HyperDbg Debugger
Loading...
Searching...
No Matches
Functions
Process.h File Reference

Header for kernel debugger functions for processes. More...

Go to the source code of this file.

Functions

VOID ProcessEnableOrDisableThreadChangeMonitor (PROCESSOR_DEBUGGING_STATE *DbgState, BOOLEAN Enable, BOOLEAN IsSwitchByClockIntrrupt)
 Enable or disable the process change monitoring detection on the running core.
 
VOID ProcessTriggerCr3ProcessChange (UINT32 CoreId)
 handle process changes for cr3 registers
 
BOOLEAN ProcessHandleProcessChange (PROCESSOR_DEBUGGING_STATE *DbgState)
 handle process changes
 
BOOLEAN ProcessInterpretProcess (PROCESSOR_DEBUGGING_STATE *DbgState, PDEBUGGEE_DETAILS_AND_SWITCH_PROCESS_PACKET PidRequest)
 change the current process @detail ONLY TO BE USED IN KD STUFFS
 
BOOLEAN ProcessCheckIfEprocessIsValid (UINT64 Eprocess, UINT64 ActiveProcessHead, ULONG ActiveProcessLinksOffset)
 checks whether the given nt!_EPROCESS is valid or not
 
BOOLEAN ProcessQueryCount (PDEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS DebuggerUsermodeProcessOrThreadQueryRequest)
 Query process details (count)
 
BOOLEAN ProcessQueryList (PDEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS DebuggerUsermodeProcessOrThreadQueryRequest, PVOID AddressToSaveDetail, UINT32 BufferSize)
 Query process details (list)
 
BOOLEAN ProcessQueryDetails (PDEBUGGEE_DETAILS_AND_SWITCH_PROCESS_PACKET GetInformationProcessRequest)
 Query process details.
 

Detailed Description

Header for kernel debugger functions for processes.

Author
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
Version
0.1
Date
2021-11-23
Copyright
This project is released under the GNU Public License v3.

Function Documentation

◆ ProcessCheckIfEprocessIsValid()

BOOLEAN ProcessCheckIfEprocessIsValid ( UINT64 Eprocess,
UINT64 ActiveProcessHead,
ULONG ActiveProcessLinksOffset )

checks whether the given nt!_EPROCESS is valid or not

Parameters
Eprocesstarget nt!_EPROCESS
ActiveProcessHeadnt!PsActiveProcessHead
ActiveProcessLinksOffsetnt!_EPROCESS.ActiveProcessLinks
Returns
BOOLEAN
265{
266 UINT64 Process;
267 LIST_ENTRY ActiveProcessLinks = {0};
268
269 //
270 // Dirty validation of parameters
271 //
272 if (ActiveProcessHead == NULL64_ZERO ||
273 ActiveProcessLinksOffset == NULL_ZERO)
274 {
275 return FALSE;
276 }
277
278 //
279 // Check if address is valid
280 //
281 if (CheckAccessValidityAndSafety(ActiveProcessHead, sizeof(BYTE)))
282 {
283 //
284 // Show processes list, we read everything from the view of system
285 // process
286 //
287 MemoryMapperReadMemorySafe(ActiveProcessHead, &ActiveProcessLinks, sizeof(ActiveProcessLinks));
288
289 //
290 // Find the top of EPROCESS from nt!_EPROCESS.ActiveProcessLinks
291 //
292 Process = (UINT64)ActiveProcessLinks.Flink - ActiveProcessLinksOffset;
293
294 do
295 {
296 //
297 // Read the next process
298 //
299 MemoryMapperReadMemorySafe(Process + ActiveProcessLinksOffset,
300 &ActiveProcessLinks,
301 sizeof(ActiveProcessLinks));
302
303 //
304 // Check if we find the process
305 //
306 if (Process == Eprocess)
307 {
308 return TRUE;
309 }
310
311 //
312 // Find the next process from the list of this process
313 //
314 Process = (UINT64)ActiveProcessLinks.Flink - ActiveProcessLinksOffset;
315
316 } while ((UINT64)ActiveProcessLinks.Flink != ActiveProcessHead);
317 }
318 else
319 {
320 //
321 // An invalid address is specified
322 //
323 return FALSE;
324 }
325
326 return FALSE;
327}
CheckAccessValidityAndSafety
BOOLEAN CheckAccessValidityAndSafety(UINT64 TargetAddress, UINT32 Size)
Check the safety to access the memory.
Definition AddressCheck.c:156
NULL_ZERO
#define NULL_ZERO
Definition BasicTypes.h:51
BYTE
unsigned char BYTE
Definition BasicTypes.h:24
NULL64_ZERO
#define NULL64_ZERO
Definition BasicTypes.h:52
TRUE
#define TRUE
Definition BasicTypes.h:55
FALSE
#define FALSE
Definition BasicTypes.h:54
UINT64
unsigned __int64 UINT64
Definition BasicTypes.h:21
MemoryMapperReadMemorySafe
_Use_decl_annotations_ BOOLEAN MemoryMapperReadMemorySafe(UINT64 VaAddressToRead, PVOID BufferToSaveMemory, SIZE_T SizeToRead)
Read memory safely by mapping the buffer (It's a wrapper)
Definition MemoryMapper.c:1101

◆ ProcessEnableOrDisableThreadChangeMonitor()

VOID ProcessEnableOrDisableThreadChangeMonitor ( PROCESSOR_DEBUGGING_STATE * DbgState,
BOOLEAN Enable,
BOOLEAN IsSwitchByClockIntrrupt )

Enable or disable the process change monitoring detection on the running core.

should be called on vmx root

Parameters
DbgStateThe state of the debugger on the current core
Enable
IsSwitchByClockIntrrupt
Returns
VOID
223{
224 if (Enable)
225 {
226 //
227 // Set indicator process interception on the target core
228 //
229 DbgState->ThreadOrProcessTracingDetails.InitialSetProcessChangeEvent = TRUE;
230 DbgState->ThreadOrProcessTracingDetails.InitialSetByClockInterrupt = IsSwitchByClockIntrrupt;
231 }
232 else
233 {
234 //
235 // Avoid future sets/unsets
236 //
237 DbgState->ThreadOrProcessTracingDetails.InitialSetProcessChangeEvent = FALSE;
238 DbgState->ThreadOrProcessTracingDetails.InitialSetByClockInterrupt = FALSE;
239 }
240
241 //
242 // Check whether we should intercept mov-to-cr3 vm-exits or intercept
243 // the clock interrupts
244 //
245 if (!IsSwitchByClockIntrrupt)
246 {
247 ProcessDetectChangeByMov2Cr3Vmexits(DbgState, Enable);
248 }
249 else
250 {
251 ProcessDetectChangeByInterceptingClockInterrupts(DbgState, Enable);
252 }
253}
ProcessDetectChangeByMov2Cr3Vmexits
VOID ProcessDetectChangeByMov2Cr3Vmexits(PROCESSOR_DEBUGGING_STATE *DbgState, BOOLEAN Enable)
Enable or disable the process change monitoring detection on the running core based on mov-to-cr3 vm-...
Definition Process.c:177
ProcessDetectChangeByInterceptingClockInterrupts
VOID ProcessDetectChangeByInterceptingClockInterrupts(PROCESSOR_DEBUGGING_STATE *DbgState, BOOLEAN Enable)
Enable or disable the process change monitoring detection on the running core based on intercepting c...
Definition Process.c:138
_DEBUGGEE_PROCESS_OR_THREAD_TRACING_DETAILS::InitialSetByClockInterrupt
BOOLEAN InitialSetByClockInterrupt
Definition State.h:50
_DEBUGGEE_PROCESS_OR_THREAD_TRACING_DETAILS::InitialSetProcessChangeEvent
BOOLEAN InitialSetProcessChangeEvent
Definition State.h:47
_PROCESSOR_DEBUGGING_STATE::ThreadOrProcessTracingDetails
DEBUGGEE_PROCESS_OR_THREAD_TRACING_DETAILS ThreadOrProcessTracingDetails
Definition State.h:178

◆ ProcessHandleProcessChange()

BOOLEAN ProcessHandleProcessChange ( PROCESSOR_DEBUGGING_STATE * DbgState)

handle process changes

Parameters
DbgStateThe state of the debugger on the current core
Returns
VOID
43{
44 //
45 // Check if we reached to the target process or not
46 //
47 if ((g_ProcessSwitch.ProcessId != NULL_ZERO && g_ProcessSwitch.ProcessId == HANDLE_TO_UINT32(PsGetCurrentProcessId())) ||
48 (g_ProcessSwitch.Process != (UINT64)NULL && g_ProcessSwitch.Process == PsGetCurrentProcess()))
49 {
50 KdHandleBreakpointAndDebugBreakpoints(DbgState, DEBUGGEE_PAUSING_REASON_DEBUGGEE_PROCESS_SWITCHED, NULL);
51
52 //
53 // Found
54 //
55 return TRUE;
56 }
57
58 //
59 // Not found
60 //
61 return FALSE;
62}
DEBUGGEE_PAUSING_REASON_DEBUGGEE_PROCESS_SWITCHED
@ DEBUGGEE_PAUSING_REASON_DEBUGGEE_PROCESS_SWITCHED
Definition Connection.h:32
KdHandleBreakpointAndDebugBreakpoints
_Use_decl_annotations_ VOID KdHandleBreakpointAndDebugBreakpoints(PROCESSOR_DEBUGGING_STATE *DbgState, DEBUGGEE_PAUSING_REASON Reason, PDEBUGGER_TRIGGERED_EVENT_DETAILS EventDetails)
Handle #DBs and #BPs for kernel debugger.
Definition Kd.c:1214
HANDLE_TO_UINT32
#define HANDLE_TO_UINT32(_var)
Definition MetaMacros.h:39
g_ProcessSwitch
DEBUGGEE_REQUEST_TO_CHANGE_PROCESS g_ProcessSwitch
Process switch to EPROCESS or Process ID.
Definition Global.h:67
_DEBUGGEE_REQUEST_TO_CHANGE_PROCESS::ProcessId
UINT32 ProcessId
Definition Kd.h:40
_DEBUGGEE_REQUEST_TO_CHANGE_PROCESS::Process
PVOID Process
Definition Kd.h:41

◆ ProcessInterpretProcess()

BOOLEAN ProcessInterpretProcess ( PROCESSOR_DEBUGGING_STATE * DbgState,
PDEBUGGEE_DETAILS_AND_SWITCH_PROCESS_PACKET PidRequest )

change the current process @detail ONLY TO BE USED IN KD STUFFS

Parameters
DbgStateThe state of the debugger on the current core
PidRequest
Returns
BOOLEAN
526{
527 switch (PidRequest->ActionType)
528 {
529 case DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_GET_PROCESS_DETAILS:
530
531 //
532 // Debugger wants to know current pid, nt!_EPROCESS and process name
533 //
534 PidRequest->ProcessId = HANDLE_TO_UINT32(PsGetCurrentProcessId());
535 PidRequest->Process = (UINT64)PsGetCurrentProcess();
536 MemoryMapperReadMemorySafe((UINT64)CommonGetProcessNameFromProcessControlBlock(PsGetCurrentProcess()), &PidRequest->ProcessName, 16);
537
538 //
539 // Operation was successful
540 //
541 PidRequest->Result = DEBUGGER_OPERATION_WAS_SUCCESSFUL;
542
543 break;
544
545 case DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_PERFORM_SWITCH:
546
547 //
548 // Perform the process switch
549 //
550 if (!ProcessSwitch(DbgState, PidRequest->ProcessId, (PEPROCESS)PidRequest->Process, PidRequest->IsSwitchByClkIntr))
551 {
552 PidRequest->Result = DEBUGGER_ERROR_DETAILS_OR_SWITCH_PROCESS_INVALID_PARAMETER;
553 break;
554 }
555
556 //
557 // Operation was successful
558 //
559 PidRequest->Result = DEBUGGER_OPERATION_WAS_SUCCESSFUL;
560
561 break;
562
563 case DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_GET_PROCESS_LIST:
564
565 //
566 // Show the process list
567 //
568 if (!ProcessShowList(&PidRequest->ProcessListSymDetails,
569 DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_ACTION_SHOW_INSTANTLY,
570 NULL,
571 NULL,
572 (UINT64)NULL))
573 {
574 PidRequest->Result = DEBUGGER_ERROR_DETAILS_OR_SWITCH_PROCESS_INVALID_PARAMETER;
575 break;
576 }
577
578 //
579 // Operation was successful
580 //
581 PidRequest->Result = DEBUGGER_OPERATION_WAS_SUCCESSFUL;
582
583 break;
584
585 default:
586
587 //
588 // Invalid type of action
589 //
590 PidRequest->Result = DEBUGGER_ERROR_DETAILS_OR_SWITCH_PROCESS_INVALID_PARAMETER;
591
592 break;
593 }
594
595 //
596 // Check if the above operation contains error
597 //
598 if (PidRequest->Result == DEBUGGER_OPERATION_WAS_SUCCESSFUL)
599 {
600 return TRUE;
601 }
602 else
603 {
604 return FALSE;
605 }
606}
DEBUGGER_ERROR_DETAILS_OR_SWITCH_PROCESS_INVALID_PARAMETER
#define DEBUGGER_ERROR_DETAILS_OR_SWITCH_PROCESS_INVALID_PARAMETER
error, for process switch or process details, invalid parameter
Definition ErrorCodes.h:233
DEBUGGER_OPERATION_WAS_SUCCESSFUL
#define DEBUGGER_OPERATION_WAS_SUCCESSFUL
General value to indicate that the operation or request was successful.
Definition ErrorCodes.h:23
ProcessSwitch
BOOLEAN ProcessSwitch(PROCESSOR_DEBUGGING_STATE *DbgState, UINT32 ProcessId, PEPROCESS EProcess, BOOLEAN IsSwitchByClockIntrrupt)
make evnvironment ready to change the process
Definition Process.c:75
ProcessShowList
BOOLEAN ProcessShowList(PDEBUGGEE_PROCESS_LIST_NEEDED_DETAILS PorcessListSymbolInfo, DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_ACTIONS QueryAction, UINT32 *CountOfProcesses, PVOID ListSaveBuffer, UINT64 ListSaveBuffSize)
shows the processes list
Definition Process.c:340
DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_GET_PROCESS_DETAILS
@ DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_GET_PROCESS_DETAILS
Definition RequestStructures.h:912
DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_GET_PROCESS_LIST
@ DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_GET_PROCESS_LIST
Definition RequestStructures.h:913
DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_PERFORM_SWITCH
@ DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_PERFORM_SWITCH
Definition RequestStructures.h:914
DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_ACTION_SHOW_INSTANTLY
@ DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_ACTION_SHOW_INSTANTLY
Definition RequestStructures.h:672
CommonGetProcessNameFromProcessControlBlock
PCHAR CommonGetProcessNameFromProcessControlBlock(PEPROCESS Eprocess)
Get process name by eprocess.
Definition Common.c:48
_DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_PACKET::ProcessListSymDetails
DEBUGGEE_PROCESS_LIST_NEEDED_DETAILS ProcessListSymDetails
Definition RequestStructures.h:930
_DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_PACKET::ProcessId
UINT32 ProcessId
Definition RequestStructures.h:926
_DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_PACKET::Process
UINT64 Process
Definition RequestStructures.h:927
_DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_PACKET::ActionType
DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_TYPE ActionType
Definition RequestStructures.h:925
_DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_PACKET::Result
UINT32 Result
Definition RequestStructures.h:931
_DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_PACKET::IsSwitchByClkIntr
BOOLEAN IsSwitchByClkIntr
Definition RequestStructures.h:928
_DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_PACKET::ProcessName
UCHAR ProcessName[16]
Definition RequestStructures.h:929

◆ ProcessQueryCount()

BOOLEAN ProcessQueryCount ( PDEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS DebuggerUsermodeProcessOrThreadQueryRequest)

Query process details (count)

Parameters
DebuggerUsermodeProcessOrThreadQueryRequest
Returns
BOOLEAN
617{
618 BOOLEAN Result = FALSE;
619
620 //
621 // Getting the count results
622 //
623 Result = ProcessShowList(&DebuggerUsermodeProcessOrThreadQueryRequest->ProcessListNeededDetails,
624 DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_ACTION_QUERY_COUNT,
625 &DebuggerUsermodeProcessOrThreadQueryRequest->Count,
626 NULL,
627 (UINT64)NULL);
628
629 if (Result && DebuggerUsermodeProcessOrThreadQueryRequest->Count != 0)
630 {
631 DebuggerUsermodeProcessOrThreadQueryRequest->Result = DEBUGGER_OPERATION_WAS_SUCCESSFUL;
632 return TRUE;
633 }
634
635 DebuggerUsermodeProcessOrThreadQueryRequest->Result = DEBUGGER_ERROR_UNABLE_TO_QUERY_COUNT_OF_PROCESSES_OR_THREADS;
636 return FALSE;
637}
BOOLEAN
UCHAR BOOLEAN
Definition BasicTypes.h:39
DEBUGGER_ERROR_UNABLE_TO_QUERY_COUNT_OF_PROCESSES_OR_THREADS
#define DEBUGGER_ERROR_UNABLE_TO_QUERY_COUNT_OF_PROCESSES_OR_THREADS
error, unable to query count of processes or threads
Definition ErrorCodes.h:386
DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_ACTION_QUERY_COUNT
@ DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_ACTION_QUERY_COUNT
Definition RequestStructures.h:673
_DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS::Count
UINT32 Count
Definition RequestStructures.h:747
_DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS::Result
UINT64 Result
Definition RequestStructures.h:748
_DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS::ProcessListNeededDetails
DEBUGGEE_PROCESS_LIST_NEEDED_DETAILS ProcessListNeededDetails
Definition RequestStructures.h:743

◆ ProcessQueryDetails()

BOOLEAN ProcessQueryDetails ( PDEBUGGEE_DETAILS_AND_SWITCH_PROCESS_PACKET GetInformationProcessRequest)

Query process details.

Parameters
GetInformationProcessRequest
Returns
BOOLEAN
676{
677 GetInformationProcessRequest->ProcessId = HANDLE_TO_UINT32(PsGetCurrentProcessId());
678 GetInformationProcessRequest->Process = (UINT64)PsGetCurrentProcess();
679 RtlCopyMemory(&GetInformationProcessRequest->ProcessName,
680 CommonGetProcessNameFromProcessControlBlock(PsGetCurrentProcess()),
681 15);
682
683 GetInformationProcessRequest->Result = DEBUGGER_OPERATION_WAS_SUCCESSFUL;
684
685 return TRUE;
686}

◆ ProcessQueryList()

BOOLEAN ProcessQueryList ( PDEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS DebuggerUsermodeProcessOrThreadQueryRequest,
PVOID AddressToSaveDetail,
UINT32 BufferSize )

Query process details (list)

Parameters
DebuggerUsermodeProcessOrThreadQueryRequest
AddressToSaveDetail
BufferSize
Returns
BOOLEAN
652{
653 BOOLEAN Result = FALSE;
654
655 //
656 // Getting the count results
657 //
658 Result = ProcessShowList(&DebuggerUsermodeProcessOrThreadQueryRequest->ProcessListNeededDetails,
659 DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_ACTION_QUERY_SAVE_DETAILS,
660 NULL,
661 AddressToSaveDetail,
662 BufferSize);
663
664 return Result;
665}
DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_ACTION_QUERY_SAVE_DETAILS
@ DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_ACTION_QUERY_SAVE_DETAILS
Definition RequestStructures.h:674

◆ ProcessTriggerCr3ProcessChange()

VOID ProcessTriggerCr3ProcessChange ( UINT32 CoreId)

handle process changes for cr3 registers

Parameters
CoreId
Returns
VOID
23{
24 PROCESSOR_DEBUGGING_STATE * DbgState = &g_DbgState[CoreId];
25
26 //
27 // Call kernel debugger handler for mov to cr3 in kernel debugger
28 //
29 if (DbgState->ThreadOrProcessTracingDetails.IsWatingForMovCr3VmExits)
30 {
31 ProcessHandleProcessChange(DbgState);
32 }
33}
ProcessHandleProcessChange
BOOLEAN ProcessHandleProcessChange(PROCESSOR_DEBUGGING_STATE *DbgState)
handle process changes
Definition Process.c:42
g_DbgState
PROCESSOR_DEBUGGING_STATE * g_DbgState
Save the state and variables related to debugging on each to logical core.
Definition Global.h:17
_DEBUGGEE_PROCESS_OR_THREAD_TRACING_DETAILS::IsWatingForMovCr3VmExits
BOOLEAN IsWatingForMovCr3VmExits
Definition State.h:62
_PROCESSOR_DEBUGGING_STATE
Saves the debugger state.
Definition State.h:165