Bitdefender Hypervisor Memory Introspection
#include "introcore.h"
Typedefs
  typedef struct _WIN_PROCESS_OBJECT WIN_PROCESS_OBJECT

Functions
  INTSTATUS IntShcIsSuspiciousCode (QWORD Gva, QWORD Gpa, DWORD CsType, IG_ARCH_REGS *Registers, QWORD *ShellcodeFlags)
    Checks whether the code located at the given guest virtual address is suspicious.
typedef struct _WIN_PROCESS_OBJECT WIN_PROCESS_OBJECT
Definition at line 10 of file shellcode.h.
INTSTATUS IntShcIsSuspiciousCode (QWORD Gva, QWORD Gpa, DWORD CsType, IG_ARCH_REGS *Registers, QWORD *ShellcodeFlags)
Checks whether the code located at the given guest virtual address is suspicious.
This function calls the shellcode emulator on the provided memory address. The shellcode emulator looks for the following shellcode indicators: 0. NOP sled;
Parameters
  [in]  Gva             Guest virtual address to be emulated.
  [in]  Gpa             Guest physical address to be emulated.
  [in]  CsType          Operating mode; must be 32-bit or 64-bit mode.
  [in]  Registers       General purpose register state.
  [in]  ShellcodeFlags  Will contain, upon return, the shellcode flags identified by the shellcode emulator.

Return values
  INT_STATUS_SUCCESS            On success.
  INT_STATUS_INVALID_PARAMETER  If an invalid parameter is supplied.
Definition at line 25 of file shellcode.c.
Referenced by IntLixVmaHandlePageExecution(), IntWinCrashHandleDepViolation(), IntWinDpiValidateHeapSpray(), IntWinDpiValidateThreadStart(), and IntWinVadIsExecSuspicious().