HyperDbg Debugger
Loading...
Searching...
No Matches
commands.h File Reference

The hyperdbg command interpreter and driver connector. More...

Go to the source code of this file.

Classes

struct  _COMMAND_DETAIL
 Details of each command. More...

Macros

#define DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE   0x1
 Different attributes of commands.
#define DEBUGGER_COMMAND_ATTRIBUTE_EVENT   0x2 | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
#define DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_REMOTE_CONNECTION   0x4
#define DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER   0x8
#define DEBUGGER_COMMAND_ATTRIBUTE_WONT_STOP_DEBUGGER_AGAIN   0x10
#define DEBUGGER_COMMAND_ATTRIBUTE_HWDBG   0x20
#define DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_REMOTE_CONNECTION
 Absolute local commands.
#define DEBUGGER_COMMAND_CLEAR_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL
 Command's attributes.
#define DEBUGGER_COMMAND_HELP_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL
#define DEBUGGER_COMMAND_CONNECT_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL
#define DEBUGGER_COMMAND_LISTEN_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL
#define DEBUGGER_COMMAND_G_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL | DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER
#define DEBUGGER_COMMAND_GG_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL | DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER
#define DEBUGGER_COMMAND_ATTACH_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_WONT_STOP_DEBUGGER_AGAIN
#define DEBUGGER_COMMAND_DETACH_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_WONT_STOP_DEBUGGER_AGAIN
#define DEBUGGER_COMMAND_SWITCH_ATTRIBUTES   NULL
#define DEBUGGER_COMMAND_CONTINUE_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_WONT_STOP_DEBUGGER_AGAIN
#define DEBUGGER_COMMAND_PAUSE_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_WONT_STOP_DEBUGGER_AGAIN
#define DEBUGGER_COMMAND_START_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_WONT_STOP_DEBUGGER_AGAIN
#define DEBUGGER_COMMAND_RESTART_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_WONT_STOP_DEBUGGER_AGAIN
#define DEBUGGER_COMMAND_KILL_ATTRIBUTES   NULL
#define DEBUGGER_COMMAND_PROCESS_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
#define DEBUGGER_COMMAND_THREAD_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
#define DEBUGGER_COMMAND_SLEEP_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL
#define DEBUGGER_COMMAND_EVENTS_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
#define DEBUGGER_COMMAND_SETTINGS_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
#define DEBUGGER_COMMAND_DISCONNECT_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL
#define DEBUGGER_COMMAND_DEBUG_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL
#define DEBUGGER_COMMAND_DOT_STATUS_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL
#define DEBUGGER_COMMAND_STATUS_ATTRIBUTES   NULL
#define DEBUGGER_COMMAND_LOAD_ATTRIBUTES   NULL
#define DEBUGGER_COMMAND_EXIT_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL
#define DEBUGGER_COMMAND_FLUSH_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
#define DEBUGGER_COMMAND_UNLOAD_ATTRIBUTES   NULL
#define DEBUGGER_COMMAND_SCRIPT_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL
#define DEBUGGER_COMMAND_OUTPUT_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
#define DEBUGGER_COMMAND_PRINT_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER
#define DEBUGGER_COMMAND_EVAL_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER
#define DEBUGGER_COMMAND_LOGOPEN_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL
#define DEBUGGER_COMMAND_LOGCLOSE_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL
#define DEBUGGER_COMMAND_TEST_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
#define DEBUGGER_COMMAND_CPU_ATTRIBUTES   NULL
#define DEBUGGER_COMMAND_WRMSR_ATTRIBUTES   NULL
#define DEBUGGER_COMMAND_RDMSR_ATTRIBUTES   NULL
#define DEBUGGER_COMMAND_VA2PA_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
#define DEBUGGER_COMMAND_PA2VA_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
#define DEBUGGER_COMMAND_FORMATS_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER
#define DEBUGGER_COMMAND_PTE_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
#define DEBUGGER_COMMAND_APIC_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
#define DEBUGGER_COMMAND_IOAPIC_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
#define DEBUGGER_COMMAND_CORE_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
#define DEBUGGER_COMMAND_MONITOR_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT
#define DEBUGGER_COMMAND_VMCALL_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT
#define DEBUGGER_COMMAND_EPTHOOK_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT
#define DEBUGGER_COMMAND_EPTHOOK2_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT
#define DEBUGGER_COMMAND_CPUID_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT
#define DEBUGGER_COMMAND_XSETBV_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT
#define DEBUGGER_COMMAND_MSRREAD_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT
#define DEBUGGER_COMMAND_MSRWRITE_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT
#define DEBUGGER_COMMAND_TSC_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT
#define DEBUGGER_COMMAND_PMC_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT
#define DEBUGGER_COMMAND_CRWRITE_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT
#define DEBUGGER_COMMAND_DR_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT
#define DEBUGGER_COMMAND_IOIN_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT
#define DEBUGGER_COMMAND_IOOUT_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT
#define DEBUGGER_COMMAND_EXCEPTION_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT
#define DEBUGGER_COMMAND_INTERRUPT_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT
#define DEBUGGER_COMMAND_SYSCALL_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT
#define DEBUGGER_COMMAND_SYSRET_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT
#define DEBUGGER_COMMAND_MODE_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT
#define DEBUGGER_COMMAND_TRACE_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT
#define DEBUGGER_COMMAND_HIDE_ATTRIBUTES   NULL
#define DEBUGGER_COMMAND_UNHIDE_ATTRIBUTES   NULL
#define DEBUGGER_COMMAND_MEASURE_ATTRIBUTES   NULL
#define DEBUGGER_COMMAND_LM_ATTRIBUTES   NULL
#define DEBUGGER_COMMAND_P_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER
#define DEBUGGER_COMMAND_T_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER
#define DEBUGGER_COMMAND_I_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER
#define DEBUGGER_COMMAND_D_AND_U_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER
#define DEBUGGER_COMMAND_E_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
#define DEBUGGER_COMMAND_S_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
#define DEBUGGER_COMMAND_R_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER
#define DEBUGGER_COMMAND_BP_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
#define DEBUGGER_COMMAND_BE_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
#define DEBUGGER_COMMAND_BD_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
#define DEBUGGER_COMMAND_BC_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
#define DEBUGGER_COMMAND_BL_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
#define DEBUGGER_COMMAND_SYMPATH_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
#define DEBUGGER_COMMAND_SYM_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
#define DEBUGGER_COMMAND_X_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
#define DEBUGGER_COMMAND_PREALLOC_ATTRIBUTES   NULL
#define DEBUGGER_COMMAND_PREACTIVATE_ATTRIBUTES   NULL
#define DEBUGGER_COMMAND_K_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
#define DEBUGGER_COMMAND_DT_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER
#define DEBUGGER_COMMAND_STRUCT_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
#define DEBUGGER_COMMAND_PE_ATTRIBUTES   NULL
#define DEBUGGER_COMMAND_REV_ATTRIBUTES   NULL
#define DEBUGGER_COMMAND_TRACK_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
#define DEBUGGER_COMMAND_PAGEIN_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
#define DEBUGGER_COMMAND_DUMP_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
#define DEBUGGER_COMMAND_GU_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER
#define DEBUGGER_COMMAND_HWDBG_HW_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_HWDBG
#define DEBUGGER_COMMAND_HWDBG_HW_CLK_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_HWDBG
#define DEBUGGER_COMMAND_A_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
#define DEBUGGER_COMMAND_PCITREE_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
#define DEBUGGER_COMMAND_PCICAM_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
#define DEBUGGER_COMMAND_IDT_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
#define DEBUGGER_COMMAND_SMI_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
#define DEBUGGER_COMMAND_LBR_ATTRIBUTES   NULL
#define DEBUGGER_COMMAND_LBRDUMP_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
#define DEBUGGER_COMMAND_PT_ATTRIBUTES   NULL

Typedefs

typedef std::tuple< CommandParsingTokenType, std::string, std::string > CommandToken
 Command's parsing type.
typedef VOID(* CommandFuncTypeParser) (vector< CommandToken > CommandTokens, string Command)
 Command's function type.
typedef VOID(* CommandHelpFuncType) ()
 Command's help function type.
typedef struct _COMMAND_DETAIL COMMAND_DETAIL
 Details of each command.
typedef struct _COMMAND_DETAILPCOMMAND_DETAIL
typedef std::map< std::string, COMMAND_DETAILCommandType
 Type saving commands and mapping to command string.

Enumerations

enum  CommandParsingTokenType { Num , String , StringLiteral , BracketString }
 Command's parsing type (enum). More...

Functions

VOID CommandSettingsLoadDefaultValuesFromConfigFile ()
 Loads default settings values from config file.
VOID CommandSettingsSetValueFromConfigFile (std::string OptionName, std::string OptionValue)
 Sets the setting values from config file.
BOOLEAN CommandSettingsGetValueFromConfigFile (std::string OptionName, std::string &OptionValue)
 Gets the setting values from config file.
VOID CpuReadVendorString (CHAR *Result)
 Reads the CPU vendor string.
INT ReadCpuDetails ()
 Print out supported instruction set extensions.
VOID ShowMessages (const CHAR *Fmt,...)
 Show messages.
string SeparateTo64BitValue (UINT64 Value)
VOID ShowMemoryCommandDB (UCHAR *OutputBuffer, UINT32 Size, UINT64 Address, DEBUGGER_READ_MEMORY_TYPE MemoryType, UINT64 Length)
 Show memory in bytes (DB).
VOID ShowMemoryCommandDD (UCHAR *OutputBuffer, UINT32 Size, UINT64 Address, DEBUGGER_READ_MEMORY_TYPE MemoryType, UINT64 Length)
 Show memory in dword format (DD).
VOID ShowMemoryCommandDC (UCHAR *OutputBuffer, UINT32 Size, UINT64 Address, DEBUGGER_READ_MEMORY_TYPE MemoryType, UINT64 Length)
 Show memory in dword format (DC).
VOID ShowMemoryCommandDQ (UCHAR *OutputBuffer, UINT32 Size, UINT64 Address, DEBUGGER_READ_MEMORY_TYPE MemoryType, UINT64 Length)
 Show memory in qword format (DQ).
VOID CommandPteShowResults (UINT64 TargetVa, PDEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS PteRead)
 show results of !pte command
DEBUGGER_CONDITIONAL_JUMP_STATUS HyperDbgIsConditionalJumpTaken (UCHAR *BufferToDisassemble, UINT64 BuffLength, RFLAGS Rflags, BOOLEAN Isx86_64)
 Check whether the jump is taken or not taken (in debugger).
INT HyperDbgDisassembler64 (UCHAR *BufferToDisassemble, UINT64 BaseAddress, UINT64 Size, UINT32 MaximumInstrDecoded, BOOLEAN ShowBranchIsTakenOrNot, PRFLAGS Rflags)
 Disassemble x64 assemblies.
INT HyperDbgDisassembler32 (UCHAR *BufferToDisassemble, UINT64 BaseAddress, UINT64 Size, UINT32 MaximumInstrDecoded, BOOLEAN ShowBranchIsTakenOrNot, PRFLAGS Rflags)
 Disassemble 32 bit assemblies.
UINT32 HyperDbgLengthDisassemblerEngine (UCHAR *BufferToDisassemble, UINT64 BuffLength, BOOLEAN Isx86_64)
 Length Disassembler engine based on Zydis.
BOOLEAN HyperDbgCheckWhetherTheCurrentInstructionIsCall (UCHAR *BufferToDisassemble, UINT64 BuffLength, BOOLEAN Isx86_64, PUINT32 CallLength)
 Check whether the current instruction is a 'call' or not.
BOOLEAN HyperDbgCheckWhetherTheCurrentInstructionIsCallOrRet (UCHAR *BufferToDisassemble, UINT64 CurrentRip, UINT32 BuffLength, BOOLEAN Isx86_64, PBOOLEAN IsRet)
 Check whether the current instruction is a 'call' or 'ret' or not.
BOOLEAN HyperDbgCheckWhetherTheCurrentInstructionIsRet (UCHAR *BufferToDisassemble, UINT64 BuffLength, BOOLEAN Isx86_64)
 Check whether the current instruction is a 'ret' or not.
UINT32 HyperDbgGetImmediateValueOnEaxForSyscallNumber (UCHAR *BufferToDisassemble, UINT64 BuffLength, BOOLEAN Isx86_64)
 Get immediate value on EAX register.
VOID HyperDbgShowMemoryOrDisassemble (DEBUGGER_SHOW_MEMORY_STYLE Style, UINT64 Address, DEBUGGER_READ_MEMORY_TYPE MemoryType, DEBUGGER_READ_READING_TYPE ReadingType, UINT32 Pid, UINT32 Size, PDEBUGGER_DT_COMMAND_OPTIONS DtDetails)
 Show memory or disassembler.
BOOLEAN HyperDbgReadMemory (UINT64 TargetAddress, DEBUGGER_READ_MEMORY_TYPE MemoryType, DEBUGGER_READ_READING_TYPE ReadingType, UINT32 Pid, UINT32 Size, BOOLEAN GetAddressMode, DEBUGGER_READ_MEMORY_ADDRESS_MODE *AddressMode, BYTE *TargetBufferToStore, UINT32 *ReturnLength)
 Read memory and disassembler.
VOID InitializeCommandsDictionary ()
 Initialize commands and attributes.
VOID InitializeDebugger ()
 Initialize the debugger and adjust commands for the first run.
BOOLEAN CheckMultilineCommand (CHAR *CurrentCommand, BOOLEAN Reset)
 check for multi-line commands
BOOLEAN ContinuePreviousCommand ()
 Some of commands like stepping commands (i, p, t) and etc. need to be repeated when the user press enter, this function shows whether we should continue the previous command or not.
VOID CommandDumpSaveIntoFile (PVOID Buffer, UINT32 Length)
 Saves the received buffers into the files.
VOID CommandTest (vector< CommandToken > CommandTokens, string Command)
 test command handler
VOID CommandCls (vector< CommandToken > CommandTokens, string Command)
 .cls command handler
VOID CommandReadMemoryAndDisassembler (vector< CommandToken > CommandTokens, string Command)
 u* d* !u* !d* commands handler
VOID CommandConnect (vector< CommandToken > CommandTokens, string Command)
 .connect command handler
VOID CommandLoad (vector< CommandToken > CommandTokens, string Command)
 load command handler
VOID CommandUnload (vector< CommandToken > CommandTokens, string Command)
 unload command handler
VOID CommandScript (vector< CommandToken > CommandTokens, string Command)
 .script command handler
VOID CommandCpu (vector< CommandToken > CommandTokens, string Command)
 cpu command handler
VOID CommandExit (vector< CommandToken > CommandTokens, string Command)
 exit command handler
VOID CommandDisconnect (vector< CommandToken > CommandTokens, string Command)
 .disconnect command handler
VOID CommandFormats (vector< CommandToken > CommandTokens, string Command)
 handler of .formats command
VOID CommandRdmsr (vector< CommandToken > CommandTokens, string Command)
 rdmsr command handler
VOID CommandWrmsr (vector< CommandToken > CommandTokens, string Command)
 wrmsr command handler
VOID CommandPte (vector< CommandToken > CommandTokens, string Command)
 !pte command handler
VOID CommandMonitor (vector< CommandToken > CommandTokens, string Command)
 !monitor command handler
VOID CommandSyscallAndSysret (vector< CommandToken > CommandTokens, string Command)
 !syscall, !syscall2 and !sysret, !sysret2 commands handler
VOID CommandEptHook (vector< CommandToken > CommandTokens, string Command)
 !epthook command handler
VOID CommandEptHook2 (vector< CommandToken > CommandTokens, string Command)
 !epthook2 command handler
VOID CommandCpuid (vector< CommandToken > CommandTokens, string Command)
 !cpuid command handler
VOID CommandMsrread (vector< CommandToken > CommandTokens, string Command)
 !msrread command handler
VOID CommandMsrwrite (vector< CommandToken > CommandTokens, string Command)
 !msrwrite command handler
VOID CommandTsc (vector< CommandToken > CommandTokens, string Command)
 handler of !tsc command
VOID CommandPmc (vector< CommandToken > CommandTokens, string Command)
 !pmc command handler
VOID CommandException (vector< CommandToken > CommandTokens, string Command)
 !exception command handler
VOID CommandCrwrite (vector< CommandToken > CommandTokens, string Command)
 !crwrite command handler
VOID CommandDr (vector< CommandToken > CommandTokens, string Command)
 !dr command handler
VOID CommandInterrupt (vector< CommandToken > CommandTokens, string Command)
 !interrupt command handler
VOID CommandIoin (vector< CommandToken > CommandTokens, string Command)
 !ioin command handler
VOID CommandIoout (vector< CommandToken > CommandTokens, string Command)
 !ioout command handler
VOID CommandVmcall (vector< CommandToken > CommandTokens, string Command)
 !vmcall command handler
VOID CommandMode (vector< CommandToken > CommandTokens, string Command)
 !mode command handler
VOID CommandTrace (vector< CommandToken > CommandTokens, string Command)
 !trace command handler
VOID CommandHide (vector< CommandToken > CommandTokens, string Command)
 !hide command handler
VOID CommandUnhide (vector< CommandToken > CommandTokens, string Command)
 !unhide command handler
VOID CommandLogopen (vector< CommandToken > CommandTokens, string Command)
 .logopen command handler
VOID CommandLogclose (vector< CommandToken > CommandTokens, string Command)
 .logclose command handler
VOID CommandVa2pa (vector< CommandToken > CommandTokens, string Command)
 !va2pa command handler
VOID CommandPa2va (vector< CommandToken > CommandTokens, string Command)
 !pa2va command handler
VOID CommandEvents (vector< CommandToken > CommandTokens, string Command)
 events command handler
VOID CommandG (vector< CommandToken > CommandTokens, string Command)
 handler of g command
VOID CommandContinue (vector< CommandToken > CommandTokens, string Command)
 handler of continue command
VOID CommandGg (vector< CommandToken > CommandTokens, string Command)
 gg command handler
VOID CommandLm (vector< CommandToken > CommandTokens, string Command)
 handle lm command
VOID CommandSleep (vector< CommandToken > CommandTokens, string Command)
 sleep command help
VOID CommandEditMemory (vector< CommandToken > CommandTokens, string Command)
 !e* and e* commands handler
VOID CommandSearchMemory (vector< CommandToken > CommandTokens, string Command)
 !s* s* commands handler
VOID CommandMeasure (vector< CommandToken > CommandTokens, string Command)
 !measure command handler
VOID CommandSettings (vector< CommandToken > CommandTokens, string Command)
 settings command handler
VOID CommandFlush (vector< CommandToken > CommandTokens, string Command)
 flush command handler
VOID CommandPause (vector< CommandToken > CommandTokens, string Command)
 pause command handler
VOID CommandListen (vector< CommandToken > CommandTokens, string Command)
 listen command handler
VOID CommandStatus (vector< CommandToken > CommandTokens, string Command)
 .status and status command handler
VOID CommandAttach (vector< CommandToken > CommandTokens, string Command)
 .attach command handler
VOID CommandDetach (vector< CommandToken > CommandTokens, string Command)
 .detach command handler
VOID CommandStart (vector< CommandToken > CommandTokens, string Command)
 .start command handler
VOID CommandRestart (vector< CommandToken > CommandTokens, string Command)
 .restart command handler
VOID CommandSwitch (vector< CommandToken > CommandTokens, string Command)
 .switch command handler
VOID CommandKill (vector< CommandToken > CommandTokens, string Command)
 .kill command handler
VOID CommandT (vector< CommandToken > CommandTokens, string Command)
 handler of t command
VOID CommandI (vector< CommandToken > CommandTokens, string Command)
 handler of i command
VOID CommandPrint (vector< CommandToken > CommandTokens, string Command)
 handler of print command
VOID CommandOutput (vector< CommandToken > CommandTokens, string Command)
 output command handler
VOID CommandDebug (vector< CommandToken > CommandTokens, string Command)
 .debug command handler
VOID CommandP (vector< CommandToken > CommandTokens, string Command)
 handler of p command
VOID CommandCore (vector< CommandToken > CommandTokens, string Command)
 ~ command handler
VOID CommandProcess (vector< CommandToken > CommandTokens, string Command)
 .process command handler
VOID CommandThread (vector< CommandToken > CommandTokens, string Command)
 .thread command handler
VOID CommandEval (vector< CommandToken > CommandTokens, string Command)
 handler of ? command
VOID CommandR (vector< CommandToken > CommandTokens, string Command)
 handler of r command
VOID CommandBp (vector< CommandToken > CommandTokens, string Command)
 bp command handler
VOID CommandBl (vector< CommandToken > CommandTokens, string Command)
 handler of the bl command
VOID CommandBe (vector< CommandToken > CommandTokens, string Command)
 handler of be command
VOID CommandBd (vector< CommandToken > CommandTokens, string Command)
 handler of bd command
VOID CommandBc (vector< CommandToken > CommandTokens, string Command)
 handler of bc command
VOID CommandSympath (vector< CommandToken > CommandTokens, string Command)
 .sympath command handler
VOID CommandSym (vector< CommandToken > CommandTokens, string Command)
 .sym command handler
VOID CommandX (vector< CommandToken > CommandTokens, string Command)
 x command handler
VOID CommandPrealloc (vector< CommandToken > CommandTokens, string Command)
 prealloc command handler
VOID CommandPreactivate (vector< CommandToken > CommandTokens, string Command)
 preactivate command handler
VOID CommandDtAndStruct (vector< CommandToken > CommandTokens, string Command)
 dt and struct command handler
VOID CommandK (vector< CommandToken > CommandTokens, string Command)
 k command handler
VOID CommandPe (vector< CommandToken > CommandTokens, string Command)
 .pe command handler
VOID CommandRev (vector< CommandToken > CommandTokens, string Command)
 !rev command handler
VOID CommandApic (vector< CommandToken > CommandTokens, string Command)
 !apic command handler
VOID CommandIoapic (vector< CommandToken > CommandTokens, string Command)
 !ioapic command handler
VOID CommandTrack (vector< CommandToken > CommandTokens, string Command)
 handler of !track command
VOID CommandPagein (vector< CommandToken > CommandTokens, string Command)
 .pagein command handler
VOID CommandDump (vector< CommandToken > CommandTokens, string Command)
 .dump command handler
VOID CommandGu (vector< CommandToken > CommandTokens, string Command)
 handler of gu command
VOID CommandAssemble (vector< CommandToken > CommandTokens, string Command)
 a and !a commands handler
VOID CommandPcitree (vector< CommandToken > CommandTokens, string Command)
 !pcitree command handler
VOID CommandPcicam (vector< CommandToken > CommandTokens, string Command)
 !pcicam command handler
VOID CommandIdt (vector< CommandToken > CommandTokens, string Command)
 !idt command handler
VOID CommandSmi (vector< CommandToken > CommandTokens, string Command)
 !smi command handler
VOID CommandLbr (vector< CommandToken > CommandTokens, string Command)
 !lbr command handler
VOID CommandLbrdump (vector< CommandToken > CommandTokens, string Command)
 !lbrdump command handler
VOID CommandPt (vector< CommandToken > CommandTokens, string Command)
 !pt command handler
VOID CommandHwClk (vector< CommandToken > CommandTokens, string Command)
 !hw_clk command handler
VOID CommandHw (vector< CommandToken > CommandTokens, string Command)
 !hw command handler
VOID CommandXsetbv (vector< CommandToken > CommandTokens, string Command)
 !xsetbv command handler
VOID CommandXsetbvHelp ()
 help of the !xsetbv command

Variables

HANDLE g_DeviceHandle
 Holds the global handle of device which is used to send the request to the kernel by IOCTL, this handle is not used for IRP Pending of message tracing this handle is used in KD VMM.

Detailed Description

The hyperdbg command interpreter and driver connector.

Author
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
Alee Amini (alee@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
Version
0.1
Date
2020-04-11

Macro Definition Documentation

◆ DEBUGGER_COMMAND_A_ATTRIBUTES

#define DEBUGGER_COMMAND_A_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
465#define DEBUGGER_COMMAND_A_ATTRIBUTES \
466 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

◆ DEBUGGER_COMMAND_APIC_ATTRIBUTES

#define DEBUGGER_COMMAND_APIC_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

◆ DEBUGGER_COMMAND_ATTACH_ATTRIBUTES

#define DEBUGGER_COMMAND_ATTACH_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_WONT_STOP_DEBUGGER_AGAIN

◆ DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL

Absolute local commands.

224#define DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL \
225 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_REMOTE_CONNECTION

◆ DEBUGGER_COMMAND_ATTRIBUTE_EVENT

#define DEBUGGER_COMMAND_ATTRIBUTE_EVENT   0x2 | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

◆ DEBUGGER_COMMAND_ATTRIBUTE_HWDBG

#define DEBUGGER_COMMAND_ATTRIBUTE_HWDBG   0x20

◆ DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

#define DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE   0x1

Different attributes of commands.

◆ DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_REMOTE_CONNECTION

#define DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_REMOTE_CONNECTION   0x4

◆ DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER

#define DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER   0x8

◆ DEBUGGER_COMMAND_ATTRIBUTE_WONT_STOP_DEBUGGER_AGAIN

#define DEBUGGER_COMMAND_ATTRIBUTE_WONT_STOP_DEBUGGER_AGAIN   0x10

◆ DEBUGGER_COMMAND_BC_ATTRIBUTES

#define DEBUGGER_COMMAND_BC_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
419#define DEBUGGER_COMMAND_BC_ATTRIBUTES \
420 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

◆ DEBUGGER_COMMAND_BD_ATTRIBUTES

#define DEBUGGER_COMMAND_BD_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
416#define DEBUGGER_COMMAND_BD_ATTRIBUTES \
417 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

◆ DEBUGGER_COMMAND_BE_ATTRIBUTES

#define DEBUGGER_COMMAND_BE_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
413#define DEBUGGER_COMMAND_BE_ATTRIBUTES \
414 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

◆ DEBUGGER_COMMAND_BL_ATTRIBUTES

#define DEBUGGER_COMMAND_BL_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
422#define DEBUGGER_COMMAND_BL_ATTRIBUTES \
423 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

◆ DEBUGGER_COMMAND_BP_ATTRIBUTES

#define DEBUGGER_COMMAND_BP_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
410#define DEBUGGER_COMMAND_BP_ATTRIBUTES \
411 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

◆ DEBUGGER_COMMAND_CLEAR_ATTRIBUTES

#define DEBUGGER_COMMAND_CLEAR_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL

Command's attributes.

231#define DEBUGGER_COMMAND_CLEAR_ATTRIBUTES \
232 DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL

◆ DEBUGGER_COMMAND_CONNECT_ATTRIBUTES

#define DEBUGGER_COMMAND_CONNECT_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL
237#define DEBUGGER_COMMAND_CONNECT_ATTRIBUTES \
238 DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL

◆ DEBUGGER_COMMAND_CONTINUE_ATTRIBUTES

#define DEBUGGER_COMMAND_CONTINUE_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_WONT_STOP_DEBUGGER_AGAIN

◆ DEBUGGER_COMMAND_CORE_ATTRIBUTES

#define DEBUGGER_COMMAND_CORE_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
338#define DEBUGGER_COMMAND_CORE_ATTRIBUTES \
339 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

◆ DEBUGGER_COMMAND_CPU_ATTRIBUTES

#define DEBUGGER_COMMAND_CPU_ATTRIBUTES   NULL

◆ DEBUGGER_COMMAND_CPUID_ATTRIBUTES

#define DEBUGGER_COMMAND_CPUID_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT

◆ DEBUGGER_COMMAND_CRWRITE_ATTRIBUTES

#define DEBUGGER_COMMAND_CRWRITE_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT

◆ DEBUGGER_COMMAND_D_AND_U_ATTRIBUTES

398#define DEBUGGER_COMMAND_D_AND_U_ATTRIBUTES \
399 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER

◆ DEBUGGER_COMMAND_DEBUG_ATTRIBUTES

#define DEBUGGER_COMMAND_DEBUG_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL
281#define DEBUGGER_COMMAND_DEBUG_ATTRIBUTES \
282 DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL

◆ DEBUGGER_COMMAND_DETACH_ATTRIBUTES

#define DEBUGGER_COMMAND_DETACH_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_WONT_STOP_DEBUGGER_AGAIN

◆ DEBUGGER_COMMAND_DISCONNECT_ATTRIBUTES

#define DEBUGGER_COMMAND_DISCONNECT_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL
278#define DEBUGGER_COMMAND_DISCONNECT_ATTRIBUTES \
279 DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL

◆ DEBUGGER_COMMAND_DOT_STATUS_ATTRIBUTES

#define DEBUGGER_COMMAND_DOT_STATUS_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL
284#define DEBUGGER_COMMAND_DOT_STATUS_ATTRIBUTES \
285 DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL

◆ DEBUGGER_COMMAND_DR_ATTRIBUTES

#define DEBUGGER_COMMAND_DR_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT

◆ DEBUGGER_COMMAND_DT_ATTRIBUTES

441#define DEBUGGER_COMMAND_DT_ATTRIBUTES \
442 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER

◆ DEBUGGER_COMMAND_DUMP_ATTRIBUTES

#define DEBUGGER_COMMAND_DUMP_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
455#define DEBUGGER_COMMAND_DUMP_ATTRIBUTES \
456 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

◆ DEBUGGER_COMMAND_E_ATTRIBUTES

#define DEBUGGER_COMMAND_E_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
401#define DEBUGGER_COMMAND_E_ATTRIBUTES \
402 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

◆ DEBUGGER_COMMAND_EPTHOOK2_ATTRIBUTES

#define DEBUGGER_COMMAND_EPTHOOK2_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT

◆ DEBUGGER_COMMAND_EPTHOOK_ATTRIBUTES

#define DEBUGGER_COMMAND_EPTHOOK_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT

◆ DEBUGGER_COMMAND_EVAL_ATTRIBUTES

308#define DEBUGGER_COMMAND_EVAL_ATTRIBUTES \
309 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER

◆ DEBUGGER_COMMAND_EVENTS_ATTRIBUTES

#define DEBUGGER_COMMAND_EVENTS_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
272#define DEBUGGER_COMMAND_EVENTS_ATTRIBUTES \
273 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

◆ DEBUGGER_COMMAND_EXCEPTION_ATTRIBUTES

#define DEBUGGER_COMMAND_EXCEPTION_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT

◆ DEBUGGER_COMMAND_EXIT_ATTRIBUTES

#define DEBUGGER_COMMAND_EXIT_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL
291#define DEBUGGER_COMMAND_EXIT_ATTRIBUTES \
292 DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL

◆ DEBUGGER_COMMAND_FLUSH_ATTRIBUTES

#define DEBUGGER_COMMAND_FLUSH_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
294#define DEBUGGER_COMMAND_FLUSH_ATTRIBUTES \
295 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

◆ DEBUGGER_COMMAND_FORMATS_ATTRIBUTES

329#define DEBUGGER_COMMAND_FORMATS_ATTRIBUTES \
330 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER

◆ DEBUGGER_COMMAND_G_ATTRIBUTES

◆ DEBUGGER_COMMAND_GG_ATTRIBUTES

◆ DEBUGGER_COMMAND_GU_ATTRIBUTES

458#define DEBUGGER_COMMAND_GU_ATTRIBUTES \
459 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER

◆ DEBUGGER_COMMAND_HELP_ATTRIBUTES

#define DEBUGGER_COMMAND_HELP_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL
234#define DEBUGGER_COMMAND_HELP_ATTRIBUTES \
235 DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL

◆ DEBUGGER_COMMAND_HIDE_ATTRIBUTES

#define DEBUGGER_COMMAND_HIDE_ATTRIBUTES   NULL

◆ DEBUGGER_COMMAND_HWDBG_HW_ATTRIBUTES

#define DEBUGGER_COMMAND_HWDBG_HW_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_HWDBG

◆ DEBUGGER_COMMAND_HWDBG_HW_CLK_ATTRIBUTES

#define DEBUGGER_COMMAND_HWDBG_HW_CLK_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_HWDBG

◆ DEBUGGER_COMMAND_I_ATTRIBUTES

395#define DEBUGGER_COMMAND_I_ATTRIBUTES \
396 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER

◆ DEBUGGER_COMMAND_IDT_ATTRIBUTES

#define DEBUGGER_COMMAND_IDT_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
474#define DEBUGGER_COMMAND_IDT_ATTRIBUTES \
475 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

◆ DEBUGGER_COMMAND_INTERRUPT_ATTRIBUTES

#define DEBUGGER_COMMAND_INTERRUPT_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT

◆ DEBUGGER_COMMAND_IOAPIC_ATTRIBUTES

#define DEBUGGER_COMMAND_IOAPIC_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

◆ DEBUGGER_COMMAND_IOIN_ATTRIBUTES

#define DEBUGGER_COMMAND_IOIN_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT

◆ DEBUGGER_COMMAND_IOOUT_ATTRIBUTES

#define DEBUGGER_COMMAND_IOOUT_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT

◆ DEBUGGER_COMMAND_K_ATTRIBUTES

#define DEBUGGER_COMMAND_K_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
438#define DEBUGGER_COMMAND_K_ATTRIBUTES \
439 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

◆ DEBUGGER_COMMAND_KILL_ATTRIBUTES

#define DEBUGGER_COMMAND_KILL_ATTRIBUTES   NULL

◆ DEBUGGER_COMMAND_LBR_ATTRIBUTES

#define DEBUGGER_COMMAND_LBR_ATTRIBUTES   NULL
480#define DEBUGGER_COMMAND_LBR_ATTRIBUTES \
481 NULL

◆ DEBUGGER_COMMAND_LBRDUMP_ATTRIBUTES

#define DEBUGGER_COMMAND_LBRDUMP_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
483#define DEBUGGER_COMMAND_LBRDUMP_ATTRIBUTES \
484 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

◆ DEBUGGER_COMMAND_LISTEN_ATTRIBUTES

#define DEBUGGER_COMMAND_LISTEN_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL
240#define DEBUGGER_COMMAND_LISTEN_ATTRIBUTES \
241 DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL

◆ DEBUGGER_COMMAND_LM_ATTRIBUTES

#define DEBUGGER_COMMAND_LM_ATTRIBUTES   NULL

◆ DEBUGGER_COMMAND_LOAD_ATTRIBUTES

#define DEBUGGER_COMMAND_LOAD_ATTRIBUTES   NULL

◆ DEBUGGER_COMMAND_LOGCLOSE_ATTRIBUTES

#define DEBUGGER_COMMAND_LOGCLOSE_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL
314#define DEBUGGER_COMMAND_LOGCLOSE_ATTRIBUTES \
315 DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL

◆ DEBUGGER_COMMAND_LOGOPEN_ATTRIBUTES

#define DEBUGGER_COMMAND_LOGOPEN_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL
311#define DEBUGGER_COMMAND_LOGOPEN_ATTRIBUTES \
312 DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL

◆ DEBUGGER_COMMAND_MEASURE_ATTRIBUTES

#define DEBUGGER_COMMAND_MEASURE_ATTRIBUTES   NULL

◆ DEBUGGER_COMMAND_MODE_ATTRIBUTES

#define DEBUGGER_COMMAND_MODE_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT

◆ DEBUGGER_COMMAND_MONITOR_ATTRIBUTES

#define DEBUGGER_COMMAND_MONITOR_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT

◆ DEBUGGER_COMMAND_MSRREAD_ATTRIBUTES

#define DEBUGGER_COMMAND_MSRREAD_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT

◆ DEBUGGER_COMMAND_MSRWRITE_ATTRIBUTES

#define DEBUGGER_COMMAND_MSRWRITE_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT

◆ DEBUGGER_COMMAND_OUTPUT_ATTRIBUTES

#define DEBUGGER_COMMAND_OUTPUT_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
302#define DEBUGGER_COMMAND_OUTPUT_ATTRIBUTES \
303 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

◆ DEBUGGER_COMMAND_P_ATTRIBUTES

389#define DEBUGGER_COMMAND_P_ATTRIBUTES \
390 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER

◆ DEBUGGER_COMMAND_PA2VA_ATTRIBUTES

#define DEBUGGER_COMMAND_PA2VA_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

◆ DEBUGGER_COMMAND_PAGEIN_ATTRIBUTES

#define DEBUGGER_COMMAND_PAGEIN_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

◆ DEBUGGER_COMMAND_PAUSE_ATTRIBUTES

#define DEBUGGER_COMMAND_PAUSE_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_WONT_STOP_DEBUGGER_AGAIN

◆ DEBUGGER_COMMAND_PCICAM_ATTRIBUTES

#define DEBUGGER_COMMAND_PCICAM_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
471#define DEBUGGER_COMMAND_PCICAM_ATTRIBUTES \
472 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

◆ DEBUGGER_COMMAND_PCITREE_ATTRIBUTES

#define DEBUGGER_COMMAND_PCITREE_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
468#define DEBUGGER_COMMAND_PCITREE_ATTRIBUTES \
469 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

◆ DEBUGGER_COMMAND_PE_ATTRIBUTES

#define DEBUGGER_COMMAND_PE_ATTRIBUTES   NULL

◆ DEBUGGER_COMMAND_PMC_ATTRIBUTES

#define DEBUGGER_COMMAND_PMC_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT

◆ DEBUGGER_COMMAND_PREACTIVATE_ATTRIBUTES

#define DEBUGGER_COMMAND_PREACTIVATE_ATTRIBUTES   NULL

◆ DEBUGGER_COMMAND_PREALLOC_ATTRIBUTES

#define DEBUGGER_COMMAND_PREALLOC_ATTRIBUTES   NULL

◆ DEBUGGER_COMMAND_PRINT_ATTRIBUTES

305#define DEBUGGER_COMMAND_PRINT_ATTRIBUTES \
306 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER

◆ DEBUGGER_COMMAND_PROCESS_ATTRIBUTES

#define DEBUGGER_COMMAND_PROCESS_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
263#define DEBUGGER_COMMAND_PROCESS_ATTRIBUTES \
264 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

◆ DEBUGGER_COMMAND_PT_ATTRIBUTES

#define DEBUGGER_COMMAND_PT_ATTRIBUTES   NULL
486#define DEBUGGER_COMMAND_PT_ATTRIBUTES \
487 NULL

◆ DEBUGGER_COMMAND_PTE_ATTRIBUTES

#define DEBUGGER_COMMAND_PTE_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

◆ DEBUGGER_COMMAND_R_ATTRIBUTES

407#define DEBUGGER_COMMAND_R_ATTRIBUTES \
408 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER

◆ DEBUGGER_COMMAND_RDMSR_ATTRIBUTES

#define DEBUGGER_COMMAND_RDMSR_ATTRIBUTES   NULL

◆ DEBUGGER_COMMAND_RESTART_ATTRIBUTES

#define DEBUGGER_COMMAND_RESTART_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_WONT_STOP_DEBUGGER_AGAIN

◆ DEBUGGER_COMMAND_REV_ATTRIBUTES

#define DEBUGGER_COMMAND_REV_ATTRIBUTES   NULL

◆ DEBUGGER_COMMAND_S_ATTRIBUTES

#define DEBUGGER_COMMAND_S_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
404#define DEBUGGER_COMMAND_S_ATTRIBUTES \
405 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

◆ DEBUGGER_COMMAND_SCRIPT_ATTRIBUTES

#define DEBUGGER_COMMAND_SCRIPT_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL
299#define DEBUGGER_COMMAND_SCRIPT_ATTRIBUTES \
300 DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL

◆ DEBUGGER_COMMAND_SETTINGS_ATTRIBUTES

#define DEBUGGER_COMMAND_SETTINGS_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
275#define DEBUGGER_COMMAND_SETTINGS_ATTRIBUTES \
276 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

◆ DEBUGGER_COMMAND_SLEEP_ATTRIBUTES

#define DEBUGGER_COMMAND_SLEEP_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL
269#define DEBUGGER_COMMAND_SLEEP_ATTRIBUTES \
270 DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL

◆ DEBUGGER_COMMAND_SMI_ATTRIBUTES

#define DEBUGGER_COMMAND_SMI_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
477#define DEBUGGER_COMMAND_SMI_ATTRIBUTES \
478 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

◆ DEBUGGER_COMMAND_START_ATTRIBUTES

#define DEBUGGER_COMMAND_START_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_WONT_STOP_DEBUGGER_AGAIN

◆ DEBUGGER_COMMAND_STATUS_ATTRIBUTES

#define DEBUGGER_COMMAND_STATUS_ATTRIBUTES   NULL

◆ DEBUGGER_COMMAND_STRUCT_ATTRIBUTES

#define DEBUGGER_COMMAND_STRUCT_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
444#define DEBUGGER_COMMAND_STRUCT_ATTRIBUTES \
445 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

◆ DEBUGGER_COMMAND_SWITCH_ATTRIBUTES

#define DEBUGGER_COMMAND_SWITCH_ATTRIBUTES   NULL

◆ DEBUGGER_COMMAND_SYM_ATTRIBUTES

#define DEBUGGER_COMMAND_SYM_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
428#define DEBUGGER_COMMAND_SYM_ATTRIBUTES \
429 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

◆ DEBUGGER_COMMAND_SYMPATH_ATTRIBUTES

#define DEBUGGER_COMMAND_SYMPATH_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
425#define DEBUGGER_COMMAND_SYMPATH_ATTRIBUTES \
426 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

◆ DEBUGGER_COMMAND_SYSCALL_ATTRIBUTES

#define DEBUGGER_COMMAND_SYSCALL_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT

◆ DEBUGGER_COMMAND_SYSRET_ATTRIBUTES

#define DEBUGGER_COMMAND_SYSRET_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT

◆ DEBUGGER_COMMAND_T_ATTRIBUTES

392#define DEBUGGER_COMMAND_T_ATTRIBUTES \
393 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER

◆ DEBUGGER_COMMAND_TEST_ATTRIBUTES

#define DEBUGGER_COMMAND_TEST_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

◆ DEBUGGER_COMMAND_THREAD_ATTRIBUTES

#define DEBUGGER_COMMAND_THREAD_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
266#define DEBUGGER_COMMAND_THREAD_ATTRIBUTES \
267 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

◆ DEBUGGER_COMMAND_TRACE_ATTRIBUTES

#define DEBUGGER_COMMAND_TRACE_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT

◆ DEBUGGER_COMMAND_TRACK_ATTRIBUTES

#define DEBUGGER_COMMAND_TRACK_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

◆ DEBUGGER_COMMAND_TSC_ATTRIBUTES

#define DEBUGGER_COMMAND_TSC_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT

◆ DEBUGGER_COMMAND_UNHIDE_ATTRIBUTES

#define DEBUGGER_COMMAND_UNHIDE_ATTRIBUTES   NULL

◆ DEBUGGER_COMMAND_UNLOAD_ATTRIBUTES

#define DEBUGGER_COMMAND_UNLOAD_ATTRIBUTES   NULL

◆ DEBUGGER_COMMAND_VA2PA_ATTRIBUTES

#define DEBUGGER_COMMAND_VA2PA_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

◆ DEBUGGER_COMMAND_VMCALL_ATTRIBUTES

#define DEBUGGER_COMMAND_VMCALL_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT

◆ DEBUGGER_COMMAND_WRMSR_ATTRIBUTES

#define DEBUGGER_COMMAND_WRMSR_ATTRIBUTES   NULL

◆ DEBUGGER_COMMAND_X_ATTRIBUTES

#define DEBUGGER_COMMAND_X_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
431#define DEBUGGER_COMMAND_X_ATTRIBUTES \
432 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

◆ DEBUGGER_COMMAND_XSETBV_ATTRIBUTES

#define DEBUGGER_COMMAND_XSETBV_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT

Typedef Documentation

◆ COMMAND_DETAIL

Details of each command.

◆ CommandFuncTypeParser

typedef VOID(* CommandFuncTypeParser) (vector< CommandToken > CommandTokens, string Command)

Command's function type.

◆ CommandHelpFuncType

typedef VOID(* CommandHelpFuncType) ()

Command's help function type.

◆ CommandToken

typedef std::tuple<CommandParsingTokenType, std::string, std::string> CommandToken

Command's parsing type.

◆ CommandType

typedef std::map<std::string, COMMAND_DETAIL> CommandType

Type saving commands and mapping to command string.

◆ PCOMMAND_DETAIL

typedef struct _COMMAND_DETAIL * PCOMMAND_DETAIL

Enumeration Type Documentation

◆ CommandParsingTokenType

Command's parsing type (enum).

Enumerator
Num 
String 
StringLiteral 
BracketString 
166{
167 Num,
168 String,
CommandParsingTokenType
Command's parsing type (enum).
Definition commands.h:166
@ Num
Definition commands.h:167
@ StringLiteral
Definition commands.h:169
@ String
Definition commands.h:168
@ BracketString
Definition commands.h:170

Function Documentation

◆ CheckMultilineCommand()

BOOLEAN CheckMultilineCommand ( CHAR * CurrentCommand,
BOOLEAN Reset )

check for multi-line commands

Parameters
CurrentCommand
Reset
Returns
BOOLEAN return TRUE if the command needs extra input, otherwise return FALSE
1133{
1134 UINT32 CurrentCommandLen = 0;
1135 std::string CurrentCommandStr(CurrentCommand);
1136
1137 if (Reset)
1138 {
1142 }
1143
1144 CurrentCommandLen = (UINT32)CurrentCommandStr.length();
1145
1146 for (SIZE_T i = 0; i < CurrentCommandLen; i++)
1147 {
1148 switch (CurrentCommandStr.at(i))
1149 {
1150 case '"':
1151
1153 {
1155 break; // it's an escaped \" double-quote
1156 }
1157
1160 else
1162
1163 break;
1164
1165 case '{':
1166
1169
1172
1173 break;
1174
1175 case '}':
1176
1179
1182
1183 break;
1184
1185 case '\\':
1186
1188 g_IsInterpreterPreviousCharacterABackSlash = FALSE; // it's not a escape character (two backslashes \\ )
1189 else
1191
1192 break;
1193
1194 default:
1195
1198
1199 break;
1200 }
1201 }
1202
1204 {
1205 //
1206 // either the command is finished or it's a single
1207 // line command
1208 //
1209 return FALSE;
1210 }
1211 else
1212 {
1213 //
1214 // There still other lines, this command is incomplete
1215 //
1216 return TRUE;
1217 }
1218}
#define TRUE
Definition BasicTypes.h:114
#define FALSE
Definition BasicTypes.h:113
unsigned int UINT32
Definition BasicTypes.h:54
UINT32 g_InterpreterCountOfOpenCurlyBrackets
Keeps the trace of curly brackets in the interpreter.
Definition globals.h:69
BOOLEAN g_IsInterpreterPreviousCharacterABackSlash
Is interpreter encountered a back slash at previous run.
Definition globals.h:64
BOOLEAN g_IsInterpreterOnString
shows whether the interpreter is currently on a string or not
Definition globals.h:59

◆ CommandApic()

VOID CommandApic ( vector< CommandToken > CommandTokens,
string Command )

!apic command handler

Parameters
CommandTokens
Command
Returns
VOID
187{
188 BOOLEAN IsUsingX2APIC = FALSE;
189 UINT8 i = 0, j = 0;
190 UINT32 k = 0;
191 UINT32 Reg = 0;
192 LAPIC_PAGE LocalApic = {0};
193
194 if (CommandTokens.size() != 1)
195 {
196 ShowMessages("incorrect use of the '%s'\n\n",
197 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
198
200 return;
201 }
202
203 //
204 // Get the local APIC results
205 //
206 if (HyperDbgGetLocalApic(&LocalApic, &IsUsingX2APIC) == FALSE)
207 {
208 return;
209 }
210
211 //
212 // Show different fields of the Local APIC
213 //
214 ShowMessages("*** (%s Mode) PHYSICAL LAPIC ID = %u, Ver = 0x%x, MaxLvtEntry = %d, DirectedEOI = P%d/E%d, (SW: '%s')\n"
215 " -> TPR = 0x%08x, PPR = 0x%08x\n"
216 " -> LDR = 0x%08x, SVR = 0x%08x, Err = 0x%08x\n"
217 " -> LVT_INT0 = 0x%08x, LVT_INT1 = 0x%08x\n"
218 " -> LVT_CMCI = 0x%08x, LVT_PMCR = 0x%08x\n"
219 " -> LVT_TMR = 0x%08x, LVT_TSR = 0x%08x\n"
220 " -> LVT_ERR = 0x%08x\n"
221 " -> InitialCount = 0x%08x, CurrentCount = 0x%08x, DivideConfig = 0x%08x\n",
222 IsUsingX2APIC ? "X2APIC" : "XAPIC",
223 LocalApic.Id >> 24,
224 LocalApic.Version,
225 (LocalApic.Version & 0xFF0000) >> 16,
226 (LocalApic.Version >> 24) & 1,
227 (LocalApic.SpuriousInterruptVector >> 12) & 1,
228 (LocalApic.SpuriousInterruptVector & LAPIC_SVR_FLAG_SW_ENABLE) != 0 ? "Enabled" : "Disabled",
229 LocalApic.TPR,
230 LocalApic.ProcessorPriority,
231 LocalApic.LogicalDestination,
232 LocalApic.SpuriousInterruptVector,
233 LocalApic.ErrorStatus,
234 LocalApic.LvtLINT0,
235 LocalApic.LvtLINT1,
236 LocalApic.LvtCmci,
237 LocalApic.LvtPerfMonCounters,
238 LocalApic.LvtTimer,
239 LocalApic.LvtThermalSensor,
240 LocalApic.LvtError,
241 LocalApic.InitialCount,
242 LocalApic.CurrentCount,
243 LocalApic.DivideConfiguration);
244
245 //
246 // Print the ISR, TMR and IRR
247 //
248 ShowMessages("ISR : ");
249
250 for (i = 0; i < 8; i++)
251 {
252 k = 1;
253 Reg = (UINT32)LocalApic.ISR[i * 4];
254 for (j = 0; j < 32; j++)
255 {
256 if (0 != (Reg & k))
257 {
258 ShowMessages("0x%02hhx ", (UINT8)(i * 32 + j));
259 }
260 k = k << 1;
261 }
262 }
263 ShowMessages("\n");
264
265 ShowMessages("TMR : ");
266
267 for (i = 0; i < 8; i++)
268 {
269 k = 1;
270 Reg = (UINT32)LocalApic.TMR[i * 4];
271 for (j = 0; j < 32; j++)
272 {
273 if (Reg & k)
274 {
275 ShowMessages("0x%02hhx ", (UINT8)(i * 32 + j));
276 }
277 k = k << 1;
278 }
279 }
280
281 ShowMessages("\n");
282
283 ShowMessages("IRR : ");
284
285 for (i = 0; i < 8; i++)
286 {
287 k = 1;
288 Reg = (UINT32)LocalApic.IRR[i * 4];
289 for (j = 0; j < 32; j++)
290 {
291 if (Reg & k)
292 {
293 ShowMessages("0x%02hhx ", (UINT8)(i * 32 + j));
294 }
295 k = k << 1;
296 }
297 }
298
299 ShowMessages("\n");
300}
BOOLEAN HyperDbgGetLocalApic(PLAPIC_PAGE LocalApic, PBOOLEAN IsUsingX2APIC)
Request to get Local APIC.
Definition apic.cpp:169
VOID CommandApicHelp()
help of the !apic command
Definition apic.cpp:26
UCHAR BOOLEAN
Definition BasicTypes.h:35
unsigned char UINT8
Definition BasicTypes.h:52
#define LAPIC_SVR_FLAG_SW_ENABLE
Definition RequestStructures.h:1118
struct _LAPIC_PAGE LAPIC_PAGE
LAPIC structure and offsets.
std::string GetCaseSensitiveStringFromCommandToken(CommandToken TargetToken)
Get case sensitive string from command token.
Definition common.cpp:467
UINT32 LvtLINT1
Definition RequestStructures.h:1192
UINT32 LvtError
Definition RequestStructures.h:1195
UINT32 TMR[32]
Definition RequestStructures.h:1162
UINT32 Version
Definition RequestStructures.h:1131
UINT32 LvtCmci
Definition RequestStructures.h:1171
UINT32 LvtThermalSensor
Definition RequestStructures.h:1183
UINT32 InitialCount
Definition RequestStructures.h:1198
UINT32 CurrentCount
Definition RequestStructures.h:1201
UINT32 ISR[32]
Definition RequestStructures.h:1160
UINT32 DivideConfiguration
Definition RequestStructures.h:1206
UINT32 TPR
Definition RequestStructures.h:1136
UINT32 ErrorStatus
Definition RequestStructures.h:1166
UINT32 LvtTimer
Definition RequestStructures.h:1180
UINT32 LogicalDestination
Definition RequestStructures.h:1151
UINT32 IRR[32]
Definition RequestStructures.h:1164
UINT32 LvtLINT0
Definition RequestStructures.h:1189
UINT32 Id
Definition RequestStructures.h:1128
UINT32 ProcessorPriority
Definition RequestStructures.h:1142
UINT32 LvtPerfMonCounters
Definition RequestStructures.h:1186
UINT32 SpuriousInterruptVector
Definition RequestStructures.h:1157

◆ CommandAssemble()

VOID CommandAssemble ( vector< CommandToken > CommandTokens,
string Command )

a and !a commands handler

Parameters
CommandTokens
Command
Returns
VOID
183{
184 DEBUGGER_EDIT_MEMORY_TYPE MemoryType {};
185 _CMD CMD {};
186 UINT64 Address {};
187 UINT64 StartAddress {};
188 UINT32 ProcId = 0;
189
190 CMD = ParseUserCmd(Command);
191
192 if (CMD.isEmpty())
193 {
194 //
195 // Error messages are already printed
196 //
197 return;
198 }
199
200 if (!CMD.ProcIdStr.empty())
201 {
202 if (!ConvertStringToUInt32(CMD.ProcIdStr, &ProcId))
203 {
204 ShowMessages("please specify a correct hex process id\n\n");
206 return;
207 }
208 }
209
211 {
212 ProcId = g_ActiveProcessDebuggingState.ProcessId;
213 }
214
215 if (CMD.AsmSnippet.empty())
216 {
217 ShowMessages("no assembly snippet provided\n");
219 return;
220 }
221 else if (CMD.CommandStr == "a")
222 {
223 MemoryType = EDIT_VIRTUAL_MEMORY;
224 }
225 else if (CMD.CommandStr == "!a")
226 {
227 MemoryType = EDIT_PHYSICAL_MEMORY;
228 }
229 else
230 {
231 ShowMessages("unknown assemble command\n\n");
233 return;
234 }
235
236 //
237 // Fetching start_address i.e. address to assemble to
238 //
239 if (!CMD.AddressStr.empty()) // was any address provided to assemble to?
240 {
242 {
243 ShowMessages("err, couldn't resolve Address at '%s'\n\n",
244 CMD.AddressStr.c_str());
246 return;
247 }
248 }
249 else if (!CMD.StartAddressStr.empty()) // was a custom start_address provided?
250 {
251 if (!SymbolConvertNameOrExprToAddress(CMD.StartAddressStr, &StartAddress))
252 {
253 ShowMessages("err, couldn't resolve Address at '%s'\n\n",
254 CMD.StartAddressStr.c_str());
256 return;
257 }
258 Address = StartAddress;
259 }
260 else
261 {
262 ShowMessages("warning, no start address provided to calculate relative asm commands\n\n");
263 }
264
266 AssembleData.AsmRaw = CMD.AsmSnippet; // third element
268
269 if (AssembleData.Assemble(Address))
270 {
271 ShowMessages("err, code: '%u'\n\n", AssembleData.KsErr);
273 return;
274 }
275
276 if (ProcId == 0)
277 {
279 }
280
281 if (Address) // was the user only trying to get the bytes?
282 {
284 (PVOID)Address,
285 MemoryType,
286 ProcId,
289 {
290 ShowMessages("successfully assembled at 0x%016llx address\n", static_cast<UINT64>(Address));
291 }
292 else
293 {
294 ShowMessages("failed to write generated assembly to memory\n");
295 }
296 }
297}
_CMD ParseUserCmd(const std::string &command)
Definition a.cpp:66
VOID CommandAssembleHelp()
help of a and !a command
Definition a.cpp:43
ACTIVE_DEBUGGING_PROCESS g_ActiveProcessDebuggingState
State of active debugging thread.
Definition globals.h:372
void * PVOID
Definition BasicTypes.h:56
@ EDIT_PHYSICAL_MEMORY
Definition RequestStructures.h:483
@ EDIT_VIRTUAL_MEMORY
Definition RequestStructures.h:482
enum _DEBUGGER_EDIT_MEMORY_TYPE DEBUGGER_EDIT_MEMORY_TYPE
different type of addresses for editing memory
Definition a.cpp:17
std::string StartAddressStr
Definition a.cpp:22
bool isEmpty() const
Definition a.cpp:27
std::string AddressStr
Definition a.cpp:20
std::string CommandStr
Definition a.cpp:19
std::string AsmSnippet
Definition a.cpp:21
std::string ProcIdStr
Definition a.cpp:23
Definition assembler.h:16
VOID ParseAssemblyData()
tries to solve the symbol issue with Keystone, which apparently originates from LLVM-MC.
Definition assembler.cpp:20
UCHAR * EncodedBytes
Definition assembler.h:22
ks_err KsErr
Definition assembler.h:24
SIZE_T BytesCount
Definition assembler.h:21
INT Assemble(UINT64 StartAddr, ks_arch Arch=KS_ARCH_X86, INT Mode=KS_MODE_64, INT Syntax=KS_OPT_SYNTAX_INTEL)
Definition assembler.cpp:119
std::string AsmRaw
Definition assembler.h:18
BOOLEAN HyperDbgWriteMemory(PVOID DestinationAddress, DEBUGGER_EDIT_MEMORY_TYPE MemoryType, UINT32 ProcessId, PVOID SourceAddress, UINT32 NumberOfBytes)
API function for writing the memory content.
Definition e.cpp:196
BOOLEAN ConvertStringToUInt32(string TextToConvert, PUINT32 Result)
UINT32 PlatformGetCurrentProcessId(VOID)
Platform independent wrapper for GetCurrentProcessId / getpid.
Definition platform-lib-calls.c:185
BOOLEAN SymbolConvertNameOrExprToAddress(const string &TextToConvert, PUINT64 Result)
check and convert string to a 64 bit unsigned integer and also check for symbol object names and eval...
Definition symbol.cpp:359

◆ CommandAttach()

VOID CommandAttach ( vector< CommandToken > CommandTokens,
string Command )

.attach command handler

Parameters
CommandTokens
Command
Returns
VOID
45{
46 UINT32 TargetPid = 0;
47 BOOLEAN NextIsPid = FALSE;
48
49 //
50 // Disable user-mode debugger in this version
51 //
52#if ActivateUserModeDebugger == FALSE
53
55 {
56 ShowMessages("the user-mode debugger in VMI Mode is still in the beta version and not stable. "
57 "we decided to exclude it from this release and release it in future versions. "
58 "if you want to test the user-mode debugger in VMI Mode, you should build "
59 "HyperDbg with special instructions. But attaching/switching to other processes\n"
60 "are fully supported in the Debugger Mode.\n"
61 "(it's not recommended to use it in VMI Mode yet!)\n");
62 return;
63 }
64
65#endif // !ActivateUserModeDebugger
66
67 //
68 // It's a attach to a target PID
69 //
70 if (CommandTokens.size() >= 4)
71 {
72 ShowMessages("incorrect use of the '%s'\n\n",
73 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
75 return;
76 }
77
78 for (auto Section = CommandTokens.begin() + 1; Section != CommandTokens.end(); Section++)
79 {
80 //
81 // Find out whether the user enters pid or not
82 //
83 if (NextIsPid)
84 {
85 NextIsPid = FALSE;
86
87 if (!ConvertTokenToUInt32(*Section, &TargetPid))
88 {
89 ShowMessages("please specify a correct hex value for process id\n\n");
91 return;
92 }
93 }
94 else if (CompareLowerCaseStrings(*Section, "pid"))
95 {
96 //
97 // next item is a pid for the process
98 //
99 NextIsPid = TRUE;
100 }
101 else
102 {
103 ShowMessages("unknown parameter at '%s'\n\n",
106 return;
107 }
108 }
109
110 //
111 // Check if the process id is empty or not
112 //
113 if (TargetPid == 0)
114 {
115 ShowMessages("please specify a hex value for process id\n\n");
117 return;
118 }
119
120 //
121 // Perform attach to target process
122 //
123 ShowMessages("Attaching to process 0x%llx (%lld)...\n\n", TargetPid, TargetPid);
124 UdAttachToProcess(TargetPid, NULL, NULL, FALSE);
125}
VOID CommandAttachHelp()
help of the .attach command
Definition attach.cpp:25
BOOLEAN CompareLowerCaseStrings(CommandToken TargetToken, const CHAR *StringToCompare)
Compare lower case strings.
Definition common.cpp:503
BOOLEAN ConvertTokenToUInt32(CommandToken TargetToken, PUINT32 Result)
check and convert command token to a 32 bit unsigned integer
Definition common.cpp:546
BOOLEAN g_IsSerialConnectedToRemoteDebugger
Shows if the debugger was connected to remote debugger (A remote host).
Definition rev.cpp:18
BOOLEAN UdAttachToProcess(UINT32 TargetPid, const WCHAR *TargetFileAddress, const WCHAR *CommandLine, BOOLEAN RunCallbackAtTheFirstInstruction)
Attach to target process.
Definition ud.cpp:372

◆ CommandBc()

VOID CommandBc ( vector< CommandToken > CommandTokens,
string Command )

handler of bc command

Parameters
CommandTokens
Command
Returns
VOID
46{
47 UINT64 BreakpointId;
49
50 //
51 // Validate the commands
52 //
53 if (CommandTokens.size() != 2)
54 {
55 ShowMessages("incorrect use of the '%s'\n\n",
56 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
58 return;
59 }
60
61 //
62 // Get the breakpoint id
63 //
64 if (!ConvertTokenToUInt64(CommandTokens.at(1), &BreakpointId))
65 {
66 ShowMessages("please specify a correct hex value for breakpoint id\n\n");
68
69 return;
70 }
71
72 //
73 // Check if the remote serial debuggee is paused or not (connected or not)
74 //
76 {
77 //
78 // Perform clearing breakpoint
79 //
81
82 //
83 // Set breakpoint id
84 //
85 Request.BreakpointId = BreakpointId;
86
87 //
88 // Send the request
89 //
91 }
92 else
93 {
94 ShowMessages("err, clearing breakpoints is only valid if you connected to "
95 "a debuggee in debugger-mode\n");
96 }
97}
BOOLEAN g_IsSerialConnectedToRemoteDebuggee
Shows if the debugger was connected to remote debuggee over (A remote guest).
Definition globals.h:253
VOID CommandBcHelp()
help of the bc command
Definition bc.cpp:25
struct _DEBUGGEE_BP_LIST_OR_MODIFY_PACKET DEBUGGEE_BP_LIST_OR_MODIFY_PACKET
The structure of breakpoint modification requests packet in HyperDbg.
@ DEBUGGEE_BREAKPOINT_MODIFICATION_REQUEST_CLEAR
Definition RequestStructures.h:1544
BOOLEAN ConvertTokenToUInt64(CommandToken TargetToken, PUINT64 Result)
add ` between 64 bit values and convert them to string
Definition common.cpp:447
BOOLEAN KdSendListOrModifyPacketToDebuggee(PDEBUGGEE_BP_LIST_OR_MODIFY_PACKET ListOrModifyPacket)
Sends a breakpoint list or modification packet to the debuggee.
Definition kd.cpp:1198
UINT64 BreakpointId
Definition RequestStructures.h:1554
DEBUGGEE_BREAKPOINT_MODIFICATION_REQUEST Request
Definition RequestStructures.h:1555

◆ CommandBd()

VOID CommandBd ( vector< CommandToken > CommandTokens,
string Command )

handler of bd command

Parameters
CommandTokens
Command
Returns
VOID
46{
47 UINT64 BreakpointId;
49
50 //
51 // Validate the commands
52 //
53 if (CommandTokens.size() != 2)
54 {
55 ShowMessages("incorrect use of the '%s'\n\n",
56 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
58 return;
59 }
60
61 //
62 // Get the breakpoint id
63 //
64 if (!ConvertTokenToUInt64(CommandTokens.at(1), &BreakpointId))
65 {
66 ShowMessages("please specify a correct hex value for breakpoint id\n\n");
68
69 return;
70 }
71
72 //
73 // Check if the remote serial debuggee is paused or not (connected or not)
74 //
76 {
77 //
78 // Perform disabling breakpoint
79 //
81
82 //
83 // Set breakpoint id
84 //
85 Request.BreakpointId = BreakpointId;
86
87 //
88 // Send the request
89 //
91 }
92 else
93 {
94 ShowMessages("err, disabling breakpoints is only valid if you connected to "
95 "a debuggee in debugger-mode\n");
96 }
97}
VOID CommandBdHelp()
help of the bd command
Definition bd.cpp:25
@ DEBUGGEE_BREAKPOINT_MODIFICATION_REQUEST_DISABLE
Definition RequestStructures.h:1543

◆ CommandBe()

VOID CommandBe ( vector< CommandToken > CommandTokens,
string Command )

handler of be command

Parameters
CommandTokens
Command
Returns
VOID
46{
47 UINT64 BreakpointId;
49
50 //
51 // Validate the commands
52 //
53 if (CommandTokens.size() != 2)
54 {
55 ShowMessages("incorrect use of the '%s'\n\n",
56 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
58 return;
59 }
60
61 //
62 // Get the breakpoint id
63 //
64 if (!ConvertTokenToUInt64(CommandTokens.at(1), &BreakpointId))
65 {
66 ShowMessages("please specify a correct hex value for breakpoint id\n\n");
68
69 return;
70 }
71
72 //
73 // Check if the remote serial debuggee is paused or not (connected or not)
74 //
76 {
77 //
78 // Perform enabling breakpoint
79 //
81
82 //
83 // Set breakpoint id
84 //
85 Request.BreakpointId = BreakpointId;
86
87 //
88 // Send the request
89 //
91 }
92 else
93 {
94 ShowMessages("err, enabling breakpoints is only valid if you connected to "
95 "a debuggee in debugger-mode\n");
96 }
97}
VOID CommandBeHelp()
help of the be command
Definition be.cpp:25
@ DEBUGGEE_BREAKPOINT_MODIFICATION_REQUEST_ENABLE
Definition RequestStructures.h:1542

◆ CommandBl()

VOID CommandBl ( vector< CommandToken > CommandTokens,
string Command )

handler of the bl command

Parameters
CommandTokens
Command
Returns
VOID
42{
44
45 //
46 // Validate the commands
47 //
48 if (CommandTokens.size() != 1)
49 {
50 ShowMessages("incorrect use of the '%s'\n\n",
51 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
53 return;
54 }
55
56 //
57 // Check if the remote serial debuggee is paused or not (connected or not)
58 //
60 {
61 //
62 // Perform listing breakpoint
63 //
65
66 //
67 // Send the request
68 //
70 ShowMessages("\n");
71 }
72 else
73 {
74 ShowMessages("err, listing breakpoints is only valid if you connected to "
75 "a debuggee in debugger-mode\n");
76 }
77}
VOID CommandBlHelp()
help of the bl command
Definition bl.cpp:25
@ DEBUGGEE_BREAKPOINT_MODIFICATION_REQUEST_LIST_BREAKPOINTS
Definition RequestStructures.h:1541

◆ CommandBp()

VOID CommandBp ( vector< CommandToken > CommandTokens,
string Command )

bp command handler

Parameters
CommandTokens
Command
Returns
VOID
169{
170 BOOL IsNextCoreId = FALSE;
171 BOOL IsNextPid = FALSE;
172 BOOL IsNextTid = FALSE;
173
174 BOOLEAN SetCoreId = FALSE;
175 BOOLEAN SetPid = FALSE;
176 BOOLEAN SetTid = FALSE;
177 BOOLEAN SetAddress = FALSE;
178
182 UINT64 Address = NULL;
183 BOOLEAN IsFirstCommand = TRUE;
184
185 if (CommandTokens.size() >= 9)
186 {
187 ShowMessages("incorrect use of the '%s'\n\n",
188 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
190 return;
191 }
192
193 //
194// Disable user-mode debugger in this version
195//
196#if ActivateUserModeDebugger == FALSE
197
199 {
200 ShowMessages("the user-mode debugger in VMI Mode is still in the beta version and not stable. "
201 "we decided to exclude it from this release and release it in future versions. "
202 "if you want to test the user-mode debugger in VMI Mode, you should build "
203 "HyperDbg with special instructions. But starting processes is fully supported "
204 "in the Debugger Mode.\n"
205 "(it's not recommended to use it in VMI Mode yet!)\n");
206 return;
207 }
208
209#endif // !ActivateUserModeDebugger
210
211 //
212 // If the user is debugging a process, use its pid
213 //
215 {
216 Pid = g_ActiveProcessDebuggingState.ProcessId;
217 }
218
219 for (auto Section : CommandTokens)
220 {
221 //
222 // Ignore the first argument as it's the command string itself (bp)
223 //
224 if (IsFirstCommand == TRUE)
225 {
226 IsFirstCommand = FALSE;
227 continue;
228 }
229
230 if (IsNextCoreId)
231 {
232 if (!ConvertTokenToUInt32(Section, &CoreNumer))
233 {
234 ShowMessages("please specify a correct hex value for core id\n\n");
236 return;
237 }
238 IsNextCoreId = FALSE;
239 continue;
240 }
241 if (IsNextPid)
242 {
243 if (!ConvertTokenToUInt32(Section, &Pid))
244 {
245 ShowMessages("please specify a correct hex value for process id\n\n");
247 return;
248 }
249 IsNextPid = FALSE;
250 continue;
251 }
252
253 if (IsNextTid)
254 {
255 if (!ConvertTokenToUInt32(Section, &Tid))
256 {
257 ShowMessages("please specify a correct hex value for thread id\n\n");
259 return;
260 }
261 IsNextTid = FALSE;
262 continue;
263 }
264
265 if (CompareLowerCaseStrings(Section, "pid"))
266 {
267 IsNextPid = TRUE;
268 continue;
269 }
270 if (CompareLowerCaseStrings(Section, "tid"))
271 {
272 IsNextTid = TRUE;
273 continue;
274 }
275 if (CompareLowerCaseStrings(Section, "core"))
276 {
277 IsNextCoreId = TRUE;
278 continue;
279 }
280
281 if (!SetAddress)
282 {
284 {
285 //
286 // Couldn't resolve or unknown parameter
287 //
288 ShowMessages("err, couldn't resolve error at '%s'\n\n",
291 return;
292 }
293 else
294 {
295 //
296 // Means that address is received
297 //
298 SetAddress = TRUE;
299 continue;
300 }
301 }
302 }
303
304 //
305 // Check if address is set or not
306 //
307 if (!SetAddress)
308 {
309 ShowMessages("please specify a correct hex value as the breakpoint address\n\n");
311 return;
312 }
313 if (IsNextPid)
314 {
315 ShowMessages("please specify a correct hex value for process id\n\n");
317 return;
318 }
319 if (IsNextCoreId)
320 {
321 ShowMessages("please specify a correct hex value for core\n\n");
323 return;
324 }
325 if (IsNextTid)
326 {
327 ShowMessages("please specify a correct hex value for thread id\n\n");
329 return;
330 }
331
333 {
334 ShowMessages("setting breakpoints is not possible when you're not connected "
335 "to a target debuggee (kernel debugger or user debugger)\n");
336 return;
337 }
338
339 //
340 // Request breakpoint the bp packet
341 //
342 if (!CommandBpRequest(Address, Pid, Tid, CoreNumer))
343 {
344 ShowMessages("err, couldn't set breakpoint\n");
345 }
346}
VOID CommandBpHelp()
help of the bp command
Definition bp.cpp:27
BOOLEAN CommandBpRequest(UINT64 Address, UINT32 Pid, UINT32 Tid, UINT32 CoreNumer)
request breakpoint
Definition bp.cpp:119
int BOOL
Definition BasicTypes.h:25
#define DEBUGGEE_BP_APPLY_TO_ALL_PROCESSES
The constant to apply to all processes for bp command.
Definition Constants.h:781
#define DEBUGGEE_BP_APPLY_TO_ALL_THREADS
The constant to apply to all threads for bp command.
Definition Constants.h:787
#define DEBUGGEE_BP_APPLY_TO_ALL_CORES
The constant to apply to all cores for bp command.
Definition Constants.h:775
NULL()
Definition test-case-generator.py:530

◆ CommandCls()

VOID CommandCls ( vector< CommandToken > CommandTokens,
string Command )

.cls command handler

Parameters
CommandTokens
Command
Returns
VOID
37{
38 if (CommandTokens.size() != 1)
39 {
40 ShowMessages("incorrect use of the '%s'\n\n",
41 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
43 return;
44 }
45
46 system("cls");
47}
VOID CommandClsHelp()
help of the .cls command
Definition cls.cpp:20

◆ CommandConnect()

VOID CommandConnect ( vector< CommandToken > CommandTokens,
string Command )

.connect command handler

Parameters
CommandTokens
Command
Returns
VOID
108{
109 string Ip;
110 string Port;
111
114 {
115 ShowMessages("you're connected to a debugger, please use '.disconnect' "
116 "command\n");
117 return;
118 }
119
122 {
123 ShowMessages("you're connected to a an instance of HyperDbg, please use "
124 "'.debug close' command\n");
125 return;
126 }
127
128 if (CommandTokens.size() == 1)
129 {
130 //
131 // Means that user entered just a connect so we have to
132 // ask to connect to what ?
133 //
134 ShowMessages("incorrect use of the '%s'\n\n",
135 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
137 return;
138 }
139 else if (CompareLowerCaseStrings(CommandTokens.at(1), "local") && CommandTokens.size() == 2)
140 {
141 //
142 // connect to local debugger
143 //
144 ShowMessages("local debugging (vmi-mode)\n");
145
147
148 return;
149 }
150 else if (CommandTokens.size() == 3 || CommandTokens.size() == 2)
151 {
152 Ip = GetCaseSensitiveStringFromCommandToken(CommandTokens.at(1));
153
154 if (CommandTokens.size() == 3)
155 {
156 Port = GetCaseSensitiveStringFromCommandToken(CommandTokens.at(2));
157 }
158
159 //
160 // means that probably wants to connect to a remote
161 // system, let's first check the if the parameters are
162 // valid
163 //
164 if (!ValidateIP(Ip))
165 {
166 ShowMessages("incorrect ip address\n");
167 return;
168 }
169
170 if (CommandTokens.size() == 3)
171 {
172 if (!IsNumber(Port) || stoi(Port) > 65535 || stoi(Port) < 0)
173 {
174 ShowMessages("incorrect port\n");
175 return;
176 }
177
178 //
179 // connect to remote debugger
180 //
181 ConnectRemoteDebugger(Ip.c_str(), Port.c_str());
182 }
183 else
184 {
185 //
186 // connect to remote debugger (default port)
187 //
188 ConnectRemoteDebugger(Ip.c_str(), NULL);
189 }
190 }
191 else
192 {
193 ShowMessages("incorrect use of the '%s'\n\n",
194 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
196 return;
197 }
198}
BOOLEAN ValidateIP(const string &ip)
Function to validate an IP address.
Definition common.cpp:590
VOID ConnectLocalDebugger()
Connect to local debugger.
Definition connect.cpp:50
VOID CommandConnectHelp()
help of the .connect command
Definition connect.cpp:31
BOOLEAN ConnectRemoteDebugger(const CHAR *Ip, const CHAR *Port)
Connect to remote debugger.
Definition connect.cpp:61
BOOLEAN g_IsConnectedToRemoteDebuggee
Shows whether the current debugger is the host and connected to a remote debuggee (guest).
Definition globals.h:96
BOOLEAN g_IsConnectedToHyperDbgLocally
Shows whether the user is allowed to use 'load' command to load modules locally in VMI (virtual machi...
Definition globals.h:89
BOOLEAN IsNumber(const string &str)
BOOLEAN g_IsConnectedToRemoteDebugger
Shows whether the current system is a guest (debuggee) and a remote debugger is connected to this sys...
Definition globals.h:103

◆ CommandContinue()

VOID CommandContinue ( vector< CommandToken > CommandTokens,
string Command )

handler of continue command

Parameters
CommandTokens
Command
Returns
VOID
48{
49 if (CommandTokens.size() != 1)
50 {
51 ShowMessages("incorrect use of the '%s'\n\n",
52 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
54 return;
55 }
56
58}
VOID CommandContinueRequest()
Request to continue.
Definition continue.cpp:33
VOID CommandGHelp()
help of the g command
Definition g.cpp:28

◆ CommandCore()

VOID CommandCore ( vector< CommandToken > CommandTokens,
string Command )

~ command handler

Parameters
CommandTokens
Command
Returns
VOID
48{
49 UINT32 TargetCore = 0;
50
51 if (CommandTokens.size() != 1 && CommandTokens.size() != 2)
52 {
53 ShowMessages("incorrect use of the '%s'\n\n",
54 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
56 return;
57 }
58
59 //
60 // Check if it's connected to a remote debuggee or not
61 //
63 {
64 ShowMessages("err, you're not connected to any debuggee\n");
65 return;
66 }
67
68 if (CommandTokens.size() == 1)
69 {
70 ShowMessages("current processor : 0x%x\n", g_CurrentRemoteCore);
71 }
72 else if (CommandTokens.size() == 2)
73 {
74 if (!ConvertTokenToUInt32(CommandTokens.at(1), &TargetCore))
75 {
76 ShowMessages("please specify a correct hex value for the core that you "
77 "want to operate on it\n\n");
79 return;
80 }
81
82 //
83 // Send the changing core packet
84 //
86 }
87}
ULONG g_CurrentRemoteCore
Current core that the debuggee is debugging.
Definition globals.h:285
VOID CommandCoreHelp()
help of the ~ command
Definition core.cpp:26
BOOLEAN KdSendSwitchCorePacketToDebuggee(UINT32 NewCore)
Sends a change core or '~ x' command packet to the debuggee.
Definition kd.cpp:181

◆ CommandCpu()

VOID CommandCpu ( vector< CommandToken > CommandTokens,
string Command )

cpu command handler

Parameters
CommandTokens
Command
Returns
VOID
37{
38 if (CommandTokens.size() != 1)
39 {
40 ShowMessages("incorrect use of the '%s'\n\n",
41 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
43 return;
44 }
45
47}
int ReadCpuDetails()
Print out supported instruction set extensions.
Definition cpu.cpp:264
VOID CommandCpuHelp()
help of the cpu command
Definition cpu.cpp:20

◆ CommandCpuid()

VOID CommandCpuid ( vector< CommandToken > CommandTokens,
string Command )

!cpuid command handler

Parameters
CommandTokens
Command
Returns
VOID
49{
51 PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger = NULL;
52 PDEBUGGER_GENERAL_ACTION ActionCustomCode = NULL;
53 PDEBUGGER_GENERAL_ACTION ActionScript = NULL;
54 BOOLEAN GetEax = FALSE;
55 UINT32 EventLength;
56 UINT64 SpecialTarget = 0;
57 UINT32 ActionBreakToDebuggerLength = 0;
58 UINT32 ActionCustomCodeLength = 0;
59 UINT32 ActionScriptLength = 0;
60 DEBUGGER_EVENT_PARSING_ERROR_CAUSE EventParsingErrorCause;
61
62 //
63 // Interpret and fill the general event and action fields
64 //
65 //
67 &CommandTokens,
69 &Event,
70 &EventLength,
71 &ActionBreakToDebugger,
72 &ActionBreakToDebuggerLength,
73 &ActionCustomCode,
74 &ActionCustomCodeLength,
75 &ActionScript,
76 &ActionScriptLength,
77 &EventParsingErrorCause))
78 {
79 return;
80 }
81
82 //
83 // Interpret command specific details (if any), of CPUID EAX index
84 //
85 for (auto Section : CommandTokens)
86 {
87 if (CompareLowerCaseStrings(Section, "!cpuid"))
88 {
89 continue;
90 }
91 else if (!GetEax)
92 {
93 //
94 // It's probably an index of EAX
95 //
96 if (!ConvertTokenToUInt64(Section, &SpecialTarget))
97 {
98 //
99 // Unknown parameter
100 //
101 ShowMessages("unknown parameter '%s'\n\n",
104
105 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
106 return;
107 }
108 else
109 {
110 //
111 // An special EAX is set
112 //
113 GetEax = TRUE;
114 }
115 }
116 else
117 {
118 //
119 // Unknown parameter
120 //
121 ShowMessages("unknown parameter '%s'\n\n",
123
125
126 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
127 return;
128 }
129 }
130
131 //
132 // Set the target EAX (if not specific then it means all msrs)
133 //
134 Event->Options.OptionalParam1 = GetEax;
135
136 if (GetEax)
137 {
138 Event->Options.OptionalParam2 = SpecialTarget;
139 }
140
141 //
142 // Send the ioctl to the kernel for event registration
143 //
144 if (!SendEventToKernel(Event, EventLength))
145 {
146 //
147 // There was an error, probably the handle was not initialized
148 // we have to free the Action before exit, it is because, we
149 // already freed the Event and string buffers
150 //
151
152 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
153 return;
154 }
155
156 //
157 // Add the event to the kernel
158 //
159 if (!RegisterActionToEvent(Event,
160 ActionBreakToDebugger,
161 ActionBreakToDebuggerLength,
162 ActionCustomCode,
163 ActionCustomCodeLength,
164 ActionScript,
165 ActionScriptLength))
166 {
167 //
168 // There was an error
169 //
170 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
171 return;
172 }
173}
@ CPUID_INSTRUCTION_EXECUTION
Definition Events.h:123
struct _DEBUGGER_GENERAL_EVENT_DETAIL * PDEBUGGER_GENERAL_EVENT_DETAIL
struct _DEBUGGER_GENERAL_ACTION * PDEBUGGER_GENERAL_ACTION
VOID CommandCpuidHelp()
help of the !cpuid command
Definition cpuid.cpp:20
VOID FreeEventsAndActionsMemory(PDEBUGGER_GENERAL_EVENT_DETAIL Event, PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger, PDEBUGGER_GENERAL_ACTION ActionCustomCode, PDEBUGGER_GENERAL_ACTION ActionScript)
Deallocate buffers relating to events and actions.
Definition debugger.cpp:1688
BOOLEAN InterpretGeneralEventAndActionsFields(vector< CommandToken > *CommandTokens, VMM_EVENT_TYPE_ENUM EventType, PDEBUGGER_GENERAL_EVENT_DETAIL *EventDetailsToFill, PUINT32 EventBufferLength, PDEBUGGER_GENERAL_ACTION *ActionDetailsToFillBreakToDebugger, PUINT32 ActionBufferLengthBreakToDebugger, PDEBUGGER_GENERAL_ACTION *ActionDetailsToFillCustomCode, PUINT32 ActionBufferLengthCustomCode, PDEBUGGER_GENERAL_ACTION *ActionDetailsToFillScript, PUINT32 ActionBufferLengthScript, PDEBUGGER_EVENT_PARSING_ERROR_CAUSE ReasonForErrorInParsing)
Interpret general event fields.
Definition debugger.cpp:1736
BOOLEAN SendEventToKernel(PDEBUGGER_GENERAL_EVENT_DETAIL Event, UINT32 EventBufferLength)
Register the event to the kernel.
Definition debugger.cpp:1367
BOOLEAN RegisterActionToEvent(PDEBUGGER_GENERAL_EVENT_DETAIL Event, PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger, UINT32 ActionBreakToDebuggerLength, PDEBUGGER_GENERAL_ACTION ActionCustomCode, UINT32 ActionCustomCodeLength, PDEBUGGER_GENERAL_ACTION ActionScript, UINT32 ActionScriptLength)
Register the action to the event.
Definition debugger.cpp:1483
enum _DEBUGGER_EVENT_PARSING_ERROR_CAUSE DEBUGGER_EVENT_PARSING_ERROR_CAUSE
Reason for error in parsing commands.
UINT64 OptionalParam2
Definition Events.h:278
UINT64 OptionalParam1
Definition Events.h:277
DEBUGGER_EVENT_OPTIONS Options
Definition Events.h:396

◆ CommandCrwrite()

VOID CommandCrwrite ( vector< CommandToken > CommandTokens,
string Command )

!crwrite command handler

Parameters
CommandTokens
Command
Returns
VOID
48{
50 PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger = NULL;
51 PDEBUGGER_GENERAL_ACTION ActionCustomCode = NULL;
52 PDEBUGGER_GENERAL_ACTION ActionScript = NULL;
53 UINT32 EventLength;
54 UINT32 ActionBreakToDebuggerLength = 0;
55 UINT32 ActionCustomCodeLength = 0;
56 UINT32 ActionScriptLength = 0;
57 UINT64 TargetRegister = 1;
58 UINT64 MaskRegister = 0xFFFFFFFFFFFFFFFF;
59 BOOLEAN GetRegister = FALSE;
60 BOOLEAN GetMask = FALSE;
61 DEBUGGER_EVENT_PARSING_ERROR_CAUSE EventParsingErrorCause;
62
63 if (CommandTokens.size() < 2)
64 {
65 ShowMessages("incorrect use of the '%s'\n\n",
66 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
68 return;
69 }
70
71 //
72 // Interpret and fill the general event and action fields
73 //
74 //
76 &CommandTokens,
78 &Event,
79 &EventLength,
80 &ActionBreakToDebugger,
81 &ActionBreakToDebuggerLength,
82 &ActionCustomCode,
83 &ActionCustomCodeLength,
84 &ActionScript,
85 &ActionScriptLength,
86 &EventParsingErrorCause))
87 {
88 return;
89 }
90
91 //
92 // Interpret command specific details (if any)
93 //
94 for (auto Section : CommandTokens)
95 {
96 if (CompareLowerCaseStrings(Section, "!crwrite"))
97 {
98 continue;
99 }
100 else if (!GetRegister)
101 {
102 //
103 // It's probably a CR
104 //
105 if (!ConvertTokenToUInt64(Section, &TargetRegister))
106 {
107 //
108 // Unknown parameter
109 //
110 ShowMessages("unknown parameter '%s'\n\n",
113
114 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
115 return;
116 }
117 else
118 {
119 GetRegister = TRUE;
120 }
121 }
122 else if (!GetMask)
123 {
124 if (!ConvertTokenToUInt64(Section, &MaskRegister))
125 {
126 //
127 // Unknown parameter
128 //
129 ShowMessages("unknown parameter '%s'\n\n",
132
133 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
134 return;
135 }
136 else
137 {
138 GetMask = TRUE;
139 }
140 }
141 else
142 {
143 //
144 // Unknown parameter
145 //
146 ShowMessages("unknown parameter '%s'\n\n",
149
150 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
151 return;
152 }
153 }
154
155 if (TargetRegister != VMX_EXIT_QUALIFICATION_REGISTER_CR0 && TargetRegister != VMX_EXIT_QUALIFICATION_REGISTER_CR4)
156 {
157 ShowMessages("please choose either 0 for cr0 or 4 for cr4\n");
159
160 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
161 return;
162 }
163
164 //
165 // Set the target control register
166 //
167 Event->Options.OptionalParam1 = TargetRegister;
168
169 //
170 // Set the mask to filter control register bits
171 //
172 Event->Options.OptionalParam2 = MaskRegister;
173
174 //
175 // Send the ioctl to the kernel for event registration
176 //
177 if (!SendEventToKernel(Event, EventLength))
178 {
179 //
180 // There was an error, probably the handle was not initialized
181 // we have to free the Action before exit, it is because, we
182 // already freed the Event and string buffers
183 //
184 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
185 return;
186 }
187
188 //
189 // Add the event to the kernel
190 //
191 if (!RegisterActionToEvent(Event,
192 ActionBreakToDebugger,
193 ActionBreakToDebuggerLength,
194 ActionCustomCode,
195 ActionCustomCodeLength,
196 ActionScript,
197 ActionScriptLength))
198 {
199 //
200 // There was an error
201 //
202 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
203 return;
204 }
205}
@ CONTROL_REGISTER_MODIFIED
Definition Events.h:162
VOID CommandCrwriteHelp()
help of the !crwrite command
Definition crwrite.cpp:20

◆ CommandDebug()

VOID CommandDebug ( vector< CommandToken > CommandTokens,
string Command )

.debug command handler

Parameters
CommandTokens
Command
Returns
VOID
236{
237 UINT32 Baudrate;
238 UINT32 Port;
239 BOOLEAN IsFirstCommand = TRUE;
240 BOOLEAN IsRemote = FALSE;
241 BOOLEAN IsPrepare = FALSE;
242 BOOLEAN IsSerial = FALSE;
243 BOOLEAN IsNamedPipe = FALSE;
244 BOOLEAN IsPause = FALSE;
245 BOOLEAN IsNamedPipeAddressKnown = FALSE;
246 string NamedPipeAddress;
247 BOOLEAN IsComPortAddressKnown = FALSE;
248 string ComAddress;
249 BOOLEAN IsComPortBaudrateKnown = FALSE;
250
251 if (CommandTokens.size() == 2 && CompareLowerCaseStrings(CommandTokens.at(1), "close"))
252 {
253 //
254 // Check if the debugger is attached to a debuggee
255 //
257 {
258 ShowMessages("err, debugger is not attached to any instance of debuggee\n");
259 }
260
261 return;
262 }
263 else if (CommandTokens.size() <= 3)
264 {
265 ShowMessages("incorrect use of the '%s'\n\n",
266 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
268 return;
269 }
270
271 for (auto Section : CommandTokens)
272 {
273 if (IsFirstCommand)
274 {
275 IsFirstCommand = FALSE;
276 continue;
277 }
278 else if (!IsRemote && CompareLowerCaseStrings(Section, "remote"))
279 {
280 IsRemote = TRUE;
281 continue;
282 }
283 else if (!IsPrepare && CompareLowerCaseStrings(Section, "prepare"))
284 {
285 IsPrepare = TRUE;
286 continue;
287 }
288 else if (!IsSerial && CompareLowerCaseStrings(Section, "serial"))
289 {
290 IsSerial = TRUE;
291 continue;
292 }
293 else if (!IsNamedPipe && CompareLowerCaseStrings(Section, "namedpipe"))
294 {
295 IsNamedPipe = TRUE;
296 continue;
297 }
298 else if (!IsPause && CompareLowerCaseStrings(Section, "pause"))
299 {
300 IsPause = TRUE;
301 continue;
302 }
303 else if (!IsNamedPipeAddressKnown && IsNamedPipe)
304 {
305 IsNamedPipeAddressKnown = TRUE;
306 NamedPipeAddress = GetCaseSensitiveStringFromCommandToken(Section);
307 continue;
308 }
309 else if (!IsComPortBaudrateKnown && IsSerial && IsNumber(GetCaseSensitiveStringFromCommandToken(Section)))
310 {
311 IsComPortBaudrateKnown = TRUE;
312 Baudrate = stoi(GetCaseSensitiveStringFromCommandToken(Section));
313
314 //
315 // Check if baudrate is valid or not
316 //
317 if (!CommandDebugCheckBaudrate(Baudrate))
318 {
319 //
320 // Baud-rate is invalid
321 //
322 ShowMessages("err, baud rate is invalid\n\n");
324 return;
325 }
326
327 continue;
328 }
329 else if (!IsComPortAddressKnown && IsSerial)
330 {
331 IsComPortAddressKnown = TRUE;
332 ComAddress = GetCaseSensitiveStringFromCommandToken(Section);
333
334 //
335 // check if com port address is valid or not
336 //
337 if (!CommandDebugCheckComPort(ComAddress.c_str(), &Port))
338 {
339 //
340 // com port is invalid
341 //
342 ShowMessages("err, COM port is invalid\n\n");
344 return;
345 }
346
347 continue;
348 }
349 else
350 {
351 ShowMessages("err, couldn't resolve error at '%s'\n\n",
354 return;
355 }
356 }
357
358 //
359 // Validate parameters
360 //
361 if (IsRemote && IsPrepare)
362 {
363 ShowMessages("err, both 'remote' and 'prepare' can't be used together\n\n");
365 return;
366 }
367
368 if (!IsRemote && !IsPrepare)
369 {
370 ShowMessages("err, either 'remote' or 'prepare' should be used\n\n");
372 return;
373 }
374
375 //
376 // Prepare cannot be specified with the 'pause'
377 //
378 if (IsPrepare && IsPause)
379 {
380 ShowMessages("err, 'pause' cannot be used with 'prepare'\n\n");
382 return;
383 }
384
385 //
386 // Named pipe cannot be used with the 'prepare'
387 //
388 if (IsNamedPipe && IsPrepare)
389 {
390 ShowMessages("err, named pipe cannot be used with 'prepare'\n\n");
392 return;
393 }
394
395 //
396 // Check if named pipe is empty or not if it's a named pipe
397 //
398 if (IsNamedPipe && NamedPipeAddress.empty())
399 {
400 ShowMessages("err, named pipe address is empty\n\n");
402 return;
403 }
404
405 //
406 // If it's serial, COM address and bausrate should be known
407 //
408 if (IsSerial && (!IsComPortAddressKnown || !IsComPortBaudrateKnown))
409 {
410 ShowMessages("err, COM port address or baudrate is unknown\n\n");
412 return;
413 }
414
415 //
416 // Perform connecting to the remote machine or prepare to send
417 //
418 if (IsPrepare)
419 {
420 //
421 // Everything is okay, prepare to send (debuggee)
422 //
423 HyperDbgDebugCurrentDeviceUsingComPort(ComAddress.c_str(), Baudrate);
424 }
425 else
426 {
427 //
428 // Everything is okay, connect to the remote machine to send (debugger)
429 //
430 if (IsNamedPipe)
431 {
432 HyperDbgDebugRemoteDeviceUsingNamedPipe(NamedPipeAddress.c_str(), IsPause);
433 }
434 else if (IsSerial)
435 {
436 HyperDbgDebugRemoteDeviceUsingComPort(ComAddress.c_str(), Baudrate, IsPause);
437 }
438 }
439}
BOOLEAN HyperDbgDebugRemoteDeviceUsingComPort(const CHAR *PortName, DWORD Baudrate, BOOLEAN PauseAfterConnection)
Connect to a remote serial device (Debugger).
Definition debug.cpp:116
BOOLEAN HyperDbgDebugRemoteDeviceUsingNamedPipe(const CHAR *NamedPipe, BOOLEAN PauseAfterConnection)
Connect to a remote named pipe (Debugger).
Definition debug.cpp:157
BOOLEAN CommandDebugCheckComPort(const CHAR *ComPort, UINT32 *Port)
Check if COM port is valid or not.
Definition debug.cpp:59
BOOLEAN HyperDbgDebugCurrentDeviceUsingComPort(const CHAR *PortName, DWORD Baudrate)
Connect to a remote serial device (Debuggee).
Definition debug.cpp:171
BOOLEAN CommandDebugCheckBaudrate(DWORD Baudrate)
Check if baud rate is valid or not.
Definition debug.cpp:92
VOID CommandDebugHelp()
help of the .debug command
Definition debug.cpp:25
BOOLEAN HyperDbgDebugCloseRemoteDebugger()
Connect to a remote serial device (Debuggee).
Definition debug.cpp:211

◆ CommandDetach()

VOID CommandDetach ( vector< CommandToken > CommandTokens,
string Command )

.detach command handler

Parameters
CommandTokens
Command
Returns
VOID
73{
74 if (CommandTokens.size() >= 2)
75 {
76 ShowMessages("incorrect use of the '%s'\n\n",
77 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
79 return;
80 }
81
82 //
83 // Perform detach from the process
84 //
86}
VOID DetachFromProcess()
perform detach from process
Definition detach.cpp:39
VOID CommandDetachHelp()
help of the .detach command
Definition detach.cpp:26

◆ CommandDisconnect()

VOID CommandDisconnect ( vector< CommandToken > CommandTokens,
string Command )

.disconnect command handler

Parameters
CommandTokens
Command
Returns
VOID
46{
47 if (CommandTokens.size() != 1)
48 {
49 ShowMessages("incorrect use of the '%s'\n\n",
50 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
52 return;
53 }
54
56 {
57 ShowMessages("you're not connected to any instance of HyperDbg, did you "
58 "use '.connect'? \n");
59 return;
60 }
61
62 //
63 // Check if it's local debugger and the driver is still
64 // loading (not unloaded)
65 //
67 {
68 ShowMessages("you cannot disconnect in local debugging while the "
69 "driver is still loaded. please use 'unload' command before "
70 "disconnecting from the current instance of debugger\n");
71 return;
72 }
73
74 //
75 // Disconnect the session
76 //
78
79 //
80 // This computer is connected to a remote system
81 //
83 {
84 //
85 // We should kill the thread that was listening for the
86 // remote commands and close the connection
87 //
88 TerminateThread(g_RemoteDebuggeeListeningThread, 0);
90 CloseHandle(g_EndOfMessageReceivedEvent);
92
94
96 }
97
98 ShowMessages("disconnected successfully\n");
99}
HANDLE g_RemoteDebuggeeListeningThread
In debugger (not debuggee), we save the ip of server debuggee in this variable to use it later e....
Definition globals.h:146
VOID CommandDisconnectHelp()
help of the .disconnect command
Definition disconnect.cpp:28
HANDLE g_EndOfMessageReceivedEvent
Handle to if the end of the message received (for showing signature).
Definition globals.h:159
HANDLE g_DeviceHandle
Holds the global handle of device which is used to send the request to the kernel by IOCTL,...
Definition globals.h:481
INT RemoteConnectionCloseTheConnectionWithDebuggee()
Close the connect from client side to the debuggee.
Definition remote-connection.cpp:504

◆ CommandDr()

VOID CommandDr ( vector< CommandToken > CommandTokens,
string Command )

!dr command handler

Parameters
CommandTokens
Command
Returns
VOID
47{
49 PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger = NULL;
50 PDEBUGGER_GENERAL_ACTION ActionCustomCode = NULL;
51 PDEBUGGER_GENERAL_ACTION ActionScript = NULL;
52 UINT32 EventLength;
53 UINT32 ActionBreakToDebuggerLength = 0;
54 UINT32 ActionCustomCodeLength = 0;
55 UINT32 ActionScriptLength = 0;
56 DEBUGGER_EVENT_PARSING_ERROR_CAUSE EventParsingErrorCause;
57
58 //
59 // Interpret and fill the general event and action fields
60 //
61 //
63 &CommandTokens,
65 &Event,
66 &EventLength,
67 &ActionBreakToDebugger,
68 &ActionBreakToDebuggerLength,
69 &ActionCustomCode,
70 &ActionCustomCodeLength,
71 &ActionScript,
72 &ActionScriptLength,
73 &EventParsingErrorCause))
74 {
75 return;
76 }
77
78 //
79 // Check for size
80 //
81 if (CommandTokens.size() > 1)
82 {
83 ShowMessages("incorrect use of the '%s'\n\n",
84 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
86
87 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
88 return;
89 }
90
91 //
92 // Send the ioctl to the kernel for event registration
93 //
94 if (!SendEventToKernel(Event, EventLength))
95 {
96 //
97 // There was an error, probably the handle was not initialized
98 // we have to free the Action before exit, it is because, we
99 // already freed the Event and string buffers
100 //
101
102 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
103 return;
104 }
105
106 //
107 // Add the event to the kernel
108 //
109 if (!RegisterActionToEvent(Event,
110 ActionBreakToDebugger,
111 ActionBreakToDebuggerLength,
112 ActionCustomCode,
113 ActionCustomCodeLength,
114 ActionScript,
115 ActionScriptLength))
116 {
117 //
118 // There was an error
119 //
120
121 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
122 return;
123 }
124}
@ DEBUG_REGISTERS_ACCESSED
Definition Events.h:146
VOID CommandDrHelp()
help of the !dr command
Definition dr.cpp:20

◆ CommandDtAndStruct()

VOID CommandDtAndStruct ( vector< CommandToken > CommandTokens,
string Command )

dt and struct command handler

Parameters
CommandTokens
Command
Returns
VOID
430{
431 CommandToken TempTypeNameHolder;
432 std::string PdbexArgs = "";
433 BOOLEAN IsStruct = FALSE;
434 UINT64 TargetAddress = NULL;
435 PVOID BufferAddressRetrievedFromDebuggee = NULL;
436 UINT32 TargetPid = NULL;
437 BOOLEAN IsPhysicalAddress = FALSE;
438
439 //
440 // Check if command is 'struct' or not
441 //
442 if (CompareLowerCaseStrings(CommandTokens.at(0), "struct") ||
443 CompareLowerCaseStrings(CommandTokens.at(0), "structure"))
444 {
445 IsStruct = TRUE;
446 }
447 else
448 {
449 IsStruct = FALSE;
450 }
451
452 //
453 // Check if command is '!dt' for physical address or not
454 //
455 if (!IsStruct && CompareLowerCaseStrings(CommandTokens.at(0), "!dt"))
456 {
457 IsPhysicalAddress = TRUE;
458 }
459 else
460 {
461 IsPhysicalAddress = FALSE;
462 }
463
464 if (CommandTokens.size() == 1)
465 {
466 ShowMessages("incorrect use of the '%s'\n\n",
467 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
468
469 if (IsStruct)
470 {
472 }
473 else
474 {
476 }
477
478 return;
479 }
480
481 //
482 // Create TempSplitTokens by copying elements from CommandTokens, excluding the first element
483 //
484 std::vector<CommandToken> TempSplitTokens(CommandTokens.begin() + 1, CommandTokens.end());
485
486 //
487 // If the size is zero, then it's only a type name
488 //
489 if (TempSplitTokens.size() == 1)
490 {
491 //
492 // Call the dt parser wrapper, it's only a structure (type) name
493 // Call it with default configuration
494 //
496 NULL,
497 IsStruct,
498 NULL,
499 TargetPid,
500 IsPhysicalAddress,
502 }
503 else
504 {
505 //
506 // When we're here, it means we have size() >= 2, so we have to check
507 // the first and the second method to see which one is the type and
508 // which one is the symbol
509 //
510
511 //
512 // Check if the first parameter is an address or valid expression
513 //
514 if (IsStruct || !SymbolConvertNameOrExprToAddress(GetCaseSensitiveStringFromCommandToken(TempSplitTokens.at(0)).c_str(),
515 &TargetAddress))
516 {
517 //
518 // No it's not, we'll get the first argument as the structure (type) name
519 // And we have to check whether the second argument is a buffer address or not
520 //
521 if (IsStruct || !SymbolConvertNameOrExprToAddress(GetCaseSensitiveStringFromCommandToken(TempSplitTokens.at(1)).c_str(),
522 &TargetAddress))
523 {
524 //
525 // The second argument is also not buffer address
526 // probably the user entered a structure (type) name along with some params
527 //
528 TempTypeNameHolder = TempSplitTokens.at(0);
529
530 //
531 // Remove the first argument
532 //
533 TempSplitTokens.erase(TempSplitTokens.begin());
534
535 //
536 // Convert to pdbex args
537 //
538 if (!CommandDtAndStructConvertHyperDbgArgsToPdbex(TempSplitTokens, PdbexArgs, &TargetPid))
539 {
540 if (IsStruct)
541 {
543 }
544 else
545 {
547 }
548
549 return;
550 }
551
552 //
553 // Call the wrapper of pdbex
554 //
556 TargetAddress,
557 IsStruct,
558 BufferAddressRetrievedFromDebuggee,
559 TargetPid,
560 IsPhysicalAddress,
561 PdbexArgs.c_str());
562 }
563 else
564 {
565 //
566 // The second argument is a buffer address
567 // The user entered a structure (type) name along with buffer address
568 //
569 if (TempSplitTokens.size() == 2)
570 {
571 //
572 // There is not parameters, only a symbol name and then a buffer address
573 // Call it with default configuration
574 //
576 TargetAddress,
577 IsStruct,
578 BufferAddressRetrievedFromDebuggee,
579 TargetPid,
580 IsPhysicalAddress,
582 }
583 else
584 {
585 //
586 // Other than the first argument which is a structure (type) name, and
587 // the second argument which is buffer address, there are other parameters, so
588 // we WON'T call it with default parameters
589 //
590 TempTypeNameHolder = TempSplitTokens.at(0);
591
592 //
593 // Remove the first, and the second arguments
594 //
595 TempSplitTokens.erase(TempSplitTokens.begin());
596 TempSplitTokens.erase(TempSplitTokens.begin());
597
598 //
599 // Convert to pdbex args
600 //
601 if (!CommandDtAndStructConvertHyperDbgArgsToPdbex(TempSplitTokens, PdbexArgs, &TargetPid))
602 {
603 if (IsStruct)
604 {
606 }
607 else
608 {
610 }
611
612 return;
613 }
614
615 //
616 // Call the wrapper of pdbex
617 //
619 TargetAddress,
620 IsStruct,
621 BufferAddressRetrievedFromDebuggee,
622 TargetPid,
623 IsPhysicalAddress,
624 PdbexArgs.c_str());
625 }
626 }
627 }
628 else
629 {
630 //
631 // The first argument is a buffer address, so we get the first argument as
632 // a buffer address and the second argument as the structure (type) name
633 //
634 if (TempSplitTokens.size() == 2)
635 {
636 //
637 // There is not parameters, only a buffer address and then a symbol name
638 // Call it with default configuration
639 //
641 TargetAddress,
642 IsStruct,
643 BufferAddressRetrievedFromDebuggee,
644 TargetPid,
645 IsPhysicalAddress,
647 }
648 else
649 {
650 //
651 // Other than the first argument which is a buffer address, and the second
652 // argument which is structure (type) name, there are other parameters, so
653 // we WON'T call it with default parameters
654 //
655 TempTypeNameHolder = TempSplitTokens.at(1);
656
657 //
658 // Remove the first, and the second arguments
659 //
660 TempSplitTokens.erase(TempSplitTokens.begin());
661 TempSplitTokens.erase(TempSplitTokens.begin());
662
663 //
664 // Convert to pdbex args
665 //
666 if (!CommandDtAndStructConvertHyperDbgArgsToPdbex(TempSplitTokens, PdbexArgs, &TargetPid))
667 {
668 if (IsStruct)
669 {
671 }
672 else
673 {
675 }
676
677 return;
678 }
679
680 //
681 // Call the wrapper of pdbex
682 //
684 TargetAddress,
685 IsStruct,
686 BufferAddressRetrievedFromDebuggee,
687 TargetPid,
688 IsPhysicalAddress,
689 PdbexArgs.c_str());
690 }
691 }
692 }
693}
std::tuple< CommandParsingTokenType, std::string, std::string > CommandToken
Command's parsing type.
Definition commands.h:177
VOID CommandStructHelp()
help of the struct command
Definition dt-struct.cpp:63
BOOLEAN CommandDtAndStructConvertHyperDbgArgsToPdbex(vector< CommandToken > ExtraArgs, std::string &PdbexArgs, UINT32 *ProcessId)
Convert HyperDbg arguments for dt and struct commands to pdbex arguments.
Definition dt-struct.cpp:93
VOID CommandDtHelp()
help of the dt command
Definition dt-struct.cpp:26
BOOLEAN CommandDtShowDataBasedOnSymbolTypes(const CHAR *TypeName, UINT64 Address, BOOLEAN IsStruct, PVOID BufferAddress, UINT32 TargetPid, BOOLEAN IsPhysicalAddress, const CHAR *AdditionalParameters)
Show data based on the symbol structure and data types.
Definition dt-struct.cpp:316
#define PDBEX_DEFAULT_CONFIGURATION
Definition symbol.h:33

◆ CommandDump()

VOID CommandDump ( vector< CommandToken > CommandTokens,
string Command )

.dump command handler

Parameters
CommandTokens
Command
Returns
VOID
63{
64 wstring Filepath;
65 UINT32 ActualLength;
66 UINT32 Iterator;
67 UINT32 Pid = 0;
68 UINT32 Length = 0;
69 UINT64 StartAddress = 0;
70 UINT64 EndAddress = 0;
71 BOOLEAN IsFirstCommand = TRUE;
72 BOOLEAN NextIsProcId = FALSE;
73 BOOLEAN NextIsPath = FALSE;
74 BOOLEAN IsTheFirstAddr = FALSE;
75 BOOLEAN IsTheSecondAddr = FALSE;
76 BOOLEAN IsDumpPathSpecified = FALSE;
77 string FirstCommand = GetLowerStringFromCommandToken(CommandTokens.front());
79
80 if (CommandTokens.size() <= 4)
81 {
82 ShowMessages("err, incorrect use of the '.dump' command\n\n");
84 return;
85 }
86
87 //
88 // By default if the user-debugger is active, we use these commands
89 // on the memory layout of the debuggee process
90 //
92 {
93 Pid = g_ActiveProcessDebuggingState.ProcessId;
94 }
95
96 for (auto Section : CommandTokens)
97 {
98 if (IsFirstCommand == TRUE)
99 {
100 IsFirstCommand = FALSE;
101 continue;
102 }
103 else if (NextIsProcId)
104 {
105 if (!ConvertTokenToUInt32(Section, &Pid))
106 {
107 ShowMessages("please specify a correct hex value for process id\n\n");
109 return;
110 }
111 NextIsProcId = FALSE;
112 continue;
113 }
114 else if (NextIsPath)
115 {
116 //
117 // Convert path to wstring
118 //
120 IsDumpPathSpecified = TRUE;
121
122 NextIsPath = FALSE;
123 }
124 else if (CompareLowerCaseStrings(Section, "pid"))
125 {
126 NextIsProcId = TRUE;
127 continue;
128 }
129 else if (CompareLowerCaseStrings(Section, "path"))
130 {
131 NextIsPath = TRUE;
132 continue;
133 }
134 //
135 // Check the 'From' address
136 //
137 else if (!IsTheFirstAddr &&
139 {
140 IsTheFirstAddr = TRUE;
141 }
142 //
143 // Check the 'To' address
144 //
145 else if (!IsTheSecondAddr &&
147 {
148 IsTheSecondAddr = TRUE;
149 }
150 else
151 {
152 //
153 // invalid input
154 //
155 ShowMessages("err, couldn't resolve error at '%s'\n\n",
158
159 return;
160 }
161 }
162
163 //
164 // Check if 'pid' is not specified
165 //
166 if (NextIsProcId)
167 {
168 ShowMessages("please specify a correct hex value for process id\n\n");
170 return;
171 }
172
173 //
174 // Check if 'path' is either specified, not completely specified
175 //
176 if (NextIsPath || !IsDumpPathSpecified)
177 {
178 ShowMessages("please specify a correct path for saving the dump\n\n");
180 return;
181 }
182
183 //
184 // Check if start address or end address is null
185 //
186 if (!IsTheFirstAddr || !IsTheSecondAddr)
187 {
188 ShowMessages("err, please specify the start and end address in hex format\n");
189 return;
190 }
191
192 //
193 // Check if end address is bigger than start address
194 //
195 if (StartAddress >= EndAddress)
196 {
197 ShowMessages("err, please note that the 'to' address should be greater than the 'from' address\n");
198 return;
199 }
200
201 //
202 // Check to prevent using process id in d* and u* commands
203 //
205 {
207 return;
208 }
209
210 if (Pid == 0)
211 {
212 //
213 // Default process we read from current process
214 //
216 }
217
218 //
219 // Check whether it's physical or virtual address
220 //
221 if (!FirstCommand.compare("!dump"))
222 {
224 }
225
226 //
227 // Create or open the file for writing the dump file
228 //
229 // TEMPORARY LINUX SHIM (same as in pe.cpp): std::wstring stores native
230 // wchar_t (4 bytes on Linux), but the HyperDbg WCHAR type is 2 bytes
231 // (UINT16) and PlatformOpenFileForWriting takes a const WCHAR *. On Linux
232 // the cast is a bogus 2-byte reinterpretation, acceptable only because
233 // Linux file I/O is still stubbed (the path is never opened). On Windows
234 // WCHAR == wchar_t, so it is a plain correct pointer. TODO(Linux): remove
235 // once real file I/O lands and convert wchar_t -> 2-byte WCHAR properly.
236 //
237#ifdef __linux__
238 DumpFileHandle = PlatformOpenFileForWriting((const WCHAR *)Filepath.c_str());
239#else
240 DumpFileHandle = PlatformOpenFileForWriting(Filepath.c_str());
241#endif
242
243 if (DumpFileHandle == INVALID_HANDLE_VALUE)
244 {
245 ShowMessages("err, unable to create or open the file\n");
246 return;
247 }
248
249 //
250 // Compute the length
251 //
252 Length = (UINT32)(EndAddress - StartAddress);
253
254 ActualLength = NULL;
255 Iterator = Length / PAGE_SIZE;
256
257 for (SIZE_T i = 0; i <= Iterator; i++)
258 {
259 UINT64 Address = StartAddress + (i * PAGE_SIZE);
260
261 if (Length >= PAGE_SIZE)
262 {
263 ActualLength = PAGE_SIZE;
264 }
265 else
266 {
267 ActualLength = Length;
268 }
269
270 Length -= ActualLength;
271
272 if (ActualLength != 0)
273 {
274 // ShowMessages("address: 0x%llx | actual length: 0x%llx\n", Address, ActualLength);
275
278 Address,
279 MemoryType,
281 Pid,
282 ActualLength,
283 NULL);
284 }
285 }
286
287 //
288 // Close the file handle if it's not already closed
289 //
290 if (DumpFileHandle != NULL)
291 {
294 }
295
296 ShowMessages("the dump file is saved at: %ls\n", Filepath.c_str());
297}
@ READ_FROM_KERNEL
Definition RequestStructures.h:245
enum _DEBUGGER_READ_MEMORY_TYPE DEBUGGER_READ_MEMORY_TYPE
different type of addresses
@ DEBUGGER_SHOW_COMMAND_DUMP
Definition RequestStructures.h:284
@ DEBUGGER_READ_PHYSICAL_ADDRESS
Definition RequestStructures.h:255
@ DEBUGGER_READ_VIRTUAL_ADDRESS
Definition RequestStructures.h:256
VOID StringToWString(std::wstring &ws, const std::string &s)
convert std::string to std::wstring
Definition common.cpp:850
std::string GetLowerStringFromCommandToken(CommandToken TargetToken)
Get lower case string from command token.
Definition common.cpp:484
VOID CommandDumpHelp()
help of the .dump command
Definition dump.cpp:36
HANDLE DumpFileHandle
Holds the handle of the dump file.
Definition dump.cpp:28
#define ASSERT_MESSAGE_CANNOT_SPECIFY_PID
Definition common.h:39
#define PAGE_SIZE
Size of each page (4096 bytes).
Definition common.h:80
HANDLE PlatformOpenFileForWriting(const WCHAR *Path)
Platform independent wrapper to create/open a file for writing.
Definition platform-lib-calls.c:392
BOOLEAN PlatformCloseFile(HANDLE FileHandle)
Platform independent wrapper to close a file opened by PlatformOpenFileForWriting.
Definition platform-lib-calls.c:440
VOID HyperDbgShowMemoryOrDisassemble(DEBUGGER_SHOW_MEMORY_STYLE Style, UINT64 Address, DEBUGGER_READ_MEMORY_TYPE MemoryType, DEBUGGER_READ_READING_TYPE ReadingType, UINT32 Pid, UINT32 Size, PDEBUGGER_DT_COMMAND_OPTIONS DtDetails)
Show memory or disassembler.
Definition readmem.cpp:193

◆ CommandDumpSaveIntoFile()

VOID CommandDumpSaveIntoFile ( PVOID Buffer,
UINT32 Length )

Saves the received buffers into the files.

Parameters
Buffer
Length
Returns
VOID
309{
310 //
311 // Check if handle is valid
312 //
313 if (DumpFileHandle == NULL)
314 {
315 ShowMessages("err, invalid handle for saving the dump buffer is specified\n");
316 return;
317 }
318
319 //
320 // Write the buffer into the dump file
321 //
322 if (!PlatformWriteFile(DumpFileHandle, Buffer, Length))
323 {
324 ShowMessages("err, unable to write buffer into the dump\n");
325
328
329 return;
330 }
331}
BOOLEAN PlatformWriteFile(HANDLE FileHandle, const VOID *Buffer, DWORD NumberOfBytes)
Platform independent wrapper to write a buffer to an open file.
Definition platform-lib-calls.c:420

◆ CommandEditMemory()

VOID CommandEditMemory ( vector< CommandToken > CommandTokens,
string Command )

!e* and e* commands handler

Parameters
CommandTokens
Command
Returns
VOID
270{
271 UINT64 Address;
272 UINT64 * FinalBuffer;
273 vector<UINT64> ValuesToEdit;
274 DEBUGGER_EDIT_MEMORY_TYPE MemoryType;
276 BOOL SetAddress = FALSE;
278 BOOL SetProcId = FALSE;
279 BOOL NextIsProcId = FALSE;
280 UINT64 Value = 0;
281 UINT32 ProcId = 0;
282 UINT32 CountOfValues = 0;
283 UINT32 FinalSize = 0;
284 BOOLEAN IsFirstCommand = TRUE;
285
286 //
287 // By default if the user-debugger is active, we use these commands
288 // on the memory layout of the debuggee process
289 //
291 {
292 ProcId = g_ActiveProcessDebuggingState.ProcessId;
293 }
294
295 if (CommandTokens.size() <= 2)
296 {
297 ShowMessages("incorrect use of the '%s'\n\n",
298 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
300 return;
301 }
302
303 for (auto Section : CommandTokens)
304 {
305 if (IsFirstCommand)
306 {
307 if (CompareLowerCaseStrings(Section, "!eb"))
308 {
309 MemoryType = EDIT_PHYSICAL_MEMORY;
310 ByteSize = EDIT_BYTE;
311 }
312 else if (CompareLowerCaseStrings(Section, "!ed"))
313 {
314 MemoryType = EDIT_PHYSICAL_MEMORY;
315 ByteSize = EDIT_DWORD;
316 }
317 else if (CompareLowerCaseStrings(Section, "!eq"))
318 {
319 MemoryType = EDIT_PHYSICAL_MEMORY;
320 ByteSize = EDIT_QWORD;
321 }
322 else if (CompareLowerCaseStrings(Section, "eb"))
323 {
324 MemoryType = EDIT_VIRTUAL_MEMORY;
325 ByteSize = EDIT_BYTE;
326 }
327 else if (CompareLowerCaseStrings(Section, "ed"))
328 {
329 MemoryType = EDIT_VIRTUAL_MEMORY;
330 ByteSize = EDIT_DWORD;
331 }
332 else if (CompareLowerCaseStrings(Section, "eq"))
333 {
334 MemoryType = EDIT_VIRTUAL_MEMORY;
335 ByteSize = EDIT_QWORD;
336 }
337 else
338 {
339 //
340 // What's this? :(
341 //
342 ShowMessages("unknown error happened !\n\n");
344 return;
345 }
346
347 IsFirstCommand = FALSE;
348
349 continue;
350 }
351
352 if (NextIsProcId)
353 {
354 //
355 // It's a process id
356 //
357 NextIsProcId = FALSE;
358
359 if (!ConvertTokenToUInt32(Section, &ProcId))
360 {
361 ShowMessages("please specify a correct hex process id\n\n");
363 return;
364 }
365 else
366 {
367 //
368 // Means that the proc id is set, next we should read value
369 //
370 continue;
371 }
372 }
373
374 //
375 // Check if it's a process id or not
376 //
377 if (!SetProcId && CompareLowerCaseStrings(Section, "pid"))
378 {
379 NextIsProcId = TRUE;
380 continue;
381 }
382
383 if (!SetAddress)
384 {
386 {
387 ShowMessages("err, couldn't resolve error at '%s'\n\n",
390 return;
391 }
392 else
393 {
394 //
395 // Means that the address is set, next we should read value
396 //
397 SetAddress = TRUE;
398 continue;
399 }
400 }
401
402 if (SetAddress)
403 {
404 //
405 // Remove the hex notations
406 //
407 std::string TargetVal = GetCaseSensitiveStringFromCommandToken(Section);
408
409 if (TargetVal.rfind("0x", 0) == 0 || TargetVal.rfind("0X", 0) == 0 ||
410 TargetVal.rfind("\\x", 0) == 0 || TargetVal.rfind("\\X", 0) == 0)
411 {
412 TargetVal = TargetVal.erase(0, 2);
413 }
414 else if (TargetVal.rfind('x', 0) == 0 || TargetVal.rfind('X', 0) == 0)
415 {
416 TargetVal = TargetVal.erase(0, 1);
417 }
418
419 TargetVal.erase(remove(TargetVal.begin(), TargetVal.end(), '`'), TargetVal.end());
420
421 //
422 // Check if the value is valid based on byte counts
423 //
424 if (ByteSize == EDIT_BYTE && TargetVal.size() >= 3)
425 {
426 ShowMessages("please specify a byte (hex) value for 'eb' or '!eb'\n\n");
427 return;
428 }
429 if (ByteSize == EDIT_DWORD && TargetVal.size() >= 9)
430 {
431 ShowMessages(
432 "please specify a dword (hex) value for 'ed' or '!ed'\n\n");
433 return;
434 }
435 if (ByteSize == EDIT_QWORD && TargetVal.size() >= 17)
436 {
437 ShowMessages(
438 "please specify a qword (hex) value for 'eq' or '!eq'\n\n");
439 return;
440 }
441
442 //
443 // Qword is checked by the following function, no need to double
444 // check it above.
445 //
446
447 if (!ConvertStringToUInt64(TargetVal, &Value))
448 {
449 ShowMessages("please specify a correct hex value to change the memory "
450 "content\n\n");
452 return;
453 }
454 else
455 {
456 //
457 // Add it to the list
458 //
459
460 ValuesToEdit.push_back(Value);
461
462 //
463 // Keep track of values to modify
464 //
465 CountOfValues++;
466
467 if (!SetValue)
468 {
469 //
470 // At least on value is there
471 //
472 SetValue = TRUE;
473 }
474 continue;
475 }
476 }
477 }
478
479 //
480 // Check to prevent using process id in e* commands
481 //
482 if (g_IsSerialConnectedToRemoteDebuggee && ProcId != 0)
483 {
485 return;
486 }
487
488 //
489 // Only valid for VMI Mode
490 //
491 if (ProcId == 0)
492 {
493 ProcId = GetCurrentProcessId();
494 }
495
496 //
497 // Check if address and value are set or not
498 //
499 if (!SetAddress)
500 {
501 ShowMessages("please specify a correct hex address\n\n");
503 return;
504 }
505 if (!SetValue)
506 {
507 ShowMessages(
508 "please specify a correct hex value as the content to edit\n\n");
510 return;
511 }
512 if (NextIsProcId)
513 {
514 ShowMessages("please specify a correct hex value as the process id\n\n");
516 return;
517 }
518
519 //
520 // Make the chunks for editing
521 //
522 FinalSize = (CountOfValues * sizeof(UINT64));
523
524 //
525 // Allocate structure + buffer
526 //
527 FinalBuffer = (UINT64 *)malloc(FinalSize);
528
529 if (!FinalBuffer)
530 {
531 ShowMessages("unable to allocate memory\n\n");
532 return;
533 }
534
535 //
536 // Zero the buffer
537 //
538 ZeroMemory(FinalBuffer, FinalSize);
539
540 //
541 // Put the values in 64 bit structures
542 //
543 std::copy(ValuesToEdit.begin(), ValuesToEdit.end(), FinalBuffer);
544
545 //
546 // Perform the write operation
547 //
548 WriteMemoryContent(Address,
549 MemoryType,
550 ByteSize,
551 ProcId,
552 CountOfValues,
553 FinalBuffer);
554
555 //
556 // Free the malloc buffer
557 //
558 free(FinalBuffer);
559}
VOID SetValue(PGUEST_REGS GuestRegs, SCRIPT_ENGINE_GENERAL_REGISTERS *ScriptGeneralRegisters, PSYMBOL Symbol, UINT64 Value)
Set the value.
Definition ScriptEngineEval.c:185
@ EDIT_QWORD
Definition RequestStructures.h:494
@ EDIT_DWORD
Definition RequestStructures.h:493
@ EDIT_BYTE
Definition RequestStructures.h:492
enum _DEBUGGER_EDIT_MEMORY_BYTE_SIZE DEBUGGER_EDIT_MEMORY_BYTE_SIZE
size of editing memory
VOID CommandEditMemoryHelp()
help of !e* and e* commands
Definition e.cpp:28
BOOLEAN WriteMemoryContent(UINT64 AddressToEdit, DEBUGGER_EDIT_MEMORY_TYPE MemoryType, DEBUGGER_EDIT_MEMORY_BYTE_SIZE ByteSize, UINT32 Pid, UINT32 CountOf64Chunks, UINT64 *BufferToEdit)
Perform writing the memory content.
Definition e.cpp:66
RequestedActionOfThePacket Value(0x1) 00000000
BOOLEAN ConvertStringToUInt64(string TextToConvert, PUINT64 Result)

◆ CommandEptHook()

VOID CommandEptHook ( vector< CommandToken > CommandTokens,
string Command )

!epthook command handler

Parameters
CommandTokens
Command
Returns
VOID
49{
51 PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger = NULL;
52 PDEBUGGER_GENERAL_ACTION ActionCustomCode = NULL;
53 PDEBUGGER_GENERAL_ACTION ActionScript = NULL;
54 UINT32 EventLength;
55 UINT32 ActionBreakToDebuggerLength = 0;
56 UINT32 ActionCustomCodeLength = 0;
57 UINT32 ActionScriptLength = 0;
58 BOOLEAN GetAddress = FALSE;
59 UINT64 OptionalParam1 = 0; // Set the target address
60 DEBUGGER_EVENT_PARSING_ERROR_CAUSE EventParsingErrorCause;
61
62 if (CommandTokens.size() < 2)
63 {
64 ShowMessages("incorrect use of the '%s'\n\n",
65 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
66
68 return;
69 }
70
71 //
72 // Interpret and fill the general event and action fields
73 //
75 &CommandTokens,
77 &Event,
78 &EventLength,
79 &ActionBreakToDebugger,
80 &ActionBreakToDebuggerLength,
81 &ActionCustomCode,
82 &ActionCustomCodeLength,
83 &ActionScript,
84 &ActionScriptLength,
85 &EventParsingErrorCause))
86 {
87 return;
88 }
89
90 //
91 // Check here to make sure that the user didn't specified the calling stages for this ept hook
92 //
94 {
95 ShowMessages("the utilization of 'post' or 'all' event calling stages is not meaningful "
96 "for the hidden hook; therefore, this command does not support them\n");
97
98 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
99 return;
100 }
101
102 //
103 // Interpret command specific details (if any)
104 //
105 for (auto Section : CommandTokens)
106 {
107 if (CompareLowerCaseStrings(Section, "!epthook"))
108 {
109 continue;
110 }
111 else if (!GetAddress)
112 {
113 //
114 // It's probably address
115 //
118 &OptionalParam1))
119 {
120 //
121 // Couldn't resolve or unknown parameter
122 //
123 ShowMessages("err, couldn't resolve error at '%s'\n\n",
126
127 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
128 return;
129 }
130 else
131 {
132 GetAddress = TRUE;
133 }
134 }
135 else
136 {
137 //
138 // Unknown parameter
139 //
140 ShowMessages("unknown parameter '%s'\n\n",
143
144 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
145 return;
146 }
147 }
148 if (OptionalParam1 == 0)
149 {
150 ShowMessages("please choose an address to put the hidden breakpoint on it\n");
151
152 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
153 return;
154 }
155
156 //
157 // Set the optional parameters
158 //
159 Event->Options.OptionalParam1 = OptionalParam1;
160
161 //
162 // Send the ioctl to the kernel for event registration
163 //
164 if (!SendEventToKernel(Event, EventLength))
165 {
166 //
167 // There was an error, probably the handle was not initialized
168 // we have to free the Action before exit, it is because, we
169 // already freed the Event and string buffers
170 //
171
172 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
173 return;
174 }
175
176 //
177 // Add the event to the kernel
178 //
179 if (!RegisterActionToEvent(Event,
180 ActionBreakToDebugger,
181 ActionBreakToDebuggerLength,
182 ActionCustomCode,
183 ActionCustomCodeLength,
184 ActionScript,
185 ActionScriptLength))
186 {
187 //
188 // There was an error
189 //
190
191 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
192 return;
193 }
194}
@ VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION
Definition DataTypes.h:126
@ HIDDEN_HOOK_EXEC_CC
Definition Events.h:112
VOID CommandEptHookHelp()
help of the !epthook command
Definition epthook.cpp:20
VMM_CALLBACK_EVENT_CALLING_STAGE_TYPE EventStage
Definition Events.h:374

◆ CommandEptHook2()

VOID CommandEptHook2 ( vector< CommandToken > CommandTokens,
string Command )

!epthook2 command handler

Parameters
CommandTokens
Command
Returns
VOID
50{
52 PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger = NULL;
53 PDEBUGGER_GENERAL_ACTION ActionCustomCode = NULL;
54 PDEBUGGER_GENERAL_ACTION ActionScript = NULL;
55 UINT32 EventLength;
56 UINT32 ActionBreakToDebuggerLength = 0;
57 UINT32 ActionCustomCodeLength = 0;
58 UINT32 ActionScriptLength = 0;
59 BOOLEAN GetAddress = FALSE;
60 UINT64 OptionalParam1 = 0; // Set the target address
61 DEBUGGER_EVENT_PARSING_ERROR_CAUSE EventParsingErrorCause;
62
63 if (CommandTokens.size() < 2)
64 {
65 ShowMessages("incorrect use of the '%s'\n\n",
66 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
67
69 return;
70 }
71
72 //
73 // Interpret and fill the general event and action fields
74 //
76 &CommandTokens,
78 &Event,
79 &EventLength,
80 &ActionBreakToDebugger,
81 &ActionBreakToDebuggerLength,
82 &ActionCustomCode,
83 &ActionCustomCodeLength,
84 &ActionScript,
85 &ActionScriptLength,
86 &EventParsingErrorCause))
87 {
88 return;
89 }
90
91 //
92 // Check here to make sure that the user didn't specified the calling stages for this ept hook
93 //
95 {
96 ShowMessages("the utilization of 'post' or 'all' event calling stages is not meaningful "
97 "for the hidden hook; therefore, this command does not support them\n");
98
99 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
100 return;
101 }
102
103 //
104 // Interpret command specific details (if any)
105 //
106 for (auto Section : CommandTokens)
107 {
108 if (CompareLowerCaseStrings(Section, "!epthook2"))
109 {
110 continue;
111 }
112 else if (!GetAddress)
113 {
114 //
115 // It's probably address
116 //
119 &OptionalParam1))
120 {
121 //
122 // Couldn't resolve or unknown parameter
123 //
124 ShowMessages("err, couldn't resolve error at '%s'\n\n",
127
128 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
129 return;
130 }
131 else
132 {
133 GetAddress = TRUE;
134 }
135 }
136 else
137 {
138 //
139 // Unknown parameter
140 //
141 ShowMessages("unknown parameter '%s'\n\n",
144
145 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
146 return;
147 }
148 }
149 if (OptionalParam1 == 0)
150 {
151 ShowMessages("please choose an address to put the hook on it\n");
152
153 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
154 return;
155 }
156
157 //
158 // Set the optional parameters
159 //
160 Event->Options.OptionalParam1 = OptionalParam1;
161
162 //
163 // Send the ioctl to the kernel for event registration
164 //
165 if (!SendEventToKernel(Event, EventLength))
166 {
167 //
168 // There was an error, probably the handle was not initialized
169 // we have to free the Action before exit, it is because, we
170 // already freed the Event and string buffers
171 //
172
173 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
174 return;
175 }
176
177 //
178 // Add the event to the kernel
179 //
180 if (!RegisterActionToEvent(Event,
181 ActionBreakToDebugger,
182 ActionBreakToDebuggerLength,
183 ActionCustomCode,
184 ActionCustomCodeLength,
185 ActionScript,
186 ActionScriptLength))
187 {
188 //
189 // There was an error
190 //
191
192 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
193 return;
194 }
195}
@ HIDDEN_HOOK_EXEC_DETOURS
Definition Events.h:111
VOID CommandEptHook2Help()
help of the !epthook2 command
Definition epthook2.cpp:20

◆ CommandEval()

VOID CommandEval ( vector< CommandToken > CommandTokens,
string Command )

handler of ? command

Parameters
CommandTokens
Command
Returns
VOID
197{
198 if (CommandTokens.size() == 1)
199 {
200 ShowMessages("incorrect use of the '%s'\n\n",
201 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
203 return;
204 }
205
206 //
207 // Trim the command
208 //
209 Trim(Command);
210
211 //
212 // Remove the first command from it
213 //
214 Command.erase(0, GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).size());
215
216 //
217 // Trim it again
218 //
219 Trim(Command);
220
221 //
222 // Check if it's a test-case check or not
223 //
224 if (!Command.compare("test"))
225 {
226 //
227 // It's a test-case checker
228 //
230 {
231 ShowMessages("err, testing script engine test-cases was not successful\n");
232 }
233 else
234 {
235 ShowMessages("testing script engine test-cases was successful\n");
236 }
237
238 return;
239 }
240
241 //
242 // Check if we're connected to a remote debuggee (kernel debugger) or the user debugger
243 //
245 {
246 //
247 // Send data to the target user debugger or kernel debugger
248 //
250 }
251 else
252 {
253 //
254 // It's a test (simulated) run of the script-engine
255 //
256 ShowMessages("this command should not be used while you're in VMI-Mode (not attached to the user debugger) "
257 "or not in the debugger mode, the results that you see is a simulated result for TESTING the script engine "
258 "and is not based on the status of your system. You can use this command, either in the debugger mode "
259 "(kernel debugger), or when you attached to a user debugger\n\n");
260
261 ShowMessages("test expression : %s \n", Command.c_str());
263 }
264}
char CHAR
Definition BasicTypes.h:33
VOID Trim(std::string &s)
trim from both ends and start of a string (in place)
Definition common.cpp:715
VOID CommandEvalHelp()
help of the ? command
Definition eval.cpp:26
BOOLEAN CommandEvalCheckTestcase()
Check test-cases for script-engine.
Definition eval.cpp:43
VOID ScriptEngineWrapperTestParser(const string &Expr)
test parser
Definition script-engine-wrapper.cpp:674
BOOLEAN ScriptEngineExecuteSingleExpression(CHAR *Expr, BOOLEAN ShowErrorMessageIfAny, BOOLEAN IsFormat)
Execute single expression for the kernel debugger and the user-mode debugger.
Definition script-engine.cpp:100

◆ CommandEvents()

VOID CommandEvents ( vector< CommandToken > CommandTokens,
string Command )

events command handler

Parameters
CommandTokens
Command
Returns
VOID
68{
69 DEBUGGER_MODIFY_EVENTS_TYPE RequestedAction;
70 UINT64 RequestedTag;
71
72 //
73 // Validate the parameters (size)
74 //
75 if (CommandTokens.size() != 1 && CommandTokens.size() != 3)
76 {
77 ShowMessages("incorrect use of the '%s'\n\n",
78 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
80 return;
81 }
82
83 if (CommandTokens.size() == 1)
84 {
86 {
87 ShowMessages("no active/disabled events \n");
88 return;
89 }
90
92
93 //
94 // No need to continue any further
95 //
96 return;
97 }
98
99 //
100 // Validate second argument as it's not just a simple
101 // events without any parameter
102 //
103 if (CompareLowerCaseStrings(CommandTokens.at(1), "e"))
104 {
105 RequestedAction = DEBUGGER_MODIFY_EVENTS_ENABLE;
106 }
107 else if (CompareLowerCaseStrings(CommandTokens.at(1), "d"))
108 {
109 RequestedAction = DEBUGGER_MODIFY_EVENTS_DISABLE;
110 }
111 else if (CompareLowerCaseStrings(CommandTokens.at(1), "c"))
112 {
113 RequestedAction = DEBUGGER_MODIFY_EVENTS_CLEAR;
114 }
115 else if (CompareLowerCaseStrings(CommandTokens.at(1), "sc"))
116 {
117 if (CompareLowerCaseStrings(CommandTokens.at(2), "on"))
118 {
120 }
121 else if (CompareLowerCaseStrings(CommandTokens.at(2), "off"))
122 {
124 }
125 else
126 {
127 ShowMessages(
128 "please specify a correct 'on' or 'off' state for the short-circuiting state\n\n");
130 return;
131 }
132
133 //
134 // No need to further continue
135 //
136 return;
137 }
138 else
139 {
140 //
141 // unknown second command
142 //
143 ShowMessages("incorrect use of the '%s'\n\n",
144 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
146 return;
147 }
148
149 //
150 // Validate third argument as it's not just a simple
151 // events without any parameter
152 //
153 if (CompareLowerCaseStrings(CommandTokens.at(2), "all"))
154 {
156 }
157 else if (!ConvertTokenToUInt64(CommandTokens.at(2), &RequestedTag))
158 {
159 ShowMessages(
160 "please specify a correct hex value for tag id (event number)\n\n");
162 return;
163 }
164
165 //
166 // Send the request to the kernel, we add it to a constant
167 // that's because we want start tags from that constant
168 //
169 if (RequestedTag != DEBUGGER_MODIFY_EVENTS_APPLY_TO_ALL_TAG)
170 {
171 RequestedTag = RequestedTag + DebuggerEventTagStartSeed;
172 }
173
174 //
175 // Perform event related tasks
176 //
177 CommandEventsModifyAndQueryEvents(RequestedTag, RequestedAction);
178}
#define DEBUGGER_MODIFY_EVENTS_APPLY_TO_ALL_TAG
Apply event modifications to all tags.
Definition Constants.h:714
#define DebuggerEventTagStartSeed
The seeds that user-mode codes use as the starter of their events' tag.
Definition Constants.h:230
@ DEBUGGER_MODIFY_EVENTS_ENABLE
Definition Events.h:235
@ DEBUGGER_MODIFY_EVENTS_DISABLE
Definition Events.h:236
@ DEBUGGER_MODIFY_EVENTS_CLEAR
Definition Events.h:237
enum _DEBUGGER_MODIFY_EVENTS_TYPE DEBUGGER_MODIFY_EVENTS_TYPE
different types of modifying events request (enable/disable/clear)
VOID CommandEventsShowEvents()
print every active and disabled events
Definition events.cpp:231
VOID CommandEventsHelp()
help of the events command
Definition events.cpp:33
BOOLEAN g_EventTraceInitialized
it shows whether the debugger started using events or not or in other words, is g_EventTrace initiali...
Definition globals.h:400
BOOLEAN CommandEventsModifyAndQueryEvents(UINT64 Tag, DEBUGGER_MODIFY_EVENTS_TYPE TypeOfAction)
modify a special event (enable/disable/clear) and send the request directly to the kernel
Definition events.cpp:658
BOOLEAN KdSendShortCircuitingEventToDebuggee(BOOLEAN IsEnabled)
Sends a short-circuiting event request to debuggee.
Definition kd.cpp:226

◆ CommandException()

VOID CommandException ( vector< CommandToken > CommandTokens,
string Command )

!exception command handler

Parameters
CommandTokens
Command
Returns
VOID
52{
54 PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger = NULL;
55 PDEBUGGER_GENERAL_ACTION ActionCustomCode = NULL;
56 PDEBUGGER_GENERAL_ACTION ActionScript = NULL;
57 UINT32 EventLength;
58 UINT32 ActionBreakToDebuggerLength = 0;
59 UINT32 ActionCustomCodeLength = 0;
60 UINT32 ActionScriptLength = 0;
62 BOOLEAN GetEntry = FALSE;
63 DEBUGGER_EVENT_PARSING_ERROR_CAUSE EventParsingErrorCause;
64
65 //
66 // Interpret and fill the general event and action fields
67 //
68 //
70 &CommandTokens,
72 &Event,
73 &EventLength,
74 &ActionBreakToDebugger,
75 &ActionBreakToDebuggerLength,
76 &ActionCustomCode,
77 &ActionCustomCodeLength,
78 &ActionScript,
79 &ActionScriptLength,
80 &EventParsingErrorCause))
81 {
82 return;
83 }
84
85 //
86 // Interpret command specific details (if any)
87 //
88 for (auto Section : CommandTokens)
89 {
90 if (CompareLowerCaseStrings(Section, "!exception"))
91 {
92 continue;
93 }
94 else if (!GetEntry)
95 {
96 //
97 // It's probably an index
98 //
99 if (!ConvertTokenToUInt64(Section, &SpecialTarget))
100 {
101 //
102 // Unknown parameter
103 //
104 ShowMessages("unknown parameter '%s'\n\n",
107
108 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
109 return;
110 }
111 else
112 {
113 //
114 // Check if entry is valid or not (start from zero)
115 //
116 if (SpecialTarget >= 31)
117 {
118 //
119 // Entry is invalid (this command is designed for just first 32
120 // entries)
121 //
122 ShowMessages("the entry should be between 0x0 to 0x1f or first 32 "
123 "entries'\n\n");
125
126 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
127 return;
128 }
129 GetEntry = TRUE;
130 }
131 }
132 else
133 {
134 //
135 // Unknown parameter
136 //
137 ShowMessages("unknown parameter '%s'\n\n",
140
141 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
142 return;
143 }
144 }
145
146 //
147 // Set the target exception (if not specific then it means all exceptions)
148 //
149 Event->Options.OptionalParam1 = SpecialTarget;
150
151 //
152 // Send the ioctl to the kernel for event registration
153 //
154 if (!SendEventToKernel(Event, EventLength))
155 {
156 //
157 // There was an error, probably the handle was not initialized
158 // we have to free the Action before exit, it is because, we
159 // already freed the Event and string buffers
160 //
161
162 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
163 return;
164 }
165
166 //
167 // Add the event to the kernel
168 //
169 if (!RegisterActionToEvent(Event,
170 ActionBreakToDebugger,
171 ActionBreakToDebuggerLength,
172 ActionCustomCode,
173 ActionCustomCodeLength,
174 ActionScript,
175 ActionScriptLength))
176 {
177 //
178 // There was an error
179 //
180
181 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
182 return;
183 }
184}
#define DEBUGGER_EVENT_EXCEPTIONS_ALL_FIRST_32_ENTRIES
Apply to all first 32 exceptions.
Definition Constants.h:757
@ EXCEPTION_OCCURRED
Definition Events.h:140
VOID CommandExceptionHelp()
help of the !exception command
Definition exception.cpp:20

◆ CommandExit()

VOID CommandExit ( vector< CommandToken > CommandTokens,
string Command )

exit command handler

Parameters
CommandTokens
Command
Returns
VOID
47{
48 if (CommandTokens.size() != 1)
49 {
50 ShowMessages("incorrect use of the '%s'\n\n",
51 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
53 return;
54 }
55
57 {
58 //
59 // It is in VMI mode
60 //
61
62 //
63 // unload and exit if the any module is loaded
64 //
66 {
67 //
68 // Unload all modules
69 //
71 }
72 }
74 {
75 //
76 // It is in debugger mode
77 //
78
80 }
81
82 exit(0);
83}
VOID CommandExitHelp()
help of the exit command
Definition exit.cpp:29
BOOLEAN KdCloseConnection()
Send close packet to the debuggee and debugger.
Definition kd.cpp:3056
INT HyperDbgUnloadAllModules()
unload all modules (KD, VMM, HyperTrace, etc.)
Definition libhyperdbg.cpp:628

◆ CommandFlush()

VOID CommandFlush ( vector< CommandToken > CommandTokens,
string Command )

flush command handler

Parameters
CommandTokens
Command
Returns
VOID
112{
113 if (CommandTokens.size() != 1)
114 {
115 ShowMessages("incorrect use of the '%s'\n\n",
116 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
118 return;
119 }
120
121 //
122 // Flush the buffer
123 //
125}
VOID CommandFlushHelp()
help of the flush command
Definition flush.cpp:26
VOID CommandFlushRequestFlush()
flush command handler
Definition flush.cpp:40

◆ CommandFormats()

VOID CommandFormats ( vector< CommandToken > CommandTokens,
string Command )

handler of .formats command

Parameters
CommandTokens
Command
Returns
VOID
107{
108 UINT64 ConstantValue = 0;
109 BOOLEAN HasError = TRUE;
110
111 if (CommandTokens.size() == 1)
112 {
113 ShowMessages("incorrect use of the '%s'\n\n",
114 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
116 return;
117 }
118
119 //
120 // Trim the command
121 //
122 Trim(Command);
123
124 //
125 // Remove .formats from it
126 //
127 Command.erase(0, GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).size());
128
129 //
130 // Trim it again
131 //
132 Trim(Command);
133
134 //
135 // Evaluate a single expression
136 //
137 ConstantValue = ScriptEngineEvalSingleExpression(Command, &HasError);
138
139 if (HasError)
140 {
141 ShowMessages("err, couldn't resolve error at '%s'\n", Command.c_str());
142 }
143 else
144 {
145 //
146 // Show formats results for a constant
147 //
148 CommandFormatsShowResults(ConstantValue);
149 }
150}
VOID CommandFormatsHelp()
help of the help command :)
Definition formats.cpp:20
VOID CommandFormatsShowResults(UINT64 U64Value)
show results of .formats command
Definition formats.cpp:43
UINT64 ScriptEngineEvalSingleExpression(string Expr, PBOOLEAN HasError)
Get the value from the evaluation of single expression from local debuggee and remote debuggee.
Definition script-engine.cpp:31

◆ CommandG()

VOID CommandG ( vector< CommandToken > CommandTokens,
string Command )

handler of g command

Parameters
CommandTokens
Command
Returns
VOID
95{
96 if (CommandTokens.size() != 1)
97 {
98 ShowMessages("incorrect use of the '%s'\n\n",
99 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
100 CommandGHelp();
101 return;
102 }
103
105}
VOID CommandGRequest()
Request to unpause.
Definition g.cpp:41

◆ CommandGg()

VOID CommandGg ( vector< CommandToken > CommandTokens,
string Command )

gg command handler

Parameters
CommandTokens
Command
Returns
VOID
42{
43 if (CommandTokens.size() == 1)
44 {
45 ShowMessages("Good Game! :)\n");
46 }
47 else if (CommandTokens.size() == 2 && CompareLowerCaseStrings(CommandTokens.at(1), "wp"))
48 {
49 ShowMessages("Good Game, Well Played! :)\n");
50 }
51 else
52 {
53 ShowMessages("incorrect use of the '%s'\n\n",
54 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
56 return;
57 }
58}
VOID CommandGgHelp()
help of the g command
Definition gg.cpp:20

◆ CommandGu()

VOID CommandGu ( vector< CommandToken > CommandTokens,
string Command )

handler of gu command

Parameters
CommandTokens
Command
Returns
VOID
53{
54 UINT32 StepCount;
55 BOOLEAN LastInstruction = FALSE;
56 BOOLEAN BreakOnNextInstruction = FALSE;
57
58 //
59 // Validate the commands
60 //
61 if (CommandTokens.size() != 1 && CommandTokens.size() != 2)
62 {
63 ShowMessages("incorrect use of the '%s'\n\n",
64 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
66 return;
67 }
68
69 //
70 // Check if the command has a counter parameter
71 //
72 if (CommandTokens.size() == 2)
73 {
74 if (!ConvertTokenToUInt32(CommandTokens.at(1), &StepCount))
75 {
76 ShowMessages("please specify a correct hex value for [count]\n\n");
78 return;
79 }
80 }
81 else
82 {
84 }
85
86 //
87 // Check if the remote serial debuggee or user debugger are paused or not
88 //
90 {
91 //
92 // Check if the thread is paused or not
93 //
95 {
96 ShowMessages("the target process is running, use the "
97 "'pause' command or press CTRL+C to pause the process\n");
98 return;
99 }
100
101 //
102 // Indicate that we're instrumenting
103 //
105
106 for (SIZE_T i = 0; i < StepCount; i++)
107 {
108 //
109 // For logging purpose
110 //
111 // ShowMessages("percentage : %f %% (%x)\n", 100.0 * (i /
112 // (float)StepCount), i);
113 //
114
115 //
116 // Check if the current instruction is 'ret' or not
117 //
121 g_IsRunningInstruction32Bit ? FALSE : TRUE // equals to !g_IsRunningInstruction32Bit
122 ))
123 {
124 BreakOnNextInstruction = TRUE;
125
126 //
127 // It's the last instruction, so we gonna show the instruction
128 //
129 LastInstruction = TRUE;
130 }
131
132 //
133 // Perform a GU step
134 //
135 SteppingStepOverForGu(LastInstruction);
136
137 //
138 // Check if user pressed CTRL+C
139 //
141 {
142 break;
143 }
144
145 //
146 // Check if we see 'ret' in the previous instruction or not
147 //
148 if (BreakOnNextInstruction)
149 {
150 break;
151 }
152 }
153
154 //
155 // We're not instrumenting instructions anymore
156 //
158 }
159 else
160 {
161 ShowMessages("err, going up (gu) is not valid in the current context, you "
162 "should connect to a debuggee\n");
163 }
164}
#define MAXIMUM_INSTR_SIZE
maximum instruction size in Intel
Definition Constants.h:470
#define DEBUGGER_REMOTE_TRACKING_DEFAULT_COUNT_OF_STEPPING
default number of instructions used in tracking and stepping
Definition RequestStructures.h:1077
BOOLEAN HyperDbgCheckWhetherTheCurrentInstructionIsRet(UCHAR *BufferToDisassemble, UINT64 BuffLength, BOOLEAN Isx86_64)
Check whether the current instruction is a 'ret' or not.
Definition disassembler.cpp:1095
BOOLEAN g_IsRunningInstruction32Bit
whether the Current executing instructions is 32-bit or 64 bit
Definition globals.h:232
BOOLEAN g_IsInstrumentingInstructions
Shows whether the user is running 't', 'p', or 'i' command.
Definition globals.h:571
VOID CommandGuHelp()
help of the gu command
Definition gu.cpp:29
BYTE g_CurrentRunningInstruction[MAXIMUM_INSTR_SIZE]
Current executing instructions.
Definition globals.h:226
BOOLEAN SteppingStepOverForGu(BOOLEAN LastInstruction)
Perform Step-over for GU.
Definition steppings.cpp:155

◆ CommandHide()

VOID CommandHide ( vector< CommandToken > CommandTokens,
string Command )

!hide command handler

Parameters
CommandTokens
Command
Returns
VOID
396{
397 UINT32 TargetPid;
398 BOOLEAN TrueIfProcessIdAndFalseIfProcessName;
399
400#if ActivateHyperEvadeProject != TRUE
401
402 ShowMessages("warning, the !hide command (hyperevade project) is in the Beta phase and is not yet well-tested, "
403 "so it is disabled in this version. If you want to test, you can enable it "
404 "from the configuration file (set ActivateHyperEvadeProject to TRUE) and recompile HyperDbg\n\n");
405 return;
406
407#endif
408
409 if (CommandTokens.size() != 1 && CommandTokens.size() != 3)
410 {
411 ShowMessages("incorrect use of the '%s'\n\n",
412 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
414 return;
415 }
416
417 //
418 // Find out whether the user enters pid or name
419 //
420 if (CommandTokens.size() == 1)
421 {
423 {
424 TrueIfProcessIdAndFalseIfProcessName = TRUE;
425 TargetPid = g_ActiveProcessDebuggingState.ProcessId;
426 }
427 else
428 {
429 //
430 // There is no user-debugging process
431 //
432 ShowMessages("you're not attached to any user-mode process, "
433 "please explicitly specify the process id or process name\n\n");
435 return;
436 }
437 }
438 else if (CompareLowerCaseStrings(CommandTokens.at(1), "pid"))
439 {
440 TrueIfProcessIdAndFalseIfProcessName = TRUE;
441
442 //
443 // Check for the user to not add extra arguments
444 //
445 if (CommandTokens.size() != 3)
446 {
447 ShowMessages("incorrect use of the '%s'\n\n",
448 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
450 return;
451 }
452
453 //
454 // It's just a pid for the process
455 //
456 if (!ConvertTokenToUInt32(CommandTokens.at(2), &TargetPid))
457 {
458 ShowMessages("incorrect process id\n\n");
459 return;
460 }
461 }
462 else if (CompareLowerCaseStrings(CommandTokens.at(1), "name"))
463 {
464 TrueIfProcessIdAndFalseIfProcessName = FALSE;
465 }
466 else
467 {
468 //
469 // Invalid argument for the second parameter to the command
470 //
471 ShowMessages("incorrect use of the '%s'\n\n",
472 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
474 return;
475 }
476
477 //
478 // Enable the transparent mode
479 //
480 if (TrueIfProcessIdAndFalseIfProcessName)
481 {
483 NULL,
484 TRUE);
485 }
486 else
487 {
489 (CHAR *)GetCaseSensitiveStringFromCommandToken(CommandTokens.at(2)).c_str(),
490 FALSE);
491 }
492}
BOOLEAN HyperDbgEnableTransparentMode(UINT32 ProcessId, CHAR *ProcessName, BOOLEAN IsProcessId)
Enable transparent mode.
Definition hide.cpp:382
VOID CommandHideHelp()
help of the !hide command
Definition hide.cpp:27

◆ CommandHw()

VOID CommandHw ( vector< CommandToken > CommandTokens,
string Command )

!hw command handler

Parameters
CommandTokens
Command
Returns
VOID
47{
48 if (CommandTokens.size() >= 2 && CompareLowerCaseStrings(CommandTokens.at(1), "script"))
49 {
50 //
51 // Perform test with default file path and initial BRAM buffer size
52 //
57 }
58 else if (CommandTokens.size() >= 2 &&
59 (CompareLowerCaseStrings(CommandTokens.at(1), "eval") || CompareLowerCaseStrings(CommandTokens.at(1), "evaluation")))
60 {
61 //
62 // Perform test evaluation
63 //
65 }
66 else if (CommandTokens.size() == 2 && CompareLowerCaseStrings(CommandTokens.at(1), "unload"))
67 {
68 //
69 // Unload the script
70 //
72 }
73 else
74 {
75 ShowMessages("incorrect use of the '%s'\n\n",
76 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
78 return;
79 }
80}
#define HWDBG_TEST_WRITE_SCRIPT_BUFFER_PATH
Path to write the sample of the script buffer.
Definition HardwareDebugger.h:48
#define HWDBG_TEST_READ_INSTANCE_INFO_PATH
Path to read the sample of the instance info.
Definition HardwareDebugger.h:42
#define DEFAULT_INITIAL_BRAM_BUFFER_SIZE
Initial default buffer size (BRAN Size).
Definition HardwareDebugger.h:36
VOID CommandHwHelp()
help of the !hw command
Definition hw.cpp:25
BOOLEAN g_HwdbgInstanceInfoIsValid
Shows whether the instance info is valid (received) or not.
Definition globals.h:697
BOOLEAN HwdbgScriptRunScript(const CHAR *Script, const TCHAR *InstanceFilePathToRead, const TCHAR *HardwareScriptFilePathToSave, UINT32 InitialBramBufferSize)
Run script in hwdbg.
Definition hwdbg-scripts.cpp:460
VOID ScriptEngineWrapperTestParserForHwdbg(const string &Expr)
test parser for hwdbg
Definition script-engine-wrapper.cpp:752

◆ CommandHwClk()

VOID CommandHwClk ( vector< CommandToken > CommandTokens,
string Command )

!hw_clk command handler

Parameters
CommandTokens
Command
Returns
VOID
155{
156 if (CommandTokens.size() >= 2)
157 {
158 //
159 // Perform test with default file path and initial BRAM buffer size
160 //
161 CommandHwClkPerformTest(CommandTokens,
166 }
167 else
168 {
169 ShowMessages("incorrect use of the '%s'\n\n",
170 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
172 return;
173 }
174}
#define HWDBG_TEST_WRITE_INSTANCE_INFO_PATH
Path to write the sample of the instance info requests.
Definition HardwareDebugger.h:54
VOID CommandHwClkHelp()
help of the !hw_clk command
Definition hw_clk.cpp:25
BOOLEAN CommandHwClkPerformTest(vector< CommandToken > CommandTokens, const TCHAR *InstanceFilePathToRead, const TCHAR *InstanceFilePathToSave, const TCHAR *HardwareScriptFilePathToSave, UINT32 InitialBramBufferSize)
!hw_clk perform test
Definition hw_clk.cpp:47

◆ CommandI()

VOID CommandI ( vector< CommandToken > CommandTokens,
string Command )

handler of i command

Parameters
CommandTokens
Command
Returns
VOID
57{
58 UINT32 StepCount;
59
60 //
61 // Validate the commands
62 //
63 if (CommandTokens.size() != 1 && CommandTokens.size() != 2)
64 {
65 ShowMessages("incorrect use of the '%s'\n\n",
66 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
68 return;
69 }
70
71 //
72 // Check if we're in VMI mode
73 //
75 {
76 ShowMessages("the instrumentation step-in is only supported in Debugger Mode\n");
77 return;
78 }
79
80 //
81 // Check if the command has a counter parameter
82 //
83 if (CommandTokens.size() == 2)
84 {
85 if (!ConvertTokenToUInt32(CommandTokens.at(1), &StepCount))
86 {
87 ShowMessages("please specify a correct hex value for [count]\n\n");
89 return;
90 }
91 }
92 else
93 {
94 StepCount = 1;
95 }
96
97 //
98 // Check if the remote serial debuggee or user debugger are paused or not
99 //
101 {
102 //
103 // Indicate that we're instrumenting
104 //
106
107 for (SIZE_T i = 0; i < StepCount; i++)
108 {
109 //
110 // For logging purpose
111 //
112 // ShowMessages("percentage : %f %% (%x)\n", 100.0 * (i /
113 // (float)StepCount), i);
114 //
115
116 //
117 // It's stepping over serial connection in kernel debugger
118 //
120
121 if (CompareLowerCaseStrings(CommandTokens.at(0), "ir"))
122 {
123 //
124 // Show registers
125 //
127
128 if (i != StepCount - 1)
129 {
130 ShowMessages("\n");
131 }
132 }
133
134 //
135 // Check if user pressed CTRL+C
136 //
138 {
139 break;
140 }
141 }
142
143 //
144 // We're not instrumenting instructions anymore
145 //
147 }
148 else
149 {
150 ShowMessages("err, stepping (i) is not valid in the current context, you "
151 "should connect to a debuggee\n");
152 }
153}
VOID CommandIHelp()
help of the i command
Definition i.cpp:27
BOOLEAN HyperDbgRegisterShowAll()
handler of r show all registers
Definition r.cpp:354
BOOLEAN SteppingInstrumentationStepIn()
Perform Instrumentation Step-in.
Definition steppings.cpp:26

◆ CommandIdt()

VOID CommandIdt ( vector< CommandToken > CommandTokens,
string Command )

!idt command handler

Parameters
CommandTokens
Command
Returns
VOID
116{
117 UINT32 IdtEntry;
119 BOOLEAN ShowAllEntries = TRUE;
120 UINT64 UsedBaseAddress = NULL;
121
122 //
123 // Check if the command should show all entries or just one entry
124 //
125 if (CommandTokens.size() == 1)
126 {
127 ShowAllEntries = TRUE;
128 }
129 else if (CommandTokens.size() == 2)
130 {
131 ShowAllEntries = FALSE;
132
133 //
134 // Get the IDT entry number
135 //
136 if (ConvertTokenToUInt32(CommandTokens.at(1), &IdtEntry) == FALSE)
137 {
138 ShowMessages("err, invalid IDT entry number\n");
139 return;
140 }
141
142 if (IdtEntry > MAX_NUMBER_OF_IDT_ENTRIES)
143 {
144 ShowMessages("err, invalid IDT entry number\n");
145 return;
146 }
147 }
148 else
149 {
150 ShowMessages("incorrect use of the '%s'\n\n",
151 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
152
154 return;
155 }
156
157 //
158 // Allocate buffer for IDT entry
159 //
161
162 if (IdtPacket == NULL)
163 {
164 ShowMessages("err, allocating buffer for receiving IDT entries");
165 }
166
167 RtlZeroMemory(IdtPacket, sizeof(INTERRUPT_DESCRIPTOR_TABLE_ENTRIES_PACKETS));
168
169 //
170 // Get the IDT buffer
171 //
172 if (HyperDbgGetIdtEntry(IdtPacket) == TRUE)
173 {
174 //
175 // Show (dump) entries
176 //
177 if (ShowAllEntries)
178 {
179 ShowMessages("IDT Entries:\n\n");
180
181 for (UINT32 i = 0; i < MAX_NUMBER_OF_IDT_ENTRIES; i++)
182 {
183 ShowMessages("IDT[0x%x:%d]\t: %s\t",
184 i,
185 i,
186 SeparateTo64BitValue(IdtPacket->IdtEntry[i]).c_str());
187
188 //
189 // Apply addressconversion of settings here
190 //
192 {
193 //
194 // Showing function names here
195 //
196 if (SymbolShowFunctionNameBasedOnAddress(IdtPacket->IdtEntry[i], &UsedBaseAddress))
197 {
198 //
199 // The symbol address is showed (nothing to do)
200 //
201 }
202 }
203
204 ShowMessages("\n");
205 }
206 }
207 else
208 {
209 ShowMessages("IDT[0x%x:%d] : %s\t",
210 IdtEntry,
211 IdtEntry,
212 SeparateTo64BitValue(IdtPacket->IdtEntry[IdtEntry]).c_str());
213
214 //
215 // Apply addressconversion of settings here
216 //
218 {
219 //
220 // Showing function names here
221 //
222 if (SymbolShowFunctionNameBasedOnAddress(IdtPacket->IdtEntry[IdtEntry], &UsedBaseAddress))
223 {
224 //
225 // The symbol address is showed (nothing to do)
226 //
227 }
228
229 ShowMessages("\n");
230 }
231 }
232 }
233
234 //
235 // Deallocate the buffer
236 //
237 free(IdtPacket);
238}
struct _INTERRUPT_DESCRIPTOR_TABLE_ENTRIES_PACKETS INTERRUPT_DESCRIPTOR_TABLE_ENTRIES_PACKETS
The structure of IDT entries result packet in HyperDbg.
#define MAX_NUMBER_OF_IDT_ENTRIES
Maximum number of IDT entries.
Definition RequestStructures.h:1457
string SeparateTo64BitValue(UINT64 Value)
BOOLEAN HyperDbgGetIdtEntry(INTERRUPT_DESCRIPTOR_TABLE_ENTRIES_PACKETS *IdtPacket)
Send IDT entry requests.
Definition idt.cpp:46
VOID CommandIdtHelp()
help of the !idt command
Definition idt.cpp:27
BOOLEAN g_AddressConversion
Whether converting addresses to object names or not.
Definition globals.h:594
UINT64 IdtEntry[MAX_NUMBER_OF_IDT_ENTRIES]
Definition RequestStructures.h:1466
BOOLEAN SymbolShowFunctionNameBasedOnAddress(UINT64 Address, PUINT64 UsedBaseAddress)
shows the functions' name for the disassembler
Definition symbol.cpp:161

◆ CommandInterrupt()

VOID CommandInterrupt ( vector< CommandToken > CommandTokens,
string Command )

!interrupt command handler

Parameters
CommandTokens
Command
Returns
VOID
50{
52 PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger = NULL;
53 PDEBUGGER_GENERAL_ACTION ActionCustomCode = NULL;
54 PDEBUGGER_GENERAL_ACTION ActionScript = NULL;
55 UINT32 EventLength;
56 UINT32 ActionBreakToDebuggerLength = 0;
57 UINT32 ActionCustomCodeLength = 0;
58 UINT32 ActionScriptLength = 0;
59 UINT64 SpecialTarget = 0;
60 BOOLEAN GetEntry = FALSE;
61 DEBUGGER_EVENT_PARSING_ERROR_CAUSE EventParsingErrorCause;
62
63 //
64 // Interpret and fill the general event and action fields
65 //
66 //
68 &CommandTokens,
70 &Event,
71 &EventLength,
72 &ActionBreakToDebugger,
73 &ActionBreakToDebuggerLength,
74 &ActionCustomCode,
75 &ActionCustomCodeLength,
76 &ActionScript,
77 &ActionScriptLength,
78 &EventParsingErrorCause))
79 {
80 return;
81 }
82
83 //
84 // Interpret command specific details (if any)
85 //
86 //
87 for (auto Section : CommandTokens)
88 {
89 if (CompareLowerCaseStrings(Section, "!interrupt"))
90 {
91 continue;
92 }
93 else if (!GetEntry)
94 {
95 //
96 // It's probably an index
97 //
98 if (!ConvertTokenToUInt64(Section, &SpecialTarget))
99 {
100 //
101 // Unknown parameter
102 //
103 ShowMessages("unknown parameter '%s'\n\n",
106
107 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
108 return;
109 }
110 else
111 {
112 //
113 // Check if entry is valid or not
114 //
115 if (!(SpecialTarget >= 32 && SpecialTarget <= 0xff))
116 {
117 //
118 // Entry is invalid (this command is designed for just entries
119 // between 32 to 255)
120 //
121 ShowMessages("the entry should be between 0x20 to 0xFF or the "
122 "entries between 32 to 255\n\n");
124
125 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
126 return;
127 }
128 GetEntry = TRUE;
129 }
130 }
131 else
132 {
133 //
134 // Unknown parameter
135 //
136 ShowMessages("unknown parameter '%s'\n\n",
139
140 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
141 return;
142 }
143 }
144
145 if (SpecialTarget == 0)
146 {
147 //
148 // The user didn't set the target interrupt, even though it's possible to
149 // get all interrupts but it makes the system not responsive so it's wrong
150 // to trigger event on all interrupts and we're not going to support it
151 //
152 ShowMessages("please specify an interrupt index to monitor, HyperDbg "
153 "doesn't support to trigger events on all interrupts because "
154 "it's not reasonable and make the system unresponsive\n");
156
157 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
158 return;
159 }
160
161 //
162 // Set the target interrupt
163 //
164 Event->Options.OptionalParam1 = SpecialTarget;
165
166 //
167 // Send the ioctl to the kernel for event registration
168 //
169 if (!SendEventToKernel(Event, EventLength))
170 {
171 //
172 // There was an error, probably the handle was not initialized
173 // we have to free the Action before exit, it is because, we
174 // already freed the Event and string buffers
175 //
176
177 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
178 return;
179 }
180
181 //
182 // Add the event to the kernel
183 //
184 if (!RegisterActionToEvent(Event,
185 ActionBreakToDebugger,
186 ActionBreakToDebuggerLength,
187 ActionCustomCode,
188 ActionCustomCodeLength,
189 ActionScript,
190 ActionScriptLength))
191 {
192 //
193 // There was an error
194 //
195
196 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
197 return;
198 }
199}
@ EXTERNAL_INTERRUPT_OCCURRED
Definition Events.h:141
VOID CommandInterruptHelp()
help of the !interrupt command
Definition interrupt.cpp:20

◆ CommandIoapic()

VOID CommandIoapic ( vector< CommandToken > CommandTokens,
string Command )

!ioapic command handler

Parameters
CommandTokens
Command
Returns
VOID
195{
196 IO_APIC_ENTRY_PACKETS * IoApicPackets = NULL;
197
198 if (CommandTokens.size() != 1)
199 {
200 ShowMessages("incorrect use of the '%s'\n\n",
201 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
202
204 return;
205 }
206
207 //
208 // Allocate buffer for I/O APIC
209 //
210 IoApicPackets = (IO_APIC_ENTRY_PACKETS *)malloc(sizeof(IO_APIC_ENTRY_PACKETS));
211
212 if (IoApicPackets == NULL)
213 {
214 ShowMessages("err, allocating buffer for receiving I/O APIC");
215 }
216
217 RtlZeroMemory(IoApicPackets, sizeof(IO_APIC_ENTRY_PACKETS));
218
219 //
220 // Get the I/O APIC buffer
221 //
222 if (HyperDbgGetIoApic(IoApicPackets) == TRUE)
223 {
224 //
225 // Show (dump) entries
226 //
227 CommandIoapicShowIoApicEntries(IoApicPackets);
228 }
229
230 //
231 // Deallocate the buffer
232 //
233 free(IoApicPackets);
234}
struct _IO_APIC_ENTRY_PACKETS IO_APIC_ENTRY_PACKETS
The structure of I/O APIC result packet in HyperDbg.
VOID CommandIoapicShowIoApicEntries(IO_APIC_ENTRY_PACKETS *IoApicPackets)
Show I/O APIC.
Definition ioapic.cpp:141
VOID CommandIoapicHelp()
help of the !ioapic command
Definition ioapic.cpp:20
BOOLEAN HyperDbgGetIoApic(IO_APIC_ENTRY_PACKETS *IoApic)
Request to get I/O APIC.
Definition ioapic.cpp:38

◆ CommandIoin()

VOID CommandIoin ( vector< CommandToken > CommandTokens,
string Command )

!ioin command handler

Parameters
CommandTokens
Command
Returns
VOID
49{
51 PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger = NULL;
52 PDEBUGGER_GENERAL_ACTION ActionCustomCode = NULL;
53 PDEBUGGER_GENERAL_ACTION ActionScript = NULL;
54 UINT32 EventLength;
55 UINT32 ActionBreakToDebuggerLength = 0;
56 UINT32 ActionCustomCodeLength = 0;
57 UINT32 ActionScriptLength = 0;
58 UINT64 SpecialTarget = DEBUGGER_EVENT_ALL_IO_PORTS;
59 BOOLEAN GetPort = FALSE;
60 DEBUGGER_EVENT_PARSING_ERROR_CAUSE EventParsingErrorCause;
61
62 //
63 // Interpret and fill the general event and action fields
64 //
66 &CommandTokens,
68 &Event,
69 &EventLength,
70 &ActionBreakToDebugger,
71 &ActionBreakToDebuggerLength,
72 &ActionCustomCode,
73 &ActionCustomCodeLength,
74 &ActionScript,
75 &ActionScriptLength,
76 &EventParsingErrorCause))
77 {
78 return;
79 }
80
81 //
82 // Interpret command specific details (if any)
83 //
84 for (auto Section : CommandTokens)
85 {
86 if (CompareLowerCaseStrings(Section, "!ioin"))
87 {
88 continue;
89 }
90 else if (!GetPort)
91 {
92 //
93 // It's probably an I/O port
94 //
95 if (!ConvertTokenToUInt64(Section, &SpecialTarget))
96 {
97 //
98 // Unknown parameter
99 //
100 ShowMessages("unknown parameter '%s'\n\n",
103
104 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
105 return;
106 }
107 else
108 {
109 GetPort = TRUE;
110 }
111 }
112 else
113 {
114 //
115 // Unknown parameter
116 //
117 ShowMessages("unknown parameter '%s'\n\n",
120
121 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
122 return;
123 }
124 }
125
126 //
127 // Set the target I/O port
128 //
129 Event->Options.OptionalParam1 = SpecialTarget;
130
131 //
132 // Send the ioctl to the kernel for event registration
133 //
134 if (!SendEventToKernel(Event, EventLength))
135 {
136 //
137 // There was an error, probably the handle was not initialized
138 // we have to free the Action before exit, it is because, we
139 // already freed the Event and string buffers
140 //
141
142 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
143 return;
144 }
145
146 //
147 // Add the event to the kernel
148 //
149 if (!RegisterActionToEvent(Event,
150 ActionBreakToDebugger,
151 ActionBreakToDebuggerLength,
152 ActionCustomCode,
153 ActionCustomCodeLength,
154 ActionScript,
155 ActionScriptLength))
156 {
157 //
158 // There was an error
159 //
160
161 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
162 return;
163 }
164}
#define DEBUGGER_EVENT_ALL_IO_PORTS
Apply to all I/O ports.
Definition Constants.h:769
@ IN_INSTRUCTION_EXECUTION
Definition Events.h:134
VOID CommandIoinHelp()
help of the !ioin command
Definition ioin.cpp:20

◆ CommandIoout()

VOID CommandIoout ( vector< CommandToken > CommandTokens,
string Command )

!ioout command handler

Parameters
CommandTokens
Command
Returns
VOID
49{
51 PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger = NULL;
52 PDEBUGGER_GENERAL_ACTION ActionCustomCode = NULL;
53 PDEBUGGER_GENERAL_ACTION ActionScript = NULL;
54 UINT32 EventLength;
55 UINT32 ActionBreakToDebuggerLength = 0;
56 UINT32 ActionCustomCodeLength = 0;
57 UINT32 ActionScriptLength = 0;
58 UINT64 SpecialTarget = DEBUGGER_EVENT_ALL_IO_PORTS;
59 BOOLEAN GetPort = FALSE;
60 DEBUGGER_EVENT_PARSING_ERROR_CAUSE EventParsingErrorCause;
61
62 //
63 // Interpret and fill the general event and action fields
64 //
65 //
67 &CommandTokens,
69 &Event,
70 &EventLength,
71 &ActionBreakToDebugger,
72 &ActionBreakToDebuggerLength,
73 &ActionCustomCode,
74 &ActionCustomCodeLength,
75 &ActionScript,
76 &ActionScriptLength,
77 &EventParsingErrorCause))
78 {
79 return;
80 }
81
82 //
83 // Interpret command specific details (if any)
84 //
85 //
86 for (auto Section : CommandTokens)
87 {
88 if (CompareLowerCaseStrings(Section, "!ioout"))
89 {
90 continue;
91 }
92 else if (!GetPort)
93 {
94 //
95 // It's probably an I/O port
96 //
97 if (!ConvertTokenToUInt64(Section, &SpecialTarget))
98 {
99 //
100 // Unknown parameter
101 //
102 ShowMessages("unknown parameter '%s'\n\n",
105
106 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
107 return;
108 }
109 else
110 {
111 GetPort = TRUE;
112 }
113 }
114 else
115 {
116 //
117 // Unknown parameter
118 //
119 ShowMessages("unknown parameter '%s'\n\n",
122
123 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
124 return;
125 }
126 }
127
128 //
129 // Set the target I/O port
130 //
131 Event->Options.OptionalParam1 = SpecialTarget;
132
133 //
134 // Send the ioctl to the kernel for event registration
135 //
136 if (!SendEventToKernel(Event, EventLength))
137 {
138 //
139 // There was an error, probably the handle was not initialized
140 // we have to free the Action before exit, it is because, we
141 // already freed the Event and string buffers
142 //
143
144 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
145 return;
146 }
147
148 //
149 // Add the event to the kernel
150 //
151 if (!RegisterActionToEvent(Event,
152 ActionBreakToDebugger,
153 ActionBreakToDebuggerLength,
154 ActionCustomCode,
155 ActionCustomCodeLength,
156 ActionScript,
157 ActionScriptLength))
158 {
159 //
160 // There was an error
161 //
162
163 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
164 return;
165 }
166}
@ OUT_INSTRUCTION_EXECUTION
Definition Events.h:135
VOID CommandIooutHelp()
help of the !ioout command
Definition ioout.cpp:20

◆ CommandK()

VOID CommandK ( vector< CommandToken > CommandTokens,
string Command )

k command handler

Parameters
CommandTokens
Command
Returns
VOID
57{
58 UINT64 BaseAddress = NULL; // Null base address means current RSP register
59 UINT32 Length = PAGE_SIZE; // Default length
60 BOOLEAN IsFirstCommand = TRUE;
61 BOOLEAN IsNextBase = FALSE;
62 BOOLEAN IsNextLength = FALSE;
63
64 if (CommandTokens.size() >= 6)
65 {
66 ShowMessages("incorrect use of the '%s'\n\n",
67 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
69 return;
70 }
71
73 {
74 ShowMessages("err, tracing callstack is not possible when you're not "
75 "connected to a debuggee\n");
76 return;
77 }
78
79 //
80 // Set the default length
81 //
83 {
84 Length = PAGE_SIZE;
85 }
86 else
87 {
88 Length = PAGE_SIZE * 2;
89 }
90
91 for (auto Section : CommandTokens)
92 {
93 if (IsFirstCommand)
94 {
95 IsFirstCommand = FALSE;
96 continue;
97 }
98 if (IsNextBase == TRUE)
99 {
101 &BaseAddress))
102 {
103 //
104 // Couldn't resolve or unknown parameter
105 //
106 ShowMessages("err, couldn't resolve error at '%s'\n",
108 return;
109 }
110
111 IsNextBase = FALSE;
112 continue;
113 }
114
115 if (IsNextLength == TRUE)
116 {
117 if (!ConvertTokenToUInt32(Section, &Length))
118 {
119 ShowMessages("err, you should enter a valid length\n\n");
120 return;
121 }
122 IsNextLength = FALSE;
123 continue;
124 }
125
126 if (CompareLowerCaseStrings(Section, "l"))
127 {
128 IsNextLength = TRUE;
129 continue;
130 }
131
132 if (CompareLowerCaseStrings(Section, "base"))
133 {
134 IsNextBase = TRUE;
135 continue;
136 }
137
138 //
139 // User inserts unexpected input
140 //
141 ShowMessages("err, incorrect use of the '%s' command\n\n",
142 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
143 CommandKHelp();
144
145 return;
146 }
147
148 if (IsNextLength || IsNextBase)
149 {
150 ShowMessages("incorrect use of the '%s' command\n\n",
151 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
152 CommandKHelp();
153 return;
154 }
155
156 //
157 // Send callstack request
158 //
159
160 if (CompareLowerCaseStrings(CommandTokens.at(0), "k"))
161 {
163 Length,
166 }
167 else if (CompareLowerCaseStrings(CommandTokens.at(0), "kq"))
168 {
170 Length,
172 FALSE);
173 }
174 else if (CompareLowerCaseStrings(CommandTokens.at(0), "kd"))
175 {
177 Length,
179 TRUE);
180 }
181}
@ DEBUGGER_CALLSTACK_DISPLAY_METHOD_WITHOUT_PARAMS
Definition RequestStructures.h:833
@ DEBUGGER_CALLSTACK_DISPLAY_METHOD_WITH_PARAMS
Definition RequestStructures.h:834
VOID CommandKHelp()
help of the k command
Definition k.cpp:26
BOOLEAN KdSendCallStackPacketToDebuggee(UINT64 BaseAddress, UINT32 Size, DEBUGGER_CALLSTACK_DISPLAY_METHOD DisplayMethod, BOOLEAN Is32Bit)
Send a callstack request to the debuggee.
Definition kd.cpp:348

◆ CommandKill()

VOID CommandKill ( vector< CommandToken > CommandTokens,
string Command )

.kill command handler

Parameters
CommandTokens
Command
Returns
VOID
43{
44 if (CommandTokens.size() != 1)
45 {
46 ShowMessages("incorrect use of the '%s'\n\n",
47 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
49 return;
50 }
51
53 {
54 //
55 // Kill the current active process
56 //
58 {
59 ShowMessages("process does not exists, is it already terminated?\n");
60 }
61 }
63 {
65 {
66 ShowMessages("process does not exists, is it already terminated?\n");
67 }
68
69 //
70 // No longer the last process exists
71 //
73 }
74 else
75 {
76 ShowMessages("nothing to terminate!\n");
77 return;
78 }
79}
VOID CommandKillHelp()
help of the .kill command
Definition kill.cpp:26
UINT32 g_ProcessIdOfLatestStartingProcess
The process id of the latest starting process.
Definition globals.h:378
BOOLEAN UdKillProcess(UINT32 TargetPid)
Kill the target process from kernel.
Definition ud.cpp:688

◆ CommandLbr()

VOID CommandLbr ( vector< CommandToken > CommandTokens,
string Command )

!lbr command handler

Parameters
CommandTokens
Command
Returns
VOID
330{
331 HYPERTRACE_LBR_OPERATION_PACKETS LbrRequest = {0};
332 BOOLEAN ParseResult = FALSE;
333
334 if (CommandTokens.size() == 1)
335 {
336 ShowMessages("incorrect use of the '%s'\n\n",
337 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
339 return;
340 }
341
342 //
343 // Dispatch to the appropriate parser based on the subcommand
344 //
345 if (CompareLowerCaseStrings(CommandTokens.at(1), "enable") ||
346 CompareLowerCaseStrings(CommandTokens.at(1), "disable") ||
347 CompareLowerCaseStrings(CommandTokens.at(1), "flush"))
348 {
349 ParseResult = CommandLbrParseSimpleOperation(CommandTokens, &LbrRequest);
350 }
351 else if (CompareLowerCaseStrings(CommandTokens.at(1), "filter"))
352 {
353 ParseResult = CommandLbrParseFilterOperation(CommandTokens, &LbrRequest);
354 }
355 else
356 {
357 ParseResult = FALSE;
358 }
359
360 if (!ParseResult)
361 {
362 ShowMessages("incorrect use of the '%s'\n\n",
363 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
365 return;
366 }
367
368 //
369 // Check if the HyperTrace module is loaded, as it is required for LBR operations
370 //
372
373 //
374 // Send the LBR operation request
375 //
376 if (CommandLbrSendRequest(&LbrRequest))
377 {
378 CommandLbrShowSuccessMessage(&LbrRequest);
379 }
380 else
381 {
382 ShowErrorMessage(LbrRequest.KernelStatus);
383 }
384}
struct _HYPERTRACE_LBR_OPERATION_PACKETS HYPERTRACE_LBR_OPERATION_PACKETS
The structure of HyperTrace LBR result packet in HyperDbg.
BOOLEAN ShowErrorMessage(UINT32 Error)
shows the error message
Definition debugger.cpp:40
BOOLEAN CommandLbrSendRequest(HYPERTRACE_LBR_OPERATION_PACKETS *LbrRequest)
Send LBR requests.
Definition lbr.cpp:79
BOOLEAN CommandLbrParseSimpleOperation(vector< CommandToken > CommandTokens, HYPERTRACE_LBR_OPERATION_PACKETS *LbrRequest)
Parses simple (no-argument) LBR operations: enable, disable, flush.
Definition lbr.cpp:138
VOID CommandLbrHelp()
help of the !lbr command
Definition lbr.cpp:26
BOOLEAN CommandLbrParseFilterOperation(vector< CommandToken > CommandTokens, HYPERTRACE_LBR_OPERATION_PACKETS *LbrRequest)
Parses the LBR filter operation and accumulates filter option flags.
Definition lbr.cpp:200
VOID CommandLbrShowSuccessMessage(const HYPERTRACE_LBR_OPERATION_PACKETS *LbrRequest)
Displays the success message appropriate for the completed LBR operation.
Definition lbr.cpp:298
#define ASSERT_MESSAGE_HYPERTRACE_NOT_LOADED
Definition common.h:33
#define AssertShowMessageReturnStmt(expr1, expr2, message1, message2, rc)
Definition common.h:59
#define AssertReturn
Definition common.h:19
#define ASSERT_MESSAGE_DRIVER_NOT_LOADED
Definition common.h:27
BOOLEAN g_IsHyperTraceModuleLoaded
shows whether the HyperTrace module is loaded or not
Definition lbrdump.cpp:19
UINT32 KernelStatus
Definition RequestStructures.h:1305

◆ CommandLbrdump()

VOID CommandLbrdump ( vector< CommandToken > CommandTokens,
string Command )

!lbrdump command handler

Parameters
CommandTokens
Command
Returns
VOID
241{
242 HYPERTRACE_LBR_DUMP_PACKETS LbrdumpRequest = {0};
243 UINT32 CoreId = 0;
244 BOOLEAN ContinueDumpingAllCores = TRUE;
245
246 if (CommandTokens.size() != 1 && CommandTokens.size() != 3)
247 {
248 ShowMessages("incorrect use of the '%s'\n\n",
249 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
251 return;
252 }
253
254 //
255 // Check if the HyperTrace module is loaded, as it is required for LBR operations
256 //
258
259 if (CommandTokens.size() == 3)
260 {
261 if (CompareLowerCaseStrings(CommandTokens.at(1), "core"))
262 {
263 if (!ConvertTokenToUInt32(CommandTokens.at(2), &CoreId))
264 {
265 //
266 // Unknown parameter
267 //
268 ShowMessages("unknown parameter '%s'\n\n",
269 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
271
272 return;
273 }
274 }
275 else
276 {
277 ShowMessages("incorrect use of the '%s'\n\n",
278 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
280 return;
281 }
282 }
283 else
284 {
285 //
286 // If no core is specified, we can set the CoreId to a special value (e.g., 0xFFFFFFFF) to indicate that the dump should be performed for all cores
287 //
289 }
290
291 //
292 // If the CoreId is set to the special value for dumping all cores,
293 // we can set it to 0 to start dumping from the first core and rely on the NextCoreIsValid flag
294 // in the dump request structure to indicate whether there are more cores to be dumped or not in
295 // the driver response
296 //
297 if (CoreId == HYPERTRACE_LBR_DUMP_ALL_CORES)
298 {
299 LbrdumpRequest.CoreId = 0;
300 }
301 else
302 {
303 LbrdumpRequest.CoreId = CoreId;
304 }
305
306 while (ContinueDumpingAllCores)
307 {
308 //
309 // Send the LBR dump request
310 //
311 if (HyperDbgLbrdumpSendRequest(&LbrdumpRequest))
312 {
314 {
315 //
316 // Show entries of the LBR stack in the request structure which are filled by the driver in response to the dump request
317 //
318 CommandLbrdumpPrint(&LbrdumpRequest);
319
320 if (CoreId == HYPERTRACE_LBR_DUMP_ALL_CORES && LbrdumpRequest.NextCoreIsValid)
321 {
322 //
323 // If the NextCoreIsValid flag is set, it means there are more cores to be
324 // dumped in the case of dumping all cores, so we can update the CoreId
325 // in the dump request structure to the next core number for the next
326 // iteration of dumping
327 //
328 LbrdumpRequest.CoreId++;
329 }
330 else
331 {
332 //
333 // If the NextCoreIsValid flag is not set, it means there are no more
334 // cores to be dumped in the case of dumping all cores, so we can break the loop
335 //
336 ContinueDumpingAllCores = FALSE;
337 }
338 }
339 else
340 {
341 ShowErrorMessage(LbrdumpRequest.KernelStatus);
342 break;
343 }
344 }
345 else
346 {
347 ShowMessages("failed to send LBR dump request\n");
348 break;
349 }
350 }
351}
#define DEBUGGER_OPERATION_WAS_SUCCESSFUL
General value to indicate that the operation or request was successful.
Definition ErrorCodes.h:23
struct _HYPERTRACE_LBR_DUMP_PACKETS HYPERTRACE_LBR_DUMP_PACKETS
The structure of HyperTrace LBR dump result packet in HyperDbg.
#define HYPERTRACE_LBR_DUMP_ALL_CORES
In the case of dumping all cores, this value is used to specify that all cores should be dumped.
Definition RequestStructures.h:1337
VOID CommandLbrdumpHelp()
help of the !lbrdump command
Definition lbrdump.cpp:82
VOID CommandLbrdumpPrint(HYPERTRACE_LBR_DUMP_PACKETS *LbrdumpRequest)
Print collected LBR branches.
Definition lbrdump.cpp:153
BOOLEAN HyperDbgLbrdumpSendRequest(HYPERTRACE_LBR_DUMP_PACKETS *LbrdumpRequest)
Send LBR dump requests.
Definition lbrdump.cpp:29
BOOLEAN NextCoreIsValid
Definition RequestStructures.h:1325
UINT32 KernelStatus
Definition RequestStructures.h:1329
UINT32 CoreId
Definition RequestStructures.h:1324

◆ CommandListen()

VOID CommandListen ( vector< CommandToken > CommandTokens,
string Command )

listen command handler

Parameters
CommandTokens
Command
Returns
VOID
55{
56 string Port;
57
58 if (CommandTokens.size() >= 3)
59 {
60 //
61 // Means that user entered invalid parameters
62 //
63 ShowMessages("incorrect use of the '%s'\n\n",
64 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
66 return;
67 }
68
71 {
72 ShowMessages("you're connected to a debugger, please use '.disconnect' "
73 "command\n");
74 return;
75 }
76
77 //
78 // Check to avoid using this command in debugger-mode
79 //
81 {
82 ShowMessages("you're connected to a an instance of HyperDbg, please use "
83 "'.debug close' command\n");
84 return;
85 }
86
87 if (CommandTokens.size() == 1)
88 {
89 //
90 // listen on default port
91 //
92 ShowMessages("listening on %s ...\n", DEFAULT_PORT);
94
95 return;
96 }
97 else if (CommandTokens.size() == 2)
98 {
99 Port = GetCaseSensitiveStringFromCommandToken(CommandTokens.at(1));
100
101 //
102 // means that probably wants to listen
103 // on a specific port, let's see if the
104 // port is valid or not
105 //
106 if (!IsNumber(Port) || stoi(Port) > 65535 || stoi(Port) < 0)
107 {
108 ShowMessages("incorrect port\n");
109 return;
110 }
111
112 //
113 // listen on the port
114 //
115 ShowMessages("listening on %s ...\n", Port.c_str());
116 RemoteConnectionListen(Port.c_str());
117 }
118 else
119 {
120 ShowMessages("incorrect use of the '%s'\n\n",
121 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
123 return;
124 }
125}
#define DEFAULT_PORT
default port of HyperDbg for listening by debuggee (server, guest)
Definition Constants.h:331
VOID CommandListenHelp()
help of the listen command
Definition listen.cpp:29
VOID RemoteConnectionListen(PCSTR Port)
Listen of a port and wait for a client connection.
Definition remote-connection.cpp:40

◆ CommandLm()

VOID CommandLm ( vector< CommandToken > CommandTokens,
string Command )

handle lm command

Parameters
CommandTokens
Command
Returns
VOID
359{
360 BOOLEAN SetPid = FALSE;
361 BOOLEAN SetSearchFilter = FALSE;
362 BOOLEAN SearchStringEntered = FALSE;
363 BOOLEAN OnlyShowKernelModules = FALSE;
364 BOOLEAN OnlyShowUserModules = FALSE;
365 UINT32 TargetPid = NULL;
366 CHAR Search[MAX_PATH] = {0};
367 CHAR * SearchString = NULL;
368
369 //
370 // Interpret command specific details (if any)
371 //
372 for (auto Section : CommandTokens)
373 {
374 if (CompareLowerCaseStrings(Section, "lm"))
375 {
376 continue;
377 }
378 else if (CompareLowerCaseStrings(Section, "pid") && !SetPid)
379 {
380 SetPid = TRUE;
381 }
382 else if (CompareLowerCaseStrings(Section, "m") && !SetSearchFilter)
383 {
384 SetSearchFilter = TRUE;
385 }
386 else if (SetPid)
387 {
388 if (!ConvertTokenToUInt32(Section, &TargetPid))
389 {
390 //
391 // couldn't resolve or unknown parameter
392 //
393 ShowMessages("err, couldn't resolve error at '%s'\n\n",
396 return;
397 }
398 SetPid = FALSE;
399 }
400 else if (SetSearchFilter)
401 {
402 if (GetCaseSensitiveStringFromCommandToken(Section).length() >= MAX_PATH)
403 {
404 ShowMessages("err, string is too large for search, please enter "
405 "smaller string\n");
406
407 return;
408 }
409
410 SearchStringEntered = TRUE;
411 strcpy(Search, GetLowerStringFromCommandToken(Section).c_str());
412
413 SetSearchFilter = FALSE;
414 }
415 else if (CompareLowerCaseStrings(Section, "km"))
416 {
417 if (OnlyShowUserModules)
418 {
419 ShowMessages("err, you cannot use both 'um', and 'km', by default "
420 "HyperDbg shows both user-mode and kernel-mode modules\n");
421 return;
422 }
423
424 OnlyShowKernelModules = TRUE;
425 }
426 else if (CompareLowerCaseStrings(Section, "um"))
427 {
428 if (OnlyShowKernelModules)
429 {
430 ShowMessages("err, you cannot use both 'um', and 'km', by default "
431 "HyperDbg shows both user-mode and kernel-mode modules\n");
432 return;
433 }
434
435 OnlyShowUserModules = TRUE;
436 }
437 else
438 {
439 //
440 // Unknown parameter
441 //
442 ShowMessages("err, couldn't resolve error at '%s'\n\n",
445 return;
446 }
447 }
448
449 if (SetPid)
450 {
451 ShowMessages("err, please enter a valid process id in hex format, "
452 "or if you want to use it in decimal format, add '0n' "
453 "prefix to the number\n");
454 return;
455 }
456
457 if (SetSearchFilter)
458 {
459 ShowMessages("err, please enter a valid string to search in modules\n");
460 return;
461 }
462
463 //
464 // Check if we have string to search
465 //
466 if (SearchStringEntered)
467 {
468 SearchString = Search;
469 }
470
471 //
472 // Show user mode modules
473 //
474 if (!OnlyShowKernelModules)
475 {
476 if (TargetPid != NULL)
477 {
478 CommandLmShowUserModeModule(TargetPid, SearchString);
479 }
480 else if (g_ActiveProcessDebuggingState.IsActive)
481 {
483 }
484 else
485 {
486 CommandLmShowUserModeModule(GetCurrentProcessId(), SearchString);
487 }
488 }
489
490 //
491 // Show kernel mode modules
492 //
493 if (!OnlyShowUserModules)
494 {
495 if (!OnlyShowKernelModules)
496 {
497 ShowMessages("\n==============================================================================\n\n");
498 }
499
500 CommandLmShowKernelModeModule(SearchString);
501 }
502}
VOID CommandLmHelp()
help of the lm command
Definition lm.cpp:28
BOOLEAN CommandLmShowUserModeModule(UINT32 ProcessId, const CHAR *SearchModule)
show modules for specified user mode process
Definition lm.cpp:84
BOOLEAN CommandLmShowKernelModeModule(const CHAR *SearchModule)
show modules for kernel mode
Definition lm.cpp:275

◆ CommandLoad()

VOID CommandLoad ( vector< CommandToken > CommandTokens,
string Command )

load command handler

Parameters
CommandTokens
Command
Returns
VOID
51{
52 if (CommandTokens.size() != 2)
53 {
54 ShowMessages("incorrect use of the '%s'\n\n",
55 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
57 return;
58 }
59
61 {
62 ShowMessages("you're not connected to any instance of HyperDbg, did you "
63 "use '.connect'? \n");
64 return;
65 }
66
67 //
68 // Check for the module
69 //
70 if (CompareLowerCaseStrings(CommandTokens.at(1), "all") || CompareLowerCaseStrings(CommandTokens.at(1), "."))
71 {
72 //
73 // Load aa Modules
74 //
75 ShowMessages("loading the all modules\n");
76
78 {
79 ShowMessages("failed to install or load drivers\n");
80 return;
81 }
82
83 //
84 // If in vmi-mode then initialize and load symbols (pdb)
85 // for previously downloaded symbols
86 // When the VMM module is loaded, we use the current
87 // process (HyperDbg's process) as the base for user-mode
88 // symbols
89 //
90 SymbolLocalReload(GetCurrentProcessId());
91 }
92 else if (CompareLowerCaseStrings(CommandTokens.at(1), "vmm") ||
93 CompareLowerCaseStrings(CommandTokens.at(1), "vm"))
94 {
95 //
96 // Check to make sure that the driver is not already loaded
97 //
99 {
100 ShowMessages("the vmm module is already running, if you use 'load' before, please "
101 "first unload it using the 'unload' command\n");
102 return;
103 }
104
105 //
106 // Load the VMM Module
107 //
108 ShowMessages("loading the vmm module\n");
109
111 {
112 ShowMessages("failed to install or load the driver\n");
113 return;
114 }
115
116 //
117 // If in vmi-mode then initialize and load symbols (pdb)
118 // for previously downloaded symbols
119 // When the VMM module is loaded, we use the current
120 // process (HyperDbg's process) as the base for user-mode
121 // symbols
122 //
123 SymbolLocalReload(GetCurrentProcessId());
124 }
125 else if (CompareLowerCaseStrings(CommandTokens.at(1), "trace") ||
126 CompareLowerCaseStrings(CommandTokens.at(1), "hypertrace"))
127 {
128 //
129 // Check to make sure that the driver is not already loaded
130 //
132 {
133 ShowMessages("the trace module is already running, if you use 'load' before, please "
134 "first unload it using the 'unload' command\n");
135 return;
136 }
137
138 //
139 // Load the HyperTrace Module
140 //
141 ShowMessages("loading the trace module\n");
142
144 {
145 ShowMessages("failed to install or load the driver\n");
146 return;
147 }
148 }
149 else if (CompareLowerCaseStrings(CommandTokens.at(1), "kd") ||
150 CompareLowerCaseStrings(CommandTokens.at(1), "dbg") ||
151 CompareLowerCaseStrings(CommandTokens.at(1), "debugger") ||
152 CompareLowerCaseStrings(CommandTokens.at(1), "debug") ||
153 CompareLowerCaseStrings(CommandTokens.at(1), "kerneldebugger") ||
154 CompareLowerCaseStrings(CommandTokens.at(1), "kerneldebug"))
155 {
156 //
157 // Check to make sure that the driver is not already loaded
158 //
160 {
161 ShowMessages("the kd module is already running, if you use 'load' before, please "
162 "first unload it using the 'unload' command\n");
163 return;
164 }
165
166 //
167 // Load the KD Module
168 //
169 ShowMessages("loading the kd module\n");
170
172 {
173 ShowMessages("failed to install or load the driver\n");
174 return;
175 }
176 }
177 else
178 {
179 //
180 // Module not found
181 //
182 ShowMessages("err, module not found\n");
183 }
184}
INT HyperDbgLoadAllModules()
load all modules (KD, VMM, HyperTrace, etc.)
Definition libhyperdbg.cpp:908
BOOLEAN g_IsKdModuleLoaded
shows whether the kernel debugger (KD) module is loaded or not
Definition globals.h:22
INT HyperDbgInstallKdDriver()
Install KD (Kernel Debugger) driver.
Definition libhyperdbg.cpp:81
INT HyperDbgLoadHyperTraceModule()
load hypertrace module
Definition libhyperdbg.cpp:838
INT HyperDbgLoadVmmModule()
load vmm module
Definition libhyperdbg.cpp:749
BOOLEAN g_IsVmmModuleLoaded
shows whether the VMM module is loaded or not
Definition globals.h:28
INT HyperDbgLoadKdModule()
load kd module
Definition libhyperdbg.cpp:665
VOID CommandLoadHelp()
help of the load command
Definition load.cpp:28
BOOLEAN SymbolLocalReload(UINT32 UserProcessId)
Locally reload the symbol table.
Definition symbol.cpp:49

◆ CommandLogclose()

VOID CommandLogclose ( vector< CommandToken > CommandTokens,
string Command )

.logclose command handler

Parameters
CommandTokens
Command
Returns
VOID
43{
44 if (CommandTokens.size() != 1)
45 {
46 ShowMessages("incorrect use of the '%s'\n\n",
47 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
49 return;
50 }
51 if (!g_LogOpened)
52 {
53 ShowMessages("there is no opened log, did you use '.logopen'? \n");
54 return;
55 }
56
57 //
58 // Show the time and message before close
59 //
60 time_t t = time(NULL);
61 struct tm tm = *localtime(&t);
62 ShowMessages("log file closed (%d-%02d-%02d "
63 "%02d:%02d:%02d)\n",
64 tm.tm_year + 1900,
65 tm.tm_mon + 1,
66 tm.tm_mday,
67 tm.tm_hour,
68 tm.tm_min,
69 tm.tm_sec);
70 //
71 // close the file
72 //
73 g_LogOpenFile.close();
74
75 //
76 // Globally indicate that file is no longer available
77 //
79}
ofstream g_LogOpenFile
The object of log file ('.logopen' command).
Definition globals.h:494
VOID CommandLogcloseHelp()
help .logclose command
Definition logclose.cpp:26
BOOLEAN g_LogOpened
Shows whether the '.logopen' command is executed and the log file is open or not.
Definition globals.h:488

◆ CommandLogopen()

VOID CommandLogopen ( vector< CommandToken > CommandTokens,
string Command )

.logopen command handler

Parameters
CommandTokens
Command
Returns
VOID
49{
50 if (CommandTokens.size() != 2)
51 {
52 ShowMessages("incorrect use of the '%s'\n\n",
53 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
55 return;
56 }
57
58 if (g_LogOpened)
59 {
60 ShowMessages("log was opened previously, you have the close it first "
61 "(using .logclose)\n");
62 return;
63 }
64
65 //
66 // Try to open it as file
67 //
68 g_LogOpenFile.open(GetCaseSensitiveStringFromCommandToken(CommandTokens.at(1)).c_str());
69
70 //
71 // Check if it's okay
72 //
73 if (g_LogOpenFile.is_open())
74 {
75 //
76 // Start intercepting logs
77 //
79
80 //
81 // Enable save to the file (Message + time)
82 //
83 time_t t = time(NULL);
84 struct tm tm = *localtime(&t);
85
86 ShowMessages("save commands and results into file : %s (%d-%02d-%02d "
87 "%02d:%02d:%02d)\n",
88 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(1)).c_str(),
89 tm.tm_year + 1900,
90 tm.tm_mon + 1,
91 tm.tm_mday,
92 tm.tm_hour,
93 tm.tm_min,
94 tm.tm_sec);
95 }
96 else
97 {
98 ShowMessages("unable to open file : %s\n", GetCaseSensitiveStringFromCommandToken(CommandTokens.at(1)).c_str());
99 return;
100 }
101}
VOID CommandLogopenHelp()
help of the .logopen command
Definition logopen.cpp:28

◆ CommandMeasure()

VOID CommandMeasure ( vector< CommandToken > CommandTokens,
string Command )

!measure command handler

Parameters
CommandTokens
Command
Returns
VOID
57{
58 BOOLEAN DefaultMode = FALSE;
59
60 ShowMessages("This command is deprecated, you should not use it anymore!\n");
61 return;
62
63 if (CommandTokens.size() >= 3)
64 {
65 ShowMessages("incorrect use of the '%s'\n\n",
66 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
68 return;
69 }
70
71 if (CommandTokens.size() == 2 && !CompareLowerCaseStrings(CommandTokens.at(1), "default"))
72 {
73 ShowMessages("incorrect use of the '%s'\n\n",
74 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
76 return;
77 }
78 else if (CommandTokens.size() == 2 &&
79 CompareLowerCaseStrings(CommandTokens.at(1), "default"))
80 {
81 DefaultMode = TRUE;
82 }
83
84 //
85 // Check if debugger is loaded or not
86 //
87 if (g_DeviceHandle && !DefaultMode)
88 {
89 ShowMessages(
90 "Debugger is loaded and your machine is already in a hypervisor, you "
91 "should measure the times before 'load'-ing the debugger, please "
92 "'unload' the debugger and use '!measure' again or use '!measure "
93 "default' to use hardcoded measurements\n");
94 return;
95 }
96
97 if (!DefaultMode)
98 {
103 {
104 ShowMessages(
105 "we detected that there is a hypervisor, on your system, it "
106 "leads to wrong measurement results for our transparent-mode, please "
107 "make sure that you're not in a hypervisor then measure the result "
108 "again; otherwise the transparent-mode will not work but you can use "
109 "'!measure default' to use the hardcoded measurements !\n\n");
110
111 return;
112 }
113
118 {
119 ShowMessages(
120 "we detected that there is a hypervisor, on your system, it "
121 "leads to wrong measurement results for our transparent-mode, please "
122 "make sure that you're not in a hypervisor then measure the result "
123 "again; otherwise the transparent-mode will not work but you can use "
124 "'!measure default' to use the hardcoded measurements !\n\n");
125
126 return;
127 }
128 }
129 else
130 {
131 //
132 // It's a default mode
133 //
134
135 //
136 // Default values for cpuid
137 //
138 g_CpuidAverage = 0x5f;
140 g_CpuidMedian = 0x5f;
141
142 //
143 // Default values for rdtsc/p
144 //
145 g_RdtscAverage = 0x16;
147 g_RdtscMedian = 0x16;
148 }
149
150 ShowMessages("the measurements were successful\nyou can use the '!hide' command now\n");
151
152 //
153 // Indicate that the measurements was successful
154 //
156}
UINT64 g_CpuidStandardDeviation
The standard deviation calculated from the measurements of cpuid '!measure' command.
Definition globals.h:542
UINT64 g_RdtscAverage
The average calculated from the measurements of rdtsc/p '!measure' command.
Definition globals.h:554
VOID CommandMeasureHelp()
help of the !measure command
Definition measure.cpp:33
UINT64 g_RdtscMedian
The median calculated from the measurements of rdtsc/p '!measure' command.
Definition globals.h:566
BOOLEAN g_TransparentResultsMeasured
Shows whether the user executed and mesaured '!measure' command or not, it is because we want to use ...
Definition globals.h:530
UINT64 g_CpuidMedian
The median calculated from the measurements of cpuid '!measure' command.
Definition globals.h:548
UINT64 g_RdtscStandardDeviation
The standard deviation calculated from the measurements of rdtsc/p '!measure' command.
Definition globals.h:560
UINT64 g_CpuidAverage
The average calculated from the measurements of cpuid '!measure' command.
Definition globals.h:536
BOOLEAN TransparentModeCheckRdtscpVmexit(UINT64 *Average, UINT64 *StandardDeviation, UINT64 *Median)
compute the average, standard deviation and median if rdtsc+rdtsc
Definition transparency.cpp:212
BOOLEAN TransparentModeCheckHypervisorPresence(UINT64 *Average, UINT64 *StandardDeviation, UINT64 *Median)
compute the average, standard deviation and median if rdtsc+cpuid+rdtsc
Definition transparency.cpp:182

◆ CommandMode()

VOID CommandMode ( vector< CommandToken > CommandTokens,
string Command )

!mode command handler

Parameters
CommandTokens
Command
Returns
VOID
50{
52 PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger = NULL;
53 PDEBUGGER_GENERAL_ACTION ActionCustomCode = NULL;
54 PDEBUGGER_GENERAL_ACTION ActionScript = NULL;
55 UINT32 EventLength;
56 UINT32 ActionBreakToDebuggerLength = 0;
57 UINT32 ActionCustomCodeLength = 0;
58 UINT32 ActionScriptLength = 0;
59 DEBUGGER_EVENT_PARSING_ERROR_CAUSE EventParsingErrorCause;
60 BOOLEAN SetMode = FALSE;
62
63 //
64 // Interpret and fill the general event and action fields
65 //
66 //
68 &CommandTokens,
70 &Event,
71 &EventLength,
72 &ActionBreakToDebugger,
73 &ActionBreakToDebuggerLength,
74 &ActionCustomCode,
75 &ActionCustomCodeLength,
76 &ActionScript,
77 &ActionScriptLength,
78 &EventParsingErrorCause))
79 {
80 return;
81 }
82
83 //
84 // Check here to make sure that the user didn't specified the calling stages for this mode change execution trap
85 //
87 {
88 ShowMessages("the utilization of 'post' or 'all' event calling stages is not meaningful "
89 "for the mode (user-mode/kernel-mode) change traps; therefore, this command does not support them\n");
90
91 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
92 return;
93 }
94
95 //
96 // Check for size
97 //
98 if (CommandTokens.size() > 2)
99 {
100 ShowMessages("incorrect use of the '%s'\n\n",
101 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
102
104
105 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
106 return;
107 }
108
109 //
110 // Interpret command specific details (if any)
111 //
112 for (auto Section : CommandTokens)
113 {
114 if (CompareLowerCaseStrings(Section, "!mode"))
115 {
116 continue;
117 }
118 else if (CompareLowerCaseStrings(Section, "u") && !SetMode)
119 {
120 TargetInterceptionMode = DEBUGGER_EVENT_MODE_TYPE_USER_MODE;
121 SetMode = TRUE;
122 }
123 else if (CompareLowerCaseStrings(Section, "k") && !SetMode)
124 {
125 TargetInterceptionMode = DEBUGGER_EVENT_MODE_TYPE_KERNEL_MODE;
126 SetMode = TRUE;
127 }
128 else if ((CompareLowerCaseStrings(Section, "uk") || CompareLowerCaseStrings(Section, "ku")) && !SetMode)
129 {
131 SetMode = TRUE;
132 }
133 else
134 {
135 //
136 // Couldn't resolve or unknown parameter
137 //
138 ShowMessages("err, couldn't resolve error at '%s'\n\n",
140
142
143 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
144 }
145 }
146
147 //
148 // Check if user specified the execution mode or not
149 //
150 if (!SetMode)
151 {
152 ShowMessages("please specify the mode(s) that you want to intercept their execution (u, k, ku)\n");
153
154 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
155 return;
156 }
157
158 //
159 // Check if user specified the process id or not
160 //
162 {
163 ShowMessages("this event only applies to the selected process(es). please specify "
164 "the 'pid' or the process id of the target process that you want to trap its execution\n");
165
166 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
167 return;
168 }
169
170 //
171 // Set the first parameter to the required execution mode
172 //
173 Event->Options.OptionalParam1 = (UINT64)TargetInterceptionMode;
174
175 //
176 // Send the ioctl to the kernel for event registration
177 //
178 if (!SendEventToKernel(Event, EventLength))
179 {
180 //
181 // There was an error, probably the handle was not initialized
182 // we have to free the Action before exit, it is because, we
183 // already freed the Event and string buffers
184 //
185
186 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
187 return;
188 }
189
190 //
191 // Add the event to the kernel
192 //
193 if (!RegisterActionToEvent(Event,
194 ActionBreakToDebugger,
195 ActionBreakToDebuggerLength,
196 ActionCustomCode,
197 ActionCustomCodeLength,
198 ActionScript,
199 ActionScriptLength))
200 {
201 //
202 // There was an error
203 //
204
205 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
206 return;
207 }
208}
#define DEBUGGER_EVENT_APPLY_TO_ALL_PROCESSES
Apply the event to all the processes.
Definition Constants.h:745
@ TRAP_EXECUTION_MODE_CHANGED
Definition Events.h:169
@ DEBUGGER_EVENT_MODE_TYPE_KERNEL_MODE
Definition Events.h:210
@ DEBUGGER_EVENT_MODE_TYPE_USER_MODE_AND_KERNEL_MODE
Definition Events.h:208
@ DEBUGGER_EVENT_MODE_TYPE_INVALID
Definition Events.h:211
@ DEBUGGER_EVENT_MODE_TYPE_USER_MODE
Definition Events.h:209
enum _DEBUGGER_EVENT_MODE_TYPE DEBUGGER_EVENT_MODE_TYPE
Type of mode change traps.
VOID CommandModeHelp()
help of the !mode command
Definition mode.cpp:20
UINT32 ProcessId
Definition Events.h:365

◆ CommandMonitor()

VOID CommandMonitor ( vector< CommandToken > CommandTokens,
string Command )

!monitor command handler

Parameters
CommandTokens
Command
Returns
VOID
63{
65 PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger = NULL;
66 PDEBUGGER_GENERAL_ACTION ActionCustomCode = NULL;
67 PDEBUGGER_GENERAL_ACTION ActionScript = NULL;
68 UINT32 EventLength;
69 UINT32 ActionBreakToDebuggerLength = 0;
70 UINT32 ActionCustomCodeLength = 0;
71 UINT32 ActionScriptLength = 0;
72 UINT32 HookLength = 0;
73 UINT64 OptionalParam1 = 0; // Set the 'from' target address
74 UINT64 OptionalParam2 = 0; // Set the 'to' target address
75 BOOLEAN SetFrom = FALSE;
76 BOOLEAN SetTo = FALSE;
77 BOOLEAN IsNextLength = FALSE;
78 BOOLEAN LengthAlreadySet = FALSE;
79 BOOLEAN SetAttributes = FALSE;
80 BOOLEAN HookMemoryTypeSet = FALSE;
81 DEBUGGER_HOOK_MEMORY_TYPE HookMemoryType = DEBUGGER_MEMORY_HOOK_VIRTUAL_ADDRESS; // by default virtual address
82 DEBUGGER_EVENT_PARSING_ERROR_CAUSE EventParsingErrorCause;
83
84 if (CommandTokens.size() < 4)
85 {
86 ShowMessages("incorrect use of the '%s'\n\n",
87 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
88
90 return;
91 }
92
93 //
94 // Interpret and fill the general event and action fields
95 //
96 // We use HIDDEN_HOOK_READ_AND_WRITE here but it might be changed to
97 // HIDDEN_HOOK_READ or HIDDEN_HOOK_WRITE or other events it is because
98 // we are not sure what kind event the user need
99 //
101 &CommandTokens,
103 &Event,
104 &EventLength,
105 &ActionBreakToDebugger,
106 &ActionBreakToDebuggerLength,
107 &ActionCustomCode,
108 &ActionCustomCodeLength,
109 &ActionScript,
110 &ActionScriptLength,
111 &EventParsingErrorCause))
112 {
113 return;
114 }
115
116 //
117 // Interpret command specific details (if any)
118 //
119 for (auto Section : CommandTokens)
120 {
121 if (CompareLowerCaseStrings(Section, "!monitor"))
122 {
123 continue;
124 }
125 else if (IsNextLength)
126 {
127 if (!ConvertTokenToUInt32(Section, &HookLength))
128 {
129 ShowMessages("err, you should enter a valid length\n\n");
130 return;
131 }
132
133 IsNextLength = FALSE;
134 LengthAlreadySet = TRUE;
135 SetTo = TRUE; // No longer need a second address
136 }
137 else if (CompareLowerCaseStrings(Section, "r") && !SetAttributes)
138 {
140 SetAttributes = TRUE;
141 }
142 else if (CompareLowerCaseStrings(Section, "w") && !SetAttributes)
143 {
145 SetAttributes = TRUE;
146 }
147 else if (CompareLowerCaseStrings(Section, "x") && !SetAttributes)
148 {
150 SetAttributes = TRUE;
151 }
152 else if ((CompareLowerCaseStrings(Section, "rw") || CompareLowerCaseStrings(Section, "wr")) && !SetAttributes)
153 {
155 SetAttributes = TRUE;
156 }
157 else if ((CompareLowerCaseStrings(Section, "rx") || CompareLowerCaseStrings(Section, "xr")) &&
158 !SetAttributes)
159 {
161 SetAttributes = TRUE;
162 }
163 else if ((CompareLowerCaseStrings(Section, "wx") || CompareLowerCaseStrings(Section, "xw")) &&
164 !SetAttributes)
165 {
167 SetAttributes = TRUE;
168 }
169 else if ((CompareLowerCaseStrings(Section, "rwx") ||
170 CompareLowerCaseStrings(Section, "rxw") ||
171 CompareLowerCaseStrings(Section, "wrx") ||
172 CompareLowerCaseStrings(Section, "wxr") ||
173 CompareLowerCaseStrings(Section, "xrw") ||
174 CompareLowerCaseStrings(Section, "xwr")) &&
175 !SetAttributes)
176 {
178 SetAttributes = TRUE;
179 }
180 else if (CompareLowerCaseStrings(Section, "l") && !SetTo && !LengthAlreadySet)
181 {
182 IsNextLength = TRUE;
183 continue;
184 }
185 else if (CompareLowerCaseStrings(Section, "va") && !HookMemoryTypeSet)
186 {
188 HookMemoryTypeSet = TRUE;
189 continue;
190 }
191 else if (CompareLowerCaseStrings(Section, "pa") && !HookMemoryTypeSet)
192 {
194 HookMemoryTypeSet = TRUE;
195 continue;
196 }
197 else
198 {
199 //
200 // It's probably address
201 //
202 if (!SetFrom)
203 {
206 &OptionalParam1))
207 {
208 //
209 // couldn't resolve or unknown parameter
210 //
211 ShowMessages("err, couldn't resolve error at '%s'\n\n",
214
215 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
216 return;
217 }
218 SetFrom = TRUE;
219 }
220 else if (!SetTo && !LengthAlreadySet)
221 {
224 &OptionalParam2))
225 {
226 //
227 // Couldn't resolve or unknown parameter
228 //
229 ShowMessages("err, couldn't resolve error at '%s'\n\n",
231
233
234 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
235 return;
236 }
237 SetTo = TRUE;
238 }
239 else
240 {
241 //
242 // Unknown parameter
243 //
244 ShowMessages("unknown parameter '%s'\n\n",
247
248 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
249 return;
250 }
251 }
252 }
253
254 //
255 // Check if all parameters are received
256 //
257 if (!SetFrom || !SetTo)
258 {
259 ShowMessages("please choose the 'from' or 'to' values or specify the length\n");
260 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
261 return;
262 }
263
264 //
265 // Check if user specified the 'l' rather than providing two addresses
266 //
267 if (LengthAlreadySet)
268 {
269 //
270 // Because when the user specifies length, the last byte should be ignored
271 //
272 OptionalParam2 = OptionalParam1 + HookLength - 1;
273 }
274
275 //
276 // Check for invalid order of address
277 //
278 if (OptionalParam1 > OptionalParam2)
279 {
280 //
281 // 'from' is greater than 'to'
282 //
283 ShowMessages("please choose the 'from' value first, then choose the 'to' "
284 "value\n");
285
286 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
287 return;
288 }
289
290 //
291 // Check if user set the attributes of !monitor or not
292 //
293 if (!SetAttributes)
294 {
295 ShowMessages("please specify the attribute(s) that you want to monitor (r, w, x, rw, rx, wx, rwx)\n");
296
297 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
298 return;
299 }
300
301 //
302 // Set the optional parameters
303 //
304 Event->Options.OptionalParam1 = OptionalParam1;
305 Event->Options.OptionalParam2 = OptionalParam2;
306 Event->Options.OptionalParam3 = HookMemoryType;
307
308 //
309 // Send the ioctl to the kernel for event registration
310 //
311 if (!SendEventToKernel(Event, EventLength))
312 {
313 //
314 // There was an error, probably the handle was not initialized
315 // we have to free the Action before exit, it is because, we
316 // already freed the Event and string buffers
317 //
318
319 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
320 return;
321 }
322
323 //
324 // Add the event to the kernel
325 //
326 if (!RegisterActionToEvent(Event,
327 ActionBreakToDebugger,
328 ActionBreakToDebuggerLength,
329 ActionCustomCode,
330 ActionCustomCodeLength,
331 ActionScript,
332 ActionScriptLength))
333 {
334 //
335 // There was an error
336 //
337
338 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
339 return;
340 }
341}
@ DEBUGGER_MEMORY_HOOK_VIRTUAL_ADDRESS
Definition DataTypes.h:360
@ DEBUGGER_MEMORY_HOOK_PHYSICAL_ADDRESS
Definition DataTypes.h:361
enum _DEBUGGER_HOOK_MEMORY_TYPE DEBUGGER_HOOK_MEMORY_TYPE
different type of memory addresses
@ HIDDEN_HOOK_WRITE_AND_EXECUTE
Definition Events.h:103
@ HIDDEN_HOOK_READ_AND_WRITE
Definition Events.h:101
@ HIDDEN_HOOK_READ_AND_EXECUTE
Definition Events.h:102
@ HIDDEN_HOOK_READ
Definition Events.h:104
@ HIDDEN_HOOK_WRITE
Definition Events.h:105
@ HIDDEN_HOOK_READ_AND_WRITE_AND_EXECUTE
Definition Events.h:100
@ HIDDEN_HOOK_EXECUTE
Definition Events.h:106
VOID CommandMonitorHelp()
help of the !monitor command
Definition monitor.cpp:20
UINT64 OptionalParam3
Definition Events.h:279
VMM_EVENT_TYPE_ENUM EventType
Definition Events.h:394

◆ CommandMsrread()

VOID CommandMsrread ( vector< CommandToken > CommandTokens,
string Command )

!msrread command handler

Parameters
CommandTokens
Command
Returns
VOID
48{
50 PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger = NULL;
51 PDEBUGGER_GENERAL_ACTION ActionCustomCode = NULL;
52 PDEBUGGER_GENERAL_ACTION ActionScript = NULL;
53 UINT32 EventLength;
54 UINT32 ActionBreakToDebuggerLength = 0;
55 UINT32 ActionCustomCodeLength = 0;
56 UINT32 ActionScriptLength = 0;
57 UINT64 SpecialTarget = DEBUGGER_EVENT_MSR_READ_OR_WRITE_ALL_MSRS;
58 BOOLEAN GetAddress = FALSE;
59 DEBUGGER_EVENT_PARSING_ERROR_CAUSE EventParsingErrorCause;
60
61 //
62 // Interpret and fill the general event and action fields
63 //
64 //
66 &CommandTokens,
68 &Event,
69 &EventLength,
70 &ActionBreakToDebugger,
71 &ActionBreakToDebuggerLength,
72 &ActionCustomCode,
73 &ActionCustomCodeLength,
74 &ActionScript,
75 &ActionScriptLength,
76 &EventParsingErrorCause))
77 {
78 return;
79 }
80
81 //
82 // Interpret command specific details (if any), it is because we can use
83 // special msr bitmap here
84 //
85 for (auto Section : CommandTokens)
86 {
87 if (CompareLowerCaseStrings(Section, "!msrread") || CompareLowerCaseStrings(Section, "!msread"))
88 {
89 continue;
90 }
91 else if (!GetAddress)
92 {
93 //
94 // It's probably an msr
95 //
96 if (!ConvertTokenToUInt64(Section, &SpecialTarget))
97 {
98 //
99 // Unknown parameter
100 //
101 ShowMessages("unknown parameter '%s'\n\n",
104
105 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
106 return;
107 }
108 else
109 {
110 GetAddress = TRUE;
111 }
112 }
113 else
114 {
115 //
116 // Unknown parameter
117 //
118 ShowMessages("unknown parameter '%s'\n\n",
121
122 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
123 return;
124 }
125 }
126
127 //
128 // Set the target msr (if not specific then it means all msrs)
129 //
130 Event->Options.OptionalParam1 = SpecialTarget;
131
132 //
133 // Send the ioctl to the kernel for event registration
134 //
135 if (!SendEventToKernel(Event, EventLength))
136 {
137 //
138 // There was an error, probably the handle was not initialized
139 // we have to free the Action before exit, it is because, we
140 // already freed the Event and string buffers
141 //
142
143 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
144 return;
145 }
146
147 //
148 // Add the event to the kernel
149 //
150 if (!RegisterActionToEvent(Event,
151 ActionBreakToDebugger,
152 ActionBreakToDebuggerLength,
153 ActionCustomCode,
154 ActionCustomCodeLength,
155 ActionScript,
156 ActionScriptLength))
157 {
158 //
159 // There was an error
160 //
161
162 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
163 return;
164 }
165}
#define DEBUGGER_EVENT_MSR_READ_OR_WRITE_ALL_MSRS
Apply to all Model Specific Registers.
Definition Constants.h:751
@ RDMSR_INSTRUCTION_EXECUTION
Definition Events.h:128
VOID CommandMsrreadHelp()
help of the !msrread command
Definition msrread.cpp:20

◆ CommandMsrwrite()

VOID CommandMsrwrite ( vector< CommandToken > CommandTokens,
string Command )

!msrwrite command handler

Parameters
CommandTokens
Command
Returns
VOID
48{
50 PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger = NULL;
51 PDEBUGGER_GENERAL_ACTION ActionCustomCode = NULL;
52 PDEBUGGER_GENERAL_ACTION ActionScript = NULL;
53 UINT32 EventLength;
54 UINT32 ActionBreakToDebuggerLength = 0;
55 UINT32 ActionCustomCodeLength = 0;
56 UINT32 ActionScriptLength = 0;
57 UINT64 SpecialTarget = DEBUGGER_EVENT_MSR_READ_OR_WRITE_ALL_MSRS;
58 BOOLEAN GetAddress = FALSE;
59 DEBUGGER_EVENT_PARSING_ERROR_CAUSE EventParsingErrorCause;
60
61 //
62 // Interpret and fill the general event and action fields
63 //
64 //
66 &CommandTokens,
68 &Event,
69 &EventLength,
70 &ActionBreakToDebugger,
71 &ActionBreakToDebuggerLength,
72 &ActionCustomCode,
73 &ActionCustomCodeLength,
74 &ActionScript,
75 &ActionScriptLength,
76 &EventParsingErrorCause))
77 {
78 return;
79 }
80
81 //
82 // Interpret command specific details (if any), it is because we can use
83 // special msr bitmap here
84 //
85 for (auto Section : CommandTokens)
86 {
87 if (CompareLowerCaseStrings(Section, "!msrwrite"))
88 {
89 continue;
90 }
91 else if (!GetAddress)
92 {
93 //
94 // It's probably an msr
95 //
96 if (!ConvertTokenToUInt64(Section, &SpecialTarget))
97 {
98 //
99 // Unknown parameter
100 //
101 ShowMessages("unknown parameter '%s'\n\n",
104
105 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
106 return;
107 }
108 else
109 {
110 GetAddress = TRUE;
111 }
112 }
113 else
114 {
115 //
116 // Unknown parameter
117 //
118 ShowMessages("unknown parameter '%s'\n\n",
121
122 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
123 return;
124 }
125 }
126
127 //
128 // Set the target msr (if not specific then it means all msrs)
129 //
130 Event->Options.OptionalParam1 = SpecialTarget;
131
132 //
133 // Send the ioctl to the kernel for event registration
134 //
135 if (!SendEventToKernel(Event, EventLength))
136 {
137 //
138 // There was an error, probably the handle was not initialized
139 // we have to free the Action before exit, it is because, we
140 // already freed the Event and string buffers
141 //
142
143 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
144 return;
145 }
146
147 //
148 // Add the event to the kernel
149 //
150 if (!RegisterActionToEvent(Event,
151 ActionBreakToDebugger,
152 ActionBreakToDebuggerLength,
153 ActionCustomCode,
154 ActionCustomCodeLength,
155 ActionScript,
156 ActionScriptLength))
157 {
158 //
159 // There was an error
160 //
161
162 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
163 return;
164 }
165}
@ WRMSR_INSTRUCTION_EXECUTION
Definition Events.h:129
VOID CommandMsrwriteHelp()
help of the !msrwrite command
Definition msrwrite.cpp:20

◆ CommandOutput()

VOID CommandOutput ( vector< CommandToken > CommandTokens,
string Command )

output command handler

Parameters
CommandTokens
Command
Returns
VOID
59{
60 PDEBUGGER_EVENT_FORWARDING EventForwardingObject;
63 string DetailsOfSource;
64 UINT32 IndexToShowList;
65 PLIST_ENTRY TempList = 0;
66 BOOLEAN OutputSourceFound = FALSE;
67 HANDLE SourceHandle = INVALID_HANDLE_VALUE;
68 SOCKET Socket = NULL;
69 HMODULE Module = NULL;
70
71 if ((CommandTokens.size() != 1 && CommandTokens.size() <= 2) || CommandTokens.size() >= 6)
72 {
73 ShowMessages("incorrect use of the '%s'\n\n",
74 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
76 return;
77 }
78
79 //
80 // Check if the user needs a list of outputs or not
81 //
82 if (CommandTokens.size() == 1)
83 {
84 IndexToShowList = 0;
85
87 {
88 TempList = &g_OutputSources;
89
90 while (&g_OutputSources != TempList->Blink)
91 {
92 TempList = TempList->Blink;
93
94 PDEBUGGER_EVENT_FORWARDING CurrentOutputSourceDetails =
95 CONTAINING_RECORD(TempList, DEBUGGER_EVENT_FORWARDING, OutputSourcesList);
96
97 //
98 // Increase index
99 //
100 IndexToShowList++;
101
102 string TempStateString = "";
103 string TempTypeString = "";
104
105 if (CurrentOutputSourceDetails->State ==
107 {
108 TempStateString = "not opened";
109 }
110 else if (CurrentOutputSourceDetails->State ==
112 {
113 TempStateString = "opened ";
114 }
115 else if (CurrentOutputSourceDetails->State ==
117 {
118 TempStateString = "closed ";
119 }
120
121 if (CurrentOutputSourceDetails->Type == EVENT_FORWARDING_NAMEDPIPE)
122 {
123 TempTypeString = "namedpipe";
124 }
125 else if (CurrentOutputSourceDetails->Type == EVENT_FORWARDING_FILE)
126 {
127 TempTypeString = "file ";
128 }
129 else if (CurrentOutputSourceDetails->Type == EVENT_FORWARDING_TCP)
130 {
131 TempTypeString = "tcp ";
132 }
133 else if (CurrentOutputSourceDetails->Type == EVENT_FORWARDING_MODULE)
134 {
135 TempTypeString = "module ";
136 }
137
138 ShowMessages("%x %s %s\t%s\n", IndexToShowList, TempTypeString.c_str(), TempStateString.c_str(), CurrentOutputSourceDetails->Name);
139 }
140 }
141 else
142 {
143 ShowMessages("output forwarding list is empty\n");
144 }
145
146 return;
147 }
148
149 //
150 // Check if it's a create, open, or close
151 //
152 if (CompareLowerCaseStrings(CommandTokens.at(1), "create"))
153 {
154 //
155 // It's a create
156 //
157
158 //
159 // check if the parameters are okay for a create or not
160 //
161 if (CommandTokens.size() <= 4)
162 {
163 ShowMessages("incorrect use of the '%s'\n\n",
164 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
166 return;
167 }
168
169 //
170 // Check for the type of the output source
171 //
172 if (CompareLowerCaseStrings(CommandTokens.at(3), "file"))
173 {
175 }
176 else if (CompareLowerCaseStrings(CommandTokens.at(3), "namedpipe"))
177 {
179 }
180 else if (CompareLowerCaseStrings(CommandTokens.at(3), "tcp"))
181 {
183 }
184 else if (CompareLowerCaseStrings(CommandTokens.at(3), "module"))
185 {
187 }
188 else
189 {
190 ShowMessages("incorrect type near '%s'\n\n",
191 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(3)).c_str());
193 return;
194 }
195
196 //
197 // Check to make sure that the name doesn't exceed the maximum character
198 //
199 if (GetCaseSensitiveStringFromCommandToken(CommandTokens.at(2)).size() >=
201 {
202 ShowMessages("name of the output cannot exceed form %d characters\n\n",
205 return;
206 }
207
208 //
209 // Search to see if there is another output source with the
210 // same name which we don't want to create two or more output
211 // sources with the same name
212 //
214 {
215 TempList = &g_OutputSources;
216
217 while (&g_OutputSources != TempList->Flink)
218 {
219 TempList = TempList->Flink;
220
221 PDEBUGGER_EVENT_FORWARDING CurrentOutputSourceDetails =
222 CONTAINING_RECORD(TempList, DEBUGGER_EVENT_FORWARDING, OutputSourcesList);
223
224 if (strcmp(CurrentOutputSourceDetails->Name,
225 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(2)).c_str()) == 0)
226 {
227 //
228 // Indicate that we found this item
229 //
230 OutputSourceFound = TRUE;
231
232 //
233 // No need to search through the list anymore
234 //
235 break;
236 }
237 }
238
239 //
240 // Check whether the entered name already exists
241 //
242 if (OutputSourceFound)
243 {
244 ShowMessages("err, the name you entered, already exists, please choose "
245 "another name\n");
246 return;
247 }
248 }
249
250 //
251 // try to open the source and get the handle
252 //
253 DetailsOfSource = GetCaseSensitiveStringFromCommandToken(CommandTokens.at(4));
254
255 SourceHandle = ForwardingCreateOutputSource(Type, DetailsOfSource, &Socket, &Module);
256
257 //
258 // Check if it's a valid handle or not
259 //
260 if (SourceHandle == INVALID_HANDLE_VALUE)
261 {
262 ShowMessages(
263 "err, invalid address or cannot open or find the address\n");
264 return;
265 }
266
267 //
268 // allocate the buffer for storing the event forwarding details
269 //
270 EventForwardingObject =
272
273 if (EventForwardingObject == NULL)
274 {
275 ShowMessages("err, in allocating memory for event forwarding\n");
276 return;
277 }
278
279 RtlZeroMemory(EventForwardingObject, sizeof(DEBUGGER_EVENT_FORWARDING));
280
281 //
282 // Set the state
283 //
284 EventForwardingObject->State = EVENT_FORWARDING_STATE_NOT_OPENED;
285
286 //
287 // Set the type
288 //
289 EventForwardingObject->Type = Type;
290
291 //
292 // Get a new tag
293 //
294 EventForwardingObject->OutputUniqueTag = ForwardingGetNewOutputSourceTag();
295
296 //
297 // Set the handle or in the case of TCP, set the socket
298 // or if it's a module the set the module handle
299 //
300 if (Type == EVENT_FORWARDING_TCP)
301 {
302 EventForwardingObject->Socket = Socket;
303 }
304 else if (Type == EVENT_FORWARDING_MODULE)
305 {
306 EventForwardingObject->Module = Module;
307
308 //
309 // Handle is the function address
310 //
311 EventForwardingObject->Handle = SourceHandle;
312 }
313 else
314 {
315 EventForwardingObject->Handle = SourceHandle;
316 }
317
318 //
319 // Move the name of the output source to the buffer
320 //
321 strcpy_s(EventForwardingObject->Name,
322 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(2)).c_str());
323
324 //
325 // Check if list is initialized or not
326 //
328 {
330 InitializeListHead(&g_OutputSources);
331 }
332
333 //
334 // Add the source to the trace list
335 //
336 InsertHeadList(&g_OutputSources,
337 &(EventForwardingObject->OutputSourcesList));
338 }
339 else if (CompareLowerCaseStrings(CommandTokens.at(1), "open"))
340 {
341 //
342 // It's an open
343 //
345 {
346 ShowMessages("err, the name you entered, not found\n");
347 return;
348 }
349
350 //
351 // Now we should find the corresponding object in the memory and
352 // pass it to the global open functions
353 //
354 TempList = &g_OutputSources;
355
356 while (&g_OutputSources != TempList->Flink)
357 {
358 TempList = TempList->Flink;
359
360 PDEBUGGER_EVENT_FORWARDING CurrentOutputSourceDetails = CONTAINING_RECORD(
361 TempList,
363 OutputSourcesList);
364
365 if (strcmp(CurrentOutputSourceDetails->Name,
366 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(2)).c_str()) == 0)
367 {
368 //
369 // Indicate that we found this item
370 //
371 OutputSourceFound = TRUE;
372
373 //
374 // Open the output
375 //
376 Status = ForwardingOpenOutputSource(CurrentOutputSourceDetails);
377
379 {
380 ShowMessages("err, the name you entered was already closed\n");
381 return;
382 }
384 {
385 ShowMessages("err, the name you entered was already opened\n");
386 return;
387 }
388 else if (Status !=
390 {
391 ShowMessages("err, unable to open the output source\n");
392 return;
393 }
394
395 //
396 // No need to search through the list anymore
397 //
398 break;
399 }
400 }
401
402 if (!OutputSourceFound)
403 {
404 ShowMessages("err, the name you entered, not found\n");
405 return;
406 }
407 }
408 else if (CompareLowerCaseStrings(CommandTokens.at(1), "close"))
409 {
410 //
411 // It's a close
412 //
414 {
415 ShowMessages("err, the name you entered, not found\n");
416 return;
417 }
418
419 //
420 // Now we should find the corresponding object in the memory and
421 // pass it to the global close functions
422 //
423 TempList = &g_OutputSources;
424
425 while (&g_OutputSources != TempList->Flink)
426 {
427 TempList = TempList->Flink;
428
429 PDEBUGGER_EVENT_FORWARDING CurrentOutputSourceDetails = CONTAINING_RECORD(
430 TempList,
432 OutputSourcesList);
433
434 if (strcmp(CurrentOutputSourceDetails->Name,
435 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(2)).c_str()) == 0)
436 {
437 //
438 // Indicate that we found this item
439 //
440 OutputSourceFound = TRUE;
441
442 //
443 // Close the output if it's not already closed
444 //
445 Status = ForwardingCloseOutputSource(CurrentOutputSourceDetails);
446
448 {
449 ShowMessages("err, the name you entered was already closed\n");
450 return;
451 }
453 {
454 ShowMessages("err, unable to close the source\n");
455 return;
456 }
457 else if (Status !=
459 {
460 ShowMessages("err, unable to close the source\n");
461 return;
462 }
463
464 //
465 // No need to search through the list anymore
466 //
467 break;
468 }
469 }
470
471 if (!OutputSourceFound)
472 {
473 ShowMessages("err, the name you entered, not found\n");
474 return;
475 }
476 }
477 else
478 {
479 //
480 // Invalid argument
481 //
482 ShowMessages("incorrect option at '%s'\n\n",
483 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
485 return;
486 }
487}
DEBUGGER_OUTPUT_SOURCE_STATUS ForwardingCloseOutputSource(PDEBUGGER_EVENT_FORWARDING SourceDescriptor)
Closes the output source.
Definition forwarding.cpp:110
DEBUGGER_OUTPUT_SOURCE_STATUS ForwardingOpenOutputSource(PDEBUGGER_EVENT_FORWARDING SourceDescriptor)
Opens the output source.
Definition forwarding.cpp:40
UINT64 ForwardingGetNewOutputSourceTag()
Get the output source tag and increase the global variable for tag.
Definition forwarding.cpp:28
PVOID ForwardingCreateOutputSource(DEBUGGER_EVENT_FORWARDING_TYPE SourceType, const string &Description, SOCKET *Socket, HMODULE *Module)
Create a new source (create handle from the source).
Definition forwarding.cpp:215
struct _DEBUGGER_EVENT_FORWARDING DEBUGGER_EVENT_FORWARDING
structures hold the detail of event forwarding
@ EVENT_FORWARDING_STATE_OPENED
Definition forwarding.h:54
@ EVENT_FORWARDING_CLOSED
Definition forwarding.h:55
@ EVENT_FORWARDING_STATE_NOT_OPENED
Definition forwarding.h:53
enum _DEBUGGER_EVENT_FORWARDING_TYPE DEBUGGER_EVENT_FORWARDING_TYPE
event forwarding type
#define MAXIMUM_CHARACTERS_FOR_EVENT_FORWARDING_NAME
maximum characters for event forwarding source names
Definition forwarding.h:32
@ DEBUGGER_OUTPUT_SOURCE_STATUS_SUCCESSFULLY_OPENED
Definition forwarding.h:67
@ DEBUGGER_OUTPUT_SOURCE_STATUS_UNKNOWN_ERROR
Definition forwarding.h:71
@ DEBUGGER_OUTPUT_SOURCE_STATUS_ALREADY_OPENED
Definition forwarding.h:69
@ DEBUGGER_OUTPUT_SOURCE_STATUS_SUCCESSFULLY_CLOSED
Definition forwarding.h:68
@ DEBUGGER_OUTPUT_SOURCE_STATUS_ALREADY_CLOSED
Definition forwarding.h:70
enum _DEBUGGER_OUTPUT_SOURCE_STATUS DEBUGGER_OUTPUT_SOURCE_STATUS
output source status
@ EVENT_FORWARDING_TCP
Definition forwarding.h:42
@ EVENT_FORWARDING_MODULE
Definition forwarding.h:43
@ EVENT_FORWARDING_FILE
Definition forwarding.h:41
@ EVENT_FORWARDING_NAMEDPIPE
Definition forwarding.h:40
struct _DEBUGGER_EVENT_FORWARDING * PDEBUGGER_EVENT_FORWARDING
#define CONTAINING_RECORD(address, type, field)
Definition nt-list.h:36
VOID CommandOutputHelp()
help of the output command
Definition output.cpp:26
LIST_ENTRY g_OutputSources
Holds a list of output sources created by output command.
Definition globals.h:427
BOOLEAN g_OutputSourcesInitialized
it shows whether the debugger started using output sources or not or in other words,...
Definition globals.h:418
LIST_ENTRY OutputSourcesList
Definition forwarding.h:88
DEBUGGER_EVENT_FORWARDING_TYPE Type
Definition forwarding.h:81
DEBUGGER_EVENT_FORWARDING_STATE State
Definition forwarding.h:82
CHAR Name[MAXIMUM_CHARACTERS_FOR_EVENT_FORWARDING_NAME]
Definition forwarding.h:89
SOCKET Socket
Definition forwarding.h:84
HMODULE Module
Definition forwarding.h:85
UINT64 OutputUniqueTag
Definition forwarding.h:86
VOID * Handle
Definition forwarding.h:83

◆ CommandP()

VOID CommandP ( vector< CommandToken > CommandTokens,
string Command )

handler of p command

Parameters
CommandTokens
Command
Returns
VOID
54{
55 UINT32 StepCount;
57
58 //
59 // Validate the commands
60 //
61 if (CommandTokens.size() != 1 && CommandTokens.size() != 2)
62 {
63 ShowMessages("incorrect use of the '%s'\n\n",
64 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
66 return;
67 }
68
69 //
70 // Set type of request
71 //
73
74 //
75 // Check if the command has a counter parameter
76 //
77 if (CommandTokens.size() == 2)
78 {
79 if (!ConvertTokenToUInt32(CommandTokens.at(1), &StepCount))
80 {
81 ShowMessages("please specify a correct hex value for [count]\n\n");
83 return;
84 }
85 }
86 else
87 {
88 StepCount = 1;
89 }
90
91 //
92 // Check if the remote serial debuggee or user debugger are paused or not
93 //
95 {
96 //
97 // Check if the thread is paused or not
98 //
100 {
101 ShowMessages("the target process is running, use the "
102 "'pause' command or press CTRL+C to pause the process\n");
103 return;
104 }
105
106 //
107 // Indicate that we're instrumenting
108 //
110
111 for (SIZE_T i = 0; i < StepCount; i++)
112 {
113 //
114 // For logging purpose
115 //
116 // ShowMessages("percentage : %f %% (%x)\n", 100.0 * (i /
117 // (float)StepCount), i);
118 //
119
120 //
121 // Perform Step-over
122 //
124
125 if (CompareLowerCaseStrings(CommandTokens.at(0), "pr"))
126 {
127 //
128 // Show registers
129 //
131
132 if (i != StepCount - 1)
133 {
134 ShowMessages("\n");
135 }
136 }
137
138 //
139 // Check if user pressed CTRL+C
140 //
142 {
143 break;
144 }
145 }
146
147 //
148 // We're not instrumenting instructions anymore
149 //
151 }
152 else
153 {
154 ShowMessages("err, stepping (p) is not valid in the current context, you "
155 "should connect to a debuggee\n");
156 }
157}
@ DEBUGGER_REMOTE_STEPPING_REQUEST_STEP_OVER
Definition RequestStructures.h:1050
enum _DEBUGGER_REMOTE_STEPPING_REQUEST DEBUGGER_REMOTE_STEPPING_REQUEST
stepping and tracking types
VOID CommandPHelp()
help of the p command
Definition p.cpp:27
BOOLEAN SteppingStepOver()
Perform Step-over.
Definition steppings.cpp:117

◆ CommandPa2va()

VOID CommandPa2va ( vector< CommandToken > CommandTokens,
string Command )

!pa2va command handler

Parameters
CommandTokens
Command
Returns
VOID
51{
52 BOOL Status;
53 ULONG ReturnedLength;
54 UINT64 TargetPa;
55 UINT32 Pid = 0;
56 DEBUGGER_VA2PA_AND_PA2VA_COMMANDS AddressDetails = {0};
57
58 if (CommandTokens.size() == 1 || CommandTokens.size() >= 5 || CommandTokens.size() == 3)
59 {
60 ShowMessages("incorrect use of the '%s'\n\n",
61 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
62
64 return;
65 }
66
67 //
68 // By default if the user-debugger is active, we use these commands
69 // on the memory layout of the debuggee process
70 //
72 {
73 Pid = g_ActiveProcessDebuggingState.ProcessId;
74 }
75
76 if (CommandTokens.size() == 2)
77 {
78 //
79 // It's just a address for current process
80 //
82 {
83 //
84 // Couldn't resolve or unknown parameter
85 //
86 ShowMessages("err, couldn't resolve error at '%s'\n",
87 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(1)).c_str());
88 return;
89 }
90 }
91 else
92 {
93 //
94 // It might be address + pid
95 //
96 if (CompareLowerCaseStrings(CommandTokens.at(1), "pid"))
97 {
98 if (!ConvertTokenToUInt32(CommandTokens.at(2), &Pid))
99 {
100 ShowMessages("incorrect address, please enter a valid process id\n");
101 return;
102 }
104 {
105 //
106 // Couldn't resolve or unknown parameter
107 //
108 ShowMessages("err, couldn't resolve error at '%s'\n",
109 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(3)).c_str());
110 return;
111 }
112 }
113 else if (CompareLowerCaseStrings(CommandTokens.at(2), "pid"))
114 {
116 {
117 //
118 // Couldn't resolve or unknown parameter
119 //
120 ShowMessages("err, couldn't resolve error at '%s'\n",
121 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(1)).c_str());
122
123 return;
124 }
125 if (!ConvertTokenToUInt32(CommandTokens.at(3), &Pid))
126 {
127 ShowMessages("incorrect address, please enter a valid process id\n");
128 return;
129 }
130 }
131 else
132 {
133 ShowMessages("incorrect use of the '%s'\n\n",
134 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
136 return;
137 }
138 }
139
140 //
141 // Prepare the buffer
142 // We use same buffer for input and output
143 //
144 AddressDetails.PhysicalAddress = TargetPa;
145 AddressDetails.ProcessId = Pid; // it's null if in debugger mode
146 AddressDetails.IsVirtual2Physical = FALSE;
147
149 {
150 //
151 // Check to prevent using process id in !pa2va command
152 //
153 if (Pid != 0)
154 {
156 return;
157 }
158
159 //
160 // Send the request over serial kernel debugger
161 //
162
164 }
165 else
166 {
168
169 if (Pid == 0)
170 {
171 Pid = GetCurrentProcessId();
172 AddressDetails.ProcessId = Pid;
173 }
174
175 //
176 // Send IOCTL
177 //
178 Status = DeviceIoControl(
179 g_DeviceHandle, // Handle to device
180 IOCTL_DEBUGGER_VA2PA_AND_PA2VA_COMMANDS, // IO Control Code (IOCTL)
181 &AddressDetails, // Input Buffer to driver.
182 SIZEOF_DEBUGGER_VA2PA_AND_PA2VA_COMMANDS, // Input buffer length
183 &AddressDetails, // Output Buffer from driver.
185 // buffer in bytes.
186 &ReturnedLength, // Bytes placed in buffer.
187 NULL // synchronous call
188 );
189
190 if (!Status)
191 {
192 ShowMessages("ioctl failed with code 0x%x\n", GetLastError());
193 return;
194 }
195
197 {
198 //
199 // Show the results
200 //
201 ShowMessages("%llx\n", AddressDetails.VirtualAddress);
202 }
203 else
204 {
205 //
206 // An err occurred, no results
207 //
208 ShowErrorMessage(AddressDetails.KernelStatus);
209 }
210 }
211}
unsigned long ULONG
Definition BasicTypes.h:31
#define IOCTL_DEBUGGER_VA2PA_AND_PA2VA_COMMANDS
ioctl, for !va2pa and !pa2va commands
Definition Ioctls.h:185
#define SIZEOF_DEBUGGER_VA2PA_AND_PA2VA_COMMANDS
Definition RequestStructures.h:77
struct _DEBUGGER_VA2PA_AND_PA2VA_COMMANDS DEBUGGER_VA2PA_AND_PA2VA_COMMANDS
requests for !va2pa and !pa2va commands
BOOLEAN KdSendVa2paAndPa2vaPacketToDebuggee(PDEBUGGER_VA2PA_AND_PA2VA_COMMANDS Va2paAndPa2vaPacket)
Sends VA2PA and PA2VA packest, or '!va2pa' and '!pa2va' commands packet to the debuggee.
Definition kd.cpp:965
#define ASSERT_MESSAGE_KD_NOT_LOADED
Definition common.h:29
VOID CommandPa2vaHelp()
help of the !pa2va command
Definition pa2va.cpp:27
BOOLEAN IsVirtual2Physical
Definition RequestStructures.h:89
UINT32 KernelStatus
Definition RequestStructures.h:90
UINT64 PhysicalAddress
Definition RequestStructures.h:87
UINT32 ProcessId
Definition RequestStructures.h:88
UINT64 VirtualAddress
Definition RequestStructures.h:86

◆ CommandPagein()

VOID CommandPagein ( vector< CommandToken > CommandTokens,
string Command )

.pagein command handler

Parameters
CommandTokens
Command
Returns
VOID
267{
268 UINT32 Pid = 0;
269 UINT64 Length = 0;
270 UINT64 TargetAddressFrom = NULL;
271 UINT64 TargetAddressTo = NULL;
272 BOOLEAN IsNextProcessId = FALSE;
273 BOOLEAN IsFirstCommand = TRUE;
274 BOOLEAN IsNextLength = FALSE;
275 PAGE_FAULT_EXCEPTION PageFaultErrorCode = {0};
276
277 //
278 // By default if the user-debugger is active, we use these commands
279 // on the memory layout of the debuggee process
280 //
282 {
283 Pid = g_ActiveProcessDebuggingState.ProcessId;
284 }
285
286 if (CommandTokens.size() == 1)
287 {
288 //
289 // Means that user entered one command without any parameter
290 //
291 ShowMessages("incorrect use of the '%s'\n\n",
292 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
294 return;
295 }
296
297 for (auto Section : CommandTokens)
298 {
299 if (IsFirstCommand)
300 {
301 IsFirstCommand = FALSE;
302 continue;
303 }
304 if (IsNextProcessId == TRUE)
305 {
306 if (!ConvertTokenToUInt32(Section, &Pid))
307 {
308 ShowMessages("err, you should enter a valid process id\n\n");
309 return;
310 }
311 IsNextProcessId = FALSE;
312 continue;
313 }
314
315 if (IsNextLength == TRUE)
316 {
318 {
319 ShowMessages("err, you should enter a valid length\n\n");
320 return;
321 }
322 IsNextLength = FALSE;
323 continue;
324 }
325
326 if (CompareLowerCaseStrings(Section, "l"))
327 {
328 IsNextLength = TRUE;
329 continue;
330 }
331
332 // if (CompareLowerCaseStrings(Section, "pid"))
333 // {
334 // IsNextProcessId = TRUE;
335 // continue;
336 // }
337
338 //
339 // Probably it's address or mode string
340 //
341
343 {
344 continue;
345 }
346 else if (TargetAddressFrom == 0)
347 {
349 &TargetAddressFrom))
350 {
351 //
352 // Couldn't resolve or unknown parameter
353 //
354 ShowMessages("err, couldn't resolve error at '%s'\n",
356 return;
357 }
358 }
359 else
360 {
361 //
362 // User inserts two address
363 //
364 ShowMessages("err, incorrect use of the '.pagein' command\n\n");
366
367 return;
368 }
369 }
370
371 if (!TargetAddressFrom)
372 {
373 //
374 // User inserts two address
375 //
376 ShowMessages("err, please enter a valid address\n\n");
377
378 return;
379 }
380
381 if (IsNextLength || IsNextProcessId)
382 {
383 ShowMessages("incorrect use of the '%s'\n\n",
384 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
386 return;
387 }
388
389 //
390 // If the user didn't specified a range, then only one page will be
391 // paged-in; so we use the same AddressFrom and AddressTo
392 //
393 if (Length == 0)
394 {
395 TargetAddressTo = TargetAddressFrom;
396 }
397 else
398 {
399 TargetAddressTo = TargetAddressFrom + Length;
400 }
401
402 //
403 // Send the request
404 //
405 // ShowMessages(".pagin address from: %llx -> to %llx, page-fault code: 0x%x, pid: %x, length: 0x%llx",
406 // TargetAddressFrom,
407 // TargetAddressTo,
408 // PageFaultErrorCode.AsUInt,
409 // Pid,
410 // Length);
411
412 //
413 // Request the page-in
414 //
415 CommandPageinRequest(TargetAddressFrom,
416 TargetAddressTo,
417 PageFaultErrorCode,
418 Pid);
419}
VOID CommandPageinHelp()
help of the .pagein command
Definition pagein.cpp:27
BOOLEAN CommandPageinCheckAndInterpretModeString(const std::string &ModeString, PAGE_FAULT_EXCEPTION *PageFaultErrorCode)
Check whether the mode string is valid or not.
Definition pagein.cpp:82
VOID CommandPageinRequest(UINT64 TargetVirtualAddrFrom, UINT64 TargetVirtualAddrTo, PAGE_FAULT_EXCEPTION PageFaultErrorCode, UINT32 Pid)
request to bring the page(s) in
Definition pagein.cpp:172

◆ CommandPause()

VOID CommandPause ( vector< CommandToken > CommandTokens,
string Command )

pause command handler

Parameters
CommandTokens
Command
Returns
VOID
72{
73 if (CommandTokens.size() != 1)
74 {
75 ShowMessages("incorrect use of the '%s'\n\n",
76 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
78 return;
79 }
80
81 //
82 // request to pause
83 //
85}
VOID CommandPauseRequest()
request to pause
Definition pause.cpp:40
VOID CommandPauseHelp()
help of the pause command
Definition pause.cpp:27

◆ CommandPcicam()

VOID CommandPcicam ( vector< CommandToken > CommandTokens,
string Command )

!pcicam command handler

Parameters
CommandTokens
Command
Returns
VOID
48{
49 BOOL Status;
50 ULONG ReturnedLength;
52 UINT32 TargetBus = 0;
53 UINT32 TargetDevice = 0;
54 UINT32 TargetFunction = 0;
55
56 const CHAR * PciHeaderTypes[] = {"Endpoint", "PCI-to-PCI Bridge", "PCI-to-CardBus Bridge"};
57
58 if (CommandTokens.size() < 4 || CommandTokens.size() > 5)
59 {
60 ShowMessages("Incorrect use of '%s'\n\n",
61 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
63 return;
64 }
65
66 if (ConvertTokenToUInt32(CommandTokens.at(1), &TargetBus))
67 {
68 if (TargetBus > BUS_MAX_NUM)
69 {
70 ShowMessages("Invalid bus number '%s'\n\n",
71 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(1)).c_str());
73 return;
74 }
75 PcidevinfoPacket.DeviceInfo.Bus = (UINT8)TargetBus;
76 }
77
78 if (ConvertTokenToUInt32(CommandTokens.at(2), &TargetDevice))
79 {
80 if (TargetDevice > DEVICE_MAX_NUM)
81 {
82 ShowMessages("Invalid device number '%s'\n\n",
83 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(2)).c_str());
85 return;
86 }
87 PcidevinfoPacket.DeviceInfo.Device = (UINT8)TargetDevice;
88 }
89
90 if (ConvertTokenToUInt32(CommandTokens.at(3), &TargetFunction))
91 {
92 if (TargetFunction > FUNCTION_MAX_NUM)
93 {
94 ShowMessages("Invalid function number '%s'\n\n",
95 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(3)).c_str());
97 return;
98 }
99 PcidevinfoPacket.DeviceInfo.Function = (UINT8)TargetFunction;
100 }
101
102 if (CommandTokens.size() == 5)
103 {
104 if (strncmp(GetCaseSensitiveStringFromCommandToken(CommandTokens.at(4)).c_str(), "x", 1) == 0)
105 {
106 PcidevinfoPacket.PrintRaw = TRUE;
107 }
108 else
109 {
110 ShowMessages("Invalid parameter '%s'\n\n",
111 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(4)).c_str());
113 return;
114 }
115 }
116
117 //
118 // Send buffer
119 //
121 {
122 KdSendPcidevinfoPacketToDebuggee(&PcidevinfoPacket);
123 }
124 else
125 {
127
128 //
129 // Send IOCTL
130 //
131 Status = DeviceIoControl(
132 g_DeviceHandle, // Handle to device
133 IOCTL_PCIDEVINFO_ENUM, // IO Control Code (IOCTL)
134 &PcidevinfoPacket, // Input Buffer to driver.
136 &PcidevinfoPacket, // Output Buffer from driver.
138 // buffer in bytes.
139 &ReturnedLength, // Bytes placed in buffer.
140 NULL // synchronous call
141 );
142
143 if (!Status)
144 {
145 ShowMessages("ioctl failed with code 0x%x\n", GetLastError());
146 return;
147 }
148
149 if (PcidevinfoPacket.KernelStatus == DEBUGGER_OPERATION_WAS_SUCCESSFUL)
150 {
151 //
152 // For some reason, MSVC refuses to initialize these at top of case
153 //
154 const CHAR * PciHeaderTypeAsString[] = {"Endpoint", "PCI-to-PCI Bridge", "PCI-to-CardBus Bridge"};
155 const CHAR * PciMmioBarTypeAsString[] = {"32-bit Wide",
156 "Reserved",
157 "64-bit Wide",
158 "Reserved"};
159 UINT8 BarNumOffset = 0;
160
161 ShowMessages("PCI configuration space (CAM) for device %04x:%02x:%02x:%x\n",
162 0, // TODO: Add support for domains beyond 0000
163 PcidevinfoPacket.DeviceInfo.Bus,
164 PcidevinfoPacket.DeviceInfo.Device,
165 PcidevinfoPacket.DeviceInfo.Function);
166
167 if (!PcidevinfoPacket.PrintRaw)
168 {
169 Vendor * CurrentVendor = GetVendorById(PcidevinfoPacket.DeviceInfo.ConfigSpace.CommonHeader.VendorId);
170 CHAR * CurrentVendorName = (CHAR *)"N/A";
171 CHAR * CurrentDeviceName = (CHAR *)"N/A";
172
173 if (CurrentVendor != NULL)
174 {
175 CurrentVendorName = CurrentVendor->VendorName;
176 Device * CurrentDevice = GetDeviceFromVendor(CurrentVendor, PcidevinfoPacket.DeviceInfo.ConfigSpace.CommonHeader.DeviceId);
177
178 if (CurrentDevice != NULL)
179 {
180 CurrentDeviceName = CurrentDevice->DeviceName;
181 }
182 }
183
184 ShowMessages("\nCommon Header:\nVID:DID: %04x:%04x\nVendor Name: %-17.*s\nDevice Name: %.*s\nCommand: %04x\n",
187 strnlen_s(CurrentVendorName, PCI_NAME_STR_LENGTH),
188 CurrentVendorName,
189 strnlen_s(CurrentDeviceName, PCI_NAME_STR_LENGTH),
190 CurrentDeviceName,
191 PcidevinfoPacket.DeviceInfo.ConfigSpace.CommonHeader.Command);
192
193 if ((PcidevinfoPacket.DeviceInfo.ConfigSpace.CommonHeader.HeaderType & 0x01) << 7 == 0) // Only applicable to endpoints
194 {
195 ShowMessages(" Memory Space: %u\n I/O Space: %u\n",
196 (PcidevinfoPacket.DeviceInfo.ConfigSpace.CommonHeader.Command & 0x2) >> 1,
197 (PcidevinfoPacket.DeviceInfo.ConfigSpace.CommonHeader.Command & 0x1));
198 }
199
200 ShowMessages("Status: %04x\nRevision ID: %02x\nClass Code: %06x\nCacheLineSize: %02x\nPrimaryLatencyTimer: %02x\nHeaderType: %s (%02x)\n Multi-function Device: %s\nBist: %02x\n",
201 PcidevinfoPacket.DeviceInfo.ConfigSpace.CommonHeader.Status,
206 (PcidevinfoPacket.DeviceInfo.ConfigSpace.CommonHeader.HeaderType & 0x3f) < 2 ? PciHeaderTypeAsString[(PcidevinfoPacket.DeviceInfo.ConfigSpace.CommonHeader.HeaderType & 0x1)] : "Unknown",
208 (PcidevinfoPacket.DeviceInfo.ConfigSpace.CommonHeader.HeaderType & 0x1) ? "True" : "False",
209 PcidevinfoPacket.DeviceInfo.ConfigSpace.CommonHeader.Bist);
210 FreeVendor(CurrentVendor);
212
213 ShowMessages("\nDevice Header:\n");
214
215 if ((PcidevinfoPacket.DeviceInfo.ConfigSpace.CommonHeader.HeaderType & 0x01) << 7 == 0) // Endpoint
216 {
217 for (UINT8 i = 0; i < 5; i++)
218 {
219 //
220 // Memory I/O
221 //
222 if ((PcidevinfoPacket.DeviceInfo.ConfigSpace.DeviceHeader.ConfigSpaceEp.Bar[i] & 0x1) == 0)
223 {
224 //
225 // 64-bit BAR
226 //
227 if (((PcidevinfoPacket.DeviceInfo.ConfigSpace.DeviceHeader.ConfigSpaceEp.Bar[i] & 0x6) >> 1) == 2)
228 {
229 UINT64 BarMsb = PcidevinfoPacket.DeviceInfo.ConfigSpace.DeviceHeader.ConfigSpaceEp.Bar[i + 1];
230 UINT64 BarLsb = PcidevinfoPacket.DeviceInfo.ConfigSpace.DeviceHeader.ConfigSpaceEp.Bar[i];
231 UINT64 ActualBar = ((BarMsb & 0xFFFFFFFF) << 32) + (BarLsb & 0xFFFFFFF0);
232
233 ShowMessages("BAR%u %s\n BAR Type: MMIO\n MMIO BAR Type: %s (%02x)\n BAR MSB: %08x\n BAR LSB: %08x\n BAR (actual): %016llx\n Prefetchable: %s\n",
234 i - BarNumOffset,
235 ((PcidevinfoPacket.DeviceInfo.ConfigSpace.CommonHeader.Command & 0x2) >> 1 == 0) || !PcidevinfoPacket.DeviceInfo.MmioBarInfo[i].IsEnabled ? "[disabled]" : "",
236 PciMmioBarTypeAsString[(PcidevinfoPacket.DeviceInfo.ConfigSpace.DeviceHeader.ConfigSpaceEp.Bar[i] & 0x6) >> 1],
237 (PcidevinfoPacket.DeviceInfo.ConfigSpace.DeviceHeader.ConfigSpaceEp.Bar[i] & 0x6) >> 1,
238 BarMsb,
239 BarLsb,
240 ActualBar,
241 (PcidevinfoPacket.DeviceInfo.ConfigSpace.DeviceHeader.ConfigSpaceEp.Bar[i] & 0x8 >> 3) ? "True" : "False");
242
243 i++;
244 BarNumOffset++;
245 }
246 //
247 // 32-bit BAR
248 //
249 else
250 {
251 UINT32 ActualBar = (PcidevinfoPacket.DeviceInfo.ConfigSpace.DeviceHeader.ConfigSpaceEp.Bar[i] & 0xFFFFFFF0);
252
253 ShowMessages("BAR%u %s\n BAR Type: MMIO\n BAR: %08x\n BAR (actual): %08x\n Prefetchable: %s\n",
254 i - BarNumOffset,
255 ((PcidevinfoPacket.DeviceInfo.ConfigSpace.CommonHeader.Command & 0x2) >> 1 == 0) || !PcidevinfoPacket.DeviceInfo.MmioBarInfo[i].IsEnabled ? "[disabled]" : "",
257 ActualBar,
258 (PcidevinfoPacket.DeviceInfo.ConfigSpace.DeviceHeader.ConfigSpaceEp.Bar[i] & 0x8 >> 3) ? "True" : "False");
259 }
260 }
261 //
262 // Port I/O
263 //
264 else
265 {
266 //
267 // 32-bit BAR is the only flavor we have here
268 //
269 UINT32 ActualBar32 = PcidevinfoPacket.DeviceInfo.ConfigSpace.DeviceHeader.ConfigSpaceEp.Bar[i] & 0xFFFFFFFC;
270
271 ShowMessages("BAR%u %s\n BAR Type: Port IO\n BAR: %08x\n BAR (actual): %08x\n Reserved: %u\n",
272 i - BarNumOffset,
273 ((PcidevinfoPacket.DeviceInfo.ConfigSpace.CommonHeader.Command & 0x1) == 0) ? "[disabled]" : "",
275 ActualBar32,
276 (PcidevinfoPacket.DeviceInfo.ConfigSpace.DeviceHeader.ConfigSpaceEp.Bar[i] & 0x2) >> 1);
277 }
278 }
279
280 ShowMessages("Cardbus CIS Pointer: %08x\nSubsystem Vendor ID: %04x\nSubsystem ID: %04x\nROM BAR: %08x\nCapabilities Pointer: %02x\nReserved (0xD): %06x\nReserved (0xE): %08x\nInterrupt Line: %02x\nInterrupt Pin: %02x\nMin Grant: %02x\nMax latency: %02x\n",
292 }
293 else if ((PcidevinfoPacket.DeviceInfo.ConfigSpace.CommonHeader.HeaderType & 0x3f) == 1) // PCI-to-PCI Bridge
294 {
295 ShowMessages("BAR0: %08x\nBAR1: %08x\n", PcidevinfoPacket.DeviceInfo.ConfigSpace.DeviceHeader.ConfigSpacePtpBridge.Bar[0], PcidevinfoPacket.DeviceInfo.ConfigSpace.DeviceHeader.ConfigSpacePtpBridge.Bar[1]);
296
297 ShowMessages("Primary Bus Number: %02x\nSecondary Bus Number: %02x\nSubordinate Bus Number: %02x\nSecondary Latency Timer: %02x\nI/O Base: %02x\nI/O Limit: %02x\nSecondary Status: %04x\nMemory Base: %04x\nMemory Limit: %04x\nPrefetchable Memory Base: %04x\nPrefetchable Memory Limit: %04x\nPrefetchable Base Upper 32 Bits: %08x\nPrefetchable Limit Upper 32 Bits: %08x\nI/O Base Upper 16 Bits: %04x\nI/O Limit Upper 16 Bits: %04x\nCapability Pointer: %02x\nReserved: %06x\nROM BAR: %08x\nInterrupt Line: %02x\nInterrupt Pin: %02x\nBridge Control: %04x\n",
319 }
320 else if ((PcidevinfoPacket.DeviceInfo.ConfigSpace.CommonHeader.HeaderType & 0x3f) == 2) // PCI-to-CardBus Bridge
321 {
322 ShowMessages("Parsing header type %s (%02x) currently unsupported\n", PciHeaderTypeAsString[PcidevinfoPacket.DeviceInfo.ConfigSpace.CommonHeader.HeaderType & 0x01], PcidevinfoPacket.DeviceInfo.ConfigSpace.CommonHeader.HeaderType & 0x01);
323 }
324 else
325 {
326 ShowMessages("\nDevice Header:\nUnknown header type %02x\n", (PcidevinfoPacket.DeviceInfo.ConfigSpace.CommonHeader.HeaderType & 0x3f));
327 }
328 }
329 else
330 {
331 UINT32 * cs = (UINT32 *)&PcidevinfoPacket.DeviceInfo.ConfigSpace; // Overflows into .ConfigSpaceAdditional - no padding due to pack(0)
332
333 ShowMessages(" 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f\n");
334
335 for (UINT16 i = 0; i < CAM_CONFIG_SPACE_LENGTH; i += 16)
336 {
337 ShowMessages("%02x: ", i);
338 for (UINT8 j = 0; j < 16; j++)
339 {
340 ShowMessages("%02x ", *(((BYTE *)cs) + j));
341 }
342
343 //
344 // Print ASCII representation
345 // Replace non-printable characters with "."
346 //
347 for (UINT8 j = 0; j < 16; j++)
348 {
349 CHAR c = (CHAR) * (cs + j);
350 if (c >= 32 && c <= 126)
351 {
352 ShowMessages("%c", c);
353 }
354 else
355 {
356 ShowMessages(".");
357 }
358 }
359 ShowMessages("\n");
360 cs += 4;
361 }
362 }
363 }
364 else
365 {
366 //
367 // An err occurred, no results
368 //
369 ShowMessages("An error occurred, no results:");
370
371 ShowErrorMessage(PcidevinfoPacket.KernelStatus);
372 }
373 }
374}
unsigned short UINT16
Definition BasicTypes.h:53
unsigned char BYTE
Definition BasicTypes.h:40
#define IOCTL_PCIDEVINFO_ENUM
ioctl, to query for PCI endpoint info
Definition Ioctls.h:368
#define FUNCTION_MAX_NUM
Definition Pcie.h:41
#define DEVICE_MAX_NUM
Definition Pcie.h:40
#define BUS_MAX_NUM
Definition Pcie.h:39
#define CAM_CONFIG_SPACE_LENGTH
Definition Pcie.h:43
#define SIZEOF_DEBUGGEE_PCIDEVINFO_REQUEST_RESPONSE_PACKET
check so the DEBUGGEE_PCITREE_REQUEST_RESPONSE_PACKET should be smaller than packet size
Definition RequestStructures.h:1663
struct _DEBUGGEE_PCIDEVINFO_REQUEST_RESPONSE_PACKET DEBUGGEE_PCIDEVINFO_REQUEST_RESPONSE_PACKET
PCI device info Request-Response Packet, used by !pcicam and future PCI-related commands....
BOOLEAN KdSendPcidevinfoPacketToDebuggee(PDEBUGGEE_PCIDEVINFO_REQUEST_RESPONSE_PACKET PciepinfoPacket)
Request PCI device info (CAM). Current consumers include '!pcicam'.
Definition kd.cpp:3621
Device * GetDeviceFromVendor(Vendor *VendorToUse, UINT16 DeviceId)
Returns Device entry corresponding to DeviceId.
Definition pci-id.cpp:339
Vendor * GetVendorById(UINT16 VendorId)
Returns Vendor entry, including corresponding devices and subdevices.
Definition pci-id.cpp:305
VOID FreePciIdDatabase()
Frees PciIdDatabaseBuffer.
Definition pci-id.cpp:288
VOID FreeVendor(Vendor *VendorToFree)
Frees Vendor and all of its members.
Definition pci-id.cpp:260
#define PCI_NAME_STR_LENGTH
Definition pci-id.h:15
VOID CommandPcicamHelp()
!pcicam command help
Definition pcicam.cpp:26
PCI_DEV DeviceInfo
Definition RequestStructures.h:1674
UINT32 KernelStatus
Definition RequestStructures.h:1672
BOOL PrintRaw
Definition RequestStructures.h:1673
BOOL IsEnabled
Definition Pcie.h:147
UINT8 Device
Definition Pcie.h:169
UINT8 Bus
Definition Pcie.h:168
UINT8 Function
Definition Pcie.h:170
PCI_DEV_MMIOBAR_INFO MmioBarInfo[6]
Definition Pcie.h:173
PORTABLE_PCI_CONFIG_SPACE_HEADER ConfigSpace
Definition Pcie.h:171
UINT8 Bist
Definition Pcie.h:60
UINT8 ClassCode[3]
Definition Pcie.h:56
UINT8 RevisionId
Definition Pcie.h:55
UINT16 Command
Definition Pcie.h:53
UINT8 CacheLineSize
Definition Pcie.h:57
UINT16 VendorId
Definition Pcie.h:51
UINT16 DeviceId
Definition Pcie.h:52
UINT8 HeaderType
Definition Pcie.h:59
UINT16 Status
Definition Pcie.h:54
UINT8 PrimaryLatencyTimer
Definition Pcie.h:58
PORTABLE_PCI_COMMON_HEADER CommonHeader
Definition Pcie.h:158
PORTABLE_PCI_DEVICE_HEADER DeviceHeader
Definition Pcie.h:159
Definition pci-id.h:26
CHAR DeviceName[PCI_NAME_STR_LENGTH]
Definition pci-id.h:28
Definition pci-id.h:34
CHAR VendorName[PCI_NAME_STR_LENGTH]
Definition pci-id.h:36
struct _PORTABLE_PCI_DEVICE_HEADER::_PORTABLE_PCI_EP_HEADER ConfigSpaceEp
struct _PORTABLE_PCI_DEVICE_HEADER::_PORTABLE_PCI_BRIDGE_HEADER ConfigSpacePtpBridge

◆ CommandPcitree()

VOID CommandPcitree ( vector< CommandToken > CommandTokens,
string Command )

!pcitree command handler

Parameters
CommandTokens
Command
Returns
VOID
46{
47 BOOL Status;
48 ULONG ReturnedLength;
50
51 if (CommandTokens.size() != 1)
52 {
53 ShowMessages("incorrect use of the '%s'\n\n",
54 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
56 return;
57 }
58
59 //
60 // Send buffer
61 //
63 {
64 KdSendPcitreePacketToDebuggee(&PcitreePacket);
65 }
66 else
67 {
69
70 //
71 // Send IOCTL
72 //
73 Status = DeviceIoControl(
74 g_DeviceHandle, // Handle to device
75 IOCTL_PCIE_ENDPOINT_ENUM, // IO Control Code (IOCTL)
76 &PcitreePacket, // Input Buffer to driver.
78 &PcitreePacket, // Output Buffer from driver.
80 // buffer in bytes.
81 &ReturnedLength, // Bytes placed in buffer.
82 NULL // synchronous call
83 );
84
85 if (!Status)
86 {
87 ShowMessages("ioctl failed with code 0x%x\n", GetLastError());
88 return;
89 }
90
92 {
93 //
94 // Print PCI device tree
95 //
96 ShowMessages("%-12s | %-9s | %-17s | %s \n%s\n", "DBDF", "VID:DID", "Vendor Name", "Device Name", "----------------------------------------------------------------------");
97 for (UINT8 i = 0; i < (PcitreePacket.DeviceInfoListNum < DEV_MAX_NUM ? PcitreePacket.DeviceInfoListNum : DEV_MAX_NUM); i++)
98 {
99 Vendor * CurrentVendor = GetVendorById(PcitreePacket.DeviceInfoList[i].ConfigSpace.VendorId);
100 CHAR * CurrentVendorName = (CHAR *)"N/A";
101 CHAR * CurrentDeviceName = (CHAR *)"N/A";
102
103 if (CurrentVendor != NULL)
104 {
105 CurrentVendorName = CurrentVendor->VendorName;
106 Device * CurrentDevice = GetDeviceFromVendor(CurrentVendor, PcitreePacket.DeviceInfoList[i].ConfigSpace.DeviceId);
107
108 if (CurrentDevice != NULL)
109 {
110 CurrentDeviceName = CurrentDevice->DeviceName;
111 }
112 }
113
114 ShowMessages("%04x:%02x:%02x:%x | %04x:%04x | %-17.*s | %.*s\n",
115 0, // TODO: Add support for domains beyond 0000
116 PcitreePacket.DeviceInfoList[i].Bus,
117 PcitreePacket.DeviceInfoList[i].Device,
118 PcitreePacket.DeviceInfoList[i].Function,
119 PcitreePacket.DeviceInfoList[i].ConfigSpace.VendorId,
120 PcitreePacket.DeviceInfoList[i].ConfigSpace.DeviceId,
121 strnlen_s(CurrentVendorName, PCI_NAME_STR_LENGTH),
122 CurrentVendorName,
123 strnlen_s(CurrentDeviceName, PCI_NAME_STR_LENGTH),
124 CurrentDeviceName
125
126 );
127
128 FreeVendor(CurrentVendor);
129 }
131 }
132 else
133 {
134 //
135 // An err occurred, no results
136 //
137 ShowErrorMessage(PcitreePacket.KernelStatus);
138 }
139 }
140}
#define IOCTL_PCIE_ENDPOINT_ENUM
ioctl, to enumerate PCIe endpoints
Definition Ioctls.h:354
#define DEV_MAX_NUM
Definition Pcie.h:42
#define SIZEOF_DEBUGGEE_PCITREE_REQUEST_RESPONSE_PACKET
Definition RequestStructures.h:1639
struct _DEBUGGEE_PCITREE_REQUEST_RESPONSE_PACKET DEBUGGEE_PCITREE_REQUEST_RESPONSE_PACKET
Pcitree Request-Response Packet. Represents PCI device tree.
BOOLEAN KdSendPcitreePacketToDebuggee(PDEBUGGEE_PCITREE_REQUEST_RESPONSE_PACKET PcitreePacket)
Sends '!pcitree' command, including buffer, to the debuggee.
Definition kd.cpp:3592
VOID CommandPcitreeHelp()
help of the !pcitree command
Definition pcitree.cpp:26
UINT8 DeviceInfoListNum
Definition RequestStructures.h:1649
UINT32 KernelStatus
Definition RequestStructures.h:1648
PCI_DEV_MINIMAL DeviceInfoList[DEV_MAX_NUM]
Definition RequestStructures.h:1650
PORTABLE_PCI_CONFIG_SPACE_HEADER_MINIMAL ConfigSpace
Definition Pcie.h:137
UINT8 Bus
Definition Pcie.h:134
UINT8 Function
Definition Pcie.h:136
UINT8 Device
Definition Pcie.h:135
UINT16 VendorId
Definition Pcie.h:123
UINT16 DeviceId
Definition Pcie.h:124

◆ CommandPe()

VOID CommandPe ( vector< CommandToken > CommandTokens,
string Command )

.pe command handler

Parameters
CommandTokens
Command
Returns
VOID
43{
44 BOOLEAN Is32Bit = FALSE;
45 wstring Filepath;
46 string TempFilePath;
47 BOOLEAN ShowDumpOfSection = FALSE;
48
49 if (CommandTokens.size() <= 2)
50 {
51 ShowMessages("err, incorrect use of the '%s' command\n\n",
52 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
54 return;
55 }
56
57 //
58 // Check for first option
59 //
60 if (CompareLowerCaseStrings(CommandTokens.at(1), "section"))
61 {
62 if (CommandTokens.size() == 3)
63 {
64 ShowMessages("err, incorrect use of the '%s' command\n\n",
65 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
67 return;
68 }
69
70 if (CommandTokens.size() != 4)
71 {
72 ShowMessages("err, incorrect use of the '%s' command\n\n",
73 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
75 return;
76 }
77 ShowDumpOfSection = TRUE;
78 TempFilePath = GetCaseSensitiveStringFromCommandToken(CommandTokens.at(3));
79 }
80 else if (CompareLowerCaseStrings(CommandTokens.at(1), "header"))
81 {
82 if (CommandTokens.size() != 3)
83 {
84 ShowMessages("err, incorrect use of the '%s' command\n\n",
85 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
87 return;
88 }
89
90 ShowDumpOfSection = FALSE;
91 TempFilePath = GetCaseSensitiveStringFromCommandToken(CommandTokens.at(2));
92 }
93 else
94 {
95 //
96 // Couldn't resolve or unknown parameter
97 //
98 ShowMessages("err, couldn't resolve error at '%s'\n\n",
99 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(1)).c_str());
101 return;
102 }
103
104 //
105 // Convert path to wstring
106 //
107 StringToWString(Filepath, TempFilePath);
108
109 //
110 // TEMPORARY LINUX SHIM:
111 // std::wstring stores native wchar_t, which is 4 bytes on Linux, but the
112 // HyperDbg WCHAR type is 2 bytes (UINT16) and the PE-parser path APIs take
113 // a const WCHAR *. The cast below exists ONLY so the project compiles on
114 // Linux. On Linux it produces a bogus 2-byte reinterpretation of the 4-byte
115 // buffer; that is acceptable for now only because Linux file I/O is still
116 // stubbed (the path is never actually opened). On Windows WCHAR == wchar_t,
117 // so it is a plain, correct pointer with no reinterpretation.
118 //
119 // TODO (Linux): remove this cast once real Linux file I/O lands. The proper
120 // fix is to convert the 4-byte wchar_t path into a 2-byte WCHAR/UTF-16
121 // buffer (e.g. a std::wstring -> WCHAR helper) and pass that, so the PE
122 // parser receives a valid path. The same conversion is needed by
123 // PlatformMapFileReadOnly / PlatformOpenFileForWriting.
124 //
125#ifdef __linux__
126 const WCHAR * FilepathW = (const WCHAR *)Filepath.c_str();
127#else
128 const WCHAR * FilepathW = Filepath.c_str();
129#endif
130
131 //
132 // Detect whether PE is 32-bit or 64-bit
133 //
134 if (!PeIsPE32BitOr64Bit(FilepathW, &Is32Bit))
135 {
136 //
137 // File was invalid, the error message is shown in the above function
138 //
139 return;
140 }
141
142 //
143 // Parse PE file
144 //
145 if (!ShowDumpOfSection)
146 {
147 PeShowSectionInformationAndDump(FilepathW, NULL, Is32Bit);
148 }
149 else
150 {
151 PeShowSectionInformationAndDump(FilepathW, GetCaseSensitiveStringFromCommandToken(CommandTokens.at(2)).c_str(), Is32Bit);
152 }
153}
BOOLEAN PeIsPE32BitOr64Bit(const WCHAR *AddressOfFile, PBOOLEAN Is32Bit)
Detect whether PE is a 32-bit PE or 64-bit PE.
Definition pe-parser.cpp:4483
BOOLEAN PeShowSectionInformationAndDump(const WCHAR *AddressOfFile, const CHAR *SectionToShow, BOOLEAN Is32Bit)
Show information about different sections of PE and the dump of sections.
Definition pe-parser.cpp:3727
VOID CommandPeHelp()
help of the .pe command
Definition pe.cpp:20

◆ CommandPmc()

VOID CommandPmc ( vector< CommandToken > CommandTokens,
string Command )

!pmc command handler

Parameters
CommandTokens
Command
Returns
VOID
47{
49 PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger = NULL;
50 PDEBUGGER_GENERAL_ACTION ActionCustomCode = NULL;
51 PDEBUGGER_GENERAL_ACTION ActionScript = NULL;
52 UINT32 EventLength;
53 UINT32 ActionBreakToDebuggerLength = 0;
54 UINT32 ActionCustomCodeLength = 0;
55 UINT32 ActionScriptLength = 0;
56 DEBUGGER_EVENT_PARSING_ERROR_CAUSE EventParsingErrorCause;
57
58 //
59 // Interpret and fill the general event and action fields
60 //
61 //
63 &CommandTokens,
65 &Event,
66 &EventLength,
67 &ActionBreakToDebugger,
68 &ActionBreakToDebuggerLength,
69 &ActionCustomCode,
70 &ActionCustomCodeLength,
71 &ActionScript,
72 &ActionScriptLength,
73 &EventParsingErrorCause))
74 {
75 return;
76 }
77
78 //
79 // Check for size
80 //
81 if (CommandTokens.size() > 1)
82 {
83 ShowMessages("incorrect use of the '%s'\n\n",
84 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
86
87 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
88 return;
89 }
90
91 //
92 // Send the ioctl to the kernel for event registration
93 //
94 if (!SendEventToKernel(Event, EventLength))
95 {
96 //
97 // There was an error, probably the handle was not initialized
98 // we have to free the Action before exit, it is because, we
99 // already freed the Event and string buffers
100 //
101
102 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
103 return;
104 }
105
106 //
107 // Add the event to the kernel
108 //
109 if (!RegisterActionToEvent(Event,
110 ActionBreakToDebugger,
111 ActionBreakToDebuggerLength,
112 ActionCustomCode,
113 ActionCustomCodeLength,
114 ActionScript,
115 ActionScriptLength))
116 {
117 //
118 // There was an error
119 //
120
121 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
122 return;
123 }
124}
@ PMC_INSTRUCTION_EXECUTION
Definition Events.h:152
VOID CommandPmcHelp()
help of the !pmc command
Definition pmc.cpp:20

◆ CommandPreactivate()

VOID CommandPreactivate ( vector< CommandToken > CommandTokens,
string Command )

preactivate command handler

Parameters
CommandTokens
Command
Returns
VOID
50{
51 BOOL Status;
52 ULONG ReturnedLength;
53 DEBUGGER_PREACTIVATE_COMMAND PreactivateRequest = {};
54
55 if (CommandTokens.size() != 2)
56 {
57 ShowMessages("incorrect use of the '%s'\n\n",
58 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
60 return;
61 }
62
63 //
64 // Set the type of preactivation
65 //
66 if (CompareLowerCaseStrings(CommandTokens.at(1), "mode") || CompareLowerCaseStrings(CommandTokens.at(1), "!mode"))
67 {
69 }
70 else
71 {
72 //
73 // Couldn't resolve or unknown parameter
74 //
75 ShowMessages("err, couldn't resolve error at '%s'\n",
76 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(1)).c_str());
77 return;
78 }
79
81
82 //
83 // Send IOCTL
84 //
86 g_DeviceHandle, // Handle to device
87 IOCTL_PREACTIVATE_FUNCTIONALITY, // IO Control Code (IOCTL)
88 &PreactivateRequest, // Input Buffer to driver.
89 SIZEOF_DEBUGGER_PREACTIVATE_COMMAND, // Input buffer length
90 &PreactivateRequest, // Output Buffer from driver.
91 SIZEOF_DEBUGGER_PREACTIVATE_COMMAND, // Length of output
92 // buffer in bytes.
93 &ReturnedLength, // Bytes placed in buffer.
94 NULL // synchronous call
95 );
96
97 if (!Status)
98 {
99 ShowMessages("ioctl failed with code 0x%x\n", PlatformGetLastError());
100 return;
101 }
102
103 if (PreactivateRequest.KernelStatus == DEBUGGER_OPERATION_WAS_SUCCESSFUL)
104 {
105 ShowMessages("the requested service is activated successfully!\n");
106 }
107 else
108 {
109 //
110 // An err occurred, no results
111 //
112 ShowErrorMessage(PreactivateRequest.KernelStatus);
113 }
114}
#define IOCTL_PREACTIVATE_FUNCTIONALITY
ioctl, to preactivate a functionality
Definition Ioctls.h:347
struct _DEBUGGER_PREACTIVATE_COMMAND DEBUGGER_PREACTIVATE_COMMAND
requests for the 'preactivate' command
@ DEBUGGER_PREACTIVATE_COMMAND_TYPE_MODE
Definition RequestStructures.h:217
#define SIZEOF_DEBUGGER_PREACTIVATE_COMMAND
Definition RequestStructures.h:221
#define ASSERT_MESSAGE_VMM_NOT_LOADED
Definition common.h:31
BOOL PlatformDeviceIoControl(HANDLE Device, DWORD IoControlCode, LPVOID InBuffer, DWORD InBufferSize, LPVOID OutBuffer, DWORD OutBufferSize, LPDWORD BytesReturned, LPVOID Overlapped)
DWORD PlatformGetLastError(VOID)
Platform independent wrapper for GetLastError.
Definition platform-lib-calls.c:350
VOID CommandPreactivateHelp()
help of the preactivate command
Definition preactivate.cpp:26
UINT32 KernelStatus
Definition RequestStructures.h:231
DEBUGGER_PREACTIVATE_COMMAND_TYPE Type
Definition RequestStructures.h:230

◆ CommandPrealloc()

VOID CommandPrealloc ( vector< CommandToken > CommandTokens,
string Command )

prealloc command handler

Parameters
CommandTokens
Command
Returns
VOID
61{
62 BOOL Status;
63 ULONG ReturnedLength;
64 UINT64 Count;
65 DEBUGGER_PREALLOC_COMMAND PreallocRequest = {};
66 string SecondParam;
67
68 if (CommandTokens.size() != 3)
69 {
70 ShowMessages("incorrect use of the '%s'\n\n",
71 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
73 return;
74 }
75
76 SecondParam = GetLowerStringFromCommandToken(CommandTokens.at(1));
77
78 //
79 // Set the type of pre-allocation
80 //
81 if (!SecondParam.compare("thread-interception"))
82 {
84 }
85 else if (!SecondParam.compare("monitor") || !SecondParam.compare("!monitor"))
86 {
88 }
89 else if (!SecondParam.compare("epthook") || !SecondParam.compare("!epthook"))
90 {
92 }
93 else if (!SecondParam.compare("epthook2") || !SecondParam.compare("!epthook2"))
94 {
96 }
97 else if (!SecondParam.compare("regular-event"))
98 {
100 }
101 else if (!SecondParam.compare("big-event"))
102 {
104 }
105 else if (!SecondParam.compare("regular-safe-buffer"))
106 {
108 }
109 else if (!SecondParam.compare("big-safe-buffer"))
110 {
112 }
113 else
114 {
115 //
116 // Couldn't resolve or unknown parameter
117 //
118 ShowMessages("err, couldn't resolve error at '%s'\n",
119 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(1)).c_str());
120 return;
121 }
122
123 //
124 // Get the count of needed pre-allocated buffers
125 //
127 {
128 //
129 // Couldn't resolve or unknown parameter
130 //
131 ShowMessages("err, couldn't resolve error at '%s'\n",
132 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(2)).c_str());
133 return;
134 }
135
136 //
137 // Set the counter
138 //
139 PreallocRequest.Count = (UINT32)Count;
140
142
143 //
144 // Send IOCTL
145 //
147 g_DeviceHandle, // Handle to device
148 IOCTL_RESERVE_PRE_ALLOCATED_POOLS, // IO Control Code (IOCTL)
149 &PreallocRequest, // Input Buffer to driver.
150 SIZEOF_DEBUGGER_PREALLOC_COMMAND, // Input buffer length
151 &PreallocRequest, // Output Buffer from driver.
152 SIZEOF_DEBUGGER_PREALLOC_COMMAND, // Length of output
153 // buffer in bytes.
154 &ReturnedLength, // Bytes placed in buffer.
155 NULL // synchronous call
156 );
157
158 if (!Status)
159 {
160 ShowMessages("ioctl failed with code 0x%x\n", PlatformGetLastError());
161 return;
162 }
163
164 if (PreallocRequest.KernelStatus == DEBUGGER_OPERATION_WAS_SUCCESSFUL)
165 {
166 ShowMessages("the requested pools are allocated and reserved\n");
167 }
168 else
169 {
170 //
171 // An err occurred, no results
172 //
173 ShowErrorMessage(PreallocRequest.KernelStatus);
174 }
175}
#define IOCTL_RESERVE_PRE_ALLOCATED_POOLS
ioctl, to reserve pre-allocated pools
Definition Ioctls.h:277
#define SIZEOF_DEBUGGER_PREALLOC_COMMAND
Definition RequestStructures.h:194
struct _DEBUGGER_PREALLOC_COMMAND DEBUGGER_PREALLOC_COMMAND
requests for the 'prealloc' command
@ DEBUGGER_PREALLOC_COMMAND_TYPE_MONITOR
Definition RequestStructures.h:184
@ DEBUGGER_PREALLOC_COMMAND_TYPE_EPTHOOK2
Definition RequestStructures.h:186
@ DEBUGGER_PREALLOC_COMMAND_TYPE_BIG_EVENT
Definition RequestStructures.h:188
@ DEBUGGER_PREALLOC_COMMAND_TYPE_REGULAR_EVENT
Definition RequestStructures.h:187
@ DEBUGGER_PREALLOC_COMMAND_TYPE_THREAD_INTERCEPTION
Definition RequestStructures.h:183
@ DEBUGGER_PREALLOC_COMMAND_TYPE_BIG_SAFE_BUFFER
Definition RequestStructures.h:190
@ DEBUGGER_PREALLOC_COMMAND_TYPE_REGULAR_SAFE_BUFFER
Definition RequestStructures.h:189
@ DEBUGGER_PREALLOC_COMMAND_TYPE_EPTHOOK
Definition RequestStructures.h:185
VOID CommandPreallocHelp()
help of the prealloc command
Definition prealloc.cpp:25
DEBUGGER_PREALLOC_COMMAND_TYPE Type
Definition RequestStructures.h:203
UINT32 KernelStatus
Definition RequestStructures.h:205
UINT32 Count
Definition RequestStructures.h:204

◆ CommandPrint()

VOID CommandPrint ( vector< CommandToken > CommandTokens,
string Command )

handler of print command

Parameters
CommandTokens
Command
Returns
VOID
43{
44 if (CommandTokens.size() == 1)
45 {
46 ShowMessages("incorrect use of the '%s'\n\n",
47 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
49 return;
50 }
51
52 //
53 // Trim the command
54 //
55 Trim(Command);
56
57 //
58 // Remove print from it
59 //
60 Command.erase(0, GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).size());
61
62 //
63 // Trim it again
64 //
65 Trim(Command);
66
67 //
68 // Prepend and append 'print(' and ')'
69 //
70 Command.insert(0, "print(");
71 Command.append(");");
72
73 //
74 // Execute the expression
75 //
77}
VOID CommandPrintHelp()
help of the print command
Definition print.cpp:23

◆ CommandProcess()

VOID CommandProcess ( vector< CommandToken > CommandTokens,
string Command )

.process command handler

Parameters
CommandTokens
Command
Returns
VOID
58{
59 UINT32 TargetProcessId = 0;
60 UINT64 TargetProcess = 0;
61 UINT64 AddressOfActiveProcessHead = 0; // nt!PsActiveProcessHead
62 UINT32 OffsetOfImageFileName = 0; // nt!_EPROCESS.ImageFileName
63 UINT32 OffsetOfUniqueProcessId = 0; // nt!_EPROCESS.UniqueProcessId
64 UINT32 OffsetOfActiveProcessLinks = 0; // nt!_EPROCESS.ActiveProcessLinks
65 BOOLEAN ResultOfGettingOffsets = FALSE;
66 BOOLEAN IsSetByClkIntr = FALSE;
67 DEBUGGEE_PROCESS_LIST_NEEDED_DETAILS ProcessListNeededItems = {0};
68
69 if (CommandTokens.size() >= 4)
70 {
71 ShowMessages("incorrect use of the '%s'\n\n",
72 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
74 return;
75 }
76
77 if (CommandTokens.size() == 1)
78 {
79 //
80 // Check if it's connected to a remote debuggee or not
81 //
83 {
84 //
85 // Get the process details in VMI mode
86 //
88 }
89 else
90 {
91 //
92 // Send the packet to get current process
93 //
95 NULL,
96 NULL,
97 FALSE,
98 NULL);
99 }
100 }
101 else if (CommandTokens.size() == 2)
102 {
103 if (CompareLowerCaseStrings(CommandTokens.at(1), "list"))
104 {
105 //
106 // Query for nt!_EPROCESS.ImageFileName, nt!_EPROCESS.UniqueProcessId,
107 // nt!_EPROCESS.UniqueProcessId offset from the top of nt!_EPROCESS,
108 // and nt!PsActiveProcessHead address and check if we find them or not,
109 // otherwise, it means that the PDB for ntoskrnl.exe is not available
110 //
111 if (ScriptEngineGetFieldOffsetWrapper((CHAR *)"nt!_EPROCESS", (CHAR *)"ActiveProcessLinks", &OffsetOfActiveProcessLinks) &&
112 ScriptEngineGetFieldOffsetWrapper((CHAR *)"nt!_EPROCESS", (CHAR *)"ImageFileName", &OffsetOfImageFileName) &&
113 ScriptEngineGetFieldOffsetWrapper((CHAR *)"nt!_EPROCESS", (CHAR *)"UniqueProcessId", &OffsetOfUniqueProcessId) &&
114 SymbolConvertNameOrExprToAddress("nt!PsActiveProcessHead", &AddressOfActiveProcessHead))
115 {
116 //
117 // For test offsets and addresses
118 //
119
120 /*
121 ShowMessages("Address of ActiveProcessHead : %llx\n", AddressOfActiveProcessHead);
122 ShowMessages("Offset Of ActiveProcessLinks : 0x%x\n", OffsetOfActiveProcessLinks);
123 ShowMessages("Offset Of ImageFileName : 0x%x\n", OffsetOfImageFileName);
124 ShowMessages("Offset Of UniqueProcessId : 0x%x\n", OffsetOfUniqueProcessId);
125 */
126
127 ProcessListNeededItems.PsActiveProcessHead = AddressOfActiveProcessHead;
128 ProcessListNeededItems.ActiveProcessLinksOffset = OffsetOfActiveProcessLinks;
129 ProcessListNeededItems.ImageFileNameOffset = OffsetOfImageFileName;
130 ProcessListNeededItems.UniquePidOffset = OffsetOfUniqueProcessId;
131
133 {
134 //
135 // Get list of processes in VMI mode
136 //
138 &ProcessListNeededItems,
139 NULL,
140 NULL);
141 }
142 else
143 {
144 //
145 // Send the packet to show list of process
146 //
148 NULL,
149 NULL,
150 FALSE,
151 &ProcessListNeededItems);
152 }
153 }
154 else
155 {
156 ShowMessages("err, the need offset to iterate over processes not found, "
157 "make sure to load ntoskrnl.exe's PDB file. use '.help .sym' for "
158 "more information\n");
159 return;
160 }
161 }
162 else
163 {
164 ShowMessages(
165 "err, unknown parameter at '%s'\n\n",
166 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(1)).c_str());
168 return;
169 }
170 }
171 else if (CommandTokens.size() == 3)
172 {
173 //
174 // Check if it's connected to a remote debuggee or not
175 //
177 {
178 ShowMessages("err, you're not connected to any debuggee in Debugger Mode, "
179 "you can use the '.attach', or the '.detach' commands if you're "
180 "operating in VMI Mode\n");
181 return;
182 }
183
184 if (CompareLowerCaseStrings(CommandTokens.at(1), "pid"))
185 {
186 if (!ConvertTokenToUInt32(CommandTokens.at(2), &TargetProcessId))
187 {
188 ShowMessages(
189 "please specify a correct hex value for the process id that you "
190 "want to operate on it\n\n");
192 return;
193 }
194 }
195 else if (CompareLowerCaseStrings(CommandTokens.at(1), "process"))
196 {
197 if (!SymbolConvertNameOrExprToAddress(GetCaseSensitiveStringFromCommandToken(CommandTokens.at(2)), &TargetProcess))
198 {
199 ShowMessages(
200 "please specify a correct hex value for the process (nt!_EPROCESS) that you "
201 "want to operate on it\n\n");
203 return;
204 }
205 }
206 else
207 {
208 ShowMessages(
209 "err, unknown parameter at '%s'\n\n",
210 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(2)).c_str());
212 return;
213 }
214
215 //
216 // Check for switching method
217 //
218 if (CompareLowerCaseStrings(CommandTokens.at(0), ".process2"))
219 {
220 IsSetByClkIntr = FALSE;
221 }
222 else
223 {
224 IsSetByClkIntr = TRUE;
225 }
226
227 //
228 // Send the packet to change process
229 //
231 TargetProcessId,
232 TargetProcess,
233 IsSetByClkIntr,
234 NULL);
235 }
236 else
237 {
238 ShowMessages("invalid parameter\n\n");
240 return;
241 }
242}
struct _DEBUGGEE_PROCESS_LIST_NEEDED_DETAILS DEBUGGEE_PROCESS_LIST_NEEDED_DETAILS
The structure of needed information to get the details of the process from nt!_EPROCESS and location ...
@ DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_GET_PROCESS_DETAILS
Definition RequestStructures.h:968
@ DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_GET_PROCESS_LIST
Definition RequestStructures.h:969
@ DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_PERFORM_SWITCH
Definition RequestStructures.h:970
BOOLEAN KdSendSwitchProcessPacketToDebuggee(DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_TYPE ActionType, UINT32 NewPid, UINT64 NewProcess, BOOLEAN SetChangeByClockInterrupt, PDEBUGGEE_PROCESS_LIST_NEEDED_DETAILS SymDetailsForProcessList)
Sends a change process or show process details packet to the debuggee.
Definition kd.cpp:805
BOOLEAN ObjectShowProcessesOrThreadList(BOOLEAN IsProcess, PDEBUGGEE_PROCESS_LIST_NEEDED_DETAILS SymDetailsForProcessList, UINT64 Eprocess, PDEBUGGEE_THREAD_LIST_NEEDED_DETAILS SymDetailsForThreadList)
Get details about processes or threads.
Definition objects.cpp:138
BOOLEAN ObjectShowProcessesOrThreadDetails(BOOLEAN IsProcess)
Get details about processes or threads.
Definition objects.cpp:26
VOID CommandProcessHelp()
help of the .process command
Definition process.cpp:25
BOOLEAN ScriptEngineGetFieldOffsetWrapper(CHAR *TypeName, CHAR *FieldName, UINT32 *FieldOffset)
ScriptEngineGetFieldOffset wrapper.
Definition script-engine-wrapper.cpp:132
ULONG UniquePidOffset
Definition RequestStructures.h:739
ULONG ImageFileNameOffset
Definition RequestStructures.h:738
ULONG ActiveProcessLinksOffset
Definition RequestStructures.h:740
UINT64 PsActiveProcessHead
Definition RequestStructures.h:737

◆ CommandPt()

VOID CommandPt ( vector< CommandToken > CommandTokens,
string Command )

!pt command handler

Parameters
CommandTokens
Command
Returns
VOID
322{
323 HYPERTRACE_PT_OPERATION_PACKETS PtRequest = {0};
324
325 if (CommandTokens.size() == 1)
326 {
327 ShowMessages("incorrect use of the '%s'\n\n",
328 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
329
331 return;
332 }
333
334 if (CompareLowerCaseStrings(CommandTokens.at(1), "enable") && CommandTokens.size() == 2)
335 {
337 }
338 else if (CompareLowerCaseStrings(CommandTokens.at(1), "disable") && CommandTokens.size() == 2)
339 {
341 }
342 else if (CompareLowerCaseStrings(CommandTokens.at(1), "pause") && CommandTokens.size() == 2)
343 {
345 }
346 else if (CompareLowerCaseStrings(CommandTokens.at(1), "resume") && CommandTokens.size() == 2)
347 {
349 }
350 else if (CompareLowerCaseStrings(CommandTokens.at(1), "size") && CommandTokens.size() == 2)
351 {
353 }
354 else if (CompareLowerCaseStrings(CommandTokens.at(1), "dump") && CommandTokens.size() == 2)
355 {
357 }
358 else if (CompareLowerCaseStrings(CommandTokens.at(1), "flush") && CommandTokens.size() == 2)
359 {
361 }
362 else if (CompareLowerCaseStrings(CommandTokens.at(1), "filter"))
363 {
365
366 if (!CommandPtParseFilterOptions(CommandTokens, &PtRequest))
367 {
369 return;
370 }
371 }
372 else
373 {
374 ShowMessages("incorrect use of the '%s'\n\n",
375 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
377 return;
378 }
379
380 //
381 // Send the PT operation request
382 //
383 if (CommandPtSendRequest(&PtRequest))
384 {
385 switch (PtRequest.PtOperationType)
386 {
388 ShowMessages("PT enabled successfully\n");
389 break;
391 ShowMessages("PT disabled successfully\n");
392 break;
394 ShowMessages("PT trace paused\n");
395 break;
397 ShowMessages("PT trace resumed\n");
398 break;
400 ShowMessages("PT buffer bytes-written per CPU:\n");
401 for (UINT32 i = 0; i < PtRequest.NumCpus; i++)
402 {
403 ShowMessages(" core %u : 0x%llx\n", i, PtRequest.BytesPerCpu[i]);
404 }
405 break;
407 ShowMessages("PT trace state is shown\n");
408 break;
410 ShowMessages("PT trace state is flushed\n");
411 break;
413 ShowMessages("PT filter / config updated successfully\n");
414 break;
415 default:
416 ShowMessages("unknown PT operation type\n");
417 break;
418 }
419 }
420 else
421 {
423 return;
424 }
425}
struct _HYPERTRACE_PT_OPERATION_PACKETS HYPERTRACE_PT_OPERATION_PACKETS
The structure of HyperTrace PT result packet in HyperDbg.
@ HYPERTRACE_PT_OPERATION_REQUEST_TYPE_PAUSE
Definition RequestStructures.h:1356
@ HYPERTRACE_PT_OPERATION_REQUEST_TYPE_DUMP
Definition RequestStructures.h:1359
@ HYPERTRACE_PT_OPERATION_REQUEST_TYPE_ENABLE
Definition RequestStructures.h:1354
@ HYPERTRACE_PT_OPERATION_REQUEST_TYPE_FILTER
Definition RequestStructures.h:1361
@ HYPERTRACE_PT_OPERATION_REQUEST_TYPE_RESUME
Definition RequestStructures.h:1357
@ HYPERTRACE_PT_OPERATION_REQUEST_TYPE_SIZE
Definition RequestStructures.h:1358
@ HYPERTRACE_PT_OPERATION_REQUEST_TYPE_FLUSH
Definition RequestStructures.h:1360
@ HYPERTRACE_PT_OPERATION_REQUEST_TYPE_DISABLE
Definition RequestStructures.h:1355
VOID CommandPtHelp()
help of the !pt command
Definition pt.cpp:26
BOOLEAN CommandPtSendRequest(HYPERTRACE_PT_OPERATION_PACKETS *PtRequest)
Send PT requests.
Definition pt.cpp:71
UINT32 NumCpus
Definition RequestStructures.h:1402
HYPERTRACE_PT_OPERATION_REQUEST_TYPE PtOperationType
Definition RequestStructures.h:1383
UINT64 BytesPerCpu[PT_MAX_CPUS_FOR_MMAP]
Definition RequestStructures.h:1404
UINT32 KernelStatus
Definition RequestStructures.h:1384

◆ CommandPte()

VOID CommandPte ( vector< CommandToken > CommandTokens,
string Command )

!pte command handler

Parameters
CommandTokens
Command
Returns
VOID
94{
95 BOOL Status;
96 ULONG ReturnedLength;
97 UINT64 TargetVa;
98 UINT32 Pid = 0;
100
101 if (CommandTokens.size() == 1 || CommandTokens.size() >= 5 ||
102 CommandTokens.size() == 3)
103 {
104 ShowMessages("incorrect use of the '%s'\n\n",
105 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
107 return;
108 }
109
110 //
111 // By default if the user-debugger is active, we use these commands
112 // on the memory layout of the debuggee process
113 //
115 {
116 Pid = g_ActiveProcessDebuggingState.ProcessId;
117 }
118
119 if (CommandTokens.size() == 2)
120 {
121 //
122 // It's just an address for current process
123 //
125 {
126 //
127 // Couldn't resolve or unknown parameter
128 //
129 ShowMessages("err, couldn't resolve error at '%s'\n",
130 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(1)).c_str());
131 return;
132 }
133 }
134 else
135 {
136 //
137 // It might be address + pid
138 //
139 if (CompareLowerCaseStrings(CommandTokens.at(1), "pid"))
140 {
141 if (!ConvertTokenToUInt32(CommandTokens.at(2), &Pid))
142 {
143 ShowMessages("incorrect address, please enter a valid process id\n");
144 return;
145 }
146
148 {
149 //
150 // Couldn't resolve or unknown parameter
151 //
152 ShowMessages("err, couldn't resolve error at '%s'\n",
153 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(3)).c_str());
154 return;
155 }
156 }
157 else if (CompareLowerCaseStrings(CommandTokens.at(2), "pid"))
158 {
160 {
161 //
162 // Couldn't resolve or unknown parameter
163 //
164 ShowMessages("err, couldn't resolve error at '%s'\n\n",
165 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(1)).c_str());
166 return;
167 }
168
169 if (!ConvertTokenToUInt32(CommandTokens.at(3), &Pid))
170 {
171 ShowMessages("incorrect address, please enter a valid process id\n");
172 return;
173 }
174 }
175 else
176 {
177 ShowMessages("incorrect use of the '%s'\n\n",
178 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
180 return;
181 }
182 }
183
184 //
185 // Prepare the buffer
186 // We use same buffer for input and output
187 //
188 AddressDetails.VirtualAddress = TargetVa;
189 AddressDetails.ProcessId = Pid; // null in debugger mode
190
192 {
193 //
194 // Check to prevent using process id in !pte command
195 //
196 if (Pid != 0)
197 {
199 return;
200 }
201
202 //
203 // Send the request over serial kernel debugger
204 //
205
206 KdSendPtePacketToDebuggee(&AddressDetails);
207 }
208 else
209 {
211
212 if (Pid == 0)
213 {
214 Pid = GetCurrentProcessId();
215 AddressDetails.ProcessId = Pid;
216 }
217
218 //
219 // Send IOCTL
220 //
221 Status = DeviceIoControl(
222 g_DeviceHandle, // Handle to device
223 IOCTL_DEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS, // IO Control Code (IOCTL)
224 &AddressDetails, // Input Buffer to driver.
226 &AddressDetails, // Output Buffer from driver.
228 // buffer in bytes.
229 &ReturnedLength, // Bytes placed in buffer.
230 NULL // synchronous call
231 );
232
233 if (!Status)
234 {
235 ShowMessages("ioctl failed with code 0x%x\n", GetLastError());
236 return;
237 }
238
240 {
241 ShowErrorMessage(AddressDetails.KernelStatus);
242 return;
243 }
244
245 //
246 // Show the results
247 //
248 CommandPteShowResults(TargetVa, &AddressDetails);
249 }
250}
#define IOCTL_DEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS
ioctl, request to read page table entries
Definition Ioctls.h:157
#define SIZEOF_DEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS
Definition RequestStructures.h:46
struct _DEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS DEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS
request for !pte command
BOOLEAN KdSendPtePacketToDebuggee(PDEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS PtePacket)
Sends a PTE or '!pte' command packet to the debuggee.
Definition kd.cpp:907
VOID CommandPteHelp()
help of the !pte command
Definition pte.cpp:27
VOID CommandPteShowResults(UINT64 TargetVa, PDEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS PteRead)
show results of !pte command
Definition pte.cpp:48
UINT64 VirtualAddress
Definition RequestStructures.h:55
UINT32 ProcessId
Definition RequestStructures.h:56
UINT32 KernelStatus
Definition RequestStructures.h:70

◆ CommandPteShowResults()

VOID CommandPteShowResults ( UINT64 TargetVa,
PDEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS PteRead )

show results of !pte command

Parameters
TargetVa
PteRead
Returns
VOID
49{
50 /*
51 VA fffff8003abc9370
52 PXE at FFFF83C1E0F07F80 PPE at FFFF83C1E0FF0000 PDE at
53 FFFF83C1FE000EA8 PTE at FFFF83FC001D5E48 contains 0000000004108063
54 contains 0000000004109063 contains 00000000026008E3 contains
55 0000000000000000 pfn 4108 ---DA--KWEV pfn 4109 ---DA--KWEV pfn
56 2600 --LDA--KWEV LARGE PAGE pfn 27c9
57 */
58 ShowMessages("VA %llx\n", TargetVa);
59 ShowMessages("PML4E (PXE) at %016llx\tcontains %016llx\nPDPTE (PPE) at "
60 "%016llx\tcontains "
61 "%016llx\nPDE at %016llx\tcontains %016llx\n",
62 PteRead->Pml4eVirtualAddress,
63 PteRead->Pml4eValue,
64 PteRead->PdpteVirtualAddress,
65 PteRead->PdpteValue,
66 PteRead->PdeVirtualAddress,
67 PteRead->PdeValue);
68
69 //
70 // Check if it's a large PDE
71 //
72 if (PteRead->PdeVirtualAddress == PteRead->PteVirtualAddress)
73 {
74 ShowMessages("PDE is a large page, so it doesn't have a PTE\n");
75 }
76 else
77 {
78 ShowMessages("PTE at %016llx\tcontains %016llx\n",
79 PteRead->PteVirtualAddress,
80 PteRead->PteValue);
81 }
82}
UINT64 PdeValue
Definition RequestStructures.h:65
UINT64 PdpteValue
Definition RequestStructures.h:62
UINT64 PdpteVirtualAddress
Definition RequestStructures.h:61
UINT64 PteVirtualAddress
Definition RequestStructures.h:67
UINT64 Pml4eValue
Definition RequestStructures.h:59
UINT64 Pml4eVirtualAddress
Definition RequestStructures.h:58
UINT64 PteValue
Definition RequestStructures.h:68
UINT64 PdeVirtualAddress
Definition RequestStructures.h:64

◆ CommandR()

VOID CommandR ( vector< CommandToken > CommandTokens,
string Command )

handler of r command

Parameters
CommandTokens
Command
Returns
VOID
453{
454 REGS_ENUM RegKind;
455 std::vector<std::string> Tmp;
456 std::string SetRegisterValue;
457
458 if (CommandTokens.size() == 1)
459 {
460 //
461 // show all registers
462 //
465 {
467 }
468 else
469 {
470 ShowMessages("err, reading registers (r) is not valid in the current "
471 "context, you should connect to a debuggee or attach to a process\n");
472 }
473
474 return;
475 }
476
477 //
478 // clear additional space of the command string
479 //
480
481 //
482 // if command does not contain a '=' means user wants to read it
483 //
484 if (Command.find('=', 0) == string::npos)
485 {
486 //
487 // erase '=' from the string now we have just the name of register
488 //
489 Command.erase(0, 1);
490 ReplaceAll(Command, "@", "");
491 ReplaceAll(Command, " ", "");
492 if (RegistersMap.find(Command) != RegistersMap.end())
493 {
494 RegKind = RegistersMap[Command];
495 }
496 else
497 {
498 //
499 // set the Reg to -1(invalid register)
500 //
501 RegKind = (REGS_ENUM)-1;
502 }
503
504 if (RegKind != -1)
505 {
506 //
507 // send the request
508 //
511 {
513 }
514 else
515 {
516 ShowMessages("err, reading registers (r) is not valid in the current "
517 "context, you should connect to a debuggee or attach to a process\n");
518 }
519 }
520 else
521 {
522 ShowMessages("err, invalid register\n");
523 }
524 }
525
526 //
527 // if command contains a '=' means user wants modify the register
528 //
529 else if (Command.find('=', 0) != string::npos)
530 {
531 Command.erase(0, 1);
532 Tmp = Split(Command, '=');
533 if (Tmp.size() == 2)
534 {
535 ReplaceAll(Tmp[0], " ", "");
536 string tmp = Tmp[0];
537 if (RegistersMap.find(Tmp[0]) != RegistersMap.end())
538 {
539 RegKind = RegistersMap[Tmp[0]];
540 }
541 else
542 {
543 ReplaceAll(tmp, "@", "");
544 if (RegistersMap.find(tmp) != RegistersMap.end())
545 {
546 RegKind = RegistersMap[tmp];
547 }
548 else
549 {
550 RegKind = (REGS_ENUM)-1;
551 }
552 }
553 if (RegKind != -1)
554 {
555 //
556 // send the request
557 //
558 SetRegisterValue = "@" + tmp + '=' + Tmp[1] + "; ";
559
560 //
561 // Send data to the target user debugger or kernel debugger
562 //
563 ScriptEngineExecuteSingleExpression((CHAR *)SetRegisterValue.c_str(), TRUE, FALSE);
564 }
565 else
566 {
567 //
568 // error
569 //
570 ShowMessages("err, invalid register\n");
571 }
572 }
573 }
574}
REGS_ENUM
Definition ScriptEngineCommonDefinitions.h:315
VOID ReplaceAll(string &str, const string &from, const string &to)
const vector< string > Split(const string &s, const CHAR &c)
std::map< std::string, REGS_ENUM > RegistersMap
Definition r.cpp:23
BOOLEAN HyperDbgRegisterShowTargetRegister(REGS_ENUM RegisterId)
handler of r show the target register
Definition r.cpp:424

◆ CommandRdmsr()

VOID CommandRdmsr ( vector< CommandToken > CommandTokens,
string Command )

rdmsr command handler

Parameters
CommandTokens
Command
Returns
VOID
121{
122 BOOL Status;
123 SIZE_T NumCPU;
124 DEBUGGER_READ_AND_WRITE_ON_MSR MsrReadRequest;
125 ULONG ReturnedLength;
126 UINT64 Msr;
127 BOOL IsNextCoreId = FALSE;
128 BOOL SetMsr = FALSE;
130 BOOLEAN IsFirstCommand = TRUE;
131
132 if (CommandTokens.size() >= 5)
133 {
134 ShowMessages("incorrect use of the '%s'\n\n",
135 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
137 return;
138 }
139
140 for (auto Section : CommandTokens)
141 {
142 if (IsFirstCommand == TRUE)
143 {
144 IsFirstCommand = FALSE;
145 continue;
146 }
147
148 if (IsNextCoreId)
149 {
150 if (!ConvertTokenToUInt32(Section, &CoreNumer))
151 {
152 ShowMessages("please specify a correct hex value for core id\n\n");
154 return;
155 }
156 IsNextCoreId = FALSE;
157 continue;
158 }
159
160 if (CompareLowerCaseStrings(Section, "core"))
161 {
162 IsNextCoreId = TRUE;
163 continue;
164 }
165
166 if (SetMsr || !ConvertTokenToUInt64(Section, &Msr))
167 {
168 ShowMessages("please specify a correct hex value to be read\n\n");
170 return;
171 }
172 SetMsr = TRUE;
173 }
174
175 //
176 // Check if msr is set or not
177 //
178 if (!SetMsr)
179 {
180 ShowMessages("please specify a correct hex value to be read\n\n");
182 return;
183 }
184 if (IsNextCoreId)
185 {
186 ShowMessages("please specify a correct hex value for core\n\n");
188 return;
189 }
190
192
193 MsrReadRequest.ActionType = DEBUGGER_MSR_READ;
194 MsrReadRequest.Msr = Msr;
195 MsrReadRequest.CoreNumber = CoreNumer;
196
197 //
198 // Find logical cores count
199 //
200 SIZE_T NumCores = GetWindowsNumaNumberOfCores();
201 NumCPU = NumCores > 0 ? NumCores : GetWindowsCompatibleNumberOfCores();
202
203 //
204 // allocate buffer for transferring messages
205 //
206 UINT64 * OutputBuffer = (UINT64 *)malloc(sizeof(UINT64) * NumCPU);
207
208 ZeroMemory(OutputBuffer, sizeof(UINT64) * NumCPU);
209
210 Status = DeviceIoControl(
211 g_DeviceHandle, // Handle to device
212 IOCTL_DEBUGGER_READ_OR_WRITE_MSR, // IO Control Code (IOCTL)
213 &MsrReadRequest, // Input Buffer to driver.
214 SIZEOF_DEBUGGER_READ_AND_WRITE_ON_MSR, // Input buffer length
215 OutputBuffer, // Output Buffer from driver.
216 (DWORD)(sizeof(UINT64) * NumCPU), // Length of output buffer in bytes.
217 &ReturnedLength, // Bytes placed in buffer.
218 NULL // synchronous call
219 );
220
221 if (!Status)
222 {
223 ShowMessages("ioctl failed with code (%x), either msr index or core id is invalid\n",
224 GetLastError());
225 free(OutputBuffer);
226 return;
227 }
228
229 //
230 // btw, %x is enough, no need to %llx
231 //
233 {
234 //
235 // Show all cores
236 //
237 for (SIZE_T i = 0; i < NumCPU; i++)
238 {
239 ShowMessages("core : 0x%x - msr[%llx] = %s\n", i, Msr, SeparateTo64BitValue((OutputBuffer[i])).c_str());
240 }
241 }
242 else
243 {
244 //
245 // Show for a single-core
246 //
247 ShowMessages("core : 0x%x - msr[%llx] = %s\n", CoreNumer, Msr, SeparateTo64BitValue((OutputBuffer[0])).c_str());
248 }
249
250 //
251 // Free the buffer
252 //
253 free(OutputBuffer);
254}
unsigned long DWORD
Definition BasicTypes.h:38
#define DEBUGGER_READ_AND_WRITE_ON_MSR_APPLY_ALL_CORES
Read and write MSRs to all cores.
Definition Constants.h:727
#define IOCTL_DEBUGGER_READ_OR_WRITE_MSR
ioctl, request to read or write on a special MSR
Definition Ioctls.h:150
struct _DEBUGGER_READ_AND_WRITE_ON_MSR DEBUGGER_READ_AND_WRITE_ON_MSR
request to read or write on MSRs
#define SIZEOF_DEBUGGER_READ_AND_WRITE_ON_MSR
Definition RequestStructures.h:441
@ DEBUGGER_MSR_READ
Definition RequestStructures.h:450
VOID CommandRdmsrHelp()
help of the rdmsr command
Definition rdmsr.cpp:25
UINT32 CoreNumber
Definition RequestStructures.h:461
DEBUGGER_MSR_ACTION_TYPE ActionType
Definition RequestStructures.h:464
UINT64 Msr
Definition RequestStructures.h:460

◆ CommandReadMemoryAndDisassembler()

VOID CommandReadMemoryAndDisassembler ( vector< CommandToken > CommandTokens,
string Command )

u* d* !u* !d* commands handler

Parameters
CommandTokens
Command
Returns
VOID
74{
75 UINT32 Pid = 0;
76 UINT32 Length = 0;
77 UINT64 TargetAddress = 0;
78 BOOLEAN IsNextProcessId = FALSE;
79 BOOLEAN IsFirstCommand = TRUE;
80 BOOLEAN IsNextLength = FALSE;
81
82 string FirstCommand = GetCaseSensitiveStringFromCommandToken(CommandTokens.front());
83
84 //
85 // By default if the user-debugger is active, we use these commands
86 // on the memory layout of the debuggee process
87 //
89 {
90 Pid = g_ActiveProcessDebuggingState.ProcessId;
91 }
92
93 if (CommandTokens.size() == 1)
94 {
95 //
96 // Means that user entered one command without any parameter
97 //
98 ShowMessages("incorrect use of the '%s'\n\n",
99 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
101 return;
102 }
103
104 for (auto Section : CommandTokens)
105 {
106 if (IsFirstCommand)
107 {
108 IsFirstCommand = FALSE;
109 continue;
110 }
111
112 if (IsNextProcessId == TRUE)
113 {
114 if (!ConvertTokenToUInt32(Section, &Pid))
115 {
116 ShowMessages("err, you should enter a valid process id\n\n");
117 return;
118 }
119 IsNextProcessId = FALSE;
120 continue;
121 }
122
123 if (IsNextLength == TRUE)
124 {
125 if (!ConvertTokenToUInt32(Section, &Length))
126 {
127 ShowMessages("err, you should enter a valid length\n\n");
128 return;
129 }
130 IsNextLength = FALSE;
131 continue;
132 }
133
134 if (CompareLowerCaseStrings(Section, "l"))
135 {
136 IsNextLength = TRUE;
137 continue;
138 }
139
140 if (CompareLowerCaseStrings(Section, "pid"))
141 {
142 IsNextProcessId = TRUE;
143 continue;
144 }
145
146 //
147 // Probably it's address
148 //
149 if (TargetAddress == 0)
150 {
152 {
153 //
154 // Couldn't resolve or unknown parameter
155 //
156 ShowMessages("err, couldn't resolve error at '%s'\n",
158 return;
159 }
160 }
161 else
162 {
163 //
164 // User inserts two address
165 //
166 ShowMessages("err, incorrect use of the '%s' command\n\n",
167 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
169
170 return;
171 }
172 }
173
174 if (!TargetAddress)
175 {
176 //
177 // User inserts two address
178 //
179 ShowMessages("err, please enter a valid address\n\n");
180
181 return;
182 }
183
184 if (Length == 0)
185 {
186 //
187 // Default length (user doesn't specified)
188 //
189 if (CompareLowerCaseStrings(CommandTokens.at(0), "u") ||
190 CompareLowerCaseStrings(CommandTokens.at(0), "!u") ||
191 CompareLowerCaseStrings(CommandTokens.at(0), "u64") ||
192 CompareLowerCaseStrings(CommandTokens.at(0), "!u64"))
193 {
194 Length = 0x40;
195 }
196 else
197 {
198 Length = 0x80;
199 }
200 }
201
202 if (IsNextLength || IsNextProcessId)
203 {
204 ShowMessages("incorrect use of the '%s' command\n\n",
205 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
207 return;
208 }
209
210 //
211 // Check to prevent using process id in d* and u* commands
212 //
214 {
216 return;
217 }
218
219 if (Pid == 0)
220 {
221 //
222 // Default process we read from current process
223 //
224 Pid = GetCurrentProcessId();
225 }
226
227 if (CompareLowerCaseStrings(CommandTokens.at(0), "db"))
228 {
230 TargetAddress,
233 Pid,
234 Length,
235 NULL);
236 }
237 else if (CompareLowerCaseStrings(CommandTokens.at(0), "dc"))
238 {
240 TargetAddress,
243 Pid,
244 Length,
245 NULL);
246 }
247 else if (CompareLowerCaseStrings(CommandTokens.at(0), "dd"))
248 {
250 TargetAddress,
253 Pid,
254 Length,
255 NULL);
256 }
257 else if (CompareLowerCaseStrings(CommandTokens.at(0), "dq"))
258 {
260 TargetAddress,
263 Pid,
264 Length,
265 NULL);
266 }
267 else if (CompareLowerCaseStrings(CommandTokens.at(0), "!db"))
268 {
270 TargetAddress,
273 Pid,
274 Length,
275 NULL);
276 }
277 else if (CompareLowerCaseStrings(CommandTokens.at(0), "!dc"))
278 {
280 TargetAddress,
283 Pid,
284 Length,
285 NULL);
286 }
287 else if (CompareLowerCaseStrings(CommandTokens.at(0), "!dd"))
288 {
290 TargetAddress,
293 Pid,
294 Length,
295 NULL);
296 }
297 else if (CompareLowerCaseStrings(CommandTokens.at(0), "!dq"))
298 {
300 TargetAddress,
303 Pid,
304 Length,
305 NULL);
306 }
307
308 //
309 // Disassembler (!u or u or u2 !u2)
310 //
311 else if (CompareLowerCaseStrings(CommandTokens.at(0), "u") || CompareLowerCaseStrings(CommandTokens.at(0), "u64"))
312 {
315 TargetAddress,
318 Pid,
319 Length,
320 NULL);
321 }
322 else if (CompareLowerCaseStrings(CommandTokens.at(0), "!u") || CompareLowerCaseStrings(CommandTokens.at(0), "!u64"))
323 {
326 TargetAddress,
329 Pid,
330 Length,
331 NULL);
332 }
333 else if (CompareLowerCaseStrings(CommandTokens.at(0), "u2") || CompareLowerCaseStrings(CommandTokens.at(0), "u32"))
334 {
337 TargetAddress,
340 Pid,
341 Length,
342 NULL);
343 }
344 else if (CompareLowerCaseStrings(CommandTokens.at(0), "!u2") || CompareLowerCaseStrings(CommandTokens.at(0), "!u32"))
345 {
348 TargetAddress,
351 Pid,
352 Length,
353 NULL);
354 }
355}
@ DEBUGGER_SHOW_COMMAND_DC
Definition RequestStructures.h:281
@ DEBUGGER_SHOW_COMMAND_DISASSEMBLE32
Definition RequestStructures.h:279
@ DEBUGGER_SHOW_COMMAND_DD
Definition RequestStructures.h:283
@ DEBUGGER_SHOW_COMMAND_DQ
Definition RequestStructures.h:282
@ DEBUGGER_SHOW_COMMAND_DB
Definition RequestStructures.h:280
@ DEBUGGER_SHOW_COMMAND_DISASSEMBLE64
Definition RequestStructures.h:278
VOID CommandReadMemoryAndDisassemblerHelp()
help of u* d* !u* !d* commands
Definition d-u.cpp:26

◆ CommandRestart()

VOID CommandRestart ( vector< CommandToken > CommandTokens,
string Command )

.restart command handler

Parameters
CommandTokens
Command
Returns
VOID
48{
49 if (CommandTokens.size() != 1)
50 {
51 ShowMessages("incorrect use of the '%s'\n\n",
52 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
54 return;
55 }
56
57 //
58 // Check if the .start command is previously called or not
59 //
60 if (g_StartCommandPath.empty())
61 {
62 ShowMessages("nothing to restart, did you use the '.start' command before?\n");
63 return;
64 }
65
66 //
67 // Check to kill the current active process (if exists)
68 //
70 {
71 //
72 // kill the process, we will restart the process even if we didn't
73 // successfully killed the active process
74 //
76 }
78 {
80
81 //
82 // No longer the last process exists
83 //
85 }
86
87 //
88 // Perform run of the target file
89 //
91 {
92 //
93 // TEMPORARY LINUX SHIM (same as in pe.cpp/dump.cpp): the path is a
94 // std::wstring of native wchar_t (4 bytes on Linux), but UdAttachToProcess
95 // takes a 2-byte HyperDbg WCHAR * (UINT16). The cast is a bogus 2-byte
96 // reinterpretation on Linux, acceptable only because the user-debugger
97 // path is still stubbed there. On Windows WCHAR == wchar_t, so it is a
98 // plain correct pointer. TODO(Linux): convert wchar_t -> 2-byte WCHAR
99 // properly once the Linux user-debugger path is real.
100 //
102 (WCHAR *)g_StartCommandPath.c_str(),
103 NULL,
104 FALSE);
105 }
106 else
107 {
108 //
109 // TEMPORARY LINUX SHIM (same as in pe.cpp/dump.cpp): the path/arguments
110 // are std::wstring of native wchar_t (4 bytes on Linux), but
111 // UdAttachToProcess takes 2-byte HyperDbg WCHAR * (UINT16). The casts are
112 // a bogus 2-byte reinterpretation on Linux, acceptable only because the
113 // user-debugger path is still stubbed there. On Windows WCHAR == wchar_t,
114 // so they are plain correct pointers. TODO(Linux): convert wchar_t ->
115 // 2-byte WCHAR properly once the Linux user-debugger path is real.
116 //
118 (WCHAR *)g_StartCommandPath.c_str(),
119 (WCHAR *)g_StartCommandPathAndArguments.c_str(),
120 FALSE);
121 }
122}
std::wstring g_StartCommandPathAndArguments
the start arguments used in .start command
Definition globals.h:663
VOID CommandRestartHelp()
help of the .restart command
Definition restart.cpp:29
std::wstring g_StartCommandPath
the start path used in .start command
Definition globals.h:657

◆ CommandRev()

VOID CommandRev ( vector< CommandToken > CommandTokens,
string Command )

!rev command handler

Parameters
CommandTokens
Command
Returns
VOID
51{
53 BOOLEAN SetPid = FALSE;
54 UINT32 TargetPid = NULL;
55 BOOLEAN IgnoreFirstCommand = TRUE;
58
59 //
60 // Interpret command specific details
61 //
62 for (auto Section : CommandTokens)
63 {
64 if (CompareLowerCaseStrings(Section, "!rev") && IgnoreFirstCommand)
65 {
66 IgnoreFirstCommand = FALSE;
67 continue;
68 }
69 else if (CompareLowerCaseStrings(Section, "pid") && !SetPid)
70 {
71 SetPid = TRUE;
72 }
73 else if (SetPid)
74 {
75 if (!ConvertTokenToUInt32(Section, &TargetPid))
76 {
77 //
78 // couldn't resolve or unknown parameter
79 //
80 ShowMessages("err, couldn't resolve error at '%s'\n\n",
83 return;
84 }
85 SetPid = FALSE;
86 }
87 else if (CompareLowerCaseStrings(Section, "pattern"))
88 {
90 }
91 else if (CompareLowerCaseStrings(Section, "reconstruct"))
92 {
94 }
95 else
96 {
97 //
98 // Unknown parameter
99 //
100 ShowMessages("err, couldn't resolve error at '%s'\n\n",
103 return;
104 }
105 }
106
107 if (SetPid)
108 {
109 ShowMessages("err, please enter a valid process id in hex format, "
110 "or if you want to use it in decimal format, add '0n' "
111 "prefix to the number\n");
112 return;
113 }
114
115 RevRequest.ProcessId = TargetPid;
116
117 // ================================================================================
118
119 //
120 // Send the request to the hypervisor (kernel)
121 //
122 RevRequestService(&RevRequest);
123}
struct _REVERSING_MACHINE_RECONSTRUCT_MEMORY_REQUEST REVERSING_MACHINE_RECONSTRUCT_MEMORY_REQUEST
requests for !rev command
@ REVERSING_MACHINE_RECONSTRUCT_MEMORY_TYPE_PATTERN
Definition RequestStructures.h:134
@ REVERSING_MACHINE_RECONSTRUCT_MEMORY_TYPE_UNKNOWN
Definition RequestStructures.h:132
@ REVERSING_MACHINE_RECONSTRUCT_MEMORY_TYPE_RECONSTRUCT
Definition RequestStructures.h:133
enum _REVERSING_MACHINE_RECONSTRUCT_MEMORY_TYPE REVERSING_MACHINE_RECONSTRUCT_MEMORY_TYPE
different types of reconstruct requests
@ REVERSING_MACHINE_RECONSTRUCT_MEMORY_MODE_UNKNOWN
Definition RequestStructures.h:121
enum _REVERSING_MACHINE_RECONSTRUCT_MEMORY_MODE REVERSING_MACHINE_RECONSTRUCT_MEMORY_MODE
different modes of reconstruct requests
BOOLEAN RevRequestService(REVERSING_MACHINE_RECONSTRUCT_MEMORY_REQUEST *RevRequest)
Request service from the reversing machine.
Definition rev-ctrl.cpp:28
VOID CommandRevHelp()
help of the !rev command
Definition rev.cpp:26
UINT32 ProcessId
Definition RequestStructures.h:146

◆ CommandScript()

VOID CommandScript ( vector< CommandToken > CommandTokens,
string Command )

.script command handler

Parameters
CommandTokens
Command
Returns
VOID
264{
265 vector<string> PathAndArgs;
266 BOOLEAN IsFirstCommand = FALSE;
267
268 if (CommandTokens.size() == 1)
269 {
270 ShowMessages("please specify a file\n\n");
272 return;
273 }
274
275 for (auto Section : CommandTokens)
276 {
277 if (!IsFirstCommand)
278 {
279 IsFirstCommand = TRUE;
280 continue;
281 }
282
283 //
284 // Add the path and the arguments
285 //
286 PathAndArgs.push_back(GetCaseSensitiveStringFromCommandToken(Section));
287 }
288
289 //
290 // Parse the file and the possible arguments
291 //
293}
VOID CommandScriptHelp()
help of the .script command
Definition script.cpp:27
VOID HyperDbgScriptReadFileAndExecuteCommand(std::vector< std::string > &PathAndArgs)
Read file and run the script.
Definition script.cpp:108

◆ CommandSearchMemory()

VOID CommandSearchMemory ( vector< CommandToken > CommandTokens,
string Command )

!s* s* commands handler

Parameters
CommandTokens
Command
Returns
VOID
142{
143 UINT64 Address;
144 vector<UINT64> ValuesToEdit;
145 BOOL SetAddress = FALSE;
147 BOOL SetProcId = FALSE;
148 BOOL NextIsProcId = FALSE;
149 BOOL SetLength = FALSE;
150 BOOL NextIsLength = FALSE;
151 DEBUGGER_SEARCH_MEMORY SearchMemoryRequest = {0};
152 UINT64 Value = 0;
153 UINT64 Length = 0;
154 UINT32 ProcId = 0;
155 UINT32 CountOfValues = 0;
156 UINT32 FinalSize = 0;
157 UINT64 * FinalBuffer = NULL;
158 BOOLEAN IsFirstCommand = TRUE;
159
160 //
161 // By default if the user-debugger is active, we use these commands
162 // on the memory layout of the debuggee process
163 //
165 {
166 ProcId = g_ActiveProcessDebuggingState.ProcessId;
167 }
168
169 if (CommandTokens.size() <= 4)
170 {
171 ShowMessages("incorrect use of the '%s'\n\n",
172 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
173
175 return;
176 }
177
178 for (auto Section : CommandTokens)
179 {
180 if (IsFirstCommand == TRUE)
181 {
182 std::string FirstCommand = GetLowerStringFromCommandToken(Section);
183
184 if (!FirstCommand.compare("!sb"))
185 {
186 SearchMemoryRequest.MemoryType = SEARCH_PHYSICAL_MEMORY;
187 SearchMemoryRequest.ByteSize = SEARCH_BYTE;
188 }
189 else if (!FirstCommand.compare("!sd"))
190 {
191 SearchMemoryRequest.MemoryType = SEARCH_PHYSICAL_MEMORY;
192 SearchMemoryRequest.ByteSize = SEARCH_DWORD;
193 }
194 else if (!FirstCommand.compare("!sq"))
195 {
196 SearchMemoryRequest.MemoryType = SEARCH_PHYSICAL_MEMORY;
197 SearchMemoryRequest.ByteSize = SEARCH_QWORD;
198 }
199 else if (!FirstCommand.compare("sb"))
200 {
201 SearchMemoryRequest.MemoryType = SEARCH_VIRTUAL_MEMORY;
202 SearchMemoryRequest.ByteSize = SEARCH_BYTE;
203 }
204 else if (!FirstCommand.compare("sd"))
205 {
206 SearchMemoryRequest.MemoryType = SEARCH_VIRTUAL_MEMORY;
207 SearchMemoryRequest.ByteSize = SEARCH_DWORD;
208 }
209 else if (!FirstCommand.compare("sq"))
210 {
211 SearchMemoryRequest.MemoryType = SEARCH_VIRTUAL_MEMORY;
212 SearchMemoryRequest.ByteSize = SEARCH_QWORD;
213 }
214 else
215 {
216 //
217 // What's this? :(
218 //
219 ShowMessages("unknown error happened!\n\n");
221 return;
222 }
223
224 IsFirstCommand = FALSE;
225
226 continue;
227 }
228
229 if (NextIsProcId)
230 {
231 //
232 // It's a process id
233 //
234 NextIsProcId = FALSE;
235
236 if (!ConvertTokenToUInt32(Section, &ProcId))
237 {
238 ShowMessages("please specify a correct hex process id\n\n");
240 return;
241 }
242 else
243 {
244 //
245 // Means that the proc id is set, next we should read value
246 //
247 continue;
248 }
249 }
250
251 if (NextIsLength)
252 {
253 //
254 // It's a length
255 //
256 NextIsLength = FALSE;
257
258 if (!ConvertTokenToUInt64(Section, &Length))
259 {
260 ShowMessages("please specify a correct hex length\n\n");
262 return;
263 }
264 else
265 {
266 //
267 // Means that the proc id is set, next we should read value
268 //
269 SetLength = TRUE;
270 continue;
271 }
272 }
273
274 //
275 // Check if it's a process id or not
276 //
277 if (!SetProcId && CompareLowerCaseStrings(Section, "pid"))
278 {
279 NextIsProcId = TRUE;
280 continue;
281 }
282
283 //
284 // Check if it's a length or not
285 //
286 if (!SetLength && CompareLowerCaseStrings(Section, "l"))
287 {
288 NextIsLength = TRUE;
289 continue;
290 }
291
292 if (!SetAddress)
293 {
295 {
296 ShowMessages("err, couldn't resolve error at '%s'\n\n",
299 return;
300 }
301 else
302 {
303 //
304 // Means that the address is set, next we should read value
305 //
306 SetAddress = TRUE;
307 continue;
308 }
309 }
310
311 if (SetAddress)
312 {
313 //
314 // Remove the hex notations
315 //
316 std::string TargetVal = GetCaseSensitiveStringFromCommandToken(Section);
317
318 if (TargetVal.rfind("0x", 0) == 0 || TargetVal.rfind("0X", 0) == 0 ||
319 TargetVal.rfind("\\x", 0) == 0 || TargetVal.rfind("\\X", 0) == 0)
320 {
321 TargetVal = TargetVal.erase(0, 2);
322 }
323 else if (TargetVal.rfind('x', 0) == 0 || TargetVal.rfind('X', 0) == 0)
324 {
325 TargetVal = TargetVal.erase(0, 1);
326 }
327
328 TargetVal.erase(remove(TargetVal.begin(), TargetVal.end(), '`'), TargetVal.end());
329
330 //
331 // Check if the value is valid based on byte counts
332 //
333 if (SearchMemoryRequest.ByteSize == SEARCH_BYTE && TargetVal.size() >= 3)
334 {
335 ShowMessages("please specify a byte (hex) value for 'sb' or '!sb'\n\n");
336 return;
337 }
338
339 if (SearchMemoryRequest.ByteSize == SEARCH_DWORD && TargetVal.size() >= 9)
340 {
341 ShowMessages("please specify a dword (hex) value for 'sd' or '!sd'\n\n");
342 return;
343 }
344
345 if (SearchMemoryRequest.ByteSize == SEARCH_QWORD && TargetVal.size() >= 17)
346 {
347 ShowMessages("please specify a qword (hex) value for 'sq' or '!sq'\n\n");
348 return;
349 }
350
351 //
352 // Qword is checked by the following function, no need to double
353 // check it above.
354 //
355 if (!ConvertStringToUInt64(TargetVal, &Value))
356 {
357 ShowMessages("please specify a correct hex value to search in the "
358 "memory content\n\n");
360 return;
361 }
362 else
363 {
364 //
365 // Add it to the list
366 //
367 ValuesToEdit.push_back(Value);
368
369 //
370 // Keep track of values to modify
371 //
372 CountOfValues++;
373
374 if (!SetValue)
375 {
376 //
377 // At least one value is there
378 //
379 SetValue = TRUE;
380 }
381 continue;
382 }
383 }
384 }
385
386 //
387 // Check to prevent using process id in s* commands
388 //
389 if (g_IsSerialConnectedToRemoteDebuggee && ProcId != 0)
390 {
392 return;
393 }
394
395 if (ProcId == 0)
396 {
397 ProcId = GetCurrentProcessId();
398 }
399
400 //
401 // Fill the structure
402 //
403 SearchMemoryRequest.ProcessId = ProcId;
404 SearchMemoryRequest.Address = Address;
405 SearchMemoryRequest.CountOf64Chunks = CountOfValues;
406
407 //
408 // Check if address and value are set or not
409 //
410 if (!SetAddress)
411 {
412 ShowMessages("please specify a correct hex address\n\n");
414 return;
415 }
416 if (!SetValue)
417 {
418 ShowMessages(
419 "please specify a correct hex value as the content to search\n\n");
421 return;
422 }
423 if (!SetLength)
424 {
425 ShowMessages("please specify a correct hex value as the length\n\n");
427 return;
428 }
429 if (NextIsProcId)
430 {
431 ShowMessages("please specify a correct hex value as the process id\n\n");
433 return;
434 }
435 if (NextIsLength)
436 {
437 ShowMessages("please specify a correct hex length\n\n");
439 return;
440 }
441
442 //
443 // Now it's time to put everything together in one structure
444 //
445 FinalSize = (CountOfValues * sizeof(UINT64)) + SIZEOF_DEBUGGER_SEARCH_MEMORY;
446
447 //
448 // Set the size
449 //
450 SearchMemoryRequest.FinalStructureSize = FinalSize;
451
452 //
453 // Set the length
454 //
455 SearchMemoryRequest.Length = Length;
456
458 {
460 }
461
462 //
463 // Allocate structure + buffer
464 //
465 FinalBuffer = (UINT64 *)malloc(FinalSize);
466
467 if (!FinalBuffer)
468 {
469 ShowMessages("unable to allocate memory\n\n");
470 return;
471 }
472
473 //
474 // Zero the buffer
475 //
476 ZeroMemory(FinalBuffer, FinalSize);
477
478 //
479 // Copy the structure on top of the allocated buffer
480 //
481 memcpy(FinalBuffer, &SearchMemoryRequest, SIZEOF_DEBUGGER_SEARCH_MEMORY);
482
483 //
484 // Put the values in 64 bit structures
485 //
486 std::copy(ValuesToEdit.begin(), ValuesToEdit.end(), (UINT64 *)((UINT64)FinalBuffer + SIZEOF_DEBUGGER_SEARCH_MEMORY));
487
488 //
489 // Check if it's a connection in debugger mode
490 //
492 {
493 //
494 // The buffer should be sent to the debugger
495 //
496 KdSendSearchRequestPacketToDebuggee(FinalBuffer, FinalSize);
497 }
498 else
499 {
500 //
501 // it's a local connection, send the buffer directly
502 //
503 CommandSearchSendRequest(FinalBuffer, FinalSize);
504 }
505
506 //
507 // Free the buffers
508 //
509 free(FinalBuffer);
510}
@ SEARCH_QWORD
Definition RequestStructures.h:537
@ SEARCH_BYTE
Definition RequestStructures.h:535
@ SEARCH_DWORD
Definition RequestStructures.h:536
@ SEARCH_PHYSICAL_MEMORY
Definition RequestStructures.h:523
@ SEARCH_VIRTUAL_MEMORY
Definition RequestStructures.h:524
#define SIZEOF_DEBUGGER_SEARCH_MEMORY
Definition RequestStructures.h:515
struct _DEBUGGER_SEARCH_MEMORY DEBUGGER_SEARCH_MEMORY
request for searching memory
BOOLEAN KdSendSearchRequestPacketToDebuggee(UINT64 *SearchRequestBuffer, UINT32 SearchRequestBufferSize)
Sends search query request packet to the debuggee.
Definition kd.cpp:1353
VOID CommandSearchSendRequest(UINT64 *BufferToSendAsIoctl, UINT32 BufferToSendAsIoctlSize)
Send the request of search to the kernel.
Definition s.cpp:63
VOID CommandSearchMemoryHelp()
help of !s* s* commands
Definition s.cpp:27
UINT64 Length
Definition RequestStructures.h:548
UINT32 ProcessId
Definition RequestStructures.h:549
UINT32 CountOf64Chunks
Definition RequestStructures.h:552
UINT32 FinalStructureSize
Definition RequestStructures.h:553
UINT64 Address
Definition RequestStructures.h:547
DEBUGGER_SEARCH_MEMORY_BYTE_SIZE ByteSize
Definition RequestStructures.h:551
DEBUGGER_SEARCH_MEMORY_TYPE MemoryType
Definition RequestStructures.h:550

◆ CommandSettings()

VOID CommandSettings ( vector< CommandToken > CommandTokens,
string Command )

settings command handler

Parameters
CommandTokens
Command
Returns
VOID
554{
555 if (CommandTokens.size() <= 1)
556 {
557 ShowMessages("incorrect use of the '%s'\n\n",
558 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
560 return;
561 }
562
563 //
564 // Interpret the field name
565 //
566 if (CompareLowerCaseStrings(CommandTokens.at(1), "autounpause"))
567 {
568 //
569 // Handle it locally
570 //
571 CommandSettingsAutoUpause(CommandTokens);
572 }
573 else if (CompareLowerCaseStrings(CommandTokens.at(1), "syntax"))
574 {
575 //
576 // If it's a remote debugger then we send it to the remote debugger
577 //
579 {
580 RemoteConnectionSendCommand(Command.c_str(), (UINT32)Command.length() + 1);
581 }
582 else
583 {
584 //
585 // If it's a connection over serial or a local debugging then
586 // we handle it locally
587 //
588 CommandSettingsSyntax(CommandTokens);
589 }
590 }
591 else if (CompareLowerCaseStrings(CommandTokens.at(1), "autoflush"))
592 {
593 //
594 // If it's a remote debugger then we send it to the remote debugger
595 //
597 {
598 RemoteConnectionSendCommand(Command.c_str(), (UINT32)Command.length() + 1);
599 }
600 else
601 {
602 //
603 // If it's a connection over serial or a local debugging then
604 // we handle it locally
605 //
606 CommandSettingsAutoFlush(CommandTokens);
607 }
608 }
609 else if (CompareLowerCaseStrings(CommandTokens.at(1), "addressconversion"))
610 {
611 //
612 // If it's a remote debugger then we send it to the remote debugger
613 //
615 {
616 RemoteConnectionSendCommand(Command.c_str(), (UINT32)Command.length() + 1);
617 }
618 else
619 {
620 //
621 // If it's a connection over serial or a local debugging then
622 // we handle it locally
623 //
625 }
626 }
627 else
628 {
629 //
630 // option not found
631 //
632 ShowMessages("incorrect use of the '%s', please use 'help %s' for more information\n",
633 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str(),
634 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
635 return;
636 }
637}
INT RemoteConnectionSendCommand(const CHAR *sendbuf, INT len)
send the command as a client (debugger, host) to the server (debuggee, guest)
Definition remote-connection.cpp:445
VOID CommandSettingsSyntax(vector< CommandToken > CommandTokens)
set the syntax of !u !u2 u u2 command
Definition settings.cpp:471
VOID CommandSettingsAddressConversion(vector< CommandToken > CommandTokens)
set the address conversion enabled and disabled and query the status of this mode
Definition settings.cpp:274
VOID CommandSettingsAutoUpause(vector< CommandToken > CommandTokens)
set auto-unpause mode to enabled or disabled
Definition settings.cpp:406
VOID CommandSettingsHelp()
help of the settings command
Definition settings.cpp:29
VOID CommandSettingsAutoFlush(vector< CommandToken > CommandTokens)
set the auto-flush mode to enabled and disabled and query the status of this mode
Definition settings.cpp:341

◆ CommandSettingsGetValueFromConfigFile()

BOOLEAN CommandSettingsGetValueFromConfigFile ( std::string OptionName,
std::string & OptionValue )

Gets the setting values from config file.

Parameters
OptionName
OptionValue
Returns
BOOLEAN Shows if the settings is available or not
61{
63 WCHAR ConfigPath[MAX_PATH] = {0};
64 std::string OptionValueFromFile;
65
66 //
67 // Get config file path
68 //
69 GetConfigFilePath(ConfigPath);
70
71 if (!IsFileExistW(ConfigPath))
72 {
73 return FALSE;
74 }
75
76 //
77 // Open the file
78 //
79 ifstream Is(ConfigPath);
80
81 //
82 // Read config file
83 //
84 Ini.parse(Is);
85
86 //
87 // Show config file
88 //
89 // Ini.generate(std::cout);
90
91 inipp::get_value(Ini.sections["DEFAULT"], OptionName, OptionValueFromFile);
92
93 Is.close();
94
95 if (!OptionValueFromFile.empty())
96 {
97 OptionValue = OptionValueFromFile;
98 return TRUE;
99 }
100 else
101 {
102 return FALSE;
103 }
104}
Definition inipp.h:172
Sections sections
Definition inipp.h:178
void parse(std::basic_istream< CharT > &is)
Definition inipp.h:202
VOID GetConfigFilePath(PWCHAR ConfigPath)
Get config path.
Definition common.cpp:792
BOOLEAN IsFileExistW(const WCHAR *FileName)
check if a file exist or not (wide-char)
Definition common.cpp:753
bool get_value(const std::map< std::basic_string< CharT >, std::basic_string< CharT > > &sec, const std::basic_string< CharT > &key, T &dst)
Definition inipp.h:116

◆ CommandSettingsLoadDefaultValuesFromConfigFile()

VOID CommandSettingsLoadDefaultValuesFromConfigFile ( )

Loads default settings values from config file.

Returns
VOID
162{
163 string OptionValue;
164
165 //
166 // *** Set default configurations ***
167 //
168
169 //
170 // Set the assembly syntax
171 //
172 if (CommandSettingsGetValueFromConfigFile("AsmSyntax", OptionValue))
173 {
174 //
175 // The user tries to set a value as the syntax
176 //
177 if (!OptionValue.compare("intel"))
178 {
180 }
181 else if (!OptionValue.compare("att") ||
182 !OptionValue.compare("at&t"))
183 {
185 }
186 else if (!OptionValue.compare("masm"))
187 {
189 }
190 else
191 {
192 //
193 // Sth is incorrect
194 //
195 ShowMessages("err, incorrect assembly syntax settings\n");
196 }
197 }
198
199 //
200 // Set the auto unpause
201 //
202 if (CommandSettingsGetValueFromConfigFile("AutoUnpause", OptionValue))
203 {
204 if (!OptionValue.compare("on"))
205 {
207 }
208 else if (!OptionValue.compare("off"))
209 {
211 }
212 else
213 {
214 //
215 // Sth is incorrect
216 //
217 ShowMessages("err, incorrect auto unpause settings\n");
218 }
219 }
220
221 //
222 // Set the auto flush
223 //
224 if (CommandSettingsGetValueFromConfigFile("AutoFlush", OptionValue))
225 {
226 if (!OptionValue.compare("on"))
227 {
229 }
230 else if (!OptionValue.compare("off"))
231 {
233 }
234 else
235 {
236 //
237 // Sth is incorrect
238 //
239 ShowMessages("err, incorrect auto flush settings\n");
240 }
241 }
242
243 //
244 // Set the address conversion
245 //
246 if (CommandSettingsGetValueFromConfigFile("AddrConv", OptionValue))
247 {
248 if (!OptionValue.compare("on"))
249 {
251 }
252 else if (!OptionValue.compare("off"))
253 {
255 }
256 else
257 {
258 //
259 // Sth is incorrect
260 //
261 ShowMessages("err, incorrect address conversion settings\n");
262 }
263 }
264}
BOOLEAN g_AutoFlush
Whether auto-flush mode is enabled or not enabled.
Definition globals.h:601
BOOLEAN CommandSettingsGetValueFromConfigFile(std::string OptionName, std::string &OptionValue)
Gets the setting values from config file.
Definition settings.cpp:60
BOOLEAN g_AutoUnpause
Whether auto-unpause mode is enabled or not enabled.
Definition globals.h:587
UINT32 g_DisassemblerSyntax
Shows the syntax used in !u !u2 u u2 commands.
Definition globals.h:608

◆ CommandSettingsSetValueFromConfigFile()

VOID CommandSettingsSetValueFromConfigFile ( std::string OptionName,
std::string OptionValue )

Sets the setting values from config file.

Parameters
OptionName
OptionValue
Returns
VOID
116{
118 WCHAR ConfigPath[MAX_PATH] = {0};
119
120 //
121 // Get config file path
122 //
123 GetConfigFilePath(ConfigPath);
124
125 ifstream Is(ConfigPath);
126
127 //
128 // Read config file
129 //
130 Ini.parse(Is);
131
132 Is.close();
133
134 //
135 // Save the config
136 //
137 Ini.sections["DEFAULT"][OptionName] = OptionValue.c_str();
138 Ini.interpolate();
139
140 //
141 // Test, show the config
142 //
143 // Ini.generate(std::cout);
144
145 //
146 // Save the config
147 //
148 ofstream Os(ConfigPath);
149
150 Ini.generate(Os);
151
152 Os.close();
153}
void generate(std::basic_ostream< CharT > &os) const
Definition inipp.h:189
void interpolate()
Definition inipp.h:246

◆ CommandSleep()

VOID CommandSleep ( vector< CommandToken > CommandTokens,
string Command )

sleep command help

Parameters
CommandTokens
Command
Returns
VOID
39{
40 UINT32 MillisecondsTime = 0;
41
42 if (CommandTokens.size() != 2)
43 {
44 ShowMessages("incorrect use of the '%s'\n\n",
45 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
47 return;
48 }
49
50 if (!ConvertTokenToUInt32(CommandTokens.at(1), &MillisecondsTime))
51 {
52 ShowMessages(
53 "please specify a correct hex value for time (milliseconds)\n\n");
55 return;
56 }
57 Sleep(MillisecondsTime);
58}
VOID CommandSleepHelp()
help of the sleep command
Definition sleep.cpp:20

◆ CommandSmi()

VOID CommandSmi ( vector< CommandToken > CommandTokens,
string Command )

!smi command handler

Parameters
CommandTokens
Command
Returns
VOID
124{
125 SMI_OPERATION_PACKETS SmiOperationRequest = {0};
126
127 if (CommandTokens.size() != 2)
128 {
129 ShowMessages("incorrect use of the '%s'\n\n",
130 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
131
133 return;
134 }
135
136 if (CompareLowerCaseStrings(CommandTokens.at(1), "count"))
137 {
139 }
140 else if (CompareLowerCaseStrings(CommandTokens.at(1), "trigger"))
141 {
143 }
144 else
145 {
146 ShowMessages("incorrect use of the '%s'\n\n",
147 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
149 return;
150 }
151
152 //
153 // Send the SMI operation request
154 //
155 if (CommandSmiSendRequest(&SmiOperationRequest))
156 {
158 {
159 if (SmiOperationRequest.SmiCount == 0)
160 {
161 ShowMessages("SMI count: 0 (for security reasons, nested-virtualization environment (VMs) are unable to communicate with UEFI firmware)\n");
162 }
163 else
164 {
165 ShowMessages("SMI count: 0x%x\n", SmiOperationRequest.SmiCount);
166 }
167 }
169 {
170 ShowMessages("power SMI triggered successfully (you can use '!smi count' to view the number of executed SMIs)\n");
171 }
172 }
173 else
174 {
175 ShowErrorMessage(SmiOperationRequest.KernelStatus);
176 return;
177 }
178}
@ SMI_OPERATION_REQUEST_TYPE_READ_COUNT
Definition RequestStructures.h:1254
@ SMI_OPERATION_REQUEST_TYPE_TRIGGER_POWER_SMI
Definition RequestStructures.h:1255
struct _SMI_OPERATION_PACKETS SMI_OPERATION_PACKETS
The structure of I/O APIC result packet in HyperDbg.
BOOLEAN CommandSmiSendRequest(SMI_OPERATION_PACKETS *SmiOperationRequest)
Send SMI requests.
Definition smi.cpp:46
VOID CommandSmiHelp()
help of the !smi command
Definition smi.cpp:26
UINT32 KernelStatus
Definition RequestStructures.h:1267
UINT64 SmiCount
Definition RequestStructures.h:1266
SMI_OPERATION_REQUEST_TYPE SmiOperationType
Definition RequestStructures.h:1265

◆ CommandStart()

VOID CommandStart ( vector< CommandToken > CommandTokens,
string Command )

.start command handler

Parameters
CommandTokens
Command
Returns
VOID
48{
49 vector<string> PathAndArgs;
50 string Arguments = "";
51 BOOLEAN IsFirstCommand = FALSE;
52 BOOLEAN PathIgnored = FALSE;
53 BOOLEAN IsNextPath = FALSE;
54
55 if (CommandTokens.size() <= 2)
56 {
57 ShowMessages("incorrect use of the '%s'\n\n",
58 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
60 return;
61 }
62
63//
64// Disable user-mode debugger in this version
65//
66#if ActivateUserModeDebugger == FALSE
67
69 {
70 ShowMessages("the user-mode debugger in VMI Mode is still in the beta version and not stable. "
71 "we decided to exclude it from this release and release it in future versions. "
72 "if you want to test the user-mode debugger in VMI Mode, you should build "
73 "HyperDbg with special instructions. But starting processes is fully supported "
74 "in the Debugger Mode.\n"
75 "(it's not recommended to use it in VMI Mode yet!)\n");
76 return;
77 }
78
79#endif // !ActivateUserModeDebugger
80
81 //
82 // Check if the first token is 'path'
83 //
84 if (!CompareLowerCaseStrings(CommandTokens.at(1), "path"))
85 {
86 ShowMessages("err, couldn't resolve error at '%s'\n\n",
87 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(1)).c_str());
89 return;
90 }
91
92 //
93 // *** It's a run of target PE file ***
94 //
95
96 for (auto Section : CommandTokens)
97 {
98 //
99 // Skip first two parameters
100 //
101 if (!IsFirstCommand)
102 {
103 IsFirstCommand = TRUE;
104 continue;
105 }
106
107 //
108 // Skip the path
109 //
110 if (!PathIgnored)
111 {
112 PathIgnored = TRUE;
113 IsNextPath = TRUE;
114 continue;
115 }
116
117 //
118 // Check if the next token is the actual path
119 //
120 if (IsNextPath)
121 {
122 IsNextPath = FALSE;
123
124 //
125 // Convert path to wstring
126 //
128
129 continue;
130 }
131
132 //
133 // Append the arguments and check if arguments contain spaces then add quotes
134 //
135 if (GetCaseSensitiveStringFromCommandToken(Section).find(' ') != std::string::npos)
136 {
137 Arguments += "\"" + GetCaseSensitiveStringFromCommandToken(Section) + "\" ";
138 }
139 else
140 {
141 Arguments += GetCaseSensitiveStringFromCommandToken(Section) + " ";
142 }
143 }
144
145 //
146 // Perform run of the target file
147 //
148 if (Arguments.empty())
149 {
150 //
151 // TEMPORARY LINUX SHIM (same as in pe.cpp/dump.cpp): the path is a
152 // std::wstring of native wchar_t (4 bytes on Linux), but UdAttachToProcess
153 // takes a 2-byte HyperDbg WCHAR * (UINT16). The cast is a bogus 2-byte
154 // reinterpretation on Linux, acceptable only because the user-debugger
155 // path is still stubbed there. On Windows WCHAR == wchar_t, so it is a
156 // plain correct pointer. TODO(Linux): convert wchar_t -> 2-byte WCHAR
157 // properly once the Linux user-debugger path is real.
158 //
160 (WCHAR *)g_StartCommandPath.c_str(),
161 NULL,
162 FALSE);
163 }
164 else
165 {
166 //
167 // Remove the last space
168 //
169 Arguments.pop_back();
170
171 //
172 // Convert arguments to wstring if it's not empty
173 //
175
176 //
177 // TEMPORARY LINUX SHIM (same as in pe.cpp/dump.cpp): the path/arguments
178 // are std::wstring of native wchar_t (4 bytes on Linux), but
179 // UdAttachToProcess takes 2-byte HyperDbg WCHAR * (UINT16). The casts are
180 // a bogus 2-byte reinterpretation on Linux, acceptable only because the
181 // user-debugger path is still stubbed there. On Windows WCHAR == wchar_t,
182 // so they are plain correct pointers. TODO(Linux): convert wchar_t ->
183 // 2-byte WCHAR properly once the Linux user-debugger path is real.
184 //
186 (WCHAR *)g_StartCommandPath.c_str(),
187 (WCHAR *)g_StartCommandPathAndArguments.c_str(),
188 FALSE);
189 }
190}
VOID CommandStartHelp()
help of the .start command
Definition start.cpp:27

◆ CommandStatus()

VOID CommandStatus ( vector< CommandToken > CommandTokens,
string Command )

.status and status command handler

Parameters
CommandTokens
Command
Returns
VOID
52{
53 if (CommandTokens.size() != 1)
54 {
55 ShowMessages("incorrect use of the '%s'\n\n",
56 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
58 }
59
61 {
62 //
63 // Connected to a remote debugger (serial port)
64 //
65 ShowMessages("remote debugging - debugger ('debugger mode')\n");
66 }
68 {
69 //
70 // Connected to a remote debuggee (serial port)
71 //
72 ShowMessages("remote debugging - debuggee ('debugger mode')\n");
73 }
75 {
76 //
77 // Connected to a remote debuggee
78 //
79 ShowMessages("remote debugging ('vmi mode'), ip : %s:%s \n",
80 g_ServerIp.c_str(),
81 g_ServerPort.c_str());
82 }
84 {
85 //
86 // Connected to a local system
87 //
88 ShowMessages("local debugging ('vmi mode')\n");
89 }
91 {
92 //
93 // It's computer connect to a remote machine (this
94 // message shouldn't be showed)
95 //
96 ShowMessages("a remote debugger connected to this system in ('vmi "
97 "mode'), ip : %s:%s \n",
98 g_ServerIp.c_str(),
99 g_ServerPort.c_str());
100 }
101 else
102 {
103 //
104 // we never should see this message
105 //
106 ShowMessages("err, you're not connected to any instance of HyperDbg\n");
107 }
108}
string g_ServerPort
In debugger (not debuggee), we save the port of server debuggee in this variable to use it later e....
Definition globals.h:132
string g_ServerIp
In debugger (not debuggee), we save the port of server debuggee in this variable to use it later e....
Definition globals.h:139
VOID CommandStatusHelp()
help of the .status command
Definition status.cpp:31

◆ CommandSwitch()

VOID CommandSwitch ( vector< CommandToken > CommandTokens,
string Command )

.switch command handler

Parameters
CommandTokens
Command
Returns
VOID
46{
47 UINT32 PidOrTid = NULL;
48
49 if (CommandTokens.size() > 3)
50 {
51 ShowMessages("incorrect use of the '%s'\n\n",
52 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
54 return;
55 }
56
57 //
58 // Perform switching or listing the threads
59 //
60 if (CommandTokens.size() == 1 || (CommandTokens.size() == 2 && CompareLowerCaseStrings(CommandTokens.at(1), "list")))
61 {
63 }
64 else if (CompareLowerCaseStrings(CommandTokens.at(1), "pid"))
65 {
66 if (!ConvertTokenToUInt32(CommandTokens.at(2), &PidOrTid))
67 {
68 ShowMessages("please specify a correct hex value for process id\n\n");
69 return;
70 }
71
72 //
73 // Switch by pid
74 //
76 {
77 ShowMessages("switched to process id: %x\n", PidOrTid);
78 }
79 }
80 else if (CompareLowerCaseStrings(CommandTokens.at(1), "tid"))
81 {
82 if (!ConvertTokenToUInt32(CommandTokens.at(2), &PidOrTid))
83 {
84 ShowMessages("please specify a correct hex value for thread id\n\n");
85 return;
86 }
87
88 //
89 // Switch by tid
90 //
92 {
93 ShowMessages("switched to thread id: %x\n", PidOrTid);
94 }
95 }
96 else
97 {
98 ShowMessages("err, couldn't resolve error at '%s'\n",
99 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(1)).c_str());
100 return;
101 }
102}
VOID CommandSwitchHelp()
help of the .switch command
Definition switch.cpp:20
BOOLEAN UdSetActiveDebuggingThreadByPidOrTid(UINT32 TargetPidOrTid, BOOLEAN IsTid)
Set the active debugging thread by process id or thread id.
Definition ud.cpp:1314
BOOLEAN UdShowListActiveDebuggingProcessesAndThreads()
Show list of active debugging processes and threads.
Definition ud.cpp:1397

◆ CommandSym()

VOID CommandSym ( vector< CommandToken > CommandTokens,
string Command )

.sym command handler

Parameters
CommandTokens
Command
Returns
VOID
57{
58 UINT64 BaseAddress = NULL;
59 UINT32 UserProcessId = NULL;
60 string PathToPdb;
61
62 if (CommandTokens.size() == 1)
63 {
64 ShowMessages("incorrect use of the '%s'\n\n",
65 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
67 return;
68 }
69
70 if (CompareLowerCaseStrings(CommandTokens.at(1), "table"))
71 {
72 //
73 // Validate params
74 //
75 if (CommandTokens.size() != 2)
76 {
77 ShowMessages("incorrect use of the '%s'\n\n",
78 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
80 return;
81 }
82
83 //
84 // Show symbol table
85 //
87 }
88 else if (CompareLowerCaseStrings(CommandTokens.at(1), "load") || CompareLowerCaseStrings(CommandTokens.at(1), "download"))
89 {
90 //
91 // Validate params
92 //
93 if (CommandTokens.size() != 2)
94 {
95 ShowMessages("incorrect use of the '%s'\n\n",
96 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
98 return;
99 }
100
101 //
102 // Load and download available symbols
103 //
104 if (CompareLowerCaseStrings(CommandTokens.at(1), "load"))
105 {
107 }
108 else if (CompareLowerCaseStrings(CommandTokens.at(1), "download"))
109 {
111 }
112 }
113 else if (CompareLowerCaseStrings(CommandTokens.at(1), "reload"))
114 {
115 //
116 // Validate params
117 //
118 if (CommandTokens.size() != 2 && CommandTokens.size() != 4)
119 {
120 ShowMessages("incorrect use of the '%s'\n\n",
121 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
123 return;
124 }
125
126 //
127 // Check for process id
128 //
129 if (CommandTokens.size() == 4)
130 {
131 if (CompareLowerCaseStrings(CommandTokens.at(2), "pid"))
132 {
133 if (!ConvertTokenToUInt32(CommandTokens.at(3), &UserProcessId))
134 {
135 //
136 // couldn't resolve or unknown parameter
137 //
138 ShowMessages("err, couldn't resolve error at '%s'\n\n",
139 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(3)).c_str());
141 return;
142 }
143 }
144 else
145 {
146 ShowMessages("incorrect use of the '%s'\n\n",
147 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
149 return;
150 }
151 }
152
153 //
154 // Refresh and reload symbols
155 //
157 {
158 //
159 // Update symbol table from remote debuggee in debugger-mode
160 //
162 }
163 else
164 {
165 //
166 // Check if user explicitly specified the process id
167 //
168 if (UserProcessId == NULL)
169 {
170 //
171 // User didn't explicitly specified the process id, so
172 // if it's a user-debugger process, we use the modules
173 // of the target user-debuggee's process, otherwise,
174 // the current process (HyperDbg's process) is specified
175 //
177 {
178 UserProcessId = g_ActiveProcessDebuggingState.ProcessId;
179 }
180 else
181 {
182 UserProcessId = GetCurrentProcessId();
183 }
184 }
185
186 //
187 // Build locally and reload it
188 //
189 if (SymbolLocalReload(UserProcessId))
190 {
191 ShowMessages("symbol table updated successfully\n");
192 }
193 }
194 }
195 else if (CompareLowerCaseStrings(CommandTokens.at(1), "unload"))
196 {
197 //
198 // Validate params
199 //
200 if (CommandTokens.size() != 2)
201 {
202 ShowMessages("incorrect use of the '%s'\n\n",
203 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
205 return;
206 }
207
208 //
209 // unload without any parameters, means that unload
210 // all the symbols
211 //
213
214 //
215 // Size is 3 there is module name (not working ! I don't know why)
216 //
217 // ScriptEngineUnloadModuleSymbolWrapper((char *)SplitCommand.at(2).c_str());
218 }
219 else if (CompareLowerCaseStrings(CommandTokens.at(1), "add"))
220 {
221 //
222 // Validate params
223 //
224 if (CommandTokens.size() < 6)
225 {
226 ShowMessages("incorrect use of the '%s'\n\n",
227 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
229 return;
230 }
231
232 if (CompareLowerCaseStrings(CommandTokens.at(2), "base"))
233 {
234 if (!ConvertTokenToUInt64(CommandTokens.at(3), &BaseAddress))
235 {
236 ShowMessages("please add a valid hex address to be used as the base address\n\n");
238 return;
239 }
240
241 //
242 // Base address is now valid, check if next parameter is path
243 //
244 if (!CompareLowerCaseStrings(CommandTokens.at(4), "path"))
245 {
246 ShowMessages("incorrect use of the '%s'\n\n",
247 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
249 return;
250 }
251
252 //
253 // The rest of command is pdb path
254 //
255 PathToPdb = GetCaseSensitiveStringFromCommandToken(CommandTokens.at(5));
256
257 //
258 // Check if pdb file exists or not
259 //
260 if (!IsFileExistA(PathToPdb.c_str()))
261 {
262 ShowMessages("pdb file not found\n");
263 return;
264 }
265
266 ShowMessages("loading module symbol at '%s'\n", PathToPdb.c_str());
267
268 //
269 // Load the pdb file (the validation of pdb file is checked into pdb
270 // parsing functions)
271 //
272 ScriptEngineLoadFileSymbolWrapper(BaseAddress, PathToPdb.c_str(), NULL);
273 }
274 else
275 {
276 ShowMessages("incorrect use of the '%s'\n\n",
277 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
279 return;
280 }
281 }
282 else
283 {
284 ShowMessages("unknown parameter at '%s'\n\n",
285 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(1)).c_str());
287 return;
288 }
289}
BOOLEAN IsFileExistA(const CHAR *FileName)
check if a file exist or not (ASCII)
Definition common.cpp:740
UINT32 ScriptEngineLoadFileSymbolWrapper(UINT64 BaseAddress, const CHAR *PdbFileName, const CHAR *CustomModuleName)
ScriptEngineLoadFileSymbol wrapper.
Definition script-engine-wrapper.cpp:68
UINT32 ScriptEngineUnloadAllSymbolsWrapper()
ScriptEngineUnloadAllSymbols wrapper.
Definition script-engine-wrapper.cpp:92
VOID CommandSymHelp()
help of the .sym command
Definition sym.cpp:26
BOOLEAN SymbolLoadOrDownloadSymbols(BOOLEAN IsDownload, BOOLEAN SilentLoad)
Load or download symbols.
Definition symbol.cpp:298
BOOLEAN SymbolReloadSymbolTableInDebuggerMode(UINT32 ProcessId)
Update the symbol table from remote debuggee in debugger mode.
Definition symbol.cpp:1274
VOID SymbolBuildAndShowSymbolTable()
Build and show symbol table details.
Definition symbol.cpp:263

◆ CommandSympath()

VOID CommandSympath ( vector< CommandToken > CommandTokens,
string Command )

.sympath command handler

Parameters
CommandTokens
Command
Returns
VOID
46{
47 string SymbolServer = "";
48 string Token;
49
50 if (CommandTokens.size() == 1)
51 {
52 //
53 // Show the current symbol path
54 //
55 if (!CommandSettingsGetValueFromConfigFile("SymbolServer", SymbolServer))
56 {
57 ShowMessages("symbol server is not configured, please use '.help .sympath'\n");
58 }
59 else
60 {
61 ShowMessages("current symbol server is : %s\n", SymbolServer.c_str());
62 }
63 }
64 else
65 {
66 //
67 // Save the symbol path
68 //
69
70 //
71 // Because technically, the "https://" is containing characters that resemble the command token,
72 // it's better to use the symbol server in quotes, but due to the fact that for compatibility reasons,
73 // with the previous versions, we should support the old syntax, we should check if the symbol server
74 // is in quotes or not to support both syntaxes
75 //
76
77 //
78 // Trim the command
79 //
80 Trim(Command);
81
82 //
83 // Remove .sympath from it
84 //
85 Command.erase(0, GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).size());
86
87 //
88 // Trim it again
89 //
90 Trim(Command);
91
92 //
93 // Check if the symbol server starts with quotes
94 //
95 if (Command.at(0) == '\"')
96 {
97 //
98 // Means that the symbol server is in quotes
99 //
100 Command = GetCaseSensitiveStringFromCommandToken(CommandTokens.at(1));
101 }
102
103 //
104 // *** validate the symbols ***
105 //
106
107 //
108 // Check if the string contains '*'
109 //
110 CHAR Delimiter = '*';
111 if (Command.find(Delimiter) != std::string::npos)
112 {
113 //
114 // Found
115 //
116 Token = Command.substr(0, Command.find(Delimiter));
117 // using transform() function and ::tolower in STL
118 transform(Token.begin(), Token.end(), Token.begin(), ::tolower);
119
120 //
121 // Check if it starts with srv
122 //
123 if (!Token.compare("srv"))
124 {
125 //
126 // Save the config
127 //
128 CommandSettingsSetValueFromConfigFile("SymbolServer", Command);
129
130 //
131 // Show the message
132 //
133 ShowMessages("symbol server/path is configured successfully\n");
134 ShowMessages("use '.sym load', '.sym reload', or '.sym download' to load pdb files\n");
135 }
136 else
137 {
138 ShowMessages("symbol path is invalid\n\n");
140 return;
141 }
142 }
143 else
144 {
145 ShowMessages("symbol path is invalid\n\n");
147 return;
148 }
149 }
150}
VOID CommandSettingsSetValueFromConfigFile(std::string OptionName, std::string OptionValue)
Sets the setting values from config file.
Definition settings.cpp:115
VOID CommandSympathHelp()
help of the .sympath command
Definition sympath.cpp:24

◆ CommandSyscallAndSysret()

VOID CommandSyscallAndSysret ( vector< CommandToken > CommandTokens,
string Command )

!syscall, !syscall2 and !sysret, !sysret2 commands handler

Parameters
CommandTokens
Command
Returns
VOID
86{
88 PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger = NULL;
89 PDEBUGGER_GENERAL_ACTION ActionCustomCode = NULL;
90 PDEBUGGER_GENERAL_ACTION ActionScript = NULL;
91 UINT32 EventLength;
92 UINT32 ActionBreakToDebuggerLength = 0;
93 UINT32 ActionCustomCodeLength = 0;
94 UINT32 ActionScriptLength = 0;
96 BOOLEAN GetSyscallNumber = FALSE;
97 DEBUGGER_EVENT_PARSING_ERROR_CAUSE EventParsingErrorCause;
98 string Cmd;
99
100 //
101 // Interpret and fill the general event and action fields
102 //
103 //
104 Cmd = GetLowerStringFromCommandToken(CommandTokens.at(0));
105
106 if (!Cmd.compare("!syscall") || !Cmd.compare("!syscall2"))
107 {
109 &CommandTokens,
111 &Event,
112 &EventLength,
113 &ActionBreakToDebugger,
114 &ActionBreakToDebuggerLength,
115 &ActionCustomCode,
116 &ActionCustomCodeLength,
117 &ActionScript,
118 &ActionScriptLength,
119 &EventParsingErrorCause))
120 {
121 return;
122 }
123 }
124 else
125 {
127 &CommandTokens,
129 &Event,
130 &EventLength,
131 &ActionBreakToDebugger,
132 &ActionBreakToDebuggerLength,
133 &ActionCustomCode,
134 &ActionCustomCodeLength,
135 &ActionScript,
136 &ActionScriptLength,
137 &EventParsingErrorCause))
138 {
139 return;
140 }
141 }
142
143 //
144 // Interpret command specific details (if any)
145 //
146
147 //
148 // Currently we do not support any extra argument for !sysret command
149 // it is because we don't know how to find syscall number in sysret
150 // and we don't wanna deal with dynamic mapping of rcx (user stack)
151 // in vmx-root
152 //
153 if (!Cmd.compare("!syscall") || !Cmd.compare("!syscall2"))
154 {
155 for (auto Section : CommandTokens)
156 {
157 if (CompareLowerCaseStrings(Section, "!syscall") ||
158 CompareLowerCaseStrings(Section, "!syscall2") ||
159 CompareLowerCaseStrings(Section, "!sysret") ||
160 CompareLowerCaseStrings(Section, "!sysret2"))
161 {
162 continue;
163 }
164
165 else if (!GetSyscallNumber)
166 {
167 //
168 // It's probably a syscall address
169 //
172 &SpecialTarget))
173 {
174 //
175 // Unknown parameter
176 //
177 ShowMessages("unknown parameter '%s'\n\n",
179
180 if (!Cmd.compare("!syscall") || !Cmd.compare("!syscall2"))
181 {
183 }
184 else
185 {
187 }
188
189 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
190 return;
191 }
192 else
193 {
194 GetSyscallNumber = TRUE;
195 }
196 }
197 else
198 {
199 //
200 // Unknown parameter
201 //
202 ShowMessages("unknown parameter '%s'\n\n",
204
205 if (!Cmd.compare("!syscall") || !Cmd.compare("!syscall2"))
206 {
208 }
209 else
210 {
212 }
213
214 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
215 return;
216 }
217 }
218
219 //
220 // Set the target syscall
221 //
222 Event->Options.OptionalParam1 = SpecialTarget;
223 }
224
225 //
226 // Set whether it's !syscall or !syscall2 or !sysret or !sysret2
227 //
228 if (!Cmd.compare("!syscall2") || !Cmd.compare("!sysret2"))
229 {
230 //
231 // It's a !syscall2 or !sysret2
232 //
234 }
235 else
236 {
237 //
238 // It's a !syscall or !sysret
239 //
241 }
242
243 //
244 // Send the ioctl to the kernel for event registration
245 //
246 if (!SendEventToKernel(Event, EventLength))
247 {
248 //
249 // There was an error, probably the handle was not initialized
250 // we have to free the Action before exit, it is because, we
251 // already freed the Event and string buffers
252 //
253
254 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
255 return;
256 }
257
258 //
259 // Add the event to the kernel
260 //
261 if (!RegisterActionToEvent(Event,
262 ActionBreakToDebugger,
263 ActionBreakToDebuggerLength,
264 ActionCustomCode,
265 ActionCustomCodeLength,
266 ActionScript,
267 ActionScriptLength))
268 {
269 //
270 // There was an error
271 //
272
273 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
274 return;
275 }
276}
#define DEBUGGER_EVENT_SYSCALL_ALL_SYSRET_OR_SYSCALLS
Apply to all syscalls and sysrets.
Definition Constants.h:763
@ SYSCALL_HOOK_EFER_SYSCALL
Definition Events.h:117
@ SYSCALL_HOOK_EFER_SYSRET
Definition Events.h:118
@ DEBUGGER_EVENT_SYSCALL_SYSRET_SAFE_ACCESS_MEMORY
Definition Events.h:197
@ DEBUGGER_EVENT_SYSCALL_SYSRET_HANDLE_ALL_UD
Definition Events.h:198
VOID CommandSysretHelp()
help of the !sysret command
Definition syscall-sysret.cpp:54
VOID CommandSyscallHelp()
help of the !syscall command
Definition syscall-sysret.cpp:20

◆ CommandT()

VOID CommandT ( vector< CommandToken > CommandTokens,
string Command )

handler of t command

Parameters
CommandTokens
Command
Returns
VOID
54{
55 UINT32 StepCount;
56
57 //
58 // Validate the commands
59 //
60 if (CommandTokens.size() != 1 && CommandTokens.size() != 2)
61 {
62 ShowMessages("incorrect use of the '%s'\n\n",
63 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
65 return;
66 }
67
68 //
69 // Check if the command has a counter parameter
70 //
71 if (CommandTokens.size() == 2)
72 {
73 if (!ConvertTokenToUInt32(CommandTokens.at(1), &StepCount))
74 {
75 ShowMessages("please specify a correct hex value for [count]\n\n");
77 return;
78 }
79 }
80 else
81 {
82 StepCount = 1;
83 }
84
85 //
86 // Check if the remote serial debuggee or user debugger are paused or not
87 //
89 {
90 //
91 // Check if the thread is paused or not
92 //
94 {
95 ShowMessages("the target process is running, use the "
96 "'pause' command to pause the process\n");
97 return;
98 }
99
100 //
101 // Indicate that we're instrumenting
102 //
104
105 for (SIZE_T i = 0; i < StepCount; i++)
106 {
107 //
108 // For logging purpose
109 //
110 // ShowMessages("percentage : %f %% (%x)\n", 100.0 * (i /
111 // (float)StepCount), i);
112 //
113
114 //
115 // Instrument (regular) the instruction
116 //
118
119 if (CompareLowerCaseStrings(CommandTokens.at(0), "tr"))
120 {
121 //
122 // Show registers
123 //
125
126 if (i != StepCount - 1)
127 {
128 ShowMessages("\n");
129 }
130 }
131
132 //
133 // Check if user pressed CTRL+C
134 //
136 {
137 break;
138 }
139 }
140
141 //
142 // We're not instrumenting instructions anymore
143 //
145 }
146 else
147 {
148 ShowMessages("err, stepping (t) is not valid in the current context, you "
149 "should connect to a debuggee\n");
150 }
151}
BOOLEAN SteppingRegularStepIn()
Perform Regular Step-in.
Definition steppings.cpp:80
VOID CommandTHelp()
help of the t command
Definition t.cpp:27

◆ CommandTest()

VOID CommandTest ( vector< CommandToken > CommandTokens,
string Command )

test command handler

Parameters
CommandTokens
Command
Returns
VOID
435{
436 UINT64 Context = NULL;
437
438 UINT32 CommandSize = (UINT32)CommandTokens.size();
439
440 if (CommandSize == 1)
441 {
442 ShowMessages("incorrect use of the '%s'\n\n",
443 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
445 }
446 else if (CommandSize == 2 && CompareLowerCaseStrings(CommandTokens.at(1), "query"))
447 {
448 //
449 // Query the state of debuggee in debugger mode
450 //
452 }
453 else if (CommandSize == 2 && CompareLowerCaseStrings(CommandTokens.at(1), "trap-status"))
454 {
455 //
456 // Query the state of trap flag in debugger mode
457 //
459 }
460 else if (CommandSize == 2 && CompareLowerCaseStrings(CommandTokens.at(1), "pool"))
461 {
462 //
463 // Query the state of pre-allocated pools in debugger mode
464 //
466 }
467 else if (CommandSize == 2 && CompareLowerCaseStrings(CommandTokens.at(1), "sync-task"))
468 {
469 //
470 // Send target task to the halted cores in debugger mode (synchronous)
471 //
473 }
474 else if (CommandSize == 2 && CompareLowerCaseStrings(CommandTokens.at(1), "async-task"))
475 {
476 //
477 // Send target task to the halted cores in debugger mode (asynchronous)
478 //
480 }
481 else if (CommandSize == 3 && CompareLowerCaseStrings(CommandTokens.at(1), "target-core-task"))
482 {
483 if (!ConvertTokenToUInt64(CommandTokens.at(2), &Context))
484 {
485 ShowMessages("err, you should enter a valid hex number as the core id\n\n");
486 return;
487 }
488
489 //
490 // Send target task to the specific halted core in debugger mode
491 //
493 }
494 else if (CommandSize == 3 && CompareLowerCaseStrings(CommandTokens.at(1), "breakpoint"))
495 {
496 //
497 // Change breakpoint state
498 //
499 if (CompareLowerCaseStrings(CommandTokens.at(2), "on"))
500 {
502 }
503 else if (CompareLowerCaseStrings(CommandTokens.at(2), "off"))
504 {
506 }
507 else
508 {
509 ShowMessages("err, couldn't resolve error at '%s'\n\n",
510 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(2)).c_str());
511 return;
512 }
513 }
514 else if (CommandSize == 3 && CompareLowerCaseStrings(CommandTokens.at(1), "trap"))
515 {
516 //
517 // Change debug break state
518 //
519 if (CompareLowerCaseStrings(CommandTokens.at(2), "on"))
520 {
522 }
523 else if (CompareLowerCaseStrings(CommandTokens.at(2), "off"))
524 {
526 }
527 else
528 {
529 ShowMessages("err, couldn't resolve error at '%s'\n\n",
530 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(2)).c_str());
531 return;
532 }
533 }
534 else if (CommandSize == 2 && CompareLowerCaseStrings(CommandTokens.at(1), "all"))
535 {
536 //
537 // For testing functionalities
538 //
540 }
541 else if (CommandSize == 2 && CompareLowerCaseStrings(CommandTokens.at(1), "hwdbg"))
542 {
543 //
544 // For testing functionalities of hwdbg
545 //
547 }
548 else
549 {
550 ShowMessages("incorrect use of the '%s'\n\n",
551 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
553 return;
554 }
555}
VOID CommandTestSetTargetTaskToTargetCore(UINT32 CoreNumber)
test command for setting target task to the specified core
Definition test.cpp:354
VOID CommandTestSetTargetTaskToHaltedCores(BOOLEAN Synchronous)
test command for setting target tasks to halted cores
Definition test.cpp:332
VOID CommandTestQueryPreAllocPoolsState()
test command for query the state of pre-allocated pools
Definition test.cpp:310
VOID CommandTestAllFunctionalities()
perform test on for all functionalities
Definition test.cpp:105
VOID CommandTestSetDebugBreakState(BOOLEAN State)
test command for turning on/off the debug breaks (DB)
Definition test.cpp:403
VOID CommandTestQueryState()
test command for query the state
Definition test.cpp:268
VOID CommandTestAllHwdbg()
perform test for all functionalities of hwdbg
Definition test.cpp:153
VOID CommandTestSetBreakpointState(BOOLEAN State)
test command for turning on/off the breakpoints (DB)
Definition test.cpp:375
VOID CommandTestHelp()
help of the test command
Definition test.cpp:26
VOID CommandTestQueryTrapState()
test command for query the trap state
Definition test.cpp:289

◆ CommandThread()

VOID CommandThread ( vector< CommandToken > CommandTokens,
string Command )

.thread command handler

Parameters
CommandTokens
Command
Returns
VOID
121{
122 UINT32 TargetThreadId = 0;
123 UINT64 TargetThread = 0;
124 UINT64 TargetProcess = 0;
125 BOOLEAN CheckByClkIntr = FALSE;
126
127 if (CommandTokens.size() >= 5)
128 {
129 ShowMessages("incorrect use of the '%s'\n\n",
130 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
132 return;
133 }
134
135 if (CommandTokens.size() == 1)
136 {
137 //
138 // Check if it's connected to a remote debuggee or not
139 //
141 {
143 }
144 else
145 {
146 //
147 // Send the packet to get current thread
148 //
150 NULL,
151 NULL,
152 FALSE,
153 NULL);
154 }
155 }
156 else if (CommandTokens.size() == 2)
157 {
158 if (CompareLowerCaseStrings(CommandTokens.at(1), "list"))
159 {
160 //
161 // Sending null as the nt!_EPROCESS indicates that the target process is
162 // the current process (Current nt!_EPROCESS)
163 //
164 if (!CommandThreadListThreads(NULL))
165 {
166 ShowMessages("err, the need offset to iterate over threads not found, "
167 "make sure to load ntoskrnl.exe's PDB file. use '.help .sym' for "
168 "more information\n");
169 return;
170 }
171 }
172 else
173 {
174 ShowMessages(
175 "err, unknown parameter at '%s'\n\n",
176 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(1)).c_str());
178 return;
179 }
180 }
181 else if (CommandTokens.size() == 3)
182 {
183 //
184 // Check if it's connected to a remote debuggee or not
185 //
187 {
188 ShowMessages("err, you're not connected to any debuggee in Debugger Mode, "
189 "you can use the '.attach', or the '.detach' commands if you're "
190 "operating in VMI Mode\n");
191 return;
192 }
193
194 if (CompareLowerCaseStrings(CommandTokens.at(1), "tid"))
195 {
196 if (!ConvertTokenToUInt32(CommandTokens.at(2), &TargetThreadId))
197 {
198 ShowMessages(
199 "please specify a correct hex value for the thread id that you "
200 "want to operate on it\n\n");
202 return;
203 }
204 }
205 else if (CompareLowerCaseStrings(CommandTokens.at(1), "thread"))
206 {
207 if (!SymbolConvertNameOrExprToAddress(GetCaseSensitiveStringFromCommandToken(CommandTokens.at(2)), &TargetThread))
208 {
209 ShowMessages(
210 "please specify a correct hex value for the thread (nt!_ETHREAD) that you "
211 "want to operate on it\n\n");
213 return;
214 }
215 }
216 else if (CompareLowerCaseStrings(CommandTokens.at(1), "list") && CompareLowerCaseStrings(CommandTokens.at(2), "process"))
217 {
218 ShowMessages(
219 "please specify a hex value for the process\n\n");
221 return;
222 }
223 else
224 {
225 ShowMessages(
226 "err, unknown parameter at '%s'\n\n",
227 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(2)).c_str());
229 return;
230 }
231
232 if (CompareLowerCaseStrings(CommandTokens.at(0), ".thread2"))
233 {
234 //
235 // Check by changes to gs:[188]
236 //
237 CheckByClkIntr = FALSE;
238 }
239 else
240 {
241 //
242 // Check on clock interrupt changes
243 //
244 CheckByClkIntr = TRUE;
245 }
246
247 //
248 // Send the packet to change the thread
249 //
251 TargetThreadId,
252 TargetThread,
253 CheckByClkIntr,
254 NULL);
255 }
256 else if (CommandTokens.size() == 4)
257 {
258 if (CompareLowerCaseStrings(CommandTokens.at(1), "list"))
259 {
260 if (CompareLowerCaseStrings(CommandTokens.at(2), "process"))
261 {
262 if (!SymbolConvertNameOrExprToAddress(GetCaseSensitiveStringFromCommandToken(CommandTokens.at(3)), &TargetProcess))
263 {
264 ShowMessages(
265 "please specify a correct hex value for the process (nt!_EPROCESS) that you "
266 "want to see its threads\n\n");
268 return;
269 }
270
271 //
272 // List the target process's threads
273 //
274 if (!CommandThreadListThreads(TargetProcess))
275 {
276 ShowMessages("err, the need offset to iterate over threads not found, "
277 "make sure to load ntoskrnl.exe's PDB file. use '.help .sym' for "
278 "more information\n");
279 return;
280 }
281 }
282 else
283 {
284 ShowMessages(
285 "err, unknown parameter at '%s'\n\n",
286 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(2)).c_str());
288 return;
289 }
290 }
291 else
292 {
293 ShowMessages(
294 "err, unknown parameter at '%s'\n\n",
295 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(1)).c_str());
297 return;
298 }
299 }
300 else
301 {
302 ShowMessages("invalid parameter\n\n");
304 return;
305 }
306}
@ DEBUGGEE_DETAILS_AND_SWITCH_THREAD_PERFORM_SWITCH
Definition RequestStructures.h:1007
@ DEBUGGEE_DETAILS_AND_SWITCH_THREAD_GET_THREAD_DETAILS
Definition RequestStructures.h:1008
BOOLEAN KdSendSwitchThreadPacketToDebuggee(DEBUGGEE_DETAILS_AND_SWITCH_THREAD_TYPE ActionType, UINT32 NewTid, UINT64 NewThread, BOOLEAN CheckByClockInterrupt, PDEBUGGEE_THREAD_LIST_NEEDED_DETAILS SymDetailsForThreadList)
Sends a change thread or show threads detail packet to the debuggee.
Definition kd.cpp:858
VOID CommandThreadHelp()
help of the .thread command
Definition thread.cpp:25
BOOLEAN CommandThreadListThreads(UINT64 Eprocess)
Definition thread.cpp:50

◆ CommandTrace()

VOID CommandTrace ( vector< CommandToken > CommandTokens,
string Command )

!trace command handler

Parameters
CommandTokens
Command
Returns
VOID
52{
54 PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger = NULL;
55 PDEBUGGER_GENERAL_ACTION ActionCustomCode = NULL;
56 PDEBUGGER_GENERAL_ACTION ActionScript = NULL;
57 UINT32 EventLength;
58 UINT32 ActionBreakToDebuggerLength = 0;
59 UINT32 ActionCustomCodeLength = 0;
60 UINT32 ActionScriptLength = 0;
61 DEBUGGER_EVENT_PARSING_ERROR_CAUSE EventParsingErrorCause;
62 BOOLEAN SetTraceType = FALSE;
64
65 //
66 // Interpret and fill the general event and action fields
67 //
68 //
70 &CommandTokens,
72 &Event,
73 &EventLength,
74 &ActionBreakToDebugger,
75 &ActionBreakToDebuggerLength,
76 &ActionCustomCode,
77 &ActionCustomCodeLength,
78 &ActionScript,
79 &ActionScriptLength,
80 &EventParsingErrorCause))
81 {
82 return;
83 }
84
85 //
86 // Check for size
87 //
88 if (CommandTokens.size() > 2)
89 {
90 ShowMessages("incorrect use of the '%s'\n\n",
91 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
93
94 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
95 return;
96 }
97
98 //
99 // Interpret command specific details (if any)
100 //
101 for (auto Section : CommandTokens)
102 {
103 if (CompareLowerCaseStrings(Section, "!trace"))
104 {
105 continue;
106 }
107 else if ((CompareLowerCaseStrings(Section, "step-in") || CompareLowerCaseStrings(Section, "stepin") || CompareLowerCaseStrings(Section, "step")) && !SetTraceType)
108 {
110 SetTraceType = TRUE;
111 }
112 else if ((CompareLowerCaseStrings(Section, "step-out") || CompareLowerCaseStrings(Section, "stepout")) && !SetTraceType)
113 {
115 SetTraceType = TRUE;
116 }
117 else if ((CompareLowerCaseStrings(Section, "step-instrument") || CompareLowerCaseStrings(Section, "instrument-step") ||
118 CompareLowerCaseStrings(Section, "instrumentstep") ||
119 CompareLowerCaseStrings(Section, "instrument-step-in")) &&
120 !SetTraceType)
121 {
123 SetTraceType = TRUE;
124 }
125 else
126 {
127 //
128 // Couldn't resolve or unknown parameter
129 //
130 ShowMessages("err, couldn't resolve error at '%s'\n\n",
133
134 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
135 }
136 }
137
138 //
139 // Check if user specified the execution mode or not
140 //
141 if (!SetTraceType)
142 {
143 ShowMessages("please specify the trace type\n");
144
145 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
146 return;
147 }
148
149 //
150 // Set the first parameter to the required trace type
151 //
152 Event->Options.OptionalParam1 = (UINT64)SetTraceType;
153
154 //
155 // Send the ioctl to the kernel for event registration
156 //
157 if (!SendEventToKernel(Event, EventLength))
158 {
159 //
160 // There was an error, probably the handle was not initialized
161 // we have to free the Action before exit, it is because, we
162 // already freed the Event and string buffers
163 //
164
165 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
166 return;
167 }
168
169 //
170 // Add the event to the kernel
171 //
172 if (!RegisterActionToEvent(Event,
173 ActionBreakToDebugger,
174 ActionBreakToDebuggerLength,
175 ActionCustomCode,
176 ActionCustomCodeLength,
177 ActionScript,
178 ActionScriptLength))
179 {
180 //
181 // There was an error
182 //
183
184 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
185 return;
186 }
187}
@ DEBUGGER_EVENT_TRACE_TYPE_INVALID
Definition Events.h:221
@ DEBUGGER_EVENT_TRACE_TYPE_INSTRUMENTATION_STEP_IN
Definition Events.h:224
@ DEBUGGER_EVENT_TRACE_TYPE_STEP_IN
Definition Events.h:222
@ DEBUGGER_EVENT_TRACE_TYPE_STEP_OUT
Definition Events.h:223
@ TRAP_EXECUTION_INSTRUCTION_TRACE
Definition Events.h:170
enum _DEBUGGER_EVENT_TRACE_TYPE DEBUGGER_EVENT_TRACE_TYPE
Type of tracing events.
VOID CommandTraceHelp()
help of the !trace command
Definition trace.cpp:20

◆ CommandTrack()

VOID CommandTrack ( vector< CommandToken > CommandTokens,
string Command )

handler of !track command

Parameters
CommandTokens
Command
Returns
VOID
61{
62 UINT32 StepCount;
63 string SymbolServer;
64
65 //
66 // Validate the commands
67 //
68 if (CommandTokens.size() >= 4)
69 {
70 ShowMessages("incorrect use of the '%s'\n\n",
71 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
73 return;
74 }
75
76 //
77 // Check if we're in VMI mode
78 //
80 {
81 ShowMessages("the tracking mechanism is only supported in Debugger Mode\n");
82 return;
83 }
84
85 //
86 // Show recommendation
87 //
88 if (!CommandSettingsGetValueFromConfigFile("SymbolServer", SymbolServer))
89 {
90 ShowMessages("it is recommended to configure the symbol path '.sympath' and load "
91 "symbols before using the '!track' command command to obtain results with function "
92 "names\n");
93 }
94
95 //
96 // Reset the details of indentation and regs
97 //
100 ShowRegs = FALSE;
102
103 //
104 // Set default of stepping (tracking)
105 //
107
108 //
109 // Check parameters
110 //
111 for (auto Section : CommandTokens)
112 {
113 if (CompareLowerCaseStrings(Section, "!track") || CompareLowerCaseStrings(Section, "track"))
114 {
115 continue;
116 }
117
118 //
119 // check if the second param is a number
120 //
121 if (ConvertTokenToUInt32(Section, &StepCount))
122 {
123 continue;
124 }
125 else if (CompareLowerCaseStrings(Section, "tree"))
126 {
127 //
128 // Default
129 //
130 ShowRegs = FALSE;
131 }
132 else if (CompareLowerCaseStrings(Section, "reg"))
133 {
134 ShowRegs = TRUE;
135 }
136 else
137 {
138 ShowMessages("err, couldn't resolve error at '%s'\n\n",
140 return;
141 }
142 }
143
144 //
145 // Check if the remote serial debuggee or user debugger are paused or not
146 //
148 {
149 //
150 // Indicate that we're instrumenting
151 //
153
154 for (SIZE_T i = 0; i < StepCount; i++)
155 {
156 //
157 // For logging purpose
158 //
159 // ShowMessages("percentage : %f %% (%x)\n", 100.0 * (i /
160 // (float)StepCount), i);
161 //
162
163 //
164 // It's stepping over serial connection in kernel debugger
165 //
167
169 {
171
172 //
173 // Show registers
174 //
176
177 ShowMessages("\n");
178 }
179
180 //
181 // Check if user pressed CTRL+C
182 //
184 {
185 break;
186 }
187 }
188
189 //
190 // We're not instrumenting instructions anymore
191 //
193 }
194 else
195 {
196 ShowMessages("err, tracking is not valid in the current context, you "
197 "should connect to a debuggee\n");
198 }
199}
BOOLEAN SteppingInstrumentationStepInForTracking()
Perform Instrumentation Step-in for Tracking.
Definition steppings.cpp:53
volatile BOOLEAN RequestShowingRegs
Definition track.cpp:28
BOOLEAN ShowRegs
Definition track.cpp:27
VOID CommandTrackHelp()
help of the !track command
Definition track.cpp:36
BOOLEAN IsCallInstructionVisited
Definition track.cpp:26
UINT32 NumberOfCallsIdentation
Definition track.cpp:25

◆ CommandTsc()

VOID CommandTsc ( vector< CommandToken > CommandTokens,
string Command )

handler of !tsc command

Parameters
CommandTokens
Command
Returns
VOID
47{
49 PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger = NULL;
50 PDEBUGGER_GENERAL_ACTION ActionCustomCode = NULL;
51 PDEBUGGER_GENERAL_ACTION ActionScript = NULL;
52 UINT32 EventLength;
53 UINT32 ActionBreakToDebuggerLength = 0;
54 UINT32 ActionCustomCodeLength = 0;
55 UINT32 ActionScriptLength = 0;
56 DEBUGGER_EVENT_PARSING_ERROR_CAUSE EventParsingErrorCause;
57
58 //
59 // Interpret and fill the general event and action fields
60 //
61 //
63 &CommandTokens,
65 &Event,
66 &EventLength,
67 &ActionBreakToDebugger,
68 &ActionBreakToDebuggerLength,
69 &ActionCustomCode,
70 &ActionCustomCodeLength,
71 &ActionScript,
72 &ActionScriptLength,
73 &EventParsingErrorCause))
74 {
75 return;
76 }
77
78 //
79 // Check for size
80 //
81 if (CommandTokens.size() > 1)
82 {
83 ShowMessages("incorrect use of the '%s'\n\n",
84 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
85
87
88 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
89 return;
90 }
91
92 //
93 // Send the ioctl to the kernel for event registration
94 //
95 if (!SendEventToKernel(Event, EventLength))
96 {
97 //
98 // There was an error, probably the handle was not initialized
99 // we have to free the Action before exit, it is because, we
100 // already freed the Event and string buffers
101 //
102
103 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
104 return;
105 }
106
107 //
108 // Add the event to the kernel
109 //
110 if (!RegisterActionToEvent(Event,
111 ActionBreakToDebugger,
112 ActionBreakToDebuggerLength,
113 ActionCustomCode,
114 ActionCustomCodeLength,
115 ActionScript,
116 ActionScriptLength))
117 {
118 //
119 // There was an error
120 //
121
122 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
123 return;
124 }
125}
@ TSC_INSTRUCTION_EXECUTION
Definition Events.h:151
VOID CommandTscHelp()
help of the !tsc command
Definition tsc.cpp:20

◆ CommandUnhide()

VOID CommandUnhide ( vector< CommandToken > CommandTokens,
string Command )

!unhide command handler

Parameters
CommandTokens
Command
Returns
VOID
101{
102 if (CommandTokens.size() >= 2)
103 {
104 ShowMessages("incorrect use of the '%s'\n\n",
105 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
106
108 return;
109 }
110
111 //
112 // Disable transparent mode
113 //
115}
VOID CommandUnhideHelp()
help of the !unhide command
Definition unhide.cpp:25
BOOLEAN HyperDbgDisableTransparentMode()
Disable transparent mode.
Definition unhide.cpp:41

◆ CommandUnload()

VOID CommandUnload ( vector< CommandToken > CommandTokens,
string Command )

unload command handler

Parameters
CommandTokens
Command
Returns
VOID
83{
84 if (CommandTokens.size() != 2 && CommandTokens.size() != 3)
85 {
86 ShowMessages("incorrect use of the '%s'\n\n",
87 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
89 return;
90 }
91
92 //
93 // Check for the module
94 //
95 if (CommandTokens.size() == 2 &&
96 (CompareLowerCaseStrings(CommandTokens.at(1), "vmm") || CompareLowerCaseStrings(CommandTokens.at(1), "vm")))
97 {
98 //
99 // Check the environment
100 //
102 {
103 return;
104 }
105
107 {
109
110 HyperDbgUnloadKd(); // Test: Should be removed
111 }
112 else
113 {
114 ShowMessages("the vmm module is not loadedd\n");
115 }
116 }
117 else if (CommandTokens.size() == 2 &&
118 (CompareLowerCaseStrings(CommandTokens.at(1), "trace") || CompareLowerCaseStrings(CommandTokens.at(1), "hypertrace")))
119 {
120 //
121 // Check the environment
122 //
124 {
125 return;
126 }
127
129 {
131 }
132 else
133 {
134 ShowMessages("the trace (hypertrace) module is not loadedd\n");
135 }
136 }
137 else if (CommandTokens.size() == 2 &&
138 (CompareLowerCaseStrings(CommandTokens.at(1), "kd") || CompareLowerCaseStrings(CommandTokens.at(1), "dbg") ||
139 CompareLowerCaseStrings(CommandTokens.at(1), "debugger") || CompareLowerCaseStrings(CommandTokens.at(1), "debug") ||
140 CompareLowerCaseStrings(CommandTokens.at(1), "kerneldebugger") || CompareLowerCaseStrings(CommandTokens.at(1), "kerneldebug")))
141 {
142 //
143 // Check the environment
144 //
146 {
147 return;
148 }
149
151 {
153 }
154 else
155 {
156 ShowMessages("the kd (kernel debugger) module is not loadedd\n");
157 }
158 }
159 else if (CommandTokens.size() == 2 &&
160 (CompareLowerCaseStrings(CommandTokens.at(1), "all") || CompareLowerCaseStrings(CommandTokens.at(1), ".")))
161 {
162 //
163 // Check the environment
164 //
166 {
167 return;
168 }
169
170 //
171 // Check if any module is loaded
172 //
174 {
175 ShowMessages("no module is loaded\n");
176 return;
177 }
178
179 ShowMessages("unloading all modules\n");
180
181 //
182 // Unload all modules
183 //
184 if (HyperDbgUnloadAllModules() != 0)
185 {
186 ShowMessages("err, failed to unload all modules\n");
187 return;
188 }
189 else
190 {
191 ShowMessages("all modules are unloaded\n");
192 }
193 }
194 else if (CommandTokens.size() == 3 && CompareLowerCaseStrings(CommandTokens.at(1), "remove") &&
195 (CompareLowerCaseStrings(CommandTokens.at(2), "all") ||
196 CompareLowerCaseStrings(CommandTokens.at(2), ".") ||
197 CompareLowerCaseStrings(CommandTokens.at(2), "vmm") ||
198 CompareLowerCaseStrings(CommandTokens.at(2), "vm")))
199 {
200 //
201 // Check the environment
202 //
204 {
205 return;
206 }
207
208 //
209 // Unload all modules before removing the driver
210 //
212 {
213 ShowMessages("err, failed to unload all modules\n");
214 return;
215 }
216
217 //
218 // Stop the driver
219 //
221 {
222 ShowMessages("err, failed to stop driver\n");
223 return;
224 }
225
226 //
227 // Uninstall the driver
228 //
230 {
231 ShowMessages("err, failed to uninstall the driver\n");
232 return;
233 }
234
235 ShowMessages("all drivers are removed\n");
236 }
237 else
238 {
239 //
240 // Module not found
241 //
242 ShowMessages("err, module not found\n");
243 }
244}
INT HyperDbgUnloadVmm()
Unload VMM module.
Definition libhyperdbg.cpp:388
BOOLEAN HyperDbgIsAnyModuleLoaded()
check if any module is loaded (KD, VMM, HyperTrace, etc.)
Definition libhyperdbg.cpp:604
INT HyperDbgUnloadHyperTrace()
Unload HyperTrace module.
Definition libhyperdbg.cpp:457
INT HyperDbgStopKdDriver()
Stop KD driver.
Definition libhyperdbg.cpp:144
INT HyperDbgUnloadKd()
Unload KD driver.
Definition libhyperdbg.cpp:505
INT HyperDbgUninstallKdDriver()
Remove the KD (Kernel Debugger) driver.
Definition libhyperdbg.cpp:178
VOID CommandUnloadHelp()
help of the unload command
Definition unload.cpp:30
BOOLEAN CommandUnloadCheckEnvironment()
check the environment for unload command
Definition unload.cpp:51

◆ CommandVa2pa()

VOID CommandVa2pa ( vector< CommandToken > CommandTokens,
string Command )

!va2pa command handler

Parameters
CommandTokens
Command
Returns
VOID
52{
53 BOOL Status;
54 ULONG ReturnedLength;
55 UINT64 TargetVa;
56 UINT32 Pid = 0;
57 DEBUGGER_VA2PA_AND_PA2VA_COMMANDS AddressDetails = {0};
58
59 if (CommandTokens.size() == 1 || CommandTokens.size() >= 5 || CommandTokens.size() == 3)
60 {
61 ShowMessages("incorrect use of the '%s'\n\n",
62 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
64 return;
65 }
66
67 //
68 // By default if the user-debugger is active, we use these commands
69 // on the memory layout of the debuggee process
70 //
72 {
73 Pid = g_ActiveProcessDebuggingState.ProcessId;
74 }
75
76 if (CommandTokens.size() == 2)
77 {
78 //
79 // It's just an address for current process
80 //
82 {
83 //
84 // Couldn't resolve or unknown parameter
85 //
86 ShowMessages("err, couldn't resolve error at '%s'\n",
87 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(1)).c_str());
88 return;
89 }
90 }
91 else
92 {
93 //
94 // It might be address + pid
95 //
96 if (CompareLowerCaseStrings(CommandTokens.at(1), "pid"))
97 {
98 if (!ConvertTokenToUInt32(CommandTokens.at(2), &Pid))
99 {
100 ShowMessages("incorrect address, please enter a valid process id\n");
101 return;
102 }
103
105 {
106 //
107 // Couldn't resolve or unknown parameter
108 //
109 ShowMessages("err, couldn't resolve error at '%s'\n",
110 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(3)).c_str());
111 return;
112 }
113 }
114 else if (CompareLowerCaseStrings(CommandTokens.at(2), "pid"))
115 {
117 {
118 //
119 // Couldn't resolve or unknown parameter
120 //
121 ShowMessages("err, couldn't resolve error at '%s'\n",
122 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(1)).c_str());
123 return;
124 }
125
126 if (!ConvertTokenToUInt32(CommandTokens.at(3), &Pid))
127 {
128 ShowMessages("incorrect address, please enter a valid process id\n");
129 return;
130 }
131 }
132 else
133 {
134 ShowMessages("incorrect use of the '%s'\n\n",
135 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
137 return;
138 }
139 }
140
141 //
142 // Prepare the buffer
143 // We use same buffer for input and output
144 //
145 AddressDetails.VirtualAddress = TargetVa;
146 AddressDetails.ProcessId = Pid; // null in debugger mode
147 AddressDetails.IsVirtual2Physical = TRUE;
148
150 {
151 //
152 // Check to prevent using process id in !va2pa command
153 //
154 if (Pid != 0)
155 {
157 return;
158 }
159
160 //
161 // Send the request over serial kernel debugger
162 //
163
165 }
166 else
167 {
169
170 if (Pid == 0)
171 {
172 Pid = GetCurrentProcessId();
173 AddressDetails.ProcessId = Pid;
174 }
175
176 //
177 // Send IOCTL
178 //
179 Status = DeviceIoControl(
180 g_DeviceHandle, // Handle to device
181 IOCTL_DEBUGGER_VA2PA_AND_PA2VA_COMMANDS, // IO Control Code (IOCTL)
182 &AddressDetails, // Input Buffer to driver.
183 SIZEOF_DEBUGGER_VA2PA_AND_PA2VA_COMMANDS, // Input buffer length
184 &AddressDetails, // Output Buffer from driver.
186 // buffer in bytes.
187 &ReturnedLength, // Bytes placed in buffer.
188 NULL // synchronous call
189 );
190
191 if (!Status)
192 {
193 ShowMessages("ioctl failed with code 0x%x\n", GetLastError());
194 return;
195 }
196
198 {
199 //
200 // Show the results
201 //
202 ShowMessages("%llx\n", AddressDetails.PhysicalAddress);
203 }
204 else
205 {
206 //
207 // An err occurred, no results
208 //
209 ShowErrorMessage(AddressDetails.KernelStatus);
210 }
211 }
212}
VOID CommandVa2paHelp()
help of the !va2pa command
Definition va2pa.cpp:27

◆ CommandVmcall()

VOID CommandVmcall ( vector< CommandToken > CommandTokens,
string Command )

!vmcall command handler

Parameters
CommandTokens
Command
Returns
VOID
47{
49 PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger = NULL;
50 PDEBUGGER_GENERAL_ACTION ActionCustomCode = NULL;
51 PDEBUGGER_GENERAL_ACTION ActionScript = NULL;
52 UINT32 EventLength;
53 UINT32 ActionBreakToDebuggerLength = 0;
54 UINT32 ActionCustomCodeLength = 0;
55 UINT32 ActionScriptLength = 0;
56 DEBUGGER_EVENT_PARSING_ERROR_CAUSE EventParsingErrorCause;
57
58 //
59 // Interpret and fill the general event and action fields
60 //
61 //
63 &CommandTokens,
65 &Event,
66 &EventLength,
67 &ActionBreakToDebugger,
68 &ActionBreakToDebuggerLength,
69 &ActionCustomCode,
70 &ActionCustomCodeLength,
71 &ActionScript,
72 &ActionScriptLength,
73 &EventParsingErrorCause))
74 {
75 return;
76 }
77
78 //
79 // Check for size
80 //
81 if (CommandTokens.size() > 1)
82 {
83 ShowMessages("incorrect use of the '%s'\n\n",
84 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
86
87 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
88 return;
89 }
90
91 //
92 // Send the ioctl to the kernel for event registration
93 //
94 if (!SendEventToKernel(Event, EventLength))
95 {
96 //
97 // There was an error, probably the handle was not initialized
98 // we have to free the Action before exit, it is because, we
99 // already freed the Event and string buffers
100 //
101
102 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
103 return;
104 }
105
106 //
107 // Add the event to the kernel
108 //
109 if (!RegisterActionToEvent(Event,
110 ActionBreakToDebugger,
111 ActionBreakToDebuggerLength,
112 ActionCustomCode,
113 ActionCustomCodeLength,
114 ActionScript,
115 ActionScriptLength))
116 {
117 //
118 // There was an error
119 //
120
121 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
122 return;
123 }
124}
@ VMCALL_INSTRUCTION_EXECUTION
Definition Events.h:157
VOID CommandVmcallHelp()
help of the !vmcall command
Definition vmcall.cpp:20

◆ CommandWrmsr()

VOID CommandWrmsr ( vector< CommandToken > CommandTokens,
string Command )

wrmsr command handler

Parameters
CommandTokens
Command
Returns
VOID
48{
49 BOOL Status;
50 UINT64 Msr;
51 ULONG ReturnedLength;
52 DEBUGGER_READ_AND_WRITE_ON_MSR MsrWriteRequest = {0};
53 BOOL IsNextCoreId = FALSE;
54 BOOL SetMsr = FALSE;
56 UINT64 Value = 0;
58 BOOLEAN IsFirstCommand = TRUE;
59
60 if (CommandTokens.size() >= 6)
61 {
62 ShowMessages("incorrect use of the '%s'\n\n",
63 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
65 return;
66 }
67
68 for (auto Section : CommandTokens)
69 {
70 if (IsFirstCommand == TRUE)
71 {
72 IsFirstCommand = FALSE;
73 continue;
74 }
75
76 if (IsNextCoreId)
77 {
78 if (!ConvertTokenToUInt32(Section, &CoreNumer))
79 {
80 ShowMessages("please specify a correct hex value for core id\n\n");
82 return;
83 }
84
85 IsNextCoreId = FALSE;
86 continue;
87 }
88
89 if (CompareLowerCaseStrings(Section, "core"))
90 {
91 IsNextCoreId = TRUE;
92 continue;
93 }
94
95 if (!SetMsr)
96 {
97 if (!ConvertTokenToUInt64(Section, &Msr))
98 {
99 ShowMessages("please specify a correct hex value to be read\n\n");
101 return;
102 }
103 else
104 {
105 //
106 // Means that the MSR is set, next we should read value
107 //
108 SetMsr = TRUE;
109 continue;
110 }
111 }
112
113 if (SetMsr)
114 {
116 {
117 ShowMessages(
118 "please specify a correct hex value or an expression to put on the msr\n\n");
120 return;
121 }
122 else
123 {
124 SetValue = TRUE;
125 continue;
126 }
127 }
128 }
129
130 //
131 // Check if msr is set or not
132 //
133 if (!SetMsr)
134 {
135 ShowMessages("please specify a correct hex value to write\n\n");
137 return;
138 }
139
140 if (!SetValue)
141 {
142 ShowMessages("please specify a correct hex value to put on msr\n\n");
144 return;
145 }
146
147 if (IsNextCoreId)
148 {
149 ShowMessages("please specify a correct hex value for core\n\n");
151 return;
152 }
153
155
156 MsrWriteRequest.ActionType = DEBUGGER_MSR_WRITE;
157 MsrWriteRequest.Msr = Msr;
158 MsrWriteRequest.CoreNumber = CoreNumer;
159 MsrWriteRequest.Value = Value;
160
161 Status = DeviceIoControl(
162 g_DeviceHandle, // Handle to device
163 IOCTL_DEBUGGER_READ_OR_WRITE_MSR, // IO Control Code (IOCTL)
164 &MsrWriteRequest, // Input Buffer to driver.
165 SIZEOF_DEBUGGER_READ_AND_WRITE_ON_MSR, // Input buffer length
166 &MsrWriteRequest, // Output Buffer from driver.
167 SIZEOF_DEBUGGER_READ_AND_WRITE_ON_MSR, // Length of output buffer in bytes.
168 &ReturnedLength, // Bytes placed in buffer.
169 NULL // synchronous call
170 );
171
172 if (!Status)
173 {
174 ShowMessages("ioctl failed with code (%x), either msr index or core id is invalid\n",
175 GetLastError());
176 return;
177 }
178
179 ShowMessages("\n");
180}
@ DEBUGGER_MSR_WRITE
Definition RequestStructures.h:451
UINT64 Value
Definition RequestStructures.h:465
VOID CommandWrmsrHelp()
help of the wrmsr command
Definition wrmsr.cpp:25

◆ CommandX()

VOID CommandX ( vector< CommandToken > CommandTokens,
string Command )

x command handler

Parameters
CommandTokens
Command
Returns
VOID
42{
43 if (CommandTokens.size() != 2)
44 {
45 ShowMessages("incorrect use of the '%s'\n\n",
46 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
48 return;
49 }
50
51 //
52 // Search for mask
53 //
55}
UINT32 ScriptEngineSearchSymbolForMaskWrapper(const CHAR *SearchMask)
ScriptEngineSearchSymbolForMask wrapper.
Definition script-engine-wrapper.cpp:117
VOID CommandXHelp()
help of the x command
Definition x.cpp:20

◆ CommandXsetbv()

VOID CommandXsetbv ( vector< CommandToken > CommandTokens,
string Command )

!xsetbv command handler

Parameters
CommandTokens
Command
Returns
VOID
48{
50 PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger = NULL;
51 PDEBUGGER_GENERAL_ACTION ActionCustomCode = NULL;
52 PDEBUGGER_GENERAL_ACTION ActionScript = NULL;
53 BOOLEAN GetXcr = FALSE;
54 UINT32 EventLength;
55 UINT64 SpecialTarget = 0;
56 UINT32 ActionBreakToDebuggerLength = 0;
57 UINT32 ActionCustomCodeLength = 0;
58 UINT32 ActionScriptLength = 0;
59 DEBUGGER_EVENT_PARSING_ERROR_CAUSE EventParsingErrorCause;
60
61 //
62 // Interpret and fill the general event and action fields
63 //
65 &CommandTokens,
67 &Event,
68 &EventLength,
69 &ActionBreakToDebugger,
70 &ActionBreakToDebuggerLength,
71 &ActionCustomCode,
72 &ActionCustomCodeLength,
73 &ActionScript,
74 &ActionScriptLength,
75 &EventParsingErrorCause))
76 {
77 return;
78 }
79
80 //
81 // Interpret command specific details (if any), of XCR index
82 //
83 for (auto Section : CommandTokens)
84 {
85 if (CompareLowerCaseStrings(Section, "!xsetbv"))
86 {
87 continue;
88 }
89 else if (!GetXcr)
90 {
91 //
92 // It's probably an XCR index
93 //
94 if (!ConvertTokenToUInt64(Section, &SpecialTarget))
95 {
96 //
97 // Unknown parameter
98 //
99 ShowMessages("unknown parameter '%s'\n\n",
102
103 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
104 return;
105 }
106 else
107 {
108 //
109 // A special XCR is set
110 //
111 GetXcr = TRUE;
112 }
113 }
114 else
115 {
116 //
117 // Unknown parameter
118 //
119 ShowMessages("unknown parameter '%s'\n\n",
121
123
124 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
125 return;
126 }
127 }
128
129 //
130 // Set the target XCR (if not specific then it means all XCRs)
131 //
132 Event->Options.OptionalParam1 = GetXcr;
133
134 if (GetXcr)
135 {
136 Event->Options.OptionalParam2 = SpecialTarget;
137 }
138
139 //
140 // Send the ioctl to the kernel for event registration
141 //
142 if (!SendEventToKernel(Event, EventLength))
143 {
144 //
145 // There was an error, probably the handle was not initialized
146 // we have to free the Action before exit, it is because, we
147 // already freed the Event and string buffers
148 //
149
150 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
151 return;
152 }
153
154 //
155 // Add the event to the kernel
156 //
157 if (!RegisterActionToEvent(Event,
158 ActionBreakToDebugger,
159 ActionBreakToDebuggerLength,
160 ActionCustomCode,
161 ActionCustomCodeLength,
162 ActionScript,
163 ActionScriptLength))
164 {
165 //
166 // There was an error
167 //
168 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
169 return;
170 }
171}
@ XSETBV_INSTRUCTION_EXECUTION
Definition Events.h:175
VOID CommandXsetbvHelp()
help of the !xsetbv command
Definition xsetbv.cpp:20

◆ CommandXsetbvHelp()

VOID CommandXsetbvHelp ( )

help of the !xsetbv command

Returns
VOID
21{
22 ShowMessages("!xsetbv : monitors execution of xsetbv instructions.\n\n");
23
24 ShowMessages("syntax : \t!xsetbv [Xcr (hex)] [pid ProcessId (hex)] [core CoreId (hex)] "
25 "[imm IsImmediate (yesno)] [sc EnableShortCircuiting (onoff)] [stage CallingStage (prepostall)] "
26 "[buffer PreAllocatedBuffer (hex)] [script { Script (string) }] [asm condition { Condition (assembly/hex) }] "
27 "[asm code { Code (assembly/hex) }] [output {OutputName (string)}]\n");
28
29 ShowMessages("\n");
30 ShowMessages("\t\te.g : !xsetbv\n");
31 ShowMessages("\t\te.g : !xsetbv 0\n");
32 ShowMessages("\t\te.g : !xsetbv pid 400\n");
33 ShowMessages("\t\te.g : !xsetbv core 2 pid 400\n");
34 ShowMessages("\t\te.g : !xsetbv script { printf(\"XSETBV instruction is executed with XCR index: %%llx\\n\", @rcx); }\n");
35 ShowMessages("\t\te.g : !xsetbv asm code { nop; nop; nop }\n");
36}

◆ ContinuePreviousCommand()

BOOLEAN ContinuePreviousCommand ( )

Some of commands like stepping commands (i, p, t) and etc. need to be repeated when the user press enter, this function shows whether we should continue the previous command or not.

Returns
TRUE means the command should be continued, FALSE means command should be ignored
1230{
1232
1233 //
1234 // We should keep it FALSE for the next command
1235 //
1237
1238 if (Result)
1239 {
1240 return TRUE;
1241 }
1242 else
1243 {
1244 return FALSE;
1245 }
1246}
BOOLEAN g_ShouldPreviousCommandBeContinued
Shows whether the previous command should be continued or not.
Definition globals.h:342

◆ CpuReadVendorString()

VOID CpuReadVendorString ( CHAR * Result)

Reads the CPU vendor string.

Returns
VOID
253{
254 std::string VendorString = InstructionSet::Vendor();
255 strcpy(Result, VendorString.c_str());
256}
static std::string Vendor(void)
Definition cpu.cpp:60

◆ HyperDbgCheckWhetherTheCurrentInstructionIsCall()

BOOLEAN HyperDbgCheckWhetherTheCurrentInstructionIsCall ( UCHAR * BufferToDisassemble,
UINT64 BuffLength,
BOOLEAN Isx86_64,
PUINT32 CallLength )

Check whether the current instruction is a 'call' or not.

Parameters
BufferToDisassembleCurrent Bytes of assembly
BuffLengthLength of buffer
Isx86_64Whether it's an x86 or x64
CallLengthLength of call (if return value is TRUE)
Returns
BOOLEAN
760{
761 ZydisDecoder decoder;
762 ZydisFormatter formatter;
763 ZydisDecodedOperand operands[ZYDIS_MAX_OPERAND_COUNT];
764 UINT64 CurrentRip = 0;
765 INT InstrDecoded = 0;
766 ZydisDecodedInstruction instruction;
767 CHAR buffer[256];
768 UINT32 MaximumInstrDecoded = 1;
769
770 //
771 // Default length
772 //
773 *CallLength = 0;
774
775 if (ZydisGetVersion() != ZYDIS_VERSION)
776 {
777 ShowMessages("invalid zydis version\n");
779 }
780
781 if (Isx86_64)
782 {
783 ZydisDecoderInit(&decoder, ZYDIS_MACHINE_MODE_LONG_64, ZYDIS_STACK_WIDTH_64);
784 }
785 else
786 {
787 ZydisDecoderInit(&decoder, ZYDIS_MACHINE_MODE_LONG_COMPAT_32, ZYDIS_STACK_WIDTH_32);
788 }
789
790 ZydisFormatterInit(&formatter, ZYDIS_FORMATTER_STYLE_INTEL);
791
792 ZydisFormatterSetProperty(&formatter, ZYDIS_FORMATTER_PROP_FORCE_SEGMENT, ZYAN_TRUE);
793 ZydisFormatterSetProperty(&formatter, ZYDIS_FORMATTER_PROP_FORCE_SIZE, ZYAN_TRUE);
794
795 //
796 // Replace the `ZYDIS_FORMATTER_FUNC_PRINT_ADDRESS_ABS` function that
797 // formats the absolute addresses
798 //
800 (ZydisFormatterFunc)&ZydisFormatterPrintAddressAbsolute;
801 ZydisFormatterSetHook(&formatter, ZYDIS_FORMATTER_FUNC_PRINT_ADDRESS_ABS, (const void **)&default_print_address_absolute);
802
803 while (ZYAN_SUCCESS(ZydisDecoderDecodeFull(&decoder, BufferToDisassemble, BuffLength, &instruction, operands)))
804 {
805 //
806 // We have to pass a `runtime_address` different to
807 // `ZYDIS_RUNTIME_ADDRESS_NONE` to enable printing of absolute addresses
808 //
809
810 ZydisFormatterFormatInstruction(&formatter, &instruction, operands, instruction.operand_count_visible, &buffer[0], sizeof(buffer), (ZyanU64)CurrentRip, ZYAN_NULL);
811
812 if (instruction.mnemonic == ZydisMnemonic::ZYDIS_MNEMONIC_CALL)
813 {
814 //
815 // It's a call
816 //
817
818 //
819 // Log call
820 //
821 // ShowMessages("call length : 0x%x\n", instruction.length);
822
823 //
824 // Set the length
825 //
826 *CallLength = instruction.length;
827
828 return TRUE;
829 }
830 else
831 {
832 //
833 // It's not call
834 //
835 return FALSE;
836 }
837 }
838
839 //
840 // Should not reach here
841 //
842 return FALSE;
843}
int INT
Definition BasicTypes.h:43
@ DEBUGGER_CONDITIONAL_JUMP_STATUS_ERROR
Definition RequestStructures.h:1569
ZydisFormatterFunc default_print_address_absolute
Definition disassembler.cpp:61

◆ HyperDbgCheckWhetherTheCurrentInstructionIsCallOrRet()

BOOLEAN HyperDbgCheckWhetherTheCurrentInstructionIsCallOrRet ( UCHAR * BufferToDisassemble,
UINT64 CurrentRip,
UINT32 BuffLength,
BOOLEAN Isx86_64,
PBOOLEAN IsRet )

Check whether the current instruction is a 'call' or 'ret' or not.

Parameters
BufferToDisassembleCurrent Bytes of assembly
CurrentRipAddress of current RIP
BuffLengthLength of buffer
Isx86_64Whether it's an x86 or x64
IsRetWhether it's a 'ret' or not
Returns
BOOLEAN
989{
990 ZydisDecoder decoder;
991 ZydisFormatter formatter;
992 ZydisDecodedOperand operands[ZYDIS_MAX_OPERAND_COUNT];
993 INT InstrDecoded = 0;
994 ZydisDecodedInstruction instruction;
995 CHAR buffer[256];
996 UINT32 MaximumInstrDecoded = 1;
997
998 if (ZydisGetVersion() != ZYDIS_VERSION)
999 {
1000 ShowMessages("invalid zydis version\n");
1002 }
1003
1004 if (!Isx86_64)
1005 {
1006 ZydisDecoderInit(&decoder, ZYDIS_MACHINE_MODE_LONG_64, ZYDIS_STACK_WIDTH_64);
1007 }
1008 else
1009 {
1010 ZydisDecoderInit(&decoder, ZYDIS_MACHINE_MODE_LONG_COMPAT_32, ZYDIS_STACK_WIDTH_32);
1011 }
1012
1013 ZydisFormatterInit(&formatter, ZYDIS_FORMATTER_STYLE_INTEL);
1014
1015 ZydisFormatterSetProperty(&formatter, ZYDIS_FORMATTER_PROP_FORCE_SEGMENT, ZYAN_TRUE);
1016 ZydisFormatterSetProperty(&formatter, ZYDIS_FORMATTER_PROP_FORCE_SIZE, ZYAN_TRUE);
1017
1018 //
1019 // Replace the `ZYDIS_FORMATTER_FUNC_PRINT_ADDRESS_ABS` function that
1020 // formats the absolute addresses
1021 //
1023 (ZydisFormatterFunc)&ZydisFormatterPrintAddressAbsoluteForTrackingInstructions;
1024 ZydisFormatterSetHook(&formatter, ZYDIS_FORMATTER_FUNC_PRINT_ADDRESS_ABS, (const void **)&default_print_address_absolute);
1025
1026 while (ZYAN_SUCCESS(ZydisDecoderDecodeFull(&decoder, BufferToDisassemble, BuffLength, &instruction, operands)))
1027 {
1028 if (instruction.mnemonic == ZydisMnemonic::ZYDIS_MNEMONIC_CALL)
1029 {
1030 //
1031 // It's a 'call' instruction
1032 //
1033
1034 //
1035 // Log call
1036 //
1037 // ShowMessages("call length : 0x%x\n", instruction.length);
1038
1039 //
1040 // We have to pass a `runtime_address` different to
1041 // `ZYDIS_RUNTIME_ADDRESS_NONE` to enable printing of absolute addresses
1042 //
1043
1044 ZydisFormatterFormatInstruction(&formatter, &instruction, operands, instruction.operand_count_visible, &buffer[0], sizeof(buffer), (ZyanU64)CurrentRip, ZYAN_NULL);
1045
1046 *IsRet = FALSE;
1047
1048 return TRUE;
1049 }
1050 else if (instruction.mnemonic == ZydisMnemonic::ZYDIS_MNEMONIC_RET)
1051 {
1052 //
1053 // It's a 'ret' instruction
1054 //
1055
1056 //
1057 // Log ret
1058 //
1059 // ShowMessages("ret length : 0x%x\n", instruction.length);
1060
1061 //
1062 // Call the tracker callback
1063 //
1065
1066 *IsRet = TRUE;
1067
1068 return TRUE;
1069 }
1070 else
1071 {
1072 //
1073 // It's not call
1074 //
1075 return FALSE;
1076 }
1077 }
1078
1079 //
1080 // Should not reach here
1081 //
1082 return FALSE;
1083}
VOID CommandTrackHandleReceivedRetInstructions(UINT64 CurrentRip)
Handle received 'ret'.
Definition track.cpp:282

◆ HyperDbgCheckWhetherTheCurrentInstructionIsRet()

BOOLEAN HyperDbgCheckWhetherTheCurrentInstructionIsRet ( UCHAR * BufferToDisassemble,
UINT64 BuffLength,
BOOLEAN Isx86_64 )

Check whether the current instruction is a 'ret' or not.

Parameters
BufferToDisassembleCurrent Bytes of assembly
BuffLengthLength of buffer
Isx86_64Whether it's an x86 or x64
Returns
BOOLEAN
1099{
1100 ZydisDecoder decoder;
1101 ZydisFormatter formatter;
1102 ZydisDecodedOperand operands[ZYDIS_MAX_OPERAND_COUNT];
1103 UINT64 CurrentRip = 0;
1104 INT InstrDecoded = 0;
1105 ZydisDecodedInstruction instruction;
1106 CHAR buffer[256];
1107 UINT32 MaximumInstrDecoded = 1;
1108
1109 if (ZydisGetVersion() != ZYDIS_VERSION)
1110 {
1111 ShowMessages("invalid zydis version\n");
1113 }
1114
1115 if (Isx86_64)
1116 {
1117 ZydisDecoderInit(&decoder, ZYDIS_MACHINE_MODE_LONG_64, ZYDIS_STACK_WIDTH_64);
1118 }
1119 else
1120 {
1121 ZydisDecoderInit(&decoder, ZYDIS_MACHINE_MODE_LONG_COMPAT_32, ZYDIS_STACK_WIDTH_32);
1122 }
1123
1124 ZydisFormatterInit(&formatter, ZYDIS_FORMATTER_STYLE_INTEL);
1125
1126 ZydisFormatterSetProperty(&formatter, ZYDIS_FORMATTER_PROP_FORCE_SEGMENT, ZYAN_TRUE);
1127 ZydisFormatterSetProperty(&formatter, ZYDIS_FORMATTER_PROP_FORCE_SIZE, ZYAN_TRUE);
1128
1129 //
1130 // Replace the `ZYDIS_FORMATTER_FUNC_PRINT_ADDRESS_ABS` function that
1131 // formats the absolute addresses
1132 //
1134 (ZydisFormatterFunc)&ZydisFormatterPrintAddressAbsolute;
1135 ZydisFormatterSetHook(&formatter, ZYDIS_FORMATTER_FUNC_PRINT_ADDRESS_ABS, (const void **)&default_print_address_absolute);
1136
1137 while (ZYAN_SUCCESS(ZydisDecoderDecodeFull(&decoder, BufferToDisassemble, BuffLength, &instruction, operands)))
1138 {
1139 //
1140 // We have to pass a `runtime_address` different to
1141 // `ZYDIS_RUNTIME_ADDRESS_NONE` to enable printing of absolute addresses
1142 //
1143
1144 ZydisFormatterFormatInstruction(&formatter, &instruction, operands, instruction.operand_count_visible, &buffer[0], sizeof(buffer), (ZyanU64)CurrentRip, ZYAN_NULL);
1145
1146 if (instruction.mnemonic == ZydisMnemonic::ZYDIS_MNEMONIC_RET)
1147 {
1148 //
1149 // It's a ret
1150 //
1151
1152 //
1153 // Log ret
1154 //
1155 // ShowMessages("ret length : 0x%x\n", instruction.length);
1156
1157 return TRUE;
1158 }
1159 else
1160 {
1161 //
1162 // It's not ret
1163 //
1164 return FALSE;
1165 }
1166 }
1167
1168 //
1169 // Should not reach here
1170 //
1171 return FALSE;
1172}

◆ HyperDbgDisassembler32()

INT HyperDbgDisassembler32 ( UCHAR * BufferToDisassemble,
UINT64 BaseAddress,
UINT64 Size,
UINT32 MaximumInstrDecoded,
BOOLEAN ShowBranchIsTakenOrNot,
PRFLAGS Rflags )

Disassemble 32 bit assemblies.

Parameters
BufferToDisassemblebuffer to disassemble
BaseAddressthe base address of assembly
Sizesize of buffer
MaximumInstrDecodedmaximum instructions to decode, 0 means all possible
ShowBranchIsTakenOrNoton conditional jumps shows whether jumps is taken or not
Rflagsin the case ShowBranchIsTakenOrNot is true, we use this variable to show the result of jump
Returns
INT
379{
380 if (ZydisGetVersion() != ZYDIS_VERSION)
381 {
382 fputs("Invalid Zydis version\n", ZYAN_STDERR);
383 return EXIT_FAILURE;
384 }
385
386 ZydisDecoder decoder;
387 ZydisDecoderInit(&decoder, ZYDIS_MACHINE_MODE_LONG_COMPAT_32, ZYDIS_STACK_WIDTH_32);
388
389 //
390 // Disassembling buffer
391 //
392 DisassembleBuffer(&decoder, (UINT32)BaseAddress, &BufferToDisassemble[0], Size, MaximumInstrDecoded, FALSE, ShowBranchIsTakenOrNot, Rflags);
393
394 return 0;
395}
VOID DisassembleBuffer(ZydisDecoder *decoder, ZyanU64 runtime_address, ZyanU8 *data, ZyanUSize length, UINT32 maximum_instr, BOOLEAN is_x86_64, BOOLEAN show_of_branch_is_taken, PRFLAGS rflags)
Disassemble a user-mode buffer.
Definition disassembler.cpp:119

◆ HyperDbgDisassembler64()

INT HyperDbgDisassembler64 ( UCHAR * BufferToDisassemble,
UINT64 BaseAddress,
UINT64 Size,
UINT32 MaximumInstrDecoded,
BOOLEAN ShowBranchIsTakenOrNot,
PRFLAGS Rflags )

Disassemble x64 assemblies.

Parameters
BufferToDisassemblebuffer to disassemble
BaseAddressthe base address of assembly
Sizesize of buffer
MaximumInstrDecodedmaximum instructions to decode, 0 means all possible
ShowBranchIsTakenOrNoton conditional jumps shows whether jumps is taken or not
Rflagsin the case ShowBranchIsTakenOrNot is true, we use this variable to show the result of jump
Returns
INT
339{
340 if (ZydisGetVersion() != ZYDIS_VERSION)
341 {
342 fputs("Invalid Zydis version\n", ZYAN_STDERR);
343 return EXIT_FAILURE;
344 }
345
346 ZydisDecoder decoder;
347 ZydisDecoderInit(&decoder, ZYDIS_MACHINE_MODE_LONG_64, ZYDIS_STACK_WIDTH_64);
348
349 //
350 // Disassembling buffer
351 //
352 DisassembleBuffer(&decoder, BaseAddress, &BufferToDisassemble[0], Size, MaximumInstrDecoded, TRUE, ShowBranchIsTakenOrNot, Rflags);
353
354 return 0;
355}

◆ HyperDbgGetImmediateValueOnEaxForSyscallNumber()

UINT32 HyperDbgGetImmediateValueOnEaxForSyscallNumber ( UCHAR * BufferToDisassemble,
UINT64 BuffLength,
BOOLEAN Isx86_64 )

Get immediate value on EAX register.

Parameters
BufferToDisassembleCurrent Bytes of assembly
BuffLengthLength of buffer
Isx86_64Whether it's an x86 or x64
Returns
UINT32
1188{
1189 ZydisDecoder decoder;
1190 ZydisFormatter formatter;
1191 ZydisDecodedOperand operands[ZYDIS_MAX_OPERAND_COUNT];
1192 UINT64 CurrentRip = 0;
1193 INT InstrDecoded = 0;
1194 ZydisDecodedInstruction instruction;
1195 CHAR buffer[256];
1196 UINT32 MaximumInstrDecoded = 1;
1197
1198 if (ZydisGetVersion() != ZYDIS_VERSION)
1199 {
1200 ShowMessages("invalid zydis version\n");
1202 }
1203
1204 if (Isx86_64)
1205 {
1206 ZydisDecoderInit(&decoder, ZYDIS_MACHINE_MODE_LONG_64, ZYDIS_STACK_WIDTH_64);
1207 }
1208 else
1209 {
1210 ZydisDecoderInit(&decoder, ZYDIS_MACHINE_MODE_LONG_COMPAT_32, ZYDIS_STACK_WIDTH_32);
1211 }
1212
1213 ZydisFormatterInit(&formatter, ZYDIS_FORMATTER_STYLE_INTEL);
1214
1215 ZydisFormatterSetProperty(&formatter, ZYDIS_FORMATTER_PROP_FORCE_SEGMENT, ZYAN_TRUE);
1216 ZydisFormatterSetProperty(&formatter, ZYDIS_FORMATTER_PROP_FORCE_SIZE, ZYAN_TRUE);
1217
1218 //
1219 // Replace the `ZYDIS_FORMATTER_FUNC_PRINT_ADDRESS_ABS` function that
1220 // formats the absolute addresses
1221 //
1223 (ZydisFormatterFunc)&ZydisFormatterPrintAddressAbsolute;
1224 ZydisFormatterSetHook(&formatter, ZYDIS_FORMATTER_FUNC_PRINT_ADDRESS_ABS, (const void **)&default_print_address_absolute);
1225
1226 while (ZYAN_SUCCESS(ZydisDecoderDecodeFull(&decoder, BufferToDisassemble, BuffLength, &instruction, operands)))
1227 {
1228 //
1229 // We have to pass a `runtime_address` different to
1230 // `ZYDIS_RUNTIME_ADDRESS_NONE` to enable printing of absolute addresses
1231 //
1232
1233 ZydisFormatterFormatInstruction(&formatter, &instruction, operands, instruction.operand_count_visible, &buffer[0], sizeof(buffer), (ZyanU64)CurrentRip, ZYAN_NULL);
1234
1235 if (instruction.mnemonic == ZydisMnemonic::ZYDIS_MNEMONIC_SYSCALL)
1236 {
1237 //
1238 // It's a SYSCALL instruction, we couldn't find the syscall number
1239 //
1240 return NULL;
1241 }
1242
1243 if (instruction.mnemonic == ZydisMnemonic::ZYDIS_MNEMONIC_MOV &&
1244 instruction.operand_count == 2 &&
1245 (operands[0].reg.value == ZYDIS_REGISTER_RAX || operands[0].reg.value == ZYDIS_REGISTER_EAX))
1246 {
1247 //
1248 // It's a MOV
1249 // Log syscall number
1250 //
1251 // ShowMessages("Syscall number : 0x%x\n", operands[1].imm.value.u);
1252
1253 return (UINT32)operands[1].imm.value.u;
1254 }
1255
1256 BufferToDisassemble += instruction.length;
1257 BuffLength -= instruction.length;
1258 }
1259
1260 //
1261 // Reaching here means that we didn't find any MOV instruction
1262 //
1263 return NULL;
1264}

◆ HyperDbgIsConditionalJumpTaken()

DEBUGGER_CONDITIONAL_JUMP_STATUS HyperDbgIsConditionalJumpTaken ( UCHAR * BufferToDisassemble,
UINT64 BuffLength,
RFLAGS Rflags,
BOOLEAN Isx86_64 )

Check whether the jump is taken or not taken (in debugger).

the implementation of this function derived from the table in this site : http://www.unixwiz.net/techtips/x86-jumps.html

Parameters
BufferToDisassembleCurrent Bytes of assembly
BuffLengthLength of buffer
RflagsThe kernel's current RFLAG
Isx86_64Whether it's an x86 or x64
Returns
DEBUGGER_NEXT_INSTRUCTION_FINDER_STATUS
414{
415 ZydisDecoder decoder;
416 ZydisFormatter formatter;
417 ZydisDecodedOperand operands[ZYDIS_MAX_OPERAND_COUNT];
418 UINT64 CurrentRip = 0;
419 INT InstrDecoded = 0;
420 ZydisDecodedInstruction instruction;
421 UINT32 MaximumInstrDecoded = 1;
422
423 if (ZydisGetVersion() != ZYDIS_VERSION)
424 {
425 ShowMessages("invalid Zydis version\n");
427 }
428
429 if (Isx86_64)
430 {
431 ZydisDecoderInit(&decoder, ZYDIS_MACHINE_MODE_LONG_64, ZYDIS_STACK_WIDTH_64);
432 }
433 else
434 {
435 ZydisDecoderInit(&decoder, ZYDIS_MACHINE_MODE_LONG_COMPAT_32, ZYDIS_STACK_WIDTH_32);
436 }
437
438 ZydisFormatterInit(&formatter, ZYDIS_FORMATTER_STYLE_INTEL);
439
440 ZydisFormatterSetProperty(&formatter, ZYDIS_FORMATTER_PROP_FORCE_SEGMENT, ZYAN_TRUE);
441 ZydisFormatterSetProperty(&formatter, ZYDIS_FORMATTER_PROP_FORCE_SIZE, ZYAN_TRUE);
442
443 //
444 // Replace the `ZYDIS_FORMATTER_FUNC_PRINT_ADDRESS_ABS` function that
445 // formats the absolute addresses
446 //
447 default_print_address_absolute = (ZydisFormatterFunc)&ZydisFormatterPrintAddressAbsolute;
448 ZydisFormatterSetHook(&formatter, ZYDIS_FORMATTER_FUNC_PRINT_ADDRESS_ABS, (const void **)&default_print_address_absolute);
449
450 while (ZYAN_SUCCESS(ZydisDecoderDecodeFull(&decoder, BufferToDisassemble, BuffLength, &instruction, operands)))
451 {
452 //
453 // We have to pass a `runtime_address` different to
454 // `ZYDIS_RUNTIME_ADDRESS_NONE` to enable printing of absolute addresses
455 //
456
457 // ZydisFormatterFormatInstruction(&formatter, &instruction, operands, instruction.operand_count_visible, &buffer[0], sizeof(buffer), (ZyanU64)CurrentRip, ZYAN_NULL);
458
459 switch (instruction.mnemonic)
460 {
461 case ZydisMnemonic::ZYDIS_MNEMONIC_JO:
462
463 //
464 // Jump if overflow (jo)
465 //
466 if (Rflags.OverflowFlag)
468 else
470
471 break;
472
473 case ZydisMnemonic::ZYDIS_MNEMONIC_JNO:
474
475 //
476 // Jump if not overflow (jno)
477 //
478 if (!Rflags.OverflowFlag)
480 else
482
483 break;
484
485 case ZydisMnemonic::ZYDIS_MNEMONIC_JS:
486
487 //
488 // Jump if sign
489 //
490 if (Rflags.SignFlag)
492 else
494
495 break;
496
497 case ZydisMnemonic::ZYDIS_MNEMONIC_JNS:
498
499 //
500 // Jump if not sign
501 //
502 if (!Rflags.SignFlag)
504 else
506
507 break;
508
509 case ZydisMnemonic::ZYDIS_MNEMONIC_JZ:
510
511 //
512 // Jump if equal (je),
513 // Jump if zero (jz)
514 //
515 if (Rflags.ZeroFlag)
517 else
519
520 break;
521
522 case ZydisMnemonic::ZYDIS_MNEMONIC_JNZ:
523
524 //
525 // Jump if not equal (jne),
526 // Jump if not zero (jnz)
527 //
528 if (!Rflags.ZeroFlag)
530 else
532
533 break;
534
535 case ZydisMnemonic::ZYDIS_MNEMONIC_JB:
536
537 //
538 // Jump if below (jb),
539 // Jump if not above or equal (jnae),
540 // Jump if carry (jc)
541 //
542
543 //
544 // This jump is unsigned
545 //
546
547 if (Rflags.CarryFlag)
549 else
551
552 break;
553
554 case ZydisMnemonic::ZYDIS_MNEMONIC_JNB:
555
556 //
557 // Jump if not below (jnb),
558 // Jump if above or equal (jae),
559 // Jump if not carry (jnc)
560 //
561
562 //
563 // This jump is unsigned
564 //
565
566 if (!Rflags.CarryFlag)
568 else
570
571 break;
572
573 case ZydisMnemonic::ZYDIS_MNEMONIC_JBE:
574
575 //
576 // Jump if below or equal (jbe),
577 // Jump if not above (jna)
578 //
579
580 //
581 // This jump is unsigned
582 //
583
584 if (Rflags.CarryFlag || Rflags.ZeroFlag)
586 else
588
589 break;
590
591 case ZydisMnemonic::ZYDIS_MNEMONIC_JNBE:
592
593 //
594 // Jump if above (ja),
595 // Jump if not below or equal (jnbe)
596 //
597
598 //
599 // This jump is unsigned
600 //
601
602 if (!Rflags.CarryFlag && !Rflags.ZeroFlag)
604 else
606
607 break;
608
609 case ZydisMnemonic::ZYDIS_MNEMONIC_JL:
610
611 //
612 // Jump if less (jl),
613 // Jump if not greater or equal (jnge)
614 //
615
616 //
617 // This jump is signed
618 //
619
620 if (Rflags.SignFlag != Rflags.OverflowFlag)
622 else
624
625 break;
626
627 case ZydisMnemonic::ZYDIS_MNEMONIC_JNL:
628
629 //
630 // Jump if greater or equal (jge),
631 // Jump if not less (jnl)
632 //
633
634 //
635 // This jump is signed
636 //
637
638 if (Rflags.SignFlag == Rflags.OverflowFlag)
640 else
642
643 break;
644
645 case ZydisMnemonic::ZYDIS_MNEMONIC_JLE:
646
647 //
648 // Jump if less or equal (jle),
649 // Jump if not greater (jng)
650 //
651
652 //
653 // This jump is signed
654 //
655
656 if (Rflags.ZeroFlag || Rflags.SignFlag != Rflags.OverflowFlag)
658 else
660
661 break;
662
663 case ZydisMnemonic::ZYDIS_MNEMONIC_JNLE:
664
665 //
666 // Jump if greater (jg),
667 // Jump if not less or equal (jnle)
668 //
669
670 //
671 // This jump is signed
672 //
673
674 if (!Rflags.ZeroFlag && Rflags.SignFlag == Rflags.OverflowFlag)
676 else
678
679 break;
680
681 case ZydisMnemonic::ZYDIS_MNEMONIC_JP:
682
683 //
684 // Jump if parity (jp),
685 // Jump if parity even (jpe)
686 //
687
688 if (Rflags.ParityFlag)
690 else
692
693 break;
694
695 case ZydisMnemonic::ZYDIS_MNEMONIC_JNP:
696
697 //
698 // Jump if not parity (jnp),
699 // Jump if parity odd (jpo)
700 //
701
702 if (!Rflags.ParityFlag)
704 else
706
707 break;
708
709 case ZydisMnemonic::ZYDIS_MNEMONIC_JCXZ:
710 case ZydisMnemonic::ZYDIS_MNEMONIC_JECXZ:
711
712 //
713 // Jump if %CX register is 0 (jcxz),
714 // Jump if% ECX register is 0 (jecxz)
715 //
716
717 //
718 // Actually this instruction are rarely used
719 // but if we want to support these instructions then we
720 // should read ecx and cx each time in the debuggee,
721 // so it's better to just ignore it as a non-conditional
722 // jump
723 //
725
726 default:
727
728 //
729 // It's not a jump
730 //
732 break;
733 }
734
736 }
737
738 //
739 // Should not reach here
740 //
742}
@ DEBUGGER_CONDITIONAL_JUMP_STATUS_JUMP_IS_NOT_TAKEN
Definition RequestStructures.h:1572
@ DEBUGGER_CONDITIONAL_JUMP_STATUS_JUMP_IS_TAKEN
Definition RequestStructures.h:1571
@ DEBUGGER_CONDITIONAL_JUMP_STATUS_NOT_CONDITIONAL_JUMP
Definition RequestStructures.h:1570

◆ HyperDbgLengthDisassemblerEngine()

UINT32 HyperDbgLengthDisassemblerEngine ( UCHAR * BufferToDisassemble,
UINT64 BuffLength,
BOOLEAN Isx86_64 )

Length Disassembler engine based on Zydis.

Parameters
BufferToDisassembleCurrent Bytes of assembly
BuffLengthLength of buffer
Isx86_64Whether it's an x86 or x64
Lengthof call (if return value is TRUE)
Returns
UINT32
860{
861 ZydisDecoder decoder;
862 ZydisFormatter formatter;
863 ZydisDecodedOperand operands[ZYDIS_MAX_OPERAND_COUNT];
864 UINT64 CurrentRip = 0;
865 INT InstrDecoded = 0;
866 ZydisDecodedInstruction instruction;
867 UINT32 MaximumInstrDecoded = 1;
868
869 if (ZydisGetVersion() != ZYDIS_VERSION)
870 {
871 ShowMessages("invalid Zydis version\n");
873 }
874
875 if (Isx86_64)
876 {
877 ZydisDecoderInit(&decoder, ZYDIS_MACHINE_MODE_LONG_64, ZYDIS_STACK_WIDTH_64);
878 }
879 else
880 {
881 ZydisDecoderInit(&decoder, ZYDIS_MACHINE_MODE_LONG_COMPAT_32, ZYDIS_STACK_WIDTH_32);
882 }
883
884 ZydisFormatterInit(&formatter, ZYDIS_FORMATTER_STYLE_INTEL);
885
886 ZydisFormatterSetProperty(&formatter, ZYDIS_FORMATTER_PROP_FORCE_SEGMENT, ZYAN_TRUE);
887 ZydisFormatterSetProperty(&formatter, ZYDIS_FORMATTER_PROP_FORCE_SIZE, ZYAN_TRUE);
888
889 //
890 // Replace the `ZYDIS_FORMATTER_FUNC_PRINT_ADDRESS_ABS` function that
891 // formats the absolute addresses
892 //
894 (ZydisFormatterFunc)&ZydisFormatterPrintAddressAbsolute;
895 ZydisFormatterSetHook(&formatter, ZYDIS_FORMATTER_FUNC_PRINT_ADDRESS_ABS, (const void **)&default_print_address_absolute);
896
897 while (ZYAN_SUCCESS(ZydisDecoderDecodeFull(&decoder, BufferToDisassemble, BuffLength, &instruction, operands)))
898 {
899 //
900 // We have to pass a `runtime_address` different to
901 // `ZYDIS_RUNTIME_ADDRESS_NONE` to enable printing of absolute addresses
902 //
903 // ZydisFormatterFormatInstruction(&formatter, &instruction, operands, instruction.operand_count_visible, &buffer[0], sizeof(buffer), (ZyanU64)CurrentRip, ZYAN_NULL);
904
905 //
906 // Return len of buffer
907 //
908 return instruction.length;
909 }
910
911 //
912 // Error in disassembling buffer
913 //
914 return 0;
915}

◆ HyperDbgReadMemory()

BOOLEAN HyperDbgReadMemory ( UINT64 TargetAddress,
DEBUGGER_READ_MEMORY_TYPE MemoryType,
DEBUGGER_READ_READING_TYPE ReadingType,
UINT32 Pid,
UINT32 Size,
BOOLEAN GetAddressMode,
DEBUGGER_READ_MEMORY_ADDRESS_MODE * AddressMode,
BYTE * TargetBufferToStore,
UINT32 * ReturnLength )

Read memory and disassembler.

Parameters
TargetAddresslocation of where to read the memory
MemoryTypetype of memory (phyical or virtual)
ReadingTyperead from kernel or vmx-root
PidThe target process id
Sizesize of memory to read
GetAddressModecheck for address mode
AddressModeAddress mode (32 or 64)
TargetBufferToStoreThe buffer to store the read memory
ReturnLengthThe length of the read memory
Returns
BOOLEAN TRUE if the operation was successful, otherwise FALSE
46{
47 BOOL Status;
48 ULONG ReturnedLength;
49 DEBUGGER_READ_MEMORY ReadMem = {0};
50 UINT32 SizeOfTargetBuffer;
51
52 //
53 // Check if driver is loaded if it's in local debugging mode
54 //
56 {
58 }
59
60 //
61 // Fill the read memory structure
62 //
63 ReadMem.Address = TargetAddress;
64 ReadMem.Pid = Pid;
65 ReadMem.Size = Size;
66 ReadMem.MemoryType = MemoryType;
67 ReadMem.ReadingType = ReadingType;
68 ReadMem.GetAddressMode = GetAddressMode;
69
70 //
71 // allocate buffer for transferring messages
72 //
73 SizeOfTargetBuffer = sizeof(DEBUGGER_READ_MEMORY) + (Size * sizeof(CHAR));
74 DEBUGGER_READ_MEMORY * MemReadRequest = (DEBUGGER_READ_MEMORY *)malloc(SizeOfTargetBuffer);
75
76 //
77 // Check if the buffer is allocated successfully
78 //
79 if (MemReadRequest == NULL)
80 {
81 return FALSE;
82 }
83
84 ZeroMemory(MemReadRequest, SizeOfTargetBuffer);
85
86 //
87 // Copy the buffer to send
88 //
89 memcpy(MemReadRequest, &ReadMem, sizeof(DEBUGGER_READ_MEMORY));
90
91 //
92 // Check if this is used for Debugger Mode or VMI mode
93 //
95 {
96 //
97 // It's on Debugger mode
98 //
99 if (!KdSendReadMemoryPacketToDebuggee(MemReadRequest, SizeOfTargetBuffer))
100 {
101 std::free(MemReadRequest);
102 return FALSE;
103 }
104 }
105 else
106 {
107 //
108 // It's on local debugging mode
109 //
110 Status = DeviceIoControl(g_DeviceHandle, // Handle to device
111 IOCTL_DEBUGGER_READ_MEMORY, // IO Control Code (IOCTL)
112 MemReadRequest, // Input Buffer to driver.
113 SIZEOF_DEBUGGER_READ_MEMORY, // Input buffer length
114 MemReadRequest, // Output Buffer from driver.
115 SizeOfTargetBuffer, // Length of output buffer in bytes.
116 &ReturnedLength, // Bytes placed in buffer.
117 NULL // synchronous call
118 );
119
120 if (!Status)
121 {
122 ShowMessages("ioctl failed with code 0x%x\n", GetLastError());
123 std::free(MemReadRequest);
124 return FALSE;
125 }
126 }
127
128 //
129 // Check if reading memory was successful or not
130 //
131 if (MemReadRequest->KernelStatus != DEBUGGER_OPERATION_WAS_SUCCESSFUL)
132 {
133 ShowErrorMessage(MemReadRequest->KernelStatus);
134 std::free(MemReadRequest);
135 return FALSE;
136 }
137 else
138 {
140 {
141 //
142 // Change the ReturnedLength as it contains the headers
143 //
144 *ReturnLength = MemReadRequest->ReturnLength;
145 }
146 else
147 {
148 //
149 // Change the ReturnedLength as it contains the headers
150 //
151 ReturnedLength -= SIZEOF_DEBUGGER_READ_MEMORY;
152 *ReturnLength = ReturnedLength;
153 }
154
155 //
156 // Set address mode (if requested)
157 //
158 if (GetAddressMode)
159 {
160 *AddressMode = MemReadRequest->AddressMode;
161 }
162
163 //
164 // Copy the buffer
165 //
166 memcpy(TargetBufferToStore,
167 ((UCHAR *)MemReadRequest) + sizeof(DEBUGGER_READ_MEMORY),
168 *ReturnLength);
169
170 //
171 // free the buffer
172 //
173 std::free(MemReadRequest);
174
175 return TRUE;
176 }
177}
unsigned char UCHAR
Definition BasicTypes.h:34
#define IOCTL_DEBUGGER_READ_MEMORY
ioctl, request to read memory
Definition Ioctls.h:143
struct _DEBUGGER_READ_MEMORY DEBUGGER_READ_MEMORY
request for reading virtual and physical memory
#define SIZEOF_DEBUGGER_READ_MEMORY
Definition RequestStructures.h:237
BOOLEAN KdSendReadMemoryPacketToDebuggee(PDEBUGGER_READ_MEMORY ReadMem, UINT32 RequestSize)
Send a Read memory packet to the debuggee.
Definition kd.cpp:597
#define AssertReturnFalse
Definition common.h:21
UINT32 KernelStatus
Definition RequestStructures.h:301
UINT32 Size
Definition RequestStructures.h:295
UINT32 Pid
Definition RequestStructures.h:293
DEBUGGER_READ_MEMORY_ADDRESS_MODE AddressMode
Definition RequestStructures.h:297
UINT32 ReturnLength
Definition RequestStructures.h:300
BOOLEAN GetAddressMode
Definition RequestStructures.h:296
DEBUGGER_READ_READING_TYPE ReadingType
Definition RequestStructures.h:299
DEBUGGER_READ_MEMORY_TYPE MemoryType
Definition RequestStructures.h:298
UINT64 Address
Definition RequestStructures.h:294

◆ HyperDbgShowMemoryOrDisassemble()

VOID HyperDbgShowMemoryOrDisassemble ( DEBUGGER_SHOW_MEMORY_STYLE Style,
UINT64 Address,
DEBUGGER_READ_MEMORY_TYPE MemoryType,
DEBUGGER_READ_READING_TYPE ReadingType,
UINT32 Pid,
UINT32 Size,
PDEBUGGER_DT_COMMAND_OPTIONS DtDetails )

Show memory or disassembler.

Parameters
Stylestyle of show memory (as byte, dwrod, qword)
Addresslocation of where to read the memory
MemoryTypetype of memory (phyical or virtual)
ReadingTyperead from kernel or vmx-root
PidThe target process id
Sizesize of memory to read
DtDetailsOptions for dt structure show details
Returns
VOID
200{
201 UINT32 ReturnedLength;
202 UCHAR * Buffer;
204 BOOLEAN CheckForAddressMode = FALSE;
205 BOOLEAN Status = FALSE;
206
207 //
208 // Check if this is used for disassembler or not
209 //
212 {
213 CheckForAddressMode = TRUE;
214 }
215 else
216 {
217 CheckForAddressMode = FALSE;
218 }
219
220 //
221 // Allocate buffer for output
222 //
223 Buffer = (UCHAR *)malloc(Size);
224
225 //
226 // Perform reading memory
227 //
228 Status = HyperDbgReadMemory(Address,
229 MemoryType,
230 ReadingType,
231 Pid,
232 Size,
233 CheckForAddressMode,
234 &AddressMode,
235 (BYTE *)Buffer,
236 &ReturnedLength);
237
238 //
239 // Check if reading memory was successful or not
240 //
241 if (!Status)
242 {
243 //
244 // Check for extra message for the dump command
245 //
246 if (Style == DEBUGGER_SHOW_COMMAND_DUMP)
247 {
248 ShowMessages("HyperDbg attempted to access an invalid target address: 0x%llx\n"
249 "if you are confident that the address is valid, it may be paged out "
250 "or not yet available in the current CR3 page table\n"
251 "you can use the '.pagein' command to load this page table into memory and "
252 "trigger a page fault (#PF), please refer to the documentation for further details\n\n",
253 Address);
254 }
255
256 //
257 // free the buffer
258 //
259 std::free(Buffer);
260 return;
261 }
262
263 switch (Style)
264 {
266
267 //
268 // Show the 'dt' command view
269 //
270 if (Size == ReturnedLength)
271 {
273 Address,
274 FALSE,
275 Buffer,
276 DtDetails->AdditionalParameters);
277 }
278 else if (ReturnedLength == 0)
279 {
280 ShowMessages("err, invalid address");
281 }
282 else
283 {
284 ShowMessages("err, invalid address or memory is smaller than the structure size");
285 }
286
287 break;
288
290
292 Buffer,
293 Size,
294 Address,
295 MemoryType,
296 ReturnedLength);
297
298 break;
299
301
303 Buffer,
304 Size,
305 Address,
306 MemoryType,
307 ReturnedLength);
308
309 break;
310
312
314 Buffer,
315 Size,
316 Address,
317 MemoryType,
318 ReturnedLength);
319
320 break;
321
323
325 Buffer,
326 Size,
327 Address,
328 MemoryType,
329 ReturnedLength);
330
331 break;
332
334
335 CommandDumpSaveIntoFile(Buffer, Size);
336
337 break;
338
340
341 //
342 // Check if assembly mismatch occurred with the target address
343 //
344 if (AddressMode == DEBUGGER_READ_ADDRESS_MODE_32_BIT && MemoryType == DEBUGGER_READ_VIRTUAL_ADDRESS)
345 {
346 ShowMessages("the target address seems to be located in a 32-bit program, if so, "
347 "please consider using the 'u32' instead to utilize the 32-bit disassembler\n");
348 }
349
350 //
351 // Show diassembles
352 //
353 if (ReturnedLength != 0)
354 {
356 Buffer,
357 Address,
358 ReturnedLength,
359 0,
360 FALSE,
361 NULL);
362 }
363 else
364 {
365 ShowMessages("err, invalid address\n");
366 }
367
368 break;
369
371
372 //
373 // Check if assembly mismatch occurred with the target address
374 //
375 if (AddressMode == DEBUGGER_READ_ADDRESS_MODE_64_BIT && MemoryType == DEBUGGER_READ_VIRTUAL_ADDRESS)
376 {
377 ShowMessages("the target address seems to be located in a 64-bit program, if so, "
378 "please consider using the 'u' instead to utilize the 64-bit disassembler\n");
379 }
380
381 //
382 // Show diassembles
383 //
384 if (ReturnedLength != 0)
385 {
387 Buffer,
388 Address,
389 ReturnedLength,
390 0,
391 FALSE,
392 NULL);
393 }
394 else
395 {
396 ShowMessages("err, invalid address\n");
397 }
398
399 break;
400 }
401
402 //
403 // free the buffer
404 //
405 std::free(Buffer);
406}
@ DEBUGGER_READ_ADDRESS_MODE_32_BIT
Definition RequestStructures.h:265
@ DEBUGGER_READ_ADDRESS_MODE_64_BIT
Definition RequestStructures.h:266
enum _DEBUGGER_READ_MEMORY_ADDRESS_MODE DEBUGGER_READ_MEMORY_ADDRESS_MODE
different address mode
@ DEBUGGER_SHOW_COMMAND_DT
Definition RequestStructures.h:277
INT HyperDbgDisassembler64(UCHAR *BufferToDisassemble, UINT64 BaseAddress, UINT64 Size, UINT32 MaximumInstrDecoded, BOOLEAN ShowBranchIsTakenOrNot, PRFLAGS Rflags)
Disassemble x64 assemblies.
Definition disassembler.cpp:333
INT HyperDbgDisassembler32(UCHAR *BufferToDisassemble, UINT64 BaseAddress, UINT64 Size, UINT32 MaximumInstrDecoded, BOOLEAN ShowBranchIsTakenOrNot, PRFLAGS Rflags)
Disassemble 32 bit assemblies.
Definition disassembler.cpp:373
VOID CommandDumpSaveIntoFile(PVOID Buffer, UINT32 Length)
Saves the received buffers into the files.
Definition dump.cpp:308
VOID ShowMemoryCommandDC(UCHAR *OutputBuffer, UINT32 Size, UINT64 Address, DEBUGGER_READ_MEMORY_TYPE MemoryType, UINT64 Length)
Show memory in dword format (DC).
Definition readmem.cpp:490
VOID ShowMemoryCommandDB(UCHAR *OutputBuffer, UINT32 Size, UINT64 Address, DEBUGGER_READ_MEMORY_TYPE MemoryType, UINT64 Length)
Show memory in bytes (DB).
Definition readmem.cpp:420
VOID ShowMemoryCommandDQ(UCHAR *OutputBuffer, UINT32 Size, UINT64 Address, DEBUGGER_READ_MEMORY_TYPE MemoryType, UINT64 Length)
Show memory in qword format (DQ).
Definition readmem.cpp:612
BOOLEAN HyperDbgReadMemory(UINT64 TargetAddress, DEBUGGER_READ_MEMORY_TYPE MemoryType, DEBUGGER_READ_READING_TYPE ReadingType, UINT32 Pid, UINT32 Size, BOOLEAN GetAddressMode, DEBUGGER_READ_MEMORY_ADDRESS_MODE *AddressMode, BYTE *TargetBufferToStore, UINT32 *ReturnLength)
Read memory and disassembler.
Definition readmem.cpp:37
VOID ShowMemoryCommandDD(UCHAR *OutputBuffer, UINT32 Size, UINT64 Address, DEBUGGER_READ_MEMORY_TYPE MemoryType, UINT64 Length)
Show memory in dword format (DD).
Definition readmem.cpp:561
BOOLEAN ScriptEngineShowDataBasedOnSymbolTypesWrapper(const CHAR *TypeName, UINT64 Address, BOOLEAN IsStruct, PVOID BufferAddress, const CHAR *AdditionalParameters)
ScriptEngineShowDataBasedOnSymbolTypes wrapper.
Definition script-engine-wrapper.cpp:213
const CHAR * TypeName
Definition RequestStructures.h:165
const CHAR * AdditionalParameters
Definition RequestStructures.h:171

◆ InitializeCommandsDictionary()

VOID InitializeCommandsDictionary ( )

Initialize commands and attributes.

Returns
VOID
1344{
1349
1353
1356
1359
1362
1365
1367
1370
1373
1376
1379
1382
1385
1390
1395
1397
1400
1405
1408
1411
1414
1417
1420
1422
1425
1427
1430
1432
1434
1438
1440
1442
1445
1448
1450
1452
1454
1456
1458
1461
1463
1466
1470
1472
1474
1476
1478
1480
1482
1484
1486
1488
1490
1492
1495
1497
1499
1501
1503
1505
1507
1510
1512
1514
1517
1520
1522
1524
1526
1528
1530
1532
1535
1538
1541
1543
1560
1567
1574
1576
1579
1582
1584
1588
1592
1596
1599
1602
1604
1607
1610
1614
1623
1626
1628
1630
1632
1634
1638
1640
1641 //
1642 // hwdbg commands
1643 //
1648
1650
1652}
VOID CommandAssemble(vector< CommandToken > CommandTokens, string Command)
a and !a commands handler
Definition a.cpp:182
VOID CommandApic(vector< CommandToken > CommandTokens, string Command)
!apic command handler
Definition apic.cpp:186
VOID CommandAttach(vector< CommandToken > CommandTokens, string Command)
.attach command handler
Definition attach.cpp:44
VOID CommandBc(vector< CommandToken > CommandTokens, string Command)
handler of bc command
Definition bc.cpp:45
VOID CommandBd(vector< CommandToken > CommandTokens, string Command)
handler of bd command
Definition bd.cpp:45
VOID CommandBe(vector< CommandToken > CommandTokens, string Command)
handler of be command
Definition be.cpp:45
VOID CommandBl(vector< CommandToken > CommandTokens, string Command)
handler of the bl command
Definition bl.cpp:41
VOID CommandBp(vector< CommandToken > CommandTokens, string Command)
bp command handler
Definition bp.cpp:168
VOID CommandCls(vector< CommandToken > CommandTokens, string Command)
.cls command handler
Definition cls.cpp:36
#define DEBUGGER_COMMAND_CONTINUE_ATTRIBUTES
Definition commands.h:253
#define DEBUGGER_COMMAND_IOOUT_ATTRIBUTES
Definition commands.h:367
#define DEBUGGER_COMMAND_LOAD_ATTRIBUTES
Definition commands.h:289
#define DEBUGGER_COMMAND_PCICAM_ATTRIBUTES
Definition commands.h:471
#define DEBUGGER_COMMAND_INTERRUPT_ATTRIBUTES
Definition commands.h:371
#define DEBUGGER_COMMAND_PAGEIN_ATTRIBUTES
Definition commands.h:453
#define DEBUGGER_COMMAND_X_ATTRIBUTES
Definition commands.h:431
#define DEBUGGER_COMMAND_HELP_ATTRIBUTES
Definition commands.h:234
#define DEBUGGER_COMMAND_BD_ATTRIBUTES
Definition commands.h:416
#define DEBUGGER_COMMAND_MEASURE_ATTRIBUTES
Definition commands.h:385
#define DEBUGGER_COMMAND_HIDE_ATTRIBUTES
Definition commands.h:381
#define DEBUGGER_COMMAND_A_ATTRIBUTES
Definition commands.h:465
#define DEBUGGER_COMMAND_VMCALL_ATTRIBUTES
Definition commands.h:343
#define DEBUGGER_COMMAND_DT_ATTRIBUTES
Definition commands.h:441
#define DEBUGGER_COMMAND_FORMATS_ATTRIBUTES
Definition commands.h:329
#define DEBUGGER_COMMAND_STRUCT_ATTRIBUTES
Definition commands.h:444
#define DEBUGGER_COMMAND_PTE_ATTRIBUTES
Definition commands.h:332
#define DEBUGGER_COMMAND_APIC_ATTRIBUTES
Definition commands.h:334
#define DEBUGGER_COMMAND_DUMP_ATTRIBUTES
Definition commands.h:455
#define DEBUGGER_COMMAND_DISCONNECT_ATTRIBUTES
Definition commands.h:278
#define DEBUGGER_COMMAND_GG_ATTRIBUTES
Definition commands.h:245
#define DEBUGGER_COMMAND_TSC_ATTRIBUTES
Definition commands.h:357
#define DEBUGGER_COMMAND_K_ATTRIBUTES
Definition commands.h:438
#define DEBUGGER_COMMAND_FLUSH_ATTRIBUTES
Definition commands.h:294
#define DEBUGGER_COMMAND_S_ATTRIBUTES
Definition commands.h:404
#define DEBUGGER_COMMAND_BP_ATTRIBUTES
Definition commands.h:410
#define DEBUGGER_COMMAND_WRMSR_ATTRIBUTES
Definition commands.h:321
#define DEBUGGER_COMMAND_P_ATTRIBUTES
Definition commands.h:389
#define DEBUGGER_COMMAND_SYM_ATTRIBUTES
Definition commands.h:428
#define DEBUGGER_COMMAND_PA2VA_ATTRIBUTES
Definition commands.h:327
#define DEBUGGER_COMMAND_HWDBG_HW_ATTRIBUTES
Definition commands.h:461
#define DEBUGGER_COMMAND_CPUID_ATTRIBUTES
Definition commands.h:349
#define DEBUGGER_COMMAND_REV_ATTRIBUTES
Definition commands.h:449
#define DEBUGGER_COMMAND_PMC_ATTRIBUTES
Definition commands.h:359
#define DEBUGGER_COMMAND_LISTEN_ATTRIBUTES
Definition commands.h:240
#define DEBUGGER_COMMAND_TEST_ATTRIBUTES
Definition commands.h:317
#define DEBUGGER_COMMAND_PREACTIVATE_ATTRIBUTES
Definition commands.h:436
#define DEBUGGER_COMMAND_OUTPUT_ATTRIBUTES
Definition commands.h:302
#define DEBUGGER_COMMAND_LBR_ATTRIBUTES
Definition commands.h:480
#define DEBUGGER_COMMAND_CORE_ATTRIBUTES
Definition commands.h:338
#define DEBUGGER_COMMAND_SCRIPT_ATTRIBUTES
Definition commands.h:299
#define DEBUGGER_COMMAND_RDMSR_ATTRIBUTES
Definition commands.h:323
#define DEBUGGER_COMMAND_PE_ATTRIBUTES
Definition commands.h:447
#define DEBUGGER_COMMAND_SWITCH_ATTRIBUTES
Definition commands.h:251
#define DEBUGGER_COMMAND_IOAPIC_ATTRIBUTES
Definition commands.h:336
#define DEBUGGER_COMMAND_MSRWRITE_ATTRIBUTES
Definition commands.h:355
#define DEBUGGER_COMMAND_RESTART_ATTRIBUTES
Definition commands.h:259
#define DEBUGGER_COMMAND_SETTINGS_ATTRIBUTES
Definition commands.h:275
#define DEBUGGER_COMMAND_VA2PA_ATTRIBUTES
Definition commands.h:325
#define DEBUGGER_COMMAND_UNHIDE_ATTRIBUTES
Definition commands.h:383
#define DEBUGGER_COMMAND_STATUS_ATTRIBUTES
Definition commands.h:287
#define DEBUGGER_COMMAND_PAUSE_ATTRIBUTES
Definition commands.h:255
#define DEBUGGER_COMMAND_LOGCLOSE_ATTRIBUTES
Definition commands.h:314
#define DEBUGGER_COMMAND_G_ATTRIBUTES
Definition commands.h:243
#define DEBUGGER_COMMAND_LOGOPEN_ATTRIBUTES
Definition commands.h:311
#define DEBUGGER_COMMAND_CONNECT_ATTRIBUTES
Definition commands.h:237
#define DEBUGGER_COMMAND_E_ATTRIBUTES
Definition commands.h:401
#define DEBUGGER_COMMAND_IOIN_ATTRIBUTES
Definition commands.h:365
#define DEBUGGER_COMMAND_SYMPATH_ATTRIBUTES
Definition commands.h:425
#define DEBUGGER_COMMAND_EXCEPTION_ATTRIBUTES
Definition commands.h:369
#define DEBUGGER_COMMAND_T_ATTRIBUTES
Definition commands.h:392
#define DEBUGGER_COMMAND_XSETBV_ATTRIBUTES
Definition commands.h:351
#define DEBUGGER_COMMAND_HWDBG_HW_CLK_ATTRIBUTES
Definition commands.h:463
#define DEBUGGER_COMMAND_LBRDUMP_ATTRIBUTES
Definition commands.h:483
#define DEBUGGER_COMMAND_MODE_ATTRIBUTES
Definition commands.h:377
#define DEBUGGER_COMMAND_SMI_ATTRIBUTES
Definition commands.h:477
#define DEBUGGER_COMMAND_LM_ATTRIBUTES
Definition commands.h:387
#define DEBUGGER_COMMAND_SYSRET_ATTRIBUTES
Definition commands.h:375
#define DEBUGGER_COMMAND_TRACE_ATTRIBUTES
Definition commands.h:379
#define DEBUGGER_COMMAND_UNLOAD_ATTRIBUTES
Definition commands.h:297
#define DEBUGGER_COMMAND_IDT_ATTRIBUTES
Definition commands.h:474
#define DEBUGGER_COMMAND_THREAD_ATTRIBUTES
Definition commands.h:266
#define DEBUGGER_COMMAND_EPTHOOK_ATTRIBUTES
Definition commands.h:345
#define DEBUGGER_COMMAND_SLEEP_ATTRIBUTES
Definition commands.h:269
#define DEBUGGER_COMMAND_PREALLOC_ATTRIBUTES
Definition commands.h:434
#define DEBUGGER_COMMAND_EPTHOOK2_ATTRIBUTES
Definition commands.h:347
#define DEBUGGER_COMMAND_MONITOR_ATTRIBUTES
Definition commands.h:341
#define DEBUGGER_COMMAND_PRINT_ATTRIBUTES
Definition commands.h:305
#define DEBUGGER_COMMAND_START_ATTRIBUTES
Definition commands.h:257
#define DEBUGGER_COMMAND_DOT_STATUS_ATTRIBUTES
Definition commands.h:284
#define DEBUGGER_COMMAND_DR_ATTRIBUTES
Definition commands.h:363
#define DEBUGGER_COMMAND_CLEAR_ATTRIBUTES
Command's attributes.
Definition commands.h:231
#define DEBUGGER_COMMAND_SYSCALL_ATTRIBUTES
Definition commands.h:373
#define DEBUGGER_COMMAND_GU_ATTRIBUTES
Definition commands.h:458
#define DEBUGGER_COMMAND_PROCESS_ATTRIBUTES
Definition commands.h:263
#define DEBUGGER_COMMAND_KILL_ATTRIBUTES
Definition commands.h:261
#define DEBUGGER_COMMAND_I_ATTRIBUTES
Definition commands.h:395
#define DEBUGGER_COMMAND_PT_ATTRIBUTES
Definition commands.h:486
#define DEBUGGER_COMMAND_CRWRITE_ATTRIBUTES
Definition commands.h:361
#define DEBUGGER_COMMAND_D_AND_U_ATTRIBUTES
Definition commands.h:398
#define DEBUGGER_COMMAND_PCITREE_ATTRIBUTES
Definition commands.h:468
#define DEBUGGER_COMMAND_CPU_ATTRIBUTES
Definition commands.h:319
#define DEBUGGER_COMMAND_MSRREAD_ATTRIBUTES
Definition commands.h:353
#define DEBUGGER_COMMAND_EVENTS_ATTRIBUTES
Definition commands.h:272
#define DEBUGGER_COMMAND_ATTACH_ATTRIBUTES
Definition commands.h:247
#define DEBUGGER_COMMAND_EXIT_ATTRIBUTES
Definition commands.h:291
#define DEBUGGER_COMMAND_EVAL_ATTRIBUTES
Definition commands.h:308
#define DEBUGGER_COMMAND_DETACH_ATTRIBUTES
Definition commands.h:249
#define DEBUGGER_COMMAND_TRACK_ATTRIBUTES
Definition commands.h:451
#define DEBUGGER_COMMAND_R_ATTRIBUTES
Definition commands.h:407
#define DEBUGGER_COMMAND_DEBUG_ATTRIBUTES
Definition commands.h:281
VOID CommandConnect(vector< CommandToken > CommandTokens, string Command)
.connect command handler
Definition connect.cpp:107
VOID CommandContinueHelp()
help of the continue command
Definition continue.cpp:20
VOID CommandContinue(vector< CommandToken > CommandTokens, string Command)
handler of continue command
Definition continue.cpp:47
VOID CommandCore(vector< CommandToken > CommandTokens, string Command)
~ command handler
Definition core.cpp:47
VOID CommandCpu(vector< CommandToken > CommandTokens, string Command)
cpu command handler
Definition cpu.cpp:36
VOID CommandCpuid(vector< CommandToken > CommandTokens, string Command)
!cpuid command handler
Definition cpuid.cpp:48
VOID CommandCrwrite(vector< CommandToken > CommandTokens, string Command)
!crwrite command handler
Definition crwrite.cpp:47
VOID CommandReadMemoryAndDisassembler(vector< CommandToken > CommandTokens, string Command)
u* d* !u* !d* commands handler
Definition d-u.cpp:73
VOID CommandDebug(vector< CommandToken > CommandTokens, string Command)
.debug command handler
Definition debug.cpp:235
VOID CommandDetach(vector< CommandToken > CommandTokens, string Command)
.detach command handler
Definition detach.cpp:72
VOID CommandDisconnect(vector< CommandToken > CommandTokens, string Command)
.disconnect command handler
Definition disconnect.cpp:45
VOID CommandDr(vector< CommandToken > CommandTokens, string Command)
!dr command handler
Definition dr.cpp:46
VOID CommandDtAndStruct(vector< CommandToken > CommandTokens, string Command)
dt and struct command handler
Definition dt-struct.cpp:429
VOID CommandDump(vector< CommandToken > CommandTokens, string Command)
.dump command handler
Definition dump.cpp:62
VOID CommandEditMemory(vector< CommandToken > CommandTokens, string Command)
!e* and e* commands handler
Definition e.cpp:269
VOID CommandEptHook2(vector< CommandToken > CommandTokens, string Command)
!epthook2 command handler
Definition epthook2.cpp:49
VOID CommandEptHook(vector< CommandToken > CommandTokens, string Command)
!epthook command handler
Definition epthook.cpp:48
VOID CommandEval(vector< CommandToken > CommandTokens, string Command)
handler of ? command
Definition eval.cpp:196
VOID CommandEvents(vector< CommandToken > CommandTokens, string Command)
events command handler
Definition events.cpp:67
VOID CommandException(vector< CommandToken > CommandTokens, string Command)
!exception command handler
Definition exception.cpp:51
VOID CommandExit(vector< CommandToken > CommandTokens, string Command)
exit command handler
Definition exit.cpp:46
VOID CommandFlush(vector< CommandToken > CommandTokens, string Command)
flush command handler
Definition flush.cpp:111
VOID CommandFormats(vector< CommandToken > CommandTokens, string Command)
handler of .formats command
Definition formats.cpp:106
VOID CommandG(vector< CommandToken > CommandTokens, string Command)
handler of g command
Definition g.cpp:94
VOID CommandGg(vector< CommandToken > CommandTokens, string Command)
gg command handler
Definition gg.cpp:41
VOID CommandGu(vector< CommandToken > CommandTokens, string Command)
handler of gu command
Definition gu.cpp:52
VOID CommandHelpHelp()
help of the help command :)
Definition help.cpp:22
VOID CommandHide(vector< CommandToken > CommandTokens, string Command)
!hide command handler
Definition hide.cpp:395
VOID CommandHw(vector< CommandToken > CommandTokens, string Command)
!hw command handler
Definition hw.cpp:46
VOID CommandHwClk(vector< CommandToken > CommandTokens, string Command)
!hw_clk command handler
Definition hw_clk.cpp:154
VOID CommandI(vector< CommandToken > CommandTokens, string Command)
handler of i command
Definition i.cpp:56
VOID CommandIdt(vector< CommandToken > CommandTokens, string Command)
!idt command handler
Definition idt.cpp:115
CommandType g_CommandsList
List of command and attributes.
Definition globals.h:348
VOID CommandInterrupt(vector< CommandToken > CommandTokens, string Command)
!interrupt command handler
Definition interrupt.cpp:49
VOID CommandIoapic(vector< CommandToken > CommandTokens, string Command)
!ioapic command handler
Definition ioapic.cpp:194
VOID CommandIoin(vector< CommandToken > CommandTokens, string Command)
!ioin command handler
Definition ioin.cpp:48
VOID CommandIoout(vector< CommandToken > CommandTokens, string Command)
!ioout command handler
Definition ioout.cpp:48
VOID CommandK(vector< CommandToken > CommandTokens, string Command)
k command handler
Definition k.cpp:56
VOID CommandKill(vector< CommandToken > CommandTokens, string Command)
.kill command handler
Definition kill.cpp:42
VOID CommandLbr(vector< CommandToken > CommandTokens, string Command)
!lbr command handler
Definition lbr.cpp:329
VOID CommandLbrdump(vector< CommandToken > CommandTokens, string Command)
!lbrdump command handler
Definition lbrdump.cpp:240
VOID CommandListen(vector< CommandToken > CommandTokens, string Command)
listen command handler
Definition listen.cpp:54
VOID CommandLm(vector< CommandToken > CommandTokens, string Command)
handle lm command
Definition lm.cpp:358
VOID CommandLoad(vector< CommandToken > CommandTokens, string Command)
load command handler
Definition load.cpp:50
VOID CommandLogclose(vector< CommandToken > CommandTokens, string Command)
.logclose command handler
Definition logclose.cpp:42
VOID CommandLogopen(vector< CommandToken > CommandTokens, string Command)
.logopen command handler
Definition logopen.cpp:48
VOID CommandMeasure(vector< CommandToken > CommandTokens, string Command)
!measure command handler
Definition measure.cpp:56
VOID CommandMode(vector< CommandToken > CommandTokens, string Command)
!mode command handler
Definition mode.cpp:49
VOID CommandMonitor(vector< CommandToken > CommandTokens, string Command)
!monitor command handler
Definition monitor.cpp:62
VOID CommandMsrread(vector< CommandToken > CommandTokens, string Command)
!msrread command handler
Definition msrread.cpp:47
VOID CommandMsrwrite(vector< CommandToken > CommandTokens, string Command)
!msrwrite command handler
Definition msrwrite.cpp:47
VOID CommandOutput(vector< CommandToken > CommandTokens, string Command)
output command handler
Definition output.cpp:58
VOID CommandP(vector< CommandToken > CommandTokens, string Command)
handler of p command
Definition p.cpp:53
VOID CommandPa2va(vector< CommandToken > CommandTokens, string Command)
!pa2va command handler
Definition pa2va.cpp:50
VOID CommandPagein(vector< CommandToken > CommandTokens, string Command)
.pagein command handler
Definition pagein.cpp:266
VOID CommandPause(vector< CommandToken > CommandTokens, string Command)
pause command handler
Definition pause.cpp:71
VOID CommandPcicam(vector< CommandToken > CommandTokens, string Command)
!pcicam command handler
Definition pcicam.cpp:47
VOID CommandPcitree(vector< CommandToken > CommandTokens, string Command)
!pcitree command handler
Definition pcitree.cpp:45
VOID CommandPe(vector< CommandToken > CommandTokens, string Command)
.pe command handler
Definition pe.cpp:42
VOID CommandPmc(vector< CommandToken > CommandTokens, string Command)
!pmc command handler
Definition pmc.cpp:46
VOID CommandPreactivate(vector< CommandToken > CommandTokens, string Command)
preactivate command handler
Definition preactivate.cpp:49
VOID CommandPrealloc(vector< CommandToken > CommandTokens, string Command)
prealloc command handler
Definition prealloc.cpp:60
VOID CommandPrint(vector< CommandToken > CommandTokens, string Command)
handler of print command
Definition print.cpp:42
VOID CommandProcess(vector< CommandToken > CommandTokens, string Command)
.process command handler
Definition process.cpp:57
VOID CommandPt(vector< CommandToken > CommandTokens, string Command)
!pt command handler
Definition pt.cpp:321
VOID CommandPte(vector< CommandToken > CommandTokens, string Command)
!pte command handler
Definition pte.cpp:93
VOID CommandRHelp()
help of the r command
Definition r.cpp:152
VOID CommandR(vector< CommandToken > CommandTokens, string Command)
handler of r command
Definition r.cpp:452
VOID CommandRdmsr(vector< CommandToken > CommandTokens, string Command)
rdmsr command handler
Definition rdmsr.cpp:120
VOID CommandRestart(vector< CommandToken > CommandTokens, string Command)
.restart command handler
Definition restart.cpp:47
VOID CommandRev(vector< CommandToken > CommandTokens, string Command)
!rev command handler
Definition rev.cpp:50
VOID CommandSearchMemory(vector< CommandToken > CommandTokens, string Command)
!s* s* commands handler
Definition s.cpp:141
VOID CommandScript(vector< CommandToken > CommandTokens, string Command)
.script command handler
Definition script.cpp:263
VOID CommandSettings(vector< CommandToken > CommandTokens, string Command)
settings command handler
Definition settings.cpp:553
VOID CommandSleep(vector< CommandToken > CommandTokens, string Command)
sleep command help
Definition sleep.cpp:38
VOID CommandSmi(vector< CommandToken > CommandTokens, string Command)
!smi command handler
Definition smi.cpp:123
VOID CommandStart(vector< CommandToken > CommandTokens, string Command)
.start command handler
Definition start.cpp:47
VOID CommandStatus(vector< CommandToken > CommandTokens, string Command)
.status and status command handler
Definition status.cpp:51
VOID CommandSwitch(vector< CommandToken > CommandTokens, string Command)
.switch command handler
Definition switch.cpp:45
VOID CommandSym(vector< CommandToken > CommandTokens, string Command)
.sym command handler
Definition sym.cpp:56
VOID CommandSympath(vector< CommandToken > CommandTokens, string Command)
.sympath command handler
Definition sympath.cpp:45
VOID CommandSyscallAndSysret(vector< CommandToken > CommandTokens, string Command)
!syscall, !syscall2 and !sysret, !sysret2 commands handler
Definition syscall-sysret.cpp:85
VOID CommandT(vector< CommandToken > CommandTokens, string Command)
handler of t command
Definition t.cpp:53
VOID CommandTest(vector< CommandToken > CommandTokens, string Command)
test command handler
Definition test.cpp:434
VOID CommandThread(vector< CommandToken > CommandTokens, string Command)
.thread command handler
Definition thread.cpp:120
VOID CommandTrace(vector< CommandToken > CommandTokens, string Command)
!trace command handler
Definition trace.cpp:51
VOID CommandTrack(vector< CommandToken > CommandTokens, string Command)
handler of !track command
Definition track.cpp:60
VOID CommandTsc(vector< CommandToken > CommandTokens, string Command)
handler of !tsc command
Definition tsc.cpp:46
VOID CommandUnhide(vector< CommandToken > CommandTokens, string Command)
!unhide command handler
Definition unhide.cpp:100
VOID CommandUnload(vector< CommandToken > CommandTokens, string Command)
unload command handler
Definition unload.cpp:82
VOID CommandVa2pa(vector< CommandToken > CommandTokens, string Command)
!va2pa command handler
Definition va2pa.cpp:51
VOID CommandVmcall(vector< CommandToken > CommandTokens, string Command)
!vmcall command handler
Definition vmcall.cpp:46
VOID CommandWrmsr(vector< CommandToken > CommandTokens, string Command)
wrmsr command handler
Definition wrmsr.cpp:47
VOID CommandX(vector< CommandToken > CommandTokens, string Command)
x command handler
Definition x.cpp:41
VOID CommandXsetbv(vector< CommandToken > CommandTokens, string Command)
!xsetbv command handler
Definition xsetbv.cpp:47

◆ InitializeDebugger()

VOID InitializeDebugger ( )

Initialize the debugger and adjust commands for the first run.

Returns
VOID
1289{
1290 //
1291 // Initialize the mapping of functions
1292 //
1294
1295 //
1296 // Set the callback for symbol message handler
1297 //
1298 //
1299 // ShowMessages is passed as PVOID (the callback API stores it in a PVOID and
1300 // casts to the concrete fn-ptr type at the invocation site); g++ requires the
1301 // explicit function-pointer -> void* cast that MSVC performs implicitly.
1302 //
1304
1305 //
1306 // Register the CTRL+C and CTRL+BREAK Signals handler
1307 //
1309 {
1310 ShowMessages("err, when registering CTRL+C and CTRL+BREAK Signals "
1311 "handler\n");
1312 //
1313 // prefer to continue
1314 //
1315 }
1316
1317 //
1318 // *** Check for feature indicators ***
1319 //
1320
1321 //
1322 // Get x86 processor width for virtual address
1323 //
1325
1326 //
1327 // Check if processor supports TSX (RTM)
1328 //
1330
1331 //
1332 // Load default settings
1333 //
1335}
BOOL BreakController(DWORD CtrlType)
handle CTRL+C and CTRL+Break events
Definition break-control.cpp:34
BOOLEAN CheckCpuSupportRtm()
Check whether the processor supports RTM or not.
Definition common.cpp:950
UINT32 Getx86VirtualAddressWidth()
Get virtual address width for x86 processors.
Definition common.cpp:932
UINT32 g_VirtualAddressWidth
Virtual address width for x86 processors.
Definition globals.h:50
BOOLEAN g_RtmSupport
check for RTM support
Definition globals.h:44
VOID InitializeCommandsDictionary()
Initialize commands and attributes.
Definition interpreter.cpp:1343
BOOLEAN PlatformInstallCtrlHandler(PLATFORM_CTRL_HANDLER Handler)
VOID ScriptEngineSetTextMessageCallbackWrapper(PVOID Handler)
ScriptEngineSetTextMessageCallback wrapper.
Definition script-engine-wrapper.cpp:81
VOID CommandSettingsLoadDefaultValuesFromConfigFile()
Loads default settings values from config file.
Definition settings.cpp:161

◆ ReadCpuDetails()

INT ReadCpuDetails ( )

Print out supported instruction set extensions.

Returns
int
265{
266 auto & outstream = std::cout;
267
268 auto support_message = [&outstream](std::string isa_feature,
269 bool is_supported) {
270 ShowMessages("%s %s\n", isa_feature.c_str(), (is_supported ? "supported" : "not supported"));
271 };
272
273 ShowMessages("\nvendor : %s\n", InstructionSet::Vendor().c_str());
274 ShowMessages("brand : %s\n\n", InstructionSet::Brand().c_str());
275
276 support_message("3DNOW", InstructionSet::_3DNOW());
277 support_message("3DNOWEXT", InstructionSet::_3DNOWEXT());
278 support_message("ABM", InstructionSet::ABM());
279 support_message("ADX", InstructionSet::ADX());
280 support_message("AES", InstructionSet::AES());
281 support_message("AVX", InstructionSet::AVX());
282 support_message("AVX2", InstructionSet::AVX2());
283 support_message("AVX512CD", InstructionSet::AVX512CD());
284 support_message("AVX512ER", InstructionSet::AVX512ER());
285 support_message("AVX512F", InstructionSet::AVX512F());
286 support_message("AVX512PF", InstructionSet::AVX512PF());
287 support_message("BMI1", InstructionSet::BMI1());
288 support_message("BMI2", InstructionSet::BMI2());
289 support_message("CLFSH", InstructionSet::CLFSH());
290 support_message("CMPXCHG16B", InstructionSet::CMPXCHG16B());
291 support_message("CX8", InstructionSet::CX8());
292 support_message("ERMS", InstructionSet::ERMS());
293 support_message("F16C", InstructionSet::F16C());
294 support_message("FMA", InstructionSet::FMA());
295 support_message("FSGSBASE", InstructionSet::FSGSBASE());
296 support_message("FXSR", InstructionSet::FXSR());
297 support_message("HLE", InstructionSet::HLE());
298 support_message("INVPCID", InstructionSet::INVPCID());
299 support_message("LAHF", InstructionSet::LAHF());
300 support_message("LZCNT", InstructionSet::LZCNT());
301 support_message("MMX", InstructionSet::MMX());
302 support_message("MMXEXT", InstructionSet::MMXEXT());
303 support_message("MONITOR", InstructionSet::MONITOR());
304 support_message("MOVBE", InstructionSet::MOVBE());
305 support_message("MSR", InstructionSet::MSR());
306 support_message("OSXSAVE", InstructionSet::OSXSAVE());
307 support_message("PCLMULQDQ", InstructionSet::PCLMULQDQ());
308 support_message("POPCNT", InstructionSet::POPCNT());
309 support_message("PREFETCHWT1", InstructionSet::PREFETCHWT1());
310 support_message("RDRAND", InstructionSet::RDRAND());
311 support_message("RDSEED", InstructionSet::RDSEED());
312 support_message("RDTSCP", InstructionSet::RDTSCP());
313 support_message("RTM", InstructionSet::RTM());
314 support_message("SEP", InstructionSet::SEP());
315 support_message("SHA", InstructionSet::SHA());
316 support_message("SSE", InstructionSet::SSE());
317 support_message("SSE2", InstructionSet::SSE2());
318 support_message("SSE3", InstructionSet::SSE3());
319 support_message("SSE4.1", InstructionSet::SSE41());
320 support_message("SSE4.2", InstructionSet::SSE42());
321 support_message("SSE4a", InstructionSet::SSE4a());
322 support_message("SSSE3", InstructionSet::SSSE3());
323 support_message("SYSCALL", InstructionSet::SYSCALL());
324 support_message("TBM", InstructionSet::TBM());
325 support_message("XOP", InstructionSet::XOP());
326 support_message("XSAVE", InstructionSet::XSAVE());
327
328 return 0;
329}
static bool _3DNOWEXT(void)
Definition cpu.cpp:121
static bool SSE4a(void)
Definition cpu.cpp:111
static bool XSAVE(void)
Definition cpu.cpp:74
static bool MONITOR(void)
Definition cpu.cpp:65
static bool OSXSAVE(void)
Definition cpu.cpp:75
static bool XOP(void)
Definition cpu.cpp:112
static bool SEP(void)
Definition cpu.cpp:82
static bool SSE3(void)
Definition cpu.cpp:63
static bool FMA(void)
Definition cpu.cpp:67
static bool SSE42(void)
Definition cpu.cpp:70
static bool AVX512ER(void)
Definition cpu.cpp:102
static bool MSR(void)
Definition cpu.cpp:80
static bool BMI1(void)
Definition cpu.cpp:91
static bool BMI2(void)
Definition cpu.cpp:94
static bool RDRAND(void)
Definition cpu.cpp:78
static bool _3DNOW(void)
Definition cpu.cpp:125
static bool AVX2(void)
Definition cpu.cpp:93
static bool ABM(void)
Definition cpu.cpp:110
static bool PREFETCHWT1(void)
Definition cpu.cpp:106
static bool MOVBE(void)
Definition cpu.cpp:71
static bool AVX512F(void)
Definition cpu.cpp:98
static bool SSE41(void)
Definition cpu.cpp:69
static bool ERMS(void)
Definition cpu.cpp:95
static bool F16C(void)
Definition cpu.cpp:77
static bool POPCNT(void)
Definition cpu.cpp:72
static bool MMX(void)
Definition cpu.cpp:85
static bool RTM(void)
Definition cpu.cpp:97
static bool ADX(void)
Definition cpu.cpp:100
static bool PCLMULQDQ(void)
Definition cpu.cpp:64
static std::string Brand(void)
Definition cpu.cpp:61
static bool CMPXCHG16B(void)
Definition cpu.cpp:68
static bool HLE(void)
Definition cpu.cpp:92
static bool SYSCALL(void)
Definition cpu.cpp:115
static bool AES(void)
Definition cpu.cpp:73
static bool INVPCID(void)
Definition cpu.cpp:96
static bool TBM(void)
Definition cpu.cpp:113
static bool AVX512CD(void)
Definition cpu.cpp:103
static bool SHA(void)
Definition cpu.cpp:104
static bool SSSE3(void)
Definition cpu.cpp:66
static bool LZCNT(void)
Definition cpu.cpp:109
static bool RDSEED(void)
Definition cpu.cpp:99
static bool SSE2(void)
Definition cpu.cpp:88
static bool AVX(void)
Definition cpu.cpp:76
static bool CLFSH(void)
Definition cpu.cpp:84
static bool FXSR(void)
Definition cpu.cpp:86
static bool SSE(void)
Definition cpu.cpp:87
static bool AVX512PF(void)
Definition cpu.cpp:101
static bool FSGSBASE(void)
Definition cpu.cpp:90
static bool LAHF(void)
Definition cpu.cpp:108
static bool MMXEXT(void)
Definition cpu.cpp:119
static bool RDTSCP(void)
Definition cpu.cpp:120
static bool CX8(void)
Definition cpu.cpp:81

◆ SeparateTo64BitValue()

string SeparateTo64BitValue ( UINT64 Value)

◆ ShowMemoryCommandDB()

VOID ShowMemoryCommandDB ( UCHAR * OutputBuffer,
UINT32 Size,
UINT64 Address,
DEBUGGER_READ_MEMORY_TYPE MemoryType,
UINT64 Length )

Show memory in bytes (DB).

Parameters
OutputBufferthe buffer to show
Sizesize of memory to read
Addresslocation of where to read the memory
MemoryTypetype of memory (phyical or virtual)
LengthLength of memory to show
Returns
VOID
421{
422 UINT32 Character;
423
424 for (UINT32 i = 0; i < Size; i += 16)
425 {
426 if (MemoryType == DEBUGGER_READ_PHYSICAL_ADDRESS)
427 {
428 ShowMessages("#\t");
429 }
430
431 //
432 // Print address
433 //
434 ShowMessages("%s ", SeparateTo64BitValue((UINT64)(Address + i)).c_str());
435
436 //
437 // Print the hex code
438 //
439 for (SIZE_T j = 0; j < 16; j++)
440 {
441 //
442 // check to see if the address is valid or not
443 //
444 if (i + j >= Length)
445 {
446 ShowMessages("?? ");
447 }
448 else
449 {
450 ShowMessages("%02X ", OutputBuffer[i + j]);
451 }
452 }
453
454 //
455 // Print the character
456 //
457 ShowMessages(" ");
458 for (SIZE_T j = 0; j < 16; j++)
459 {
460 Character = (OutputBuffer[i + j]);
461 if (isprint(Character))
462 {
463 ShowMessages("%c", Character);
464 }
465 else
466 {
467 ShowMessages(".");
468 }
469 }
470
471 //
472 // Go to new line
473 //
474 ShowMessages("\n");
475 }
476}

◆ ShowMemoryCommandDC()

VOID ShowMemoryCommandDC ( UCHAR * OutputBuffer,
UINT32 Size,
UINT64 Address,
DEBUGGER_READ_MEMORY_TYPE MemoryType,
UINT64 Length )

Show memory in dword format (DC).

Parameters
OutputBufferthe buffer to show
Sizesize of memory to read
Addresslocation of where to read the memory
MemoryTypetype of memory (phyical or virtual)
LengthLength of memory to show
Returns
VOID
491{
492 UINT32 Character;
493 for (UINT32 i = 0; i < Size; i += 16)
494 {
495 if (MemoryType == DEBUGGER_READ_PHYSICAL_ADDRESS)
496 {
497 ShowMessages("#\t");
498 }
499
500 //
501 // Print address
502 //
503 ShowMessages("%s ", SeparateTo64BitValue((UINT64)(Address + i)).c_str());
504
505 //
506 // Print the hex code
507 //
508 for (SIZE_T j = 0; j < 16; j += 4)
509 {
510 //
511 // check to see if the address is valid or not
512 //
513 if (i + j >= Length)
514 {
515 ShowMessages("???????? ");
516 }
517 else
518 {
519 UINT32 OutputBufferVar = *((UINT32 *)&OutputBuffer[i + j]);
520 ShowMessages("%08X ", OutputBufferVar);
521 }
522 }
523
524 //
525 // Print the character
526 //
527
528 ShowMessages(" ");
529 for (SIZE_T j = 0; j < 16; j++)
530 {
531 Character = (OutputBuffer[i + j]);
532 if (isprint(Character))
533 {
534 ShowMessages("%c", Character);
535 }
536 else
537 {
538 ShowMessages(".");
539 }
540 }
541
542 //
543 // Go to new line
544 //
545 ShowMessages("\n");
546 }
547}

◆ ShowMemoryCommandDD()

VOID ShowMemoryCommandDD ( UCHAR * OutputBuffer,
UINT32 Size,
UINT64 Address,
DEBUGGER_READ_MEMORY_TYPE MemoryType,
UINT64 Length )

Show memory in dword format (DD).

Parameters
OutputBufferthe buffer to show
Sizesize of memory to read
Addresslocation of where to read the memory
MemoryTypetype of memory (phyical or virtual)
LengthLength of memory to show
Returns
VOID
562{
563 for (UINT32 i = 0; i < Size; i += 16)
564 {
565 if (MemoryType == DEBUGGER_READ_PHYSICAL_ADDRESS)
566 {
567 ShowMessages("#\t");
568 }
569
570 //
571 // Print address
572 //
573 ShowMessages("%s ", SeparateTo64BitValue((UINT64)(Address + i)).c_str());
574
575 //
576 // Print the hex code
577 //
578 for (SIZE_T j = 0; j < 16; j += 4)
579 {
580 //
581 // check to see if the address is valid or not
582 //
583 if (i + j >= Length)
584 {
585 ShowMessages("???????? ");
586 }
587 else
588 {
589 UINT32 OutputBufferVar = *((UINT32 *)&OutputBuffer[i + j]);
590 ShowMessages("%08X ", OutputBufferVar);
591 }
592 }
593 //
594 // Go to new line
595 //
596 ShowMessages("\n");
597 }
598}

◆ ShowMemoryCommandDQ()

VOID ShowMemoryCommandDQ ( UCHAR * OutputBuffer,
UINT32 Size,
UINT64 Address,
DEBUGGER_READ_MEMORY_TYPE MemoryType,
UINT64 Length )

Show memory in qword format (DQ).

Parameters
OutputBufferthe buffer to show
Sizesize of memory to read
Addresslocation of where to read the memory
MemoryTypetype of memory (phyical or virtual)
LengthLength of memory to show
Returns
VOID
613{
614 for (UINT32 i = 0; i < Size; i += 16)
615 {
616 if (MemoryType == DEBUGGER_READ_PHYSICAL_ADDRESS)
617 {
618 ShowMessages("#\t");
619 }
620
621 //
622 // Print address
623 //
624 ShowMessages("%s ", SeparateTo64BitValue((UINT64)(Address + i)).c_str());
625
626 //
627 // Print the hex code
628 //
629 for (SIZE_T j = 0; j < 16; j += 8)
630 {
631 //
632 // check to see if the address is valid or not
633 //
634 if (i + j >= Length)
635 {
636 ShowMessages("???????? ");
637 }
638 else
639 {
640 UINT32 OutputBufferVar = *((UINT32 *)&OutputBuffer[i + j + 4]);
641 ShowMessages("%08X`", OutputBufferVar);
642
643 OutputBufferVar = *((UINT32 *)&OutputBuffer[i + j]);
644 ShowMessages("%08X ", OutputBufferVar);
645 }
646 }
647
648 //
649 // Go to new line
650 //
651 ShowMessages("\n");
652 }
653}

◆ ShowMessages()

VOID ShowMessages ( const CHAR * Fmt,
... )

Show messages.

Parameters
Fmtformat string message
...arguments
Returns
VOID
85{
86 va_list ArgList;
87 va_list Args;
89
91 {
92 va_start(Args, Fmt);
93
94 vprintf(Fmt, Args);
95
96 va_end(Args);
97
98 if (!g_LogOpened)
99 {
100 return;
101 }
102 }
103
104 va_start(ArgList, Fmt);
105
106 INT SprintfResult = PlatformVsnprintf(TempMessage, sizeof(TempMessage), Fmt, ArgList);
107
108 va_end(ArgList);
109
110 if (SprintfResult != -1)
111 {
113 {
114 //
115 // vsprintf_s and vswprintf_s return the number of characters written,
116 // not including the terminating null character, or a negative value
117 // if an output error occurs.
118 //
119 RemoteConnectionSendResultsToHost(TempMessage, SprintfResult);
120 }
122 {
123 KdSendUsermodePrints(TempMessage, SprintfResult);
124 }
125
126 if (g_LogOpened)
127 {
128 //
129 // .logopen command executed
130 //
131 LogopenSaveToFile(TempMessage);
132 }
133 if (g_MessageHandler != NULL)
134 {
135 //
136 // There is another handler
137 //
139 {
141 }
142 else
143 {
144 memcpy(g_MessageHandlerSharedBuffer, TempMessage, strlen(TempMessage) + 1);
146 }
147 }
148 }
149}
#define TCP_END_OF_BUFFER_CHARS_COUNT
count of characters for tcp end of buffer
Definition Constants.h:442
#define COMMUNICATION_BUFFER_SIZE
Packet size for TCP connections.
Definition Constants.h:338
int(* SendMessageWithSharedBufferCallback)(VOID)
Callback type that can be used to be used as a custom ShowMessages function (using shared buffer).
Definition DataTypes.h:162
int(* SendMessageWithParamCallback)(const char *Text)
Callback type that can be used to be used as a custom ShowMessages function (by passing message as a ...
Definition DataTypes.h:155
VOID KdSendUsermodePrints(CHAR *Input, UINT32 Length)
Send result of user-mode ShowMessages to debuggee.
Definition kd.cpp:3364
VOID LogopenSaveToFile(const CHAR *Text)
Append text to the file object.
Definition logopen.cpp:110
PVOID g_MessageHandlerSharedBuffer
The shared buffer for the handler of ShowMessages function.
Definition globals.h:466
PVOID g_MessageHandler
The handler for ShowMessages function this is because the user might choose not to use printf and ins...
Definition globals.h:460
INT PlatformVsnprintf(char *Buffer, SIZE_T BufferSize, const char *Format, va_list ArgList)
Platform independent wrapper for vsprintf_s / vsnprintf.
Definition platform-lib-calls.c:33
INT RemoteConnectionSendResultsToHost(const CHAR *sendbuf, INT len)
Send the results of executing a command from deubggee (server, guest) to the debugger (client,...
Definition remote-connection.cpp:481

Variable Documentation

◆ g_DeviceHandle

HANDLE g_DeviceHandle
extern

Holds the global handle of device which is used to send the request to the kernel by IOCTL, this handle is not used for IRP Pending of message tracing this handle is used in KD VMM.