- Generated by
1.8.13
|
Bitdefender Hypervisor Memory Introspection
|
Event structure for EPT violations. More...
#include <intro_types.h>
Data Fields | |
| INTRO_VIOLATION_HEADER | Header |
| The alert header. More... | |
| struct { | |
| INTRO_MODULE Module | |
| The module that did the malicious access. More... | |
| INTRO_MODULE ReturnModule | |
| The module to which the current code returns to. More... | |
| INTRO_PROCESS Process | |
| The process that did the malicious access. More... | |
| struct { | |
| BOOLEAN User: 1 | |
| Set if it is a KM-UM write due to an injection from user-mode. More... | |
| BOOLEAN Kernel: 1 | |
| Set if it is a KM-UM write due to an injection from kernel-mode. More... | |
| } Injection | |
| } | Originator |
| struct { | |
| INTRO_OBJECT_TYPE Type | |
| The type of the accessed memory area. More... | |
| union { | |
| INTRO_MODULE Module | |
| The module that was modified. More... | |
| INTRO_DRVOBJ DriverObject | |
| The driver object that was modified. Valid only if Type is introObjectTypeDriverObject. More... | |
| } | |
| BYTE IdtEntry | |
| The IDT entry that was modified. Valid only if Type is introObjectTypeIdt. More... | |
| } | Victim |
| union { | |
| INTRO_WRITE_INFO WriteInfo | |
| INTRO_READ_INFO ReadInfo | |
| INTRO_EXEC_INFO ExecInfo | |
| Execution information. Valid only if Violation is IG_EPT_HOOK_EXECUTE. More... | |
| }; | |
| INTRO_CODEBLOCKS | CodeBlocks |
| Code blocks extracted for the alert. More... | |
| BYTE | Violation |
| The type of the access. It must be one of the IG_EPT_HOOK_TYPE values. More... | |
| QWORD | HookStartVirtual |
| The start of the monitored guest virtual memory area for which this alert was generated. More... | |
| QWORD | HookStartPhysical |
| The start of the monitored guest physical memory area for which this alert was generated. More... | |
| QWORD | VirtualPage |
| The guest virtual page in which the access was made. More... | |
| QWORD | PhysicalPage |
| The guest physical page in which the access was made. More... | |
| DWORD | Offset |
| The offset inside the page where the violation took place. More... | |
| QWORD | ZoneTypes |
| The types of the accessed memory area. More... | |
| CHAR | RipSectionName [ALERT_MAX_SECTION_NAME_LEN] |
| The name of the section in which the RIP resides. May be empty. More... | |
| QWORD | ReturnRip |
| The RIP at which the code that triggered the alert returns. More... | |
| CHAR | ReturnRipSectionName [ALERT_MAX_SECTION_NAME_LEN] |
| The name of the section in which ReturnRip resides. May be empty. More... | |
| CHAR | ModifiedSectionName [ALERT_MAX_SECTION_NAME_LEN] |
| The name of the modified section, if any. More... | |
| CHAR | FunctionName [ALERT_MAX_FUNCTION_NAME_LEN] |
| The name of the modified function, if any. This is the same as Export.Name[0]. More... | |
| DWORD | FunctionNameHash |
| The hash of the modified function name. This is the same as Export.Hash[0]. More... | |
| DWORD | Delta |
| The same as Delta. More... | |
| struct { | |
| char Name [ALERT_MAX_FUNCTIONS][ALERT_MAX_FUNCTION_NAME_LEN] | |
| Array of all the extracted function names. More... | |
| DWORD Hash [ALERT_MAX_FUNCTIONS] | |
| Array of all the extracted function hashes. Export.Hash[i] is the hash for Export.Name[i]. More... | |
| DWORD Delta | |
| The same as Delta. More... | |
| } | Export |
| INTRO_EXEC_CONTEXT | ExecContext |
| Information about the instruction that triggered the alert. More... | |
Event structure for EPT violations.
This event can describe multiple memory access violations: read, write, and execute.
Definition at line 1215 of file intro_types.h.
| union { ... } |
| INTRO_CODEBLOCKS _EVENT_EPT_VIOLATION::CodeBlocks |
Code blocks extracted for the alert.
Definition at line 1263 of file intro_types.h.
Referenced by IntLixDrvSendViolationEvent(), IntLixIdtWriteHandler(), IntLixKernelHandleRead(), IntLixVdsoHandleWriteCommon(), IntVeHandleAccess(), IntVeHandleEPTViolationInProtectedView(), IntWinCrashHandleDepViolation(), IntWinDrvObjSendEptAlert(), IntWinDrvSendAlert(), IntWinHalSendAlert(), IntWinIdtWriteHandler(), IntWinInfHookEptSppSendAlert(), IntWinModHandleKernelWrite(), IntWinModHandleUserWrite(), IntWinSelfMapHandleCr3SelfMapWrite(), IntWinSudSendSudExecAlert(), IntWinTokenPrivsSendEptAlert(), and IntWinVadIsExecSuspicious().
| DWORD _EVENT_EPT_VIOLATION::Delta |
The same as Delta.
The offset relative to the function start address at which the write was attempted. This is the same as Export.Delta. Valid only if a function was modified.
Definition at line 1294 of file intro_types.h.
| INTRO_DRVOBJ _EVENT_EPT_VIOLATION::DriverObject |
The driver object that was modified. Valid only if Type is introObjectTypeDriverObject.
Definition at line 1243 of file intro_types.h.
| INTRO_EXEC_CONTEXT _EVENT_EPT_VIOLATION::ExecContext |
Information about the instruction that triggered the alert.
Definition at line 1309 of file intro_types.h.
Referenced by IntLixDrvSendViolationEvent(), IntLixIdtWriteHandler(), IntLixKernelHandleRead(), IntLixVdsoHandleWriteCommon(), IntLixVmaHandlePageExecution(), IntVeHandleAccess(), IntVeHandleEPTViolationInProtectedView(), IntWinCrashHandleDepViolation(), IntWinDrvObjSendEptAlert(), IntWinDrvSendAlert(), IntWinHalHandleHalHeapExec(), IntWinHalSendAlert(), IntWinIdtWriteHandler(), IntWinInfHookEptSppSendAlert(), IntWinModHandleKernelWrite(), IntWinModHandleUserWrite(), IntWinSelfMapHandleCr3SelfMapWrite(), IntWinSudSendSudExecAlert(), IntWinTokenPrivsSendEptAlert(), and IntWinVadIsExecSuspicious().
| INTRO_EXEC_INFO _EVENT_EPT_VIOLATION::ExecInfo |
Execution information. Valid only if Violation is IG_EPT_HOOK_EXECUTE.
Definition at line 1260 of file intro_types.h.
Referenced by IntWinCrashHandleDepViolation(), IntWinModPolyHandler(), and IntWinSudSendSudExecAlert().
| struct { ... } _EVENT_EPT_VIOLATION::Export |
All the names used to export the modified function. In certain cases, the same function can be exported with multiple names by a module.
| CHAR _EVENT_EPT_VIOLATION::FunctionName[ALERT_MAX_FUNCTION_NAME_LEN] |
The name of the modified function, if any. This is the same as Export.Name[0].
Definition at line 1289 of file intro_types.h.
Referenced by IntLixDrvSendViolationEvent(), and IntLixKernelHandleRead().
| DWORD _EVENT_EPT_VIOLATION::FunctionNameHash |
The hash of the modified function name. This is the same as Export.Hash[0].
Definition at line 1291 of file intro_types.h.
| DWORD _EVENT_EPT_VIOLATION::Hash[ALERT_MAX_FUNCTIONS] |
Array of all the extracted function hashes. Export.Hash[i] is the hash for Export.Name[i].
Definition at line 1303 of file intro_types.h.
| INTRO_VIOLATION_HEADER _EVENT_EPT_VIOLATION::Header |
The alert header.
Definition at line 1217 of file intro_types.h.
Referenced by IntLixDrvSendViolationEvent(), IntLixIdtWriteHandler(), IntLixKernelHandleRead(), IntLixVdsoHandleWriteCommon(), IntLixVmaHandlePageExecution(), IntVeHandleAccess(), IntVeHandleEPTViolationInProtectedView(), IntWinCrashHandleDepViolation(), IntWinDrvObjSendEptAlert(), IntWinDrvSendAlert(), IntWinHalHandleHalHeapExec(), IntWinHalSendAlert(), IntWinIdtWriteHandler(), IntWinInfHookEptSppSendAlert(), IntWinModHandleKernelWrite(), IntWinModHandleUserWrite(), IntWinModPolyHandler(), IntWinSelfMapHandleCr3SelfMapWrite(), IntWinSudSendSudExecAlert(), IntWinTokenPrivsSendEptAlert(), and IntWinVadIsExecSuspicious().
| QWORD _EVENT_EPT_VIOLATION::HookStartPhysical |
The start of the monitored guest physical memory area for which this alert was generated.
Definition at line 1270 of file intro_types.h.
Referenced by IntLixDrvSendViolationEvent(), IntLixVdsoHandleWriteCommon(), IntWinCrashHandleDepViolation(), and IntWinModPolyHandler().
| QWORD _EVENT_EPT_VIOLATION::HookStartVirtual |
The start of the monitored guest virtual memory area for which this alert was generated.
Definition at line 1268 of file intro_types.h.
Referenced by IntLixDrvSendViolationEvent(), IntLixVdsoHandleWriteCommon(), IntWinCrashHandleDepViolation(), and IntWinModPolyHandler().
| BYTE _EVENT_EPT_VIOLATION::IdtEntry |
The IDT entry that was modified. Valid only if Type is introObjectTypeIdt.
Definition at line 1246 of file intro_types.h.
| struct { ... } _EVENT_EPT_VIOLATION::Injection |
Referenced by IntWinModHandleKernelWrite().
| BOOLEAN _EVENT_EPT_VIOLATION::Kernel |
Set if it is a KM-UM write due to an injection from kernel-mode.
Definition at line 1228 of file intro_types.h.
| CHAR _EVENT_EPT_VIOLATION::ModifiedSectionName[ALERT_MAX_SECTION_NAME_LEN] |
The name of the modified section, if any.
Definition at line 1287 of file intro_types.h.
Referenced by IntLixDrvSendViolationEvent(), and IntLixKernelHandleRead().
| INTRO_MODULE _EVENT_EPT_VIOLATION::Module |
The module that did the malicious access.
The module that was modified.
Definition at line 1221 of file intro_types.h.
Referenced by IntLixDrvSendViolationEvent(), IntLixIdtWriteHandler(), IntLixKernelHandleRead(), IntLixVdsoHandleWriteCommon(), IntWinIdtWriteHandler(), and IntWinModPolyHandler().
| char _EVENT_EPT_VIOLATION::Name[ALERT_MAX_FUNCTIONS][ALERT_MAX_FUNCTION_NAME_LEN] |
Array of all the extracted function names.
Definition at line 1301 of file intro_types.h.
| DWORD _EVENT_EPT_VIOLATION::Offset |
The offset inside the page where the violation took place.
Definition at line 1274 of file intro_types.h.
Referenced by IntLixDrvSendViolationEvent(), IntLixVdsoHandleWriteCommon(), IntWinCrashHandleDepViolation(), and IntWinModPolyHandler().
| struct { ... } _EVENT_EPT_VIOLATION::Originator |
| QWORD _EVENT_EPT_VIOLATION::PhysicalPage |
The guest physical page in which the access was made.
Definition at line 1273 of file intro_types.h.
Referenced by IntLixVdsoHandleWriteCommon().
| INTRO_PROCESS _EVENT_EPT_VIOLATION::Process |
The process that did the malicious access.
Definition at line 1223 of file intro_types.h.
Referenced by IntWinModHandleKernelWrite().
| INTRO_READ_INFO _EVENT_EPT_VIOLATION::ReadInfo |
The original value and the value that the guest tried to read. Valid only if Violation is IG_EPT_HOOK_WRITE.
Definition at line 1257 of file intro_types.h.
| INTRO_MODULE _EVENT_EPT_VIOLATION::ReturnModule |
The module to which the current code returns to.
Definition at line 1222 of file intro_types.h.
Referenced by IntLixDrvSendViolationEvent(), IntLixIdtWriteHandler(), IntLixKernelHandleRead(), IntWinIdtWriteHandler(), IntWinSudSendSudExecAlert(), and IntWinVadIsExecSuspicious().
| QWORD _EVENT_EPT_VIOLATION::ReturnRip |
The RIP at which the code that triggered the alert returns.
Definition at line 1282 of file intro_types.h.
Referenced by IntLixDrvSendViolationEvent(), IntWinSudSendSudExecAlert(), and IntWinVadIsExecSuspicious().
| CHAR _EVENT_EPT_VIOLATION::ReturnRipSectionName[ALERT_MAX_SECTION_NAME_LEN] |
The name of the section in which ReturnRip resides. May be empty.
Definition at line 1284 of file intro_types.h.
| CHAR _EVENT_EPT_VIOLATION::RipSectionName[ALERT_MAX_SECTION_NAME_LEN] |
The name of the section in which the RIP resides. May be empty.
Definition at line 1279 of file intro_types.h.
Referenced by IntLixDrvSendViolationEvent(), and IntLixKernelHandleRead().
| INTRO_OBJECT_TYPE _EVENT_EPT_VIOLATION::Type |
The type of the accessed memory area.
Definition at line 1237 of file intro_types.h.
Referenced by IntLixVdsoHandleWriteCommon(), IntWinCrashHandleDepViolation(), and IntWinModPolyHandler().
| BOOLEAN _EVENT_EPT_VIOLATION::User |
Set if it is a KM-UM write due to an injection from user-mode.
Definition at line 1227 of file intro_types.h.
| struct { ... } _EVENT_EPT_VIOLATION::Victim |
Describes the accessed memory area. Valid only if Violation is IG_EPT_HOOK_READ or IG_EPT_HOOK_WRITE
Referenced by IntLixDrvSendViolationEvent(), IntLixKernelHandleRead(), IntLixVdsoHandleWriteCommon(), IntWinCrashHandleDepViolation(), and IntWinModPolyHandler().
| BYTE _EVENT_EPT_VIOLATION::Violation |
The type of the access. It must be one of the IG_EPT_HOOK_TYPE values.
Definition at line 1265 of file intro_types.h.
Referenced by IntLixDrvSendViolationEvent(), IntLixVdsoHandleWriteCommon(), IntWinCrashHandleDepViolation(), and IntWinModPolyHandler().
| QWORD _EVENT_EPT_VIOLATION::VirtualPage |
The guest virtual page in which the access was made.
Definition at line 1272 of file intro_types.h.
Referenced by IntLixDrvSendViolationEvent(), IntLixVdsoHandleWriteCommon(), IntWinCrashHandleDepViolation(), and IntWinModPolyHandler().
| INTRO_WRITE_INFO _EVENT_EPT_VIOLATION::WriteInfo |
The original value and the value that the guest tried to write. Valid only if Violation is IG_EPT_HOOK_WRITE.
Definition at line 1253 of file intro_types.h.
| QWORD _EVENT_EPT_VIOLATION::ZoneTypes |
The types of the accessed memory area.
Definition at line 1276 of file intro_types.h.
Referenced by IntLixDrvSendViolationEvent(), and IntLixVdsoHandleWriteCommon().
1.8.13