Bitdefender Hypervisor Memory Introspection

Describes a detour set inside the guest memory.
#include <detours.h>
Data Fields

| Type | Name | Description |
|---|---|---|
| LIST_ENTRY | Link | The link inside the DETOURS_STATE.DetoursList list. |
| PFUNC_DetourCallback | Callback | Callback to be invoked when the detour issues a hypercall. May be NULL. |
| DETOUR_TAG | Tag | Detour tag. |
| QWORD | HypercallAddress | The guest virtual address at which the hypercall is placed. |
| QWORD | FunctionAddress | The guest virtual address of the hooked function. |
| QWORD | HandlerAddress | The guest virtual address of the detour handler. |
| DWORD | HandlerSize | The size of the detour handler. |
| QWORD | LixGuestDetour | The address of the Linux detour header. |
| HYPERCALL_TYPE | HypercallType | The type of the hypercall that this detour uses. |
| BYTE | JumpBackOffset | Offset, relative to HandlerAddress, where the jump that returns control to the hooked function is found. |
| BYTE | HypercallOffset | Offset, relative to HandlerAddress, where the hypercall instruction is found. |
| BYTE | RelocatedCodeOffset | Offset, relative to HandlerAddress, where the original function prologue, replaced by the jump placed at the beginning of the function, has been relocated. |
| BYTE | RelocatedCodeLength | The size of the relocated code. |
| BYTE | NrPublicDataOffsets | The number of valid entries inside the PublicDataOffsets array. |
| API_HOOK_PUBLIC_DATA | PublicDataOffsets[PUBLIC_DATA_MAX_DESCRIPTORS] | Public data that can be used to modify the detour handler. |
| BOOLEAN | Disabled | True if this detour has been disabled. |
| QWORD | ModuleBase | The guest virtual address of the base of the kernel module that owns the hooked function. |
| void * | FunctionCloakHandle | The memory cloak handle used to hide the modified function start. See Memory cloaking. |
| void * | HandlerCloakHandle | The memory cloak handle used to hide the detour handler. See Memory cloaking. |
| QWORD | HitCount | The number of times this detour issued a hypercall. |
| PAPI_HOOK_DESCRIPTOR | Descriptor | The hook descriptor for which this hook was set. |
| const LIX_FN_DETOUR * | LixFnDetour | |
Describes a detour set inside the guest memory.
This is created by IntDetSetHook and IntDetSetLixHook in order to hold information about a detour that has been set. Part of the information in this structure comes from the API_HOOK_DESCRIPTOR used for this hook.
PFUNC_DetourCallback _DETOUR::Callback
Callback to be invoked when the detour issues a hypercall. May be NULL.
Definition at line 441 of file detours.h.
Referenced by IntDetCreateObjectLix(), and IntDetSetHook().
PAPI_HOOK_DESCRIPTOR _DETOUR::Descriptor
The hook descriptor for which this hook was set.
Definition at line 501 of file detours.h.
Referenced by IntDetGetArgument(), IntDetGetArguments(), IntDetPatchArgument(), and IntDetSetHook().
BOOLEAN _DETOUR::Disabled
True if this detour has been disabled.
Disabled detours are still present inside the guest, but they no longer issue hypercalls.
The hypercall instruction is replaced with NOPs, but the rest of the detour code is untouched.
Definition at line 489 of file detours.h.
Referenced by IntDetCallCallback().
QWORD _DETOUR::FunctionAddress
The guest virtual address of the hooked function.
Definition at line 451 of file detours.h.
Referenced by IntDetCallCallback(), IntDetCreateObjectLix(), IntDetGetFunctionAddressByTag(), IntDetHandleWrite(), IntDetSetHook(), and IntDetSetLixHook().
void* _DETOUR::FunctionCloakHandle
The memory cloak handle used to hide the modified function start. See Memory cloaking.
Definition at line 494 of file detours.h.
Referenced by IntDetSetHook().
QWORD _DETOUR::HandlerAddress
The guest virtual address of the detour handler.
Definition at line 454 of file detours.h.
Referenced by IntDetCreateObjectLix(), IntDetGetByTag(), IntDetHandleWrite(), IntDetSetHook(), and IntDetSetLixHook().
void* _DETOUR::HandlerCloakHandle
The memory cloak handle used to hide the detour handler. See Memory cloaking.
Definition at line 496 of file detours.h.
Referenced by IntDetModifyPublicData(), and IntDetSetHook().
DWORD _DETOUR::HandlerSize
The size of the detour handler.
Note that this is not the same as API_HOOK_HANDLER.CodeLength: that value covers only the code injected for the handler itself, whereas HandlerSize also accounts for the size of the relocated guest instructions.
Definition at line 460 of file detours.h.
Referenced by IntDetGetByTag(), IntDetHandleWrite(), and IntDetSetHook().
QWORD _DETOUR::HitCount
The number of times this detour issued a hypercall.
Definition at line 498 of file detours.h.
Referenced by IntDetCallCallback().
QWORD _DETOUR::HypercallAddress
The guest virtual address at which the hypercall is placed.
This is used to find the proper DETOUR structure when a hypercall is issued.
Definition at line 449 of file detours.h.
Referenced by IntDetSetHook().
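To show how the fields above work together, here is an added C example (not HVMI's own code): a simplified detour record, a layout check on the handler offsets, and a dispatcher that finds the detour by HypercallAddress when a hypercall arrives, honours Disabled, counts HitCount and invokes the optional Callback. The DETOUR_EX type, the 3-byte hypercall and 5-byte jump sizes, and the sample addresses are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed mirror of the _DETOUR fields used below (not HVMI's own type). */
typedef struct _DETOUR_EX {
    uint64_t HandlerAddress, HypercallAddress, HitCount;
    uint32_t HandlerSize;
    uint8_t  HypercallOffset, RelocatedCodeOffset, RelocatedCodeLength;
    bool     Disabled;
    int    (*Callback)(struct _DETOUR_EX *d);   /* may be NULL, as on the page */
} DETOUR_EX;

#define HYPERCALL_LEN 3   /* assumed: 3-byte hypercall instruction */
#define HOOK_JMP_LEN  5   /* assumed: 5-byte rel32 jmp written at the function start */

/* Offsets must fall inside HandlerSize, the relocated prologue must be at least as
   long as the jump that displaced it, and it must not overlap the hypercall. */
bool detour_layout_ok(const DETOUR_EX *d)
{
    uint32_t hc_end  = (uint32_t)d->HypercallOffset + HYPERCALL_LEN;
    uint32_t rel_end = (uint32_t)d->RelocatedCodeOffset + d->RelocatedCodeLength;
    if (d->HandlerSize == 0 || hc_end > d->HandlerSize || rel_end > d->HandlerSize)
        return false;
    if (d->RelocatedCodeLength < HOOK_JMP_LEN)
        return false;
    if (d->HypercallOffset < rel_end && d->RelocatedCodeOffset < hc_end)
        return false;                                   /* regions overlap */
    return d->HypercallAddress == d->HandlerAddress + d->HypercallOffset;
}

/* Find the detour by the guest RIP of the hypercall (the lookup role HypercallAddress
   has on the page), skip disabled ones, count the hit and run the callback if set.
   Returns the callback's result, 0 if no callback, -1 if no detour matches. */
int dispatch_hypercall(DETOUR_EX *table, size_t n, uint64_t guest_rip)
{
    for (size_t i = 0; i < n; i++) {
        DETOUR_EX *d = &table[i];
        if (d->HypercallAddress != guest_rip || d->Disabled)
            continue;
        d->HitCount++;
        return d->Callback ? d->Callback(d) : 0;
    }
    return -1;
}

/* Constructed sample detour: handler at 0xFFFF800000001000, hypercall at +0x10. */
static int sample_cb(DETOUR_EX *d) { return (int)d->HitCount; }
DETOUR_EX g_sample = { 0xFFFF800000001000ULL, 0xFFFF800000001010ULL, 0, 0x40,
                       0x10, 0x20, 7, false, sample_cb };
```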
BYTE _DETOUR::HypercallOffset
Offset, relative to HandlerAddress, where the hypercall instruction is found.
Definition at line 472 of file detours.h.
Referenced by IntDetSetHook().
HYPERCALL_TYPE _DETOUR::HypercallType
The type of the hypercall that this detour uses.
Definition at line 466 of file detours.h.
Referenced by IntDetCallCallback(), IntDetCreateObjectLix(), and IntDetSetHook().
BYTE _DETOUR::JumpBackOffset
Offset, relative to HandlerAddress, where the jump that returns control to the hooked function is found.
Definition at line 470 of file detours.h.
Referenced by IntDetSetHook().
LIST_ENTRY _DETOUR::Link
The link inside the DETOURS_STATE.DetoursList list.
Definition at line 439 of file detours.h.
Referenced by IntDetSetHook(), and IntDetSetLixHook().
const LIX_FN_DETOUR* _DETOUR::LixFnDetour
Definition at line 502 of file detours.h.
Referenced by IntDetCreateObjectLix().
QWORD _DETOUR::LixGuestDetour
The address of the Linux detour header.
Definition at line 463 of file detours.h.
Referenced by IntDetCreateObjectLix(), and IntDetSetLixHook().
QWORD _DETOUR::ModuleBase
The guest virtual address of the base of the kernel module that owns the hooked function.
Definition at line 491 of file detours.h.
Referenced by IntDetSetHook().
BYTE _DETOUR::NrPublicDataOffsets
The number of valid entries inside the PublicDataOffsets array.
Definition at line 480 of file detours.h.
Referenced by IntDetModifyPublicData(), and IntDetSetHook().
API_HOOK_PUBLIC_DATA _DETOUR::PublicDataOffsets[PUBLIC_DATA_MAX_DESCRIPTORS]
Public data that can be used to modify the detour handler.
Definition at line 482 of file detours.h.
Referenced by IntDetModifyPublicData(), and IntDetSetHook().
BYTE _DETOUR::RelocatedCodeLength
The size of the relocated code.
Definition at line 477 of file detours.h.
Referenced by IntDetCreateObjectLix(), IntDetHandleWrite(), IntDetSetHook(), and IntDetSetLixHook().
BYTE _DETOUR::RelocatedCodeOffset
Offset, relative to HandlerAddress, where the original function prologue, replaced by the jump placed at the beginning of the function, has been relocated.
Definition at line 475 of file detours.h.
Referenced by IntDetCreateObjectLix(), and IntDetSetHook().
DETOUR_TAG _DETOUR::Tag
Detour tag.
Definition at line 444 of file detours.h.
Referenced by IntDetCallCallback(), IntDetGetArguments(), IntDetHandleWrite(), and IntDetSetHook().