Bitdefender Hypervisor Memory Introspection
Encapsulates a protected Windows process.

#include <winguest.h>

Data Fields

CHAR ImageBaseNamePattern[IMAGE_BASE_NAME_LEN]
    Process name pattern.
struct {
    DWORD Original
        The original protection flags as received from GLUE_IFACE.AddRemoveProtectedProcessUtf16 or GLUE_IFACE.AddRemoveProtectedProcessUtf8.
    DWORD Current
        The currently used protection flags.
    QWORD Beta
        Flags that were forced to beta (log-only) mode.
    QWORD Feedback
        Flags that will be forced to feedback only mode.
} Protection
    The protection flags used for this process.
DWORD Flags
    Flags that describe the protection mode.
PWCHAR FullPathPattern
    Full application path pattern.
PWCHAR FullNamePattern
    Full application name pattern.
QWORD Context
    The context supplied in the protection policy.
LIST_ENTRY Link
    Entry inside the gWinProtectedProcesses list.
Encapsulates a protected Windows process.
Definition at line 24 of file winguest.h.
QWORD _PROTECTED_PROCESS_INFO::Beta
Flags that were forced to beta (log-only) mode.
This can be done by the CAMI mechanism. These are the CAMI_PROT_OPTIONS.ForceBeta flags. Detections triggered by the protection mechanism enabled by these flags will never block, the action taken will always be introGuestAllowed, and an alert will be generated.
Definition at line 51 of file winguest.h.
Referenced by IntWinProcAddProtectedProcess(), IntWinProcCreateProcessObject(), IntWinProcUpdateProtectedProcess(), and IntWinProcUpdateProtection().
QWORD _PROTECTED_PROCESS_INFO::Context
The context supplied in the protection policy.
This is the Context parameter of the GLUE_IFACE.AddRemoveProtectedProcessUtf16 and GLUE_IFACE.AddRemoveProtectedProcessUtf8 APIs.
Definition at line 75 of file winguest.h.
Referenced by IntWinProcAddProtectedProcess(), IntWinProcCreateProcessObject(), IntWinProcExistsProtectedProcess(), and IntWinProcUpdateProtection().
DWORD _PROTECTED_PROCESS_INFO::Current
The currently used protection flags.
These are the Original flags, but the CAMI_PROT_OPTIONS settings may change them by forcing some flags to be off or on, overriding the protection policy. This allows us to disable problematic options just by updating the market CAMI file.
Definition at line 44 of file winguest.h.
Referenced by IntWinProcAddProtectedProcess(), IntWinProcCreateProcessObject(), IntWinProcExistsProtectedProcess(), IntWinProcUpdateProtectedProcess(), and IntWinProcUpdateProtection().
QWORD _PROTECTED_PROCESS_INFO::Feedback
Flags that will be forced to feedback only mode.
This can be done by the CAMI mechanism. These are the CAMI_PROT_OPTIONS.ForceFeedback flags. Detections triggered by the protection mechanism enabled by these flags will never block: the action taken will always be introGuestAllowed and an alert will be generated, but the alert will carry ALERT_FLAG_FEEDBACK_ONLY; the user will not be notified, and the event will only generate feedback.
Definition at line 58 of file winguest.h.
Referenced by IntWinProcAddProtectedProcess(), IntWinProcCreateProcessObject(), IntWinProcUpdateProtectedProcess(), and IntWinProcUpdateProtection().
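How Original, Current, Beta and Feedback relate, as described under the Current, Beta and Feedback fields, shown as an added illustrative model in C that is not HVMI's own code: CAMI_OPTIONS_MODEL, PROTECTION_MODEL, the DETECTION_ACTION names and the sample flag values are assumptions, and the feedback-over-beta precedence is an assumption the page does not state.

```c
#include <stdint.h>
typedef uint32_t DWORD; typedef uint64_t QWORD;

/* Hypothetical model of the CAMI_PROT_OPTIONS overrides; field names are assumed. */
typedef struct {
    QWORD ForceOff;      /* options switched off regardless of the policy */
    QWORD ForceOn;       /* options switched on regardless of the policy */
    QWORD ForceBeta;     /* options demoted to beta (log-only) mode */
    QWORD ForceFeedback; /* options demoted to feedback-only mode */
} CAMI_OPTIONS_MODEL;

/* Mirrors the Protection sub-structure of _PROTECTED_PROCESS_INFO. */
typedef struct {
    DWORD Original;
    DWORD Current;
    QWORD Beta;
    QWORD Feedback;
} PROTECTION_MODEL;

typedef enum {
    ACTION_NOT_PROTECTED,       /* option not enabled for this process */
    ACTION_BLOCK,               /* normal enforcement */
    ACTION_ALLOW_ALERT,         /* beta: introGuestAllowed, alert raised */
    ACTION_ALLOW_FEEDBACK_ONLY  /* feedback: allowed, alert has ALERT_FLAG_FEEDBACK_ONLY */
} DETECTION_ACTION;

/* Derive Current, Beta and Feedback from Original as the field descriptions state. */
void ApplyCamiOptions(PROTECTION_MODEL *p, const CAMI_OPTIONS_MODEL *c) {
    p->Current  = (p->Original | (DWORD)c->ForceOn) & ~(DWORD)c->ForceOff;
    p->Beta     = c->ForceBeta;
    p->Feedback = c->ForceFeedback;
}

/* Assumed precedence when an option is in both sets: feedback-only wins over beta. */
DETECTION_ACTION ResolveAction(const PROTECTION_MODEL *p, DWORD opt) {
    if (!(p->Current & opt)) return ACTION_NOT_PROTECTED;
    if (p->Feedback & opt)   return ACTION_ALLOW_FEEDBACK_ONLY;
    if (p->Beta & opt)       return ACTION_ALLOW_ALERT;
    return ACTION_BLOCK;
}

/* Constructed sample overrides (not real HVMI values): 0x2 off, 0x4 on, 0x1 beta, 0x4 feedback. */
static const CAMI_OPTIONS_MODEL kSampleCami = { .ForceOff = 0x2, .ForceOn = 0x4, .ForceBeta = 0x1, .ForceFeedback = 0x4 };

/* Constructed sample policy asking for options 0x1, 0x2 and 0x8, with the overrides applied. */
const PROTECTION_MODEL *SampleProtection(void) {
    static PROTECTION_MODEL p;
    p.Original = 0xB;
    ApplyCamiOptions(&p, &kSampleCami);
    return &p;
}
```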
DWORD _PROTECTED_PROCESS_INFO::Flags
Flags that describe the protection mode.
Can be either 0 or PROT_PROC_FLAG_NO_PATH.
Definition at line 64 of file winguest.h.
Referenced by IntWinProcAddProtectedProcess(), and IntWinProcGetProtectedInfoEx().
PWCHAR _PROTECTED_PROCESS_INFO::FullNamePattern
Full application name pattern.
This points inside FullPathPattern.
Definition at line 70 of file winguest.h.
Referenced by IntWinProcAddProtectedProcess(), IntWinProcDumpProtected(), IntWinProcGetProtectedInfoEx(), and IntWinProcUpdateProtectedProcess().
PWCHAR _PROTECTED_PROCESS_INFO::FullPathPattern
Full application path pattern.
Definition at line 66 of file winguest.h.
Referenced by IntWinProcAddProtectedProcess(), IntWinProcDumpProtected(), IntWinProcExistsProtectedProcess(), IntWinProcGetProtectedInfoEx(), IntWinProcRemoveAllProtectedProcesses(), IntWinProcRemoveProtectedProcessInternal(), and IntWinProcUninit().
CHAR _PROTECTED_PROCESS_INFO::ImageBaseNamePattern[IMAGE_BASE_NAME_LEN]
Process name pattern.
This is used as a glob pattern in order to match a process name.
Definition at line 29 of file winguest.h.
Referenced by IntWinProcAddProtectedProcess(), IntWinProcDumpProtected(), IntWinProcExistsProtectedProcess(), IntWinProcGetProtectedInfo(), IntWinProcGetProtectedInfoEx(), IntWinProcMarkAsSystemProcess(), IntWinProcRemoveAllProtectedProcesses(), IntWinProcRemoveProtectedProcessInternal(), and IntWinProcUpdateProtectedProcess().
LIST_ENTRY _PROTECTED_PROCESS_INFO::Link
Entry inside the gWinProtectedProcesses list.
Definition at line 78 of file winguest.h.
Referenced by IntWinProcAddProtectedProcess(), IntWinProcRemoveAllProtectedProcesses(), IntWinProcRemoveProtectedProcessInternal(), and IntWinProcUninit().
DWORD _PROTECTED_PROCESS_INFO::Original
The original protection flags as received from GLUE_IFACE.AddRemoveProtectedProcessUtf16 or GLUE_IFACE.AddRemoveProtectedProcessUtf8.
Definition at line 38 of file winguest.h.
Referenced by IntWinProcAddProtectedProcess(), IntWinProcDumpProtected(), IntWinProcUpdateProtectedProcess(), and IntWinProcUpdateProtection().
struct { ... } _PROTECTED_PROCESS_INFO::Protection
The protection flags used for this process.
All the fields are a combination of Process protection options values.
Referenced by IntWinProcAddProtectedProcess(), IntWinProcCreateProcessObject(), IntWinProcDumpProtected(), IntWinProcExistsProtectedProcess(), IntWinProcUpdateProtectedProcess(), and IntWinProcUpdateProtection().