HyperDbg Debugger
Loading...
Searching...
No Matches
Classes | Functions | Variables
a.cpp File Reference

a command More...

#include "pch.h"

Classes

class  _CMD
 

Functions

VOID CommandAssembleHelp ()
 help of a and !a command
 
_CMD ParseUserCmd (const std::string &command)
 
VOID CommandAssemble (vector< string > SplitCommand, string Command)
 a and !a commands handler
 

Variables

BOOLEAN g_IsSerialConnectedToRemoteDebuggee
 Shows if the debugger was connected to remote debuggee over (A remote guest)
 
ACTIVE_DEBUGGING_PROCESS g_ActiveProcessDebuggingState
 State of active debugging thread.
 

Detailed Description

a command

Author
Abbas Masoumi Gorji (Abbas.nosp@m.MG@h.nosp@m.yperd.nosp@m.bg.o.nosp@m.rg)
Version
0.10
Date
2024-07-15
Copyright
This project is released under the GNU Public License v3.

Function Documentation

◆ CommandAssemble()

VOID CommandAssemble ( vector< string > SplitCommand,
string Command )

a and !a commands handler

Parameters
SplitCommand
Command
Returns
VOID
183{
184 DEBUGGER_EDIT_MEMORY_TYPE MemoryType {};
185 _CMD CMD {};
186 UINT64 Address {};
187 UINT64 StartAddress {};
188 UINT32 ProcId = 0;
189
190 CMD = ParseUserCmd(Command);
191
192 if (CMD.isEmpty())
193 {
194 //
195 // Error messeges are already printed
196 //
197 return;
198 }
199
200 if (!CMD.ProcIdStr.empty())
201 {
202 if (!ConvertStringToUInt32(CMD.ProcIdStr, &ProcId))
203 {
204 ShowMessages("please specify a correct hex process id\n\n");
205 CommandAssembleHelp();
206 return;
207 }
208 }
209
210 if (g_ActiveProcessDebuggingState.IsActive)
211 {
212 ProcId = g_ActiveProcessDebuggingState.ProcessId;
213 }
214
215 if (CMD.AsmSnippet.empty())
216 {
217 ShowMessages("no assembly snippet provided\n");
218 CommandAssembleHelp();
219 return;
220 }
221 else if (CMD.CommandStr == "a")
222 {
223 MemoryType = EDIT_VIRTUAL_MEMORY;
224 }
225 else if (CMD.CommandStr == "!a")
226 {
227 MemoryType = EDIT_PHYSICAL_MEMORY;
228 }
229 else
230 {
231 ShowMessages("unknown assemble command\n\n");
232 CommandAssembleHelp();
233 return;
234 }
235
236 //
237 // Fetching start_address i.e. address to assemble to
238 //
239 if (!CMD.AddressStr.empty()) // was any address provided to assemble to?
240 {
241 if (!SymbolConvertNameOrExprToAddress(CMD.AddressStr, &Address))
242 {
243 ShowMessages("err, couldn't resolve Address at '%s'\n\n",
244 CMD.AddressStr.c_str());
245 CommandAssembleHelp();
246 return;
247 }
248 }
249 else if (!CMD.StartAddressStr.empty()) // was a custom start_address provided?
250 {
251 if (!SymbolConvertNameOrExprToAddress(CMD.StartAddressStr, &StartAddress))
252 {
253 ShowMessages("err, couldn't resolve Address at '%s'\n\n",
254 CMD.StartAddressStr.c_str());
255 CommandAssembleHelp();
256 return;
257 }
258 Address = StartAddress;
259 }
260 else
261 {
262 ShowMessages("warning, no start address provided to calculate relative asm commands\n\n");
263 }
264
265 AssembleData AssembleData;
266 AssembleData.AsmRaw = CMD.AsmSnippet; // third element
267 AssembleData.ParseAssemblyData();
268
269 if (AssembleData.Assemble(Address))
270 {
271 ShowMessages("err, code: '%u'\n\n", AssembleData.KsErr);
272 CommandAssembleHelp();
273 return;
274 }
275
276 if (ProcId == 0)
277 {
278 ProcId = GetCurrentProcessId();
279 }
280
281 if (Address) // was the user only trying to get the bytes?
282 {
283 if (HyperDbgWriteMemory(
284 (PVOID)Address,
285 MemoryType,
286 ProcId,
287 (PVOID)AssembleData.EncodedBytes,
288 (UINT32)AssembleData.BytesCount))
289 {
290 ShowMessages("successfully assembled at 0x%016llx address\n", static_cast<UINT64>(Address));
291 }
292 else
293 {
294 ShowMessages("failed to write generated assembly to memory\n");
295 }
296 }
297}
UINT64
unsigned __int64 UINT64
Definition BasicTypes.h:21
UINT32
unsigned int UINT32
Definition BasicTypes.h:48
Address
UINT64 Address
Definition HyperDbgScriptImports.h:67
EDIT_PHYSICAL_MEMORY
@ EDIT_PHYSICAL_MEMORY
Definition RequestStructures.h:463
EDIT_VIRTUAL_MEMORY
@ EDIT_VIRTUAL_MEMORY
Definition RequestStructures.h:462
DEBUGGER_EDIT_MEMORY_TYPE
enum _DEBUGGER_EDIT_MEMORY_TYPE DEBUGGER_EDIT_MEMORY_TYPE
different type of addresses for editing memory
ParseUserCmd
_CMD ParseUserCmd(const std::string &command)
Definition a.cpp:66
CommandAssembleHelp
VOID CommandAssembleHelp()
help of a and !a command
Definition a.cpp:43
g_ActiveProcessDebuggingState
ACTIVE_DEBUGGING_PROCESS g_ActiveProcessDebuggingState
State of active debugging thread.
Definition globals.h:362
_CMD
Definition a.cpp:17
AssembleData
Definition assembler.h:16
AssembleData::ParseAssemblyData
VOID ParseAssemblyData()
tries to solve the symbol issue with Keystone, which apparently originates from LLVM-MC.
Definition assembler.cpp:20
AssembleData::BytesCount
size_t BytesCount
Definition assembler.h:21
AssembleData::KsErr
ks_err KsErr
Definition assembler.h:24
AssembleData::EncodedBytes
unsigned char * EncodedBytes
Definition assembler.h:22
AssembleData::Assemble
INT Assemble(UINT64 StartAddr, ks_arch Arch=KS_ARCH_X86, INT Mode=KS_MODE_64, INT Syntax=KS_OPT_SYNTAX_INTEL)
Definition assembler.cpp:119
AssembleData::AsmRaw
std::string AsmRaw
Definition assembler.h:18
ConvertStringToUInt32
BOOLEAN ConvertStringToUInt32(string TextToConvert, PUINT32 Result)
check and convert string to a 32 bit unsigned it and also check for special notations like 0x etc.
Definition common.cpp:347
HyperDbgWriteMemory
BOOLEAN HyperDbgWriteMemory(PVOID DestinationAddress, DEBUGGER_EDIT_MEMORY_TYPE MemoryType, UINT32 ProcessId, PVOID SourceAddress, UINT32 NumberOfBytes)
API function for writing the memory content.
Definition e.cpp:193
ShowMessages
VOID ShowMessages(const char *Fmt,...)
Show messages.
Definition libhyperdbg.cpp:96
_ACTIVE_DEBUGGING_PROCESS::ProcessId
UINT32 ProcessId
Definition ud.h:51
_ACTIVE_DEBUGGING_PROCESS::IsActive
BOOLEAN IsActive
Definition ud.h:49
SymbolConvertNameOrExprToAddress
BOOLEAN SymbolConvertNameOrExprToAddress(const string &TextToConvert, PUINT64 Result)
check and convert string to a 64 bit unsigned integer and also check for symbol object names and eval...
Definition symbol.cpp:360

◆ CommandAssembleHelp()

VOID CommandAssembleHelp ( )

help of a and !a command

Returns
VOID
44{
45 ShowMessages("a !a : assembles snippet at specific address. symbols are supported.\n");
46 ShowMessages("\nIf you want to assemble to physical (address) memory then add '!' "
47 "at the start of the command\n");
48
49 ShowMessages("syntax : \ta [Address (hex)] [asm {AsmCmd1; AsmCmd2}] [pid ProcessId (hex)]\n");
50 ShowMessages("syntax : \t!a [Address (hex)] [asm {AsmCmd1; AsmCmd2}]\n");
51
52 ShowMessages("\n");
53 ShowMessages("\t\te.g : a fffff8077356f010 {nop; nop; nop} \n");
54 ShowMessages("\t\te.g : a nt!ExAllocatePoolWithTag+10+@rcx {jmp <nt!ExAllocatePoolWithTag+10>} \n");
55 ShowMessages("\t\te.g : a nt!ExAllocatePoolWithTag {add DWORD PTR [<nt!ExAllocatePoolWithTag+10+@rax>], 99} \n");
56 ShowMessages("\t\t note that within assembly snippet, symbols must be enclosed by \" <> \"\n");
57 ShowMessages("\t\t note that type specifier must be capital\n");
58
59 ShowMessages("\n");
60 ShowMessages("\tto merely view the byte code of an assembly snippet:\n");
61 ShowMessages("\t\ta {jmp <nt!ExAllocatePoolWithTag+10>} [StartAddress]\n");
62 ShowMessages("\t\t\"StartAddress\" is useful when dealing with relative instructions like \" jmp \" ");
63}

◆ ParseUserCmd()

_CMD ParseUserCmd ( const std::string & command)
67{
68 std::vector<std::string> CmdVec;
69 _CMD CMD {};
70 _CMD CmdEmpty {};
71
72 auto CmdIt = command.begin();
73 auto CmdEnd = command.end();
74
75 while (CmdIt != CmdEnd)
76 {
77 //
78 // skip leading whitespace
79 //
80 CmdIt = std::find_if_not(CmdIt, CmdEnd, ::isspace);
81 if (CmdIt == CmdEnd)
82 break;
83 if (*CmdIt == '{')
84 {
85 //
86 // find matching closing brace
87 //
88 auto CloseIt = std::find(CmdIt + 1, CmdEnd, '}');
89 if (CloseIt != CmdEnd)
90 {
91 if (CmdVec.size() < 2)
92 {
93 //
94 // if yes, asm snippet was provided right after "a" command (2nd index)
95 // i.e. no address were provided to assembling to
96 //
97 CmdVec.emplace_back(""); // emtpty addres string
98 }
99 std::string RawAsm(CmdIt + 1, CloseIt); // remove "{}"
100 CmdVec.emplace_back(RawAsm);
101 CmdIt = CloseIt + 1;
102 }
103 else
104 {
105 //
106 // no matching brace
107 //
108 ShowMessages("err, assembly snippet is not closed.");
109 }
110 }
111 else
112 {
113 //
114 // normal text, find next space
115 //
116 auto SpaceIt = std::find_if(CmdIt, CmdEnd, ::isspace);
117 CmdVec.emplace_back(CmdIt, SpaceIt);
118 CmdIt = SpaceIt;
119 }
120 }
121
122 //
123 // Check if there is any "pid"
124 //
125 auto PidIt = std::find_if(CmdVec.begin(), CmdVec.end(), [](const std::string & s) { return s.find("pid") != std::string::npos; });
126 if (PidIt != CmdVec.end())
127 {
128 bool IsLast = (PidIt == std::prev(CmdVec.end()));
129 bool IsSecondLast = (PidIt == std::prev(CmdVec.end(), 2));
130 if (!IsLast && !IsSecondLast)
131 {
132 ShowMessages("pid must be the last argument");
133 return CmdEmpty;
134 }
135 if (g_IsSerialConnectedToRemoteDebuggee)
136 {
137 ShowMessages(ASSERT_MESSAGE_CANNOT_SPECIFY_PID);
138 return CmdEmpty;
139 }
140
141 if (std::next(PidIt) != CmdVec.end()) // is there anything after "pid"?
142 {
143 CMD.ProcIdStr = std::string(*(++PidIt));
144 }
145 else
146 {
147 ShowMessages("no hex number was provided as process id\n\n");
148 return CmdEmpty;
149 }
150 }
151 else
152 {
153 //
154 // user didn't provide pid at all. ignoring.
155 //
156 }
157
158 //
159 // fill the CMD object. will be optimized later
160 //
161 if (CmdVec.size() > 0)
162 CMD.CommandStr = CmdVec.at(0);
163 if (CmdVec.size() > 1)
164 CMD.AddressStr = CmdVec.at(1);
165 if (CmdVec.size() > 2)
166 CMD.AsmSnippet = CmdVec.at(2);
167 if (CmdVec.size() > 3)
168 CMD.StartAddressStr = CmdVec.at(3);
169 // if (CmdVec.size() > 4) CMD.ProcId_str = CmdVec.at(5); 4 is the "pid" string
170
171 return CMD;
172}
g_IsSerialConnectedToRemoteDebuggee
BOOLEAN g_IsSerialConnectedToRemoteDebuggee
Shows if the debugger was connected to remote debuggee over (A remote guest)
Definition globals.h:231
ASSERT_MESSAGE_CANNOT_SPECIFY_PID
#define ASSERT_MESSAGE_CANNOT_SPECIFY_PID
Definition common.h:31

Variable Documentation

◆ g_ActiveProcessDebuggingState

ACTIVE_DEBUGGING_PROCESS g_ActiveProcessDebuggingState
extern

State of active debugging thread.

362{0};

◆ g_IsSerialConnectedToRemoteDebuggee

BOOLEAN g_IsSerialConnectedToRemoteDebuggee
extern

Shows if the debugger was connected to remote debuggee over (A remote guest)