22#define MAX_USER_ACTIONS_FOR_THREADS 3
28#define MAX_THREADS_IN_A_PROCESS_HOLDER 100
37#define MAX_CR3_IN_A_PROCESS 4
81 UINT32 PageFaultErrorCode);
109 UINT64 ViolationQualification,
110 UINT64 GuestPhysicalAddr);
BOOLEAN AttachingHandleCr3VmexitsForThreadInterception(UINT32 CoreId, CR3_TYPE NewCr3)
Handle the cr3 vm-exits for thread interception.
Definition Attaching.c:1036
BOOLEAN AttachingQueryDetailsOfActiveDebuggingThreadsAndProcesses(PVOID BufferToStoreDetails, UINT32 BufferSize)
Query details of active debugging threads.
Definition Attaching.c:1476
VOID AttachingTargetProcess(PDEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS Request)
Dispatch and perform attaching tasks.
Definition Attaching.c:1508
PUSERMODE_DEBUGGING_PROCESS_DETAILS AttachingFindProcessDebuggingDetailsByProcessId(UINT32 ProcessId)
Find user-mode debugging details for threads by process Id.
Definition Attaching.c:187
BOOLEAN AttachingConfigureInterceptingThreads(UINT64 ProcessDebuggingToken, BOOLEAN Enable)
Enable or disable the thread intercepting phase.
Definition Attaching.c:695
#define MAX_CR3_IN_A_PROCESS
Maximum number of CR3 registers that a process can have.
Definition Attaching.h:37
PUSERMODE_DEBUGGING_PROCESS_DETAILS AttachingFindProcessDebuggingDetailsByToken(UINT64 Token)
Find user-mode debugging details for threads by token.
Definition Attaching.c:164
struct _USERMODE_DEBUGGING_PROCESS_DETAILS * PUSERMODE_DEBUGGING_PROCESS_DETAILS
BOOLEAN AttachingInitialize()
Initialize the attaching mechanism.
Definition Attaching.c:22
VOID AttachingRemoveAndFreeAllProcessDebuggingDetails()
Remove and deallocate all thread debuggig details.
Definition Attaching.c:229
VOID AttachingHandleEntrypointInterception(PROCESSOR_DEBUGGING_STATE *DbgState)
Handle the interception of finding the entrypoint on attaching to user-mode process.
Definition Attaching.c:436
struct _USERMODE_DEBUGGING_PROCESS_DETAILS USERMODE_DEBUGGING_PROCESS_DETAILS
Description of each active thread in user-mode attaching mechanism.
BOOLEAN AttachingCheckPageFaultsWithUserDebugger(UINT32 CoreId, UINT64 Address, UINT32 PageFaultErrorCode)
Check page-faults with user-debugger.
Definition Attaching.c:621
BOOLEAN AttachingCheckUnhandledEptViolation(UINT32 CoreId, UINT64 ViolationQualification, UINT64 GuestPhysicalAddr)
handling unhandled EPT violations
Definition Attaching.c:1102
BOOLEAN AttachingReachedToValidLoadedModule(PROCESSOR_DEBUGGING_STATE *DbgState, PUSERMODE_DEBUGGING_PROCESS_DETAILS ProcessDebuggingDetail)
Handle cases where we reached to the valid loaded module The main module should be loaded once we rea...
Definition Attaching.c:348
UCHAR BOOLEAN
Definition BasicTypes.h:39
#define VOID
Definition BasicTypes.h:33
unsigned __int64 UINT64
Definition BasicTypes.h:21
unsigned int UINT32
Definition BasicTypes.h:48
UINT64 Address
Definition HyperDbgScriptImports.h:67
CR3 Structure.
Definition BasicTypes.h:130
request for attaching user-mode process
Definition RequestStructures.h:631
Saves the debugger state.
Definition State.h:165
Description of each active thread in user-mode attaching mechanism.
Definition Attaching.h:49
CR3_TYPE InterceptedCr3[MAX_CR3_IN_A_PROCESS]
Definition Attaching.h:66
LIST_ENTRY ThreadsListHead
Definition Attaching.h:67
UINT64 Context
Definition Attaching.h:55
UINT64 Token
Definition Attaching.h:50
BOOLEAN CheckCallBackForInterceptingFirstInstruction
Definition Attaching.h:65
UINT64 BaseAddressOfMainModule
Definition Attaching.h:59
BOOLEAN Is32Bit
Definition Attaching.h:62
UINT64 UsermodeReservedBuffer
Definition Attaching.h:57
UINT32 ActiveThreadId
Definition Attaching.h:53
BOOLEAN Enabled
Definition Attaching.h:51
UINT32 ProcessId
Definition Attaching.h:61
BOOLEAN IsOnThreadInterceptingPhase
Definition Attaching.h:64
UINT64 EntrypointOfMainModule
Definition Attaching.h:58
PVOID PebAddressToMonitor
Definition Attaching.h:52
GUEST_REGS Registers
Definition Attaching.h:54
BOOLEAN IsOnTheStartingPhase
Definition Attaching.h:63
PEPROCESS Eprocess
Definition Attaching.h:60
LIST_ENTRY AttachedProcessList
Definition Attaching.h:56
Definition BasicTypes.h:70
1.11.0