Bitdefender Hypervisor Memory Introspection
winprocess.h
Exposes the types, constants and functions used to handle Windows process events (creation, termination, memory reads/writes, etc.).
Data Structures
| Type | Name | Description |
|---|---|---|
| struct | _WIN_PROCESS_SUBSYSTEM | Windows process subsystem. |
| struct | _WIN_PROCESS_OBJECT | Describes a running process inside the guest. |
Macros
| Macro | Value | Description |
|---|---|---|
| WIN_STATUS_ACCESS_DENIED | 0xC0000022 | Equivalent to NTSTATUS STATUS_ACCESS_DENIED. |
| WIN_STATUS_SUCCESS | 0x00000000 | Equivalent to NTSTATUS STATUS_SUCCESS. |
Typedefs
| Typedef | Underlying type | Description |
|---|---|---|
| WIN_SUBSYTEM_TYPE | enum _WIN_SUBSYTEM_TYPE | The Windows subsystem types. |
| WINPROC_GUEST_EXITS | enum _WINPROC_GUEST_EXITS | Windows guest exit types. |
| WIN_PROCESS_SUBSYSTEM | struct _WIN_PROCESS_SUBSYSTEM | Windows process subsystem. |
| PWIN_PROCESS_SUBSYSTEM | struct _WIN_PROCESS_SUBSYSTEM * | Pointer to WIN_PROCESS_SUBSYSTEM. |
| WIN_PROCESS_OBJECT | struct _WIN_PROCESS_OBJECT | Describes a running process inside the guest. |
| PWIN_PROCESS_OBJECT | struct _WIN_PROCESS_OBJECT * | Pointer to WIN_PROCESS_OBJECT. |
Enumerations
| Enum | Enumerators | Description |
|---|---|---|
| _WIN_SUBSYTEM_TYPE | winSubsysUnknown = 0, winSubsys64Bit, winSubsys32Bit | The Windows subsystem types. |
| _WINPROC_GUEST_EXITS | winProcExitVad = 0x01, winProcExitWriteMemory = 0x02, winProcExitReadMemory = 0x04, winProcExitThreadCtx = 0x08, winProcExitQueueApc = 0x10 | Windows guest exit types (distinct bit flags). |
Functions
| Return type | Function | Description |
|---|---|---|
| static QWORD | IntWinProcGetProtOption (const WIN_PROCESS_OBJECT *Process) | Get the protection type for the given process. |
| static BOOLEAN | IntWinProcPolicyIsBeta (const WIN_PROCESS_OBJECT *Process, QWORD Flag) | Checks if the given process is protected with the provided flag (in beta mode). |
| static BOOLEAN | IntWinProcPolicyIsFeedback (const WIN_PROCESS_OBJECT *Process, QWORD Flag) | Checks if the given process is protected with the provided flag (in feedback mode). |
| INTSTATUS | IntWinProcHandleCreate (void *Detour) | Detour handler for the PspInsertProcess Windows kernel API. The actual process creation is handled by IntWinProcHandleCreateInternal; this function establishes the context of the creation and, if needed, blocks the process creation. |
| INTSTATUS | IntWinProcHandleTerminate (void *Detour) | Handles the termination of a Windows process. Invoked every time "MmCleanProcessAddressSpace" is called (a process is being terminated); responsible for removing the process from all the internal structures. |
| INTSTATUS | IntWinProcHandleCopyMemory (void *Detour) | Handles process read/write operations. Invoked every time "MmCopyVirtualMemory" is called (a process is reading or writing another process); its purpose is to block malicious operations, such as a credential dump (reading from lsass.exe). |
| INTSTATUS | IntWinProcPatchCopyMemoryDetour (QWORD FunctionAddress, void *Handler, QWORD HandlerAddress) | Patches the detour that handles "MmCopyVirtualMemory". Invoked every time "MmCopyVirtualMemory" is called, before the actual handler IntWinProcHandleCopyMemory; its purpose is to modify the hook code (see winhkhnd.c). |
| INTSTATUS | IntWinProcPatchPspInsertProcess86 (QWORD FunctionAddress, void *Handler, QWORD HandlerAddress) | Patches the detour that handles "PspInsertProcess". |
| INTSTATUS | IntWinProcProtect (WIN_PROCESS_OBJECT *Process) | Protects a new process. |
| INTSTATUS | IntWinProcUnprotect (WIN_PROCESS_OBJECT *Process) | Removes a process from protection. |
| const PROTECTED_PROCESS_INFO * | IntWinProcGetProtectedInfoEx (PWCHAR Path, BOOLEAN IsSystem) | Returns a pointer to the PROTECTED_PROCESS_INFO structure for the given process Path. |
| INTSTATUS | IntWinProcUpdateProtection (void) | Iterates through the global process list (gWinProcesses) to update the protection state of each process. |
| INTSTATUS | IntWinProcCreateProcessObject (WIN_PROCESS_OBJECT **Process, QWORD EprocessAddress, PBYTE EprocessBuffer, QWORD ParentEprocess, QWORD RealParentEprocess, QWORD Cr3, DWORD Pid, BOOLEAN StaticScan) | Allocates a WIN_PROCESS_OBJECT structure for the given process. |
| INTSTATUS | IntWinProcValidateSystemCr3 (void) | Checks whether the system CR3 value was modified and, if GUEST_STATE::KernelBetaDetections is NOT set, restores the original value. |
| INTSTATUS | IntWinProcAddProtectedProcess (const WCHAR *Path, DWORD ProtectionMask, QWORD Context) | Adds the provided process to the protected process list. |
| INTSTATUS | IntWinProcRemoveProtectedProcess (const WCHAR *Path) | Removes the provided process from the protected process list. |
| INTSTATUS | IntWinProcRemoveAllProtectedProcesses (void) | Removes all processes from the protected process list. |
| void | IntWinProcDumpProtected (void) | Logs all the protected processes. |
| void | IntWinProcUninit (void) | Removes all process objects from the list and calls the cleanup function for each process. |
| INTSTATUS | IntWinProcGetObjectByPid (DWORD Pid, WIN_PROCESS_OBJECT **Process) | Looks for a process with the given PID inside gWinProcesses and returns its WIN_PROCESS_OBJECT. |
| INTSTATUS | IntWinProcReadCommandLine (WIN_PROCESS_OBJECT *Process) | Reads the command line of the given process using IntSwapMemReadData. |
| INTSTATUS | IntWinProcChangeProtectionFlags (WIN_PROCESS_OBJECT *Process, DWORD OldMask, DWORD NewMask) | Changes the protection flags for the given process. |
| void | IntWinProcUpdateProtectedProcess (const void *Name, const CAMI_STRING_ENCODING Encoding, const CAMI_PROT_OPTIONS *Options) | Updates the protection for the given process. |
Definition in file winprocess.h.
#define WIN_STATUS_ACCESS_DENIED 0xC0000022
Equivalent to NTSTATUS STATUS_ACCESS_DENIED.
Definition at line 22 of file winprocess.h.
Referenced by IntWinProcHandleCopyMemory(), IntWinThrHandleQueueApc(), and IntWinThrHandleThreadHijack().
#define WIN_STATUS_SUCCESS 0x00000000
Equivalent to NTSTATUS STATUS_SUCCESS.
Definition at line 23 of file winprocess.h.
Referenced by IntWinProcHandleCopyMemory(), IntWinThrHandleQueueApc(), and IntWinThrHandleThreadHijack().
typedef struct _WIN_PROCESS_OBJECT * PWIN_PROCESS_OBJECT
typedef struct _WIN_PROCESS_SUBSYSTEM * PWIN_PROCESS_SUBSYSTEM
typedef struct _WIN_PROCESS_OBJECT WIN_PROCESS_OBJECT
This structure describes a running process inside the guest.
typedef struct _WIN_PROCESS_SUBSYSTEM WIN_PROCESS_SUBSYSTEM
Windows process subsystem.
typedef enum _WIN_SUBSYTEM_TYPE WIN_SUBSYTEM_TYPE
The Windows subsystem types.
typedef enum _WINPROC_GUEST_EXITS WINPROC_GUEST_EXITS
Windows guest exit types.
enum _WIN_SUBSYTEM_TYPE
The Windows subsystem types.
| Enumerator | Description |
|---|---|
| winSubsysUnknown | Process subsystem type unknown. |
| winSubsys64Bit | Process subsystem type 64 bit. |
| winSubsys32Bit | Process subsystem type 32 bit. |
Definition at line 29 of file winprocess.h.
enum _WINPROC_GUEST_EXITS
Windows guest exit types. The enumerators are distinct bit flags.
| Enumerator | Value |
|---|---|
| winProcExitVad | 0x01 |
| winProcExitWriteMemory | 0x02 |
| winProcExitReadMemory | 0x04 |
| winProcExitThreadCtx | 0x08 |
| winProcExitQueueApc | 0x10 |
Definition at line 39 of file winprocess.h.
INTSTATUS IntWinProcAddProtectedProcess (const WCHAR *Path, DWORD ProtectionMask, QWORD Context)
This function adds the provided process to the protected process list.
Parameters
| Direction | Name | Description |
|---|---|---|
| [in] | Path | The full process path. |
| [in] | ProtectionMask | The process protection mask. |
| [in] | Context | Protection policy context. |
Return values
| Value | Meaning |
|---|---|
| INT_STATUS_SUCCESS | On success. |
Definition at line 3536 of file winprocess.c.
Referenced by IntAddRemoveProtectedProcessUtf16(), IntAddRemoveProtectedProcessUtf8(), and IntWinProcPolicyIsFeedback().
INTSTATUS IntWinProcChangeProtectionFlags (WIN_PROCESS_OBJECT *Process, DWORD OldMask, DWORD NewMask)
This function changes the protection flags for the given process.
Parameters
| Direction | Name | Description |
|---|---|---|
| [in] | Process | The process to update the protection flags for. |
| [in] | OldMask | The old protection flag mask. |
| [in] | NewMask | The new protection flag mask. |
Return values
| Value | Meaning |
|---|---|
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER_1 | The process object is NULL. |
| INT_STATUS_NOT_NEEDED_HINT | The masks are identical. |
Definition at line 3877 of file winprocess.c.
Referenced by IntWinProcPolicyIsFeedback(), IntWinProcProtect(), IntWinProcUnprotect(), and IntWinProcUpdateProtection().
INTSTATUS IntWinProcCreateProcessObject (WIN_PROCESS_OBJECT **Process, QWORD EprocessAddress, PBYTE EprocessBuffer, QWORD ParentEprocess, QWORD RealParentEprocess, QWORD Cr3, DWORD Pid, BOOLEAN StaticScan)
Allocates a WIN_PROCESS_OBJECT structure for the given process.
This function is responsible for allocating a WIN_PROCESS_OBJECT structure for the given process, reading its command line if necessary, importing its main module VAD, protecting the process, sending a notification to the integrator, etc.
Parameters
| Direction | Name | Description |
|---|---|---|
| [out] | Process | The internally allocated process object. |
| [in] | EprocessAddress | The EPROCESS address of the process. |
| [in] | EprocessBuffer | The address of the EPROCESS mapping. |
| [in] | ParentEprocess | The EPROCESS address of the parent process. |
| [in] | RealParentEprocess | The EPROCESS address of the real parent process. |
| [in] | Cr3 | The address space. |
| [in] | Pid | The process identifier. |
| [in] | StaticScan | TRUE if the process already existed but was found only now (when initializing the introspection), FALSE if this process was just created. |
Return values
| Value | Meaning |
|---|---|
| INT_STATUS_SUCCESS | On success. |
Definition at line 1494 of file winprocess.c.
Referenced by IntWinProcAdd(), IntWinProcHandleCreateInternal(), and IntWinProcPolicyIsFeedback().
void IntWinProcDumpProtected (void)
Log all the protected processes.
Definition at line 3736 of file winprocess.c.
Referenced by DbgProcList(), and IntWinProcPolicyIsFeedback().
INTSTATUS IntWinProcGetObjectByPid (DWORD Pid, WIN_PROCESS_OBJECT **Process)
This function looks for a process with the given PID inside gWinProcesses and returns its WIN_PROCESS_OBJECT.
Parameters
| Direction | Name | Description |
|---|---|---|
| [in] | Pid | The process identifier. |
| [out] | Process | The process object for the given PID. |
Return values
| Value | Meaning |
|---|---|
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_FOUND | If the process was not found. |
Definition at line 3834 of file winprocess.c.
Referenced by IntWinGetAccessTokenFromProcess(), and IntWinProcPolicyIsFeedback().
const PROTECTED_PROCESS_INFO * IntWinProcGetProtectedInfoEx (PWCHAR Path, BOOLEAN IsSystem)
Returns a pointer to the PROTECTED_PROCESS_INFO structure for the given process Path.
Parameters
| Direction | Name | Description |
|---|---|---|
| [in] | Path | The path of the process. |
| [in] | IsSystem | TRUE if the process is a system process, FALSE otherwise. |
Return values
| Value | Meaning |
|---|---|
| PROTECTED_PROCESS_INFO | If the process is protected. |
| NULL | If the process is NOT protected. |
Definition at line 1063 of file winprocess.c.
Referenced by IntWinModHandleModulePathInMemory(), IntWinProcPolicyIsFeedback(), and IntWinProcUpdateProtection().
static QWORD IntWinProcGetProtOption (const WIN_PROCESS_OBJECT *Process)
Get the protection type for the given process.
Parameters
| Direction | Name | Description |
|---|---|---|
| [in] | Process | The process object. |
Return values
| Value | Meaning |
|---|---|
| INTRO_OPT_PROT_UM_SYS_PROCS | If the given process is a system process. |
| INTRO_OPT_PROT_UM_MISC_PROCS | If the given process is NOT a system process. |
Definition at line 328 of file winprocess.h.
Referenced by IntPolicyGetProcProt(), IntWinProcPolicyIsBeta(), and IntWinProcPolicyIsFeedback().
INTSTATUS IntWinProcPatchPspInsertProcess86 (QWORD FunctionAddress, void *Handler, QWORD HandlerAddress)
This function is responsible for patching the detour that handles "PspInsertProcess".
This function is invoked every time "PspInsertProcess" is called (a process is created), before the actual handler IntWinProcHandleCreate; its purpose is to modify the hook code (see winhkhnd.c). On some 32-bit versions of Windows a RET N instruction is used (the callee pops its own arguments), so the code must take that into account when blocking a process creation.
Parameters
| Direction | Name | Description |
|---|---|---|
| [in] | FunctionAddress | The address of the function. |
| [in] | Handler | An API_HOOK_HANDLER structure. |
| [in] | HandlerAddress | The address of the handler. |
Return values
| Value | Meaning |
|---|---|
| INT_STATUS_SUCCESS | On success. |
Definition at line 2277 of file winprocess.c.
Referenced by IntWinProcPolicyIsFeedback().
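The RET N caveat above is the part of short-circuiting a hooked call that is easy to get wrong. The following is an added example written for this page, not HVMI's own hook code (which lives in winhkhnd.c and is not reproduced here): it decodes the hooked function's return instruction and, when a process creation is denied, returns to the caller with the stack adjusted exactly as a genuine RET or RET imm16 would. All demo_* names, the register/stack model and the sample stack are assumptions of the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Demo-only names; HVMI's real hook code is in winhkhnd.c and is not reproduced here. */

/* Decode a near RET at p. 0xC3 is RET (the caller pops the arguments, cdecl);
 * 0xC2 imm16 is RET imm16 (the callee pops imm16 bytes of arguments, stdcall).
 * Returns false for anything else. */
bool demo_decode_ret(const uint8_t *p, size_t len, uint16_t *pop_bytes)
{
    if (len >= 1 && p[0] == 0xC3) {
        *pop_bytes = 0;
        return true;
    }
    if (len >= 3 && p[0] == 0xC2) {
        *pop_bytes = (uint16_t)(p[1] | ((uint16_t)p[2] << 8));
        return true;
    }
    return false;
}

/* Bytes of arguments the callee would pop, or -1 if the instruction is not a RET. */
int demo_ret_pop_bytes(const uint8_t *p, size_t len)
{
    uint16_t pop;
    return demo_decode_ret(p, len, &pop) ? (int)pop : -1;
}

typedef struct {
    uint32_t eip;
    uint32_t esp;
    uint32_t eax;
} demo_x86_regs;

/* Deny the hooked call instead of running the function body. `stack` models the
 * guest stack starting at regs->esp at function entry: stack[0] is the return
 * address, stack[1..] are the pushed arguments. On success the registers are what
 * the caller observes after a genuine RET / RET N, with `status` in EAX. */
bool demo_block_call(demo_x86_regs *regs, const uint32_t *stack, size_t stack_dwords,
                     const uint8_t *ret_insn, size_t ret_len, uint32_t status)
{
    uint16_t pop_bytes;

    if (!demo_decode_ret(ret_insn, ret_len, &pop_bytes))
        return false;                 /* unknown epilogue: do not guess the stack layout */
    if ((pop_bytes & 3) != 0)
        return false;                 /* stdcall argument bytes are a multiple of 4 */
    if (stack_dwords == 0 || (size_t)(pop_bytes / 4) > stack_dwords - 1)
        return false;                 /* would pop beyond the modelled stack */

    regs->eip = stack[0];             /* resume at the caller's return address */
    regs->esp += 4u + pop_bytes;      /* drop the return address plus callee-cleaned args */
    regs->eax = status;               /* NTSTATUS the caller sees */
    return true;
}

int main(void)
{
    /* Constructed sample: a return address followed by three dword arguments. */
    const uint32_t stack[] = { 0x00401000u, 0x11111111u, 0x22222222u, 0x33333333u };
    const uint8_t ret_n[] = { 0xC2, 0x0C, 0x00 };  /* RET 0Ch */
    const uint8_t ret_plain[] = { 0xC3 };          /* RET */
    demo_x86_regs r = { 0, 0x1000u, 0 };

    demo_block_call(&r, stack, 4, ret_n, sizeof ret_n, 0xC0000022u);
    printf("RET 0Ch -> eip=%08x esp=%08x eax=%08x\n", r.eip, r.esp, r.eax);

    r = (demo_x86_regs){ 0, 0x1000u, 0 };
    demo_block_call(&r, stack, 4, ret_plain, sizeof ret_plain, 0xC0000022u);
    printf("RET     -> eip=%08x esp=%08x eax=%08x\n", r.eip, r.esp, r.eax);
    return 0;
}
```

If the hook returned with a plain RET where the function actually ends in RET 0Ch, the caller would resume with 12 bytes of arguments still on its stack and every local it addresses through ESP shifted; the decode step in demo_block_call is what keeps a blocked creation indistinguishable from an ordinary failed call as far as the guest kernel can tell.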
static BOOLEAN IntWinProcPolicyIsBeta (const WIN_PROCESS_OBJECT *Process, QWORD Flag)
Checks if the given process is protected with the provided flag (in beta mode).
Parameters
| Direction | Name | Description |
|---|---|---|
| [in] | Process | The process object. |
| [in] | Flag | The protection flag to be checked. |
Return values
| Value | Meaning |
|---|---|
| TRUE | If the process is protected with the provided flag (in beta mode). |
| FALSE | If the process is NOT protected with the provided flag (in beta mode). |
Definition at line 344 of file winprocess.h.
Referenced by IntPolicyProcIsBeta().
static BOOLEAN IntWinProcPolicyIsFeedback (const WIN_PROCESS_OBJECT *Process, QWORD Flag)
Checks if the given process is protected with the provided flag (in feedback mode).
Parameters
| Direction | Name | Description |
|---|---|---|
| [in] | Process | The process object. |
| [in] | Flag | The protection flag to be checked. |
Return values
| Value | Meaning |
|---|---|
| TRUE | If the process is protected with the provided flag (in feedback mode). |
| FALSE | If the process is NOT protected with the provided flag (in feedback mode). |
Definition at line 364 of file winprocess.h.
Referenced by IntPolicyProcIsFeedback().
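IntWinProcHandleCopyMemory (see the function summary) is where WIN_STATUS_ACCESS_DENIED and WIN_STATUS_SUCCESS are returned to the guest, and the two static policy helpers above decide whether a protection flag is enforced or only reported. The block below is an added example that models that decision end to end for a cross-process read of lsass.exe; it is not HVMI code. The demo_* names, the DEMO_PROT_* flag values, the stand-in process structure and the treatment of beta and feedback mode as "report only, let the call succeed" are assumptions of the example (the page names both modes but does not define their semantics).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* The two NTSTATUS values winprocess.h defines. */
#define WIN_STATUS_ACCESS_DENIED 0xC0000022u
#define WIN_STATUS_SUCCESS       0x00000000u

/* Placeholder protection flags; the real HVMI flag values are not on this page. */
#define DEMO_PROT_READ_MEMORY   0x01u
#define DEMO_PROT_WRITE_MEMORY  0x02u

/* Stand-in for WIN_PROCESS_OBJECT: the flags protecting the process, and which
 * of those flags are in beta mode or feedback mode. */
typedef struct {
    const char *name;
    uint32_t    pid;
    uint64_t    prot_mask;
    uint64_t    beta_mask;
    uint64_t    feedback_mask;
} demo_process;

typedef enum {
    DEMO_ALLOW,          /* not a protected operation; the guest proceeds */
    DEMO_BLOCK,          /* enforce: the guest call fails with STATUS_ACCESS_DENIED */
    DEMO_LOG_ONLY,       /* beta mode (assumed): report the detection, let the call succeed */
    DEMO_FEEDBACK_ONLY   /* feedback mode (assumed): record for telemetry, let the call succeed */
} demo_verdict;

/* Demo counterparts of IntWinProcPolicyIsBeta / IntWinProcPolicyIsFeedback. */
bool demo_policy_is_beta(const demo_process *p, uint64_t flag)
{
    return (p->prot_mask & flag) != 0 && (p->beta_mask & flag) != 0;
}

bool demo_policy_is_feedback(const demo_process *p, uint64_t flag)
{
    return (p->prot_mask & flag) != 0 && (p->feedback_mask & flag) != 0;
}

/* Decision for one cross-process copy: `src` performs the access, `dst` owns the
 * memory. *guest_status is the NTSTATUS the hooked call returns to the guest. */
demo_verdict demo_copy_memory_policy(const demo_process *src, const demo_process *dst,
                                     bool is_write, uint32_t *guest_status)
{
    uint64_t flag = is_write ? DEMO_PROT_WRITE_MEMORY : DEMO_PROT_READ_MEMORY;

    *guest_status = WIN_STATUS_SUCCESS;

    if (src->pid == dst->pid)          /* a process copying within its own address space */
        return DEMO_ALLOW;
    if ((dst->prot_mask & flag) == 0)  /* target not protected against this kind of access */
        return DEMO_ALLOW;
    if (demo_policy_is_beta(dst, flag))
        return DEMO_LOG_ONLY;
    if (demo_policy_is_feedback(dst, flag))
        return DEMO_FEEDBACK_ONLY;

    *guest_status = WIN_STATUS_ACCESS_DENIED;
    return DEMO_BLOCK;
}

int main(void)
{
    /* Constructed processes: lsass protected against reads, a dumper, a bystander. */
    const demo_process lsass  = { "lsass.exe",   688,  DEMO_PROT_READ_MEMORY, 0, 0 };
    const demo_process dumper = { "dumper.exe",  4242, 0, 0, 0 };
    const demo_process note   = { "notepad.exe", 5100, 0, 0, 0 };
    uint32_t st;

    demo_verdict v = demo_copy_memory_policy(&dumper, &lsass, false, &st);
    printf("%s reads %s: verdict=%d status=0x%08x\n", dumper.name, lsass.name, v, st);

    v = demo_copy_memory_policy(&dumper, &note, false, &st);
    printf("%s reads %s: verdict=%d status=0x%08x\n", dumper.name, note.name, v, st);
    return 0;
}
```

The point of returning STATUS_ACCESS_DENIED rather than faulting the guest is that the reader gets an ordinary failed API call: a credential dumper sees the same error it would get without the right privileges, while the introspection engine keeps the event for reporting.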
INTSTATUS IntWinProcProtect (WIN_PROCESS_OBJECT *Process)
Protects a new process.
Parameters
| Direction | Name | Description |
|---|---|---|
| [in] | Process | The process to be protected. |
Return values
| Value | Meaning |
|---|---|
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER_1 | If the process is NULL. |
| INT_STATUS_NOT_NEEDED_HINT | If the process is already protected. |
Definition at line 3111 of file winprocess.c.
Referenced by IntWinProcCreateProcessObject(), IntWinProcPolicyIsFeedback(), and IntWinProcUpdateProtection().
INTSTATUS IntWinProcReadCommandLine (WIN_PROCESS_OBJECT *Process)
Reads the command line of the given process using IntSwapMemReadData.
Parameters
| Direction | Name | Description |
|---|---|---|
| [in] | Process | The process to read the command line from. |
Return values
| Value | Meaning |
|---|---|
| INT_STATUS_SUCCESS | On success. |
Definition at line 893 of file winprocess.c.
Referenced by IntWinProcCreateProcessObject(), and IntWinProcPolicyIsFeedback().
INTSTATUS IntWinProcRemoveAllProtectedProcesses (void)
This function removes all processes from the protected process list.
Return values
| Value | Meaning |
|---|---|
| INT_STATUS_SUCCESS | On success. |
Definition at line 3704 of file winprocess.c.
Referenced by IntRemoveAllProtectedProcesses(), and IntWinProcPolicyIsFeedback().
INTSTATUS IntWinProcRemoveProtectedProcess (const WCHAR *Path)
This function removes the provided process from the protected process list.
Parameters
| Direction | Name | Description |
|---|---|---|
| [in] | Path | The full process path. |
Return values
| Value | Meaning |
|---|---|
| INT_STATUS_SUCCESS | On success. |
Definition at line 3650 of file winprocess.c.
Referenced by IntAddRemoveProtectedProcessUtf16(), IntAddRemoveProtectedProcessUtf8(), and IntWinProcPolicyIsFeedback().
void IntWinProcUninit (void)
This function removes all process objects from the list and calls the cleanup function for each process.
Definition at line 3764 of file winprocess.c.
Referenced by IntWinGuestUninit(), and IntWinProcPolicyIsFeedback().
INTSTATUS IntWinProcUnprotect (WIN_PROCESS_OBJECT *Process)
Remove a process from protection.
Parameters
| Direction | Name | Description |
|---|---|---|
| [in] | Process | The process to be removed from protection. |
Return values
| Value | Meaning |
|---|---|
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER_1 | If the process is NULL. |
Definition at line 3071 of file winprocess.c.
Referenced by IntWinModHandleModulePathInMemory(), IntWinProcDeleteProcessObject(), IntWinProcPolicyIsFeedback(), IntWinProcProtect(), IntWinProcUninit(), and IntWinProcUpdateProtection().
void IntWinProcUpdateProtectedProcess (const void *Name, const CAMI_STRING_ENCODING Encoding, const CAMI_PROT_OPTIONS *Options)
This function updates the protection for the given process.
Parameters
| Direction | Name | Description |
|---|---|---|
| [in] | Name | The name of the process. |
| [in] | Encoding | The encoding used by the Name variable. |
| [in] | Options | The protection options to be applied. |
Definition at line 3481 of file winprocess.c.
Referenced by IntCamiUpdateProcessProtectionItems(), and IntWinProcPolicyIsFeedback().
INTSTATUS IntWinProcUpdateProtection (void)
Iterates through the global process list (gWinProcesses) to update the protection state of each process.
Return values
| Value | Meaning |
|---|---|
| INT_STATUS_SUCCESS | On success. |
Definition at line 1155 of file winprocess.c.
Referenced by IntCamiSetProcProtOptions(), IntGuestUpdateCoreOptions(), IntWinProcAddProtectedProcess(), IntWinProcPolicyIsFeedback(), and IntWinProcRemoveProtectedProcess().
INTSTATUS IntWinProcValidateSystemCr3 (void)
This function checks if the system CR3 value was modified and, if GUEST_STATE::KernelBetaDetections is NOT set, restores the original value.
Return values
| Value | Meaning |
|---|---|
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_FOUND | If the system process was not found within gWinProcesses. |
| INT_STATUS_NOT_INITIALIZED_HINT | If introcore is not fully initialized. |
Definition at line 3195 of file winprocess.c.
Referenced by IntHandleTimer(), and IntWinProcPolicyIsFeedback().
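The following is an added example that models the check IntWinProcValidateSystemCr3 is documented to perform (three return conditions, report on mismatch, restore only when kernel beta detections are off); it is not the project's implementation. The demo_* names, the status values and the sample CR3 values are constructed for the example. Masking bits 11:0 before comparing is the example's own precaution (with CR4.PCIDE those bits hold the PCID, otherwise bits 3 and 4 are PWT/PCD, none of which is part of the page-table root) and is not stated on this page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Status names taken from this page; the numeric values are placeholders. */
typedef enum {
    DEMO_STATUS_SUCCESS = 0,
    DEMO_STATUS_NOT_FOUND,
    DEMO_STATUS_NOT_INITIALIZED_HINT
} demo_status;

/* CR3 bits 11:0 are not part of the page-table root: with CR4.PCIDE set they
 * carry the PCID, otherwise bits 3 and 4 are PWT/PCD. Only the root address is
 * compared, so a PCID change is not mistaken for tampering. */
#define DEMO_CR3_ROOT_MASK (~(uint64_t)0xFFF)

typedef struct {
    bool     initialized;             /* introcore finished initializing */
    bool     have_system_process;     /* the System process is in the process list */
    bool     kernel_beta_detections;  /* stand-in for GUEST_STATE::KernelBetaDetections */
    uint64_t expected_system_cr3;     /* value recorded when System was first seen */
    uint64_t current_system_cr3;      /* value currently held by the guest */
    unsigned detections;              /* mismatches reported so far */
} demo_guest_state;

/* Models IntWinProcValidateSystemCr3: report a changed system CR3 and, unless
 * kernel detections are in beta mode, restore the recorded value. */
demo_status demo_validate_system_cr3(demo_guest_state *g, bool *restored)
{
    *restored = false;

    if (!g->initialized)
        return DEMO_STATUS_NOT_INITIALIZED_HINT;
    if (!g->have_system_process)
        return DEMO_STATUS_NOT_FOUND;

    if ((g->current_system_cr3 & DEMO_CR3_ROOT_MASK) ==
        (g->expected_system_cr3 & DEMO_CR3_ROOT_MASK))
        return DEMO_STATUS_SUCCESS;               /* same page-table root: nothing to do */

    g->detections++;                              /* the change is reported either way */
    if (!g->kernel_beta_detections) {
        g->current_system_cr3 = g->expected_system_cr3;   /* enforce: put it back */
        *restored = true;
    }
    return DEMO_STATUS_SUCCESS;
}

int main(void)
{
    /* Constructed state: a guest whose System page-table root was swapped by kernel code. */
    demo_guest_state g = { true, true, false, 0x1AB000ull, 0x7FF000ull, 0 };
    bool restored;

    demo_validate_system_cr3(&g, &restored);
    printf("enforce: restored=%d cr3=%#llx detections=%u\n", restored,
           (unsigned long long)g.current_system_cr3, g.detections);

    g.kernel_beta_detections = true;
    g.current_system_cr3 = 0x7FF000ull;
    demo_validate_system_cr3(&g, &restored);
    printf("beta:    restored=%d cr3=%#llx detections=%u\n", restored,
           (unsigned long long)g.current_system_cr3, g.detections);
    return 0;
}
```

Swapping the System process's page-table root is a way for kernel code to hide mappings from anything that walks the tables the engine recorded, which is why the check runs from a timer (see the callers above) rather than only at process creation; beta mode keeps the detection visible while leaving the guest untouched.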