HyperDbg Debugger
Loading...
Searching...
No Matches
Functions | Variables
events.cpp File Reference

events commands More...

#include "pch.h"

Functions

VOID CommandEventsHelp ()
 help of the events command
 
VOID CommandEvents (vector< string > SplitCommand, string Command)
 events command handler
 
BOOLEAN CommandEventQueryEventState (UINT64 Tag)
 Check the kernel whether the event is enabled or disabled.
 
VOID CommandEventsShowEvents ()
 print every active and disabled events
 
BOOLEAN CommandEventDisableEvent (UINT64 Tag)
 Disable a special event.
 
BOOLEAN CommandEventEnableEvent (UINT64 Tag)
 enables a special event
 
BOOLEAN CommandEventClearEvent (UINT64 Tag)
 disable and remove a special event
 
VOID CommandEventsClearAllEventsAndResetTags ()
 Clears all the events and resets the tag.
 
VOID CommandEventsHandleModifiedEvent (UINT64 Tag, PDEBUGGER_MODIFY_EVENTS ModifyEventRequest)
 Handle events after modification.
 
BOOLEAN CommandEventsModifyAndQueryEvents (UINT64 Tag, DEBUGGER_MODIFY_EVENTS_TYPE TypeOfAction)
 modify a special event (enable/disable/clear) and send the request directly to the kernel
 

Variables

LIST_ENTRY g_EventTrace
 Holds a list of events in kernel and the state of events and the commands to show the state of each command (disabled/enabled)
 
BOOLEAN g_EventTraceInitialized
 it shows whether the debugger started using events or not or in other words, is g_EventTrace initialized with a variable or it is empty
 
BOOLEAN g_BreakPrintingOutput
 Shows whether the pause command or CTRL+C or CTRL+Break is executed or not.
 
BOOLEAN g_AutoFlush
 Whether auto-flush mode is enabled or not enabled.
 
BOOLEAN g_IsConnectedToRemoteDebuggee
 Shows whether the current debugger is the host and connected to a remote debuggee (guest)
 
BOOLEAN g_IsSerialConnectedToRemoteDebuggee
 Shows if the debugger was connected to remote debuggee over (A remote guest)
 
BOOLEAN g_IsSerialConnectedToRemoteDebugger
 Shows if the debugger was connected to remote debugger (A remote host)
 
UINT64 g_EventTag
 This variable holds the trace and generate numbers for new tags of events.
 

Detailed Description

events commands

Author
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
Version
0.1
Date
2020-07-24
Copyright
This project is released under the GNU Public License v3.

Function Documentation

◆ CommandEventClearEvent()

BOOLEAN CommandEventClearEvent ( UINT64 Tag)

disable and remove a special event

Parameters
Tagthe tag of the target event
Returns
BOOLEAN if the operation was successful then it returns true otherwise it returns false
387{
388 PLIST_ENTRY TempList = 0;
389 BOOLEAN Result = FALSE;
390 PDEBUGGER_GENERAL_EVENT_DETAIL TmpCommandDetail = NULL;
391
392 TempList = &g_EventTrace;
393 while (&g_EventTrace != TempList->Flink)
394 {
395 TempList = TempList->Flink;
396
397 PDEBUGGER_GENERAL_EVENT_DETAIL CommandDetail = CONTAINING_RECORD(TempList, DEBUGGER_GENERAL_EVENT_DETAIL, CommandsEventList);
398
399 if (CommandDetail->Tag == Tag || Tag == DEBUGGER_MODIFY_EVENTS_APPLY_TO_ALL_TAG)
400 {
401 //
402 // Free the buffer for string of command
403 //
404 free(CommandDetail->CommandStringBuffer);
405
406 if (!Result)
407 {
408 Result = TRUE;
409 //
410 // We'll save one element so we can traverse and deallocate
411 // all of the elements
412 //
413 TmpCommandDetail = CommandDetail;
414 }
415
416 if (Tag != DEBUGGER_MODIFY_EVENTS_APPLY_TO_ALL_TAG)
417 {
418 //
419 // Remove it from the list
420 //
421 RemoveEntryList(&CommandDetail->CommandsEventList);
422
423 //
424 // Free the event it self
425 //
426 free(CommandDetail);
427
428 //
429 // Only, one command exist with a tag, so we need to return as we
430 // find it
431 //
432
433 return TRUE;
434 }
435 }
436 }
437
438 if (Result && Tag == DEBUGGER_MODIFY_EVENTS_APPLY_TO_ALL_TAG)
439 {
440 //
441 // We have to deallocate all the elements (note that CommandDetail->CommandStringBuffer is
442 // already deallocated)
443 //
444 while ((UINT64)TmpCommandDetail != (UINT64)&g_EventTrace.Flink)
445 {
446 PVOID Temp = (PVOID)TmpCommandDetail;
447 TmpCommandDetail = (PDEBUGGER_GENERAL_EVENT_DETAIL)TmpCommandDetail->CommandsEventList.Flink;
448
449 free(Temp);
450 }
451
452 //
453 // Reinitialize list head
454 //
455 InitializeListHead(&g_EventTrace);
456 }
457
458 //
459 // Either not found or DEBUGGER_MODIFY_EVENTS_APPLY_TO_ALL_TAG is specified
460 //
461 return Result;
462}
BOOLEAN
UCHAR BOOLEAN
Definition BasicTypes.h:39
TRUE
#define TRUE
Definition BasicTypes.h:55
FALSE
#define FALSE
Definition BasicTypes.h:54
UINT64
unsigned __int64 UINT64
Definition BasicTypes.h:21
DEBUGGER_MODIFY_EVENTS_APPLY_TO_ALL_TAG
#define DEBUGGER_MODIFY_EVENTS_APPLY_TO_ALL_TAG
Apply event modifications to all tags.
Definition Constants.h:586
Tag
POOL_TYPE SIZE_T ULONG Tag
Definition Hooks.h:168
RemoveEntryList
FORCEINLINE BOOLEAN RemoveEntryList(_In_ PLIST_ENTRY Entry)
Definition Windows.h:56
InitializeListHead
FORCEINLINE VOID InitializeListHead(_Out_ PLIST_ENTRY ListHead)
Definition Windows.h:41
g_EventTrace
LIST_ENTRY g_EventTrace
Holds a list of events in kernel and the state of events and the commands to show the state of each c...
Definition globals.h:400
PDEBUGGER_GENERAL_EVENT_DETAIL
struct _DEBUGGER_GENERAL_EVENT_DETAIL * PDEBUGGER_GENERAL_EVENT_DETAIL
test-case-generator.NULL
NULL()
Definition test-case-generator.py:530
_DEBUGGER_GENERAL_EVENT_DETAIL
Each command is like the following struct, it also used for tracing works in user mode and sending it...
Definition Events.h:350
_DEBUGGER_GENERAL_EVENT_DETAIL::Tag
UINT64 Tag
Definition Events.h:388
_DEBUGGER_GENERAL_EVENT_DETAIL::CommandStringBuffer
PVOID CommandStringBuffer
Definition Events.h:393
_DEBUGGER_GENERAL_EVENT_DETAIL::CommandsEventList
LIST_ENTRY CommandsEventList
Definition Events.h:352

◆ CommandEventDisableEvent()

BOOLEAN CommandEventDisableEvent ( UINT64 Tag)

Disable a special event.

Parameters
Tagthe tag of the target event
Returns
BOOLEAN if the operation was successful then it returns true otherwise it returns false
287{
288 PLIST_ENTRY TempList = 0;
289 BOOLEAN Result = FALSE;
290
291 TempList = &g_EventTrace;
292 while (&g_EventTrace != TempList->Blink)
293 {
294 TempList = TempList->Blink;
295
296 PDEBUGGER_GENERAL_EVENT_DETAIL CommandDetail = CONTAINING_RECORD(TempList, DEBUGGER_GENERAL_EVENT_DETAIL, CommandsEventList);
297
298 if (CommandDetail->Tag == Tag ||
299 Tag == DEBUGGER_MODIFY_EVENTS_APPLY_TO_ALL_TAG)
300 {
301 //
302 // Put it to FALSE, to indicate that it's not active
303 //
304 CommandDetail->IsEnabled = FALSE;
305
306 if (!Result)
307 {
308 Result = TRUE;
309 }
310
311 if (Tag != DEBUGGER_MODIFY_EVENTS_APPLY_TO_ALL_TAG)
312 {
313 //
314 // Only, one command exist with a tag, so we need to return as we
315 // find it
316 //
317 return TRUE;
318 }
319 }
320 }
321
322 //
323 // Not found
324 //
325 return Result;
326}
_DEBUGGER_GENERAL_EVENT_DETAIL::IsEnabled
BOOLEAN IsEnabled
Definition Events.h:364

◆ CommandEventEnableEvent()

BOOLEAN CommandEventEnableEvent ( UINT64 Tag)

enables a special event

Parameters
Tagthe tag of the target event
Returns
BOOLEAN if the operation was successful then it returns true otherwise it returns false
337{
338 PLIST_ENTRY TempList = 0;
339 BOOLEAN Result = FALSE;
340
341 TempList = &g_EventTrace;
342 while (&g_EventTrace != TempList->Blink)
343 {
344 TempList = TempList->Blink;
345
346 PDEBUGGER_GENERAL_EVENT_DETAIL CommandDetail = CONTAINING_RECORD(TempList, DEBUGGER_GENERAL_EVENT_DETAIL, CommandsEventList);
347
348 if (CommandDetail->Tag == Tag ||
349 Tag == DEBUGGER_MODIFY_EVENTS_APPLY_TO_ALL_TAG)
350 {
351 //
352 // Put it to TRUE, to indicate that it's active
353 //
354 CommandDetail->IsEnabled = TRUE;
355
356 if (!Result)
357 {
358 Result = TRUE;
359 }
360
361 if (Tag != DEBUGGER_MODIFY_EVENTS_APPLY_TO_ALL_TAG)
362 {
363 //
364 // Only, one command exist with a tag, so we need to return as we
365 // find it
366 //
367 return TRUE;
368 }
369 }
370 }
371
372 //
373 // Not found
374 //
375 return Result;
376}

◆ CommandEventQueryEventState()

BOOLEAN CommandEventQueryEventState ( UINT64 Tag)

Check the kernel whether the event is enabled or disabled.

Parameters
Tagthe tag of the target event
Returns
BOOLEAN if the event was enabled and false if event was disabled
185{
186 BOOLEAN IsEnabled;
187
188 if (g_IsSerialConnectedToRemoteDebuggee)
189 {
190 //
191 // It's a remote debugger in Debugger Mode
192 //
193 if (KdSendEventQueryAndModifyPacketToDebuggee(
194 Tag,
195 DEBUGGER_MODIFY_EVENTS_QUERY_STATE,
196 &IsEnabled))
197 {
198 return IsEnabled;
199 }
200 else
201 {
202 ShowMessages("err, unable to get the state of the event\n");
203 return FALSE;
204 }
205 }
206 else
207 {
208 //
209 // It's a local debugging in VMI Mode
210 //
211 return CommandEventsModifyAndQueryEvents(
212 Tag,
213 DEBUGGER_MODIFY_EVENTS_QUERY_STATE);
214 }
215 //
216 // By default, disabled, even if there was an error
217 //
218 return FALSE;
219}
g_IsSerialConnectedToRemoteDebuggee
BOOLEAN g_IsSerialConnectedToRemoteDebuggee
Shows if the debugger was connected to remote debuggee over (A remote guest)
Definition globals.h:231
CommandEventsModifyAndQueryEvents
BOOLEAN CommandEventsModifyAndQueryEvents(UINT64 Tag, DEBUGGER_MODIFY_EVENTS_TYPE TypeOfAction)
modify a special event (enable/disable/clear) and send the request directly to the kernel
Definition events.cpp:654
DEBUGGER_MODIFY_EVENTS_QUERY_STATE
@ DEBUGGER_MODIFY_EVENTS_QUERY_STATE
Definition Events.h:231
KdSendEventQueryAndModifyPacketToDebuggee
BOOLEAN KdSendEventQueryAndModifyPacketToDebuggee(UINT64 Tag, DEBUGGER_MODIFY_EVENTS_TYPE TypeOfAction, BOOLEAN *IsEnabled)
Sends a query or request to enable/disable/clear for event.
Definition kd.cpp:265
ShowMessages
VOID ShowMessages(const char *Fmt,...)
Show messages.
Definition libhyperdbg.cpp:96

◆ CommandEvents()

VOID CommandEvents ( vector< string > SplitCommand,
string Command )

events command handler

Parameters
SplitCommand
Command
Returns
VOID
66{
67 DEBUGGER_MODIFY_EVENTS_TYPE RequestedAction;
68 UINT64 RequestedTag;
69
70 //
71 // Validate the parameters (size)
72 //
73 if (SplitCommand.size() != 1 && SplitCommand.size() != 3)
74 {
75 ShowMessages("incorrect use of the '%s'\n\n", SplitCommand.at(0).c_str());
76 CommandEventsHelp();
77 return;
78 }
79
80 if (SplitCommand.size() == 1)
81 {
82 if (!g_EventTraceInitialized)
83 {
84 ShowMessages("no active/disabled events \n");
85 return;
86 }
87
88 CommandEventsShowEvents();
89
90 //
91 // No need to continue any further
92 //
93 return;
94 }
95
96 //
97 // Validate second argument as it's not just a simple
98 // events without any parameter
99 //
100 if (!SplitCommand.at(1).compare("e"))
101 {
102 RequestedAction = DEBUGGER_MODIFY_EVENTS_ENABLE;
103 }
104 else if (!SplitCommand.at(1).compare("d"))
105 {
106 RequestedAction = DEBUGGER_MODIFY_EVENTS_DISABLE;
107 }
108 else if (!SplitCommand.at(1).compare("c"))
109 {
110 RequestedAction = DEBUGGER_MODIFY_EVENTS_CLEAR;
111 }
112 else if (!SplitCommand.at(1).compare("sc"))
113 {
114 if (!SplitCommand.at(2).compare("on"))
115 {
116 KdSendShortCircuitingEventToDebuggee(TRUE);
117 }
118 else if (!SplitCommand.at(2).compare("off"))
119 {
120 KdSendShortCircuitingEventToDebuggee(FALSE);
121 }
122 else
123 {
124 ShowMessages(
125 "please specify a correct 'on' or 'off' state for the short-circuiting state\n\n");
126 CommandEventsHelp();
127 return;
128 }
129
130 //
131 // No need to further continue
132 //
133 return;
134 }
135 else
136 {
137 //
138 // unknown second command
139 //
140 ShowMessages("incorrect use of the '%s'\n\n", SplitCommand.at(0).c_str());
141 CommandEventsHelp();
142 return;
143 }
144
145 //
146 // Validate third argument as it's not just a simple
147 // events without any parameter
148 //
149 if (!SplitCommand.at(2).compare("all"))
150 {
151 RequestedTag = DEBUGGER_MODIFY_EVENTS_APPLY_TO_ALL_TAG;
152 }
153 else if (!ConvertStringToUInt64(SplitCommand.at(2), &RequestedTag))
154 {
155 ShowMessages(
156 "please specify a correct hex value for tag id (event number)\n\n");
157 CommandEventsHelp();
158 return;
159 }
160
161 //
162 // Send the request to the kernel, we add it to a constant
163 // that's because we want start tags from that constant
164 //
165 if (RequestedTag != DEBUGGER_MODIFY_EVENTS_APPLY_TO_ALL_TAG)
166 {
167 RequestedTag = RequestedTag + DebuggerEventTagStartSeed;
168 }
169
170 //
171 // Perform event related tasks
172 //
173 CommandEventsModifyAndQueryEvents(RequestedTag, RequestedAction);
174}
DebuggerEventTagStartSeed
#define DebuggerEventTagStartSeed
The seeds that user-mode codes use as the starter of their events' tag.
Definition Constants.h:222
ConvertStringToUInt64
BOOLEAN ConvertStringToUInt64(string TextToConvert, PUINT64 Result)
check and convert string to a 64 bit unsigned integer and also check for special notations like 0x,...
Definition common.cpp:240
CommandEventsShowEvents
VOID CommandEventsShowEvents()
print every active and disabled events
Definition events.cpp:227
CommandEventsHelp
VOID CommandEventsHelp()
help of the events command
Definition events.cpp:32
g_EventTraceInitialized
BOOLEAN g_EventTraceInitialized
it shows whether the debugger started using events or not or in other words, is g_EventTrace initiali...
Definition globals.h:390
DEBUGGER_MODIFY_EVENTS_ENABLE
@ DEBUGGER_MODIFY_EVENTS_ENABLE
Definition Events.h:232
DEBUGGER_MODIFY_EVENTS_DISABLE
@ DEBUGGER_MODIFY_EVENTS_DISABLE
Definition Events.h:233
DEBUGGER_MODIFY_EVENTS_CLEAR
@ DEBUGGER_MODIFY_EVENTS_CLEAR
Definition Events.h:234
DEBUGGER_MODIFY_EVENTS_TYPE
enum _DEBUGGER_MODIFY_EVENTS_TYPE DEBUGGER_MODIFY_EVENTS_TYPE
different types of modifying events request (enable/disable/clear)
KdSendShortCircuitingEventToDebuggee
BOOLEAN KdSendShortCircuitingEventToDebuggee(BOOLEAN IsEnabled)
Sends a short-circuiting event request to debuggee.
Definition kd.cpp:226

◆ CommandEventsClearAllEventsAndResetTags()

VOID CommandEventsClearAllEventsAndResetTags ( )

Clears all the events and resets the tag.

Returns
VOID
471{
472 //
473 // Check if events are initialized
474 //
475 if (g_EventTraceInitialized)
476 {
477 CommandEventClearEvent(DEBUGGER_MODIFY_EVENTS_APPLY_TO_ALL_TAG);
478
479 //
480 // Indicate that it's not initialized
481 //
482 g_EventTraceInitialized = FALSE;
483
484 //
485 // Reset tag numbering mechanism
486 //
487 g_EventTag = DebuggerEventTagStartSeed;
488 }
489}
CommandEventClearEvent
BOOLEAN CommandEventClearEvent(UINT64 Tag)
disable and remove a special event
Definition events.cpp:386
g_EventTag
UINT64 g_EventTag
This variable holds the trace and generate numbers for new tags of events.
Definition globals.h:375

◆ CommandEventsHandleModifiedEvent()

VOID CommandEventsHandleModifiedEvent ( UINT64 Tag,
PDEBUGGER_MODIFY_EVENTS ModifyEventRequest )

Handle events after modification.

Parameters
Tagthe tag of the target event
ModifyEventRequestResults
Returns
VOID
502{
503 if (ModifyEventRequest->KernelStatus == DEBUGGER_OPERATION_WAS_SUCCESSFUL)
504 {
505 //
506 // Successful, nothing to show but we should also
507 // do the same (change) the user-mode structures
508 // that hold the event data
509 //
510 if (ModifyEventRequest->TypeOfAction == DEBUGGER_MODIFY_EVENTS_ENABLE)
511 {
512 if (!CommandEventEnableEvent(Tag))
513 {
514 ShowMessages("err, the event was successfully, "
515 "(enabled|disabled|cleared) but "
516 "can't apply it to the user-mode structures\n");
517 }
518 }
519 else if (ModifyEventRequest->TypeOfAction == DEBUGGER_MODIFY_EVENTS_DISABLE)
520 {
521 if (!CommandEventDisableEvent(Tag))
522 {
523 ShowMessages("err, the event was successfully, "
524 "(enabled|disabled|cleared) but "
525 "can't apply it to the user-mode structures\n");
526 }
527 else
528 {
529 //
530 // The action was applied successfully
531 //
532 if (g_BreakPrintingOutput)
533 {
534 //
535 // It is because we didn't query the target debuggee auto-flush
536 // variable
537 //
538 if (!g_IsConnectedToRemoteDebuggee &&
539 !g_IsSerialConnectedToRemoteDebuggee &&
540 !g_IsSerialConnectedToRemoteDebugger)
541 {
542 if (!g_AutoFlush)
543 {
544 ShowMessages(
545 "auto-flush mode is disabled, if there is still "
546 "messages or buffers in the kernel, you continue to see "
547 "the messages when you run 'g' until the kernel "
548 "buffers are empty. you can run 'settings autoflush "
549 "on' and after disabling and clearing events, "
550 "kernel buffers will be flushed automatically\n");
551 }
552 else
553 {
554 //
555 // We should flush buffers here
556 //
557 CommandFlushRequestFlush();
558 }
559 }
560 }
561 }
562 }
563 else if (ModifyEventRequest->TypeOfAction == DEBUGGER_MODIFY_EVENTS_CLEAR)
564 {
565 if (!CommandEventClearEvent(Tag))
566 {
567 ShowMessages("err, the event was successfully, "
568 "(enabled|disabled|cleared) but "
569 "can't apply it to the user-mode structures\n");
570 }
571 else
572 {
573 //
574 // If HyperDbg is operating at the Debugger Mode, we'll indicate that
575 // the event will be cleared after continuing the debuggee
576 //
577 if (g_IsSerialConnectedToRemoteDebuggee)
578 {
579 ShowMessages("%s successfully cleared, but please note in the Debugger Mode (current mode), HyperDbg "
580 "cannot clear events instantly. Instead, it first disables the events, and when "
581 "you continue the debuggee (e.g., by pressing the 'g' command), the event will be cleared. "
582 "Reapplying the same event without first continuing the debuggee may result in undefined behavior\n",
583 Tag == DEBUGGER_MODIFY_EVENTS_APPLY_TO_ALL_TAG ? "events are" : "the event is");
584 }
585
586 //
587 // The action was applied successfully
588 //
589 if (g_BreakPrintingOutput)
590 {
591 //
592 // It is because we didn't query the target debuggee auto-flush
593 // variable
594 //
595 if (!g_IsConnectedToRemoteDebuggee)
596 {
597 if (!g_AutoFlush)
598 {
599 ShowMessages(
600 "auto-flush mode is disabled, if there is still "
601 "messages or buffers in the kernel, you continue to see "
602 "the messages when you run 'g' until the kernel "
603 "buffers are empty. you can run 'settings autoflush "
604 "on' and after disabling and clearing events, "
605 "kernel buffers will be flushed automatically\n");
606 }
607 else
608 {
609 //
610 // We should flush buffers here
611 //
612 CommandFlushRequestFlush();
613 }
614 }
615 }
616 }
617 }
618 else if (ModifyEventRequest->TypeOfAction ==
619 DEBUGGER_MODIFY_EVENTS_QUERY_STATE)
620 {
621 //
622 // Nothing to show
623 //
624 }
625 else
626 {
627 ShowMessages(
628 "err, the event was successfully, (enabled|disabled|cleared) but "
629 "can't apply it to the user-mode structures\n");
630 }
631 }
632 else
633 {
634 //
635 // Interpret error
636 //
637 ShowErrorMessage((UINT32)ModifyEventRequest->KernelStatus);
638 return;
639 }
640}
UINT32
unsigned int UINT32
Definition BasicTypes.h:48
DEBUGGER_OPERATION_WAS_SUCCESSFUL
#define DEBUGGER_OPERATION_WAS_SUCCESSFUL
General value to indicate that the operation or request was successful.
Definition ErrorCodes.h:23
ShowErrorMessage
BOOLEAN ShowErrorMessage(UINT32 Error)
shows the error message
Definition debugger.cpp:38
g_IsSerialConnectedToRemoteDebugger
BOOLEAN g_IsSerialConnectedToRemoteDebugger
Shows if the debugger was connected to remote debugger (A remote host)
Definition globals.h:238
g_IsConnectedToRemoteDebuggee
BOOLEAN g_IsConnectedToRemoteDebuggee
Shows whether the current debugger is the host and connected to a remote debuggee (guest)
Definition globals.h:74
CommandEventEnableEvent
BOOLEAN CommandEventEnableEvent(UINT64 Tag)
enables a special event
Definition events.cpp:336
CommandEventDisableEvent
BOOLEAN CommandEventDisableEvent(UINT64 Tag)
Disable a special event.
Definition events.cpp:286
g_AutoFlush
BOOLEAN g_AutoFlush
Whether auto-flush mode is enabled or not enabled.
Definition globals.h:591
g_BreakPrintingOutput
BOOLEAN g_BreakPrintingOutput
Shows whether the pause command or CTRL+C or CTRL+Break is executed or not.
Definition globals.h:499
CommandFlushRequestFlush
VOID CommandFlushRequestFlush()
flush command handler
Definition flush.cpp:39
_DEBUGGER_MODIFY_EVENTS::TypeOfAction
DEBUGGER_MODIFY_EVENTS_TYPE TypeOfAction
Definition Events.h:246
_DEBUGGER_MODIFY_EVENTS::KernelStatus
UINT64 KernelStatus
Definition Events.h:244

◆ CommandEventsHelp()

VOID CommandEventsHelp ( )

help of the events command

Returns
VOID
33{
34 ShowMessages("events : shows active and disabled events\n");
35
36 ShowMessages("syntax : \tevents\n");
37 ShowMessages("syntax : \tevents [e|d|c all|EventNumber (hex)]\n");
38 ShowMessages("syntax : \tevents [sc State (on|off)]\n");
39
40 ShowMessages("e : enable\n");
41 ShowMessages("d : disable\n");
42 ShowMessages("c : clear\n");
43
44 ShowMessages("note : If you specify 'all' then e, d, or c will be applied to "
45 "all of the events.\n\n");
46
47 ShowMessages("\n");
48 ShowMessages("\te.g : events \n");
49 ShowMessages("\te.g : events e 12\n");
50 ShowMessages("\te.g : events d 10\n");
51 ShowMessages("\te.g : events c 10\n");
52 ShowMessages("\te.g : events c all\n");
53 ShowMessages("\te.g : events sc on\n");
54 ShowMessages("\te.g : events sc off\n");
55}

◆ CommandEventsModifyAndQueryEvents()

BOOLEAN CommandEventsModifyAndQueryEvents ( UINT64 Tag,
DEBUGGER_MODIFY_EVENTS_TYPE TypeOfAction )

modify a special event (enable/disable/clear) and send the request directly to the kernel

if you pass DEBUGGER_MODIFY_EVENTS_APPLY_TO_ALL_TAG as the tag then it will be applied to all the active/disabled events in the kernel

Parameters
Tagthe tag of the target event
TypeOfActionwhether its a enable/disable/clear
Returns
BOOLEAN Shows whether the event is enabled or disabled
656{
657 BOOLEAN Status;
658 ULONG ReturnedLength;
659 DEBUGGER_MODIFY_EVENTS ModifyEventRequest = {0};
660
661 //
662 // Check if there is no event, then we shouldn't apply the
663 // enable, disable, or clear commands, this command also
664 // checks for DEBUGGER_MODIFY_EVENTS_APPLY_TO_ALL_TAG to
665 // see if at least one tag exists or not; however, it's not
666 // necessary as the kernel will check for the validity of
667 // tag too, but let's not send it to kernel as we can prevent
668 // invalid requests from user-mode too
669 //
670 if (!IsTagExist(Tag))
671 {
672 if (Tag == DEBUGGER_MODIFY_EVENTS_APPLY_TO_ALL_TAG)
673 {
674 ShowMessages("there is no event\n");
675 }
676 else
677 {
678 ShowMessages("err, tag id is invalid\n");
679 }
680 return FALSE;
681 }
682
683 if (g_IsSerialConnectedToRemoteDebuggee)
684 {
685 //
686 // Remote debuggee Debugger Mode
687 //
688 KdSendEventQueryAndModifyPacketToDebuggee(Tag, TypeOfAction, NULL);
689 }
690 else
691 {
692 //
693 // Local debugging VMI-Mode
694 //
695
696 //
697 // Check if debugger is loaded or not
698 //
699 AssertShowMessageReturnStmt(g_DeviceHandle, ASSERT_MESSAGE_DRIVER_NOT_LOADED, AssertReturnFalse);
700
701 //
702 // Fill the structure to send it to the kernel
703 //
704 ModifyEventRequest.Tag = Tag;
705 ModifyEventRequest.TypeOfAction = TypeOfAction;
706
707 //
708 // Send the request to the kernel
709 //
710 Status =
711 DeviceIoControl(g_DeviceHandle, // Handle to device
712 IOCTL_DEBUGGER_MODIFY_EVENTS, // IO Control Code (IOCTL)
713 &ModifyEventRequest, // Input Buffer to driver.
714 SIZEOF_DEBUGGER_MODIFY_EVENTS, // Input buffer length
715 &ModifyEventRequest, // Output Buffer from driver.
716 SIZEOF_DEBUGGER_MODIFY_EVENTS, // Length of output
717 // buffer in bytes.
718 &ReturnedLength, // Bytes placed in buffer.
719 NULL // synchronous call
720 );
721
722 if (!Status)
723 {
724 ShowMessages("ioctl failed with code 0x%x\n", GetLastError());
725 return FALSE;
726 }
727
728 //
729 // Perform further actions
730 //
731 CommandEventsHandleModifiedEvent(Tag, &ModifyEventRequest);
732
733 if (TypeOfAction == DEBUGGER_MODIFY_EVENTS_QUERY_STATE)
734 {
735 return ModifyEventRequest.IsEnabled;
736 }
737 }
738
739 //
740 // in all the cases except query state it shows whether the operation was
741 // successful or not
742 //
743 return TRUE;
744}
ULONG
unsigned long ULONG
Definition BasicTypes.h:37
IOCTL_DEBUGGER_MODIFY_EVENTS
#define IOCTL_DEBUGGER_MODIFY_EVENTS
ioctl, request to modify an event (enable/disable/clear)
Definition Ioctls.h:148
IsTagExist
BOOLEAN IsTagExist(UINT64 Tag)
Check whether the tag exists or not, if the tag is DEBUGGER_MODIFY_EVENTS_APPLY_TO_ALL_TAG then if we...
Definition debugger.cpp:719
CommandEventsHandleModifiedEvent
VOID CommandEventsHandleModifiedEvent(UINT64 Tag, PDEBUGGER_MODIFY_EVENTS ModifyEventRequest)
Handle events after modification.
Definition events.cpp:499
SIZEOF_DEBUGGER_MODIFY_EVENTS
#define SIZEOF_DEBUGGER_MODIFY_EVENTS
Definition Events.h:197
AssertShowMessageReturnStmt
#define AssertShowMessageReturnStmt(expr, message, rc)
Definition common.h:51
ASSERT_MESSAGE_DRIVER_NOT_LOADED
#define ASSERT_MESSAGE_DRIVER_NOT_LOADED
Definition common.h:25
AssertReturnFalse
#define AssertReturnFalse
Definition common.h:21
g_DeviceHandle
HANDLE g_DeviceHandle
Holds the global handle of device which is used to send the request to the kernel by IOCTL,...
Definition globals.h:471
_DEBUGGER_MODIFY_EVENTS
request for modifying events (enable/disable/clear)
Definition Events.h:242
_DEBUGGER_MODIFY_EVENTS::IsEnabled
BOOLEAN IsEnabled
Definition Events.h:247
_DEBUGGER_MODIFY_EVENTS::Tag
UINT64 Tag
Definition Events.h:243

◆ CommandEventsShowEvents()

VOID CommandEventsShowEvents ( )

print every active and disabled events

this function will not show cleared events

Returns
VOID
228{
229 //
230 // It's an events without any argument so we have to show
231 // all the currently active events
232 //
233 PLIST_ENTRY TempList = 0;
234 BOOLEAN IsThereAnyEvents = FALSE;
235
236 TempList = &g_EventTrace;
237 while (&g_EventTrace != TempList->Blink)
238 {
239 TempList = TempList->Blink;
240
241 PDEBUGGER_GENERAL_EVENT_DETAIL CommandDetail = CONTAINING_RECORD(TempList, DEBUGGER_GENERAL_EVENT_DETAIL, CommandsEventList);
242 string CommandMessage((char *)CommandDetail->CommandStringBuffer);
243
244 //
245 // Do not show the \n(s)
246 //
247 ReplaceAll(CommandMessage, "\n", " ");
248
249 //
250 // Only show portion of message
251 //
252 if (CommandMessage.length() > 70)
253 {
254 CommandMessage = CommandMessage.substr(0, 70);
255 CommandMessage += "...";
256 }
257
258 ShowMessages("%x\t(%s)\t %s\n",
259 CommandDetail->Tag - DebuggerEventTagStartSeed,
260 // CommandDetail->IsEnabled ? "enabled" : "disabled",
261 CommandEventQueryEventState(CommandDetail->Tag)
262 ? "enabled"
263 : "disabled", /* Query is live now */
264 CommandMessage.c_str());
265
266 if (!IsThereAnyEvents)
267 {
268 IsThereAnyEvents = TRUE;
269 }
270 }
271
272 if (!IsThereAnyEvents)
273 {
274 ShowMessages("no active/disabled events \n");
275 }
276}
ReplaceAll
VOID ReplaceAll(string &str, const string &from, const string &to)
general replace all function
Definition common.cpp:91
CommandEventQueryEventState
BOOLEAN CommandEventQueryEventState(UINT64 Tag)
Check the kernel whether the event is enabled or disabled.
Definition events.cpp:184

Variable Documentation

◆ g_AutoFlush

BOOLEAN g_AutoFlush
extern

Whether auto-flush mode is enabled or not enabled.

it is disabled by default

◆ g_BreakPrintingOutput

BOOLEAN g_BreakPrintingOutput
extern

Shows whether the pause command or CTRL+C or CTRL+Break is executed or not.

◆ g_EventTag

UINT64 g_EventTag
extern

This variable holds the trace and generate numbers for new tags of events.

◆ g_EventTrace

LIST_ENTRY g_EventTrace
extern

Holds a list of events in kernel and the state of events and the commands to show the state of each command (disabled/enabled)

this list is not have any relation with the things that HyperDbg holds for each event in the kernel

400{0};

◆ g_EventTraceInitialized

BOOLEAN g_EventTraceInitialized
extern

it shows whether the debugger started using events or not or in other words, is g_EventTrace initialized with a variable or it is empty

◆ g_IsConnectedToRemoteDebuggee

BOOLEAN g_IsConnectedToRemoteDebuggee
extern

Shows whether the current debugger is the host and connected to a remote debuggee (guest)

◆ g_IsSerialConnectedToRemoteDebuggee

BOOLEAN g_IsSerialConnectedToRemoteDebuggee
extern

Shows if the debugger was connected to remote debuggee over (A remote guest)

◆ g_IsSerialConnectedToRemoteDebugger

BOOLEAN g_IsSerialConnectedToRemoteDebugger
extern

Shows if the debugger was connected to remote debugger (A remote host)