Bitdefender Hypervisor Memory Introspection
Memory access violations that cross a process boundary.
#include <intro_types.h>
Data Fields

| Type | Field | Description |
|---|---|---|
| INTRO_VIOLATION_HEADER | Header | The alert header. |
| INTRO_PROCESS | Originator.Process | The process that attempted the access. |
| INTRO_PROCESS | Victim.Process | The destination process. |
| INTRO_MODULE | Victim.Module | The module which was written or read. |
| QWORD | SourceVirtualAddress | The virtual address of the source buffer. |
| QWORD | DestinationVirtualAddress | The virtual address of the destination buffer. |
| DWORD | CopySize | The size of the access. |
| MEMCOPY_VIOLATION_TYPE | ViolationType | The type of the access. |
| BOOLEAN | DumpValid | True if the contents of RawDump are valid, False if not. |
| BYTE | RawDump[ALERT_MAX_INJ_DUMP_SIZE] | The source buffer contents. |
| CHAR | FunctionName[ALERT_MAX_FUNCTION_NAME_LEN] | The name of the accessed function, if any. |
| DWORD | FunctionNameHash | The hash of the FunctionName. It is the same as Export.Hash[0]. |
| DWORD | Delta | The offset inside the affected function at which the access was made. |
| struct | Export | All the names used to export the modified function. |
| char | Export.Name[ALERT_MAX_FUNCTIONS][ALERT_MAX_FUNCTION_NAME_LEN] | Array of all the extracted function names. |
| DWORD | Export.Hash[ALERT_MAX_FUNCTIONS] | Array of all the extracted function hashes. Export.Hash[i] is the hash for Export.Name[i]. |
| DWORD | Export.Delta | The same as Delta. |
Memory access violations that cross a process boundary.
Represents an attempt to write or read the memory of another process, or to hijack the execution flow of
Definition at line 1434 of file intro_types.h.
DWORD _EVENT_MEMCOPY_VIOLATION::CopySize
The size of the access.
Definition at line 1477 of file intro_types.h.
Referenced by IntWinProcHandleCopyMemory(), IntWinProcHandleInstrument(), IntWinThrHandleQueueApc(), and IntWinThrHandleThreadHijack().
DWORD _EVENT_MEMCOPY_VIOLATION::Delta
The offset inside the affected function at which the access was made.
Export.Delta is the same as Delta.
Definition at line 1505 of file intro_types.h.
Referenced by IntWinProcHandleCopyMemory(), IntWinThrHandleQueueApc(), and IntWinThrHandleThreadHijack().
QWORD _EVENT_MEMCOPY_VIOLATION::DestinationVirtualAddress
The virtual address of the destination buffer.
If ViolationType is memCopyViolationWrite this is the address in the victim process which was written. If ViolationType is memCopyViolationRead this is the address in the originator process to which the contents of SourceVirtualAddress are read to. If ViolationType is memCopyViolationSetContextThread this is the address of the victim kernel thread structure. If ViolationType is memCopyViolationQueueApcThread this is the new RIP value for the attacked thread.
Definition at line 1474 of file intro_types.h.
Referenced by IntLixTaskSendInjectionEvent(), IntWinProcHandleCopyMemory(), IntWinProcHandleInstrument(), IntWinThrHandleQueueApc(), and IntWinThrHandleThreadHijack().
BOOLEAN _EVENT_MEMCOPY_VIOLATION::DumpValid
True if the contents of RawDump are valid, False if not.
Definition at line 1483 of file intro_types.h.
Referenced by IntWinProcHandleCopyMemory(), IntWinProcHandleInstrument(), IntWinThrHandleQueueApc(), and IntWinThrHandleThreadHijack().
struct { ... } _EVENT_MEMCOPY_VIOLATION::Export
All the names used to export the modified function.
In certain cases, the same function can be exported with multiple names by a module.
Referenced by IntWinProcHandleCopyMemory(), IntWinThrHandleQueueApc(), and IntWinThrHandleThreadHijack().
CHAR _EVENT_MEMCOPY_VIOLATION::FunctionName[ALERT_MAX_FUNCTION_NAME_LEN]
The name of the accessed function, if any.
If ViolationType is memCopyViolationWrite or memCopyViolationRead this is the name of the function that was written or read, if any. If ViolationType is memCopyViolationSetContextThread or memCopyViolationQueueApcThread this is the name of currently executing function in the victim thread, if any. It is the same as Export.Name[0].
Definition at line 1499 of file intro_types.h.
Referenced by IntWinProcHandleCopyMemory(), IntWinThrHandleQueueApc(), and IntWinThrHandleThreadHijack().
DWORD _EVENT_MEMCOPY_VIOLATION::FunctionNameHash
The hash of the FunctionName. It is the same as Export.Hash[0].
Definition at line 1502 of file intro_types.h.
Referenced by IntWinProcHandleCopyMemory(), IntWinThrHandleQueueApc(), and IntWinThrHandleThreadHijack().
DWORD _EVENT_MEMCOPY_VIOLATION::Hash[ALERT_MAX_FUNCTIONS]
Array of all the extracted function hashes. Export.Hash[i] is the hash for Export.Name[i].
Definition at line 1516 of file intro_types.h.
Referenced by IntWinProcHandleCopyMemory(), IntWinThrHandleQueueApc(), and IntWinThrHandleThreadHijack().
INTRO_VIOLATION_HEADER _EVENT_MEMCOPY_VIOLATION::Header
The alert header.
Definition at line 1436 of file intro_types.h.
Referenced by IntLixTaskSendInjectionEvent(), IntWinProcHandleCopyMemory(), IntWinProcHandleInstrument(), IntWinThrHandleQueueApc(), and IntWinThrHandleThreadHijack().
INTRO_MODULE _EVENT_MEMCOPY_VIOLATION::Module
The module which was written or read.
May be valid only if ViolationType is memCopyViolationWrite or memCopyViolationRead.
Definition at line 1451 of file intro_types.h.
Referenced by IntWinProcHandleCopyMemory(), IntWinThrHandleQueueApc(), and IntWinThrHandleThreadHijack().
char _EVENT_MEMCOPY_VIOLATION::Name[ALERT_MAX_FUNCTIONS][ALERT_MAX_FUNCTION_NAME_LEN]
Array of all the extracted function names.
Definition at line 1513 of file intro_types.h.
Referenced by IntWinProcHandleCopyMemory(), IntWinThrHandleQueueApc(), and IntWinThrHandleThreadHijack().
struct { ... } _EVENT_MEMCOPY_VIOLATION::Originator
INTRO_PROCESS _EVENT_MEMCOPY_VIOLATION::Process
Originator.Process: the process that attempted the access.
Victim.Process: the destination process.
Definition at line 1440 of file intro_types.h.
Referenced by IntLixTaskSendInjectionEvent(), IntWinProcHandleCopyMemory(), IntWinProcHandleInstrument(), IntWinThrHandleQueueApc(), and IntWinThrHandleThreadHijack().
BYTE _EVENT_MEMCOPY_VIOLATION::RawDump[ALERT_MAX_INJ_DUMP_SIZE]
The source buffer contents.
If ViolationType is memCopyViolationWrite this holds the information that the attacker tried to write. If ViolationType is memCopyViolationRead this is not filled, as it may contain sensitive information. If ViolationType is memCopyViolationSetContextThread this is the context thread structure, as defined by Windows. If ViolationType is memCopyViolationQueueApcThread this is the contents of the page containing the new Rip.
Definition at line 1492 of file intro_types.h.
Referenced by IntWinProcHandleCopyMemory(), IntWinProcHandleInstrument(), IntWinThrHandleQueueApc(), and IntWinThrHandleThreadHijack().
QWORD _EVENT_MEMCOPY_VIOLATION::SourceVirtualAddress
The virtual address of the source buffer.
If ViolationType is memCopyViolationWrite this is the address in the attacker process which contains the data that should be written. If ViolationType is memCopyViolationRead this is the address in the victim process from which the read was attempted. If ViolationType is memCopyViolationSetContextThread this is the address of the originator kernel thread structure. If ViolationType is memCopyViolationQueueApcThread this is the address of the victim kernel thread structure.
Definition at line 1464 of file intro_types.h.
Referenced by IntLixTaskSendInjectionEvent(), IntWinProcHandleCopyMemory(), IntWinThrHandleQueueApc(), and IntWinThrHandleThreadHijack().
struct { ... } _EVENT_MEMCOPY_VIOLATION::Victim
MEMCOPY_VIOLATION_TYPE _EVENT_MEMCOPY_VIOLATION::ViolationType
The type of the access.
Definition at line 1480 of file intro_types.h.
Referenced by IntWinProcHandleCopyMemory(), IntWinProcHandleInstrument(), IntWinThrHandleQueueApc(), and IntWinThrHandleThreadHijack().
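The field documentation above makes the meaning of SourceVirtualAddress, DestinationVirtualAddress and RawDump depend on ViolationType, and states that FunctionName, FunctionNameHash and Delta are aliases of Export.Name[0], Export.Hash[0] and Export.Delta. The following is an added example of how a consumer of this alert (an integration layer forwarding it to a SIEM, for instance) would apply those rules; it is not HVMI's own code. The MEMCOPY_EVENT struct is a reduced stand-in for _EVENT_MEMCOPY_VIOLATION that keeps only the fields discussed on this page and replaces INTRO_PROCESS and INTRO_MODULE with plain integers; the ALERT_MAX_* sizes, the numeric values of the MEMCOPY_VIOLATION_TYPE enumerators, and every value in sample_write_event() are assumptions made for the example.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed array sizes; the real ALERT_MAX_* values are defined in intro_types.h. */
#define ALERT_MAX_FUNCTIONS 4
#define ALERT_MAX_FUNCTION_NAME_LEN 64
#define ALERT_MAX_INJ_DUMP_SIZE 64

/* Enumerator names as used in the field docs; the numeric values are assumed. */
typedef enum {
    memCopyViolationWrite, memCopyViolationRead,
    memCopyViolationSetContextThread, memCopyViolationQueueApcThread
} MEMCOPY_VIOLATION_TYPE;

/* Reduced stand-in for _EVENT_MEMCOPY_VIOLATION: only the fields discussed on
 * this page, with plain integers in place of INTRO_PROCESS and INTRO_MODULE. */
typedef struct {
    uint32_t OriginatorPid;   /* stands in for Originator.Process */
    uint32_t VictimPid;       /* stands in for Victim.Process */
    uint64_t SourceVirtualAddress;
    uint64_t DestinationVirtualAddress;
    uint32_t CopySize;
    MEMCOPY_VIOLATION_TYPE ViolationType;
    bool DumpValid;
    uint8_t RawDump[ALERT_MAX_INJ_DUMP_SIZE];
    char FunctionName[ALERT_MAX_FUNCTION_NAME_LEN];
    uint32_t FunctionNameHash;
    uint32_t Delta;
    struct {
        char Name[ALERT_MAX_FUNCTIONS][ALERT_MAX_FUNCTION_NAME_LEN];
        uint32_t Hash[ALERT_MAX_FUNCTIONS];
        uint32_t Delta;
    } Export;
} MEMCOPY_EVENT;

/* Meaning of the two addresses for each ViolationType, taken from the field docs;
 * dump_expected is false for reads because RawDump is documented as never filled. */
typedef struct {
    const char *source_role;
    const char *destination_role;
    bool dump_expected;
} ADDRESS_ROLES;

ADDRESS_ROLES describe_roles(MEMCOPY_VIOLATION_TYPE t)
{
    switch (t) {
    case memCopyViolationWrite:
        return (ADDRESS_ROLES){"attacker buffer", "victim address written", true};
    case memCopyViolationRead:
        return (ADDRESS_ROLES){"victim address read", "originator buffer", false};
    case memCopyViolationSetContextThread:
        return (ADDRESS_ROLES){"originator KTHREAD", "victim KTHREAD", true};
    case memCopyViolationQueueApcThread:
        return (ADDRESS_ROLES){"victim KTHREAD", "new RIP", true};
    }
    return (ADDRESS_ROLES){"unknown", "unknown", false};
}

/* FunctionName, FunctionNameHash and Delta are documented as aliases of Export.Name[0],
 * Export.Hash[0] and Export.Delta; an alert where they disagree, or a read alert that
 * claims a valid dump, is malformed and should be logged rather than acted on. */
bool event_is_consistent(const MEMCOPY_EVENT *e)
{
    if (strncmp(e->FunctionName, e->Export.Name[0], ALERT_MAX_FUNCTION_NAME_LEN) != 0)
        return false;
    if (e->FunctionNameHash != e->Export.Hash[0] || e->Delta != e->Export.Delta)
        return false;
    return !(e->ViolationType == memCopyViolationRead && e->DumpValid);
}

/* One log line per alert; RawDump is only reported when DumpValid says it is usable. */
int summarize(const MEMCOPY_EVENT *e, char *out, size_t cap)
{
    ADDRESS_ROLES r = describe_roles(e->ViolationType);
    const char *dump = (e->DumpValid && r.dump_expected) ? "captured" : "absent";
    return snprintf(out, cap,
        "memcopy pid %" PRIu32 " -> pid %" PRIu32 ": %s=0x%" PRIx64 " %s=0x%" PRIx64
        " size=%" PRIu32 " func=%s+0x%" PRIx32 " dump=%s",
        e->OriginatorPid, e->VictimPid, r.source_role, e->SourceVirtualAddress,
        r.destination_role, e->DestinationVirtualAddress, e->CopySize,
        e->FunctionName, e->Delta, dump);
}

/* Constructed sample alert; every value is invented for this example. */
MEMCOPY_EVENT sample_write_event(void)
{
    MEMCOPY_EVENT e = {
        .OriginatorPid = 4242, .VictimPid = 1337,
        .SourceVirtualAddress = 0x7ff6a0001000ULL,
        .DestinationVirtualAddress = 0x7ffb12345678ULL,
        .CopySize = 4, .ViolationType = memCopyViolationWrite, .DumpValid = true,
        .RawDump = {0xe9, 0x00, 0x10, 0x00},
        .FunctionName = "ExampleExport", .FunctionNameHash = 0x1234abcd, .Delta = 0x10,
        /* the same function exported under two names, as the Export docs describe */
        .Export = {.Name = {"ExampleExport", "ExampleExportAlias"},
                   .Hash = {0x1234abcd, 0x5678ef01}, .Delta = 0x10},
    };
    return e;
}
```

A caller builds the event with sample_write_event(), rejects it if event_is_consistent() returns false, and otherwise passes it to summarize(), which yields one line such as "memcopy pid 4242 -> pid 1337: attacker buffer=0x7ff6a0001000 victim address written=0x7ffb12345678 size=4 func=ExampleExport+0x10 dump=captured". The point of describe_roles() is that the two address fields must be labelled per ViolationType before they are stored; for a read alert the destination is the originator's buffer, not the victim's, and the dump is never present even though the field exists.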