- Generated by
1.8.13
|
Bitdefender Hypervisor Memory Introspection
|
Holds information about a driver object. More...
#include <windrvobj.h>
Data Fields | |
| LIST_ENTRY | Link |
| Entry inside the gWinDriverObjects list. More... | |
| QWORD | DriverObjectGva |
| The guest virtual address of the guest _DRIVER_OBJECT represented by this structure. More... | |
| QWORD | DriverObjectGpa |
| The guest physical address of the guest _DRIVER_OBJECT represented by this structure. More... | |
| QWORD | FastIOTableAddress |
| The guest virtual address of the _FAST_IO_DISPATCH structure used by this driver object. May be 0. More... | |
| PWCHAR | Name |
| NULL-terminated wide-char string containing the name of the driver, as taken from the guest driver object. More... | |
| DWORD | NameLen |
| The length, in characters, of Name, not including the NULL-terminator. More... | |
| DWORD | NameHash |
| Hash of the Name. More... | |
| QWORD | Owner |
| Guest virtual address of the kernel module that owns this driver object. More... | |
| void * | DrvobjHookObject |
| The EPT hook object used for the _DRIVER_OBJECT structure. More... | |
| void * | DrvobjIntegrityObject |
| The integrity object used for the _DRIVER_OBJECT structure. More... | |
| void * | FiodispIntegrityObject |
| The integrity object used for the _FAST_IO_DISPATCH structure. More... | |
| BOOLEAN | DrvobjProtected |
| True if the driver object structure is protected. More... | |
| BOOLEAN | FiodispProtected |
| True if the fast IO dispatch structure is protected. More... | |
| BOOLEAN | Aligned |
| True if the driver object allocation is page aligned. More... | |
Holds information about a driver object.
Definition at line 13 of file windrvobj.h.
| BOOLEAN _WIN_DRIVER_OBJECT::Aligned |
True if the driver object allocation is page aligned.
This can happen if prior to the driver object creation we intercept the memory allocation for it. In that case, IntWinPoolHandleAlloc will change the allocation size to ensure that the driver object is allocated in an entire page. The same is true for fast IO dispatch allocations. This allows us to protect the driver object and its fast IO dispatch structure using an EPT hook; otherwise, that may not be doable, as we don't know what other structures are in that page and we can end up with a lot of VMEXITs that do not interest us, which will have a negative performance impact.
Definition at line 66 of file windrvobj.h.
Referenced by IntWinDrvObjCreateFromAddress().
| QWORD _WIN_DRIVER_OBJECT::DriverObjectGpa |
The guest physical address of the guest _DRIVER_OBJECT represented by this structure.
A driver object may be referenced by multiple GVAs, so we also keep the GPA to which DriverObjectGva translates to. Note that we do not update this when the translation for DriverObjectGva changes, but when an EPT violation is triggered for it (the hooked GPA is automatically updated by the EPT hooking mechanism).
Definition at line 25 of file windrvobj.h.
Referenced by IntExceptKernelMatchVictim(), IntWinDrvObjCreateFromAddress(), IntWinDrvObjHandleWrite(), and IntWinDrvObjRemoveFromAddress().
| QWORD _WIN_DRIVER_OBJECT::DriverObjectGva |
The guest virtual address of the guest _DRIVER_OBJECT represented by this structure.
Definition at line 18 of file windrvobj.h.
Referenced by IntExceptGetVictimIntegrity(), IntWinDrvObjCreateFromAddress(), IntWinDrvObjFindByDrvObj(), IntWinDrvObjHandleWrite(), and IntWinDrvObjRemoveFromAddress().
| void* _WIN_DRIVER_OBJECT::DrvobjHookObject |
The EPT hook object used for the _DRIVER_OBJECT structure.
Only valid when Aligned is True.
Definition at line 43 of file windrvobj.h.
| void* _WIN_DRIVER_OBJECT::DrvobjIntegrityObject |
The integrity object used for the _DRIVER_OBJECT structure.
Only valid when Aligned is False.
Definition at line 47 of file windrvobj.h.
| BOOLEAN _WIN_DRIVER_OBJECT::DrvobjProtected |
True if the driver object structure is protected.
Definition at line 55 of file windrvobj.h.
Referenced by IntWinDrvObjUpdateProtection().
| QWORD _WIN_DRIVER_OBJECT::FastIOTableAddress |
The guest virtual address of the _FAST_IO_DISPATCH structure used by this driver object. May be 0.
Definition at line 27 of file windrvobj.h.
Referenced by IntWinDrvObjCreateFromAddress(), IntWinDrvObjHandleModification(), IntWinDrvObjHandleWrite(), and IntWinDrvObjRemoveFromAddress().
| void* _WIN_DRIVER_OBJECT::FiodispIntegrityObject |
The integrity object used for the _FAST_IO_DISPATCH structure.
The fast IO dispatch is always protected with the integrity mechanism as it can be in memory zones that are written a lot.
Definition at line 52 of file windrvobj.h.
| BOOLEAN _WIN_DRIVER_OBJECT::FiodispProtected |
True if the fast IO dispatch structure is protected.
Definition at line 57 of file windrvobj.h.
| LIST_ENTRY _WIN_DRIVER_OBJECT::Link |
Entry inside the gWinDriverObjects list.
Definition at line 16 of file windrvobj.h.
Referenced by IntWinDrvObjCreateFromAddress(), IntWinDrvObjRemoveFromAddress(), IntWinDrvObjUninit(), and IntWinDrvRemoveEntry().
| PWCHAR _WIN_DRIVER_OBJECT::Name |
NULL-terminated wide-char string containing the name of the driver, as taken from the guest driver object.
Definition at line 30 of file windrvobj.h.
Referenced by IntAlertEptFillFromVictimZone(), IntWinDrvObjCreateFromAddress(), IntWinDrvObjHandleWrite(), and IntWinDrvObjUpdateProtection().
| DWORD _WIN_DRIVER_OBJECT::NameHash |
Hash of the Name.
Definition at line 34 of file windrvobj.h.
Referenced by IntExceptGetVictimIntegrity(), and IntWinDrvObjCreateFromAddress().
| DWORD _WIN_DRIVER_OBJECT::NameLen |
The length, in characters, of Name, not including the NULL-terminator.
Definition at line 32 of file windrvobj.h.
Referenced by IntWinDrvObjCreateFromAddress().
| QWORD _WIN_DRIVER_OBJECT::Owner |
Guest virtual address of the kernel module that owns this driver object.
This is the module in which the DriverStart routine from the driver object is located.
Definition at line 38 of file windrvobj.h.
Referenced by IntWinDrvObjCreateFromAddress(), IntWinDrvObjFindByOwnerAddress(), and IntWinDrvObjHandleWrite().
1.8.13