Bitdefender Hypervisor Memory Introspection
Describes a user-mode originator.
#include <exceptions.h>
Data Fields

DWORD NameHash
    The namehash of the process.
union {
    PCHAR Name
        The process name of the originator (saved as CHAR).
    PWCHAR NameWide
        The module name of the originator (saved as WCHAR).
};
union {
    void * Process
        The process that's modifying the memory (always present).
    WIN_PROCESS_OBJECT * WinProc
        The Windows process that's modifying the memory (always present).
    LIX_TASK_OBJECT * LixProc
        The Linux process that's modifying the memory (always present).
};
union {
    void * Library
        The library that's modifying the memory (if that's the case).
    WIN_PROCESS_MODULE * WinLib
        The Windows library that's modifying the memory (if that's the case).
};
union {
    QWORD Rip
        Where the write/exec came from.
    QWORD SourceVA
        The GVA from where the injection is.
};
struct {
    DWORD NameHash
        The namehash of the return originator.
    union {
        PCHAR Name
            The process name of the return originator (saved as CHAR).
        PWCHAR NameWide
            The module name of the return originator (saved as WCHAR).
    }
    QWORD Rip
        The RIP from where the violation came.
    union {
        void * Library
            The library that's modifying the memory (if that's the case).
        WIN_PROCESS_MODULE * WinLib
            The Windows library that's modifying the memory (if that's the case).
    }
} Return
INTRO_PC_VIOLATION_TYPE PcType
    Valid if the current violation is DPI Process Creation Violation.
INSTRUX * Instruction
    The modifying/executing instruction (valid when Rip != 0).
BOOLEAN Execute
Describes a user-mode originator.
Definition at line 994 of file exceptions.h.
BOOLEAN _EXCEPTION_UM_ORIGINATOR::Execute
Definition at line 1045 of file exceptions.h.
Referenced by IntExceptVerifyCodeBlocksSig().
INSTRUX* _EXCEPTION_UM_ORIGINATOR::Instruction
The modifying/executing instruction (valid when Rip != 0).
Definition at line 1043 of file exceptions.h.
void* _EXCEPTION_UM_ORIGINATOR::Library
The library that's modifying the memory (if that's the case).
Definition at line 1013 of file exceptions.h.
Referenced by IntWinSudSendSudExecAlert(), and IntWinVadIsExecSuspicious().
LIX_TASK_OBJECT* _EXCEPTION_UM_ORIGINATOR::LixProc
The Linux process that's modifying the memory (always present).
Definition at line 1008 of file exceptions.h.
Referenced by IntExceptVerifyCodeBlocksSig(), IntExceptVerifyValueCodeSig(), and IntExceptVerifyValueSig().
PCHAR _EXCEPTION_UM_ORIGINATOR::Name
The process name of the originator (saved as CHAR).
The process name of the return originator (saved as CHAR).
Definition at line 1000 of file exceptions.h.
DWORD _EXCEPTION_UM_ORIGINATOR::NameHash
The namehash of the process.
The namehash of the return originator.
Definition at line 996 of file exceptions.h.
PWCHAR _EXCEPTION_UM_ORIGINATOR::NameWide
The module name of the originator (saved as WCHAR).
The module name of the return originator (saved as WCHAR).
Definition at line 1001 of file exceptions.h.
INTRO_PC_VIOLATION_TYPE _EXCEPTION_UM_ORIGINATOR::PcType
Valid if the current violation is DPI Process Creation Violation.
Definition at line 1041 of file exceptions.h.
Referenced by IntExceptVerifyProcessCreationSignature(), IntExceptVerifyValueCodeSig(), IntLixValidateProcessCreationRights(), and IntWinDpiCheckCreation().
void* _EXCEPTION_UM_ORIGINATOR::Process
The process that's modifying the memory (always present).
Definition at line 1006 of file exceptions.h.
struct { ... } _EXCEPTION_UM_ORIGINATOR::Return
Referenced by IntWinSudSendSudExecAlert(), and IntWinVadIsExecSuspicious().
QWORD _EXCEPTION_UM_ORIGINATOR::Rip
Where the write/exec came from.
The RIP from where the violation came.
Definition at line 1019 of file exceptions.h.
Referenced by IntExceptVerifyCodeBlocksSig(), IntExceptVerifyValueCodeSig(), IntWinCrashHandleDepViolation(), IntWinSudSendSudExecAlert(), and IntWinVadIsExecSuspicious().
QWORD _EXCEPTION_UM_ORIGINATOR::SourceVA
The GVA from where the injection is.
Definition at line 1020 of file exceptions.h.
Referenced by IntExceptVerifyValueSig(), and IntWinCrashHandleDepViolation().
WIN_PROCESS_MODULE* _EXCEPTION_UM_ORIGINATOR::WinLib
The Windows library that's modifying the memory (if that's the case).
Definition at line 1014 of file exceptions.h.
Referenced by IntExceptVerifyCodeBlocksSig().
WIN_PROCESS_OBJECT* _EXCEPTION_UM_ORIGINATOR::WinProc
The Windows process that's modifying the memory (always present).
Definition at line 1007 of file exceptions.h.
Referenced by IntExceptVerifyCodeBlocksSig(), IntExceptVerifyExportSig(), IntExceptVerifyValueCodeSig(), and IntExceptVerifyValueSig().