- Generated by
1.8.13
|
Bitdefender Hypervisor Memory Introspection
|
Data Fields | |
| BOOLEAN | Initialized |
| True if the agents state has been initialized. More... | |
| QWORD | Trampoline |
| The address of the trampoline code (slacked inside the kernel). More... | |
| void * | TrampolineCloak |
| Cloak handle used to hide the trampoline inside the guest. More... | |
| DWORD | TrampolineSize |
| Size of the trampoline code. More... | |
| WORD | OffsetStop |
| Offset to the code chunk that stops the thread (_stop label). More... | |
| WORD | OffsetVmcall1 |
| Offset to the first hyper call. More... | |
| WORD | OffsetVmcall2 |
| Offset to the second hyper call. More... | |
| DWORD | Counter |
| Incremented on each agent injection, used to generate unique agent IDs. More... | |
| LIST_ENTRY | PendingAgents |
| List of agents waiting to be injected. More... | |
| LIST_ENTRY | AgentNames |
| List of agent names. More... | |
| void * | ActiveAgent |
| There can be only one active agent at any given moment. This is the one. More... | |
| DWORD | PendingAgentsCount |
| Number of agents waiting to be activated. More... | |
| DWORD | BootstrapAgentsCount |
| Number of agents bootstrapping. More... | |
| DWORD | CompletingAgentsCount |
| Number of agents that are yet to complete execution. More... | |
| BOOLEAN | SafeToInjectProcess |
| Will be true the moment it's safe to inject agents (the OS has booted). More... | |
Global agents state.
Definition at line 170 of file winagent.c.
| void* _AGENT_STATE::ActiveAgent |
There can be only one active agent at any given moment. This is the one.
Definition at line 185 of file winagent.c.
Referenced by IntWinAgentActivatePendingAgent(), IntWinAgentGetState(), IntWinAgentHandleBreakpointAgent(), IntWinAgentHandleInt3(), IntWinAgentHandleLoader1Hypercall(), IntWinAgentHandleVmcall(), IntWinAgentInit(), IntWinAgentIsRipInsideCurrentAgent(), IntWinAgentRemoveAgentAndResetState(), and IntWinAgentUnInit().
| LIST_ENTRY _AGENT_STATE::AgentNames |
List of agent names.
Definition at line 184 of file winagent.c.
Referenced by IntWinAgentCheckIfProcessAgentAndDecrement(), IntWinAgentCheckIfProcessAgentAndIncrement(), IntWinAgentInit(), IntWinAgentInject(), IntWinAgentRemoveEntryByAgid(), and IntWinAgentUnInit().
| DWORD _AGENT_STATE::BootstrapAgentsCount |
Number of agents bootstrapping.
Definition at line 187 of file winagent.c.
Referenced by IntWinAgentActivatePendingAgent(), IntWinAgentHandleBreakpointAgent(), and IntWinAgentReleaseBootstrap().
| DWORD _AGENT_STATE::CompletingAgentsCount |
Number of agents that are yet to complete execution.
Definition at line 188 of file winagent.c.
Referenced by IntWinAgentActivatePendingAgent(), IntWinAgentHandleBreakpointAgent(), IntWinAgentHandleLoader1Hypercall(), and IntWinAgentRemoveAgentAndResetState().
| DWORD _AGENT_STATE::Counter |
Incremented on each agent injection, used to generate unique agent IDs.
Definition at line 181 of file winagent.c.
Referenced by IntWinAgentInject(), and IntWinAgentInjectBreakpoint().
| BOOLEAN _AGENT_STATE::Initialized |
True if the agents state has been initialized.
Definition at line 172 of file winagent.c.
Referenced by IntWinAgentInit(), and IntWinAgentUnInit().
| WORD _AGENT_STATE::OffsetStop |
Offset to the code chunk that stops the thread (_stop label).
Definition at line 177 of file winagent.c.
Referenced by IntWinAgentActivatePendingAgent(), and IntWinAgentInjectTrampoline().
| WORD _AGENT_STATE::OffsetVmcall1 |
Offset to the first hyper call.
Definition at line 178 of file winagent.c.
Referenced by IntWinAgentHandleInt3(), IntWinAgentHandleLoader1Hypercall(), and IntWinAgentInjectTrampoline().
| WORD _AGENT_STATE::OffsetVmcall2 |
Offset to the second hyper call.
Definition at line 179 of file winagent.c.
Referenced by IntWinAgentHandleInt3(), IntWinAgentHandleLoader1Hypercall(), and IntWinAgentInjectTrampoline().
| LIST_ENTRY _AGENT_STATE::PendingAgents |
List of agents waiting to be injected.
Definition at line 183 of file winagent.c.
Referenced by IntWinAgentActivatePendingAgent(), IntWinAgentDisablePendingAgents(), IntWinAgentGetState(), IntWinAgentInit(), IntWinAgentInject(), and IntWinAgentInjectBreakpoint().
| DWORD _AGENT_STATE::PendingAgentsCount |
Number of agents waiting to be activated.
Definition at line 186 of file winagent.c.
Referenced by IntWinAgentActivatePendingAgent(), IntWinAgentDisablePendingAgents(), IntWinAgentGetState(), IntWinAgentInject(), and IntWinAgentInjectBreakpoint().
| BOOLEAN _AGENT_STATE::SafeToInjectProcess |
Will be true the moment it's safe to inject agents (the OS has booted).
Definition at line 189 of file winagent.c.
Referenced by IntWinAgentActivatePendingAgent(), IntWinAgentEnableInjection(), and IntWinAgentInit().
| QWORD _AGENT_STATE::Trampoline |
The address of the trampoline code (slacked inside the kernel).
Definition at line 173 of file winagent.c.
Referenced by IntWinAgentActivatePendingAgent(), IntWinAgentHandleInt3(), IntWinAgentHandleLoader1Hypercall(), IntWinAgentInjectTrampoline(), IntWinAgentIsPtrInTrampoline(), and IntWinAgentUnInit().
| void* _AGENT_STATE::TrampolineCloak |
Cloak handle used to hide the trampoline inside the guest.
Definition at line 174 of file winagent.c.
Referenced by IntWinAgentInjectTrampoline(), and IntWinAgentUnInit().
| DWORD _AGENT_STATE::TrampolineSize |
Size of the trampoline code.
Definition at line 175 of file winagent.c.
Referenced by IntWinAgentInjectTrampoline(), and IntWinAgentIsPtrInTrampoline().
1.8.13