HyperDbg Debugger
Events.h
1
12#pragma once
13
15// System Events //
17
67
69// Callback Enums //
71
85
87// Event Details //
89
95{
96
97 //
98 // EPT Memory Monitoring Events
99 //
107
108 //
109 // EPT Hook Events
110 //
113
114 //
115 // System-call Events
116 //
119
120 //
121 // CPUID Instruction Execution Events
122 //
124
125 //
126 // Model-Specific Registers (MSRs) Reads/Modifications Events
127 //
130
131 //
132 // PMIO Events
133 //
136
137 //
138 // Interrupts/Exceptions/Faults Events
139 //
142
143 //
144 // Debug Registers Events
145 //
147
148 //
149 // Timing & Performance Events
150 //
153
154 //
155 // VMCALL Instruction Execution Events
156 //
158
159 //
160 // Control Registers Events
161 //
165
166 //
167 // Execution Trap Events
168 //
171
172 //
173 // XSETBV Instruction Execution Events
174 //
176
178
190
201
214
227
239
// Request for modifying events (enable/disable/clear).
// NOTE(review): KernelStatus suggests this buffer travels from a requester to
// the kernel side and back; the handler presumably has to validate Tag and
// TypeOfAction before acting on them - confirm against the handler.
244typedef struct _DEBUGGER_MODIFY_EVENTS
245{
246 UINT64 Tag; // Tag of the target event that we want to modify
247 UINT64 KernelStatus; // The kernel puts the status of the request in this field
249 TypeOfAction; // Requested action (query state | enable | disable | clear)
250 BOOLEAN IsEnabled; // NOTE(review): the original comment repeated TypeOfAction's text; presumably this carries the event's enabled state for a query-state request - confirm
251
253
// Byte size of DEBUGGER_MODIFY_EVENTS as given by sizeof.
254#define SIZEOF_DEBUGGER_MODIFY_EVENTS sizeof(DEBUGGER_MODIFY_EVENTS)
255
// Request for performing a short-circuiting event.
261{
262 UINT64 KernelStatus; // The kernel puts the status of the request in this field
263 BOOLEAN IsShortCircuiting; // Determines whether to perform short-circuiting (on | off)
264
266
268// Event Options //
270
// Optional parameters attached to an event; the member index shows this type
// embedded as the Options field of DEBUGGER_GENERAL_EVENT_DETAIL.
// NOTE(review): the generated brief for this struct repeats the
// short-circuiting request's text, which looks copy-pasted - confirm.
// NOTE(review): nothing here says how each parameter is interpreted;
// presumably that depends on the event type, so the consumer should
// range-check each value for the event it is applied to - confirm.
275typedef struct _DEBUGGER_EVENT_OPTIONS
276{
277 UINT64 OptionalParam1; // Optional parameter 1
278 UINT64 OptionalParam2; // Optional parameter 2
279 UINT64 OptionalParam3; // Optional parameter 3
280 UINT64 OptionalParam4; // Optional parameter 4
281 UINT64 OptionalParam5; // Optional parameter 5
282 UINT64 OptionalParam6; // Optional parameter 6
283
285
287// Enums For Event And Debugger Resources //
289
// Things to consider when applying resources.
295{
296 //
297 // for exception bitmap
298 //
302
303 //
304 // for external-interrupt exiting
305 //
307
308 //
309 // for RDTSC/RDTSCP exiting
310 //
312
313 //
314 // for MOV to hardware debug registers exiting
315 //
317
318 //
319 // for MOV to control registers exiting
320 //
322
324
346
348// Event Details //
350
// General description of one event; per the generated brief it is also used
// for tracing work in user mode.
357{
358 LIST_ENTRY
359 CommandsEventList; // Linked-list entry for the list of commands (used for tracing purposes
360 // in user mode)
361
362 UINT32 CoreId; // determines the core index to apply this event to;
363 // 0xffffffff means that we have to apply it to all cores
364
365 UINT32 ProcessId; // determines the process id to apply this event to;
366 // 0xffffffff means that we have to
367 // apply it to all processes
368
370
371 BOOLEAN EnableShortCircuiting; // indicates whether short-circuiting
372 // is enabled or not for this event
373
374 VMM_CALLBACK_EVENT_CALLING_STAGE_TYPE EventStage; // reveals the calling stage of the event
375 // (whether it's an all-, pre- or post- event)
376
377 BOOLEAN HasCustomOutput; // Shows whether this event has a custom output
378 // source or not
379
380 UINT64
383 // multiple
384 // sources which
385 // can be used to
386 // send the event
387 // results of
388 // scripts to
389 // remote sources
390
392
393 UINT64 Tag; // is the same as the operation code
395
397
399
401
403
// NOTE(review): the member index for this struct also lists CountOfActions,
// ConditionBufferSize and CommandStringBuffer, which this rendering dropped.
// They are a count, a length and a pointer carried inside the request, so
// the consumer presumably has to bounds-check them against the real buffer
// length instead of relying on this sizeof alone - confirm against the handler.
404#define SIZEOF_DEBUGGER_GENERAL_EVENT_DETAIL sizeof(DEBUGGER_GENERAL_EVENT_DETAIL)
405
// Description of one action; each event can have multiple actions.
412typedef struct _DEBUGGER_GENERAL_ACTION
413{
414 UINT64 EventTag; // presumably the Tag of the event this action belongs to - confirm
418
422
424
// NOTE(review): the member index for this struct also lists PreAllocatedBuffer,
// CustomCodeBufferSize, ScriptBufferSize and ScriptBufferPointer (all UINT32),
// which this rendering dropped. ScriptBufferPointer being 32-bit suggests an
// offset rather than an address - confirm. These sizes arrive with the request,
// so the consumer presumably has to check that each one (and any offset plus
// size) stays inside the supplied buffer - confirm against the handler.
425#define SIZEOF_DEBUGGER_GENERAL_ACTION sizeof(DEBUGGER_GENERAL_ACTION)
426
// Result of registering an event or action (generated brief: "Status of
// register buffers"). The member index lists IsSuccessful before Error.
432{
434 UINT32 Error; // Meaningful when IsSuccessful is FALSE
435
437
// NOTE(review): this macro takes sizeof(REGISTER_NOTIFY_BUFFER), a type that is
// not declared anywhere on this page, while the struct just above is
// DEBUGGER_EVENT_AND_ACTION_RESULT. If callers use it to size or validate that
// struct's buffer, the two sizes may differ - confirm which type is intended.
438#define SIZEOF_REGISTER_EVENT sizeof(REGISTER_NOTIFY_BUFFER)
UCHAR BOOLEAN
Definition BasicTypes.h:35
void * PVOID
Definition BasicTypes.h:56
unsigned int UINT32
Definition BasicTypes.h:54
#define DebuggerOutputSourceMaximumRemoteSourceForSingleEvent
Determines how many sources a debugger can have for a single event.
Definition Constants.h:251
enum _VMM_CALLBACK_EVENT_CALLING_STAGE_TYPE VMM_CALLBACK_EVENT_CALLING_STAGE_TYPE
Type of calling the event.
enum _EXCEPTION_VECTORS EXCEPTION_VECTORS
Exceptions enum.
enum _PROTECTED_HV_RESOURCES_TYPE PROTECTED_HV_RESOURCES_TYPE
Type of protected (multi-used) resources.
struct _DEBUGGER_SHORT_CIRCUITING_EVENT * PDEBUGGER_SHORT_CIRCUITING_EVENT
enum _VMM_CALLBACK_TRIGGERING_EVENT_STATUS_TYPE VMM_CALLBACK_TRIGGERING_EVENT_STATUS_TYPE
The status of triggering events.
_VMM_CALLBACK_TRIGGERING_EVENT_STATUS_TYPE
The status of triggering events.
Definition Events.h:77
@ VMM_CALLBACK_TRIGGERING_EVENT_STATUS_SUCCESSFUL_IGNORE_EVENT
Definition Events.h:80
@ VMM_CALLBACK_TRIGGERING_EVENT_STATUS_SUCCESSFUL
Definition Events.h:79
@ VMM_CALLBACK_TRIGGERING_EVENT_STATUS_DEBUGGER_NOT_ENABLED
Definition Events.h:81
@ VMM_CALLBACK_TRIGGERING_EVENT_STATUS_SUCCESSFUL_NO_INITIALIZED
Definition Events.h:78
@ VMM_CALLBACK_TRIGGERING_EVENT_STATUS_INVALID_EVENT_TYPE
Definition Events.h:82
_DEBUGGER_EVENT_TRACE_TYPE
Type of tracing events.
Definition Events.h:220
@ DEBUGGER_EVENT_TRACE_TYPE_INVALID
Definition Events.h:221
@ DEBUGGER_EVENT_TRACE_TYPE_INSTRUMENTATION_STEP_IN
Definition Events.h:224
@ DEBUGGER_EVENT_TRACE_TYPE_STEP_IN
Definition Events.h:222
@ DEBUGGER_EVENT_TRACE_TYPE_STEP_OUT
Definition Events.h:223
_VMM_EVENT_TYPE_ENUM
enum to show type of all HyperDbg events
Definition Events.h:95
@ SYSCALL_HOOK_EFER_SYSCALL
Definition Events.h:117
@ DEBUG_REGISTERS_ACCESSED
Definition Events.h:146
@ OUT_INSTRUCTION_EXECUTION
Definition Events.h:135
@ CPUID_INSTRUCTION_EXECUTION
Definition Events.h:123
@ EXTERNAL_INTERRUPT_OCCURRED
Definition Events.h:141
@ EXCEPTION_OCCURRED
Definition Events.h:140
@ HIDDEN_HOOK_WRITE_AND_EXECUTE
Definition Events.h:103
@ TRAP_EXECUTION_INSTRUCTION_TRACE
Definition Events.h:170
@ RDMSR_INSTRUCTION_EXECUTION
Definition Events.h:128
@ CONTROL_REGISTER_READ
Definition Events.h:163
@ IN_INSTRUCTION_EXECUTION
Definition Events.h:134
@ HIDDEN_HOOK_EXEC_DETOURS
Definition Events.h:111
@ CONTROL_REGISTER_3_MODIFIED
Definition Events.h:164
@ TSC_INSTRUCTION_EXECUTION
Definition Events.h:151
@ WRMSR_INSTRUCTION_EXECUTION
Definition Events.h:129
@ CONTROL_REGISTER_MODIFIED
Definition Events.h:162
@ PMC_INSTRUCTION_EXECUTION
Definition Events.h:152
@ XSETBV_INSTRUCTION_EXECUTION
Definition Events.h:175
@ HIDDEN_HOOK_READ_AND_WRITE
Definition Events.h:101
@ HIDDEN_HOOK_READ_AND_EXECUTE
Definition Events.h:102
@ HIDDEN_HOOK_EXEC_CC
Definition Events.h:112
@ HIDDEN_HOOK_READ
Definition Events.h:104
@ SYSCALL_HOOK_EFER_SYSRET
Definition Events.h:118
@ HIDDEN_HOOK_WRITE
Definition Events.h:105
@ HIDDEN_HOOK_READ_AND_WRITE_AND_EXECUTE
Definition Events.h:100
@ TRAP_EXECUTION_MODE_CHANGED
Definition Events.h:169
@ VMCALL_INSTRUCTION_EXECUTION
Definition Events.h:157
@ HIDDEN_HOOK_EXECUTE
Definition Events.h:106
enum _DEBUGGER_EVENT_TRACE_TYPE DEBUGGER_EVENT_TRACE_TYPE
Type of tracing events.
struct _DEBUGGER_GENERAL_EVENT_DETAIL DEBUGGER_GENERAL_EVENT_DETAIL
Each command is like the following struct; it is also used for tracing work in user mode and sending it...
_DEBUGGER_EVENT_SYSCALL_SYSRET_TYPE
Type of handling !syscall or !sysret.
Definition Events.h:196
@ DEBUGGER_EVENT_SYSCALL_SYSRET_SAFE_ACCESS_MEMORY
Definition Events.h:197
@ DEBUGGER_EVENT_SYSCALL_SYSRET_HANDLE_ALL_UD
Definition Events.h:198
enum _DEBUGGER_EVENT_ACTION_TYPE_ENUM DEBUGGER_EVENT_ACTION_TYPE_ENUM
Type of Actions.
_DEBUGGER_EVENT_MODE_TYPE
Type of mode change traps.
Definition Events.h:207
@ DEBUGGER_EVENT_MODE_TYPE_KERNEL_MODE
Definition Events.h:210
@ DEBUGGER_EVENT_MODE_TYPE_USER_MODE_AND_KERNEL_MODE
Definition Events.h:208
@ DEBUGGER_EVENT_MODE_TYPE_INVALID
Definition Events.h:211
@ DEBUGGER_EVENT_MODE_TYPE_USER_MODE
Definition Events.h:209
_DEBUGGER_MODIFY_EVENTS_TYPE
different types of modifying events request (enable/disable/clear)
Definition Events.h:233
@ DEBUGGER_MODIFY_EVENTS_ENABLE
Definition Events.h:235
@ DEBUGGER_MODIFY_EVENTS_DISABLE
Definition Events.h:236
@ DEBUGGER_MODIFY_EVENTS_QUERY_STATE
Definition Events.h:234
@ DEBUGGER_MODIFY_EVENTS_CLEAR
Definition Events.h:237
enum _PROTECTED_HV_RESOURCES_PASSING_OVERS PROTECTED_HV_RESOURCES_PASSING_OVERS
Things to consider when applying resources.
struct _DEBUGGER_GENERAL_EVENT_DETAIL * PDEBUGGER_GENERAL_EVENT_DETAIL
_DEBUGGER_EVENT_ACTION_TYPE_ENUM
Type of Actions.
Definition Events.h:184
@ RUN_CUSTOM_CODE
Definition Events.h:187
@ BREAK_TO_DEBUGGER
Definition Events.h:185
@ RUN_SCRIPT
Definition Events.h:186
enum _VMM_EVENT_TYPE_ENUM VMM_EVENT_TYPE_ENUM
enum to show type of all HyperDbg events
struct _DEBUGGER_MODIFY_EVENTS * PDEBUGGER_MODIFY_EVENTS
enum _DEBUGGER_EVENT_MODE_TYPE DEBUGGER_EVENT_MODE_TYPE
Type of mode change traps.
struct _DEBUGGER_EVENT_OPTIONS * PDEBUGGER_EVENT_OPTIONS
struct _DEBUGGER_EVENT_AND_ACTION_RESULT * PDEBUGGER_EVENT_AND_ACTION_RESULT
_PROTECTED_HV_RESOURCES_PASSING_OVERS
Things to consider when applying resources.
Definition Events.h:295
@ PASSING_OVER_INTERRUPT_EVENTS
Definition Events.h:306
@ PASSING_OVER_MOV_TO_CONTROL_REGS_EVENTS
Definition Events.h:321
@ PASSING_OVER_TSC_EVENTS
Definition Events.h:311
@ PASSING_OVER_MOV_TO_HW_DEBUG_REGS_EVENTS
Definition Events.h:316
@ PASSING_OVER_UD_EXCEPTIONS_FOR_SYSCALL_SYSRET_HOOK
Definition Events.h:300
@ PASSING_OVER_NONE
Definition Events.h:299
@ PASSING_OVER_EXCEPTION_EVENTS
Definition Events.h:301
struct _DEBUGGER_SHORT_CIRCUITING_EVENT DEBUGGER_SHORT_CIRCUITING_EVENT
request for performing a short-circuiting event
enum _DEBUGGER_MODIFY_EVENTS_TYPE DEBUGGER_MODIFY_EVENTS_TYPE
different types of modifying events request (enable/disable/clear)
_PROTECTED_HV_RESOURCES_TYPE
Type of protected (multi-used) resources.
Definition Events.h:330
@ PROTECTED_HV_RESOURCES_MOV_CONTROL_REGISTER_EXITING
Definition Events.h:339
@ PROTECTED_HV_RESOURCES_EXCEPTION_BITMAP
Definition Events.h:331
@ PROTECTED_HV_RESOURCES_MOV_TO_DEBUG_REGISTER_EXITING
Definition Events.h:337
@ PROTECTED_HV_RESOURCES_MOV_TO_CR3_EXITING
Definition Events.h:341
@ PROTECTED_HV_RESOURCES_RDTSC_RDTSCP_EXITING
Definition Events.h:335
@ PROTECTED_HV_RESOURCES_SAVE_AND_LOAD_DEBUG_CONTROLS
Definition Events.h:343
@ PROTECTED_HV_RESOURCES_EXTERNAL_INTERRUPT_EXITING
Definition Events.h:333
enum _DEBUGGER_EVENT_SYSCALL_SYSRET_TYPE DEBUGGER_EVENT_SYSCALL_SYSRET_TYPE
Type of handling !syscall or !sysret.
struct _DEBUGGER_GENERAL_ACTION DEBUGGER_GENERAL_ACTION
Each event can have multiple actions.
struct _DEBUGGER_GENERAL_ACTION * PDEBUGGER_GENERAL_ACTION
struct _DEBUGGER_EVENT_OPTIONS DEBUGGER_EVENT_OPTIONS
request for performing a short-circuiting event
struct _DEBUGGER_MODIFY_EVENTS DEBUGGER_MODIFY_EVENTS
request for modifying events (enable/disable/clear)
_EXCEPTION_VECTORS
Exceptions enum.
Definition Events.h:23
@ EXCEPTION_VECTOR_RESERVED11
Definition Events.h:54
@ EXCEPTION_VECTOR_GENERAL_PROTECTION_FAULT
Definition Events.h:37
@ EXCEPTION_VECTOR_MATH_FAULT
Definition Events.h:40
@ EXCEPTION_VECTOR_STACK_SEGMENT_FAULT
Definition Events.h:36
@ EXCEPTION_VECTOR_INVALID_TASK_SEGMENT_SELECTOR
Definition Events.h:34
@ EXCEPTION_VECTOR_RESERVED0
Definition Events.h:33
@ EXCEPTION_VECTOR_UNDEFINED_OPCODE
Definition Events.h:30
@ EXCEPTION_VECTOR_NMI
Definition Events.h:26
@ PMI_INTERRUPT
Definition Events.h:64
@ EXCEPTION_VECTOR_RESERVED10
Definition Events.h:53
@ EXCEPTION_VECTOR_DEBUG_BREAKPOINT
Definition Events.h:25
@ EXCEPTION_VECTOR_DIVIDE_ERROR
Definition Events.h:24
@ APC_INTERRUPT
Definition Events.h:60
@ EXCEPTION_VECTOR_RESERVED8
Definition Events.h:51
@ IPI_INTERRUPT
Definition Events.h:63
@ EXCEPTION_VECTOR_PAGE_FAULT
Definition Events.h:38
@ EXCEPTION_VECTOR_RESERVED9
Definition Events.h:52
@ EXCEPTION_VECTOR_RESERVED5
Definition Events.h:48
@ EXCEPTION_VECTOR_ALIGNMENT_CHECK
Definition Events.h:41
@ EXCEPTION_VECTOR_RESERVED4
Definition Events.h:47
@ EXCEPTION_VECTOR_RESERVED1
Definition Events.h:39
@ EXCEPTION_VECTOR_RESERVED2
Definition Events.h:45
@ CLOCK_INTERRUPT
Definition Events.h:62
@ EXCEPTION_VECTOR_MACHINE_CHECK
Definition Events.h:42
@ EXCEPTION_VECTOR_SIMD_FLOATING_POINT_NUMERIC_ERROR
Definition Events.h:43
@ EXCEPTION_VECTOR_NO_MATH_COPROCESSOR
Definition Events.h:31
@ EXCEPTION_VECTOR_VIRTUAL_EXCEPTION
Definition Events.h:44
@ EXCEPTION_VECTOR_RESERVED6
Definition Events.h:49
@ EXCEPTION_VECTOR_RESERVED12
Definition Events.h:55
@ DPC_INTERRUPT
Definition Events.h:61
@ EXCEPTION_VECTOR_BOUND_RANGE_EXCEEDED
Definition Events.h:29
@ EXCEPTION_VECTOR_RESERVED3
Definition Events.h:46
@ EXCEPTION_VECTOR_OVERFLOW
Definition Events.h:28
@ EXCEPTION_VECTOR_SEGMENT_NOT_PRESENT
Definition Events.h:35
@ EXCEPTION_VECTOR_RESERVED7
Definition Events.h:50
@ EXCEPTION_VECTOR_DOUBLE_FAULT
Definition Events.h:32
@ EXCEPTION_VECTOR_BREAKPOINT
Definition Events.h:27
struct _DEBUGGER_EVENT_AND_ACTION_RESULT DEBUGGER_EVENT_AND_ACTION_RESULT
Status of register buffers.
enum _VMM_EVENT_TYPE_ENUM VMM_EVENT_TYPE_ENUM
enum to show type of all HyperDbg events
enum _DEBUGGER_MODIFY_EVENTS_TYPE DEBUGGER_MODIFY_EVENTS_TYPE
different types of modifying events request (enable/disable/clear)
struct _DEBUGGER_EVENT_OPTIONS DEBUGGER_EVENT_OPTIONS
request for performing a short-circuiting event
Status of register buffers.
Definition Events.h:432
UINT32 Error
Definition Events.h:434
BOOLEAN IsSuccessful
Definition Events.h:433
request for performing a short-circuiting event
Definition Events.h:276
UINT64 OptionalParam5
Definition Events.h:281
UINT64 OptionalParam2
Definition Events.h:278
UINT64 OptionalParam3
Definition Events.h:279
UINT64 OptionalParam6
Definition Events.h:282
UINT64 OptionalParam1
Definition Events.h:277
UINT64 OptionalParam4
Definition Events.h:280
Each event can have multiple actions.
Definition Events.h:413
UINT32 CustomCodeBufferSize
Definition Events.h:419
UINT32 ScriptBufferSize
Definition Events.h:420
DEBUGGER_EVENT_ACTION_TYPE_ENUM ActionType
Definition Events.h:415
UINT32 ScriptBufferPointer
Definition Events.h:421
UINT32 PreAllocatedBuffer
Definition Events.h:417
BOOLEAN ImmediateMessagePassing
Definition Events.h:416
UINT64 EventTag
Definition Events.h:414
Each command is like the following struct; it is also used for tracing work in user mode and sending it...
Definition Events.h:357
DEBUGGER_EVENT_OPTIONS Options
Definition Events.h:396
BOOLEAN EnableShortCircuiting
Definition Events.h:371
BOOLEAN IsEnabled
Definition Events.h:369
VMM_EVENT_TYPE_ENUM EventType
Definition Events.h:394
UINT32 CountOfActions
Definition Events.h:391
UINT64 Tag
Definition Events.h:393
BOOLEAN HasCustomOutput
Definition Events.h:377
UINT64 OutputSourceTags[DebuggerOutputSourceMaximumRemoteSourceForSingleEvent]
Definition Events.h:382
VMM_CALLBACK_EVENT_CALLING_STAGE_TYPE EventStage
Definition Events.h:374
UINT32 ConditionBufferSize
Definition Events.h:400
UINT32 ProcessId
Definition Events.h:365
UINT32 CoreId
Definition Events.h:362
PVOID CommandStringBuffer
Definition Events.h:398
LIST_ENTRY CommandsEventList
Definition Events.h:359
request for modifying events (enable/disable/clear)
Definition Events.h:245
DEBUGGER_MODIFY_EVENTS_TYPE TypeOfAction
Definition Events.h:249
BOOLEAN IsEnabled
Definition Events.h:250
UINT64 KernelStatus
Definition Events.h:247
UINT64 Tag
Definition Events.h:246
request for performing a short-circuiting event
Definition Events.h:261
BOOLEAN IsShortCircuiting
Definition Events.h:263
UINT64 KernelStatus
Definition Events.h:262