HyperDbg Debugger
Loading...
Searching...
No Matches
Classes | Macros | Typedefs | Functions
Attaching.h File Reference

Header for attaching and detaching for debugging user-mode processes. More...

Go to the source code of this file.

Classes

struct  _USERMODE_DEBUGGING_PROCESS_DETAILS
 Description of each active thread in user-mode attaching mechanism. More...
 

Macros

#define MAX_USER_ACTIONS_FOR_THREADS   3
 Maximum actions in paused threads storage.
 
#define MAX_THREADS_IN_A_PROCESS_HOLDER   100
 Maximum threads that a process thread holder might have.
 
#define MAX_CR3_IN_A_PROCESS   4
 Maximum number of CR3 registers that a process can have.
 

Typedefs

typedef struct _USERMODE_DEBUGGING_PROCESS_DETAILS USERMODE_DEBUGGING_PROCESS_DETAILS
 Description of each active thread in user-mode attaching mechanism.
 
typedef struct _USERMODE_DEBUGGING_PROCESS_DETAILSPUSERMODE_DEBUGGING_PROCESS_DETAILS
 

Functions

BOOLEAN AttachingInitialize ()
 Initialize the attaching mechanism.
 
BOOLEAN AttachingCheckPageFaultsWithUserDebugger (UINT32 CoreId, UINT64 Address, UINT32 PageFaultErrorCode)
 Check page-faults with user-debugger.
 
BOOLEAN AttachingConfigureInterceptingThreads (UINT64 ProcessDebuggingToken, BOOLEAN Enable)
 Enable or disable the thread intercepting phase.
 
BOOLEAN AttachingHandleCr3VmexitsForThreadInterception (UINT32 CoreId, CR3_TYPE NewCr3)
 Handle the cr3 vm-exits for thread interception.
 
VOID AttachingTargetProcess (PDEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS Request)
 Dispatch and perform attaching tasks.
 
VOID AttachingHandleEntrypointInterception (PROCESSOR_DEBUGGING_STATE *DbgState)
 Handle the interception of finding the entrypoint on attaching to user-mode process.
 
VOID AttachingRemoveAndFreeAllProcessDebuggingDetails ()
 Remove and deallocate all thread debuggig details.
 
PUSERMODE_DEBUGGING_PROCESS_DETAILS AttachingFindProcessDebuggingDetailsByToken (UINT64 Token)
 Find user-mode debugging details for threads by token.
 
PUSERMODE_DEBUGGING_PROCESS_DETAILS AttachingFindProcessDebuggingDetailsByProcessId (UINT32 ProcessId)
 Find user-mode debugging details for threads by process Id.
 
BOOLEAN AttachingQueryDetailsOfActiveDebuggingThreadsAndProcesses (PVOID BufferToStoreDetails, UINT32 BufferSize)
 Query details of active debugging threads.
 
BOOLEAN AttachingCheckUnhandledEptViolation (UINT32 CoreId, UINT64 ViolationQualification, UINT64 GuestPhysicalAddr)
 handling unhandled EPT violations
 
BOOLEAN AttachingReachedToValidLoadedModule (PROCESSOR_DEBUGGING_STATE *DbgState, PUSERMODE_DEBUGGING_PROCESS_DETAILS ProcessDebuggingDetail)
 Handle cases where we reached to the valid loaded module The main module should be loaded once we reach to this function.
 

Detailed Description

Header for attaching and detaching for debugging user-mode processes.

Author
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
Version
0.1
Date
2021-12-28
Copyright
This project is released under the GNU Public License v3.

Macro Definition Documentation

◆ MAX_CR3_IN_A_PROCESS

#define MAX_CR3_IN_A_PROCESS   4

Maximum number of CR3 registers that a process can have.

Generally, a process has one cr3 but after meltdown KPTI another Cr3 is added and separated the kernel and user CR3s, recently I've noticed from a tweet from Petr Benes that there might be other cr3s https://twitter.com/PetrBenes/status/1310642455352672257?s=20 So, I assume two extra cr3 for each process

◆ MAX_THREADS_IN_A_PROCESS_HOLDER

#define MAX_THREADS_IN_A_PROCESS_HOLDER   100

Maximum threads that a process thread holder might have.

◆ MAX_USER_ACTIONS_FOR_THREADS

#define MAX_USER_ACTIONS_FOR_THREADS   3

Maximum actions in paused threads storage.

Typedef Documentation

◆ PUSERMODE_DEBUGGING_PROCESS_DETAILS

typedef struct _USERMODE_DEBUGGING_PROCESS_DETAILS * PUSERMODE_DEBUGGING_PROCESS_DETAILS

◆ USERMODE_DEBUGGING_PROCESS_DETAILS

typedef struct _USERMODE_DEBUGGING_PROCESS_DETAILS USERMODE_DEBUGGING_PROCESS_DETAILS

Description of each active thread in user-mode attaching mechanism.

Function Documentation

◆ AttachingCheckPageFaultsWithUserDebugger()

BOOLEAN AttachingCheckPageFaultsWithUserDebugger ( UINT32 CoreId,
UINT64 Address,
UINT32 PageFaultErrorCode )

Check page-faults with user-debugger.

Parameters
CoreId
Address
PageFaultErrorCode
Returns
BOOLEAN if TRUE show that the page-fault injection should be ignored
624{
625 UNREFERENCED_PARAMETER(Address);
626 UNREFERENCED_PARAMETER(PageFaultErrorCode);
627
628 PUSERMODE_DEBUGGING_PROCESS_DETAILS ProcessDebuggingDetail;
629 PROCESSOR_DEBUGGING_STATE * DbgState = &g_DbgState[CoreId];
630
631 //
632 // Check whether user-debugger is initialized or not
633 //
634 if (g_UserDebuggerState == FALSE)
635 {
636 return FALSE;
637 }
638
639 //
640 // Check if thread is in user-mode
641 //
642 if (VmFuncGetLastVmexitRip(CoreId) & 0xf000000000000000)
643 {
644 //
645 // We won't intercept threads in kernel-mode
646 //
647 return FALSE;
648 }
649
650 ProcessDebuggingDetail = AttachingFindProcessDebuggingDetailsByProcessId(HANDLE_TO_UINT32(PsGetCurrentProcessId()));
651
652 if (!ProcessDebuggingDetail)
653 {
654 //
655 // not related to user debugger
656 //
657 return FALSE;
658 }
659
660 //
661 // Check if thread is in intercepting phase
662 //
663 if (ProcessDebuggingDetail->IsOnThreadInterceptingPhase)
664 {
665 //
666 // Handling state through the user-mode debugger
667 //
668 UdCheckAndHandleBreakpointsAndDebugBreaks(DbgState,
669 DEBUGGEE_PAUSING_REASON_DEBUGGEE_GENERAL_THREAD_INTERCEPTED,
670 NULL);
671
672 //
673 // related to user debugger
674 //
675 VmFuncSuppressRipIncrement(CoreId);
676
677 return TRUE;
678 }
679
680 //
681 // this thread is not in intercepting phase
682 //
683 return FALSE;
684}
AttachingFindProcessDebuggingDetailsByProcessId
PUSERMODE_DEBUGGING_PROCESS_DETAILS AttachingFindProcessDebuggingDetailsByProcessId(UINT32 ProcessId)
Find user-mode debugging details for threads by process Id.
Definition Attaching.c:187
TRUE
#define TRUE
Definition BasicTypes.h:55
FALSE
#define FALSE
Definition BasicTypes.h:54
DEBUGGEE_PAUSING_REASON_DEBUGGEE_GENERAL_THREAD_INTERCEPTED
@ DEBUGGEE_PAUSING_REASON_DEBUGGEE_GENERAL_THREAD_INTERCEPTED
Definition Connection.h:42
VmFuncGetLastVmexitRip
UINT64 VmFuncGetLastVmexitRip(UINT32 CoreId)
get the last vm-exit RIP
Definition Export.c:318
VmFuncSuppressRipIncrement
VOID VmFuncSuppressRipIncrement(UINT32 CoreId)
Suppress the incrementation of RIP.
Definition Export.c:34
Address
UINT64 Address
Definition HyperDbgScriptImports.h:67
HANDLE_TO_UINT32
#define HANDLE_TO_UINT32(_var)
Definition MetaMacros.h:39
UdCheckAndHandleBreakpointsAndDebugBreaks
BOOLEAN UdCheckAndHandleBreakpointsAndDebugBreaks(PROCESSOR_DEBUGGING_STATE *DbgState, DEBUGGEE_PAUSING_REASON Reason, PDEBUGGER_TRIGGERED_EVENT_DETAILS EventDetails)
Handle #DBs and #BPs for kernel debugger.
Definition Ud.c:443
g_DbgState
PROCESSOR_DEBUGGING_STATE * g_DbgState
Save the state and variables related to debugging on each to logical core.
Definition Global.h:17
g_UserDebuggerState
BOOLEAN g_UserDebuggerState
shows whether the user debugger is enabled or disabled
Definition Global.h:109
_PROCESSOR_DEBUGGING_STATE
Saves the debugger state.
Definition State.h:165
_USERMODE_DEBUGGING_PROCESS_DETAILS
Description of each active thread in user-mode attaching mechanism.
Definition Attaching.h:49
_USERMODE_DEBUGGING_PROCESS_DETAILS::IsOnThreadInterceptingPhase
BOOLEAN IsOnThreadInterceptingPhase
Definition Attaching.h:64

◆ AttachingCheckUnhandledEptViolation()

BOOLEAN AttachingCheckUnhandledEptViolation ( UINT32 CoreId,
UINT64 ViolationQualification,
UINT64 GuestPhysicalAddr )

handling unhandled EPT violations

Parameters
CoreId
ViolationQualification
GuestPhysicalAddr
Returns
BOOLEAN
1105{
1106 UNREFERENCED_PARAMETER(CoreId);
1107 UNREFERENCED_PARAMETER(ViolationQualification);
1108 UNREFERENCED_PARAMETER(GuestPhysicalAddr);
1109
1110 //
1111 // Not handled here
1112 //
1113 return FALSE;
1114}

◆ AttachingConfigureInterceptingThreads()

BOOLEAN AttachingConfigureInterceptingThreads ( UINT64 ProcessDebuggingToken,
BOOLEAN Enable )

Enable or disable the thread intercepting phase.

this function should be called in vmx non-root

Parameters
ProcessDebuggingToken
Enable
Returns
BOOLEAN
696{
697 PUSERMODE_DEBUGGING_PROCESS_DETAILS ProcessDebuggingDetail;
698
699 //
700 // Get the current process debugging detail
701 //
702 ProcessDebuggingDetail = AttachingFindProcessDebuggingDetailsByToken(ProcessDebuggingToken);
703
704 if (!ProcessDebuggingDetail)
705 {
706 return FALSE;
707 }
708
709 //
710 // If the thread is already in intercepting phase, we should return,
711 //
712 if (Enable && ProcessDebuggingDetail->IsOnThreadInterceptingPhase)
713 {
714 LogError("Err, thread is already in intercepting phase");
715 return FALSE;
716 }
717
718 //
719 // if the user want to disable the intercepting phase, we just ignore the
720 // request without a message
721 //
722 if (!Enable && !ProcessDebuggingDetail->IsOnThreadInterceptingPhase)
723 {
724 return FALSE;
725 }
726
727 //
728 // We're or we're not in thread intercepting phase now
729 //
730 ProcessDebuggingDetail->IsOnThreadInterceptingPhase = Enable;
731
732 if (Enable)
733 {
734 //
735 // Intercept all mov 2 cr3s
736 //
737 DebuggerEventEnableMovToCr3ExitingOnAllProcessors();
738 }
739 else
740 {
741 //
742 // Removing the mov to cr3 vm-exits
743 //
744 DebuggerEventDisableMovToCr3ExitingOnAllProcessors();
745 }
746
747 //
748 // Set the supervisor bit to 1 when we want to continue all the threads
749 //
750 if (!Enable)
751 {
752 for (size_t i = 0; i < MAX_CR3_IN_A_PROCESS; i++)
753 {
754 if (ProcessDebuggingDetail->InterceptedCr3[i].Flags != (UINT64)NULL)
755 {
756 //
757 // This cr3 should not be intercepted on threads' user mode execution
758 //
759 if (!MemoryMapperSetSupervisorBitWithoutSwitchingByCr3(NULL,
760 TRUE,
761 PagingLevelPageMapLevel4,
762 ProcessDebuggingDetail->InterceptedCr3[i]))
763 {
764 return FALSE;
765 }
766 }
767 }
768 }
769
770 return TRUE;
771}
AttachingFindProcessDebuggingDetailsByToken
PUSERMODE_DEBUGGING_PROCESS_DETAILS AttachingFindProcessDebuggingDetailsByToken(UINT64 Token)
Find user-mode debugging details for threads by token.
Definition Attaching.c:164
MAX_CR3_IN_A_PROCESS
#define MAX_CR3_IN_A_PROCESS
Maximum number of CR3 registers that a process can have.
Definition Attaching.h:37
UINT64
unsigned __int64 UINT64
Definition BasicTypes.h:21
PagingLevelPageMapLevel4
@ PagingLevelPageMapLevel4
Definition DataTypes.h:28
DebuggerEventDisableMovToCr3ExitingOnAllProcessors
VOID DebuggerEventDisableMovToCr3ExitingOnAllProcessors()
routines for debugging threads (disable mov-to-cr3 exiting)
Definition DebuggerEvents.c:53
DebuggerEventEnableMovToCr3ExitingOnAllProcessors
VOID DebuggerEventEnableMovToCr3ExitingOnAllProcessors()
routines for debugging threads (enable mov-to-cr3 exiting)
Definition DebuggerEvents.c:42
LogError
#define LogError(format,...)
Log in the case of error.
Definition HyperDbgHyperLogIntrinsics.h:113
MemoryMapperSetSupervisorBitWithoutSwitchingByCr3
_Use_decl_annotations_ BOOLEAN MemoryMapperSetSupervisorBitWithoutSwitchingByCr3(PVOID Va, BOOLEAN Set, PAGING_LEVEL Level, CR3_TYPE TargetCr3)
This function the Supervisor bit of the target PTE based on the specific cr3.
Definition MemoryMapper.c:1697
_CR3_TYPE::Flags
UINT64 Flags
Definition BasicTypes.h:133
_USERMODE_DEBUGGING_PROCESS_DETAILS::InterceptedCr3
CR3_TYPE InterceptedCr3[MAX_CR3_IN_A_PROCESS]
Definition Attaching.h:66

◆ AttachingFindProcessDebuggingDetailsByProcessId()

PUSERMODE_DEBUGGING_PROCESS_DETAILS AttachingFindProcessDebuggingDetailsByProcessId ( UINT32 ProcessId)

Find user-mode debugging details for threads by process Id.

Parameters
ProcessId
Returns
PUSERMODE_DEBUGGING_PROCESS_DETAILS
188{
189 LIST_FOR_EACH_LINK(g_ProcessDebuggingDetailsListHead, USERMODE_DEBUGGING_PROCESS_DETAILS, AttachedProcessList, ProcessDebuggingDetails)
190 {
191 //
192 // Check if we found the target thread and if it's enabled
193 //
194 if (ProcessDebuggingDetails->ProcessId == ProcessId && ProcessDebuggingDetails->Enabled)
195 {
196 return ProcessDebuggingDetails;
197 }
198 }
199
200 return NULL;
201}
LIST_FOR_EACH_LINK
#define LIST_FOR_EACH_LINK(_head, _struct_type, _member, _var)
Definition MetaMacros.h:34
g_ProcessDebuggingDetailsListHead
LIST_ENTRY g_ProcessDebuggingDetailsListHead
List header of thread debugging details.
Definition Global.h:152
test-case-generator.NULL
NULL()
Definition test-case-generator.py:530

◆ AttachingFindProcessDebuggingDetailsByToken()

PUSERMODE_DEBUGGING_PROCESS_DETAILS AttachingFindProcessDebuggingDetailsByToken ( UINT64 Token)

Find user-mode debugging details for threads by token.

Parameters
Token
Returns
PUSERMODE_DEBUGGING_PROCESS_DETAILS
165{
166 LIST_FOR_EACH_LINK(g_ProcessDebuggingDetailsListHead, USERMODE_DEBUGGING_PROCESS_DETAILS, AttachedProcessList, ProcessDebuggingDetails)
167 {
168 //
169 // Check if we found the target thread and if it's enabled
170 //
171 if (ProcessDebuggingDetails->Token == Token && ProcessDebuggingDetails->Enabled)
172 {
173 return ProcessDebuggingDetails;
174 }
175 }
176
177 return NULL;
178}

◆ AttachingHandleCr3VmexitsForThreadInterception()

BOOLEAN AttachingHandleCr3VmexitsForThreadInterception ( UINT32 CoreId,
CR3_TYPE NewCr3 )

Handle the cr3 vm-exits for thread interception.

this function should be called in vmx-root

Parameters
CoreId
NewCr3
Returns
BOOLEAN
1037{
1038 PUSERMODE_DEBUGGING_PROCESS_DETAILS ProcessDebuggingDetail;
1039
1040 ProcessDebuggingDetail = AttachingFindProcessDebuggingDetailsByProcessId(HANDLE_TO_UINT32(PsGetCurrentProcessId()));
1041
1042 //
1043 // Check if process is valid or if thread is in intercepting phase
1044 //
1045 if (!ProcessDebuggingDetail || !ProcessDebuggingDetail->IsOnThreadInterceptingPhase)
1046 {
1047 //
1048 // not related to user debugger
1049 //
1050 VmFuncUnsetExceptionBitmap(CoreId, EXCEPTION_VECTOR_PAGE_FAULT);
1051 return FALSE;
1052 }
1053
1054 //
1055 // Save the cr3 for future continuing the thread
1056 //
1057 for (size_t i = 0; i < MAX_CR3_IN_A_PROCESS; i++)
1058 {
1059 if (ProcessDebuggingDetail->InterceptedCr3[i].Flags == NewCr3.Flags)
1060 {
1061 //
1062 // We found it saved previously, no need any further action
1063 //
1064 break;
1065 }
1066
1067 if (ProcessDebuggingDetail->InterceptedCr3[i].Flags == (UINT64)NULL)
1068 {
1069 //
1070 // Save the cr3
1071 //
1072 ProcessDebuggingDetail->InterceptedCr3[i].Flags = NewCr3.Flags;
1073 break;
1074 }
1075 }
1076
1077 //
1078 // This thread should be intercepted
1079 //
1080 if (!MemoryMapperSetSupervisorBitWithoutSwitchingByCr3(NULL, FALSE, PagingLevelPageMapLevel4, NewCr3))
1081 {
1082 return FALSE;
1083 }
1084
1085 //
1086 // Intercept #PFs
1087 //
1088 VmFuncSetExceptionBitmap(CoreId, EXCEPTION_VECTOR_PAGE_FAULT);
1089
1090 return TRUE;
1091}
VmFuncSetExceptionBitmap
VOID VmFuncSetExceptionBitmap(UINT32 CoreId, UINT32 IdtIndex)
Set exception bitmap in VMCS.
Definition Export.c:253
VmFuncUnsetExceptionBitmap
VOID VmFuncUnsetExceptionBitmap(UINT32 CoreId, UINT32 IdtIndex)
Unset exception bitmap in VMCS.
Definition Export.c:267
EXCEPTION_VECTOR_PAGE_FAULT
@ EXCEPTION_VECTOR_PAGE_FAULT
Definition Events.h:38

◆ AttachingHandleEntrypointInterception()

VOID AttachingHandleEntrypointInterception ( PROCESSOR_DEBUGGING_STATE * DbgState)

Handle the interception of finding the entrypoint on attaching to user-mode process.

Parameters
DbgStateThe state of the debugger on the current core
Returns
VOID
437{
438 PUSERMODE_DEBUGGING_PROCESS_DETAILS ProcessDebuggingDetail = NULL;
439 PAGE_FAULT_EXCEPTION PageFaultErrorCode = {0};
440
441 //
442 // Not increment the RIP register as no instruction is intended to go
443 //
444 VmFuncSuppressRipIncrement(DbgState->CoreId);
445
446 ProcessDebuggingDetail = AttachingFindProcessDebuggingDetailsByProcessId(HANDLE_TO_UINT32(PsGetCurrentProcessId()));
447
448 //
449 // Check to only break on the target process id and thread id and when
450 // the entrypoint is not called, if the thread debugging detail is found
451 //
452 if (ProcessDebuggingDetail != NULL)
453 {
454 if (g_IsWaitingForUserModeProcessEntryToBeCalled)
455 {
456 //
457 // Show a message that we reached to the entrypoint
458 //
459 // Log("Reached to the main module entrypoint (%016llx)\n", VmFuncGetLastVmexitRip(DbgState->CoreId));
460
461 //
462 // Not waiting for these event anymore
463 //
464 g_IsWaitingForUserModeProcessEntryToBeCalled = FALSE;
465
466 //
467 // Whenever Windows calls the start entrypoint of the target PE, initially,
468 // the module is not loaded in the memory, thus a page-fault will happen and
469 // the page-fault handler will bring the module content to the memory and after
470 // that, the start entrypoint of PE is called again
471 // It's not possible for us to handle everything here without checking for the
472 // possible page-fault, it is because the first instruction is not available to be
473 // read from the memory, thus, it shows a wrong instruction and the user might not
474 // use the instrumentation step-in from the start up of the entrypoint.
475 // Because if the user uses the instrumentation step-in command then it should go
476 // the page-fault handler routine in the kernel and it's not what the user expects
477 // we inject a #PF here and let the Windows handle the page-fault. Meanwhile, we
478 // set the hardware debug breakpoint again at the start of the entrypoint, so, the
479 // next time that the instruction is about to be fetched, a vm-exit happens as a
480 // result of intercepting #DBs
481 // In some cases, there is no need to inject #PF to the guest. One example is when
482 // the target page is already available in the memory like the same process is also
483 // open in the debuggee. In these cases, we handle the break directly without injecting
484 // any page-fault
485 //
486
487 if (!CheckAccessValidityAndSafety(ProcessDebuggingDetail->EntrypointOfMainModule, sizeof(CHAR)))
488 {
489 // LogInfo("Injecting #PF for entrypoint at : %llx", ProcessDebuggingDetail->EntrypointOfMainModule);
490
491 //
492 // We're waiting for this pointer to be called again after handling page-fault
493 //
494 g_IsWaitingForReturnAndRunFromPageFault = TRUE;
495
496 //
497 // Create page-fault error code (user, fetch #PF)
498 //
499 PageFaultErrorCode.AsUInt = 0x14;
500
501 //
502 // Inject the page-fault
503 //
504 VmFuncEventInjectPageFaultWithCr2(DbgState->CoreId,
505 ProcessDebuggingDetail->EntrypointOfMainModule,
506 PageFaultErrorCode.AsUInt);
507
508 //
509 // Also, set the RFLAGS.TF to intercept the process (thread) again after inject #PF
510 //
511 VmFuncSetRflagTrapFlag(TRUE);
512
513 //
514 // Indicate that we should set the trap flag to the FALSE next time on
515 // the same process/thread
516 //
517 if (!BreakpointRestoreTheTrapFlagOnceTriggered(HANDLE_TO_UINT32(PsGetCurrentProcessId()), HANDLE_TO_UINT32(PsGetCurrentThreadId())))
518 {
519 LogWarning("Warning, it is currently not possible to add the current process/thread to the list of processes "
520 "where the trap flag should be masked. Please ensure that you manually unset the trap flag");
521 }
522 }
523 else
524 {
525 //
526 // Address is valid, probably the module is previously loaded
527 // or another process with same image is currently running
528 // Thus, there is no need to inject #PF, we'll handle it in debugger
529 //
530 AttachingReachedToValidLoadedModule(DbgState, ProcessDebuggingDetail);
531 }
532 }
533 else if (g_IsWaitingForReturnAndRunFromPageFault)
534 {
535 //
536 // not waiting for a break after the page-fault anymore
537 //
538 g_IsWaitingForReturnAndRunFromPageFault = FALSE;
539
540 //
541 // We reached here as a result of setting the trap flag after
542 // injecting a page-fault
543 //
544 AttachingReachedToValidLoadedModule(DbgState, ProcessDebuggingDetail);
545 }
546 }
547}
CheckAccessValidityAndSafety
BOOLEAN CheckAccessValidityAndSafety(UINT64 TargetAddress, UINT32 Size)
Check the safety to access the memory.
Definition AddressCheck.c:156
AttachingReachedToValidLoadedModule
BOOLEAN AttachingReachedToValidLoadedModule(PROCESSOR_DEBUGGING_STATE *DbgState, PUSERMODE_DEBUGGING_PROCESS_DETAILS ProcessDebuggingDetail)
Handle cases where we reached to the valid loaded module The main module should be loaded once we rea...
Definition Attaching.c:348
CHAR
char CHAR
Definition BasicTypes.h:31
BreakpointRestoreTheTrapFlagOnceTriggered
BOOLEAN BreakpointRestoreTheTrapFlagOnceTriggered(UINT32 ProcessId, UINT32 ThreadId)
This function makes sure to unset the RFLAGS.TF on next trigger of #DB on the target process/thread.
Definition BreakpointCommands.c:174
VmFuncSetRflagTrapFlag
VOID VmFuncSetRflagTrapFlag(BOOLEAN Set)
Set Rflag's trap flag.
Definition Export.c:110
VmFuncEventInjectPageFaultWithCr2
VOID VmFuncEventInjectPageFaultWithCr2(UINT32 CoreId, UINT64 Address, UINT32 PageFaultCode)
Inject #PF and configure CR2 register.
Definition Export.c:626
LogWarning
#define LogWarning(format,...)
Log in the case of warning.
Definition HyperDbgHyperLogIntrinsics.h:99
g_IsWaitingForReturnAndRunFromPageFault
BOOLEAN g_IsWaitingForReturnAndRunFromPageFault
Whether the thread attaching mechanism is waiting for a page-fault finish or not.
Definition Global.h:146
g_IsWaitingForUserModeProcessEntryToBeCalled
BOOLEAN g_IsWaitingForUserModeProcessEntryToBeCalled
Whether the thread attaching mechanism is waiting for #DB or not.
Definition Global.h:158
_PROCESSOR_DEBUGGING_STATE::CoreId
UINT32 CoreId
Definition State.h:169
_USERMODE_DEBUGGING_PROCESS_DETAILS::EntrypointOfMainModule
UINT64 EntrypointOfMainModule
Definition Attaching.h:58

◆ AttachingInitialize()

BOOLEAN AttachingInitialize ( )

Initialize the attaching mechanism.

as we use the functionalities for these functions, we initialize them from the debugger at start up of debugger (not initialization of user-debugger)

Returns
BOOLEAN
23{
24 UNICODE_STRING FunctionName;
25
26 //
27 // Find address of PsGetProcessPeb
28 //
29 if (g_PsGetProcessPeb == NULL)
30 {
31 RtlInitUnicodeString(&FunctionName, L"PsGetProcessPeb");
32 g_PsGetProcessPeb = (PsGetProcessPeb)MmGetSystemRoutineAddress(&FunctionName);
33
34 if (g_PsGetProcessPeb == NULL)
35 {
36 LogError("Err, cannot resolve PsGetProcessPeb");
37
38 //
39 // Won't fail the entire debugger for not finding this
40 //
41 // return FALSE;
42 }
43 }
44
45 //
46 // Find address of PsGetProcessWow64Process
47 //
48 if (g_PsGetProcessWow64Process == NULL)
49 {
50 RtlInitUnicodeString(&FunctionName, L"PsGetProcessWow64Process");
51 g_PsGetProcessWow64Process = (PsGetProcessWow64Process)MmGetSystemRoutineAddress(&FunctionName);
52
53 if (g_PsGetProcessWow64Process == NULL)
54 {
55 LogError("Err, cannot resolve PsGetProcessPeb");
56
57 //
58 // Won't fail the entire debugger for not finding this
59 //
60 // return FALSE;
61 }
62 }
63
64 //
65 // Find address of ZwQueryInformationProcess
66 //
67 if (g_ZwQueryInformationProcess == NULL)
68 {
69 UNICODE_STRING RoutineName;
70
71 RtlInitUnicodeString(&RoutineName, L"ZwQueryInformationProcess");
72
73 g_ZwQueryInformationProcess = (ZwQueryInformationProcess)MmGetSystemRoutineAddress(&RoutineName);
74
75 if (g_ZwQueryInformationProcess == NULL)
76 {
77 LogError("Err, cannot resolve ZwQueryInformationProcess");
78
79 //
80 // Won't fail the entire debugger for not finding this
81 //
82 // return FALSE;
83 }
84 }
85
86 return TRUE;
87}
g_ZwQueryInformationProcess
ZwQueryInformationProcess g_ZwQueryInformationProcess
Address of ZwQueryInformationProcess.
Definition UserAccess.h:187
g_PsGetProcessPeb
PsGetProcessPeb g_PsGetProcessPeb
Address of PsGetProcessPeb.
Definition UserAccess.h:193
PsGetProcessWow64Process
PPEB32(NTAPI * PsGetProcessWow64Process)(PEPROCESS Process)
Definition UserAccess.h:177
g_PsGetProcessWow64Process
PsGetProcessWow64Process g_PsGetProcessWow64Process
Address of PsGetProcessWow64Process.
Definition UserAccess.h:199
ZwQueryInformationProcess
NTSTATUS(* ZwQueryInformationProcess)(__in HANDLE ProcessHandle, __in PROCESSINFOCLASS ProcessInformationClass, __out_bcount(ProcessInformationLength) PVOID ProcessInformation, __in ULONG ProcessInformationLength, __out_opt PULONG ReturnLength)
Definition UserAccess.h:168
PsGetProcessPeb
PPEB(NTAPI * PsGetProcessPeb)(PEPROCESS Process)
Definition UserAccess.h:175
_UNICODE_STRING
Definition casting.cpp:25

◆ AttachingQueryDetailsOfActiveDebuggingThreadsAndProcesses()

BOOLEAN AttachingQueryDetailsOfActiveDebuggingThreadsAndProcesses ( PVOID BufferToStoreDetails,
UINT32 BufferSize )

Query details of active debugging threads.

Parameters
BufferToStoreDetails
BufferSize
Returns
BOOLEAN
1477{
1478 UINT32 CountOfProcessesAndThreadsToStore;
1479
1480 CountOfProcessesAndThreadsToStore = BufferSize / SIZEOF_USERMODE_DEBUGGING_THREAD_OR_PROCESS_STATE_DETAILS;
1481
1482 if (CountOfProcessesAndThreadsToStore == 0)
1483 {
1484 //
1485 // No active thread or process
1486 //
1487 return FALSE;
1488 }
1489
1490 // LogInfo("Count of active process and threads : %x", CountOfProcessesAndThreadsToStore);
1491
1492 //
1493 // Get the results
1494 //
1495 ThreadHolderQueryDetailsOfActiveDebuggingThreadsAndProcesses(BufferToStoreDetails, CountOfProcessesAndThreadsToStore);
1496
1497 return TRUE;
1498}
UINT32
unsigned int UINT32
Definition BasicTypes.h:48
SIZEOF_USERMODE_DEBUGGING_THREAD_OR_PROCESS_STATE_DETAILS
#define SIZEOF_USERMODE_DEBUGGING_THREAD_OR_PROCESS_STATE_DETAILS
Definition RequestStructures.h:806
ThreadHolderQueryDetailsOfActiveDebuggingThreadsAndProcesses
VOID ThreadHolderQueryDetailsOfActiveDebuggingThreadsAndProcesses(USERMODE_DEBUGGING_THREAD_OR_PROCESS_STATE_DETAILS *BufferToStoreDetails, UINT32 MaxCount)
Query details of active debugging threads and processes.
Definition ThreadHolder.c:549

◆ AttachingReachedToValidLoadedModule()

BOOLEAN AttachingReachedToValidLoadedModule ( PROCESSOR_DEBUGGING_STATE * DbgState,
PUSERMODE_DEBUGGING_PROCESS_DETAILS ProcessDebuggingDetail )

Handle cases where we reached to the valid loaded module The main module should be loaded once we reach to this function.

Parameters
DbgStateThe state of the debugger on the current core
ProcessDebuggingDetail
Returns
BOOLEAN
350{
351 DEBUGGEE_BP_PACKET BpRequest = {0};
352
353 //
354 // Double check to make sure the main module is loaded
355 //
356 if (!CheckAccessValidityAndSafety(ProcessDebuggingDetail->EntrypointOfMainModule, sizeof(CHAR)))
357 {
358 LogError("Err, the main module is not loaded or the main entrypoint is not valid");
359 return FALSE;
360 }
361
362 //
363 // Setting a breakpoint to the main entrypoint of the module
364 //
365 BpRequest.Address = ProcessDebuggingDetail->EntrypointOfMainModule;
366 BpRequest.Core = DEBUGGEE_BP_APPLY_TO_ALL_CORES;
367 BpRequest.Pid = DEBUGGEE_BP_APPLY_TO_ALL_PROCESSES;
368 BpRequest.Tid = DEBUGGEE_BP_APPLY_TO_ALL_THREADS;
369
370 //
371 // Remove the breakpoint after hit
372 //
373 BpRequest.RemoveAfterHit = TRUE;
374
375 //
376 // Check if the process needs to check for callbacks for the very first instruction
377 //
378 if (ProcessDebuggingDetail->CheckCallBackForInterceptingFirstInstruction)
379 {
380 //
381 // This breakpoint should check for callbacks
382 //
383 BpRequest.CheckForCallbacks = TRUE;
384 }
385
386 //
387 // Register the breakpoint
388 //
389 if (!BreakpointAddNew(&BpRequest))
390 {
391 LogError("Err, unable to set breakpoint on the entrypoint module");
392 return FALSE;
393 }
394
395 //
396 // Finish the starting point of the thread
397 //
398 AttachingSetStartingPhaseOfProcessDebuggingDetailsByToken(FALSE, ProcessDebuggingDetail->Token);
399
400 //
401 // Check if we're connect to the kHyperDbg or uHyperDbg
402 //
403 if (g_KernelDebuggerState)
404 {
405 //
406 // Handling state through the kernel-mode debugger
407 //
408 KdHandleBreakpointAndDebugBreakpoints(DbgState,
409 DEBUGGEE_PAUSING_REASON_DEBUGGEE_STARTING_MODULE_LOADED,
410 NULL);
411 }
412 else
413 {
414 //
415 // Handling state through the user-mode debugger
416 //
417 UdCheckAndHandleBreakpointsAndDebugBreaks(DbgState,
418 DEBUGGEE_PAUSING_REASON_DEBUGGEE_STARTING_MODULE_LOADED,
419 NULL);
420 }
421
422 //
423 // Handled successfully
424 //
425 return TRUE;
426}
AttachingSetStartingPhaseOfProcessDebuggingDetailsByToken
BOOLEAN AttachingSetStartingPhaseOfProcessDebuggingDetailsByToken(BOOLEAN Set, UINT64 Token)
Set the start up phase of a debugging thread buffer by its token.
Definition Attaching.c:300
BreakpointAddNew
BOOLEAN BreakpointAddNew(PDEBUGGEE_BP_PACKET BpDescriptorArg)
Add new breakpoints.
Definition BreakpointCommands.c:893
DEBUGGEE_PAUSING_REASON_DEBUGGEE_STARTING_MODULE_LOADED
@ DEBUGGEE_PAUSING_REASON_DEBUGGEE_STARTING_MODULE_LOADED
Definition Connection.h:36
DEBUGGEE_BP_APPLY_TO_ALL_PROCESSES
#define DEBUGGEE_BP_APPLY_TO_ALL_PROCESSES
The constant to apply to all processes for bp command.
Definition Constants.h:653
DEBUGGEE_BP_APPLY_TO_ALL_THREADS
#define DEBUGGEE_BP_APPLY_TO_ALL_THREADS
The constant to apply to all threads for bp command.
Definition Constants.h:659
DEBUGGEE_BP_APPLY_TO_ALL_CORES
#define DEBUGGEE_BP_APPLY_TO_ALL_CORES
The constant to apply to all cores for bp command.
Definition Constants.h:647
KdHandleBreakpointAndDebugBreakpoints
_Use_decl_annotations_ VOID KdHandleBreakpointAndDebugBreakpoints(PROCESSOR_DEBUGGING_STATE *DbgState, DEBUGGEE_PAUSING_REASON Reason, PDEBUGGER_TRIGGERED_EVENT_DETAILS EventDetails)
Handle #DBs and #BPs for kernel debugger.
Definition Kd.c:1214
g_KernelDebuggerState
BOOLEAN g_KernelDebuggerState
shows whether the kernel debugger is enabled or disabled
Definition Global.h:103
_DEBUGGEE_BP_PACKET
The structure of bp command packet in HyperDbg.
Definition RequestStructures.h:1060
_DEBUGGEE_BP_PACKET::Tid
UINT32 Tid
Definition RequestStructures.h:1063
_DEBUGGEE_BP_PACKET::RemoveAfterHit
BOOLEAN RemoveAfterHit
Definition RequestStructures.h:1065
_DEBUGGEE_BP_PACKET::Core
UINT32 Core
Definition RequestStructures.h:1064
_DEBUGGEE_BP_PACKET::CheckForCallbacks
BOOLEAN CheckForCallbacks
Definition RequestStructures.h:1066
_DEBUGGEE_BP_PACKET::Address
UINT64 Address
Definition RequestStructures.h:1061
_DEBUGGEE_BP_PACKET::Pid
UINT32 Pid
Definition RequestStructures.h:1062
_USERMODE_DEBUGGING_PROCESS_DETAILS::Token
UINT64 Token
Definition Attaching.h:50
_USERMODE_DEBUGGING_PROCESS_DETAILS::CheckCallBackForInterceptingFirstInstruction
BOOLEAN CheckCallBackForInterceptingFirstInstruction
Definition Attaching.h:65

◆ AttachingRemoveAndFreeAllProcessDebuggingDetails()

VOID AttachingRemoveAndFreeAllProcessDebuggingDetails ( )

Remove and deallocate all thread debuggig details.

Returns
VOID
230{
231 LIST_FOR_EACH_LINK(g_ProcessDebuggingDetailsListHead, USERMODE_DEBUGGING_PROCESS_DETAILS, AttachedProcessList, ProcessDebuggingDetails)
232 {
233 //
234 // Free the thread holding structure(s)
235 //
236 ThreadHolderFreeHoldingStructures(ProcessDebuggingDetails);
237
238 //
239 // Remove thread debugging detail from the list active threads
240 //
241 RemoveEntryList(&ProcessDebuggingDetails->AttachedProcessList);
242
243 //
244 // Unallocate the pool
245 //
246 PlatformMemFreePool(ProcessDebuggingDetails);
247 }
248}
PlatformMemFreePool
VOID PlatformMemFreePool(PVOID BufferAddress)
Free (dellocate) a non-paged buffer.
Definition Mem.c:86
ThreadHolderFreeHoldingStructures
VOID ThreadHolderFreeHoldingStructures(PUSERMODE_DEBUGGING_PROCESS_DETAILS ProcessDebuggingDetail)
Free all of thread holder structures.
Definition ThreadHolder.c:465
RemoveEntryList
FORCEINLINE BOOLEAN RemoveEntryList(_In_ PLIST_ENTRY Entry)
Definition Windows.h:56

◆ AttachingTargetProcess()

VOID AttachingTargetProcess ( PDEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS Request)

Dispatch and perform attaching tasks.

this function should not be called in vmx-root

Parameters
AttachRequest
Returns
VOID
1509{
1510 //
1511 // As we're here, we need to initialize the user-mode debugger
1512 //
1513 UdInitializeUserDebugger();
1514
1515 switch (Request->Action)
1516 {
1517 case DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_ATTACH:
1518
1519 AttachingPerformAttachToProcess(Request, Request->IsStartingNewProcess);
1520
1521 break;
1522
1523 case DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_DETACH:
1524
1525 AttachingPerformDetach(Request);
1526
1527 break;
1528
1529 case DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_REMOVE_HOOKS:
1530
1531 AttachingRemoveHooks(Request);
1532
1533 break;
1534
1535 case DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_KILL_PROCESS:
1536
1537 AttachingKillProcess(Request);
1538
1539 break;
1540
1541 case DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_PAUSE_PROCESS:
1542
1543 AttachingPauseProcess(Request);
1544
1545 break;
1546
1547 case DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_SWITCH_BY_PROCESS_OR_THREAD:
1548
1549 AttachingSwitchProcess(Request);
1550
1551 break;
1552
1553 case DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_QUERY_COUNT_OF_ACTIVE_DEBUGGING_THREADS:
1554
1555 AttachingQueryCountOfActiveDebuggingThreadsAndProcesses(Request);
1556
1557 break;
1558
1559 default:
1560
1561 Request->Result = DEBUGGER_ERROR_INVALID_ACTION_TYPE;
1562
1563 break;
1564 }
1565}
AttachingSwitchProcess
BOOLEAN AttachingSwitchProcess(PDEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS SwitchRequest)
Switch to the target thread.
Definition Attaching.c:1362
AttachingPerformDetach
BOOLEAN AttachingPerformDetach(PDEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS DetachRequest)
Clearing hooks after resuming the process.
Definition Attaching.c:1302
AttachingPerformAttachToProcess
BOOLEAN AttachingPerformAttachToProcess(PDEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS AttachRequest, BOOLEAN IsAttachingToEntrypoint)
Attach to the target process.
Definition Attaching.c:808
AttachingPauseProcess
BOOLEAN AttachingPauseProcess(PDEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS PauseRequest)
Pauses the target process.
Definition Attaching.c:1185
AttachingQueryCountOfActiveDebuggingThreadsAndProcesses
BOOLEAN AttachingQueryCountOfActiveDebuggingThreadsAndProcesses(PDEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS QueryCountOfDebugThreadsRequest)
Query count of active debugging threads.
Definition Attaching.c:1450
AttachingRemoveHooks
BOOLEAN AttachingRemoveHooks(PDEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS AttachRequest)
Clearing hooks after resuming the process.
Definition Attaching.c:1124
AttachingKillProcess
BOOLEAN AttachingKillProcess(PDEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS KillRequest)
Kill the target process from kernel-mode.
Definition Attaching.c:1210
DEBUGGER_ERROR_INVALID_ACTION_TYPE
#define DEBUGGER_ERROR_INVALID_ACTION_TYPE
error, invalid type of action
Definition ErrorCodes.h:39
DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_DETACH
@ DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_DETACH
Definition RequestStructures.h:617
DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_QUERY_COUNT_OF_ACTIVE_DEBUGGING_THREADS
@ DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_QUERY_COUNT_OF_ACTIVE_DEBUGGING_THREADS
Definition RequestStructures.h:622
DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_KILL_PROCESS
@ DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_KILL_PROCESS
Definition RequestStructures.h:619
DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_SWITCH_BY_PROCESS_OR_THREAD
@ DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_SWITCH_BY_PROCESS_OR_THREAD
Definition RequestStructures.h:621
DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_PAUSE_PROCESS
@ DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_PAUSE_PROCESS
Definition RequestStructures.h:620
DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_ATTACH
@ DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_ATTACH
Definition RequestStructures.h:616
DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_REMOVE_HOOKS
@ DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_REMOVE_HOOKS
Definition RequestStructures.h:618
UdInitializeUserDebugger
BOOLEAN UdInitializeUserDebugger()
initialize user debugger
Definition Ud.c:21
_DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS::Action
DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_TYPE Action
Definition RequestStructures.h:638
_DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS::IsStartingNewProcess
BOOLEAN IsStartingNewProcess
Definition RequestStructures.h:632
_DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS::Result
UINT64 Result
Definition RequestStructures.h:641