HyperDbg Debugger
Loading...
Searching...
No Matches
Classes | Macros | Typedefs | Enumerations | Functions
Events.h File Reference

Headers relating to Exception Bitmap and Event (Interrupt and Exception) Injection. More...

Go to the source code of this file.

Classes

union  _INTERRUPT_INFO
 Interrupt injection and event format. More...
 
struct  _EVENT_INFORMATION
 Event information. More...
 

Macros

#define RESERVED_MSR_RANGE_LOW   0x40000000
 Reserved MSR low range.
 
#define RESERVED_MSR_RANGE_HI   0x4000109F
 Reserved MSR high range.
 
#define EXCEPTION_BITMAP_MASK_ALL   0xffffffff
 Exception bitmap for masking all exceptions/faults/traps.
 

Typedefs

typedef enum _INTERRUPT_TYPE INTERRUPT_TYPE
 Type of interrupts.
 
typedef union _INTERRUPT_INFO INTERRUPT_INFO
 Interrupt injection and event format.
 
typedef union _INTERRUPT_INFOPINTERRUPT_INFO
 
typedef struct _EVENT_INFORMATION EVENT_INFORMATION
 Event information.
 
typedef struct _EVENT_INFORMATIONPEVENT_INFORMATION
 

Enumerations

enum  _INTERRUPT_TYPE {
  INTERRUPT_TYPE_EXTERNAL_INTERRUPT = 0 , INTERRUPT_TYPE_RESERVED = 1 , INTERRUPT_TYPE_NMI = 2 , INTERRUPT_TYPE_HARDWARE_EXCEPTION = 3 ,
  INTERRUPT_TYPE_SOFTWARE_INTERRUPT = 4 , INTERRUPT_TYPE_PRIVILEGED_SOFTWARE_INTERRUPT = 5 , INTERRUPT_TYPE_SOFTWARE_EXCEPTION = 6 , INTERRUPT_TYPE_OTHER_EVENT = 7
}
 Type of interrupts. More...
 

Functions

VOID EventInjectInterruptOrException (_In_ VMEXIT_INTERRUPT_INFORMATION InterruptExit)
 re-inject interrupt or exception to the guest
 
VOID EventInjectPageFaults (_Inout_ VIRTUAL_MACHINE_STATE *VCpu, _In_ VMEXIT_INTERRUPT_INFORMATION InterruptExit, _In_ UINT64 PageFaultAddress, _In_ PAGE_FAULT_EXCEPTION PageFaultCode)
 inject #PFs to the guest
 
VOID EventInjectBreakpoint ()
 Inject #BP to the guest (Event Injection)
 
VOID EventInjectInterruption (INTERRUPT_TYPE InterruptionType, EXCEPTION_VECTORS Vector, BOOLEAN DeliverErrorCode, UINT32 ErrorCode)
 Injects interruption to a guest.
 
VOID EventInjectGeneralProtection ()
 Inject #GP to the guest (Event Injection)
 
VOID EventInjectUndefinedOpcode (VIRTUAL_MACHINE_STATE *VCpu)
 Inject #UD to the guest (Invalid Opcode - Undefined Opcode)
 
VOID EventInjectNmi (VIRTUAL_MACHINE_STATE *VCpu)
 Inject NMI to the guest (Event Injection)
 
VOID EventInjectPageFaultWithoutErrorCode (UINT64 PageFaultAddress)
 Inject #PF to the guest (Page-Fault for EFER Injector)
 
VOID EventInjectDebugBreakpoint ()
 Inject Debug Breakpoint Exception.
 
VOID EventInjectPageFaultWithCr2 (VIRTUAL_MACHINE_STATE *VCpu, UINT64 Address, UINT32 PageFaultCode)
 Inject page-fault with an address as cr2.
 
VOID EventInjectPageFaultRangeAddress (VIRTUAL_MACHINE_STATE *VCpu, UINT64 AddressFrom, UINT64 AddressTo, UINT32 PageFaultCode)
 Inject a range of page-faults.
 

Detailed Description

Headers relating to Exception Bitmap and Event (Interrupt and Exception) Injection.

Author
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
Version
0.1
Date
2020-04-11
Copyright
This project is released under the GNU Public License v3.

Macro Definition Documentation

◆ EXCEPTION_BITMAP_MASK_ALL

#define EXCEPTION_BITMAP_MASK_ALL   0xffffffff

Exception bitmap for masking all exceptions/faults/traps.

◆ RESERVED_MSR_RANGE_HI

#define RESERVED_MSR_RANGE_HI   0x4000109F

Reserved MSR high range.

◆ RESERVED_MSR_RANGE_LOW

#define RESERVED_MSR_RANGE_LOW   0x40000000

Reserved MSR low range.

Typedef Documentation

◆ EVENT_INFORMATION

typedef struct _EVENT_INFORMATION EVENT_INFORMATION

Event information.

◆ INTERRUPT_INFO

typedef union _INTERRUPT_INFO INTERRUPT_INFO

Interrupt injection and event format.

◆ INTERRUPT_TYPE

typedef enum _INTERRUPT_TYPE INTERRUPT_TYPE

Type of interrupts.

◆ PEVENT_INFORMATION

typedef struct _EVENT_INFORMATION * PEVENT_INFORMATION

◆ PINTERRUPT_INFO

typedef union _INTERRUPT_INFO * PINTERRUPT_INFO

Enumeration Type Documentation

◆ _INTERRUPT_TYPE

enum _INTERRUPT_TYPE

Type of interrupts.

Enumerator
INTERRUPT_TYPE_EXTERNAL_INTERRUPT 
INTERRUPT_TYPE_RESERVED 
INTERRUPT_TYPE_NMI 
INTERRUPT_TYPE_HARDWARE_EXCEPTION 
INTERRUPT_TYPE_SOFTWARE_INTERRUPT 
INTERRUPT_TYPE_PRIVILEGED_SOFTWARE_INTERRUPT 
INTERRUPT_TYPE_SOFTWARE_EXCEPTION 
INTERRUPT_TYPE_OTHER_EVENT 
49{
50 INTERRUPT_TYPE_EXTERNAL_INTERRUPT = 0,
51 INTERRUPT_TYPE_RESERVED = 1,
52 INTERRUPT_TYPE_NMI = 2,
53 INTERRUPT_TYPE_HARDWARE_EXCEPTION = 3,
54 INTERRUPT_TYPE_SOFTWARE_INTERRUPT = 4,
55 INTERRUPT_TYPE_PRIVILEGED_SOFTWARE_INTERRUPT = 5,
56 INTERRUPT_TYPE_SOFTWARE_EXCEPTION = 6,
57 INTERRUPT_TYPE_OTHER_EVENT = 7
58} INTERRUPT_TYPE;
INTERRUPT_TYPE_HARDWARE_EXCEPTION
@ INTERRUPT_TYPE_HARDWARE_EXCEPTION
Definition Events.h:53
INTERRUPT_TYPE_EXTERNAL_INTERRUPT
@ INTERRUPT_TYPE_EXTERNAL_INTERRUPT
Definition Events.h:50
INTERRUPT_TYPE_PRIVILEGED_SOFTWARE_INTERRUPT
@ INTERRUPT_TYPE_PRIVILEGED_SOFTWARE_INTERRUPT
Definition Events.h:55
INTERRUPT_TYPE_SOFTWARE_EXCEPTION
@ INTERRUPT_TYPE_SOFTWARE_EXCEPTION
Definition Events.h:56
INTERRUPT_TYPE_RESERVED
@ INTERRUPT_TYPE_RESERVED
Definition Events.h:51
INTERRUPT_TYPE_NMI
@ INTERRUPT_TYPE_NMI
Definition Events.h:52
INTERRUPT_TYPE_SOFTWARE_INTERRUPT
@ INTERRUPT_TYPE_SOFTWARE_INTERRUPT
Definition Events.h:54
INTERRUPT_TYPE_OTHER_EVENT
@ INTERRUPT_TYPE_OTHER_EVENT
Definition Events.h:57
INTERRUPT_TYPE
enum _INTERRUPT_TYPE INTERRUPT_TYPE
Type of interrupts.

Function Documentation

◆ EventInjectBreakpoint()

VOID EventInjectBreakpoint ( )

Inject #BP to the guest (Event Injection)

Returns
VOID
47{
48 UINT32 ExitInstrLength;
49
50 EventInjectInterruption(INTERRUPT_TYPE_SOFTWARE_EXCEPTION, EXCEPTION_VECTOR_BREAKPOINT, FALSE, 0);
51
52 VmxVmread32P(VMCS_VMEXIT_INSTRUCTION_LENGTH, &ExitInstrLength);
53 VmxVmwrite64(VMCS_CTRL_VMENTRY_INSTRUCTION_LENGTH, ExitInstrLength);
54}
FALSE
#define FALSE
Definition BasicTypes.h:54
UINT32
unsigned int UINT32
Definition BasicTypes.h:48
EventInjectInterruption
VOID EventInjectInterruption(INTERRUPT_TYPE InterruptionType, EXCEPTION_VECTORS Vector, BOOLEAN DeliverErrorCode, UINT32 ErrorCode)
Injects interruption to a guest.
Definition Events.c:24
VmxVmwrite64
UCHAR VmxVmwrite64(size_t Field, UINT64 FieldValue)
VMX VMWRITE instruction (64-bit)
Definition Vmx.c:122
VmxVmread32P
UCHAR VmxVmread32P(size_t Field, UINT32 *FieldValue)
VMX VMREAD instruction (32-bit)
Definition Vmx.c:86
EXCEPTION_VECTOR_BREAKPOINT
@ EXCEPTION_VECTOR_BREAKPOINT
Definition Events.h:27

◆ EventInjectDebugBreakpoint()

VOID EventInjectDebugBreakpoint ( )

Inject Debug Breakpoint Exception.

Returns
VOID
113{
114 EventInjectInterruption(INTERRUPT_TYPE_HARDWARE_EXCEPTION, EXCEPTION_VECTOR_DEBUG_BREAKPOINT, FALSE, 0);
115}
EXCEPTION_VECTOR_DEBUG_BREAKPOINT
@ EXCEPTION_VECTOR_DEBUG_BREAKPOINT
Definition Events.h:25

◆ EventInjectGeneralProtection()

VOID EventInjectGeneralProtection ( )

Inject #GP to the guest (Event Injection)

Returns
VOID
63{
64 UINT32 ExitInstrLength;
65
66 EventInjectInterruption(INTERRUPT_TYPE_HARDWARE_EXCEPTION, EXCEPTION_VECTOR_GENERAL_PROTECTION_FAULT, TRUE, 0);
67
68 VmxVmread32P(VMCS_VMEXIT_INSTRUCTION_LENGTH, &ExitInstrLength);
69 VmxVmwrite64(VMCS_CTRL_VMENTRY_INSTRUCTION_LENGTH, ExitInstrLength);
70}
TRUE
#define TRUE
Definition BasicTypes.h:55
EXCEPTION_VECTOR_GENERAL_PROTECTION_FAULT
@ EXCEPTION_VECTOR_GENERAL_PROTECTION_FAULT
Definition Events.h:37

◆ EventInjectInterruption()

VOID EventInjectInterruption ( INTERRUPT_TYPE InterruptionType,
EXCEPTION_VECTORS Vector,
BOOLEAN DeliverErrorCode,
UINT32 ErrorCode )

Injects interruption to a guest.

Parameters
InterruptionTypeType of interrupt
VectorVector Number of Interrupt (IDT Index)
DeliverErrorCodeDeliver Error Code or Not
ErrorCodeError Code (If DeliverErrorCode is true)
Returns
VOID
25{
26 INTERRUPT_INFO Inject = {0};
27 Inject.Fields.Valid = TRUE;
28 Inject.Fields.InterruptType = InterruptionType;
29 Inject.Fields.Vector = Vector;
30 Inject.Fields.DeliverCode = DeliverErrorCode;
31
32 VmxVmwrite64(VMCS_CTRL_VMENTRY_INTERRUPTION_INFORMATION_FIELD, Inject.Flags);
33
34 if (DeliverErrorCode)
35 {
36 VmxVmwrite64(VMCS_CTRL_VMENTRY_EXCEPTION_ERROR_CODE, ErrorCode);
37 }
38}
_INTERRUPT_INFO
Interrupt injection and event format.
Definition Events.h:69
_INTERRUPT_INFO::Vector
UINT32 Vector
Definition Events.h:72
_INTERRUPT_INFO::DeliverCode
UINT32 DeliverCode
Definition Events.h:76
_INTERRUPT_INFO::Valid
UINT32 Valid
Definition Events.h:78
_INTERRUPT_INFO::Flags
UINT32 Flags
Definition Events.h:80
_INTERRUPT_INFO::InterruptType
UINT32 InterruptType
Definition Events.h:75
_INTERRUPT_INFO::Fields
struct _INTERRUPT_INFO::@7 Fields

◆ EventInjectInterruptOrException()

VOID EventInjectInterruptOrException ( _In_ VMEXIT_INTERRUPT_INFORMATION InterruptExit)

re-inject interrupt or exception to the guest

Parameters
InterruptExitinterrupt info from vm-exit
Returns
VOID
156{
157 UINT32 ErrorCode = 0;
158
159 //
160 // Re-inject it
161 //
162 VmxVmwrite64(VMCS_CTRL_VMENTRY_INTERRUPTION_INFORMATION_FIELD, InterruptExit.AsUInt);
163
164 //
165 // re-write error code (if any)
166 //
167 if (InterruptExit.ErrorCodeValid)
168 {
169 //
170 // Read the error code
171 //
172 VmxVmread32P(VMCS_VMEXIT_INTERRUPTION_ERROR_CODE, &ErrorCode);
173
174 //
175 // Write the error code
176 //
177 VmxVmwrite64(VMCS_CTRL_VMENTRY_EXCEPTION_ERROR_CODE, ErrorCode);
178 }
179}

◆ EventInjectNmi()

VOID EventInjectNmi ( VIRTUAL_MACHINE_STATE * VCpu)

Inject NMI to the guest (Event Injection)

Parameters
VCpuThe virtual processor's state
Returns
VOID
97{
98 EventInjectInterruption(INTERRUPT_TYPE_NMI, EXCEPTION_VECTOR_NMI, FALSE, 0);
99
100 //
101 // Suppress RIP increment
102 //
103 HvSuppressRipIncrement(VCpu);
104}
HvSuppressRipIncrement
VOID HvSuppressRipIncrement(VIRTUAL_MACHINE_STATE *VCpu)
Suppress the incrementation of RIP.
Definition Hv.c:324
EXCEPTION_VECTOR_NMI
@ EXCEPTION_VECTOR_NMI
Definition Events.h:26

◆ EventInjectPageFaultRangeAddress()

VOID EventInjectPageFaultRangeAddress ( VIRTUAL_MACHINE_STATE * VCpu,
UINT64 AddressFrom,
UINT64 AddressTo,
UINT32 PageFaultCode )

Inject a range of page-faults.

Parameters
VCpuThe virtual processor's state
AddressFromPage-fault address (from)
AddressToPage-fault address (to)
AddressPage-fault address
PageFaultCodePage-fault error code
Returns
VOID
241{
242 UNREFERENCED_PARAMETER(VCpu);
243
244 //
245 // Indicate that the VMM is waiting for interrupt-window to
246 // be opened to inject page-fault
247 //
248 g_WaitingForInterruptWindowToInjectPageFault = TRUE;
249
250 //
251 // Set the (from) address for page-fault injection
252 //
253 g_PageFaultInjectionAddressFrom = AddressFrom;
254
255 //
256 // Set the (to) address for page-fault injection
257 //
258 g_PageFaultInjectionAddressTo = AddressTo;
259
260 //
261 // Set the error code for page-fault injection
262 //
263 g_PageFaultInjectionErrorCode = PageFaultCode;
264
265 //
266 // Set interrupt-window exiting to TRUE
267 //
268 HvSetInterruptWindowExiting(TRUE);
269}
g_PageFaultInjectionAddressTo
UINT64 g_PageFaultInjectionAddressTo
The (to) address for page-fault injection.
Definition GlobalVariables.h:191
g_WaitingForInterruptWindowToInjectPageFault
BOOLEAN g_WaitingForInterruptWindowToInjectPageFault
Shows whether the the VMM is waiting to inject a page-fault or not.
Definition GlobalVariables.h:179
g_PageFaultInjectionAddressFrom
UINT64 g_PageFaultInjectionAddressFrom
The (from) address for page-fault injection.
Definition GlobalVariables.h:185
g_PageFaultInjectionErrorCode
UINT32 g_PageFaultInjectionErrorCode
The error code for page-fault injection.
Definition GlobalVariables.h:197
HvSetInterruptWindowExiting
VOID HvSetInterruptWindowExiting(BOOLEAN Set)
Set Interrupt-window exiting.
Definition Hv.c:606

◆ EventInjectPageFaults()

VOID EventInjectPageFaults ( _Inout_ VIRTUAL_MACHINE_STATE * VCpu,
_In_ VMEXIT_INTERRUPT_INFORMATION InterruptExit,
_In_ UINT64 PageFaultAddress,
_In_ PAGE_FAULT_EXCEPTION PageFaultCode )

inject #PFs to the guest

Parameters
VCpuThe virtual processor's state
InterruptExitinterrupt info from vm-exit
PageFaultAddressPage-fault address to be placed to cr2 register
PageFaultCodePage-fault error code
Returns
VOID
196{
197 //
198 // *** #PF is treated differently, we have to deal with cr2 too ***
199 //
200
201 //
202 // Cr2 is used as the page-fault address
203 //
204 __writecr2(PageFaultAddress);
205
206 HvSuppressRipIncrement(VCpu);
207
208 //
209 // Re-inject the interrupt/exception
210 //
211 VmxVmwrite64(VMCS_CTRL_VMENTRY_INTERRUPTION_INFORMATION_FIELD, InterruptExit.AsUInt);
212
213 //
214 // re-write error code (if any)
215 //
216 if (InterruptExit.ErrorCodeValid)
217 {
218 //
219 // Write the error code
220 //
221 VmxVmwrite64(VMCS_CTRL_VMENTRY_EXCEPTION_ERROR_CODE, PageFaultCode.AsUInt);
222 }
223}

◆ EventInjectPageFaultWithCr2()

VOID EventInjectPageFaultWithCr2 ( VIRTUAL_MACHINE_STATE * VCpu,
UINT64 Address,
UINT32 PageFaultCode )

Inject page-fault with an address as cr2.

Parameters
VCpuThe virtual processor's state
AddressPage-fault address
PageFaultCodePage-fault error code
Returns
VOID
282{
283 VMEXIT_INTERRUPT_INFORMATION InterruptInfo = {0};
284 PAGE_FAULT_EXCEPTION PageFaultErrorCode = {0};
285
286 //
287 // Configure the #PF injection
288 //
289
290 //
291 // InterruptExit [Type: _VMEXIT_INTERRUPT_INFO]
292 //
293 // [+0x000 ( 7: 0)] Vector : 0xe [Type: unsigned int]
294 // [+0x000 (10: 8)] InterruptionType : 0x3 [Type: unsigned int]
295 // [+0x000 (11:11)] ErrorCodeValid : 0x1 [Type: unsigned int]
296 // [+0x000 (12:12)] NmiUnblocking : 0x0 [Type: unsigned int]
297 // [+0x000 (30:13)] Reserved : 0x0 [Type: unsigned int]
298 // [+0x000 (31:31)] Valid : 0x1 [Type: unsigned int]
299 // [+0x000] Flags : 0x80000b0e [Type: unsigned int]
300 //
301 InterruptInfo.Vector = EXCEPTION_VECTOR_PAGE_FAULT;
302 InterruptInfo.InterruptionType = INTERRUPT_TYPE_HARDWARE_EXCEPTION;
303 InterruptInfo.ErrorCodeValid = TRUE;
304 InterruptInfo.NmiUnblocking = FALSE;
305 InterruptInfo.Valid = TRUE;
306
307 //
308 // Configure the page-fault error code
309 //
310 PageFaultErrorCode.AsUInt = PageFaultCode;
311
312 //
313 // Inject #PF
314 //
315 EventInjectPageFaults(VCpu,
316 InterruptInfo,
317 Address,
318 PageFaultErrorCode);
319}
EventInjectPageFaults
VOID EventInjectPageFaults(_Inout_ VIRTUAL_MACHINE_STATE *VCpu, _In_ VMEXIT_INTERRUPT_INFORMATION InterruptExit, _In_ UINT64 PageFaultAddress, _In_ PAGE_FAULT_EXCEPTION PageFaultCode)
inject #PFs to the guest
Definition Events.c:192
Address
UINT64 Address
Definition HyperDbgScriptImports.h:67
EXCEPTION_VECTOR_PAGE_FAULT
@ EXCEPTION_VECTOR_PAGE_FAULT
Definition Events.h:38

◆ EventInjectPageFaultWithoutErrorCode()

VOID EventInjectPageFaultWithoutErrorCode ( UINT64 PageFaultAddress)

Inject #PF to the guest (Page-Fault for EFER Injector)

Parameters
PageFaultAddressAddress of page fault
Returns
VOID
125{
126 PAGE_FAULT_EXCEPTION ErrorCode = {0};
127
128 //
129 // Write the page-fault address
130 //
131 __writecr2(PageFaultAddress);
132
133 //
134 // Make the error code
135 //
136 ErrorCode.Execute = 0;
137 ErrorCode.Present = 0;
138 ErrorCode.UserModeAccess = 0;
139 ErrorCode.Write = 0;
140
141 //
142 // Error code is from PAGE_FAULT_ERROR_CODE structure
143 //
144 EventInjectInterruption(INTERRUPT_TYPE_HARDWARE_EXCEPTION, EXCEPTION_VECTOR_PAGE_FAULT, TRUE, ErrorCode.AsUInt);
145}

◆ EventInjectUndefinedOpcode()

VOID EventInjectUndefinedOpcode ( VIRTUAL_MACHINE_STATE * VCpu)

Inject #UD to the guest (Invalid Opcode - Undefined Opcode)

Parameters
VCpuThe virtual processor's state
Returns
VOID
80{
81 EventInjectInterruption(INTERRUPT_TYPE_HARDWARE_EXCEPTION, EXCEPTION_VECTOR_UNDEFINED_OPCODE, FALSE, 0);
82
83 //
84 // Suppress RIP increment
85 //
86 HvSuppressRipIncrement(VCpu);
87}
EXCEPTION_VECTOR_UNDEFINED_OPCODE
@ EXCEPTION_VECTOR_UNDEFINED_OPCODE
Definition Events.h:30