HyperDbg Debugger
Loading...
Searching...
No Matches
HyperDbgHyperTrace.h File Reference

Headers relating exported functions from hypertrace (tracing) module. More...

Go to the source code of this file.

Macros

#define IMPORT_EXPORT_HYPERTRACE   __declspec(dllimport)

Functions

IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTraceInitCallback (HYPERTRACE_CALLBACKS *HyperTraceCallbacks, BOOLEAN RunningOnHypervisorEnvironment)
 Initialize the hypertrace module callbacks.
IMPORT_EXPORT_HYPERTRACE VOID HyperTraceUninit ()
 Uninitialize the hypertrace module.
IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTraceLbrIsSupported (UINT32 *Capacity, BOOLEAN *IsArchLbr)
 Check if LBR is supported on the current CPU and get its capacity.
IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTraceLbrCheck ()
 Check if LBR is supported and enabled on the current core.
IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTraceLbrRestore ()
 Restore (re-enable) LBR collection on the current core with previous filter options.
IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTraceLbrRestoreByFilter (UINT64 FilterOptions)
 Restore (re-enable) LBR collection on the current core with the specified filter options.
IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTraceLbrSave (HYPERTRACE_LBR_OPERATION_PACKETS *HyperTraceOperationRequest)
 Save LBR tracing for HyperTrace.
IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTraceLbrPrint (HYPERTRACE_LBR_OPERATION_PACKETS *HyperTraceOperationRequest)
 Print LBR tracing for HyperTrace.
IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTraceLbrFlush (HYPERTRACE_LBR_OPERATION_PACKETS *HyperTraceOperationRequest)
 Flush LBR tracing for HyperTrace.
IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTraceLbrQueryStateOfLbrSaveAndLoadVmExitAndEntryControls (UINT32 CoreId)
 Query the state of LBR save and load VM exit and entry controls.
IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTraceLbrPerformDump (HYPERTRACE_LBR_DUMP_PACKETS *LbrDumpRequest)
 Perform actions related to HyperTrace LBR dumping.
IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTraceLbrPerformOperation (HYPERTRACE_LBR_OPERATION_PACKETS *LbrOperationRequest)
 Perform actions related to HyperTrace LBR operations.
IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTracePtEnable (HYPERTRACE_PT_OPERATION_PACKETS *PtOperationRequest)
 Enable PT tracing for HyperTrace.
IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTracePtDisable (HYPERTRACE_PT_OPERATION_PACKETS *PtOperationRequest)
 Disable PT tracing for HyperTrace.
IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTracePtPause (HYPERTRACE_PT_OPERATION_PACKETS *PtOperationRequest)
 Pause PT tracing on every core. Buffers stay allocated and the per-CPU CTL is preserved, so HyperTracePtResume can restart the trace exactly where it stopped.
IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTracePtResume (HYPERTRACE_PT_OPERATION_PACKETS *PtOperationRequest)
 Resume PT tracing on every core after a prior HyperTracePtPause.
IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTracePtSize (HYPERTRACE_PT_OPERATION_PACKETS *PtOperationRequest)
 Snapshot the current PT output position on every core and write the per-CPU byte counts into HyperTraceOperationRequest->BytesPerCpu. The returned counts are the decode window — bytes [0, BytesPerCpu[i]) in CPU i's user mapping currently hold valid trace data.
IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTracePtDump (HYPERTRACE_PT_OPERATION_PACKETS *PtOperationRequest)
 Dump PT trace state for HyperTrace.
IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTracePtFlush (HYPERTRACE_PT_OPERATION_PACKETS *PtOperationRequest)
 Flush PT trace state on all cores (free buffers).
IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTracePtFilter (HYPERTRACE_PT_OPERATION_PACKETS *PtOperationRequest)
 Apply a new PT trace configuration (TraceUser / TraceKernel / TargetCr3 / BufferSize / NumAddrRanges + AddrRanges) on all cores.
IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTracePtPerformOperation (HYPERTRACE_PT_OPERATION_PACKETS *PtOperationRequest)
 Perform actions related to HyperTrace PT.
IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTracePtMmap (HYPERTRACE_PT_MMAP_PACKETS *Req)
 Map every per-CPU PT main output + overflow buffer into the calling user-mode process. See HYPERTRACE_PT_MMAP_PACKETS for the full lifetime / single-process contract.

Detailed Description

Headers relating exported functions from hypertrace (tracing) module.

Author
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
Version
0.18
Date
2026-02-08

Macro Definition Documentation

◆ IMPORT_EXPORT_HYPERTRACE

#define IMPORT_EXPORT_HYPERTRACE   __declspec(dllimport)

Function Documentation

◆ HyperTraceInitCallback()

IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTraceInitCallback ( HYPERTRACE_CALLBACKS * HyperTraceCallbacks,
BOOLEAN RunningOnHypervisorEnvironment )

Initialize the hypertrace module callbacks.

This only for callback initialization, not for LBR, PT, etc. initialization

Parameters
HyperTraceCallbacksPointer to the HyperTrace callbacks structure to be registered
RunningOnHypervisorEnvironmentWhether the initialization is being done for hypervisor environment or not, it can be used to skip some of the initialization steps if it is not for hypervisor environment and behave differently based on that
Returns
BOOLEAN
26{
27 UINT32 ProcessorsCount = 0;
28
29 //
30 // Check if any of the required callbacks are NULL
31 //
32 for (UINT32 i = 0; i < sizeof(HYPERTRACE_CALLBACKS) / sizeof(UINT64); i++)
33 {
34 if (((PVOID *)HyperTraceCallbacks)[i] == NULL)
35 {
36 //
37 // The callback has null entry, so we cannot proceed
38 //
39 return FALSE;
40 }
41 }
42
43 //
44 // Save the callbacks
45 //
46 PlatformWriteMemory(&g_Callbacks, HyperTraceCallbacks, sizeof(HYPERTRACE_CALLBACKS));
47
48 //
49 // Query the number of processors in the system to initialize the global LBR state list accordingly
50 //
51 ProcessorsCount = PlatformCpuGetActiveProcessorCount();
52
53 //
54 // Initialize the global LBR state list to hold LBR states for each core
55 //
57
58 //
59 // Initialize the global PT per-CPU state list. Each entry starts in
60 // PT_STATE_DISABLED with no buffers allocated; PtStart() will lazily
61 // allocate ToPA / output / overflow buffers on first use per core.
62 //
64
65 if (g_PtStateList != NULL)
66 {
67 UINT32 i;
68 for (i = 0; i < ProcessorsCount; i++)
69 {
72 }
73 }
74
75 //
76 // Set the flag to indicate whether the initialization is being done for hypervisor environment or not
77 //
78 g_RunningOnHypervisorEnvironment = RunningOnHypervisorEnvironment;
79
80 //
81 // It is initialized, but LBR is disabled at this stage
82 //
84
85 //
86 // It is initialized, but Processor Trace is disabled at this stage
87 //
89
90 //
91 // Enable callbacks and set the initialized flag
92 //
94
95 return TRUE;
96}
ULONG PlatformCpuGetActiveProcessorCount(VOID)
Get the count of active logical processors.
Definition PlatformCpu.c:24
PVOID PlatformMemAllocateZeroedNonPagedPool(SIZE_T NumberOfBytes)
Allocates zeroed non-paged pool memory.
Definition PlatformMem.c:248
VOID PlatformWriteMemory(PVOID Address, PVOID Buffer, SIZE_T Size)
Writes data from a buffer to a memory address.
Definition PlatformMem.c:115
void * PVOID
Definition BasicTypes.h:56
#define TRUE
Definition BasicTypes.h:114
#define FALSE
Definition BasicTypes.h:113
unsigned int UINT32
Definition BasicTypes.h:54
struct _LBR_STACK_ENTRY LBR_STACK_ENTRY
The structure to hold the LBR stack for a single processor core, including the branch entries and the...
struct _PT_PER_CPU PT_PER_CPU
Per-CPU Intel PT state — one of these per logical processor.
@ PT_STATE_DISABLED
Definition PtDefinitions.h:218
struct _HYPERTRACE_CALLBACKS HYPERTRACE_CALLBACKS
Prototype of each function needed by hypertrace module.
HYPEREVADE_CALLBACKS g_Callbacks
List of callbacks.
Definition Transparency.h:23
BOOLEAN g_RunningOnHypervisorEnvironment
The flag indicating whether the initialization is being done for hypervisor environment or not.
Definition GlobalVariables.h:35
VOID PtEngineInitDefaultConfig(PT_TRACE_CONFIG *Config)
Initialize a PT_TRACE_CONFIG with sensible defaults. Trace user + kernel, branch + TSC packets,...
Definition Pt.c:342
PT_PER_CPU * g_PtStateList
Dynamically allocated array of per-CPU Intel PT state. Sized to KeQueryActiveProcessorCount(0) at hyp...
Definition GlobalVariables.h:84
LBR_STACK_ENTRY * g_LbrStateList
This will be a dynamically allocated array to hold LBR states for each core.
Definition GlobalVariables.h:54
BOOLEAN g_ProcessorTraceEnabled
The flag indicating whether the hypertrace Processor Trace is initialized or not.
Definition GlobalVariables.h:78
BOOLEAN g_HyperTraceCallbacksInitialized
The flag indicating whether the hypertrace module callbacks is initialized or not.
Definition GlobalVariables.h:29
BOOLEAN g_LastBranchRecordEnabled
The flag indicating whether the hypertrace LBR tracing is initialized or not.
Definition GlobalVariables.h:48

◆ HyperTraceLbrCheck()

IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTraceLbrCheck ( )

Check if LBR is supported and enabled on the current core.

Returns
BOOLEAN
105{
106 //
107 // Only check LBR once it is already initialized
108 //
110 {
111 return FALSE;
112 }
113
114 return LbrCheck();
115}
BOOLEAN LbrCheck()
Check if LBR is enabled or not.
Definition Lbr.c:876

◆ HyperTraceLbrFlush()

IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTraceLbrFlush ( HYPERTRACE_LBR_OPERATION_PACKETS * HyperTraceOperationRequest)

Flush LBR tracing for HyperTrace.

Parameters
HyperTraceOperationRequest
Returns
BOOLEAN
316{
317 //
318 // Check if LBR is already disabled or not
319 //
321 {
323 return FALSE;
324 }
325
326 //
327 // Disabling LBR
328 //
330
331 //
332 // Broadcast flushing LBR on all cores
333 //
335
336 //
337 // Set successful status
338 //
340
341 return TRUE;
342}
VOID HyperTraceLbrSetKernelStatus(HYPERTRACE_LBR_OPERATION_PACKETS *HyperTraceLbrOperationRequest, UINT32 Status)
Set the kernel status in the HyperTrace LBR operation request structure.
Definition LbrApi.c:69
#define DEBUGGER_ERROR_LBR_ALREADY_DISABLED
error, LBR is already disabled
Definition ErrorCodes.h:606
#define DEBUGGER_OPERATION_WAS_SUCCESSFUL
General value to indicate that the operation or request was successful.
Definition ErrorCodes.h:23
VOID BroadcastFlushLbrOnAllCores()
Routines to flush LBR on all cores.
Definition Broadcast.c:48

◆ HyperTraceLbrIsSupported()

IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTraceLbrIsSupported ( UINT32 * Capacity,
BOOLEAN * IsArchLbr )

Check if LBR is supported on the current CPU and get its capacity.

Parameters
CapacityPointer to a variable to receive the LBR capacity (number of entries)
IsArchLbrPointer to a variable to receive whether the supported LBR is architectural LBR or not (legacy LBR)
Returns
BOOLEAN
158{
159 //
160 // Check for ARCHITECTURAL LBR support first, if not supported then check for LEGACY LBR support
161 //
163 {
164 //
165 // If the CPU does not support architectural LBR, we can check for legacy LBR support as a fallback
166 //
168 {
169 return FALSE;
170 }
171 }
172
173 //
174 // Set capacity when the pointer is valid
175 //
176 if (Capacity != NULL)
177 {
178 *Capacity = (UINT32)g_LbrCapacity;
179 }
180
181 //
182 // Set IsArchLbr when the pointer is valid
183 //
184 if (IsArchLbr != NULL)
185 {
186 *IsArchLbr = g_ArchBasedLastBranchRecord;
187 }
188
189 return TRUE;
190}
BOOLEAN LbrCheckAndReadArchitecturalLbrDetails()
Check if the current CPU supports architectural LBR.
Definition Lbr.c:86
BOOLEAN LbrCheckAndReadLegacyLbrDetails()
Check if the current CPU supports LBR by examining the CPU family and model and looking up the corres...
Definition Lbr.c:177
ULONGLONG g_LbrCapacity
The global variable to hold the LBR capacity of the current CPU.
Definition GlobalVariables.h:60
BOOLEAN g_ArchBasedLastBranchRecord
The flag indicating whether the architectural LBR is supported by the CPU or not if false it means th...
Definition GlobalVariables.h:42

◆ HyperTraceLbrPerformDump()

IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTraceLbrPerformDump ( HYPERTRACE_LBR_DUMP_PACKETS * LbrDumpRequest)

Perform actions related to HyperTrace LBR dumping.

Parameters
LbrDumpRequest
Returns
BOOLEAN
458{
459 ULONG ProcessorsCount;
460
461 //
462 // Check if LBR is enabled or not before dumping
463 //
465 {
467 return FALSE;
468 }
469
470 //
471 // Get the number of processors in the system to validate the requested core id for dumping
472 //
473 ProcessorsCount = KeQueryActiveProcessorCount(0);
474
475 //
476 // Check if core id is valid
477 //
478 if (LbrDumpRequest->CoreId >= ProcessorsCount)
479 {
481 return FALSE;
482 }
483
484 //
485 // Check if next core is valid in the case of dumping all cores
486 //
487 if (LbrDumpRequest->CoreId == ProcessorsCount - 1)
488 {
489 LbrDumpRequest->NextCoreIsValid = FALSE;
490 }
491 else
492 {
493 LbrDumpRequest->NextCoreIsValid = TRUE;
494 }
495
496 //
497 // Set ARCH or LEGACY LBR flag in the dump request structure based on the type of LBR supported by the CPU
498 //
500
501 //
502 // Set the current LBR capacity in the dump request structure based on the type of LBR supported by the CPU
503 //
504 LbrDumpRequest->CurrentLbrCapacity = (UINT8)g_LbrCapacity;
505
506 //
507 // Copy the LBR stack entries of the requested core into the dump request structure to be sent back to usermode
508 //
509 RtlCopyMemory(&LbrDumpRequest->LbrStack, &g_LbrStateList[LbrDumpRequest->CoreId], sizeof(LBR_STACK_ENTRY));
510
511 //
512 // Set successful status
513 //
515
516 return TRUE;
517}
VOID HyperTraceLbrDumpSetKernelStatus(HYPERTRACE_LBR_DUMP_PACKETS *HyperTraceLbrDumpOperationRequest, UINT32 Status)
Set the kernel status in the HyperTrace LBR dump operation request structure.
Definition LbrApi.c:88
unsigned char UINT8
Definition BasicTypes.h:52
unsigned long ULONG
Definition BasicTypes.h:31
#define DEBUGGER_ERROR_INVALID_CORE_ID
error, the core id is invalid
Definition ErrorCodes.h:69
BOOLEAN NextCoreIsValid
Definition RequestStructures.h:1325
UINT8 CurrentLbrCapacity
Definition RequestStructures.h:1328
LBR_STACK_ENTRY LbrStack
Definition RequestStructures.h:1327
BOOLEAN ArchBasedLBR
Definition RequestStructures.h:1326
UINT32 CoreId
Definition RequestStructures.h:1324

◆ HyperTraceLbrPerformOperation()

IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTraceLbrPerformOperation ( HYPERTRACE_LBR_OPERATION_PACKETS * LbrOperationRequest)

Perform actions related to HyperTrace LBR operations.

Parameters
LbrOperationRequest
Returns
BOOLEAN
528{
529 BOOLEAN Status = TRUE;
530
531 //
532 // Check if the hypertrace module is initialized before performing any operation
533 //
535 {
537 return FALSE;
538 }
539
540 //
541 // Perform the requested operation
542 //
543 switch (LbrOperationRequest->LbrOperationType)
544 {
546
547 // LogInfo("HyperTrace: Enabling LBR tracing...\n");
548
549 HyperTraceLbrEnable(LbrOperationRequest);
550
551 break;
552
554
555 // LogInfo("HyperTrace: Disabling LBR tracing...\n");
556
557 HyperTraceLbrDisable(LbrOperationRequest);
558
559 break;
560
562
563 // LogInfo("HyperTrace: Flushing LBR tracing...\n");
564
565 HyperTraceLbrFlush(LbrOperationRequest);
566
567 break;
568
570
571 // LogInfo("HyperTrace: Updating LBR filter options...\n");
572
573 HyperTraceLbrUpdateFilterOptions(LbrOperationRequest);
574
575 break;
576
577 default:
578
579 Status = FALSE;
581
582 break;
583 }
584
585 return Status;
586}
BOOLEAN HyperTraceLbrEnable(HYPERTRACE_LBR_OPERATION_PACKETS *HyperTraceOperationRequest)
Enable LBR tracing for HyperTrace.
Definition LbrApi.c:200
BOOLEAN HyperTraceLbrDisable(HYPERTRACE_LBR_OPERATION_PACKETS *HyperTraceOperationRequest)
Disable LBR tracing for HyperTrace.
Definition LbrApi.c:278
BOOLEAN HyperTraceLbrFlush(HYPERTRACE_LBR_OPERATION_PACKETS *HyperTraceOperationRequest)
Flush LBR tracing for HyperTrace.
Definition LbrApi.c:315
BOOLEAN HyperTraceLbrUpdateFilterOptions(HYPERTRACE_LBR_OPERATION_PACKETS *HyperTraceOperationRequest)
Update LBR filter options for HyperTrace.
Definition LbrApi.c:425
UCHAR BOOLEAN
Definition BasicTypes.h:35
#define DEBUGGER_ERROR_INVALID_HYPERTRACE_OPERATION_TYPE
error, invalid HyperTrace operation type is specified in the request
Definition ErrorCodes.h:594
#define DEBUGGER_ERROR_HYPERTRACE_NOT_INITIALIZED
error, HyperTrace is not initialized
Definition ErrorCodes.h:588
@ HYPERTRACE_LBR_OPERATION_REQUEST_TYPE_FILTER
Definition RequestStructures.h:1290
@ HYPERTRACE_LBR_OPERATION_REQUEST_TYPE_FLUSH
Definition RequestStructures.h:1288
@ HYPERTRACE_LBR_OPERATION_REQUEST_TYPE_DISABLE
Definition RequestStructures.h:1287
@ HYPERTRACE_LBR_OPERATION_REQUEST_TYPE_ENABLE
Definition RequestStructures.h:1286
HYPERTRACE_LBR_OPERATION_REQUEST_TYPE LbrOperationType
Definition RequestStructures.h:1303

◆ HyperTraceLbrPrint()

IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTraceLbrPrint ( HYPERTRACE_LBR_OPERATION_PACKETS * HyperTraceOperationRequest)

Print LBR tracing for HyperTrace.

Parameters
HyperTraceOperationRequest
Returns
BOOLEAN
387{
388 //
389 // Check if LBR is already disabled or not
390 //
392 {
394 return FALSE;
395 }
396
397 // LogInfo("Dumping LBR Buffer...\n");
398
399 //
400 // Save the LBR state
401 //
402 LbrSave();
403
404 //
405 // This will print the collected LBR branches to the log
406 //
407 LbrPrint();
408
409 //
410 // The operation was successful
411 //
413
414 return TRUE;
415}
VOID LbrSave()
Save LBR branches.
Definition Lbr.c:1091
VOID LbrPrint()
Print collected LBR branches.
Definition Lbr.c:1194

◆ HyperTraceLbrQueryStateOfLbrSaveAndLoadVmExitAndEntryControls()

IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTraceLbrQueryStateOfLbrSaveAndLoadVmExitAndEntryControls ( UINT32 CoreId)

Query the state of LBR save and load VM exit and entry controls.

Parameters
CoreIdThe index of the processor core to query
Returns
BOOLEAN
54{
55 UNREFERENCED_PARAMETER(CoreId); // Right now there is no core specifc controls for LBR
56
58}

◆ HyperTraceLbrRestore()

IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTraceLbrRestore ( )

Restore (re-enable) LBR collection on the current core with previous filter options.

Returns
BOOLEAN
144{
146}
BOOLEAN HyperTraceLbrRestoreByFilter(UINT64 FilterOptions)
Restore (re-enable) LBR collection on the current core with the specified filter options.
Definition LbrApi.c:124
UINT64 g_LbrFilterOptions
The global variable to hold the current LBR filter options bitmask (for both architectural and legacy...
Definition GlobalVariables.h:72

◆ HyperTraceLbrRestoreByFilter()

IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTraceLbrRestoreByFilter ( UINT64 FilterOptions)

Restore (re-enable) LBR collection on the current core with the specified filter options.

Parameters
FilterOptionsA bitmask of filter options to apply to the LBR branches
Returns
BOOLEAN
125{
126 //
127 // Only restore (re-enable) LBR once it is already initialized
128 //
130 {
131 return FALSE;
132 }
133
134 return LbrStart(FilterOptions);
135}
BOOLEAN LbrStart(UINT64 FilterOptions)
Start collecting LBR branches.
Definition Lbr.c:903

◆ HyperTraceLbrSave()

IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTraceLbrSave ( HYPERTRACE_LBR_OPERATION_PACKETS * HyperTraceOperationRequest)

Save LBR tracing for HyperTrace.

Parameters
HyperTraceOperationRequest
Returns
BOOLEAN
353{
354 //
355 // Check if LBR is already disabled or not
356 //
358 {
360 return FALSE;
361 }
362
363 // LogInfo("Saving LBR Buffer...\n");
364
365 //
366 // Save the LBR state
367 //
368 LbrSave();
369
370 //
371 // The operation was successful
372 //
374
375 return TRUE;
376}

◆ HyperTracePtDisable()

IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTracePtDisable ( HYPERTRACE_PT_OPERATION_PACKETS * PtOperationRequest)

Disable PT tracing for HyperTrace.

Parameters
PtOperationRequestPointer to the HyperTrace PT operation request packet
Returns
BOOLEAN
158{
159 //
160 // Check if PT is already disabled or not
161 //
163 {
164 if (PtOperationRequest != NULL)
165 {
167 }
168
169 return FALSE;
170 }
171
172 //
173 // Disabling PT
174 //
176
177 //
178 // Broadcast disabling PT on all cores (DPC stops tracing per-core)
179 //
181
182 //
183 // Free per-CPU buffers at PASSIVE_LEVEL after the broadcast has stopped
184 // tracing on every core.
185 //
187
188 //
189 // Set successful status
190 //
191 if (PtOperationRequest != NULL)
192 {
194 }
195
196 return TRUE;
197}
#define DEBUGGER_ERROR_PT_ALREADY_DISABLED
error, PT is already disabled
Definition ErrorCodes.h:630
VOID PtFreeAllCpuBuffers()
Free ToPA / output / overflow buffers for every active CPU.
Definition Pt.c:1089
VOID BroadcastDisablePtOnAllCores()
Routines to disable PT on all cores.
Definition Broadcast.c:89
UINT32 KernelStatus
Definition RequestStructures.h:1384

◆ HyperTracePtDump()

IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTracePtDump ( HYPERTRACE_PT_OPERATION_PACKETS * HyperTraceOperationRequest)

Dump PT trace state for HyperTrace.

Parameters
HyperTraceOperationRequest
Returns
BOOLEAN
309{
311 {
312 if (HyperTraceOperationRequest != NULL)
313 {
314 HyperTraceOperationRequest->KernelStatus = DEBUGGER_ERROR_PT_ALREADY_DISABLED;
315 }
316 return FALSE;
317 }
318
319 LogInfo("Dumping PT trace summary...\n");
320
322
323 if (HyperTraceOperationRequest != NULL)
324 {
325 HyperTraceOperationRequest->KernelStatus = DEBUGGER_OPERATION_WAS_SUCCESSFUL;
326 }
327
328 return TRUE;
329}
#define LogInfo(format,...)
Define log variables.
Definition HyperDbgHyperLogIntrinsics.h:71
VOID BroadcastDumpPtOnAllCores()
Routines to dump PT state on all cores.
Definition Broadcast.c:135

◆ HyperTracePtEnable()

IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTracePtEnable ( HYPERTRACE_PT_OPERATION_PACKETS * PtOperationRequest)

Enable PT tracing for HyperTrace.

Parameters
PtOperationRequestPointer to the HyperTrace PT operation request packet
Returns
BOOLEAN
95{
96 //
97 // Check if PT is already enabled or not
98 //
100 {
102 return FALSE;
103 }
104
105 //
106 // Check PT support on CPU
107 //
108 if (!PtCheck())
109 {
110 PtOperationRequest->KernelStatus = DEBUGGER_ERROR_PT_NOT_SUPPORTED;
111 return FALSE;
112 }
113
114 //
115 // Allocate per-CPU ToPA / output / overflow buffers at PASSIVE_LEVEL
116 // (the contiguous-memory allocator cannot run from a DPC).
117 // PtAllocateAllCpuBuffers reads Cpu->Config.BufferSize, which was set
118 // either at module init (default 2MB) or by a prior !pt filter — so
119 // any pre-enable filter settings are preserved here.
120 //
122 {
123 //
124 // Roll back any partial allocations so we don't leak on next try.
125 //
127 PtOperationRequest->KernelStatus = DEBUGGER_ERROR_PT_NOT_SUPPORTED;
128 return FALSE;
129 }
130
131 //
132 // Broadcast enabling PT on all cores
133 //
135
136 //
137 // Set the flag to indicate that PT tracing is enabled
138 //
140
141 //
142 // Set successful status
143 //
145
146 return TRUE;
147}
#define DEBUGGER_ERROR_PT_ALREADY_ENABLED
error, PT is already enabled
Definition ErrorCodes.h:624
#define DEBUGGER_ERROR_PT_NOT_SUPPORTED
error, PT is not supported by the processor
Definition ErrorCodes.h:636
BOOLEAN PtAllocateAllCpuBuffers()
Allocate ToPA / output / overflow buffers for every active CPU.
Definition Pt.c:1051
BOOLEAN PtCheck()
Check whether Intel PT is supported on the current CPU. Mirrors LbrCheck — must be called once before...
Definition Pt.c:1012
VOID BroadcastEnablePtOnAllCores()
Routines to enable PT on all cores.
Definition Broadcast.c:78

◆ HyperTracePtFilter()

Apply a new PT trace configuration (TraceUser / TraceKernel / TargetCr3 / BufferSize / NumAddrRanges + AddrRanges) on all cores.

Mirrors HyperTraceLbrUpdateFilterOptions / LbrFilter:

  • If PT is currently enabled, stop tracing on all cores, free and reallocate buffers (because BufferSize may have changed), push the new config into every per-CPU slot, and resume tracing on all cores.
  • If PT is currently disabled, only update the per-CPU config so that the next !pt enable picks it up.

Must be called at IRQL == PASSIVE_LEVEL because of the contiguous-memory allocator.

407{
408 PT_FILTER_OPTIONS FilterOptions = {0};
409 BOOLEAN WasEnabled = g_ProcessorTraceEnabled;
410 BOOLEAN BufferChanged = FALSE;
411 UINT64 ExistingSize = 0;
412 UINT32 Copy;
413
414 //
415 // Translate the user-mode packet into PT_FILTER_OPTIONS — the narrow
416 // surface PtFilter operates on. Default to user+kernel when the
417 // caller specified neither (matches LBR's empty-filter behaviour).
418 //
419 if (Req->TraceUser || Req->TraceKernel)
420 {
421 FilterOptions.TraceUser = (Req->TraceUser != 0) ? TRUE : FALSE;
422 FilterOptions.TraceKernel = (Req->TraceKernel != 0) ? TRUE : FALSE;
423 }
424 else
425 {
426 FilterOptions.TraceUser = TRUE;
427 FilterOptions.TraceKernel = TRUE;
428 }
429 FilterOptions.TargetCr3 = Req->TargetCr3;
430 FilterOptions.BufferSize = Req->BufferSize;
431 FilterOptions.NumAddrRanges = Req->NumAddrRanges;
432 if (FilterOptions.NumAddrRanges > PT_MAX_ADDR_RANGES)
433 FilterOptions.NumAddrRanges = PT_MAX_ADDR_RANGES;
434 for (Copy = 0; Copy < FilterOptions.NumAddrRanges; Copy++)
435 {
436 FilterOptions.AddrRanges[Copy] = Req->AddrRanges[Copy];
437 }
438
439 //
440 // Decide between fast (filter-only) and slow (buffer-resize) paths.
441 //
442 if (g_PtStateList != NULL)
443 {
444 ExistingSize = g_PtStateList[0].Config.BufferSize;
445 }
446 if (FilterOptions.BufferSize != 0 && FilterOptions.BufferSize != ExistingSize)
447 {
448 BufferChanged = TRUE;
449 }
450
451 if (!WasEnabled || BufferChanged)
452 {
453 //
454 // Slow path — PT is off and/or BufferSize changed. We have to
455 // free + reallocate per-CPU buffers at PASSIVE_LEVEL, so we
456 // can't go through DPC for the config seeding either.
457 //
458 PT_TRACE_CONFIG Cfg;
459
460 if (WasEnabled)
461 {
464 }
465
466 //
467 // Build a full PT_TRACE_CONFIG (defaults + the user-tunable
468 // fields from the request) and seed it on every CPU so the next
469 // PtAllocateAllCpuBuffers picks up the right BufferSize and
470 // PtEngineStart programs the right RTIT_CTL bits.
471 //
472 HyperTracePtBuildConfig(Req, &Cfg);
473 HyperTracePtSeedConfigOnAllCpus(&Cfg);
474
475 if (WasEnabled)
476 {
478 {
481 if (Req != NULL)
482 {
484 }
485 return FALSE;
486 }
487
489 }
490 }
491 else
492 {
493 //
494 // Fast filter-only path: PT is running and BufferSize is
495 // unchanged. Force FilterOptions.BufferSize=0 so PtFilter on each core
496 // keeps the buffer that's already allocated, then broadcast.
497 //
498 FilterOptions.BufferSize = 0;
499 BroadcastFilterPtOnAllCores(&FilterOptions);
500 }
501
502 if (Req != NULL)
503 {
505 }
506
507 return TRUE;
508}
struct _PT_TRACE_CONFIG PT_TRACE_CONFIG
Intel PT trace configuration — what the user specifies.
#define PT_MAX_ADDR_RANGES
Definition PtDefinitions.h:53
struct _PT_FILTER_OPTIONS PT_FILTER_OPTIONS
Narrow input descriptor for PtFilter.
VOID BroadcastFilterPtOnAllCores(PT_FILTER_OPTIONS *FilterOptions)
Routines to apply a PT filter on all cores. The same Options pointer is passed to every per-core DPC;...
Definition Broadcast.c:159
VOID BroadcastFlushPtOnAllCores()
Routines to flush PT state on all cores.
Definition Broadcast.c:146
UINT32 TraceUser
Definition RequestStructures.h:1389
UINT32 TraceKernel
Definition RequestStructures.h:1390
UINT32 NumAddrRanges
Definition RequestStructures.h:1393
PT_ADDR_RANGE AddrRanges[PT_MAX_ADDR_RANGES]
Definition RequestStructures.h:1397
UINT64 TargetCr3
Definition RequestStructures.h:1391
UINT64 BufferSize
Definition RequestStructures.h:1392
UINT64 BufferSize
Definition Pt.h:45
UINT32 NumAddrRanges
Definition Pt.h:46
UINT64 TargetCr3
Definition Pt.h:44
BOOLEAN TraceUser
Definition Pt.h:42
BOOLEAN TraceKernel
Definition Pt.h:43
PT_ADDR_RANGE AddrRanges[PT_MAX_ADDR_RANGES]
Definition Pt.h:47

◆ HyperTracePtFlush()

IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTracePtFlush ( HYPERTRACE_PT_OPERATION_PACKETS * HyperTraceOperationRequest)

Flush PT trace state on all cores (free buffers).

Parameters
HyperTraceOperationRequest
Returns
BOOLEAN
340{
342 {
343 if (HyperTraceOperationRequest != NULL)
344 {
345 HyperTraceOperationRequest->KernelStatus = DEBUGGER_ERROR_PT_ALREADY_DISABLED;
346 }
347 return FALSE;
348 }
349
350 //
351 // Stop tracing on all cores via DPC (so MSRs are quiesced)
352 //
354
355 //
356 // Then free contiguous buffers at PASSIVE_LEVEL
357 //
359
360 //
361 // Reallocate buffers so subsequent !pt save / !pt dump / !pt enable
362 // continue to work — Flush in LBR keeps tracing alive, so we mirror
363 // that by leaving PT primed for the next !pt enable.
364 //
366 {
368 if (HyperTraceOperationRequest != NULL)
369 {
370 HyperTraceOperationRequest->KernelStatus = DEBUGGER_ERROR_PT_NOT_SUPPORTED;
371 }
373 return FALSE;
374 }
375
376 //
377 // Resume tracing on all cores
378 //
380
381 if (HyperTraceOperationRequest != NULL)
382 {
383 HyperTraceOperationRequest->KernelStatus = DEBUGGER_OPERATION_WAS_SUCCESSFUL;
384 }
385
386 return TRUE;
387}

◆ HyperTracePtMmap()

Map every per-CPU PT main output + overflow buffer into the calling user-mode process. See HYPERTRACE_PT_MMAP_PACKETS for the full lifetime / single-process contract.

517{
518 if (Req == NULL)
519 return FALSE;
520
521 Req->NumCpus = 0;
522
524 {
526 return FALSE;
527 }
528
530 {
532 return FALSE;
533 }
534
536 {
538 return FALSE;
539 }
540
542 return TRUE;
543}
#define PT_MAX_CPUS_FOR_MMAP
Definition PtDefinitions.h:60
INT32 PtMmapAllCpuBuffersToUser(PT_USER_BUFFER_DESC *OutDescs, UINT32 MaxDescs, UINT32 *OutNumCpus)
Map every per-CPU PT main output buffer and 4 KB overflow page into the current user process as a sin...
Definition Pt.c:1127
UINT32 KernelStatus
Definition RequestStructures.h:1438
PT_USER_BUFFER_DESC Cpus[PT_MAX_CPUS_FOR_MMAP]
Definition RequestStructures.h:1440
UINT32 NumCpus
Definition RequestStructures.h:1439

◆ HyperTracePtPause()

IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTracePtPause ( HYPERTRACE_PT_OPERATION_PACKETS * HyperTraceOperationRequest)

Pause PT tracing on every core. Buffers stay allocated and the per-CPU CTL is preserved, so HyperTracePtResume can restart the trace exactly where it stopped.

Parameters
HyperTraceOperationRequest
Returns
BOOLEAN
210{
212 {
213 if (HyperTraceOperationRequest != NULL)
214 {
215 HyperTraceOperationRequest->KernelStatus = DEBUGGER_ERROR_PT_ALREADY_DISABLED;
216 }
217 return FALSE;
218 }
219
221
222 if (HyperTraceOperationRequest != NULL)
223 {
224 HyperTraceOperationRequest->KernelStatus = DEBUGGER_OPERATION_WAS_SUCCESSFUL;
225 }
226
227 return TRUE;
228}
VOID BroadcastPausePtOnAllCores()
Routines to pause PT tracing on all cores.
Definition Broadcast.c:100

◆ HyperTracePtPerformOperation()

IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTracePtPerformOperation ( HYPERTRACE_PT_OPERATION_PACKETS * PtOperationRequest)

Perform actions related to HyperTrace PT.

Parameters
PtOperationRequest
Returns
BOOLEAN
554{
555 BOOLEAN Status = TRUE;
556
557 //
558 // Check if the hypertrace module is initialized before performing any operation
559 //
561 {
563 return FALSE;
564 }
565
566 //
567 // Perform the requested operation
568 //
569 switch (PtOperationRequest->PtOperationType)
570 {
572
573 LogInfo("HyperTrace: Enabling PT tracing...\n");
574
575 HyperTracePtEnable(PtOperationRequest);
576
577 break;
578
580
581 LogInfo("HyperTrace: Disabling PT tracing...\n");
582
583 HyperTracePtDisable(PtOperationRequest);
584
585 break;
586
588
589 LogInfo("HyperTrace: Pausing PT tracing...\n");
590
591 HyperTracePtPause(PtOperationRequest);
592
593 break;
594
596
597 LogInfo("HyperTrace: Resuming PT tracing...\n");
598
599 HyperTracePtResume(PtOperationRequest);
600
601 break;
602
604
605 LogInfo("HyperTrace: Snapshotting PT buffer sizes...\n");
606
607 HyperTracePtSize(PtOperationRequest);
608
609 break;
610
612
613 LogInfo("HyperTrace: Showing PT tracing...\n");
614
615 HyperTracePtDump(PtOperationRequest);
616
617 break;
618
620
621 LogInfo("HyperTrace: Flushing PT tracing...\n");
622
623 HyperTracePtFlush(PtOperationRequest);
624
625 break;
626
628
629 LogInfo("HyperTrace: Updating PT filter / config...\n");
630
631 HyperTracePtFilter(PtOperationRequest);
632
633 break;
634
635 default:
636 Status = FALSE;
638 break;
639 }
640
641 return Status;
642}
BOOLEAN HyperTracePtPause(HYPERTRACE_PT_OPERATION_PACKETS *HyperTraceOperationRequest)
Pause PT tracing on every core. Buffers stay allocated and the per-CPU CTL is preserved,...
Definition PtApi.c:209
BOOLEAN HyperTracePtSize(HYPERTRACE_PT_OPERATION_PACKETS *HyperTraceOperationRequest)
Snapshot the current PT output position on every core and write the per-CPU byte counts into HyperTra...
Definition PtApi.c:270
BOOLEAN HyperTracePtResume(HYPERTRACE_PT_OPERATION_PACKETS *HyperTraceOperationRequest)
Resume PT tracing on every core after a prior HyperTracePtPause.
Definition PtApi.c:238
BOOLEAN HyperTracePtFlush(HYPERTRACE_PT_OPERATION_PACKETS *HyperTraceOperationRequest)
Flush PT trace state on all cores (free buffers).
Definition PtApi.c:339
BOOLEAN HyperTracePtFilter(HYPERTRACE_PT_OPERATION_PACKETS *Req)
Apply a new PT trace configuration (TraceUser / TraceKernel / TargetCr3 / BufferSize / NumAddrRanges ...
Definition PtApi.c:406
BOOLEAN HyperTracePtDump(HYPERTRACE_PT_OPERATION_PACKETS *HyperTraceOperationRequest)
Dump PT trace state for HyperTrace.
Definition PtApi.c:308
BOOLEAN HyperTracePtEnable(HYPERTRACE_PT_OPERATION_PACKETS *PtOperationRequest)
Enable PT tracing for HyperTrace.
Definition PtApi.c:94
BOOLEAN HyperTracePtDisable(HYPERTRACE_PT_OPERATION_PACKETS *PtOperationRequest)
Disable PT tracing for HyperTrace.
Definition PtApi.c:157
@ HYPERTRACE_PT_OPERATION_REQUEST_TYPE_PAUSE
Definition RequestStructures.h:1356
@ HYPERTRACE_PT_OPERATION_REQUEST_TYPE_DUMP
Definition RequestStructures.h:1359
@ HYPERTRACE_PT_OPERATION_REQUEST_TYPE_ENABLE
Definition RequestStructures.h:1354
@ HYPERTRACE_PT_OPERATION_REQUEST_TYPE_FILTER
Definition RequestStructures.h:1361
@ HYPERTRACE_PT_OPERATION_REQUEST_TYPE_RESUME
Definition RequestStructures.h:1357
@ HYPERTRACE_PT_OPERATION_REQUEST_TYPE_SIZE
Definition RequestStructures.h:1358
@ HYPERTRACE_PT_OPERATION_REQUEST_TYPE_FLUSH
Definition RequestStructures.h:1360
@ HYPERTRACE_PT_OPERATION_REQUEST_TYPE_DISABLE
Definition RequestStructures.h:1355
HYPERTRACE_PT_OPERATION_REQUEST_TYPE PtOperationType
Definition RequestStructures.h:1383

◆ HyperTracePtResume()

IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTracePtResume ( HYPERTRACE_PT_OPERATION_PACKETS * HyperTraceOperationRequest)

Resume PT tracing on every core after a prior HyperTracePtPause.

Parameters
HyperTraceOperationRequest
Returns
BOOLEAN
239{
241 {
242 if (HyperTraceOperationRequest != NULL)
243 {
244 HyperTraceOperationRequest->KernelStatus = DEBUGGER_ERROR_PT_ALREADY_DISABLED;
245 }
246 return FALSE;
247 }
248
250
251 if (HyperTraceOperationRequest != NULL)
252 {
253 HyperTraceOperationRequest->KernelStatus = DEBUGGER_OPERATION_WAS_SUCCESSFUL;
254 }
255
256 return TRUE;
257}
VOID BroadcastResumePtOnAllCores()
Routines to resume PT tracing on all cores.
Definition Broadcast.c:111

◆ HyperTracePtSize()

IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTracePtSize ( HYPERTRACE_PT_OPERATION_PACKETS * HyperTraceOperationRequest)

Snapshot the current PT output position on every core and write the per-CPU byte counts into HyperTraceOperationRequest->BytesPerCpu. The returned counts are the decode window — bytes [0, BytesPerCpu[i]) in CPU i's user mapping currently hold valid trace data.

Parameters
HyperTraceOperationRequest
Returns
BOOLEAN
271{
272 UINT32 ProcessorsCount;
273
275 {
276 if (HyperTraceOperationRequest != NULL)
277 {
278 HyperTraceOperationRequest->KernelStatus = DEBUGGER_ERROR_PT_ALREADY_DISABLED;
279 }
280 return FALSE;
281 }
282
283 if (HyperTraceOperationRequest == NULL)
284 return FALSE;
285
286 ProcessorsCount = KeQueryActiveProcessorCount(0);
287 if (ProcessorsCount > PT_MAX_CPUS_FOR_MMAP)
288 ProcessorsCount = PT_MAX_CPUS_FOR_MMAP;
289
290 RtlZeroMemory(HyperTraceOperationRequest->BytesPerCpu,
291 sizeof(HyperTraceOperationRequest->BytesPerCpu));
292
293 BroadcastSizePtOnAllCores(HyperTraceOperationRequest->BytesPerCpu);
294
295 HyperTraceOperationRequest->NumCpus = ProcessorsCount;
296 HyperTraceOperationRequest->KernelStatus = DEBUGGER_OPERATION_WAS_SUCCESSFUL;
297 return TRUE;
298}
VOID BroadcastSizePtOnAllCores(UINT64 *Sizes)
Routines to snapshot per-CPU PT output positions. The DPC writes its own core's byte count into Sizes...
Definition Broadcast.c:124
UINT32 NumCpus
Definition RequestStructures.h:1402
UINT64 BytesPerCpu[PT_MAX_CPUS_FOR_MMAP]
Definition RequestStructures.h:1404

◆ HyperTraceUninit()

IMPORT_EXPORT_HYPERTRACE VOID HyperTraceUninit ( )

Uninitialize the hypertrace module.

Returns
VOID
105{
106 //
107 // Check if the callbacks are initialized, if not, we don't need to handle anymore
108 //
110 {
111 return;
112 }
113
114 //
115 // Disable LBR tracing if it is still enabled
116 //
118 {
120 }
121
122 //
123 // Unallocate the global LBR state list if it is allocated
124 //
125 if (g_LbrStateList != NULL)
126 {
129 }
130
131 //
132 // Disable Processor Trace if it is still enabled
133 //
135 {
137 }
138
139 //
140 // Free PT buffers (if any) and the per-CPU state list
141 //
142 if (g_PtStateList != NULL)
143 {
144 UINT32 ProcessorsCountLocal = KeQueryActiveProcessorCount(0);
145 UINT32 i;
146
147 for (i = 0; i < ProcessorsCountLocal; i++)
148 {
150 }
151
154 }
155
156 //
157 // Reset the environment flag to default value
158 //
160
161 //
162 // Set callbacks to not initialized
163 //
165}
PVOID PlatformMemFreePool(PVOID BufferAddress)
Frees a memory pool.
Definition PlatformMem.c:269
IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTracePtDisable(HYPERTRACE_PT_OPERATION_PACKETS *PtOperationRequest)
Disable PT tracing for HyperTrace.
Definition PtApi.c:157
VOID PtEngineFreeBuffers(PT_PER_CPU *Cpu)
Free all PT buffers belonging to one per-CPU context. Must not be called while State == PT_STATE_TRAC...
Definition Pt.c:482
NULL()
Definition test-case-generator.py:530