Bitdefender Hypervisor Memory Introspection
#include <windpi.h>

Data Fields

struct {
    QWORD _Reserved
        Reserved for further use.
} DpiDebugExtraInfo

struct {
    QWORD CurrentStack
        The current stack of the process at the point of process creation.
    QWORD StackBase
        The known stack base present in TIB at the moment of process creation.
    QWORD StackLimit
        The known stack limit present in TIB at the moment of process creation.
    QWORD TrapFrameAddress
        The address of the trap frame. Used for more information gathering when sending the alert.
    QWORD CurrentWow64Stack
        The current stack of the process in WoW64 mode. Valid only if the process is WoW64.
    QWORD Wow64StackBase
        The known stack base in WoW64 mode. Valid only if the process is WoW64.
    QWORD Wow64StackLimit
        The known stack limit in WoW64 mode. Valid only if the process is WoW64.
} DpiPivotedStackExtraInfo

struct {
    QWORD StolenFromEprocess
        The EPROCESS address from which the token was stolen.
} DpiStolenTokenExtraInfo

struct {
    struct {
        DWORD Mapped: 1
        DWORD Detected: 1
            The bit is set if the i-th page was detected as malicious by shemu.
        DWORD HeapValCount: 11
            The number of heap values in the page. Since the max value can be 1024, 11 bits are needed.
        DWORD Offset: 12
            The offset within the given page at which the detection was made, valid if Detected is equal to 1.
        DWORD Executable: 1
            True if the page is executable in the translation.
        DWORD Reserved: 7
            Reserved for further use.
    } HeapPages [HEAP_SPRAY_NR_PAGES]
    QWORD ShellcodeFlags
        Contains the flags on the first page which was detected through shemu.
} DpiHeapSprayExtraInfo

struct {
    QWORD OldEnabled
        The old value from parent's token Privileges.Enabled field.
    QWORD NewEnabled
        The new value from parent's token Privileges.Enabled field, which was deemed malicious.
    QWORD OldPresent
        The old value from parent's token Privileges.Present field.
    QWORD NewPresent
        The new value from parent's token Privileges.Present field, which was deemed malicious.
} DpiTokenPrivsExtraInfo

struct {
    QWORD StartAddress
        The address on which the parent's thread started execution.
    QWORD ShellcodeFlags
        Contains the flags of the starting page detected through shemu.
} DpiThreadStartExtraInfo

struct {
    QWORD SecDescStolenFromEproc
        If the parent's security descriptor has been stolen, this field may hold the victim process (the one the security descriptor was stolen from), if it could be found; it can be NULL.
    QWORD OldPtrValue
        Old value.
    QWORD NewPtrValue
        New value.
    ACL OldSacl
        The old SACL header.
    ACL OldDacl
        The old DACL header.
    ACL NewSacl
        The new SACL header.
    ACL NewDacl
        The new DACL header.
} DpiSecDescAclExtraInfo
Extra info extracted while checking if any DPI heuristic has been violated.
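An added example, not HVMI code, that declares the HeapPages entry of DpiHeapSprayExtraInfo with the bit widths listed above and decodes an entry received in serialized form (an alert consumer's view). It assumes LSB-first bit-field allocation in declaration order and redefines DWORD, since windpi.h is not available here; note that the listed widths add up to 33 bits, so one entry does not fit in a single DWORD.

```c
/* Added example (not HVMI code): the HeapPages[] page descriptor from
 * DpiHeapSprayExtraInfo, declared with the bit widths the page gives, plus a
 * reader for descriptors received in serialized form. DWORD is redefined
 * here because windpi.h is not included. */
#include <stdint.h>
#include <stddef.h>

typedef uint32_t DWORD;

typedef struct {
    DWORD Mapped       : 1;
    DWORD Detected     : 1;   /* page flagged as malicious by shemu */
    DWORD HeapValCount : 11;  /* 0..1024: 10 bits stop at 1023, hence 11 */
    DWORD Offset       : 12;  /* detection offset inside the 4 KiB page */
    DWORD Executable   : 1;
    DWORD Reserved     : 7;   /* 1+1+11+12+1+7 = 33 bits: one DWORD is not enough */
} HEAP_PAGE_INFO;

/* The declared widths exceed 32 bits, so Reserved starts a second allocation
 * unit and each entry is wider than the 4 bytes a parser might assume. */
size_t DpiHeapPageEntrySize(void) { return sizeof(HEAP_PAGE_INFO); }

/* Decode the five meaningful fields from the first DWORD of an entry.
 * Assumes LSB-first allocation in declaration order, as the usual
 * little-endian x86 compilers do; Reserved is left zero. */
HEAP_PAGE_INFO DpiDecodeHeapPage(DWORD first)
{
    HEAP_PAGE_INFO p = {0};
    p.Mapped       = (first >> 0)  & 0x1;
    p.Detected     = (first >> 1)  & 0x1;
    p.HeapValCount = (first >> 2)  & 0x7FF;
    p.Offset       = (first >> 13) & 0xFFF;
    p.Executable   = (first >> 25) & 0x1;
    return p;
}

/* Triage helper: count pages that shemu flagged and that are executable in
 * the translation, over the first DWORDs of a serialized HeapPages array. */
size_t DpiCountExecutableHits(const DWORD *firstWords, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        HEAP_PAGE_INFO p = DpiDecodeHeapPage(firstWords[i]);
        if (p.Mapped && p.Detected && p.Executable)
            hits++;
    }
    return hits;
}
```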
QWORD _DPI_EXTRA_INFO::CurrentStack
The current stack of the process at the point of process creation.
Definition at line 36 of file windpi.h.
Referenced by IntExceptUserLogWindowsInformation(), and IntSerializeDpiWinPivotedStack().
QWORD _DPI_EXTRA_INFO::CurrentWow64Stack
The current stack of the process in WoW64 mode. Valid only if the process is WoW64.
Definition at line 42 of file windpi.h.
Referenced by IntExceptUserLogWindowsInformation(), and IntSerializeDpiWinPivotedStack().
DWORD _DPI_EXTRA_INFO::Detected
The bit is set if the i-th page was detected as malicious by shemu.
struct { ... } _DPI_EXTRA_INFO::DpiDebugExtraInfo
struct { ... } _DPI_EXTRA_INFO::DpiHeapSprayExtraInfo
Referenced by IntExceptUserLogWindowsInformation(), and IntSerializeDpiWinHeapSpray().
struct { ... } _DPI_EXTRA_INFO::DpiPivotedStackExtraInfo
Referenced by IntExceptUserLogWindowsInformation(), and IntSerializeDpiWinPivotedStack().
struct { ... } _DPI_EXTRA_INFO::DpiSecDescAclExtraInfo
Referenced by IntExceptUserLogWindowsInformation(), and IntSerializeDpiWinSecDesc().
struct { ... } _DPI_EXTRA_INFO::DpiStolenTokenExtraInfo
Referenced by IntExceptUserLogWindowsInformation(), and IntSerializeDpiWinStolenToken().
struct { ... } _DPI_EXTRA_INFO::DpiThreadStartExtraInfo
Referenced by IntExceptUserLogWindowsInformation(), and IntSerializeDpiWinThreadStart().
struct { ... } _DPI_EXTRA_INFO::DpiTokenPrivsExtraInfo
Referenced by IntExceptUserLogWindowsInformation(), and IntSerializeDpiWinTokenPrivs().
DWORD _DPI_EXTRA_INFO::Executable
True if the page is executable in the translation.
struct { ... } _DPI_EXTRA_INFO::HeapPages[HEAP_SPRAY_NR_PAGES]
Referenced by IntExceptUserLogWindowsInformation(), and IntSerializeDpiWinHeapSpray().
DWORD _DPI_EXTRA_INFO::HeapValCount
The number of heap values in the page. Since the max value can be 1024, 11 bits are needed.
DWORD _DPI_EXTRA_INFO::Mapped
ACL _DPI_EXTRA_INFO::NewDacl
The new DACL header.
Definition at line 99 of file windpi.h.
Referenced by IntExceptUserLogWindowsInformation().
QWORD _DPI_EXTRA_INFO::NewEnabled
The new value from parent's token Privileges.Enabled field, which was deemed malicious.
Definition at line 74 of file windpi.h.
Referenced by IntExceptUserLogWindowsInformation(), and IntSerializeDpiWinTokenPrivs().
QWORD _DPI_EXTRA_INFO::NewPresent
The new value from parent's token Privileges.Present field, which was deemed malicious.
Definition at line 77 of file windpi.h.
Referenced by IntExceptUserLogWindowsInformation(), and IntSerializeDpiWinTokenPrivs().
ACL _DPI_EXTRA_INFO::NewSacl
The new SACL header.
Definition at line 98 of file windpi.h.
Referenced by IntExceptUserLogWindowsInformation().
DWORD _DPI_EXTRA_INFO::Offset
The offset within the given page at which the detection was made, valid if Detected is equal to 1.
ACL _DPI_EXTRA_INFO::OldDacl
The old DACL header.
Definition at line 96 of file windpi.h.
Referenced by IntExceptUserLogWindowsInformation().
QWORD _DPI_EXTRA_INFO::OldEnabled
The old value from parent's token Privileges.Enabled field.
Definition at line 72 of file windpi.h.
Referenced by IntExceptUserLogWindowsInformation(), and IntSerializeDpiWinTokenPrivs().
QWORD _DPI_EXTRA_INFO::OldPresent
The old value from parent's token Privileges.Present field.
Definition at line 75 of file windpi.h.
Referenced by IntExceptUserLogWindowsInformation(), and IntSerializeDpiWinTokenPrivs().
ACL _DPI_EXTRA_INFO::OldSacl
The old SACL header.
Definition at line 95 of file windpi.h.
Referenced by IntExceptUserLogWindowsInformation().
QWORD _DPI_EXTRA_INFO::SecDescStolenFromEproc
If the parent's security descriptor has been stolen, this field may hold the victim process (the one the security descriptor was stolen from), if it could be found; it can be NULL.
Definition at line 90 of file windpi.h.
Referenced by IntExceptUserLogWindowsInformation(), and IntSerializeDpiWinSecDesc().
QWORD _DPI_EXTRA_INFO::ShellcodeFlags
The field name is shared by two of the anonymous structs above. In DpiHeapSprayExtraInfo it contains the flags on the first page which was detected through shemu; in DpiThreadStartExtraInfo it contains the flags of the starting page detected through shemu.
Definition at line 67 of file windpi.h.
Referenced by IntExceptUserLogWindowsInformation(), IntSerializeDpiWinHeapSpray(), and IntSerializeDpiWinThreadStart().
QWORD _DPI_EXTRA_INFO::StackBase
The known stack base present in TIB at the moment of process creation.
Definition at line 37 of file windpi.h.
Referenced by IntExceptUserLogWindowsInformation(), and IntSerializeDpiWinPivotedStack().
QWORD _DPI_EXTRA_INFO::StackLimit
The known stack limit present in TIB at the moment of process creation.
Definition at line 38 of file windpi.h.
Referenced by IntExceptUserLogWindowsInformation(), and IntSerializeDpiWinPivotedStack().
QWORD _DPI_EXTRA_INFO::StartAddress
The address on which the parent's thread started execution.
Definition at line 82 of file windpi.h.
Referenced by IntExceptUserLogWindowsInformation(), and IntSerializeDpiWinThreadStart().
QWORD _DPI_EXTRA_INFO::StolenFromEprocess
The EPROCESS address from which the token was stolen.
Definition at line 49 of file windpi.h.
Referenced by IntExceptUserLogWindowsInformation(), and IntSerializeDpiWinStolenToken().
QWORD _DPI_EXTRA_INFO::TrapFrameAddress
The address of the trap frame. Used for more information gathering when sending the alert.
Definition at line 40 of file windpi.h.
Referenced by IntExceptUserLogWindowsInformation(), and IntSerializeDpiWinPivotedStack().
QWORD _DPI_EXTRA_INFO::Wow64StackBase
The known stack base in WoW64 mode. Valid only if the process is WoW64.
Definition at line 43 of file windpi.h.
Referenced by IntExceptUserLogWindowsInformation(), and IntSerializeDpiWinPivotedStack().
QWORD _DPI_EXTRA_INFO::Wow64StackLimit
The known stack limit in WoW64 mode. Valid only if the process is WoW64.
Definition at line 44 of file windpi.h.
Referenced by IntExceptUserLogWindowsInformation(), and IntSerializeDpiWinPivotedStack().