HyperDbg Debugger
Loading...
Searching...
No Matches
d-u.cpp File Reference

!u* u* , !d* d* commands More...

#include "pch.h"

Functions

VOID CommandReadMemoryAndDisassemblerHelp ()
 help of u* d* !u* !d* commands
VOID CommandReadMemoryAndDisassembler (vector< CommandToken > CommandTokens, string Command)
 u* d* !u* !d* commands handler

Variables

BOOLEAN g_IsSerialConnectedToRemoteDebuggee
 Shows if the debugger was connected to remote debuggee over (A remote guest).
ACTIVE_DEBUGGING_PROCESS g_ActiveProcessDebuggingState
 State of active debugging thread.

Detailed Description

!u* u* , !d* d* commands

Author
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
Version
0.1
Date
2020-05-27

Function Documentation

◆ CommandReadMemoryAndDisassembler()

VOID CommandReadMemoryAndDisassembler ( vector< CommandToken > CommandTokens,
string Command )

u* d* !u* !d* commands handler

Parameters
CommandTokens
Command
Returns
VOID
74{
75 UINT32 Pid = 0;
76 UINT32 Length = 0;
77 UINT64 TargetAddress = 0;
78 BOOLEAN IsNextProcessId = FALSE;
79 BOOLEAN IsFirstCommand = TRUE;
80 BOOLEAN IsNextLength = FALSE;
81
82 string FirstCommand = GetCaseSensitiveStringFromCommandToken(CommandTokens.front());
83
84 //
85 // By default if the user-debugger is active, we use these commands
86 // on the memory layout of the debuggee process
87 //
89 {
90 Pid = g_ActiveProcessDebuggingState.ProcessId;
91 }
92
93 if (CommandTokens.size() == 1)
94 {
95 //
96 // Means that user entered one command without any parameter
97 //
98 ShowMessages("incorrect use of the '%s'\n\n",
99 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
101 return;
102 }
103
104 for (auto Section : CommandTokens)
105 {
106 if (IsFirstCommand)
107 {
108 IsFirstCommand = FALSE;
109 continue;
110 }
111
112 if (IsNextProcessId == TRUE)
113 {
114 if (!ConvertTokenToUInt32(Section, &Pid))
115 {
116 ShowMessages("err, you should enter a valid process id\n\n");
117 return;
118 }
119 IsNextProcessId = FALSE;
120 continue;
121 }
122
123 if (IsNextLength == TRUE)
124 {
125 if (!ConvertTokenToUInt32(Section, &Length))
126 {
127 ShowMessages("err, you should enter a valid length\n\n");
128 return;
129 }
130 IsNextLength = FALSE;
131 continue;
132 }
133
134 if (CompareLowerCaseStrings(Section, "l"))
135 {
136 IsNextLength = TRUE;
137 continue;
138 }
139
140 if (CompareLowerCaseStrings(Section, "pid"))
141 {
142 IsNextProcessId = TRUE;
143 continue;
144 }
145
146 //
147 // Probably it's address
148 //
149 if (TargetAddress == 0)
150 {
152 {
153 //
154 // Couldn't resolve or unknown parameter
155 //
156 ShowMessages("err, couldn't resolve error at '%s'\n",
158 return;
159 }
160 }
161 else
162 {
163 //
164 // User inserts two address
165 //
166 ShowMessages("err, incorrect use of the '%s' command\n\n",
167 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
169
170 return;
171 }
172 }
173
174 if (!TargetAddress)
175 {
176 //
177 // User inserts two address
178 //
179 ShowMessages("err, please enter a valid address\n\n");
180
181 return;
182 }
183
184 if (Length == 0)
185 {
186 //
187 // Default length (user doesn't specified)
188 //
189 if (CompareLowerCaseStrings(CommandTokens.at(0), "u") ||
190 CompareLowerCaseStrings(CommandTokens.at(0), "!u") ||
191 CompareLowerCaseStrings(CommandTokens.at(0), "u64") ||
192 CompareLowerCaseStrings(CommandTokens.at(0), "!u64"))
193 {
194 Length = 0x40;
195 }
196 else
197 {
198 Length = 0x80;
199 }
200 }
201
202 if (IsNextLength || IsNextProcessId)
203 {
204 ShowMessages("incorrect use of the '%s' command\n\n",
205 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
207 return;
208 }
209
210 //
211 // Check to prevent using process id in d* and u* commands
212 //
214 {
216 return;
217 }
218
219 if (Pid == 0)
220 {
221 //
222 // Default process we read from current process
223 //
224 Pid = GetCurrentProcessId();
225 }
226
227 if (CompareLowerCaseStrings(CommandTokens.at(0), "db"))
228 {
230 TargetAddress,
233 Pid,
234 Length,
235 NULL);
236 }
237 else if (CompareLowerCaseStrings(CommandTokens.at(0), "dc"))
238 {
240 TargetAddress,
243 Pid,
244 Length,
245 NULL);
246 }
247 else if (CompareLowerCaseStrings(CommandTokens.at(0), "dd"))
248 {
250 TargetAddress,
253 Pid,
254 Length,
255 NULL);
256 }
257 else if (CompareLowerCaseStrings(CommandTokens.at(0), "dq"))
258 {
260 TargetAddress,
263 Pid,
264 Length,
265 NULL);
266 }
267 else if (CompareLowerCaseStrings(CommandTokens.at(0), "!db"))
268 {
270 TargetAddress,
273 Pid,
274 Length,
275 NULL);
276 }
277 else if (CompareLowerCaseStrings(CommandTokens.at(0), "!dc"))
278 {
280 TargetAddress,
283 Pid,
284 Length,
285 NULL);
286 }
287 else if (CompareLowerCaseStrings(CommandTokens.at(0), "!dd"))
288 {
290 TargetAddress,
293 Pid,
294 Length,
295 NULL);
296 }
297 else if (CompareLowerCaseStrings(CommandTokens.at(0), "!dq"))
298 {
300 TargetAddress,
303 Pid,
304 Length,
305 NULL);
306 }
307
308 //
309 // Disassembler (!u or u or u2 !u2)
310 //
311 else if (CompareLowerCaseStrings(CommandTokens.at(0), "u") || CompareLowerCaseStrings(CommandTokens.at(0), "u64"))
312 {
315 TargetAddress,
318 Pid,
319 Length,
320 NULL);
321 }
322 else if (CompareLowerCaseStrings(CommandTokens.at(0), "!u") || CompareLowerCaseStrings(CommandTokens.at(0), "!u64"))
323 {
326 TargetAddress,
329 Pid,
330 Length,
331 NULL);
332 }
333 else if (CompareLowerCaseStrings(CommandTokens.at(0), "u2") || CompareLowerCaseStrings(CommandTokens.at(0), "u32"))
334 {
337 TargetAddress,
340 Pid,
341 Length,
342 NULL);
343 }
344 else if (CompareLowerCaseStrings(CommandTokens.at(0), "!u2") || CompareLowerCaseStrings(CommandTokens.at(0), "!u32"))
345 {
348 TargetAddress,
351 Pid,
352 Length,
353 NULL);
354 }
355}
BOOLEAN g_IsSerialConnectedToRemoteDebuggee
Shows if the debugger was connected to remote debuggee over (A remote guest).
Definition globals.h:253
ACTIVE_DEBUGGING_PROCESS g_ActiveProcessDebuggingState
State of active debugging thread.
Definition globals.h:372
UCHAR BOOLEAN
Definition BasicTypes.h:35
#define TRUE
Definition BasicTypes.h:114
#define FALSE
Definition BasicTypes.h:113
unsigned int UINT32
Definition BasicTypes.h:54
@ READ_FROM_KERNEL
Definition RequestStructures.h:245
@ DEBUGGER_SHOW_COMMAND_DC
Definition RequestStructures.h:281
@ DEBUGGER_SHOW_COMMAND_DISASSEMBLE32
Definition RequestStructures.h:279
@ DEBUGGER_SHOW_COMMAND_DD
Definition RequestStructures.h:283
@ DEBUGGER_SHOW_COMMAND_DQ
Definition RequestStructures.h:282
@ DEBUGGER_SHOW_COMMAND_DB
Definition RequestStructures.h:280
@ DEBUGGER_SHOW_COMMAND_DISASSEMBLE64
Definition RequestStructures.h:278
@ DEBUGGER_READ_PHYSICAL_ADDRESS
Definition RequestStructures.h:255
@ DEBUGGER_READ_VIRTUAL_ADDRESS
Definition RequestStructures.h:256
std::string GetCaseSensitiveStringFromCommandToken(CommandToken TargetToken)
Get case sensitive string from command token.
Definition common.cpp:467
BOOLEAN CompareLowerCaseStrings(CommandToken TargetToken, const CHAR *StringToCompare)
Compare lower case strings.
Definition common.cpp:503
BOOLEAN ConvertTokenToUInt32(CommandToken TargetToken, PUINT32 Result)
check and convert command token to a 32 bit unsigned integer
Definition common.cpp:546
VOID CommandReadMemoryAndDisassemblerHelp()
help of u* d* !u* !d* commands
Definition d-u.cpp:26
#define ASSERT_MESSAGE_CANNOT_SPECIFY_PID
Definition common.h:39
VOID HyperDbgShowMemoryOrDisassemble(DEBUGGER_SHOW_MEMORY_STYLE Style, UINT64 Address, DEBUGGER_READ_MEMORY_TYPE MemoryType, DEBUGGER_READ_READING_TYPE ReadingType, UINT32 Pid, UINT32 Size, PDEBUGGER_DT_COMMAND_OPTIONS DtDetails)
Show memory or disassembler.
Definition readmem.cpp:193
BOOLEAN SymbolConvertNameOrExprToAddress(const string &TextToConvert, PUINT64 Result)
check and convert string to a 64 bit unsigned integer and also check for symbol object names and eval...
Definition symbol.cpp:359

◆ CommandReadMemoryAndDisassemblerHelp()

VOID CommandReadMemoryAndDisassemblerHelp ( )

help of u* d* !u* !d* commands

Returns
VOID
27{
28 ShowMessages("db dc dd dq !db !dc !dd !dq & u u64 !u !u64 u2 u32 !u2 !u32 : reads the "
29 "memory different shapes (hex) and disassembler\n");
30 ShowMessages("db Byte and ASCII characters\n");
31 ShowMessages("dc Double-word values (4 bytes) and ASCII characters\n");
32 ShowMessages("dd Double-word values (4 bytes)\n");
33 ShowMessages("dq Quad-word values (8 bytes). \n");
34 ShowMessages("u u64 Disassembler at the target address (x64) \n");
35 ShowMessages("u2 u32 Disassembler at the target address (x86) \n");
36 ShowMessages("\nIf you want to read physical memory then add '!' at the "
37 "start of the command\n");
38 ShowMessages("you can also disassemble physical memory using '!u'\n\n");
39
40 ShowMessages("syntax : \tdb [Address (hex)] [l Length (hex)] [pid ProcessId (hex)]\n");
41 ShowMessages("syntax : \tdc [Address (hex)] [l Length (hex)] [pid ProcessId (hex)]\n");
42 ShowMessages("syntax : \tdd [Address (hex)] [l Length (hex)] [pid ProcessId (hex)]\n");
43 ShowMessages("syntax : \tdq [Address (hex)] [l Length (hex)] [pid ProcessId (hex)]\n");
44 ShowMessages("syntax : \tu [Address (hex)] [l Length (hex)] [pid ProcessId (hex)]\n");
45 ShowMessages("syntax : \tu64 [Address (hex)] [l Length (hex)] [pid ProcessId (hex)]\n");
46 ShowMessages("syntax : \tu2 [Address (hex)] [l Length (hex)] [pid ProcessId (hex)]\n");
47 ShowMessages("syntax : \tu32 [Address (hex)] [l Length (hex)] [pid ProcessId (hex)]\n");
48
49 ShowMessages("\n");
50 ShowMessages("\t\te.g : db nt!Kd_DEFAULT_Mask\n");
51 ShowMessages("\t\te.g : db nt!Kd_DEFAULT_Mask+10\n");
52 ShowMessages("\t\te.g : db @rax\n");
53 ShowMessages("\t\te.g : db @rax+50\n");
54 ShowMessages("\t\te.g : db fffff8077356f010\n");
55 ShowMessages("\t\te.g : !dq 100000\n");
56 ShowMessages("\t\te.g : !dq @rax+77\n");
57 ShowMessages("\t\te.g : u32 @eip\n");
58 ShowMessages("\t\te.g : u nt!ExAllocatePoolWithTag\n");
59 ShowMessages("\t\te.g : u nt!ExAllocatePoolWithTag+30\n");
60 ShowMessages("\t\te.g : u fffff8077356f010\n");
61 ShowMessages("\t\te.g : u fffff8077356f010+@rcx\n");
62}

Variable Documentation

◆ g_ActiveProcessDebuggingState

ACTIVE_DEBUGGING_PROCESS g_ActiveProcessDebuggingState
extern

State of active debugging thread.

372{0};

◆ g_IsSerialConnectedToRemoteDebuggee

BOOLEAN g_IsSerialConnectedToRemoteDebuggee
extern

Shows if the debugger was connected to remote debuggee over (A remote guest).