HyperDbg Debugger
Loading...
Searching...
No Matches
Functions
crwrite.cpp File Reference

!crwrite command More...

#include "pch.h"

Functions

VOID CommandCrwriteHelp ()
 help of the !crwrite command
 
VOID CommandCrwrite (vector< string > SplitCommand, string Command)
 !crwrite command handler
 

Detailed Description

!crwrite command

Author
angel_killah
Version
0.1
Date
2022-07-05
Copyright
This project is released under the GNU Public License v3.

Function Documentation

◆ CommandCrwrite()

VOID CommandCrwrite ( vector< string > SplitCommand,
string Command )

!crwrite command handler

Parameters
SplitCommand
Command
Returns
VOID
47{
48 PDEBUGGER_GENERAL_EVENT_DETAIL Event = NULL;
49 PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger = NULL;
50 PDEBUGGER_GENERAL_ACTION ActionCustomCode = NULL;
51 PDEBUGGER_GENERAL_ACTION ActionScript = NULL;
52 UINT32 EventLength;
53 UINT32 ActionBreakToDebuggerLength = 0;
54 UINT32 ActionCustomCodeLength = 0;
55 UINT32 ActionScriptLength = 0;
56 UINT64 TargetRegister = 1;
57 UINT64 MaskRegister = 0xFFFFFFFFFFFFFFFF;
58 BOOLEAN GetRegister = FALSE;
59 BOOLEAN GetMask = FALSE;
60 vector<string> SplitCommandCaseSensitive {Split(Command, ' ')};
61 DEBUGGER_EVENT_PARSING_ERROR_CAUSE EventParsingErrorCause;
62
63 if (SplitCommand.size() < 2)
64 {
65 ShowMessages("incorrect use of the '!crwrite'\n");
66 CommandCrwriteHelp();
67 return;
68 }
69
70 //
71 // Interpret and fill the general event and action fields
72 //
73 //
74 if (!InterpretGeneralEventAndActionsFields(
75 &SplitCommand,
76 &SplitCommandCaseSensitive,
77 CONTROL_REGISTER_MODIFIED,
78 &Event,
79 &EventLength,
80 &ActionBreakToDebugger,
81 &ActionBreakToDebuggerLength,
82 &ActionCustomCode,
83 &ActionCustomCodeLength,
84 &ActionScript,
85 &ActionScriptLength,
86 &EventParsingErrorCause))
87 {
88 return;
89 }
90
91 //
92 // Interpret command specific details (if any)
93 //
94 for (auto Section : SplitCommand)
95 {
96 if (!Section.compare("!crwrite"))
97 {
98 continue;
99 }
100 else if (!GetRegister)
101 {
102 //
103 // It's probably a CR
104 //
105 if (!ConvertStringToUInt64(Section, &TargetRegister))
106 {
107 //
108 // Unknown parameter
109 //
110 ShowMessages("unknown parameter '%s'\n\n", Section.c_str());
111 CommandCrwriteHelp();
112
113 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
114 return;
115 }
116 else
117 {
118 GetRegister = TRUE;
119 }
120 }
121 else if (!GetMask)
122 {
123 if (!ConvertStringToUInt64(Section, &MaskRegister))
124 {
125 //
126 // Unknown parameter
127 //
128 ShowMessages("unknown parameter '%s'\n\n", Section.c_str());
129 CommandCrwriteHelp();
130
131 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
132 return;
133 }
134 else
135 {
136 GetMask = TRUE;
137 }
138 }
139 else
140 {
141 //
142 // Unknown parameter
143 //
144 ShowMessages("unknown parameter '%s'\n\n", Section.c_str());
145 CommandCrwriteHelp();
146
147 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
148 return;
149 }
150 }
151
152 if (TargetRegister != VMX_EXIT_QUALIFICATION_REGISTER_CR0 && TargetRegister != VMX_EXIT_QUALIFICATION_REGISTER_CR4)
153 {
154 ShowMessages("please choose either 0 for cr0 or 4 for cr4\n");
155 CommandCrwriteHelp();
156
157 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
158 return;
159 }
160
161 //
162 // Set the target control register
163 //
164 Event->Options.OptionalParam1 = TargetRegister;
165
166 //
167 // Set the mask to filter control register bits
168 //
169 Event->Options.OptionalParam2 = MaskRegister;
170
171 //
172 // Send the ioctl to the kernel for event registration
173 //
174 if (!SendEventToKernel(Event, EventLength))
175 {
176 //
177 // There was an error, probably the handle was not initialized
178 // we have to free the Action before exit, it is because, we
179 // already freed the Event and string buffers
180 //
181 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
182 return;
183 }
184
185 //
186 // Add the event to the kernel
187 //
188 if (!RegisterActionToEvent(Event,
189 ActionBreakToDebugger,
190 ActionBreakToDebuggerLength,
191 ActionCustomCode,
192 ActionCustomCodeLength,
193 ActionScript,
194 ActionScriptLength))
195 {
196 //
197 // There was an error
198 //
199 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
200 return;
201 }
202}
BOOLEAN
UCHAR BOOLEAN
Definition BasicTypes.h:39
TRUE
#define TRUE
Definition BasicTypes.h:55
FALSE
#define FALSE
Definition BasicTypes.h:54
UINT64
unsigned __int64 UINT64
Definition BasicTypes.h:21
UINT32
unsigned int UINT32
Definition BasicTypes.h:48
Split
const vector< string > Split(const string &s, const char &c)
general split command
Definition common.cpp:117
ConvertStringToUInt64
BOOLEAN ConvertStringToUInt64(string TextToConvert, PUINT64 Result)
check and convert string to a 64 bit unsigned integer and also check for special notations like 0x,...
Definition common.cpp:240
CommandCrwriteHelp
VOID CommandCrwriteHelp()
help of the !crwrite command
Definition crwrite.cpp:20
FreeEventsAndActionsMemory
VOID FreeEventsAndActionsMemory(PDEBUGGER_GENERAL_EVENT_DETAIL Event, PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger, PDEBUGGER_GENERAL_ACTION ActionCustomCode, PDEBUGGER_GENERAL_ACTION ActionScript)
Deallocate buffers relating to events and actions.
Definition debugger.cpp:2292
InterpretGeneralEventAndActionsFields
BOOLEAN InterpretGeneralEventAndActionsFields(vector< string > *SplitCommand, vector< string > *SplitCommandCaseSensitive, VMM_EVENT_TYPE_ENUM EventType, PDEBUGGER_GENERAL_EVENT_DETAIL *EventDetailsToFill, PUINT32 EventBufferLength, PDEBUGGER_GENERAL_ACTION *ActionDetailsToFillBreakToDebugger, PUINT32 ActionBufferLengthBreakToDebugger, PDEBUGGER_GENERAL_ACTION *ActionDetailsToFillCustomCode, PUINT32 ActionBufferLengthCustomCode, PDEBUGGER_GENERAL_ACTION *ActionDetailsToFillScript, PUINT32 ActionBufferLengthScript, PDEBUGGER_EVENT_PARSING_ERROR_CAUSE ReasonForErrorInParsing)
Interpret general event fields.
Definition debugger.cpp:2342
SendEventToKernel
BOOLEAN SendEventToKernel(PDEBUGGER_GENERAL_EVENT_DETAIL Event, UINT32 EventBufferLength)
Register the event to the kernel.
Definition debugger.cpp:1969
RegisterActionToEvent
BOOLEAN RegisterActionToEvent(PDEBUGGER_GENERAL_EVENT_DETAIL Event, PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger, UINT32 ActionBreakToDebuggerLength, PDEBUGGER_GENERAL_ACTION ActionCustomCode, UINT32 ActionCustomCodeLength, PDEBUGGER_GENERAL_ACTION ActionScript, UINT32 ActionScriptLength)
Register the action to the event.
Definition debugger.cpp:2086
CONTROL_REGISTER_MODIFIED
@ CONTROL_REGISTER_MODIFIED
Definition Events.h:162
DEBUGGER_EVENT_PARSING_ERROR_CAUSE
enum _DEBUGGER_EVENT_PARSING_ERROR_CAUSE DEBUGGER_EVENT_PARSING_ERROR_CAUSE
Reason for error in parsing commands.
ShowMessages
VOID ShowMessages(const char *Fmt,...)
Show messages.
Definition libhyperdbg.cpp:96
test-case-generator.NULL
NULL()
Definition test-case-generator.py:530
_DEBUGGER_EVENT_OPTIONS::OptionalParam2
UINT64 OptionalParam2
Definition Events.h:273
_DEBUGGER_EVENT_OPTIONS::OptionalParam1
UINT64 OptionalParam1
Definition Events.h:272
_DEBUGGER_GENERAL_ACTION
Each event can have multiple actions.
Definition Events.h:406
_DEBUGGER_GENERAL_EVENT_DETAIL
Each command is like the following struct, it also used for tracing works in user mode and sending it...
Definition Events.h:350
_DEBUGGER_GENERAL_EVENT_DETAIL::Options
DEBUGGER_EVENT_OPTIONS Options
Definition Events.h:391

◆ CommandCrwriteHelp()

VOID CommandCrwriteHelp ( )

help of the !crwrite command

Returns
VOID
21{
22 ShowMessages("!crwrite : monitors modification of control registers (CR0 / CR4).\n\n");
23
24 ShowMessages("syntax : \t!crwrite [Cr (hex)] [mask Mask (hex)] [pid ProcessId (hex)] "
25 "[core CoreId (hex)] [imm IsImmediate (yesno)] [sc EnableShortCircuiting (onoff)] "
26 "[stage CallingStage (prepostall)] [buffer PreAllocatedBuffer (hex)] [script { Script (string) }] "
27 "[asm condition { Condition (assembly/hex) }] [asm code { Code (assembly/hex) }] [output {OutputName (string)}]\n");
28
29 ShowMessages("\n");
30 ShowMessages("\t\te.g : !crwrite 0\n");
31 ShowMessages("\t\te.g : !crwrite 0 0x10000\n");
32 ShowMessages("\t\te.g : !crwrite 4 pid 400\n");
33 ShowMessages("\t\te.g : !crwrite 4 core 2 pid 400\n");
34 ShowMessages("\t\te.g : !crwrite 4 script { printf(\"4th control register is modified at: %%llx\\n\", @rip); }\n");
35 ShowMessages("\t\te.g : !crwrite 4 asm code { nop; nop; nop }\n");
36}