Bitdefender Hypervisor Memory Introspection
_EXCEPTION_UM_ORIGINATOR Struct Reference

Describes a user-mode originator.

#include <exceptions.h>

Data Fields

DWORD NameHash
 The name hash of the process.

union {
   PCHAR   Name
 The process name of the originator (saved as CHAR).

   PWCHAR   NameWide
 The module name of the originator (saved as WCHAR).
};

union {
   void *   Process
 The process that's modifying the memory (always present).

   WIN_PROCESS_OBJECT *   WinProc
 The Windows process that's modifying the memory (always present).

   LIX_TASK_OBJECT *   LixProc
 The Linux process that's modifying the memory (always present).
};

union {
   void *   Library
 The library that's modifying the memory (if that's the case).

   WIN_PROCESS_MODULE *   WinLib
 The Windows library that's modifying the memory (if that's the case).
};

union {
   QWORD   Rip
 Where the write/exec came from.

   QWORD   SourceVA
 The GVA from which the injection originates.
};

struct {
   DWORD   NameHash
 The name hash of the return originator.

   union {
      PCHAR   Name
 The process name of the return originator (saved as CHAR).

      PWCHAR   NameWide
 The module name of the return originator (saved as WCHAR).
   }

   QWORD   Rip
 The RIP from where the violation came.

   union {
      void *   Library
 The library that's modifying the memory (if that's the case).

      WIN_PROCESS_MODULE *   WinLib
 The Windows library that's modifying the memory (if that's the case).
   }
} Return

INTRO_PC_VIOLATION_TYPE PcType
 Valid if the current violation is a DPI process creation violation.

INSTRUX * Instruction
 The modifying/executing instruction (valid when Rip != 0).

BOOLEAN Execute


Detailed Description

Describes a user-mode originator.

Definition at line 994 of file exceptions.h.

Field Documentation

◆ Execute

BOOLEAN _EXCEPTION_UM_ORIGINATOR::Execute

Definition at line 1045 of file exceptions.h.

Referenced by IntExceptVerifyCodeBlocksSig().

◆ Instruction

INSTRUX* _EXCEPTION_UM_ORIGINATOR::Instruction

The modifying/executing instruction (valid when Rip != 0).

Definition at line 1043 of file exceptions.h.

◆ Library

void* _EXCEPTION_UM_ORIGINATOR::Library

The library that's modifying the memory (if that's the case).

Definition at line 1013 of file exceptions.h.

Referenced by IntWinSudSendSudExecAlert(), and IntWinVadIsExecSuspicious().

◆ LixProc

LIX_TASK_OBJECT* _EXCEPTION_UM_ORIGINATOR::LixProc

The Linux process that's modifying the memory (always present).

Definition at line 1008 of file exceptions.h.

Referenced by IntExceptVerifyCodeBlocksSig(), IntExceptVerifyValueCodeSig(), and IntExceptVerifyValueSig().

◆ Name

PCHAR _EXCEPTION_UM_ORIGINATOR::Name

The process name of the originator (saved as CHAR).

The process name of the return originator (saved as CHAR).

Definition at line 1000 of file exceptions.h.

◆ NameHash

DWORD _EXCEPTION_UM_ORIGINATOR::NameHash

The name hash of the process.

The name hash of the return originator.

Definition at line 996 of file exceptions.h.

◆ NameWide

PWCHAR _EXCEPTION_UM_ORIGINATOR::NameWide

The module name of the originator (saved as WCHAR).

The module name of the return originator (saved as WCHAR).

Definition at line 1001 of file exceptions.h.

◆ PcType

INTRO_PC_VIOLATION_TYPE _EXCEPTION_UM_ORIGINATOR::PcType

Valid if the current violation is a DPI process creation violation.

Definition at line 1041 of file exceptions.h.

Referenced by IntExceptVerifyProcessCreationSignature(), IntExceptVerifyValueCodeSig(), IntLixValidateProcessCreationRights(), and IntWinDpiCheckCreation().

◆ Process

void* _EXCEPTION_UM_ORIGINATOR::Process

The process that's modifying the memory (always present).

Definition at line 1006 of file exceptions.h.

◆ Return

struct { ... } _EXCEPTION_UM_ORIGINATOR::Return

◆ Rip

QWORD _EXCEPTION_UM_ORIGINATOR::Rip

Where the write/exec came from.

The RIP from where the violation came.

Definition at line 1019 of file exceptions.h.

Referenced by IntExceptVerifyCodeBlocksSig(), IntExceptVerifyValueCodeSig(), IntWinCrashHandleDepViolation(), IntWinSudSendSudExecAlert(), and IntWinVadIsExecSuspicious().

◆ SourceVA

QWORD _EXCEPTION_UM_ORIGINATOR::SourceVA

The GVA from which the injection originates.

Definition at line 1020 of file exceptions.h.

Referenced by IntExceptVerifyValueSig(), and IntWinCrashHandleDepViolation().

◆ WinLib

WIN_PROCESS_MODULE* _EXCEPTION_UM_ORIGINATOR::WinLib

The Windows library that's modifying the memory (if that's the case).

Definition at line 1014 of file exceptions.h.

Referenced by IntExceptVerifyCodeBlocksSig().

◆ WinProc

WIN_PROCESS_OBJECT* _EXCEPTION_UM_ORIGINATOR::WinProc

The Windows process that's modifying the memory (always present).

Definition at line 1007 of file exceptions.h.

Referenced by IntExceptVerifyCodeBlocksSig(), IntExceptVerifyExportSig(), IntExceptVerifyValueCodeSig(), and IntExceptVerifyValueSig().


The documentation for this struct was generated from the following file: