- Generated by
1.8.13
|
Bitdefender Hypervisor Memory Introspection
|
#include <lixprocess.h>
Data Fields | |
| LIST_ENTRY | Link |
| Linkage in the global task list. More... | |
| QWORD | Gva |
| The guest virtual address of the task_struct. More... | |
| char | Comm [LIX_COMM_SIZE] |
| The short name of the executable. More... | |
| char * | Interpreter |
| If this was a script executed through an interpretor. More... | |
| char * | CmdLine |
| The process command line. More... | |
| LIX_TASK_PATH * | Path |
| The path of the file executed. More... | |
| char * | ProcName |
| The process name that is always valid. It's set depending which info is available in order: Path, Comm. Never free, it's just a reference. More... | |
| QWORD | RealParent |
| The process which called fork() More... | |
| QWORD | Parent |
| Depends if this is a thread or a process. More... | |
| QWORD | ActualParent |
| The parent, based on tgid. Only relevant for threads. More... | |
| QWORD | ExeFileDentry |
| The guest virtual address of the executable file's "dentry" structure. More... | |
| SIZE_T | ProcNameLength |
| The length of the ProcName field. More... | |
| DWORD | InterpLength |
| The length of the Interpreter field. More... | |
| DWORD | CmdLineLength |
| The length of the CmdLine field. More... | |
| DWORD | CommHash |
| The CRC32 checksum of the Comm field. More... | |
| LIST_ENTRY | ExploitProtProcLink |
| Linkage in the protected processes list. More... | |
| QWORD | MmGva |
| The guest virtual address of the "mm_struct". More... | |
| QWORD | Cr3 |
| The CR3 for this process. More... | |
| DWORD | Pid |
| The task PID. More... | |
| DWORD | Tgid |
| The task Thread-Group-ID. More... | |
| QWORD | CreationTime |
| The creation timestamp for this process. More... | |
| LIST_HEAD | Vmas |
| The list head for the VMAs from the memory space of this process. More... | |
| struct { | |
| QWORD Mask | |
| The protection flags enabled for this process. More... | |
| QWORD Beta | |
| The protection flags for this process that are in beta mode. More... | |
| QWORD Feedback | |
| The protection flags for this process that are in feedback-only mode. More... | |
| } | Protection |
| Protection specific flags. More... | |
| QWORD | RootProtectionMask |
| The protection that children will inherit. More... | |
| QWORD | Context |
| Context from integrator. More... | |
| void * | HookObject |
| The HookObject used for EPT hooks set inside this process's memory space. More... | |
| DWORD | StaticDetected: 1 |
| TRUE if the process was detected using a static scan (during static init). More... | |
| DWORD | Exec: 1 |
| TRUE if the process did exec at least once. More... | |
| DWORD | IsThread: 1 |
| TRUE if it's a thread, not a process. More... | |
| DWORD | KernelMode: 1 |
| TRUE if this process/thread is inside kernel mode. More... | |
| DWORD | IsPreviousAgent: 1 |
| TRUE if this process is an agent remaining from a previous session. More... | |
| DWORD | Protected: 1 |
| TRUE if the process is protected. More... | |
| DWORD | ReExecToSelf: 1 |
| TRUE if the process is re-executed to self (exec to same executable). More... | |
| DWORD | MustKill: 1 |
| Will kill the process with the first occasion. More... | |
| LIX_AGENT_TAG | AgentTag |
| The agent tag, if this process is an agent. More... | |
| LIX_CREDS * | Creds |
| The LIX_CREDS reference for the credentials of this process. More... | |
| struct { | |
| QWORD Base | |
| The user mode stack base. More... | |
| QWORD Limit | |
| The user mode stack limit. More... | |
| BOOLEAN Valid | |
| TRUE if the values inside this structure are valid. More... | |
| } | UserStack |
| User stack information. More... | |
| struct { | |
| BOOLEAN IsPivoted | |
| TRUE if this process stack is pivoted (used for DPI) More... | |
| BOOLEAN StolenTokens | |
| TRUE if credentials for this process have been altered. More... | |
| } | Dpi |
| DPI related information. More... | |
Definition at line 38 of file lixprocess.h.
| QWORD _LIX_TASK_OBJECT::ActualParent |
The parent, based on tgid. Only relevant for threads.
Definition at line 58 of file lixprocess.h.
Referenced by IntLixTaskCreate().
| LIX_AGENT_TAG _LIX_TASK_OBJECT::AgentTag |
The agent tag, if this process is an agent.
Definition at line 103 of file lixprocess.h.
Referenced by IntLixAgentHandleUserVmcall(), IntLixTaskCreate(), and IntLixTaskHandleExec().
| QWORD _LIX_TASK_OBJECT::Base |
The user mode stack base.
Definition at line 109 of file lixprocess.h.
Referenced by IntLixTaskCreate().
| QWORD _LIX_TASK_OBJECT::Beta |
The protection flags for this process that are in beta mode.
Definition at line 85 of file lixprocess.h.
| char* _LIX_TASK_OBJECT::CmdLine |
The process command line.
Definition at line 48 of file lixprocess.h.
Referenced by IntExceptVerifyValueSig(), and IntLixTaskHandleExec().
| DWORD _LIX_TASK_OBJECT::CmdLineLength |
The length of the CmdLine field.
Definition at line 64 of file lixprocess.h.
| char _LIX_TASK_OBJECT::Comm[LIX_COMM_SIZE] |
The short name of the executable.
Definition at line 44 of file lixprocess.h.
Referenced by IntExceptGetVictimEpt(), IntExceptGetVictimProcess(), IntExceptGetVictimProcessCreation(), IntLixAgentHandleUserVmcall(), IntLixCommitCredsHandle(), IntLixNetProcessConnection(), IntLixTaskCreate(), IntLixTaskCreateInitTask(), IntLixTaskGuestTerminating(), IntLixTaskHandleExec(), IntLixTaskHandleInjection(), IntLixVmaAdjust(), and IntLixVmaHandlePageExecution().
| DWORD _LIX_TASK_OBJECT::CommHash |
The CRC32 checksum of the Comm field.
Definition at line 65 of file lixprocess.h.
Referenced by IntExceptGetVictimEpt(), IntExceptGetVictimProcess(), IntExceptGetVictimProcessCreation(), IntLixTaskCreate(), IntLixTaskCreateInitTask(), and IntLixTaskHandleExec().
| QWORD _LIX_TASK_OBJECT::Context |
Context from integrator.
Definition at line 90 of file lixprocess.h.
Referenced by IntLixTaskCreateInitTask().
| QWORD _LIX_TASK_OBJECT::Cr3 |
The CR3 for this process.
Definition at line 70 of file lixprocess.h.
Referenced by IntExceptGetVictimProcess(), IntExceptGetVictimProcessCreation(), IntExceptVerifyCodeBlocksSig(), IntExceptVerifyValueCodeSig(), IntExceptVerifyValueSig(), IntLixTaskCreate(), IntLixTaskHandleExec(), and IntLixVdsoDynamicProtectRelocate().
| QWORD _LIX_TASK_OBJECT::CreationTime |
The creation timestamp for this process.
Definition at line 75 of file lixprocess.h.
Referenced by IntLixTaskCreate().
| LIX_CREDS* _LIX_TASK_OBJECT::Creds |
The LIX_CREDS reference for the credentials of this process.
Definition at line 105 of file lixprocess.h.
Referenced by IntLixCommitCredsHandle(), and IntLixTaskCreate().
| struct { ... } _LIX_TASK_OBJECT::Dpi |
DPI related information.
Referenced by IntLixTaskCreate().
| DWORD _LIX_TASK_OBJECT::Exec |
TRUE if the process did exec at least once.
Definition at line 95 of file lixprocess.h.
Referenced by IntLixTaskCreate(), and IntLixTaskHandleExec().
| QWORD _LIX_TASK_OBJECT::ExeFileDentry |
The guest virtual address of the executable file's "dentry" structure.
Definition at line 60 of file lixprocess.h.
Referenced by IntLixTaskCreate().
| LIST_ENTRY _LIX_TASK_OBJECT::ExploitProtProcLink |
Linkage in the protected processes list.
Definition at line 67 of file lixprocess.h.
Referenced by IntLixTaskCreate().
| QWORD _LIX_TASK_OBJECT::Feedback |
The protection flags for this process that are in feedback-only mode.
Definition at line 86 of file lixprocess.h.
| QWORD _LIX_TASK_OBJECT::Gva |
The guest virtual address of the task_struct.
Definition at line 42 of file lixprocess.h.
Referenced by IntLixCommitCredsHandle(), IntLixCrashHandle(), IntLixTaskCreate(), IntLixTaskCreateInitTask(), IntLixTaskHandleExec(), IntLixTaskHandleInjection(), IntLixVmaAdjust(), IntLixVmaHandlePageExecution(), and IntThrSafeLixGetCurrentStack().
| void* _LIX_TASK_OBJECT::HookObject |
The HookObject used for EPT hooks set inside this process's memory space.
Definition at line 92 of file lixprocess.h.
Referenced by IntExceptVerifyCodeBlocksSig().
| DWORD _LIX_TASK_OBJECT::InterpLength |
The length of the Interpreter field.
Definition at line 63 of file lixprocess.h.
| char* _LIX_TASK_OBJECT::Interpreter |
If this was a script executed through an interpretor.
Definition at line 46 of file lixprocess.h.
Referenced by IntLixTaskCreateInitTask(), and IntLixTaskHandleExec().
| BOOLEAN _LIX_TASK_OBJECT::IsPivoted |
TRUE if this process stack is pivoted (used for DPI)
Definition at line 116 of file lixprocess.h.
| DWORD _LIX_TASK_OBJECT::IsPreviousAgent |
TRUE if this process is an agent remaining from a previous session.
Definition at line 98 of file lixprocess.h.
Referenced by IntLixAgentHandleUserVmcall(), IntLixTaskCreate(), and IntLixTaskHandleExec().
| DWORD _LIX_TASK_OBJECT::IsThread |
TRUE if it's a thread, not a process.
Definition at line 96 of file lixprocess.h.
Referenced by IntLixTaskCreate(), IntLixTaskCreateInitTask(), and IntLixTaskHandleExec().
| DWORD _LIX_TASK_OBJECT::KernelMode |
TRUE if this process/thread is inside kernel mode.
Definition at line 97 of file lixprocess.h.
Referenced by IntLixCommitCredsHandle(), IntLixTaskCreate(), and IntLixTaskCreateInitTask().
| QWORD _LIX_TASK_OBJECT::Limit |
The user mode stack limit.
Definition at line 110 of file lixprocess.h.
Referenced by IntLixTaskCreate().
| LIST_ENTRY _LIX_TASK_OBJECT::Link |
Linkage in the global task list.
Definition at line 40 of file lixprocess.h.
Referenced by IntLixTaskCreate(), IntLixTaskCreateInitTask(), and IntLixTaskHandleExec().
| QWORD _LIX_TASK_OBJECT::Mask |
The protection flags enabled for this process.
Definition at line 84 of file lixprocess.h.
Referenced by IntLixAccessRemoteVmHandler(), IntLixTaskCreateInitTask(), IntLixTaskHandleExec(), IntLixTaskHandleInjection(), IntLixVmaAdjust(), IntLixVmaChangeProtection(), IntLixVmaExpandDownwards(), IntLixVmaHandlePageExecution(), IntLixVmaInsert(), and IntLixVmaRemove().
| QWORD _LIX_TASK_OBJECT::MmGva |
The guest virtual address of the "mm_struct".
Definition at line 69 of file lixprocess.h.
Referenced by IntLixTaskCreate(), and IntLixVmaAdjust().
| DWORD _LIX_TASK_OBJECT::MustKill |
Will kill the process with the first occasion.
Definition at line 101 of file lixprocess.h.
Referenced by IntLixCrashHandle(), and IntLixVmaHandlePageExecution().
| QWORD _LIX_TASK_OBJECT::Parent |
Depends if this is a thread or a process.
Definition at line 57 of file lixprocess.h.
Referenced by IntExceptKernelLogLinuxInformation(), IntLixTaskCreate(), and IntLixTaskCreateInitTask().
| LIX_TASK_PATH* _LIX_TASK_OBJECT::Path |
The path of the file executed.
Definition at line 50 of file lixprocess.h.
Referenced by IntExceptGetVictimEpt(), IntLixTaskCreate(), IntLixTaskCreateInitTask(), and IntLixTaskHandleExec().
| DWORD _LIX_TASK_OBJECT::Pid |
The task PID.
Definition at line 72 of file lixprocess.h.
Referenced by IntLixAgentHandleUserVmcall(), IntLixCommitCredsHandle(), IntLixTaskCreate(), IntLixTaskCreateFromBinprm(), IntLixTaskCreateInitTask(), IntLixTaskHandleExec(), IntLixTaskHandleInjection(), IntLixVmaAdjust(), and IntLixVmaHandlePageExecution().
| char* _LIX_TASK_OBJECT::ProcName |
The process name that is always valid. It's set depending which info is available in order: Path, Comm. Never free, it's just a reference.
Definition at line 54 of file lixprocess.h.
Referenced by IntLixTaskCreate(), IntLixTaskHandleExec(), and IntLixTaskHandleInjection().
| SIZE_T _LIX_TASK_OBJECT::ProcNameLength |
The length of the ProcName field.
Definition at line 62 of file lixprocess.h.
| DWORD _LIX_TASK_OBJECT::Protected |
TRUE if the process is protected.
Definition at line 99 of file lixprocess.h.
Referenced by IntLixTaskCreate(), IntLixTaskCreateInitTask(), and IntLixTaskHandleExec().
| struct { ... } _LIX_TASK_OBJECT::Protection |
Protection specific flags.
Referenced by IntLixAccessRemoteVmHandler(), IntLixTaskCreateInitTask(), IntLixTaskHandleExec(), IntLixTaskHandleInjection(), IntLixVmaAdjust(), IntLixVmaChangeProtection(), IntLixVmaExpandDownwards(), IntLixVmaHandlePageExecution(), IntLixVmaInsert(), and IntLixVmaRemove().
| QWORD _LIX_TASK_OBJECT::RealParent |
The process which called fork()
Definition at line 56 of file lixprocess.h.
Referenced by IntLixTaskCreate(), and IntLixTaskCreateInitTask().
| DWORD _LIX_TASK_OBJECT::ReExecToSelf |
TRUE if the process is re-executed to self (exec to same executable).
Definition at line 100 of file lixprocess.h.
| QWORD _LIX_TASK_OBJECT::RootProtectionMask |
The protection that children will inherit.
Definition at line 89 of file lixprocess.h.
| DWORD _LIX_TASK_OBJECT::StaticDetected |
TRUE if the process was detected using a static scan (during static init).
Definition at line 94 of file lixprocess.h.
Referenced by IntLixTaskCreate().
| BOOLEAN _LIX_TASK_OBJECT::StolenTokens |
TRUE if credentials for this process have been altered.
Definition at line 117 of file lixprocess.h.
Referenced by IntLixTaskCreate().
| DWORD _LIX_TASK_OBJECT::Tgid |
The task Thread-Group-ID.
Definition at line 73 of file lixprocess.h.
Referenced by IntLixTaskCreate().
| struct { ... } _LIX_TASK_OBJECT::UserStack |
User stack information.
Referenced by IntLixTaskCreate().
| BOOLEAN _LIX_TASK_OBJECT::Valid |
TRUE if the values inside this structure are valid.
Definition at line 111 of file lixprocess.h.
Referenced by IntLixTaskCreate().
| LIST_HEAD _LIX_TASK_OBJECT::Vmas |
The list head for the VMAs from the memory space of this process.
Definition at line 80 of file lixprocess.h.
Referenced by IntLixTaskCreate().
1.8.13