HyperDbg Debugger
Common.c File Reference

Routines for common tasks in debugger. More...

#include "pch.h"

Functions

BOOLEAN CommonIsProcessExist (UINT32 ProcId)
 Checks whether the process with ProcId exists or not.
 
_Use_decl_annotations_ NTSTATUS CommonGetHandleFromProcess (UINT32 ProcessId, PHANDLE Handle)
 Get handle from Process Id.
 
PCHAR CommonGetProcessNameFromProcessControlBlock (PEPROCESS Eprocess)
 Get process name by eprocess.
 
NTSTATUS CommonUndocumentedNtOpenProcess (PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, HANDLE ProcessId, KPROCESSOR_MODE AccessMode)
 The undocumented way of NtOpenProcess.
 
_Use_decl_annotations_ BOOLEAN CommonKillProcess (UINT32 ProcessId, PROCESS_KILL_METHODS KillingMethod)
 Kill a user-mode process with different methods.
 
_Use_decl_annotations_ BOOLEAN CommonValidateCoreNumber (UINT32 CoreNumber)
 Validate core number.
 

Detailed Description

Routines for common tasks in debugger.

Author
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
Version
0.2
Date
2023-01-22

Function Documentation

◆ CommonGetHandleFromProcess()

/**
 * @brief Get handle from Process Id.
 *
 * @details Opens the process identified by ProcessId through ZwOpenProcess,
 * requesting PROCESS_ALL_ACCESS. On success the handle stored in *Handle is
 * owned by the caller, who is responsible for closing it (ZwClose).
 *
 * NOTE(review): the object attributes are empty (attributes 0, so no
 * OBJ_KERNEL_HANDLE); the handle is therefore created in the handle table of
 * whatever process context the caller runs in — confirm every caller invokes
 * this where that is intended.
 *
 * @param ProcessId Target process id
 * @param Handle Receives the opened process handle on success
 * @return NTSTATUS Result of ZwOpenProcess
 */
_Use_decl_annotations_
NTSTATUS
CommonGetHandleFromProcess(UINT32 ProcessId, PHANDLE Handle)
{
    OBJECT_ATTRIBUTES Attributes = {0};
    CLIENT_ID         ClientId   = {0};

    InitializeObjectAttributes(&Attributes, NULL, 0, NULL, NULL);

    //
    // Only the process is addressed; UniqueThread is left zero
    //
    ClientId.UniqueProcess = (HANDLE)ProcessId;
    ClientId.UniqueThread  = (HANDLE)0;

    return ZwOpenProcess(Handle, PROCESS_ALL_ACCESS, &Attributes, &ClientId);
}

◆ CommonGetProcessNameFromProcessControlBlock()

/**
 * @brief Get process name by eprocess.
 *
 * @details Returns the image file name that PsGetProcessImageFileName reads
 * out of the process object. The pointer refers to storage owned by that
 * object, not a copy, so it is only meaningful while Eprocess stays
 * referenced. NOTE(review): this is the short image name kept in the
 * EPROCESS, not a full path, and Eprocess is not validated here — callers
 * must pass a non-NULL, referenced process object.
 *
 * We can't use PsLookupProcessByProcessId as it is pageable and does not
 * work on vmx-root.
 *
 * @param Eprocess Process eprocess
 * @return PCHAR Returns a pointer to the process name
 */
PCHAR
CommonGetProcessNameFromProcessControlBlock(PEPROCESS Eprocess)
{
    //
    // PsGetProcessImageFileName yields UCHAR *; expose it as the CHAR *
    // this routine is declared to return
    //
    return (CHAR *)PsGetProcessImageFileName(Eprocess);
}
char CHAR
Definition BasicTypes.h:31
UCHAR * PsGetProcessImageFileName(IN PEPROCESS Process)

◆ CommonIsProcessExist()

/**
 * @brief Checks whether the process with ProcId exists or not.
 *
 * @details Resolves the id with PsLookupProcessByProcessId and, when that
 * succeeds, immediately drops the reference the lookup took. This function
 * should NOT be called from vmx-root mode (the lookup does not work there).
 *
 * @param ProcId Process id to check
 * @return BOOLEAN Returns TRUE if the process exists and FALSE if it does not
 */
BOOLEAN
CommonIsProcessExist(UINT32 ProcId)
{
    PEPROCESS Eprocess = NULL;
    NTSTATUS  LookupStatus;

    LookupStatus = PsLookupProcessByProcessId((HANDLE)ProcId, &Eprocess);

    //
    // Any failure is reported as "does not exist"; the id was probably not found
    //
    if (LookupStatus != STATUS_SUCCESS)
    {
        return FALSE;
    }

    //
    // The lookup referenced the object and we only needed to know it is there
    //
    ObDereferenceObject(Eprocess);

    return TRUE;
}
#define TRUE
Definition BasicTypes.h:55
#define FALSE
Definition BasicTypes.h:54

◆ CommonKillProcess()

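/**
 * @brief Terminate a process through an already opened handle, then close it.
 *
 * @details Shared tail of PROCESS_KILL_METHOD_1 and PROCESS_KILL_METHOD_2.
 * The handle is closed on every path, so neither a successful nor a failed
 * ZwTerminateProcess leaks it.
 *
 * @param ProcessHandle Handle to the target process; consumed by this call
 * @return BOOLEAN TRUE if ZwTerminateProcess succeeded
 */
static BOOLEAN
CommonTerminateProcessByHandle(HANDLE ProcessHandle)
{
    NTSTATUS Status;

    //
    // Exit status 0 is recorded for the terminated process
    //
    Status = ZwTerminateProcess(ProcessHandle, 0);

    ZwClose(ProcessHandle);

    return NT_SUCCESS(Status) ? TRUE : FALSE;
}

/**
 * @brief Kill a user-mode process with different methods.
 *
 * @details
 *  - PROCESS_KILL_METHOD_1: open the process with CommonGetHandleFromProcess
 *    (ZwOpenProcess) and call ZwTerminateProcess on the handle.
 *  - PROCESS_KILL_METHOD_2: open the process with
 *    CommonUndocumentedNtOpenProcess and call ZwTerminateProcess on the handle.
 *  - PROCESS_KILL_METHOD_3: look the process object up and unmap its
 *    executable image with MmUnmapViewOfSection; no terminate API is called,
 *    the process is presumably brought down by faulting once its image is gone.
 *
 * Every handle or object reference taken here is released before returning.
 *
 * @param ProcessId Target process id; NULL_ZERO is rejected
 * @param KillingMethod One of PROCESS_KILL_METHODS
 * @return BOOLEAN TRUE if the selected method completed successfully
 */
_Use_decl_annotations_
BOOLEAN
CommonKillProcess(UINT32 ProcessId, PROCESS_KILL_METHODS KillingMethod)
{
    NTSTATUS  Status        = STATUS_SUCCESS;
    HANDLE    ProcessHandle = NULL;
    PEPROCESS Process       = NULL;

    if (ProcessId == NULL_ZERO)
    {
        return FALSE;
    }

    switch (KillingMethod)
    {
    case PROCESS_KILL_METHOD_1:

        Status = CommonGetHandleFromProcess(ProcessId, &ProcessHandle);

        if (!NT_SUCCESS(Status) || ProcessHandle == NULL)
        {
            return FALSE;
        }

        return CommonTerminateProcessByHandle(ProcessHandle);

    case PROCESS_KILL_METHOD_2:

        Status = CommonUndocumentedNtOpenProcess(
            &ProcessHandle,
            PROCESS_ALL_ACCESS,
            (HANDLE)ProcessId,
            KernelMode);

        if (!NT_SUCCESS(Status) || ProcessHandle == NULL)
        {
            return FALSE;
        }

        return CommonTerminateProcessByHandle(ProcessHandle);

    case PROCESS_KILL_METHOD_3:

        //
        // Resolve the EPROCESS first: both the unmap and the dereference
        // below need a referenced, non-NULL process object
        //
        Status = PsLookupProcessByProcessId((HANDLE)ProcessId, &Process);

        if (!NT_SUCCESS(Status) || Process == NULL)
        {
            return FALSE;
        }

        //
        // Get the base address of process's executable image and unmap it
        //
        Status = MmUnmapViewOfSection(Process, PsGetProcessSectionBaseAddress(Process));

        //
        // Dereference the target process (reference taken by the lookup above)
        //
        ObDereferenceObject(Process);

        return NT_SUCCESS(Status) ? TRUE : FALSE;

    default:

        //
        // Unknown killing method
        //
        return FALSE;
    }
}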
#define NULL_ZERO
Definition BasicTypes.h:51
_Use_decl_annotations_ NTSTATUS CommonGetHandleFromProcess(UINT32 ProcessId, PHANDLE Handle)
Get handle from Process Id.
Definition Common.c:52
NTSTATUS CommonUndocumentedNtOpenProcess(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, HANDLE ProcessId, KPROCESSOR_MODE AccessMode)
The undocumented way of NtOpenProcess.
Definition Common.c:98
NTSTATUS MmUnmapViewOfSection(PEPROCESS Process, PVOID BaseAddress)
@ PROCESS_KILL_METHOD_2
Definition Common.h:66
@ PROCESS_KILL_METHOD_1
Definition Common.h:65
@ PROCESS_KILL_METHOD_3
Definition Common.h:67
PVOID PsGetProcessSectionBaseAddress(PEPROCESS Process)
NULL()
Definition test-case-generator.py:530

◆ CommonUndocumentedNtOpenProcess()

/**
 * @brief The undocumented way of NtOpenProcess.
 *
 * @details Builds an ACCESS_STATE for DesiredAccess, then records the whole
 * request as already granted (RemainingDesiredAccess is folded into
 * PreviouslyGrantedAccess and cleared) before opening the process object
 * with ObOpenObjectByPointer. The evident intent is that the object manager
 * has nothing left to access-check on the open; this is a security-sensitive
 * primitive and should stay reachable only from trusted kernel callers.
 *
 * NOTE(review): the GENERIC_MAPPING is read at a hard-coded byte offset (52)
 * inside the opaque OBJECT_TYPE behind *PsProcessType, and AuxData is a fixed
 * 0x200-byte stack buffer standing in for the auxiliary data that
 * SeCreateAccessState expects; both depend on the kernel build's internal
 * layout and need verifying on every supported Windows version. The handle
 * attributes passed to ObOpenObjectByPointer are 0 (no OBJ_KERNEL_HANDLE),
 * so the handle is created in the current process context's handle table.
 *
 * @param ProcessHandle Receives the opened handle on success
 * @param DesiredAccess Access mask requested for the handle
 * @param ProcessId Target process id (as a HANDLE)
 * @param AccessMode Previous mode the handle is created for (KernelMode/UserMode)
 * @return NTSTATUS Status of the access-state creation, the lookup or the open
 */
NTSTATUS
CommonUndocumentedNtOpenProcess(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, HANDLE ProcessId, KPROCESSOR_MODE AccessMode)
{
    NTSTATUS     Status = STATUS_SUCCESS;
    ACCESS_STATE AccessState;
    CHAR         AuxData[0x200] = {0};
    PEPROCESS    ProcessObject  = NULL;
    HANDLE       ProcHandle     = NULL;

    //
    // The generic mapping lives inside the opaque OBJECT_TYPE; the offset is
    // layout-specific (see the note above)
    //
    Status = SeCreateAccessState(
        &AccessState,
        AuxData,
        DesiredAccess,
        (PGENERIC_MAPPING)((PCHAR)*PsProcessType + 52));

    if (!NT_SUCCESS(Status))
    {
        return Status;
    }

    //
    // Everything still to be checked is marked as granted, leaving the open
    // below with nothing to evaluate
    //
    AccessState.PreviouslyGrantedAccess |= AccessState.RemainingDesiredAccess;
    AccessState.RemainingDesiredAccess = 0;

    Status = PsLookupProcessByProcessId(ProcessId, &ProcessObject);

    if (!NT_SUCCESS(Status))
    {
        SeDeleteAccessState(&AccessState);
        return Status;
    }

    Status = ObOpenObjectByPointer(
        ProcessObject,
        0,
        &AccessState,
        0,
        *PsProcessType,
        AccessMode,
        &ProcHandle);

    //
    // The access state and the lookup's reference are released whether or
    // not the open succeeded
    //
    SeDeleteAccessState(&AccessState);

    ObDereferenceObject(ProcessObject);

    if (NT_SUCCESS(Status))
        *ProcessHandle = ProcHandle;

    return Status;
}
PHANDLE ACCESS_MASK DesiredAccess
Definition Hooks.h:130
NTKERNELAPI VOID NTAPI SeDeleteAccessState(PACCESS_STATE AccessState)
NTKERNELAPI NTSTATUS NTAPI SeCreateAccessState(PACCESS_STATE AccessState, PVOID AuxData, ACCESS_MASK DesiredAccess, PGENERIC_MAPPING Mapping)

◆ CommonValidateCoreNumber()

/**
 * @brief Validate core number.
 *
 * @details A core number is valid when it is strictly below the active
 * processor count reported by KeQueryActiveProcessorCount (0 is passed for
 * its optional output argument, as in the original call).
 *
 * @param CoreNumber Zero-based core index to validate
 * @return BOOLEAN TRUE if CoreNumber is below the active processor count,
 * FALSE otherwise
 */
_Use_decl_annotations_
BOOLEAN
CommonValidateCoreNumber(UINT32 CoreNumber)
{
    ULONG ActiveCores = KeQueryActiveProcessorCount(0);

    return (CoreNumber < ActiveCores) ? TRUE : FALSE;
}
unsigned long ULONG
Definition BasicTypes.h:37