HyperDbg Debugger
Loading...
Searching...
No Matches
Classes | Macros | Typedefs | Functions | Variables
commands.h File Reference

The hyperdbg command interpreter and driver connector. More...

Go to the source code of this file.

Classes

struct  _COMMAND_DETAIL
 Details of each command. More...
 

Macros

#define DEBUGGER_COMMAND_ATTRIBUTE_EVENT    0x1 | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE
 Different attributes of commands.
 
#define DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE   0x2
 
#define DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_REMOTE_CONNECTION   0x4
 
#define DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE   0x8
 
#define DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER   0x10
 
#define DEBUGGER_COMMAND_ATTRIBUTE_WONT_STOP_DEBUGGER_AGAIN   0x20
 
#define DEBUGGER_COMMAND_ATTRIBUTE_HWDBG   0x40
 
#define DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL
 Absolute local commands.
 
#define DEBUGGER_COMMAND_CLEAR_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL
 Command's attributes.
 
#define DEBUGGER_COMMAND_HELP_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL
 
#define DEBUGGER_COMMAND_CONNECT_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL
 
#define DEBUGGER_COMMAND_LISTEN_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL
 
#define DEBUGGER_COMMAND_G_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL | DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER
 
#define DEBUGGER_COMMAND_ATTACH_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
 
#define DEBUGGER_COMMAND_DETACH_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
 
#define DEBUGGER_COMMAND_SWITCH_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
 
#define DEBUGGER_COMMAND_START_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_WONT_STOP_DEBUGGER_AGAIN
 
#define DEBUGGER_COMMAND_RESTART_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_WONT_STOP_DEBUGGER_AGAIN
 
#define DEBUGGER_COMMAND_KILL_ATTRIBUTES   NULL
 
#define DEBUGGER_COMMAND_PROCESS_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
 
#define DEBUGGER_COMMAND_THREAD_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
 
#define DEBUGGER_COMMAND_SLEEP_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL
 
#define DEBUGGER_COMMAND_EVENTS_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
 
#define DEBUGGER_COMMAND_SETTINGS_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
 
#define DEBUGGER_COMMAND_DISCONNECT_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL
 
#define DEBUGGER_COMMAND_DEBUG_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE
 
#define DEBUGGER_COMMAND_DOT_STATUS_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL
 
#define DEBUGGER_COMMAND_STATUS_ATTRIBUTES   NULL
 
#define DEBUGGER_COMMAND_LOAD_ATTRIBUTES   NULL
 
#define DEBUGGER_COMMAND_EXIT_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL
 
#define DEBUGGER_COMMAND_FLUSH_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
 
#define DEBUGGER_COMMAND_PAUSE_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL
 
#define DEBUGGER_COMMAND_UNLOAD_ATTRIBUTES   NULL
 
#define DEBUGGER_COMMAND_SCRIPT_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE
 
#define DEBUGGER_COMMAND_OUTPUT_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE
 
#define DEBUGGER_COMMAND_PRINT_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE | DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER
 
#define DEBUGGER_COMMAND_EVAL_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE | DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER
 
#define DEBUGGER_COMMAND_LOGOPEN_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE
 
#define DEBUGGER_COMMAND_LOGCLOSE_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL
 
#define DEBUGGER_COMMAND_TEST_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
 
#define DEBUGGER_COMMAND_CPU_ATTRIBUTES   NULL
 
#define DEBUGGER_COMMAND_WRMSR_ATTRIBUTES   NULL
 
#define DEBUGGER_COMMAND_RDMSR_ATTRIBUTES   NULL
 
#define DEBUGGER_COMMAND_VA2PA_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
 
#define DEBUGGER_COMMAND_PA2VA_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
 
#define DEBUGGER_COMMAND_FORMATS_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE | DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER
 
#define DEBUGGER_COMMAND_PTE_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
 
#define DEBUGGER_COMMAND_CORE_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
 
#define DEBUGGER_COMMAND_MONITOR_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT
 
#define DEBUGGER_COMMAND_VMCALL_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT
 
#define DEBUGGER_COMMAND_EPTHOOK_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT
 
#define DEBUGGER_COMMAND_EPTHOOK2_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT
 
#define DEBUGGER_COMMAND_CPUID_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT
 
#define DEBUGGER_COMMAND_MSRREAD_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT
 
#define DEBUGGER_COMMAND_MSRWRITE_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT
 
#define DEBUGGER_COMMAND_TSC_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT
 
#define DEBUGGER_COMMAND_PMC_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT
 
#define DEBUGGER_COMMAND_CRWRITE_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT
 
#define DEBUGGER_COMMAND_DR_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT
 
#define DEBUGGER_COMMAND_IOIN_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT
 
#define DEBUGGER_COMMAND_IOOUT_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT
 
#define DEBUGGER_COMMAND_EXCEPTION_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT
 
#define DEBUGGER_COMMAND_INTERRUPT_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT
 
#define DEBUGGER_COMMAND_SYSCALL_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT
 
#define DEBUGGER_COMMAND_SYSRET_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT
 
#define DEBUGGER_COMMAND_MODE_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT
 
#define DEBUGGER_COMMAND_TRACE_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT
 
#define DEBUGGER_COMMAND_HIDE_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE
 
#define DEBUGGER_COMMAND_UNHIDE_ATTRIBUTES   NULL
 
#define DEBUGGER_COMMAND_MEASURE_ATTRIBUTES   NULL
 
#define DEBUGGER_COMMAND_LM_ATTRIBUTES   NULL
 
#define DEBUGGER_COMMAND_P_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER
 
#define DEBUGGER_COMMAND_T_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER
 
#define DEBUGGER_COMMAND_I_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER
 
#define DEBUGGER_COMMAND_D_AND_U_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE | DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER
 
#define DEBUGGER_COMMAND_E_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE
 
#define DEBUGGER_COMMAND_S_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE
 
#define DEBUGGER_COMMAND_R_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE | DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER
 
#define DEBUGGER_COMMAND_BP_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE
 
#define DEBUGGER_COMMAND_BE_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
 
#define DEBUGGER_COMMAND_BD_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
 
#define DEBUGGER_COMMAND_BC_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
 
#define DEBUGGER_COMMAND_BL_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
 
#define DEBUGGER_COMMAND_SYMPATH_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE
 
#define DEBUGGER_COMMAND_SYM_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE
 
#define DEBUGGER_COMMAND_X_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE
 
#define DEBUGGER_COMMAND_PREALLOC_ATTRIBUTES   NULL
 
#define DEBUGGER_COMMAND_PREACTIVATE_ATTRIBUTES   NULL
 
#define DEBUGGER_COMMAND_K_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
 
#define DEBUGGER_COMMAND_DT_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE | DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER
 
#define DEBUGGER_COMMAND_STRUCT_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE
 
#define DEBUGGER_COMMAND_PE_ATTRIBUTES   NULL
 
#define DEBUGGER_COMMAND_REV_ATTRIBUTES   NULL
 
#define DEBUGGER_COMMAND_TRACK_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
 
#define DEBUGGER_COMMAND_PAGEIN_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
 
#define DEBUGGER_COMMAND_DUMP_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE
 
#define DEBUGGER_COMMAND_GU_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER
 
#define DEBUGGER_COMMAND_HWDBG_HW_CLK_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_HWDBG
 
#define DEBUGGER_COMMAND_A_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE
 

Typedefs

typedef VOID(* CommandFuncType) (vector< string > SplitCommand, string Command)
 Command's function type.
 
typedef VOID(* CommandHelpFuncType) ()
 Command's help function type.
 
typedef struct _COMMAND_DETAIL COMMAND_DETAIL
 Details of each command.
 
typedef struct _COMMAND_DETAILPCOMMAND_DETAIL
 
typedef std::map< std::string, COMMAND_DETAILCommandType
 Type saving commands and mapping to command string.
 

Functions

VOID CommandSettingsLoadDefaultValuesFromConfigFile ()
 Loads default settings values from config file.
 
VOID CommandSettingsSetValueFromConfigFile (std::string OptionName, std::string OptionValue)
 Sets the setting values from config file.
 
BOOLEAN CommandSettingsGetValueFromConfigFile (std::string OptionName, std::string &OptionValue)
 Gets the setting values from config file.
 
VOID CpuReadVendorString (CHAR *Result)
 Reads the CPU vendor string.
 
int ReadCpuDetails ()
 Print out supported instruction set extensions.
 
VOID ShowMessages (const char *Fmt,...)
 Show messages.
 
string SeparateTo64BitValue (UINT64 Value)
 add ` between 64 bit values and convert them to string
 
void ShowMemoryCommandDB (unsigned char *OutputBuffer, UINT32 Size, UINT64 Address, DEBUGGER_READ_MEMORY_TYPE MemoryType, UINT64 Length)
 Show memory in bytes (DB)
 
void ShowMemoryCommandDD (unsigned char *OutputBuffer, UINT32 Size, UINT64 Address, DEBUGGER_READ_MEMORY_TYPE MemoryType, UINT64 Length)
 Show memory in dword format (DD)
 
void ShowMemoryCommandDC (unsigned char *OutputBuffer, UINT32 Size, UINT64 Address, DEBUGGER_READ_MEMORY_TYPE MemoryType, UINT64 Length)
 Show memory in dword format (DC)
 
void ShowMemoryCommandDQ (unsigned char *OutputBuffer, UINT32 Size, UINT64 Address, DEBUGGER_READ_MEMORY_TYPE MemoryType, UINT64 Length)
 Show memory in qword format (DQ)
 
VOID CommandPteShowResults (UINT64 TargetVa, PDEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS PteRead)
 show results of !pte command
 
DEBUGGER_CONDITIONAL_JUMP_STATUS HyperDbgIsConditionalJumpTaken (unsigned char *BufferToDisassemble, UINT64 BuffLength, RFLAGS Rflags, BOOLEAN Isx86_64)
 Check whether the jump is taken or not taken (in debugger)
 
int HyperDbgDisassembler64 (unsigned char *BufferToDisassemble, UINT64 BaseAddress, UINT64 Size, UINT32 MaximumInstrDecoded, BOOLEAN ShowBranchIsTakenOrNot, PRFLAGS Rflags)
 Disassemble x64 assemblies.
 
int HyperDbgDisassembler32 (unsigned char *BufferToDisassemble, UINT64 BaseAddress, UINT64 Size, UINT32 MaximumInstrDecoded, BOOLEAN ShowBranchIsTakenOrNot, PRFLAGS Rflags)
 Disassemble 32 bit assemblies.
 
UINT32 HyperDbgLengthDisassemblerEngine (unsigned char *BufferToDisassemble, UINT64 BuffLength, BOOLEAN Isx86_64)
 Length Disassembler engine based on Zydis.
 
BOOLEAN HyperDbgCheckWhetherTheCurrentInstructionIsCall (unsigned char *BufferToDisassemble, UINT64 BuffLength, BOOLEAN Isx86_64, PUINT32 CallLength)
 Check whether the current instruction is a 'call' or not.
 
BOOLEAN HyperDbgCheckWhetherTheCurrentInstructionIsCallOrRet (unsigned char *BufferToDisassemble, UINT64 CurrentRip, UINT32 BuffLength, BOOLEAN Isx86_64, PBOOLEAN IsRet)
 Check whether the current instruction is a 'call' or 'ret' or not.
 
BOOLEAN HyperDbgCheckWhetherTheCurrentInstructionIsRet (unsigned char *BufferToDisassemble, UINT64 BuffLength, BOOLEAN Isx86_64)
 Check whether the current instruction is a 'ret' or not.
 
VOID HyperDbgShowMemoryOrDisassemble (DEBUGGER_SHOW_MEMORY_STYLE Style, UINT64 Address, DEBUGGER_READ_MEMORY_TYPE MemoryType, DEBUGGER_READ_READING_TYPE ReadingType, UINT32 Pid, UINT32 Size, PDEBUGGER_DT_COMMAND_OPTIONS DtDetails)
 Show memory or disassembler.
 
BOOLEAN HyperDbgReadMemory (UINT64 TargetAddress, DEBUGGER_READ_MEMORY_TYPE MemoryType, DEBUGGER_READ_READING_TYPE ReadingType, UINT32 Pid, UINT32 Size, BOOLEAN GetAddressMode, DEBUGGER_READ_MEMORY_ADDRESS_MODE *AddressMode, BYTE *TargetBufferToStore, UINT32 *ReturnLength)
 Read memory and disassembler.
 
VOID InitializeCommandsDictionary ()
 Initialize commands and attributes.
 
VOID InitializeDebugger ()
 Initialize the debugger and adjust commands for the first run.
 
BOOLEAN CheckMultilineCommand (CHAR *CurrentCommand, BOOLEAN Reset)
 check for multi-line commands
 
BOOLEAN ContinuePreviousCommand ()
 Some of commands like stepping commands (i, p, t) and etc. need to be repeated when the user press enter, this function shows whether we should continue the previous command or not.
 
VOID CommandDumpSaveIntoFile (PVOID Buffer, UINT32 Length)
 Saves the received buffers into the files.
 
VOID CommandTest (vector< string > SplitCommand, string Command)
 test command handler
 
VOID CommandClearScreen (vector< string > SplitCommand, string Command)
 .cls command handler
 
VOID CommandReadMemoryAndDisassembler (vector< string > SplitCommand, string Command)
 u* d* !u* !d* commands handler
 
VOID CommandConnect (vector< string > SplitCommand, string Command)
 .connect command handler
 
VOID CommandLoad (vector< string > SplitCommand, string Command)
 load command handler
 
VOID CommandUnload (vector< string > SplitCommand, string Command)
 unload command handler
 
VOID CommandScript (vector< string > SplitCommand, string Command)
 .script command handler
 
VOID CommandCpu (vector< string > SplitCommand, string Command)
 cpu command handler
 
VOID CommandExit (vector< string > SplitCommand, string Command)
 exit command handler
 
VOID CommandDisconnect (vector< string > SplitCommand, string Command)
 .disconnect command handler
 
VOID CommandFormats (vector< string > SplitCommand, string Command)
 handler of .formats command
 
VOID CommandRdmsr (vector< string > SplitCommand, string Command)
 rdmsr command handler
 
VOID CommandWrmsr (vector< string > SplitCommand, string Command)
 wrmsr command handler
 
VOID CommandPte (vector< string > SplitCommand, string Command)
 !pte command handler
 
VOID CommandMonitor (vector< string > SplitCommand, string Command)
 !monitor command handler
 
VOID CommandSyscallAndSysret (vector< string > SplitCommand, string Command)
 !syscall, !syscall2 and !sysret, !sysret2 commands handler
 
VOID CommandEptHook (vector< string > SplitCommand, string Command)
 !epthook command handler
 
VOID CommandEptHook2 (vector< string > SplitCommand, string Command)
 !epthook2 command handler
 
VOID CommandCpuid (vector< string > SplitCommand, string Command)
 !cpuid command handler
 
VOID CommandMsrread (vector< string > SplitCommand, string Command)
 !msrread command handler
 
VOID CommandMsrwrite (vector< string > SplitCommand, string Command)
 !msrwrite command handler
 
VOID CommandTsc (vector< string > SplitCommand, string Command)
 handler of !tsc command
 
VOID CommandPmc (vector< string > SplitCommand, string Command)
 !pmc command handler
 
VOID CommandException (vector< string > SplitCommand, string Command)
 !exception command handler
 
VOID CommandCrwrite (vector< string > SplitCommand, string Command)
 !crwrite command handler
 
VOID CommandDr (vector< string > SplitCommand, string Command)
 !dr command handler
 
VOID CommandInterrupt (vector< string > SplitCommand, string Command)
 !interrupt command handler
 
VOID CommandIoin (vector< string > SplitCommand, string Command)
 !ioin command handler
 
VOID CommandIoout (vector< string > SplitCommand, string Command)
 !ioout command handler
 
VOID CommandVmcall (vector< string > SplitCommand, string Command)
 !vmcall command handler
 
VOID CommandMode (vector< string > SplitCommand, string Command)
 !mode command handler
 
VOID CommandTrace (vector< string > SplitCommand, string Command)
 !trace command handler
 
VOID CommandHide (vector< string > SplitCommand, string Command)
 !hide command handler
 
VOID CommandUnhide (vector< string > SplitCommand, string Command)
 !unhide command handler
 
VOID CommandLogopen (vector< string > SplitCommand, string Command)
 .logopen command handler
 
VOID CommandLogclose (vector< string > SplitCommand, string Command)
 .logclose command handler
 
VOID CommandVa2pa (vector< string > SplitCommand, string Command)
 !va2pa command handler
 
VOID CommandPa2va (vector< string > SplitCommand, string Command)
 !pa2va command handler
 
VOID CommandEvents (vector< string > SplitCommand, string Command)
 events command handler
 
VOID CommandG (vector< string > SplitCommand, string Command)
 handler of g command
 
VOID CommandLm (vector< string > SplitCommand, string Command)
 handle lm command
 
VOID CommandSleep (vector< string > SplitCommand, string Command)
 sleep command help
 
VOID CommandEditMemory (vector< string > SplitCommand, string Command)
 !e* and e* commands handler
 
VOID CommandSearchMemory (vector< string > SplitCommand, string Command)
 !s* s* commands handler
 
VOID CommandMeasure (vector< string > SplitCommand, string Command)
 !measure command handler
 
VOID CommandSettings (vector< string > SplitCommand, string Command)
 settings command handler
 
VOID CommandFlush (vector< string > SplitCommand, string Command)
 flush command handler
 
VOID CommandPause (vector< string > SplitCommand, string Command)
 pause command handler
 
VOID CommandListen (vector< string > SplitCommand, string Command)
 listen command handler
 
VOID CommandStatus (vector< string > SplitCommand, string Command)
 .status and status command handler
 
VOID CommandAttach (vector< string > SplitCommand, string Command)
 .attach command handler
 
VOID CommandDetach (vector< string > SplitCommand, string Command)
 .detach command handler
 
VOID CommandStart (vector< string > SplitCommand, string Command)
 .start command handler
 
VOID CommandRestart (vector< string > SplitCommand, string Command)
 .restart command handler
 
VOID CommandSwitch (vector< string > SplitCommand, string Command)
 .switch command handler
 
VOID CommandKill (vector< string > SplitCommand, string Command)
 .kill command handler
 
VOID CommandT (vector< string > SplitCommand, string Command)
 handler of t command
 
VOID CommandI (vector< string > SplitCommand, string Command)
 handler of i command
 
VOID CommandPrint (vector< string > SplitCommand, string Command)
 handler of print command
 
VOID CommandOutput (vector< string > SplitCommand, string Command)
 output command handler
 
VOID CommandDebug (vector< string > SplitCommand, string Command)
 .debug command handler
 
VOID CommandP (vector< string > SplitCommand, string Command)
 handler of p command
 
VOID CommandCore (vector< string > SplitCommand, string Command)
 ~ command handler
 
VOID CommandProcess (vector< string > SplitCommand, string Command)
 .process command handler
 
VOID CommandThread (vector< string > SplitCommand, string Command)
 .thread command handler
 
VOID CommandEval (vector< string > SplitCommand, string Command)
 handler of ? command
 
VOID CommandR (vector< string > SplitCommand, string Command)
 
VOID CommandBp (vector< string > SplitCommand, string Command)
 bp command handler
 
VOID CommandBl (vector< string > SplitCommand, string Command)
 handler of the bl command
 
VOID CommandBe (vector< string > SplitCommand, string Command)
 handler of be command
 
VOID CommandBd (vector< string > SplitCommand, string Command)
 handler of bd command
 
VOID CommandBc (vector< string > SplitCommand, string Command)
 handler of bc command
 
VOID CommandSympath (vector< string > SplitCommand, string Command)
 .sympath command handler
 
VOID CommandSym (vector< string > SplitCommand, string Command)
 .sym command handler
 
VOID CommandX (vector< string > SplitCommand, string Command)
 x command handler
 
VOID CommandPrealloc (vector< string > SplitCommand, string Command)
 prealloc command handler
 
VOID CommandPreactivate (vector< string > SplitCommand, string Command)
 preactivate command handler
 
VOID CommandDtAndStruct (vector< string > SplitCommand, string Command)
 dt and struct command handler
 
VOID CommandK (vector< string > SplitCommand, string Command)
 k command handler
 
VOID CommandPe (vector< string > SplitCommand, string Command)
 .pe command handler
 
VOID CommandRev (vector< string > SplitCommand, string Command)
 !rev command handler
 
VOID CommandTrack (vector< string > SplitCommand, string Command)
 handler of !track command
 
VOID CommandPagein (vector< string > SplitCommand, string Command)
 .pagein command handler
 
VOID CommandDump (vector< string > SplitCommand, string Command)
 .dump command handler
 
VOID CommandGu (vector< string > SplitCommand, string Command)
 handler of gu command
 
VOID CommandAssemble (vector< string > SplitCommand, string Command)
 a and !a commands handler
 
VOID CommandHwClk (vector< string > SplitCommand, string Command)
 !hw_clk command handler
 

Variables

HANDLE g_DeviceHandle
 Holds the global handle of device which is used to send the request to the kernel by IOCTL, this handle is not used for IRP Pending of message tracing this handle is used in KD VMM.
 

Detailed Description

The hyperdbg command interpreter and driver connector.

Author
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
Alee Amini (alee@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
Version
0.1
Date
2020-04-11
Copyright
This project is released under the GNU Public License v3.

Macro Definition Documentation

◆ DEBUGGER_COMMAND_A_ATTRIBUTES

#define DEBUGGER_COMMAND_A_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE
434#define DEBUGGER_COMMAND_A_ATTRIBUTES \
435 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE

◆ DEBUGGER_COMMAND_ATTACH_ATTRIBUTES

#define DEBUGGER_COMMAND_ATTACH_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

◆ DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL

#define DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL
Value:
DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | \
DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_REMOTE_CONNECTION
DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
#define DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
Definition commands.h:191
DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_REMOTE_CONNECTION
#define DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_REMOTE_CONNECTION
Definition commands.h:192

Absolute local commands.

202#define DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL \
203 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | \
204 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_REMOTE_CONNECTION

◆ DEBUGGER_COMMAND_ATTRIBUTE_EVENT

#define DEBUGGER_COMMAND_ATTRIBUTE_EVENT    0x1 | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE

Different attributes of commands.

189#define DEBUGGER_COMMAND_ATTRIBUTE_EVENT \
190 0x1 | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE

◆ DEBUGGER_COMMAND_ATTRIBUTE_HWDBG

#define DEBUGGER_COMMAND_ATTRIBUTE_HWDBG   0x40

◆ DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE

#define DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE   0x8

◆ DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

#define DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE   0x2

◆ DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_REMOTE_CONNECTION

#define DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_REMOTE_CONNECTION   0x4

◆ DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER

#define DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER   0x10

◆ DEBUGGER_COMMAND_ATTRIBUTE_WONT_STOP_DEBUGGER_AGAIN

#define DEBUGGER_COMMAND_ATTRIBUTE_WONT_STOP_DEBUGGER_AGAIN   0x20

◆ DEBUGGER_COMMAND_BC_ATTRIBUTES

#define DEBUGGER_COMMAND_BC_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
389#define DEBUGGER_COMMAND_BC_ATTRIBUTES \
390 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

◆ DEBUGGER_COMMAND_BD_ATTRIBUTES

#define DEBUGGER_COMMAND_BD_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
386#define DEBUGGER_COMMAND_BD_ATTRIBUTES \
387 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

◆ DEBUGGER_COMMAND_BE_ATTRIBUTES

#define DEBUGGER_COMMAND_BE_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
383#define DEBUGGER_COMMAND_BE_ATTRIBUTES \
384 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

◆ DEBUGGER_COMMAND_BL_ATTRIBUTES

#define DEBUGGER_COMMAND_BL_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
392#define DEBUGGER_COMMAND_BL_ATTRIBUTES \
393 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

◆ DEBUGGER_COMMAND_BP_ATTRIBUTES

#define DEBUGGER_COMMAND_BP_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE
380#define DEBUGGER_COMMAND_BP_ATTRIBUTES \
381 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE

◆ DEBUGGER_COMMAND_CLEAR_ATTRIBUTES

#define DEBUGGER_COMMAND_CLEAR_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL

Command's attributes.

210#define DEBUGGER_COMMAND_CLEAR_ATTRIBUTES \
211 DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL

◆ DEBUGGER_COMMAND_CONNECT_ATTRIBUTES

#define DEBUGGER_COMMAND_CONNECT_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL
216#define DEBUGGER_COMMAND_CONNECT_ATTRIBUTES \
217 DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL

◆ DEBUGGER_COMMAND_CORE_ATTRIBUTES

#define DEBUGGER_COMMAND_CORE_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
310#define DEBUGGER_COMMAND_CORE_ATTRIBUTES \
311 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

◆ DEBUGGER_COMMAND_CPU_ATTRIBUTES

#define DEBUGGER_COMMAND_CPU_ATTRIBUTES   NULL

◆ DEBUGGER_COMMAND_CPUID_ATTRIBUTES

#define DEBUGGER_COMMAND_CPUID_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT

◆ DEBUGGER_COMMAND_CRWRITE_ATTRIBUTES

#define DEBUGGER_COMMAND_CRWRITE_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT

◆ DEBUGGER_COMMAND_D_AND_U_ATTRIBUTES

#define DEBUGGER_COMMAND_D_AND_U_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE | DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER
368#define DEBUGGER_COMMAND_D_AND_U_ATTRIBUTES \
369 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE | DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER

◆ DEBUGGER_COMMAND_DEBUG_ATTRIBUTES

#define DEBUGGER_COMMAND_DEBUG_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE
254#define DEBUGGER_COMMAND_DEBUG_ATTRIBUTES \
255 DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE

◆ DEBUGGER_COMMAND_DETACH_ATTRIBUTES

#define DEBUGGER_COMMAND_DETACH_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

◆ DEBUGGER_COMMAND_DISCONNECT_ATTRIBUTES

#define DEBUGGER_COMMAND_DISCONNECT_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL
251#define DEBUGGER_COMMAND_DISCONNECT_ATTRIBUTES \
252 DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL

◆ DEBUGGER_COMMAND_DOT_STATUS_ATTRIBUTES

#define DEBUGGER_COMMAND_DOT_STATUS_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL
257#define DEBUGGER_COMMAND_DOT_STATUS_ATTRIBUTES \
258 DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL

◆ DEBUGGER_COMMAND_DR_ATTRIBUTES

#define DEBUGGER_COMMAND_DR_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT

◆ DEBUGGER_COMMAND_DT_ATTRIBUTES

#define DEBUGGER_COMMAND_DT_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE | DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER
411#define DEBUGGER_COMMAND_DT_ATTRIBUTES \
412 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE | DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER

◆ DEBUGGER_COMMAND_DUMP_ATTRIBUTES

#define DEBUGGER_COMMAND_DUMP_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE
426#define DEBUGGER_COMMAND_DUMP_ATTRIBUTES \
427 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE

◆ DEBUGGER_COMMAND_E_ATTRIBUTES

#define DEBUGGER_COMMAND_E_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE
371#define DEBUGGER_COMMAND_E_ATTRIBUTES \
372 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE

◆ DEBUGGER_COMMAND_EPTHOOK2_ATTRIBUTES

#define DEBUGGER_COMMAND_EPTHOOK2_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT

◆ DEBUGGER_COMMAND_EPTHOOK_ATTRIBUTES

#define DEBUGGER_COMMAND_EPTHOOK_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT

◆ DEBUGGER_COMMAND_EVAL_ATTRIBUTES

#define DEBUGGER_COMMAND_EVAL_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE | DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER
284#define DEBUGGER_COMMAND_EVAL_ATTRIBUTES \
285 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE | DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER

◆ DEBUGGER_COMMAND_EVENTS_ATTRIBUTES

#define DEBUGGER_COMMAND_EVENTS_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
245#define DEBUGGER_COMMAND_EVENTS_ATTRIBUTES \
246 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

◆ DEBUGGER_COMMAND_EXCEPTION_ATTRIBUTES

#define DEBUGGER_COMMAND_EXCEPTION_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT

◆ DEBUGGER_COMMAND_EXIT_ATTRIBUTES

#define DEBUGGER_COMMAND_EXIT_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL
264#define DEBUGGER_COMMAND_EXIT_ATTRIBUTES \
265 DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL

◆ DEBUGGER_COMMAND_FLUSH_ATTRIBUTES

#define DEBUGGER_COMMAND_FLUSH_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
267#define DEBUGGER_COMMAND_FLUSH_ATTRIBUTES \
268 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

◆ DEBUGGER_COMMAND_FORMATS_ATTRIBUTES

#define DEBUGGER_COMMAND_FORMATS_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE | DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER
305#define DEBUGGER_COMMAND_FORMATS_ATTRIBUTES \
306 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE | DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER

◆ DEBUGGER_COMMAND_G_ATTRIBUTES

#define DEBUGGER_COMMAND_G_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL | DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER

◆ DEBUGGER_COMMAND_GU_ATTRIBUTES

#define DEBUGGER_COMMAND_GU_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER
429#define DEBUGGER_COMMAND_GU_ATTRIBUTES \
430 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER

◆ DEBUGGER_COMMAND_HELP_ATTRIBUTES

#define DEBUGGER_COMMAND_HELP_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL
213#define DEBUGGER_COMMAND_HELP_ATTRIBUTES \
214 DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL

◆ DEBUGGER_COMMAND_HIDE_ATTRIBUTES

#define DEBUGGER_COMMAND_HIDE_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE

◆ DEBUGGER_COMMAND_HWDBG_HW_CLK_ATTRIBUTES

#define DEBUGGER_COMMAND_HWDBG_HW_CLK_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_HWDBG

◆ DEBUGGER_COMMAND_I_ATTRIBUTES

#define DEBUGGER_COMMAND_I_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER
365#define DEBUGGER_COMMAND_I_ATTRIBUTES \
366 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER

◆ DEBUGGER_COMMAND_INTERRUPT_ATTRIBUTES

#define DEBUGGER_COMMAND_INTERRUPT_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT

◆ DEBUGGER_COMMAND_IOIN_ATTRIBUTES

#define DEBUGGER_COMMAND_IOIN_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT

◆ DEBUGGER_COMMAND_IOOUT_ATTRIBUTES

#define DEBUGGER_COMMAND_IOOUT_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT

◆ DEBUGGER_COMMAND_K_ATTRIBUTES

#define DEBUGGER_COMMAND_K_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
408#define DEBUGGER_COMMAND_K_ATTRIBUTES \
409 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

◆ DEBUGGER_COMMAND_KILL_ATTRIBUTES

#define DEBUGGER_COMMAND_KILL_ATTRIBUTES   NULL

◆ DEBUGGER_COMMAND_LISTEN_ATTRIBUTES

#define DEBUGGER_COMMAND_LISTEN_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL
219#define DEBUGGER_COMMAND_LISTEN_ATTRIBUTES \
220 DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL

◆ DEBUGGER_COMMAND_LM_ATTRIBUTES

#define DEBUGGER_COMMAND_LM_ATTRIBUTES   NULL

◆ DEBUGGER_COMMAND_LOAD_ATTRIBUTES

#define DEBUGGER_COMMAND_LOAD_ATTRIBUTES   NULL

◆ DEBUGGER_COMMAND_LOGCLOSE_ATTRIBUTES

#define DEBUGGER_COMMAND_LOGCLOSE_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL
290#define DEBUGGER_COMMAND_LOGCLOSE_ATTRIBUTES \
291 DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL

◆ DEBUGGER_COMMAND_LOGOPEN_ATTRIBUTES

#define DEBUGGER_COMMAND_LOGOPEN_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE
287#define DEBUGGER_COMMAND_LOGOPEN_ATTRIBUTES \
288 DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE

◆ DEBUGGER_COMMAND_MEASURE_ATTRIBUTES

#define DEBUGGER_COMMAND_MEASURE_ATTRIBUTES   NULL

◆ DEBUGGER_COMMAND_MODE_ATTRIBUTES

#define DEBUGGER_COMMAND_MODE_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT

◆ DEBUGGER_COMMAND_MONITOR_ATTRIBUTES

#define DEBUGGER_COMMAND_MONITOR_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT

◆ DEBUGGER_COMMAND_MSRREAD_ATTRIBUTES

#define DEBUGGER_COMMAND_MSRREAD_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT

◆ DEBUGGER_COMMAND_MSRWRITE_ATTRIBUTES

#define DEBUGGER_COMMAND_MSRWRITE_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT

◆ DEBUGGER_COMMAND_OUTPUT_ATTRIBUTES

#define DEBUGGER_COMMAND_OUTPUT_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE
278#define DEBUGGER_COMMAND_OUTPUT_ATTRIBUTES \
279 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE

◆ DEBUGGER_COMMAND_P_ATTRIBUTES

#define DEBUGGER_COMMAND_P_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER
359#define DEBUGGER_COMMAND_P_ATTRIBUTES \
360 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER

◆ DEBUGGER_COMMAND_PA2VA_ATTRIBUTES

#define DEBUGGER_COMMAND_PA2VA_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

◆ DEBUGGER_COMMAND_PAGEIN_ATTRIBUTES

#define DEBUGGER_COMMAND_PAGEIN_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

◆ DEBUGGER_COMMAND_PAUSE_ATTRIBUTES

#define DEBUGGER_COMMAND_PAUSE_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL
270#define DEBUGGER_COMMAND_PAUSE_ATTRIBUTES \
271 DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL

◆ DEBUGGER_COMMAND_PE_ATTRIBUTES

#define DEBUGGER_COMMAND_PE_ATTRIBUTES   NULL

◆ DEBUGGER_COMMAND_PMC_ATTRIBUTES

#define DEBUGGER_COMMAND_PMC_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT

◆ DEBUGGER_COMMAND_PREACTIVATE_ATTRIBUTES

#define DEBUGGER_COMMAND_PREACTIVATE_ATTRIBUTES   NULL

◆ DEBUGGER_COMMAND_PREALLOC_ATTRIBUTES

#define DEBUGGER_COMMAND_PREALLOC_ATTRIBUTES   NULL

◆ DEBUGGER_COMMAND_PRINT_ATTRIBUTES

#define DEBUGGER_COMMAND_PRINT_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE | DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER
281#define DEBUGGER_COMMAND_PRINT_ATTRIBUTES \
282 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE | DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER

◆ DEBUGGER_COMMAND_PROCESS_ATTRIBUTES

#define DEBUGGER_COMMAND_PROCESS_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
236#define DEBUGGER_COMMAND_PROCESS_ATTRIBUTES \
237 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

◆ DEBUGGER_COMMAND_PTE_ATTRIBUTES

#define DEBUGGER_COMMAND_PTE_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

◆ DEBUGGER_COMMAND_R_ATTRIBUTES

#define DEBUGGER_COMMAND_R_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE | DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER
377#define DEBUGGER_COMMAND_R_ATTRIBUTES \
378 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE | DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER

◆ DEBUGGER_COMMAND_RDMSR_ATTRIBUTES

#define DEBUGGER_COMMAND_RDMSR_ATTRIBUTES   NULL

◆ DEBUGGER_COMMAND_RESTART_ATTRIBUTES

#define DEBUGGER_COMMAND_RESTART_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_WONT_STOP_DEBUGGER_AGAIN

◆ DEBUGGER_COMMAND_REV_ATTRIBUTES

#define DEBUGGER_COMMAND_REV_ATTRIBUTES   NULL

◆ DEBUGGER_COMMAND_S_ATTRIBUTES

#define DEBUGGER_COMMAND_S_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE
374#define DEBUGGER_COMMAND_S_ATTRIBUTES \
375 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE

◆ DEBUGGER_COMMAND_SCRIPT_ATTRIBUTES

#define DEBUGGER_COMMAND_SCRIPT_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE
275#define DEBUGGER_COMMAND_SCRIPT_ATTRIBUTES \
276 DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE

◆ DEBUGGER_COMMAND_SETTINGS_ATTRIBUTES

#define DEBUGGER_COMMAND_SETTINGS_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
248#define DEBUGGER_COMMAND_SETTINGS_ATTRIBUTES \
249 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

◆ DEBUGGER_COMMAND_SLEEP_ATTRIBUTES

#define DEBUGGER_COMMAND_SLEEP_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL
242#define DEBUGGER_COMMAND_SLEEP_ATTRIBUTES \
243 DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL

◆ DEBUGGER_COMMAND_START_ATTRIBUTES

#define DEBUGGER_COMMAND_START_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_WONT_STOP_DEBUGGER_AGAIN

◆ DEBUGGER_COMMAND_STATUS_ATTRIBUTES

#define DEBUGGER_COMMAND_STATUS_ATTRIBUTES   NULL

◆ DEBUGGER_COMMAND_STRUCT_ATTRIBUTES

#define DEBUGGER_COMMAND_STRUCT_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE
414#define DEBUGGER_COMMAND_STRUCT_ATTRIBUTES \
415 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE

◆ DEBUGGER_COMMAND_SWITCH_ATTRIBUTES

#define DEBUGGER_COMMAND_SWITCH_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

◆ DEBUGGER_COMMAND_SYM_ATTRIBUTES

#define DEBUGGER_COMMAND_SYM_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE
398#define DEBUGGER_COMMAND_SYM_ATTRIBUTES \
399 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE

◆ DEBUGGER_COMMAND_SYMPATH_ATTRIBUTES

#define DEBUGGER_COMMAND_SYMPATH_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE
395#define DEBUGGER_COMMAND_SYMPATH_ATTRIBUTES \
396 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE

◆ DEBUGGER_COMMAND_SYSCALL_ATTRIBUTES

#define DEBUGGER_COMMAND_SYSCALL_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT

◆ DEBUGGER_COMMAND_SYSRET_ATTRIBUTES

#define DEBUGGER_COMMAND_SYSRET_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT

◆ DEBUGGER_COMMAND_T_ATTRIBUTES

#define DEBUGGER_COMMAND_T_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER
362#define DEBUGGER_COMMAND_T_ATTRIBUTES \
363 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_REPEAT_ON_ENTER

◆ DEBUGGER_COMMAND_TEST_ATTRIBUTES

#define DEBUGGER_COMMAND_TEST_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

◆ DEBUGGER_COMMAND_THREAD_ATTRIBUTES

#define DEBUGGER_COMMAND_THREAD_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE
239#define DEBUGGER_COMMAND_THREAD_ATTRIBUTES \
240 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

◆ DEBUGGER_COMMAND_TRACE_ATTRIBUTES

#define DEBUGGER_COMMAND_TRACE_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT

◆ DEBUGGER_COMMAND_TRACK_ATTRIBUTES

#define DEBUGGER_COMMAND_TRACK_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

◆ DEBUGGER_COMMAND_TSC_ATTRIBUTES

#define DEBUGGER_COMMAND_TSC_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT

◆ DEBUGGER_COMMAND_UNHIDE_ATTRIBUTES

#define DEBUGGER_COMMAND_UNHIDE_ATTRIBUTES   NULL

◆ DEBUGGER_COMMAND_UNLOAD_ATTRIBUTES

#define DEBUGGER_COMMAND_UNLOAD_ATTRIBUTES   NULL

◆ DEBUGGER_COMMAND_VA2PA_ATTRIBUTES

#define DEBUGGER_COMMAND_VA2PA_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE

◆ DEBUGGER_COMMAND_VMCALL_ATTRIBUTES

#define DEBUGGER_COMMAND_VMCALL_ATTRIBUTES   DEBUGGER_COMMAND_ATTRIBUTE_EVENT

◆ DEBUGGER_COMMAND_WRMSR_ATTRIBUTES

#define DEBUGGER_COMMAND_WRMSR_ATTRIBUTES   NULL

◆ DEBUGGER_COMMAND_X_ATTRIBUTES

#define DEBUGGER_COMMAND_X_ATTRIBUTES    DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE
401#define DEBUGGER_COMMAND_X_ATTRIBUTES \
402 DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_COMMAND_IN_DEBUGGER_MODE | DEBUGGER_COMMAND_ATTRIBUTE_LOCAL_CASE_SENSITIVE

Typedef Documentation

◆ COMMAND_DETAIL

typedef struct _COMMAND_DETAIL COMMAND_DETAIL

Details of each command.

◆ CommandFuncType

typedef VOID(* CommandFuncType) (vector< string > SplitCommand, string Command)

Command's function type.

◆ CommandHelpFuncType

typedef VOID(* CommandHelpFuncType) ()

Command's help function type.

◆ CommandType

typedef std::map<std::string, COMMAND_DETAIL> CommandType

Type saving commands and mapping to command string.

◆ PCOMMAND_DETAIL

typedef struct _COMMAND_DETAIL * PCOMMAND_DETAIL

Function Documentation

◆ CheckMultilineCommand()

BOOLEAN CheckMultilineCommand ( CHAR * CurrentCommand,
BOOLEAN Reset )

check for multi-line commands

Parameters
CurrentCommand
Reset
Returns
BOOLEAN return TRUE if the command needs extra input, otherwise return FALSE
612{
613 UINT32 CurrentCommandLen = 0;
614 std::string CurrentCommandStr(CurrentCommand);
615
616 if (Reset)
617 {
618 g_IsInterpreterOnString = FALSE;
619 g_IsInterpreterPreviousCharacterABackSlash = FALSE;
620 g_InterpreterCountOfOpenCurlyBrackets = 0;
621 }
622
623 CurrentCommandLen = (UINT32)CurrentCommandStr.length();
624
625 for (size_t i = 0; i < CurrentCommandLen; i++)
626 {
627 switch (CurrentCommandStr.at(i))
628 {
629 case '"':
630
631 if (g_IsInterpreterPreviousCharacterABackSlash)
632 {
633 g_IsInterpreterPreviousCharacterABackSlash = FALSE;
634 break; // it's an escaped \" double-quote
635 }
636
637 if (g_IsInterpreterOnString)
638 g_IsInterpreterOnString = FALSE;
639 else
640 g_IsInterpreterOnString = TRUE;
641
642 break;
643
644 case '{':
645
646 if (g_IsInterpreterPreviousCharacterABackSlash)
647 g_IsInterpreterPreviousCharacterABackSlash = FALSE;
648
649 if (!g_IsInterpreterOnString)
650 g_InterpreterCountOfOpenCurlyBrackets++;
651
652 break;
653
654 case '}':
655
656 if (g_IsInterpreterPreviousCharacterABackSlash)
657 g_IsInterpreterPreviousCharacterABackSlash = FALSE;
658
659 if (!g_IsInterpreterOnString && g_InterpreterCountOfOpenCurlyBrackets > 0)
660 g_InterpreterCountOfOpenCurlyBrackets--;
661
662 break;
663
664 case '\\':
665
666 if (g_IsInterpreterPreviousCharacterABackSlash)
667 g_IsInterpreterPreviousCharacterABackSlash = FALSE; // it's not a escape character (two backslashes \\ )
668 else
669 g_IsInterpreterPreviousCharacterABackSlash = TRUE;
670
671 break;
672
673 default:
674
675 if (g_IsInterpreterPreviousCharacterABackSlash)
676 g_IsInterpreterPreviousCharacterABackSlash = FALSE;
677
678 break;
679 }
680 }
681
682 if (g_IsInterpreterOnString == FALSE && g_InterpreterCountOfOpenCurlyBrackets == 0)
683 {
684 //
685 // either the command is finished or it's a single
686 // line command
687 //
688 return FALSE;
689 }
690 else
691 {
692 //
693 // There still other lines, this command is incomplete
694 //
695 return TRUE;
696 }
697}
TRUE
#define TRUE
Definition BasicTypes.h:55
FALSE
#define FALSE
Definition BasicTypes.h:54
UINT32
unsigned int UINT32
Definition BasicTypes.h:48
g_InterpreterCountOfOpenCurlyBrackets
UINT32 g_InterpreterCountOfOpenCurlyBrackets
Keeps the trace of curly brackets in the interpreter.
Definition globals.h:47
g_IsInterpreterPreviousCharacterABackSlash
BOOLEAN g_IsInterpreterPreviousCharacterABackSlash
Is interpreter encountered a back slash at previous run.
Definition globals.h:42
g_IsInterpreterOnString
BOOLEAN g_IsInterpreterOnString
shows whether the interpreter is currently on a string or not
Definition globals.h:37

◆ CommandAssemble()

VOID CommandAssemble ( vector< string > SplitCommand,
string Command )

a and !a commands handler

Parameters
SplitCommand
Command
Returns
VOID
183{
184 DEBUGGER_EDIT_MEMORY_TYPE MemoryType {};
185 _CMD CMD {};
186 UINT64 Address {};
187 UINT64 StartAddress {};
188 UINT32 ProcId = 0;
189
190 CMD = ParseUserCmd(Command);
191
192 if (CMD.isEmpty())
193 {
194 //
195 // Error messeges are already printed
196 //
197 return;
198 }
199
200 if (!CMD.ProcIdStr.empty())
201 {
202 if (!ConvertStringToUInt32(CMD.ProcIdStr, &ProcId))
203 {
204 ShowMessages("please specify a correct hex process id\n\n");
205 CommandAssembleHelp();
206 return;
207 }
208 }
209
210 if (g_ActiveProcessDebuggingState.IsActive)
211 {
212 ProcId = g_ActiveProcessDebuggingState.ProcessId;
213 }
214
215 if (CMD.AsmSnippet.empty())
216 {
217 ShowMessages("no assembly snippet provided\n");
218 CommandAssembleHelp();
219 return;
220 }
221 else if (CMD.CommandStr == "a")
222 {
223 MemoryType = EDIT_VIRTUAL_MEMORY;
224 }
225 else if (CMD.CommandStr == "!a")
226 {
227 MemoryType = EDIT_PHYSICAL_MEMORY;
228 }
229 else
230 {
231 ShowMessages("unknown assemble command\n\n");
232 CommandAssembleHelp();
233 return;
234 }
235
236 //
237 // Fetching start_address i.e. address to assemble to
238 //
239 if (!CMD.AddressStr.empty()) // was any address provided to assemble to?
240 {
241 if (!SymbolConvertNameOrExprToAddress(CMD.AddressStr, &Address))
242 {
243 ShowMessages("err, couldn't resolve Address at '%s'\n\n",
244 CMD.AddressStr.c_str());
245 CommandAssembleHelp();
246 return;
247 }
248 }
249 else if (!CMD.StartAddressStr.empty()) // was a custom start_address provided?
250 {
251 if (!SymbolConvertNameOrExprToAddress(CMD.StartAddressStr, &StartAddress))
252 {
253 ShowMessages("err, couldn't resolve Address at '%s'\n\n",
254 CMD.StartAddressStr.c_str());
255 CommandAssembleHelp();
256 return;
257 }
258 Address = StartAddress;
259 }
260 else
261 {
262 ShowMessages("warning, no start address provided to calculate relative asm commands\n\n");
263 }
264
265 AssembleData AssembleData;
266 AssembleData.AsmRaw = CMD.AsmSnippet; // third element
267 AssembleData.ParseAssemblyData();
268
269 if (AssembleData.Assemble(Address))
270 {
271 ShowMessages("err, code: '%u'\n\n", AssembleData.KsErr);
272 CommandAssembleHelp();
273 return;
274 }
275
276 if (ProcId == 0)
277 {
278 ProcId = GetCurrentProcessId();
279 }
280
281 if (Address) // was the user only trying to get the bytes?
282 {
283 if (HyperDbgWriteMemory(
284 (PVOID)Address,
285 MemoryType,
286 ProcId,
287 (PVOID)AssembleData.EncodedBytes,
288 (UINT32)AssembleData.BytesCount))
289 {
290 ShowMessages("successfully assembled at 0x%016llx address\n", static_cast<UINT64>(Address));
291 }
292 else
293 {
294 ShowMessages("failed to write generated assembly to memory\n");
295 }
296 }
297}
UINT64
unsigned __int64 UINT64
Definition BasicTypes.h:21
Address
UINT64 Address
Definition HyperDbgScriptImports.h:67
EDIT_PHYSICAL_MEMORY
@ EDIT_PHYSICAL_MEMORY
Definition RequestStructures.h:463
EDIT_VIRTUAL_MEMORY
@ EDIT_VIRTUAL_MEMORY
Definition RequestStructures.h:462
DEBUGGER_EDIT_MEMORY_TYPE
enum _DEBUGGER_EDIT_MEMORY_TYPE DEBUGGER_EDIT_MEMORY_TYPE
different type of addresses for editing memory
ParseUserCmd
_CMD ParseUserCmd(const std::string &command)
Definition a.cpp:66
CommandAssembleHelp
VOID CommandAssembleHelp()
help of a and !a command
Definition a.cpp:43
g_ActiveProcessDebuggingState
ACTIVE_DEBUGGING_PROCESS g_ActiveProcessDebuggingState
State of active debugging thread.
Definition globals.h:362
_CMD
Definition a.cpp:17
AssembleData
Definition assembler.h:16
AssembleData::ParseAssemblyData
VOID ParseAssemblyData()
tries to solve the symbol issue with Keystone, which apparently originates from LLVM-MC.
Definition assembler.cpp:20
AssembleData::BytesCount
size_t BytesCount
Definition assembler.h:21
AssembleData::KsErr
ks_err KsErr
Definition assembler.h:24
AssembleData::EncodedBytes
unsigned char * EncodedBytes
Definition assembler.h:22
AssembleData::Assemble
INT Assemble(UINT64 StartAddr, ks_arch Arch=KS_ARCH_X86, INT Mode=KS_MODE_64, INT Syntax=KS_OPT_SYNTAX_INTEL)
Definition assembler.cpp:119
AssembleData::AsmRaw
std::string AsmRaw
Definition assembler.h:18
ConvertStringToUInt32
BOOLEAN ConvertStringToUInt32(string TextToConvert, PUINT32 Result)
check and convert string to a 32 bit unsigned it and also check for special notations like 0x etc.
Definition common.cpp:347
HyperDbgWriteMemory
BOOLEAN HyperDbgWriteMemory(PVOID DestinationAddress, DEBUGGER_EDIT_MEMORY_TYPE MemoryType, UINT32 ProcessId, PVOID SourceAddress, UINT32 NumberOfBytes)
API function for writing the memory content.
Definition e.cpp:193
ShowMessages
VOID ShowMessages(const char *Fmt,...)
Show messages.
Definition libhyperdbg.cpp:96
_ACTIVE_DEBUGGING_PROCESS::ProcessId
UINT32 ProcessId
Definition ud.h:51
_ACTIVE_DEBUGGING_PROCESS::IsActive
BOOLEAN IsActive
Definition ud.h:49
SymbolConvertNameOrExprToAddress
BOOLEAN SymbolConvertNameOrExprToAddress(const string &TextToConvert, PUINT64 Result)
check and convert string to a 64 bit unsigned integer and also check for symbol object names and eval...
Definition symbol.cpp:360

◆ CommandAttach()

VOID CommandAttach ( vector< string > SplitCommand,
string Command )

.attach command handler

Parameters
SplitCommand
Command
Returns
VOID
45{
46 UINT32 TargetPid = 0;
47 BOOLEAN NextIsPid = FALSE;
48
49 //
50 // Disable user-mode debugger in this version
51 //
52#if ActivateUserModeDebugger == FALSE
53
54 if (!g_IsSerialConnectedToRemoteDebugger)
55 {
56 ShowMessages("the user-mode debugger in VMI Mode is still in the beta version and not stable. "
57 "we decided to exclude it from this release and release it in future versions. "
58 "if you want to test the user-mode debugger in VMI Mode, you should build "
59 "HyperDbg with special instructions. But attaching/switching to other processes\n"
60 "are fully supported in the Debugger Mode.\n"
61 "(it's not recommended to use it in VMI Mode yet!)\n");
62 return;
63 }
64
65#endif // !ActivateUserModeDebugger
66
67 //
68 // It's a attach to a target PID
69 //
70 if (SplitCommand.size() >= 4)
71 {
72 ShowMessages("incorrect use of the '.attach'\n\n");
73 CommandAttachHelp();
74 return;
75 }
76
77 //
78 // .attach and .detach commands are only supported in VMI Mode
79 //
80 if (g_IsSerialConnectedToRemoteDebuggee)
81 {
82 ShowMessages("err, '.attach', and '.detach' commands are only usable "
83 "in VMI Mode, you can use the '.process', or the '.thread' "
84 "in Debugger Mode\n");
85 return;
86 }
87
88 for (auto item : SplitCommand)
89 {
90 //
91 // Find out whether the user enters pid or not
92 //
93 if (NextIsPid)
94 {
95 NextIsPid = FALSE;
96
97 if (!ConvertStringToUInt32(item, &TargetPid))
98 {
99 ShowMessages("please specify a correct hex value for process id\n\n");
100 CommandAttachHelp();
101 return;
102 }
103 }
104 else if (!item.compare("pid"))
105 {
106 //
107 // next item is a pid for the process
108 //
109 NextIsPid = TRUE;
110 }
111 }
112
113 //
114 // Check if the process id is empty or not
115 //
116 if (TargetPid == 0)
117 {
118 ShowMessages("please specify a hex value for process id\n\n");
119 CommandAttachHelp();
120 return;
121 }
122
123 //
124 // Perform attach to target process
125 //
126 UdAttachToProcess(TargetPid, NULL, NULL, FALSE);
127}
BOOLEAN
UCHAR BOOLEAN
Definition BasicTypes.h:39
g_IsSerialConnectedToRemoteDebugger
BOOLEAN g_IsSerialConnectedToRemoteDebugger
Shows if the debugger was connected to remote debugger (A remote host)
Definition globals.h:238
CommandAttachHelp
VOID CommandAttachHelp()
help of the .attach command
Definition attach.cpp:26
g_IsSerialConnectedToRemoteDebuggee
BOOLEAN g_IsSerialConnectedToRemoteDebuggee
Shows if the debugger was connected to remote debuggee over (A remote guest)
Definition globals.h:231
UdAttachToProcess
BOOLEAN UdAttachToProcess(UINT32 TargetPid, const WCHAR *TargetFileAddress, const WCHAR *CommandLine, BOOLEAN RunCallbackAtTheFirstInstruction)
Attach to target process.
Definition ud.cpp:349

◆ CommandBc()

VOID CommandBc ( vector< string > SplitCommand,
string Command )

handler of bc command

Parameters
SplitCommand
Command
Returns
VOID
45{
46 UINT64 BreakpointId;
47 DEBUGGEE_BP_LIST_OR_MODIFY_PACKET Request = {0};
48
49 //
50 // Validate the commands
51 //
52 if (SplitCommand.size() != 2)
53 {
54 ShowMessages("incorrect use of the 'bc'\n\n");
55 CommandBcHelp();
56 return;
57 }
58
59 //
60 // Get the breakpoint id
61 //
62 if (!ConvertStringToUInt64(SplitCommand.at(1), &BreakpointId))
63 {
64 ShowMessages("please specify a correct hex value for breakpoint id\n\n");
65 CommandBcHelp();
66
67 return;
68 }
69
70 //
71 // Check if the remote serial debuggee is paused or not (connected or not)
72 //
73 if (g_IsSerialConnectedToRemoteDebuggee)
74 {
75 //
76 // Perform clearing breakpoint
77 //
78 Request.Request = DEBUGGEE_BREAKPOINT_MODIFICATION_REQUEST_CLEAR;
79
80 //
81 // Set breakpoint id
82 //
83 Request.BreakpointId = BreakpointId;
84
85 //
86 // Send the request
87 //
88 KdSendListOrModifyPacketToDebuggee(&Request);
89 }
90 else
91 {
92 ShowMessages("err, clearing breakpoints is only valid if you connected to "
93 "a debuggee in debugger-mode\n");
94 }
95}
DEBUGGEE_BREAKPOINT_MODIFICATION_REQUEST_CLEAR
@ DEBUGGEE_BREAKPOINT_MODIFICATION_REQUEST_CLEAR
Definition RequestStructures.h:1081
CommandBcHelp
VOID CommandBcHelp()
help of the bc command
Definition bc.cpp:25
g_IsSerialConnectedToRemoteDebuggee
BOOLEAN g_IsSerialConnectedToRemoteDebuggee
Shows if the debugger was connected to remote debuggee over (A remote guest)
Definition globals.h:231
ConvertStringToUInt64
BOOLEAN ConvertStringToUInt64(string TextToConvert, PUINT64 Result)
check and convert string to a 64 bit unsigned integer and also check for special notations like 0x,...
Definition common.cpp:240
KdSendListOrModifyPacketToDebuggee
BOOLEAN KdSendListOrModifyPacketToDebuggee(PDEBUGGEE_BP_LIST_OR_MODIFY_PACKET ListOrModifyPacket)
Sends a breakpoint list or modification packet to the debuggee.
Definition kd.cpp:1023
_DEBUGGEE_BP_LIST_OR_MODIFY_PACKET
The structure of breakpoint modification requests packet in HyperDbg.
Definition RequestStructures.h:1090
_DEBUGGEE_BP_LIST_OR_MODIFY_PACKET::BreakpointId
UINT64 BreakpointId
Definition RequestStructures.h:1091
_DEBUGGEE_BP_LIST_OR_MODIFY_PACKET::Request
DEBUGGEE_BREAKPOINT_MODIFICATION_REQUEST Request
Definition RequestStructures.h:1092

◆ CommandBd()

VOID CommandBd ( vector< string > SplitCommand,
string Command )

handler of bd command

Parameters
SplitCommand
Command
Returns
VOID
45{
46 UINT64 BreakpointId;
47 DEBUGGEE_BP_LIST_OR_MODIFY_PACKET Request = {0};
48
49 //
50 // Validate the commands
51 //
52 if (SplitCommand.size() != 2)
53 {
54 ShowMessages("incorrect use of the 'bd'\n\n");
55 CommandBdHelp();
56 return;
57 }
58
59 //
60 // Get the breakpoint id
61 //
62 if (!ConvertStringToUInt64(SplitCommand.at(1), &BreakpointId))
63 {
64 ShowMessages("please specify a correct hex value for breakpoint id\n\n");
65 CommandBdHelp();
66
67 return;
68 }
69
70 //
71 // Check if the remote serial debuggee is paused or not (connected or not)
72 //
73 if (g_IsSerialConnectedToRemoteDebuggee)
74 {
75 //
76 // Perform disabling breakpoint
77 //
78 Request.Request = DEBUGGEE_BREAKPOINT_MODIFICATION_REQUEST_DISABLE;
79
80 //
81 // Set breakpoint id
82 //
83 Request.BreakpointId = BreakpointId;
84
85 //
86 // Send the request
87 //
88 KdSendListOrModifyPacketToDebuggee(&Request);
89 }
90 else
91 {
92 ShowMessages("err, disabling breakpoints is only valid if you connected to "
93 "a debuggee in debugger-mode\n");
94 }
95}
DEBUGGEE_BREAKPOINT_MODIFICATION_REQUEST_DISABLE
@ DEBUGGEE_BREAKPOINT_MODIFICATION_REQUEST_DISABLE
Definition RequestStructures.h:1080
CommandBdHelp
VOID CommandBdHelp()
help of the bd command
Definition bd.cpp:25
g_IsSerialConnectedToRemoteDebuggee
BOOLEAN g_IsSerialConnectedToRemoteDebuggee
Shows if the debugger was connected to remote debuggee over (A remote guest)
Definition globals.h:231

◆ CommandBe()

VOID CommandBe ( vector< string > SplitCommand,
string Command )

handler of be command

Parameters
SplitCommand
Command
Returns
VOID
45{
46 UINT64 BreakpointId;
47 DEBUGGEE_BP_LIST_OR_MODIFY_PACKET Request = {0};
48
49 //
50 // Validate the commands
51 //
52 if (SplitCommand.size() != 2)
53 {
54 ShowMessages("incorrect use of the 'be'\n\n");
55 CommandBeHelp();
56 return;
57 }
58
59 //
60 // Get the breakpoint id
61 //
62 if (!ConvertStringToUInt64(SplitCommand.at(1), &BreakpointId))
63 {
64 ShowMessages("please specify a correct hex value for breakpoint id\n\n");
65 CommandBeHelp();
66
67 return;
68 }
69
70 //
71 // Check if the remote serial debuggee is paused or not (connected or not)
72 //
73 if (g_IsSerialConnectedToRemoteDebuggee)
74 {
75 //
76 // Perform enabling breakpoint
77 //
78 Request.Request = DEBUGGEE_BREAKPOINT_MODIFICATION_REQUEST_ENABLE;
79
80 //
81 // Set breakpoint id
82 //
83 Request.BreakpointId = BreakpointId;
84
85 //
86 // Send the request
87 //
88 KdSendListOrModifyPacketToDebuggee(&Request);
89 }
90 else
91 {
92 ShowMessages("err, enabling breakpoints is only valid if you connected to "
93 "a debuggee in debugger-mode\n");
94 }
95}
DEBUGGEE_BREAKPOINT_MODIFICATION_REQUEST_ENABLE
@ DEBUGGEE_BREAKPOINT_MODIFICATION_REQUEST_ENABLE
Definition RequestStructures.h:1079
CommandBeHelp
VOID CommandBeHelp()
help of the be command
Definition be.cpp:25
g_IsSerialConnectedToRemoteDebuggee
BOOLEAN g_IsSerialConnectedToRemoteDebuggee
Shows if the debugger was connected to remote debuggee over (A remote guest)
Definition globals.h:231

◆ CommandBl()

VOID CommandBl ( vector< string > SplitCommand,
string Command )

handler of the bl command

Parameters
SplitCommand
Command
Returns
VOID
41{
42 DEBUGGEE_BP_LIST_OR_MODIFY_PACKET Request = {0};
43
44 //
45 // Validate the commands
46 //
47 if (SplitCommand.size() != 1)
48 {
49 ShowMessages("incorrect use of the 'bl'\n\n");
50 CommandBlHelp();
51 return;
52 }
53
54 //
55 // Check if the remote serial debuggee is paused or not (connected or not)
56 //
57 if (g_IsSerialConnectedToRemoteDebuggee)
58 {
59 //
60 // Perform listing breakpoint
61 //
62 Request.Request = DEBUGGEE_BREAKPOINT_MODIFICATION_REQUEST_LIST_BREAKPOINTS;
63
64 //
65 // Send the request
66 //
67 KdSendListOrModifyPacketToDebuggee(&Request);
68 ShowMessages("\n");
69 }
70 else
71 {
72 ShowMessages("err, listing breakpoints is only valid if you connected to "
73 "a debuggee in debugger-mode\n");
74 }
75}
DEBUGGEE_BREAKPOINT_MODIFICATION_REQUEST_LIST_BREAKPOINTS
@ DEBUGGEE_BREAKPOINT_MODIFICATION_REQUEST_LIST_BREAKPOINTS
Definition RequestStructures.h:1078
g_IsSerialConnectedToRemoteDebuggee
BOOLEAN g_IsSerialConnectedToRemoteDebuggee
Shows if the debugger was connected to remote debuggee over (A remote guest)
Definition globals.h:231
CommandBlHelp
VOID CommandBlHelp()
help of the bl command
Definition bl.cpp:25

◆ CommandBp()

VOID CommandBp ( vector< string > SplitCommand,
string Command )

bp command handler

Parameters
SplitCommand
Command
Returns
VOID
84{
85 BOOL IsNextCoreId = FALSE;
86 BOOL IsNextPid = FALSE;
87 BOOL IsNextTid = FALSE;
88
89 BOOLEAN SetCoreId = FALSE;
90 BOOLEAN SetPid = FALSE;
91 BOOLEAN SetTid = FALSE;
92 BOOLEAN SetAddress = FALSE;
93
94 UINT32 Tid = DEBUGGEE_BP_APPLY_TO_ALL_THREADS;
95 UINT32 Pid = DEBUGGEE_BP_APPLY_TO_ALL_PROCESSES;
96 UINT32 CoreNumer = DEBUGGEE_BP_APPLY_TO_ALL_CORES;
97 UINT64 Address = NULL;
98 vector<string> SplitCommandCaseSensitive {Split(Command, ' ')};
99 UINT32 IndexInCommandCaseSensitive = 0;
100 BOOLEAN IsFirstCommand = TRUE;
101
102 if (SplitCommand.size() >= 9)
103 {
104 ShowMessages("incorrect use of the 'bp'\n\n");
105 CommandBpHelp();
106 return;
107 }
108
109 for (auto Section : SplitCommand)
110 {
111 IndexInCommandCaseSensitive++;
112
113 //
114 // Ignore the first argument as it's the command string itself (bp)
115 //
116 if (IsFirstCommand == TRUE)
117 {
118 IsFirstCommand = FALSE;
119 continue;
120 }
121
122 if (IsNextCoreId)
123 {
124 if (!ConvertStringToUInt32(Section, &CoreNumer))
125 {
126 ShowMessages("please specify a correct hex value for core id\n\n");
127 CommandBpHelp();
128 return;
129 }
130 IsNextCoreId = FALSE;
131 continue;
132 }
133 if (IsNextPid)
134 {
135 if (!ConvertStringToUInt32(Section, &Pid))
136 {
137 ShowMessages("please specify a correct hex value for process id\n\n");
138 CommandBpHelp();
139 return;
140 }
141 IsNextPid = FALSE;
142 continue;
143 }
144
145 if (IsNextTid)
146 {
147 if (!ConvertStringToUInt32(Section, &Tid))
148 {
149 ShowMessages("please specify a correct hex value for thread id\n\n");
150 CommandBpHelp();
151 return;
152 }
153 IsNextTid = FALSE;
154 continue;
155 }
156
157 if (!Section.compare("pid"))
158 {
159 IsNextPid = TRUE;
160 continue;
161 }
162 if (!Section.compare("tid"))
163 {
164 IsNextTid = TRUE;
165 continue;
166 }
167 if (!Section.compare("core"))
168 {
169 IsNextCoreId = TRUE;
170 continue;
171 }
172
173 if (!SetAddress)
174 {
175 if (!SymbolConvertNameOrExprToAddress(SplitCommandCaseSensitive.at(IndexInCommandCaseSensitive - 1), &Address))
176 {
177 //
178 // Couldn't resolve or unknown parameter
179 //
180 ShowMessages("err, couldn't resolve error at '%s'\n\n",
181 SplitCommandCaseSensitive.at(IndexInCommandCaseSensitive - 1).c_str());
182 CommandBpHelp();
183 return;
184 }
185 else
186 {
187 //
188 // Means that address is received
189 //
190 SetAddress = TRUE;
191 continue;
192 }
193 }
194 }
195
196 //
197 // Check if address is set or not
198 //
199 if (!SetAddress)
200 {
201 ShowMessages(
202 "please specify a correct hex value as the breakpoint address\n\n");
203 CommandBpHelp();
204 return;
205 }
206 if (IsNextPid)
207 {
208 ShowMessages("please specify a correct hex value for process id\n\n");
209 CommandBpHelp();
210 return;
211 }
212 if (IsNextCoreId)
213 {
214 ShowMessages("please specify a correct hex value for core\n\n");
215 CommandBpHelp();
216 return;
217 }
218 if (IsNextTid)
219 {
220 ShowMessages("please specify a correct hex value for thread id\n\n");
221 CommandBpHelp();
222 return;
223 }
224
225 if (!g_IsSerialConnectedToRemoteDebuggee)
226 {
227 ShowMessages("err, setting breakpoints is not possible when you're not "
228 "connected to a debuggee\n");
229 return;
230 }
231
232 //
233 // Request breakpoint the bp packet
234 //
235 CommandBpRequest(Address, Pid, Tid, CoreNumer);
236}
BOOL
int BOOL
Definition BasicTypes.h:23
DEBUGGEE_BP_APPLY_TO_ALL_PROCESSES
#define DEBUGGEE_BP_APPLY_TO_ALL_PROCESSES
The constant to apply to all processes for bp command.
Definition Constants.h:653
DEBUGGEE_BP_APPLY_TO_ALL_THREADS
#define DEBUGGEE_BP_APPLY_TO_ALL_THREADS
The constant to apply to all threads for bp command.
Definition Constants.h:659
DEBUGGEE_BP_APPLY_TO_ALL_CORES
#define DEBUGGEE_BP_APPLY_TO_ALL_CORES
The constant to apply to all cores for bp command.
Definition Constants.h:647
CommandBpRequest
VOID CommandBpRequest(UINT64 Address, UINT32 Pid, UINT32 Tid, UINT32 CoreNumer)
request breakpoint
Definition bp.cpp:57
g_IsSerialConnectedToRemoteDebuggee
BOOLEAN g_IsSerialConnectedToRemoteDebuggee
Shows if the debugger was connected to remote debuggee over (A remote guest)
Definition globals.h:231
CommandBpHelp
VOID CommandBpHelp()
help of the bp command
Definition bp.cpp:25
Split
const vector< string > Split(const string &s, const char &c)
general split command
Definition common.cpp:117
test-case-generator.NULL
NULL()
Definition test-case-generator.py:530

◆ CommandClearScreen()

VOID CommandClearScreen ( vector< string > SplitCommand,
string Command )

.cls command handler

Parameters
SplitCommand
Command
Returns
VOID
36{
37 system("cls");
38}

◆ CommandConnect()

VOID CommandConnect ( vector< string > SplitCommand,
string Command )

.connect command handler

Parameters
SplitCommand
Command
Returns
VOID
107{
108 string ip;
109 string port;
110
111 if (g_IsConnectedToHyperDbgLocally || g_IsConnectedToRemoteDebuggee ||
112 g_IsConnectedToRemoteDebugger)
113 {
114 ShowMessages("you're connected to a debugger, please use '.disconnect' "
115 "command\n");
116 return;
117 }
118
119 if (g_IsSerialConnectedToRemoteDebuggee ||
120 g_IsSerialConnectedToRemoteDebugger)
121 {
122 ShowMessages("you're connected to a an instance of HyperDbg, please use "
123 "'.debug close' command\n");
124 return;
125 }
126
127 if (SplitCommand.size() == 1)
128 {
129 //
130 // Means that user entered just a connect so we have to
131 // ask to connect to what ?
132 //
133 ShowMessages("incorrect use of the '.connect'\n\n");
134 CommandConnectHelp();
135 return;
136 }
137 else if (SplitCommand.at(1) == "local" && SplitCommand.size() == 2)
138 {
139 //
140 // connect to local debugger
141 //
142 ShowMessages("local debugging (vmi-mode)\n");
143 ConnectLocalDebugger();
144 return;
145 }
146 else if (SplitCommand.size() == 3 || SplitCommand.size() == 2)
147 {
148 ip = SplitCommand.at(1);
149
150 if (SplitCommand.size() == 3)
151 {
152 port = SplitCommand.at(2);
153 }
154
155 //
156 // means that probably wants to connect to a remote
157 // system, let's first check the if the parameters are
158 // valid
159 //
160 if (!ValidateIP(ip))
161 {
162 ShowMessages("incorrect ip address\n");
163 return;
164 }
165
166 if (SplitCommand.size() == 3)
167 {
168 if (!IsNumber(port) || stoi(port) > 65535 || stoi(port) < 0)
169 {
170 ShowMessages("incorrect port\n");
171 return;
172 }
173
174 //
175 // connect to remote debugger
176 //
177 ConnectRemoteDebugger(ip.c_str(), port.c_str());
178 }
179 else
180 {
181 //
182 // connect to remote debugger (default port)
183 //
184 ConnectRemoteDebugger(ip.c_str(), NULL);
185 }
186 }
187 else
188 {
189 ShowMessages("incorrect use of the '.connect'\n\n");
190 CommandConnectHelp();
191 return;
192 }
193}
IsNumber
BOOLEAN IsNumber(const string &str)
check if given string is a numeric string or not
Definition common.cpp:145
ValidateIP
BOOLEAN ValidateIP(const string &ip)
Function to validate an IP address.
Definition common.cpp:469
g_IsSerialConnectedToRemoteDebugger
BOOLEAN g_IsSerialConnectedToRemoteDebugger
Shows if the debugger was connected to remote debugger (A remote host)
Definition globals.h:238
g_IsConnectedToRemoteDebuggee
BOOLEAN g_IsConnectedToRemoteDebuggee
Shows whether the current debugger is the host and connected to a remote debuggee (guest)
Definition globals.h:74
ConnectLocalDebugger
VOID ConnectLocalDebugger()
Connect to local debugger.
Definition connect.cpp:50
CommandConnectHelp
VOID CommandConnectHelp()
help of the .connect command
Definition connect.cpp:31
ConnectRemoteDebugger
BOOLEAN ConnectRemoteDebugger(const CHAR *Ip, const CHAR *Port)
Connect to remote debugger.
Definition connect.cpp:61
g_IsConnectedToRemoteDebugger
BOOLEAN g_IsConnectedToRemoteDebugger
Shows whether the current system is a guest (debuggee) and a remote debugger is connected to this sys...
Definition globals.h:81
g_IsSerialConnectedToRemoteDebuggee
BOOLEAN g_IsSerialConnectedToRemoteDebuggee
Shows if the debugger was connected to remote debuggee over (A remote guest)
Definition globals.h:231
g_IsConnectedToHyperDbgLocally
BOOLEAN g_IsConnectedToHyperDbgLocally
Shows whether the user is allowed to use 'load' command to load modules locally in VMI (virtual machi...
Definition globals.h:67

◆ CommandCore()

VOID CommandCore ( vector< string > SplitCommand,
string Command )

~ command handler

Parameters
SplitCommand
Command
Returns
VOID
47{
48 UINT32 TargetCore = 0;
49
50 if (SplitCommand.size() != 1 && SplitCommand.size() != 2)
51 {
52 ShowMessages("incorrect use of the '~'\n\n");
53 CommandCoreHelp();
54 return;
55 }
56
57 //
58 // Check if it's connected to a remote debuggee or not
59 //
60 if (!g_IsSerialConnectedToRemoteDebuggee)
61 {
62 ShowMessages("err, you're not connected to any debuggee\n");
63 return;
64 }
65
66 if (SplitCommand.size() == 1)
67 {
68 ShowMessages("current processor : 0x%x\n", g_CurrentRemoteCore);
69 }
70 else if (SplitCommand.size() == 2)
71 {
72 if (!ConvertStringToUInt32(SplitCommand.at(1), &TargetCore))
73 {
74 ShowMessages("please specify a correct hex value for the core that you "
75 "want to operate on it\n\n");
76 CommandCoreHelp();
77 return;
78 }
79
80 //
81 // Send the changing core packet
82 //
83 KdSendSwitchCorePacketToDebuggee(TargetCore);
84 }
85}
g_CurrentRemoteCore
ULONG g_CurrentRemoteCore
Current core that the debuggee is debugging.
Definition globals.h:263
CommandCoreHelp
VOID CommandCoreHelp()
help of the ~ command
Definition core.cpp:26
g_IsSerialConnectedToRemoteDebuggee
BOOLEAN g_IsSerialConnectedToRemoteDebuggee
Shows if the debugger was connected to remote debuggee over (A remote guest)
Definition globals.h:231
KdSendSwitchCorePacketToDebuggee
BOOLEAN KdSendSwitchCorePacketToDebuggee(UINT32 NewCore)
Sends a change core or '~ x' command packet to the debuggee.
Definition kd.cpp:181

◆ CommandCpu()

VOID CommandCpu ( vector< string > SplitCommand,
string Command )

cpu command handler

Parameters
SplitCommand
Command
Returns
VOID
36{
37 if (SplitCommand.size() != 1)
38 {
39 ShowMessages("incorrect use of the 'cpu'\n\n");
40 CommandCpuHelp();
41 return;
42 }
43 ReadCpuDetails();
44}
ReadCpuDetails
int ReadCpuDetails()
Print out supported instruction set extensions.
Definition cpu.cpp:261
CommandCpuHelp
VOID CommandCpuHelp()
help of the cpu command
Definition cpu.cpp:20

◆ CommandCpuid()

VOID CommandCpuid ( vector< string > SplitCommand,
string Command )

!cpuid command handler

Parameters
SplitCommand
Command
Returns
VOID
48{
49 PDEBUGGER_GENERAL_EVENT_DETAIL Event = NULL;
50 PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger = NULL;
51 PDEBUGGER_GENERAL_ACTION ActionCustomCode = NULL;
52 PDEBUGGER_GENERAL_ACTION ActionScript = NULL;
53 BOOLEAN GetEax = FALSE;
54 UINT32 EventLength;
55 UINT64 SpecialTarget = 0;
56 UINT32 ActionBreakToDebuggerLength = 0;
57 UINT32 ActionCustomCodeLength = 0;
58 UINT32 ActionScriptLength = 0;
59 vector<string> SplitCommandCaseSensitive {Split(Command, ' ')};
60 DEBUGGER_EVENT_PARSING_ERROR_CAUSE EventParsingErrorCause;
61
62 //
63 // Interpret and fill the general event and action fields
64 //
65 //
66 if (!InterpretGeneralEventAndActionsFields(
67 &SplitCommand,
68 &SplitCommandCaseSensitive,
69 CPUID_INSTRUCTION_EXECUTION,
70 &Event,
71 &EventLength,
72 &ActionBreakToDebugger,
73 &ActionBreakToDebuggerLength,
74 &ActionCustomCode,
75 &ActionCustomCodeLength,
76 &ActionScript,
77 &ActionScriptLength,
78 &EventParsingErrorCause))
79 {
80 return;
81 }
82
83 //
84 // Interpret command specific details (if any), of CPUID EAX index
85 //
86 for (auto Section : SplitCommand)
87 {
88 if (!Section.compare("!cpuid"))
89 {
90 continue;
91 }
92 else if (!GetEax)
93 {
94 //
95 // It's probably an msr
96 //
97 if (!ConvertStringToUInt64(Section, &SpecialTarget))
98 {
99 //
100 // Unknown parameter
101 //
102 ShowMessages("unknown parameter '%s'\n\n", Section.c_str());
103 CommandCpuidHelp();
104
105 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
106 return;
107 }
108 else
109 {
110 //
111 // An special EAX is set
112 //
113 GetEax = TRUE;
114 }
115 }
116 else
117 {
118 //
119 // Unknown parameter
120 //
121 ShowMessages("unknown parameter '%s'\n\n", Section.c_str());
122 CommandCpuidHelp();
123
124 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
125 return;
126 }
127 }
128
129 //
130 // Set the target EAX (if not specific then it means all msrs)
131 //
132 Event->Options.OptionalParam1 = GetEax;
133
134 if (GetEax)
135 {
136 Event->Options.OptionalParam2 = SpecialTarget;
137 }
138
139 //
140 // Send the ioctl to the kernel for event registration
141 //
142 if (!SendEventToKernel(Event, EventLength))
143 {
144 //
145 // There was an error, probably the handle was not initialized
146 // we have to free the Action before exit, it is because, we
147 // already freed the Event and string buffers
148 //
149
150 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
151 return;
152 }
153
154 //
155 // Add the event to the kernel
156 //
157 if (!RegisterActionToEvent(Event,
158 ActionBreakToDebugger,
159 ActionBreakToDebuggerLength,
160 ActionCustomCode,
161 ActionCustomCodeLength,
162 ActionScript,
163 ActionScriptLength))
164 {
165 //
166 // There was an error
167 //
168 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
169 return;
170 }
171}
CommandCpuidHelp
VOID CommandCpuidHelp()
help of the !cpuid command
Definition cpuid.cpp:20
FreeEventsAndActionsMemory
VOID FreeEventsAndActionsMemory(PDEBUGGER_GENERAL_EVENT_DETAIL Event, PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger, PDEBUGGER_GENERAL_ACTION ActionCustomCode, PDEBUGGER_GENERAL_ACTION ActionScript)
Deallocate buffers relating to events and actions.
Definition debugger.cpp:2292
InterpretGeneralEventAndActionsFields
BOOLEAN InterpretGeneralEventAndActionsFields(vector< string > *SplitCommand, vector< string > *SplitCommandCaseSensitive, VMM_EVENT_TYPE_ENUM EventType, PDEBUGGER_GENERAL_EVENT_DETAIL *EventDetailsToFill, PUINT32 EventBufferLength, PDEBUGGER_GENERAL_ACTION *ActionDetailsToFillBreakToDebugger, PUINT32 ActionBufferLengthBreakToDebugger, PDEBUGGER_GENERAL_ACTION *ActionDetailsToFillCustomCode, PUINT32 ActionBufferLengthCustomCode, PDEBUGGER_GENERAL_ACTION *ActionDetailsToFillScript, PUINT32 ActionBufferLengthScript, PDEBUGGER_EVENT_PARSING_ERROR_CAUSE ReasonForErrorInParsing)
Interpret general event fields.
Definition debugger.cpp:2342
SendEventToKernel
BOOLEAN SendEventToKernel(PDEBUGGER_GENERAL_EVENT_DETAIL Event, UINT32 EventBufferLength)
Register the event to the kernel.
Definition debugger.cpp:1969
RegisterActionToEvent
BOOLEAN RegisterActionToEvent(PDEBUGGER_GENERAL_EVENT_DETAIL Event, PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger, UINT32 ActionBreakToDebuggerLength, PDEBUGGER_GENERAL_ACTION ActionCustomCode, UINT32 ActionCustomCodeLength, PDEBUGGER_GENERAL_ACTION ActionScript, UINT32 ActionScriptLength)
Register the action to the event.
Definition debugger.cpp:2086
CPUID_INSTRUCTION_EXECUTION
@ CPUID_INSTRUCTION_EXECUTION
Definition Events.h:123
DEBUGGER_EVENT_PARSING_ERROR_CAUSE
enum _DEBUGGER_EVENT_PARSING_ERROR_CAUSE DEBUGGER_EVENT_PARSING_ERROR_CAUSE
Reason for error in parsing commands.
_DEBUGGER_EVENT_OPTIONS::OptionalParam2
UINT64 OptionalParam2
Definition Events.h:273
_DEBUGGER_EVENT_OPTIONS::OptionalParam1
UINT64 OptionalParam1
Definition Events.h:272
_DEBUGGER_GENERAL_ACTION
Each event can have multiple actions.
Definition Events.h:406
_DEBUGGER_GENERAL_EVENT_DETAIL
Each command is like the following struct, it also used for tracing works in user mode and sending it...
Definition Events.h:350
_DEBUGGER_GENERAL_EVENT_DETAIL::Options
DEBUGGER_EVENT_OPTIONS Options
Definition Events.h:391

◆ CommandCrwrite()

VOID CommandCrwrite ( vector< string > SplitCommand,
string Command )

!crwrite command handler

Parameters
SplitCommand
Command
Returns
VOID
47{
48 PDEBUGGER_GENERAL_EVENT_DETAIL Event = NULL;
49 PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger = NULL;
50 PDEBUGGER_GENERAL_ACTION ActionCustomCode = NULL;
51 PDEBUGGER_GENERAL_ACTION ActionScript = NULL;
52 UINT32 EventLength;
53 UINT32 ActionBreakToDebuggerLength = 0;
54 UINT32 ActionCustomCodeLength = 0;
55 UINT32 ActionScriptLength = 0;
56 UINT64 TargetRegister = 1;
57 UINT64 MaskRegister = 0xFFFFFFFFFFFFFFFF;
58 BOOLEAN GetRegister = FALSE;
59 BOOLEAN GetMask = FALSE;
60 vector<string> SplitCommandCaseSensitive {Split(Command, ' ')};
61 DEBUGGER_EVENT_PARSING_ERROR_CAUSE EventParsingErrorCause;
62
63 if (SplitCommand.size() < 2)
64 {
65 ShowMessages("incorrect use of the '!crwrite'\n");
66 CommandCrwriteHelp();
67 return;
68 }
69
70 //
71 // Interpret and fill the general event and action fields
72 //
73 //
74 if (!InterpretGeneralEventAndActionsFields(
75 &SplitCommand,
76 &SplitCommandCaseSensitive,
77 CONTROL_REGISTER_MODIFIED,
78 &Event,
79 &EventLength,
80 &ActionBreakToDebugger,
81 &ActionBreakToDebuggerLength,
82 &ActionCustomCode,
83 &ActionCustomCodeLength,
84 &ActionScript,
85 &ActionScriptLength,
86 &EventParsingErrorCause))
87 {
88 return;
89 }
90
91 //
92 // Interpret command specific details (if any)
93 //
94 for (auto Section : SplitCommand)
95 {
96 if (!Section.compare("!crwrite"))
97 {
98 continue;
99 }
100 else if (!GetRegister)
101 {
102 //
103 // It's probably a CR
104 //
105 if (!ConvertStringToUInt64(Section, &TargetRegister))
106 {
107 //
108 // Unknown parameter
109 //
110 ShowMessages("unknown parameter '%s'\n\n", Section.c_str());
111 CommandCrwriteHelp();
112
113 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
114 return;
115 }
116 else
117 {
118 GetRegister = TRUE;
119 }
120 }
121 else if (!GetMask)
122 {
123 if (!ConvertStringToUInt64(Section, &MaskRegister))
124 {
125 //
126 // Unknown parameter
127 //
128 ShowMessages("unknown parameter '%s'\n\n", Section.c_str());
129 CommandCrwriteHelp();
130
131 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
132 return;
133 }
134 else
135 {
136 GetMask = TRUE;
137 }
138 }
139 else
140 {
141 //
142 // Unknown parameter
143 //
144 ShowMessages("unknown parameter '%s'\n\n", Section.c_str());
145 CommandCrwriteHelp();
146
147 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
148 return;
149 }
150 }
151
152 if (TargetRegister != VMX_EXIT_QUALIFICATION_REGISTER_CR0 && TargetRegister != VMX_EXIT_QUALIFICATION_REGISTER_CR4)
153 {
154 ShowMessages("please choose either 0 for cr0 or 4 for cr4\n");
155 CommandCrwriteHelp();
156
157 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
158 return;
159 }
160
161 //
162 // Set the target control register
163 //
164 Event->Options.OptionalParam1 = TargetRegister;
165
166 //
167 // Set the mask to filter control register bits
168 //
169 Event->Options.OptionalParam2 = MaskRegister;
170
171 //
172 // Send the ioctl to the kernel for event registration
173 //
174 if (!SendEventToKernel(Event, EventLength))
175 {
176 //
177 // There was an error, probably the handle was not initialized
178 // we have to free the Action before exit, it is because, we
179 // already freed the Event and string buffers
180 //
181 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
182 return;
183 }
184
185 //
186 // Add the event to the kernel
187 //
188 if (!RegisterActionToEvent(Event,
189 ActionBreakToDebugger,
190 ActionBreakToDebuggerLength,
191 ActionCustomCode,
192 ActionCustomCodeLength,
193 ActionScript,
194 ActionScriptLength))
195 {
196 //
197 // There was an error
198 //
199 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
200 return;
201 }
202}
CommandCrwriteHelp
VOID CommandCrwriteHelp()
help of the !crwrite command
Definition crwrite.cpp:20
CONTROL_REGISTER_MODIFIED
@ CONTROL_REGISTER_MODIFIED
Definition Events.h:162

◆ CommandDebug()

VOID CommandDebug ( vector< string > SplitCommand,
string Command )

.debug command handler

Parameters
SplitCommand
Command
Returns
VOID
211{
212 UINT32 Baudrate;
213 UINT32 Port;
214
215 if (SplitCommand.size() == 2 && !SplitCommand.at(1).compare("close"))
216 {
217 //
218 // Check if the debugger is attached to a debuggee
219 //
220 if (g_IsSerialConnectedToRemoteDebuggee)
221 {
222 KdCloseConnection();
223 }
224 else
225 {
226 ShowMessages(
227 "err, debugger is not attached to any instance of debuggee\n");
228 }
229 return;
230 }
231 else if (SplitCommand.size() <= 3)
232 {
233 ShowMessages("incorrect use of the '.debug'\n\n");
234 CommandDebugHelp();
235 return;
236 }
237
238 //
239 // Check the main command
240 //
241 if (!SplitCommand.at(1).compare("remote"))
242 {
243 //
244 // in the case of the 'remote'
245 //
246
247 if (!SplitCommand.at(2).compare("serial"))
248 {
249 //
250 // Connect to a remote serial device
251 //
252 if (SplitCommand.size() != 5)
253 {
254 ShowMessages("incorrect use of the '.debug'\n\n");
255 CommandDebugHelp();
256 return;
257 }
258
259 //
260 // Set baudrate
261 //
262 if (!IsNumber(SplitCommand.at(3)))
263 {
264 //
265 // Unknown parameter
266 //
267 ShowMessages("unknown parameter '%s'\n\n",
268 SplitCommand.at(3).c_str());
269 CommandDebugHelp();
270 return;
271 }
272
273 Baudrate = stoi(SplitCommand.at(3));
274
275 //
276 // Check if baudrate is valid or not
277 //
278 if (!CommandDebugCheckBaudrate(Baudrate))
279 {
280 //
281 // Baud-rate is invalid
282 //
283 ShowMessages("err, baud rate is invalid\n\n");
284 CommandDebugHelp();
285 return;
286 }
287
288 //
289 // check if com port address is valid or not
290 //
291 if (!CommandDebugCheckComPort(SplitCommand.at(4).c_str(), &Port))
292 {
293 //
294 // com port is invalid
295 //
296 ShowMessages("err, COM port is invalid\n\n");
297 CommandDebugHelp();
298 return;
299 }
300
301 //
302 // Everything is okay, connect to the remote machine to send (debugger)
303 //
304 HyperDbgDebugRemoteDeviceUsingComPort(SplitCommand.at(4).c_str(), Baudrate);
305 }
306 else if (!SplitCommand.at(2).compare("namedpipe"))
307 {
308 //
309 // Connect to a remote namedpipe
310 //
311 string Delimiter = "namedpipe";
312 string Token = Command.substr(
313 Command.find(Delimiter) + Delimiter.size() + 1,
314 Command.size());
315
316 //
317 // Connect to a namedpipe (it's probably a Virtual Machine debugging)
318 //
319 HyperDbgDebugRemoteDeviceUsingNamedPipe(Token.c_str());
320 }
321 else
322 {
323 //
324 // Unknown parameter
325 //
326 ShowMessages("unknown parameter '%s'\n\n", SplitCommand.at(2).c_str());
327 CommandDebugHelp();
328 return;
329 }
330 }
331 else if (!SplitCommand.at(1).compare("prepare"))
332 {
333 if (SplitCommand.size() != 5)
334 {
335 ShowMessages("incorrect use of the '.debug'\n\n");
336 CommandDebugHelp();
337 return;
338 }
339
340 //
341 // in the case of the 'prepare'
342 // currently we only support serial
343 //
344 if (!SplitCommand.at(2).compare("serial"))
345 {
346 //
347 // Set baudrate
348 //
349 if (!IsNumber(SplitCommand.at(3)))
350 {
351 //
352 // Unknown parameter
353 //
354 ShowMessages("unknown parameter '%s'\n\n",
355 SplitCommand.at(3).c_str());
356 CommandDebugHelp();
357 return;
358 }
359
360 Baudrate = stoi(SplitCommand.at(3));
361
362 //
363 // Check if baudrate is valid or not
364 //
365 if (!CommandDebugCheckBaudrate(Baudrate))
366 {
367 //
368 // Baud-rate is invalid
369 //
370 ShowMessages("err, baud rate is invalid\n\n");
371 CommandDebugHelp();
372 return;
373 }
374
375 //
376 // check if com port address is valid or not
377 //
378 if (!CommandDebugCheckComPort(SplitCommand.at(4).c_str(), &Port))
379 {
380 //
381 // com port is invalid
382 //
383 ShowMessages("err, COM port is invalid\n\n");
384 CommandDebugHelp();
385 return;
386 }
387
388 //
389 // Everything is okay, prepare to send (debuggee)
390 //
391 HyperDbgDebugCurrentDeviceUsingComPort(SplitCommand.at(4).c_str(), Baudrate);
392 }
393 else
394 {
395 ShowMessages("invalid parameter '%s'\n\n", SplitCommand.at(2));
396 CommandDebugHelp();
397 return;
398 }
399 }
400 else
401 {
402 ShowMessages("invalid parameter '%s'\n\n", SplitCommand.at(1));
403 CommandDebugHelp();
404 return;
405 }
406}
HyperDbgDebugRemoteDeviceUsingNamedPipe
BOOLEAN HyperDbgDebugRemoteDeviceUsingNamedPipe(const CHAR *NamedPipe)
Connect to a remote named pipe (Debugger)
Definition debug.cpp:156
HyperDbgDebugRemoteDeviceUsingComPort
BOOLEAN HyperDbgDebugRemoteDeviceUsingComPort(const CHAR *PortName, DWORD Baudrate)
Connect to a remote serial device (Debugger)
Definition debug.cpp:116
CommandDebugCheckComPort
BOOLEAN CommandDebugCheckComPort(const CHAR *ComPort, UINT32 *Port)
Check if COM port is valid or not.
Definition debug.cpp:60
HyperDbgDebugCurrentDeviceUsingComPort
BOOLEAN HyperDbgDebugCurrentDeviceUsingComPort(const CHAR *PortName, DWORD Baudrate)
Connect to a remote serial device (Debuggee)
Definition debug.cpp:170
CommandDebugCheckBaudrate
BOOLEAN CommandDebugCheckBaudrate(DWORD Baudrate)
Check if baud rate is valid or not.
Definition debug.cpp:93
CommandDebugHelp
VOID CommandDebugHelp()
help of the .debug command
Definition debug.cpp:29
g_IsSerialConnectedToRemoteDebuggee
BOOLEAN g_IsSerialConnectedToRemoteDebuggee
Shows if the debugger was connected to remote debuggee over (A remote guest)
Definition globals.h:231
KdCloseConnection
BOOLEAN KdCloseConnection()

◆ CommandDetach()

VOID CommandDetach ( vector< string > SplitCommand,
string Command )

.detach command handler

Parameters
SplitCommand
Command
Returns
VOID
72{
73 if (SplitCommand.size() >= 2)
74 {
75 ShowMessages("incorrect use of the '.detach'\n\n");
76 CommandDetachHelp();
77 return;
78 }
79
80 //
81 // .attach and .detach commands are only supported in VMI Mode
82 //
83 if (g_IsSerialConnectedToRemoteDebuggee)
84 {
85 ShowMessages("err, '.attach', and '.detach' commands are only usable "
86 "in VMI Mode, you can use the '.process', or the '.thread' "
87 "in Debugger Mode\n");
88 return;
89 }
90
91 //
92 // Perform detach from the process
93 //
94 DetachFromProcess();
95}
DetachFromProcess
VOID DetachFromProcess()
perform detach from process
Definition detach.cpp:39
CommandDetachHelp
VOID CommandDetachHelp()
help of the .detach command
Definition detach.cpp:26
g_IsSerialConnectedToRemoteDebuggee
BOOLEAN g_IsSerialConnectedToRemoteDebuggee
Shows if the debugger was connected to remote debuggee over (A remote guest)
Definition globals.h:231

◆ CommandDisconnect()

VOID CommandDisconnect ( vector< string > SplitCommand,
string Command )

.disconnect command handler

Parameters
SplitCommand
Command
Returns
VOID
45{
46 if (SplitCommand.size() != 1)
47 {
48 ShowMessages("incorrect use of the '.disconnect'\n\n");
49 CommandDisconnectHelp();
50 return;
51 }
52
53 if (!g_IsConnectedToHyperDbgLocally && !g_IsConnectedToRemoteDebuggee)
54 {
55 ShowMessages("you're not connected to any instance of HyperDbg, did you "
56 "use '.connect'? \n");
57 return;
58 }
59
60 //
61 // Check if it's local debugger and the driver is still
62 // loading (not unloaded)
63 //
64 if (g_IsConnectedToHyperDbgLocally && g_DeviceHandle)
65 {
66 ShowMessages("you cannot disconnect in local debugging while the "
67 "driver is still loaded. please use 'unload' command before "
68 "disconnecting from the current instance of debugger\n");
69 return;
70 }
71
72 //
73 // Disconnect the session
74 //
75 g_IsConnectedToHyperDbgLocally = FALSE;
76
77 //
78 // This computer is connected to a remote system
79 //
80 if (g_IsConnectedToRemoteDebuggee)
81 {
82 //
83 // We should kill the thread that was listening for the
84 // remote commands and close the connection
85 //
86 TerminateThread(g_RemoteDebuggeeListeningThread, 0);
87 CloseHandle(g_RemoteDebuggeeListeningThread);
88 CloseHandle(g_EndOfMessageReceivedEvent);
89 g_EndOfMessageReceivedEvent = NULL;
90
91 RemoteConnectionCloseTheConnectionWithDebuggee();
92
93 g_IsConnectedToRemoteDebuggee = FALSE;
94 }
95
96 ShowMessages("disconnected successfully\n");
97}
g_IsConnectedToRemoteDebuggee
BOOLEAN g_IsConnectedToRemoteDebuggee
Shows whether the current debugger is the host and connected to a remote debuggee (guest)
Definition globals.h:74
g_RemoteDebuggeeListeningThread
HANDLE g_RemoteDebuggeeListeningThread
In debugger (not debuggee), we save the ip of server debuggee in this variable to use it later e....
Definition globals.h:124
CommandDisconnectHelp
VOID CommandDisconnectHelp()
help of the .disconnect command
Definition disconnect.cpp:28
g_EndOfMessageReceivedEvent
HANDLE g_EndOfMessageReceivedEvent
Handle to if the end of the message received (for showing signature)
Definition globals.h:137
g_IsConnectedToHyperDbgLocally
BOOLEAN g_IsConnectedToHyperDbgLocally
Shows whether the user is allowed to use 'load' command to load modules locally in VMI (virtual machi...
Definition globals.h:67
g_DeviceHandle
HANDLE g_DeviceHandle
Holds the global handle of device which is used to send the request to the kernel by IOCTL,...
Definition globals.h:471
RemoteConnectionCloseTheConnectionWithDebuggee
int RemoteConnectionCloseTheConnectionWithDebuggee()
Close the connect from client side to the debuggee.
Definition remote-connection.cpp:504

◆ CommandDr()

VOID CommandDr ( vector< string > SplitCommand,
string Command )

!dr command handler

Parameters
SplitCommand
Command
Returns
VOID
46{
47 PDEBUGGER_GENERAL_EVENT_DETAIL Event = NULL;
48 PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger = NULL;
49 PDEBUGGER_GENERAL_ACTION ActionCustomCode = NULL;
50 PDEBUGGER_GENERAL_ACTION ActionScript = NULL;
51 UINT32 EventLength;
52 UINT32 ActionBreakToDebuggerLength = 0;
53 UINT32 ActionCustomCodeLength = 0;
54 UINT32 ActionScriptLength = 0;
55 vector<string> SplitCommandCaseSensitive {Split(Command, ' ')};
56 DEBUGGER_EVENT_PARSING_ERROR_CAUSE EventParsingErrorCause;
57
58 //
59 // Interpret and fill the general event and action fields
60 //
61 //
62 if (!InterpretGeneralEventAndActionsFields(
63 &SplitCommand,
64 &SplitCommandCaseSensitive,
65 DEBUG_REGISTERS_ACCESSED,
66 &Event,
67 &EventLength,
68 &ActionBreakToDebugger,
69 &ActionBreakToDebuggerLength,
70 &ActionCustomCode,
71 &ActionCustomCodeLength,
72 &ActionScript,
73 &ActionScriptLength,
74 &EventParsingErrorCause))
75 {
76 return;
77 }
78
79 //
80 // Check for size
81 //
82 if (SplitCommand.size() > 1)
83 {
84 ShowMessages("incorrect use of the '!dr'\n");
85 CommandDrHelp();
86
87 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
88 return;
89 }
90
91 //
92 // Send the ioctl to the kernel for event registration
93 //
94 if (!SendEventToKernel(Event, EventLength))
95 {
96 //
97 // There was an error, probably the handle was not initialized
98 // we have to free the Action before exit, it is because, we
99 // already freed the Event and string buffers
100 //
101
102 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
103 return;
104 }
105
106 //
107 // Add the event to the kernel
108 //
109 if (!RegisterActionToEvent(Event,
110 ActionBreakToDebugger,
111 ActionBreakToDebuggerLength,
112 ActionCustomCode,
113 ActionCustomCodeLength,
114 ActionScript,
115 ActionScriptLength))
116 {
117 //
118 // There was an error
119 //
120
121 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
122 return;
123 }
124}
CommandDrHelp
VOID CommandDrHelp()
help of the !dr command
Definition dr.cpp:20
DEBUG_REGISTERS_ACCESSED
@ DEBUG_REGISTERS_ACCESSED
Definition Events.h:146

◆ CommandDtAndStruct()

VOID CommandDtAndStruct ( vector< string > SplitCommand,
string Command )

dt and struct command handler

Parameters
SplitCommand
Command
Returns
VOID
428{
429 std::string TempTypeNameHolder;
430 std::string PdbexArgs = "";
431 BOOLEAN IsStruct = FALSE;
432 UINT64 TargetAddress = NULL;
433 PVOID BufferAddressRetrievedFromDebuggee = NULL;
434 UINT32 TargetPid = NULL;
435 BOOLEAN IsPhysicalAddress = FALSE;
436
437 //
438 // Check if command is 'struct' or not
439 //
440 if (!SplitCommand.at(0).compare("struct") ||
441 !SplitCommand.at(0).compare("structure"))
442 {
443 IsStruct = TRUE;
444 }
445 else
446 {
447 IsStruct = FALSE;
448 }
449
450 //
451 // Check if command is '!dt' for physical address or not
452 //
453 if (!SplitCommand.at(0).compare("!dt"))
454 {
455 IsPhysicalAddress = TRUE;
456 }
457 else
458 {
459 IsPhysicalAddress = FALSE;
460 }
461
462 if (SplitCommand.size() == 1)
463 {
464 ShowMessages("incorrect use of the '%s'\n\n", SplitCommand.at(0).c_str());
465
466 if (IsStruct)
467 {
468 CommandStructHelp();
469 }
470 else
471 {
472 CommandDtHelp();
473 }
474
475 return;
476 }
477
478 //
479 // Trim the command
480 //
481 Trim(Command);
482
483 //
484 // Remove dt, struct, or structure from it
485 //
486 Command.erase(0, SplitCommand.at(0).size());
487
488 //
489 // Trim it again
490 //
491 Trim(Command);
492
493 //
494 // Check for the first and second arguments
495 //
496 vector<string> TempSplitCommand {Split(Command, ' ')};
497
498 //
499 // If the size is zero, then it's only a type name
500 //
501 if (TempSplitCommand.size() == 1)
502 {
503 //
504 // Call the dt parser wrapper, it's only a structure (type) name
505 // Call it with default configuration
506 //
507 CommandDtShowDataBasedOnSymbolTypes(TempSplitCommand.at(0).c_str(),
508 NULL,
509 IsStruct,
510 NULL,
511 TargetPid,
512 IsPhysicalAddress,
513 PDBEX_DEFAULT_CONFIGURATION);
514 }
515 else
516 {
517 //
518 // When we're here, it means we have size() >= 2, so we have to check
519 // the first and the second method to see which one is the type and
520 // which one is the symbol
521 //
522
523 //
524 // Check if the first parameter is an address or valid expression
525 //
526 if (IsStruct || !SymbolConvertNameOrExprToAddress(TempSplitCommand.at(0).c_str(),
527 &TargetAddress))
528 {
529 //
530 // No it's not, we'll get the first argument as the structure (type) name
531 // And we have to check whether the second argument is a buffer address or not
532 //
533 if (IsStruct || !SymbolConvertNameOrExprToAddress(TempSplitCommand.at(1).c_str(),
534 &TargetAddress))
535 {
536 //
537 // The second argument is also not buffer address
538 // probably the user entered a structure (type) name along with some params
539 //
540 TempTypeNameHolder = TempSplitCommand.at(0);
541
542 //
543 // Remove the first argument
544 //
545 TempSplitCommand.erase(TempSplitCommand.begin());
546
547 //
548 // Convert to pdbex args
549 //
550 if (!CommandDtAndStructConvertHyperDbgArgsToPdbex(TempSplitCommand, PdbexArgs, &TargetPid))
551 {
552 if (IsStruct)
553 {
554 CommandStructHelp();
555 }
556 else
557 {
558 CommandDtHelp();
559 }
560
561 return;
562 }
563
564 //
565 // Call the wrapper of pdbex
566 //
567 CommandDtShowDataBasedOnSymbolTypes(TempTypeNameHolder.c_str(),
568 TargetAddress,
569 IsStruct,
570 BufferAddressRetrievedFromDebuggee,
571 TargetPid,
572 IsPhysicalAddress,
573 PdbexArgs.c_str());
574 }
575 else
576 {
577 //
578 // The second argument is a buffer address
579 // The user entered a structure (type) name along with buffer address
580 //
581 if (TempSplitCommand.size() == 2)
582 {
583 //
584 // There is not parameters, only a symbol name and then a buffer address
585 // Call it with default configuration
586 //
587 CommandDtShowDataBasedOnSymbolTypes(TempSplitCommand.at(0).c_str(),
588 TargetAddress,
589 IsStruct,
590 BufferAddressRetrievedFromDebuggee,
591 TargetPid,
592 IsPhysicalAddress,
593 PDBEX_DEFAULT_CONFIGURATION);
594 }
595 else
596 {
597 //
598 // Other than the first argument which is a structure (type) name, and
599 // the second argument which is buffer address, there are other parameters, so
600 // we WON'T call it with default parameters
601 //
602 TempTypeNameHolder = TempSplitCommand.at(0);
603
604 //
605 // Remove the first, and the second arguments
606 //
607 TempSplitCommand.erase(TempSplitCommand.begin());
608 TempSplitCommand.erase(TempSplitCommand.begin());
609
610 //
611 // Convert to pdbex args
612 //
613 if (!CommandDtAndStructConvertHyperDbgArgsToPdbex(TempSplitCommand, PdbexArgs, &TargetPid))
614 {
615 if (IsStruct)
616 {
617 CommandStructHelp();
618 }
619 else
620 {
621 CommandDtHelp();
622 }
623
624 return;
625 }
626
627 //
628 // Call the wrapper of pdbex
629 //
630 CommandDtShowDataBasedOnSymbolTypes(TempTypeNameHolder.c_str(),
631 TargetAddress,
632 IsStruct,
633 BufferAddressRetrievedFromDebuggee,
634 TargetPid,
635 IsPhysicalAddress,
636 PdbexArgs.c_str());
637 }
638 }
639 }
640 else
641 {
642 //
643 // The first argument is a buffer address, so we get the first argument as
644 // a buffer address and the second argument as the structure (type) name
645 //
646 if (TempSplitCommand.size() == 2)
647 {
648 //
649 // There is not parameters, only a buffer address and then a symbol name
650 // Call it with default configuration
651 //
652 CommandDtShowDataBasedOnSymbolTypes(TempSplitCommand.at(1).c_str(),
653 TargetAddress,
654 IsStruct,
655 BufferAddressRetrievedFromDebuggee,
656 TargetPid,
657 IsPhysicalAddress,
658 PDBEX_DEFAULT_CONFIGURATION);
659 }
660 else
661 {
662 //
663 // Other than the first argument which is a buffer address, and the second
664 // argument which is structure (type) name, there are other parameters, so
665 // we WON'T call it with default parameters
666 //
667 TempTypeNameHolder = TempSplitCommand.at(1);
668
669 //
670 // Remove the first, and the second arguments
671 //
672 TempSplitCommand.erase(TempSplitCommand.begin());
673 TempSplitCommand.erase(TempSplitCommand.begin());
674
675 //
676 // Convert to pdbex args
677 //
678 if (!CommandDtAndStructConvertHyperDbgArgsToPdbex(TempSplitCommand, PdbexArgs, &TargetPid))
679 {
680 if (IsStruct)
681 {
682 CommandStructHelp();
683 }
684 else
685 {
686 CommandDtHelp();
687 }
688
689 return;
690 }
691
692 //
693 // Call the wrapper of pdbex
694 //
695 CommandDtShowDataBasedOnSymbolTypes(TempTypeNameHolder.c_str(),
696 TargetAddress,
697 IsStruct,
698 BufferAddressRetrievedFromDebuggee,
699 TargetPid,
700 IsPhysicalAddress,
701 PdbexArgs.c_str());
702 }
703 }
704 }
705}
IsStruct
UINT64 BOOLEAN IsStruct
Definition HyperDbgScriptImports.h:67
Trim
void Trim(std::string &s)
trim from both ends and start of a string (in place)
Definition common.cpp:594
CommandDtShowDataBasedOnSymbolTypes
BOOLEAN CommandDtShowDataBasedOnSymbolTypes(const char *TypeName, UINT64 Address, BOOLEAN IsStruct, PVOID BufferAddress, UINT32 TargetPid, BOOLEAN IsPhysicalAddress, const char *AdditionalParameters)
Show data based on the symbol structure and data types.
Definition dt-struct.cpp:314
CommandStructHelp
VOID CommandStructHelp()
help of the struct command
Definition dt-struct.cpp:63
CommandDtAndStructConvertHyperDbgArgsToPdbex
BOOLEAN CommandDtAndStructConvertHyperDbgArgsToPdbex(vector< string > ExtraArgs, std::string &PdbexArgs, UINT32 *ProcessId)
Convert HyperDbg arguments for dt and struct commands to pdbex arguments.
Definition dt-struct.cpp:92
CommandDtHelp
VOID CommandDtHelp()
help of the dt command
Definition dt-struct.cpp:26
PDBEX_DEFAULT_CONFIGURATION
#define PDBEX_DEFAULT_CONFIGURATION
Definition symbol.h:33

◆ CommandDump()

VOID CommandDump ( vector< string > SplitCommand,
string Command )

.dump command handler

Parameters
SplitCommand
Command
Returns
VOID
63{
64 wstring Filepath;
65 UINT32 ActualLength;
66 UINT32 Iterator;
67 UINT32 Pid = 0;
68 UINT32 Length = 0;
69 UINT64 StartAddress = 0;
70 UINT64 EndAddress = 0;
71 BOOLEAN IsFirstCommand = TRUE;
72 BOOLEAN NextIsProcId = FALSE;
73 BOOLEAN NextIsPath = FALSE;
74 BOOLEAN IsTheFirstAddr = FALSE;
75 BOOLEAN IsTheSecondAddr = FALSE;
76 BOOLEAN IsDumpPathSpecified = FALSE;
77 string FirstCommand = SplitCommand.front();
78 DEBUGGER_READ_MEMORY_TYPE MemoryType = DEBUGGER_READ_VIRTUAL_ADDRESS;
79
80 if (SplitCommand.size() <= 4)
81 {
82 ShowMessages("err, incorrect use of the '.dump' command\n\n");
83 CommandDumpHelp();
84 return;
85 }
86
87 //
88 // By default if the user-debugger is active, we use these commands
89 // on the memory layout of the debuggee process
90 //
91 if (g_ActiveProcessDebuggingState.IsActive)
92 {
93 Pid = g_ActiveProcessDebuggingState.ProcessId;
94 }
95
96 for (auto Section : SplitCommand)
97 {
98 if (IsFirstCommand == TRUE)
99 {
100 IsFirstCommand = FALSE;
101 continue;
102 }
103 else if (NextIsProcId)
104 {
105 if (!ConvertStringToUInt32(Section, &Pid))
106 {
107 ShowMessages("please specify a correct hex value for process id\n\n");
108 CommandDumpHelp();
109 return;
110 }
111 NextIsProcId = FALSE;
112 continue;
113 }
114 else if (NextIsPath)
115 {
116 //
117 // Convert path to wstring
118 //
119 StringToWString(Filepath, Section);
120 IsDumpPathSpecified = TRUE;
121
122 NextIsPath = FALSE;
123 }
124 else if (!Section.compare("pid"))
125 {
126 NextIsProcId = TRUE;
127 continue;
128 }
129 else if (!Section.compare("path"))
130 {
131 NextIsPath = TRUE;
132 continue;
133 }
134 //
135 // Check the 'From' address
136 //
137 else if (!IsTheFirstAddr && SymbolConvertNameOrExprToAddress(Section, &StartAddress))
138 {
139 IsTheFirstAddr = TRUE;
140 }
141 //
142 // Check the 'To' address
143 //
144 else if (!IsTheSecondAddr && SymbolConvertNameOrExprToAddress(Section, &EndAddress))
145 {
146 IsTheSecondAddr = TRUE;
147 }
148 else
149 {
150 //
151 // invalid input
152 //
153 ShowMessages("err, couldn't resolve error at '%s'\n\n",
154 Section.c_str());
155 CommandDumpHelp();
156
157 return;
158 }
159 }
160
161 //
162 // Check if 'pid' is not specified
163 //
164 if (NextIsProcId)
165 {
166 ShowMessages("please specify a correct hex value for process id\n\n");
167 CommandDumpHelp();
168 return;
169 }
170
171 //
172 // Check if 'path' is either specified, not completely specified
173 //
174 if (NextIsPath || !IsDumpPathSpecified)
175 {
176 ShowMessages("please specify a correct path for saving the dump\n\n");
177 CommandDumpHelp();
178 return;
179 }
180
181 //
182 // Check if start address or end address is null
183 //
184 if (!IsTheFirstAddr || !IsTheSecondAddr)
185 {
186 ShowMessages("err, please specify the start and end address in hex format\n");
187 return;
188 }
189
190 //
191 // Check if end address is bigger than start address
192 //
193 if (StartAddress >= EndAddress)
194 {
195 ShowMessages("err, please note that the 'to' address should be greater than the 'from' address\n");
196 return;
197 }
198
199 //
200 // Check to prevent using process id in d* and u* commands
201 //
202 if (g_IsSerialConnectedToRemoteDebuggee && Pid != 0)
203 {
204 ShowMessages(ASSERT_MESSAGE_CANNOT_SPECIFY_PID);
205 return;
206 }
207
208 if (Pid == 0)
209 {
210 //
211 // Default process we read from current process
212 //
213 Pid = GetCurrentProcessId();
214 }
215
216 //
217 // Check whether it's physical or virtual address
218 //
219 if (!FirstCommand.compare("!dump"))
220 {
221 MemoryType = DEBUGGER_READ_PHYSICAL_ADDRESS;
222 }
223
224 //
225 // Create or open the file for writing the dump file
226 //
227 DumpFileHandle = CreateFileW(
228 Filepath.c_str(),
229 GENERIC_WRITE,
230 0,
231 NULL,
232 CREATE_ALWAYS,
233 FILE_ATTRIBUTE_NORMAL,
234 NULL);
235
236 if (DumpFileHandle == INVALID_HANDLE_VALUE)
237 {
238 ShowMessages("err, unable to create or open the file\n");
239 return;
240 }
241
242 //
243 // Compute the length
244 //
245 Length = (UINT32)(EndAddress - StartAddress);
246
247 ActualLength = NULL;
248 Iterator = Length / PAGE_SIZE;
249
250 for (size_t i = 0; i <= Iterator; i++)
251 {
252 UINT64 Address = StartAddress + (i * PAGE_SIZE);
253
254 if (Length >= PAGE_SIZE)
255 {
256 ActualLength = PAGE_SIZE;
257 }
258 else
259 {
260 ActualLength = Length;
261 }
262
263 Length -= ActualLength;
264
265 if (ActualLength != 0)
266 {
267 // ShowMessages("address: 0x%llx | actual length: 0x%llx\n", Address, ActualLength);
268
269 HyperDbgShowMemoryOrDisassemble(
270 DEBUGGER_SHOW_COMMAND_DUMP,
271 Address,
272 MemoryType,
273 READ_FROM_KERNEL,
274 Pid,
275 ActualLength,
276 NULL);
277 }
278 }
279
280 //
281 // Close the file handle if it's not already closed
282 //
283 if (DumpFileHandle != NULL)
284 {
285 CloseHandle(DumpFileHandle);
286 DumpFileHandle = NULL;
287 }
288
289 ShowMessages("the dump file is saved at: %ls\n", Filepath.c_str());
290}
READ_FROM_KERNEL
@ READ_FROM_KERNEL
Definition RequestStructures.h:219
DEBUGGER_READ_MEMORY_TYPE
enum _DEBUGGER_READ_MEMORY_TYPE DEBUGGER_READ_MEMORY_TYPE
different type of addresses
DEBUGGER_SHOW_COMMAND_DUMP
@ DEBUGGER_SHOW_COMMAND_DUMP
Definition RequestStructures.h:258
DEBUGGER_READ_PHYSICAL_ADDRESS
@ DEBUGGER_READ_PHYSICAL_ADDRESS
Definition RequestStructures.h:229
DEBUGGER_READ_VIRTUAL_ADDRESS
@ DEBUGGER_READ_VIRTUAL_ADDRESS
Definition RequestStructures.h:230
StringToWString
VOID StringToWString(std::wstring &ws, const std::string &s)
convert std::string to std::wstring
Definition common.cpp:729
CommandDumpHelp
VOID CommandDumpHelp()
help of the .dump command
Definition dump.cpp:36
g_IsSerialConnectedToRemoteDebuggee
BOOLEAN g_IsSerialConnectedToRemoteDebuggee
Shows if the debugger was connected to remote debuggee over (A remote guest)
Definition globals.h:231
g_ActiveProcessDebuggingState
ACTIVE_DEBUGGING_PROCESS g_ActiveProcessDebuggingState
State of active debugging thread.
Definition globals.h:362
DumpFileHandle
HANDLE DumpFileHandle
Holds the handle of the dump file.
Definition dump.cpp:28
ASSERT_MESSAGE_CANNOT_SPECIFY_PID
#define ASSERT_MESSAGE_CANNOT_SPECIFY_PID
Definition common.h:31
PAGE_SIZE
#define PAGE_SIZE
Size of each page (4096 bytes)
Definition common.h:69
HyperDbgShowMemoryOrDisassemble
VOID HyperDbgShowMemoryOrDisassemble(DEBUGGER_SHOW_MEMORY_STYLE Style, UINT64 Address, DEBUGGER_READ_MEMORY_TYPE MemoryType, DEBUGGER_READ_READING_TYPE ReadingType, UINT32 Pid, UINT32 Size, PDEBUGGER_DT_COMMAND_OPTIONS DtDetails)
Show memory or disassembler.
Definition readmem.cpp:193

◆ CommandDumpSaveIntoFile()

VOID CommandDumpSaveIntoFile ( PVOID Buffer,
UINT32 Length )

Saves the received buffers into the files.

Parameters
Buffer
Length
Returns
VOID
302{
303 DWORD BytesWritten;
304
305 //
306 // Check if handle is valid
307 //
308 if (DumpFileHandle == NULL)
309 {
310 ShowMessages("err, invalid handle for saving the dump buffer is specified\n");
311 return;
312 }
313
314 //
315 // Write the buffer into the dump file
316 //
317 if (!WriteFile(DumpFileHandle, Buffer, Length, &BytesWritten, NULL))
318 {
319 ShowMessages("err, unable to write buffer into the dump\n");
320
321 CloseHandle(DumpFileHandle);
322 DumpFileHandle = NULL;
323
324 return;
325 }
326}
DWORD
unsigned long DWORD
Definition BasicTypes.h:22

◆ CommandEditMemory()

VOID CommandEditMemory ( vector< string > SplitCommand,
string Command )

!e* and e* commands handler

Parameters
SplitCommand
Command
Returns
VOID
266{
267 UINT64 Address;
268 UINT64 * FinalBuffer;
269 vector<UINT64> ValuesToEdit;
270 DEBUGGER_EDIT_MEMORY_TYPE MemoryType;
271 DEBUGGER_EDIT_MEMORY_BYTE_SIZE ByteSize;
272 BOOL SetAddress = FALSE;
273 BOOL SetValue = FALSE;
274 BOOL SetProcId = FALSE;
275 BOOL NextIsProcId = FALSE;
276 UINT64 Value = 0;
277 UINT32 ProcId = 0;
278 UINT32 CountOfValues = 0;
279 UINT32 FinalSize = 0;
280 vector<string> SplitCommandCaseSensitive {Split(Command, ' ')};
281 UINT32 IndexInCommandCaseSensitive = 0;
282 BOOLEAN IsFirstCommand = TRUE;
283
284 //
285 // By default if the user-debugger is active, we use these commands
286 // on the memory layout of the debuggee process
287 //
288 if (g_ActiveProcessDebuggingState.IsActive)
289 {
290 ProcId = g_ActiveProcessDebuggingState.ProcessId;
291 }
292
293 if (SplitCommand.size() <= 2)
294 {
295 ShowMessages("incorrect use of the 'e*'\n\n");
296 CommandEditMemoryHelp();
297 return;
298 }
299
300 for (auto Section : SplitCommand)
301 {
302 IndexInCommandCaseSensitive++;
303
304 if (IsFirstCommand)
305 {
306 if (!Section.compare("!eb"))
307 {
308 MemoryType = EDIT_PHYSICAL_MEMORY;
309 ByteSize = EDIT_BYTE;
310 }
311 else if (!Section.compare("!ed"))
312 {
313 MemoryType = EDIT_PHYSICAL_MEMORY;
314 ByteSize = EDIT_DWORD;
315 }
316 else if (!Section.compare("!eq"))
317 {
318 MemoryType = EDIT_PHYSICAL_MEMORY;
319 ByteSize = EDIT_QWORD;
320 }
321 else if (!Section.compare("eb"))
322 {
323 MemoryType = EDIT_VIRTUAL_MEMORY;
324 ByteSize = EDIT_BYTE;
325 }
326 else if (!Section.compare("ed"))
327 {
328 MemoryType = EDIT_VIRTUAL_MEMORY;
329 ByteSize = EDIT_DWORD;
330 }
331 else if (!Section.compare("eq"))
332 {
333 MemoryType = EDIT_VIRTUAL_MEMORY;
334 ByteSize = EDIT_QWORD;
335 }
336 else
337 {
338 //
339 // What's this? :(
340 //
341 ShowMessages("unknown error happened !\n\n");
342 CommandEditMemoryHelp();
343 return;
344 }
345
346 IsFirstCommand = FALSE;
347
348 continue;
349 }
350
351 if (NextIsProcId)
352 {
353 //
354 // It's a process id
355 //
356 NextIsProcId = FALSE;
357
358 if (!ConvertStringToUInt32(Section, &ProcId))
359 {
360 ShowMessages("please specify a correct hex process id\n\n");
361 CommandEditMemoryHelp();
362 return;
363 }
364 else
365 {
366 //
367 // Means that the proc id is set, next we should read value
368 //
369 continue;
370 }
371 }
372
373 //
374 // Check if it's a process id or not
375 //
376 if (!SetProcId && !Section.compare("pid"))
377 {
378 NextIsProcId = TRUE;
379 continue;
380 }
381
382 if (!SetAddress)
383 {
384 if (!SymbolConvertNameOrExprToAddress(SplitCommandCaseSensitive.at(IndexInCommandCaseSensitive - 1),
385 &Address))
386 {
387 ShowMessages("err, couldn't resolve error at '%s'\n\n",
388 SplitCommandCaseSensitive.at(IndexInCommandCaseSensitive - 1).c_str());
389 CommandEditMemoryHelp();
390 return;
391 }
392 else
393 {
394 //
395 // Means that the address is set, next we should read value
396 //
397 SetAddress = TRUE;
398 continue;
399 }
400 }
401
402 if (SetAddress)
403 {
404 //
405 // Remove the hex notations
406 //
407 if (Section.rfind("0x", 0) == 0 || Section.rfind("0X", 0) == 0 ||
408 Section.rfind("\\x", 0) == 0 || Section.rfind("\\X", 0) == 0)
409 {
410 Section = Section.erase(0, 2);
411 }
412 else if (Section.rfind('x', 0) == 0 || Section.rfind('X', 0) == 0)
413 {
414 Section = Section.erase(0, 1);
415 }
416 Section.erase(remove(Section.begin(), Section.end(), '`'), Section.end());
417
418 //
419 // Check if the value is valid based on byte counts
420 //
421 if (ByteSize == EDIT_BYTE && Section.size() >= 3)
422 {
423 ShowMessages("please specify a byte (hex) value for 'eb' or '!eb'\n\n");
424 return;
425 }
426 if (ByteSize == EDIT_DWORD && Section.size() >= 9)
427 {
428 ShowMessages(
429 "please specify a dword (hex) value for 'ed' or '!ed'\n\n");
430 return;
431 }
432 if (ByteSize == EDIT_QWORD && Section.size() >= 17)
433 {
434 ShowMessages(
435 "please specify a qword (hex) value for 'eq' or '!eq'\n\n");
436 return;
437 }
438
439 //
440 // Qword is checked by the following function, no need to double
441 // check it above.
442 //
443
444 if (!ConvertStringToUInt64(Section, &Value))
445 {
446 ShowMessages("please specify a correct hex value to change the memory "
447 "content\n\n");
448 CommandEditMemoryHelp();
449 return;
450 }
451 else
452 {
453 //
454 // Add it to the list
455 //
456
457 ValuesToEdit.push_back(Value);
458
459 //
460 // Keep track of values to modify
461 //
462 CountOfValues++;
463
464 if (!SetValue)
465 {
466 //
467 // At least on value is there
468 //
469 SetValue = TRUE;
470 }
471 continue;
472 }
473 }
474 }
475
476 //
477 // Check to prevent using process id in e* commands
478 //
479 if (g_IsSerialConnectedToRemoteDebuggee && ProcId != 0)
480 {
481 ShowMessages(ASSERT_MESSAGE_CANNOT_SPECIFY_PID);
482 return;
483 }
484
485 //
486 // Only valid for VMI Mode
487 //
488 if (ProcId == 0)
489 {
490 ProcId = GetCurrentProcessId();
491 }
492
493 //
494 // Check if address and value are set or not
495 //
496 if (!SetAddress)
497 {
498 ShowMessages("please specify a correct hex address\n\n");
499 CommandEditMemoryHelp();
500 return;
501 }
502 if (!SetValue)
503 {
504 ShowMessages(
505 "please specify a correct hex value as the content to edit\n\n");
506 CommandEditMemoryHelp();
507 return;
508 }
509 if (NextIsProcId)
510 {
511 ShowMessages("please specify a correct hex value as the process id\n\n");
512 CommandEditMemoryHelp();
513 return;
514 }
515
516 //
517 // Make the chunks for editing
518 //
519 FinalSize = (CountOfValues * sizeof(UINT64));
520
521 //
522 // Allocate structure + buffer
523 //
524 FinalBuffer = (UINT64 *)malloc(FinalSize);
525
526 if (!FinalBuffer)
527 {
528 ShowMessages("unable to allocate memory\n\n");
529 return;
530 }
531
532 //
533 // Zero the buffer
534 //
535 ZeroMemory(FinalBuffer, FinalSize);
536
537 //
538 // Put the values in 64 bit structures
539 //
540 std::copy(ValuesToEdit.begin(), ValuesToEdit.end(), FinalBuffer);
541
542 //
543 // Perform the write operation
544 //
545 WriteMemoryContent(Address,
546 MemoryType,
547 ByteSize,
548 ProcId,
549 CountOfValues,
550 FinalBuffer);
551
552 //
553 // Free the malloc buffer
554 //
555 free(FinalBuffer);
556}
EDIT_QWORD
@ EDIT_QWORD
Definition RequestStructures.h:474
EDIT_DWORD
@ EDIT_DWORD
Definition RequestStructures.h:473
EDIT_BYTE
@ EDIT_BYTE
Definition RequestStructures.h:472
DEBUGGER_EDIT_MEMORY_BYTE_SIZE
enum _DEBUGGER_EDIT_MEMORY_BYTE_SIZE DEBUGGER_EDIT_MEMORY_BYTE_SIZE
size of editing memory
SetValue
VOID SetValue(PGUEST_REGS GuestRegs, SCRIPT_ENGINE_VARIABLES_LIST *VariablesList, PSYMBOL Symbol, UINT64 Value, SYMBOL_BUFFER *StackBuffer, UINT64 *StackIndx, UINT64 *StackBaseIndx, UINT64 *ReturnValue)
Set the value.
Definition ScriptEngineEval.c:184
CommandEditMemoryHelp
VOID CommandEditMemoryHelp()
help of !e* and e* commands
Definition e.cpp:26
WriteMemoryContent
BOOLEAN WriteMemoryContent(UINT64 AddressToEdit, DEBUGGER_EDIT_MEMORY_TYPE MemoryType, DEBUGGER_EDIT_MEMORY_BYTE_SIZE ByteSize, UINT32 Pid, UINT32 CountOf64Chunks, UINT64 *BufferToEdit)
Perform writing the memory content.
Definition e.cpp:64
g_IsSerialConnectedToRemoteDebuggee
BOOLEAN g_IsSerialConnectedToRemoteDebuggee
Shows if the debugger was connected to remote debuggee over (A remote guest)
Definition globals.h:231
g_ActiveProcessDebuggingState
ACTIVE_DEBUGGING_PROCESS g_ActiveProcessDebuggingState
State of active debugging thread.
Definition globals.h:362
Value
RequestedActionOfThePacket Value(0x1) 00000000

◆ CommandEptHook()

VOID CommandEptHook ( vector< string > SplitCommand,
string Command )

!epthook command handler

Parameters
SplitCommand
Command
Returns
VOID
48{
49 PDEBUGGER_GENERAL_EVENT_DETAIL Event = NULL;
50 PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger = NULL;
51 PDEBUGGER_GENERAL_ACTION ActionCustomCode = NULL;
52 PDEBUGGER_GENERAL_ACTION ActionScript = NULL;
53 UINT32 EventLength;
54 UINT32 ActionBreakToDebuggerLength = 0;
55 UINT32 ActionCustomCodeLength = 0;
56 UINT32 ActionScriptLength = 0;
57 BOOLEAN GetAddress = FALSE;
58 UINT64 OptionalParam1 = 0; // Set the target address
59 vector<string> SplitCommandCaseSensitive {Split(Command, ' ')};
60 UINT32 IndexInCommandCaseSensitive = 0;
61 DEBUGGER_EVENT_PARSING_ERROR_CAUSE EventParsingErrorCause;
62
63 if (SplitCommand.size() < 2)
64 {
65 ShowMessages("incorrect use of the '!epthook'\n");
66 CommandEptHookHelp();
67 return;
68 }
69
70 //
71 // Interpret and fill the general event and action fields
72 //
73 if (!InterpretGeneralEventAndActionsFields(
74 &SplitCommand,
75 &SplitCommandCaseSensitive,
76 HIDDEN_HOOK_EXEC_CC,
77 &Event,
78 &EventLength,
79 &ActionBreakToDebugger,
80 &ActionBreakToDebuggerLength,
81 &ActionCustomCode,
82 &ActionCustomCodeLength,
83 &ActionScript,
84 &ActionScriptLength,
85 &EventParsingErrorCause))
86 {
87 return;
88 }
89
90 //
91 // Check here to make sure that the user didn't specified the calling stages for this ept hook
92 //
93 if (Event->EventStage != VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION)
94 {
95 ShowMessages("the utilization of 'post' or 'all' event calling stages is not meaningful "
96 "for the hidden hook; therefore, this command does not support them\n");
97
98 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
99 return;
100 }
101
102 //
103 // Interpret command specific details (if any)
104 //
105 for (auto Section : SplitCommand)
106 {
107 IndexInCommandCaseSensitive++;
108
109 if (!Section.compare("!epthook"))
110 {
111 continue;
112 }
113 else if (!GetAddress)
114 {
115 //
116 // It's probably address
117 //
118 if (!SymbolConvertNameOrExprToAddress(
119 SplitCommandCaseSensitive.at(IndexInCommandCaseSensitive - 1),
120 &OptionalParam1))
121 {
122 //
123 // Couldn't resolve or unknown parameter
124 //
125 ShowMessages("err, couldn't resolve error at '%s'\n\n",
126 SplitCommandCaseSensitive.at(IndexInCommandCaseSensitive - 1).c_str());
127 CommandEptHookHelp();
128
129 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
130 return;
131 }
132 else
133 {
134 GetAddress = TRUE;
135 }
136 }
137 else
138 {
139 //
140 // Unknown parameter
141 //
142 ShowMessages("unknown parameter '%s'\n\n", Section.c_str());
143 CommandEptHookHelp();
144
145 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
146 return;
147 }
148 }
149 if (OptionalParam1 == 0)
150 {
151 ShowMessages("please choose an address to put the hidden breakpoint on it\n");
152
153 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
154 return;
155 }
156
157 //
158 // Set the optional parameters
159 //
160 Event->Options.OptionalParam1 = OptionalParam1;
161
162 //
163 // Send the ioctl to the kernel for event registration
164 //
165 if (!SendEventToKernel(Event, EventLength))
166 {
167 //
168 // There was an error, probably the handle was not initialized
169 // we have to free the Action before exit, it is because, we
170 // already freed the Event and string buffers
171 //
172
173 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
174 return;
175 }
176
177 //
178 // Add the event to the kernel
179 //
180 if (!RegisterActionToEvent(Event,
181 ActionBreakToDebugger,
182 ActionBreakToDebuggerLength,
183 ActionCustomCode,
184 ActionCustomCodeLength,
185 ActionScript,
186 ActionScriptLength))
187 {
188 //
189 // There was an error
190 //
191
192 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
193 return;
194 }
195}
VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION
@ VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION
Definition DataTypes.h:93
CommandEptHookHelp
VOID CommandEptHookHelp()
help of the !epthook command
Definition epthook.cpp:20
HIDDEN_HOOK_EXEC_CC
@ HIDDEN_HOOK_EXEC_CC
Definition Events.h:112
_DEBUGGER_GENERAL_EVENT_DETAIL::EventStage
VMM_CALLBACK_EVENT_CALLING_STAGE_TYPE EventStage
Definition Events.h:369

◆ CommandEptHook2()

VOID CommandEptHook2 ( vector< string > SplitCommand,
string Command )

!epthook2 command handler

Parameters
SplitCommand
Command
Returns
VOID
49{
50 PDEBUGGER_GENERAL_EVENT_DETAIL Event = NULL;
51 PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger = NULL;
52 PDEBUGGER_GENERAL_ACTION ActionCustomCode = NULL;
53 PDEBUGGER_GENERAL_ACTION ActionScript = NULL;
54 UINT32 EventLength;
55 UINT32 ActionBreakToDebuggerLength = 0;
56 UINT32 ActionCustomCodeLength = 0;
57 UINT32 ActionScriptLength = 0;
58 BOOLEAN GetAddress = FALSE;
59 UINT64 OptionalParam1 = 0; // Set the target address
60 vector<string> SplitCommandCaseSensitive {Split(Command, ' ')};
61 UINT32 IndexInCommandCaseSensitive = 0;
62 DEBUGGER_EVENT_PARSING_ERROR_CAUSE EventParsingErrorCause;
63
64 if (SplitCommand.size() < 2)
65 {
66 ShowMessages("incorrect use of the '!epthook2'\n");
67 CommandEptHook2Help();
68 return;
69 }
70
71 //
72 // Interpret and fill the general event and action fields
73 //
74 if (!InterpretGeneralEventAndActionsFields(
75 &SplitCommand,
76 &SplitCommandCaseSensitive,
77 HIDDEN_HOOK_EXEC_DETOURS,
78 &Event,
79 &EventLength,
80 &ActionBreakToDebugger,
81 &ActionBreakToDebuggerLength,
82 &ActionCustomCode,
83 &ActionCustomCodeLength,
84 &ActionScript,
85 &ActionScriptLength,
86 &EventParsingErrorCause))
87 {
88 return;
89 }
90
91 //
92 // Check here to make sure that the user didn't specified the calling stages for this ept hook
93 //
94 if (Event->EventStage != VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION)
95 {
96 ShowMessages("the utilization of 'post' or 'all' event calling stages is not meaningful "
97 "for the hidden hook; therefore, this command does not support them\n");
98
99 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
100 return;
101 }
102
103 //
104 // Interpret command specific details (if any)
105 //
106 for (auto Section : SplitCommand)
107 {
108 IndexInCommandCaseSensitive++;
109
110 if (!Section.compare("!epthook2"))
111 {
112 continue;
113 }
114 else if (!GetAddress)
115 {
116 //
117 // It's probably address
118 //
119 if (!SymbolConvertNameOrExprToAddress(
120 SplitCommandCaseSensitive.at(IndexInCommandCaseSensitive - 1),
121 &OptionalParam1))
122 {
123 //
124 // Couldn't resolve or unknown parameter
125 //
126 ShowMessages("err, couldn't resolve error at '%s'\n\n",
127 SplitCommandCaseSensitive.at(IndexInCommandCaseSensitive - 1).c_str());
128 CommandEptHook2Help();
129
130 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
131 return;
132 }
133 else
134 {
135 GetAddress = TRUE;
136 }
137 }
138 else
139 {
140 //
141 // Unknown parameter
142 //
143 ShowMessages("unknown parameter '%s'\n\n", Section.c_str());
144 CommandEptHook2Help();
145
146 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
147 return;
148 }
149 }
150 if (OptionalParam1 == 0)
151 {
152 ShowMessages("please choose an address to put the hook on it\n");
153
154 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
155 return;
156 }
157
158 //
159 // Set the optional parameters
160 //
161 Event->Options.OptionalParam1 = OptionalParam1;
162
163 //
164 // Send the ioctl to the kernel for event registration
165 //
166 if (!SendEventToKernel(Event, EventLength))
167 {
168 //
169 // There was an error, probably the handle was not initialized
170 // we have to free the Action before exit, it is because, we
171 // already freed the Event and string buffers
172 //
173
174 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
175 return;
176 }
177
178 //
179 // Add the event to the kernel
180 //
181 if (!RegisterActionToEvent(Event,
182 ActionBreakToDebugger,
183 ActionBreakToDebuggerLength,
184 ActionCustomCode,
185 ActionCustomCodeLength,
186 ActionScript,
187 ActionScriptLength))
188 {
189 //
190 // There was an error
191 //
192
193 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
194 return;
195 }
196}
CommandEptHook2Help
VOID CommandEptHook2Help()
help of the !epthook2 command
Definition epthook2.cpp:20
HIDDEN_HOOK_EXEC_DETOURS
@ HIDDEN_HOOK_EXEC_DETOURS
Definition Events.h:111

◆ CommandEval()

VOID CommandEval ( vector< string > SplitCommand,
string Command )

handler of ? command

Parameters
SplitCommand
Command
Returns
VOID
197{
198 PVOID CodeBuffer;
199 UINT64 BufferAddress;
200 UINT32 BufferLength;
201 UINT32 Pointer;
202
203 if (SplitCommand.size() == 1)
204 {
205 ShowMessages("incorrect use of the '?'\n\n");
206 CommandEvalHelp();
207 return;
208 }
209
210 //
211 // Trim the command
212 //
213 Trim(Command);
214
215 //
216 // Remove the first command from it
217 //
218 Command.erase(0, SplitCommand.at(0).size());
219
220 //
221 // Trim it again
222 //
223 Trim(Command);
224
225 //
226 // Check if it's a test-case check or not
227 //
228 if (!Command.compare("test"))
229 {
230 //
231 // It's a test-case checker
232 //
233 if (!CommandEvalCheckTestcase())
234 {
235 ShowMessages("err, testing script engine test-cases was not successful\n");
236 }
237 else
238 {
239 ShowMessages("testing script engine test-cases was successful\n");
240 }
241
242 return;
243 }
244
245 if (g_IsSerialConnectedToRemoteDebuggee)
246 {
247 //
248 // Send over serial
249 //
250
251 //
252 // Run script engine handler
253 //
254 CodeBuffer = ScriptEngineParseWrapper((char *)Command.c_str(), TRUE);
255
256 if (CodeBuffer == NULL)
257 {
258 //
259 // return to show that this item contains an script
260 //
261 return;
262 }
263
264 //
265 // Print symbols (test)
266 //
267 // PrintSymbolBufferWrapper(CodeBuffer);
268
269 //
270 // Set the buffer and length
271 //
272 BufferAddress = ScriptEngineWrapperGetHead(CodeBuffer);
273 BufferLength = ScriptEngineWrapperGetSize(CodeBuffer);
274 Pointer = ScriptEngineWrapperGetPointer(CodeBuffer);
275
276 //
277 // Send it to the remote debuggee
278 //
279 KdSendScriptPacketToDebuggee(BufferAddress, BufferLength, Pointer, FALSE);
280
281 //
282 // Remove the buffer of script engine interpreted code
283 //
284 ScriptEngineWrapperRemoveSymbolBuffer(CodeBuffer);
285 }
286 else
287 {
288 //
289 // It's a test
290 //
291 ShowMessages("this command should not be used while you're in VMI-Mode or not in debugger-mode, "
292 "the results that you see is a simulated result for TESTING script-engine "
293 "and is not based on the status of your system. You can use this command, "
294 "ONLY in debugger-mode\n\n");
295
296 ShowMessages("test expression : %s \n", Command.c_str());
297 ScriptEngineWrapperTestParser(Command);
298 }
299}
BufferAddress
UINT64 BOOLEAN PVOID BufferAddress
Definition HyperDbgScriptImports.h:67
CommandEvalHelp
VOID CommandEvalHelp()
help of the ? command
Definition eval.cpp:27
g_IsSerialConnectedToRemoteDebuggee
BOOLEAN g_IsSerialConnectedToRemoteDebuggee
Shows if the debugger was connected to remote debuggee over (A remote guest)
Definition globals.h:231
CommandEvalCheckTestcase
BOOLEAN CommandEvalCheckTestcase()
Check test-cases for script-engine.
Definition eval.cpp:44
KdSendScriptPacketToDebuggee
BOOLEAN KdSendScriptPacketToDebuggee(UINT64 BufferAddress, UINT32 BufferLength, UINT32 Pointer, BOOLEAN IsFormat)
Sends a script packet to the debuggee.
Definition kd.cpp:1056
ScriptEngineWrapperGetSize
UINT32 ScriptEngineWrapperGetSize(PVOID SymbolBuffer)
wrapper for getting size
Definition script-engine-wrapper.cpp:834
ScriptEngineWrapperTestParser
VOID ScriptEngineWrapperTestParser(const string &Expr)
test parser
Definition script-engine-wrapper.cpp:719
ScriptEngineWrapperGetPointer
UINT32 ScriptEngineWrapperGetPointer(PVOID SymbolBuffer)
wrapper for getting pointer
Definition script-engine-wrapper.cpp:848
ScriptEngineParseWrapper
PVOID ScriptEngineParseWrapper(char *Expr, BOOLEAN ShowErrorMessageIfAny)
ScriptEngineParse wrapper.
Definition script-engine-wrapper.cpp:267
ScriptEngineWrapperGetHead
UINT64 ScriptEngineWrapperGetHead(PVOID SymbolBuffer)
wrapper for getting head
Definition script-engine-wrapper.cpp:822
ScriptEngineWrapperRemoveSymbolBuffer
VOID ScriptEngineWrapperRemoveSymbolBuffer(PVOID SymbolBuffer)
wrapper for removing symbol buffer
Definition script-engine-wrapper.cpp:860

◆ CommandEvents()

VOID CommandEvents ( vector< string > SplitCommand,
string Command )

events command handler

Parameters
SplitCommand
Command
Returns
VOID
66{
67 DEBUGGER_MODIFY_EVENTS_TYPE RequestedAction;
68 UINT64 RequestedTag;
69
70 //
71 // Validate the parameters (size)
72 //
73 if (SplitCommand.size() != 1 && SplitCommand.size() != 3)
74 {
75 ShowMessages("incorrect use of the '%s'\n\n", SplitCommand.at(0).c_str());
76 CommandEventsHelp();
77 return;
78 }
79
80 if (SplitCommand.size() == 1)
81 {
82 if (!g_EventTraceInitialized)
83 {
84 ShowMessages("no active/disabled events \n");
85 return;
86 }
87
88 CommandEventsShowEvents();
89
90 //
91 // No need to continue any further
92 //
93 return;
94 }
95
96 //
97 // Validate second argument as it's not just a simple
98 // events without any parameter
99 //
100 if (!SplitCommand.at(1).compare("e"))
101 {
102 RequestedAction = DEBUGGER_MODIFY_EVENTS_ENABLE;
103 }
104 else if (!SplitCommand.at(1).compare("d"))
105 {
106 RequestedAction = DEBUGGER_MODIFY_EVENTS_DISABLE;
107 }
108 else if (!SplitCommand.at(1).compare("c"))
109 {
110 RequestedAction = DEBUGGER_MODIFY_EVENTS_CLEAR;
111 }
112 else if (!SplitCommand.at(1).compare("sc"))
113 {
114 if (!SplitCommand.at(2).compare("on"))
115 {
116 KdSendShortCircuitingEventToDebuggee(TRUE);
117 }
118 else if (!SplitCommand.at(2).compare("off"))
119 {
120 KdSendShortCircuitingEventToDebuggee(FALSE);
121 }
122 else
123 {
124 ShowMessages(
125 "please specify a correct 'on' or 'off' state for the short-circuiting state\n\n");
126 CommandEventsHelp();
127 return;
128 }
129
130 //
131 // No need to further continue
132 //
133 return;
134 }
135 else
136 {
137 //
138 // unknown second command
139 //
140 ShowMessages("incorrect use of the '%s'\n\n", SplitCommand.at(0).c_str());
141 CommandEventsHelp();
142 return;
143 }
144
145 //
146 // Validate third argument as it's not just a simple
147 // events without any parameter
148 //
149 if (!SplitCommand.at(2).compare("all"))
150 {
151 RequestedTag = DEBUGGER_MODIFY_EVENTS_APPLY_TO_ALL_TAG;
152 }
153 else if (!ConvertStringToUInt64(SplitCommand.at(2), &RequestedTag))
154 {
155 ShowMessages(
156 "please specify a correct hex value for tag id (event number)\n\n");
157 CommandEventsHelp();
158 return;
159 }
160
161 //
162 // Send the request to the kernel, we add it to a constant
163 // that's because we want start tags from that constant
164 //
165 if (RequestedTag != DEBUGGER_MODIFY_EVENTS_APPLY_TO_ALL_TAG)
166 {
167 RequestedTag = RequestedTag + DebuggerEventTagStartSeed;
168 }
169
170 //
171 // Perform event related tasks
172 //
173 CommandEventsModifyAndQueryEvents(RequestedTag, RequestedAction);
174}
DEBUGGER_MODIFY_EVENTS_APPLY_TO_ALL_TAG
#define DEBUGGER_MODIFY_EVENTS_APPLY_TO_ALL_TAG
Apply event modifications to all tags.
Definition Constants.h:586
DebuggerEventTagStartSeed
#define DebuggerEventTagStartSeed
The seeds that user-mode codes use as the starter of their events' tag.
Definition Constants.h:222
CommandEventsShowEvents
VOID CommandEventsShowEvents()
print every active and disabled events
Definition events.cpp:227
CommandEventsHelp
VOID CommandEventsHelp()
help of the events command
Definition events.cpp:32
g_EventTraceInitialized
BOOLEAN g_EventTraceInitialized
it shows whether the debugger started using events or not or in other words, is g_EventTrace initiali...
Definition globals.h:390
CommandEventsModifyAndQueryEvents
BOOLEAN CommandEventsModifyAndQueryEvents(UINT64 Tag, DEBUGGER_MODIFY_EVENTS_TYPE TypeOfAction)
modify a special event (enable/disable/clear) and send the request directly to the kernel
Definition events.cpp:654
DEBUGGER_MODIFY_EVENTS_ENABLE
@ DEBUGGER_MODIFY_EVENTS_ENABLE
Definition Events.h:232
DEBUGGER_MODIFY_EVENTS_DISABLE
@ DEBUGGER_MODIFY_EVENTS_DISABLE
Definition Events.h:233
DEBUGGER_MODIFY_EVENTS_CLEAR
@ DEBUGGER_MODIFY_EVENTS_CLEAR
Definition Events.h:234
DEBUGGER_MODIFY_EVENTS_TYPE
enum _DEBUGGER_MODIFY_EVENTS_TYPE DEBUGGER_MODIFY_EVENTS_TYPE
different types of modifying events request (enable/disable/clear)
KdSendShortCircuitingEventToDebuggee
BOOLEAN KdSendShortCircuitingEventToDebuggee(BOOLEAN IsEnabled)
Sends a short-circuiting event request to debuggee.
Definition kd.cpp:226

◆ CommandException()

VOID CommandException ( vector< string > SplitCommand,
string Command )

!exception command handler

Parameters
SplitCommand
Command
Returns
VOID
51{
52 PDEBUGGER_GENERAL_EVENT_DETAIL Event = NULL;
53 PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger = NULL;
54 PDEBUGGER_GENERAL_ACTION ActionCustomCode = NULL;
55 PDEBUGGER_GENERAL_ACTION ActionScript = NULL;
56 UINT32 EventLength;
57 UINT32 ActionBreakToDebuggerLength = 0;
58 UINT32 ActionCustomCodeLength = 0;
59 UINT32 ActionScriptLength = 0;
60 UINT64 SpecialTarget = DEBUGGER_EVENT_EXCEPTIONS_ALL_FIRST_32_ENTRIES;
61 BOOLEAN GetEntry = FALSE;
62 vector<string> SplitCommandCaseSensitive {Split(Command, ' ')};
63 DEBUGGER_EVENT_PARSING_ERROR_CAUSE EventParsingErrorCause;
64
65 //
66 // Interpret and fill the general event and action fields
67 //
68 //
69 if (!InterpretGeneralEventAndActionsFields(
70 &SplitCommand,
71 &SplitCommandCaseSensitive,
72 EXCEPTION_OCCURRED,
73 &Event,
74 &EventLength,
75 &ActionBreakToDebugger,
76 &ActionBreakToDebuggerLength,
77 &ActionCustomCode,
78 &ActionCustomCodeLength,
79 &ActionScript,
80 &ActionScriptLength,
81 &EventParsingErrorCause))
82 {
83 return;
84 }
85
86 //
87 // Interpret command specific details (if any)
88 //
89 for (auto Section : SplitCommand)
90 {
91 if (!Section.compare("!exception"))
92 {
93 continue;
94 }
95 else if (!GetEntry)
96 {
97 //
98 // It's probably an index
99 //
100 if (!ConvertStringToUInt64(Section, &SpecialTarget))
101 {
102 //
103 // Unknown parameter
104 //
105 ShowMessages("unknown parameter '%s'\n\n", Section.c_str());
106 CommandExceptionHelp();
107
108 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
109 return;
110 }
111 else
112 {
113 //
114 // Check if entry is valid or not (start from zero)
115 //
116 if (SpecialTarget >= 31)
117 {
118 //
119 // Entry is invalid (this command is designed for just first 32
120 // entries)
121 //
122 ShowMessages("the entry should be between 0x0 to 0x1f or first 32 "
123 "entries'\n\n");
124 CommandExceptionHelp();
125
126 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
127 return;
128 }
129 GetEntry = TRUE;
130 }
131 }
132 else
133 {
134 //
135 // Unknown parameter
136 //
137 ShowMessages("unknown parameter '%s'\n\n", Section.c_str());
138 CommandExceptionHelp();
139
140 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
141 return;
142 }
143 }
144
145 //
146 // Set the target exception (if not specific then it means all exceptions)
147 //
148 Event->Options.OptionalParam1 = SpecialTarget;
149
150 //
151 // Send the ioctl to the kernel for event registration
152 //
153 if (!SendEventToKernel(Event, EventLength))
154 {
155 //
156 // There was an error, probably the handle was not initialized
157 // we have to free the Action before exit, it is because, we
158 // already freed the Event and string buffers
159 //
160
161 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
162 return;
163 }
164
165 //
166 // Add the event to the kernel
167 //
168 if (!RegisterActionToEvent(Event,
169 ActionBreakToDebugger,
170 ActionBreakToDebuggerLength,
171 ActionCustomCode,
172 ActionCustomCodeLength,
173 ActionScript,
174 ActionScriptLength))
175 {
176 //
177 // There was an error
178 //
179
180 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
181 return;
182 }
183}
DEBUGGER_EVENT_EXCEPTIONS_ALL_FIRST_32_ENTRIES
#define DEBUGGER_EVENT_EXCEPTIONS_ALL_FIRST_32_ENTRIES
Apply to all first 32 exceptions.
Definition Constants.h:629
CommandExceptionHelp
VOID CommandExceptionHelp()
help of the !exception command
Definition exception.cpp:20
EXCEPTION_OCCURRED
@ EXCEPTION_OCCURRED
Definition Events.h:140

◆ CommandExit()

VOID CommandExit ( vector< string > SplitCommand,
string Command )

exit command handler

Parameters
SplitCommand
Command
Returns
VOID
44{
45 if (SplitCommand.size() != 1)
46 {
47 ShowMessages("incorrect use of the 'exit'\n\n");
48 CommandExitHelp();
49 return;
50 }
51
52 if (g_IsConnectedToHyperDbgLocally)
53 {
54 //
55 // It is in VMI mode
56 //
57
58 //
59 // unload and exit if the vmm module is loaded
60 //
61 if (g_DeviceHandle)
62 {
63 HyperDbgUnloadVmm();
64 }
65 }
66 else if (g_IsSerialConnectedToRemoteDebuggee)
67 {
68 //
69 // It is in debugger mode
70 //
71
72 KdCloseConnection();
73 }
74
75 exit(0);
76}
g_DeviceHandle
HANDLE g_DeviceHandle
Holds the global handle of device which is used to send the request to the kernel by IOCTL,...
Definition globals.h:471
CommandExitHelp
VOID CommandExitHelp()
help of the exit command
Definition exit.cpp:27
g_IsSerialConnectedToRemoteDebuggee
BOOLEAN g_IsSerialConnectedToRemoteDebuggee
Shows if the debugger was connected to remote debuggee over (A remote guest)
Definition globals.h:231
g_IsConnectedToHyperDbgLocally
BOOLEAN g_IsConnectedToHyperDbgLocally
Shows whether the user is allowed to use 'load' command to load modules locally in VMI (virtual machi...
Definition globals.h:67
HyperDbgUnloadVmm
INT HyperDbgUnloadVmm()
Unload VMM driver.
Definition libhyperdbg.cpp:693

◆ CommandFlush()

VOID CommandFlush ( vector< string > SplitCommand,
string Command )

flush command handler

Parameters
SplitCommand
Command
Returns
VOID
110{
111 if (SplitCommand.size() != 1)
112 {
113 ShowMessages("incorrect use of the 'flush'\n\n");
114 CommandFlushHelp();
115 return;
116 }
117
118 //
119 // Flush the buffer
120 //
121 CommandFlushRequestFlush();
122}
CommandFlushHelp
VOID CommandFlushHelp()
help of the flush command
Definition flush.cpp:25
CommandFlushRequestFlush
VOID CommandFlushRequestFlush()
flush command handler
Definition flush.cpp:39

◆ CommandFormats()

VOID CommandFormats ( vector< string > SplitCommand,
string Command )

handler of .formats command

Parameters
SplitCommand
Command
Returns
VOID
106{
107 UINT64 ConstantValue = 0;
108 BOOLEAN HasError = TRUE;
109
110 if (SplitCommand.size() == 1)
111 {
112 ShowMessages("incorrect use of the '.formats'\n\n");
113 CommandFormatsHelp();
114 return;
115 }
116
117 //
118 // Trim the command
119 //
120 Trim(Command);
121
122 //
123 // Remove .formats from it
124 //
125 Command.erase(0, SplitCommand.at(0).size());
126
127 //
128 // Trim it again
129 //
130 Trim(Command);
131
132 //
133 // Evaluate a single expression
134 //
135 ConstantValue = ScriptEngineEvalSingleExpression(Command, &HasError);
136
137 if (HasError)
138 {
139 ShowMessages("err, couldn't resolve error at '%s'\n", Command.c_str());
140 }
141 else
142 {
143 //
144 // Show formats results for a constant
145 //
146 CommandFormatsShowResults(ConstantValue);
147 }
148}
CommandFormatsHelp
VOID CommandFormatsHelp()
help of the help command :)
Definition formats.cpp:20
CommandFormatsShowResults
VOID CommandFormatsShowResults(UINT64 U64Value)
show results of .formats command
Definition formats.cpp:43
ScriptEngineEvalSingleExpression
UINT64 ScriptEngineEvalSingleExpression(string Expr, PBOOLEAN HasError)
Get the value from the evaluation of single expression from local debuggee and remote debuggee.
Definition script-engine.cpp:30

◆ CommandG()

VOID CommandG ( vector< string > SplitCommand,
string Command )

handler of g command

Parameters
SplitCommand
Command
Returns
VOID
94{
95 if (SplitCommand.size() != 1)
96 {
97 ShowMessages("incorrect use of the 'g'\n\n");
98 CommandGHelp();
99 return;
100 }
101
102 CommandGRequest();
103}
CommandGRequest
VOID CommandGRequest()
Request to unpause.
Definition g.cpp:41
CommandGHelp
VOID CommandGHelp()
help of the g command
Definition g.cpp:28

◆ CommandGu()

VOID CommandGu ( vector< string > SplitCommand,
string Command )

handler of gu command

Parameters
SplitCommand
Command
Returns
VOID
52{
53 UINT32 StepCount;
54 DEBUGGER_REMOTE_STEPPING_REQUEST RequestFormat;
55 BOOLEAN BreakOnNextInstruction = FALSE;
56
57 //
58 // Validate the commands
59 //
60 if (SplitCommand.size() != 1 && SplitCommand.size() != 2)
61 {
62 ShowMessages("incorrect use of the 'gu'\n\n");
63 CommandGuHelp();
64 return;
65 }
66
67 //
68 // Set type of request
69 //
70 RequestFormat = DEBUGGER_REMOTE_STEPPING_REQUEST_STEP_OVER_FOR_GU;
71
72 //
73 // Check if the command has a counter parameter
74 //
75 if (SplitCommand.size() == 2)
76 {
77 if (!ConvertStringToUInt32(SplitCommand.at(1), &StepCount))
78 {
79 ShowMessages("please specify a correct hex value for [count]\n\n");
80 CommandGuHelp();
81 return;
82 }
83 }
84 else
85 {
86 StepCount = DEBUGGER_REMOTE_TRACKING_DEFAULT_COUNT_OF_STEPPING;
87 }
88
89 //
90 // Check if the remote serial debuggee or user debugger are paused or not
91 //
92 if (g_IsSerialConnectedToRemoteDebuggee || g_ActiveProcessDebuggingState.IsActive)
93 {
94 //
95 // Check if the thread is paused or not
96 //
97 if (g_ActiveProcessDebuggingState.IsActive && !g_ActiveProcessDebuggingState.IsPaused)
98 {
99 ShowMessages("the target process is running, use the "
100 "'pause' command or press CTRL+C to pause the process\n");
101 return;
102 }
103
104 //
105 // Indicate that we're instrumenting
106 //
107 g_IsInstrumentingInstructions = TRUE;
108
109 for (size_t i = 0; i < StepCount; i++)
110 {
111 //
112 // For logging purpose
113 //
114 // ShowMessages("percentage : %f %% (%x)\n", 100.0 * (i /
115 // (float)StepCount), i);
116 //
117
118 //
119 // Check if the current instruction is 'ret' or not
120 //
121 if (HyperDbgCheckWhetherTheCurrentInstructionIsRet(
122 g_CurrentRunningInstruction,
123 MAXIMUM_INSTR_SIZE,
124 g_IsRunningInstruction32Bit ? FALSE : TRUE // equals to !g_IsRunningInstruction32Bit
125 ))
126 {
127 BreakOnNextInstruction = TRUE;
128
129 //
130 // It's the last instruction, so we gonna show the instruction
131 //
132 RequestFormat = DEBUGGER_REMOTE_STEPPING_REQUEST_STEP_OVER_FOR_GU_LAST_INSTRUCTION;
133 }
134
135 if (g_IsSerialConnectedToRemoteDebuggee)
136 {
137 //
138 // It's stepping over serial connection in kernel debugger
139 //
140 KdSendStepPacketToDebuggee(RequestFormat);
141 }
142 else
143 {
144 //
145 // It's stepping over user debugger
146 //
147 UdSendStepPacketToDebuggee(g_ActiveProcessDebuggingState.ProcessDebuggingToken,
148 g_ActiveProcessDebuggingState.ThreadId,
149 RequestFormat);
150 }
151
152 //
153 // Check if user pressed CTRL+C
154 //
155 if (!g_IsInstrumentingInstructions)
156 {
157 break;
158 }
159
160 //
161 // Check if we see 'ret' in the previous instruction or not
162 //
163 if (BreakOnNextInstruction)
164 {
165 break;
166 }
167 }
168
169 //
170 // We're not instrumenting instructions anymore
171 //
172 g_IsInstrumentingInstructions = FALSE;
173 }
174 else
175 {
176 ShowMessages("err, going up (gu) is not valid in the current context, you "
177 "should connect to a debuggee\n");
178 }
179}
MAXIMUM_INSTR_SIZE
#define MAXIMUM_INSTR_SIZE
maximum instruction size in Intel
Definition Constants.h:468
DEBUGGER_REMOTE_STEPPING_REQUEST_STEP_OVER_FOR_GU
@ DEBUGGER_REMOTE_STEPPING_REQUEST_STEP_OVER_FOR_GU
Definition RequestStructures.h:997
DEBUGGER_REMOTE_STEPPING_REQUEST_STEP_OVER_FOR_GU_LAST_INSTRUCTION
@ DEBUGGER_REMOTE_STEPPING_REQUEST_STEP_OVER_FOR_GU_LAST_INSTRUCTION
Definition RequestStructures.h:998
DEBUGGER_REMOTE_STEPPING_REQUEST
enum _DEBUGGER_REMOTE_STEPPING_REQUEST DEBUGGER_REMOTE_STEPPING_REQUEST
stepping and tracking types
DEBUGGER_REMOTE_TRACKING_DEFAULT_COUNT_OF_STEPPING
#define DEBUGGER_REMOTE_TRACKING_DEFAULT_COUNT_OF_STEPPING
default number of instructions used in tracking and stepping
Definition RequestStructures.h:1023
HyperDbgCheckWhetherTheCurrentInstructionIsRet
BOOLEAN HyperDbgCheckWhetherTheCurrentInstructionIsRet(unsigned char *BufferToDisassemble, UINT64 BuffLength, BOOLEAN Isx86_64)
Check whether the current instruction is a 'ret' or not.
Definition disassembler.cpp:1096
g_IsRunningInstruction32Bit
BOOLEAN g_IsRunningInstruction32Bit
whether the Current executing instructions is 32-bit or 64 bit
Definition globals.h:210
g_IsInstrumentingInstructions
BOOLEAN g_IsInstrumentingInstructions
Shows whether the user is running 't', 'p', or 'i' command.
Definition globals.h:561
g_IsSerialConnectedToRemoteDebuggee
BOOLEAN g_IsSerialConnectedToRemoteDebuggee
Shows if the debugger was connected to remote debuggee over (A remote guest)
Definition globals.h:231
g_ActiveProcessDebuggingState
ACTIVE_DEBUGGING_PROCESS g_ActiveProcessDebuggingState
State of active debugging thread.
Definition globals.h:362
CommandGuHelp
VOID CommandGuHelp()
help of the gu command
Definition gu.cpp:29
g_CurrentRunningInstruction
BYTE g_CurrentRunningInstruction[MAXIMUM_INSTR_SIZE]
Current executing instructions.
Definition globals.h:204
KdSendStepPacketToDebuggee
BOOLEAN KdSendStepPacketToDebuggee(DEBUGGER_REMOTE_STEPPING_REQUEST StepRequestType)
Sends p (step out) and t (step in) packet to the debuggee.
Definition kd.cpp:1206
_ACTIVE_DEBUGGING_PROCESS::ThreadId
UINT32 ThreadId
Definition ud.h:52
_ACTIVE_DEBUGGING_PROCESS::ProcessDebuggingToken
UINT64 ProcessDebuggingToken
Definition ud.h:50
_ACTIVE_DEBUGGING_PROCESS::IsPaused
BOOLEAN IsPaused
Definition ud.h:53
UdSendStepPacketToDebuggee
VOID UdSendStepPacketToDebuggee(UINT64 ProcessDetailToken, UINT32 TargetThreadId, DEBUGGER_REMOTE_STEPPING_REQUEST StepType)
Send stepping instructions packet to user debugger.
Definition ud.cpp:1000

◆ CommandHide()

VOID CommandHide ( vector< string > SplitCommand,
string Command )

!hide command handler

Parameters
SplitCommand
Command
Returns
VOID
61{
62 BOOLEAN Status;
63 ULONG ReturnedLength;
64 UINT64 TargetPid;
65 BOOLEAN TrueIfProcessIdAndFalseIfProcessName;
66 DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE HideRequest = {0};
67 PDEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE FinalRequestBuffer = 0;
68 size_t RequestBufferSize = 0;
69
70 if (SplitCommand.size() <= 2 && SplitCommand.size() != 1)
71 {
72 ShowMessages("incorrect use of the '!hide'\n\n");
73 CommandHideHelp();
74 return;
75 }
76
77 //
78 // Find out whether the user enters pid or name
79 //
80 if (SplitCommand.size() == 1)
81 {
82 if (g_ActiveProcessDebuggingState.IsActive)
83 {
84 TrueIfProcessIdAndFalseIfProcessName = TRUE;
85 TargetPid = g_ActiveProcessDebuggingState.ProcessId;
86 }
87 else
88 {
89 //
90 // There is no user-debugging process
91 //
92 ShowMessages("you're not attached to any user-mode process, "
93 "please explicitly specify the process id or process name\n");
94 return;
95 }
96 }
97 else if (!SplitCommand.at(1).compare("pid"))
98 {
99 TrueIfProcessIdAndFalseIfProcessName = TRUE;
100
101 //
102 // Check for the user to not add extra arguments
103 //
104 if (SplitCommand.size() != 3)
105 {
106 ShowMessages("incorrect use of the '!hide'\n\n");
107 CommandHideHelp();
108 return;
109 }
110
111 //
112 // It's just a pid for the process
113 //
114 if (!ConvertStringToUInt64(SplitCommand.at(2), &TargetPid))
115 {
116 ShowMessages("incorrect process id\n\n");
117 return;
118 }
119 }
120 else if (!SplitCommand.at(1).compare("name"))
121 {
122 TrueIfProcessIdAndFalseIfProcessName = FALSE;
123
124 //
125 // Trim the command
126 //
127 Trim(Command);
128
129 //
130 // Remove !hide from it
131 //
132 Command.erase(0, SplitCommand.at(0).size());
133
134 //
135 // remove name + space
136 //
137 Command.erase(0, 4 + 1);
138
139 //
140 // Trim it again
141 //
142 Trim(Command);
143 }
144 else
145 {
146 //
147 // Invalid argument for the second parameter to the command
148 //
149 ShowMessages("incorrect use of the '!hide'\n\n");
150 CommandHideHelp();
151 return;
152 }
153
154 //
155 // Check if the user used !measure or not
156 //
157 if (!g_TransparentResultsMeasured || !g_CpuidAverage ||
158 !g_CpuidStandardDeviation || !g_CpuidMedian)
159 {
160 ShowMessages("the average, median and standard deviation is not measured. "
161 "Did you use '!measure' command?\n");
162 return;
163 }
164
165 //
166 // Check if debugger is loaded or not
167 //
168 AssertShowMessageReturnStmt(g_DeviceHandle, ASSERT_MESSAGE_DRIVER_NOT_LOADED, AssertReturn);
169
170 //
171 // We wanna hide the debugger and make transparent vm-exits
172 //
173 HideRequest.IsHide = TRUE;
174
175 //
176 // Set the measured times cpuid
177 //
178 HideRequest.CpuidAverage = g_CpuidAverage;
179 HideRequest.CpuidMedian = g_CpuidMedian;
180 HideRequest.CpuidStandardDeviation = g_CpuidStandardDeviation;
181
182 //
183 // Set the measured times rdtsc/p
184 //
185 HideRequest.RdtscAverage = g_RdtscAverage;
186 HideRequest.RdtscMedian = g_RdtscMedian;
187 HideRequest.RdtscStandardDeviation = g_RdtscStandardDeviation;
188
189 HideRequest.TrueIfProcessIdAndFalseIfProcessName =
190 TrueIfProcessIdAndFalseIfProcessName;
191
192 if (TrueIfProcessIdAndFalseIfProcessName)
193 {
194 //
195 // It's a process id
196 //
197 HideRequest.ProcId = (UINT32)TargetPid;
198
199 RequestBufferSize = sizeof(DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE);
200 }
201 else
202 {
203 //
204 // It's a process name
205 //
206 HideRequest.LengthOfProcessName = (UINT32)Command.size() + 1;
207 RequestBufferSize = sizeof(DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE) + Command.size() + 1;
208 }
209
210 //
211 // Allocate the requested buffer
212 //
213 FinalRequestBuffer =
214 (PDEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE)malloc(RequestBufferSize);
215
216 if (FinalRequestBuffer == NULL)
217 {
218 ShowMessages("insufficient space\n");
219 return;
220 }
221
222 //
223 // Zero the memory
224 //
225 RtlZeroMemory(FinalRequestBuffer, RequestBufferSize);
226
227 //
228 // Copy the buffer on the top of the final buffer
229 // to send the kernel
230 //
231 memcpy(FinalRequestBuffer, &HideRequest, sizeof(DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE));
232
233 //
234 // If it's a name then we should add it to the end of the buffer
235 //
236 memcpy(((UINT64 *)((UINT64)FinalRequestBuffer +
237 sizeof(DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE))),
238 Command.c_str(),
239 Command.size());
240
241 //
242 // Send the request to the kernel
243 //
244
245 Status = DeviceIoControl(
246 g_DeviceHandle, // Handle to device
247 IOCTL_DEBUGGER_HIDE_AND_UNHIDE_TO_TRANSPARENT_THE_DEBUGGER, // IO Control
248 // code
249 FinalRequestBuffer, // Input Buffer to driver.
250 (DWORD)RequestBufferSize, // Input buffer length
251 FinalRequestBuffer, // Output Buffer from driver.
252 SIZEOF_DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE, // Length of output
253 // buffer in bytes.
254 &ReturnedLength, // Bytes placed in buffer.
255 NULL // synchronous call
256 );
257
258 if (!Status)
259 {
260 ShowMessages("ioctl failed with code 0x%x\n", GetLastError());
261 free(FinalRequestBuffer);
262 return;
263 }
264
265 if (FinalRequestBuffer->KernelStatus == DEBUGGER_OPERATION_WAS_SUCCESSFUL)
266 {
267 ShowMessages("transparent debugging successfully enabled :)\n");
268 }
269 else if (FinalRequestBuffer->KernelStatus ==
270 DEBUGGER_ERROR_UNABLE_TO_HIDE_OR_UNHIDE_DEBUGGER)
271 {
272 ShowMessages("unable to hide the debugger (transparent-debugging) :(\n");
273 free(FinalRequestBuffer);
274 return;
275 }
276 else
277 {
278 ShowMessages("unknown error occurred :(\n");
279 free(FinalRequestBuffer);
280 return;
281 }
282
283 //
284 // free the buffer
285 //
286 free(FinalRequestBuffer);
287}
ULONG
unsigned long ULONG
Definition BasicTypes.h:37
DEBUGGER_ERROR_UNABLE_TO_HIDE_OR_UNHIDE_DEBUGGER
#define DEBUGGER_ERROR_UNABLE_TO_HIDE_OR_UNHIDE_DEBUGGER
error, unable to hide the debugger and enter to transparent-mode
Definition ErrorCodes.h:87
DEBUGGER_OPERATION_WAS_SUCCESSFUL
#define DEBUGGER_OPERATION_WAS_SUCCESSFUL
General value to indicate that the operation or request was successful.
Definition ErrorCodes.h:23
IOCTL_DEBUGGER_HIDE_AND_UNHIDE_TO_TRANSPARENT_THE_DEBUGGER
#define IOCTL_DEBUGGER_HIDE_AND_UNHIDE_TO_TRANSPARENT_THE_DEBUGGER
ioctl, request to enable or disable transparent-mode
Definition Ioctls.h:120
PDEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE
struct _DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE * PDEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE
SIZEOF_DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE
#define SIZEOF_DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE
Definition RequestStructures.h:541
DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE
struct _DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE
request for enable or disable transparent-mode
g_CpuidStandardDeviation
UINT64 g_CpuidStandardDeviation
The standard deviation calculated from the measurements of cpuid '!measure' command.
Definition globals.h:532
g_RdtscAverage
UINT64 g_RdtscAverage
The average calculated from the measurements of rdtsc/p '!measure' command.
Definition globals.h:544
g_ActiveProcessDebuggingState
ACTIVE_DEBUGGING_PROCESS g_ActiveProcessDebuggingState
State of active debugging thread.
Definition globals.h:362
g_RdtscMedian
UINT64 g_RdtscMedian
The median calculated from the measurements of rdtsc/p '!measure' command.
Definition globals.h:556
g_TransparentResultsMeasured
BOOLEAN g_TransparentResultsMeasured
Shows whether the user executed and mesaured '!measure' command or not, it is because we want to use ...
Definition globals.h:520
CommandHideHelp
VOID CommandHideHelp()
help of the !hide command
Definition hide.cpp:34
g_CpuidMedian
UINT64 g_CpuidMedian
The median calculated from the measurements of cpuid '!measure' command.
Definition globals.h:538
g_RdtscStandardDeviation
UINT64 g_RdtscStandardDeviation
The standard deviation calculated from the measurements of rdtsc/p '!measure' command.
Definition globals.h:550
g_CpuidAverage
UINT64 g_CpuidAverage
The average calculated from the measurements of cpuid '!measure' command.
Definition globals.h:526
AssertShowMessageReturnStmt
#define AssertShowMessageReturnStmt(expr, message, rc)
Definition common.h:51
AssertReturn
#define AssertReturn
Definition common.h:19
ASSERT_MESSAGE_DRIVER_NOT_LOADED
#define ASSERT_MESSAGE_DRIVER_NOT_LOADED
Definition common.h:25
_DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE
request for enable or disable transparent-mode
Definition RequestStructures.h:549
_DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE::CpuidStandardDeviation
UINT64 CpuidStandardDeviation
Definition RequestStructures.h:553
_DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE::RdtscStandardDeviation
UINT64 RdtscStandardDeviation
Definition RequestStructures.h:557
_DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE::CpuidAverage
UINT64 CpuidAverage
Definition RequestStructures.h:552
_DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE::KernelStatus
UINT64 KernelStatus
Definition RequestStructures.h:565
_DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE::RdtscAverage
UINT64 RdtscAverage
Definition RequestStructures.h:556
_DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE::IsHide
BOOLEAN IsHide
Definition RequestStructures.h:550
_DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE::CpuidMedian
UINT64 CpuidMedian
Definition RequestStructures.h:554
_DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE::RdtscMedian
UINT64 RdtscMedian
Definition RequestStructures.h:558
_DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE::LengthOfProcessName
UINT32 LengthOfProcessName
Definition RequestStructures.h:562
_DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE::TrueIfProcessIdAndFalseIfProcessName
BOOLEAN TrueIfProcessIdAndFalseIfProcessName
Definition RequestStructures.h:560
_DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE::ProcId
UINT32 ProcId
Definition RequestStructures.h:561

◆ CommandHwClk()

VOID CommandHwClk ( vector< string > SplitCommand,
string Command )

!hw_clk command handler

Parameters
SplitCommand
Command
Returns
VOID
47{
48 PDEBUGGER_GENERAL_EVENT_DETAIL Event = NULL;
49 PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger = NULL;
50 PDEBUGGER_GENERAL_ACTION ActionCustomCode = NULL;
51 PDEBUGGER_GENERAL_ACTION ActionScript = NULL;
52 UINT32 EventLength;
53 UINT64 SpecialTarget = 0;
54 UINT32 ActionBreakToDebuggerLength = 0;
55 UINT32 ActionCustomCodeLength = 0;
56 UINT32 ActionScriptLength = 0;
57 UINT32 NumberOfStagesForScript = 0;
58 UINT32 NumberOfOperandsForScript = 0;
59 size_t NewCompressedBufferSize = 0;
60 size_t NumberOfNeededFlipFlopsInTargetDevice = 0;
61 size_t NumberOfBytesPerChunk = 0;
62 vector<string> SplitCommandCaseSensitive {Split(Command, ' ')};
63 DEBUGGER_EVENT_PARSING_ERROR_CAUSE EventParsingErrorCause;
64 HWDBG_SHORT_SYMBOL * NewScriptBuffer = NULL;
65
66 if (SplitCommand.size() >= 2 && !SplitCommand.at(1).compare("test"))
67 {
68 TCHAR TestFilePath[MAX_PATH] = {0};
69 const SIZE_T BufferSize = 256; // Adjust based on the number of memory entries of the file
70 UINT32 PortNum = 0;
71 UINT32 MemoryBuffer[BufferSize];
72
73 if (SetupPathForFileName(HWDBG_TEST_READ_INSTANCE_INFO_PATH, TestFilePath, sizeof(TestFilePath), TRUE) &&
74 HwdbgInterpreterFillMemoryFromFile(TestFilePath, MemoryBuffer, BufferSize))
75 {
76 //
77 // Print the content of MemoryBuffer for verification
78 //
79 for (SIZE_T I = 0; I < BufferSize; ++I)
80 {
81 ShowMessages("%08x ", MemoryBuffer[I]);
82 ShowMessages("\n");
83 }
84 }
85
86 //
87 // Interpret packet
88 //
89 if (HwdbgInterpretPacket(MemoryBuffer, BufferSize))
90 {
91 ShowMessages("instance info interpreted successfully\n");
92
93 ShowMessages("Debuggee Version: 0x%x\n", g_HwdbgInstanceInfo.version);
94 ShowMessages("Debuggee Maximum Number Of Stages: 0x%x\n", g_HwdbgInstanceInfo.maximumNumberOfStages);
95 ShowMessages("Debuggee Script Variable Length: 0x%x\n", g_HwdbgInstanceInfo.scriptVariableLength);
96 ShowMessages("Debuggee Number of Supported Local (and global) Variables: 0x%x\n", g_HwdbgInstanceInfo.numberOfSupportedLocalAndGlobalVariables);
97 ShowMessages("Debuggee Number of Supported Temporary Variables: 0x%x\n", g_HwdbgInstanceInfo.numberOfSupportedTemporaryVariables);
98 ShowMessages("Debuggee Maximum Number Of Supported GET Script Operators: 0x%x\n", g_HwdbgInstanceInfo.maximumNumberOfSupportedGetScriptOperators);
99 ShowMessages("Debuggee Maximum Number Of Supported SET Script Operators: 0x%x\n", g_HwdbgInstanceInfo.maximumNumberOfSupportedSetScriptOperators);
100 ShowMessages("Debuggee Shared Memory Size: 0x%x\n", g_HwdbgInstanceInfo.sharedMemorySize);
101 ShowMessages("Debuggee Debugger Area Offset: 0x%x\n", g_HwdbgInstanceInfo.debuggerAreaOffset);
102 ShowMessages("Debuggee Debuggee Area Offset: 0x%x\n", g_HwdbgInstanceInfo.debuggeeAreaOffset);
103 ShowMessages("Debuggee Script Capabilities Mask: 0x%llx\n", g_HwdbgInstanceInfo.scriptCapabilities);
104
105 //
106 // Show script capabilities
107 //
108 HwdbgInterpreterShowScriptCapabilities(&g_HwdbgInstanceInfo);
109
110 ShowMessages("Debuggee Number Of Pins: 0x%x\n", g_HwdbgInstanceInfo.numberOfPins);
111 ShowMessages("Debuggee Number Of Ports: 0x%x\n", g_HwdbgInstanceInfo.numberOfPorts);
112
113 ShowMessages("Debuggee BRAM Address Width: 0x%x\n", g_HwdbgInstanceInfo.bramAddrWidth);
114 ShowMessages("Debuggee BRAM Data Width: 0x%x (%d bit)\n", g_HwdbgInstanceInfo.bramDataWidth, g_HwdbgInstanceInfo.bramDataWidth);
115
116 for (auto item : g_HwdbgPortConfiguration)
117 {
118 ShowMessages("Port number %d ($hw_port%d): 0x%x\n", PortNum, PortNum, item);
119 PortNum++;
120 }
121 }
122 else
123 {
124 ShowMessages("err, unable to interpret instance info packet of the debuggee");
125 return;
126 }
127
128 //
129 // Interpret and fill the general event and action fields
130 //
131 //
132 if (!InterpretGeneralEventAndActionsFields(
133 &SplitCommand,
134 &SplitCommandCaseSensitive,
135 (VMM_EVENT_TYPE_ENUM)NULL, // not an event
136 &Event,
137 &EventLength,
138 &ActionBreakToDebugger,
139 &ActionBreakToDebuggerLength,
140 &ActionCustomCode,
141 &ActionCustomCodeLength,
142 &ActionScript,
143 &ActionScriptLength,
144 &EventParsingErrorCause))
145 {
146 return;
147 }
148
149 //
150 // Print the actual script
151 //
152 ShowMessages("\nHyperDbg (general) script buffer (size=%d, flip-flops (just script)=%d):\n\n",
153 ActionScript->ScriptBufferSize,
154 ActionScript->ScriptBufferSize * 8 // Converted to bits
155 );
156
157 CHAR * ScriptBuffer = (CHAR *)((UINT64)ActionScript + sizeof(DEBUGGER_GENERAL_ACTION));
158
159 for (size_t i = 0; i < ActionScript->ScriptBufferSize; i++)
160 {
161 ShowMessages("%02X ", (UINT8)ScriptBuffer[i]);
162 }
163
164 ShowMessages("\n");
165
166 //
167 // Check the script capabilities with the generated script
168 //
169 if (HwdbgInterpreterCheckScriptBufferWithScriptCapabilities(&g_HwdbgInstanceInfo,
170 ScriptBuffer,
171 ActionScript->ScriptBufferSize / sizeof(SYMBOL),
172 &NumberOfStagesForScript,
173 &NumberOfOperandsForScript))
174 {
175 ShowMessages("\n[+] target script is supported by this instance of hwdbg!\n");
176
177 //
178 // Now, converting the script based on supported script variable length
179 //
180 if (g_HwdbgInstanceInfoIsValid)
181 {
182 //
183 // Conversion needed
184 //
185 if (g_HwdbgInstanceInfo.scriptVariableLength >= sizeof(BYTE) * 8)
186 {
187 //
188 // The script variable length is valid (at least 8 bit (1 byte)
189 //
190
191 //
192 // Compress script buffer
193 //
194 if (HwdbgInterpreterConvertSymbolToHwdbgShortSymbolBuffer(&g_HwdbgInstanceInfo,
195 (SYMBOL *)ScriptBuffer,
196 ActionScript->ScriptBufferSize,
197 NumberOfStagesForScript,
198 &NewScriptBuffer,
199 &NewCompressedBufferSize) == TRUE &&
200
201 //
202 // we put bram data width size here instead of script variable length (g_HwdbgInstanceInfo.scriptVariableLength)
203 // since we want it to read one symbol filed at a time
204 //
205 HwdbgInterpreterCompressBuffer((UINT64 *)NewScriptBuffer,
206 NewCompressedBufferSize,
207 g_HwdbgInstanceInfo.scriptVariableLength,
208 g_HwdbgInstanceInfo.bramDataWidth,
209 &NewCompressedBufferSize,
210 &NumberOfBytesPerChunk) == TRUE)
211 {
212 ShowMessages("\n---------------------------------------------------------\n");
213
214 UINT32 NumberOfOperandsImplemented = NumberOfStagesForScript * (g_HwdbgInstanceInfo.maximumNumberOfSupportedGetScriptOperators + g_HwdbgInstanceInfo.maximumNumberOfSupportedSetScriptOperators);
215
216 //
217 // Calculate the number of flip-flops needed in the target device
218 // + operator symbol itself which only contains value (type is always equal to SYMBOL_SEMANTIC_RULE_TYPE)
219 // so, it is not counted as a flip-flop
220 //
221 NumberOfNeededFlipFlopsInTargetDevice = (NumberOfStagesForScript * (g_HwdbgInstanceInfo.maximumNumberOfSupportedGetScriptOperators + g_HwdbgInstanceInfo.maximumNumberOfSupportedSetScriptOperators) * g_HwdbgInstanceInfo.scriptVariableLength * sizeof(HWDBG_SHORT_SYMBOL) / sizeof(UINT64)) + // size of operator (GET and SET)
222 (NumberOfStagesForScript * g_HwdbgInstanceInfo.scriptVariableLength * (sizeof(HWDBG_SHORT_SYMBOL) / sizeof(UINT64)) / 2) + // size of main operator (/ 2 is becasue Type is not inffered)
223 (NumberOfStagesForScript * g_HwdbgInstanceInfo.numberOfSupportedLocalAndGlobalVariables * g_HwdbgInstanceInfo.scriptVariableLength) + // size of local (and global) variables
224 (NumberOfStagesForScript * g_HwdbgInstanceInfo.numberOfSupportedTemporaryVariables * g_HwdbgInstanceInfo.scriptVariableLength) + // size of temporary variables
225 (NumberOfStagesForScript * Log2Ceil(g_HwdbgInstanceInfo.maximumNumberOfStages * (g_HwdbgInstanceInfo.maximumNumberOfSupportedGetScriptOperators + g_HwdbgInstanceInfo.maximumNumberOfSupportedSetScriptOperators + 1)) * 2) + // size of stage index register + targetStage (* 2)
226 (NumberOfStagesForScript) + // stage enable flip-flop
227 (NumberOfStagesForScript * g_HwdbgInstanceInfo.numberOfPins); // input => output flip-flop
228
229 ShowMessages("hwdbg script buffer (buffer size=%d, stages=%d, operands needed: %d - operands used: %d (%.2f%%), total used flip-flops=%d, number of bytes per chunk: %d):\n\n",
230 NewCompressedBufferSize,
231 NumberOfStagesForScript,
232 NumberOfOperandsImplemented,
233 NumberOfOperandsForScript,
234 ((float)NumberOfOperandsForScript / (float)NumberOfOperandsImplemented) * 100,
235 NumberOfNeededFlipFlopsInTargetDevice,
236 NumberOfBytesPerChunk);
237
238 for (size_t i = 0; i < NewCompressedBufferSize; i++)
239 {
240 ShowMessages("%02X ", (UINT8)((CHAR *)NewScriptBuffer)[i]);
241 }
242
243 ShowMessages("\n\nwriting script configuration packet into the file\n");
244
245 //
246 // *** Write script configuration packet into a file ***
247 //
248 if (SetupPathForFileName(HWDBG_TEST_WRITE_SCRIPT_BUFFER_PATH, TestFilePath, sizeof(TestFilePath), FALSE) &&
249 HwdbgInterpreterSendScriptPacket(&g_HwdbgInstanceInfo,
250 TestFilePath,
251 NumberOfStagesForScript + NumberOfOperandsImplemented - 1, // Number of symbols = Number of stages + Number of operands - 1
252 NewScriptBuffer,
253 (UINT32)NewCompressedBufferSize))
254 {
255 ShowMessages("\n[*] script buffer successfully written into file: %s\n", TestFilePath);
256 }
257 else
258 {
259 ShowMessages("err, unable to write script buffer\n");
260 }
261
262 //
263 // *** Write test instance info request into a file ***
264 //
265 if (SetupPathForFileName(HWDBG_TEST_WRITE_INSTANCE_INFO_PATH, TestFilePath, sizeof(TestFilePath), FALSE) &&
266 HwdbgInterpreterSendPacketAndBufferToHwdbg(
267 &g_HwdbgInstanceInfo,
268 TestFilePath,
269 DEBUGGER_REMOTE_PACKET_TYPE_DEBUGGER_TO_DEBUGGEE_HARDWARE_LEVEL,
270 hwdbgActionSendInstanceInfo,
271 NULL,
272 NULL_ZERO))
273 {
274 ShowMessages("[*] instance info successfully written into file: %s\n", TestFilePath);
275 }
276 }
277 }
278 else
279 {
280 //
281 // The script variable length is not valid (at least 8 bit (1 byte)
282 //
283 ShowMessages("err, the script variable length should be at least 8 bits (1 byte)\n");
284 }
285 }
286 }
287 else
288 {
289 ShowMessages("\n[-] target script is NOT supported by this instance of hwdbg!\n");
290 }
291
292 //
293 // Free the allocated memory
294 //
295 if (NewScriptBuffer != NULL)
296 {
297 free(NewScriptBuffer);
298 }
299 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
300 }
301 else
302 {
303 ShowMessages("incorrect use of the '%s'\n\n", SplitCommand.at(0).c_str());
304 CommandHwClkHelp();
305 return;
306 }
307}
NULL_ZERO
#define NULL_ZERO
Definition BasicTypes.h:51
BYTE
unsigned char BYTE
Definition BasicTypes.h:24
UINT8
unsigned char UINT8
Definition BasicTypes.h:46
CHAR
char CHAR
Definition BasicTypes.h:31
DEBUGGER_REMOTE_PACKET_TYPE_DEBUGGER_TO_DEBUGGEE_HARDWARE_LEVEL
@ DEBUGGER_REMOTE_PACKET_TYPE_DEBUGGER_TO_DEBUGGEE_HARDWARE_LEVEL
Definition Connection.h:169
hwdbgActionSendInstanceInfo
@ hwdbgActionSendInstanceInfo
Definition HardwareDebugger.h:42
HWDBG_SHORT_SYMBOL
struct HWDBG_SHORT_SYMBOL HWDBG_SHORT_SYMBOL
Log2Ceil
UINT32 Log2Ceil(UINT32 n)
Function to compute log2Ceil.
Definition common.cpp:1216
CommandHwClkHelp
VOID CommandHwClkHelp()
help of the !hw_clk command
Definition hw_clk.cpp:28
g_HwdbgPortConfiguration
std::vector< UINT32 > g_HwdbgPortConfiguration
Ports configuration of hwdbg.
Definition globals.h:693
g_HwdbgInstanceInfo
HWDBG_INSTANCE_INFORMATION g_HwdbgInstanceInfo
Instance information of the current hwdbg debuggee.
Definition globals.h:681
g_HwdbgInstanceInfoIsValid
BOOLEAN g_HwdbgInstanceInfoIsValid
Shows whether the instance info is valid (received) or not.
Definition globals.h:687
HwdbgInterpreterFillMemoryFromFile
BOOLEAN HwdbgInterpreterFillMemoryFromFile(const TCHAR *FileName, UINT32 *MemoryBuffer, size_t BufferSize)
Function to read the file and fill the memory buffer.
Definition hwdbg-interpreter.cpp:577
HwdbgInterpreterConvertSymbolToHwdbgShortSymbolBuffer
BOOLEAN HwdbgInterpreterConvertSymbolToHwdbgShortSymbolBuffer(HWDBG_INSTANCE_INFORMATION *InstanceInfo, SYMBOL *SymbolBuffer, size_t SymbolBufferLength, UINT32 NumberOfStages, HWDBG_SHORT_SYMBOL **NewShortSymbolBuffer, size_t *NewBufferSize)
Function to compress the buffer.
Definition hwdbg-interpreter.cpp:806
HwdbgInterpreterSendScriptPacket
BOOLEAN HwdbgInterpreterSendScriptPacket(HWDBG_INSTANCE_INFORMATION *InstanceInfo, const TCHAR *FileName, UINT32 NumberOfSymbols, HWDBG_SHORT_SYMBOL *Buffer, UINT32 BufferLength)
Sends a HyperDbg script packet to the hwdbg.
Definition hwdbg-interpreter.cpp:1131
HwdbgInterpreterShowScriptCapabilities
VOID HwdbgInterpreterShowScriptCapabilities(HWDBG_INSTANCE_INFORMATION *InstanceInfo)
Shows the script capablities of the target debuggee.
Definition hwdbg-interpreter.cpp:179
HwdbgInterpreterCheckScriptBufferWithScriptCapabilities
BOOLEAN HwdbgInterpreterCheckScriptBufferWithScriptCapabilities(HWDBG_INSTANCE_INFORMATION *InstanceInfo, PVOID ScriptBuffer, UINT32 CountOfScriptSymbolChunks, UINT32 *NumberOfStages, UINT32 *NumberOfOperands)
Check the script capablities with the target script buffer.
Definition hwdbg-interpreter.cpp:238
HwdbgInterpreterCompressBuffer
BOOLEAN HwdbgInterpreterCompressBuffer(UINT64 *Buffer, size_t BufferLength, UINT32 ScriptVariableLength, UINT32 BramDataWidth, size_t *NewBufferSize, size_t *NumberOfBytesPerChunk)
Function to compress the buffer.
Definition hwdbg-interpreter.cpp:724
HwdbgInterpretPacket
BOOLEAN HwdbgInterpretPacket(PVOID BufferReceived, UINT32 LengthReceived)
Interpret packets of hwdbg.
Definition hwdbg-interpreter.cpp:30
HwdbgInterpreterSendPacketAndBufferToHwdbg
BOOLEAN HwdbgInterpreterSendPacketAndBufferToHwdbg(HWDBG_INSTANCE_INFORMATION *InstanceInfo, const TCHAR *FileName, DEBUGGER_REMOTE_PACKET_TYPE PacketType, HWDBG_ACTION_ENUMS RequestedAction, CHAR *Buffer, UINT32 BufferLength)
Sends a HyperDbg packet + a buffer to the hwdbg.
Definition hwdbg-interpreter.cpp:994
HWDBG_TEST_WRITE_SCRIPT_BUFFER_PATH
#define HWDBG_TEST_WRITE_SCRIPT_BUFFER_PATH
Path to write the sample of the script buffer.
Definition hwdbg-interpreter.h:28
HWDBG_TEST_READ_INSTANCE_INFO_PATH
#define HWDBG_TEST_READ_INSTANCE_INFO_PATH
Path to read the sample of the instance info.
Definition hwdbg-interpreter.h:22
HWDBG_TEST_WRITE_INSTANCE_INFO_PATH
#define HWDBG_TEST_WRITE_INSTANCE_INFO_PATH
Path to write the sample of the instance info requests.
Definition hwdbg-interpreter.h:34
VMM_EVENT_TYPE_ENUM
enum _VMM_EVENT_TYPE_ENUM VMM_EVENT_TYPE_ENUM
enum to show type of all HyperDbg events
DEBUGGER_GENERAL_ACTION
struct _DEBUGGER_GENERAL_ACTION DEBUGGER_GENERAL_ACTION
Each event can have multiple actions.
SetupPathForFileName
BOOLEAN SetupPathForFileName(const CHAR *FileName, _Inout_updates_bytes_all_(BufferLength) PCHAR FileLocation, ULONG BufferLength, BOOLEAN CheckFileExists)
Setup file name.
Definition install.cpp:440
_DEBUGGER_GENERAL_ACTION::ScriptBufferSize
UINT32 ScriptBufferSize
Definition Events.h:413
_HWDBG_INSTANCE_INFORMATION::version
UINT32 version
Definition HardwareDebugger.h:95
_HWDBG_INSTANCE_INFORMATION::sharedMemorySize
UINT32 sharedMemorySize
Definition HardwareDebugger.h:102
_HWDBG_INSTANCE_INFORMATION::maximumNumberOfSupportedGetScriptOperators
UINT32 maximumNumberOfSupportedGetScriptOperators
Definition HardwareDebugger.h:100
_HWDBG_INSTANCE_INFORMATION::debuggeeAreaOffset
UINT32 debuggeeAreaOffset
Definition HardwareDebugger.h:104
_HWDBG_INSTANCE_INFORMATION::numberOfSupportedLocalAndGlobalVariables
UINT32 numberOfSupportedLocalAndGlobalVariables
Definition HardwareDebugger.h:98
_HWDBG_INSTANCE_INFORMATION::debuggerAreaOffset
UINT32 debuggerAreaOffset
Definition HardwareDebugger.h:103
_HWDBG_INSTANCE_INFORMATION::scriptCapabilities
struct _HWDBG_INSTANCE_INFORMATION::_HWDBG_SCRIPT_CAPABILITIES scriptCapabilities
_HWDBG_INSTANCE_INFORMATION::maximumNumberOfStages
UINT32 maximumNumberOfStages
Definition HardwareDebugger.h:96
_HWDBG_INSTANCE_INFORMATION::numberOfSupportedTemporaryVariables
UINT32 numberOfSupportedTemporaryVariables
Definition HardwareDebugger.h:99
_HWDBG_INSTANCE_INFORMATION::numberOfPorts
UINT32 numberOfPorts
Definition HardwareDebugger.h:106
_HWDBG_INSTANCE_INFORMATION::bramAddrWidth
UINT32 bramAddrWidth
Definition HardwareDebugger.h:152
_HWDBG_INSTANCE_INFORMATION::maximumNumberOfSupportedSetScriptOperators
UINT32 maximumNumberOfSupportedSetScriptOperators
Definition HardwareDebugger.h:101
_HWDBG_INSTANCE_INFORMATION::bramDataWidth
UINT32 bramDataWidth
Definition HardwareDebugger.h:153
_HWDBG_INSTANCE_INFORMATION::numberOfPins
UINT32 numberOfPins
Definition HardwareDebugger.h:105
_HWDBG_INSTANCE_INFORMATION::scriptVariableLength
UINT32 scriptVariableLength
Definition HardwareDebugger.h:97
HWDBG_SHORT_SYMBOL
Definition ScriptEngineCommonDefinitions.h:15
SYMBOL
Definition ScriptEngineCommonDefinitions.h:6

◆ CommandI()

VOID CommandI ( vector< string > SplitCommand,
string Command )

handler of i command

Parameters
SplitCommand
Command
Returns
VOID
56{
57 UINT32 StepCount;
58 DEBUGGER_REMOTE_STEPPING_REQUEST RequestFormat;
59
60 //
61 // Validate the commands
62 //
63 if (SplitCommand.size() != 1 && SplitCommand.size() != 2)
64 {
65 ShowMessages("incorrect use of the 'i'\n\n");
66 CommandIHelp();
67 return;
68 }
69
70 //
71 // Check if we're in VMI mode
72 //
73 if (g_ActiveProcessDebuggingState.IsActive)
74 {
75 ShowMessages("the instrumentation step-in is only supported in Debugger Mode\n");
76 return;
77 }
78
79 //
80 // Set type of step
81 //
82 RequestFormat = DEBUGGER_REMOTE_STEPPING_REQUEST_INSTRUMENTATION_STEP_IN;
83
84 //
85 // Check if the command has a counter parameter
86 //
87 if (SplitCommand.size() == 2)
88 {
89 if (!ConvertStringToUInt32(SplitCommand.at(1), &StepCount))
90 {
91 ShowMessages("please specify a correct hex value for [count]\n\n");
92 CommandIHelp();
93 return;
94 }
95 }
96 else
97 {
98 StepCount = 1;
99 }
100
101 //
102 // Check if the remote serial debuggee or user debugger are paused or not
103 //
104 if (g_IsSerialConnectedToRemoteDebuggee)
105 {
106 //
107 // Indicate that we're instrumenting
108 //
109 g_IsInstrumentingInstructions = TRUE;
110
111 for (size_t i = 0; i < StepCount; i++)
112 {
113 //
114 // For logging purpose
115 //
116 // ShowMessages("percentage : %f %% (%x)\n", 100.0 * (i /
117 // (float)StepCount), i);
118 //
119
120 //
121 // It's stepping over serial connection in kernel debugger
122 //
123 KdSendStepPacketToDebuggee(RequestFormat);
124
125 if (!SplitCommand.at(0).compare("ir"))
126 {
127 //
128 // Show registers
129 //
130 HyperDbgRegisterShowAll();
131
132 if (i != StepCount - 1)
133 {
134 ShowMessages("\n");
135 }
136 }
137
138 //
139 // Check if user pressed CTRL+C
140 //
141 if (!g_IsInstrumentingInstructions)
142 {
143 break;
144 }
145 }
146
147 //
148 // We're not instrumenting instructions anymore
149 //
150 g_IsInstrumentingInstructions = FALSE;
151 }
152 else
153 {
154 ShowMessages("err, stepping (i) is not valid in the current context, you "
155 "should connect to a debuggee\n");
156 }
157}
DEBUGGER_REMOTE_STEPPING_REQUEST_INSTRUMENTATION_STEP_IN
@ DEBUGGER_REMOTE_STEPPING_REQUEST_INSTRUMENTATION_STEP_IN
Definition RequestStructures.h:993
CommandIHelp
VOID CommandIHelp()
help of the i command
Definition i.cpp:27
g_IsInstrumentingInstructions
BOOLEAN g_IsInstrumentingInstructions
Shows whether the user is running 't', 'p', or 'i' command.
Definition globals.h:561
g_IsSerialConnectedToRemoteDebuggee
BOOLEAN g_IsSerialConnectedToRemoteDebuggee
Shows if the debugger was connected to remote debuggee over (A remote guest)
Definition globals.h:231
g_ActiveProcessDebuggingState
ACTIVE_DEBUGGING_PROCESS g_ActiveProcessDebuggingState
State of active debugging thread.
Definition globals.h:362
HyperDbgRegisterShowAll
BOOLEAN HyperDbgRegisterShowAll()
handler of r show all registers
Definition r.cpp:317

◆ CommandInterrupt()

VOID CommandInterrupt ( vector< string > SplitCommand,
string Command )

!interrupt command handler

Parameters
SplitCommand
Command
Returns
VOID
49{
50 PDEBUGGER_GENERAL_EVENT_DETAIL Event = NULL;
51 PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger = NULL;
52 PDEBUGGER_GENERAL_ACTION ActionCustomCode = NULL;
53 PDEBUGGER_GENERAL_ACTION ActionScript = NULL;
54 UINT32 EventLength;
55 UINT32 ActionBreakToDebuggerLength = 0;
56 UINT32 ActionCustomCodeLength = 0;
57 UINT32 ActionScriptLength = 0;
58 UINT64 SpecialTarget = 0;
59 BOOLEAN GetEntry = FALSE;
60 vector<string> SplitCommandCaseSensitive {Split(Command, ' ')};
61 DEBUGGER_EVENT_PARSING_ERROR_CAUSE EventParsingErrorCause;
62
63 //
64 // Interpret and fill the general event and action fields
65 //
66 //
67 if (!InterpretGeneralEventAndActionsFields(
68 &SplitCommand,
69 &SplitCommandCaseSensitive,
70 EXTERNAL_INTERRUPT_OCCURRED,
71 &Event,
72 &EventLength,
73 &ActionBreakToDebugger,
74 &ActionBreakToDebuggerLength,
75 &ActionCustomCode,
76 &ActionCustomCodeLength,
77 &ActionScript,
78 &ActionScriptLength,
79 &EventParsingErrorCause))
80 {
81 return;
82 }
83
84 //
85 // Interpret command specific details (if any)
86 //
87 //
88 for (auto Section : SplitCommand)
89 {
90 if (!Section.compare("!interrupt"))
91 {
92 continue;
93 }
94 else if (!GetEntry)
95 {
96 //
97 // It's probably an index
98 //
99 if (!ConvertStringToUInt64(Section, &SpecialTarget))
100 {
101 //
102 // Unknown parameter
103 //
104 ShowMessages("unknown parameter '%s'\n\n", Section.c_str());
105 CommandInterruptHelp();
106
107 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
108 return;
109 }
110 else
111 {
112 //
113 // Check if entry is valid or not
114 //
115 if (!(SpecialTarget >= 32 && SpecialTarget <= 0xff))
116 {
117 //
118 // Entry is invalid (this command is designed for just entries
119 // between 32 to 255)
120 //
121 ShowMessages("the entry should be between 0x20 to 0xFF or the "
122 "entries between 32 to 255\n\n");
123 CommandInterruptHelp();
124
125 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
126 return;
127 }
128 GetEntry = TRUE;
129 }
130 }
131 else
132 {
133 //
134 // Unknown parameter
135 //
136 ShowMessages("unknown parameter '%s'\n\n", Section.c_str());
137 CommandInterruptHelp();
138
139 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
140 return;
141 }
142 }
143
144 if (SpecialTarget == 0)
145 {
146 //
147 // The user didn't set the target interrupt, even though it's possible to
148 // get all interrupts but it makes the system not responsive so it's wrong
149 // to trigger event on all interrupts and we're not going to support it
150 //
151 ShowMessages("please specify an interrupt index to monitor, HyperDbg "
152 "doesn't support to trigger events on all interrupts because "
153 "it's not reasonable and make the system unresponsive\n");
154 CommandInterruptHelp();
155
156 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
157 return;
158 }
159
160 //
161 // Set the target interrupt
162 //
163 Event->Options.OptionalParam1 = SpecialTarget;
164
165 //
166 // Send the ioctl to the kernel for event registration
167 //
168 if (!SendEventToKernel(Event, EventLength))
169 {
170 //
171 // There was an error, probably the handle was not initialized
172 // we have to free the Action before exit, it is because, we
173 // already freed the Event and string buffers
174 //
175
176 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
177 return;
178 }
179
180 //
181 // Add the event to the kernel
182 //
183 if (!RegisterActionToEvent(Event,
184 ActionBreakToDebugger,
185 ActionBreakToDebuggerLength,
186 ActionCustomCode,
187 ActionCustomCodeLength,
188 ActionScript,
189 ActionScriptLength))
190 {
191 //
192 // There was an error
193 //
194
195 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
196 return;
197 }
198}
EXTERNAL_INTERRUPT_OCCURRED
@ EXTERNAL_INTERRUPT_OCCURRED
Definition Events.h:141
CommandInterruptHelp
VOID CommandInterruptHelp()
help of the !interrupt command
Definition interrupt.cpp:20

◆ CommandIoin()

VOID CommandIoin ( vector< string > SplitCommand,
string Command )

!ioin command handler

Parameters
SplitCommand
Command
Returns
VOID
48{
49 PDEBUGGER_GENERAL_EVENT_DETAIL Event = NULL;
50 PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger = NULL;
51 PDEBUGGER_GENERAL_ACTION ActionCustomCode = NULL;
52 PDEBUGGER_GENERAL_ACTION ActionScript = NULL;
53 UINT32 EventLength;
54 UINT32 ActionBreakToDebuggerLength = 0;
55 UINT32 ActionCustomCodeLength = 0;
56 UINT32 ActionScriptLength = 0;
57 UINT64 SpecialTarget = DEBUGGER_EVENT_ALL_IO_PORTS;
58 BOOLEAN GetPort = FALSE;
59 vector<string> SplitCommandCaseSensitive {Split(Command, ' ')};
60 DEBUGGER_EVENT_PARSING_ERROR_CAUSE EventParsingErrorCause;
61
62 //
63 // Interpret and fill the general event and action fields
64 //
65 if (!InterpretGeneralEventAndActionsFields(
66 &SplitCommand,
67 &SplitCommandCaseSensitive,
68 IN_INSTRUCTION_EXECUTION,
69 &Event,
70 &EventLength,
71 &ActionBreakToDebugger,
72 &ActionBreakToDebuggerLength,
73 &ActionCustomCode,
74 &ActionCustomCodeLength,
75 &ActionScript,
76 &ActionScriptLength,
77 &EventParsingErrorCause))
78 {
79 return;
80 }
81
82 //
83 // Interpret command specific details (if any)
84 //
85 for (auto Section : SplitCommand)
86 {
87 if (!Section.compare("!ioin"))
88 {
89 continue;
90 }
91 else if (!GetPort)
92 {
93 //
94 // It's probably an I/O port
95 //
96 if (!ConvertStringToUInt64(Section, &SpecialTarget))
97 {
98 //
99 // Unknown parameter
100 //
101 ShowMessages("unknown parameter '%s'\n\n", Section.c_str());
102 CommandIoinHelp();
103
104 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
105 return;
106 }
107 else
108 {
109 GetPort = TRUE;
110 }
111 }
112 else
113 {
114 //
115 // Unknown parameter
116 //
117 ShowMessages("unknown parameter '%s'\n\n", Section.c_str());
118 CommandIoinHelp();
119
120 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
121 return;
122 }
123 }
124
125 //
126 // Set the target I/O port
127 //
128 Event->Options.OptionalParam1 = SpecialTarget;
129
130 //
131 // Send the ioctl to the kernel for event registration
132 //
133 if (!SendEventToKernel(Event, EventLength))
134 {
135 //
136 // There was an error, probably the handle was not initialized
137 // we have to free the Action before exit, it is because, we
138 // already freed the Event and string buffers
139 //
140
141 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
142 return;
143 }
144
145 //
146 // Add the event to the kernel
147 //
148 if (!RegisterActionToEvent(Event,
149 ActionBreakToDebugger,
150 ActionBreakToDebuggerLength,
151 ActionCustomCode,
152 ActionCustomCodeLength,
153 ActionScript,
154 ActionScriptLength))
155 {
156 //
157 // There was an error
158 //
159
160 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
161 return;
162 }
163}
DEBUGGER_EVENT_ALL_IO_PORTS
#define DEBUGGER_EVENT_ALL_IO_PORTS
Apply to all I/O ports.
Definition Constants.h:641
IN_INSTRUCTION_EXECUTION
@ IN_INSTRUCTION_EXECUTION
Definition Events.h:134
CommandIoinHelp
VOID CommandIoinHelp()
help of the !ioin command
Definition ioin.cpp:20

◆ CommandIoout()

VOID CommandIoout ( vector< string > SplitCommand,
string Command )

!ioout command handler

Parameters
SplitCommand
Command
Returns
VOID
48{
49 PDEBUGGER_GENERAL_EVENT_DETAIL Event = NULL;
50 PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger = NULL;
51 PDEBUGGER_GENERAL_ACTION ActionCustomCode = NULL;
52 PDEBUGGER_GENERAL_ACTION ActionScript = NULL;
53 UINT32 EventLength;
54 UINT32 ActionBreakToDebuggerLength = 0;
55 UINT32 ActionCustomCodeLength = 0;
56 UINT32 ActionScriptLength = 0;
57 UINT64 SpecialTarget = DEBUGGER_EVENT_ALL_IO_PORTS;
58 BOOLEAN GetPort = FALSE;
59 vector<string> SplitCommandCaseSensitive {Split(Command, ' ')};
60 DEBUGGER_EVENT_PARSING_ERROR_CAUSE EventParsingErrorCause;
61
62 //
63 // Interpret and fill the general event and action fields
64 //
65 //
66 if (!InterpretGeneralEventAndActionsFields(
67 &SplitCommand,
68 &SplitCommandCaseSensitive,
69 OUT_INSTRUCTION_EXECUTION,
70 &Event,
71 &EventLength,
72 &ActionBreakToDebugger,
73 &ActionBreakToDebuggerLength,
74 &ActionCustomCode,
75 &ActionCustomCodeLength,
76 &ActionScript,
77 &ActionScriptLength,
78 &EventParsingErrorCause))
79 {
80 return;
81 }
82
83 //
84 // Interpret command specific details (if any)
85 //
86 //
87 for (auto Section : SplitCommand)
88 {
89 if (!Section.compare("!ioout"))
90 {
91 continue;
92 }
93 else if (!GetPort)
94 {
95 //
96 // It's probably an I/O port
97 //
98 if (!ConvertStringToUInt64(Section, &SpecialTarget))
99 {
100 //
101 // Unknown parameter
102 //
103 ShowMessages("unknown parameter '%s'\n\n", Section.c_str());
104 CommandIooutHelp();
105
106 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
107 return;
108 }
109 else
110 {
111 GetPort = TRUE;
112 }
113 }
114 else
115 {
116 //
117 // Unknown parameter
118 //
119 ShowMessages("unknown parameter '%s'\n\n", Section.c_str());
120 CommandIooutHelp();
121
122 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
123 return;
124 }
125 }
126
127 //
128 // Set the target I/O port
129 //
130 Event->Options.OptionalParam1 = SpecialTarget;
131
132 //
133 // Send the ioctl to the kernel for event registration
134 //
135 if (!SendEventToKernel(Event, EventLength))
136 {
137 //
138 // There was an error, probably the handle was not initialized
139 // we have to free the Action before exit, it is because, we
140 // already freed the Event and string buffers
141 //
142
143 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
144 return;
145 }
146
147 //
148 // Add the event to the kernel
149 //
150 if (!RegisterActionToEvent(Event,
151 ActionBreakToDebugger,
152 ActionBreakToDebuggerLength,
153 ActionCustomCode,
154 ActionCustomCodeLength,
155 ActionScript,
156 ActionScriptLength))
157 {
158 //
159 // There was an error
160 //
161
162 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
163 return;
164 }
165}
OUT_INSTRUCTION_EXECUTION
@ OUT_INSTRUCTION_EXECUTION
Definition Events.h:135
CommandIooutHelp
VOID CommandIooutHelp()
help of the !ioout command
Definition ioout.cpp:20

◆ CommandK()

VOID CommandK ( vector< string > SplitCommand,
string Command )

k command handler

Parameters
SplitCommand
Command
Returns
VOID
56{
57 UINT64 BaseAddress = NULL; // Null base address means current RSP register
58 UINT32 Length = 0x100; // Default length
59 vector<string> SplitCommandCaseSensitive {Split(Command, ' ')};
60 UINT32 IndexInCommandCaseSensitive = 0;
61 BOOLEAN IsFirstCommand = TRUE;
62 BOOLEAN IsNextBase = FALSE;
63 BOOLEAN IsNextLength = FALSE;
64
65 string FirstCommand = SplitCommand.front();
66
67 if (SplitCommand.size() >= 6)
68 {
69 ShowMessages("incorrect use of the '%s'\n\n", FirstCommand.c_str());
70 CommandKHelp();
71 return;
72 }
73
74 if (!g_IsSerialConnectedToRemoteDebuggee)
75 {
76 ShowMessages("err, tracing callstack is not possible when you're not "
77 "connected to a debuggee\n");
78 return;
79 }
80
81 //
82 // Set the default length
83 //
84 if (g_IsRunningInstruction32Bit)
85 {
86 Length = 0x100;
87 }
88 else
89 {
90 Length = 0x200;
91 }
92
93 for (auto Section : SplitCommand)
94 {
95 IndexInCommandCaseSensitive++;
96
97 if (IsFirstCommand)
98 {
99 IsFirstCommand = FALSE;
100 continue;
101 }
102 if (IsNextBase == TRUE)
103 {
104 if (!SymbolConvertNameOrExprToAddress(SplitCommandCaseSensitive.at(IndexInCommandCaseSensitive - 1),
105 &BaseAddress))
106 {
107 //
108 // Couldn't resolve or unknown parameter
109 //
110 ShowMessages("err, couldn't resolve error at '%s'\n",
111 SplitCommandCaseSensitive.at(IndexInCommandCaseSensitive - 1).c_str());
112 return;
113 }
114
115 IsNextBase = FALSE;
116 continue;
117 }
118
119 if (IsNextLength == TRUE)
120 {
121 if (!ConvertStringToUInt32(Section, &Length))
122 {
123 ShowMessages("err, you should enter a valid length\n\n");
124 return;
125 }
126 IsNextLength = FALSE;
127 continue;
128 }
129
130 if (!Section.compare("l"))
131 {
132 IsNextLength = TRUE;
133 continue;
134 }
135
136 if (!Section.compare("base"))
137 {
138 IsNextBase = TRUE;
139 continue;
140 }
141
142 //
143 // User inserts unexpected input
144 //
145 ShowMessages("err, incorrect use of the '%s' command\n\n",
146 FirstCommand.c_str());
147 CommandKHelp();
148
149 return;
150 }
151
152 if (IsNextLength || IsNextBase)
153 {
154 ShowMessages("incorrect use of the '%s' command\n\n", FirstCommand.c_str());
155 CommandKHelp();
156 return;
157 }
158
159 //
160 // Send callstack request
161 //
162
163 if (!FirstCommand.compare("k"))
164 {
165 KdSendCallStackPacketToDebuggee(BaseAddress,
166 Length,
167 DEBUGGER_CALLSTACK_DISPLAY_METHOD_WITHOUT_PARAMS,
168 g_IsRunningInstruction32Bit);
169 }
170 else if (!FirstCommand.compare("kq"))
171 {
172 KdSendCallStackPacketToDebuggee(BaseAddress,
173 Length,
174 DEBUGGER_CALLSTACK_DISPLAY_METHOD_WITH_PARAMS,
175 FALSE);
176 }
177 else if (!FirstCommand.compare("kd"))
178 {
179 KdSendCallStackPacketToDebuggee(BaseAddress,
180 Length,
181 DEBUGGER_CALLSTACK_DISPLAY_METHOD_WITH_PARAMS,
182 TRUE);
183 }
184}
DEBUGGER_CALLSTACK_DISPLAY_METHOD_WITHOUT_PARAMS
@ DEBUGGER_CALLSTACK_DISPLAY_METHOD_WITHOUT_PARAMS
Definition RequestStructures.h:779
DEBUGGER_CALLSTACK_DISPLAY_METHOD_WITH_PARAMS
@ DEBUGGER_CALLSTACK_DISPLAY_METHOD_WITH_PARAMS
Definition RequestStructures.h:780
g_IsRunningInstruction32Bit
BOOLEAN g_IsRunningInstruction32Bit
whether the Current executing instructions is 32-bit or 64 bit
Definition globals.h:210
g_IsSerialConnectedToRemoteDebuggee
BOOLEAN g_IsSerialConnectedToRemoteDebuggee
Shows if the debugger was connected to remote debuggee over (A remote guest)
Definition globals.h:231
CommandKHelp
VOID CommandKHelp()
help of the k command
Definition k.cpp:26
KdSendCallStackPacketToDebuggee
BOOLEAN KdSendCallStackPacketToDebuggee(UINT64 BaseAddress, UINT32 Size, DEBUGGER_CALLSTACK_DISPLAY_METHOD DisplayMethod, BOOLEAN Is32Bit)
Send a callstack request to the debuggee.
Definition kd.cpp:348

◆ CommandKill()

VOID CommandKill ( vector< string > SplitCommand,
string Command )

.kill command handler

Parameters
SplitCommand
Command
Returns
VOID
42{
43 if (SplitCommand.size() != 1)
44 {
45 ShowMessages("incorrect use of the '.kill'\n\n");
46 CommandKillHelp();
47 return;
48 }
49
50 if (g_ActiveProcessDebuggingState.IsActive)
51 {
52 //
53 // Kill the current active process
54 //
55 if (!UdKillProcess(g_ActiveProcessDebuggingState.ProcessId))
56 {
57 ShowMessages("process does not exists, is it already terminated?\n");
58 }
59 }
60 else if (g_ProcessIdOfLatestStartingProcess != NULL)
61 {
62 if (!UdKillProcess(g_ProcessIdOfLatestStartingProcess))
63 {
64 ShowMessages("process does not exists, is it already terminated?\n");
65 }
66
67 //
68 // No longer the last process exists
69 //
70 g_ProcessIdOfLatestStartingProcess = NULL;
71 }
72 else
73 {
74 ShowMessages("nothing to terminate!\n");
75 return;
76 }
77}
CommandKillHelp
VOID CommandKillHelp()
help of the .kill command
Definition kill.cpp:26
g_ProcessIdOfLatestStartingProcess
UINT32 g_ProcessIdOfLatestStartingProcess
The process id of the latest starting process.
Definition globals.h:368
g_ActiveProcessDebuggingState
ACTIVE_DEBUGGING_PROCESS g_ActiveProcessDebuggingState
State of active debugging thread.
Definition globals.h:362
UdKillProcess
BOOLEAN UdKillProcess(UINT32 TargetPid)
Kill the target process from kernel.
Definition ud.cpp:666

◆ CommandListen()

VOID CommandListen ( vector< string > SplitCommand,
string Command )

listen command handler

Parameters
SplitCommand
Command
Returns
VOID
54{
55 string port;
56
57 if (SplitCommand.size() >= 3)
58 {
59 //
60 // Means that user entered invalid parameters
61 //
62 ShowMessages("incorrect use of the '.listen'\n\n");
63 CommandListenHelp();
64 return;
65 }
66
67 if (g_IsConnectedToHyperDbgLocally || g_IsConnectedToRemoteDebuggee ||
68 g_IsConnectedToRemoteDebugger)
69 {
70 ShowMessages("you're connected to a debugger, please use '.disconnect' "
71 "command\n");
72 return;
73 }
74
75 //
76 // Check to avoid using this command in debugger-mode
77 //
78 if (g_IsSerialConnectedToRemoteDebuggee || g_IsSerialConnectedToRemoteDebugger)
79 {
80 ShowMessages("you're connected to a an instance of HyperDbg, please use "
81 "'.debug close' command\n");
82 return;
83 }
84
85 if (SplitCommand.size() == 1)
86 {
87 //
88 // listen on default port
89 //
90 ShowMessages("listening on %s ...\n", DEFAULT_PORT);
91 RemoteConnectionListen(DEFAULT_PORT);
92
93 return;
94 }
95 else if (SplitCommand.size() == 2)
96 {
97 port = SplitCommand.at(1);
98
99 //
100 // means that probably wants to listen
101 // on a specific port, let's see if the
102 // port is valid or not
103 //
104 if (!IsNumber(port) || stoi(port) > 65535 || stoi(port) < 0)
105 {
106 ShowMessages("incorrect port\n");
107 return;
108 }
109
110 //
111 // listen on the port
112 //
113 ShowMessages("listening on %s ...\n", port.c_str());
114 RemoteConnectionListen(port.c_str());
115 }
116 else
117 {
118 ShowMessages("incorrect use of the '.listen'\n\n");
119 CommandListenHelp();
120 return;
121 }
122}
DEFAULT_PORT
#define DEFAULT_PORT
default port of HyperDbg for listening by debuggee (server, guest)
Definition Constants.h:323
g_IsSerialConnectedToRemoteDebugger
BOOLEAN g_IsSerialConnectedToRemoteDebugger
Shows if the debugger was connected to remote debugger (A remote host)
Definition globals.h:238
g_IsConnectedToRemoteDebuggee
BOOLEAN g_IsConnectedToRemoteDebuggee
Shows whether the current debugger is the host and connected to a remote debuggee (guest)
Definition globals.h:74
g_IsConnectedToRemoteDebugger
BOOLEAN g_IsConnectedToRemoteDebugger
Shows whether the current system is a guest (debuggee) and a remote debugger is connected to this sys...
Definition globals.h:81
CommandListenHelp
VOID CommandListenHelp()
help of the listen command
Definition listen.cpp:29
g_IsSerialConnectedToRemoteDebuggee
BOOLEAN g_IsSerialConnectedToRemoteDebuggee
Shows if the debugger was connected to remote debuggee over (A remote guest)
Definition globals.h:231
g_IsConnectedToHyperDbgLocally
BOOLEAN g_IsConnectedToHyperDbgLocally
Shows whether the user is allowed to use 'load' command to load modules locally in VMI (virtual machi...
Definition globals.h:67
RemoteConnectionListen
VOID RemoteConnectionListen(PCSTR Port)
Listen of a port and wait for a client connection.
Definition remote-connection.cpp:40

◆ CommandLm()

VOID CommandLm ( vector< string > SplitCommand,
string Command )

handle lm command

Parameters
SplitCommand
Command
Returns
VOID
386{
387 BOOLEAN SetPid = FALSE;
388 BOOLEAN SetSearchFilter = FALSE;
389 BOOLEAN SearchStringEntered = FALSE;
390 BOOLEAN OnlyShowKernelModules = FALSE;
391 BOOLEAN OnlyShowUserModules = FALSE;
392 UINT32 TargetPid = NULL;
393 char Search[MAX_PATH] = {0};
394 char * SearchString = NULL;
395
396 //
397 // Interpret command specific details (if any)
398 //
399 for (auto Section : SplitCommand)
400 {
401 if (!Section.compare("lm"))
402 {
403 continue;
404 }
405 else if (!Section.compare("pid") && !SetPid)
406 {
407 SetPid = TRUE;
408 }
409 else if (!Section.compare("m") && !SetSearchFilter)
410 {
411 SetSearchFilter = TRUE;
412 }
413 else if (SetPid)
414 {
415 if (!ConvertStringToUInt32(Section, &TargetPid))
416 {
417 //
418 // couldn't resolve or unknown parameter
419 //
420 ShowMessages("err, couldn't resolve error at '%s'\n\n",
421 Section.c_str());
422 CommandLmHelp();
423 return;
424 }
425 SetPid = FALSE;
426 }
427 else if (SetSearchFilter)
428 {
429 if (Section.length() >= MAX_PATH)
430 {
431 ShowMessages("err, string is too large for search, please enter "
432 "smaller string\n");
433
434 return;
435 }
436
437 SearchStringEntered = TRUE;
438 strcpy(Search, Section.c_str());
439
440 SetSearchFilter = FALSE;
441 }
442 else if (!Section.compare("km"))
443 {
444 if (OnlyShowUserModules)
445 {
446 ShowMessages("err, you cannot use both 'um', and 'km', by default "
447 "HyperDbg shows both user-mode and kernel-mode modules\n");
448 return;
449 }
450
451 OnlyShowKernelModules = TRUE;
452 }
453 else if (!Section.compare("um"))
454 {
455 if (OnlyShowKernelModules)
456 {
457 ShowMessages("err, you cannot use both 'um', and 'km', by default "
458 "HyperDbg shows both user-mode and kernel-mode modules\n");
459 return;
460 }
461
462 OnlyShowUserModules = TRUE;
463 }
464 else
465 {
466 //
467 // Unknown parameter
468 //
469 ShowMessages("err, couldn't resolve error at '%s'\n\n",
470 Section.c_str());
471 CommandLmHelp();
472 return;
473 }
474 }
475
476 if (SetPid)
477 {
478 ShowMessages("err, please enter a valid process id in hex format, "
479 "or if you want to use it in decimal format, add '0n' "
480 "prefix to the number\n");
481 return;
482 }
483
484 if (SetSearchFilter)
485 {
486 ShowMessages("err, please enter a valid string to search in modules\n");
487 return;
488 }
489
490 //
491 // Check if we have string to search
492 //
493 if (SearchStringEntered)
494 {
495 SearchString = Search;
496 }
497
498 //
499 // Show user mode modules
500 //
501 if (!OnlyShowKernelModules)
502 {
503 if (TargetPid != NULL)
504 {
505 CommandLmShowUserModeModule(TargetPid, SearchString);
506 }
507 else if (g_ActiveProcessDebuggingState.IsActive)
508 {
509 CommandLmShowUserModeModule(g_ActiveProcessDebuggingState.ProcessId, SearchString);
510 }
511 else
512 {
513 CommandLmShowUserModeModule(GetCurrentProcessId(), SearchString);
514 }
515 }
516
517 //
518 // Show kernel mode modules
519 //
520 if (!OnlyShowUserModules)
521 {
522 if (!OnlyShowKernelModules)
523 {
524 ShowMessages("\n==============================================================================\n\n");
525 }
526
527 CommandLmShowKernelModeModule(SearchString);
528 }
529}
CommandLmHelp
VOID CommandLmHelp()
help of the lm command
Definition lm.cpp:27
CommandLmShowKernelModeModule
BOOLEAN CommandLmShowKernelModeModule(const char *SearchModule)
show modules for kernel mode
Definition lm.cpp:274
g_ActiveProcessDebuggingState
ACTIVE_DEBUGGING_PROCESS g_ActiveProcessDebuggingState
State of active debugging thread.
Definition globals.h:362
CommandLmShowUserModeModule
BOOLEAN CommandLmShowUserModeModule(UINT32 ProcessId, const char *SearchModule)
show modules for specified user mode process
Definition lm.cpp:83

◆ CommandLoad()

VOID CommandLoad ( vector< string > SplitCommand,
string Command )

load command handler

Parameters
SplitCommand
Command
Returns
VOID
47{
48 if (SplitCommand.size() != 2)
49 {
50 ShowMessages("incorrect use of the 'load'\n\n");
51 CommandLoadHelp();
52 return;
53 }
54
55 if (!g_IsConnectedToHyperDbgLocally)
56 {
57 ShowMessages("you're not connected to any instance of HyperDbg, did you "
58 "use '.connect'? \n");
59 return;
60 }
61
62 //
63 // Check for the module
64 //
65 if (!SplitCommand.at(1).compare("vmm"))
66 {
67 //
68 // Check to make sure that the driver is not already loaded
69 //
70 if (g_DeviceHandle)
71 {
72 ShowMessages("handle of the driver found, if you use 'load' before, please "
73 "first unload it then call 'unload'\n");
74 return;
75 }
76
77 //
78 // Load VMM Module
79 //
80 ShowMessages("loading the vmm driver\n");
81
82 if (HyperDbgInstallVmmDriver() == 1 || HyperDbgLoadVmmModule() == 1)
83 {
84 ShowMessages("failed to install or load the driver\n");
85 return;
86 }
87
88 //
89 // If in vmi-mode then initialize and load symbols (pdb)
90 // for previously downloaded symbols
91 // When the VMM module is loaded, we use the current
92 // process (HyperDbg's process) as the base for user-mode
93 // symbols
94 //
95 SymbolLocalReload(GetCurrentProcessId());
96 }
97 else
98 {
99 //
100 // Module not found
101 //
102 ShowMessages("err, module not found\n");
103 }
104}
HyperDbgInstallVmmDriver
INT HyperDbgInstallVmmDriver()
Install VMM driver.
Definition libhyperdbg.cpp:502
HyperDbgLoadVmmModule
INT HyperDbgLoadVmmModule()
load vmm module
Definition libhyperdbg.cpp:798
g_DeviceHandle
HANDLE g_DeviceHandle
Holds the global handle of device which is used to send the request to the kernel by IOCTL,...
Definition globals.h:471
g_IsConnectedToHyperDbgLocally
BOOLEAN g_IsConnectedToHyperDbgLocally
Shows whether the user is allowed to use 'load' command to load modules locally in VMI (virtual machi...
Definition globals.h:67
CommandLoadHelp
VOID CommandLoadHelp()
help of the load command
Definition load.cpp:28
SymbolLocalReload
BOOLEAN SymbolLocalReload(UINT32 UserProcessId)
Locally reload the symbol table.
Definition symbol.cpp:50

◆ CommandLogclose()

VOID CommandLogclose ( vector< string > SplitCommand,
string Command )

.logclose command handler

Parameters
SplitCommand
Command
Returns
VOID
42{
43 if (SplitCommand.size() != 1)
44 {
45 ShowMessages("incorrect use of the '.logclose'\n\n");
46 CommandLogcloseHelp();
47 return;
48 }
49 if (!g_LogOpened)
50 {
51 ShowMessages("there is no opened log, did you use '.logopen'? \n");
52 return;
53 }
54
55 //
56 // Show the time and message before close
57 //
58 time_t t = time(NULL);
59 struct tm tm = *localtime(&t);
60 ShowMessages("log file closed (%d-%02d-%02d "
61 "%02d:%02d:%02d)\n",
62 tm.tm_year + 1900,
63 tm.tm_mon + 1,
64 tm.tm_mday,
65 tm.tm_hour,
66 tm.tm_min,
67 tm.tm_sec);
68 //
69 // close the file
70 //
71 g_LogOpenFile.close();
72
73 //
74 // Globally indicate that file is no longer available
75 //
76 g_LogOpened = FALSE;
77}
g_LogOpened
BOOLEAN g_LogOpened
Shows whether the '.logopen' command is executed and the log file is open or not.
Definition globals.h:478
g_LogOpenFile
ofstream g_LogOpenFile
The object of log file ('.logopen' command)
Definition globals.h:484
CommandLogcloseHelp
VOID CommandLogcloseHelp()
help .logclose command
Definition logclose.cpp:26

◆ CommandLogopen()

VOID CommandLogopen ( vector< string > SplitCommand,
string Command )

.logopen command handler

Parameters
SplitCommand
Command
Returns
VOID
44{
45 if (SplitCommand.size() == 1)
46 {
47 ShowMessages("please specify a file\n");
48 CommandLogopenHelp();
49 return;
50 }
51
52 if (g_LogOpened)
53 {
54 ShowMessages("log was opened previously, you have the close it first "
55 "(using .logclose)\n");
56 return;
57 }
58
59 //
60 // Trim the command
61 //
62 Trim(Command);
63
64 //
65 // Remove .logopen from it
66 //
67 Command.erase(0, SplitCommand.at(0).size());
68
69 //
70 // Trim it again
71 //
72 Trim(Command);
73
74 //
75 // Try to open it as file
76 //
77 g_LogOpenFile.open(Command.c_str());
78
79 //
80 // Check if it's okay
81 //
82 if (g_LogOpenFile.is_open())
83 {
84 //
85 // Start intercepting logs
86 //
87 g_LogOpened = TRUE;
88
89 //
90 // Enable save to the file (Message + time)
91 //
92 time_t t = time(NULL);
93 struct tm tm = *localtime(&t);
94
95 ShowMessages("save commands and results into file : %s (%d-%02d-%02d "
96 "%02d:%02d:%02d)\n",
97 Command.c_str(),
98 tm.tm_year + 1900,
99 tm.tm_mon + 1,
100 tm.tm_mday,
101 tm.tm_hour,
102 tm.tm_min,
103 tm.tm_sec);
104 }
105 else
106 {
107 ShowMessages("unable to open file : %s\n", Command.c_str());
108 return;
109 }
110}
g_LogOpened
BOOLEAN g_LogOpened
Shows whether the '.logopen' command is executed and the log file is open or not.
Definition globals.h:478
CommandLogopenHelp
VOID CommandLogopenHelp()
help of the .logopen command
Definition logopen.cpp:28
g_LogOpenFile
ofstream g_LogOpenFile
The object of log file ('.logopen' command)
Definition globals.h:484

◆ CommandMeasure()

VOID CommandMeasure ( vector< string > SplitCommand,
string Command )

!measure command handler

Parameters
SplitCommand
Command
Returns
VOID
54{
55 BOOLEAN DefaultMode = FALSE;
56
57 if (SplitCommand.size() >= 3)
58 {
59 ShowMessages("incorrect use of the '!measure'\n\n");
60 CommandMeasureHelp();
61 return;
62 }
63
64 if (SplitCommand.size() == 2 && SplitCommand.at(1).compare("default"))
65 {
66 ShowMessages("incorrect use of the '!measure'\n\n");
67 CommandMeasureHelp();
68 return;
69 }
70 else if (SplitCommand.size() == 2 &&
71 !SplitCommand.at(1).compare("default"))
72 {
73 DefaultMode = TRUE;
74 }
75
76 //
77 // Check if debugger is loaded or not
78 //
79 if (g_DeviceHandle && !DefaultMode)
80 {
81 ShowMessages(
82 "Debugger is loaded and your machine is already in a hypervisor, you "
83 "should measure the times before 'load'-ing the debugger, please "
84 "'unload' the debugger and use '!measure' again or use '!measure "
85 "default' to use hardcoded measurements\n");
86 return;
87 }
88
89 if (!DefaultMode)
90 {
91 if (TransparentModeCheckHypervisorPresence(
92 &g_CpuidAverage,
93 &g_CpuidStandardDeviation,
94 &g_CpuidMedian))
95 {
96 ShowMessages(
97 "we detected that there is a hypervisor, on your system, it "
98 "leads to wrong measurement results for our transparent-mode, please "
99 "make sure that you're not in a hypervisor then measure the result "
100 "again; otherwise the transparent-mode will not work but you can use "
101 "'!measure default' to use the hardcoded measurements !\n\n");
102
103 return;
104 }
105
106 if (TransparentModeCheckRdtscpVmexit(
107 &g_RdtscAverage,
108 &g_RdtscStandardDeviation,
109 &g_RdtscMedian))
110 {
111 ShowMessages(
112 "we detected that there is a hypervisor, on your system, it "
113 "leads to wrong measurement results for our transparent-mode, please "
114 "make sure that you're not in a hypervisor then measure the result "
115 "again; otherwise the transparent-mode will not work but you can use "
116 "'!measure default' to use the hardcoded measurements !\n\n");
117
118 return;
119 }
120 }
121 else
122 {
123 //
124 // It's a default mode
125 //
126
127 //
128 // Default values for cpuid
129 //
130 g_CpuidAverage = 0x5f;
131 g_CpuidStandardDeviation = 0x10;
132 g_CpuidMedian = 0x5f;
133
134 //
135 // Default values for rdtsc/p
136 //
137 g_RdtscAverage = 0x16;
138 g_RdtscStandardDeviation = 0x5;
139 g_RdtscMedian = 0x16;
140 }
141
142 ShowMessages("the measurements were successful\nyou can use the '!hide' command now\n");
143
144 //
145 // Indicate that the measurements was successful
146 //
147 g_TransparentResultsMeasured = TRUE;
148}
g_CpuidStandardDeviation
UINT64 g_CpuidStandardDeviation
The standard deviation calculated from the measurements of cpuid '!measure' command.
Definition globals.h:532
g_RdtscAverage
UINT64 g_RdtscAverage
The average calculated from the measurements of rdtsc/p '!measure' command.
Definition globals.h:544
CommandMeasureHelp
VOID CommandMeasureHelp()
help of the !measure command
Definition measure.cpp:33
g_RdtscMedian
UINT64 g_RdtscMedian
The median calculated from the measurements of rdtsc/p '!measure' command.
Definition globals.h:556
g_TransparentResultsMeasured
BOOLEAN g_TransparentResultsMeasured
Shows whether the user executed and mesaured '!measure' command or not, it is because we want to use ...
Definition globals.h:520
g_CpuidMedian
UINT64 g_CpuidMedian
The median calculated from the measurements of cpuid '!measure' command.
Definition globals.h:538
g_RdtscStandardDeviation
UINT64 g_RdtscStandardDeviation
The standard deviation calculated from the measurements of rdtsc/p '!measure' command.
Definition globals.h:550
g_CpuidAverage
UINT64 g_CpuidAverage
The average calculated from the measurements of cpuid '!measure' command.
Definition globals.h:526
TransparentModeCheckRdtscpVmexit
BOOLEAN TransparentModeCheckRdtscpVmexit(UINT64 *Average, UINT64 *StandardDeviation, UINT64 *Median)
compute the average, standard deviation and median if rdtsc+rdtsc
Definition transparency.cpp:224
TransparentModeCheckHypervisorPresence
BOOLEAN TransparentModeCheckHypervisorPresence(UINT64 *Average, UINT64 *StandardDeviation, UINT64 *Median)
compute the average, standard deviation and median if rdtsc+cpuid+rdtsc
Definition transparency.cpp:194

◆ CommandMode()

VOID CommandMode ( vector< string > SplitCommand,
string Command )

!mode command handler

Parameters
SplitCommand
Command
Returns
VOID
49{
50 PDEBUGGER_GENERAL_EVENT_DETAIL Event = NULL;
51 PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger = NULL;
52 PDEBUGGER_GENERAL_ACTION ActionCustomCode = NULL;
53 PDEBUGGER_GENERAL_ACTION ActionScript = NULL;
54 UINT32 EventLength;
55 UINT32 ActionBreakToDebuggerLength = 0;
56 UINT32 ActionCustomCodeLength = 0;
57 UINT32 ActionScriptLength = 0;
58 vector<string> SplitCommandCaseSensitive {Split(Command, ' ')};
59 DEBUGGER_EVENT_PARSING_ERROR_CAUSE EventParsingErrorCause;
60 BOOLEAN SetMode = FALSE;
61 DEBUGGER_EVENT_MODE_TYPE TargetInterceptionMode = DEBUGGER_EVENT_MODE_TYPE_INVALID;
62
63 //
64 // Interpret and fill the general event and action fields
65 //
66 //
67 if (!InterpretGeneralEventAndActionsFields(
68 &SplitCommand,
69 &SplitCommandCaseSensitive,
70 TRAP_EXECUTION_MODE_CHANGED,
71 &Event,
72 &EventLength,
73 &ActionBreakToDebugger,
74 &ActionBreakToDebuggerLength,
75 &ActionCustomCode,
76 &ActionCustomCodeLength,
77 &ActionScript,
78 &ActionScriptLength,
79 &EventParsingErrorCause))
80 {
81 return;
82 }
83
84 //
85 // Check here to make sure that the user didn't specified the calling stages for this mode change execution trap
86 //
87 if (Event->EventStage != VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION)
88 {
89 ShowMessages("the utilization of 'post' or 'all' event calling stages is not meaningful "
90 "for the mode (user-mode/kernel-mode) change traps; therefore, this command does not support them\n");
91
92 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
93 return;
94 }
95
96 //
97 // Check for size
98 //
99 if (SplitCommand.size() > 2)
100 {
101 ShowMessages("incorrect use of the '!mode'\n");
102 CommandModeHelp();
103
104 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
105 return;
106 }
107
108 //
109 // Interpret command specific details (if any)
110 //
111 for (auto Section : SplitCommand)
112 {
113 if (!Section.compare("!mode"))
114 {
115 continue;
116 }
117 else if (!Section.compare("u") && !SetMode)
118 {
119 TargetInterceptionMode = DEBUGGER_EVENT_MODE_TYPE_USER_MODE;
120 SetMode = TRUE;
121 }
122 else if (!Section.compare("k") && !SetMode)
123 {
124 TargetInterceptionMode = DEBUGGER_EVENT_MODE_TYPE_KERNEL_MODE;
125 SetMode = TRUE;
126 }
127 else if ((!Section.compare("uk") || !Section.compare("ku")) && !SetMode)
128 {
129 TargetInterceptionMode = DEBUGGER_EVENT_MODE_TYPE_USER_MODE_AND_KERNEL_MODE;
130 SetMode = TRUE;
131 }
132 else
133 {
134 //
135 // Couldn't resolve or unknown parameter
136 //
137 ShowMessages("err, couldn't resolve error at '%s'\n\n",
138 Section.c_str());
139
140 CommandModeHelp();
141
142 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
143 }
144 }
145
146 //
147 // Check if user specified the execution mode or not
148 //
149 if (!SetMode)
150 {
151 ShowMessages("please specify the mode(s) that you want to intercept their execution (u, k, ku)\n");
152
153 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
154 return;
155 }
156
157 //
158 // Check if user specified the process id or not
159 //
160 if (Event->ProcessId == DEBUGGER_EVENT_APPLY_TO_ALL_PROCESSES)
161 {
162 ShowMessages("this event only applies to the selected process(es). please specify "
163 "the 'pid' or the process id of the target process that you want to trap its execution\n");
164
165 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
166 return;
167 }
168
169 //
170 // Set the first parameter to the required execution mode
171 //
172 Event->Options.OptionalParam1 = (UINT64)TargetInterceptionMode;
173
174 //
175 // Send the ioctl to the kernel for event registration
176 //
177 if (!SendEventToKernel(Event, EventLength))
178 {
179 //
180 // There was an error, probably the handle was not initialized
181 // we have to free the Action before exit, it is because, we
182 // already freed the Event and string buffers
183 //
184
185 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
186 return;
187 }
188
189 //
190 // Add the event to the kernel
191 //
192 if (!RegisterActionToEvent(Event,
193 ActionBreakToDebugger,
194 ActionBreakToDebuggerLength,
195 ActionCustomCode,
196 ActionCustomCodeLength,
197 ActionScript,
198 ActionScriptLength))
199 {
200 //
201 // There was an error
202 //
203
204 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
205 return;
206 }
207}
DEBUGGER_EVENT_APPLY_TO_ALL_PROCESSES
#define DEBUGGER_EVENT_APPLY_TO_ALL_PROCESSES
Apply the event to all the processes.
Definition Constants.h:617
TRAP_EXECUTION_MODE_CHANGED
@ TRAP_EXECUTION_MODE_CHANGED
Definition Events.h:169
DEBUGGER_EVENT_MODE_TYPE_KERNEL_MODE
@ DEBUGGER_EVENT_MODE_TYPE_KERNEL_MODE
Definition Events.h:207
DEBUGGER_EVENT_MODE_TYPE_USER_MODE_AND_KERNEL_MODE
@ DEBUGGER_EVENT_MODE_TYPE_USER_MODE_AND_KERNEL_MODE
Definition Events.h:205
DEBUGGER_EVENT_MODE_TYPE_INVALID
@ DEBUGGER_EVENT_MODE_TYPE_INVALID
Definition Events.h:208
DEBUGGER_EVENT_MODE_TYPE_USER_MODE
@ DEBUGGER_EVENT_MODE_TYPE_USER_MODE
Definition Events.h:206
DEBUGGER_EVENT_MODE_TYPE
enum _DEBUGGER_EVENT_MODE_TYPE DEBUGGER_EVENT_MODE_TYPE
Type of mode change traps.
CommandModeHelp
VOID CommandModeHelp()
help of the !mode command
Definition mode.cpp:20
_DEBUGGER_GENERAL_EVENT_DETAIL::ProcessId
UINT32 ProcessId
Definition Events.h:360

◆ CommandMonitor()

VOID CommandMonitor ( vector< string > SplitCommand,
string Command )

!monitor command handler

Parameters
SplitCommand
Command
Returns
VOID
62{
63 PDEBUGGER_GENERAL_EVENT_DETAIL Event = NULL;
64 PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger = NULL;
65 PDEBUGGER_GENERAL_ACTION ActionCustomCode = NULL;
66 PDEBUGGER_GENERAL_ACTION ActionScript = NULL;
67 UINT32 EventLength;
68 UINT32 ActionBreakToDebuggerLength = 0;
69 UINT32 ActionCustomCodeLength = 0;
70 UINT32 ActionScriptLength = 0;
71 UINT32 HookLength = 0;
72 UINT64 OptionalParam1 = 0; // Set the 'from' target address
73 UINT64 OptionalParam2 = 0; // Set the 'to' target address
74 BOOLEAN SetFrom = FALSE;
75 BOOLEAN SetTo = FALSE;
76 BOOLEAN IsNextLength = FALSE;
77 BOOLEAN LengthAlreadySet = FALSE;
78 BOOLEAN SetAttributes = FALSE;
79 BOOLEAN HookMemoryTypeSet = FALSE;
80 vector<string> SplitCommandCaseSensitive {Split(Command, ' ')};
81 DEBUGGER_HOOK_MEMORY_TYPE HookMemoryType = DEBUGGER_MEMORY_HOOK_VIRTUAL_ADDRESS; // by default virtual address
82 UINT32 IndexInCommandCaseSensitive = 0;
83 DEBUGGER_EVENT_PARSING_ERROR_CAUSE EventParsingErrorCause;
84
85 if (SplitCommand.size() < 4)
86 {
87 ShowMessages("incorrect use of the '!monitor'\n");
88 CommandMonitorHelp();
89 return;
90 }
91
92 //
93 // Interpret and fill the general event and action fields
94 //
95 // We use HIDDEN_HOOK_READ_AND_WRITE here but it might be changed to
96 // HIDDEN_HOOK_READ or HIDDEN_HOOK_WRITE or other events it is because
97 // we are not sure what kind event the user need
98 //
99 if (!InterpretGeneralEventAndActionsFields(
100 &SplitCommand,
101 &SplitCommandCaseSensitive,
102 HIDDEN_HOOK_READ_AND_WRITE_AND_EXECUTE,
103 &Event,
104 &EventLength,
105 &ActionBreakToDebugger,
106 &ActionBreakToDebuggerLength,
107 &ActionCustomCode,
108 &ActionCustomCodeLength,
109 &ActionScript,
110 &ActionScriptLength,
111 &EventParsingErrorCause))
112 {
113 return;
114 }
115
116 //
117 // Interpret command specific details (if any)
118 //
119 for (auto Section : SplitCommand)
120 {
121 IndexInCommandCaseSensitive++;
122
123 if (!Section.compare("!monitor"))
124 {
125 continue;
126 }
127 else if (IsNextLength)
128 {
129 if (!ConvertStringToUInt32(Section, &HookLength))
130 {
131 ShowMessages("err, you should enter a valid length\n\n");
132 return;
133 }
134
135 IsNextLength = FALSE;
136 LengthAlreadySet = TRUE;
137 SetTo = TRUE; // No longer need a second address
138 }
139 else if (!Section.compare("r") && !SetAttributes)
140 {
141 Event->EventType = HIDDEN_HOOK_READ;
142 SetAttributes = TRUE;
143 }
144 else if (!Section.compare("w") && !SetAttributes)
145 {
146 Event->EventType = HIDDEN_HOOK_WRITE;
147 SetAttributes = TRUE;
148 }
149 else if (!Section.compare("x") && !SetAttributes)
150 {
151 Event->EventType = HIDDEN_HOOK_EXECUTE;
152 SetAttributes = TRUE;
153 }
154 else if ((!Section.compare("rw") || !Section.compare("wr")) && !SetAttributes)
155 {
156 Event->EventType = HIDDEN_HOOK_READ_AND_WRITE;
157 SetAttributes = TRUE;
158 }
159 else if ((!Section.compare("rx") || !Section.compare("xr")) &&
160 !SetAttributes)
161 {
162 Event->EventType = HIDDEN_HOOK_READ_AND_EXECUTE;
163 SetAttributes = TRUE;
164 }
165 else if ((!Section.compare("wx") || !Section.compare("xw")) &&
166 !SetAttributes)
167 {
168 Event->EventType = HIDDEN_HOOK_WRITE_AND_EXECUTE;
169 SetAttributes = TRUE;
170 }
171 else if ((!Section.compare("rwx") ||
172 !Section.compare("rxw") ||
173 !Section.compare("wrx") ||
174 !Section.compare("wxr") ||
175 !Section.compare("xrw") ||
176 !Section.compare("xwr")) &&
177 !SetAttributes)
178 {
179 Event->EventType = HIDDEN_HOOK_READ_AND_WRITE_AND_EXECUTE;
180 SetAttributes = TRUE;
181 }
182 else if (!Section.compare("l") && !SetTo && !LengthAlreadySet)
183 {
184 IsNextLength = TRUE;
185 continue;
186 }
187 else if (!Section.compare("va") && !HookMemoryTypeSet)
188 {
189 HookMemoryType = DEBUGGER_MEMORY_HOOK_VIRTUAL_ADDRESS;
190 HookMemoryTypeSet = TRUE;
191 continue;
192 }
193 else if (!Section.compare("pa") && !HookMemoryTypeSet)
194 {
195 HookMemoryType = DEBUGGER_MEMORY_HOOK_PHYSICAL_ADDRESS;
196 HookMemoryTypeSet = TRUE;
197 continue;
198 }
199 else
200 {
201 //
202 // It's probably address
203 //
204 if (!SetFrom)
205 {
206 if (!SymbolConvertNameOrExprToAddress(
207 SplitCommandCaseSensitive.at(IndexInCommandCaseSensitive - 1),
208 &OptionalParam1))
209 {
210 //
211 // couldn't resolve or unknown parameter
212 //
213 ShowMessages("err, couldn't resolve error at '%s'\n\n",
214 SplitCommandCaseSensitive.at(IndexInCommandCaseSensitive - 1).c_str());
215 CommandMonitorHelp();
216
217 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
218 return;
219 }
220 SetFrom = TRUE;
221 }
222 else if (!SetTo && !LengthAlreadySet)
223 {
224 if (!SymbolConvertNameOrExprToAddress(
225 SplitCommandCaseSensitive.at(IndexInCommandCaseSensitive - 1),
226 &OptionalParam2))
227 {
228 //
229 // Couldn't resolve or unknown parameter
230 //
231 ShowMessages("err, couldn't resolve error at '%s'\n\n",
232 SplitCommandCaseSensitive.at(IndexInCommandCaseSensitive - 1).c_str());
233
234 CommandMonitorHelp();
235
236 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
237 return;
238 }
239 SetTo = TRUE;
240 }
241 else
242 {
243 //
244 // Unknown parameter
245 //
246 ShowMessages("unknown parameter '%s'\n\n", Section.c_str());
247 CommandMonitorHelp();
248
249 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
250 return;
251 }
252 }
253 }
254
255 //
256 // Check if all parameters are received
257 //
258 if (!SetFrom || !SetTo)
259 {
260 ShowMessages("please choose the 'from' or 'to' values or specify the length\n");
261 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
262 return;
263 }
264
265 //
266 // Check if user specified the 'l' rather than providing two addresses
267 //
268 if (LengthAlreadySet)
269 {
270 //
271 // Because when the user specifies length, the last byte should be ignored
272 //
273 OptionalParam2 = OptionalParam1 + HookLength - 1;
274 }
275
276 //
277 // Check for invalid order of address
278 //
279 if (OptionalParam1 > OptionalParam2)
280 {
281 //
282 // 'from' is greater than 'to'
283 //
284 ShowMessages("please choose the 'from' value first, then choose the 'to' "
285 "value\n");
286
287 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
288 return;
289 }
290
291 //
292 // Check if user set the attributes of !monitor or not
293 //
294 if (!SetAttributes)
295 {
296 ShowMessages("please specify the attribute(s) that you want to monitor (r, w, x, rw, rx, wx, rwx)\n");
297
298 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
299 return;
300 }
301
302 //
303 // Set the optional parameters
304 //
305 Event->Options.OptionalParam1 = OptionalParam1;
306 Event->Options.OptionalParam2 = OptionalParam2;
307 Event->Options.OptionalParam3 = HookMemoryType;
308
309 //
310 // Send the ioctl to the kernel for event registration
311 //
312 if (!SendEventToKernel(Event, EventLength))
313 {
314 //
315 // There was an error, probably the handle was not initialized
316 // we have to free the Action before exit, it is because, we
317 // already freed the Event and string buffers
318 //
319
320 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
321 return;
322 }
323
324 //
325 // Add the event to the kernel
326 //
327 if (!RegisterActionToEvent(Event,
328 ActionBreakToDebugger,
329 ActionBreakToDebuggerLength,
330 ActionCustomCode,
331 ActionCustomCodeLength,
332 ActionScript,
333 ActionScriptLength))
334 {
335 //
336 // There was an error
337 //
338
339 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
340 return;
341 }
342}
DEBUGGER_MEMORY_HOOK_VIRTUAL_ADDRESS
@ DEBUGGER_MEMORY_HOOK_VIRTUAL_ADDRESS
Definition DataTypes.h:311
DEBUGGER_MEMORY_HOOK_PHYSICAL_ADDRESS
@ DEBUGGER_MEMORY_HOOK_PHYSICAL_ADDRESS
Definition DataTypes.h:312
DEBUGGER_HOOK_MEMORY_TYPE
enum _DEBUGGER_HOOK_MEMORY_TYPE DEBUGGER_HOOK_MEMORY_TYPE
different type of memory addresses
HIDDEN_HOOK_WRITE_AND_EXECUTE
@ HIDDEN_HOOK_WRITE_AND_EXECUTE
Definition Events.h:103
HIDDEN_HOOK_READ_AND_WRITE
@ HIDDEN_HOOK_READ_AND_WRITE
Definition Events.h:101
HIDDEN_HOOK_READ_AND_EXECUTE
@ HIDDEN_HOOK_READ_AND_EXECUTE
Definition Events.h:102
HIDDEN_HOOK_READ
@ HIDDEN_HOOK_READ
Definition Events.h:104
HIDDEN_HOOK_WRITE
@ HIDDEN_HOOK_WRITE
Definition Events.h:105
HIDDEN_HOOK_READ_AND_WRITE_AND_EXECUTE
@ HIDDEN_HOOK_READ_AND_WRITE_AND_EXECUTE
Definition Events.h:100
HIDDEN_HOOK_EXECUTE
@ HIDDEN_HOOK_EXECUTE
Definition Events.h:106
CommandMonitorHelp
VOID CommandMonitorHelp()
help of the !monitor command
Definition monitor.cpp:20
_DEBUGGER_EVENT_OPTIONS::OptionalParam3
UINT64 OptionalParam3
Definition Events.h:274
_DEBUGGER_GENERAL_EVENT_DETAIL::EventType
VMM_EVENT_TYPE_ENUM EventType
Definition Events.h:389

◆ CommandMsrread()

VOID CommandMsrread ( vector< string > SplitCommand,
string Command )

!msrread command handler

Parameters
SplitCommand
Command
Returns
VOID
47{
48 PDEBUGGER_GENERAL_EVENT_DETAIL Event = NULL;
49 PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger = NULL;
50 PDEBUGGER_GENERAL_ACTION ActionCustomCode = NULL;
51 PDEBUGGER_GENERAL_ACTION ActionScript = NULL;
52 UINT32 EventLength;
53 UINT32 ActionBreakToDebuggerLength = 0;
54 UINT32 ActionCustomCodeLength = 0;
55 UINT32 ActionScriptLength = 0;
56 UINT64 SpecialTarget = DEBUGGER_EVENT_MSR_READ_OR_WRITE_ALL_MSRS;
57 BOOLEAN GetAddress = FALSE;
58 vector<string> SplitCommandCaseSensitive {Split(Command, ' ')};
59 DEBUGGER_EVENT_PARSING_ERROR_CAUSE EventParsingErrorCause;
60
61 //
62 // Interpret and fill the general event and action fields
63 //
64 //
65 if (!InterpretGeneralEventAndActionsFields(
66 &SplitCommand,
67 &SplitCommandCaseSensitive,
68 RDMSR_INSTRUCTION_EXECUTION,
69 &Event,
70 &EventLength,
71 &ActionBreakToDebugger,
72 &ActionBreakToDebuggerLength,
73 &ActionCustomCode,
74 &ActionCustomCodeLength,
75 &ActionScript,
76 &ActionScriptLength,
77 &EventParsingErrorCause))
78 {
79 return;
80 }
81
82 //
83 // Interpret command specific details (if any), it is because we can use
84 // special msr bitmap here
85 //
86 for (auto Section : SplitCommand)
87 {
88 if (!Section.compare("!msrread") || !Section.compare("!msread"))
89 {
90 continue;
91 }
92 else if (!GetAddress)
93 {
94 //
95 // It's probably an msr
96 //
97 if (!ConvertStringToUInt64(Section, &SpecialTarget))
98 {
99 //
100 // Unknown parameter
101 //
102 ShowMessages("unknown parameter '%s'\n\n", Section.c_str());
103 CommandMsrreadHelp();
104
105 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
106 return;
107 }
108 else
109 {
110 GetAddress = TRUE;
111 }
112 }
113 else
114 {
115 //
116 // Unknown parameter
117 //
118 ShowMessages("unknown parameter '%s'\n\n", Section.c_str());
119 CommandMsrreadHelp();
120
121 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
122 return;
123 }
124 }
125
126 //
127 // Set the target msr (if not specific then it means all msrs)
128 //
129 Event->Options.OptionalParam1 = SpecialTarget;
130
131 //
132 // Send the ioctl to the kernel for event registration
133 //
134 if (!SendEventToKernel(Event, EventLength))
135 {
136 //
137 // There was an error, probably the handle was not initialized
138 // we have to free the Action before exit, it is because, we
139 // already freed the Event and string buffers
140 //
141
142 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
143 return;
144 }
145
146 //
147 // Add the event to the kernel
148 //
149 if (!RegisterActionToEvent(Event,
150 ActionBreakToDebugger,
151 ActionBreakToDebuggerLength,
152 ActionCustomCode,
153 ActionCustomCodeLength,
154 ActionScript,
155 ActionScriptLength))
156 {
157 //
158 // There was an error
159 //
160
161 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
162 return;
163 }
164}
DEBUGGER_EVENT_MSR_READ_OR_WRITE_ALL_MSRS
#define DEBUGGER_EVENT_MSR_READ_OR_WRITE_ALL_MSRS
Apply to all Model Specific Registers.
Definition Constants.h:623
RDMSR_INSTRUCTION_EXECUTION
@ RDMSR_INSTRUCTION_EXECUTION
Definition Events.h:128
CommandMsrreadHelp
VOID CommandMsrreadHelp()
help of the !msrread command
Definition msrread.cpp:20

◆ CommandMsrwrite()

VOID CommandMsrwrite ( vector< string > SplitCommand,
string Command )

!msrwrite command handler

Parameters
SplitCommand
Command
Returns
VOID
47{
48 PDEBUGGER_GENERAL_EVENT_DETAIL Event = NULL;
49 PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger = NULL;
50 PDEBUGGER_GENERAL_ACTION ActionCustomCode = NULL;
51 PDEBUGGER_GENERAL_ACTION ActionScript = NULL;
52 UINT32 EventLength;
53 UINT32 ActionBreakToDebuggerLength = 0;
54 UINT32 ActionCustomCodeLength = 0;
55 UINT32 ActionScriptLength = 0;
56 UINT64 SpecialTarget = DEBUGGER_EVENT_MSR_READ_OR_WRITE_ALL_MSRS;
57 BOOLEAN GetAddress = FALSE;
58 vector<string> SplitCommandCaseSensitive {Split(Command, ' ')};
59 DEBUGGER_EVENT_PARSING_ERROR_CAUSE EventParsingErrorCause;
60
61 //
62 // Interpret and fill the general event and action fields
63 //
64 //
65 if (!InterpretGeneralEventAndActionsFields(
66 &SplitCommand,
67 &SplitCommandCaseSensitive,
68 WRMSR_INSTRUCTION_EXECUTION,
69 &Event,
70 &EventLength,
71 &ActionBreakToDebugger,
72 &ActionBreakToDebuggerLength,
73 &ActionCustomCode,
74 &ActionCustomCodeLength,
75 &ActionScript,
76 &ActionScriptLength,
77 &EventParsingErrorCause))
78 {
79 return;
80 }
81
82 //
83 // Interpret command specific details (if any), it is because we can use
84 // special msr bitmap here
85 //
86 for (auto Section : SplitCommand)
87 {
88 if (!Section.compare("!msrwrite"))
89 {
90 continue;
91 }
92 else if (!GetAddress)
93 {
94 //
95 // It's probably an msr
96 //
97 if (!ConvertStringToUInt64(Section, &SpecialTarget))
98 {
99 //
100 // Unknown parameter
101 //
102 ShowMessages("unknown parameter '%s'\n\n", Section.c_str());
103 CommandMsrwriteHelp();
104
105 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
106 return;
107 }
108 else
109 {
110 GetAddress = TRUE;
111 }
112 }
113 else
114 {
115 //
116 // Unknown parameter
117 //
118 ShowMessages("unknown parameter '%s'\n\n", Section.c_str());
119 CommandMsrwriteHelp();
120
121 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
122 return;
123 }
124 }
125
126 //
127 // Set the target msr (if not specific then it means all msrs)
128 //
129 Event->Options.OptionalParam1 = SpecialTarget;
130
131 //
132 // Send the ioctl to the kernel for event registration
133 //
134 if (!SendEventToKernel(Event, EventLength))
135 {
136 //
137 // There was an error, probably the handle was not initialized
138 // we have to free the Action before exit, it is because, we
139 // already freed the Event and string buffers
140 //
141
142 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
143 return;
144 }
145
146 //
147 // Add the event to the kernel
148 //
149 if (!RegisterActionToEvent(Event,
150 ActionBreakToDebugger,
151 ActionBreakToDebuggerLength,
152 ActionCustomCode,
153 ActionCustomCodeLength,
154 ActionScript,
155 ActionScriptLength))
156 {
157 //
158 // There was an error
159 //
160
161 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
162 return;
163 }
164}
WRMSR_INSTRUCTION_EXECUTION
@ WRMSR_INSTRUCTION_EXECUTION
Definition Events.h:129
CommandMsrwriteHelp
VOID CommandMsrwriteHelp()
help of the !msrwrite command
Definition msrwrite.cpp:20

◆ CommandOutput()

VOID CommandOutput ( vector< string > SplitCommand,
string Command )

output command handler

Parameters
SplitCommand
Command
Returns
VOID
55{
56 PDEBUGGER_EVENT_FORWARDING EventForwardingObject;
57 DEBUGGER_EVENT_FORWARDING_TYPE Type;
58 DEBUGGER_OUTPUT_SOURCE_STATUS Status;
59 string DetailsOfSource;
60 UINT32 IndexToShowList;
61 PLIST_ENTRY TempList = 0;
62 BOOLEAN OutputSourceFound = FALSE;
63 HANDLE SourceHandle = INVALID_HANDLE_VALUE;
64 SOCKET Socket = NULL;
65 HMODULE Module = NULL;
66 vector<string> SplitCommandCaseSensitive {Split(Command, ' ')};
67
68 if (SplitCommand.size() <= 2)
69 {
70 ShowMessages("incorrect use of the 'output'\n\n");
71 CommandOutputHelp();
72 return;
73 }
74
75 //
76 // Check if the user needs a list of outputs or not
77 //
78 if (SplitCommand.size() == 1)
79 {
80 IndexToShowList = 0;
81
82 if (g_OutputSourcesInitialized)
83 {
84 TempList = &g_OutputSources;
85
86 while (&g_OutputSources != TempList->Blink)
87 {
88 TempList = TempList->Blink;
89
90 PDEBUGGER_EVENT_FORWARDING CurrentOutputSourceDetails =
91 CONTAINING_RECORD(TempList, DEBUGGER_EVENT_FORWARDING, OutputSourcesList);
92
93 //
94 // Increase index
95 //
96 IndexToShowList++;
97
98 string TempStateString = "";
99 string TempTypeString = "";
100
101 if (CurrentOutputSourceDetails->State ==
102 EVENT_FORWARDING_STATE_NOT_OPENED)
103 {
104 TempStateString = "not opened";
105 }
106 else if (CurrentOutputSourceDetails->State ==
107 EVENT_FORWARDING_STATE_OPENED)
108 {
109 TempStateString = "opened ";
110 }
111 else if (CurrentOutputSourceDetails->State ==
112 EVENT_FORWARDING_CLOSED)
113 {
114 TempStateString = "closed ";
115 }
116
117 if (CurrentOutputSourceDetails->Type == EVENT_FORWARDING_NAMEDPIPE)
118 {
119 TempTypeString = "namedpipe";
120 }
121 else if (CurrentOutputSourceDetails->Type == EVENT_FORWARDING_FILE)
122 {
123 TempTypeString = "file ";
124 }
125 else if (CurrentOutputSourceDetails->Type == EVENT_FORWARDING_TCP)
126 {
127 TempTypeString = "tcp ";
128 }
129 else if (CurrentOutputSourceDetails->Type == EVENT_FORWARDING_MODULE)
130 {
131 TempTypeString = "module ";
132 }
133
134 ShowMessages("%x %s %s\t%s\n", IndexToShowList, TempTypeString.c_str(), TempStateString.c_str(), CurrentOutputSourceDetails->Name);
135 }
136 }
137 else
138 {
139 ShowMessages("output forwarding list is empty\n");
140 }
141
142 return;
143 }
144
145 //
146 // Check if it's a create, open, or close
147 //
148 if (!SplitCommand.at(1).compare("create"))
149 {
150 //
151 // It's a create
152 //
153
154 //
155 // check if the parameters are okay for a create or not
156 //
157 if (SplitCommand.size() <= 4)
158 {
159 ShowMessages("incorrect use of the 'output'\n\n");
160 CommandOutputHelp();
161 return;
162 }
163
164 //
165 // Check for the type of the output source
166 //
167 if (!SplitCommand.at(3).compare("file"))
168 {
169 Type = EVENT_FORWARDING_FILE;
170 }
171 else if (!SplitCommand.at(3).compare("namedpipe"))
172 {
173 Type = EVENT_FORWARDING_NAMEDPIPE;
174 }
175 else if (!SplitCommand.at(3).compare("tcp"))
176 {
177 Type = EVENT_FORWARDING_TCP;
178 }
179 else if (!SplitCommand.at(3).compare("module"))
180 {
181 Type = EVENT_FORWARDING_MODULE;
182 }
183 else
184 {
185 ShowMessages("incorrect type near '%s'\n\n",
186 SplitCommand.at(3).c_str());
187 CommandOutputHelp();
188 return;
189 }
190
191 //
192 // Check to make sure that the name doesn't exceed the maximum character
193 //
194 if (SplitCommand.at(2).size() >=
195 MAXIMUM_CHARACTERS_FOR_EVENT_FORWARDING_NAME)
196 {
197 ShowMessages("name of the output cannot exceed form %d characters\n\n",
198 MAXIMUM_CHARACTERS_FOR_EVENT_FORWARDING_NAME);
199 CommandOutputHelp();
200 return;
201 }
202
203 //
204 // Search to see if there is another output source with the
205 // same name which we don't want to create two or more output
206 // sources with the same name
207 //
208 if (g_OutputSourcesInitialized)
209 {
210 TempList = &g_OutputSources;
211
212 while (&g_OutputSources != TempList->Flink)
213 {
214 TempList = TempList->Flink;
215
216 PDEBUGGER_EVENT_FORWARDING CurrentOutputSourceDetails =
217 CONTAINING_RECORD(TempList, DEBUGGER_EVENT_FORWARDING, OutputSourcesList);
218
219 if (strcmp(CurrentOutputSourceDetails->Name,
220 SplitCommandCaseSensitive.at(2).c_str()) == 0)
221 {
222 //
223 // Indicate that we found this item
224 //
225 OutputSourceFound = TRUE;
226
227 //
228 // No need to search through the list anymore
229 //
230 break;
231 }
232 }
233
234 //
235 // Check whether the entered name already exists
236 //
237 if (OutputSourceFound)
238 {
239 ShowMessages("err, the name you entered, already exists, please choose "
240 "another name\n");
241 return;
242 }
243 }
244
245 //
246 // try to open the source and get the handle
247 //
248 DetailsOfSource = Command.substr(Command.find(SplitCommandCaseSensitive.at(3)) +
249 SplitCommandCaseSensitive.at(3).size() + 1,
250 Command.size());
251
252 SourceHandle = ForwardingCreateOutputSource(Type, DetailsOfSource, &Socket, &Module);
253
254 //
255 // Check if it's a valid handle or not
256 //
257 if (SourceHandle == INVALID_HANDLE_VALUE)
258 {
259 ShowMessages(
260 "err, invalid address or cannot open or find the address\n");
261 return;
262 }
263
264 //
265 // allocate the buffer for storing the event forwarding details
266 //
267 EventForwardingObject =
268 (PDEBUGGER_EVENT_FORWARDING)malloc(sizeof(DEBUGGER_EVENT_FORWARDING));
269
270 if (EventForwardingObject == NULL)
271 {
272 ShowMessages("err, in allocating memory for event forwarding\n");
273 return;
274 }
275
276 RtlZeroMemory(EventForwardingObject, sizeof(DEBUGGER_EVENT_FORWARDING));
277
278 //
279 // Set the state
280 //
281 EventForwardingObject->State = EVENT_FORWARDING_STATE_NOT_OPENED;
282
283 //
284 // Set the type
285 //
286 EventForwardingObject->Type = Type;
287
288 //
289 // Get a new tag
290 //
291 EventForwardingObject->OutputUniqueTag = ForwardingGetNewOutputSourceTag();
292
293 //
294 // Set the handle or in the case of TCP, set the socket
295 // or if it's a module the set the module handle
296 //
297 if (Type == EVENT_FORWARDING_TCP)
298 {
299 EventForwardingObject->Socket = Socket;
300 }
301 else if (Type == EVENT_FORWARDING_MODULE)
302 {
303 EventForwardingObject->Module = Module;
304
305 //
306 // Handle is the function address
307 //
308 EventForwardingObject->Handle = SourceHandle;
309 }
310 else
311 {
312 EventForwardingObject->Handle = SourceHandle;
313 }
314
315 //
316 // Move the name of the output source to the buffer
317 //
318 strcpy_s(EventForwardingObject->Name, SplitCommandCaseSensitive.at(2).c_str());
319
320 //
321 // Check if list is initialized or not
322 //
323 if (!g_OutputSourcesInitialized)
324 {
325 g_OutputSourcesInitialized = TRUE;
326 InitializeListHead(&g_OutputSources);
327 }
328
329 //
330 // Add the source to the trace list
331 //
332 InsertHeadList(&g_OutputSources,
333 &(EventForwardingObject->OutputSourcesList));
334 }
335 else if (!SplitCommand.at(1).compare("open"))
336 {
337 //
338 // It's an open
339 //
340 if (!g_OutputSourcesInitialized)
341 {
342 ShowMessages("err, the name you entered, not found\n");
343 return;
344 }
345
346 //
347 // Now we should find the corresponding object in the memory and
348 // pass it to the global open functions
349 //
350 TempList = &g_OutputSources;
351
352 while (&g_OutputSources != TempList->Flink)
353 {
354 TempList = TempList->Flink;
355
356 PDEBUGGER_EVENT_FORWARDING CurrentOutputSourceDetails = CONTAINING_RECORD(
357 TempList,
358 DEBUGGER_EVENT_FORWARDING,
359 OutputSourcesList);
360
361 if (strcmp(CurrentOutputSourceDetails->Name,
362 SplitCommandCaseSensitive.at(2).c_str()) == 0)
363 {
364 //
365 // Indicate that we found this item
366 //
367 OutputSourceFound = TRUE;
368
369 //
370 // Open the output
371 //
372 Status = ForwardingOpenOutputSource(CurrentOutputSourceDetails);
373
374 if (Status == DEBUGGER_OUTPUT_SOURCE_STATUS_ALREADY_CLOSED)
375 {
376 ShowMessages("err, the name you entered was already closed\n");
377 return;
378 }
379 else if (Status == DEBUGGER_OUTPUT_SOURCE_STATUS_ALREADY_OPENED)
380 {
381 ShowMessages("err, the name you entered was already opened\n");
382 return;
383 }
384 else if (Status !=
385 DEBUGGER_OUTPUT_SOURCE_STATUS_SUCCESSFULLY_OPENED)
386 {
387 ShowMessages("err, unable to open the output source\n");
388 return;
389 }
390
391 //
392 // No need to search through the list anymore
393 //
394 break;
395 }
396 }
397
398 if (!OutputSourceFound)
399 {
400 ShowMessages("err, the name you entered, not found\n");
401 return;
402 }
403 }
404 else if (!SplitCommand.at(1).compare("close"))
405 {
406 //
407 // It's a close
408 //
409 if (!g_OutputSourcesInitialized)
410 {
411 ShowMessages("err, the name you entered, not found\n");
412 return;
413 }
414
415 //
416 // Now we should find the corresponding object in the memory and
417 // pass it to the global close functions
418 //
419 TempList = &g_OutputSources;
420
421 while (&g_OutputSources != TempList->Flink)
422 {
423 TempList = TempList->Flink;
424
425 PDEBUGGER_EVENT_FORWARDING CurrentOutputSourceDetails = CONTAINING_RECORD(
426 TempList,
427 DEBUGGER_EVENT_FORWARDING,
428 OutputSourcesList);
429
430 if (strcmp(CurrentOutputSourceDetails->Name,
431 SplitCommandCaseSensitive.at(2).c_str()) == 0)
432 {
433 //
434 // Indicate that we found this item
435 //
436 OutputSourceFound = TRUE;
437
438 //
439 // Close the output if it's not already closed
440 //
441 Status = ForwardingCloseOutputSource(CurrentOutputSourceDetails);
442
443 if (Status == DEBUGGER_OUTPUT_SOURCE_STATUS_ALREADY_CLOSED)
444 {
445 ShowMessages("err, the name you entered was already closed\n");
446 return;
447 }
448 else if (Status == DEBUGGER_OUTPUT_SOURCE_STATUS_UNKNOWN_ERROR)
449 {
450 ShowMessages("err, unable to close the source\n");
451 return;
452 }
453 else if (Status !=
454 DEBUGGER_OUTPUT_SOURCE_STATUS_SUCCESSFULLY_CLOSED)
455 {
456 ShowMessages("err, unable to close the source\n");
457 return;
458 }
459
460 //
461 // No need to search through the list anymore
462 //
463 break;
464 }
465 }
466
467 if (!OutputSourceFound)
468 {
469 ShowMessages("err, the name you entered, not found\n");
470 return;
471 }
472 }
473 else
474 {
475 //
476 // Invalid argument
477 //
478 ShowMessages("incorrect option at '%s'\n\n", SplitCommand.at(1).c_str());
479 CommandOutputHelp();
480 return;
481 }
482}
InitializeListHead
FORCEINLINE VOID InitializeListHead(_Out_ PLIST_ENTRY ListHead)
Definition Windows.h:41
InsertHeadList
FORCEINLINE VOID InsertHeadList(_Inout_ PLIST_ENTRY ListHead, _Inout_ PLIST_ENTRY Entry)
Definition Windows.h:115
ForwardingCloseOutputSource
DEBUGGER_OUTPUT_SOURCE_STATUS ForwardingCloseOutputSource(PDEBUGGER_EVENT_FORWARDING SourceDescriptor)
Closes the output source.
Definition forwarding.cpp:110
ForwardingOpenOutputSource
DEBUGGER_OUTPUT_SOURCE_STATUS ForwardingOpenOutputSource(PDEBUGGER_EVENT_FORWARDING SourceDescriptor)
Opens the output source.
Definition forwarding.cpp:40
ForwardingCreateOutputSource
VOID * ForwardingCreateOutputSource(DEBUGGER_EVENT_FORWARDING_TYPE SourceType, const string &Description, SOCKET *Socket, HMODULE *Module)
Create a new source (create handle from the source)
Definition forwarding.cpp:215
ForwardingGetNewOutputSourceTag
UINT64 ForwardingGetNewOutputSourceTag()
Get the output source tag and increase the global variable for tag.
Definition forwarding.cpp:28
EVENT_FORWARDING_STATE_OPENED
@ EVENT_FORWARDING_STATE_OPENED
Definition forwarding.h:54
EVENT_FORWARDING_CLOSED
@ EVENT_FORWARDING_CLOSED
Definition forwarding.h:55
EVENT_FORWARDING_STATE_NOT_OPENED
@ EVENT_FORWARDING_STATE_NOT_OPENED
Definition forwarding.h:53
DEBUGGER_EVENT_FORWARDING_TYPE
enum _DEBUGGER_EVENT_FORWARDING_TYPE DEBUGGER_EVENT_FORWARDING_TYPE
event forwarding type
MAXIMUM_CHARACTERS_FOR_EVENT_FORWARDING_NAME
#define MAXIMUM_CHARACTERS_FOR_EVENT_FORWARDING_NAME
maximum characters for event forwarding source names
Definition forwarding.h:32
DEBUGGER_OUTPUT_SOURCE_STATUS_SUCCESSFULLY_OPENED
@ DEBUGGER_OUTPUT_SOURCE_STATUS_SUCCESSFULLY_OPENED
Definition forwarding.h:67
DEBUGGER_OUTPUT_SOURCE_STATUS_UNKNOWN_ERROR
@ DEBUGGER_OUTPUT_SOURCE_STATUS_UNKNOWN_ERROR
Definition forwarding.h:71
DEBUGGER_OUTPUT_SOURCE_STATUS_ALREADY_OPENED
@ DEBUGGER_OUTPUT_SOURCE_STATUS_ALREADY_OPENED
Definition forwarding.h:69
DEBUGGER_OUTPUT_SOURCE_STATUS_SUCCESSFULLY_CLOSED
@ DEBUGGER_OUTPUT_SOURCE_STATUS_SUCCESSFULLY_CLOSED
Definition forwarding.h:68
DEBUGGER_OUTPUT_SOURCE_STATUS_ALREADY_CLOSED
@ DEBUGGER_OUTPUT_SOURCE_STATUS_ALREADY_CLOSED
Definition forwarding.h:70
DEBUGGER_OUTPUT_SOURCE_STATUS
enum _DEBUGGER_OUTPUT_SOURCE_STATUS DEBUGGER_OUTPUT_SOURCE_STATUS
output source status
EVENT_FORWARDING_TCP
@ EVENT_FORWARDING_TCP
Definition forwarding.h:42
EVENT_FORWARDING_MODULE
@ EVENT_FORWARDING_MODULE
Definition forwarding.h:43
EVENT_FORWARDING_FILE
@ EVENT_FORWARDING_FILE
Definition forwarding.h:41
EVENT_FORWARDING_NAMEDPIPE
@ EVENT_FORWARDING_NAMEDPIPE
Definition forwarding.h:40
PDEBUGGER_EVENT_FORWARDING
struct _DEBUGGER_EVENT_FORWARDING * PDEBUGGER_EVENT_FORWARDING
g_OutputSourcesInitialized
BOOLEAN g_OutputSourcesInitialized
it shows whether the debugger started using output sources or not or in other words,...
Definition globals.h:408
CommandOutputHelp
VOID CommandOutputHelp()
help of the output command
Definition output.cpp:26
g_OutputSources
LIST_ENTRY g_OutputSources
Holds a list of output sources created by output command.
Definition globals.h:417
_DEBUGGER_EVENT_FORWARDING
structures hold the detail of event forwarding
Definition forwarding.h:80
_DEBUGGER_EVENT_FORWARDING::OutputSourcesList
LIST_ENTRY OutputSourcesList
Definition forwarding.h:88
_DEBUGGER_EVENT_FORWARDING::Type
DEBUGGER_EVENT_FORWARDING_TYPE Type
Definition forwarding.h:81
_DEBUGGER_EVENT_FORWARDING::State
DEBUGGER_EVENT_FORWARDING_STATE State
Definition forwarding.h:82
_DEBUGGER_EVENT_FORWARDING::Name
CHAR Name[MAXIMUM_CHARACTERS_FOR_EVENT_FORWARDING_NAME]
Definition forwarding.h:89
_DEBUGGER_EVENT_FORWARDING::Socket
SOCKET Socket
Definition forwarding.h:84
_DEBUGGER_EVENT_FORWARDING::Module
HMODULE Module
Definition forwarding.h:85
_DEBUGGER_EVENT_FORWARDING::OutputUniqueTag
UINT64 OutputUniqueTag
Definition forwarding.h:86
_DEBUGGER_EVENT_FORWARDING::Handle
VOID * Handle
Definition forwarding.h:83

◆ CommandP()

VOID CommandP ( vector< string > SplitCommand,
string Command )

handler of p command

Parameters
SplitCommand
Command
Returns
VOID
53{
54 UINT32 StepCount;
55 DEBUGGER_REMOTE_STEPPING_REQUEST RequestFormat;
56
57 //
58 // Validate the commands
59 //
60 if (SplitCommand.size() != 1 && SplitCommand.size() != 2)
61 {
62 ShowMessages("incorrect use of the 'p'\n\n");
63 CommandPHelp();
64 return;
65 }
66
67 //
68 // Set type of request
69 //
70 RequestFormat = DEBUGGER_REMOTE_STEPPING_REQUEST_STEP_OVER;
71
72 //
73 // Check if the command has a counter parameter
74 //
75 if (SplitCommand.size() == 2)
76 {
77 if (!ConvertStringToUInt32(SplitCommand.at(1), &StepCount))
78 {
79 ShowMessages("please specify a correct hex value for [count]\n\n");
80 CommandPHelp();
81 return;
82 }
83 }
84 else
85 {
86 StepCount = 1;
87 }
88
89 //
90 // Check if the remote serial debuggee or user debugger are paused or not
91 //
92 if (g_IsSerialConnectedToRemoteDebuggee || g_ActiveProcessDebuggingState.IsActive)
93 {
94 //
95 // Check if the thread is paused or not
96 //
97 if (g_ActiveProcessDebuggingState.IsActive && !g_ActiveProcessDebuggingState.IsPaused)
98 {
99 ShowMessages("the target process is running, use the "
100 "'pause' command or press CTRL+C to pause the process\n");
101 return;
102 }
103
104 //
105 // Indicate that we're instrumenting
106 //
107 g_IsInstrumentingInstructions = TRUE;
108
109 for (size_t i = 0; i < StepCount; i++)
110 {
111 //
112 // For logging purpose
113 //
114 // ShowMessages("percentage : %f %% (%x)\n", 100.0 * (i /
115 // (float)StepCount), i);
116 //
117
118 if (g_IsSerialConnectedToRemoteDebuggee)
119 {
120 //
121 // It's stepping over serial connection in kernel debugger
122 //
123 KdSendStepPacketToDebuggee(RequestFormat);
124 }
125 else
126 {
127 //
128 // It's stepping over user debugger
129 //
130 UdSendStepPacketToDebuggee(g_ActiveProcessDebuggingState.ProcessDebuggingToken,
131 g_ActiveProcessDebuggingState.ThreadId,
132 RequestFormat);
133 }
134
135 if (!SplitCommand.at(0).compare("pr"))
136 {
137 //
138 // Show registers
139 //
140 HyperDbgRegisterShowAll();
141
142 if (i != StepCount - 1)
143 {
144 ShowMessages("\n");
145 }
146 }
147
148 //
149 // Check if user pressed CTRL+C
150 //
151 if (!g_IsInstrumentingInstructions)
152 {
153 break;
154 }
155 }
156
157 //
158 // We're not instrumenting instructions anymore
159 //
160 g_IsInstrumentingInstructions = FALSE;
161 }
162 else
163 {
164 ShowMessages("err, stepping (p) is not valid in the current context, you "
165 "should connect to a debuggee\n");
166 }
167}
DEBUGGER_REMOTE_STEPPING_REQUEST_STEP_OVER
@ DEBUGGER_REMOTE_STEPPING_REQUEST_STEP_OVER
Definition RequestStructures.h:996
g_IsInstrumentingInstructions
BOOLEAN g_IsInstrumentingInstructions
Shows whether the user is running 't', 'p', or 'i' command.
Definition globals.h:561
g_IsSerialConnectedToRemoteDebuggee
BOOLEAN g_IsSerialConnectedToRemoteDebuggee
Shows if the debugger was connected to remote debuggee over (A remote guest)
Definition globals.h:231
CommandPHelp
VOID CommandPHelp()
help of the p command
Definition p.cpp:27
g_ActiveProcessDebuggingState
ACTIVE_DEBUGGING_PROCESS g_ActiveProcessDebuggingState
State of active debugging thread.
Definition globals.h:362

◆ CommandPa2va()

VOID CommandPa2va ( vector< string > SplitCommand,
string Command )

!pa2va command handler

Parameters
SplitCommand
Command
Returns
VOID
49{
50 BOOL Status;
51 ULONG ReturnedLength;
52 UINT64 TargetPa;
53 UINT32 Pid = 0;
54 DEBUGGER_VA2PA_AND_PA2VA_COMMANDS AddressDetails = {0};
55 vector<string> SplitCommandCaseSensitive {Split(Command, ' ')};
56
57 if (SplitCommand.size() == 1 || SplitCommand.size() >= 5 ||
58 SplitCommand.size() == 3)
59 {
60 ShowMessages("incorrect use of the '!pa2va'\n\n");
61 CommandPa2vaHelp();
62 return;
63 }
64
65 //
66 // By default if the user-debugger is active, we use these commands
67 // on the memory layout of the debuggee process
68 //
69 if (g_ActiveProcessDebuggingState.IsActive)
70 {
71 Pid = g_ActiveProcessDebuggingState.ProcessId;
72 }
73
74 if (SplitCommand.size() == 2)
75 {
76 //
77 // It's just a address for current process
78 //
79 if (!SymbolConvertNameOrExprToAddress(SplitCommandCaseSensitive.at(1), &TargetPa))
80 {
81 //
82 // Couldn't resolve or unknown parameter
83 //
84 ShowMessages("err, couldn't resolve error at '%s'\n",
85 SplitCommandCaseSensitive.at(1).c_str());
86 return;
87 }
88 }
89 else
90 {
91 //
92 // It might be address + pid
93 //
94 if (!SplitCommand.at(1).compare("pid"))
95 {
96 if (!ConvertStringToUInt32(SplitCommand.at(2), &Pid))
97 {
98 ShowMessages("incorrect address, please enter a valid process id\n");
99 return;
100 }
101 if (!SymbolConvertNameOrExprToAddress(SplitCommandCaseSensitive.at(3), &TargetPa))
102 {
103 //
104 // Couldn't resolve or unknown parameter
105 //
106 ShowMessages("err, couldn't resolve error at '%s'\n",
107 SplitCommandCaseSensitive.at(3).c_str());
108 return;
109 }
110 }
111 else if (!SplitCommand.at(2).compare("pid"))
112 {
113 if (!SymbolConvertNameOrExprToAddress(SplitCommandCaseSensitive.at(1), &TargetPa))
114 {
115 //
116 // Couldn't resolve or unknown parameter
117 //
118 ShowMessages("err, couldn't resolve error at '%s'\n",
119 SplitCommandCaseSensitive.at(1).c_str());
120
121 return;
122 }
123 if (!ConvertStringToUInt32(SplitCommand.at(3), &Pid))
124 {
125 ShowMessages("incorrect address, please enter a valid process id\n");
126 return;
127 }
128 }
129 else
130 {
131 ShowMessages("incorrect use of the '!pa2va'\n\n");
132 CommandPa2vaHelp();
133 return;
134 }
135 }
136
137 //
138 // Prepare the buffer
139 // We use same buffer for input and output
140 //
141 AddressDetails.PhysicalAddress = TargetPa;
142 AddressDetails.ProcessId = Pid; // it's null if in debugger mode
143 AddressDetails.IsVirtual2Physical = FALSE;
144
145 if (g_IsSerialConnectedToRemoteDebuggee)
146 {
147 //
148 // Check to prevent using process id in !pa2va command
149 //
150 if (Pid != 0)
151 {
152 ShowMessages(ASSERT_MESSAGE_CANNOT_SPECIFY_PID);
153 return;
154 }
155
156 //
157 // Send the request over serial kernel debugger
158 //
159
160 KdSendVa2paAndPa2vaPacketToDebuggee(&AddressDetails);
161 }
162 else
163 {
164 AssertShowMessageReturnStmt(g_DeviceHandle, ASSERT_MESSAGE_DRIVER_NOT_LOADED, AssertReturn);
165
166 if (Pid == 0)
167 {
168 Pid = GetCurrentProcessId();
169 AddressDetails.ProcessId = Pid;
170 }
171
172 //
173 // Send IOCTL
174 //
175 Status = DeviceIoControl(
176 g_DeviceHandle, // Handle to device
177 IOCTL_DEBUGGER_VA2PA_AND_PA2VA_COMMANDS, // IO Control Code (IOCTL)
178 &AddressDetails, // Input Buffer to driver.
179 SIZEOF_DEBUGGER_VA2PA_AND_PA2VA_COMMANDS, // Input buffer length
180 &AddressDetails, // Output Buffer from driver.
181 SIZEOF_DEBUGGER_VA2PA_AND_PA2VA_COMMANDS, // Length of output
182 // buffer in bytes.
183 &ReturnedLength, // Bytes placed in buffer.
184 NULL // synchronous call
185 );
186
187 if (!Status)
188 {
189 ShowMessages("ioctl failed with code 0x%x\n", GetLastError());
190 return;
191 }
192
193 if (AddressDetails.KernelStatus == DEBUGGER_OPERATION_WAS_SUCCESSFUL)
194 {
195 //
196 // Show the results
197 //
198 ShowMessages("%llx\n", AddressDetails.VirtualAddress);
199 }
200 else
201 {
202 //
203 // An err occurred, no results
204 //
205 ShowErrorMessage(AddressDetails.KernelStatus);
206 }
207 }
208}
IOCTL_DEBUGGER_VA2PA_AND_PA2VA_COMMANDS
#define IOCTL_DEBUGGER_VA2PA_AND_PA2VA_COMMANDS
ioctl, for !va2pa and !pa2va commands
Definition Ioctls.h:127
SIZEOF_DEBUGGER_VA2PA_AND_PA2VA_COMMANDS
#define SIZEOF_DEBUGGER_VA2PA_AND_PA2VA_COMMANDS
Definition RequestStructures.h:46
ShowErrorMessage
BOOLEAN ShowErrorMessage(UINT32 Error)
shows the error message
Definition debugger.cpp:38
KdSendVa2paAndPa2vaPacketToDebuggee
BOOLEAN KdSendVa2paAndPa2vaPacketToDebuggee(PDEBUGGER_VA2PA_AND_PA2VA_COMMANDS Va2paAndPa2vaPacket)
Sends VA2PA and PA2VA packest, or '!va2pa' and '!pa2va' commands packet to the debuggee.
Definition kd.cpp:965
CommandPa2vaHelp
VOID CommandPa2vaHelp()
help of the !pa2va command
Definition pa2va.cpp:26
g_IsSerialConnectedToRemoteDebuggee
BOOLEAN g_IsSerialConnectedToRemoteDebuggee
Shows if the debugger was connected to remote debuggee over (A remote guest)
Definition globals.h:231
g_ActiveProcessDebuggingState
ACTIVE_DEBUGGING_PROCESS g_ActiveProcessDebuggingState
State of active debugging thread.
Definition globals.h:362
_DEBUGGER_VA2PA_AND_PA2VA_COMMANDS
requests for !va2pa and !pa2va commands
Definition RequestStructures.h:54
_DEBUGGER_VA2PA_AND_PA2VA_COMMANDS::IsVirtual2Physical
BOOLEAN IsVirtual2Physical
Definition RequestStructures.h:58
_DEBUGGER_VA2PA_AND_PA2VA_COMMANDS::KernelStatus
UINT32 KernelStatus
Definition RequestStructures.h:59
_DEBUGGER_VA2PA_AND_PA2VA_COMMANDS::PhysicalAddress
UINT64 PhysicalAddress
Definition RequestStructures.h:56
_DEBUGGER_VA2PA_AND_PA2VA_COMMANDS::ProcessId
UINT32 ProcessId
Definition RequestStructures.h:57
_DEBUGGER_VA2PA_AND_PA2VA_COMMANDS::VirtualAddress
UINT64 VirtualAddress
Definition RequestStructures.h:55

◆ CommandPagein()

VOID CommandPagein ( vector< string > SplitCommand,
string Command )

.pagein command handler

Parameters
SplitCommand
Command
Returns
VOID
265{
266 UINT32 Pid = 0;
267 UINT64 Length = 0;
268 UINT64 TargetAddressFrom = NULL;
269 UINT64 TargetAddressTo = NULL;
270 BOOLEAN IsNextProcessId = FALSE;
271 BOOLEAN IsFirstCommand = TRUE;
272 BOOLEAN IsNextLength = FALSE;
273 vector<string> SplitCommandCaseSensitive {Split(Command, ' ')};
274 UINT32 IndexInCommandCaseSensitive = 0;
275 PAGE_FAULT_EXCEPTION PageFaultErrorCode = {0};
276
277 //
278 // By default if the user-debugger is active, we use these commands
279 // on the memory layout of the debuggee process
280 //
281 if (g_ActiveProcessDebuggingState.IsActive)
282 {
283 Pid = g_ActiveProcessDebuggingState.ProcessId;
284 }
285
286 if (SplitCommand.size() == 1)
287 {
288 //
289 // Means that user entered one command without any parameter
290 //
291 ShowMessages("incorrect use of the '.pagein' command\n\n");
292 CommandPageinHelp();
293 return;
294 }
295
296 for (auto Section : SplitCommand)
297 {
298 IndexInCommandCaseSensitive++;
299
300 if (IsFirstCommand)
301 {
302 IsFirstCommand = FALSE;
303 continue;
304 }
305 if (IsNextProcessId == TRUE)
306 {
307 if (!ConvertStringToUInt32(Section, &Pid))
308 {
309 ShowMessages("err, you should enter a valid process id\n\n");
310 return;
311 }
312 IsNextProcessId = FALSE;
313 continue;
314 }
315
316 if (IsNextLength == TRUE)
317 {
318 if (!SymbolConvertNameOrExprToAddress(Section, &Length))
319 {
320 ShowMessages("err, you should enter a valid length\n\n");
321 return;
322 }
323 IsNextLength = FALSE;
324 continue;
325 }
326
327 if (!Section.compare("l"))
328 {
329 IsNextLength = TRUE;
330 continue;
331 }
332
333 // if (!Section.compare("pid"))
334 // {
335 // IsNextProcessId = TRUE;
336 // continue;
337 // }
338
339 //
340 // Probably it's address or mode string
341 //
342
343 if (CommandPageinCheckAndInterpretModeString(Section, &PageFaultErrorCode))
344 {
345 continue;
346 }
347 else if (TargetAddressFrom == 0)
348 {
349 if (!SymbolConvertNameOrExprToAddress(SplitCommandCaseSensitive.at(IndexInCommandCaseSensitive - 1),
350 &TargetAddressFrom))
351 {
352 //
353 // Couldn't resolve or unknown parameter
354 //
355 ShowMessages("err, couldn't resolve error at '%s'\n",
356 SplitCommandCaseSensitive.at(IndexInCommandCaseSensitive - 1).c_str());
357 return;
358 }
359 }
360 else
361 {
362 //
363 // User inserts two address
364 //
365 ShowMessages("err, incorrect use of the '.pagein' command\n\n");
366 CommandPageinHelp();
367
368 return;
369 }
370 }
371
372 if (!TargetAddressFrom)
373 {
374 //
375 // User inserts two address
376 //
377 ShowMessages("err, please enter a valid address\n\n");
378
379 return;
380 }
381
382 if (IsNextLength || IsNextProcessId)
383 {
384 ShowMessages("incorrect use of the '.pagein' command\n\n");
385 CommandPageinHelp();
386 return;
387 }
388
389 //
390 // If the user didn't specified a range, then only one page will be
391 // paged-in; so we use the same AddressFrom and AddressTo
392 //
393 if (Length == 0)
394 {
395 TargetAddressTo = TargetAddressFrom;
396 }
397 else
398 {
399 TargetAddressTo = TargetAddressFrom + Length;
400 }
401
402 //
403 // Send the request
404 //
405 // ShowMessages(".pagin address from: %llx -> to %llx, page-fault code: 0x%x, pid: %x, length: 0x%llx",
406 // TargetAddressFrom,
407 // TargetAddressTo,
408 // PageFaultErrorCode.AsUInt,
409 // Pid,
410 // Length);
411
412 //
413 // Request the page-in
414 //
415 CommandPageinRequest(TargetAddressFrom,
416 TargetAddressTo,
417 PageFaultErrorCode,
418 Pid);
419}
CommandPageinHelp
VOID CommandPageinHelp()
help of the .pagein command
Definition pagein.cpp:26
CommandPageinCheckAndInterpretModeString
BOOLEAN CommandPageinCheckAndInterpretModeString(const std::string &ModeString, PAGE_FAULT_EXCEPTION *PageFaultErrorCode)
Check whether the mode string is valid or not.
Definition pagein.cpp:81
CommandPageinRequest
VOID CommandPageinRequest(UINT64 TargetVirtualAddrFrom, UINT64 TargetVirtualAddrTo, PAGE_FAULT_EXCEPTION PageFaultErrorCode, UINT32 Pid)
request to bring the page(s) in
Definition pagein.cpp:171
g_ActiveProcessDebuggingState
ACTIVE_DEBUGGING_PROCESS g_ActiveProcessDebuggingState
State of active debugging thread.
Definition globals.h:362

◆ CommandPause()

VOID CommandPause ( vector< string > SplitCommand,
string Command )

pause command handler

Parameters
SplitCommand
Command
Returns
VOID
72{
73 if (SplitCommand.size() != 1)
74 {
75 ShowMessages("incorrect use of the 'pause'\n\n");
76 CommandPauseHelp();
77 return;
78 }
79
80 CommandPauseRequest();
81}
CommandPauseRequest
VOID CommandPauseRequest()
request to pause
Definition pause.cpp:40
CommandPauseHelp
VOID CommandPauseHelp()
help of the pause command
Definition pause.cpp:27

◆ CommandPe()

VOID CommandPe ( vector< string > SplitCommand,
string Command )

.pe command handler

Parameters
SplitCommand
Command
Returns
VOID
44{
45 BOOLEAN Is32Bit = FALSE;
46 wstring Filepath;
47 BOOLEAN ShowDumpOfSection = FALSE;
48
49 if (SplitCommand.size() <= 2)
50 {
51 ShowMessages("err, incorrect use of the '.pe' command\n\n");
52 CommandPeHelp();
53 return;
54 }
55
56 //
57 // Check for first option
58 //
59 if (!SplitCommand.at(1).compare("section"))
60 {
61 if (SplitCommand.size() == 3)
62 {
63 ShowMessages("please specify a valid PE file\n\n");
64 CommandPeHelp();
65 return;
66 }
67 ShowDumpOfSection = TRUE;
68 }
69 else if (!SplitCommand.at(1).compare("header"))
70 {
71 ShowDumpOfSection = FALSE;
72 }
73 else
74 {
75 //
76 // Couldn't resolve or unknown parameter
77 //
78 ShowMessages("err, couldn't resolve error at '%s'\n\n",
79 SplitCommand.at(1).c_str());
80 CommandPeHelp();
81 return;
82 }
83
84 //
85 // Trim the command
86 //
87 Trim(Command);
88
89 //
90 // Remove .pe from it
91 //
92 Command.erase(0, SplitCommand.at(0).size());
93
94 if (!ShowDumpOfSection)
95 {
96 //
97 // Remove header + space
98 //
99 Command.erase(0, 6 + 1);
100 }
101 else
102 {
103 //
104 // Remove section + space
105 //
106 Command.erase(0, 7 + 1);
107
108 //
109 // Remove the string param for section + space
110 //
111 Command.erase(0, SplitCommand.at(2).size() + 1);
112 }
113
114 //
115 // Trim it again
116 //
117 Trim(Command);
118
119 //
120 // Convert path to wstring
121 //
122 StringToWString(Filepath, Command);
123
124 //
125 // Detect whether PE is 32-bit or 64-bit
126 //
127 if (!PeIsPE32BitOr64Bit(Filepath.c_str(), &Is32Bit))
128 {
129 //
130 // File was invalid, the error message is shown in the above function
131 //
132 return;
133 }
134
135 //
136 // Parse PE file
137 //
138 if (!ShowDumpOfSection)
139 {
140 PeShowSectionInformationAndDump(Filepath.c_str(), NULL, Is32Bit);
141 }
142 else
143 {
144 PeShowSectionInformationAndDump(Filepath.c_str(), SplitCommand.at(2).c_str(), Is32Bit);
145 }
146}
PeIsPE32BitOr64Bit
BOOLEAN PeIsPE32BitOr64Bit(const WCHAR *AddressOfFile, PBOOLEAN Is32Bit)
Detect whether PE is a 32-bit PE or 64-bit PE.
Definition pe-parser.cpp:482
PeShowSectionInformationAndDump
BOOLEAN PeShowSectionInformationAndDump(const WCHAR *AddressOfFile, const CHAR *SectionToShow, BOOLEAN Is32Bit)
Show information about different sections of PE and the dump of sections.
Definition pe-parser.cpp:75
CommandPeHelp
VOID CommandPeHelp()
help of the .pe command
Definition pe.cpp:22

◆ CommandPmc()

VOID CommandPmc ( vector< string > SplitCommand,
string Command )

!pmc command handler

Parameters
SplitCommand
Command
Returns
VOID
46{
47 PDEBUGGER_GENERAL_EVENT_DETAIL Event = NULL;
48 PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger = NULL;
49 PDEBUGGER_GENERAL_ACTION ActionCustomCode = NULL;
50 PDEBUGGER_GENERAL_ACTION ActionScript = NULL;
51 UINT32 EventLength;
52 UINT32 ActionBreakToDebuggerLength = 0;
53 UINT32 ActionCustomCodeLength = 0;
54 UINT32 ActionScriptLength = 0;
55 vector<string> SplitCommandCaseSensitive {Split(Command, ' ')};
56 DEBUGGER_EVENT_PARSING_ERROR_CAUSE EventParsingErrorCause;
57
58 //
59 // Interpret and fill the general event and action fields
60 //
61 //
62 if (!InterpretGeneralEventAndActionsFields(
63 &SplitCommand,
64 &SplitCommandCaseSensitive,
65 PMC_INSTRUCTION_EXECUTION,
66 &Event,
67 &EventLength,
68 &ActionBreakToDebugger,
69 &ActionBreakToDebuggerLength,
70 &ActionCustomCode,
71 &ActionCustomCodeLength,
72 &ActionScript,
73 &ActionScriptLength,
74 &EventParsingErrorCause))
75 {
76 return;
77 }
78
79 //
80 // Check for size
81 //
82 if (SplitCommand.size() > 1)
83 {
84 ShowMessages("incorrect use of the '!pmc'\n");
85 CommandPmcHelp();
86
87 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
88 return;
89 }
90
91 //
92 // Send the ioctl to the kernel for event registration
93 //
94 if (!SendEventToKernel(Event, EventLength))
95 {
96 //
97 // There was an error, probably the handle was not initialized
98 // we have to free the Action before exit, it is because, we
99 // already freed the Event and string buffers
100 //
101
102 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
103 return;
104 }
105
106 //
107 // Add the event to the kernel
108 //
109 if (!RegisterActionToEvent(Event,
110 ActionBreakToDebugger,
111 ActionBreakToDebuggerLength,
112 ActionCustomCode,
113 ActionCustomCodeLength,
114 ActionScript,
115 ActionScriptLength))
116 {
117 //
118 // There was an error
119 //
120
121 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
122 return;
123 }
124}
PMC_INSTRUCTION_EXECUTION
@ PMC_INSTRUCTION_EXECUTION
Definition Events.h:152
CommandPmcHelp
VOID CommandPmcHelp()
help of the !pmc command
Definition pmc.cpp:20

◆ CommandPreactivate()

VOID CommandPreactivate ( vector< string > SplitCommand,
string Command )

preactivate command handler

Parameters
SplitCommand
Command
Returns
VOID
43{
44 BOOL Status;
45 ULONG ReturnedLength;
46 DEBUGGER_PREACTIVATE_COMMAND PreactivateRequest = {0};
47
48 if (SplitCommand.size() != 2)
49 {
50 ShowMessages("incorrect use of the 'Preactivate'\n\n");
51 CommandPreactivateHelp();
52 return;
53 }
54
55 //
56 // Set the type of preactivation
57 //
58 if (!SplitCommand.at(1).compare("mode") || !SplitCommand.at(1).compare("!mode"))
59 {
60 PreactivateRequest.Type = DEBUGGER_PREACTIVATE_COMMAND_TYPE_MODE;
61 }
62 else
63 {
64 //
65 // Couldn't resolve or unknown parameter
66 //
67 ShowMessages("err, couldn't resolve error at '%s'\n",
68 SplitCommand.at(1).c_str());
69 return;
70 }
71
72 AssertShowMessageReturnStmt(g_DeviceHandle, ASSERT_MESSAGE_DRIVER_NOT_LOADED, AssertReturn);
73
74 //
75 // Send IOCTL
76 //
77 Status = DeviceIoControl(
78 g_DeviceHandle, // Handle to device
79 IOCTL_PREACTIVATE_FUNCTIONALITY, // IO Control Code (IOCTL)
80 &PreactivateRequest, // Input Buffer to driver.
81 SIZEOF_DEBUGGER_PREACTIVATE_COMMAND, // Input buffer length
82 &PreactivateRequest, // Output Buffer from driver.
83 SIZEOF_DEBUGGER_PREACTIVATE_COMMAND, // Length of output
84 // buffer in bytes.
85 &ReturnedLength, // Bytes placed in buffer.
86 NULL // synchronous call
87 );
88
89 if (!Status)
90 {
91 ShowMessages("ioctl failed with code 0x%x\n", GetLastError());
92 return;
93 }
94
95 if (PreactivateRequest.KernelStatus == DEBUGGER_OPERATION_WAS_SUCCESSFUL)
96 {
97 ShowMessages("the requested service is activated successfully!\n");
98 }
99 else
100 {
101 //
102 // An err occurred, no results
103 //
104 ShowErrorMessage(PreactivateRequest.KernelStatus);
105 }
106}
IOCTL_PREACTIVATE_FUNCTIONALITY
#define IOCTL_PREACTIVATE_FUNCTIONALITY
ioctl, to preactivate a functionality
Definition Ioctls.h:289
DEBUGGER_PREACTIVATE_COMMAND_TYPE_MODE
@ DEBUGGER_PREACTIVATE_COMMAND_TYPE_MODE
Definition RequestStructures.h:190
SIZEOF_DEBUGGER_PREACTIVATE_COMMAND
#define SIZEOF_DEBUGGER_PREACTIVATE_COMMAND
Definition RequestStructures.h:194
CommandPreactivateHelp
VOID CommandPreactivateHelp()
help of the preactivate command
Definition preactivate.cpp:20
_DEBUGGER_PREACTIVATE_COMMAND
requests for the 'preactivate' command
Definition RequestStructures.h:202
_DEBUGGER_PREACTIVATE_COMMAND::KernelStatus
UINT32 KernelStatus
Definition RequestStructures.h:204
_DEBUGGER_PREACTIVATE_COMMAND::Type
DEBUGGER_PREACTIVATE_COMMAND_TYPE Type
Definition RequestStructures.h:203

◆ CommandPrealloc()

VOID CommandPrealloc ( vector< string > SplitCommand,
string Command )

prealloc command handler

Parameters
SplitCommand
Command
Returns
VOID
55{
56 BOOL Status;
57 ULONG ReturnedLength;
58 UINT64 Count;
59 DEBUGGER_PREALLOC_COMMAND PreallocRequest = {0};
60
61 if (SplitCommand.size() != 3)
62 {
63 ShowMessages("incorrect use of the 'prealloc'\n\n");
64 CommandPreallocHelp();
65 return;
66 }
67
68 //
69 // Set the type of pre-allocation
70 //
71 if (!SplitCommand.at(1).compare("thread-interception"))
72 {
73 PreallocRequest.Type = DEBUGGER_PREALLOC_COMMAND_TYPE_THREAD_INTERCEPTION;
74 }
75 else if (!SplitCommand.at(1).compare("monitor") || !SplitCommand.at(1).compare("!monitor"))
76 {
77 PreallocRequest.Type = DEBUGGER_PREALLOC_COMMAND_TYPE_MONITOR;
78 }
79 else if (!SplitCommand.at(1).compare("epthook") || !SplitCommand.at(1).compare("!epthook"))
80 {
81 PreallocRequest.Type = DEBUGGER_PREALLOC_COMMAND_TYPE_EPTHOOK;
82 }
83 else if (!SplitCommand.at(1).compare("epthook2") || !SplitCommand.at(1).compare("!epthook2"))
84 {
85 PreallocRequest.Type = DEBUGGER_PREALLOC_COMMAND_TYPE_EPTHOOK2;
86 }
87 else if (!SplitCommand.at(1).compare("regular-event"))
88 {
89 PreallocRequest.Type = DEBUGGER_PREALLOC_COMMAND_TYPE_REGULAR_EVENT;
90 }
91 else if (!SplitCommand.at(1).compare("big-event"))
92 {
93 PreallocRequest.Type = DEBUGGER_PREALLOC_COMMAND_TYPE_BIG_EVENT;
94 }
95 else if (!SplitCommand.at(1).compare("regular-safe-buffer"))
96 {
97 PreallocRequest.Type = DEBUGGER_PREALLOC_COMMAND_TYPE_REGULAR_SAFE_BUFFER;
98 }
99 else if (!SplitCommand.at(1).compare("big-safe-buffer"))
100 {
101 PreallocRequest.Type = DEBUGGER_PREALLOC_COMMAND_TYPE_BIG_SAFE_BUFFER;
102 }
103 else
104 {
105 //
106 // Couldn't resolve or unknown parameter
107 //
108 ShowMessages("err, couldn't resolve error at '%s'\n",
109 SplitCommand.at(1).c_str());
110 return;
111 }
112
113 //
114 // Get the count of needed pre-allocated buffers
115 //
116 if (!SymbolConvertNameOrExprToAddress(SplitCommand.at(2), &Count))
117 {
118 //
119 // Couldn't resolve or unknown parameter
120 //
121 ShowMessages("err, couldn't resolve error at '%s'\n",
122 SplitCommand.at(2).c_str());
123 return;
124 }
125
126 //
127 // Set the counter
128 //
129 PreallocRequest.Count = (UINT32)Count;
130
131 AssertShowMessageReturnStmt(g_DeviceHandle, ASSERT_MESSAGE_DRIVER_NOT_LOADED, AssertReturn);
132
133 //
134 // Send IOCTL
135 //
136 Status = DeviceIoControl(
137 g_DeviceHandle, // Handle to device
138 IOCTL_RESERVE_PRE_ALLOCATED_POOLS, // IO Control Code (IOCTL)
139 &PreallocRequest, // Input Buffer to driver.
140 SIZEOF_DEBUGGER_PREALLOC_COMMAND, // Input buffer length
141 &PreallocRequest, // Output Buffer from driver.
142 SIZEOF_DEBUGGER_PREALLOC_COMMAND, // Length of output
143 // buffer in bytes.
144 &ReturnedLength, // Bytes placed in buffer.
145 NULL // synchronous call
146 );
147
148 if (!Status)
149 {
150 ShowMessages("ioctl failed with code 0x%x\n", GetLastError());
151 return;
152 }
153
154 if (PreallocRequest.KernelStatus == DEBUGGER_OPERATION_WAS_SUCCESSFUL)
155 {
156 ShowMessages("the requested pools are allocated and reserved\n");
157 }
158 else
159 {
160 //
161 // An err occurred, no results
162 //
163 ShowErrorMessage(PreallocRequest.KernelStatus);
164 }
165}
IOCTL_RESERVE_PRE_ALLOCATED_POOLS
#define IOCTL_RESERVE_PRE_ALLOCATED_POOLS
ioctl, to reserve pre-allocated pools
Definition Ioctls.h:219
SIZEOF_DEBUGGER_PREALLOC_COMMAND
#define SIZEOF_DEBUGGER_PREALLOC_COMMAND
Definition RequestStructures.h:166
DEBUGGER_PREALLOC_COMMAND_TYPE_MONITOR
@ DEBUGGER_PREALLOC_COMMAND_TYPE_MONITOR
Definition RequestStructures.h:156
DEBUGGER_PREALLOC_COMMAND_TYPE_EPTHOOK2
@ DEBUGGER_PREALLOC_COMMAND_TYPE_EPTHOOK2
Definition RequestStructures.h:158
DEBUGGER_PREALLOC_COMMAND_TYPE_BIG_EVENT
@ DEBUGGER_PREALLOC_COMMAND_TYPE_BIG_EVENT
Definition RequestStructures.h:160
DEBUGGER_PREALLOC_COMMAND_TYPE_REGULAR_EVENT
@ DEBUGGER_PREALLOC_COMMAND_TYPE_REGULAR_EVENT
Definition RequestStructures.h:159
DEBUGGER_PREALLOC_COMMAND_TYPE_THREAD_INTERCEPTION
@ DEBUGGER_PREALLOC_COMMAND_TYPE_THREAD_INTERCEPTION
Definition RequestStructures.h:155
DEBUGGER_PREALLOC_COMMAND_TYPE_BIG_SAFE_BUFFER
@ DEBUGGER_PREALLOC_COMMAND_TYPE_BIG_SAFE_BUFFER
Definition RequestStructures.h:162
DEBUGGER_PREALLOC_COMMAND_TYPE_REGULAR_SAFE_BUFFER
@ DEBUGGER_PREALLOC_COMMAND_TYPE_REGULAR_SAFE_BUFFER
Definition RequestStructures.h:161
DEBUGGER_PREALLOC_COMMAND_TYPE_EPTHOOK
@ DEBUGGER_PREALLOC_COMMAND_TYPE_EPTHOOK
Definition RequestStructures.h:157
CommandPreallocHelp
VOID CommandPreallocHelp()
help of the prealloc command
Definition prealloc.cpp:20
_DEBUGGER_PREALLOC_COMMAND
requests for the 'prealloc' command
Definition RequestStructures.h:174
_DEBUGGER_PREALLOC_COMMAND::Type
DEBUGGER_PREALLOC_COMMAND_TYPE Type
Definition RequestStructures.h:175
_DEBUGGER_PREALLOC_COMMAND::KernelStatus
UINT32 KernelStatus
Definition RequestStructures.h:177
_DEBUGGER_PREALLOC_COMMAND::Count
UINT32 Count
Definition RequestStructures.h:176

◆ CommandPrint()

VOID CommandPrint ( vector< string > SplitCommand,
string Command )

handler of print command

Parameters
SplitCommand
Command
Returns
VOID
47{
48 PVOID CodeBuffer;
49 UINT64 BufferAddress;
50 UINT32 BufferLength;
51 UINT32 Pointer;
52
53 if (SplitCommand.size() == 1)
54 {
55 ShowMessages("incorrect use of the 'print'\n\n");
56 CommandPrintHelp();
57 return;
58 }
59
60 //
61 // Trim the command
62 //
63 Trim(Command);
64
65 //
66 // Remove print from it
67 //
68 Command.erase(0, SplitCommand.at(0).size());
69
70 //
71 // Trim it again
72 //
73 Trim(Command);
74
75 //
76 // Prepend and append 'print(' and ')'
77 //
78 Command.insert(0, "print(");
79 Command.append(");");
80
81 if (g_IsSerialConnectedToRemoteDebuggee)
82 {
83 //
84 // Send over serial
85 //
86
87 //
88 // Run script engine handler
89 //
90 CodeBuffer = ScriptEngineParseWrapper((char *)Command.c_str(), TRUE);
91
92 if (CodeBuffer == NULL)
93 {
94 //
95 // return to show that this item contains an script
96 //
97 return;
98 }
99
100 //
101 // Print symbols (test)
102 //
103 // PrintSymbolBufferWrapper(CodeBuffer);
104
105 //
106 // Set the buffer and length
107 //
108 BufferAddress = ScriptEngineWrapperGetHead(CodeBuffer);
109 BufferLength = ScriptEngineWrapperGetSize(CodeBuffer);
110 Pointer = ScriptEngineWrapperGetPointer(CodeBuffer);
111
112 //
113 // Send it to the remote debuggee
114 //
115 KdSendScriptPacketToDebuggee(BufferAddress, BufferLength, Pointer, FALSE);
116
117 //
118 // Remove the buffer of script engine interpreted code
119 //
120 ScriptEngineWrapperRemoveSymbolBuffer(CodeBuffer);
121
122 ShowMessages("\n");
123 }
124 else
125 {
126 //
127 // error
128 //
129 ShowMessages("err, you're not connected to any debuggee\n");
130 }
131}
CommandPrintHelp
VOID CommandPrintHelp()
help of the print command
Definition print.cpp:28
g_IsSerialConnectedToRemoteDebuggee
BOOLEAN g_IsSerialConnectedToRemoteDebuggee
Shows if the debugger was connected to remote debuggee over (A remote guest)
Definition globals.h:231

◆ CommandProcess()

VOID CommandProcess ( vector< string > SplitCommand,
string Command )

.process command handler

Parameters
SplitCommand
Command
Returns
VOID
57{
58 UINT32 TargetProcessId = 0;
59 UINT64 TargetProcess = 0;
60 UINT64 AddressOfActiveProcessHead = 0; // nt!PsActiveProcessHead
61 UINT32 OffsetOfImageFileName = 0; // nt!_EPROCESS.ImageFileName
62 UINT32 OffsetOfUniqueProcessId = 0; // nt!_EPROCESS.UniqueProcessId
63 UINT32 OffsetOfActiveProcessLinks = 0; // nt!_EPROCESS.ActiveProcessLinks
64 BOOLEAN ResultOfGettingOffsets = FALSE;
65 BOOLEAN IsSetByClkIntr = FALSE;
66 DEBUGGEE_PROCESS_LIST_NEEDED_DETAILS ProcessListNeededItems = {0};
67
68 if (SplitCommand.size() >= 4)
69 {
70 ShowMessages("incorrect use of the '.process'\n\n");
71 CommandProcessHelp();
72 return;
73 }
74
75 if (SplitCommand.size() == 1)
76 {
77 //
78 // Check if it's connected to a remote debuggee or not
79 //
80 if (!g_IsSerialConnectedToRemoteDebuggee)
81 {
82 //
83 // Get the process details in VMI mode
84 //
85 ObjectShowProcessesOrThreadDetails(TRUE);
86 }
87 else
88 {
89 //
90 // Send the packet to get current process
91 //
92 KdSendSwitchProcessPacketToDebuggee(DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_GET_PROCESS_DETAILS,
93 NULL,
94 NULL,
95 FALSE,
96 NULL);
97 }
98 }
99 else if (SplitCommand.size() == 2)
100 {
101 if (!SplitCommand.at(1).compare("list"))
102 {
103 //
104 // Query for nt!_EPROCESS.ImageFileName, nt!_EPROCESS.UniqueProcessId,
105 // nt!_EPROCESS.UniqueProcessId offset from the top of nt!_EPROCESS,
106 // and nt!PsActiveProcessHead address and check if we find them or not,
107 // otherwise, it means that the PDB for ntoskrnl.exe is not available
108 //
109 if (ScriptEngineGetFieldOffsetWrapper((CHAR *)"nt!_EPROCESS", (CHAR *)"ActiveProcessLinks", &OffsetOfActiveProcessLinks) &&
110 ScriptEngineGetFieldOffsetWrapper((CHAR *)"nt!_EPROCESS", (CHAR *)"ImageFileName", &OffsetOfImageFileName) &&
111 ScriptEngineGetFieldOffsetWrapper((CHAR *)"nt!_EPROCESS", (CHAR *)"UniqueProcessId", &OffsetOfUniqueProcessId) &&
112 SymbolConvertNameOrExprToAddress("nt!PsActiveProcessHead", &AddressOfActiveProcessHead))
113 {
114 //
115 // For test offsets and addresses
116 //
117
118 /*
119 ShowMessages("Address of ActiveProcessHead : %llx\n", AddressOfActiveProcessHead);
120 ShowMessages("Offset Of ActiveProcessLinks : 0x%x\n", OffsetOfActiveProcessLinks);
121 ShowMessages("Offset Of ImageFileName : 0x%x\n", OffsetOfImageFileName);
122 ShowMessages("Offset Of UniqueProcessId : 0x%x\n", OffsetOfUniqueProcessId);
123 */
124
125 ProcessListNeededItems.PsActiveProcessHead = AddressOfActiveProcessHead;
126 ProcessListNeededItems.ActiveProcessLinksOffset = OffsetOfActiveProcessLinks;
127 ProcessListNeededItems.ImageFileNameOffset = OffsetOfImageFileName;
128 ProcessListNeededItems.UniquePidOffset = OffsetOfUniqueProcessId;
129
130 if (!g_IsSerialConnectedToRemoteDebuggee)
131 {
132 //
133 // Get list of processes in VMI mode
134 //
135 ObjectShowProcessesOrThreadList(TRUE,
136 &ProcessListNeededItems,
137 NULL,
138 NULL);
139 }
140 else
141 {
142 //
143 // Send the packet to show list of process
144 //
145 KdSendSwitchProcessPacketToDebuggee(DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_GET_PROCESS_LIST,
146 NULL,
147 NULL,
148 FALSE,
149 &ProcessListNeededItems);
150 }
151 }
152 else
153 {
154 ShowMessages("err, the need offset to iterate over processes not found, "
155 "make sure to load ntoskrnl.exe's PDB file. use '.help .sym' for "
156 "more information\n");
157 return;
158 }
159 }
160 else
161 {
162 ShowMessages(
163 "err, unknown parameter at '%s'\n\n",
164 SplitCommand.at(1).c_str());
165 CommandProcessHelp();
166 return;
167 }
168 }
169 else if (SplitCommand.size() == 3)
170 {
171 //
172 // Check if it's connected to a remote debuggee or not
173 //
174 if (!g_IsSerialConnectedToRemoteDebuggee)
175 {
176 ShowMessages("err, you're not connected to any debuggee in Debugger Mode, "
177 "you can use the '.attach', or the '.detach' commands if you're "
178 "operating in VMI Mode\n");
179 return;
180 }
181
182 if (!SplitCommand.at(1).compare("pid"))
183 {
184 if (!ConvertStringToUInt32(SplitCommand.at(2), &TargetProcessId))
185 {
186 ShowMessages(
187 "please specify a correct hex value for the process id that you "
188 "want to operate on it\n\n");
189 CommandProcessHelp();
190 return;
191 }
192 }
193 else if (!SplitCommand.at(1).compare("process"))
194 {
195 if (!SymbolConvertNameOrExprToAddress(SplitCommand.at(2), &TargetProcess))
196 {
197 ShowMessages(
198 "please specify a correct hex value for the process (nt!_EPROCESS) that you "
199 "want to operate on it\n\n");
200 CommandProcessHelp();
201 return;
202 }
203 }
204 else
205 {
206 ShowMessages(
207 "err, unknown parameter at '%s'\n\n",
208 SplitCommand.at(2).c_str());
209 CommandProcessHelp();
210 return;
211 }
212
213 //
214 // Check for switching method
215 //
216 if (!SplitCommand.at(0).compare(".process2"))
217 {
218 IsSetByClkIntr = FALSE;
219 }
220 else
221 {
222 IsSetByClkIntr = TRUE;
223 }
224
225 //
226 // Send the packet to change process
227 //
228 KdSendSwitchProcessPacketToDebuggee(DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_PERFORM_SWITCH,
229 TargetProcessId,
230 TargetProcess,
231 IsSetByClkIntr,
232 NULL);
233 }
234 else
235 {
236 ShowMessages("invalid parameter\n\n");
237 CommandProcessHelp();
238 return;
239 }
240}
DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_GET_PROCESS_DETAILS
@ DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_GET_PROCESS_DETAILS
Definition RequestStructures.h:912
DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_GET_PROCESS_LIST
@ DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_GET_PROCESS_LIST
Definition RequestStructures.h:913
DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_PERFORM_SWITCH
@ DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_PERFORM_SWITCH
Definition RequestStructures.h:914
KdSendSwitchProcessPacketToDebuggee
BOOLEAN KdSendSwitchProcessPacketToDebuggee(DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_TYPE ActionType, UINT32 NewPid, UINT64 NewProcess, BOOLEAN SetChangeByClockInterrupt, PDEBUGGEE_PROCESS_LIST_NEEDED_DETAILS SymDetailsForProcessList)
Sends a change process or show process details packet to the debuggee.
Definition kd.cpp:805
ObjectShowProcessesOrThreadList
BOOLEAN ObjectShowProcessesOrThreadList(BOOLEAN IsProcess, PDEBUGGEE_PROCESS_LIST_NEEDED_DETAILS SymDetailsForProcessList, UINT64 Eprocess, PDEBUGGEE_THREAD_LIST_NEEDED_DETAILS SymDetailsForThreadList)
Get details about processes or threads.
Definition objects.cpp:138
ObjectShowProcessesOrThreadDetails
BOOLEAN ObjectShowProcessesOrThreadDetails(BOOLEAN IsProcess)
Get details about processes or threads.
Definition objects.cpp:26
CommandProcessHelp
VOID CommandProcessHelp()
help of the .process command
Definition process.cpp:25
g_IsSerialConnectedToRemoteDebuggee
BOOLEAN g_IsSerialConnectedToRemoteDebuggee
Shows if the debugger was connected to remote debuggee over (A remote guest)
Definition globals.h:231
ScriptEngineGetFieldOffsetWrapper
BOOLEAN ScriptEngineGetFieldOffsetWrapper(CHAR *TypeName, CHAR *FieldName, UINT32 *FieldOffset)
ScriptEngineGetFieldOffset wrapper.
Definition script-engine-wrapper.cpp:131
_DEBUGGEE_PROCESS_LIST_NEEDED_DETAILS
The structure of needed information to get the details of the process from nt!_EPROCESS and location ...
Definition RequestStructures.h:684
_DEBUGGEE_PROCESS_LIST_NEEDED_DETAILS::UniquePidOffset
ULONG UniquePidOffset
Definition RequestStructures.h:687
_DEBUGGEE_PROCESS_LIST_NEEDED_DETAILS::ImageFileNameOffset
ULONG ImageFileNameOffset
Definition RequestStructures.h:686
_DEBUGGEE_PROCESS_LIST_NEEDED_DETAILS::ActiveProcessLinksOffset
ULONG ActiveProcessLinksOffset
Definition RequestStructures.h:688
_DEBUGGEE_PROCESS_LIST_NEEDED_DETAILS::PsActiveProcessHead
UINT64 PsActiveProcessHead
Definition RequestStructures.h:685

◆ CommandPte()

VOID CommandPte ( vector< string > SplitCommand,
string Command )

!pte command handler

Parameters
SplitCommand
Command
Returns
VOID
92{
93 BOOL Status;
94 ULONG ReturnedLength;
95 UINT64 TargetVa;
96 UINT32 Pid = 0;
97 DEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS AddressDetails = {0};
98 vector<string> SplitCommandCaseSensitive {Split(Command, ' ')};
99
100 if (SplitCommand.size() == 1 || SplitCommand.size() >= 5 ||
101 SplitCommand.size() == 3)
102 {
103 ShowMessages("incorrect use of the '!pte'\n\n");
104 CommandPteHelp();
105 return;
106 }
107
108 //
109 // By default if the user-debugger is active, we use these commands
110 // on the memory layout of the debuggee process
111 //
112 if (g_ActiveProcessDebuggingState.IsActive)
113 {
114 Pid = g_ActiveProcessDebuggingState.ProcessId;
115 }
116
117 if (SplitCommand.size() == 2)
118 {
119 //
120 // It's just an address for current process
121 //
122 if (!SymbolConvertNameOrExprToAddress(SplitCommandCaseSensitive.at(1), &TargetVa))
123 {
124 //
125 // Couldn't resolve or unknown parameter
126 //
127 ShowMessages("err, couldn't resolve error at '%s'\n",
128 SplitCommandCaseSensitive.at(1).c_str());
129 return;
130 }
131 }
132 else
133 {
134 //
135 // It might be address + pid
136 //
137 if (!SplitCommand.at(1).compare("pid"))
138 {
139 if (!ConvertStringToUInt32(SplitCommand.at(2), &Pid))
140 {
141 ShowMessages("incorrect address, please enter a valid process id\n");
142 return;
143 }
144
145 if (!SymbolConvertNameOrExprToAddress(SplitCommandCaseSensitive.at(3), &TargetVa))
146 {
147 //
148 // Couldn't resolve or unknown parameter
149 //
150 ShowMessages("err, couldn't resolve error at '%s'\n",
151 SplitCommandCaseSensitive.at(3).c_str());
152 return;
153 }
154 }
155 else if (!SplitCommand.at(2).compare("pid"))
156 {
157 if (!SymbolConvertNameOrExprToAddress(SplitCommandCaseSensitive.at(1), &TargetVa))
158 {
159 //
160 // Couldn't resolve or unknown parameter
161 //
162 ShowMessages("err, couldn't resolve error at '%s'\n\n",
163 SplitCommandCaseSensitive.at(1).c_str());
164 return;
165 }
166
167 if (!ConvertStringToUInt32(SplitCommand.at(3), &Pid))
168 {
169 ShowMessages("incorrect address, please enter a valid process id\n");
170 return;
171 }
172 }
173 else
174 {
175 ShowMessages("incorrect use of the '!pte'\n\n");
176 CommandPteHelp();
177 return;
178 }
179 }
180
181 //
182 // Prepare the buffer
183 // We use same buffer for input and output
184 //
185 AddressDetails.VirtualAddress = TargetVa;
186 AddressDetails.ProcessId = Pid; // null in debugger mode
187
188 if (g_IsSerialConnectedToRemoteDebuggee)
189 {
190 //
191 // Check to prevent using process id in !pte command
192 //
193 if (Pid != 0)
194 {
195 ShowMessages(ASSERT_MESSAGE_CANNOT_SPECIFY_PID);
196 return;
197 }
198
199 //
200 // Send the request over serial kernel debugger
201 //
202
203 KdSendPtePacketToDebuggee(&AddressDetails);
204 }
205 else
206 {
207 AssertShowMessageReturnStmt(g_DeviceHandle, ASSERT_MESSAGE_DRIVER_NOT_LOADED, AssertReturn);
208
209 if (Pid == 0)
210 {
211 Pid = GetCurrentProcessId();
212 AddressDetails.ProcessId = Pid;
213 }
214
215 //
216 // Send IOCTL
217 //
218 Status = DeviceIoControl(
219 g_DeviceHandle, // Handle to device
220 IOCTL_DEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS, // IO Control Code (IOCTL)
221 &AddressDetails, // Input Buffer to driver.
222 SIZEOF_DEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS, // Input buffer length
223 &AddressDetails, // Output Buffer from driver.
224 SIZEOF_DEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS, // Length of output
225 // buffer in bytes.
226 &ReturnedLength, // Bytes placed in buffer.
227 NULL // synchronous call
228 );
229
230 if (!Status)
231 {
232 ShowMessages("ioctl failed with code 0x%x\n", GetLastError());
233 return;
234 }
235
236 if (AddressDetails.KernelStatus != DEBUGGER_OPERATION_WAS_SUCCESSFUL)
237 {
238 ShowErrorMessage(AddressDetails.KernelStatus);
239 return;
240 }
241
242 //
243 // Show the results
244 //
245 CommandPteShowResults(TargetVa, &AddressDetails);
246 }
247}
IOCTL_DEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS
#define IOCTL_DEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS
ioctl, request to read page table entries
Definition Ioctls.h:99
SIZEOF_DEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS
#define SIZEOF_DEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS
Definition RequestStructures.h:14
KdSendPtePacketToDebuggee
BOOLEAN KdSendPtePacketToDebuggee(PDEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS PtePacket)
Sends a PTE or '!pte' command packet to the debuggee.
Definition kd.cpp:907
CommandPteHelp
VOID CommandPteHelp()
help of the !pte command
Definition pte.cpp:26
CommandPteShowResults
VOID CommandPteShowResults(UINT64 TargetVa, PDEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS PteRead)
show results of !pte command
Definition pte.cpp:47
g_IsSerialConnectedToRemoteDebuggee
BOOLEAN g_IsSerialConnectedToRemoteDebuggee
Shows if the debugger was connected to remote debuggee over (A remote guest)
Definition globals.h:231
g_ActiveProcessDebuggingState
ACTIVE_DEBUGGING_PROCESS g_ActiveProcessDebuggingState
State of active debugging thread.
Definition globals.h:362
_DEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS
request for !pte command
Definition RequestStructures.h:22
_DEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS::VirtualAddress
UINT64 VirtualAddress
Definition RequestStructures.h:23
_DEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS::ProcessId
UINT32 ProcessId
Definition RequestStructures.h:24
_DEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS::KernelStatus
UINT32 KernelStatus
Definition RequestStructures.h:38

◆ CommandPteShowResults()

VOID CommandPteShowResults ( UINT64 TargetVa,
PDEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS PteRead )

show results of !pte command

Parameters
TargetVa
PteRead
Returns
VOID
48{
49 /*
50 VA fffff8003abc9370
51 PXE at FFFF83C1E0F07F80 PPE at FFFF83C1E0FF0000 PDE at
52 FFFF83C1FE000EA8 PTE at FFFF83FC001D5E48 contains 0000000004108063
53 contains 0000000004109063 contains 00000000026008E3 contains
54 0000000000000000 pfn 4108 ---DA--KWEV pfn 4109 ---DA--KWEV pfn
55 2600 --LDA--KWEV LARGE PAGE pfn 27c9
56 */
57 ShowMessages("VA %llx\n", TargetVa);
58 ShowMessages("PML4E (PXE) at %016llx\tcontains %016llx\nPDPTE (PPE) at "
59 "%016llx\tcontains "
60 "%016llx\nPDE at %016llx\tcontains %016llx\n",
61 PteRead->Pml4eVirtualAddress,
62 PteRead->Pml4eValue,
63 PteRead->PdpteVirtualAddress,
64 PteRead->PdpteValue,
65 PteRead->PdeVirtualAddress,
66 PteRead->PdeValue);
67
68 //
69 // Check if it's a large PDE
70 //
71 if (PteRead->PdeVirtualAddress == PteRead->PteVirtualAddress)
72 {
73 ShowMessages("PDE is a large page, so it doesn't have a PTE\n");
74 }
75 else
76 {
77 ShowMessages("PTE at %016llx\tcontains %016llx\n",
78 PteRead->PteVirtualAddress,
79 PteRead->PteValue);
80 }
81}
_DEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS::PdeValue
UINT64 PdeValue
Definition RequestStructures.h:33
_DEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS::PdpteValue
UINT64 PdpteValue
Definition RequestStructures.h:30
_DEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS::PdpteVirtualAddress
UINT64 PdpteVirtualAddress
Definition RequestStructures.h:29
_DEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS::PteVirtualAddress
UINT64 PteVirtualAddress
Definition RequestStructures.h:35
_DEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS::Pml4eValue
UINT64 Pml4eValue
Definition RequestStructures.h:27
_DEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS::Pml4eVirtualAddress
UINT64 Pml4eVirtualAddress
Definition RequestStructures.h:26
_DEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS::PteValue
UINT64 PteValue
Definition RequestStructures.h:36
_DEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS::PdeVirtualAddress
UINT64 PdeVirtualAddress
Definition RequestStructures.h:32

◆ CommandR()

VOID CommandR ( vector< string > SplitCommand,
string Command )

◆ CommandRdmsr()

VOID CommandRdmsr ( vector< string > SplitCommand,
string Command )

rdmsr command handler

Parameters
SplitCommand
Command
Returns
VOID
115{
116 BOOL Status;
117 SIZE_T NumCPU;
118 DEBUGGER_READ_AND_WRITE_ON_MSR MsrReadRequest;
119 ULONG ReturnedLength;
120 UINT64 Msr;
121 BOOL IsNextCoreId = FALSE;
122 BOOL SetMsr = FALSE;
123 UINT32 CoreNumer = DEBUGGER_READ_AND_WRITE_ON_MSR_APPLY_ALL_CORES;
124 BOOLEAN IsFirstCommand = TRUE;
125
126 if (SplitCommand.size() >= 5)
127 {
128 ShowMessages("incorrect use of the 'rdmsr'\n\n");
129 CommandRdmsrHelp();
130 return;
131 }
132
133 for (auto Section : SplitCommand)
134 {
135 if (IsFirstCommand == TRUE)
136 {
137 IsFirstCommand = FALSE;
138 continue;
139 }
140
141 if (IsNextCoreId)
142 {
143 if (!ConvertStringToUInt32(Section, &CoreNumer))
144 {
145 ShowMessages("please specify a correct hex value for core id\n\n");
146 CommandRdmsrHelp();
147 return;
148 }
149 IsNextCoreId = FALSE;
150 continue;
151 }
152
153 if (!Section.compare("core"))
154 {
155 IsNextCoreId = TRUE;
156 continue;
157 }
158
159 if (SetMsr || !ConvertStringToUInt64(Section, &Msr))
160 {
161 ShowMessages("please specify a correct hex value to be read\n\n");
162 CommandRdmsrHelp();
163 return;
164 }
165 SetMsr = TRUE;
166 }
167
168 //
169 // Check if msr is set or not
170 //
171 if (!SetMsr)
172 {
173 ShowMessages("please specify a correct hex value to be read\n\n");
174 CommandRdmsrHelp();
175 return;
176 }
177 if (IsNextCoreId)
178 {
179 ShowMessages("please specify a correct hex value for core\n\n");
180 CommandRdmsrHelp();
181 return;
182 }
183
184 AssertShowMessageReturnStmt(g_DeviceHandle, ASSERT_MESSAGE_DRIVER_NOT_LOADED, AssertReturn);
185
186 MsrReadRequest.ActionType = DEBUGGER_MSR_READ;
187 MsrReadRequest.Msr = Msr;
188 MsrReadRequest.CoreNumber = CoreNumer;
189
190 //
191 // Find logical cores count
192 //
193 SIZE_T NumCores = GetWindowsNumaNumberOfCores();
194 NumCPU = NumCores > 0 ? NumCores : GetWindowsCompatibleNumberOfCores();
195
196 //
197 // allocate buffer for transferring messages
198 //
199 UINT64 * OutputBuffer = (UINT64 *)malloc(sizeof(UINT64) * NumCPU);
200
201 ZeroMemory(OutputBuffer, sizeof(UINT64) * NumCPU);
202
203 Status = DeviceIoControl(
204 g_DeviceHandle, // Handle to device
205 IOCTL_DEBUGGER_READ_OR_WRITE_MSR, // IO Control Code (IOCTL)
206 &MsrReadRequest, // Input Buffer to driver.
207 SIZEOF_DEBUGGER_READ_AND_WRITE_ON_MSR, // Input buffer length
208 OutputBuffer, // Output Buffer from driver.
209 (DWORD)(sizeof(UINT64) * NumCPU), // Length of output buffer in bytes.
210 &ReturnedLength, // Bytes placed in buffer.
211 NULL // synchronous call
212 );
213
214 if (!Status)
215 {
216 ShowMessages("ioctl failed with code (%x), either msr index or core id is invalid\n",
217 GetLastError());
218 free(OutputBuffer);
219 return;
220 }
221
222 //
223 // btw, %x is enough, no need to %llx
224 //
225 if (CoreNumer == DEBUGGER_READ_AND_WRITE_ON_MSR_APPLY_ALL_CORES)
226 {
227 //
228 // Show all cores
229 //
230 for (SIZE_T i = 0; i < NumCPU; i++)
231 {
232 ShowMessages("core : 0x%x - msr[%llx] = %s\n", i, Msr, SeparateTo64BitValue((OutputBuffer[i])).c_str());
233 }
234 }
235 else
236 {
237 //
238 // Show for a single-core
239 //
240 ShowMessages("core : 0x%x - msr[%llx] = %s\n", CoreNumer, Msr, SeparateTo64BitValue((OutputBuffer[0])).c_str());
241 }
242
243 //
244 // Free the buffer
245 //
246 free(OutputBuffer);
247}
DEBUGGER_READ_AND_WRITE_ON_MSR_APPLY_ALL_CORES
#define DEBUGGER_READ_AND_WRITE_ON_MSR_APPLY_ALL_CORES
Read and write MSRs to all cores.
Definition Constants.h:599
IOCTL_DEBUGGER_READ_OR_WRITE_MSR
#define IOCTL_DEBUGGER_READ_OR_WRITE_MSR
ioctl, request to read or write on a special MSR
Definition Ioctls.h:92
SIZEOF_DEBUGGER_READ_AND_WRITE_ON_MSR
#define SIZEOF_DEBUGGER_READ_AND_WRITE_ON_MSR
Definition RequestStructures.h:422
DEBUGGER_MSR_READ
@ DEBUGGER_MSR_READ
Definition RequestStructures.h:431
SeparateTo64BitValue
string SeparateTo64BitValue(UINT64 Value)
add ` between 64 bit values and convert them to string
Definition common.cpp:27
CommandRdmsrHelp
VOID CommandRdmsrHelp()
help of the rdmsr command
Definition rdmsr.cpp:20
_DEBUGGER_READ_AND_WRITE_ON_MSR
request to read or write on MSRs
Definition RequestStructures.h:440
_DEBUGGER_READ_AND_WRITE_ON_MSR::CoreNumber
UINT32 CoreNumber
Definition RequestStructures.h:442
_DEBUGGER_READ_AND_WRITE_ON_MSR::ActionType
DEBUGGER_MSR_ACTION_TYPE ActionType
Definition RequestStructures.h:446
_DEBUGGER_READ_AND_WRITE_ON_MSR::Msr
UINT64 Msr
Definition RequestStructures.h:441

◆ CommandReadMemoryAndDisassembler()

VOID CommandReadMemoryAndDisassembler ( vector< string > SplitCommand,
string Command )

u* d* !u* !d* commands handler

Parameters
SplitCommand
Command
Returns
VOID
73{
74 UINT32 Pid = 0;
75 UINT32 Length = 0;
76 UINT64 TargetAddress = 0;
77 BOOLEAN IsNextProcessId = FALSE;
78 BOOLEAN IsFirstCommand = TRUE;
79 BOOLEAN IsNextLength = FALSE;
80 vector<string> SplitCommandCaseSensitive {Split(Command, ' ')};
81 UINT32 IndexInCommandCaseSensitive = 0;
82
83 string FirstCommand = SplitCommand.front();
84
85 //
86 // By default if the user-debugger is active, we use these commands
87 // on the memory layout of the debuggee process
88 //
89 if (g_ActiveProcessDebuggingState.IsActive)
90 {
91 Pid = g_ActiveProcessDebuggingState.ProcessId;
92 }
93
94 if (SplitCommand.size() == 1)
95 {
96 //
97 // Means that user entered one command without any parameter
98 //
99 ShowMessages("incorrect use of the '%s' command\n\n", FirstCommand.c_str());
100 CommandReadMemoryAndDisassemblerHelp();
101 return;
102 }
103
104 for (auto Section : SplitCommand)
105 {
106 IndexInCommandCaseSensitive++;
107
108 if (IsFirstCommand)
109 {
110 IsFirstCommand = FALSE;
111 continue;
112 }
113
114 if (IsNextProcessId == TRUE)
115 {
116 if (!ConvertStringToUInt32(Section, &Pid))
117 {
118 ShowMessages("err, you should enter a valid process id\n\n");
119 return;
120 }
121 IsNextProcessId = FALSE;
122 continue;
123 }
124
125 if (IsNextLength == TRUE)
126 {
127 if (!ConvertStringToUInt32(Section, &Length))
128 {
129 ShowMessages("err, you should enter a valid length\n\n");
130 return;
131 }
132 IsNextLength = FALSE;
133 continue;
134 }
135
136 if (!Section.compare("l"))
137 {
138 IsNextLength = TRUE;
139 continue;
140 }
141
142 if (!Section.compare("pid"))
143 {
144 IsNextProcessId = TRUE;
145 continue;
146 }
147
148 //
149 // Probably it's address
150 //
151 if (TargetAddress == 0)
152 {
153 if (!SymbolConvertNameOrExprToAddress(SplitCommandCaseSensitive.at(IndexInCommandCaseSensitive - 1),
154 &TargetAddress))
155 {
156 //
157 // Couldn't resolve or unknown parameter
158 //
159 ShowMessages("err, couldn't resolve error at '%s'\n",
160 SplitCommandCaseSensitive.at(IndexInCommandCaseSensitive - 1).c_str());
161 return;
162 }
163 }
164 else
165 {
166 //
167 // User inserts two address
168 //
169 ShowMessages("err, incorrect use of the '%s' command\n\n",
170 FirstCommand.c_str());
171 CommandReadMemoryAndDisassemblerHelp();
172
173 return;
174 }
175 }
176
177 if (!TargetAddress)
178 {
179 //
180 // User inserts two address
181 //
182 ShowMessages("err, please enter a valid address\n\n");
183
184 return;
185 }
186
187 if (Length == 0)
188 {
189 //
190 // Default length (user doesn't specified)
191 //
192 if (!FirstCommand.compare("u") ||
193 !FirstCommand.compare("!u") ||
194 !FirstCommand.compare("u64") ||
195 !FirstCommand.compare("!u64"))
196 {
197 Length = 0x40;
198 }
199 else
200 {
201 Length = 0x80;
202 }
203 }
204
205 if (IsNextLength || IsNextProcessId)
206 {
207 ShowMessages("incorrect use of the '%s' command\n\n", FirstCommand.c_str());
208 CommandReadMemoryAndDisassemblerHelp();
209 return;
210 }
211
212 //
213 // Check to prevent using process id in d* and u* commands
214 //
215 if (g_IsSerialConnectedToRemoteDebuggee && Pid != 0)
216 {
217 ShowMessages(ASSERT_MESSAGE_CANNOT_SPECIFY_PID);
218 return;
219 }
220
221 if (Pid == 0)
222 {
223 //
224 // Default process we read from current process
225 //
226 Pid = GetCurrentProcessId();
227 }
228
229 if (!FirstCommand.compare("db"))
230 {
231 HyperDbgShowMemoryOrDisassemble(DEBUGGER_SHOW_COMMAND_DB,
232 TargetAddress,
233 DEBUGGER_READ_VIRTUAL_ADDRESS,
234 READ_FROM_KERNEL,
235 Pid,
236 Length,
237 NULL);
238 }
239 else if (!FirstCommand.compare("dc"))
240 {
241 HyperDbgShowMemoryOrDisassemble(DEBUGGER_SHOW_COMMAND_DC,
242 TargetAddress,
243 DEBUGGER_READ_VIRTUAL_ADDRESS,
244 READ_FROM_KERNEL,
245 Pid,
246 Length,
247 NULL);
248 }
249 else if (!FirstCommand.compare("dd"))
250 {
251 HyperDbgShowMemoryOrDisassemble(DEBUGGER_SHOW_COMMAND_DD,
252 TargetAddress,
253 DEBUGGER_READ_VIRTUAL_ADDRESS,
254 READ_FROM_KERNEL,
255 Pid,
256 Length,
257 NULL);
258 }
259 else if (!FirstCommand.compare("dq"))
260 {
261 HyperDbgShowMemoryOrDisassemble(DEBUGGER_SHOW_COMMAND_DQ,
262 TargetAddress,
263 DEBUGGER_READ_VIRTUAL_ADDRESS,
264 READ_FROM_KERNEL,
265 Pid,
266 Length,
267 NULL);
268 }
269 else if (!FirstCommand.compare("!db"))
270 {
271 HyperDbgShowMemoryOrDisassemble(DEBUGGER_SHOW_COMMAND_DB,
272 TargetAddress,
273 DEBUGGER_READ_PHYSICAL_ADDRESS,
274 READ_FROM_KERNEL,
275 Pid,
276 Length,
277 NULL);
278 }
279 else if (!FirstCommand.compare("!dc"))
280 {
281 HyperDbgShowMemoryOrDisassemble(DEBUGGER_SHOW_COMMAND_DC,
282 TargetAddress,
283 DEBUGGER_READ_PHYSICAL_ADDRESS,
284 READ_FROM_KERNEL,
285 Pid,
286 Length,
287 NULL);
288 }
289 else if (!FirstCommand.compare("!dd"))
290 {
291 HyperDbgShowMemoryOrDisassemble(DEBUGGER_SHOW_COMMAND_DD,
292 TargetAddress,
293 DEBUGGER_READ_PHYSICAL_ADDRESS,
294 READ_FROM_KERNEL,
295 Pid,
296 Length,
297 NULL);
298 }
299 else if (!FirstCommand.compare("!dq"))
300 {
301 HyperDbgShowMemoryOrDisassemble(DEBUGGER_SHOW_COMMAND_DQ,
302 TargetAddress,
303 DEBUGGER_READ_PHYSICAL_ADDRESS,
304 READ_FROM_KERNEL,
305 Pid,
306 Length,
307 NULL);
308 }
309
310 //
311 // Disassembler (!u or u or u2 !u2)
312 //
313 else if (!FirstCommand.compare("u") || !FirstCommand.compare("u64"))
314 {
315 HyperDbgShowMemoryOrDisassemble(
316 DEBUGGER_SHOW_COMMAND_DISASSEMBLE64,
317 TargetAddress,
318 DEBUGGER_READ_VIRTUAL_ADDRESS,
319 READ_FROM_KERNEL,
320 Pid,
321 Length,
322 NULL);
323 }
324 else if (!FirstCommand.compare("!u") || !FirstCommand.compare("!u64"))
325 {
326 HyperDbgShowMemoryOrDisassemble(
327 DEBUGGER_SHOW_COMMAND_DISASSEMBLE64,
328 TargetAddress,
329 DEBUGGER_READ_PHYSICAL_ADDRESS,
330 READ_FROM_KERNEL,
331 Pid,
332 Length,
333 NULL);
334 }
335 else if (!FirstCommand.compare("u2") || !FirstCommand.compare("u32"))
336 {
337 HyperDbgShowMemoryOrDisassemble(
338 DEBUGGER_SHOW_COMMAND_DISASSEMBLE32,
339 TargetAddress,
340 DEBUGGER_READ_VIRTUAL_ADDRESS,
341 READ_FROM_KERNEL,
342 Pid,
343 Length,
344 NULL);
345 }
346 else if (!FirstCommand.compare("!u2") || !FirstCommand.compare("!u32"))
347 {
348 HyperDbgShowMemoryOrDisassemble(
349 DEBUGGER_SHOW_COMMAND_DISASSEMBLE32,
350 TargetAddress,
351 DEBUGGER_READ_PHYSICAL_ADDRESS,
352 READ_FROM_KERNEL,
353 Pid,
354 Length,
355 NULL);
356 }
357}
DEBUGGER_SHOW_COMMAND_DC
@ DEBUGGER_SHOW_COMMAND_DC
Definition RequestStructures.h:255
DEBUGGER_SHOW_COMMAND_DISASSEMBLE32
@ DEBUGGER_SHOW_COMMAND_DISASSEMBLE32
Definition RequestStructures.h:253
DEBUGGER_SHOW_COMMAND_DD
@ DEBUGGER_SHOW_COMMAND_DD
Definition RequestStructures.h:257
DEBUGGER_SHOW_COMMAND_DQ
@ DEBUGGER_SHOW_COMMAND_DQ
Definition RequestStructures.h:256
DEBUGGER_SHOW_COMMAND_DB
@ DEBUGGER_SHOW_COMMAND_DB
Definition RequestStructures.h:254
DEBUGGER_SHOW_COMMAND_DISASSEMBLE64
@ DEBUGGER_SHOW_COMMAND_DISASSEMBLE64
Definition RequestStructures.h:252
CommandReadMemoryAndDisassemblerHelp
VOID CommandReadMemoryAndDisassemblerHelp()
help of u* d* !u* !d* commands
Definition d-u.cpp:26
g_IsSerialConnectedToRemoteDebuggee
BOOLEAN g_IsSerialConnectedToRemoteDebuggee
Shows if the debugger was connected to remote debuggee over (A remote guest)
Definition globals.h:231
g_ActiveProcessDebuggingState
ACTIVE_DEBUGGING_PROCESS g_ActiveProcessDebuggingState
State of active debugging thread.
Definition globals.h:362

◆ CommandRestart()

VOID CommandRestart ( vector< string > SplitCommand,
string Command )

.restart command handler

Parameters
SplitCommand
Command
Returns
VOID
47{
48 if (SplitCommand.size() != 1)
49 {
50 ShowMessages("incorrect use of the '.restart'\n\n");
51 CommandRestartHelp();
52 return;
53 }
54
55 //
56 // Check if the .start command is previously called or not
57 //
58 if (g_StartCommandPath.empty())
59 {
60 ShowMessages("nothing to restart, did you use the '.start' command before?\n");
61 return;
62 }
63
64 //
65 // Check to kill the current active process (if exists)
66 //
67 if (g_ActiveProcessDebuggingState.IsActive)
68 {
69 //
70 // kill the process, we will restart the process even if we didn't
71 // successfully killed the active process
72 //
73 UdKillProcess(g_ActiveProcessDebuggingState.ProcessId);
74 }
75 else if (g_ProcessIdOfLatestStartingProcess != NULL)
76 {
77 UdKillProcess(g_ProcessIdOfLatestStartingProcess);
78
79 //
80 // No longer the last process exists
81 //
82 g_ProcessIdOfLatestStartingProcess = NULL;
83 }
84
85 //
86 // Perform run of the target file
87 //
88 if (g_StartCommandPathAndArguments.empty())
89 {
90 UdAttachToProcess(NULL,
91 g_StartCommandPath.c_str(),
92 NULL,
93 FALSE);
94 }
95 else
96 {
97 UdAttachToProcess(NULL,
98 g_StartCommandPath.c_str(),
99 (WCHAR *)g_StartCommandPathAndArguments.c_str(),
100 FALSE);
101 }
102}
WCHAR
wchar_t WCHAR
Definition BasicTypes.h:32
g_StartCommandPathAndArguments
std::wstring g_StartCommandPathAndArguments
the start arguments used in .start command
Definition globals.h:653
g_ProcessIdOfLatestStartingProcess
UINT32 g_ProcessIdOfLatestStartingProcess
The process id of the latest starting process.
Definition globals.h:368
CommandRestartHelp
VOID CommandRestartHelp()
help of the .restart command
Definition restart.cpp:29
g_ActiveProcessDebuggingState
ACTIVE_DEBUGGING_PROCESS g_ActiveProcessDebuggingState
State of active debugging thread.
Definition globals.h:362
g_StartCommandPath
std::wstring g_StartCommandPath
the start path used in .start command
Definition globals.h:647

◆ CommandRev()

VOID CommandRev ( vector< string > SplitCommand,
string Command )

!rev command handler

Parameters
SplitCommand
Command
Returns
VOID
52{
53 /*
54 vector<string> PathAndArgs;
55 string Arguments = "";
56
57 //
58 // Disable user-mode debugger in this version
59 //
60#if ActivateUserModeDebugger == FALSE
61
62 if (!g_IsSerialConnectedToRemoteDebugger)
63 {
64 ShowMessages("the user-mode debugger in VMI Mode is still in the beta version and not stable. "
65 "we decided to exclude it from this release and release it in future versions. "
66 "if you want to test the user-mode debugger in VMI Mode, you should build "
67 "HyperDbg with special instructions. But starting processes is fully supported "
68 "in the Debugger Mode.\n"
69 "(it's not recommended to use it in VMI Mode yet!)\n");
70 return;
71 }
72
73#endif // !ActivateUserModeDebugger
74
75 if (SplitCommand.size() <= 2)
76 {
77 ShowMessages("incorrect use of the '.start'\n\n");
78 CommandStartHelp();
79 return;
80 }
81
82
83 if (!SplitCommand.at(1).compare("path"))
84 {
85 //
86 // *** It's a run of target PE file ***
87 //
88
89 //
90 // Trim the command
91 //
92 Trim(Command);
93
94 //
95 // Remove !rev from it
96 //
97 Command.erase(0, SplitCommand.at(0).size());
98
99 //
100 // Remove path + space
101 //
102 Command.erase(0, 4 + 1);
103
104 //
105 // Trim it again
106 //
107 Trim(Command);
108
109 //
110 // Split Path and args
111 //
112 SplitPathAndArgs(PathAndArgs, Command);
113
114 //
115 // Convert path to wstring
116 //
117 StringToWString(g_StartCommandPath, PathAndArgs.at(0));
118
119 if (PathAndArgs.size() != 1)
120 {
121 //
122 // There are arguments to this command
123 //
124
125 for (auto item : PathAndArgs)
126 {
127 //
128 // Append the arguments
129 //
130 // ShowMessages("Arg : %s\n", item.c_str());
131 Arguments += item + " ";
132 }
133
134 //
135 // Remove the latest space
136 //
137 Arguments.pop_back();
138
139 //
140 // Convert arguments to wstring
141 //
142 StringToWString(g_StartCommandPathAndArguments, Arguments);
143 }
144 }
145 else
146 {
147 ShowMessages("err, couldn't resolve error at '%s'\n\n",
148 SplitCommand.at(1).c_str());
149 CommandStartHelp();
150 return;
151 }
152
153 //
154 // Perform run of the target file
155 //
156 if (Arguments.empty())
157 {
158 UdAttachToProcess(NULL,
159 g_StartCommandPath.c_str(),
160 NULL,
161 TRUE);
162 }
163 else
164 {
165 UdAttachToProcess(NULL,
166 g_StartCommandPath.c_str(),
167 (WCHAR *)g_StartCommandPathAndArguments.c_str(),
168 TRUE);
169 }
170
172 return;
173
174 */
175
176 REVERSING_MACHINE_RECONSTRUCT_MEMORY_REQUEST RevRequest = {0};
177 BOOLEAN SetPid = FALSE;
178 UINT32 TargetPid = NULL;
179 BOOLEAN IgnoreFirstCommand = TRUE;
180 REVERSING_MACHINE_RECONSTRUCT_MEMORY_MODE Mode = REVERSING_MACHINE_RECONSTRUCT_MEMORY_MODE_UNKNOWN;
181 REVERSING_MACHINE_RECONSTRUCT_MEMORY_TYPE Type = REVERSING_MACHINE_RECONSTRUCT_MEMORY_TYPE_UNKNOWN;
182
183 //
184 // Interpret command specific details
185 //
186 for (auto Section : SplitCommand)
187 {
188 if (!Section.compare("!rev") && IgnoreFirstCommand)
189 {
190 IgnoreFirstCommand = FALSE;
191 continue;
192 }
193 else if (!Section.compare("pid") && !SetPid)
194 {
195 SetPid = TRUE;
196 }
197 else if (SetPid)
198 {
199 if (!ConvertStringToUInt32(Section, &TargetPid))
200 {
201 //
202 // couldn't resolve or unknown parameter
203 //
204 ShowMessages("err, couldn't resolve error at '%s'\n\n",
205 Section.c_str());
206 CommandRevHelp();
207 return;
208 }
209 SetPid = FALSE;
210 }
211 else if (!Section.compare("pattern"))
212 {
213 Type = REVERSING_MACHINE_RECONSTRUCT_MEMORY_TYPE_PATTERN;
214 }
215 else if (!Section.compare("reconstruct"))
216 {
217 Type = REVERSING_MACHINE_RECONSTRUCT_MEMORY_TYPE_RECONSTRUCT;
218 }
219 else
220 {
221 //
222 // Unknown parameter
223 //
224 ShowMessages("err, couldn't resolve error at '%s'\n\n",
225 Section.c_str());
226 CommandRevHelp();
227 return;
228 }
229 }
230
231 if (SetPid)
232 {
233 ShowMessages("err, please enter a valid process id in hex format, "
234 "or if you want to use it in decimal format, add '0n' "
235 "prefix to the number\n");
236 return;
237 }
238
239 RevRequest.ProcessId = TargetPid;
240
241 // ================================================================================
242
243 //
244 // Send the request to the hypervisor (kernel)
245 //
246 RevRequestService(&RevRequest);
247}
REVERSING_MACHINE_RECONSTRUCT_MEMORY_TYPE_PATTERN
@ REVERSING_MACHINE_RECONSTRUCT_MEMORY_TYPE_PATTERN
Definition RequestStructures.h:104
REVERSING_MACHINE_RECONSTRUCT_MEMORY_TYPE_UNKNOWN
@ REVERSING_MACHINE_RECONSTRUCT_MEMORY_TYPE_UNKNOWN
Definition RequestStructures.h:102
REVERSING_MACHINE_RECONSTRUCT_MEMORY_TYPE_RECONSTRUCT
@ REVERSING_MACHINE_RECONSTRUCT_MEMORY_TYPE_RECONSTRUCT
Definition RequestStructures.h:103
REVERSING_MACHINE_RECONSTRUCT_MEMORY_TYPE
enum _REVERSING_MACHINE_RECONSTRUCT_MEMORY_TYPE REVERSING_MACHINE_RECONSTRUCT_MEMORY_TYPE
different types of reconstruct requests
REVERSING_MACHINE_RECONSTRUCT_MEMORY_MODE_UNKNOWN
@ REVERSING_MACHINE_RECONSTRUCT_MEMORY_MODE_UNKNOWN
Definition RequestStructures.h:91
REVERSING_MACHINE_RECONSTRUCT_MEMORY_MODE
enum _REVERSING_MACHINE_RECONSTRUCT_MEMORY_MODE REVERSING_MACHINE_RECONSTRUCT_MEMORY_MODE
different modes of reconstruct requests
RevRequestService
BOOLEAN RevRequestService(REVERSING_MACHINE_RECONSTRUCT_MEMORY_REQUEST *RevRequest)
Request service from the reversing machine.
Definition rev-ctrl.cpp:23
CommandRevHelp
VOID CommandRevHelp()
help of the !rev command
Definition rev.cpp:28
_REVERSING_MACHINE_RECONSTRUCT_MEMORY_REQUEST
requests for !rev command
Definition RequestStructures.h:115
_REVERSING_MACHINE_RECONSTRUCT_MEMORY_REQUEST::ProcessId
UINT32 ProcessId
Definition RequestStructures.h:116

◆ CommandScript()

VOID CommandScript ( vector< string > SplitCommand,
string Command )

.script command handler

Parameters
SplitCommand
Command
Returns
VOID
269{
270 vector<string> PathAndArgs;
271
272 if (SplitCommand.size() == 1)
273 {
274 ShowMessages("please specify a file\n");
275 CommandScriptHelp();
276 return;
277 }
278
279 //
280 // Trim the command
281 //
282 Trim(Command);
283
284 //
285 // Remove .script from it
286 //
287 Command.erase(0, SplitCommand.at(0).size());
288
289 //
290 // Trim it again
291 //
292 Trim(Command);
293
294 //
295 // Split Path and args
296 //
297 SplitPathAndArgs(PathAndArgs, Command);
298
299 /*
300
301 for (auto item : PathAndArgs)
302 {
303 //
304 // The first argument is the path
305 //
306 ShowMessages("Arg : %s\n", item.c_str());
307 }
308
309 */
310
311 //
312 // Parse the file and the possible arguments
313 //
314 HyperDbgScriptReadFileAndExecuteCommand(PathAndArgs);
315}
SplitPathAndArgs
VOID SplitPathAndArgs(std::vector< std::string > &Qargs, const std::string &Command)
Split path and arguments and handle strings between quotes.
Definition common.cpp:744
CommandScriptHelp
VOID CommandScriptHelp()
help of the .script command
Definition script.cpp:27
HyperDbgScriptReadFileAndExecuteCommand
VOID HyperDbgScriptReadFileAndExecuteCommand(std::vector< std::string > &PathAndArgs)
Read file and run the script.
Definition script.cpp:113

◆ CommandSearchMemory()

VOID CommandSearchMemory ( vector< string > SplitCommand,
string Command )

!s* s* commands handler

Parameters
SplitCommand
Command
Returns
VOID
139{
140 UINT64 Address;
141 vector<UINT64> ValuesToEdit;
142 BOOL SetAddress = FALSE;
143 BOOL SetValue = FALSE;
144 BOOL SetProcId = FALSE;
145 BOOL NextIsProcId = FALSE;
146 BOOL SetLength = FALSE;
147 BOOL NextIsLength = FALSE;
148 DEBUGGER_SEARCH_MEMORY SearchMemoryRequest = {0};
149 UINT64 Value = 0;
150 UINT64 Length = 0;
151 UINT32 ProcId = 0;
152 UINT32 CountOfValues = 0;
153 UINT32 FinalSize = 0;
154 UINT64 * FinalBuffer = NULL;
155 vector<string> SplitCommandCaseSensitive {Split(Command, ' ')};
156 UINT32 IndexInCommandCaseSensitive = 0;
157 BOOLEAN IsFirstCommand = TRUE;
158
159 //
160 // By default if the user-debugger is active, we use these commands
161 // on the memory layout of the debuggee process
162 //
163 if (g_ActiveProcessDebuggingState.IsActive)
164 {
165 ProcId = g_ActiveProcessDebuggingState.ProcessId;
166 }
167
168 if (SplitCommand.size() <= 4)
169 {
170 ShowMessages("incorrect use of the 's*'\n\n");
171 CommandSearchMemoryHelp();
172 return;
173 }
174
175 for (auto Section : SplitCommand)
176 {
177 IndexInCommandCaseSensitive++;
178
179 if (IsFirstCommand == TRUE)
180 {
181 if (!Section.compare("!sb"))
182 {
183 SearchMemoryRequest.MemoryType = SEARCH_PHYSICAL_MEMORY;
184 SearchMemoryRequest.ByteSize = SEARCH_BYTE;
185 }
186 else if (!Section.compare("!sd"))
187 {
188 SearchMemoryRequest.MemoryType = SEARCH_PHYSICAL_MEMORY;
189 SearchMemoryRequest.ByteSize = SEARCH_DWORD;
190 }
191 else if (!Section.compare("!sq"))
192 {
193 SearchMemoryRequest.MemoryType = SEARCH_PHYSICAL_MEMORY;
194 SearchMemoryRequest.ByteSize = SEARCH_QWORD;
195 }
196 else if (!Section.compare("sb"))
197 {
198 SearchMemoryRequest.MemoryType = SEARCH_VIRTUAL_MEMORY;
199 SearchMemoryRequest.ByteSize = SEARCH_BYTE;
200 }
201 else if (!Section.compare("sd"))
202 {
203 SearchMemoryRequest.MemoryType = SEARCH_VIRTUAL_MEMORY;
204 SearchMemoryRequest.ByteSize = SEARCH_DWORD;
205 }
206 else if (!Section.compare("sq"))
207 {
208 SearchMemoryRequest.MemoryType = SEARCH_VIRTUAL_MEMORY;
209 SearchMemoryRequest.ByteSize = SEARCH_QWORD;
210 }
211 else
212 {
213 //
214 // What's this? :(
215 //
216 ShowMessages("unknown error happened !\n\n");
217 CommandSearchMemoryHelp();
218 return;
219 }
220
221 IsFirstCommand = FALSE;
222
223 continue;
224 }
225
226 if (NextIsProcId)
227 {
228 //
229 // It's a process id
230 //
231 NextIsProcId = FALSE;
232
233 if (!ConvertStringToUInt32(Section, &ProcId))
234 {
235 ShowMessages("please specify a correct hex process id\n\n");
236 CommandSearchMemoryHelp();
237 return;
238 }
239 else
240 {
241 //
242 // Means that the proc id is set, next we should read value
243 //
244 continue;
245 }
246 }
247
248 if (NextIsLength)
249 {
250 //
251 // It's a length
252 //
253 NextIsLength = FALSE;
254
255 if (!ConvertStringToUInt64(Section, &Length))
256 {
257 ShowMessages("please specify a correct hex length\n\n");
258 CommandSearchMemoryHelp();
259 return;
260 }
261 else
262 {
263 //
264 // Means that the proc id is set, next we should read value
265 //
266 SetLength = TRUE;
267 continue;
268 }
269 }
270
271 //
272 // Check if it's a process id or not
273 //
274 if (!SetProcId && !Section.compare("pid"))
275 {
276 NextIsProcId = TRUE;
277 continue;
278 }
279
280 //
281 // Check if it's a length or not
282 //
283 if (!SetLength && !Section.compare("l"))
284 {
285 NextIsLength = TRUE;
286 continue;
287 }
288
289 if (!SetAddress)
290 {
291 if (!SymbolConvertNameOrExprToAddress(SplitCommandCaseSensitive.at(IndexInCommandCaseSensitive - 1), &Address))
292 {
293 ShowMessages("err, couldn't resolve error at '%s'\n\n",
294 SplitCommandCaseSensitive.at(IndexInCommandCaseSensitive - 1).c_str());
295 CommandSearchMemoryHelp();
296 return;
297 }
298 else
299 {
300 //
301 // Means that the address is set, next we should read value
302 //
303 SetAddress = TRUE;
304 continue;
305 }
306 }
307
308 if (SetAddress)
309 {
310 //
311 // Remove the hex notations
312 //
313 if (Section.rfind("0x", 0) == 0 || Section.rfind("0X", 0) == 0 ||
314 Section.rfind("\\x", 0) == 0 || Section.rfind("\\X", 0) == 0)
315 {
316 Section = Section.erase(0, 2);
317 }
318 else if (Section.rfind('x', 0) == 0 || Section.rfind('X', 0) == 0)
319 {
320 Section = Section.erase(0, 1);
321 }
322 Section.erase(remove(Section.begin(), Section.end(), '`'), Section.end());
323
324 //
325 // Check if the value is valid based on byte counts
326 //
327 if (SearchMemoryRequest.ByteSize == SEARCH_BYTE && Section.size() >= 3)
328 {
329 ShowMessages("please specify a byte (hex) value for 'sb' or '!sb'\n\n");
330 return;
331 }
332 if (SearchMemoryRequest.ByteSize == SEARCH_DWORD && Section.size() >= 9)
333 {
334 ShowMessages(
335 "please specify a dword (hex) value for 'sd' or '!sd'\n\n");
336 return;
337 }
338 if (SearchMemoryRequest.ByteSize == SEARCH_QWORD &&
339 Section.size() >= 17)
340 {
341 ShowMessages(
342 "please specify a qword (hex) value for 'sq' or '!sq'\n\n");
343 return;
344 }
345
346 //
347 // Qword is checked by the following function, no need to double
348 // check it above.
349 //
350 if (!ConvertStringToUInt64(Section, &Value))
351 {
352 ShowMessages("please specify a correct hex value to search in the "
353 "memory content\n\n");
354 CommandSearchMemoryHelp();
355 return;
356 }
357 else
358 {
359 //
360 // Add it to the list
361 //
362 ValuesToEdit.push_back(Value);
363
364 //
365 // Keep track of values to modify
366 //
367 CountOfValues++;
368
369 if (!SetValue)
370 {
371 //
372 // At least on walue is there
373 //
374 SetValue = TRUE;
375 }
376 continue;
377 }
378 }
379 }
380
381 //
382 // Check to prevent using process id in s* commands
383 //
384 if (g_IsSerialConnectedToRemoteDebuggee && ProcId != 0)
385 {
386 ShowMessages(ASSERT_MESSAGE_CANNOT_SPECIFY_PID);
387 return;
388 }
389
390 if (ProcId == 0)
391 {
392 ProcId = GetCurrentProcessId();
393 }
394
395 //
396 // Fill the structure
397 //
398 SearchMemoryRequest.ProcessId = ProcId;
399 SearchMemoryRequest.Address = Address;
400 SearchMemoryRequest.CountOf64Chunks = CountOfValues;
401
402 //
403 // Check if address and value are set or not
404 //
405 if (!SetAddress)
406 {
407 ShowMessages("please specify a correct hex address\n\n");
408 CommandSearchMemoryHelp();
409 return;
410 }
411 if (!SetValue)
412 {
413 ShowMessages(
414 "please specify a correct hex value as the content to search\n\n");
415 CommandSearchMemoryHelp();
416 return;
417 }
418 if (!SetLength)
419 {
420 ShowMessages("please specify a correct hex value as the length\n\n");
421 CommandSearchMemoryHelp();
422 return;
423 }
424 if (NextIsProcId)
425 {
426 ShowMessages("please specify a correct hex value as the process id\n\n");
427 CommandSearchMemoryHelp();
428 return;
429 }
430 if (NextIsLength)
431 {
432 ShowMessages("please specify a correct hex length\n\n");
433 CommandSearchMemoryHelp();
434 return;
435 }
436
437 //
438 // Now it's time to put everything together in one structure
439 //
440 FinalSize = (CountOfValues * sizeof(UINT64)) + SIZEOF_DEBUGGER_SEARCH_MEMORY;
441
442 //
443 // Set the size
444 //
445 SearchMemoryRequest.FinalStructureSize = FinalSize;
446
447 //
448 // Set the length
449 //
450 SearchMemoryRequest.Length = Length;
451
452 if (!g_IsSerialConnectedToRemoteDebuggee)
453 {
454 AssertShowMessageReturnStmt(g_DeviceHandle, ASSERT_MESSAGE_DRIVER_NOT_LOADED, AssertReturn);
455 }
456
457 //
458 // Allocate structure + buffer
459 //
460 FinalBuffer = (UINT64 *)malloc(FinalSize);
461
462 if (!FinalBuffer)
463 {
464 ShowMessages("unable to allocate memory\n\n");
465 return;
466 }
467
468 //
469 // Zero the buffer
470 //
471 ZeroMemory(FinalBuffer, FinalSize);
472
473 //
474 // Copy the structure on top of the allocated buffer
475 //
476 memcpy(FinalBuffer, &SearchMemoryRequest, SIZEOF_DEBUGGER_SEARCH_MEMORY);
477
478 //
479 // Put the values in 64 bit structures
480 //
481 std::copy(ValuesToEdit.begin(), ValuesToEdit.end(), (UINT64 *)((UINT64)FinalBuffer + SIZEOF_DEBUGGER_SEARCH_MEMORY));
482
483 //
484 // Check if it's a connection in debugger mode
485 //
486 if (g_IsSerialConnectedToRemoteDebuggee)
487 {
488 //
489 // The buffer should be sent to the debugger
490 //
491 KdSendSearchRequestPacketToDebuggee(FinalBuffer, FinalSize);
492 }
493 else
494 {
495 //
496 // it's a local connection, send the buffer directly
497 //
498 CommandSearchSendRequest(FinalBuffer, FinalSize);
499 }
500
501 //
502 // Free the buffers
503 //
504 free(FinalBuffer);
505}
SEARCH_QWORD
@ SEARCH_QWORD
Definition RequestStructures.h:518
SEARCH_BYTE
@ SEARCH_BYTE
Definition RequestStructures.h:516
SEARCH_DWORD
@ SEARCH_DWORD
Definition RequestStructures.h:517
SEARCH_PHYSICAL_MEMORY
@ SEARCH_PHYSICAL_MEMORY
Definition RequestStructures.h:504
SEARCH_VIRTUAL_MEMORY
@ SEARCH_VIRTUAL_MEMORY
Definition RequestStructures.h:505
SIZEOF_DEBUGGER_SEARCH_MEMORY
#define SIZEOF_DEBUGGER_SEARCH_MEMORY
Definition RequestStructures.h:496
KdSendSearchRequestPacketToDebuggee
BOOLEAN KdSendSearchRequestPacketToDebuggee(UINT64 *SearchRequestBuffer, UINT32 SearchRequestBufferSize)
Sends search query request packet to the debuggee.
Definition kd.cpp:1178
CommandSearchSendRequest
VOID CommandSearchSendRequest(UINT64 *BufferToSendAsIoctl, UINT32 BufferToSendAsIoctlSize)
Send the request of search to the kernel.
Definition s.cpp:62
CommandSearchMemoryHelp
VOID CommandSearchMemoryHelp()
help of !s* s* commands
Definition s.cpp:26
g_IsSerialConnectedToRemoteDebuggee
BOOLEAN g_IsSerialConnectedToRemoteDebuggee
Shows if the debugger was connected to remote debuggee over (A remote guest)
Definition globals.h:231
g_ActiveProcessDebuggingState
ACTIVE_DEBUGGING_PROCESS g_ActiveProcessDebuggingState
State of active debugging thread.
Definition globals.h:362
_DEBUGGER_SEARCH_MEMORY
request for searching memory
Definition RequestStructures.h:527
_DEBUGGER_SEARCH_MEMORY::Length
UINT64 Length
Definition RequestStructures.h:529
_DEBUGGER_SEARCH_MEMORY::ProcessId
UINT32 ProcessId
Definition RequestStructures.h:530
_DEBUGGER_SEARCH_MEMORY::CountOf64Chunks
UINT32 CountOf64Chunks
Definition RequestStructures.h:533
_DEBUGGER_SEARCH_MEMORY::FinalStructureSize
UINT32 FinalStructureSize
Definition RequestStructures.h:534
_DEBUGGER_SEARCH_MEMORY::Address
UINT64 Address
Definition RequestStructures.h:528
_DEBUGGER_SEARCH_MEMORY::ByteSize
DEBUGGER_SEARCH_MEMORY_BYTE_SIZE ByteSize
Definition RequestStructures.h:532
_DEBUGGER_SEARCH_MEMORY::MemoryType
DEBUGGER_SEARCH_MEMORY_TYPE MemoryType
Definition RequestStructures.h:531

◆ CommandSettings()

VOID CommandSettings ( vector< string > SplitCommand,
string Command )

settings command handler

Parameters
SplitCommand
Command
Returns
VOID
545{
546 if (SplitCommand.size() <= 1)
547 {
548 ShowMessages("incorrect use of the 'settings'\n\n");
549 CommandSettingsHelp();
550 return;
551 }
552
553 //
554 // Interpret the field name
555 //
556 if (!SplitCommand.at(1).compare("autounpause"))
557 {
558 //
559 // Handle it locally
560 //
561 CommandSettingsAutoUpause(SplitCommand);
562 }
563 else if (!SplitCommand.at(1).compare("syntax"))
564 {
565 //
566 // If it's a remote debugger then we send it to the remote debugger
567 //
568 if (g_IsConnectedToRemoteDebuggee)
569 {
570 RemoteConnectionSendCommand(Command.c_str(), (UINT32)Command.length() + 1);
571 }
572 else
573 {
574 //
575 // If it's a connection over serial or a local debugging then
576 // we handle it locally
577 //
578 CommandSettingsSyntax(SplitCommand);
579 }
580 }
581 else if (!SplitCommand.at(1).compare("autoflush"))
582 {
583 //
584 // If it's a remote debugger then we send it to the remote debugger
585 //
586 if (g_IsConnectedToRemoteDebuggee)
587 {
588 RemoteConnectionSendCommand(Command.c_str(), (UINT32)Command.length() + 1);
589 }
590 else
591 {
592 //
593 // If it's a connection over serial or a local debugging then
594 // we handle it locally
595 //
596 CommandSettingsAutoFlush(SplitCommand);
597 }
598 }
599 else if (!SplitCommand.at(1).compare("addressconversion"))
600 {
601 //
602 // If it's a remote debugger then we send it to the remote debugger
603 //
604 if (g_IsConnectedToRemoteDebuggee)
605 {
606 RemoteConnectionSendCommand(Command.c_str(), (UINT32)Command.length() + 1);
607 }
608 else
609 {
610 //
611 // If it's a connection over serial or a local debugging then
612 // we handle it locally
613 //
614 CommandSettingsAddressConversion(SplitCommand);
615 }
616 }
617 else
618 {
619 //
620 // optionm not found
621 //
622 ShowMessages("incorrect use of the 'settings', please use 'help settings' "
623 "for more details\n");
624 return;
625 }
626}
RemoteConnectionSendCommand
int RemoteConnectionSendCommand(const char *sendbuf, int len)
send the command as a client (debugger, host) to the server (debuggee, guest)
Definition remote-connection.cpp:445
g_IsConnectedToRemoteDebuggee
BOOLEAN g_IsConnectedToRemoteDebuggee
Shows whether the current debugger is the host and connected to a remote debuggee (guest)
Definition globals.h:74
CommandSettingsAddressConversion
VOID CommandSettingsAddressConversion(vector< string > SplitCommand)
set the address conversion enabled and disabled and query the status of this mode
Definition settings.cpp:274
CommandSettingsHelp
VOID CommandSettingsHelp()
help of the settings command
Definition settings.cpp:29
CommandSettingsSyntax
VOID CommandSettingsSyntax(vector< string > SplitCommand)
set the syntax of !u !u2 u u2 command
Definition settings.cpp:464
CommandSettingsAutoFlush
VOID CommandSettingsAutoFlush(vector< string > SplitCommand)
set the auto-flush mode to enabled and disabled and query the status of this mode
Definition settings.cpp:338
CommandSettingsAutoUpause
VOID CommandSettingsAutoUpause(vector< string > SplitCommand)
set auto-unpause mode to enabled or disabled
Definition settings.cpp:401

◆ CommandSettingsGetValueFromConfigFile()

BOOLEAN CommandSettingsGetValueFromConfigFile ( std::string OptionName,
std::string & OptionValue )

Gets the setting values from config file.

Parameters
OptionName
OptionValue
Returns
BOOLEAN Shows if the settings is available or not
61{
62 inipp::Ini<char> Ini;
63 WCHAR ConfigPath[MAX_PATH] = {0};
64 std::string OptionValueFromFile;
65
66 //
67 // Get config file path
68 //
69 GetConfigFilePath(ConfigPath);
70
71 if (!IsFileExistW(ConfigPath))
72 {
73 return FALSE;
74 }
75
76 //
77 // Open the file
78 //
79 ifstream Is(ConfigPath);
80
81 //
82 // Read config file
83 //
84 Ini.parse(Is);
85
86 //
87 // Show config file
88 //
89 // Ini.generate(std::cout);
90
91 inipp::get_value(Ini.sections["DEFAULT"], OptionName, OptionValueFromFile);
92
93 Is.close();
94
95 if (!OptionValueFromFile.empty())
96 {
97 OptionValue = OptionValueFromFile;
98 return TRUE;
99 }
100 else
101 {
102 return FALSE;
103 }
104}
inipp::Ini
Definition inipp.h:172
inipp::Ini::sections
Sections sections
Definition inipp.h:178
inipp::Ini::parse
void parse(std::basic_istream< CharT > &is)
Definition inipp.h:202
GetConfigFilePath
VOID GetConfigFilePath(PWCHAR ConfigPath)
Get config path.
Definition common.cpp:671
IsFileExistW
BOOLEAN IsFileExistW(const wchar_t *FileName)
check if a file exist or not (wide-char)
Definition common.cpp:632
inipp::get_value
bool get_value(const std::map< std::basic_string< CharT >, std::basic_string< CharT > > &sec, const std::basic_string< CharT > &key, T &dst)
Definition inipp.h:116

◆ CommandSettingsLoadDefaultValuesFromConfigFile()

VOID CommandSettingsLoadDefaultValuesFromConfigFile ( )

Loads default settings values from config file.

Returns
VOID
162{
163 string OptionValue;
164
165 //
166 // *** Set default configurations ***
167 //
168
169 //
170 // Set the assembly syntax
171 //
172 if (CommandSettingsGetValueFromConfigFile("AsmSyntax", OptionValue))
173 {
174 //
175 // The user tries to set a value as the syntax
176 //
177 if (!OptionValue.compare("intel"))
178 {
179 g_DisassemblerSyntax = 1;
180 }
181 else if (!OptionValue.compare("att") ||
182 !OptionValue.compare("at&t"))
183 {
184 g_DisassemblerSyntax = 2;
185 }
186 else if (!OptionValue.compare("masm"))
187 {
188 g_DisassemblerSyntax = 3;
189 }
190 else
191 {
192 //
193 // Sth is incorrect
194 //
195 ShowMessages("err, incorrect assembly syntax settings\n");
196 }
197 }
198
199 //
200 // Set the auto unpause
201 //
202 if (CommandSettingsGetValueFromConfigFile("AutoUnpause", OptionValue))
203 {
204 if (!OptionValue.compare("on"))
205 {
206 g_AutoUnpause = TRUE;
207 }
208 else if (!OptionValue.compare("off"))
209 {
210 g_AutoUnpause = FALSE;
211 }
212 else
213 {
214 //
215 // Sth is incorrect
216 //
217 ShowMessages("err, incorrect auto unpause settings\n");
218 }
219 }
220
221 //
222 // Set the auto flush
223 //
224 if (CommandSettingsGetValueFromConfigFile("AutoFlush", OptionValue))
225 {
226 if (!OptionValue.compare("on"))
227 {
228 g_AutoFlush = TRUE;
229 }
230 else if (!OptionValue.compare("off"))
231 {
232 g_AutoFlush = FALSE;
233 }
234 else
235 {
236 //
237 // Sth is incorrect
238 //
239 ShowMessages("err, incorrect auto flush settings\n");
240 }
241 }
242
243 //
244 // Set the address conversion
245 //
246 if (CommandSettingsGetValueFromConfigFile("AddrConv", OptionValue))
247 {
248 if (!OptionValue.compare("on"))
249 {
250 g_AddressConversion = TRUE;
251 }
252 else if (!OptionValue.compare("off"))
253 {
254 g_AddressConversion = FALSE;
255 }
256 else
257 {
258 //
259 // Sth is incorrect
260 //
261 ShowMessages("err, incorrect address conversion settings\n");
262 }
263 }
264}
g_AutoFlush
BOOLEAN g_AutoFlush
Whether auto-flush mode is enabled or not enabled.
Definition globals.h:591
g_AddressConversion
BOOLEAN g_AddressConversion
Whether converting addresses to object names or not.
Definition globals.h:584
CommandSettingsGetValueFromConfigFile
BOOLEAN CommandSettingsGetValueFromConfigFile(std::string OptionName, std::string &OptionValue)
Gets the setting values from config file.
Definition settings.cpp:60
g_AutoUnpause
BOOLEAN g_AutoUnpause
Whether auto-unpause mode is enabled or not enabled.
Definition globals.h:577
g_DisassemblerSyntax
UINT32 g_DisassemblerSyntax
Shows the syntax used in !u !u2 u u2 commands.
Definition globals.h:598

◆ CommandSettingsSetValueFromConfigFile()

VOID CommandSettingsSetValueFromConfigFile ( std::string OptionName,
std::string OptionValue )

Sets the setting values from config file.

Parameters
OptionName
OptionValue
Returns
VOID
116{
117 inipp::Ini<char> Ini;
118 WCHAR ConfigPath[MAX_PATH] = {0};
119
120 //
121 // Get config file path
122 //
123 GetConfigFilePath(ConfigPath);
124
125 ifstream Is(ConfigPath);
126
127 //
128 // Read config file
129 //
130 Ini.parse(Is);
131
132 Is.close();
133
134 //
135 // Save the config
136 //
137 Ini.sections["DEFAULT"][OptionName] = OptionValue.c_str();
138 Ini.interpolate();
139
140 //
141 // Test, show the config
142 //
143 // Ini.generate(std::cout);
144
145 //
146 // Save the config
147 //
148 ofstream Os(ConfigPath);
149
150 Ini.generate(Os);
151
152 Os.close();
153}
inipp::Ini::generate
void generate(std::basic_ostream< CharT > &os) const
Definition inipp.h:189
inipp::Ini::interpolate
void interpolate()
Definition inipp.h:246

◆ CommandSleep()

VOID CommandSleep ( vector< string > SplitCommand,
string Command )

sleep command help

Parameters
SplitCommand
Command
Returns
VOID
38{
39 UINT32 MillisecondsTime = 0;
40
41 if (SplitCommand.size() != 2)
42 {
43 ShowMessages("incorrect use of the 'sleep'\n\n");
44 CommandSleepHelp();
45 return;
46 }
47
48 if (!ConvertStringToUInt32(SplitCommand.at(1), &MillisecondsTime))
49 {
50 ShowMessages(
51 "please specify a correct hex value for time (milliseconds)\n\n");
52 CommandSleepHelp();
53 return;
54 }
55 Sleep(MillisecondsTime);
56}
CommandSleepHelp
VOID CommandSleepHelp()
help of the sleep command
Definition sleep.cpp:20

◆ CommandStart()

VOID CommandStart ( vector< string > SplitCommand,
string Command )

.start command handler

Parameters
SplitCommand
Command
Returns
VOID
46{
47 vector<string> PathAndArgs;
48 string Arguments = "";
49
50 //
51 // Disable user-mode debugger in this version
52 //
53#if ActivateUserModeDebugger == FALSE
54
55 if (!g_IsSerialConnectedToRemoteDebugger)
56 {
57 ShowMessages("the user-mode debugger in VMI Mode is still in the beta version and not stable. "
58 "we decided to exclude it from this release and release it in future versions. "
59 "if you want to test the user-mode debugger in VMI Mode, you should build "
60 "HyperDbg with special instructions. But starting processes is fully supported "
61 "in the Debugger Mode.\n"
62 "(it's not recommended to use it in VMI Mode yet!)\n");
63 return;
64 }
65
66#endif // !ActivateUserModeDebugger
67
68 if (SplitCommand.size() <= 2)
69 {
70 ShowMessages("incorrect use of the '.start'\n\n");
71 CommandStartHelp();
72 return;
73 }
74
75 if (!SplitCommand.at(1).compare("path"))
76 {
77 //
78 // *** It's a run of target PE file ***
79 //
80
81 //
82 // Trim the command
83 //
84 Trim(Command);
85
86 //
87 // Remove '.start' or 'start' from it
88 //
89 Command.erase(0, SplitCommand.at(0).size());
90
91 //
92 // Remove path + space
93 //
94 Command.erase(0, 4 + 1);
95
96 //
97 // Trim it again
98 //
99 Trim(Command);
100
101 //
102 // Split Path and args
103 //
104 SplitPathAndArgs(PathAndArgs, Command);
105
106 //
107 // Convert path to wstring
108 //
109 StringToWString(g_StartCommandPath, PathAndArgs.at(0));
110
111 if (PathAndArgs.size() != 1)
112 {
113 //
114 // There are arguments to this command
115 //
116
117 for (auto item : PathAndArgs)
118 {
119 //
120 // Append the arguments
121 //
122 // ShowMessages("Arg : %s\n", item.c_str());
123 Arguments += item + " ";
124 }
125
126 //
127 // Remove the latest space
128 //
129 Arguments.pop_back();
130
131 //
132 // Convert arguments to wstring
133 //
134 StringToWString(g_StartCommandPathAndArguments, Arguments);
135 }
136 }
137 else
138 {
139 ShowMessages("err, couldn't resolve error at '%s'\n\n",
140 SplitCommand.at(1).c_str());
141 CommandStartHelp();
142 return;
143 }
144
145 //
146 // Perform run of the target file
147 //
148 if (Arguments.empty())
149 {
150 UdAttachToProcess(NULL,
151 g_StartCommandPath.c_str(),
152 NULL,
153 FALSE);
154 }
155 else
156 {
157 UdAttachToProcess(NULL,
158 g_StartCommandPath.c_str(),
159 (WCHAR *)g_StartCommandPathAndArguments.c_str(),
160 FALSE);
161 }
162}
g_IsSerialConnectedToRemoteDebugger
BOOLEAN g_IsSerialConnectedToRemoteDebugger
Shows if the debugger was connected to remote debugger (A remote host)
Definition globals.h:238
g_StartCommandPathAndArguments
std::wstring g_StartCommandPathAndArguments
the start arguments used in .start command
Definition globals.h:653
CommandStartHelp
VOID CommandStartHelp()
help of the .start command
Definition start.cpp:27
g_StartCommandPath
std::wstring g_StartCommandPath
the start path used in .start command
Definition globals.h:647

◆ CommandStatus()

VOID CommandStatus ( vector< string > SplitCommand,
string Command )

.status and status command handler

Parameters
SplitCommand
Command
Returns
VOID
51{
52 if (SplitCommand.size() != 1)
53 {
54 ShowMessages("incorrect use of the '.status'\n\n");
55 CommandStatusHelp();
56 }
57
58 if (g_IsSerialConnectedToRemoteDebuggee)
59 {
60 //
61 // Connected to a remote debugger (serial port)
62 //
63 ShowMessages("remote debugging - debugger ('debugger mode')\n");
64 }
65 else if (g_IsSerialConnectedToRemoteDebugger)
66 {
67 //
68 // Connected to a remote debuggee (serial port)
69 //
70 ShowMessages("remote debugging - debuggee ('debugger mode')\n");
71 }
72 else if (g_IsConnectedToRemoteDebuggee)
73 {
74 //
75 // Connected to a remote debuggee
76 //
77 ShowMessages("remote debugging ('vmi mode'), ip : %s:%s \n",
78 g_ServerIp.c_str(),
79 g_ServerPort.c_str());
80 }
81 else if (g_IsConnectedToHyperDbgLocally)
82 {
83 //
84 // Connected to a local system
85 //
86 ShowMessages("local debugging ('vmi mode')\n");
87 }
88 else if (g_IsConnectedToRemoteDebugger)
89 {
90 //
91 // It's computer connect to a remote machine (this
92 // message shouldn't be showed)
93 //
94 ShowMessages("a remote debugger connected to this system in ('vmi "
95 "mode'), ip : %s:%s \n",
96 g_ServerIp.c_str(),
97 g_ServerPort.c_str());
98 }
99 else
100 {
101 //
102 // we never should see this message
103 //
104 ShowMessages("err, you're not connected to any instance of HyperDbg\n");
105 }
106}
g_IsSerialConnectedToRemoteDebugger
BOOLEAN g_IsSerialConnectedToRemoteDebugger
Shows if the debugger was connected to remote debugger (A remote host)
Definition globals.h:238
g_IsConnectedToRemoteDebuggee
BOOLEAN g_IsConnectedToRemoteDebuggee
Shows whether the current debugger is the host and connected to a remote debuggee (guest)
Definition globals.h:74
g_ServerPort
string g_ServerPort
In debugger (not debuggee), we save the port of server debuggee in this variable to use it later e....
Definition globals.h:110
CommandStatusHelp
VOID CommandStatusHelp()
help of the .status command
Definition status.cpp:31
g_IsConnectedToRemoteDebugger
BOOLEAN g_IsConnectedToRemoteDebugger
Shows whether the current system is a guest (debuggee) and a remote debugger is connected to this sys...
Definition globals.h:81
g_IsSerialConnectedToRemoteDebuggee
BOOLEAN g_IsSerialConnectedToRemoteDebuggee
Shows if the debugger was connected to remote debuggee over (A remote guest)
Definition globals.h:231
g_IsConnectedToHyperDbgLocally
BOOLEAN g_IsConnectedToHyperDbgLocally
Shows whether the user is allowed to use 'load' command to load modules locally in VMI (virtual machi...
Definition globals.h:67
g_ServerIp
string g_ServerIp
In debugger (not debuggee), we save the port of server debuggee in this variable to use it later e....
Definition globals.h:117

◆ CommandSwitch()

VOID CommandSwitch ( vector< string > SplitCommand,
string Command )

.switch command handler

Parameters
SplitCommand
Command
Returns
VOID
50{
51 UINT32 PidOrTid = NULL;
52
53 if (SplitCommand.size() > 3 || SplitCommand.size() == 2)
54 {
55 ShowMessages("incorrect use of the '.switch'\n\n");
56 CommandSwitchHelp();
57 return;
58 }
59
60 //
61 // .attach and .detach commands are only supported in VMI Mode
62 //
63 if (g_IsSerialConnectedToRemoteDebuggee)
64 {
65 ShowMessages("err, the '.switch' command is only usable in VMI Mode, "
66 "you can use the '.process', or the '.thread' "
67 "in Debugger Mode\n");
68 return;
69 }
70
71 //
72 // Perform switching or listing the threads
73 //
74 if (SplitCommand.size() == 1)
75 {
76 UdShowListActiveDebuggingProcessesAndThreads();
77 }
78 else if (!SplitCommand.at(1).compare("pid"))
79 {
80 if (!ConvertStringToUInt32(SplitCommand.at(2), &PidOrTid))
81 {
82 ShowMessages("please specify a correct hex value for process id\n\n");
83 return;
84 }
85
86 //
87 // Switch by pid
88 //
89 if (UdSetActiveDebuggingThreadByPidOrTid(PidOrTid, FALSE))
90 {
91 ShowMessages("switched to process id: %x\n", PidOrTid);
92 }
93 }
94 else if (!SplitCommand.at(1).compare("tid"))
95 {
96 if (!ConvertStringToUInt32(SplitCommand.at(2), &PidOrTid))
97 {
98 ShowMessages("please specify a correct hex value for thread id\n\n");
99 return;
100 }
101
102 //
103 // Switch by tid
104 //
105 if (UdSetActiveDebuggingThreadByPidOrTid(PidOrTid, TRUE))
106 {
107 ShowMessages("switched to thread id: %x\n", PidOrTid);
108 }
109 }
110 else
111 {
112 ShowMessages("err, couldn't resolve error at '%s'\n",
113 SplitCommand.at(1).c_str());
114 return;
115 }
116}
CommandSwitchHelp
VOID CommandSwitchHelp()
help of the .switch command
Definition switch.cpp:26
g_IsSerialConnectedToRemoteDebuggee
BOOLEAN g_IsSerialConnectedToRemoteDebuggee
Shows if the debugger was connected to remote debuggee over (A remote guest)
Definition globals.h:231
UdSetActiveDebuggingThreadByPidOrTid
BOOLEAN UdSetActiveDebuggingThreadByPidOrTid(UINT32 TargetPidOrTid, BOOLEAN IsTid)
Set the active debugging thread by process id or thread id.
Definition ud.cpp:1037
UdShowListActiveDebuggingProcessesAndThreads
BOOLEAN UdShowListActiveDebuggingProcessesAndThreads()
Show list of active debugging processes and threads.
Definition ud.cpp:1119

◆ CommandSym()

VOID CommandSym ( vector< string > SplitCommand,
string Command )

.sym command handler

Parameters
SplitCommand
Command
Returns
VOID
56{
57 UINT64 BaseAddress = NULL;
58 UINT32 UserProcessId = NULL;
59
60 if (SplitCommand.size() == 1)
61 {
62 ShowMessages("incorrect use of the '.sym'\n\n");
63 CommandSymHelp();
64 return;
65 }
66
67 if (!SplitCommand.at(1).compare("table"))
68 {
69 //
70 // Validate params
71 //
72 if (SplitCommand.size() != 2)
73 {
74 ShowMessages("incorrect use of the '.sym'\n\n");
75 CommandSymHelp();
76 return;
77 }
78
79 //
80 // Show symbol table
81 //
82 SymbolBuildAndShowSymbolTable();
83 }
84 else if (!SplitCommand.at(1).compare("load") || !SplitCommand.at(1).compare("download"))
85 {
86 //
87 // Validate params
88 //
89 if (SplitCommand.size() != 2)
90 {
91 ShowMessages("incorrect use of the '.sym'\n\n");
92 CommandSymHelp();
93 return;
94 }
95
96 //
97 // Load and download available symbols
98 //
99 if (!SplitCommand.at(1).compare("load"))
100 {
101 SymbolLoadOrDownloadSymbols(FALSE, FALSE);
102 }
103 else if (!SplitCommand.at(1).compare("download"))
104 {
105 SymbolLoadOrDownloadSymbols(TRUE, FALSE);
106 }
107 }
108 else if (!SplitCommand.at(1).compare("reload"))
109 {
110 //
111 // Validate params
112 //
113 if (SplitCommand.size() != 2 && SplitCommand.size() != 4)
114 {
115 ShowMessages("incorrect use of the '.sym'\n\n");
116 CommandSymHelp();
117 return;
118 }
119
120 //
121 // Check for process id
122 //
123 if (SplitCommand.size() == 4)
124 {
125 if (!SplitCommand.at(2).compare("pid"))
126 {
127 if (!ConvertStringToUInt32(SplitCommand.at(3), &UserProcessId))
128 {
129 //
130 // couldn't resolve or unknown parameter
131 //
132 ShowMessages("err, couldn't resolve error at '%s'\n\n",
133 SplitCommand.at(3).c_str());
134 CommandSymHelp();
135 return;
136 }
137 }
138 else
139 {
140 ShowMessages("incorrect use of the '.sym'\n\n");
141 CommandSymHelp();
142 return;
143 }
144 }
145
146 //
147 // Refresh and reload symbols
148 //
149 if (g_IsSerialConnectedToRemoteDebuggee)
150 {
151 //
152 // Update symbol table from remote debuggee in debugger-mode
153 //
154 SymbolReloadSymbolTableInDebuggerMode(UserProcessId);
155 }
156 else
157 {
158 //
159 // Check if user explicitly specified the process id
160 //
161 if (UserProcessId == NULL)
162 {
163 //
164 // User didn't explicitly specified the process id, so
165 // if it's a user-debugger process, we use the modules
166 // of the target user-debuggee's process, otherwise,
167 // the current process (HyperDbg's process) is specified
168 //
169 if (g_ActiveProcessDebuggingState.IsActive)
170 {
171 UserProcessId = g_ActiveProcessDebuggingState.ProcessId;
172 }
173 else
174 {
175 UserProcessId = GetCurrentProcessId();
176 }
177 }
178
179 //
180 // Build locally and reload it
181 //
182 if (SymbolLocalReload(UserProcessId))
183 {
184 ShowMessages("symbol table updated successfully\n");
185 }
186 }
187 }
188 else if (!SplitCommand.at(1).compare("unload"))
189 {
190 //
191 // Validate params
192 //
193 if (SplitCommand.size() != 2)
194 {
195 ShowMessages("incorrect use of the '.sym'\n\n");
196 CommandSymHelp();
197 return;
198 }
199
200 //
201 // unload without any parameters, means that unload
202 // all the symbols
203 //
204 ScriptEngineUnloadAllSymbolsWrapper();
205
206 //
207 // Size is 3 there is module name (not working ! I don't know why)
208 //
209 // ScriptEngineUnloadModuleSymbolWrapper((char *)SplitCommand.at(2).c_str());
210 }
211 else if (!SplitCommand.at(1).compare("add"))
212 {
213 //
214 // Validate params
215 //
216 if (SplitCommand.size() < 6)
217 {
218 ShowMessages("incorrect use of the '.sym'\n\n");
219 CommandSymHelp();
220 return;
221 }
222
223 if (!SplitCommand.at(2).compare("base"))
224 {
225 string Delimiter = "";
226 string PathToPdb = "";
227 if (!ConvertStringToUInt64(SplitCommand.at(3), &BaseAddress))
228 {
229 ShowMessages("please add a valid hex address to be used as the base address\n\n");
230 CommandSymHelp();
231 return;
232 }
233
234 //
235 // Base address is now valid, check if next parameter is path
236 //
237 if (SplitCommand.at(4).compare("path"))
238 {
239 ShowMessages("incorrect use of the '.sym'\n\n");
240 CommandSymHelp();
241 return;
242 }
243
244 //
245 // The rest of command is pdb path
246 //
247 Delimiter = "path ";
248 PathToPdb = Command.substr(Command.find(Delimiter) + 5, Command.size());
249
250 //
251 // Check if pdb file exists or not
252 //
253 if (!IsFileExistA(PathToPdb.c_str()))
254 {
255 ShowMessages("pdb file not found\n");
256 return;
257 }
258
259 ShowMessages("loading module symbol at '%s'\n", PathToPdb.c_str());
260
261 //
262 // Load the pdb file (the validation of pdb file is checked into pdb
263 // parsing functions)
264 //
265 ScriptEngineLoadFileSymbolWrapper(BaseAddress, PathToPdb.c_str(), NULL);
266 }
267 else
268 {
269 ShowMessages("incorrect use of the '.sym'\n\n");
270 CommandSymHelp();
271 return;
272 }
273 }
274 else
275 {
276 ShowMessages("unknown parameter at '%s'\n\n", SplitCommand.at(1).c_str());
277 CommandSymHelp();
278 return;
279 }
280}
IsFileExistA
BOOLEAN IsFileExistA(const char *FileName)
check if a file exist or not (ASCII)
Definition common.cpp:619
ScriptEngineUnloadAllSymbolsWrapper
UINT32 ScriptEngineUnloadAllSymbolsWrapper()
ScriptEngineUnloadAllSymbols wrapper.
Definition script-engine-wrapper.cpp:91
ScriptEngineLoadFileSymbolWrapper
UINT32 ScriptEngineLoadFileSymbolWrapper(UINT64 BaseAddress, const char *PdbFileName, const char *CustomModuleName)
ScriptEngineLoadFileSymbol wrapper.
Definition script-engine-wrapper.cpp:67
CommandSymHelp
VOID CommandSymHelp()
help of the .sym command
Definition sym.cpp:26
g_IsSerialConnectedToRemoteDebuggee
BOOLEAN g_IsSerialConnectedToRemoteDebuggee
Shows if the debugger was connected to remote debuggee over (A remote guest)
Definition globals.h:231
g_ActiveProcessDebuggingState
ACTIVE_DEBUGGING_PROCESS g_ActiveProcessDebuggingState
State of active debugging thread.
Definition globals.h:362
SymbolLoadOrDownloadSymbols
BOOLEAN SymbolLoadOrDownloadSymbols(BOOLEAN IsDownload, BOOLEAN SilentLoad)
Load or download symbols.
Definition symbol.cpp:299
SymbolReloadSymbolTableInDebuggerMode
BOOLEAN SymbolReloadSymbolTableInDebuggerMode(UINT32 ProcessId)
Update the symbol table from remote debuggee in debugger mode.
Definition symbol.cpp:1004
SymbolBuildAndShowSymbolTable
VOID SymbolBuildAndShowSymbolTable()
Build and show symbol table details.
Definition symbol.cpp:264

◆ CommandSympath()

VOID CommandSympath ( vector< string > SplitCommand,
string Command )

.sympath command handler

Parameters
SplitCommand
Command
Returns
VOID
45{
46 string SymbolServer = "";
47 string Token;
48
49 if (SplitCommand.size() == 1)
50 {
51 //
52 // Show the current symbol path
53 //
54 if (!CommandSettingsGetValueFromConfigFile("SymbolServer", SymbolServer))
55 {
56 ShowMessages("symbol server is not configured, please use '.help .sympath'\n");
57 }
58 else
59 {
60 ShowMessages("current symbol server is : %s\n", SymbolServer.c_str());
61 }
62 }
63 else
64 {
65 //
66 // Save the symbol path
67 //
68
69 //
70 // Trim the command
71 //
72 Trim(Command);
73
74 //
75 // Remove .sympath from it
76 //
77 Command.erase(0, SplitCommand.at(0).size());
78
79 //
80 // Trim it again
81 //
82 Trim(Command);
83
84 //
85 // *** validate the symbols ***
86 //
87
88 //
89 // Check if the string contains '*'
90 //
91 char Delimiter = '*';
92 if (Command.find(Delimiter) != std::string::npos)
93 {
94 //
95 // Found
96 //
97 Token = Command.substr(0, Command.find(Delimiter));
98 // using transform() function and ::tolower in STL
99 transform(Token.begin(), Token.end(), Token.begin(), ::tolower);
100
101 //
102 // Check if it starts with srv
103 //
104 if (!Token.compare("srv"))
105 {
106 //
107 // Save the config
108 //
109 CommandSettingsSetValueFromConfigFile("SymbolServer", Command);
110
111 //
112 // Show the message
113 //
114 ShowMessages("symbol server/path is configured successfully\n");
115 ShowMessages("use '.sym load', '.sym reload', or '.sym download' to load pdb files\n");
116 }
117 else
118 {
119 ShowMessages("symbol path is invalid\n\n");
120 CommandSympathHelp();
121 return;
122 }
123 }
124 else
125 {
126 ShowMessages("symbol path is invalid\n\n");
127 CommandSympathHelp();
128 return;
129 }
130 }
131}
CommandSettingsSetValueFromConfigFile
VOID CommandSettingsSetValueFromConfigFile(std::string OptionName, std::string OptionValue)
Sets the setting values from config file.
Definition settings.cpp:115
CommandSympathHelp
VOID CommandSympathHelp()
help of the .sympath command
Definition sympath.cpp:24

◆ CommandSyscallAndSysret()

VOID CommandSyscallAndSysret ( vector< string > SplitCommand,
string Command )

!syscall, !syscall2 and !sysret, !sysret2 commands handler

Parameters
SplitCommand
Command
Returns
VOID
85{
86 PDEBUGGER_GENERAL_EVENT_DETAIL Event = NULL;
87 PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger = NULL;
88 PDEBUGGER_GENERAL_ACTION ActionCustomCode = NULL;
89 PDEBUGGER_GENERAL_ACTION ActionScript = NULL;
90 UINT32 EventLength;
91 UINT32 ActionBreakToDebuggerLength = 0;
92 UINT32 ActionCustomCodeLength = 0;
93 UINT32 ActionScriptLength = 0;
94 UINT64 SpecialTarget = DEBUGGER_EVENT_SYSCALL_ALL_SYSRET_OR_SYSCALLS;
95 BOOLEAN GetSyscallNumber = FALSE;
96 vector<string> SplitCommandCaseSensitive {Split(Command, ' ')};
97 DEBUGGER_EVENT_PARSING_ERROR_CAUSE EventParsingErrorCause;
98 string Cmd;
99
100 //
101 // Interpret and fill the general event and action fields
102 //
103 //
104 Cmd = SplitCommand.at(0);
105 if (!Cmd.compare("!syscall") || !Cmd.compare("!syscall2"))
106 {
107 if (!InterpretGeneralEventAndActionsFields(
108 &SplitCommand,
109 &SplitCommandCaseSensitive,
110 SYSCALL_HOOK_EFER_SYSCALL,
111 &Event,
112 &EventLength,
113 &ActionBreakToDebugger,
114 &ActionBreakToDebuggerLength,
115 &ActionCustomCode,
116 &ActionCustomCodeLength,
117 &ActionScript,
118 &ActionScriptLength,
119 &EventParsingErrorCause))
120 {
121 return;
122 }
123 }
124 else
125 {
126 if (!InterpretGeneralEventAndActionsFields(
127 &SplitCommand,
128 &SplitCommandCaseSensitive,
129 SYSCALL_HOOK_EFER_SYSRET,
130 &Event,
131 &EventLength,
132 &ActionBreakToDebugger,
133 &ActionBreakToDebuggerLength,
134 &ActionCustomCode,
135 &ActionCustomCodeLength,
136 &ActionScript,
137 &ActionScriptLength,
138 &EventParsingErrorCause))
139 {
140 return;
141 }
142 }
143
144 //
145 // Interpret command specific details (if any)
146 //
147
148 //
149 // Currently we do not support any extra argument for !sysret command
150 // it is because we don't know how to find syscall number in sysret
151 // and we don't wanna deal with dynamic mapping of rcx (user stack)
152 // in vmx-root
153 //
154 if (!Cmd.compare("!syscall") || !Cmd.compare("!syscall2"))
155 {
156 for (auto Section : SplitCommand)
157 {
158 if (!Section.compare("!syscall") ||
159 !Section.compare("!syscall2") ||
160 !Section.compare("!sysret") ||
161 !Section.compare("!sysret2"))
162 {
163 continue;
164 }
165
166 else if (!GetSyscallNumber)
167 {
168 //
169 // It's probably a syscall address
170 //
171 if (!ConvertStringToUInt64(Section, &SpecialTarget))
172 {
173 //
174 // Unknown parameter
175 //
176 ShowMessages("unknown parameter '%s'\n\n", Section.c_str());
177
178 if (!Cmd.compare("!syscall") || !Cmd.compare("!syscall2"))
179 {
180 CommandSyscallHelp();
181 }
182 else
183 {
184 CommandSysretHelp();
185 }
186
187 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
188 return;
189 }
190 else
191 {
192 GetSyscallNumber = TRUE;
193 }
194 }
195 else
196 {
197 //
198 // Unknown parameter
199 //
200 ShowMessages("unknown parameter '%s'\n\n", Section.c_str());
201
202 if (!Cmd.compare("!syscall") || !Cmd.compare("!syscall2"))
203 {
204 CommandSyscallHelp();
205 }
206 else
207 {
208 CommandSysretHelp();
209 }
210
211 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
212 return;
213 }
214 }
215
216 //
217 // Set the target syscall
218 //
219 Event->Options.OptionalParam1 = SpecialTarget;
220 }
221
222 //
223 // Set whether it's !syscall or !syscall2 or !sysret or !sysret2
224 //
225 if (!Cmd.compare("!syscall2") || !Cmd.compare("!sysret2"))
226 {
227 //
228 // It's a !syscall2 or !sysret2
229 //
230 Event->Options.OptionalParam2 = DEBUGGER_EVENT_SYSCALL_SYSRET_HANDLE_ALL_UD;
231 }
232 else
233 {
234 //
235 // It's a !syscall or !sysret
236 //
237 Event->Options.OptionalParam2 = DEBUGGER_EVENT_SYSCALL_SYSRET_SAFE_ACCESS_MEMORY;
238 }
239
240 //
241 // Send the ioctl to the kernel for event registration
242 //
243 if (!SendEventToKernel(Event, EventLength))
244 {
245 //
246 // There was an error, probably the handle was not initialized
247 // we have to free the Action before exit, it is because, we
248 // already freed the Event and string buffers
249 //
250
251 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
252 return;
253 }
254
255 //
256 // Add the event to the kernel
257 //
258 if (!RegisterActionToEvent(Event,
259 ActionBreakToDebugger,
260 ActionBreakToDebuggerLength,
261 ActionCustomCode,
262 ActionCustomCodeLength,
263 ActionScript,
264 ActionScriptLength))
265 {
266 //
267 // There was an error
268 //
269
270 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
271 return;
272 }
273}
DEBUGGER_EVENT_SYSCALL_ALL_SYSRET_OR_SYSCALLS
#define DEBUGGER_EVENT_SYSCALL_ALL_SYSRET_OR_SYSCALLS
Apply to all syscalls and sysrets.
Definition Constants.h:635
SYSCALL_HOOK_EFER_SYSCALL
@ SYSCALL_HOOK_EFER_SYSCALL
Definition Events.h:117
SYSCALL_HOOK_EFER_SYSRET
@ SYSCALL_HOOK_EFER_SYSRET
Definition Events.h:118
DEBUGGER_EVENT_SYSCALL_SYSRET_SAFE_ACCESS_MEMORY
@ DEBUGGER_EVENT_SYSCALL_SYSRET_SAFE_ACCESS_MEMORY
Definition Events.h:192
DEBUGGER_EVENT_SYSCALL_SYSRET_HANDLE_ALL_UD
@ DEBUGGER_EVENT_SYSCALL_SYSRET_HANDLE_ALL_UD
Definition Events.h:193
CommandSysretHelp
VOID CommandSysretHelp()
help of the !sysret command
Definition syscall-sysret.cpp:54
CommandSyscallHelp
VOID CommandSyscallHelp()
help of the !syscall command
Definition syscall-sysret.cpp:20

◆ CommandT()

VOID CommandT ( vector< string > SplitCommand,
string Command )

handler of t command

Parameters
SplitCommand
Command
Returns
VOID
53{
54 UINT32 StepCount;
55 DEBUGGER_REMOTE_STEPPING_REQUEST RequestFormat;
56
57 //
58 // Validate the commands
59 //
60 if (SplitCommand.size() != 1 && SplitCommand.size() != 2)
61 {
62 ShowMessages("incorrect use of the 't'\n\n");
63 CommandTHelp();
64 return;
65 }
66
67 //
68 // Set type of step
69 //
70 RequestFormat = DEBUGGER_REMOTE_STEPPING_REQUEST_STEP_IN;
71
72 //
73 // Check if the command has a counter parameter
74 //
75 if (SplitCommand.size() == 2)
76 {
77 if (!ConvertStringToUInt32(SplitCommand.at(1), &StepCount))
78 {
79 ShowMessages("please specify a correct hex value for [count]\n\n");
80 CommandTHelp();
81 return;
82 }
83 }
84 else
85 {
86 StepCount = 1;
87 }
88
89 //
90 // Check if the remote serial debuggee or user debugger are paused or not
91 //
92 if (g_IsSerialConnectedToRemoteDebuggee || g_ActiveProcessDebuggingState.IsActive)
93 {
94 //
95 // Check if the thread is paused or not
96 //
97 if (g_ActiveProcessDebuggingState.IsActive && !g_ActiveProcessDebuggingState.IsPaused)
98 {
99 ShowMessages("the target process is running, use the "
100 "'pause' command or press CTRL+C to pause the process\n");
101 return;
102 }
103
104 //
105 // Indicate that we're instrumenting
106 //
107 g_IsInstrumentingInstructions = TRUE;
108
109 for (size_t i = 0; i < StepCount; i++)
110 {
111 //
112 // For logging purpose
113 //
114 // ShowMessages("percentage : %f %% (%x)\n", 100.0 * (i /
115 // (float)StepCount), i);
116 //
117
118 if (g_IsSerialConnectedToRemoteDebuggee)
119 {
120 //
121 // It's stepping over serial connection in kernel debugger
122 //
123 KdSendStepPacketToDebuggee(RequestFormat);
124 }
125 else
126 {
127 //
128 // It's stepping over user debugger
129 //
130 UdSendStepPacketToDebuggee(g_ActiveProcessDebuggingState.ProcessDebuggingToken,
131 g_ActiveProcessDebuggingState.ThreadId,
132 RequestFormat);
133 }
134
135 if (!SplitCommand.at(0).compare("tr"))
136 {
137 //
138 // Show registers
139 //
140 HyperDbgRegisterShowAll();
141
142 if (i != StepCount - 1)
143 {
144 ShowMessages("\n");
145 }
146 }
147
148 //
149 // Check if user pressed CTRL+C
150 //
151 if (!g_IsInstrumentingInstructions)
152 {
153 break;
154 }
155 }
156
157 //
158 // We're not instrumenting instructions anymore
159 //
160 g_IsInstrumentingInstructions = FALSE;
161 }
162 else
163 {
164 ShowMessages("err, stepping (t) is not valid in the current context, you "
165 "should connect to a debuggee\n");
166 }
167}
DEBUGGER_REMOTE_STEPPING_REQUEST_STEP_IN
@ DEBUGGER_REMOTE_STEPPING_REQUEST_STEP_IN
Definition RequestStructures.h:992
CommandTHelp
VOID CommandTHelp()
help of the t command
Definition t.cpp:27
g_IsInstrumentingInstructions
BOOLEAN g_IsInstrumentingInstructions
Shows whether the user is running 't', 'p', or 'i' command.
Definition globals.h:561
g_IsSerialConnectedToRemoteDebuggee
BOOLEAN g_IsSerialConnectedToRemoteDebuggee
Shows if the debugger was connected to remote debuggee over (A remote guest)
Definition globals.h:231
g_ActiveProcessDebuggingState
ACTIVE_DEBUGGING_PROCESS g_ActiveProcessDebuggingState
State of active debugging thread.
Definition globals.h:362

◆ CommandTest()

VOID CommandTest ( vector< string > SplitCommand,
string Command )

test command handler

Parameters
SplitCommand
Command
Returns
VOID
365{
366 UINT64 Context = NULL;
367
368 if (SplitCommand.size() == 1)
369 {
370 //
371 // For testing functionalities
372 //
373 CommandTestPerformTest();
374 }
375 else if (SplitCommand.size() == 2 && !SplitCommand.at(1).compare("query"))
376 {
377 //
378 // Query the state of debuggee in debugger mode
379 //
380 CommandTestQueryState();
381 }
382 else if (SplitCommand.size() == 2 && !SplitCommand.at(1).compare("trap-status"))
383 {
384 //
385 // Query the state of trap flag in debugger mode
386 //
387 CommandTestQueryTrapState();
388 }
389 else if (SplitCommand.size() == 2 && !SplitCommand.at(1).compare("pool"))
390 {
391 //
392 // Query the state of pre-allocated pools in debugger mode
393 //
394 CommandTestQueryPreAllocPoolsState();
395 }
396 else if (SplitCommand.size() == 2 && !SplitCommand.at(1).compare("sync-task"))
397 {
398 //
399 // Send target task to the halted cores in debugger mode (synchronous)
400 //
401 CommandTestSetTargetTaskToHaltedCores(TRUE);
402 }
403 else if (SplitCommand.size() == 2 && !SplitCommand.at(1).compare("async-task"))
404 {
405 //
406 // Send target task to the halted cores in debugger mode (asynchronous)
407 //
408 CommandTestSetTargetTaskToHaltedCores(FALSE);
409 }
410 else if (SplitCommand.size() == 3 && !SplitCommand.at(1).compare("target-core-task"))
411 {
412 if (!ConvertStringToUInt64(SplitCommand.at(2), &Context))
413 {
414 ShowMessages("err, you should enter a valid hex number as the core id\n\n");
415 return;
416 }
417
418 //
419 // Send target task to the specific halted core in debugger mode
420 //
421 CommandTestSetTargetTaskToTargetCore((UINT32)Context);
422 }
423 else if (SplitCommand.size() == 3 && !SplitCommand.at(1).compare("breakpoint"))
424 {
425 //
426 // Change breakpoint state
427 //
428 if (!SplitCommand.at(2).compare("on"))
429 {
430 CommandTestSetBreakpointState(TRUE);
431 }
432 else if (!SplitCommand.at(2).compare("off"))
433 {
434 CommandTestSetBreakpointState(FALSE);
435 }
436 else
437 {
438 ShowMessages("err, couldn't resolve error at '%s'\n\n", SplitCommand.at(2).c_str());
439 return;
440 }
441 }
442 else if (SplitCommand.size() == 3 && !SplitCommand.at(1).compare("trap"))
443 {
444 //
445 // Change debug break state
446 //
447 if (!SplitCommand.at(2).compare("on"))
448 {
449 CommandTestSetDebugBreakState(TRUE);
450 }
451 else if (!SplitCommand.at(2).compare("off"))
452 {
453 CommandTestSetDebugBreakState(FALSE);
454 }
455 else
456 {
457 ShowMessages("err, couldn't resolve error at '%s'\n\n", SplitCommand.at(2).c_str());
458 return;
459 }
460 }
461 else
462 {
463 ShowMessages("incorrect use of the 'test'\n\n");
464 CommandTestHelp();
465 return;
466 }
467}
Context
NTKERNELAPI _In_opt_ PVOID Context
Definition Dpc.h:25
CommandTestSetTargetTaskToTargetCore
VOID CommandTestSetTargetTaskToTargetCore(UINT32 CoreNumber)
test command for setting target task to the specified core
Definition test.cpp:285
CommandTestSetTargetTaskToHaltedCores
VOID CommandTestSetTargetTaskToHaltedCores(BOOLEAN Synchronous)
test command for setting target tasks to halted cores
Definition test.cpp:263
CommandTestQueryPreAllocPoolsState
VOID CommandTestQueryPreAllocPoolsState()
test command for query the state of pre-allocated pools
Definition test.cpp:241
CommandTestSetDebugBreakState
VOID CommandTestSetDebugBreakState(BOOLEAN State)
test command for turning on/off the debug breaks (#DB)
Definition test.cpp:334
CommandTestPerformTest
BOOLEAN CommandTestPerformTest()
perform test on the remote process
Definition test.cpp:106
CommandTestQueryState
VOID CommandTestQueryState()
test command for query the state
Definition test.cpp:199
CommandTestSetBreakpointState
VOID CommandTestSetBreakpointState(BOOLEAN State)
test command for turning on/off the breakpoints (#DB)
Definition test.cpp:306
CommandTestHelp
VOID CommandTestHelp()
help of the test command
Definition test.cpp:25
CommandTestQueryTrapState
VOID CommandTestQueryTrapState()
test command for query the trap state
Definition test.cpp:220

◆ CommandThread()

VOID CommandThread ( vector< string > SplitCommand,
string Command )

.thread command handler

Parameters
SplitCommand
Command
Returns
VOID
120{
121 UINT32 TargetThreadId = 0;
122 UINT64 TargetThread = 0;
123 UINT64 TargetProcess = 0;
124 BOOLEAN CheckByClkIntr = FALSE;
125
126 if (SplitCommand.size() >= 5)
127 {
128 ShowMessages("incorrect use of the '.thread'\n\n");
129 CommandThreadHelp();
130 return;
131 }
132
133 if (SplitCommand.size() == 1)
134 {
135 //
136 // Check if it's connected to a remote debuggee or not
137 //
138 if (!g_IsSerialConnectedToRemoteDebuggee)
139 {
140 ObjectShowProcessesOrThreadDetails(FALSE);
141 }
142 else
143 {
144 //
145 // Send the packet to get current thread
146 //
147 KdSendSwitchThreadPacketToDebuggee(DEBUGGEE_DETAILS_AND_SWITCH_THREAD_GET_THREAD_DETAILS,
148 NULL,
149 NULL,
150 FALSE,
151 NULL);
152 }
153 }
154 else if (SplitCommand.size() == 2)
155 {
156 if (!SplitCommand.at(1).compare("list"))
157 {
158 //
159 // Sending null as the nt!_EPROCESS indicates that the target process is
160 // the current process (Current nt!_EPROCESS)
161 //
162 if (!CommandThreadListThreads(NULL))
163 {
164 ShowMessages("err, the need offset to iterate over threads not found, "
165 "make sure to load ntoskrnl.exe's PDB file. use '.help .sym' for "
166 "more information\n");
167 return;
168 }
169 }
170 else
171 {
172 ShowMessages(
173 "err, unknown parameter at '%s'\n\n",
174 SplitCommand.at(1).c_str());
175 CommandThreadHelp();
176 return;
177 }
178 }
179 else if (SplitCommand.size() == 3)
180 {
181 //
182 // Check if it's connected to a remote debuggee or not
183 //
184 if (!g_IsSerialConnectedToRemoteDebuggee)
185 {
186 ShowMessages("err, you're not connected to any debuggee in Debugger Mode, "
187 "you can use the '.attach', or the '.detach' commands if you're "
188 "operating in VMI Mode\n");
189 return;
190 }
191
192 if (!SplitCommand.at(1).compare("tid"))
193 {
194 if (!ConvertStringToUInt32(SplitCommand.at(2), &TargetThreadId))
195 {
196 ShowMessages(
197 "please specify a correct hex value for the thread id that you "
198 "want to operate on it\n\n");
199 CommandThreadHelp();
200 return;
201 }
202 }
203 else if (!SplitCommand.at(1).compare("thread"))
204 {
205 if (!SymbolConvertNameOrExprToAddress(SplitCommand.at(2), &TargetThread))
206 {
207 ShowMessages(
208 "please specify a correct hex value for the thread (nt!_ETHREAD) that you "
209 "want to operate on it\n\n");
210 CommandThreadHelp();
211 return;
212 }
213 }
214 else if (!SplitCommand.at(1).compare("list") && !SplitCommand.at(2).compare("process"))
215 {
216 ShowMessages(
217 "please specify a hex value for the process\n\n");
218 CommandThreadHelp();
219 return;
220 }
221 else
222 {
223 ShowMessages(
224 "err, unknown parameter at '%s'\n\n",
225 SplitCommand.at(2).c_str());
226 CommandThreadHelp();
227 return;
228 }
229
230 if (!SplitCommand.at(0).compare(".thread2"))
231 {
232 //
233 // Check by changes to gs:[188]
234 //
235 CheckByClkIntr = FALSE;
236 }
237 else
238 {
239 //
240 // Check on clock interrupt changes
241 //
242 CheckByClkIntr = TRUE;
243 }
244
245 //
246 // Send the packet to change the thread
247 //
248 KdSendSwitchThreadPacketToDebuggee(DEBUGGEE_DETAILS_AND_SWITCH_THREAD_PERFORM_SWITCH,
249 TargetThreadId,
250 TargetThread,
251 CheckByClkIntr,
252 NULL);
253 }
254 else if (SplitCommand.size() == 4)
255 {
256 if (!SplitCommand.at(1).compare("list"))
257 {
258 if (!SplitCommand.at(2).compare("process"))
259 {
260 if (!SymbolConvertNameOrExprToAddress(SplitCommand.at(3), &TargetProcess))
261 {
262 ShowMessages(
263 "please specify a correct hex value for the process (nt!_EPROCESS) that you "
264 "want to see its threads\n\n");
265 CommandThreadHelp();
266 return;
267 }
268
269 //
270 // List the target process's threads
271 //
272 if (!CommandThreadListThreads(TargetProcess))
273 {
274 ShowMessages("err, the need offset to iterate over threads not found, "
275 "make sure to load ntoskrnl.exe's PDB file. use '.help .sym' for "
276 "more information\n");
277 return;
278 }
279 }
280 else
281 {
282 ShowMessages(
283 "err, unknown parameter at '%s'\n\n",
284 SplitCommand.at(2).c_str());
285 CommandThreadHelp();
286 return;
287 }
288 }
289 else
290 {
291 ShowMessages(
292 "err, unknown parameter at '%s'\n\n",
293 SplitCommand.at(1).c_str());
294 CommandThreadHelp();
295 return;
296 }
297 }
298 else
299 {
300 ShowMessages("invalid parameter\n\n");
301 CommandThreadHelp();
302 return;
303 }
304}
DEBUGGEE_DETAILS_AND_SWITCH_THREAD_PERFORM_SWITCH
@ DEBUGGEE_DETAILS_AND_SWITCH_THREAD_PERFORM_SWITCH
Definition RequestStructures.h:952
DEBUGGEE_DETAILS_AND_SWITCH_THREAD_GET_THREAD_DETAILS
@ DEBUGGEE_DETAILS_AND_SWITCH_THREAD_GET_THREAD_DETAILS
Definition RequestStructures.h:953
KdSendSwitchThreadPacketToDebuggee
BOOLEAN KdSendSwitchThreadPacketToDebuggee(DEBUGGEE_DETAILS_AND_SWITCH_THREAD_TYPE ActionType, UINT32 NewTid, UINT64 NewThread, BOOLEAN CheckByClockInterrupt, PDEBUGGEE_THREAD_LIST_NEEDED_DETAILS SymDetailsForThreadList)
Sends a change thread or show threads detail packet to the debuggee.
Definition kd.cpp:858
CommandThreadHelp
VOID CommandThreadHelp()
help of the .thread command
Definition thread.cpp:25
CommandThreadListThreads
BOOLEAN CommandThreadListThreads(UINT64 Eprocess)
Definition thread.cpp:50
g_IsSerialConnectedToRemoteDebuggee
BOOLEAN g_IsSerialConnectedToRemoteDebuggee
Shows if the debugger was connected to remote debuggee over (A remote guest)
Definition globals.h:231

◆ CommandTrace()

VOID CommandTrace ( vector< string > SplitCommand,
string Command )

!trace command handler

Parameters
SplitCommand
Command
Returns
VOID
51{
52 PDEBUGGER_GENERAL_EVENT_DETAIL Event = NULL;
53 PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger = NULL;
54 PDEBUGGER_GENERAL_ACTION ActionCustomCode = NULL;
55 PDEBUGGER_GENERAL_ACTION ActionScript = NULL;
56 UINT32 EventLength;
57 UINT32 ActionBreakToDebuggerLength = 0;
58 UINT32 ActionCustomCodeLength = 0;
59 UINT32 ActionScriptLength = 0;
60 vector<string> SplitCommandCaseSensitive {Split(Command, ' ')};
61 DEBUGGER_EVENT_PARSING_ERROR_CAUSE EventParsingErrorCause;
62 BOOLEAN SetTraceType = FALSE;
63 DEBUGGER_EVENT_TRACE_TYPE TargetTrace = DEBUGGER_EVENT_TRACE_TYPE_INVALID;
64
65 //
66 // Interpret and fill the general event and action fields
67 //
68 //
69 if (!InterpretGeneralEventAndActionsFields(
70 &SplitCommand,
71 &SplitCommandCaseSensitive,
72 TRAP_EXECUTION_INSTRUCTION_TRACE,
73 &Event,
74 &EventLength,
75 &ActionBreakToDebugger,
76 &ActionBreakToDebuggerLength,
77 &ActionCustomCode,
78 &ActionCustomCodeLength,
79 &ActionScript,
80 &ActionScriptLength,
81 &EventParsingErrorCause))
82 {
83 return;
84 }
85
86 //
87 // Check for size
88 //
89 if (SplitCommand.size() > 2)
90 {
91 ShowMessages("incorrect use of the '!trace'\n");
92 CommandTraceHelp();
93
94 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
95 return;
96 }
97
98 //
99 // Interpret command specific details (if any)
100 //
101 for (auto Section : SplitCommand)
102 {
103 if (!Section.compare("!trace"))
104 {
105 continue;
106 }
107 else if ((!Section.compare("step-in") || !Section.compare("stepin") || !Section.compare("step")) && !SetTraceType)
108 {
109 TargetTrace = DEBUGGER_EVENT_TRACE_TYPE_STEP_IN;
110 SetTraceType = TRUE;
111 }
112 else if ((!Section.compare("step-out") || !Section.compare("stepout")) && !SetTraceType)
113 {
114 TargetTrace = DEBUGGER_EVENT_TRACE_TYPE_STEP_OUT;
115 SetTraceType = TRUE;
116 }
117 else if ((!Section.compare("step-instrument") || !Section.compare("instrument-step") ||
118 !Section.compare("instrumentstep") ||
119 !Section.compare("instrument-step-in")) &&
120 !SetTraceType)
121 {
122 TargetTrace = DEBUGGER_EVENT_TRACE_TYPE_INSTRUMENTATION_STEP_IN;
123 SetTraceType = TRUE;
124 }
125 else
126 {
127 //
128 // Couldn't resolve or unknown parameter
129 //
130 ShowMessages("err, couldn't resolve error at '%s'\n\n",
131 Section.c_str());
132
133 CommandTraceHelp();
134
135 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
136 }
137 }
138
139 //
140 // Check if user specified the execution mode or not
141 //
142 if (!SetTraceType)
143 {
144 ShowMessages("please specify the trace type\n");
145
146 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
147 return;
148 }
149
150 //
151 // Set the first parameter to the required trace type
152 //
153 Event->Options.OptionalParam1 = (UINT64)SetTraceType;
154
155 //
156 // Send the ioctl to the kernel for event registration
157 //
158 if (!SendEventToKernel(Event, EventLength))
159 {
160 //
161 // There was an error, probably the handle was not initialized
162 // we have to free the Action before exit, it is because, we
163 // already freed the Event and string buffers
164 //
165
166 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
167 return;
168 }
169
170 //
171 // Add the event to the kernel
172 //
173 if (!RegisterActionToEvent(Event,
174 ActionBreakToDebugger,
175 ActionBreakToDebuggerLength,
176 ActionCustomCode,
177 ActionCustomCodeLength,
178 ActionScript,
179 ActionScriptLength))
180 {
181 //
182 // There was an error
183 //
184
185 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
186 return;
187 }
188}
DEBUGGER_EVENT_TRACE_TYPE_INVALID
@ DEBUGGER_EVENT_TRACE_TYPE_INVALID
Definition Events.h:218
DEBUGGER_EVENT_TRACE_TYPE_INSTRUMENTATION_STEP_IN
@ DEBUGGER_EVENT_TRACE_TYPE_INSTRUMENTATION_STEP_IN
Definition Events.h:221
DEBUGGER_EVENT_TRACE_TYPE_STEP_IN
@ DEBUGGER_EVENT_TRACE_TYPE_STEP_IN
Definition Events.h:219
DEBUGGER_EVENT_TRACE_TYPE_STEP_OUT
@ DEBUGGER_EVENT_TRACE_TYPE_STEP_OUT
Definition Events.h:220
TRAP_EXECUTION_INSTRUCTION_TRACE
@ TRAP_EXECUTION_INSTRUCTION_TRACE
Definition Events.h:170
DEBUGGER_EVENT_TRACE_TYPE
enum _DEBUGGER_EVENT_TRACE_TYPE DEBUGGER_EVENT_TRACE_TYPE
Type of tracing events.
CommandTraceHelp
VOID CommandTraceHelp()
help of the !trace command
Definition trace.cpp:20

◆ CommandTrack()

VOID CommandTrack ( vector< string > SplitCommand,
string Command )

handler of !track command

Parameters
SplitCommand
Command
Returns
VOID
95{
96

◆ CommandTsc()

VOID CommandTsc ( vector< string > SplitCommand,
string Command )

handler of !tsc command

Parameters
SplitCommand
Command
Returns
VOID
46{
47 PDEBUGGER_GENERAL_EVENT_DETAIL Event = NULL;
48 PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger = NULL;
49 PDEBUGGER_GENERAL_ACTION ActionCustomCode = NULL;
50 PDEBUGGER_GENERAL_ACTION ActionScript = NULL;
51 UINT32 EventLength;
52 UINT32 ActionBreakToDebuggerLength = 0;
53 UINT32 ActionCustomCodeLength = 0;
54 UINT32 ActionScriptLength = 0;
55 vector<string> SplitCommandCaseSensitive {Split(Command, ' ')};
56 DEBUGGER_EVENT_PARSING_ERROR_CAUSE EventParsingErrorCause;
57
58 //
59 // Interpret and fill the general event and action fields
60 //
61 //
62 if (!InterpretGeneralEventAndActionsFields(
63 &SplitCommand,
64 &SplitCommandCaseSensitive,
65 TSC_INSTRUCTION_EXECUTION,
66 &Event,
67 &EventLength,
68 &ActionBreakToDebugger,
69 &ActionBreakToDebuggerLength,
70 &ActionCustomCode,
71 &ActionCustomCodeLength,
72 &ActionScript,
73 &ActionScriptLength,
74 &EventParsingErrorCause))
75 {
76 return;
77 }
78
79 //
80 // Check for size
81 //
82 if (SplitCommand.size() > 1)
83 {
84 ShowMessages("incorrect use of the '!tsc'\n");
85 CommandTscHelp();
86
87 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
88 return;
89 }
90
91 //
92 // Send the ioctl to the kernel for event registration
93 //
94 if (!SendEventToKernel(Event, EventLength))
95 {
96 //
97 // There was an error, probably the handle was not initialized
98 // we have to free the Action before exit, it is because, we
99 // already freed the Event and string buffers
100 //
101
102 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
103 return;
104 }
105
106 //
107 // Add the event to the kernel
108 //
109 if (!RegisterActionToEvent(Event,
110 ActionBreakToDebugger,
111 ActionBreakToDebuggerLength,
112 ActionCustomCode,
113 ActionCustomCodeLength,
114 ActionScript,
115 ActionScriptLength))
116 {
117 //
118 // There was an error
119 //
120
121 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
122 return;
123 }
124}
TSC_INSTRUCTION_EXECUTION
@ TSC_INSTRUCTION_EXECUTION
Definition Events.h:151
CommandTscHelp
VOID CommandTscHelp()
help of the !tsc command
Definition tsc.cpp:20

◆ CommandUnhide()

VOID CommandUnhide ( vector< string > SplitCommand,
string Command )

!unhide command handler

Parameters
SplitCommand
Command
Returns
VOID
39{
40 BOOLEAN Status;
41 ULONG ReturnedLength;
42 DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE UnhideRequest = {0};
43
44 if (SplitCommand.size() >= 2)
45 {
46 ShowMessages("incorrect use of the '!unhide'\n\n");
47 CommandUnhideHelp();
48 return;
49 }
50
51 //
52 // Check if debugger is loaded or not
53 //
54 AssertShowMessageReturnStmt(g_DeviceHandle, ASSERT_MESSAGE_DRIVER_NOT_LOADED, AssertReturn);
55
56 //
57 // We don't wanna hide the debugger and make transparent vm-exits
58 //
59 UnhideRequest.IsHide = FALSE;
60
61 //
62 // Send the request to the kernel
63 //
64 Status = DeviceIoControl(
65 g_DeviceHandle, // Handle to device
66 IOCTL_DEBUGGER_HIDE_AND_UNHIDE_TO_TRANSPARENT_THE_DEBUGGER, // IO Control
67 // code
68 &UnhideRequest, // Input Buffer to driver.
69 SIZEOF_DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE, // Input buffer length
70 &UnhideRequest, // Output Buffer from driver.
71 SIZEOF_DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE, // Length of output
72 // buffer in bytes.
73 &ReturnedLength, // Bytes placed in buffer.
74 NULL // synchronous call
75 );
76
77 if (!Status)
78 {
79 ShowMessages("ioctl failed with code 0x%x\n", GetLastError());
80 return;
81 }
82
83 if (UnhideRequest.KernelStatus == DEBUGGER_OPERATION_WAS_SUCCESSFUL)
84 {
85 ShowMessages("transparent debugging successfully disabled :)\n");
86 }
87 else if (UnhideRequest.KernelStatus ==
88 DEBUGGER_ERROR_DEBUGGER_ALREADY_UHIDE)
89 {
90 ShowMessages("debugger is not in transparent-mode\n");
91 }
92 else
93 {
94 ShowMessages("unknown error occurred :(\n");
95 }
96}
DEBUGGER_ERROR_DEBUGGER_ALREADY_UHIDE
#define DEBUGGER_ERROR_DEBUGGER_ALREADY_UHIDE
error, the debugger is already in transparent-mode
Definition ErrorCodes.h:93
CommandUnhideHelp
VOID CommandUnhideHelp()
help of the !unhide command
Definition unhide.cpp:20

◆ CommandUnload()

VOID CommandUnload ( vector< string > SplitCommand,
string Command )

unload command handler

Parameters
SplitCommand
Command
Returns
VOID
49{
50 if (SplitCommand.size() != 2 && SplitCommand.size() != 3)
51 {
52 ShowMessages("incorrect use of the 'unload'\n\n");
53 CommandUnloadHelp();
54 return;
55 }
56
57 //
58 // Check for the module
59 //
60 if ((SplitCommand.size() == 2 && !SplitCommand.at(1).compare("vmm")) || (SplitCommand.size() == 3 && !SplitCommand.at(2).compare("vmm") && !SplitCommand.at(1).compare("remove")))
61 {
62 if (!g_IsConnectedToHyperDbgLocally)
63 {
64 ShowMessages("you're not connected to any instance of HyperDbg, did you "
65 "use '.connect'? \n");
66 return;
67 }
68
69 //
70 // Check to avoid using this command in debugger-mode
71 //
72 if (g_IsSerialConnectedToRemoteDebuggee || g_IsSerialConnectedToRemoteDebugger)
73 {
74 ShowMessages("you're connected to a an instance of HyperDbg, please use "
75 "'.debug close' command\n");
76 return;
77 }
78
79 if (g_IsDebuggerModulesLoaded)
80 {
81 HyperDbgUnloadVmm();
82 }
83 else
84 {
85 ShowMessages("there is nothing to unload\n");
86 }
87
88 //
89 // Check to remove the driver
90 //
91 if (!SplitCommand.at(1).compare("remove"))
92 {
93 //
94 // Stop the driver
95 //
96 if (HyperDbgStopVmmDriver())
97 {
98 ShowMessages("err, failed to stop driver\n");
99 return;
100 }
101
102 //
103 // Uninstall the driver
104 //
105 if (HyperDbgUninstallVmmDriver())
106 {
107 ShowMessages("err, failed to uninstall the driver\n");
108 return;
109 }
110
111 ShowMessages("the driver is removed\n");
112 }
113 }
114 else
115 {
116 //
117 // Module not found
118 //
119 ShowMessages("err, module not found\n");
120 }
121}
HyperDbgUninstallVmmDriver
INT HyperDbgUninstallVmmDriver()
Remove the VMM driver.
Definition libhyperdbg.cpp:604
HyperDbgStopVmmDriver
INT HyperDbgStopVmmDriver()
Stop VMM driver.
Definition libhyperdbg.cpp:570
g_IsSerialConnectedToRemoteDebugger
BOOLEAN g_IsSerialConnectedToRemoteDebugger
Shows if the debugger was connected to remote debugger (A remote host)
Definition globals.h:238
CommandUnloadHelp
VOID CommandUnloadHelp()
help of the unload command
Definition unload.cpp:28
g_IsSerialConnectedToRemoteDebuggee
BOOLEAN g_IsSerialConnectedToRemoteDebuggee
Shows if the debugger was connected to remote debuggee over (A remote guest)
Definition globals.h:231
g_IsConnectedToHyperDbgLocally
BOOLEAN g_IsConnectedToHyperDbgLocally
Shows whether the user is allowed to use 'load' command to load modules locally in VMI (virtual machi...
Definition globals.h:67
g_IsDebuggerModulesLoaded
BOOLEAN g_IsDebuggerModulesLoaded
this variable is used to indicate that modules are loaded so we make sure to later use a trace of loa...
Definition globals.h:356

◆ CommandVa2pa()

VOID CommandVa2pa ( vector< string > SplitCommand,
string Command )

!va2pa command handler

Parameters
SplitCommand
Command
Returns
VOID
50{
51 BOOL Status;
52 ULONG ReturnedLength;
53 UINT64 TargetVa;
54 UINT32 Pid = 0;
55 DEBUGGER_VA2PA_AND_PA2VA_COMMANDS AddressDetails = {0};
56 vector<string> SplitCommandCaseSensitive {Split(Command, ' ')};
57
58 if (SplitCommand.size() == 1 || SplitCommand.size() >= 5 ||
59 SplitCommand.size() == 3)
60 {
61 ShowMessages("incorrect use of the '!va2pa'\n\n");
62 CommandVa2paHelp();
63 return;
64 }
65
66 //
67 // By default if the user-debugger is active, we use these commands
68 // on the memory layout of the debuggee process
69 //
70 if (g_ActiveProcessDebuggingState.IsActive)
71 {
72 Pid = g_ActiveProcessDebuggingState.ProcessId;
73 }
74
75 if (SplitCommand.size() == 2)
76 {
77 //
78 // It's just an address for current process
79 //
80 if (!SymbolConvertNameOrExprToAddress(SplitCommandCaseSensitive.at(1), &TargetVa))
81 {
82 //
83 // Couldn't resolve or unknown parameter
84 //
85 ShowMessages("err, couldn't resolve error at '%s'\n",
86 SplitCommandCaseSensitive.at(1).c_str());
87 return;
88 }
89 }
90 else
91 {
92 //
93 // It might be address + pid
94 //
95 if (!SplitCommand.at(1).compare("pid"))
96 {
97 if (!ConvertStringToUInt32(SplitCommand.at(2), &Pid))
98 {
99 ShowMessages("incorrect address, please enter a valid process id\n");
100 return;
101 }
102
103 if (!SymbolConvertNameOrExprToAddress(SplitCommandCaseSensitive.at(3), &TargetVa))
104 {
105 //
106 // Couldn't resolve or unknown parameter
107 //
108 ShowMessages("err, couldn't resolve error at '%s'\n",
109 SplitCommandCaseSensitive.at(3).c_str());
110 return;
111 }
112 }
113 else if (!SplitCommand.at(2).compare("pid"))
114 {
115 if (!SymbolConvertNameOrExprToAddress(SplitCommandCaseSensitive.at(1), &TargetVa))
116 {
117 //
118 // Couldn't resolve or unknown parameter
119 //
120 ShowMessages("err, couldn't resolve error at '%s'\n",
121 SplitCommandCaseSensitive.at(1).c_str());
122 return;
123 }
124
125 if (!ConvertStringToUInt32(SplitCommand.at(3), &Pid))
126 {
127 ShowMessages("incorrect address, please enter a valid process id\n");
128 return;
129 }
130 }
131 else
132 {
133 ShowMessages("incorrect use of the '!va2pa'\n\n");
134 CommandVa2paHelp();
135 return;
136 }
137 }
138
139 //
140 // Prepare the buffer
141 // We use same buffer for input and output
142 //
143 AddressDetails.VirtualAddress = TargetVa;
144 AddressDetails.ProcessId = Pid; // null in debugger mode
145 AddressDetails.IsVirtual2Physical = TRUE;
146
147 if (g_IsSerialConnectedToRemoteDebuggee)
148 {
149 //
150 // Check to prevent using process id in !va2pa command
151 //
152 if (Pid != 0)
153 {
154 ShowMessages(ASSERT_MESSAGE_CANNOT_SPECIFY_PID);
155 return;
156 }
157
158 //
159 // Send the request over serial kernel debugger
160 //
161
162 KdSendVa2paAndPa2vaPacketToDebuggee(&AddressDetails);
163 }
164 else
165 {
166 AssertShowMessageReturnStmt(g_DeviceHandle, ASSERT_MESSAGE_DRIVER_NOT_LOADED, AssertReturn);
167
168 if (Pid == 0)
169 {
170 Pid = GetCurrentProcessId();
171 AddressDetails.ProcessId = Pid;
172 }
173
174 //
175 // Send IOCTL
176 //
177 Status = DeviceIoControl(
178 g_DeviceHandle, // Handle to device
179 IOCTL_DEBUGGER_VA2PA_AND_PA2VA_COMMANDS, // IO Control Code (IOCTL)
180 &AddressDetails, // Input Buffer to driver.
181 SIZEOF_DEBUGGER_VA2PA_AND_PA2VA_COMMANDS, // Input buffer length
182 &AddressDetails, // Output Buffer from driver.
183 SIZEOF_DEBUGGER_VA2PA_AND_PA2VA_COMMANDS, // Length of output
184 // buffer in bytes.
185 &ReturnedLength, // Bytes placed in buffer.
186 NULL // synchronous call
187 );
188
189 if (!Status)
190 {
191 ShowMessages("ioctl failed with code 0x%x\n", GetLastError());
192 return;
193 }
194
195 if (AddressDetails.KernelStatus == DEBUGGER_OPERATION_WAS_SUCCESSFUL)
196 {
197 //
198 // Show the results
199 //
200 ShowMessages("%llx\n", AddressDetails.PhysicalAddress);
201 }
202 else
203 {
204 //
205 // An err occurred, no results
206 //
207 ShowErrorMessage(AddressDetails.KernelStatus);
208 }
209 }
210}
g_IsSerialConnectedToRemoteDebuggee
BOOLEAN g_IsSerialConnectedToRemoteDebuggee
Shows if the debugger was connected to remote debuggee over (A remote guest)
Definition globals.h:231
g_ActiveProcessDebuggingState
ACTIVE_DEBUGGING_PROCESS g_ActiveProcessDebuggingState
State of active debugging thread.
Definition globals.h:362
CommandVa2paHelp
VOID CommandVa2paHelp()
help of the !va2pa command
Definition va2pa.cpp:26

◆ CommandVmcall()

VOID CommandVmcall ( vector< string > SplitCommand,
string Command )

!vmcall command handler

Parameters
SplitCommand
Command
Returns
VOID
46{
47 PDEBUGGER_GENERAL_EVENT_DETAIL Event = NULL;
48 PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger = NULL;
49 PDEBUGGER_GENERAL_ACTION ActionCustomCode = NULL;
50 PDEBUGGER_GENERAL_ACTION ActionScript = NULL;
51 UINT32 EventLength;
52 UINT32 ActionBreakToDebuggerLength = 0;
53 UINT32 ActionCustomCodeLength = 0;
54 UINT32 ActionScriptLength = 0;
55 vector<string> SplitCommandCaseSensitive {Split(Command, ' ')};
56 DEBUGGER_EVENT_PARSING_ERROR_CAUSE EventParsingErrorCause;
57
58 //
59 // Interpret and fill the general event and action fields
60 //
61 //
62 if (!InterpretGeneralEventAndActionsFields(
63 &SplitCommand,
64 &SplitCommandCaseSensitive,
65 VMCALL_INSTRUCTION_EXECUTION,
66 &Event,
67 &EventLength,
68 &ActionBreakToDebugger,
69 &ActionBreakToDebuggerLength,
70 &ActionCustomCode,
71 &ActionCustomCodeLength,
72 &ActionScript,
73 &ActionScriptLength,
74 &EventParsingErrorCause))
75 {
76 return;
77 }
78
79 //
80 // Check for size
81 //
82 if (SplitCommand.size() > 1)
83 {
84 ShowMessages("incorrect use of the '!vmcall'\n");
85 CommandVmcallHelp();
86
87 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
88 return;
89 }
90
91 //
92 // Send the ioctl to the kernel for event registration
93 //
94 if (!SendEventToKernel(Event, EventLength))
95 {
96 //
97 // There was an error, probably the handle was not initialized
98 // we have to free the Action before exit, it is because, we
99 // already freed the Event and string buffers
100 //
101
102 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
103 return;
104 }
105
106 //
107 // Add the event to the kernel
108 //
109 if (!RegisterActionToEvent(Event,
110 ActionBreakToDebugger,
111 ActionBreakToDebuggerLength,
112 ActionCustomCode,
113 ActionCustomCodeLength,
114 ActionScript,
115 ActionScriptLength))
116 {
117 //
118 // There was an error
119 //
120
121 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
122 return;
123 }
124}
VMCALL_INSTRUCTION_EXECUTION
@ VMCALL_INSTRUCTION_EXECUTION
Definition Events.h:157
CommandVmcallHelp
VOID CommandVmcallHelp()
help of the !vmcall command
Definition vmcall.cpp:20

◆ CommandWrmsr()

VOID CommandWrmsr ( vector< string > SplitCommand,
string Command )

wrmsr command handler

Parameters
SplitCommand
Command
Returns
VOID
43{
44 BOOL Status;
45 UINT64 Msr;
46 DEBUGGER_READ_AND_WRITE_ON_MSR MsrWriteRequest = {0};
47 BOOL IsNextCoreId = FALSE;
48 BOOL SetMsr = FALSE;
49 BOOL SetValue = FALSE;
50 UINT64 Value = 0;
51 UINT32 CoreNumer = DEBUGGER_READ_AND_WRITE_ON_MSR_APPLY_ALL_CORES;
52 BOOLEAN IsFirstCommand = TRUE;
53
54 if (SplitCommand.size() >= 6)
55 {
56 ShowMessages("incorrect use of the 'wrmsr'\n\n");
57 CommandWrmsrHelp();
58 return;
59 }
60
61 for (auto Section : SplitCommand)
62 {
63 if (IsFirstCommand == TRUE)
64 {
65 IsFirstCommand = FALSE;
66 continue;
67 }
68
69 if (IsNextCoreId)
70 {
71 if (!ConvertStringToUInt32(Section, &CoreNumer))
72 {
73 ShowMessages("please specify a correct hex value for core id\n\n");
74 CommandWrmsrHelp();
75 return;
76 }
77
78 IsNextCoreId = FALSE;
79 continue;
80 }
81
82 if (!Section.compare("core"))
83 {
84 IsNextCoreId = TRUE;
85 continue;
86 }
87
88 if (!SetMsr)
89 {
90 if (!ConvertStringToUInt64(Section, &Msr))
91 {
92 ShowMessages("please specify a correct hex value to be read\n\n");
93 CommandWrmsrHelp();
94 return;
95 }
96 else
97 {
98 //
99 // Means that the MSR is set, next we should read value
100 //
101 SetMsr = TRUE;
102 continue;
103 }
104 }
105
106 if (SetMsr)
107 {
108 if (!SymbolConvertNameOrExprToAddress(Section, &Value))
109 {
110 ShowMessages(
111 "please specify a correct hex value or an expression to put on the msr\n\n");
112 CommandWrmsrHelp();
113 return;
114 }
115 else
116 {
117 SetValue = TRUE;
118 continue;
119 }
120 }
121 }
122
123 //
124 // Check if msr is set or not
125 //
126 if (!SetMsr)
127 {
128 ShowMessages("please specify a correct hex value to write\n\n");
129 CommandWrmsrHelp();
130 return;
131 }
132
133 if (!SetValue)
134 {
135 ShowMessages("please specify a correct hex value to put on msr\n\n");
136 CommandWrmsrHelp();
137 return;
138 }
139
140 if (IsNextCoreId)
141 {
142 ShowMessages("please specify a correct hex value for core\n\n");
143 CommandWrmsrHelp();
144 return;
145 }
146
147 AssertShowMessageReturnStmt(g_DeviceHandle, ASSERT_MESSAGE_DRIVER_NOT_LOADED, AssertReturn);
148
149 MsrWriteRequest.ActionType = DEBUGGER_MSR_WRITE;
150 MsrWriteRequest.Msr = Msr;
151 MsrWriteRequest.CoreNumber = CoreNumer;
152 MsrWriteRequest.Value = Value;
153
154 Status = DeviceIoControl(
155 g_DeviceHandle, // Handle to device
156 IOCTL_DEBUGGER_READ_OR_WRITE_MSR, // IO Control Code (IOCTL)
157 &MsrWriteRequest, // Input Buffer to driver.
158 SIZEOF_DEBUGGER_READ_AND_WRITE_ON_MSR, // Input buffer length
159 NULL, // Output Buffer from driver.
160 NULL, // Length of output buffer in bytes.
161 NULL, // Bytes placed in buffer.
162 NULL // synchronous call
163 );
164
165 if (!Status)
166 {
167 ShowMessages("ioctl failed with code (%x), either msr index or core id is invalid\n",
168 GetLastError());
169 return;
170 }
171
172 ShowMessages("\n");
173}
DEBUGGER_MSR_WRITE
@ DEBUGGER_MSR_WRITE
Definition RequestStructures.h:432
_DEBUGGER_READ_AND_WRITE_ON_MSR::Value
UINT64 Value
Definition RequestStructures.h:447
CommandWrmsrHelp
VOID CommandWrmsrHelp()
help of the wrmsr command
Definition wrmsr.cpp:20

◆ CommandX()

VOID CommandX ( vector< string > SplitCommand,
string Command )

x command handler

Parameters
SplitCommand
Command
Returns
VOID
41{
42 if (SplitCommand.size() == 1)
43 {
44 ShowMessages("incorrect use of the 'x'\n\n");
45 CommandXHelp();
46 return;
47 }
48
49 //
50 // Trim the command
51 //
52 Trim(Command);
53
54 //
55 // Remove x from it
56 //
57 Command.erase(0, SplitCommand.at(0).size());
58
59 //
60 // Trim it again
61 //
62 Trim(Command);
63
64 //
65 // Search for mask
66 //
67 ScriptEngineSearchSymbolForMaskWrapper(Command.c_str());
68}
ScriptEngineSearchSymbolForMaskWrapper
UINT32 ScriptEngineSearchSymbolForMaskWrapper(const char *SearchMask)
ScriptEngineSearchSymbolForMask wrapper.
Definition script-engine-wrapper.cpp:116
CommandXHelp
VOID CommandXHelp()
help of the x command
Definition x.cpp:20

◆ ContinuePreviousCommand()

BOOLEAN ContinuePreviousCommand ( )

Some of commands like stepping commands (i, p, t) and etc. need to be repeated when the user press enter, this function shows whether we should continue the previous command or not.

Returns
TRUE means the command should be continued, FALSE means command should be ignored
709{
710 BOOLEAN Result = g_ShouldPreviousCommandBeContinued;
711
712 //
713 // We should keep it false for the next command
714 //
715 g_ShouldPreviousCommandBeContinued = FALSE;
716
717 if (Result)
718 {
719 return TRUE;
720 }
721 else
722 {
723 return FALSE;
724 }
725}
g_ShouldPreviousCommandBeContinued
BOOLEAN g_ShouldPreviousCommandBeContinued
Shows whether the previous command should be continued or not.
Definition globals.h:318

◆ CpuReadVendorString()

VOID CpuReadVendorString ( CHAR * Result)

Reads the CPU vendor string.

Returns
char *
250{
251 std::string VendorString = InstructionSet::Vendor();
252 strcpy(Result, VendorString.c_str());
253}
InstructionSet::Vendor
static std::string Vendor(void)
Definition cpu.cpp:57

◆ HyperDbgCheckWhetherTheCurrentInstructionIsCall()

BOOLEAN HyperDbgCheckWhetherTheCurrentInstructionIsCall ( unsigned char * BufferToDisassemble,
UINT64 BuffLength,
BOOLEAN Isx86_64,
PUINT32 CallLength )

Check whether the current instruction is a 'call' or not.

Parameters
BufferToDisassembleCurrent Bytes of assembly
BuffLengthLength of buffer
Isx86_64Whether it's an x86 or x64
CallLengthLength of call (if return value is TRUE)
Returns
BOOLEAN
760{
761 ZydisDecoder decoder;
762 ZydisFormatter formatter;
763 ZydisDecodedOperand operands[ZYDIS_MAX_OPERAND_COUNT];
764 UINT64 CurrentRip = 0;
765 int instr_decoded = 0;
766 ZydisDecodedInstruction instruction;
767 char buffer[256];
768 UINT32 MaximumInstrDecoded = 1;
769
770 //
771 // Default length
772 //
773 *CallLength = 0;
774
775 if (ZydisGetVersion() != ZYDIS_VERSION)
776 {
777 ShowMessages("invalid zydis version\n");
778 return DEBUGGER_CONDITIONAL_JUMP_STATUS_ERROR;
779 }
780
781 if (Isx86_64)
782 {
783 ZydisDecoderInit(&decoder, ZYDIS_MACHINE_MODE_LONG_64, ZYDIS_STACK_WIDTH_64);
784 }
785 else
786 {
787 ZydisDecoderInit(&decoder, ZYDIS_MACHINE_MODE_LONG_COMPAT_32, ZYDIS_STACK_WIDTH_32);
788 }
789
790 ZydisFormatterInit(&formatter, ZYDIS_FORMATTER_STYLE_INTEL);
791
792 ZydisFormatterSetProperty(&formatter, ZYDIS_FORMATTER_PROP_FORCE_SEGMENT, ZYAN_TRUE);
793 ZydisFormatterSetProperty(&formatter, ZYDIS_FORMATTER_PROP_FORCE_SIZE, ZYAN_TRUE);
794
795 //
796 // Replace the `ZYDIS_FORMATTER_FUNC_PRINT_ADDRESS_ABS` function that
797 // formats the absolute addresses
798 //
799 default_print_address_absolute =
800 (ZydisFormatterFunc)&ZydisFormatterPrintAddressAbsolute;
801 ZydisFormatterSetHook(&formatter, ZYDIS_FORMATTER_FUNC_PRINT_ADDRESS_ABS, (const void **)&default_print_address_absolute);
802
803 while (ZYAN_SUCCESS(ZydisDecoderDecodeFull(&decoder, BufferToDisassemble, BuffLength, &instruction, operands)))
804 {
805 //
806 // We have to pass a `runtime_address` different to
807 // `ZYDIS_RUNTIME_ADDRESS_NONE` to enable printing of absolute addresses
808 //
809
810 ZydisFormatterFormatInstruction(&formatter, &instruction, operands, instruction.operand_count_visible, &buffer[0], sizeof(buffer), (ZyanU64)CurrentRip, ZYAN_NULL);
811
812 if (instruction.mnemonic == ZydisMnemonic::ZYDIS_MNEMONIC_CALL)
813 {
814 //
815 // It's a call
816 //
817
818 //
819 // Log call
820 //
821 // ShowMessages("call length : 0x%x\n", instruction.length);
822
823 //
824 // Set the length
825 //
826 *CallLength = instruction.length;
827
828 return TRUE;
829 }
830 else
831 {
832 //
833 // It's not call
834 //
835 return FALSE;
836 }
837 }
838
839 //
840 // Should not reach here
841 //
842 return FALSE;
843}
DEBUGGER_CONDITIONAL_JUMP_STATUS_ERROR
@ DEBUGGER_CONDITIONAL_JUMP_STATUS_ERROR
Definition RequestStructures.h:1107
default_print_address_absolute
ZydisFormatterFunc default_print_address_absolute
Definition disassembler.cpp:61

◆ HyperDbgCheckWhetherTheCurrentInstructionIsCallOrRet()

BOOLEAN HyperDbgCheckWhetherTheCurrentInstructionIsCallOrRet ( unsigned char * BufferToDisassemble,
UINT64 CurrentRip,
UINT32 BuffLength,
BOOLEAN Isx86_64,
PBOOLEAN IsRet )

Check whether the current instruction is a 'call' or 'ret' or not.

Parameters
BufferToDisassembleCurrent Bytes of assembly
CurrentRipAddress of current RIP
BuffLengthLength of buffer
Isx86_64Whether it's an x86 or x64
IsRetWhether it's a 'ret' or not
Returns
BOOLEAN
989{
990 ZydisDecoder decoder;
991 ZydisFormatter formatter;
992 ZydisDecodedOperand operands[ZYDIS_MAX_OPERAND_COUNT];
993 int instr_decoded = 0;
994 ZydisDecodedInstruction instruction;
995 char buffer[256];
996 UINT32 MaximumInstrDecoded = 1;
997
998 if (ZydisGetVersion() != ZYDIS_VERSION)
999 {
1000 ShowMessages("invalid zydis version\n");
1001 return DEBUGGER_CONDITIONAL_JUMP_STATUS_ERROR;
1002 }
1003
1004 if (!Isx86_64)
1005 {
1006 ZydisDecoderInit(&decoder, ZYDIS_MACHINE_MODE_LONG_64, ZYDIS_STACK_WIDTH_64);
1007 }
1008 else
1009 {
1010 ZydisDecoderInit(&decoder, ZYDIS_MACHINE_MODE_LONG_COMPAT_32, ZYDIS_STACK_WIDTH_32);
1011 }
1012
1013 ZydisFormatterInit(&formatter, ZYDIS_FORMATTER_STYLE_INTEL);
1014
1015 ZydisFormatterSetProperty(&formatter, ZYDIS_FORMATTER_PROP_FORCE_SEGMENT, ZYAN_TRUE);
1016 ZydisFormatterSetProperty(&formatter, ZYDIS_FORMATTER_PROP_FORCE_SIZE, ZYAN_TRUE);
1017
1018 //
1019 // Replace the `ZYDIS_FORMATTER_FUNC_PRINT_ADDRESS_ABS` function that
1020 // formats the absolute addresses
1021 //
1022 default_print_address_absolute =
1023 (ZydisFormatterFunc)&ZydisFormatterPrintAddressAbsoluteForTrackingInstructions;
1024 ZydisFormatterSetHook(&formatter, ZYDIS_FORMATTER_FUNC_PRINT_ADDRESS_ABS, (const void **)&default_print_address_absolute);
1025
1026 while (ZYAN_SUCCESS(ZydisDecoderDecodeFull(&decoder, BufferToDisassemble, BuffLength, &instruction, operands)))
1027 {
1028 if (instruction.mnemonic == ZydisMnemonic::ZYDIS_MNEMONIC_CALL)
1029 {
1030 //
1031 // It's a 'call' instruction
1032 //
1033
1034 //
1035 // Log call
1036 //
1037 // ShowMessages("call length : 0x%x\n", instruction.length);
1038
1039 //
1040 // We have to pass a `runtime_address` different to
1041 // `ZYDIS_RUNTIME_ADDRESS_NONE` to enable printing of absolute addresses
1042 //
1043
1044 ZydisFormatterFormatInstruction(&formatter, &instruction, operands, instruction.operand_count_visible, &buffer[0], sizeof(buffer), (ZyanU64)CurrentRip, ZYAN_NULL);
1045
1046 *IsRet = FALSE;
1047
1048 return TRUE;
1049 }
1050 else if (instruction.mnemonic == ZydisMnemonic::ZYDIS_MNEMONIC_RET)
1051 {
1052 //
1053 // It's a 'ret' instruction
1054 //
1055
1056 //
1057 // Log ret
1058 //
1059 // ShowMessages("ret length : 0x%x\n", instruction.length);
1060
1061 //
1062 // Call the tracker callback
1063 //
1064 CommandTrackHandleReceivedRetInstructions(CurrentRip);
1065
1066 *IsRet = TRUE;
1067
1068 return TRUE;
1069 }
1070 else
1071 {
1072 //
1073 // It's not call
1074 //
1075 return FALSE;
1076 }
1077 }
1078
1079 //
1080 // Should not reach here
1081 //
1082 return FALSE;
1083}
CommandTrackHandleReceivedRetInstructions
VOID CommandTrackHandleReceivedRetInstructions(UINT64 CurrentRip)
Handle received 'ret'.
Definition track.cpp:281

◆ HyperDbgCheckWhetherTheCurrentInstructionIsRet()

BOOLEAN HyperDbgCheckWhetherTheCurrentInstructionIsRet ( unsigned char * BufferToDisassemble,
UINT64 BuffLength,
BOOLEAN Isx86_64 )

Check whether the current instruction is a 'ret' or not.

Parameters
BufferToDisassembleCurrent Bytes of assembly
BuffLengthLength of buffer
Isx86_64Whether it's an x86 or x64
RetLengthLength of ret (if return value is TRUE)
Returns
BOOLEAN
1100{
1101 ZydisDecoder decoder;
1102 ZydisFormatter formatter;
1103 ZydisDecodedOperand operands[ZYDIS_MAX_OPERAND_COUNT];
1104 UINT64 CurrentRip = 0;
1105 int instr_decoded = 0;
1106 ZydisDecodedInstruction instruction;
1107 char buffer[256];
1108 UINT32 MaximumInstrDecoded = 1;
1109
1110 if (ZydisGetVersion() != ZYDIS_VERSION)
1111 {
1112 ShowMessages("invalid zydis version\n");
1113 return DEBUGGER_CONDITIONAL_JUMP_STATUS_ERROR;
1114 }
1115
1116 if (Isx86_64)
1117 {
1118 ZydisDecoderInit(&decoder, ZYDIS_MACHINE_MODE_LONG_64, ZYDIS_STACK_WIDTH_64);
1119 }
1120 else
1121 {
1122 ZydisDecoderInit(&decoder, ZYDIS_MACHINE_MODE_LONG_COMPAT_32, ZYDIS_STACK_WIDTH_32);
1123 }
1124
1125 ZydisFormatterInit(&formatter, ZYDIS_FORMATTER_STYLE_INTEL);
1126
1127 ZydisFormatterSetProperty(&formatter, ZYDIS_FORMATTER_PROP_FORCE_SEGMENT, ZYAN_TRUE);
1128 ZydisFormatterSetProperty(&formatter, ZYDIS_FORMATTER_PROP_FORCE_SIZE, ZYAN_TRUE);
1129
1130 //
1131 // Replace the `ZYDIS_FORMATTER_FUNC_PRINT_ADDRESS_ABS` function that
1132 // formats the absolute addresses
1133 //
1134 default_print_address_absolute =
1135 (ZydisFormatterFunc)&ZydisFormatterPrintAddressAbsolute;
1136 ZydisFormatterSetHook(&formatter, ZYDIS_FORMATTER_FUNC_PRINT_ADDRESS_ABS, (const void **)&default_print_address_absolute);
1137
1138 while (ZYAN_SUCCESS(ZydisDecoderDecodeFull(&decoder, BufferToDisassemble, BuffLength, &instruction, operands)))
1139 {
1140 //
1141 // We have to pass a `runtime_address` different to
1142 // `ZYDIS_RUNTIME_ADDRESS_NONE` to enable printing of absolute addresses
1143 //
1144
1145 ZydisFormatterFormatInstruction(&formatter, &instruction, operands, instruction.operand_count_visible, &buffer[0], sizeof(buffer), (ZyanU64)CurrentRip, ZYAN_NULL);
1146
1147 if (instruction.mnemonic == ZydisMnemonic::ZYDIS_MNEMONIC_RET)
1148 {
1149 //
1150 // It's a ret
1151 //
1152
1153 //
1154 // Log ret
1155 //
1156 // ShowMessages("ret length : 0x%x\n", instruction.length);
1157
1158 return TRUE;
1159 }
1160 else
1161 {
1162 //
1163 // It's not ret
1164 //
1165 return FALSE;
1166 }
1167 }
1168
1169 //
1170 // Should not reach here
1171 //
1172 return FALSE;
1173}

◆ HyperDbgDisassembler32()

int HyperDbgDisassembler32 ( unsigned char * BufferToDisassemble,
UINT64 BaseAddress,
UINT64 Size,
UINT32 MaximumInstrDecoded,
BOOLEAN ShowBranchIsTakenOrNot,
PRFLAGS Rflags )

Disassemble 32 bit assemblies.

Parameters
BufferToDisassemblebuffer to disassemble
BaseAddressthe base address of assembly
Sizesize of buffer
MaximumInstrDecodedmaximum instructions to decode, 0 means all possible
ShowBranchIsTakenOrNoton conditional jumps shows whether jumps is taken or not
Rflagsin the case ShowBranchIsTakenOrNot is true, we use this variable to show the result of jump
Returns
int
379{
380 if (ZydisGetVersion() != ZYDIS_VERSION)
381 {
382 fputs("Invalid Zydis version\n", ZYAN_STDERR);
383 return EXIT_FAILURE;
384 }
385
386 ZydisDecoder decoder;
387 ZydisDecoderInit(&decoder, ZYDIS_MACHINE_MODE_LONG_COMPAT_32, ZYDIS_STACK_WIDTH_32);
388
389 //
390 // Disassembling buffer
391 //
392 DisassembleBuffer(&decoder, (UINT32)BaseAddress, &BufferToDisassemble[0], Size, MaximumInstrDecoded, FALSE, ShowBranchIsTakenOrNot, Rflags);
393
394 return 0;
395}
DisassembleBuffer
VOID DisassembleBuffer(ZydisDecoder *decoder, ZyanU64 runtime_address, ZyanU8 *data, ZyanUSize length, uint32_t maximum_instr, BOOLEAN is_x86_64, BOOLEAN show_of_branch_is_taken, PRFLAGS rflags)
Disassemble a user-mode buffer.
Definition disassembler.cpp:119

◆ HyperDbgDisassembler64()

int HyperDbgDisassembler64 ( unsigned char * BufferToDisassemble,
UINT64 BaseAddress,
UINT64 Size,
UINT32 MaximumInstrDecoded,
BOOLEAN ShowBranchIsTakenOrNot,
PRFLAGS Rflags )

Disassemble x64 assemblies.

Parameters
BufferToDisassemblebuffer to disassemble
BaseAddressthe base address of assembly
Sizesize of buffer
MaximumInstrDecodedmaximum instructions to decode, 0 means all possible
ShowBranchIsTakenOrNoton conditional jumps shows whether jumps is taken or not
Rflagsin the case ShowBranchIsTakenOrNot is true, we use this variable to show the result of jump
Returns
int
339{
340 if (ZydisGetVersion() != ZYDIS_VERSION)
341 {
342 fputs("Invalid Zydis version\n", ZYAN_STDERR);
343 return EXIT_FAILURE;
344 }
345
346 ZydisDecoder decoder;
347 ZydisDecoderInit(&decoder, ZYDIS_MACHINE_MODE_LONG_64, ZYDIS_STACK_WIDTH_64);
348
349 //
350 // Disassembling buffer
351 //
352 DisassembleBuffer(&decoder, BaseAddress, &BufferToDisassemble[0], Size, MaximumInstrDecoded, TRUE, ShowBranchIsTakenOrNot, Rflags);
353
354 return 0;
355}

◆ HyperDbgIsConditionalJumpTaken()

DEBUGGER_CONDITIONAL_JUMP_STATUS HyperDbgIsConditionalJumpTaken ( unsigned char * BufferToDisassemble,
UINT64 BuffLength,
RFLAGS Rflags,
BOOLEAN Isx86_64 )

Check whether the jump is taken or not taken (in debugger)

the implementation of this function derived from the table in this site : http://www.unixwiz.net/techtips/x86-jumps.html

Parameters
BufferToDisassembleCurrent Bytes of assembly
BuffLengthLength of buffer
RflagsThe kernel's current RFLAG
Isx86_64Whether it's an x86 or x64
Returns
DEBUGGER_NEXT_INSTRUCTION_FINDER_STATUS
414{
415 ZydisDecoder decoder;
416 ZydisFormatter formatter;
417 ZydisDecodedOperand operands[ZYDIS_MAX_OPERAND_COUNT];
418 UINT64 CurrentRip = 0;
419 int instr_decoded = 0;
420 ZydisDecodedInstruction instruction;
421 UINT32 MaximumInstrDecoded = 1;
422
423 if (ZydisGetVersion() != ZYDIS_VERSION)
424 {
425 ShowMessages("invalid Zydis version\n");
426 return DEBUGGER_CONDITIONAL_JUMP_STATUS_ERROR;
427 }
428
429 if (Isx86_64)
430 {
431 ZydisDecoderInit(&decoder, ZYDIS_MACHINE_MODE_LONG_64, ZYDIS_STACK_WIDTH_64);
432 }
433 else
434 {
435 ZydisDecoderInit(&decoder, ZYDIS_MACHINE_MODE_LONG_COMPAT_32, ZYDIS_STACK_WIDTH_32);
436 }
437
438 ZydisFormatterInit(&formatter, ZYDIS_FORMATTER_STYLE_INTEL);
439
440 ZydisFormatterSetProperty(&formatter, ZYDIS_FORMATTER_PROP_FORCE_SEGMENT, ZYAN_TRUE);
441 ZydisFormatterSetProperty(&formatter, ZYDIS_FORMATTER_PROP_FORCE_SIZE, ZYAN_TRUE);
442
443 //
444 // Replace the `ZYDIS_FORMATTER_FUNC_PRINT_ADDRESS_ABS` function that
445 // formats the absolute addresses
446 //
447 default_print_address_absolute = (ZydisFormatterFunc)&ZydisFormatterPrintAddressAbsolute;
448 ZydisFormatterSetHook(&formatter, ZYDIS_FORMATTER_FUNC_PRINT_ADDRESS_ABS, (const void **)&default_print_address_absolute);
449
450 while (ZYAN_SUCCESS(ZydisDecoderDecodeFull(&decoder, BufferToDisassemble, BuffLength, &instruction, operands)))
451 {
452 //
453 // We have to pass a `runtime_address` different to
454 // `ZYDIS_RUNTIME_ADDRESS_NONE` to enable printing of absolute addresses
455 //
456
457 // ZydisFormatterFormatInstruction(&formatter, &instruction, operands, instruction.operand_count_visible, &buffer[0], sizeof(buffer), (ZyanU64)CurrentRip, ZYAN_NULL);
458
459 switch (instruction.mnemonic)
460 {
461 case ZydisMnemonic::ZYDIS_MNEMONIC_JO:
462
463 //
464 // Jump if overflow (jo)
465 //
466 if (Rflags.OverflowFlag)
467 return DEBUGGER_CONDITIONAL_JUMP_STATUS_JUMP_IS_TAKEN;
468 else
469 return DEBUGGER_CONDITIONAL_JUMP_STATUS_JUMP_IS_NOT_TAKEN;
470
471 break;
472
473 case ZydisMnemonic::ZYDIS_MNEMONIC_JNO:
474
475 //
476 // Jump if not overflow (jno)
477 //
478 if (!Rflags.OverflowFlag)
479 return DEBUGGER_CONDITIONAL_JUMP_STATUS_JUMP_IS_TAKEN;
480 else
481 return DEBUGGER_CONDITIONAL_JUMP_STATUS_JUMP_IS_NOT_TAKEN;
482
483 break;
484
485 case ZydisMnemonic::ZYDIS_MNEMONIC_JS:
486
487 //
488 // Jump if sign
489 //
490 if (Rflags.SignFlag)
491 return DEBUGGER_CONDITIONAL_JUMP_STATUS_JUMP_IS_TAKEN;
492 else
493 return DEBUGGER_CONDITIONAL_JUMP_STATUS_JUMP_IS_NOT_TAKEN;
494
495 break;
496
497 case ZydisMnemonic::ZYDIS_MNEMONIC_JNS:
498
499 //
500 // Jump if not sign
501 //
502 if (!Rflags.SignFlag)
503 return DEBUGGER_CONDITIONAL_JUMP_STATUS_JUMP_IS_TAKEN;
504 else
505 return DEBUGGER_CONDITIONAL_JUMP_STATUS_JUMP_IS_NOT_TAKEN;
506
507 break;
508
509 case ZydisMnemonic::ZYDIS_MNEMONIC_JZ:
510
511 //
512 // Jump if equal (je),
513 // Jump if zero (jz)
514 //
515 if (Rflags.ZeroFlag)
516 return DEBUGGER_CONDITIONAL_JUMP_STATUS_JUMP_IS_TAKEN;
517 else
518 return DEBUGGER_CONDITIONAL_JUMP_STATUS_JUMP_IS_NOT_TAKEN;
519
520 break;
521
522 case ZydisMnemonic::ZYDIS_MNEMONIC_JNZ:
523
524 //
525 // Jump if not equal (jne),
526 // Jump if not zero (jnz)
527 //
528 if (!Rflags.ZeroFlag)
529 return DEBUGGER_CONDITIONAL_JUMP_STATUS_JUMP_IS_TAKEN;
530 else
531 return DEBUGGER_CONDITIONAL_JUMP_STATUS_JUMP_IS_NOT_TAKEN;
532
533 break;
534
535 case ZydisMnemonic::ZYDIS_MNEMONIC_JB:
536
537 //
538 // Jump if below (jb),
539 // Jump if not above or equal (jnae),
540 // Jump if carry (jc)
541 //
542
543 //
544 // This jump is unsigned
545 //
546
547 if (Rflags.CarryFlag)
548 return DEBUGGER_CONDITIONAL_JUMP_STATUS_JUMP_IS_TAKEN;
549 else
550 return DEBUGGER_CONDITIONAL_JUMP_STATUS_JUMP_IS_NOT_TAKEN;
551
552 break;
553
554 case ZydisMnemonic::ZYDIS_MNEMONIC_JNB:
555
556 //
557 // Jump if not below (jnb),
558 // Jump if above or equal (jae),
559 // Jump if not carry (jnc)
560 //
561
562 //
563 // This jump is unsigned
564 //
565
566 if (!Rflags.CarryFlag)
567 return DEBUGGER_CONDITIONAL_JUMP_STATUS_JUMP_IS_TAKEN;
568 else
569 return DEBUGGER_CONDITIONAL_JUMP_STATUS_JUMP_IS_NOT_TAKEN;
570
571 break;
572
573 case ZydisMnemonic::ZYDIS_MNEMONIC_JBE:
574
575 //
576 // Jump if below or equal (jbe),
577 // Jump if not above (jna)
578 //
579
580 //
581 // This jump is unsigned
582 //
583
584 if (Rflags.CarryFlag || Rflags.ZeroFlag)
585 return DEBUGGER_CONDITIONAL_JUMP_STATUS_JUMP_IS_TAKEN;
586 else
587 return DEBUGGER_CONDITIONAL_JUMP_STATUS_JUMP_IS_NOT_TAKEN;
588
589 break;
590
591 case ZydisMnemonic::ZYDIS_MNEMONIC_JNBE:
592
593 //
594 // Jump if above (ja),
595 // Jump if not below or equal (jnbe)
596 //
597
598 //
599 // This jump is unsigned
600 //
601
602 if (!Rflags.CarryFlag && !Rflags.ZeroFlag)
603 return DEBUGGER_CONDITIONAL_JUMP_STATUS_JUMP_IS_TAKEN;
604 else
605 return DEBUGGER_CONDITIONAL_JUMP_STATUS_JUMP_IS_NOT_TAKEN;
606
607 break;
608
609 case ZydisMnemonic::ZYDIS_MNEMONIC_JL:
610
611 //
612 // Jump if less (jl),
613 // Jump if not greater or equal (jnge)
614 //
615
616 //
617 // This jump is signed
618 //
619
620 if (Rflags.SignFlag != Rflags.OverflowFlag)
621 return DEBUGGER_CONDITIONAL_JUMP_STATUS_JUMP_IS_TAKEN;
622 else
623 return DEBUGGER_CONDITIONAL_JUMP_STATUS_JUMP_IS_NOT_TAKEN;
624
625 break;
626
627 case ZydisMnemonic::ZYDIS_MNEMONIC_JNL:
628
629 //
630 // Jump if greater or equal (jge),
631 // Jump if not less (jnl)
632 //
633
634 //
635 // This jump is signed
636 //
637
638 if (Rflags.SignFlag == Rflags.OverflowFlag)
639 return DEBUGGER_CONDITIONAL_JUMP_STATUS_JUMP_IS_TAKEN;
640 else
641 return DEBUGGER_CONDITIONAL_JUMP_STATUS_JUMP_IS_NOT_TAKEN;
642
643 break;
644
645 case ZydisMnemonic::ZYDIS_MNEMONIC_JLE:
646
647 //
648 // Jump if less or equal (jle),
649 // Jump if not greater (jng)
650 //
651
652 //
653 // This jump is signed
654 //
655
656 if (Rflags.ZeroFlag || Rflags.SignFlag != Rflags.OverflowFlag)
657 return DEBUGGER_CONDITIONAL_JUMP_STATUS_JUMP_IS_TAKEN;
658 else
659 return DEBUGGER_CONDITIONAL_JUMP_STATUS_JUMP_IS_NOT_TAKEN;
660
661 break;
662
663 case ZydisMnemonic::ZYDIS_MNEMONIC_JNLE:
664
665 //
666 // Jump if greater (jg),
667 // Jump if not less or equal (jnle)
668 //
669
670 //
671 // This jump is signed
672 //
673
674 if (!Rflags.ZeroFlag && Rflags.SignFlag == Rflags.OverflowFlag)
675 return DEBUGGER_CONDITIONAL_JUMP_STATUS_JUMP_IS_TAKEN;
676 else
677 return DEBUGGER_CONDITIONAL_JUMP_STATUS_JUMP_IS_NOT_TAKEN;
678
679 break;
680
681 case ZydisMnemonic::ZYDIS_MNEMONIC_JP:
682
683 //
684 // Jump if parity (jp),
685 // Jump if parity even (jpe)
686 //
687
688 if (Rflags.ParityFlag)
689 return DEBUGGER_CONDITIONAL_JUMP_STATUS_JUMP_IS_TAKEN;
690 else
691 return DEBUGGER_CONDITIONAL_JUMP_STATUS_JUMP_IS_NOT_TAKEN;
692
693 break;
694
695 case ZydisMnemonic::ZYDIS_MNEMONIC_JNP:
696
697 //
698 // Jump if not parity (jnp),
699 // Jump if parity odd (jpo)
700 //
701
702 if (!Rflags.ParityFlag)
703 return DEBUGGER_CONDITIONAL_JUMP_STATUS_JUMP_IS_TAKEN;
704 else
705 return DEBUGGER_CONDITIONAL_JUMP_STATUS_JUMP_IS_NOT_TAKEN;
706
707 break;
708
709 case ZydisMnemonic::ZYDIS_MNEMONIC_JCXZ:
710 case ZydisMnemonic::ZYDIS_MNEMONIC_JECXZ:
711
712 //
713 // Jump if %CX register is 0 (jcxz),
714 // Jump if% ECX register is 0 (jecxz)
715 //
716
717 //
718 // Actually this instruction are rarely used
719 // but if we want to support these instructions then we
720 // should read ecx and cx each time in the debuggee,
721 // so it's better to just ignore it as a non-conditional
722 // jump
723 //
724 return DEBUGGER_CONDITIONAL_JUMP_STATUS_NOT_CONDITIONAL_JUMP;
725
726 default:
727
728 //
729 // It's not a jump
730 //
731 return DEBUGGER_CONDITIONAL_JUMP_STATUS_NOT_CONDITIONAL_JUMP;
732 break;
733 }
734
735 return DEBUGGER_CONDITIONAL_JUMP_STATUS_ERROR;
736 }
737
738 //
739 // Should not reach here
740 //
741 return DEBUGGER_CONDITIONAL_JUMP_STATUS_ERROR;
742}
DEBUGGER_CONDITIONAL_JUMP_STATUS_JUMP_IS_NOT_TAKEN
@ DEBUGGER_CONDITIONAL_JUMP_STATUS_JUMP_IS_NOT_TAKEN
Definition RequestStructures.h:1110
DEBUGGER_CONDITIONAL_JUMP_STATUS_JUMP_IS_TAKEN
@ DEBUGGER_CONDITIONAL_JUMP_STATUS_JUMP_IS_TAKEN
Definition RequestStructures.h:1109
DEBUGGER_CONDITIONAL_JUMP_STATUS_NOT_CONDITIONAL_JUMP
@ DEBUGGER_CONDITIONAL_JUMP_STATUS_NOT_CONDITIONAL_JUMP
Definition RequestStructures.h:1108

◆ HyperDbgLengthDisassemblerEngine()

UINT32 HyperDbgLengthDisassemblerEngine ( unsigned char * BufferToDisassemble,
UINT64 BuffLength,
BOOLEAN Isx86_64 )

Length Disassembler engine based on Zydis.

Parameters
BufferToDisassembleCurrent Bytes of assembly
BuffLengthLength of buffer
Isx86_64Whether it's an x86 or x64
Lengthof call (if return value is TRUE)
Returns
UINT32
860{
861 ZydisDecoder decoder;
862 ZydisFormatter formatter;
863 ZydisDecodedOperand operands[ZYDIS_MAX_OPERAND_COUNT];
864 UINT64 CurrentRip = 0;
865 int instr_decoded = 0;
866 ZydisDecodedInstruction instruction;
867 UINT32 MaximumInstrDecoded = 1;
868
869 if (ZydisGetVersion() != ZYDIS_VERSION)
870 {
871 ShowMessages("invalid Zydis version\n");
872 return DEBUGGER_CONDITIONAL_JUMP_STATUS_ERROR;
873 }
874
875 if (Isx86_64)
876 {
877 ZydisDecoderInit(&decoder, ZYDIS_MACHINE_MODE_LONG_64, ZYDIS_STACK_WIDTH_64);
878 }
879 else
880 {
881 ZydisDecoderInit(&decoder, ZYDIS_MACHINE_MODE_LONG_COMPAT_32, ZYDIS_STACK_WIDTH_32);
882 }
883
884 ZydisFormatterInit(&formatter, ZYDIS_FORMATTER_STYLE_INTEL);
885
886 ZydisFormatterSetProperty(&formatter, ZYDIS_FORMATTER_PROP_FORCE_SEGMENT, ZYAN_TRUE);
887 ZydisFormatterSetProperty(&formatter, ZYDIS_FORMATTER_PROP_FORCE_SIZE, ZYAN_TRUE);
888
889 //
890 // Replace the `ZYDIS_FORMATTER_FUNC_PRINT_ADDRESS_ABS` function that
891 // formats the absolute addresses
892 //
893 default_print_address_absolute =
894 (ZydisFormatterFunc)&ZydisFormatterPrintAddressAbsolute;
895 ZydisFormatterSetHook(&formatter, ZYDIS_FORMATTER_FUNC_PRINT_ADDRESS_ABS, (const void **)&default_print_address_absolute);
896
897 while (ZYAN_SUCCESS(ZydisDecoderDecodeFull(&decoder, BufferToDisassemble, BuffLength, &instruction, operands)))
898 {
899 //
900 // We have to pass a `runtime_address` different to
901 // `ZYDIS_RUNTIME_ADDRESS_NONE` to enable printing of absolute addresses
902 //
903 // ZydisFormatterFormatInstruction(&formatter, &instruction, operands, instruction.operand_count_visible, &buffer[0], sizeof(buffer), (ZyanU64)CurrentRip, ZYAN_NULL);
904
905 //
906 // Return len of buffer
907 //
908 return instruction.length;
909 }
910
911 //
912 // Error in disassembling buffer
913 //
914 return 0;
915}

◆ HyperDbgReadMemory()

BOOLEAN HyperDbgReadMemory ( UINT64 TargetAddress,
DEBUGGER_READ_MEMORY_TYPE MemoryType,
DEBUGGER_READ_READING_TYPE ReadingType,
UINT32 Pid,
UINT32 Size,
BOOLEAN GetAddressMode,
DEBUGGER_READ_MEMORY_ADDRESS_MODE * AddressMode,
BYTE * TargetBufferToStore,
UINT32 * ReturnLength )

Read memory and disassembler.

Parameters
TargetAddresslocation of where to read the memory
MemoryTypetype of memory (phyical or virtual)
ReadingTyperead from kernel or vmx-root
PidThe target process id
Sizesize of memory to read
GetAddressModecheck for address mode
AddressModeAddress mode (32 or 64)
TargetBufferToStoreThe buffer to store the read memory
ReturnLengthThe length of the read memory
Returns
BOOLEAN TRUE if the operation was successful, otherwise FALSE
45{
46 BOOL Status;
47 ULONG ReturnedLength;
48 DEBUGGER_READ_MEMORY ReadMem = {0};
49 UINT32 SizeOfTargetBuffer;
50
51 //
52 // Check if driver is loaded if it's in VMI mode
53 //
54 if (!g_IsSerialConnectedToRemoteDebuggee)
55 {
56 AssertShowMessageReturnStmt(g_DeviceHandle, ASSERT_MESSAGE_DRIVER_NOT_LOADED, AssertReturnFalse);
57 }
58
59 //
60 // Fill the read memory structure
61 //
62 ReadMem.Address = TargetAddress;
63 ReadMem.Pid = Pid;
64 ReadMem.Size = Size;
65 ReadMem.MemoryType = MemoryType;
66 ReadMem.ReadingType = ReadingType;
67 ReadMem.GetAddressMode = GetAddressMode;
68
69 //
70 // allocate buffer for transferring messages
71 //
72 SizeOfTargetBuffer = sizeof(DEBUGGER_READ_MEMORY) + (Size * sizeof(CHAR));
73 DEBUGGER_READ_MEMORY * MemReadRequest = (DEBUGGER_READ_MEMORY *)malloc(SizeOfTargetBuffer);
74
75 //
76 // Check if the buffer is allocated successfully
77 //
78 if (MemReadRequest == NULL)
79 {
80 return FALSE;
81 }
82
83 ZeroMemory(MemReadRequest, SizeOfTargetBuffer);
84
85 //
86 // Copy the buffer to send
87 //
88 memcpy(MemReadRequest, &ReadMem, sizeof(DEBUGGER_READ_MEMORY));
89
90 //
91 // Check if this is used for Debugger Mode or VMI mode
92 //
93 if (g_IsSerialConnectedToRemoteDebuggee)
94 {
95 //
96 // It's on Debugger mode
97 //
98 if (!KdSendReadMemoryPacketToDebuggee(MemReadRequest, SizeOfTargetBuffer))
99 {
100 std::free(MemReadRequest);
101 return FALSE;
102 }
103 }
104 else
105 {
106 //
107 // It's on VMI mode
108 //
109
110 Status = DeviceIoControl(g_DeviceHandle, // Handle to device
111 IOCTL_DEBUGGER_READ_MEMORY, // IO Control Code (IOCTL)
112 MemReadRequest, // Input Buffer to driver.
113 SIZEOF_DEBUGGER_READ_MEMORY, // Input buffer length
114 MemReadRequest, // Output Buffer from driver.
115 SizeOfTargetBuffer, // Length of output buffer in bytes.
116 &ReturnedLength, // Bytes placed in buffer.
117 NULL // synchronous call
118 );
119
120 if (!Status)
121 {
122 ShowMessages("ioctl failed with code 0x%x\n", GetLastError());
123 std::free(MemReadRequest);
124 return FALSE;
125 }
126 }
127
128 //
129 // Check if reading memory was successful or not
130 //
131 if (MemReadRequest->KernelStatus != DEBUGGER_OPERATION_WAS_SUCCESSFUL)
132 {
133 ShowErrorMessage(MemReadRequest->KernelStatus);
134 std::free(MemReadRequest);
135 return FALSE;
136 }
137 else
138 {
139 if (g_IsSerialConnectedToRemoteDebuggee)
140 {
141 //
142 // Change the ReturnedLength as it contains the headers
143 //
144 *ReturnLength = MemReadRequest->ReturnLength;
145 }
146 else
147 {
148 //
149 // Change the ReturnedLength as it contains the headers
150 //
151 ReturnedLength -= SIZEOF_DEBUGGER_READ_MEMORY;
152 *ReturnLength = ReturnedLength;
153 }
154
155 //
156 // Set address mode (if requested)
157 //
158 if (GetAddressMode)
159 {
160 *AddressMode = MemReadRequest->AddressMode;
161 }
162
163 //
164 // Copy the buffer
165 //
166 memcpy(TargetBufferToStore,
167 ((unsigned char *)MemReadRequest) + sizeof(DEBUGGER_READ_MEMORY),
168 *ReturnLength);
169
170 //
171 // free the buffer
172 //
173 std::free(MemReadRequest);
174
175 return TRUE;
176 }
177}
IOCTL_DEBUGGER_READ_MEMORY
#define IOCTL_DEBUGGER_READ_MEMORY
ioctl, request to read memory
Definition Ioctls.h:85
DEBUGGER_READ_MEMORY
struct _DEBUGGER_READ_MEMORY DEBUGGER_READ_MEMORY
request for reading virtual and physical memory
SIZEOF_DEBUGGER_READ_MEMORY
#define SIZEOF_DEBUGGER_READ_MEMORY
Definition RequestStructures.h:211
KdSendReadMemoryPacketToDebuggee
BOOLEAN KdSendReadMemoryPacketToDebuggee(PDEBUGGER_READ_MEMORY ReadMem, UINT32 RequestSize)
Send a Read memory packet to the debuggee.
Definition kd.cpp:597
AssertReturnFalse
#define AssertReturnFalse
Definition common.h:21
g_IsSerialConnectedToRemoteDebuggee
BOOLEAN g_IsSerialConnectedToRemoteDebuggee
Shows if the debugger was connected to remote debuggee over (A remote guest)
Definition globals.h:231
_DEBUGGER_READ_MEMORY
request for reading virtual and physical memory
Definition RequestStructures.h:266
_DEBUGGER_READ_MEMORY::KernelStatus
UINT32 KernelStatus
Definition RequestStructures.h:275
_DEBUGGER_READ_MEMORY::Size
UINT32 Size
Definition RequestStructures.h:269
_DEBUGGER_READ_MEMORY::Pid
UINT32 Pid
Definition RequestStructures.h:267
_DEBUGGER_READ_MEMORY::AddressMode
DEBUGGER_READ_MEMORY_ADDRESS_MODE AddressMode
Definition RequestStructures.h:271
_DEBUGGER_READ_MEMORY::ReturnLength
UINT32 ReturnLength
Definition RequestStructures.h:274
_DEBUGGER_READ_MEMORY::GetAddressMode
BOOLEAN GetAddressMode
Definition RequestStructures.h:270
_DEBUGGER_READ_MEMORY::ReadingType
DEBUGGER_READ_READING_TYPE ReadingType
Definition RequestStructures.h:273
_DEBUGGER_READ_MEMORY::MemoryType
DEBUGGER_READ_MEMORY_TYPE MemoryType
Definition RequestStructures.h:272
_DEBUGGER_READ_MEMORY::Address
UINT64 Address
Definition RequestStructures.h:268

◆ HyperDbgShowMemoryOrDisassemble()

VOID HyperDbgShowMemoryOrDisassemble ( DEBUGGER_SHOW_MEMORY_STYLE Style,
UINT64 Address,
DEBUGGER_READ_MEMORY_TYPE MemoryType,
DEBUGGER_READ_READING_TYPE ReadingType,
UINT32 Pid,
UINT32 Size,
PDEBUGGER_DT_COMMAND_OPTIONS DtDetails )

Show memory or disassembler.

Parameters
Stylestyle of show memory (as byte, dwrod, qword)
Addresslocation of where to read the memory
MemoryTypetype of memory (phyical or virtual)
ReadingTyperead from kernel or vmx-root
PidThe target process id
Sizesize of memory to read
DtDetailsOptions for dt structure show details
Returns
VOID
200{
201 UINT32 ReturnedLength;
202 UCHAR * Buffer;
203 DEBUGGER_READ_MEMORY_ADDRESS_MODE AddressMode;
204 BOOLEAN CheckForAddressMode = FALSE;
205 BOOLEAN Status = FALSE;
206
207 //
208 // Check if this is used for disassembler or not
209 //
210 if (Style == DEBUGGER_SHOW_COMMAND_DISASSEMBLE64 ||
211 Style == DEBUGGER_SHOW_COMMAND_DISASSEMBLE32)
212 {
213 CheckForAddressMode = TRUE;
214 }
215 else
216 {
217 CheckForAddressMode = FALSE;
218 }
219
220 //
221 // Allocate buffer for output
222 //
223 Buffer = (UCHAR *)malloc(Size);
224
225 //
226 // Perform reading memory
227 //
228 Status = HyperDbgReadMemory(Address,
229 MemoryType,
230 ReadingType,
231 Pid,
232 Size,
233 CheckForAddressMode,
234 &AddressMode,
235 (BYTE *)Buffer,
236 &ReturnedLength);
237
238 //
239 // Check if reading memory was successful or not
240 //
241 if (!Status)
242 {
243 //
244 // Check for extra message for the dump command
245 //
246 if (Style == DEBUGGER_SHOW_COMMAND_DUMP)
247 {
248 ShowMessages("HyperDbg attempted to access an invalid target address: 0x%llx\n"
249 "if you are confident that the address is valid, it may be paged out "
250 "or not yet available in the current CR3 page table\n"
251 "you can use the '.pagein' command to load this page table into memory and "
252 "trigger a page fault (#PF), please refer to the documentation for further details\n\n",
253 Address);
254 }
255
256 //
257 // free the buffer
258 //
259 std::free(Buffer);
260 return;
261 }
262
263 switch (Style)
264 {
265 case DEBUGGER_SHOW_COMMAND_DT:
266
267 //
268 // Show the 'dt' command view
269 //
270 if (Size == ReturnedLength)
271 {
272 ScriptEngineShowDataBasedOnSymbolTypesWrapper(DtDetails->TypeName,
273 Address,
274 FALSE,
275 Buffer,
276 DtDetails->AdditionalParameters);
277 }
278 else if (ReturnedLength == 0)
279 {
280 ShowMessages("err, invalid address");
281 }
282 else
283 {
284 ShowMessages("err, invalid address or memory is smaller than the structure size");
285 }
286
287 break;
288
289 case DEBUGGER_SHOW_COMMAND_DB:
290
291 ShowMemoryCommandDB(
292 Buffer,
293 Size,
294 Address,
295 MemoryType,
296 ReturnedLength);
297
298 break;
299
300 case DEBUGGER_SHOW_COMMAND_DC:
301
302 ShowMemoryCommandDC(
303 Buffer,
304 Size,
305 Address,
306 MemoryType,
307 ReturnedLength);
308
309 break;
310
311 case DEBUGGER_SHOW_COMMAND_DD:
312
313 ShowMemoryCommandDD(
314 Buffer,
315 Size,
316 Address,
317 MemoryType,
318 ReturnedLength);
319
320 break;
321
322 case DEBUGGER_SHOW_COMMAND_DQ:
323
324 ShowMemoryCommandDQ(
325 Buffer,
326 Size,
327 Address,
328 MemoryType,
329 ReturnedLength);
330
331 break;
332
333 case DEBUGGER_SHOW_COMMAND_DUMP:
334
335 CommandDumpSaveIntoFile(Buffer, Size);
336
337 break;
338
339 case DEBUGGER_SHOW_COMMAND_DISASSEMBLE64:
340
341 //
342 // Check if assembly mismatch occurred with the target address
343 //
344 if (AddressMode == DEBUGGER_READ_ADDRESS_MODE_32_BIT && MemoryType == DEBUGGER_READ_VIRTUAL_ADDRESS)
345 {
346 ShowMessages("the target address seems to be located in a 32-bit program, if so, "
347 "please consider using the 'u32' instead to utilize the 32-bit disassembler\n");
348 }
349
350 //
351 // Show diassembles
352 //
353 if (ReturnedLength != 0)
354 {
355 HyperDbgDisassembler64(
356 Buffer,
357 Address,
358 ReturnedLength,
359 0,
360 FALSE,
361 NULL);
362 }
363 else
364 {
365 ShowMessages("err, invalid address\n");
366 }
367
368 break;
369
370 case DEBUGGER_SHOW_COMMAND_DISASSEMBLE32:
371
372 //
373 // Check if assembly mismatch occurred with the target address
374 //
375 if (AddressMode == DEBUGGER_READ_ADDRESS_MODE_64_BIT && MemoryType == DEBUGGER_READ_VIRTUAL_ADDRESS)
376 {
377 ShowMessages("the target address seems to be located in a 64-bit program, if so, "
378 "please consider using the 'u' instead to utilize the 64-bit disassembler\n");
379 }
380
381 //
382 // Show diassembles
383 //
384 if (ReturnedLength != 0)
385 {
386 HyperDbgDisassembler32(
387 Buffer,
388 Address,
389 ReturnedLength,
390 0,
391 FALSE,
392 NULL);
393 }
394 else
395 {
396 ShowMessages("err, invalid address\n");
397 }
398
399 break;
400 }
401
402 //
403 // free the buffer
404 //
405 std::free(Buffer);
406}
UCHAR
unsigned char UCHAR
Definition BasicTypes.h:35
DEBUGGER_READ_ADDRESS_MODE_32_BIT
@ DEBUGGER_READ_ADDRESS_MODE_32_BIT
Definition RequestStructures.h:239
DEBUGGER_READ_ADDRESS_MODE_64_BIT
@ DEBUGGER_READ_ADDRESS_MODE_64_BIT
Definition RequestStructures.h:240
DEBUGGER_READ_MEMORY_ADDRESS_MODE
enum _DEBUGGER_READ_MEMORY_ADDRESS_MODE DEBUGGER_READ_MEMORY_ADDRESS_MODE
different address mode
DEBUGGER_SHOW_COMMAND_DT
@ DEBUGGER_SHOW_COMMAND_DT
Definition RequestStructures.h:251
HyperDbgDisassembler32
int HyperDbgDisassembler32(unsigned char *BufferToDisassemble, UINT64 BaseAddress, UINT64 Size, UINT32 MaximumInstrDecoded, BOOLEAN ShowBranchIsTakenOrNot, PRFLAGS Rflags)
Disassemble 32 bit assemblies.
Definition disassembler.cpp:373
HyperDbgDisassembler64
int HyperDbgDisassembler64(unsigned char *BufferToDisassemble, UINT64 BaseAddress, UINT64 Size, UINT32 MaximumInstrDecoded, BOOLEAN ShowBranchIsTakenOrNot, PRFLAGS Rflags)
Disassemble x64 assemblies.
Definition disassembler.cpp:333
CommandDumpSaveIntoFile
VOID CommandDumpSaveIntoFile(PVOID Buffer, UINT32 Length)
Saves the received buffers into the files.
Definition dump.cpp:301
ShowMemoryCommandDD
void ShowMemoryCommandDD(unsigned char *OutputBuffer, UINT32 Size, UINT64 Address, DEBUGGER_READ_MEMORY_TYPE MemoryType, UINT64 Length)
Show memory in dword format (DD)
Definition readmem.cpp:555
ShowMemoryCommandDQ
void ShowMemoryCommandDQ(unsigned char *OutputBuffer, UINT32 Size, UINT64 Address, DEBUGGER_READ_MEMORY_TYPE MemoryType, UINT64 Length)
Show memory in qword format (DQ)
Definition readmem.cpp:604
ShowMemoryCommandDB
void ShowMemoryCommandDB(unsigned char *OutputBuffer, UINT32 Size, UINT64 Address, DEBUGGER_READ_MEMORY_TYPE MemoryType, UINT64 Length)
Show memory in bytes (DB)
Definition readmem.cpp:418
HyperDbgReadMemory
BOOLEAN HyperDbgReadMemory(UINT64 TargetAddress, DEBUGGER_READ_MEMORY_TYPE MemoryType, DEBUGGER_READ_READING_TYPE ReadingType, UINT32 Pid, UINT32 Size, BOOLEAN GetAddressMode, DEBUGGER_READ_MEMORY_ADDRESS_MODE *AddressMode, BYTE *TargetBufferToStore, UINT32 *ReturnLength)
Read memory and disassembler.
Definition readmem.cpp:36
ShowMemoryCommandDC
void ShowMemoryCommandDC(unsigned char *OutputBuffer, UINT32 Size, UINT64 Address, DEBUGGER_READ_MEMORY_TYPE MemoryType, UINT64 Length)
Show memory in dword format (DC)
Definition readmem.cpp:486
ScriptEngineShowDataBasedOnSymbolTypesWrapper
BOOLEAN ScriptEngineShowDataBasedOnSymbolTypesWrapper(const char *TypeName, UINT64 Address, BOOLEAN IsStruct, PVOID BufferAddress, const char *AdditionalParameters)
ScriptEngineShowDataBasedOnSymbolTypes wrapper.
Definition script-engine-wrapper.cpp:212
_DEBUGGER_DT_COMMAND_OPTIONS::TypeName
const char * TypeName
Definition RequestStructures.h:136
_DEBUGGER_DT_COMMAND_OPTIONS::AdditionalParameters
const char * AdditionalParameters
Definition RequestStructures.h:142

◆ InitializeCommandsDictionary()

VOID InitializeCommandsDictionary ( )

Initialize commands and attributes.

Returns
VOID
818{
819 g_CommandsList[".help"] = {NULL, &CommandHelpHelp, DEBUGGER_COMMAND_HELP_ATTRIBUTES};
820 g_CommandsList[".hh"] = {NULL, &CommandHelpHelp, DEBUGGER_COMMAND_HELP_ATTRIBUTES};
821 g_CommandsList["help"] = {NULL, &CommandHelpHelp, DEBUGGER_COMMAND_HELP_ATTRIBUTES};
822
823 g_CommandsList["clear"] = {&CommandClearScreen, &CommandClearScreenHelp, DEBUGGER_COMMAND_CLEAR_ATTRIBUTES};
824 g_CommandsList[".cls"] = {&CommandClearScreen, &CommandClearScreenHelp, DEBUGGER_COMMAND_CLEAR_ATTRIBUTES};
825 g_CommandsList["cls"] = {&CommandClearScreen, &CommandClearScreenHelp, DEBUGGER_COMMAND_CLEAR_ATTRIBUTES};
826
827 g_CommandsList[".connect"] = {&CommandConnect, &CommandConnectHelp, DEBUGGER_COMMAND_CONNECT_ATTRIBUTES};
828 g_CommandsList["connect"] = {&CommandConnect, &CommandConnectHelp, DEBUGGER_COMMAND_CONNECT_ATTRIBUTES};
829
830 g_CommandsList[".listen"] = {&CommandListen, &CommandListenHelp, DEBUGGER_COMMAND_LISTEN_ATTRIBUTES};
831 g_CommandsList["listen"] = {&CommandListen, &CommandListenHelp, DEBUGGER_COMMAND_LISTEN_ATTRIBUTES};
832
833 g_CommandsList["g"] = {&CommandG, &CommandGHelp, DEBUGGER_COMMAND_G_ATTRIBUTES};
834 g_CommandsList["go"] = {&CommandG, &CommandGHelp, DEBUGGER_COMMAND_G_ATTRIBUTES};
835
836 g_CommandsList[".attach"] = {&CommandAttach, &CommandAttachHelp, DEBUGGER_COMMAND_ATTACH_ATTRIBUTES};
837 g_CommandsList["attach"] = {&CommandAttach, &CommandAttachHelp, DEBUGGER_COMMAND_ATTACH_ATTRIBUTES};
838
839 g_CommandsList[".detach"] = {&CommandDetach, &CommandDetachHelp, DEBUGGER_COMMAND_DETACH_ATTRIBUTES};
840 g_CommandsList["detach"] = {&CommandDetach, &CommandDetachHelp, DEBUGGER_COMMAND_DETACH_ATTRIBUTES};
841
842 g_CommandsList[".start"] = {&CommandStart, &CommandStartHelp, DEBUGGER_COMMAND_START_ATTRIBUTES};
843 g_CommandsList["start"] = {&CommandStart, &CommandStartHelp, DEBUGGER_COMMAND_START_ATTRIBUTES};
844
845 g_CommandsList[".restart"] = {&CommandRestart, &CommandRestartHelp, DEBUGGER_COMMAND_RESTART_ATTRIBUTES};
846 g_CommandsList["restart"] = {&CommandRestart, &CommandRestartHelp, DEBUGGER_COMMAND_RESTART_ATTRIBUTES};
847
848 g_CommandsList[".switch"] = {&CommandSwitch, &CommandSwitchHelp, DEBUGGER_COMMAND_SWITCH_ATTRIBUTES};
849 g_CommandsList["switch"] = {&CommandSwitch, &CommandSwitchHelp, DEBUGGER_COMMAND_SWITCH_ATTRIBUTES};
850
851 g_CommandsList[".kill"] = {&CommandKill, &CommandKillHelp, DEBUGGER_COMMAND_KILL_ATTRIBUTES};
852 g_CommandsList["kill"] = {&CommandKill, &CommandKillHelp, DEBUGGER_COMMAND_KILL_ATTRIBUTES};
853
854 g_CommandsList[".process"] = {&CommandProcess, &CommandProcessHelp, DEBUGGER_COMMAND_PROCESS_ATTRIBUTES};
855 g_CommandsList[".process2"] = {&CommandProcess, &CommandProcessHelp, DEBUGGER_COMMAND_PROCESS_ATTRIBUTES};
856 g_CommandsList["process"] = {&CommandProcess, &CommandProcessHelp, DEBUGGER_COMMAND_PROCESS_ATTRIBUTES};
857 g_CommandsList["process2"] = {&CommandProcess, &CommandProcessHelp, DEBUGGER_COMMAND_PROCESS_ATTRIBUTES};
858
859 g_CommandsList[".thread"] = {&CommandThread, &CommandThreadHelp, DEBUGGER_COMMAND_THREAD_ATTRIBUTES};
860 g_CommandsList[".thread2"] = {&CommandThread, &CommandThreadHelp, DEBUGGER_COMMAND_THREAD_ATTRIBUTES};
861 g_CommandsList["thread"] = {&CommandThread, &CommandThreadHelp, DEBUGGER_COMMAND_THREAD_ATTRIBUTES};
862 g_CommandsList["thread2"] = {&CommandThread, &CommandThreadHelp, DEBUGGER_COMMAND_THREAD_ATTRIBUTES};
863
864 g_CommandsList["sleep"] = {&CommandSleep, &CommandSleepHelp, DEBUGGER_COMMAND_SLEEP_ATTRIBUTES};
865
866 g_CommandsList["event"] = {&CommandEvents, &CommandEventsHelp, DEBUGGER_COMMAND_EVENTS_ATTRIBUTES};
867 g_CommandsList["events"] = {&CommandEvents, &CommandEventsHelp, DEBUGGER_COMMAND_EVENTS_ATTRIBUTES};
868
869 g_CommandsList["setting"] = {&CommandSettings, &CommandSettingsHelp, DEBUGGER_COMMAND_SETTINGS_ATTRIBUTES};
870 g_CommandsList["settings"] = {&CommandSettings, &CommandSettingsHelp, DEBUGGER_COMMAND_SETTINGS_ATTRIBUTES};
871 g_CommandsList[".setting"] = {&CommandSettings, &CommandSettingsHelp, DEBUGGER_COMMAND_SETTINGS_ATTRIBUTES};
872 g_CommandsList[".settings"] = {&CommandSettings, &CommandSettingsHelp, DEBUGGER_COMMAND_SETTINGS_ATTRIBUTES};
873
874 g_CommandsList[".disconnect"] = {&CommandDisconnect, &CommandDisconnectHelp, DEBUGGER_COMMAND_DISCONNECT_ATTRIBUTES};
875 g_CommandsList["disconnect"] = {&CommandDisconnect, &CommandDisconnectHelp, DEBUGGER_COMMAND_DISCONNECT_ATTRIBUTES};
876
877 g_CommandsList[".debug"] = {&CommandDebug, &CommandDebugHelp, DEBUGGER_COMMAND_DEBUG_ATTRIBUTES};
878 g_CommandsList["debug"] = {&CommandDebug, &CommandDebugHelp, DEBUGGER_COMMAND_DEBUG_ATTRIBUTES};
879
880 g_CommandsList[".status"] = {&CommandStatus, &CommandStatusHelp, DEBUGGER_COMMAND_DOT_STATUS_ATTRIBUTES};
881 g_CommandsList["status"] = {&CommandStatus, &CommandStatusHelp, DEBUGGER_COMMAND_STATUS_ATTRIBUTES};
882
883 g_CommandsList["load"] = {&CommandLoad, &CommandLoadHelp, DEBUGGER_COMMAND_LOAD_ATTRIBUTES};
884
885 g_CommandsList["exit"] = {&CommandExit, &CommandExitHelp, DEBUGGER_COMMAND_EXIT_ATTRIBUTES};
886 g_CommandsList[".exit"] = {&CommandExit, &CommandExitHelp, DEBUGGER_COMMAND_EXIT_ATTRIBUTES};
887
888 g_CommandsList["flush"] = {&CommandFlush, &CommandFlushHelp, DEBUGGER_COMMAND_FLUSH_ATTRIBUTES};
889
890 g_CommandsList["pause"] = {&CommandPause, &CommandPauseHelp, DEBUGGER_COMMAND_PAUSE_ATTRIBUTES};
891
892 g_CommandsList["unload"] = {&CommandUnload, &CommandUnloadHelp, DEBUGGER_COMMAND_UNLOAD_ATTRIBUTES};
893
894 g_CommandsList[".script"] = {&CommandScript, &CommandScriptHelp, DEBUGGER_COMMAND_SCRIPT_ATTRIBUTES};
895 g_CommandsList["script"] = {&CommandScript, &CommandScriptHelp, DEBUGGER_COMMAND_SCRIPT_ATTRIBUTES};
896
897 g_CommandsList["output"] = {&CommandOutput, &CommandOutputHelp, DEBUGGER_COMMAND_OUTPUT_ATTRIBUTES};
898
899 g_CommandsList["print"] = {&CommandPrint, &CommandPrintHelp, DEBUGGER_COMMAND_PRINT_ATTRIBUTES};
900
901 g_CommandsList["?"] = {&CommandEval, &CommandEvalHelp, DEBUGGER_COMMAND_EVAL_ATTRIBUTES};
902 g_CommandsList["eval"] = {&CommandEval, &CommandEvalHelp, DEBUGGER_COMMAND_EVAL_ATTRIBUTES};
903 g_CommandsList["evaluate"] = {&CommandEval, &CommandEvalHelp, DEBUGGER_COMMAND_EVAL_ATTRIBUTES};
904
905 g_CommandsList[".logopen"] = {&CommandLogopen, &CommandLogopenHelp, DEBUGGER_COMMAND_LOGOPEN_ATTRIBUTES};
906
907 g_CommandsList[".logclose"] = {&CommandLogclose, &CommandLogcloseHelp, DEBUGGER_COMMAND_LOGCLOSE_ATTRIBUTES};
908
909 g_CommandsList[".pagein"] = {&CommandPagein, &CommandPageinHelp, DEBUGGER_COMMAND_PAGEIN_ATTRIBUTES};
910 g_CommandsList["pagein"] = {&CommandPagein, &CommandPageinHelp, DEBUGGER_COMMAND_PAGEIN_ATTRIBUTES};
911
912 g_CommandsList["test"] = {&CommandTest, &CommandTestHelp, DEBUGGER_COMMAND_TEST_ATTRIBUTES};
913
914 g_CommandsList["cpu"] = {&CommandCpu, &CommandCpuHelp, DEBUGGER_COMMAND_CPU_ATTRIBUTES};
915
916 g_CommandsList["wrmsr"] = {&CommandWrmsr, &CommandWrmsrHelp, DEBUGGER_COMMAND_WRMSR_ATTRIBUTES};
917
918 g_CommandsList["rdmsr"] = {&CommandRdmsr, &CommandRdmsrHelp, DEBUGGER_COMMAND_RDMSR_ATTRIBUTES};
919
920 g_CommandsList["!va2pa"] = {&CommandVa2pa, &CommandVa2paHelp, DEBUGGER_COMMAND_VA2PA_ATTRIBUTES};
921
922 g_CommandsList["!pa2va"] = {&CommandPa2va, &CommandPa2vaHelp, DEBUGGER_COMMAND_PA2VA_ATTRIBUTES};
923
924 g_CommandsList[".formats"] = {&CommandFormats, &CommandFormatsHelp, DEBUGGER_COMMAND_FORMATS_ATTRIBUTES};
925 g_CommandsList[".format"] = {&CommandFormats, &CommandFormatsHelp, DEBUGGER_COMMAND_FORMATS_ATTRIBUTES};
926
927 g_CommandsList["!pte"] = {&CommandPte, &CommandPteHelp, DEBUGGER_COMMAND_PTE_ATTRIBUTES};
928
929 g_CommandsList["~"] = {&CommandCore, &CommandCoreHelp, DEBUGGER_COMMAND_CORE_ATTRIBUTES};
930 g_CommandsList["core"] = {&CommandCore, &CommandCoreHelp, DEBUGGER_COMMAND_CORE_ATTRIBUTES};
931
932 g_CommandsList["!monitor"] = {&CommandMonitor, &CommandMonitorHelp, DEBUGGER_COMMAND_MONITOR_ATTRIBUTES};
933
934 g_CommandsList["!vmcall"] = {&CommandVmcall, &CommandVmcallHelp, DEBUGGER_COMMAND_VMCALL_ATTRIBUTES};
935
936 g_CommandsList["!epthook"] = {&CommandEptHook, &CommandEptHookHelp, DEBUGGER_COMMAND_EPTHOOK_ATTRIBUTES};
937 g_CommandsList["bh"] = {&CommandEptHook, &CommandEptHookHelp, DEBUGGER_COMMAND_EPTHOOK_ATTRIBUTES};
938
939 g_CommandsList["bp"] = {&CommandBp, &CommandBpHelp, DEBUGGER_COMMAND_BP_ATTRIBUTES};
940
941 g_CommandsList["bl"] = {&CommandBl, &CommandBlHelp, DEBUGGER_COMMAND_BD_ATTRIBUTES};
942
943 g_CommandsList["be"] = {&CommandBe, &CommandBeHelp, DEBUGGER_COMMAND_BD_ATTRIBUTES};
944
945 g_CommandsList["bd"] = {&CommandBd, &CommandBdHelp, DEBUGGER_COMMAND_BD_ATTRIBUTES};
946
947 g_CommandsList["bc"] = {&CommandBc, &CommandBcHelp, DEBUGGER_COMMAND_BD_ATTRIBUTES};
948
949 g_CommandsList["!epthook2"] = {&CommandEptHook2, &CommandEptHook2Help, DEBUGGER_COMMAND_EPTHOOK2_ATTRIBUTES};
950
951 g_CommandsList["!cpuid"] = {&CommandCpuid, &CommandCpuidHelp, DEBUGGER_COMMAND_CPUID_ATTRIBUTES};
952
953 g_CommandsList["!msrread"] = {&CommandMsrread, &CommandMsrreadHelp, DEBUGGER_COMMAND_MSRREAD_ATTRIBUTES};
954 g_CommandsList["!msread"] = {&CommandMsrread, &CommandMsrreadHelp, DEBUGGER_COMMAND_MSRREAD_ATTRIBUTES};
955
956 g_CommandsList["!msrwrite"] = {&CommandMsrwrite, &CommandMsrwriteHelp, DEBUGGER_COMMAND_MSRWRITE_ATTRIBUTES};
957
958 g_CommandsList["!tsc"] = {&CommandTsc, &CommandTscHelp, DEBUGGER_COMMAND_TSC_ATTRIBUTES};
959
960 g_CommandsList["!pmc"] = {&CommandPmc, &CommandPmcHelp, DEBUGGER_COMMAND_PMC_ATTRIBUTES};
961
962 g_CommandsList["!crwrite"] = {&CommandCrwrite, &CommandCrwriteHelp, DEBUGGER_COMMAND_CRWRITE_ATTRIBUTES};
963
964 g_CommandsList["!dr"] = {&CommandDr, &CommandDrHelp, DEBUGGER_COMMAND_DR_ATTRIBUTES};
965
966 g_CommandsList["!ioin"] = {&CommandIoin, &CommandIoinHelp, DEBUGGER_COMMAND_IOIN_ATTRIBUTES};
967
968 g_CommandsList["!ioout"] = {&CommandIoout, &CommandIooutHelp, DEBUGGER_COMMAND_IOOUT_ATTRIBUTES};
969 g_CommandsList["!iout"] = {&CommandIoout, &CommandIooutHelp, DEBUGGER_COMMAND_IOOUT_ATTRIBUTES};
970
971 g_CommandsList["!exception"] = {&CommandException, &CommandExceptionHelp, DEBUGGER_COMMAND_EXCEPTION_ATTRIBUTES};
972
973 g_CommandsList["!interrupt"] = {&CommandInterrupt, &CommandInterruptHelp, DEBUGGER_COMMAND_INTERRUPT_ATTRIBUTES};
974
975 g_CommandsList["!syscall"] = {&CommandSyscallAndSysret, &CommandSyscallHelp, DEBUGGER_COMMAND_SYSCALL_ATTRIBUTES};
976 g_CommandsList["!syscall2"] = {&CommandSyscallAndSysret, &CommandSyscallHelp, DEBUGGER_COMMAND_SYSCALL_ATTRIBUTES};
977
978 g_CommandsList["!sysret"] = {&CommandSyscallAndSysret, &CommandSysretHelp, DEBUGGER_COMMAND_SYSRET_ATTRIBUTES};
979 g_CommandsList["!sysret2"] = {&CommandSyscallAndSysret, &CommandSysretHelp, DEBUGGER_COMMAND_SYSRET_ATTRIBUTES};
980
981 g_CommandsList["!mode"] = {&CommandMode, &CommandModeHelp, DEBUGGER_COMMAND_MODE_ATTRIBUTES};
982
983 g_CommandsList["!trace"] = {&CommandTrace, &CommandTraceHelp, DEBUGGER_COMMAND_TRACE_ATTRIBUTES};
984
985 g_CommandsList["!hide"] = {&CommandHide, &CommandHideHelp, DEBUGGER_COMMAND_HIDE_ATTRIBUTES};
986
987 g_CommandsList["!unhide"] = {&CommandUnhide, &CommandUnhideHelp, DEBUGGER_COMMAND_UNHIDE_ATTRIBUTES};
988
989 g_CommandsList["!measure"] = {&CommandMeasure, &CommandMeasureHelp, DEBUGGER_COMMAND_MEASURE_ATTRIBUTES};
990
991 g_CommandsList["lm"] = {&CommandLm, &CommandLmHelp, DEBUGGER_COMMAND_LM_ATTRIBUTES};
992
993 g_CommandsList["p"] = {&CommandP, &CommandPHelp, DEBUGGER_COMMAND_P_ATTRIBUTES};
994 g_CommandsList["pr"] = {&CommandP, &CommandPHelp, DEBUGGER_COMMAND_P_ATTRIBUTES};
995
996 g_CommandsList["t"] = {&CommandT, &CommandTHelp, DEBUGGER_COMMAND_T_ATTRIBUTES};
997 g_CommandsList["tr"] = {&CommandT, &CommandTHelp, DEBUGGER_COMMAND_T_ATTRIBUTES};
998
999 g_CommandsList["i"] = {&CommandI, &CommandIHelp, DEBUGGER_COMMAND_I_ATTRIBUTES};
1000 g_CommandsList["ir"] = {&CommandI, &CommandIHelp, DEBUGGER_COMMAND_I_ATTRIBUTES};
1001
1002 g_CommandsList["gu"] = {&CommandGu, &CommandGuHelp, DEBUGGER_COMMAND_GU_ATTRIBUTES};
1003
1004 g_CommandsList["db"] = {&CommandReadMemoryAndDisassembler,
1005 &CommandReadMemoryAndDisassemblerHelp,
1006 DEBUGGER_COMMAND_D_AND_U_ATTRIBUTES};
1007 g_CommandsList["dc"] = {&CommandReadMemoryAndDisassembler,
1008 &CommandReadMemoryAndDisassemblerHelp,
1009 DEBUGGER_COMMAND_D_AND_U_ATTRIBUTES};
1010 g_CommandsList["dd"] = {&CommandReadMemoryAndDisassembler,
1011 &CommandReadMemoryAndDisassemblerHelp,
1012 DEBUGGER_COMMAND_D_AND_U_ATTRIBUTES};
1013 g_CommandsList["dq"] = {&CommandReadMemoryAndDisassembler,
1014 &CommandReadMemoryAndDisassemblerHelp,
1015 DEBUGGER_COMMAND_D_AND_U_ATTRIBUTES};
1016 g_CommandsList["!db"] = {&CommandReadMemoryAndDisassembler,
1017 &CommandReadMemoryAndDisassemblerHelp,
1018 DEBUGGER_COMMAND_D_AND_U_ATTRIBUTES};
1019 g_CommandsList["!dc"] = {&CommandReadMemoryAndDisassembler,
1020 &CommandReadMemoryAndDisassemblerHelp,
1021 DEBUGGER_COMMAND_D_AND_U_ATTRIBUTES};
1022 g_CommandsList["!dd"] = {&CommandReadMemoryAndDisassembler,
1023 &CommandReadMemoryAndDisassemblerHelp,
1024 DEBUGGER_COMMAND_D_AND_U_ATTRIBUTES};
1025 g_CommandsList["!dq"] = {&CommandReadMemoryAndDisassembler,
1026 &CommandReadMemoryAndDisassemblerHelp,
1027 DEBUGGER_COMMAND_D_AND_U_ATTRIBUTES};
1028 g_CommandsList["!u"] = {&CommandReadMemoryAndDisassembler,
1029 &CommandReadMemoryAndDisassemblerHelp,
1030 DEBUGGER_COMMAND_D_AND_U_ATTRIBUTES};
1031 g_CommandsList["u"] = {&CommandReadMemoryAndDisassembler,
1032 &CommandReadMemoryAndDisassemblerHelp,
1033 DEBUGGER_COMMAND_D_AND_U_ATTRIBUTES};
1034 g_CommandsList["!u64"] = {&CommandReadMemoryAndDisassembler,
1035 &CommandReadMemoryAndDisassemblerHelp,
1036 DEBUGGER_COMMAND_D_AND_U_ATTRIBUTES};
1037 g_CommandsList["u64"] = {&CommandReadMemoryAndDisassembler,
1038 &CommandReadMemoryAndDisassemblerHelp,
1039 DEBUGGER_COMMAND_D_AND_U_ATTRIBUTES};
1040 g_CommandsList["!u2"] = {&CommandReadMemoryAndDisassembler,
1041 &CommandReadMemoryAndDisassemblerHelp,
1042 DEBUGGER_COMMAND_D_AND_U_ATTRIBUTES};
1043 g_CommandsList["u2"] = {&CommandReadMemoryAndDisassembler,
1044 &CommandReadMemoryAndDisassemblerHelp,
1045 DEBUGGER_COMMAND_D_AND_U_ATTRIBUTES};
1046 g_CommandsList["!u32"] = {&CommandReadMemoryAndDisassembler,
1047 &CommandReadMemoryAndDisassemblerHelp,
1048 DEBUGGER_COMMAND_D_AND_U_ATTRIBUTES};
1049 g_CommandsList["u32"] = {&CommandReadMemoryAndDisassembler,
1050 &CommandReadMemoryAndDisassemblerHelp,
1051 DEBUGGER_COMMAND_D_AND_U_ATTRIBUTES};
1052
1053 g_CommandsList["eb"] = {&CommandEditMemory, &CommandEditMemoryHelp, DEBUGGER_COMMAND_E_ATTRIBUTES};
1054 g_CommandsList["ed"] = {&CommandEditMemory, &CommandEditMemoryHelp, DEBUGGER_COMMAND_E_ATTRIBUTES};
1055 g_CommandsList["eq"] = {&CommandEditMemory, &CommandEditMemoryHelp, DEBUGGER_COMMAND_E_ATTRIBUTES};
1056 g_CommandsList["!eb"] = {&CommandEditMemory, &CommandEditMemoryHelp, DEBUGGER_COMMAND_E_ATTRIBUTES};
1057 g_CommandsList["!ed"] = {&CommandEditMemory, &CommandEditMemoryHelp, DEBUGGER_COMMAND_E_ATTRIBUTES};
1058 g_CommandsList["!eq"] = {&CommandEditMemory, &CommandEditMemoryHelp, DEBUGGER_COMMAND_E_ATTRIBUTES};
1059
1060 g_CommandsList["sb"] = {&CommandSearchMemory, &CommandSearchMemoryHelp, DEBUGGER_COMMAND_S_ATTRIBUTES};
1061 g_CommandsList["sd"] = {&CommandSearchMemory, &CommandSearchMemoryHelp, DEBUGGER_COMMAND_S_ATTRIBUTES};
1062 g_CommandsList["sq"] = {&CommandSearchMemory, &CommandSearchMemoryHelp, DEBUGGER_COMMAND_S_ATTRIBUTES};
1063 g_CommandsList["!sb"] = {&CommandSearchMemory, &CommandSearchMemoryHelp, DEBUGGER_COMMAND_S_ATTRIBUTES};
1064 g_CommandsList["!sd"] = {&CommandSearchMemory, &CommandSearchMemoryHelp, DEBUGGER_COMMAND_S_ATTRIBUTES};
1065 g_CommandsList["!sq"] = {&CommandSearchMemory, &CommandSearchMemoryHelp, DEBUGGER_COMMAND_S_ATTRIBUTES};
1066
1067 g_CommandsList["r"] = {&CommandR, &CommandRHelp, DEBUGGER_COMMAND_R_ATTRIBUTES};
1068
1069 g_CommandsList[".sympath"] = {&CommandSympath, &CommandSympathHelp, DEBUGGER_COMMAND_SYMPATH_ATTRIBUTES};
1070 g_CommandsList["sympath"] = {&CommandSympath, &CommandSympathHelp, DEBUGGER_COMMAND_SYMPATH_ATTRIBUTES};
1071
1072 g_CommandsList[".sym"] = {&CommandSym, &CommandSymHelp, DEBUGGER_COMMAND_SYM_ATTRIBUTES};
1073 g_CommandsList["sym"] = {&CommandSym, &CommandSymHelp, DEBUGGER_COMMAND_SYM_ATTRIBUTES};
1074
1075 g_CommandsList["x"] = {&CommandX, &CommandXHelp, DEBUGGER_COMMAND_X_ATTRIBUTES};
1076
1077 g_CommandsList["prealloc"] = {&CommandPrealloc, &CommandPreallocHelp, DEBUGGER_COMMAND_PREALLOC_ATTRIBUTES};
1078 g_CommandsList["preallocate"] = {&CommandPrealloc, &CommandPreallocHelp, DEBUGGER_COMMAND_PREALLOC_ATTRIBUTES};
1079 g_CommandsList["preallocation"] = {&CommandPrealloc, &CommandPreallocHelp, DEBUGGER_COMMAND_PREALLOC_ATTRIBUTES};
1080
1081 g_CommandsList["preactivate"] = {&CommandPreactivate, &CommandPreactivateHelp, DEBUGGER_COMMAND_PREACTIVATE_ATTRIBUTES};
1082 g_CommandsList["preactive"] = {&CommandPreactivate, &CommandPreactivateHelp, DEBUGGER_COMMAND_PREACTIVATE_ATTRIBUTES};
1083 g_CommandsList["preactivation"] = {&CommandPreactivate, &CommandPreactivateHelp, DEBUGGER_COMMAND_PREACTIVATE_ATTRIBUTES};
1084
1085 g_CommandsList["k"] = {&CommandK, &CommandKHelp, DEBUGGER_COMMAND_K_ATTRIBUTES};
1086 g_CommandsList["kd"] = {&CommandK, &CommandKHelp, DEBUGGER_COMMAND_K_ATTRIBUTES};
1087 g_CommandsList["kq"] = {&CommandK, &CommandKHelp, DEBUGGER_COMMAND_K_ATTRIBUTES};
1088
1089 g_CommandsList["dt"] = {&CommandDtAndStruct, &CommandDtHelp, DEBUGGER_COMMAND_DT_ATTRIBUTES};
1090 g_CommandsList["!dt"] = {&CommandDtAndStruct, &CommandDtHelp, DEBUGGER_COMMAND_DT_ATTRIBUTES};
1091
1092 g_CommandsList["struct"] = {&CommandDtAndStruct, &CommandStructHelp, DEBUGGER_COMMAND_STRUCT_ATTRIBUTES};
1093 g_CommandsList["structure"] = {&CommandDtAndStruct, &CommandStructHelp, DEBUGGER_COMMAND_STRUCT_ATTRIBUTES};
1094
1095 g_CommandsList[".pe"] = {&CommandPe, &CommandPeHelp, DEBUGGER_COMMAND_PE_ATTRIBUTES};
1096
1097 g_CommandsList["!rev"] = {&CommandRev, &CommandRevHelp, DEBUGGER_COMMAND_REV_ATTRIBUTES};
1098 g_CommandsList["rev"] = {&CommandRev, &CommandRevHelp, DEBUGGER_COMMAND_REV_ATTRIBUTES};
1099
1100 g_CommandsList["!track"] = {&CommandTrack, &CommandTrackHelp, DEBUGGER_COMMAND_TRACK_ATTRIBUTES};
1101 g_CommandsList["track"] = {&CommandTrack, &CommandTrackHelp, DEBUGGER_COMMAND_TRACK_ATTRIBUTES};
1102
1103 g_CommandsList[".dump"] = {&CommandDump, &CommandDumpHelp, DEBUGGER_COMMAND_DUMP_ATTRIBUTES};
1104 g_CommandsList["dump"] = {&CommandDump, &CommandDumpHelp, DEBUGGER_COMMAND_DUMP_ATTRIBUTES};
1105 g_CommandsList["!dump"] = {&CommandDump, &CommandDumpHelp, DEBUGGER_COMMAND_DUMP_ATTRIBUTES};
1106
1107 //
1108 // hwdbg commands
1109 //
1110 g_CommandsList["!hw_clk"] = {&CommandHwClk, &CommandHwClkHelp, DEBUGGER_COMMAND_HWDBG_HW_CLK_ATTRIBUTES};
1111 g_CommandsList["!hw_clock"] = {&CommandHwClk, &CommandHwClkHelp, DEBUGGER_COMMAND_HWDBG_HW_CLK_ATTRIBUTES};
1112 g_CommandsList["!hwdbg_clock"] = {&CommandHwClk, &CommandHwClkHelp, DEBUGGER_COMMAND_HWDBG_HW_CLK_ATTRIBUTES};
1113 g_CommandsList["!hwdbg_clock"] = {&CommandHwClk, &CommandHwClkHelp, DEBUGGER_COMMAND_HWDBG_HW_CLK_ATTRIBUTES};
1114
1115 g_CommandsList["a"] = {&CommandAssemble, &CommandAssembleHelp, DEBUGGER_COMMAND_A_ATTRIBUTES};
1116 g_CommandsList["asm"] = {&CommandAssemble, &CommandAssembleHelp, DEBUGGER_COMMAND_A_ATTRIBUTES};
1117 g_CommandsList["assemble"] = {&CommandAssemble, &CommandAssembleHelp, DEBUGGER_COMMAND_A_ATTRIBUTES};
1118 g_CommandsList["assembly"] = {&CommandAssemble, &CommandAssembleHelp, DEBUGGER_COMMAND_A_ATTRIBUTES};
1119 g_CommandsList["!a"] = {&CommandAssemble, &CommandAssembleHelp, DEBUGGER_COMMAND_A_ATTRIBUTES};
1120 g_CommandsList["!asm"] = {&CommandAssemble, &CommandAssembleHelp, DEBUGGER_COMMAND_A_ATTRIBUTES};
1121 g_CommandsList["!assemble"] = {&CommandAssemble, &CommandAssembleHelp, DEBUGGER_COMMAND_A_ATTRIBUTES};
1122 g_CommandsList["!assembly"] = {&CommandAssemble, &CommandAssembleHelp, DEBUGGER_COMMAND_A_ATTRIBUTES};
1123}
CommandAssemble
VOID CommandAssemble(vector< string > SplitCommand, string Command)
a and !a commands handler
Definition a.cpp:182
CommandAttach
VOID CommandAttach(vector< string > SplitCommand, string Command)
.attach command handler
Definition attach.cpp:44
CommandBc
VOID CommandBc(vector< string > SplitCommand, string Command)
handler of bc command
Definition bc.cpp:44
CommandBd
VOID CommandBd(vector< string > SplitCommand, string Command)
handler of bd command
Definition bd.cpp:44
CommandBe
VOID CommandBe(vector< string > SplitCommand, string Command)
handler of be command
Definition be.cpp:44
CommandBl
VOID CommandBl(vector< string > SplitCommand, string Command)
handler of the bl command
Definition bl.cpp:40
CommandBp
VOID CommandBp(vector< string > SplitCommand, string Command)
bp command handler
Definition bp.cpp:83
CommandClearScreenHelp
VOID CommandClearScreenHelp()
help of the .cls command
Definition cls.cpp:20
CommandClearScreen
VOID CommandClearScreen(vector< string > SplitCommand, string Command)
.cls command handler
Definition cls.cpp:35
DEBUGGER_COMMAND_IOOUT_ATTRIBUTES
#define DEBUGGER_COMMAND_IOOUT_ATTRIBUTES
Definition commands.h:337
DEBUGGER_COMMAND_LOAD_ATTRIBUTES
#define DEBUGGER_COMMAND_LOAD_ATTRIBUTES
Definition commands.h:262
DEBUGGER_COMMAND_INTERRUPT_ATTRIBUTES
#define DEBUGGER_COMMAND_INTERRUPT_ATTRIBUTES
Definition commands.h:341
DEBUGGER_COMMAND_PAGEIN_ATTRIBUTES
#define DEBUGGER_COMMAND_PAGEIN_ATTRIBUTES
Definition commands.h:424
DEBUGGER_COMMAND_X_ATTRIBUTES
#define DEBUGGER_COMMAND_X_ATTRIBUTES
Definition commands.h:401
DEBUGGER_COMMAND_HELP_ATTRIBUTES
#define DEBUGGER_COMMAND_HELP_ATTRIBUTES
Definition commands.h:213
DEBUGGER_COMMAND_BD_ATTRIBUTES
#define DEBUGGER_COMMAND_BD_ATTRIBUTES
Definition commands.h:386
DEBUGGER_COMMAND_MEASURE_ATTRIBUTES
#define DEBUGGER_COMMAND_MEASURE_ATTRIBUTES
Definition commands.h:355
DEBUGGER_COMMAND_HIDE_ATTRIBUTES
#define DEBUGGER_COMMAND_HIDE_ATTRIBUTES
Definition commands.h:351
DEBUGGER_COMMAND_A_ATTRIBUTES
#define DEBUGGER_COMMAND_A_ATTRIBUTES
Definition commands.h:434
DEBUGGER_COMMAND_VMCALL_ATTRIBUTES
#define DEBUGGER_COMMAND_VMCALL_ATTRIBUTES
Definition commands.h:315
DEBUGGER_COMMAND_DT_ATTRIBUTES
#define DEBUGGER_COMMAND_DT_ATTRIBUTES
Definition commands.h:411
DEBUGGER_COMMAND_FORMATS_ATTRIBUTES
#define DEBUGGER_COMMAND_FORMATS_ATTRIBUTES
Definition commands.h:305
DEBUGGER_COMMAND_STRUCT_ATTRIBUTES
#define DEBUGGER_COMMAND_STRUCT_ATTRIBUTES
Definition commands.h:414
DEBUGGER_COMMAND_PTE_ATTRIBUTES
#define DEBUGGER_COMMAND_PTE_ATTRIBUTES
Definition commands.h:308
DEBUGGER_COMMAND_DUMP_ATTRIBUTES
#define DEBUGGER_COMMAND_DUMP_ATTRIBUTES
Definition commands.h:426
DEBUGGER_COMMAND_DISCONNECT_ATTRIBUTES
#define DEBUGGER_COMMAND_DISCONNECT_ATTRIBUTES
Definition commands.h:251
DEBUGGER_COMMAND_TSC_ATTRIBUTES
#define DEBUGGER_COMMAND_TSC_ATTRIBUTES
Definition commands.h:327
DEBUGGER_COMMAND_K_ATTRIBUTES
#define DEBUGGER_COMMAND_K_ATTRIBUTES
Definition commands.h:408
DEBUGGER_COMMAND_FLUSH_ATTRIBUTES
#define DEBUGGER_COMMAND_FLUSH_ATTRIBUTES
Definition commands.h:267
DEBUGGER_COMMAND_S_ATTRIBUTES
#define DEBUGGER_COMMAND_S_ATTRIBUTES
Definition commands.h:374
DEBUGGER_COMMAND_BP_ATTRIBUTES
#define DEBUGGER_COMMAND_BP_ATTRIBUTES
Definition commands.h:380
DEBUGGER_COMMAND_WRMSR_ATTRIBUTES
#define DEBUGGER_COMMAND_WRMSR_ATTRIBUTES
Definition commands.h:297
DEBUGGER_COMMAND_P_ATTRIBUTES
#define DEBUGGER_COMMAND_P_ATTRIBUTES
Definition commands.h:359
DEBUGGER_COMMAND_SYM_ATTRIBUTES
#define DEBUGGER_COMMAND_SYM_ATTRIBUTES
Definition commands.h:398
DEBUGGER_COMMAND_PA2VA_ATTRIBUTES
#define DEBUGGER_COMMAND_PA2VA_ATTRIBUTES
Definition commands.h:303
DEBUGGER_COMMAND_CPUID_ATTRIBUTES
#define DEBUGGER_COMMAND_CPUID_ATTRIBUTES
Definition commands.h:321
DEBUGGER_COMMAND_REV_ATTRIBUTES
#define DEBUGGER_COMMAND_REV_ATTRIBUTES
Definition commands.h:420
DEBUGGER_COMMAND_PMC_ATTRIBUTES
#define DEBUGGER_COMMAND_PMC_ATTRIBUTES
Definition commands.h:329
DEBUGGER_COMMAND_LISTEN_ATTRIBUTES
#define DEBUGGER_COMMAND_LISTEN_ATTRIBUTES
Definition commands.h:219
DEBUGGER_COMMAND_TEST_ATTRIBUTES
#define DEBUGGER_COMMAND_TEST_ATTRIBUTES
Definition commands.h:293
DEBUGGER_COMMAND_PREACTIVATE_ATTRIBUTES
#define DEBUGGER_COMMAND_PREACTIVATE_ATTRIBUTES
Definition commands.h:406
DEBUGGER_COMMAND_OUTPUT_ATTRIBUTES
#define DEBUGGER_COMMAND_OUTPUT_ATTRIBUTES
Definition commands.h:278
DEBUGGER_COMMAND_CORE_ATTRIBUTES
#define DEBUGGER_COMMAND_CORE_ATTRIBUTES
Definition commands.h:310
DEBUGGER_COMMAND_SCRIPT_ATTRIBUTES
#define DEBUGGER_COMMAND_SCRIPT_ATTRIBUTES
Definition commands.h:275
DEBUGGER_COMMAND_RDMSR_ATTRIBUTES
#define DEBUGGER_COMMAND_RDMSR_ATTRIBUTES
Definition commands.h:299
DEBUGGER_COMMAND_PE_ATTRIBUTES
#define DEBUGGER_COMMAND_PE_ATTRIBUTES
Definition commands.h:417
DEBUGGER_COMMAND_SWITCH_ATTRIBUTES
#define DEBUGGER_COMMAND_SWITCH_ATTRIBUTES
Definition commands.h:228
DEBUGGER_COMMAND_MSRWRITE_ATTRIBUTES
#define DEBUGGER_COMMAND_MSRWRITE_ATTRIBUTES
Definition commands.h:325
DEBUGGER_COMMAND_RESTART_ATTRIBUTES
#define DEBUGGER_COMMAND_RESTART_ATTRIBUTES
Definition commands.h:232
DEBUGGER_COMMAND_SETTINGS_ATTRIBUTES
#define DEBUGGER_COMMAND_SETTINGS_ATTRIBUTES
Definition commands.h:248
DEBUGGER_COMMAND_VA2PA_ATTRIBUTES
#define DEBUGGER_COMMAND_VA2PA_ATTRIBUTES
Definition commands.h:301
DEBUGGER_COMMAND_UNHIDE_ATTRIBUTES
#define DEBUGGER_COMMAND_UNHIDE_ATTRIBUTES
Definition commands.h:353
DEBUGGER_COMMAND_STATUS_ATTRIBUTES
#define DEBUGGER_COMMAND_STATUS_ATTRIBUTES
Definition commands.h:260
DEBUGGER_COMMAND_PAUSE_ATTRIBUTES
#define DEBUGGER_COMMAND_PAUSE_ATTRIBUTES
Definition commands.h:270
DEBUGGER_COMMAND_LOGCLOSE_ATTRIBUTES
#define DEBUGGER_COMMAND_LOGCLOSE_ATTRIBUTES
Definition commands.h:290
DEBUGGER_COMMAND_G_ATTRIBUTES
#define DEBUGGER_COMMAND_G_ATTRIBUTES
Definition commands.h:222
DEBUGGER_COMMAND_LOGOPEN_ATTRIBUTES
#define DEBUGGER_COMMAND_LOGOPEN_ATTRIBUTES
Definition commands.h:287
DEBUGGER_COMMAND_CONNECT_ATTRIBUTES
#define DEBUGGER_COMMAND_CONNECT_ATTRIBUTES
Definition commands.h:216
DEBUGGER_COMMAND_E_ATTRIBUTES
#define DEBUGGER_COMMAND_E_ATTRIBUTES
Definition commands.h:371
DEBUGGER_COMMAND_IOIN_ATTRIBUTES
#define DEBUGGER_COMMAND_IOIN_ATTRIBUTES
Definition commands.h:335
DEBUGGER_COMMAND_SYMPATH_ATTRIBUTES
#define DEBUGGER_COMMAND_SYMPATH_ATTRIBUTES
Definition commands.h:395
DEBUGGER_COMMAND_EXCEPTION_ATTRIBUTES
#define DEBUGGER_COMMAND_EXCEPTION_ATTRIBUTES
Definition commands.h:339
DEBUGGER_COMMAND_T_ATTRIBUTES
#define DEBUGGER_COMMAND_T_ATTRIBUTES
Definition commands.h:362
DEBUGGER_COMMAND_HWDBG_HW_CLK_ATTRIBUTES
#define DEBUGGER_COMMAND_HWDBG_HW_CLK_ATTRIBUTES
Definition commands.h:432
DEBUGGER_COMMAND_MODE_ATTRIBUTES
#define DEBUGGER_COMMAND_MODE_ATTRIBUTES
Definition commands.h:347
DEBUGGER_COMMAND_LM_ATTRIBUTES
#define DEBUGGER_COMMAND_LM_ATTRIBUTES
Definition commands.h:357
DEBUGGER_COMMAND_SYSRET_ATTRIBUTES
#define DEBUGGER_COMMAND_SYSRET_ATTRIBUTES
Definition commands.h:345
DEBUGGER_COMMAND_TRACE_ATTRIBUTES
#define DEBUGGER_COMMAND_TRACE_ATTRIBUTES
Definition commands.h:349
DEBUGGER_COMMAND_UNLOAD_ATTRIBUTES
#define DEBUGGER_COMMAND_UNLOAD_ATTRIBUTES
Definition commands.h:273
DEBUGGER_COMMAND_THREAD_ATTRIBUTES
#define DEBUGGER_COMMAND_THREAD_ATTRIBUTES
Definition commands.h:239
DEBUGGER_COMMAND_EPTHOOK_ATTRIBUTES
#define DEBUGGER_COMMAND_EPTHOOK_ATTRIBUTES
Definition commands.h:317
DEBUGGER_COMMAND_SLEEP_ATTRIBUTES
#define DEBUGGER_COMMAND_SLEEP_ATTRIBUTES
Definition commands.h:242
DEBUGGER_COMMAND_PREALLOC_ATTRIBUTES
#define DEBUGGER_COMMAND_PREALLOC_ATTRIBUTES
Definition commands.h:404
DEBUGGER_COMMAND_EPTHOOK2_ATTRIBUTES
#define DEBUGGER_COMMAND_EPTHOOK2_ATTRIBUTES
Definition commands.h:319
DEBUGGER_COMMAND_MONITOR_ATTRIBUTES
#define DEBUGGER_COMMAND_MONITOR_ATTRIBUTES
Definition commands.h:313
DEBUGGER_COMMAND_PRINT_ATTRIBUTES
#define DEBUGGER_COMMAND_PRINT_ATTRIBUTES
Definition commands.h:281
DEBUGGER_COMMAND_START_ATTRIBUTES
#define DEBUGGER_COMMAND_START_ATTRIBUTES
Definition commands.h:230
DEBUGGER_COMMAND_DOT_STATUS_ATTRIBUTES
#define DEBUGGER_COMMAND_DOT_STATUS_ATTRIBUTES
Definition commands.h:257
DEBUGGER_COMMAND_DR_ATTRIBUTES
#define DEBUGGER_COMMAND_DR_ATTRIBUTES
Definition commands.h:333
DEBUGGER_COMMAND_CLEAR_ATTRIBUTES
#define DEBUGGER_COMMAND_CLEAR_ATTRIBUTES
Command's attributes.
Definition commands.h:210
DEBUGGER_COMMAND_SYSCALL_ATTRIBUTES
#define DEBUGGER_COMMAND_SYSCALL_ATTRIBUTES
Definition commands.h:343
DEBUGGER_COMMAND_GU_ATTRIBUTES
#define DEBUGGER_COMMAND_GU_ATTRIBUTES
Definition commands.h:429
DEBUGGER_COMMAND_PROCESS_ATTRIBUTES
#define DEBUGGER_COMMAND_PROCESS_ATTRIBUTES
Definition commands.h:236
DEBUGGER_COMMAND_KILL_ATTRIBUTES
#define DEBUGGER_COMMAND_KILL_ATTRIBUTES
Definition commands.h:234
DEBUGGER_COMMAND_I_ATTRIBUTES
#define DEBUGGER_COMMAND_I_ATTRIBUTES
Definition commands.h:365
DEBUGGER_COMMAND_CRWRITE_ATTRIBUTES
#define DEBUGGER_COMMAND_CRWRITE_ATTRIBUTES
Definition commands.h:331
DEBUGGER_COMMAND_D_AND_U_ATTRIBUTES
#define DEBUGGER_COMMAND_D_AND_U_ATTRIBUTES
Definition commands.h:368
DEBUGGER_COMMAND_CPU_ATTRIBUTES
#define DEBUGGER_COMMAND_CPU_ATTRIBUTES
Definition commands.h:295
DEBUGGER_COMMAND_MSRREAD_ATTRIBUTES
#define DEBUGGER_COMMAND_MSRREAD_ATTRIBUTES
Definition commands.h:323
DEBUGGER_COMMAND_EVENTS_ATTRIBUTES
#define DEBUGGER_COMMAND_EVENTS_ATTRIBUTES
Definition commands.h:245
DEBUGGER_COMMAND_ATTACH_ATTRIBUTES
#define DEBUGGER_COMMAND_ATTACH_ATTRIBUTES
Definition commands.h:224
DEBUGGER_COMMAND_EXIT_ATTRIBUTES
#define DEBUGGER_COMMAND_EXIT_ATTRIBUTES
Definition commands.h:264
DEBUGGER_COMMAND_EVAL_ATTRIBUTES
#define DEBUGGER_COMMAND_EVAL_ATTRIBUTES
Definition commands.h:284
DEBUGGER_COMMAND_DETACH_ATTRIBUTES
#define DEBUGGER_COMMAND_DETACH_ATTRIBUTES
Definition commands.h:226
DEBUGGER_COMMAND_TRACK_ATTRIBUTES
#define DEBUGGER_COMMAND_TRACK_ATTRIBUTES
Definition commands.h:422
DEBUGGER_COMMAND_R_ATTRIBUTES
#define DEBUGGER_COMMAND_R_ATTRIBUTES
Definition commands.h:377
DEBUGGER_COMMAND_DEBUG_ATTRIBUTES
#define DEBUGGER_COMMAND_DEBUG_ATTRIBUTES
Definition commands.h:254
CommandConnect
VOID CommandConnect(vector< string > SplitCommand, string Command)
.connect command handler
Definition connect.cpp:106
CommandCore
VOID CommandCore(vector< string > SplitCommand, string Command)
~ command handler
Definition core.cpp:46
CommandCpu
VOID CommandCpu(vector< string > SplitCommand, string Command)
cpu command handler
Definition cpu.cpp:35
CommandCpuid
VOID CommandCpuid(vector< string > SplitCommand, string Command)
!cpuid command handler
Definition cpuid.cpp:47
CommandCrwrite
VOID CommandCrwrite(vector< string > SplitCommand, string Command)
!crwrite command handler
Definition crwrite.cpp:46
CommandReadMemoryAndDisassembler
VOID CommandReadMemoryAndDisassembler(vector< string > SplitCommand, string Command)
u* d* !u* !d* commands handler
Definition d-u.cpp:72
CommandDebug
VOID CommandDebug(vector< string > SplitCommand, string Command)
.debug command handler
Definition debug.cpp:210
CommandDetach
VOID CommandDetach(vector< string > SplitCommand, string Command)
.detach command handler
Definition detach.cpp:71
CommandDisconnect
VOID CommandDisconnect(vector< string > SplitCommand, string Command)
.disconnect command handler
Definition disconnect.cpp:44
CommandDr
VOID CommandDr(vector< string > SplitCommand, string Command)
!dr command handler
Definition dr.cpp:45
CommandDtAndStruct
VOID CommandDtAndStruct(vector< string > SplitCommand, string Command)
dt and struct command handler
Definition dt-struct.cpp:427
CommandDump
VOID CommandDump(vector< string > SplitCommand, string Command)
.dump command handler
Definition dump.cpp:62
CommandEditMemory
VOID CommandEditMemory(vector< string > SplitCommand, string Command)
!e* and e* commands handler
Definition e.cpp:265
CommandEptHook2
VOID CommandEptHook2(vector< string > SplitCommand, string Command)
!epthook2 command handler
Definition epthook2.cpp:48
CommandEptHook
VOID CommandEptHook(vector< string > SplitCommand, string Command)
!epthook command handler
Definition epthook.cpp:47
CommandEval
VOID CommandEval(vector< string > SplitCommand, string Command)
handler of ? command
Definition eval.cpp:196
CommandEvents
VOID CommandEvents(vector< string > SplitCommand, string Command)
events command handler
Definition events.cpp:65
CommandException
VOID CommandException(vector< string > SplitCommand, string Command)
!exception command handler
Definition exception.cpp:50
CommandExit
VOID CommandExit(vector< string > SplitCommand, string Command)
exit command handler
Definition exit.cpp:43
CommandFlush
VOID CommandFlush(vector< string > SplitCommand, string Command)
flush command handler
Definition flush.cpp:109
CommandFormats
VOID CommandFormats(vector< string > SplitCommand, string Command)
handler of .formats command
Definition formats.cpp:105
CommandG
VOID CommandG(vector< string > SplitCommand, string Command)
handler of g command
Definition g.cpp:93
CommandGu
VOID CommandGu(vector< string > SplitCommand, string Command)
handler of gu command
Definition gu.cpp:51
CommandHelpHelp
VOID CommandHelpHelp()
help of the help command :)
Definition help.cpp:22
CommandHide
VOID CommandHide(vector< string > SplitCommand, string Command)
!hide command handler
Definition hide.cpp:60
CommandHwClk
VOID CommandHwClk(vector< string > SplitCommand, string Command)
!hw_clk command handler
Definition hw_clk.cpp:46
CommandI
VOID CommandI(vector< string > SplitCommand, string Command)
handler of i command
Definition i.cpp:55
g_CommandsList
CommandType g_CommandsList
List of command and attributes.
Definition globals.h:324
CommandInterrupt
VOID CommandInterrupt(vector< string > SplitCommand, string Command)
!interrupt command handler
Definition interrupt.cpp:48
CommandIoin
VOID CommandIoin(vector< string > SplitCommand, string Command)
!ioin command handler
Definition ioin.cpp:47
CommandIoout
VOID CommandIoout(vector< string > SplitCommand, string Command)
!ioout command handler
Definition ioout.cpp:47
CommandK
VOID CommandK(vector< string > SplitCommand, string Command)
k command handler
Definition k.cpp:55
CommandKill
VOID CommandKill(vector< string > SplitCommand, string Command)
.kill command handler
Definition kill.cpp:41
CommandListen
VOID CommandListen(vector< string > SplitCommand, string Command)
listen command handler
Definition listen.cpp:53
CommandLm
VOID CommandLm(vector< string > SplitCommand, string Command)
handle lm command
Definition lm.cpp:385
CommandLoad
VOID CommandLoad(vector< string > SplitCommand, string Command)
load command handler
Definition load.cpp:46
CommandLogclose
VOID CommandLogclose(vector< string > SplitCommand, string Command)
.logclose command handler
Definition logclose.cpp:41
CommandLogopen
VOID CommandLogopen(vector< string > SplitCommand, string Command)
.logopen command handler
Definition logopen.cpp:43
CommandMeasure
VOID CommandMeasure(vector< string > SplitCommand, string Command)
!measure command handler
Definition measure.cpp:53
CommandMode
VOID CommandMode(vector< string > SplitCommand, string Command)
!mode command handler
Definition mode.cpp:48
CommandMonitor
VOID CommandMonitor(vector< string > SplitCommand, string Command)
!monitor command handler
Definition monitor.cpp:61
CommandMsrread
VOID CommandMsrread(vector< string > SplitCommand, string Command)
!msrread command handler
Definition msrread.cpp:46
CommandMsrwrite
VOID CommandMsrwrite(vector< string > SplitCommand, string Command)
!msrwrite command handler
Definition msrwrite.cpp:46
CommandOutput
VOID CommandOutput(vector< string > SplitCommand, string Command)
output command handler
Definition output.cpp:54
CommandP
VOID CommandP(vector< string > SplitCommand, string Command)
handler of p command
Definition p.cpp:52
CommandPa2va
VOID CommandPa2va(vector< string > SplitCommand, string Command)
!pa2va command handler
Definition pa2va.cpp:48
CommandPagein
VOID CommandPagein(vector< string > SplitCommand, string Command)
.pagein command handler
Definition pagein.cpp:264
CommandPause
VOID CommandPause(vector< string > SplitCommand, string Command)
pause command handler
Definition pause.cpp:71
CommandPe
VOID CommandPe(vector< string > SplitCommand, string Command)
.pe command handler
Definition pe.cpp:43
CommandPmc
VOID CommandPmc(vector< string > SplitCommand, string Command)
!pmc command handler
Definition pmc.cpp:45
CommandPreactivate
VOID CommandPreactivate(vector< string > SplitCommand, string Command)
preactivate command handler
Definition preactivate.cpp:42
CommandPrealloc
VOID CommandPrealloc(vector< string > SplitCommand, string Command)
prealloc command handler
Definition prealloc.cpp:54
CommandPrint
VOID CommandPrint(vector< string > SplitCommand, string Command)
handler of print command
Definition print.cpp:46
CommandProcess
VOID CommandProcess(vector< string > SplitCommand, string Command)
.process command handler
Definition process.cpp:56
CommandPte
VOID CommandPte(vector< string > SplitCommand, string Command)
!pte command handler
Definition pte.cpp:91
CommandRHelp
VOID CommandRHelp()
help of the r command
Definition r.cpp:151
CommandR
VOID CommandR(std::vector< std::string > SplitCommand, std::string Command)
handler of r command
Definition r.cpp:414
CommandRdmsr
VOID CommandRdmsr(vector< string > SplitCommand, string Command)
rdmsr command handler
Definition rdmsr.cpp:114
CommandRestart
VOID CommandRestart(vector< string > SplitCommand, string Command)
.restart command handler
Definition restart.cpp:46
CommandRev
VOID CommandRev(vector< string > SplitCommand, string Command)
!rev command handler
Definition rev.cpp:51
CommandSearchMemory
VOID CommandSearchMemory(vector< string > SplitCommand, string Command)
!s* s* commands handler
Definition s.cpp:138
CommandScript
VOID CommandScript(vector< string > SplitCommand, string Command)
.script command handler
Definition script.cpp:268
CommandSettings
VOID CommandSettings(vector< string > SplitCommand, string Command)
settings command handler
Definition settings.cpp:544
CommandSleep
VOID CommandSleep(vector< string > SplitCommand, string Command)
sleep command help
Definition sleep.cpp:37
CommandStart
VOID CommandStart(vector< string > SplitCommand, string Command)
.start command handler
Definition start.cpp:45
CommandStatus
VOID CommandStatus(vector< string > SplitCommand, string Command)
.status and status command handler
Definition status.cpp:50
CommandSwitch
VOID CommandSwitch(vector< string > SplitCommand, string Command)
.switch command handler
Definition switch.cpp:49
CommandSym
VOID CommandSym(vector< string > SplitCommand, string Command)
.sym command handler
Definition sym.cpp:55
CommandSympath
VOID CommandSympath(vector< string > SplitCommand, string Command)
.sympath command handler
Definition sympath.cpp:44
CommandSyscallAndSysret
VOID CommandSyscallAndSysret(vector< string > SplitCommand, string Command)
!syscall, !syscall2 and !sysret, !sysret2 commands handler
Definition syscall-sysret.cpp:84
CommandT
VOID CommandT(vector< string > SplitCommand, string Command)
handler of t command
Definition t.cpp:52
CommandTest
VOID CommandTest(vector< string > SplitCommand, string Command)
test command handler
Definition test.cpp:364
CommandThread
VOID CommandThread(vector< string > SplitCommand, string Command)
.thread command handler
Definition thread.cpp:119
CommandTrace
VOID CommandTrace(vector< string > SplitCommand, string Command)
!trace command handler
Definition trace.cpp:50
CommandTrack
VOID CommandTrack(vector< string > SplitCommand, string Command)
handler of !track command
Definition track.cpp:59
CommandTrackHelp
VOID CommandTrackHelp()
help of the !track command
Definition track.cpp:36
CommandTsc
VOID CommandTsc(vector< string > SplitCommand, string Command)
handler of !tsc command
Definition tsc.cpp:45
CommandUnhide
VOID CommandUnhide(vector< string > SplitCommand, string Command)
!unhide command handler
Definition unhide.cpp:38
CommandUnload
VOID CommandUnload(vector< string > SplitCommand, string Command)
unload command handler
Definition unload.cpp:48
CommandVa2pa
VOID CommandVa2pa(vector< string > SplitCommand, string Command)
!va2pa command handler
Definition va2pa.cpp:49
CommandVmcall
VOID CommandVmcall(vector< string > SplitCommand, string Command)
!vmcall command handler
Definition vmcall.cpp:45
CommandWrmsr
VOID CommandWrmsr(vector< string > SplitCommand, string Command)
wrmsr command handler
Definition wrmsr.cpp:42
CommandX
VOID CommandX(vector< string > SplitCommand, string Command)
x command handler
Definition x.cpp:40

◆ InitializeDebugger()

VOID InitializeDebugger ( )

Initialize the debugger and adjust commands for the first run.

Returns
VOID
768{
769 //
770 // Initialize the mapping of functions
771 //
772 InitializeCommandsDictionary();
773
774 //
775 // Set the callback for symbol message handler
776 //
777 ScriptEngineSetTextMessageCallbackWrapper(ShowMessages);
778
779 //
780 // Register the CTRL+C and CTRL+BREAK Signals handler
781 //
782 if (!SetConsoleCtrlHandler(BreakController, TRUE))
783 {
784 ShowMessages("err, when registering CTRL+C and CTRL+BREAK Signals "
785 "handler\n");
786 //
787 // prefer to continue
788 //
789 }
790
791 //
792 // *** Check for feature indicators ***
793 //
794
795 //
796 // Get x86 processor width for virtual address
797 //
798 g_VirtualAddressWidth = Getx86VirtualAddressWidth();
799
800 //
801 // Check if processor supports TSX (RTM)
802 //
803 g_RtmSupport = CheckCpuSupportRtm();
804
805 //
806 // Load default settings
807 //
808 CommandSettingsLoadDefaultValuesFromConfigFile();
809}
BreakController
BOOL BreakController(DWORD CtrlType)
handle CTRL+C and CTRL+Break events
Definition break-control.cpp:34
CheckCpuSupportRtm
BOOLEAN CheckCpuSupportRtm()
Check whether the processor supports RTM or not.
Definition common.cpp:903
Getx86VirtualAddressWidth
UINT32 Getx86VirtualAddressWidth()
Get virtual address width for x86 processors.
Definition common.cpp:885
InitializeCommandsDictionary
VOID InitializeCommandsDictionary()
Initialize commands and attributes.
Definition interpreter.cpp:817
g_VirtualAddressWidth
UINT32 g_VirtualAddressWidth
Virtual address width for x86 processors.
Definition globals.h:28
g_RtmSupport
BOOLEAN g_RtmSupport
check for RTM support
Definition globals.h:22
ScriptEngineSetTextMessageCallbackWrapper
VOID ScriptEngineSetTextMessageCallbackWrapper(PVOID Handler)
ScriptEngineSetTextMessageCallback wrapper.
Definition script-engine-wrapper.cpp:80
CommandSettingsLoadDefaultValuesFromConfigFile
VOID CommandSettingsLoadDefaultValuesFromConfigFile()
Loads default settings values from config file.
Definition settings.cpp:161

◆ ReadCpuDetails()

int ReadCpuDetails ( )

Print out supported instruction set extensions.

Returns
int
262{
263 auto & outstream = std::cout;
264
265 auto support_message = [&outstream](std::string isa_feature,
266 bool is_supported) {
267 ShowMessages("%s %s\n", isa_feature.c_str(), (is_supported ? "supported" : "not supported"));
268 };
269
270 ShowMessages("\nvendor : %s\n", InstructionSet::Vendor().c_str());
271 ShowMessages("brand : %s\n\n", InstructionSet::Brand().c_str());
272
273 support_message("3DNOW", InstructionSet::_3DNOW());
274 support_message("3DNOWEXT", InstructionSet::_3DNOWEXT());
275 support_message("ABM", InstructionSet::ABM());
276 support_message("ADX", InstructionSet::ADX());
277 support_message("AES", InstructionSet::AES());
278 support_message("AVX", InstructionSet::AVX());
279 support_message("AVX2", InstructionSet::AVX2());
280 support_message("AVX512CD", InstructionSet::AVX512CD());
281 support_message("AVX512ER", InstructionSet::AVX512ER());
282 support_message("AVX512F", InstructionSet::AVX512F());
283 support_message("AVX512PF", InstructionSet::AVX512PF());
284 support_message("BMI1", InstructionSet::BMI1());
285 support_message("BMI2", InstructionSet::BMI2());
286 support_message("CLFSH", InstructionSet::CLFSH());
287 support_message("CMPXCHG16B", InstructionSet::CMPXCHG16B());
288 support_message("CX8", InstructionSet::CX8());
289 support_message("ERMS", InstructionSet::ERMS());
290 support_message("F16C", InstructionSet::F16C());
291 support_message("FMA", InstructionSet::FMA());
292 support_message("FSGSBASE", InstructionSet::FSGSBASE());
293 support_message("FXSR", InstructionSet::FXSR());
294 support_message("HLE", InstructionSet::HLE());
295 support_message("INVPCID", InstructionSet::INVPCID());
296 support_message("LAHF", InstructionSet::LAHF());
297 support_message("LZCNT", InstructionSet::LZCNT());
298 support_message("MMX", InstructionSet::MMX());
299 support_message("MMXEXT", InstructionSet::MMXEXT());
300 support_message("MONITOR", InstructionSet::MONITOR());
301 support_message("MOVBE", InstructionSet::MOVBE());
302 support_message("MSR", InstructionSet::MSR());
303 support_message("OSXSAVE", InstructionSet::OSXSAVE());
304 support_message("PCLMULQDQ", InstructionSet::PCLMULQDQ());
305 support_message("POPCNT", InstructionSet::POPCNT());
306 support_message("PREFETCHWT1", InstructionSet::PREFETCHWT1());
307 support_message("RDRAND", InstructionSet::RDRAND());
308 support_message("RDSEED", InstructionSet::RDSEED());
309 support_message("RDTSCP", InstructionSet::RDTSCP());
310 support_message("RTM", InstructionSet::RTM());
311 support_message("SEP", InstructionSet::SEP());
312 support_message("SHA", InstructionSet::SHA());
313 support_message("SSE", InstructionSet::SSE());
314 support_message("SSE2", InstructionSet::SSE2());
315 support_message("SSE3", InstructionSet::SSE3());
316 support_message("SSE4.1", InstructionSet::SSE41());
317 support_message("SSE4.2", InstructionSet::SSE42());
318 support_message("SSE4a", InstructionSet::SSE4a());
319 support_message("SSSE3", InstructionSet::SSSE3());
320 support_message("SYSCALL", InstructionSet::SYSCALL());
321 support_message("TBM", InstructionSet::TBM());
322 support_message("XOP", InstructionSet::XOP());
323 support_message("XSAVE", InstructionSet::XSAVE());
324
325 return 0;
326}
InstructionSet::_3DNOWEXT
static bool _3DNOWEXT(void)
Definition cpu.cpp:118
InstructionSet::SSE4a
static bool SSE4a(void)
Definition cpu.cpp:108
InstructionSet::XSAVE
static bool XSAVE(void)
Definition cpu.cpp:71
InstructionSet::MONITOR
static bool MONITOR(void)
Definition cpu.cpp:62
InstructionSet::OSXSAVE
static bool OSXSAVE(void)
Definition cpu.cpp:72
InstructionSet::XOP
static bool XOP(void)
Definition cpu.cpp:109
InstructionSet::SEP
static bool SEP(void)
Definition cpu.cpp:79
InstructionSet::SSE3
static bool SSE3(void)
Definition cpu.cpp:60
InstructionSet::FMA
static bool FMA(void)
Definition cpu.cpp:64
InstructionSet::SSE42
static bool SSE42(void)
Definition cpu.cpp:67
InstructionSet::AVX512ER
static bool AVX512ER(void)
Definition cpu.cpp:99
InstructionSet::MSR
static bool MSR(void)
Definition cpu.cpp:77
InstructionSet::BMI1
static bool BMI1(void)
Definition cpu.cpp:88
InstructionSet::BMI2
static bool BMI2(void)
Definition cpu.cpp:91
InstructionSet::RDRAND
static bool RDRAND(void)
Definition cpu.cpp:75
InstructionSet::_3DNOW
static bool _3DNOW(void)
Definition cpu.cpp:122
InstructionSet::AVX2
static bool AVX2(void)
Definition cpu.cpp:90
InstructionSet::ABM
static bool ABM(void)
Definition cpu.cpp:107
InstructionSet::PREFETCHWT1
static bool PREFETCHWT1(void)
Definition cpu.cpp:103
InstructionSet::MOVBE
static bool MOVBE(void)
Definition cpu.cpp:68
InstructionSet::AVX512F
static bool AVX512F(void)
Definition cpu.cpp:95
InstructionSet::SSE41
static bool SSE41(void)
Definition cpu.cpp:66
InstructionSet::ERMS
static bool ERMS(void)
Definition cpu.cpp:92
InstructionSet::F16C
static bool F16C(void)
Definition cpu.cpp:74
InstructionSet::POPCNT
static bool POPCNT(void)
Definition cpu.cpp:69
InstructionSet::MMX
static bool MMX(void)
Definition cpu.cpp:82
InstructionSet::RTM
static bool RTM(void)
Definition cpu.cpp:94
InstructionSet::ADX
static bool ADX(void)
Definition cpu.cpp:97
InstructionSet::PCLMULQDQ
static bool PCLMULQDQ(void)
Definition cpu.cpp:61
InstructionSet::Brand
static std::string Brand(void)
Definition cpu.cpp:58
InstructionSet::CMPXCHG16B
static bool CMPXCHG16B(void)
Definition cpu.cpp:65
InstructionSet::HLE
static bool HLE(void)
Definition cpu.cpp:89
InstructionSet::SYSCALL
static bool SYSCALL(void)
Definition cpu.cpp:112
InstructionSet::AES
static bool AES(void)
Definition cpu.cpp:70
InstructionSet::INVPCID
static bool INVPCID(void)
Definition cpu.cpp:93
InstructionSet::TBM
static bool TBM(void)
Definition cpu.cpp:110
InstructionSet::AVX512CD
static bool AVX512CD(void)
Definition cpu.cpp:100
InstructionSet::SHA
static bool SHA(void)
Definition cpu.cpp:101
InstructionSet::SSSE3
static bool SSSE3(void)
Definition cpu.cpp:63
InstructionSet::LZCNT
static bool LZCNT(void)
Definition cpu.cpp:106
InstructionSet::RDSEED
static bool RDSEED(void)
Definition cpu.cpp:96
InstructionSet::SSE2
static bool SSE2(void)
Definition cpu.cpp:85
InstructionSet::AVX
static bool AVX(void)
Definition cpu.cpp:73
InstructionSet::CLFSH
static bool CLFSH(void)
Definition cpu.cpp:81
InstructionSet::FXSR
static bool FXSR(void)
Definition cpu.cpp:83
InstructionSet::SSE
static bool SSE(void)
Definition cpu.cpp:84
InstructionSet::AVX512PF
static bool AVX512PF(void)
Definition cpu.cpp:98
InstructionSet::FSGSBASE
static bool FSGSBASE(void)
Definition cpu.cpp:87
InstructionSet::LAHF
static bool LAHF(void)
Definition cpu.cpp:105
InstructionSet::MMXEXT
static bool MMXEXT(void)
Definition cpu.cpp:116
InstructionSet::RDTSCP
static bool RDTSCP(void)
Definition cpu.cpp:117
InstructionSet::CX8
static bool CX8(void)
Definition cpu.cpp:78

◆ SeparateTo64BitValue()

string SeparateTo64BitValue ( UINT64 Value)

add ` between 64 bit values and convert them to string

Parameters
Value
Returns
string
28{
29 ostringstream OstringStream;
30 string Temp;
31
32 OstringStream << setw(16) << setfill('0') << hex << Value;
33 Temp = OstringStream.str();
34
35 Temp.insert(8, 1, '`');
36 return Temp;
37}

◆ ShowMemoryCommandDB()

void ShowMemoryCommandDB ( unsigned char * OutputBuffer,
UINT32 Size,
UINT64 Address,
DEBUGGER_READ_MEMORY_TYPE MemoryType,
UINT64 Length )

Show memory in bytes (DB)

Parameters
OutputBufferthe buffer to show
Sizesize of memory to read
Addresslocation of where to read the memory
MemoryTypetype of memory (phyical or virtual)
LengthLength of memory to show
419{
420 unsigned int Character;
421
422 for (UINT32 i = 0; i < Size; i += 16)
423 {
424 if (MemoryType == DEBUGGER_READ_PHYSICAL_ADDRESS)
425 {
426 ShowMessages("#\t");
427 }
428
429 //
430 // Print address
431 //
432 ShowMessages("%s ", SeparateTo64BitValue((UINT64)(Address + i)).c_str());
433
434 //
435 // Print the hex code
436 //
437 for (size_t j = 0; j < 16; j++)
438 {
439 //
440 // check to see if the address is valid or not
441 //
442 if (i + j >= Length)
443 {
444 ShowMessages("?? ");
445 }
446 else
447 {
448 ShowMessages("%02X ", OutputBuffer[i + j]);
449 }
450 }
451
452 //
453 // Print the character
454 //
455 ShowMessages(" ");
456 for (size_t j = 0; j < 16; j++)
457 {
458 Character = (OutputBuffer[i + j]);
459 if (isprint(Character))
460 {
461 ShowMessages("%c", Character);
462 }
463 else
464 {
465 ShowMessages(".");
466 }
467 }
468
469 //
470 // Go to new line
471 //
472 ShowMessages("\n");
473 }
474}

◆ ShowMemoryCommandDC()

void ShowMemoryCommandDC ( unsigned char * OutputBuffer,
UINT32 Size,
UINT64 Address,
DEBUGGER_READ_MEMORY_TYPE MemoryType,
UINT64 Length )

Show memory in dword format (DC)

Parameters
OutputBufferthe buffer to show
Sizesize of memory to read
Addresslocation of where to read the memory
MemoryTypetype of memory (phyical or virtual)
LengthLength of memory to show
487{
488 unsigned int Character;
489 for (UINT32 i = 0; i < Size; i += 16)
490 {
491 if (MemoryType == DEBUGGER_READ_PHYSICAL_ADDRESS)
492 {
493 ShowMessages("#\t");
494 }
495
496 //
497 // Print address
498 //
499 ShowMessages("%s ", SeparateTo64BitValue((UINT64)(Address + i)).c_str());
500
501 //
502 // Print the hex code
503 //
504 for (size_t j = 0; j < 16; j += 4)
505 {
506 //
507 // check to see if the address is valid or not
508 //
509 if (i + j >= Length)
510 {
511 ShowMessages("???????? ");
512 }
513 else
514 {
515 UINT32 OutputBufferVar = *((UINT32 *)&OutputBuffer[i + j]);
516 ShowMessages("%08X ", OutputBufferVar);
517 }
518 }
519
520 //
521 // Print the character
522 //
523
524 ShowMessages(" ");
525 for (size_t j = 0; j < 16; j++)
526 {
527 Character = (OutputBuffer[i + j]);
528 if (isprint(Character))
529 {
530 ShowMessages("%c", Character);
531 }
532 else
533 {
534 ShowMessages(".");
535 }
536 }
537
538 //
539 // Go to new line
540 //
541 ShowMessages("\n");
542 }
543}

◆ ShowMemoryCommandDD()

void ShowMemoryCommandDD ( unsigned char * OutputBuffer,
UINT32 Size,
UINT64 Address,
DEBUGGER_READ_MEMORY_TYPE MemoryType,
UINT64 Length )

Show memory in dword format (DD)

Parameters
OutputBufferthe buffer to show
Sizesize of memory to read
Addresslocation of where to read the memory
MemoryTypetype of memory (phyical or virtual)
LengthLength of memory to show
556{
557 for (UINT32 i = 0; i < Size; i += 16)
558 {
559 if (MemoryType == DEBUGGER_READ_PHYSICAL_ADDRESS)
560 {
561 ShowMessages("#\t");
562 }
563
564 //
565 // Print address
566 //
567 ShowMessages("%s ", SeparateTo64BitValue((UINT64)(Address + i)).c_str());
568
569 //
570 // Print the hex code
571 //
572 for (size_t j = 0; j < 16; j += 4)
573 {
574 //
575 // check to see if the address is valid or not
576 //
577 if (i + j >= Length)
578 {
579 ShowMessages("???????? ");
580 }
581 else
582 {
583 UINT32 OutputBufferVar = *((UINT32 *)&OutputBuffer[i + j]);
584 ShowMessages("%08X ", OutputBufferVar);
585 }
586 }
587 //
588 // Go to new line
589 //
590 ShowMessages("\n");
591 }
592}

◆ ShowMemoryCommandDQ()

void ShowMemoryCommandDQ ( unsigned char * OutputBuffer,
UINT32 Size,
UINT64 Address,
DEBUGGER_READ_MEMORY_TYPE MemoryType,
UINT64 Length )

Show memory in qword format (DQ)

Parameters
OutputBufferthe buffer to show
Sizesize of memory to read
Addresslocation of where to read the memory
MemoryTypetype of memory (phyical or virtual)
LengthLength of memory to show
605{
606 for (UINT32 i = 0; i < Size; i += 16)
607 {
608 if (MemoryType == DEBUGGER_READ_PHYSICAL_ADDRESS)
609 {
610 ShowMessages("#\t");
611 }
612
613 //
614 // Print address
615 //
616 ShowMessages("%s ", SeparateTo64BitValue((UINT64)(Address + i)).c_str());
617
618 //
619 // Print the hex code
620 //
621 for (size_t j = 0; j < 16; j += 8)
622 {
623 //
624 // check to see if the address is valid or not
625 //
626 if (i + j >= Length)
627 {
628 ShowMessages("???????? ");
629 }
630 else
631 {
632 UINT32 OutputBufferVar = *((UINT32 *)&OutputBuffer[i + j + 4]);
633 ShowMessages("%08X`", OutputBufferVar);
634
635 OutputBufferVar = *((UINT32 *)&OutputBuffer[i + j]);
636 ShowMessages("%08X ", OutputBufferVar);
637 }
638 }
639
640 //
641 // Go to new line
642 //
643 ShowMessages("\n");
644 }
645}

◆ ShowMessages()

VOID ShowMessages ( const char * Fmt,
... )

Show messages.

Parameters
Fmtformat string message
...arguments
Returns
VOID
Parameters
Fmtformat string message
97{
98 va_list ArgList;
99 va_list Args;
100 char TempMessage[COMMUNICATION_BUFFER_SIZE + TCP_END_OF_BUFFER_CHARS_COUNT] = {0};
101
102 if (g_MessageHandler == NULL && !g_IsConnectedToRemoteDebugger && !g_IsSerialConnectedToRemoteDebugger)
103 {
104 va_start(Args, Fmt);
105
106 vprintf(Fmt, Args);
107
108 va_end(Args);
109
110 if (!g_LogOpened)
111 {
112 return;
113 }
114 }
115
116 va_start(ArgList, Fmt);
117
118 int SprintfResult = vsprintf_s(TempMessage, Fmt, ArgList);
119
120 va_end(ArgList);
121
122 if (SprintfResult != -1)
123 {
124 if (g_IsConnectedToRemoteDebugger)
125 {
126 //
127 // vsprintf_s and vswprintf_s return the number of characters written,
128 // not including the terminating null character, or a negative value
129 // if an output error occurs.
130 //
131 RemoteConnectionSendResultsToHost(TempMessage, SprintfResult);
132 }
133 else if (g_IsSerialConnectedToRemoteDebugger)
134 {
135 KdSendUsermodePrints(TempMessage, SprintfResult);
136 }
137
138 if (g_LogOpened)
139 {
140 //
141 // .logopen command executed
142 //
143 LogopenSaveToFile(TempMessage);
144 }
145 if (g_MessageHandler != NULL)
146 {
147 //
148 // There is another handler
149 //
150 if (g_MessageHandlerSharedBuffer == NULL)
151 {
152 ((SendMessageWithParamCallback)g_MessageHandler)(TempMessage);
153 }
154 else
155 {
156 memcpy(g_MessageHandlerSharedBuffer, TempMessage, strlen(TempMessage) + 1);
157 ((SendMessageWWithSharedBufferCallback)g_MessageHandler)();
158 }
159 }
160 }
161}
TCP_END_OF_BUFFER_CHARS_COUNT
#define TCP_END_OF_BUFFER_CHARS_COUNT
count of characters for tcp end of buffer
Definition Constants.h:440
COMMUNICATION_BUFFER_SIZE
#define COMMUNICATION_BUFFER_SIZE
Packet size for TCP connections.
Definition Constants.h:330
SendMessageWWithSharedBufferCallback
int(* SendMessageWWithSharedBufferCallback)()
Callback type that can be used to be used as a custom ShowMessages function (using shared buffer)
Definition DataTypes.h:129
SendMessageWithParamCallback
int(* SendMessageWithParamCallback)(const char *Text)
Callback type that can be used to be used as a custom ShowMessages function (by passing message as a ...
Definition DataTypes.h:122
KdSendUsermodePrints
VOID KdSendUsermodePrints(CHAR *Input, UINT32 Length)
g_IsSerialConnectedToRemoteDebugger
BOOLEAN g_IsSerialConnectedToRemoteDebugger
Shows if the debugger was connected to remote debugger (A remote host)
Definition rev.cpp:20
g_LogOpened
BOOLEAN g_LogOpened
Shows whether the '.logopen' command is executed and the log file is open or not.
Definition globals.h:478
g_MessageHandlerSharedBuffer
PVOID g_MessageHandlerSharedBuffer
The shared buffer for the handler of ShowMessages function.
Definition globals.h:456
g_IsConnectedToRemoteDebugger
BOOLEAN g_IsConnectedToRemoteDebugger
Shows whether the current system is a guest (debuggee) and a remote debugger is connected to this sys...
Definition globals.h:81
g_MessageHandler
PVOID g_MessageHandler
The handler for ShowMessages function this is because the user might choose not to use printf and ins...
Definition globals.h:450
LogopenSaveToFile
VOID LogopenSaveToFile(const char *Text)
Append text to the file object.
Definition logopen.cpp:119
RemoteConnectionSendResultsToHost
int RemoteConnectionSendResultsToHost(const char *sendbuf, int len)
Send the results of executing a command from deubggee (server, guest) to the debugger (client,...
Definition remote-connection.cpp:481

Variable Documentation

◆ g_DeviceHandle

HANDLE g_DeviceHandle
extern

Holds the global handle of device which is used to send the request to the kernel by IOCTL, this handle is not used for IRP Pending of message tracing this handle is used in KD VMM.