HyperDbg Debugger
Loading...
Searching...
No Matches
Functions
Configuration.c File Reference

Configuration interface for hypervisor events. More...

#include "pch.h"

Functions

VOID ConfigureEnableMovToCr3ExitingOnAllProcessors ()
 routines for debugging threads (enable mov-to-cr3 exiting)
 
BOOLEAN ConfigureInitializeExecTrapOnAllProcessors ()
 routines for initializing user-mode, kernel-mode exec trap
 
VOID ConfigureUninitializeExecTrapOnAllProcessors ()
 routines for uninitializing user-mode, kernel-mode exec trap
 
BOOLEAN ConfigureExecTrapAddProcessToWatchingList (UINT32 ProcessId)
 Add the target process to the watching list.
 
BOOLEAN ConfigureExecTrapRemoveProcessFromWatchingList (UINT32 ProcessId)
 Remove the target process from the watching list.
 
VOID ConfigureModeBasedExecHookUninitializeOnAllProcessors ()
 routines for initializing Mode-based execution hooks
 
VOID ConfigureDirtyLoggingInitializeOnAllProcessors ()
 routines for initializing dirty logging mechanism
 
VOID ConfigureDirtyLoggingUninitializeOnAllProcessors ()
 routines for uninitializing dirty logging mechanism
 
VOID ConfigureDisableMovToCr3ExitingOnAllProcessors ()
 routines for debugging threads (disable mov-to-cr3 exiting)
 
VOID ConfigureEnableEferSyscallEventsOnAllProcessors ()
 routines for enabling syscall hooks on all cores
 
VOID ConfigureDisableEferSyscallEventsOnAllProcessors ()
 routines for disabling syscall hooks on all cores
 
BOOLEAN ConfigureEptHookUnHookAllByHookingTag (UINT64 HookingTag)
 Remove all hooks from the hooked pages list using Hooking Tag.
 
BOOLEAN ConfigureEptHookUnHookSingleHookByHookingTagFromVmxRoot (UINT64 HookingTag, EPT_SINGLE_HOOK_UNHOOKING_DETAILS *TargetUnhookingDetails)
 Remove single hook from the hooked pages by the given hooking tag.
 
BOOLEAN ConfigureEptHookUnHookSingleAddress (UINT64 VirtualAddress, UINT64 PhysAddress, UINT32 ProcessId)
 Remove single hook from the hooked pages list and invalidate TLB.
 
BOOLEAN ConfigureEptHookUnHookSingleAddressFromVmxRoot (UINT64 VirtualAddress, UINT64 PhysAddress, EPT_SINGLE_HOOK_UNHOOKING_DETAILS *TargetUnhookingDetails)
 Remove single hook from the hooked pages list and invalidate TLB.
 
VOID ConfigureEptHookAllocateExtraHookingPagesForMemoryMonitorsAndExecEptHooks (UINT32 Count)
 Allocate (reserve) extra pages for storing details of page hooks for memory monitor and regular hidden breakpoit exec EPT hooks.
 
VOID ConfigureEptHookReservePreallocatedPoolsForEptHooks (UINT32 Count)
 Allocate (reserve) pages for storing EPT hooks page hooks.
 
BOOLEAN ConfigureEptHook (PVOID TargetAddress, UINT32 ProcessId)
 This function invokes a VMCALL to set the hook and broadcast the exiting for the breakpoints on exception bitmap.
 
BOOLEAN ConfigureEptHookFromVmxRoot (PVOID TargetAddress)
 This function invokes a direct VMCALL to setup the hook.
 
BOOLEAN ConfigureEptHook2 (UINT32 CoreId, PVOID TargetAddress, PVOID HookFunction, UINT32 ProcessId)
 This function allocates a buffer in VMX Non Root Mode and then invokes a VMCALL to set the hook (inline)
 
BOOLEAN ConfigureEptHookMonitor (UINT32 CoreId, EPT_HOOKS_ADDRESS_DETAILS_FOR_MEMORY_MONITOR *HookingDetails, UINT32 ProcessId)
 This function allocates a buffer in VMX Non Root Mode and then invokes a VMCALL to set the hook.
 
BOOLEAN ConfigureEptHook2FromVmxRoot (UINT32 CoreId, PVOID TargetAddress, PVOID HookFunction)
 This function allocates a buffer in VMX Non Root Mode and then invokes a VMCALL to set the hook (inline EPT hook)
 
BOOLEAN ConfigureEptHookMonitorFromVmxRoot (UINT32 CoreId, EPT_HOOKS_ADDRESS_DETAILS_FOR_MEMORY_MONITOR *MemoryAddressDetails)
 This function allocates a buffer in VMX Non Root Mode and then invokes a VMCALL to set the hook.
 
BOOLEAN ConfigureEptHookModifyInstructionFetchState (UINT32 CoreId, PVOID PhysicalAddress, BOOLEAN IsUnset)
 Change PML EPT state for execution (execute) @detail should be called from VMX-root.
 
BOOLEAN ConfigureEptHookModifyPageReadState (UINT32 CoreId, PVOID PhysicalAddress, BOOLEAN IsUnset)
 Change PML EPT state for read @detail should be called from VMX-root.
 
BOOLEAN ConfigureEptHookModifyPageWriteState (UINT32 CoreId, PVOID PhysicalAddress, BOOLEAN IsUnset)
 Change PML EPT state for write @detail should be called from VMX-root.
 
VOID ConfigureEnableEferSyscallHookOnSingleCore (UINT32 TargetCoreId)
 routines for enabling EFER syscall hooks on a single core
 
VOID ConfigureSetEferSyscallOrSysretHookType (DEBUGGER_EVENT_SYSCALL_SYSRET_TYPE SyscallHookType)
 routines for setting EFER syscall or sysret hooks type
 
VOID ConfigureSetExternalInterruptExitingOnSingleCore (UINT32 TargetCoreId)
 set external interrupt exiting on a single core
 
VOID ConfigureEnableRdtscExitingOnSingleCore (UINT32 TargetCoreId)
 enable RDTSC exiting on a single core
 
VOID ConfigureEnableRdpmcExitingOnSingleCore (UINT32 TargetCoreId)
 enable RDPMC exiting on a single core
 
VOID ConfigureEnableMovToDebugRegistersExitingOnSingleCore (UINT32 TargetCoreId)
 enable mov 2 debug register exiting on a single core
 
VOID ConfigureSetExceptionBitmapOnSingleCore (UINT32 TargetCoreId, UINT32 BitMask)
 set exception bitmap on a single core
 
VOID ConfigureEnableMovToControlRegisterExitingOnSingleCore (UINT32 TargetCoreId, DEBUGGER_EVENT_OPTIONS *BroadcastingOption)
 enable mov 2 control register on a single core
 
VOID ConfigureChangeMsrBitmapWriteOnSingleCore (UINT32 TargetCoreId, UINT64 MsrMask)
 change the mask of msr bitmaps for write on a single core
 
VOID ConfigureChangeMsrBitmapReadOnSingleCore (UINT32 TargetCoreId, UINT64 MsrMask)
 change the mask of msr bitmaps for read on a single core
 
VOID ConfigureChangeIoBitmapOnSingleCore (UINT32 TargetCoreId, UINT64 Port)
 change I/O port bitmap on a single core
 

Detailed Description

Configuration interface for hypervisor events.

Author
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
Version
0.2
Date
2023-01-26
Copyright
This project is released under the GNU Public License v3.

Function Documentation

◆ ConfigureChangeIoBitmapOnSingleCore()

VOID ConfigureChangeIoBitmapOnSingleCore ( UINT32 TargetCoreId,
UINT64 Port )

change I/O port bitmap on a single core

Parameters
TargetCoreIdThe target core's ID (to just run on this core)
PortTarget port in I/O bitmap
Returns
VOID
569{
570 DpcRoutineRunTaskOnSingleCore(TargetCoreId, (PVOID)DpcRoutinePerformChangeIoBitmapOnSingleCore, (PVOID)Port);
571}
DpcRoutinePerformChangeIoBitmapOnSingleCore
VOID DpcRoutinePerformChangeIoBitmapOnSingleCore(KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
change I/O bitmap on a single core
Definition DpcRoutines.c:419
DpcRoutineRunTaskOnSingleCore
NTSTATUS DpcRoutineRunTaskOnSingleCore(UINT32 CoreNumber, PVOID Routine, PVOID DeferredContext)
This function synchronize the function execution for a single core You should only used it for one co...
Definition DpcRoutines.c:35

◆ ConfigureChangeMsrBitmapReadOnSingleCore()

VOID ConfigureChangeMsrBitmapReadOnSingleCore ( UINT32 TargetCoreId,
UINT64 MsrMask )

change the mask of msr bitmaps for read on a single core

Parameters
TargetCoreIdThe target core's ID (to just run on this core)
MsrMaskThe ECX in MSR (mask)
Returns
VOID
555{
556 DpcRoutineRunTaskOnSingleCore(TargetCoreId, (PVOID)DpcRoutinePerformChangeMsrBitmapReadOnSingleCore, (PVOID)MsrMask);
557}
DpcRoutinePerformChangeMsrBitmapReadOnSingleCore
VOID DpcRoutinePerformChangeMsrBitmapReadOnSingleCore(KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
change msr bitmap read on a single core
Definition DpcRoutines.c:161

◆ ConfigureChangeMsrBitmapWriteOnSingleCore()

VOID ConfigureChangeMsrBitmapWriteOnSingleCore ( UINT32 TargetCoreId,
UINT64 MsrMask )

change the mask of msr bitmaps for write on a single core

Parameters
TargetCoreIdThe target core's ID (to just run on this core)
MsrMaskThe ECX in MSR (mask)
Returns
VOID
541{
542 DpcRoutineRunTaskOnSingleCore(TargetCoreId, (PVOID)DpcRoutinePerformChangeMsrBitmapWriteOnSingleCore, (PVOID)MsrMask);
543}
DpcRoutinePerformChangeMsrBitmapWriteOnSingleCore
VOID DpcRoutinePerformChangeMsrBitmapWriteOnSingleCore(KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
change msr bitmap write on a single core
Definition DpcRoutines.c:189

◆ ConfigureDirtyLoggingInitializeOnAllProcessors()

VOID ConfigureDirtyLoggingInitializeOnAllProcessors ( )

routines for initializing dirty logging mechanism

Returns
VOID
95{
96 DirtyLoggingInitialize();
97}
DirtyLoggingInitialize
BOOLEAN DirtyLoggingInitialize()
Initialize the dirty logging mechanism.
Definition DirtyLogging.c:21

◆ ConfigureDirtyLoggingUninitializeOnAllProcessors()

VOID ConfigureDirtyLoggingUninitializeOnAllProcessors ( )

routines for uninitializing dirty logging mechanism

Returns
VOID
106{
107 DirtyLoggingUninitialize();
108}
DirtyLoggingUninitialize
VOID DirtyLoggingUninitialize()
Initialize the dirty logging mechanism.
Definition DirtyLogging.c:182

◆ ConfigureDisableEferSyscallEventsOnAllProcessors()

VOID ConfigureDisableEferSyscallEventsOnAllProcessors ( )

routines for disabling syscall hooks on all cores

Returns
VOID
144{
145 BroadcastDisableEferSyscallEventsOnAllProcessors();
146}
BroadcastDisableEferSyscallEventsOnAllProcessors
VOID BroadcastDisableEferSyscallEventsOnAllProcessors()
routines for disabling syscall hooks on all cores
Definition Broadcast.c:513

◆ ConfigureDisableMovToCr3ExitingOnAllProcessors()

VOID ConfigureDisableMovToCr3ExitingOnAllProcessors ( )

routines for debugging threads (disable mov-to-cr3 exiting)

Returns
VOID
117{
118 //
119 // Indicate that the future #PFs should or should not be checked with user debugger
120 //
121 g_CheckPageFaultsAndMov2Cr3VmexitsWithUserDebugger = FALSE;
122
123 BroadcastDisableMovToCr3ExitingOnAllProcessors();
124}
FALSE
#define FALSE
Definition BasicTypes.h:54
BroadcastDisableMovToCr3ExitingOnAllProcessors
VOID BroadcastDisableMovToCr3ExitingOnAllProcessors()
routines for debugging threads (disable mov-to-cr3 exiting)
Definition Broadcast.c:491
g_CheckPageFaultsAndMov2Cr3VmexitsWithUserDebugger
BOOLEAN g_CheckPageFaultsAndMov2Cr3VmexitsWithUserDebugger
Whether the page-fault and cr3 vm-exits in vmx-root should check the #PFs or the PML4....
Definition GlobalVariables.h:114

◆ ConfigureEnableEferSyscallEventsOnAllProcessors()

VOID ConfigureEnableEferSyscallEventsOnAllProcessors ( )

routines for enabling syscall hooks on all cores

Returns
VOID
133{
134 BroadcastEnableEferSyscallEventsOnAllProcessors();
135}
BroadcastEnableEferSyscallEventsOnAllProcessors
VOID BroadcastEnableEferSyscallEventsOnAllProcessors()
routines for enabling syscall hooks on all cores
Definition Broadcast.c:502

◆ ConfigureEnableEferSyscallHookOnSingleCore()

VOID ConfigureEnableEferSyscallHookOnSingleCore ( UINT32 TargetCoreId)

routines for enabling EFER syscall hooks on a single core

Parameters
TargetCoreIdThe target core's ID (to just run on this core)
Returns
VOID
427{
428 DpcRoutineRunTaskOnSingleCore(TargetCoreId, (PVOID)DpcRoutinePerformEnableEferSyscallHookOnSingleCore, NULL);
429}
DpcRoutinePerformEnableEferSyscallHookOnSingleCore
VOID DpcRoutinePerformEnableEferSyscallHookOnSingleCore(KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
Enable syscall hook EFER on a single core.
Definition DpcRoutines.c:390

◆ ConfigureEnableMovToControlRegisterExitingOnSingleCore()

VOID ConfigureEnableMovToControlRegisterExitingOnSingleCore ( UINT32 TargetCoreId,
DEBUGGER_EVENT_OPTIONS * BroadcastingOption )

enable mov 2 control register on a single core

Parameters
TargetCoreIdThe target core's ID (to just run on this core)
BroadcastingOptionThe optional broadcasting fields
Returns
VOID
527{
528 DpcRoutineRunTaskOnSingleCore(TargetCoreId, (PVOID)DpcRoutinePerformEnableMovToControlRegisterExiting, &BroadcastingOption);
529}
DpcRoutinePerformEnableMovToControlRegisterExiting
VOID DpcRoutinePerformEnableMovToControlRegisterExiting(KDPC *Dpc, DEBUGGER_EVENT_OPTIONS *EventOptions, PVOID SystemArgument1, PVOID SystemArgument2)
Set the Mov to Control Registers Exitings.
Definition DpcRoutines.c:333

◆ ConfigureEnableMovToCr3ExitingOnAllProcessors()

VOID ConfigureEnableMovToCr3ExitingOnAllProcessors ( )

routines for debugging threads (enable mov-to-cr3 exiting)

Returns
VOID
22{
23 //
24 // Indicate that the future #PFs should or should not be checked with user debugger
25 //
26 g_CheckPageFaultsAndMov2Cr3VmexitsWithUserDebugger = TRUE;
27
28 BroadcastEnableMovToCr3ExitingOnAllProcessors();
29}
TRUE
#define TRUE
Definition BasicTypes.h:55
BroadcastEnableMovToCr3ExitingOnAllProcessors
VOID BroadcastEnableMovToCr3ExitingOnAllProcessors()
routines for debugging threads (enable mov-to-cr3 exiting)
Definition Broadcast.c:436

◆ ConfigureEnableMovToDebugRegistersExitingOnSingleCore()

VOID ConfigureEnableMovToDebugRegistersExitingOnSingleCore ( UINT32 TargetCoreId)

enable mov 2 debug register exiting on a single core

Parameters
TargetCoreIdThe target core's ID (to just run on this core)
Returns
VOID
499{
500 DpcRoutineRunTaskOnSingleCore(TargetCoreId, (PVOID)DpcRoutinePerformEnableMovToDebugRegistersExiting, NULL);
501}
DpcRoutinePerformEnableMovToDebugRegistersExiting
VOID DpcRoutinePerformEnableMovToDebugRegistersExiting(KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
Set the Mov to Debug Registers Exitings.
Definition DpcRoutines.c:304

◆ ConfigureEnableRdpmcExitingOnSingleCore()

VOID ConfigureEnableRdpmcExitingOnSingleCore ( UINT32 TargetCoreId)

enable RDPMC exiting on a single core

Parameters
TargetCoreIdThe target core's ID (to just run on this core)
Returns
VOID
486{
487 DpcRoutineRunTaskOnSingleCore(TargetCoreId, (PVOID)DpcRoutinePerformEnableRdpmcExitingOnSingleCore, NULL);
488}
DpcRoutinePerformEnableRdpmcExitingOnSingleCore
VOID DpcRoutinePerformEnableRdpmcExitingOnSingleCore(KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
set rdpmc exiting
Definition DpcRoutines.c:246

◆ ConfigureEnableRdtscExitingOnSingleCore()

VOID ConfigureEnableRdtscExitingOnSingleCore ( UINT32 TargetCoreId)

enable RDTSC exiting on a single core

Parameters
TargetCoreIdThe target core's ID (to just run on this core)
Returns
VOID
473{
474 DpcRoutineRunTaskOnSingleCore(TargetCoreId, (PVOID)DpcRoutinePerformEnableRdtscExitingOnSingleCore, NULL);
475}
DpcRoutinePerformEnableRdtscExitingOnSingleCore
VOID DpcRoutinePerformEnableRdtscExitingOnSingleCore(KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
set rdtsc/rdtscp exiting
Definition DpcRoutines.c:217

◆ ConfigureEptHook()

BOOLEAN ConfigureEptHook ( PVOID TargetAddress,
UINT32 ProcessId )

This function invokes a VMCALL to set the hook and broadcast the exiting for the breakpoints on exception bitmap.

this command uses hidden breakpoints (0xcc) to hook, THIS FUNCTION SHOULD BE CALLED WHEN THE VMLAUNCH ALREADY EXECUTED, it is because, broadcasting to enable exception bitmap for breakpoint is not clear here, if we want to broadcast to enable exception bitmaps on all cores when vmlaunch is not executed then that's ok but a user might call this function when we didn't configure the vmcs, it's a problem! we can solve it by giving a hint to vmcs configure function to make it ok for future configuration but that sounds stupid, I think it's better to not support this feature. Btw, debugger won't use this function in the above mentioned method, so we won't have any problem with this :)

Parameters
TargetAddressThe address of function or memory address to be hooked
ProcessIdThe process id to translate based on that process's cr3
Returns
BOOLEAN Returns true if the hook was successful or false if there was an error
262{
263 return EptHook(TargetAddress, ProcessId);
264}
EptHook
BOOLEAN EptHook(PVOID TargetAddress, UINT32 ProcessId)
This function invokes a VMCALL to set the hook and broadcast the exiting for the breakpoints on excep...
Definition EptHook.c:605

◆ ConfigureEptHook2()

BOOLEAN ConfigureEptHook2 ( UINT32 CoreId,
PVOID TargetAddress,
PVOID HookFunction,
UINT32 ProcessId )

This function allocates a buffer in VMX Non Root Mode and then invokes a VMCALL to set the hook (inline)

this command uses hidden detours, this NOT be called from vmx-root mode

Parameters
CoreIdID of the target core
TargetAddressThe address of function or memory address to be hooked
HookFunctionThe function that will be called when hook triggered
ProcessIdThe process id to translate based on that process's cr3
Returns
BOOLEAN Returns true if the hook was successful or false if there was an error
299{
300 return EptHookInlineHook(&g_GuestState[CoreId],
301 TargetAddress,
302 HookFunction,
303 ProcessId);
304}
EptHookInlineHook
BOOLEAN EptHookInlineHook(VIRTUAL_MACHINE_STATE *VCpu, PVOID TargetAddress, PVOID HookFunction, UINT32 ProcessId)
This function applies EPT hook 2 (inline) to the target EPT table.
Definition EptHook.c:1542
g_GuestState
VIRTUAL_MACHINE_STATE * g_GuestState
Save the state and variables related to virtualization on each to logical core.
Definition GlobalVariables.h:38

◆ ConfigureEptHook2FromVmxRoot()

BOOLEAN ConfigureEptHook2FromVmxRoot ( UINT32 CoreId,
PVOID TargetAddress,
PVOID HookFunction )

This function allocates a buffer in VMX Non Root Mode and then invokes a VMCALL to set the hook (inline EPT hook)

this command uses hidden detours, this should be called from vmx-root mode

Parameters
CoreIdID of the target core
TargetAddressThe address of function or memory address to be hooked
HookFunctionThe function that will be called when hook triggered
Returns
BOOLEAN Returns true if the hook was successful or false if there was an error
341{
342 return EptHookInlineHookFromVmxRoot(&g_GuestState[CoreId],
343 TargetAddress,
344 HookFunction);
345}
EptHookInlineHookFromVmxRoot
BOOLEAN EptHookInlineHookFromVmxRoot(VIRTUAL_MACHINE_STATE *VCpu, PVOID TargetAddress, PVOID HookFunction)
This function applies EPT inline to the target EPT table.
Definition EptHook.c:1613

◆ ConfigureEptHookAllocateExtraHookingPagesForMemoryMonitorsAndExecEptHooks()

VOID ConfigureEptHookAllocateExtraHookingPagesForMemoryMonitorsAndExecEptHooks ( UINT32 Count)

Allocate (reserve) extra pages for storing details of page hooks for memory monitor and regular hidden breakpoit exec EPT hooks.

Parameters
Count
Returns
VOID
228{
229 EptHookAllocateExtraHookingPagesForMemoryMonitorsAndExecEptHooks(Count);
230}
EptHookAllocateExtraHookingPagesForMemoryMonitorsAndExecEptHooks
VOID EptHookAllocateExtraHookingPagesForMemoryMonitorsAndExecEptHooks(UINT32 Count)
Allocate (reserve) extra pages for storing details of page hooks for memory monitor and regular hidde...
Definition EptHook.c:110

◆ ConfigureEptHookFromVmxRoot()

BOOLEAN ConfigureEptHookFromVmxRoot ( PVOID TargetAddress)

This function invokes a direct VMCALL to setup the hook.

the caller of this function should make sure to 1) broadcast to all cores to intercept breakpoints (#BPs) and after calling this function 2) the caller should broadcast to all cores to invalidate their EPTPs

Parameters
TargetAddressThe address of function or memory address to be hooked
Returns
BOOLEAN Returns true if the hook was successful or false if there was an error
279{
280 return EptHookFromVmxRoot(TargetAddress);
281}
EptHookFromVmxRoot
BOOLEAN EptHookFromVmxRoot(PVOID TargetAddress)
This function invokes a direct VMCALL to setup the hook.
Definition EptHook.c:631

◆ ConfigureEptHookModifyInstructionFetchState()

BOOLEAN ConfigureEptHookModifyInstructionFetchState ( UINT32 CoreId,
PVOID PhysicalAddress,
BOOLEAN IsUnset )

Change PML EPT state for execution (execute) @detail should be called from VMX-root.

Parameters
CoreIdCurrent Core ID
PhysicalAddressTarget physical address
IsUnsetIs unsetting bit or setting bit
Returns
BOOLEAN
378{
379 return EptHookModifyInstructionFetchState(&g_GuestState[CoreId], PhysicalAddress, IsUnset);
380}
EptHookModifyInstructionFetchState
BOOLEAN EptHookModifyInstructionFetchState(VIRTUAL_MACHINE_STATE *VCpu, PVOID PhysicalAddress, BOOLEAN IsUnset)
Change PML EPT state for execution (execute) @detail should be called from VMX-root.
Definition EptHook.c:2566

◆ ConfigureEptHookModifyPageReadState()

BOOLEAN ConfigureEptHookModifyPageReadState ( UINT32 CoreId,
PVOID PhysicalAddress,
BOOLEAN IsUnset )

Change PML EPT state for read @detail should be called from VMX-root.

Parameters
VCpuThe virtual processor's state
PhysicalAddressTarget physical address
IsUnsetIs unsetting bit or setting bit
Returns
BOOLEAN
396{
397 return EptHookModifyPageReadState(&g_GuestState[CoreId], PhysicalAddress, IsUnset);
398}
EptHookModifyPageReadState
BOOLEAN EptHookModifyPageReadState(VIRTUAL_MACHINE_STATE *VCpu, PVOID PhysicalAddress, BOOLEAN IsUnset)
Change PML EPT state for read @detail should be called from VMX-root.
Definition EptHook.c:2624

◆ ConfigureEptHookModifyPageWriteState()

BOOLEAN ConfigureEptHookModifyPageWriteState ( UINT32 CoreId,
PVOID PhysicalAddress,
BOOLEAN IsUnset )

Change PML EPT state for write @detail should be called from VMX-root.

Parameters
VCpuThe virtual processor's state
PhysicalAddressTarget physical address
IsUnsetIs unsetting bit or setting bit
Returns
BOOLEAN
414{
415 return EptHookModifyPageWriteState(&g_GuestState[CoreId], PhysicalAddress, IsUnset);
416}
EptHookModifyPageWriteState
BOOLEAN EptHookModifyPageWriteState(VIRTUAL_MACHINE_STATE *VCpu, PVOID PhysicalAddress, BOOLEAN IsUnset)
Change PML EPT state for write @detail should be called from VMX-root.
Definition EptHook.c:2682

◆ ConfigureEptHookMonitor()

BOOLEAN ConfigureEptHookMonitor ( UINT32 CoreId,
EPT_HOOKS_ADDRESS_DETAILS_FOR_MEMORY_MONITOR * HookingDetails,
UINT32 ProcessId )

This function allocates a buffer in VMX Non Root Mode and then invokes a VMCALL to set the hook.

this command uses hidden detours, this NOT be called from vmx-root mode

Parameters
CoreIdID of the target core
HookingDetailsMonitor hooking detail
ProcessIdThe process id to translate based on that process's cr3
Returns
BOOLEAN Returns true if the hook was successful or false if there was an error
321{
322 return EptHookMonitorHook(&g_GuestState[CoreId],
323 HookingDetails,
324 ProcessId);
325}
EptHookMonitorHook
BOOLEAN EptHookMonitorHook(VIRTUAL_MACHINE_STATE *VCpu, EPT_HOOKS_ADDRESS_DETAILS_FOR_MEMORY_MONITOR *HookingDetails, UINT32 ProcessId)
This function applies monitor hooks to the target EPT table.
Definition EptHook.c:1582

◆ ConfigureEptHookMonitorFromVmxRoot()

BOOLEAN ConfigureEptHookMonitorFromVmxRoot ( UINT32 CoreId,
EPT_HOOKS_ADDRESS_DETAILS_FOR_MEMORY_MONITOR * MemoryAddressDetails )

This function allocates a buffer in VMX Non Root Mode and then invokes a VMCALL to set the hook.

this command uses hidden detours, this should be called from vmx-root mode

Parameters
CoreIdID of the target core
MemoryAddressDetailsMonitor hooking details
Returns
BOOLEAN Returns true if the hook was successful or false if there was an error
360{
361 return EptHookMonitorFromVmxRoot(&g_GuestState[CoreId], MemoryAddressDetails);
362}
EptHookMonitorFromVmxRoot
BOOLEAN EptHookMonitorFromVmxRoot(VIRTUAL_MACHINE_STATE *VCpu, EPT_HOOKS_ADDRESS_DETAILS_FOR_MEMORY_MONITOR *MemoryAddressDetails)
This function applies EPT monitor hooks to the target EPT table.
Definition EptHook.c:1651

◆ ConfigureEptHookReservePreallocatedPoolsForEptHooks()

VOID ConfigureEptHookReservePreallocatedPoolsForEptHooks ( UINT32 Count)

Allocate (reserve) pages for storing EPT hooks page hooks.

Parameters
Count
Returns
VOID
240{
241 EptHookReservePreallocatedPoolsForEptHooks(Count);
242}
EptHookReservePreallocatedPoolsForEptHooks
VOID EptHookReservePreallocatedPoolsForEptHooks(UINT32 Count)
Reserve pre-allocated pools for EPT hooks.
Definition EptHook.c:70

◆ ConfigureEptHookUnHookAllByHookingTag()

BOOLEAN ConfigureEptHookUnHookAllByHookingTag ( UINT64 HookingTag)

Remove all hooks from the hooked pages list using Hooking Tag.

Should be called from vmx non-root

Parameters
HookingTagThe hooking tag to remove all hooks
Returns
BOOLEAN If unhook was successful it returns true or if it was not successful returns false
158{
159 return EptHookUnHookAllByHookingTag(HookingTag);
160}
EptHookUnHookAllByHookingTag
BOOLEAN EptHookUnHookAllByHookingTag(UINT64 HookingTag)
Remove all hooks from the hooked pages by the given hooking tag.
Definition EptHook.c:2296

◆ ConfigureEptHookUnHookSingleAddress()

BOOLEAN ConfigureEptHookUnHookSingleAddress ( UINT64 VirtualAddress,
UINT64 PhysAddress,
UINT32 ProcessId )

Remove single hook from the hooked pages list and invalidate TLB.

Should be called from vmx non-root

Parameters
VirtualAddressVirtual address to unhook
PhysAddressPhysical address to unhook (optional)
ProcessIdThe process id of target process

in unhooking for some hooks only physical address is availables

Returns
BOOLEAN If unhook was successful it returns true or if it was not successful returns false
191{
192 return EptHookUnHookSingleAddress(VirtualAddress, PhysAddress, ProcessId);
193}
EptHookUnHookSingleAddress
BOOLEAN EptHookUnHookSingleAddress(UINT64 VirtualAddress, UINT64 PhysAddress, UINT32 ProcessId)
Remove single hook from the hooked pages list and invalidate TLB.
Definition EptHook.c:2370

◆ ConfigureEptHookUnHookSingleAddressFromVmxRoot()

BOOLEAN ConfigureEptHookUnHookSingleAddressFromVmxRoot ( UINT64 VirtualAddress,
UINT64 PhysAddress,
EPT_SINGLE_HOOK_UNHOOKING_DETAILS * TargetUnhookingDetails )

Remove single hook from the hooked pages list and invalidate TLB.

Should be called from vmx root-mode and it's the responsibility of caller to broadcast to all cores to remove the target physical address and invalidate EPT and modify exception bitmap (#BPs) if needed

Parameters
VirtualAddressVirtual address to unhook
PhysAddressPhysical address to unhook (optional)
TargetUnhookingDetailsTarget data for the caller to restore EPT entry and invalidate EPT caches. Only when applied in VMX-root mode directly
Returns
BOOLEAN If unhook was successful it returns true or if it was not successful returns false
212{
213 return EptHookUnHookSingleAddressFromVmxRoot(VirtualAddress,
214 PhysAddress,
215 TargetUnhookingDetails);
216}
EptHookUnHookSingleAddressFromVmxRoot
BOOLEAN EptHookUnHookSingleAddressFromVmxRoot(UINT64 VirtualAddress, UINT64 PhysAddress, EPT_SINGLE_HOOK_UNHOOKING_DETAILS *TargetUnhookingDetails)
Remove single hook from the hooked pages list and invalidate TLB.
Definition EptHook.c:2404

◆ ConfigureEptHookUnHookSingleHookByHookingTagFromVmxRoot()

BOOLEAN ConfigureEptHookUnHookSingleHookByHookingTagFromVmxRoot ( UINT64 HookingTag,
EPT_SINGLE_HOOK_UNHOOKING_DETAILS * TargetUnhookingDetails )

Remove single hook from the hooked pages by the given hooking tag.

Should be called from Vmx root-mode

Parameters
HookingTagThe hooking tag to unhook
Returns
BOOLEAN If unhook was successful it returns true or if it was not successful returns false
172{
173 return EptHookUnHookSingleHookByHookingTagFromVmxRoot(HookingTag, TargetUnhookingDetails);
174}
EptHookUnHookSingleHookByHookingTagFromVmxRoot
BOOLEAN EptHookUnHookSingleHookByHookingTagFromVmxRoot(UINT64 HookingTag, EPT_SINGLE_HOOK_UNHOOKING_DETAILS *TargetUnhookingDetails)
Remove single hook from the hooked pages by the given hooking tag.
Definition EptHook.c:2339

◆ ConfigureExecTrapAddProcessToWatchingList()

BOOLEAN ConfigureExecTrapAddProcessToWatchingList ( UINT32 ProcessId)

Add the target process to the watching list.

Parameters
ProcessId
Returns
BOOLEAN
61{
62 return ExecTrapAddProcessToWatchingList(ProcessId);
63}
ExecTrapAddProcessToWatchingList
BOOLEAN ExecTrapAddProcessToWatchingList(UINT32 ProcessId)
Add the target process to the watching list.
Definition ExecTrap.c:894

◆ ConfigureExecTrapRemoveProcessFromWatchingList()

BOOLEAN ConfigureExecTrapRemoveProcessFromWatchingList ( UINT32 ProcessId)

Remove the target process from the watching list.

Parameters
ProcessId
Returns
BOOLEAN
73{
74 return ExecTrapRemoveProcessFromWatchingList(ProcessId);
75}
ExecTrapRemoveProcessFromWatchingList
BOOLEAN ExecTrapRemoveProcessFromWatchingList(UINT32 ProcessId)
Remove the target process from the watching list.
Definition ExecTrap.c:909

◆ ConfigureInitializeExecTrapOnAllProcessors()

BOOLEAN ConfigureInitializeExecTrapOnAllProcessors ( )

routines for initializing user-mode, kernel-mode exec trap

Returns
BOOLEAN
38{
39 return ExecTrapInitialize();
40}
ExecTrapInitialize
BOOLEAN ExecTrapInitialize()
Initialize the reversing machine based on service request.
Definition ExecTrap.c:497

◆ ConfigureModeBasedExecHookUninitializeOnAllProcessors()

VOID ConfigureModeBasedExecHookUninitializeOnAllProcessors ( )

routines for initializing Mode-based execution hooks

Returns
VOID
84{
85 ModeBasedExecHookUninitialize();
86}
ModeBasedExecHookUninitialize
VOID ModeBasedExecHookUninitialize()
Uinitialize the needed structure for hooking mode execution.
Definition ModeBasedExecHook.c:247

◆ ConfigureSetEferSyscallOrSysretHookType()

VOID ConfigureSetEferSyscallOrSysretHookType ( DEBUGGER_EVENT_SYSCALL_SYSRET_TYPE SyscallHookType)

routines for setting EFER syscall or sysret hooks type

Parameters
SyscallHookTypeType of hook
Returns
VOID
440{
441 if (SyscallHookType == DEBUGGER_EVENT_SYSCALL_SYSRET_HANDLE_ALL_UD)
442 {
443 g_IsUnsafeSyscallOrSysretHandling = TRUE;
444 }
445 else if (SyscallHookType == DEBUGGER_EVENT_SYSCALL_SYSRET_SAFE_ACCESS_MEMORY)
446 {
447 g_IsUnsafeSyscallOrSysretHandling = FALSE;
448 }
449}
g_IsUnsafeSyscallOrSysretHandling
BOOLEAN g_IsUnsafeSyscallOrSysretHandling
Shows whether the debuggee is waiting for an trap step or not.
Definition GlobalVariables.h:101
DEBUGGER_EVENT_SYSCALL_SYSRET_SAFE_ACCESS_MEMORY
@ DEBUGGER_EVENT_SYSCALL_SYSRET_SAFE_ACCESS_MEMORY
Definition Events.h:192
DEBUGGER_EVENT_SYSCALL_SYSRET_HANDLE_ALL_UD
@ DEBUGGER_EVENT_SYSCALL_SYSRET_HANDLE_ALL_UD
Definition Events.h:193

◆ ConfigureSetExceptionBitmapOnSingleCore()

VOID ConfigureSetExceptionBitmapOnSingleCore ( UINT32 TargetCoreId,
UINT32 BitMask )

set exception bitmap on a single core

Parameters
TargetCoreIdThe target core's ID (to just run on this core)
BitMaskThe bit mask of exception bitmap
Returns
VOID
513{
514 DpcRoutineRunTaskOnSingleCore(TargetCoreId, (PVOID)DpcRoutinePerformSetExceptionBitmapOnSingleCore, (PVOID)BitMask);
515}
DpcRoutinePerformSetExceptionBitmapOnSingleCore
VOID DpcRoutinePerformSetExceptionBitmapOnSingleCore(KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
change exception bitmap on a single core
Definition DpcRoutines.c:275

◆ ConfigureSetExternalInterruptExitingOnSingleCore()

VOID ConfigureSetExternalInterruptExitingOnSingleCore ( UINT32 TargetCoreId)

set external interrupt exiting on a single core

Parameters
TargetCoreIdThe target core's ID (to just run on this core)
Returns
VOID
460{
461 DpcRoutineRunTaskOnSingleCore(TargetCoreId, (PVOID)DpcRoutinePerformSetExternalInterruptExitingOnSingleCore, NULL);
462}
DpcRoutinePerformSetExternalInterruptExitingOnSingleCore
VOID DpcRoutinePerformSetExternalInterruptExitingOnSingleCore(KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
Enable external interrupt exiting on a single core.
Definition DpcRoutines.c:361

◆ ConfigureUninitializeExecTrapOnAllProcessors()

VOID ConfigureUninitializeExecTrapOnAllProcessors ( )

routines for uninitializing user-mode, kernel-mode exec trap

Returns
VOID
49{
50 ExecTrapUninitialize();
51}
ExecTrapUninitialize
VOID ExecTrapUninitialize()
Uinitialize the needed structure for the reversing machine.
Definition ExecTrap.c:605