Bitdefender Hypervisor Memory Introspection
winstubs.h File Reference


Macros

#define TRAMP_X64_STOP   11
 
#define TRAMP_X64_VMCALL1   1
 
#define TRAMP_X64_VMCALL2   11
 
#define TRAMP_X86_STOP   11
 
#define TRAMP_X86_VMCALL1   1
 
#define TRAMP_X86_VMCALL2   11
 
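// Size in bytes of the larger of the two trampoline arrays (gTrampolineAgentx64, gTrampolineAgentx86).
// The whole conditional is wrapped in parentheses so the macro stays a single operand inside a
// larger expression; without them, `2 * TRAMPOLINE_MAX_SIZE` or `n > TRAMPOLINE_MAX_SIZE` would
// bind to the condition of the ?: and yield the wrong size for a buffer or bounds check.
#define TRAMPOLINE_MAX_SIZE   ((sizeof(gTrampolineAgentx64) > sizeof(gTrampolineAgentx86)) ? sizeof(gTrampolineAgentx64) : sizeof(gTrampolineAgentx86))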
 
#define OFFSET_WIN_X64_ALLOC   0x130
 
#define OFFSET_WIN_X64_FREE   0x138
 
#define OFFSET_WIN_X64_THREAD   0x140
 
#define OFFSET_WIN_X64_AGENT_SIZE   0x148
 
#define OFFSET_WIN_X64_AGENT_TAG   0x14C
 
#define OFFSET_WIN_X64_AGENT_EP   0x150
 
#define OFFSET_WIN_X64_SEMAPHORE   0x154
 
#define OFFSET_WIN_X64_TOKEN1   0x158
 
#define OFFSET_WIN_X64_TOKEN2   0x160
 
#define OFFSET_WIN_X64_TOKEN3   0x168
 
#define OFFSET_WIN_X64_JUMPBACK   0x170
 
#define OFFSET_WIN_X86_RELOC   0x002
 
#define OFFSET_WIN_X86_ALLOC   0xF0
 
#define OFFSET_WIN_X86_FREE   0xF4
 
#define OFFSET_WIN_X86_THREAD   0xF8
 
#define OFFSET_WIN_X86_AGENT_SIZE   0xFC
 
#define OFFSET_WIN_X86_AGENT_TAG   0x100
 
#define OFFSET_WIN_X86_AGENT_EP   0x104
 
#define OFFSET_WIN_X86_SEMAPHORE   0x108
 
#define OFFSET_WIN_X86_TOKEN1   0x10C
 
#define OFFSET_WIN_X86_TOKEN2   0x110
 
#define OFFSET_WIN_X86_TOKEN3   0x114
 
#define OFFSET_WIN_X86_JUMPBACK   0x118
 

Variables

BYTE gTrampolineAgentx64 [15]
 
BYTE gTrampolineAgentx86 [15]
 
BYTE gWindowsBootstrapAgentx64 [0x180]
 
BYTE gWindowsBootstrapAgentx86 [0x120]
 

Macro Definition Documentation

◆ OFFSET_WIN_X64_AGENT_EP

#define OFFSET_WIN_X64_AGENT_EP   0x150

Definition at line 89 of file winstubs.h.

Referenced by IntWinAgentInject().

◆ OFFSET_WIN_X64_AGENT_SIZE

#define OFFSET_WIN_X64_AGENT_SIZE   0x148

Definition at line 87 of file winstubs.h.

Referenced by IntWinAgentInject().

◆ OFFSET_WIN_X64_AGENT_TAG

#define OFFSET_WIN_X64_AGENT_TAG   0x14C

Definition at line 88 of file winstubs.h.

Referenced by IntWinAgentInject().

◆ OFFSET_WIN_X64_ALLOC

#define OFFSET_WIN_X64_ALLOC   0x130

Definition at line 84 of file winstubs.h.

Referenced by IntWinAgentInject().

◆ OFFSET_WIN_X64_FREE

#define OFFSET_WIN_X64_FREE   0x138

Definition at line 85 of file winstubs.h.

Referenced by IntWinAgentInject().

◆ OFFSET_WIN_X64_JUMPBACK

#define OFFSET_WIN_X64_JUMPBACK   0x170

Definition at line 94 of file winstubs.h.

Referenced by IntWinAgentInject().

◆ OFFSET_WIN_X64_SEMAPHORE

#define OFFSET_WIN_X64_SEMAPHORE   0x154

Definition at line 90 of file winstubs.h.

Referenced by IntWinAgentRestoreState64().

◆ OFFSET_WIN_X64_THREAD

#define OFFSET_WIN_X64_THREAD   0x140

Definition at line 86 of file winstubs.h.

Referenced by IntWinAgentInject().

◆ OFFSET_WIN_X64_TOKEN1

#define OFFSET_WIN_X64_TOKEN1   0x158

Definition at line 91 of file winstubs.h.

Referenced by IntWinAgentInject().

◆ OFFSET_WIN_X64_TOKEN2

#define OFFSET_WIN_X64_TOKEN2   0x160

Definition at line 92 of file winstubs.h.

Referenced by IntWinAgentInject().

◆ OFFSET_WIN_X64_TOKEN3

#define OFFSET_WIN_X64_TOKEN3   0x168

Definition at line 93 of file winstubs.h.

Referenced by IntWinAgentInject().

◆ OFFSET_WIN_X86_AGENT_EP

#define OFFSET_WIN_X86_AGENT_EP   0x104

Definition at line 129 of file winstubs.h.

Referenced by IntWinAgentInject().

◆ OFFSET_WIN_X86_AGENT_SIZE

#define OFFSET_WIN_X86_AGENT_SIZE   0xFC

Definition at line 127 of file winstubs.h.

Referenced by IntWinAgentInject().

◆ OFFSET_WIN_X86_AGENT_TAG

#define OFFSET_WIN_X86_AGENT_TAG   0x100

Definition at line 128 of file winstubs.h.

Referenced by IntWinAgentInject().

◆ OFFSET_WIN_X86_ALLOC

#define OFFSET_WIN_X86_ALLOC   0xF0

Definition at line 124 of file winstubs.h.

Referenced by IntWinAgentInject().

◆ OFFSET_WIN_X86_FREE

#define OFFSET_WIN_X86_FREE   0xF4

Definition at line 125 of file winstubs.h.

Referenced by IntWinAgentInject().

◆ OFFSET_WIN_X86_JUMPBACK

#define OFFSET_WIN_X86_JUMPBACK   0x118

Definition at line 134 of file winstubs.h.

Referenced by IntWinAgentInject().

◆ OFFSET_WIN_X86_RELOC

#define OFFSET_WIN_X86_RELOC   0x002

Definition at line 123 of file winstubs.h.

Referenced by IntWinAgentActivatePendingAgent().

◆ OFFSET_WIN_X86_SEMAPHORE

#define OFFSET_WIN_X86_SEMAPHORE   0x108

Definition at line 130 of file winstubs.h.

Referenced by IntWinAgentRestoreState32().

◆ OFFSET_WIN_X86_THREAD

#define OFFSET_WIN_X86_THREAD   0xF8

Definition at line 126 of file winstubs.h.

Referenced by IntWinAgentInject().

◆ OFFSET_WIN_X86_TOKEN1

#define OFFSET_WIN_X86_TOKEN1   0x10C

Definition at line 131 of file winstubs.h.

Referenced by IntWinAgentInject().

◆ OFFSET_WIN_X86_TOKEN2

#define OFFSET_WIN_X86_TOKEN2   0x110

Definition at line 132 of file winstubs.h.

Referenced by IntWinAgentInject().

◆ OFFSET_WIN_X86_TOKEN3

#define OFFSET_WIN_X86_TOKEN3   0x114

Definition at line 133 of file winstubs.h.

Referenced by IntWinAgentInject().

◆ TRAMP_X64_STOP

#define TRAMP_X64_STOP   11

Definition at line 27 of file winstubs.h.

Referenced by IntWinAgentInjectTrampoline().

◆ TRAMP_X64_VMCALL1

#define TRAMP_X64_VMCALL1   1

Definition at line 28 of file winstubs.h.

Referenced by IntWinAgentInjectTrampoline().

◆ TRAMP_X64_VMCALL2

#define TRAMP_X64_VMCALL2   11

Definition at line 29 of file winstubs.h.

Referenced by IntWinAgentInjectTrampoline().

◆ TRAMP_X86_STOP

#define TRAMP_X86_STOP   11

Definition at line 46 of file winstubs.h.

Referenced by IntWinAgentInjectTrampoline().

◆ TRAMP_X86_VMCALL1

#define TRAMP_X86_VMCALL1   1

Definition at line 47 of file winstubs.h.

Referenced by IntWinAgentInjectTrampoline().

◆ TRAMP_X86_VMCALL2

#define TRAMP_X86_VMCALL2   11

Definition at line 48 of file winstubs.h.

Referenced by IntWinAgentInjectTrampoline().

◆ TRAMPOLINE_MAX_SIZE

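// Size in bytes of the larger of the two trampoline arrays (gTrampolineAgentx64, gTrampolineAgentx86).
// The whole conditional is wrapped in parentheses so the macro stays a single operand inside a
// larger expression; without them, `2 * TRAMPOLINE_MAX_SIZE` or `n > TRAMPOLINE_MAX_SIZE` would
// bind to the condition of the ?: and yield the wrong size for a buffer or bounds check.
#define TRAMPOLINE_MAX_SIZE   ((sizeof(gTrampolineAgentx64) > sizeof(gTrampolineAgentx86)) ? sizeof(gTrampolineAgentx64) : sizeof(gTrampolineAgentx86))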

Definition at line 50 of file winstubs.h.

Referenced by IntWinAgentInjectTrampoline().

Variable Documentation

◆ gTrampolineAgentx64

BYTE gTrampolineAgentx64[15]
Initial value:
=
{
// x64 trampoline, 15 bytes of machine code. "+N" is the byte offset into this array.
// Offset 1 matches TRAMP_X64_VMCALL1; offset 11 matches TRAMP_X64_VMCALL2 and TRAMP_X64_STOP.
// NOTE(review): both of those offsets hold an INT3 (0xcc); the macro names suggest the
// introspection engine intercepts these breakpoints as its call-out points -- confirm in
// IntWinAgentInjectTrampoline().
0x50,                   // +0   push rax
0xcc,                   // +1   int3            (TRAMP_X64_VMCALL1)
0x48, 0x85, 0xc0,       // +2   test rax, rax   -- rax presumably set while the int3 at +1 is handled; verify
0x74, 0x02,             // +5   jz   +9         -- rax == 0: skip the indirect call
0xff, 0xd0,             // +7   call rax        -- indirect call through the address left in rax
0x58,                   // +9   pop  rax        -- restore the value saved at +0
0xc3,                   // +10  ret
0xcc,                   // +11  int3            (TRAMP_X64_VMCALL2 / TRAMP_X64_STOP)
0x31, 0xc0,             // +12  xor  eax, eax   -- return value 0
0xc3,                   // +14  ret
}

Definition at line 13 of file winstubs.h.

◆ gTrampolineAgentx86

BYTE gTrampolineAgentx86[15]
Initial value:
=
{
// x86 trampoline, 15 bytes of machine code. "+N" is the byte offset into this array.
// Offset 1 matches TRAMP_X86_VMCALL1; offset 11 matches TRAMP_X86_VMCALL2 and TRAMP_X86_STOP.
// The byte at +2 is a NOP where the x64 trampoline has its REX.W prefix, so both trampolines
// have the same length and the same breakpoint offsets.
// NOTE(review): both breakpoint offsets hold an INT3 (0xcc); the macro names suggest the
// introspection engine intercepts them as its call-out points -- confirm in
// IntWinAgentInjectTrampoline().
0x50,                   // +0   push eax
0xcc,                   // +1   int3            (TRAMP_X86_VMCALL1)
0x90, 0x85, 0xc0,       // +2   nop ; test eax, eax -- eax presumably set while the int3 at +1 is handled; verify
0x74, 0x02,             // +5   jz   +9         -- eax == 0: skip the indirect call
0xff, 0xd0,             // +7   call eax        -- indirect call through the address left in eax
0x58,                   // +9   pop  eax        -- restore the value saved at +0
0xc3,                   // +10  ret
0xcc,                   // +11  int3            (TRAMP_X86_VMCALL2 / TRAMP_X86_STOP)
0x31, 0xc0,             // +12  xor  eax, eax   -- return value 0
0xc3,                   // +14  ret
}

Definition at line 32 of file winstubs.h.

◆ gWindowsBootstrapAgentx64

BYTE gWindowsBootstrapAgentx64[0x180]
Initial value:
=
{
// x64 bootstrap stub, 0x180 bytes, 16 bytes per row (row k starts at offset 0x10 * k).
// Layout, as decoded from the bytes below:
//   0x000..0x120  code
//   0x121..0x12f  0x90 (nop) padding
//   0x130..0x17f  zero-filled slots; every access to them is RIP-relative and the slot
//                 offsets are exactly the OFFSET_WIN_X64_* values.
//                 NOTE(review): the slots are zero here, so they are presumably filled in
//                 before the stub runs -- confirm in IntWinAgentInject().
// Code, in order:
//   - pushes rax..r15 (rsp excluded); `test rsp, 0xf` and, when rsp is not 16-byte aligned,
//     r14 = 8 and rsp is lowered by 8 (r14 is added back / subtracted again around later calls).
//   - call [ALLOC] with ecx = 0, edx = [AGENT_SIZE], r8d = [AGENT_TAG]; if it returns 0,
//     esi = 0xC000009A (STATUS_INSUFFICIENT_RESOURCES).
//   - int3 at 0x63 with rcx = allocation result and rdx = [TOKEN1].
//   - call [THREAD] with a start routine of 0xce (lea rax, [rip+0x3c]) and the allocation
//     address plus [AGENT_EP] as its argument; on a negative result the allocation is handed
//     to [FREE].
//   - int3 at 0xcd with rdx = [TOKEN2].
//   - 0xce: `pause` / `cmp dword [SEMAPHORE], 0` / `jz` loop, i.e. spin until the slot at
//     0x154 is non-zero, then `call rcx`.
//   - after that call returns: `rep stosb` zero-fills [AGENT_SIZE] bytes starting at the
//     called address minus [AGENT_EP], then call [FREE] on that base with edx = [AGENT_TAG].
//   - int3 at 0x11a with rdx = [TOKEN3], followed by `jmp [JUMPBACK]`.
// Each of the three int3 bytes is preceded by a load of a distinct token into rdx.
// NOTE(review): the tokens presumably let the introspection engine distinguish breakpoints
// raised by this stub from any other int3 in the guest -- confirm against the handlers.
0x50, 0x51, 0x52, 0x53, 0x55, 0x56, 0x57, 0x41, 0x50, 0x41, 0x51, 0x41, 0x52, 0x41, 0x53, 0x41,
0x54, 0x41, 0x55, 0x41, 0x56, 0x41, 0x57, 0x4d, 0x31, 0xf6, 0x48, 0xf7, 0xc4, 0x0f, 0x00, 0x00,
0x00, 0x74, 0x09, 0x41, 0xbe, 0x08, 0x00, 0x00, 0x00, 0x4c, 0x29, 0xf4, 0x31, 0xc9, 0x8b, 0x15,
0x14, 0x01, 0x00, 0x00, 0x44, 0x8b, 0x05, 0x11, 0x01, 0x00, 0x00, 0x48, 0x83, 0xec, 0x20, 0xff,
0x15, 0xeb, 0x00, 0x00, 0x00, 0x48, 0x83, 0xc4, 0x20, 0x4c, 0x01, 0xf4, 0x48, 0x31, 0xf6, 0x48,
0x85, 0xc0, 0x75, 0x05, 0xbe, 0x9a, 0x00, 0x00, 0xc0, 0x48, 0x89, 0xc1, 0x48, 0x8b, 0x15, 0xf5,
0x00, 0x00, 0x00, 0xcc, 0x4c, 0x29, 0xf4, 0x49, 0x89, 0xcf, 0x4d, 0x89, 0xfd, 0x44, 0x8b, 0x05,
0xdc, 0x00, 0x00, 0x00, 0x4d, 0x01, 0xc7, 0x48, 0x83, 0xec, 0x08, 0x48, 0x89, 0xe1, 0xba, 0x00,
0x00, 0x1f, 0x00, 0x4d, 0x31, 0xc0, 0x4d, 0x31, 0xc9, 0x41, 0x57, 0x48, 0x8d, 0x05, 0x3c, 0x00,
0x00, 0x00, 0x50, 0x6a, 0x00, 0x48, 0x83, 0xec, 0x20, 0xff, 0x15, 0xa1, 0x00, 0x00, 0x00, 0x48,
0x83, 0xc4, 0x40, 0x85, 0xc0, 0x79, 0x19, 0x50, 0x48, 0x83, 0xec, 0x28, 0x4c, 0x89, 0xe9, 0x8b,
0x15, 0x97, 0x00, 0x00, 0x00, 0xff, 0x15, 0x7d, 0x00, 0x00, 0x00, 0x48, 0x83, 0xc4, 0x28, 0x58,
0x4c, 0x01, 0xf4, 0x48, 0x89, 0xc1, 0x48, 0x8b, 0x15, 0x93, 0x00, 0x00, 0x00, 0xcc, 0xf3, 0x90,
0x83, 0x3d, 0x7d, 0x00, 0x00, 0x00, 0x00, 0x74, 0xf5, 0x51, 0x48, 0x83, 0xec, 0x20, 0xff, 0xd1,
0x48, 0x8b, 0x4c, 0x24, 0x20, 0x57, 0x48, 0x89, 0xcf, 0x8b, 0x0d, 0x61, 0x00, 0x00, 0x00, 0x48,
0x29, 0xcf, 0x49, 0x89, 0xf8, 0x8b, 0x0d, 0x4d, 0x00, 0x00, 0x00, 0x31, 0xc0, 0xf3, 0xaa, 0x4c,
0x89, 0xc1, 0x5f, 0x8b, 0x15, 0x43, 0x00, 0x00, 0x00, 0xff, 0x15, 0x29, 0x00, 0x00, 0x00, 0x48,
0x83, 0xc4, 0x28, 0x48, 0x8b, 0x15, 0x4e, 0x00, 0x00, 0x00, 0xcc, 0xff, 0x25, 0x4f, 0x00, 0x00,
0x00, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
}

Definition at line 56 of file winstubs.h.

Referenced by IntWinAgentInject().

◆ gWindowsBootstrapAgentx86

BYTE gWindowsBootstrapAgentx86[0x120]
Initial value:
=
{
// x86 bootstrap stub, 0x120 bytes, 16 bytes per row (row k starts at offset 0x10 * k).
// Layout, as decoded from the bytes below:
//   0x000..0x0dd  code
//   0x0de..0x0ef  0x90 (nop) padding
//   0x0f0..0x11f  zero-filled slots, addressed as [ebp + disp32] with disp32 equal to the
//                 OFFSET_WIN_X86_* values.
//                 NOTE(review): the slots are zero here, so they are presumably filled in
//                 before the stub runs -- confirm in IntWinAgentInject().
// Code, in order:
//   - `pushad`, then `mov ebp, 0xbdbdbdbd`; the imm32 sits at offset 2 = OFFSET_WIN_X86_RELOC.
//     NOTE(review): 0xbdbdbdbd looks like a placeholder that is overwritten with the address
//     the stub is loaded at -- confirm in IntWinAgentActivatePendingAgent().
//   - call [ALLOC] with stack arguments 0, [AGENT_SIZE], [AGENT_TAG]; if it returns 0,
//     esi = 0xC000009A (STATUS_INSUFFICIENT_RESOURCES).
//   - int3 at 0x34 with ecx = allocation result and edx = [TOKEN1].
//   - call [THREAD] with a start routine of ebp + 0x81 and the allocation address plus
//     [AGENT_EP] as its argument; on a negative result the allocation is handed to [FREE].
//   - int3 at 0x80 with edx = [TOKEN2].
//   - 0x81: `pushad`, `call $+5` / `pop ebp` / `sub ebp, 0x87` to recompute the stub base,
//     then a `pause` / `cmp dword [SEMAPHORE], 0` / `jz` loop, i.e. spin until the slot at
//     0x108 is non-zero, then `call ecx`.
//   - after that call returns: `rep stosb` zero-fills [AGENT_SIZE] bytes starting at the
//     called address minus [AGENT_EP], then call [FREE] on that base with [AGENT_TAG].
//   - int3 at 0xd0 with edx = [TOKEN3]; then eax = [JUMPBACK] is written into the saved-eax
//     slot of the pushad frame, `popad`, `jmp eax`.
// Each of the three int3 bytes is preceded by a load of a distinct token into edx.
// NOTE(review): the tokens presumably let the introspection engine distinguish breakpoints
// raised by this stub from any other int3 in the guest -- confirm against the handlers.
0x60, 0xbd, 0xbd, 0xbd, 0xbd, 0xbd, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0xff, 0xb5, 0x00,
0x01, 0x00, 0x00, 0xff, 0xb5, 0xfc, 0x00, 0x00, 0x00, 0x6a, 0x00, 0xff, 0x95, 0xf0, 0x00, 0x00,
0x00, 0x31, 0xf6, 0x85, 0xc0, 0x75, 0x05, 0xbe, 0x9a, 0x00, 0x00, 0xc0, 0x89, 0xc1, 0x8b, 0x95,
0x0c, 0x01, 0x00, 0x00, 0xcc, 0x89, 0xc8, 0x89, 0xc6, 0x8b, 0x9d, 0x04, 0x01, 0x00, 0x00, 0x01,
0xd8, 0x83, 0xec, 0x08, 0x50, 0x8d, 0x8d, 0x81, 0x00, 0x00, 0x00, 0x51, 0x6a, 0x00, 0x6a, 0x00,
0x6a, 0x00, 0x68, 0x00, 0x00, 0x1f, 0x00, 0x8d, 0x4c, 0x24, 0x18, 0x51, 0xff, 0x95, 0xf8, 0x00,
0x00, 0x00, 0x83, 0xc4, 0x08, 0x85, 0xc0, 0x79, 0x0f, 0x50, 0xff, 0xb5, 0x00, 0x01, 0x00, 0x00,
0x56, 0xff, 0x95, 0xf4, 0x00, 0x00, 0x00, 0x58, 0x89, 0xc1, 0x8b, 0x95, 0x10, 0x01, 0x00, 0x00,
0xcc, 0x60, 0xe8, 0x00, 0x00, 0x00, 0x00, 0x5d, 0x81, 0xed, 0x87, 0x00, 0x00, 0x00, 0xf3, 0x90,
0x83, 0xbd, 0x08, 0x01, 0x00, 0x00, 0x00, 0x74, 0xf5, 0x8b, 0x4c, 0x24, 0x24, 0x51, 0x83, 0xec,
0x08, 0xff, 0xd1, 0x8b, 0x0c, 0x24, 0x89, 0xcf, 0x2b, 0xbd, 0x04, 0x01, 0x00, 0x00, 0x89, 0xfe,
0x8b, 0x8d, 0xfc, 0x00, 0x00, 0x00, 0x31, 0xc0, 0xf3, 0xaa, 0xff, 0xb5, 0x00, 0x01, 0x00, 0x00,
0x56, 0xff, 0x95, 0xf4, 0x00, 0x00, 0x00, 0x83, 0xc4, 0x04, 0x8b, 0x95, 0x14, 0x01, 0x00, 0x00,
0xcc, 0x8b, 0x85, 0x18, 0x01, 0x00, 0x00, 0x89, 0x44, 0x24, 0x1c, 0x61, 0xff, 0xe0, 0x90, 0x90,
0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
}

Definition at line 101 of file winstubs.h.

Referenced by IntWinAgentInject().