Bitdefender Hypervisor Memory Introspection
Event structure for integrity violations on monitored structures.
#include <intro_types.h>
Data Fields

INTRO_VIOLATION_HEADER Header
    The alert header.
struct {
    INTRO_MODULE Module
        The module that modified the monitored region.
    INTRO_PROCESS Process
        The module to which the current code returns.
} Originator
struct {
    INTRO_MODULE Module
        The module that modified the translation.
} Return
struct {
    INTRO_OBJECT_TYPE Type
        The type of the modified object.
    WCHAR Name[ALERT_PATH_MAX_LEN]
        NULL-terminated string with a human readable description of the modified object.
    union {
        INTRO_PROCESS Process
            The process which had the access token modified. Valid only if Type is introObjectTypeTokenPtr.
        INTRO_DRVOBJ DriverObject
            The modified driver object. Valid only if Type is introObjectTypeDriverObject.
        BYTE IdtEntry
            The modified IDT entry. Valid only if Type is introObjectTypeIdt.
    }
} Victim
union {
    INTRO_WRITE_INFO WriteInfo
        The original and the new value (valid only if Type is NOT introObjectTypeSecDesc or introObjectTypeAcl).
    INTRO_SEC_DESC_INFO SecDescWriteInfo
        The original and the new value of the security descriptor address, buffer and hash (valid only if Type is introObjectTypeSecDesc or introObjectTypeAcl).
}
QWORD BaseAddress
    The guest virtual address at which the monitored integrity region starts.
QWORD VirtualAddress
    The guest virtual address which was modified.
DWORD Size
    The size of the modified memory area.
Event structure for integrity violations on monitored structures.
These events are triggered by the integrity check mechanism, which runs on the timer event rather than on the write itself, so Introcore may not always be able to block them. For the same reason, the information needed for the alert may no longer be present in guest memory by the time Introcore detects the violation.
Definition at line 1572 of file intro_types.h.
union { ... }
QWORD _EVENT_INTEGRITY_VIOLATION::BaseAddress
The guest virtual address at which the monitored integrity region starts.
Definition at line 1614 of file intro_types.h.
Referenced by IntDetSendIntegrityAlert(), IntLixTaskSendCredViolationEvent(), IntSlackSendIntegrityAlert(), IntWinDrvObjSendIntegrityAlert(), IntWinHalHandleDispatchTableWrite(), IntWinHalSendPerfCntIntegrityAlert(), IntWinIdtSendIntegrityAlert(), IntWinInfHookIntegritySendAlert(), IntWinIntObjSendIntegrityAlert(), IntWinSDSendAclIntegrityViolation(), IntWinSDSendSecDescIntViolation(), IntWinSudSendSudIntegrityAlert(), and IntWinTokenPtrCheckIntegrityOnProcess().
INTRO_DRVOBJ _EVENT_INTEGRITY_VIOLATION::DriverObject
The modified driver object. Valid only if Type is introObjectTypeDriverObject.
Definition at line 1597 of file intro_types.h.
Referenced by IntWinDrvObjSendIntegrityAlert().
INTRO_VIOLATION_HEADER _EVENT_INTEGRITY_VIOLATION::Header
The alert header.
Definition at line 1574 of file intro_types.h.
Referenced by IntDetSendIntegrityAlert(), IntLixTaskSendCredViolationEvent(), IntSlackSendIntegrityAlert(), IntWinDrvObjSendIntegrityAlert(), IntWinHalHandleDispatchTableWrite(), IntWinHalSendPerfCntIntegrityAlert(), IntWinIdtSendIntegrityAlert(), IntWinInfHookIntegritySendAlert(), IntWinIntObjSendIntegrityAlert(), IntWinSDSendAclIntegrityViolation(), IntWinSDSendSecDescIntViolation(), IntWinSudSendSudIntegrityAlert(), IntWinTokenPrivsSendIntegrityAlert(), and IntWinTokenPtrCheckIntegrityOnProcess().
BYTE _EVENT_INTEGRITY_VIOLATION::IdtEntry
The modified IDT entry. Valid only if Type is introObjectTypeIdt.
Definition at line 1599 of file intro_types.h.
Referenced by IntWinIdtSendIntegrityAlert(), and IntWinIntObjSendIntegrityAlert().
INTRO_MODULE _EVENT_INTEGRITY_VIOLATION::Module
The module that modified the monitored region (Originator.Module), or the module that modified the translation (Return.Module).
Definition at line 1578 of file intro_types.h.
Referenced by IntDetSendIntegrityAlert(), IntSlackSendIntegrityAlert(), IntWinDrvObjSendIntegrityAlert(), IntWinHalHandleDispatchTableWrite(), IntWinHalSendPerfCntIntegrityAlert(), IntWinIdtSendIntegrityAlert(), IntWinInfHookIntegritySendAlert(), and IntWinIntObjSendIntegrityAlert().
WCHAR _EVENT_INTEGRITY_VIOLATION::Name[ALERT_PATH_MAX_LEN]
NULL-terminated string with a human readable description of the modified object.
Definition at line 1591 of file intro_types.h.
Referenced by IntDetSendIntegrityAlert(), IntLixTaskSendCredViolationEvent(), IntWinDrvObjSendIntegrityAlert(), IntWinHalHandleDispatchTableWrite(), IntWinHalSendPerfCntIntegrityAlert(), IntWinIdtSendIntegrityAlert(), IntWinInfHookIntegritySendAlert(), IntWinIntObjSendIntegrityAlert(), IntWinSDSendAclIntegrityViolation(), IntWinSDSendSecDescIntViolation(), IntWinSudSendSudIntegrityAlert(), IntWinTokenPrivsSendIntegrityAlert(), and IntWinTokenPtrCheckIntegrityOnProcess().
struct { ... } _EVENT_INTEGRITY_VIOLATION::Originator
Referenced by IntDetSendIntegrityAlert(), IntLixTaskSendCredViolationEvent(), IntSlackSendIntegrityAlert(), IntWinDrvObjSendIntegrityAlert(), IntWinHalHandleDispatchTableWrite(), IntWinHalSendPerfCntIntegrityAlert(), IntWinIdtSendIntegrityAlert(), IntWinInfHookIntegritySendAlert(), IntWinIntObjSendIntegrityAlert(), IntWinSDSendSecDescIntViolation(), IntWinTokenPrivsSendIntegrityAlert(), and IntWinTokenPtrCheckIntegrityOnProcess().
INTRO_PROCESS _EVENT_INTEGRITY_VIOLATION::Process
The module to which the current code returns (Originator.Process), or the process which had the access token modified (Victim.Process; valid only if Type is introObjectTypeTokenPtr).
Definition at line 1579 of file intro_types.h.
Referenced by IntLixTaskSendCredViolationEvent(), IntWinSDSendAclIntegrityViolation(), IntWinSDSendSecDescIntViolation(), IntWinTokenPrivsSendIntegrityAlert(), and IntWinTokenPtrCheckIntegrityOnProcess().
struct { ... } _EVENT_INTEGRITY_VIOLATION::Return
INTRO_SEC_DESC_INFO _EVENT_INTEGRITY_VIOLATION::SecDescWriteInfo
The original and the new value of the security descriptor address, buffer and hash (valid only if INTRO_OBJECT_TYPE is introObjectTypeSecDesc or introObjectTypeAcl).
Definition at line 1610 of file intro_types.h.
Referenced by IntWinSDSendAclIntegrityViolation(), and IntWinSDSendSecDescIntViolation().
DWORD _EVENT_INTEGRITY_VIOLATION::Size
The size of the modified memory area.
Definition at line 1618 of file intro_types.h.
Referenced by IntDetSendIntegrityAlert(), IntLixTaskSendCredViolationEvent(), IntSlackSendIntegrityAlert(), IntWinDrvObjSendIntegrityAlert(), IntWinHalHandleDispatchTableWrite(), IntWinHalSendPerfCntIntegrityAlert(), IntWinIdtSendIntegrityAlert(), IntWinInfHookIntegritySendAlert(), IntWinIntObjSendIntegrityAlert(), IntWinSDSendAclIntegrityViolation(), IntWinSDSendSecDescIntViolation(), IntWinSudSendSudIntegrityAlert(), and IntWinTokenPtrCheckIntegrityOnProcess().
INTRO_OBJECT_TYPE _EVENT_INTEGRITY_VIOLATION::Type
The type of the modified object.
Definition at line 1589 of file intro_types.h.
Referenced by IntDetSendIntegrityAlert(), IntLixTaskSendCredViolationEvent(), IntSlackSendIntegrityAlert(), IntWinDrvObjSendIntegrityAlert(), IntWinHalHandleDispatchTableWrite(), IntWinHalSendPerfCntIntegrityAlert(), IntWinIdtSendIntegrityAlert(), IntWinInfHookIntegritySendAlert(), IntWinIntObjSendIntegrityAlert(), IntWinSDSendAclIntegrityViolation(), IntWinSDSendSecDescIntViolation(), IntWinSudSendSudIntegrityAlert(), IntWinTokenPrivsSendIntegrityAlert(), and IntWinTokenPtrCheckIntegrityOnProcess().
struct { ... } _EVENT_INTEGRITY_VIOLATION::Victim
Referenced by IntDetSendIntegrityAlert(), IntLixTaskSendCredViolationEvent(), IntSlackSendIntegrityAlert(), IntWinDrvObjSendIntegrityAlert(), IntWinHalHandleDispatchTableWrite(), IntWinHalSendPerfCntIntegrityAlert(), IntWinIdtSendIntegrityAlert(), IntWinInfHookIntegritySendAlert(), IntWinIntObjSendIntegrityAlert(), IntWinSDSendAclIntegrityViolation(), IntWinSDSendSecDescIntViolation(), IntWinSudSendSudIntegrityAlert(), IntWinTokenPrivsSendIntegrityAlert(), and IntWinTokenPtrCheckIntegrityOnProcess().
QWORD _EVENT_INTEGRITY_VIOLATION::VirtualAddress
The guest virtual address which was modified.
Definition at line 1616 of file intro_types.h.
Referenced by IntDetSendIntegrityAlert(), IntLixTaskSendCredViolationEvent(), IntSlackSendIntegrityAlert(), IntWinDrvObjSendIntegrityAlert(), IntWinHalHandleDispatchTableWrite(), IntWinHalSendPerfCntIntegrityAlert(), IntWinIdtSendIntegrityAlert(), IntWinInfHookIntegritySendAlert(), IntWinIntObjSendIntegrityAlert(), IntWinSDSendAclIntegrityViolation(), IntWinSDSendSecDescIntViolation(), IntWinSudSendSudIntegrityAlert(), and IntWinTokenPtrCheckIntegrityOnProcess().
INTRO_WRITE_INFO _EVENT_INTEGRITY_VIOLATION::WriteInfo
The original and the new value (valid only if INTRO_OBJECT_TYPE is NOT introObjectTypeSecDesc or introObjectTypeAcl).
Definition at line 1607 of file intro_types.h.
Referenced by IntDetSendIntegrityAlert(), IntLixTaskSendCredViolationEvent(), IntSlackSendIntegrityAlert(), IntWinDrvObjSendIntegrityAlert(), IntWinHalHandleDispatchTableWrite(), IntWinHalSendPerfCntIntegrityAlert(), IntWinIdtSendIntegrityAlert(), IntWinInfHookIntegritySendAlert(), IntWinIntObjSendIntegrityAlert(), IntWinSudSendSudIntegrityAlert(), IntWinTokenPrivsSendIntegrityAlert(), and IntWinTokenPtrCheckIntegrityOnProcess().