- Generated by
1.8.13
|
Bitdefender Hypervisor Memory Introspection
|
Contains definitions for structures and constants used by the Windows kernel. More...
#include "introdefs.h"Go to the source code of this file.
Data Structures | |
| struct | _UNICODE_STRING |
| A _UNICODE_STRING structure as defined by Windows. More... | |
| struct | _UNICODE_STRING32 |
| The Windows UNICODE_STRING structure used for 32-bit guests. More... | |
| struct | _UNICODE_STRING64 |
| The Windows UNICODE_STRING structure used for 64-bit guests. More... | |
| struct | _LIST_ENTRY32 |
| Models a LIST_ENTRY structure used by 32-bit Windows guests. More... | |
| struct | _LIST_ENTRY64 |
| Models a LIST_ENTRY structure used by 64-bit Windows guests. More... | |
| struct | _LDR_DATA_TABLE_ENTRY32 |
| The _LDR_DATA_TABLE_ENTRY structure used by 32-bit guests. More... | |
| struct | _LDR_DATA_TABLE_ENTRY64 |
| The _LDR_DATA_TABLE_ENTRY structure used by 64-bit guests. More... | |
| struct | _DRIVER_OBJECT32 |
| The _DRIVER_OBJECT structure used by 32-bit guests. More... | |
| struct | _DRIVER_OBJECT64 |
| The _DRIVER_OBJECT structure used by 64-bit guests. More... | |
| struct | _FAST_IO_DISPATCH32 |
| The _FAST_IO_DISPATCH structure used by 32-bit guests. More... | |
| struct | _FAST_IO_DISPATCH64 |
| The _FAST_IO_DISPATCH structure used by 64-bit guests. More... | |
| struct | _OBJECT_HEADER32 |
| The _OBJECT_HEADER32 structure used by 32-bit guests. More... | |
| struct | _OBJECT_HEADER64 |
| The _OBJECT_HEADER32 structure used by 64-bit guests. More... | |
| struct | _POOL_HEADER32 |
| The _POOL_HEADER structure used by 32-bit guests. More... | |
| struct | _POOL_HEADER64 |
| The _POOL_HEADER structure used by 64-bit guests. More... | |
| union | _POOL_HEADER |
| struct | _POOL_TRACKER_BIG_PAGES32 |
| struct | _POOL_TRACKER_BIG_PAGES64 |
| union | _POOL_TRACKER_BIG_PAGES |
| struct | _SID_AND_ATTRIBUTES64 |
| struct | _SID_AND_ATTRIBUTES32 |
| struct | _SID_IDENTIFIER_AUTHORITY |
| struct | _SID |
| struct | _SECURITY_DESCRIPTOR |
| struct | _ACL |
| An access control list. More... | |
| struct | _ACE_HEADER |
| An access control entry header. More... | |
| struct | _RTL_USER_PROCESS_PARAMETERS32 |
| This is the structure as documented in winternl.h. More... | |
| struct | _RTL_USER_PROCESS_PARAMETERS64 |
| This is the structure as documented in winternl.h. More... | |
| struct | _RTL_DYNAMIC_HASH_TABLE32 |
| This is the structure as documented in ntddk.h. More... | |
| struct | _RTL_DYNAMIC_HASH_TABLE64 |
| This is the structure as documented in ntddk.h. More... | |
| struct | _PEB32 |
| This is the structure as documented in winternl.h. More... | |
| struct | _PEB64 |
| This is the structure as documented in winternl.h. More... | |
| struct | _M128A |
| struct | _KI_IO_ACCESS_MAP |
| struct | _KTSS |
| struct | _KTRAP_FRAME32 |
| struct | _KTRAP_FRAME64 |
| struct | _EXCEPTION_RECORD64 |
| An _EXCEPTION_RECORD structure used by 64-bit guests. More... | |
| struct | _EXCEPTION_RECORD32 |
| An _EXCEPTION_RECORD structure used by 64-bit guests. More... | |
| struct | _KEXCEPTION_FRAME64 |
| An _KEXCEPTION_FRAME structure used by 64-bit guests. More... | |
| struct | _OBJECT_TYPE64 |
| An _OBJECT_TYPE structure used by 64-bit guests. More... | |
| struct | _OBJECT_TYPE32 |
| An _OBJECT_TYPE structure used by 32-bit guests. More... | |
| struct | _OBJECT_DIRECTORY_ENTRY64 |
| An OBJECT_DIRECTORY_ENTRY64 structure used by 64-bit guests. More... | |
| struct | _OBJECT_DIRECTORY_ENTRY32 |
| An OBJECT_DIRECTORY_ENTRY64 structure used by 32-bit guests. More... | |
| struct | _OBJECT_NAME64 |
| An _OBJECT_HEADER_NAME_INFO structure used by 64-bit guests. More... | |
| struct | _OBJECT_NAME32 |
| An _OBJECT_HEADER_NAME_INFO structure used by 32-bit guests. More... | |
| struct | _XSAVE_FORMAT |
| Format of data for (F)XSAVE/(F)XRSTOR instruction for 32-bit guests. More... | |
| struct | _FLOATING_SAVE_AREA |
| Format of data for (F)XSAVE/(F)XRSTOR instruction. More... | |
| struct | _CONTEXT64 |
| Context Frame for 64-bit guests. More... | |
| struct | _CONTEXT32 |
| Context Frame for 32-bit guests. More... | |
| union | _WIN_MITIGATION_FLAGS |
| Mitigation flags. More... | |
| union | _WIN_MITIGATION_FLAGS2 |
| Mitigation flags. More... | |
| struct | _RTL_VERIFIER_DLL_DESCRIPTOR_32 |
| Verifier provider initialization structures for 32-bit processes. More... | |
| struct | _RTL_VERIFIER_DLL_DESCRIPTOR_64 |
| Verifier provider initialization structures for 64-bit processes. More... | |
| struct | _RTL_VERIFIER_PROVIDER_DESCRIPTOR_32 |
| Verifier provider initialization structures for 32-bit processes. More... | |
| struct | _RTL_VERIFIER_PROVIDER_DESCRIPTOR_64 |
| Verifier provider initialization structures for 64-bit processes. More... | |
| union | _ADDRINFO |
| union | _LOCAL_ADDRESS |
| struct | _KINTERRUPT_COMMON32 |
| The common part of nt!_KINTERRUPT on all x86 Windows versions. More... | |
| struct | _KINTERRUPT_COMMON64 |
| The common part of nt!_KINTERRUPT on all x64 Windows versions. More... | |
Macros | |
| #define | IDT_OFFSET 0x38 |
| The offset of the IDT base inside the _KPCR. More... | |
| #define | IDT_DESC_SIZE32 8 |
| The size of a 32-bit interrupt descriptor. More... | |
| #define | IDT_DESC_SIZE64 16 |
| The size of a 64-bit interrupt descriptor. More... | |
| #define | DRIVER_OBJECT_TYPE 4 |
| The type of a _DRIVER_OBJECT structure. More... | |
| #define | KESDT_SIZE (4 * 4) |
| The size of the KeServiceDescriptorTable. More... | |
| #define | WIN_BUILD_7_0 7600 |
| #define | WIN_BUILD_7_1 7601 |
| #define | WIN_BUILD_7_2 7602 |
| #define | WIN_BUILD_8 9200 |
| #define | WIN_BUILD_8_1 9600 |
| #define | WIN_BUILD_10_TH1 10240 |
| #define | WIN_BUILD_10_TH2 10586 |
| #define | WIN_BUILD_10_RS1 14393 |
| #define | WIN_BUILD_10_RS2 15063 |
| #define | WIN_BUILD_10_RS3 16299 |
| #define | WIN_BUILD_10_RS4 17134 |
| #define | WIN_BUILD_10_RS5 17763 |
| #define | WIN_BUILD_10_19H1 18362 |
| #define | WIN_BUILD_10_19H2 18362 |
| #define | WIN_BUILD_10_20H1 19041 |
| #define | WIN_HAL_HEAP_BASE_32 0xFFD00000 |
| The base address of the HAL heap on 32-bit kernels. More... | |
| #define | WIN_HAL_HEAP_BASE_64 0xFFFFFFFFFFD00000 |
| The base address of the HAL heap on 64-bit kernels. More... | |
| #define | IS_KERNEL_POINTER_WIN(is64, p) |
| Checks if a guest virtual address resides inside the Windows kernel address space. More... | |
| #define | FIX_GUEST_POINTER(is64, x) ((is64) ? (x) : ((x) & 0xFFFFFFFF)) |
| Masks the unused part of a Windows guest virtual address. More... | |
| #define | EX_FAST_REF_TO_PTR(is64, p) ((is64) ? (p) & ~(0x0FULL) : (p) & ~(0x07ULL)) |
| Converts a _EX_FAST_REF value to a pointer. More... | |
| #define | WIN_POOL_HEADER_SIZE32 0x8 |
| The size of a pool header on 32-bit Windows. More... | |
| #define | WIN_POOL_HEADER_SIZE64 0x10 |
| The size of a pool header on 64-bit Windows. More... | |
| #define | WIN_POOL_HEADER_SIZE ((gGuest.Guest64) ? WIN_POOL_HEADER_SIZE64 : WIN_POOL_HEADER_SIZE32) |
| #define | WIN_POOL_BLOCK_SIZE32 0x08 |
| The block size of a pool allocation on 32-bit Windows. More... | |
| #define | WIN_POOL_BLOCK_SIZE64 0x10 |
| The block size of a pool allocation on 64-bit Windows. More... | |
| #define | WIN_POOL_BLOCK_SIZE ((gGuest.Guest64) ? WIN_POOL_BLOCK_SIZE64 : WIN_POOL_BLOCK_SIZE32) |
| #define | WIN_POOL_TRACKER_SIZE |
| #define | SE_GROUP_MANDATORY (0x00000001L) |
| #define | SE_GROUP_ENABLED_BY_DEFAULT (0x00000002L) |
| #define | SE_GROUP_ENABLED (0x00000004L) |
| #define | SE_GROUP_OWNER (0x00000008L) |
| #define | SE_GROUP_USE_FOR_DENY_ONLY (0x00000010L) |
| #define | SE_GROUP_INTEGRITY (0x00000020L) |
| #define | SE_GROUP_INTEGRITY_ENABLED (0x00000040L) |
| #define | SE_GROUP_LOGON_ID (0xC0000000L) |
| #define | SE_GROUP_RESOURCE (0x20000000L) |
| #define | SE_GROUP_VALID_ATTRIBUTES |
| #define | ACCESS_ALLOWED_ACE_TYPE_STRING "ACCESS_ALLOWED_ACE_TYPE" |
| Printable version of ACCESS_ALLOWED_ACE_TYPE. More... | |
| #define | ACCESS_DENIED_ACE_TYPE_STRING "ACCESS_DENIED_ACE_TYPE" |
| Printable version of ACCESS_DENIED_ACE_TYPE. More... | |
| #define | SYSTEM_AUDIT_ACE_TYPE_STRING "SYSTEM_AUDIT_ACE_TYPE" |
| Printable version of SYSTEM_AUDIT_ACE_TYPE. More... | |
| #define | SYSTEM_ALARM_ACE_TYPES_STRING "SYSTEM_ALARM_ACE_TYPE" |
| Printable version of SYSTEM_ALARM_ACE_TYPE. More... | |
| #define | ACCESS_ALLOWED_COMPOUND_ACE_TYPE_STRING "ACCESS_ALLOWED_COMPOUND_ACE_TYPE" |
| Printable version of ACCESS_ALLOWED_COMPOUND_ACE_TYPE. More... | |
| #define | ACCESS_ALLOWED_OBJECT_ACE_TYPE_STRING "ACCESS_ALLOWED_OBJECT_ACE_TYPE" |
| Printable version of ACCESS_ALLOWED_OBJECT_ACE_TYPE. More... | |
| #define | ACCESS_DENIED_OBJECT_ACE_TYPE_STRING "ACCESS_DENIED_OBJECT_ACE_TYPE" |
| Printable version of ACCESS_DENIED_OBJECT_ACE_TYPE. More... | |
| #define | SYSTEM_AUDIT_OBJECT_ACE_TYPE_STRING "SYSTEM_AUDIT_OBJECT_ACE_TYPE" |
| Printable version of SYSTEM_AUDIT_OBJECT_ACE_TYPE. More... | |
| #define | SYSTEM_ALARM_OBJECT_ACE_TYPE_STRING "SYSTEM_ALARM_OBJECT_ACE_TYPE" |
| Printable version of SYSTEM_ALARM_OBJECT_ACE_TYPE. More... | |
| #define | ACCESS_ALLOWED_CALLBACK_ACE_TYPE_STRING "ACCESS_ALLOWED_CALLBACK_ACE_TYPE" |
| Printable version of ACCESS_ALLOWED_CALLBACK_ACE_TYPE. More... | |
| #define | ACCESS_DENIED_CALLBACK_ACE_TYPE_STRING "ACCESS_DENIED_CALLBACK_ACE_TYPE" |
| Printable version of ACCESS_DENIED_CALLBACK_ACE_TYPE. More... | |
| #define | ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE_STRING "ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE" |
| Printable version of ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE. More... | |
| #define | ACCESS_DENIED_CALLBACK_OBJECT_ACE_TYPE_STRING "ACCESS_DENIED_CALLBACK_OBJECT_ACE_TYPE" |
| Printable version of ACCESS_DENIED_CALLBACK_OBJECT_ACE_TYPE. More... | |
| #define | SYSTEM_AUDIT_CALLBACK_ACE_TYPE_STRING "SYSTEM_AUDIT_CALLBACK_ACE_TYPE" |
| Printable version of SYSTEM_AUDIT_CALLBACK_ACE_TYPE. More... | |
| #define | SYSTEM_ALARM_CALLBACK_ACE_TYPE_STRING "SYSTEM_ALARM_CALLBACK_ACE_TYPE" |
| Printable version of SYSTEM_ALARM_CALLBACK_ACE_TYPE. More... | |
| #define | SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE_STRING "SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE" |
| Printable version of SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE. More... | |
| #define | SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE_STRING "SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE" |
| Printable version of SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE. More... | |
| #define | SYSTEM_MANDATORY_LABEL_ACE_TYPE_STRING "SYSTEM_MANDATORY_LABEL_ACE_TYPE" |
| Printable version of SYSTEM_MANDATORY_LABEL_ACE_TYPE. More... | |
| #define | SYSTEM_RESOURCE_ATTRIBUTE_ACE_TYPE_STRING "SYSTEM_RESOURCE_ATTRIBUTE_ACE_TYPE" |
| Printable version of SYSTEM_RESOURCE_ATTRIBUTE_ACE_TYPE. More... | |
| #define | SYSTEM_SCOPED_POLICY_ID_ACE_TYPE_STRING "SYSTEM_SCOPED_POLICY_ID_ACE_TYPE" |
| Printable version of SYSTEM_SCOPED_POLICY_ID_ACE_TYPE. More... | |
| #define | SYSTEM_PROCESS_TRUST_LABEL_ACE_TYPE_STRING "SYSTEM_PROCESS_TRUST_LABEL_ACE_TYPE" |
| Printable version of SYSTEM_PROCESS_TRUST_LABEL_ACE_TYPE. More... | |
| #define | SYSTEM_ACCESS_FILTER_ACE_TYPE_STRING "SYSTEM_ACCESS_FILTER_ACE_TYPE" |
| Printable version of SYSTEM_ACCESS_FILTER_ACE_TYPE. More... | |
| #define | ACL_REVISION (2) |
| #define | ACL_REVISION_DS (4) |
| #define | ACL_REVISION1 (1) |
| #define | MIN_ACL_REVISION ACL_REVISION2 |
| #define | ACL_REVISION2 (2) |
| #define | ACL_REVISION3 (3) |
| #define | ACL_REVISION4 (4) |
| #define | MAX_ACL_REVISION ACL_REVISION4 |
| #define | EXCEPTION_MAXIMUM_PARAMETERS 15ul |
| #define | WIN_PTE_READWRITE 0x080 |
| #define | WIN_PTE_TRANSITION 0x800 |
| #define | WIN_PTE_PROTOTYPE 0x400 |
| #define | WIN_PTE_GUARD 0x200 |
| #define | HAL_DISPATCH_TABLE_PTR_COUNT 23 |
| The number of entries inside the hal dispatch table. More... | |
| #define | RTL_BALANCED_NODE_PARENT_TO_PTR(Parent) ((Parent) & ~3) |
| Gets the pointer to the parent of a _RTL_BALANCED_NODE. More... | |
| #define | WIN_MM_PAGE_NOACCESS 0x001 |
| Defined by Windows as PAGE_NOACCESS in winnt.h. More... | |
| #define | WIN_MM_PAGE_READONLY 0x002 |
| Defined by Windows as PAGE_READONLY in winnt.h. More... | |
| #define | WIN_MM_PAGE_READWRITE 0x004 |
| Defined by Windows as PAGE_READWRITE in winnt.h. More... | |
| #define | WIN_MM_PAGE_WRITECOPY 0x008 |
| Defined by Windows as PAGE_WRITECOPY in winnt.h. More... | |
| #define | WIN_MM_PAGE_EXECUTE 0x010 |
| Defined by Windows as PAGE_EXECUTE in winnt.h. More... | |
| #define | WIN_MM_PAGE_EXECUTE_READ 0x020 |
| Defined by Windows as PAGE_EXECUTE_READ in winnt.h. More... | |
| #define | WIN_MM_PAGE_EXECUTE_READWRITE 0x040 |
| Defined by Windows as PAGE_EXECUTE_READWRITE in winnt.h. More... | |
| #define | WIN_MM_PAGE_EXECUTE_WRITECOPY 0x080 |
| Defined by Windows as PAGE_EXECUTE_WRITECOPY in winnt.h. More... | |
| #define | WIN_MM_PAGE_GUARD 0x100 |
| Defined by Windows as PAGE_GUARD in winnt.h. More... | |
| #define | WIN_MM_PAGE_NOCACHE 0x200 |
| Defined by Windows as PAGE_NOCACHE in winnt.h. More... | |
| #define | WIN_MM_PAGE_WRITECOMBINE 0x400 |
| Defined by Windows as PAGE_WRITECOMBINE in winnt.h. More... | |
| #define | KEXEC_OPT_EXEC_DISABLE 1 |
| Disables execution rights for memory that contains data. Enables DEP. More... | |
| #define | KEXEC_OPT_EXEC_ENABLE 2 |
| Enables execution rights for memory that contains data. Disables DEP. More... | |
| #define | KEXEC_OPT_PERMANENT 8 |
| Freezes the DEP settings for a process. More... | |
| #define | SIZE_OF_80387_REGISTERS 80 |
| #define | MAXIMUM_SUPPORTED_EXTENSION 512 |
| #define | POOL_TAG_INCO 'oCnI' |
| Inet Compartment. More... | |
| #define | POOL_TAG_INPA 'APnI' |
| Inet Port Array. More... | |
| #define | POOL_TAG_INCS 'SCnI' |
| Inet Compartment Set. More... | |
| #define | POOL_TAG_INNL 'lNnI' |
| Used to search for address family. More... | |
| #define | POOL_TAG_TCCO 'oCcT' |
| Tcp Compartment. More... | |
| #define | POOL_TAG_TCHT 'THcT' |
| Tcp Hash Table. More... | |
| #define | POOL_TAG_TCPT 'tPcT' |
| Tcp Partition. More... | |
| #define | POOL_TAG_TCPE 'EpcT' |
| Tcp Endpoint. More... | |
| #define | POOL_TAG_TCPL 'LpcT' |
| Tcp Listener. More... | |
| #define | POOL_TAG_TCTW 'WTcT' |
| Tcp Time Wait Endpoint. More... | |
| #define | DLL_PROCESS_DETACH 0 |
| #define | DLL_PROCESS_ATTACH 1 |
| #define | DLL_THREAD_ATTACH 2 |
| #define | DLL_THREAD_DETACH 3 |
| #define | DLL_VERIFIER_PROVIDER 4 |
| #define | AF_INET 0x02 |
| IPv4. More... | |
| #define | AF_INET6 0x17 |
| IPv6. More... | |
Functions | |
| STATIC_ASSERT (sizeof(POOL_HEADER32)==WIN_POOL_HEADER_SIZE32, "Wrong size for POOL_HEADER32!") | |
| STATIC_ASSERT (sizeof(POOL_HEADER64)==WIN_POOL_HEADER_SIZE64, "Wrong size for POOL_HEADER64!") | |
| STATIC_ASSERT (OFFSET_OF(POOL_HEADER32, PoolTag)==OFFSET_OF(POOL_HEADER64, PoolTag), "Wrong PoolTag offset!") | |
| STATIC_ASSERT (sizeof(KTRAP_FRAME64)==0x190, "Wrong size for KTRAP_FRAME64!") | |
| STATIC_ASSERT (OFFSET_OF(KTRAP_FRAME64, Rax)==0x30, "Wrong offset for Rax in KTRAP_FRAME64!") | |
| STATIC_ASSERT (OFFSET_OF(KTRAP_FRAME64, Rbx)==0x140, "Wrong offset for Rbx in KTRAP_FRAME64!") | |
| STATIC_ASSERT (OFFSET_OF(KTRAP_FRAME64, Rip)==0x168, "Wrong offset for Rip in KTRAP_FRAME64!") | |
| STATIC_ASSERT (OFFSET_OF(KTRAP_FRAME64, Rsp)==0x180, "Wrong offset for Rsp in KTRAP_FRAME64!") | |
| STATIC_ASSERT (sizeof(KEXCEPTION_FRAME64)==0x140, "Wrong size for KEXCEPTION_FRAME64!") | |
| STATIC_ASSERT (OFFSET_OF(KEXCEPTION_FRAME64, Rbp)==0xF8, "Wrong offset for Rbp in KEXCEPTION_FRAME64!") | |
| STATIC_ASSERT (sizeof(OBJECT_TYPE64)==0x40, "Invalid OBJECT_TYPE64 size!") | |
| STATIC_ASSERT (sizeof(OBJECT_TYPE32)==0x28, "Invalid OBJECT_TYPE32 size!") | |
| STATIC_ASSERT (OFFSET_OF(KINTERRUPT_COMMON32, ServiceRoutine)==0xc, "Wrong ServiceRoutine offset in KINTERRUPT32!") | |
| STATIC_ASSERT (OFFSET_OF(KINTERRUPT_COMMON32, DispatchAddress)==0x28, "Wrong DispatchAddress offset in KINTERRUPT32!") | |
| STATIC_ASSERT (OFFSET_OF(KINTERRUPT_COMMON64, ServiceRoutine)==0x18, "Wrong ServiceRoutine offset in KINTERRUPT64!") | |
| STATIC_ASSERT (OFFSET_OF(KINTERRUPT_COMMON64, DispatchAddress)==0x50, "Wrong DispatchAddress offset in KINTERRUPT64!") | |
Contains definitions for structures and constants used by the Windows kernel.
A definition should be placed here if it is unchanged on most (if not all) Windows versions or if placing it inside CAMI is not doable due to some reason. In general, try to avoid defining that types that need a switch on the OS version in order to be used. The definitions are either lifted from public Windows headers (this is the best guarantee that it will not change over time), public debugging symbols, or through reverse engineering. Try to not define all the fields in a structure, as that can quickly lead to the need of defining other structures. Instead, definitions should be kept to the minimum necessary for introcore. Since a 64-bit introcore is used for both 32- and 64-bit guests, structures that are needed for both OS versions will usually be defined twice, once for 32-bit and once for 64-bit.
Definition in file wddefs.h.
| #define ACCESS_ALLOWED_ACE_TYPE_STRING "ACCESS_ALLOWED_ACE_TYPE" |
Printable version of ACCESS_ALLOWED_ACE_TYPE.
Definition at line 688 of file wddefs.h.
Referenced by IntWinSDGetAceTypeName().
| #define ACCESS_ALLOWED_CALLBACK_ACE_TYPE_STRING "ACCESS_ALLOWED_CALLBACK_ACE_TYPE" |
Printable version of ACCESS_ALLOWED_CALLBACK_ACE_TYPE.
Definition at line 706 of file wddefs.h.
Referenced by IntWinSDGetAceTypeName().
| #define ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE_STRING "ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE" |
Printable version of ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE.
Definition at line 710 of file wddefs.h.
Referenced by IntWinSDGetAceTypeName().
| #define ACCESS_ALLOWED_COMPOUND_ACE_TYPE_STRING "ACCESS_ALLOWED_COMPOUND_ACE_TYPE" |
Printable version of ACCESS_ALLOWED_COMPOUND_ACE_TYPE.
Definition at line 696 of file wddefs.h.
Referenced by IntWinSDGetAceTypeName().
| #define ACCESS_ALLOWED_OBJECT_ACE_TYPE_STRING "ACCESS_ALLOWED_OBJECT_ACE_TYPE" |
Printable version of ACCESS_ALLOWED_OBJECT_ACE_TYPE.
Definition at line 698 of file wddefs.h.
Referenced by IntWinSDGetAceTypeName().
| #define ACCESS_DENIED_ACE_TYPE_STRING "ACCESS_DENIED_ACE_TYPE" |
Printable version of ACCESS_DENIED_ACE_TYPE.
Definition at line 690 of file wddefs.h.
Referenced by IntWinSDGetAceTypeName().
| #define ACCESS_DENIED_CALLBACK_ACE_TYPE_STRING "ACCESS_DENIED_CALLBACK_ACE_TYPE" |
Printable version of ACCESS_DENIED_CALLBACK_ACE_TYPE.
Definition at line 708 of file wddefs.h.
Referenced by IntWinSDGetAceTypeName().
| #define ACCESS_DENIED_CALLBACK_OBJECT_ACE_TYPE_STRING "ACCESS_DENIED_CALLBACK_OBJECT_ACE_TYPE" |
Printable version of ACCESS_DENIED_CALLBACK_OBJECT_ACE_TYPE.
Definition at line 712 of file wddefs.h.
Referenced by IntWinSDGetAceTypeName().
| #define ACCESS_DENIED_OBJECT_ACE_TYPE_STRING "ACCESS_DENIED_OBJECT_ACE_TYPE" |
Printable version of ACCESS_DENIED_OBJECT_ACE_TYPE.
Definition at line 700 of file wddefs.h.
Referenced by IntWinSDGetAceTypeName().
| #define AF_INET 0x02 |
| #define AF_INET6 0x17 |
| #define DLL_VERIFIER_PROVIDER 4 |
Definition at line 1890 of file wddefs.h.
Referenced by IntWinDagentCheckSuspiciousDllLoad(), IntWinDagentHandleSuspModExecution(), and IntWinDagentHandleVerifierReason().
| #define DRIVER_OBJECT_TYPE 4 |
The type of a _DRIVER_OBJECT structure.
This is the value of the Type field inside the _DRIVER_OBJECT structure
Definition at line 37 of file wddefs.h.
Referenced by IntWinDrvObjIsValidDriverObject().
| #define EX_FAST_REF_TO_PTR | ( | is64, | |
| p | |||
| ) | ((is64) ? (p) & ~(0x0FULL) : (p) & ~(0x07ULL)) |
Converts a _EX_FAST_REF value to a pointer.
_EX_FAST_REF encapsulates both a pointer and a counter. It takes advantage of the fact most kernel data structures are aligned to a 8-byte boundary on 32-bit kernels and on a 16-byte boundary on 64-bit kernels. Thus, the lower 3 or 4 bits of their base address are always 0. Windows uses those as a reference counter. This macro cleans them.
| [in] | is64 | True for 64-bit guests, False for 32-bit guests |
| [in] | p | A _EX_FAST_REF |
Definition at line 100 of file wddefs.h.
Referenced by IntWinGetAccessTokenFromProcess(), IntWinProcCreateProcessObject(), IntWinSDFetchSecDescAddress(), IntWinTokenFetchTokenAddress(), IntWinTokenPrivsHandleSwap(), IntWinTokenPrivsHandleWrite(), IntWinTokenPtrIsStolen(), and IntWinVadFetchImageName().
| #define EXCEPTION_MAXIMUM_PARAMETERS 15ul |
Definition at line 1180 of file wddefs.h.
Referenced by IntLogExceptionRecord().
| #define FIX_GUEST_POINTER | ( | is64, | |
| x | |||
| ) | ((is64) ? (x) : ((x) & 0xFFFFFFFF)) |
Masks the unused part of a Windows guest virtual address.
For 32-bit guests, masks the upper 32-bits of the address. Does nothing for 64-bit guests.
| [in] | is64 | True for 64-bit guests, False for 32-bit guests |
| [in] | x | The guest virtual address to be masked |
Definition at line 87 of file wddefs.h.
Referenced by DbgDumpGuestModules(), IntStackAnalyzePointer(), IntThrSafeMoveRip(), IntWinGuestFindIdleCr3(), IntWinNetGetLocalAddr(), IntWinNetIterateLinkedList(), IntWinNetParseTcpPartition(), and IntWinPfnModifyRefCount().
| #define HAL_DISPATCH_TABLE_PTR_COUNT 23 |
The number of entries inside the hal dispatch table.
See the HAL_DISPATCH definition in ntddk.h
Definition at line 1310 of file wddefs.h.
Referenced by IntWinHalCreateHalData().
| #define IDT_DESC_SIZE32 8 |
The size of a 32-bit interrupt descriptor.
Definition at line 31 of file wddefs.h.
Referenced by IntExceptGetVictimIntegrity(), and IntWinIdtSendIntegrityAlert().
| #define IDT_DESC_SIZE64 16 |
The size of a 64-bit interrupt descriptor.
Definition at line 32 of file wddefs.h.
Referenced by IntExceptGetVictimIntegrity(), IntLixIdtProtectOnCpu(), IntVeFindKernelKvaShadowAndKernelExit(), and IntWinIdtSendIntegrityAlert().
| #define IDT_OFFSET 0x38 |
| #define IS_KERNEL_POINTER_WIN | ( | is64, | |
| p | |||
| ) |
Checks if a guest virtual address resides inside the Windows kernel address space.
| [in] | is64 | True for 64-bit guests, False for 32-bit guests |
| [in] | p | Guest virtual address to check |
Definition at line 76 of file wddefs.h.
Referenced by DbgDumpVadRoot(), IntAlertEptFillFromVictimZone(), IntAlertFillCodeBlocks(), IntDecEmulateRead(), IntExceptGetOriginatorFromModification(), IntHookPtsCheckIntegrity(), IntIntegrityAddRegion(), IntLixStackTraceGet(), IntLogCriticalStructureCoruption(), IntReadString(), IntSerializeCodeBlocksGetExtractLevel(), IntStackAnalyzePointer(), IntThrSafeInspectRunningThreads(), IntThrSafeIsStackPtrInIntro(), IntThrSafeMoveReturn(), IntThrSafeWinInspectRunningThreadOnCpu(), IntThrSafeWinInspectWaitingThread(), IntWinDrvCreateFromAddress(), IntWinDrvIsListHead(), IntWinDrvObjHandleWrite(), IntWinDrvObjIsValidDriverObject(), IntWinGetAccesTokenFromThread(), IntWinGuestFindIdleCr3(), IntWinGuestFindKernelObjectsInternal(), IntWinGuestNew(), IntWinHalFindHalHeapAndInterruptController(), IntWinHalIsIntController(), IntWinHandleException(), IntWinIdtProtectOnCpu(), IntWinIdtUnprotectOnCpu(), IntWinInfHookIntegrityHandleWrite(), IntWinIntObjHandleArrayModification(), IntWinIntObjProtect(), IntWinIsUmTrapFrame(), IntWinModFillInjectionData(), IntWinModHandleWrite(), IntWinNetCheckPartition(), IntWinNetFillTcpStruct(), IntWinNetFindTcpBitmap(), IntWinNetFindTcpPartition(), IntWinNetGetPortsAndState(), IntWinNetGetTcpPortPool(), IntWinNetIterateSlinkedList(), IntWinObjFindRootDirectory(), IntWinObjGetPoolHeaderForObject(), IntWinObjHandleDirectoryEntryInMemory(), IntWinObjHandleDriverDirectoryEntryInMemory(), IntWinObjHandleObjectInMemory(), IntWinObjHandleRootDirTagInMemory(), IntWinObjIsTypeObject(), IntWinObjParseDriverDirectory(), IntWinPfnIsMmPfnDatabase(), IntWinPfnLockAddress(), IntWinPfnUnlockAddress(), IntWinProcHandleCopyMemory(), IntWinReadSid(), IntWinReadToken(), IntWinStackHandleUserStackPagedOut(), IntWinStackTraceGet32(), IntWinStackTraceGet64(), IntWinStackTraceGetUser(), IntWinStackTraceGetUser32(), IntWinStackUserCheckIsPivoted(), IntWinStackUserTrapFrameGet32(), IntWinStackUserTrapFrameGet64(), IntWinStackUserTrapFrameGetGeneric(), IntWinThrGetCurrentThread(), IntWinVadFindNodeInGuestSpace(), IntWinVadInOrderRecursiveTraversal(), IntWinVadIsInTree(), IntWinVadShortDump(), and IntWinVadStaticInsertNodeIntoProcess().
| #define KESDT_SIZE (4 * 4) |
The size of the KeServiceDescriptorTable.
ServiceTableBase, ServiceCounterTableBase, NumberOfServices and ParamTableBase
Definition at line 42 of file wddefs.h.
Referenced by IntWinDrvHeadersInMemory().
| #define KEXEC_OPT_EXEC_DISABLE 1 |
Disables execution rights for memory that contains data. Enables DEP.
This is the _KEXECUTE_OPTIONS.ExecuteDisable Windows flag found in the _EPROCESS.Flags field
Definition at line 1431 of file wddefs.h.
Referenced by IntWinProcEnforceProcessDep().
| #define KEXEC_OPT_EXEC_ENABLE 2 |
Enables execution rights for memory that contains data. Disables DEP.
This is the _KEXECUTE_OPTIONS.ExecuteEnable Windows flag found in the _EPROCESS.Flags field
Definition at line 1435 of file wddefs.h.
Referenced by IntWinProcEnforceProcessDep().
| #define KEXEC_OPT_PERMANENT 8 |
Freezes the DEP settings for a process.
This is the _KEXECUTE_OPTIONS.Permanent Windows flag found in the _EPROCESS.Flags field If it is set, the user mode SetProcessDEPPolicy() API will not be able to disable DEP for a process. See https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-setprocessdeppolicy
Definition at line 1441 of file wddefs.h.
Referenced by IntWinProcEnforceProcessDep().
| #define MAX_ACL_REVISION ACL_REVISION4 |
Definition at line 748 of file wddefs.h.
Referenced by IntWinSDFindAcls().
| #define MIN_ACL_REVISION ACL_REVISION2 |
| #define POOL_TAG_INCO 'oCnI' |
Inet Compartment.
Definition at line 1814 of file wddefs.h.
Referenced by IntWinNetGetTcpPortPoolFromCompartment().
| #define POOL_TAG_INCS 'SCnI' |
Inet Compartment Set.
Definition at line 1816 of file wddefs.h.
Referenced by IntWinNetGetTcpPortPoolFromCompartment().
| #define POOL_TAG_INNL 'lNnI' |
Used to search for address family.
Definition at line 1817 of file wddefs.h.
Referenced by IntWinNetGetAddrFam().
| #define POOL_TAG_INPA 'APnI' |
| #define POOL_TAG_TCCO 'oCcT' |
Tcp Compartment.
Definition at line 1819 of file wddefs.h.
Referenced by IntWinNetGetTcpPortPoolFromCompartment().
| #define POOL_TAG_TCHT 'THcT' |
| #define POOL_TAG_TCPE 'EpcT' |
| #define POOL_TAG_TCPL 'LpcT' |
| #define RTL_BALANCED_NODE_PARENT_TO_PTR | ( | Parent | ) | ((Parent) & ~3) |
Gets the pointer to the parent of a _RTL_BALANCED_NODE.
| [in] | Parent | The value of the Parent field as taken from the guest |
Definition at line 1317 of file wddefs.h.
Referenced by IntWinVadFindNodeInGuestSpace(), and IntWinVadInOrderRecursiveTraversal().
| #define SE_GROUP_VALID_ATTRIBUTES |
| #define SYSTEM_ACCESS_FILTER_ACE_TYPE_STRING "SYSTEM_ACCESS_FILTER_ACE_TYPE" |
Printable version of SYSTEM_ACCESS_FILTER_ACE_TYPE.
Definition at line 730 of file wddefs.h.
Referenced by IntWinSDGetAceTypeName().
| #define SYSTEM_ALARM_ACE_TYPES_STRING "SYSTEM_ALARM_ACE_TYPE" |
Printable version of SYSTEM_ALARM_ACE_TYPE.
Definition at line 694 of file wddefs.h.
Referenced by IntWinSDGetAceTypeName().
| #define SYSTEM_ALARM_CALLBACK_ACE_TYPE_STRING "SYSTEM_ALARM_CALLBACK_ACE_TYPE" |
Printable version of SYSTEM_ALARM_CALLBACK_ACE_TYPE.
Definition at line 716 of file wddefs.h.
Referenced by IntWinSDGetAceTypeName().
| #define SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE_STRING "SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE" |
Printable version of SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE.
Definition at line 720 of file wddefs.h.
Referenced by IntWinSDGetAceTypeName().
| #define SYSTEM_ALARM_OBJECT_ACE_TYPE_STRING "SYSTEM_ALARM_OBJECT_ACE_TYPE" |
Printable version of SYSTEM_ALARM_OBJECT_ACE_TYPE.
Definition at line 704 of file wddefs.h.
Referenced by IntWinSDGetAceTypeName().
| #define SYSTEM_AUDIT_ACE_TYPE_STRING "SYSTEM_AUDIT_ACE_TYPE" |
Printable version of SYSTEM_AUDIT_ACE_TYPE.
Definition at line 692 of file wddefs.h.
Referenced by IntWinSDGetAceTypeName().
| #define SYSTEM_AUDIT_CALLBACK_ACE_TYPE_STRING "SYSTEM_AUDIT_CALLBACK_ACE_TYPE" |
Printable version of SYSTEM_AUDIT_CALLBACK_ACE_TYPE.
Definition at line 714 of file wddefs.h.
Referenced by IntWinSDGetAceTypeName().
| #define SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE_STRING "SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE" |
Printable version of SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE.
Definition at line 718 of file wddefs.h.
Referenced by IntWinSDGetAceTypeName().
| #define SYSTEM_AUDIT_OBJECT_ACE_TYPE_STRING "SYSTEM_AUDIT_OBJECT_ACE_TYPE" |
Printable version of SYSTEM_AUDIT_OBJECT_ACE_TYPE.
Definition at line 702 of file wddefs.h.
Referenced by IntWinSDGetAceTypeName().
| #define SYSTEM_MANDATORY_LABEL_ACE_TYPE_STRING "SYSTEM_MANDATORY_LABEL_ACE_TYPE" |
Printable version of SYSTEM_MANDATORY_LABEL_ACE_TYPE.
Definition at line 722 of file wddefs.h.
Referenced by IntWinSDGetAceTypeName().
| #define SYSTEM_PROCESS_TRUST_LABEL_ACE_TYPE_STRING "SYSTEM_PROCESS_TRUST_LABEL_ACE_TYPE" |
Printable version of SYSTEM_PROCESS_TRUST_LABEL_ACE_TYPE.
Definition at line 728 of file wddefs.h.
Referenced by IntWinSDGetAceTypeName().
| #define SYSTEM_RESOURCE_ATTRIBUTE_ACE_TYPE_STRING "SYSTEM_RESOURCE_ATTRIBUTE_ACE_TYPE" |
Printable version of SYSTEM_RESOURCE_ATTRIBUTE_ACE_TYPE.
Definition at line 724 of file wddefs.h.
Referenced by IntWinSDGetAceTypeName().
| #define SYSTEM_SCOPED_POLICY_ID_ACE_TYPE_STRING "SYSTEM_SCOPED_POLICY_ID_ACE_TYPE" |
Printable version of SYSTEM_SCOPED_POLICY_ID_ACE_TYPE.
Definition at line 726 of file wddefs.h.
Referenced by IntWinSDGetAceTypeName().
| #define WIN_BUILD_10_20H1 19041 |
Definition at line 61 of file wddefs.h.
Referenced by IntWinHalCreateHalData().
| #define WIN_BUILD_10_RS2 15063 |
Definition at line 55 of file wddefs.h.
Referenced by IntWinHalCreateHalData().
| #define WIN_BUILD_10_TH1 10240 |
Definition at line 52 of file wddefs.h.
Referenced by IntWinProcCreateProcessObject().
| #define WIN_BUILD_8 9200 |
Definition at line 50 of file wddefs.h.
Referenced by IntWinHalCreateHalData().
| #define WIN_BUILD_8_1 9600 |
Definition at line 51 of file wddefs.h.
Referenced by IntWinPatchVadHandleCommit().
| #define WIN_HAL_HEAP_BASE_32 0xFFD00000 |
The base address of the HAL heap on 32-bit kernels.
Definition at line 67 of file wddefs.h.
Referenced by IntWinHalCreateHalData().
| #define WIN_HAL_HEAP_BASE_64 0xFFFFFFFFFFD00000 |
The base address of the HAL heap on 64-bit kernels.
Definition at line 68 of file wddefs.h.
Referenced by IntWinHalCreateHalData().
| #define WIN_MM_PAGE_EXECUTE 0x010 |
Defined by Windows as PAGE_EXECUTE in winnt.h.
Definition at line 1353 of file wddefs.h.
Referenced by IntWinVadVadProtectionToVmProtection(), and IntWinVadVmProtectionToIntroProtection().
| #define WIN_MM_PAGE_EXECUTE_READ 0x020 |
Defined by Windows as PAGE_EXECUTE_READ in winnt.h.
Definition at line 1354 of file wddefs.h.
Referenced by IntWinVadVadProtectionToVmProtection(), and IntWinVadVmProtectionToIntroProtection().
| #define WIN_MM_PAGE_EXECUTE_READWRITE 0x040 |
Defined by Windows as PAGE_EXECUTE_READWRITE in winnt.h.
Definition at line 1355 of file wddefs.h.
Referenced by IntWinVadVadProtectionToVmProtection(), and IntWinVadVmProtectionToIntroProtection().
| #define WIN_MM_PAGE_EXECUTE_WRITECOPY 0x080 |
Defined by Windows as PAGE_EXECUTE_WRITECOPY in winnt.h.
Definition at line 1356 of file wddefs.h.
Referenced by IntWinVadVadProtectionToVmProtection(), and IntWinVadVmProtectionToIntroProtection().
| #define WIN_MM_PAGE_GUARD 0x100 |
Defined by Windows as PAGE_GUARD in winnt.h.
Definition at line 1357 of file wddefs.h.
Referenced by IntWinVadHandleProtectGeneric().
| #define WIN_MM_PAGE_NOACCESS 0x001 |
Defined by Windows as PAGE_NOACCESS in winnt.h.
Definition at line 1349 of file wddefs.h.
Referenced by IntWinVadVadProtectionToVmProtection(), and IntWinVadVmProtectionToIntroProtection().
| #define WIN_MM_PAGE_NOCACHE 0x200 |
| #define WIN_MM_PAGE_READONLY 0x002 |
Defined by Windows as PAGE_READONLY in winnt.h.
Definition at line 1350 of file wddefs.h.
Referenced by IntWinVadVadProtectionToVmProtection(), and IntWinVadVmProtectionToIntroProtection().
| #define WIN_MM_PAGE_READWRITE 0x004 |
Defined by Windows as PAGE_READWRITE in winnt.h.
Definition at line 1351 of file wddefs.h.
Referenced by IntWinVadVadProtectionToVmProtection(), and IntWinVadVmProtectionToIntroProtection().
| #define WIN_MM_PAGE_WRITECOMBINE 0x400 |
| #define WIN_MM_PAGE_WRITECOPY 0x008 |
Defined by Windows as PAGE_WRITECOPY in winnt.h.
Definition at line 1352 of file wddefs.h.
Referenced by IntWinVadVadProtectionToVmProtection(), and IntWinVadVmProtectionToIntroProtection().
| #define WIN_POOL_BLOCK_SIZE ((gGuest.Guest64) ? WIN_POOL_BLOCK_SIZE64 : WIN_POOL_BLOCK_SIZE32) |
Definition at line 474 of file wddefs.h.
Referenced by IntWinNetFillTcpStruct().
| #define WIN_POOL_BLOCK_SIZE32 0x08 |
| #define WIN_POOL_BLOCK_SIZE64 0x10 |
| #define WIN_POOL_HEADER_SIZE ((gGuest.Guest64) ? WIN_POOL_HEADER_SIZE64 : WIN_POOL_HEADER_SIZE32) |
Definition at line 469 of file wddefs.h.
Referenced by IntWinNetCheckPartition(), IntWinNetFillTcpStruct(), IntWinNetFindTcpBitmap(), IntWinNetGetAddrFam(), IntWinNetGetTcpPortPoolFromCompartment(), IntWinNetSearchForAlloc(), IntWinPoolGetPoolHeaderInPage(), and IntWinPoolHandleAlloc().
| #define WIN_POOL_HEADER_SIZE32 0x8 |
The size of a pool header on 32-bit Windows.
Definition at line 466 of file wddefs.h.
Referenced by IntWinObjGetPoolHeaderForObject().
| #define WIN_POOL_HEADER_SIZE64 0x10 |
The size of a pool header on 64-bit Windows.
Definition at line 467 of file wddefs.h.
Referenced by IntWinObjGetPoolHeaderForObject().
| #define WIN_POOL_TRACKER_SIZE |
| typedef struct _ACE_HEADER ACE_HEADER |
An access control entry header.
See https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-ace_header
An access control list.
See https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists
| typedef struct _CONTEXT32 CONTEXT32 |
Context Frame for 32-bit guests.
| typedef struct _CONTEXT64 CONTEXT64 |
Context Frame for 64-bit guests.
| typedef struct _DRIVER_OBJECT32 DRIVER_OBJECT32 |
The _DRIVER_OBJECT structure used by 32-bit guests.
| typedef struct _DRIVER_OBJECT64 DRIVER_OBJECT64 |
The _DRIVER_OBJECT structure used by 64-bit guests.
| typedef struct _EXCEPTION_RECORD32 EXCEPTION_RECORD32 |
An _EXCEPTION_RECORD structure used by 64-bit guests.
See https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-exception_record The fields have the same meaning as for EXCEPTION_RECORD64
| typedef struct _EXCEPTION_RECORD64 EXCEPTION_RECORD64 |
An _EXCEPTION_RECORD structure used by 64-bit guests.
See https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-exception_record
| typedef struct _FAST_IO_DISPATCH32 FAST_IO_DISPATCH32 |
The _FAST_IO_DISPATCH structure used by 32-bit guests.
| typedef struct _FAST_IO_DISPATCH64 FAST_IO_DISPATCH64 |
The _FAST_IO_DISPATCH structure used by 64-bit guests.
| typedef struct _FLOATING_SAVE_AREA FLOATING_SAVE_AREA |
Format of data for (F)XSAVE/(F)XRSTOR instruction.
| typedef struct _KEXCEPTION_FRAME64 KEXCEPTION_FRAME64 |
An _KEXCEPTION_FRAME structure used by 64-bit guests.
This is established when the exception is handled. It will contain the values of all the nonvolatile registers.
| typedef struct _KI_IO_ACCESS_MAP KI_IO_ACCESS_MAP |
| typedef struct _KINTERRUPT_COMMON32 KINTERRUPT_COMMON32 |
The common part of nt!_KINTERRUPT on all x86 Windows versions.
| typedef struct _KINTERRUPT_COMMON64 KINTERRUPT_COMMON64 |
The common part of nt!_KINTERRUPT on all x64 Windows versions.
| typedef enum _KTHREAD_STATE KTHREAD_STATE |
Thread scheduling states.
| typedef struct _KTRAP_FRAME32 KTRAP_FRAME32 |
| typedef struct _KTRAP_FRAME64 KTRAP_FRAME64 |
| typedef enum _KWAIT_REASON KWAIT_REASON |
The waiting status of the threads.
| typedef struct _LDR_DATA_TABLE_ENTRY32 LDR_DATA_TABLE_ENTRY32 |
The _LDR_DATA_TABLE_ENTRY structure used by 32-bit guests.
| typedef struct _LDR_DATA_TABLE_ENTRY64 LDR_DATA_TABLE_ENTRY64 |
The _LDR_DATA_TABLE_ENTRY structure used by 64-bit guests.
| typedef struct _LIST_ENTRY32 LIST_ENTRY32 |
Models a LIST_ENTRY structure used by 32-bit Windows guests.
See https://docs.microsoft.com/en-us/windows/win32/api/ntdef/ns-ntdef-list_entry
| typedef struct _LIST_ENTRY64 LIST_ENTRY64 |
Models a LIST_ENTRY structure used by 64-bit Windows guests.
See https://docs.microsoft.com/en-us/windows/win32/api/ntdef/ns-ntdef-list_entry
| typedef union _LOCAL_ADDRESS LOCAL_ADDRESS |
| typedef struct _OBJECT_DIRECTORY_ENTRY32 OBJECT_DIRECTORY_ENTRY32 |
An OBJECT_DIRECTORY_ENTRY64 structure used by 32-bit guests.
| typedef struct _OBJECT_DIRECTORY_ENTRY64 OBJECT_DIRECTORY_ENTRY64 |
An OBJECT_DIRECTORY_ENTRY64 structure used by 64-bit guests.
| typedef struct _OBJECT_HEADER32 OBJECT_HEADER32 |
The _OBJECT_HEADER32 structure used by 32-bit guests.
| typedef struct _OBJECT_HEADER64 OBJECT_HEADER64 |
The _OBJECT_HEADER32 structure used by 64-bit guests.
| typedef struct _OBJECT_NAME32 OBJECT_NAME32 |
An _OBJECT_HEADER_NAME_INFO structure used by 32-bit guests.
| typedef struct _OBJECT_NAME64 OBJECT_NAME64 |
An _OBJECT_HEADER_NAME_INFO structure used by 64-bit guests.
| typedef struct _OBJECT_TYPE32 OBJECT_TYPE32 |
An _OBJECT_TYPE structure used by 32-bit guests.
| typedef struct _OBJECT_TYPE64 OBJECT_TYPE64 |
An _OBJECT_TYPE structure used by 64-bit guests.
| typedef struct _CONTEXT32 * PCONTEXT32 |
| typedef struct _CONTEXT64 * PCONTEXT64 |
| typedef struct _DRIVER_OBJECT32 * PDRIVER_OBJECT32 |
| typedef struct _DRIVER_OBJECT64 * PDRIVER_OBJECT64 |
| typedef struct _EXCEPTION_RECORD32 * PEXCEPTION_RECORD32 |
| typedef struct _EXCEPTION_RECORD64 * PEXCEPTION_RECORD64 |
| typedef struct _FAST_IO_DISPATCH32 * PFAST_IO_DISPATCH32 |
| typedef struct _FAST_IO_DISPATCH64 * PFAST_IO_DISPATCH64 |
| typedef FLOATING_SAVE_AREA* PFLOATING_SAVE_AREA |
| typedef struct _KEXCEPTION_FRAME64 * PKEXCEPTION_FRAME64 |
| typedef struct _KI_IO_ACCESS_MAP * PKI_IO_ACCESS_MAP |
| typedef struct _KINTERRUPT_COMMON32 * PKINTERRUPT_COMMON32 |
| typedef struct _KINTERRUPT_COMMON64 * PKINTERRUPT_COMMON64 |
| typedef struct _KTRAP_FRAME32 * PKTRAP_FRAME32 |
| typedef struct _KTRAP_FRAME64 * PKTRAP_FRAME64 |
| typedef struct _LDR_DATA_TABLE_ENTRY32 * PLDR_DATA_TABLE_ENTRY32 |
| typedef struct _LDR_DATA_TABLE_ENTRY64 * PLDR_DATA_TABLE_ENTRY64 |
| typedef struct _LIST_ENTRY32 * PLIST_ENTRY32 |
| typedef struct _LIST_ENTRY64 * PLIST_ENTRY64 |
| typedef union _LOCAL_ADDRESS * PLOCAL_ADDRESS |
| typedef struct _OBJECT_DIRECTORY_ENTRY32 * POBJECT_DIRECTORY_ENTRY32 |
| typedef struct _OBJECT_DIRECTORY_ENTRY64 * POBJECT_DIRECTORY_ENTRY64 |
| typedef struct _OBJECT_HEADER32 * POBJECT_HEADER32 |
| typedef struct _OBJECT_HEADER64 * POBJECT_HEADER64 |
| typedef struct _OBJECT_NAME32 * POBJECT_NAME32 |
| typedef struct _OBJECT_NAME64 * POBJECT_NAME64 |
| typedef struct _OBJECT_TYPE32 * POBJECT_TYPE32 |
| typedef struct _OBJECT_TYPE64 * POBJECT_TYPE64 |
| typedef union _POOL_HEADER POOL_HEADER |
| typedef struct _POOL_HEADER32 POOL_HEADER32 |
The _POOL_HEADER structure used by 32-bit guests.
| typedef struct _POOL_HEADER64 POOL_HEADER64 |
The _POOL_HEADER structure used by 64-bit guests.
| typedef union _POOL_TRACKER_BIG_PAGES POOL_TRACKER_BIG_PAGES |
| typedef struct _POOL_TRACKER_BIG_PAGES32 POOL_TRACKER_BIG_PAGES32 |
| typedef struct _POOL_TRACKER_BIG_PAGES64 POOL_TRACKER_BIG_PAGES64 |
| typedef enum _POOL_TYPE POOL_TYPE |
The type of a pool allocation.
See either wdm.h or https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/ne-wdm-_pool_type
| typedef union _POOL_HEADER * PPOOL_HEADER |
| typedef union _POOL_TRACKER_BIG_PAGES * PPOOL_TRACKER_BIG_PAGES |
| typedef struct _RTL_DYNAMIC_HASH_TABLE32 * PRTL_DYNAMIC_HASH_TABLE32 |
| typedef struct _RTL_DYNAMIC_HASH_TABLE64 * PRTL_DYNAMIC_HASH_TABLE64 |
| typedef struct _RTL_USER_PROCESS_PARAMETERS32 * PRTL_USER_PROCESS_PARAMETERS32 |
| typedef struct _RTL_USER_PROCESS_PARAMETERS64 * PRTL_USER_PROCESS_PARAMETERS64 |
| typedef struct _RTL_VERIFIER_DLL_DESCRIPTOR_32 * PRTL_VERIFIER_DLL_DESCRIPTOR_32 |
| typedef struct _RTL_VERIFIER_DLL_DESCRIPTOR_64 * PRTL_VERIFIER_DLL_DESCRIPTOR_64 |
| typedef struct _RTL_VERIFIER_PROVIDER_DESCRIPTOR_32 * PRTL_VERIFIER_PROVIDER_DESCRIPTOR_32 |
| typedef struct _RTL_VERIFIER_PROVIDER_DESCRIPTOR_64 * PRTL_VERIFIER_PROVIDER_DESCRIPTOR_64 |
| typedef struct _SECURITY_DESCRIPTOR * PSECURITY_DESCRIPTOR |
| typedef enum _SECURITY_IMPERSONATION_LEVEL * PSECURITY_IMPERSONATION_LEVEL |
| typedef struct _SID_AND_ATTRIBUTES32 * PSID_AND_ATTRIBUTES32 |
| typedef struct _SID_AND_ATTRIBUTES64 * PSID_AND_ATTRIBUTES64 |
| typedef struct _SID_IDENTIFIER_AUTHORITY * PSID_IDENTIFIER_AUTHORITY |
| typedef union _WIN_MITIGATION_FLAGS * PWIN_MITIGATION_FLAGS |
| typedef union _WIN_MITIGATION_FLAGS2 * PWIN_MITIGATION_FLAGS2 |
| typedef XSAVE_FORMAT * PXMM_SAVE_AREA32 |
| typedef struct _XSAVE_FORMAT * PXSAVE_FORMAT |
| typedef struct _RTL_DYNAMIC_HASH_TABLE32 RTL_DYNAMIC_HASH_TABLE32 |
This is the structure as documented in ntddk.h.
| typedef struct _RTL_DYNAMIC_HASH_TABLE64 RTL_DYNAMIC_HASH_TABLE64 |
This is the structure as documented in ntddk.h.
| typedef struct _RTL_USER_PROCESS_PARAMETERS32 RTL_USER_PROCESS_PARAMETERS32 |
This is the structure as documented in winternl.h.
| typedef struct _RTL_USER_PROCESS_PARAMETERS64 RTL_USER_PROCESS_PARAMETERS64 |
This is the structure as documented in winternl.h.
| typedef struct _RTL_VERIFIER_DLL_DESCRIPTOR_32 RTL_VERIFIER_DLL_DESCRIPTOR_32 |
Verifier provider initialization structures for 32-bit processes.
See Alex Ionescu's presentation "Esoteric Hooks" http://www.alex-ionescu.com/Estoteric%20Hooks.pdf
| typedef struct _RTL_VERIFIER_DLL_DESCRIPTOR_64 RTL_VERIFIER_DLL_DESCRIPTOR_64 |
Verifier provider initialization structures for 64-bit processes.
See Alex Ionescu's presentation "Esoteric Hooks" http://www.alex-ionescu.com/Estoteric%20Hooks.pdf
Verifier provider initialization structures for 32-bit processes.
See Alex Ionescu's presentation "Esoteric Hooks" http://www.alex-ionescu.com/Estoteric%20Hooks.pdf
Verifier provider initialization structures for 64-bit processes.
See Alex Ionescu's presentation "Esoteric Hooks" http://www.alex-ionescu.com/Estoteric%20Hooks.pdf
| typedef struct _SECURITY_DESCRIPTOR SECURITY_DESCRIPTOR |
| typedef WORD SECURITY_DESCRIPTOR_CONTROL |
| typedef struct _SID_AND_ATTRIBUTES32 SID_AND_ATTRIBUTES32 |
| typedef struct _SID_AND_ATTRIBUTES64 SID_AND_ATTRIBUTES64 |
| typedef struct _SID_IDENTIFIER_AUTHORITY SID_IDENTIFIER_AUTHORITY |
| typedef struct _UNICODE_STRING UNICODE_STRING |
A _UNICODE_STRING structure as defined by Windows.
See https://docs.microsoft.com/en-us/windows/win32/api/subauth/ns-subauth-unicode_string
| typedef struct _UNICODE_STRING32 UNICODE_STRING32 |
The Windows UNICODE_STRING structure used for 32-bit guests.
See https://docs.microsoft.com/en-us/windows/win32/api/subauth/ns-subauth-unicode_string
| typedef struct _UNICODE_STRING64 UNICODE_STRING64 |
The Windows UNICODE_STRING structure used for 64-bit guests.
See https://docs.microsoft.com/en-us/windows/win32/api/subauth/ns-subauth-unicode_string
The types of a _MMVAD structure.
This is the value of the VadType part of the VadFlags field of a Windows kernel _MMVAD structure
| typedef union _WIN_MITIGATION_FLAGS WIN_MITIGATION_FLAGS |
Mitigation flags.
Available on Windows >= RS3 (16299). These are the possible values for the MitigationFlagsValues field from _EPROCESS
| typedef union _WIN_MITIGATION_FLAGS2 WIN_MITIGATION_FLAGS2 |
Mitigation flags.
Available on Windows >= RS3 (16299). These are the possible values for the MitigationFlags2Values field from _EPROCESS
| typedef enum _WIN_SOCK_STATE WIN_SOCK_STATE |
The states in which a Windows socket can be in.
| typedef XSAVE_FORMAT XMM_SAVE_AREA32 |
| typedef struct _XSAVE_FORMAT XSAVE_FORMAT |
Format of data for (F)XSAVE/(F)XRSTOR instruction for 32-bit guests.
| enum _ACE_TYPE |
Access Control Entry type - ntifs.h.
| enum _KTHREAD_STATE |
| enum _KWAIT_REASON |
The waiting status of the threads.
| enum _POOL_TYPE |
The type of a pool allocation.
See either wdm.h or https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/ne-wdm-_pool_type
| enum _VAD_TYPE |
The types of a _MMVAD structure.
This is the value of the VadType part of the VadFlags field of a Windows kernel _MMVAD structure
| Enumerator | |
|---|---|
| VadNone | None. Normal allocations have this type. |
| VadDevicePhysicalMemory | Ignored by introcore. |
| VadImageMap | The type used for mapped image files (including executable files) |
| VadAwe | The type of an allocation used by Address Windowing Extension. Ignored by introcore. See https://docs.microsoft.com/en-us/windows/win32/memory/address-windowing-extensions |
| VadWriteWatch | The type of an allocation that specified the MEM_WRITE_WATCH VirtualAlloc flag. See https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualalloc |
| VadLargePages | The type of an allocation that uses large pages. See https://docs.microsoft.com/en-us/windows/win32/memory/large-page-support |
| VadRotatePhysical | Memory used by video drivers to transfer data between the GPU and a process. |
| VadLargePageSection | |
| enum _WIN_SOCK_STATE |
| enum POWER_ACTION |
The _POWER_ACTION enum values used by the Windows kernel.
These are used by the IntWinPowHandlePowerStateChange detour handler.
| Enumerator | |
|---|---|
| PowerActionNone | |
| PowerActionReserved | |
| PowerActionSleep | |
| PowerActionHibernate | |
| PowerActionShutdown | |
| PowerActionShutdownReset | |
| PowerActionShutdownOff | |
| PowerActionWarmEject | |
| enum SYSTEM_POWER_STATE |
The _SYSTEM_POWER_STATE enum values used by the Windows kernel.
These are used by the IntWinPowHandlePowerStateChange detour handler.
| Enumerator | |
|---|---|
| PowerSystemUnspecified | |
| PowerSystemWorking | |
| PowerSystemSleeping1 | |
| PowerSystemSleeping2 | |
| PowerSystemSleeping3 | |
| PowerSystemHibernate | |
| PowerSystemShutdown | |
| PowerSystemMaximum | |
| STATIC_ASSERT | ( | sizeof(POOL_HEADER32) | = =WIN_POOL_HEADER_SIZE32, |
| "Wrong size for POOL_HEADER32!" | |||
| ) |
| STATIC_ASSERT | ( | sizeof(POOL_HEADER64) | = =WIN_POOL_HEADER_SIZE64, |
| "Wrong size for POOL_HEADER64!" | |||
| ) |
| STATIC_ASSERT | ( | OFFSET_OF(POOL_HEADER32, PoolTag) | = =OFFSET_OF(POOL_HEADER64, PoolTag), |
| "Wrong PoolTag offset!" | |||
| ) |
| STATIC_ASSERT | ( | sizeof(KTRAP_FRAME64) | = =0x190, |
| "Wrong size for KTRAP_FRAME64!" | |||
| ) |
| STATIC_ASSERT | ( | OFFSET_OF(KTRAP_FRAME64, Rax) | = =0x30, |
| "Wrong offset for Rax in KTRAP_FRAME64!" | |||
| ) |
| STATIC_ASSERT | ( | OFFSET_OF(KTRAP_FRAME64, Rbx) | = =0x140, |
| "Wrong offset for Rbx in KTRAP_FRAME64!" | |||
| ) |
| STATIC_ASSERT | ( | OFFSET_OF(KTRAP_FRAME64, Rip) | = =0x168, |
| "Wrong offset for Rip in KTRAP_FRAME64!" | |||
| ) |
| STATIC_ASSERT | ( | OFFSET_OF(KTRAP_FRAME64, Rsp) | = =0x180, |
| "Wrong offset for Rsp in KTRAP_FRAME64!" | |||
| ) |
| STATIC_ASSERT | ( | sizeof(KEXCEPTION_FRAME64) | = =0x140, |
| "Wrong size for KEXCEPTION_FRAME64!" | |||
| ) |
| STATIC_ASSERT | ( | OFFSET_OF(KEXCEPTION_FRAME64, Rbp) | = =0xF8, |
| "Wrong offset for Rbp in KEXCEPTION_FRAME64!" | |||
| ) |
| STATIC_ASSERT | ( | sizeof(OBJECT_TYPE64) | = =0x40, |
| "Invalid OBJECT_TYPE64 size!" | |||
| ) |
| STATIC_ASSERT | ( | sizeof(OBJECT_TYPE32) | = =0x28, |
| "Invalid OBJECT_TYPE32 size!" | |||
| ) |
| STATIC_ASSERT | ( | OFFSET_OF(KINTERRUPT_COMMON32, ServiceRoutine) | = =0xc, |
| "Wrong ServiceRoutine offset in KINTERRUPT32!" | |||
| ) |
| STATIC_ASSERT | ( | OFFSET_OF(KINTERRUPT_COMMON32, DispatchAddress) | = =0x28, |
| "Wrong DispatchAddress offset in KINTERRUPT32!" | |||
| ) |
| STATIC_ASSERT | ( | OFFSET_OF(KINTERRUPT_COMMON64, ServiceRoutine) | = =0x18, |
| "Wrong ServiceRoutine offset in KINTERRUPT64!" | |||
| ) |
| STATIC_ASSERT | ( | OFFSET_OF(KINTERRUPT_COMMON64, DispatchAddress) | = =0x50, |
| "Wrong DispatchAddress offset in KINTERRUPT64!" | |||
| ) |
1.8.13