Bitdefender Hypervisor Memory Introspection
windpi.h
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2020 Bitdefender
3  * SPDX-License-Identifier: Apache-2.0
4  */
11 
12 #ifndef _WINDPI_H_
13 #define _WINDPI_H_
14 
15 #include "winguest.h"
16 
17 typedef struct _WIN_PROCESS_OBJECT WIN_PROCESS_OBJECT, *PWIN_PROCESS_OBJECT;
18 
22 #define HEAP_SPRAY_NR_PAGES 0xF
23 
27 typedef struct _DPI_EXTRA_INFO
28 {
29  struct
30  {
31  QWORD _Reserved;
32  } DpiDebugExtraInfo;
33 
34  struct
35  {
36  QWORD CurrentStack;
37  QWORD StackBase;
38  QWORD StackLimit;
39  QWORD TrapFrameAddress;
42  QWORD CurrentWow64Stack;
43  QWORD Wow64StackBase;
44  QWORD Wow64StackLimit;
45  } DpiPivotedStackExtraInfo;
46 
47  struct
48  {
49  QWORD StolenFromEprocess;
50  } DpiStolenTokenExtraInfo;
51 
52  struct
53  {
54  struct
55  {
56  DWORD Mapped : 1;
57  DWORD Detected : 1;
60  DWORD HeapValCount : 11;
62  DWORD Offset : 12;
63  DWORD Executable : 1;
64  DWORD Reserved : 7;
65  } HeapPages[HEAP_SPRAY_NR_PAGES];
66 
67  QWORD ShellcodeFlags;
68  } DpiHeapSprayExtraInfo;
69 
70  struct
71  {
72  QWORD OldEnabled;
73  QWORD NewEnabled;
75  QWORD OldPresent;
76  QWORD NewPresent;
78  } DpiTokenPrivsExtraInfo;
79 
80  struct
81  {
82  QWORD StartAddress;
83  QWORD ShellcodeFlags;
84  } DpiThreadStartExtraInfo;
85 } DPI_EXTRA_INFO, *PDPI_EXTRA_INFO;
86 
87 void
88 IntWinDpiGatherDpiInfo(
89  _Inout_ WIN_PROCESS_OBJECT *Process,
90  _In_ WIN_PROCESS_OBJECT *Parent,
91  _In_ QWORD DebugHandle
92  );
93 
94 INTRO_ACTION
95 IntWinDpiCheckCreation(
96  _In_ WIN_PROCESS_OBJECT *Child,
97  _In_ WIN_PROCESS_OBJECT *RealParent
98  );
99 
100 #endif // _WINDPI_H_
HEAP_SPRAY_NR_PAGES
#define HEAP_SPRAY_NR_PAGES
Definition: windpi.h:22
_In_
#define _In_
Definition: intro_sal.h:21
IntWinDpiGatherDpiInfo
void IntWinDpiGatherDpiInfo(WIN_PROCESS_OBJECT *Process, WIN_PROCESS_OBJECT *Parent, QWORD DebugHandle)
Gathers all the necessary DPI (Deep Process Inspection) information that will later be used to decide...
Definition: windpi.c:1293
_DPI_EXTRA_INFO::TrapFrameAddress
QWORD TrapFrameAddress
The address of the trap frame. Used for more information gathering when sending the alert...
Definition: windpi.h:40
_DPI_EXTRA_INFO::Wow64StackLimit
QWORD Wow64StackLimit
The known stack limit in WoW64 mode. Valid only if the process is WoW64.
Definition: windpi.h:44
_DPI_EXTRA_INFO::NewEnabled
QWORD NewEnabled
The new value from parent's token Privileges.Enabled field, which was deemed malicious.
Definition: windpi.h:74
_DPI_EXTRA_INFO::StartAddress
QWORD StartAddress
The address on which the parent's thread started execution.
Definition: windpi.h:82
_DPI_EXTRA_INFO::StolenFromEprocess
QWORD StolenFromEprocess
The EPROCESS address from which the token was stolen.
Definition: windpi.h:49
PDPI_EXTRA_INFO
struct _DPI_EXTRA_INFO * PDPI_EXTRA_INFO
_DPI_EXTRA_INFO::DpiDebugExtraInfo
struct _DPI_EXTRA_INFO::@199 DpiDebugExtraInfo
_DPI_EXTRA_INFO::Wow64StackBase
QWORD Wow64StackBase
The known stack base in WoW64 mode. Valid only if the process is WoW64.
Definition: windpi.h:43
_DPI_EXTRA_INFO::Offset
DWORD Offset
The offset where the detection on the given page was given, if Detection is equal to 1...
Definition: windpi.h:62
_DPI_EXTRA_INFO::Reserved
DWORD Reserved
Reserved for further use.
Definition: windpi.h:64
_DPI_EXTRA_INFO::DpiHeapSprayExtraInfo
struct _DPI_EXTRA_INFO::@202 DpiHeapSprayExtraInfo
_Inout_
#define _Inout_
Definition: intro_sal.h:20
_DPI_EXTRA_INFO::DpiPivotedStackExtraInfo
struct _DPI_EXTRA_INFO::@200 DpiPivotedStackExtraInfo
QWORD
unsigned long long QWORD
Definition: intro_types.h:53
_DPI_EXTRA_INFO::CurrentWow64Stack
QWORD CurrentWow64Stack
The current stack of the process in WoW64 mode. Valid only if the process is WoW64.
Definition: windpi.h:42
_DPI_EXTRA_INFO::NewPresent
QWORD NewPresent
The new value from parent's token Privileges.Present field, which was deemed malicious.
Definition: windpi.h:77
_DPI_EXTRA_INFO::DpiThreadStartExtraInfo
struct _DPI_EXTRA_INFO::@204 DpiThreadStartExtraInfo
_DPI_EXTRA_INFO::CurrentStack
QWORD CurrentStack
The current stack of the process at the point of process creation.
Definition: windpi.h:36
IntWinDpiCheckCreation
INTRO_ACTION IntWinDpiCheckCreation(WIN_PROCESS_OBJECT *Child, WIN_PROCESS_OBJECT *RealParent)
Analyzes all the process creations rules in order to decided if the process creation should be allowe...
Definition: windpi.c:641
_DPI_EXTRA_INFO::OldEnabled
QWORD OldEnabled
Definition: windpi.h:72
DWORD
uint32_t DWORD
Definition: intro_types.h:49
_DPI_EXTRA_INFO::StackBase
QWORD StackBase
The known stack base present in TIB at the moment of process creation.
Definition: windpi.h:37
_DPI_EXTRA_INFO::HeapPages
struct _DPI_EXTRA_INFO::@202::@205 HeapPages[HEAP_SPRAY_NR_PAGES]
INTRO_ACTION
enum _INTRO_ACTION INTRO_ACTION
Event actions.
_DPI_EXTRA_INFO::DpiStolenTokenExtraInfo
struct _DPI_EXTRA_INFO::@201 DpiStolenTokenExtraInfo
_DPI_EXTRA_INFO::DpiTokenPrivsExtraInfo
struct _DPI_EXTRA_INFO::@203 DpiTokenPrivsExtraInfo
_DPI_EXTRA_INFO::OldPresent
QWORD OldPresent
Definition: windpi.h:75
_DPI_EXTRA_INFO::Mapped
DWORD Mapped
Definition: windpi.h:56
_DPI_EXTRA_INFO::HeapValCount
DWORD HeapValCount
The number of heap values in the page. Since the max value can be 1024, 11 bits are needed...
Definition: windpi.h:60
_DPI_EXTRA_INFO::Detected
DWORD Detected
The bit is set if the i-th page was detected as malicious by shemu.
Definition: windpi.h:58
_DPI_EXTRA_INFO::_Reserved
QWORD _Reserved
Reserved for further use.
Definition: windpi.h:31
_DPI_EXTRA_INFO::StackLimit
QWORD StackLimit
Definition: windpi.h:38
_DPI_EXTRA_INFO::ShellcodeFlags
QWORD ShellcodeFlags
Contains the flags on the first page which was detected through shemu.
Definition: windpi.h:67
PWIN_PROCESS_OBJECT
struct _WIN_PROCESS_OBJECT * PWIN_PROCESS_OBJECT
Definition: windpi.h:17
_DPI_EXTRA_INFO
Definition: windpi.h:27
DPI_EXTRA_INFO
struct _DPI_EXTRA_INFO DPI_EXTRA_INFO
_DPI_EXTRA_INFO::Executable
DWORD Executable
True if the page is executable in the translation.
Definition: windpi.h:63
_WIN_PROCESS_OBJECT
This structure describes a running process inside the guest.
Definition: winprocess.h:81