doxygen/html/winguest_8h_source.html

 /*
  * Copyright (c) 2020 Bitdefender
  * SPDX-License-Identifier: Apache-2.0
  */
 #ifndef _WINGUEST_H_
 #define _WINGUEST_H_

 #include "introcore.h"
 #include "patsig.h"

 typedef struct _GUEST_STATE GUEST_STATE, *PGUEST_STATE;

 #define IMAGE_BASE_NAME_LEN 16u

 #define IMAGE_FULL_PATH_LEN 260u

 #define PROT_PROC_FLAG_NO_PATH 0x00000001

 typedef struct _PROTECTED_PROCESS_INFO
 {
     CHAR        ImageBaseNamePattern[IMAGE_BASE_NAME_LEN];

     struct
     {
         DWORD   Original;
         DWORD   Current;

         QWORD   Beta;
         QWORD   Feedback;
     } Protection;

     DWORD       Flags;
     PWCHAR      FullPathPattern;
     PWCHAR      FullNamePattern;
     QWORD       Context;

     LIST_ENTRY  Link;
 } PROTECTED_PROCESS_INFO, *PPROTECTED_PROCESS_INFO;

 typedef struct _WIN_UNEXPORTED_FUNCTION_PATTERN
 {
     CHAR                SectionHint[8];
     PATTERN_SIGNATURE   Signature;
 } WIN_UNEXPORTED_FUNCTION_PATTERN, *PWIN_UNEXPORTED_FUNCTION_PATTERN;


 typedef struct _WIN_UNEXPORTED_FUNCTION
 {
     DWORD                           NameHash;

     DWORD                           PatternsCount;
     _Field_size_(PatternsCount)
     WIN_UNEXPORTED_FUNCTION_PATTERN Patterns[0];
 } WIN_UNEXPORTED_FUNCTION, *PWIN_UNEXPORTED_FUNCTION;

 typedef enum
 {
     winModNone = 0,
     winModCore,
     winModAntivirus,
     winModCitrix,
 } PROTECTED_MODULE_TYPE;

 typedef struct _PROTECTED_MODULE_INFO
 {
     PROTECTED_MODULE_TYPE   Type;
     const WCHAR             *Name;
     const WCHAR             *Path;
     const WCHAR             *DriverObject;

     QWORD                   RequiredFlags;
 } PROTECTED_MODULE_INFO, *PPROTECTED_MODULE_INFO;

 typedef enum
 {
     FLAG_STATIC_DETECTION = 1,
     FLAG_DYNAMIC_DETECTION = 2,
 } OBJ_DISCOVERY_TYPE;

 typedef enum _WIN_UM_FIELD_DLL
 {
     winUmFieldDllBaseOffsetInModule64 = 0,
     winUmFieldDllBaseOffsetInModule32,
     winUmFieldDllSizeOffsetInModule64,
     winUmFieldDllSizeOffsetInModule32,
     winUmFieldDllNameOffsetInModule64,
     winUmFieldDllNameOffsetInModule32,
     winUmFieldDllEnd
 } WIN_UM_FIELD_DLL;

 typedef enum _WIN_UM_FIELD_PEB
 {
     winUmFieldPeb64Size = 0,
     winUmFieldPeb32Size,
     winUmFieldPebEnd
 } WIN_UM_FIELD_PEB;

 typedef enum _WIN_UM_FIELD_TEB
 {
     winUmFieldTeb64Size = 0,
     winUmFieldTeb32Size,
     winUmFieldTebWow64SaveArea,
     winUmFieldTebWow64StackInSaveArea,
     winUmFieldTebEnd
 } WIN_UM_FIELD_TEB;

 typedef enum _WIN_KM_STRUCTURE
 {
     winKmStructureProcess = 0,
     winKmStructureThread,
     winKmStructureDrvObj,
     winKmStructurePcr,
     winKmStructurePoolDescriptor,
     winKmStructureMmpfn,
     winKmStructureToken,
     winKmStructureUngrouped,
     winKmStructureEprocessFlags,
     winKmStructureVadShort,
     winKmStructureVadLong,
     winKmStructureVadFlags,
     winKmStructureSyscallNumbers,
     winKmStructureFileObject,
     winKmStructureEnd
 } WIN_KM_STRUCTURE;

 typedef enum _WIN_UM_STRUCTURE
 {
     winUmStructureDll = 0,
     winUmStructurePeb,
     winUmStructureTeb,
     winUmStructureEnd
 } WIN_UM_STRUCTURE;

 typedef enum _WIN_KM_FIELD_PROCESS
 {
     winKmFieldProcessCr3 = 0,
     winKmFieldProcessUserCr3,
     winKmFieldProcessKexecOptions,
     winKmFieldProcessListEntry,
     winKmFieldProcessName,
     winKmFieldProcessSectionBase,
     winKmFieldProcessId,
     winKmFieldProcessParentPid,
     winKmFieldProcessVadRoot,
     winKmFieldProcessCreateTime,
     winKmFieldProcessExitStatus,
     winKmFieldProcessToken,
     winKmFieldProcessObjectTable,
     winKmFieldProcessPeb,
     winKmFieldProcessThreadListHead,
     winKmFieldProcessWoW64,
     winKmFieldProcessFlags,
     winKmFieldProcessFlags3,
     winKmFieldProcessMitigationFlags,
     winKmFieldProcessMitigationFlags2,
     winKmFieldProcessDebugPort,
     winKmFieldProcessSpare,
     winKmFieldProcessEnd
 } WIN_KM_FIELD_PROCESS;

 typedef enum _WIN_KM_FIELD_THREAD
 {
     winKmFieldThreadProcess = 0,
     winKmFieldThreadThreadListEntry,
     winKmFieldThreadKernelStack,
     winKmFieldThreadStackBase,
     winKmFieldThreadStackLimit,
     winKmFieldThreadState,
     winKmFieldThreadWaitReason,
     winKmFieldThreadAttachedProcess,
     winKmFieldThreadTeb,
     winKmFieldThreadId,
     winKmFieldThreadClientSecurity,
     winKmFieldThreadTrapFrame,
     winKmFieldThreadWin32StartAddress,
     winKmFieldThreadEnd
 } WIN_KM_FIELD_THREAD;

 typedef enum _WIN_KM_FIELD_DRVOBJ
 {
     winKmFieldDrvObjSize = 0,
     winKmFieldDrvObjFiodispSize,
     winKmFieldDrvObjAllocationGap,
     winKmFieldDrvObjFiodisp,
     winKmFieldDrvObjStart,
     winKmFieldDrvObjEnd
 } WIN_KM_FIELD_DRVOBJ;

 typedef enum _WIN_KM_FIELD_PCR
 {
     winKmFieldPcrCurrentThread = 0,
     winKmFieldPcrUserTime,
     winKmFieldPcrEnd
 } WIN_KM_FIELD_PCR;

 typedef enum _WIN_KM_FIELD_POOLDESCRIPTOR
 {
     winKmFieldPoolDescriptorTotalBytes = 0,
     winKmFieldPoolDescriptorNppSize,
     winKmFieldPoolDescriptorEnd
 } WIN_KM_FIELD_POOLDESCRIPTOR;

 typedef enum _WIN_KM_FIELD_MMPFN
 {
     winKmFieldMmpfnSize = 0,
     winKmFieldMmpfnPte,
     winKmFieldMmpfnRefCount,
     winKmFieldMmpfnFlags,

     winKmFieldMmpfnPaeSize,
     winKmFieldMmpfnPaePte,
     winKmFieldMmpfnPaeRefCount,
     winKmFieldMmpfnPaeFlags,
     winKmFieldMmpfnEnd
 } WIN_KM_FIELD_MMPFN;

 typedef enum _WIN_KM_FIELD_TOKEN
 {
     winKmFieldTokenPrivs = 0,
     winKmFieldTokenUserCount,
     winKmFieldTokenRestrictedCount,
     winKmFieldTokenUsers,
     winKmFieldTokenRestrictedSids,
     winKmFieldTokenEnd
 } WIN_KM_FIELD_TOKEN;

 typedef enum _WIN_KM_FIELD_UNGROUPED
 {
     winKmFieldUngroupedCtlAreaFile = 0,
     winKmFieldUngroupedHandleTableTableCode,
     winKmFieldUngroupedHalIntCtrlType,
     winKmFieldUngroupedWmiGetClockOffset,
     winKmFieldUngroupedEtwDbgDataSiloOffset,
     winKmFieldUngroupedEtwSignatureOffset,
     winKmFieldUngroupedSubsectionCtlArea,
     winKmFieldUngroupedEnd
 } WIN_KM_FIELD_UNGROUPED;

 typedef enum _WIN_KM_FIELD_EPROCESSFLAGS
 {
     winKmFieldEprocessFlagsNoDebugInherit = 0,
     winKmFieldEprocessFlagsExiting,
     winKmFieldEprocessFlagsDelete,
     winKmFieldEprocessFlags3Crashed,
     winKmFieldEprocessFlagsVmDeleted,
     winKmFieldEprocessFlagsHasAddrSpace,
     winKmFieldEprocessFlagsEnd
 } WIN_KM_FIELD_EPROCESSFLAGS;

 typedef enum _WIN_KM_FIELD_VAD_SHORT
 {
     winKmFieldVadShortParent = 0,
     winKmFieldVadShortLeft,
     winKmFieldVadShortRight,
     winKmFieldVadShortStartingVpn,
     winKmFieldVadShortStartingVpnHigh,
     winKmFieldVadShortEndingVpn,
     winKmFieldVadShortEndingVpnHigh,
     winKmFieldVadShortFlags,
     winKmFieldVadShortFlagsSize,
     winKmFieldVadShortVpnSize,
     winKmFieldVadShortSize,
     winKmFieldVadShortEnd
 } WIN_KM_FIELD_VAD_SHORT;

 typedef enum _WIN_KM_FIELD_VAD_LONG
 {
     winKmFieldVadLongSubsection = 0,
     winKmFieldVadLongEnd
 } WIN_KM_FIELD_VAD_LONG;

 typedef enum _WIN_KM_FIELD_VADFLAGS
 {
     winKmFieldVadFlagsTypeShift = 0,
     winKmFieldVadFlagsTypeMask,

     winKmFieldVadFlagsProtectionShift,
     winKmFieldVadFlagsProtectionMask,

     winKmFieldVadFlagsNoChangeBit,

     winKmFieldVadFlagsPrivateFixupMask,

     winKmFieldVadFlagsDeleteInProgressMask,

     winKmFieldVadFlagsEnd
 } WIN_KM_FIELD_VADFLAGS;

 typedef enum _WIN_KM_FIELD_SYSCALL_NUMBERS
 {
     winKmFieldSyscallNumbersNtWriteVirtualMemory = 0,
     winKmFieldSyscallNumbersNtProtectVirtualMemory,
     winKmFieldSyscallNumbersNtCreateThreadEx,
     winKmFieldSyscallNumbersEnd
 } WIN_KM_FIELD_SYSCALL_NUMBERS;

 typedef enum _WIN_KM_FIELD_FILE_OBJECT
 {
     winKmFieldFileObjectNameBuffer,
     winKmFieldFileObjectNameLength,
     winKmFieldFileObjectEnd
 } WIN_KM_FIELD_FILE_OBJECT;

 typedef struct _WIN_OPAQUE_FIELDS
 {
     struct
     {
         DWORD Process[winKmFieldProcessEnd];
         DWORD Thread[winKmFieldThreadEnd];
         DWORD DrvObj[winKmFieldDrvObjEnd];
         DWORD Pcr[winKmFieldPcrEnd];
         DWORD PoolDescriptor[winKmFieldPoolDescriptorEnd];
         DWORD Mmpfn[winKmFieldMmpfnEnd];
         DWORD Token[winKmFieldTokenEnd];
         DWORD Ungrouped[winKmFieldUngroupedEnd];
         DWORD EprocessFlags[winKmFieldEprocessFlagsEnd];
         DWORD VadShort[winKmFieldVadShortEnd];
         DWORD VadLong[winKmFieldVadLongEnd];
         DWORD VadFlags[winKmFieldVadFlagsEnd];
         DWORD SyscallNumbers[winKmFieldSyscallNumbersEnd];
         DWORD FileObject[winKmFieldFileObjectEnd];
     } Km;

     struct
     {
         DWORD Dll[winUmFieldDllEnd];
         DWORD Peb[winUmFieldPebEnd];
         DWORD Teb[winUmFieldTebEnd];
     } Um;
 } WIN_OPAQUE_FIELDS, *PWIN_OPAQUE_FIELDS;

 #define WIN_KM_FIELD(Structure, Field) gWinGuest->OsSpecificFields.Km.Structure[winKmField##Structure##Field]

 #define WIN_SYSCALL_NUMBER(Syscall) WIN_KM_FIELD(SyscallNumbers, Syscall)

 #define WIN_UM_FIELD(Structure, Field) gWinGuest->OsSpecificFields.Um.Structure[winUmField##Structure##Field]

 typedef struct _WIN_MODULE_UNIQUE_KEY
 {
     DWORD ImageSize;
     DWORD TimeDateStamp;
 } WIN_MODULE_UNIQUE_KEY, PWIN_MODULE_UNIQUE_KEY;

 typedef enum
 {
     winProductTypeNotYetLoaded,
     winProductTypeWinNt,
     winProductTypeLanManNt,
     winProductTypeServer,
     winProductTypeUnknown
 } WIN_PRODUCT_TYPE;

 typedef struct _WINDOWS_GUEST
 {
     QWORD PsCreateSystemThread;
     QWORD ExAllocatePoolWithTag;
     QWORD ExFreePoolWithTag;
     QWORD SyscallAddress;
     DWORD NtBuildNumberValue;
     QWORD KeServiceDescriptorTable;
     QWORD Ssdt;
     DWORD NumberOfServices;
     QWORD HalpInterruptControllerGva;
     QWORD PropperSyscallGva;

     PCHAR NtBuildLabString;
     PCHAR VersionString;
     PCHAR ServerVersionString;

     WIN_PRODUCT_TYPE ProductType;

     QWORD PsActiveProcessHead;
     QWORD PsLoadedModuleList;
     QWORD MmPfnDatabase;
     QWORD ObpRootDirectoryObject;
     QWORD DriverDirectory;
     QWORD FileSystemDirectory;

     BYTE *KernelBuffer;
     DWORD KernelBufferSize;

     DWORD RemainingSections;
     LIST_HEAD InitSwapHandles;

     WIN_OPAQUE_FIELDS OsSpecificFields;
 } WINDOWS_GUEST, *PWINDOWS_GUEST;

 typedef struct _WIN_INIT_SWAP
 {
     LIST_ENTRY  Link;
     void        *SwapHandle;

     QWORD       VirtualAddress;
     DWORD       Size;
 } WIN_INIT_SWAP, *PWIN_INIT_SWAP;

 INTSTATUS
 IntWinGuestNew(
     void
     );

 INTSTATUS
 IntWinGuestInit(
     void
     );

 void
 IntWinGuestUninit(
     void
     );

 void
 IntWinGuestCancelKernelRead(
     void
     );

 INTSTATUS
 IntWinGetVersionString(
     _In_ DWORD FullStringSize,
     _In_ DWORD VersionStringSize,
     _Out_ CHAR *FullString,
     _Out_ CHAR *VersionString
     );

 INTSTATUS
 IntWinGuestProtectSudExec(
     void
     );

 INTSTATUS
 IntWinGuestUnprotectSudExec(
     void
     );

 #endif // _WINGUEST_H_
winKmFieldVadShortStartingVpnHigh
Definition: winguest.h:499

PWCHAR
uint16_t * PWCHAR
Definition: intro_types.h:63

WIN_KM_FIELD_EPROCESSFLAGS
enum _WIN_KM_FIELD_EPROCESSFLAGS WIN_KM_FIELD_EPROCESSFLAGS
Indexes in the WIN_OPAQUE_FIELDS.Km.EprocessFlags array, containing information about the flags insid...

winKmStructureFileObject
Definition: winguest.h:233

winUmFieldDllEnd
The end of the fields.
Definition: winguest.h:172

winKmFieldVadShortParent
Offset of ParentValue.
Definition: winguest.h:486

_WIN_KM_FIELD_VAD_SHORT
_WIN_KM_FIELD_VAD_SHORT
Indexes in the WIN_OPAQUE_FIELDS.Km.VadShort array, containing information about the _MMVAD_SHORT str...
Definition: winguest.h:483

winKmFieldVadFlagsProtectionShift
Definition: winguest.h:575

winProductTypeLanManNt
Advanced server.
Definition: winguest.h:785

winUmFieldTebWow64SaveArea
Definition: winguest.h:203

winUmFieldTeb64Size
The relevant size of the _TEB for 64-bit processes.
Definition: winguest.h:199

_Out_
#define _Out_
Definition: intro_sal.h:22

winKmFieldThreadAttachedProcess
Offset of Tcb.ApcState.Process.
Definition: winguest.h:312

winKmFieldProcessWoW64
Offset of Wow64Process (only for 64-bit guests).
Definition: winguest.h:281

winUmStructurePeb
Used for the WIN_OPAQUE_FIELDS.Um.Peb array.
Definition: winguest.h:249

WIN_UM_FIELD_PEB
enum _WIN_UM_FIELD_PEB WIN_UM_FIELD_PEB
Indexes in the WIN_OPAQUE_FIELDS.Um.Peb array, containing offsets inside the _PEB structure...

winKmFieldProcessVadRoot
Offset of VadRoot.
Definition: winguest.h:274

winKmFieldThreadState
Offset of Tcb.State.
Definition: winguest.h:310

_WINDOWS_GUEST::MmPfnDatabase
QWORD MmPfnDatabase
Guest virtual address of the PFN data base.
Definition: winguest.h:823

_PROTECTED_MODULE_INFO::Type
PROTECTED_MODULE_TYPE Type
The type of the module.
Definition: winguest.h:126

_WINDOWS_GUEST::PropperSyscallGva
QWORD PropperSyscallGva
Guest virtual address of the KiSystemServiceUser function.
Definition: winguest.h:807

_PROTECTED_PROCESS_INFO::Original
DWORD Original
The original protection flags as received from GLUE_IFACE.AddRemoveProtectedProcessUtf16 or GLUE_IFAC...
Definition: winguest.h:37

winUmFieldDllNameOffsetInModule32
Definition: winguest.h:167

_WINDOWS_GUEST::FileSystemDirectory
QWORD FileSystemDirectory
Guest virtual address of the FileSystem namespace directory.
Definition: winguest.h:826

winKmFieldSyscallNumbersNtWriteVirtualMemory
The NtWriteSyscallMemory syscall number.
Definition: winguest.h:613

BYTE
uint8_t BYTE
Definition: intro_types.h:47

_PROTECTED_MODULE_INFO::RequiredFlags
QWORD RequiredFlags
The introcore options that need to be active in order to protect this module.
Definition: winguest.h:137

winKmFieldMmpfnPte
Offset of PteAddress (or PteLong).
Definition: winguest.h:399

_In_
#define _In_
Definition: intro_sal.h:21

_WINDOWS_GUEST::SyscallAddress
QWORD SyscallAddress
Guest virtual address of the SYSCALL/SYSENTER handler.
Definition: winguest.h:801

introcore.h

winKmFieldUngroupedEnd
The end of the fields.
Definition: winguest.h:453

winKmFieldVadFlagsProtectionMask
Definition: winguest.h:579

_PROTECTED_PROCESS_INFO::Context
QWORD Context
The context supplied in the protection policy.
Definition: winguest.h:74

winKmFieldVadShortEndingVpnHigh
Definition: winguest.h:508

winKmFieldPcrCurrentThread
Offset of PrcbData.CurrentThread.
Definition: winguest.h:360

winUmStructureDll
Used for the WIN_OPAQUE_FIELDS.Um.Dll array.
Definition: winguest.h:248

winKmFieldSyscallNumbersEnd
The end of the fields.
Definition: winguest.h:620

winKmFieldThreadWin32StartAddress
Definition: winguest.h:317

winKmStructureVadLong
Used for the WIN_OPAQUE_FIELDS.Km.VadLong array.
Definition: winguest.h:230

winKmFieldTokenEnd
The end of the fields.
Definition: winguest.h:430

PWIN_UNEXPORTED_FUNCTION_PATTERN
struct _WIN_UNEXPORTED_FUNCTION_PATTERN * PWIN_UNEXPORTED_FUNCTION_PATTERN

winProductTypeNotYetLoaded
Information not yet loaded.
Definition: winguest.h:783

_WIN_KM_FIELD_SYSCALL_NUMBERS
_WIN_KM_FIELD_SYSCALL_NUMBERS
Indexes in the WIN_OPAQUE_FIELDS.Km.SyscallNumbers array, containing syscall numbers.The WIN_SYSCALL_NUMBER or WIN_KM_FIELD macros can be used to access these more easily.
Definition: winguest.h:611

winProductTypeUnknown
The product type is unknown.
Definition: winguest.h:790

IntWinGuestUnprotectSudExec
INTSTATUS IntWinGuestUnprotectSudExec(void)
Removes the execution EPT hook on SharedUserData.
Definition: winguest.c:1135

_WIN_KM_FIELD_MMPFN
_WIN_KM_FIELD_MMPFN
Indexes in the WIN_OPAQUE_FIELDS.Km.Mmpfn array, containing information about the _MMPFN structure...
Definition: winguest.h:396

PPROTECTED_PROCESS_INFO
struct _PROTECTED_PROCESS_INFO * PPROTECTED_PROCESS_INFO

winKmFieldDrvObjFiodispSize
The size of the _FAST_IO_DISPATCH structure.
Definition: winguest.h:341

_WIN_UM_FIELD_TEB
_WIN_UM_FIELD_TEB
Indexes in the WIN_OPAQUE_FIELDS.Um.Teb array, containing offsets inside the _TEB structure...
Definition: winguest.h:197

WIN_KM_FIELD_VAD_LONG
enum _WIN_KM_FIELD_VAD_LONG WIN_KM_FIELD_VAD_LONG
Indexes in the WIN_OPAQUE_FIELDS.Km.VadLong array, containing information about the _MMVAD_LONG struc...

_WINDOWS_GUEST::ExFreePoolWithTag
QWORD ExFreePoolWithTag
Guest virtual address of the ExFreePoolWithTag kernel function.
Definition: winguest.h:800

winKmFieldVadFlagsNoChangeBit
Definition: winguest.h:589

WIN_UM_FIELD_DLL
enum _WIN_UM_FIELD_DLL WIN_UM_FIELD_DLL
Indexes in the WIN_OPAQUE_FIELDS.Um.Dll array, containing offsets inside the _LDR_DATA_TABLE_ENTRY st...

_WIN_INIT_SWAP::Link
LIST_ENTRY Link
Link inside the WINDOWS_GUEST.InitSwapHandles list.
Definition: winguest.h:853

winKmFieldEprocessFlagsExiting
Mask for Exiting from _EPROCESS.Flags.
Definition: winguest.h:465

PROTECTED_PROCESS_INFO
struct _PROTECTED_PROCESS_INFO PROTECTED_PROCESS_INFO
Encapsulates a protected Windows process.

winKmFieldThreadEnd
The end of the fields.
Definition: winguest.h:322

winKmFieldProcessUserCr3
Offset of Pcb.UserDirectoryTableBase if it exists, DirectoryTableBase if not.
Definition: winguest.h:267

_WINDOWS_GUEST::ProductType
WIN_PRODUCT_TYPE ProductType
The product type. Obtained directly from the guest during initialization.
Definition: winguest.h:819

WIN_KM_FIELD_VADFLAGS
enum _WIN_KM_FIELD_VADFLAGS WIN_KM_FIELD_VADFLAGS
Indexes in the WIN_OPAQUE_FIELDS.Km.VadFlags array, containing information about the bits in the winK...

winKmFieldSyscallNumbersNtCreateThreadEx
Definition: winguest.h:615

winModNone
Invalid.
Definition: winguest.h:115

winKmFieldProcessExitStatus
Offset of ExitStatus.
Definition: winguest.h:276

WINDOWS_GUEST
struct _WINDOWS_GUEST WINDOWS_GUEST
Holds information about a Windows guest.

_PROTECTED_PROCESS_INFO::Current
DWORD Current
The currently used protection flags.
Definition: winguest.h:43

winKmFieldMmpfnPaeFlags
Definition: winguest.h:406

WIN_KM_FIELD_PCR
enum _WIN_KM_FIELD_PCR WIN_KM_FIELD_PCR
Indexes in the WIN_OPAQUE_FIELDS.Km.Pcr array, containing information about the _KPCR structure...

_PROTECTED_PROCESS_INFO::Feedback
QWORD Feedback
Flags that will be forced to feedback only mode.
Definition: winguest.h:57

winKmFieldThreadStackBase
Offset of Tcb.StackBase.
Definition: winguest.h:308

winKmFieldUngroupedEtwSignatureOffset
The offset relative tot he EtwDebuggerData structure at which the ETW signature is found...
Definition: winguest.h:447

winKmFieldProcessFlags
Offset of Flags.
Definition: winguest.h:282

WIN_KM_FIELD_SYSCALL_NUMBERS
enum _WIN_KM_FIELD_SYSCALL_NUMBERS WIN_KM_FIELD_SYSCALL_NUMBERS
Indexes in the WIN_OPAQUE_FIELDS.Km.SyscallNumbers array, containing syscall numbers.The WIN_SYSCALL_NUMBER or WIN_KM_FIELD macros can be used to access these more easily.

INTSTATUS
int INTSTATUS
The status data type.
Definition: introstatus.h:24

winKmFieldMmpfnPaePte
Offset of PteAddress (or PteLong) when PAE is enabled.
Definition: winguest.h:404

winUmFieldPebEnd
The end of the fields.
Definition: winguest.h:189

winKmFieldUngroupedSubsectionCtlArea
Definition: winguest.h:448

winKmFieldProcessEnd
The end of the fields.
Definition: winguest.h:295

winKmStructureMmpfn
Used for the WIN_OPAQUE_FIELDS.Km.Mmpfn array.
Definition: winguest.h:225

winKmFieldThreadClientSecurity
Offset of ClientSecurity.
Definition: winguest.h:315

PROTECTED_MODULE_TYPE
PROTECTED_MODULE_TYPE
Protected kernel module types.
Definition: winguest.h:113

_WINDOWS_GUEST::NumberOfServices
DWORD NumberOfServices
The number of entries in the SSDT.
Definition: winguest.h:805

winKmStructureVadFlags
Used for the WIN_OPAQUE_FIELDS.Km.VadFlags array.
Definition: winguest.h:231

winKmFieldVadShortVpnSize
Definition: winguest.h:518

winKmFieldProcessMitigationFlags
Offset of MitigationFlags if it exists (>= RS3).
Definition: winguest.h:284

winKmStructureEprocessFlags
Used for the WIN_OPAQUE_FIELDS.Km.EprocessFlags array.
Definition: winguest.h:228

winKmStructurePcr
Used for the WIN_OPAQUE_FIELDS.Km.Pcr array.
Definition: winguest.h:223

winKmFieldUngroupedWmiGetClockOffset
Offset of GetCpuClock in _WMI_LOGGER_CONTEXT.
Definition: winguest.h:444

_PROTECTED_PROCESS_INFO::Flags
DWORD Flags
Flags that describe the protection mode.
Definition: winguest.h:63

_WINDOWS_GUEST::ExAllocatePoolWithTag
QWORD ExAllocatePoolWithTag
Guest virtual address of the ExAllocatePoolWithTag kernel function.
Definition: winguest.h:799

winKmFieldProcessObjectTable
Offset of ObjectTable.
Definition: winguest.h:278

_WINDOWS_GUEST::ServerVersionString
PCHAR ServerVersionString
A NULL terminated string containing Windows server version information.
Definition: winguest.h:817

WIN_MODULE_UNIQUE_KEY
struct _WIN_MODULE_UNIQUE_KEY WIN_MODULE_UNIQUE_KEY
Information that can identify a module.

IMAGE_BASE_NAME_LEN
#define IMAGE_BASE_NAME_LEN
The maximum length of a process name.
Definition: winguest.h:14

winKmFieldEprocessFlagsDelete
Mask for Delete from _EPROCESS.Flags.
Definition: winguest.h:466

winKmFieldTokenPrivs
Offset of Privileges.
Definition: winguest.h:421

_WIN_KM_FIELD_DRVOBJ
_WIN_KM_FIELD_DRVOBJ
Indexes in the WIN_OPAQUE_FIELDS.Km.DrvObj array, containing information about the _DRIVER_OBJECT str...
Definition: winguest.h:330

winKmFieldThreadTrapFrame
Offset of Tcb.TrapFrame.
Definition: winguest.h:316

winKmFieldVadShortStartingVpn
Definition: winguest.h:495

WIN_OPAQUE_FIELDS
struct _WIN_OPAQUE_FIELDS WIN_OPAQUE_FIELDS
Contains information about various Windows user mode and kernel mode structures.Everything about a st...

winKmFieldVadShortSize
The minimum size that must be read from the guest in order to properly parse a _MMVAD_SHORT structure...
Definition: winguest.h:520

_WIN_UM_FIELD_PEB
_WIN_UM_FIELD_PEB
Indexes in the WIN_OPAQUE_FIELDS.Um.Peb array, containing offsets inside the _PEB structure...
Definition: winguest.h:181

_WIN_UNEXPORTED_FUNCTION_PATTERN
Describes a pattern for a kernel function that is not exported.
Definition: winguest.h:84

_WIN_KM_FIELD_UNGROUPED
_WIN_KM_FIELD_UNGROUPED
Indexes in the WIN_OPAQUE_FIELDS.Km.Ungrouped array, containing information about various kernel stru...
Definition: winguest.h:439

winKmStructureToken
Used for the WIN_OPAQUE_FIELDS.Km.Token array.
Definition: winguest.h:226

_WIN_KM_FIELD_VAD_LONG
_WIN_KM_FIELD_VAD_LONG
Indexes in the WIN_OPAQUE_FIELDS.Km.VadLong array, containing information about the _MMVAD_LONG struc...
Definition: winguest.h:534

winKmFieldVadFlagsPrivateFixupMask
The mask that must be applied for the private fix-up setting.
Definition: winguest.h:592

_PROTECTED_PROCESS_INFO
Encapsulates a protected Windows process.
Definition: winguest.h:23

IntWinGuestNew
INTSTATUS IntWinGuestNew(void)
Starts the initialization and protection process for a new Windows guest.
Definition: winguest.c:2760

winKmFieldVadShortEnd
The end of the fields.
Definition: winguest.h:525

winKmFieldVadShortEndingVpn
Definition: winguest.h:504

_WIN_KM_FIELD_PROCESS
_WIN_KM_FIELD_PROCESS
Indexes in the WIN_OPAQUE_FIELDS.Km.Process array, containing offsets inside the _EPROCESS structure...
Definition: winguest.h:263

winKmFieldProcessListEntry
Offset of ActiveProcessLinks.
Definition: winguest.h:269

WIN_KM_FIELD_FILE_OBJECT
enum _WIN_KM_FIELD_FILE_OBJECT WIN_KM_FIELD_FILE_OBJECT
Indexes in the WIN_OPAQUE_FIELDS.Km.FileObject array, containing information about the _FILE_OBJECT s...

_WINDOWS_GUEST::PsCreateSystemThread
QWORD PsCreateSystemThread
Guest virtual address of the PsCreateSystemThread kernel function.
Definition: winguest.h:798

winUmFieldTeb32Size
Definition: winguest.h:200

winKmFieldPcrEnd
The end of the fields.
Definition: winguest.h:366

winKmFieldFileObjectNameLength
Definition: winguest.h:632

winUmFieldDllSizeOffsetInModule64
The offset of the SizeOfImage field for 64-bit modules.
Definition: winguest.h:164

_WINDOWS_GUEST::HalpInterruptControllerGva
QWORD HalpInterruptControllerGva
Guest virtual address of the HalpInterruptController (owned by hal.dll).
Definition: winguest.h:806

WIN_KM_FIELD_VAD_SHORT
enum _WIN_KM_FIELD_VAD_SHORT WIN_KM_FIELD_VAD_SHORT
Indexes in the WIN_OPAQUE_FIELDS.Km.VadShort array, containing information about the _MMVAD_SHORT str...

winKmFieldEprocessFlags3Crashed
Mask for Flag3Crashed from _EPROCESS.Flags.
Definition: winguest.h:467

_WIN_KM_FIELD_EPROCESSFLAGS
_WIN_KM_FIELD_EPROCESSFLAGS
Indexes in the WIN_OPAQUE_FIELDS.Km.EprocessFlags array, containing information about the flags insid...
Definition: winguest.h:462

FLAG_STATIC_DETECTION
The object was detected after it was created.
Definition: winguest.h:148

winKmFieldMmpfnPaeRefCount
Offset of u3.ReferenceCount when PAE is enabled.
Definition: winguest.h:405

winKmFieldUngroupedHalIntCtrlType
Offset of InterruptControllerType.
Definition: winguest.h:443

winKmFieldTokenRestrictedCount
Offset of RestrictedSidCount.
Definition: winguest.h:423

_Field_size_
#define _Field_size_(expr)
Definition: intro_sal.h:41

winModAntivirus
Antivirus modules.
Definition: winguest.h:117

WIN_KM_FIELD_UNGROUPED
enum _WIN_KM_FIELD_UNGROUPED WIN_KM_FIELD_UNGROUPED
Indexes in the WIN_OPAQUE_FIELDS.Km.Ungrouped array, containing information about various kernel stru...

_WIN_INIT_SWAP::Size
DWORD Size
The size of the read.
Definition: winguest.h:857

IntWinGetVersionString
INTSTATUS IntWinGetVersionString(DWORD FullStringSize, DWORD VersionStringSize, CHAR *FullString, CHAR *VersionString)
Gets the version string for a Windows guest.
Definition: winguest.c:3064

WIN_INIT_SWAP
struct _WIN_INIT_SWAP WIN_INIT_SWAP
The initialization swap handle.

WIN_KM_FIELD_DRVOBJ
enum _WIN_KM_FIELD_DRVOBJ WIN_KM_FIELD_DRVOBJ
Indexes in the WIN_OPAQUE_FIELDS.Km.DrvObj array, containing information about the _DRIVER_OBJECT str...

winKmFieldProcessSpare
The offset at which spare space is found inside the structure.
Definition: winguest.h:290

_WINDOWS_GUEST::PsActiveProcessHead
QWORD PsActiveProcessHead
Guest virtual address of the PsActiveProcessHead kernel variable.
Definition: winguest.h:821

_WIN_MODULE_UNIQUE_KEY::TimeDateStamp
DWORD TimeDateStamp
The time date stamp of the image, as taken from the MZPE headers.
Definition: winguest.h:774

_WINDOWS_GUEST::PsLoadedModuleList
QWORD PsLoadedModuleList
Guest virtual address of the PsLoadedModuleList kernel variable.
Definition: winguest.h:822

winKmStructureProcess
Used for the WIN_OPAQUE_FIELDS.Km.Process array.
Definition: winguest.h:220

winUmFieldTebEnd
The end of the fields.
Definition: winguest.h:210

WIN_PRODUCT_TYPE
WIN_PRODUCT_TYPE
The type of the Windows OS.
Definition: winguest.h:781

winKmFieldVadFlagsTypeShift
Definition: winguest.h:567

winKmFieldProcessName
Offset of ImageFileName.
Definition: winguest.h:270

PWIN_OPAQUE_FIELDS
struct _WIN_OPAQUE_FIELDS * PWIN_OPAQUE_FIELDS

_PROTECTED_PROCESS_INFO::Link
LIST_ENTRY Link
Entry inside the gWinProtectedProcesses list.
Definition: winguest.h:77

QWORD
unsigned long long QWORD
Definition: intro_types.h:53

IntWinGuestInit
INTSTATUS IntWinGuestInit(void)
Initializes a new Windows guest.
Definition: winguest.c:645

WIN_UM_STRUCTURE
enum _WIN_UM_STRUCTURE WIN_UM_STRUCTURE
Structure tags used for the user mode structures.Each of these refers to a WIN_OPAQUE_FIELDS.Um field.

_PROTECTED_PROCESS_INFO::ImageBaseNamePattern
CHAR ImageBaseNamePattern[IMAGE_BASE_NAME_LEN]
Process name pattern.
Definition: winguest.h:28

PROTECTED_MODULE_INFO
struct _PROTECTED_MODULE_INFO PROTECTED_MODULE_INFO
Encapsulates a protected Windows kernel module.

winKmFieldDrvObjFiodisp
Offset of FastIoDispatch.
Definition: winguest.h:344

_PROTECTED_PROCESS_INFO::Beta
QWORD Beta
Flags that were forced to beta (log-only) mode.
Definition: winguest.h:50

_WIN_KM_FIELD_PCR
_WIN_KM_FIELD_PCR
Indexes in the WIN_OPAQUE_FIELDS.Km.Pcr array, containing information about the _KPCR structure...
Definition: winguest.h:358

winUmFieldPeb64Size
The relevant size of the _PEB for 64-bit processes.
Definition: winguest.h:183

_WINDOWS_GUEST::Ssdt
QWORD Ssdt
Guest virtual address of the SSDT structure inside the kernel.
Definition: winguest.h:804

WIN_KM_FIELD_POOLDESCRIPTOR
enum _WIN_KM_FIELD_POOLDESCRIPTOR WIN_KM_FIELD_POOLDESCRIPTOR
Indexes in the WIN_OPAQUE_FIELDS.Km.PoolDescriptor array, containing information about the _POOL_DESC...

winKmFieldProcessParentPid
Offset of InheritedFromUniqueProcessId.
Definition: winguest.h:273

winKmFieldVadShortFlagsSize
The minimum size that must be read from the guest in order to properly parse winKmFieldVadShortFlags...
Definition: winguest.h:514

_WIN_MODULE_UNIQUE_KEY
Information that can identify a module.
Definition: winguest.h:771

winKmFieldVadLongEnd
The end of the fields.
Definition: winguest.h:541

_WIN_KM_FIELD_VADFLAGS
_WIN_KM_FIELD_VADFLAGS
Indexes in the WIN_OPAQUE_FIELDS.Km.VadFlags array, containing information about the bits in the winK...
Definition: winguest.h:563

_WINDOWS_GUEST::OsSpecificFields
WIN_OPAQUE_FIELDS OsSpecificFields
OS-dependent and specific information (variables, offsets, etc).
Definition: winguest.h:843

winKmFieldThreadKernelStack
Offset of Tcb.KernelStack.
Definition: winguest.h:307

winKmFieldThreadThreadListEntry
Offset of Tcb.ThreadListEntry (not the one found directly in the _ETHREAD).
Definition: winguest.h:306

patsig.h

winKmFieldProcessCr3
Definition: winguest.h:265

winKmFieldVadFlagsEnd
The end of the fields.
Definition: winguest.h:603

winKmFieldUngroupedEtwDbgDataSiloOffset
Definition: winguest.h:445

winKmFieldProcessToken
Offset of Token.
Definition: winguest.h:277

winKmStructureThread
Used for the WIN_OPAQUE_FIELDS.Km.Thread array.
Definition: winguest.h:221

PWINDOWS_GUEST
struct _WINDOWS_GUEST * PWINDOWS_GUEST

winModCitrix
Xen-specific Citrix modules.
Definition: winguest.h:118

winKmFieldThreadWaitReason
Offset of Tcb.WaitReason.
Definition: winguest.h:311

winKmFieldVadShortLeft
Offset of LeftChild.
Definition: winguest.h:488

_WIN_INIT_SWAP::VirtualAddress
QWORD VirtualAddress
The guest virtual address that will be read.
Definition: winguest.h:856

winKmFieldProcessCreateTime
Offset of CreateTime.
Definition: winguest.h:275

PCHAR
char * PCHAR
Definition: intro_types.h:56

winKmFieldVadFlagsTypeMask
Definition: winguest.h:571

_WIN_UM_FIELD_DLL
_WIN_UM_FIELD_DLL
Indexes in the WIN_OPAQUE_FIELDS.Um.Dll array, containing offsets inside the _LDR_DATA_TABLE_ENTRY st...
Definition: winguest.h:160

_PROTECTED_PROCESS_INFO::FullPathPattern
PWCHAR FullPathPattern
Full application path pattern.
Definition: winguest.h:65

_PROTECTED_PROCESS_INFO::Protection
struct _PROTECTED_PROCESS_INFO::@206 Protection
The protection flags used for this process.

winUmStructureEnd
The end of the tags.
Definition: winguest.h:255

WIN_UNEXPORTED_FUNCTION_PATTERN
struct _WIN_UNEXPORTED_FUNCTION_PATTERN WIN_UNEXPORTED_FUNCTION_PATTERN
Describes a pattern for a kernel function that is not exported.

winKmFieldProcessFlags3
Offset of Flags3.
Definition: winguest.h:283

_PROTECTED_MODULE_INFO::Path
const WCHAR * Path
Definition: winguest.h:128

_WIN_UNEXPORTED_FUNCTION
Describes a function that is not exported.
Definition: winguest.h:99

winKmFieldMmpfnPaeSize
The size of the _MMPFN structure when PAE is enabled.
Definition: winguest.h:403

WIN_KM_FIELD_PROCESS
enum _WIN_KM_FIELD_PROCESS WIN_KM_FIELD_PROCESS
Indexes in the WIN_OPAQUE_FIELDS.Km.Process array, containing offsets inside the _EPROCESS structure...

_WIN_KM_FIELD_POOLDESCRIPTOR
_WIN_KM_FIELD_POOLDESCRIPTOR
Indexes in the WIN_OPAQUE_FIELDS.Km.PoolDescriptor array, containing information about the _POOL_DESC...
Definition: winguest.h:375

winKmFieldPoolDescriptorEnd
The end of the fields.
Definition: winguest.h:383

winUmFieldTebWow64StackInSaveArea
The offset of the ESP in the winUmFieldTebWow64SaveArea.
Definition: winguest.h:205

WCHAR
uint16_t WCHAR
Definition: intro_types.h:63

winKmFieldProcessDebugPort
Definition: winguest.h:286

winKmFieldTokenRestrictedSids
Definition: winguest.h:425

WIN_KM_FIELD_THREAD
enum _WIN_KM_FIELD_THREAD WIN_KM_FIELD_THREAD
Indexes in the WIN_OPAQUE_FIELDS.Km.Thread array, containing offsets inside the _ETHREAD structure...

DWORD
uint32_t DWORD
Definition: intro_types.h:49

_WINDOWS_GUEST::KernelBufferSize
DWORD KernelBufferSize
The size of the KernelBuffer.
Definition: winguest.h:838

winKmStructureDrvObj
Used for the WIN_OPAQUE_FIELDS.Km.DrvObj array.
Definition: winguest.h:222

winKmFieldDrvObjStart
Definition: winguest.h:345

winKmFieldPoolDescriptorNppSize
Definition: winguest.h:378

winKmFieldProcessPeb
Offset of Peb.
Definition: winguest.h:279

winKmStructureUngrouped
Used for the WIN_OPAQUE_FIELDS.Km.Ungrouped array.
Definition: winguest.h:227

IntWinGuestUninit
void IntWinGuestUninit(void)
Uninits a Windows guest.
Definition: winguest.c:675

_WINDOWS_GUEST
Holds information about a Windows guest.
Definition: winguest.h:796

winKmFieldProcessId
Offset of UniqueProcessId.
Definition: winguest.h:272

winKmFieldEprocessFlagsVmDeleted
Mask for VmDeleted from _EPROCESS.Flags.
Definition: winguest.h:468

winKmFieldFileObjectEnd
The end of the fields.
Definition: winguest.h:637

winKmFieldEprocessFlagsEnd
The end of the fields.
Definition: winguest.h:474

_WIN_KM_STRUCTURE
_WIN_KM_STRUCTURE
Structure tags used for the kernel mode structures.Each of these refers to a WIN_OPAQUE_FIELDS.Km field.
Definition: winguest.h:218

winUmFieldPeb32Size
Definition: winguest.h:184

WIN_KM_STRUCTURE
enum _WIN_KM_STRUCTURE WIN_KM_STRUCTURE
Structure tags used for the kernel mode structures.Each of these refers to a WIN_OPAQUE_FIELDS.Km field.

winKmFieldThreadStackLimit
Offset of Tcb.StackLimit.
Definition: winguest.h:309

winKmStructurePoolDescriptor
Used for the WIN_OPAQUE_FIELDS.Km.PoolDescriptor array.
Definition: winguest.h:224

PPROTECTED_MODULE_INFO
struct _PROTECTED_MODULE_INFO * PPROTECTED_MODULE_INFO

winKmFieldThreadId
Offset of Cid.UniqueThread.
Definition: winguest.h:314

_WIN_UNEXPORTED_FUNCTION_PATTERN::Signature
PATTERN_SIGNATURE Signature
The pattern signature.
Definition: winguest.h:91

_WINDOWS_GUEST::KeServiceDescriptorTable
QWORD KeServiceDescriptorTable
Guest virtual address of the KeServiceDescriptorTable variable.
Definition: winguest.h:803

_WINDOWS_GUEST::ObpRootDirectoryObject
QWORD ObpRootDirectoryObject
Guest virtual address of the ObpRootDirectoryObject.
Definition: winguest.h:824

winProductTypeServer
Definition: winguest.h:786

winKmStructureVadShort
Used for the WIN_OPAQUE_FIELDS.Km.VadShort array.
Definition: winguest.h:229

winKmFieldTokenUserCount
Offset of UserAndGroupCount.
Definition: winguest.h:422

winKmFieldMmpfnEnd
The end of the fields.
Definition: winguest.h:411

winKmFieldProcessKexecOptions
Offset of Pcb.Flags.
Definition: winguest.h:268

_WIN_UNEXPORTED_FUNCTION::PatternsCount
DWORD PatternsCount
The number of entries in the Patterns array.
Definition: winguest.h:105

winKmFieldPoolDescriptorTotalBytes
Offset of TotalBytes.
Definition: winguest.h:377

winKmFieldThreadTeb
Offset of Tcb.Teb.
Definition: winguest.h:313

_PROTECTED_MODULE_INFO
Encapsulates a protected Windows kernel module.
Definition: winguest.h:124

winKmFieldUngroupedCtlAreaFile
Offset of FilePointer in _CONTROL_AREA.
Definition: winguest.h:441

winKmStructureEnd
The end of the tags.
Definition: winguest.h:238

_WIN_KM_FIELD_THREAD
_WIN_KM_FIELD_THREAD
Indexes in the WIN_OPAQUE_FIELDS.Km.Thread array, containing offsets inside the _ETHREAD structure...
Definition: winguest.h:303

_WIN_UNEXPORTED_FUNCTION::NameHash
DWORD NameHash
Crc32 checksum of the function name.
Definition: winguest.h:102

_WINDOWS_GUEST::InitSwapHandles
LIST_HEAD InitSwapHandles
A list of swap handles used to read KernelBuffer.
Definition: winguest.h:841

_WINDOWS_GUEST::RemainingSections
DWORD RemainingSections
The number of kernel sections not yet read into KernelBuffer.
Definition: winguest.h:840

IntWinGuestProtectSudExec
INTSTATUS IntWinGuestProtectSudExec(void)
Protects SharedUserData against executions by establishing an EPT hook on it.
Definition: winguest.c:1100

winKmFieldMmpfnRefCount
Offset of u3.ReferenceCount.
Definition: winguest.h:400

_WIN_KM_FIELD_FILE_OBJECT
_WIN_KM_FIELD_FILE_OBJECT
Indexes in the WIN_OPAQUE_FIELDS.Km.FileObject array, containing information about the _FILE_OBJECT s...
Definition: winguest.h:629

_WIN_INIT_SWAP
The initialization swap handle.
Definition: winguest.h:851

winKmFieldDrvObjSize
The size of the _DRIVER_OBJECT structure.
Definition: winguest.h:336

winUmFieldDllNameOffsetInModule64
The offset of the FullDllName field for 64-bit modules.
Definition: winguest.h:166

_WINDOWS_GUEST::DriverDirectory
QWORD DriverDirectory
Guest virtual address of the Driver namespace directory.
Definition: winguest.h:825

WIN_UM_FIELD_TEB
enum _WIN_UM_FIELD_TEB WIN_UM_FIELD_TEB
Indexes in the WIN_OPAQUE_FIELDS.Um.Teb array, containing offsets inside the _TEB structure...

winKmFieldDrvObjAllocationGap
The size of the allocation that precedes a driver object, excluding the POOL_HEADER (0x8/0x10 bytes)...
Definition: winguest.h:343

_WIN_KM_FIELD_TOKEN
_WIN_KM_FIELD_TOKEN
Indexes in the WIN_OPAQUE_FIELDS.Km.Token array, containing information about the _TOKEN structure...
Definition: winguest.h:419

winProductTypeWinNt
Workstation.
Definition: winguest.h:784

_WINDOWS_GUEST::NtBuildLabString
PCHAR NtBuildLabString
Definition: winguest.h:809

winKmFieldEprocessFlagsNoDebugInherit
Mask for NoDebugInherit from _EPROCESS.Flags.
Definition: winguest.h:464

IntWinGuestCancelKernelRead
void IntWinGuestCancelKernelRead(void)
Cancels the kernel read.
Definition: winguest.c:611

_WINDOWS_GUEST::KernelBuffer
BYTE * KernelBuffer
A buffer containing the entire kernel image.
Definition: winguest.h:837

FLAG_DYNAMIC_DETECTION
The object was detected when it was created.
Definition: winguest.h:150

winKmFieldMmpfnSize
The size of the _MMPFN structure.
Definition: winguest.h:398

winModCore
Core Windows kernel modules.
Definition: winguest.h:116

winKmFieldFileObjectNameBuffer
Offset of FileName.Buffer.
Definition: winguest.h:631

winUmFieldDllSizeOffsetInModule32
The offset of the SizeOfImage field for 64-bit modules.
Definition: winguest.h:165

_WINDOWS_GUEST::NtBuildNumberValue
DWORD NtBuildNumberValue
The value of the NtBuildNumber kernel variable.
Definition: winguest.h:802

winKmFieldVadShortRight
Offset of RightChild.
Definition: winguest.h:490

_PATTERN_SIGNATURE
Describes a signature that can be used for searching or matching guest contents.
Definition: patsig.h:23

winKmFieldDrvObjEnd
The end of the fields.
Definition: winguest.h:350

winKmFieldVadShortFlags
Definition: winguest.h:512

PWIN_MODULE_UNIQUE_KEY
struct _WIN_MODULE_UNIQUE_KEY PWIN_MODULE_UNIQUE_KEY

_WIN_UM_STRUCTURE
_WIN_UM_STRUCTURE
Structure tags used for the user mode structures.Each of these refers to a WIN_OPAQUE_FIELDS.Um field.
Definition: winguest.h:246

PWIN_INIT_SWAP
struct _WIN_INIT_SWAP * PWIN_INIT_SWAP

WIN_KM_FIELD_MMPFN
enum _WIN_KM_FIELD_MMPFN WIN_KM_FIELD_MMPFN
Indexes in the WIN_OPAQUE_FIELDS.Km.Mmpfn array, containing information about the _MMPFN structure...

winUmFieldDllBaseOffsetInModule32
The offset of the DllBase field for 32-bit modules.
Definition: winguest.h:163

CHAR
char CHAR
Definition: intro_types.h:56

_GUEST_STATE
Describes a guest.
Definition: guests.h:265

_PROTECTED_PROCESS_INFO::FullNamePattern
PWCHAR FullNamePattern
Full application name pattern.
Definition: winguest.h:69

_PROTECTED_MODULE_INFO::Name
const WCHAR * Name
The name of the module.
Definition: winguest.h:127

_WIN_INIT_SWAP::SwapHandle
void * SwapHandle
The actual swap handle returned by IntSwapMemRead.
Definition: winguest.h:854

winKmFieldThreadProcess
Offset of Tcb.Process.
Definition: winguest.h:305

winKmFieldTokenUsers
Offset of UserAndGroups.
Definition: winguest.h:424

winKmFieldUngroupedHandleTableTableCode
Offset of TableCode _HANDLE_TABLE.
Definition: winguest.h:442

winKmFieldVadFlagsDeleteInProgressMask
Definition: winguest.h:597

winKmStructureSyscallNumbers
Used for the WIN_OPAQUE_FIELDS.Km.SyscallNumbers array.
Definition: winguest.h:232

winKmFieldVadLongSubsection
Definition: winguest.h:536

winKmFieldProcessMitigationFlags2
Offset of MitigationFlags2 if it exists (>= RS3).
Definition: winguest.h:285

winKmFieldSyscallNumbersNtProtectVirtualMemory
The NtProtectVirtualMemory syscall number.
Definition: winguest.h:614

winKmFieldEprocessFlagsHasAddrSpace
Definition: winguest.h:469

_WIN_MODULE_UNIQUE_KEY::ImageSize
DWORD ImageSize
The size of image, as taken from the MZPE headers.
Definition: winguest.h:773

winUmFieldDllBaseOffsetInModule64
The offset of the DllBase field for 64-bit modules.
Definition: winguest.h:162

WIN_KM_FIELD_TOKEN
enum _WIN_KM_FIELD_TOKEN WIN_KM_FIELD_TOKEN
Indexes in the WIN_OPAQUE_FIELDS.Km.Token array, containing information about the _TOKEN structure...

winUmStructureTeb
Definition: winguest.h:250

PGUEST_STATE
struct _GUEST_STATE * PGUEST_STATE
Definition: winguest.h:11

OBJ_DISCOVERY_TYPE
OBJ_DISCOVERY_TYPE
Describes the mode in which a kernel object was found.
Definition: winguest.h:143

_LIST_ENTRY
Definition: introlists.h:16

winKmFieldProcessSectionBase
Offset of SectionBaseAddress.
Definition: winguest.h:271

winKmFieldProcessThreadListHead
Offset of Pcb.ThreadListHead.
Definition: winguest.h:280

_WIN_OPAQUE_FIELDS
Contains information about various Windows user mode and kernel mode structures.Everything about a st...
Definition: winguest.h:661

winKmFieldPcrUserTime
Definition: winguest.h:361

winKmFieldMmpfnFlags
Offset of u3.e1.
Definition: winguest.h:401