HyperDbg Debugger
Loading...
Searching...
No Matches
Macros | Functions
HaltedCore.h File Reference

Header for the implementation of applying events in halted cores. More...

Go to the source code of this file.

Macros

#define DEBUGGER_HALTED_CORE_TASK_TEST   0x00000001
 Halted core task for testing purpose.
 
#define DEBUGGER_HALTED_CORE_TASK_RUN_VMCALL   0x00000002
 Halted core task for running VMCALLs.
 
#define DEBUGGER_HALTED_CORE_TASK_SET_PROCESS_INTERCEPTION   0x00000003
 Halted core task for setting process interception.
 
#define DEBUGGER_HALTED_CORE_TASK_SET_THREAD_INTERCEPTION   0x00000004
 Halted core task for setting thread interception.
 
#define DEBUGGER_HALTED_CORE_TASK_CHANGE_MSR_BITMAP_READ   0x00000005
 Halted core task for changing MSR Bitmap Read.
 
#define DEBUGGER_HALTED_CORE_TASK_CHANGE_MSR_BITMAP_WRITE   0x00000006
 Halted core task for changing MSR Bitmap Write.
 
#define DEBUGGER_HALTED_CORE_TASK_CHANGE_IO_BITMAP   0x00000007
 Halted core task for changing I/O Bitmaps (A & B)
 
#define DEBUGGER_HALTED_CORE_TASK_SET_RDPMC_EXITING   0x00000008
 Halted core task for enabling rdpmc exiting.
 
#define DEBUGGER_HALTED_CORE_TASK_SET_RDTSC_EXITING   0x00000009
 Halted core task for enabling rdtsc/rdtscp exiting.
 
#define DEBUGGER_HALTED_CORE_TASK_ENABLE_MOV_TO_DEBUG_REGS_EXITING   0x0000000a
 Halted core task for enabling mov to debug registers exiting.
 
#define DEBUGGER_HALTED_CORE_TASK_SET_EXCEPTION_BITMAP   0x0000000b
 Halted core task for setting exception bitmap.
 
#define DEBUGGER_HALTED_CORE_TASK_ENABLE_EXTERNAL_INTERRUPT_EXITING   0x0000000c
 Halted core task for enabling external interrupt exiting.
 
#define DEBUGGER_HALTED_CORE_TASK_ENABLE_MOV_TO_CONTROL_REGS_EXITING   0x0000000d
 Halted core task for enabling mov to CR exiting.
 
#define DEBUGGER_HALTED_CORE_TASK_ENABLE_SYSCALL_HOOK_EFER   0x0000000e
 Halted core task for enabling syscall hook using EFER SCE bit.
 
#define DEBUGGER_HALTED_CORE_TASK_INVEPT_ALL_CONTEXTS   0x0000000f
 Halted core task for invalidating EPT (All Contexts)
 
#define DEBUGGER_HALTED_CORE_TASK_INVEPT_SINGLE_CONTEXT   0x00000010
 Halted core task for invalidating EPT (A Single Context)
 
#define DEBUGGER_HALTED_CORE_TASK_UNSET_EXCEPTION_BITMAP   0x00000011
 Halted core task for unsetting exception bitmap on VMCS.
 
#define DEBUGGER_HALTED_CORE_TASK_UNHOOK_SINGLE_PAGE   0x00000012
 Halted core task for restoring a single EPT entry and invalidating EPT cache.
 
#define DEBUGGER_HALTED_CORE_TASK_DISABLE_EXTERNAL_INTERRUPT_EXITING_ONLY_TO_CLEAR_INTERRUPT_COMMANDS   0x00000013
 Halted core task for disabling external interrupt exiting only to clear !interrupt commands.
 
#define DEBUGGER_HALTED_CORE_TASK_RESET_MSR_BITMAP_READ   0x00000014
 Halted core task for resetting MSR Bitmap Read.
 
#define DEBUGGER_HALTED_CORE_TASK_RESET_MSR_BITMAP_WRITE   0x00000015
 Halted core task for resetting MSR Bitmap Write.
 
#define DEBUGGER_HALTED_CORE_TASK_RESET_EXCEPTION_BITMAP_ONLY_ON_CLEARING_EXCEPTION_EVENTS   0x00000016
 Halted core task for resetting exception bitmap on VMCS.
 
#define DEBUGGER_HALTED_CORE_TASK_RESET_IO_BITMAP   0x00000017
 Halted core task for resetting I/O Bitmaps (A & B)
 
#define DEBUGGER_HALTED_CORE_TASK_DISABLE_RDTSC_EXITING_ONLY_FOR_TSC_EVENTS   0x00000018
 Halted core task for clearing rdtsc exiting bit ONLY in the case of disabling the events for !tsc command.
 
#define DEBUGGER_HALTED_CORE_TASK_UNSET_RDPMC_EXITING   0x00000019
 Halted core task for disabling rdpmc exiting in primary cpu-based controls.
 
#define DEBUGGER_HALTED_CORE_TASK_DISABLE_SYSCALL_HOOK_EFER   0x0000001a
 Halted core task for disabling syscall hook using EFER SCE bit.
 
#define DEBUGGER_HALTED_CORE_TASK_DISABLE_MOV_TO_HW_DR_EXITING_ONLY_FOR_DR_EVENTS   0x0000001b
 Halted core task for clearing mov 2 hw dr exiting bit ONLY in the case of disabling the events for !dr command.
 
#define DEBUGGER_HALTED_CORE_TASK_DISABLE_MOV_TO_CR_EXITING_ONLY_FOR_CR_EVENTS   0x0000001c
 Halted core task for clearing mov 2 cr exiting bit ONLY in the case of disabling the events for !crwrite command.
 

Functions

BOOLEAN HaltedCoreBroadcastTaskAllCores (PROCESSOR_DEBUGGING_STATE *DbgState, UINT64 TargetTask, BOOLEAN LockAgainAfterTask, BOOLEAN Synchronize, PVOID Context)
 Broadcast tasks to halted cores.
 
VOID HaltedCoreRunTaskOnSingleCore (UINT32 TargetCoreId, UINT64 TargetTask, BOOLEAN LockAgainAfterTask, PVOID Context)
 Run the task on a single halted core.
 
VOID HaltedCorePerformTargetTask (PROCESSOR_DEBUGGING_STATE *DbgState, UINT64 TargetTask, PVOID Context)
 Perform the task on halted core.
 

Detailed Description

Header for the implementation of applying events in halted cores.

Author
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
Version
0.7
Date
2023-09-30
Copyright
This project is released under the GNU Public License v3.

Macro Definition Documentation

◆ DEBUGGER_HALTED_CORE_TASK_CHANGE_IO_BITMAP

#define DEBUGGER_HALTED_CORE_TASK_CHANGE_IO_BITMAP   0x00000007

Halted core task for changing I/O Bitmaps (A & B)

◆ DEBUGGER_HALTED_CORE_TASK_CHANGE_MSR_BITMAP_READ

#define DEBUGGER_HALTED_CORE_TASK_CHANGE_MSR_BITMAP_READ   0x00000005

Halted core task for changing MSR Bitmap Read.

◆ DEBUGGER_HALTED_CORE_TASK_CHANGE_MSR_BITMAP_WRITE

#define DEBUGGER_HALTED_CORE_TASK_CHANGE_MSR_BITMAP_WRITE   0x00000006

Halted core task for changing MSR Bitmap Write.

◆ DEBUGGER_HALTED_CORE_TASK_DISABLE_EXTERNAL_INTERRUPT_EXITING_ONLY_TO_CLEAR_INTERRUPT_COMMANDS

#define DEBUGGER_HALTED_CORE_TASK_DISABLE_EXTERNAL_INTERRUPT_EXITING_ONLY_TO_CLEAR_INTERRUPT_COMMANDS   0x00000013

Halted core task for disabling external interrupt exiting only to clear !interrupt commands.

◆ DEBUGGER_HALTED_CORE_TASK_DISABLE_MOV_TO_CR_EXITING_ONLY_FOR_CR_EVENTS

#define DEBUGGER_HALTED_CORE_TASK_DISABLE_MOV_TO_CR_EXITING_ONLY_FOR_CR_EVENTS   0x0000001c

Halted core task for clearing mov 2 cr exiting bit ONLY in the case of disabling the events for !crwrite command.

◆ DEBUGGER_HALTED_CORE_TASK_DISABLE_MOV_TO_HW_DR_EXITING_ONLY_FOR_DR_EVENTS

#define DEBUGGER_HALTED_CORE_TASK_DISABLE_MOV_TO_HW_DR_EXITING_ONLY_FOR_DR_EVENTS   0x0000001b

Halted core task for clearing mov 2 hw dr exiting bit ONLY in the case of disabling the events for !dr command.

◆ DEBUGGER_HALTED_CORE_TASK_DISABLE_RDTSC_EXITING_ONLY_FOR_TSC_EVENTS

#define DEBUGGER_HALTED_CORE_TASK_DISABLE_RDTSC_EXITING_ONLY_FOR_TSC_EVENTS   0x00000018

Halted core task for clearing rdtsc exiting bit ONLY in the case of disabling the events for !tsc command.

◆ DEBUGGER_HALTED_CORE_TASK_DISABLE_SYSCALL_HOOK_EFER

#define DEBUGGER_HALTED_CORE_TASK_DISABLE_SYSCALL_HOOK_EFER   0x0000001a

Halted core task for disabling syscall hook using EFER SCE bit.

◆ DEBUGGER_HALTED_CORE_TASK_ENABLE_EXTERNAL_INTERRUPT_EXITING

#define DEBUGGER_HALTED_CORE_TASK_ENABLE_EXTERNAL_INTERRUPT_EXITING   0x0000000c

Halted core task for enabling external interrupt exiting.

◆ DEBUGGER_HALTED_CORE_TASK_ENABLE_MOV_TO_CONTROL_REGS_EXITING

#define DEBUGGER_HALTED_CORE_TASK_ENABLE_MOV_TO_CONTROL_REGS_EXITING   0x0000000d

Halted core task for enabling mov to CR exiting.

◆ DEBUGGER_HALTED_CORE_TASK_ENABLE_MOV_TO_DEBUG_REGS_EXITING

#define DEBUGGER_HALTED_CORE_TASK_ENABLE_MOV_TO_DEBUG_REGS_EXITING   0x0000000a

Halted core task for enabling mov to debug registers exiting.

◆ DEBUGGER_HALTED_CORE_TASK_ENABLE_SYSCALL_HOOK_EFER

#define DEBUGGER_HALTED_CORE_TASK_ENABLE_SYSCALL_HOOK_EFER   0x0000000e

Halted core task for enabling syscall hook using EFER SCE bit.

◆ DEBUGGER_HALTED_CORE_TASK_INVEPT_ALL_CONTEXTS

#define DEBUGGER_HALTED_CORE_TASK_INVEPT_ALL_CONTEXTS   0x0000000f

Halted core task for invalidating EPT (All Contexts)

◆ DEBUGGER_HALTED_CORE_TASK_INVEPT_SINGLE_CONTEXT

#define DEBUGGER_HALTED_CORE_TASK_INVEPT_SINGLE_CONTEXT   0x00000010

Halted core task for invalidating EPT (A Single Context)

◆ DEBUGGER_HALTED_CORE_TASK_RESET_EXCEPTION_BITMAP_ONLY_ON_CLEARING_EXCEPTION_EVENTS

#define DEBUGGER_HALTED_CORE_TASK_RESET_EXCEPTION_BITMAP_ONLY_ON_CLEARING_EXCEPTION_EVENTS   0x00000016

Halted core task for resetting exception bitmap on VMCS.

◆ DEBUGGER_HALTED_CORE_TASK_RESET_IO_BITMAP

#define DEBUGGER_HALTED_CORE_TASK_RESET_IO_BITMAP   0x00000017

Halted core task for resetting I/O Bitmaps (A & B)

◆ DEBUGGER_HALTED_CORE_TASK_RESET_MSR_BITMAP_READ

#define DEBUGGER_HALTED_CORE_TASK_RESET_MSR_BITMAP_READ   0x00000014

Halted core task for resetting MSR Bitmap Read.

◆ DEBUGGER_HALTED_CORE_TASK_RESET_MSR_BITMAP_WRITE

#define DEBUGGER_HALTED_CORE_TASK_RESET_MSR_BITMAP_WRITE   0x00000015

Halted core task for resetting MSR Bitmap Write.

◆ DEBUGGER_HALTED_CORE_TASK_RUN_VMCALL

#define DEBUGGER_HALTED_CORE_TASK_RUN_VMCALL   0x00000002

Halted core task for running VMCALLs.

◆ DEBUGGER_HALTED_CORE_TASK_SET_EXCEPTION_BITMAP

#define DEBUGGER_HALTED_CORE_TASK_SET_EXCEPTION_BITMAP   0x0000000b

Halted core task for setting exception bitmap.

◆ DEBUGGER_HALTED_CORE_TASK_SET_PROCESS_INTERCEPTION

#define DEBUGGER_HALTED_CORE_TASK_SET_PROCESS_INTERCEPTION   0x00000003

Halted core task for setting process interception.

◆ DEBUGGER_HALTED_CORE_TASK_SET_RDPMC_EXITING

#define DEBUGGER_HALTED_CORE_TASK_SET_RDPMC_EXITING   0x00000008

Halted core task for enabling rdpmc exiting.

◆ DEBUGGER_HALTED_CORE_TASK_SET_RDTSC_EXITING

#define DEBUGGER_HALTED_CORE_TASK_SET_RDTSC_EXITING   0x00000009

Halted core task for enabling rdtsc/rdtscp exiting.

◆ DEBUGGER_HALTED_CORE_TASK_SET_THREAD_INTERCEPTION

#define DEBUGGER_HALTED_CORE_TASK_SET_THREAD_INTERCEPTION   0x00000004

Halted core task for setting thread interception.

◆ DEBUGGER_HALTED_CORE_TASK_TEST

#define DEBUGGER_HALTED_CORE_TASK_TEST   0x00000001

Halted core task for testing purpose.

◆ DEBUGGER_HALTED_CORE_TASK_UNHOOK_SINGLE_PAGE

#define DEBUGGER_HALTED_CORE_TASK_UNHOOK_SINGLE_PAGE   0x00000012

Halted core task for restoring a single EPT entry and invalidating EPT cache.

◆ DEBUGGER_HALTED_CORE_TASK_UNSET_EXCEPTION_BITMAP

#define DEBUGGER_HALTED_CORE_TASK_UNSET_EXCEPTION_BITMAP   0x00000011

Halted core task for unsetting exception bitmap on VMCS.

◆ DEBUGGER_HALTED_CORE_TASK_UNSET_RDPMC_EXITING

#define DEBUGGER_HALTED_CORE_TASK_UNSET_RDPMC_EXITING   0x00000019

Halted core task for disabling rdpmc exiting in primary cpu-based controls.

Function Documentation

◆ HaltedCoreBroadcastTaskAllCores()

BOOLEAN HaltedCoreBroadcastTaskAllCores ( PROCESSOR_DEBUGGING_STATE * DbgState,
UINT64 TargetTask,
BOOLEAN LockAgainAfterTask,
BOOLEAN Synchronize,
PVOID Context )

Broadcast tasks to halted cores.

This function should be called from VMX root-mode

Parameters
DbgStateThe state of the debugger on the current core
TargetTaskThe target task
LockAgainAfterTaskLock the core after the task
SynchronizeWhether the function should wait for all cores to synchronize and lock again or not
Contextoptional parameter passed to the functions
Returns
BOOLEAN
404{
405 ULONG ProcessorsCount;
406
407 ProcessorsCount = KeQueryActiveProcessorCount(0);
408
409 //
410 // Synchronization is not possible when the locking after the task is
411 // not expected
412 //
413 if (Synchronize && !LockAgainAfterTask)
414 {
415 LogWarning("Synchronization is not possible when the locking after the task is not expected");
416 return FALSE;
417 }
418
419 //
420 // Apply the task to all cores except current core
421 //
422 for (UINT32 i = 0; i < ProcessorsCount; i++)
423 {
424 if (DbgState->CoreId != i)
425 {
426 //
427 // apply task to the target core
428 //
429 HaltedCoreApplyTaskOnTargetCore(i, TargetTask, LockAgainAfterTask, Context);
430 }
431 else
432 {
433 //
434 // Perform the task for the current core
435 //
436 HaltedCorePerformTargetTask(DbgState, TargetTask, Context);
437 }
438 }
439
440 //
441 // If synchronization is expected, we need to check to make sure
442 // all cores are synchronized (locked) at this point or not
443 //
444 if (Synchronize)
445 {
446 for (size_t i = 0; i < ProcessorsCount; i++)
447 {
448 if (DbgState->CoreId != i)
449 {
450 //
451 // Wait until the core is locked again
452 //
453 while (TRUE)
454 {
455 //
456 // Keep checking to make sure the target core finished the
457 // execution its task and locked again
458 //
459 if (KdCheckTheHaltedCore(&g_DbgState[i]) == FALSE)
460 {
461 continue;
462 }
463 else
464 {
465 break;
466 }
467 }
468 }
469 }
470 }
471
472 //
473 // All cores locked again
474 //
475 return TRUE;
476}
TRUE
#define TRUE
Definition BasicTypes.h:55
FALSE
#define FALSE
Definition BasicTypes.h:54
UINT32
unsigned int UINT32
Definition BasicTypes.h:48
ULONG
unsigned long ULONG
Definition BasicTypes.h:37
HaltedCoreApplyTaskOnTargetCore
VOID HaltedCoreApplyTaskOnTargetCore(UINT32 TargetCoreId, UINT64 TargetTask, BOOLEAN LockAgainAfterTask, PVOID Context)
Run the task on a single halted core.
Definition HaltedCore.c:321
HaltedCorePerformTargetTask
VOID HaltedCorePerformTargetTask(PROCESSOR_DEBUGGING_STATE *DbgState, UINT64 TargetTask, PVOID Context)
Perform the task on halted core.
Definition HaltedCore.c:45
LogWarning
#define LogWarning(format,...)
Log in the case of warning.
Definition HyperDbgHyperLogIntrinsics.h:99
KdCheckTheHaltedCore
BOOLEAN KdCheckTheHaltedCore(PROCESSOR_DEBUGGING_STATE *DbgState)
check the lock state of the target core
Definition Kd.c:1825
Context
NTKERNELAPI _In_opt_ PVOID Context
Definition Dpc.h:25
g_DbgState
PROCESSOR_DEBUGGING_STATE * g_DbgState
Save the state and variables related to debugging on each to logical core.
Definition Global.h:17
_PROCESSOR_DEBUGGING_STATE::CoreId
UINT32 CoreId
Definition State.h:169

◆ HaltedCorePerformTargetTask()

VOID HaltedCorePerformTargetTask ( PROCESSOR_DEBUGGING_STATE * DbgState,
UINT64 TargetTask,
PVOID Context )

Perform the task on halted core.

This function should be called from VMX root-mode

Parameters
DbgStateThe state of the debugger on the current core
TargetTaskThe target task
Contextoptional parameter passed to the functions
Returns
VOID
48{
49 switch (TargetTask)
50 {
51 case DEBUGGER_HALTED_CORE_TASK_TEST:
52 {
53 //
54 // Perform the test task
55 //
56 HaltedCoreTaskTest(DbgState, Context);
57 break;
58 }
59
60 case DEBUGGER_HALTED_CORE_TASK_RUN_VMCALL:
61 {
62 //
63 // Call the direct VMCALL test function
64 //
65 DirectVmcallTest(DbgState->CoreId, (DIRECT_VMCALL_PARAMETERS *)Context);
66
67 break;
68 }
69 case DEBUGGER_HALTED_CORE_TASK_SET_PROCESS_INTERCEPTION:
70 {
71 //
72 // Enable process change detection
73 //
74 ProcessEnableOrDisableThreadChangeMonitor(DbgState, TRUE, PVOID_TO_BOOLEAN(Context));
75
76 break;
77 }
78 case DEBUGGER_HALTED_CORE_TASK_SET_THREAD_INTERCEPTION:
79 {
80 //
81 // Enable alert for thread changes
82 //
83 ThreadEnableOrDisableThreadChangeMonitor(DbgState, TRUE, PVOID_TO_BOOLEAN(Context));
84
85 break;
86 }
87 case DEBUGGER_HALTED_CORE_TASK_CHANGE_MSR_BITMAP_READ:
88 {
89 //
90 // Change MSR bitmap for read (RDMSR)
91 //
92 DirectVmcallChangeMsrBitmapRead(DbgState->CoreId, (DIRECT_VMCALL_PARAMETERS *)Context);
93
94 break;
95 }
96 case DEBUGGER_HALTED_CORE_TASK_CHANGE_MSR_BITMAP_WRITE:
97 {
98 //
99 // Change MSR bitmap for write (WRMSR)
100 //
101 DirectVmcallChangeMsrBitmapWrite(DbgState->CoreId, (DIRECT_VMCALL_PARAMETERS *)Context);
102
103 break;
104 }
105 case DEBUGGER_HALTED_CORE_TASK_CHANGE_IO_BITMAP:
106 {
107 //
108 // Change I/O bitmap
109 //
110 DirectVmcallChangeIoBitmap(DbgState->CoreId, (DIRECT_VMCALL_PARAMETERS *)Context);
111
112 break;
113 }
114 case DEBUGGER_HALTED_CORE_TASK_SET_RDPMC_EXITING:
115 {
116 //
117 // Enable rdpmc exiting
118 //
119 DirectVmcallEnableRdpmcExiting(DbgState->CoreId, (DIRECT_VMCALL_PARAMETERS *)Context);
120
121 break;
122 }
123 case DEBUGGER_HALTED_CORE_TASK_SET_RDTSC_EXITING:
124 {
125 //
126 // Enable rdtsc/rdtscp exiting
127 //
128 DirectVmcallEnableRdtscpExiting(DbgState->CoreId, (DIRECT_VMCALL_PARAMETERS *)Context);
129
130 break;
131 }
132 case DEBUGGER_HALTED_CORE_TASK_ENABLE_MOV_TO_DEBUG_REGS_EXITING:
133 {
134 //
135 // Enable mov to debug registers exiting
136 //
137 DirectVmcallEnableMov2DebugRegsExiting(DbgState->CoreId, (DIRECT_VMCALL_PARAMETERS *)Context);
138
139 break;
140 }
141 case DEBUGGER_HALTED_CORE_TASK_SET_EXCEPTION_BITMAP:
142 {
143 //
144 // Set exception bitmap
145 //
146 DirectVmcallSetExceptionBitmap(DbgState->CoreId, (DIRECT_VMCALL_PARAMETERS *)Context);
147
148 break;
149 }
150 case DEBUGGER_HALTED_CORE_TASK_ENABLE_EXTERNAL_INTERRUPT_EXITING:
151 {
152 //
153 // enable external interrupt exiting
154 //
155 DirectVmcallEnableExternalInterruptExiting(DbgState->CoreId, (DIRECT_VMCALL_PARAMETERS *)Context);
156
157 break;
158 }
159 case DEBUGGER_HALTED_CORE_TASK_ENABLE_MOV_TO_CONTROL_REGS_EXITING:
160 {
161 //
162 // enable mov to CR exiting
163 //
164 DirectVmcallEnableMovToCrExiting(DbgState->CoreId, (DIRECT_VMCALL_PARAMETERS *)Context);
165
166 break;
167 }
168 case DEBUGGER_HALTED_CORE_TASK_ENABLE_SYSCALL_HOOK_EFER:
169 {
170 //
171 // enable syscall hook using EFER SCE bit
172 //
173 DirectVmcallEnableEferSyscall(DbgState->CoreId, (DIRECT_VMCALL_PARAMETERS *)Context);
174
175 break;
176 }
177 case DEBUGGER_HALTED_CORE_TASK_INVEPT_ALL_CONTEXTS:
178 {
179 //
180 // invalidate EPT (All Contexts)
181 //
182 DirectVmcallInvalidateEptAllContexts(DbgState->CoreId, (DIRECT_VMCALL_PARAMETERS *)Context);
183
184 break;
185 }
186 case DEBUGGER_HALTED_CORE_TASK_INVEPT_SINGLE_CONTEXT:
187 {
188 //
189 // invalidate EPT (A Single Context)
190 //
191 DirectVmcallInvalidateSingleContext(DbgState->CoreId, (DIRECT_VMCALL_PARAMETERS *)Context);
192
193 break;
194 }
195 case DEBUGGER_HALTED_CORE_TASK_UNSET_EXCEPTION_BITMAP:
196 {
197 //
198 // unset exception bitmap on VMCS
199 //
200 DirectVmcallUnsetExceptionBitmap(DbgState->CoreId, (DIRECT_VMCALL_PARAMETERS *)Context);
201
202 break;
203 }
204 case DEBUGGER_HALTED_CORE_TASK_UNHOOK_SINGLE_PAGE:
205 {
206 //
207 // restore a single EPT entry and invalidate EPT cache
208 //
209 DirectVmcallUnhookSinglePage(DbgState->CoreId, (DIRECT_VMCALL_PARAMETERS *)Context);
210
211 break;
212 }
213 case DEBUGGER_HALTED_CORE_TASK_DISABLE_EXTERNAL_INTERRUPT_EXITING_ONLY_TO_CLEAR_INTERRUPT_COMMANDS:
214 {
215 //
216 // disable external interrupt exiting only to clear !interrupt commands
217 //
218 DirectVmcallSetDisableExternalInterruptExitingOnlyOnClearingInterruptEvents(DbgState->CoreId, (DIRECT_VMCALL_PARAMETERS *)Context);
219
220 break;
221 }
222 case DEBUGGER_HALTED_CORE_TASK_RESET_MSR_BITMAP_READ:
223 {
224 //
225 // reset MSR Bitmap Read
226 //
227 DirectVmcallResetMsrBitmapRead(DbgState->CoreId, (DIRECT_VMCALL_PARAMETERS *)Context);
228
229 break;
230 }
231 case DEBUGGER_HALTED_CORE_TASK_RESET_MSR_BITMAP_WRITE:
232 {
233 //
234 // reset MSR Bitmap Write
235 //
236 DirectVmcallResetMsrBitmapWrite(DbgState->CoreId, (DIRECT_VMCALL_PARAMETERS *)Context);
237
238 break;
239 }
240 case DEBUGGER_HALTED_CORE_TASK_RESET_EXCEPTION_BITMAP_ONLY_ON_CLEARING_EXCEPTION_EVENTS:
241 {
242 //
243 // reset exception bitmap on VMCS
244 //
245 DirectVmcallResetExceptionBitmapOnlyOnClearingExceptionEvents(DbgState->CoreId, (DIRECT_VMCALL_PARAMETERS *)Context);
246
247 break;
248 }
249 case DEBUGGER_HALTED_CORE_TASK_RESET_IO_BITMAP:
250 {
251 //
252 // reset I/O Bitmaps (A & B)
253 //
254 DirectVmcallResetIoBitmap(DbgState->CoreId, (DIRECT_VMCALL_PARAMETERS *)Context);
255
256 break;
257 }
258 case DEBUGGER_HALTED_CORE_TASK_DISABLE_RDTSC_EXITING_ONLY_FOR_TSC_EVENTS:
259 {
260 //
261 // clear rdtsc exiting bit ONLY in the case of disabling the events for !tsc command
262 //
263 DirectVmcallDisableRdtscExitingForClearingTscEvents(DbgState->CoreId, (DIRECT_VMCALL_PARAMETERS *)Context);
264
265 break;
266 }
267 case DEBUGGER_HALTED_CORE_TASK_UNSET_RDPMC_EXITING:
268 {
269 //
270 // disable rdpmc exiting in primary cpu-based controls
271 //
272 DirectVmcallDisableRdpmcExiting(DbgState->CoreId, (DIRECT_VMCALL_PARAMETERS *)Context);
273
274 break;
275 }
276 case DEBUGGER_HALTED_CORE_TASK_DISABLE_SYSCALL_HOOK_EFER:
277 {
278 //
279 // disable syscall hook using EFER SCE bit
280 //
281 DirectVmcallDisableEferSyscallEvents(DbgState->CoreId, (DIRECT_VMCALL_PARAMETERS *)Context);
282
283 break;
284 }
285 case DEBUGGER_HALTED_CORE_TASK_DISABLE_MOV_TO_HW_DR_EXITING_ONLY_FOR_DR_EVENTS:
286 {
287 //
288 // clear mov 2 hw dr exiting bit ONLY in the case of disabling the events for !dr command
289 //
290 DirectVmcallDisableMov2DrExitingForClearingDrEvents(DbgState->CoreId, (DIRECT_VMCALL_PARAMETERS *)Context);
291
292 break;
293 }
294 case DEBUGGER_HALTED_CORE_TASK_DISABLE_MOV_TO_CR_EXITING_ONLY_FOR_CR_EVENTS:
295 {
296 //
297 // clear mov 2 cr exiting bit ONLY in the case of disabling the events for !crwrite command
298 //
299 DirectVmcallDisableMov2CrExitingForClearingCrEvents(DbgState->CoreId, (DIRECT_VMCALL_PARAMETERS *)Context);
300
301 break;
302 }
303 default:
304 LogWarning("Warning, unknown broadcast on halted core received");
305 break;
306 }
307}
DirectVmcallResetExceptionBitmapOnlyOnClearingExceptionEvents
NTSTATUS DirectVmcallResetExceptionBitmapOnlyOnClearingExceptionEvents(UINT32 CoreId, DIRECT_VMCALL_PARAMETERS *DirectVmcallOptions)
routines for resetting exception bitmap on VMCS
Definition DirectVmcall.c:407
DirectVmcallEnableMovToCrExiting
NTSTATUS DirectVmcallEnableMovToCrExiting(UINT32 CoreId, DIRECT_VMCALL_PARAMETERS *DirectVmcallOptions)
routines for enabling mov to CR exiting
Definition DirectVmcall.c:217
DirectVmcallDisableRdtscExitingForClearingTscEvents
NTSTATUS DirectVmcallDisableRdtscExitingForClearingTscEvents(UINT32 CoreId, DIRECT_VMCALL_PARAMETERS *DirectVmcallOptions)
routines for clearing rdtsc exiting bit ONLY in the case of disabling the events for !...
Definition DirectVmcall.c:446
DirectVmcallInvalidateSingleContext
NTSTATUS DirectVmcallInvalidateSingleContext(UINT32 CoreId, DIRECT_VMCALL_PARAMETERS *DirectVmcallOptions)
routines for invalidating EPT (A Single Context)
Definition DirectVmcall.c:293
DirectVmcallUnsetExceptionBitmap
NTSTATUS DirectVmcallUnsetExceptionBitmap(UINT32 CoreId, DIRECT_VMCALL_PARAMETERS *DirectVmcallOptions)
routines for unsetting exception bitmap on VMCS
Definition DirectVmcall.c:312
DirectVmcallResetMsrBitmapWrite
NTSTATUS DirectVmcallResetMsrBitmapWrite(UINT32 CoreId, DIRECT_VMCALL_PARAMETERS *DirectVmcallOptions)
routines for resetting MSR Bitmap Write
Definition DirectVmcall.c:388
DirectVmcallInvalidateEptAllContexts
NTSTATUS DirectVmcallInvalidateEptAllContexts(UINT32 CoreId, DIRECT_VMCALL_PARAMETERS *DirectVmcallOptions)
routines for invalidating EPT (All Contexts)
Definition DirectVmcall.c:274
DirectVmcallChangeMsrBitmapWrite
NTSTATUS DirectVmcallChangeMsrBitmapWrite(UINT32 CoreId, DIRECT_VMCALL_PARAMETERS *DirectVmcallOptions)
routines for changing MSR Bitmap (Write)
Definition DirectVmcall.c:84
DirectVmcallChangeMsrBitmapRead
NTSTATUS DirectVmcallChangeMsrBitmapRead(UINT32 CoreId, DIRECT_VMCALL_PARAMETERS *DirectVmcallOptions)
routines for changing MSR Bitmap (Read)
Definition DirectVmcall.c:65
DirectVmcallSetDisableExternalInterruptExitingOnlyOnClearingInterruptEvents
NTSTATUS DirectVmcallSetDisableExternalInterruptExitingOnlyOnClearingInterruptEvents(UINT32 CoreId, DIRECT_VMCALL_PARAMETERS *DirectVmcallOptions)
routines for disabling external interrupt exiting only to clear !interrupt commands
Definition DirectVmcall.c:350
DirectVmcallSetExceptionBitmap
NTSTATUS DirectVmcallSetExceptionBitmap(UINT32 CoreId, DIRECT_VMCALL_PARAMETERS *DirectVmcallOptions)
routines for setting exception bitmap
Definition DirectVmcall.c:179
DirectVmcallEnableRdtscpExiting
NTSTATUS DirectVmcallEnableRdtscpExiting(UINT32 CoreId, DIRECT_VMCALL_PARAMETERS *DirectVmcallOptions)
routines for enabling rdtsc/rdtscp exiting
Definition DirectVmcall.c:141
DirectVmcallUnhookSinglePage
NTSTATUS DirectVmcallUnhookSinglePage(UINT32 CoreId, DIRECT_VMCALL_PARAMETERS *DirectVmcallOptions)
routines for restoring a single EPT entry and invalidating EPT cache
Definition DirectVmcall.c:331
DirectVmcallEnableEferSyscall
NTSTATUS DirectVmcallEnableEferSyscall(UINT32 CoreId, DIRECT_VMCALL_PARAMETERS *DirectVmcallOptions)
routines for enabling syscall hook using EFER SCE bit
Definition DirectVmcall.c:236
DirectVmcallDisableMov2DrExitingForClearingDrEvents
NTSTATUS DirectVmcallDisableMov2DrExitingForClearingDrEvents(UINT32 CoreId, DIRECT_VMCALL_PARAMETERS *DirectVmcallOptions)
routines for clearing mov 2 hw dr exiting bit ONLY in the case of disabling the events for !...
Definition DirectVmcall.c:504
DirectVmcallResetIoBitmap
NTSTATUS DirectVmcallResetIoBitmap(UINT32 CoreId, DIRECT_VMCALL_PARAMETERS *DirectVmcallOptions)
routines for resetting I/O Bitmaps (A & B)
Definition DirectVmcall.c:426
DirectVmcallTest
NTSTATUS DirectVmcallTest(UINT32 CoreId, DIRECT_VMCALL_PARAMETERS *DirectVmcallOptions)
routines for test direct VMCALL
Definition DirectVmcall.c:25
DirectVmcallResetMsrBitmapRead
NTSTATUS DirectVmcallResetMsrBitmapRead(UINT32 CoreId, DIRECT_VMCALL_PARAMETERS *DirectVmcallOptions)
routines for resetting MSR Bitmap Read
Definition DirectVmcall.c:369
DirectVmcallEnableRdpmcExiting
NTSTATUS DirectVmcallEnableRdpmcExiting(UINT32 CoreId, DIRECT_VMCALL_PARAMETERS *DirectVmcallOptions)
routines for enabling rdpmc exiting
Definition DirectVmcall.c:122
DirectVmcallEnableMov2DebugRegsExiting
NTSTATUS DirectVmcallEnableMov2DebugRegsExiting(UINT32 CoreId, DIRECT_VMCALL_PARAMETERS *DirectVmcallOptions)
routines for enabling mov to debug registers exiting
Definition DirectVmcall.c:160
DirectVmcallDisableMov2CrExitingForClearingCrEvents
NTSTATUS DirectVmcallDisableMov2CrExitingForClearingCrEvents(UINT32 CoreId, DIRECT_VMCALL_PARAMETERS *DirectVmcallOptions)
routines for clearing mov 2 cr exiting bit ONLY in the case of disabling the events for !...
Definition DirectVmcall.c:524
DirectVmcallChangeIoBitmap
NTSTATUS DirectVmcallChangeIoBitmap(UINT32 CoreId, DIRECT_VMCALL_PARAMETERS *DirectVmcallOptions)
routines for changing IO Bitmap
Definition DirectVmcall.c:103
DirectVmcallDisableEferSyscallEvents
NTSTATUS DirectVmcallDisableEferSyscallEvents(UINT32 CoreId, DIRECT_VMCALL_PARAMETERS *DirectVmcallOptions)
routines for disabling syscall hook using EFER SCE bit
Definition DirectVmcall.c:484
DirectVmcallDisableRdpmcExiting
NTSTATUS DirectVmcallDisableRdpmcExiting(UINT32 CoreId, DIRECT_VMCALL_PARAMETERS *DirectVmcallOptions)
routines for disabling rdpmc exiting in primary cpu-based controls
Definition DirectVmcall.c:465
DirectVmcallEnableExternalInterruptExiting
NTSTATUS DirectVmcallEnableExternalInterruptExiting(UINT32 CoreId, DIRECT_VMCALL_PARAMETERS *DirectVmcallOptions)
routines for enabling external interrupt exiting
Definition DirectVmcall.c:198
HaltedCoreTaskTest
VOID HaltedCoreTaskTest(PROCESSOR_DEBUGGING_STATE *DbgState, PVOID Context)
Perform the test task on halted core.
Definition HaltedCore.c:24
DEBUGGER_HALTED_CORE_TASK_SET_EXCEPTION_BITMAP
#define DEBUGGER_HALTED_CORE_TASK_SET_EXCEPTION_BITMAP
Halted core task for setting exception bitmap.
Definition HaltedCore.h:82
DEBUGGER_HALTED_CORE_TASK_SET_RDTSC_EXITING
#define DEBUGGER_HALTED_CORE_TASK_SET_RDTSC_EXITING
Halted core task for enabling rdtsc/rdtscp exiting.
Definition HaltedCore.h:70
DEBUGGER_HALTED_CORE_TASK_UNSET_RDPMC_EXITING
#define DEBUGGER_HALTED_CORE_TASK_UNSET_RDPMC_EXITING
Halted core task for disabling rdpmc exiting in primary cpu-based controls.
Definition HaltedCore.h:167
DEBUGGER_HALTED_CORE_TASK_SET_PROCESS_INTERCEPTION
#define DEBUGGER_HALTED_CORE_TASK_SET_PROCESS_INTERCEPTION
Halted core task for setting process interception.
Definition HaltedCore.h:34
DEBUGGER_HALTED_CORE_TASK_RESET_IO_BITMAP
#define DEBUGGER_HALTED_CORE_TASK_RESET_IO_BITMAP
Halted core task for resetting I/O Bitmaps (A & B)
Definition HaltedCore.h:154
DEBUGGER_HALTED_CORE_TASK_ENABLE_EXTERNAL_INTERRUPT_EXITING
#define DEBUGGER_HALTED_CORE_TASK_ENABLE_EXTERNAL_INTERRUPT_EXITING
Halted core task for enabling external interrupt exiting.
Definition HaltedCore.h:88
DEBUGGER_HALTED_CORE_TASK_DISABLE_RDTSC_EXITING_ONLY_FOR_TSC_EVENTS
#define DEBUGGER_HALTED_CORE_TASK_DISABLE_RDTSC_EXITING_ONLY_FOR_TSC_EVENTS
Halted core task for clearing rdtsc exiting bit ONLY in the case of disabling the events for !...
Definition HaltedCore.h:161
DEBUGGER_HALTED_CORE_TASK_DISABLE_MOV_TO_CR_EXITING_ONLY_FOR_CR_EVENTS
#define DEBUGGER_HALTED_CORE_TASK_DISABLE_MOV_TO_CR_EXITING_ONLY_FOR_CR_EVENTS
Halted core task for clearing mov 2 cr exiting bit ONLY in the case of disabling the events for !...
Definition HaltedCore.h:187
DEBUGGER_HALTED_CORE_TASK_ENABLE_MOV_TO_DEBUG_REGS_EXITING
#define DEBUGGER_HALTED_CORE_TASK_ENABLE_MOV_TO_DEBUG_REGS_EXITING
Halted core task for enabling mov to debug registers exiting.
Definition HaltedCore.h:76
DEBUGGER_HALTED_CORE_TASK_UNHOOK_SINGLE_PAGE
#define DEBUGGER_HALTED_CORE_TASK_UNHOOK_SINGLE_PAGE
Halted core task for restoring a single EPT entry and invalidating EPT cache.
Definition HaltedCore.h:124
DEBUGGER_HALTED_CORE_TASK_SET_RDPMC_EXITING
#define DEBUGGER_HALTED_CORE_TASK_SET_RDPMC_EXITING
Halted core task for enabling rdpmc exiting.
Definition HaltedCore.h:64
DEBUGGER_HALTED_CORE_TASK_RUN_VMCALL
#define DEBUGGER_HALTED_CORE_TASK_RUN_VMCALL
Halted core task for running VMCALLs.
Definition HaltedCore.h:28
DEBUGGER_HALTED_CORE_TASK_DISABLE_MOV_TO_HW_DR_EXITING_ONLY_FOR_DR_EVENTS
#define DEBUGGER_HALTED_CORE_TASK_DISABLE_MOV_TO_HW_DR_EXITING_ONLY_FOR_DR_EVENTS
Halted core task for clearing mov 2 hw dr exiting bit ONLY in the case of disabling the events for !...
Definition HaltedCore.h:180
DEBUGGER_HALTED_CORE_TASK_RESET_EXCEPTION_BITMAP_ONLY_ON_CLEARING_EXCEPTION_EVENTS
#define DEBUGGER_HALTED_CORE_TASK_RESET_EXCEPTION_BITMAP_ONLY_ON_CLEARING_EXCEPTION_EVENTS
Halted core task for resetting exception bitmap on VMCS.
Definition HaltedCore.h:148
DEBUGGER_HALTED_CORE_TASK_RESET_MSR_BITMAP_READ
#define DEBUGGER_HALTED_CORE_TASK_RESET_MSR_BITMAP_READ
Halted core task for resetting MSR Bitmap Read.
Definition HaltedCore.h:136
DEBUGGER_HALTED_CORE_TASK_INVEPT_ALL_CONTEXTS
#define DEBUGGER_HALTED_CORE_TASK_INVEPT_ALL_CONTEXTS
Halted core task for invalidating EPT (All Contexts)
Definition HaltedCore.h:106
DEBUGGER_HALTED_CORE_TASK_DISABLE_EXTERNAL_INTERRUPT_EXITING_ONLY_TO_CLEAR_INTERRUPT_COMMANDS
#define DEBUGGER_HALTED_CORE_TASK_DISABLE_EXTERNAL_INTERRUPT_EXITING_ONLY_TO_CLEAR_INTERRUPT_COMMANDS
Halted core task for disabling external interrupt exiting only to clear !interrupt commands.
Definition HaltedCore.h:130
DEBUGGER_HALTED_CORE_TASK_TEST
#define DEBUGGER_HALTED_CORE_TASK_TEST
Halted core task for testing purpose.
Definition HaltedCore.h:22
DEBUGGER_HALTED_CORE_TASK_CHANGE_IO_BITMAP
#define DEBUGGER_HALTED_CORE_TASK_CHANGE_IO_BITMAP
Halted core task for changing I/O Bitmaps (A & B)
Definition HaltedCore.h:58
DEBUGGER_HALTED_CORE_TASK_INVEPT_SINGLE_CONTEXT
#define DEBUGGER_HALTED_CORE_TASK_INVEPT_SINGLE_CONTEXT
Halted core task for invalidating EPT (A Single Context)
Definition HaltedCore.h:112
DEBUGGER_HALTED_CORE_TASK_SET_THREAD_INTERCEPTION
#define DEBUGGER_HALTED_CORE_TASK_SET_THREAD_INTERCEPTION
Halted core task for setting thread interception.
Definition HaltedCore.h:40
DEBUGGER_HALTED_CORE_TASK_ENABLE_SYSCALL_HOOK_EFER
#define DEBUGGER_HALTED_CORE_TASK_ENABLE_SYSCALL_HOOK_EFER
Halted core task for enabling syscall hook using EFER SCE bit.
Definition HaltedCore.h:100
DEBUGGER_HALTED_CORE_TASK_ENABLE_MOV_TO_CONTROL_REGS_EXITING
#define DEBUGGER_HALTED_CORE_TASK_ENABLE_MOV_TO_CONTROL_REGS_EXITING
Halted core task for enabling mov to CR exiting.
Definition HaltedCore.h:94
DEBUGGER_HALTED_CORE_TASK_UNSET_EXCEPTION_BITMAP
#define DEBUGGER_HALTED_CORE_TASK_UNSET_EXCEPTION_BITMAP
Halted core task for unsetting exception bitmap on VMCS.
Definition HaltedCore.h:118
DEBUGGER_HALTED_CORE_TASK_DISABLE_SYSCALL_HOOK_EFER
#define DEBUGGER_HALTED_CORE_TASK_DISABLE_SYSCALL_HOOK_EFER
Halted core task for disabling syscall hook using EFER SCE bit.
Definition HaltedCore.h:173
DEBUGGER_HALTED_CORE_TASK_CHANGE_MSR_BITMAP_WRITE
#define DEBUGGER_HALTED_CORE_TASK_CHANGE_MSR_BITMAP_WRITE
Halted core task for changing MSR Bitmap Write.
Definition HaltedCore.h:52
DEBUGGER_HALTED_CORE_TASK_CHANGE_MSR_BITMAP_READ
#define DEBUGGER_HALTED_CORE_TASK_CHANGE_MSR_BITMAP_READ
Halted core task for changing MSR Bitmap Read.
Definition HaltedCore.h:46
DEBUGGER_HALTED_CORE_TASK_RESET_MSR_BITMAP_WRITE
#define DEBUGGER_HALTED_CORE_TASK_RESET_MSR_BITMAP_WRITE
Halted core task for resetting MSR Bitmap Write.
Definition HaltedCore.h:142
PVOID_TO_BOOLEAN
#define PVOID_TO_BOOLEAN(_var)
Definition MetaMacros.h:40
ProcessEnableOrDisableThreadChangeMonitor
VOID ProcessEnableOrDisableThreadChangeMonitor(PROCESSOR_DEBUGGING_STATE *DbgState, BOOLEAN Enable, BOOLEAN IsSwitchByClockIntrrupt)
Enable or disable the process change monitoring detection on the running core.
Definition Process.c:220
ThreadEnableOrDisableThreadChangeMonitor
VOID ThreadEnableOrDisableThreadChangeMonitor(PROCESSOR_DEBUGGING_STATE *DbgState, BOOLEAN Enable, BOOLEAN IsSwitchByClockIntrrupt)
Enable or disable the thread change monitoring detection on the running core.
Definition Thread.c:597
_DIRECT_VMCALL_PARAMETERS
Used for sending direct VMCALLs on the VMX root-mode.
Definition DataTypes.h:294

◆ HaltedCoreRunTaskOnSingleCore()

VOID HaltedCoreRunTaskOnSingleCore ( UINT32 TargetCoreId,
UINT64 TargetTask,
BOOLEAN LockAgainAfterTask,
PVOID Context )

Run the task on a single halted core.

This function should be called from VMX root-mode

Parameters
TargetCoreIdThe target core's ID (to just run on this core)
TargetTaskThe target task
LockAgainAfterTaskLock the core after the task
Contextoptional parameter passed to the functions
Returns
VOID
360{
361 //
362 // Check if the task needs to be executed for the current
363 // core or any other cores
364 //
365 if (TargetCoreId == KeGetCurrentProcessorNumberEx(NULL))
366 {
367 //
368 // *** Perform the task for the current core ***
369 //
370 HaltedCorePerformTargetTask(&g_DbgState[TargetCoreId], TargetTask, Context);
371 }
372 else
373 {
374 //
375 // *** Perform the task for another core ***
376 //
377
378 //
379 // apply task to the target core
380 //
381 HaltedCoreApplyTaskOnTargetCore(TargetCoreId, TargetTask, LockAgainAfterTask, Context);
382 }
383}