pano_query.cpp File Reference
#include "pano_query.h"
#include <ntifs.h>


Functions

NTSTATUS QueryProcessMitigationPolicy (HANDLE ProcessId, PROCESS_MITIGATION_POLICY_INFORMATION *policyInfo)
 

Function Documentation

◆ QueryProcessMitigationPolicy()

NTSTATUS QueryProcessMitigationPolicy ( HANDLE  ProcessId,
PROCESS_MITIGATION_POLICY_INFORMATION *  policyInfo 
)

Definition at line 5 of file pano_query.cpp.

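NTSTATUS QueryProcessMitigationPolicy(HANDLE ProcessId, PROCESS_MITIGATION_POLICY_INFORMATION *policyInfo)
{
    // Queries the ProcessSignaturePolicy mitigation (MicrosoftSignedOnly) of the
    // process identified by ProcessId and, when policyInfo is non-NULL, copies the
    // queried PROCESS_MITIGATION_POLICY_INFORMATION into it.
    //
    // ProcessId  - process id of the target (a client id, not a handle); NULL is rejected.
    // policyInfo - optional output buffer; left untouched unless the query succeeds.
    //
    // Returns STATUS_INVALID_PARAMETER for a NULL ProcessId, otherwise the NTSTATUS of
    // the first failing kernel call (PsLookupProcessByProcessId, ObOpenObjectByPointer,
    // ZwQueryInformationProcess), or STATUS_SUCCESS when the policy was read.
    if (ProcessId == NULL) {
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[-] Panoptes: Invalid ProcessId\n");
        return STATUS_INVALID_PARAMETER; //0xC000000D
    }

    PEPROCESS eProcess = nullptr;
    NTSTATUS status = PsLookupProcessByProcessId(ProcessId, &eProcess);
    if (!NT_SUCCESS(status)) {
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[-] Panoptes: PsLookupProcessByProcessId failed with status 0x%X\n", status);
        return status;
    }

    // PROCESS_QUERY_LIMITED_INFORMATION (0x1000) is all that ProcessMitigationPolicy
    // needs; a kernel handle keeps it out of any user-mode handle table.
    HANDLE hProcess = nullptr;
    status = ObOpenObjectByPointer(
        eProcess,
        OBJ_KERNEL_HANDLE,
        NULL,
        PROCESS_QUERY_LIMITED_INFORMATION,
        *PsProcessType,
        KernelMode,
        &hProcess);

    // The lookup reference is no longer needed: on success the handle holds its own
    // reference to the process object, on failure nothing else uses eProcess.
    ObDereferenceObject(eProcess);

    if (!NT_SUCCESS(status)) {
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[-] Panoptes: ObOpenObjectByPointer failed with status 0x%X\n", status);
        return status;
    }

    // NOTE(review): the original declaration of policyInfoLocal was not visible in the
    // rendered listing. It is zero-initialised here so Data never carries stale stack
    // contents if the query fails and so the copy to policyInfo is well-defined.
    PROCESS_MITIGATION_POLICY_INFORMATION policyInfoLocal = {};
    policyInfoLocal.Policy = ProcessSignaturePolicy;

    // ReturnLength is not needed, hence nullptr. NOTE(review): the local prototype in
    // pano_query.h declares that parameter as SIZE_T*, whereas the documented
    // ZwQueryInformationProcess takes a PULONG; harmless while nullptr is passed, but
    // fix the prototype before ever passing a real pointer.
    status = ZwQueryInformationProcess(hProcess, ProcessMitigationPolicy, &policyInfoLocal, sizeof(policyInfoLocal), nullptr);

    // Close before inspecting the result so every return path below has released it.
    ZwClose(hProcess);

    if (!NT_SUCCESS(status)) {
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[-] Panoptes: ZwQueryInformationProcess failed with status 0x%X\n", status);
        // Previously this fell through to STATUS_SUCCESS with an unpopulated policy;
        // propagate the failure so the caller cannot mistake "unknown" for "not enforced".
        return status;
    }

    if (policyInfoLocal.Data.SignaturePolicy.MicrosoftSignedOnly != 0) {
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[+] Panoptes: Process with MicrosoftOnly\n");
    }

    // Hand the result back; the original left policyInfo unreferenced, so the caller
    // (ProcessCreateCallback) could never act on the queried policy.
    if (policyInfo != nullptr) {
        *policyInfo = policyInfoLocal;
    }

    return STATUS_SUCCESS;
}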
NTSTATUS NTAPI ZwQueryInformationProcess(HANDLE hProcess, PROCESSINFOCLASS infoType, PVOID pBuf, ULONG lenBuf, SIZE_T *returnLength)
PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY SignaturePolicy
Definition pano_query.h:16
PROCESS_MITIGATION_POLICY Policy
Definition pano_query.h:7
union _PROCESS_MITIGATION_POLICY_INFORMATION::@5 Data

References _PROCESS_MITIGATION_POLICY_INFORMATION::Data, _PROCESS_MITIGATION_POLICY_INFORMATION::Policy, _PROCESS_MITIGATION_POLICY_INFORMATION::SignaturePolicy, and ZwQueryInformationProcess().

Referenced by ProcessCreateCallback().