kd.cpp File Reference

routines to kernel debugging More...

#include "pch.h"

Functions
BOOLEAN	KdCheckForTheEndOfTheBuffer (PUINT32 CurrentLoopIndex, BYTE *Buffer)
	compares the buffer with a string
BOOLEAN	KdCompareBufferWithString (CHAR *Buffer, const CHAR *CompareBuffer)
	compares the buffer with a string
BYTE	KdComputeDataChecksum (PVOID Buffer, UINT32 Length)
	calculate the checksum of received buffer from debugger
VOID	KdInterpretPausedDebuggee ()
	Interpret the packets from debuggee in the case of paused.
BOOLEAN	KdSendContinuePacketToDebuggee ()
	Sends a continue or 'g' command packet to the debuggee.
BOOLEAN	KdSendSwitchCorePacketToDebuggee (UINT32 NewCore)
	Sends a change core or '~ x' command packet to the debuggee.
BOOLEAN	KdSendShortCircuitingEventToDebuggee (BOOLEAN IsEnabled)
	Sends a short-circuiting event request to debuggee.
BOOLEAN	KdSendEventQueryAndModifyPacketToDebuggee (UINT64 Tag, DEBUGGER_MODIFY_EVENTS_TYPE TypeOfAction, BOOLEAN *IsEnabled)
	Sends a query or request to enable/disable/clear for event.
BOOLEAN	KdSendFlushPacketToDebuggee ()
	Send a flush request to the debuggee.
BOOLEAN	KdSendCallStackPacketToDebuggee (UINT64 BaseAddress, UINT32 Size, DEBUGGER_CALLSTACK_DISPLAY_METHOD DisplayMethod, BOOLEAN Is32Bit)
	Send a callstack request to the debuggee.
BOOLEAN	KdSendTestQueryPacketToDebuggee (DEBUGGER_TEST_QUERY_STATE Type)
	Send a test query request to the debuggee.
BOOLEAN	KdSendTestQueryPacketWithContextToDebuggee (DEBUGGER_TEST_QUERY_STATE Type, UINT64 Context)
	Send a test query request to the debuggee with the specified context.
BOOLEAN	KdSendSymbolReloadPacketToDebuggee (UINT32 ProcessId)
	Send symbol reload packet to the debuggee.
BOOLEAN	KdSendReadRegisterPacketToDebuggee (PDEBUGGEE_REGISTER_READ_DESCRIPTION RegDes, UINT32 RegBuffSize)
	Send a read register packet to the debuggee.
BOOLEAN	KdSendWriteRegisterPacketToDebuggee (PDEBUGGEE_REGISTER_WRITE_DESCRIPTION RegDes)
	Send a write register packet to the debuggee.
BOOLEAN	KdSendReadMemoryPacketToDebuggee (PDEBUGGER_READ_MEMORY ReadMem, UINT32 RequestSize)
	Send a Read memory packet to the debuggee.
BOOLEAN	KdSendEditMemoryPacketToDebuggee (PDEBUGGER_EDIT_MEMORY EditMem, UINT32 Size)
	Send an Edit memory packet to the debuggee.
PDEBUGGER_EVENT_AND_ACTION_RESULT	KdSendRegisterEventPacketToDebuggee (PDEBUGGER_GENERAL_EVENT_DETAIL Event, UINT32 EventBufferLength)
	Send a register event request to the debuggee.
PDEBUGGER_EVENT_AND_ACTION_RESULT	KdSendAddActionToEventPacketToDebuggee (PDEBUGGER_GENERAL_ACTION GeneralAction, UINT32 GeneralActionLength)
	Send an add action to event request to the debuggee.
BOOLEAN	KdSendSwitchProcessPacketToDebuggee (DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_TYPE ActionType, UINT32 NewPid, UINT64 NewProcess, BOOLEAN SetChangeByClockInterrupt, PDEBUGGEE_PROCESS_LIST_NEEDED_DETAILS SymDetailsForProcessList)
	Sends a change process or show process details packet to the debuggee.
BOOLEAN	KdSendSwitchThreadPacketToDebuggee (DEBUGGEE_DETAILS_AND_SWITCH_THREAD_TYPE ActionType, UINT32 NewTid, UINT64 NewThread, BOOLEAN CheckByClockInterrupt, PDEBUGGEE_THREAD_LIST_NEEDED_DETAILS SymDetailsForThreadList)
	Sends a change thread or show threads detail packet to the debuggee.
BOOLEAN	KdSendPtePacketToDebuggee (PDEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS PtePacket)
	Sends a PTE or '!pte' command packet to the debuggee.
BOOLEAN	KdSendPageinPacketToDebuggee (PDEBUGGER_PAGE_IN_REQUEST PageinPacket)
	Sends a page-in or '.pagein' command packet to the debuggee.
BOOLEAN	KdSendVa2paAndPa2vaPacketToDebuggee (PDEBUGGER_VA2PA_AND_PA2VA_COMMANDS Va2paAndPa2vaPacket)
	Sends VA2PA and PA2VA packest, or '!va2pa' and '!pa2va' commands packet to the debuggee.
BOOLEAN	KdSendBpPacketToDebuggee (PDEBUGGEE_BP_PACKET BpPacket)
	Sends a breakpoint set or 'bp' command packet to the debuggee.
BOOLEAN	KdSendListOrModifyPacketToDebuggee (PDEBUGGEE_BP_LIST_OR_MODIFY_PACKET ListOrModifyPacket)
	Sends a breakpoint list or modification packet to the debuggee.
BOOLEAN	KdSendScriptPacketToDebuggee (UINT64 BufferAddress, UINT32 BufferLength, UINT32 Pointer, BOOLEAN IsFormat)
	Sends a script packet to the debuggee.
BOOLEAN	KdSendUserInputPacketToDebuggee (const char *Sendbuf, int Len, BOOLEAN IgnoreBreakingAgain)
	Sends user input packet to the debuggee.
BOOLEAN	KdSendSearchRequestPacketToDebuggee (UINT64 *SearchRequestBuffer, UINT32 SearchRequestBufferSize)
	Sends search query request packet to the debuggee.
BOOLEAN	KdSendStepPacketToDebuggee (DEBUGGER_REMOTE_STEPPING_REQUEST StepRequestType)
	Sends p (step out) and t (step in) packet to the debuggee.
BOOLEAN	KdSendPausePacketToDebuggee ()
	Sends a PAUSE packet to the debuggee.
BOOLEAN	KdGetWindowVersion (CHAR *BufferToSave)
	Get Windows name, version and build to send to debugger.

Variables
PMODULE_SYMBOL_DETAIL	g_SymbolTable
	The buffer that stores the details of symbol table.
UINT32	g_SymbolTableSize
	The buffer that stores size of the details of symbol table.
UINT32	g_SymbolTableCurrentIndex
	The index to hold the track of added symbols.
HANDLE	g_SerialListeningThreadHandle
	In debuggee and debugger, we save the handle of the user-mode listening thread for pauses here.
HANDLE	g_SerialRemoteComPortHandle
	In debugger (not debuggee), we save the handle of the user-mode listening thread for remote system here.
HANDLE	g_DebuggeeStopCommandEventHandle
	An event to make sure that the user won't give any command in debuggee and all the commands are coming from just the debugger.
DEBUGGER_SYNCRONIZATION_EVENTS_STATE	g_KernelSyncronizationObjectsHandleTable [DEBUGGER_MAXIMUM_SYNCRONIZATION_KERNEL_DEBUGGER_OBJECTS]
	In debugger (not debuggee), we save the handle of the user-mode listening thread for pauses here for kernel debugger.
BYTE	g_CurrentRunningInstruction [MAXIMUM_INSTR_SIZE]
	Current executing instructions.
BOOLEAN	g_IsConnectedToHyperDbgLocally
	Shows whether the user is allowed to use 'load' command to load modules locally in VMI (virtual machine introspection) mode.
OVERLAPPED	g_OverlappedIoStructureForReadDebugger
	This is an OVERLAPPED structure for managing simultaneous read and writes for debugger (in current design debuggee is not needed to write simultaneously but it's needed for write)
OVERLAPPED	g_OverlappedIoStructureForWriteDebugger
OVERLAPPED	g_OverlappedIoStructureForReadDebuggee
DEBUGGER_EVENT_AND_ACTION_RESULT	g_DebuggeeResultOfRegisteringEvent
	Holds the result of registering events from the remote debuggee.
DEBUGGER_EVENT_AND_ACTION_RESULT	g_DebuggeeResultOfAddingActionsToEvent
	Holds the result of adding action to events from the remote debuggee.
BOOLEAN	g_IsSerialConnectedToRemoteDebuggee
	Shows if the debugger was connected to remote debuggee over (A remote guest)
BOOLEAN	g_IsSerialConnectedToRemoteDebugger
	Shows if the debugger was connected to remote debugger (A remote host)
BOOLEAN	g_IsDebuggerConntectedToNamedPipe
	Shows if the debugger is connected to the guest using named pipe.
BOOLEAN	g_IsDebuggeeRunning
	Shows if the debuggee is running or not.
BOOLEAN	g_IsDebuggerModulesLoaded
	this variable is used to indicate that modules are loaded so we make sure to later use a trace of loading in 'unload' command (used in Debugger VMM)
BOOLEAN	g_SerialConnectionAlreadyClosed
	In both debuggee and debugger we save the state of the closed connection to avoid double close.
BOOLEAN	g_IgnoreNewLoggingMessages
	Shows if the debugger should show debuggee's messages or not.
BOOLEAN	g_SharedEventStatus
	Shows whether the queried event is enabled or disabled.
BOOLEAN	g_IsRunningInstruction32Bit
	whether the Current executing instructions is 32-bit or 64 bit
BOOLEAN	g_IgnorePauseRequests
	Show whether the pause request (CTRL+C or CTRL+BREAK) should be ignored or not.
BOOLEAN	g_IsDebuggeeInHandshakingPhase
	Shows if the debuggee is in the handshake phase or not.
BOOLEAN	g_ShouldPreviousCommandBeContinued
	Shows whether the previous command should be continued or not.
BYTE	g_EndOfBufferCheckSerial [4]
	the buffer that we set at the end of buffers for serial
ULONG	g_CurrentRemoteCore
	Current core that the debuggee is debugging.

Detailed Description

routines to kernel debugging

Author

Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)

Version

0.1

Date

2020-12-22

Copyright

This project is released under the GNU Public License v3.

Function Documentation

KdCheckForTheEndOfTheBuffer()

BOOLEAN KdCheckForTheEndOfTheBuffer	(	PUINT32	CurrentLoopIndex,
		BYTE *	Buffer )

compares the buffer with a string

Parameters

CurrentLoopIndex	Number of previously read bytes
Buffer

Returns

BOOLEAN

{
    UINT32 ActualBufferLength;
 
    ActualBufferLength = *CurrentLoopIndex;
 
    //
    // End of buffer is 4 character long
    //
    if (*CurrentLoopIndex <= 3)
    {
        return FALSE;
    }
 
    if (Buffer[ActualBufferLength] == SERIAL_END_OF_BUFFER_CHAR_4 &&
        Buffer[ActualBufferLength - 1] == SERIAL_END_OF_BUFFER_CHAR_3 &&
        Buffer[ActualBufferLength - 2] == SERIAL_END_OF_BUFFER_CHAR_2 &&
        Buffer[ActualBufferLength - 3] == SERIAL_END_OF_BUFFER_CHAR_1)
    {
        //
        // Clear the end character
        //
        Buffer[ActualBufferLength - 3] = NULL;
        Buffer[ActualBufferLength - 2] = NULL;
        Buffer[ActualBufferLength - 1] = NULL;
        Buffer[ActualBufferLength]     = NULL;
 
        //
        // Set the new length
        //
        *CurrentLoopIndex = ActualBufferLength - 3;
 
        return TRUE;
    }
    return FALSE;
}

KdCompareBufferWithString()

BOOLEAN KdCompareBufferWithString	(	CHAR *	Buffer,
		const CHAR *	CompareBuffer )

compares the buffer with a string

Parameters

Buffer
CompareBuffer

Returns

BOOLEAN

{
    int Result;
 
    Result = strcmp(Buffer, CompareBuffer);
 
    if (Result == 0)
        return TRUE;
    else
        return FALSE;
}

KdComputeDataChecksum()

BYTE KdComputeDataChecksum	(	PVOID	Buffer,
		UINT32	Length )

calculate the checksum of received buffer from debugger

Parameters

Buffer
LengthReceived

Returns

BYTE

{
    BYTE CalculatedCheckSum = 0;
    BYTE Temp               = 0;
    while (Length--)
    {
        Temp               = *(BYTE *)Buffer;
        CalculatedCheckSum = CalculatedCheckSum + Temp;
        Buffer             = (PVOID)((UINT64)Buffer + 1);
    }
    return CalculatedCheckSum;
}

KdGetWindowVersion()

BOOLEAN KdGetWindowVersion

(

CHAR *

BufferToSave

)

Get Windows name, version and build to send to debugger.

Parameters

BufferToSave

Returns

BOOLEAN

KdInterpretPausedDebuggee()

VOID KdInterpretPausedDebuggee

(

)

Interpret the packets from debuggee in the case of paused.

Returns

VOID

{
    //
    // Wait for handshake to complete or in other words
    // get the receive packet
    //
    DbgWaitForKernelResponse(DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_PAUSED_DEBUGGEE_DETAILS);
}

KdSendAddActionToEventPacketToDebuggee()

PDEBUGGER_EVENT_AND_ACTION_RESULT KdSendAddActionToEventPacketToDebuggee	(	PDEBUGGER_GENERAL_ACTION	GeneralAction,
		UINT32	GeneralActionLength )

Send an add action to event request to the debuggee.

as this command uses one global variable to transfer the buffers so should not be called simultaneously

Parameters

GeneralAction
GeneralActionLength

Returns

PDEBUGGER_EVENT_AND_ACTION_RESULT

{
    PDEBUGGEE_EVENT_AND_ACTION_HEADER_FOR_REMOTE_PACKET Header;
    UINT32                                              Len;
 
    Len = GeneralActionLength +
          sizeof(DEBUGGEE_EVENT_AND_ACTION_HEADER_FOR_REMOTE_PACKET);
 
    Header = (PDEBUGGEE_EVENT_AND_ACTION_HEADER_FOR_REMOTE_PACKET)malloc(Len);
 
    if (Header == NULL)
    {
        return NULL;
    }
 
    RtlZeroMemory(Header, Len);
 
    //
    // Set length in header
    //
    Header->Length = GeneralActionLength;
 
    //
    // Move buffer
    //
    memcpy((PVOID)((UINT64)Header +
                   sizeof(DEBUGGEE_EVENT_AND_ACTION_HEADER_FOR_REMOTE_PACKET)),
           (PVOID)GeneralAction,
           GeneralActionLength);
 
    RtlZeroMemory(&g_DebuggeeResultOfAddingActionsToEvent,
                  sizeof(DEBUGGER_EVENT_AND_ACTION_RESULT));
 
    //
    // Send add action to event packet
    //
    if (!KdCommandPacketAndBufferToDebuggee(
            DEBUGGER_REMOTE_PACKET_TYPE_DEBUGGER_TO_DEBUGGEE_EXECUTE_ON_VMX_ROOT,
            DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_ADD_ACTION_TO_EVENT,
            (CHAR *)Header,
            Len))
    {
        free(Header);
        return NULL;
    }
 
    //
    // Wait until the result of adding action to event received
    //
    DbgWaitForKernelResponse(DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_ADD_ACTION_TO_EVENT);
 
    free(Header);
 
    return &g_DebuggeeResultOfAddingActionsToEvent;
}

KdSendBpPacketToDebuggee()

BOOLEAN KdSendBpPacketToDebuggee

(

PDEBUGGEE_BP_PACKET

BpPacket

)

Sends a breakpoint set or 'bp' command packet to the debuggee.

Parameters

BpPacket

Returns

BOOLEAN

{
    //
    // Send 'bp' as a breakpoint packet
    //
    if (!KdCommandPacketAndBufferToDebuggee(
            DEBUGGER_REMOTE_PACKET_TYPE_DEBUGGER_TO_DEBUGGEE_EXECUTE_ON_VMX_ROOT,
            DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_BP,
            (CHAR *)BpPacket,
            sizeof(DEBUGGEE_BP_PACKET)))
    {
        return FALSE;
    }
 
    //
    // Wait until the result of putting breakpoint is received
    //
    DbgWaitForKernelResponse(DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_BP);
 
    return TRUE;
}

KdSendCallStackPacketToDebuggee()

BOOLEAN KdSendCallStackPacketToDebuggee	(	UINT64	BaseAddress,
		UINT32	Size,
		DEBUGGER_CALLSTACK_DISPLAY_METHOD	DisplayMethod,
		BOOLEAN	Is32Bit )

Send a callstack request to the debuggee.

Parameters

BaseAddress
Size
DisplayMethod
Is32Bit

Returns

BOOLEAN

{
    UINT32                      FrameCount;
    UINT32                      CallstackRequestSize = 0;
    PDEBUGGER_CALLSTACK_REQUEST CallstackPacket      = NULL;
 
    if (Size == 0)
    {
        return FALSE;
    }
 
    if (Is32Bit)
    {
        FrameCount = Size / sizeof(UINT32);
    }
    else
    {
        FrameCount = Size / sizeof(UINT64);
    }
 
    CallstackRequestSize = sizeof(DEBUGGER_CALLSTACK_REQUEST) + (sizeof(DEBUGGER_SINGLE_CALLSTACK_FRAME) * FrameCount);
 
    //
    // Allocate buffer for request
    //
    CallstackPacket = (PDEBUGGER_CALLSTACK_REQUEST)malloc(CallstackRequestSize);
 
    if (CallstackPacket == NULL)
    {
        return FALSE;
    }
 
    RtlZeroMemory(CallstackPacket, CallstackRequestSize);
 
    //
    // Set the details
    //
    CallstackPacket->BaseAddress   = BaseAddress;
    CallstackPacket->Is32Bit       = Is32Bit;
    CallstackPacket->Size          = Size;
    CallstackPacket->BufferSize    = CallstackRequestSize;
    CallstackPacket->FrameCount    = FrameCount;
    CallstackPacket->DisplayMethod = DisplayMethod;
 
    //
    // Send 'k' command as callstack request packet
    //
    if (!KdCommandPacketAndBufferToDebuggee(
            DEBUGGER_REMOTE_PACKET_TYPE_DEBUGGER_TO_DEBUGGEE_EXECUTE_ON_VMX_ROOT,
            DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_MODE_CALLSTACK,
            (CHAR *)CallstackPacket,
            CallstackRequestSize))
    {
        free(CallstackPacket);
        return FALSE;
    }
 
    //
    // Wait until the result of callstack is received
    //
    DbgWaitForKernelResponse(DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_CALLSTACK_RESULT);
 
    free(CallstackPacket);
    return TRUE;
}

KdSendContinuePacketToDebuggee()

BOOLEAN KdSendContinuePacketToDebuggee

(

)

Sends a continue or 'g' command packet to the debuggee.

Returns

BOOLEAN

{
    //
    // No core
    //
    g_CurrentRemoteCore = DEBUGGER_DEBUGGEE_IS_RUNNING_NO_CORE;
 
    //
    // Send 'g' as continue packet
    //
    if (!KdCommandPacketToDebuggee(
            DEBUGGER_REMOTE_PACKET_TYPE_DEBUGGER_TO_DEBUGGEE_EXECUTE_ON_VMX_ROOT,
            DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_MODE_CONTINUE))
    {
        return FALSE;
    }
 
    return TRUE;
}

KdSendEditMemoryPacketToDebuggee()

BOOLEAN KdSendEditMemoryPacketToDebuggee	(	PDEBUGGER_EDIT_MEMORY	EditMem,
		UINT32	Size )

Send an Edit memory packet to the debuggee.

Parameters

EditMem
Size

Returns

BOOLEAN

{
    //
    // Set the request data
    //
    DbgWaitSetRequestData(DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_EDIT_MEMORY, EditMem, sizeof(DEBUGGER_EDIT_MEMORY));
 
    //
    // Send d command as read memory packet
    //
    if (!KdCommandPacketAndBufferToDebuggee(
            DEBUGGER_REMOTE_PACKET_TYPE_DEBUGGER_TO_DEBUGGEE_EXECUTE_ON_VMX_ROOT,
            DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_EDIT_MEMORY,
            (CHAR *)EditMem,
            Size))
    {
        return FALSE;
    }
 
    //
    // Wait until the result of read registers received
    //
    DbgWaitForKernelResponse(DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_EDIT_MEMORY);
 
    return TRUE;
}

KdSendEventQueryAndModifyPacketToDebuggee()

BOOLEAN KdSendEventQueryAndModifyPacketToDebuggee	(	UINT64	Tag,
		DEBUGGER_MODIFY_EVENTS_TYPE	TypeOfAction,
		BOOLEAN *	IsEnabled )

Sends a query or request to enable/disable/clear for event.

if IsQueryState is TRUE then TypeOfAction is ignored

Parameters

Tag
TypeOfAction
IsEnabled	If it's a query state then this argument can be used

Returns

BOOLEAN

{
    DEBUGGER_MODIFY_EVENTS ModifyAndQueryEventPacket = {0};
 
    g_SharedEventStatus = FALSE;
 
    //
    // Fill the structure of packet
    //
    ModifyAndQueryEventPacket.Tag          = Tag;
    ModifyAndQueryEventPacket.TypeOfAction = TypeOfAction;
 
    //
    // Send modify and query event packet
    //
    if (!KdCommandPacketAndBufferToDebuggee(
            DEBUGGER_REMOTE_PACKET_TYPE_DEBUGGER_TO_DEBUGGEE_EXECUTE_ON_VMX_ROOT,
            DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_QUERY_AND_MODIFY_EVENT,
            (CHAR *)&ModifyAndQueryEventPacket,
            sizeof(DEBUGGER_MODIFY_EVENTS)))
    {
        return FALSE;
    }
 
    //
    // Wait until the result of query and modify event is received
    //
    DbgWaitForKernelResponse(DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_MODIFY_AND_QUERY_EVENT);
 
    if (TypeOfAction == DEBUGGER_MODIFY_EVENTS_QUERY_STATE)
    {
        //
        // We should read the results to set IsEnabled variable
        //
        *IsEnabled = g_SharedEventStatus;
    }
 
    return TRUE;
}

KdSendFlushPacketToDebuggee()

BOOLEAN KdSendFlushPacketToDebuggee

(

)

Send a flush request to the debuggee.

Returns

BOOLEAN

{
    DEBUGGER_FLUSH_LOGGING_BUFFERS FlushPacket = {0};
 
    //
    // Send 'flush' command as flush packet
    //
    if (!KdCommandPacketAndBufferToDebuggee(
            DEBUGGER_REMOTE_PACKET_TYPE_DEBUGGER_TO_DEBUGGEE_EXECUTE_ON_VMX_ROOT,
            DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_MODE_FLUSH_BUFFERS,
            (CHAR *)&FlushPacket,
            sizeof(DEBUGGER_FLUSH_LOGGING_BUFFERS)))
    {
        return FALSE;
    }
 
    //
    // Wait until the result of flushing received
    //
    DbgWaitForKernelResponse(DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_FLUSH_RESULT);
 
    return TRUE;
}

KdSendListOrModifyPacketToDebuggee()

BOOLEAN KdSendListOrModifyPacketToDebuggee

(

PDEBUGGEE_BP_LIST_OR_MODIFY_PACKET

ListOrModifyPacket

)

Sends a breakpoint list or modification packet to the debuggee.

Parameters

ListOrModifyPacket

Returns

BOOLEAN

{
    //
    // Send list or modify breakpoint packet
    //
    if (!KdCommandPacketAndBufferToDebuggee(
            DEBUGGER_REMOTE_PACKET_TYPE_DEBUGGER_TO_DEBUGGEE_EXECUTE_ON_VMX_ROOT,
            DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_LIST_OR_MODIFY_BREAKPOINTS,
            (CHAR *)ListOrModifyPacket,
            sizeof(DEBUGGEE_BP_LIST_OR_MODIFY_PACKET)))
    {
        return FALSE;
    }
 
    //
    // Wait until the result of listing or modifying breakpoints is received
    //
    DbgWaitForKernelResponse(DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_LIST_OR_MODIFY_BREAKPOINTS);
 
    return TRUE;
}

KdSendPageinPacketToDebuggee()

BOOLEAN KdSendPageinPacketToDebuggee

(

PDEBUGGER_PAGE_IN_REQUEST

PageinPacket

)

Sends a page-in or '.pagein' command packet to the debuggee.

Parameters

PageinPacket

Returns

BOOLEAN

{
    //
    // Send the '.pagein' packet
    //
    if (!KdCommandPacketAndBufferToDebuggee(
            DEBUGGER_REMOTE_PACKET_TYPE_DEBUGGER_TO_DEBUGGEE_EXECUTE_ON_VMX_ROOT,
            DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_INJECT_PAGE_FAULT,
            (CHAR *)PageinPacket,
            sizeof(DEBUGGER_PAGE_IN_REQUEST)))
    {
        return FALSE;
    }
 
    //
    // Wait until the result of page-in packet is received
    //
    DbgWaitForKernelResponse(DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_PAGE_IN_STATE);
 
    return TRUE;
}

KdSendPausePacketToDebuggee()

BOOLEAN KdSendPausePacketToDebuggee

(

)

Sends a PAUSE packet to the debuggee.

Returns

BOOLEAN

{
    //
    // Send the pause packet to debuggee
    //
    if (!KdCommandPacketToDebuggee(
            DEBUGGER_REMOTE_PACKET_TYPE_DEBUGGER_TO_DEBUGGEE_EXECUTE_ON_USER_MODE,
            DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_USER_MODE_PAUSE))
    {
        return FALSE;
    }
 
    //
    // Handle the paused state (show rip, instructions, etc.)
    //
    KdInterpretPausedDebuggee();
 
    return TRUE;
}

KdSendPtePacketToDebuggee()

BOOLEAN KdSendPtePacketToDebuggee

(

PDEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS

PtePacket

)

Sends a PTE or '!pte' command packet to the debuggee.

Parameters

PtePacket

Returns

BOOLEAN

{
    //
    // Send the '!pte' packet
    //
    if (!KdCommandPacketAndBufferToDebuggee(
            DEBUGGER_REMOTE_PACKET_TYPE_DEBUGGER_TO_DEBUGGEE_EXECUTE_ON_VMX_ROOT,
            DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_SYMBOL_QUERY_PTE,
            (CHAR *)PtePacket,
            sizeof(DEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS)))
    {
        return FALSE;
    }
 
    //
    // Wait until the result of PTE packet is received
    //
    DbgWaitForKernelResponse(DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_PTE_RESULT);
 
    return TRUE;
}

KdSendReadMemoryPacketToDebuggee()

BOOLEAN KdSendReadMemoryPacketToDebuggee	(	PDEBUGGER_READ_MEMORY	ReadMem,
		UINT32	RequestSize )

Send a Read memory packet to the debuggee.

Parameters

ReadMem
Size

Returns

BOOLEAN

{
    //
    // Set the request data
    //
    DbgWaitSetRequestData(DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_READ_MEMORY, ReadMem, RequestSize);
 
    //
    // Send u-d command as read memory packet
    //
    if (!KdCommandPacketAndBufferToDebuggee(
            DEBUGGER_REMOTE_PACKET_TYPE_DEBUGGER_TO_DEBUGGEE_EXECUTE_ON_VMX_ROOT,
            DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_READ_MEMORY,
            (CHAR *)ReadMem,
            sizeof(DEBUGGER_READ_MEMORY) // only the header is enough, no need to send the entire buffer
            ))
    {
        return FALSE;
    }
 
    //
    // Wait until the result of read registers received
    //
    DbgWaitForKernelResponse(DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_READ_MEMORY);
 
    return TRUE;
}

KdSendReadRegisterPacketToDebuggee()

BOOLEAN KdSendReadRegisterPacketToDebuggee	(	PDEBUGGEE_REGISTER_READ_DESCRIPTION	RegDes,
		UINT32	RegBuffSize )

Send a read register packet to the debuggee.

Parameters

RegDes
RegBuffSize

Returns

BOOLEAN

{
    //
    // Set the request data
    //
    DbgWaitSetRequestData(DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_READ_REGISTERS, RegDes, RegBuffSize);
 
    //
    // Send the 'r' command as read register packet
    //
    if (!KdCommandPacketAndBufferToDebuggee(
            DEBUGGER_REMOTE_PACKET_TYPE_DEBUGGER_TO_DEBUGGEE_EXECUTE_ON_VMX_ROOT,
            DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_READ_REGISTERS,
            (CHAR *)RegDes,
            sizeof(DEBUGGEE_REGISTER_READ_DESCRIPTION) // only the header is enough, no need to send the entire buffer
            ))
    {
        return FALSE;
    }
 
    //
    // Wait until the result of read registers received
    //
    DbgWaitForKernelResponse(DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_READ_REGISTERS);
 
    return TRUE;
}

KdSendRegisterEventPacketToDebuggee()

PDEBUGGER_EVENT_AND_ACTION_RESULT KdSendRegisterEventPacketToDebuggee	(	PDEBUGGER_GENERAL_EVENT_DETAIL	Event,
		UINT32	EventBufferLength )

Send a register event request to the debuggee.

as this command uses one global variable to transfer the buffers so should not be called simultaneously

Parameters

Event
EventBufferLength

Returns

PDEBUGGER_EVENT_AND_ACTION_RESULT

{
    PDEBUGGEE_EVENT_AND_ACTION_HEADER_FOR_REMOTE_PACKET Header;
    UINT32                                              Len;
 
    Len = EventBufferLength +
          sizeof(DEBUGGEE_EVENT_AND_ACTION_HEADER_FOR_REMOTE_PACKET);
 
    Header = (PDEBUGGEE_EVENT_AND_ACTION_HEADER_FOR_REMOTE_PACKET)malloc(Len);
 
    if (Header == NULL)
    {
        return NULL;
    }
 
    RtlZeroMemory(Header, Len);
 
    //
    // Set length in header
    //
    Header->Length = EventBufferLength;
 
    //
    // Move buffer
    //
    memcpy((PVOID)((UINT64)Header +
                   sizeof(DEBUGGEE_EVENT_AND_ACTION_HEADER_FOR_REMOTE_PACKET)),
           (PVOID)Event,
           EventBufferLength);
 
    RtlZeroMemory(&g_DebuggeeResultOfRegisteringEvent,
                  sizeof(DEBUGGER_EVENT_AND_ACTION_RESULT));
 
    //
    // Send register event packet
    //
    if (!KdCommandPacketAndBufferToDebuggee(
            DEBUGGER_REMOTE_PACKET_TYPE_DEBUGGER_TO_DEBUGGEE_EXECUTE_ON_VMX_ROOT,
            DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_REGISTER_EVENT,
            (CHAR *)Header,
            Len))
    {
        free(Header);
        return NULL;
    }
 
    //
    // Wait until the result of registering received
    //
    DbgWaitForKernelResponse(DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_REGISTER_EVENT);
 
    free(Header);
 
    return &g_DebuggeeResultOfRegisteringEvent;
}

KdSendScriptPacketToDebuggee()

BOOLEAN KdSendScriptPacketToDebuggee	(	UINT64	BufferAddress,
		UINT32	BufferLength,
		UINT32	Pointer,
		BOOLEAN	IsFormat )

Sends a script packet to the debuggee.

Parameters

BufferAddress
BufferLength
Pointer
IsFormat

Returns

BOOLEAN

{
    PDEBUGGEE_SCRIPT_PACKET ScriptPacket;
    UINT32                  SizeOfStruct = 0;
 
    SizeOfStruct = sizeof(DEBUGGEE_SCRIPT_PACKET) + BufferLength;
 
    ScriptPacket = (DEBUGGEE_SCRIPT_PACKET *)malloc(SizeOfStruct);
 
    RtlZeroMemory(ScriptPacket, SizeOfStruct);
 
    //
    // Fill the script packet buffer
    //
    ScriptPacket->ScriptBufferSize    = BufferLength;
    ScriptPacket->ScriptBufferPointer = Pointer;
    ScriptPacket->IsFormat            = IsFormat;
 
    //
    // Move the buffer at the bottom of the script packet
    //
    memcpy((PVOID)((UINT64)ScriptPacket + sizeof(DEBUGGEE_SCRIPT_PACKET)),
           (PVOID)BufferAddress,
           BufferLength);
 
    //
    // Send script packet
    //
    if (!KdCommandPacketAndBufferToDebuggee(
            DEBUGGER_REMOTE_PACKET_TYPE_DEBUGGER_TO_DEBUGGEE_EXECUTE_ON_VMX_ROOT,
            DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_RUN_SCRIPT,
            (CHAR *)ScriptPacket,
            SizeOfStruct))
    {
        free(ScriptPacket);
        return FALSE;
    }
 
    if (IsFormat)
    {
        //
        // Wait for formats results too
        //
        DbgWaitForKernelResponse(DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_SCRIPT_FORMATS_RESULT);
    }
 
    //
    // Wait until the result of script engine received
    //
    DbgWaitForKernelResponse(DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_SCRIPT_RUNNING_RESULT);
 
    free(ScriptPacket);
    return TRUE;
}

KdSendSearchRequestPacketToDebuggee()

BOOLEAN KdSendSearchRequestPacketToDebuggee	(	UINT64 *	SearchRequestBuffer,
		UINT32	SearchRequestBufferSize )

Sends search query request packet to the debuggee.

Parameters

SearchRequestBuffer
SearchRequestBufferSize

Returns

BOOLEAN

{
    //
    // Send search request packet
    //
    if (!KdCommandPacketAndBufferToDebuggee(
            DEBUGGER_REMOTE_PACKET_TYPE_DEBUGGER_TO_DEBUGGEE_EXECUTE_ON_VMX_ROOT,
            DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_SEARCH_QUERY,
            (CHAR *)SearchRequestBuffer,
            SearchRequestBufferSize))
    {
        return FALSE;
    }
 
    //
    // Wait until the result of search request received
    //
    DbgWaitForKernelResponse(DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_SEARCH_QUERY_RESULT);
 
    return TRUE;
}

KdSendShortCircuitingEventToDebuggee()

BOOLEAN KdSendShortCircuitingEventToDebuggee

(

BOOLEAN

IsEnabled

)

Sends a short-circuiting event request to debuggee.

Parameters

IsEnabled

Returns

BOOLEAN

{
    DEBUGGER_SHORT_CIRCUITING_EVENT ShortCircuitEventPacket = {0};
 
    //
    // Fill the structure of the packet
    //
    ShortCircuitEventPacket.IsShortCircuiting = IsEnabled;
 
    //
    // Send modify and query event packet
    //
    if (!KdCommandPacketAndBufferToDebuggee(
            DEBUGGER_REMOTE_PACKET_TYPE_DEBUGGER_TO_DEBUGGEE_EXECUTE_ON_VMX_ROOT,
            DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_SET_SHORT_CIRCUITING_STATE,
            (CHAR *)&ShortCircuitEventPacket,
            sizeof(DEBUGGER_SHORT_CIRCUITING_EVENT)))
    {
        return FALSE;
    }
 
    //
    // Wait until the result of setting short-circuiting event state is received
    //
    DbgWaitForKernelResponse(DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_SHORT_CIRCUITING_EVENT_STATE);
 
    return TRUE;
}

KdSendStepPacketToDebuggee()

BOOLEAN KdSendStepPacketToDebuggee

(

DEBUGGER_REMOTE_STEPPING_REQUEST

StepRequestType

)

Sends p (step out) and t (step in) packet to the debuggee.

Returns

BOOLEAN

{
    DEBUGGEE_STEP_PACKET StepPacket = {0};
    UINT32               CallInstructionSize;
 
    //
    // Set the type of step packet
    //
    StepPacket.StepType = StepRequestType;
 
    //
    // Check if it's a step-over
    //
    if (StepRequestType == DEBUGGER_REMOTE_STEPPING_REQUEST_STEP_OVER ||
        StepRequestType == DEBUGGER_REMOTE_STEPPING_REQUEST_STEP_OVER_FOR_GU)
    {
        //
        // It's not needed to check for DEBUGGER_REMOTE_STEPPING_REQUEST_STEP_OVER_FOR_GU_LAST_INSTRUCTION
        // as the last instruction is a 'RET' not a 'CALL'
        //
 
        //
        // We should check whether the current instruction is a 'call'
        // instruction or not, if yes we have to compute the length of call
        //
        if (HyperDbgCheckWhetherTheCurrentInstructionIsCall(
                g_CurrentRunningInstruction,
                MAXIMUM_INSTR_SIZE,
                g_IsRunningInstruction32Bit ? FALSE : TRUE, // equals to !g_IsRunningInstruction32Bit
                &CallInstructionSize))
        {
            //
            // It's a call in step-over
            //
            StepPacket.IsCurrentInstructionACall = TRUE;
            StepPacket.CallLength                = CallInstructionSize;
        }
    }
 
    //
    // Set the debuggee is running after this command
    //
    if (StepRequestType == DEBUGGER_REMOTE_STEPPING_REQUEST_STEP_OVER ||
        StepRequestType == DEBUGGER_REMOTE_STEPPING_REQUEST_STEP_OVER_FOR_GU ||
        StepRequestType == DEBUGGER_REMOTE_STEPPING_REQUEST_STEP_IN)
    {
        //
        // The debuggee is also running after this type of command
        // This is because this way the debuggee is running after the step-over or step-in
        // so, if the program either terminates or couldn't run the next instruction, the
        // user could pause the debuggee again
        //
        g_IsDebuggeeRunning = TRUE;
    }
 
    //
    // Send step packet to the serial
    //
    if (!KdCommandPacketAndBufferToDebuggee(
            DEBUGGER_REMOTE_PACKET_TYPE_DEBUGGER_TO_DEBUGGEE_EXECUTE_ON_VMX_ROOT,
            DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_MODE_STEP,
            (CHAR *)&StepPacket,
            sizeof(DEBUGGEE_STEP_PACKET)))
    {
        return FALSE;
    }
 
    //
    // Wait until the result of user-input received
    //
    DbgWaitForKernelResponse(DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_IS_DEBUGGER_RUNNING);
 
    return TRUE;
}

KdSendSwitchCorePacketToDebuggee()

BOOLEAN KdSendSwitchCorePacketToDebuggee

(

UINT32

NewCore

)

Sends a change core or '~ x' command packet to the debuggee.

Returns

BOOLEAN

{
    DEBUGGEE_CHANGE_CORE_PACKET CoreChangePacket = {0};
 
    CoreChangePacket.NewCore = NewCore;
 
    if (CoreChangePacket.NewCore == g_CurrentRemoteCore)
    {
        //
        // We show an error message here when there is no core change (because the
        // target core and current operating core is the same)
        //
        ShowMessages("the current operating core is %x (not changed)\n",
                     CoreChangePacket.NewCore);
 
        return FALSE;
    }
 
    //
    // Send '~' as switch packet
    //
    if (!KdCommandPacketAndBufferToDebuggee(
            DEBUGGER_REMOTE_PACKET_TYPE_DEBUGGER_TO_DEBUGGEE_EXECUTE_ON_VMX_ROOT,
            DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_MODE_CHANGE_CORE,
            (CHAR *)&CoreChangePacket,
            sizeof(DEBUGGEE_CHANGE_CORE_PACKET)))
    {
        return FALSE;
    }
 
    //
    // Wait until the result of core change received
    //
    DbgWaitForKernelResponse(DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_CORE_SWITCHING_RESULT);
 
    return TRUE;
}

KdSendSwitchProcessPacketToDebuggee()

BOOLEAN KdSendSwitchProcessPacketToDebuggee	(	DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_TYPE	ActionType,
		UINT32	NewPid,
		UINT64	NewProcess,
		BOOLEAN	SetChangeByClockInterrupt,
		PDEBUGGEE_PROCESS_LIST_NEEDED_DETAILS	SymDetailsForProcessList )

Sends a change process or show process details packet to the debuggee.

Parameters

ActionType
NewPid
NewProcess
SetChangeByClockInterrupt
SymDetailsForProcessList

Returns

BOOLEAN

{
    DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_PACKET ProcessChangePacket = {0};
 
    ProcessChangePacket.ActionType        = ActionType;
    ProcessChangePacket.ProcessId         = NewPid;
    ProcessChangePacket.Process           = NewProcess;
    ProcessChangePacket.IsSwitchByClkIntr = SetChangeByClockInterrupt;
 
    //
    // Check if the command really needs these information or not
    // it's because some of the command don't need symbol offset information
    //
    if (SymDetailsForProcessList != NULL)
    {
        memcpy(&ProcessChangePacket.ProcessListSymDetails, SymDetailsForProcessList, sizeof(DEBUGGEE_PROCESS_LIST_NEEDED_DETAILS));
    }
 
    //
    // Send '.process' as switch packet
    //
    if (!KdCommandPacketAndBufferToDebuggee(
            DEBUGGER_REMOTE_PACKET_TYPE_DEBUGGER_TO_DEBUGGEE_EXECUTE_ON_VMX_ROOT,
            DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_MODE_CHANGE_PROCESS,
            (CHAR *)&ProcessChangePacket,
            sizeof(DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_PACKET)))
    {
        return FALSE;
    }
 
    //
    // Wait until the result of process change received
    //
    DbgWaitForKernelResponse(DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_PROCESS_SWITCHING_RESULT);
 
    return TRUE;
}

KdSendSwitchThreadPacketToDebuggee()

BOOLEAN KdSendSwitchThreadPacketToDebuggee	(	DEBUGGEE_DETAILS_AND_SWITCH_THREAD_TYPE	ActionType,
		UINT32	NewTid,
		UINT64	NewThread,
		BOOLEAN	CheckByClockInterrupt,
		PDEBUGGEE_THREAD_LIST_NEEDED_DETAILS	SymDetailsForThreadList )

Sends a change thread or show threads detail packet to the debuggee.

Parameters

ActionType
NewTid
NewThread
CheckByClockInterrupt
SymDetailsForThreadList

Returns

BOOLEAN

{
    DEBUGGEE_DETAILS_AND_SWITCH_THREAD_PACKET ThreadChangePacket = {0};
 
    ThreadChangePacket.ActionType            = ActionType;
    ThreadChangePacket.ThreadId              = NewTid;
    ThreadChangePacket.Thread                = NewThread;
    ThreadChangePacket.CheckByClockInterrupt = CheckByClockInterrupt;
 
    //
    // Check if the command really needs these information or not
    // it's because some of the command don't need symbol offset information
    //
    if (SymDetailsForThreadList != NULL)
    {
        memcpy(&ThreadChangePacket.ThreadListSymDetails, SymDetailsForThreadList, sizeof(DEBUGGEE_THREAD_LIST_NEEDED_DETAILS));
    }
 
    //
    // Send '.thread' as switch packet
    //
    if (!KdCommandPacketAndBufferToDebuggee(
            DEBUGGER_REMOTE_PACKET_TYPE_DEBUGGER_TO_DEBUGGEE_EXECUTE_ON_VMX_ROOT,
            DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_MODE_CHANGE_THREAD,
            (CHAR *)&ThreadChangePacket,
            sizeof(DEBUGGEE_DETAILS_AND_SWITCH_THREAD_PACKET)))
    {
        return FALSE;
    }
 
    //
    // Wait until the result of thread change received
    //
    DbgWaitForKernelResponse(DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_THREAD_SWITCHING_RESULT);
 
    return TRUE;
}

KdSendSymbolReloadPacketToDebuggee()

BOOLEAN KdSendSymbolReloadPacketToDebuggee

(

UINT32

ProcessId

)

Send symbol reload packet to the debuggee.

Returns

BOOLEAN

{
    DEBUGGEE_SYMBOL_REQUEST_PACKET SymbolRequest = {0};
 
    SymbolRequest.ProcessId = ProcessId;
 
    //
    // Send '.sym reload' as symbol reload packet
    //
    if (!KdCommandPacketAndBufferToDebuggee(
            DEBUGGER_REMOTE_PACKET_TYPE_DEBUGGER_TO_DEBUGGEE_EXECUTE_ON_VMX_ROOT,
            DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_SYMBOL_RELOAD,
            (CHAR *)&SymbolRequest,
            sizeof(DEBUGGEE_SYMBOL_REQUEST_PACKET)))
    {
        return FALSE;
    }
 
    //
    // Wait until all of the symbol packets are received
    //
    DbgWaitForKernelResponse(DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_SYMBOL_RELOAD);
 
    return TRUE;
}

KdSendTestQueryPacketToDebuggee()

BOOLEAN KdSendTestQueryPacketToDebuggee

(

DEBUGGER_TEST_QUERY_STATE

Type

)

Send a test query request to the debuggee.

Parameters

Type

Returns

BOOLEAN

{
    DEBUGGER_DEBUGGER_TEST_QUERY_BUFFER TestQueryPacket = {0};
 
    TestQueryPacket.RequestType = Type;
 
    //
    // Send 'test query' command as query packet
    //
    if (!KdCommandPacketAndBufferToDebuggee(
            DEBUGGER_REMOTE_PACKET_TYPE_DEBUGGER_TO_DEBUGGEE_EXECUTE_ON_VMX_ROOT,
            DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_MODE_TEST_QUERY,
            (CHAR *)&TestQueryPacket,
            sizeof(DEBUGGER_DEBUGGER_TEST_QUERY_BUFFER)))
    {
        return FALSE;
    }
 
    //
    // Wait until the result of test query is received
    //
    DbgWaitForKernelResponse(DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_TEST_QUERY);
 
    return TRUE;
}

KdSendTestQueryPacketWithContextToDebuggee()

BOOLEAN KdSendTestQueryPacketWithContextToDebuggee	(	DEBUGGER_TEST_QUERY_STATE	Type,
		UINT64	Context )

Send a test query request to the debuggee with the specified context.

Parameters

Type
Context

Returns

BOOLEAN

{
    DEBUGGER_DEBUGGER_TEST_QUERY_BUFFER TestQueryPacket = {0};
 
    TestQueryPacket.RequestType = Type;
    TestQueryPacket.Context     = Context;
 
    //
    // Send 'test query' command as query packet
    //
    if (!KdCommandPacketAndBufferToDebuggee(
            DEBUGGER_REMOTE_PACKET_TYPE_DEBUGGER_TO_DEBUGGEE_EXECUTE_ON_VMX_ROOT,
            DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_MODE_TEST_QUERY,
            (CHAR *)&TestQueryPacket,
            sizeof(DEBUGGER_DEBUGGER_TEST_QUERY_BUFFER)))
    {
        return FALSE;
    }
 
    //
    // Wait until the result of test query is received
    //
    DbgWaitForKernelResponse(DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_TEST_QUERY);
 
    return TRUE;
}

KdSendUserInputPacketToDebuggee()

BOOLEAN KdSendUserInputPacketToDebuggee	(	const char *	Sendbuf,
		int	Len,
		BOOLEAN	IgnoreBreakingAgain )

Sends user input packet to the debuggee.

Parameters

Sendbuf
Len
IgnoreBreakingAgain

Returns

BOOLEAN

{
    PDEBUGGEE_USER_INPUT_PACKET UserInputPacket;
    UINT32                      SizeOfStruct = 0;
 
    SizeOfStruct = sizeof(DEBUGGEE_USER_INPUT_PACKET) + Len;
 
    UserInputPacket = (DEBUGGEE_USER_INPUT_PACKET *)malloc(SizeOfStruct);
 
    RtlZeroMemory(UserInputPacket, SizeOfStruct);
 
    //
    // Fill the script packet buffer descriptors
    //
    UserInputPacket->CommandLen           = Len;
    UserInputPacket->IgnoreFinishedSignal = IgnoreBreakingAgain;
 
    //
    // Move the user input buffer at the bottom of the structure packet
    //
    memcpy((PVOID)((UINT64)UserInputPacket + sizeof(DEBUGGEE_USER_INPUT_PACKET)),
           (PVOID)Sendbuf,
           Len);
 
    //
    // Send user-input packet
    //
    if (!KdCommandPacketAndBufferToDebuggee(
            DEBUGGER_REMOTE_PACKET_TYPE_DEBUGGER_TO_DEBUGGEE_EXECUTE_ON_VMX_ROOT,
            DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_USER_INPUT_BUFFER,
            (CHAR *)UserInputPacket,
            SizeOfStruct))
    {
        free(UserInputPacket);
        return FALSE;
    }
 
    //
    // Wait until the result of user-input received
    //
    if (!IgnoreBreakingAgain)
    {
        DbgWaitForKernelResponse(DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_DEBUGGEE_FINISHED_COMMAND_EXECUTION);
    }
 
    free(UserInputPacket);
 
    return TRUE;
}

KdSendVa2paAndPa2vaPacketToDebuggee()

BOOLEAN KdSendVa2paAndPa2vaPacketToDebuggee

(

PDEBUGGER_VA2PA_AND_PA2VA_COMMANDS

Va2paAndPa2vaPacket

)

Sends VA2PA and PA2VA packest, or '!va2pa' and '!pa2va' commands packet to the debuggee.

Parameters

Va2paAndPa2vaPacket

Returns

BOOLEAN

{
    //
    // Send '!va2pa' or '!pa2va' as a query packet
    //
    if (!KdCommandPacketAndBufferToDebuggee(
            DEBUGGER_REMOTE_PACKET_TYPE_DEBUGGER_TO_DEBUGGEE_EXECUTE_ON_VMX_ROOT,
            DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_QUERY_PA2VA_AND_VA2PA,
            (CHAR *)Va2paAndPa2vaPacket,
            sizeof(DEBUGGER_VA2PA_AND_PA2VA_COMMANDS)))
    {
        return FALSE;
    }
 
    //
    // Wait until the result of VA2PA or PA2VA packet is received
    //
    DbgWaitForKernelResponse(DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_VA2PA_AND_PA2VA_RESULT);
 
    return TRUE;
}

KdSendWriteRegisterPacketToDebuggee()

BOOLEAN KdSendWriteRegisterPacketToDebuggee

(

PDEBUGGEE_REGISTER_WRITE_DESCRIPTION

RegDes

)

Send a write register packet to the debuggee.

Parameters

RegDes

Returns

BOOLEAN

{
    //
    // Set the request data
    //
    DbgWaitSetRequestData(DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_WRITE_REGISTER, RegDes, sizeof(DEBUGGEE_REGISTER_WRITE_DESCRIPTION));
 
    //
    // Send write register packet
    //
    if (!KdCommandPacketAndBufferToDebuggee(
            DEBUGGER_REMOTE_PACKET_TYPE_DEBUGGER_TO_DEBUGGEE_EXECUTE_ON_VMX_ROOT,
            DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_WRITE_REGISTER,
            (CHAR *)RegDes,
            sizeof(DEBUGGEE_REGISTER_WRITE_DESCRIPTION)))
    {
        return FALSE;
    }
 
    //
    // Wait until the result of write register received
    //
    DbgWaitForKernelResponse(DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_WRITE_REGISTER);
 
    return TRUE;
}

Variable Documentation

g_CurrentRemoteCore

ULONG g_CurrentRemoteCore

extern

Current core that the debuggee is debugging.

g_CurrentRunningInstruction

BYTE g_CurrentRunningInstruction[MAXIMUM_INSTR_SIZE]

extern

Current executing instructions.

{0};

g_DebuggeeResultOfAddingActionsToEvent

DEBUGGER_EVENT_AND_ACTION_RESULT g_DebuggeeResultOfAddingActionsToEvent

extern

Holds the result of adding action to events from the remote debuggee.

                                                                          {
    0};

g_DebuggeeResultOfRegisteringEvent

DEBUGGER_EVENT_AND_ACTION_RESULT g_DebuggeeResultOfRegisteringEvent

extern

Holds the result of registering events from the remote debuggee.

{0};

g_DebuggeeStopCommandEventHandle

HANDLE g_DebuggeeStopCommandEventHandle

extern

An event to make sure that the user won't give any command in debuggee and all the commands are coming from just the debugger.

g_EndOfBufferCheckSerial

BYTE g_EndOfBufferCheckSerial[4]

extern

the buffer that we set at the end of buffers for serial

                                                                  {
    SERIAL_END_OF_BUFFER_CHAR_1,
    SERIAL_END_OF_BUFFER_CHAR_2,
    SERIAL_END_OF_BUFFER_CHAR_3,
    SERIAL_END_OF_BUFFER_CHAR_4};

g_IgnoreNewLoggingMessages

BOOLEAN g_IgnoreNewLoggingMessages

extern

Shows if the debugger should show debuggee's messages or not.

g_IgnorePauseRequests

BOOLEAN g_IgnorePauseRequests

extern

Show whether the pause request (CTRL+C or CTRL+BREAK) should be ignored or not.

g_IsConnectedToHyperDbgLocally

BOOLEAN g_IsConnectedToHyperDbgLocally

extern

Shows whether the user is allowed to use 'load' command to load modules locally in VMI (virtual machine introspection) mode.

g_IsDebuggeeInHandshakingPhase

BOOLEAN g_IsDebuggeeInHandshakingPhase

extern

Shows if the debuggee is in the handshake phase or not.

g_IsDebuggeeRunning

BOOLEAN g_IsDebuggeeRunning

extern

Shows if the debuggee is running or not.

g_IsDebuggerConntectedToNamedPipe

BOOLEAN g_IsDebuggerConntectedToNamedPipe

extern

Shows if the debugger is connected to the guest using named pipe.

g_IsDebuggerModulesLoaded

BOOLEAN g_IsDebuggerModulesLoaded

extern

this variable is used to indicate that modules are loaded so we make sure to later use a trace of loading in 'unload' command (used in Debugger VMM)

g_IsRunningInstruction32Bit

BOOLEAN g_IsRunningInstruction32Bit

extern

whether the Current executing instructions is 32-bit or 64 bit

g_IsSerialConnectedToRemoteDebuggee

BOOLEAN g_IsSerialConnectedToRemoteDebuggee

extern

Shows if the debugger was connected to remote debuggee over (A remote guest)

g_IsSerialConnectedToRemoteDebugger

BOOLEAN g_IsSerialConnectedToRemoteDebugger

extern

Shows if the debugger was connected to remote debugger (A remote host)

g_KernelSyncronizationObjectsHandleTable

DEBUGGER_SYNCRONIZATION_EVENTS_STATE g_KernelSyncronizationObjectsHandleTable[DEBUGGER_MAXIMUM_SYNCRONIZATION_KERNEL_DEBUGGER_OBJECTS]

extern

In debugger (not debuggee), we save the handle of the user-mode listening thread for pauses here for kernel debugger.

{0};

g_OverlappedIoStructureForReadDebuggee

OVERLAPPED g_OverlappedIoStructureForReadDebuggee

extern

{0};

g_OverlappedIoStructureForReadDebugger

OVERLAPPED g_OverlappedIoStructureForReadDebugger

extern

This is an OVERLAPPED structure for managing simultaneous read and writes for debugger (in current design debuggee is not needed to write simultaneously but it's needed for write)

{0};

g_OverlappedIoStructureForWriteDebugger

OVERLAPPED g_OverlappedIoStructureForWriteDebugger

extern

{0};

g_SerialConnectionAlreadyClosed

BOOLEAN g_SerialConnectionAlreadyClosed

extern

In both debuggee and debugger we save the state of the closed connection to avoid double close.

g_SerialListeningThreadHandle

HANDLE g_SerialListeningThreadHandle

extern

In debuggee and debugger, we save the handle of the user-mode listening thread for pauses here.

g_SerialRemoteComPortHandle

HANDLE g_SerialRemoteComPortHandle

extern

In debugger (not debuggee), we save the handle of the user-mode listening thread for remote system here.

g_SharedEventStatus

BOOLEAN g_SharedEventStatus

extern

Shows whether the queried event is enabled or disabled.

g_ShouldPreviousCommandBeContinued

BOOLEAN g_ShouldPreviousCommandBeContinued

extern

Shows whether the previous command should be continued or not.

g_SymbolTable

PMODULE_SYMBOL_DETAIL g_SymbolTable

extern

The buffer that stores the details of symbol table.

g_SymbolTableCurrentIndex

UINT32 g_SymbolTableCurrentIndex

extern

The index to hold the track of added symbols.

g_SymbolTableSize

UINT32 g_SymbolTableSize

extern

The buffer that stores size of the details of symbol table.