epthook2.cpp File Reference

!epthook2 command More...

#include "pch.h"

Functions

VOID CommandEptHook2Help ()
 help of the !epthook2 command
 
VOID CommandEptHook2 (vector< string > SplitCommand, string Command)
 !epthook2 command handler
 

Detailed Description

!epthook2 command

Author
Sina Karvandi (sina@hyperdbg.org)
Version
0.1
Date
2020-05-27

Function Documentation

◆ CommandEptHook2()

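/**
 * @brief !epthook2 command handler
 *
 * @details Parses the general event/action fields shared by all event
 * commands, then the single command-specific token (the target address or
 * symbol), and finally sends the event plus its actions to the kernel.
 * Every failure path frees the buffers that the parser allocated.
 *
 * @param SplitCommand the command tokens as prepared by the command
 * dispatcher (used for keyword matching)
 * @param Command the raw command line; it is split again here so that the
 * address/symbol token keeps the user's original casing
 *
 * @return VOID
 */
VOID
CommandEptHook2(vector<string> SplitCommand, string Command)
{
    PDEBUGGER_GENERAL_EVENT_DETAIL     Event                       = NULL;
    PDEBUGGER_GENERAL_ACTION           ActionBreakToDebugger       = NULL;
    PDEBUGGER_GENERAL_ACTION           ActionCustomCode            = NULL;
    PDEBUGGER_GENERAL_ACTION           ActionScript                = NULL;
    UINT32                             EventLength                 = 0; // filled by the parser on success
    UINT32                             ActionBreakToDebuggerLength = 0;
    UINT32                             ActionCustomCodeLength      = 0;
    UINT32                             ActionScriptLength          = 0;
    BOOLEAN                            GetAddress                  = FALSE;
    UINT64                             OptionalParam1              = 0; // Set the target address
    vector<string>                     SplitCommandCaseSensitive {Split(Command, ' ')};
    UINT32                             IndexInCommandCaseSensitive = 0;
    DEBUGGER_EVENT_PARSING_ERROR_CAUSE EventParsingErrorCause;

    //
    // The command name alone is not a valid invocation
    //
    if (SplitCommand.size() < 2)
    {
        ShowMessages("incorrect use of the '!epthook2'\n");
        CommandEptHook2Help();
        return;
    }

    //
    // Interpret and fill the general event and action fields
    // (on failure the parser reports the reason itself and nothing is
    // left allocated for us to free)
    //
    if (!InterpretGeneralEventAndActionsFields(
            &SplitCommand,
            &SplitCommandCaseSensitive,
            HIDDEN_HOOK_EXEC_DETOURS,
            &Event,
            &EventLength,
            &ActionBreakToDebugger,
            &ActionBreakToDebuggerLength,
            &ActionCustomCode,
            &ActionCustomCodeLength,
            &ActionScript,
            &ActionScriptLength,
            &EventParsingErrorCause))
    {
        return;
    }

    //
    // Check here to make sure that the user didn't specify the calling stages for this ept hook;
    // a detours-style hook only has a "pre" stage, so 'post'/'all' are rejected rather than ignored
    //
    if (Event->EventStage != VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION)
    {
        ShowMessages("the utilization of 'post' or 'all' event calling stages is not meaningful "
                     "for the hidden hook; therefore, this command does not support them\n");

        FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
        return;
    }

    //
    // Interpret command specific details (if any)
    //
    // The general parser has already consumed its own keywords, so the only
    // token expected to remain (besides the command name) is the address or
    // symbol expression. Anything else is an error.
    //
    for (const auto & Section : SplitCommand)
    {
        IndexInCommandCaseSensitive++;

        if (!Section.compare("!epthook2"))
        {
            continue;
        }
        else if (!GetAddress)
        {
            //
            // It's probably address
            //
            // The case-sensitive token at the same index is used because
            // symbol names are case-sensitive.
            // NOTE(review): this assumes both splits have the same token
            // count; .at() throws std::out_of_range otherwise — confirm the
            // dispatcher guarantees that.
            //
            if (!SymbolConvertNameOrExprToAddress(
                    SplitCommandCaseSensitive.at(IndexInCommandCaseSensitive - 1),
                    &OptionalParam1))
            {
                //
                // Couldn't resolve or unknown parameter
                //
                ShowMessages("err, couldn't resolve error at '%s'\n\n",
                             SplitCommandCaseSensitive.at(IndexInCommandCaseSensitive - 1).c_str());
                CommandEptHook2Help();

                FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
                return;
            }
            else
            {
                GetAddress = TRUE;
            }
        }
        else
        {
            //
            // Unknown parameter
            //
            ShowMessages("unknown parameter '%s'\n\n", Section.c_str());
            CommandEptHook2Help();

            FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
            return;
        }
    }

    //
    // A resolved address of zero is treated as "no address given"
    //
    if (OptionalParam1 == 0)
    {
        ShowMessages("please choose an address to put the hook on it\n");

        FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
        return;
    }

    //
    // Set the optional parameters
    //
    // NOTE(review): beyond the zero check above, the user-supplied address is
    // forwarded to the kernel as-is; presumably the driver validates that it
    // is a mapped, executable location before installing the hook — confirm.
    //
    Event->Options.OptionalParam1 = OptionalParam1;

    //
    // Send the ioctl to the kernel for event registration
    //
    if (!SendEventToKernel(Event, EventLength))
    {
        //
        // There was an error, probably the handle was not initialized
        // we have to free the Action before exit, it is because, we
        // already freed the Event and string buffers
        //

        FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
        return;
    }

    //
    // Add the event to the kernel
    //
    if (!RegisterActionToEvent(Event,
                               ActionBreakToDebugger,
                               ActionBreakToDebuggerLength,
                               ActionCustomCode,
                               ActionCustomCodeLength,
                               ActionScript,
                               ActionScriptLength))
    {
        //
        // There was an error
        //

        FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
        return;
    }
}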
UCHAR BOOLEAN
Definition BasicTypes.h:39
#define TRUE
Definition BasicTypes.h:55
#define FALSE
Definition BasicTypes.h:54
unsigned __int64 UINT64
Definition BasicTypes.h:21
unsigned int UINT32
Definition BasicTypes.h:48
@ VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION
Definition DataTypes.h:93
const vector< string > Split(const string &s, const char &c)
general split command
Definition common.cpp:117
VOID FreeEventsAndActionsMemory(PDEBUGGER_GENERAL_EVENT_DETAIL Event, PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger, PDEBUGGER_GENERAL_ACTION ActionCustomCode, PDEBUGGER_GENERAL_ACTION ActionScript)
Deallocate buffers relating to events and actions.
Definition debugger.cpp:2292
BOOLEAN InterpretGeneralEventAndActionsFields(vector< string > *SplitCommand, vector< string > *SplitCommandCaseSensitive, VMM_EVENT_TYPE_ENUM EventType, PDEBUGGER_GENERAL_EVENT_DETAIL *EventDetailsToFill, PUINT32 EventBufferLength, PDEBUGGER_GENERAL_ACTION *ActionDetailsToFillBreakToDebugger, PUINT32 ActionBufferLengthBreakToDebugger, PDEBUGGER_GENERAL_ACTION *ActionDetailsToFillCustomCode, PUINT32 ActionBufferLengthCustomCode, PDEBUGGER_GENERAL_ACTION *ActionDetailsToFillScript, PUINT32 ActionBufferLengthScript, PDEBUGGER_EVENT_PARSING_ERROR_CAUSE ReasonForErrorInParsing)
Interpret general event fields.
Definition debugger.cpp:2342
BOOLEAN SendEventToKernel(PDEBUGGER_GENERAL_EVENT_DETAIL Event, UINT32 EventBufferLength)
Register the event to the kernel.
Definition debugger.cpp:1969
BOOLEAN RegisterActionToEvent(PDEBUGGER_GENERAL_EVENT_DETAIL Event, PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger, UINT32 ActionBreakToDebuggerLength, PDEBUGGER_GENERAL_ACTION ActionCustomCode, UINT32 ActionCustomCodeLength, PDEBUGGER_GENERAL_ACTION ActionScript, UINT32 ActionScriptLength)
Register the action to the event.
Definition debugger.cpp:2086
VOID CommandEptHook2Help()
help of the !epthook2 command
Definition epthook2.cpp:20
@ HIDDEN_HOOK_EXEC_DETOURS
Definition Events.h:111
enum _DEBUGGER_EVENT_PARSING_ERROR_CAUSE DEBUGGER_EVENT_PARSING_ERROR_CAUSE
Reason for error in parsing commands.
VOID ShowMessages(const char *Fmt,...)
Show messages.
Definition libhyperdbg.cpp:96
NULL()
Definition test-case-generator.py:530
UINT64 OptionalParam1
Definition Events.h:272
Each event can have multiple actions.
Definition Events.h:406
Each command is like the following struct; it is also used for tracing works in user mode and sending it...
Definition Events.h:350
DEBUGGER_EVENT_OPTIONS Options
Definition Events.h:391
VMM_CALLBACK_EVENT_CALLING_STAGE_TYPE EventStage
Definition Events.h:369
BOOLEAN SymbolConvertNameOrExprToAddress(const string &TextToConvert, PUINT64 Result)
check and convert string to a 64 bit unsigned integer and also check for symbol object names and eval...
Definition symbol.cpp:360

◆ CommandEptHook2Help()

/**
 * @brief help of the !epthook2 command
 *
 * @details Prints a one-line summary, the full syntax, and a set of usage
 * examples. Each string is passed to ShowMessages as the format string,
 * which is why the example containing a printf call escapes '%' as '%%'.
 *
 * @return VOID
 */
VOID
CommandEptHook2Help()
{
    //
    // Summary line
    //
    ShowMessages("!epthook2 : puts a hidden-hook EPT (detours).\n\n");

    //
    // Full syntax (the optional keyword groups are shared with the other
    // event commands; only the address is specific to !epthook2)
    //
    ShowMessages(
        "syntax : \t!epthook2 [Address (hex)] [pid ProcessId (hex)] "
        "[core CoreId (hex)] [imm IsImmediate (yesno)] [buffer PreAllocatedBuffer (hex)] "
        "[script { Script (string) }] [asm condition { Condition (assembly/hex) }] [asm code { Code (assembly/hex) }] "
        "[output {OutputName (string)}]\n");

    //
    // Examples, from the simplest form to the ones with actions attached
    //
    ShowMessages("\n");
    ShowMessages("\t\te.g : !epthook2 nt!ExAllocatePoolWithTag\n");
    ShowMessages("\t\te.g : !epthook2 nt!ExAllocatePoolWithTag+5\n");
    ShowMessages("\t\te.g : !epthook2 fffff801deadb000\n");
    ShowMessages("\t\te.g : !epthook2 fffff801deadb000 pid 400\n");
    ShowMessages("\t\te.g : !epthook2 fffff801deadb000 core 2 pid 400\n");
    ShowMessages("\t\te.g : !epthook2 fffff801deadb000 script { printf(\"hook triggered at: %%llx\\n\", $context); }\n");
    ShowMessages("\t\te.g : !epthook2 fffff801deadb000 asm code { nop; nop; nop }\n");
}