HyperDbg Debugger
DpcRoutines.h File Reference

Definition for DPC functions.


Functions

BOOLEAN DpcRoutineEnableLbr (KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
 Broadcast enabling LBR.
BOOLEAN DpcRoutineDisableLbr (KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
 Broadcast disabling LBR.
BOOLEAN DpcRoutineFlushLbr (KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
 Broadcast flushing LBR.
BOOLEAN DpcRoutineFilterLbrOptions (KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
 Broadcast updating LBR filter options.
BOOLEAN DpcRoutineEnablePt (KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
 Broadcast enabling PT.
BOOLEAN DpcRoutineDisablePt (KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
 Broadcast disabling PT.
BOOLEAN DpcRoutinePausePt (KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
 Broadcast pausing PT.
BOOLEAN DpcRoutineResumePt (KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
 Broadcast resuming PT.
BOOLEAN DpcRoutineSizePt (KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
 Broadcast snapshotting per-CPU PT output position.
BOOLEAN DpcRoutineDumpPt (KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
 Broadcast dumping PT state.
BOOLEAN DpcRoutineFlushPt (KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
 Broadcast flushing PT state.
BOOLEAN DpcRoutineFilterPt (KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
 Broadcast applying a PT filter to all cores.

Detailed Description

Definition for DPC functions.

Author
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
Version
0.19
Date
2026-04-19

Function Documentation

◆ DpcRoutineDisableLbr()

BOOLEAN DpcRoutineDisableLbr ( KDPC * Dpc,
PVOID DeferredContext,
PVOID SystemArgument1,
PVOID SystemArgument2 )

Broadcast disabling LBR.

Parameters
Dpc
DeferredContext
SystemArgument1
SystemArgument2
Returns
BOOLEAN
// DPC body for the "disable LBR" broadcast: stops LBR collection (LbrStop), then
// passes FALSE to the same pair of VMCS-control callbacks that the enable routine
// passes TRUE to, and finally reports completion to the broadcaster.
80{
81 UNREFERENCED_PARAMETER(Dpc);
82 UNREFERENCED_PARAMETER(DeferredContext);
83
84 //
85 // Disable LBR on all cores from VMX-root mode by VMCALL
86 //
87 LbrStop();
88
89 //
90 // Check if the initialization is being done for hypervisor environment or not
91 // If it is, then we need to perform some additional steps to disable LBR in VMX
92 //
// NOTE(review): listing lines 93 and 95 (the two conditions guarding the blocks
// below) are absent from this extract. The page's reference list names
// g_RunningOnHypervisorEnvironment and g_ArchBasedLastBranchRecord, which are
// presumably what they test — confirm against the source file.
94 {
96 {
97 //
98 // Perform VMX-root mode specific operations to disable load and clear guest
99 // IA32_LBR_CTL MSR (VMCS_GUEST_LBR_CTL) for LBR
100 //
// NOTE(review): the g_Callbacks function pointers are invoked with no NULL check
// visible in this listing; presumably they are populated before any broadcast
// can run — confirm, since a DPC cannot recover from a null call.
101 g_Callbacks.VmFuncSetLoadGuestIa32LbrCtlVmcallOnTargetCore(FALSE);
102 g_Callbacks.VmFuncSetClearGuestIa32LbrCtlVmcallOnTargetCore(FALSE);
103 }
104 else
105 {
106 //
107 // Perform VMX-root mode specific operations to disable load and save
108 // VM-exit and VM-entry controls for IA32_DEBUGCTL for LBR
109 //
110 g_Callbacks.VmFuncSetSaveDebugControlsVmcallOnTargetCore(FALSE);
111 g_Callbacks.VmFuncSetLoadDebugControlsVmcallOnTargetCore(FALSE);
112 }
113 }
114
115 // ------------------------------------------------------------------------------
116 // Synchronize the end of this routine with the caller
117 //
118 PlatformBroadcastSynchronizeEndOfRoutine(SystemArgument1, SystemArgument2);
119
// The return value is unconditionally TRUE; no failure of the steps above is reported.
120 return TRUE;
121}
VOID LbrStop()
Stop collecting LBR branches.
Definition Lbr.c:983
VOID PlatformBroadcastSynchronizeEndOfRoutine(PVOID SystemArgument1, PVOID SystemArgument2)
This function synchronizes the function execution for a single core.
Definition PlatformBroadcast.c:24
#define TRUE
Definition BasicTypes.h:114
#define FALSE
Definition BasicTypes.h:113
HYPEREVADE_CALLBACKS g_Callbacks
List of callbacks.
Definition Transparency.h:23
BOOLEAN g_RunningOnHypervisorEnvironment
The flag indicating whether the initialization is being done for hypervisor environment or not.
Definition GlobalVariables.h:35
BOOLEAN g_ArchBasedLastBranchRecord
The flag indicating whether the architectural LBR is supported by the CPU or not if false it means th...
Definition GlobalVariables.h:42

◆ DpcRoutineDisablePt()

/**
 * @brief Broadcast disabling PT.
 *
 * DPC body for the "disable PT" broadcast: stops PT tracing through PtStop()
 * and then reports completion to the broadcaster.
 *
 * @param Dpc             Unused.
 * @param DeferredContext Unused.
 * @param SystemArgument1 Forwarded to PlatformBroadcastSynchronizeEndOfRoutine.
 * @param SystemArgument2 Forwarded to PlatformBroadcastSynchronizeEndOfRoutine.
 * @return BOOLEAN Always TRUE.
 */
BOOLEAN
DpcRoutineDisablePt(KDPC * Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
{
    UNREFERENCED_PARAMETER(DeferredContext);
    UNREFERENCED_PARAMETER(Dpc);

    /*
     * PtStop() is documented as acting on the CURRENT CPU and leaving the
     * accumulated trace data in the per-CPU output buffer, so captured data
     * remains in memory after this routine returns.
     */
    PtStop();

    /* Synchronize the end of this routine with the caller. */
    PlatformBroadcastSynchronizeEndOfRoutine(SystemArgument1, SystemArgument2);

    return TRUE;
}
VOID PtStop()
Stop PT tracing on the CURRENT CPU. Trace data accumulated in the per-CPU output buffer is left in pl...
Definition Pt.c:1255

◆ DpcRoutineDumpPt()

/**
 * @brief Broadcast dumping PT state.
 *
 * DPC body for the "dump PT" broadcast: calls PtDump(), which is documented
 * as printing the PT trace summary for the CURRENT CPU, and then reports
 * completion to the broadcaster.
 *
 * @param Dpc             Unused.
 * @param DeferredContext Unused.
 * @param SystemArgument1 Forwarded to PlatformBroadcastSynchronizeEndOfRoutine.
 * @param SystemArgument2 Forwarded to PlatformBroadcastSynchronizeEndOfRoutine.
 * @return BOOLEAN Always TRUE.
 */
BOOLEAN
DpcRoutineDumpPt(KDPC * Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
{
    UNREFERENCED_PARAMETER(DeferredContext);
    UNREFERENCED_PARAMETER(Dpc);

    /* Print this core's trace summary. */
    PtDump();

    /* Synchronize the end of this routine with the caller. */
    PlatformBroadcastSynchronizeEndOfRoutine(SystemArgument1, SystemArgument2);

    return TRUE;
}
VOID PtDump()
Print PT trace summary for the CURRENT CPU.
Definition Pt.c:1361

◆ DpcRoutineEnableLbr()

BOOLEAN DpcRoutineEnableLbr ( KDPC * Dpc,
PVOID DeferredContext,
PVOID SystemArgument1,
PVOID SystemArgument2 )

Broadcast enabling LBR.

Parameters
Dpc
DeferredContext
SystemArgument1
SystemArgument2
Returns
BOOLEAN
// DPC body for the "enable LBR" broadcast: passes TRUE to one of two pairs of
// VMCS-control callbacks, then (per the comments at listing lines 55-58) enables
// LBR, and finally reports completion to the broadcaster.
25{
26 UNREFERENCED_PARAMETER(Dpc);
27 UNREFERENCED_PARAMETER(DeferredContext);
28
29 //
30 // Check if the initialization is being done for hypervisor environment or not
31 // If it is, then we need to perform some additional steps to enable LBR in VMX
32 //
// NOTE(review): listing lines 33 and 35 (the two conditions guarding the blocks
// below) are absent from this extract; presumably they test the hypervisor-
// environment flag and the architectural-LBR flag — confirm against the source file.
34 {
36 {
37 //
38 // Perform VMX-root mode specific operations to load and clear guest
39 // IA32_LBR_CTL MSR (VMCS_GUEST_LBR_CTL) for LBR
40 //
41 g_Callbacks.VmFuncSetLoadGuestIa32LbrCtlVmcallOnTargetCore(TRUE);
42 g_Callbacks.VmFuncSetClearGuestIa32LbrCtlVmcallOnTargetCore(TRUE);
43 }
44 else
45 {
46 //
47 // Perform VMX-root mode specific operations to enable load and save
48 // VM-exit and VM-entry controls for IA32_DEBUGCTL for LBR
49 //
50 g_Callbacks.VmFuncSetSaveDebugControlsVmcallOnTargetCore(TRUE);
51 g_Callbacks.VmFuncSetLoadDebugControlsVmcallOnTargetCore(TRUE);
52 }
53 }
54
55 //
56 // Enable LBR on all cores from VMX-root mode by VMCALL
57 // By default, all filter options are disabled, which means all branch types will be captured
58 //
// NOTE(review): listing line 59, the call these comments describe, is absent from
// this extract. The page's reference list names LbrStart(UINT64 FilterOptions),
// which returns BOOLEAN, and LBR_SELECT_WITHOUT_FILTER; whether the result of that
// call is checked cannot be seen here — confirm against the source file.
60
61 // ------------------------------------------------------------------------------
62 // Synchronize the end of this routine with the caller
63 //
64 PlatformBroadcastSynchronizeEndOfRoutine(SystemArgument1, SystemArgument2);
65
// The return value is unconditionally TRUE; no failure of the steps above is reported.
66 return TRUE;
67}
BOOLEAN LbrStart(UINT64 FilterOptions)
Start collecting LBR branches.
Definition Lbr.c:903
#define LBR_SELECT_WITHOUT_FILTER
Definition Lbr.h:27

◆ DpcRoutineEnablePt()

/**
 * @brief Broadcast enabling PT.
 *
 * DPC body for the "enable PT" broadcast: starts PT tracing on the current
 * core through PtStart() and then reports completion to the broadcaster.
 *
 * @param Dpc             Unused.
 * @param DeferredContext Unused.
 * @param SystemArgument1 Forwarded to PlatformBroadcastSynchronizeEndOfRoutine.
 * @param SystemArgument2 Forwarded to PlatformBroadcastSynchronizeEndOfRoutine.
 * @return BOOLEAN Always TRUE, whatever PtStart() returned.
 */
BOOLEAN
DpcRoutineEnablePt(KDPC * Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
{
    UNREFERENCED_PARAMETER(DeferredContext);
    UNREFERENCED_PARAMETER(Dpc);

    /*
     * PT is currently driven by direct MSR writes from kernel context. If it
     * is later wired into the VMCS save/load controls, the matching
     * hypervisor helpers belong here, as in DpcRoutineEnableLbr.
     *
     * NOTE(review): PtStart() returns BOOLEAN and the result is discarded, so
     * a core on which tracing did not start is indistinguishable from one on
     * which it did. PtStart is documented as requiring buffers already
     * allocated by PtAllocateAllCpuBuffers; presumably the broadcaster
     * guarantees that before queuing this DPC — confirm.
     */
    PtStart();

    /* Synchronize the end of this routine with the caller. */
    PlatformBroadcastSynchronizeEndOfRoutine(SystemArgument1, SystemArgument2);

    return TRUE;
}
BOOLEAN PtStart()
Start PT tracing on the CURRENT CPU. Buffers must already be allocated by PtAllocateAllCpuBuffers (ca...
Definition Pt.c:1215

◆ DpcRoutineFilterLbrOptions()

/**
 * @brief Broadcast updating LBR filter options.
 *
 * DPC body for the "filter LBR" broadcast: hands the filter options to
 * LbrFilter() and then reports completion to the broadcaster.
 *
 * @param Dpc             Unused.
 * @param DeferredContext The filter options themselves, carried in the
 *                        pointer-sized argument and cast to UINT64; it is
 *                        never dereferenced here.
 * @param SystemArgument1 Forwarded to PlatformBroadcastSynchronizeEndOfRoutine.
 * @param SystemArgument2 Forwarded to PlatformBroadcastSynchronizeEndOfRoutine.
 * @return BOOLEAN Always TRUE.
 */
BOOLEAN
DpcRoutineFilterLbrOptions(KDPC * Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
{
    UINT64 FilterOptions = (UINT64)DeferredContext;

    UNREFERENCED_PARAMETER(Dpc);

    /*
     * Apply the LBR filter options. The value is passed through unchanged;
     * any validation of the bits would have to happen in LbrFilter() or in
     * the broadcaster, neither of which is visible here.
     */
    LbrFilter(FilterOptions);

    /* Synchronize the end of this routine with the caller. */
    PlatformBroadcastSynchronizeEndOfRoutine(SystemArgument1, SystemArgument2);

    return TRUE;
}
VOID LbrFilter(UINT64 FilterOptions)
Filter LBR branches based on the provided options.
Definition Lbr.c:1070

◆ DpcRoutineFilterPt()

/**
 * @brief Broadcast applying a PT filter to all cores.
 *
 * DeferredContext carries the PT_FILTER_OPTIONS * supplied by the
 * broadcaster; PtFilter writes the user-tunable fields into the current
 * CPU's per-CPU PT_TRACE_CONFIG and reprograms PT MSRs.
 *
 * @param Dpc             Unused.
 * @param DeferredContext Pointer to the PT_FILTER_OPTIONS to apply.
 * @param SystemArgument1 Forwarded to PlatformBroadcastSynchronizeEndOfRoutine.
 * @param SystemArgument2 Forwarded to PlatformBroadcastSynchronizeEndOfRoutine.
 * @return BOOLEAN Always TRUE.
 */
BOOLEAN
DpcRoutineFilterPt(KDPC * Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
{
    const PT_FILTER_OPTIONS * Options = (const PT_FILTER_OPTIONS *)DeferredContext;

    UNREFERENCED_PARAMETER(Dpc);

    /*
     * NOTE(review): the pointer is forwarded without a NULL check here;
     * whether PtFilter() tolerates NULL is not visible in this listing.
     * The options are shared by every core's DPC, so the broadcaster has to
     * keep them valid and unmodified until all cores have completed —
     * presumably what the end-of-routine synchronisation below provides;
     * confirm.
     */
    PtFilter(Options);

    /* Synchronize the end of this routine with the caller. */
    PlatformBroadcastSynchronizeEndOfRoutine(SystemArgument1, SystemArgument2);

    return TRUE;
}
struct _PT_FILTER_OPTIONS PT_FILTER_OPTIONS
Narrow input descriptor for PtFilter.

◆ DpcRoutineFlushLbr()

/**
 * @brief Broadcast flushing LBR.
 *
 * DPC body for the "flush LBR" broadcast: calls LbrFlush(), which is
 * documented as disabling LBR and clearing all LBR entries, and then
 * reports completion to the broadcaster.
 *
 * @param Dpc             Unused.
 * @param DeferredContext Unused.
 * @param SystemArgument1 Forwarded to PlatformBroadcastSynchronizeEndOfRoutine.
 * @param SystemArgument2 Forwarded to PlatformBroadcastSynchronizeEndOfRoutine.
 * @return BOOLEAN Always TRUE.
 */
BOOLEAN
DpcRoutineFlushLbr(KDPC * Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
{
    UNREFERENCED_PARAMETER(DeferredContext);
    UNREFERENCED_PARAMETER(Dpc);

    /* Flush LBR; recorded branch entries are cleared by this call. */
    LbrFlush();

    /* Synchronize the end of this routine with the caller. */
    PlatformBroadcastSynchronizeEndOfRoutine(SystemArgument1, SystemArgument2);

    return TRUE;
}
VOID LbrFlush()
Flush LBR MSRs by disabling LBR and clearing all LBR entries.
Definition Lbr.c:1041

◆ DpcRoutineFlushPt()

/**
 * @brief Broadcast flushing PT state.
 *
 * DPC body for the "flush PT" broadcast: calls PtFlush(), which is
 * documented as disabling tracing on the CURRENT CPU and clearing the
 * bytes-captured counter, and then reports completion to the broadcaster.
 *
 * @param Dpc             Unused.
 * @param DeferredContext Unused.
 * @param SystemArgument1 Forwarded to PlatformBroadcastSynchronizeEndOfRoutine.
 * @param SystemArgument2 Forwarded to PlatformBroadcastSynchronizeEndOfRoutine.
 * @return BOOLEAN Always TRUE.
 */
BOOLEAN
DpcRoutineFlushPt(KDPC * Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
{
    UNREFERENCED_PARAMETER(DeferredContext);
    UNREFERENCED_PARAMETER(Dpc);

    /*
     * NOTE(review): the description of PtFlush() mentions the counter being
     * cleared; whether the trace bytes already in the output buffer are also
     * wiped is not visible here — confirm if stale trace data matters.
     */
    PtFlush();

    /* Synchronize the end of this routine with the caller. */
    PlatformBroadcastSynchronizeEndOfRoutine(SystemArgument1, SystemArgument2);

    return TRUE;
}
VOID PtFlush()
Flush PT trace state on the CURRENT CPU — disables tracing and clears the bytes-captured counter so t...
Definition Pt.c:1491

◆ DpcRoutinePausePt()

/**
 * @brief Broadcast pausing PT.
 *
 * DPC body for the "pause PT" broadcast: calls PtPause(), which is
 * documented as pausing tracing on the CURRENT CPU while preserving buffer
 * state for a later PtResume, and then reports completion to the broadcaster.
 *
 * @param Dpc             Unused.
 * @param DeferredContext Unused.
 * @param SystemArgument1 Forwarded to PlatformBroadcastSynchronizeEndOfRoutine.
 * @param SystemArgument2 Forwarded to PlatformBroadcastSynchronizeEndOfRoutine.
 * @return BOOLEAN Always TRUE.
 */
BOOLEAN
DpcRoutinePausePt(KDPC * Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
{
    UNREFERENCED_PARAMETER(DeferredContext);
    UNREFERENCED_PARAMETER(Dpc);

    /* Pause tracing on this core; the buffer contents are kept. */
    PtPause();

    /* Synchronize the end of this routine with the caller. */
    PlatformBroadcastSynchronizeEndOfRoutine(SystemArgument1, SystemArgument2);

    return TRUE;
}
VOID PtPause()
Pause PT tracing on the CURRENT CPU. Buffer state is preserved so a subsequent PtResume picks up wher...
Definition Pt.c:1276

◆ DpcRoutineResumePt()

/**
 * @brief Broadcast resuming PT.
 *
 * DPC body for the "resume PT" broadcast: calls PtResume(), which is
 * documented as resuming tracing on the CURRENT CPU after a prior PtPause,
 * and then reports completion to the broadcaster.
 *
 * @param Dpc             Unused.
 * @param DeferredContext Unused.
 * @param SystemArgument1 Forwarded to PlatformBroadcastSynchronizeEndOfRoutine.
 * @param SystemArgument2 Forwarded to PlatformBroadcastSynchronizeEndOfRoutine.
 * @return BOOLEAN Always TRUE.
 */
BOOLEAN
DpcRoutineResumePt(KDPC * Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
{
    UNREFERENCED_PARAMETER(DeferredContext);
    UNREFERENCED_PARAMETER(Dpc);

    /*
     * NOTE(review): nothing here checks that this core was actually paused
     * beforehand; presumably PtResume() or the broadcaster enforces the
     * pause/resume pairing — confirm.
     */
    PtResume();

    /* Synchronize the end of this routine with the caller. */
    PlatformBroadcastSynchronizeEndOfRoutine(SystemArgument1, SystemArgument2);

    return TRUE;
}
VOID PtResume()
Resume PT tracing on the CURRENT CPU after a prior PtPause.
Definition Pt.c:1296

◆ DpcRoutineSizePt()

/**
 * @brief Broadcast snapshotting per-CPU PT output position.
 *
 * DeferredContext is a UINT64 array (one slot per active CPU); each
 * per-core DPC writes its own core's byte count and never touches another
 * slot, so no synchronisation is required.
 *
 * @param Dpc             Unused.
 * @param DeferredContext UINT64 array indexed by processor number; may be NULL,
 *                        in which case nothing is written.
 * @param SystemArgument1 Forwarded to PlatformBroadcastSynchronizeEndOfRoutine.
 * @param SystemArgument2 Forwarded to PlatformBroadcastSynchronizeEndOfRoutine.
 * @return BOOLEAN Always TRUE.
 */
BOOLEAN
DpcRoutineSizePt(KDPC * Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
{
    UINT64 * SlotArray = (UINT64 *)DeferredContext;
    UINT32   CoreIndex = KeGetCurrentProcessorNumberEx(NULL);

    UNREFERENCED_PARAMETER(Dpc);

    /*
     * The index is bounded by PT_MAX_CPUS_FOR_MMAP, not by the array's real
     * length, which this routine cannot see.
     *
     * NOTE(review): the broadcaster must therefore allocate the array so that
     * every index passing this guard is in bounds — confirm at the allocation
     * site. When the guard fails the slot is left unwritten, so the caller
     * reads whatever the buffer held before; presumably it is zero-initialised
     * — confirm.
     */
    if (SlotArray != NULL && CoreIndex < PT_MAX_CPUS_FOR_MMAP)
    {
        SlotArray[CoreIndex] = PtSize();
    }

    /* Synchronize the end of this routine with the caller. */
    PlatformBroadcastSynchronizeEndOfRoutine(SystemArgument1, SystemArgument2);

    return TRUE;
}
unsigned int UINT32
Definition BasicTypes.h:54
#define PT_MAX_CPUS_FOR_MMAP
Definition PtDefinitions.h:60
UINT64 PtSize()
Snapshot the current PT output position on the CURRENT CPU without disturbing tracing state....
Definition Pt.c:1320