HyperDbg Debugger
Loading...
Searching...
No Matches
Functions
DebuggerEvents.c File Reference

Implementation of Debugger events (triggers and enable events) More...

#include "pch.h"

Functions

VOID DebuggerEventEnableEferOnAllProcessors ()
 routines for !syscall command (enable syscall hook)
 
VOID DebuggerEventDisableEferOnAllProcessors ()
 routines for !syscall command (disable syscall hook)
 
VOID DebuggerEventEnableMovToCr3ExitingOnAllProcessors ()
 routines for debugging threads (enable mov-to-cr3 exiting)
 
VOID DebuggerEventDisableMovToCr3ExitingOnAllProcessors ()
 routines for debugging threads (disable mov-to-cr3 exiting)
 
BOOLEAN DebuggerEventEnableMonitorReadWriteExec (EPT_HOOKS_ADDRESS_DETAILS_FOR_MEMORY_MONITOR *HookingDetails, UINT32 ProcessId, BOOLEAN ApplyDirectlyFromVmxRoot)
 Apply monitor ept hook events for address.
 
BOOLEAN DebuggerCheckProcessOrThreadChange (_In_ UINT32 CoreId)
 Handle process or thread switches.
 

Detailed Description

Implementation of Debugger events (triggers and enable events)

Author
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
Version
0.1
Date
2020-05-12
Copyright
This project is released under the GNU Public License v3.

Function Documentation

◆ DebuggerCheckProcessOrThreadChange()

BOOLEAN DebuggerCheckProcessOrThreadChange ( _In_ UINT32 CoreId)

Handle process or thread switches.

Parameters
CoreId
Returns
BOOLEAN
115{
116 PROCESSOR_DEBUGGING_STATE * DbgState = &g_DbgState[CoreId];
117
118 //
119 // Check whether intercepting this process or thread is active or not
120 //
121 if (DbgState->ThreadOrProcessTracingDetails.InterceptClockInterruptsForThreadChange ||
122 DbgState->ThreadOrProcessTracingDetails.InterceptClockInterruptsForProcessChange)
123
124 {
125 //
126 // We only handle interrupts that are related to the clock-timer interrupt
127 //
128 if (DbgState->ThreadOrProcessTracingDetails.InterceptClockInterruptsForThreadChange)
129 {
130 return ThreadHandleThreadChange(DbgState);
131 }
132 else
133 {
134 return ProcessHandleProcessChange(DbgState);
135 }
136 }
137
138 //
139 // Not handled here
140 //
141 return FALSE;
142}
FALSE
#define FALSE
Definition BasicTypes.h:54
ProcessHandleProcessChange
BOOLEAN ProcessHandleProcessChange(PROCESSOR_DEBUGGING_STATE *DbgState)
handle process changes
Definition Process.c:42
ThreadHandleThreadChange
BOOLEAN ThreadHandleThreadChange(PROCESSOR_DEBUGGING_STATE *DbgState)
handle thread changes
Definition Thread.c:22
g_DbgState
PROCESSOR_DEBUGGING_STATE * g_DbgState
Save the state and variables related to debugging on each to logical core.
Definition Global.h:17
_DEBUGGEE_PROCESS_OR_THREAD_TRACING_DETAILS::InterceptClockInterruptsForProcessChange
BOOLEAN InterceptClockInterruptsForProcessChange
Definition State.h:63
_DEBUGGEE_PROCESS_OR_THREAD_TRACING_DETAILS::InterceptClockInterruptsForThreadChange
BOOLEAN InterceptClockInterruptsForThreadChange
Definition State.h:57
_PROCESSOR_DEBUGGING_STATE
Saves the debugger state.
Definition State.h:165
_PROCESSOR_DEBUGGING_STATE::ThreadOrProcessTracingDetails
DEBUGGEE_PROCESS_OR_THREAD_TRACING_DETAILS ThreadOrProcessTracingDetails
Definition State.h:178

◆ DebuggerEventDisableEferOnAllProcessors()

VOID DebuggerEventDisableEferOnAllProcessors ( )

routines for !syscall command (disable syscall hook)

Returns
VOID
32{
33 ConfigureDisableEferSyscallEventsOnAllProcessors();
34}
ConfigureDisableEferSyscallEventsOnAllProcessors
VOID ConfigureDisableEferSyscallEventsOnAllProcessors()
routines for disabling syscall hooks on all cores
Definition Configuration.c:143

◆ DebuggerEventDisableMovToCr3ExitingOnAllProcessors()

VOID DebuggerEventDisableMovToCr3ExitingOnAllProcessors ( )

routines for debugging threads (disable mov-to-cr3 exiting)

Returns
VOID
54{
55 ConfigureDisableMovToCr3ExitingOnAllProcessors();
56}
ConfigureDisableMovToCr3ExitingOnAllProcessors
VOID ConfigureDisableMovToCr3ExitingOnAllProcessors()
routines for debugging threads (disable mov-to-cr3 exiting)
Definition Configuration.c:116

◆ DebuggerEventEnableEferOnAllProcessors()

VOID DebuggerEventEnableEferOnAllProcessors ( )

routines for !syscall command (enable syscall hook)

Returns
VOID
21{
22 ConfigureEnableEferSyscallEventsOnAllProcessors();
23}
ConfigureEnableEferSyscallEventsOnAllProcessors
VOID ConfigureEnableEferSyscallEventsOnAllProcessors()
routines for enabling syscall hooks on all cores
Definition Configuration.c:132

◆ DebuggerEventEnableMonitorReadWriteExec()

BOOLEAN DebuggerEventEnableMonitorReadWriteExec ( EPT_HOOKS_ADDRESS_DETAILS_FOR_MEMORY_MONITOR * HookingDetails,
UINT32 ProcessId,
BOOLEAN ApplyDirectlyFromVmxRoot )

Apply monitor ept hook events for address.

Parameters
HookingDetails
ProcessId
ApplyDirectlyFromVmxRoot
Returns
VOID
71{
72 //
73 // Check if the detail is ok for either read or write or both
74 //
75 if (!HookingDetails->SetHookForRead && !HookingDetails->SetHookForWrite && !HookingDetails->SetHookForExec)
76 {
77 return FALSE;
78 }
79
80 //
81 // If the read is FALSE and WRITE is TRUE, then the processor doesn't support
82 // such a thing, we will enable the Read silently here if, this problem will be
83 // solved when the trigger works, the trigger routines won't enable reads
84 //
85 if (HookingDetails->SetHookForWrite)
86 {
87 HookingDetails->SetHookForRead = TRUE;
88 }
89
90 //
91 // Perform the EPT Hook
92 //
93 if (ApplyDirectlyFromVmxRoot)
94 {
95 return ConfigureEptHookMonitorFromVmxRoot(KeGetCurrentProcessorNumberEx(NULL),
96 HookingDetails);
97 }
98 else
99 {
100 return ConfigureEptHookMonitor(KeGetCurrentProcessorNumberEx(NULL),
101 HookingDetails,
102 ProcessId);
103 }
104}
TRUE
#define TRUE
Definition BasicTypes.h:55
ConfigureEptHookMonitorFromVmxRoot
BOOLEAN ConfigureEptHookMonitorFromVmxRoot(UINT32 CoreId, EPT_HOOKS_ADDRESS_DETAILS_FOR_MEMORY_MONITOR *MemoryAddressDetails)
This function allocates a buffer in VMX Non Root Mode and then invokes a VMCALL to set the hook.
Definition Configuration.c:358
ConfigureEptHookMonitor
BOOLEAN ConfigureEptHookMonitor(UINT32 CoreId, EPT_HOOKS_ADDRESS_DETAILS_FOR_MEMORY_MONITOR *HookingDetails, UINT32 ProcessId)
This function allocates a buffer in VMX Non Root Mode and then invokes a VMCALL to set the hook.
Definition Configuration.c:318
_EPT_HOOKS_ADDRESS_DETAILS_FOR_MEMORY_MONITOR::SetHookForRead
BOOLEAN SetHookForRead
Definition DataTypes.h:334
_EPT_HOOKS_ADDRESS_DETAILS_FOR_MEMORY_MONITOR::SetHookForWrite
BOOLEAN SetHookForWrite
Definition DataTypes.h:335
_EPT_HOOKS_ADDRESS_DETAILS_FOR_MEMORY_MONITOR::SetHookForExec
BOOLEAN SetHookForExec
Definition DataTypes.h:336

◆ DebuggerEventEnableMovToCr3ExitingOnAllProcessors()

VOID DebuggerEventEnableMovToCr3ExitingOnAllProcessors ( )

routines for debugging threads (enable mov-to-cr3 exiting)

Returns
VOID
43{
44 ConfigureEnableMovToCr3ExitingOnAllProcessors();
45}
ConfigureEnableMovToCr3ExitingOnAllProcessors
VOID ConfigureEnableMovToCr3ExitingOnAllProcessors()
routines for debugging threads (enable mov-to-cr3 exiting)
Definition Configuration.c:21