HyperDbg Debugger
Loading...
Searching...
No Matches
dt-struct.cpp File Reference

dt and struct command More...

#include "pch.h"

Functions

VOID CommandDtHelp ()
 help of the dt command
VOID CommandStructHelp ()
 help of the struct command
BOOLEAN CommandDtAndStructConvertHyperDbgArgsToPdbex (vector< CommandToken > ExtraArgs, std::string &PdbexArgs, UINT32 *ProcessId)
 Convert HyperDbg arguments for dt and struct commands to pdbex arguments.
BOOLEAN CommandDtShowDataBasedOnSymbolTypes (const CHAR *TypeName, UINT64 Address, BOOLEAN IsStruct, PVOID BufferAddress, UINT32 TargetPid, BOOLEAN IsPhysicalAddress, const CHAR *AdditionalParameters)
 Show data based on the symbol structure and data types.
VOID CommandDtAndStruct (vector< CommandToken > CommandTokens, string Command)
 dt and struct command handler

Variables

BOOLEAN g_IsSerialConnectedToRemoteDebuggee
 Shows if the debugger was connected to remote debuggee over (A remote guest).
ACTIVE_DEBUGGING_PROCESS g_ActiveProcessDebuggingState
 State of active debugging thread.

Detailed Description

dt and struct command

Author
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
Version
0.1
Date
2021-12-13

Function Documentation

◆ CommandDtAndStruct()

VOID CommandDtAndStruct ( vector< CommandToken > CommandTokens,
string Command )

dt and struct command handler

Parameters
CommandTokens
Command
Returns
VOID
430{
431 CommandToken TempTypeNameHolder;
432 std::string PdbexArgs = "";
433 BOOLEAN IsStruct = FALSE;
434 UINT64 TargetAddress = NULL;
435 PVOID BufferAddressRetrievedFromDebuggee = NULL;
436 UINT32 TargetPid = NULL;
437 BOOLEAN IsPhysicalAddress = FALSE;
438
439 //
440 // Check if command is 'struct' or not
441 //
442 if (CompareLowerCaseStrings(CommandTokens.at(0), "struct") ||
443 CompareLowerCaseStrings(CommandTokens.at(0), "structure"))
444 {
445 IsStruct = TRUE;
446 }
447 else
448 {
449 IsStruct = FALSE;
450 }
451
452 //
453 // Check if command is '!dt' for physical address or not
454 //
455 if (!IsStruct && CompareLowerCaseStrings(CommandTokens.at(0), "!dt"))
456 {
457 IsPhysicalAddress = TRUE;
458 }
459 else
460 {
461 IsPhysicalAddress = FALSE;
462 }
463
464 if (CommandTokens.size() == 1)
465 {
466 ShowMessages("incorrect use of the '%s'\n\n",
467 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
468
469 if (IsStruct)
470 {
472 }
473 else
474 {
476 }
477
478 return;
479 }
480
481 //
482 // Create TempSplitTokens by copying elements from CommandTokens, excluding the first element
483 //
484 std::vector<CommandToken> TempSplitTokens(CommandTokens.begin() + 1, CommandTokens.end());
485
486 //
487 // If the size is zero, then it's only a type name
488 //
489 if (TempSplitTokens.size() == 1)
490 {
491 //
492 // Call the dt parser wrapper, it's only a structure (type) name
493 // Call it with default configuration
494 //
496 NULL,
497 IsStruct,
498 NULL,
499 TargetPid,
500 IsPhysicalAddress,
502 }
503 else
504 {
505 //
506 // When we're here, it means we have size() >= 2, so we have to check
507 // the first and the second method to see which one is the type and
508 // which one is the symbol
509 //
510
511 //
512 // Check if the first parameter is an address or valid expression
513 //
514 if (IsStruct || !SymbolConvertNameOrExprToAddress(GetCaseSensitiveStringFromCommandToken(TempSplitTokens.at(0)).c_str(),
515 &TargetAddress))
516 {
517 //
518 // No it's not, we'll get the first argument as the structure (type) name
519 // And we have to check whether the second argument is a buffer address or not
520 //
521 if (IsStruct || !SymbolConvertNameOrExprToAddress(GetCaseSensitiveStringFromCommandToken(TempSplitTokens.at(1)).c_str(),
522 &TargetAddress))
523 {
524 //
525 // The second argument is also not buffer address
526 // probably the user entered a structure (type) name along with some params
527 //
528 TempTypeNameHolder = TempSplitTokens.at(0);
529
530 //
531 // Remove the first argument
532 //
533 TempSplitTokens.erase(TempSplitTokens.begin());
534
535 //
536 // Convert to pdbex args
537 //
538 if (!CommandDtAndStructConvertHyperDbgArgsToPdbex(TempSplitTokens, PdbexArgs, &TargetPid))
539 {
540 if (IsStruct)
541 {
543 }
544 else
545 {
547 }
548
549 return;
550 }
551
552 //
553 // Call the wrapper of pdbex
554 //
556 TargetAddress,
557 IsStruct,
558 BufferAddressRetrievedFromDebuggee,
559 TargetPid,
560 IsPhysicalAddress,
561 PdbexArgs.c_str());
562 }
563 else
564 {
565 //
566 // The second argument is a buffer address
567 // The user entered a structure (type) name along with buffer address
568 //
569 if (TempSplitTokens.size() == 2)
570 {
571 //
572 // There is not parameters, only a symbol name and then a buffer address
573 // Call it with default configuration
574 //
576 TargetAddress,
577 IsStruct,
578 BufferAddressRetrievedFromDebuggee,
579 TargetPid,
580 IsPhysicalAddress,
582 }
583 else
584 {
585 //
586 // Other than the first argument which is a structure (type) name, and
587 // the second argument which is buffer address, there are other parameters, so
588 // we WON'T call it with default parameters
589 //
590 TempTypeNameHolder = TempSplitTokens.at(0);
591
592 //
593 // Remove the first, and the second arguments
594 //
595 TempSplitTokens.erase(TempSplitTokens.begin());
596 TempSplitTokens.erase(TempSplitTokens.begin());
597
598 //
599 // Convert to pdbex args
600 //
601 if (!CommandDtAndStructConvertHyperDbgArgsToPdbex(TempSplitTokens, PdbexArgs, &TargetPid))
602 {
603 if (IsStruct)
604 {
606 }
607 else
608 {
610 }
611
612 return;
613 }
614
615 //
616 // Call the wrapper of pdbex
617 //
619 TargetAddress,
620 IsStruct,
621 BufferAddressRetrievedFromDebuggee,
622 TargetPid,
623 IsPhysicalAddress,
624 PdbexArgs.c_str());
625 }
626 }
627 }
628 else
629 {
630 //
631 // The first argument is a buffer address, so we get the first argument as
632 // a buffer address and the second argument as the structure (type) name
633 //
634 if (TempSplitTokens.size() == 2)
635 {
636 //
637 // There is not parameters, only a buffer address and then a symbol name
638 // Call it with default configuration
639 //
641 TargetAddress,
642 IsStruct,
643 BufferAddressRetrievedFromDebuggee,
644 TargetPid,
645 IsPhysicalAddress,
647 }
648 else
649 {
650 //
651 // Other than the first argument which is a buffer address, and the second
652 // argument which is structure (type) name, there are other parameters, so
653 // we WON'T call it with default parameters
654 //
655 TempTypeNameHolder = TempSplitTokens.at(1);
656
657 //
658 // Remove the first, and the second arguments
659 //
660 TempSplitTokens.erase(TempSplitTokens.begin());
661 TempSplitTokens.erase(TempSplitTokens.begin());
662
663 //
664 // Convert to pdbex args
665 //
666 if (!CommandDtAndStructConvertHyperDbgArgsToPdbex(TempSplitTokens, PdbexArgs, &TargetPid))
667 {
668 if (IsStruct)
669 {
671 }
672 else
673 {
675 }
676
677 return;
678 }
679
680 //
681 // Call the wrapper of pdbex
682 //
684 TargetAddress,
685 IsStruct,
686 BufferAddressRetrievedFromDebuggee,
687 TargetPid,
688 IsPhysicalAddress,
689 PdbexArgs.c_str());
690 }
691 }
692 }
693}
UCHAR BOOLEAN
Definition BasicTypes.h:35
void * PVOID
Definition BasicTypes.h:56
#define TRUE
Definition BasicTypes.h:114
#define FALSE
Definition BasicTypes.h:113
unsigned int UINT32
Definition BasicTypes.h:54
std::tuple< CommandParsingTokenType, std::string, std::string > CommandToken
Command's parsing type.
Definition commands.h:177
std::string GetCaseSensitiveStringFromCommandToken(CommandToken TargetToken)
Get case sensitive string from command token.
Definition common.cpp:467
BOOLEAN CompareLowerCaseStrings(CommandToken TargetToken, const CHAR *StringToCompare)
Compare lower case strings.
Definition common.cpp:503
VOID CommandStructHelp()
help of the struct command
Definition dt-struct.cpp:63
BOOLEAN CommandDtAndStructConvertHyperDbgArgsToPdbex(vector< CommandToken > ExtraArgs, std::string &PdbexArgs, UINT32 *ProcessId)
Convert HyperDbg arguments for dt and struct commands to pdbex arguments.
Definition dt-struct.cpp:93
VOID CommandDtHelp()
help of the dt command
Definition dt-struct.cpp:26
BOOLEAN CommandDtShowDataBasedOnSymbolTypes(const CHAR *TypeName, UINT64 Address, BOOLEAN IsStruct, PVOID BufferAddress, UINT32 TargetPid, BOOLEAN IsPhysicalAddress, const CHAR *AdditionalParameters)
Show data based on the symbol structure and data types.
Definition dt-struct.cpp:316
NULL()
Definition test-case-generator.py:530
BOOLEAN SymbolConvertNameOrExprToAddress(const string &TextToConvert, PUINT64 Result)
check and convert string to a 64 bit unsigned integer and also check for symbol object names and eval...
Definition symbol.cpp:359
#define PDBEX_DEFAULT_CONFIGURATION
Definition symbol.h:33

◆ CommandDtAndStructConvertHyperDbgArgsToPdbex()

BOOLEAN CommandDtAndStructConvertHyperDbgArgsToPdbex ( vector< CommandToken > ExtraArgs,
std::string & PdbexArgs,
UINT32 * ProcessId )

Convert HyperDbg arguments for dt and struct commands to pdbex arguments.

This is because we don't wanna modify the internal structure of pdbex so let's pdbex parse its standard commands

Parameters
ExtraArgs
PdbexArgs
ProcessId
Returns
BOOLEAN
96{
97 UINT32 TargetProcessId = NULL;
98 BOOLEAN NextItemIsYesNo = FALSE;
99 BOOLEAN NextItemIsString = FALSE;
100 BOOLEAN NextItemIsInline = FALSE;
101 BOOLEAN NextItemIsFileName = FALSE;
102 BOOLEAN NextItemIsProcessId = FALSE;
103
104 //
105 // Clear the args
106 //
107 PdbexArgs = "";
108
109 //
110 // Traverse through the extra arguments
111 //
112 for (auto Item : ExtraArgs)
113 {
114 //
115 // Check for output file name
116 //
117 if (NextItemIsFileName)
118 {
119 PdbexArgs += "\"" + GetCaseSensitiveStringFromCommandToken(Item) + "\" ";
120
121 NextItemIsFileName = FALSE;
122 continue;
123 }
124
125 //
126 // Check for process id
127 //
128 if (NextItemIsProcessId)
129 {
130 if (!ConvertTokenToUInt32(Item, &TargetProcessId))
131 {
132 ShowMessages("err, you should enter a valid process id\n\n");
133 return FALSE;
134 }
135
136 NextItemIsProcessId = FALSE;
137 continue;
138 }
139
140 //
141 // Check if we expect yes/no answers
142 //
143 if (NextItemIsYesNo)
144 {
145 if (CompareLowerCaseStrings(Item, "yes"))
146 {
147 PdbexArgs += " ";
148 }
149 else if (CompareLowerCaseStrings(Item, "no"))
150 {
151 PdbexArgs += "- ";
152 }
153 else
154 {
155 //
156 // Yes/no expected but didn't see it
157 //
158 ShowMessages("err, please insert 'yes' or 'no' as the argument\n\n");
159 return FALSE;
160 }
161
162 NextItemIsYesNo = FALSE;
163 continue;
164 }
165
166 //
167 // Check if we expect inline param answers
168 //
169 if (NextItemIsInline)
170 {
171 if (CompareLowerCaseStrings(Item, "none"))
172 {
173 PdbexArgs += "n ";
174 }
175 else if (CompareLowerCaseStrings(Item, "all"))
176 {
177 PdbexArgs += "a ";
178 }
179 else if (CompareLowerCaseStrings(Item, "unnamed") || CompareLowerCaseStrings(Item, "unamed"))
180 {
181 PdbexArgs += "i ";
182 }
183 else
184 {
185 //
186 // none/unnamed/all expected but didn't see it
187 //
188 ShowMessages("err, please insert 'none', 'unnamed', or 'all' as the argument\n\n");
189 return FALSE;
190 }
191
192 NextItemIsInline = FALSE;
193 continue;
194 }
195
196 //
197 // Check if we expect string answers
198 //
199 if (NextItemIsString)
200 {
201 PdbexArgs += GetCaseSensitiveStringFromCommandToken(Item) + " ";
202
203 NextItemIsString = FALSE;
204 continue;
205 }
206
207 //
208 // Check for args
209 //
210 if (CompareLowerCaseStrings(Item, "pid"))
211 {
212 NextItemIsProcessId = TRUE;
213 }
214 else if (CompareLowerCaseStrings(Item, "output"))
215 {
216 NextItemIsFileName = TRUE;
217 PdbexArgs += "-o ";
218 }
219 else if (CompareLowerCaseStrings(Item, "inline"))
220 {
221 NextItemIsInline = TRUE;
222 PdbexArgs += "-e ";
223 }
224 else if (CompareLowerCaseStrings(Item, "prefix"))
225 {
226 NextItemIsString = TRUE;
227 PdbexArgs += "-r ";
228 }
229 else if (CompareLowerCaseStrings(Item, "suffix"))
230 {
231 NextItemIsString = TRUE;
232 PdbexArgs += "-g ";
233 }
234 else if (CompareLowerCaseStrings(Item, "padding"))
235 {
236 NextItemIsYesNo = TRUE;
237 PdbexArgs += "-p";
238 }
239 else if (CompareLowerCaseStrings(Item, "offset") || CompareLowerCaseStrings(Item, "offsets"))
240 {
241 NextItemIsYesNo = TRUE;
242 PdbexArgs += "-x";
243 }
244 else if (CompareLowerCaseStrings(Item, "bitfield") || CompareLowerCaseStrings(Item, "bitfields"))
245 {
246 NextItemIsYesNo = TRUE;
247 PdbexArgs += "-b";
248 }
249 else if (CompareLowerCaseStrings(Item, "native"))
250 {
251 NextItemIsYesNo = TRUE;
252 PdbexArgs += "-i";
253 }
254 else if (CompareLowerCaseStrings(Item, "decl"))
255 {
256 NextItemIsYesNo = TRUE;
257 PdbexArgs += "-n";
258 }
259 else if (CompareLowerCaseStrings(Item, "def"))
260 {
261 NextItemIsYesNo = TRUE;
262 PdbexArgs += "-l";
263 }
264 else if (CompareLowerCaseStrings(Item, "func"))
265 {
266 NextItemIsYesNo = TRUE;
267 PdbexArgs += "-f";
268 }
269 else if (CompareLowerCaseStrings(Item, "pragma"))
270 {
271 NextItemIsYesNo = TRUE;
272 PdbexArgs += "-z";
273 }
274 else
275 {
276 //
277 // Unknown args
278 //
279 ShowMessages("err, unknown argument at '%s'\n\n",
281 return FALSE;
282 }
283 }
284
285 //
286 // Check if user entered yes/no or string when expected or not
287 //
288 if (NextItemIsYesNo || NextItemIsString || NextItemIsInline || NextItemIsFileName || NextItemIsProcessId)
289 {
290 ShowMessages("err, incomplete argument\n\n");
291 return FALSE;
292 }
293
294 //
295 // Set the process id
296 //
297 *ProcessId = TargetProcessId;
298
299 return TRUE;
300}
BOOLEAN ConvertTokenToUInt32(CommandToken TargetToken, PUINT32 Result)
check and convert command token to a 32 bit unsigned integer
Definition common.cpp:546

◆ CommandDtHelp()

VOID CommandDtHelp ( )

help of the dt command

Returns
VOID
27{
28 ShowMessages("dt !dt : displays information about a local variable, global "
29 "variable or data type.\n\n");
30
31 ShowMessages("If you want to read physical memory then add '!' at the "
32 "start of the command\n\n");
33
34 ShowMessages("syntax : \tdt [Module!SymbolName (string)] [AddressExpression (string)] "
35 "[pid ProcessId (hex)] [padding Padding (yesno)] [offset Offset (yesno)] "
36 "[bitfield Bitfield (yesno)] [native Native (yesno)] [decl Declaration (yesno)] "
37 "[def Definitions (yesno)] [func Functions (yesno)] [pragma Pragma (yesno)] "
38 "[prefix Prefix (string)] [suffix Suffix (string)] [inline Expansion (string)] "
39 "[output FileName (string)]\n\n");
40 ShowMessages("syntax : \t!dt [Module!SymbolName (string)] [AddressExpression (string)] "
41 "[padding Padding (yesno)] [offset Offset (yesno)] [bitfield Bitfield (yesno)] "
42 "[native Native (yesno)] [decl Declaration (yesno)] [def Definitions (yesno)] "
43 "[func Functions (yesno)] [pragma Pragma (yesno)] [prefix Prefix (string)] "
44 "[suffix Suffix (string)] [inline Expansion (string)] [output FileName (string)]\n");
45
46 ShowMessages("\n");
47 ShowMessages("\t\te.g : dt nt!_EPROCESS\n");
48 ShowMessages("\t\te.g : dt nt!_EPROCESS fffff8077356f010\n");
49 ShowMessages("\t\te.g : dt nt!_EPROCESS $proc\n");
50 ShowMessages("\t\te.g : dt nt!_KPROCESS @rax+@rbx+c0\n");
51 ShowMessages("\t\te.g : !dt nt!_EPROCESS 1f0300\n");
52 ShowMessages("\t\te.g : dt MyModule!_MY_STRUCT 7ff00040 pid 1420\n");
53 ShowMessages("\t\te.g : dt nt!_EPROCESS $proc inline all\n");
54 ShowMessages("\t\te.g : dt nt!_EPROCESS fffff8077356f010 inline no\n");
55}

◆ CommandDtShowDataBasedOnSymbolTypes()

BOOLEAN CommandDtShowDataBasedOnSymbolTypes ( const CHAR * TypeName,
UINT64 Address,
BOOLEAN IsStruct,
PVOID BufferAddress,
UINT32 TargetPid,
BOOLEAN IsPhysicalAddress,
const CHAR * AdditionalParameters )

Show data based on the symbol structure and data types.

Parameters
TypeName
Address
IsStruct
BufferAddress
TargetPid
IsPhysicalAddress
AdditionalParameters
Returns
BOOLEAN
324{
325 UINT64 StructureSize = 0;
326 BOOLEAN ResultOfFindingSize = FALSE;
327 DEBUGGER_DT_COMMAND_OPTIONS DtOptions = {0};
328
329 //
330 // Check for pid
331 //
332
333 if (g_IsSerialConnectedToRemoteDebuggee && TargetPid != 0)
334 {
335 //
336 // Check to prevent using process id in dt command
337 //
339 return FALSE;
340 }
341 else if (TargetPid == NULL)
342 {
343 //
344 // By default if the user-debugger is active, we use these commands
345 // on the memory layout of the debuggee process
346 //
348 {
349 TargetPid = g_ActiveProcessDebuggingState.ProcessId;
350 }
351 else
352 {
353 //
354 // Use the current process for the pid
355 //
356 TargetPid = PlatformGetCurrentProcessId();
357 }
358 }
359
360 //
361 // Set the options
362 //
363 DtOptions.TypeName = TypeName;
364 DtOptions.Address = Address;
365 DtOptions.IsStruct = IsStruct;
366 DtOptions.BufferAddress = NULL; // we didn't read it yet
367 DtOptions.TargetPid = TargetPid;
368 DtOptions.AdditionalParameters = AdditionalParameters;
369
370 if (Address != NULL)
371 {
372 //
373 // *** We need to read the memory here ***
374 //
375
376 //
377 // Get the field size
378 //
379 ResultOfFindingSize = ScriptEngineGetDataTypeSizeWrapper((char *)TypeName, &StructureSize);
380
381 //
382 // Check if size is found
383 //
384 if (!ResultOfFindingSize || StructureSize == 0)
385 {
386 //
387 // Field not found or size is invalid
388 //
389 ShowMessages("err, couldn't resolve error at '%s'\n", TypeName);
390 return FALSE;
391 }
392
393 //
394 // Set the type (structure) size
395 //
396 DtOptions.SizeOfTypeName = StructureSize;
397
398 //
399 // Read the memory
400 //
402 Address,
405 TargetPid,
406 (UINT32)StructureSize,
407 &DtOptions);
408
409 return TRUE;
410 }
411 else
412 {
413 //
414 // It's a simple structure without an address
415 // Call the pdbex wrapper
416 //
417 return ScriptEngineShowDataBasedOnSymbolTypesWrapper(TypeName, Address, IsStruct, BufferAddress, AdditionalParameters);
418 }
419}
BOOLEAN g_IsSerialConnectedToRemoteDebuggee
Shows if the debugger was connected to remote debuggee over (A remote guest).
Definition globals.h:253
ACTIVE_DEBUGGING_PROCESS g_ActiveProcessDebuggingState
State of active debugging thread.
Definition globals.h:372
struct _DEBUGGER_DT_COMMAND_OPTIONS DEBUGGER_DT_COMMAND_OPTIONS
requests options for dt and struct command
@ READ_FROM_KERNEL
Definition RequestStructures.h:245
@ DEBUGGER_SHOW_COMMAND_DT
Definition RequestStructures.h:277
@ DEBUGGER_READ_PHYSICAL_ADDRESS
Definition RequestStructures.h:255
@ DEBUGGER_READ_VIRTUAL_ADDRESS
Definition RequestStructures.h:256
#define ASSERT_MESSAGE_CANNOT_SPECIFY_PID
Definition common.h:39
UINT32 PlatformGetCurrentProcessId(VOID)
Platform independent wrapper for GetCurrentProcessId / getpid.
Definition platform-lib-calls.c:185
VOID HyperDbgShowMemoryOrDisassemble(DEBUGGER_SHOW_MEMORY_STYLE Style, UINT64 Address, DEBUGGER_READ_MEMORY_TYPE MemoryType, DEBUGGER_READ_READING_TYPE ReadingType, UINT32 Pid, UINT32 Size, PDEBUGGER_DT_COMMAND_OPTIONS DtDetails)
Show memory or disassembler.
Definition readmem.cpp:193
BOOLEAN ScriptEngineShowDataBasedOnSymbolTypesWrapper(const CHAR *TypeName, UINT64 Address, BOOLEAN IsStruct, PVOID BufferAddress, const CHAR *AdditionalParameters)
ScriptEngineShowDataBasedOnSymbolTypes wrapper.
Definition script-engine-wrapper.cpp:213
BOOLEAN ScriptEngineGetDataTypeSizeWrapper(CHAR *TypeName, UINT64 *TypeSize)
ScriptEngineGetDataTypeSize wrapper.
Definition script-engine-wrapper.cpp:147
UINT64 Address
Definition RequestStructures.h:167
PVOID BufferAddress
Definition RequestStructures.h:169
const CHAR * TypeName
Definition RequestStructures.h:165
BOOLEAN IsStruct
Definition RequestStructures.h:168
UINT32 TargetPid
Definition RequestStructures.h:170
UINT64 SizeOfTypeName
Definition RequestStructures.h:166
const CHAR * AdditionalParameters
Definition RequestStructures.h:171

◆ CommandStructHelp()

VOID CommandStructHelp ( )

help of the struct command

Returns
VOID
64{
65 ShowMessages("struct : displays a data type, enum, or structure derived from PDB symbols.\n\n");
66
67 ShowMessages("syntax : struct [Module!SymbolName (string)] [offset Offset (yesno)] [bitfield Bitfield (yesno)] "
68 "[native Native (yesno)] [decl Declaration (yesno)] [def Definitions (yesno)] "
69 "[func Functions (yesno)] [pragma Pragma (yesno)] [prefix Prefix (string)] "
70 "[suffix Suffix (string)] [inline Expantion (string)] [output FileName (string)]\n");
71
72 ShowMessages("\n");
73 ShowMessages("\t\te.g : struct nt!_EPROCESS\n");
74 ShowMessages("\t\te.g : struct nt!*\n");
75 ShowMessages("\t\te.g : struct nt!* output ntheader.h\n");
76 ShowMessages("\t\te.g : struct nt!* func yes output ntheader.h\n");
77 ShowMessages("\t\te.g : struct nt!* func yes output ntheader.h\n");
78 ShowMessages("\t\te.g : struct nt!* func yes output \"c:\\users\\sina\\desktop\\nt header.h\"\n");
79}

Variable Documentation

◆ g_ActiveProcessDebuggingState

ACTIVE_DEBUGGING_PROCESS g_ActiveProcessDebuggingState
extern

State of active debugging thread.

372{0};

◆ g_IsSerialConnectedToRemoteDebuggee

BOOLEAN g_IsSerialConnectedToRemoteDebuggee
extern

Shows if the debugger was connected to remote debuggee over (A remote guest).