- Generated by
1.8.13
|
Bitdefender Hypervisor Memory Introspection
|
A representation of a Windows VAD structure. More...
#include <winvad.h>
Data Fields | |
| RBNODE | RbNode |
| The node inside the WIN_PROCESS_OBJECT.VadTree tree. More... | |
| QWORD | Left |
| QWORD | Right |
| QWORD | Parent |
| QWORD | StartPage |
| QWORD | EndPage |
| QWORD | VadGva |
| The guest virtual address at which the corresponding Windows _MMVAD structure is located. More... | |
| QWORD | PageCount |
| The number of 4K pages in the VAD. More... | |
| DWORD | VadProtection |
| VAD_TYPE | VadType |
| The type of the VAD. More... | |
| DWORD | Protection |
| WIN_PROCESS_OBJECT * | Process |
| The process to which this VAD belongs to. More... | |
| VAD_PAGE ** | VadPages |
| An array representing each page in the VAD. It has PageCount entries. More... | |
| void * | PathSwapHandle |
| QWORD | SubsectionGva |
| WINUM_PATH * | Path |
| DWORD | ExecCount |
| The number of execution violations triggered by pages inside this VAD. More... | |
| struct { | |
| DWORD StaticScan: 1 | |
| Set if the VAD was statically detected by a scan, after it was created. More... | |
| DWORD IsStack: 1 | |
| Set if the memory range represented by this VAD is a stack. More... | |
| DWORD HugeVad: 1 | |
| Set if the memory range represented by this VAD has a size of at least 4G. More... | |
| DWORD IsIgnored: 1 | |
| Set if this VAD is not monitored regardless of the protection rights it has. More... | |
| DWORD NoChange: 1 | |
| Set if the NoChange bit inside the VadFlags field is set. More... | |
| DWORD PrivateFixup: 1 | |
| Set if the PrivateFixup bit inside the VadFlags field is set. More... | |
| DWORD DeleteInProgress: 1 | |
| Set if the DeleteInProgress bit inside the VadFlags field is set. More... | |
| DWORD Unused: 25 | |
| Spare bits. More... | |
| }; | |
A representation of a Windows VAD structure.
This can be obtained from a _MMVAD_SHORT or a _MMVAD_LONG Windows structure.
| struct { ... } |
| DWORD _VAD::DeleteInProgress |
| QWORD _VAD::EndPage |
The last page in the VAD.
The [StartPage, EndPage] range is always inclusive.
Definition at line 106 of file winvad.h.
Referenced by IntWinProcHandleCopyMemory(), IntWinStackHandleUserStackPagedOut(), IntWinVadCreateObject(), IntWinVadFindByRange(), IntWinVadFindNodeInGuestSpace(), IntWinVadHandleDeleteGeneric(), IntWinVadHandleInsertGeneric(), IntWinVadHandleProtectGeneric(), IntWinVadRbTreeNodeCompare(), and IntWinVadShortDump().
| DWORD _VAD::ExecCount |
The number of execution violations triggered by pages inside this VAD.
Definition at line 147 of file winvad.h.
Referenced by IntWinVadHandlePageExecution(), and IntWinVadHandleProtectGeneric().
| DWORD _VAD::HugeVad |
Set if the memory range represented by this VAD has a size of at least 4G.
Definition at line 156 of file winvad.h.
Referenced by IntWinVadHandleProtectGeneric().
| DWORD _VAD::IsIgnored |
Set if this VAD is not monitored regardless of the protection rights it has.
Definition at line 158 of file winvad.h.
Referenced by IntWinVadHandleInsertGeneric(), IntWinVadHandlePageExecution(), and IntWinVadHandleProtectGeneric().
| DWORD _VAD::IsStack |
Set if the memory range represented by this VAD is a stack.
Definition at line 154 of file winvad.h.
Referenced by IntWinProcHandleCopyMemory(), and IntWinVadHandleProtectGeneric().
| QWORD _VAD::Left |
The left node at the moment the VAD was read from the guest.
This might change, so don't count on it, except after it was read and the guest was not applying changes to the tree. We need it when parsing the in-guest tree.
Definition at line 88 of file winvad.h.
Referenced by IntWinVadFindNodeInGuestSpace(), IntWinVadInOrderRecursiveTraversal(), and IntWinVadIsInTree().
| DWORD _VAD::NoChange |
Set if the NoChange bit inside the VadFlags field is set.
Definition at line 160 of file winvad.h.
Referenced by IntWinVadHandleProtectGeneric().
| QWORD _VAD::PageCount |
The number of 4K pages in the VAD.
Definition at line 110 of file winvad.h.
Referenced by IntModBlockHandleBlockModHeadersInMemory(), IntWinProcHandleCopyMemory(), IntWinVadHandleInsertGeneric(), IntWinVadHandleProtectGeneric(), and IntWinVadRbTreeNodeCompareVa().
| QWORD _VAD::Parent |
The parent node at the moment the VAD was read from the guest.
This might change, so don't count on it, except after it was read and the guest was not applying changes to the tree. We need it when parsing the in-guest tree.
Definition at line 98 of file winvad.h.
Referenced by IntWinVadIsInTree().
| WINUM_PATH* _VAD::Path |
The path of the image file mapped by this VAD.
Will be NULL if it is not used. Can be non-NULL only if the VAD Type is VadImageMap.
Definition at line 144 of file winvad.h.
Referenced by IntWinProcHandleCopyMemory(), IntWinVadCreateObject(), IntWinVadDestroyObject(), and IntWinVadHandleFilePathInMemory().
| void* _VAD::PathSwapHandle |
The IntSwapMemReadData handle used to swap the path of the image mapped by this VAD.
Note that not all VADs map a file. This is used only for VadImageMap VADs.
Definition at line 133 of file winvad.h.
Referenced by IntWinVadDestroyObject(), and IntWinVadHandleFilePathInMemory().
| DWORD _VAD::PrivateFixup |
| WIN_PROCESS_OBJECT* _VAD::Process |
The process to which this VAD belongs to.
Definition at line 127 of file winvad.h.
Referenced by IntWinVadCreateObject(), IntWinVadDestroyObject(), IntWinVadHandleFilePathInMemory(), IntWinVadHandlePageExecution(), and IntWinVadHandleProtectGeneric().
| DWORD _VAD::Protection |
VAD protection as represented by Introcore.
This represents the protection rights equivalent to VadProtection, valid for the original protection rights of the VAD. Changes done after the VAD was created are reflected in the corresponding VAD_PAGE. Valid values are a combination of PROT_READ, PROT_WRITE, and PROT_EXEC.
Definition at line 124 of file winvad.h.
Referenced by IntWinVadHandleInsertGeneric().
| RBNODE _VAD::RbNode |
The node inside the WIN_PROCESS_OBJECT.VadTree tree.
Definition at line 83 of file winvad.h.
Referenced by IntWinVadFindByRange(), IntWinVadHandleDeleteGeneric(), and IntWinVadHandleInsertGeneric().
| QWORD _VAD::Right |
The right node at the moment the VAD was read from the guest.
This might change, so don't count on it, except after it was read and the guest was not applying changes to the tree. We need it when parsing the in-guest tree.
Definition at line 93 of file winvad.h.
Referenced by IntWinVadFindNodeInGuestSpace(), IntWinVadInOrderRecursiveTraversal(), and IntWinVadIsInTree().
| QWORD _VAD::StartPage |
The first page in the VAD.
The [StartPage, EndPage] range is always inclusive.
Definition at line 102 of file winvad.h.
Referenced by IntWinProcHandleCopyMemory(), IntWinVadCreateObject(), IntWinVadFindAndUpdateIfNecessary(), IntWinVadFindByRange(), IntWinVadFindNodeInGuestSpace(), IntWinVadHandleDeleteGeneric(), IntWinVadHandleInsertGeneric(), IntWinVadHandleProtectGeneric(), IntWinVadRbTreeNodeCompare(), IntWinVadRbTreeNodeCompareBases(), IntWinVadRbTreeNodeCompareVa(), and IntWinVadShortDump().
| DWORD _VAD::StaticScan |
Set if the VAD was statically detected by a scan, after it was created.
Definition at line 152 of file winvad.h.
Referenced by IntWinVadCreateObject().
| QWORD _VAD::SubsectionGva |
The guest virtual address of the _SUBSECTION structure associated with a _MMVAD_LONG structure.
This is valid only for VADs that have the Type VadImageMap; will be 0 for other types. It is used by the WINUM_PATH cache.
Definition at line 139 of file winvad.h.
Referenced by IntWinVadHandleFilePathInMemory().
| QWORD _VAD::VadGva |
The guest virtual address at which the corresponding Windows _MMVAD structure is located.
Definition at line 108 of file winvad.h.
Referenced by IntModBlockHandlePreInjection(), IntWinModHandlePreInjection(), IntWinVadCreateObject(), IntWinVadFindNodeInGuestSpace(), IntWinVadHandleCommit(), IntWinVadHandleDeleteGeneric(), IntWinVadHandleInsertGeneric(), and IntWinVadHandleProtectGeneric().
| VAD_PAGE** _VAD::VadPages |
An array representing each page in the VAD. It has PageCount entries.
Definition at line 129 of file winvad.h.
Referenced by IntWinVadCreateObject(), and IntWinVadHandleProtectGeneric().
| DWORD _VAD::VadProtection |
The protection as represented inside the Windows kernel. This is obtained from the Protection portion of the VadFlags field inside the _MMVAD_SHORT Windows structure.
This represents the protection rights passed when the VAD was created. Protection changes done after that are reflected in the corresponding VAD_PAGE. Valid values are a combination of WIN_VAD_PROT values.
Definition at line 116 of file winvad.h.
Referenced by IntWinVadHandleInsertGeneric(), and IntWinVadShortDump().
| VAD_TYPE _VAD::VadType |
The type of the VAD.
Definition at line 118 of file winvad.h.
Referenced by IntWinDpiValidateThreadStart(), IntWinVadCreateObject(), IntWinVadDestroyObject(), IntWinVadHandleInsertGeneric(), IntWinVadHandleProtectGeneric(), and IntWinVadShortDump().
1.8.13