- Generated by
1.8.13
|
Bitdefender Hypervisor Memory Introspection
|
Holds information about a Windows guest. More...
#include <winguest.h>
Data Fields | |
| QWORD | PsCreateSystemThread |
| Guest virtual address of the PsCreateSystemThread kernel function. More... | |
| QWORD | ExAllocatePoolWithTag |
| Guest virtual address of the ExAllocatePoolWithTag kernel function. More... | |
| QWORD | ExFreePoolWithTag |
| Guest virtual address of the ExFreePoolWithTag kernel function. More... | |
| QWORD | SyscallAddress |
| Guest virtual address of the SYSCALL/SYSENTER handler. More... | |
| DWORD | NtBuildNumberValue |
| The value of the NtBuildNumber kernel variable. More... | |
| QWORD | KeServiceDescriptorTable |
| Guest virtual address of the KeServiceDescriptorTable variable. More... | |
| QWORD | Ssdt |
| Guest virtual address of the SSDT structure inside the kernel. More... | |
| DWORD | NumberOfServices |
| The number of entries in the SSDT. More... | |
| QWORD | HalpInterruptControllerGva |
| Guest virtual address of the HalpInterruptController (owned by hal.dll). More... | |
| QWORD | PropperSyscallGva |
| Guest virtual address of the KiSystemServiceUser function. More... | |
| PCHAR | NtBuildLabString |
| PCHAR | VersionString |
| A NULL terminated string containing Windows version information. More... | |
| PCHAR | ServerVersionString |
| A NULL terminated string containing Windows server version information. More... | |
| WIN_PRODUCT_TYPE | ProductType |
| The product type. Obtained directly from the guest during initialization. More... | |
| QWORD | PsActiveProcessHead |
| Guest virtual address of the PsActiveProcessHead kernel variable. More... | |
| QWORD | PsLoadedModuleList |
| Guest virtual address of the PsLoadedModuleList kernel variable. More... | |
| QWORD | MmPfnDatabase |
| Guest virtual address of the PFN data base. More... | |
| QWORD | ObpRootDirectoryObject |
| Guest virtual address of the ObpRootDirectoryObject. More... | |
| QWORD | DriverDirectory |
| Guest virtual address of the Driver namespace directory. More... | |
| QWORD | FileSystemDirectory |
| Guest virtual address of the FileSystem namespace directory. More... | |
| BYTE * | KernelBuffer |
| A buffer containing the entire kernel image. More... | |
| DWORD | KernelBufferSize |
| The size of the KernelBuffer. More... | |
| DWORD | RemainingSections |
| The number of kernel sections not yet read into KernelBuffer. More... | |
| LIST_HEAD | InitSwapHandles |
| A list of swap handles used to read KernelBuffer. More... | |
| WIN_OPAQUE_FIELDS | OsSpecificFields |
| OS-dependent and specific information (variables, offsets, etc). More... | |
Holds information about a Windows guest.
Definition at line 810 of file winguest.h.
| QWORD _WINDOWS_GUEST::DriverDirectory |
Guest virtual address of the Driver namespace directory.
Definition at line 839 of file winguest.h.
Referenced by IntWinObjCheckDrvDirSearchState(), and IntWinObjParseDriverDirectory().
| QWORD _WINDOWS_GUEST::ExAllocatePoolWithTag |
Guest virtual address of the ExAllocatePoolWithTag kernel function.
Definition at line 813 of file winguest.h.
Referenced by IntWinAgentInject(), and IntWinGuestResolveImports().
| QWORD _WINDOWS_GUEST::ExFreePoolWithTag |
Guest virtual address of the ExFreePoolWithTag kernel function.
Definition at line 814 of file winguest.h.
Referenced by IntWinAgentInject(), and IntWinGuestResolveImports().
| QWORD _WINDOWS_GUEST::FileSystemDirectory |
Guest virtual address of the FileSystem namespace directory.
Definition at line 840 of file winguest.h.
Referenced by IntWinObjCheckDrvDirSearchState(), and IntWinObjParseDriverDirectory().
| QWORD _WINDOWS_GUEST::HalpInterruptControllerGva |
Guest virtual address of the HalpInterruptController (owned by hal.dll).
Definition at line 820 of file winguest.h.
| LIST_HEAD _WINDOWS_GUEST::InitSwapHandles |
A list of swap handles used to read KernelBuffer.
Definition at line 855 of file winguest.h.
Referenced by IntWinGuestCancelKernelRead(), IntWinGuestNew(), and IntWinGuestReadKernel().
| BYTE* _WINDOWS_GUEST::KernelBuffer |
A buffer containing the entire kernel image.
It can be used instead of reading from the guest memory when values from non-writable parts of the kernel are needed. This boosts performance, as it can save us from quite a lot of GVA to GPA translations and GPA mappings inside the host. Because certain parts of the kernel may be swapped out, this buffer is filled using IntSwapMemRead, with IntWinGuestSectionInMemory as the swap in handler. This means that it is not necessarily read in a sequential manner. While RemainingSections is not 0, the buffer is not yet filled and no hooks are placed inside the guest. It is guaranteed that the buffer is fully read after IntWinGuestFinishInit is called.
Definition at line 851 of file winguest.h.
Referenced by IntAlertEptFillFromVictimZone(), IntDetSetHook(), IntExceptWinKernelGetOriginator(), IntPeFindKernelExport(), IntPtiMonitorAllPtWriteCandidates(), IntSlackAllocWindows(), IntSwapgsStartMitigation(), IntWinAgentFindSyscallLinkage(), IntWinApiFindFunctionRva(), IntWinGuestFindDriversNamespace(), IntWinGuestFindKernelObjectsInternal(), IntWinGuestReadKernel(), IntWinGuestSectionInMemory(), IntWinGuestUninit(), IntWinHalFindPerformanceCounterInternal(), IntWinInfHookGetEtwpDebuggerData(), and IntWinStackTraceGet64().
| DWORD _WINDOWS_GUEST::KernelBufferSize |
The size of the KernelBuffer.
Definition at line 852 of file winguest.h.
Referenced by IntAlertEptFillFromVictimZone(), IntDetSetHook(), IntExceptWinKernelGetOriginator(), IntPeFindKernelExport(), IntSlackAllocWindows(), IntWinAgentFindSyscallLinkage(), IntWinApiFindFunctionRva(), IntWinGuestFindDriversNamespace(), IntWinGuestFindKernelObjectsInternal(), IntWinGuestReadKernel(), IntWinHalFindPerformanceCounterInternal(), IntWinInfHookGetEtwpDebuggerData(), and IntWinStackTraceGet64().
| QWORD _WINDOWS_GUEST::KeServiceDescriptorTable |
Guest virtual address of the KeServiceDescriptorTable variable.
Definition at line 817 of file winguest.h.
Referenced by IntExceptGetVictimEpt(), IntWinDrvHeadersInMemory(), and IntWinGuestResolveImports().
| QWORD _WINDOWS_GUEST::MmPfnDatabase |
Guest virtual address of the PFN data base.
Definition at line 837 of file winguest.h.
Referenced by DbgDumpPfn(), IntWinGuestFindKernelObjectsInternal(), and IntWinPfnModifyRefCount().
| PCHAR _WINDOWS_GUEST::NtBuildLabString |
A NULL terminated string containing the NtBuildLab kernel variable.
Definition at line 823 of file winguest.h.
Referenced by IntWinGetVersionString(), IntWinGuestResolveImports(), and IntWinGuestUninit().
| DWORD _WINDOWS_GUEST::NtBuildNumberValue |
The value of the NtBuildNumber kernel variable.
Definition at line 816 of file winguest.h.
Referenced by IntGuestGetInfo(), IntWinGuestFinishInit(), and IntWinGuestResolveImports().
| DWORD _WINDOWS_GUEST::NumberOfServices |
The number of entries in the SSDT.
Definition at line 819 of file winguest.h.
Referenced by IntDetSetHook(), IntExceptGetVictimEpt(), IntMtblCheckAccess(), and IntWinGuestResolveImports().
| QWORD _WINDOWS_GUEST::ObpRootDirectoryObject |
Guest virtual address of the ObpRootDirectoryObject.
Definition at line 838 of file winguest.h.
Referenced by IntWinGuestFindDriversNamespace(), IntWinObjFindRootDirectory(), and IntWinObjHandleRootDirTagInMemory().
| WIN_OPAQUE_FIELDS _WINDOWS_GUEST::OsSpecificFields |
OS-dependent and specific information (variables, offsets, etc).
Definition at line 857 of file winguest.h.
Referenced by IntWinAgentHandleDriverVmcall(), and IntWinProcMapEprocess().
| WIN_PRODUCT_TYPE _WINDOWS_GUEST::ProductType |
The product type. Obtained directly from the guest during initialization.
Definition at line 833 of file winguest.h.
Referenced by IntWinGetVersionString(), and IntWinGuestFinishInit().
| QWORD _WINDOWS_GUEST::PropperSyscallGva |
Guest virtual address of the KiSystemServiceUser function.
Definition at line 821 of file winguest.h.
Referenced by IntWinAgentFindPropperSyscall().
| QWORD _WINDOWS_GUEST::PsActiveProcessHead |
Guest virtual address of the PsActiveProcessHead kernel variable.
Definition at line 835 of file winguest.h.
Referenced by IntWinGuestFindKernelObjects(), IntWinGuestFindKernelObjectsInternal(), and IntWinProcIterateGuestProcesses().
| QWORD _WINDOWS_GUEST::PsCreateSystemThread |
Guest virtual address of the PsCreateSystemThread kernel function.
Definition at line 812 of file winguest.h.
Referenced by IntWinAgentInject(), and IntWinGuestResolveImports().
| QWORD _WINDOWS_GUEST::PsLoadedModuleList |
Guest virtual address of the PsLoadedModuleList kernel variable.
Definition at line 836 of file winguest.h.
Referenced by DbgDumpGuestModules(), IntWinDrvIterateLoadedModules(), and IntWinGuestFindKernelObjectsInternal().
| DWORD _WINDOWS_GUEST::RemainingSections |
The number of kernel sections not yet read into KernelBuffer.
Definition at line 854 of file winguest.h.
Referenced by IntThrSafeCheckThreads(), IntWinAgentFindSyscallLinkage(), IntWinGuestReadKernel(), and IntWinGuestSectionInMemory().
| PCHAR _WINDOWS_GUEST::ServerVersionString |
A NULL terminated string containing Windows server version information.
This is obtained from a CAMI file and is set by IntCamiLoadWindows.
Definition at line 831 of file winguest.h.
Referenced by IntCamiLoadWindows(), IntWinGetVersionString(), and IntWinGuestUninit().
| QWORD _WINDOWS_GUEST::Ssdt |
Guest virtual address of the SSDT structure inside the kernel.
Definition at line 818 of file winguest.h.
Referenced by IntDetSetHook(), IntExceptGetVictimEpt(), IntMtblCheckAccess(), and IntWinGuestResolveImports().
| QWORD _WINDOWS_GUEST::SyscallAddress |
Guest virtual address of the SYSCALL/SYSENTER handler.
Definition at line 815 of file winguest.h.
Referenced by IntWinAgentFindInstruction(), and IntWinGuestNew().
| PCHAR _WINDOWS_GUEST::VersionString |
A NULL terminated string containing Windows version information.
This is obtained from a CAMI file and is set by IntCamiLoadWindows.
Definition at line 827 of file winguest.h.
Referenced by IntCamiLoadWindows(), IntWinGetVersionString(), and IntWinGuestUninit().
1.8.13