Bitdefender Hypervisor Memory Introspection

`#include "guests.h"`
Typedefs

| Type | Name |
|---|---|
| typedef struct _WIN_PROCESS_OBJECT | WIN_PROCESS_OBJECT |
| typedef struct _WIN_PROCESS_OBJECT * | PWIN_PROCESS_OBJECT |

Functions

| Return type | Function | Description |
|---|---|---|
| TIMER_FRIENDLY INTSTATUS | IntWinTokenCheckIntegrity (void) | Checks the integrity of the security token of every process in gWinProcesses. The checks cover both a token pointer shared by multiple processes, which indicates a stolen token, and Token Privileges that have changed in a malicious way, which indicates a privilege escalation. |
| INTSTATUS | IntWinTokenPtrCheckIntegrityOnProcess (WIN_PROCESS_OBJECT *Process) | Checks whether the security token of the given process has been stolen from another process. |
| INTSTATUS | IntWinTokenPrivsProtectOnProcess (WIN_PROCESS_OBJECT *Process) | Updates the stored original Privileges bitfields (Present and Enabled) and, if needed, hooks through EPT the Privileges inside the token assigned to the given process. |
| INTSTATUS | IntWinTokenPrivsUnprotectOnProcess (WIN_PROCESS_OBJECT *Process) | |
| INTSTATUS | IntWinTokenPrivsCheckIntegrityOnProcess (WIN_PROCESS_OBJECT *Process) | Checks whether the privileges bitfields of the given process have been changed in a malicious manner, sending an alert if needed. |
| BOOLEAN | IntWinTokenPtrIsStolen (WIN_PROCESS_OBJECT *Process, BOOLEAN Check, WIN_PROCESS_OBJECT **FromProcess, QWORD *OldValue, QWORD *NewValue) | Checks whether the security token of the given process has been stolen from another process. |
| INTSTATUS | IntWinTokenProtectPrivs (void) | Protects all currently unprotected process tokens against privilege manipulation. |
| INTSTATUS | IntWinTokenUnprotectPrivs (void) | Removes the protection against privilege manipulation from all currently protected process tokens. |
| INTSTATUS | IntWinTokenCheckCurrentPrivileges (WIN_PROCESS_OBJECT *Process, QWORD TokenPtr, BOOLEAN *PresentIncreased, BOOLEAN *EnabledIncreased, QWORD *Present, QWORD *Enabled) | Verifies that the Privileges.Present and Privileges.Enabled fields of the current token have not been altered in a malicious way. |
`typedef struct _WIN_PROCESS_OBJECT * PWIN_PROCESS_OBJECT`

Definition at line 10 of file wintoken.h.

`typedef struct _WIN_PROCESS_OBJECT WIN_PROCESS_OBJECT`

Definition at line 10 of file wintoken.h.
`INTSTATUS IntWinTokenCheckCurrentPrivileges (WIN_PROCESS_OBJECT *Process, QWORD TokenPtr, BOOLEAN *PresentIncreased, BOOLEAN *EnabledIncreased, QWORD *Present, QWORD *Enabled)`

Verifies that the Privileges.Present and Privileges.Enabled fields of the current token have not been altered in a malicious way.

The integrity checks performed on the privileges are:

Parameters

| Direction | Parameter | Description |
|---|---|---|
| [in] | Process | The process for which the checks are done. |
| [in] | TokenPtr | The GVA of the assigned token; it may differ from Process->OriginalTokenPtr. |
| [out] | PresentIncreased | Receives a boolean telling whether the current privileges violate the first check. |
| [out] | EnabledIncreased | Receives a boolean telling whether the current privileges violate the second check. |
| [out] | Present | The current value of the Privileges.Present field. |
| [out] | Enabled | The current value of the Privileges.Enabled field. |

Return values

| Value | Meaning |
|---|---|
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER_1 | If a NULL Process has been given. |
| INT_STATUS_INVALID_PARAMETER_3 | If a NULL PresentIncreased has been given. |
| INT_STATUS_INVALID_PARAMETER_4 | If a NULL EnabledIncreased has been given. |

Definition at line 696 of file wintoken.c.

Referenced by IntWinDpiValidateTokenPrivs(), and IntWinTokenPrivsCheckIntegrityOnProcess().
`TIMER_FRIENDLY INTSTATUS IntWinTokenCheckIntegrity (void)`

Checks the integrity of the security token of every process in gWinProcesses. The checks cover both a token pointer shared by multiple processes, which indicates a stolen token, and Token Privileges that have changed in a malicious way, which indicates a privilege escalation.

Return values

| Value | Meaning |
|---|---|
| INT_STATUS_SUCCESS | On success. |

Definition at line 942 of file wintoken.c.

Referenced by IntHandleTimer().
`INTSTATUS IntWinTokenPrivsCheckIntegrityOnProcess (WIN_PROCESS_OBJECT *Process)`

Checks whether the privileges bitfields of the given process have been changed in a malicious manner, sending an alert if needed.

Parameters

| Direction | Parameter | Description |
|---|---|---|
| [in] | Process | The WIN_PROCESS_OBJECT whose assigned token has its privileges checked. |

Return values

| Value | Meaning |
|---|---|
| INT_STATUS_SUCCESS | On success. |

Definition at line 818 of file wintoken.c.

Referenced by IntWinProcCreateProcessObject(), IntWinProcDeleteProcessObject(), and IntWinTokenCheckIntegrity().
`INTSTATUS IntWinTokenPrivsProtectOnProcess (WIN_PROCESS_OBJECT *Process)`

Updates the stored original Privileges bitfields (Present and Enabled) and, if needed, hooks through EPT the Privileges inside the token assigned to the given process.

Parameters

| Direction | Parameter | Description |
|---|---|---|
| [in,out] | Process | The WIN_PROCESS_OBJECT for which the privileges information is stored, and on whose assigned token a hook is established if needed. |

Return values

| Value | Meaning |
|---|---|
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_INVALID_PARAMETER_1 | If the given process is NULL. |

Definition at line 1008 of file wintoken.c.

Referenced by IntWinProcCreateProcessObject(), and IntWinTokenProtectPrivs().
`INTSTATUS IntWinTokenPrivsUnprotectOnProcess (WIN_PROCESS_OBJECT *Process)`

Definition at line 1069 of file wintoken.c.

Referenced by IntWinProcRemoveProcess().
`INTSTATUS IntWinTokenProtectPrivs (void)`

Protects all currently unprotected process tokens against privilege manipulation.

Return values

| Value | Meaning |
|---|---|
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_NEEDED_HINT | If the option INTRO_OPT_PROT_KM_TOKEN_PRIVS is not activated. |

Definition at line 1094 of file wintoken.c.

Referenced by IntGuestUpdateCoreOptions().
`INTSTATUS IntWinTokenPtrCheckIntegrityOnProcess (WIN_PROCESS_OBJECT *Process)`

Checks whether the security token of the given process has been stolen from another process.

Parameters

| Direction | Parameter | Description |
|---|---|---|
| [in] | Process | The process whose token has to be verified. |

Return values

| Value | Meaning |
|---|---|
| INT_STATUS_SUCCESS | On success. |

Definition at line 604 of file wintoken.c.

Referenced by IntWinProcCreateProcessObject(), IntWinProcDeleteProcessObject(), IntWinTokenCheckIntegrity(), and IntWinTokenPrivsHandleWrite().
`BOOLEAN IntWinTokenPtrIsStolen (WIN_PROCESS_OBJECT *Process, BOOLEAN Check, WIN_PROCESS_OBJECT **FromProcess, QWORD *OldValue, QWORD *NewValue)`

Checks whether the security token of the given process has been stolen from another process.

Parameters

| Direction | Parameter | Description |
|---|---|---|
| [in] | Process | The process whose token has to be verified. |
| [in] | Check | If TRUE, gWinProcesses is iterated to see whether another process has the same token value (the same happens if the original token pointer has been modified). |
| [out] | FromProcess | The process the token has been stolen from. |
| [out] | OldValue | The old token. |
| [out] | NewValue | The new token. |

Return values

| Value | Meaning |
|---|---|
| TRUE | The given process has a stolen token. |
| FALSE | The given process has its original token. |

Definition at line 510 of file wintoken.c.

Referenced by IntWinDpiValidateParentProcessToken(), and IntWinTokenPtrCheckIntegrityOnProcess().
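The two checks documented above for IntWinTokenPtrIsStolen and IntWinTokenCheckCurrentPrivileges, as an added C example that is not HVI's own code: WIN_PROCESS_OBJECT is replaced by a constructed PROC struct, the process list is constructed inline, and modelling an "increase" of a bitfield as any bit set now that was clear in the recorded snapshot is an assumption, not something the page states.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
typedef uint64_t QWORD;
/* Constructed stand-in for the WIN_PROCESS_OBJECT fields these two checks need. */
typedef struct {
    const char *Name;
    QWORD OriginalTokenPtr, CurrentTokenPtr; /* token GVA at creation / as read now */
    QWORD OriginalPresent, OriginalEnabled;  /* Privileges.Present/.Enabled snapshot */
    QWORD CurrentPresent, CurrentEnabled;    /* Privileges.Present/.Enabled as read now */
} PROC;

/* Privilege check (assumed model): a bit set now but clear in the snapshot is an increase. */
static void CheckPrivs(const PROC *p, bool *PresentIncreased, bool *EnabledIncreased)
{
    *PresentIncreased = (p->CurrentPresent & ~p->OriginalPresent) != 0;
    *EnabledIncreased = (p->CurrentEnabled & ~p->OriginalEnabled) != 0;
}

/* Stolen-token check: the pointer differs from the recorded original, or (with Check set)
 * equals another process's original token. FromIdx gets that process's index or (size_t)-1. */
static bool TokenIsStolen(const PROC *procs, size_t n, size_t idx, bool Check, size_t *FromIdx)
{
    const PROC *p = &procs[idx];
    bool changed = p->CurrentTokenPtr != p->OriginalTokenPtr;
    *FromIdx = (size_t)-1;
    for (size_t i = 0; (changed || Check) && i < n; i++)
        if (i != idx && procs[i].OriginalTokenPtr == p->CurrentTokenPtr) { *FromIdx = i; return true; }
    return changed;
}

/* Sweep over every process, as the timer-driven integrity check does; returns the number of findings. */
static int ScanProcesses(const PROC *procs, size_t n)
{
    int alerts = 0;
    for (size_t i = 0; i < n; i++) {
        size_t from; bool pi, ei;
        CheckPrivs(&procs[i], &pi, &ei);
        alerts += TokenIsStolen(procs, n, i, true, &from) + (pi || ei);
    }
    return alerts;
}
/* Constructed sample: cmd.exe now points at System's token; svchost gained one Enabled bit. */
static const PROC gSample[] = {
    {"System",  0xFFFF8000AAAA0000ULL, 0xFFFF8000AAAA0000ULL, 0xFFFFFFULL, 0xFFFFFFULL, 0xFFFFFFULL, 0xFFFFFFULL},
    {"svchost", 0xFFFF8000BBBB0000ULL, 0xFFFF8000BBBB0000ULL, 0x1FULL, 0x03ULL, 0x1FULL, 0x07ULL},
    {"cmd.exe", 0xFFFF8000CCCC0000ULL, 0xFFFF8000AAAA0000ULL, 0x07ULL, 0x01ULL, 0x07ULL, 0x01ULL},
};
static const size_t gSampleCount = sizeof gSample / sizeof gSample[0];
```

On the constructed list the sweep reports two findings: cmd.exe holding System's token, and svchost with an Enabled bit that was not in its snapshot; System itself is not flagged, because its own pointer is unchanged and no other process was created with that token.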
`INTSTATUS IntWinTokenUnprotectPrivs (void)`

Removes the protection against privilege manipulation from all currently protected process tokens.

Return values

| Value | Meaning |
|---|---|
| INT_STATUS_SUCCESS | On success. |
| INT_STATUS_NOT_NEEDED_HINT | If the option INTRO_OPT_PROT_KM_TOKEN_PRIVS is in fact activated. |

Definition at line 1135 of file wintoken.c.

Referenced by IntGuestUpdateCoreOptions().