HyperDbg Debugger
Loading...
Searching...
No Matches
debugger.cpp File Reference

Interpret general fields. More...

#include "pch.h"

Functions

BOOLEAN ShowErrorMessage (UINT32 Error)
 shows the error message
UINT64 DebuggerGetNtoskrnlBase ()
 Get ntoskrnl.exe base in the kernel.
UINT64 DebuggerGetKernelBase ()
 Get the base address of the kernel module.
BOOLEAN DebuggerPauseDebuggee ()
 pauses the debuggee
BOOLEAN IsConnectedToAnyInstanceOfDebuggerOrDebuggee ()
 Shows whether the debugger is connected to a debugger or debuggee connected to a debugger.
BOOLEAN IsTagExist (UINT64 Tag)
 Check whether the tag exists or not, if the tag is DEBUGGER_MODIFY_EVENTS_APPLY_TO_ALL_TAG then if we find just one event, it also means that the tag is found.
BOOLEAN InterpretScript (vector< CommandToken > *CommandTokens, PBOOLEAN ScriptSyntaxErrors, PUINT64 BufferAddress, PUINT32 BufferLength, PUINT32 Pointer, PUINT64 ScriptCodeBuffer)
 Interpret script (if an event has script).
BOOLEAN InterpretConditionsAndCodes (vector< CommandToken > *CommandTokens, BOOLEAN IsConditionBuffer, PUINT64 BufferAddress, PUINT32 BufferLength)
 Interpret conditions (if an event has condition) and custom code.
BOOLEAN InterpretOutput (vector< CommandToken > *CommandTokens, vector< string > &InputSources)
 Interpret output (if an event has special output).
BOOLEAN SendEventToKernel (PDEBUGGER_GENERAL_EVENT_DETAIL Event, UINT32 EventBufferLength)
 Register the event to the kernel.
BOOLEAN RegisterActionToEvent (PDEBUGGER_GENERAL_EVENT_DETAIL Event, PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger, UINT32 ActionBreakToDebuggerLength, PDEBUGGER_GENERAL_ACTION ActionCustomCode, UINT32 ActionCustomCodeLength, PDEBUGGER_GENERAL_ACTION ActionScript, UINT32 ActionScriptLength)
 Register the action to the event.
UINT64 GetNewDebuggerEventTag ()
 Get the New Debugger Event Tag object and increase the global variable for tag.
VOID FreeEventsAndActionsMemory (PDEBUGGER_GENERAL_EVENT_DETAIL Event, PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger, PDEBUGGER_GENERAL_ACTION ActionCustomCode, PDEBUGGER_GENERAL_ACTION ActionScript)
 Deallocate buffers relating to events and actions.
BOOLEAN InterpretGeneralEventAndActionsFields (vector< CommandToken > *CommandTokens, VMM_EVENT_TYPE_ENUM EventType, PDEBUGGER_GENERAL_EVENT_DETAIL *EventDetailsToFill, PUINT32 EventBufferLength, PDEBUGGER_GENERAL_ACTION *ActionDetailsToFillBreakToDebugger, PUINT32 ActionBufferLengthBreakToDebugger, PDEBUGGER_GENERAL_ACTION *ActionDetailsToFillCustomCode, PUINT32 ActionBufferLengthCustomCode, PDEBUGGER_GENERAL_ACTION *ActionDetailsToFillScript, PUINT32 ActionBufferLengthScript, PDEBUGGER_EVENT_PARSING_ERROR_CAUSE ReasonForErrorInParsing)
 Interpret general event fields.

Variables

UINT64 g_EventTag
 This variable holds the trace and generate numbers for new tags of events.
UINT64 g_KernelBaseAddress
 Shows the kernel base address.
LIST_ENTRY g_EventTrace
 Holds a list of events in kernel and the state of events and the commands to show the state of each command (disabled/enabled).
BOOLEAN g_EventTraceInitialized
 it shows whether the debugger started using events or not or in other words, is g_EventTrace initialized with a variable or it is empty
BOOLEAN g_BreakPrintingOutput
 Shows whether the pause command or CTRL+C or CTRL+Break is executed or not.
BOOLEAN g_AutoUnpause
 Whether auto-unpause mode is enabled or not enabled.
BOOLEAN g_OutputSourcesInitialized
 it shows whether the debugger started using output sources or not or in other words, is g_OutputSources initialized with a variable or it is empty
LIST_ENTRY g_OutputSources
 Holds a list of output sources created by output command.
BOOLEAN g_IsConnectedToRemoteDebuggee
 Shows whether the current debugger is the host and connected to a remote debuggee (guest).
BOOLEAN g_IsConnectedToRemoteDebugger
 Shows whether the current system is a guest (debuggee) and a remote debugger is connected to this system.
BOOLEAN g_IsSerialConnectedToRemoteDebuggee
 Shows if the debugger was connected to remote debuggee over (A remote guest).
BOOLEAN g_IsSerialConnectedToRemoteDebugger
 Shows if the debugger was connected to remote debugger (A remote host).
BOOLEAN g_IsKdModuleLoaded
 shows whether the kernel debugger (KD) module is loaded or not
BOOLEAN g_IsVmmModuleLoaded
 shows whether the VMM module is loaded or not
ACTIVE_DEBUGGING_PROCESS g_ActiveProcessDebuggingState
 State of active debugging thread.

Detailed Description

Interpret general fields.

Author
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
Version
0.1
Date
2020-05-27

Function Documentation

◆ DebuggerGetKernelBase()

UINT64 DebuggerGetKernelBase ( )

Get the base address of the kernel module.

Returns
UINT64
699{
700 UINT64 KernelBase = NULL;
701
703 {
704 KernelBase = g_KernelBaseAddress;
705 }
706 else
707 {
708 KernelBase = DebuggerGetNtoskrnlBase();
709 g_KernelBaseAddress = KernelBase;
710 }
711
712 return KernelBase;
713}
BOOLEAN g_IsSerialConnectedToRemoteDebuggee
Shows if the debugger was connected to remote debuggee over (A remote guest).
Definition globals.h:253
UINT64 g_KernelBaseAddress
Shows the kernel base address.
Definition globals.h:576
UINT64 DebuggerGetNtoskrnlBase()
Get ntoskrnl.exe base in the kernel.
Definition debugger.cpp:657
NULL()
Definition test-case-generator.py:530

◆ DebuggerGetNtoskrnlBase()

UINT64 DebuggerGetNtoskrnlBase ( )

Get ntoskrnl.exe base in the kernel.

Returns
UINT64 Base address of ntoskrnl.exe
658{
659#ifdef _WIN32
660 UINT64 NtoskrnlBase = NULL;
661 PRTL_PROCESS_MODULES Modules = NULL;
662
664 {
665 ShowMessages("err, unable to get the module list for getting ntoskrnl base address\n");
666 return NULL64_ZERO;
667 }
668
669 for (UINT32 i = 0; i < Modules->NumberOfModules; i++)
670 {
671 if (!strcmp((const CHAR *)Modules->Modules[i].FullPathName + Modules->Modules[i].OffsetToFileName,
672 "ntoskrnl.exe"))
673 {
674 NtoskrnlBase = (UINT64)Modules->Modules[i].ImageBase;
675 break;
676 }
677 }
678
679 free(Modules);
680
681 return NtoskrnlBase;
682#else
683 //
684 // TODO(Linux): NT-style system module enumeration (PRTL_PROCESS_MODULES via
685 // NtQuerySystemInformation) has no Linux analog. The kernel-module base lookup
686 // will need a Linux-specific mechanism once the kernel side exists.
687 //
688 return NULL64_ZERO;
689#endif
690}
struct _RTL_PROCESS_MODULES * PRTL_PROCESS_MODULES
#define NULL64_ZERO
Definition BasicTypes.h:111
#define FALSE
Definition BasicTypes.h:113
unsigned int UINT32
Definition BasicTypes.h:54
char CHAR
Definition BasicTypes.h:33
ULONG NumberOfModules
Definition Windows.h:34
BOOLEAN SymbolCheckAndAllocateModuleInformation(PRTL_PROCESS_MODULES *Modules)
Check and allocate module information.
Definition symbol.cpp:1303

◆ DebuggerPauseDebuggee()

BOOLEAN DebuggerPauseDebuggee ( )

pauses the debuggee

Returns
BOOLEAN shows whether the pause was successful or not, if successful then when it returns true the debuggee is not paused anymore (continued)
723{
724 BOOLEAN StatusIoctl = 0;
725 ULONG ReturnedLength = 0;
726 DEBUGGER_PAUSE_PACKET_RECEIVED PauseRequest = {0};
727
728 //
729 // Send a pause IOCTL
730 //
731 StatusIoctl = PlatformDeviceIoControl(g_DeviceHandle, // Handle to device
732 IOCTL_PAUSE_PACKET_RECEIVED, // IO Control Code (IOCTL)
733 &PauseRequest, // Input Buffer to driver.
735 // length
736 &PauseRequest, // Output Buffer from driver.
737 SIZEOF_DEBUGGER_PAUSE_PACKET_RECEIVED, // Length of output
738 // buffer in bytes.
739 &ReturnedLength, // Bytes placed in buffer.
740 NULL // synchronous call
741 );
742
743 if (!StatusIoctl)
744 {
745 ShowMessages("ioctl failed with code 0x%x\n", PlatformGetLastError());
746 return FALSE;
747 }
748
749 if (PauseRequest.Result == DEBUGGER_OPERATION_WAS_SUCCESSFUL)
750 {
751 //
752 // Nothing to show, the request was successfully processed
753 //
754 return TRUE;
755 }
756 else
757 {
758 ShowErrorMessage(PauseRequest.Result);
759 return FALSE;
760 }
761 return FALSE;
762}
UCHAR BOOLEAN
Definition BasicTypes.h:35
#define TRUE
Definition BasicTypes.h:114
unsigned long ULONG
Definition BasicTypes.h:31
#define SIZEOF_DEBUGGER_PAUSE_PACKET_RECEIVED
Definition DataTypes.h:203
struct _DEBUGGER_PAUSE_PACKET_RECEIVED DEBUGGER_PAUSE_PACKET_RECEIVED
request to pause and halt the system
#define DEBUGGER_OPERATION_WAS_SUCCESSFUL
General value to indicate that the operation or request was successful.
Definition ErrorCodes.h:23
#define IOCTL_PAUSE_PACKET_RECEIVED
ioctl, pause and halt the system
Definition Ioctls.h:242
BOOLEAN ShowErrorMessage(UINT32 Error)
shows the error message
Definition debugger.cpp:40
HANDLE g_DeviceHandle
Holds the global handle of device which is used to send the request to the kernel by IOCTL,...
Definition globals.h:481
BOOL PlatformDeviceIoControl(HANDLE Device, DWORD IoControlCode, LPVOID InBuffer, DWORD InBufferSize, LPVOID OutBuffer, DWORD OutBufferSize, LPDWORD BytesReturned, LPVOID Overlapped)
DWORD PlatformGetLastError(VOID)
Platform independent wrapper for GetLastError.
Definition platform-lib-calls.c:350
UINT32 Result
Definition DataTypes.h:212

◆ FreeEventsAndActionsMemory()

VOID FreeEventsAndActionsMemory ( PDEBUGGER_GENERAL_EVENT_DETAIL Event,
PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger,
PDEBUGGER_GENERAL_ACTION ActionCustomCode,
PDEBUGGER_GENERAL_ACTION ActionScript )

Deallocate buffers relating to events and actions.

Parameters

return VOID

1692{
1693 if (Event != NULL)
1694 {
1695 if (Event->CommandStringBuffer != NULL)
1696 {
1697 free(Event->CommandStringBuffer);
1698 }
1699
1700 free(Event);
1701 }
1702
1703 if (ActionBreakToDebugger != NULL)
1704 {
1705 free(ActionBreakToDebugger);
1706 }
1707 if (ActionCustomCode != NULL)
1708 {
1709 free(ActionCustomCode);
1710 }
1711 if (ActionScript != NULL)
1712 {
1713 free(ActionScript);
1714 }
1715}
PVOID CommandStringBuffer
Definition Events.h:398

◆ GetNewDebuggerEventTag()

UINT64 GetNewDebuggerEventTag ( )

Get the New Debugger Event Tag object and increase the global variable for tag.

Returns
UINT64
1677{
1678 return g_EventTag++;
1679}
UINT64 g_EventTag
This variable holds the trace and generate numbers for new tags of events.
Definition globals.h:385

◆ InterpretConditionsAndCodes()

BOOLEAN InterpretConditionsAndCodes ( vector< CommandToken > * CommandTokens,
BOOLEAN IsConditionBuffer,
PUINT64 BufferAddress,
PUINT32 BufferLength )

Interpret conditions (if an event has condition) and custom code.

If this function returns true then it means that there is a condition or code buffer in this command split and the details are returned in the input structure

Parameters
CommandTokenscommand tokens
IsConditionBufferis it a condition buffer or a custom code buffer
BufferAddressthe address that the allocated buffer will be saved on it
BufferLengththe length of the buffer
Returns
BOOLEAN shows whether the interpret was successful (true) or not successful (false)
1029{
1030 BOOLEAN IsAsm = FALSE;
1031 BOOLEAN IsTextVisited = FALSE;
1032 string TargetBracketString = "";
1033
1034 string Temp;
1035 vector<CHAR> ParsedBytes;
1036 vector<INT> IndexesToRemove;
1037 UCHAR * FinalBuffer;
1038 UINT32 AssembledByteCount;
1039 INT NewIndexToRemove = 0;
1040 INT Index = 0;
1041
1042 for (auto Section : *CommandTokens)
1043 {
1044 Index++;
1045
1046 if (IsTextVisited && IsTokenBracketString(Section))
1047 {
1048 //
1049 // Save to remove this string from the command
1050 //
1051 IndexesToRemove.push_back(Index);
1052
1053 //
1054 // Fill the bracket string
1055 //
1056 TargetBracketString = GetCaseSensitiveStringFromCommandToken(Section);
1057
1058 IsTextVisited = FALSE;
1059 continue;
1060 }
1061
1062 if (!IsConditionBuffer && CompareLowerCaseStrings(Section, "code"))
1063 {
1064 //
1065 // Save to remove this string from the command
1066 //
1067 IndexesToRemove.push_back(Index);
1068
1069 IsTextVisited = TRUE;
1070 continue;
1071 }
1072
1073 if (IsConditionBuffer && CompareLowerCaseStrings(Section, "condition"))
1074 {
1075 //
1076 // Save to remove this string from the command
1077 //
1078 IndexesToRemove.push_back(Index);
1079
1080 IsTextVisited = TRUE;
1081 continue;
1082 }
1083
1084 if (CompareLowerCaseStrings(Section, "asm"))
1085 {
1086 //
1087 // Save to remove this string from the command
1088 //
1089 IndexesToRemove.push_back(Index);
1090
1091 IsAsm = TRUE;
1092 continue;
1093 }
1094 }
1095
1096 //
1097 // Now we have everything in condition/code buffer
1098 // Check to see if it is empty or not
1099 //
1100 if (TargetBracketString.length() == 0)
1101 {
1102 //
1103 // Nothing in condition buffer, return zero
1104 //
1105 return FALSE;
1106 }
1107
1108 //
1109 // Check if asm code was provided instead of hex
1110 //
1111 if (IsAsm)
1112 {
1114 AssembleData.AsmRaw = TargetBracketString; // by now, it should only have one element
1116
1117 //
1118 // Append a 'ret' at the end of asm code
1119 //
1120 AssembleData.AsmFixed += "; ret";
1121
1122 if (AssembleData.Assemble(0)) // we just want the hex bytes, so NULL instead of Start_Address
1123 {
1124 ShowMessages("err, assemble error code: '%u'\n\n", AssembleData.KsErr);
1125 return FALSE;
1126 }
1127 else
1128 {
1129 //
1130 // Get the BytesCount; for readability.
1131 //
1132 AssembledByteCount = (UINT32)AssembleData.BytesCount;
1133
1134 //
1135 // * FinalBuffer *
1136 //
1137 FinalBuffer = (UCHAR *)malloc(AssembledByteCount);
1138
1139 if (FinalBuffer == NULL)
1140 {
1141 return FALSE;
1142 }
1143
1144 memcpy(FinalBuffer, AssembleData.EncodedBytes, AssembledByteCount);
1145
1146 //
1147 // Set the buffer and length
1148 //
1149 *BufferAddress = (UINT64)FinalBuffer;
1150 *BufferLength = AssembledByteCount;
1151 }
1152 }
1153 else
1154 {
1155 //
1156 // Append a 'ret' at the end of the buffer
1157 //
1158 TargetBracketString += "c3";
1159
1160 //
1161 // If we reach here then there is sth in condition buffer
1162 //
1163
1164 //
1165 // Check if the TargetBracketString is started with '0x'
1166 //
1167 if (TargetBracketString.rfind("0x", 0) == 0 || TargetBracketString.rfind("0X", 0) == 0 || TargetBracketString.rfind("\\x", 0) == 0 || TargetBracketString.rfind("\\X", 0) == 0)
1168 {
1169 Temp = TargetBracketString.erase(0, 2);
1170 }
1171 else if (TargetBracketString.rfind('x', 0) == 0 || TargetBracketString.rfind('X', 0) == 0)
1172 {
1173 Temp = TargetBracketString.erase(0, 1);
1174 }
1175 else
1176 {
1177 Temp = std::move(TargetBracketString);
1178 }
1179
1180 //
1181 // replace \x s
1182 //
1183 ReplaceAll(Temp, "\\x", "");
1184
1185 //
1186 // check if the buffer is aligned to 2
1187 //
1188 if (Temp.size() % 2 != 0)
1189 {
1190 //
1191 // Add a zero to the start of the buffer
1192 //
1193 Temp.insert(0, 1, '0');
1194 }
1195
1196 if (!IsHexNotation(Temp))
1197 {
1198 ShowMessages("please enter condition code in a hex notation\n");
1199 return FALSE;
1200 }
1201
1202 //
1203 // Convert it to vectored bytes
1204 //
1205 ParsedBytes = HexToBytes(Temp);
1206
1207 //
1208 // Convert to a contigues buffer
1209 //
1210 FinalBuffer = (UCHAR *)malloc(ParsedBytes.size());
1211
1212 if (FinalBuffer == NULL)
1213 {
1214 return FALSE;
1215 }
1216
1217 std::copy(ParsedBytes.begin(), ParsedBytes.end(), FinalBuffer);
1218
1219 //
1220 // Set the buffer and length
1221 //
1222 *BufferAddress = (UINT64)FinalBuffer;
1223 *BufferLength = (UINT32)ParsedBytes.size();
1224 }
1225
1226 //
1227 // Removing the code or condition indexes from the command
1228 //
1229 NewIndexToRemove = 0;
1230 for (auto IndexToRemove : IndexesToRemove)
1231 {
1232 NewIndexToRemove++;
1233
1234 CommandTokens->erase(CommandTokens->begin() + (IndexToRemove - NewIndexToRemove));
1235 }
1236
1237 return TRUE;
1238}
int INT
Definition BasicTypes.h:43
unsigned char UCHAR
Definition BasicTypes.h:34
Definition assembler.h:16
VOID ParseAssemblyData()
tries to solve the symbol issue with Keystone, which apparently originates from LLVM-MC.
Definition assembler.cpp:20
std::string AsmFixed
Definition assembler.h:19
UCHAR * EncodedBytes
Definition assembler.h:22
ks_err KsErr
Definition assembler.h:24
SIZE_T BytesCount
Definition assembler.h:21
INT Assemble(UINT64 StartAddr, ks_arch Arch=KS_ARCH_X86, INT Mode=KS_MODE_64, INT Syntax=KS_OPT_SYNTAX_INTEL)
Definition assembler.cpp:119
std::string AsmRaw
Definition assembler.h:18
std::string GetCaseSensitiveStringFromCommandToken(CommandToken TargetToken)
Get case sensitive string from command token.
Definition common.cpp:467
BOOLEAN IsTokenBracketString(CommandToken TargetToken)
Is token bracket string.
Definition common.cpp:524
BOOLEAN CompareLowerCaseStrings(CommandToken TargetToken, const CHAR *StringToCompare)
Compare lower case strings.
Definition common.cpp:503
BOOLEAN IsHexNotation(const string &s)
VOID ReplaceAll(string &str, const string &from, const string &to)
vector< CHAR > HexToBytes(const string &hex)

◆ InterpretGeneralEventAndActionsFields()

BOOLEAN InterpretGeneralEventAndActionsFields ( vector< CommandToken > * CommandTokens,
VMM_EVENT_TYPE_ENUM EventType,
PDEBUGGER_GENERAL_EVENT_DETAIL * EventDetailsToFill,
PUINT32 EventBufferLength,
PDEBUGGER_GENERAL_ACTION * ActionDetailsToFillBreakToDebugger,
PUINT32 ActionBufferLengthBreakToDebugger,
PDEBUGGER_GENERAL_ACTION * ActionDetailsToFillCustomCode,
PUINT32 ActionBufferLengthCustomCode,
PDEBUGGER_GENERAL_ACTION * ActionDetailsToFillScript,
PUINT32 ActionBufferLengthScript,
PDEBUGGER_EVENT_PARSING_ERROR_CAUSE ReasonForErrorInParsing )

Interpret general event fields.

Parameters
CommandTokensthe command tokens
EventTypetype of event
EventDetailsToFilla pointer address that will be filled by event detail buffer
EventBufferLengtha pointer the receives the buffer length of the event
ActionDetailsToFilla pointer address that will be filled by action detail buffer
ActionBufferLengtha pointer the receives the buffer length of the action
ReasonForErrorInParsingreason that interpretation failed, null if the returns true
Returns
BOOLEAN If this function returns true then it means that there was no error in parsing the general event details
1748{
1749 BOOLEAN Result = FALSE;
1751 PDEBUGGER_GENERAL_ACTION TempActionBreak = NULL;
1752 PDEBUGGER_GENERAL_ACTION TempActionScript = NULL;
1753 PDEBUGGER_GENERAL_ACTION TempActionCustomCode = NULL;
1755 UINT32 LengthOfCustomCodeActionBuffer = 0;
1756 UINT32 LengthOfScriptActionBuffer = 0;
1757 UINT32 LengthOfBreakActionBuffer = 0;
1758 UINT64 ConditionBufferAddress;
1759 UINT32 ConditionBufferLength = 0;
1760 vector<string> ListOfOutputSources;
1761 UINT64 CodeBufferAddress;
1762 UINT32 CodeBufferLength = 0;
1763 UINT64 ScriptBufferAddress;
1764 UINT64 ScriptCodeBuffer = 0;
1765 BOOLEAN HasScriptSyntaxError = 0;
1766 UINT32 ScriptBufferLength = 0;
1767 UINT32 ScriptBufferPointer = 0;
1768 UINT32 LengthOfEventBuffer = 0;
1769 string CommandString;
1770 BOOLEAN IsAShortCircuitingEventByDefault = FALSE;
1771 BOOLEAN HasConditionBuffer = FALSE;
1772 BOOLEAN HasOutputPath = FALSE;
1773 BOOLEAN HasCodeBuffer = FALSE;
1774 BOOLEAN HasScript = FALSE;
1775 BOOLEAN IsNextCommandPid = FALSE;
1776 BOOLEAN IsNextCommandCoreId = FALSE;
1777 BOOLEAN IsNextCommandBufferSize = FALSE;
1778 BOOLEAN IsNextCommandImmediateMessaging = FALSE;
1779 BOOLEAN IsNextCommandExecutionStage = FALSE;
1780 BOOLEAN IsNextCommandSc = FALSE;
1781 BOOLEAN ImmediateMessagePassing = UseImmediateMessagingByDefaultOnEvents;
1782 UINT32 CoreId;
1783 UINT32 ProcessId;
1784 UINT32 IndexOfValidSourceTags;
1785 UINT32 RequestBuffer = 0;
1786 PLIST_ENTRY TempList;
1787 BOOLEAN OutputSourceFound;
1788 vector<INT> IndexesToRemove;
1789 vector<UINT64> ListOfValidSourceTags;
1790 INT NewIndexToRemove = 0;
1791 INT Index = 0;
1792
1793 //
1794 // Create a command string to show in the history
1795 //
1796 for (auto Section : *CommandTokens)
1797 {
1798 CommandString.append(GetCaseSensitiveStringFromCommandToken(Section));
1799 CommandString.append(" ");
1800 }
1801
1802 //
1803 // Compute the size of buffer + 1 null for the end of buffer
1804 //
1805 UINT64 BufferOfCommandStringLength = CommandString.size() + 1;
1806
1807 //
1808 // Allocate Buffer and zero for command to the buffer
1809 //
1810 PVOID BufferOfCommandString = malloc(BufferOfCommandStringLength);
1811
1812 PlatformZeroMemory(BufferOfCommandString, BufferOfCommandStringLength);
1813
1814 //
1815 // Copy the string to the buffer
1816 //
1817 memcpy(BufferOfCommandString, CommandString.c_str(), CommandString.size());
1818
1819 //
1820 // Check if there is a condition buffer in the command
1821 //
1822 if (!InterpretConditionsAndCodes(CommandTokens, TRUE, &ConditionBufferAddress, &ConditionBufferLength))
1823 {
1824 //
1825 // Indicate condition is not available
1826 //
1827 HasConditionBuffer = FALSE;
1828
1829 /* ShowMessages("\nNo condition!\n"); */
1830 }
1831 else
1832 {
1833 //
1834 // Indicate condition is available
1835 //
1836 HasConditionBuffer = TRUE;
1837
1838 /*
1839 ShowMessages(
1840 "\n========================= Condition =========================\n");
1841
1842 ShowMessages(
1843 "\nUINT64 DebuggerCheckForCondition(PGUEST_REGS Regs_RCX, PVOID "
1844 "Context_RDX)\n{\n");
1845
1846 //
1847 // Disassemble the buffer
1848 //
1849 HyperDbgDisassembler64((UCHAR *)ConditionBufferAddress, 0x0,
1850 ConditionBufferLength);
1851
1852 ShowMessages("}\n\n");
1853
1854 ShowMessages(
1855 "=============================================================\n");
1856 */
1857 }
1858
1859 //
1860 // Check if there is a code buffer in the command
1861 //
1862 if (!InterpretConditionsAndCodes(CommandTokens, FALSE, &CodeBufferAddress, &CodeBufferLength))
1863 {
1864 //
1865 // Indicate code is not available
1866 //
1867 HasCodeBuffer = FALSE;
1868 //
1869 // ShowMessages("\nNo custom code!\n");
1870 //
1871 }
1872 else
1873 {
1874 //
1875 // Indicate code is available
1876 //
1877 HasCodeBuffer = TRUE;
1878
1879 /*
1880 ShowMessages(
1881 "\n========================= Code =========================\n");
1882 ShowMessages("\nPVOID DebuggerRunCustomCodeFunc(PVOID "
1883 "PreAllocatedBufferAddress_RCX, "
1884 "PGUEST_REGS Regs_RDX, PVOID Context_R8)\n{\n");
1885
1886 //
1887 // Disassemble the buffer
1888 //
1889 HyperDbgDisassembler64((UCHAR *)CodeBufferAddress, 0x0,
1890 CodeBufferLength);
1891
1892 ShowMessages("}\n\n");
1893
1894 ShowMessages(
1895 "=============================================================\n");
1896 */
1897 }
1898
1899 //
1900 // Check if there is a Script block in the command
1901 //
1902 if (!InterpretScript(CommandTokens,
1903 &HasScriptSyntaxError,
1904 &ScriptBufferAddress,
1905 &ScriptBufferLength,
1906 &ScriptBufferPointer,
1907 &ScriptCodeBuffer))
1908 {
1909 //
1910 // Indicate code is not available
1911 //
1912 HasScript = FALSE;
1913 //
1914 // ShowMessages("\nNo script!\n");
1915 //
1916 }
1917 else
1918 {
1919 //
1920 // Check if there is a syntax error
1921 //
1922 if (HasScriptSyntaxError)
1923 {
1924 free(BufferOfCommandString);
1925
1927 return FALSE;
1928 }
1929
1930 //
1931 // Indicate code is available
1932 //
1933 HasScript = TRUE;
1934 }
1935
1936 //
1937 // Check if there is a output path in the command
1938 //
1939 if (!InterpretOutput(CommandTokens, ListOfOutputSources))
1940 {
1941 //
1942 // Indicate output is not available
1943 //
1944 HasOutputPath = FALSE;
1945
1946 //
1947 // ShowMessages("\nNo condition!\n");
1948 //
1949 }
1950 else
1951 {
1952 //
1953 // Check for empty input
1954 //
1955 if (ListOfOutputSources.size() == 0)
1956 {
1957 //
1958 // No input !
1959 //
1960 free(BufferOfCommandString);
1961
1962 ShowMessages("err, no input found\n");
1963 *ReasonForErrorInParsing = DEBUGGER_EVENT_PARSING_ERROR_CAUSE_NO_INPUT;
1964 return FALSE;
1965 }
1966
1967 //
1968 // Check whether the size exceed maximum size or not
1969 //
1970 if (ListOfOutputSources.size() > DebuggerOutputSourceMaximumRemoteSourceForSingleEvent)
1971 {
1972 free(BufferOfCommandString);
1973
1974 ShowMessages(
1975 "err, based on this build of HyperDbg, the maximum input sources for "
1976 "a single event is 0x%x sources but you entered 0x%x sources\n",
1978 ListOfOutputSources.size());
1980 return FALSE;
1981 }
1982
1983 //
1984 // Check whether the output source initialized or not
1985 //
1987 {
1988 free(BufferOfCommandString);
1989
1990 ShowMessages("err, the name you entered, not found. Did you use "
1991 "'output' command to create it?\n");
1993 return FALSE;
1994 }
1995
1996 //
1997 // Convert output sources to the corresponding tags
1998 //
1999 for (auto item : ListOfOutputSources)
2000 {
2001 TempList = 0;
2002 OutputSourceFound = FALSE;
2003
2004 //
2005 // Now we should find the corresponding object in the list
2006 // of output sources and save its tags
2007 //
2008 TempList = &g_OutputSources;
2009
2010 while (&g_OutputSources != TempList->Flink)
2011 {
2012 TempList = TempList->Flink;
2013
2014 PDEBUGGER_EVENT_FORWARDING CurrentOutputSourceDetails = CONTAINING_RECORD(TempList, DEBUGGER_EVENT_FORWARDING, OutputSourcesList);
2015
2016 if (strcmp(CurrentOutputSourceDetails->Name,
2017 RemoveSpaces(item).c_str()) == 0)
2018 {
2019 //
2020 // Check to see the source state, whether it is closed or not
2021 //
2022 if (CurrentOutputSourceDetails->State == EVENT_FORWARDING_CLOSED)
2023 {
2024 free(BufferOfCommandString);
2025
2026 ShowMessages("err, output source already closed\n");
2028 return FALSE;
2029 }
2030
2031 //
2032 // Check to see the source state, whether it is opened or not
2033 //
2034 if (CurrentOutputSourceDetails->State == EVENT_FORWARDING_STATE_NOT_OPENED)
2035 {
2036 //
2037 // Just show a message
2038 //
2039 ShowMessages("some of the output(s) are not opened, it's not an error, but please ensure "
2040 "to open the output using the 'output' command to forward the results to the "
2041 "target resource\n");
2042 }
2043
2044 //
2045 // Indicate that we found this item
2046 //
2047 OutputSourceFound = TRUE;
2048
2049 //
2050 // Save the tag into a list which will be used later
2051 //
2052 ListOfValidSourceTags.push_back(
2053 CurrentOutputSourceDetails->OutputUniqueTag);
2054
2055 //
2056 // No need to search through the list anymore
2057 //
2058 break;
2059 }
2060 }
2061
2062 if (!OutputSourceFound)
2063 {
2064 free(BufferOfCommandString);
2065
2066 ShowMessages("err, the name you entered, not found. Did you use "
2067 "'output' command to create it?\n");
2069 return FALSE;
2070 }
2071 }
2072 //
2073 // Indicate output is available
2074 //
2075 HasOutputPath = TRUE;
2076 }
2077
2078 //
2079 // Create action and event based on previously parsed buffers
2080 // (DEBUGGER_GENERAL_ACTION)
2081 //
2082 // Allocate the buffer (with ConditionBufferLength and CodeBufferLength)
2083 //
2084
2085 /*
2086
2087 Layout of Buffer :
2088
2089 ________________________________
2090 | |
2091 | DEBUGGER_GENERAL_EVENT_DETAIL |
2092 | |
2093 |________________________________|
2094 | |
2095 | Condition Buffer |
2096 | |
2097 |________________________________|
2098
2099 */
2100
2101 /*
2102 ________________________________
2103 | |
2104 | DEBUGGER_GENERAL_ACTION |
2105 | |
2106 |________________________________|
2107 | |
2108 | Condition Custom Code |
2109 | or Script Buffer |
2110 |________________________________|
2111
2112 */
2113
2114 LengthOfEventBuffer = sizeof(DEBUGGER_GENERAL_EVENT_DETAIL) + ConditionBufferLength;
2115
2116 TempEvent = (PDEBUGGER_GENERAL_EVENT_DETAIL)malloc(LengthOfEventBuffer);
2117 PlatformZeroMemory(TempEvent, LengthOfEventBuffer);
2118
2119 //
2120 // Check if buffer is available
2121 //
2122 if (TempEvent == NULL)
2123 {
2124 ShowMessages("err, allocation error\n");
2125 *ReasonForErrorInParsing = DEBUGGER_EVENT_PARSING_ERROR_CAUSE_ALLOCATION_ERROR;
2126 goto ReturnWithError;
2127 }
2128
2129 //
2130 // Event is enabled by default when created
2131 //
2132 TempEvent->IsEnabled = TRUE;
2133
2134 //
2135 // Get a new tag for it
2136 //
2137 TempEvent->Tag = GetNewDebuggerEventTag();
2138
2139 //
2140 // Set the core Id and Process Id to all cores and all
2141 // processes, next time we check whether the user needs
2142 // a special core or a special process then we change it
2143 //
2145
2146 if (g_ActiveProcessDebuggingState.IsActive)
2147 {
2148 ShowMessages("notice: as you're debugging a user-mode application, "
2149 "this event will only trigger on your current debugging process "
2150 "(pid:%x). If you want the event from the entire system, "
2151 "add 'pid all' to the event\n\n",
2153
2154 TempEvent->ProcessId = g_ActiveProcessDebuggingState.ProcessId;
2155 }
2156 else
2157 {
2159 }
2160
2161 //
2162 // Set the event type
2163 //
2164 TempEvent->EventType = EventType;
2165
2166 //
2167 // Set buffer string command
2168 //
2169 TempEvent->CommandStringBuffer = BufferOfCommandString;
2170
2171 //
2172 // Fill the buffer of condition for event
2173 //
2174 if (HasConditionBuffer)
2175 {
2176 memcpy((PVOID)((UINT64)TempEvent + sizeof(DEBUGGER_GENERAL_EVENT_DETAIL)),
2177 (PVOID)ConditionBufferAddress,
2178 ConditionBufferLength);
2179
2180 //
2181 // Set the size of the buffer for event condition
2182 //
2183 TempEvent->ConditionBufferSize = ConditionBufferLength;
2184 }
2185
2186 //
2187 // Fill the buffer of custom code for action
2188 //
2189 if (HasCodeBuffer)
2190 {
2191 //
2192 // Allocate the Action (THIS ACTION BUFFER WILL BE FREED WHEN WE SENT IT TO
2193 // THE KERNEL AND RETURNED FROM THE KERNEL AS WE DON'T NEED IT ANYMORE)
2194 //
2195 LengthOfCustomCodeActionBuffer = sizeof(DEBUGGER_GENERAL_ACTION) + CodeBufferLength;
2196
2197 TempActionCustomCode = (PDEBUGGER_GENERAL_ACTION)malloc(LengthOfCustomCodeActionBuffer);
2198
2199 PlatformZeroMemory(TempActionCustomCode, LengthOfCustomCodeActionBuffer);
2200
2201 memcpy(
2202 (PVOID)((UINT64)TempActionCustomCode + sizeof(DEBUGGER_GENERAL_ACTION)),
2203 (PVOID)CodeBufferAddress,
2204 CodeBufferLength);
2205 //
2206 // Set the action Tag
2207 //
2208 TempActionCustomCode->EventTag = TempEvent->Tag;
2209
2210 //
2211 // Set the action type
2212 //
2213 TempActionCustomCode->ActionType = RUN_CUSTOM_CODE;
2214
2215 //
2216 // Set the action buffer size
2217 //
2218 TempActionCustomCode->CustomCodeBufferSize = CodeBufferLength;
2219
2220 //
2221 // Increase the count of actions
2222 //
2223 TempEvent->CountOfActions = TempEvent->CountOfActions + 1;
2224 }
2225
2226 //
2227 // Fill the buffer of script for action
2228 //
2229 if (HasScript)
2230 {
2231 //
2232 // Allocate the Action (THIS ACTION BUFFER WILL BE FREED WHEN WE SENT IT TO
2233 // THE KERNEL AND RETURNED FROM THE KERNEL AS WE DON'T NEED IT ANYMORE)
2234 //
2235 LengthOfScriptActionBuffer = sizeof(DEBUGGER_GENERAL_ACTION) + ScriptBufferLength;
2236 TempActionScript = (PDEBUGGER_GENERAL_ACTION)malloc(LengthOfScriptActionBuffer);
2237
2238 PlatformZeroMemory(TempActionScript, LengthOfScriptActionBuffer);
2239
2240 memcpy((PVOID)((UINT64)TempActionScript + sizeof(DEBUGGER_GENERAL_ACTION)),
2241 (PVOID)ScriptBufferAddress,
2242 ScriptBufferLength);
2243 //
2244 // Set the action Tag
2245 //
2246 TempActionScript->EventTag = TempEvent->Tag;
2247
2248 //
2249 // Set the action type
2250 //
2251 TempActionScript->ActionType = RUN_SCRIPT;
2252
2253 //
2254 // Set the action buffer size and pointer
2255 //
2256 TempActionScript->ScriptBufferSize = ScriptBufferLength;
2257 TempActionScript->ScriptBufferPointer = ScriptBufferPointer;
2258
2259 //
2260 // Increase the count of actions
2261 //
2262 TempEvent->CountOfActions = TempEvent->CountOfActions + 1;
2263
2264 //
2265 // Free the buffer of script related functions
2266 //
2268 }
2269
2270 //
2271 // If this action didn't contain a buffer for custom code and
2272 // a buffer for script then it's a break to debugger
2273 //
2274 if (!HasCodeBuffer && !HasScript)
2275 {
2276 //
2277 // Allocate the Action (THIS ACTION BUFFER WILL BE FREED WHEN WE SENT IT TO
2278 // THE KERNEL AND RETURNED FROM THE KERNEL AS WE DON'T NEED IT ANYMORE)
2279 //
2280 LengthOfBreakActionBuffer = sizeof(DEBUGGER_GENERAL_ACTION);
2281
2282 TempActionBreak = (PDEBUGGER_GENERAL_ACTION)malloc(LengthOfBreakActionBuffer);
2283
2284 PlatformZeroMemory(TempActionBreak, LengthOfBreakActionBuffer);
2285
2286 //
2287 // Set the action Tag
2288 //
2289 TempActionBreak->EventTag = TempEvent->Tag;
2290
2291 //
2292 // Set the action type
2293 //
2294 TempActionBreak->ActionType = BREAK_TO_DEBUGGER;
2295
2296 //
2297 // Increase the count of actions
2298 //
2299 TempEvent->CountOfActions = TempEvent->CountOfActions + 1;
2300 }
2301
2302 //
2303 // Interpret rest of the command
2304 //
2305 for (auto Section : *CommandTokens)
2306 {
2307 Index++;
2308
2309 if (IsNextCommandBufferSize)
2310 {
2311 if (!ConvertTokenToUInt32(Section, &RequestBuffer))
2312 {
2313 ShowMessages("err, buffer size is invalid\n");
2314 *ReasonForErrorInParsing = DEBUGGER_EVENT_PARSING_ERROR_CAUSE_FORMAT_ERROR;
2315 goto ReturnWithError;
2316 }
2317 else
2318 {
2319 //
2320 // Set the specific requested buffer size
2321 //
2322 if (TempActionBreak != NULL)
2323 {
2324 TempActionBreak->PreAllocatedBuffer = RequestBuffer;
2325 }
2326 if (TempActionScript != NULL)
2327 {
2328 TempActionScript->PreAllocatedBuffer = RequestBuffer;
2329 }
2330 if (TempActionCustomCode != NULL)
2331 {
2332 TempActionCustomCode->PreAllocatedBuffer = RequestBuffer;
2333 }
2334 }
2335 IsNextCommandBufferSize = FALSE;
2336
2337 //
2338 // Add index to remove it from the command
2339 //
2340 IndexesToRemove.push_back(Index);
2341
2342 continue;
2343 }
2344
2345 if (IsNextCommandImmediateMessaging)
2346 {
2347 if (CompareLowerCaseStrings(Section, "yes"))
2348 {
2349 ImmediateMessagePassing = TRUE;
2350 }
2351 else if (CompareLowerCaseStrings(Section, "no"))
2352 {
2353 ImmediateMessagePassing = FALSE;
2354 }
2355 else
2356 {
2357 //
2358 // err, not token recognized error
2359 //
2360
2361 ShowMessages("err, immediate messaging token is invalid\n");
2362 *ReasonForErrorInParsing = DEBUGGER_EVENT_PARSING_ERROR_CAUSE_FORMAT_ERROR;
2363 goto ReturnWithError;
2364 }
2365
2366 IsNextCommandImmediateMessaging = FALSE;
2367
2368 //
2369 // Add index to remove it from the command
2370 //
2371 IndexesToRemove.push_back(Index);
2372
2373 continue;
2374 }
2375
2376 if (IsNextCommandExecutionStage)
2377 {
2378 if (CompareLowerCaseStrings(Section, "pre"))
2379 {
2381 }
2382 else if (CompareLowerCaseStrings(Section, "post"))
2383 {
2385 }
2386 else if (CompareLowerCaseStrings(Section, "all"))
2387 {
2389 }
2390 else
2391 {
2392 //
2393 // err, not token recognized error
2394 //
2395
2396 ShowMessages("err, the specified execution mode is invalid; you can either choose 'pre' or 'post'\n");
2397 *ReasonForErrorInParsing = DEBUGGER_EVENT_PARSING_ERROR_CAUSE_FORMAT_ERROR;
2398 goto ReturnWithError;
2399 }
2400
2401 IsNextCommandExecutionStage = FALSE;
2402
2403 //
2404 // Add index to remove it from the command
2405 //
2406 IndexesToRemove.push_back(Index);
2407
2408 continue;
2409 }
2410
2411 if (IsNextCommandSc)
2412 {
2413 if (CompareLowerCaseStrings(Section, "on"))
2414 {
2415 IsAShortCircuitingEventByDefault = TRUE;
2416 }
2417 else if (CompareLowerCaseStrings(Section, "off"))
2418 {
2419 IsAShortCircuitingEventByDefault = FALSE;
2420 }
2421 else
2422 {
2423 //
2424 // err, not token recognized error
2425 //
2426
2427 ShowMessages("err, the specified short-circuiting state is invalid; you can either choose 'on' or 'off'\n");
2428 *ReasonForErrorInParsing = DEBUGGER_EVENT_PARSING_ERROR_CAUSE_FORMAT_ERROR;
2429 goto ReturnWithError;
2430 }
2431
2432 IsNextCommandSc = FALSE;
2433
2434 //
2435 // Add index to remove it from the command
2436 //
2437 IndexesToRemove.push_back(Index);
2438
2439 continue;
2440 }
2441
2442 if (IsNextCommandPid)
2443 {
2444 if (CompareLowerCaseStrings(Section, "all"))
2445 {
2447 }
2448 else if (!ConvertTokenToUInt32(Section, &ProcessId))
2449 {
2450 ShowMessages("err, pid is invalid\n");
2451 *ReasonForErrorInParsing = DEBUGGER_EVENT_PARSING_ERROR_CAUSE_FORMAT_ERROR;
2452
2453 goto ReturnWithError;
2454 }
2455 else
2456 {
2457 //
2458 // Set the specific process id
2459 //
2460 TempEvent->ProcessId = ProcessId;
2461 }
2462
2463 IsNextCommandPid = FALSE;
2464
2465 //
2466 // Add index to remove it from the command
2467 //
2468 IndexesToRemove.push_back(Index);
2469
2470 continue;
2471 }
2472
2473 if (IsNextCommandCoreId)
2474 {
2475 if (!ConvertTokenToUInt32(Section, &CoreId))
2476 {
2477 ShowMessages("err, core id is invalid\n");
2478 *ReasonForErrorInParsing = DEBUGGER_EVENT_PARSING_ERROR_CAUSE_FORMAT_ERROR;
2479 goto ReturnWithError;
2480 }
2481 else
2482 {
2483 //
2484 // Set the specific core id
2485 //
2486 TempEvent->CoreId = CoreId;
2487 }
2488 IsNextCommandCoreId = FALSE;
2489
2490 //
2491 // Add index to remove it from the command
2492 //
2493 IndexesToRemove.push_back(Index);
2494
2495 continue;
2496 }
2497
2498 if (CompareLowerCaseStrings(Section, "pid"))
2499 {
2500 IsNextCommandPid = TRUE;
2501
2502 //
2503 // Add index to remove it from the command
2504 //
2505 IndexesToRemove.push_back(Index);
2506
2507 continue;
2508 }
2509 if (CompareLowerCaseStrings(Section, "core"))
2510 {
2511 IsNextCommandCoreId = TRUE;
2512
2513 //
2514 // Add index to remove it from the command
2515 //
2516 IndexesToRemove.push_back(Index);
2517
2518 continue;
2519 }
2520
2521 if (CompareLowerCaseStrings(Section, "imm"))
2522 {
2523 //
2524 // the next command is immediate messaging indicator
2525 //
2526 IsNextCommandImmediateMessaging = TRUE;
2527
2528 //
2529 // Add index to remove it from the command
2530 //
2531 IndexesToRemove.push_back(Index);
2532
2533 continue;
2534 }
2535
2536 if (CompareLowerCaseStrings(Section, "stage"))
2537 {
2538 //
2539 // the next command is execution mode (pre- and post-events)
2540 //
2541 IsNextCommandExecutionStage = TRUE;
2542
2543 //
2544 // Add index to remove it from the command
2545 //
2546 IndexesToRemove.push_back(Index);
2547
2548 continue;
2549 }
2550
2551 if (CompareLowerCaseStrings(Section, "sc"))
2552 {
2553 //
2554 // the next command is the default short-circuiting state
2555 //
2556 IsNextCommandSc = TRUE;
2557
2558 //
2559 // Add index to remove it from the command
2560 //
2561 IndexesToRemove.push_back(Index);
2562
2563 continue;
2564 }
2565
2566 if (CompareLowerCaseStrings(Section, "buffer"))
2567 {
2568 IsNextCommandBufferSize = TRUE;
2569
2570 //
2571 // Add index to remove it from the command
2572 //
2573 IndexesToRemove.push_back(Index);
2574
2575 continue;
2576 }
2577 }
2578
2579 //
2580 // Additional validation
2581 //
2582 if (IsNextCommandCoreId)
2583 {
2584 ShowMessages("err, please specify a value for 'core'\n");
2585
2586 *ReasonForErrorInParsing = DEBUGGER_EVENT_PARSING_ERROR_CAUSE_FORMAT_ERROR;
2587
2588 goto ReturnWithError;
2589 }
2590
2591 if (IsNextCommandPid)
2592 {
2593 ShowMessages("err, please specify a value for 'pid'\n");
2594
2595 *ReasonForErrorInParsing = DEBUGGER_EVENT_PARSING_ERROR_CAUSE_FORMAT_ERROR;
2596
2597 goto ReturnWithError;
2598 }
2599
2600 if (IsNextCommandBufferSize)
2601 {
2602 ShowMessages("err, please specify a value for 'buffer'\n");
2603
2604 *ReasonForErrorInParsing = DEBUGGER_EVENT_PARSING_ERROR_CAUSE_FORMAT_ERROR;
2605
2606 goto ReturnWithError;
2607 }
2608
2609 if (IsNextCommandImmediateMessaging)
2610 {
2611 ShowMessages("err, please specify a value for 'imm'\n");
2612
2613 *ReasonForErrorInParsing = DEBUGGER_EVENT_PARSING_ERROR_CAUSE_FORMAT_ERROR;
2614
2615 goto ReturnWithError;
2616 }
2617
2618 if (IsNextCommandExecutionStage)
2619 {
2620 ShowMessages("err, please specify a value for 'stage'\n");
2621
2622 *ReasonForErrorInParsing = DEBUGGER_EVENT_PARSING_ERROR_CAUSE_FORMAT_ERROR;
2623
2624 goto ReturnWithError;
2625 }
2626
2627 if (IsNextCommandSc)
2628 {
2629 ShowMessages("err, please specify a value for 'sc'\n");
2630
2631 *ReasonForErrorInParsing = DEBUGGER_EVENT_PARSING_ERROR_CAUSE_FORMAT_ERROR;
2632
2633 goto ReturnWithError;
2634 }
2635
2636 //
2637 // Check to make sure that short-circuiting is not used in post-events
2638 //
2641 IsAShortCircuitingEventByDefault)
2642 {
2643 ShowMessages(
2644 "err, using the short-circuiting mechanism with 'post' or 'all' stage events "
2645 "doesn't make sense; it's not supported!\n");
2646
2648
2649 goto ReturnWithError;
2650 }
2651
2652 //
2653 // It's not possible to break to debugger in VMI-mode
2654 //
2655 if (!g_IsSerialConnectedToRemoteDebuggee && TempActionBreak != NULL)
2656 {
2657 ShowMessages(
2658 "err, the script or assembly code is either not found or invalid. "
2659 "As a result, the default action is to break. "
2660 "However, breaking to the debugger is not possible in the VMI Mode. "
2661 "To achieve full control of the system, you can switch to the Debugger Mode. "
2662 "In the VMI Mode, you can still use scripts and run custom code for local debugging."
2663 "For more information, please check: https://docs.hyperdbg.org/using-hyperdbg/prerequisites/operation-modes\n");
2664
2666
2667 goto ReturnWithError;
2668 }
2669
2670 //
2671 // We do not support non-immediate message passing if the user
2672 // specified a special output
2673 //
2674 if (!ImmediateMessagePassing && HasOutputPath)
2675 {
2676 ShowMessages("err, non-immediate message passing is not supported in "
2677 "'output-forwarding mode'\n");
2678
2680
2681 goto ReturnWithError;
2682 }
2683
2684 //
2685 // Set the specific requested immediate message passing
2686 //
2687 if (TempActionBreak != NULL)
2688 {
2689 TempActionBreak->ImmediateMessagePassing = ImmediateMessagePassing;
2690 }
2691 if (TempActionScript != NULL)
2692 {
2693 TempActionScript->ImmediateMessagePassing = ImmediateMessagePassing;
2694 }
2695 if (TempActionCustomCode != NULL)
2696 {
2697 TempActionCustomCode->ImmediateMessagePassing = ImmediateMessagePassing;
2698 }
2699
2700 //
2701 // Set the tags into the event list
2702 //
2703 IndexOfValidSourceTags = 0;
2704 for (auto item : ListOfValidSourceTags)
2705 {
2706 TempEvent->OutputSourceTags[IndexOfValidSourceTags] = item;
2707
2708 //
2709 // Increase index
2710 //
2711 IndexOfValidSourceTags++;
2712 }
2713
2714 //
2715 // If it has output then we should indicate it in event's object
2716 //
2717 if (HasOutputPath)
2718 {
2719 TempEvent->HasCustomOutput = TRUE;
2720 }
2721
2722 //
2723 // Set the specific requested short-circuiting state
2724 //
2725 if (IsAShortCircuitingEventByDefault)
2726 {
2727 TempEvent->EnableShortCircuiting = TRUE;
2728 }
2729
2730 //
2731 // Set the specific event mode (calling stage)
2732 //
2733 TempEvent->EventStage = CallingStage;
2734
2735 //
2736 // Fill the address and length of event before release
2737 //
2738 *EventDetailsToFill = TempEvent;
2739 *EventBufferLength = LengthOfEventBuffer;
2740
2741 //
2742 // Fill the address and length of action before release
2743 //
2744 if (TempActionBreak != NULL)
2745 {
2746 *ActionDetailsToFillBreakToDebugger = TempActionBreak;
2747 *ActionBufferLengthBreakToDebugger = LengthOfBreakActionBuffer;
2748 }
2749 if (TempActionScript != NULL)
2750 {
2751 *ActionDetailsToFillScript = TempActionScript;
2752 *ActionBufferLengthScript = LengthOfScriptActionBuffer;
2753 }
2754 if (TempActionCustomCode != NULL)
2755 {
2756 *ActionDetailsToFillCustomCode = TempActionCustomCode;
2757 *ActionBufferLengthCustomCode = LengthOfCustomCodeActionBuffer;
2758 }
2759
2760 //
2761 // Remove the command that we interpreted above from the command
2762 //
2763 for (auto IndexToRemove : IndexesToRemove)
2764 {
2765 NewIndexToRemove++;
2766 CommandTokens->erase(CommandTokens->begin() + (IndexToRemove - NewIndexToRemove));
2767 }
2768
2769 //
2770 // Check if list is initialized or not
2771 //
2773 {
2774 InitializeListHead(&g_EventTrace);
2776 }
2777
2778 //
2779 // Add the event to the trace list
2780 // UPDATE : if we add it here, then if the event was not
2781 // successful then still the event shows this event, so
2782 // we have to add it lated
2783 //
2784 // InsertHeadList(&g_EventTrace, &(TempEvent->CommandsEventList));
2785
2786 //
2787 // Everything is ok, let's return TRUE
2788 //
2790 return TRUE;
2791
2792ReturnWithError:
2793
2794 if (BufferOfCommandString)
2795 {
2796 free(BufferOfCommandString);
2797 }
2798
2799 if (TempEvent)
2800 {
2801 free(TempEvent);
2802 }
2803
2804 if (TempActionBreak != NULL)
2805 {
2806 free(TempActionBreak);
2807 }
2808 if (TempActionScript != NULL)
2809 {
2810 free(TempActionScript);
2811 }
2812 if (TempActionCustomCode != NULL)
2813 {
2814 free(TempActionCustomCode);
2815 }
2816
2817 return FALSE;
2818}
#define UseImmediateMessagingByDefaultOnEvents
Use immediate messaging (means that it sends each message when they received and do not accumulate th...
Definition Configuration.h:57
VOID PlatformZeroMemory(PVOID Destination, SIZE_T Size)
Zeros a memory block.
Definition PlatformMem.c:155
ACTIVE_DEBUGGING_PROCESS g_ActiveProcessDebuggingState
State of active debugging thread.
Definition globals.h:372
void * PVOID
Definition BasicTypes.h:56
#define DEBUGGER_EVENT_APPLY_TO_ALL_CORES
Apply the event to all the cores.
Definition Constants.h:739
#define DebuggerOutputSourceMaximumRemoteSourceForSingleEvent
Determines how many sources a debugger can have for a single event.
Definition Constants.h:251
#define DEBUGGER_EVENT_APPLY_TO_ALL_PROCESSES
Apply the event to all the processes.
Definition Constants.h:745
enum _VMM_CALLBACK_EVENT_CALLING_STAGE_TYPE VMM_CALLBACK_EVENT_CALLING_STAGE_TYPE
Type of calling the event.
@ VMM_CALLBACK_CALLING_STAGE_ALL_EVENT_EMULATION
Definition DataTypes.h:128
@ VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION
Definition DataTypes.h:126
@ VMM_CALLBACK_CALLING_STAGE_POST_EVENT_EMULATION
Definition DataTypes.h:127
struct _DEBUGGER_GENERAL_EVENT_DETAIL DEBUGGER_GENERAL_EVENT_DETAIL
Each command is like the following struct, it also used for tracing works in user mode and sending it...
struct _DEBUGGER_GENERAL_EVENT_DETAIL * PDEBUGGER_GENERAL_EVENT_DETAIL
@ RUN_CUSTOM_CODE
Definition Events.h:187
@ BREAK_TO_DEBUGGER
Definition Events.h:185
@ RUN_SCRIPT
Definition Events.h:186
struct _DEBUGGER_GENERAL_ACTION DEBUGGER_GENERAL_ACTION
Each event can have multiple actions.
struct _DEBUGGER_GENERAL_ACTION * PDEBUGGER_GENERAL_ACTION
BOOLEAN ConvertTokenToUInt32(CommandToken TargetToken, PUINT32 Result)
check and convert command token to a 32 bit unsigned integer
Definition common.cpp:546
std::string RemoveSpaces(std::string str)
Remove all the spaces in a string.
Definition common.cpp:727
BOOLEAN InterpretOutput(vector< CommandToken > *CommandTokens, vector< string > &InputSources)
Interpret output (if an event has special output).
Definition debugger.cpp:1254
BOOLEAN InterpretConditionsAndCodes(vector< CommandToken > *CommandTokens, BOOLEAN IsConditionBuffer, PUINT64 BufferAddress, PUINT32 BufferLength)
Interpret conditions (if an event has condition) and custom code.
Definition debugger.cpp:1025
BOOLEAN InterpretScript(vector< CommandToken > *CommandTokens, PBOOLEAN ScriptSyntaxErrors, PUINT64 BufferAddress, PUINT32 BufferLength, PUINT32 Pointer, PUINT64 ScriptCodeBuffer)
Interpret script (if an event has script).
Definition debugger.cpp:867
UINT64 GetNewDebuggerEventTag()
Get the New Debugger Event Tag object and increase the global variable for tag.
Definition debugger.cpp:1676
BOOLEAN g_EventTraceInitialized
it shows whether the debugger started using events or not or in other words, is g_EventTrace initiali...
Definition globals.h:400
struct _DEBUGGER_EVENT_FORWARDING DEBUGGER_EVENT_FORWARDING
structures hold the detail of event forwarding
@ EVENT_FORWARDING_CLOSED
Definition forwarding.h:55
@ EVENT_FORWARDING_STATE_NOT_OPENED
Definition forwarding.h:53
struct _DEBUGGER_EVENT_FORWARDING * PDEBUGGER_EVENT_FORWARDING
@ DEBUGGER_EVENT_PARSING_ERROR_CAUSE_OUTPUT_NAME_NOT_FOUND
Definition debugger.h:82
@ DEBUGGER_EVENT_PARSING_ERROR_CAUSE_SUCCESSFUL_NO_ERROR
Definition debugger.h:78
@ DEBUGGER_EVENT_PARSING_ERROR_CAUSE_MAXIMUM_INPUT_REACHED
Definition debugger.h:81
@ DEBUGGER_EVENT_PARSING_ERROR_CAUSE_USING_SHORT_CIRCUITING_IN_POST_EVENTS
Definition debugger.h:88
@ DEBUGGER_EVENT_PARSING_ERROR_CAUSE_NO_INPUT
Definition debugger.h:80
@ DEBUGGER_EVENT_PARSING_ERROR_CAUSE_OUTPUT_SOURCE_ALREADY_CLOSED
Definition debugger.h:83
@ DEBUGGER_EVENT_PARSING_ERROR_CAUSE_SCRIPT_SYNTAX_ERROR
Definition debugger.h:79
@ DEBUGGER_EVENT_PARSING_ERROR_CAUSE_IMMEDIATE_MESSAGING_IN_EVENT_FORWARDING_MODE
Definition debugger.h:87
@ DEBUGGER_EVENT_PARSING_ERROR_CAUSE_ALLOCATION_ERROR
Definition debugger.h:84
@ DEBUGGER_EVENT_PARSING_ERROR_CAUSE_ATTEMPT_TO_BREAK_ON_VMI_MODE
Definition debugger.h:86
@ DEBUGGER_EVENT_PARSING_ERROR_CAUSE_FORMAT_ERROR
Definition debugger.h:85
LIST_ENTRY g_EventTrace
Holds a list of events in kernel and the state of events and the commands to show the state of each c...
Definition globals.h:410
#define CONTAINING_RECORD(address, type, field)
Definition nt-list.h:36
LIST_ENTRY g_OutputSources
Holds a list of output sources created by output command.
Definition globals.h:427
BOOLEAN g_OutputSourcesInitialized
it shows whether the debugger started using output sources or not or in other words,...
Definition globals.h:418
VOID ScriptEngineWrapperRemoveSymbolBuffer(PVOID SymbolBuffer)
wrapper for removing symbol buffer
Definition script-engine-wrapper.cpp:841
DEBUGGER_EVENT_FORWARDING_STATE State
Definition forwarding.h:82
CHAR Name[MAXIMUM_CHARACTERS_FOR_EVENT_FORWARDING_NAME]
Definition forwarding.h:89
UINT64 OutputUniqueTag
Definition forwarding.h:86
UINT32 CustomCodeBufferSize
Definition Events.h:419
UINT32 ScriptBufferSize
Definition Events.h:420
DEBUGGER_EVENT_ACTION_TYPE_ENUM ActionType
Definition Events.h:415
UINT32 ScriptBufferPointer
Definition Events.h:421
UINT32 PreAllocatedBuffer
Definition Events.h:417
BOOLEAN ImmediateMessagePassing
Definition Events.h:416
UINT64 EventTag
Definition Events.h:414
BOOLEAN EnableShortCircuiting
Definition Events.h:371
BOOLEAN IsEnabled
Definition Events.h:369
VMM_EVENT_TYPE_ENUM EventType
Definition Events.h:394
UINT32 CountOfActions
Definition Events.h:391
UINT64 Tag
Definition Events.h:393
BOOLEAN HasCustomOutput
Definition Events.h:377
UINT64 OutputSourceTags[DebuggerOutputSourceMaximumRemoteSourceForSingleEvent]
Definition Events.h:382
VMM_CALLBACK_EVENT_CALLING_STAGE_TYPE EventStage
Definition Events.h:374
UINT32 ConditionBufferSize
Definition Events.h:400
UINT32 ProcessId
Definition Events.h:365
UINT32 CoreId
Definition Events.h:362

◆ InterpretOutput()

BOOLEAN InterpretOutput ( vector< CommandToken > * CommandTokens,
vector< string > & InputSources )

Interpret output (if an event has special output).

If this function returns true then it means that there is a special input that needs to be considered for this event (other than just printing) like sending over network, save to file, and send over a namedpipe

Parameters
CommandTokenscommand tokens
BufferAddressthe address that the allocated buffer will be saved on it
BufferLengththe length of the buffer
Returns
BOOLEAN shows whether the interpret was successful (true) or not successful (false)
1256{
1257 BOOLEAN IsTextVisited = FALSE;
1258 string TargetBracketString = "";
1259
1260 vector<INT> IndexesToRemove;
1261 string Token;
1262 INT NewIndexToRemove = 0;
1263 INT Index = 0;
1264 CHAR Delimiter = ',';
1265 SIZE_T Pos = 0;
1266
1267 for (auto Section : *CommandTokens)
1268 {
1269 Index++;
1270
1271 if (IsTextVisited && IsTokenBracketString(Section))
1272 {
1273 //
1274 // Save to remove this string from the command
1275 //
1276 IndexesToRemove.push_back(Index);
1277
1278 //
1279 // Fill the bracket string
1280 //
1281 TargetBracketString = GetCaseSensitiveStringFromCommandToken(Section);
1282
1283 IsTextVisited = FALSE;
1284 continue;
1285 }
1286
1287 if (CompareLowerCaseStrings(Section, "output"))
1288 {
1289 //
1290 // Save to remove this string from the command
1291 //
1292 IndexesToRemove.push_back(Index);
1293
1294 IsTextVisited = TRUE;
1295 continue;
1296 }
1297 }
1298
1299 //
1300 // Now we have everything in buffer
1301 // Check to see if it is empty or not
1302 //
1303 if (TargetBracketString.length() == 0)
1304 {
1305 //
1306 // Nothing in output buffer, return zero
1307 //
1308 return FALSE;
1309 }
1310
1311 //
1312 // Check if we see multiple sources or it's just one single output
1313 //
1314 if (TargetBracketString.find(Delimiter) != std::string::npos)
1315 {
1316 //
1317 // Delimiter found !
1318 //
1319 while ((Pos = TargetBracketString.find(Delimiter)) != string::npos)
1320 {
1321 Token = TargetBracketString.substr(0, Pos);
1322 Trim(Token);
1323
1324 if (!Token.empty())
1325 {
1326 InputSources.push_back(Token);
1327 }
1328
1329 TargetBracketString.erase(0, Pos + sizeof(Delimiter) / sizeof(char));
1330 }
1331
1332 if (!TargetBracketString.empty())
1333 {
1334 InputSources.push_back(TargetBracketString);
1335 }
1336 }
1337 else
1338 {
1339 //
1340 // Delimiter not found !
1341 //
1342 InputSources.push_back(TargetBracketString);
1343 }
1344
1345 //
1346 // Removing indexes from the command
1347 //
1348 NewIndexToRemove = 0;
1349 for (auto IndexToRemove : IndexesToRemove)
1350 {
1351 NewIndexToRemove++;
1352 CommandTokens->erase(CommandTokens->begin() + (IndexToRemove - NewIndexToRemove));
1353 }
1354
1355 return TRUE;
1356}
VOID Trim(std::string &s)
trim from both ends and start of a string (in place)
Definition common.cpp:715

◆ InterpretScript()

BOOLEAN InterpretScript ( vector< CommandToken > * CommandTokens,
PBOOLEAN ScriptSyntaxErrors,
PUINT64 BufferAddress,
PUINT32 BufferLength,
PUINT32 Pointer,
PUINT64 ScriptCodeBuffer )

Interpret script (if an event has script).

If this function returns true then it means that there is a script in this command split and the details are returned in the input structure

Parameters
CommandTokenscommand tokens
BufferAddressthe address that the allocated buffer will be saved on it
BufferLengththe length of the buffer
Returns
BOOLEAN shows whether the interpret was successful (true) or not successful (false)
873{
874 BOOLEAN IsTextVisited = FALSE;
875 string TargetBracketString = "";
876
877 vector<int> IndexesToRemove;
878 UINT32 Index = 0;
879 UINT32 NewIndexToRemove = 0;
880
881 //
882 // Indicate that there is an error at first
883 //
884 *ScriptSyntaxErrors = TRUE;
885
886 for (auto Section : *CommandTokens)
887 {
888 Index++;
889
890 if (IsTextVisited && IsTokenBracketString(Section))
891 {
892 //
893 // Save to remove this string from the command
894 //
895 IndexesToRemove.push_back(Index);
896
897 //
898 // Fill the bracket string
899 //
900 TargetBracketString = GetCaseSensitiveStringFromCommandToken(Section);
901
902 IsTextVisited = FALSE;
903 continue;
904 }
905
906 if (CompareLowerCaseStrings(Section, "script"))
907 {
908 //
909 // Save to remove this string from the command
910 //
911 IndexesToRemove.push_back(Index);
912
913 IsTextVisited = TRUE;
914 continue;
915 }
916 }
917
918 //
919 // Now we have everything in buffer
920 // Check to see if it is empty or not
921 //
922 if (TargetBracketString.length() == 0)
923 {
924 //
925 // Nothing in output buffer, return zero
926 //
927 return FALSE;
928 }
929
930 if (TargetBracketString.rfind("file:", 0) == 0)
931 {
932 //
933 // It's a file script
934 //
935 std::ifstream t(TargetBracketString.erase(0, 5).c_str());
936 std::stringstream buffer;
937 buffer << t.rdbuf();
938 TargetBracketString = buffer.str();
939 if (TargetBracketString.empty())
940 {
941 ShowMessages("err, either script file is not found or it's empty\n");
942
943 //
944 // There was an error
945 //
946 *ScriptSyntaxErrors = TRUE;
947
948 //
949 // return TRUE to show that this item contains an script
950 //
951 return TRUE;
952 }
953 }
954
955 // ShowMessages("script : %s\n", TargetBracketString.c_str());
956
957 //
958 // Run script engine handler
959 //
960 PVOID CodeBuffer = ScriptEngineParseWrapper((CHAR *)TargetBracketString.c_str(), TRUE);
961
962 if (CodeBuffer == NULL)
963 {
964 //
965 // There was an error
966 //
967 *ScriptSyntaxErrors = TRUE;
968
969 //
970 // return TRUE to show that this item contains an script
971 //
972 return TRUE;
973 }
974 else
975 {
976 //
977 // There is no syntax error
978 //
979 *ScriptSyntaxErrors = FALSE;
980 }
981
982 //
983 // Print symbols (test)
984 //
985 // PrintSymbolBufferWrapper(CodeBuffer);
986
987 //
988 // Set the buffer and length
989 //
990 *BufferAddress = ScriptEngineWrapperGetHead(CodeBuffer);
991 *BufferLength = ScriptEngineWrapperGetSize(CodeBuffer);
992 *Pointer = ScriptEngineWrapperGetPointer(CodeBuffer);
993 *ScriptCodeBuffer = (UINT64)CodeBuffer;
994
995 //
996 // Removing the script indexes from the command
997 //
998 NewIndexToRemove = 0;
999
1000 for (auto IndexToRemove : IndexesToRemove)
1001 {
1002 NewIndexToRemove++;
1003
1004 CommandTokens->erase(CommandTokens->begin() + (IndexToRemove - NewIndexToRemove));
1005 }
1006
1007 return TRUE;
1008}
UINT32 ScriptEngineWrapperGetSize(PVOID SymbolBuffer)
wrapper for getting size
Definition script-engine-wrapper.cpp:815
UINT32 ScriptEngineWrapperGetPointer(PVOID SymbolBuffer)
wrapper for getting pointer
Definition script-engine-wrapper.cpp:829
PVOID ScriptEngineParseWrapper(CHAR *Expr, BOOLEAN ShowErrorMessageIfAny)
ScriptEngineParse wrapper.
Definition script-engine-wrapper.cpp:298
UINT64 ScriptEngineWrapperGetHead(PVOID SymbolBuffer)
wrapper for getting head
Definition script-engine-wrapper.cpp:803

◆ IsConnectedToAnyInstanceOfDebuggerOrDebuggee()

BOOLEAN IsConnectedToAnyInstanceOfDebuggerOrDebuggee ( )

Shows whether the debugger is connected to a debugger or debuggee connected to a debugger.

we use this function to avoid connecting to a remote machine when debuggee or debugger is already connected to an instance

Returns
BOOLEAN
774{
775 if (g_DeviceHandle)
776 {
777 ShowMessages("err, the current system is already connected to the local "
778 "debugging, use '.disconnect' to disconnect\n");
779 return TRUE;
780 }
782 {
783 ShowMessages("err, the current system is already connected to remote "
784 "machine (debuggee), use '.disconnect' to disconnect from the "
785 "remote machine\n");
786 return TRUE;
787 }
789 {
790 ShowMessages("err, the current system is already connected to remote "
791 "machine (debugger), use '.disconnect' to disconnect from the "
792 "remote machine from debugger\n");
793 return TRUE;
794 }
796 {
797 ShowMessages(
798 "err, the current system is already connected to remote "
799 "machine (debuggee), use '.debug close' to disconnect from the "
800 "remote machine\n");
801 return TRUE;
802 }
804 {
805 ShowMessages(
806 "err, the current system is already connected to remote "
807 "machine (debugger), use '.debug close' to disconnect from the "
808 "remote machine from debugger\n");
809 return TRUE;
810 }
811
812 return FALSE;
813}
BOOLEAN g_IsConnectedToRemoteDebuggee
Shows whether the current debugger is the host and connected to a remote debuggee (guest).
Definition globals.h:96
BOOLEAN g_IsSerialConnectedToRemoteDebugger
Shows if the debugger was connected to remote debugger (A remote host).
Definition rev.cpp:18
BOOLEAN g_IsConnectedToRemoteDebugger
Shows whether the current system is a guest (debuggee) and a remote debugger is connected to this sys...
Definition globals.h:103

◆ IsTagExist()

BOOLEAN IsTagExist ( UINT64 Tag)

Check whether the tag exists or not, if the tag is DEBUGGER_MODIFY_EVENTS_APPLY_TO_ALL_TAG then if we find just one event, it also means that the tag is found.

Parameters
Tag
Returns
BOOLEAN
825{
826 PLIST_ENTRY TempList = 0;
827 PDEBUGGER_GENERAL_EVENT_DETAIL CommandDetail = {0};
828
830 {
831 return FALSE;
832 }
833
834 TempList = &g_EventTrace;
835 while (&g_EventTrace != TempList->Blink)
836 {
837 TempList = TempList->Blink;
838
839 CommandDetail = CONTAINING_RECORD(TempList, DEBUGGER_GENERAL_EVENT_DETAIL, CommandsEventList);
840
841 if (CommandDetail->Tag == Tag || Tag == DEBUGGER_MODIFY_EVENTS_APPLY_TO_ALL_TAG)
842 {
843 return TRUE;
844 }
845 }
846
847 //
848 // Not found
849 //
850 return FALSE;
851}
POOL_TYPE SIZE_T ULONG Tag
Definition Hooks.h:89
#define DEBUGGER_MODIFY_EVENTS_APPLY_TO_ALL_TAG
Apply event modifications to all tags.
Definition Constants.h:714

◆ RegisterActionToEvent()

BOOLEAN RegisterActionToEvent ( PDEBUGGER_GENERAL_EVENT_DETAIL Event,
PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger,
UINT32 ActionBreakToDebuggerLength,
PDEBUGGER_GENERAL_ACTION ActionCustomCode,
UINT32 ActionCustomCodeLength,
PDEBUGGER_GENERAL_ACTION ActionScript,
UINT32 ActionScriptLength )

Register the action to the event.

Parameters
Eventthe event instance buffer
ActionBreakToDebuggerthe action of breaking into the debugger
ActionBreakToDebuggerLengththe action of breaking into the debugger (length)
ActionCustomCodethe action of custom code
ActionCustomCodeLengththe action of custom code (length)
ActionScriptthe action of script buffer
ActionScriptLengththe action of script buffer (length)
Returns
BOOLEAN BOOLEAN if the request was successful then true if the request was not successful then false
1490{
1491 BOOL Status;
1492 ULONG ReturnedLength;
1493 DEBUGGER_EVENT_AND_ACTION_RESULT ReturnedBuffer = {0};
1494 PDEBUGGER_EVENT_AND_ACTION_RESULT TempAddingResult;
1495
1497 {
1498 //
1499 // It's action(s) in debugger mode
1500 //
1501
1502 //
1503 // Send Break to debugger packet to debuggee
1504 //
1505 if (ActionBreakToDebugger != NULL)
1506 {
1507 //
1508 // Send the add action to event from here
1509 //
1510 TempAddingResult = KdSendAddActionToEventPacketToDebuggee(
1511 ActionBreakToDebugger,
1512 ActionBreakToDebuggerLength);
1513
1514 //
1515 // Move the buffer to local buffer
1516 //
1517 memcpy(&ReturnedBuffer, TempAddingResult, sizeof(DEBUGGER_EVENT_AND_ACTION_RESULT));
1518 }
1519
1520 //
1521 // Send custom code packet to debuggee
1522 //
1523 if (ActionCustomCode != NULL)
1524 {
1525 //
1526 // Send the add action to event from here
1527 //
1528 TempAddingResult = KdSendAddActionToEventPacketToDebuggee(
1529 ActionCustomCode,
1530 ActionCustomCodeLength);
1531
1532 //
1533 // Move the buffer to local buffer
1534 //
1535 memcpy(&ReturnedBuffer, TempAddingResult, sizeof(DEBUGGER_EVENT_AND_ACTION_RESULT));
1536 }
1537
1538 //
1539 // Send custom code packet to debuggee
1540 //
1541 if (ActionScript != NULL)
1542 {
1543 //
1544 // Send the add action to event from here
1545 //
1546 TempAddingResult = KdSendAddActionToEventPacketToDebuggee(
1547 ActionScript,
1548 ActionScriptLength);
1549
1550 //
1551 // Move the buffer to local buffer
1552 //
1553 memcpy(&ReturnedBuffer, TempAddingResult, sizeof(DEBUGGER_EVENT_AND_ACTION_RESULT));
1554 }
1555 }
1556 else
1557 {
1558 //
1559 // It's either a local debugger to in vmi-mode remote connection
1560 //
1562
1563 //
1564 // Send IOCTLs
1565 //
1566
1567 //
1568 // Send Break to debugger ioctl
1569 //
1570 if (ActionBreakToDebugger != NULL)
1571 {
1572 Status = PlatformDeviceIoControl(
1573 g_DeviceHandle, // Handle to device
1574 IOCTL_DEBUGGER_ADD_ACTION_TO_EVENT, // IO Control Code (IOCTL)
1575 ActionBreakToDebugger, // Input Buffer to driver.
1576 ActionBreakToDebuggerLength, // Input buffer length
1577 &ReturnedBuffer, // Output Buffer from driver.
1578 sizeof(DEBUGGER_EVENT_AND_ACTION_RESULT), // Length
1579 // of
1580 // output
1581 // buffer
1582 // in
1583 // bytes.
1584 &ReturnedLength, // Bytes placed in buffer.
1585 NULL // synchronous call
1586 );
1587
1588 if (!Status)
1589 {
1590 ShowMessages("ioctl failed with code 0x%x\n", PlatformGetLastError());
1591 return FALSE;
1592 }
1593 }
1594
1595 //
1596 // Send custom code ioctl
1597 //
1598 if (ActionCustomCode != NULL)
1599 {
1600 Status = PlatformDeviceIoControl(
1601 g_DeviceHandle, // Handle to device
1602 IOCTL_DEBUGGER_ADD_ACTION_TO_EVENT, // IO Control Code (IOCTL)
1603 ActionCustomCode, // Input Buffer to driver.
1604 ActionCustomCodeLength, // Input buffer length
1605 &ReturnedBuffer, // Output Buffer from driver.
1606 sizeof(DEBUGGER_EVENT_AND_ACTION_RESULT), // Length
1607 // of
1608 // output
1609 // buffer
1610 // in
1611 // bytes.
1612 &ReturnedLength, // Bytes placed in buffer.
1613 NULL // synchronous call
1614 );
1615
1616 if (!Status)
1617 {
1618 ShowMessages("ioctl failed with code 0x%x\n", PlatformGetLastError());
1619 return FALSE;
1620 }
1621 }
1622
1623 //
1624 // Send custom code ioctl
1625 //
1626 if (ActionScript != NULL)
1627 {
1628 Status = PlatformDeviceIoControl(
1629 g_DeviceHandle, // Handle to device
1630 IOCTL_DEBUGGER_ADD_ACTION_TO_EVENT, // IO Control Code (IOCTL)
1631 ActionScript, // Input Buffer to driver.
1632 ActionScriptLength, // Input buffer length
1633 &ReturnedBuffer, // Output Buffer from driver.
1634 sizeof(DEBUGGER_EVENT_AND_ACTION_RESULT), // Length
1635 // of
1636 // output
1637 // buffer
1638 // in
1639 // bytes.
1640 &ReturnedLength, // Bytes placed in buffer.
1641 NULL // synchronous call
1642 );
1643
1644 if (!Status)
1645 {
1646 ShowMessages("ioctl failed with code 0x%x\n", PlatformGetLastError());
1647 return FALSE;
1648 }
1649 }
1650 }
1651
1652 //
1653 // As we're not needing any of action buffer, we'll free all of the
1654 // here in the case of a successful registration of action, however
1655 // event detail is needed for the 'event' command's list
1656 //
1657 FreeEventsAndActionsMemory(NULL, ActionBreakToDebugger, ActionCustomCode, ActionScript);
1658
1659 //
1660 // Now, we'll register the command as returned buffer shows that
1661 // this event was successful and now we can add it to the list of
1662 // events
1663 //
1664 InsertHeadList(&g_EventTrace, &(Event->CommandsEventList));
1665
1666 return TRUE;
1667}
int BOOL
Definition BasicTypes.h:25
struct _DEBUGGER_EVENT_AND_ACTION_RESULT * PDEBUGGER_EVENT_AND_ACTION_RESULT
struct _DEBUGGER_EVENT_AND_ACTION_RESULT DEBUGGER_EVENT_AND_ACTION_RESULT
Status of register buffers.
#define IOCTL_DEBUGGER_ADD_ACTION_TO_EVENT
ioctl, add action to event
Definition Ioctls.h:171
VOID FreeEventsAndActionsMemory(PDEBUGGER_GENERAL_EVENT_DETAIL Event, PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger, PDEBUGGER_GENERAL_ACTION ActionCustomCode, PDEBUGGER_GENERAL_ACTION ActionScript)
Deallocate buffers relating to events and actions.
Definition debugger.cpp:1688
PDEBUGGER_EVENT_AND_ACTION_RESULT KdSendAddActionToEventPacketToDebuggee(PDEBUGGER_GENERAL_ACTION GeneralAction, UINT32 GeneralActionLength)
Send an add action to event request to the debuggee.
Definition kd.cpp:737
#define AssertShowMessageReturnStmt(expr1, expr2, message1, message2, rc)
Definition common.h:59
#define ASSERT_MESSAGE_VMM_NOT_LOADED
Definition common.h:31
#define ASSERT_MESSAGE_DRIVER_NOT_LOADED
Definition common.h:27
#define AssertReturnFalse
Definition common.h:21
BOOLEAN g_IsVmmModuleLoaded
shows whether the VMM module is loaded or not
Definition globals.h:28
LIST_ENTRY CommandsEventList
Definition Events.h:359

◆ SendEventToKernel()

BOOLEAN SendEventToKernel ( PDEBUGGER_GENERAL_EVENT_DETAIL Event,
UINT32 EventBufferLength )

Register the event to the kernel.

Parameters
Eventthe event structure to send
EventBufferLengththe buffer length of event
Returns
BOOLEAN if the request was successful then true if the request was not successful then false
1369{
1370 BOOL Status;
1371 ULONG ReturnedLength;
1372 DEBUGGER_EVENT_AND_ACTION_RESULT ReturnedBuffer = {0};
1374
1376 {
1377 //
1378 // It's a debugger, we should send the events buffer directly
1379 // from here
1380 //
1381
1382 //
1383 // Send the buffer from here
1384 //
1385 TempRegResult = KdSendRegisterEventPacketToDebuggee(Event, EventBufferLength);
1386
1387 //
1388 // Move the buffer to local buffer
1389 //
1390 memcpy(&ReturnedBuffer, TempRegResult, sizeof(DEBUGGER_EVENT_AND_ACTION_RESULT));
1391 }
1392 else
1393 {
1394 //
1395 // It's either a debuggee or a local debugging instance
1396 //
1398
1399 //
1400 // Send IOCTL
1401 //
1402
1403 Status = PlatformDeviceIoControl(g_DeviceHandle, // Handle to device
1404 IOCTL_DEBUGGER_REGISTER_EVENT, // IO Control Code (IOCTL)
1405 Event, // Input Buffer to driver.
1406 EventBufferLength, // Input buffer length
1407 &ReturnedBuffer, // Output Buffer from driver.
1408 sizeof(DEBUGGER_EVENT_AND_ACTION_RESULT), // Length
1409 // of
1410 // output
1411 // buffer
1412 // in
1413 // bytes.
1414 &ReturnedLength, // Bytes placed in buffer.
1415 NULL // synchronous call
1416 );
1417
1418 if (!Status)
1419 {
1420 ShowMessages("ioctl failed with code 0x%x\n", PlatformGetLastError());
1421 return FALSE;
1422 }
1423 }
1424
1425 if (ReturnedBuffer.IsSuccessful && ReturnedBuffer.Error == 0)
1426 {
1427 //
1428 // Check for auto-unpause mode
1429 //
1431 {
1432 //
1433 // Allow debugger to show its contents
1434 //
1435
1436 //
1437 // Set the g_BreakPrintingOutput to FALSE
1438 //
1440
1441 //
1442 // If it's a remote debugger then we send the remote debuggee a 'g'
1443 //
1445 {
1446 RemoteConnectionSendCommand("g", (UINT32)strlen("g") + 1);
1447 }
1448
1449 ShowMessages("\n");
1450 }
1451 }
1452 else
1453 {
1454 //
1455 // Show the error
1456 //
1457 if (ReturnedBuffer.Error != 0)
1458 {
1459 ShowErrorMessage(ReturnedBuffer.Error);
1460 }
1461
1462 return FALSE;
1463 }
1464
1465 return TRUE;
1466}
#define IOCTL_DEBUGGER_REGISTER_EVENT
ioctl, register an event
Definition Ioctls.h:164
PDEBUGGER_EVENT_AND_ACTION_RESULT KdSendRegisterEventPacketToDebuggee(PDEBUGGER_GENERAL_EVENT_DETAIL Event, UINT32 EventBufferLength)
Send a register event request to the debuggee.
Definition kd.cpp:670
BOOLEAN g_BreakPrintingOutput
Shows whether the pause command or CTRL+C or CTRL+Break is executed or not.
Definition globals.h:509
INT RemoteConnectionSendCommand(const CHAR *sendbuf, INT len)
send the command as a client (debugger, host) to the server (debuggee, guest)
Definition remote-connection.cpp:445
BOOLEAN g_AutoUnpause
Whether auto-unpause mode is enabled or not enabled.
Definition globals.h:587
UINT32 Error
Definition Events.h:434
BOOLEAN IsSuccessful
Definition Events.h:433

◆ ShowErrorMessage()

BOOLEAN ShowErrorMessage ( UINT32 Error)

shows the error message

Parameters
Error
Returns
BOOLEAN
41{
42 switch (Error)
43 {
45 ShowMessages("err, tag not found (%x)\n",
46 Error);
47 break;
48
50 ShowMessages("err, invalid action type (%x)\n",
51 Error);
52 break;
53
55 ShowMessages("err, action buffer size is zero (%x)\n",
56 Error);
57 break;
58
60 ShowMessages("err, the event type is invalid (%x)\n",
61 Error);
62 break;
63
65 ShowMessages("err, unable to create event (%x)\n",
66 Error);
67 break;
68
70
71 ShowMessages("err, invalid address (%x)\n"
72 "address may be paged-out or unavailable on the page table due to 'demand paging'\n"
73 "please refer to https://docs.hyperdbg.org/tips-and-tricks/considerations/accessing-invalid-address for further information\n",
74 Error);
75 break;
76
78 ShowMessages("err, invalid core id (%x)\n",
79 Error);
80 break;
81
83 ShowMessages("err, exception index exceed first 32 entries (%x)\n",
84 Error);
85 break;
86
88 ShowMessages("err, interrupt index is not valid (%x)\n",
89 Error);
90 break;
91
93 ShowMessages("err, unable to hide or unhide debugger and entr the transparent mode (%x)\n",
94 Error);
95 break;
96
98 ShowMessages("err, debugger already hidden in the transparent mode (%x)\n",
99 Error);
100 break;
101
103 ShowMessages("err, edit memory request has invalid parameters (%x)\n",
104 Error);
105 break;
106
108 ShowMessages("err, edit memory request has invalid address based on "
109 "current process layout, the address might be valid but not "
110 "present in the ram (%x)\n"
111 "address may be paged-out or unavailable on the page table due to 'demand paging'\n"
112 "please refer to https://docs.hyperdbg.org/tips-and-tricks/considerations/accessing-invalid-address for further information\n",
113 Error);
114 break;
115
117 ShowMessages("err, edit memory request has invalid address based on other "
118 "process layout (%x)\n",
119 Error);
120 break;
121
123 ShowMessages("err, modify event with invalid tag (%x)\n",
124 Error);
125 break;
126
128 ShowMessages("err, modify event with invalid type of action (%x)\n",
129 Error);
130 break;
131
133 ShowMessages("err, invalid parameter passed to stepping core. (%x)\n",
134 Error);
135 break;
136
138 ShowMessages(
139 "err, the target thread not found or the thread is disabled (%x)\n",
140 Error);
141 break;
142
144 ShowMessages("err, invalid baud rate (%x)\n",
145 Error);
146 break;
147
149 ShowMessages("err, invalid serial port (%x)\n",
150 Error);
151 break;
152
154 ShowMessages("err, invalid core selected in switching cores (%x)\n",
155 Error);
156 break;
157
159 ShowMessages("err, unable to switch to the new process (%x)\n",
160 Error);
161 break;
162
164 ShowMessages("err, unable to run the script on remote debuggee (%x)\n",
165 Error);
166 break;
167
169 ShowMessages("err, invalid register number (%x)\n",
170 Error);
171 break;
172
174 ShowMessages("err, maximum number of breakpoints are used, you need to "
175 "send an ioctl to re-allocate new pre-allocated buffers or "
176 "configure HyperDbg to pre-allocated more buffers by "
177 "configuring MAXIMUM_BREAKPOINTS_WITHOUT_CONTINUE (%x)\n",
178 Error);
179 break;
180
182 ShowMessages("err, breakpoint already exists on target address, you can "
183 "use 'bl' command to view a list of breakpoints (%x)\n",
184 Error);
185 break;
186
188 ShowMessages("err, breakpoint id is invalid (%x)\n",
189 Error);
190 break;
191
193 ShowMessages("err, breakpoint already disabled (%x)\n",
194 Error);
195 break;
196
198 ShowMessages("err, breakpoint already enabled (%x)\n",
199 Error);
200 break;
201
203 ShowMessages("err, the memory type is invalid (%x)\n",
204 Error);
205 break;
206
208 ShowMessages("err, the process id is invalid, make sure to enter the "
209 "process id in hex format, or if you want to use it in decimal "
210 "format, add '0n' prefix to the number (%x)\n",
211 Error);
212 break;
213
215 ShowMessages("err, the event is not applied (%x)\n",
216 Error);
217 break;
218
220 ShowMessages("err, either the process id or the _EPROCESS is invalid or "
221 "cannot get the details based on the provided parameters (%x)\n",
222 Error);
223 break;
224
226 ShowMessages("err, either the thread id, _ETHREAD, or _EPROCESS is invalid or "
227 "cannot get the details based on the provided parameters (%x)\n",
228 Error);
229 break;
230
232 ShowMessages("err, the maximum breakpoint for a single page is hit, "
233 "you cannot apply more breakpoints in this page (%x)\n"
234 "please refer to https://docs.hyperdbg.org/tips-and-tricks/misc/customize-build/number-of-ept-hooks-in-one-page"
235 " for further information\n",
236 Error);
237 break;
238
240 ShowMessages("err, the pre-allocated buffer is empty, usually this buffer will be "
241 "filled at the next IOCTL when the debugger is continued (%x)\n"
242 "please visit the documentation for the 'prealloc' command or use "
243 "'.help prealloc' to to reserve more pre-allocated pools\n",
244 Error);
245 break;
246
248 ShowMessages("err, could not convert 2MB large page to 4KB pages "
249 "(maybe pre-allocated buffers are empty?) (%x)\n",
250 Error);
251 break;
252
254 ShowMessages("err, failed to get the PML1 entry of the target address (%x)\n",
255 Error);
256 break;
257
259 ShowMessages("err, the page modification is not applied, make sure that you don't "
260 "put multiple EPT Hooks or Monitors on a single page (%x)\n",
261 Error);
262 break;
263
265 ShowMessages("err, could not build the EPT hook (%x)\n",
266 Error);
267 break;
268
270 ShowMessages("err, could not find the allocation type (%x)\n",
271 Error);
272 break;
273
275 ShowMessages("err, invalid index specified for test query command (%x)\n",
276 Error);
277 break;
278
280 ShowMessages("err, unable to attach to the target process (%x)\n",
281 Error);
282 break;
283
285 ShowMessages("err, unable to remove hooks as the entrypoint of user-mode "
286 "process is not reached yet (%x)\n",
287 Error);
288 break;
289
291 ShowMessages("err, unable to remove hooks (%x)\n",
292 Error);
293 break;
294
296 ShowMessages("err, the routines for getting the PEB is not correctly "
297 "initialized (%x)\n",
298 Error);
299 break;
300
302 ShowMessages("err, unable to detect whether the process was 32-bit "
303 "or 64-bit (%x)\n",
304 Error);
305 break;
306
308 ShowMessages("err, unable to kill the process (%x)\n",
309 Error);
310 break;
311
313 ShowMessages("err, invalid thread debugging token (%x)\n",
314 Error);
315 break;
316
318 ShowMessages("err, unable to pause the threads of the process (%x)\n",
319 Error);
320 break;
321
323 ShowMessages("err, the user debugger is already attached to this "
324 "process, please use the '.switch' command to switch "
325 "to this process (%x)\n",
326 Error);
327 break;
328
330 ShowMessages("err, the user debugger is not already attached to "
331 "the process (%x)\n",
332 Error);
333 break;
334
336 ShowMessages("err, the user debugger is not able to detach from "
337 "this process as there are paused threads in the "
338 "target process, please make sure to remove all "
339 "the events and continue the target process, then "
340 "perform the detach again (%x)\n",
341 Error);
342 break;
343
345 ShowMessages("err, unable to switch to the process id or thread id "
346 "as the target process id or thread id is not found in "
347 "the attached threads list, please view the list of "
348 "processes and threads by using the '.switch list' command (%x)\n",
349 Error);
350 break;
351
353 ShowMessages("err, unable to switch to the process as the process doesn't "
354 "contain an active intercepted thread (%x)\n",
355 Error);
356 break;
357
359 ShowMessages("err, unable to get user-mode modules of the process (%x)\n",
360 Error);
361 break;
362
364 ShowMessages("err, unable to get the callstack (%x)\n",
365 Error);
366 break;
367
369 ShowMessages("err, unable to query count of processes or threads (%x)\n",
370 Error);
371 break;
372
374 ShowMessages("err, using short-circuiting event with post events is not possible (%x)\n",
375 Error);
376 break;
377
379 ShowMessages("err, unknown test query is received to the debugger (%x)\n",
380 Error);
381 break;
382
384 ShowMessages("err, invalid process or memory address (%x)\n",
385 Error);
386 break;
387
389 ShowMessages("err, unable to add the current thread/process to the list of trap flags. "
390 "Are you debugging multiple threads or stepping through different processes "
391 "simultaneously? (%x)\n",
392 Error);
393 break;
394
396 ShowMessages("err, process does not exists (already terminated?) (%x)\n",
397 Error);
398 break;
399
401 ShowMessages("err, the specified execution mode is invalid (%x)\n",
402 Error);
403 break;
404
406 ShowMessages("err, you cannot specify process id while the debugger is paused in the debugger mode. "
407 "You can use the '.process' or the '.thread' command to switch to the target process's "
408 "memory layout (%x)\n",
409 Error);
410 break;
411
413 ShowMessages("err, the requested buffer for storing event and conditions is larger than the pre-allocated "
414 "buffer size (%x)\nfor more information on how to resolve this issue, "
415 "please visit: https://docs.hyperdbg.org/tips-and-tricks/misc/instant-events\n",
416 Error);
417 break;
418
420 ShowMessages("err, not enough pre-allocated buffer exists for storing the event. You can use the 'prealloc' "
421 "command to fix this issue by pre-allocating more buffers (%x)\nfor more information "
422 "please visit: https://docs.hyperdbg.org/tips-and-tricks/misc/instant-events\n",
423 Error);
424 break;
425
427 ShowMessages("err, the requested event is considered as a \"big instant event\" and right now, there is no "
428 "pre-allocated buffer for storing it. You can use the 'prealloc' command to fix this issue by "
429 "pre-allocating big instant event buffers (%x)\nfor more information "
430 "please visit: https://docs.hyperdbg.org/tips-and-tricks/misc/instant-events\n",
431 Error);
432 break;
433
435 ShowMessages("err, unable to allocate buffer for the target action (%x)\n",
436 Error);
437 break;
438
440 ShowMessages("err, not enough pre-allocated buffer exists for storing the event's action. You can use the 'prealloc' "
441 "command to fix this issue by pre-allocating more buffers (%x)\nfor more information "
442 "please visit: https://docs.hyperdbg.org/tips-and-tricks/misc/instant-events\n",
443 Error);
444 break;
445
447 ShowMessages("err, the requested action is considered as a \"big instant event (action)\" and right now, there is no "
448 "pre-allocated buffer for storing it. You can use the 'prealloc' command to fix this issue by "
449 "pre-allocating big instant event's action buffers (%x)\nfor more information "
450 "please visit: https://docs.hyperdbg.org/tips-and-tricks/misc/instant-events\n",
451 Error);
452 break;
453
455 ShowMessages("err, the requested buffer for storing action is larger than the pre-allocated "
456 "buffer size (%x)\nfor more information on how to resolve this issue, "
457 "please visit: https://docs.hyperdbg.org/tips-and-tricks/misc/instant-events\n",
458 Error);
459 break;
460
462 ShowMessages("err, the requested optional buffer is bigger than the debuggers send/receive stack, "
463 "please select a smaller requested buffer for the target event (%x)\n",
464 Error);
465 break;
466
468 ShowMessages("err, by default HyperDbg won't allocate requested safe buffers for instant events in "
469 "the debugger mode. You can use the 'prealloc' command to allocate (regular) requested safe "
470 "buffers before running this command (%x)\nfor more information "
471 "please visit: https://docs.hyperdbg.org/tips-and-tricks/misc/instant-events\n",
472 Error);
473 break;
474
476 ShowMessages("err, the requested safe buffer is bigger than regular buffers. You can use the 'prealloc' "
477 "command to allocate (big) requested safe buffers before running this command (%x)\n"
478 "for more information "
479 "please visit: https://docs.hyperdbg.org/tips-and-tricks/misc/instant-events\n",
480 Error);
481 break;
482
484 ShowMessages("err, the requested buffer for storing safe buffers of the action is larger than the pre-allocated "
485 "buffer size (%x)\nfor more information on how to resolve this issue, "
486 "please visit: https://docs.hyperdbg.org/tips-and-tricks/misc/instant-events\n",
487 Error);
488 break;
489
491 ShowMessages("err, unable to allocate buffer for the target requested safe buffer (%x)\n",
492 Error);
493 break;
494
496 ShowMessages("err, invalid type is specified for preactivation (%x)\n",
497 Error);
498 break;
499
501 ShowMessages("err, for performance reasons, the '!mode' event command cannot be directly initialized in the Debugger Mode. "
502 "You can use the 'preactivate mode' command to preactivate this mechanism after that, "
503 "you can use the '!mode' event (%x)\n",
504 Error);
505 break;
506
508 ShowMessages("err, the event(s) that you've requested are disabled, yet HyperDbg cannot remove (clear) them in "
509 "the subsequent run due to the user-mode priority buffers being at full capacity. "
510 "This typically occurs when you attempt to clear numerous events without resuming the debuggee. "
511 "Since these unserviced events remain in the queue, HyperDbg is unable to clear them. "
512 "To address this issue, you can resume the debuggee, allowing all queued events to be cleared (usually 2 to 10 seconds). "
513 "Afterward, you can pause the debuggee again and request the removal of new events (%x)\n"
514 "for more information on how to resolve this issue "
515 "please visit: https://docs.hyperdbg.org/tips-and-tricks/misc/instant-events\n",
516 Error);
517 break;
518
520 ShowMessages("err, the event cannot be applied since not all cores are locked! "
521 "If you are using the instant-event mechanism or switching between cores, this will likely halt the system. "
522 "This may be caused by a race condition, but continuing and halting the debugger might resolve it. "
523 "If the problem persists, please open an issue and provide steps to reproduce it (%x)\n",
524 Error);
525 break;
526
528 ShowMessages("err, target core is not locked! "
529 "This may be caused by a race condition, continuing and halting the debugger might resolve it. "
530 "If the problem persists, please open an issue and provide steps to reproduce it (%x)\n",
531 Error);
532 break;
533
535 ShowMessages("err, invalid physical address (%x)\n",
536 Error);
537 break;
538
540 ShowMessages("err, could not perform APIC actions (%x)\n",
541 Error);
542 break;
543
545 ShowMessages("err, debugger was not in the hidden transparent-mode (%x)\n",
546 Error);
547 break;
548
550 ShowMessages("err, the user debugger cannot be initialized (%x)\n",
551 Error);
552 break;
553
555 ShowMessages("err, putting EPT hooks on physical address above 512 GB is not supported (%x)\n",
556 Error);
557 break;
558
560 ShowMessages("err, invalid SMI operation parameter(s) are specified (%x)\n",
561 Error);
562 break;
563
565 ShowMessages("err, unable to trigger SMI, are you running on a nested-virtualization environment? (%x)\n",
566 Error);
567 break;
568
570 ShowMessages("err, unable to apply command to the target thread (%x)\n",
571 Error);
572 break;
573
575 ShowMessages("err, the hypertrace module is not loaded and initialized, "
576 "use the 'load trace' command to load the hypertrace module (%x)\n",
577 Error);
578 break;
579
581 ShowMessages("err, invalid hypertrace operation type is specified (%x)\n",
582 Error);
583 break;
584
586 ShowMessages("err, LBR is already enabled, you can disable it using the '!lbr' command (%x)\n",
587 Error);
588 break;
589
591 ShowMessages("err, LBR is already disabled, you can enable it using the '!lbr' command (%x)\n",
592 Error);
593 break;
594
596 ShowMessages("err, LBR is not supported on this processor, this is likely caused by running inside "
597 "a nested virtualization (VM) environment that masks and removes LBR CPU flags (%x)\n",
598 Error);
599 break;
600
602 ShowMessages("err, LBR is not supported on VMCS (%x)\n",
603 Error);
604 break;
605
607 ShowMessages("err, PT is already enabled (%x)\n",
608 Error);
609 break;
610
612 ShowMessages("err, PT is already disabled (%x)\n",
613 Error);
614 break;
615
617 ShowMessages("err, PT is not supported on this processor (%x)\n",
618 Error);
619 break;
620
622 ShowMessages("err, hypertrace is already loaded, please unload hypertrace module using the "
623 "'unload' command and then load the 'VMM' module. Then you can load hypertrace "
624 "after loading the VMM as it is because hypertrace behaves differently to sync "
625 "with VMM modules; it needs to have this notion that it is running within the "
626 "hypervisor, so that is why it needs to be initialized again if the VMM module "
627 "is loaded (%x)\n",
628 Error);
629 break;
630
632 ShowMessages("err, the VMM module cannot be initialized because the debugger is not loaded (%x)\n",
633 Error);
634 break;
635
637 ShowMessages("err, cannot initialize the debugger (%x)\n",
638 Error);
639 break;
640
641 default:
642 ShowMessages("err, error not found (%x)\n",
643 Error);
644 return FALSE;
645 break;
646 }
647
648 return TRUE;
649}
#define DEBUGGER_ERROR_ACTION_BUFFER_SIZE_IS_ZERO
error, the action buffer size is invalid
Definition ErrorCodes.h:45
#define DEBUGGER_ERROR_INSTANT_EVENT_REGULAR_PREALLOCATED_BUFFER_NOT_FOUND
error, the regular preallocated buffer not found
Definition ErrorCodes.h:441
#define DEBUGGER_ERROR_EPT_FAILED_TO_GET_PML1_ENTRY_OF_TARGET_ADDRESS
error, failed to get PML1 entry of the target address
Definition ErrorCodes.h:264
#define DEBUGGER_ERROR_DEBUGGER_NOT_INITIALIZED
error, the user debugger cannot be initialized
Definition ErrorCodes.h:558
#define DEBUGGER_ERROR_UNABLE_TO_DETECT_32_BIT_OR_64_BIT_PROCESS
error, unable to get 32-bit or 64-bit of the target process
Definition ErrorCodes.h:320
#define DEBUGGER_ERROR_INSTANT_EVENT_BIG_REQUESTED_SAFE_BUFFER_NOT_FOUND
error, the requested safe buffer does not exists (big)
Definition ErrorCodes.h:489
#define DEBUGGER_ERROR_TAG_NOT_EXISTS
error, the tag not exist
Definition ErrorCodes.h:33
#define DEBUGGER_ERROR_DEBUGGER_ALREADY_HIDE
error, the debugger is already in transparent-mode
Definition ErrorCodes.h:93
#define DEBUGGER_ERROR_INTERRUPT_INDEX_IS_NOT_VALID
error, the index for !interrupt command is not between 32 to 256
Definition ErrorCodes.h:81
#define DEBUGGER_ERROR_APIC_ACTIONS_ERROR
error, could not perform APIC actions
Definition ErrorCodes.h:546
#define DEBUGGER_ERROR_UNABLE_TO_REMOVE_HOOKS
error, could not remove the previous hook
Definition ErrorCodes.h:308
#define DEBUGGER_ERROR_INSTANT_EVENT_PREALLOCATED_BUFFER_IS_NOT_ENOUGH_FOR_EVENT_AND_CONDITIONALS
error, the preallocated buffer is not enough for storing event+conditional buffer
Definition ErrorCodes.h:435
#define DEBUGGER_ERROR_INSTANT_EVENT_REQUESTED_OPTIONAL_BUFFER_IS_BIGGER_THAN_DEBUGGERS_SEND_RECEIVE_STACK
error, the requested optional buffer is bigger than send/receive stack of the debugger
Definition ErrorCodes.h:477
#define DEBUGGER_ERROR_UNABLE_TO_ALLOCATE_REQUESTED_SAFE_BUFFER
error, enable to create requested safe buffer (cannot allocate buffer)
Definition ErrorCodes.h:501
#define DEBUGGER_ERROR_MAXIMUM_BREAKPOINT_WITHOUT_CONTINUE
error, maximum pools were used without continuing debuggee
Definition ErrorCodes.h:184
#define DEBUGGER_ERROR_INSTANT_EVENT_PREALLOCATED_BUFFER_IS_NOT_ENOUGH_FOR_REQUESTED_SAFE_BUFFER
error, the preallocated buffer is not enough for storing safe requested buffer
Definition ErrorCodes.h:495
#define DEBUGGER_ERROR_READING_MEMORY_INVALID_PARAMETER
error, for reading from memory in case of invalid parameters
Definition ErrorCodes.h:405
#define DEBUGGER_ERROR_INVALID_TEST_QUERY_INDEX
error, could not find the index of test query
Definition ErrorCodes.h:288
#define DEBUGGER_ERROR_PRE_ALLOCATED_BUFFER_IS_EMPTY
error, there is no pre-allocated buffer
Definition ErrorCodes.h:251
#define DEBUGGER_ERROR_COULD_NOT_FIND_ALLOCATION_TYPE
error, could not find the type of allocation
Definition ErrorCodes.h:282
#define DEBUGGER_ERROR_MODIFY_EVENTS_INVALID_TYPE_OF_ACTION
error, type of action (enable/disable/clear) is wrong
Definition ErrorCodes.h:127
#define DEBUGGER_ERROR_BREAKPOINT_ALREADY_EXISTS_ON_THE_ADDRESS
error, breakpoint already exists on the target address
Definition ErrorCodes.h:190
#define DEBUGGER_ERROR_EDIT_MEMORY_STATUS_INVALID_ADDRESS_BASED_ON_OTHER_PROCESS
error, an invalid address is specified based on another process's cr3 in !e* or e* commands
Definition ErrorCodes.h:114
#define DEBUGGER_ERROR_INSTANT_EVENT_REGULAR_REQUESTED_SAFE_BUFFER_NOT_FOUND
error, the requested safe buffer does not exist (regular)
Definition ErrorCodes.h:483
#define DEBUGGER_ERROR_DEBUGGER_ALREADY_UNHIDE
error, debugger is already not in the transparent-mode
Definition ErrorCodes.h:552
#define DEBUGGER_ERROR_LBR_NOT_SUPPORTED_ON_VMCS
error, LBR not supported on VMCS
Definition ErrorCodes.h:618
#define DEBUGGER_ERROR_STEPPINGS_EITHER_THREAD_NOT_FOUND_OR_DISABLED
error, thread is invalid (not found) or disabled in stepping (step-in & step-out) requests
Definition ErrorCodes.h:140
#define DEBUGGER_ERROR_DETAILS_OR_SWITCH_THREAD_INVALID_PARAMETER
error, for thread switch or thread details, invalid parameter
Definition ErrorCodes.h:239
#define DEBUGGER_ERROR_UNABLE_TO_PAUSE_THE_PROCESS_THREADS
error, unable to pause the process's threads
Definition ErrorCodes.h:338
#define DEBUGGER_ERROR_UNABLE_TO_TRIGGER_SMI
error, unable to trigger SMI
Definition ErrorCodes.h:576
#define DEBUGGER_ERROR_INSTANT_EVENT_PREALLOCATED_BUFFER_IS_NOT_ENOUGH_FOR_ACTION_BUFFER
error, the preallocated buffer is not enough for storing action buffer
Definition ErrorCodes.h:471
#define DEBUGGER_ERROR_BREAKPOINT_ID_NOT_FOUND
error, breakpoint id not found
Definition ErrorCodes.h:196
#define DEBUGGER_ERROR_INVALID_CORE_ID
error, the core id is invalid
Definition ErrorCodes.h:69
#define DEBUGGER_ERROR_STEPPING_INVALID_PARAMETER
error, invalid parameters steppings actions
Definition ErrorCodes.h:133
#define DEBUGGER_ERROR_INVALID_REGISTER_NUMBER
error, invalid register number
Definition ErrorCodes.h:178
#define DEBUGGER_ERROR_UNABLE_TO_KILL_THE_PROCESS
error, unable to kill the target process
Definition ErrorCodes.h:326
#define DEBUGGER_ERROR_EDIT_MEMORY_STATUS_INVALID_ADDRESS_BASED_ON_CURRENT_PROCESS
error, an invalid address is specified based on current cr3 in !e* or e* commands
Definition ErrorCodes.h:106
#define DEBUGGER_ERROR_MODIFY_EVENTS_INVALID_TAG
error, invalid tag for 'events' command (tag id is unknown for kernel)
Definition ErrorCodes.h:121
#define DEBUGGER_ERROR_INVALID_HYPERTRACE_OPERATION_TYPE
error, invalid HyperTrace operation type is specified in the request
Definition ErrorCodes.h:594
#define DEBUGGER_ERROR_UNABLE_TO_GET_MODULES_OF_THE_PROCESS
error, unable to get modules
Definition ErrorCodes.h:374
#define DEBUGGER_ERROR_PREPARING_DEBUGGEE_INVALID_SERIAL_PORT
error, serial port address is invalid
Definition ErrorCodes.h:152
#define DEBUGGER_ERROR_THE_USER_DEBUGGER_NOT_ATTACHED_TO_THE_PROCESS
error, the user debugger is not attached to the target process
Definition ErrorCodes.h:350
#define DEBUGGER_ERROR_THE_TARGET_EVENT_IS_DISABLED_BUT_CANNOT_BE_CLEARED_PRIRITY_BUFFER_IS_FULL
error, the target event(s) is/are disabled but cannot clear them because the buffer of the user-mode ...
Definition ErrorCodes.h:520
#define DEBUGGER_ERROR_NOT_ALL_CORES_ARE_LOCKED_FOR_APPLYING_INSTANT_EVENT
error, not all cores are locked (probably due to a race condition in HyperDbg) in instant-event mecha...
Definition ErrorCodes.h:527
#define DEBUGGER_ERROR_DETAILS_OR_SWITCH_PROCESS_INVALID_PARAMETER
error, for process switch or process details, invalid parameter
Definition ErrorCodes.h:233
#define DEBUGGER_ERROR_UNABLE_TO_SWITCH_PROCESS_ID_OR_THREAD_ID_IS_INVALID
error, cannot switch to new thread as the process id or thread id is not found
Definition ErrorCodes.h:362
#define DEBUGGER_ERROR_LBR_ALREADY_DISABLED
error, LBR is already disabled
Definition ErrorCodes.h:606
#define DEBUGGER_ERROR_THE_TRAP_FLAG_LIST_IS_FULL
error, the list of threads/process trap flag is full
Definition ErrorCodes.h:411
#define DEBUGGER_ERROR_PT_ALREADY_ENABLED
error, PT is already enabled
Definition ErrorCodes.h:624
#define DEBUGGER_ERROR_LBR_ALREADY_ENABLED
error, LBR is already enabled
Definition ErrorCodes.h:600
#define DEBUGGER_ERROR_UNABLE_TO_ATTACH_TO_AN_ALREADY_ATTACHED_PROCESS
error, user debugger already attached to this process
Definition ErrorCodes.h:344
#define DEBUGGER_ERROR_CANNOT_PUT_EPT_HOOKS_ON_PHYSICAL_ADDRESS_ABOVE_512_GB
error, cannot put EPT hooks on addresses above 512 GB
Definition ErrorCodes.h:564
#define DEBUGGER_ERROR_UNABLE_TO_KILL_THE_PROCESS_DOES_NOT_EXISTS
error, unable to kill the target process. process does not exists
Definition ErrorCodes.h:417
#define DEBUGGER_ERROR_UNABLE_TO_GET_CALLSTACK
error, unable to get the callstack
Definition ErrorCodes.h:380
#define DEBUGGER_ERROR_PREPARING_DEBUGGEE_INVALID_CORE_IN_REMOTE_DEBUGGE
error, invalid core selected in changing core in remote debuggee
Definition ErrorCodes.h:158
#define DEBUGGER_ERROR_INVALID_THREAD_DEBUGGING_TOKEN
error, invalid thread debugging token
Definition ErrorCodes.h:332
#define DEBUGGER_ERROR_UNABLE_TO_DETACH_AS_THERE_ARE_PAUSED_THREADS
error, cannot detach from the process as there are paused threads
Definition ErrorCodes.h:356
#define DEBUGGER_ERROR_PT_ALREADY_DISABLED
error, PT is already disabled
Definition ErrorCodes.h:630
#define DEBUGGER_ERROR_EPT_MULTIPLE_HOOKS_IN_A_SINGLE_PAGE
error, multiple EPT Hooks or Monitors are applied on a single page
Definition ErrorCodes.h:270
#define DEBUGGER_ERROR_UNABLE_TO_CREATE_ACTION_CANNOT_ALLOCATE_BUFFER
error, enable to create action (cannot allocate buffer)
Definition ErrorCodes.h:453
#define DEBUGGER_ERROR_USING_SHORT_CIRCUITING_EVENT_WITH_POST_EVENT_MODE_IS_FORBIDDEDN
error, using short-circuiting event with post-event mode is not supported in HyperDbg
Definition ErrorCodes.h:393
#define DEBUGGER_ERROR_COULD_NOT_BUILD_THE_EPT_HOOK
error, could not build the EPT Hook
Definition ErrorCodes.h:276
#define DEBUGGER_ERROR_INVALID_SMI_OPERATION_PARAMETERS
error, invalid parameters for SMI operation request
Definition ErrorCodes.h:570
#define DEBUGGER_ERROR_EVENT_IS_NOT_APPLIED
error, for event specific reasons the event is not applied
Definition ErrorCodes.h:227
#define DEBUGGER_ERROR_BREAKPOINT_ALREADY_DISABLED
error, breakpoint already disabled
Definition ErrorCodes.h:202
#define DEBUGGER_ERROR_THE_MODE_EXEC_TRAP_IS_NOT_INITIALIZED
error, the mode exec trap is not already initialized
Definition ErrorCodes.h:513
#define DEBUGGER_ERROR_UNABLE_TO_ATTACH_TO_TARGET_USER_MODE_PROCESS
error, failed to attach to the target user-mode process
Definition ErrorCodes.h:294
#define DEBUGGER_ERROR_MEMORY_TYPE_INVALID
error, memory type is invalid
Definition ErrorCodes.h:214
#define DEBUGGER_ERROR_FUNCTIONS_FOR_INITIALIZING_PEB_ADDRESSES_ARE_NOT_INITIALIZED
error, the needed routines for debugging is not initialized
Definition ErrorCodes.h:314
#define DEBUGGER_ERROR_PT_NOT_SUPPORTED
error, PT is not supported by the processor
Definition ErrorCodes.h:636
#define DEBUGGER_ERROR_LBR_NOT_SUPPORTED
error, LBR is not supported by the processor
Definition ErrorCodes.h:612
#define DEBUGGER_ERROR_MODE_EXECUTION_IS_INVALID
error, the execution mode is incorrect
Definition ErrorCodes.h:423
#define DEBUGGER_ERROR_INSTANT_EVENT_ACTION_BIG_PREALLOCATED_BUFFER_NOT_FOUND
error, the big preallocated buffer not found (for action)
Definition ErrorCodes.h:465
#define DEBUGGER_ERROR_COULD_NOT_FIND_PREACTIVATION_TYPE
error, could not find the type of preactivation
Definition ErrorCodes.h:507
#define DEBUGGER_ERROR_PROCESS_ID_CANNOT_BE_SPECIFIED_WHILE_APPLYING_EVENT_FROM_VMX_ROOT_MODE
error, the process id cannot be specified while the debugger is in VMX-root mode
Definition ErrorCodes.h:429
#define DEBUGGER_ERROR_EVENT_TYPE_IS_INVALID
error, the event type is unknown
Definition ErrorCodes.h:51
#define DEBUGGER_ERROR_UNKNOWN_TEST_QUERY_RECEIVED
error, unknown test query is received
Definition ErrorCodes.h:399
#define DEBUGGER_ERROR_INVALID_PHYSICAL_ADDRESS
error, invalid physical address
Definition ErrorCodes.h:540
#define DEBUGGER_ERROR_INSTANT_EVENT_BIG_PREALLOCATED_BUFFER_NOT_FOUND
error, the big preallocated buffer not found
Definition ErrorCodes.h:447
#define DEBUGGER_ERROR_MAXIMUM_BREAKPOINT_FOR_A_SINGLE_PAGE_IS_HIT
error, maximum breakpoint for a single page is hit
Definition ErrorCodes.h:245
#define DEBUGGER_ERROR_TARGET_SWITCHING_CORE_IS_NOT_LOCKED
error, switching to the target core is not possible because core is not locked (probably due to a rac...
Definition ErrorCodes.h:534
#define DEBUGGER_ERROR_VMM_CANNOT_BE_INITIALIZED_IF_HYPERTRACE_IS_LOADED
error, VMM cannot be initialized while HyperTrace module is already loaded
Definition ErrorCodes.h:642
#define DEBUGGER_ERROR_EXCEPTION_INDEX_EXCEED_FIRST_32_ENTRIES
error, the index is greater than 32 in !exception command
Definition ErrorCodes.h:75
#define DEBUGGER_ERROR_INVALID_ADDRESS
error, invalid address specified for debugger
Definition ErrorCodes.h:63
#define DEBUGGER_ERROR_INSTANT_EVENT_ACTION_REGULAR_PREALLOCATED_BUFFER_NOT_FOUND
error, the regular preallocated buffer not found (for action)
Definition ErrorCodes.h:459
#define DEBUGGER_ERROR_UNABLE_TO_REMOVE_HOOKS_ENTRYPOINT_NOT_REACHED
error, failed to remove hooks as entrypoint is not reached yet
Definition ErrorCodes.h:302
#define DEBUGGER_ERROR_INVALID_ACTION_TYPE
error, invalid type of action
Definition ErrorCodes.h:39
#define DEBUGGER_ERROR_CANNOT_INITIALIZE_DEBUGGER
error, cannot initialize the debugger
Definition ErrorCodes.h:654
#define DEBUGGER_ERROR_HYPERTRACE_NOT_INITIALIZED
error, HyperTrace is not initialized
Definition ErrorCodes.h:588
#define DEBUGGER_ERROR_UNABLE_TO_HIDE_OR_UNHIDE_DEBUGGER
error, unable to hide the debugger and enter to transparent-mode
Definition ErrorCodes.h:87
#define DEBUGGER_ERROR_UNABLE_TO_CREATE_EVENT
error, enable to create event
Definition ErrorCodes.h:57
#define DEBUGGER_ERROR_INVALID_PROCESS_ID
error, the process id is invalid
Definition ErrorCodes.h:220
#define DEBUGGER_ERROR_PREPARING_DEBUGGEE_UNABLE_TO_SWITCH_TO_NEW_PROCESS
error, invalid process selected in changing process in remote debuggee
Definition ErrorCodes.h:165
#define DEBUGGER_ERROR_UNABLE_TO_SWITCH_THERE_IS_NO_THREAD_ON_THE_PROCESS
error, cannot switch to new thread the process doesn't contain an active thread
Definition ErrorCodes.h:368
#define DEBUGGER_ERROR_EDIT_MEMORY_STATUS_INVALID_PARAMETER
error, invalid parameters in !e* e* commands
Definition ErrorCodes.h:99
#define DEBUGGER_ERROR_BREAKPOINT_ALREADY_ENABLED
error, breakpoint already enabled
Definition ErrorCodes.h:208
#define DEBUGGER_ERROR_PREPARING_DEBUGGEE_INVALID_BAUDRATE
error, baud rate is invalid
Definition ErrorCodes.h:146
#define DEBUGGER_ERROR_UNABLE_TO_QUERY_COUNT_OF_PROCESSES_OR_THREADS
error, unable to query count of processes or threads
Definition ErrorCodes.h:386
#define DEBUGGER_ERROR_UNABLE_TO_APPLY_COMMAND_TO_THE_TARGET_THREAD
error, unable to apply the command to the target thread
Definition ErrorCodes.h:582
#define DEBUGGER_ERROR_EPT_COULD_NOT_SPLIT_THE_LARGE_PAGE_TO_4KB_PAGES
error, in the EPT handler, it could not split the 2MB pages to 512 entries of 4 KB pages
Definition ErrorCodes.h:258
#define DEBUGGER_ERROR_PREPARING_DEBUGGEE_TO_RUN_SCRIPT
error, unable to run script in remote debuggee
Definition ErrorCodes.h:172
#define DEBUGGER_ERROR_VMM_CANNOT_BE_INITIALIZED_IF_DEBUGGER_IS_NOT_LOADED
error, VMM cannot be initialized if the debugger is not loaded
Definition ErrorCodes.h:648

Variable Documentation

◆ g_ActiveProcessDebuggingState

ACTIVE_DEBUGGING_PROCESS g_ActiveProcessDebuggingState
extern

State of active debugging thread.

372{0};

◆ g_AutoUnpause

BOOLEAN g_AutoUnpause
extern

Whether auto-unpause mode is enabled or not enabled.

it is enabled by default

◆ g_BreakPrintingOutput

BOOLEAN g_BreakPrintingOutput
extern

Shows whether the pause command or CTRL+C or CTRL+Break is executed or not.

◆ g_EventTag

UINT64 g_EventTag
extern

This variable holds the trace and generate numbers for new tags of events.

◆ g_EventTrace

LIST_ENTRY g_EventTrace
extern

Holds a list of events in kernel and the state of events and the commands to show the state of each command (disabled/enabled).

this list is not have any relation with the things that HyperDbg holds for each event in the kernel

410{0};

◆ g_EventTraceInitialized

BOOLEAN g_EventTraceInitialized
extern

it shows whether the debugger started using events or not or in other words, is g_EventTrace initialized with a variable or it is empty

◆ g_IsConnectedToRemoteDebuggee

BOOLEAN g_IsConnectedToRemoteDebuggee
extern

Shows whether the current debugger is the host and connected to a remote debuggee (guest).

◆ g_IsConnectedToRemoteDebugger

BOOLEAN g_IsConnectedToRemoteDebugger
extern

Shows whether the current system is a guest (debuggee) and a remote debugger is connected to this system.

◆ g_IsKdModuleLoaded

BOOLEAN g_IsKdModuleLoaded
extern

shows whether the kernel debugger (KD) module is loaded or not

◆ g_IsSerialConnectedToRemoteDebuggee

BOOLEAN g_IsSerialConnectedToRemoteDebuggee
extern

Shows if the debugger was connected to remote debuggee over (A remote guest).

◆ g_IsSerialConnectedToRemoteDebugger

BOOLEAN g_IsSerialConnectedToRemoteDebugger
extern

Shows if the debugger was connected to remote debugger (A remote host).

◆ g_IsVmmModuleLoaded

BOOLEAN g_IsVmmModuleLoaded
extern

shows whether the VMM module is loaded or not

◆ g_KernelBaseAddress

UINT64 g_KernelBaseAddress
extern

Shows the kernel base address.

◆ g_OutputSources

LIST_ENTRY g_OutputSources
extern

Holds a list of output sources created by output command.

user-mode events and output sources are two separate things in HyperDbg

427{0};

◆ g_OutputSourcesInitialized

BOOLEAN g_OutputSourcesInitialized
extern

it shows whether the debugger started using output sources or not or in other words, is g_OutputSources initialized with a variable or it is empty