- Generated by
1.8.13
|
Bitdefender Hypervisor Memory Introspection
|
Event structure for process creation violation events. More...
#include <intro_types.h>
Data Fields | |
| INTRO_VIOLATION_HEADER | Header |
| The alert header. More... | |
| INTRO_PROCESS | Victim |
| The process that was compromised. More... | |
| INTRO_PROCESS | Originator |
| The process that attempted the violation. More... | |
| INTRO_PC_VIOLATION_TYPE | PcType |
| The type of process creation violation. More... | |
| INTRO_DPI_EXTRA_INFO | DpiExtraInfo |
| A structure which contains extra information regarding the DPI violation that was detected. More... | |
Event structure for process creation violation events.
Definition at line 1767 of file intro_types.h.
| INTRO_DPI_EXTRA_INFO _EVENT_PROCESS_CREATION_VIOLATION::DpiExtraInfo |
A structure which contains extra information regarding the DPI violation that was detected.
The correct valid field of the union depends on the PcType value:
| PcType value | Victim |
|---|---|
| 0 | not valid field |
| INT_PC_VIOLATION_DPI_DEBUG_FLAG | INTRO_DPI_EXTRA_INFO.DpiDebugFlag |
| INT_PC_VIOLATION_DPI_PIVOTED_STACK | INTRO_DPI_EXTRA_INFO.DpiPivotedStack |
| INT_PC_VIOLATION_DPI_STOLEN_TOKEN | INTRO_DPI_EXTRA_INFO.DpiStolenToken |
| INT_PC_VIOLATION_DPI_HEAP_SPRAY | INTRO_DPI_EXTRA_INFO.DpiHeapSpray |
| INT_PC_VIOLATION_DPI_THREAD_START | INTRO_DPI_EXTRA_INFO.DpiThreadStart |
| INT_PC_VIOLATION_DPI_SEC_DESC | INTRO_DPI_EXTRA_INFO.DpiSecDescAcl |
| INT_PC_VIOLATION_DPI_ACL_EDIT | INTRO_DPI_EXTRA_INFO.DpiSecDescAcl |
Definition at line 1831 of file intro_types.h.
Referenced by IntWinDpiSendProcessCreationViolation().
| INTRO_VIOLATION_HEADER _EVENT_PROCESS_CREATION_VIOLATION::Header |
The alert header.
Definition at line 1769 of file intro_types.h.
Referenced by IntLixTaskSendBlockedEvent(), and IntWinDpiSendProcessCreationViolation().
| INTRO_PROCESS _EVENT_PROCESS_CREATION_VIOLATION::Originator |
The process that attempted the violation.
Based on the PcType value this has different meanings:
| PcType value | Victim |
|---|---|
| 0 | child process |
| INT_PC_VIOLATION_DPI_DEBUG_FLAG | parent process |
| INT_PC_VIOLATION_DPI_PIVOTED_STACK | child process |
| INT_PC_VIOLATION_DPI_STOLEN_TOKEN | child process |
| INT_PC_VIOLATION_DPI_TOKEN_PRIVS | child process |
| INT_PC_VIOLATION_DPI_HEAP_SPRAY | child process |
| INT_PC_VIOLATION_DPI_THREAD_START | child process |
| INT_PC_VIOLATION_DPI_SEC_DESC | child process |
| INT_PC_VIOLATION_DPI_ACL_EDIT | child process |
Definition at line 1807 of file intro_types.h.
Referenced by IntLixTaskSendBlockedEvent(), and IntWinDpiSendProcessCreationViolation().
| INTRO_PC_VIOLATION_TYPE _EVENT_PROCESS_CREATION_VIOLATION::PcType |
The type of process creation violation.
If non-zero, this is a deep process inspection event, which has several classes of detections, described by INTRO_PC_VIOLATION_TYPE.
Definition at line 1813 of file intro_types.h.
Referenced by IntLixTaskSendBlockedEvent(), and IntWinDpiSendProcessCreationViolation().
| INTRO_PROCESS _EVENT_PROCESS_CREATION_VIOLATION::Victim |
The process that was compromised.
Based on the PcType value this has different meanings:
| PcType value | Victim |
|---|---|
| 0 | parent process |
| INT_PC_VIOLATION_DPI_DEBUG_FLAG | child process |
| INT_PC_VIOLATION_DPI_PIVOTED_STACK | parent process |
| INT_PC_VIOLATION_DPI_STOLEN_TOKEN | the real parent process |
| INT_PC_VIOLATION_DPI_TOKEN_PRIVS | the real parent process |
| INT_PC_VIOLATION_DPI_HEAP_SPRAY | parent process |
| INT_PC_VIOLATION_DPI_THREAD_START | parent process |
| INT_PC_VIOLATION_DPI_SEC_DESC | the real parent process |
| INT_PC_VIOLATION_DPI_ACL_EDIT | the real parent process |
Definition at line 1788 of file intro_types.h.
Referenced by IntLixTaskSendBlockedEvent(), and IntWinDpiSendProcessCreationViolation().
1.8.13