HyperDbg Debugger
Loading...
Searching...
No Matches
epthook.cpp File Reference

!epthook command More...

#include "pch.h"

Functions

VOID CommandEptHookHelp ()
 help of the !epthook command
VOID CommandEptHook (vector< CommandToken > CommandTokens, string Command)
 !epthook command handler

Detailed Description

!epthook command

Author
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
Version
0.1
Date
2020-07-10

Function Documentation

◆ CommandEptHook()

VOID CommandEptHook ( vector< CommandToken > CommandTokens,
string Command )

!epthook command handler

Parameters
CommandTokens
Command
Returns
VOID
49{
51 PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger = NULL;
52 PDEBUGGER_GENERAL_ACTION ActionCustomCode = NULL;
53 PDEBUGGER_GENERAL_ACTION ActionScript = NULL;
54 UINT32 EventLength;
55 UINT32 ActionBreakToDebuggerLength = 0;
56 UINT32 ActionCustomCodeLength = 0;
57 UINT32 ActionScriptLength = 0;
58 BOOLEAN GetAddress = FALSE;
59 UINT64 OptionalParam1 = 0; // Set the target address
60 DEBUGGER_EVENT_PARSING_ERROR_CAUSE EventParsingErrorCause;
61
62 if (CommandTokens.size() < 2)
63 {
64 ShowMessages("incorrect use of the '%s'\n\n",
65 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
66
68 return;
69 }
70
71 //
72 // Interpret and fill the general event and action fields
73 //
75 &CommandTokens,
77 &Event,
78 &EventLength,
79 &ActionBreakToDebugger,
80 &ActionBreakToDebuggerLength,
81 &ActionCustomCode,
82 &ActionCustomCodeLength,
83 &ActionScript,
84 &ActionScriptLength,
85 &EventParsingErrorCause))
86 {
87 return;
88 }
89
90 //
91 // Check here to make sure that the user didn't specified the calling stages for this ept hook
92 //
94 {
95 ShowMessages("the utilization of 'post' or 'all' event calling stages is not meaningful "
96 "for the hidden hook; therefore, this command does not support them\n");
97
98 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
99 return;
100 }
101
102 //
103 // Interpret command specific details (if any)
104 //
105 for (auto Section : CommandTokens)
106 {
107 if (CompareLowerCaseStrings(Section, "!epthook"))
108 {
109 continue;
110 }
111 else if (!GetAddress)
112 {
113 //
114 // It's probably address
115 //
118 &OptionalParam1))
119 {
120 //
121 // Couldn't resolve or unknown parameter
122 //
123 ShowMessages("err, couldn't resolve error at '%s'\n\n",
126
127 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
128 return;
129 }
130 else
131 {
132 GetAddress = TRUE;
133 }
134 }
135 else
136 {
137 //
138 // Unknown parameter
139 //
140 ShowMessages("unknown parameter '%s'\n\n",
143
144 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
145 return;
146 }
147 }
148 if (OptionalParam1 == 0)
149 {
150 ShowMessages("please choose an address to put the hidden breakpoint on it\n");
151
152 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
153 return;
154 }
155
156 //
157 // Set the optional parameters
158 //
159 Event->Options.OptionalParam1 = OptionalParam1;
160
161 //
162 // Send the ioctl to the kernel for event registration
163 //
164 if (!SendEventToKernel(Event, EventLength))
165 {
166 //
167 // There was an error, probably the handle was not initialized
168 // we have to free the Action before exit, it is because, we
169 // already freed the Event and string buffers
170 //
171
172 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
173 return;
174 }
175
176 //
177 // Add the event to the kernel
178 //
179 if (!RegisterActionToEvent(Event,
180 ActionBreakToDebugger,
181 ActionBreakToDebuggerLength,
182 ActionCustomCode,
183 ActionCustomCodeLength,
184 ActionScript,
185 ActionScriptLength))
186 {
187 //
188 // There was an error
189 //
190
191 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
192 return;
193 }
194}
UCHAR BOOLEAN
Definition BasicTypes.h:35
#define TRUE
Definition BasicTypes.h:114
#define FALSE
Definition BasicTypes.h:113
unsigned int UINT32
Definition BasicTypes.h:54
@ VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION
Definition DataTypes.h:126
@ HIDDEN_HOOK_EXEC_CC
Definition Events.h:112
struct _DEBUGGER_GENERAL_EVENT_DETAIL * PDEBUGGER_GENERAL_EVENT_DETAIL
struct _DEBUGGER_GENERAL_ACTION * PDEBUGGER_GENERAL_ACTION
std::string GetCaseSensitiveStringFromCommandToken(CommandToken TargetToken)
Get case sensitive string from command token.
Definition common.cpp:467
BOOLEAN CompareLowerCaseStrings(CommandToken TargetToken, const CHAR *StringToCompare)
Compare lower case strings.
Definition common.cpp:503
VOID FreeEventsAndActionsMemory(PDEBUGGER_GENERAL_EVENT_DETAIL Event, PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger, PDEBUGGER_GENERAL_ACTION ActionCustomCode, PDEBUGGER_GENERAL_ACTION ActionScript)
Deallocate buffers relating to events and actions.
Definition debugger.cpp:1688
BOOLEAN InterpretGeneralEventAndActionsFields(vector< CommandToken > *CommandTokens, VMM_EVENT_TYPE_ENUM EventType, PDEBUGGER_GENERAL_EVENT_DETAIL *EventDetailsToFill, PUINT32 EventBufferLength, PDEBUGGER_GENERAL_ACTION *ActionDetailsToFillBreakToDebugger, PUINT32 ActionBufferLengthBreakToDebugger, PDEBUGGER_GENERAL_ACTION *ActionDetailsToFillCustomCode, PUINT32 ActionBufferLengthCustomCode, PDEBUGGER_GENERAL_ACTION *ActionDetailsToFillScript, PUINT32 ActionBufferLengthScript, PDEBUGGER_EVENT_PARSING_ERROR_CAUSE ReasonForErrorInParsing)
Interpret general event fields.
Definition debugger.cpp:1736
BOOLEAN SendEventToKernel(PDEBUGGER_GENERAL_EVENT_DETAIL Event, UINT32 EventBufferLength)
Register the event to the kernel.
Definition debugger.cpp:1367
BOOLEAN RegisterActionToEvent(PDEBUGGER_GENERAL_EVENT_DETAIL Event, PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger, UINT32 ActionBreakToDebuggerLength, PDEBUGGER_GENERAL_ACTION ActionCustomCode, UINT32 ActionCustomCodeLength, PDEBUGGER_GENERAL_ACTION ActionScript, UINT32 ActionScriptLength)
Register the action to the event.
Definition debugger.cpp:1483
VOID CommandEptHookHelp()
help of the !epthook command
Definition epthook.cpp:20
enum _DEBUGGER_EVENT_PARSING_ERROR_CAUSE DEBUGGER_EVENT_PARSING_ERROR_CAUSE
Reason for error in parsing commands.
NULL()
Definition test-case-generator.py:530
UINT64 OptionalParam1
Definition Events.h:277
DEBUGGER_EVENT_OPTIONS Options
Definition Events.h:396
VMM_CALLBACK_EVENT_CALLING_STAGE_TYPE EventStage
Definition Events.h:374
BOOLEAN SymbolConvertNameOrExprToAddress(const string &TextToConvert, PUINT64 Result)
check and convert string to a 64 bit unsigned integer and also check for symbol object names and eval...
Definition symbol.cpp:359

◆ CommandEptHookHelp()

VOID CommandEptHookHelp ( )

help of the !epthook command

Returns
VOID
21{
22 ShowMessages("!epthook : puts a hidden-hook EPT (hidden breakpoints).\n\n");
23
24 ShowMessages(
25 "syntax : \t!epthook [Address (hex)] [pid ProcessId (hex)] [core CoreId (hex)] "
26 "[imm IsImmediate (yesno)] [buffer PreAllocatedBuffer (hex)] [script { Script (string) }] "
27 "[asm condition { Condition (assembly/hex) }] [asm code { Code (assembly/hex) }] [output {OutputName (string)}]\n");
28
29 ShowMessages("\n");
30 ShowMessages("\t\te.g : !epthook nt!ExAllocatePoolWithTag\n");
31 ShowMessages("\t\te.g : !epthook nt!ExAllocatePoolWithTag+5\n");
32 ShowMessages("\t\te.g : !epthook fffff801deadb000\n");
33 ShowMessages("\t\te.g : !epthook fffff801deadb000 pid 400\n");
34 ShowMessages("\t\te.g : !epthook fffff801deadb000 core 2 pid 400\n");
35 ShowMessages("\t\te.g : !epthook fffff801deadb000 script { printf(\"hook triggered at: %%llx\\n\", $context); }\n");
36 ShowMessages("\t\te.g : !epthook fffff801deadb000 asm code { nop; nop; nop }\n");
37}