HyperDbg Debugger
Loading...
Searching...
No Matches
Classes | Macros | Typedefs | Functions
ExecTrap.h File Reference

Header for the user-mode, kernel-mode execution traps' routines. More...

#include "pch.h"

Go to the source code of this file.

Classes

struct  _USER_KERNEL_EXECUTION_TRAP_STATE
 The status user-mode, kernel-mode execution traps for processes. More...
 

Macros

#define MAXIMUM_NUMBER_OF_PROCESSES_FOR_USER_KERNEL_EXEC_THREAD   100
 maximum number of processes for a simultaneous user-mode, kernel-mode execution trap
 

Typedefs

typedef struct _USER_KERNEL_EXECUTION_TRAP_STATE USER_KERNEL_EXECUTION_TRAP_STATE
 The status user-mode, kernel-mode execution traps for processes.
 
typedef struct _USER_KERNEL_EXECUTION_TRAP_STATEPUSER_KERNEL_EXECUTION_TRAP_STATE
 

Functions

VOID ExecTrapHandleCr3Vmexit (VIRTUAL_MACHINE_STATE *VCpu)
 Handle MOV to CR3 vm-exits for hooking mode execution.
 
VOID ExecTrapChangeToUserDisabledMbecEptp (VIRTUAL_MACHINE_STATE *VCpu)
 change to user-disabled MBEC EPTP
 
VOID ExecTrapChangeToKernelDisabledMbecEptp (VIRTUAL_MACHINE_STATE *VCpu)
 change to kernel-disabled MBEC EPTP
 
VOID ExecTrapRestoreToNormalEptp (VIRTUAL_MACHINE_STATE *VCpu)
 restore to normal EPTP
 
VOID ExecTrapHandleMoveToAdjustedTrapState (VIRTUAL_MACHINE_STATE *VCpu, DEBUGGER_EVENT_MODE_TYPE TargetMode)
 Restore the execution of the trap to adjusted trap state.
 
VOID ExecTrapUninitialize ()
 Uinitialize the needed structure for the reversing machine.
 
BOOLEAN ExecTrapInitialize ()
 Initialize the reversing machine based on service request.
 
BOOLEAN ExecTrapHandleEptViolationVmexit (VIRTUAL_MACHINE_STATE *VCpu, VMX_EXIT_QUALIFICATION_EPT_VIOLATION *ViolationQualification)
 Handle EPT Violations related to the MBEC hooks.
 
BOOLEAN ExecTrapAddProcessToWatchingList (UINT32 ProcessId)
 Add the target process to the watching list.
 
BOOLEAN ExecTrapRemoveProcessFromWatchingList (UINT32 ProcessId)
 Remove the target process from the watching list.
 

Detailed Description

Header for the user-mode, kernel-mode execution traps' routines.

Author
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
Version
0.4
Date
2023-07-05
Copyright
This project is released under the GNU Public License v3.

Macro Definition Documentation

◆ MAXIMUM_NUMBER_OF_PROCESSES_FOR_USER_KERNEL_EXEC_THREAD

#define MAXIMUM_NUMBER_OF_PROCESSES_FOR_USER_KERNEL_EXEC_THREAD   100

maximum number of processes for a simultaneous user-mode, kernel-mode execution trap

Typedef Documentation

◆ PUSER_KERNEL_EXECUTION_TRAP_STATE

typedef struct _USER_KERNEL_EXECUTION_TRAP_STATE * PUSER_KERNEL_EXECUTION_TRAP_STATE

◆ USER_KERNEL_EXECUTION_TRAP_STATE

typedef struct _USER_KERNEL_EXECUTION_TRAP_STATE USER_KERNEL_EXECUTION_TRAP_STATE

The status user-mode, kernel-mode execution traps for processes.

Function Documentation

◆ ExecTrapAddProcessToWatchingList()

BOOLEAN ExecTrapAddProcessToWatchingList ( UINT32 ProcessId)

Add the target process to the watching list.

Parameters
ProcessId
Returns
BOOLEAN
895{
896 return InsertionSortInsertItem(&g_ExecTrapState.InterceptionProcessIds[0],
897 &g_ExecTrapState.NumberOfItems,
898 MAXIMUM_NUMBER_OF_PROCESSES_FOR_USER_KERNEL_EXEC_THREAD,
899 (UINT64)ProcessId);
900}
UINT64
unsigned __int64 UINT64
Definition BasicTypes.h:21
MAXIMUM_NUMBER_OF_PROCESSES_FOR_USER_KERNEL_EXEC_THREAD
#define MAXIMUM_NUMBER_OF_PROCESSES_FOR_USER_KERNEL_EXEC_THREAD
maximum number of processes for a simultaneous user-mode, kernel-mode execution trap
Definition ExecTrap.h:23
g_ExecTrapState
USER_KERNEL_EXECUTION_TRAP_STATE g_ExecTrapState
State of the trap-flag.
Definition GlobalVariables.h:162
InsertionSortInsertItem
BOOLEAN InsertionSortInsertItem(UINT64 ArrayPtr[], UINT32 *NumberOfItems, UINT32 MaxNumOfItems, UINT64 Key)
Function to implement insertion sort.
Definition InsertionSort.c:24
_USER_KERNEL_EXECUTION_TRAP_STATE::NumberOfItems
UINT32 NumberOfItems
Definition ExecTrap.h:35
_USER_KERNEL_EXECUTION_TRAP_STATE::InterceptionProcessIds
UINT64 InterceptionProcessIds[MAXIMUM_NUMBER_OF_PROCESSES_FOR_USER_KERNEL_EXEC_THREAD]
Definition ExecTrap.h:36

◆ ExecTrapChangeToKernelDisabledMbecEptp()

VOID ExecTrapChangeToKernelDisabledMbecEptp ( VIRTUAL_MACHINE_STATE * VCpu)

change to kernel-disabled MBEC EPTP

Parameters
VCpuThe virtual processor's state
Returns
VOID
732{
733 //
734 // Change EPTP
735 //
736 __vmx_vmwrite(VMCS_CTRL_EPT_POINTER, g_EptState->ModeBasedKernelDisabledEptPointer.AsUInt);
737
738 //
739 // It's not on normal EPTP
740 //
741 VCpu->NotNormalEptp = TRUE;
742}
TRUE
#define TRUE
Definition BasicTypes.h:55
g_EptState
EPT_STATE * g_EptState
Save the state and variables related to EPT.
Definition GlobalVariables.h:50
_EPT_STATE::ModeBasedKernelDisabledEptPointer
EPT_POINTER ModeBasedKernelDisabledEptPointer
Definition Ept.h:125
_VIRTUAL_MACHINE_STATE::NotNormalEptp
BOOLEAN NotNormalEptp
Definition State.h:300

◆ ExecTrapChangeToUserDisabledMbecEptp()

VOID ExecTrapChangeToUserDisabledMbecEptp ( VIRTUAL_MACHINE_STATE * VCpu)

change to user-disabled MBEC EPTP

Parameters
VCpuThe virtual processor's state
Returns
VOID
712{
713 //
714 // Change EPTP
715 //
716 __vmx_vmwrite(VMCS_CTRL_EPT_POINTER, g_EptState->ModeBasedUserDisabledEptPointer.AsUInt);
717
718 //
719 // It's not on normal EPTP
720 //
721 VCpu->NotNormalEptp = TRUE;
722}
_EPT_STATE::ModeBasedUserDisabledEptPointer
EPT_POINTER ModeBasedUserDisabledEptPointer
Definition Ept.h:124

◆ ExecTrapHandleCr3Vmexit()

VOID ExecTrapHandleCr3Vmexit ( VIRTUAL_MACHINE_STATE * VCpu)

Handle MOV to CR3 vm-exits for hooking mode execution.

Parameters
VCpuThe virtual processor's state
Returns
VOID
848{
849 BOOLEAN Result;
850 UINT32 Index;
851
852 //
853 // Search the list of processes for the current process's user-execution
854 // trap state
855 //
856 Result = BinarySearchPerformSearchItem(&g_ExecTrapState.InterceptionProcessIds[0],
857 g_ExecTrapState.NumberOfItems,
858 &Index,
859 (UINT64)PsGetCurrentProcessId());
860
861 //
862 // Check whether the procerss is in the list of interceptions or not
863 //
864 if (Result)
865 {
866 //
867 // Enable MBEC to detect execution in user-mode
868 //
869 HvSetModeBasedExecutionEnableFlag(TRUE);
870 VCpu->MbecEnabled = TRUE;
871
872 //
873 // Trigger the event
874 //
875 DispatchEventMode(VCpu, DEBUGGER_EVENT_MODE_TYPE_KERNEL_MODE, TRUE);
876 }
877 else if (VCpu->MbecEnabled)
878 {
879 //
880 // In case, the process is changed, we've disable the MBEC
881 //
882 HvSetModeBasedExecutionEnableFlag(FALSE);
883 VCpu->MbecEnabled = FALSE;
884 }
885}
BOOLEAN
UCHAR BOOLEAN
Definition BasicTypes.h:39
FALSE
#define FALSE
Definition BasicTypes.h:54
UINT32
unsigned int UINT32
Definition BasicTypes.h:48
BinarySearchPerformSearchItem
BOOLEAN BinarySearchPerformSearchItem(UINT64 ArrayPtr[], UINT32 NumberOfItems, UINT32 *ResultIndex, UINT64 Key)
A utility function to perform the binary search.
Definition BinarySearch.c:46
DispatchEventMode
VOID DispatchEventMode(VIRTUAL_MACHINE_STATE *VCpu, DEBUGGER_EVENT_MODE_TYPE TargetMode, BOOLEAN HandleState)
Handling debugger functions related to user-mode/kernel-mode execution trap events.
Definition Dispatch.c:312
HvSetModeBasedExecutionEnableFlag
VOID HvSetModeBasedExecutionEnableFlag(BOOLEAN Set)
Set Mode-based Execution Control (MBEC) Enable bit.
Definition Hv.c:677
DEBUGGER_EVENT_MODE_TYPE_KERNEL_MODE
@ DEBUGGER_EVENT_MODE_TYPE_KERNEL_MODE
Definition Events.h:207
_VIRTUAL_MACHINE_STATE::MbecEnabled
BOOLEAN MbecEnabled
Definition State.h:301

◆ ExecTrapHandleEptViolationVmexit()

BOOLEAN ExecTrapHandleEptViolationVmexit ( VIRTUAL_MACHINE_STATE * VCpu,
VMX_EXIT_QUALIFICATION_EPT_VIOLATION * ViolationQualification )

Handle EPT Violations related to the MBEC hooks.

Parameters
VCpuThe virtual processor's state
ViolationQualification
Returns
BOOLEAN
781{
782 //
783 // Check if this mechanism is use or not
784 //
785 if (!g_ExecTrapInitialized)
786 {
787 return FALSE;
788 }
789
790 if (!ViolationQualification->EptExecutableForUserMode && ViolationQualification->ExecuteAccess)
791 {
792 //
793 // For test purposes
794 //
795 // LogInfo("Reached to the user-mode of the process (0x%x) is executed address: %llx", PsGetCurrentProcessId(), VCpu->LastVmexitRip);
796
797 //
798 // Suppress the RIP increment
799 //
800 HvSuppressRipIncrement(VCpu);
801
802 //
803 // Trigger the event
804 //
805 DispatchEventMode(VCpu, DEBUGGER_EVENT_MODE_TYPE_USER_MODE, TRUE);
806
807 return TRUE;
808 }
809 else if (!ViolationQualification->EptExecutable && ViolationQualification->ExecuteAccess)
810 {
811 //
812 // For test purposes
813 //
814 // LogInfo("Reached to the kernel-mode of the process (0x%x) is executed address: %llx", PsGetCurrentProcessId(), VCpu->LastVmexitRip);
815
816 //
817 // Suppress the RIP increment
818 //
819 HvSuppressRipIncrement(VCpu);
820
821 //
822 // Trigger the event
823 //
824 DispatchEventMode(VCpu, DEBUGGER_EVENT_MODE_TYPE_KERNEL_MODE, TRUE);
825 }
826 else
827 {
828 //
829 // Unexpected violation
830 //
831 return FALSE;
832 }
833
834 //
835 // It successfully handled by MBEC hooks
836 //
837 return TRUE;
838}
g_ExecTrapInitialized
BOOLEAN g_ExecTrapInitialized
Showes whether the execution trap handler is allowed to trigger an event or not.
Definition GlobalVariables.h:149
HvSuppressRipIncrement
VOID HvSuppressRipIncrement(VIRTUAL_MACHINE_STATE *VCpu)
Suppress the incrementation of RIP.
Definition Hv.c:324
DEBUGGER_EVENT_MODE_TYPE_USER_MODE
@ DEBUGGER_EVENT_MODE_TYPE_USER_MODE
Definition Events.h:206

◆ ExecTrapHandleMoveToAdjustedTrapState()

VOID ExecTrapHandleMoveToAdjustedTrapState ( VIRTUAL_MACHINE_STATE * VCpu,
DEBUGGER_EVENT_MODE_TYPE TargetMode )

Restore the execution of the trap to adjusted trap state.

Parameters
VCpuThe virtual processor's state
IsUserModeWhether the execution event caused by a switch from kernel-to-user or otherwise user-to-kernel
Returns
VOID
754{
755 if (TargetMode == DEBUGGER_EVENT_MODE_TYPE_USER_MODE)
756 {
757 //
758 // Change EPT to kernel disabled
759 //
760 ExecTrapChangeToKernelDisabledMbecEptp(VCpu);
761 }
762 else if (TargetMode == DEBUGGER_EVENT_MODE_TYPE_KERNEL_MODE)
763 {
764 //
765 // Change EPT to user disabled
766 //
767 ExecTrapChangeToUserDisabledMbecEptp(VCpu);
768 }
769}
ExecTrapChangeToKernelDisabledMbecEptp
VOID ExecTrapChangeToKernelDisabledMbecEptp(VIRTUAL_MACHINE_STATE *VCpu)
change to kernel-disabled MBEC EPTP
Definition ExecTrap.c:731
ExecTrapChangeToUserDisabledMbecEptp
VOID ExecTrapChangeToUserDisabledMbecEptp(VIRTUAL_MACHINE_STATE *VCpu)
change to user-disabled MBEC EPTP
Definition ExecTrap.c:711

◆ ExecTrapInitialize()

BOOLEAN ExecTrapInitialize ( )

Initialize the reversing machine based on service request.

Returns
BOOLEAN
498{
499 //
500 // Check if the reversing machine is already initialized
501 //
502 if (g_ExecTrapInitialized)
503 {
504 //
505 // Already initialized
506 //
507 return FALSE;
508 }
509
510 //
511 // Check if MBEC supported by this processors
512 //
513 if (!g_CompatibilityCheck.ModeBasedExecutionSupport)
514 {
515 LogInfo("Your processor doesn't support Mode-Based Execution Controls (MBEC), which is a needed feature for this functionality :(\n"
516 "MBEC is available on processors starting from the 7th generation (Kaby Lake) and onwards");
517 return FALSE;
518 }
519
520 //
521 // Read the RAM regions
522 //
523 ExecTrapReadRamPhysicalRegions();
524
525 //
526 // Allocate MBEC EPT page-table (user-disabled)
527 //
528 if (!ExecTrapAllocateUserDisabledMbecEptPageTable())
529 {
530 //
531 // There was an error allocating MBEC page table for EPT tables
532 //
533 return FALSE;
534 }
535
536 //
537 // Allocate MBEC EPT page-table (kernel-disabled)
538 //
539 if (!ExecTrapAllocateKernelDisabledMbecEptPageTable())
540 {
541 //
542 // Free the user-disabled page-table buffer
543 //
544 MmFreeContiguousMemory(g_EptState->ModeBasedUserDisabledEptPageTable);
545 g_EptState->ModeBasedUserDisabledEptPageTable = NULL;
546
547 //
548 // There was an error allocating MBEC page table for EPT tables
549 //
550 return FALSE;
551 }
552
553 //
554 // Call the function responsible for initializing Mode-based hooks
555 //
556 if (ModeBasedExecHookInitialize() == FALSE)
557 {
558 //
559 // Free the user-disabled page-table buffer
560 //
561 MmFreeContiguousMemory(g_EptState->ModeBasedUserDisabledEptPageTable);
562 g_EptState->ModeBasedUserDisabledEptPageTable = NULL;
563
564 //
565 // Free the kernel-disabled page-table buffer
566 //
567 MmFreeContiguousMemory(g_EptState->ModeBasedKernelDisabledEptPageTable);
568 g_EptState->ModeBasedKernelDisabledEptPageTable = NULL;
569
570 //
571 // The initialization was not successful
572 //
573 return FALSE;
574 }
575
576 //
577 // Change EPT on all core's to a MBEC supported EPTP
578 // (No longer needed as the starting phase of the process uses EPT hooks)
579 //
580 BroadcastChangeToMbecSupportedEptpOnAllProcessors();
581
582 //
583 // Indicate that the reversing machine is initialized
584 // It should be initialized here BEFORE broadcasting mov 2 cr3 exiting
585 // because an EPT violation might be thrown before we enabled it from
586 // here
587 //
588 g_ExecTrapInitialized = TRUE;
589
590 //
591 // Enable Mode-based execution control by broadcasting MOV to CR3 exiting
592 //
593 BroadcastEnableMovToCr3ExitingOnAllProcessors();
594
595 return TRUE;
596}
BroadcastChangeToMbecSupportedEptpOnAllProcessors
VOID BroadcastChangeToMbecSupportedEptpOnAllProcessors()
routines for changing EPTP to an MBEC supported EPTP
Definition Broadcast.c:447
BroadcastEnableMovToCr3ExitingOnAllProcessors
VOID BroadcastEnableMovToCr3ExitingOnAllProcessors()
routines for debugging threads (enable mov-to-cr3 exiting)
Definition Broadcast.c:436
ExecTrapReadRamPhysicalRegions
VOID ExecTrapReadRamPhysicalRegions()
Read the RAM regions (physical address)
Definition ExecTrap.c:459
ExecTrapAllocateUserDisabledMbecEptPageTable
BOOLEAN ExecTrapAllocateUserDisabledMbecEptPageTable()
Initialize the needed structure for hooking user-mode execution.
Definition ExecTrap.c:255
ExecTrapAllocateKernelDisabledMbecEptPageTable
BOOLEAN ExecTrapAllocateKernelDisabledMbecEptPageTable()
Initialize the needed structure for hooking kernel-mode execution.
Definition ExecTrap.c:319
g_CompatibilityCheck
COMPATIBILITY_CHECKS_STATUS g_CompatibilityCheck
Different attributes and compatibility checks of the current processor.
Definition GlobalVariables.h:26
LogInfo
#define LogInfo(format,...)
Define log variables.
Definition HyperDbgHyperLogIntrinsics.h:71
ModeBasedExecHookInitialize
BOOLEAN ModeBasedExecHookInitialize()
Initialize the needed structure for hooking mode execution.
Definition ModeBasedExecHook.c:185
test-case-generator.NULL
NULL()
Definition test-case-generator.py:530
_COMPATIBILITY_CHECKS_STATUS::ModeBasedExecutionSupport
BOOLEAN ModeBasedExecutionSupport
Definition CompatibilityChecks.h:28
_EPT_STATE::ModeBasedKernelDisabledEptPageTable
PVMM_EPT_PAGE_TABLE ModeBasedKernelDisabledEptPageTable
Definition Ept.h:123
_EPT_STATE::ModeBasedUserDisabledEptPageTable
PVMM_EPT_PAGE_TABLE ModeBasedUserDisabledEptPageTable
Definition Ept.h:122

◆ ExecTrapRemoveProcessFromWatchingList()

BOOLEAN ExecTrapRemoveProcessFromWatchingList ( UINT32 ProcessId)

Remove the target process from the watching list.

Parameters
ProcessId
Returns
BOOLEAN
910{
911 return InsertionSortDeleteItem(&g_ExecTrapState.InterceptionProcessIds[0],
912 &g_ExecTrapState.NumberOfItems,
913 (UINT64)ProcessId);
914}
InsertionSortDeleteItem
BOOLEAN InsertionSortDeleteItem(UINT64 ArrayPtr[], UINT32 *NumberOfItems, UINT32 Index)
Function to implement insertion sort.
Definition InsertionSort.c:66

◆ ExecTrapRestoreToNormalEptp()

VOID ExecTrapRestoreToNormalEptp ( VIRTUAL_MACHINE_STATE * VCpu)

restore to normal EPTP

Parameters
VCpuThe virtual processor's state
Returns
VOID
672{
673 //
674 // Change EPTP
675 //
676 __vmx_vmwrite(VMCS_CTRL_EPT_POINTER, VCpu->EptPointer.AsUInt);
677
678 //
679 // It's on normal EPTP
680 //
681 VCpu->NotNormalEptp = FALSE;
682}
_VIRTUAL_MACHINE_STATE::EptPointer
EPT_POINTER EptPointer
Definition State.h:341

◆ ExecTrapUninitialize()

VOID ExecTrapUninitialize ( )

Uinitialize the needed structure for the reversing machine.

should be called from vmx non-root mode

Returns
VOID
606{
607 //
608 // Check if it's already initialized
609 //
610 if (!g_ExecTrapInitialized)
611 {
612 return;
613 }
614
615 //
616 // Indicate that the uninitialization phase started
617 //
618 g_ExecTrapUnInitializationStarted = TRUE;
619
620 //
621 // Disable MOV to CR3 exiting
622 //
623 BroadcastDisableMovToCr3ExitingOnAllProcessors();
624
625 //
626 // Restore to normal EPTP
627 //
628 BroadcastRestoreToNormalEptpOnAllProcessors();
629
630 //
631 // Uninitialize the mode-based execution controls
632 //
633 ModeBasedExecHookUninitialize();
634
635 //
636 // Indicate that the execution traps are disabled
637 //
638 g_ExecTrapInitialized = FALSE;
639
640 //
641 // Indicate that the uninitialization phase finished
642 //
643 g_ExecTrapUnInitializationStarted = FALSE;
644
645 //
646 // Free Identity Page Table for MBEC hooks (user-disabled)
647 //
648 if (g_EptState->ModeBasedUserDisabledEptPageTable != NULL)
649 {
650 MmFreeContiguousMemory(g_EptState->ModeBasedUserDisabledEptPageTable);
651 g_EptState->ModeBasedUserDisabledEptPageTable = NULL;
652 }
653
654 //
655 // Free Identity Page Table for MBEC hooks (kernel-disabled)
656 //
657 if (g_EptState->ModeBasedKernelDisabledEptPageTable != NULL)
658 {
659 MmFreeContiguousMemory(g_EptState->ModeBasedKernelDisabledEptPageTable);
660 g_EptState->ModeBasedKernelDisabledEptPageTable = NULL;
661 }
662}
BroadcastRestoreToNormalEptpOnAllProcessors
VOID BroadcastRestoreToNormalEptpOnAllProcessors()
routines for restoring EPTP to normal EPTP
Definition Broadcast.c:458
BroadcastDisableMovToCr3ExitingOnAllProcessors
VOID BroadcastDisableMovToCr3ExitingOnAllProcessors()
routines for debugging threads (disable mov-to-cr3 exiting)
Definition Broadcast.c:491
g_ExecTrapUnInitializationStarted
BOOLEAN g_ExecTrapUnInitializationStarted
Showes whether the uninitialization of the exec trap is started or not.
Definition GlobalVariables.h:156
ModeBasedExecHookUninitialize
VOID ModeBasedExecHookUninitialize()
Uinitialize the needed structure for hooking mode execution.
Definition ModeBasedExecHook.c:247