HyperDbg Debugger
Loading...
Searching...
No Matches
ExecTrap.h
Go to the documentation of this file.
1
13#include "pch.h"
14
16// Definitions //
18
23#define MAXIMUM_NUMBER_OF_PROCESSES_FOR_USER_KERNEL_EXEC_THREAD 100
24
26// Structures //
28
39
41// Functions //
43
44VOID
45ExecTrapHandleCr3Vmexit(VIRTUAL_MACHINE_STATE * VCpu);
46
47VOID
48ExecTrapChangeToUserDisabledMbecEptp(VIRTUAL_MACHINE_STATE * VCpu);
49
50VOID
51ExecTrapChangeToKernelDisabledMbecEptp(VIRTUAL_MACHINE_STATE * VCpu);
52
53VOID
54ExecTrapRestoreToNormalEptp(VIRTUAL_MACHINE_STATE * VCpu);
55
56VOID
57ExecTrapHandleMoveToAdjustedTrapState(VIRTUAL_MACHINE_STATE * VCpu, DEBUGGER_EVENT_MODE_TYPE TargetMode);
58
59VOID
60ExecTrapUninitialize();
61
62BOOLEAN
63ExecTrapInitialize();
64
65BOOLEAN
66ExecTrapHandleEptViolationVmexit(VIRTUAL_MACHINE_STATE * VCpu,
67 VMX_EXIT_QUALIFICATION_EPT_VIOLATION * ViolationQualification);
68
69BOOLEAN
70ExecTrapAddProcessToWatchingList(UINT32 ProcessId);
71
72BOOLEAN
73ExecTrapRemoveProcessFromWatchingList(UINT32 ProcessId);
BOOLEAN
UCHAR BOOLEAN
Definition BasicTypes.h:39
VOID
#define VOID
Definition BasicTypes.h:33
UINT64
unsigned __int64 UINT64
Definition BasicTypes.h:21
UINT32
unsigned int UINT32
Definition BasicTypes.h:48
ExecTrapRestoreToNormalEptp
VOID ExecTrapRestoreToNormalEptp(VIRTUAL_MACHINE_STATE *VCpu)
restore to normal EPTP
Definition ExecTrap.c:671
ExecTrapHandleCr3Vmexit
VOID ExecTrapHandleCr3Vmexit(VIRTUAL_MACHINE_STATE *VCpu)
Handle MOV to CR3 vm-exits for hooking mode execution.
Definition ExecTrap.c:847
PUSER_KERNEL_EXECUTION_TRAP_STATE
struct _USER_KERNEL_EXECUTION_TRAP_STATE * PUSER_KERNEL_EXECUTION_TRAP_STATE
ExecTrapChangeToKernelDisabledMbecEptp
VOID ExecTrapChangeToKernelDisabledMbecEptp(VIRTUAL_MACHINE_STATE *VCpu)
change to kernel-disabled MBEC EPTP
Definition ExecTrap.c:731
MAXIMUM_NUMBER_OF_PROCESSES_FOR_USER_KERNEL_EXEC_THREAD
#define MAXIMUM_NUMBER_OF_PROCESSES_FOR_USER_KERNEL_EXEC_THREAD
maximum number of processes for a simultaneous user-mode, kernel-mode execution trap
Definition ExecTrap.h:23
ExecTrapRemoveProcessFromWatchingList
BOOLEAN ExecTrapRemoveProcessFromWatchingList(UINT32 ProcessId)
Remove the target process from the watching list.
Definition ExecTrap.c:909
ExecTrapChangeToUserDisabledMbecEptp
VOID ExecTrapChangeToUserDisabledMbecEptp(VIRTUAL_MACHINE_STATE *VCpu)
change to user-disabled MBEC EPTP
Definition ExecTrap.c:711
USER_KERNEL_EXECUTION_TRAP_STATE
struct _USER_KERNEL_EXECUTION_TRAP_STATE USER_KERNEL_EXECUTION_TRAP_STATE
The status user-mode, kernel-mode execution traps for processes.
ExecTrapInitialize
BOOLEAN ExecTrapInitialize()
Initialize the reversing machine based on service request.
Definition ExecTrap.c:497
ExecTrapAddProcessToWatchingList
BOOLEAN ExecTrapAddProcessToWatchingList(UINT32 ProcessId)
Add the target process to the watching list.
Definition ExecTrap.c:894
ExecTrapUninitialize
VOID ExecTrapUninitialize()
Uinitialize the needed structure for the reversing machine.
Definition ExecTrap.c:605
ExecTrapHandleEptViolationVmexit
BOOLEAN ExecTrapHandleEptViolationVmexit(VIRTUAL_MACHINE_STATE *VCpu, VMX_EXIT_QUALIFICATION_EPT_VIOLATION *ViolationQualification)
Handle EPT Violations related to the MBEC hooks.
Definition ExecTrap.c:779
ExecTrapHandleMoveToAdjustedTrapState
VOID ExecTrapHandleMoveToAdjustedTrapState(VIRTUAL_MACHINE_STATE *VCpu, DEBUGGER_EVENT_MODE_TYPE TargetMode)
Restore the execution of the trap to adjusted trap state.
Definition ExecTrap.c:753
DEBUGGER_EVENT_MODE_TYPE
enum _DEBUGGER_EVENT_MODE_TYPE DEBUGGER_EVENT_MODE_TYPE
Type of mode change traps.
_USER_KERNEL_EXECUTION_TRAP_STATE
The status user-mode, kernel-mode execution traps for processes.
Definition ExecTrap.h:34
_USER_KERNEL_EXECUTION_TRAP_STATE::NumberOfItems
UINT32 NumberOfItems
Definition ExecTrap.h:35
_USER_KERNEL_EXECUTION_TRAP_STATE::InterceptionProcessIds
UINT64 InterceptionProcessIds[MAXIMUM_NUMBER_OF_PROCESSES_FOR_USER_KERNEL_EXEC_THREAD]
Definition ExecTrap.h:36
_VIRTUAL_MACHINE_STATE
The status of each core after and before VMX.
Definition State.h:290