HyperDbg Debugger
Driver.h File Reference

Header for WDK driver functions. More...


Functions

NTSTATUS DriverEntry (PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
 Load & Unload.
VOID DrvUnload (PDRIVER_OBJECT DriverObject)
 Run in the case of driver unload to unregister the devices.
NTSTATUS DrvCreate (PDEVICE_OBJECT DeviceObject, PIRP Irp)
 IRP Major Functions.
NTSTATUS DrvRead (PDEVICE_OBJECT DeviceObject, PIRP Irp)
 IRP_MJ_READ Function handler.
NTSTATUS DrvWrite (PDEVICE_OBJECT DeviceObject, PIRP Irp)
 IRP_MJ_WRITE Function handler.
NTSTATUS DrvClose (PDEVICE_OBJECT DeviceObject, PIRP Irp)
 IRP_MJ_CLOSE Function handler.
NTSTATUS DrvUnsupported (PDEVICE_OBJECT DeviceObject, PIRP Irp)
 Unsupported message for all other IRP_MJ_* handlers.
NTSTATUS DrvDispatchIoControl (PDEVICE_OBJECT DeviceObject, PIRP Irp)
 Driver IOCTL Dispatcher.
NTSTATUS DrvDispatchBasicIoControl (PIRP Irp, PIO_STACK_LOCATION IrpStack, BOOLEAN *DoNotChangeInformation)
 IOCTL Dispatcher for Basic IOCTLs (initialization and event registration).
NTSTATUS DrvDispatchKdIoControl (PIRP Irp, PIO_STACK_LOCATION IrpStack, BOOLEAN *DoNotChangeInformation)
 IOCTL Dispatcher for KD (Kernel Debugger) IOCTLs.
NTSTATUS DrvDispatchVmmIoControl (PIRP Irp, PIO_STACK_LOCATION IrpStack, BOOLEAN *DoNotChangeInformation)
 IOCTL Dispatcher for VMM IOCTLs.
NTSTATUS DrvDispatchHyperTraceIoControl (PIRP Irp, PIO_STACK_LOCATION IrpStack, BOOLEAN *DoNotChangeInformation)
 IOCTL Dispatcher for HyperTrace IOCTLs.

Detailed Description

Header for WDK driver functions.

Author
Sina Karvandi (sina@hyperdbg.org)
Version
0.2
Date
2023-01-13

Function Documentation

◆ DriverEntry()

NTSTATUS DriverEntry ( PDRIVER_OBJECT DriverObject,
PUNICODE_STRING RegistryPath )

Load & Unload.

Main Driver Entry in the case of driver load.

Load & Unload.

Parameters
DriverObject
RegistryPath
Returns
NTSTATUS

Main Driver Entry in the case of driver load.

//
// Driver load entry point.
//
// Creates the control device (\Device\HyperDbgReversingMachineDevice) and its
// \DosDevices symbolic link, installs the IRP_MJ_* handlers and the unload
// routine, and switches the device to buffered I/O.
//
// DriverObject - driver object supplied by the I/O manager; its MajorFunction
//                table and DriverUnload are filled in below.
// RegistryPath - unused.
//
// Returns the status of IoCreateDevice; a failure is handed straight back to
// the I/O manager.
//
// Access-control note: the device is created with plain IoCreateDevice (no
// security descriptor is supplied here), so who may open it is decided by
// DrvCreate, which checks SeDebugPrivilege on IRP_MJ_CREATE.
//
// Listing note: gutter line 48 (the DeviceType argument of IoCreateDevice) is
// not shown on this page; the reference list names FILE_DEVICE_UNKNOWN, which
// is presumably that argument - confirm in Driver.c.
//
26{
27 NTSTATUS Ntstatus = STATUS_SUCCESS;
28 UINT64 Index = 0;
29 PDEVICE_OBJECT DeviceObject = NULL;
30 UNICODE_STRING DriverName = RTL_CONSTANT_STRING(L"\\Device\\HyperDbgReversingMachineDevice");
31 UNICODE_STRING DosDeviceName = RTL_CONSTANT_STRING(L"\\DosDevices\\HyperDbgReversingMachineDevice");
32
33 UNREFERENCED_PARAMETER(RegistryPath);
34 UNREFERENCED_PARAMETER(DriverObject); // stale: DriverObject is used below (harmless, but misleading)
35
36 //
37 // Opt-in to using non-executable pool memory on Windows 8 and later.
38 // https://msdn.microsoft.com/en-us/library/windows/hardware/hh920402(v=vs.85).aspx
39 //
40 ExInitializeDriverRuntime(DrvRtPoolNxOptIn);
41
42 //
43 // Creating the device for interaction with user-mode
44 //
45 Ntstatus = IoCreateDevice(DriverObject,
46 0,
47 &DriverName,
// (gutter line 48, the DeviceType argument, is missing from this listing)
49 FILE_DEVICE_SECURE_OPEN,
50 FALSE,
51 &DeviceObject);
52
53 if (Ntstatus == STATUS_SUCCESS)
54 {
// Every major function first defaults to DrvUnsupported; the handled
// ones are overridden right after.
55 for (Index = 0; Index < IRP_MJ_MAXIMUM_FUNCTION; Index++)
56 DriverObject->MajorFunction[Index] = DrvUnsupported;
57
58 //
59 // We cannot use logging mechanism of HyperDbg as it's not initialized yet
60 //
61 DbgPrint("Setting device major functions");
62
63 DriverObject->MajorFunction[IRP_MJ_CLOSE] = DrvClose;
64 DriverObject->MajorFunction[IRP_MJ_CREATE] = DrvCreate;
65 DriverObject->MajorFunction[IRP_MJ_READ] = DrvRead;
66 DriverObject->MajorFunction[IRP_MJ_WRITE] = DrvWrite;
67 DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DrvDispatchIoControl;
68
69 DriverObject->DriverUnload = DrvUnload;
// NOTE(review): the return value is not checked. If the link cannot be
// created the device exists without its \DosDevices name while
// DriverEntry still reports success.
70 IoCreateSymbolicLink(&DosDeviceName, &DriverName);
71 }
72
73 //
74 // Establish user-buffer access method: with DO_BUFFERED_IO the I/O manager
75 // copies user buffers into Irp->AssociatedIrp.SystemBuffer, which is what
76 // the IOCTL dispatchers read.
77 //
76 if (DeviceObject != NULL)
77 {
78 DeviceObject->Flags |= DO_BUFFERED_IO;
79 }
80
81 //
82 // We cannot use logging mechanism of HyperDbg as it's not initialized yet
83 //
84 DbgPrint("HyperDbg's device and major functions are loaded");
85
86
87 ASSERT(NT_SUCCESS(Ntstatus)); // checked builds only; on free builds the status is simply returned
88 return Ntstatus;
89}
#define FALSE
Definition BasicTypes.h:113
#define FILE_DEVICE_UNKNOWN
Definition Ioctls.h:52
struct _UNICODE_STRING UNICODE_STRING
NTSTATUS DrvWrite(PDEVICE_OBJECT DeviceObject, PIRP Irp)
IRP_MJ_WRITE Function handler.
Definition Driver.c:216
NTSTATUS DrvUnsupported(PDEVICE_OBJECT DeviceObject, PIRP Irp)
Unsupported message for all other IRP_MJ_* handlers.
Definition Driver.c:266
NTSTATUS DrvRead(PDEVICE_OBJECT DeviceObject, PIRP Irp)
IRP_MJ_READ Function handler.
Definition Driver.c:192
NTSTATUS DrvClose(PDEVICE_OBJECT DeviceObject, PIRP Irp)
IRP_MJ_CLOSE Function handler.
Definition Driver.c:240
VOID DrvUnload(PDRIVER_OBJECT DriverObject)
Run in the case of driver unload to unregister the devices.
Definition Driver.c:98
NTSTATUS DrvCreate(PDEVICE_OBJECT DeviceObject, PIRP Irp)
IRP_MJ_CREATE Function handler.
Definition Driver.c:120
NTSTATUS DrvDispatchIoControl(PDEVICE_OBJECT DeviceObject, PIRP Irp)
Driver IOCTL Dispatcher.
Definition Ioctl.c:23
NULL()
Definition test-case-generator.py:530

◆ DrvClose()

NTSTATUS DrvClose ( PDEVICE_OBJECT DeviceObject,
PIRP Irp )

IRP_MJ_CLOSE Function handler.

Parameters
DeviceObject
Irp
Returns
NTSTATUS
//
// IRP_MJ_CLOSE handler.
//
// Completes the IRP with STATUS_SUCCESS and no output bytes. DeviceObject is
// unused.
//
// Listing note: gutter line 249 is not shown on this page; the reference list
// points at g_HandleInUse, so presumably the single-handle flag is reset
// there - confirm in Driver.c.
//
241{
242 UNREFERENCED_PARAMETER(DeviceObject);
243
244 //
245 // A close means that no IOCTL is still pending, so it is safe to
246 // allow a new handle to be created for future calls to the driver
247 //
248 //
// (gutter line 249 is missing from this listing)
250
251 Irp->IoStatus.Status = STATUS_SUCCESS;
252 Irp->IoStatus.Information = 0;
253 IoCompleteRequest(Irp, IO_NO_INCREMENT);
254
255 return STATUS_SUCCESS;
256}
BOOLEAN g_HandleInUse
Determines whether the one application gets the handle or not this is used to ensure that only one ap...
Definition Global.h:18

◆ DrvCreate()

NTSTATUS DrvCreate ( PDEVICE_OBJECT DeviceObject,
PIRP Irp )

IRP Major Functions.

IRP_MJ_CREATE Function handler.

IRP Major Functions.

Parameters
DeviceObject
Irp
Returns
NTSTATUS

IRP_MJ_CREATE Function handler.

//
// IRP_MJ_CREATE handler.
//
// Gate on opening the control device: the requestor must hold
// SeDebugPrivilege, after which the VMM / reversing machine is initialized
// (unless a handle is already in use).
//
// DeviceObject - unused.
// Irp          - the create IRP; always completed here.
//
// Returns STATUS_ACCESS_DENIED when the privilege check fails,
// STATUS_UNSUCCESSFUL when initialization fails, STATUS_SUCCESS otherwise.
//
// Listing note: gutter line 163 is not shown on this page; from the
// reference list it is presumably `if (LoaderInitVmmAndReversingMachine())`
// - confirm in Driver.c. Where g_HandleInUse is set to TRUE is also not
// visible here.
//
121{
122 UNREFERENCED_PARAMETER(DeviceObject);
123
124 //
125 // Check for privilege
126 //
127 // Check for the correct security access.
128 // The caller must have the SeDebugPrivilege.
129 //
130
131 LUID DebugPrivilege = {SE_DEBUG_PRIVILEGE, 0};
132
// The check is made against the requestor's mode; a kernel-mode opener
// is not subject to the privilege test.
133 if (!SeSinglePrivilegeCheck(DebugPrivilege, Irp->RequestorMode))
134 {
135 Irp->IoStatus.Status = STATUS_ACCESS_DENIED;
136 Irp->IoStatus.Information = 0;
137 IoCompleteRequest(Irp, IO_NO_INCREMENT);
138
139 return STATUS_ACCESS_DENIED;
140 }
141
142 //
143 // Only one handle is meant to be active at a time: once an
144 // application holds it, another application is not supposed to get
145 // a new one until IRP_MJ_CLOSE has been called.
146 //
147 //
// NOTE(review): the flag is read without any interlock visible here;
// confirm that concurrent IRP_MJ_CREATE requests are serialized elsewhere.
148 if (g_HandleInUse)
149 {
150 //
151 // A handle was already granted. NOTE(review): the IRP is nevertheless
152 // completed with STATUS_SUCCESS, so this second open does receive a
// handle - only the initialization below is skipped.
// //
153 Irp->IoStatus.Status = STATUS_SUCCESS;
154 Irp->IoStatus.Information = 0;
155 IoCompleteRequest(Irp, IO_NO_INCREMENT);
156
157 return STATUS_SUCCESS;
158 }
159
160 //
161 // Initialize the vmm and the reversing machine
162 //
// (gutter line 163, the condition of this if/else, is missing from this listing)
164 {
165 Irp->IoStatus.Status = STATUS_SUCCESS;
166 Irp->IoStatus.Information = 0;
167 IoCompleteRequest(Irp, IO_NO_INCREMENT);
168
169 return STATUS_SUCCESS;
170 }
171 else
172 {
173 //
174 // There was a problem, so not loaded
175 //
176 Irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
177 Irp->IoStatus.Information = 0;
178 IoCompleteRequest(Irp, IO_NO_INCREMENT);
179
180 return STATUS_UNSUCCESSFUL;
181 }
182}
#define STATUS_UNSUCCESSFUL
Definition Windows.h:172
BOOLEAN LoaderInitVmmAndReversingMachine()
Initialize the VMM and Reversing Machine.
Definition Loader.c:19

◆ DrvDispatchBasicIoControl()

NTSTATUS DrvDispatchBasicIoControl ( PIRP Irp,
PIO_STACK_LOCATION IrpStack,
BOOLEAN * DoNotChangeInformation )

IOCTL Dispatcher for Basic IOCTLs (initialization and event registration).

Parameters
Irp
IrpStack
DoNotChangeInformation
Returns
NTSTATUS
//
// Dispatcher for the "basic" IOCTLs: VMM init, HyperTrace init, event
// registration and the end-of-IRPs signal.
//
// Irp                    - the device-control IRP (buffered I/O, so the
//                          request lives in Irp->AssociatedIrp.SystemBuffer)
// IrpStack               - current stack location; the control code and
//                          buffer lengths are read from it
// DoNotChangeInformation - passed through to DrvAdjustStatusAndSetOutputSize
//
// Returns the NTSTATUS the caller should complete the IRP with
// (STATUS_NOT_IMPLEMENTED for unknown control codes, STATUS_INVALID_PARAMETER
// when buffer validation fails).
//
// Listing note: several gutter lines are not shown on this page (231, 264,
// 269, 292, 315, 320, 338, 343). From the reference list they are presumably
// the remaining case labels (IOCTL_INIT_HYPERTRACE, IOCTL_REGISTER_EVENT,
// IOCTL_RETURN_IRP_PENDING_PACKETS_AND_DISALLOW_IOCTL), the
// DrvValidateAndAdjustIoctlParameter calls, the LogRegister*Notification
// calls and the LogCallbackSendBuffer call - confirm in Ioctl.c.
//
215{
216 PREGISTER_NOTIFY_BUFFER RegisterEventRequest;
217 PDEBUGGER_INIT_VMM_PACKET InitVmmRequest;
218 PDEBUGGER_INIT_HYPERTRACE_PACKET InitHyperTraceRequest;
219 ULONG InBuffLength; // written by the validator; not read again in this function
220 ULONG OutBuffLength; // written by the validator; not read again in this function
221 NTSTATUS Status = STATUS_SUCCESS;
222 UINT32 Ioctl = IrpStack->Parameters.DeviceIoControl.IoControlCode;
223
224 switch (Ioctl)
225 {
226 case IOCTL_INIT_VMM:
227
228 //
229 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
230 //
// (gutter line 231, the start of the DrvValidateAndAdjustIoctlParameter call, is missing)
232 (PVOID *)&InitVmmRequest,
233 Irp,
234 IrpStack,
235 &InBuffLength,
236 &OutBuffLength))
237 {
238 Status = STATUS_INVALID_PARAMETER;
239 break;
240 }
241
242 //
243 // Initialize the debugger and the vmm
244 //
245 if (LoaderInitDebuggerAndVmm(InitVmmRequest))
246 {
247 Status = STATUS_SUCCESS;
248 }
249 else
250 {
251 //
252 // There was a problem, so not loaded
253 //
254 Status = STATUS_UNSUCCESSFUL;
255 }
256
257 //
258 // Adjust the status and output size
259 //
260 DrvAdjustStatusAndSetOutputSize(SIZEOF_DEBUGGER_INIT_VMM_PACKET, DoNotChangeInformation, Irp, &Status);
261
262 break;
263
// (gutter line 264, presumably `case IOCTL_INIT_HYPERTRACE:`, is missing)
265
266 //
267 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
268 //
// (gutter line 269, the start of the DrvValidateAndAdjustIoctlParameter call, is missing)
270 (PVOID *)&InitHyperTraceRequest,
271 Irp,
272 IrpStack,
273 &InBuffLength,
274 &OutBuffLength))
275 {
276 Status = STATUS_INVALID_PARAMETER;
277 break;
278 }
279
280 //
281 // Initialize the HyperTrace (if supported by the processor)
282 //
283 LoaderInitHyperTrace(InitHyperTraceRequest, TRUE); // NOTE(review): BOOLEAN result discarded; unlike the VMM case above, a failure here does not change Status
284
285 //
286 // Adjust the status and output size
287 //
288 DrvAdjustStatusAndSetOutputSize(SIZEOF_DEBUGGER_INIT_HYPERTRACE_PACKET, DoNotChangeInformation, Irp, &Status);
289
290 break;
291
// (gutter line 292, presumably `case IOCTL_REGISTER_EVENT:`, is missing)
293
294 //
295 // First validate the parameters: the system buffer must exist and be
296 // at least SIZEOF_REGISTER_EVENT bytes before it is dereferenced below.
296 //
297 if (IrpStack->Parameters.DeviceIoControl.InputBufferLength < SIZEOF_REGISTER_EVENT || Irp->AssociatedIrp.SystemBuffer == NULL)
298 {
299 Status = STATUS_INVALID_PARAMETER;
300 LogError("Err, invalid parameter to IOCTL dispatcher");
301 break;
302 }
303
304 //
305 // IRPs supply a pointer to a buffer at Irp->AssociatedIrp.SystemBuffer.
306 // This buffer represents both the input buffer and the output buffer that
307 // are specified in calls to DeviceIoControl
308 //
309 RegisterEventRequest = (PREGISTER_NOTIFY_BUFFER)Irp->AssociatedIrp.SystemBuffer;
310
311 switch (RegisterEventRequest->Type)
312 {
313 case IRP_BASED:
314
// (gutter line 315 is missing; presumably LogRegisterIrpBasedNotification(Irp, &Status),
// which takes a LONG *Status and therefore sets Status itself)
316
317 break;
318 case EVENT_BASED:
319
// (gutter line 320 is missing; presumably `if (LogRegisterEventBasedNotification(Irp))`)
321 {
322 Status = STATUS_SUCCESS;
323 }
324 else
325 {
326 Status = STATUS_UNSUCCESSFUL;
327 }
328
329 break;
330 default:
331 LogError("Err, unknown notification type from user-mode");
332 Status = STATUS_INVALID_PARAMETER;
333 break;
334 }
335
336 break;
337
// (gutter line 338, presumably `case IOCTL_RETURN_IRP_PENDING_PACKETS_AND_DISALLOW_IOCTL:`, is missing)
339
340 //
341 // Send an immediate message; we no longer get new IRPs
342 //
// (gutter line 343, the start of the LogCallbackSendBuffer call, is missing)
344 "$",
345 sizeof(CHAR),
346 TRUE);
347
348 Status = STATUS_SUCCESS;
349
350 break;
351
352 default:
353 LogError("Err, unknown IOCTL");
354 Status = STATUS_NOT_IMPLEMENTED;
355 break;
356 }
357
358 return Status;
359}
void * PVOID
Definition BasicTypes.h:56
#define TRUE
Definition BasicTypes.h:114
unsigned int UINT32
Definition BasicTypes.h:54
char CHAR
Definition BasicTypes.h:33
unsigned long ULONG
Definition BasicTypes.h:31
#define OPERATION_HYPERVISOR_DRIVER_END_OF_IRPS
Definition Constants.h:388
struct _REGISTER_NOTIFY_BUFFER * PREGISTER_NOTIFY_BUFFER
@ EVENT_BASED
Definition DataTypes.h:288
@ IRP_BASED
Definition DataTypes.h:287
#define SIZEOF_REGISTER_EVENT
Definition Events.h:438
#define IOCTL_INIT_VMM
ioctl, initialize the VMM module
Definition Ioctls.h:100
#define IOCTL_RETURN_IRP_PENDING_PACKETS_AND_DISALLOW_IOCTL
ioctl, irp pending mechanism for reading from message tracing buffers
Definition Ioctls.h:121
#define IOCTL_INIT_HYPERTRACE
ioctl, initialize the HyperTrace module
Definition Ioctls.h:107
#define IOCTL_REGISTER_EVENT
ioctl, register a new event
Definition Ioctls.h:114
struct _DEBUGGER_INIT_VMM_PACKET * PDEBUGGER_INIT_VMM_PACKET
#define SIZEOF_DEBUGGER_INIT_VMM_PACKET
Definition RequestStructures.h:16
struct _DEBUGGER_INIT_HYPERTRACE_PACKET * PDEBUGGER_INIT_HYPERTRACE_PACKET
#define SIZEOF_DEBUGGER_INIT_HYPERTRACE_PACKET
Definition RequestStructures.h:31
IMPORT_EXPORT_HYPERLOG BOOLEAN LogCallbackSendBuffer(_In_ UINT32 OperationCode, _In_reads_bytes_(BufferLength) PVOID Buffer, _In_ UINT32 BufferLength, _In_ BOOLEAN Priority)
routines callback for sending buffer
Definition HyperLogCallback.c:123
IMPORT_EXPORT_HYPERLOG BOOLEAN LogRegisterEventBasedNotification(PVOID TargetIrp)
Create an event-based usermode notifying mechanism.
Definition Logging.c:1594
IMPORT_EXPORT_HYPERLOG BOOLEAN LogRegisterIrpBasedNotification(PVOID TargetIrp, LONG *Status)
Register a new IRP Pending thread which listens for new buffers.
Definition Logging.c:1475
#define LogError(format,...)
Log in the case of error.
Definition HyperDbgHyperLogIntrinsics.h:113
BOOLEAN DrvValidateAndAdjustIoctlParameter(UINT32 BufferSize, PVOID *TargetBuffer, PIRP Irp, PIO_STACK_LOCATION IrpStack, ULONG *InBuffLength, ULONG *OutBuffLength)
Validates and adjusts the parameters of an IOCTL request.
Definition Ioctl.c:26
VOID DrvAdjustStatusAndSetOutputSize(UINT32 ExpectedOutputBufferSize, BOOLEAN *DoNotChangeInformation, PIRP Irp, NTSTATUS *Status)
Adjusts the status and output buffer size for an IOCTL request.
Definition Ioctl.c:72
BOOLEAN LoaderInitDebuggerAndVmm(PDEBUGGER_INIT_VMM_PACKET InitVmmPacket)
Initialize the debugger and the vmm.
Definition Loader.c:302
BOOLEAN LoaderInitHyperTrace(PDEBUGGER_INIT_HYPERTRACE_PACKET InitHyperTracePacket, BOOLEAN RunningOnHypervisorEnvironment)
Initialize the hyper trace module.
Definition Loader.c:21
NOTIFY_TYPE Type
Definition DataTypes.h:312

◆ DrvDispatchHyperTraceIoControl()

NTSTATUS DrvDispatchHyperTraceIoControl ( PIRP Irp,
PIO_STACK_LOCATION IrpStack,
BOOLEAN * DoNotChangeInformation )

IOCTL Dispatcher for HyperTrace IOCTLs.

Parameters
Irp
IrpStack
DoNotChangeInformation
Returns
NTSTATUS
//
// Dispatcher for the HyperTrace IOCTLs (unload, LBR operation / dump, PT
// operation, PT output-buffer mmap).
//
// Irp                    - the device-control IRP (buffered I/O)
// IrpStack               - current stack location; the control code is read
//                          from it
// DoNotChangeInformation - passed through to DrvAdjustStatusAndSetOutputSize
//
// Returns the NTSTATUS the caller should complete the IRP with
// (STATUS_NOT_IMPLEMENTED for unknown control codes, STATUS_INVALID_PARAMETER
// when buffer validation fails).
//
// Listing note: the case labels (gutter lines 1579, 1593, 1621, 1649, 1694),
// the DrvValidateAndAdjustIoctlParameter call heads (1598, 1626, 1654, 1699)
// and line 1584 are not shown on this page; from the reference list they are
// presumably IOCTL_PERFORM_HYPERTRACE_UNLOAD / _LBR_OPERATION / _LBR_DUMP /
// _PT_OPERATION / _PT_MMAP and a LoaderUninitHyperTrace() call - confirm in
// Ioctl.c.
//
1567{
1568 PHYPERTRACE_LBR_OPERATION_PACKETS HyperTraceLbrOperationRequest;
1569 PHYPERTRACE_LBR_DUMP_PACKETS HyperTraceLbrdumpRequest;
1570 PHYPERTRACE_PT_OPERATION_PACKETS HyperTracePtOperationRequest;
1571 PHYPERTRACE_PT_MMAP_PACKETS HyperTracePtMmapRequest;
1572 ULONG InBuffLength; // written by the validator; not read again in this function
1573 ULONG OutBuffLength; // written by the validator; not read again in this function
1574 NTSTATUS Status = STATUS_SUCCESS;
1575 UINT32 Ioctl = IrpStack->Parameters.DeviceIoControl.IoControlCode;
1576
1577 switch (Ioctl)
1578 {
// (gutter line 1579, presumably `case IOCTL_PERFORM_HYPERTRACE_UNLOAD:`, is missing)
1580
1581 //
1582 // Perform the unload of HyperTrace (there is no parameter for this IOCTL)
1583 //
// (gutter line 1584, presumably `LoaderUninitHyperTrace();`, is missing)
1585
1586 //
1587 // Adjust the status and output size
1588 //
1589 DrvAdjustStatusAndSetOutputSize(0, DoNotChangeInformation, Irp, &Status);
1590
1591 break;
1592
// (gutter line 1593, presumably `case IOCTL_PERFORM_HYPERTRACE_LBR_OPERATION:`, is missing)
1594
1595 //
1596 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
1597 //
// (gutter line 1598, the start of the DrvValidateAndAdjustIoctlParameter call, is missing)
1599 (PVOID *)&HyperTraceLbrOperationRequest,
1600 Irp,
1601 IrpStack,
1602 &InBuffLength,
1603 &OutBuffLength))
1604 {
1605 Status = STATUS_INVALID_PARAMETER;
1606 break;
1607 }
1608
1609 //
1610 // Perform the HyperTrace LBR operation
1611 //
1612 HyperTraceLbrPerformOperation(HyperTraceLbrOperationRequest); // NOTE(review): BOOLEAN result discarded; Status stays as set unless DrvAdjustStatusAndSetOutputSize changes it
1613
1614 //
1615 // Adjust the status and output size
1616 //
1617 DrvAdjustStatusAndSetOutputSize(SIZEOF_HYPERTRACE_LBR_OPERATION_PACKETS, DoNotChangeInformation, Irp, &Status);
1618
1619 break;
1620
// (gutter line 1621, presumably `case IOCTL_PERFORM_HYPERTRACE_LBR_DUMP:`, is missing)
1622
1623 //
1624 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
1625 //
// (gutter line 1626, the start of the DrvValidateAndAdjustIoctlParameter call, is missing)
1627 (PVOID *)&HyperTraceLbrdumpRequest,
1628 Irp,
1629 IrpStack,
1630 &InBuffLength,
1631 &OutBuffLength))
1632 {
1633 Status = STATUS_INVALID_PARAMETER;
1634 break;
1635 }
1636
1637 //
1638 // Perform the HyperTrace LBR dump operation
1639 //
1640 HyperTraceLbrPerformDump(HyperTraceLbrdumpRequest); // NOTE(review): BOOLEAN result discarded (same as the LBR operation case)
1641
1642 //
1643 // Adjust the status and output size
1644 //
1645 DrvAdjustStatusAndSetOutputSize(SIZEOF_HYPERTRACE_LBR_DUMP_PACKETS, DoNotChangeInformation, Irp, &Status);
1646
1647 break;
1648
// (gutter line 1649, presumably `case IOCTL_PERFORM_HYPERTRACE_PT_OPERATION:`, is missing)
1650
1651 //
1652 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
1653 //
// (gutter line 1654, the start of the DrvValidateAndAdjustIoctlParameter call, is missing)
1655 (PVOID *)&HyperTracePtOperationRequest,
1656 Irp,
1657 IrpStack,
1658 &InBuffLength,
1659 &OutBuffLength))
1660 {
1661 Status = STATUS_INVALID_PARAMETER;
1662 break;
1663 }
1664
1665 //
1666 // If the caller asked to filter by a process id (and didn't
1667 // already provide an explicit CR3), resolve the PID to the CR3
1668 // the PT engine should match here — hyperkd owns the NT_KPROCESS
1669 // layout, whereas the hypertrace engine only consumes a CR3. The
1670 // kernel/user CR3 is chosen based on the requested trace mode so
1671 // it works whether or not KVA shadowing (KPTI) is enabled.
1672 //
// NOTE(review): TargetProcessId and TargetCr3 come straight from the
// user-mode request buffer. A caller that supplies a non-zero TargetCr3
// bypasses the PID resolution and that value is forwarded as-is; the only
// gate on who can reach this path is the SeDebugPrivilege check in
// DrvCreate. DrvResolvePtTargetCr3 is not in this page's reference list -
// presumably a hyperkd-internal helper; its behaviour on an unknown PID is
// not visible here.
1673 if (HyperTracePtOperationRequest->TargetProcessId != 0 &&
1674 HyperTracePtOperationRequest->TargetCr3 == 0)
1675 {
1676 HyperTracePtOperationRequest->TargetCr3 =
1677 DrvResolvePtTargetCr3(HyperTracePtOperationRequest->TargetProcessId,
1678 (BOOLEAN)(HyperTracePtOperationRequest->TraceUser != 0),
1679 (BOOLEAN)(HyperTracePtOperationRequest->TraceKernel != 0));
1680 }
1681
1682 //
1683 // Perform the HyperTrace PT operation
1684 //
1685 HyperTracePtPerformOperation(HyperTracePtOperationRequest); // NOTE(review): BOOLEAN result discarded
1686
1687 //
1688 // Adjust the status and output size
1689 //
1690 DrvAdjustStatusAndSetOutputSize(SIZEOF_HYPERTRACE_PT_OPERATION_PACKETS, DoNotChangeInformation, Irp, &Status);
1691
1692 break;
1693
// (gutter line 1694, presumably `case IOCTL_PERFORM_HYPERTRACE_PT_MMAP:`, is missing)
1695
1696 //
1697 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
1698 //
// (gutter line 1699, the start of the DrvValidateAndAdjustIoctlParameter call, is missing)
1700 (PVOID *)&HyperTracePtMmapRequest,
1701 Irp,
1702 IrpStack,
1703 &InBuffLength,
1704 &OutBuffLength))
1705 {
1706 Status = STATUS_INVALID_PARAMETER;
1707 break;
1708 }
1709
1710 //
1711 // Map the per-CPU PT output buffers into the calling user process
1712 //
1713 HyperTracePtMmap(HyperTracePtMmapRequest); // NOTE(review): BOOLEAN result discarded; a failed mapping is not reflected in Status here
1714
1715 //
1716 // Adjust the status and output size
1717 //
1718 DrvAdjustStatusAndSetOutputSize(SIZEOF_HYPERTRACE_PT_MMAP_PACKETS, DoNotChangeInformation, Irp, &Status);
1719
1720 break;
1721
1722 default:
1723 LogError("Err, unknown IOCTL");
1724 Status = STATUS_NOT_IMPLEMENTED;
1725 break;
1726 }
1727
1728 return Status;
1729}
UCHAR BOOLEAN
Definition BasicTypes.h:35
#define IOCTL_PERFORM_HYPERTRACE_UNLOAD
ioctl, to unload HyperTrace module
Definition Ioctls.h:400
#define IOCTL_PERFORM_HYPERTRACE_LBR_DUMP
ioctl, to perform HyperTrace LBR dump
Definition Ioctls.h:414
#define IOCTL_PERFORM_HYPERTRACE_PT_OPERATION
ioctl, to perform HyperTrace PT operations
Definition Ioctls.h:421
#define IOCTL_PERFORM_HYPERTRACE_PT_MMAP
ioctl, to map per-CPU HyperTrace PT output buffers into the calling user-mode process....
Definition Ioctls.h:429
#define IOCTL_PERFORM_HYPERTRACE_LBR_OPERATION
ioctl, to perform HyperTrace LBR operations
Definition Ioctls.h:407
#define SIZEOF_HYPERTRACE_LBR_OPERATION_PACKETS
Debugger size of HYPERTRACE_LBR_OPERATION_PACKETS.
Definition RequestStructures.h:1313
struct _HYPERTRACE_PT_OPERATION_PACKETS * PHYPERTRACE_PT_OPERATION_PACKETS
struct _HYPERTRACE_LBR_OPERATION_PACKETS * PHYPERTRACE_LBR_OPERATION_PACKETS
#define SIZEOF_HYPERTRACE_PT_OPERATION_PACKETS
Debugger size of HYPERTRACE_PT_OPERATION_PACKETS.
Definition RequestStructures.h:1412
struct _HYPERTRACE_LBR_DUMP_PACKETS * PHYPERTRACE_LBR_DUMP_PACKETS
#define SIZEOF_HYPERTRACE_LBR_DUMP_PACKETS
Debugger size of HYPERTRACE_LBR_DUMP_PACKETS.
Definition RequestStructures.h:1343
#define SIZEOF_HYPERTRACE_PT_MMAP_PACKETS
Debugger size of HYPERTRACE_PT_MMAP_PACKETS.
Definition RequestStructures.h:1448
struct _HYPERTRACE_PT_MMAP_PACKETS * PHYPERTRACE_PT_MMAP_PACKETS
IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTraceLbrPerformOperation(HYPERTRACE_LBR_OPERATION_PACKETS *LbrOperationRequest)
Perform actions related to HyperTrace LBR operations.
Definition LbrApi.c:527
IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTracePtPerformOperation(HYPERTRACE_PT_OPERATION_PACKETS *PtOperationRequest)
Perform actions related to HyperTrace PT.
Definition PtApi.c:553
IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTraceLbrPerformDump(HYPERTRACE_LBR_DUMP_PACKETS *LbrDumpRequest)
Perform actions related to HyperTrace LBR dumping.
Definition LbrApi.c:457
IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTracePtMmap(HYPERTRACE_PT_MMAP_PACKETS *Req)
Map every per-CPU PT main output + overflow buffer into the calling user-mode process....
Definition PtApi.c:516
VOID LoaderUninitHyperTrace()
Uninitialize the hyper trace module.
Definition Loader.c:341

◆ DrvDispatchIoControl()

NTSTATUS DrvDispatchIoControl ( PDEVICE_OBJECT DeviceObject,
PIRP Irp )

Driver IOCTL Dispatcher.

Parameters
DeviceObject
Irp
Returns
NTSTATUS
//
// IRP_MJ_DEVICE_CONTROL handler.
//
// DeviceObject - unused.
// Irp          - the device-control IRP. It is completed here unless the
//                resulting status is STATUS_PENDING, in which case the
//                registered notification path owns its completion.
//
// Returns the status the IRP was completed with (or STATUS_PENDING).
//
// Listing note: gutter lines 39, 45, 68 and 73 are not shown on this page.
// Line 39 is the condition that guards IOCTL service (the reference list
// points at g_VmmInitialized), line 45 is presumably the
// IOCTL_REGISTER_EVENT case label, and lines 68/73 are presumably the
// LogRegisterIrpBasedNotification / LogRegisterEventBasedNotification calls -
// confirm in Ioctl.c.
//
24{
25 PIO_STACK_LOCATION IrpStack;
26 PREGISTER_NOTIFY_BUFFER RegisterEventRequest;
27 NTSTATUS Status; // deliberately uninitialized: every reachable path below assigns it, the IRP_BASED arm through the out-parameter of the (hidden) registration call - confirm that call always writes it
28
29 UNREFERENCED_PARAMETER(DeviceObject);
30
31 //
32 // Here's the best place to see if there is any allocation pending
33 // to be allocated as we're in PASSIVE_LEVEL
34 //
35 // DO NOT CHANGE CALLING OF THE FOLLOWING FUNCTION
36 // (NOTE(review): the call itself is commented out, so this warning is stale)
37 // PoolManagerCheckAndPerformAllocationAndDeallocation();
38
// (gutter line 39, the `if (...)` that gates IOCTL service, is missing)
40 {
41 IrpStack = IoGetCurrentIrpStackLocation(Irp);
42
43 switch (IrpStack->Parameters.DeviceIoControl.IoControlCode)
44 {
// (gutter line 45, presumably `case IOCTL_REGISTER_EVENT:`, is missing)
46
47 //
48 // First validate the parameters: the system buffer must exist and be
49 // at least SIZEOF_REGISTER_EVENT bytes before it is dereferenced below.
49 //
50 if (IrpStack->Parameters.DeviceIoControl.InputBufferLength < SIZEOF_REGISTER_EVENT || Irp->AssociatedIrp.SystemBuffer == NULL)
51 {
52 Status = STATUS_INVALID_PARAMETER;
53 LogError("Err, invalid parameter to IOCTL dispatcher");
54 break;
55 }
56
57 //
58 // IRPs supply a pointer to a buffer at Irp->AssociatedIrp.SystemBuffer.
59 // This buffer represents both the input buffer and the output buffer that
60 // are specified in calls to DeviceIoControl
61 //
62 RegisterEventRequest = (PREGISTER_NOTIFY_BUFFER)Irp->AssociatedIrp.SystemBuffer;
63
64 switch (RegisterEventRequest->Type)
65 {
66 case IRP_BASED:
67
// (gutter line 68 is missing; presumably LogRegisterIrpBasedNotification(Irp, &Status),
// which takes a LONG *Status - this is the arm expected to yield STATUS_PENDING)
69
70 break;
71 case EVENT_BASED:
72
// (gutter line 73 is missing; presumably `if (LogRegisterEventBasedNotification(Irp))`)
74 {
75 Status = STATUS_SUCCESS;
76 }
77 else
78 {
79 Status = STATUS_UNSUCCESSFUL;
80 }
81
82 break;
83 default:
84 LogError("Err, unknown notification type from user-mode");
85 Status = STATUS_INVALID_PARAMETER;
86 break;
87 }
88 break;
89
90 default:
91 LogError("Err, unknown IOCTL");
92 Status = STATUS_NOT_IMPLEMENTED;
93 break;
94 }
95 }
96 else
97 {
98 //
99 // We no longer serve IOCTLs (completed as success without doing anything)
100 //
101 Status = STATUS_SUCCESS;
102 }
103
// A pending IRP must not be completed here; ownership has moved to the
// notification mechanism that will complete it later.
104 if (Status != STATUS_PENDING)
105 {
106 Irp->IoStatus.Status = Status;
107
108 IoCompleteRequest(Irp, IO_NO_INCREMENT);
109 }
110
111 return Status;
112}
BOOLEAN g_VmmInitialized
Shows whether the VMM is initialized or not.
Definition Global.h:24

◆ DrvDispatchKdIoControl()

NTSTATUS DrvDispatchKdIoControl ( PIRP Irp,
PIO_STACK_LOCATION IrpStack,
BOOLEAN * DoNotChangeInformation )

IOCTL Dispatcher for KD (Kernel Debugger) IOCTLs.

Parameters
Irp
IrpStack
DoNotChangeInformation
Returns
NTSTATUS
{
    //
    // KD (kernel debugger) IOCTL dispatcher.
    //
    // Irp                    - the device-control IRP (not used yet)
    // IrpStack               - current stack location; only the control code
    //                          is read from it
    // DoNotChangeInformation - output-size flag shared with the other
    //                          dispatchers (not used yet)
    //
    // No KD-specific control code is routed here at the moment, so every
    // request is logged and answered with STATUS_NOT_IMPLEMENTED.
    //
    NTSTATUS     Result      = STATUS_SUCCESS;
    const UINT32 ControlCode = IrpStack->Parameters.DeviceIoControl.IoControlCode;

    UNREFERENCED_PARAMETER(Irp);
    UNREFERENCED_PARAMETER(DoNotChangeInformation);

    switch (ControlCode)
    {
    default:
        //
        // Unknown (or not-yet-wired) control code
        //
        LogError("Err, unknown IOCTL");
        Result = STATUS_NOT_IMPLEMENTED;
        break;
    }

    return Result;
}

◆ DrvDispatchVmmIoControl()

NTSTATUS DrvDispatchVmmIoControl ( PIRP Irp,
PIO_STACK_LOCATION IrpStack,
BOOLEAN * DoNotChangeInformation )

IOCTL Dispatcher for VMM IOCTLs.

Parameters
Irp
IrpStack
DoNotChangeInformation
Returns
NTSTATUS
399{
400 PDEBUGGER_READ_MEMORY DebuggerReadMemRequest;
401 PDEBUGGER_READ_AND_WRITE_ON_MSR DebuggerReadOrWriteMsrRequest;
402 PDEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE DebuggerHideAndUnhideRequest;
404 PDEBUGGER_PAGE_IN_REQUEST DebuggerPageinRequest;
407 PDEBUGGER_VA2PA_AND_PA2VA_COMMANDS DebuggerVa2paAndPa2vaRequest;
408 PDEBUGGER_EDIT_MEMORY DebuggerEditMemoryRequest;
409 PDEBUGGER_SEARCH_MEMORY DebuggerSearchMemoryRequest;
410 PDEBUGGER_GENERAL_EVENT_DETAIL DebuggerNewEventRequest;
411 PDEBUGGER_MODIFY_EVENTS DebuggerModifyEventRequest;
412 PDEBUGGER_FLUSH_LOGGING_BUFFERS DebuggerFlushBuffersRequest;
413 PDEBUGGER_PREALLOC_COMMAND DebuggerReservePreallocPoolRequest;
414 PDEBUGGER_PREACTIVATE_COMMAND DebuggerPreactivationRequest;
415 PDEBUGGER_APIC_REQUEST DebuggerApicRequest;
416 PINTERRUPT_DESCRIPTOR_TABLE_ENTRIES_PACKETS DebuggerQueryIdtRequest;
417 PDEBUGGEE_BP_PACKET DebuggerBreakpointRequest;
418 PDEBUGGER_UD_COMMAND_PACKET DebuggerUdCommandRequest;
419 PUSERMODE_LOADED_MODULE_DETAILS DebuggerUsermodeModulesRequest;
420 PDEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS DebuggerUsermodeProcessOrThreadQueryRequest;
421 PDEBUGGEE_DETAILS_AND_SWITCH_PROCESS_PACKET GetInformationProcessRequest;
423 PDEBUGGEE_DETAILS_AND_SWITCH_THREAD_PACKET GetInformationThreadRequest;
424 PDEBUGGER_PERFORM_KERNEL_TESTS DebuggerKernelTestRequest;
425 PDEBUGGER_SEND_COMMAND_EXECUTION_FINISHED_SIGNAL DebuggerCommandExecutionFinishedRequest;
426 PDEBUGGER_SEND_USERMODE_MESSAGES_TO_DEBUGGER DebuggerSendUsermodeMessageRequest;
427 PDEBUGGEE_SEND_GENERAL_PACKET_FROM_DEBUGGEE_TO_DEBUGGER DebuggerSendBufferFromDebuggeeToDebuggerRequest;
428 PDEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS DebuggerAttachOrDetachToThreadRequest;
429 PDEBUGGER_PREPARE_DEBUGGEE DebuggeeRequest;
430 PDEBUGGER_PAUSE_PACKET_RECEIVED DebuggerPauseKernelRequest;
431 PDEBUGGER_GENERAL_ACTION DebuggerNewActionRequest;
432 PSMI_OPERATION_PACKETS SmiOperationRequest;
433 PVOID BufferToStoreThreadsAndProcessesDetails;
434 ULONG InBuffLength; // Input buffer length
435 ULONG OutBuffLength; // Output buffer length
436 SIZE_T ReturnSize;
437 NTSTATUS Status = STATUS_SUCCESS;
438 UINT32 Ioctl = IrpStack->Parameters.DeviceIoControl.IoControlCode;
439
440 switch (Ioctl)
441 {
443
444 //
445 // Uninitialize the VMM and the debugger
446 //
448
449 Status = STATUS_SUCCESS;
450
451 break;
452
454
455 //
456 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
457 //
459 (PVOID *)&DebuggerReadMemRequest,
460 Irp,
461 IrpStack,
462 &InBuffLength,
463 &OutBuffLength))
464 {
465 Status = STATUS_INVALID_PARAMETER;
466 break;
467 }
468
469 if (DebuggerCommandReadMemory(DebuggerReadMemRequest,
470 ((CHAR *)DebuggerReadMemRequest) + SIZEOF_DEBUGGER_READ_MEMORY,
471 &ReturnSize) == TRUE)
472 {
473 //
474 // Return the header a read bytes
475 //
476 DrvAdjustStatusAndSetOutputSize((UINT32)(ReturnSize + SIZEOF_DEBUGGER_READ_MEMORY), DoNotChangeInformation, Irp, &Status);
477 }
478 else
479 {
480 //
481 // Just return the header to the user-mode
482 //
483 DrvAdjustStatusAndSetOutputSize(SIZEOF_DEBUGGER_READ_MEMORY, DoNotChangeInformation, Irp, &Status);
484 }
485
486 break;
487
489
490 //
491 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
492 //
494 (PVOID *)&DebuggerReadOrWriteMsrRequest,
495 Irp,
496 IrpStack,
497 &InBuffLength,
498 &OutBuffLength))
499 {
500 Status = STATUS_INVALID_PARAMETER;
501 break;
502 }
503
504 //
505 // Both usermode and to send to usermode and the coming buffer are
506 // at the same place
507 //
508 Status = DebuggerReadOrWriteMsr(DebuggerReadOrWriteMsrRequest, (UINT64 *)DebuggerReadOrWriteMsrRequest, &ReturnSize);
509
510 //
511 // Set the size
512 //
513 if (Status == STATUS_SUCCESS)
514 {
515 //
516 // Adjust the status and output size
517 //
518 DrvAdjustStatusAndSetOutputSize((UINT32)ReturnSize, DoNotChangeInformation, Irp, &Status);
519 }
520
521 break;
522
524
525 //
526 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
527 //
529 (PVOID *)&DebuggerPteRequest,
530 Irp,
531 IrpStack,
532 &InBuffLength,
533 &OutBuffLength))
534 {
535 Status = STATUS_INVALID_PARAMETER;
536 break;
537 }
538
539 //
540 // Both usermode and to send to usermode and the coming buffer are
541 // at the same place (it's not in vmx-root)
542 //
543 ExtensionCommandPte(DebuggerPteRequest, FALSE);
544
545 //
546 // Adjust the status and output size
547 //
549
550 break;
551
553
554 //
555 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
556 //
558 (PVOID *)&DebuggerNewEventRequest,
559 Irp,
560 IrpStack,
561 &InBuffLength,
562 &OutBuffLength))
563 {
564 Status = STATUS_INVALID_PARAMETER;
565 break;
566 }
567
568 //
569 // Both usermode and to send to usermode and the coming buffer are
570 // at the same place (not coming from the VMX-root mode)
571 //
572 DebuggerParseEvent(DebuggerNewEventRequest,
573 (PDEBUGGER_EVENT_AND_ACTION_RESULT)Irp->AssociatedIrp.SystemBuffer,
574 FALSE);
575
576 //
577 // Adjust the status and output size
578 //
579 DrvAdjustStatusAndSetOutputSize(sizeof(DEBUGGER_EVENT_AND_ACTION_RESULT), DoNotChangeInformation, Irp, &Status);
580
581 break;
582
584
585 //
586 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
587 //
589 (PVOID *)&DebuggerNewActionRequest,
590 Irp,
591 IrpStack,
592 &InBuffLength,
593 &OutBuffLength))
594 {
595 Status = STATUS_INVALID_PARAMETER;
596 break;
597 }
598
599 //
600 // Both usermode and to send to usermode and the coming buffer are
601 // at the same place
602 //
603 DebuggerParseAction(DebuggerNewActionRequest,
604 (PDEBUGGER_EVENT_AND_ACTION_RESULT)Irp->AssociatedIrp.SystemBuffer,
605 FALSE);
606
607 //
608 // Adjust the status and output size
609 //
610 DrvAdjustStatusAndSetOutputSize(sizeof(DEBUGGER_EVENT_AND_ACTION_RESULT), DoNotChangeInformation, Irp, &Status);
611
612 break;
613
615
616 //
617 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
618 //
620 (PVOID *)&DebuggerHideAndUnhideRequest,
621 Irp,
622 IrpStack,
623 &InBuffLength,
624 &OutBuffLength))
625 {
626 Status = STATUS_INVALID_PARAMETER;
627 break;
628 }
629
630 //
631 // check if it's a !hide or !unhide command
632 //
633 if (DebuggerHideAndUnhideRequest->IsHide == TRUE)
634 {
635 //
636 // It's a hide request
637 //
638 TransparentHideDebuggerWrapper(DebuggerHideAndUnhideRequest);
639 }
640 else
641 {
642 //
643 // It's a unhide request
644 //
645 TransparentUnhideDebuggerWrapper(DebuggerHideAndUnhideRequest);
646 }
647
648 //
649 // Adjust the status and output size
650 //
652
653 break;
654
656
657 //
658 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
659 //
661 (PVOID *)&DebuggerVa2paAndPa2vaRequest,
662 Irp,
663 IrpStack,
664 &InBuffLength,
665 &OutBuffLength))
666 {
667 Status = STATUS_INVALID_PARAMETER;
668 break;
669 }
670
671 //
672 // Both usermode and to send to usermode and the coming buffer are
673 // at the same place (we're not in vmx-root here)
674 //
675 ExtensionCommandVa2paAndPa2va(DebuggerVa2paAndPa2vaRequest, FALSE);
676
677 //
678 // Adjust the status and output size
679 //
681
682 break;
683
685
686 //
687 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
688 //
690 (PVOID *)&DebuggerEditMemoryRequest,
691 Irp,
692 IrpStack,
693 &InBuffLength,
694 &OutBuffLength))
695 {
696 Status = STATUS_INVALID_PARAMETER;
697 break;
698 }
699
700 //
701 // Here we should validate whether the input parameter is
702 // valid or in other words whether we received enough space or not
703 //
704 if (IrpStack->Parameters.DeviceIoControl.InputBufferLength != SIZEOF_DEBUGGER_EDIT_MEMORY + DebuggerEditMemoryRequest->CountOf64Chunks * sizeof(UINT64))
705 {
706 Status = STATUS_INVALID_PARAMETER;
707 break;
708 }
709
710 //
711 // Both usermode and to send to usermode and the coming buffer are
712 // at the same place
713 //
714 DebuggerCommandEditMemory(DebuggerEditMemoryRequest);
715
716 //
717 // Adjust the status and output size
718 //
719 DrvAdjustStatusAndSetOutputSize(SIZEOF_DEBUGGER_EDIT_MEMORY, DoNotChangeInformation, Irp, &Status);
720
721 break;
722
724
725 //
726 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
727 //
729 (PVOID *)&DebuggerSearchMemoryRequest,
730 Irp,
731 IrpStack,
732 &InBuffLength,
733 &OutBuffLength))
734 {
735 Status = STATUS_INVALID_PARAMETER;
736 break;
737 }
738
739 //
740 // The OutBuffLength should have at least MaximumSearchResults * sizeof(UINT64)
741 // free space to store the results
742 //
743 if (OutBuffLength < MaximumSearchResults * sizeof(UINT64))
744 {
745 Status = STATUS_INVALID_PARAMETER;
746 break;
747 }
748
749 //
750 // Here we should validate whether the input parameter is
751 // valid or in other words whether we received enough space or not
752 //
753 if (IrpStack->Parameters.DeviceIoControl.InputBufferLength != SIZEOF_DEBUGGER_SEARCH_MEMORY + DebuggerSearchMemoryRequest->CountOf64Chunks * sizeof(UINT64))
754 {
755 Status = STATUS_INVALID_PARAMETER;
756 break;
757 }
758
759 //
760 // Both usermode and to send to usermode and the coming buffer are
761 // at the same place
762 //
763 if (DebuggerCommandSearchMemory(DebuggerSearchMemoryRequest) != STATUS_SUCCESS)
764 {
765 //
766 // It is because it was not valid in any of the ways to the function
767 // then we're sure that the usermode code won't interpret it's previous
768 // buffer as a valid buffer and will not show it to the user
769 //
770 RtlZeroMemory(DebuggerSearchMemoryRequest, MaximumSearchResults * sizeof(UINT64));
771 }
772
773 //
774 // Configure IRP status, and also we send the results
775 // buffer, with it's null values (if any)
776 //
777 DrvAdjustStatusAndSetOutputSize(MaximumSearchResults * sizeof(UINT64), DoNotChangeInformation, Irp, &Status);
778
779 break;
780
782
783 //
784 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
785 //
787 (PVOID *)&DebuggerModifyEventRequest,
788 Irp,
789 IrpStack,
790 &InBuffLength,
791 &OutBuffLength))
792 {
793 Status = STATUS_INVALID_PARAMETER;
794 break;
795 }
796
797 //
798 // Both usermode and to send to usermode and the coming buffer are
799 // at the same place
800 //
802
803 //
804 // Adjust the status and output size
805 //
806 DrvAdjustStatusAndSetOutputSize(SIZEOF_DEBUGGER_MODIFY_EVENTS, DoNotChangeInformation, Irp, &Status);
807
808 break;
809
811
812 //
813 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
814 //
816 (PVOID *)&DebuggerFlushBuffersRequest,
817 Irp,
818 IrpStack,
819 &InBuffLength,
820 &OutBuffLength))
821 {
822 Status = STATUS_INVALID_PARAMETER;
823 break;
824 }
825
826 //
827 // Perform the flush
828 //
829 DebuggerCommandFlush(DebuggerFlushBuffersRequest);
830
831 //
832 // Adjust the status and output size
833 //
834 DrvAdjustStatusAndSetOutputSize(SIZEOF_DEBUGGER_FLUSH_LOGGING_BUFFERS, DoNotChangeInformation, Irp, &Status);
835
836 break;
837
839
840 //
841 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
842 //
844 (PVOID *)&DebuggerAttachOrDetachToThreadRequest,
845 Irp,
846 IrpStack,
847 &InBuffLength,
848 &OutBuffLength))
849 {
850 Status = STATUS_INVALID_PARAMETER;
851 break;
852 }
853
854 //
855 // Perform the attach to the target process
856 //
857 AttachingTargetProcess(DebuggerAttachOrDetachToThreadRequest);
858
859 //
860 // Adjust the status and output size
861 //
863
864 break;
865
867
868 //
869 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
870 //
872 (PVOID *)&DebuggeeRequest,
873 Irp,
874 IrpStack,
875 &InBuffLength,
876 &OutBuffLength))
877 {
878 Status = STATUS_INVALID_PARAMETER;
879 break;
880 }
881
882 //
883 // Perform the action
884 //
885 SerialConnectionPrepare(DebuggeeRequest);
886
887 //
888 // Adjust the status and output size
889 //
890 DrvAdjustStatusAndSetOutputSize(SIZEOF_DEBUGGER_PREPARE_DEBUGGEE, DoNotChangeInformation, Irp, &Status);
891
892 break;
893
895
896 //
897 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
898 //
900 (PVOID *)&DebuggerPauseKernelRequest,
901 Irp,
902 IrpStack,
903 &InBuffLength,
904 &OutBuffLength))
905 {
906 Status = STATUS_INVALID_PARAMETER;
907 break;
908 }
909
910 //
911 // Perform the action
912 //
913 KdHaltSystem(DebuggerPauseKernelRequest);
914
915 //
916 // Adjust the status and output size
917 //
918 DrvAdjustStatusAndSetOutputSize(SIZEOF_DEBUGGER_PAUSE_PACKET_RECEIVED, DoNotChangeInformation, Irp, &Status);
919
920 break;
921
923
924 //
925 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
926 //
928 (PVOID *)&DebuggerCommandExecutionFinishedRequest,
929 Irp,
930 IrpStack,
931 &InBuffLength,
932 &OutBuffLength))
933 {
934 Status = STATUS_INVALID_PARAMETER;
935 break;
936 }
937
938 //
939 // Perform the signal operation
940 //
941 DebuggerCommandSignalExecutionState(DebuggerCommandExecutionFinishedRequest);
942
943 //
944 // Adjust the status and output size
945 //
947
948 break;
949
951
952 //
953 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
954 //
956 (PVOID *)&DebuggerSendUsermodeMessageRequest,
957 Irp,
958 IrpStack,
959 &InBuffLength,
960 &OutBuffLength))
961 {
962 Status = STATUS_INVALID_PARAMETER;
963 break;
964 }
965
966 //
967 // Second validation phase
968 //
969 if (DebuggerSendUsermodeMessageRequest->Length == NULL_ZERO ||
970 IrpStack->Parameters.DeviceIoControl.InputBufferLength != SIZEOF_DEBUGGER_SEND_USERMODE_MESSAGES_TO_DEBUGGER + DebuggerSendUsermodeMessageRequest->Length)
971 {
972 Status = STATUS_INVALID_PARAMETER;
973 break;
974 }
975
976 //
977 // Perform the signal operation
978 //
979 DebuggerCommandSendMessage(DebuggerSendUsermodeMessageRequest);
980
981 //
982 // Adjust the status and output size
983 //
985
986 break;
987
989
990 //
991 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
992 //
994 (PVOID *)&DebuggerSendBufferFromDebuggeeToDebuggerRequest,
995 Irp,
996 IrpStack,
997 &InBuffLength,
998 &OutBuffLength))
999 {
1000 Status = STATUS_INVALID_PARAMETER;
1001 break;
1002 }
1003
1004 //
1005 // Second validation phase
1006 //
1007 if (DebuggerSendBufferFromDebuggeeToDebuggerRequest->LengthOfBuffer == NULL_ZERO ||
1008 IrpStack->Parameters.DeviceIoControl.InputBufferLength != SIZEOF_DEBUGGEE_SEND_GENERAL_PACKET_FROM_DEBUGGEE_TO_DEBUGGER + DebuggerSendBufferFromDebuggeeToDebuggerRequest->LengthOfBuffer)
1009 {
1010 Status = STATUS_INVALID_PARAMETER;
1011 break;
1012 }
1013
1014 //
1015 // Perform the signal operation
1016 //
1017 DebuggerCommandSendGeneralBufferToDebugger(DebuggerSendBufferFromDebuggeeToDebuggerRequest);
1018
1019 //
1020 // Adjust the status and output size
1021 //
1023
1024 break;
1025
1027
1028 //
1029 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
1030 //
1032 (PVOID *)&DebuggerKernelTestRequest,
1033 Irp,
1034 IrpStack,
1035 &InBuffLength,
1036 &OutBuffLength))
1037 {
1038 Status = STATUS_INVALID_PARAMETER;
1039 break;
1040 }
1041
1042 //
1043 // Perform the kernel-side tests
1044 //
1045 TestKernelPerformTests(DebuggerKernelTestRequest);
1046
1047 //
1048 // Adjust the status and output size
1049 //
1050 DrvAdjustStatusAndSetOutputSize(SIZEOF_DEBUGGER_PERFORM_KERNEL_TESTS, DoNotChangeInformation, Irp, &Status);
1051
1052 break;
1053
1055
1056 //
1057 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
1058 //
1060 (PVOID *)&DebuggerReservePreallocPoolRequest,
1061 Irp,
1062 IrpStack,
1063 &InBuffLength,
1064 &OutBuffLength))
1065 {
1066 Status = STATUS_INVALID_PARAMETER;
1067 break;
1068 }
1069
1070 //
1071 // Perform the reservation pools
1072 //
1073 DebuggerCommandReservePreallocatedPools(DebuggerReservePreallocPoolRequest);
1074
1075 //
1076 // Adjust the status and output size
1077 //
1078 DrvAdjustStatusAndSetOutputSize(SIZEOF_DEBUGGER_PREALLOC_COMMAND, DoNotChangeInformation, Irp, &Status);
1079
1080 break;
1081
1083
1084 //
1085 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
1086 //
1088 (PVOID *)&DebuggerPreactivationRequest,
1089 Irp,
1090 IrpStack,
1091 &InBuffLength,
1092 &OutBuffLength))
1093 {
1094 Status = STATUS_INVALID_PARAMETER;
1095 break;
1096 }
1097
1098 //
1099 // Perform the activation of the functionality
1100 //
1101 DebuggerCommandPreactivateFunctionality(DebuggerPreactivationRequest);
1102
1103 //
1104 // Adjust the status and output size
1105 //
1106 DrvAdjustStatusAndSetOutputSize(SIZEOF_DEBUGGER_PREACTIVATE_COMMAND, DoNotChangeInformation, Irp, &Status);
1107
1108 break;
1109
1111
1112 //
1113 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
1114 //
1116 (PVOID *)&DebuggerApicRequest,
1117 Irp,
1118 IrpStack,
1119 &InBuffLength,
1120 &OutBuffLength))
1121 {
1122 Status = STATUS_INVALID_PARAMETER;
1123 break;
1124 }
1125
1126 //
1127 // Adjust the status and output size
1128 //
1129 DrvAdjustStatusAndSetOutputSize(ExtensionCommandPerformActionsForApicRequests(DebuggerApicRequest), DoNotChangeInformation, Irp, &Status);
1130
1131 break;
1132
1134
1135 //
1136 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
1137 //
1139 (PVOID *)&DebuggerQueryIdtRequest,
1140 Irp,
1141 IrpStack,
1142 &InBuffLength,
1143 &OutBuffLength))
1144 {
1145 Status = STATUS_INVALID_PARAMETER;
1146 break;
1147 }
1148
1149 //
1150 // Perform the query of IDT entries (not from vmx-root)
1151 //
1152 ExtensionCommandPerformQueryIdtEntriesRequest(DebuggerQueryIdtRequest, FALSE);
1153
1154 //
1155 // Adjust the status and output size
1156 //
1158
1159 break;
1160
1162
1163 //
1164 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
1165 //
1167 (PVOID *)&DebuggerBreakpointRequest,
1168 Irp,
1169 IrpStack,
1170 &InBuffLength,
1171 &OutBuffLength))
1172 {
1173 Status = STATUS_INVALID_PARAMETER;
1174 break;
1175 }
1176
1177 //
1178 // Perform setting the breakpoint (for the user mode debugger)
1179 // Switching to the target process memory is needed as we are
1180 // in HyperDbg's process memory layout and we need to switch to
1181 // the target process memory layout to set the breakpoint
1182 //
1183 BreakpointAddNew(DebuggerBreakpointRequest, TRUE);
1184
1185 //
1186 // Adjust the status and output size
1187 //
1188 DrvAdjustStatusAndSetOutputSize(SIZEOF_DEBUGGEE_BP_PACKET, DoNotChangeInformation, Irp, &Status);
1189
1190 break;
1191
1193
1194 //
1195 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
1196 //
1198 (PVOID *)&SmiOperationRequest,
1199 Irp,
1200 IrpStack,
1201 &InBuffLength,
1202 &OutBuffLength))
1203 {
1204 Status = STATUS_INVALID_PARAMETER;
1205 break;
1206 }
1207
1208 //
1209 // Perform the SMI operation (it's not from vmx-root)
1210 //
1211 VmFuncSmmPerformSmiOperation(SmiOperationRequest, FALSE);
1212
1213 //
1214 // Adjust the status and output size
1215 //
1216 DrvAdjustStatusAndSetOutputSize(SIZEOF_SMI_OPERATION_PACKETS, DoNotChangeInformation, Irp, &Status);
1217
1218 break;
1219
1221
1222 //
1223 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
1224 //
1226 (PVOID *)&DebuggerUdCommandRequest,
1227 Irp,
1228 IrpStack,
1229 &InBuffLength,
1230 &OutBuffLength))
1231 {
1232 Status = STATUS_INVALID_PARAMETER;
1233 break;
1234 }
1235
1236 //
1237 // Perform the dispatching of user debugger command
1238 //
1239 UdDispatchUsermodeCommands(DebuggerUdCommandRequest, InBuffLength, OutBuffLength);
1240
1241 //
1242 // Adjust the status and output size
1243 //
1244 DrvAdjustStatusAndSetOutputSize(OutBuffLength, DoNotChangeInformation, Irp, &Status);
1245
1246 break;
1247
1249
1250 OutBuffLength = IrpStack->Parameters.DeviceIoControl.OutputBufferLength;
1251
1252 if (!OutBuffLength)
1253 {
1254 Status = STATUS_INVALID_PARAMETER;
1255 break;
1256 }
1257
1258 //
1259 // Both usermode and to send to usermode is here
1260 //
1261 BufferToStoreThreadsAndProcessesDetails = (PVOID)Irp->AssociatedIrp.SystemBuffer;
1262
1263 //
1264 // Perform the dispatching of user debugger command
1265 //
1266 AttachingQueryDetailsOfActiveDebuggingThreadsAndProcesses(BufferToStoreThreadsAndProcessesDetails, OutBuffLength);
1267
1268 //
1269 // Adjust the status and output size
1270 //
1271 DrvAdjustStatusAndSetOutputSize(OutBuffLength, DoNotChangeInformation, Irp, &Status);
1272
1273 break;
1274
1276
1277 //
1278 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
1279 //
1281 (PVOID *)&DebuggerUsermodeModulesRequest,
1282 Irp,
1283 IrpStack,
1284 &InBuffLength,
1285 &OutBuffLength))
1286 {
1287 Status = STATUS_INVALID_PARAMETER;
1288 break;
1289 }
1290
1291 //
1292 // Getting the modules details
1293 //
1294 UserAccessGetLoadedModules(DebuggerUsermodeModulesRequest, OutBuffLength);
1295
1296 //
1297 // Adjust the status and output size
1298 //
1299 DrvAdjustStatusAndSetOutputSize(OutBuffLength, DoNotChangeInformation, Irp, &Status);
1300
1301 break;
1302
1304
1305 //
1306 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
1307 //
1309 (PVOID *)&DebuggerUsermodeProcessOrThreadQueryRequest,
1310 Irp,
1311 IrpStack,
1312 &InBuffLength,
1313 &OutBuffLength))
1314 {
1315 Status = STATUS_INVALID_PARAMETER;
1316 break;
1317 }
1318
1319 //
1320 // Getting the count result
1321 //
1322 if (DebuggerUsermodeProcessOrThreadQueryRequest->QueryType == DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_QUERY_PROCESS_COUNT)
1323 {
1324 ProcessQueryCount(DebuggerUsermodeProcessOrThreadQueryRequest);
1325 }
1326 else if (DebuggerUsermodeProcessOrThreadQueryRequest->QueryType == DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_QUERY_THREAD_COUNT)
1327 {
1328 ThreadQueryCount(DebuggerUsermodeProcessOrThreadQueryRequest);
1329 }
1330
1331 //
1332 // Adjust the status and output size
1333 //
1335
1336 break;
1337
1339
1340 //
1341 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
1342 //
1344 (PVOID *)&DebuggerUsermodeProcessOrThreadQueryRequest,
1345 Irp,
1346 IrpStack,
1347 &InBuffLength,
1348 &OutBuffLength))
1349 {
1350 Status = STATUS_INVALID_PARAMETER;
1351 break;
1352 }
1353
1354 //
1355 // Getting the list of processes or threads
1356 //
1357 if (DebuggerUsermodeProcessOrThreadQueryRequest->QueryType == DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_QUERY_PROCESS_LIST)
1358 {
1359 ProcessQueryList(DebuggerUsermodeProcessOrThreadQueryRequest,
1360 DebuggerUsermodeProcessOrThreadQueryRequest,
1361 OutBuffLength);
1362 }
1363 else if (DebuggerUsermodeProcessOrThreadQueryRequest->QueryType == DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_QUERY_THREAD_LIST)
1364 {
1365 ThreadQueryList(DebuggerUsermodeProcessOrThreadQueryRequest,
1366 DebuggerUsermodeProcessOrThreadQueryRequest,
1367 OutBuffLength);
1368 }
1369
1370 //
1371 // Adjust the status and output size
1372 //
1373 DrvAdjustStatusAndSetOutputSize(OutBuffLength, DoNotChangeInformation, Irp, &Status);
1374
1375 break;
1376
1378
1379 //
1380 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
1381 //
1383 (PVOID *)&GetInformationThreadRequest,
1384 Irp,
1385 IrpStack,
1386 &InBuffLength,
1387 &OutBuffLength))
1388 {
1389 Status = STATUS_INVALID_PARAMETER;
1390 break;
1391 }
1392
1393 //
1394 // Get the information
1395 //
1396 ThreadQueryDetails(GetInformationThreadRequest);
1397
1398 //
1399 // Adjust the status and output size
1400 //
1402
1403 break;
1404
1406
1407 //
1408 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
1409 //
1411 (PVOID *)&GetInformationProcessRequest,
1412 Irp,
1413 IrpStack,
1414 &InBuffLength,
1415 &OutBuffLength))
1416 {
1417 Status = STATUS_INVALID_PARAMETER;
1418 break;
1419 }
1420
1421 //
1422 // Get the information
1423 //
1424 ProcessQueryDetails(GetInformationProcessRequest);
1425
1426 //
1427 // Adjust the status and output size
1428 //
1430
1431 break;
1432
1434
1435 //
1436 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
1437 //
1439 (PVOID *)&RevServiceRequest,
1440 Irp,
1441 IrpStack,
1442 &InBuffLength,
1443 &OutBuffLength))
1444 {
1445 Status = STATUS_INVALID_PARAMETER;
1446 break;
1447 }
1448
1449 //
1450 // Perform the service request
1451 //
1453
1454 //
1455 // Adjust the status and output size
1456 //
1458
1459 break;
1460
1462
1463 //
1464 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
1465 //
1467 (PVOID *)&DebuggerPageinRequest,
1468 Irp,
1469 IrpStack,
1470 &InBuffLength,
1471 &OutBuffLength))
1472 {
1473 Status = STATUS_INVALID_PARAMETER;
1474 break;
1475 }
1476
1477 //
1478 // Both usermode and to send to usermode and the coming buffer are
1479 // at the same place (it's in VMI-mode)
1480 //
1481 DebuggerCommandBringPagein(DebuggerPageinRequest);
1482
1483 //
1484 // Adjust the status and output size
1485 //
1486 DrvAdjustStatusAndSetOutputSize(SIZEOF_DEBUGGER_PAGE_IN_REQUEST, DoNotChangeInformation, Irp, &Status);
1487
1488 break;
1489
1491
1492 //
1493 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
1494 //
1496 (PVOID *)&PcitreeRequest,
1497 Irp,
1498 IrpStack,
1499 &InBuffLength,
1500 &OutBuffLength))
1501 {
1502 Status = STATUS_INVALID_PARAMETER;
1503 break;
1504 }
1505
1506 //
1507 // Both usermode and to send to usermode and the coming buffer are
1508 // at the same place (it's in VMI-mode)
1509 //
1510 ExtensionCommandPcitree(PcitreeRequest, FALSE);
1511
1512 //
1513 // Adjust the status and output size
1514 //
1516
1517 break;
1518
1520
1521 //
1522 // Validate and adjust the parameters, and set the target buffer to the system buffer of the IRP
1523 //
1525 (PVOID *)&PcidevinfoRequest,
1526 Irp,
1527 IrpStack,
1528 &InBuffLength,
1529 &OutBuffLength))
1530 {
1531 Status = STATUS_INVALID_PARAMETER;
1532 break;
1533 }
1534
1535 //
1536 // Both usermode and to send to usermode and the coming buffer are
1537 // at the same place (it's in VMI-mode)
1538 //
1539 ExtensionCommandPcidevinfo(PcidevinfoRequest, FALSE);
1540
1541 //
1542 // Adjust the status and output size
1543 //
1545
1546 break;
1547
1548 default:
1549 LogError("Err, unknown IOCTL");
1550 Status = STATUS_NOT_IMPLEMENTED;
1551 break;
1552 }
1553
1554 return Status;
1555}
BOOLEAN AttachingQueryDetailsOfActiveDebuggingThreadsAndProcesses(PVOID BufferToStoreDetails, UINT32 BufferSize)
Query details of active debugging threads.
Definition Attaching.c:1393
VOID AttachingTargetProcess(PDEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS Request)
Dispatch and perform attaching tasks.
Definition Attaching.c:1425
BOOLEAN BreakpointAddNew(PDEBUGGEE_BP_PACKET BpDescriptorArg, BOOLEAN SwitchToTargetMemoryLayout)
Add new breakpoints.
Definition BreakpointCommands.c:950
#define EnableInstantEventMechanism
Enable or disable the instant event mechanism.
Definition Configuration.h:70
BOOLEAN DebuggerParseEvent(PDEBUGGER_GENERAL_EVENT_DETAIL EventDetails, PDEBUGGER_EVENT_AND_ACTION_RESULT ResultsToReturn, BOOLEAN InputFromVmxRoot)
Routine for parsing events.
Definition Debugger.c:3163
BOOLEAN DebuggerParseEventsModification(PDEBUGGER_MODIFY_EVENTS DebuggerEventModificationRequest, BOOLEAN InputFromVmxRoot, BOOLEAN PoolManagerAllocatedMemory)
Parse and validate requests to enable/disable/clear from the user-mode.
Definition Debugger.c:3728
BOOLEAN DebuggerParseAction(PDEBUGGER_GENERAL_ACTION ActionDetails, PDEBUGGER_EVENT_AND_ACTION_RESULT ResultsToReturn, BOOLEAN InputFromVmxRoot)
Routine for validating and parsing actions that are coming from the user-mode.
Definition Debugger.c:3307
BOOLEAN DebuggerCommandBringPagein(PDEBUGGER_PAGE_IN_REQUEST PageinRequest)
routines for the .pagein command
Definition DebuggerCommands.c:1532
NTSTATUS DebuggerCommandPreactivateFunctionality(PDEBUGGER_PREACTIVATE_COMMAND PreactivateRequest)
Preactivate a special functionality.
Definition DebuggerCommands.c:1500
NTSTATUS DebuggerCommandReservePreallocatedPools(PDEBUGGER_PREALLOC_COMMAND PreallocRequest)
Reserve and allocate pre-allocated buffers.
Definition DebuggerCommands.c:1376
NTSTATUS DebuggerReadOrWriteMsr(PDEBUGGER_READ_AND_WRITE_ON_MSR ReadOrWriteMsrRequest, UINT64 *UserBuffer, PSIZE_T ReturnSize)
Perform rdmsr, wrmsr commands.
Definition DebuggerCommands.c:337
NTSTATUS DebuggerCommandSignalExecutionState(PDEBUGGER_SEND_COMMAND_EXECUTION_FINISHED_SIGNAL DebuggerFinishedExecutionRequest)
Perform the command finished signal.
Definition DebuggerCommands.c:1312
NTSTATUS DebuggerCommandSearchMemory(PDEBUGGER_SEARCH_MEMORY SearchMemRequest)
Start searching memory.
Definition DebuggerCommands.c:1191
BOOLEAN DebuggerCommandReadMemory(PDEBUGGER_READ_MEMORY ReadMemRequest, PVOID UserBuffer, PSIZE_T ReturnSize)
Read memory for different commands.
Definition DebuggerCommands.c:74
NTSTATUS DebuggerCommandSendMessage(PDEBUGGER_SEND_USERMODE_MESSAGES_TO_DEBUGGER DebuggerSendUsermodeMessageRequest)
Send the user-mode buffer to debugger.
Definition DebuggerCommands.c:1331
NTSTATUS DebuggerCommandSendGeneralBufferToDebugger(PDEBUGGEE_SEND_GENERAL_PACKET_FROM_DEBUGGEE_TO_DEBUGGER DebuggeeBufferRequest)
Send general buffers from the debuggee to the debugger.
Definition DebuggerCommands.c:1353
NTSTATUS DebuggerCommandFlush(PDEBUGGER_FLUSH_LOGGING_BUFFERS DebuggerFlushBuffersRequest)
Perform the flush requests to vmx-root and vmx non-root buffers.
Definition DebuggerCommands.c:1292
NTSTATUS DebuggerCommandEditMemory(PDEBUGGER_EDIT_MEMORY EditMemRequest)
Edit physical and virtual memory.
Definition DebuggerCommands.c:490
VOID ExtensionCommandPerformQueryIdtEntriesRequest(PINTERRUPT_DESCRIPTOR_TABLE_ENTRIES_PACKETS IdtQueryRequest, BOOLEAN ReadFromVmxRoot)
Perform query for IDT entries.
Definition ExtensionCommands.c:92
VOID ExtensionCommandVa2paAndPa2va(PDEBUGGER_VA2PA_AND_PA2VA_COMMANDS AddressDetails, BOOLEAN OperateOnVmxRoot)
routines for !va2pa and !pa2va commands
Definition ExtensionCommands.c:114
VOID ExtensionCommandPcidevinfo(PDEBUGGEE_PCIDEVINFO_REQUEST_RESPONSE_PACKET PcidevinfoPacket, BOOLEAN OperateOnVmxRoot)
Request PCI device info.
Definition ExtensionCommands.c:760
UINT32 ExtensionCommandPerformActionsForApicRequests(PDEBUGGER_APIC_REQUEST ApicRequest)
Perform actions regarding APIC.
Definition ExtensionCommands.c:23
BOOLEAN ExtensionCommandPte(PDEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS PteDetails, BOOLEAN IsOperatingInVmxRoot)
routines for !pte command
Definition ExtensionCommands.c:261
VOID ExtensionCommandPcitree(PDEBUGGEE_PCITREE_REQUEST_RESPONSE_PACKET PcitreePacket, BOOLEAN OperateOnVmxRoot)
routines for PCIe tree
Definition ExtensionCommands.c:697
VOID KdHaltSystem(PDEBUGGER_PAUSE_PACKET_RECEIVED PausePacket)
Halt the system.
Definition Kd.c:3489
VOID TestKernelPerformTests(PDEBUGGER_PERFORM_KERNEL_TESTS KernelTestRequest)
Perform the kernel-side tests.
Definition KernelTests.c:22
BOOLEAN ProcessQueryList(PDEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS DebuggerUsermodeProcessOrThreadQueryRequest, PVOID AddressToSaveDetail, UINT32 BufferSize)
Query process details (list).
Definition Process.c:649
BOOLEAN ProcessQueryCount(PDEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS DebuggerUsermodeProcessOrThreadQueryRequest)
Query process details (count).
Definition Process.c:616
BOOLEAN ProcessQueryDetails(PDEBUGGEE_DETAILS_AND_SWITCH_PROCESS_PACKET GetInformationProcessRequest)
Query process details.
Definition Process.c:675
NTSTATUS SerialConnectionPrepare(PDEBUGGER_PREPARE_DEBUGGEE DebuggeeRequest)
Perform tasks relating to stepping (step-in & step-out) requests.
Definition SerialConnection.c:341
BOOLEAN ThreadQueryDetails(PDEBUGGEE_DETAILS_AND_SWITCH_THREAD_PACKET GetInformationThreadRequest)
Query thread details.
Definition Thread.c:712
BOOLEAN ThreadQueryList(PDEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS DebuggerUsermodeProcessOrThreadQueryRequest, PVOID AddressToSaveDetail, UINT32 BufferSize)
Query thread details (list).
Definition Thread.c:686
BOOLEAN ThreadQueryCount(PDEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS DebuggerUsermodeProcessOrThreadQueryRequest)
Query thread details (count).
Definition Thread.c:653
BOOLEAN UdDispatchUsermodeCommands(PDEBUGGER_UD_COMMAND_PACKET ActionRequest, UINT32 ActionRequestInputLength, UINT32 ActionRequestOutputLength)
Dispatch the user-mode commands.
Definition Ud.c:642
BOOLEAN UserAccessGetLoadedModules(PUSERMODE_LOADED_MODULE_DETAILS ProcessLoadedModuleRequest, UINT32 BufferSize)
Get details about loaded modules.
Definition UserAccess.c:779
#define NULL_ZERO
Definition BasicTypes.h:110
#define MaximumSearchResults
maximum number of results that will be returned by the !s* and s* commands
Definition Constants.h:516
#define SIZEOF_DEBUGGER_PAUSE_PACKET_RECEIVED
Definition DataTypes.h:203
struct _DEBUGGER_PAUSE_PACKET_RECEIVED * PDEBUGGER_PAUSE_PACKET_RECEIVED
#define SIZEOF_DEBUGGER_GENERAL_EVENT_DETAIL
Definition Events.h:404
struct _DEBUGGER_GENERAL_EVENT_DETAIL * PDEBUGGER_GENERAL_EVENT_DETAIL
#define SIZEOF_DEBUGGER_GENERAL_ACTION
Definition Events.h:425
struct _DEBUGGER_MODIFY_EVENTS * PDEBUGGER_MODIFY_EVENTS
struct _DEBUGGER_EVENT_AND_ACTION_RESULT * PDEBUGGER_EVENT_AND_ACTION_RESULT
#define SIZEOF_DEBUGGER_MODIFY_EVENTS
Definition Events.h:254
struct _DEBUGGER_GENERAL_ACTION * PDEBUGGER_GENERAL_ACTION
struct _DEBUGGER_EVENT_AND_ACTION_RESULT DEBUGGER_EVENT_AND_ACTION_RESULT
Status of register buffers.
#define IOCTL_SEND_GENERAL_BUFFER_FROM_DEBUGGEE_TO_DEBUGGER
ioctl, send general buffer from debuggee to debugger
Definition Ioctls.h:263
#define IOCTL_PCIE_ENDPOINT_ENUM
ioctl, to enumerate PCIe endpoints
Definition Ioctls.h:354
#define IOCTL_DEBUGGER_EDIT_MEMORY
ioctl, request to edit virtual and physical memory
Definition Ioctls.h:192
#define IOCTL_PERFORM_SMI_OPERATION
ioctl, to perform SMI operations
Definition Ioctls.h:389
#define IOCTL_DEBUGGER_READ_OR_WRITE_MSR
ioctl, request to read or write on a special MSR
Definition Ioctls.h:150
#define IOCTL_DEBUGGER_READ_MEMORY
ioctl, request to read memory
Definition Ioctls.h:143
#define IOCTL_DEBUGGER_VA2PA_AND_PA2VA_COMMANDS
ioctl, for !va2pa and !pa2va commands
Definition Ioctls.h:185
#define IOCTL_QUERY_CURRENT_THREAD
ioctl, query the current thread details
Definition Ioctls.h:326
#define IOCTL_PREACTIVATE_FUNCTIONALITY
ioctl, to preactivate a functionality
Definition Ioctls.h:347
#define IOCTL_DEBUGGER_FLUSH_LOGGING_BUFFERS
ioctl, flush the kernel buffers
Definition Ioctls.h:213
#define IOCTL_SEND_USERMODE_MESSAGES_TO_DEBUGGER
ioctl, send user-mode messages to the debugger
Definition Ioctls.h:256
#define IOCTL_PERFORM_ACTIONS_ON_APIC
ioctl, to perform actions related to APIC
Definition Ioctls.h:361
#define IOCTL_REQUEST_REV_MACHINE_SERVICE
ioctl, request service from the reversing machine
Definition Ioctls.h:333
#define IOCTL_DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS
ioctl, attach or detach user-mode processes
Definition Ioctls.h:220
#define IOCTL_PREPARE_DEBUGGEE
ioctl, prepare debuggee
Definition Ioctls.h:235
#define IOCTL_DEBUGGER_SEARCH_MEMORY
ioctl, request to search virtual and physical memory
Definition Ioctls.h:199
#define IOCTL_QUERY_CURRENT_PROCESS
ioctl, query the current process details
Definition Ioctls.h:319
#define IOCTL_DEBUGGER_REGISTER_EVENT
ioctl, register an event
Definition Ioctls.h:164
#define IOCTL_TERMINATE_VMX
ioctl, to terminate vmx and exit from the debugger
Definition Ioctls.h:136
#define IOCTL_SEND_USER_DEBUGGER_COMMANDS
ioctl, to send user debugger commands
Definition Ioctls.h:284
#define IOCTL_DEBUGGER_BRING_PAGES_IN
ioctl, request to bring pages in
Definition Ioctls.h:340
#define IOCTL_PCIDEVINFO_ENUM
ioctl, to query for PCI endpoint info
Definition Ioctls.h:368
#define IOCTL_SET_BREAKPOINT_USER_DEBUGGER
ioctl, to set breakpoint for the user debugger
Definition Ioctls.h:382
#define IOCTL_PAUSE_PACKET_RECEIVED
ioctl, pause and halt the system
Definition Ioctls.h:242
#define IOCTL_SEND_SIGNAL_EXECUTION_IN_DEBUGGEE_FINISHED
ioctl, send a signal that execution of command finished
Definition Ioctls.h:249
#define IOCTL_GET_LIST_OF_THREADS_AND_PROCESSES
ioctl, to get the list of threads/processes
Definition Ioctls.h:312
#define IOCTL_DEBUGGER_HIDE_AND_UNHIDE_TO_TRANSPARENT_THE_DEBUGGER
ioctl, request to enable or disable transparent-mode
Definition Ioctls.h:178
#define IOCTL_DEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS
ioctl, request to read page table entries
Definition Ioctls.h:157
#define IOCTL_GET_DETAIL_OF_ACTIVE_THREADS_AND_PROCESSES
ioctl, to get active threads/processes that are debugging
Definition Ioctls.h:291
#define IOCTL_QUERY_COUNT_OF_ACTIVE_PROCESSES_OR_THREADS
ioctl, query count of active threads or processes
Definition Ioctls.h:305
#define IOCTL_DEBUGGER_ADD_ACTION_TO_EVENT
ioctl, add action to event
Definition Ioctls.h:171
#define IOCTL_PERFORM_KERNEL_SIDE_TESTS
ioctl, to perform kernel-side tests
Definition Ioctls.h:270
#define IOCTL_DEBUGGER_MODIFY_EVENTS
ioctl, request to modify an event (enable/disable/clear)
Definition Ioctls.h:206
#define IOCTL_QUERY_IDT_ENTRY
ioctl, to query the IDT entries
Definition Ioctls.h:375
#define IOCTL_RESERVE_PRE_ALLOCATED_POOLS
ioctl, to reserve pre-allocated pools
Definition Ioctls.h:277
#define IOCTL_GET_USER_MODE_MODULE_DETAILS
ioctl, to get user mode modules details
Definition Ioctls.h:298
@ DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_QUERY_THREAD_COUNT
Definition RequestStructures.h:710
@ DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_QUERY_PROCESS_LIST
Definition RequestStructures.h:711
@ DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_QUERY_THREAD_LIST
Definition RequestStructures.h:712
@ DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_QUERY_PROCESS_COUNT
Definition RequestStructures.h:709
#define SIZEOF_DEBUGGER_PERFORM_KERNEL_TESTS
Definition RequestStructures.h:366
struct _DEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS * PDEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS
#define SIZEOF_DEBUGGER_SEND_USERMODE_MESSAGES_TO_DEBUGGER
Definition RequestStructures.h:420
struct _DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS * PDEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS
#define SIZEOF_DEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS
Definition RequestStructures.h:46
#define SIZEOF_DEBUGGER_READ_AND_WRITE_ON_MSR
Definition RequestStructures.h:441
#define SIZEOF_REVERSING_MACHINE_RECONSTRUCT_MEMORY_REQUEST
Definition RequestStructures.h:137
#define SIZEOF_DEBUGGEE_PCIDEVINFO_REQUEST_RESPONSE_PACKET
check that DEBUGGEE_PCITREE_REQUEST_RESPONSE_PACKET is smaller than the packet size
Definition RequestStructures.h:1663
#define SIZEOF_DEBUGGER_PREALLOC_COMMAND
Definition RequestStructures.h:194
struct _DEBUGGER_APIC_REQUEST * PDEBUGGER_APIC_REQUEST
#define SIZEOF_DEBUGGEE_PCITREE_REQUEST_RESPONSE_PACKET
Definition RequestStructures.h:1639
struct _DEBUGGER_SEND_USERMODE_MESSAGES_TO_DEBUGGER * PDEBUGGER_SEND_USERMODE_MESSAGES_TO_DEBUGGER
struct _DEBUGGER_SEARCH_MEMORY * PDEBUGGER_SEARCH_MEMORY
#define SIZEOF_DEBUGGER_UD_COMMAND_PACKET
Definition RequestStructures.h:957
#define SIZEOF_DEBUGGER_PAGE_IN_REQUEST
Definition RequestStructures.h:96
#define SIZEOF_DEBUGGER_VA2PA_AND_PA2VA_COMMANDS
Definition RequestStructures.h:77
struct _DEBUGGER_PERFORM_KERNEL_TESTS * PDEBUGGER_PERFORM_KERNEL_TESTS
#define SIZEOF_DEBUGGEE_DETAILS_AND_SWITCH_THREAD_PACKET
Debugger size of DEBUGGEE_DETAILS_AND_SWITCH_THREAD_PACKET.
Definition RequestStructures.h:1035
struct _DEBUGGEE_PCITREE_REQUEST_RESPONSE_PACKET * PDEBUGGEE_PCITREE_REQUEST_RESPONSE_PACKET
struct _DEBUGGEE_DETAILS_AND_SWITCH_THREAD_PACKET * PDEBUGGEE_DETAILS_AND_SWITCH_THREAD_PACKET
struct _DEBUGGER_PREACTIVATE_COMMAND * PDEBUGGER_PREACTIVATE_COMMAND
#define SIZEOF_DEBUGGER_FLUSH_LOGGING_BUFFERS
Definition RequestStructures.h:311
struct _DEBUGGER_READ_AND_WRITE_ON_MSR * PDEBUGGER_READ_AND_WRITE_ON_MSR
struct _DEBUGGER_UD_COMMAND_PACKET * PDEBUGGER_UD_COMMAND_PACKET
#define SIZEOF_DEBUGGEE_BP_PACKET
Debugger size of DEBUGGEE_BP_PACKET.
Definition RequestStructures.h:1531
struct _DEBUGGEE_BP_PACKET * PDEBUGGEE_BP_PACKET
struct _SMI_OPERATION_PACKETS * PSMI_OPERATION_PACKETS
struct _DEBUGGER_PREALLOC_COMMAND * PDEBUGGER_PREALLOC_COMMAND
struct _DEBUGGEE_PCIDEVINFO_REQUEST_RESPONSE_PACKET * PDEBUGGEE_PCIDEVINFO_REQUEST_RESPONSE_PACKET
struct _DEBUGGER_PAGE_IN_REQUEST * PDEBUGGER_PAGE_IN_REQUEST
struct _DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE * PDEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE
#define SIZEOF_DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS
Definition RequestStructures.h:655
struct _DEBUGGER_SEND_COMMAND_EXECUTION_FINISHED_SIGNAL * PDEBUGGER_SEND_COMMAND_EXECUTION_FINISHED_SIGNAL
#define SIZEOF_DEBUGGER_PREPARE_DEBUGGEE
Definition RequestStructures.h:624
#define SIZEOF_DEBUGGER_EDIT_MEMORY
Definition RequestStructures.h:474
struct _REVERSING_MACHINE_RECONSTRUCT_MEMORY_REQUEST * PREVERSING_MACHINE_RECONSTRUCT_MEMORY_REQUEST
struct _DEBUGGER_PREPARE_DEBUGGEE * PDEBUGGER_PREPARE_DEBUGGEE
struct _DEBUGGER_EDIT_MEMORY * PDEBUGGER_EDIT_MEMORY
struct _DEBUGGER_READ_MEMORY * PDEBUGGER_READ_MEMORY
#define SIZEOF_DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_PACKET
Debugger size of DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_PACKET.
Definition RequestStructures.h:997
#define SIZEOF_DEBUGGER_SEARCH_MEMORY
Definition RequestStructures.h:515
#define SIZEOF_DEBUGGER_APIC_REQUEST
Debugger size of DEBUGGER_APIC_REQUEST.
Definition RequestStructures.h:1108
#define SIZEOF_DEBUGGEE_SEND_GENERAL_PACKET_FROM_DEBUGGEE_TO_DEBUGGER
Definition RequestStructures.h:397
#define SIZEOF_DEBUGGER_SEND_COMMAND_EXECUTION_FINISHED_SIGNAL
Definition RequestStructures.h:381
#define SIZEOF_SMI_OPERATION_PACKETS
Debugger size of SMI_OPERATION_PACKETS.
Definition RequestStructures.h:1275
#define SIZEOF_DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE
Definition RequestStructures.h:588
struct _DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_PACKET * PDEBUGGEE_DETAILS_AND_SWITCH_PROCESS_PACKET
struct _DEBUGGEE_SEND_GENERAL_PACKET_FROM_DEBUGGEE_TO_DEBUGGER * PDEBUGGEE_SEND_GENERAL_PACKET_FROM_DEBUGGEE_TO_DEBUGGER
#define SIZEOF_DEBUGGER_READ_MEMORY
Definition RequestStructures.h:237
#define SIZEOF_DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS
Definition RequestStructures.h:700
struct _DEBUGGER_FLUSH_LOGGING_BUFFERS * PDEBUGGER_FLUSH_LOGGING_BUFFERS
#define SIZEOF_DEBUGGER_PREACTIVATE_COMMAND
Definition RequestStructures.h:221
struct _DEBUGGER_VA2PA_AND_PA2VA_COMMANDS * PDEBUGGER_VA2PA_AND_PA2VA_COMMANDS
struct _INTERRUPT_DESCRIPTOR_TABLE_ENTRIES_PACKETS * PINTERRUPT_DESCRIPTOR_TABLE_ENTRIES_PACKETS
#define SIZEOF_INTERRUPT_DESCRIPTOR_TABLE_ENTRIES_PACKETS
Debugger size of INTERRUPT_DESCRIPTOR_TABLE_ENTRIES_PACKETS.
Definition RequestStructures.h:1474
struct _DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS * PDEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS
#define SIZEOF_USERMODE_LOADED_MODULE_DETAILS
Definition Symbols.h:60
struct _USERMODE_LOADED_MODULE_DETAILS * PUSERMODE_LOADED_MODULE_DETAILS
IMPORT_EXPORT_VMM BOOLEAN TransparentHideDebuggerWrapper(DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE *TransparentModeRequest)
Wrapper for hiding the debugger in transparent mode (activates transparent mode).
Definition HyperEvade.c:25
IMPORT_EXPORT_VMM BOOLEAN VmFuncSmmPerformSmiOperation(SMI_OPERATION_PACKETS *SmiOperationRequest, BOOLEAN ApplyFromVmxRootMode)
Perform actions related to System Management Interrupts (SMIs).
Definition Export.c:1140
IMPORT_EXPORT_VMM BOOLEAN TransparentUnhideDebuggerWrapper(DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE *TransparentModeRequest)
Deactivate transparent-mode.
Definition HyperEvade.c:125
IMPORT_EXPORT_VMM BOOLEAN ConfigureInitializeExecTrapOnAllProcessors()
Routines for initializing the user-mode and kernel-mode exec trap.
Definition Configuration.c:32
VOID LoaderUninitVmmAndDebugger()
Uninitialize the VMM and the debugger.
Definition Loader.c:417
BOOLEAN g_KernelDebuggerState
shows whether the kernel debugger is enabled or disabled
Definition Global.h:151

◆ DrvRead()

/**
 * @brief IRP_MJ_READ Function handler.
 *
 * @details Reads are not implemented by this driver. Every read IRP is
 * completed at once with STATUS_SUCCESS and zero bytes transferred, so a
 * caller observes an empty, successful read rather than an error.
 *
 * @param DeviceObject Unused.
 * @param Irp          The read IRP; it is completed here and must not be
 *                     touched after IoCompleteRequest returns.
 * @return NTSTATUS    Always STATUS_SUCCESS.
 */
NTSTATUS
DrvRead(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    const NTSTATUS CompletionStatus = STATUS_SUCCESS;

    UNREFERENCED_PARAMETER(DeviceObject);

    // Not used. NOTE(review): this prints unconditionally on every read
    // request, which is noisy if a user-mode caller issues reads in a loop.
    DbgPrint("This function is not used");

    // Complete with no data and no priority boost; the IRP is owned by the
    // I/O manager once IoCompleteRequest returns.
    Irp->IoStatus.Status      = CompletionStatus;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);

    return CompletionStatus;
}

◆ DrvUnload()

VOID DrvUnload ( PDRIVER_OBJECT DriverObject)

Run in the case of driver unload to unregister the devices.

Parameters
DriverObject
Returns
VOID
99{
100 UNICODE_STRING DosDeviceName;
101
// Remove the user-visible \DosDevices link and the device object before
// the VMM/debugger teardown that follows.
// NOTE(review): the NTSTATUS returned by IoDeleteSymbolicLink is discarded,
// so a failure to remove the link is silent.
102 RtlInitUnicodeString(&DosDeviceName, L"\\DosDevices\\HyperDbgReversingMachineDevice");
103 IoDeleteSymbolicLink(&DosDeviceName);
104 IoDeleteDevice(DriverObject->DeviceObject);
105
106 //
107 // Unloading VMM and Debugger
108 //
// NOTE(review): the rendered listing skips source line 109 here; the
// teardown call this comment introduces is not visible on this page.
110}
VOID LoaderUninitLogTracer()
Uninitialize the log tracer.
Definition Loader.c:104

◆ DrvUnsupported()

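/**
 * @brief Unsupported message for all other IRP_MJ_* handlers.
 *
 * @details Installed for every major function the driver does not handle.
 * The IRP is completed with STATUS_INVALID_DEVICE_REQUEST and zero bytes
 * transferred, which is what the I/O manager itself reports for a major
 * function a driver never registered; the original completion with
 * STATUS_SUCCESS made an unimplemented request look like it had succeeded.
 *
 * @param DeviceObject Unused.
 * @param Irp          The IRP to reject; it is completed here and must not
 *                     be touched after IoCompleteRequest returns.
 * @return NTSTATUS    Always STATUS_INVALID_DEVICE_REQUEST.
 */
NTSTATUS
DrvUnsupported(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    const NTSTATUS CompletionStatus = STATUS_INVALID_DEVICE_REQUEST;

    UNREFERENCED_PARAMETER(DeviceObject);

    // Not supported. NOTE(review): this prints unconditionally for every
    // rejected request.
    DbgPrint("This function is not supported");

    // Reject the request rather than reporting success, so callers cannot
    // mistake an unimplemented major function for a completed operation.
    Irp->IoStatus.Status      = CompletionStatus;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);

    return CompletionStatus;
}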

◆ DrvWrite()

/**
 * @brief IRP_MJ_WRITE Function handler.
 *
 * @details Writes are not implemented by this driver. Every write IRP is
 * completed at once with STATUS_SUCCESS and zero bytes transferred, so a
 * caller observes a successful zero-length write rather than an error.
 *
 * @param DeviceObject Unused.
 * @param Irp          The write IRP; it is completed here and must not be
 *                     touched after IoCompleteRequest returns.
 * @return NTSTATUS    Always STATUS_SUCCESS.
 */
NTSTATUS
DrvWrite(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    const NTSTATUS CompletionStatus = STATUS_SUCCESS;

    UNREFERENCED_PARAMETER(DeviceObject);

    // Not used. NOTE(review): this prints unconditionally on every write
    // request, which is noisy if a user-mode caller issues writes in a loop.
    DbgPrint("This function is not used");

    // Complete with no data and no priority boost; the IRP is owned by the
    // I/O manager once IoCompleteRequest returns.
    Irp->IoStatus.Status      = CompletionStatus;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);

    return CompletionStatus;
}