HyperDbg Debugger
Loading...
Searching...
No Matches
Functions | Variables
debugger.cpp File Reference

Interpret general fields. More...

#include "pch.h"

Functions

BOOLEAN ShowErrorMessage (UINT32 Error)
 shows the error message
 
UINT64 DebuggerGetNtoskrnlBase ()
 Get ntoskrnl.exe base in the kernel.
 
UINT64 DebuggerGetKernelBase ()
 Get the base address of the kernel module.
 
BOOLEAN DebuggerPauseDebuggee ()
 pauses the debuggee
 
BOOLEAN IsConnectedToAnyInstanceOfDebuggerOrDebuggee ()
 Shows whether the debugger is connected to a debugger or debuggee connected to a debugger.
 
BOOLEAN IsTagExist (UINT64 Tag)
 Check whether the tag exists or not, if the tag is DEBUGGER_MODIFY_EVENTS_APPLY_TO_ALL_TAG then if we find just one event, it also means that the tag is found.
 
BOOLEAN InterpretScript (vector< string > *SplitCommand, vector< string > *SplitCommandCaseSensitive, PBOOLEAN ScriptSyntaxErrors, PUINT64 BufferAddress, PUINT32 BufferLength, PUINT32 Pointer, PUINT64 ScriptCodeBuffer)
 Interpret script (if an event has script)
 
BOOLEAN InterpretConditionsAndCodes (vector< string > *SplitCommand, vector< string > *SplitCommandCaseSensitive, BOOLEAN IsConditionBuffer, PUINT64 BufferAddress, PUINT32 BufferLength)
 Interpret conditions (if an event has condition) and custom code.
 
BOOLEAN InterpretOutput (vector< string > *SplitCommand, vector< string > *SplitCommandCaseSensitive, vector< string > &InputSources)
 Interpret output (if an event has special output)
 
BOOLEAN SendEventToKernel (PDEBUGGER_GENERAL_EVENT_DETAIL Event, UINT32 EventBufferLength)
 Register the event to the kernel.
 
BOOLEAN RegisterActionToEvent (PDEBUGGER_GENERAL_EVENT_DETAIL Event, PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger, UINT32 ActionBreakToDebuggerLength, PDEBUGGER_GENERAL_ACTION ActionCustomCode, UINT32 ActionCustomCodeLength, PDEBUGGER_GENERAL_ACTION ActionScript, UINT32 ActionScriptLength)
 Register the action to the event.
 
UINT64 GetNewDebuggerEventTag ()
 Get the New Debugger Event Tag object and increase the global variable for tag.
 
VOID FreeEventsAndActionsMemory (PDEBUGGER_GENERAL_EVENT_DETAIL Event, PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger, PDEBUGGER_GENERAL_ACTION ActionCustomCode, PDEBUGGER_GENERAL_ACTION ActionScript)
 Deallocate buffers relating to events and actions.
 
BOOLEAN InterpretGeneralEventAndActionsFields (vector< string > *SplitCommand, vector< string > *SplitCommandCaseSensitive, VMM_EVENT_TYPE_ENUM EventType, PDEBUGGER_GENERAL_EVENT_DETAIL *EventDetailsToFill, PUINT32 EventBufferLength, PDEBUGGER_GENERAL_ACTION *ActionDetailsToFillBreakToDebugger, PUINT32 ActionBufferLengthBreakToDebugger, PDEBUGGER_GENERAL_ACTION *ActionDetailsToFillCustomCode, PUINT32 ActionBufferLengthCustomCode, PDEBUGGER_GENERAL_ACTION *ActionDetailsToFillScript, PUINT32 ActionBufferLengthScript, PDEBUGGER_EVENT_PARSING_ERROR_CAUSE ReasonForErrorInParsing)
 Interpret general event fields.
 

Variables

UINT64 g_EventTag
 This variable holds the trace and generate numbers for new tags of events.
 
UINT64 g_KernelBaseAddress
 Shows the kernel base address.
 
LIST_ENTRY g_EventTrace
 Holds a list of events in kernel and the state of events and the commands to show the state of each command (disabled/enabled)
 
BOOLEAN g_EventTraceInitialized
 it shows whether the debugger started using events or not or in other words, is g_EventTrace initialized with a variable or it is empty
 
BOOLEAN g_BreakPrintingOutput
 Shows whether the pause command or CTRL+C or CTRL+Break is executed or not.
 
BOOLEAN g_AutoUnpause
 Whether auto-unpause mode is enabled or not enabled.
 
BOOLEAN g_OutputSourcesInitialized
 it shows whether the debugger started using output sources or not or in other words, is g_OutputSources initialized with a variable or it is empty
 
LIST_ENTRY g_OutputSources
 Holds a list of output sources created by output command.
 
BOOLEAN g_IsConnectedToRemoteDebuggee
 Shows whether the current debugger is the host and connected to a remote debuggee (guest)
 
BOOLEAN g_IsConnectedToRemoteDebugger
 Shows whether the current system is a guest (debuggee) and a remote debugger is connected to this system.
 
BOOLEAN g_IsSerialConnectedToRemoteDebuggee
 Shows if the debugger was connected to remote debuggee over (A remote guest)
 
BOOLEAN g_IsSerialConnectedToRemoteDebugger
 Shows if the debugger was connected to remote debugger (A remote host)
 
ACTIVE_DEBUGGING_PROCESS g_ActiveProcessDebuggingState
 State of active debugging thread.
 

Detailed Description

Interpret general fields.

Author
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
Version
0.1
Date
2020-05-27
Copyright
This project is released under the GNU Public License v3.

Function Documentation

◆ DebuggerGetKernelBase()

UINT64 DebuggerGetKernelBase ( )

Get the base address of the kernel module.

Returns
UINT64
594{
595 UINT64 KernelBase = NULL;
596
597 if (g_IsSerialConnectedToRemoteDebuggee)
598 {
599 KernelBase = g_KernelBaseAddress;
600 }
601 else
602 {
603 KernelBase = DebuggerGetNtoskrnlBase();
604 g_KernelBaseAddress = KernelBase;
605 }
606
607 return KernelBase;
608}
UINT64
unsigned __int64 UINT64
Definition BasicTypes.h:21
g_KernelBaseAddress
UINT64 g_KernelBaseAddress
Shows the kernel base address.
Definition globals.h:566
DebuggerGetNtoskrnlBase
UINT64 DebuggerGetNtoskrnlBase()
Get ntoskrnl.exe base in the kernel.
Definition debugger.cpp:551
g_IsSerialConnectedToRemoteDebuggee
BOOLEAN g_IsSerialConnectedToRemoteDebuggee
Shows if the debugger was connected to remote debuggee over (A remote guest)
Definition globals.h:231
test-case-generator.NULL
NULL()
Definition test-case-generator.py:530

◆ DebuggerGetNtoskrnlBase()

UINT64 DebuggerGetNtoskrnlBase ( )

Get ntoskrnl.exe base in the kernel.

Returns
UINT64 Base address of ntoskrnl.exe
552{
553 NTSTATUS Status = STATUS_UNSUCCESSFUL;
554 UINT64 NtoskrnlBase = NULL;
555 PRTL_PROCESS_MODULES Modules = NULL;
556 ULONG SysModuleInfoBufferSize = 0;
557
558 //
559 // Get required size of "RTL_PROCESS_MODULES" buffer
560 //
561 Status = NtQuerySystemInformation((SYSTEM_INFORMATION_CLASS)SystemModuleInformation, NULL, NULL, &SysModuleInfoBufferSize);
562
563 Modules = (PRTL_PROCESS_MODULES)malloc(SysModuleInfoBufferSize);
564
565 if (Modules == NULL)
566 {
567 return NULL64_ZERO;
568 }
569
570 NtQuerySystemInformation((SYSTEM_INFORMATION_CLASS)SystemModuleInformation, Modules, SysModuleInfoBufferSize, NULL);
571
572 for (UINT32 i = 0; i < Modules->NumberOfModules; i++)
573 {
574 if (!strcmp((const char *)Modules->Modules[i].FullPathName + Modules->Modules[i].OffsetToFileName,
575 "ntoskrnl.exe"))
576 {
577 NtoskrnlBase = (UINT64)Modules->Modules[i].ImageBase;
578 break;
579 }
580 }
581
582 free(Modules);
583
584 return NtoskrnlBase;
585}
NULL64_ZERO
#define NULL64_ZERO
Definition BasicTypes.h:52
UINT32
unsigned int UINT32
Definition BasicTypes.h:48
ULONG
unsigned long ULONG
Definition BasicTypes.h:37
SystemModuleInformation
@ SystemModuleInformation
Definition Hooks.h:116
SYSTEM_INFORMATION_CLASS
enum _SYSTEM_INFORMATION_CLASS SYSTEM_INFORMATION_CLASS
System information class.
PRTL_PROCESS_MODULES
struct _RTL_PROCESS_MODULES * PRTL_PROCESS_MODULES
STATUS_UNSUCCESSFUL
#define STATUS_UNSUCCESSFUL
Definition Windows.h:172
_RTL_PROCESS_MODULES
Definition Windows.h:33
_RTL_PROCESS_MODULES::NumberOfModules
ULONG NumberOfModules
Definition Windows.h:34

◆ DebuggerPauseDebuggee()

BOOLEAN DebuggerPauseDebuggee ( )

pauses the debuggee

Returns
BOOLEAN shows whether the pause was successful or not, if successful then when it returns true the debuggee is not paused anymore (continued)
618{
619 BOOLEAN StatusIoctl = 0;
620 ULONG ReturnedLength = 0;
621 DEBUGGER_PAUSE_PACKET_RECEIVED PauseRequest = {0};
622
623 //
624 // Send a pause IOCTL
625 //
626 StatusIoctl = DeviceIoControl(g_DeviceHandle, // Handle to device
627 IOCTL_PAUSE_PACKET_RECEIVED, // IO Control Code (IOCTL)
628 &PauseRequest, // Input Buffer to driver.
629 SIZEOF_DEBUGGER_PAUSE_PACKET_RECEIVED, // Input buffer
630 // length
631 &PauseRequest, // Output Buffer from driver.
632 SIZEOF_DEBUGGER_PAUSE_PACKET_RECEIVED, // Length of output
633 // buffer in bytes.
634 &ReturnedLength, // Bytes placed in buffer.
635 NULL // synchronous call
636 );
637
638 if (!StatusIoctl)
639 {
640 ShowMessages("ioctl failed with code 0x%x\n", GetLastError());
641 return FALSE;
642 }
643
644 if (PauseRequest.Result == DEBUGGER_OPERATION_WAS_SUCCESSFUL)
645 {
646 //
647 // Nothing to show, the request was successfully processed
648 //
649 return TRUE;
650 }
651 else
652 {
653 ShowErrorMessage(PauseRequest.Result);
654 return FALSE;
655 }
656 return FALSE;
657}
BOOLEAN
UCHAR BOOLEAN
Definition BasicTypes.h:39
TRUE
#define TRUE
Definition BasicTypes.h:55
FALSE
#define FALSE
Definition BasicTypes.h:54
SIZEOF_DEBUGGER_PAUSE_PACKET_RECEIVED
#define SIZEOF_DEBUGGER_PAUSE_PACKET_RECEIVED
Definition DataTypes.h:170
DEBUGGER_OPERATION_WAS_SUCCESSFUL
#define DEBUGGER_OPERATION_WAS_SUCCESSFUL
General value to indicate that the operation or request was successful.
Definition ErrorCodes.h:23
IOCTL_PAUSE_PACKET_RECEIVED
#define IOCTL_PAUSE_PACKET_RECEIVED
ioctl, pause and halt the system
Definition Ioctls.h:184
ShowErrorMessage
BOOLEAN ShowErrorMessage(UINT32 Error)
shows the error message
Definition debugger.cpp:38
g_DeviceHandle
HANDLE g_DeviceHandle
Holds the global handle of device which is used to send the request to the kernel by IOCTL,...
Definition globals.h:471
ShowMessages
VOID ShowMessages(const char *Fmt,...)
Show messages.
Definition libhyperdbg.cpp:96
_DEBUGGER_PAUSE_PACKET_RECEIVED
request to pause and halt the system
Definition DataTypes.h:178
_DEBUGGER_PAUSE_PACKET_RECEIVED::Result
UINT32 Result
Definition DataTypes.h:179

◆ FreeEventsAndActionsMemory()

VOID FreeEventsAndActionsMemory ( PDEBUGGER_GENERAL_EVENT_DETAIL Event,
PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger,
PDEBUGGER_GENERAL_ACTION ActionCustomCode,
PDEBUGGER_GENERAL_ACTION ActionScript )

Deallocate buffers relating to events and actions.

Parameters

return VOID

2296{
2297 if (Event != NULL)
2298 {
2299 if (Event->CommandStringBuffer != NULL)
2300 {
2301 free(Event->CommandStringBuffer);
2302 }
2303
2304 free(Event);
2305 }
2306
2307 if (ActionBreakToDebugger != NULL)
2308 {
2309 free(ActionBreakToDebugger);
2310 }
2311 if (ActionCustomCode != NULL)
2312 {
2313 free(ActionCustomCode);
2314 }
2315 if (ActionScript != NULL)
2316 {
2317 free(ActionScript);
2318 }
2319}
_DEBUGGER_GENERAL_EVENT_DETAIL::CommandStringBuffer
PVOID CommandStringBuffer
Definition Events.h:393

◆ GetNewDebuggerEventTag()

UINT64 GetNewDebuggerEventTag ( )

Get the New Debugger Event Tag object and increase the global variable for tag.

Returns
UINT64
2281{
2282 return g_EventTag++;
2283}
g_EventTag
UINT64 g_EventTag
This variable holds the trace and generate numbers for new tags of events.
Definition globals.h:375

◆ InterpretConditionsAndCodes()

BOOLEAN InterpretConditionsAndCodes ( vector< string > * SplitCommand,
vector< string > * SplitCommandCaseSensitive,
BOOLEAN IsConditionBuffer,
PUINT64 BufferAddress,
PUINT32 BufferLength )

Interpret conditions (if an event has condition) and custom code.

If this function returns true then it means that there is a condition or code buffer in this command split and the details are returned in the input structure

Parameters
SplitCommandthe initialized command that are split by space
SplitCommandCaseSensitivethe initialized command that are split by space case sensitive
IsConditionBufferis it a condition buffer or a custom code buffer
BufferAddressthe address that the allocated buffer will be saved on it
BufferLengththe length of the buffer
Returns
BOOLEAN shows whether the interpret was successful (true) or not successful (false)
1251{
1252 BOOLEAN IsAsm = FALSE;
1253 BOOLEAN IsTextVisited = FALSE;
1254 BOOLEAN IsInState = FALSE;
1255 BOOLEAN IsEnded = FALSE;
1256 string Temp;
1257 string TempStr;
1258 string AppendedFinalBuffer;
1259 vector<string> SaveBuffer;
1260 vector<CHAR> ParsedBytes;
1261 vector<int> IndexesToRemove;
1262 UCHAR * FinalBuffer;
1263 UINT32 AssembledByteCount;
1264 int NewIndexToRemove = 0;
1265 int Index = 0;
1266
1267 for (auto Section : *SplitCommand)
1268 {
1269 Index++;
1270
1271 if (IsInState)
1272 {
1273 //
1274 // Check if the buffer is ended or not
1275 //
1276 if (!Section.compare("}"))
1277 {
1278 //
1279 // Save to remove this string from the command
1280 //
1281 IndexesToRemove.push_back(Index);
1282 IsEnded = TRUE;
1283 break;
1284 }
1285
1286 //
1287 // Check if the condition is end or not
1288 //
1289 if (HasEnding(Section, "}"))
1290 {
1291 //
1292 // Save to remove this string from the command
1293 //
1294 IndexesToRemove.push_back(Index);
1295
1296 //
1297 // remove the last character and append it to the ConditionBuffer
1298 //
1299 SaveBuffer.emplace_back(Section.begin(), Section.begin() + Section.size() - 1);
1300
1301 IsEnded = TRUE;
1302 break;
1303 }
1304
1305 //
1306 // Save to remove this string from the command
1307 //
1308 IndexesToRemove.push_back(Index);
1309
1310 //
1311 // Add the codes into condition bi
1312 //
1313 SaveBuffer.push_back(Section);
1314
1315 //
1316 // We want to stay in this condition
1317 //
1318 continue;
1319 }
1320
1321 if (IsTextVisited && !Section.compare("{"))
1322 {
1323 //
1324 // Save to remove this string from the command
1325 //
1326 IndexesToRemove.push_back(Index);
1327
1328 IsInState = TRUE;
1329 continue;
1330 }
1331
1332 if (IsTextVisited && Section.rfind('{', 0) == 0)
1333 {
1334 //
1335 // Section starts with {
1336 //
1337
1338 //
1339 // Check if it ends with }
1340 //
1341 if (HasEnding(Section, "}"))
1342 {
1343 //
1344 // Save to remove this string from the command
1345 //
1346 IndexesToRemove.push_back(Index);
1347
1348 TempStr = Section.erase(0, 1);
1349 SaveBuffer.emplace_back(TempStr.begin(), TempStr.begin() + TempStr.size() - 1);
1350
1351 IsEnded = TRUE;
1352 break;
1353 }
1354
1355 //
1356 // Save to remove this string from the command
1357 //
1358 IndexesToRemove.push_back(Index);
1359
1360 SaveBuffer.push_back(Section.erase(0, 1));
1361
1362 IsInState = TRUE;
1363 continue;
1364 }
1365
1366 if (!Section.compare("asm"))
1367 {
1368 if (IsTextVisited)
1369 {
1370 ShowMessages("wrong use of \"asm\"\n"); // asm must not be after condition or code
1371 }
1372 else
1373 {
1374 IndexesToRemove.push_back(Index);
1375
1376 IsAsm = TRUE;
1377 continue;
1378 }
1379 }
1380
1381 if (IsConditionBuffer)
1382 {
1383 if (!Section.compare("condition"))
1384 {
1385 //
1386 // Save to remove this string from the command
1387 //
1388 IndexesToRemove.push_back(Index);
1389
1390 IsTextVisited = TRUE;
1391 continue;
1392 }
1393 }
1394 else
1395 {
1396 //
1397 // It's code
1398 //
1399 if (!Section.compare("code"))
1400 {
1401 //
1402 // Save to remove this string from the command
1403 //
1404 IndexesToRemove.push_back(Index);
1405
1406 IsTextVisited = TRUE;
1407 continue;
1408 }
1409 }
1410
1411 if (IsConditionBuffer)
1412 {
1413 if (!Section.compare("condition{"))
1414 {
1415 //
1416 // Save to remove this string from the command
1417 //
1418 IndexesToRemove.push_back(Index);
1419
1420 IsTextVisited = TRUE;
1421 IsInState = TRUE;
1422 continue;
1423 }
1424 }
1425 else
1426 {
1427 //
1428 // It's code
1429 //
1430 if (!Section.compare("code{"))
1431 {
1432 //
1433 // Save to remove this string from the command
1434 //
1435 IndexesToRemove.push_back(Index);
1436
1437 IsTextVisited = TRUE;
1438 IsInState = TRUE;
1439 continue;
1440 }
1441 }
1442
1443 if (IsConditionBuffer)
1444 {
1445 if (Section.rfind("condition{", 0) == 0)
1446 {
1447 //
1448 // Save to remove this string from the command
1449 //
1450 IndexesToRemove.push_back(Index);
1451
1452 IsTextVisited = TRUE;
1453 IsInState = TRUE;
1454
1455 if (!HasEnding(Section, "}"))
1456 {
1457 //
1458 // Section starts with condition{
1459 //
1460 SaveBuffer.push_back(Section.erase(0, 10));
1461 continue;
1462 }
1463 else
1464 {
1465 //
1466 // remove the last character and first character append it to the
1467 // ConditionBuffer
1468 //
1469 TempStr = Section.erase(0, 10);
1470 SaveBuffer.emplace_back(TempStr.begin(), TempStr.begin() + TempStr.size() - 1);
1471
1472 IsEnded = TRUE;
1473 break;
1474 }
1475 }
1476 }
1477 else
1478 {
1479 //
1480 // It's a code
1481 //
1482 if (Section.rfind("code{", 0) == 0)
1483 {
1484 //
1485 // Save to remove this string from the command
1486 //
1487 IndexesToRemove.push_back(Index);
1488
1489 IsTextVisited = TRUE;
1490 IsInState = TRUE;
1491
1492 if (!HasEnding(Section, "}"))
1493 {
1494 //
1495 // Section starts with code{
1496 //
1497 SaveBuffer.push_back(Section.erase(0, 5));
1498 continue;
1499 }
1500 else
1501 {
1502 //
1503 // remove the last character and first character append it to the
1504 // ConditionBuffer
1505 //
1506 TempStr = Section.erase(0, 5);
1507 SaveBuffer.emplace_back(TempStr.begin(), TempStr.begin() + TempStr.size() - 1);
1508
1509 IsEnded = TRUE;
1510 break;
1511 }
1512 }
1513 }
1514 }
1515
1516 //
1517 // Now we have everything in condition buffer
1518 // Check to see if it is empty or not
1519 //
1520 if (SaveBuffer.size() == 0)
1521 {
1522 //
1523 // Nothing in condition buffer, return zero
1524 //
1525 return FALSE;
1526 }
1527
1528 //
1529 // Check if we see '}' at the end
1530 //
1531 if (!IsEnded)
1532 {
1533 //
1534 // Nothing in condition buffer, return zero
1535 //
1536 return FALSE;
1537 }
1538
1539 //
1540 // Check if asm code was provided instead of hex
1541 //
1542 if (IsAsm)
1543 {
1544 //
1545 // Append " " between two std::strings
1546 //
1547 auto ApndSemCln = [](std::string a, std::string b) {
1548 return std::move(a) + ' ' + std::move(b);
1549 };
1550
1551 //
1552 // Concatenate each assembly line
1553 //
1554 std::string AsmCode = std::accumulate(std::next(SaveBuffer.begin()), SaveBuffer.end(), SaveBuffer[0], ApndSemCln);
1555
1556 AssembleData AssembleData;
1557 AssembleData.AsmRaw = AsmCode; // by now, it should only have one element
1558 AssembleData.ParseAssemblyData();
1559
1560 //
1561 // Append a 'ret' at the end of asm code
1562 //
1563 AssembleData.AsmFixed += "; ret";
1564
1565 if (AssembleData.Assemble(0)) // we just want the hex bytes, so NULL instead of Start_Address
1566 {
1567 ShowMessages("err, assemble error code: '%u'\n\n", AssembleData.KsErr);
1568 return FALSE;
1569 }
1570 else
1571 {
1572 //
1573 // Get the BytesCount; for readability.
1574 //
1575 AssembledByteCount = (UINT32)AssembleData.BytesCount;
1576
1577 //
1578 // * FinalBuffer *
1579 //
1580 FinalBuffer = (unsigned char *)malloc(AssembledByteCount);
1581
1582 if (FinalBuffer == NULL)
1583 {
1584 return FALSE;
1585 }
1586
1587 memcpy(FinalBuffer, AssembleData.EncodedBytes, AssembledByteCount);
1588
1589 //
1590 // Set the buffer and length
1591 //
1592 *BufferAddress = (UINT64)FinalBuffer;
1593 *BufferLength = AssembledByteCount;
1594 }
1595 }
1596 else
1597 {
1598 //
1599 // Append a 'ret' at the end of the buffer
1600 //
1601 SaveBuffer.push_back("c3");
1602
1603 //
1604 // If we reach here then there is sth in condition buffer
1605 //
1606 for (auto Section : SaveBuffer)
1607 {
1608 //
1609 // Check if the section is started with '0x'
1610 //
1611 if (Section.rfind("0x", 0) == 0 || Section.rfind("0X", 0) == 0 || Section.rfind("\\x", 0) == 0 || Section.rfind("\\X", 0) == 0)
1612 {
1613 Temp = Section.erase(0, 2);
1614 }
1615 else if (Section.rfind('x', 0) == 0 || Section.rfind('X', 0) == 0)
1616 {
1617 Temp = Section.erase(0, 1);
1618 }
1619 else
1620 {
1621 Temp = std::move(Section);
1622 }
1623
1624 //
1625 // replace \x s
1626 //
1627 ReplaceAll(Temp, "\\x", "");
1628
1629 //
1630 // check if the buffer is aligned to 2
1631 //
1632 if (Temp.size() % 2 != 0)
1633 {
1634 //
1635 // Add a zero to the start of the buffer
1636 //
1637 Temp.insert(0, 1, '0');
1638 }
1639
1640 if (!IsHexNotation(Temp))
1641 {
1642 ShowMessages("please enter condition code in a hex notation\n");
1643 return FALSE;
1644 }
1645 AppendedFinalBuffer.append(Temp);
1646 }
1647
1648 //
1649 // Convert it to vectored bytes
1650 //
1651 ParsedBytes = HexToBytes(AppendedFinalBuffer);
1652
1653 //
1654 // Convert to a contigues buffer
1655 //
1656 FinalBuffer = (unsigned char *)malloc(ParsedBytes.size());
1657
1658 if (FinalBuffer == NULL)
1659 {
1660 return FALSE;
1661 }
1662
1663 std::copy(ParsedBytes.begin(), ParsedBytes.end(), FinalBuffer);
1664
1665 //
1666 // Set the buffer and length
1667 //
1668 *BufferAddress = (UINT64)FinalBuffer;
1669 *BufferLength = (UINT32)ParsedBytes.size();
1670 }
1671
1672 //
1673 // Removing the code or condition indexes from the command
1674 //
1675 NewIndexToRemove = 0;
1676 for (auto IndexToRemove : IndexesToRemove)
1677 {
1678 NewIndexToRemove++;
1679
1680 SplitCommand->erase(SplitCommand->begin() + (IndexToRemove - NewIndexToRemove));
1681 SplitCommandCaseSensitive->erase(SplitCommandCaseSensitive->begin() + (IndexToRemove - NewIndexToRemove));
1682 }
1683
1684 return TRUE;
1685}
UCHAR
unsigned char UCHAR
Definition BasicTypes.h:35
BufferAddress
UINT64 BOOLEAN PVOID BufferAddress
Definition HyperDbgScriptImports.h:67
AssembleData
Definition assembler.h:16
AssembleData::ParseAssemblyData
VOID ParseAssemblyData()
tries to solve the symbol issue with Keystone, which apparently originates from LLVM-MC.
Definition assembler.cpp:20
AssembleData::AsmFixed
std::string AsmFixed
Definition assembler.h:19
AssembleData::BytesCount
size_t BytesCount
Definition assembler.h:21
AssembleData::KsErr
ks_err KsErr
Definition assembler.h:24
AssembleData::EncodedBytes
unsigned char * EncodedBytes
Definition assembler.h:22
AssembleData::Assemble
INT Assemble(UINT64 StartAddr, ks_arch Arch=KS_ARCH_X86, INT Mode=KS_MODE_64, INT Syntax=KS_OPT_SYNTAX_INTEL)
Definition assembler.cpp:119
AssembleData::AsmRaw
std::string AsmRaw
Definition assembler.h:18
IsHexNotation
BOOLEAN IsHexNotation(const string &s)
check whether the string is hex or not
Definition common.cpp:162
ReplaceAll
VOID ReplaceAll(string &str, const string &from, const string &to)
general replace all function
Definition common.cpp:91
HexToBytes
vector< char > HexToBytes(const string &hex)
converts hex to bytes
Definition common.cpp:216
HasEnding
BOOLEAN HasEnding(string const &fullString, string const &ending)
checks whether the string ends with a special string or not
Definition common.cpp:448

◆ InterpretGeneralEventAndActionsFields()

BOOLEAN InterpretGeneralEventAndActionsFields ( vector< string > * SplitCommand,
vector< string > * SplitCommandCaseSensitive,
VMM_EVENT_TYPE_ENUM EventType,
PDEBUGGER_GENERAL_EVENT_DETAIL * EventDetailsToFill,
PUINT32 EventBufferLength,
PDEBUGGER_GENERAL_ACTION * ActionDetailsToFillBreakToDebugger,
PUINT32 ActionBufferLengthBreakToDebugger,
PDEBUGGER_GENERAL_ACTION * ActionDetailsToFillCustomCode,
PUINT32 ActionBufferLengthCustomCode,
PDEBUGGER_GENERAL_ACTION * ActionDetailsToFillScript,
PUINT32 ActionBufferLengthScript,
PDEBUGGER_EVENT_PARSING_ERROR_CAUSE ReasonForErrorInParsing )

Interpret general event fields.

Parameters
SplitCommandthe commands that was split by space
SplitCommandCaseSensitivethe commands that was split by space case sensitive
EventTypetype of event
EventDetailsToFilla pointer address that will be filled by event detail buffer
EventBufferLengtha pointer the receives the buffer length of the event
ActionDetailsToFilla pointer address that will be filled by action detail buffer
ActionBufferLengtha pointer the receives the buffer length of the action
ReasonForErrorInParsingreason that interpretation failed, null if the returns true
Returns
BOOLEAN If this function returns true then it means that there was no error in parsing the general event details
2355{
2356 BOOLEAN Result = FALSE;
2357 PDEBUGGER_GENERAL_EVENT_DETAIL TempEvent = NULL;
2358 PDEBUGGER_GENERAL_ACTION TempActionBreak = NULL;
2359 PDEBUGGER_GENERAL_ACTION TempActionScript = NULL;
2360 PDEBUGGER_GENERAL_ACTION TempActionCustomCode = NULL;
2361 VMM_CALLBACK_EVENT_CALLING_STAGE_TYPE CallingStage = VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION; // by default 'pre' event
2362 UINT32 LengthOfCustomCodeActionBuffer = 0;
2363 UINT32 LengthOfScriptActionBuffer = 0;
2364 UINT32 LengthOfBreakActionBuffer = 0;
2365 UINT64 ConditionBufferAddress;
2366 UINT32 ConditionBufferLength = 0;
2367 vector<string> ListOfOutputSources;
2368 UINT64 CodeBufferAddress;
2369 UINT32 CodeBufferLength = 0;
2370 UINT64 ScriptBufferAddress;
2371 UINT64 ScriptCodeBuffer = 0;
2372 BOOLEAN HasScriptSyntaxError = 0;
2373 UINT32 ScriptBufferLength = 0;
2374 UINT32 ScriptBufferPointer = 0;
2375 UINT32 LengthOfEventBuffer = 0;
2376 string CommandString;
2377 BOOLEAN IsAShortCircuitingEventByDefault = FALSE;
2378 BOOLEAN HasConditionBuffer = FALSE;
2379 BOOLEAN HasOutputPath = FALSE;
2380 BOOLEAN HasCodeBuffer = FALSE;
2381 BOOLEAN HasScript = FALSE;
2382 BOOLEAN IsNextCommandPid = FALSE;
2383 BOOLEAN IsNextCommandCoreId = FALSE;
2384 BOOLEAN IsNextCommandBufferSize = FALSE;
2385 BOOLEAN IsNextCommandImmediateMessaging = FALSE;
2386 BOOLEAN IsNextCommandExecutionStage = FALSE;
2387 BOOLEAN IsNextCommandSc = FALSE;
2388 BOOLEAN ImmediateMessagePassing = UseImmediateMessagingByDefaultOnEvents;
2389 UINT32 CoreId;
2390 UINT32 ProcessId;
2391 UINT32 IndexOfValidSourceTags;
2392 UINT32 RequestBuffer = 0;
2393 PLIST_ENTRY TempList;
2394 BOOLEAN OutputSourceFound;
2395 vector<int> IndexesToRemove;
2396 vector<UINT64> ListOfValidSourceTags;
2397 int NewIndexToRemove = 0;
2398 int Index = 0;
2399
2400 //
2401 // Create a command string to show in the history
2402 //
2403 for (auto Section : *SplitCommandCaseSensitive)
2404 {
2405 CommandString.append(Section);
2406 CommandString.append(" ");
2407 }
2408
2409 //
2410 // Compute the size of buffer + 1 null for the end of buffer
2411 //
2412 UINT64 BufferOfCommandStringLength = CommandString.size() + 1;
2413
2414 //
2415 // Allocate Buffer and zero for command to the buffer
2416 //
2417 PVOID BufferOfCommandString = malloc(BufferOfCommandStringLength);
2418
2419 RtlZeroMemory(BufferOfCommandString, BufferOfCommandStringLength);
2420
2421 //
2422 // Copy the string to the buffer
2423 //
2424 memcpy(BufferOfCommandString, CommandString.c_str(), CommandString.size());
2425
2426 //
2427 // Check if there is a condition buffer in the command
2428 //
2429 if (!InterpretConditionsAndCodes(SplitCommand, SplitCommandCaseSensitive, TRUE, &ConditionBufferAddress, &ConditionBufferLength))
2430 {
2431 //
2432 // Indicate condition is not available
2433 //
2434 HasConditionBuffer = FALSE;
2435
2436 //
2437 // ShowMessages("\nNo condition!\n");
2438 //
2439 }
2440 else
2441 {
2442 //
2443 // Indicate condition is available
2444 //
2445 HasConditionBuffer = TRUE;
2446
2447 /*
2448 ShowMessages(
2449 "\n========================= Condition =========================\n");
2450
2451 ShowMessages(
2452 "\nUINT64 DebuggerCheckForCondition(PGUEST_REGS Regs_RCX, PVOID "
2453 "Context_RDX)\n{\n");
2454
2455 //
2456 // Disassemble the buffer
2457 //
2458 HyperDbgDisassembler64((unsigned char *)ConditionBufferAddress, 0x0,
2459 ConditionBufferLength);
2460
2461 ShowMessages("}\n\n");
2462
2463 ShowMessages(
2464 "=============================================================\n");
2465 */
2466 }
2467
2468 //
2469 // Check if there is a code buffer in the command
2470 //
2471 if (!InterpretConditionsAndCodes(SplitCommand, SplitCommandCaseSensitive, FALSE, &CodeBufferAddress, &CodeBufferLength))
2472 {
2473 //
2474 // Indicate code is not available
2475 //
2476 HasCodeBuffer = FALSE;
2477 //
2478 // ShowMessages("\nNo custom code!\n");
2479 //
2480 }
2481 else
2482 {
2483 //
2484 // Indicate code is available
2485 //
2486 HasCodeBuffer = TRUE;
2487
2488 /*
2489 ShowMessages(
2490 "\n========================= Code =========================\n");
2491 ShowMessages("\nPVOID DebuggerRunCustomCodeFunc(PVOID "
2492 "PreAllocatedBufferAddress_RCX, "
2493 "PGUEST_REGS Regs_RDX, PVOID Context_R8)\n{\n");
2494
2495 //
2496 // Disassemble the buffer
2497 //
2498 HyperDbgDisassembler64((unsigned char *)CodeBufferAddress, 0x0,
2499 CodeBufferLength);
2500
2501 ShowMessages("}\n\n");
2502
2503 ShowMessages(
2504 "=============================================================\n");
2505 */
2506 }
2507
2508 //
2509 // Check if there is a Script block in the command
2510 //
2511 if (!InterpretScript(SplitCommand,
2512 SplitCommandCaseSensitive,
2513 &HasScriptSyntaxError,
2514 &ScriptBufferAddress,
2515 &ScriptBufferLength,
2516 &ScriptBufferPointer,
2517 &ScriptCodeBuffer))
2518 {
2519 //
2520 // Indicate code is not available
2521 //
2522 HasScript = FALSE;
2523 //
2524 // ShowMessages("\nNo script!\n");
2525 //
2526 }
2527 else
2528 {
2529 //
2530 // Check if there is a syntax error
2531 //
2532 if (HasScriptSyntaxError)
2533 {
2534 free(BufferOfCommandString);
2535
2536 *ReasonForErrorInParsing = DEBUGGER_EVENT_PARSING_ERROR_CAUSE_SCRIPT_SYNTAX_ERROR;
2537 return FALSE;
2538 }
2539
2540 //
2541 // Indicate code is available
2542 //
2543 HasScript = TRUE;
2544 }
2545
2546 //
2547 // Check if there is a output path in the command
2548 //
2549 if (!InterpretOutput(SplitCommand, SplitCommandCaseSensitive, ListOfOutputSources))
2550 {
2551 //
2552 // Indicate output is not available
2553 //
2554 HasOutputPath = FALSE;
2555
2556 //
2557 // ShowMessages("\nNo condition!\n");
2558 //
2559 }
2560 else
2561 {
2562 //
2563 // Check for empty input
2564 //
2565 if (ListOfOutputSources.size() == 0)
2566 {
2567 //
2568 // No input !
2569 //
2570 free(BufferOfCommandString);
2571
2572 ShowMessages("err, no input found\n");
2573 *ReasonForErrorInParsing = DEBUGGER_EVENT_PARSING_ERROR_CAUSE_NO_INPUT;
2574 return FALSE;
2575 }
2576
2577 //
2578 // Check whether the size exceed maximum size or not
2579 //
2580 if (ListOfOutputSources.size() > DebuggerOutputSourceMaximumRemoteSourceForSingleEvent)
2581 {
2582 free(BufferOfCommandString);
2583
2584 ShowMessages(
2585 "err, based on this build of HyperDbg, the maximum input sources for "
2586 "a single event is 0x%x sources but you entered 0x%x sources\n",
2587 DebuggerOutputSourceMaximumRemoteSourceForSingleEvent,
2588 ListOfOutputSources.size());
2589 *ReasonForErrorInParsing = DEBUGGER_EVENT_PARSING_ERROR_CAUSE_MAXIMUM_INPUT_REACHED;
2590 return FALSE;
2591 }
2592
2593 //
2594 // Check whether the output source initialized or not
2595 //
2596 if (!g_OutputSourcesInitialized)
2597 {
2598 free(BufferOfCommandString);
2599
2600 ShowMessages("err, the name you entered, not found. Did you use "
2601 "'output' command to create it?\n");
2602 *ReasonForErrorInParsing = DEBUGGER_EVENT_PARSING_ERROR_CAUSE_OUTPUT_NAME_NOT_FOUND;
2603 return FALSE;
2604 }
2605
2606 //
2607 // Convert output sources to the corresponding tags
2608 //
2609 for (auto item : ListOfOutputSources)
2610 {
2611 TempList = 0;
2612 OutputSourceFound = FALSE;
2613
2614 //
2615 // Now we should find the corresponding object in the list
2616 // of output sources and save its tags
2617 //
2618 TempList = &g_OutputSources;
2619
2620 while (&g_OutputSources != TempList->Flink)
2621 {
2622 TempList = TempList->Flink;
2623
2624 PDEBUGGER_EVENT_FORWARDING CurrentOutputSourceDetails = CONTAINING_RECORD(TempList, DEBUGGER_EVENT_FORWARDING, OutputSourcesList);
2625
2626 if (strcmp(CurrentOutputSourceDetails->Name,
2627 RemoveSpaces(item).c_str()) == 0)
2628 {
2629 //
2630 // Check to see the source state, whether it is closed or not
2631 //
2632 if (CurrentOutputSourceDetails->State == EVENT_FORWARDING_CLOSED)
2633 {
2634 free(BufferOfCommandString);
2635
2636 ShowMessages("err, output source already closed\n");
2637 *ReasonForErrorInParsing = DEBUGGER_EVENT_PARSING_ERROR_CAUSE_OUTPUT_SOURCE_ALREADY_CLOSED;
2638 return FALSE;
2639 }
2640
2641 //
2642 // Check to see the source state, whether it is opened or not
2643 //
2644 if (CurrentOutputSourceDetails->State == EVENT_FORWARDING_STATE_NOT_OPENED)
2645 {
2646 //
2647 // Just show a message
2648 //
2649 ShowMessages("some of the output(s) are not opened, it's not an error, but please ensure "
2650 "to open the output using the 'output' command to forward the results to the "
2651 "target resource\n");
2652 }
2653
2654 //
2655 // Indicate that we found this item
2656 //
2657 OutputSourceFound = TRUE;
2658
2659 //
2660 // Save the tag into a list which will be used later
2661 //
2662 ListOfValidSourceTags.push_back(
2663 CurrentOutputSourceDetails->OutputUniqueTag);
2664
2665 //
2666 // No need to search through the list anymore
2667 //
2668 break;
2669 }
2670 }
2671
2672 if (!OutputSourceFound)
2673 {
2674 free(BufferOfCommandString);
2675
2676 ShowMessages("err, the name you entered, not found. Did you use "
2677 "'output' command to create it?\n");
2678 *ReasonForErrorInParsing = DEBUGGER_EVENT_PARSING_ERROR_CAUSE_OUTPUT_NAME_NOT_FOUND;
2679 return FALSE;
2680 }
2681 }
2682 //
2683 // Indicate output is available
2684 //
2685 HasOutputPath = TRUE;
2686 }
2687
2688 //
2689 // Create action and event based on previously parsed buffers
2690 // (DEBUGGER_GENERAL_ACTION)
2691 //
2692 // Allocate the buffer (with ConditionBufferLength and CodeBufferLength)
2693 //
2694
2695 /*
2696
2697 Layout of Buffer :
2698
2699 ________________________________
2700 | |
2701 | DEBUGGER_GENERAL_EVENT_DETAIL |
2702 | |
2703 |________________________________|
2704 | |
2705 | Condition Buffer |
2706 | |
2707 |________________________________|
2708
2709 */
2710
2711 /*
2712 ________________________________
2713 | |
2714 | DEBUGGER_GENERAL_ACTION |
2715 | |
2716 |________________________________|
2717 | |
2718 | Condition Custom Code |
2719 | or Script Buffer |
2720 |________________________________|
2721
2722 */
2723
2724 LengthOfEventBuffer = sizeof(DEBUGGER_GENERAL_EVENT_DETAIL) + ConditionBufferLength;
2725
2726 TempEvent = (PDEBUGGER_GENERAL_EVENT_DETAIL)malloc(LengthOfEventBuffer);
2727 RtlZeroMemory(TempEvent, LengthOfEventBuffer);
2728
2729 //
2730 // Check if buffer is available
2731 //
2732 if (TempEvent == NULL)
2733 {
2734 ShowMessages("err, allocation error\n");
2735 *ReasonForErrorInParsing = DEBUGGER_EVENT_PARSING_ERROR_CAUSE_ALLOCATION_ERROR;
2736 goto ReturnWithError;
2737 }
2738
2739 //
2740 // Event is enabled by default when created
2741 //
2742 TempEvent->IsEnabled = TRUE;
2743
2744 //
2745 // Get a new tag for it
2746 //
2747 TempEvent->Tag = GetNewDebuggerEventTag();
2748
2749 //
2750 // Set the core Id and Process Id to all cores and all
2751 // processes, next time we check whether the user needs
2752 // a special core or a special process then we change it
2753 //
2754 TempEvent->CoreId = DEBUGGER_EVENT_APPLY_TO_ALL_CORES;
2755
2756 if (g_ActiveProcessDebuggingState.IsActive)
2757 {
2758 ShowMessages("notice: as you're debugging a user-mode application, "
2759 "this event will only trigger on your current debugging process "
2760 "(pid:%x). If you want the event from the entire system, "
2761 "add 'pid all' to the event\n",
2762 g_ActiveProcessDebuggingState.ProcessId);
2763
2764 TempEvent->ProcessId = g_ActiveProcessDebuggingState.ProcessId;
2765 }
2766 else
2767 {
2768 TempEvent->ProcessId = DEBUGGER_EVENT_APPLY_TO_ALL_PROCESSES;
2769 }
2770
2771 //
2772 // Set the event type
2773 //
2774 TempEvent->EventType = EventType;
2775
2776 //
2777 // Get the current time
2778 //
2779 TempEvent->CreationTime = time(0);
2780
2781 //
2782 // Set buffer string command
2783 //
2784 TempEvent->CommandStringBuffer = BufferOfCommandString;
2785
2786 //
2787 // Fill the buffer of condition for event
2788 //
2789 if (HasConditionBuffer)
2790 {
2791 memcpy((PVOID)((UINT64)TempEvent + sizeof(DEBUGGER_GENERAL_EVENT_DETAIL)),
2792 (PVOID)ConditionBufferAddress,
2793 ConditionBufferLength);
2794
2795 //
2796 // Set the size of the buffer for event condition
2797 //
2798 TempEvent->ConditionBufferSize = ConditionBufferLength;
2799 }
2800
2801 //
2802 // Fill the buffer of custom code for action
2803 //
2804 if (HasCodeBuffer)
2805 {
2806 //
2807 // Allocate the Action (THIS ACTION BUFFER WILL BE FREED WHEN WE SENT IT TO
2808 // THE KERNEL AND RETURNED FROM THE KERNEL AS WE DON'T NEED IT ANYMORE)
2809 //
2810 LengthOfCustomCodeActionBuffer = sizeof(DEBUGGER_GENERAL_ACTION) + CodeBufferLength;
2811
2812 TempActionCustomCode = (PDEBUGGER_GENERAL_ACTION)malloc(LengthOfCustomCodeActionBuffer);
2813
2814 RtlZeroMemory(TempActionCustomCode, LengthOfCustomCodeActionBuffer);
2815
2816 memcpy(
2817 (PVOID)((UINT64)TempActionCustomCode + sizeof(DEBUGGER_GENERAL_ACTION)),
2818 (PVOID)CodeBufferAddress,
2819 CodeBufferLength);
2820 //
2821 // Set the action Tag
2822 //
2823 TempActionCustomCode->EventTag = TempEvent->Tag;
2824
2825 //
2826 // Set the action type
2827 //
2828 TempActionCustomCode->ActionType = RUN_CUSTOM_CODE;
2829
2830 //
2831 // Set the action buffer size
2832 //
2833 TempActionCustomCode->CustomCodeBufferSize = CodeBufferLength;
2834
2835 //
2836 // Increase the count of actions
2837 //
2838 TempEvent->CountOfActions = TempEvent->CountOfActions + 1;
2839 }
2840
2841 //
2842 // Fill the buffer of script for action
2843 //
2844 if (HasScript)
2845 {
2846 //
2847 // Allocate the Action (THIS ACTION BUFFER WILL BE FREED WHEN WE SENT IT TO
2848 // THE KERNEL AND RETURNED FROM THE KERNEL AS WE DON'T NEED IT ANYMORE)
2849 //
2850 LengthOfScriptActionBuffer = sizeof(DEBUGGER_GENERAL_ACTION) + ScriptBufferLength;
2851 TempActionScript = (PDEBUGGER_GENERAL_ACTION)malloc(LengthOfScriptActionBuffer);
2852
2853 RtlZeroMemory(TempActionScript, LengthOfScriptActionBuffer);
2854
2855 memcpy((PVOID)((UINT64)TempActionScript + sizeof(DEBUGGER_GENERAL_ACTION)),
2856 (PVOID)ScriptBufferAddress,
2857 ScriptBufferLength);
2858 //
2859 // Set the action Tag
2860 //
2861 TempActionScript->EventTag = TempEvent->Tag;
2862
2863 //
2864 // Set the action type
2865 //
2866 TempActionScript->ActionType = RUN_SCRIPT;
2867
2868 //
2869 // Set the action buffer size and pointer
2870 //
2871 TempActionScript->ScriptBufferSize = ScriptBufferLength;
2872 TempActionScript->ScriptBufferPointer = ScriptBufferPointer;
2873
2874 //
2875 // Increase the count of actions
2876 //
2877 TempEvent->CountOfActions = TempEvent->CountOfActions + 1;
2878
2879 //
2880 // Free the buffer of script related functions
2881 //
2882 ScriptEngineWrapperRemoveSymbolBuffer((PVOID)ScriptCodeBuffer);
2883 }
2884
2885 //
2886 // If this action didn't contain a buffer for custom code and
2887 // a buffer for script then it's a break to debugger
2888 //
2889 if (!HasCodeBuffer && !HasScript)
2890 {
2891 //
2892 // Allocate the Action (THIS ACTION BUFFER WILL BE FREED WHEN WE SENT IT TO
2893 // THE KERNEL AND RETURNED FROM THE KERNEL AS WE DON'T NEED IT ANYMORE)
2894 //
2895 LengthOfBreakActionBuffer = sizeof(DEBUGGER_GENERAL_ACTION);
2896
2897 TempActionBreak = (PDEBUGGER_GENERAL_ACTION)malloc(LengthOfBreakActionBuffer);
2898
2899 RtlZeroMemory(TempActionBreak, LengthOfBreakActionBuffer);
2900
2901 //
2902 // Set the action Tag
2903 //
2904 TempActionBreak->EventTag = TempEvent->Tag;
2905
2906 //
2907 // Set the action type
2908 //
2909 TempActionBreak->ActionType = BREAK_TO_DEBUGGER;
2910
2911 //
2912 // Increase the count of actions
2913 //
2914 TempEvent->CountOfActions = TempEvent->CountOfActions + 1;
2915 }
2916
2917 //
2918 // Interpret rest of the command
2919 //
2920 for (auto Section : *SplitCommand)
2921 {
2922 Index++;
2923 if (IsNextCommandBufferSize)
2924 {
2925 if (!ConvertStringToUInt32(Section, &RequestBuffer))
2926 {
2927 ShowMessages("err, buffer size is invalid\n");
2928 *ReasonForErrorInParsing = DEBUGGER_EVENT_PARSING_ERROR_CAUSE_FORMAT_ERROR;
2929 goto ReturnWithError;
2930 }
2931 else
2932 {
2933 //
2934 // Set the specific requested buffer size
2935 //
2936 if (TempActionBreak != NULL)
2937 {
2938 TempActionBreak->PreAllocatedBuffer = RequestBuffer;
2939 }
2940 if (TempActionScript != NULL)
2941 {
2942 TempActionScript->PreAllocatedBuffer = RequestBuffer;
2943 }
2944 if (TempActionCustomCode != NULL)
2945 {
2946 TempActionCustomCode->PreAllocatedBuffer = RequestBuffer;
2947 }
2948 }
2949 IsNextCommandBufferSize = FALSE;
2950
2951 //
2952 // Add index to remove it from the command
2953 //
2954 IndexesToRemove.push_back(Index);
2955
2956 continue;
2957 }
2958
2959 if (IsNextCommandImmediateMessaging)
2960 {
2961 if (!Section.compare("yes"))
2962 {
2963 ImmediateMessagePassing = TRUE;
2964 }
2965 else if (!Section.compare("no"))
2966 {
2967 ImmediateMessagePassing = FALSE;
2968 }
2969 else
2970 {
2971 //
2972 // err, not token recognized error
2973 //
2974
2975 ShowMessages("err, immediate messaging token is invalid\n");
2976 *ReasonForErrorInParsing = DEBUGGER_EVENT_PARSING_ERROR_CAUSE_FORMAT_ERROR;
2977 goto ReturnWithError;
2978 }
2979
2980 IsNextCommandImmediateMessaging = FALSE;
2981
2982 //
2983 // Add index to remove it from the command
2984 //
2985 IndexesToRemove.push_back(Index);
2986
2987 continue;
2988 }
2989
2990 if (IsNextCommandExecutionStage)
2991 {
2992 if (!Section.compare("pre"))
2993 {
2994 CallingStage = VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION;
2995 }
2996 else if (!Section.compare("post"))
2997 {
2998 CallingStage = VMM_CALLBACK_CALLING_STAGE_POST_EVENT_EMULATION;
2999 }
3000 else if (!Section.compare("all"))
3001 {
3002 CallingStage = VMM_CALLBACK_CALLING_STAGE_ALL_EVENT_EMULATION;
3003 }
3004 else
3005 {
3006 //
3007 // err, not token recognized error
3008 //
3009
3010 ShowMessages("err, the specified execution mode is invalid; you can either choose 'pre' or 'post'\n");
3011 *ReasonForErrorInParsing = DEBUGGER_EVENT_PARSING_ERROR_CAUSE_FORMAT_ERROR;
3012 goto ReturnWithError;
3013 }
3014
3015 IsNextCommandExecutionStage = FALSE;
3016
3017 //
3018 // Add index to remove it from the command
3019 //
3020 IndexesToRemove.push_back(Index);
3021
3022 continue;
3023 }
3024
3025 if (IsNextCommandSc)
3026 {
3027 if (!Section.compare("on"))
3028 {
3029 IsAShortCircuitingEventByDefault = TRUE;
3030 }
3031 else if (!Section.compare("off"))
3032 {
3033 IsAShortCircuitingEventByDefault = FALSE;
3034 }
3035 else
3036 {
3037 //
3038 // err, not token recognized error
3039 //
3040
3041 ShowMessages("err, the specified short-circuiting state is invalid; you can either choose 'on' or 'off'\n");
3042 *ReasonForErrorInParsing = DEBUGGER_EVENT_PARSING_ERROR_CAUSE_FORMAT_ERROR;
3043 goto ReturnWithError;
3044 }
3045
3046 IsNextCommandSc = FALSE;
3047
3048 //
3049 // Add index to remove it from the command
3050 //
3051 IndexesToRemove.push_back(Index);
3052
3053 continue;
3054 }
3055
3056 if (IsNextCommandPid)
3057 {
3058 if (!Section.compare("all"))
3059 {
3060 TempEvent->ProcessId = DEBUGGER_EVENT_APPLY_TO_ALL_PROCESSES;
3061 }
3062 else if (!ConvertStringToUInt32(Section, &ProcessId))
3063 {
3064 ShowMessages("err, pid is invalid\n");
3065 *ReasonForErrorInParsing = DEBUGGER_EVENT_PARSING_ERROR_CAUSE_FORMAT_ERROR;
3066
3067 goto ReturnWithError;
3068 }
3069 else
3070 {
3071 //
3072 // Set the specific process id
3073 //
3074 TempEvent->ProcessId = ProcessId;
3075 }
3076
3077 IsNextCommandPid = FALSE;
3078
3079 //
3080 // Add index to remove it from the command
3081 //
3082 IndexesToRemove.push_back(Index);
3083
3084 continue;
3085 }
3086
3087 if (IsNextCommandCoreId)
3088 {
3089 if (!ConvertStringToUInt32(Section, &CoreId))
3090 {
3091 ShowMessages("err, core id is invalid\n");
3092 *ReasonForErrorInParsing = DEBUGGER_EVENT_PARSING_ERROR_CAUSE_FORMAT_ERROR;
3093 goto ReturnWithError;
3094 }
3095 else
3096 {
3097 //
3098 // Set the specific core id
3099 //
3100 TempEvent->CoreId = CoreId;
3101 }
3102 IsNextCommandCoreId = FALSE;
3103
3104 //
3105 // Add index to remove it from the command
3106 //
3107 IndexesToRemove.push_back(Index);
3108
3109 continue;
3110 }
3111
3112 if (!Section.compare("pid"))
3113 {
3114 IsNextCommandPid = TRUE;
3115
3116 //
3117 // Add index to remove it from the command
3118 //
3119 IndexesToRemove.push_back(Index);
3120
3121 continue;
3122 }
3123 if (!Section.compare("core"))
3124 {
3125 IsNextCommandCoreId = TRUE;
3126
3127 //
3128 // Add index to remove it from the command
3129 //
3130 IndexesToRemove.push_back(Index);
3131
3132 continue;
3133 }
3134
3135 if (!Section.compare("imm"))
3136 {
3137 //
3138 // the next command is immediate messaging indicator
3139 //
3140 IsNextCommandImmediateMessaging = TRUE;
3141
3142 //
3143 // Add index to remove it from the command
3144 //
3145 IndexesToRemove.push_back(Index);
3146
3147 continue;
3148 }
3149
3150 if (!Section.compare("stage"))
3151 {
3152 //
3153 // the next command is execution mode (pre- and post-events)
3154 //
3155 IsNextCommandExecutionStage = TRUE;
3156
3157 //
3158 // Add index to remove it from the command
3159 //
3160 IndexesToRemove.push_back(Index);
3161
3162 continue;
3163 }
3164
3165 if (!Section.compare("sc"))
3166 {
3167 //
3168 // the next command is the default short-circuiting state
3169 //
3170 IsNextCommandSc = TRUE;
3171
3172 //
3173 // Add index to remove it from the command
3174 //
3175 IndexesToRemove.push_back(Index);
3176
3177 continue;
3178 }
3179
3180 if (!Section.compare("buffer"))
3181 {
3182 IsNextCommandBufferSize = TRUE;
3183
3184 //
3185 // Add index to remove it from the command
3186 //
3187 IndexesToRemove.push_back(Index);
3188
3189 continue;
3190 }
3191 }
3192
3193 //
3194 // Additional validation
3195 //
3196 if (IsNextCommandCoreId)
3197 {
3198 ShowMessages("err, please specify a value for 'core'\n");
3199
3200 *ReasonForErrorInParsing = DEBUGGER_EVENT_PARSING_ERROR_CAUSE_FORMAT_ERROR;
3201
3202 goto ReturnWithError;
3203 }
3204
3205 if (IsNextCommandPid)
3206 {
3207 ShowMessages("err, please specify a value for 'pid'\n");
3208
3209 *ReasonForErrorInParsing = DEBUGGER_EVENT_PARSING_ERROR_CAUSE_FORMAT_ERROR;
3210
3211 goto ReturnWithError;
3212 }
3213
3214 if (IsNextCommandBufferSize)
3215 {
3216 ShowMessages("err, please specify a value for 'buffer'\n");
3217
3218 *ReasonForErrorInParsing = DEBUGGER_EVENT_PARSING_ERROR_CAUSE_FORMAT_ERROR;
3219
3220 goto ReturnWithError;
3221 }
3222
3223 if (IsNextCommandImmediateMessaging)
3224 {
3225 ShowMessages("err, please specify a value for 'imm'\n");
3226
3227 *ReasonForErrorInParsing = DEBUGGER_EVENT_PARSING_ERROR_CAUSE_FORMAT_ERROR;
3228
3229 goto ReturnWithError;
3230 }
3231
3232 if (IsNextCommandExecutionStage)
3233 {
3234 ShowMessages("err, please specify a value for 'stage'\n");
3235
3236 *ReasonForErrorInParsing = DEBUGGER_EVENT_PARSING_ERROR_CAUSE_FORMAT_ERROR;
3237
3238 goto ReturnWithError;
3239 }
3240
3241 if (IsNextCommandSc)
3242 {
3243 ShowMessages("err, please specify a value for 'sc'\n");
3244
3245 *ReasonForErrorInParsing = DEBUGGER_EVENT_PARSING_ERROR_CAUSE_FORMAT_ERROR;
3246
3247 goto ReturnWithError;
3248 }
3249
3250 //
3251 // Check to make sure that short-circuiting is not used in post-events
3252 //
3253 if ((CallingStage == VMM_CALLBACK_CALLING_STAGE_POST_EVENT_EMULATION ||
3254 CallingStage == VMM_CALLBACK_CALLING_STAGE_ALL_EVENT_EMULATION) &&
3255 IsAShortCircuitingEventByDefault)
3256 {
3257 ShowMessages(
3258 "err, using the short-circuiting mechanism with 'post' or 'all' stage events "
3259 "doesn't make sense; it's not supported!\n");
3260
3261 *ReasonForErrorInParsing = DEBUGGER_EVENT_PARSING_ERROR_CAUSE_USING_SHORT_CIRCUITING_IN_POST_EVENTS;
3262
3263 goto ReturnWithError;
3264 }
3265
3266 //
3267 // It's not possible to break to debugger in VMI-mode
3268 //
3269 if (!g_IsSerialConnectedToRemoteDebuggee && TempActionBreak != NULL)
3270 {
3271 ShowMessages(
3272 "err, the script or assembly code is either not found or invalid. "
3273 "As a result, the default action is to break. "
3274 "However, breaking to the debugger is not possible in the VMI Mode. "
3275 "To achieve full control of the system, you can switch to the Debugger Mode. "
3276 "In the VMI Mode, you can still use scripts and run custom code for local debugging."
3277 "For more information, please check: https://docs.hyperdbg.org/using-hyperdbg/prerequisites/operation-modes\n");
3278
3279 *ReasonForErrorInParsing = DEBUGGER_EVENT_PARSING_ERROR_CAUSE_ATTEMPT_TO_BREAK_ON_VMI_MODE;
3280
3281 goto ReturnWithError;
3282 }
3283
3284 //
3285 // We do not support non-immediate message passing if the user
3286 // specified a special output
3287 //
3288 if (!ImmediateMessagePassing && HasOutputPath)
3289 {
3290 ShowMessages("err, non-immediate message passing is not supported in "
3291 "'output-forwarding mode'\n");
3292
3293 *ReasonForErrorInParsing = DEBUGGER_EVENT_PARSING_ERROR_CAUSE_IMMEDIATE_MESSAGING_IN_EVENT_FORWARDING_MODE;
3294
3295 goto ReturnWithError;
3296 }
3297
3298 //
3299 // Set the specific requested immediate message passing
3300 //
3301 if (TempActionBreak != NULL)
3302 {
3303 TempActionBreak->ImmediateMessagePassing = ImmediateMessagePassing;
3304 }
3305 if (TempActionScript != NULL)
3306 {
3307 TempActionScript->ImmediateMessagePassing = ImmediateMessagePassing;
3308 }
3309 if (TempActionCustomCode != NULL)
3310 {
3311 TempActionCustomCode->ImmediateMessagePassing = ImmediateMessagePassing;
3312 }
3313
3314 //
3315 // Set the tags into the event list
3316 //
3317 IndexOfValidSourceTags = 0;
3318 for (auto item : ListOfValidSourceTags)
3319 {
3320 TempEvent->OutputSourceTags[IndexOfValidSourceTags] = item;
3321
3322 //
3323 // Increase index
3324 //
3325 IndexOfValidSourceTags++;
3326 }
3327
3328 //
3329 // If it has output then we should indicate it in event's object
3330 //
3331 if (HasOutputPath)
3332 {
3333 TempEvent->HasCustomOutput = TRUE;
3334 }
3335
3336 //
3337 // Set the specific requested short-circuiting state
3338 //
3339 if (IsAShortCircuitingEventByDefault)
3340 {
3341 TempEvent->EnableShortCircuiting = TRUE;
3342 }
3343
3344 //
3345 // Set the specific event mode (calling stage)
3346 //
3347 TempEvent->EventStage = CallingStage;
3348
3349 //
3350 // Fill the address and length of event before release
3351 //
3352 *EventDetailsToFill = TempEvent;
3353 *EventBufferLength = LengthOfEventBuffer;
3354
3355 //
3356 // Fill the address and length of action before release
3357 //
3358 if (TempActionBreak != NULL)
3359 {
3360 *ActionDetailsToFillBreakToDebugger = TempActionBreak;
3361 *ActionBufferLengthBreakToDebugger = LengthOfBreakActionBuffer;
3362 }
3363 if (TempActionScript != NULL)
3364 {
3365 *ActionDetailsToFillScript = TempActionScript;
3366 *ActionBufferLengthScript = LengthOfScriptActionBuffer;
3367 }
3368 if (TempActionCustomCode != NULL)
3369 {
3370 *ActionDetailsToFillCustomCode = TempActionCustomCode;
3371 *ActionBufferLengthCustomCode = LengthOfCustomCodeActionBuffer;
3372 }
3373
3374 //
3375 // Remove the command that we interpreted above from the command
3376 //
3377 for (auto IndexToRemove : IndexesToRemove)
3378 {
3379 NewIndexToRemove++;
3380 SplitCommand->erase(SplitCommand->begin() + (IndexToRemove - NewIndexToRemove));
3381 SplitCommandCaseSensitive->erase(SplitCommandCaseSensitive->begin() + (IndexToRemove - NewIndexToRemove));
3382 }
3383
3384 //
3385 // Check if list is initialized or not
3386 //
3387 if (!g_EventTraceInitialized)
3388 {
3389 InitializeListHead(&g_EventTrace);
3390 g_EventTraceInitialized = TRUE;
3391 }
3392
3393 //
3394 // Add the event to the trace list
3395 // UPDATE : if we add it here, then if the event was not
3396 // successful then still the event shows this event, so
3397 // we have to add it lated
3398 //
3399 // InsertHeadList(&g_EventTrace, &(TempEvent->CommandsEventList));
3400
3401 //
3402 // Everything is ok, let's return TRUE
3403 //
3404 *ReasonForErrorInParsing = DEBUGGER_EVENT_PARSING_ERROR_CAUSE_SUCCESSFUL_NO_ERROR;
3405 return TRUE;
3406
3407ReturnWithError:
3408
3409 if (BufferOfCommandString)
3410 {
3411 free(BufferOfCommandString);
3412 }
3413
3414 if (TempEvent)
3415 {
3416 free(TempEvent);
3417 }
3418
3419 if (TempActionBreak != NULL)
3420 {
3421 free(TempActionBreak);
3422 }
3423 if (TempActionScript != NULL)
3424 {
3425 free(TempActionScript);
3426 }
3427 if (TempActionCustomCode != NULL)
3428 {
3429 free(TempActionCustomCode);
3430 }
3431
3432 return FALSE;
3433}
UseImmediateMessagingByDefaultOnEvents
#define UseImmediateMessagingByDefaultOnEvents
Use immediate messaging (means that it sends each message when they received and do not accumulate th...
Definition Configuration.h:57
DEBUGGER_EVENT_APPLY_TO_ALL_CORES
#define DEBUGGER_EVENT_APPLY_TO_ALL_CORES
Apply the event to all the cores.
Definition Constants.h:611
DebuggerOutputSourceMaximumRemoteSourceForSingleEvent
#define DebuggerOutputSourceMaximumRemoteSourceForSingleEvent
Determines how many sources a debugger can have for a single event.
Definition Constants.h:243
DEBUGGER_EVENT_APPLY_TO_ALL_PROCESSES
#define DEBUGGER_EVENT_APPLY_TO_ALL_PROCESSES
Apply the event to all the processes.
Definition Constants.h:617
VMM_CALLBACK_EVENT_CALLING_STAGE_TYPE
enum _VMM_CALLBACK_EVENT_CALLING_STAGE_TYPE VMM_CALLBACK_EVENT_CALLING_STAGE_TYPE
Type of calling the event.
VMM_CALLBACK_CALLING_STAGE_ALL_EVENT_EMULATION
@ VMM_CALLBACK_CALLING_STAGE_ALL_EVENT_EMULATION
Definition DataTypes.h:95
VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION
@ VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION
Definition DataTypes.h:93
VMM_CALLBACK_CALLING_STAGE_POST_EVENT_EMULATION
@ VMM_CALLBACK_CALLING_STAGE_POST_EVENT_EMULATION
Definition DataTypes.h:94
InitializeListHead
FORCEINLINE VOID InitializeListHead(_Out_ PLIST_ENTRY ListHead)
Definition Windows.h:41
ConvertStringToUInt32
BOOLEAN ConvertStringToUInt32(string TextToConvert, PUINT32 Result)
check and convert string to a 32 bit unsigned it and also check for special notations like 0x etc.
Definition common.cpp:347
RemoveSpaces
std::string RemoveSpaces(std::string str)
Remove all the spaces in a string.
Definition common.cpp:606
InterpretOutput
BOOLEAN InterpretOutput(vector< string > *SplitCommand, vector< string > *SplitCommandCaseSensitive, vector< string > &InputSources)
Interpret output (if an event has special output)
Definition debugger.cpp:1703
g_OutputSourcesInitialized
BOOLEAN g_OutputSourcesInitialized
it shows whether the debugger started using output sources or not or in other words,...
Definition globals.h:408
g_EventTrace
LIST_ENTRY g_EventTrace
Holds a list of events in kernel and the state of events and the commands to show the state of each c...
Definition globals.h:400
g_EventTraceInitialized
BOOLEAN g_EventTraceInitialized
it shows whether the debugger started using events or not or in other words, is g_EventTrace initiali...
Definition globals.h:390
InterpretConditionsAndCodes
BOOLEAN InterpretConditionsAndCodes(vector< string > *SplitCommand, vector< string > *SplitCommandCaseSensitive, BOOLEAN IsConditionBuffer, PUINT64 BufferAddress, PUINT32 BufferLength)
Interpret conditions (if an event has condition) and custom code.
Definition debugger.cpp:1246
g_ActiveProcessDebuggingState
ACTIVE_DEBUGGING_PROCESS g_ActiveProcessDebuggingState
State of active debugging thread.
Definition globals.h:362
InterpretScript
BOOLEAN InterpretScript(vector< string > *SplitCommand, vector< string > *SplitCommandCaseSensitive, PBOOLEAN ScriptSyntaxErrors, PUINT64 BufferAddress, PUINT32 BufferLength, PUINT32 Pointer, PUINT64 ScriptCodeBuffer)
Interpret script (if an event has script)
Definition debugger.cpp:763
g_OutputSources
LIST_ENTRY g_OutputSources
Holds a list of output sources created by output command.
Definition globals.h:417
GetNewDebuggerEventTag
UINT64 GetNewDebuggerEventTag()
Get the New Debugger Event Tag object and increase the global variable for tag.
Definition debugger.cpp:2280
EVENT_FORWARDING_CLOSED
@ EVENT_FORWARDING_CLOSED
Definition forwarding.h:55
EVENT_FORWARDING_STATE_NOT_OPENED
@ EVENT_FORWARDING_STATE_NOT_OPENED
Definition forwarding.h:53
DEBUGGER_GENERAL_EVENT_DETAIL
struct _DEBUGGER_GENERAL_EVENT_DETAIL DEBUGGER_GENERAL_EVENT_DETAIL
Each command is like the following struct, it also used for tracing works in user mode and sending it...
PDEBUGGER_GENERAL_EVENT_DETAIL
struct _DEBUGGER_GENERAL_EVENT_DETAIL * PDEBUGGER_GENERAL_EVENT_DETAIL
RUN_CUSTOM_CODE
@ RUN_CUSTOM_CODE
Definition Events.h:182
BREAK_TO_DEBUGGER
@ BREAK_TO_DEBUGGER
Definition Events.h:180
RUN_SCRIPT
@ RUN_SCRIPT
Definition Events.h:181
DEBUGGER_GENERAL_ACTION
struct _DEBUGGER_GENERAL_ACTION DEBUGGER_GENERAL_ACTION
Each event can have multiple actions.
PDEBUGGER_GENERAL_ACTION
struct _DEBUGGER_GENERAL_ACTION * PDEBUGGER_GENERAL_ACTION
DEBUGGER_EVENT_PARSING_ERROR_CAUSE_OUTPUT_NAME_NOT_FOUND
@ DEBUGGER_EVENT_PARSING_ERROR_CAUSE_OUTPUT_NAME_NOT_FOUND
Definition debugger.h:74
DEBUGGER_EVENT_PARSING_ERROR_CAUSE_SUCCESSFUL_NO_ERROR
@ DEBUGGER_EVENT_PARSING_ERROR_CAUSE_SUCCESSFUL_NO_ERROR
Definition debugger.h:70
DEBUGGER_EVENT_PARSING_ERROR_CAUSE_MAXIMUM_INPUT_REACHED
@ DEBUGGER_EVENT_PARSING_ERROR_CAUSE_MAXIMUM_INPUT_REACHED
Definition debugger.h:73
DEBUGGER_EVENT_PARSING_ERROR_CAUSE_USING_SHORT_CIRCUITING_IN_POST_EVENTS
@ DEBUGGER_EVENT_PARSING_ERROR_CAUSE_USING_SHORT_CIRCUITING_IN_POST_EVENTS
Definition debugger.h:80
DEBUGGER_EVENT_PARSING_ERROR_CAUSE_NO_INPUT
@ DEBUGGER_EVENT_PARSING_ERROR_CAUSE_NO_INPUT
Definition debugger.h:72
DEBUGGER_EVENT_PARSING_ERROR_CAUSE_OUTPUT_SOURCE_ALREADY_CLOSED
@ DEBUGGER_EVENT_PARSING_ERROR_CAUSE_OUTPUT_SOURCE_ALREADY_CLOSED
Definition debugger.h:75
DEBUGGER_EVENT_PARSING_ERROR_CAUSE_SCRIPT_SYNTAX_ERROR
@ DEBUGGER_EVENT_PARSING_ERROR_CAUSE_SCRIPT_SYNTAX_ERROR
Definition debugger.h:71
DEBUGGER_EVENT_PARSING_ERROR_CAUSE_IMMEDIATE_MESSAGING_IN_EVENT_FORWARDING_MODE
@ DEBUGGER_EVENT_PARSING_ERROR_CAUSE_IMMEDIATE_MESSAGING_IN_EVENT_FORWARDING_MODE
Definition debugger.h:79
DEBUGGER_EVENT_PARSING_ERROR_CAUSE_ALLOCATION_ERROR
@ DEBUGGER_EVENT_PARSING_ERROR_CAUSE_ALLOCATION_ERROR
Definition debugger.h:76
DEBUGGER_EVENT_PARSING_ERROR_CAUSE_ATTEMPT_TO_BREAK_ON_VMI_MODE
@ DEBUGGER_EVENT_PARSING_ERROR_CAUSE_ATTEMPT_TO_BREAK_ON_VMI_MODE
Definition debugger.h:78
DEBUGGER_EVENT_PARSING_ERROR_CAUSE_FORMAT_ERROR
@ DEBUGGER_EVENT_PARSING_ERROR_CAUSE_FORMAT_ERROR
Definition debugger.h:77
ScriptEngineWrapperRemoveSymbolBuffer
VOID ScriptEngineWrapperRemoveSymbolBuffer(PVOID SymbolBuffer)
wrapper for removing symbol buffer
Definition script-engine-wrapper.cpp:860
_ACTIVE_DEBUGGING_PROCESS::ProcessId
UINT32 ProcessId
Definition ud.h:51
_ACTIVE_DEBUGGING_PROCESS::IsActive
BOOLEAN IsActive
Definition ud.h:49
_DEBUGGER_EVENT_FORWARDING
structures hold the detail of event forwarding
Definition forwarding.h:80
_DEBUGGER_EVENT_FORWARDING::State
DEBUGGER_EVENT_FORWARDING_STATE State
Definition forwarding.h:82
_DEBUGGER_EVENT_FORWARDING::Name
CHAR Name[MAXIMUM_CHARACTERS_FOR_EVENT_FORWARDING_NAME]
Definition forwarding.h:89
_DEBUGGER_EVENT_FORWARDING::OutputUniqueTag
UINT64 OutputUniqueTag
Definition forwarding.h:86
_DEBUGGER_GENERAL_ACTION
Each event can have multiple actions.
Definition Events.h:406
_DEBUGGER_GENERAL_ACTION::CustomCodeBufferSize
UINT32 CustomCodeBufferSize
Definition Events.h:412
_DEBUGGER_GENERAL_ACTION::ScriptBufferSize
UINT32 ScriptBufferSize
Definition Events.h:413
_DEBUGGER_GENERAL_ACTION::ActionType
DEBUGGER_EVENT_ACTION_TYPE_ENUM ActionType
Definition Events.h:408
_DEBUGGER_GENERAL_ACTION::ScriptBufferPointer
UINT32 ScriptBufferPointer
Definition Events.h:414
_DEBUGGER_GENERAL_ACTION::PreAllocatedBuffer
UINT32 PreAllocatedBuffer
Definition Events.h:410
_DEBUGGER_GENERAL_ACTION::ImmediateMessagePassing
BOOLEAN ImmediateMessagePassing
Definition Events.h:409
_DEBUGGER_GENERAL_ACTION::EventTag
UINT64 EventTag
Definition Events.h:407
_DEBUGGER_GENERAL_EVENT_DETAIL
Each command is like the following struct, it also used for tracing works in user mode and sending it...
Definition Events.h:350
_DEBUGGER_GENERAL_EVENT_DETAIL::EnableShortCircuiting
BOOLEAN EnableShortCircuiting
Definition Events.h:366
_DEBUGGER_GENERAL_EVENT_DETAIL::IsEnabled
BOOLEAN IsEnabled
Definition Events.h:364
_DEBUGGER_GENERAL_EVENT_DETAIL::EventType
VMM_EVENT_TYPE_ENUM EventType
Definition Events.h:389
_DEBUGGER_GENERAL_EVENT_DETAIL::CountOfActions
UINT32 CountOfActions
Definition Events.h:386
_DEBUGGER_GENERAL_EVENT_DETAIL::OutputSourceTags
UINT64 OutputSourceTags[DebuggerOutputSourceMaximumRemoteSourceForSingleEvent]
Definition Events.h:377
_DEBUGGER_GENERAL_EVENT_DETAIL::Tag
UINT64 Tag
Definition Events.h:388
_DEBUGGER_GENERAL_EVENT_DETAIL::HasCustomOutput
BOOLEAN HasCustomOutput
Definition Events.h:372
_DEBUGGER_GENERAL_EVENT_DETAIL::EventStage
VMM_CALLBACK_EVENT_CALLING_STAGE_TYPE EventStage
Definition Events.h:369
_DEBUGGER_GENERAL_EVENT_DETAIL::ConditionBufferSize
UINT32 ConditionBufferSize
Definition Events.h:395
_DEBUGGER_GENERAL_EVENT_DETAIL::ProcessId
UINT32 ProcessId
Definition Events.h:360
_DEBUGGER_GENERAL_EVENT_DETAIL::CoreId
UINT32 CoreId
Definition Events.h:357
_DEBUGGER_GENERAL_EVENT_DETAIL::CreationTime
time_t CreationTime
Definition Events.h:355

◆ InterpretOutput()

BOOLEAN InterpretOutput ( vector< string > * SplitCommand,
vector< string > * SplitCommandCaseSensitive,
vector< string > & InputSources )

Interpret output (if an event has special output)

If this function returns true then it means that there is a special input that needs to be considered for this event (other than just printing) like sending over network, save to file, and send over a namedpipe

Parameters
SplitCommandthe initialized command that are split by space
SplitCommandCaseSensitivethe initialized command that are split by space case sensitive
BufferAddressthe address that the allocated buffer will be saved on it
BufferLengththe length of the buffer
Returns
BOOLEAN shows whether the interpret was successful (true) or not successful (false)
1706{
1707 BOOLEAN IsTextVisited = FALSE;
1708 BOOLEAN IsInState = FALSE;
1709 BOOLEAN IsEnded = FALSE;
1710 string AppendedFinalBuffer;
1711 vector<string> SaveBuffer;
1712 vector<int> IndexesToRemove;
1713 string Token;
1714 string TempStr;
1715 int NewIndexToRemove = 0;
1716 int Index = 0;
1717 char Delimiter = ',';
1718 size_t Pos = 0;
1719 vector<string> SplitCommandCaseSensitiveInstance = *SplitCommandCaseSensitive;
1720 UINT32 IndexInCommandCaseSensitive = 0;
1721
1722 for (auto Section : *SplitCommand)
1723 {
1724 IndexInCommandCaseSensitive++;
1725 Index++;
1726
1727 if (IsInState)
1728 {
1729 //
1730 // Check if the buffer is ended or not
1731 //
1732 if (!Section.compare("}"))
1733 {
1734 //
1735 // Save to remove this string from the command
1736 //
1737 IndexesToRemove.push_back(Index);
1738 IsEnded = TRUE;
1739 break;
1740 }
1741
1742 //
1743 // Check if the output is end or not
1744 //
1745 if (HasEnding(Section, "}"))
1746 {
1747 //
1748 // Save to remove this string from the command
1749 //
1750 IndexesToRemove.push_back(Index);
1751
1752 //
1753 // remove the last character and append it to the output buffer
1754 //
1755 TempStr = SplitCommandCaseSensitiveInstance.at(IndexInCommandCaseSensitive - 1);
1756 SaveBuffer.emplace_back(TempStr.begin(), TempStr.begin() + TempStr.size() - 1);
1757
1758 IsEnded = TRUE;
1759 break;
1760 }
1761
1762 //
1763 // Save to remove this string from the command
1764 //
1765 IndexesToRemove.push_back(Index);
1766
1767 //
1768 // Add the codes into buffer buffer
1769 //
1770 SaveBuffer.push_back(SplitCommandCaseSensitiveInstance.at(IndexInCommandCaseSensitive - 1));
1771
1772 //
1773 // We want to stay in this condition
1774 //
1775 continue;
1776 }
1777
1778 if (IsTextVisited && !Section.compare("{"))
1779 {
1780 //
1781 // Save to remove this string from the command
1782 //
1783 IndexesToRemove.push_back(Index);
1784
1785 IsInState = TRUE;
1786 continue;
1787 }
1788
1789 if (IsTextVisited && Section.rfind('{', 0) == 0)
1790 {
1791 //
1792 // Section starts with {
1793 //
1794
1795 //
1796 // Check if it ends with }
1797 //
1798 if (HasEnding(Section, "}"))
1799 {
1800 //
1801 // Save to remove this string from the command
1802 //
1803 IndexesToRemove.push_back(Index);
1804
1805 TempStr = SplitCommandCaseSensitiveInstance.at(IndexInCommandCaseSensitive - 1).erase(0, 1);
1806 SaveBuffer.emplace_back(TempStr.begin(), TempStr.begin() + TempStr.size() - 1);
1807
1808 IsEnded = TRUE;
1809 break;
1810 }
1811
1812 //
1813 // Save to remove this string from the command
1814 //
1815 IndexesToRemove.push_back(Index);
1816
1817 SaveBuffer.push_back(SplitCommandCaseSensitiveInstance.at(IndexInCommandCaseSensitive - 1).erase(0, 1));
1818
1819 IsInState = TRUE;
1820 continue;
1821 }
1822
1823 if (!Section.compare("output"))
1824 {
1825 //
1826 // Save to remove this string from the command
1827 //
1828 IndexesToRemove.push_back(Index);
1829
1830 IsTextVisited = TRUE;
1831 continue;
1832 }
1833
1834 if (!Section.compare("output{"))
1835 {
1836 //
1837 // Save to remove this string from the command
1838 //
1839 IndexesToRemove.push_back(Index);
1840
1841 IsTextVisited = TRUE;
1842 IsInState = TRUE;
1843 continue;
1844 }
1845
1846 if (Section.rfind("output{", 0) == 0)
1847 {
1848 //
1849 // Save to remove this string from the command
1850 //
1851 IndexesToRemove.push_back(Index);
1852
1853 IsTextVisited = TRUE;
1854 IsInState = TRUE;
1855
1856 if (!HasEnding(Section, "}"))
1857 {
1858 //
1859 // Section starts with output{
1860 //
1861 SaveBuffer.push_back(SplitCommandCaseSensitiveInstance.at(IndexInCommandCaseSensitive - 1).erase(0, 7));
1862 continue;
1863 }
1864 else
1865 {
1866 //
1867 // remove the last character and first character append it to the
1868 // Output
1869 //
1870 TempStr = SplitCommandCaseSensitiveInstance.at(IndexInCommandCaseSensitive - 1).erase(0, 7);
1871 SaveBuffer.emplace_back(TempStr.begin(), TempStr.begin() + TempStr.size() - 1);
1872
1873 IsEnded = TRUE;
1874 break;
1875 }
1876 }
1877 }
1878
1879 //
1880 // Now we have everything in buffer buffer
1881 // Check to see if it is empty or not
1882 //
1883 if (SaveBuffer.size() == 0)
1884 {
1885 //
1886 // Nothing in output buffer, return zero
1887 //
1888 return FALSE;
1889 }
1890
1891 //
1892 // Check if we see '}' at the end
1893 //
1894 if (!IsEnded)
1895 {
1896 //
1897 // Nothing in output buffer, return zero
1898 //
1899 return FALSE;
1900 }
1901
1902 //
1903 // If we reach here then there is sth in condition buffer
1904 //
1905 for (auto Section : SaveBuffer)
1906 {
1907 AppendedFinalBuffer.append(Section);
1908 AppendedFinalBuffer.append(" ");
1909 }
1910
1911 //
1912 // Check if we see multiple sources or it's just one single output
1913 //
1914 if (AppendedFinalBuffer.find(Delimiter) != std::string::npos)
1915 {
1916 //
1917 // Delimiter found !
1918 //
1919 while ((Pos = AppendedFinalBuffer.find(Delimiter)) != string::npos)
1920 {
1921 Token = AppendedFinalBuffer.substr(0, Pos);
1922 Trim(Token);
1923
1924 if (!Token.empty())
1925 {
1926 InputSources.push_back(Token);
1927 }
1928
1929 AppendedFinalBuffer.erase(0, Pos + sizeof(Delimiter) / sizeof(char));
1930 }
1931
1932 if (!AppendedFinalBuffer.empty())
1933 {
1934 InputSources.push_back(AppendedFinalBuffer);
1935 }
1936 }
1937 else
1938 {
1939 //
1940 // Delimiter not found !
1941 //
1942 InputSources.push_back(AppendedFinalBuffer);
1943 }
1944
1945 //
1946 // Removing the code or condition indexes from the command
1947 //
1948 NewIndexToRemove = 0;
1949 for (auto IndexToRemove : IndexesToRemove)
1950 {
1951 NewIndexToRemove++;
1952
1953 SplitCommand->erase(SplitCommand->begin() + (IndexToRemove - NewIndexToRemove));
1954 SplitCommandCaseSensitive->erase(SplitCommandCaseSensitive->begin() + (IndexToRemove - NewIndexToRemove));
1955 }
1956
1957 return TRUE;
1958}
Trim
void Trim(std::string &s)
trim from both ends and start of a string (in place)
Definition common.cpp:594

◆ InterpretScript()

BOOLEAN InterpretScript ( vector< string > * SplitCommand,
vector< string > * SplitCommandCaseSensitive,
PBOOLEAN ScriptSyntaxErrors,
PUINT64 BufferAddress,
PUINT32 BufferLength,
PUINT32 Pointer,
PUINT64 ScriptCodeBuffer )

Interpret script (if an event has script)

If this function returns true then it means that there is a script in this command split and the details are returned in the input structure

Parameters
SplitCommandthe initialized command that are split by space
SplitCommandCaseSensitivecase sensitive split command
BufferAddressthe address that the allocated buffer will be saved on it
BufferLengththe length of the buffer
Returns
BOOLEAN shows whether the interpret was successful (true) or not successful (false)
770{
771 BOOLEAN IsTextVisited = FALSE;
772 BOOLEAN IsInState = FALSE;
773 BOOLEAN IsEnded = FALSE;
774 string AppendedFinalBuffer;
775 vector<string> SaveBuffer;
776 vector<int> IndexesToRemove;
777 UINT32 Index = 0;
778 UINT32 NewIndexToRemove = 0;
779 INT32 OpenBracket = 0; // Should be signed
780 UINT32 CountOfOpenBrackets;
781 UINT32 CountOfCloseBrackets;
782 UINT32 IndexInCommandCaseSensitive = 0;
783 vector<string> SplitCommandCaseSensitiveInstance = *SplitCommandCaseSensitive;
784 string TempStr;
785
786 //
787 // Indicate that there is an error at first
788 //
789 *ScriptSyntaxErrors = TRUE;
790
791 for (auto Section : *SplitCommand)
792 {
793 IndexInCommandCaseSensitive++;
794 Index++;
795
796 if (IsInState)
797 {
798 if (OpenBracket == 0 && Section.find('{') == string::npos)
799 {
800 //
801 // Check if the buffer is ended or not
802 //
803 if (!Section.compare("}"))
804 {
805 //
806 // Save to remove this string from the command
807 //
808 IndexesToRemove.push_back(Index);
809 IsEnded = TRUE;
810 break;
811 }
812
813 //
814 // Check if the script is end or not
815 //
816 if (HasEnding(Section, "}"))
817 {
818 //
819 // Save to remove this string from the command
820 //
821 IndexesToRemove.push_back(Index);
822
823 //
824 // remove the last character and append it to the ConditionBuffer
825 //
826 TempStr = SplitCommandCaseSensitiveInstance.at(IndexInCommandCaseSensitive - 1);
827 SaveBuffer.emplace_back(TempStr.begin(), TempStr.begin() + TempStr.size() - 1);
828
829 IsEnded = TRUE;
830 break;
831 }
832 }
833
834 //
835 // Save to remove this string from the command
836 //
837 IndexesToRemove.push_back(Index);
838
839 //
840 // Check if script contains bracket "{"
841 //
842 if (Section.find('{') != string::npos)
843 {
844 //
845 // We find a { between the script
846 //
847
848 //
849 // Check the count of brackets in the string and add it to OpenBracket
850 //
851 UINT32 CountOfBrackets = (UINT32)count(Section.begin(), Section.end(), '{');
852
853 //
854 // Add it to the open brackets
855 //
856 OpenBracket += CountOfBrackets;
857 }
858
859 //
860 // Check if script contains bracket "}"
861 //
862 if (Section.find('}') != string::npos)
863 {
864 //
865 // We find a } between the script
866 //
867
868 //
869 // Check the count of brackets in the string and add it to OpenBracket
870 //
871 UINT32 CountOfBrackets = (UINT32)count(Section.begin(), Section.end(), '}');
872
873 //
874 // Add it to the open brackets
875 //
876 OpenBracket -= CountOfBrackets;
877
878 if (OpenBracket < 0)
879 {
880 OpenBracket = 0;
881 IsEnded = TRUE;
882 TempStr = SplitCommandCaseSensitiveInstance.at(IndexInCommandCaseSensitive - 1);
883 SaveBuffer.emplace_back(TempStr.begin(), TempStr.begin() + TempStr.size() - 1);
884 break;
885 }
886 }
887
888 //
889 // Add the text as the script screen
890 //
891 SaveBuffer.push_back(SplitCommandCaseSensitiveInstance.at(IndexInCommandCaseSensitive - 1));
892
893 //
894 // We want to stay in this condition
895 //
896 continue;
897 }
898
899 if (IsTextVisited && !Section.compare("{"))
900 {
901 //
902 // Save to remove this string from the command
903 //
904 IndexesToRemove.push_back(Index);
905
906 IsInState = TRUE;
907 continue;
908 }
909
910 if (IsTextVisited && Section.rfind('{', 0) == 0)
911 {
912 //
913 // Section starts with {
914 //
915
916 //
917 // Check if script contains bracket "{"
918 //
919 if (Section.find('{') != string::npos)
920 {
921 //
922 // We find a { between the script
923 //
924
925 //
926 // Check the count of brackets in the string and add it to OpenBracket
927 //
928 UINT32 CountOfBrackets = (UINT32)count(Section.begin(), Section.end(), '{');
929
930 //
931 // Add it to the open brackets (-1 because script starts with { which
932 // is not related to our interpretation of script)
933 //
934 OpenBracket += CountOfBrackets - 1;
935 }
936
937 //
938 // Check if it ends with }
939 //
940 if (OpenBracket == 0 && HasEnding(Section, "}"))
941 {
942 //
943 // Save to remove this string from the command
944 //
945 IndexesToRemove.push_back(Index);
946
947 TempStr = SplitCommandCaseSensitiveInstance.at(IndexInCommandCaseSensitive - 1).erase(0, 1);
948 SaveBuffer.emplace_back(TempStr.begin(), TempStr.begin() + TempStr.size() - 1);
949
950 IsEnded = TRUE;
951 break;
952 }
953
954 //
955 // Check if script contains bracket "}"
956 //
957 if (Section.find('}') != string::npos)
958 {
959 //
960 // We find a } between the script
961 //
962
963 //
964 // Check the count of brackets in the string and add it to OpenBracket
965 //
966 UINT32 CountOfBrackets = (UINT32)count(Section.begin(), Section.end(), '}');
967
968 //
969 // Add it to the open brackets
970 //
971 OpenBracket -= CountOfBrackets;
972
973 if (OpenBracket < 0)
974 {
975 OpenBracket = 0;
976 IsEnded = TRUE;
977 TempStr = SplitCommandCaseSensitiveInstance.at(IndexInCommandCaseSensitive - 1);
978 SaveBuffer.emplace_back(TempStr.begin(), TempStr.begin() + TempStr.size() - 1);
979 break;
980 }
981 }
982
983 //
984 // Save to remove this string from the command
985 //
986 IndexesToRemove.push_back(Index);
987
988 SaveBuffer.push_back(SplitCommandCaseSensitiveInstance.at(IndexInCommandCaseSensitive - 1).erase(0, 1));
989
990 IsInState = TRUE;
991 continue;
992 }
993
994 //
995 // Check if it's a script
996 //
997 if (!Section.compare("script"))
998 {
999 //
1000 // Save to remove this string from the command
1001 //
1002 IndexesToRemove.push_back(Index);
1003
1004 IsTextVisited = TRUE;
1005 continue;
1006 }
1007
1008 //
1009 // Check if it's a script with script{
1010 //
1011 if (!Section.compare("script{"))
1012 {
1013 //
1014 // Save to remove this string from the command
1015 //
1016 IndexesToRemove.push_back(Index);
1017
1018 IsTextVisited = TRUE;
1019 IsInState = TRUE;
1020 continue;
1021 }
1022
1023 //
1024 // It's a script
1025 //
1026 if (Section.rfind("script{", 0) == 0)
1027 {
1028 //
1029 // Save to remove this string from the command
1030 //
1031 IndexesToRemove.push_back(Index);
1032
1033 IsTextVisited = TRUE;
1034 IsInState = TRUE;
1035 CountOfOpenBrackets = (UINT32)count(Section.begin(), Section.end(), '{');
1036 CountOfCloseBrackets = (UINT32)count(Section.begin(), Section.end(), '}');
1037
1038 //
1039 // Check if script contains bracket "{"
1040 //
1041 if (Section.find('{') != string::npos)
1042 {
1043 //
1044 // We find a { between the script
1045 //
1046
1047 //
1048 // Add it to the open brackets (-1 because script starts with { which
1049 // is not related to our interpretation of script)
1050 //
1051 OpenBracket += CountOfOpenBrackets - 1;
1052 }
1053
1054 if (CountOfOpenBrackets == CountOfCloseBrackets || (OpenBracket == 0 && HasEnding(Section, "}")))
1055 {
1056 //
1057 // remove the last character and first character append it to the
1058 // ConditionBuffer
1059 //
1060 TempStr = SplitCommandCaseSensitiveInstance.at(IndexInCommandCaseSensitive - 1).erase(0, 7);
1061 SaveBuffer.emplace_back(TempStr.begin(), TempStr.begin() + TempStr.size() - 1);
1062
1063 IsEnded = TRUE;
1064 OpenBracket = 0;
1065 break;
1066 }
1067 else
1068 {
1069 //
1070 // Section starts with script{
1071 //
1072 SaveBuffer.push_back(SplitCommandCaseSensitiveInstance.at(IndexInCommandCaseSensitive - 1).erase(0, 7));
1073
1074 //
1075 // Check if script contains bracket "}"
1076 //
1077 if (Section.find('}') != string::npos)
1078 {
1079 //
1080 // We find a } between the script
1081 //
1082
1083 //
1084 // Check the count of brackets in the string and add it to OpenBracket
1085 //
1086 UINT32 CountOfBrackets = (UINT32)count(Section.begin(), Section.end(), '}');
1087
1088 //
1089 // Add it to the open brackets
1090 //
1091 OpenBracket -= CountOfBrackets;
1092
1093 if (OpenBracket < 0)
1094 {
1095 OpenBracket = 0;
1096 IsEnded = TRUE;
1097 }
1098 }
1099
1100 continue;
1101 }
1102 }
1103 }
1104
1105 //
1106 // Now we have everything in script buffer
1107 // Check to see if it is empty or not
1108 //
1109 if (SaveBuffer.size() == 0)
1110 {
1111 //
1112 // Nothing in condition buffer, return zero
1113 //
1114 return FALSE;
1115 }
1116
1117 //
1118 // Check if we see that all the '{' ended with '}' or not
1119 //
1120 if (OpenBracket != 0)
1121 {
1122 //
1123 // Not all open brackets close with a }
1124 //
1125 return FALSE;
1126 }
1127
1128 //
1129 // Check if we see '}' at the end
1130 //
1131 if (!IsEnded)
1132 {
1133 //
1134 // Nothing in condition buffer, return zero
1135 //
1136 return FALSE;
1137 }
1138
1139 //
1140 // If we reach here then there is sth in script buffer
1141 //
1142 for (auto Section : SaveBuffer)
1143 {
1144 AppendedFinalBuffer.append(Section);
1145 AppendedFinalBuffer.append(" ");
1146 }
1147
1148 if (AppendedFinalBuffer.rfind("file:", 0) == 0)
1149 {
1150 //
1151 // It's a file script
1152 //
1153 std::ifstream t(AppendedFinalBuffer.erase(0, 5).c_str());
1154 std::stringstream buffer;
1155 buffer << t.rdbuf();
1156 AppendedFinalBuffer = buffer.str();
1157 if (AppendedFinalBuffer.empty())
1158 {
1159 ShowMessages("err, either script file is not found or it's empty\n");
1160
1161 //
1162 // There was an error
1163 //
1164 *ScriptSyntaxErrors = TRUE;
1165
1166 //
1167 // return TRUE to show that this item contains an script
1168 //
1169 return TRUE;
1170 }
1171 }
1172
1173 // ShowMessages("script : %s\n", AppendedFinalBuffer.c_str());
1174
1175 //
1176 // Run script engine handler
1177 //
1178 PVOID CodeBuffer = ScriptEngineParseWrapper((char *)AppendedFinalBuffer.c_str(), TRUE);
1179
1180 if (CodeBuffer == NULL)
1181 {
1182 //
1183 // There was an error
1184 //
1185 *ScriptSyntaxErrors = TRUE;
1186
1187 //
1188 // return TRUE to show that this item contains an script
1189 //
1190 return TRUE;
1191 }
1192 else
1193 {
1194 //
1195 // There is no syntax error
1196 //
1197 *ScriptSyntaxErrors = FALSE;
1198 }
1199
1200 //
1201 // Print symbols (test)
1202 //
1203 // PrintSymbolBufferWrapper(CodeBuffer);
1204
1205 //
1206 // Set the buffer and length
1207 //
1208 *BufferAddress = ScriptEngineWrapperGetHead(CodeBuffer);
1209 *BufferLength = ScriptEngineWrapperGetSize(CodeBuffer);
1210 *Pointer = ScriptEngineWrapperGetPointer(CodeBuffer);
1211 *ScriptCodeBuffer = (UINT64)CodeBuffer;
1212
1213 //
1214 // Removing the script indexes from the command
1215 //
1216 NewIndexToRemove = 0;
1217
1218 for (auto IndexToRemove : IndexesToRemove)
1219 {
1220 NewIndexToRemove++;
1221
1222 SplitCommand->erase(SplitCommand->begin() + (IndexToRemove - NewIndexToRemove));
1223 SplitCommandCaseSensitive->erase(SplitCommandCaseSensitive->begin() + (IndexToRemove - NewIndexToRemove));
1224 }
1225
1226 return TRUE;
1227}
INT32
signed int INT32
Definition BasicTypes.h:44
ScriptEngineWrapperGetSize
UINT32 ScriptEngineWrapperGetSize(PVOID SymbolBuffer)
wrapper for getting size
Definition script-engine-wrapper.cpp:834
ScriptEngineWrapperGetPointer
UINT32 ScriptEngineWrapperGetPointer(PVOID SymbolBuffer)
wrapper for getting pointer
Definition script-engine-wrapper.cpp:848
ScriptEngineParseWrapper
PVOID ScriptEngineParseWrapper(char *Expr, BOOLEAN ShowErrorMessageIfAny)
ScriptEngineParse wrapper.
Definition script-engine-wrapper.cpp:267
ScriptEngineWrapperGetHead
UINT64 ScriptEngineWrapperGetHead(PVOID SymbolBuffer)
wrapper for getting head
Definition script-engine-wrapper.cpp:822

◆ IsConnectedToAnyInstanceOfDebuggerOrDebuggee()

BOOLEAN IsConnectedToAnyInstanceOfDebuggerOrDebuggee ( )

Shows whether the debugger is connected to a debugger or debuggee connected to a debugger.

we use this function to avoid connecting to a remote machine when debuggee or debugger is already connected to an instance

Returns
BOOLEAN
669{
670 if (g_DeviceHandle)
671 {
672 ShowMessages("err, the current system is already connected to the local "
673 "debugging, use '.disconnect' to disconnect\n");
674 return TRUE;
675 }
676 else if (g_IsConnectedToRemoteDebuggee)
677 {
678 ShowMessages("err, the current system is already connected to remote "
679 "machine (debuggee), use '.disconnect' to disconnect from the "
680 "remote machine\n");
681 return TRUE;
682 }
683 else if (g_IsConnectedToRemoteDebugger)
684 {
685 ShowMessages("err, the current system is already connected to remote "
686 "machine (debugger), use '.disconnect' to disconnect from the "
687 "remote machine from debugger\n");
688 return TRUE;
689 }
690 else if (g_IsSerialConnectedToRemoteDebuggee)
691 {
692 ShowMessages(
693 "err, the current system is already connected to remote "
694 "machine (debuggee), use '.debug close' to disconnect from the "
695 "remote machine\n");
696 return TRUE;
697 }
698 else if (g_IsSerialConnectedToRemoteDebugger)
699 {
700 ShowMessages(
701 "err, the current system is already connected to remote "
702 "machine (debugger), use '.debug close' to disconnect from the "
703 "remote machine from debugger\n");
704 return TRUE;
705 }
706
707 return FALSE;
708}
g_IsSerialConnectedToRemoteDebugger
BOOLEAN g_IsSerialConnectedToRemoteDebugger
Shows if the debugger was connected to remote debugger (A remote host)
Definition globals.h:238
g_IsConnectedToRemoteDebuggee
BOOLEAN g_IsConnectedToRemoteDebuggee
Shows whether the current debugger is the host and connected to a remote debuggee (guest)
Definition globals.h:74
g_IsConnectedToRemoteDebugger
BOOLEAN g_IsConnectedToRemoteDebugger
Shows whether the current system is a guest (debuggee) and a remote debugger is connected to this sys...
Definition globals.h:81

◆ IsTagExist()

BOOLEAN IsTagExist ( UINT64 Tag)

Check whether the tag exists or not, if the tag is DEBUGGER_MODIFY_EVENTS_APPLY_TO_ALL_TAG then if we find just one event, it also means that the tag is found.

Parameters
Tag
Returns
BOOLEAN
720{
721 PLIST_ENTRY TempList = 0;
722 PDEBUGGER_GENERAL_EVENT_DETAIL CommandDetail = {0};
723
724 if (!g_EventTraceInitialized)
725 {
726 return FALSE;
727 }
728
729 TempList = &g_EventTrace;
730 while (&g_EventTrace != TempList->Blink)
731 {
732 TempList = TempList->Blink;
733
734 CommandDetail = CONTAINING_RECORD(TempList, DEBUGGER_GENERAL_EVENT_DETAIL, CommandsEventList);
735
736 if (CommandDetail->Tag == Tag || Tag == DEBUGGER_MODIFY_EVENTS_APPLY_TO_ALL_TAG)
737 {
738 return TRUE;
739 }
740 }
741
742 //
743 // Not found
744 //
745 return FALSE;
746}
DEBUGGER_MODIFY_EVENTS_APPLY_TO_ALL_TAG
#define DEBUGGER_MODIFY_EVENTS_APPLY_TO_ALL_TAG
Apply event modifications to all tags.
Definition Constants.h:586
Tag
POOL_TYPE SIZE_T ULONG Tag
Definition Hooks.h:168

◆ RegisterActionToEvent()

BOOLEAN RegisterActionToEvent ( PDEBUGGER_GENERAL_EVENT_DETAIL Event,
PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger,
UINT32 ActionBreakToDebuggerLength,
PDEBUGGER_GENERAL_ACTION ActionCustomCode,
UINT32 ActionCustomCodeLength,
PDEBUGGER_GENERAL_ACTION ActionScript,
UINT32 ActionScriptLength )

Register the action to the event.

Parameters
Eventthe event instance buffer
ActionBreakToDebuggerthe action of breaking into the debugger
ActionBreakToDebuggerLengththe action of breaking into the debugger (length)
ActionCustomCodethe action of custom code
ActionCustomCodeLengththe action of custom code (length)
ActionScriptthe action of script buffer
ActionScriptLengththe action of script buffer (length)
Returns
BOOLEAN BOOLEAN if the request was successful then true if the request was not successful then false
2093{
2094 BOOL Status;
2095 ULONG ReturnedLength;
2096 DEBUGGER_EVENT_AND_ACTION_RESULT ReturnedBuffer = {0};
2097 PDEBUGGER_EVENT_AND_ACTION_RESULT TempAddingResult;
2098
2099 if (g_IsSerialConnectedToRemoteDebuggee)
2100 {
2101 //
2102 // It's action(s) in debugger mode
2103 //
2104
2105 //
2106 // Send Break to debugger packet to debuggee
2107 //
2108 if (ActionBreakToDebugger != NULL)
2109 {
2110 //
2111 // Send the add action to event from here
2112 //
2113 TempAddingResult = KdSendAddActionToEventPacketToDebuggee(
2114 ActionBreakToDebugger,
2115 ActionBreakToDebuggerLength);
2116
2117 //
2118 // Move the buffer to local buffer
2119 //
2120 memcpy(&ReturnedBuffer, TempAddingResult, sizeof(DEBUGGER_EVENT_AND_ACTION_RESULT));
2121 }
2122
2123 //
2124 // Send custom code packet to debuggee
2125 //
2126 if (ActionCustomCode != NULL)
2127 {
2128 //
2129 // Send the add action to event from here
2130 //
2131 TempAddingResult = KdSendAddActionToEventPacketToDebuggee(
2132 ActionCustomCode,
2133 ActionCustomCodeLength);
2134
2135 //
2136 // Move the buffer to local buffer
2137 //
2138 memcpy(&ReturnedBuffer, TempAddingResult, sizeof(DEBUGGER_EVENT_AND_ACTION_RESULT));
2139 }
2140
2141 //
2142 // Send custom code packet to debuggee
2143 //
2144 if (ActionScript != NULL)
2145 {
2146 //
2147 // Send the add action to event from here
2148 //
2149 TempAddingResult = KdSendAddActionToEventPacketToDebuggee(
2150 ActionScript,
2151 ActionScriptLength);
2152
2153 //
2154 // Move the buffer to local buffer
2155 //
2156 memcpy(&ReturnedBuffer, TempAddingResult, sizeof(DEBUGGER_EVENT_AND_ACTION_RESULT));
2157 }
2158 }
2159 else
2160 {
2161 //
2162 // It's either a local debugger to in vmi-mode remote conntection
2163 //
2164
2165 AssertShowMessageReturnStmt(g_DeviceHandle, ASSERT_MESSAGE_DRIVER_NOT_LOADED, AssertReturnFalse);
2166
2167 //
2168 // Send IOCTLs
2169 //
2170
2171 //
2172 // Send Break to debugger ioctl
2173 //
2174 if (ActionBreakToDebugger != NULL)
2175 {
2176 Status = DeviceIoControl(
2177 g_DeviceHandle, // Handle to device
2178 IOCTL_DEBUGGER_ADD_ACTION_TO_EVENT, // IO Control Code (IOCTL)
2179 ActionBreakToDebugger, // Input Buffer to driver.
2180 ActionBreakToDebuggerLength, // Input buffer length
2181 &ReturnedBuffer, // Output Buffer from driver.
2182 sizeof(DEBUGGER_EVENT_AND_ACTION_RESULT), // Length
2183 // of
2184 // output
2185 // buffer
2186 // in
2187 // bytes.
2188 &ReturnedLength, // Bytes placed in buffer.
2189 NULL // synchronous call
2190 );
2191
2192 if (!Status)
2193 {
2194 ShowMessages("ioctl failed with code 0x%x\n", GetLastError());
2195 return FALSE;
2196 }
2197 }
2198
2199 //
2200 // Send custom code ioctl
2201 //
2202 if (ActionCustomCode != NULL)
2203 {
2204 Status = DeviceIoControl(
2205 g_DeviceHandle, // Handle to device
2206 IOCTL_DEBUGGER_ADD_ACTION_TO_EVENT, // IO Control Code (IOCTL)
2207 ActionCustomCode, // Input Buffer to driver.
2208 ActionCustomCodeLength, // Input buffer length
2209 &ReturnedBuffer, // Output Buffer from driver.
2210 sizeof(DEBUGGER_EVENT_AND_ACTION_RESULT), // Length
2211 // of
2212 // output
2213 // buffer
2214 // in
2215 // bytes.
2216 &ReturnedLength, // Bytes placed in buffer.
2217 NULL // synchronous call
2218 );
2219
2220 if (!Status)
2221 {
2222 ShowMessages("ioctl failed with code 0x%x\n", GetLastError());
2223 return FALSE;
2224 }
2225 }
2226
2227 //
2228 // Send custom code ioctl
2229 //
2230 if (ActionScript != NULL)
2231 {
2232 Status = DeviceIoControl(
2233 g_DeviceHandle, // Handle to device
2234 IOCTL_DEBUGGER_ADD_ACTION_TO_EVENT, // IO Control Code (IOCTL)
2235 ActionScript, // Input Buffer to driver.
2236 ActionScriptLength, // Input buffer length
2237 &ReturnedBuffer, // Output Buffer from driver.
2238 sizeof(DEBUGGER_EVENT_AND_ACTION_RESULT), // Length
2239 // of
2240 // output
2241 // buffer
2242 // in
2243 // bytes.
2244 &ReturnedLength, // Bytes placed in buffer.
2245 NULL // synchronous call
2246 );
2247
2248 if (!Status)
2249 {
2250 ShowMessages("ioctl failed with code 0x%x\n", GetLastError());
2251 return FALSE;
2252 }
2253 }
2254 }
2255
2256 //
2257 // As we're not needing any of action buffer, we'll free all of the
2258 // here in the case of a successful registration of action, however
2259 // event detail is needed for the 'event' command's list
2260 //
2261 FreeEventsAndActionsMemory(NULL, ActionBreakToDebugger, ActionCustomCode, ActionScript);
2262
2263 //
2264 // Now, we'll register the command as returned buffer shows that
2265 // this event was successful and now we can add it to the list of
2266 // events
2267 //
2268 InsertHeadList(&g_EventTrace, &(Event->CommandsEventList));
2269
2270 return TRUE;
2271}
BOOL
int BOOL
Definition BasicTypes.h:23
IOCTL_DEBUGGER_ADD_ACTION_TO_EVENT
#define IOCTL_DEBUGGER_ADD_ACTION_TO_EVENT
ioctl, add action to event
Definition Ioctls.h:113
InsertHeadList
FORCEINLINE VOID InsertHeadList(_Inout_ PLIST_ENTRY ListHead, _Inout_ PLIST_ENTRY Entry)
Definition Windows.h:115
FreeEventsAndActionsMemory
VOID FreeEventsAndActionsMemory(PDEBUGGER_GENERAL_EVENT_DETAIL Event, PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger, PDEBUGGER_GENERAL_ACTION ActionCustomCode, PDEBUGGER_GENERAL_ACTION ActionScript)
Deallocate buffers relating to events and actions.
Definition debugger.cpp:2292
KdSendAddActionToEventPacketToDebuggee
PDEBUGGER_EVENT_AND_ACTION_RESULT KdSendAddActionToEventPacketToDebuggee(PDEBUGGER_GENERAL_ACTION GeneralAction, UINT32 GeneralActionLength)
Send an add action to event request to the debuggee.
Definition kd.cpp:737
AssertShowMessageReturnStmt
#define AssertShowMessageReturnStmt(expr, message, rc)
Definition common.h:51
ASSERT_MESSAGE_DRIVER_NOT_LOADED
#define ASSERT_MESSAGE_DRIVER_NOT_LOADED
Definition common.h:25
AssertReturnFalse
#define AssertReturnFalse
Definition common.h:21
_DEBUGGER_EVENT_AND_ACTION_RESULT
Status of register buffers.
Definition Events.h:423
_DEBUGGER_GENERAL_EVENT_DETAIL::CommandsEventList
LIST_ENTRY CommandsEventList
Definition Events.h:352

◆ SendEventToKernel()

BOOLEAN SendEventToKernel ( PDEBUGGER_GENERAL_EVENT_DETAIL Event,
UINT32 EventBufferLength )

Register the event to the kernel.

Parameters
Eventthe event structure to send
EventBufferLengththe buffer length of event
Returns
BOOLEAN if the request was successful then true if the request was not successful then false
1971{
1972 BOOL Status;
1973 ULONG ReturnedLength;
1974 DEBUGGER_EVENT_AND_ACTION_RESULT ReturnedBuffer = {0};
1975 PDEBUGGER_EVENT_AND_ACTION_RESULT TempRegResult;
1976
1977 if (g_IsSerialConnectedToRemoteDebuggee)
1978 {
1979 //
1980 // It's a debugger, we should send the events buffer directly
1981 // from here
1982 //
1983
1984 //
1985 // Send the buffer from here
1986 //
1987 TempRegResult = KdSendRegisterEventPacketToDebuggee(Event, EventBufferLength);
1988
1989 //
1990 // Move the buffer to local buffer
1991 //
1992 memcpy(&ReturnedBuffer, TempRegResult, sizeof(DEBUGGER_EVENT_AND_ACTION_RESULT));
1993 }
1994 else
1995 {
1996 //
1997 // It's either a debuggee or a local debugging instance
1998 //
1999
2000 AssertShowMessageReturnStmt(g_DeviceHandle, ASSERT_MESSAGE_DRIVER_NOT_LOADED, AssertReturnFalse);
2001
2002 //
2003 // Send IOCTL
2004 //
2005
2006 Status = DeviceIoControl(g_DeviceHandle, // Handle to device
2007 IOCTL_DEBUGGER_REGISTER_EVENT, // IO Control Code (IOCTL)
2008 Event, // Input Buffer to driver.
2009 EventBufferLength, // Input buffer length
2010 &ReturnedBuffer, // Output Buffer from driver.
2011 sizeof(DEBUGGER_EVENT_AND_ACTION_RESULT), // Length
2012 // of
2013 // output
2014 // buffer
2015 // in
2016 // bytes.
2017 &ReturnedLength, // Bytes placed in buffer.
2018 NULL // synchronous call
2019 );
2020
2021 if (!Status)
2022 {
2023 ShowMessages("ioctl failed with code 0x%x\n", GetLastError());
2024 return FALSE;
2025 }
2026 }
2027
2028 if (ReturnedBuffer.IsSuccessful && ReturnedBuffer.Error == 0)
2029 {
2030 //
2031 // Check for auto-unpause mode
2032 //
2033 if (!g_IsSerialConnectedToRemoteDebuggee && !g_IsSerialConnectedToRemoteDebugger && g_BreakPrintingOutput && g_AutoUnpause)
2034 {
2035 //
2036 // Allow debugger to show its contents
2037 //
2038
2039 //
2040 // Set the g_BreakPrintingOutput to FALSE
2041 //
2042 g_BreakPrintingOutput = FALSE;
2043
2044 //
2045 // If it's a remote debugger then we send the remote debuggee a 'g'
2046 //
2047 if (g_IsConnectedToRemoteDebuggee)
2048 {
2049 RemoteConnectionSendCommand("g", (UINT32)strlen("g") + 1);
2050 }
2051
2052 ShowMessages("\n");
2053 }
2054 }
2055 else
2056 {
2057 //
2058 // Show the error
2059 //
2060 if (ReturnedBuffer.Error != 0)
2061 {
2062 ShowErrorMessage(ReturnedBuffer.Error);
2063 }
2064
2065 return FALSE;
2066 }
2067
2068 return TRUE;
2069}
IOCTL_DEBUGGER_REGISTER_EVENT
#define IOCTL_DEBUGGER_REGISTER_EVENT
ioctl, register an event
Definition Ioctls.h:106
g_BreakPrintingOutput
BOOLEAN g_BreakPrintingOutput
Shows whether the pause command or CTRL+C or CTRL+Break is executed or not.
Definition globals.h:499
g_AutoUnpause
BOOLEAN g_AutoUnpause
Whether auto-unpause mode is enabled or not enabled.
Definition globals.h:577
KdSendRegisterEventPacketToDebuggee
PDEBUGGER_EVENT_AND_ACTION_RESULT KdSendRegisterEventPacketToDebuggee(PDEBUGGER_GENERAL_EVENT_DETAIL Event, UINT32 EventBufferLength)
Send a register event request to the debuggee.
Definition kd.cpp:670
RemoteConnectionSendCommand
int RemoteConnectionSendCommand(const char *sendbuf, int len)
send the command as a client (debugger, host) to the server (debuggee, guest)
Definition remote-connection.cpp:445
_DEBUGGER_EVENT_AND_ACTION_RESULT::Error
UINT32 Error
Definition Events.h:425
_DEBUGGER_EVENT_AND_ACTION_RESULT::IsSuccessful
BOOLEAN IsSuccessful
Definition Events.h:424

◆ ShowErrorMessage()

BOOLEAN ShowErrorMessage ( UINT32 Error)

shows the error message

Parameters
Error
Returns
BOOLEAN
39{
40 switch (Error)
41 {
42 case DEBUGGER_ERROR_TAG_NOT_EXISTS:
43 ShowMessages("err, tag not found (%x)\n",
44 Error);
45 break;
46
47 case DEBUGGER_ERROR_INVALID_ACTION_TYPE:
48 ShowMessages("err, invalid action type (%x)\n",
49 Error);
50 break;
51
52 case DEBUGGER_ERROR_ACTION_BUFFER_SIZE_IS_ZERO:
53 ShowMessages("err, action buffer size is zero (%x)\n",
54 Error);
55 break;
56
57 case DEBUGGER_ERROR_EVENT_TYPE_IS_INVALID:
58 ShowMessages("err, the event type is invalid (%x)\n",
59 Error);
60 break;
61
62 case DEBUGGER_ERROR_UNABLE_TO_CREATE_EVENT:
63 ShowMessages("err, unable to create event (%x)\n",
64 Error);
65 break;
66
67 case DEBUGGER_ERROR_INVALID_ADDRESS:
68
69 ShowMessages("err, invalid address (%x)\n"
70 "address may be paged-out or unavailable on the page table due to 'demand paging'\n"
71 "please refer to https://docs.hyperdbg.org/tips-and-tricks/considerations/accessing-invalid-address for further information\n",
72 Error);
73 break;
74
75 case DEBUGGER_ERROR_INVALID_CORE_ID:
76 ShowMessages("err, invalid core id (%x)\n",
77 Error);
78 break;
79
80 case DEBUGGER_ERROR_EXCEPTION_INDEX_EXCEED_FIRST_32_ENTRIES:
81 ShowMessages("err, exception index exceed first 32 entries (%x)\n",
82 Error);
83 break;
84
85 case DEBUGGER_ERROR_INTERRUPT_INDEX_IS_NOT_VALID:
86 ShowMessages("err, interrupt index is not valid (%x)\n",
87 Error);
88 break;
89
90 case DEBUGGER_ERROR_UNABLE_TO_HIDE_OR_UNHIDE_DEBUGGER:
91 ShowMessages("err, unable to hide or unhide debugger (%x)\n",
92 Error);
93 break;
94
95 case DEBUGGER_ERROR_DEBUGGER_ALREADY_UHIDE:
96 ShowMessages("err, debugger already unhide (%x)\n",
97 Error);
98 break;
99
100 case DEBUGGER_ERROR_EDIT_MEMORY_STATUS_INVALID_PARAMETER:
101 ShowMessages("err, edit memory request has invalid parameters (%x)\n",
102 Error);
103 break;
104
105 case DEBUGGER_ERROR_EDIT_MEMORY_STATUS_INVALID_ADDRESS_BASED_ON_CURRENT_PROCESS:
106 ShowMessages("err, edit memory request has invalid address based on "
107 "current process layout, the address might be valid but not "
108 "present in the ram (%x)\n"
109 "address may be paged-out or unavailable on the page table due to 'demand paging'\n"
110 "please refer to https://docs.hyperdbg.org/tips-and-tricks/considerations/accessing-invalid-address for further information\n",
111 Error);
112 break;
113
114 case DEBUGGER_ERROR_EDIT_MEMORY_STATUS_INVALID_ADDRESS_BASED_ON_OTHER_PROCESS:
115 ShowMessages("err, edit memory request has invalid address based on other "
116 "process layout (%x)\n",
117 Error);
118 break;
119
120 case DEBUGGER_ERROR_MODIFY_EVENTS_INVALID_TAG:
121 ShowMessages("err, modify event with invalid tag (%x)\n",
122 Error);
123 break;
124
125 case DEBUGGER_ERROR_MODIFY_EVENTS_INVALID_TYPE_OF_ACTION:
126 ShowMessages("err, modify event with invalid type of action (%x)\n",
127 Error);
128 break;
129
130 case DEBUGGER_ERROR_STEPPING_INVALID_PARAMETER:
131 ShowMessages("err, invalid parameter passed to stepping core. (%x)\n",
132 Error);
133 break;
134
135 case DEBUGGER_ERROR_STEPPINGS_EITHER_THREAD_NOT_FOUND_OR_DISABLED:
136 ShowMessages(
137 "err, the target thread not found or the thread is disabled (%x)\n",
138 Error);
139 break;
140
141 case DEBUGGER_ERROR_PREPARING_DEBUGGEE_INVALID_BAUDRATE:
142 ShowMessages("err, invalid baud rate (%x)\n",
143 Error);
144 break;
145
146 case DEBUGGER_ERROR_PREPARING_DEBUGGEE_INVALID_SERIAL_PORT:
147 ShowMessages("err, invalid serial port (%x)\n",
148 Error);
149 break;
150
151 case DEBUGGER_ERROR_PREPARING_DEBUGGEE_INVALID_CORE_IN_REMOTE_DEBUGGE:
152 ShowMessages("err, invalid core selected in switching cores (%x)\n",
153 Error);
154 break;
155
156 case DEBUGGER_ERROR_PREPARING_DEBUGGEE_UNABLE_TO_SWITCH_TO_NEW_PROCESS:
157 ShowMessages("err, unable to switch to the new process (%x)\n",
158 Error);
159 break;
160
161 case DEBUGGER_ERROR_PREPARING_DEBUGGEE_TO_RUN_SCRIPT:
162 ShowMessages("err, unable to run the script on remote debuggee (%x)\n",
163 Error);
164 break;
165
166 case DEBUGGER_ERROR_INVALID_REGISTER_NUMBER:
167 ShowMessages("err, invalid register number (%x)\n",
168 Error);
169 break;
170
171 case DEBUGGER_ERROR_MAXIMUM_BREAKPOINT_WITHOUT_CONTINUE:
172 ShowMessages("err, maximum number of breakpoints are used, you need to "
173 "send an ioctl to re-allocate new pre-allocated buffers or "
174 "configure HyperDbg to pre-allocated more buffers by "
175 "configuring MAXIMUM_BREAKPOINTS_WITHOUT_CONTINUE (%x)\n",
176 Error);
177 break;
178
179 case DEBUGGER_ERROR_BREAKPOINT_ALREADY_EXISTS_ON_THE_ADDRESS:
180 ShowMessages("err, breakpoint already exists on target address, you can "
181 "use 'bl' command to view a list of breakpoints (%x)\n",
182 Error);
183 break;
184
185 case DEBUGGER_ERROR_BREAKPOINT_ID_NOT_FOUND:
186 ShowMessages("err, breakpoint id is invalid (%x)\n",
187 Error);
188 break;
189
190 case DEBUGGER_ERROR_BREAKPOINT_ALREADY_DISABLED:
191 ShowMessages("err, breakpoint already disabled (%x)\n",
192 Error);
193 break;
194
195 case DEBUGGER_ERROR_BREAKPOINT_ALREADY_ENABLED:
196 ShowMessages("err, breakpoint already enabled (%x)\n",
197 Error);
198 break;
199
200 case DEBUGGER_ERROR_MEMORY_TYPE_INVALID:
201 ShowMessages("err, the memory type is invalid (%x)\n",
202 Error);
203 break;
204
205 case DEBUGGER_ERROR_INVALID_PROCESS_ID:
206 ShowMessages("err, the process id is invalid, make sure to enter the "
207 "process id in hex format, or if you want to use it in decimal "
208 "format, add '0n' prefix to the number (%x)\n",
209 Error);
210 break;
211
212 case DEBUGGER_ERROR_EVENT_IS_NOT_APPLIED:
213 ShowMessages("err, the event is not applied (%x)\n",
214 Error);
215 break;
216
217 case DEBUGGER_ERROR_DETAILS_OR_SWITCH_PROCESS_INVALID_PARAMETER:
218 ShowMessages("err, either the process id or the _EPROCESS is invalid or "
219 "cannot get the details based on the provided parameters (%x)\n",
220 Error);
221 break;
222
223 case DEBUGGER_ERROR_DETAILS_OR_SWITCH_THREAD_INVALID_PARAMETER:
224 ShowMessages("err, either the thread id, _ETHREAD, or _EPROCESS is invalid or "
225 "cannot get the details based on the provided parameters (%x)\n",
226 Error);
227 break;
228
229 case DEBUGGER_ERROR_MAXIMUM_BREAKPOINT_FOR_A_SINGLE_PAGE_IS_HIT:
230 ShowMessages("err, the maximum breakpoint for a single page is hit, "
231 "you cannot apply more breakpoints in this page (%x)\n",
232 Error);
233 break;
234
235 case DEBUGGER_ERROR_PRE_ALLOCATED_BUFFER_IS_EMPTY:
236 ShowMessages("err, the pre-allocated buffer is empty, usually this buffer will be "
237 "filled at the next IOCTL when the debugger is continued (%x)\n"
238 "please visit the documentation for the 'prealloc' command or use "
239 "'.help prealloc' to to reserve more pre-allocated pools\n",
240 Error);
241 break;
242
243 case DEBUGGER_ERROR_EPT_COULD_NOT_SPLIT_THE_LARGE_PAGE_TO_4KB_PAGES:
244 ShowMessages("err, could not convert 2MB large page to 4KB pages (%x)\n",
245 Error);
246 break;
247
248 case DEBUGGER_ERROR_EPT_FAILED_TO_GET_PML1_ENTRY_OF_TARGET_ADDRESS:
249 ShowMessages("err, failed to get the PML1 entry of the target address (%x)\n",
250 Error);
251 break;
252
253 case DEBUGGER_ERROR_EPT_MULTIPLE_HOOKS_IN_A_SINGLE_PAGE:
254 ShowMessages("err, the page modification is not applied, make sure that you don't "
255 "put multiple EPT Hooks or Monitors on a single page (%x)\n",
256 Error);
257 break;
258
259 case DEBUGGER_ERROR_COULD_NOT_BUILD_THE_EPT_HOOK:
260 ShowMessages("err, could not build the EPT hook (%x)\n",
261 Error);
262 break;
263
264 case DEBUGGER_ERROR_COULD_NOT_FIND_ALLOCATION_TYPE:
265 ShowMessages("err, could not find the allocation type (%x)\n",
266 Error);
267 break;
268
269 case DEBUGGER_ERROR_INVALID_TEST_QUERY_INDEX:
270 ShowMessages("err, invalid index specified for test query command (%x)\n",
271 Error);
272 break;
273
274 case DEBUGGER_ERROR_UNABLE_TO_ATTACH_TO_TARGET_USER_MODE_PROCESS:
275 ShowMessages("err, unable to attach to the target process (%x)\n",
276 Error);
277 break;
278
279 case DEBUGGER_ERROR_UNABLE_TO_REMOVE_HOOKS_ENTRYPOINT_NOT_REACHED:
280 ShowMessages("err, unable to remove hooks as the entrypoint of user-mode "
281 "process is not reached yet (%x)\n",
282 Error);
283 break;
284
285 case DEBUGGER_ERROR_UNABLE_TO_REMOVE_HOOKS:
286 ShowMessages("err, unable to remove hooks (%x)\n",
287 Error);
288 break;
289
290 case DEBUGGER_ERROR_FUNCTIONS_FOR_INITIALIZING_PEB_ADDRESSES_ARE_NOT_INITIALIZED:
291 ShowMessages("err, the routines for getting the PEB is not correctly "
292 "initialized (%x)\n",
293 Error);
294 break;
295
296 case DEBUGGER_ERROR_UNABLE_TO_DETECT_32_BIT_OR_64_BIT_PROCESS:
297 ShowMessages("err, unable to detect whether the process was 32-bit "
298 "or 64-bit (%x)\n",
299 Error);
300 break;
301
302 case DEBUGGER_ERROR_UNABLE_TO_KILL_THE_PROCESS:
303 ShowMessages("err, unable to kill the process (%x)\n",
304 Error);
305 break;
306
307 case DEBUGGER_ERROR_INVALID_THREAD_DEBUGGING_TOKEN:
308 ShowMessages("err, invalid thread debugging token (%x)\n",
309 Error);
310 break;
311
312 case DEBUGGER_ERROR_UNABLE_TO_PAUSE_THE_PROCESS_THREADS:
313 ShowMessages("err, unable to pause the threads of the process (%x)\n",
314 Error);
315 break;
316
317 case DEBUGGER_ERROR_UNABLE_TO_ATTACH_TO_AN_ALREADY_ATTACHED_PROCESS:
318 ShowMessages("err, the user debugger is already attached to this "
319 "process, please use the '.switch' command to switch "
320 "to this process (%x)\n",
321 Error);
322 break;
323
324 case DEBUGGER_ERROR_THE_USER_DEBUGGER_NOT_ATTACHED_TO_THE_PROCESS:
325 ShowMessages("err, the user debugger is not already attached to "
326 "the process (%x)\n",
327 Error);
328 break;
329
330 case DEBUGGER_ERROR_UNABLE_TO_DETACH_AS_THERE_ARE_PAUSED_THREADS:
331 ShowMessages("err, the user debugger is not able to detach from "
332 "this process as there are paused threads in the "
333 "target process, please make sure to remove all "
334 "the events and continue the target process, then "
335 "perform the detach again (%x)\n",
336 Error);
337 break;
338
339 case DEBUGGER_ERROR_UNABLE_TO_SWITCH_PROCESS_ID_OR_THREAD_ID_IS_INVALID:
340 ShowMessages("err, unable to switch to the process id or thread id "
341 "as the target process id or thread id is not found in "
342 "the attached threads list, please view the list of "
343 "processes and threads by using the '.switch list' command (%x)\n",
344 Error);
345 break;
346
347 case DEBUGGER_ERROR_UNABLE_TO_SWITCH_THERE_IS_NO_THREAD_ON_THE_PROCESS:
348 ShowMessages("err, unable to switch to the process as the process doesn't "
349 "contain an active intercepted thread (%x)\n",
350 Error);
351 break;
352
353 case DEBUGGER_ERROR_UNABLE_TO_GET_MODULES_OF_THE_PROCESS:
354 ShowMessages("err, unable to get user-mode modules of the process (%x)\n",
355 Error);
356 break;
357
358 case DEBUGGER_ERROR_UNABLE_TO_GET_CALLSTACK:
359 ShowMessages("err, unable to get the callstack (%x)\n",
360 Error);
361 break;
362
363 case DEBUGGER_ERROR_UNABLE_TO_QUERY_COUNT_OF_PROCESSES_OR_THREADS:
364 ShowMessages("err, unable to query count of processes or threads (%x)\n",
365 Error);
366 break;
367
368 case DEBUGGER_ERROR_USING_SHORT_CIRCUITING_EVENT_WITH_POST_EVENT_MODE_IS_FORBIDDEDN:
369 ShowMessages("err, using short-circuiting event with post events is not possible (%x)\n",
370 Error);
371 break;
372
373 case DEBUGGER_ERROR_UNKNOWN_TEST_QUERY_RECEIVED:
374 ShowMessages("err, unknown test query is received to the debugger (%x)\n",
375 Error);
376 break;
377
378 case DEBUGGER_ERROR_READING_MEMORY_INVALID_PARAMETER:
379 ShowMessages("err, invalid process or memory address (%x)\n",
380 Error);
381 break;
382
383 case DEBUGGER_ERROR_THE_TRAP_FLAG_LIST_IS_FULL:
384 ShowMessages("err, unable to add the current thread/process to the list of trap flags. "
385 "Are you debugging multiple threads or stepping through different processes "
386 "simultaneously? (%x)\n",
387 Error);
388 break;
389
390 case DEBUGGER_ERROR_UNABLE_TO_KILL_THE_PROCESS_DOES_NOT_EXISTS:
391 ShowMessages("err, process does not exists (already terminated?) (%x)\n",
392 Error);
393 break;
394
395 case DEBUGGER_ERROR_MODE_EXECUTION_IS_INVALID:
396 ShowMessages("err, the specified execution mode is invalid (%x)\n",
397 Error);
398 break;
399
400 case DEBUGGER_ERROR_PROCESS_ID_CANNOT_BE_SPECIFIED_WHILE_APPLYING_EVENT_FROM_VMX_ROOT_MODE:
401 ShowMessages("err, you cannot specify process id while the debugger is paused in the debugger mode. "
402 "You can use the '.process' or the '.thread' command to switch to the target process's "
403 "memory layout (%x)\n",
404 Error);
405 break;
406
407 case DEBUGGER_ERROR_INSTANT_EVENT_PREALLOCATED_BUFFER_IS_NOT_ENOUGH_FOR_EVENT_AND_CONDITIONALS:
408 ShowMessages("err, the requested buffer for storing event and conditions is larger than the pre-allocated "
409 "buffer size (%x)\nfor more information on how to resolve this issue, "
410 "please visit: https://docs.hyperdbg.org/tips-and-tricks/misc/instant-events\n",
411 Error);
412 break;
413
414 case DEBUGGER_ERROR_INSTANT_EVENT_REGULAR_PREALLOCATED_BUFFER_NOT_FOUND:
415 ShowMessages("err, not enough pre-allocated buffer exists for storing the event. You can use the 'prealloc' "
416 "command to fix this issue by pre-allocating more buffers (%x)\nfor more information "
417 "please visit: https://docs.hyperdbg.org/tips-and-tricks/misc/instant-events\n",
418 Error);
419 break;
420
421 case DEBUGGER_ERROR_INSTANT_EVENT_BIG_PREALLOCATED_BUFFER_NOT_FOUND:
422 ShowMessages("err, the requested event is considered as a \"big instant event\" and right now, there is no "
423 "pre-allocated buffer for storing it. You can use the 'prealloc' command to fix this issue by "
424 "pre-allocating big instant event buffers (%x)\nfor more information "
425 "please visit: https://docs.hyperdbg.org/tips-and-tricks/misc/instant-events\n",
426 Error);
427 break;
428
429 case DEBUGGER_ERROR_UNABLE_TO_CREATE_ACTION_CANNOT_ALLOCATE_BUFFER:
430 ShowMessages("err, unable to allocate buffer for the target action (%x)\n",
431 Error);
432 break;
433
434 case DEBUGGER_ERROR_INSTANT_EVENT_ACTION_REGULAR_PREALLOCATED_BUFFER_NOT_FOUND:
435 ShowMessages("err, not enough pre-allocated buffer exists for storing the event's action. You can use the 'prealloc' "
436 "command to fix this issue by pre-allocating more buffers (%x)\nfor more information "
437 "please visit: https://docs.hyperdbg.org/tips-and-tricks/misc/instant-events\n",
438 Error);
439 break;
440
441 case DEBUGGER_ERROR_INSTANT_EVENT_ACTION_BIG_PREALLOCATED_BUFFER_NOT_FOUND:
442 ShowMessages("err, the requested action is considered as a \"big instant event (action)\" and right now, there is no "
443 "pre-allocated buffer for storing it. You can use the 'prealloc' command to fix this issue by "
444 "pre-allocating big instant event's action buffers (%x)\nfor more information "
445 "please visit: https://docs.hyperdbg.org/tips-and-tricks/misc/instant-events\n",
446 Error);
447 break;
448
449 case DEBUGGER_ERROR_INSTANT_EVENT_PREALLOCATED_BUFFER_IS_NOT_ENOUGH_FOR_ACTION_BUFFER:
450 ShowMessages("err, the requested buffer for storing action is larger than the pre-allocated "
451 "buffer size (%x)\nfor more information on how to resolve this issue, "
452 "please visit: https://docs.hyperdbg.org/tips-and-tricks/misc/instant-events\n",
453 Error);
454 break;
455
456 case DEBUGGER_ERROR_INSTANT_EVENT_REQUESTED_OPTIONAL_BUFFER_IS_BIGGER_THAN_DEBUGGERS_SEND_RECEIVE_STACK:
457 ShowMessages("err, the requested optional buffer is bigger than the debuggers send/receive stack, "
458 "please select a smaller requested buffer for the target event (%x)\n",
459 Error);
460 break;
461
462 case DEBUGGER_ERROR_INSTANT_EVENT_REGULAR_REQUESTED_SAFE_BUFFER_NOT_FOUND:
463 ShowMessages("err, by default HyperDbg won't allocate requested safe buffers for instant events in "
464 "the debugger mode. You can use the 'prealloc' command to allocate (regular) requested safe "
465 "buffers before running this command (%x)\nfor more information "
466 "please visit: https://docs.hyperdbg.org/tips-and-tricks/misc/instant-events\n",
467 Error);
468 break;
469
470 case DEBUGGER_ERROR_INSTANT_EVENT_BIG_REQUESTED_SAFE_BUFFER_NOT_FOUND:
471 ShowMessages("err, the requested safe buffer is bigger than regular buffers. You can use the 'prealloc' "
472 "command to allocate (big) requested safe buffers before running this command (%x)\n"
473 "for more information "
474 "please visit: https://docs.hyperdbg.org/tips-and-tricks/misc/instant-events\n",
475 Error);
476 break;
477
478 case DEBUGGER_ERROR_INSTANT_EVENT_PREALLOCATED_BUFFER_IS_NOT_ENOUGH_FOR_REQUESTED_SAFE_BUFFER:
479 ShowMessages("err, the requested buffer for storing safe buffers of the action is larger than the pre-allocated "
480 "buffer size (%x)\nfor more information on how to resolve this issue, "
481 "please visit: https://docs.hyperdbg.org/tips-and-tricks/misc/instant-events\n",
482 Error);
483 break;
484
485 case DEBUGGER_ERROR_UNABLE_TO_ALLOCATE_REQUESTED_SAFE_BUFFER:
486 ShowMessages("err, unable to allocate buffer for the target requested safe buffer (%x)\n",
487 Error);
488 break;
489
490 case DEBUGGER_ERROR_COULD_NOT_FIND_PREACTIVATION_TYPE:
491 ShowMessages("err, invalid type is specified for preactivation (%x)\n",
492 Error);
493 break;
494
495 case DEBUGGER_ERROR_THE_MODE_EXEC_TRAP_IS_NOT_INITIALIZED:
496 ShowMessages("err, the '!mode' event command cannot be directly initialized in the Debugger Mode. "
497 "To avoid wasting system resources and performance issues we decided to use another "
498 "command to initialize it first then use it. You can use the 'preactivate mode' command "
499 "to preactivate this mechanism after that, you can use the '!mode' event (%x)\n",
500 Error);
501 break;
502
503 case DEBUGGER_ERROR_THE_TARGET_EVENT_IS_DISABLED_BUT_CANNOT_BE_CLEARED_PRIRITY_BUFFER_IS_FULL:
504 ShowMessages("err, the event(s) that you've requested are disabled, yet HyperDbg cannot remove (clear) them in "
505 "the subsequent run due to the user-mode priority buffers being at full capacity. "
506 "This typically occurs when you attempt to clear numerous events without resuming the debuggee. "
507 "Since these unserviced events remain in the queue, HyperDbg is unable to clear them. "
508 "To address this issue, you can resume the debuggee, allowing all queued events to be cleared (usually 2 to 10 seconds). "
509 "Afterward, you can pause the debuggee again and request the removal of new events (%x)\n"
510 "for more information on how to resolve this issue "
511 "please visit: https://docs.hyperdbg.org/tips-and-tricks/misc/instant-events\n",
512 Error);
513 break;
514
515 case DEBUGGER_ERROR_NOT_ALL_CORES_ARE_LOCKED_FOR_APPLYING_INSTANT_EVENT:
516 ShowMessages("err, the event cannot be applied since not all cores are locked! "
517 "If you are using the instant-event mechanism or switching between cores, this will likely halt the system. "
518 "This may be caused by a race condition, but continuing and halting the debugger might resolve it. "
519 "If the problem persists, please open an issue and provide steps to reproduce it (%x)\n",
520 Error);
521 break;
522
523 case DEBUGGER_ERROR_TARGET_SWITCHING_CORE_IS_NOT_LOCKED:
524 ShowMessages("err, target core is not locked! "
525 "This may be caused by a race condition, continuing and halting the debugger might resolve it. "
526 "If the problem persists, please open an issue and provide steps to reproduce it (%x)\n",
527 Error);
528 break;
529
530 case DEBUGGER_ERROR_INVALID_PHYSICAL_ADDRESS:
531 ShowMessages("err, invalid physical address (%x)\n",
532 Error);
533 break;
534
535 default:
536 ShowMessages("err, error not found (%x)\n",
537 Error);
538 return FALSE;
539 break;
540 }
541
542 return TRUE;
543}
DEBUGGER_ERROR_ACTION_BUFFER_SIZE_IS_ZERO
#define DEBUGGER_ERROR_ACTION_BUFFER_SIZE_IS_ZERO
error, the action buffer size is invalid
Definition ErrorCodes.h:45
DEBUGGER_ERROR_INSTANT_EVENT_REGULAR_PREALLOCATED_BUFFER_NOT_FOUND
#define DEBUGGER_ERROR_INSTANT_EVENT_REGULAR_PREALLOCATED_BUFFER_NOT_FOUND
error, the regular preallocated buffer not found
Definition ErrorCodes.h:441
DEBUGGER_ERROR_EPT_FAILED_TO_GET_PML1_ENTRY_OF_TARGET_ADDRESS
#define DEBUGGER_ERROR_EPT_FAILED_TO_GET_PML1_ENTRY_OF_TARGET_ADDRESS
error, failed to get PML1 entry of the target address
Definition ErrorCodes.h:264
DEBUGGER_ERROR_UNABLE_TO_DETECT_32_BIT_OR_64_BIT_PROCESS
#define DEBUGGER_ERROR_UNABLE_TO_DETECT_32_BIT_OR_64_BIT_PROCESS
error, unable to get 32-bit or 64-bit of the target process
Definition ErrorCodes.h:320
DEBUGGER_ERROR_INSTANT_EVENT_BIG_REQUESTED_SAFE_BUFFER_NOT_FOUND
#define DEBUGGER_ERROR_INSTANT_EVENT_BIG_REQUESTED_SAFE_BUFFER_NOT_FOUND
error, the requested safe buffer does not exists (big)
Definition ErrorCodes.h:489
DEBUGGER_ERROR_TAG_NOT_EXISTS
#define DEBUGGER_ERROR_TAG_NOT_EXISTS
error, the tag not exist
Definition ErrorCodes.h:33
DEBUGGER_ERROR_INTERRUPT_INDEX_IS_NOT_VALID
#define DEBUGGER_ERROR_INTERRUPT_INDEX_IS_NOT_VALID
error, the index for !interrupt command is not between 32 to 256
Definition ErrorCodes.h:81
DEBUGGER_ERROR_UNABLE_TO_REMOVE_HOOKS
#define DEBUGGER_ERROR_UNABLE_TO_REMOVE_HOOKS
error, could not remove the previous hook
Definition ErrorCodes.h:308
DEBUGGER_ERROR_INSTANT_EVENT_PREALLOCATED_BUFFER_IS_NOT_ENOUGH_FOR_EVENT_AND_CONDITIONALS
#define DEBUGGER_ERROR_INSTANT_EVENT_PREALLOCATED_BUFFER_IS_NOT_ENOUGH_FOR_EVENT_AND_CONDITIONALS
error, the preallocated buffer is not enough for storing event+conditional buffer
Definition ErrorCodes.h:435
DEBUGGER_ERROR_INSTANT_EVENT_REQUESTED_OPTIONAL_BUFFER_IS_BIGGER_THAN_DEBUGGERS_SEND_RECEIVE_STACK
#define DEBUGGER_ERROR_INSTANT_EVENT_REQUESTED_OPTIONAL_BUFFER_IS_BIGGER_THAN_DEBUGGERS_SEND_RECEIVE_STACK
error, the requested optional buffer is bigger than send/receive stack of the debugger
Definition ErrorCodes.h:477
DEBUGGER_ERROR_UNABLE_TO_ALLOCATE_REQUESTED_SAFE_BUFFER
#define DEBUGGER_ERROR_UNABLE_TO_ALLOCATE_REQUESTED_SAFE_BUFFER
error, enable to create requested safe buffer (cannot allocate buffer)
Definition ErrorCodes.h:501
DEBUGGER_ERROR_MAXIMUM_BREAKPOINT_WITHOUT_CONTINUE
#define DEBUGGER_ERROR_MAXIMUM_BREAKPOINT_WITHOUT_CONTINUE
error, maximum pools were used without continuing debuggee
Definition ErrorCodes.h:184
DEBUGGER_ERROR_INSTANT_EVENT_PREALLOCATED_BUFFER_IS_NOT_ENOUGH_FOR_REQUESTED_SAFE_BUFFER
#define DEBUGGER_ERROR_INSTANT_EVENT_PREALLOCATED_BUFFER_IS_NOT_ENOUGH_FOR_REQUESTED_SAFE_BUFFER
error, the preallocated buffer is not enough for storing safe requested buffer
Definition ErrorCodes.h:495
DEBUGGER_ERROR_READING_MEMORY_INVALID_PARAMETER
#define DEBUGGER_ERROR_READING_MEMORY_INVALID_PARAMETER
error, for reading from memory in case of invalid parameters
Definition ErrorCodes.h:405
DEBUGGER_ERROR_INVALID_TEST_QUERY_INDEX
#define DEBUGGER_ERROR_INVALID_TEST_QUERY_INDEX
error, could not find the index of test query
Definition ErrorCodes.h:288
DEBUGGER_ERROR_PRE_ALLOCATED_BUFFER_IS_EMPTY
#define DEBUGGER_ERROR_PRE_ALLOCATED_BUFFER_IS_EMPTY
error, there is no pre-allocated buffer
Definition ErrorCodes.h:251
DEBUGGER_ERROR_COULD_NOT_FIND_ALLOCATION_TYPE
#define DEBUGGER_ERROR_COULD_NOT_FIND_ALLOCATION_TYPE
error, could not find the type of allocation
Definition ErrorCodes.h:282
DEBUGGER_ERROR_MODIFY_EVENTS_INVALID_TYPE_OF_ACTION
#define DEBUGGER_ERROR_MODIFY_EVENTS_INVALID_TYPE_OF_ACTION
error, type of action (enable/disable/clear) is wrong
Definition ErrorCodes.h:127
DEBUGGER_ERROR_BREAKPOINT_ALREADY_EXISTS_ON_THE_ADDRESS
#define DEBUGGER_ERROR_BREAKPOINT_ALREADY_EXISTS_ON_THE_ADDRESS
error, breakpoint already exists on the target address
Definition ErrorCodes.h:190
DEBUGGER_ERROR_EDIT_MEMORY_STATUS_INVALID_ADDRESS_BASED_ON_OTHER_PROCESS
#define DEBUGGER_ERROR_EDIT_MEMORY_STATUS_INVALID_ADDRESS_BASED_ON_OTHER_PROCESS
error, an invalid address is specified based on anotehr process's cr3 in !e* or e* commands
Definition ErrorCodes.h:114
DEBUGGER_ERROR_INSTANT_EVENT_REGULAR_REQUESTED_SAFE_BUFFER_NOT_FOUND
#define DEBUGGER_ERROR_INSTANT_EVENT_REGULAR_REQUESTED_SAFE_BUFFER_NOT_FOUND
error, the requested safe buffer does not exist (regular)
Definition ErrorCodes.h:483
DEBUGGER_ERROR_STEPPINGS_EITHER_THREAD_NOT_FOUND_OR_DISABLED
#define DEBUGGER_ERROR_STEPPINGS_EITHER_THREAD_NOT_FOUND_OR_DISABLED
error, thread is invalid (not found) or disabled in stepping (step-in & step-out) requests
Definition ErrorCodes.h:140
DEBUGGER_ERROR_DETAILS_OR_SWITCH_THREAD_INVALID_PARAMETER
#define DEBUGGER_ERROR_DETAILS_OR_SWITCH_THREAD_INVALID_PARAMETER
error, for thread switch or thread details, invalid parameter
Definition ErrorCodes.h:239
DEBUGGER_ERROR_UNABLE_TO_PAUSE_THE_PROCESS_THREADS
#define DEBUGGER_ERROR_UNABLE_TO_PAUSE_THE_PROCESS_THREADS
error, unable to pause the process's threads
Definition ErrorCodes.h:338
DEBUGGER_ERROR_INSTANT_EVENT_PREALLOCATED_BUFFER_IS_NOT_ENOUGH_FOR_ACTION_BUFFER
#define DEBUGGER_ERROR_INSTANT_EVENT_PREALLOCATED_BUFFER_IS_NOT_ENOUGH_FOR_ACTION_BUFFER
error, the preallocated buffer is not enough for storing action buffer
Definition ErrorCodes.h:471
DEBUGGER_ERROR_BREAKPOINT_ID_NOT_FOUND
#define DEBUGGER_ERROR_BREAKPOINT_ID_NOT_FOUND
error, breakpoint id not found
Definition ErrorCodes.h:196
DEBUGGER_ERROR_INVALID_CORE_ID
#define DEBUGGER_ERROR_INVALID_CORE_ID
error, the core id is invalid
Definition ErrorCodes.h:69
DEBUGGER_ERROR_STEPPING_INVALID_PARAMETER
#define DEBUGGER_ERROR_STEPPING_INVALID_PARAMETER
error, invalid parameters steppings actions
Definition ErrorCodes.h:133
DEBUGGER_ERROR_INVALID_REGISTER_NUMBER
#define DEBUGGER_ERROR_INVALID_REGISTER_NUMBER
error, invalid register number
Definition ErrorCodes.h:178
DEBUGGER_ERROR_UNABLE_TO_KILL_THE_PROCESS
#define DEBUGGER_ERROR_UNABLE_TO_KILL_THE_PROCESS
error, unable to kill the target process
Definition ErrorCodes.h:326
DEBUGGER_ERROR_EDIT_MEMORY_STATUS_INVALID_ADDRESS_BASED_ON_CURRENT_PROCESS
#define DEBUGGER_ERROR_EDIT_MEMORY_STATUS_INVALID_ADDRESS_BASED_ON_CURRENT_PROCESS
error, an invalid address is specified based on current cr3 in !e* or e* commands
Definition ErrorCodes.h:106
DEBUGGER_ERROR_MODIFY_EVENTS_INVALID_TAG
#define DEBUGGER_ERROR_MODIFY_EVENTS_INVALID_TAG
error, invalid tag for 'events' command (tag id is unknown for kernel)
Definition ErrorCodes.h:121
DEBUGGER_ERROR_UNABLE_TO_GET_MODULES_OF_THE_PROCESS
#define DEBUGGER_ERROR_UNABLE_TO_GET_MODULES_OF_THE_PROCESS
error, unable to get modules
Definition ErrorCodes.h:374
DEBUGGER_ERROR_PREPARING_DEBUGGEE_INVALID_SERIAL_PORT
#define DEBUGGER_ERROR_PREPARING_DEBUGGEE_INVALID_SERIAL_PORT
error, serial port address is invalid
Definition ErrorCodes.h:152
DEBUGGER_ERROR_THE_USER_DEBUGGER_NOT_ATTACHED_TO_THE_PROCESS
#define DEBUGGER_ERROR_THE_USER_DEBUGGER_NOT_ATTACHED_TO_THE_PROCESS
error, the user debugger is not attached to the target process
Definition ErrorCodes.h:350
DEBUGGER_ERROR_THE_TARGET_EVENT_IS_DISABLED_BUT_CANNOT_BE_CLEARED_PRIRITY_BUFFER_IS_FULL
#define DEBUGGER_ERROR_THE_TARGET_EVENT_IS_DISABLED_BUT_CANNOT_BE_CLEARED_PRIRITY_BUFFER_IS_FULL
error, the target event(s) is/are disabled but cannot clear them because the buffer of the user-mode ...
Definition ErrorCodes.h:520
DEBUGGER_ERROR_NOT_ALL_CORES_ARE_LOCKED_FOR_APPLYING_INSTANT_EVENT
#define DEBUGGER_ERROR_NOT_ALL_CORES_ARE_LOCKED_FOR_APPLYING_INSTANT_EVENT
error, not all cores are locked (probably due to a race condition in HyperDbg) in instant-event mecha...
Definition ErrorCodes.h:527
DEBUGGER_ERROR_DETAILS_OR_SWITCH_PROCESS_INVALID_PARAMETER
#define DEBUGGER_ERROR_DETAILS_OR_SWITCH_PROCESS_INVALID_PARAMETER
error, for process switch or process details, invalid parameter
Definition ErrorCodes.h:233
DEBUGGER_ERROR_UNABLE_TO_SWITCH_PROCESS_ID_OR_THREAD_ID_IS_INVALID
#define DEBUGGER_ERROR_UNABLE_TO_SWITCH_PROCESS_ID_OR_THREAD_ID_IS_INVALID
error, cannot switch to new thread as the process id or thread id is not found
Definition ErrorCodes.h:362
DEBUGGER_ERROR_THE_TRAP_FLAG_LIST_IS_FULL
#define DEBUGGER_ERROR_THE_TRAP_FLAG_LIST_IS_FULL
error, the list of threads/process trap flag is full
Definition ErrorCodes.h:411
DEBUGGER_ERROR_UNABLE_TO_ATTACH_TO_AN_ALREADY_ATTACHED_PROCESS
#define DEBUGGER_ERROR_UNABLE_TO_ATTACH_TO_AN_ALREADY_ATTACHED_PROCESS
error, user debugger already attached to this process
Definition ErrorCodes.h:344
DEBUGGER_ERROR_UNABLE_TO_KILL_THE_PROCESS_DOES_NOT_EXISTS
#define DEBUGGER_ERROR_UNABLE_TO_KILL_THE_PROCESS_DOES_NOT_EXISTS
error, unable to kill the target process. process does not exists
Definition ErrorCodes.h:417
DEBUGGER_ERROR_UNABLE_TO_GET_CALLSTACK
#define DEBUGGER_ERROR_UNABLE_TO_GET_CALLSTACK
error, unable to get the callstack
Definition ErrorCodes.h:380
DEBUGGER_ERROR_PREPARING_DEBUGGEE_INVALID_CORE_IN_REMOTE_DEBUGGE
#define DEBUGGER_ERROR_PREPARING_DEBUGGEE_INVALID_CORE_IN_REMOTE_DEBUGGE
error, invalid core selected in changing core in remote debuggee
Definition ErrorCodes.h:158
DEBUGGER_ERROR_INVALID_THREAD_DEBUGGING_TOKEN
#define DEBUGGER_ERROR_INVALID_THREAD_DEBUGGING_TOKEN
error, invalid thread debugging token
Definition ErrorCodes.h:332
DEBUGGER_ERROR_UNABLE_TO_DETACH_AS_THERE_ARE_PAUSED_THREADS
#define DEBUGGER_ERROR_UNABLE_TO_DETACH_AS_THERE_ARE_PAUSED_THREADS
error, cannot detach from the process as there are paused threads
Definition ErrorCodes.h:356
DEBUGGER_ERROR_EPT_MULTIPLE_HOOKS_IN_A_SINGLE_PAGE
#define DEBUGGER_ERROR_EPT_MULTIPLE_HOOKS_IN_A_SINGLE_PAGE
error, multiple EPT Hooks or Monitors are applied on a single page
Definition ErrorCodes.h:270
DEBUGGER_ERROR_UNABLE_TO_CREATE_ACTION_CANNOT_ALLOCATE_BUFFER
#define DEBUGGER_ERROR_UNABLE_TO_CREATE_ACTION_CANNOT_ALLOCATE_BUFFER
error, enable to create action (cannot allocate buffer)
Definition ErrorCodes.h:453
DEBUGGER_ERROR_USING_SHORT_CIRCUITING_EVENT_WITH_POST_EVENT_MODE_IS_FORBIDDEDN
#define DEBUGGER_ERROR_USING_SHORT_CIRCUITING_EVENT_WITH_POST_EVENT_MODE_IS_FORBIDDEDN
error, using short-circuiting event with post-event mode is not supported in HyperDbg
Definition ErrorCodes.h:393
DEBUGGER_ERROR_COULD_NOT_BUILD_THE_EPT_HOOK
#define DEBUGGER_ERROR_COULD_NOT_BUILD_THE_EPT_HOOK
error, could not build the EPT Hook
Definition ErrorCodes.h:276
DEBUGGER_ERROR_EVENT_IS_NOT_APPLIED
#define DEBUGGER_ERROR_EVENT_IS_NOT_APPLIED
error, for event specific reasons the event is not applied
Definition ErrorCodes.h:227
DEBUGGER_ERROR_BREAKPOINT_ALREADY_DISABLED
#define DEBUGGER_ERROR_BREAKPOINT_ALREADY_DISABLED
error, breakpoint already disabled
Definition ErrorCodes.h:202
DEBUGGER_ERROR_THE_MODE_EXEC_TRAP_IS_NOT_INITIALIZED
#define DEBUGGER_ERROR_THE_MODE_EXEC_TRAP_IS_NOT_INITIALIZED
error, the mode exec trap is not already initialized
Definition ErrorCodes.h:513
DEBUGGER_ERROR_UNABLE_TO_ATTACH_TO_TARGET_USER_MODE_PROCESS
#define DEBUGGER_ERROR_UNABLE_TO_ATTACH_TO_TARGET_USER_MODE_PROCESS
error, failed to attach to the target user-mode process
Definition ErrorCodes.h:294
DEBUGGER_ERROR_MEMORY_TYPE_INVALID
#define DEBUGGER_ERROR_MEMORY_TYPE_INVALID
error, memory type is invalid
Definition ErrorCodes.h:214
DEBUGGER_ERROR_FUNCTIONS_FOR_INITIALIZING_PEB_ADDRESSES_ARE_NOT_INITIALIZED
#define DEBUGGER_ERROR_FUNCTIONS_FOR_INITIALIZING_PEB_ADDRESSES_ARE_NOT_INITIALIZED
error, the needed routines for debugging is not initialized
Definition ErrorCodes.h:314
DEBUGGER_ERROR_MODE_EXECUTION_IS_INVALID
#define DEBUGGER_ERROR_MODE_EXECUTION_IS_INVALID
error, the execution mode is incorrect
Definition ErrorCodes.h:423
DEBUGGER_ERROR_INSTANT_EVENT_ACTION_BIG_PREALLOCATED_BUFFER_NOT_FOUND
#define DEBUGGER_ERROR_INSTANT_EVENT_ACTION_BIG_PREALLOCATED_BUFFER_NOT_FOUND
error, the big preallocated buffer not found (for action)
Definition ErrorCodes.h:465
DEBUGGER_ERROR_COULD_NOT_FIND_PREACTIVATION_TYPE
#define DEBUGGER_ERROR_COULD_NOT_FIND_PREACTIVATION_TYPE
error, could not find the type of preactivation
Definition ErrorCodes.h:507
DEBUGGER_ERROR_PROCESS_ID_CANNOT_BE_SPECIFIED_WHILE_APPLYING_EVENT_FROM_VMX_ROOT_MODE
#define DEBUGGER_ERROR_PROCESS_ID_CANNOT_BE_SPECIFIED_WHILE_APPLYING_EVENT_FROM_VMX_ROOT_MODE
error, the process id cannot be specified while the debugger is in VMX-root mode
Definition ErrorCodes.h:429
DEBUGGER_ERROR_EVENT_TYPE_IS_INVALID
#define DEBUGGER_ERROR_EVENT_TYPE_IS_INVALID
error, the event type is unknown
Definition ErrorCodes.h:51
DEBUGGER_ERROR_UNKNOWN_TEST_QUERY_RECEIVED
#define DEBUGGER_ERROR_UNKNOWN_TEST_QUERY_RECEIVED
error, unknown test query is received
Definition ErrorCodes.h:399
DEBUGGER_ERROR_INVALID_PHYSICAL_ADDRESS
#define DEBUGGER_ERROR_INVALID_PHYSICAL_ADDRESS
error, invalid physical address
Definition ErrorCodes.h:540
DEBUGGER_ERROR_INSTANT_EVENT_BIG_PREALLOCATED_BUFFER_NOT_FOUND
#define DEBUGGER_ERROR_INSTANT_EVENT_BIG_PREALLOCATED_BUFFER_NOT_FOUND
error, the big preallocated buffer not found
Definition ErrorCodes.h:447
DEBUGGER_ERROR_MAXIMUM_BREAKPOINT_FOR_A_SINGLE_PAGE_IS_HIT
#define DEBUGGER_ERROR_MAXIMUM_BREAKPOINT_FOR_A_SINGLE_PAGE_IS_HIT
error, maximum breakpoint for a single page is hit
Definition ErrorCodes.h:245
DEBUGGER_ERROR_TARGET_SWITCHING_CORE_IS_NOT_LOCKED
#define DEBUGGER_ERROR_TARGET_SWITCHING_CORE_IS_NOT_LOCKED
error, switching to the target core is not possible because core is not locked (probably due to a rac...
Definition ErrorCodes.h:534
DEBUGGER_ERROR_EXCEPTION_INDEX_EXCEED_FIRST_32_ENTRIES
#define DEBUGGER_ERROR_EXCEPTION_INDEX_EXCEED_FIRST_32_ENTRIES
error, the index is greater than 32 in !exception command
Definition ErrorCodes.h:75
DEBUGGER_ERROR_INVALID_ADDRESS
#define DEBUGGER_ERROR_INVALID_ADDRESS
error, invalid address specified for debugger
Definition ErrorCodes.h:63
DEBUGGER_ERROR_INSTANT_EVENT_ACTION_REGULAR_PREALLOCATED_BUFFER_NOT_FOUND
#define DEBUGGER_ERROR_INSTANT_EVENT_ACTION_REGULAR_PREALLOCATED_BUFFER_NOT_FOUND
error, the regular preallocated buffer not found (for action)
Definition ErrorCodes.h:459
DEBUGGER_ERROR_UNABLE_TO_REMOVE_HOOKS_ENTRYPOINT_NOT_REACHED
#define DEBUGGER_ERROR_UNABLE_TO_REMOVE_HOOKS_ENTRYPOINT_NOT_REACHED
error, failed to remove hooks as entrypoint is not reached yet
Definition ErrorCodes.h:302
DEBUGGER_ERROR_INVALID_ACTION_TYPE
#define DEBUGGER_ERROR_INVALID_ACTION_TYPE
error, invalid type of action
Definition ErrorCodes.h:39
DEBUGGER_ERROR_UNABLE_TO_HIDE_OR_UNHIDE_DEBUGGER
#define DEBUGGER_ERROR_UNABLE_TO_HIDE_OR_UNHIDE_DEBUGGER
error, unable to hide the debugger and enter to transparent-mode
Definition ErrorCodes.h:87
DEBUGGER_ERROR_UNABLE_TO_CREATE_EVENT
#define DEBUGGER_ERROR_UNABLE_TO_CREATE_EVENT
error, enable to create event
Definition ErrorCodes.h:57
DEBUGGER_ERROR_INVALID_PROCESS_ID
#define DEBUGGER_ERROR_INVALID_PROCESS_ID
error, the process id is invalid
Definition ErrorCodes.h:220
DEBUGGER_ERROR_PREPARING_DEBUGGEE_UNABLE_TO_SWITCH_TO_NEW_PROCESS
#define DEBUGGER_ERROR_PREPARING_DEBUGGEE_UNABLE_TO_SWITCH_TO_NEW_PROCESS
error, invalid process selected in changing process in remote debuggee
Definition ErrorCodes.h:165
DEBUGGER_ERROR_DEBUGGER_ALREADY_UHIDE
#define DEBUGGER_ERROR_DEBUGGER_ALREADY_UHIDE
error, the debugger is already in transparent-mode
Definition ErrorCodes.h:93
DEBUGGER_ERROR_UNABLE_TO_SWITCH_THERE_IS_NO_THREAD_ON_THE_PROCESS
#define DEBUGGER_ERROR_UNABLE_TO_SWITCH_THERE_IS_NO_THREAD_ON_THE_PROCESS
error, cannot switch to new thread the process doesn't contain an active thread
Definition ErrorCodes.h:368
DEBUGGER_ERROR_EDIT_MEMORY_STATUS_INVALID_PARAMETER
#define DEBUGGER_ERROR_EDIT_MEMORY_STATUS_INVALID_PARAMETER
error, invalid parameters in !e* e* commands
Definition ErrorCodes.h:99
DEBUGGER_ERROR_BREAKPOINT_ALREADY_ENABLED
#define DEBUGGER_ERROR_BREAKPOINT_ALREADY_ENABLED
error, breakpoint already enabled
Definition ErrorCodes.h:208
DEBUGGER_ERROR_PREPARING_DEBUGGEE_INVALID_BAUDRATE
#define DEBUGGER_ERROR_PREPARING_DEBUGGEE_INVALID_BAUDRATE
error, baud rate is invalid
Definition ErrorCodes.h:146
DEBUGGER_ERROR_UNABLE_TO_QUERY_COUNT_OF_PROCESSES_OR_THREADS
#define DEBUGGER_ERROR_UNABLE_TO_QUERY_COUNT_OF_PROCESSES_OR_THREADS
error, unable to query count of processes or threads
Definition ErrorCodes.h:386
DEBUGGER_ERROR_EPT_COULD_NOT_SPLIT_THE_LARGE_PAGE_TO_4KB_PAGES
#define DEBUGGER_ERROR_EPT_COULD_NOT_SPLIT_THE_LARGE_PAGE_TO_4KB_PAGES
error, in the EPT handler, it could not split the 2MB pages to 512 entries of 4 KB pages
Definition ErrorCodes.h:258
DEBUGGER_ERROR_PREPARING_DEBUGGEE_TO_RUN_SCRIPT
#define DEBUGGER_ERROR_PREPARING_DEBUGGEE_TO_RUN_SCRIPT
error, unable to run script in remote debuggee
Definition ErrorCodes.h:172

Variable Documentation

◆ g_ActiveProcessDebuggingState

ACTIVE_DEBUGGING_PROCESS g_ActiveProcessDebuggingState
extern

State of active debugging thread.

362{0};

◆ g_AutoUnpause

BOOLEAN g_AutoUnpause
extern

Whether auto-unpause mode is enabled or not enabled.

it is enabled by default

◆ g_BreakPrintingOutput

BOOLEAN g_BreakPrintingOutput
extern

Shows whether the pause command or CTRL+C or CTRL+Break is executed or not.

◆ g_EventTag

UINT64 g_EventTag
extern

This variable holds the trace and generate numbers for new tags of events.

◆ g_EventTrace

LIST_ENTRY g_EventTrace
extern

Holds a list of events in kernel and the state of events and the commands to show the state of each command (disabled/enabled)

this list is not have any relation with the things that HyperDbg holds for each event in the kernel

400{0};

◆ g_EventTraceInitialized

BOOLEAN g_EventTraceInitialized
extern

it shows whether the debugger started using events or not or in other words, is g_EventTrace initialized with a variable or it is empty

◆ g_IsConnectedToRemoteDebuggee

BOOLEAN g_IsConnectedToRemoteDebuggee
extern

Shows whether the current debugger is the host and connected to a remote debuggee (guest)

◆ g_IsConnectedToRemoteDebugger

BOOLEAN g_IsConnectedToRemoteDebugger
extern

Shows whether the current system is a guest (debuggee) and a remote debugger is connected to this system.

◆ g_IsSerialConnectedToRemoteDebuggee

BOOLEAN g_IsSerialConnectedToRemoteDebuggee
extern

Shows if the debugger was connected to remote debuggee over (A remote guest)

◆ g_IsSerialConnectedToRemoteDebugger

BOOLEAN g_IsSerialConnectedToRemoteDebugger
extern

Shows if the debugger was connected to remote debugger (A remote host)

◆ g_KernelBaseAddress

UINT64 g_KernelBaseAddress
extern

Shows the kernel base address.

◆ g_OutputSources

LIST_ENTRY g_OutputSources
extern

Holds a list of output sources created by output command.

user-mode events and output sources are two separate things in HyperDbg

417{0};

◆ g_OutputSourcesInitialized

BOOLEAN g_OutputSourcesInitialized
extern

it shows whether the debugger started using output sources or not or in other words, is g_OutputSources initialized with a variable or it is empty