Bitdefender Hypervisor Memory Introspection
_WIN_LOGGER_CTX_STATE Struct Reference

Data Fields

QWORD WmiLoggerCtx

QWORD LoggerGvaInSilo
 Keeps the address of the pointer to WMI_LOGGER_CONTEXT (basically EtwDebuggerDataSilo + 0x10).

QWORD CurrentGetCpuClock
 Keeps the current, known WMI_LOGGER_CONTEXT.GetCpuClock which is verified on integrity.

QWORD EtwDbgDataGva
 The guest virtual address of EtwpDebuggerData.

BOOLEAN Initialized
 Set if the protection is initialized.

BOOLEAN FailedToInitialize
 Set if the protection failed to initialize, in order to avoid retrying indefinitely.

void * WmiLoggerIntegrityObject
 Integrity object for WMI_LOGGER_CONTEXT.GetCpuClock.

void * SiloIntegrityObject
 Integrity object for EtwDebuggerDataSilo.WmiCtxLoggerPtr.

void * WmiLoggerHookObject
 Hook object for SPP hooking of WMI_LOGGER_CONTEXT.GetCpuClock.

void * WmiLoggerHookObjectStats
 Hook object for SPP statistics on WMI_LOGGER_CONTEXT.GetCpuClock.

void * SiloHookObject
 Hook object for SPP hooking on EtwDebuggerDataSilo - needed for when WMI_LOGGER_CONTEXT is relocated.

void * SiloHookObjectStats
 Hook object for SPP statistics on EtwDebuggerDataSilo.

void * FirstSiloWriteHookObject
 Hook object for the first write of the GVA of EtwpDbgDataSilo inside EtwpDbgData.

QWORD SiloTotal
 SPP stats for EtwDebuggerDataSilo, containing the total number of writes.

QWORD SiloInteresting
 SPP stats for EtwDebuggerDataSilo, containing the number of writes that we are interested in.

QWORD WmiTotal
 SPP stats for WMI_LOGGER_CONTEXT, containing the total number of writes.

QWORD WmiInteresting
 SPP stats for WMI_LOGGER_CONTEXT, containing the number of writes that we are interested in.
 

Detailed Description

Object containing the current state of the protected WMI_LOGGER_CONTEXT structure.

Definition at line 49 of file wininfinityhook.c.

Field Documentation

◆ CurrentGetCpuClock

QWORD _WIN_LOGGER_CTX_STATE::CurrentGetCpuClock

Keeps the current, known WMI_LOGGER_CONTEXT.GetCpuClock which is verified on integrity.

Definition at line 55 of file wininfinityhook.c.

Referenced by IntWinInfCheckCtxLoggerOnRelocation(), IntWinInfHookGetCpuClockIntegrityCallback(), and IntWinInfHookProtect().

◆ EtwDbgDataGva

QWORD _WIN_LOGGER_CTX_STATE::EtwDbgDataGva

The guest virtual address of EtwpDebuggerData.

Definition at line 57 of file wininfinityhook.c.

Referenced by IntWinInfHookGetEtwpDebuggerData().

◆ FailedToInitialize

BOOLEAN _WIN_LOGGER_CTX_STATE::FailedToInitialize

Set if the protection failed to initialize, in order to avoid retrying indefinitely.

Definition at line 61 of file wininfinityhook.c.

Referenced by IntWinInfHookGetCircularCtxLogger(), IntWinInfHookHandleSiloFirstWrite(), IntWinInfHookProtect(), and IntWinInfHookUnprotect().

◆ FirstSiloWriteHookObject

void* _WIN_LOGGER_CTX_STATE::FirstSiloWriteHookObject

Hook object for the first write of the GVA of EtwpDbgDataSilo inside EtwpDbgData.

Needed in case it is not initialized yet.

Definition at line 76 of file wininfinityhook.c.

Referenced by IntWinInfHookGetCircularCtxLogger(), IntWinInfHookHandleSiloFirstWrite(), and IntWinInfHookUnprotect().

◆ Initialized

BOOLEAN _WIN_LOGGER_CTX_STATE::Initialized

Set if the protection is initialized.

Definition at line 59 of file wininfinityhook.c.

Referenced by IntWinInfHookProtect().

◆ LoggerGvaInSilo

QWORD _WIN_LOGGER_CTX_STATE::LoggerGvaInSilo

Keeps the address of the pointer to WMI_LOGGER_CONTEXT (basically EtwDebuggerDataSilo + 0x10).

Definition at line 53 of file wininfinityhook.c.

Referenced by IntWinInfHookGetCircularCtxLogger(), IntWinInfHookProtect(), IntWinInfHookSiloWmiPtrIntegrityCallback(), and IntWinInfHookSppHookWmiSiloPtr().

◆ SiloHookObject

void* _WIN_LOGGER_CTX_STATE::SiloHookObject

Hook object for SPP hooking on EtwDebuggerDataSilo - needed for when WMI_LOGGER_CONTEXT is relocated.

Definition at line 70 of file wininfinityhook.c.

Referenced by IntWinInfHookSppHookWmiSiloPtr(), and IntWinInfHookUnprotect().

◆ SiloHookObjectStats

void* _WIN_LOGGER_CTX_STATE::SiloHookObjectStats

Hook object for SPP statistics on EtwDebuggerDataSilo.

Definition at line 71 of file wininfinityhook.c.

Referenced by IntWinInfHookSppHookWmiSiloPtr(), and IntWinInfHookUnprotect().

◆ SiloIntegrityObject

void* _WIN_LOGGER_CTX_STATE::SiloIntegrityObject

Integrity object for EtwDebuggerDataSilo.WmiCtxLoggerPtr.

Definition at line 64 of file wininfinityhook.c.

Referenced by IntWinInfHookProtect(), and IntWinInfHookUnprotect().

◆ SiloInteresting

QWORD _WIN_LOGGER_CTX_STATE::SiloInteresting

SPP stats for EtwDebuggerDataSilo, containing the number of writes that we are interested in.

Definition at line 80 of file wininfinityhook.c.

Referenced by IntWinInfHookSppViolationCallbackWmiPtrChanged(), and IntWinInfHookSppWmiSiloStatsCallback().

◆ SiloTotal

QWORD _WIN_LOGGER_CTX_STATE::SiloTotal

SPP stats for EtwDebuggerDataSilo, containing the total number of writes.

Definition at line 78 of file wininfinityhook.c.

Referenced by IntWinInfHookSppViolationCallbackWmiPtrChanged(), and IntWinInfHookSppWmiSiloStatsCallback().

◆ WmiInteresting

QWORD _WIN_LOGGER_CTX_STATE::WmiInteresting

SPP stats for WMI_LOGGER_CONTEXT, containing the number of writes that we are interested in.

Definition at line 84 of file wininfinityhook.c.

Referenced by IntWinInfHookWmiGetCpuClockSppCallback(), and IntWinInfHookWmiGetCpuClockSppStatsCallback().

◆ WmiLoggerCtx

◆ WmiLoggerHookObject

void* _WIN_LOGGER_CTX_STATE::WmiLoggerHookObject

Hook object for SPP hooking of WMI_LOGGER_CONTEXT.GetCpuClock.

Definition at line 66 of file wininfinityhook.c.

Referenced by IntWinInfHookHookSppWmiGetClock(), IntWinInfHookSppViolationCallbackWmiPtrChanged(), and IntWinInfHookUnprotect().

◆ WmiLoggerHookObjectStats

void* _WIN_LOGGER_CTX_STATE::WmiLoggerHookObjectStats

Hook object for SPP statistics on WMI_LOGGER_CONTEXT.GetCpuClock.

Definition at line 67 of file wininfinityhook.c.

Referenced by IntWinInfHookHookSppWmiGetClock(), IntWinInfHookSppViolationCallbackWmiPtrChanged(), and IntWinInfHookUnprotect().

◆ WmiLoggerIntegrityObject

void* _WIN_LOGGER_CTX_STATE::WmiLoggerIntegrityObject

Integrity object for WMI_LOGGER_CONTEXT.GetCpuClock.

Definition at line 63 of file wininfinityhook.c.

Referenced by IntWinInfHookProtect(), IntWinInfHookSiloWmiPtrIntegrityCallback(), and IntWinInfHookUnprotect().

◆ WmiTotal

QWORD _WIN_LOGGER_CTX_STATE::WmiTotal

SPP stats for WMI_LOGGER_CONTEXT, containing the total number of writes.

Definition at line 82 of file wininfinityhook.c.

Referenced by IntWinInfHookWmiGetCpuClockSppCallback(), and IntWinInfHookWmiGetCpuClockSppStatsCallback().


The documentation for this struct was generated from the following file: