HaltedBroadcast.c File Reference

Broadcasting functions in case of halted cores. More...

#include "pch.h"

Functions
VOID	HaltedBroadcastChangeAllMsrBitmapReadAllCores (UINT64 BitmapMask)
	This function broadcasts MSR (READ) changes to all cores.
VOID	HaltedBroadcastChangeAllMsrBitmapWriteAllCores (UINT64 BitmapMask)
	This function broadcasts MSR (WRITE) changes to all cores.
VOID	HaltedBroadcastChangeAllIoBitmapAllCores (UINT64 Port)
	This function broadcasts IO changes to all cores.
VOID	HaltedBroadcastEnableRdpmcExitingAllCores ()
	This function broadcasts enable RDPMC exiting to all cores.
VOID	HaltedBroadcastEnableRdtscExitingAllCores ()
	This function broadcasts enable rdtsc/rdtscp exiting to all cores.
VOID	HaltedBroadcastEnableMov2DebugRegsExitingAllCores ()
	This function broadcasts enable mov to debug registers exiting to all cores.
VOID	HaltedBroadcastEnableExternalInterruptExitingAllCores ()
	This function broadcasts enable external interrupt exiting to all cores.
VOID	HaltedBroadcastSetExceptionBitmapAllCores (UINT64 ExceptionIndex)
	This function broadcasts set exception bitmap to all cores.
VOID	HaltedBroadcastUnSetExceptionBitmapAllCores (UINT64 ExceptionIndex)
	This function broadcasts unset exception bitmap on VMCS to all cores.
VOID	HaltedBroadcastEnableMovToCrExitingAllCores (DEBUGGER_EVENT_OPTIONS *BroadcastingOption)
	This function broadcasts enable mov to CR exiting to all cores.
VOID	HaltedBroadcastEnableEferSyscallHookAllCores ()
	This function broadcasts enable syscall hook using EFER SCE bit to all cores.
VOID	HaltedBroadcastInvalidateEptAllContextsAllCores ()
	This function broadcasts invalidate EPT (All Contexts) to all cores.
VOID	HaltedBroadcastInvalidateSingleContextAllCores ()
	This function broadcasts invalidate EPT (A Single Context) to all cores.
VOID	HaltedBroadcastUnhookSinglePageAllCores (EPT_SINGLE_HOOK_UNHOOKING_DETAILS *UnhookingDetail)
	This function broadcasts restore a single EPT entry and invalidate EPT cache to all cores.
VOID	HaltedBroadcastSetDisableExternalInterruptExitingOnlyOnClearingInterruptEventsAllCores ()
	This function broadcasts disable external interrupt exiting only to clear !interrupt commands to all cores.
VOID	HaltedBroadcastResetMsrBitmapReadAllCores ()
	This function broadcasts reset MSR Bitmap Read to all cores.
VOID	HaltedBroadcastResetMsrBitmapWriteAllCores ()
	This function broadcasts reset MSR Bitmap Write to all cores.
VOID	HaltedBroadcastResetExceptionBitmapOnlyOnClearingExceptionEventsAllCores ()
	This function broadcasts reset exception bitmap on VMCS to all cores.
VOID	HaltedBroadcastResetIoBitmapAllCores ()
	This function broadcasts reset I/O Bitmaps (A & B) to all cores.
VOID	HaltedBroadcastDisableRdtscExitingForClearingTscEventsAllCores ()
	This function broadcasts clear rdtsc exiting bit ONLY in the case of disabling the events for !tsc command to all cores.
VOID	HaltedBroadcastDisableRdpmcExitingAllCores ()
	This function broadcasts disable rdpmc exiting in primary cpu-based controls to all cores.
VOID	HaltedBroadcastDisableEferSyscallEventsAllCores ()
	This function broadcasts disable syscall hook using EFER SCE bit controls to all cores.
VOID	HaltedBroadcastDisableMov2DrExitingForClearingDrEventsAllCores ()
	This function broadcasts clear mov 2 hw dr exiting bit ONLY in the case of disabling the events for !dr command to all cores.
VOID	HaltedBroadcastDisableMov2CrExitingForClearingCrEventsAllCores (DEBUGGER_EVENT_OPTIONS *BroadcastingOption)
	This function broadcasts clear mov 2 cr exiting bit ONLY in the case of disabling the events for !crwrite command to all cores.

Detailed Description

Broadcasting functions in case of halted cores.

Author

Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)

Version

0.7

Date

2023-10-19

Copyright

This project is released under the GNU Public License v3.

Function Documentation

HaltedBroadcastChangeAllIoBitmapAllCores()

VOID HaltedBroadcastChangeAllIoBitmapAllCores

(

UINT64

Port

)

This function broadcasts IO changes to all cores.

Should be called from VMX root-mode

Parameters

Port

Returns

VOID

{
    DIRECT_VMCALL_PARAMETERS DirectVmcallOptions = {0};
    UINT64                   HaltedCoreTask      = (UINT64)NULL;
 
    //
    // Set the target task
    //
    HaltedCoreTask = DEBUGGER_HALTED_CORE_TASK_CHANGE_IO_BITMAP;
 
    //
    // Set the parameters for the direct VMCALL
    //
    DirectVmcallOptions.OptionalParam1 = Port;
 
    //
    // Send request for the target task to the halted cores (synchronized)
    //
    HaltedCoreBroadcastTaskAllCores(&g_DbgState[KeGetCurrentProcessorNumberEx(NULL)],
                                    HaltedCoreTask,
                                    TRUE,
                                    TRUE,
                                    &DirectVmcallOptions);
}

HaltedBroadcastChangeAllMsrBitmapReadAllCores()

VOID HaltedBroadcastChangeAllMsrBitmapReadAllCores

(

UINT64

BitmapMask

)

This function broadcasts MSR (READ) changes to all cores.

Should be called from VMX root-mode

Parameters

BitmapMask

Returns

VOID

{
    DIRECT_VMCALL_PARAMETERS DirectVmcallOptions = {0};
    UINT64                   HaltedCoreTask      = (UINT64)NULL;
 
    //
    // Set the target task
    //
    HaltedCoreTask = DEBUGGER_HALTED_CORE_TASK_CHANGE_MSR_BITMAP_READ;
 
    //
    // Set the parameters for the direct VMCALL
    //
    DirectVmcallOptions.OptionalParam1 = BitmapMask;
 
    //
    // Send request for the target task to the halted cores (synchronized)
    //
    HaltedCoreBroadcastTaskAllCores(&g_DbgState[KeGetCurrentProcessorNumberEx(NULL)],
                                    HaltedCoreTask,
                                    TRUE,
                                    TRUE,
                                    &DirectVmcallOptions);
}

HaltedBroadcastChangeAllMsrBitmapWriteAllCores()

VOID HaltedBroadcastChangeAllMsrBitmapWriteAllCores

(

UINT64

BitmapMask

)

This function broadcasts MSR (WRITE) changes to all cores.

Should be called from VMX root-mode

Parameters

BitmapMask

Returns

VOID

{
    DIRECT_VMCALL_PARAMETERS DirectVmcallOptions = {0};
    UINT64                   HaltedCoreTask      = (UINT64)NULL;
 
    //
    // Set the target task
    //
    HaltedCoreTask = DEBUGGER_HALTED_CORE_TASK_CHANGE_MSR_BITMAP_WRITE;
 
    //
    // Set the parameters for the direct VMCALL
    //
    DirectVmcallOptions.OptionalParam1 = BitmapMask;
 
    //
    // Send request for the target task to the halted cores (synchronized)
    //
    HaltedCoreBroadcastTaskAllCores(&g_DbgState[KeGetCurrentProcessorNumberEx(NULL)],
                                    HaltedCoreTask,
                                    TRUE,
                                    TRUE,
                                    &DirectVmcallOptions);
}

HaltedBroadcastDisableEferSyscallEventsAllCores()

VOID HaltedBroadcastDisableEferSyscallEventsAllCores

(

)

This function broadcasts disable syscall hook using EFER SCE bit controls to all cores.

Should be called from VMX root-mode

Returns

VOID

{
    DIRECT_VMCALL_PARAMETERS DirectVmcallOptions = {0};
    UINT64                   HaltedCoreTask      = (UINT64)NULL;
 
    //
    // Set the target task
    //
    HaltedCoreTask = DEBUGGER_HALTED_CORE_TASK_DISABLE_SYSCALL_HOOK_EFER;
 
    //
    // Send request for the target task to the halted cores (synchronized)
    //
    HaltedCoreBroadcastTaskAllCores(&g_DbgState[KeGetCurrentProcessorNumberEx(NULL)],
                                    HaltedCoreTask,
                                    TRUE,
                                    TRUE,
                                    &DirectVmcallOptions);
}

HaltedBroadcastDisableMov2CrExitingForClearingCrEventsAllCores()

VOID HaltedBroadcastDisableMov2CrExitingForClearingCrEventsAllCores

(

DEBUGGER_EVENT_OPTIONS *

BroadcastingOption

)

This function broadcasts clear mov 2 cr exiting bit ONLY in the case of disabling the events for !crwrite command to all cores.

Should be called from VMX root-mode

Parameters

BroadcastingOption

Returns

VOID

{
    DIRECT_VMCALL_PARAMETERS DirectVmcallOptions = {0};
    UINT64                   HaltedCoreTask      = (UINT64)NULL;
 
    //
    // Set the target task
    //
    HaltedCoreTask = DEBUGGER_HALTED_CORE_TASK_DISABLE_MOV_TO_CR_EXITING_ONLY_FOR_CR_EVENTS;
 
    //
    // Set the parameters for the direct VMCALL
    //
    DirectVmcallOptions.OptionalParam1 = BroadcastingOption->OptionalParam1;
    DirectVmcallOptions.OptionalParam2 = BroadcastingOption->OptionalParam2;
 
    //
    // Send request for the target task to the halted cores (synchronized)
    //
    HaltedCoreBroadcastTaskAllCores(&g_DbgState[KeGetCurrentProcessorNumberEx(NULL)],
                                    HaltedCoreTask,
                                    TRUE,
                                    TRUE,
                                    &DirectVmcallOptions);
}

HaltedBroadcastDisableMov2DrExitingForClearingDrEventsAllCores()

VOID HaltedBroadcastDisableMov2DrExitingForClearingDrEventsAllCores

(

)

This function broadcasts clear mov 2 hw dr exiting bit ONLY in the case of disabling the events for !dr command to all cores.

Should be called from VMX root-mode

Returns

VOID

{
    DIRECT_VMCALL_PARAMETERS DirectVmcallOptions = {0};
    UINT64                   HaltedCoreTask      = (UINT64)NULL;
 
    //
    // Set the target task
    //
    HaltedCoreTask = DEBUGGER_HALTED_CORE_TASK_DISABLE_MOV_TO_HW_DR_EXITING_ONLY_FOR_DR_EVENTS;
 
    //
    // Send request for the target task to the halted cores (synchronized)
    //
    HaltedCoreBroadcastTaskAllCores(&g_DbgState[KeGetCurrentProcessorNumberEx(NULL)],
                                    HaltedCoreTask,
                                    TRUE,
                                    TRUE,
                                    &DirectVmcallOptions);
}

HaltedBroadcastDisableRdpmcExitingAllCores()

VOID HaltedBroadcastDisableRdpmcExitingAllCores

(

)

This function broadcasts disable rdpmc exiting in primary cpu-based controls to all cores.

Should be called from VMX root-mode

Returns

VOID

{
    DIRECT_VMCALL_PARAMETERS DirectVmcallOptions = {0};
    UINT64                   HaltedCoreTask      = (UINT64)NULL;
 
    //
    // Set the target task
    //
    HaltedCoreTask = DEBUGGER_HALTED_CORE_TASK_UNSET_RDPMC_EXITING;
 
    //
    // Send request for the target task to the halted cores (synchronized)
    //
    HaltedCoreBroadcastTaskAllCores(&g_DbgState[KeGetCurrentProcessorNumberEx(NULL)],
                                    HaltedCoreTask,
                                    TRUE,
                                    TRUE,
                                    &DirectVmcallOptions);
}

HaltedBroadcastDisableRdtscExitingForClearingTscEventsAllCores()

VOID HaltedBroadcastDisableRdtscExitingForClearingTscEventsAllCores

(

)

This function broadcasts clear rdtsc exiting bit ONLY in the case of disabling the events for !tsc command to all cores.

Should be called from VMX root-mode

Returns

VOID

{
    DIRECT_VMCALL_PARAMETERS DirectVmcallOptions = {0};
    UINT64                   HaltedCoreTask      = (UINT64)NULL;
 
    //
    // Set the target task
    //
    HaltedCoreTask = DEBUGGER_HALTED_CORE_TASK_DISABLE_RDTSC_EXITING_ONLY_FOR_TSC_EVENTS;
 
    //
    // Send request for the target task to the halted cores (synchronized)
    //
    HaltedCoreBroadcastTaskAllCores(&g_DbgState[KeGetCurrentProcessorNumberEx(NULL)],
                                    HaltedCoreTask,
                                    TRUE,
                                    TRUE,
                                    &DirectVmcallOptions);
}

HaltedBroadcastEnableEferSyscallHookAllCores()

VOID HaltedBroadcastEnableEferSyscallHookAllCores

(

)

This function broadcasts enable syscall hook using EFER SCE bit to all cores.

Should be called from VMX root-mode

Returns

VOID

{
    DIRECT_VMCALL_PARAMETERS DirectVmcallOptions = {0};
    UINT64                   HaltedCoreTask      = (UINT64)NULL;
 
    //
    // Set the target task
    //
    HaltedCoreTask = DEBUGGER_HALTED_CORE_TASK_ENABLE_SYSCALL_HOOK_EFER;
 
    //
    // Send request for the target task to the halted cores (synchronized)
    //
    HaltedCoreBroadcastTaskAllCores(&g_DbgState[KeGetCurrentProcessorNumberEx(NULL)],
                                    HaltedCoreTask,
                                    TRUE,
                                    TRUE,
                                    &DirectVmcallOptions);
}

HaltedBroadcastEnableExternalInterruptExitingAllCores()

VOID HaltedBroadcastEnableExternalInterruptExitingAllCores

(

)

This function broadcasts enable external interrupt exiting to all cores.

Should be called from VMX root-mode

Returns

VOID

{
    DIRECT_VMCALL_PARAMETERS DirectVmcallOptions = {0};
    UINT64                   HaltedCoreTask      = (UINT64)NULL;
 
    //
    // Set the target task
    //
    HaltedCoreTask = DEBUGGER_HALTED_CORE_TASK_ENABLE_EXTERNAL_INTERRUPT_EXITING;
 
    //
    // Send request for the target task to the halted cores (synchronized)
    //
    HaltedCoreBroadcastTaskAllCores(&g_DbgState[KeGetCurrentProcessorNumberEx(NULL)],
                                    HaltedCoreTask,
                                    TRUE,
                                    TRUE,
                                    &DirectVmcallOptions);
}

HaltedBroadcastEnableMov2DebugRegsExitingAllCores()

VOID HaltedBroadcastEnableMov2DebugRegsExitingAllCores

(

)

This function broadcasts enable mov to debug registers exiting to all cores.

Should be called from VMX root-mode

Returns

VOID

{
    DIRECT_VMCALL_PARAMETERS DirectVmcallOptions = {0};
    UINT64                   HaltedCoreTask      = (UINT64)NULL;
 
    //
    // Set the target task
    //
    HaltedCoreTask = DEBUGGER_HALTED_CORE_TASK_ENABLE_MOV_TO_DEBUG_REGS_EXITING;
 
    //
    // Send request for the target task to the halted cores (synchronized)
    //
    HaltedCoreBroadcastTaskAllCores(&g_DbgState[KeGetCurrentProcessorNumberEx(NULL)],
                                    HaltedCoreTask,
                                    TRUE,
                                    TRUE,
                                    &DirectVmcallOptions);
}

HaltedBroadcastEnableMovToCrExitingAllCores()

VOID HaltedBroadcastEnableMovToCrExitingAllCores

(

DEBUGGER_EVENT_OPTIONS *

BroadcastingOption

)

This function broadcasts enable mov to CR exiting to all cores.

Should be called from VMX root-mode

Parameters

BroadcastingOption

Returns

VOID

{
    DIRECT_VMCALL_PARAMETERS DirectVmcallOptions = {0};
    UINT64                   HaltedCoreTask      = (UINT64)NULL;
 
    //
    // Set the target task
    //
    HaltedCoreTask = DEBUGGER_HALTED_CORE_TASK_ENABLE_MOV_TO_CONTROL_REGS_EXITING;
 
    //
    // Set the parameters for the direct VMCALL
    //
    DirectVmcallOptions.OptionalParam1 = BroadcastingOption->OptionalParam1;
    DirectVmcallOptions.OptionalParam2 = BroadcastingOption->OptionalParam2;
 
    //
    // Send request for the target task to the halted cores (synchronized)
    //
    HaltedCoreBroadcastTaskAllCores(&g_DbgState[KeGetCurrentProcessorNumberEx(NULL)],
                                    HaltedCoreTask,
                                    TRUE,
                                    TRUE,
                                    &DirectVmcallOptions);
}

HaltedBroadcastEnableRdpmcExitingAllCores()

VOID HaltedBroadcastEnableRdpmcExitingAllCores

(

)

This function broadcasts enable RDPMC exiting to all cores.

Should be called from VMX root-mode

Returns

VOID

{
    DIRECT_VMCALL_PARAMETERS DirectVmcallOptions = {0};
    UINT64                   HaltedCoreTask      = (UINT64)NULL;
 
    //
    // Set the target task
    //
    HaltedCoreTask = DEBUGGER_HALTED_CORE_TASK_SET_RDPMC_EXITING;
 
    //
    // Send request for the target task to the halted cores (synchronized)
    //
    HaltedCoreBroadcastTaskAllCores(&g_DbgState[KeGetCurrentProcessorNumberEx(NULL)],
                                    HaltedCoreTask,
                                    TRUE,
                                    TRUE,
                                    &DirectVmcallOptions);
}

HaltedBroadcastEnableRdtscExitingAllCores()

VOID HaltedBroadcastEnableRdtscExitingAllCores

(

)

This function broadcasts enable rdtsc/rdtscp exiting to all cores.

Should be called from VMX root-mode

Returns

VOID

{
    DIRECT_VMCALL_PARAMETERS DirectVmcallOptions = {0};
    UINT64                   HaltedCoreTask      = (UINT64)NULL;
 
    //
    // Set the target task
    //
    HaltedCoreTask = DEBUGGER_HALTED_CORE_TASK_SET_RDTSC_EXITING;
 
    //
    // Send request for the target task to the halted cores (synchronized)
    //
    HaltedCoreBroadcastTaskAllCores(&g_DbgState[KeGetCurrentProcessorNumberEx(NULL)],
                                    HaltedCoreTask,
                                    TRUE,
                                    TRUE,
                                    &DirectVmcallOptions);
}

HaltedBroadcastInvalidateEptAllContextsAllCores()

VOID HaltedBroadcastInvalidateEptAllContextsAllCores

(

)

This function broadcasts invalidate EPT (All Contexts) to all cores.

Should be called from VMX root-mode

Returns

VOID

{
    DIRECT_VMCALL_PARAMETERS DirectVmcallOptions = {0};
    UINT64                   HaltedCoreTask      = (UINT64)NULL;
 
    //
    // Set the target task
    //
    HaltedCoreTask = DEBUGGER_HALTED_CORE_TASK_INVEPT_ALL_CONTEXTS;
 
    //
    // Send request for the target task to the halted cores (synchronized)
    //
    HaltedCoreBroadcastTaskAllCores(&g_DbgState[KeGetCurrentProcessorNumberEx(NULL)],
                                    HaltedCoreTask,
                                    TRUE,
                                    TRUE,
                                    &DirectVmcallOptions);
}

HaltedBroadcastInvalidateSingleContextAllCores()

VOID HaltedBroadcastInvalidateSingleContextAllCores

(

)

This function broadcasts invalidate EPT (A Single Context) to all cores.

Should be called from VMX root-mode

Returns

VOID

{
    DIRECT_VMCALL_PARAMETERS DirectVmcallOptions = {0};
    UINT64                   HaltedCoreTask      = (UINT64)NULL;
 
    //
    // Set the target task
    //
    HaltedCoreTask = DEBUGGER_HALTED_CORE_TASK_INVEPT_SINGLE_CONTEXT;
 
    //
    // Send request for the target task to the halted cores (synchronized)
    //
    HaltedCoreBroadcastTaskAllCores(&g_DbgState[KeGetCurrentProcessorNumberEx(NULL)],
                                    HaltedCoreTask,
                                    TRUE,
                                    TRUE,
                                    &DirectVmcallOptions);
}

HaltedBroadcastResetExceptionBitmapOnlyOnClearingExceptionEventsAllCores()

VOID HaltedBroadcastResetExceptionBitmapOnlyOnClearingExceptionEventsAllCores

(

)

This function broadcasts reset exception bitmap on VMCS to all cores.

Should be called from VMX root-mode THIS VMCALL SHOULD BE USED ONLY IN RESETTING (CLEARING) EXCEPTION EVENTS

Returns

VOID

{
    DIRECT_VMCALL_PARAMETERS DirectVmcallOptions = {0};
    UINT64                   HaltedCoreTask      = (UINT64)NULL;
 
    //
    // Set the target task
    //
    HaltedCoreTask = DEBUGGER_HALTED_CORE_TASK_RESET_EXCEPTION_BITMAP_ONLY_ON_CLEARING_EXCEPTION_EVENTS;
 
    //
    // Send request for the target task to the halted cores (synchronized)
    //
    HaltedCoreBroadcastTaskAllCores(&g_DbgState[KeGetCurrentProcessorNumberEx(NULL)],
                                    HaltedCoreTask,
                                    TRUE,
                                    TRUE,
                                    &DirectVmcallOptions);
}

HaltedBroadcastResetIoBitmapAllCores()

VOID HaltedBroadcastResetIoBitmapAllCores

(

)

This function broadcasts reset I/O Bitmaps (A & B) to all cores.

Should be called from VMX root-mode

Returns

VOID

{
    DIRECT_VMCALL_PARAMETERS DirectVmcallOptions = {0};
    UINT64                   HaltedCoreTask      = (UINT64)NULL;
 
    //
    // Set the target task
    //
    HaltedCoreTask = DEBUGGER_HALTED_CORE_TASK_RESET_IO_BITMAP;
 
    //
    // Send request for the target task to the halted cores (synchronized)
    //
    HaltedCoreBroadcastTaskAllCores(&g_DbgState[KeGetCurrentProcessorNumberEx(NULL)],
                                    HaltedCoreTask,
                                    TRUE,
                                    TRUE,
                                    &DirectVmcallOptions);
}

HaltedBroadcastResetMsrBitmapReadAllCores()

VOID HaltedBroadcastResetMsrBitmapReadAllCores

(

)

This function broadcasts reset MSR Bitmap Read to all cores.

Should be called from VMX root-mode

Returns

VOID

{
    DIRECT_VMCALL_PARAMETERS DirectVmcallOptions = {0};
    UINT64                   HaltedCoreTask      = (UINT64)NULL;
 
    //
    // Set the target task
    //
    HaltedCoreTask = DEBUGGER_HALTED_CORE_TASK_RESET_MSR_BITMAP_READ;
 
    //
    // Send request for the target task to the halted cores (synchronized)
    //
    HaltedCoreBroadcastTaskAllCores(&g_DbgState[KeGetCurrentProcessorNumberEx(NULL)],
                                    HaltedCoreTask,
                                    TRUE,
                                    TRUE,
                                    &DirectVmcallOptions);
}

HaltedBroadcastResetMsrBitmapWriteAllCores()

VOID HaltedBroadcastResetMsrBitmapWriteAllCores

(

)

This function broadcasts reset MSR Bitmap Write to all cores.

Should be called from VMX root-mode

Returns

VOID

{
    DIRECT_VMCALL_PARAMETERS DirectVmcallOptions = {0};
    UINT64                   HaltedCoreTask      = (UINT64)NULL;
 
    //
    // Set the target task
    //
    HaltedCoreTask = DEBUGGER_HALTED_CORE_TASK_RESET_MSR_BITMAP_WRITE;
 
    //
    // Send request for the target task to the halted cores (synchronized)
    //
    HaltedCoreBroadcastTaskAllCores(&g_DbgState[KeGetCurrentProcessorNumberEx(NULL)],
                                    HaltedCoreTask,
                                    TRUE,
                                    TRUE,
                                    &DirectVmcallOptions);
}

HaltedBroadcastSetDisableExternalInterruptExitingOnlyOnClearingInterruptEventsAllCores()

VOID HaltedBroadcastSetDisableExternalInterruptExitingOnlyOnClearingInterruptEventsAllCores

(

)

This function broadcasts disable external interrupt exiting only to clear !interrupt commands to all cores.

Should be called from VMX root-mode

Returns

VOID

{
    DIRECT_VMCALL_PARAMETERS DirectVmcallOptions = {0};
    UINT64                   HaltedCoreTask      = (UINT64)NULL;
 
    //
    // Set the target task
    //
    HaltedCoreTask = DEBUGGER_HALTED_CORE_TASK_DISABLE_EXTERNAL_INTERRUPT_EXITING_ONLY_TO_CLEAR_INTERRUPT_COMMANDS;
 
    //
    // Send request for the target task to the halted cores (synchronized)
    //
    HaltedCoreBroadcastTaskAllCores(&g_DbgState[KeGetCurrentProcessorNumberEx(NULL)],
                                    HaltedCoreTask,
                                    TRUE,
                                    TRUE,
                                    &DirectVmcallOptions);
}

HaltedBroadcastSetExceptionBitmapAllCores()

VOID HaltedBroadcastSetExceptionBitmapAllCores

(

UINT64

ExceptionIndex

)

This function broadcasts set exception bitmap to all cores.

Should be called from VMX root-mode

Parameters

ExceptionIndex

Returns

VOID

{
    DIRECT_VMCALL_PARAMETERS DirectVmcallOptions = {0};
    UINT64                   HaltedCoreTask      = (UINT64)NULL;
 
    //
    // Set the target task
    //
    HaltedCoreTask = DEBUGGER_HALTED_CORE_TASK_SET_EXCEPTION_BITMAP;
 
    //
    // Set the parameters for the direct VMCALL
    //
    DirectVmcallOptions.OptionalParam1 = ExceptionIndex;
 
    //
    // Send request for the target task to the halted cores (synchronized)
    //
    HaltedCoreBroadcastTaskAllCores(&g_DbgState[KeGetCurrentProcessorNumberEx(NULL)],
                                    HaltedCoreTask,
                                    TRUE,
                                    TRUE,
                                    &DirectVmcallOptions);
}

HaltedBroadcastUnhookSinglePageAllCores()

VOID HaltedBroadcastUnhookSinglePageAllCores

(

EPT_SINGLE_HOOK_UNHOOKING_DETAILS *

UnhookingDetail

)

This function broadcasts restore a single EPT entry and invalidate EPT cache to all cores.

Should be called from VMX root-mode

Parameters

UnhookingDetail

Returns

VOID

{
    DIRECT_VMCALL_PARAMETERS DirectVmcallOptions = {0};
    UINT64                   HaltedCoreTask      = (UINT64)NULL;
 
    //
    // Set the target task
    //
    HaltedCoreTask = DEBUGGER_HALTED_CORE_TASK_UNHOOK_SINGLE_PAGE;
 
    //
    // Set the parameters for the direct VMCALL
    //
    DirectVmcallOptions.OptionalParam1 = UnhookingDetail->PhysicalAddress;
    DirectVmcallOptions.OptionalParam2 = UnhookingDetail->OriginalEntry;
 
    //
    // Send request for the target task to the halted cores (synchronized)
    //
    HaltedCoreBroadcastTaskAllCores(&g_DbgState[KeGetCurrentProcessorNumberEx(NULL)],
                                    HaltedCoreTask,
                                    TRUE,
                                    TRUE,
                                    &DirectVmcallOptions);
}

HaltedBroadcastUnSetExceptionBitmapAllCores()

VOID HaltedBroadcastUnSetExceptionBitmapAllCores

(

UINT64

ExceptionIndex

)

This function broadcasts unset exception bitmap on VMCS to all cores.

Should be called from VMX root-mode

Parameters

ExceptionIndex

Returns

VOID

{
    DIRECT_VMCALL_PARAMETERS DirectVmcallOptions = {0};
    UINT64                   HaltedCoreTask      = (UINT64)NULL;
 
    //
    // Set the target task
    //
    HaltedCoreTask = DEBUGGER_HALTED_CORE_TASK_UNSET_EXCEPTION_BITMAP;
 
    //
    // Set the parameters for the direct VMCALL
    //
    DirectVmcallOptions.OptionalParam1 = ExceptionIndex;
 
    //
    // Send request for the target task to the halted cores (synchronized)
    //
    HaltedCoreBroadcastTaskAllCores(&g_DbgState[KeGetCurrentProcessorNumberEx(NULL)],
                                    HaltedCoreTask,
                                    TRUE,
                                    TRUE,
                                    &DirectVmcallOptions);
}