- Generated by
1.8.13
|
Bitdefender Hypervisor Memory Introspection
|
A structure that describes a hidden guest memory region. More...
Data Fields | |
| LIST_ENTRY | Link |
| Entry inside the gMemClkRegions linked list. More... | |
| QWORD | Gva |
| The guest virtual address at which the hidden region starts. More... | |
| QWORD | Cr3 |
| The Cr3 in which the hidden region is mapped. More... | |
| DWORD | Size |
| The size of the hidden region. OriginalData and PatchedData have this size. More... | |
| DWORD | Options |
| A combination of MEMCLOAK_OPTIONS values. More... | |
| PBYTE | OriginalData |
| A buffer containing the original data. More... | |
| PBYTE | PatchedData |
| A buffer containing the data patched by introcore. More... | |
| MEMCLOAK_PAGE | Pages [MEMCLOACK_PAGE_MAX_COUNT] |
| Array of pages contained in this region. More... | |
| DWORD | PageCount |
| The number of valid entries in the Pages array. More... | |
| PFUNC_IntMemCloakWriteHandle | WriteHandler |
| The write handler used for this region. More... | |
A structure that describes a hidden guest memory region.
Definition at line 31 of file memcloak.c.
| QWORD _MEMCLOAK_REGION::Cr3 |
The Cr3 in which the hidden region is mapped.
Definition at line 35 of file memcloak.c.
Referenced by IntMemClkCloakRegion(), IntMemClkDump(), IntMemClkModifyPatchedData(), and IntMemClkUnInit().
| QWORD _MEMCLOAK_REGION::Gva |
The guest virtual address at which the hidden region starts.
Definition at line 34 of file memcloak.c.
Referenced by IntMemClkCloakRegion(), IntMemClkDump(), IntMemClkHandleRead(), IntMemClkHandleSwap(), IntMemClkHandleWrite(), IntMemClkHashRegion(), IntMemClkIsPtrInCloak(), IntMemClkModifyPatchedData(), and IntMemClkUnInit().
| LIST_ENTRY _MEMCLOAK_REGION::Link |
Entry inside the gMemClkRegions linked list.
Definition at line 33 of file memcloak.c.
Referenced by IntMemClkCloakRegion().
| DWORD _MEMCLOAK_REGION::Options |
A combination of MEMCLOAK_OPTIONS values.
Definition at line 37 of file memcloak.c.
Referenced by IntMemClkCloakRegion(), IntMemClkDump(), and IntMemClkHandleRead().
| PBYTE _MEMCLOAK_REGION::OriginalData |
A buffer containing the original data.
Definition at line 38 of file memcloak.c.
Referenced by IntMemClkCloakRegion(), IntMemClkDump(), IntMemClkGetOriginalData(), IntMemClkHandleRead(), IntMemClkHandleSwap(), IntMemClkHashRegion(), IntMemClkModifyOriginalData(), and IntMemClkUnInit().
| DWORD _MEMCLOAK_REGION::PageCount |
The number of valid entries in the Pages array.
Definition at line 45 of file memcloak.c.
Referenced by IntMemClkCloakRegion(), and IntMemClkDump().
| MEMCLOAK_PAGE _MEMCLOAK_REGION::Pages[MEMCLOACK_PAGE_MAX_COUNT] |
Array of pages contained in this region.
Hidden region can cross the page boundary, in which case we will have two pages included in a single region.
Definition at line 44 of file memcloak.c.
Referenced by IntMemClkCloakRegion(), and IntMemClkDump().
| PBYTE _MEMCLOAK_REGION::PatchedData |
A buffer containing the data patched by introcore.
Definition at line 39 of file memcloak.c.
Referenced by IntMemClkCloakRegion(), IntMemClkDump(), IntMemClkHandleSwap(), IntMemClkModifyPatchedData(), and IntMemClkUnInit().
| DWORD _MEMCLOAK_REGION::Size |
The size of the hidden region. OriginalData and PatchedData have this size.
Definition at line 36 of file memcloak.c.
Referenced by IntMemClkCloakRegion(), IntMemClkDump(), IntMemClkGetOriginalData(), IntMemClkHandleRead(), IntMemClkHandleSwap(), IntMemClkHashRegion(), IntMemClkIsPtrInCloak(), IntMemClkModifyOriginalData(), IntMemClkModifyPatchedData(), and IntMemClkUnInit().
| PFUNC_IntMemCloakWriteHandle _MEMCLOAK_REGION::WriteHandler |
The write handler used for this region.
This will be invoked when the guest attempts to modify a hidden memory region.
Definition at line 50 of file memcloak.c.
Referenced by IntMemClkCloakRegion(), and IntMemClkHandleWrite().
1.8.13