- Generated by
1.8.13
|
Bitdefender Hypervisor Memory Introspection
|
Contains information about various Windows user mode and kernel mode structures.Everything about a structure of interest should be placed here (size, field offsets, etc). The Km structure contains information about kernel objects, while the Um field contains information about user mode objects. Each structure has a specific tag (WIN_KM_STRUCTURE for Km, WIN_UM_STRUCTURE for Um) which is used to identify it. Each entry inside an array contains specific information. The specific WIN_UM_FIELD and WIN_KM_FIELD structures describe the information found at each index in these arrays. For example, the WIN_KM_FIELD_PROCESS enum describes the information found in the Km.Process array. If the offset at which the name of a process is found inside the kernel _EPROCESS structure is needed, it can be obtained by looking at Km.Process[winKmFieldProcessName]. In order to simplify this, the WIN_KM_FIELD macro can be used: WIN_OPAQUE_FIELDS(Process, Name). A similar approach is available for user mode fields with the WIN_UM_FIELD macro. These fields are set when a CAMI file is loaded at initialization time, in the IntCamiLoadOpaqueFields function. If the loaded CAMI file contains a structure that is not known by introcore, or contains more field than the current introcore version uses, the extra information is discarded. This is why new fields should be added right before the End tags, in order to preserve the current order and allow older introcore versions to load newer CAMI files. More...
#include <winguest.h>
Data Fields | |
| struct { | |
| DWORD Process [winKmFieldProcessEnd] | |
| Information about the _EPROCESS structure. Indexed with values from WIN_KM_FIELD_PROCESS. More... | |
| DWORD Thread [winKmFieldThreadEnd] | |
| Information about the _ETHREAD structure. Indexed with values from WIN_KM_FIELD_THREAD. More... | |
| DWORD DrvObj [winKmFieldDrvObjEnd] | |
| Information about the _DRIVER_OBJECT structure. Indexed with values from WIN_KM_FIELD_DRVOBJ. More... | |
| DWORD Pcr [winKmFieldPcrEnd] | |
| Information about the _KPCR structure. Indexed with values from WIN_KM_FIELD_PCR. More... | |
| DWORD PoolDescriptor [winKmFieldPoolDescriptorEnd] | |
| Information about the _POOL_DESCRIPTOR structure. Indexed with values from WIN_KM_FIELD_POOLDESCRIPTOR. More... | |
| DWORD Mmpfn [winKmFieldMmpfnEnd] | |
| Information about the _MMPFN structure. Indexed with values from WIN_KM_FIELD_MMPFN. More... | |
| DWORD Token [winKmFieldTokenEnd] | |
| Information about the _TOKEN structure. Indexed with values from WIN_KM_FIELD_TOKEN. More... | |
| DWORD Ungrouped [winKmFieldUngroupedEnd] | |
| Information about the various structures and kernel data. Indexed with values from WIN_KM_FIELD_UNGROUPED. More... | |
| DWORD EprocessFlags [winKmFieldEprocessFlagsEnd] | |
| Information about the _EPROCESS flags. Indexed with values from WIN_KM_FIELD_EPROCESSFLAGS. More... | |
| DWORD VadShort [winKmFieldVadShortEnd] | |
| Information about the _MMVAD_SHORT structure. Indexed with values from WIN_KM_FIELD_VAD_SHORT. More... | |
| DWORD VadLong [winKmFieldVadLongEnd] | |
| Information about the _MMVAD_LONG structure. Indexed with values from WIN_KM_FIELD_VAD_LONG. More... | |
| DWORD VadFlags [winKmFieldVadFlagsEnd] | |
| Information about the _MMVAD_SHORT flags. Indexed with values from WIN_KM_FIELD_VADFLAGS. More... | |
| DWORD SyscallNumbers [winKmFieldSyscallNumbersEnd] | |
| Syscall numbers needed by agents. Indexed with values from WIN_KM_FIELD_SYSCALL_NUMBERS. More... | |
| DWORD FileObject [winKmFieldFileObjectEnd] | |
| Information about the _FILE_OBJECT structure. Indexed with values from WIN_KM_FIELD_FILE_OBJECT. More... | |
| } | Km |
| Kernel mode information. More... | |
| struct { | |
| DWORD Dll [winUmFieldDllEnd] | |
| Information about the _LDR_DATA_TABLE_ENTRY structure. Indexed with values from WIN_UM_FIELD_DLL. More... | |
| DWORD Peb [winUmFieldPebEnd] | |
| Information about the _PEB structure. Indexed with values from WIN_UM_FIELD_PEB. More... | |
| DWORD Teb [winUmFieldTebEnd] | |
| Information about the _TEB structure. Indexed with values from WIN_UM_FIELD_TEB. More... | |
| } | Um |
| User mode information. More... | |
Contains information about various Windows user mode and kernel mode structures.
Everything about a structure of interest should be placed here (size, field offsets, etc). The Km structure contains information about kernel objects, while the Um field contains information about user mode objects. Each structure has a specific tag (WIN_KM_STRUCTURE for Km, WIN_UM_STRUCTURE for Um) which is used to identify it. Each entry inside an array contains specific information. The specific WIN_UM_FIELD and WIN_KM_FIELD structures describe the information found at each index in these arrays. For example, the WIN_KM_FIELD_PROCESS enum describes the information found in the Km.Process array. If the offset at which the name of a process is found inside the kernel _EPROCESS structure is needed, it can be obtained by looking at Km.Process[winKmFieldProcessName]. In order to simplify this, the WIN_KM_FIELD macro can be used: WIN_OPAQUE_FIELDS(Process, Name). A similar approach is available for user mode fields with the WIN_UM_FIELD macro. These fields are set when a CAMI file is loaded at initialization time, in the IntCamiLoadOpaqueFields function. If the loaded CAMI file contains a structure that is not known by introcore, or contains more field than the current introcore version uses, the extra information is discarded. This is why new fields should be added right before the End tags, in order to preserve the current order and allow older introcore versions to load newer CAMI files.
Definition at line 675 of file winguest.h.
| DWORD _WIN_OPAQUE_FIELDS::Dll[winUmFieldDllEnd] |
Information about the _LDR_DATA_TABLE_ENTRY structure. Indexed with values from WIN_UM_FIELD_DLL.
Definition at line 714 of file winguest.h.
| DWORD _WIN_OPAQUE_FIELDS::DrvObj[winKmFieldDrvObjEnd] |
Information about the _DRIVER_OBJECT structure. Indexed with values from WIN_KM_FIELD_DRVOBJ.
Definition at line 685 of file winguest.h.
| DWORD _WIN_OPAQUE_FIELDS::EprocessFlags[winKmFieldEprocessFlagsEnd] |
Information about the _EPROCESS flags. Indexed with values from WIN_KM_FIELD_EPROCESSFLAGS.
Definition at line 697 of file winguest.h.
| DWORD _WIN_OPAQUE_FIELDS::FileObject[winKmFieldFileObjectEnd] |
Information about the _FILE_OBJECT structure. Indexed with values from WIN_KM_FIELD_FILE_OBJECT.
Definition at line 707 of file winguest.h.
| struct { ... } _WIN_OPAQUE_FIELDS::Km |
Kernel mode information.
Referenced by IntWinAgentHandleDriverVmcall(), and IntWinProcMapEprocess().
| DWORD _WIN_OPAQUE_FIELDS::Mmpfn[winKmFieldMmpfnEnd] |
Information about the _MMPFN structure. Indexed with values from WIN_KM_FIELD_MMPFN.
Definition at line 691 of file winguest.h.
| DWORD _WIN_OPAQUE_FIELDS::Pcr[winKmFieldPcrEnd] |
Information about the _KPCR structure. Indexed with values from WIN_KM_FIELD_PCR.
Definition at line 687 of file winguest.h.
| DWORD _WIN_OPAQUE_FIELDS::Peb[winUmFieldPebEnd] |
Information about the _PEB structure. Indexed with values from WIN_UM_FIELD_PEB.
Definition at line 716 of file winguest.h.
| DWORD _WIN_OPAQUE_FIELDS::PoolDescriptor[winKmFieldPoolDescriptorEnd] |
Information about the _POOL_DESCRIPTOR structure. Indexed with values from WIN_KM_FIELD_POOLDESCRIPTOR.
Definition at line 689 of file winguest.h.
| DWORD _WIN_OPAQUE_FIELDS::Process[winKmFieldProcessEnd] |
Information about the _EPROCESS structure. Indexed with values from WIN_KM_FIELD_PROCESS.
Definition at line 681 of file winguest.h.
Referenced by IntWinProcMapEprocess().
| DWORD _WIN_OPAQUE_FIELDS::SyscallNumbers[winKmFieldSyscallNumbersEnd] |
Syscall numbers needed by agents. Indexed with values from WIN_KM_FIELD_SYSCALL_NUMBERS.
Definition at line 705 of file winguest.h.
Referenced by IntWinAgentHandleDriverVmcall().
| DWORD _WIN_OPAQUE_FIELDS::Teb[winUmFieldTebEnd] |
Information about the _TEB structure. Indexed with values from WIN_UM_FIELD_TEB.
Definition at line 718 of file winguest.h.
| DWORD _WIN_OPAQUE_FIELDS::Thread[winKmFieldThreadEnd] |
Information about the _ETHREAD structure. Indexed with values from WIN_KM_FIELD_THREAD.
Definition at line 683 of file winguest.h.
| DWORD _WIN_OPAQUE_FIELDS::Token[winKmFieldTokenEnd] |
Information about the _TOKEN structure. Indexed with values from WIN_KM_FIELD_TOKEN.
Definition at line 693 of file winguest.h.
| struct { ... } _WIN_OPAQUE_FIELDS::Um |
User mode information.
| DWORD _WIN_OPAQUE_FIELDS::Ungrouped[winKmFieldUngroupedEnd] |
Information about the various structures and kernel data. Indexed with values from WIN_KM_FIELD_UNGROUPED.
Definition at line 695 of file winguest.h.
| DWORD _WIN_OPAQUE_FIELDS::VadFlags[winKmFieldVadFlagsEnd] |
Information about the _MMVAD_SHORT flags. Indexed with values from WIN_KM_FIELD_VADFLAGS.
Definition at line 703 of file winguest.h.
| DWORD _WIN_OPAQUE_FIELDS::VadLong[winKmFieldVadLongEnd] |
Information about the _MMVAD_LONG structure. Indexed with values from WIN_KM_FIELD_VAD_LONG.
Definition at line 701 of file winguest.h.
| DWORD _WIN_OPAQUE_FIELDS::VadShort[winKmFieldVadShortEnd] |
Information about the _MMVAD_SHORT structure. Indexed with values from WIN_KM_FIELD_VAD_SHORT.
Definition at line 699 of file winguest.h.
1.8.13