- Generated by
1.8.13
|
Bitdefender Hypervisor Memory Introspection
|
Structure for keeping the relevant DPI violation information. More...
#include <intro_types.h>
Data Fields | |
| struct { | |
| INTRO_PROCESS Debugger | |
| The debugger of the current process. May or may not be the parent. More... | |
| } | DpiDebugFlag |
| struct { | |
| QWORD CurrentStack | |
| The current stack of the parent process. More... | |
| QWORD StackBase | |
| The known stack base of the parent process. More... | |
| QWORD StackLimit | |
| The known stack limit of the parent process. More... | |
| QWORD Wow64CurrentStack | |
| The current stack of the parent process in WoW64 mode. More... | |
| QWORD Wow64StackBase | |
| The known stack base of the parent process in WoW64 mode. More... | |
| QWORD Wow64StackLimit | |
| The known stack limit of the parent process in WoW64 mode. More... | |
| BYTE TrapFrameContent [512] | |
| The content of the trap frame where the current stack has been found. More... | |
| } | DpiPivotedStack |
| struct { | |
| INTRO_PROCESS StolenFrom | |
| The process from which the token was stolen. More... | |
| } | DpiStolenToken |
| struct { | |
| struct { | |
| DWORD Mapped: 1 | |
| DWORD Detected: 1 | |
| The bit is set if the i-th page was detected as malicious by shemu. More... | |
| DWORD HeapValCount: 11 | |
| The number of heap values in the page. Since the max value can be 1024, 11 bits are needed. More... | |
| DWORD Offset: 12 | |
| The offset where the detection on the given page was given, if Detection is equal to 1. More... | |
| DWORD Executable: 1 | |
| True if the page is executable in the translation. More... | |
| DWORD Reserved: 7 | |
| Reserved for further use. More... | |
| } HeapPages [0xF] | |
| QWORD ShellcodeFlags | |
| The shellcode flags given by shemu on the detected page. More... | |
| BYTE DetectedPage [0x1000] | |
| The page which was detected through shemu as malicious. More... | |
| BYTE MaxHeapValPageContent [0x1000] | |
| The copied page which has the most heap values in it. More... | |
| } | DpiHeapSpray |
| struct { | |
| QWORD OldEnabled | |
| QWORD NewEnabled | |
| The new Privileges.Enabled value in the parent's token, which was deemed malicious. More... | |
| QWORD OldPresent | |
| QWORD NewPresent | |
| The new Privileges.Present value in the parent's token, which was deemed malicious. More... | |
| } | DpiTokenPrivs |
| struct { | |
| QWORD ShellcodeFlags | |
| The shellcode flags given by shemu on the detected page. More... | |
| QWORD StartAddress | |
| The address where the thread started executing. More... | |
| BYTE StartPage [0x1000] | |
| The copied page from where the thread started executing. More... | |
| } | DpiThreadStart |
| struct { | |
| INTRO_PROCESS SecDescStolenFrom | |
| This variable may indicate the victim process (where security descriptor has been stolen from). If the security descriptor is invalid, this variable will be uninitialized. More... | |
| QWORD OldPointerValue | |
| Old value. More... | |
| QWORD NewPointerValue | |
| New value. More... | |
| INTRO_ACL OldSacl | |
| The old SACL header. More... | |
| INTRO_ACL OldDacl | |
| The old DACL header. More... | |
| INTRO_ACL NewSacl | |
| The new SACL header. More... | |
| INTRO_ACL NewDacl | |
| The new DACL header. More... | |
| } | DpiSecDescAcl |
Structure for keeping the relevant DPI violation information.
Definition at line 1685 of file intro_types.h.
| QWORD _INTRO_DPI_EXTRA_INFO::CurrentStack |
The current stack of the parent process.
Definition at line 1694 of file intro_types.h.
| INTRO_PROCESS _INTRO_DPI_EXTRA_INFO::Debugger |
The debugger of the current process. May or may not be the parent.
Definition at line 1689 of file intro_types.h.
| DWORD _INTRO_DPI_EXTRA_INFO::Detected |
The bit is set if the i-th page was detected as malicious by shemu.
Definition at line 1714 of file intro_types.h.
| BYTE _INTRO_DPI_EXTRA_INFO::DetectedPage[0x1000] |
The page which was detected through shemu as malicious.
Definition at line 1725 of file intro_types.h.
| struct { ... } _INTRO_DPI_EXTRA_INFO::DpiDebugFlag |
| struct { ... } _INTRO_DPI_EXTRA_INFO::DpiHeapSpray |
| struct { ... } _INTRO_DPI_EXTRA_INFO::DpiPivotedStack |
| struct { ... } _INTRO_DPI_EXTRA_INFO::DpiSecDescAcl |
| struct { ... } _INTRO_DPI_EXTRA_INFO::DpiStolenToken |
| struct { ... } _INTRO_DPI_EXTRA_INFO::DpiThreadStart |
| struct { ... } _INTRO_DPI_EXTRA_INFO::DpiTokenPrivs |
| DWORD _INTRO_DPI_EXTRA_INFO::Executable |
True if the page is executable in the translation.
Definition at line 1719 of file intro_types.h.
| struct { ... } _INTRO_DPI_EXTRA_INFO::HeapPages[0xF] |
| DWORD _INTRO_DPI_EXTRA_INFO::HeapValCount |
The number of heap values in the page. Since the max value can be 1024, 11 bits are needed.
Definition at line 1716 of file intro_types.h.
| DWORD _INTRO_DPI_EXTRA_INFO::Mapped |
The bit is set if the i-th page could be mapped.
Definition at line 1712 of file intro_types.h.
| BYTE _INTRO_DPI_EXTRA_INFO::MaxHeapValPageContent[0x1000] |
The copied page which has the most heap values in it.
Definition at line 1726 of file intro_types.h.
| INTRO_ACL _INTRO_DPI_EXTRA_INFO::NewDacl |
The new DACL header.
Definition at line 1759 of file intro_types.h.
| QWORD _INTRO_DPI_EXTRA_INFO::NewEnabled |
The new Privileges.Enabled value in the parent's token, which was deemed malicious.
Definition at line 1733 of file intro_types.h.
| QWORD _INTRO_DPI_EXTRA_INFO::NewPointerValue |
New value.
Definition at line 1753 of file intro_types.h.
| QWORD _INTRO_DPI_EXTRA_INFO::NewPresent |
The new Privileges.Present value in the parent's token, which was deemed malicious.
Definition at line 1736 of file intro_types.h.
| INTRO_ACL _INTRO_DPI_EXTRA_INFO::NewSacl |
The new SACL header.
Definition at line 1758 of file intro_types.h.
| DWORD _INTRO_DPI_EXTRA_INFO::Offset |
The offset where the detection on the given page was given, if Detection is equal to 1.
Definition at line 1718 of file intro_types.h.
| INTRO_ACL _INTRO_DPI_EXTRA_INFO::OldDacl |
The old DACL header.
Definition at line 1756 of file intro_types.h.
| QWORD _INTRO_DPI_EXTRA_INFO::OldEnabled |
The old Privileges.Enabled value in the parent's token.
Definition at line 1731 of file intro_types.h.
| QWORD _INTRO_DPI_EXTRA_INFO::OldPointerValue |
Old value.
Definition at line 1752 of file intro_types.h.
| QWORD _INTRO_DPI_EXTRA_INFO::OldPresent |
The old Privileges.Present value in the parent's token.
Definition at line 1734 of file intro_types.h.
| INTRO_ACL _INTRO_DPI_EXTRA_INFO::OldSacl |
The old SACL header.
Definition at line 1755 of file intro_types.h.
| DWORD _INTRO_DPI_EXTRA_INFO::Reserved |
Reserved for further use.
Definition at line 1720 of file intro_types.h.
| INTRO_PROCESS _INTRO_DPI_EXTRA_INFO::SecDescStolenFrom |
This variable may indicate the victim process (where security descriptor has been stolen from). If the security descriptor is invalid, this variable will be uninitialized.
Definition at line 1750 of file intro_types.h.
| QWORD _INTRO_DPI_EXTRA_INFO::ShellcodeFlags |
The shellcode flags given by shemu on the detected page.
Definition at line 1723 of file intro_types.h.
| QWORD _INTRO_DPI_EXTRA_INFO::StackBase |
The known stack base of the parent process.
Definition at line 1695 of file intro_types.h.
| QWORD _INTRO_DPI_EXTRA_INFO::StackLimit |
The known stack limit of the parent process.
Definition at line 1696 of file intro_types.h.
| QWORD _INTRO_DPI_EXTRA_INFO::StartAddress |
The address where the thread started executing.
Definition at line 1742 of file intro_types.h.
| BYTE _INTRO_DPI_EXTRA_INFO::StartPage[0x1000] |
The copied page from where the thread started executing.
Definition at line 1743 of file intro_types.h.
| INTRO_PROCESS _INTRO_DPI_EXTRA_INFO::StolenFrom |
The process from which the token was stolen.
Definition at line 1705 of file intro_types.h.
| BYTE _INTRO_DPI_EXTRA_INFO::TrapFrameContent[512] |
The content of the trap frame where the current stack has been found.
Definition at line 1700 of file intro_types.h.
| QWORD _INTRO_DPI_EXTRA_INFO::Wow64CurrentStack |
The current stack of the parent process in WoW64 mode.
Definition at line 1697 of file intro_types.h.
| QWORD _INTRO_DPI_EXTRA_INFO::Wow64StackBase |
The known stack base of the parent process in WoW64 mode.
Definition at line 1698 of file intro_types.h.
| QWORD _INTRO_DPI_EXTRA_INFO::Wow64StackLimit |
The known stack limit of the parent process in WoW64 mode.
Definition at line 1699 of file intro_types.h.
1.8.13