Panoptes 1.0.0
Endpoint Detection and Response
Loading...
Searching...
No Matches
Classes | Typedefs | Functions
pano_query.h File Reference
#include "structs.h"

Go to the source code of this file.

Classes

struct  _PROCESS_MITIGATION_POLICY_INFORMATION
 

Typedefs

typedef struct _PROCESS_MITIGATION_POLICY_INFORMATION PROCESS_MITIGATION_POLICY_INFORMATION
 
typedef struct _PROCESS_MITIGATION_POLICY_INFORMATIONPPROCESS_MITIGATION_POLICY_INFORMATION
 

Functions

NTSTATUS NTAPI ZwQueryInformationProcess (HANDLE hProcess, PROCESSINFOCLASS infoType, PVOID pBuf, ULONG lenBuf, SIZE_T *returnLength)
 
NTSTATUS QueryProcessMitigationPolicy (HANDLE ProcessId, PROCESS_MITIGATION_POLICY_INFORMATION *policyInfo)
 

Typedef Documentation

◆ PPROCESS_MITIGATION_POLICY_INFORMATION

typedef struct _PROCESS_MITIGATION_POLICY_INFORMATION * PPROCESS_MITIGATION_POLICY_INFORMATION

◆ PROCESS_MITIGATION_POLICY_INFORMATION

typedef struct _PROCESS_MITIGATION_POLICY_INFORMATION PROCESS_MITIGATION_POLICY_INFORMATION

Function Documentation

◆ QueryProcessMitigationPolicy()

NTSTATUS QueryProcessMitigationPolicy ( HANDLE  ProcessId,
PROCESS_MITIGATION_POLICY_INFORMATION policyInfo 
)

Definition at line 5 of file pano_query.cpp.

5 {
6 UNREFERENCED_PARAMETER(policyInfo);
7 HANDLE hProcess;
8 PEPROCESS eProcess;
9
10 if (ProcessId == NULL) {
11 DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[-] Panoptes: Invalid ProcessId\n");
12 return STATUS_INVALID_PARAMETER; //0xC000000D
13 }
14
15 NTSTATUS status = PsLookupProcessByProcessId(ProcessId, &eProcess);
16 if (!NT_SUCCESS(status)) {
17 DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[-] Panoptes: PsLookupProcessByProcessId failed with status 0x%X\n", status);
18 return status;
19 }
20
21 status = ObOpenObjectByPointer(
22 eProcess,
23 OBJ_KERNEL_HANDLE,
24 NULL,
25 0x1000,//PROCESS_QUERY_LIMITED_INFORMATION,
26 *PsProcessType,
27 KernelMode,
28 &hProcess);
29
30 ObDereferenceObject(eProcess);
31
32 if (!NT_SUCCESS(status)) {
33 DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[-] Panoptes: ObOpenObjectByPointer failed with status 0x%X\n", status);
34 return status;
35 }
36
37 PROCESS_MITIGATION_POLICY_INFORMATION policyInfoLocal;
38 policyInfoLocal.Policy = ProcessSignaturePolicy;
39 status = ZwQueryInformationProcess(hProcess, ProcessMitigationPolicy, &policyInfoLocal, sizeof(policyInfoLocal), nullptr);
40 if (!NT_SUCCESS(status)) {
41 DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[-] Panoptes: ZwQueryInformationProcess failed with status 0x%X\n", status);
42 }
43
44 if (&policyInfoLocal != NULL) {
45 if (policyInfoLocal.Data.SignaturePolicy.MicrosoftSignedOnly != 0) {
46 DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[+] Panoptes: Process with MicrosoftOnly");
47 }
48 }
49
50 ZwClose(hProcess);
51
52 return STATUS_SUCCESS;
53}
ZwQueryInformationProcess
NTSTATUS NTAPI ZwQueryInformationProcess(HANDLE hProcess, PROCESSINFOCLASS infoType, PVOID pBuf, ULONG lenBuf, SIZE_T *returnLength)
_PROCESS_MITIGATION_POLICY_INFORMATION
Definition pano_query.h:6
_PROCESS_MITIGATION_POLICY_INFORMATION::SignaturePolicy
PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY SignaturePolicy
Definition pano_query.h:16
_PROCESS_MITIGATION_POLICY_INFORMATION::Policy
PROCESS_MITIGATION_POLICY Policy
Definition pano_query.h:7
_PROCESS_MITIGATION_POLICY_INFORMATION::Data
union _PROCESS_MITIGATION_POLICY_INFORMATION::@5 Data

References _PROCESS_MITIGATION_POLICY_INFORMATION::Data, _PROCESS_MITIGATION_POLICY_INFORMATION::Policy, _PROCESS_MITIGATION_POLICY_INFORMATION::SignaturePolicy, and ZwQueryInformationProcess().

Referenced by ProcessCreateCallback().

◆ ZwQueryInformationProcess()

NTSTATUS NTAPI ZwQueryInformationProcess ( HANDLE  hProcess,
PROCESSINFOCLASS  infoType,
PVOID  pBuf,
ULONG  lenBuf,
SIZE_T *  returnLength 
)

Referenced by QueryProcessMitigationPolicy().

Generated by doxygen 1.9.8