HyperDbg Debugger
Loading...
Searching...
No Matches
Functions
Thread.h File Reference

Header for kernel debugger functions for threads. More...

Go to the source code of this file.

Functions

BOOLEAN ThreadInterpretThread (PROCESSOR_DEBUGGING_STATE *DbgState, PDEBUGGEE_DETAILS_AND_SWITCH_THREAD_PACKET TidRequest)
 change the current thread
 
VOID ThreadEnableOrDisableThreadChangeMonitor (PROCESSOR_DEBUGGING_STATE *DbgState, BOOLEAN Enable, BOOLEAN IsSwitchByClockIntrrupt)
 Enable or disable the thread change monitoring detection on the running core.
 
BOOLEAN ThreadHandleThreadChange (PROCESSOR_DEBUGGING_STATE *DbgState)
 handle thread changes
 
BOOLEAN ThreadQueryCount (PDEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS DebuggerUsermodeProcessOrThreadQueryRequest)
 Query thread details (count)
 
BOOLEAN ThreadQueryList (PDEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS DebuggerUsermodeProcessOrThreadQueryRequest, PVOID AddressToSaveDetail, UINT32 BufferSize)
 Query thread details (list)
 
BOOLEAN ThreadQueryDetails (PDEBUGGEE_DETAILS_AND_SWITCH_THREAD_PACKET GetInformationThreadRequest)
 Query thread details.
 

Detailed Description

Header for kernel debugger functions for threads.

Author
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
Version
0.1
Date
2021-11-23
Copyright
This project is released under the GNU Public License v3.

Function Documentation

◆ ThreadEnableOrDisableThreadChangeMonitor()

VOID ThreadEnableOrDisableThreadChangeMonitor ( PROCESSOR_DEBUGGING_STATE * DbgState,
BOOLEAN Enable,
BOOLEAN IsSwitchByClockIntrrupt )

Enable or disable the thread change monitoring detection on the running core.

should be called on vmx root

Parameters
DbgStateThe state of the debugger on the current core
Enable
IsSwitchByClockIntrrupt
Returns
VOID
600{
601 if (Enable)
602 {
603 DbgState->ThreadOrProcessTracingDetails.InitialSetThreadChangeEvent = TRUE;
604 DbgState->ThreadOrProcessTracingDetails.InitialSetByClockInterrupt = IsSwitchByClockIntrrupt;
605 }
606 else
607 {
608 //
609 // Avoid future sets/unsets
610 //
611 DbgState->ThreadOrProcessTracingDetails.InitialSetThreadChangeEvent = FALSE;
612 DbgState->ThreadOrProcessTracingDetails.InitialSetByClockInterrupt = FALSE;
613 }
614
615 //
616 // Check if it's a HW breakpoint on gs:[188] or a clock interception
617 //
618 if (!IsSwitchByClockIntrrupt)
619 {
620 ThreadDetectChangeByDebugRegisterOnGs(DbgState, Enable);
621 }
622 else
623 {
624 ThreadDetectChangeByInterceptingClockInterrupts(DbgState, Enable);
625 }
626}
TRUE
#define TRUE
Definition BasicTypes.h:55
FALSE
#define FALSE
Definition BasicTypes.h:54
ThreadDetectChangeByDebugRegisterOnGs
VOID ThreadDetectChangeByDebugRegisterOnGs(PROCESSOR_DEBUGGING_STATE *DbgState, BOOLEAN Enable)
Enable or disable the thread change monitoring detection on the running core based on putting a HW br...
Definition Thread.c:424
ThreadDetectChangeByInterceptingClockInterrupts
VOID ThreadDetectChangeByInterceptingClockInterrupts(PROCESSOR_DEBUGGING_STATE *DbgState, BOOLEAN Enable)
Enable or disable the thread change monitoring detection on the running core based on intercepting cl...
Definition Thread.c:556
_DEBUGGEE_PROCESS_OR_THREAD_TRACING_DETAILS::InitialSetByClockInterrupt
BOOLEAN InitialSetByClockInterrupt
Definition State.h:50
_DEBUGGEE_PROCESS_OR_THREAD_TRACING_DETAILS::InitialSetThreadChangeEvent
BOOLEAN InitialSetThreadChangeEvent
Definition State.h:48
_PROCESSOR_DEBUGGING_STATE::ThreadOrProcessTracingDetails
DEBUGGEE_PROCESS_OR_THREAD_TRACING_DETAILS ThreadOrProcessTracingDetails
Definition State.h:178

◆ ThreadHandleThreadChange()

BOOLEAN ThreadHandleThreadChange ( PROCESSOR_DEBUGGING_STATE * DbgState)

handle thread changes

Parameters
DbgStateThe state of the debugger on the current core
Returns
BOOLEAN
23{
24 //
25 // Check if we reached to the target thread or not
26 //
27 if ((g_ThreadSwitch.ThreadId != NULL_ZERO && g_ThreadSwitch.ThreadId == HANDLE_TO_UINT32(PsGetCurrentThreadId())) ||
28 (g_ThreadSwitch.Thread != NULL64_ZERO && g_ThreadSwitch.Thread == PsGetCurrentThread()))
29 {
30 //
31 // Halt the debuggee, we have found the target thread
32 //
33 KdHandleBreakpointAndDebugBreakpoints(DbgState, DEBUGGEE_PAUSING_REASON_DEBUGGEE_THREAD_SWITCHED, NULL);
34
35 //
36 // Found
37 //
38 return TRUE;
39 }
40
41 //
42 // Not found
43 //
44 return FALSE;
45}
NULL_ZERO
#define NULL_ZERO
Definition BasicTypes.h:51
NULL64_ZERO
#define NULL64_ZERO
Definition BasicTypes.h:52
DEBUGGEE_PAUSING_REASON_DEBUGGEE_THREAD_SWITCHED
@ DEBUGGEE_PAUSING_REASON_DEBUGGEE_THREAD_SWITCHED
Definition Connection.h:33
KdHandleBreakpointAndDebugBreakpoints
_Use_decl_annotations_ VOID KdHandleBreakpointAndDebugBreakpoints(PROCESSOR_DEBUGGING_STATE *DbgState, DEBUGGEE_PAUSING_REASON Reason, PDEBUGGER_TRIGGERED_EVENT_DETAILS EventDetails)
Handle #DBs and #BPs for kernel debugger.
Definition Kd.c:1214
HANDLE_TO_UINT32
#define HANDLE_TO_UINT32(_var)
Definition MetaMacros.h:39
g_ThreadSwitch
DEBUGGEE_REQUEST_TO_CHANGE_THREAD g_ThreadSwitch
Thread switch to ETHREAD or Thread ID.
Definition Global.h:73
_DEBUGGEE_REQUEST_TO_CHANGE_THREAD::Thread
PVOID Thread
Definition Kd.h:52
_DEBUGGEE_REQUEST_TO_CHANGE_THREAD::ThreadId
UINT32 ThreadId
Definition Kd.h:51

◆ ThreadInterpretThread()

BOOLEAN ThreadInterpretThread ( PROCESSOR_DEBUGGING_STATE * DbgState,
PDEBUGGEE_DETAILS_AND_SWITCH_THREAD_PACKET TidRequest )

change the current thread

Parameters
DbgStateThe state of the debugger on the current core
TidRequest
Returns
BOOLEAN
327{
328 switch (TidRequest->ActionType)
329 {
330 case DEBUGGEE_DETAILS_AND_SWITCH_THREAD_GET_THREAD_DETAILS:
331
332 //
333 // Debugger wants to know current tid, nt!_ETHREAD and process name, etc.
334 //
335 TidRequest->ProcessId = HANDLE_TO_UINT32(PsGetCurrentProcessId());
336 TidRequest->ThreadId = HANDLE_TO_UINT32(PsGetCurrentThreadId());
337 TidRequest->Process = (UINT64)PsGetCurrentProcess();
338 TidRequest->Thread = (UINT64)PsGetCurrentThread();
339 MemoryMapperReadMemorySafe((UINT64)CommonGetProcessNameFromProcessControlBlock(PsGetCurrentProcess()), &TidRequest->ProcessName, 16);
340
341 //
342 // Operation was successful
343 //
344 TidRequest->Result = DEBUGGER_OPERATION_WAS_SUCCESSFUL;
345
346 break;
347
348 case DEBUGGEE_DETAILS_AND_SWITCH_THREAD_PERFORM_SWITCH:
349
350 //
351 // Perform the thread switch
352 //
353 if (!ThreadSwitch(DbgState,
354 TidRequest->ThreadId,
355 (PETHREAD)TidRequest->Thread,
356 TidRequest->CheckByClockInterrupt))
357 {
358 TidRequest->Result = DEBUGGER_ERROR_DETAILS_OR_SWITCH_THREAD_INVALID_PARAMETER;
359 break;
360 }
361
362 //
363 // Operation was successful
364 //
365 TidRequest->Result = DEBUGGER_OPERATION_WAS_SUCCESSFUL;
366
367 break;
368
369 case DEBUGGEE_DETAILS_AND_SWITCH_THREAD_GET_THREAD_LIST:
370
371 //
372 // Show the threads list
373 //
374 if (!ThreadShowList(&TidRequest->ThreadListSymDetails,
375 DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_ACTION_SHOW_INSTANTLY,
376 NULL,
377 NULL,
378 (UINT64)NULL))
379 {
380 TidRequest->Result = DEBUGGER_ERROR_DETAILS_OR_SWITCH_THREAD_INVALID_PARAMETER;
381 break;
382 }
383
384 //
385 // Operation was successful
386 //
387 TidRequest->Result = DEBUGGER_OPERATION_WAS_SUCCESSFUL;
388
389 break;
390
391 default:
392
393 //
394 // Invalid type of action
395 //
396 TidRequest->Result = DEBUGGER_ERROR_DETAILS_OR_SWITCH_THREAD_INVALID_PARAMETER;
397
398 break;
399 }
400
401 //
402 // Check if the above operation contains error
403 //
404 if (TidRequest->Result == DEBUGGER_OPERATION_WAS_SUCCESSFUL)
405 {
406 return TRUE;
407 }
408 else
409 {
410 return FALSE;
411 }
412}
UINT64
unsigned __int64 UINT64
Definition BasicTypes.h:21
DEBUGGER_ERROR_DETAILS_OR_SWITCH_THREAD_INVALID_PARAMETER
#define DEBUGGER_ERROR_DETAILS_OR_SWITCH_THREAD_INVALID_PARAMETER
error, for thread switch or thread details, invalid parameter
Definition ErrorCodes.h:239
DEBUGGER_OPERATION_WAS_SUCCESSFUL
#define DEBUGGER_OPERATION_WAS_SUCCESSFUL
General value to indicate that the operation or request was successful.
Definition ErrorCodes.h:23
MemoryMapperReadMemorySafe
_Use_decl_annotations_ BOOLEAN MemoryMapperReadMemorySafe(UINT64 VaAddressToRead, PVOID BufferToSaveMemory, SIZE_T SizeToRead)
Read memory safely by mapping the buffer (It's a wrapper)
Definition MemoryMapper.c:1101
DEBUGGEE_DETAILS_AND_SWITCH_THREAD_GET_THREAD_LIST
@ DEBUGGEE_DETAILS_AND_SWITCH_THREAD_GET_THREAD_LIST
Definition RequestStructures.h:954
DEBUGGEE_DETAILS_AND_SWITCH_THREAD_PERFORM_SWITCH
@ DEBUGGEE_DETAILS_AND_SWITCH_THREAD_PERFORM_SWITCH
Definition RequestStructures.h:952
DEBUGGEE_DETAILS_AND_SWITCH_THREAD_GET_THREAD_DETAILS
@ DEBUGGEE_DETAILS_AND_SWITCH_THREAD_GET_THREAD_DETAILS
Definition RequestStructures.h:953
DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_ACTION_SHOW_INSTANTLY
@ DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_ACTION_SHOW_INSTANTLY
Definition RequestStructures.h:672
ThreadShowList
BOOLEAN ThreadShowList(PDEBUGGEE_THREAD_LIST_NEEDED_DETAILS ThreadListSymbolInfo, DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_ACTIONS QueryAction, UINT32 *CountOfThreads, PVOID ListSaveBuffer, UINT64 ListSaveBuffSize)
shows the threads list
Definition Thread.c:122
ThreadSwitch
BOOLEAN ThreadSwitch(PROCESSOR_DEBUGGING_STATE *DbgState, UINT32 ThreadId, PETHREAD EThread, BOOLEAN CheckByClockInterrupt)
make evnvironment ready to change the thread
Definition Thread.c:58
CommonGetProcessNameFromProcessControlBlock
PCHAR CommonGetProcessNameFromProcessControlBlock(PEPROCESS Eprocess)
Get process name by eprocess.
Definition Common.c:48
_DEBUGGEE_DETAILS_AND_SWITCH_THREAD_PACKET::ActionType
DEBUGGEE_DETAILS_AND_SWITCH_THREAD_TYPE ActionType
Definition RequestStructures.h:964
_DEBUGGEE_DETAILS_AND_SWITCH_THREAD_PACKET::Thread
UINT64 Thread
Definition RequestStructures.h:967
_DEBUGGEE_DETAILS_AND_SWITCH_THREAD_PACKET::ThreadListSymDetails
DEBUGGEE_THREAD_LIST_NEEDED_DETAILS ThreadListSymDetails
Definition RequestStructures.h:971
_DEBUGGEE_DETAILS_AND_SWITCH_THREAD_PACKET::Process
UINT64 Process
Definition RequestStructures.h:968
_DEBUGGEE_DETAILS_AND_SWITCH_THREAD_PACKET::ProcessId
UINT32 ProcessId
Definition RequestStructures.h:966
_DEBUGGEE_DETAILS_AND_SWITCH_THREAD_PACKET::ProcessName
UCHAR ProcessName[16]
Definition RequestStructures.h:970
_DEBUGGEE_DETAILS_AND_SWITCH_THREAD_PACKET::ThreadId
UINT32 ThreadId
Definition RequestStructures.h:965
_DEBUGGEE_DETAILS_AND_SWITCH_THREAD_PACKET::CheckByClockInterrupt
BOOLEAN CheckByClockInterrupt
Definition RequestStructures.h:969
_DEBUGGEE_DETAILS_AND_SWITCH_THREAD_PACKET::Result
UINT32 Result
Definition RequestStructures.h:972

◆ ThreadQueryCount()

BOOLEAN ThreadQueryCount ( PDEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS DebuggerUsermodeProcessOrThreadQueryRequest)

Query thread details (count)

Parameters
DebuggerUsermodeProcessOrThreadQueryRequest
Returns
BOOLEAN
637{
638 BOOLEAN Result = FALSE;
639
640 //
641 // Getting the count results
642 //
643 Result = ThreadShowList(&DebuggerUsermodeProcessOrThreadQueryRequest->ThreadListNeededDetails,
644 DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_ACTION_QUERY_COUNT,
645 &DebuggerUsermodeProcessOrThreadQueryRequest->Count,
646 NULL,
647 (UINT64)NULL);
648
649 if (Result && DebuggerUsermodeProcessOrThreadQueryRequest->Count != 0)
650 {
651 DebuggerUsermodeProcessOrThreadQueryRequest->Result = DEBUGGER_OPERATION_WAS_SUCCESSFUL;
652 return TRUE;
653 }
654
655 DebuggerUsermodeProcessOrThreadQueryRequest->Result = DEBUGGER_ERROR_UNABLE_TO_QUERY_COUNT_OF_PROCESSES_OR_THREADS;
656 return FALSE;
657}
BOOLEAN
UCHAR BOOLEAN
Definition BasicTypes.h:39
DEBUGGER_ERROR_UNABLE_TO_QUERY_COUNT_OF_PROCESSES_OR_THREADS
#define DEBUGGER_ERROR_UNABLE_TO_QUERY_COUNT_OF_PROCESSES_OR_THREADS
error, unable to query count of processes or threads
Definition ErrorCodes.h:386
DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_ACTION_QUERY_COUNT
@ DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_ACTION_QUERY_COUNT
Definition RequestStructures.h:673
_DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS::Count
UINT32 Count
Definition RequestStructures.h:747
_DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS::ThreadListNeededDetails
DEBUGGEE_THREAD_LIST_NEEDED_DETAILS ThreadListNeededDetails
Definition RequestStructures.h:744
_DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS::Result
UINT64 Result
Definition RequestStructures.h:748

◆ ThreadQueryDetails()

BOOLEAN ThreadQueryDetails ( PDEBUGGEE_DETAILS_AND_SWITCH_THREAD_PACKET GetInformationThreadRequest)

Query thread details.

Parameters
GetInformationThreadRequest
Returns
BOOLEAN
696{
697 GetInformationThreadRequest->ProcessId = HANDLE_TO_UINT32(PsGetCurrentProcessId());
698 GetInformationThreadRequest->Process = (UINT64)PsGetCurrentProcess();
699 GetInformationThreadRequest->Thread = (UINT64)PsGetCurrentThread();
700 GetInformationThreadRequest->ThreadId = HANDLE_TO_UINT32(PsGetCurrentThreadId());
701
702 RtlCopyMemory(&GetInformationThreadRequest->ProcessName,
703 CommonGetProcessNameFromProcessControlBlock(PsGetCurrentProcess()),
704 15);
705
706 GetInformationThreadRequest->Result = DEBUGGER_OPERATION_WAS_SUCCESSFUL;
707
708 return TRUE;
709}

◆ ThreadQueryList()

BOOLEAN ThreadQueryList ( PDEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS DebuggerUsermodeProcessOrThreadQueryRequest,
PVOID AddressToSaveDetail,
UINT32 BufferSize )

Query thread details (list)

Parameters
DebuggerUsermodeProcessOrThreadQueryRequest
AddressToSaveDetail
BufferSize
Returns
BOOLEAN
672{
673 BOOLEAN Result = FALSE;
674
675 //
676 // Getting the list of threads
677 //
678 Result = ThreadShowList(&DebuggerUsermodeProcessOrThreadQueryRequest->ThreadListNeededDetails,
679 DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_ACTION_QUERY_SAVE_DETAILS,
680 NULL,
681 AddressToSaveDetail,
682 BufferSize);
683
684 return Result;
685}
DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_ACTION_QUERY_SAVE_DETAILS
@ DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_ACTION_QUERY_SAVE_DETAILS
Definition RequestStructures.h:674