped vad, don't give a detection. But if we failed to get the vad, then
        // we won't know for sure, and better give a detection in this case.
        status = IntKernVirtMemFetchWordSize(Parent->EprocessAddress + WIN_KM_FIELD(Process, VadRoot), &vadroot);
        if (!INT_SUCCESS(status))
        {
            ERROR("[ERROR] IntKernVirtMemFetchWordSize failed: 0x%08x\n", status);
            goto _detect;
        }

        status = IntWinVadFetchByRange(vadroot, startAddress & PAGE_MASK, startAddress & PAGE_MASK, &vad);
        if (!INT_SUCCESS(status))
        {
            ERROR("[ERROR] IntWinVadFetchByRange failed: 0x%08x\n", status);
            goto _detect;
        }

        if (vad.VadType == VadImageMap)
        {
            goto _exit;
        }

_detect:
        Process->DpiExtraInfo.DpiThreadStartExtraInfo.ShellcodeFlags = scflags;
        Process->DpiExtraInfo.DpiThreadStartExtraInfo.StartAddress = startAddress;
        Process->CreationInfo.ParentThreadSuspicious = TRUE;
    }

_exit:
    return INT_STATUS_SUCCESS;
}


static __forceinline BOOLEAN
IntWinDpiIsDpiWhiteListed(
    _In_ WIN_PROCESS_OBJECT *Process,
    _In_ WIN_PROCESS_OBJECT *Parent
    )
{
    // We'll let werfault to be created if the parent process had an exception.
    if (Process->NameHash == 0x56d1611d && // werfault.exe
        Parent->LastException != 0)
    {
        return TRUE;
    }

    // Add there any other cases on which DPI wouldn't need to be checked in the future

    return FALSE;
}


void
IntWinDpiGatherDpiInfo(
    _Inout_ WIN_PROCESS_OBJECT *Process,
    _In_ WIN_PROCESS_OBJECT *Parent,
    _In_ QWORD DebugHandle
    )
{
    if (IntWinDpiIsDpiWhiteListed(Process, Parent))
    {
        return;
    }

    if (gGuest.CoreOptions.Current & INTRO_OPT_PROT_DPI_DEBUG)
    {
        STATS_ENTER(statsDpiDebugFlag);

        INTSTATUS status = IntWinDpiGetProcessDebugFlag(Process, DebugHandle);
        if (!INT_SUCCESS(status))
        {
            ERROR("[ERROR] IntWinProcGetProcessDebugFlag failed: 0x%08x\n", status);
        }

        STATS_EXIT(statsDpiDebugFlag);
    }

    if (gGuest.CoreOptions.Current & INTRO_OPT_PROT_DPI_STACK_PIVOT)
    {
        // We don't check the stack of the system process.
        if (__likely(Process->Pid != 4))
        {
            STATS_ENTER(statsDpiStackPivot);

            INTSTATUS status = IntWinDpiValidatePivotedStack(Process, Parent);
            if (!INT_SUCCESS(status))
            {
                ERROR("[ERROR] IntWinProcValidatePivotedStack failed: 0x%08x\n", status);
            }

            STATS_EXIT(statsDpiStackPivot);
        }
    }

    if (gGuest.CoreOptions.Current & INTRO_OPT_PROT_DPI_TOKEN_STEAL)
    {
        STATS_ENTER(statsDpiStealToken);

        INTSTATUS status = IntWinDpiValidateParentProcessToken(Process, Parent);
        if (!INT_SUCCESS(status))
        {
            ERROR("[ERROR] IntWinProcValidateCreatedProcessToken failed: 0x%08x\n", status);
        }

        STATS_EXIT(statsDpiStealToken);
    }

    if (gGuest.CoreOptions.Current & INTRO_OPT_PROT_DPI_TOKEN_PRIVS)
    {
        STATS_ENTER(statsDpiTokenPrivs);

        INTSTATUS status = IntWinDpiValidateTokenPrivs(Process, Parent);
        if (!INT_SUCCESS(status))
        {
            ERROR("[ERROR] IntWinDpiValidateTokenPrivs failed: 0x%08x\n", status);
        }

        STATS_EXIT(statsDpiTokenPrivs);
    }

    if (gGuest.CoreOptions.Current & INTRO_OPT_PROT_DPI_HEAP_SPRAY)
    {
        STATS_ENTER(statsDpiHeapSpray);

        INTSTATUS status = IntWinDpiValidateHeapSpray(Process, Parent);
        if (!INT_SUCCESS(status))
        {
            ERROR("[ERROR] IntWinProcValidateHeapSpray failed: 0x%08x\n", status);
        }

        STATS_EXIT(statsDpiHeapSpray);
    }

    if (gGuest.CoreOptions.Current & INTRO_OPT_PROT_DPI_THREAD_SHELL)
    {
        STATS_ENTER(statsDpiThreadStart);

        INTSTATUS status = IntWinDpiValidateThreadStart(Process, Parent);
        if (!INT_SUCCESS(status))
        {
            ERROR("[ERROR] IntWinDpiValidateThreadStart failed: 0x%08x\n", status);
        }

        STATS_EXIT(statsDpiThreadStart);
    }
}