HyperDbg Debugger
Loading...
Searching...
No Matches
Functions
ApplyEvents.c File Reference

Implementation of debugger functions for applying events. More...

#include "pch.h"

Functions

BOOLEAN ApplyEventMonitorEvent (PDEBUGGER_EVENT Event, PDEBUGGER_EVENT_AND_ACTION_RESULT ResultsToReturn, BOOLEAN InputFromVmxRoot)
 Applying monitor memory hook events.
 
BOOLEAN ApplyEventEptHookExecCcEvent (PDEBUGGER_EVENT Event, PDEBUGGER_EVENT_AND_ACTION_RESULT ResultsToReturn, BOOLEAN InputFromVmxRoot)
 Applying EPT hook execution (hidden breakpoints) events.
 
BOOLEAN ApplyEventEpthookInlineEvent (PDEBUGGER_EVENT Event, PDEBUGGER_EVENT_AND_ACTION_RESULT ResultsToReturn, BOOLEAN InputFromVmxRoot)
 Applying EPT hook trampoline (inline hook) events.
 
VOID ApplyEventRdmsrExecutionEvent (PDEBUGGER_EVENT Event, PDEBUGGER_EVENT_AND_ACTION_RESULT ResultsToReturn, BOOLEAN InputFromVmxRoot)
 Applying RDMSR execution events.
 
VOID ApplyEventWrmsrExecutionEvent (PDEBUGGER_EVENT Event, PDEBUGGER_EVENT_AND_ACTION_RESULT ResultsToReturn, BOOLEAN InputFromVmxRoot)
 Applying WRMSR execution events.
 
VOID ApplyEventInOutExecutionEvent (PDEBUGGER_EVENT Event, PDEBUGGER_EVENT_AND_ACTION_RESULT ResultsToReturn, BOOLEAN InputFromVmxRoot)
 Applying IN/OUT instructions execution events.
 
VOID ApplyEventTscExecutionEvent (PDEBUGGER_EVENT Event, PDEBUGGER_EVENT_AND_ACTION_RESULT ResultsToReturn, BOOLEAN InputFromVmxRoot)
 Applying RDTSC/RDTSCP instructions execution events.
 
VOID ApplyEventRdpmcExecutionEvent (PDEBUGGER_EVENT Event, PDEBUGGER_EVENT_AND_ACTION_RESULT ResultsToReturn, BOOLEAN InputFromVmxRoot)
 Applying RDPMC instruction execution events.
 
VOID ApplyEventMov2DebugRegExecutionEvent (PDEBUGGER_EVENT Event, PDEBUGGER_EVENT_AND_ACTION_RESULT ResultsToReturn, BOOLEAN InputFromVmxRoot)
 Applying mov 2 debug registers events.
 
VOID ApplyEventControlRegisterAccessedEvent (PDEBUGGER_EVENT Event, PDEBUGGER_EVENT_AND_ACTION_RESULT ResultsToReturn, BOOLEAN InputFromVmxRoot)
 Applying control registers accessed events.
 
VOID ApplyEventExceptionEvent (PDEBUGGER_EVENT Event, PDEBUGGER_EVENT_AND_ACTION_RESULT ResultsToReturn, BOOLEAN InputFromVmxRoot)
 Applying exception events.
 
VOID ApplyEventInterruptEvent (PDEBUGGER_EVENT Event, PDEBUGGER_EVENT_AND_ACTION_RESULT ResultsToReturn, BOOLEAN InputFromVmxRoot)
 Applying interrupt interception events.
 
VOID ApplyEventEferSyscallHookEvent (PDEBUGGER_EVENT Event, PDEBUGGER_EVENT_AND_ACTION_RESULT ResultsToReturn, BOOLEAN InputFromVmxRoot)
 Applying EFER SYSCALL hook events.
 
VOID ApplyEventEferSysretHookEvent (PDEBUGGER_EVENT Event, PDEBUGGER_EVENT_AND_ACTION_RESULT ResultsToReturn, BOOLEAN InputFromVmxRoot)
 Applying EFER SYSRET hook events.
 
VOID ApplyEventVmcallExecutionEvent (PDEBUGGER_EVENT Event, PDEBUGGER_EVENT_AND_ACTION_RESULT ResultsToReturn, BOOLEAN InputFromVmxRoot)
 Applying VMCALL instruction execution events.
 
BOOLEAN ApplyEventTrapModeChangeEvent (PDEBUGGER_EVENT Event, PDEBUGGER_EVENT_AND_ACTION_RESULT ResultsToReturn, BOOLEAN InputFromVmxRoot)
 Applying trap mode change events.
 
VOID ApplyEventCpuidExecutionEvent (PDEBUGGER_EVENT Event, PDEBUGGER_EVENT_AND_ACTION_RESULT ResultsToReturn, BOOLEAN InputFromVmxRoot)
 Applying CPUID instruction execution events.
 
VOID ApplyEventTracingEvent (PDEBUGGER_EVENT Event, PDEBUGGER_EVENT_AND_ACTION_RESULT ResultsToReturn, BOOLEAN InputFromVmxRoot)
 Applying trace events.
 

Detailed Description

Implementation of debugger functions for applying events.

Author
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
Version
0.7
Date
2023-10-15
Copyright
This project is released under the GNU Public License v3.

Function Documentation

◆ ApplyEventControlRegisterAccessedEvent()

VOID ApplyEventControlRegisterAccessedEvent ( PDEBUGGER_EVENT Event,
PDEBUGGER_EVENT_AND_ACTION_RESULT ResultsToReturn,
BOOLEAN InputFromVmxRoot )

Applying control registers accessed events.

Parameters
EventThe created event object
ResultsToReturnResult buffer that should be returned to the user-mode
InputFromVmxRootWhether the input comes from VMX root-mode or IOCTL
Returns
VOID
851{
852 UNREFERENCED_PARAMETER(ResultsToReturn);
853
854 //
855 // Setting an indicator to CR
856 //
857 Event->Options.OptionalParam1 = Event->InitOptions.OptionalParam1;
858 Event->Options.OptionalParam2 = Event->InitOptions.OptionalParam2;
859
860 //
861 // Let's see if it is for all cores or just one core
862 //
863 if (Event->CoreId == DEBUGGER_EVENT_APPLY_TO_ALL_CORES)
864 {
865 //
866 // All cores
867 //
868 if (InputFromVmxRoot)
869 {
870 HaltedBroadcastEnableMovToCrExitingAllCores(&Event->Options);
871 }
872 else
873 {
874 ExtensionCommandEnableMovControlRegisterExitingAllCores(Event);
875 }
876 }
877 else
878 {
879 //
880 // Just one core
881 //
882 if (InputFromVmxRoot)
883 {
884 HaltedRoutineEnableMovToCrExitingOnSingleCore(Event->CoreId, &Event->Options);
885 }
886 else
887 {
888 ConfigureEnableMovToControlRegisterExitingOnSingleCore(Event->CoreId, &Event->Options);
889 }
890 }
891}
ConfigureEnableMovToControlRegisterExitingOnSingleCore
VOID ConfigureEnableMovToControlRegisterExitingOnSingleCore(UINT32 TargetCoreId, DEBUGGER_EVENT_OPTIONS *BroadcastingOption)
enable mov 2 control register on a single core
Definition Configuration.c:526
DEBUGGER_EVENT_APPLY_TO_ALL_CORES
#define DEBUGGER_EVENT_APPLY_TO_ALL_CORES
Apply the event to all the cores.
Definition Constants.h:611
ExtensionCommandEnableMovControlRegisterExitingAllCores
VOID ExtensionCommandEnableMovControlRegisterExitingAllCores(PDEBUGGER_EVENT Event)
routines for !crwrite
Definition ExtensionCommands.c:494
HaltedBroadcastEnableMovToCrExitingAllCores
VOID HaltedBroadcastEnableMovToCrExitingAllCores(DEBUGGER_EVENT_OPTIONS *BroadcastingOption)
This function broadcasts enable mov to CR exiting to all cores.
Definition HaltedBroadcast.c:301
HaltedRoutineEnableMovToCrExitingOnSingleCore
VOID HaltedRoutineEnableMovToCrExitingOnSingleCore(UINT32 TargetCoreId, DEBUGGER_EVENT_OPTIONS *BroadcastingOption)
This function performs running enable mov to CR exiting on a single core.
Definition HaltedRoutines.c:306
_DEBUGGER_EVENT_OPTIONS::OptionalParam2
UINT64 OptionalParam2
Definition Events.h:273
_DEBUGGER_EVENT_OPTIONS::OptionalParam1
UINT64 OptionalParam1
Definition Events.h:272
_DEBUGGER_EVENT::InitOptions
DEBUGGER_EVENT_OPTIONS InitOptions
Definition Debugger.h:129
_DEBUGGER_EVENT::CoreId
UINT32 CoreId
Definition Debugger.h:113
_DEBUGGER_EVENT::Options
DEBUGGER_EVENT_OPTIONS Options
Definition Debugger.h:131

◆ ApplyEventCpuidExecutionEvent()

VOID ApplyEventCpuidExecutionEvent ( PDEBUGGER_EVENT Event,
PDEBUGGER_EVENT_AND_ACTION_RESULT ResultsToReturn,
BOOLEAN InputFromVmxRoot )

Applying CPUID instruction execution events.

Parameters
EventThe created event object
ResultsToReturnResult buffer that should be returned to the user-mode
InputFromVmxRootWhether the input comes from VMX root-mode or IOCTL
Returns
VOID
1275{
1276 UNREFERENCED_PARAMETER(Event);
1277 UNREFERENCED_PARAMETER(ResultsToReturn);
1278 UNREFERENCED_PARAMETER(InputFromVmxRoot);
1279
1280 //
1281 // Enable triggering events for CPUIDs. This event doesn't support custom optional
1282 // parameter(s) because it's unconditional users can use condition(s) to check for
1283 // their custom optional parameters
1284 //
1285 VmFuncSetTriggerEventForCpuids(TRUE);
1286}
TRUE
#define TRUE
Definition BasicTypes.h:55
VmFuncSetTriggerEventForCpuids
VOID VmFuncSetTriggerEventForCpuids(BOOLEAN Set)
Set triggering events for CPUIDs.
Definition Export.c:587

◆ ApplyEventEferSyscallHookEvent()

VOID ApplyEventEferSyscallHookEvent ( PDEBUGGER_EVENT Event,
PDEBUGGER_EVENT_AND_ACTION_RESULT ResultsToReturn,
BOOLEAN InputFromVmxRoot )

Applying EFER SYSCALL hook events.

Parameters
EventThe created event object
ResultsToReturnResult buffer that should be returned to the user-mode
InputFromVmxRootWhether the input comes from VMX root-mode or IOCTL
Returns
VOID
1017{
1018 UNREFERENCED_PARAMETER(ResultsToReturn);
1019
1020 DEBUGGER_EVENT_SYSCALL_SYSRET_TYPE SyscallHookType = DEBUGGER_EVENT_SYSCALL_SYSRET_SAFE_ACCESS_MEMORY;
1021
1022 //
1023 // whether it's a !syscall2 or !sysret2
1024 //
1025 if (Event->InitOptions.OptionalParam2 == DEBUGGER_EVENT_SYSCALL_SYSRET_HANDLE_ALL_UD)
1026 {
1027 SyscallHookType = DEBUGGER_EVENT_SYSCALL_SYSRET_HANDLE_ALL_UD;
1028 }
1029 else if (Event->InitOptions.OptionalParam2 == DEBUGGER_EVENT_SYSCALL_SYSRET_SAFE_ACCESS_MEMORY)
1030 {
1031 SyscallHookType = DEBUGGER_EVENT_SYSCALL_SYSRET_SAFE_ACCESS_MEMORY;
1032 }
1033
1034 //
1035 // Set hook type
1036 //
1037 ConfigureSetEferSyscallOrSysretHookType(SyscallHookType);
1038
1039 //
1040 // Let's see if it is for all cores or just one core
1041 //
1042 if (Event->CoreId == DEBUGGER_EVENT_APPLY_TO_ALL_CORES)
1043 {
1044 //
1045 // All cores
1046 //
1047 if (InputFromVmxRoot)
1048 {
1049 HaltedBroadcastEnableEferSyscallHookAllCores();
1050 }
1051 else
1052 {
1053 DebuggerEventEnableEferOnAllProcessors();
1054 }
1055 }
1056 else
1057 {
1058 if (InputFromVmxRoot)
1059 {
1060 HaltedRoutineEnableEferSyscallHookOnSingleCore(Event->CoreId);
1061 }
1062 else
1063 {
1064 ConfigureEnableEferSyscallHookOnSingleCore(Event->CoreId);
1065 }
1066 }
1067
1068 //
1069 // Set the event's target syscall number and save the approach
1070 // of handling event details
1071 //
1072 Event->Options.OptionalParam1 = Event->InitOptions.OptionalParam1;
1073 Event->Options.OptionalParam2 = SyscallHookType;
1074}
ConfigureSetEferSyscallOrSysretHookType
VOID ConfigureSetEferSyscallOrSysretHookType(DEBUGGER_EVENT_SYSCALL_SYSRET_TYPE SyscallHookType)
routines for setting EFER syscall or sysret hooks type
Definition Configuration.c:439
ConfigureEnableEferSyscallHookOnSingleCore
VOID ConfigureEnableEferSyscallHookOnSingleCore(UINT32 TargetCoreId)
routines for enabling EFER syscall hooks on a single core
Definition Configuration.c:426
DebuggerEventEnableEferOnAllProcessors
VOID DebuggerEventEnableEferOnAllProcessors()
routines for !syscall command (enable syscall hook)
Definition DebuggerEvents.c:20
HaltedBroadcastEnableEferSyscallHookAllCores
VOID HaltedBroadcastEnableEferSyscallHookAllCores()
This function broadcasts enable syscall hook using EFER SCE bit to all cores.
Definition HaltedBroadcast.c:334
HaltedRoutineEnableEferSyscallHookOnSingleCore
VOID HaltedRoutineEnableEferSyscallHookOnSingleCore(UINT32 TargetCoreId)
This function performs running enable syscall hook using EFER SCE bit on a single core.
Definition HaltedRoutines.c:340
DEBUGGER_EVENT_SYSCALL_SYSRET_SAFE_ACCESS_MEMORY
@ DEBUGGER_EVENT_SYSCALL_SYSRET_SAFE_ACCESS_MEMORY
Definition Events.h:192
DEBUGGER_EVENT_SYSCALL_SYSRET_HANDLE_ALL_UD
@ DEBUGGER_EVENT_SYSCALL_SYSRET_HANDLE_ALL_UD
Definition Events.h:193
DEBUGGER_EVENT_SYSCALL_SYSRET_TYPE
enum _DEBUGGER_EVENT_SYSCALL_SYSRET_TYPE DEBUGGER_EVENT_SYSCALL_SYSRET_TYPE
Type of handling !syscall or !sysret.

◆ ApplyEventEferSysretHookEvent()

VOID ApplyEventEferSysretHookEvent ( PDEBUGGER_EVENT Event,
PDEBUGGER_EVENT_AND_ACTION_RESULT ResultsToReturn,
BOOLEAN InputFromVmxRoot )

Applying EFER SYSRET hook events.

Parameters
EventThe created event object
ResultsToReturnResult buffer that should be returned to the user-mode
InputFromVmxRootWhether the input comes from VMX root-mode or IOCTL
Returns
VOID
1090{
1091 UNREFERENCED_PARAMETER(ResultsToReturn);
1092
1093 DEBUGGER_EVENT_SYSCALL_SYSRET_TYPE SyscallHookType = DEBUGGER_EVENT_SYSCALL_SYSRET_SAFE_ACCESS_MEMORY;
1094
1095 //
1096 // whether it's a !syscall2 or !sysret2
1097 //
1098 if (Event->InitOptions.OptionalParam2 == DEBUGGER_EVENT_SYSCALL_SYSRET_HANDLE_ALL_UD)
1099 {
1100 SyscallHookType = DEBUGGER_EVENT_SYSCALL_SYSRET_HANDLE_ALL_UD;
1101 }
1102 else if (Event->InitOptions.OptionalParam2 == DEBUGGER_EVENT_SYSCALL_SYSRET_SAFE_ACCESS_MEMORY)
1103 {
1104 SyscallHookType = DEBUGGER_EVENT_SYSCALL_SYSRET_SAFE_ACCESS_MEMORY;
1105 }
1106
1107 //
1108 // Set hook type
1109 //
1110 ConfigureSetEferSyscallOrSysretHookType(SyscallHookType);
1111
1112 //
1113 // Let's see if it is for all cores or just one core
1114 //
1115 if (Event->CoreId == DEBUGGER_EVENT_APPLY_TO_ALL_CORES)
1116 {
1117 //
1118 // All cores
1119 //
1120 if (InputFromVmxRoot)
1121 {
1122 HaltedBroadcastEnableEferSyscallHookAllCores();
1123 }
1124 else
1125 {
1126 DebuggerEventEnableEferOnAllProcessors();
1127 }
1128 }
1129 else
1130 {
1131 //
1132 // Just one core
1133 //
1134 if (InputFromVmxRoot)
1135 {
1136 HaltedRoutineEnableEferSyscallHookOnSingleCore(Event->CoreId);
1137 }
1138 else
1139 {
1140 ConfigureEnableEferSyscallHookOnSingleCore(Event->CoreId);
1141 }
1142 }
1143
1144 //
1145 // Set the event's target syscall number and save the approach
1146 // of handling event details
1147 //
1148 Event->Options.OptionalParam1 = Event->InitOptions.OptionalParam1;
1149 Event->Options.OptionalParam2 = SyscallHookType;
1150}

◆ ApplyEventEptHookExecCcEvent()

BOOLEAN ApplyEventEptHookExecCcEvent ( PDEBUGGER_EVENT Event,
PDEBUGGER_EVENT_AND_ACTION_RESULT ResultsToReturn,
BOOLEAN InputFromVmxRoot )

Applying EPT hook execution (hidden breakpoints) events.

Parameters
EventThe created event object
ResultsToReturnResult buffer that should be returned to the user-mode
InputFromVmxRootWhether the input comes from VMX root-mode or IOCTL
Returns
BOOLEAN
327{
328 UINT32 TempProcessId;
329
330 if (InputFromVmxRoot)
331 {
332 //
333 // *** apply the hook directly from VMX root-mode ***
334 //
335
336 //
337 // First, breakpoints have to be intercepted as the caller to the
338 // direct hook function have to broadcast it by its own
339 //
340 HaltedBroadcastSetExceptionBitmapAllCores(EXCEPTION_VECTOR_BREAKPOINT);
341
342 //
343 // Invoke the hooker
344 //
345 if (!ConfigureEptHookFromVmxRoot((PVOID)Event->InitOptions.OptionalParam1))
346 {
347 //
348 // There was an error applying this event, so we're setting
349 // the event
350 //
351 ResultsToReturn->IsSuccessful = FALSE;
352 ResultsToReturn->Error = DebuggerGetLastError();
353 goto EventNotApplied;
354 }
355 else
356 {
357 //
358 // As the call to hook adjuster was successful, we have to
359 // invalidate the TLB of EPT caches for all cores here
360 //
361 HaltedBroadcastInvalidateSingleContextAllCores();
362 }
363 }
364 else
365 {
366 //
367 // *** apply the hook from VMX non root-mode ***
368 //
369
370 //
371 // Check if process id is equal to DEBUGGER_EVENT_APPLY_TO_ALL_PROCESSES
372 // or if process id is 0 then we use the cr3 of current process
373 //
374 if (Event->ProcessId == DEBUGGER_EVENT_APPLY_TO_ALL_PROCESSES || Event->ProcessId == 0)
375 {
376 TempProcessId = HANDLE_TO_UINT32(PsGetCurrentProcessId());
377 }
378 else
379 {
380 TempProcessId = Event->ProcessId;
381 }
382
383 //
384 // Invoke the hooker
385 //
386 if (!ConfigureEptHook((PVOID)Event->InitOptions.OptionalParam1, TempProcessId))
387 {
388 //
389 // There was an error applying this event, so we're setting
390 // the event
391 //
392 ResultsToReturn->IsSuccessful = FALSE;
393 ResultsToReturn->Error = DebuggerGetLastError();
394 goto EventNotApplied;
395 }
396 }
397
398 //
399 // We set events OptionalParam1 here to make sure that our event is
400 // executed not for all hooks but for this special hook
401 //
402 Event->Options.OptionalParam1 = Event->InitOptions.OptionalParam1;
403
404 //
405 // Applying event was successful
406 //
407 return TRUE;
408
409EventNotApplied:
410
411 return FALSE;
412}
FALSE
#define FALSE
Definition BasicTypes.h:54
UINT32
unsigned int UINT32
Definition BasicTypes.h:48
ConfigureEptHookFromVmxRoot
BOOLEAN ConfigureEptHookFromVmxRoot(PVOID TargetAddress)
This function invokes a direct VMCALL to setup the hook.
Definition Configuration.c:278
ConfigureEptHook
BOOLEAN ConfigureEptHook(PVOID TargetAddress, UINT32 ProcessId)
This function invokes a VMCALL to set the hook and broadcast the exiting for the breakpoints on excep...
Definition Configuration.c:261
DEBUGGER_EVENT_APPLY_TO_ALL_PROCESSES
#define DEBUGGER_EVENT_APPLY_TO_ALL_PROCESSES
Apply the event to all the processes.
Definition Constants.h:617
DebuggerGetLastError
UINT32 DebuggerGetLastError()
Debugger get the last error.
Definition Debugger.c:32
HaltedBroadcastInvalidateSingleContextAllCores
VOID HaltedBroadcastInvalidateSingleContextAllCores()
This function broadcasts invalidate EPT (A Single Context) to all cores.
Definition HaltedBroadcast.c:388
HaltedBroadcastSetExceptionBitmapAllCores
VOID HaltedBroadcastSetExceptionBitmapAllCores(UINT64 ExceptionIndex)
This function broadcasts set exception bitmap to all cores.
Definition HaltedBroadcast.c:233
HANDLE_TO_UINT32
#define HANDLE_TO_UINT32(_var)
Definition MetaMacros.h:39
EXCEPTION_VECTOR_BREAKPOINT
@ EXCEPTION_VECTOR_BREAKPOINT
Definition Events.h:27
_DEBUGGER_EVENT_AND_ACTION_RESULT::Error
UINT32 Error
Definition Events.h:425
_DEBUGGER_EVENT_AND_ACTION_RESULT::IsSuccessful
BOOLEAN IsSuccessful
Definition Events.h:424
_DEBUGGER_EVENT::ProcessId
UINT32 ProcessId
Definition Debugger.h:117

◆ ApplyEventEpthookInlineEvent()

BOOLEAN ApplyEventEpthookInlineEvent ( PDEBUGGER_EVENT Event,
PDEBUGGER_EVENT_AND_ACTION_RESULT ResultsToReturn,
BOOLEAN InputFromVmxRoot )

Applying EPT hook trampoline (inline hook) events.

Parameters
EventThe created event object
ResultsToReturnResult buffer that should be returned to the user-mode
InputFromVmxRootWhether the input comes from VMX root-mode or IOCTL
Returns
BOOLEAN
428{
429 UINT32 TempProcessId;
430
431 if (InputFromVmxRoot)
432 {
433 //
434 // *** apply the hook directly from VMX root-mode ***
435 //
436
437 //
438 // We set events OptionalParam1 here to make sure that our event is
439 // executed not for all hooks but for this special hook
440 // Also, we are sure that this is not null because we checked it before
441 //
442 Event->Options.OptionalParam1 = VirtualAddressToPhysicalAddressOnTargetProcess((PVOID)Event->InitOptions.OptionalParam1);
443
444 //
445 // Invoke the hooker
446 //
447 if (!ConfigureEptHook2FromVmxRoot(KeGetCurrentProcessorNumberEx(NULL),
448 (PVOID)Event->InitOptions.OptionalParam1,
449 NULL))
450 {
451 //
452 // There was an error applying this event, so we're setting
453 // the event
454 //
455 ResultsToReturn->IsSuccessful = FALSE;
456 ResultsToReturn->Error = DebuggerGetLastError();
457 goto EventNotApplied;
458 }
459 else
460 {
461 //
462 // As the call to hook adjuster was successful, we have to
463 // invalidate the TLB of EPT caches for all cores here
464 //
465 HaltedBroadcastInvalidateSingleContextAllCores();
466 }
467 }
468 else
469 {
470 //
471 // *** apply the hook from VMX non root-mode ***
472 //
473
474 //
475 // Check if process id is equal to DEBUGGER_EVENT_APPLY_TO_ALL_PROCESSES
476 // or if process id is 0 then we use the cr3 of current process
477 //
478 if (Event->ProcessId == DEBUGGER_EVENT_APPLY_TO_ALL_PROCESSES || Event->ProcessId == 0)
479 {
480 TempProcessId = HANDLE_TO_UINT32(PsGetCurrentProcessId());
481 }
482 else
483 {
484 TempProcessId = Event->ProcessId;
485 }
486
487 //
488 // We set events OptionalParam1 here to make sure that our event is
489 // executed not for all hooks but for this special hook
490 // Also, we are sure that this is not null because we checked it before
491 //
492 Event->Options.OptionalParam1 = VirtualAddressToPhysicalAddressByProcessId((PVOID)Event->InitOptions.OptionalParam1, TempProcessId);
493
494 //
495 // Invoke the hooker
496 //
497 if (!ConfigureEptHook2(KeGetCurrentProcessorNumberEx(NULL),
498 (PVOID)Event->InitOptions.OptionalParam1,
499 NULL,
500 TempProcessId))
501 {
502 //
503 // There was an error applying this event, so we're setting
504 // the event
505 //
506 ResultsToReturn->IsSuccessful = FALSE;
507 ResultsToReturn->Error = DebuggerGetLastError();
508 goto EventNotApplied;
509 }
510 }
511
512 //
513 // Applying event was successful
514 //
515 return TRUE;
516
517EventNotApplied:
518
519 return FALSE;
520}
ConfigureEptHook2
BOOLEAN ConfigureEptHook2(UINT32 CoreId, PVOID TargetAddress, PVOID HookFunction, UINT32 ProcessId)
This function allocates a buffer in VMX Non Root Mode and then invokes a VMCALL to set the hook (inli...
Definition Configuration.c:295
ConfigureEptHook2FromVmxRoot
BOOLEAN ConfigureEptHook2FromVmxRoot(UINT32 CoreId, PVOID TargetAddress, PVOID HookFunction)
This function allocates a buffer in VMX Non Root Mode and then invokes a VMCALL to set the hook (inli...
Definition Configuration.c:338
VirtualAddressToPhysicalAddressByProcessId
_Use_decl_annotations_ UINT64 VirtualAddressToPhysicalAddressByProcessId(PVOID VirtualAddress, UINT32 ProcessId)
Converts Virtual Address to Physical Address based on a specific process id's kernel cr3.
Definition Conversion.c:171
VirtualAddressToPhysicalAddressOnTargetProcess
_Use_decl_annotations_ UINT64 VirtualAddressToPhysicalAddressOnTargetProcess(PVOID VirtualAddress)
Converts Virtual Address to Physical Address based on the current process's kernel cr3.
Definition Conversion.c:258

◆ ApplyEventExceptionEvent()

VOID ApplyEventExceptionEvent ( PDEBUGGER_EVENT Event,
PDEBUGGER_EVENT_AND_ACTION_RESULT ResultsToReturn,
BOOLEAN InputFromVmxRoot )

Applying exception events.

Parameters
EventThe created event object
ResultsToReturnResult buffer that should be returned to the user-mode
InputFromVmxRootWhether the input comes from VMX root-mode or IOCTL
Returns
VOID
907{
908 UNREFERENCED_PARAMETER(ResultsToReturn);
909
910 //
911 // Let's see if it is for all cores or just one core
912 //
913 if (Event->CoreId == DEBUGGER_EVENT_APPLY_TO_ALL_CORES)
914 {
915 //
916 // All cores
917 //
918 if (InputFromVmxRoot)
919 {
920 HaltedBroadcastSetExceptionBitmapAllCores(Event->InitOptions.OptionalParam1);
921 }
922 else
923 {
924 ExtensionCommandSetExceptionBitmapAllCores(Event->InitOptions.OptionalParam1);
925 }
926 }
927 else
928 {
929 //
930 // Just one core
931 //
932 if (InputFromVmxRoot)
933 {
934 HaltedRoutineSetExceptionBitmapOnSingleCore(Event->CoreId, Event->InitOptions.OptionalParam1);
935 }
936 else
937 {
938 ConfigureSetExceptionBitmapOnSingleCore(Event->CoreId, (UINT32)Event->InitOptions.OptionalParam1);
939 }
940 }
941
942 //
943 // Set the event's target exception
944 //
945 Event->Options.OptionalParam1 = Event->InitOptions.OptionalParam1;
946}
ConfigureSetExceptionBitmapOnSingleCore
VOID ConfigureSetExceptionBitmapOnSingleCore(UINT32 TargetCoreId, UINT32 BitMask)
set exception bitmap on a single core
Definition Configuration.c:512
ExtensionCommandSetExceptionBitmapAllCores
VOID ExtensionCommandSetExceptionBitmapAllCores(UINT64 ExceptionIndex)
routines for !exception command which
Definition ExtensionCommands.c:450
HaltedRoutineSetExceptionBitmapOnSingleCore
VOID HaltedRoutineSetExceptionBitmapOnSingleCore(UINT32 TargetCoreId, UINT64 ExceptionIndex)
This function performs running set exception bitmap on a single core.
Definition HaltedRoutines.c:238

◆ ApplyEventInOutExecutionEvent()

VOID ApplyEventInOutExecutionEvent ( PDEBUGGER_EVENT Event,
PDEBUGGER_EVENT_AND_ACTION_RESULT ResultsToReturn,
BOOLEAN InputFromVmxRoot )

Applying IN/OUT instructions execution events.

Parameters
EventThe created event object
ResultsToReturnResult buffer that should be returned to the user-mode
InputFromVmxRootWhether the input comes from VMX root-mode or IOCTL
Returns
VOID
646{
647 UNREFERENCED_PARAMETER(ResultsToReturn);
648
649 //
650 // Let's see if it is for all cores or just one core
651 //
652 if (Event->CoreId == DEBUGGER_EVENT_APPLY_TO_ALL_CORES)
653 {
654 //
655 // All cores
656 //
657 if (InputFromVmxRoot)
658 {
659 HaltedBroadcastChangeAllIoBitmapAllCores(Event->InitOptions.OptionalParam1);
660 }
661 else
662 {
663 ExtensionCommandIoBitmapChangeAllCores(Event->InitOptions.OptionalParam1);
664 }
665 }
666 else
667 {
668 //
669 // Just one core
670 //
671 if (InputFromVmxRoot)
672 {
673 HaltedRoutineChangeIoBitmapOnSingleCore(Event->CoreId, Event->InitOptions.OptionalParam1);
674 }
675 else
676 {
677 ConfigureChangeIoBitmapOnSingleCore(Event->CoreId, Event->InitOptions.OptionalParam1);
678 }
679 }
680
681 //
682 // Setting an indicator to MSR
683 //
684 Event->Options.OptionalParam1 = Event->InitOptions.OptionalParam1;
685}
ConfigureChangeIoBitmapOnSingleCore
VOID ConfigureChangeIoBitmapOnSingleCore(UINT32 TargetCoreId, UINT64 Port)
change I/O port bitmap on a single core
Definition Configuration.c:568
ExtensionCommandIoBitmapChangeAllCores
VOID ExtensionCommandIoBitmapChangeAllCores(UINT64 Port)
routines for !ioin and !ioout command which
Definition ExtensionCommands.c:576
HaltedBroadcastChangeAllIoBitmapAllCores
VOID HaltedBroadcastChangeAllIoBitmapAllCores(UINT64 Port)
This function broadcasts IO changes to all cores.
Definition HaltedBroadcast.c:91
HaltedRoutineChangeIoBitmapOnSingleCore
VOID HaltedRoutineChangeIoBitmapOnSingleCore(UINT32 TargetCoreId, UINT64 Port)
This function performs running changes to I/O bitmap on a single core.
Definition HaltedRoutines.c:92

◆ ApplyEventInterruptEvent()

VOID ApplyEventInterruptEvent ( PDEBUGGER_EVENT Event,
PDEBUGGER_EVENT_AND_ACTION_RESULT ResultsToReturn,
BOOLEAN InputFromVmxRoot )

Applying interrupt interception events.

Parameters
EventThe created event object
ResultsToReturnResult buffer that should be returned to the user-mode
InputFromVmxRootWhether the input comes from VMX root-mode or IOCTL
Returns
VOID
962{
963 UNREFERENCED_PARAMETER(ResultsToReturn);
964
965 //
966 // Let's see if it is for all cores or just one core
967 //
968 if (Event->CoreId == DEBUGGER_EVENT_APPLY_TO_ALL_CORES)
969 {
970 //
971 // All cores
972 //
973 if (InputFromVmxRoot)
974 {
975 HaltedBroadcastEnableExternalInterruptExitingAllCores();
976 }
977 else
978 {
979 ExtensionCommandSetExternalInterruptExitingAllCores();
980 }
981 }
982 else
983 {
984 //
985 // Just one core
986 //
987 if (InputFromVmxRoot)
988 {
989 HaltedRoutineEnableExternalInterruptExiting(Event->CoreId);
990 }
991 else
992 {
993 ConfigureSetExternalInterruptExitingOnSingleCore(Event->CoreId);
994 }
995 }
996
997 //
998 // Set the event's target interrupt
999 //
1000 Event->Options.OptionalParam1 = Event->InitOptions.OptionalParam1;
1001}
ConfigureSetExternalInterruptExitingOnSingleCore
VOID ConfigureSetExternalInterruptExitingOnSingleCore(UINT32 TargetCoreId)
set external interrupt exiting on a single core
Definition Configuration.c:459
ExtensionCommandSetExternalInterruptExitingAllCores
VOID ExtensionCommandSetExternalInterruptExitingAllCores()
routines for !interrupt command which
Definition ExtensionCommands.c:549
HaltedBroadcastEnableExternalInterruptExitingAllCores
VOID HaltedBroadcastEnableExternalInterruptExitingAllCores()
This function broadcasts enable external interrupt exiting to all cores.
Definition HaltedBroadcast.c:204
HaltedRoutineEnableExternalInterruptExiting
VOID HaltedRoutineEnableExternalInterruptExiting(UINT32 TargetCoreId)
This function performs running enable external interrupt exiting on a single core.
Definition HaltedRoutines.c:209

◆ ApplyEventMonitorEvent()

BOOLEAN ApplyEventMonitorEvent ( PDEBUGGER_EVENT Event,
PDEBUGGER_EVENT_AND_ACTION_RESULT ResultsToReturn,
BOOLEAN InputFromVmxRoot )

Applying monitor memory hook events.

Parameters
EventThe created event object
ResultsToReturnResult buffer that should be returned to the user-mode
InputFromVmxRootWhether the input comes from VMX root-mode or IOCTL
Returns
BOOLEAN
29{
30 UINT32 TempProcessId;
31 BOOLEAN ResultOfApplyingEvent = FALSE;
32 UINT64 RemainingSize;
33 UINT64 PagesBytes;
34 UINT64 ConstEndAddress;
35 UINT64 TempStartAddress;
36 UINT64 TempEndAddress;
37 UINT64 TempNextPageAddr;
38 EPT_HOOKS_ADDRESS_DETAILS_FOR_MEMORY_MONITOR HookingAddresses = {0};
39
40 if (InputFromVmxRoot)
41 {
42 TempProcessId = NULL_ZERO; // Process Id does not make sense in the Debugger Mode
43 }
44 else
45 {
46 //
47 // Check if process id is equal to DEBUGGER_EVENT_APPLY_TO_ALL_PROCESSES
48 // or if process id is 0 then we use the cr3 of current process
49 //
50 if (Event->ProcessId == DEBUGGER_EVENT_APPLY_TO_ALL_PROCESSES || Event->ProcessId == 0)
51 {
52 TempProcessId = HANDLE_TO_UINT32(PsGetCurrentProcessId());
53 }
54 else
55 {
56 TempProcessId = Event->ProcessId;
57 }
58 }
59 //
60 // In all the cases we should set both read/write, even if it's only
61 // read we should set the write too!
62 // Also execute bit has the same conditions here, because if write is set
63 // read should be also set
64 //
65 switch (Event->EventType)
66 {
67 case HIDDEN_HOOK_READ_AND_WRITE_AND_EXECUTE:
68 case HIDDEN_HOOK_READ_AND_EXECUTE:
69
70 HookingAddresses.SetHookForRead = TRUE;
71 HookingAddresses.SetHookForWrite = TRUE;
72 HookingAddresses.SetHookForExec = TRUE;
73
74 break;
75
76 case HIDDEN_HOOK_WRITE_AND_EXECUTE:
77
78 HookingAddresses.SetHookForRead = FALSE;
79 HookingAddresses.SetHookForWrite = TRUE;
80 HookingAddresses.SetHookForExec = FALSE;
81
82 break;
83
84 case HIDDEN_HOOK_READ_AND_WRITE:
85 case HIDDEN_HOOK_READ:
86
87 HookingAddresses.SetHookForRead = TRUE;
88 HookingAddresses.SetHookForWrite = TRUE;
89 HookingAddresses.SetHookForExec = FALSE;
90
91 break;
92
93 case HIDDEN_HOOK_WRITE:
94
95 HookingAddresses.SetHookForRead = FALSE;
96 HookingAddresses.SetHookForWrite = TRUE;
97 HookingAddresses.SetHookForExec = FALSE;
98
99 break;
100
101 case HIDDEN_HOOK_EXECUTE:
102
103 HookingAddresses.SetHookForRead = FALSE;
104 HookingAddresses.SetHookForWrite = FALSE;
105 HookingAddresses.SetHookForExec = TRUE;
106
107 break;
108
109 default:
110 LogError("Err, Invalid monitor hook type");
111
112 ResultsToReturn->IsSuccessful = FALSE;
113 ResultsToReturn->Error = DEBUGGER_ERROR_EVENT_TYPE_IS_INVALID;
114
115 goto EventNotApplied;
116
117 break;
118 }
119
120 //
121 // Set the tag
122 //
123 HookingAddresses.Tag = Event->Tag;
124
125 TempStartAddress = Event->InitOptions.OptionalParam1;
126 TempEndAddress = Event->InitOptions.OptionalParam2;
127 ConstEndAddress = TempEndAddress;
128
129 PagesBytes = (UINT64)PAGE_ALIGN(TempStartAddress);
130 PagesBytes = TempEndAddress - PagesBytes;
131 PagesBytes = PagesBytes / PAGE_SIZE;
132
133 RemainingSize = TempEndAddress - TempStartAddress;
134
135 // LogInfo("Start address: %llx, end address: %llx", TempStartAddress, TempEndAddress, RemainingSize);
136
137 for (size_t i = 0; i <= PagesBytes; i++)
138 {
139 if (RemainingSize >= PAGE_SIZE)
140 {
141 TempEndAddress = (TempStartAddress + ((UINT64)PAGE_ALIGN(TempStartAddress + PAGE_SIZE) - TempStartAddress)) - 1;
142 RemainingSize = ConstEndAddress - TempEndAddress - 1;
143 }
144 else
145 {
146 TempNextPageAddr = (UINT64)PAGE_ALIGN(TempStartAddress + RemainingSize);
147
148 //
149 // Check if by adding the remaining size, we'll go to the next
150 // page boundary or not
151 //
152 if (TempNextPageAddr > ((UINT64)PAGE_ALIGN(TempStartAddress)))
153 {
154 //
155 // It goes to the next page boundary
156 //
157 TempEndAddress = TempNextPageAddr - 1;
158 RemainingSize = RemainingSize - (TempEndAddress - TempStartAddress) - 1;
159 }
160 else
161 {
162 TempEndAddress = TempStartAddress + RemainingSize;
163 RemainingSize = 0;
164 }
165 }
166
167 // LogInfo("Start address: %llx, end address: %llx, remaining size: %llx",
168 // TempStartAddress,
169 // TempEndAddress,
170 // RemainingSize);
171
172 //
173 // Setup hooking addresses
174 //
175 HookingAddresses.StartAddress = TempStartAddress;
176 HookingAddresses.EndAddress = TempEndAddress;
177
178 if ((DEBUGGER_HOOK_MEMORY_TYPE)Event->InitOptions.OptionalParam3 == DEBUGGER_MEMORY_HOOK_PHYSICAL_ADDRESS)
179 {
180 HookingAddresses.MemoryType = DEBUGGER_MEMORY_HOOK_PHYSICAL_ADDRESS;
181 }
182 else
183 {
184 HookingAddresses.MemoryType = DEBUGGER_MEMORY_HOOK_VIRTUAL_ADDRESS;
185 }
186
187 //
188 // Apply the hook
189 //
190 ResultOfApplyingEvent = DebuggerEventEnableMonitorReadWriteExec(&HookingAddresses,
191 TempProcessId,
192 InputFromVmxRoot);
193
194 if (!ResultOfApplyingEvent)
195 {
196 //
197 // The event is not applied, won't apply other EPT modifications
198 // as we want to remove this event
199 //
200
201 //
202 // Now we should restore the previously applied events (if any)
203 //
204 if (InputFromVmxRoot)
205 {
206 //
207 // EPT hooking tag is same as event tag, so we can use it to unhook
208 //
209 TerminateEptHookUnHookAllHooksByHookingTagFromVmxRootAndApplyInvalidation(Event->Tag);
210 }
211 else
212 {
213 //
214 // EPT hooking tag is same as event tag, so we can use it to unhook
215 //
216 ConfigureEptHookUnHookAllByHookingTag(Event->Tag);
217 }
218
219 //
220 // Break from the loop
221 //
222 break;
223 }
224 else
225 {
226 //
227 // We applied the hook and the pre-allocated buffers are used
228 // for this hook, as here is a safe PASSIVE_LEVEL we can force
229 // the Windows to reallocate some pools for us, thus, if this
230 // hook is continued to other pages, we still have pre-allocated
231 // buffers ready for our future hooks
232 //
233 if (!InputFromVmxRoot)
234 {
235 PoolManagerCheckAndPerformAllocationAndDeallocation();
236 }
237 }
238
239 //
240 // Swap the temporary start address and temporary end address
241 //
242 TempStartAddress = TempEndAddress + 1;
243 }
244
245 //
246 // If applied directly from VMX root-mode,
247 // As the call to hook adjuster was successful, we have to
248 // invalidate the TLB of EPT caches for all cores here
249 //
250 if (InputFromVmxRoot)
251 {
252 HaltedBroadcastInvalidateSingleContextAllCores();
253 }
254
255 //
256 // Check if address is virtual or physical
257 //
258 if ((DEBUGGER_HOOK_MEMORY_TYPE)Event->Options.OptionalParam3 == DEBUGGER_MEMORY_HOOK_PHYSICAL_ADDRESS)
259 {
260 //
261 // It's a physical address so we just save the addresses without conversion
262 //
263 Event->Options.OptionalParam1 = Event->InitOptions.OptionalParam1;
264 Event->Options.OptionalParam2 = Event->InitOptions.OptionalParam2;
265 }
266 else
267 {
268 //
269 // It's a virtual address, we convert the Event's optional parameters physical address
270 // because vm-exit occurs and we have the physical address to compare in the case of
271 // hidden hook rw events
272 //
273 if (InputFromVmxRoot)
274 {
275 Event->Options.OptionalParam1 = VirtualAddressToPhysicalAddressOnTargetProcess((PVOID)Event->InitOptions.OptionalParam1);
276 Event->Options.OptionalParam2 = VirtualAddressToPhysicalAddressOnTargetProcess((PVOID)Event->InitOptions.OptionalParam2);
277 }
278 else
279 {
280 Event->Options.OptionalParam1 = VirtualAddressToPhysicalAddressByProcessId((PVOID)Event->InitOptions.OptionalParam1, TempProcessId);
281 Event->Options.OptionalParam2 = VirtualAddressToPhysicalAddressByProcessId((PVOID)Event->InitOptions.OptionalParam2, TempProcessId);
282 }
283 }
284
285 //
286 // The initial options are also recorded
287 //
288 Event->Options.OptionalParam3 = Event->InitOptions.OptionalParam1;
289 Event->Options.OptionalParam4 = Event->InitOptions.OptionalParam2;
290 Event->Options.OptionalParam5 = Event->InitOptions.OptionalParam3; // This parameter shows whether the address is physical or virtual
291
292 //
293 // Check if we should restore the event if it was not successful
294 //
295 if (!ResultOfApplyingEvent)
296 {
297 ResultsToReturn->IsSuccessful = FALSE;
298 ResultsToReturn->Error = DebuggerGetLastError();
299
300 goto EventNotApplied;
301 }
302
303 //
304 // Applying event was successful
305 //
306 return TRUE;
307
308EventNotApplied:
309
310 return FALSE;
311}
BOOLEAN
UCHAR BOOLEAN
Definition BasicTypes.h:39
NULL_ZERO
#define NULL_ZERO
Definition BasicTypes.h:51
UINT64
unsigned __int64 UINT64
Definition BasicTypes.h:21
ConfigureEptHookUnHookAllByHookingTag
BOOLEAN ConfigureEptHookUnHookAllByHookingTag(UINT64 HookingTag)
Remove all hooks from the hooked pages list using Hooking Tag.
Definition Configuration.c:157
DEBUGGER_MEMORY_HOOK_VIRTUAL_ADDRESS
@ DEBUGGER_MEMORY_HOOK_VIRTUAL_ADDRESS
Definition DataTypes.h:311
DEBUGGER_MEMORY_HOOK_PHYSICAL_ADDRESS
@ DEBUGGER_MEMORY_HOOK_PHYSICAL_ADDRESS
Definition DataTypes.h:312
DEBUGGER_HOOK_MEMORY_TYPE
enum _DEBUGGER_HOOK_MEMORY_TYPE DEBUGGER_HOOK_MEMORY_TYPE
different type of memory addresses
DebuggerEventEnableMonitorReadWriteExec
BOOLEAN DebuggerEventEnableMonitorReadWriteExec(EPT_HOOKS_ADDRESS_DETAILS_FOR_MEMORY_MONITOR *HookingDetails, UINT32 ProcessId, BOOLEAN ApplyDirectlyFromVmxRoot)
Apply monitor ept hook events for address.
Definition DebuggerEvents.c:68
DEBUGGER_ERROR_EVENT_TYPE_IS_INVALID
#define DEBUGGER_ERROR_EVENT_TYPE_IS_INVALID
error, the event type is unknown
Definition ErrorCodes.h:51
LogError
#define LogError(format,...)
Log in the case of error.
Definition HyperDbgHyperLogIntrinsics.h:113
PoolManagerCheckAndPerformAllocationAndDeallocation
BOOLEAN PoolManagerCheckAndPerformAllocationAndDeallocation()
This function performs allocations from VMX non-root based on g_RequestNewAllocation.
Definition PoolManager.c:302
TerminateEptHookUnHookAllHooksByHookingTagFromVmxRootAndApplyInvalidation
BOOLEAN TerminateEptHookUnHookAllHooksByHookingTagFromVmxRootAndApplyInvalidation(UINT64 HookingTag)
Remove all hooks from the hooked pages list and invalidate TLB using hooking tag.
Definition Termination.c:1648
HIDDEN_HOOK_WRITE_AND_EXECUTE
@ HIDDEN_HOOK_WRITE_AND_EXECUTE
Definition Events.h:103
HIDDEN_HOOK_READ_AND_WRITE
@ HIDDEN_HOOK_READ_AND_WRITE
Definition Events.h:101
HIDDEN_HOOK_READ_AND_EXECUTE
@ HIDDEN_HOOK_READ_AND_EXECUTE
Definition Events.h:102
HIDDEN_HOOK_READ
@ HIDDEN_HOOK_READ
Definition Events.h:104
HIDDEN_HOOK_WRITE
@ HIDDEN_HOOK_WRITE
Definition Events.h:105
HIDDEN_HOOK_READ_AND_WRITE_AND_EXECUTE
@ HIDDEN_HOOK_READ_AND_WRITE_AND_EXECUTE
Definition Events.h:100
HIDDEN_HOOK_EXECUTE
@ HIDDEN_HOOK_EXECUTE
Definition Events.h:106
PAGE_SIZE
#define PAGE_SIZE
Size of each page (4096 bytes)
Definition common.h:69
PAGE_ALIGN
#define PAGE_ALIGN(Va)
Aligning a page.
Definition common.h:75
_DEBUGGER_EVENT_OPTIONS::OptionalParam5
UINT64 OptionalParam5
Definition Events.h:276
_DEBUGGER_EVENT_OPTIONS::OptionalParam3
UINT64 OptionalParam3
Definition Events.h:274
_DEBUGGER_EVENT_OPTIONS::OptionalParam4
UINT64 OptionalParam4
Definition Events.h:275
_DEBUGGER_EVENT::Tag
UINT64 Tag
Definition Debugger.h:109
_DEBUGGER_EVENT::EventType
VMM_EVENT_TYPE_ENUM EventType
Definition Debugger.h:111
_EPT_HOOKS_ADDRESS_DETAILS_FOR_MEMORY_MONITOR
Setting details for EPT Hooks (!monitor)
Definition DataTypes.h:331
_EPT_HOOKS_ADDRESS_DETAILS_FOR_MEMORY_MONITOR::StartAddress
UINT64 StartAddress
Definition DataTypes.h:332
_EPT_HOOKS_ADDRESS_DETAILS_FOR_MEMORY_MONITOR::SetHookForRead
BOOLEAN SetHookForRead
Definition DataTypes.h:334
_EPT_HOOKS_ADDRESS_DETAILS_FOR_MEMORY_MONITOR::SetHookForWrite
BOOLEAN SetHookForWrite
Definition DataTypes.h:335
_EPT_HOOKS_ADDRESS_DETAILS_FOR_MEMORY_MONITOR::EndAddress
UINT64 EndAddress
Definition DataTypes.h:333
_EPT_HOOKS_ADDRESS_DETAILS_FOR_MEMORY_MONITOR::MemoryType
DEBUGGER_HOOK_MEMORY_TYPE MemoryType
Definition DataTypes.h:337
_EPT_HOOKS_ADDRESS_DETAILS_FOR_MEMORY_MONITOR::SetHookForExec
BOOLEAN SetHookForExec
Definition DataTypes.h:336
_EPT_HOOKS_ADDRESS_DETAILS_FOR_MEMORY_MONITOR::Tag
UINT64 Tag
Definition DataTypes.h:338

◆ ApplyEventMov2DebugRegExecutionEvent()

VOID ApplyEventMov2DebugRegExecutionEvent ( PDEBUGGER_EVENT Event,
PDEBUGGER_EVENT_AND_ACTION_RESULT ResultsToReturn,
BOOLEAN InputFromVmxRoot )

Applying mov 2 debug registers events.

Parameters
EventThe created event object
ResultsToReturnResult buffer that should be returned to the user-mode
InputFromVmxRootWhether the input comes from VMX root-mode or IOCTL
Returns
VOID
801{
802 UNREFERENCED_PARAMETER(InputFromVmxRoot);
803
804 //
805 // Let's see if it is for all cores or just one core
806 //
807 if (Event->CoreId == DEBUGGER_EVENT_APPLY_TO_ALL_CORES)
808 {
809 //
810 // All cores
811 //
812 if (ResultsToReturn)
813 {
814 HaltedBroadcastEnableMov2DebugRegsExitingAllCores();
815 }
816 else
817 {
818 ExtensionCommandEnableMovDebugRegistersExitingAllCores();
819 }
820 }
821 else
822 {
823 //
824 // Just one core
825 //
826 if (ResultsToReturn)
827 {
828 HaltedRoutineEnableMov2DebugRegsExitingOnSingleCore(Event->CoreId);
829 }
830 else
831 {
832 ConfigureEnableMovToDebugRegistersExitingOnSingleCore(Event->CoreId);
833 }
834 }
835}
ConfigureEnableMovToDebugRegistersExitingOnSingleCore
VOID ConfigureEnableMovToDebugRegistersExitingOnSingleCore(UINT32 TargetCoreId)
enable mov 2 debug register exiting on a single core
Definition Configuration.c:498
ExtensionCommandEnableMovDebugRegistersExitingAllCores
VOID ExtensionCommandEnableMovDebugRegistersExitingAllCores()
routines for !dr
Definition ExtensionCommands.c:522
HaltedBroadcastEnableMov2DebugRegsExitingAllCores
VOID HaltedBroadcastEnableMov2DebugRegsExitingAllCores()
This function broadcasts enable mov to debug registers exiting to all cores.
Definition HaltedBroadcast.c:177
HaltedRoutineEnableMov2DebugRegsExitingOnSingleCore
VOID HaltedRoutineEnableMov2DebugRegsExitingOnSingleCore(UINT32 TargetCoreId)
This function performs running enable mov to debug registers exiting on a single core.
Definition HaltedRoutines.c:181

◆ ApplyEventRdmsrExecutionEvent()

VOID ApplyEventRdmsrExecutionEvent ( PDEBUGGER_EVENT Event,
PDEBUGGER_EVENT_AND_ACTION_RESULT ResultsToReturn,
BOOLEAN InputFromVmxRoot )

Applying RDMSR execution events.

Parameters
EventThe created event object
ResultsToReturnResult buffer that should be returned to the user-mode
InputFromVmxRootWhether the input comes from VMX root-mode or IOCTL
Returns
VOID
536{
537 UNREFERENCED_PARAMETER(ResultsToReturn);
538
539 //
540 // Let's see if it is for all cores or just one core
541 //
542 if (Event->CoreId == DEBUGGER_EVENT_APPLY_TO_ALL_CORES)
543 {
544 //
545 // All cores
546 //
547 if (InputFromVmxRoot)
548 {
549 HaltedBroadcastChangeAllMsrBitmapReadAllCores(Event->InitOptions.OptionalParam1);
550 }
551 else
552 {
553 ExtensionCommandChangeAllMsrBitmapReadAllCores(Event->InitOptions.OptionalParam1);
554 }
555 }
556 else
557 {
558 //
559 // Just one core
560 //
561 if (InputFromVmxRoot)
562 {
563 HaltedRoutineChangeAllMsrBitmapReadOnSingleCore(Event->CoreId, Event->InitOptions.OptionalParam1);
564 }
565 else
566 {
567 ConfigureChangeMsrBitmapReadOnSingleCore(Event->CoreId, Event->InitOptions.OptionalParam1);
568 }
569 }
570
571 //
572 // Setting an indicator to MSR
573 //
574 Event->Options.OptionalParam1 = Event->InitOptions.OptionalParam1;
575}
ConfigureChangeMsrBitmapReadOnSingleCore
VOID ConfigureChangeMsrBitmapReadOnSingleCore(UINT32 TargetCoreId, UINT64 MsrMask)
change the mask of msr bitmaps for read on a single core
Definition Configuration.c:554
ExtensionCommandChangeAllMsrBitmapReadAllCores
VOID ExtensionCommandChangeAllMsrBitmapReadAllCores(UINT64 BitmapMask)
routines for !msrread command which
Definition ExtensionCommands.c:300
HaltedBroadcastChangeAllMsrBitmapReadAllCores
VOID HaltedBroadcastChangeAllMsrBitmapReadAllCores(UINT64 BitmapMask)
This function broadcasts MSR (READ) changes to all cores.
Definition HaltedBroadcast.c:23
HaltedRoutineChangeAllMsrBitmapReadOnSingleCore
VOID HaltedRoutineChangeAllMsrBitmapReadOnSingleCore(UINT32 TargetCoreId, UINT64 BitmapMask)
This function performs running MSR changes (RDMSR) on a single core.
Definition HaltedRoutines.c:24

◆ ApplyEventRdpmcExecutionEvent()

VOID ApplyEventRdpmcExecutionEvent ( PDEBUGGER_EVENT Event,
PDEBUGGER_EVENT_AND_ACTION_RESULT ResultsToReturn,
BOOLEAN InputFromVmxRoot )

Applying RDPMC instruction execution events.

Parameters
EventThe created event object
ResultsToReturnResult buffer that should be returned to the user-mode
InputFromVmxRootWhether the input comes from VMX root-mode or IOCTL
Returns
VOID
751{
752 UNREFERENCED_PARAMETER(ResultsToReturn);
753
754 //
755 // Let's see if it is for all cores or just one core
756 //
757 if (Event->CoreId == DEBUGGER_EVENT_APPLY_TO_ALL_CORES)
758 {
759 //
760 // All cores
761 //
762 if (InputFromVmxRoot)
763 {
764 HaltedBroadcastEnableRdpmcExitingAllCores();
765 }
766 else
767 {
768 ExtensionCommandEnableRdpmcExitingAllCores();
769 }
770 }
771 else
772 {
773 //
774 // Just one core
775 //
776 if (InputFromVmxRoot)
777 {
778 HaltedRoutineEnableRdpmcExitingOnSingleCore(Event->CoreId);
779 }
780 else
781 {
782 ConfigureEnableRdpmcExitingOnSingleCore(Event->CoreId);
783 }
784 }
785}
ConfigureEnableRdpmcExitingOnSingleCore
VOID ConfigureEnableRdpmcExitingOnSingleCore(UINT32 TargetCoreId)
enable RDPMC exiting on a single core
Definition Configuration.c:485
ExtensionCommandEnableRdpmcExitingAllCores
VOID ExtensionCommandEnableRdpmcExitingAllCores()
routines for !pmc
Definition ExtensionCommands.c:421
HaltedBroadcastEnableRdpmcExitingAllCores
VOID HaltedBroadcastEnableRdpmcExitingAllCores()
This function broadcasts enable RDPMC exiting to all cores.
Definition HaltedBroadcast.c:123
HaltedRoutineEnableRdpmcExitingOnSingleCore
VOID HaltedRoutineEnableRdpmcExitingOnSingleCore(UINT32 TargetCoreId)
This function performs running enable RDPMC exiting on a single core.
Definition HaltedRoutines.c:125

◆ ApplyEventTracingEvent()

VOID ApplyEventTracingEvent ( PDEBUGGER_EVENT Event,
PDEBUGGER_EVENT_AND_ACTION_RESULT ResultsToReturn,
BOOLEAN InputFromVmxRoot )

Applying trace events.

Parameters
EventThe created event object
ResultsToReturnResult buffer that should be returned to the user-mode
InputFromVmxRootWhether the input comes from VMX root-mode or IOCTL
Returns
VOID
1302{
1303 UNREFERENCED_PARAMETER(ResultsToReturn);
1304 UNREFERENCED_PARAMETER(InputFromVmxRoot);
1305
1306 //
1307 // This is a dependent-event thus, it will be activated later by
1308 // another event and nothing needs to be initiated at this stage
1309 //
1310
1311 //
1312 // Save the type of the trace
1313 //
1314 Event->Options.OptionalParam1 = Event->InitOptions.OptionalParam1;
1315}

◆ ApplyEventTrapModeChangeEvent()

BOOLEAN ApplyEventTrapModeChangeEvent ( PDEBUGGER_EVENT Event,
PDEBUGGER_EVENT_AND_ACTION_RESULT ResultsToReturn,
BOOLEAN InputFromVmxRoot )

Applying trap mode change events.

Parameters
EventThe created event object
ResultsToReturnResult buffer that should be returned to the user-mode
InputFromVmxRootWhether the input comes from VMX root-mode or IOCTL
Returns
BOOLEAN
1193{
1194 //
1195 // Set the event's mode of execution
1196 //
1197 Event->Options.OptionalParam1 = Event->InitOptions.OptionalParam1;
1198
1199 if (InputFromVmxRoot)
1200 {
1201 //
1202 // The event registration is coming from VMX root-mode, we
1203 // cannot initialize this event in VMX-root mode, so we need
1204 // to check whether it's already activated (using the 'preactivate' command)
1205 // or not and if it's activated then we can just add the current process
1206 // to the watchlist, otherwise the user needs to preactivate this event
1207 //
1208
1209 //
1210 // Technically, it's possible to initiate this mechanism at this point
1211 // but it involves preallocating huge buffers so we prefer not to allocate
1212 // these amount of buffers by default in HyperDbg as the users might not
1213 // really use this mechanism and it would be a waste of system resources
1214 // so, if the user needs to use this mechanism, it can use the 'preactivate'
1215 // command to first activate this mechanism and then use it
1216 //
1217 if (VmFuncQueryModeExecTrap())
1218 {
1219 //
1220 // Add the process to the watching list
1221 //
1222 ConfigureExecTrapAddProcessToWatchingList(Event->ProcessId);
1223 }
1224 else
1225 {
1226 //
1227 // The mode exec trap is not initialized
1228 //
1229 ResultsToReturn->IsSuccessful = FALSE;
1230 ResultsToReturn->Error = DEBUGGER_ERROR_THE_MODE_EXEC_TRAP_IS_NOT_INITIALIZED;
1231
1232 return FALSE;
1233 }
1234 }
1235 else
1236 {
1237 //
1238 // The event registration is coming from VMX non-root mode so we
1239 // can initialize this mechanism if it's not already initialized
1240 //
1241
1242 //
1243 // Add the process to the watching list
1244 //
1245 ConfigureExecTrapAddProcessToWatchingList(Event->ProcessId);
1246
1247 //
1248 // Enable triggering events for user-mode execution traps. This event doesn't
1249 // support custom optional parameter(s) because it's unconditional users can
1250 // use condition(s) to check for their custom optional parameters
1251 //
1252 ConfigureInitializeExecTrapOnAllProcessors();
1253 }
1254
1255 //
1256 // It was successfully applied
1257 //
1258 return TRUE;
1259}
ConfigureExecTrapAddProcessToWatchingList
BOOLEAN ConfigureExecTrapAddProcessToWatchingList(UINT32 ProcessId)
Add the target process to the watching list.
Definition Configuration.c:60
ConfigureInitializeExecTrapOnAllProcessors
BOOLEAN ConfigureInitializeExecTrapOnAllProcessors()
routines for initializing user-mode, kernel-mode exec trap
Definition Configuration.c:37
DEBUGGER_ERROR_THE_MODE_EXEC_TRAP_IS_NOT_INITIALIZED
#define DEBUGGER_ERROR_THE_MODE_EXEC_TRAP_IS_NOT_INITIALIZED
error, the mode exec trap is not already initialized
Definition ErrorCodes.h:513
VmFuncQueryModeExecTrap
BOOLEAN VmFuncQueryModeExecTrap()
Get the current state of mode exec trap mechanism.
Definition Export.c:563

◆ ApplyEventTscExecutionEvent()

VOID ApplyEventTscExecutionEvent ( PDEBUGGER_EVENT Event,
PDEBUGGER_EVENT_AND_ACTION_RESULT ResultsToReturn,
BOOLEAN InputFromVmxRoot )

Applying RDTSC/RDTSCP instructions execution events.

Parameters
EventThe created event object
ResultsToReturnResult buffer that should be returned to the user-mode
InputFromVmxRootWhether the input comes from VMX root-mode or IOCTL
Returns
VOID
701{
702 UNREFERENCED_PARAMETER(ResultsToReturn);
703
704 //
705 // Let's see if it is for all cores or just one core
706 //
707 if (Event->CoreId == DEBUGGER_EVENT_APPLY_TO_ALL_CORES)
708 {
709 //
710 // All cores
711 //
712 if (InputFromVmxRoot)
713 {
714 HaltedBroadcastEnableRdtscExitingAllCores();
715 }
716 else
717 {
718 ExtensionCommandEnableRdtscExitingAllCores();
719 }
720 }
721 else
722 {
723 //
724 // Just one core
725 //
726 if (InputFromVmxRoot)
727 {
728 HaltedRoutineEnableRdtscExitingOnSingleCore(Event->CoreId);
729 }
730 else
731 {
732 ConfigureEnableRdtscExitingOnSingleCore(Event->CoreId);
733 }
734 }
735}
ConfigureEnableRdtscExitingOnSingleCore
VOID ConfigureEnableRdtscExitingOnSingleCore(UINT32 TargetCoreId)
enable RDTSC exiting on a single core
Definition Configuration.c:472
ExtensionCommandEnableRdtscExitingAllCores
VOID ExtensionCommandEnableRdtscExitingAllCores()
routines for !tsc command
Definition ExtensionCommands.c:354
HaltedBroadcastEnableRdtscExitingAllCores
VOID HaltedBroadcastEnableRdtscExitingAllCores()
This function broadcasts enable rdtsc/rdtscp exiting to all cores.
Definition HaltedBroadcast.c:150
HaltedRoutineEnableRdtscExitingOnSingleCore
VOID HaltedRoutineEnableRdtscExitingOnSingleCore(UINT32 TargetCoreId)
This function performs running enable rdtsc/rdtscp exiting on a single core.
Definition HaltedRoutines.c:153

◆ ApplyEventVmcallExecutionEvent()

VOID ApplyEventVmcallExecutionEvent ( PDEBUGGER_EVENT Event,
PDEBUGGER_EVENT_AND_ACTION_RESULT ResultsToReturn,
BOOLEAN InputFromVmxRoot )

Applying VMCALL instruction execution events.

Parameters
EventThe created event object
ResultsToReturnResult buffer that should be returned to the user-mode
InputFromVmxRootWhether the input comes from VMX root-mode or IOCTL
Returns
VOID
1166{
1167 UNREFERENCED_PARAMETER(Event);
1168 UNREFERENCED_PARAMETER(ResultsToReturn);
1169 UNREFERENCED_PARAMETER(InputFromVmxRoot);
1170
1171 //
1172 // Enable triggering events for VMCALLs. This event doesn't support custom optional
1173 // parameter(s) because it's unconditional users can use condition(s) to check for
1174 // their custom optional parameters
1175 //
1176 VmFuncSetTriggerEventForVmcalls(TRUE);
1177}
VmFuncSetTriggerEventForVmcalls
VOID VmFuncSetTriggerEventForVmcalls(BOOLEAN Set)
Set triggering events for VMCALLs.
Definition Export.c:575

◆ ApplyEventWrmsrExecutionEvent()

VOID ApplyEventWrmsrExecutionEvent ( PDEBUGGER_EVENT Event,
PDEBUGGER_EVENT_AND_ACTION_RESULT ResultsToReturn,
BOOLEAN InputFromVmxRoot )

Applying WRMSR execution events.

Parameters
EventThe created event object
ResultsToReturnResult buffer that should be returned to the user-mode
InputFromVmxRootWhether the input comes from VMX root-mode or IOCTL
Returns
VOID
591{
592 UNREFERENCED_PARAMETER(ResultsToReturn);
593
594 //
595 // Let's see if it is for all cores or just one core
596 //
597 if (Event->CoreId == DEBUGGER_EVENT_APPLY_TO_ALL_CORES)
598 {
599 //
600 // All cores
601 //
602 if (InputFromVmxRoot)
603 {
604 HaltedBroadcastChangeAllMsrBitmapWriteAllCores(Event->InitOptions.OptionalParam1);
605 }
606 else
607 {
608 ExtensionCommandChangeAllMsrBitmapWriteAllCores(Event->InitOptions.OptionalParam1);
609 }
610 }
611 else
612 {
613 //
614 // Just one core
615 //
616 if (InputFromVmxRoot)
617 {
618 HaltedRoutineChangeAllMsrBitmapWriteOnSingleCore(Event->CoreId, Event->InitOptions.OptionalParam1);
619 }
620 else
621 {
622 ConfigureChangeMsrBitmapWriteOnSingleCore(Event->CoreId, Event->InitOptions.OptionalParam1);
623 }
624 }
625
626 //
627 // Setting an indicator to MSR
628 //
629 Event->Options.OptionalParam1 = Event->InitOptions.OptionalParam1;
630}
ConfigureChangeMsrBitmapWriteOnSingleCore
VOID ConfigureChangeMsrBitmapWriteOnSingleCore(UINT32 TargetCoreId, UINT64 MsrMask)
change the mask of msr bitmaps for write on a single core
Definition Configuration.c:540
ExtensionCommandChangeAllMsrBitmapWriteAllCores
VOID ExtensionCommandChangeAllMsrBitmapWriteAllCores(UINT64 BitmapMask)
routines for !msrwrite command which
Definition ExtensionCommands.c:327
HaltedBroadcastChangeAllMsrBitmapWriteAllCores
VOID HaltedBroadcastChangeAllMsrBitmapWriteAllCores(UINT64 BitmapMask)
This function broadcasts MSR (WRITE) changes to all cores.
Definition HaltedBroadcast.c:57
HaltedRoutineChangeAllMsrBitmapWriteOnSingleCore
VOID HaltedRoutineChangeAllMsrBitmapWriteOnSingleCore(UINT32 TargetCoreId, UINT64 BitmapMask)
This function performs running MSR changes (WRMSR) on a single core.
Definition HaltedRoutines.c:58