Bitdefender Hypervisor Memory Introspection
Describes a detour set inside the guest memory.
#include <detours.h>
Data Fields

LIST_ENTRY Link
    The link inside the DETOURS_STATE.DetoursList list.
PFUNC_DetourCallback Callback
    Callback to be invoked when the detour issues a hypercall. May be NULL.
DETOUR_TAG Tag
    Detour tag.
QWORD HypercallAddress
    The guest virtual address at which the hypercall is placed.
QWORD FunctionAddress
    The guest virtual address of the hooked function.
QWORD HandlerAddress
    The guest virtual address of the detour handler.
DWORD HandlerSize
    The size of the detour handler.
QWORD LixGuestDetour
    The address of the Linux detour header.
HYPERCALL_TYPE HypercallType
    The type of the hypercall that this detour uses.
BYTE JumpBackOffset
    Offset, relative to HandlerAddress, where the jump that returns control to the hooked function is found.
BYTE HypercallOffset
    Offset, relative to HandlerAddress, where the hypercall instruction is found.
BYTE RelocatedCodeOffset
    Offset, relative to HandlerAddress, where the prologue that has been replaced by our jump at the beginning of the function has been relocated.
BYTE RelocatedCodeLength
    The size of the relocated code.
BYTE NrPublicDataOffsets
    The number of valid entries inside the PublicDataOffsets array.
API_HOOK_PUBLIC_DATA PublicDataOffsets[PUBLIC_DATA_MAX_DESCRIPTORS]
    Public data that can be used to modify the detour handler.
BOOLEAN Disabled
    True if this detour has been disabled.
QWORD ModuleBase
    The guest virtual address of the base of the kernel module that owns the hooked function.
void *FunctionCloakHandle
    The memory cloak handle used to hide the modified function start. See Memory cloaking.
void *HandlerCloakHandle
    The memory cloak handle used to hide the detour handler. See Memory cloaking.
QWORD HitCount
    The number of times this detour issued a hypercall.
PAPI_HOOK_DESCRIPTOR Descriptor
    The hook descriptor for which this hook was set.
const LIX_FN_DETOUR *LixFnDetour
Describes a detour set inside the guest memory.
This is created by IntDetSetHook and IntDetSetLixHook in order to hold information about a detour that has been set. Part of the information in this structure comes from the API_HOOK_DESCRIPTOR used for this hook.
PFUNC_DetourCallback _DETOUR::Callback
Callback to be invoked when the detour issues a hypercall. May be NULL.
Definition at line 437 of file detours.h.
Referenced by IntDetCreateObjectLix(), and IntDetSetHook().
PAPI_HOOK_DESCRIPTOR _DETOUR::Descriptor
The hook descriptor for which this hook was set.
Definition at line 497 of file detours.h.
Referenced by IntDetGetArgument(), IntDetGetArguments(), IntDetPatchArgument(), and IntDetSetHook().
BOOLEAN _DETOUR::Disabled
True if this detour has been disabled.
Disabled detours are still present inside the guest, but they no longer issue hypercalls.
The hypercall instruction is replaced with NOPs, but the rest of the detour code is untouched.
Definition at line 485 of file detours.h.
Referenced by IntDetCallCallback().
QWORD _DETOUR::FunctionAddress
The guest virtual address of the hooked function.
Definition at line 447 of file detours.h.
Referenced by IntDetCallCallback(), IntDetCreateObjectLix(), IntDetHandleWrite(), IntDetSetHook(), and IntDetSetLixHook().
void *_DETOUR::FunctionCloakHandle
The memory cloak handle used to hide the modified function start. See Memory cloaking.
Definition at line 490 of file detours.h.
Referenced by IntDetSetHook().
QWORD _DETOUR::HandlerAddress
The guest virtual address of the detour handler.
Definition at line 450 of file detours.h.
Referenced by IntDetCreateObjectLix(), IntDetGetByTag(), IntDetHandleWrite(), IntDetSetHook(), and IntDetSetLixHook().
void *_DETOUR::HandlerCloakHandle
The memory cloak handle used to hide the detour handler. See Memory cloaking.
Definition at line 492 of file detours.h.
Referenced by IntDetModifyPublicData(), and IntDetSetHook().
DWORD _DETOUR::HandlerSize
The size of the detour handler.
Note that this is not the same as API_HOOK_HANDLER.CodeLength: that value covers only the code injected for the handler itself, whereas HandlerSize also includes the size of the relocated guest instructions.
Definition at line 456 of file detours.h.
Referenced by IntDetGetByTag(), IntDetHandleWrite(), and IntDetSetHook().
QWORD _DETOUR::HitCount
The number of times this detour issued a hypercall.
Definition at line 494 of file detours.h.
Referenced by IntDetCallCallback().
QWORD _DETOUR::HypercallAddress
The guest virtual address at which the hypercall is placed.
This is used to find the proper DETOUR structure when a hypercall is issued.
Definition at line 445 of file detours.h.
Referenced by IntDetSetHook().
BYTE _DETOUR::HypercallOffset
Offset, relative to HandlerAddress, where the hypercall instruction is found.
Definition at line 468 of file detours.h.
Referenced by IntDetSetHook().
HYPERCALL_TYPE _DETOUR::HypercallType
The type of the hypercall that this detour uses.
Definition at line 462 of file detours.h.
Referenced by IntDetCallCallback(), IntDetCreateObjectLix(), and IntDetSetHook().
BYTE _DETOUR::JumpBackOffset
Offset, relative to HandlerAddress, where the jump that returns control to the hooked function is found.
Definition at line 466 of file detours.h.
Referenced by IntDetSetHook().
LIST_ENTRY _DETOUR::Link
The link inside the DETOURS_STATE.DetoursList list.
Definition at line 435 of file detours.h.
Referenced by IntDetSetHook(), and IntDetSetLixHook().
const LIX_FN_DETOUR *_DETOUR::LixFnDetour
Definition at line 498 of file detours.h.
Referenced by IntDetCreateObjectLix().
QWORD _DETOUR::LixGuestDetour
The address of the Linux detour header.
Definition at line 459 of file detours.h.
Referenced by IntDetCreateObjectLix(), and IntDetSetLixHook().
QWORD _DETOUR::ModuleBase
The guest virtual address of the base of the kernel module that owns the hooked function.
Definition at line 487 of file detours.h.
Referenced by IntDetSetHook().
BYTE _DETOUR::NrPublicDataOffsets
The number of valid entries inside the PublicDataOffsets array.
Definition at line 476 of file detours.h.
Referenced by IntDetModifyPublicData(), and IntDetSetHook().
API_HOOK_PUBLIC_DATA _DETOUR::PublicDataOffsets[PUBLIC_DATA_MAX_DESCRIPTORS]
Public data that can be used to modify the detour handler.
Definition at line 478 of file detours.h.
Referenced by IntDetModifyPublicData(), and IntDetSetHook().
BYTE _DETOUR::RelocatedCodeLength
The size of the relocated code.
Definition at line 473 of file detours.h.
Referenced by IntDetCreateObjectLix(), IntDetHandleWrite(), IntDetSetHook(), and IntDetSetLixHook().
BYTE _DETOUR::RelocatedCodeOffset
Offset, relative to HandlerAddress, where the original function prologue has been relocated; the prologue was displaced by the jump we placed at the beginning of the hooked function.
Definition at line 471 of file detours.h.
Referenced by IntDetCreateObjectLix(), and IntDetSetHook().
DETOUR_TAG _DETOUR::Tag
Detour tag.
Definition at line 440 of file detours.h.
Referenced by IntDetCallCallback(), IntDetGetArguments(), IntDetHandleWrite(), and IntDetSetHook().
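The fields above describe one handler layout (relocated prologue, hypercall instruction and jump back, all at offsets relative to HandlerAddress), a lookup key (HypercallAddress, used to find the DETOUR when a hypercall is issued), a disable mechanism (the hypercall bytes become NOPs) and two regions whose modification by the guest matters (the handler and the patched function start, which IntDetHandleWrite watches). The following is an added example, not code from detours.h or the Introcore project: a constructed MODEL_DETOUR mirrors those fields, and the checks assume a 3-byte VMCALL (0F 01 C1) for the hypercall and a 5-byte rel32 JMP for the jump back; the field names are taken from this page, everything else is an assumption of the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of a detour's handler layout, mirroring the documented
 * _DETOUR fields. The struct, the instruction lengths and the sample values
 * are assumptions for this example, not the real detours.h definitions. */
typedef struct {
    uint64_t HypercallAddress;     /* GVA of the hypercall instruction          */
    uint64_t FunctionAddress;      /* GVA of the hooked function                */
    uint64_t HandlerAddress;       /* GVA of the injected handler               */
    uint32_t HandlerSize;          /* handler code plus relocated prologue      */
    uint8_t  JumpBackOffset;       /* offset of the jump back into the function */
    uint8_t  HypercallOffset;      /* offset of the hypercall instruction       */
    uint8_t  RelocatedCodeOffset;  /* offset of the relocated prologue          */
    uint8_t  RelocatedCodeLength;  /* length of the relocated prologue          */
    bool     Disabled;
    uint64_t HitCount;
} MODEL_DETOUR;

/* Instruction lengths assumed by the model: VMCALL is 0F 01 C1 (3 bytes) and
 * the jump back is a rel32 JMP (E9 + 4 bytes). */
#define VMCALL_LEN     3u
#define JMP_REL32_LEN  5u
#define NOP_OPCODE     0x90

/* Do the half-open ranges [a, a+alen) and [b, b+blen) overlap? An empty
 * range overlaps nothing. */
static bool ranges_overlap(uint64_t a, uint64_t alen, uint64_t b, uint64_t blen)
{
    if (alen == 0 || blen == 0)
        return false;
    return a < b + blen && b < a + alen;
}

/* Every region the offsets describe must lie inside the handler, the three
 * regions must not overlap one another, and HypercallAddress must equal
 * HandlerAddress + HypercallOffset, since that address is the lookup key
 * when a hypercall is issued. */
bool det_layout_is_consistent(const MODEL_DETOUR *d)
{
    uint64_t size = d->HandlerSize;

    if (size == 0)
        return false;
    if ((uint64_t)d->RelocatedCodeOffset + d->RelocatedCodeLength > size)
        return false;
    if ((uint64_t)d->HypercallOffset + VMCALL_LEN > size)
        return false;
    if ((uint64_t)d->JumpBackOffset + JMP_REL32_LEN > size)
        return false;
    if (d->HypercallAddress != d->HandlerAddress + d->HypercallOffset)
        return false;
    if (ranges_overlap(d->HypercallOffset, VMCALL_LEN, d->RelocatedCodeOffset, d->RelocatedCodeLength) ||
        ranges_overlap(d->HypercallOffset, VMCALL_LEN, d->JumpBackOffset, JMP_REL32_LEN) ||
        ranges_overlap(d->JumpBackOffset, JMP_REL32_LEN, d->RelocatedCodeOffset, d->RelocatedCodeLength))
        return false;
    return true;
}

/* A hypercall exit reports the guest RIP; the detour it belongs to is the one
 * whose HypercallAddress matches. Returns the index into dets, or -1. */
int det_find_by_hypercall(const MODEL_DETOUR *dets, size_t count, uint64_t rip)
{
    for (size_t i = 0; i < count; i++)
        if (dets[i].HypercallAddress == rip)
            return (int)i;
    return -1;
}

/* Account a hit. A disabled detour is still present in the guest but must not
 * issue hypercalls any more, so a hit on one is reported as false. */
bool det_record_hit(MODEL_DETOUR *d)
{
    if (d->Disabled)
        return false;
    d->HitCount++;
    return true;
}

/* Disable as described for _DETOUR::Disabled: only the hypercall bytes are
 * replaced with NOPs; the rest of the handler is untouched. 'handler' holds
 * the handler's HandlerSize bytes of code. */
bool det_disable(MODEL_DETOUR *d, uint8_t *handler)
{
    if ((uint64_t)d->HypercallOffset + VMCALL_LEN > d->HandlerSize)
        return false;
    memset(handler + d->HypercallOffset, NOP_OPCODE, VMCALL_LEN);
    d->Disabled = true;
    return true;
}

/* A guest write to [gva, gva+size) that lands on the handler, or on the patched
 * function start (the RelocatedCodeLength bytes displaced by our jump), is an
 * integrity event to report. */
bool det_write_touches_detour(const MODEL_DETOUR *d, uint64_t gva, uint64_t size)
{
    return ranges_overlap(gva, size, d->HandlerAddress, d->HandlerSize) ||
           ranges_overlap(gva, size, d->FunctionAddress, d->RelocatedCodeLength);
}
```

The consistency check is the kind of self-test a practitioner would run over every detour after IntDetSetHook places it: a hypercall offset past HandlerSize or a jump back overlapping the relocated prologue means the handler cannot execute as intended, and a HypercallAddress that disagrees with HandlerAddress + HypercallOffset means hypercall exits will never be matched to the right detour.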