HyperDbg Debugger
Loading...
Searching...
No Matches
Functions | Variables
dump.cpp File Reference
#include "pch.h"

Functions

VOID CommandDumpHelp ()
 help of the .dump command
 
VOID CommandDump (vector< string > SplitCommand, string Command)
 .dump command handler
 
VOID CommandDumpSaveIntoFile (PVOID Buffer, UINT32 Length)
 Saves the received buffers into the files.
 

Variables

BOOLEAN g_IsSerialConnectedToRemoteDebuggee
 Shows if the debugger was connected to remote debuggee over (A remote guest)
 
ACTIVE_DEBUGGING_PROCESS g_ActiveProcessDebuggingState
 State of active debugging thread.
 
HANDLE DumpFileHandle
 Holds the handle of the dump file.
 

Function Documentation

◆ CommandDump()

VOID CommandDump ( vector< string > SplitCommand,
string Command )

.dump command handler

Parameters
SplitCommand
Command
Returns
VOID
63{
64 wstring Filepath;
65 UINT32 ActualLength;
66 UINT32 Iterator;
67 UINT32 Pid = 0;
68 UINT32 Length = 0;
69 UINT64 StartAddress = 0;
70 UINT64 EndAddress = 0;
71 BOOLEAN IsFirstCommand = TRUE;
72 BOOLEAN NextIsProcId = FALSE;
73 BOOLEAN NextIsPath = FALSE;
74 BOOLEAN IsTheFirstAddr = FALSE;
75 BOOLEAN IsTheSecondAddr = FALSE;
76 BOOLEAN IsDumpPathSpecified = FALSE;
77 string FirstCommand = SplitCommand.front();
78 DEBUGGER_READ_MEMORY_TYPE MemoryType = DEBUGGER_READ_VIRTUAL_ADDRESS;
79
80 if (SplitCommand.size() <= 4)
81 {
82 ShowMessages("err, incorrect use of the '.dump' command\n\n");
83 CommandDumpHelp();
84 return;
85 }
86
87 //
88 // By default if the user-debugger is active, we use these commands
89 // on the memory layout of the debuggee process
90 //
91 if (g_ActiveProcessDebuggingState.IsActive)
92 {
93 Pid = g_ActiveProcessDebuggingState.ProcessId;
94 }
95
96 for (auto Section : SplitCommand)
97 {
98 if (IsFirstCommand == TRUE)
99 {
100 IsFirstCommand = FALSE;
101 continue;
102 }
103 else if (NextIsProcId)
104 {
105 if (!ConvertStringToUInt32(Section, &Pid))
106 {
107 ShowMessages("please specify a correct hex value for process id\n\n");
108 CommandDumpHelp();
109 return;
110 }
111 NextIsProcId = FALSE;
112 continue;
113 }
114 else if (NextIsPath)
115 {
116 //
117 // Convert path to wstring
118 //
119 StringToWString(Filepath, Section);
120 IsDumpPathSpecified = TRUE;
121
122 NextIsPath = FALSE;
123 }
124 else if (!Section.compare("pid"))
125 {
126 NextIsProcId = TRUE;
127 continue;
128 }
129 else if (!Section.compare("path"))
130 {
131 NextIsPath = TRUE;
132 continue;
133 }
134 //
135 // Check the 'From' address
136 //
137 else if (!IsTheFirstAddr && SymbolConvertNameOrExprToAddress(Section, &StartAddress))
138 {
139 IsTheFirstAddr = TRUE;
140 }
141 //
142 // Check the 'To' address
143 //
144 else if (!IsTheSecondAddr && SymbolConvertNameOrExprToAddress(Section, &EndAddress))
145 {
146 IsTheSecondAddr = TRUE;
147 }
148 else
149 {
150 //
151 // invalid input
152 //
153 ShowMessages("err, couldn't resolve error at '%s'\n\n",
154 Section.c_str());
155 CommandDumpHelp();
156
157 return;
158 }
159 }
160
161 //
162 // Check if 'pid' is not specified
163 //
164 if (NextIsProcId)
165 {
166 ShowMessages("please specify a correct hex value for process id\n\n");
167 CommandDumpHelp();
168 return;
169 }
170
171 //
172 // Check if 'path' is either specified, not completely specified
173 //
174 if (NextIsPath || !IsDumpPathSpecified)
175 {
176 ShowMessages("please specify a correct path for saving the dump\n\n");
177 CommandDumpHelp();
178 return;
179 }
180
181 //
182 // Check if start address or end address is null
183 //
184 if (!IsTheFirstAddr || !IsTheSecondAddr)
185 {
186 ShowMessages("err, please specify the start and end address in hex format\n");
187 return;
188 }
189
190 //
191 // Check if end address is bigger than start address
192 //
193 if (StartAddress >= EndAddress)
194 {
195 ShowMessages("err, please note that the 'to' address should be greater than the 'from' address\n");
196 return;
197 }
198
199 //
200 // Check to prevent using process id in d* and u* commands
201 //
202 if (g_IsSerialConnectedToRemoteDebuggee && Pid != 0)
203 {
204 ShowMessages(ASSERT_MESSAGE_CANNOT_SPECIFY_PID);
205 return;
206 }
207
208 if (Pid == 0)
209 {
210 //
211 // Default process we read from current process
212 //
213 Pid = GetCurrentProcessId();
214 }
215
216 //
217 // Check whether it's physical or virtual address
218 //
219 if (!FirstCommand.compare("!dump"))
220 {
221 MemoryType = DEBUGGER_READ_PHYSICAL_ADDRESS;
222 }
223
224 //
225 // Create or open the file for writing the dump file
226 //
227 DumpFileHandle = CreateFileW(
228 Filepath.c_str(),
229 GENERIC_WRITE,
230 0,
231 NULL,
232 CREATE_ALWAYS,
233 FILE_ATTRIBUTE_NORMAL,
234 NULL);
235
236 if (DumpFileHandle == INVALID_HANDLE_VALUE)
237 {
238 ShowMessages("err, unable to create or open the file\n");
239 return;
240 }
241
242 //
243 // Compute the length
244 //
245 Length = (UINT32)(EndAddress - StartAddress);
246
247 ActualLength = NULL;
248 Iterator = Length / PAGE_SIZE;
249
250 for (size_t i = 0; i <= Iterator; i++)
251 {
252 UINT64 Address = StartAddress + (i * PAGE_SIZE);
253
254 if (Length >= PAGE_SIZE)
255 {
256 ActualLength = PAGE_SIZE;
257 }
258 else
259 {
260 ActualLength = Length;
261 }
262
263 Length -= ActualLength;
264
265 if (ActualLength != 0)
266 {
267 // ShowMessages("address: 0x%llx | actual length: 0x%llx\n", Address, ActualLength);
268
269 HyperDbgShowMemoryOrDisassemble(
270 DEBUGGER_SHOW_COMMAND_DUMP,
271 Address,
272 MemoryType,
273 READ_FROM_KERNEL,
274 Pid,
275 ActualLength,
276 NULL);
277 }
278 }
279
280 //
281 // Close the file handle if it's not already closed
282 //
283 if (DumpFileHandle != NULL)
284 {
285 CloseHandle(DumpFileHandle);
286 DumpFileHandle = NULL;
287 }
288
289 ShowMessages("the dump file is saved at: %ls\n", Filepath.c_str());
290}
BOOLEAN
UCHAR BOOLEAN
Definition BasicTypes.h:39
TRUE
#define TRUE
Definition BasicTypes.h:55
FALSE
#define FALSE
Definition BasicTypes.h:54
UINT64
unsigned __int64 UINT64
Definition BasicTypes.h:21
UINT32
unsigned int UINT32
Definition BasicTypes.h:48
Address
UINT64 Address
Definition HyperDbgScriptImports.h:67
READ_FROM_KERNEL
@ READ_FROM_KERNEL
Definition RequestStructures.h:219
DEBUGGER_READ_MEMORY_TYPE
enum _DEBUGGER_READ_MEMORY_TYPE DEBUGGER_READ_MEMORY_TYPE
different type of addresses
DEBUGGER_SHOW_COMMAND_DUMP
@ DEBUGGER_SHOW_COMMAND_DUMP
Definition RequestStructures.h:258
DEBUGGER_READ_PHYSICAL_ADDRESS
@ DEBUGGER_READ_PHYSICAL_ADDRESS
Definition RequestStructures.h:229
DEBUGGER_READ_VIRTUAL_ADDRESS
@ DEBUGGER_READ_VIRTUAL_ADDRESS
Definition RequestStructures.h:230
StringToWString
VOID StringToWString(std::wstring &ws, const std::string &s)
convert std::string to std::wstring
Definition common.cpp:729
ConvertStringToUInt32
BOOLEAN ConvertStringToUInt32(string TextToConvert, PUINT32 Result)
check and convert string to a 32 bit unsigned it and also check for special notations like 0x etc.
Definition common.cpp:347
CommandDumpHelp
VOID CommandDumpHelp()
help of the .dump command
Definition dump.cpp:36
g_IsSerialConnectedToRemoteDebuggee
BOOLEAN g_IsSerialConnectedToRemoteDebuggee
Shows if the debugger was connected to remote debuggee over (A remote guest)
Definition globals.h:231
g_ActiveProcessDebuggingState
ACTIVE_DEBUGGING_PROCESS g_ActiveProcessDebuggingState
State of active debugging thread.
Definition globals.h:362
DumpFileHandle
HANDLE DumpFileHandle
Holds the handle of the dump file.
Definition dump.cpp:28
ASSERT_MESSAGE_CANNOT_SPECIFY_PID
#define ASSERT_MESSAGE_CANNOT_SPECIFY_PID
Definition common.h:31
PAGE_SIZE
#define PAGE_SIZE
Size of each page (4096 bytes)
Definition common.h:69
ShowMessages
VOID ShowMessages(const char *Fmt,...)
Show messages.
Definition libhyperdbg.cpp:96
test-case-generator.NULL
NULL()
Definition test-case-generator.py:530
HyperDbgShowMemoryOrDisassemble
VOID HyperDbgShowMemoryOrDisassemble(DEBUGGER_SHOW_MEMORY_STYLE Style, UINT64 Address, DEBUGGER_READ_MEMORY_TYPE MemoryType, DEBUGGER_READ_READING_TYPE ReadingType, UINT32 Pid, UINT32 Size, PDEBUGGER_DT_COMMAND_OPTIONS DtDetails)
Show memory or disassembler.
Definition readmem.cpp:193
_ACTIVE_DEBUGGING_PROCESS::ProcessId
UINT32 ProcessId
Definition ud.h:51
_ACTIVE_DEBUGGING_PROCESS::IsActive
BOOLEAN IsActive
Definition ud.h:49
SymbolConvertNameOrExprToAddress
BOOLEAN SymbolConvertNameOrExprToAddress(const string &TextToConvert, PUINT64 Result)
check and convert string to a 64 bit unsigned integer and also check for symbol object names and eval...
Definition symbol.cpp:360

◆ CommandDumpHelp()

VOID CommandDumpHelp ( )

help of the .dump command

Returns
VOID
37{
38 ShowMessages(".dump & !dump : saves memory context into a file.\n\n");
39
40 ShowMessages("syntax : \t.dump [FromAddress (hex)] [ToAddress (hex)] [pid ProcessId (hex)] [path Path (string)]\n");
41 ShowMessages("\nIf you want to dump physical memory then add '!' at the "
42 "start of the command\n\n");
43
44 ShowMessages("\n");
45 ShowMessages("\t\te.g : .dump 401000 40b000 path c:\\rev\\dump1.dmp\n");
46 ShowMessages("\t\te.g : .dump 401000 40b000 pid 1c0 path c:\\rev\\desktop\\dump2.dmp\n");
47 ShowMessages("\t\te.g : .dump fffff801deadb000 fffff801deade054 path c:\\rev\\dump3.dmp\n");
48 ShowMessages("\t\te.g : .dump fffff801deadb000 fffff801deade054 path c:\\rev\\dump4.dmp\n");
49 ShowMessages("\t\te.g : .dump 00007ff8349f2000 00007ff8349f8000 path c:\\rev\\dump5.dmp\n");
50 ShowMessages("\t\te.g : .dump @rax+@rcx @rax+@rcx+1000 path c:\\rev\\dump6.dmp\n");
51 ShowMessages("\t\te.g : !dump 1000 2100 path c:\\rev\\dump7.dmp\n");
52}

◆ CommandDumpSaveIntoFile()

VOID CommandDumpSaveIntoFile ( PVOID Buffer,
UINT32 Length )

Saves the received buffers into the files.

Parameters
Buffer
Length
Returns
VOID
302{
303 DWORD BytesWritten;
304
305 //
306 // Check if handle is valid
307 //
308 if (DumpFileHandle == NULL)
309 {
310 ShowMessages("err, invalid handle for saving the dump buffer is specified\n");
311 return;
312 }
313
314 //
315 // Write the buffer into the dump file
316 //
317 if (!WriteFile(DumpFileHandle, Buffer, Length, &BytesWritten, NULL))
318 {
319 ShowMessages("err, unable to write buffer into the dump\n");
320
321 CloseHandle(DumpFileHandle);
322 DumpFileHandle = NULL;
323
324 return;
325 }
326}
DWORD
unsigned long DWORD
Definition BasicTypes.h:22

Variable Documentation

◆ DumpFileHandle

HANDLE DumpFileHandle

Holds the handle of the dump file.

◆ g_ActiveProcessDebuggingState

ACTIVE_DEBUGGING_PROCESS g_ActiveProcessDebuggingState
extern

State of active debugging thread.

362{0};

◆ g_IsSerialConnectedToRemoteDebuggee

BOOLEAN g_IsSerialConnectedToRemoteDebuggee
extern

Shows if the debugger was connected to remote debuggee over (A remote guest)