- Generated by
1.8.13
|
Bitdefender Hypervisor Memory Introspection
|
Describes a kernel-mode originator. More...
#include <exceptions.h>
Data Fields | |
| struct { | |
| DWORD NameHash | |
| The namehash of the originator return driver. More... | |
| DWORD PathHash | |
| The pathhash of the originator return driver. More... | |
| KERNEL_DRIVER * Driver | |
| The driver that's modifying the memory. More... | |
| QWORD Rip | |
| The RIP from where the call to the exported function came. More... | |
| CHAR Section [9] | |
| The section where the Rip (not Original Rip) comes from. More... | |
| } | Return |
| STACK_ELEMENT | StackElements [8] |
| The stacktrace starting from current rip. More... | |
| STACK_TRACE | StackTrace |
| struct { | |
| DWORD NameHash | |
| The namehash of the originator return driver. More... | |
| DWORD PathHash | |
| The pathhash of the originator return driver. More... | |
| KERNEL_DRIVER * Driver | |
| The driver that's modifying the memory. More... | |
| QWORD Rip | |
| The RIP from where the call to the exported function came. More... | |
| CHAR Section [9] | |
| The section where the Rip (not Original Rip) comes from. More... | |
| } | Original |
| union { | |
| void * Process | |
| The process object from which the write originates. Valid only for KM-UM writes due to an injection originating from user-mode. More... | |
| WIN_PROCESS_OBJECT * WinProc | |
| The Windows process object from which the write originates. More... | |
| LIX_TASK_OBJECT * LixProc | |
| The Linux process object from which the write originates. More... | |
| } | Process |
| INSTRUX * | Instruction |
| The modifying instruction (at the OriginalRip). There's no point in getting the instruction at Rip, since it will be a CALL/JMP. More... | |
| BOOLEAN | IsEntryPoint |
| The the Return-Rip is insied the 'INIT' section. More... | |
| BOOLEAN | IsIntegrity |
| True if the originator is found by an integrity check. More... | |
| struct { | |
| BOOLEAN User: 1 | |
| This field is set to TRUE for a write due to an injection from user-mode. More... | |
| BOOLEAN Kernel: 1 | |
| This field is set to TRUE for a write due to an injection from kernel-mode. More... | |
| } | Injection |
Describes a kernel-mode originator.
Definition at line 943 of file exceptions.h.
| KERNEL_DRIVER* _EXCEPTION_KM_ORIGINATOR::Driver |
The driver that's modifying the memory.
Definition at line 949 of file exceptions.h.
Referenced by IntHookGvaEnableHooks(), IntHookPtsCheckIntegrity(), IntLixIdtWriteHandler(), IntLixKernelHandleRead(), IntLixMsrHandleWrite(), IntWinHalHandleDispatchTableWrite(), and IntWinIdtWriteHandler().
| struct { ... } _EXCEPTION_KM_ORIGINATOR::Injection |
Referenced by IntWinModHandleKernelWrite().
| INSTRUX* _EXCEPTION_KM_ORIGINATOR::Instruction |
The modifying instruction (at the OriginalRip). There's no point in getting the instruction at Rip, since it will be a CALL/JMP.
Definition at line 978 of file exceptions.h.
| BOOLEAN _EXCEPTION_KM_ORIGINATOR::IsEntryPoint |
The the Return-Rip is insied the 'INIT' section.
Definition at line 980 of file exceptions.h.
| BOOLEAN _EXCEPTION_KM_ORIGINATOR::IsIntegrity |
True if the originator is found by an integrity check.
Definition at line 981 of file exceptions.h.
| BOOLEAN _EXCEPTION_KM_ORIGINATOR::Kernel |
This field is set to TRUE for a write due to an injection from kernel-mode.
Definition at line 986 of file exceptions.h.
Referenced by IntWinModHandleKernelWrite().
| LIX_TASK_OBJECT* _EXCEPTION_KM_ORIGINATOR::LixProc |
The Linux process object from which the write originates.
Definition at line 973 of file exceptions.h.
| DWORD _EXCEPTION_KM_ORIGINATOR::NameHash |
The namehash of the originator return driver.
Definition at line 947 of file exceptions.h.
Referenced by IntWinDrvObjHandleModification(), IntWinSDCheckAclIntegrity(), IntWinSDCheckSecDescIntegrity(), IntWinSudHandleFieldModification(), and IntWinTokenPrivsCheckIntegrityOnProcess().
| struct { ... } _EXCEPTION_KM_ORIGINATOR::Original |
Referenced by IntExceptVerifyCodeBlocksSig(), IntExceptVerifyValueCodeSig(), IntHookGvaEnableHooks(), IntHookPtsCheckIntegrity(), IntLixIdtWriteHandler(), IntLixKernelHandleRead(), IntLixMsrHandleWrite(), IntVeHandleAccess(), IntVeHandleEPTViolationInProtectedView(), IntWinDrvObjHandleModification(), IntWinHalHandleDispatchTableWrite(), IntWinIdtWriteHandler(), IntWinModHandleKernelWrite(), IntWinSDCheckAclIntegrity(), IntWinSDCheckSecDescIntegrity(), IntWinSelfMapHandleCr3SelfMapWrite(), IntWinSudHandleFieldModification(), and IntWinTokenPrivsCheckIntegrityOnProcess().
| DWORD _EXCEPTION_KM_ORIGINATOR::PathHash |
The pathhash of the originator return driver.
Definition at line 948 of file exceptions.h.
| void* _EXCEPTION_KM_ORIGINATOR::Process |
The process object from which the write originates. Valid only for KM-UM writes due to an injection originating from user-mode.
Definition at line 971 of file exceptions.h.
Referenced by IntWinModHandleKernelWrite().
| union { ... } _EXCEPTION_KM_ORIGINATOR::Process |
| struct { ... } _EXCEPTION_KM_ORIGINATOR::Return |
Referenced by IntExceptVerifyCodeBlocksSig(), IntExceptVerifyValueCodeSig(), IntHookGvaEnableHooks(), IntLixIdtWriteHandler(), IntLixKernelHandleRead(), IntLixMsrHandleWrite(), IntWinIdtWriteHandler(), IntWinSDCheckAclIntegrity(), IntWinSDCheckSecDescIntegrity(), IntWinSudHandleFieldModification(), and IntWinTokenPrivsCheckIntegrityOnProcess().
| QWORD _EXCEPTION_KM_ORIGINATOR::Rip |
The RIP from where the call to the exported function came.
Definition at line 950 of file exceptions.h.
Referenced by IntExceptVerifyCodeBlocksSig(), IntExceptVerifyValueCodeSig(), IntLixIdtWriteHandler(), IntLixKernelHandleRead(), IntLixMsrHandleWrite(), IntVeHandleAccess(), IntVeHandleEPTViolationInProtectedView(), IntWinIdtWriteHandler(), IntWinModHandleKernelWrite(), and IntWinSelfMapHandleCr3SelfMapWrite().
| CHAR _EXCEPTION_KM_ORIGINATOR::Section[9] |
The section where the Rip (not Original Rip) comes from.
Definition at line 951 of file exceptions.h.
| STACK_ELEMENT _EXCEPTION_KM_ORIGINATOR::StackElements[8] |
The stacktrace starting from current rip.
Definition at line 954 of file exceptions.h.
| STACK_TRACE _EXCEPTION_KM_ORIGINATOR::StackTrace |
Definition at line 955 of file exceptions.h.
| BOOLEAN _EXCEPTION_KM_ORIGINATOR::User |
This field is set to TRUE for a write due to an injection from user-mode.
Definition at line 985 of file exceptions.h.
Referenced by IntWinModHandleKernelWrite().
| WIN_PROCESS_OBJECT* _EXCEPTION_KM_ORIGINATOR::WinProc |
The Windows process object from which the write originates.
Definition at line 972 of file exceptions.h.
1.8.13