Bitdefender Hypervisor Memory Introspection
Describes a field from KUSER_SHARED_DATA which is protected through integrity. More...
Data Fields
| char * | FieldName | The name of the KUSER_SHARED_DATA field. |
| WORD | FieldOffset | The offset of the field within the structure. |
| WORD | FieldSize | The size of the field: 1, 2, 4 or 8 bytes for initialized fields; any size for fields that must contain only zeros (ShouldBeZero set to TRUE), as long as the field lies in the same page as the KUSER_SHARED_DATA structure. |
| DWORD | ModifiedCount | The number of modifications to the field since the protection was initialized; once it exceeds a fixed threshold (1000 by default) the field is treated as variable data and its protection is deactivated. |
| BOOLEAN | ShouldBeZero | Set to TRUE if the contents of the field must always be zero. |
| BOOLEAN | ShouldCheck | Set to TRUE if this field should be checked on the next timer tick. |
| BOOLEAN | ReenableOnZero | Set to TRUE after an allowed modification of a ShouldBeZero field; detection on that field resumes once a later check finds it filled with zeros again. |
| QWORD | OldValue | The saved value for fields that do not have ShouldBeZero set to TRUE. |
char* _SHARED_USER_DATA_PROT_FIELD::FieldName
The name of the KUSER_SHARED_DATA field.
Definition at line 48 of file winsud.c.
Referenced by IntWinSudCheckIntegrity() and IntWinSudProtectIntegrity().
WORD _SHARED_USER_DATA_PROT_FIELD::FieldOffset
The offset of the field within the structure.
Definition at line 49 of file winsud.c.
Referenced by IntWinSudCheckIntegrity() and IntWinSudProtectIntegrity().
WORD _SHARED_USER_DATA_PROT_FIELD::FieldSize
The size of the field. For initialized fields this is 1, 2, 4 or 8 bytes. A field that must contain only zeros (ShouldBeZero set to TRUE) can have any size, as long as the whole field lies in the same page as the KUSER_SHARED_DATA structure.
Definition at line 54 of file winsud.c.
Referenced by IntWinSudCheckIntegrity() and IntWinSudProtectIntegrity().
DWORD _SHARED_USER_DATA_PROT_FIELD::ModifiedCount
The number of modifications to the field since the protection was initialized. It is used to deactivate the protection on this field once the number of modifications exceeds a fixed threshold (1000 by default), which indicates that the field holds variable data rather than a constant worth protecting.
Definition at line 59 of file winsud.c.
Referenced by IntWinSudCheckIntegrity().
QWORD _SHARED_USER_DATA_PROT_FIELD::OldValue
The saved value for fields that do not have ShouldBeZero set to TRUE. A check compares the current contents of the field against this value.
Definition at line 68 of file winsud.c.
Referenced by IntWinSudCheckIntegrity() and IntWinSudProtectIntegrity().
BOOLEAN _SHARED_USER_DATA_PROT_FIELD::ReenableOnZero
Set to TRUE after an allowed modification has been made to a field with ShouldBeZero set to TRUE. It signals that detection on this ShouldBeZero field may resume once a future check finds the whole field filled with zeros. This avoids raising an alert every second for a ShouldBeZero field that was legitimately modified, while ensuring that, once the field is zero again, it is protected again and further modifications are detected.
Definition at line 67 of file winsud.c.
Referenced by IntWinSudCheckIntegrity().
BOOLEAN _SHARED_USER_DATA_PROT_FIELD::ShouldBeZero
Set to TRUE if the contents of the field must always be zero.
Definition at line 60 of file winsud.c.
Referenced by IntWinSudCheckIntegrity() and IntWinSudProtectIntegrity().
BOOLEAN _SHARED_USER_DATA_PROT_FIELD::ShouldCheck
Set to TRUE if this field should be checked on the next timer tick.
Definition at line 61 of file winsud.c.
Referenced by IntWinSudCheckIntegrity() and IntWinSudProtectIntegrity().
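The per-field check that these descriptions imply, written here as an added illustration; it is not HVMI's IntWinSudCheckIntegrity() or its structure definition. The SudProtField struct, the SudResult enum, the 4 KiB page bound and the policy of reporting a change once and then treating it as allowed (HVMI's own exception handling is not modelled) are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define SUD_PAGE_SIZE        4096
#define SUD_MODIFY_THRESHOLD 1000  /* documented default: above this the field is treated as variable */

/* Mirrors the documented fields of _SHARED_USER_DATA_PROT_FIELD (hypothetical model). */
typedef struct {
    const char *FieldName;
    uint16_t    FieldOffset;
    uint16_t    FieldSize;
    uint32_t    ModifiedCount;
    bool        ShouldBeZero;
    bool        ShouldCheck;
    bool        ReenableOnZero;
    uint64_t    OldValue;
} SudProtField;
typedef enum { SUD_OK = 0, SUD_ALERT = 1, SUD_DISABLED = 2 } SudResult;

static bool sud_all_zero(const uint8_t *p, size_t n)
{ while (n--) if (*p++) return false; return true; }

/* One timer-tick check of a field against a snapshot of the KUSER_SHARED_DATA page.
 * A detected change is reported once and then treated as allowed (assumption). */
SudResult sud_check_field(SudProtField *f, const uint8_t *page)
{
    if (!f->ShouldCheck || (size_t)f->FieldOffset + f->FieldSize > SUD_PAGE_SIZE)
        return SUD_OK;                       /* unprotected, or not inside the page */
    const uint8_t *cur = page + f->FieldOffset;
    if (f->ShouldBeZero) {
        bool zero = sud_all_zero(cur, f->FieldSize);
        if (f->ReenableOnZero) {             /* stay quiet until the field is zero again */
            if (zero) f->ReenableOnZero = false;
            return SUD_OK;
        }
        if (zero) return SUD_OK;
        f->ReenableOnZero = true;            /* alert once, then wait for zero */
        return SUD_ALERT;
    }
    uint64_t val = 0;                        /* FieldSize is 1, 2, 4 or 8 for valued fields */
    if (f->FieldSize > sizeof val) return SUD_OK;
    memcpy(&val, cur, f->FieldSize);
    if (val == f->OldValue) return SUD_OK;
    f->OldValue = val;
    if (++f->ModifiedCount > SUD_MODIFY_THRESHOLD) {
        f->ShouldCheck = false;              /* variable data: drop protection */
        return SUD_DISABLED;
    }
    return SUD_ALERT;
}
```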