Bitdefender Hypervisor Memory Introspection
guest_stack.h
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2020 Bitdefender
3  * SPDX-License-Identifier: Apache-2.0
4  */
5 #ifndef _GUEST_STACK_H_
6 #define _GUEST_STACK_H_
7 
8 #include "introtypes.h"
9 
11 #define STACK_ADDR_NOT_INSIDE_FUNCTION 0x00000001
12 #define STACK_CALL_ADDRESS_IMPRECISE 0x00000002
14 #define STACK_INTERRUPT_ROUTINE 0x00000004
16 #define STACK_EXCEPTION_ROUTINE 0x00000008
18 
20 #define STACK_FLG_ONLY_DRIVER_ADDRS 0x00000001
21 #define STACK_FLG_FAST_GET 0x00000002
23 
25 typedef struct _STACK_ELEMENT
26 {
32  DWORD Flags;
33  void *ReturnModule;
34  QWORD ReturnAddress;
35 
36  QWORD CalledAddress;
37  QWORD CurrentRip;
38  QWORD RetAddrPointer;
39 } STACK_ELEMENT, *PSTACK_ELEMENT;
40 
42 typedef struct _STACK_TRACE
43 {
44  DWORD NumberOfTraces;
45  QWORD StartRip;
46  STACK_ELEMENT *Traces;
47 
48  BOOLEAN Bits64;
49 } STACK_TRACE, *PSTACK_TRACE;
50 
51 #endif //_GUEST_STACK_H_
_STACK_TRACE::Bits64
BOOLEAN Bits64
TRUE if we got the stack frame in 64-bit mode (RBP) or 32 (EBP)
Definition: guest_stack.h:48
BOOLEAN
_Bool BOOLEAN
Definition: intro_types.h:58
PSTACK_TRACE
struct _STACK_TRACE * PSTACK_TRACE
_STACK_ELEMENT::Flags
DWORD Flags
Describe what each of the following fields mean.
Definition: guest_stack.h:32
_STACK_ELEMENT
Structure that describes a stack trace element.
Definition: guest_stack.h:25
_STACK_TRACE::NumberOfTraces
DWORD NumberOfTraces
Number of elements inside Traces.
Definition: guest_stack.h:44
_STACK_ELEMENT::RetAddrPointer
QWORD RetAddrPointer
Where we found the return address.
Definition: guest_stack.h:38
_STACK_TRACE::Traces
STACK_ELEMENT * Traces
Array describing the stack trace elements.
Definition: guest_stack.h:46
_STACK_ELEMENT::ReturnModule
void * ReturnModule
The module to which the function belongs.
Definition: guest_stack.h:33
QWORD
unsigned long long QWORD
Definition: intro_types.h:53
_STACK_ELEMENT::CalledAddress
QWORD CalledAddress
The start address of the function called.
Definition: guest_stack.h:36
_STACK_ELEMENT::ReturnAddress
QWORD ReturnAddress
The address where the current stack frame will return (@ ret)
Definition: guest_stack.h:34
_STACK_TRACE::StartRip
QWORD StartRip
The RIP where we were initially.
Definition: guest_stack.h:45
STACK_TRACE
struct _STACK_TRACE STACK_TRACE
Structure that describes a stack trace.
DWORD
uint32_t DWORD
Definition: intro_types.h:49
_STACK_ELEMENT::CurrentRip
QWORD CurrentRip
The RIP where we are now (pointing to the instruction next to the CALL)
Definition: guest_stack.h:37
PSTACK_ELEMENT
struct _STACK_ELEMENT * PSTACK_ELEMENT
STACK_ELEMENT
struct _STACK_ELEMENT STACK_ELEMENT
Structure that describes a stack trace element.
_STACK_TRACE
Structure that describes a stack trace.
Definition: guest_stack.h:42