Bitdefender Hypervisor Memory Introspection
_EVENT_MODULE_LOAD_VIOLATION Struct Reference

Event structure for suspicious module load into processes. More...

#include <intro_types.h>

Data Fields

INTRO_VIOLATION_HEADER Header
 The alert header.

INTRO_PROCESS Victim
 The process in which the module has loaded.

struct {
   INTRO_MODULE Module
    The loaded module.
   INTRO_MODULE ReturnModule
    The module which called the entry function of the suspicious module.
} Originator

QWORD ReturnRip
 The RIP from which the suspicious module was called.

CHAR ReturnRipSectionName [ALERT_MAX_SECTION_NAME_LEN]
 The name of the section in which ReturnRip resides.

CHAR RipSectionName [ALERT_MAX_SECTION_NAME_LEN]
 The name of the section in which the function executed by the loaded module is found.

Detailed Description

Event structure for suspicious module load into processes.

Definition at line 1838 of file intro_types.h.

Field Documentation

◆ Header

INTRO_VIOLATION_HEADER _EVENT_MODULE_LOAD_VIOLATION::Header

The alert header.

Definition at line 1840 of file intro_types.h.

Referenced by IntWinDagentSendDoubleAgentAlert().

◆ Module

INTRO_MODULE _EVENT_MODULE_LOAD_VIOLATION::Module

The loaded module.

Definition at line 1846 of file intro_types.h.

Referenced by IntWinDagentSendDoubleAgentAlert().

◆ Originator

struct { ... } _EVENT_MODULE_LOAD_VIOLATION::Originator

◆ ReturnModule

INTRO_MODULE _EVENT_MODULE_LOAD_VIOLATION::ReturnModule

The module which called the entry function of the suspicious module.

Definition at line 1847 of file intro_types.h.

Referenced by IntWinDagentSendDoubleAgentAlert().

◆ ReturnRip

QWORD _EVENT_MODULE_LOAD_VIOLATION::ReturnRip

The RIP from which the suspicious module was called.

This points inside Originator.ReturnModule.

Definition at line 1853 of file intro_types.h.

Referenced by IntWinDagentSendDoubleAgentAlert().

◆ ReturnRipSectionName

CHAR _EVENT_MODULE_LOAD_VIOLATION::ReturnRipSectionName[ALERT_MAX_SECTION_NAME_LEN]

The name of the section in which ReturnRip resides.

Definition at line 1856 of file intro_types.h.

Referenced by IntWinDagentSendDoubleAgentAlert().

◆ RipSectionName

CHAR _EVENT_MODULE_LOAD_VIOLATION::RipSectionName[ALERT_MAX_SECTION_NAME_LEN]

The name of the section in which the function executed by the loaded module is found.

Definition at line 1859 of file intro_types.h.

Referenced by IntWinDagentSendDoubleAgentAlert().

◆ Victim

INTRO_PROCESS _EVENT_MODULE_LOAD_VIOLATION::Victim

The process in which the module has loaded.

Definition at line 1842 of file intro_types.h.

Referenced by IntWinDagentSendDoubleAgentAlert().
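The following is an added example of a consumer-side handler for this event; it is not HVMI code and it is not taken from intro_types.h. It mirrors only the field names and layout this page documents (Header, Victim, Originator.Module, Originator.ReturnModule, ReturnRip, ReturnRipSectionName, RipSectionName). The definitions of INTRO_VIOLATION_HEADER, INTRO_PROCESS and INTRO_MODULE, the value of ALERT_MAX_SECTION_NAME_LEN, and the member names Pid, ImageName, Base, Size and Path are stand-ins assumed for the demo, since the page does not define them. The example checks the invariant stated above (ReturnRip points inside Originator.ReturnModule) before it trusts the section-name attribution, and formats the alert as one log line while bounding the fixed-size CHAR arrays so a non-terminated section name cannot over-read.

```c
/* Added example: consumer-side validation and log formatting for an
 * EVENT_MODULE_LOAD_VIOLATION. The types below are minimal stand-ins,
 * NOT HVMI's real intro_types.h definitions; only the field names listed
 * on the reference page are taken from it. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ALERT_MAX_SECTION_NAME_LEN 9   /* assumed value, not from the page */

typedef uint64_t QWORD;
typedef char CHAR;

/* Stand-in header: the real INTRO_VIOLATION_HEADER carries more than this. */
typedef struct { uint32_t Flags; } INTRO_VIOLATION_HEADER;

/* Stand-in process description (member names assumed). */
typedef struct { uint32_t Pid; char ImageName[64]; } INTRO_PROCESS;

/* Stand-in module description: load base, size and path (names assumed). */
typedef struct { QWORD Base; QWORD Size; char Path[128]; } INTRO_MODULE;

/* Layout as documented on the page: header, victim, anonymous Originator
 * struct, return RIP and the two section-name arrays. */
typedef struct _EVENT_MODULE_LOAD_VIOLATION {
    INTRO_VIOLATION_HEADER Header;
    INTRO_PROCESS Victim;
    struct {
        INTRO_MODULE Module;        /* the loaded (suspicious) module      */
        INTRO_MODULE ReturnModule;  /* the module that called its entry    */
    } Originator;
    QWORD ReturnRip;
    CHAR ReturnRipSectionName[ALERT_MAX_SECTION_NAME_LEN];
    CHAR RipSectionName[ALERT_MAX_SECTION_NAME_LEN];
} EVENT_MODULE_LOAD_VIOLATION;

/* The page states that ReturnRip points inside Originator.ReturnModule.
 * Verify that before trusting ReturnRipSectionName; an out-of-range RIP
 * means the attribution is unreliable and the alert deserves a closer look.
 * Written as (rip - base) < size to avoid overflow in base + size. */
bool ReturnRipInsideReturnModule(const EVENT_MODULE_LOAD_VIOLATION *ev)
{
    const INTRO_MODULE *m = &ev->Originator.ReturnModule;
    return m->Size != 0 &&
           ev->ReturnRip >= m->Base &&
           ev->ReturnRip - m->Base < m->Size;
}

/* Render one key=value record for log shipping. The section names are
 * fixed-size CHAR arrays that may not be NUL-terminated, so "%.*s" with
 * the array length as precision bounds the read. Returns snprintf's count. */
int FormatModuleLoadViolation(const EVENT_MODULE_LOAD_VIOLATION *ev,
                              char *out, size_t outLen)
{
    return snprintf(out, outLen,
        "event=module_load_violation pid=%u image=%s module=%s "
        "return_module=%s return_rip=0x%llx return_rip_section=%.*s "
        "rip_section=%.*s rip_in_return_module=%s",
        ev->Victim.Pid, ev->Victim.ImageName, ev->Originator.Module.Path,
        ev->Originator.ReturnModule.Path, (unsigned long long)ev->ReturnRip,
        ALERT_MAX_SECTION_NAME_LEN, ev->ReturnRipSectionName,
        ALERT_MAX_SECTION_NAME_LEN, ev->RipSectionName,
        ReturnRipInsideReturnModule(ev) ? "yes" : "NO");
}

/* Constructed sample event; every value here is made up for the demo. */
EVENT_MODULE_LOAD_VIOLATION SampleEvent(void)
{
    EVENT_MODULE_LOAD_VIOLATION ev;
    memset(&ev, 0, sizeof ev);
    ev.Victim.Pid = 4242;
    strcpy(ev.Victim.ImageName, "victim.exe");
    ev.Originator.Module.Base = 0x7ff800000000ULL;
    ev.Originator.Module.Size = 0x4000;
    strcpy(ev.Originator.Module.Path, "C:\\example\\suspicious.dll");
    ev.Originator.ReturnModule.Base = 0x7ff900000000ULL;
    ev.Originator.ReturnModule.Size = 0x1000;
    strcpy(ev.Originator.ReturnModule.Path, "C:\\example\\loader.dll");
    ev.ReturnRip = 0x7ff900000420ULL;   /* inside ReturnModule */
    memcpy(ev.ReturnRipSectionName, ".text", 5);
    memcpy(ev.RipSectionName, ".text", 5);
    return ev;
}

int main(void)
{
    char line[512];
    EVENT_MODULE_LOAD_VIOLATION ev = SampleEvent();
    FormatModuleLoadViolation(&ev, line, sizeof line);
    puts(line);
    return 0;
}
```

The range check is deliberately written as a subtraction against Size rather than a comparison against Base + Size, so a crafted or corrupted module descriptor with Base near the top of the address space cannot wrap the bound.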


The documentation for this struct was generated from the following file: