HyperDbg Debugger
Loading...
Searching...
No Matches
Functions
Dispatch.h File Reference

Headers of debugger functions for dispatching, triggering and emulating events. More...

Go to the source code of this file.

Functions

VOID DispatchEventEferSysret (VIRTUAL_MACHINE_STATE *VCpu, PVOID Context)
 Handling debugger functions related to SYSRET events.
 
VOID DispatchEventEferSyscall (VIRTUAL_MACHINE_STATE *VCpu)
 Handling debugger functions related to SYSCALL events.
 
VOID DispatchEventCpuid (VIRTUAL_MACHINE_STATE *VCpu)
 Handling debugger functions related to CPUID events.
 
VOID DispatchEventTsc (VIRTUAL_MACHINE_STATE *VCpu, BOOLEAN IsRdtscp)
 Handling debugger functions related to RDTSC/RDTSCP events.
 
VOID DispatchEventVmcall (VIRTUAL_MACHINE_STATE *VCpu)
 Handling debugger functions related to VMCALL events.
 
VOID DispatchEventMode (VIRTUAL_MACHINE_STATE *VCpu, DEBUGGER_EVENT_MODE_TYPE TargetMode, BOOLEAN HandleState)
 Handling debugger functions related to user-mode/kernel-mode execution trap events.
 
VOID DispatchEventMovToCr3 (VIRTUAL_MACHINE_STATE *VCpu)
 Handling debugger functions related to mov 2 cr3 events.
 
VOID DispatchEventIO (VIRTUAL_MACHINE_STATE *VCpu)
 Handling debugger functions related to IO events.
 
VOID DispatchEventRdmsr (VIRTUAL_MACHINE_STATE *VCpu)
 Handling debugger functions related to RDMSR events.
 
VOID DispatchEventWrmsr (VIRTUAL_MACHINE_STATE *VCpu)
 Handling debugger functions related to WRMSR events.
 
VOID DispatchEventRdpmc (VIRTUAL_MACHINE_STATE *VCpu)
 Handling debugger functions related to RDPMC events.
 
VOID DispatchEventMovToFromControlRegisters (VIRTUAL_MACHINE_STATE *VCpu)
 Handling debugger functions related to mov to/from CR events.
 
VOID DispatchEventMov2DebugRegs (VIRTUAL_MACHINE_STATE *VCpu)
 Handling debugger functions related to MOV 2 DR events.
 
VOID DispatchEventException (VIRTUAL_MACHINE_STATE *VCpu)
 Handling debugger functions related to EXCEPTION events.
 
VOID DispatchEventExternalInterrupts (VIRTUAL_MACHINE_STATE *VCpu)
 Handling debugger functions related to external-interrupt events.
 
VOID DispatchEventHiddenHookExecCc (VIRTUAL_MACHINE_STATE *VCpu, PVOID Context)
 Handling debugger functions related to hidden hook exec CC events.
 
VOID DispatchEventHiddenHookExecDetours (VIRTUAL_MACHINE_STATE *VCpu, PVOID Context)
 Handling debugger functions related to hidden hook exec detours events.
 
VOID DispatchEventHiddenHookPageReadWriteExecReadPostEvent (VIRTUAL_MACHINE_STATE *VCpu, PVOID Context)
 Handling debugger functions related to read & write & execute, read events (post)
 
VOID DispatchEventHiddenHookPageReadWriteExecWritePostEvent (VIRTUAL_MACHINE_STATE *VCpu, PVOID Context)
 Handling debugger functions related to read & write & execute, write events (post)
 
VOID DispatchEventHiddenHookPageReadWriteExecExecutePostEvent (VIRTUAL_MACHINE_STATE *VCpu, PVOID Context)
 Handling debugger functions related to read & write & execute, execute events (post)
 
VOID DispatchEventInstrumentationTrace (VIRTUAL_MACHINE_STATE *VCpu)
 
BOOLEAN DispatchEventHiddenHookPageReadWriteExecuteReadPreEvent (VIRTUAL_MACHINE_STATE *VCpu, PVOID Context, BOOLEAN *IsTriggeringPostEventAllowed)
 Handling debugger functions related to read & write & execute, read events (pre)
 
BOOLEAN DispatchEventHiddenHookPageReadWriteExecuteWritePreEvent (VIRTUAL_MACHINE_STATE *VCpu, PVOID Context, BOOLEAN *IsTriggeringPostEventAllowed)
 Handling debugger functions related to read & write & execute, write events (pre)
 
BOOLEAN DispatchEventHiddenHookPageReadWriteExecuteExecutePreEvent (VIRTUAL_MACHINE_STATE *VCpu, PVOID Context, BOOLEAN *IsTriggeringPostEventAllowed)
 Handling debugger functions related to read & write & execute, execute events (pre)
 

Detailed Description

Headers of debugger functions for dispatching, triggering and emulating events.

Author
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
Version
0.1
Date
2022-09-21
Copyright
This project is released under the GNU Public License v3.

Function Documentation

◆ DispatchEventCpuid()

VOID DispatchEventCpuid ( VIRTUAL_MACHINE_STATE * VCpu)

Handling debugger functions related to CPUID events.

Parameters
VCpuThe virtual processor's state
Returns
VOID
114{
115 UINT64 Context;
116 VMM_CALLBACK_TRIGGERING_EVENT_STATUS_TYPE EventTriggerResult;
117 BOOLEAN PostEventTriggerReq = FALSE;
118
119 //
120 // Check if attaching is for command dispatching in user debugger
121 // or a regular CPUID
122 //
123 if (g_Callbacks.UdCheckForCommand != NULL && g_Callbacks.UdCheckForCommand())
124 {
125 //
126 // It's a thread command for user debugger, no need to run the
127 // actual CPUID instruction and change the registers
128 //
129 return;
130 }
131
132 //
133 // As the context to event trigger, we send the eax before the cpuid
134 // so that the debugger can both read the eax as it's now changed by
135 // the cpuid instruction and also can modify the results
136 //
137 if (g_TriggerEventForCpuids)
138 {
139 //
140 // Adjusting the core context (save EAX for the debugger)
141 //
142 Context = VCpu->Regs->rax & 0xffffffff;
143
144 //
145 // Triggering the pre-event
146 //
147 EventTriggerResult = VmmCallbackTriggerEvents(CPUID_INSTRUCTION_EXECUTION,
148 VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION,
149 (PVOID)Context,
150 &PostEventTriggerReq,
151 VCpu->Regs);
152
153 //
154 // Check whether we need to short-circuiting event emulation or not
155 //
156 if (EventTriggerResult != VMM_CALLBACK_TRIGGERING_EVENT_STATUS_SUCCESSFUL_IGNORE_EVENT)
157 {
158 //
159 // Handle the CPUID event in the case of triggering event
160 //
161 HvHandleCpuid(VCpu);
162 }
163
164 //
165 // Check for the post-event triggering needs
166 //
167 if (PostEventTriggerReq)
168 {
169 VmmCallbackTriggerEvents(CPUID_INSTRUCTION_EXECUTION,
170 VMM_CALLBACK_CALLING_STAGE_POST_EVENT_EMULATION,
171 (PVOID)Context,
172 NULL,
173 VCpu->Regs);
174 }
175 }
176 else
177 {
178 //
179 // Otherwise and if there is no event, we should handle the CPUID
180 // normally
181 //
182 HvHandleCpuid(VCpu);
183 }
184}
BOOLEAN
UCHAR BOOLEAN
Definition BasicTypes.h:39
FALSE
#define FALSE
Definition BasicTypes.h:54
UINT64
unsigned __int64 UINT64
Definition BasicTypes.h:21
VmmCallbackTriggerEvents
VMM_CALLBACK_TRIGGERING_EVENT_STATUS_TYPE VmmCallbackTriggerEvents(VMM_EVENT_TYPE_ENUM EventType, VMM_CALLBACK_EVENT_CALLING_STAGE_TYPE CallingStage, PVOID Context, BOOLEAN *PostEventRequired, GUEST_REGS *Regs)
routines callback to trigger events
Definition Callback.c:154
VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION
@ VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION
Definition DataTypes.h:93
VMM_CALLBACK_CALLING_STAGE_POST_EVENT_EMULATION
@ VMM_CALLBACK_CALLING_STAGE_POST_EVENT_EMULATION
Definition DataTypes.h:94
g_TriggerEventForCpuids
BOOLEAN g_TriggerEventForCpuids
Showes whether the cpuid handler is allowed to trigger an event or not.
Definition GlobalVariables.h:138
g_Callbacks
VMM_CALLBACKS g_Callbacks
List of callbacks.
Definition GlobalVariables.h:32
HvHandleCpuid
VOID HvHandleCpuid(VIRTUAL_MACHINE_STATE *VCpu)
Handle Cpuid Vmexits.
Definition Hv.c:67
Context
NTKERNELAPI _In_opt_ PVOID Context
Definition Dpc.h:25
VMM_CALLBACK_TRIGGERING_EVENT_STATUS_TYPE
enum _VMM_CALLBACK_TRIGGERING_EVENT_STATUS_TYPE VMM_CALLBACK_TRIGGERING_EVENT_STATUS_TYPE
The status of triggering events.
VMM_CALLBACK_TRIGGERING_EVENT_STATUS_SUCCESSFUL_IGNORE_EVENT
@ VMM_CALLBACK_TRIGGERING_EVENT_STATUS_SUCCESSFUL_IGNORE_EVENT
Definition Events.h:80
CPUID_INSTRUCTION_EXECUTION
@ CPUID_INSTRUCTION_EXECUTION
Definition Events.h:123
_VIRTUAL_MACHINE_STATE::Regs
GUEST_REGS * Regs
Definition State.h:305
_VMM_CALLBACKS::UdCheckForCommand
UD_CHECK_FOR_COMMAND UdCheckForCommand
Definition VMM.h:217
GUEST_REGS::rax
UINT64 rax
Definition BasicTypes.h:75

◆ DispatchEventEferSyscall()

VOID DispatchEventEferSyscall ( VIRTUAL_MACHINE_STATE * VCpu)

Handling debugger functions related to SYSCALL events.

Parameters
CoreIndexCurrent core's index
RegsGuest's gp register
Returns
VOID
70{
71 BOOLEAN PostEventTriggerReq = FALSE;
72 VMM_CALLBACK_TRIGGERING_EVENT_STATUS_TYPE EventTriggerResult;
73
74 //
75 // We should trigger the event of SYSCALL here, we send the
76 // syscall number in rax
77 //
78 EventTriggerResult = VmmCallbackTriggerEvents(SYSCALL_HOOK_EFER_SYSCALL,
79 VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION,
80 (PVOID)VCpu->Regs->rax,
81 &PostEventTriggerReq,
82 VCpu->Regs);
83
84 //
85 // Check whether we need to short-circuiting event emulation or not
86 //
87 if (EventTriggerResult != VMM_CALLBACK_TRIGGERING_EVENT_STATUS_SUCCESSFUL_IGNORE_EVENT)
88 {
89 SyscallHookEmulateSYSCALL(VCpu);
90 HvSuppressRipIncrement(VCpu);
91 }
92
93 //
94 // Check for the post-event triggering needs
95 //
96 if (PostEventTriggerReq)
97 {
98 VmmCallbackTriggerEvents(SYSCALL_HOOK_EFER_SYSCALL,
99 VMM_CALLBACK_CALLING_STAGE_POST_EVENT_EMULATION,
100 (PVOID)VCpu->Regs->rax,
101 NULL,
102 VCpu->Regs);
103 }
104}
SyscallHookEmulateSYSCALL
_Use_decl_annotations_ BOOLEAN SyscallHookEmulateSYSCALL(VIRTUAL_MACHINE_STATE *VCpu)
This function emulates the SYSCALL execution.
Definition EferHook.c:115
HvSuppressRipIncrement
VOID HvSuppressRipIncrement(VIRTUAL_MACHINE_STATE *VCpu)
Suppress the incrementation of RIP.
Definition Hv.c:324
SYSCALL_HOOK_EFER_SYSCALL
@ SYSCALL_HOOK_EFER_SYSCALL
Definition Events.h:117

◆ DispatchEventEferSysret()

VOID DispatchEventEferSysret ( VIRTUAL_MACHINE_STATE * VCpu,
PVOID Context )

Handling debugger functions related to SYSRET events.

Parameters
CoreIndexCurrent core's index
RegsGuest's gp register
ContextContext of triggering the event
Returns
VOID
26{
27 BOOLEAN PostEventTriggerReq = FALSE;
28 VMM_CALLBACK_TRIGGERING_EVENT_STATUS_TYPE EventTriggerResult;
29
30 //
31 // We should trigger the event of SYSRET here
32 //
33 EventTriggerResult = VmmCallbackTriggerEvents(SYSCALL_HOOK_EFER_SYSRET,
34 VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION,
35 Context,
36 &PostEventTriggerReq,
37 VCpu->Regs);
38
39 //
40 // Check whether we need to short-circuiting event emulation or not
41 //
42 if (EventTriggerResult != VMM_CALLBACK_TRIGGERING_EVENT_STATUS_SUCCESSFUL_IGNORE_EVENT)
43 {
44 SyscallHookEmulateSYSRET(VCpu);
45 HvSuppressRipIncrement(VCpu);
46 }
47
48 //
49 // Check for the post-event triggering needs
50 //
51 if (PostEventTriggerReq)
52 {
53 VmmCallbackTriggerEvents(SYSCALL_HOOK_EFER_SYSRET,
54 VMM_CALLBACK_CALLING_STAGE_POST_EVENT_EMULATION,
55 Context,
56 NULL,
57 VCpu->Regs);
58 }
59}
SyscallHookEmulateSYSRET
_Use_decl_annotations_ BOOLEAN SyscallHookEmulateSYSRET(VIRTUAL_MACHINE_STATE *VCpu)
This function emulates the SYSRET execution.
Definition EferHook.c:182
SYSCALL_HOOK_EFER_SYSRET
@ SYSCALL_HOOK_EFER_SYSRET
Definition Events.h:118

◆ DispatchEventException()

VOID DispatchEventException ( VIRTUAL_MACHINE_STATE * VCpu)

Handling debugger functions related to EXCEPTION events.

Parameters
VCpuThe virtual processor's state
Returns
VOID
756{
757 VMM_CALLBACK_TRIGGERING_EVENT_STATUS_TYPE EventTriggerResult;
758 BOOLEAN PostEventTriggerReq = FALSE;
759 VMEXIT_INTERRUPT_INFORMATION InterruptExit = {0};
760
761 //
762 // read the exit interruption information
763 //
764 VmxVmread32P(VMCS_VMEXIT_INTERRUPTION_INFORMATION, &InterruptExit.AsUInt);
765
766 //
767 // This type of vm-exit, can be either because of an !exception event,
768 // or it might be because we triggered APIC or X2APIC to generate an
769 // NMI, we want to halt the debuggee. We perform the checks here to
770 // avoid triggering an event for NMIs when the debuggee requested it
771 //
772 if (InterruptExit.InterruptionType == INTERRUPT_TYPE_NMI &&
773 InterruptExit.Vector == EXCEPTION_VECTOR_NMI)
774 {
775 //
776 // Check if we're waiting for an NMI on this core and if the guest is NOT in
777 // a instrument step-in ('i' command) routine
778 //
779 if (!VCpu->RegisterBreakOnMtf &&
780 VmxBroadcastNmiHandler(VCpu, FALSE))
781 {
782 return;
783 }
784 }
785
786 //
787 // *** When we reached here it means that this is not a NMI cause by guest,
788 // probably an event ***
789 //
790
791 //
792 // Triggering the pre-event
793 // As the context to event trigger, we send the vector or IDT Index
794 //
795 EventTriggerResult = VmmCallbackTriggerEvents(EXCEPTION_OCCURRED,
796 VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION,
797 (PVOID)InterruptExit.Vector,
798 &PostEventTriggerReq,
799 VCpu->Regs);
800
801 //
802 // Now, we check if the guest enabled MTF for debugging (instrumentation stepping)
803 // This is because based on Intel SDM :
804 // If the "monitor trap flag" VM-execution control is 1 and VM entry is
805 // injecting a vectored event, an MTF VM exit is pending on the instruction
806 // boundary before the first instruction following the VM entry
807 // and,
808 // If VM entry is injecting a pending MTF VM exit, an MTF VM exit is pending on the
809 // instruction boundary before the first instruction following the VM entry
810 // This is the case even if the "monitor trap flag" VM-execution control is 0
811 //
812 // So, we'll ignore the injection of Exception in this case
813 //
814 if (VCpu->RegisterBreakOnMtf)
815 {
816 return;
817 }
818
819 //
820 // Check whether we need to short-circuiting event emulation or not
821 //
822 if (EventTriggerResult != VMM_CALLBACK_TRIGGERING_EVENT_STATUS_SUCCESSFUL_IGNORE_EVENT)
823 {
824 //
825 // Handle exception (emulate or inject the event)
826 //
827 IdtEmulationHandleExceptionAndNmi(VCpu, InterruptExit);
828 }
829
830 //
831 // Check for the post-event triggering needs
832 //
833 if (PostEventTriggerReq)
834 {
835 VmmCallbackTriggerEvents(EXCEPTION_OCCURRED,
836 VMM_CALLBACK_CALLING_STAGE_POST_EVENT_EMULATION,
837 (PVOID)InterruptExit.Vector,
838 NULL,
839 VCpu->Regs);
840 }
841}
IdtEmulationHandleExceptionAndNmi
VOID IdtEmulationHandleExceptionAndNmi(_Inout_ VIRTUAL_MACHINE_STATE *VCpu, _In_ VMEXIT_INTERRUPT_INFORMATION InterruptExit)
Handle NMI and exception vm-exits.
Definition IdtEmulation.c:257
VmxVmread32P
UCHAR VmxVmread32P(size_t Field, UINT32 *FieldValue)
VMX VMREAD instruction (32-bit)
Definition Vmx.c:86
VmxBroadcastNmiHandler
BOOLEAN VmxBroadcastNmiHandler(VIRTUAL_MACHINE_STATE *VCpu, BOOLEAN IsOnVmxNmiHandler)
Handle broadcast NMIs in vmx-root mode.
Definition VmxBroadcast.c:187
INTERRUPT_TYPE_NMI
@ INTERRUPT_TYPE_NMI
Definition Events.h:52
EXCEPTION_OCCURRED
@ EXCEPTION_OCCURRED
Definition Events.h:140
EXCEPTION_VECTOR_NMI
@ EXCEPTION_VECTOR_NMI
Definition Events.h:26
_VIRTUAL_MACHINE_STATE::RegisterBreakOnMtf
BOOLEAN RegisterBreakOnMtf
Definition State.h:298

◆ DispatchEventExternalInterrupts()

VOID DispatchEventExternalInterrupts ( VIRTUAL_MACHINE_STATE * VCpu)

Handling debugger functions related to external-interrupt events.

Parameters
VCpuThe virtual processor's state
Returns
VOID
851{
852 VMEXIT_INTERRUPT_INFORMATION InterruptExit = {0};
853 VMM_CALLBACK_TRIGGERING_EVENT_STATUS_TYPE EventTriggerResult;
854 BOOLEAN PostEventTriggerReq = FALSE;
855
856 //
857 // read the exit interruption information
858 //
859 VmxVmread32P(VMCS_VMEXIT_INTERRUPTION_INFORMATION, &InterruptExit.AsUInt);
860
861 //
862 // Check for immediate vm-exit mechanism
863 //
864 if (VCpu->WaitForImmediateVmexit &&
865 InterruptExit.Vector == IMMEDIATE_VMEXIT_MECHANISM_VECTOR_FOR_SELF_IPI)
866 {
867 //
868 // Disable vm-exit on external interrupts
869 //
870 HvSetExternalInterruptExiting(VCpu, FALSE);
871
872 //
873 // Not increase the RIP
874 //
875 HvSuppressRipIncrement(VCpu);
876
877 //
878 // Handle immediate vm-exit mechanism
879 //
880 VmxMechanismHandleImmediateVmexit(VCpu);
881
882 //
883 // No need to continue, it's a HyperDbg mechanism
884 //
885 return;
886 }
887
888 //
889 // Check process or thread change detections
890 // we cannot ignore injecting the interrupt to the guest if the target interrupt
891 // and process or thread proved to cause a system halt. it halts the system as
892 // we Windows expects to switch the thread while we're forcing it to not do it
893 // Windows fires a clk interrupt on core 0 and fires IPI on other cores
894 // to change a thread
895 //
896 // It seems that clock interrupt is not applied to all cores,
897 // (https://twitter.com/Intel80x86/status/1655461171280105472?s=20)
898 // So, we no longer check for clock interrupts only in core 0
899 //
900 if ((/* VCpu->CoreId == 0 && */ InterruptExit.Vector == CLOCK_INTERRUPT) ||
901 (VCpu->CoreId != 0 && InterruptExit.Vector == IPI_INTERRUPT))
902 {
903 if (g_Callbacks.DebuggerCheckProcessOrThreadChange != NULL)
904 {
905 g_Callbacks.DebuggerCheckProcessOrThreadChange(VCpu->CoreId);
906 }
907 }
908
909 //
910 // Triggering the pre-event
911 //
912 EventTriggerResult = VmmCallbackTriggerEvents(EXTERNAL_INTERRUPT_OCCURRED,
913 VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION,
914 (PVOID)InterruptExit.Vector,
915 &PostEventTriggerReq,
916 VCpu->Regs);
917
918 //
919 // Check whether we need to short-circuiting event emulation or not
920 //
921 if (EventTriggerResult != VMM_CALLBACK_TRIGGERING_EVENT_STATUS_SUCCESSFUL_IGNORE_EVENT)
922 {
923 //
924 // Handle vm-exit and perform changes
925 //
926 IdtEmulationHandleExternalInterrupt(VCpu, InterruptExit);
927 }
928
929 //
930 // Check for the post-event triggering needs
931 //
932 if (PostEventTriggerReq)
933 {
934 //
935 // Trigger the event
936 //
937 // As the context to event trigger, we send the vector index
938 //
939 // Keep in mind that interrupt might be inserted in pending list
940 // because the guest is not in a interruptible state and will
941 // be re-injected when the guest is ready for interrupts
942 //
943 VmmCallbackTriggerEvents(EXTERNAL_INTERRUPT_OCCURRED,
944 VMM_CALLBACK_CALLING_STAGE_POST_EVENT_EMULATION,
945 (PVOID)InterruptExit.Vector,
946 NULL,
947 VCpu->Regs);
948 }
949}
HvSetExternalInterruptExiting
VOID HvSetExternalInterruptExiting(VIRTUAL_MACHINE_STATE *VCpu, BOOLEAN Set)
Set the External Interrupt Exiting.
Definition Hv.c:1055
IdtEmulationHandleExternalInterrupt
VOID IdtEmulationHandleExternalInterrupt(_Inout_ VIRTUAL_MACHINE_STATE *VCpu, _In_ VMEXIT_INTERRUPT_INFORMATION InterruptExit)
external-interrupt vm-exit handler
Definition IdtEmulation.c:415
VmxMechanismHandleImmediateVmexit
VOID VmxMechanismHandleImmediateVmexit(VIRTUAL_MACHINE_STATE *VCpu)
Handle immediate vm-exit after vm-entry.
Definition VmxMechanisms.c:106
IMMEDIATE_VMEXIT_MECHANISM_VECTOR_FOR_SELF_IPI
#define IMMEDIATE_VMEXIT_MECHANISM_VECTOR_FOR_SELF_IPI
Definition VmxMechanisms.h:18
EXTERNAL_INTERRUPT_OCCURRED
@ EXTERNAL_INTERRUPT_OCCURRED
Definition Events.h:141
IPI_INTERRUPT
@ IPI_INTERRUPT
Definition Events.h:63
CLOCK_INTERRUPT
@ CLOCK_INTERRUPT
Definition Events.h:62
_VIRTUAL_MACHINE_STATE::WaitForImmediateVmexit
BOOLEAN WaitForImmediateVmexit
Definition State.h:295
_VIRTUAL_MACHINE_STATE::CoreId
UINT32 CoreId
Definition State.h:306
_VMM_CALLBACKS::DebuggerCheckProcessOrThreadChange
INTERCEPTION_CALLBACK_TRIGGER_CLOCK_AND_IPI DebuggerCheckProcessOrThreadChange
Definition VMM.h:220

◆ DispatchEventHiddenHookExecCc()

VOID DispatchEventHiddenHookExecCc ( VIRTUAL_MACHINE_STATE * VCpu,
PVOID Context )

Handling debugger functions related to hidden hook exec CC events.

Parameters
VCpuThe virtual processor's state
ContextThe context of the caller
Returns
VOID
961{
962 BOOLEAN PostEventTriggerReq = FALSE;
963
964 //
965 // Triggering the pre-event (This command only support the
966 // pre-event, the post-event doesn't make sense in this command)
967 //
968 VmmCallbackTriggerEvents(HIDDEN_HOOK_EXEC_CC,
969 VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION,
970 Context,
971 &PostEventTriggerReq,
972 VCpu->Regs); // it will crash if we pass it NULL
973}
HIDDEN_HOOK_EXEC_CC
@ HIDDEN_HOOK_EXEC_CC
Definition Events.h:112

◆ DispatchEventHiddenHookExecDetours()

VOID DispatchEventHiddenHookExecDetours ( VIRTUAL_MACHINE_STATE * VCpu,
PVOID Context )

Handling debugger functions related to hidden hook exec detours events.

Parameters
VCpuThe virtual processor's state
ContextThe context of the caller
Returns
VOID
985{
986 BOOLEAN PostEventTriggerReq = FALSE;
987
988 //
989 // Triggering the pre-event (This command only support the
990 // pre-event, the post-event doesn't make sense in this command)
991 //
992 VmmCallbackTriggerEvents(HIDDEN_HOOK_EXEC_DETOURS,
993 VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION,
994 Context,
995 &PostEventTriggerReq,
996 VCpu->Regs); // it will crash if we pass it NULL
997}
HIDDEN_HOOK_EXEC_DETOURS
@ HIDDEN_HOOK_EXEC_DETOURS
Definition Events.h:111

◆ DispatchEventHiddenHookPageReadWriteExecExecutePostEvent()

VOID DispatchEventHiddenHookPageReadWriteExecExecutePostEvent ( VIRTUAL_MACHINE_STATE * VCpu,
PVOID Context )

Handling debugger functions related to read & write & execute, execute events (post)

Parameters
VCpuThe virtual processor's state
ContextThe context of the caller
Returns
VOID
1382{
1383 //
1384 // Triggering the post-event (for the execute hooks)
1385 //
1386 VmmCallbackTriggerEvents(HIDDEN_HOOK_EXECUTE,
1387 VMM_CALLBACK_CALLING_STAGE_POST_EVENT_EMULATION,
1388 Context,
1389 NULL,
1390 VCpu->Regs);
1391
1392 //
1393 // Triggering the post-event (for the read & execute hooks)
1394 //
1395 VmmCallbackTriggerEvents(HIDDEN_HOOK_READ_AND_EXECUTE,
1396 VMM_CALLBACK_CALLING_STAGE_POST_EVENT_EMULATION,
1397 Context,
1398 NULL,
1399 VCpu->Regs);
1400
1401 //
1402 // Triggering the post-event (for the write & execute hooks)
1403 //
1404 VmmCallbackTriggerEvents(HIDDEN_HOOK_WRITE_AND_EXECUTE,
1405 VMM_CALLBACK_CALLING_STAGE_POST_EVENT_EMULATION,
1406 Context,
1407 NULL,
1408 VCpu->Regs);
1409
1410 //
1411 // Triggering the post-event (for the read & write & execute hooks)
1412 //
1413 VmmCallbackTriggerEvents(HIDDEN_HOOK_READ_AND_WRITE_AND_EXECUTE,
1414 VMM_CALLBACK_CALLING_STAGE_POST_EVENT_EMULATION,
1415 Context,
1416 NULL,
1417 VCpu->Regs);
1418}
HIDDEN_HOOK_WRITE_AND_EXECUTE
@ HIDDEN_HOOK_WRITE_AND_EXECUTE
Definition Events.h:103
HIDDEN_HOOK_READ_AND_EXECUTE
@ HIDDEN_HOOK_READ_AND_EXECUTE
Definition Events.h:102
HIDDEN_HOOK_READ_AND_WRITE_AND_EXECUTE
@ HIDDEN_HOOK_READ_AND_WRITE_AND_EXECUTE
Definition Events.h:100
HIDDEN_HOOK_EXECUTE
@ HIDDEN_HOOK_EXECUTE
Definition Events.h:106

◆ DispatchEventHiddenHookPageReadWriteExecReadPostEvent()

VOID DispatchEventHiddenHookPageReadWriteExecReadPostEvent ( VIRTUAL_MACHINE_STATE * VCpu,
PVOID Context )

Handling debugger functions related to read & write & execute, read events (post)

Parameters
VCpuThe virtual processor's state
ContextThe context of the caller
Returns
VOID
1290{
1291 //
1292 // Triggering the post-event (for the read hooks)
1293 //
1294 VmmCallbackTriggerEvents(HIDDEN_HOOK_READ,
1295 VMM_CALLBACK_CALLING_STAGE_POST_EVENT_EMULATION,
1296 Context,
1297 NULL,
1298 VCpu->Regs);
1299
1300 //
1301 // Triggering the post-event (for the read & write hooks)
1302 //
1303 VmmCallbackTriggerEvents(HIDDEN_HOOK_READ_AND_WRITE,
1304 VMM_CALLBACK_CALLING_STAGE_POST_EVENT_EMULATION,
1305 Context,
1306 NULL,
1307 VCpu->Regs);
1308
1309 //
1310 // Triggering the post-event (for the read & execute hooks)
1311 //
1312 VmmCallbackTriggerEvents(HIDDEN_HOOK_READ_AND_EXECUTE,
1313 VMM_CALLBACK_CALLING_STAGE_POST_EVENT_EMULATION,
1314 Context,
1315 NULL,
1316 VCpu->Regs);
1317
1318 //
1319 // Triggering the post-event (for the read & write & execute hooks)
1320 //
1321 VmmCallbackTriggerEvents(HIDDEN_HOOK_READ_AND_WRITE_AND_EXECUTE,
1322 VMM_CALLBACK_CALLING_STAGE_POST_EVENT_EMULATION,
1323 Context,
1324 NULL,
1325 VCpu->Regs);
1326}
HIDDEN_HOOK_READ_AND_WRITE
@ HIDDEN_HOOK_READ_AND_WRITE
Definition Events.h:101
HIDDEN_HOOK_READ
@ HIDDEN_HOOK_READ
Definition Events.h:104

◆ DispatchEventHiddenHookPageReadWriteExecuteExecutePreEvent()

BOOLEAN DispatchEventHiddenHookPageReadWriteExecuteExecutePreEvent ( VIRTUAL_MACHINE_STATE * VCpu,
PVOID Context,
BOOLEAN * IsTriggeringPostEventAllowed )

Handling debugger functions related to read & write & execute, execute events (pre)

Parameters
VCpuThe virtual processor's state
ContextThe context of the caller
IsTriggeringPostEventAllowed
Returns
BOOLEAN
1197{
1198 VMM_CALLBACK_TRIGGERING_EVENT_STATUS_TYPE EventTriggerResult;
1199 BOOLEAN PostEventTriggerReq = FALSE;
1200 BOOLEAN ShortCircuitingEvent = FALSE;
1201
1202 //
1203 // Triggering the pre-event (for the execute hooks)
1204 //
1205 EventTriggerResult = VmmCallbackTriggerEvents(HIDDEN_HOOK_EXECUTE,
1206 VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION,
1207 Context,
1208 &PostEventTriggerReq,
1209 VCpu->Regs);
1210
1211 if (EventTriggerResult == VMM_CALLBACK_TRIGGERING_EVENT_STATUS_SUCCESSFUL_IGNORE_EVENT)
1212 {
1213 ShortCircuitingEvent = TRUE;
1214 }
1215
1216 if (PostEventTriggerReq)
1217 {
1218 *IsTriggeringPostEventAllowed = TRUE;
1219 }
1220
1221 //
1222 // Triggering the pre-event (for the read & execute hooks)
1223 //
1224 EventTriggerResult = VmmCallbackTriggerEvents(HIDDEN_HOOK_READ_AND_EXECUTE,
1225 VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION,
1226 Context,
1227 &PostEventTriggerReq,
1228 VCpu->Regs);
1229
1230 if (EventTriggerResult == VMM_CALLBACK_TRIGGERING_EVENT_STATUS_SUCCESSFUL_IGNORE_EVENT)
1231 {
1232 ShortCircuitingEvent = TRUE;
1233 }
1234
1235 if (PostEventTriggerReq)
1236 {
1237 *IsTriggeringPostEventAllowed = TRUE;
1238 }
1239
1240 //
1241 // Triggering the pre-event (for the write & execute hooks)
1242 //
1243 EventTriggerResult = VmmCallbackTriggerEvents(HIDDEN_HOOK_WRITE_AND_EXECUTE,
1244 VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION,
1245 Context,
1246 &PostEventTriggerReq,
1247 VCpu->Regs);
1248
1249 if (EventTriggerResult == VMM_CALLBACK_TRIGGERING_EVENT_STATUS_SUCCESSFUL_IGNORE_EVENT)
1250 {
1251 ShortCircuitingEvent = TRUE;
1252 }
1253
1254 if (PostEventTriggerReq)
1255 {
1256 *IsTriggeringPostEventAllowed = TRUE;
1257 }
1258
1259 //
1260 // Triggering the pre-event (for the read & write & execute hooks)
1261 //
1262 EventTriggerResult = VmmCallbackTriggerEvents(HIDDEN_HOOK_READ_AND_WRITE_AND_EXECUTE,
1263 VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION,
1264 Context,
1265 &PostEventTriggerReq,
1266 VCpu->Regs);
1267
1268 if (EventTriggerResult == VMM_CALLBACK_TRIGGERING_EVENT_STATUS_SUCCESSFUL_IGNORE_EVENT)
1269 {
1270 ShortCircuitingEvent = TRUE;
1271 }
1272
1273 if (PostEventTriggerReq)
1274 {
1275 *IsTriggeringPostEventAllowed = TRUE;
1276 }
1277
1278 return ShortCircuitingEvent;
1279}
TRUE
#define TRUE
Definition BasicTypes.h:55

◆ DispatchEventHiddenHookPageReadWriteExecuteReadPreEvent()

BOOLEAN DispatchEventHiddenHookPageReadWriteExecuteReadPreEvent ( VIRTUAL_MACHINE_STATE * VCpu,
PVOID Context,
BOOLEAN * IsTriggeringPostEventAllowed )

Handling debugger functions related to read & write & execute, read events (pre)

Parameters
VCpuThe virtual processor's state
ContextThe context of the caller
IsTriggeringPostEventAllowed
Returns
BOOLEAN
1009{
1010 VMM_CALLBACK_TRIGGERING_EVENT_STATUS_TYPE EventTriggerResult;
1011 BOOLEAN PostEventTriggerReq = FALSE;
1012 BOOLEAN ShortCircuitingEvent = FALSE;
1013
1014 //
1015 // Triggering the pre-event (for the read hooks)
1016 //
1017 EventTriggerResult = VmmCallbackTriggerEvents(HIDDEN_HOOK_READ,
1018 VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION,
1019 Context,
1020 &PostEventTriggerReq,
1021 VCpu->Regs);
1022
1023 if (EventTriggerResult == VMM_CALLBACK_TRIGGERING_EVENT_STATUS_SUCCESSFUL_IGNORE_EVENT)
1024 {
1025 ShortCircuitingEvent = TRUE;
1026 }
1027
1028 if (PostEventTriggerReq)
1029 {
1030 *IsTriggeringPostEventAllowed = TRUE;
1031 }
1032
1033 //
1034 // Triggering the pre-event (for the read & write hooks)
1035 //
1036 EventTriggerResult = VmmCallbackTriggerEvents(HIDDEN_HOOK_READ_AND_WRITE,
1037 VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION,
1038 Context,
1039 &PostEventTriggerReq,
1040 VCpu->Regs);
1041
1042 if (EventTriggerResult == VMM_CALLBACK_TRIGGERING_EVENT_STATUS_SUCCESSFUL_IGNORE_EVENT)
1043 {
1044 ShortCircuitingEvent = TRUE;
1045 }
1046
1047 if (PostEventTriggerReq)
1048 {
1049 *IsTriggeringPostEventAllowed = TRUE;
1050 }
1051
1052 //
1053 // Triggering the pre-event (for the read & execute hooks)
1054 //
1055 EventTriggerResult = VmmCallbackTriggerEvents(HIDDEN_HOOK_READ_AND_EXECUTE,
1056 VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION,
1057 Context,
1058 &PostEventTriggerReq,
1059 VCpu->Regs);
1060
1061 if (EventTriggerResult == VMM_CALLBACK_TRIGGERING_EVENT_STATUS_SUCCESSFUL_IGNORE_EVENT)
1062 {
1063 ShortCircuitingEvent = TRUE;
1064 }
1065
1066 if (PostEventTriggerReq)
1067 {
1068 *IsTriggeringPostEventAllowed = TRUE;
1069 }
1070
1071 //
1072 // Triggering the pre-event (for the read & write & execute hooks)
1073 //
1074 EventTriggerResult = VmmCallbackTriggerEvents(HIDDEN_HOOK_READ_AND_WRITE_AND_EXECUTE,
1075 VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION,
1076 Context,
1077 &PostEventTriggerReq,
1078 VCpu->Regs);
1079
1080 if (EventTriggerResult == VMM_CALLBACK_TRIGGERING_EVENT_STATUS_SUCCESSFUL_IGNORE_EVENT)
1081 {
1082 ShortCircuitingEvent = TRUE;
1083 }
1084
1085 if (PostEventTriggerReq)
1086 {
1087 *IsTriggeringPostEventAllowed = TRUE;
1088 }
1089
1090 return ShortCircuitingEvent;
1091}

◆ DispatchEventHiddenHookPageReadWriteExecuteWritePreEvent()

BOOLEAN DispatchEventHiddenHookPageReadWriteExecuteWritePreEvent ( VIRTUAL_MACHINE_STATE * VCpu,
PVOID Context,
BOOLEAN * IsTriggeringPostEventAllowed )

Handling debugger functions related to read & write & execute, write events (pre)

Parameters
VCpuThe virtual processor's state
ContextThe context of the caller
IsTriggeringPostEventAllowedIs the caller required to trigger post event
Returns
BOOLEAN
1103{
1104 VMM_CALLBACK_TRIGGERING_EVENT_STATUS_TYPE EventTriggerResult;
1105 BOOLEAN PostEventTriggerReq = FALSE;
1106 BOOLEAN ShortCircuitingEvent = FALSE;
1107
1108 //
1109 // Triggering the pre-event (for the write hooks)
1110 //
1111 EventTriggerResult = VmmCallbackTriggerEvents(HIDDEN_HOOK_WRITE,
1112 VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION,
1113 Context,
1114 &PostEventTriggerReq,
1115 VCpu->Regs);
1116
1117 if (EventTriggerResult == VMM_CALLBACK_TRIGGERING_EVENT_STATUS_SUCCESSFUL_IGNORE_EVENT)
1118 {
1119 ShortCircuitingEvent = TRUE;
1120 }
1121
1122 if (PostEventTriggerReq)
1123 {
1124 *IsTriggeringPostEventAllowed = TRUE;
1125 }
1126
1127 //
1128 // Triggering the pre-event (for the read & write hooks)
1129 //
1130 EventTriggerResult = VmmCallbackTriggerEvents(HIDDEN_HOOK_READ_AND_WRITE,
1131 VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION,
1132 Context,
1133 &PostEventTriggerReq,
1134 VCpu->Regs);
1135
1136 if (EventTriggerResult == VMM_CALLBACK_TRIGGERING_EVENT_STATUS_SUCCESSFUL_IGNORE_EVENT)
1137 {
1138 ShortCircuitingEvent = TRUE;
1139 }
1140
1141 if (PostEventTriggerReq)
1142 {
1143 *IsTriggeringPostEventAllowed = TRUE;
1144 }
1145
1146 //
1147 // Triggering the pre-event (for the write & execute hooks)
1148 //
1149 EventTriggerResult = VmmCallbackTriggerEvents(HIDDEN_HOOK_WRITE_AND_EXECUTE,
1150 VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION,
1151 Context,
1152 &PostEventTriggerReq,
1153 VCpu->Regs);
1154
1155 if (EventTriggerResult == VMM_CALLBACK_TRIGGERING_EVENT_STATUS_SUCCESSFUL_IGNORE_EVENT)
1156 {
1157 ShortCircuitingEvent = TRUE;
1158 }
1159
1160 if (PostEventTriggerReq)
1161 {
1162 *IsTriggeringPostEventAllowed = TRUE;
1163 }
1164
1165 //
1166 // Triggering the pre-event (for the read & write & execute hooks)
1167 //
1168 EventTriggerResult = VmmCallbackTriggerEvents(HIDDEN_HOOK_READ_AND_WRITE_AND_EXECUTE,
1169 VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION,
1170 Context,
1171 &PostEventTriggerReq,
1172 VCpu->Regs);
1173
1174 if (EventTriggerResult == VMM_CALLBACK_TRIGGERING_EVENT_STATUS_SUCCESSFUL_IGNORE_EVENT)
1175 {
1176 ShortCircuitingEvent = TRUE;
1177 }
1178
1179 if (PostEventTriggerReq)
1180 {
1181 *IsTriggeringPostEventAllowed = TRUE;
1182 }
1183
1184 return ShortCircuitingEvent;
1185}
HIDDEN_HOOK_WRITE
@ HIDDEN_HOOK_WRITE
Definition Events.h:105

◆ DispatchEventHiddenHookPageReadWriteExecWritePostEvent()

VOID DispatchEventHiddenHookPageReadWriteExecWritePostEvent ( VIRTUAL_MACHINE_STATE * VCpu,
PVOID Context )

Handling debugger functions related to read & write & execute, write events (post)

Parameters
VCpuThe virtual processor's state
ContextThe context of the caller
Returns
VOID
1337{
1338 //
1339 // Triggering the post-event (for the write hooks)
1340 //
1341 VmmCallbackTriggerEvents(HIDDEN_HOOK_WRITE,
1342 VMM_CALLBACK_CALLING_STAGE_POST_EVENT_EMULATION,
1343 Context,
1344 NULL,
1345 VCpu->Regs);
1346
1347 //
1348 // Triggering the post-event (for the read & write hooks)
1349 //
1350 VmmCallbackTriggerEvents(HIDDEN_HOOK_READ_AND_WRITE,
1351 VMM_CALLBACK_CALLING_STAGE_POST_EVENT_EMULATION,
1352 Context,
1353 NULL,
1354 VCpu->Regs);
1355 //
1356 // Triggering the post-event (for the write & execute hooks)
1357 //
1358 VmmCallbackTriggerEvents(HIDDEN_HOOK_WRITE_AND_EXECUTE,
1359 VMM_CALLBACK_CALLING_STAGE_POST_EVENT_EMULATION,
1360 Context,
1361 NULL,
1362 VCpu->Regs);
1363 //
1364 // Triggering the post-event (for the read & write & execute hooks)
1365 //
1366 VmmCallbackTriggerEvents(HIDDEN_HOOK_READ_AND_WRITE_AND_EXECUTE,
1367 VMM_CALLBACK_CALLING_STAGE_POST_EVENT_EMULATION,
1368 Context,
1369 NULL,
1370 VCpu->Regs);
1371}

◆ DispatchEventInstrumentationTrace()

VOID DispatchEventInstrumentationTrace ( VIRTUAL_MACHINE_STATE * VCpu)

◆ DispatchEventIO()

VOID DispatchEventIO ( VIRTUAL_MACHINE_STATE * VCpu)

Handling debugger functions related to IO events.

Parameters
VCpuThe virtual processor's state
Returns
VOID
426{
427 VMM_CALLBACK_TRIGGERING_EVENT_STATUS_TYPE EventTriggerResult = VMM_CALLBACK_TRIGGERING_EVENT_STATUS_SUCCESSFUL_NO_INITIALIZED;
428 VMX_EXIT_QUALIFICATION_IO_INSTRUCTION IoQualification = {.AsUInt = VCpu->ExitQualification};
429 RFLAGS Flags = {0};
430 BOOLEAN PostEventTriggerReq = FALSE;
431
432 //
433 // Read Guest's RFLAGS
434 //
435 VmxVmread64P(VMCS_GUEST_RFLAGS, (UINT64 *)&Flags);
436
437 //
438 // As the context to event trigger, port address
439 //
440 if (IoQualification.DirectionOfAccess == AccessIn)
441 {
442 EventTriggerResult = VmmCallbackTriggerEvents(IN_INSTRUCTION_EXECUTION,
443 VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION,
444 (PVOID)IoQualification.PortNumber,
445 &PostEventTriggerReq,
446 VCpu->Regs);
447 }
448 else if (IoQualification.DirectionOfAccess == AccessOut)
449 {
450 EventTriggerResult = VmmCallbackTriggerEvents(OUT_INSTRUCTION_EXECUTION,
451 VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION,
452 (PVOID)IoQualification.PortNumber,
453 &PostEventTriggerReq,
454 VCpu->Regs);
455 }
456
457 //
458 // Check whether we need to short-circuiting event emulation or not
459 //
460 if (EventTriggerResult != VMM_CALLBACK_TRIGGERING_EVENT_STATUS_SUCCESSFUL_IGNORE_EVENT)
461 {
462 //
463 // Call the I/O Handler
464 //
465 IoHandleIoVmExits(VCpu, IoQualification, Flags);
466 }
467
468 //
469 // Check for the post-event triggering needs
470 //
471 if (PostEventTriggerReq)
472 {
473 if (IoQualification.DirectionOfAccess == AccessIn)
474 {
475 VmmCallbackTriggerEvents(IN_INSTRUCTION_EXECUTION,
476 VMM_CALLBACK_CALLING_STAGE_POST_EVENT_EMULATION,
477 (PVOID)IoQualification.PortNumber,
478 NULL,
479 VCpu->Regs);
480 }
481 else if (IoQualification.DirectionOfAccess == AccessOut)
482 {
483 VmmCallbackTriggerEvents(OUT_INSTRUCTION_EXECUTION,
484 VMM_CALLBACK_CALLING_STAGE_POST_EVENT_EMULATION,
485 (PVOID)IoQualification.PortNumber,
486 NULL,
487 VCpu->Regs);
488 }
489 }
490}
IoHandleIoVmExits
VOID IoHandleIoVmExits(VIRTUAL_MACHINE_STATE *VCpu, VMX_EXIT_QUALIFICATION_IO_INSTRUCTION IoQualification, RFLAGS Flags)
VM-Exit handler for I/O Instructions (in/out)
Definition IoHandler.c:24
AccessOut
@ AccessOut
Definition IoHandler.h:24
AccessIn
@ AccessIn
Definition IoHandler.h:25
VmxVmread64P
UCHAR VmxVmread64P(size_t Field, UINT64 *FieldValue)
VMX VMREAD instruction (64-bit)
Definition Vmx.c:72
VMM_CALLBACK_TRIGGERING_EVENT_STATUS_SUCCESSFUL_NO_INITIALIZED
@ VMM_CALLBACK_TRIGGERING_EVENT_STATUS_SUCCESSFUL_NO_INITIALIZED
Definition Events.h:78
OUT_INSTRUCTION_EXECUTION
@ OUT_INSTRUCTION_EXECUTION
Definition Events.h:135
IN_INSTRUCTION_EXECUTION
@ IN_INSTRUCTION_EXECUTION
Definition Events.h:134
_VIRTUAL_MACHINE_STATE::ExitQualification
UINT32 ExitQualification
Definition State.h:308

◆ DispatchEventMode()

VOID DispatchEventMode ( VIRTUAL_MACHINE_STATE * VCpu,
DEBUGGER_EVENT_MODE_TYPE TargetMode,
BOOLEAN HandleState )

Handling debugger functions related to user-mode/kernel-mode execution trap events.

Parameters
VCpuThe virtual processor's state
IsUserModeWhether the execution event caused by a switch from kernel-to-user or otherwise user-to-kernel
HandleStatewhether the state should be handled by dispatcher or not
Returns
VOID
313{
314 VMM_CALLBACK_TRIGGERING_EVENT_STATUS_TYPE EventTriggerResult;
315 BOOLEAN PostEventTriggerReq = FALSE;
316
317 //
318 // As the context to event trigger, we send NULL
319 //
320 if (g_ExecTrapInitialized)
321 {
322 //
323 // Triggering the pre-event
324 //
325 EventTriggerResult = VmmCallbackTriggerEvents(TRAP_EXECUTION_MODE_CHANGED,
326 VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION,
327 (PVOID)TargetMode,
328 &PostEventTriggerReq,
329 VCpu->Regs);
330
331 //
332 // Check whether we need to short-circuiting event emulation or not
333 //
334 if (EventTriggerResult != VMM_CALLBACK_TRIGGERING_EVENT_STATUS_SUCCESSFUL_IGNORE_EVENT && HandleState)
335 {
336 //
337 // Handle the user-mode/kernel-mode execution trap event in the case of triggering event
338 //
339 ExecTrapHandleMoveToAdjustedTrapState(VCpu, (UINT64)TargetMode);
340 }
341
342 //
343 // *** Post-event doesn't make sense for this kind of event! ***
344 //
345 }
346 else
347 {
348 //
349 // Otherwise and if there is no event, we should handle the
350 // user-mode/kernel-mode execution trap normally
351 //
352 if (HandleState)
353 {
354 ExecTrapHandleMoveToAdjustedTrapState(VCpu, (UINT64)TargetMode);
355 }
356 }
357}
ExecTrapHandleMoveToAdjustedTrapState
VOID ExecTrapHandleMoveToAdjustedTrapState(VIRTUAL_MACHINE_STATE *VCpu, DEBUGGER_EVENT_MODE_TYPE TargetMode)
Restore the execution of the trap to adjusted trap state.
Definition ExecTrap.c:753
g_ExecTrapInitialized
BOOLEAN g_ExecTrapInitialized
Showes whether the execution trap handler is allowed to trigger an event or not.
Definition GlobalVariables.h:149
TRAP_EXECUTION_MODE_CHANGED
@ TRAP_EXECUTION_MODE_CHANGED
Definition Events.h:169

◆ DispatchEventMov2DebugRegs()

VOID DispatchEventMov2DebugRegs ( VIRTUAL_MACHINE_STATE * VCpu)

Handling debugger functions related to MOV 2 DR events.

Parameters
VCpuThe virtual processor's state
Returns
VOID
635{
636 VMM_CALLBACK_TRIGGERING_EVENT_STATUS_TYPE EventTriggerResult;
637 BOOLEAN PostEventTriggerReq = FALSE;
638
639 //
640 // Handle access to debug registers, if we should not ignore it, it is
641 // because on detecting thread scheduling we ignore the hardware debug
642 // registers modifications
643 //
644 if (g_Callbacks.KdQueryDebuggerQueryThreadOrProcessTracingDetailsByCoreId != NULL &&
645 g_Callbacks.KdQueryDebuggerQueryThreadOrProcessTracingDetailsByCoreId(VCpu->CoreId,
646 DEBUGGER_THREAD_PROCESS_TRACING_INTERCEPT_CLOCK_DEBUG_REGISTER_INTERCEPTION))
647 {
648 return;
649 }
650
651 //
652 // Triggering the pre-event
653 //
654 EventTriggerResult = VmmCallbackTriggerEvents(DEBUG_REGISTERS_ACCESSED,
655 VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION,
656 NULL,
657 &PostEventTriggerReq,
658 VCpu->Regs);
659
660 //
661 // Check whether we need to short-circuiting event emulation or not
662 //
663 if (EventTriggerResult != VMM_CALLBACK_TRIGGERING_EVENT_STATUS_SUCCESSFUL_IGNORE_EVENT)
664 {
665 //
666 // Handle RDPMC (emulate MOV 2 Debug Registers)
667 //
668 HvHandleMovDebugRegister(VCpu);
669 }
670
671 //
672 // Check for the post-event triggering needs
673 //
674 if (PostEventTriggerReq)
675 {
676 VmmCallbackTriggerEvents(DEBUG_REGISTERS_ACCESSED,
677 VMM_CALLBACK_CALLING_STAGE_POST_EVENT_EMULATION,
678 NULL,
679 NULL,
680 VCpu->Regs);
681 }
682}
DEBUGGER_THREAD_PROCESS_TRACING_INTERCEPT_CLOCK_DEBUG_REGISTER_INTERCEPTION
@ DEBUGGER_THREAD_PROCESS_TRACING_INTERCEPT_CLOCK_DEBUG_REGISTER_INTERCEPTION
Definition DataTypes.h:108
HvHandleMovDebugRegister
VOID HvHandleMovDebugRegister(VIRTUAL_MACHINE_STATE *VCpu)
Handle Mov to Debug Registers Exitings.
Definition Hv.c:748
DEBUG_REGISTERS_ACCESSED
@ DEBUG_REGISTERS_ACCESSED
Definition Events.h:146
_VMM_CALLBACKS::KdQueryDebuggerQueryThreadOrProcessTracingDetailsByCoreId
KD_QUERY_DEBUGGER_THREAD_OR_PROCESS_TRACING_DETAILS_BY_CORE_ID KdQueryDebuggerQueryThreadOrProcessTracingDetailsByCoreId
Definition VMM.h:222

◆ DispatchEventMovToCr3()

VOID DispatchEventMovToCr3 ( VIRTUAL_MACHINE_STATE * VCpu)

Handling debugger functions related to mov 2 cr3 events.

Parameters
VCpuThe virtual processor's state
Returns
VOID
367{
368 VMM_CALLBACK_TRIGGERING_EVENT_STATUS_TYPE EventTriggerResult;
369 BOOLEAN PostEventTriggerReq = FALSE;
370
371 //
372 // As the context to event trigger, we send NULL
373 //
374 if (g_ExecTrapInitialized)
375 {
376 //
377 // Triggering the pre-event
378 //
379 EventTriggerResult = VmmCallbackTriggerEvents(CONTROL_REGISTER_3_MODIFIED,
380 VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION,
381 NULL,
382 &PostEventTriggerReq,
383 VCpu->Regs);
384
385 //
386 // Check whether we need to short-circuiting event emulation or not
387 //
388 if (EventTriggerResult != VMM_CALLBACK_TRIGGERING_EVENT_STATUS_SUCCESSFUL_IGNORE_EVENT)
389 {
390 //
391 // Handle the mov 2 cr3 event in the case of triggering event
392 //
393 // ExecTrapHandleRestoringToNormalState(VCpu);
394 }
395
396 //
397 // Check for the post-event triggering needs
398 //
399 if (PostEventTriggerReq)
400 {
401 VmmCallbackTriggerEvents(CONTROL_REGISTER_3_MODIFIED,
402 VMM_CALLBACK_CALLING_STAGE_POST_EVENT_EMULATION,
403 NULL,
404 NULL,
405 VCpu->Regs);
406 }
407 }
408 else
409 {
410 //
411 // Otherwise and if there is no event, we should handle the
412 // mov 2 cr3 normally
413 //
414 // ExecTrapHandleRestoringToNormalState(VCpu);
415 }
416}
CONTROL_REGISTER_3_MODIFIED
@ CONTROL_REGISTER_3_MODIFIED
Definition Events.h:164

◆ DispatchEventMovToFromControlRegisters()

VOID DispatchEventMovToFromControlRegisters ( VIRTUAL_MACHINE_STATE * VCpu)

Handling debugger functions related to mov to/from CR events.

Parameters
VCpuThe virtual processor's state
Returns
VOID
692{
693 BOOLEAN ModifyReg;
694 VMX_EXIT_QUALIFICATION_MOV_CR * CrExitQualification;
695 VMM_CALLBACK_TRIGGERING_EVENT_STATUS_TYPE EventTriggerResult;
696 BOOLEAN PostEventTriggerReq = FALSE;
697 UINT32 ExitQualification = 0;
698
699 //
700 // Read the exit qualification
701 //
702 VmxVmread32P(VMCS_EXIT_QUALIFICATION, &ExitQualification);
703
704 CrExitQualification = (VMX_EXIT_QUALIFICATION_MOV_CR *)&ExitQualification;
705
706 if (CrExitQualification->AccessType == VMX_EXIT_QUALIFICATION_ACCESS_MOV_TO_CR)
707 {
708 ModifyReg = TRUE;
709 }
710 else
711 {
712 ModifyReg = FALSE;
713 }
714
715 //
716 // Triggering the pre-event
717 //
718 EventTriggerResult = VmmCallbackTriggerEvents(ModifyReg ? CONTROL_REGISTER_MODIFIED : CONTROL_REGISTER_READ,
719 VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION,
720 (PVOID)CrExitQualification->ControlRegister,
721 &PostEventTriggerReq,
722 VCpu->Regs);
723
724 //
725 // Check whether we need to short-circuiting event emulation or not
726 //
727 if (EventTriggerResult != VMM_CALLBACK_TRIGGERING_EVENT_STATUS_SUCCESSFUL_IGNORE_EVENT)
728 {
729 //
730 // Handle mov to/from control registers (emulate CR access)
731 //
732 HvHandleControlRegisterAccess(VCpu, CrExitQualification);
733 }
734
735 //
736 // Check for the post-event triggering needs
737 //
738 if (PostEventTriggerReq)
739 {
740 VmmCallbackTriggerEvents(ModifyReg ? CONTROL_REGISTER_MODIFIED : CONTROL_REGISTER_READ,
741 VMM_CALLBACK_CALLING_STAGE_POST_EVENT_EMULATION,
742 (PVOID)CrExitQualification->ControlRegister,
743 NULL,
744 VCpu->Regs);
745 }
746}
UINT32
unsigned int UINT32
Definition BasicTypes.h:48
HvHandleControlRegisterAccess
VOID HvHandleControlRegisterAccess(VIRTUAL_MACHINE_STATE *VCpu, VMX_EXIT_QUALIFICATION_MOV_CR *CrExitQualification)
Handles Guest Access to control registers.
Definition Hv.c:136
CONTROL_REGISTER_READ
@ CONTROL_REGISTER_READ
Definition Events.h:163
CONTROL_REGISTER_MODIFIED
@ CONTROL_REGISTER_MODIFIED
Definition Events.h:162
test-case-generator.NULL
NULL()
Definition test-case-generator.py:530

◆ DispatchEventRdmsr()

VOID DispatchEventRdmsr ( VIRTUAL_MACHINE_STATE * VCpu)

Handling debugger functions related to RDMSR events.

Parameters
VCpuThe virtual processor's state
Returns
VOID
500{
501 VMM_CALLBACK_TRIGGERING_EVENT_STATUS_TYPE EventTriggerResult;
502 BOOLEAN PostEventTriggerReq = FALSE;
503
504 //
505 // Triggering the pre-event
506 //
507 EventTriggerResult = VmmCallbackTriggerEvents(RDMSR_INSTRUCTION_EXECUTION,
508 VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION,
509 (PVOID)(VCpu->Regs->rcx & 0xffffffff),
510 &PostEventTriggerReq,
511 VCpu->Regs);
512
513 //
514 // Check whether we need to short-circuiting event emulation or not
515 //
516 if (EventTriggerResult != VMM_CALLBACK_TRIGGERING_EVENT_STATUS_SUCCESSFUL_IGNORE_EVENT)
517 {
518 //
519 // Handle vm-exit and perform changes
520 //
521 MsrHandleRdmsrVmexit(VCpu->Regs);
522 }
523
524 //
525 // Check for the post-event triggering needs
526 //
527 if (PostEventTriggerReq)
528 {
529 VmmCallbackTriggerEvents(RDMSR_INSTRUCTION_EXECUTION,
530 VMM_CALLBACK_CALLING_STAGE_POST_EVENT_EMULATION,
531 (PVOID)(VCpu->Regs->rcx & 0xffffffff),
532 NULL,
533 VCpu->Regs);
534 }
535}
MsrHandleRdmsrVmexit
VOID MsrHandleRdmsrVmexit(PGUEST_REGS GuestRegs)
Handles in the cases when RDMSR causes a vm-exit.
Definition MsrHandlers.c:21
RDMSR_INSTRUCTION_EXECUTION
@ RDMSR_INSTRUCTION_EXECUTION
Definition Events.h:128
GUEST_REGS::rcx
UINT64 rcx
Definition BasicTypes.h:76

◆ DispatchEventRdpmc()

VOID DispatchEventRdpmc ( VIRTUAL_MACHINE_STATE * VCpu)

Handling debugger functions related to RDPMC events.

Parameters
VCpuThe virtual processor's state
Returns
VOID
590{
591 VMM_CALLBACK_TRIGGERING_EVENT_STATUS_TYPE EventTriggerResult;
592 BOOLEAN PostEventTriggerReq = FALSE;
593
594 //
595 // Triggering the pre-event
596 //
597 EventTriggerResult = VmmCallbackTriggerEvents(PMC_INSTRUCTION_EXECUTION,
598 VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION,
599 NULL,
600 &PostEventTriggerReq,
601 VCpu->Regs);
602
603 //
604 // Check whether we need to short-circuiting event emulation or not
605 //
606 if (EventTriggerResult != VMM_CALLBACK_TRIGGERING_EVENT_STATUS_SUCCESSFUL_IGNORE_EVENT)
607 {
608 //
609 // Handle RDPMC (emulate RDPMC)
610 //
611 CounterEmulateRdpmc(VCpu);
612 }
613
614 //
615 // Check for the post-event triggering needs
616 //
617 if (PostEventTriggerReq)
618 {
619 VmmCallbackTriggerEvents(PMC_INSTRUCTION_EXECUTION,
620 VMM_CALLBACK_CALLING_STAGE_POST_EVENT_EMULATION,
621 NULL,
622 NULL,
623 VCpu->Regs);
624 }
625}
CounterEmulateRdpmc
VOID CounterEmulateRdpmc(VIRTUAL_MACHINE_STATE *VCpu)
Emulate RDPMC.
Definition Counters.c:62
PMC_INSTRUCTION_EXECUTION
@ PMC_INSTRUCTION_EXECUTION
Definition Events.h:152

◆ DispatchEventTsc()

VOID DispatchEventTsc ( VIRTUAL_MACHINE_STATE * VCpu,
BOOLEAN IsRdtscp )

Handling debugger functions related to RDTSC/RDTSCP events.

Parameters
VCpuThe virtual processor's state
IsRdtscpIs a RDTSCP or RDTSC
Returns
VOID
195{
196 VMM_CALLBACK_TRIGGERING_EVENT_STATUS_TYPE EventTriggerResult;
197 BOOLEAN PostEventTriggerReq = FALSE;
198
199 //
200 // As the context to event trigger, we send the false which means
201 // it's an rdtsc (for rdtscp we set Context to true)
202 // Note : Using !tsc command in transparent-mode is not allowed
203 //
204 EventTriggerResult = VmmCallbackTriggerEvents(TSC_INSTRUCTION_EXECUTION,
205 VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION,
206 (PVOID)IsRdtscp,
207 &PostEventTriggerReq,
208 VCpu->Regs);
209
210 //
211 // Check whether we need to short-circuiting event emulation or not
212 //
213 if (EventTriggerResult != VMM_CALLBACK_TRIGGERING_EVENT_STATUS_SUCCESSFUL_IGNORE_EVENT)
214 {
215 //
216 // Handle rdtsc (emulate rdtsc/p)
217 //
218 if (IsRdtscp)
219 {
220 CounterEmulateRdtscp(VCpu);
221 }
222 else
223 {
224 CounterEmulateRdtsc(VCpu);
225 }
226 }
227
228 //
229 // Check for the post-event triggering needs
230 //
231 if (PostEventTriggerReq)
232 {
233 VmmCallbackTriggerEvents(TSC_INSTRUCTION_EXECUTION,
234 VMM_CALLBACK_CALLING_STAGE_POST_EVENT_EMULATION,
235 (PVOID)IsRdtscp,
236 NULL,
237 VCpu->Regs);
238 }
239}
CounterEmulateRdtscp
VOID CounterEmulateRdtscp(VIRTUAL_MACHINE_STATE *VCpu)
Emulate RDTSCP.
Definition Counters.c:43
CounterEmulateRdtsc
VOID CounterEmulateRdtsc(VIRTUAL_MACHINE_STATE *VCpu)
Emulate RDTSC.
Definition Counters.c:21
TSC_INSTRUCTION_EXECUTION
@ TSC_INSTRUCTION_EXECUTION
Definition Events.h:151

◆ DispatchEventVmcall()

VOID DispatchEventVmcall ( VIRTUAL_MACHINE_STATE * VCpu)

Handling debugger functions related to VMCALL events.

Parameters
VCpuThe virtual processor's state
Returns
VOID
249{
250 VMM_CALLBACK_TRIGGERING_EVENT_STATUS_TYPE EventTriggerResult;
251 BOOLEAN PostEventTriggerReq = FALSE;
252
253 //
254 // As the context to event trigger, we send NULL
255 // Registers are the best source to know the purpose
256 //
257 if (g_TriggerEventForVmcalls)
258 {
259 //
260 // Triggering the pre-event
261 //
262 EventTriggerResult = VmmCallbackTriggerEvents(VMCALL_INSTRUCTION_EXECUTION,
263 VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION,
264 NULL,
265 &PostEventTriggerReq,
266 VCpu->Regs);
267
268 //
269 // Check whether we need to short-circuiting event emulation or not
270 //
271 if (EventTriggerResult != VMM_CALLBACK_TRIGGERING_EVENT_STATUS_SUCCESSFUL_IGNORE_EVENT)
272 {
273 //
274 // Handle the VMCALL event in the case of triggering event
275 //
276 VmxHandleVmcallVmExit(VCpu);
277 }
278
279 //
280 // Check for the post-event triggering needs
281 //
282 if (PostEventTriggerReq)
283 {
284 VmmCallbackTriggerEvents(CPUID_INSTRUCTION_EXECUTION,
285 VMM_CALLBACK_CALLING_STAGE_POST_EVENT_EMULATION,
286 NULL,
287 NULL,
288 VCpu->Regs);
289 }
290 }
291 else
292 {
293 //
294 // Otherwise and if there is no event, we should handle the VMCALL
295 // normally
296 //
297 VmxHandleVmcallVmExit(VCpu);
298 }
299}
g_TriggerEventForVmcalls
BOOLEAN g_TriggerEventForVmcalls
Showes whether the vmcall handler is allowed to trigger an event or not.
Definition GlobalVariables.h:131
VmxHandleVmcallVmExit
_Use_decl_annotations_ NTSTATUS VmxHandleVmcallVmExit(VIRTUAL_MACHINE_STATE *VCpu)
Handle vm-exits of VMCALLs.
Definition Vmcall.c:74
VMCALL_INSTRUCTION_EXECUTION
@ VMCALL_INSTRUCTION_EXECUTION
Definition Events.h:157

◆ DispatchEventWrmsr()

VOID DispatchEventWrmsr ( VIRTUAL_MACHINE_STATE * VCpu)

Handling debugger functions related to WRMSR events.

Parameters
VCpuThe virtual processor's state
Returns
VOID
545{
546 VMM_CALLBACK_TRIGGERING_EVENT_STATUS_TYPE EventTriggerResult;
547 BOOLEAN PostEventTriggerReq = FALSE;
548
549 //
550 // Triggering the pre-event
551 //
552 EventTriggerResult = VmmCallbackTriggerEvents(WRMSR_INSTRUCTION_EXECUTION,
553 VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION,
554 (PVOID)(VCpu->Regs->rcx & 0xffffffff),
555 &PostEventTriggerReq,
556 VCpu->Regs);
557
558 //
559 // Check whether we need to short-circuiting event emulation or not
560 //
561 if (EventTriggerResult != VMM_CALLBACK_TRIGGERING_EVENT_STATUS_SUCCESSFUL_IGNORE_EVENT)
562 {
563 //
564 // Handle vm-exit and perform changes
565 //
566 MsrHandleWrmsrVmexit(VCpu->Regs);
567 }
568
569 //
570 // Check for the post-event triggering needs
571 //
572 if (PostEventTriggerReq)
573 {
574 VmmCallbackTriggerEvents(WRMSR_INSTRUCTION_EXECUTION,
575 VMM_CALLBACK_CALLING_STAGE_POST_EVENT_EMULATION,
576 (PVOID)(VCpu->Regs->rcx & 0xffffffff),
577 NULL,
578 VCpu->Regs);
579 }
580}
MsrHandleWrmsrVmexit
VOID MsrHandleWrmsrVmexit(PGUEST_REGS GuestRegs)
Handles in the cases when RDMSR causes a vm-exit.
Definition MsrHandlers.c:162
WRMSR_INSTRUCTION_EXECUTION
@ WRMSR_INSTRUCTION_EXECUTION
Definition Events.h:129