Bitdefender Hypervisor Memory Introspection
Event structure for EPT violations.
#include <intro_types.h>

Data Fields

INTRO_VIOLATION_HEADER Header
    The alert header.
struct {
    INTRO_MODULE Module
        The module that did the malicious access.
    INTRO_MODULE ReturnModule
        The module to which the current code returns.
    INTRO_PROCESS Process
        The process that did the malicious access.
    struct {
        BOOLEAN User : 1
            Set if it is a KM-UM write due to an injection from user-mode.
        BOOLEAN Kernel : 1
            Set if it is a KM-UM write due to an injection from kernel-mode.
    } Injection
} Originator
struct {
    INTRO_OBJECT_TYPE Type
        The type of the accessed memory area.
    union {
        INTRO_MODULE Module
            The module that was modified.
        INTRO_DRVOBJ DriverObject
            The driver object that was modified. Valid only if Type is introObjectTypeDriverObject.
    }
    BYTE IdtEntry
        The IDT entry that was modified. Valid only if Type is introObjectTypeIdt.
} Victim
union {
    INTRO_WRITE_INFO WriteInfo
    INTRO_READ_INFO ReadInfo
    INTRO_EXEC_INFO ExecInfo
        Execution information. Valid only if Violation is IG_EPT_HOOK_EXECUTE.
}
INTRO_CODEBLOCKS CodeBlocks
    Code blocks extracted for the alert.
BYTE Violation
    The type of the access. It must be one of the IG_EPT_HOOK_TYPE values.
QWORD HookStartVirtual
    The start of the monitored guest virtual memory area for which this alert was generated.
QWORD HookStartPhysical
    The start of the monitored guest physical memory area for which this alert was generated.
QWORD VirtualPage
    The guest virtual page in which the access was made.
QWORD PhysicalPage
    The guest physical page in which the access was made.
DWORD Offset
    The offset inside the page where the violation took place.
QWORD ZoneTypes
    The types of the accessed memory area.
CHAR RipSectionName[ALERT_MAX_SECTION_NAME_LEN]
    The name of the section in which the RIP resides. May be empty.
QWORD ReturnRip
    The RIP at which the code that triggered the alert returns.
CHAR ReturnRipSectionName[ALERT_MAX_SECTION_NAME_LEN]
    The name of the section in which ReturnRip resides. May be empty.
CHAR ModifiedSectionName[ALERT_MAX_SECTION_NAME_LEN]
    The name of the modified section, if any.
CHAR FunctionName[ALERT_MAX_FUNCTION_NAME_LEN]
    The name of the modified function, if any. This is the same as Export.Name[0].
DWORD FunctionNameHash
    The hash of the modified function name. This is the same as Export.Hash[0].
DWORD Delta
    The offset relative to the function start address at which the write was attempted. This is the same as Export.Delta.
struct {
    char Name[ALERT_MAX_FUNCTIONS][ALERT_MAX_FUNCTION_NAME_LEN]
        Array of all the extracted function names.
    DWORD Hash[ALERT_MAX_FUNCTIONS]
        Array of all the extracted function hashes. Export.Hash[i] is the hash for Export.Name[i].
    DWORD Delta
        The same as Delta.
} Export
INTRO_EXEC_CONTEXT ExecContext
    Information about the instruction that triggered the alert.
Event structure for EPT violations.
This event can describe multiple memory access violations: read, write, and execute.
Definition at line 1215 of file intro_types.h.
INTRO_CODEBLOCKS _EVENT_EPT_VIOLATION::CodeBlocks
Code blocks extracted for the alert.
Definition at line 1263 of file intro_types.h.
Referenced by IntLixDrvSendViolationEvent(), IntLixIdtWriteHandler(), IntLixKernelHandleRead(), IntLixVdsoHandleWriteCommon(), IntVeHandleAccess(), IntVeHandleEPTViolationInProtectedView(), IntWinCrashHandleDepViolation(), IntWinDrvObjSendEptAlert(), IntWinDrvSendAlert(), IntWinHalSendAlert(), IntWinIdtWriteHandler(), IntWinInfHookEptSppSendAlert(), IntWinModHandleKernelWrite(), IntWinModHandleUserWrite(), IntWinSelfMapHandleCr3SelfMapWrite(), IntWinSudSendSudExecAlert(), IntWinTokenPrivsSendEptAlert(), and IntWinVadIsExecSuspicious().
DWORD _EVENT_EPT_VIOLATION::Delta
The offset relative to the function start address at which the write was attempted. This is the same as Export.Delta. Valid only if a function was modified.
Definition at line 1294 of file intro_types.h.
INTRO_DRVOBJ _EVENT_EPT_VIOLATION::DriverObject
The driver object that was modified. Valid only if Type is introObjectTypeDriverObject.
Definition at line 1243 of file intro_types.h.
INTRO_EXEC_CONTEXT _EVENT_EPT_VIOLATION::ExecContext
Information about the instruction that triggered the alert.
Definition at line 1309 of file intro_types.h.
Referenced by IntLixDrvSendViolationEvent(), IntLixIdtWriteHandler(), IntLixKernelHandleRead(), IntLixVdsoHandleWriteCommon(), IntLixVmaHandlePageExecution(), IntVeHandleAccess(), IntVeHandleEPTViolationInProtectedView(), IntWinCrashHandleDepViolation(), IntWinDrvObjSendEptAlert(), IntWinDrvSendAlert(), IntWinHalHandleHalHeapExec(), IntWinHalSendAlert(), IntWinIdtWriteHandler(), IntWinInfHookEptSppSendAlert(), IntWinModHandleKernelWrite(), IntWinModHandleUserWrite(), IntWinSelfMapHandleCr3SelfMapWrite(), IntWinSudSendSudExecAlert(), IntWinTokenPrivsSendEptAlert(), and IntWinVadIsExecSuspicious().
INTRO_EXEC_INFO _EVENT_EPT_VIOLATION::ExecInfo
Execution information. Valid only if Violation is IG_EPT_HOOK_EXECUTE.
Definition at line 1260 of file intro_types.h.
Referenced by IntWinCrashHandleDepViolation(), IntWinModPolyHandler(), and IntWinSudSendSudExecAlert().
struct { ... } _EVENT_EPT_VIOLATION::Export
All the names used to export the modified function. In certain cases, the same function can be exported with multiple names by a module.
CHAR _EVENT_EPT_VIOLATION::FunctionName[ALERT_MAX_FUNCTION_NAME_LEN]
The name of the modified function, if any. This is the same as Export.Name[0].
Definition at line 1289 of file intro_types.h.
Referenced by IntLixDrvSendViolationEvent(), and IntLixKernelHandleRead().
DWORD _EVENT_EPT_VIOLATION::FunctionNameHash
The hash of the modified function name. This is the same as Export.Hash[0].
Definition at line 1291 of file intro_types.h.
DWORD _EVENT_EPT_VIOLATION::Hash[ALERT_MAX_FUNCTIONS]
Array of all the extracted function hashes. Export.Hash[i] is the hash for Export.Name[i].
Definition at line 1303 of file intro_types.h.
INTRO_VIOLATION_HEADER _EVENT_EPT_VIOLATION::Header
The alert header.
Definition at line 1217 of file intro_types.h.
Referenced by IntLixDrvSendViolationEvent(), IntLixIdtWriteHandler(), IntLixKernelHandleRead(), IntLixVdsoHandleWriteCommon(), IntLixVmaHandlePageExecution(), IntVeHandleAccess(), IntVeHandleEPTViolationInProtectedView(), IntWinCrashHandleDepViolation(), IntWinDrvObjSendEptAlert(), IntWinDrvSendAlert(), IntWinHalHandleHalHeapExec(), IntWinHalSendAlert(), IntWinIdtWriteHandler(), IntWinInfHookEptSppSendAlert(), IntWinModHandleKernelWrite(), IntWinModHandleUserWrite(), IntWinModPolyHandler(), IntWinSelfMapHandleCr3SelfMapWrite(), IntWinSudSendSudExecAlert(), IntWinTokenPrivsSendEptAlert(), and IntWinVadIsExecSuspicious().
QWORD _EVENT_EPT_VIOLATION::HookStartPhysical
The start of the monitored guest physical memory area for which this alert was generated.
Definition at line 1270 of file intro_types.h.
Referenced by IntLixDrvSendViolationEvent(), IntLixVdsoHandleWriteCommon(), IntWinCrashHandleDepViolation(), and IntWinModPolyHandler().
QWORD _EVENT_EPT_VIOLATION::HookStartVirtual
The start of the monitored guest virtual memory area for which this alert was generated.
Definition at line 1268 of file intro_types.h.
Referenced by IntLixDrvSendViolationEvent(), IntLixVdsoHandleWriteCommon(), IntWinCrashHandleDepViolation(), and IntWinModPolyHandler().
BYTE _EVENT_EPT_VIOLATION::IdtEntry
The IDT entry that was modified. Valid only if Type is introObjectTypeIdt.
Definition at line 1246 of file intro_types.h.
struct { ... } _EVENT_EPT_VIOLATION::Injection
Referenced by IntWinModHandleKernelWrite().
BOOLEAN _EVENT_EPT_VIOLATION::Kernel
Set if it is a KM-UM write due to an injection from kernel-mode.
Definition at line 1228 of file intro_types.h.
CHAR _EVENT_EPT_VIOLATION::ModifiedSectionName[ALERT_MAX_SECTION_NAME_LEN]
The name of the modified section, if any.
Definition at line 1287 of file intro_types.h.
Referenced by IntLixDrvSendViolationEvent(), and IntLixKernelHandleRead().
INTRO_MODULE _EVENT_EPT_VIOLATION::Module
Two fields share this name: Originator.Module is the module that did the malicious access, and Victim.Module is the module that was modified.
Definition at line 1221 of file intro_types.h.
Referenced by IntLixDrvSendViolationEvent(), IntLixIdtWriteHandler(), IntLixKernelHandleRead(), IntLixVdsoHandleWriteCommon(), IntWinIdtWriteHandler(), and IntWinModPolyHandler().
char _EVENT_EPT_VIOLATION::Name[ALERT_MAX_FUNCTIONS][ALERT_MAX_FUNCTION_NAME_LEN]
Array of all the extracted function names.
Definition at line 1301 of file intro_types.h.
DWORD _EVENT_EPT_VIOLATION::Offset
The offset inside the page where the violation took place.
Definition at line 1274 of file intro_types.h.
Referenced by IntLixDrvSendViolationEvent(), IntLixVdsoHandleWriteCommon(), IntWinCrashHandleDepViolation(), and IntWinModPolyHandler().
struct { ... } _EVENT_EPT_VIOLATION::Originator
QWORD _EVENT_EPT_VIOLATION::PhysicalPage
The guest physical page in which the access was made.
Definition at line 1273 of file intro_types.h.
Referenced by IntLixVdsoHandleWriteCommon().
INTRO_PROCESS _EVENT_EPT_VIOLATION::Process
The process that did the malicious access.
Definition at line 1223 of file intro_types.h.
Referenced by IntWinModHandleKernelWrite().
INTRO_READ_INFO _EVENT_EPT_VIOLATION::ReadInfo
The original value and the value that the guest tried to read. Valid only if Violation is IG_EPT_HOOK_WRITE.
Definition at line 1257 of file intro_types.h.
INTRO_MODULE _EVENT_EPT_VIOLATION::ReturnModule
The module to which the current code returns.
Definition at line 1222 of file intro_types.h.
Referenced by IntLixDrvSendViolationEvent(), IntLixIdtWriteHandler(), IntLixKernelHandleRead(), IntWinIdtWriteHandler(), IntWinSudSendSudExecAlert(), and IntWinVadIsExecSuspicious().
QWORD _EVENT_EPT_VIOLATION::ReturnRip
The RIP at which the code that triggered the alert returns.
Definition at line 1282 of file intro_types.h.
Referenced by IntLixDrvSendViolationEvent(), IntWinSudSendSudExecAlert(), and IntWinVadIsExecSuspicious().
CHAR _EVENT_EPT_VIOLATION::ReturnRipSectionName[ALERT_MAX_SECTION_NAME_LEN]
The name of the section in which ReturnRip resides. May be empty.
Definition at line 1284 of file intro_types.h.
CHAR _EVENT_EPT_VIOLATION::RipSectionName[ALERT_MAX_SECTION_NAME_LEN]
The name of the section in which the RIP resides. May be empty.
Definition at line 1279 of file intro_types.h.
Referenced by IntLixDrvSendViolationEvent(), and IntLixKernelHandleRead().
INTRO_OBJECT_TYPE _EVENT_EPT_VIOLATION::Type
The type of the accessed memory area.
Definition at line 1237 of file intro_types.h.
Referenced by IntLixVdsoHandleWriteCommon(), IntWinCrashHandleDepViolation(), and IntWinModPolyHandler().
BOOLEAN _EVENT_EPT_VIOLATION::User
Set if it is a KM-UM write due to an injection from user-mode.
Definition at line 1227 of file intro_types.h.
struct { ... } _EVENT_EPT_VIOLATION::Victim
Describes the accessed memory area. Valid only if Violation is IG_EPT_HOOK_READ or IG_EPT_HOOK_WRITE.
Referenced by IntLixDrvSendViolationEvent(), IntLixKernelHandleRead(), IntLixVdsoHandleWriteCommon(), IntWinCrashHandleDepViolation(), and IntWinModPolyHandler().
BYTE _EVENT_EPT_VIOLATION::Violation
The type of the access. It must be one of the IG_EPT_HOOK_TYPE values.
Definition at line 1265 of file intro_types.h.
Referenced by IntLixDrvSendViolationEvent(), IntLixVdsoHandleWriteCommon(), IntWinCrashHandleDepViolation(), and IntWinModPolyHandler().
QWORD _EVENT_EPT_VIOLATION::VirtualPage
The guest virtual page in which the access was made.
Definition at line 1272 of file intro_types.h.
Referenced by IntLixDrvSendViolationEvent(), IntLixVdsoHandleWriteCommon(), IntWinCrashHandleDepViolation(), and IntWinModPolyHandler().
INTRO_WRITE_INFO _EVENT_EPT_VIOLATION::WriteInfo
The original value and the value that the guest tried to write. Valid only if Violation is IG_EPT_HOOK_WRITE.
Definition at line 1253 of file intro_types.h.
QWORD _EVENT_EPT_VIOLATION::ZoneTypes
The types of the accessed memory area.
Definition at line 1276 of file intro_types.h.
Referenced by IntLixDrvSendViolationEvent(), and IntLixVdsoHandleWriteCommon().
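As an added example (not HVMI code), a consumer-side check of the validity rules documented above: Victim and IdtEntry carry data only for the Violation values and victim Type stated, and FunctionName, FunctionNameHash and Delta must mirror Export.Name[0], Export.Hash[0] and Export.Delta. Type and enum names match the page; the numeric enum values, the array sizes and the reduced struct EPT_ALERT_SUBSET are assumptions made so the code runs without intro_types.h.

```c
#include <stdint.h>
#include <string.h>
/* Local stand-ins for the intro_types.h definitions (numeric values and
 * array sizes are assumed); only the fields the checks need are modelled. */
typedef enum { IG_EPT_HOOK_READ = 1, IG_EPT_HOOK_WRITE = 2,
               IG_EPT_HOOK_EXECUTE = 4 } IG_EPT_HOOK_TYPE;
typedef enum { introObjectTypeDriverObject = 1,
               introObjectTypeIdt = 2 } INTRO_OBJECT_TYPE;
#define ALERT_MAX_FUNCTIONS 4
#define ALERT_MAX_FUNCTION_NAME_LEN 64

typedef struct {
    uint8_t  Violation;                         /* an IG_EPT_HOOK_TYPE value */
    struct { INTRO_OBJECT_TYPE Type; uint8_t IdtEntry; } Victim;
    char     FunctionName[ALERT_MAX_FUNCTION_NAME_LEN];
    uint32_t FunctionNameHash;
    uint32_t Delta;
    struct {
        char     Name[ALERT_MAX_FUNCTIONS][ALERT_MAX_FUNCTION_NAME_LEN];
        uint32_t Hash[ALERT_MAX_FUNCTIONS];
        uint32_t Delta;
    } Export;
} EPT_ALERT_SUBSET;

/* Victim is documented as valid only for read/write alerts, and IdtEntry
 * only when the victim is the IDT; return -1 instead of stale bytes. */
int ept_alert_idt_entry(const EPT_ALERT_SUBSET *e)
{
    int victim_valid = e->Violation == IG_EPT_HOOK_READ || e->Violation == IG_EPT_HOOK_WRITE;
    if (!victim_valid || e->Victim.Type != introObjectTypeIdt)
        return -1;
    return e->Victim.IdtEntry;
}

/* NULL when the documented invariants hold, otherwise a short reason; a
 * consumer should flag such an alert rather than trust FunctionName/Delta. */
const char *ept_alert_check(const EPT_ALERT_SUBSET *e)
{
    if (e->Violation != IG_EPT_HOOK_READ && e->Violation != IG_EPT_HOOK_WRITE &&
        e->Violation != IG_EPT_HOOK_EXECUTE)
        return "Violation is not an IG_EPT_HOOK_TYPE value";
    if (strncmp(e->FunctionName, e->Export.Name[0], ALERT_MAX_FUNCTION_NAME_LEN))
        return "FunctionName differs from Export.Name[0]";
    if (e->FunctionNameHash != e->Export.Hash[0])
        return "FunctionNameHash differs from Export.Hash[0]";
    if (e->FunctionName[0] != '\0' && e->Delta != e->Export.Delta)
        return "Delta differs from Export.Delta";  /* Delta is meaningful only if a function was modified */
    return NULL;
}
```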