Bitdefender Hypervisor Memory Introspection
_WIN_PROCESS_MODULE Struct Reference

#include <winummodule.h>

Data Fields

LIST_ENTRY Link
    List entry element.
QWORD VirtualBase
    Guest virtual address of the loaded module.
DWORD Size
    Virtual size of the module.
union {
    DWORD Flags
        Raw flags.
    struct {
        DWORD ShouldProtHooks: 1
            TRUE if the module should be protected against hooks.
        DWORD ShouldProtUnpack: 1
            TRUE if the module should be protected against unpack.
        DWORD UnpackAlertSent: 1
            TRUE if unpack alerts have been sent.
        DWORD Is64BitModule: 1
            TRUE if the module is 64 bit.
        DWORD IsProtected: 1
            TRUE if the module is actually hooked.
        DWORD IsMainModule: 1
            TRUE if this is the main module.
        DWORD IsSystemModule: 1
            TRUE if this is a system module (loaded from system32 or syswow64).
        DWORD LoadEventSent: 1
            TRUE if the load event has been sent.
        DWORD UnloadEventSent: 1
            TRUE if the unload event has been sent.
        DWORD IsSuspicious: 1
            TRUE if the module is suspicious.
        DWORD SuspChecked: 1
            TRUE if the module has been checked against DoubleAgent.
        DWORD StaticScan: 1
            TRUE if the module was found by statically enumerating process modules.
        DWORD ShouldGetCache: 1
            TRUE if the module headers should be cached.
        DWORD DoubleAgentAlertSent: 1
            TRUE if a DoubleAgent alert has been sent on this module.
    }
};
PWIN_PROCESS_SUBSYSTEM Subsystem
    Module subsystem.
WINUM_PATH * Path
    Module path.
WINUM_MODULE_CACHE * Cache
    Module headers cache.
DWORD IATEntries
    Number of IAT entries.
PBYTE IATBitmap
    A bitmap indicating which IAT entries have been initialized.
void * HookObject
    Module hook object.
void * HeadersSwapHandle
    Swap handle for the headers.
void * ExportsSwapHandle
    Swap handle for the exports.
void * ModBlockObject
    Module load block handle.
QWORD SlackSpaceForVerifier
    The address in the slack space between sections where the verifier structure needed in the DoubleAgent case is placed.
QWORD AddressOfVerifierData
    The address received by DllMain where the pointer to the verifier structure should be put.
BOOLEAN FirstDoubleAgentExecDone
    Set once the first execution (the init phase) has been observed in the DoubleAgent case.
void * SlackSpaceSwapHandle
    Swap handle for the slack space page where the verifier structures are placed.
void * MainModHeadersSwapHandle
    Needed for verifying whether the process main module belongs to the Native subsystem (i.e. it does not load kernel32.dll).
const VAD * Vad
    The VAD which describes this module.
Describes a process module.
Definition at line 30 of file winummodule.h.
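The fields above are easiest to read next to code that walks them. The following is an added example written for this page, not HVMI's own code: a cut-down module record with the Link, VirtualBase, Size, Path and flag fields, the list walk that attributes a guest virtual address to a module (the job for which IntWinUmModFindByAddress is referenced further down), and a hypothetical policy that sets IsSystemModule from the system32/syswow64 rule stated for that flag and derives ShouldProtHooks and ShouldProtUnpack from it. The LIST_ENTRY helper, the CONTAINING_RECORD macro, the path test, the policy and the three sample modules are all assumptions.

```c
/* Added example, not HVMI code: a minimal model of the per-process module list
 * this page describes, with the lookup needed to attribute a guest address to a
 * module and a hypothetical policy deriving the ShouldProt* flags. The list
 * helper, the policy and the sample modules are assumptions. */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>

typedef uint64_t QWORD; typedef uint32_t DWORD;

typedef struct _LIST_ENTRY {           /* Windows-style doubly linked list */
    struct _LIST_ENTRY *Flink, *Blink;
} LIST_ENTRY;

#define CONTAINING_RECORD(p, type, field) ((type *)((char *)(p) - offsetof(type, field)))

typedef struct _MODULE {               /* subset of _WIN_PROCESS_MODULE */
    LIST_ENTRY  Link;
    QWORD       VirtualBase;           /* guest virtual address of the image */
    DWORD       Size;                  /* virtual size of the image */
    const char *Path;                  /* stands in for WINUM_PATH * (assumed NT path) */
    union {
        DWORD Flags;
        struct {
            DWORD ShouldProtHooks  : 1;
            DWORD ShouldProtUnpack : 1;
            DWORD Is64BitModule    : 1;
            DWORD IsMainModule     : 1;
            DWORD IsSystemModule   : 1;
        };
    };
} MODULE;

static void list_insert_tail(LIST_ENTRY *h, LIST_ENTRY *e)
{
    e->Flink = h; e->Blink = h->Blink; h->Blink->Flink = e; h->Blink = e;
}

/* ASCII case-insensitive prefix match that stops safely at the end of s. */
static int prefix_nocase(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* "System module" as the page defines it: loaded from system32 or syswow64. */
int is_system_path(const char *path)
{
    return prefix_nocase(path, "\\windows\\system32\\") ||
           prefix_nocase(path, "\\windows\\syswow64\\");
}

/* Hypothetical policy (assumption, not HVMI's): the main module gets hook and
 * unpack protection, system modules hook protection only, anything else none. */
void apply_protection_policy(MODULE *m)
{
    m->IsSystemModule   = is_system_path(m->Path);
    m->ShouldProtHooks  = m->IsMainModule || m->IsSystemModule;
    m->ShouldProtUnpack = m->IsMainModule;
}

/* Module containing guest virtual address gva, or NULL. Subtracting first means
 * VirtualBase + Size is never computed (it could wrap near the top of the
 * address space); a gva below the base wraps to a huge value and fails the test. */
MODULE *find_module_by_address(LIST_ENTRY *head, QWORD gva)
{
    for (LIST_ENTRY *e = head->Flink; e != head; e = e->Flink) {
        MODULE *m = CONTAINING_RECORD(e, MODULE, Link);
        if (gva - m->VirtualBase < m->Size)
            return m;
    }
    return NULL;
}

/* Constructed sample process (not captured data): the main image, one system
 * DLL, and one DLL loaded from a user-writable directory. Built once. */
LIST_ENTRY *sample_process_modules(void)
{
    static MODULE     mods[3];
    static LIST_ENTRY head = { &head, &head };
    static int        built;
    static const struct { QWORD base; DWORD size; const char *path; int main; } init[3] = {
        { 0x7ff6a0000000ULL, 0x32000,  "\\Program Files\\App\\app.exe",  1 },
        { 0x7ffb10000000ULL, 0x1f4000, "\\Windows\\System32\\ntdll.dll", 0 },
        { 0x7ffa80000000ULL, 0x8000,   "\\Users\\Public\\hook.dll",      0 },
    };
    if (!built) {
        for (int i = 0; i < 3; i++) {
            MODULE *m = &mods[i];
            m->VirtualBase = init[i].base; m->Size = init[i].size; m->Path = init[i].path;
            m->IsMainModule = init[i].main; m->Is64BitModule = 1;
            apply_protection_policy(m);
            list_insert_tail(&head, &m->Link);
        }
        built = 1;
    }
    return &head;
}
```

The lookup is written so that an address exactly one past the end of a module, or below its base, never matches; that boundary is where an off-by-one in a range check would misattribute a write to a neighbouring, possibly protected, module.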
QWORD _WIN_PROCESS_MODULE::AddressOfVerifierData
The address received by DllMain where the pointer to the verifier structure should be put.
Definition at line 77 of file winummodule.h.
Referenced by IntWinDagentHandleSlackWritable(), and IntWinDagentHandleSuspModExecution().

WINUM_MODULE_CACHE* _WIN_PROCESS_MODULE::Cache
Module headers cache.
Definition at line 63 of file winummodule.h.
Referenced by IntExceptGetVictimEpt(), IntExceptVerifyExportSig(), IntWinModCacheFixNamePointers(), IntWinModHandleExportsInMemory(), IntWinModHandleUserWrite(), IntWinModWriteValidHandler(), IntWinStackTraceGetUser32(), and IntWinStackTraceGetUser64().

DWORD _WIN_PROCESS_MODULE::DoubleAgentAlertSent
TRUE if a DoubleAgent alert has been sent on this module.
Definition at line 56 of file winummodule.h.

void* _WIN_PROCESS_MODULE::ExportsSwapHandle
Swap handle for the exports.
Definition at line 70 of file winummodule.h.
Referenced by IntWinModHandleExportsInMemory().

BOOLEAN _WIN_PROCESS_MODULE::FirstDoubleAgentExecDone
Set once the first execution (the init phase) has been observed in the DoubleAgent case.
Definition at line 80 of file winummodule.h.
Referenced by IntWinDagentHandleSuspModExecution().

DWORD _WIN_PROCESS_MODULE::Flags
Raw flags.
Definition at line 39 of file winummodule.h.

void* _WIN_PROCESS_MODULE::HeadersSwapHandle
Swap handle for the headers.
Definition at line 69 of file winummodule.h.
Referenced by IntWinModHandleMainModuleInMemory(), and IntWinModHandleModuleHeadersInMemory().

void* _WIN_PROCESS_MODULE::HookObject
Module hook object.
Definition at line 68 of file winummodule.h.
Referenced by IntExceptVerifyCodeBlocksSig().

PBYTE _WIN_PROCESS_MODULE::IATBitmap
A bitmap indicating which IAT entries have been initialized.
Definition at line 66 of file winummodule.h.
Referenced by IntWinModHandleUserWrite().

DWORD _WIN_PROCESS_MODULE::IATEntries
Number of IAT entries.
Definition at line 65 of file winummodule.h.
Referenced by IntWinModHandleUserWrite().
DWORD _WIN_PROCESS_MODULE::Is64BitModule
TRUE if the module is 64 bit.
Definition at line 45 of file winummodule.h.
Referenced by IntWinModHandleLoadFromVad(), and IntWinModHandleUserWrite().

DWORD _WIN_PROCESS_MODULE::IsMainModule
TRUE if this is the main module.
Definition at line 47 of file winummodule.h.
Referenced by IntWinModHandleLoadFromVad(), IntWinModulesChangeProtectionFlags(), IntWinProcDump(), and IntWinProcHandleReadFromLsass().

DWORD _WIN_PROCESS_MODULE::IsProtected
TRUE if the module is actually hooked.
Definition at line 46 of file winummodule.h.
Referenced by IntWinModulesChangeProtectionFlags(), and IntWinProcDump().

DWORD _WIN_PROCESS_MODULE::IsSuspicious
TRUE if the module is suspicious.
Definition at line 51 of file winummodule.h.
Referenced by IntWinDagentHandleSuspModExecution().

DWORD _WIN_PROCESS_MODULE::IsSystemModule
TRUE if this is a system module (loaded from system32 or syswow64).
Definition at line 48 of file winummodule.h.
Referenced by IntWinModulesChangeProtectionFlags().

LIST_ENTRY _WIN_PROCESS_MODULE::Link
List entry element.
Definition at line 32 of file winummodule.h.
Referenced by IntWinModHandleLoadFromVad(), IntWinModHandleUnload(), and IntWinProcRemoveSubsystem().

DWORD _WIN_PROCESS_MODULE::LoadEventSent
TRUE if the load event has been sent.
Definition at line 49 of file winummodule.h.

void* _WIN_PROCESS_MODULE::MainModHeadersSwapHandle
Needed for verifying whether the process main module belongs to the Native subsystem (i.e. it does not load kernel32.dll).
Definition at line 86 of file winummodule.h.
Referenced by IntWinDagentCheckNativeSubsystem().

void* _WIN_PROCESS_MODULE::ModBlockObject
Module load block handle.
Definition at line 72 of file winummodule.h.

WINUM_PATH* _WIN_PROCESS_MODULE::Path
Module path.
Definition at line 62 of file winummodule.h.
Referenced by IntExceptGetVictimEpt(), IntExceptUserGetOriginator(), IntExceptUserHandleMemoryFunctions(), IntExceptVerifyExportSig(), IntModBlockHandleBlockModHeadersInMemory(), IntModBlockHandlePreInjection(), IntWinDagentCheckNativeSubsystem(), IntWinDagentHandleSuspModExecution(), IntWinModBlockHandleExecution(), IntWinModCacheFixNamePointers(), IntWinModHandleExportsInMemory(), IntWinModHandleLoadFromVad(), IntWinModHandlePreInjection(), IntWinModHandleUnload(), IntWinModulesChangeProtectionFlags(), IntWinProcDump(), IntWinProcHandleCopyMemory(), and IntWinProcHandleReadFromLsass().

DWORD _WIN_PROCESS_MODULE::ShouldGetCache
TRUE if the module headers should be cached.
Definition at line 55 of file winummodule.h.

DWORD _WIN_PROCESS_MODULE::ShouldProtHooks
TRUE if the module should be protected against hooks.
Definition at line 42 of file winummodule.h.
Referenced by IntWinModHandleModuleHeadersInMemory(), IntWinModulesChangeProtectionFlags(), and IntWinProcDump().

DWORD _WIN_PROCESS_MODULE::ShouldProtUnpack
TRUE if the module should be protected against unpack.
Definition at line 43 of file winummodule.h.
Referenced by IntWinModHandleMainModuleInMemory(), IntWinModulesChangeProtectionFlags(), and IntWinProcDump().

DWORD _WIN_PROCESS_MODULE::Size
Virtual size of the module.
Definition at line 35 of file winummodule.h.
Referenced by IntWinModHandleLoadFromVad(), IntWinProcDump(), IntWinProcHandleReadFromLsass(), and IntWinUmModFindByAddress().

QWORD _WIN_PROCESS_MODULE::SlackSpaceForVerifier
The address in the slack space between sections where the verifier structure needed in the DoubleAgent case is placed.
Definition at line 75 of file winummodule.h.
Referenced by IntWinDagentHandleSlackWritable(), and IntWinDagentHandleSuspModExecution().

void* _WIN_PROCESS_MODULE::SlackSpaceSwapHandle
Swap handle for the slack space page where the verifier structures are placed.
Definition at line 82 of file winummodule.h.
Referenced by IntWinDagentHandleSlackWritable().

DWORD _WIN_PROCESS_MODULE::StaticScan
TRUE if the module was found by statically enumerating process modules.
Definition at line 54 of file winummodule.h.
Referenced by IntWinModHandleLoadFromVad().

PWIN_PROCESS_SUBSYSTEM _WIN_PROCESS_MODULE::Subsystem
Module subsystem.
Definition at line 60 of file winummodule.h.
Referenced by IntExceptGetVictimEpt(), IntWinDagentCheckNativeSubsystem(), IntWinDagentHandleSlackWritable(), IntWinDagentHandleSuspModExecution(), IntWinModBlockHandleExecution(), IntWinModHandleKernelWrite(), IntWinModHandleLoadFromVad(), IntWinModHandleMainModuleInMemory(), IntWinModHandleModuleHeadersInMemory(), IntWinModHandleUnload(), IntWinModHandleUserWrite(), and IntWinModPolyHandler().

DWORD _WIN_PROCESS_MODULE::SuspChecked
TRUE if the module has been checked against DoubleAgent.
Definition at line 52 of file winummodule.h.

DWORD _WIN_PROCESS_MODULE::UnloadEventSent
TRUE if the unload event has been sent.
Definition at line 50 of file winummodule.h.

DWORD _WIN_PROCESS_MODULE::UnpackAlertSent
TRUE if unpack alerts have been sent.
Definition at line 44 of file winummodule.h.
Referenced by IntWinModPolyHandler().

const VAD* _WIN_PROCESS_MODULE::Vad
The VAD which describes this module.
Definition at line 88 of file winummodule.h.
Referenced by IntModBlockHandleBlockModHeadersInMemory(), IntModBlockHandlePreInjection(), IntWinModHandleLoadFromVad(), and IntWinModHandlePreInjection().

QWORD _WIN_PROCESS_MODULE::VirtualBase
Guest virtual address of the loaded module.
Definition at line 34 of file winummodule.h.
Referenced by IntAlertEptFillFromVictimZone(), IntExceptGetVictimEpt(), IntExceptVerifyExportSig(), IntModBlockHandleBlockModHeadersInMemory(), IntWinModBlockHandleExecution(), IntWinModHandleLoadFromVad(), IntWinModHandleUnload(), IntWinModHandleUserWrite(), IntWinModulesChangeProtectionFlags(), IntWinModWriteValidHandler(), IntWinProcDump(), IntWinProcHandleCopyMemory(), IntWinProcHandleReadFromLsass(), IntWinStackTraceGetUser32(), IntWinStackTraceGetUser64(), IntWinThrHandleQueueApc(), IntWinThrHandleThreadHijack(), and IntWinUmModFindByAddress().