HyperDbg Debugger
Ioctl.c File Reference

IOCTL functions from user mode and other parts. More...

#include "pch.h"

Functions

BOOLEAN DrvValidateAndAdjustIoctlParameter (UINT32 BufferSize, PVOID *TargetBuffer, PIRP Irp, PIO_STACK_LOCATION IrpStack, ULONG *InBuffLength, ULONG *OutBuffLength)
 Validates and adjusts the parameters of an IOCTL request.
VOID DrvAdjustStatusAndSetOutputSize (UINT32 ExpectedOutputBufferSize, BOOLEAN *DoNotChangeInformation, PIRP Irp, NTSTATUS *Status)
 Adjusts the status and output buffer size for an IOCTL request.
BOOLEAN IoctlCheckIoctlAllowed (ULONG Ioctl)
 Checks whether the IOCTL request is allowed based on the current state of the driver and the system.
NTSTATUS DrvDispatchBasicIoControl (PIRP Irp, PIO_STACK_LOCATION IrpStack, BOOLEAN *DoNotChangeInformation)
 IOCTL Dispatcher for Basic IOCTLs (initialization and event registration).
NTSTATUS DrvDispatchKdIoControl (PIRP Irp, PIO_STACK_LOCATION IrpStack, BOOLEAN *DoNotChangeInformation)
 IOCTL Dispatcher for KD (Kernel Debugger) IOCTLs.
NTSTATUS DrvDispatchVmmIoControl (PIRP Irp, PIO_STACK_LOCATION IrpStack, BOOLEAN *DoNotChangeInformation)
 IOCTL Dispatcher for VMM IOCTLs.
NTSTATUS DrvDispatchHyperTraceIoControl (PIRP Irp, PIO_STACK_LOCATION IrpStack, BOOLEAN *DoNotChangeInformation)
 IOCTL Dispatcher for HyperTrace IOCTLs.
NTSTATUS DrvDispatchIoControl (PDEVICE_OBJECT DeviceObject, PIRP Irp)
 Driver IOCTL Dispatcher.

Detailed Description

IOCTL functions from user mode and other parts.

Author
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
Version
0.1
Date
2020-06-01

Function Documentation

◆ DrvAdjustStatusAndSetOutputSize()

VOID DrvAdjustStatusAndSetOutputSize ( UINT32 ExpectedOutputBufferSize,
BOOLEAN * DoNotChangeInformation,
PIRP Irp,
NTSTATUS * Status )

Adjusts the status and output buffer size for an IOCTL request.

Parameters
ExpectedOutputBufferSize — The expected size of the output buffer
DoNotChangeInformation — Output parameter to indicate whether to change the information field of the IRP's I/O status block
Irp — The IRP representing the IOCTL request
Status — Output parameter to receive the status to be set in the IRP's I/O status block
Returns
VOID
{
    //
    // Tell the top-level dispatcher that IoStatus.Information carries a
    // real byte count: on completion it zeroes the field unless this flag
    // is raised, so raise it first.
    //
    *DoNotChangeInformation = TRUE;

    //
    // Report success and the number of bytes user mode should read back.
    // Callers are expected to have validated the output buffer length
    // against ExpectedOutputBufferSize before getting here; note that any
    // error status the caller had set in *Status is replaced by
    // STATUS_SUCCESS.
    //
    *Status                   = STATUS_SUCCESS;
    Irp->IoStatus.Information = ExpectedOutputBufferSize;
}
#define TRUE
Definition BasicTypes.h:114

◆ DrvDispatchBasicIoControl()

NTSTATUS DrvDispatchBasicIoControl ( PIRP Irp,
PIO_STACK_LOCATION IrpStack,
BOOLEAN * DoNotChangeInformation )

IOCTL Dispatcher for Basic IOCTLs (initialization and event registration).

Parameters
Irp
IrpStack
DoNotChangeInformation
Returns
NTSTATUS
{
    PREGISTER_NOTIFY_BUFFER          RegisterEventRequest;
    PDEBUGGER_INIT_VMM_PACKET        InitVmmRequest;
    PDEBUGGER_INIT_HYPERTRACE_PACKET InitHyperTraceRequest;
    ULONG                            InBuffLength;
    ULONG                            OutBuffLength;
    NTSTATUS                         Status = STATUS_SUCCESS;
    UINT32                           Ioctl  = IrpStack->Parameters.DeviceIoControl.IoControlCode;

    //
    // Dispatches one IOCTL from the "basic" range: loading the VMM and
    // HyperTrace, registering the user-mode notification channel, and the
    // final "no more IRPs" signal. Returns the NTSTATUS the top-level
    // dispatcher stores in the IRP. Handlers that hand a packet back to user
    // mode report its size through DrvAdjustStatusAndSetOutputSize, which
    // also raises *DoNotChangeInformation.
    //
    switch (Ioctl)
    {
    case IOCTL_INIT_VMM:

        //
        // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
        //
        // [line elided in the rendered listing — presumably
        //  `if (!DrvValidateAndAdjustIoctlParameter(SIZEOF_DEBUGGER_INIT_VMM_PACKET,`]
                                                 (PVOID *)&InitVmmRequest,
                                                 Irp,
                                                 IrpStack,
                                                 &InBuffLength,
                                                 &OutBuffLength))
        {
            Status = STATUS_INVALID_PARAMETER;
            break;
        }

        //
        // Initialize the debugger and the vmm
        //
        if (LoaderInitDebuggerAndVmm(InitVmmRequest))
        {
            Status = STATUS_SUCCESS;
        }
        else
        {
            //
            // There was a problem, so not loaded
            //
            Status = STATUS_UNSUCCESSFUL;
        }

        //
        // Adjust the status and output size
        //
        // NOTE(review): DrvAdjustStatusAndSetOutputSize overwrites *Status
        // with STATUS_SUCCESS, so the STATUS_UNSUCCESSFUL set above for a
        // failed load never reaches the IRP; user mode must learn of the
        // failure from the returned packet, if it carries that — confirm
        // against the user-mode side.
        //
        DrvAdjustStatusAndSetOutputSize(SIZEOF_DEBUGGER_INIT_VMM_PACKET, DoNotChangeInformation, Irp, &Status);

        break;

        // [case label elided in the rendered listing — presumably `case IOCTL_INIT_HYPERTRACE:`]

        //
        // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
        //
        // [line elided in the rendered listing — presumably
        //  `if (!DrvValidateAndAdjustIoctlParameter(SIZEOF_DEBUGGER_INIT_HYPERTRACE_PACKET,`]
                                                 (PVOID *)&InitHyperTraceRequest,
                                                 Irp,
                                                 IrpStack,
                                                 &InBuffLength,
                                                 &OutBuffLength))
        {
            Status = STATUS_INVALID_PARAMETER;
            break;
        }

        //
        // Initialize the HyperTrace (if supported by the processor)
        //
        // The BOOLEAN result of LoaderInitHyperTrace is discarded here, unlike
        // LoaderInitDebuggerAndVmm above; the IRP completes with STATUS_SUCCESS
        // either way, so a failed initialization is only visible to user mode
        // if the packet itself reports it (not visible in this listing).
        //
        LoaderInitHyperTrace(InitHyperTraceRequest, TRUE);

        //
        // Adjust the status and output size
        //
        DrvAdjustStatusAndSetOutputSize(SIZEOF_DEBUGGER_INIT_HYPERTRACE_PACKET, DoNotChangeInformation, Irp, &Status);

        break;

        // [case label elided in the rendered listing — presumably `case IOCTL_REGISTER_EVENT:`]

        //
        // First validate the parameters.
        //
        // This case validates by hand instead of through
        // DrvValidateAndAdjustIoctlParameter: only the input length is checked,
        // since the buffer is only read (the notification type) and nothing is
        // reported back through IoStatus.Information.
        //
        if (IrpStack->Parameters.DeviceIoControl.InputBufferLength < SIZEOF_REGISTER_EVENT || Irp->AssociatedIrp.SystemBuffer == NULL)
        {
            Status = STATUS_INVALID_PARAMETER;
            LogError("Err, invalid parameter to IOCTL dispatcher");
            break;
        }

        //
        // IRPs supply a pointer to a buffer at Irp->AssociatedIrp.SystemBuffer.
        // This buffer represents both the input buffer and the output buffer that
        // are specified in calls to DeviceIoControl
        //
        RegisterEventRequest = (PREGISTER_NOTIFY_BUFFER)Irp->AssociatedIrp.SystemBuffer;

        switch (RegisterEventRequest->Type)
        {
        case IRP_BASED:

            //
            // [line elided in the rendered listing — presumably
            //  `LogRegisterIrpBasedNotification(Irp, &Status);`. Per its
            //  description it keeps the IRP pending, so Status is presumably
            //  returned as STATUS_PENDING and the top-level dispatcher must not
            //  complete the IRP — confirm in Logging.c]
            //

            break;
        case EVENT_BASED:

            // [line elided in the rendered listing — presumably
            //  `if (LogRegisterEventBasedNotification(Irp))`]
            {
                Status = STATUS_SUCCESS;
            }
            else
            {
                Status = STATUS_UNSUCCESSFUL;
            }

            break;
        default:
            //
            // Type comes straight from user mode; anything outside the known
            // enum values is rejected rather than treated as a default.
            //
            LogError("Err, unknown notification type from user-mode");
            Status = STATUS_INVALID_PARAMETER;
            break;
        }

        break;

        // [case label elided in the rendered listing — presumably
        //  `case IOCTL_RETURN_IRP_PENDING_PACKETS_AND_DISALLOW_IOCTL:`]

        //
        // Send an immediate end-of-IRPs message to the pending reader. The
        // IOCTL name says further IOCTLs are disallowed afterwards, but that
        // state change is not visible in this listing (see IoctlCheckIoctlAllowed).
        //
        // [line elided in the rendered listing — presumably
        //  `LogCallbackSendBuffer(OPERATION_HYPERVISOR_DRIVER_END_OF_IRPS,`]
                              "$",
                              sizeof(CHAR),
                              TRUE);

        Status = STATUS_SUCCESS;

        break;

    default:
        LogError("Err, unknown IOCTL");
        Status = STATUS_NOT_IMPLEMENTED;
        break;
    }

    return Status;
}
#define STATUS_UNSUCCESSFUL
Definition Windows.h:172
void * PVOID
Definition BasicTypes.h:56
unsigned int UINT32
Definition BasicTypes.h:54
char CHAR
Definition BasicTypes.h:33
unsigned long ULONG
Definition BasicTypes.h:31
#define OPERATION_HYPERVISOR_DRIVER_END_OF_IRPS
Definition Constants.h:388
struct _REGISTER_NOTIFY_BUFFER * PREGISTER_NOTIFY_BUFFER
@ EVENT_BASED
Definition DataTypes.h:288
@ IRP_BASED
Definition DataTypes.h:287
#define SIZEOF_REGISTER_EVENT
Definition Events.h:438
#define IOCTL_INIT_VMM
ioctl, initialize the VMM module
Definition Ioctls.h:100
#define IOCTL_RETURN_IRP_PENDING_PACKETS_AND_DISALLOW_IOCTL
ioctl, irp pending mechanism for reading from message tracing buffers
Definition Ioctls.h:121
#define IOCTL_INIT_HYPERTRACE
ioctl, initialize the HyperTrace module
Definition Ioctls.h:107
#define IOCTL_REGISTER_EVENT
ioctl, register a new event
Definition Ioctls.h:114
struct _DEBUGGER_INIT_VMM_PACKET * PDEBUGGER_INIT_VMM_PACKET
#define SIZEOF_DEBUGGER_INIT_VMM_PACKET
Definition RequestStructures.h:16
struct _DEBUGGER_INIT_HYPERTRACE_PACKET * PDEBUGGER_INIT_HYPERTRACE_PACKET
#define SIZEOF_DEBUGGER_INIT_HYPERTRACE_PACKET
Definition RequestStructures.h:31
IMPORT_EXPORT_HYPERLOG BOOLEAN LogCallbackSendBuffer(_In_ UINT32 OperationCode, _In_reads_bytes_(BufferLength) PVOID Buffer, _In_ UINT32 BufferLength, _In_ BOOLEAN Priority)
routines callback for sending buffer
Definition HyperLogCallback.c:123
IMPORT_EXPORT_HYPERLOG BOOLEAN LogRegisterEventBasedNotification(PVOID TargetIrp)
Create an event-based usermode notifying mechanism.
Definition Logging.c:1594
IMPORT_EXPORT_HYPERLOG BOOLEAN LogRegisterIrpBasedNotification(PVOID TargetIrp, LONG *Status)
Register a new IRP Pending thread which listens for new buffers.
Definition Logging.c:1475
#define LogError(format,...)
Log in the case of error.
Definition HyperDbgHyperLogIntrinsics.h:113
BOOLEAN DrvValidateAndAdjustIoctlParameter(UINT32 BufferSize, PVOID *TargetBuffer, PIRP Irp, PIO_STACK_LOCATION IrpStack, ULONG *InBuffLength, ULONG *OutBuffLength)
Validates and adjusts the parameters of an IOCTL request.
Definition Ioctl.c:26
VOID DrvAdjustStatusAndSetOutputSize(UINT32 ExpectedOutputBufferSize, BOOLEAN *DoNotChangeInformation, PIRP Irp, NTSTATUS *Status)
Adjusts the status and output buffer size for an IOCTL request.
Definition Ioctl.c:72
BOOLEAN LoaderInitDebuggerAndVmm(PDEBUGGER_INIT_VMM_PACKET InitVmmPacket)
Initialize the debugger and the vmm.
Definition Loader.c:302
BOOLEAN LoaderInitHyperTrace(PDEBUGGER_INIT_HYPERTRACE_PACKET InitHyperTracePacket, BOOLEAN RunningOnHypervisorEnvironment)
Initialize the hyper trace module.
Definition Loader.c:21
NOTIFY_TYPE Type
Definition DataTypes.h:312

◆ DrvDispatchHyperTraceIoControl()

NTSTATUS DrvDispatchHyperTraceIoControl ( PIRP Irp,
PIO_STACK_LOCATION IrpStack,
BOOLEAN * DoNotChangeInformation )

IOCTL Dispatcher for HyperTrace IOCTLs.

Parameters
Irp
IrpStack
DoNotChangeInformation
Returns
NTSTATUS
{
    PHYPERTRACE_LBR_OPERATION_PACKETS HyperTraceLbrOperationRequest;
    PHYPERTRACE_LBR_DUMP_PACKETS      HyperTraceLbrdumpRequest;
    PHYPERTRACE_PT_OPERATION_PACKETS  HyperTracePtOperationRequest;
    PHYPERTRACE_PT_MMAP_PACKETS       HyperTracePtMmapRequest;
    ULONG                             InBuffLength;
    ULONG                             OutBuffLength;
    NTSTATUS                          Status = STATUS_SUCCESS;
    UINT32                            Ioctl  = IrpStack->Parameters.DeviceIoControl.IoControlCode;

    //
    // Dispatches one IOCTL from the HyperTrace range (unload, LBR operation
    // and dump, PT operation and mmap). Every handled case ends in
    // DrvAdjustStatusAndSetOutputSize, so the IRP completes with
    // STATUS_SUCCESS regardless of the BOOLEAN each HyperTrace* routine
    // returns — those results are discarded below. An unknown code yields
    // STATUS_NOT_IMPLEMENTED; a packet that fails size validation yields
    // STATUS_INVALID_PARAMETER.
    //
    switch (Ioctl)
    {
        // [case label elided in the rendered listing — presumably
        //  `case IOCTL_PERFORM_HYPERTRACE_UNLOAD:`]

        //
        // Perform the unload of HyperTrace (there is no parameter for this IOCTL)
        //
        // [line elided in the rendered listing — presumably `LoaderUninitHyperTrace();`]

        //
        // Adjust the status and output size
        //
        DrvAdjustStatusAndSetOutputSize(0, DoNotChangeInformation, Irp, &Status);

        break;

        // [case label elided in the rendered listing — presumably
        //  `case IOCTL_PERFORM_HYPERTRACE_LBR_OPERATION:`]

        //
        // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
        //
        // [line elided in the rendered listing — presumably
        //  `if (!DrvValidateAndAdjustIoctlParameter(SIZEOF_HYPERTRACE_LBR_OPERATION_PACKETS,`]
                                                 (PVOID *)&HyperTraceLbrOperationRequest,
                                                 Irp,
                                                 IrpStack,
                                                 &InBuffLength,
                                                 &OutBuffLength))
        {
            Status = STATUS_INVALID_PARAMETER;
            break;
        }

        //
        // Perform the HyperTrace LBR operation (BOOLEAN result discarded)
        //
        HyperTraceLbrPerformOperation(HyperTraceLbrOperationRequest);

        //
        // Adjust the status and output size
        //
        DrvAdjustStatusAndSetOutputSize(SIZEOF_HYPERTRACE_LBR_OPERATION_PACKETS, DoNotChangeInformation, Irp, &Status);

        break;

        // [case label elided in the rendered listing — presumably
        //  `case IOCTL_PERFORM_HYPERTRACE_LBR_DUMP:`]

        //
        // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
        //
        // [line elided in the rendered listing — presumably
        //  `if (!DrvValidateAndAdjustIoctlParameter(SIZEOF_HYPERTRACE_LBR_DUMP_PACKETS,`]
                                                 (PVOID *)&HyperTraceLbrdumpRequest,
                                                 Irp,
                                                 IrpStack,
                                                 &InBuffLength,
                                                 &OutBuffLength))
        {
            Status = STATUS_INVALID_PARAMETER;
            break;
        }

        //
        // Perform the HyperTrace LBR dump operation (BOOLEAN result discarded)
        //
        HyperTraceLbrPerformDump(HyperTraceLbrdumpRequest);

        //
        // Adjust the status and output size
        //
        DrvAdjustStatusAndSetOutputSize(SIZEOF_HYPERTRACE_LBR_DUMP_PACKETS, DoNotChangeInformation, Irp, &Status);

        break;

        // [case label elided in the rendered listing — presumably
        //  `case IOCTL_PERFORM_HYPERTRACE_PT_OPERATION:`]

        //
        // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
        //
        // [line elided in the rendered listing — presumably
        //  `if (!DrvValidateAndAdjustIoctlParameter(SIZEOF_HYPERTRACE_PT_OPERATION_PACKETS,`]
                                                 (PVOID *)&HyperTracePtOperationRequest,
                                                 Irp,
                                                 IrpStack,
                                                 &InBuffLength,
                                                 &OutBuffLength))
        {
            Status = STATUS_INVALID_PARAMETER;
            break;
        }

        //
        // If the caller asked to filter by a process id (and didn't
        // already provide an explicit CR3), resolve the PID to the CR3
        // the PT engine should match here — hyperkd owns the NT_KPROCESS
        // layout, whereas the hypertrace engine only consumes a CR3. The
        // kernel/user CR3 is chosen based on the requested trace mode so
        // it works whether or not KVA shadowing (KPTI) is enabled.
        //
        // The resolved value is written back into the caller's request
        // packet (the IRP system buffer). A non-zero TargetCr3 supplied by
        // user mode is passed through untouched, so any validation of it
        // happens in HyperTracePtPerformOperation rather than here; what
        // DrvResolvePtTargetCr3 returns for a PID that does not exist is not
        // visible in this listing.
        //
        if (HyperTracePtOperationRequest->TargetProcessId != 0 &&
            HyperTracePtOperationRequest->TargetCr3 == 0)
        {
            HyperTracePtOperationRequest->TargetCr3 =
                DrvResolvePtTargetCr3(HyperTracePtOperationRequest->TargetProcessId,
                                      (BOOLEAN)(HyperTracePtOperationRequest->TraceUser != 0),
                                      (BOOLEAN)(HyperTracePtOperationRequest->TraceKernel != 0));
        }

        //
        // Perform the HyperTrace PT operation (BOOLEAN result discarded)
        //
        HyperTracePtPerformOperation(HyperTracePtOperationRequest);

        //
        // Adjust the status and output size
        //
        DrvAdjustStatusAndSetOutputSize(SIZEOF_HYPERTRACE_PT_OPERATION_PACKETS, DoNotChangeInformation, Irp, &Status);

        break;

        // [case label elided in the rendered listing — presumably
        //  `case IOCTL_PERFORM_HYPERTRACE_PT_MMAP:`]

        //
        // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
        //
        // [line elided in the rendered listing — presumably
        //  `if (!DrvValidateAndAdjustIoctlParameter(SIZEOF_HYPERTRACE_PT_MMAP_PACKETS,`]
                                                 (PVOID *)&HyperTracePtMmapRequest,
                                                 Irp,
                                                 IrpStack,
                                                 &InBuffLength,
                                                 &OutBuffLength))
        {
            Status = STATUS_INVALID_PARAMETER;
            break;
        }

        //
        // Map the per-CPU PT output buffers into the calling user process
        // (BOOLEAN result discarded — a failed mapping still completes with
        // STATUS_SUCCESS here)
        //
        HyperTracePtMmap(HyperTracePtMmapRequest);

        //
        // Adjust the status and output size
        //
        DrvAdjustStatusAndSetOutputSize(SIZEOF_HYPERTRACE_PT_MMAP_PACKETS, DoNotChangeInformation, Irp, &Status);

        break;

    default:
        LogError("Err, unknown IOCTL");
        Status = STATUS_NOT_IMPLEMENTED;
        break;
    }

    return Status;
}
UCHAR BOOLEAN
Definition BasicTypes.h:35
#define IOCTL_PERFORM_HYPERTRACE_UNLOAD
ioctl, to unload HyperTrace module
Definition Ioctls.h:400
#define IOCTL_PERFORM_HYPERTRACE_LBR_DUMP
ioctl, to perform HyperTrace LBR dump
Definition Ioctls.h:414
#define IOCTL_PERFORM_HYPERTRACE_PT_OPERATION
ioctl, to perform HyperTrace PT operations
Definition Ioctls.h:421
#define IOCTL_PERFORM_HYPERTRACE_PT_MMAP
ioctl, to map per-CPU HyperTrace PT output buffers into the calling user-mode process....
Definition Ioctls.h:429
#define IOCTL_PERFORM_HYPERTRACE_LBR_OPERATION
ioctl, to perform HyperTrace LBR operations
Definition Ioctls.h:407
#define SIZEOF_HYPERTRACE_LBR_OPERATION_PACKETS
Debugger size of HYPERTRACE_LBR_OPERATION_PACKETS.
Definition RequestStructures.h:1313
struct _HYPERTRACE_PT_OPERATION_PACKETS * PHYPERTRACE_PT_OPERATION_PACKETS
struct _HYPERTRACE_LBR_OPERATION_PACKETS * PHYPERTRACE_LBR_OPERATION_PACKETS
#define SIZEOF_HYPERTRACE_PT_OPERATION_PACKETS
Debugger size of HYPERTRACE_PT_OPERATION_PACKETS.
Definition RequestStructures.h:1412
struct _HYPERTRACE_LBR_DUMP_PACKETS * PHYPERTRACE_LBR_DUMP_PACKETS
#define SIZEOF_HYPERTRACE_LBR_DUMP_PACKETS
Debugger size of HYPERTRACE_LBR_DUMP_PACKETS.
Definition RequestStructures.h:1343
#define SIZEOF_HYPERTRACE_PT_MMAP_PACKETS
Debugger size of HYPERTRACE_PT_MMAP_PACKETS.
Definition RequestStructures.h:1448
struct _HYPERTRACE_PT_MMAP_PACKETS * PHYPERTRACE_PT_MMAP_PACKETS
IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTraceLbrPerformOperation(HYPERTRACE_LBR_OPERATION_PACKETS *LbrOperationRequest)
Perform actions related to HyperTrace LBR operations.
Definition LbrApi.c:527
IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTracePtPerformOperation(HYPERTRACE_PT_OPERATION_PACKETS *PtOperationRequest)
Perform actions related to HyperTrace PT.
Definition PtApi.c:553
IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTraceLbrPerformDump(HYPERTRACE_LBR_DUMP_PACKETS *LbrDumpRequest)
Perform actions related to HyperTrace LBR dumping.
Definition LbrApi.c:457
IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTracePtMmap(HYPERTRACE_PT_MMAP_PACKETS *Req)
Map every per-CPU PT main output + overflow buffer into the calling user-mode process....
Definition PtApi.c:516
VOID LoaderUninitHyperTrace()
Uninitialize the hyper trace module.
Definition Loader.c:341

◆ DrvDispatchIoControl()

NTSTATUS DrvDispatchIoControl ( PDEVICE_OBJECT DeviceObject,
PIRP Irp )

Driver IOCTL Dispatcher.

Parameters
DeviceObject
Irp
Returns
NTSTATUS
{
    UNREFERENCED_PARAMETER(DeviceObject);

    PIO_STACK_LOCATION IrpStack;
    NTSTATUS           Status                 = STATUS_SUCCESS;
    BOOLEAN            DoNotChangeInformation = FALSE;
    UINT32             Ioctl                  = 0;
    ULONG              IoctlFunction          = 0;

    //
    // Entry point for every IOCTL the device receives: gates the request
    // through IoctlCheckIoctlAllowed, routes it by function-code range to one
    // of the four sub-dispatchers, and completes the IRP unless a handler
    // kept it pending. DeviceObject is unused. Returns the status stored in
    // the IRP (or STATUS_PENDING when the IRP was not completed here).
    //

    //
    // Here's the best place to see if there is any allocation pending
    // to be allocated as we're in PASSIVE_LEVEL
    //
    // [call elided in the rendered listing — per the page's reference list,
    //  presumably `PoolManagerCheckAndPerformAllocationAndDeallocation();`]

    //
    // Get the current stack location of the IRP to access the parameters of the IOCTL request
    //
    IrpStack = IoGetCurrentIrpStackLocation(Irp);

    //
    // Get the IOCTL code from the parameters
    //
    Ioctl = IrpStack->Parameters.DeviceIoControl.IoControlCode;

    //
    // If we don't allow IOCTL from user-mode, we just complete the request with success, and return
    //
    // Refused requests are not reported as errors: user mode sees
    // STATUS_SUCCESS with zero bytes of output, so a caller cannot tell
    // "refused" from "nothing to return" by the status alone.
    //
    if (!IoctlCheckIoctlAllowed(Ioctl))
    {
        Irp->IoStatus.Status      = STATUS_SUCCESS;
        Irp->IoStatus.Information = 0;
        IoCompleteRequest(Irp, IO_NO_INCREMENT);

        return STATUS_SUCCESS;
    }

    //
    // Dispatch to the appropriate handler based on the IOCTL range
    //
    // Each family owns the range (base, base + 0x100]; the ranges are only
    // disjoint if the bases in Ioctls.h are at least 0x100 apart, which
    // cannot be checked from this file. CTL_CODE_FUNCTION extracts only the
    // function field, so no other bits of the code take part in routing.
    //
    IoctlFunction = CTL_CODE_FUNCTION(Ioctl);

    if (IoctlFunction > IOCTL_BASIC_IOCTL && IoctlFunction <= IOCTL_BASIC_IOCTL + 0x100)
    {
        Status = DrvDispatchBasicIoControl(Irp, IrpStack, &DoNotChangeInformation);
    }
    else if (IoctlFunction > IOCTL_KD_IOCTL && IoctlFunction <= IOCTL_KD_IOCTL + 0x100)
    {
        Status = DrvDispatchKdIoControl(Irp, IrpStack, &DoNotChangeInformation);
    }
    else if (IoctlFunction > IOCTL_VMM_IOCTL && IoctlFunction <= IOCTL_VMM_IOCTL + 0x100)
    {
        Status = DrvDispatchVmmIoControl(Irp, IrpStack, &DoNotChangeInformation);
    }
    else if (IoctlFunction > IOCTL_HYPERTRACE_IOCTL && IoctlFunction <= IOCTL_HYPERTRACE_IOCTL + 0x100)
    {
        Status = DrvDispatchHyperTraceIoControl(Irp, IrpStack, &DoNotChangeInformation);
    }
    else
    {
        Status = STATUS_NOT_IMPLEMENTED;
    }

    //
    // A handler that returns STATUS_PENDING has kept the IRP (presumably the
    // IRP-based notification registration) and completes it itself later;
    // completing it here as well would be a double completion. For any other
    // status the output length is zeroed unless a handler reported a real
    // size through DrvAdjustStatusAndSetOutputSize, which raises the flag.
    //
    if (Status != STATUS_PENDING)
    {
        Irp->IoStatus.Status = Status;
        if (!DoNotChangeInformation)
        {
            Irp->IoStatus.Information = 0;
        }
        IoCompleteRequest(Irp, IO_NO_INCREMENT);
    }

    return Status;
}
BOOLEAN PoolManagerCheckAndPerformAllocationAndDeallocation()
This function performs allocations from VMX non-root based on g_RequestNewAllocation.
Definition PoolManager.c:320
#define FALSE
Definition BasicTypes.h:113
#define IOCTL_KD_IOCTL
ioctl, for KD (Kernel Debugger) related functionalities
Definition Ioctls.h:78
#define IOCTL_HYPERTRACE_IOCTL
ioctl, for HyperTrace related functionalities
Definition Ioctls.h:90
#define IOCTL_BASIC_IOCTL
ioctl, for basic communication between user-mode and kernel-mode, and for loading and initializing th...
Definition Ioctls.h:72
#define IOCTL_VMM_IOCTL
ioctl, for VMM and debugger related functionalities
Definition Ioctls.h:84
#define CTL_CODE_FUNCTION(Code)
Extract the function from an IOCTL code.
Definition Ioctls.h:60
NTSTATUS DrvDispatchVmmIoControl(PIRP Irp, PIO_STACK_LOCATION IrpStack, BOOLEAN *DoNotChangeInformation)
IOCTL Dispatcher for VMM IOCTLs.
Definition Ioctl.c:398
BOOLEAN IoctlCheckIoctlAllowed(ULONG Ioctl)
Checks whether the IOCTL request is allowed based on the current state of the driver and the system.
Definition Ioctl.c:93
NTSTATUS DrvDispatchKdIoControl(PIRP Irp, PIO_STACK_LOCATION IrpStack, BOOLEAN *DoNotChangeInformation)
IOCTL Dispatcher for KD (Kernel Debugger) IOCTLs.
Definition Ioctl.c:370
NTSTATUS DrvDispatchBasicIoControl(PIRP Irp, PIO_STACK_LOCATION IrpStack, BOOLEAN *DoNotChangeInformation)
IOCTL Dispatcher for Basic IOCTLs (initialization and event registration).
Definition Ioctl.c:214
NTSTATUS DrvDispatchHyperTraceIoControl(PIRP Irp, PIO_STACK_LOCATION IrpStack, BOOLEAN *DoNotChangeInformation)
IOCTL Dispatcher for HyperTrace IOCTLs.
Definition Ioctl.c:1566

◆ DrvDispatchKdIoControl()

NTSTATUS DrvDispatchKdIoControl ( PIRP Irp,
PIO_STACK_LOCATION IrpStack,
BOOLEAN * DoNotChangeInformation )

IOCTL Dispatcher for KD (Kernel Debugger) IOCTLs.

Parameters
Irp
IrpStack
DoNotChangeInformation
Returns
NTSTATUS
{
    UNREFERENCED_PARAMETER(Irp);
    UNREFERENCED_PARAMETER(DoNotChangeInformation);

    //
    // Placeholder dispatcher for the KD IOCTL range: no code is handled
    // yet, so whatever arrives is logged and rejected with
    // STATUS_NOT_IMPLEMENTED. The IRP is left untouched; the top-level
    // dispatcher completes it with the returned status and zero output.
    //
    NTSTATUS Status = STATUS_SUCCESS;
    UINT32   Ioctl  = IrpStack->Parameters.DeviceIoControl.IoControlCode;

    switch (Ioctl)
    {
    default:
        LogError("Err, unknown IOCTL");
        Status = STATUS_NOT_IMPLEMENTED;
        break;
    }

    return Status;
}

◆ DrvDispatchVmmIoControl()

NTSTATUS DrvDispatchVmmIoControl ( PIRP Irp,
PIO_STACK_LOCATION IrpStack,
BOOLEAN * DoNotChangeInformation )

IOCTL Dispatcher for VMM IOCTLs.

Parameters
Irp
IrpStack
DoNotChangeInformation
Returns
NTSTATUS
399{
400 PDEBUGGER_READ_MEMORY DebuggerReadMemRequest;
401 PDEBUGGER_READ_AND_WRITE_ON_MSR DebuggerReadOrWriteMsrRequest;
402 PDEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE DebuggerHideAndUnhideRequest;
404 PDEBUGGER_PAGE_IN_REQUEST DebuggerPageinRequest;
407 PDEBUGGER_VA2PA_AND_PA2VA_COMMANDS DebuggerVa2paAndPa2vaRequest;
408 PDEBUGGER_EDIT_MEMORY DebuggerEditMemoryRequest;
409 PDEBUGGER_SEARCH_MEMORY DebuggerSearchMemoryRequest;
410 PDEBUGGER_GENERAL_EVENT_DETAIL DebuggerNewEventRequest;
411 PDEBUGGER_MODIFY_EVENTS DebuggerModifyEventRequest;
412 PDEBUGGER_FLUSH_LOGGING_BUFFERS DebuggerFlushBuffersRequest;
413 PDEBUGGER_PREALLOC_COMMAND DebuggerReservePreallocPoolRequest;
414 PDEBUGGER_PREACTIVATE_COMMAND DebuggerPreactivationRequest;
415 PDEBUGGER_APIC_REQUEST DebuggerApicRequest;
416 PINTERRUPT_DESCRIPTOR_TABLE_ENTRIES_PACKETS DebuggerQueryIdtRequest;
417 PDEBUGGEE_BP_PACKET DebuggerBreakpointRequest;
418 PDEBUGGER_UD_COMMAND_PACKET DebuggerUdCommandRequest;
419 PUSERMODE_LOADED_MODULE_DETAILS DebuggerUsermodeModulesRequest;
420 PDEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS DebuggerUsermodeProcessOrThreadQueryRequest;
421 PDEBUGGEE_DETAILS_AND_SWITCH_PROCESS_PACKET GetInformationProcessRequest;
423 PDEBUGGEE_DETAILS_AND_SWITCH_THREAD_PACKET GetInformationThreadRequest;
424 PDEBUGGER_PERFORM_KERNEL_TESTS DebuggerKernelTestRequest;
425 PDEBUGGER_SEND_COMMAND_EXECUTION_FINISHED_SIGNAL DebuggerCommandExecutionFinishedRequest;
426 PDEBUGGER_SEND_USERMODE_MESSAGES_TO_DEBUGGER DebuggerSendUsermodeMessageRequest;
427 PDEBUGGEE_SEND_GENERAL_PACKET_FROM_DEBUGGEE_TO_DEBUGGER DebuggerSendBufferFromDebuggeeToDebuggerRequest;
428 PDEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS DebuggerAttachOrDetachToThreadRequest;
429 PDEBUGGER_PREPARE_DEBUGGEE DebuggeeRequest;
430 PDEBUGGER_PAUSE_PACKET_RECEIVED DebuggerPauseKernelRequest;
431 PDEBUGGER_GENERAL_ACTION DebuggerNewActionRequest;
432 PSMI_OPERATION_PACKETS SmiOperationRequest;
433 PVOID BufferToStoreThreadsAndProcessesDetails;
434 ULONG InBuffLength; // Input buffer length
435 ULONG OutBuffLength; // Output buffer length
436 SIZE_T ReturnSize;
437 NTSTATUS Status = STATUS_SUCCESS;
438 UINT32 Ioctl = IrpStack->Parameters.DeviceIoControl.IoControlCode;
439
440 switch (Ioctl)
441 {
443
444 //
445 // Uninitialize the VMM and the debugger
446 //
448
449 Status = STATUS_SUCCESS;
450
451 break;
452
454
455 //
456 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
457 //
459 (PVOID *)&DebuggerReadMemRequest,
460 Irp,
461 IrpStack,
462 &InBuffLength,
463 &OutBuffLength))
464 {
465 Status = STATUS_INVALID_PARAMETER;
466 break;
467 }
468
469 if (DebuggerCommandReadMemory(DebuggerReadMemRequest,
470 ((CHAR *)DebuggerReadMemRequest) + SIZEOF_DEBUGGER_READ_MEMORY,
471 &ReturnSize) == TRUE)
472 {
473 //
474 // Return the header a read bytes
475 //
476 DrvAdjustStatusAndSetOutputSize((UINT32)(ReturnSize + SIZEOF_DEBUGGER_READ_MEMORY), DoNotChangeInformation, Irp, &Status);
477 }
478 else
479 {
480 //
481 // Just return the header to the user-mode
482 //
483 DrvAdjustStatusAndSetOutputSize(SIZEOF_DEBUGGER_READ_MEMORY, DoNotChangeInformation, Irp, &Status);
484 }
485
486 break;
487
489
490 //
491 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
492 //
494 (PVOID *)&DebuggerReadOrWriteMsrRequest,
495 Irp,
496 IrpStack,
497 &InBuffLength,
498 &OutBuffLength))
499 {
500 Status = STATUS_INVALID_PARAMETER;
501 break;
502 }
503
504 //
505 // Both usermode and to send to usermode and the coming buffer are
506 // at the same place
507 //
508 Status = DebuggerReadOrWriteMsr(DebuggerReadOrWriteMsrRequest, (UINT64 *)DebuggerReadOrWriteMsrRequest, &ReturnSize);
509
510 //
511 // Set the size
512 //
513 if (Status == STATUS_SUCCESS)
514 {
515 //
516 // Adjust the status and output size
517 //
518 DrvAdjustStatusAndSetOutputSize((UINT32)ReturnSize, DoNotChangeInformation, Irp, &Status);
519 }
520
521 break;
522
524
525 //
526 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
527 //
529 (PVOID *)&DebuggerPteRequest,
530 Irp,
531 IrpStack,
532 &InBuffLength,
533 &OutBuffLength))
534 {
535 Status = STATUS_INVALID_PARAMETER;
536 break;
537 }
538
539 //
540 // Both usermode and to send to usermode and the coming buffer are
541 // at the same place (it's not in vmx-root)
542 //
543 ExtensionCommandPte(DebuggerPteRequest, FALSE);
544
545 //
546 // Adjust the status and output size
547 //
549
550 break;
551
553
554 //
555 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
556 //
558 (PVOID *)&DebuggerNewEventRequest,
559 Irp,
560 IrpStack,
561 &InBuffLength,
562 &OutBuffLength))
563 {
564 Status = STATUS_INVALID_PARAMETER;
565 break;
566 }
567
568 //
569 // Both usermode and to send to usermode and the coming buffer are
570 // at the same place (not coming from the VMX-root mode)
571 //
572 DebuggerParseEvent(DebuggerNewEventRequest,
573 (PDEBUGGER_EVENT_AND_ACTION_RESULT)Irp->AssociatedIrp.SystemBuffer,
574 FALSE);
575
576 //
577 // Adjust the status and output size
578 //
579 DrvAdjustStatusAndSetOutputSize(sizeof(DEBUGGER_EVENT_AND_ACTION_RESULT), DoNotChangeInformation, Irp, &Status);
580
581 break;
582
584
585 //
586 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
587 //
589 (PVOID *)&DebuggerNewActionRequest,
590 Irp,
591 IrpStack,
592 &InBuffLength,
593 &OutBuffLength))
594 {
595 Status = STATUS_INVALID_PARAMETER;
596 break;
597 }
598
599 //
600 // Both usermode and to send to usermode and the coming buffer are
601 // at the same place
602 //
603 DebuggerParseAction(DebuggerNewActionRequest,
604 (PDEBUGGER_EVENT_AND_ACTION_RESULT)Irp->AssociatedIrp.SystemBuffer,
605 FALSE);
606
607 //
608 // Adjust the status and output size
609 //
610 DrvAdjustStatusAndSetOutputSize(sizeof(DEBUGGER_EVENT_AND_ACTION_RESULT), DoNotChangeInformation, Irp, &Status);
611
612 break;
613
615
616 //
617 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
618 //
620 (PVOID *)&DebuggerHideAndUnhideRequest,
621 Irp,
622 IrpStack,
623 &InBuffLength,
624 &OutBuffLength))
625 {
626 Status = STATUS_INVALID_PARAMETER;
627 break;
628 }
629
630 //
631 // check if it's a !hide or !unhide command
632 //
633 if (DebuggerHideAndUnhideRequest->IsHide == TRUE)
634 {
635 //
636 // It's a hide request
637 //
638 TransparentHideDebuggerWrapper(DebuggerHideAndUnhideRequest);
639 }
640 else
641 {
642 //
643 // It's a unhide request
644 //
645 TransparentUnhideDebuggerWrapper(DebuggerHideAndUnhideRequest);
646 }
647
648 //
649 // Adjust the status and output size
650 //
652
653 break;
654
656
657 //
658 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
659 //
661 (PVOID *)&DebuggerVa2paAndPa2vaRequest,
662 Irp,
663 IrpStack,
664 &InBuffLength,
665 &OutBuffLength))
666 {
667 Status = STATUS_INVALID_PARAMETER;
668 break;
669 }
670
671 //
672 // Both usermode and to send to usermode and the coming buffer are
673 // at the same place (we're not in vmx-root here)
674 //
675 ExtensionCommandVa2paAndPa2va(DebuggerVa2paAndPa2vaRequest, FALSE);
676
677 //
678 // Adjust the status and output size
679 //
681
682 break;
683
685
686 //
687 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
688 //
690 (PVOID *)&DebuggerEditMemoryRequest,
691 Irp,
692 IrpStack,
693 &InBuffLength,
694 &OutBuffLength))
695 {
696 Status = STATUS_INVALID_PARAMETER;
697 break;
698 }
699
700 //
701 // Here we should validate whether the input parameter is
702 // valid or in other words whether we received enough space or not
703 //
704 if (IrpStack->Parameters.DeviceIoControl.InputBufferLength != SIZEOF_DEBUGGER_EDIT_MEMORY + DebuggerEditMemoryRequest->CountOf64Chunks * sizeof(UINT64))
705 {
706 Status = STATUS_INVALID_PARAMETER;
707 break;
708 }
709
710 //
711 // Both usermode and to send to usermode and the coming buffer are
712 // at the same place
713 //
714 DebuggerCommandEditMemory(DebuggerEditMemoryRequest);
715
716 //
717 // Adjust the status and output size
718 //
719 DrvAdjustStatusAndSetOutputSize(SIZEOF_DEBUGGER_EDIT_MEMORY, DoNotChangeInformation, Irp, &Status);
720
721 break;
722
724
725 //
726 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
727 //
729 (PVOID *)&DebuggerSearchMemoryRequest,
730 Irp,
731 IrpStack,
732 &InBuffLength,
733 &OutBuffLength))
734 {
735 Status = STATUS_INVALID_PARAMETER;
736 break;
737 }
738
739 //
740 // The OutBuffLength should have at least MaximumSearchResults * sizeof(UINT64)
741 // free space to store the results
742 //
743 if (OutBuffLength < MaximumSearchResults * sizeof(UINT64))
744 {
745 Status = STATUS_INVALID_PARAMETER;
746 break;
747 }
748
749 //
750 // Here we should validate whether the input parameter is
751 // valid or in other words whether we received enough space or not
752 //
753 if (IrpStack->Parameters.DeviceIoControl.InputBufferLength != SIZEOF_DEBUGGER_SEARCH_MEMORY + DebuggerSearchMemoryRequest->CountOf64Chunks * sizeof(UINT64))
754 {
755 Status = STATUS_INVALID_PARAMETER;
756 break;
757 }
758
759 //
760 // Both usermode and to send to usermode and the coming buffer are
761 // at the same place
762 //
763 if (DebuggerCommandSearchMemory(DebuggerSearchMemoryRequest) != STATUS_SUCCESS)
764 {
765 //
766 // It is because it was not valid in any of the ways to the function
767 // then we're sure that the usermode code won't interpret it's previous
768 // buffer as a valid buffer and will not show it to the user
769 //
770 RtlZeroMemory(DebuggerSearchMemoryRequest, MaximumSearchResults * sizeof(UINT64));
771 }
772
773 //
774 // Configure IRP status, and also we send the results
775 // buffer, with it's null values (if any)
776 //
777 DrvAdjustStatusAndSetOutputSize(MaximumSearchResults * sizeof(UINT64), DoNotChangeInformation, Irp, &Status);
778
779 break;
780
782
783 //
784 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
785 //
787 (PVOID *)&DebuggerModifyEventRequest,
788 Irp,
789 IrpStack,
790 &InBuffLength,
791 &OutBuffLength))
792 {
793 Status = STATUS_INVALID_PARAMETER;
794 break;
795 }
796
797 //
798 // Both usermode and to send to usermode and the coming buffer are
799 // at the same place
800 //
802
803 //
804 // Adjust the status and output size
805 //
806 DrvAdjustStatusAndSetOutputSize(SIZEOF_DEBUGGER_MODIFY_EVENTS, DoNotChangeInformation, Irp, &Status);
807
808 break;
809
811
812 //
813 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
814 //
816 (PVOID *)&DebuggerFlushBuffersRequest,
817 Irp,
818 IrpStack,
819 &InBuffLength,
820 &OutBuffLength))
821 {
822 Status = STATUS_INVALID_PARAMETER;
823 break;
824 }
825
826 //
827 // Perform the flush
828 //
829 DebuggerCommandFlush(DebuggerFlushBuffersRequest);
830
831 //
832 // Adjust the status and output size
833 //
834 DrvAdjustStatusAndSetOutputSize(SIZEOF_DEBUGGER_FLUSH_LOGGING_BUFFERS, DoNotChangeInformation, Irp, &Status);
835
836 break;
837
839
840 //
841 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
842 //
844 (PVOID *)&DebuggerAttachOrDetachToThreadRequest,
845 Irp,
846 IrpStack,
847 &InBuffLength,
848 &OutBuffLength))
849 {
850 Status = STATUS_INVALID_PARAMETER;
851 break;
852 }
853
854 //
855 // Perform the attach to the target process
856 //
857 AttachingTargetProcess(DebuggerAttachOrDetachToThreadRequest);
858
859 //
860 // Adjust the status and output size
861 //
863
864 break;
865
867
868 //
869 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
870 //
872 (PVOID *)&DebuggeeRequest,
873 Irp,
874 IrpStack,
875 &InBuffLength,
876 &OutBuffLength))
877 {
878 Status = STATUS_INVALID_PARAMETER;
879 break;
880 }
881
882 //
883 // Perform the action
884 //
885 SerialConnectionPrepare(DebuggeeRequest);
886
887 //
888 // Adjust the status and output size
889 //
890 DrvAdjustStatusAndSetOutputSize(SIZEOF_DEBUGGER_PREPARE_DEBUGGEE, DoNotChangeInformation, Irp, &Status);
891
892 break;
893
895
896 //
897 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
898 //
900 (PVOID *)&DebuggerPauseKernelRequest,
901 Irp,
902 IrpStack,
903 &InBuffLength,
904 &OutBuffLength))
905 {
906 Status = STATUS_INVALID_PARAMETER;
907 break;
908 }
909
910 //
911 // Perform the action
912 //
913 KdHaltSystem(DebuggerPauseKernelRequest);
914
915 //
916 // Adjust the status and output size
917 //
918 DrvAdjustStatusAndSetOutputSize(SIZEOF_DEBUGGER_PAUSE_PACKET_RECEIVED, DoNotChangeInformation, Irp, &Status);
919
920 break;
921
923
924 //
925 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
926 //
928 (PVOID *)&DebuggerCommandExecutionFinishedRequest,
929 Irp,
930 IrpStack,
931 &InBuffLength,
932 &OutBuffLength))
933 {
934 Status = STATUS_INVALID_PARAMETER;
935 break;
936 }
937
938 //
939 // Perform the signal operation
940 //
941 DebuggerCommandSignalExecutionState(DebuggerCommandExecutionFinishedRequest);
942
943 //
944 // Adjust the status and output size
945 //
947
948 break;
949
951
952 //
953 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
954 //
956 (PVOID *)&DebuggerSendUsermodeMessageRequest,
957 Irp,
958 IrpStack,
959 &InBuffLength,
960 &OutBuffLength))
961 {
962 Status = STATUS_INVALID_PARAMETER;
963 break;
964 }
965
966 //
967 // Second validation phase
968 //
969 if (DebuggerSendUsermodeMessageRequest->Length == NULL_ZERO ||
970 IrpStack->Parameters.DeviceIoControl.InputBufferLength != SIZEOF_DEBUGGER_SEND_USERMODE_MESSAGES_TO_DEBUGGER + DebuggerSendUsermodeMessageRequest->Length)
971 {
972 Status = STATUS_INVALID_PARAMETER;
973 break;
974 }
975
976 //
977 // Perform the signal operation
978 //
979 DebuggerCommandSendMessage(DebuggerSendUsermodeMessageRequest);
980
981 //
982 // Adjust the status and output size
983 //
985
986 break;
987
989
990 //
991 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
992 //
994 (PVOID *)&DebuggerSendBufferFromDebuggeeToDebuggerRequest,
995 Irp,
996 IrpStack,
997 &InBuffLength,
998 &OutBuffLength))
999 {
1000 Status = STATUS_INVALID_PARAMETER;
1001 break;
1002 }
1003
1004 //
1005 // Second validation phase
1006 //
1007 if (DebuggerSendBufferFromDebuggeeToDebuggerRequest->LengthOfBuffer == NULL_ZERO ||
1008 IrpStack->Parameters.DeviceIoControl.InputBufferLength != SIZEOF_DEBUGGEE_SEND_GENERAL_PACKET_FROM_DEBUGGEE_TO_DEBUGGER + DebuggerSendBufferFromDebuggeeToDebuggerRequest->LengthOfBuffer)
1009 {
1010 Status = STATUS_INVALID_PARAMETER;
1011 break;
1012 }
1013
1014 //
1015 // Perform the signal operation
1016 //
1017 DebuggerCommandSendGeneralBufferToDebugger(DebuggerSendBufferFromDebuggeeToDebuggerRequest);
1018
1019 //
1020 // Adjust the status and output size
1021 //
1023
1024 break;
1025
1027
1028 //
1029 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
1030 //
1032 (PVOID *)&DebuggerKernelTestRequest,
1033 Irp,
1034 IrpStack,
1035 &InBuffLength,
1036 &OutBuffLength))
1037 {
1038 Status = STATUS_INVALID_PARAMETER;
1039 break;
1040 }
1041
1042 //
1043 // Perform the kernel-side tests
1044 //
1045 TestKernelPerformTests(DebuggerKernelTestRequest);
1046
1047 //
1048 // Adjust the status and output size
1049 //
1050 DrvAdjustStatusAndSetOutputSize(SIZEOF_DEBUGGER_PERFORM_KERNEL_TESTS, DoNotChangeInformation, Irp, &Status);
1051
1052 break;
1053
1055
1056 //
1057 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
1058 //
1060 (PVOID *)&DebuggerReservePreallocPoolRequest,
1061 Irp,
1062 IrpStack,
1063 &InBuffLength,
1064 &OutBuffLength))
1065 {
1066 Status = STATUS_INVALID_PARAMETER;
1067 break;
1068 }
1069
1070 //
1071 // Perform the reservation pools
1072 //
1073 DebuggerCommandReservePreallocatedPools(DebuggerReservePreallocPoolRequest);
1074
1075 //
1076 // Adjust the status and output size
1077 //
1078 DrvAdjustStatusAndSetOutputSize(SIZEOF_DEBUGGER_PREALLOC_COMMAND, DoNotChangeInformation, Irp, &Status);
1079
1080 break;
1081
1083
1084 //
1085 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
1086 //
1088 (PVOID *)&DebuggerPreactivationRequest,
1089 Irp,
1090 IrpStack,
1091 &InBuffLength,
1092 &OutBuffLength))
1093 {
1094 Status = STATUS_INVALID_PARAMETER;
1095 break;
1096 }
1097
1098 //
1099 // Perform the activation of the functionality
1100 //
1101 DebuggerCommandPreactivateFunctionality(DebuggerPreactivationRequest);
1102
1103 //
1104 // Adjust the status and output size
1105 //
1106 DrvAdjustStatusAndSetOutputSize(SIZEOF_DEBUGGER_PREACTIVATE_COMMAND, DoNotChangeInformation, Irp, &Status);
1107
1108 break;
1109
1111
1112 //
1113 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
1114 //
1116 (PVOID *)&DebuggerApicRequest,
1117 Irp,
1118 IrpStack,
1119 &InBuffLength,
1120 &OutBuffLength))
1121 {
1122 Status = STATUS_INVALID_PARAMETER;
1123 break;
1124 }
1125
1126 //
1127 // Adjust the status and output size
1128 //
1129 DrvAdjustStatusAndSetOutputSize(ExtensionCommandPerformActionsForApicRequests(DebuggerApicRequest), DoNotChangeInformation, Irp, &Status);
1130
1131 break;
1132
1134
1135 //
1136 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
1137 //
1139 (PVOID *)&DebuggerQueryIdtRequest,
1140 Irp,
1141 IrpStack,
1142 &InBuffLength,
1143 &OutBuffLength))
1144 {
1145 Status = STATUS_INVALID_PARAMETER;
1146 break;
1147 }
1148
1149 //
1150 // Perform the query of IDT entries (not from vmx-root)
1151 //
1152 ExtensionCommandPerformQueryIdtEntriesRequest(DebuggerQueryIdtRequest, FALSE);
1153
1154 //
1155 // Adjust the status and output size
1156 //
1158
1159 break;
1160
1162
1163 //
1164 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
1165 //
1167 (PVOID *)&DebuggerBreakpointRequest,
1168 Irp,
1169 IrpStack,
1170 &InBuffLength,
1171 &OutBuffLength))
1172 {
1173 Status = STATUS_INVALID_PARAMETER;
1174 break;
1175 }
1176
1177 //
1178 // Perform setting the breakpoint (for the user mode debugger)
1179 // Switching to the target process memory is needed as we are
1180 // in HyperDbg's process memory layout and we need to switch to
1181 // the target process memory layout to set the breakpoint
1182 //
1183 BreakpointAddNew(DebuggerBreakpointRequest, TRUE);
1184
1185 //
1186 // Adjust the status and output size
1187 //
1188 DrvAdjustStatusAndSetOutputSize(SIZEOF_DEBUGGEE_BP_PACKET, DoNotChangeInformation, Irp, &Status);
1189
1190 break;
1191
1193
1194 //
1195 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
1196 //
1198 (PVOID *)&SmiOperationRequest,
1199 Irp,
1200 IrpStack,
1201 &InBuffLength,
1202 &OutBuffLength))
1203 {
1204 Status = STATUS_INVALID_PARAMETER;
1205 break;
1206 }
1207
1208 //
1209 // Perform the SMI operation (it's not from vmx-root)
1210 //
1211 VmFuncSmmPerformSmiOperation(SmiOperationRequest, FALSE);
1212
1213 //
1214 // Adjust the status and output size
1215 //
1216 DrvAdjustStatusAndSetOutputSize(SIZEOF_SMI_OPERATION_PACKETS, DoNotChangeInformation, Irp, &Status);
1217
1218 break;
1219
1221
1222 //
1223 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
1224 //
1226 (PVOID *)&DebuggerUdCommandRequest,
1227 Irp,
1228 IrpStack,
1229 &InBuffLength,
1230 &OutBuffLength))
1231 {
1232 Status = STATUS_INVALID_PARAMETER;
1233 break;
1234 }
1235
1236 //
1237 // Perform the dispatching of user debugger command
1238 //
1239 UdDispatchUsermodeCommands(DebuggerUdCommandRequest, InBuffLength, OutBuffLength);
1240
1241 //
1242 // Adjust the status and output size
1243 //
1244 DrvAdjustStatusAndSetOutputSize(OutBuffLength, DoNotChangeInformation, Irp, &Status);
1245
1246 break;
1247
1249
1250 OutBuffLength = IrpStack->Parameters.DeviceIoControl.OutputBufferLength;
1251
1252 if (!OutBuffLength)
1253 {
1254 Status = STATUS_INVALID_PARAMETER;
1255 break;
1256 }
1257
1258 //
1259 // Both usermode and to send to usermode is here
1260 //
1261 BufferToStoreThreadsAndProcessesDetails = (PVOID)Irp->AssociatedIrp.SystemBuffer;
1262
1263 //
1264 // Perform the dispatching of user debugger command
1265 //
1266 AttachingQueryDetailsOfActiveDebuggingThreadsAndProcesses(BufferToStoreThreadsAndProcessesDetails, OutBuffLength);
1267
1268 //
1269 // Adjust the status and output size
1270 //
1271 DrvAdjustStatusAndSetOutputSize(OutBuffLength, DoNotChangeInformation, Irp, &Status);
1272
1273 break;
1274
1276
1277 //
1278 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
1279 //
1281 (PVOID *)&DebuggerUsermodeModulesRequest,
1282 Irp,
1283 IrpStack,
1284 &InBuffLength,
1285 &OutBuffLength))
1286 {
1287 Status = STATUS_INVALID_PARAMETER;
1288 break;
1289 }
1290
1291 //
1292 // Getting the modules details
1293 //
1294 UserAccessGetLoadedModules(DebuggerUsermodeModulesRequest, OutBuffLength);
1295
1296 //
1297 // Adjust the status and output size
1298 //
1299 DrvAdjustStatusAndSetOutputSize(OutBuffLength, DoNotChangeInformation, Irp, &Status);
1300
1301 break;
1302
1304
1305 //
1306 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
1307 //
1309 (PVOID *)&DebuggerUsermodeProcessOrThreadQueryRequest,
1310 Irp,
1311 IrpStack,
1312 &InBuffLength,
1313 &OutBuffLength))
1314 {
1315 Status = STATUS_INVALID_PARAMETER;
1316 break;
1317 }
1318
1319 //
1320 // Getting the count result
1321 //
1322 if (DebuggerUsermodeProcessOrThreadQueryRequest->QueryType == DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_QUERY_PROCESS_COUNT)
1323 {
1324 ProcessQueryCount(DebuggerUsermodeProcessOrThreadQueryRequest);
1325 }
1326 else if (DebuggerUsermodeProcessOrThreadQueryRequest->QueryType == DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_QUERY_THREAD_COUNT)
1327 {
1328 ThreadQueryCount(DebuggerUsermodeProcessOrThreadQueryRequest);
1329 }
1330
1331 //
1332 // Adjust the status and output size
1333 //
1335
1336 break;
1337
1339
1340 //
1341 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
1342 //
1344 (PVOID *)&DebuggerUsermodeProcessOrThreadQueryRequest,
1345 Irp,
1346 IrpStack,
1347 &InBuffLength,
1348 &OutBuffLength))
1349 {
1350 Status = STATUS_INVALID_PARAMETER;
1351 break;
1352 }
1353
1354 //
1355 // Getting the list of processes or threads
1356 //
1357 if (DebuggerUsermodeProcessOrThreadQueryRequest->QueryType == DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_QUERY_PROCESS_LIST)
1358 {
1359 ProcessQueryList(DebuggerUsermodeProcessOrThreadQueryRequest,
1360 DebuggerUsermodeProcessOrThreadQueryRequest,
1361 OutBuffLength);
1362 }
1363 else if (DebuggerUsermodeProcessOrThreadQueryRequest->QueryType == DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_QUERY_THREAD_LIST)
1364 {
1365 ThreadQueryList(DebuggerUsermodeProcessOrThreadQueryRequest,
1366 DebuggerUsermodeProcessOrThreadQueryRequest,
1367 OutBuffLength);
1368 }
1369
1370 //
1371 // Adjust the status and output size
1372 //
1373 DrvAdjustStatusAndSetOutputSize(OutBuffLength, DoNotChangeInformation, Irp, &Status);
1374
1375 break;
1376
1378
1379 //
1380 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
1381 //
1383 (PVOID *)&GetInformationThreadRequest,
1384 Irp,
1385 IrpStack,
1386 &InBuffLength,
1387 &OutBuffLength))
1388 {
1389 Status = STATUS_INVALID_PARAMETER;
1390 break;
1391 }
1392
1393 //
1394 // Get the information
1395 //
1396 ThreadQueryDetails(GetInformationThreadRequest);
1397
1398 //
1399 // Adjust the status and output size
1400 //
1402
1403 break;
1404
1406
1407 //
1408 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
1409 //
1411 (PVOID *)&GetInformationProcessRequest,
1412 Irp,
1413 IrpStack,
1414 &InBuffLength,
1415 &OutBuffLength))
1416 {
1417 Status = STATUS_INVALID_PARAMETER;
1418 break;
1419 }
1420
1421 //
1422 // Get the information
1423 //
1424 ProcessQueryDetails(GetInformationProcessRequest);
1425
1426 //
1427 // Adjust the status and output size
1428 //
1430
1431 break;
1432
1434
1435 //
1436 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
1437 //
1439 (PVOID *)&RevServiceRequest,
1440 Irp,
1441 IrpStack,
1442 &InBuffLength,
1443 &OutBuffLength))
1444 {
1445 Status = STATUS_INVALID_PARAMETER;
1446 break;
1447 }
1448
1449 //
1450 // Perform the service request
1451 //
1453
1454 //
1455 // Adjust the status and output size
1456 //
1458
1459 break;
1460
1462
1463 //
1464 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
1465 //
1467 (PVOID *)&DebuggerPageinRequest,
1468 Irp,
1469 IrpStack,
1470 &InBuffLength,
1471 &OutBuffLength))
1472 {
1473 Status = STATUS_INVALID_PARAMETER;
1474 break;
1475 }
1476
1477 //
1478 // Both usermode and to send to usermode and the coming buffer are
1479 // at the same place (it's in VMI-mode)
1480 //
1481 DebuggerCommandBringPagein(DebuggerPageinRequest);
1482
1483 //
1484 // Adjust the status and output size
1485 //
1486 DrvAdjustStatusAndSetOutputSize(SIZEOF_DEBUGGER_PAGE_IN_REQUEST, DoNotChangeInformation, Irp, &Status);
1487
1488 break;
1489
1491
1492 //
1493 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
1494 //
1496 (PVOID *)&PcitreeRequest,
1497 Irp,
1498 IrpStack,
1499 &InBuffLength,
1500 &OutBuffLength))
1501 {
1502 Status = STATUS_INVALID_PARAMETER;
1503 break;
1504 }
1505
1506 //
1507 // Both usermode and to send to usermode and the coming buffer are
1508 // at the same place (it's in VMI-mode)
1509 //
1510 ExtensionCommandPcitree(PcitreeRequest, FALSE);
1511
1512 //
1513 // Adjust the status and output size
1514 //
1516
1517 break;
1518
1520
1521 //
1522 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
1523 //
1525 (PVOID *)&PcidevinfoRequest,
1526 Irp,
1527 IrpStack,
1528 &InBuffLength,
1529 &OutBuffLength))
1530 {
1531 Status = STATUS_INVALID_PARAMETER;
1532 break;
1533 }
1534
1535 //
1536 // Both usermode and to send to usermode and the coming buffer are
1537 // at the same place (it's in VMI-mode)
1538 //
1539 ExtensionCommandPcidevinfo(PcidevinfoRequest, FALSE);
1540
1541 //
1542 // Adjust the status and output size
1543 //
1545
1546 break;
1547
1548 default:
1549 LogError("Err, unknown IOCTL");
1550 Status = STATUS_NOT_IMPLEMENTED;
1551 break;
1552 }
1553
1554 return Status;
1555}

◆ DrvValidateAndAdjustIoctlParameter()

/**
 * @brief Validates and adjusts the parameters of an IOCTL request
 *
 * @details The request is served from the IRP's system buffer
 * (Irp->AssociatedIrp.SystemBuffer). The input must be at least
 * BufferSize bytes long and neither the input nor the output length
 * may be zero. Only the input length is compared against an expected
 * size; the output length is merely required to be non-zero, so a
 * dispatcher that writes a fixed-size result must still check
 * *OutBuffLength against that size before writing.
 *
 * @param BufferSize The expected (minimum) size of the input buffer
 * @param TargetBuffer Output parameter that receives the system buffer
 * of the IRP; written only when validation succeeds
 * @param Irp The IRP representing the IOCTL request
 * @param IrpStack The current stack location of the IRP
 * @param InBuffLength Output parameter to receive the actual input buffer length
 * @param OutBuffLength Output parameter to receive the actual output buffer length
 *
 * @return BOOLEAN TRUE if the parameters are valid, FALSE otherwise
 */
BOOLEAN
DrvValidateAndAdjustIoctlParameter(UINT32             BufferSize,
                                   PVOID *            TargetBuffer,
                                   PIRP               Irp,
                                   PIO_STACK_LOCATION IrpStack,
                                   ULONG *            InBuffLength,
                                   ULONG *            OutBuffLength)
{
    ULONG InputLength  = IrpStack->Parameters.DeviceIoControl.InputBufferLength;
    ULONG OutputLength = IrpStack->Parameters.DeviceIoControl.OutputBufferLength;
    PVOID SystemBuffer = Irp->AssociatedIrp.SystemBuffer;

    //
    // Reject requests whose input is smaller than the structure the
    // dispatcher is about to read, or that carry no buffer at all
    //
    if (InputLength < BufferSize || SystemBuffer == NULL)
    {
        LogError("Err, invalid parameter to IOCTL dispatcher");
        return FALSE;
    }

    //
    // Report the actual lengths; this happens before the zero-length
    // check below, so the caller sees them even on that failure path
    //
    *InBuffLength  = InputLength;
    *OutBuffLength = OutputLength;

    //
    // An empty input or output buffer is rejected (without logging)
    //
    if (InputLength == 0 || OutputLength == 0)
    {
        return FALSE;
    }

    //
    // Hand the system buffer to the caller; validation succeeded
    //
    *TargetBuffer = SystemBuffer;

    return TRUE;
}

◆ IoctlCheckIoctlAllowed()

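/**
 * @brief Tests whether an IOCTL function code falls inside a module's window
 *
 * @details Each module owns the 0x100 function codes directly above its
 * base, i.e. the half-open range (Base, Base + 0x100]; the base itself
 * is not part of the window
 *
 * @param IoctlFunction The function field extracted from the control code
 * @param Base The module's base function code (excluded from the window)
 *
 * @return BOOLEAN TRUE if the function code belongs to the window
 */
static BOOLEAN
IoctlFunctionInWindow(ULONG IoctlFunction, ULONG Base)
{
    return (IoctlFunction > Base && IoctlFunction <= Base + 0x100) ? TRUE : FALSE;
}

/**
 * @brief Checks whether the IOCTL request is allowed based on the current
 * state of the driver and the system
 *
 * @details Only the function field of the control code is inspected
 * here; any policy on the access, method or device-type fields has to
 * be enforced elsewhere. Each module's window of 0x100 function codes
 * is permitted only once that module is initialized, except for the
 * basic (loading/initialization) window, which is always permitted.
 * Codes outside every window are rejected.
 *
 * @param Ioctl The IOCTL code of the request
 *
 * @return BOOLEAN TRUE if the IOCTL request is allowed, FALSE otherwise
 */
BOOLEAN
IoctlCheckIoctlAllowed(ULONG Ioctl)
{
    ULONG IoctlFunction = CTL_CODE_FUNCTION(Ioctl);

    //
    // The first 0x100 IOCTLs are about loading and initializing modules
    //
    if (IoctlFunctionInWindow(IoctlFunction, IOCTL_BASIC_IOCTL))
    {
        //
        // Always allow these IOCTLs even if we don't allow IOCTL from user-mode, because they are used for loading and initializing the driver and its components
        //
        return TRUE;
    }

    //
    // Allow if the KD module is initialized
    //
    if (IoctlFunctionInWindow(IoctlFunction, IOCTL_KD_IOCTL))
    {
        return g_KdInitialized;
    }

    //
    // Allow if the VMM module is initialized
    //
    if (IoctlFunctionInWindow(IoctlFunction, IOCTL_VMM_IOCTL))
    {
        return g_VmmInitialized;
    }

    //
    // Allow if the HyperTrace module is initialized
    //
    if (IoctlFunctionInWindow(IoctlFunction, IOCTL_HYPERTRACE_IOCTL))
    {
        return g_HyperTraceInitialized;
    }

    //
    // For other (unknown) IOCTLs, we don't allow them
    //
    return FALSE;
}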
BOOLEAN g_VmmInitialized
Shows whether the VMM is initialized or not.
Definition Global.h:24
BOOLEAN g_HyperTraceInitialized
Shows whether the hypertrace module is initialized or not.
Definition Global.h:41
BOOLEAN g_KdInitialized
Shows whether the KD module is initialized or not.
Definition Global.h:29