HyperDbg Debugger
Loading...
Searching...
No Matches
Functions | Variables
d-u.cpp File Reference

!u* u* , !d* d* commands More...

#include "pch.h"

Functions

VOID CommandReadMemoryAndDisassemblerHelp ()
 help of u* d* !u* !d* commands
 
VOID CommandReadMemoryAndDisassembler (vector< string > SplitCommand, string Command)
 u* d* !u* !d* commands handler
 

Variables

BOOLEAN g_IsSerialConnectedToRemoteDebuggee
 Shows if the debugger was connected to remote debuggee over (A remote guest)
 
ACTIVE_DEBUGGING_PROCESS g_ActiveProcessDebuggingState
 State of active debugging thread.
 

Detailed Description

!u* u* , !d* d* commands

Author
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
Version
0.1
Date
2020-05-27
Copyright
This project is released under the GNU Public License v3.

Function Documentation

◆ CommandReadMemoryAndDisassembler()

VOID CommandReadMemoryAndDisassembler ( vector< string > SplitCommand,
string Command )

u* d* !u* !d* commands handler

Parameters
SplitCommand
Command
Returns
VOID
73{
74 UINT32 Pid = 0;
75 UINT32 Length = 0;
76 UINT64 TargetAddress = 0;
77 BOOLEAN IsNextProcessId = FALSE;
78 BOOLEAN IsFirstCommand = TRUE;
79 BOOLEAN IsNextLength = FALSE;
80 vector<string> SplitCommandCaseSensitive {Split(Command, ' ')};
81 UINT32 IndexInCommandCaseSensitive = 0;
82
83 string FirstCommand = SplitCommand.front();
84
85 //
86 // By default if the user-debugger is active, we use these commands
87 // on the memory layout of the debuggee process
88 //
89 if (g_ActiveProcessDebuggingState.IsActive)
90 {
91 Pid = g_ActiveProcessDebuggingState.ProcessId;
92 }
93
94 if (SplitCommand.size() == 1)
95 {
96 //
97 // Means that user entered one command without any parameter
98 //
99 ShowMessages("incorrect use of the '%s' command\n\n", FirstCommand.c_str());
100 CommandReadMemoryAndDisassemblerHelp();
101 return;
102 }
103
104 for (auto Section : SplitCommand)
105 {
106 IndexInCommandCaseSensitive++;
107
108 if (IsFirstCommand)
109 {
110 IsFirstCommand = FALSE;
111 continue;
112 }
113
114 if (IsNextProcessId == TRUE)
115 {
116 if (!ConvertStringToUInt32(Section, &Pid))
117 {
118 ShowMessages("err, you should enter a valid process id\n\n");
119 return;
120 }
121 IsNextProcessId = FALSE;
122 continue;
123 }
124
125 if (IsNextLength == TRUE)
126 {
127 if (!ConvertStringToUInt32(Section, &Length))
128 {
129 ShowMessages("err, you should enter a valid length\n\n");
130 return;
131 }
132 IsNextLength = FALSE;
133 continue;
134 }
135
136 if (!Section.compare("l"))
137 {
138 IsNextLength = TRUE;
139 continue;
140 }
141
142 if (!Section.compare("pid"))
143 {
144 IsNextProcessId = TRUE;
145 continue;
146 }
147
148 //
149 // Probably it's address
150 //
151 if (TargetAddress == 0)
152 {
153 if (!SymbolConvertNameOrExprToAddress(SplitCommandCaseSensitive.at(IndexInCommandCaseSensitive - 1),
154 &TargetAddress))
155 {
156 //
157 // Couldn't resolve or unknown parameter
158 //
159 ShowMessages("err, couldn't resolve error at '%s'\n",
160 SplitCommandCaseSensitive.at(IndexInCommandCaseSensitive - 1).c_str());
161 return;
162 }
163 }
164 else
165 {
166 //
167 // User inserts two address
168 //
169 ShowMessages("err, incorrect use of the '%s' command\n\n",
170 FirstCommand.c_str());
171 CommandReadMemoryAndDisassemblerHelp();
172
173 return;
174 }
175 }
176
177 if (!TargetAddress)
178 {
179 //
180 // User inserts two address
181 //
182 ShowMessages("err, please enter a valid address\n\n");
183
184 return;
185 }
186
187 if (Length == 0)
188 {
189 //
190 // Default length (user doesn't specified)
191 //
192 if (!FirstCommand.compare("u") ||
193 !FirstCommand.compare("!u") ||
194 !FirstCommand.compare("u64") ||
195 !FirstCommand.compare("!u64"))
196 {
197 Length = 0x40;
198 }
199 else
200 {
201 Length = 0x80;
202 }
203 }
204
205 if (IsNextLength || IsNextProcessId)
206 {
207 ShowMessages("incorrect use of the '%s' command\n\n", FirstCommand.c_str());
208 CommandReadMemoryAndDisassemblerHelp();
209 return;
210 }
211
212 //
213 // Check to prevent using process id in d* and u* commands
214 //
215 if (g_IsSerialConnectedToRemoteDebuggee && Pid != 0)
216 {
217 ShowMessages(ASSERT_MESSAGE_CANNOT_SPECIFY_PID);
218 return;
219 }
220
221 if (Pid == 0)
222 {
223 //
224 // Default process we read from current process
225 //
226 Pid = GetCurrentProcessId();
227 }
228
229 if (!FirstCommand.compare("db"))
230 {
231 HyperDbgShowMemoryOrDisassemble(DEBUGGER_SHOW_COMMAND_DB,
232 TargetAddress,
233 DEBUGGER_READ_VIRTUAL_ADDRESS,
234 READ_FROM_KERNEL,
235 Pid,
236 Length,
237 NULL);
238 }
239 else if (!FirstCommand.compare("dc"))
240 {
241 HyperDbgShowMemoryOrDisassemble(DEBUGGER_SHOW_COMMAND_DC,
242 TargetAddress,
243 DEBUGGER_READ_VIRTUAL_ADDRESS,
244 READ_FROM_KERNEL,
245 Pid,
246 Length,
247 NULL);
248 }
249 else if (!FirstCommand.compare("dd"))
250 {
251 HyperDbgShowMemoryOrDisassemble(DEBUGGER_SHOW_COMMAND_DD,
252 TargetAddress,
253 DEBUGGER_READ_VIRTUAL_ADDRESS,
254 READ_FROM_KERNEL,
255 Pid,
256 Length,
257 NULL);
258 }
259 else if (!FirstCommand.compare("dq"))
260 {
261 HyperDbgShowMemoryOrDisassemble(DEBUGGER_SHOW_COMMAND_DQ,
262 TargetAddress,
263 DEBUGGER_READ_VIRTUAL_ADDRESS,
264 READ_FROM_KERNEL,
265 Pid,
266 Length,
267 NULL);
268 }
269 else if (!FirstCommand.compare("!db"))
270 {
271 HyperDbgShowMemoryOrDisassemble(DEBUGGER_SHOW_COMMAND_DB,
272 TargetAddress,
273 DEBUGGER_READ_PHYSICAL_ADDRESS,
274 READ_FROM_KERNEL,
275 Pid,
276 Length,
277 NULL);
278 }
279 else if (!FirstCommand.compare("!dc"))
280 {
281 HyperDbgShowMemoryOrDisassemble(DEBUGGER_SHOW_COMMAND_DC,
282 TargetAddress,
283 DEBUGGER_READ_PHYSICAL_ADDRESS,
284 READ_FROM_KERNEL,
285 Pid,
286 Length,
287 NULL);
288 }
289 else if (!FirstCommand.compare("!dd"))
290 {
291 HyperDbgShowMemoryOrDisassemble(DEBUGGER_SHOW_COMMAND_DD,
292 TargetAddress,
293 DEBUGGER_READ_PHYSICAL_ADDRESS,
294 READ_FROM_KERNEL,
295 Pid,
296 Length,
297 NULL);
298 }
299 else if (!FirstCommand.compare("!dq"))
300 {
301 HyperDbgShowMemoryOrDisassemble(DEBUGGER_SHOW_COMMAND_DQ,
302 TargetAddress,
303 DEBUGGER_READ_PHYSICAL_ADDRESS,
304 READ_FROM_KERNEL,
305 Pid,
306 Length,
307 NULL);
308 }
309
310 //
311 // Disassembler (!u or u or u2 !u2)
312 //
313 else if (!FirstCommand.compare("u") || !FirstCommand.compare("u64"))
314 {
315 HyperDbgShowMemoryOrDisassemble(
316 DEBUGGER_SHOW_COMMAND_DISASSEMBLE64,
317 TargetAddress,
318 DEBUGGER_READ_VIRTUAL_ADDRESS,
319 READ_FROM_KERNEL,
320 Pid,
321 Length,
322 NULL);
323 }
324 else if (!FirstCommand.compare("!u") || !FirstCommand.compare("!u64"))
325 {
326 HyperDbgShowMemoryOrDisassemble(
327 DEBUGGER_SHOW_COMMAND_DISASSEMBLE64,
328 TargetAddress,
329 DEBUGGER_READ_PHYSICAL_ADDRESS,
330 READ_FROM_KERNEL,
331 Pid,
332 Length,
333 NULL);
334 }
335 else if (!FirstCommand.compare("u2") || !FirstCommand.compare("u32"))
336 {
337 HyperDbgShowMemoryOrDisassemble(
338 DEBUGGER_SHOW_COMMAND_DISASSEMBLE32,
339 TargetAddress,
340 DEBUGGER_READ_VIRTUAL_ADDRESS,
341 READ_FROM_KERNEL,
342 Pid,
343 Length,
344 NULL);
345 }
346 else if (!FirstCommand.compare("!u2") || !FirstCommand.compare("!u32"))
347 {
348 HyperDbgShowMemoryOrDisassemble(
349 DEBUGGER_SHOW_COMMAND_DISASSEMBLE32,
350 TargetAddress,
351 DEBUGGER_READ_PHYSICAL_ADDRESS,
352 READ_FROM_KERNEL,
353 Pid,
354 Length,
355 NULL);
356 }
357}
BOOLEAN
UCHAR BOOLEAN
Definition BasicTypes.h:39
TRUE
#define TRUE
Definition BasicTypes.h:55
FALSE
#define FALSE
Definition BasicTypes.h:54
UINT64
unsigned __int64 UINT64
Definition BasicTypes.h:21
UINT32
unsigned int UINT32
Definition BasicTypes.h:48
READ_FROM_KERNEL
@ READ_FROM_KERNEL
Definition RequestStructures.h:219
DEBUGGER_SHOW_COMMAND_DC
@ DEBUGGER_SHOW_COMMAND_DC
Definition RequestStructures.h:255
DEBUGGER_SHOW_COMMAND_DISASSEMBLE32
@ DEBUGGER_SHOW_COMMAND_DISASSEMBLE32
Definition RequestStructures.h:253
DEBUGGER_SHOW_COMMAND_DD
@ DEBUGGER_SHOW_COMMAND_DD
Definition RequestStructures.h:257
DEBUGGER_SHOW_COMMAND_DQ
@ DEBUGGER_SHOW_COMMAND_DQ
Definition RequestStructures.h:256
DEBUGGER_SHOW_COMMAND_DB
@ DEBUGGER_SHOW_COMMAND_DB
Definition RequestStructures.h:254
DEBUGGER_SHOW_COMMAND_DISASSEMBLE64
@ DEBUGGER_SHOW_COMMAND_DISASSEMBLE64
Definition RequestStructures.h:252
DEBUGGER_READ_PHYSICAL_ADDRESS
@ DEBUGGER_READ_PHYSICAL_ADDRESS
Definition RequestStructures.h:229
DEBUGGER_READ_VIRTUAL_ADDRESS
@ DEBUGGER_READ_VIRTUAL_ADDRESS
Definition RequestStructures.h:230
Split
const vector< string > Split(const string &s, const char &c)
general split command
Definition common.cpp:117
ConvertStringToUInt32
BOOLEAN ConvertStringToUInt32(string TextToConvert, PUINT32 Result)
check and convert string to a 32 bit unsigned it and also check for special notations like 0x etc.
Definition common.cpp:347
CommandReadMemoryAndDisassemblerHelp
VOID CommandReadMemoryAndDisassemblerHelp()
help of u* d* !u* !d* commands
Definition d-u.cpp:26
g_IsSerialConnectedToRemoteDebuggee
BOOLEAN g_IsSerialConnectedToRemoteDebuggee
Shows if the debugger was connected to remote debuggee over (A remote guest)
Definition globals.h:231
g_ActiveProcessDebuggingState
ACTIVE_DEBUGGING_PROCESS g_ActiveProcessDebuggingState
State of active debugging thread.
Definition globals.h:362
ASSERT_MESSAGE_CANNOT_SPECIFY_PID
#define ASSERT_MESSAGE_CANNOT_SPECIFY_PID
Definition common.h:31
ShowMessages
VOID ShowMessages(const char *Fmt,...)
Show messages.
Definition libhyperdbg.cpp:96
HyperDbgShowMemoryOrDisassemble
VOID HyperDbgShowMemoryOrDisassemble(DEBUGGER_SHOW_MEMORY_STYLE Style, UINT64 Address, DEBUGGER_READ_MEMORY_TYPE MemoryType, DEBUGGER_READ_READING_TYPE ReadingType, UINT32 Pid, UINT32 Size, PDEBUGGER_DT_COMMAND_OPTIONS DtDetails)
Show memory or disassembler.
Definition readmem.cpp:193
_ACTIVE_DEBUGGING_PROCESS::ProcessId
UINT32 ProcessId
Definition ud.h:51
_ACTIVE_DEBUGGING_PROCESS::IsActive
BOOLEAN IsActive
Definition ud.h:49
SymbolConvertNameOrExprToAddress
BOOLEAN SymbolConvertNameOrExprToAddress(const string &TextToConvert, PUINT64 Result)
check and convert string to a 64 bit unsigned integer and also check for symbol object names and eval...
Definition symbol.cpp:360

◆ CommandReadMemoryAndDisassemblerHelp()

VOID CommandReadMemoryAndDisassemblerHelp ( )

help of u* d* !u* !d* commands

Returns
VOID
27{
28 ShowMessages("db dc dd dq !db !dc !dd !dq & u u64 !u !u64 u2 u32 !u2 !u32 : reads the "
29 "memory different shapes (hex) and disassembler\n");
30 ShowMessages("db Byte and ASCII characters\n");
31 ShowMessages("dc Double-word values (4 bytes) and ASCII characters\n");
32 ShowMessages("dd Double-word values (4 bytes)\n");
33 ShowMessages("dq Quad-word values (8 bytes). \n");
34 ShowMessages("u u64 Disassembler at the target address (x64) \n");
35 ShowMessages("u2 u32 Disassembler at the target address (x86) \n");
36 ShowMessages("\nIf you want to read physical memory then add '!' at the "
37 "start of the command\n");
38 ShowMessages("you can also disassemble physical memory using '!u'\n\n");
39
40 ShowMessages("syntax : \tdb [Address (hex)] [l Length (hex)] [pid ProcessId (hex)]\n");
41 ShowMessages("syntax : \tdc [Address (hex)] [l Length (hex)] [pid ProcessId (hex)]\n");
42 ShowMessages("syntax : \tdd [Address (hex)] [l Length (hex)] [pid ProcessId (hex)]\n");
43 ShowMessages("syntax : \tdq [Address (hex)] [l Length (hex)] [pid ProcessId (hex)]\n");
44 ShowMessages("syntax : \tu [Address (hex)] [l Length (hex)] [pid ProcessId (hex)]\n");
45 ShowMessages("syntax : \tu64 [Address (hex)] [l Length (hex)] [pid ProcessId (hex)]\n");
46 ShowMessages("syntax : \tu2 [Address (hex)] [l Length (hex)] [pid ProcessId (hex)]\n");
47 ShowMessages("syntax : \tu32 [Address (hex)] [l Length (hex)] [pid ProcessId (hex)]\n");
48
49 ShowMessages("\n");
50 ShowMessages("\t\te.g : db nt!Kd_DEFAULT_Mask\n");
51 ShowMessages("\t\te.g : db nt!Kd_DEFAULT_Mask+10\n");
52 ShowMessages("\t\te.g : db @rax\n");
53 ShowMessages("\t\te.g : db @rax+50\n");
54 ShowMessages("\t\te.g : db fffff8077356f010\n");
55 ShowMessages("\t\te.g : !dq 100000\n");
56 ShowMessages("\t\te.g : !dq @rax+77\n");
57 ShowMessages("\t\te.g : u32 @eip\n");
58 ShowMessages("\t\te.g : u nt!ExAllocatePoolWithTag\n");
59 ShowMessages("\t\te.g : u nt!ExAllocatePoolWithTag+30\n");
60 ShowMessages("\t\te.g : u fffff8077356f010\n");
61 ShowMessages("\t\te.g : u fffff8077356f010+@rcx\n");
62}

Variable Documentation

◆ g_ActiveProcessDebuggingState

ACTIVE_DEBUGGING_PROCESS g_ActiveProcessDebuggingState
extern

State of active debugging thread.

362{0};

◆ g_IsSerialConnectedToRemoteDebuggee

BOOLEAN g_IsSerialConnectedToRemoteDebuggee
extern

Shows if the debugger was connected to remote debuggee over (A remote guest)