Bitdefender Hypervisor Memory Introspection
A representation of a memory page included in a VAD structure.
#include <winvad.h>
Data Fields
QWORD | Address | The base address of the page.
DWORD | VmProtection |
DWORD | Protection |
struct _VAD * | Vad | The VAD containing this page.
void * | ExecHook | Execution hook handle, if one exists.
QWORD | RangeStart |
QWORD | RangeEnd |
BOOLEAN | Legitimate | True if an execution from this page was attempted and it was deemed not to be malicious.
QWORD _VAD_PAGE::Address
The base address of the page.
Definition at line 44 of file winvad.h.
Referenced by IntWinVadHandlePageExecution(), and IntWinVadHandleProtectGeneric().
void* _VAD_PAGE::ExecHook
Execution hook handle, if one exists.
Definition at line 59 of file winvad.h.
Referenced by IntWinVadHandlePageExecution(), and IntWinVadHandleProtectGeneric().
BOOLEAN _VAD_PAGE::Legitimate
True if an execution from this page was attempted and it was deemed not to be malicious.
Definition at line 73 of file winvad.h.
Referenced by IntWinVadHandlePageExecution(), and IntWinVadHandleProtectGeneric().
DWORD _VAD_PAGE::Protection
The protection flags as used by Introcore.
This is obtained by converting VmProtection to a combination of PROT_READ, PROT_WRITE, and PROT_EXEC.
Definition at line 54 of file winvad.h.
Referenced by IntWinVadHandleProtectGeneric().
QWORD _VAD_PAGE::RangeEnd
The last page in the memory range to which this page belongs. This is always inside the limits of the VAD.
Initially, the range is the entire VAD, but operations that change individual page permissions (for example, the VirtualProtect guest API) will create sub-ranges inside the VAD.
Definition at line 70 of file winvad.h.
Referenced by IntWinVadHandlePageExecution(), and IntWinVadHandleProtectGeneric().
QWORD _VAD_PAGE::RangeStart
The first page in the memory range to which this page belongs. This is always inside the limits of the VAD.
Initially, the range is the entire VAD, but operations that change individual page permissions (for example, the VirtualProtect guest API) will create sub-ranges inside the VAD.
Definition at line 65 of file winvad.h.
Referenced by IntWinVadAdjustRange(), IntWinVadHandlePageExecution(), and IntWinVadHandleProtectGeneric().
struct _VAD* _VAD_PAGE::Vad
The VAD containing this page.
Definition at line 57 of file winvad.h.
Referenced by IntWinVadHandlePageExecution(), and IntWinVadHandleProtectGeneric().
DWORD _VAD_PAGE::VmProtection
The protection flags used by Windows for this page.
These are the protection flags used by the entire VAD and set when the VAD was created. See https://docs.microsoft.com/en-us/windows/win32/memory/memory-protection-constants for possible values.
Definition at line 50 of file winvad.h.
Referenced by IntWinVadHandleProtectGeneric().
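The relationship between VmProtection, Protection and the initial RangeStart/RangeEnd values described above, as an added example that is not Introcore's own code. The `ExVadPage` type, the `ex_*` functions and the `EX_PROT_*` bit values are hypothetical stand-ins; the Win32 constant values are those from the Microsoft page linked above, and ignoring modifier bits is a simplification of this example.

```c
#include <stdint.h>

/* Stand-ins for Introcore's PROT_READ / PROT_WRITE / PROT_EXEC.
   The bit values are assumed for this example. */
enum { EX_PROT_READ = 1, EX_PROT_WRITE = 2, EX_PROT_EXEC = 4 };

#define EX_PAGE_SIZE 0x1000ull

/* Hypothetical mirror of the documented data fields (Vad, ExecHook and
   Legitimate are omitted). */
typedef struct {
    uint64_t Address;
    uint32_t VmProtection;
    uint32_t Protection;
    uint64_t RangeStart;
    uint64_t RangeEnd;
} ExVadPage;

/* Map a Win32 memory-protection constant to EX_PROT_* bits. Only the low
   byte selects the access type; modifier bits such as PAGE_GUARD (0x100)
   are ignored here, which is a simplification made by this example. */
uint32_t ex_vm_to_prot(uint32_t vm)
{
    switch (vm & 0xFFu) {
    case 0x02: return EX_PROT_READ;                                /* PAGE_READONLY */
    case 0x04:                                                     /* PAGE_READWRITE */
    case 0x08: return EX_PROT_READ | EX_PROT_WRITE;                /* PAGE_WRITECOPY */
    case 0x10: return EX_PROT_EXEC;                                /* PAGE_EXECUTE */
    case 0x20: return EX_PROT_READ | EX_PROT_EXEC;                 /* PAGE_EXECUTE_READ */
    case 0x40:                                                     /* PAGE_EXECUTE_READWRITE */
    case 0x80: return EX_PROT_READ | EX_PROT_WRITE | EX_PROT_EXEC; /* PAGE_EXECUTE_WRITECOPY */
    default:   return 0;                                           /* PAGE_NOACCESS or unknown */
    }
}

/* Build the record for the page containing addr inside a VAD spanning
   [vad_start, vad_end] (inclusive addresses). The page inherits the VAD's
   protection, and its range initially covers the whole VAD. */
ExVadPage ex_page_init(uint64_t vad_start, uint64_t vad_end, uint32_t vad_vm, uint64_t addr)
{
    ExVadPage p;
    p.Address = addr & ~(EX_PAGE_SIZE - 1);
    p.VmProtection = vad_vm;
    p.Protection = ex_vm_to_prot(vad_vm);
    p.RangeStart = vad_start & ~(EX_PAGE_SIZE - 1);
    p.RangeEnd = vad_end & ~(EX_PAGE_SIZE - 1);
    return p;
}
```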