Bitdefender Hypervisor Memory Introspection

#include "winprocess.h"
Macros

  #define IntWinGetCurrentProcess()   IntWinProcFindObjectByCr3(gVcpu->Regs.Cr3)

Functions

  PWIN_PROCESS_OBJECT IntWinProcFindObjectByCr3(QWORD Cr3)
      Finds a process by its kernel CR3.
  PWIN_PROCESS_OBJECT IntWinProcFindObjectByUserCr3(QWORD Cr3)
      Finds a process by its user CR3.
  PWIN_PROCESS_OBJECT IntWinProcFindObjectByEprocess(QWORD Eprocess)
      Finds a process by the address of its _EPROCESS structure.
  PWIN_PROCESS_OBJECT IntWinProcFindObjectByPid(DWORD Pid)
      Finds a process by its ID.
  PWIN_PROCESS_OBJECT IntWinProcFindObjectByName(CHAR const *Name, BOOLEAN MustBeSystem)
      Finds a process by name.
  INTSTATUS IntWinProcAdd(QWORD Eprocess, QWORD Aux)
      Adds a new process to the Introcore list of processes.
  INTSTATUS IntWinProcIsPsActiveProcessHead(QWORD Gva)
      Checks if a guest memory area is the list head of the process list (PsActiveProcessHead).
  INTSTATUS IntWinProcIterateGuestProcesses(PFUNC_IterateListCallback Callback, QWORD Aux)
      Iterates the in-guest process list and calls Callback for each entry.
  INTSTATUS IntWinProcGetNameFromEprocess(QWORD Eprocess, CHAR *Name)
      Reads a process name from the guest memory.
  INTSTATUS IntWinProcGetNameFromInternalEprocess(QWORD Eprocess, CHAR *Name)
      Gets a process name from the internal Introcore buffers.
  BOOLEAN IntWinProcIsEnoughHeapAvailable(void)
      Checks if enough heap is available in order to protect a new process.
  void IntWinProcRbTreeNodeFree(RBNODE *Node)
      The NodeFree routine for the process RBTREE structures.
  int IntWinProcRbTreeNodeCompareCr3(RBNODE const *Left, RBNODE const *Right)
  int IntWinProcRbTreeNodeCompareUserCr3(RBNODE const *Left, RBNODE const *Right)
  int IntWinProcRbTreeNodeCompareEproc(RBNODE const *Left, RBNODE const *Right)
  INTSTATUS IntWinProcGetAgentsAsCli(PCHAR CommandLine, DWORD Length)
      Returns the name and ID for all the processes injected as agents inside the guest.
  void IntWinProcDump(void)
      Prints information about all the processes in the system.
  void IntWinProcDumpVads(const char *ProcessName)
      Prints information about the VADs loaded in a process.
  void IntWinProcDumpEgFlags(void)
      Prints the mitigation flags of a process.
  INTSTATUS IntWinProcMapEprocess(QWORD Eprocess, void **Ptr)
      Maps a _EPROCESS structure.
#define IntWinGetCurrentProcess()   IntWinProcFindObjectByCr3(gVcpu->Regs.Cr3)
Definition at line 20 of file winprocesshp.h.
Referenced by DbgLogCurrentProcess(), and IntWinSetUmExceptionEvent().
INTSTATUS IntWinProcAdd(QWORD Eprocess, QWORD Aux)
Adds a new process to the Introcore list of processes.
This function is used for statically detecting processes that were spawned before Introcore started.
This does some preliminary checks and then delegates much of the work to IntWinProcCreateProcessObject. If any of the Delete, Exiting, or VmDeleted flags are set, or if the HasAddrSpace flag is not set, the process is ignored as it is no longer active and won't become active again, but the OS did not remove it from the list of processes yet.
If possible, this function will try to find the parent of the current process.
| [in] | Eprocess | Guest virtual address of the _EPROCESS structure for the new process. |
| [in] | Aux | Ignored. |
Definition at line 323 of file winprocesshp.c.
Referenced by IntWinGuestFinishInit().
void IntWinProcDump(void)
Prints information about all the processes in the system.
Definition at line 786 of file winprocesshp.c.
Referenced by DbgDumpProcesses().
void IntWinProcDumpEgFlags(void)
Prints the mitigation flags of a process.
Definition at line 927 of file winprocesshp.c.
void IntWinProcDumpVads(const char *ProcessName)
Prints information about the VADs loaded in a process.
| [in] | ProcessName | NULL-terminated string with a process name. May be NULL. If it is not NULL, only the processes with a matching name will be printed. |
Definition at line 899 of file winprocesshp.c.
Referenced by DbgDumpVads().
PWIN_PROCESS_OBJECT IntWinProcFindObjectByCr3(QWORD Cr3)
Finds a process by its kernel CR3.
| [in] | Cr3 | Process kernel CR3 to search for. |
Definition at line 122 of file winprocesshp.c.
Referenced by IntAlertFillWinProcessByCr3(), IntDecDecodeInstructionAtRipWithCache(), IntDispatchVeAsEpt(), IntLogProcessInfo(), IntWinAgentHandleAppVmcall(), IntWinCrashHandleDepViolation(), IntWinGuestHandleUserSudExec(), IntWinModHandleUserWrite(), IntWinProcHandleCreateInternal(), IntWinProcHandleDuplicate(), IntWinVadHandleCommit(), IntWinVadHandleDeleteVaRange(), IntWinVadHandleFinishVadDeletion(), IntWinVadHandleInsertMap(), IntWinVadHandleInsertPrivate(), and IntWinVadHandlePageExecution().
PWIN_PROCESS_OBJECT IntWinProcFindObjectByEprocess(QWORD Eprocess)
Finds a process by the address of its _EPROCESS structure.
| [in] | Eprocess | The guest virtual address of the _EPROCESS structure. |
Definition at line 23 of file winprocesshp.c.
Referenced by IntAlertFillDpiExtraInfo(), IntExceptUserLogWindowsInformation(), IntLogCriticalProcessHasDied(), IntSerializeDpiWinDebug(), IntSerializeDpiWinStolenToken(), IntSerializeWinUmOriginator(), IntSerializeWinUmVictim(), IntWinDpiGetProcessDebugFlag(), IntWinInspectCommandLine(), IntWinNetGetOwner(), IntWinProcAdd(), IntWinProcCreateProcessObject(), IntWinProcHandleCopyMemory(), IntWinProcHandleCreateInternal(), IntWinProcHandleDuplicate(), IntWinProcSendProcessEvent(), IntWinThrHandleQueueApc(), IntWinThrHandleThreadHijack(), IntWinVadHandleInsert(), and IntWinVadHandleVirtualProtect().
PWIN_PROCESS_OBJECT IntWinProcFindObjectByName(CHAR const *Name, BOOLEAN MustBeSystem)
Finds a process by name.
| [in] | Name | NULL-terminated string with the name of the process. |
| [in] | MustBeSystem | True if the process must be a system process. |
Definition at line 84 of file winprocesshp.c.
Referenced by IntWinAgentHandleDriverVmcall().
PWIN_PROCESS_OBJECT IntWinProcFindObjectByPid(DWORD Pid)
Finds a process by its ID.
| [in] | Pid | Process ID to search for. |
Definition at line 53 of file winprocesshp.c.
Referenced by IntWinGetStartUpTime(), and IntWinProcAdd().
PWIN_PROCESS_OBJECT IntWinProcFindObjectByUserCr3(QWORD Cr3)
Finds a process by its user CR3.
If KPTI is not active, or the process has the same CR3 for both kernel and user mode, this is the same as IntWinProcFindObjectByCr3.
| [in] | Cr3 | Process user CR3 to search for. |
Definition at line 152 of file winprocesshp.c.
Referenced by IntGetGprs().
INTSTATUS IntWinProcGetAgentsAsCli(PCHAR CommandLine, DWORD Length)
Returns the name and ID for all the processes injected as agents inside the guest.
This is useful for the killer agent.
| [out] | CommandLine | On success, will contain a NULL-terminated string with the names and IDs of the agent processes. |
| [in] | Length | The size of the CommandLine buffer. |
| INT_STATUS_SUCCESS | in case of success. |
| INT_STATUS_DATA_BUFFER_TOO_SMALL | if there is not enough space in the CommandLine buffer. |
Definition at line 739 of file winprocesshp.c.
Referenced by IntWinFormatAgentKillerCommandLine().
INTSTATUS IntWinProcGetNameFromEprocess(QWORD Eprocess, CHAR *Name)
Reads a process name from the guest memory.
This reads the name from the _EPROCESS ImageFileName field. If the process name has more than 15 characters, only the first 15 characters will be available.
| [in] | Eprocess | The guest virtual address of the _EPROCESS structure. |
| [out] | Name | On success, will contain a NULL-terminated string with the process name. Must be at least IMAGE_BASE_NAME_LEN in size. |
Definition at line 542 of file winprocesshp.c.
INTSTATUS IntWinProcGetNameFromInternalEprocess(QWORD Eprocess, CHAR *Name)
Gets a process name from the internal Introcore buffers.
| [in] | Eprocess | The guest virtual address of the _EPROCESS structure. |
| [out] | Name | On success, will contain a NULL-terminated string with the process name. Must be at least IMAGE_BASE_NAME_LEN in size. |
| INT_STATUS_SUCCESS | if a process was found for the provided _EPROCESS address. |
| INT_STATUS_NOT_FOUND | if no process was found. |
Definition at line 575 of file winprocesshp.c.
Referenced by IntWinProcDump().
BOOLEAN IntWinProcIsEnoughHeapAvailable(void)
Checks if enough heap is available in order to protect a new process.
Enough memory is considered available if at least MIN_HEAP_SIZE_PERCENT percent of the total available memory is still free.
Definition at line 612 of file winprocesshp.c.
Referenced by IntWinProcProtect().
INTSTATUS IntWinProcIsPsActiveProcessHead(QWORD Gva)
Checks if a guest memory area is the list head of the process list (PsActiveProcessHead).
Gva must point to the ActiveProcessLinks field of the System _EPROCESS.
The check is based on a series of invariants:
| [in] | Gva | Guest virtual address to check. |
| INT_STATUS_SUCCESS | if Gva points to PsActiveProcessHead. |
| INT_STATUS_INVALID_OBJECT_TYPE | if Gva does not point to PsActiveProcessHead. |
Definition at line 185 of file winprocesshp.c.
Referenced by IntWinGuestFindKernelObjectsInternal().
INTSTATUS IntWinProcIterateGuestProcesses(PFUNC_IterateListCallback Callback, QWORD Aux)
Iterates the in-guest process list and calls Callback for each entry.
This function will stop if it iterates more than 10000 entries, as in that case something is most likely wrong.
| [in] | Callback | Function to invoke for each entry in the process list. |
| [in] | Aux | Optional argument to pass to Callback. |
| INT_STATUS_SUCCESS | in case of success. Note that errors returned by Callback are not propagated and success is still reported. |
| INT_STATUS_INVALID_PARAMETER_1 | if Callback is NULL. |
| INT_STATUS_NOT_INITIALIZED_HINT | if PsActiveProcessHead is not set yet. |
| INT_STATUS_OUT_OF_RANGE | if more than 10000 processes are found in the list. |
Definition at line 428 of file winprocesshp.c.
Referenced by IntThrSafeCheckThreads(), and IntWinGuestFinishInit().
INTSTATUS IntWinProcMapEprocess(QWORD Eprocess, void **Ptr)
Maps a _EPROCESS structure.
This will map the minimum necessary size for Introcore to parse an _EPROCESS. IntVirtMemUnmap must be used to unmap a mapped process.
| [in] | Eprocess | Guest virtual address of the _EPROCESS structure to be mapped. |
| [out] | Ptr | On success, will contain a pointer to the mapped memory. |
Definition at line 1064 of file winprocesshp.c.
Referenced by IntWinProcAdd(), and IntWinProcHandleCreateInternal().
Definition at line 662 of file winprocesshp.c.
Definition at line 716 of file winprocesshp.c.
Definition at line 689 of file winprocesshp.c.
void IntWinProcRbTreeNodeFree(RBNODE *Node)
The NodeFree routine for the process RBTREE structures.
Definition at line 650 of file winprocesshp.c.