HyperDbg Debugger
Loading...
Searching...
No Matches
debugger.h File Reference

General debugger functions. More...

Go to the source code of this file.

Classes

struct  _DEBUGGER_SYNCRONIZATION_EVENTS_STATE
 In debugger holds the state of events. More...

Macros

#define DEBUGGER_MAXIMUM_SYNCRONIZATION_KERNEL_DEBUGGER_OBJECTS   0x40
 maximum number of event handles in kernel-debugger
#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_IS_DEBUGGER_RUNNING   0x0
 An event to show whether the debugger is running or not in kernel-debugger.
#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_STARTED_PACKET_RECEIVED   0x1
#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_PAUSED_DEBUGGEE_DETAILS   0x2
#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_CORE_SWITCHING_RESULT   0x3
#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_PROCESS_SWITCHING_RESULT   0x4
#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_THREAD_SWITCHING_RESULT   0x5
#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_SCRIPT_RUNNING_RESULT   0x6
#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_SCRIPT_FORMATS_RESULT   0x7
#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_DEBUGGEE_FINISHED_COMMAND_EXECUTION   0x8
#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_FLUSH_RESULT   0x9
#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_REGISTER_EVENT   0xa
#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_ADD_ACTION_TO_EVENT   0xb
#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_MODIFY_AND_QUERY_EVENT   0xc
#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_READ_REGISTERS   0xd
#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_BP   0xe
#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_LIST_OR_MODIFY_BREAKPOINTS   0xf
#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_READ_MEMORY   0x10
#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_EDIT_MEMORY   0x11
#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_SYMBOL_RELOAD   0x12
#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_TEST_QUERY   0x13
#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_CALLSTACK_RESULT   0x14
#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_SEARCH_QUERY_RESULT   0x15
#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_VA2PA_AND_PA2VA_RESULT   0x16
#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_PTE_RESULT   0x17
#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_SHORT_CIRCUITING_EVENT_STATE   0x18
#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_PAGE_IN_STATE   0x19
#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_WRITE_REGISTER   0x1a
#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_PCITREE_RESULT   0x1b
#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_APIC_ACTIONS   0x1c
#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_PCIDEVINFO_RESULT   0x1d
#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_IDT_ENTRIES   0x1e
#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_SMI_OPERATION_RESULT   0x1f
#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_HYPERTRACE_LBR_DUMP_RESULT   0x20
#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_HYPERTRACE_PT_OPERATION_RESULT   0x21
#define DEBUGGER_MAXIMUM_SYNCRONIZATION_USER_DEBUGGER_OBJECTS   0x40
 Maximum number of event handles in user-debugger.
#define DEBUGGER_SYNCRONIZATION_OBJECT_USER_DEBUGGER_IS_DEBUGGER_RUNNING   0x0
 An event to show whether the debugger is running or not in user-debugger.

Typedefs

typedef enum _DEBUGGER_EVENT_PARSING_ERROR_CAUSE DEBUGGER_EVENT_PARSING_ERROR_CAUSE
 Reason for error in parsing commands.
typedef enum _DEBUGGER_EVENT_PARSING_ERROR_CAUSEPDEBUGGER_EVENT_PARSING_ERROR_CAUSE
typedef struct _DEBUGGER_SYNCRONIZATION_EVENTS_STATE DEBUGGER_SYNCRONIZATION_EVENTS_STATE
 In debugger holds the state of events.
typedef struct _DEBUGGER_SYNCRONIZATION_EVENTS_STATEPDEBUGGER_SYNCRONIZATION_EVENTS_STATE

Enumerations

enum  _DEBUGGER_EVENT_PARSING_ERROR_CAUSE {
  DEBUGGER_EVENT_PARSING_ERROR_CAUSE_SUCCESSFUL_NO_ERROR = 0 , DEBUGGER_EVENT_PARSING_ERROR_CAUSE_SCRIPT_SYNTAX_ERROR = 1 , DEBUGGER_EVENT_PARSING_ERROR_CAUSE_NO_INPUT = 2 , DEBUGGER_EVENT_PARSING_ERROR_CAUSE_MAXIMUM_INPUT_REACHED = 3 ,
  DEBUGGER_EVENT_PARSING_ERROR_CAUSE_OUTPUT_NAME_NOT_FOUND = 4 , DEBUGGER_EVENT_PARSING_ERROR_CAUSE_OUTPUT_SOURCE_ALREADY_CLOSED = 5 , DEBUGGER_EVENT_PARSING_ERROR_CAUSE_ALLOCATION_ERROR = 6 , DEBUGGER_EVENT_PARSING_ERROR_CAUSE_FORMAT_ERROR = 7 ,
  DEBUGGER_EVENT_PARSING_ERROR_CAUSE_ATTEMPT_TO_BREAK_ON_VMI_MODE = 8 , DEBUGGER_EVENT_PARSING_ERROR_CAUSE_IMMEDIATE_MESSAGING_IN_EVENT_FORWARDING_MODE = 9 , DEBUGGER_EVENT_PARSING_ERROR_CAUSE_USING_SHORT_CIRCUITING_IN_POST_EVENTS = 10
}
 Reason for error in parsing commands. More...

Functions

BOOLEAN ShowErrorMessage (UINT32 Error)
 shows the error message
BOOLEAN IsConnectedToAnyInstanceOfDebuggerOrDebuggee ()
 Shows whether the debugger is connected to a debugger or debuggee connected to a debugger.
BOOLEAN IsTagExist (UINT64 Tag)
 Check whether the tag exists or not, if the tag is DEBUGGER_MODIFY_EVENTS_APPLY_TO_ALL_TAG then if we find just one event, it also means that the tag is found.
UINT64 DebuggerGetNtoskrnlBase ()
 Get ntoskrnl.exe base in the kernel.
UINT64 DebuggerGetKernelBase ()
 Get the base address of the kernel module.
BOOLEAN DebuggerPauseDebuggee ()
 pauses the debuggee
VOID FreeEventsAndActionsMemory (PDEBUGGER_GENERAL_EVENT_DETAIL Event, PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger, PDEBUGGER_GENERAL_ACTION ActionCustomCode, PDEBUGGER_GENERAL_ACTION ActionScript)
 Deallocate buffers relating to events and actions.
BOOLEAN SendEventToKernel (PDEBUGGER_GENERAL_EVENT_DETAIL Event, UINT32 EventBufferLength)
 Register the event to the kernel.
BOOLEAN RegisterActionToEvent (PDEBUGGER_GENERAL_EVENT_DETAIL Event, PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger, UINT32 ActionBreakToDebuggerLength, PDEBUGGER_GENERAL_ACTION ActionCustomCode, UINT32 ActionCustomCodeLength, PDEBUGGER_GENERAL_ACTION ActionScript, UINT32 ActionScriptLength)
 Register the action to the event.
BOOLEAN InterpretGeneralEventAndActionsFields (vector< CommandToken > *CommandTokens, VMM_EVENT_TYPE_ENUM EventType, PDEBUGGER_GENERAL_EVENT_DETAIL *EventDetailsToFill, PUINT32 EventBufferLength, PDEBUGGER_GENERAL_ACTION *ActionDetailsToFillBreakToDebugger, PUINT32 ActionBufferLengthBreakToDebugger, PDEBUGGER_GENERAL_ACTION *ActionDetailsToFillCustomCode, PUINT32 ActionBufferLengthCustomCode, PDEBUGGER_GENERAL_ACTION *ActionDetailsToFillScript, PUINT32 ActionBufferLengthScript, PDEBUGGER_EVENT_PARSING_ERROR_CAUSE ReasonForErrorInParsing)
 Interpret general event fields.
BOOLEAN CallstackReturnAddressToCallingAddress (UCHAR *ReturnAddress, PUINT32 IndexOfCallFromReturnAddress)
 Walkthrough the stack.
VOID CallstackShowFrames (PDEBUGGER_SINGLE_CALLSTACK_FRAME CallstackFrames, UINT32 FrameCount, DEBUGGER_CALLSTACK_DISPLAY_METHOD DisplayMethod, BOOLEAN Is32Bit)
 Show stack frames.
UINT64 GetNewDebuggerEventTag ()
 Get the New Debugger Event Tag object and increase the global variable for tag.
DWORD WINAPI ListeningSerialPauseDebuggeeThread (PVOID Param)
 Check if the remote debugger needs to pause the system.
DWORD WINAPI ListeningSerialPauseDebuggerThread (PVOID Param)
 Check if the remote debuggee needs to pause the system.
VOID LogopenSaveToFile (const CHAR *Text)
 Append text to the file object.
BOOL BreakController (DWORD CtrlType)
 handle CTRL+C and CTRL+Break events
VOID CommandEventsShowEvents ()
 print every active and disabled events
BOOLEAN CommandEventsModifyAndQueryEvents (UINT64 Tag, DEBUGGER_MODIFY_EVENTS_TYPE TypeOfAction)
 modify a special event (enable/disable/clear) and send the request directly to the kernel
VOID CommandEventsHandleModifiedEvent (UINT64 Tag, PDEBUGGER_MODIFY_EVENTS ModifyEventRequest)
 Handle events after modification.
VOID CommandEventsClearAllEventsAndResetTags ()
 Clears all the events and resets the tag.
VOID CommandFlushRequestFlush ()
 flush command handler
UINT64 GetCommandAttributes (const string &FirstCommand)
 Get Command Attributes.
VOID DetachFromProcess ()
 perform detach from process
VOID CommandPauseRequest ()
 request to pause
VOID CommandGRequest ()
 Request to unpause.
BOOLEAN CommandBpRequest (UINT64 Address, UINT32 Pid, UINT32 Tid, UINT32 CoreNumer)
 request breakpoint
VOID CommandTrackHandleReceivedInstructions (UCHAR *BufferToDisassemble, UINT32 BuffLength, BOOLEAN Isx86_64, UINT64 RipAddress)
 Handle received 'call' or 'ret'.
VOID CommandTrackHandleReceivedCallInstructions (const CHAR *NameOfFunctionFromSymbols, UINT64 ComputedAbsoluteAddress)
 Handle received 'call'.
VOID CommandTrackHandleReceivedRetInstructions (UINT64 CurrentRip)
 Handle received 'ret'.
BOOLEAN HyperDbgWriteMemory (PVOID DestinationAddress, DEBUGGER_EDIT_MEMORY_TYPE MemoryType, UINT32 ProcessId, PVOID SourceAddress, UINT32 NumberOfBytes)
 API function for writing the memory content.
BOOLEAN CommandApicSendRequest (DEBUGGER_APIC_REQUEST_TYPE ApicType, PVOID ApicBuffer, UINT32 ExpectedRequestSize, PBOOLEAN IsUsingX2APIC)
 Send APIC requests.
BOOLEAN HyperDbgReadAllRegisters (GUEST_REGS *GuestRegisters, GUEST_EXTRA_REGISTERS *ExtraRegisters)
 Read all registers.
BOOLEAN HyperDbgReadTargetRegister (REGS_ENUM RegisterId, UINT64 *TargetRegister)
 Read target register.
BOOLEAN HyperDbgWriteTargetRegister (REGS_ENUM RegisterId, UINT64 Value)
 Write target register.
BOOLEAN HyperDbgRegisterShowAll ()
 handler of r show all registers
BOOLEAN HyperDbgRegisterShowTargetRegister (REGS_ENUM RegisterId)
 handler of r show the target register
BOOLEAN HyperDbgDebugRemoteDeviceUsingComPort (const CHAR *PortName, DWORD Baudrate, BOOLEAN PauseAfterConnection)
 Connect to a remote serial device (Debugger).
BOOLEAN HyperDbgDebugRemoteDeviceUsingNamedPipe (const CHAR *NamedPipe, BOOLEAN PauseAfterConnection)
 Connect to a remote named pipe (Debugger).
BOOLEAN HyperDbgDebugCurrentDeviceUsingComPort (const CHAR *PortName, DWORD Baudrate)
 Connect to a remote serial device (Debuggee).
BOOLEAN HyperDbgDebugCloseRemoteDebugger ()
 Connect to a remote serial device (Debuggee).
BOOLEAN HyperDbgGetLocalApic (PLAPIC_PAGE LocalApic, PBOOLEAN IsUsingX2APIC)
 Request to get Local APIC.
BOOLEAN HyperDbgGetIoApic (IO_APIC_ENTRY_PACKETS *IoApic)
 Request to get I/O APIC.
BOOLEAN HyperDbgGetIdtEntry (INTERRUPT_DESCRIPTOR_TABLE_ENTRIES_PACKETS *IdtPacket)
 Send IDT entry requests.
BOOLEAN HyperDbgPerformSmiOperation (SMI_OPERATION_PACKETS *SmiOperation)
 Request to perform an SMI operation.
BOOLEAN HyperDbgEnableTransparentMode (UINT32 ProcessId, CHAR *ProcessName, BOOLEAN IsProcessId)
 Enable transparent mode.
BOOLEAN HyperDbgEnableTransparentModeEx (UINT32 ProcessId, CHAR *ProcessName, BOOLEAN IsProcessId, UINT32 EvadeMask)
 Enable transparent mode.
BOOLEAN HyperDbgDisableTransparentMode ()
 Disable transparent mode.
BOOLEAN HyperDbgLbrdumpSendRequest (HYPERTRACE_LBR_DUMP_PACKETS *LbrdumpRequest)
 Send LBR dump requests.
BOOLEAN HyperDbgPerformPtOperation (HYPERTRACE_PT_OPERATION_PACKETS *PtRequest)
 Request to perform an PT operation.
BOOLEAN HyperDbgPtMmapSendRequest (HYPERTRACE_PT_MMAP_PACKETS *MmapRequest)
 Map the per-CPU PT output buffers into the current process.

Detailed Description

General debugger functions.

Author
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
jtaw5649
Version
0.1
Date
2020-05-27

Macro Definition Documentation

◆ DEBUGGER_MAXIMUM_SYNCRONIZATION_KERNEL_DEBUGGER_OBJECTS

#define DEBUGGER_MAXIMUM_SYNCRONIZATION_KERNEL_DEBUGGER_OBJECTS   0x40

maximum number of event handles in kernel-debugger

◆ DEBUGGER_MAXIMUM_SYNCRONIZATION_USER_DEBUGGER_OBJECTS

#define DEBUGGER_MAXIMUM_SYNCRONIZATION_USER_DEBUGGER_OBJECTS   0x40

Maximum number of event handles in user-debugger.

◆ DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_ADD_ACTION_TO_EVENT

#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_ADD_ACTION_TO_EVENT   0xb

◆ DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_APIC_ACTIONS

#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_APIC_ACTIONS   0x1c

◆ DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_BP

#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_BP   0xe

◆ DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_CALLSTACK_RESULT

#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_CALLSTACK_RESULT   0x14

◆ DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_CORE_SWITCHING_RESULT

#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_CORE_SWITCHING_RESULT   0x3

◆ DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_DEBUGGEE_FINISHED_COMMAND_EXECUTION

#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_DEBUGGEE_FINISHED_COMMAND_EXECUTION   0x8

◆ DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_EDIT_MEMORY

#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_EDIT_MEMORY   0x11

◆ DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_FLUSH_RESULT

#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_FLUSH_RESULT   0x9

◆ DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_HYPERTRACE_LBR_DUMP_RESULT

#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_HYPERTRACE_LBR_DUMP_RESULT   0x20

◆ DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_HYPERTRACE_PT_OPERATION_RESULT

#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_HYPERTRACE_PT_OPERATION_RESULT   0x21

◆ DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_IDT_ENTRIES

#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_IDT_ENTRIES   0x1e

◆ DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_IS_DEBUGGER_RUNNING

#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_IS_DEBUGGER_RUNNING   0x0

An event to show whether the debugger is running or not in kernel-debugger.

◆ DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_LIST_OR_MODIFY_BREAKPOINTS

#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_LIST_OR_MODIFY_BREAKPOINTS   0xf

◆ DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_MODIFY_AND_QUERY_EVENT

#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_MODIFY_AND_QUERY_EVENT   0xc

◆ DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_PAGE_IN_STATE

#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_PAGE_IN_STATE   0x19

◆ DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_PAUSED_DEBUGGEE_DETAILS

#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_PAUSED_DEBUGGEE_DETAILS   0x2

◆ DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_PCIDEVINFO_RESULT

#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_PCIDEVINFO_RESULT   0x1d

◆ DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_PCITREE_RESULT

#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_PCITREE_RESULT   0x1b

◆ DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_PROCESS_SWITCHING_RESULT

#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_PROCESS_SWITCHING_RESULT   0x4

◆ DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_PTE_RESULT

#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_PTE_RESULT   0x17

◆ DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_READ_MEMORY

#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_READ_MEMORY   0x10

◆ DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_READ_REGISTERS

#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_READ_REGISTERS   0xd

◆ DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_REGISTER_EVENT

#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_REGISTER_EVENT   0xa

◆ DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_SCRIPT_FORMATS_RESULT

#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_SCRIPT_FORMATS_RESULT   0x7

◆ DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_SCRIPT_RUNNING_RESULT

#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_SCRIPT_RUNNING_RESULT   0x6

◆ DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_SEARCH_QUERY_RESULT

#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_SEARCH_QUERY_RESULT   0x15

◆ DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_SHORT_CIRCUITING_EVENT_STATE

#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_SHORT_CIRCUITING_EVENT_STATE   0x18

◆ DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_SMI_OPERATION_RESULT

#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_SMI_OPERATION_RESULT   0x1f

◆ DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_STARTED_PACKET_RECEIVED

#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_STARTED_PACKET_RECEIVED   0x1

◆ DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_SYMBOL_RELOAD

#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_SYMBOL_RELOAD   0x12

◆ DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_TEST_QUERY

#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_TEST_QUERY   0x13

◆ DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_THREAD_SWITCHING_RESULT

#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_THREAD_SWITCHING_RESULT   0x5

◆ DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_VA2PA_AND_PA2VA_RESULT

#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_VA2PA_AND_PA2VA_RESULT   0x16

◆ DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_WRITE_REGISTER

#define DEBUGGER_SYNCRONIZATION_OBJECT_KERNEL_DEBUGGER_WRITE_REGISTER   0x1a

◆ DEBUGGER_SYNCRONIZATION_OBJECT_USER_DEBUGGER_IS_DEBUGGER_RUNNING

#define DEBUGGER_SYNCRONIZATION_OBJECT_USER_DEBUGGER_IS_DEBUGGER_RUNNING   0x0

An event to show whether the debugger is running or not in user-debugger.

Typedef Documentation

◆ DEBUGGER_EVENT_PARSING_ERROR_CAUSE

Reason for error in parsing commands.

◆ DEBUGGER_SYNCRONIZATION_EVENTS_STATE

In debugger holds the state of events.

◆ PDEBUGGER_EVENT_PARSING_ERROR_CAUSE

◆ PDEBUGGER_SYNCRONIZATION_EVENTS_STATE

Enumeration Type Documentation

◆ _DEBUGGER_EVENT_PARSING_ERROR_CAUSE

Reason for error in parsing commands.

Enumerator
DEBUGGER_EVENT_PARSING_ERROR_CAUSE_SUCCESSFUL_NO_ERROR 
DEBUGGER_EVENT_PARSING_ERROR_CAUSE_SCRIPT_SYNTAX_ERROR 
DEBUGGER_EVENT_PARSING_ERROR_CAUSE_NO_INPUT 
DEBUGGER_EVENT_PARSING_ERROR_CAUSE_MAXIMUM_INPUT_REACHED 
DEBUGGER_EVENT_PARSING_ERROR_CAUSE_OUTPUT_NAME_NOT_FOUND 
DEBUGGER_EVENT_PARSING_ERROR_CAUSE_OUTPUT_SOURCE_ALREADY_CLOSED 
DEBUGGER_EVENT_PARSING_ERROR_CAUSE_ALLOCATION_ERROR 
DEBUGGER_EVENT_PARSING_ERROR_CAUSE_FORMAT_ERROR 
DEBUGGER_EVENT_PARSING_ERROR_CAUSE_ATTEMPT_TO_BREAK_ON_VMI_MODE 
DEBUGGER_EVENT_PARSING_ERROR_CAUSE_IMMEDIATE_MESSAGING_IN_EVENT_FORWARDING_MODE 
DEBUGGER_EVENT_PARSING_ERROR_CAUSE_USING_SHORT_CIRCUITING_IN_POST_EVENTS 
77{
89
@ DEBUGGER_EVENT_PARSING_ERROR_CAUSE_OUTPUT_NAME_NOT_FOUND
Definition debugger.h:82
@ DEBUGGER_EVENT_PARSING_ERROR_CAUSE_SUCCESSFUL_NO_ERROR
Definition debugger.h:78
@ DEBUGGER_EVENT_PARSING_ERROR_CAUSE_MAXIMUM_INPUT_REACHED
Definition debugger.h:81
@ DEBUGGER_EVENT_PARSING_ERROR_CAUSE_USING_SHORT_CIRCUITING_IN_POST_EVENTS
Definition debugger.h:88
@ DEBUGGER_EVENT_PARSING_ERROR_CAUSE_NO_INPUT
Definition debugger.h:80
@ DEBUGGER_EVENT_PARSING_ERROR_CAUSE_OUTPUT_SOURCE_ALREADY_CLOSED
Definition debugger.h:83
@ DEBUGGER_EVENT_PARSING_ERROR_CAUSE_SCRIPT_SYNTAX_ERROR
Definition debugger.h:79
@ DEBUGGER_EVENT_PARSING_ERROR_CAUSE_IMMEDIATE_MESSAGING_IN_EVENT_FORWARDING_MODE
Definition debugger.h:87
@ DEBUGGER_EVENT_PARSING_ERROR_CAUSE_ALLOCATION_ERROR
Definition debugger.h:84
@ DEBUGGER_EVENT_PARSING_ERROR_CAUSE_ATTEMPT_TO_BREAK_ON_VMI_MODE
Definition debugger.h:86
@ DEBUGGER_EVENT_PARSING_ERROR_CAUSE_FORMAT_ERROR
Definition debugger.h:85
enum _DEBUGGER_EVENT_PARSING_ERROR_CAUSE DEBUGGER_EVENT_PARSING_ERROR_CAUSE
Reason for error in parsing commands.

Function Documentation

◆ BreakController()

BOOL BreakController ( DWORD CtrlType)

handle CTRL+C and CTRL+Break events

Parameters
CtrlType
Returns
BOOL
35{
36 switch (CtrlType)
37 {
38 //
39 // Handle the CTRL + C & CTRL + Break signal
40 //
41 case CTRL_BREAK_EVENT:
42 case CTRL_C_EVENT:
43
44 //
45 // check if we should ignore the break requests or not
46 //
48 {
49 return TRUE;
50 }
51
52 //
53 // Check for aborting symbol loading routines
54 //
56 {
57 //
58 // Avoid to calling it again
59 //
61
62 //
63 // Abort the execution
64 //
66 }
67
68 //
69 // Check if the debuggee is running because of pausing or not
70 //
72 {
74 {
76 }
77 else
78 {
80 }
81 }
83 {
84 //
85 // vmm module is not loaded here
86 //
87 }
88 else
89 {
91 {
93 }
94 else
95 {
96 //
97 // Sleep because the other thread that shows must be stopped
98 //
100
101 //
102 // Check if its a remote debuggee then we should send the 'pause' command
103 //
105 {
106 RemoteConnectionSendCommand("pause", (UINT32)strlen("pause") + 1);
107 }
108
109 Sleep(300);
110
111 //
112 // It is because we didn't query the target debuggee auto-unpause variable
113 //
115 {
116 if (g_AutoUnpause)
117 {
118 ShowMessages(
119 "\npausing...%s\nauto-unpause mode is enabled, "
120 "debugger will automatically continue when you run a new "
121 "event command, if you want to change this behaviour then "
122 "run run 'settings autounpause off'\n\n",
124 }
125 else
126 {
127 ShowMessages(
128 "\npausing...%s\nauto-unpause mode is disabled, you "
129 "should run 'g' when you want to continue, otherwise run "
130 "'settings autounpause on'\n\n",
132 }
133
134 //
135 // Show the signature of HyperDbg
136 //
138
139 //
140 // Not pause the process if CTRL+C is pressed (Commented)
141 //
142 // if (g_ActiveProcessDebuggingState.IsActive)
143 // {
144 // UdPauseProcess(g_ActiveProcessDebuggingState.ProcessDebuggingToken);
145 // }
146 }
147 }
148 }
149
150 return TRUE;
151
152 //
153 // CTRL+CLOSE: confirm that the user wants to exit.
154 //
155 case CTRL_CLOSE_EVENT:
156 return TRUE;
157
158 case CTRL_LOGOFF_EVENT:
159 return FALSE;
160
161 case CTRL_SHUTDOWN_EVENT:
162 return FALSE;
163
164 default:
165
166 //
167 // Return TRUE if handled this message, further handler functions won't be
168 // called.
169 // Return FALSE to pass this message to further handlers until default
170 // handler calls ExitProcess().
171 //
172 return FALSE;
173 }
174}
BOOLEAN g_IsSerialConnectedToRemoteDebuggee
Shows if the debugger was connected to remote debuggee over (A remote guest).
Definition globals.h:253
ACTIVE_DEBUGGING_PROCESS g_ActiveProcessDebuggingState
State of active debugging thread.
Definition globals.h:372
BOOLEAN g_IsExecutingSymbolLoadingRoutines
Executing symbol reloading or downloading routines.
Definition globals.h:516
BOOLEAN g_IgnorePauseRequests
Show whether the pause request (CTRL+C or CTRL+BREAK) should be ignored or not.
Definition globals.h:180
#define TRUE
Definition BasicTypes.h:114
#define FALSE
Definition BasicTypes.h:113
unsigned int UINT32
Definition BasicTypes.h:54
BOOLEAN g_IsConnectedToRemoteDebuggee
Shows whether the current debugger is the host and connected to a remote debuggee (guest).
Definition globals.h:96
BOOLEAN g_IsInstrumentingInstructions
Shows whether the user is running 't', 'p', or 'i' command.
Definition globals.h:571
VOID HyperDbgShowSignature()
Show signature of HyperDbg.
Definition interpreter.cpp:1086
VOID KdBreakControlCheckAndPauseDebugger(BOOLEAN SignalRunningFlag)
check if the debuggee needs to be paused
Definition kd.cpp:2040
#define PAUSE_MESSAGE_IN_USER_DEBUGGER
Definition common.h:25
BOOLEAN g_IsKdModuleLoaded
shows whether the kernel debugger (KD) module is loaded or not
Definition globals.h:22
BOOLEAN g_BreakPrintingOutput
Shows whether the pause command or CTRL+C or CTRL+Break is executed or not.
Definition globals.h:509
INT RemoteConnectionSendCommand(const CHAR *sendbuf, INT len)
send the command as a client (debugger, host) to the server (debuggee, guest)
Definition remote-connection.cpp:445
VOID ScriptEngineSymbolAbortLoadingWrapper()
SymbolAbortLoading wrapper.
Definition script-engine-wrapper.cpp:229
BOOLEAN g_AutoUnpause
Whether auto-unpause mode is enabled or not enabled.
Definition globals.h:587

◆ CallstackReturnAddressToCallingAddress()

BOOLEAN CallstackReturnAddressToCallingAddress ( UCHAR * ReturnAddress,
PUINT32 IndexOfCallFromReturnAddress )

Walkthrough the stack.

This code is borrowed from here : https://github.com/electronicarts/EAThread/blob/master/source/x86/eathread_callstack_x86.cpp

Parameters
ReturnAddress
IndexOfCallFromReturnAddress
Returns
BOOLEAN
31{
32 //
33 // While negative array indices can be considered non-idiomatic it
34 // was felt that they are semantically appropriate as this code bases
35 // its comparisons from the return address and that it would be cleaner
36 // than using *(ReturnAddress - index).
37 //
38
39 //
40 // Three op-codes are used for the call instruction, 9A, E8, and FF.
41 // For a reference on the IA32 instruction format, see:
42 // http://www.cs.princeton.edu/courses/archive/spr06/cos217/reading/ia32vol2.pdf
43 //
44
45 //
46 // 9A cp - CALL ptr16:32 (7-byte)
47 //
48 if (ReturnAddress[-7] == 0x9A)
49 {
50 *IndexOfCallFromReturnAddress = 7;
51 return TRUE;
52 }
53 // E8 cd - CALL rel32 (5-byte)
54 else if (ReturnAddress[-5] == 0xE8)
55 {
56 *IndexOfCallFromReturnAddress = 5;
57 return TRUE;
58 }
59 else
60 {
61 //
62 // The third opcode to specify "call" instructions is FF.
63 // Unfortunately this instruction also needs the succeeding ModR/M
64 // byte to fully determine instruction length. The SIB value is
65 // another byte used for extending the range of addressing modes
66 // supported by the ModR/M byte. The values of this ModR/M byte
67 // used in conjunction with the call instruction are as follows:
68 //
69 // 7-byte call:
70 // FF [ModR/M] [SIB] [4-byte displacement]
71 // * ModR/M is either 0x94 or 0x9C
72 //
73 // 6-byte call:
74 // FF [ModR/M] [4-byte displacement]
75 // * ModR/M can be:
76 // * 0x90 - 0x9F EXCLUDING 0x94 or 0x9C
77 // * 0x15 or 0x1D
78 //
79 // 4-byte call:
80 // FF [ModR/M] [SIB] [1-byte displacement]
81 // * ModR/M is either 0x54 or 0x5C
82 //
83 // 3-byte call:
84 // FF [ModR/M] [1-byte displacement]
85 // * ModR/M can be:
86 // * 0x50 - 0x5F EXCLUDING 0x54 or 0x5C
87 // FF [ModR/M] [SIB]
88 // * ModR/M is either 0x14 or 0x1C
89 //
90 // 2-byte call:
91 // FF [ModR/M]
92 // * ModR/M can be:
93 // * 0xD0 - 0xDF
94 // * 0x10 - 0x1F EXCEPT 0x14, 0x15, 0x1C, or 0x1D
95 //
96
97 //
98 // The mask of F8 is used because we want to mask out the bottom
99 // three bits (which are most often used for register selection)
100 //
101 const UCHAR RmMask = 0xF8;
102
103 //
104 // 7-byte format:
105 //
106 if (ReturnAddress[-7] == 0xFF &&
107 (ReturnAddress[-6] == 0x94 || ReturnAddress[-6] == 0x9C))
108 {
109 *IndexOfCallFromReturnAddress = 7;
110 return TRUE;
111 }
112
113 //
114 // 6-byte format:
115 // FF [ModR/M] [4-byte displacement]
116 //
117 else if (ReturnAddress[-6] == 0xFF &&
118 ((ReturnAddress[-5] & RmMask) == 0x90 || (ReturnAddress[-5] & RmMask) == 0x98) &&
119 (ReturnAddress[-5] != 0x94 && ReturnAddress[-5] != 0x9C))
120 {
121 *IndexOfCallFromReturnAddress = 6;
122 return TRUE;
123 }
124
125 //
126 // Alternate 6-byte format:
127 //
128 else if (ReturnAddress[-6] == 0xFF &&
129 (ReturnAddress[-5] == 0x15 || ReturnAddress[-5] == 0x1D))
130 {
131 *IndexOfCallFromReturnAddress = 6;
132 return TRUE;
133 }
134
135 //
136 // 4-byte format:
137 // FF [ModR/M] [SIB] [1-byte displacement]
138 //
139 else if (ReturnAddress[-4] == 0xFF &&
140 (ReturnAddress[-3] == 0x54 || ReturnAddress[-3] == 0x5C))
141 {
142 *IndexOfCallFromReturnAddress = 4;
143 return TRUE;
144 }
145
146 //
147 // 3-byte format:
148 // FF [ModR/M] [1-byte displacement]
149 //
150 else if (ReturnAddress[-3] == 0xFF &&
151 ((ReturnAddress[-2] & RmMask) == 0x50 || (ReturnAddress[-2] & RmMask) == 0x58) &&
152 (ReturnAddress[-2] != 0x54 && ReturnAddress[-2] != 0x5C))
153 {
154 *IndexOfCallFromReturnAddress = 3;
155 return TRUE;
156 }
157
158 //
159 // Alternate 3-byte format:
160 // FF [ModR/M] [SIB]
161 //
162 else if (ReturnAddress[-3] == 0xFF &&
163 (ReturnAddress[-2] == 0x14 || ReturnAddress[-2] == 0x1C))
164 {
165 *IndexOfCallFromReturnAddress = 3;
166 return TRUE;
167 }
168
169 //
170 // 2-byte calling format:
171 // FF [ModR/M]
172 //
173 else if (ReturnAddress[-2] == 0xFF &&
174 ((ReturnAddress[-1] & RmMask) == 0xD0 || (ReturnAddress[-1] & RmMask) == 0xD8))
175 {
176 *IndexOfCallFromReturnAddress = 2;
177 return TRUE;
178 }
179
180 //
181 // Alternate 2-byte calling format:
182 // FF [ModR/M]
183 //
184 else if (ReturnAddress[-2] == 0xFF &&
185 ((ReturnAddress[-1] & RmMask) == 0x10 || (ReturnAddress[-1] & RmMask) == 0x18) &&
186 (ReturnAddress[-1] != 0x14 && ReturnAddress[-1] != 0x15 &&
187 ReturnAddress[-1] != 0x1C && ReturnAddress[-1] != 0x1D))
188 {
189 *IndexOfCallFromReturnAddress = 2;
190 return TRUE;
191 }
192 else
193 {
194 return FALSE;
195 }
196 }
197
198 return FALSE;
199}
unsigned char UCHAR
Definition BasicTypes.h:34

◆ CallstackShowFrames()

VOID CallstackShowFrames ( PDEBUGGER_SINGLE_CALLSTACK_FRAME CallstackFrames,
UINT32 FrameCount,
DEBUGGER_CALLSTACK_DISPLAY_METHOD DisplayMethod,
BOOLEAN Is32Bit )

Show stack frames.

Parameters
CallstackFrames
FrameCount
DisplayMethod
Is32Bit
Returns
VOID
216{
217 UINT32 CallLength;
218 UINT64 TargetAddress;
219 UINT64 UsedBaseAddress;
220 BOOLEAN IsCall = FALSE;
221 std::map<UINT64, LOCAL_FUNCTION_DESCRIPTION>::iterator Iterate;
222
223 //
224 // Print callstack frames
225 //
226 for (SIZE_T i = 0; i < FrameCount; i++)
227 {
228 IsCall = FALSE;
229
230 if (CallstackFrames[i].IsValidAddress)
231 {
232 //
233 // Check if it's call or just a simple code address
234 //
235 if (CallstackFrames[i].IsExecutable && CallstackReturnAddressToCallingAddress(
236 (UCHAR *)&CallstackFrames[i].InstructionBytesOnRip[MAXIMUM_CALL_INSTR_SIZE],
237 &CallLength))
238 {
239 //
240 // Computer the "call" instruction address
241 //
242 TargetAddress = CallstackFrames[i].Value - CallLength;
243
244 IsCall = TRUE;
245 }
246 else
247 {
248 //
249 // Check if we wanna show the stack params
250 //
252 {
253 continue;
254 }
255
256 IsCall = FALSE;
257 TargetAddress = CallstackFrames[i].Value;
258 }
259
260 ShowMessages("[$+%03x] ", i * (Is32Bit ? sizeof(UINT32) : sizeof(UINT64)));
261
262 if (IsCall)
263 {
264 if (Is32Bit)
265 {
266 ShowMessages(" %08x (from ", TargetAddress);
267 }
268 else
269 {
270 ShowMessages(" %016llx (from ", TargetAddress);
271 }
272 }
273 else
274 {
275 if (Is32Bit)
276 {
277 ShowMessages(" %08x (addr ", TargetAddress);
278 }
279 else
280 {
281 ShowMessages(" %016llx (addr ", TargetAddress);
282 }
283 }
284
285 //
286 // Show the name of the function if available
287 // Apply addressconversion of settings here
288 //
290 {
291 if (SymbolShowFunctionNameBasedOnAddress(TargetAddress, &UsedBaseAddress))
292 {
293 ShowMessages(" ");
294 }
295 }
296
297 if (Is32Bit)
298 {
299 ShowMessages("<%08x>)\n", TargetAddress);
300 }
301 else
302 {
303 ShowMessages("<%016llx>)\n", TargetAddress);
304 }
305 }
306 else
307 {
308 //
309 // Check if we wanna show the stack params
310 //
312 {
313 continue;
314 }
315
316 ShowMessages("[$+%03x] ", i * (Is32Bit ? sizeof(UINT32) : sizeof(UINT64)));
317
318 if (Is32Bit)
319 {
320 ShowMessages(" %08x\n", CallstackFrames[i].Value);
321 }
322 else
323 {
324 ShowMessages(" %016llx\n", CallstackFrames[i].Value);
325 }
326 }
327 }
328}
UCHAR BOOLEAN
Definition BasicTypes.h:35
#define MAXIMUM_CALL_INSTR_SIZE
maximum size for call instruction in Intel
Definition Constants.h:475
@ DEBUGGER_CALLSTACK_DISPLAY_METHOD_WITHOUT_PARAMS
Definition RequestStructures.h:833
BOOLEAN CallstackReturnAddressToCallingAddress(UCHAR *ReturnAddress, PUINT32 IndexOfCallFromReturnAddress)
Walkthrough the stack.
Definition callstack.cpp:30
RequestedActionOfThePacket Value(0x1) 00000000
BOOLEAN g_AddressConversion
Whether converting addresses to object names or not.
Definition globals.h:594
UINT64 Value
Definition RequestStructures.h:819
BOOLEAN SymbolShowFunctionNameBasedOnAddress(UINT64 Address, PUINT64 UsedBaseAddress)
shows the functions' name for the disassembler
Definition symbol.cpp:161

◆ CommandApicSendRequest()

BOOLEAN CommandApicSendRequest ( DEBUGGER_APIC_REQUEST_TYPE ApicType,
PVOID ApicBuffer,
UINT32 ExpectedRequestSize,
PBOOLEAN IsUsingX2APIC )

Send APIC requests.

Parameters
ApicType
ApicBuffer
ExpectedRequestSize
IsUsingX2APIC
Returns
VOID
51{
52 BOOL Status;
53 ULONG ReturnedLength;
54 PDEBUGGER_APIC_REQUEST ApicRequest;
55 UINT32 RequestSize = 0;
56
57 RequestSize = SIZEOF_DEBUGGER_APIC_REQUEST + ExpectedRequestSize;
58
59 //
60 // Allocate buffer to fill the request
61 //
62 ApicRequest = (PDEBUGGER_APIC_REQUEST)malloc(RequestSize);
63
64 if (ApicRequest == NULL)
65 {
66 //
67 // Unable to allocate buffer
68 //
69 return FALSE;
70 }
71
72 RtlZeroMemory(ApicRequest, RequestSize);
73
74 //
75 // Set the APIC type to local apic
76 // Note that the APIC mode (xAPIC and x2APIC) is determined in the debugger
77 //
78 ApicRequest->ApicType = ApicType;
79
81 {
82 //
83 // Send the request over serial kernel debugger
84 //
85 if (!KdSendApicActionPacketsToDebuggee(ApicRequest, RequestSize))
86 {
87 free(ApicRequest);
88 return FALSE;
89 }
90 else
91 {
92 *IsUsingX2APIC = ApicRequest->IsUsingX2APIC;
93 RtlCopyMemory(ApicBuffer, (PVOID)(((CHAR *)ApicRequest) + sizeof(DEBUGGER_APIC_REQUEST)), ExpectedRequestSize);
94
95 free(ApicRequest);
96 return TRUE;
97 }
98 }
99 else
100 {
102
103 //
104 // Send IOCTL
105 //
106 Status = DeviceIoControl(
107 g_DeviceHandle, // Handle to device
108 IOCTL_PERFORM_ACTIONS_ON_APIC, // IO Control Code (IOCTL)
109 ApicRequest, // Input Buffer to driver.
110 SIZEOF_DEBUGGER_APIC_REQUEST, // Input buffer length
111 ApicRequest, // Output Buffer from driver.
112 RequestSize, // Length of output buffer in bytes.
113 &ReturnedLength, // Bytes placed in buffer.
114 NULL // synchronous call
115 );
116
117 if (!Status)
118 {
119 ShowMessages("ioctl failed with code 0x%x\n", GetLastError());
120
121 free(ApicRequest);
122 return FALSE;
123 }
124
125 if (ReturnedLength != RequestSize && ReturnedLength != SIZEOF_DEBUGGER_APIC_REQUEST)
126 {
127 //
128 // An err occurred
129 //
130 ShowMessages("err, apic request failed\n");
131
132 free(ApicRequest);
133 return FALSE;
134 }
135
137 {
138 //
139 // Fill the request buffer
140 //
141 *IsUsingX2APIC = ApicRequest->IsUsingX2APIC;
142 RtlCopyMemory(ApicBuffer, (PVOID)(((CHAR *)ApicRequest) + sizeof(DEBUGGER_APIC_REQUEST)), ExpectedRequestSize);
143
144 free(ApicRequest);
145 return TRUE;
146 }
147 else
148 {
149 //
150 // An err occurred, no results
151 //
152 ShowErrorMessage(ApicRequest->KernelStatus);
153
154 free(ApicRequest);
155 return FALSE;
156 }
157 }
158}
int BOOL
Definition BasicTypes.h:25
void * PVOID
Definition BasicTypes.h:56
char CHAR
Definition BasicTypes.h:33
unsigned long ULONG
Definition BasicTypes.h:31
#define DEBUGGER_OPERATION_WAS_SUCCESSFUL
General value to indicate that the operation or request was successful.
Definition ErrorCodes.h:23
#define IOCTL_PERFORM_ACTIONS_ON_APIC
ioctl, to perform actions related to APIC
Definition Ioctls.h:361
struct _DEBUGGER_APIC_REQUEST * PDEBUGGER_APIC_REQUEST
#define SIZEOF_DEBUGGER_APIC_REQUEST
Debugger size of DEBUGGER_APIC_REQUEST.
Definition RequestStructures.h:1108
struct _DEBUGGER_APIC_REQUEST DEBUGGER_APIC_REQUEST
The structure of actions for APIC.
BOOLEAN ShowErrorMessage(UINT32 Error)
shows the error message
Definition debugger.cpp:40
BOOLEAN KdSendApicActionPacketsToDebuggee(PDEBUGGER_APIC_REQUEST ApicRequest, UINT32 ExpectedRequestSize)
Send requests for APIC packet to the debuggee.
Definition kd.cpp:995
#define ASSERT_MESSAGE_KD_NOT_LOADED
Definition common.h:29
#define AssertShowMessageReturnStmt(expr1, expr2, message1, message2, rc)
Definition common.h:59
#define ASSERT_MESSAGE_DRIVER_NOT_LOADED
Definition common.h:27
#define AssertReturnFalse
Definition common.h:21
HANDLE g_DeviceHandle
Holds the global handle of device which is used to send the request to the kernel by IOCTL,...
Definition globals.h:481
UINT32 KernelStatus
Definition RequestStructures.h:1100
BOOLEAN IsUsingX2APIC
Definition RequestStructures.h:1099
DEBUGGER_APIC_REQUEST_TYPE ApicType
Definition RequestStructures.h:1098

◆ CommandBpRequest()

BOOLEAN CommandBpRequest ( UINT64 Address,
UINT32 Pid,
UINT32 Tid,
UINT32 CoreNumer )

request breakpoint

Parameters
AddressAddress
PidProcess Id
TidThread Id
CoreNumerCore Number
Returns
BOOLEAN
120{
121 DEBUGGEE_BP_PACKET BpPacket = {0};
122
123 //
124 // Check if the debugger is connected to a remote debuggee or a user-debugger is active
125 //
127 {
128 return FALSE;
129 }
130
131 //
132 // Set the details for the remote packet
133 //
134 BpPacket.Address = Address;
135 BpPacket.Core = CoreNumer;
136 BpPacket.Pid = Pid;
137 BpPacket.Tid = Tid;
138
139 //
140 // Send the bp packet either to the user debugger or the kernel debugger
141 //
143 {
145 }
147 {
148 return KdSendBpPacketToDebuggee(&BpPacket);
149 }
150 else
151 {
152 //
153 // couldn't set breakpoint, no active process or remote debuggee
154 //
155 return FALSE;
156 }
157}
BOOLEAN CommandBpPerformApplyingBreakpointOnUserDebugger(DEBUGGEE_BP_PACKET *BpPacket)
Apply breakpoint on the user debugger.
Definition bp.cpp:55
struct _DEBUGGEE_BP_PACKET DEBUGGEE_BP_PACKET
The structure of bp command packet in HyperDbg.
BOOLEAN KdSendBpPacketToDebuggee(PDEBUGGEE_BP_PACKET BpPacket)
Sends a breakpoint set or 'bp' command packet to the debuggee.
Definition kd.cpp:1169
UINT32 Tid
Definition RequestStructures.h:1519
UINT32 Core
Definition RequestStructures.h:1520
UINT64 Address
Definition RequestStructures.h:1517
UINT32 Pid
Definition RequestStructures.h:1518

◆ CommandEventsClearAllEventsAndResetTags()

VOID CommandEventsClearAllEventsAndResetTags ( )

Clears all the events and resets the tag.

Returns
VOID
475{
476 //
477 // Check if events are initialized
478 //
480 {
482
483 //
484 // Indicate that it's not initialized
485 //
487
488 //
489 // Reset tag numbering mechanism
490 //
492 }
493}
#define DEBUGGER_MODIFY_EVENTS_APPLY_TO_ALL_TAG
Apply event modifications to all tags.
Definition Constants.h:714
#define DebuggerEventTagStartSeed
The seeds that user-mode codes use as the starter of their events' tag.
Definition Constants.h:230
BOOLEAN CommandEventClearEvent(UINT64 Tag)
disable and remove a special event
Definition events.cpp:390
UINT64 g_EventTag
This variable holds the trace and generate numbers for new tags of events.
Definition globals.h:385
BOOLEAN g_EventTraceInitialized
it shows whether the debugger started using events or not or in other words, is g_EventTrace initiali...
Definition globals.h:400

◆ CommandEventsHandleModifiedEvent()

VOID CommandEventsHandleModifiedEvent ( UINT64 Tag,
PDEBUGGER_MODIFY_EVENTS ModifyEventRequest )

Handle events after modification.

Parameters
Tagthe tag of the target event
ModifyEventRequestResults
Returns
VOID
506{
507 if (ModifyEventRequest->KernelStatus == DEBUGGER_OPERATION_WAS_SUCCESSFUL)
508 {
509 //
510 // Successful, nothing to show but we should also
511 // do the same (change) the user-mode structures
512 // that hold the event data
513 //
514 if (ModifyEventRequest->TypeOfAction == DEBUGGER_MODIFY_EVENTS_ENABLE)
515 {
517 {
518 ShowMessages("err, the event was successfully, "
519 "(enabled|disabled|cleared) but "
520 "can't apply it to the user-mode structures\n");
521 }
522 }
523 else if (ModifyEventRequest->TypeOfAction == DEBUGGER_MODIFY_EVENTS_DISABLE)
524 {
526 {
527 ShowMessages("err, the event was successfully, "
528 "(enabled|disabled|cleared) but "
529 "can't apply it to the user-mode structures\n");
530 }
531 else
532 {
533 //
534 // The action was applied successfully
535 //
537 {
538 //
539 // It is because we didn't query the target debuggee auto-flush
540 // variable
541 //
545 {
546 if (!g_AutoFlush)
547 {
548 ShowMessages(
549 "auto-flush mode is disabled, if there is still "
550 "messages or buffers in the kernel, you continue to see "
551 "the messages when you run 'g' until the kernel "
552 "buffers are empty. you can run 'settings autoflush "
553 "on' and after disabling and clearing events, "
554 "kernel buffers will be flushed automatically\n");
555 }
556 else
557 {
558 //
559 // We should flush buffers here
560 //
562 }
563 }
564 }
565 }
566 }
567 else if (ModifyEventRequest->TypeOfAction == DEBUGGER_MODIFY_EVENTS_CLEAR)
568 {
570 {
571 ShowMessages("err, the event was successfully, "
572 "(enabled|disabled|cleared) but "
573 "can't apply it to the user-mode structures\n");
574 }
575 else
576 {
577 //
578 // If HyperDbg is operating at the Debugger Mode, we'll indicate that
579 // the event will be cleared after continuing the debuggee
580 //
582 {
583 ShowMessages("%s successfully cleared, but please note in the Debugger Mode (current mode), HyperDbg "
584 "cannot clear events instantly. Instead, it first disables the events, and when "
585 "you continue the debuggee (e.g., by pressing the 'g' command), the event will be cleared. "
586 "Reapplying the same event without first continuing the debuggee may result in undefined behavior\n",
587 Tag == DEBUGGER_MODIFY_EVENTS_APPLY_TO_ALL_TAG ? "events are" : "the event is");
588 }
589
590 //
591 // The action was applied successfully
592 //
594 {
595 //
596 // It is because we didn't query the target debuggee auto-flush
597 // variable
598 //
600 {
601 if (!g_AutoFlush)
602 {
603 ShowMessages(
604 "auto-flush mode is disabled, if there is still "
605 "messages or buffers in the kernel, you continue to see "
606 "the messages when you run 'g' until the kernel "
607 "buffers are empty. you can run 'settings autoflush "
608 "on' and after disabling and clearing events, "
609 "kernel buffers will be flushed automatically\n");
610 }
611 else
612 {
613 //
614 // We should flush buffers here
615 //
617 }
618 }
619 }
620 }
621 }
622 else if (ModifyEventRequest->TypeOfAction ==
624 {
625 //
626 // Nothing to show
627 //
628 }
629 else
630 {
631 ShowMessages(
632 "err, the event was successfully, (enabled|disabled|cleared) but "
633 "can't apply it to the user-mode structures\n");
634 }
635 }
636 else
637 {
638 //
639 // Interpret error
640 //
641 ShowErrorMessage((UINT32)ModifyEventRequest->KernelStatus);
642 return;
643 }
644}
POOL_TYPE SIZE_T ULONG Tag
Definition Hooks.h:89
@ DEBUGGER_MODIFY_EVENTS_ENABLE
Definition Events.h:235
@ DEBUGGER_MODIFY_EVENTS_DISABLE
Definition Events.h:236
@ DEBUGGER_MODIFY_EVENTS_QUERY_STATE
Definition Events.h:234
@ DEBUGGER_MODIFY_EVENTS_CLEAR
Definition Events.h:237
BOOLEAN CommandEventEnableEvent(UINT64 Tag)
enables a special event
Definition events.cpp:340
BOOLEAN CommandEventDisableEvent(UINT64 Tag)
Disable a special event.
Definition events.cpp:290
BOOLEAN g_AutoFlush
Whether auto-flush mode is enabled or not enabled.
Definition globals.h:601
VOID CommandFlushRequestFlush()
flush command handler
Definition flush.cpp:40
BOOLEAN g_IsSerialConnectedToRemoteDebugger
Shows if the debugger was connected to remote debugger (A remote host).
Definition rev.cpp:18
DEBUGGER_MODIFY_EVENTS_TYPE TypeOfAction
Definition Events.h:249
UINT64 KernelStatus
Definition Events.h:247

◆ CommandEventsModifyAndQueryEvents()

BOOLEAN CommandEventsModifyAndQueryEvents ( UINT64 Tag,
DEBUGGER_MODIFY_EVENTS_TYPE TypeOfAction )

modify a special event (enable/disable/clear) and send the request directly to the kernel

if you pass DEBUGGER_MODIFY_EVENTS_APPLY_TO_ALL_TAG as the tag then it will be applied to all the active/disabled events in the kernel

Parameters
Tagthe tag of the target event
TypeOfActionwhether its a enable/disable/clear
Returns
BOOLEAN Shows whether the event is enabled or disabled
660{
661 BOOLEAN Status;
662 ULONG ReturnedLength;
663 DEBUGGER_MODIFY_EVENTS ModifyEventRequest = {0};
664
665 //
666 // Check if there is no event, then we shouldn't apply the
667 // enable, disable, or clear commands, this command also
668 // checks for DEBUGGER_MODIFY_EVENTS_APPLY_TO_ALL_TAG to
669 // see if at least one tag exists or not; however, it's not
670 // necessary as the kernel will check for the validity of
671 // tag too, but let's not send it to kernel as we can prevent
672 // invalid requests from user-mode too
673 //
674 if (!IsTagExist(Tag))
675 {
677 {
678 ShowMessages("there is no event\n");
679 }
680 else
681 {
682 ShowMessages("err, tag id is invalid\n");
683 }
684 return FALSE;
685 }
686
688 {
689 //
690 // Remote debuggee Debugger Mode
691 //
693 }
694 else
695 {
696 //
697 // Local debugging VMI-Mode
698 //
699
700 //
701 // Check if the VMM module is loaded or not
702 //
704
705 //
706 // Fill the structure to send it to the kernel
707 //
708 ModifyEventRequest.Tag = Tag;
709 ModifyEventRequest.TypeOfAction = TypeOfAction;
710
711 //
712 // Send the request to the kernel
713 //
714 Status =
715 DeviceIoControl(g_DeviceHandle, // Handle to device
716 IOCTL_DEBUGGER_MODIFY_EVENTS, // IO Control Code (IOCTL)
717 &ModifyEventRequest, // Input Buffer to driver.
718 SIZEOF_DEBUGGER_MODIFY_EVENTS, // Input buffer length
719 &ModifyEventRequest, // Output Buffer from driver.
720 SIZEOF_DEBUGGER_MODIFY_EVENTS, // Length of output
721 // buffer in bytes.
722 &ReturnedLength, // Bytes placed in buffer.
723 NULL // synchronous call
724 );
725
726 if (!Status)
727 {
728 ShowMessages("ioctl failed with code 0x%x\n", GetLastError());
729 return FALSE;
730 }
731
732 //
733 // Perform further actions
734 //
735 CommandEventsHandleModifiedEvent(Tag, &ModifyEventRequest);
736
737 if (TypeOfAction == DEBUGGER_MODIFY_EVENTS_QUERY_STATE)
738 {
739 return ModifyEventRequest.IsEnabled;
740 }
741 }
742
743 //
744 // in all the cases except query state it shows whether the operation was
745 // successful or not
746 //
747 return TRUE;
748}
#define SIZEOF_DEBUGGER_MODIFY_EVENTS
Definition Events.h:254
struct _DEBUGGER_MODIFY_EVENTS DEBUGGER_MODIFY_EVENTS
request for modifying events (enable/disable/clear)
#define IOCTL_DEBUGGER_MODIFY_EVENTS
ioctl, request to modify an event (enable/disable/clear)
Definition Ioctls.h:206
BOOLEAN IsTagExist(UINT64 Tag)
Check whether the tag exists or not, if the tag is DEBUGGER_MODIFY_EVENTS_APPLY_TO_ALL_TAG then if we...
Definition debugger.cpp:824
VOID CommandEventsHandleModifiedEvent(UINT64 Tag, PDEBUGGER_MODIFY_EVENTS ModifyEventRequest)
Handle events after modification.
Definition events.cpp:503
BOOLEAN KdSendEventQueryAndModifyPacketToDebuggee(UINT64 Tag, DEBUGGER_MODIFY_EVENTS_TYPE TypeOfAction, BOOLEAN *IsEnabled)
Sends a query or request to enable/disable/clear for event.
Definition kd.cpp:265
#define ASSERT_MESSAGE_VMM_NOT_LOADED
Definition common.h:31
BOOLEAN g_IsVmmModuleLoaded
shows whether the VMM module is loaded or not
Definition globals.h:28
BOOLEAN IsEnabled
Definition Events.h:250
UINT64 Tag
Definition Events.h:246

◆ CommandEventsShowEvents()

VOID CommandEventsShowEvents ( )

print every active and disabled events

this function will not show cleared events

Returns
VOID
232{
233 //
234 // It's an events without any argument so we have to show
235 // all the currently active events
236 //
237 PLIST_ENTRY TempList = 0;
238 BOOLEAN IsThereAnyEvents = FALSE;
239
240 TempList = &g_EventTrace;
241 while (&g_EventTrace != TempList->Blink)
242 {
243 TempList = TempList->Blink;
244
245 PDEBUGGER_GENERAL_EVENT_DETAIL CommandDetail = CONTAINING_RECORD(TempList, DEBUGGER_GENERAL_EVENT_DETAIL, CommandsEventList);
246 string CommandMessage((char *)CommandDetail->CommandStringBuffer);
247
248 //
249 // Do not show the \n(s)
250 //
251 ReplaceAll(CommandMessage, "\n", " ");
252
253 //
254 // Only show portion of message
255 //
256 if (CommandMessage.length() > 70)
257 {
258 CommandMessage = CommandMessage.substr(0, 70);
259 CommandMessage += "...";
260 }
261
262 ShowMessages("%x\t(%s)\t %s\n",
263 CommandDetail->Tag - DebuggerEventTagStartSeed,
264 // CommandDetail->IsEnabled ? "enabled" : "disabled",
265 CommandEventQueryEventState(CommandDetail->Tag)
266 ? "enabled"
267 : "disabled", /* Query is live now */
268 CommandMessage.c_str());
269
270 if (!IsThereAnyEvents)
271 {
272 IsThereAnyEvents = TRUE;
273 }
274 }
275
276 if (!IsThereAnyEvents)
277 {
278 ShowMessages("no active/disabled events \n");
279 }
280}
struct _DEBUGGER_GENERAL_EVENT_DETAIL DEBUGGER_GENERAL_EVENT_DETAIL
Each command is like the following struct, it also used for tracing works in user mode and sending it...
struct _DEBUGGER_GENERAL_EVENT_DETAIL * PDEBUGGER_GENERAL_EVENT_DETAIL
BOOLEAN CommandEventQueryEventState(UINT64 Tag)
Check the kernel whether the event is enabled or disabled.
Definition events.cpp:188
VOID ReplaceAll(string &str, const string &from, const string &to)
LIST_ENTRY g_EventTrace
Holds a list of events in kernel and the state of events and the commands to show the state of each c...
Definition globals.h:410
#define CONTAINING_RECORD(address, type, field)
Definition nt-list.h:36
UINT64 Tag
Definition Events.h:393
PVOID CommandStringBuffer
Definition Events.h:398

◆ CommandFlushRequestFlush()

VOID CommandFlushRequestFlush ( )

flush command handler

Returns
VOID
41{
42 BOOL Status;
43 ULONG ReturnedLength;
44 DEBUGGER_FLUSH_LOGGING_BUFFERS FlushRequest = {0};
45
47 {
48 //
49 // It's on a debugger mode
50 //
52 }
53 else
54 {
55 //
56 // It's on a local debugging mode
57 //
59
60 //
61 // By the way, we don't need to send an input buffer
62 // to the kernel, but let's keep it like this, if we
63 // want to pass some other arguments to the kernel in
64 // the future
65 //
66 Status = DeviceIoControl(
67 g_DeviceHandle, // Handle to device
68 IOCTL_DEBUGGER_FLUSH_LOGGING_BUFFERS, // IO Control Code (IOCTL)
69 &FlushRequest, // Input Buffer to driver.
70 SIZEOF_DEBUGGER_FLUSH_LOGGING_BUFFERS, // Input buffer length
71 &FlushRequest, // Output Buffer from driver.
72 SIZEOF_DEBUGGER_FLUSH_LOGGING_BUFFERS, // Length of output buffer in
73 // bytes.
74 &ReturnedLength, // Bytes placed in buffer.
75 NULL // synchronous call
76 );
77
78 if (!Status)
79 {
80 ShowMessages("ioctl failed with code 0x%x\n", GetLastError());
81 return;
82 }
83
85 {
86 //
87 // The amount of message that are deleted are the amount of
88 // vmx-root messages and vmx non-root messages
89 //
90 ShowMessages(
91 "flushing buffers was successful, total %d messages were cleared.\n",
94 }
95 else
96 {
97 ShowMessages("flushing buffers was not successful :(\n");
98 }
99 }
100}
#define IOCTL_DEBUGGER_FLUSH_LOGGING_BUFFERS
ioctl, flush the kernel buffers
Definition Ioctls.h:213
#define SIZEOF_DEBUGGER_FLUSH_LOGGING_BUFFERS
Definition RequestStructures.h:311
struct _DEBUGGER_FLUSH_LOGGING_BUFFERS DEBUGGER_FLUSH_LOGGING_BUFFERS
request for flushing buffers
BOOLEAN KdSendFlushPacketToDebuggee()
Send a flush request to the debuggee.
Definition kd.cpp:314
#define AssertReturn
Definition common.h:19
UINT32 CountOfMessagesThatSetAsReadFromVmxRoot
Definition RequestStructures.h:321
UINT32 CountOfMessagesThatSetAsReadFromVmxNonRoot
Definition RequestStructures.h:322
UINT32 KernelStatus
Definition RequestStructures.h:320

◆ CommandGRequest()

VOID CommandGRequest ( )

Request to unpause.

Returns
VOID
42{
43 //
44 // Check if the remote serial debuggee is paused or not
45 //
47 {
49 }
50 else
51 {
52 //
53 // Set the g_BreakPrintingOutput to FALSE
54 //
56
57 //
58 // If it's a remote debugger then we send the remote debuggee a 'g'
59 // and if we're connect to user debugger then we send the packet
60 // with current debugging thread token
61 //
63 {
64 RemoteConnectionSendCommand("g", (UINT32)strlen("g") + 1);
65 }
66 else if (g_ActiveProcessDebuggingState.IsActive)
67 {
69 {
71
72 //
73 // Target process is running
74 //
76 }
77 else
78 {
79 ShowMessages("the target process is already running\n");
80 }
81 }
82 }
83}
VOID KdBreakControlCheckAndContinueDebugger()
check if the debuggee needs to be continued
Definition kd.cpp:2091
BOOLEAN UdContinueProcess(UINT64 ProcessDebuggingToken)
Continue the target process.
Definition ud.cpp:933

◆ CommandPauseRequest()

VOID CommandPauseRequest ( )

request to pause

Returns
VOID
41{
42 //
43 // Set the g_BreakPrintingOutput to TRUE
44 //
46 ShowMessages("pausing...\n");
47
48 //
49 // If it's a remote debugger then we send the remote debuggee a 'g'
50 //
52 {
53 RemoteConnectionSendCommand("pause", (UINT32)strlen("pause") + 1);
54 }
55 else if (g_ActiveProcessDebuggingState.IsActive && UdPauseProcess(g_ActiveProcessDebuggingState.ProcessDebuggingToken))
56 {
57 ShowMessages("please keep interacting with the process until all the threads are intercepted "
58 "and halted; you can run the 'g' command to continue the debuggee\n");
59 }
60}
BOOLEAN UdPauseProcess(UINT64 ProcessDebuggingToken)
Pause the target process.
Definition ud.cpp:865

◆ CommandTrackHandleReceivedCallInstructions()

VOID CommandTrackHandleReceivedCallInstructions ( const CHAR * NameOfFunctionFromSymbols,
UINT64 ComputedAbsoluteAddress )

Handle received 'call'.

Parameters
NameOfFunctionFromSymbols
ComputedAbsoluteAddress
Returns
VOID
237{
238 //
239 // One 'call' instruction is visited
240 //
242
243 CHAR Utf8String1[] = "\xE2\x94\x82\x20\x20";
244
245 for (SIZE_T i = 0; i < NumberOfCallsIdentation; i++)
246 {
247 PlatformWriteConsole(Utf8String1, sizeof(Utf8String1) - 1);
248 }
249
250 //
251 // Write the UTF-8 encoded character sequence to the console
252 //
253 // CHAR Utf8String[] = "\xE2\x94\x9C\xE2\x94\x80\xE2\x94\x80";
254 CHAR Utf8String[] = "\xE2\x94\x8C\xE2\x94\x80\xE2\x94\x80";
255 PlatformWriteConsole(Utf8String, sizeof(Utf8String) - 1);
256
257 if (NameOfFunctionFromSymbols != NULL)
258 {
259 ShowMessages(" %s (%s)\n", NameOfFunctionFromSymbols, SeparateTo64BitValue(ComputedAbsoluteAddress).c_str());
260 }
261 else
262 {
263 ShowMessages(" %s\n", SeparateTo64BitValue(ComputedAbsoluteAddress).c_str());
264 }
265
266 if (ShowRegs)
267 {
269 }
270
272}
string SeparateTo64BitValue(UINT64 Value)
BOOLEAN PlatformWriteConsole(const VOID *Buffer, DWORD NumberOfBytes)
Platform independent wrapper to write raw bytes to the console.
Definition platform-lib-calls.c:374
volatile BOOLEAN RequestShowingRegs
Definition track.cpp:28
BOOLEAN ShowRegs
Definition track.cpp:27
BOOLEAN IsCallInstructionVisited
Definition track.cpp:26
UINT32 NumberOfCallsIdentation
Definition track.cpp:25

◆ CommandTrackHandleReceivedInstructions()

VOID CommandTrackHandleReceivedInstructions ( UCHAR * BufferToDisassemble,
UINT32 BuffLength,
BOOLEAN Isx86_64,
UINT64 RipAddress )

Handle received 'call' or 'ret'.

Parameters
BufferToDisassemble
BuffLength
Isx86_64
RipAddress
Returns
VOID
216{
217 BOOLEAN IsRet = FALSE;
218
219 //
220 // By calling this function, it acts as a callback that in case of the 'call' and the 'ret' instructions
221 // the callbacks will be called
222 //
223 HyperDbgCheckWhetherTheCurrentInstructionIsCallOrRet(BufferToDisassemble, RipAddress, BuffLength, Isx86_64, &IsRet);
224}
BOOLEAN HyperDbgCheckWhetherTheCurrentInstructionIsCallOrRet(UCHAR *BufferToDisassemble, UINT64 CurrentRip, UINT32 BuffLength, BOOLEAN Isx86_64, PBOOLEAN IsRet)
Check whether the current instruction is a 'call' or 'ret' or not.
Definition disassembler.cpp:983

◆ CommandTrackHandleReceivedRetInstructions()

VOID CommandTrackHandleReceivedRetInstructions ( UINT64 CurrentRip)

Handle received 'ret'.

Parameters
CurrentRip
Returns
VOID
283{
284 UINT64 UsedBaseAddress = NULL;
285 BOOLEAN IsNameShowed = FALSE;
286
288 {
290 {
292 }
293 }
294
295 CHAR Utf8String1[] = "\xE2\x94\x82\x20\x20";
296
297 for (SIZE_T i = 0; i < NumberOfCallsIdentation; i++)
298 {
299 PlatformWriteConsole(Utf8String1, sizeof(Utf8String1) - 1);
300 }
301
302 //
303 // Write the UTF-8 encoded character sequence to the console
304 //
305 CHAR Utf8String[] = "\xE2\x94\x94\xE2\x94\x80\xE2\x94\x80\x20";
306 PlatformWriteConsole(Utf8String, sizeof(Utf8String) - 1);
307
308 //
309 // Apply addressconversion of settings here
310 //
312 {
313 //
314 // Showing function names here
315 //
316 if (SymbolShowFunctionNameBasedOnAddress(CurrentRip, &UsedBaseAddress))
317 {
318 //
319 // The symbol address is showed
320 //
321 IsNameShowed = TRUE;
322 ShowMessages(" (%s)\n", SeparateTo64BitValue(CurrentRip).c_str());
323 }
324 }
325
326 if (!IsNameShowed)
327 {
328 ShowMessages("%s \n", SeparateTo64BitValue(CurrentRip).c_str());
329 }
330}
NULL()
Definition test-case-generator.py:530

◆ DebuggerGetKernelBase()

UINT64 DebuggerGetKernelBase ( )

Get the base address of the kernel module.

Returns
UINT64
699{
700 UINT64 KernelBase = NULL;
701
703 {
704 KernelBase = g_KernelBaseAddress;
705 }
706 else
707 {
708 KernelBase = DebuggerGetNtoskrnlBase();
709 g_KernelBaseAddress = KernelBase;
710 }
711
712 return KernelBase;
713}
UINT64 g_KernelBaseAddress
Shows the kernel base address.
Definition globals.h:576
UINT64 DebuggerGetNtoskrnlBase()
Get ntoskrnl.exe base in the kernel.
Definition debugger.cpp:657

◆ DebuggerGetNtoskrnlBase()

UINT64 DebuggerGetNtoskrnlBase ( )

Get ntoskrnl.exe base in the kernel.

Returns
UINT64 Base address of ntoskrnl.exe
658{
659#ifdef _WIN32
660 UINT64 NtoskrnlBase = NULL;
661 PRTL_PROCESS_MODULES Modules = NULL;
662
664 {
665 ShowMessages("err, unable to get the module list for getting ntoskrnl base address\n");
666 return NULL64_ZERO;
667 }
668
669 for (UINT32 i = 0; i < Modules->NumberOfModules; i++)
670 {
671 if (!strcmp((const CHAR *)Modules->Modules[i].FullPathName + Modules->Modules[i].OffsetToFileName,
672 "ntoskrnl.exe"))
673 {
674 NtoskrnlBase = (UINT64)Modules->Modules[i].ImageBase;
675 break;
676 }
677 }
678
679 free(Modules);
680
681 return NtoskrnlBase;
682#else
683 //
684 // TODO(Linux): NT-style system module enumeration (PRTL_PROCESS_MODULES via
685 // NtQuerySystemInformation) has no Linux analog. The kernel-module base lookup
686 // will need a Linux-specific mechanism once the kernel side exists.
687 //
688 return NULL64_ZERO;
689#endif
690}
struct _RTL_PROCESS_MODULES * PRTL_PROCESS_MODULES
#define NULL64_ZERO
Definition BasicTypes.h:111
ULONG NumberOfModules
Definition Windows.h:34
BOOLEAN SymbolCheckAndAllocateModuleInformation(PRTL_PROCESS_MODULES *Modules)
Check and allocate module information.
Definition symbol.cpp:1303

◆ DebuggerPauseDebuggee()

BOOLEAN DebuggerPauseDebuggee ( )

pauses the debuggee

Returns
BOOLEAN shows whether the pause was successful or not, if successful then when it returns true the debuggee is not paused anymore (continued)
723{
724 BOOLEAN StatusIoctl = 0;
725 ULONG ReturnedLength = 0;
726 DEBUGGER_PAUSE_PACKET_RECEIVED PauseRequest = {0};
727
728 //
729 // Send a pause IOCTL
730 //
731 StatusIoctl = PlatformDeviceIoControl(g_DeviceHandle, // Handle to device
732 IOCTL_PAUSE_PACKET_RECEIVED, // IO Control Code (IOCTL)
733 &PauseRequest, // Input Buffer to driver.
735 // length
736 &PauseRequest, // Output Buffer from driver.
737 SIZEOF_DEBUGGER_PAUSE_PACKET_RECEIVED, // Length of output
738 // buffer in bytes.
739 &ReturnedLength, // Bytes placed in buffer.
740 NULL // synchronous call
741 );
742
743 if (!StatusIoctl)
744 {
745 ShowMessages("ioctl failed with code 0x%x\n", PlatformGetLastError());
746 return FALSE;
747 }
748
749 if (PauseRequest.Result == DEBUGGER_OPERATION_WAS_SUCCESSFUL)
750 {
751 //
752 // Nothing to show, the request was successfully processed
753 //
754 return TRUE;
755 }
756 else
757 {
758 ShowErrorMessage(PauseRequest.Result);
759 return FALSE;
760 }
761 return FALSE;
762}
#define SIZEOF_DEBUGGER_PAUSE_PACKET_RECEIVED
Definition DataTypes.h:203
struct _DEBUGGER_PAUSE_PACKET_RECEIVED DEBUGGER_PAUSE_PACKET_RECEIVED
request to pause and halt the system
#define IOCTL_PAUSE_PACKET_RECEIVED
ioctl, pause and halt the system
Definition Ioctls.h:242
BOOL PlatformDeviceIoControl(HANDLE Device, DWORD IoControlCode, LPVOID InBuffer, DWORD InBufferSize, LPVOID OutBuffer, DWORD OutBufferSize, LPDWORD BytesReturned, LPVOID Overlapped)
DWORD PlatformGetLastError(VOID)
Platform independent wrapper for GetLastError.
Definition platform-lib-calls.c:350
UINT32 Result
Definition DataTypes.h:212

◆ DetachFromProcess()

VOID DetachFromProcess ( )

perform detach from process

Returns
VOID
40{
42
43 //
44 // Check if debugger is loaded or not
45 //
47
48 //
49 // Check if we attached to a process or not
50 //
52 {
53 ShowMessages("you're not attached to any thread\n");
54 return;
55 }
56
57 //
58 // Perform the detaching of the target process
59 //
61}
struct _DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS
request for attaching user-mode process
BOOLEAN UdDetachProcess(UINT32 TargetPid, UINT64 ProcessDetailToken)
Detach the target process.
Definition ud.cpp:786

◆ FreeEventsAndActionsMemory()

VOID FreeEventsAndActionsMemory ( PDEBUGGER_GENERAL_EVENT_DETAIL Event,
PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger,
PDEBUGGER_GENERAL_ACTION ActionCustomCode,
PDEBUGGER_GENERAL_ACTION ActionScript )

Deallocate buffers relating to events and actions.

Parameters

return VOID

1692{
1693 if (Event != NULL)
1694 {
1695 if (Event->CommandStringBuffer != NULL)
1696 {
1697 free(Event->CommandStringBuffer);
1698 }
1699
1700 free(Event);
1701 }
1702
1703 if (ActionBreakToDebugger != NULL)
1704 {
1705 free(ActionBreakToDebugger);
1706 }
1707 if (ActionCustomCode != NULL)
1708 {
1709 free(ActionCustomCode);
1710 }
1711 if (ActionScript != NULL)
1712 {
1713 free(ActionScript);
1714 }
1715}

◆ GetCommandAttributes()

UINT64 GetCommandAttributes ( const string & FirstCommand)

Get Command Attributes.

Parameters
FirstCommandjust the first word of command (without other parameters)
Returns
BOOLEAN Mask of the command's attributes
1256{
1257 CommandType::iterator Iterator;
1258
1259 //
1260 // Some commands should not be passed to the remote system
1261 // and instead should be handled in the current debugger
1262 //
1263
1264 Iterator = g_CommandsList.find(FirstCommand);
1265
1266 if (Iterator == g_CommandsList.end())
1267 {
1268 //
1269 // Command doesn't exist, if it's not exists then it's better to handle
1270 // it locally, instead of sending it to the remote computer
1271 //
1273 }
1274 else
1275 {
1276 return Iterator->second.CommandAttrib;
1277 }
1278
1279 return NULL;
1280}
#define DEBUGGER_COMMAND_ATTRIBUTE_ABSOLUTE_LOCAL
Absolute local commands.
Definition commands.h:224
CommandType g_CommandsList
List of command and attributes.
Definition globals.h:348

◆ GetNewDebuggerEventTag()

UINT64 GetNewDebuggerEventTag ( )

Get the New Debugger Event Tag object and increase the global variable for tag.

Returns
UINT64
1677{
1678 return g_EventTag++;
1679}

◆ HyperDbgDebugCloseRemoteDebugger()

BOOLEAN HyperDbgDebugCloseRemoteDebugger ( )

Connect to a remote serial device (Debuggee).

Returns
BOOLEAN
212{
213 //
214 // Check if the debugger is attached to a debuggee
215 //
217 {
219 return TRUE;
220 }
221 else
222 {
223 return FALSE;
224 }
225}
BOOLEAN KdCloseConnection()
Send close packet to the debuggee and debugger.
Definition kd.cpp:3056

◆ HyperDbgDebugCurrentDeviceUsingComPort()

BOOLEAN HyperDbgDebugCurrentDeviceUsingComPort ( const CHAR * PortName,
DWORD Baudrate )

Connect to a remote serial device (Debuggee).

Parameters
PortName
Baudrate
Returns
BOOLEAN
172{
173 UINT32 Port;
174
175 //
176 // Check if baudrate is valid or not
177 //
178 if (!CommandDebugCheckBaudrate(Baudrate))
179 {
180 //
181 // Baud-rate is invalid
182 //
183 return FALSE;
184 }
185
186 //
187 // check if com port address is valid or not
188 //
189 if (!CommandDebugCheckComPort(PortName, &Port))
190 {
191 //
192 // com port is invalid
193 //
194 return FALSE;
195 }
196
197 //
198 // Everything is okay, connect to the remote machine to send (debuggee)
199 // Note: Pause after connect is set to FALSE, because it doesn't make sense for the
200 // deubuggee to pause after connecting to the debugger
201 //
202 return KdPrepareAndConnectDebugPort(PortName, Baudrate, Port, TRUE, FALSE, FALSE);
203}
BOOLEAN CommandDebugCheckComPort(const CHAR *ComPort, UINT32 *Port)
Check if COM port is valid or not.
Definition debug.cpp:59
BOOLEAN CommandDebugCheckBaudrate(DWORD Baudrate)
Check if baud rate is valid or not.
Definition debug.cpp:92
BOOLEAN KdPrepareAndConnectDebugPort(const CHAR *PortName, DWORD Baudrate, UINT32 Port, BOOLEAN IsPreparing, BOOLEAN IsNamedPipe, BOOLEAN PauseAfterConnection)
Prepare and initialize COM port.
Definition kd.cpp:2468

◆ HyperDbgDebugRemoteDeviceUsingComPort()

BOOLEAN HyperDbgDebugRemoteDeviceUsingComPort ( const CHAR * PortName,
DWORD Baudrate,
BOOLEAN PauseAfterConnection )

Connect to a remote serial device (Debugger).

Parameters
PortName
Baudrate
PauseAfterConnection
Returns
BOOLEAN
117{
118 UINT32 Port;
119
120 //
121 // Check if baudrate is valid or not
122 //
123 if (!CommandDebugCheckBaudrate(Baudrate))
124 {
125 //
126 // Baud-rate is invalid
127 //
128 return FALSE;
129 }
130
131 //
132 // check if com port address is valid or not
133 //
134 if (!CommandDebugCheckComPort(PortName, &Port))
135 {
136 //
137 // com port is invalid
138 //
139 return FALSE;
140 }
141
142 //
143 // Everything is okay, connect to the remote machine to send (debugger)
144 //
145 return KdPrepareAndConnectDebugPort(PortName, Baudrate, Port, FALSE, FALSE, PauseAfterConnection);
146}

◆ HyperDbgDebugRemoteDeviceUsingNamedPipe()

BOOLEAN HyperDbgDebugRemoteDeviceUsingNamedPipe ( const CHAR * NamedPipe,
BOOLEAN PauseAfterConnection )

Connect to a remote named pipe (Debugger).

Parameters
NamedPipe
PauseAfterConnection
Returns
BOOLEAN
158{
159 return KdPrepareAndConnectDebugPort(NamedPipe, NULL, NULL, FALSE, TRUE, PauseAfterConnection);
160}

◆ HyperDbgDisableTransparentMode()

BOOLEAN HyperDbgDisableTransparentMode ( )

Disable transparent mode.

Returns
BOOLEAN
42{
43 BOOLEAN Status;
44 ULONG ReturnedLength;
46
47 //
48 // Check if debugger is loaded or not
49 //
51
52 //
53 // We don't wanna hide the debugger and make transparent vm-exits
54 //
55 UnhideRequest.IsHide = FALSE;
56
57 //
58 // Send the request to the kernel
59 //
60 Status = DeviceIoControl(
61 g_DeviceHandle, // Handle to device
63 // code
64 &UnhideRequest, // Input Buffer to driver.
66 &UnhideRequest, // Output Buffer from driver.
68 // buffer in bytes.
69 &ReturnedLength, // Bytes placed in buffer.
70 NULL // synchronous call
71 );
72
73 if (!Status)
74 {
75 ShowMessages("ioctl failed with code 0x%x\n", GetLastError());
76 return FALSE;
77 }
78
80 {
81 ShowMessages("transparent debugging successfully disabled :)\n");
82 return TRUE;
83 }
84 else
85 {
86 ShowErrorMessage(UnhideRequest.KernelStatus);
87 return FALSE;
88 }
89}
#define IOCTL_DEBUGGER_HIDE_AND_UNHIDE_TO_TRANSPARENT_THE_DEBUGGER
ioctl, request to enable or disable transparent-mode
Definition Ioctls.h:178
#define SIZEOF_DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE
Definition RequestStructures.h:588
struct _DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE
request for enable or disable transparent-mode
UINT32 KernelStatus
Definition RequestStructures.h:613
BOOLEAN IsHide
Definition RequestStructures.h:597

◆ HyperDbgEnableTransparentMode()

BOOLEAN HyperDbgEnableTransparentMode ( UINT32 ProcessId,
CHAR * ProcessName,
BOOLEAN IsProcessId )

Enable transparent mode.

Parameters
ProcessId
ProcessName
IsProcessId
Returns
BOOLEAN
383{
384 return HyperDbgEnableTransparentModeEx(ProcessId, ProcessName, IsProcessId, 0);
385}
BOOLEAN HyperDbgEnableTransparentModeEx(UINT32 ProcessId, CHAR *ProcessName, BOOLEAN IsProcessId, UINT32 EvadeMask)
Enable transparent mode.
Definition hide.cpp:235

◆ HyperDbgEnableTransparentModeEx()

BOOLEAN HyperDbgEnableTransparentModeEx ( UINT32 ProcessId,
CHAR * ProcessName,
BOOLEAN IsProcessId,
UINT32 EvadeMask )

Enable transparent mode.

Parameters
ProcessId
ProcessName
IsProcessId
EvadeMask
Returns
BOOLEAN
236{
237 BOOLEAN Status;
238 ULONG ReturnedLength;
241 SIZE_T RequestBufferSize = 0;
242 UINT32 EffectiveEvadeMask = EvadeMask == 0 ? TRANSPARENT_EVADE_MASK_DEFAULT : EvadeMask;
243
244 //
245 // Check if debugger is loaded or not
246 //
247 // AssertShowMessageReturnStmt(g_IsVmmModuleLoaded, g_DeviceHandle, ASSERT_MESSAGE_VMM_NOT_LOADED, ASSERT_MESSAGE_DRIVER_NOT_LOADED, AssertReturnFalse);
248
249 //
250 // We wanna hide the debugger and make transparent vm-exits
251 //
252 if ((EffectiveEvadeMask & ~TRANSPARENT_EVADE_MASK_ALL) != 0)
253 {
254 ShowMessages("unknown transparent-mode evade mask bits\n");
255 return FALSE;
256 }
257
258 HideRequest.IsHide = TRUE;
259 HideRequest.EvadeMask = EffectiveEvadeMask;
260
261 HideRequest.TrueIfProcessIdAndFalseIfProcessName = IsProcessId;
262
263 if (IsProcessId)
264 {
265 //
266 // It's a process id
267 //
268 HideRequest.ProcId = (UINT32)ProcessId;
269
270 RequestBufferSize = sizeof(DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE);
271 }
272 else
273 {
274 //
275 // It's a process name
276 //
277 HideRequest.LengthOfProcessName = (UINT32)strlen(ProcessName) + 1;
278 RequestBufferSize = sizeof(DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE) + HideRequest.LengthOfProcessName;
279 }
280
281 if ((EffectiveEvadeMask & TRANSPARENT_EVADE_MASK_SYSCALL_HOOK) != 0 &&
283 {
284 ShowMessages("warning, failed to resolve one or more syscall numbers for transparent-mode\n");
285 return FALSE;
286 }
287
288 //
289 // Allocate the requested buffer
290 //
291 FinalRequestBuffer = (PDEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE)malloc(RequestBufferSize);
292
293 if (FinalRequestBuffer == NULL)
294 {
295 ShowMessages("insufficient space\n");
296 return FALSE;
297 }
298
299 //
300 // Zero the memory
301 //
302 RtlZeroMemory(FinalRequestBuffer, RequestBufferSize);
303
304 //
305 // Copy the buffer on the top of the final buffer
306 // to send the kernel
307 //
308 memcpy(FinalRequestBuffer, &HideRequest, sizeof(DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE));
309
310 //
311 // If it's a name then we should add it to the end of the buffer
312 //
313 if (!IsProcessId)
314 {
315 CHAR * ProcName = ProcessName;
316
317 memcpy(((UINT64 *)((UINT64)FinalRequestBuffer + sizeof(DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE))),
318 ProcName,
319 HideRequest.LengthOfProcessName);
320 }
321
322 //
323 // Send the request to the kernel
324 //
325 Status = DeviceIoControl(
326 g_DeviceHandle, // Handle to device
328 // code
329 FinalRequestBuffer, // Input Buffer to driver.
330 (DWORD)RequestBufferSize, // Input buffer length
331 FinalRequestBuffer, // Output Buffer from driver.
333 // buffer in bytes.
334 &ReturnedLength, // Bytes placed in buffer.
335 NULL // synchronous call
336 );
337
338 if (!Status)
339 {
340 ShowMessages("ioctl failed with code 0x%x\n", GetLastError());
341 free(FinalRequestBuffer);
342 return FALSE;
343 }
344
345 if (FinalRequestBuffer->KernelStatus == DEBUGGER_OPERATION_WAS_SUCCESSFUL)
346 {
347 ShowMessages("transparent debugging successfully enabled :)\n");
348 }
350 {
351 ShowMessages("unable to hide the debugger (transparent-debugging) :(\n");
352 free(FinalRequestBuffer);
353 return FALSE;
354 }
355 else
356 {
357 ShowMessages("unknown error occurred :(\n");
358 free(FinalRequestBuffer);
359 return FALSE;
360 }
361
362 //
363 // free the buffer
364 //
365 free(FinalRequestBuffer);
366
367 //
368 // It means the transparent mode enabled successfully
369 //
370 return TRUE;
371}
unsigned long DWORD
Definition BasicTypes.h:38
#define TRANSPARENT_EVADE_MASK_DEFAULT
Definition Constants.h:689
#define TRANSPARENT_EVADE_MASK_SYSCALL_HOOK
Transparent-mode feature mask.
Definition Constants.h:683
#define TRANSPARENT_EVADE_MASK_ALL
Definition Constants.h:687
#define DEBUGGER_ERROR_UNABLE_TO_HIDE_OR_UNHIDE_DEBUGGER
error, unable to hide the debugger and enter to transparent-mode
Definition ErrorCodes.h:87
struct _DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE * PDEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE
BOOLEAN CommandHideFillSystemCalls(SYSTEM_CALL_NUMBERS_INFORMATION *SyscallNumberDetails)
This function is called when the user wants to hide the fill system calls in the transparent mode bas...
Definition hide.cpp:53
SYSTEM_CALL_NUMBERS_INFORMATION SystemCallNumbersInformation
Definition RequestStructures.h:611
UINT32 EvadeMask
Definition RequestStructures.h:617
UINT32 LengthOfProcessName
Definition RequestStructures.h:609
BOOLEAN TrueIfProcessIdAndFalseIfProcessName
Definition RequestStructures.h:607
UINT32 ProcId
Definition RequestStructures.h:608

◆ HyperDbgGetIdtEntry()

BOOLEAN HyperDbgGetIdtEntry ( INTERRUPT_DESCRIPTOR_TABLE_ENTRIES_PACKETS * IdtPacket)

Send IDT entry requests.

Parameters
IdtPacket
Returns
VOID
47{
48 BOOL Status;
49 ULONG ReturnedLength;
50
52 {
53 //
54 // Send the request over serial kernel debugger
55 //
56 if (!KdSendQueryIdtPacketsToDebuggee(IdtPacket))
57 {
58 return FALSE;
59 }
60 else
61 {
62 return TRUE;
63 }
64 }
65 else
66 {
68
69 //
70 // Send IOCTL
71 //
72 Status = DeviceIoControl(
73 g_DeviceHandle, // Handle to device
74 IOCTL_QUERY_IDT_ENTRY, // IO Control Code (IOCTL)
75 IdtPacket, // Input Buffer to driver.
76 SIZEOF_INTERRUPT_DESCRIPTOR_TABLE_ENTRIES_PACKETS, // Input buffer length (not used in this case)
77 IdtPacket, // Output Buffer from driver.
78 SIZEOF_INTERRUPT_DESCRIPTOR_TABLE_ENTRIES_PACKETS, // Length of output buffer in bytes.
79 &ReturnedLength, // Bytes placed in buffer.
80 NULL // synchronous call
81 );
82
83 if (!Status)
84 {
85 ShowMessages("ioctl failed with code 0x%x\n", GetLastError());
86
87 return FALSE;
88 }
89
91 {
92 return TRUE;
93 }
94 else
95 {
96 //
97 // An err occurred, no results
98 //
100
101 return FALSE;
102 }
103 }
104}
#define IOCTL_QUERY_IDT_ENTRY
ioctl, to query the IDT entries
Definition Ioctls.h:375
#define SIZEOF_INTERRUPT_DESCRIPTOR_TABLE_ENTRIES_PACKETS
Debugger size of INTERRUPT_DESCRIPTOR_TABLE_ENTRIES_PACKETS.
Definition RequestStructures.h:1474
BOOLEAN KdSendQueryIdtPacketsToDebuggee(PINTERRUPT_DESCRIPTOR_TABLE_ENTRIES_PACKETS IdtRequest)
Send requests for IDT packet to the debuggee.
Definition kd.cpp:1135
UINT32 KernelStatus
Definition RequestStructures.h:1465

◆ HyperDbgGetIoApic()

BOOLEAN HyperDbgGetIoApic ( IO_APIC_ENTRY_PACKETS * IoApic)

Request to get I/O APIC.

Parameters
IolApic
Returns
BOOLEAN
39{
40 BOOLEAN IsUsingX2APIC; // not used since I/O APIC is accessed through memory (not MSR)
41
43 IoApic,
45 &IsUsingX2APIC);
46}
BOOLEAN CommandApicSendRequest(DEBUGGER_APIC_REQUEST_TYPE ApicType, PVOID ApicBuffer, UINT32 ExpectedRequestSize, PBOOLEAN IsUsingX2APIC)
Send APIC requests.
Definition apic.cpp:47
@ DEBUGGER_APIC_REQUEST_TYPE_READ_IO_APIC
Definition RequestStructures.h:1088
struct _IO_APIC_ENTRY_PACKETS IO_APIC_ENTRY_PACKETS
The structure of I/O APIC result packet in HyperDbg.

◆ HyperDbgGetLocalApic()

BOOLEAN HyperDbgGetLocalApic ( PLAPIC_PAGE LocalApic,
PBOOLEAN IsUsingX2APIC )

Request to get Local APIC.

Parameters
LocalApic
IsUsingX2APIC
Returns
BOOLEAN
170{
172 LocalApic,
173 sizeof(LAPIC_PAGE),
174 IsUsingX2APIC);
175}
@ DEBUGGER_APIC_REQUEST_TYPE_READ_LOCAL_APIC
Definition RequestStructures.h:1087
struct _LAPIC_PAGE LAPIC_PAGE
LAPIC structure and offsets.

◆ HyperDbgLbrdumpSendRequest()

BOOLEAN HyperDbgLbrdumpSendRequest ( HYPERTRACE_LBR_DUMP_PACKETS * LbrdumpRequest)

Send LBR dump requests.

Parameters
LbrdumpRequest
Returns
VOID
30{
31 BOOL Status;
32 ULONG ReturnedLength;
33
35 {
36 //
37 // Send the request over serial kernel debugger
38 //
40 {
41 return FALSE;
42 }
43 }
44 else
45 {
47
48 //
49 // Send IOCTL
50 //
51 Status = DeviceIoControl(
52 g_DeviceHandle, // Handle to device
53 IOCTL_PERFORM_HYPERTRACE_LBR_DUMP, // IO Control Code (IOCTL)
54 LbrdumpRequest, // Input Buffer to driver.
55 SIZEOF_HYPERTRACE_LBR_DUMP_PACKETS, // Input buffer length
56 LbrdumpRequest, // Output Buffer from driver.
57 SIZEOF_HYPERTRACE_LBR_DUMP_PACKETS, // Length of output buffer in bytes.
58 &ReturnedLength, // Bytes placed in buffer.
59 NULL // synchronous call
60 );
61
62 if (!Status)
63 {
64 ShowMessages("ioctl failed with code 0x%x\n", GetLastError());
65
66 return FALSE;
67 }
68 }
69
70 //
71 // Sending the request was successful
72 //
73 return TRUE;
74}
#define IOCTL_PERFORM_HYPERTRACE_LBR_DUMP
ioctl, to perform HyperTrace LBR dump
Definition Ioctls.h:414
#define SIZEOF_HYPERTRACE_LBR_DUMP_PACKETS
Debugger size of HYPERTRACE_LBR_DUMP_PACKETS.
Definition RequestStructures.h:1343
BOOLEAN KdSendHyperTraceLbrdumpPacketsToDebuggee(PHYPERTRACE_LBR_DUMP_PACKETS HyperTraceLbrdumpRequest, UINT32 ExpectedRequestSize)
Send requests for HyperTrace LBR dump packet to the debuggee.
Definition kd.cpp:1066
#define ASSERT_MESSAGE_HYPERTRACE_NOT_LOADED
Definition common.h:33
BOOLEAN g_IsHyperTraceModuleLoaded
shows whether the HyperTrace module is loaded or not
Definition lbrdump.cpp:19

◆ HyperDbgPerformPtOperation()

BOOLEAN HyperDbgPerformPtOperation ( HYPERTRACE_PT_OPERATION_PACKETS * PtRequest)

Request to perform an PT operation.

Parameters
PtRequest
Returns
BOOLEAN
135{
136 return CommandPtSendRequest(PtRequest);
137}
BOOLEAN CommandPtSendRequest(HYPERTRACE_PT_OPERATION_PACKETS *PtRequest)
Send PT requests.
Definition pt.cpp:71

◆ HyperDbgPerformSmiOperation()

BOOLEAN HyperDbgPerformSmiOperation ( SMI_OPERATION_PACKETS * SmiOperation)

Request to perform an SMI operation.

Parameters
SmiOperation
Returns
BOOLEAN
110{
111 return CommandSmiSendRequest(SmiOperation);
112}
BOOLEAN CommandSmiSendRequest(SMI_OPERATION_PACKETS *SmiOperationRequest)
Send SMI requests.
Definition smi.cpp:46

◆ HyperDbgPtMmapSendRequest()

BOOLEAN HyperDbgPtMmapSendRequest ( HYPERTRACE_PT_MMAP_PACKETS * MmapRequest)

Map the per-CPU PT output buffers into the current process.

On success MmapRequest->Cpus[0..NumCpus) hold one { UserVa, Size } per CPU, valid in this process until PT is disabled / flushed. Only meaningful in local (VMI) mode.

Parameters
MmapRequest
Returns
BOOLEAN
152{
153 BOOL Status;
154 ULONG ReturnedLength;
155
157 {
158 //
159 // The mmap surface maps into the caller's address space, which only
160 // makes sense in local mode (no remote-debuggee transport for it).
161 //
162 ShowMessages("err, PT mmap is only available in local (VMI) mode\n");
163 return FALSE;
164 }
165
167
168 Status = DeviceIoControl(
169 g_DeviceHandle, // Handle to device
170 IOCTL_PERFORM_HYPERTRACE_PT_MMAP, // IO Control Code (IOCTL)
171 MmapRequest, // Input Buffer to driver.
172 SIZEOF_HYPERTRACE_PT_MMAP_PACKETS, // Input buffer length
173 MmapRequest, // Output Buffer from driver.
174 SIZEOF_HYPERTRACE_PT_MMAP_PACKETS, // Length of output buffer in bytes.
175 &ReturnedLength, // Bytes placed in buffer.
176 NULL // synchronous call
177 );
178
179 if (!Status)
180 {
181 ShowMessages("ioctl failed with code 0x%x\n", GetLastError());
182 return FALSE;
183 }
184
185 return MmapRequest->KernelStatus == DEBUGGER_OPERATION_WAS_SUCCESSFUL;
186}
#define IOCTL_PERFORM_HYPERTRACE_PT_MMAP
ioctl, to map per-CPU HyperTrace PT output buffers into the calling user-mode process....
Definition Ioctls.h:429
#define SIZEOF_HYPERTRACE_PT_MMAP_PACKETS
Debugger size of HYPERTRACE_PT_MMAP_PACKETS.
Definition RequestStructures.h:1448
UINT32 KernelStatus
Definition RequestStructures.h:1438

◆ HyperDbgReadAllRegisters()

BOOLEAN HyperDbgReadAllRegisters ( GUEST_REGS * GuestRegisters,
GUEST_EXTRA_REGISTERS * ExtraRegisters )

Read all registers.

Parameters
GuestRegistersThe guest registers
ExtraRegistersThe extra registers
Returns
BOOLEAN Returns true if it was successful
176{
177 PGUEST_REGS Regs;
178 PGUEST_EXTRA_REGISTERS ExtraRegs;
180 UINT32 SizeOfRegState = 0;
181
182 //
183 // Calculate the size of the register state
184 //
185 SizeOfRegState = sizeof(DEBUGGEE_REGISTER_READ_DESCRIPTION) + sizeof(GUEST_REGS) + sizeof(GUEST_EXTRA_REGISTERS);
186
187 //
188 // Allocate memory for the register state
189 //
190 RegState = (DEBUGGEE_REGISTER_READ_DESCRIPTION *)malloc(SizeOfRegState);
191
192 //
193 // Check if the memory allocation was successful
194 //
195 if (RegState == NULL)
196 {
197 return FALSE;
198 }
199
200 //
201 // Set the register ID to show all registers
202 //
204
205 //
206 // Check whether a kernel debugger is connected or a user-mode debugger is active
207 //
209 {
210 if (!KdSendReadRegisterPacketToDebuggee(RegState, SizeOfRegState))
211 {
212 free(RegState);
213 return FALSE;
214 }
215 }
217 {
218 //
219 // It's stepping over user debugger
220 //
223 RegState,
224 SizeOfRegState))
225 {
226 free(RegState);
227 return FALSE;
228 }
229 }
230
232 {
233 //
234 // Copy the registers and extra registers to the output
235 //
236 Regs = (GUEST_REGS *)(((CHAR *)RegState) + sizeof(DEBUGGEE_REGISTER_READ_DESCRIPTION));
237 ExtraRegs = (GUEST_EXTRA_REGISTERS *)(((CHAR *)RegState) + sizeof(DEBUGGEE_REGISTER_READ_DESCRIPTION) + sizeof(GUEST_REGS));
238
239 if (GuestRegisters != NULL)
240 {
241 memcpy(GuestRegisters, Regs, sizeof(GUEST_REGS));
242 }
243
244 if (ExtraRegisters != NULL)
245 {
246 memcpy(ExtraRegisters, ExtraRegs, sizeof(GUEST_EXTRA_REGISTERS));
247 }
248 }
249 else
250 {
251 ShowErrorMessage(RegState->KernelStatus);
252 free(RegState);
253 return FALSE;
254 }
255
256 free(RegState);
257 return TRUE;
258}
struct GUEST_EXTRA_REGISTERS * PGUEST_EXTRA_REGISTERS
struct GUEST_REGS * PGUEST_REGS
#define DEBUGGEE_SHOW_ALL_REGISTERS
for reading all registers in r command.
Definition Constants.h:793
struct _DEBUGGEE_REGISTER_READ_DESCRIPTION DEBUGGEE_REGISTER_READ_DESCRIPTION
Register Descriptor Structure to use in r command.
BOOLEAN KdSendReadRegisterPacketToDebuggee(PDEBUGGEE_REGISTER_READ_DESCRIPTION RegDes, UINT32 RegBuffSize)
Send a read register packet to the debuggee.
Definition kd.cpp:527
UINT32 RegisterId
Definition RequestStructures.h:1617
UINT32 KernelStatus
Definition RequestStructures.h:1619
struct for extra registers
Definition BasicTypes.h:208
Definition BasicTypes.h:136
BOOLEAN UdSendReadRegisterToUserDebugger(UINT64 ProcessDetailToken, UINT32 TargetThreadId, PDEBUGGEE_REGISTER_READ_DESCRIPTION RegDes, UINT32 RegBuffSize)
Send the command to the user debugger.
Definition ud.cpp:1142

◆ HyperDbgReadTargetRegister()

BOOLEAN HyperDbgReadTargetRegister ( REGS_ENUM RegisterId,
UINT64 * TargetRegister )

Read target register.

Parameters
RegisterIdThe register ID
TargetRegisterThe value of the target register
Returns
BOOLEAN Returns true if it was successful
269{
271
272 //
273 // Set the register ID
274 //
275 RegState.RegisterId = (UINT32)RegisterId;
276
278 {
280 {
281 return FALSE;
282 }
283 }
285 {
286 //
287 // It's stepping over user debugger
288 //
291 &RegState,
293 {
294 return FALSE;
295 }
296 }
297
299 {
300 if (TargetRegister != NULL)
301 {
302 *TargetRegister = RegState.Value;
303 }
304 }
305 else
306 {
308 return FALSE;
309 }
310
311 return TRUE;
312}
UINT64 Value
Definition RequestStructures.h:1618

◆ HyperDbgRegisterShowAll()

BOOLEAN HyperDbgRegisterShowAll ( )

handler of r show all registers

Returns
BOOLEAN
355{
356 GUEST_REGS Regs = {0};
357 GUEST_EXTRA_REGISTERS ExtraRegs = {0};
358 RFLAGS Rflags = {0};
359
360 if (!HyperDbgReadAllRegisters(&Regs, &ExtraRegs))
361 {
362 return FALSE;
363 }
364
365 //
366 // Show the result of reading registers like rax=0000000000018b01
367 //
368 Rflags.AsUInt = ExtraRegs.RFLAGS;
369
370 ShowMessages(
371 "RAX=%016llx RBX=%016llx RCX=%016llx\n"
372 "RDX=%016llx RSI=% 016llx RDI=%016llx\n"
373 "RIP=%016llx RSP=%016llx RBP=%016llx\n"
374 "R8 =%016llx R9 =%016llx R10=%016llx\n"
375 "R11=%016llx R12=%016llx R13=%016llx\n"
376 "R14=%016llx R15=%016llx IOPL=%02x\n"
377 "%s %s %s %s\n%s %s %s %s\n"
378 "CS %04x SS %04x DS %04x ES %04x FS %04x GS %04x\n"
379 "RFLAGS=%016llx\n",
380 Regs.rax,
381 Regs.rbx,
382 Regs.rcx,
383 Regs.rdx,
384 Regs.rsi,
385 Regs.rdi,
386 ExtraRegs.RIP,
387 Regs.rsp,
388 Regs.rbp,
389 Regs.r8,
390 Regs.r9,
391 Regs.r10,
392 Regs.r11,
393 Regs.r12,
394 Regs.r13,
395 Regs.r14,
396 Regs.r15,
397 Rflags.IoPrivilegeLevel,
398 Rflags.OverflowFlag ? "OF 1" : "OF 0",
399 Rflags.DirectionFlag ? "DF 1" : "DF 0",
400 Rflags.InterruptEnableFlag ? "IF 1" : "IF 0",
401 Rflags.SignFlag ? "SF 1" : "SF 0",
402 Rflags.ZeroFlag ? "ZF 1" : "ZF 0",
403 Rflags.ParityFlag ? "PF 1" : "PF 0",
404 Rflags.CarryFlag ? "CF 1" : "CF 0",
405 Rflags.AuxiliaryCarryFlag ? "AXF 1" : "AXF 0",
406 ExtraRegs.CS,
407 ExtraRegs.SS,
408 ExtraRegs.DS,
409 ExtraRegs.ES,
410 ExtraRegs.FS,
411 ExtraRegs.GS,
412 ExtraRegs.RFLAGS);
413
414 return TRUE;
415}
BOOLEAN HyperDbgReadAllRegisters(GUEST_REGS *GuestRegisters, GUEST_EXTRA_REGISTERS *ExtraRegisters)
Read all registers.
Definition r.cpp:175
UINT16 FS
Definition BasicTypes.h:211
UINT16 ES
Definition BasicTypes.h:213
UINT64 RFLAGS
Definition BasicTypes.h:215
UINT64 RIP
Definition BasicTypes.h:216
UINT16 DS
Definition BasicTypes.h:210
UINT16 SS
Definition BasicTypes.h:214
UINT16 GS
Definition BasicTypes.h:212
UINT16 CS
Definition BasicTypes.h:209
UINT64 rsp
Definition BasicTypes.h:145
UINT64 r14
Definition BasicTypes.h:155
UINT64 r15
Definition BasicTypes.h:156
UINT64 rdi
Definition BasicTypes.h:148
UINT64 rax
Definition BasicTypes.h:141
UINT64 r12
Definition BasicTypes.h:153
UINT64 r13
Definition BasicTypes.h:154
UINT64 r9
Definition BasicTypes.h:150
UINT64 r8
Definition BasicTypes.h:149
UINT64 rbp
Definition BasicTypes.h:146
UINT64 rbx
Definition BasicTypes.h:144
UINT64 r10
Definition BasicTypes.h:151
UINT64 rcx
Definition BasicTypes.h:142
UINT64 rsi
Definition BasicTypes.h:147
UINT64 r11
Definition BasicTypes.h:152
UINT64 rdx
Definition BasicTypes.h:143

◆ HyperDbgRegisterShowTargetRegister()

BOOLEAN HyperDbgRegisterShowTargetRegister ( REGS_ENUM RegisterId)

handler of r show the target register

Parameters
RegisterIdThe register ID
Returns
BOOLEAN Returns true if it was successful
425{
426 UINT64 TargetRegister = 0;
427
428 //
429 // Read target register
430 //
431 if (!HyperDbgReadTargetRegister(RegisterId, &TargetRegister))
432 {
433 return FALSE;
434 }
435
436 ShowMessages("%s=%016llx\n",
437 RegistersNames[RegisterId],
438 TargetRegister);
439
440 return TRUE;
441}
BOOLEAN HyperDbgReadTargetRegister(REGS_ENUM RegisterId, UINT64 *TargetRegister)
Read target register.
Definition r.cpp:268

◆ HyperDbgWriteMemory()

BOOLEAN HyperDbgWriteMemory ( PVOID DestinationAddress,
DEBUGGER_EDIT_MEMORY_TYPE MemoryType,
UINT32 ProcessId,
PVOID SourceAddress,
UINT32 NumberOfBytes )

API function for writing the memory content.

Parameters
AddressToEdit
MemoryType
ProcessId
SourceAddress
NumberOfBytes
Returns
BOOLEAN
201{
202 UINT32 RequiredBytes = 0;
204 UINT64 * TargetBuffer;
205 UINT32 FinalSize = 0;
206 BOOLEAN Result = FALSE;
207 BYTE * BufferToEdit = (BYTE *)SourceAddress;
208
209 //
210 // Set the byte size to byte granularity
211 //
212 ByteSize = EDIT_BYTE;
213
214 //
215 // Calculate the count of 64 chunks
216 //
217 RequiredBytes = NumberOfBytes * sizeof(UINT64);
218
219 //
220 // Allocate structure + buffer
221 //
222 TargetBuffer = (UINT64 *)malloc(RequiredBytes);
223
224 if (!TargetBuffer)
225 {
226 return FALSE;
227 }
228
229 //
230 // Zero the buffer
231 //
232 ZeroMemory(TargetBuffer, FinalSize);
233
234 //
235 // Copy requested memory in 64bit chunks
236 //
237 for (SIZE_T i = 0; i < NumberOfBytes; i++)
238 {
239 TargetBuffer[i] = BufferToEdit[i];
240 }
241
242 //
243 // Perform the write operation
244 //
245 Result = WriteMemoryContent((UINT64)DestinationAddress,
246 MemoryType,
247 ByteSize,
248 ProcessId,
250 TargetBuffer);
251
252 //
253 // Free the malloc buffer
254 //
255 free(TargetBuffer);
256
257 return Result;
258}
POOL_TYPE SIZE_T NumberOfBytes
Definition Hooks.h:88
unsigned char BYTE
Definition BasicTypes.h:40
@ EDIT_BYTE
Definition RequestStructures.h:492
enum _DEBUGGER_EDIT_MEMORY_BYTE_SIZE DEBUGGER_EDIT_MEMORY_BYTE_SIZE
size of editing memory
BOOLEAN WriteMemoryContent(UINT64 AddressToEdit, DEBUGGER_EDIT_MEMORY_TYPE MemoryType, DEBUGGER_EDIT_MEMORY_BYTE_SIZE ByteSize, UINT32 Pid, UINT32 CountOf64Chunks, UINT64 *BufferToEdit)
Perform writing the memory content.
Definition e.cpp:66

◆ HyperDbgWriteTargetRegister()

BOOLEAN HyperDbgWriteTargetRegister ( REGS_ENUM RegisterId,
UINT64 Value )

Write target register.

Parameters
RegisterIdThe register ID
ValueThe value of the target register
Returns
BOOLEAN Returns true if it was successful
323{
325
326 //
327 // Set the register ID
328 //
329 RegState.RegisterId = (UINT32)RegisterId;
330 RegState.Value = Value;
331
333 {
334 return FALSE;
335 }
336
338 {
339 return TRUE;
340 }
341 else
342 {
344 return FALSE;
345 }
346}
struct _DEBUGGEE_REGISTER_WRITE_DESCRIPTION DEBUGGEE_REGISTER_WRITE_DESCRIPTION
Register Descriptor Structure to write on registers.
BOOLEAN KdSendWriteRegisterPacketToDebuggee(PDEBUGGEE_REGISTER_WRITE_DESCRIPTION RegDes)
Send a write register packet to the debuggee.
Definition kd.cpp:562
UINT64 Value
Definition RequestStructures.h:1632
UINT32 RegisterId
Definition RequestStructures.h:1631
UINT32 KernelStatus
Definition RequestStructures.h:1633

◆ InterpretGeneralEventAndActionsFields()

BOOLEAN InterpretGeneralEventAndActionsFields ( vector< CommandToken > * CommandTokens,
VMM_EVENT_TYPE_ENUM EventType,
PDEBUGGER_GENERAL_EVENT_DETAIL * EventDetailsToFill,
PUINT32 EventBufferLength,
PDEBUGGER_GENERAL_ACTION * ActionDetailsToFillBreakToDebugger,
PUINT32 ActionBufferLengthBreakToDebugger,
PDEBUGGER_GENERAL_ACTION * ActionDetailsToFillCustomCode,
PUINT32 ActionBufferLengthCustomCode,
PDEBUGGER_GENERAL_ACTION * ActionDetailsToFillScript,
PUINT32 ActionBufferLengthScript,
PDEBUGGER_EVENT_PARSING_ERROR_CAUSE ReasonForErrorInParsing )

Interpret general event fields.

Parameters
CommandTokensthe command tokens
EventTypetype of event
EventDetailsToFilla pointer address that will be filled by event detail buffer
EventBufferLengtha pointer the receives the buffer length of the event
ActionDetailsToFilla pointer address that will be filled by action detail buffer
ActionBufferLengtha pointer the receives the buffer length of the action
ReasonForErrorInParsingreason that interpretation failed, null if the returns true
Returns
BOOLEAN If this function returns true then it means that there was no error in parsing the general event details
1748{
1749 BOOLEAN Result = FALSE;
1751 PDEBUGGER_GENERAL_ACTION TempActionBreak = NULL;
1752 PDEBUGGER_GENERAL_ACTION TempActionScript = NULL;
1753 PDEBUGGER_GENERAL_ACTION TempActionCustomCode = NULL;
1755 UINT32 LengthOfCustomCodeActionBuffer = 0;
1756 UINT32 LengthOfScriptActionBuffer = 0;
1757 UINT32 LengthOfBreakActionBuffer = 0;
1758 UINT64 ConditionBufferAddress;
1759 UINT32 ConditionBufferLength = 0;
1760 vector<string> ListOfOutputSources;
1761 UINT64 CodeBufferAddress;
1762 UINT32 CodeBufferLength = 0;
1763 UINT64 ScriptBufferAddress;
1764 UINT64 ScriptCodeBuffer = 0;
1765 BOOLEAN HasScriptSyntaxError = 0;
1766 UINT32 ScriptBufferLength = 0;
1767 UINT32 ScriptBufferPointer = 0;
1768 UINT32 LengthOfEventBuffer = 0;
1769 string CommandString;
1770 BOOLEAN IsAShortCircuitingEventByDefault = FALSE;
1771 BOOLEAN HasConditionBuffer = FALSE;
1772 BOOLEAN HasOutputPath = FALSE;
1773 BOOLEAN HasCodeBuffer = FALSE;
1774 BOOLEAN HasScript = FALSE;
1775 BOOLEAN IsNextCommandPid = FALSE;
1776 BOOLEAN IsNextCommandCoreId = FALSE;
1777 BOOLEAN IsNextCommandBufferSize = FALSE;
1778 BOOLEAN IsNextCommandImmediateMessaging = FALSE;
1779 BOOLEAN IsNextCommandExecutionStage = FALSE;
1780 BOOLEAN IsNextCommandSc = FALSE;
1781 BOOLEAN ImmediateMessagePassing = UseImmediateMessagingByDefaultOnEvents;
1782 UINT32 CoreId;
1783 UINT32 ProcessId;
1784 UINT32 IndexOfValidSourceTags;
1785 UINT32 RequestBuffer = 0;
1786 PLIST_ENTRY TempList;
1787 BOOLEAN OutputSourceFound;
1788 vector<INT> IndexesToRemove;
1789 vector<UINT64> ListOfValidSourceTags;
1790 INT NewIndexToRemove = 0;
1791 INT Index = 0;
1792
1793 //
1794 // Create a command string to show in the history
1795 //
1796 for (auto Section : *CommandTokens)
1797 {
1798 CommandString.append(GetCaseSensitiveStringFromCommandToken(Section));
1799 CommandString.append(" ");
1800 }
1801
1802 //
1803 // Compute the size of buffer + 1 null for the end of buffer
1804 //
1805 UINT64 BufferOfCommandStringLength = CommandString.size() + 1;
1806
1807 //
1808 // Allocate Buffer and zero for command to the buffer
1809 //
1810 PVOID BufferOfCommandString = malloc(BufferOfCommandStringLength);
1811
1812 PlatformZeroMemory(BufferOfCommandString, BufferOfCommandStringLength);
1813
1814 //
1815 // Copy the string to the buffer
1816 //
1817 memcpy(BufferOfCommandString, CommandString.c_str(), CommandString.size());
1818
1819 //
1820 // Check if there is a condition buffer in the command
1821 //
1822 if (!InterpretConditionsAndCodes(CommandTokens, TRUE, &ConditionBufferAddress, &ConditionBufferLength))
1823 {
1824 //
1825 // Indicate condition is not available
1826 //
1827 HasConditionBuffer = FALSE;
1828
1829 /* ShowMessages("\nNo condition!\n"); */
1830 }
1831 else
1832 {
1833 //
1834 // Indicate condition is available
1835 //
1836 HasConditionBuffer = TRUE;
1837
1838 /*
1839 ShowMessages(
1840 "\n========================= Condition =========================\n");
1841
1842 ShowMessages(
1843 "\nUINT64 DebuggerCheckForCondition(PGUEST_REGS Regs_RCX, PVOID "
1844 "Context_RDX)\n{\n");
1845
1846 //
1847 // Disassemble the buffer
1848 //
1849 HyperDbgDisassembler64((UCHAR *)ConditionBufferAddress, 0x0,
1850 ConditionBufferLength);
1851
1852 ShowMessages("}\n\n");
1853
1854 ShowMessages(
1855 "=============================================================\n");
1856 */
1857 }
1858
1859 //
1860 // Check if there is a code buffer in the command
1861 //
1862 if (!InterpretConditionsAndCodes(CommandTokens, FALSE, &CodeBufferAddress, &CodeBufferLength))
1863 {
1864 //
1865 // Indicate code is not available
1866 //
1867 HasCodeBuffer = FALSE;
1868 //
1869 // ShowMessages("\nNo custom code!\n");
1870 //
1871 }
1872 else
1873 {
1874 //
1875 // Indicate code is available
1876 //
1877 HasCodeBuffer = TRUE;
1878
1879 /*
1880 ShowMessages(
1881 "\n========================= Code =========================\n");
1882 ShowMessages("\nPVOID DebuggerRunCustomCodeFunc(PVOID "
1883 "PreAllocatedBufferAddress_RCX, "
1884 "PGUEST_REGS Regs_RDX, PVOID Context_R8)\n{\n");
1885
1886 //
1887 // Disassemble the buffer
1888 //
1889 HyperDbgDisassembler64((UCHAR *)CodeBufferAddress, 0x0,
1890 CodeBufferLength);
1891
1892 ShowMessages("}\n\n");
1893
1894 ShowMessages(
1895 "=============================================================\n");
1896 */
1897 }
1898
1899 //
1900 // Check if there is a Script block in the command
1901 //
1902 if (!InterpretScript(CommandTokens,
1903 &HasScriptSyntaxError,
1904 &ScriptBufferAddress,
1905 &ScriptBufferLength,
1906 &ScriptBufferPointer,
1907 &ScriptCodeBuffer))
1908 {
1909 //
1910 // Indicate code is not available
1911 //
1912 HasScript = FALSE;
1913 //
1914 // ShowMessages("\nNo script!\n");
1915 //
1916 }
1917 else
1918 {
1919 //
1920 // Check if there is a syntax error
1921 //
1922 if (HasScriptSyntaxError)
1923 {
1924 free(BufferOfCommandString);
1925
1927 return FALSE;
1928 }
1929
1930 //
1931 // Indicate code is available
1932 //
1933 HasScript = TRUE;
1934 }
1935
1936 //
1937 // Check if there is a output path in the command
1938 //
1939 if (!InterpretOutput(CommandTokens, ListOfOutputSources))
1940 {
1941 //
1942 // Indicate output is not available
1943 //
1944 HasOutputPath = FALSE;
1945
1946 //
1947 // ShowMessages("\nNo condition!\n");
1948 //
1949 }
1950 else
1951 {
1952 //
1953 // Check for empty input
1954 //
1955 if (ListOfOutputSources.size() == 0)
1956 {
1957 //
1958 // No input !
1959 //
1960 free(BufferOfCommandString);
1961
1962 ShowMessages("err, no input found\n");
1963 *ReasonForErrorInParsing = DEBUGGER_EVENT_PARSING_ERROR_CAUSE_NO_INPUT;
1964 return FALSE;
1965 }
1966
1967 //
1968 // Check whether the size exceed maximum size or not
1969 //
1970 if (ListOfOutputSources.size() > DebuggerOutputSourceMaximumRemoteSourceForSingleEvent)
1971 {
1972 free(BufferOfCommandString);
1973
1974 ShowMessages(
1975 "err, based on this build of HyperDbg, the maximum input sources for "
1976 "a single event is 0x%x sources but you entered 0x%x sources\n",
1978 ListOfOutputSources.size());
1980 return FALSE;
1981 }
1982
1983 //
1984 // Check whether the output source initialized or not
1985 //
1987 {
1988 free(BufferOfCommandString);
1989
1990 ShowMessages("err, the name you entered, not found. Did you use "
1991 "'output' command to create it?\n");
1993 return FALSE;
1994 }
1995
1996 //
1997 // Convert output sources to the corresponding tags
1998 //
1999 for (auto item : ListOfOutputSources)
2000 {
2001 TempList = 0;
2002 OutputSourceFound = FALSE;
2003
2004 //
2005 // Now we should find the corresponding object in the list
2006 // of output sources and save its tags
2007 //
2008 TempList = &g_OutputSources;
2009
2010 while (&g_OutputSources != TempList->Flink)
2011 {
2012 TempList = TempList->Flink;
2013
2014 PDEBUGGER_EVENT_FORWARDING CurrentOutputSourceDetails = CONTAINING_RECORD(TempList, DEBUGGER_EVENT_FORWARDING, OutputSourcesList);
2015
2016 if (strcmp(CurrentOutputSourceDetails->Name,
2017 RemoveSpaces(item).c_str()) == 0)
2018 {
2019 //
2020 // Check to see the source state, whether it is closed or not
2021 //
2022 if (CurrentOutputSourceDetails->State == EVENT_FORWARDING_CLOSED)
2023 {
2024 free(BufferOfCommandString);
2025
2026 ShowMessages("err, output source already closed\n");
2028 return FALSE;
2029 }
2030
2031 //
2032 // Check to see the source state, whether it is opened or not
2033 //
2034 if (CurrentOutputSourceDetails->State == EVENT_FORWARDING_STATE_NOT_OPENED)
2035 {
2036 //
2037 // Just show a message
2038 //
2039 ShowMessages("some of the output(s) are not opened, it's not an error, but please ensure "
2040 "to open the output using the 'output' command to forward the results to the "
2041 "target resource\n");
2042 }
2043
2044 //
2045 // Indicate that we found this item
2046 //
2047 OutputSourceFound = TRUE;
2048
2049 //
2050 // Save the tag into a list which will be used later
2051 //
2052 ListOfValidSourceTags.push_back(
2053 CurrentOutputSourceDetails->OutputUniqueTag);
2054
2055 //
2056 // No need to search through the list anymore
2057 //
2058 break;
2059 }
2060 }
2061
2062 if (!OutputSourceFound)
2063 {
2064 free(BufferOfCommandString);
2065
2066 ShowMessages("err, the name you entered, not found. Did you use "
2067 "'output' command to create it?\n");
2069 return FALSE;
2070 }
2071 }
2072 //
2073 // Indicate output is available
2074 //
2075 HasOutputPath = TRUE;
2076 }
2077
2078 //
2079 // Create action and event based on previously parsed buffers
2080 // (DEBUGGER_GENERAL_ACTION)
2081 //
2082 // Allocate the buffer (with ConditionBufferLength and CodeBufferLength)
2083 //
2084
2085 /*
2086
2087 Layout of Buffer :
2088
2089 ________________________________
2090 | |
2091 | DEBUGGER_GENERAL_EVENT_DETAIL |
2092 | |
2093 |________________________________|
2094 | |
2095 | Condition Buffer |
2096 | |
2097 |________________________________|
2098
2099 */
2100
2101 /*
2102 ________________________________
2103 | |
2104 | DEBUGGER_GENERAL_ACTION |
2105 | |
2106 |________________________________|
2107 | |
2108 | Condition Custom Code |
2109 | or Script Buffer |
2110 |________________________________|
2111
2112 */
2113
2114 LengthOfEventBuffer = sizeof(DEBUGGER_GENERAL_EVENT_DETAIL) + ConditionBufferLength;
2115
2116 TempEvent = (PDEBUGGER_GENERAL_EVENT_DETAIL)malloc(LengthOfEventBuffer);
2117 PlatformZeroMemory(TempEvent, LengthOfEventBuffer);
2118
2119 //
2120 // Check if buffer is available
2121 //
2122 if (TempEvent == NULL)
2123 {
2124 ShowMessages("err, allocation error\n");
2125 *ReasonForErrorInParsing = DEBUGGER_EVENT_PARSING_ERROR_CAUSE_ALLOCATION_ERROR;
2126 goto ReturnWithError;
2127 }
2128
2129 //
2130 // Event is enabled by default when created
2131 //
2132 TempEvent->IsEnabled = TRUE;
2133
2134 //
2135 // Get a new tag for it
2136 //
2137 TempEvent->Tag = GetNewDebuggerEventTag();
2138
2139 //
2140 // Set the core Id and Process Id to all cores and all
2141 // processes, next time we check whether the user needs
2142 // a special core or a special process then we change it
2143 //
2145
2146 if (g_ActiveProcessDebuggingState.IsActive)
2147 {
2148 ShowMessages("notice: as you're debugging a user-mode application, "
2149 "this event will only trigger on your current debugging process "
2150 "(pid:%x). If you want the event from the entire system, "
2151 "add 'pid all' to the event\n\n",
2153
2154 TempEvent->ProcessId = g_ActiveProcessDebuggingState.ProcessId;
2155 }
2156 else
2157 {
2159 }
2160
2161 //
2162 // Set the event type
2163 //
2164 TempEvent->EventType = EventType;
2165
2166 //
2167 // Set buffer string command
2168 //
2169 TempEvent->CommandStringBuffer = BufferOfCommandString;
2170
2171 //
2172 // Fill the buffer of condition for event
2173 //
2174 if (HasConditionBuffer)
2175 {
2176 memcpy((PVOID)((UINT64)TempEvent + sizeof(DEBUGGER_GENERAL_EVENT_DETAIL)),
2177 (PVOID)ConditionBufferAddress,
2178 ConditionBufferLength);
2179
2180 //
2181 // Set the size of the buffer for event condition
2182 //
2183 TempEvent->ConditionBufferSize = ConditionBufferLength;
2184 }
2185
2186 //
2187 // Fill the buffer of custom code for action
2188 //
2189 if (HasCodeBuffer)
2190 {
2191 //
2192 // Allocate the Action (THIS ACTION BUFFER WILL BE FREED WHEN WE SENT IT TO
2193 // THE KERNEL AND RETURNED FROM THE KERNEL AS WE DON'T NEED IT ANYMORE)
2194 //
2195 LengthOfCustomCodeActionBuffer = sizeof(DEBUGGER_GENERAL_ACTION) + CodeBufferLength;
2196
2197 TempActionCustomCode = (PDEBUGGER_GENERAL_ACTION)malloc(LengthOfCustomCodeActionBuffer);
2198
2199 PlatformZeroMemory(TempActionCustomCode, LengthOfCustomCodeActionBuffer);
2200
2201 memcpy(
2202 (PVOID)((UINT64)TempActionCustomCode + sizeof(DEBUGGER_GENERAL_ACTION)),
2203 (PVOID)CodeBufferAddress,
2204 CodeBufferLength);
2205 //
2206 // Set the action Tag
2207 //
2208 TempActionCustomCode->EventTag = TempEvent->Tag;
2209
2210 //
2211 // Set the action type
2212 //
2213 TempActionCustomCode->ActionType = RUN_CUSTOM_CODE;
2214
2215 //
2216 // Set the action buffer size
2217 //
2218 TempActionCustomCode->CustomCodeBufferSize = CodeBufferLength;
2219
2220 //
2221 // Increase the count of actions
2222 //
2223 TempEvent->CountOfActions = TempEvent->CountOfActions + 1;
2224 }
2225
2226 //
2227 // Fill the buffer of script for action
2228 //
2229 if (HasScript)
2230 {
2231 //
2232 // Allocate the Action (THIS ACTION BUFFER WILL BE FREED WHEN WE SENT IT TO
2233 // THE KERNEL AND RETURNED FROM THE KERNEL AS WE DON'T NEED IT ANYMORE)
2234 //
2235 LengthOfScriptActionBuffer = sizeof(DEBUGGER_GENERAL_ACTION) + ScriptBufferLength;
2236 TempActionScript = (PDEBUGGER_GENERAL_ACTION)malloc(LengthOfScriptActionBuffer);
2237
2238 PlatformZeroMemory(TempActionScript, LengthOfScriptActionBuffer);
2239
2240 memcpy((PVOID)((UINT64)TempActionScript + sizeof(DEBUGGER_GENERAL_ACTION)),
2241 (PVOID)ScriptBufferAddress,
2242 ScriptBufferLength);
2243 //
2244 // Set the action Tag
2245 //
2246 TempActionScript->EventTag = TempEvent->Tag;
2247
2248 //
2249 // Set the action type
2250 //
2251 TempActionScript->ActionType = RUN_SCRIPT;
2252
2253 //
2254 // Set the action buffer size and pointer
2255 //
2256 TempActionScript->ScriptBufferSize = ScriptBufferLength;
2257 TempActionScript->ScriptBufferPointer = ScriptBufferPointer;
2258
2259 //
2260 // Increase the count of actions
2261 //
2262 TempEvent->CountOfActions = TempEvent->CountOfActions + 1;
2263
2264 //
2265 // Free the buffer of script related functions
2266 //
2268 }
2269
2270 //
2271 // If this action didn't contain a buffer for custom code and
2272 // a buffer for script then it's a break to debugger
2273 //
2274 if (!HasCodeBuffer && !HasScript)
2275 {
2276 //
2277 // Allocate the Action (THIS ACTION BUFFER WILL BE FREED WHEN WE SENT IT TO
2278 // THE KERNEL AND RETURNED FROM THE KERNEL AS WE DON'T NEED IT ANYMORE)
2279 //
2280 LengthOfBreakActionBuffer = sizeof(DEBUGGER_GENERAL_ACTION);
2281
2282 TempActionBreak = (PDEBUGGER_GENERAL_ACTION)malloc(LengthOfBreakActionBuffer);
2283
2284 PlatformZeroMemory(TempActionBreak, LengthOfBreakActionBuffer);
2285
2286 //
2287 // Set the action Tag
2288 //
2289 TempActionBreak->EventTag = TempEvent->Tag;
2290
2291 //
2292 // Set the action type
2293 //
2294 TempActionBreak->ActionType = BREAK_TO_DEBUGGER;
2295
2296 //
2297 // Increase the count of actions
2298 //
2299 TempEvent->CountOfActions = TempEvent->CountOfActions + 1;
2300 }
2301
2302 //
2303 // Interpret rest of the command
2304 //
2305 for (auto Section : *CommandTokens)
2306 {
2307 Index++;
2308
2309 if (IsNextCommandBufferSize)
2310 {
2311 if (!ConvertTokenToUInt32(Section, &RequestBuffer))
2312 {
2313 ShowMessages("err, buffer size is invalid\n");
2314 *ReasonForErrorInParsing = DEBUGGER_EVENT_PARSING_ERROR_CAUSE_FORMAT_ERROR;
2315 goto ReturnWithError;
2316 }
2317 else
2318 {
2319 //
2320 // Set the specific requested buffer size
2321 //
2322 if (TempActionBreak != NULL)
2323 {
2324 TempActionBreak->PreAllocatedBuffer = RequestBuffer;
2325 }
2326 if (TempActionScript != NULL)
2327 {
2328 TempActionScript->PreAllocatedBuffer = RequestBuffer;
2329 }
2330 if (TempActionCustomCode != NULL)
2331 {
2332 TempActionCustomCode->PreAllocatedBuffer = RequestBuffer;
2333 }
2334 }
2335 IsNextCommandBufferSize = FALSE;
2336
2337 //
2338 // Add index to remove it from the command
2339 //
2340 IndexesToRemove.push_back(Index);
2341
2342 continue;
2343 }
2344
2345 if (IsNextCommandImmediateMessaging)
2346 {
2347 if (CompareLowerCaseStrings(Section, "yes"))
2348 {
2349 ImmediateMessagePassing = TRUE;
2350 }
2351 else if (CompareLowerCaseStrings(Section, "no"))
2352 {
2353 ImmediateMessagePassing = FALSE;
2354 }
2355 else
2356 {
2357 //
2358 // err, not token recognized error
2359 //
2360
2361 ShowMessages("err, immediate messaging token is invalid\n");
2362 *ReasonForErrorInParsing = DEBUGGER_EVENT_PARSING_ERROR_CAUSE_FORMAT_ERROR;
2363 goto ReturnWithError;
2364 }
2365
2366 IsNextCommandImmediateMessaging = FALSE;
2367
2368 //
2369 // Add index to remove it from the command
2370 //
2371 IndexesToRemove.push_back(Index);
2372
2373 continue;
2374 }
2375
2376 if (IsNextCommandExecutionStage)
2377 {
2378 if (CompareLowerCaseStrings(Section, "pre"))
2379 {
2381 }
2382 else if (CompareLowerCaseStrings(Section, "post"))
2383 {
2385 }
2386 else if (CompareLowerCaseStrings(Section, "all"))
2387 {
2389 }
2390 else
2391 {
2392 //
2393 // err, not token recognized error
2394 //
2395
2396 ShowMessages("err, the specified execution mode is invalid; you can either choose 'pre' or 'post'\n");
2397 *ReasonForErrorInParsing = DEBUGGER_EVENT_PARSING_ERROR_CAUSE_FORMAT_ERROR;
2398 goto ReturnWithError;
2399 }
2400
2401 IsNextCommandExecutionStage = FALSE;
2402
2403 //
2404 // Add index to remove it from the command
2405 //
2406 IndexesToRemove.push_back(Index);
2407
2408 continue;
2409 }
2410
2411 if (IsNextCommandSc)
2412 {
2413 if (CompareLowerCaseStrings(Section, "on"))
2414 {
2415 IsAShortCircuitingEventByDefault = TRUE;
2416 }
2417 else if (CompareLowerCaseStrings(Section, "off"))
2418 {
2419 IsAShortCircuitingEventByDefault = FALSE;
2420 }
2421 else
2422 {
2423 //
2424 // err, not token recognized error
2425 //
2426
2427 ShowMessages("err, the specified short-circuiting state is invalid; you can either choose 'on' or 'off'\n");
2428 *ReasonForErrorInParsing = DEBUGGER_EVENT_PARSING_ERROR_CAUSE_FORMAT_ERROR;
2429 goto ReturnWithError;
2430 }
2431
2432 IsNextCommandSc = FALSE;
2433
2434 //
2435 // Add index to remove it from the command
2436 //
2437 IndexesToRemove.push_back(Index);
2438
2439 continue;
2440 }
2441
2442 if (IsNextCommandPid)
2443 {
2444 if (CompareLowerCaseStrings(Section, "all"))
2445 {
2447 }
2448 else if (!ConvertTokenToUInt32(Section, &ProcessId))
2449 {
2450 ShowMessages("err, pid is invalid\n");
2451 *ReasonForErrorInParsing = DEBUGGER_EVENT_PARSING_ERROR_CAUSE_FORMAT_ERROR;
2452
2453 goto ReturnWithError;
2454 }
2455 else
2456 {
2457 //
2458 // Set the specific process id
2459 //
2460 TempEvent->ProcessId = ProcessId;
2461 }
2462
2463 IsNextCommandPid = FALSE;
2464
2465 //
2466 // Add index to remove it from the command
2467 //
2468 IndexesToRemove.push_back(Index);
2469
2470 continue;
2471 }
2472
2473 if (IsNextCommandCoreId)
2474 {
2475 if (!ConvertTokenToUInt32(Section, &CoreId))
2476 {
2477 ShowMessages("err, core id is invalid\n");
2478 *ReasonForErrorInParsing = DEBUGGER_EVENT_PARSING_ERROR_CAUSE_FORMAT_ERROR;
2479 goto ReturnWithError;
2480 }
2481 else
2482 {
2483 //
2484 // Set the specific core id
2485 //
2486 TempEvent->CoreId = CoreId;
2487 }
2488 IsNextCommandCoreId = FALSE;
2489
2490 //
2491 // Add index to remove it from the command
2492 //
2493 IndexesToRemove.push_back(Index);
2494
2495 continue;
2496 }
2497
2498 if (CompareLowerCaseStrings(Section, "pid"))
2499 {
2500 IsNextCommandPid = TRUE;
2501
2502 //
2503 // Add index to remove it from the command
2504 //
2505 IndexesToRemove.push_back(Index);
2506
2507 continue;
2508 }
2509 if (CompareLowerCaseStrings(Section, "core"))
2510 {
2511 IsNextCommandCoreId = TRUE;
2512
2513 //
2514 // Add index to remove it from the command
2515 //
2516 IndexesToRemove.push_back(Index);
2517
2518 continue;
2519 }
2520
2521 if (CompareLowerCaseStrings(Section, "imm"))
2522 {
2523 //
2524 // the next command is immediate messaging indicator
2525 //
2526 IsNextCommandImmediateMessaging = TRUE;
2527
2528 //
2529 // Add index to remove it from the command
2530 //
2531 IndexesToRemove.push_back(Index);
2532
2533 continue;
2534 }
2535
2536 if (CompareLowerCaseStrings(Section, "stage"))
2537 {
2538 //
2539 // the next command is execution mode (pre- and post-events)
2540 //
2541 IsNextCommandExecutionStage = TRUE;
2542
2543 //
2544 // Add index to remove it from the command
2545 //
2546 IndexesToRemove.push_back(Index);
2547
2548 continue;
2549 }
2550
2551 if (CompareLowerCaseStrings(Section, "sc"))
2552 {
2553 //
2554 // the next command is the default short-circuiting state
2555 //
2556 IsNextCommandSc = TRUE;
2557
2558 //
2559 // Add index to remove it from the command
2560 //
2561 IndexesToRemove.push_back(Index);
2562
2563 continue;
2564 }
2565
2566 if (CompareLowerCaseStrings(Section, "buffer"))
2567 {
2568 IsNextCommandBufferSize = TRUE;
2569
2570 //
2571 // Add index to remove it from the command
2572 //
2573 IndexesToRemove.push_back(Index);
2574
2575 continue;
2576 }
2577 }
2578
2579 //
2580 // Additional validation
2581 //
2582 if (IsNextCommandCoreId)
2583 {
2584 ShowMessages("err, please specify a value for 'core'\n");
2585
2586 *ReasonForErrorInParsing = DEBUGGER_EVENT_PARSING_ERROR_CAUSE_FORMAT_ERROR;
2587
2588 goto ReturnWithError;
2589 }
2590
2591 if (IsNextCommandPid)
2592 {
2593 ShowMessages("err, please specify a value for 'pid'\n");
2594
2595 *ReasonForErrorInParsing = DEBUGGER_EVENT_PARSING_ERROR_CAUSE_FORMAT_ERROR;
2596
2597 goto ReturnWithError;
2598 }
2599
2600 if (IsNextCommandBufferSize)
2601 {
2602 ShowMessages("err, please specify a value for 'buffer'\n");
2603
2604 *ReasonForErrorInParsing = DEBUGGER_EVENT_PARSING_ERROR_CAUSE_FORMAT_ERROR;
2605
2606 goto ReturnWithError;
2607 }
2608
2609 if (IsNextCommandImmediateMessaging)
2610 {
2611 ShowMessages("err, please specify a value for 'imm'\n");
2612
2613 *ReasonForErrorInParsing = DEBUGGER_EVENT_PARSING_ERROR_CAUSE_FORMAT_ERROR;
2614
2615 goto ReturnWithError;
2616 }
2617
2618 if (IsNextCommandExecutionStage)
2619 {
2620 ShowMessages("err, please specify a value for 'stage'\n");
2621
2622 *ReasonForErrorInParsing = DEBUGGER_EVENT_PARSING_ERROR_CAUSE_FORMAT_ERROR;
2623
2624 goto ReturnWithError;
2625 }
2626
2627 if (IsNextCommandSc)
2628 {
2629 ShowMessages("err, please specify a value for 'sc'\n");
2630
2631 *ReasonForErrorInParsing = DEBUGGER_EVENT_PARSING_ERROR_CAUSE_FORMAT_ERROR;
2632
2633 goto ReturnWithError;
2634 }
2635
2636 //
2637 // Check to make sure that short-circuiting is not used in post-events
2638 //
2641 IsAShortCircuitingEventByDefault)
2642 {
2643 ShowMessages(
2644 "err, using the short-circuiting mechanism with 'post' or 'all' stage events "
2645 "doesn't make sense; it's not supported!\n");
2646
2648
2649 goto ReturnWithError;
2650 }
2651
2652 //
2653 // It's not possible to break to debugger in VMI-mode
2654 //
2655 if (!g_IsSerialConnectedToRemoteDebuggee && TempActionBreak != NULL)
2656 {
2657 ShowMessages(
2658 "err, the script or assembly code is either not found or invalid. "
2659 "As a result, the default action is to break. "
2660 "However, breaking to the debugger is not possible in the VMI Mode. "
2661 "To achieve full control of the system, you can switch to the Debugger Mode. "
2662 "In the VMI Mode, you can still use scripts and run custom code for local debugging."
2663 "For more information, please check: https://docs.hyperdbg.org/using-hyperdbg/prerequisites/operation-modes\n");
2664
2666
2667 goto ReturnWithError;
2668 }
2669
2670 //
2671 // We do not support non-immediate message passing if the user
2672 // specified a special output
2673 //
2674 if (!ImmediateMessagePassing && HasOutputPath)
2675 {
2676 ShowMessages("err, non-immediate message passing is not supported in "
2677 "'output-forwarding mode'\n");
2678
2680
2681 goto ReturnWithError;
2682 }
2683
2684 //
2685 // Set the specific requested immediate message passing
2686 //
2687 if (TempActionBreak != NULL)
2688 {
2689 TempActionBreak->ImmediateMessagePassing = ImmediateMessagePassing;
2690 }
2691 if (TempActionScript != NULL)
2692 {
2693 TempActionScript->ImmediateMessagePassing = ImmediateMessagePassing;
2694 }
2695 if (TempActionCustomCode != NULL)
2696 {
2697 TempActionCustomCode->ImmediateMessagePassing = ImmediateMessagePassing;
2698 }
2699
2700 //
2701 // Set the tags into the event list
2702 //
2703 IndexOfValidSourceTags = 0;
2704 for (auto item : ListOfValidSourceTags)
2705 {
2706 TempEvent->OutputSourceTags[IndexOfValidSourceTags] = item;
2707
2708 //
2709 // Increase index
2710 //
2711 IndexOfValidSourceTags++;
2712 }
2713
2714 //
2715 // If it has output then we should indicate it in event's object
2716 //
2717 if (HasOutputPath)
2718 {
2719 TempEvent->HasCustomOutput = TRUE;
2720 }
2721
2722 //
2723 // Set the specific requested short-circuiting state
2724 //
2725 if (IsAShortCircuitingEventByDefault)
2726 {
2727 TempEvent->EnableShortCircuiting = TRUE;
2728 }
2729
2730 //
2731 // Set the specific event mode (calling stage)
2732 //
2733 TempEvent->EventStage = CallingStage;
2734
2735 //
2736 // Fill the address and length of event before release
2737 //
2738 *EventDetailsToFill = TempEvent;
2739 *EventBufferLength = LengthOfEventBuffer;
2740
2741 //
2742 // Fill the address and length of action before release
2743 //
2744 if (TempActionBreak != NULL)
2745 {
2746 *ActionDetailsToFillBreakToDebugger = TempActionBreak;
2747 *ActionBufferLengthBreakToDebugger = LengthOfBreakActionBuffer;
2748 }
2749 if (TempActionScript != NULL)
2750 {
2751 *ActionDetailsToFillScript = TempActionScript;
2752 *ActionBufferLengthScript = LengthOfScriptActionBuffer;
2753 }
2754 if (TempActionCustomCode != NULL)
2755 {
2756 *ActionDetailsToFillCustomCode = TempActionCustomCode;
2757 *ActionBufferLengthCustomCode = LengthOfCustomCodeActionBuffer;
2758 }
2759
2760 //
2761 // Remove the command that we interpreted above from the command
2762 //
2763 for (auto IndexToRemove : IndexesToRemove)
2764 {
2765 NewIndexToRemove++;
2766 CommandTokens->erase(CommandTokens->begin() + (IndexToRemove - NewIndexToRemove));
2767 }
2768
2769 //
2770 // Check if list is initialized or not
2771 //
2773 {
2774 InitializeListHead(&g_EventTrace);
2776 }
2777
2778 //
2779 // Add the event to the trace list
2780 // UPDATE : if we add it here, then if the event was not
2781 // successful then still the event shows this event, so
2782 // we have to add it lated
2783 //
2784 // InsertHeadList(&g_EventTrace, &(TempEvent->CommandsEventList));
2785
2786 //
2787 // Everything is ok, let's return TRUE
2788 //
2790 return TRUE;
2791
2792ReturnWithError:
2793
2794 if (BufferOfCommandString)
2795 {
2796 free(BufferOfCommandString);
2797 }
2798
2799 if (TempEvent)
2800 {
2801 free(TempEvent);
2802 }
2803
2804 if (TempActionBreak != NULL)
2805 {
2806 free(TempActionBreak);
2807 }
2808 if (TempActionScript != NULL)
2809 {
2810 free(TempActionScript);
2811 }
2812 if (TempActionCustomCode != NULL)
2813 {
2814 free(TempActionCustomCode);
2815 }
2816
2817 return FALSE;
2818}
#define UseImmediateMessagingByDefaultOnEvents
Use immediate messaging (means that it sends each message when they received and do not accumulate th...
Definition Configuration.h:57
VOID PlatformZeroMemory(PVOID Destination, SIZE_T Size)
Zeros a memory block.
Definition PlatformMem.c:155
int INT
Definition BasicTypes.h:43
#define DEBUGGER_EVENT_APPLY_TO_ALL_CORES
Apply the event to all the cores.
Definition Constants.h:739
#define DebuggerOutputSourceMaximumRemoteSourceForSingleEvent
Determines how many sources a debugger can have for a single event.
Definition Constants.h:251
#define DEBUGGER_EVENT_APPLY_TO_ALL_PROCESSES
Apply the event to all the processes.
Definition Constants.h:745
enum _VMM_CALLBACK_EVENT_CALLING_STAGE_TYPE VMM_CALLBACK_EVENT_CALLING_STAGE_TYPE
Type of calling the event.
@ VMM_CALLBACK_CALLING_STAGE_ALL_EVENT_EMULATION
Definition DataTypes.h:128
@ VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION
Definition DataTypes.h:126
@ VMM_CALLBACK_CALLING_STAGE_POST_EVENT_EMULATION
Definition DataTypes.h:127
@ RUN_CUSTOM_CODE
Definition Events.h:187
@ BREAK_TO_DEBUGGER
Definition Events.h:185
@ RUN_SCRIPT
Definition Events.h:186
struct _DEBUGGER_GENERAL_ACTION DEBUGGER_GENERAL_ACTION
Each event can have multiple actions.
struct _DEBUGGER_GENERAL_ACTION * PDEBUGGER_GENERAL_ACTION
std::string GetCaseSensitiveStringFromCommandToken(CommandToken TargetToken)
Get case sensitive string from command token.
Definition common.cpp:467
BOOLEAN CompareLowerCaseStrings(CommandToken TargetToken, const CHAR *StringToCompare)
Compare lower case strings.
Definition common.cpp:503
BOOLEAN ConvertTokenToUInt32(CommandToken TargetToken, PUINT32 Result)
check and convert command token to a 32 bit unsigned integer
Definition common.cpp:546
std::string RemoveSpaces(std::string str)
Remove all the spaces in a string.
Definition common.cpp:727
BOOLEAN InterpretOutput(vector< CommandToken > *CommandTokens, vector< string > &InputSources)
Interpret output (if an event has special output).
Definition debugger.cpp:1254
BOOLEAN InterpretConditionsAndCodes(vector< CommandToken > *CommandTokens, BOOLEAN IsConditionBuffer, PUINT64 BufferAddress, PUINT32 BufferLength)
Interpret conditions (if an event has condition) and custom code.
Definition debugger.cpp:1025
BOOLEAN InterpretScript(vector< CommandToken > *CommandTokens, PBOOLEAN ScriptSyntaxErrors, PUINT64 BufferAddress, PUINT32 BufferLength, PUINT32 Pointer, PUINT64 ScriptCodeBuffer)
Interpret script (if an event has script).
Definition debugger.cpp:867
UINT64 GetNewDebuggerEventTag()
Get the New Debugger Event Tag object and increase the global variable for tag.
Definition debugger.cpp:1676
struct _DEBUGGER_EVENT_FORWARDING DEBUGGER_EVENT_FORWARDING
structures hold the detail of event forwarding
@ EVENT_FORWARDING_CLOSED
Definition forwarding.h:55
@ EVENT_FORWARDING_STATE_NOT_OPENED
Definition forwarding.h:53
struct _DEBUGGER_EVENT_FORWARDING * PDEBUGGER_EVENT_FORWARDING
LIST_ENTRY g_OutputSources
Holds a list of output sources created by output command.
Definition globals.h:427
BOOLEAN g_OutputSourcesInitialized
it shows whether the debugger started using output sources or not or in other words,...
Definition globals.h:418
VOID ScriptEngineWrapperRemoveSymbolBuffer(PVOID SymbolBuffer)
wrapper for removing symbol buffer
Definition script-engine-wrapper.cpp:841
DEBUGGER_EVENT_FORWARDING_STATE State
Definition forwarding.h:82
CHAR Name[MAXIMUM_CHARACTERS_FOR_EVENT_FORWARDING_NAME]
Definition forwarding.h:89
UINT64 OutputUniqueTag
Definition forwarding.h:86
UINT32 CustomCodeBufferSize
Definition Events.h:419
UINT32 ScriptBufferSize
Definition Events.h:420
DEBUGGER_EVENT_ACTION_TYPE_ENUM ActionType
Definition Events.h:415
UINT32 ScriptBufferPointer
Definition Events.h:421
UINT32 PreAllocatedBuffer
Definition Events.h:417
BOOLEAN ImmediateMessagePassing
Definition Events.h:416
UINT64 EventTag
Definition Events.h:414
BOOLEAN EnableShortCircuiting
Definition Events.h:371
BOOLEAN IsEnabled
Definition Events.h:369
VMM_EVENT_TYPE_ENUM EventType
Definition Events.h:394
UINT32 CountOfActions
Definition Events.h:391
BOOLEAN HasCustomOutput
Definition Events.h:377
UINT64 OutputSourceTags[DebuggerOutputSourceMaximumRemoteSourceForSingleEvent]
Definition Events.h:382
VMM_CALLBACK_EVENT_CALLING_STAGE_TYPE EventStage
Definition Events.h:374
UINT32 ConditionBufferSize
Definition Events.h:400
UINT32 ProcessId
Definition Events.h:365
UINT32 CoreId
Definition Events.h:362

◆ IsConnectedToAnyInstanceOfDebuggerOrDebuggee()

BOOLEAN IsConnectedToAnyInstanceOfDebuggerOrDebuggee ( )

Shows whether the debugger is connected to a debugger or debuggee connected to a debugger.

we use this function to avoid connecting to a remote machine when debuggee or debugger is already connected to an instance

Returns
BOOLEAN
774{
775 if (g_DeviceHandle)
776 {
777 ShowMessages("err, the current system is already connected to the local "
778 "debugging, use '.disconnect' to disconnect\n");
779 return TRUE;
780 }
782 {
783 ShowMessages("err, the current system is already connected to remote "
784 "machine (debuggee), use '.disconnect' to disconnect from the "
785 "remote machine\n");
786 return TRUE;
787 }
789 {
790 ShowMessages("err, the current system is already connected to remote "
791 "machine (debugger), use '.disconnect' to disconnect from the "
792 "remote machine from debugger\n");
793 return TRUE;
794 }
796 {
797 ShowMessages(
798 "err, the current system is already connected to remote "
799 "machine (debuggee), use '.debug close' to disconnect from the "
800 "remote machine\n");
801 return TRUE;
802 }
804 {
805 ShowMessages(
806 "err, the current system is already connected to remote "
807 "machine (debugger), use '.debug close' to disconnect from the "
808 "remote machine from debugger\n");
809 return TRUE;
810 }
811
812 return FALSE;
813}
BOOLEAN g_IsConnectedToRemoteDebugger
Shows whether the current system is a guest (debuggee) and a remote debugger is connected to this sys...
Definition globals.h:103

◆ IsTagExist()

BOOLEAN IsTagExist ( UINT64 Tag)

Check whether the tag exists or not, if the tag is DEBUGGER_MODIFY_EVENTS_APPLY_TO_ALL_TAG then if we find just one event, it also means that the tag is found.

Parameters
Tag
Returns
BOOLEAN
825{
826 PLIST_ENTRY TempList = 0;
827 PDEBUGGER_GENERAL_EVENT_DETAIL CommandDetail = {0};
828
830 {
831 return FALSE;
832 }
833
834 TempList = &g_EventTrace;
835 while (&g_EventTrace != TempList->Blink)
836 {
837 TempList = TempList->Blink;
838
839 CommandDetail = CONTAINING_RECORD(TempList, DEBUGGER_GENERAL_EVENT_DETAIL, CommandsEventList);
840
841 if (CommandDetail->Tag == Tag || Tag == DEBUGGER_MODIFY_EVENTS_APPLY_TO_ALL_TAG)
842 {
843 return TRUE;
844 }
845 }
846
847 //
848 // Not found
849 //
850 return FALSE;
851}

◆ ListeningSerialPauseDebuggeeThread()

DWORD WINAPI ListeningSerialPauseDebuggeeThread ( PVOID Param)

Check if the remote debugger needs to pause the system.

Parameters
SerialHandle
Returns
BOOLEAN
1628{
1629 //
1630 // Create a listening thead in debuggee
1631 //
1633
1634 return 0;
1635}
BOOLEAN ListeningSerialPortInDebuggee()
Check if the remote debugger needs to pause the system.
Definition kernel-listening.cpp:1437

◆ ListeningSerialPauseDebuggerThread()

DWORD WINAPI ListeningSerialPauseDebuggerThread ( PVOID Param)

Check if the remote debuggee needs to pause the system.

Parameters
Param
Returns
BOOLEAN
1611{
1612 //
1613 // Create a listening thead in debugger
1614 //
1616
1617 return 0;
1618}
BOOLEAN ListeningSerialPortInDebugger()
Check if the remote debuggee needs to pause the system and also process the debuggee's messages.
Definition kernel-listening.cpp:42

◆ LogopenSaveToFile()

VOID LogopenSaveToFile ( const CHAR * Text)

Append text to the file object.

Parameters
Text
Returns
VOID
111{
112 g_LogOpenFile << Text;
113}
ofstream g_LogOpenFile
The object of log file ('.logopen' command).
Definition globals.h:494

◆ RegisterActionToEvent()

BOOLEAN RegisterActionToEvent ( PDEBUGGER_GENERAL_EVENT_DETAIL Event,
PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger,
UINT32 ActionBreakToDebuggerLength,
PDEBUGGER_GENERAL_ACTION ActionCustomCode,
UINT32 ActionCustomCodeLength,
PDEBUGGER_GENERAL_ACTION ActionScript,
UINT32 ActionScriptLength )

Register the action to the event.

Parameters
Eventthe event instance buffer
ActionBreakToDebuggerthe action of breaking into the debugger
ActionBreakToDebuggerLengththe action of breaking into the debugger (length)
ActionCustomCodethe action of custom code
ActionCustomCodeLengththe action of custom code (length)
ActionScriptthe action of script buffer
ActionScriptLengththe action of script buffer (length)
Returns
BOOLEAN BOOLEAN if the request was successful then true if the request was not successful then false
1490{
1491 BOOL Status;
1492 ULONG ReturnedLength;
1493 DEBUGGER_EVENT_AND_ACTION_RESULT ReturnedBuffer = {0};
1494 PDEBUGGER_EVENT_AND_ACTION_RESULT TempAddingResult;
1495
1497 {
1498 //
1499 // It's action(s) in debugger mode
1500 //
1501
1502 //
1503 // Send Break to debugger packet to debuggee
1504 //
1505 if (ActionBreakToDebugger != NULL)
1506 {
1507 //
1508 // Send the add action to event from here
1509 //
1510 TempAddingResult = KdSendAddActionToEventPacketToDebuggee(
1511 ActionBreakToDebugger,
1512 ActionBreakToDebuggerLength);
1513
1514 //
1515 // Move the buffer to local buffer
1516 //
1517 memcpy(&ReturnedBuffer, TempAddingResult, sizeof(DEBUGGER_EVENT_AND_ACTION_RESULT));
1518 }
1519
1520 //
1521 // Send custom code packet to debuggee
1522 //
1523 if (ActionCustomCode != NULL)
1524 {
1525 //
1526 // Send the add action to event from here
1527 //
1528 TempAddingResult = KdSendAddActionToEventPacketToDebuggee(
1529 ActionCustomCode,
1530 ActionCustomCodeLength);
1531
1532 //
1533 // Move the buffer to local buffer
1534 //
1535 memcpy(&ReturnedBuffer, TempAddingResult, sizeof(DEBUGGER_EVENT_AND_ACTION_RESULT));
1536 }
1537
1538 //
1539 // Send custom code packet to debuggee
1540 //
1541 if (ActionScript != NULL)
1542 {
1543 //
1544 // Send the add action to event from here
1545 //
1546 TempAddingResult = KdSendAddActionToEventPacketToDebuggee(
1547 ActionScript,
1548 ActionScriptLength);
1549
1550 //
1551 // Move the buffer to local buffer
1552 //
1553 memcpy(&ReturnedBuffer, TempAddingResult, sizeof(DEBUGGER_EVENT_AND_ACTION_RESULT));
1554 }
1555 }
1556 else
1557 {
1558 //
1559 // It's either a local debugger to in vmi-mode remote connection
1560 //
1562
1563 //
1564 // Send IOCTLs
1565 //
1566
1567 //
1568 // Send Break to debugger ioctl
1569 //
1570 if (ActionBreakToDebugger != NULL)
1571 {
1572 Status = PlatformDeviceIoControl(
1573 g_DeviceHandle, // Handle to device
1574 IOCTL_DEBUGGER_ADD_ACTION_TO_EVENT, // IO Control Code (IOCTL)
1575 ActionBreakToDebugger, // Input Buffer to driver.
1576 ActionBreakToDebuggerLength, // Input buffer length
1577 &ReturnedBuffer, // Output Buffer from driver.
1578 sizeof(DEBUGGER_EVENT_AND_ACTION_RESULT), // Length
1579 // of
1580 // output
1581 // buffer
1582 // in
1583 // bytes.
1584 &ReturnedLength, // Bytes placed in buffer.
1585 NULL // synchronous call
1586 );
1587
1588 if (!Status)
1589 {
1590 ShowMessages("ioctl failed with code 0x%x\n", PlatformGetLastError());
1591 return FALSE;
1592 }
1593 }
1594
1595 //
1596 // Send custom code ioctl
1597 //
1598 if (ActionCustomCode != NULL)
1599 {
1600 Status = PlatformDeviceIoControl(
1601 g_DeviceHandle, // Handle to device
1602 IOCTL_DEBUGGER_ADD_ACTION_TO_EVENT, // IO Control Code (IOCTL)
1603 ActionCustomCode, // Input Buffer to driver.
1604 ActionCustomCodeLength, // Input buffer length
1605 &ReturnedBuffer, // Output Buffer from driver.
1606 sizeof(DEBUGGER_EVENT_AND_ACTION_RESULT), // Length
1607 // of
1608 // output
1609 // buffer
1610 // in
1611 // bytes.
1612 &ReturnedLength, // Bytes placed in buffer.
1613 NULL // synchronous call
1614 );
1615
1616 if (!Status)
1617 {
1618 ShowMessages("ioctl failed with code 0x%x\n", PlatformGetLastError());
1619 return FALSE;
1620 }
1621 }
1622
1623 //
1624 // Send custom code ioctl
1625 //
1626 if (ActionScript != NULL)
1627 {
1628 Status = PlatformDeviceIoControl(
1629 g_DeviceHandle, // Handle to device
1630 IOCTL_DEBUGGER_ADD_ACTION_TO_EVENT, // IO Control Code (IOCTL)
1631 ActionScript, // Input Buffer to driver.
1632 ActionScriptLength, // Input buffer length
1633 &ReturnedBuffer, // Output Buffer from driver.
1634 sizeof(DEBUGGER_EVENT_AND_ACTION_RESULT), // Length
1635 // of
1636 // output
1637 // buffer
1638 // in
1639 // bytes.
1640 &ReturnedLength, // Bytes placed in buffer.
1641 NULL // synchronous call
1642 );
1643
1644 if (!Status)
1645 {
1646 ShowMessages("ioctl failed with code 0x%x\n", PlatformGetLastError());
1647 return FALSE;
1648 }
1649 }
1650 }
1651
1652 //
1653 // As we're not needing any of action buffer, we'll free all of the
1654 // here in the case of a successful registration of action, however
1655 // event detail is needed for the 'event' command's list
1656 //
1657 FreeEventsAndActionsMemory(NULL, ActionBreakToDebugger, ActionCustomCode, ActionScript);
1658
1659 //
1660 // Now, we'll register the command as returned buffer shows that
1661 // this event was successful and now we can add it to the list of
1662 // events
1663 //
1664 InsertHeadList(&g_EventTrace, &(Event->CommandsEventList));
1665
1666 return TRUE;
1667}
struct _DEBUGGER_EVENT_AND_ACTION_RESULT * PDEBUGGER_EVENT_AND_ACTION_RESULT
struct _DEBUGGER_EVENT_AND_ACTION_RESULT DEBUGGER_EVENT_AND_ACTION_RESULT
Status of register buffers.
#define IOCTL_DEBUGGER_ADD_ACTION_TO_EVENT
ioctl, add action to event
Definition Ioctls.h:171
VOID FreeEventsAndActionsMemory(PDEBUGGER_GENERAL_EVENT_DETAIL Event, PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger, PDEBUGGER_GENERAL_ACTION ActionCustomCode, PDEBUGGER_GENERAL_ACTION ActionScript)
Deallocate buffers relating to events and actions.
Definition debugger.cpp:1688
PDEBUGGER_EVENT_AND_ACTION_RESULT KdSendAddActionToEventPacketToDebuggee(PDEBUGGER_GENERAL_ACTION GeneralAction, UINT32 GeneralActionLength)
Send an add action to event request to the debuggee.
Definition kd.cpp:737
LIST_ENTRY CommandsEventList
Definition Events.h:359

◆ SendEventToKernel()

BOOLEAN SendEventToKernel ( PDEBUGGER_GENERAL_EVENT_DETAIL Event,
UINT32 EventBufferLength )

Register the event to the kernel.

Parameters
Eventthe event structure to send
EventBufferLengththe buffer length of event
Returns
BOOLEAN if the request was successful then true if the request was not successful then false
1369{
1370 BOOL Status;
1371 ULONG ReturnedLength;
1372 DEBUGGER_EVENT_AND_ACTION_RESULT ReturnedBuffer = {0};
1374
1376 {
1377 //
1378 // It's a debugger, we should send the events buffer directly
1379 // from here
1380 //
1381
1382 //
1383 // Send the buffer from here
1384 //
1385 TempRegResult = KdSendRegisterEventPacketToDebuggee(Event, EventBufferLength);
1386
1387 //
1388 // Move the buffer to local buffer
1389 //
1390 memcpy(&ReturnedBuffer, TempRegResult, sizeof(DEBUGGER_EVENT_AND_ACTION_RESULT));
1391 }
1392 else
1393 {
1394 //
1395 // It's either a debuggee or a local debugging instance
1396 //
1398
1399 //
1400 // Send IOCTL
1401 //
1402
1403 Status = PlatformDeviceIoControl(g_DeviceHandle, // Handle to device
1404 IOCTL_DEBUGGER_REGISTER_EVENT, // IO Control Code (IOCTL)
1405 Event, // Input Buffer to driver.
1406 EventBufferLength, // Input buffer length
1407 &ReturnedBuffer, // Output Buffer from driver.
1408 sizeof(DEBUGGER_EVENT_AND_ACTION_RESULT), // Length
1409 // of
1410 // output
1411 // buffer
1412 // in
1413 // bytes.
1414 &ReturnedLength, // Bytes placed in buffer.
1415 NULL // synchronous call
1416 );
1417
1418 if (!Status)
1419 {
1420 ShowMessages("ioctl failed with code 0x%x\n", PlatformGetLastError());
1421 return FALSE;
1422 }
1423 }
1424
1425 if (ReturnedBuffer.IsSuccessful && ReturnedBuffer.Error == 0)
1426 {
1427 //
1428 // Check for auto-unpause mode
1429 //
1431 {
1432 //
1433 // Allow debugger to show its contents
1434 //
1435
1436 //
1437 // Set the g_BreakPrintingOutput to FALSE
1438 //
1440
1441 //
1442 // If it's a remote debugger then we send the remote debuggee a 'g'
1443 //
1445 {
1446 RemoteConnectionSendCommand("g", (UINT32)strlen("g") + 1);
1447 }
1448
1449 ShowMessages("\n");
1450 }
1451 }
1452 else
1453 {
1454 //
1455 // Show the error
1456 //
1457 if (ReturnedBuffer.Error != 0)
1458 {
1459 ShowErrorMessage(ReturnedBuffer.Error);
1460 }
1461
1462 return FALSE;
1463 }
1464
1465 return TRUE;
1466}
#define IOCTL_DEBUGGER_REGISTER_EVENT
ioctl, register an event
Definition Ioctls.h:164
PDEBUGGER_EVENT_AND_ACTION_RESULT KdSendRegisterEventPacketToDebuggee(PDEBUGGER_GENERAL_EVENT_DETAIL Event, UINT32 EventBufferLength)
Send a register event request to the debuggee.
Definition kd.cpp:670
UINT32 Error
Definition Events.h:434
BOOLEAN IsSuccessful
Definition Events.h:433

◆ ShowErrorMessage()

BOOLEAN ShowErrorMessage ( UINT32 Error)

shows the error message

Parameters
Error
Returns
BOOLEAN
41{
42 switch (Error)
43 {
45 ShowMessages("err, tag not found (%x)\n",
46 Error);
47 break;
48
50 ShowMessages("err, invalid action type (%x)\n",
51 Error);
52 break;
53
55 ShowMessages("err, action buffer size is zero (%x)\n",
56 Error);
57 break;
58
60 ShowMessages("err, the event type is invalid (%x)\n",
61 Error);
62 break;
63
65 ShowMessages("err, unable to create event (%x)\n",
66 Error);
67 break;
68
70
71 ShowMessages("err, invalid address (%x)\n"
72 "address may be paged-out or unavailable on the page table due to 'demand paging'\n"
73 "please refer to https://docs.hyperdbg.org/tips-and-tricks/considerations/accessing-invalid-address for further information\n",
74 Error);
75 break;
76
78 ShowMessages("err, invalid core id (%x)\n",
79 Error);
80 break;
81
83 ShowMessages("err, exception index exceed first 32 entries (%x)\n",
84 Error);
85 break;
86
88 ShowMessages("err, interrupt index is not valid (%x)\n",
89 Error);
90 break;
91
93 ShowMessages("err, unable to hide or unhide debugger and entr the transparent mode (%x)\n",
94 Error);
95 break;
96
98 ShowMessages("err, debugger already hidden in the transparent mode (%x)\n",
99 Error);
100 break;
101
103 ShowMessages("err, edit memory request has invalid parameters (%x)\n",
104 Error);
105 break;
106
108 ShowMessages("err, edit memory request has invalid address based on "
109 "current process layout, the address might be valid but not "
110 "present in the ram (%x)\n"
111 "address may be paged-out or unavailable on the page table due to 'demand paging'\n"
112 "please refer to https://docs.hyperdbg.org/tips-and-tricks/considerations/accessing-invalid-address for further information\n",
113 Error);
114 break;
115
117 ShowMessages("err, edit memory request has invalid address based on other "
118 "process layout (%x)\n",
119 Error);
120 break;
121
123 ShowMessages("err, modify event with invalid tag (%x)\n",
124 Error);
125 break;
126
128 ShowMessages("err, modify event with invalid type of action (%x)\n",
129 Error);
130 break;
131
133 ShowMessages("err, invalid parameter passed to stepping core. (%x)\n",
134 Error);
135 break;
136
138 ShowMessages(
139 "err, the target thread not found or the thread is disabled (%x)\n",
140 Error);
141 break;
142
144 ShowMessages("err, invalid baud rate (%x)\n",
145 Error);
146 break;
147
149 ShowMessages("err, invalid serial port (%x)\n",
150 Error);
151 break;
152
154 ShowMessages("err, invalid core selected in switching cores (%x)\n",
155 Error);
156 break;
157
159 ShowMessages("err, unable to switch to the new process (%x)\n",
160 Error);
161 break;
162
164 ShowMessages("err, unable to run the script on remote debuggee (%x)\n",
165 Error);
166 break;
167
169 ShowMessages("err, invalid register number (%x)\n",
170 Error);
171 break;
172
174 ShowMessages("err, maximum number of breakpoints are used, you need to "
175 "send an ioctl to re-allocate new pre-allocated buffers or "
176 "configure HyperDbg to pre-allocated more buffers by "
177 "configuring MAXIMUM_BREAKPOINTS_WITHOUT_CONTINUE (%x)\n",
178 Error);
179 break;
180
182 ShowMessages("err, breakpoint already exists on target address, you can "
183 "use 'bl' command to view a list of breakpoints (%x)\n",
184 Error);
185 break;
186
188 ShowMessages("err, breakpoint id is invalid (%x)\n",
189 Error);
190 break;
191
193 ShowMessages("err, breakpoint already disabled (%x)\n",
194 Error);
195 break;
196
198 ShowMessages("err, breakpoint already enabled (%x)\n",
199 Error);
200 break;
201
203 ShowMessages("err, the memory type is invalid (%x)\n",
204 Error);
205 break;
206
208 ShowMessages("err, the process id is invalid, make sure to enter the "
209 "process id in hex format, or if you want to use it in decimal "
210 "format, add '0n' prefix to the number (%x)\n",
211 Error);
212 break;
213
215 ShowMessages("err, the event is not applied (%x)\n",
216 Error);
217 break;
218
220 ShowMessages("err, either the process id or the _EPROCESS is invalid or "
221 "cannot get the details based on the provided parameters (%x)\n",
222 Error);
223 break;
224
226 ShowMessages("err, either the thread id, _ETHREAD, or _EPROCESS is invalid or "
227 "cannot get the details based on the provided parameters (%x)\n",
228 Error);
229 break;
230
232 ShowMessages("err, the maximum breakpoint for a single page is hit, "
233 "you cannot apply more breakpoints in this page (%x)\n"
234 "please refer to https://docs.hyperdbg.org/tips-and-tricks/misc/customize-build/number-of-ept-hooks-in-one-page"
235 " for further information\n",
236 Error);
237 break;
238
240 ShowMessages("err, the pre-allocated buffer is empty, usually this buffer will be "
241 "filled at the next IOCTL when the debugger is continued (%x)\n"
242 "please visit the documentation for the 'prealloc' command or use "
243 "'.help prealloc' to to reserve more pre-allocated pools\n",
244 Error);
245 break;
246
248 ShowMessages("err, could not convert 2MB large page to 4KB pages "
249 "(maybe pre-allocated buffers are empty?) (%x)\n",
250 Error);
251 break;
252
254 ShowMessages("err, failed to get the PML1 entry of the target address (%x)\n",
255 Error);
256 break;
257
259 ShowMessages("err, the page modification is not applied, make sure that you don't "
260 "put multiple EPT Hooks or Monitors on a single page (%x)\n",
261 Error);
262 break;
263
265 ShowMessages("err, could not build the EPT hook (%x)\n",
266 Error);
267 break;
268
270 ShowMessages("err, could not find the allocation type (%x)\n",
271 Error);
272 break;
273
275 ShowMessages("err, invalid index specified for test query command (%x)\n",
276 Error);
277 break;
278
280 ShowMessages("err, unable to attach to the target process (%x)\n",
281 Error);
282 break;
283
285 ShowMessages("err, unable to remove hooks as the entrypoint of user-mode "
286 "process is not reached yet (%x)\n",
287 Error);
288 break;
289
291 ShowMessages("err, unable to remove hooks (%x)\n",
292 Error);
293 break;
294
296 ShowMessages("err, the routines for getting the PEB is not correctly "
297 "initialized (%x)\n",
298 Error);
299 break;
300
302 ShowMessages("err, unable to detect whether the process was 32-bit "
303 "or 64-bit (%x)\n",
304 Error);
305 break;
306
308 ShowMessages("err, unable to kill the process (%x)\n",
309 Error);
310 break;
311
313 ShowMessages("err, invalid thread debugging token (%x)\n",
314 Error);
315 break;
316
318 ShowMessages("err, unable to pause the threads of the process (%x)\n",
319 Error);
320 break;
321
323 ShowMessages("err, the user debugger is already attached to this "
324 "process, please use the '.switch' command to switch "
325 "to this process (%x)\n",
326 Error);
327 break;
328
330 ShowMessages("err, the user debugger is not already attached to "
331 "the process (%x)\n",
332 Error);
333 break;
334
336 ShowMessages("err, the user debugger is not able to detach from "
337 "this process as there are paused threads in the "
338 "target process, please make sure to remove all "
339 "the events and continue the target process, then "
340 "perform the detach again (%x)\n",
341 Error);
342 break;
343
345 ShowMessages("err, unable to switch to the process id or thread id "
346 "as the target process id or thread id is not found in "
347 "the attached threads list, please view the list of "
348 "processes and threads by using the '.switch list' command (%x)\n",
349 Error);
350 break;
351
353 ShowMessages("err, unable to switch to the process as the process doesn't "
354 "contain an active intercepted thread (%x)\n",
355 Error);
356 break;
357
359 ShowMessages("err, unable to get user-mode modules of the process (%x)\n",
360 Error);
361 break;
362
364 ShowMessages("err, unable to get the callstack (%x)\n",
365 Error);
366 break;
367
369 ShowMessages("err, unable to query count of processes or threads (%x)\n",
370 Error);
371 break;
372
374 ShowMessages("err, using short-circuiting event with post events is not possible (%x)\n",
375 Error);
376 break;
377
379 ShowMessages("err, unknown test query is received to the debugger (%x)\n",
380 Error);
381 break;
382
384 ShowMessages("err, invalid process or memory address (%x)\n",
385 Error);
386 break;
387
389 ShowMessages("err, unable to add the current thread/process to the list of trap flags. "
390 "Are you debugging multiple threads or stepping through different processes "
391 "simultaneously? (%x)\n",
392 Error);
393 break;
394
396 ShowMessages("err, process does not exists (already terminated?) (%x)\n",
397 Error);
398 break;
399
401 ShowMessages("err, the specified execution mode is invalid (%x)\n",
402 Error);
403 break;
404
406 ShowMessages("err, you cannot specify process id while the debugger is paused in the debugger mode. "
407 "You can use the '.process' or the '.thread' command to switch to the target process's "
408 "memory layout (%x)\n",
409 Error);
410 break;
411
413 ShowMessages("err, the requested buffer for storing event and conditions is larger than the pre-allocated "
414 "buffer size (%x)\nfor more information on how to resolve this issue, "
415 "please visit: https://docs.hyperdbg.org/tips-and-tricks/misc/instant-events\n",
416 Error);
417 break;
418
420 ShowMessages("err, not enough pre-allocated buffer exists for storing the event. You can use the 'prealloc' "
421 "command to fix this issue by pre-allocating more buffers (%x)\nfor more information "
422 "please visit: https://docs.hyperdbg.org/tips-and-tricks/misc/instant-events\n",
423 Error);
424 break;
425
427 ShowMessages("err, the requested event is considered as a \"big instant event\" and right now, there is no "
428 "pre-allocated buffer for storing it. You can use the 'prealloc' command to fix this issue by "
429 "pre-allocating big instant event buffers (%x)\nfor more information "
430 "please visit: https://docs.hyperdbg.org/tips-and-tricks/misc/instant-events\n",
431 Error);
432 break;
433
435 ShowMessages("err, unable to allocate buffer for the target action (%x)\n",
436 Error);
437 break;
438
440 ShowMessages("err, not enough pre-allocated buffer exists for storing the event's action. You can use the 'prealloc' "
441 "command to fix this issue by pre-allocating more buffers (%x)\nfor more information "
442 "please visit: https://docs.hyperdbg.org/tips-and-tricks/misc/instant-events\n",
443 Error);
444 break;
445
447 ShowMessages("err, the requested action is considered as a \"big instant event (action)\" and right now, there is no "
448 "pre-allocated buffer for storing it. You can use the 'prealloc' command to fix this issue by "
449 "pre-allocating big instant event's action buffers (%x)\nfor more information "
450 "please visit: https://docs.hyperdbg.org/tips-and-tricks/misc/instant-events\n",
451 Error);
452 break;
453
455 ShowMessages("err, the requested buffer for storing action is larger than the pre-allocated "
456 "buffer size (%x)\nfor more information on how to resolve this issue, "
457 "please visit: https://docs.hyperdbg.org/tips-and-tricks/misc/instant-events\n",
458 Error);
459 break;
460
462 ShowMessages("err, the requested optional buffer is bigger than the debuggers send/receive stack, "
463 "please select a smaller requested buffer for the target event (%x)\n",
464 Error);
465 break;
466
468 ShowMessages("err, by default HyperDbg won't allocate requested safe buffers for instant events in "
469 "the debugger mode. You can use the 'prealloc' command to allocate (regular) requested safe "
470 "buffers before running this command (%x)\nfor more information "
471 "please visit: https://docs.hyperdbg.org/tips-and-tricks/misc/instant-events\n",
472 Error);
473 break;
474
476 ShowMessages("err, the requested safe buffer is bigger than regular buffers. You can use the 'prealloc' "
477 "command to allocate (big) requested safe buffers before running this command (%x)\n"
478 "for more information "
479 "please visit: https://docs.hyperdbg.org/tips-and-tricks/misc/instant-events\n",
480 Error);
481 break;
482
484 ShowMessages("err, the requested buffer for storing safe buffers of the action is larger than the pre-allocated "
485 "buffer size (%x)\nfor more information on how to resolve this issue, "
486 "please visit: https://docs.hyperdbg.org/tips-and-tricks/misc/instant-events\n",
487 Error);
488 break;
489
491 ShowMessages("err, unable to allocate buffer for the target requested safe buffer (%x)\n",
492 Error);
493 break;
494
496 ShowMessages("err, invalid type is specified for preactivation (%x)\n",
497 Error);
498 break;
499
501 ShowMessages("err, for performance reasons, the '!mode' event command cannot be directly initialized in the Debugger Mode. "
502 "You can use the 'preactivate mode' command to preactivate this mechanism after that, "
503 "you can use the '!mode' event (%x)\n",
504 Error);
505 break;
506
508 ShowMessages("err, the event(s) that you've requested are disabled, yet HyperDbg cannot remove (clear) them in "
509 "the subsequent run due to the user-mode priority buffers being at full capacity. "
510 "This typically occurs when you attempt to clear numerous events without resuming the debuggee. "
511 "Since these unserviced events remain in the queue, HyperDbg is unable to clear them. "
512 "To address this issue, you can resume the debuggee, allowing all queued events to be cleared (usually 2 to 10 seconds). "
513 "Afterward, you can pause the debuggee again and request the removal of new events (%x)\n"
514 "for more information on how to resolve this issue "
515 "please visit: https://docs.hyperdbg.org/tips-and-tricks/misc/instant-events\n",
516 Error);
517 break;
518
520 ShowMessages("err, the event cannot be applied since not all cores are locked! "
521 "If you are using the instant-event mechanism or switching between cores, this will likely halt the system. "
522 "This may be caused by a race condition, but continuing and halting the debugger might resolve it. "
523 "If the problem persists, please open an issue and provide steps to reproduce it (%x)\n",
524 Error);
525 break;
526
528 ShowMessages("err, target core is not locked! "
529 "This may be caused by a race condition, continuing and halting the debugger might resolve it. "
530 "If the problem persists, please open an issue and provide steps to reproduce it (%x)\n",
531 Error);
532 break;
533
535 ShowMessages("err, invalid physical address (%x)\n",
536 Error);
537 break;
538
540 ShowMessages("err, could not perform APIC actions (%x)\n",
541 Error);
542 break;
543
545 ShowMessages("err, debugger was not in the hidden transparent-mode (%x)\n",
546 Error);
547 break;
548
550 ShowMessages("err, the user debugger cannot be initialized (%x)\n",
551 Error);
552 break;
553
555 ShowMessages("err, putting EPT hooks on physical address above 512 GB is not supported (%x)\n",
556 Error);
557 break;
558
560 ShowMessages("err, invalid SMI operation parameter(s) are specified (%x)\n",
561 Error);
562 break;
563
565 ShowMessages("err, unable to trigger SMI, are you running on a nested-virtualization environment? (%x)\n",
566 Error);
567 break;
568
570 ShowMessages("err, unable to apply command to the target thread (%x)\n",
571 Error);
572 break;
573
575 ShowMessages("err, the hypertrace module is not loaded and initialized, "
576 "use the 'load trace' command to load the hypertrace module (%x)\n",
577 Error);
578 break;
579
581 ShowMessages("err, invalid hypertrace operation type is specified (%x)\n",
582 Error);
583 break;
584
586 ShowMessages("err, LBR is already enabled, you can disable it using the '!lbr' command (%x)\n",
587 Error);
588 break;
589
591 ShowMessages("err, LBR is already disabled, you can enable it using the '!lbr' command (%x)\n",
592 Error);
593 break;
594
596 ShowMessages("err, LBR is not supported on this processor, this is likely caused by running inside "
597 "a nested virtualization (VM) environment that masks and removes LBR CPU flags (%x)\n",
598 Error);
599 break;
600
602 ShowMessages("err, LBR is not supported on VMCS (%x)\n",
603 Error);
604 break;
605
607 ShowMessages("err, PT is already enabled (%x)\n",
608 Error);
609 break;
610
612 ShowMessages("err, PT is already disabled (%x)\n",
613 Error);
614 break;
615
617 ShowMessages("err, PT is not supported on this processor (%x)\n",
618 Error);
619 break;
620
622 ShowMessages("err, hypertrace is already loaded, please unload hypertrace module using the "
623 "'unload' command and then load the 'VMM' module. Then you can load hypertrace "
624 "after loading the VMM as it is because hypertrace behaves differently to sync "
625 "with VMM modules; it needs to have this notion that it is running within the "
626 "hypervisor, so that is why it needs to be initialized again if the VMM module "
627 "is loaded (%x)\n",
628 Error);
629 break;
630
632 ShowMessages("err, the VMM module cannot be initialized because the debugger is not loaded (%x)\n",
633 Error);
634 break;
635
637 ShowMessages("err, cannot initialize the debugger (%x)\n",
638 Error);
639 break;
640
641 default:
642 ShowMessages("err, error not found (%x)\n",
643 Error);
644 return FALSE;
645 break;
646 }
647
648 return TRUE;
649}
#define DEBUGGER_ERROR_ACTION_BUFFER_SIZE_IS_ZERO
error, the action buffer size is invalid
Definition ErrorCodes.h:45
#define DEBUGGER_ERROR_INSTANT_EVENT_REGULAR_PREALLOCATED_BUFFER_NOT_FOUND
error, the regular preallocated buffer not found
Definition ErrorCodes.h:441
#define DEBUGGER_ERROR_EPT_FAILED_TO_GET_PML1_ENTRY_OF_TARGET_ADDRESS
error, failed to get PML1 entry of the target address
Definition ErrorCodes.h:264
#define DEBUGGER_ERROR_DEBUGGER_NOT_INITIALIZED
error, the user debugger cannot be initialized
Definition ErrorCodes.h:558
#define DEBUGGER_ERROR_UNABLE_TO_DETECT_32_BIT_OR_64_BIT_PROCESS
error, unable to get 32-bit or 64-bit of the target process
Definition ErrorCodes.h:320
#define DEBUGGER_ERROR_INSTANT_EVENT_BIG_REQUESTED_SAFE_BUFFER_NOT_FOUND
error, the requested safe buffer does not exists (big)
Definition ErrorCodes.h:489
#define DEBUGGER_ERROR_TAG_NOT_EXISTS
error, the tag not exist
Definition ErrorCodes.h:33
#define DEBUGGER_ERROR_DEBUGGER_ALREADY_HIDE
error, the debugger is already in transparent-mode
Definition ErrorCodes.h:93
#define DEBUGGER_ERROR_INTERRUPT_INDEX_IS_NOT_VALID
error, the index for !interrupt command is not between 32 to 256
Definition ErrorCodes.h:81
#define DEBUGGER_ERROR_APIC_ACTIONS_ERROR
error, could not perform APIC actions
Definition ErrorCodes.h:546
#define DEBUGGER_ERROR_UNABLE_TO_REMOVE_HOOKS
error, could not remove the previous hook
Definition ErrorCodes.h:308
#define DEBUGGER_ERROR_INSTANT_EVENT_PREALLOCATED_BUFFER_IS_NOT_ENOUGH_FOR_EVENT_AND_CONDITIONALS
error, the preallocated buffer is not enough for storing event+conditional buffer
Definition ErrorCodes.h:435
#define DEBUGGER_ERROR_INSTANT_EVENT_REQUESTED_OPTIONAL_BUFFER_IS_BIGGER_THAN_DEBUGGERS_SEND_RECEIVE_STACK
error, the requested optional buffer is bigger than send/receive stack of the debugger
Definition ErrorCodes.h:477
#define DEBUGGER_ERROR_UNABLE_TO_ALLOCATE_REQUESTED_SAFE_BUFFER
error, enable to create requested safe buffer (cannot allocate buffer)
Definition ErrorCodes.h:501
#define DEBUGGER_ERROR_MAXIMUM_BREAKPOINT_WITHOUT_CONTINUE
error, maximum pools were used without continuing debuggee
Definition ErrorCodes.h:184
#define DEBUGGER_ERROR_INSTANT_EVENT_PREALLOCATED_BUFFER_IS_NOT_ENOUGH_FOR_REQUESTED_SAFE_BUFFER
error, the preallocated buffer is not enough for storing safe requested buffer
Definition ErrorCodes.h:495
#define DEBUGGER_ERROR_READING_MEMORY_INVALID_PARAMETER
error, for reading from memory in case of invalid parameters
Definition ErrorCodes.h:405
#define DEBUGGER_ERROR_INVALID_TEST_QUERY_INDEX
error, could not find the index of test query
Definition ErrorCodes.h:288
#define DEBUGGER_ERROR_PRE_ALLOCATED_BUFFER_IS_EMPTY
error, there is no pre-allocated buffer
Definition ErrorCodes.h:251
#define DEBUGGER_ERROR_COULD_NOT_FIND_ALLOCATION_TYPE
error, could not find the type of allocation
Definition ErrorCodes.h:282
#define DEBUGGER_ERROR_MODIFY_EVENTS_INVALID_TYPE_OF_ACTION
error, type of action (enable/disable/clear) is wrong
Definition ErrorCodes.h:127
#define DEBUGGER_ERROR_BREAKPOINT_ALREADY_EXISTS_ON_THE_ADDRESS
error, breakpoint already exists on the target address
Definition ErrorCodes.h:190
#define DEBUGGER_ERROR_EDIT_MEMORY_STATUS_INVALID_ADDRESS_BASED_ON_OTHER_PROCESS
error, an invalid address is specified based on another process's cr3 in !e* or e* commands
Definition ErrorCodes.h:114
#define DEBUGGER_ERROR_INSTANT_EVENT_REGULAR_REQUESTED_SAFE_BUFFER_NOT_FOUND
error, the requested safe buffer does not exist (regular)
Definition ErrorCodes.h:483
#define DEBUGGER_ERROR_DEBUGGER_ALREADY_UNHIDE
error, debugger is already not in the transparent-mode
Definition ErrorCodes.h:552
#define DEBUGGER_ERROR_LBR_NOT_SUPPORTED_ON_VMCS
error, LBR not supported on VMCS
Definition ErrorCodes.h:618
#define DEBUGGER_ERROR_STEPPINGS_EITHER_THREAD_NOT_FOUND_OR_DISABLED
error, thread is invalid (not found) or disabled in stepping (step-in & step-out) requests
Definition ErrorCodes.h:140
#define DEBUGGER_ERROR_DETAILS_OR_SWITCH_THREAD_INVALID_PARAMETER
error, for thread switch or thread details, invalid parameter
Definition ErrorCodes.h:239
#define DEBUGGER_ERROR_UNABLE_TO_PAUSE_THE_PROCESS_THREADS
error, unable to pause the process's threads
Definition ErrorCodes.h:338
#define DEBUGGER_ERROR_UNABLE_TO_TRIGGER_SMI
error, unable to trigger SMI
Definition ErrorCodes.h:576
#define DEBUGGER_ERROR_INSTANT_EVENT_PREALLOCATED_BUFFER_IS_NOT_ENOUGH_FOR_ACTION_BUFFER
error, the preallocated buffer is not enough for storing action buffer
Definition ErrorCodes.h:471
#define DEBUGGER_ERROR_BREAKPOINT_ID_NOT_FOUND
error, breakpoint id not found
Definition ErrorCodes.h:196
#define DEBUGGER_ERROR_INVALID_CORE_ID
error, the core id is invalid
Definition ErrorCodes.h:69
#define DEBUGGER_ERROR_STEPPING_INVALID_PARAMETER
error, invalid parameters steppings actions
Definition ErrorCodes.h:133
#define DEBUGGER_ERROR_INVALID_REGISTER_NUMBER
error, invalid register number
Definition ErrorCodes.h:178
#define DEBUGGER_ERROR_UNABLE_TO_KILL_THE_PROCESS
error, unable to kill the target process
Definition ErrorCodes.h:326
#define DEBUGGER_ERROR_EDIT_MEMORY_STATUS_INVALID_ADDRESS_BASED_ON_CURRENT_PROCESS
error, an invalid address is specified based on current cr3 in !e* or e* commands
Definition ErrorCodes.h:106
#define DEBUGGER_ERROR_MODIFY_EVENTS_INVALID_TAG
error, invalid tag for 'events' command (tag id is unknown for kernel)
Definition ErrorCodes.h:121
#define DEBUGGER_ERROR_INVALID_HYPERTRACE_OPERATION_TYPE
error, invalid HyperTrace operation type is specified in the request
Definition ErrorCodes.h:594
#define DEBUGGER_ERROR_UNABLE_TO_GET_MODULES_OF_THE_PROCESS
error, unable to get modules
Definition ErrorCodes.h:374
#define DEBUGGER_ERROR_PREPARING_DEBUGGEE_INVALID_SERIAL_PORT
error, serial port address is invalid
Definition ErrorCodes.h:152
#define DEBUGGER_ERROR_THE_USER_DEBUGGER_NOT_ATTACHED_TO_THE_PROCESS
error, the user debugger is not attached to the target process
Definition ErrorCodes.h:350
#define DEBUGGER_ERROR_THE_TARGET_EVENT_IS_DISABLED_BUT_CANNOT_BE_CLEARED_PRIRITY_BUFFER_IS_FULL
error, the target event(s) is/are disabled but cannot clear them because the buffer of the user-mode ...
Definition ErrorCodes.h:520
#define DEBUGGER_ERROR_NOT_ALL_CORES_ARE_LOCKED_FOR_APPLYING_INSTANT_EVENT
error, not all cores are locked (probably due to a race condition in HyperDbg) in instant-event mecha...
Definition ErrorCodes.h:527
#define DEBUGGER_ERROR_DETAILS_OR_SWITCH_PROCESS_INVALID_PARAMETER
error, for process switch or process details, invalid parameter
Definition ErrorCodes.h:233
#define DEBUGGER_ERROR_UNABLE_TO_SWITCH_PROCESS_ID_OR_THREAD_ID_IS_INVALID
error, cannot switch to new thread as the process id or thread id is not found
Definition ErrorCodes.h:362
#define DEBUGGER_ERROR_LBR_ALREADY_DISABLED
error, LBR is already disabled
Definition ErrorCodes.h:606
#define DEBUGGER_ERROR_THE_TRAP_FLAG_LIST_IS_FULL
error, the list of threads/process trap flag is full
Definition ErrorCodes.h:411
#define DEBUGGER_ERROR_PT_ALREADY_ENABLED
error, PT is already enabled
Definition ErrorCodes.h:624
#define DEBUGGER_ERROR_LBR_ALREADY_ENABLED
error, LBR is already enabled
Definition ErrorCodes.h:600
#define DEBUGGER_ERROR_UNABLE_TO_ATTACH_TO_AN_ALREADY_ATTACHED_PROCESS
error, user debugger already attached to this process
Definition ErrorCodes.h:344
#define DEBUGGER_ERROR_CANNOT_PUT_EPT_HOOKS_ON_PHYSICAL_ADDRESS_ABOVE_512_GB
error, cannot put EPT hooks on addresses above 512 GB
Definition ErrorCodes.h:564
#define DEBUGGER_ERROR_UNABLE_TO_KILL_THE_PROCESS_DOES_NOT_EXISTS
error, unable to kill the target process. process does not exists
Definition ErrorCodes.h:417
#define DEBUGGER_ERROR_UNABLE_TO_GET_CALLSTACK
error, unable to get the callstack
Definition ErrorCodes.h:380
#define DEBUGGER_ERROR_PREPARING_DEBUGGEE_INVALID_CORE_IN_REMOTE_DEBUGGE
error, invalid core selected in changing core in remote debuggee
Definition ErrorCodes.h:158
#define DEBUGGER_ERROR_INVALID_THREAD_DEBUGGING_TOKEN
error, invalid thread debugging token
Definition ErrorCodes.h:332
#define DEBUGGER_ERROR_UNABLE_TO_DETACH_AS_THERE_ARE_PAUSED_THREADS
error, cannot detach from the process as there are paused threads
Definition ErrorCodes.h:356
#define DEBUGGER_ERROR_PT_ALREADY_DISABLED
error, PT is already disabled
Definition ErrorCodes.h:630
#define DEBUGGER_ERROR_EPT_MULTIPLE_HOOKS_IN_A_SINGLE_PAGE
error, multiple EPT Hooks or Monitors are applied on a single page
Definition ErrorCodes.h:270
#define DEBUGGER_ERROR_UNABLE_TO_CREATE_ACTION_CANNOT_ALLOCATE_BUFFER
error, enable to create action (cannot allocate buffer)
Definition ErrorCodes.h:453
#define DEBUGGER_ERROR_USING_SHORT_CIRCUITING_EVENT_WITH_POST_EVENT_MODE_IS_FORBIDDEDN
error, using short-circuiting event with post-event mode is not supported in HyperDbg
Definition ErrorCodes.h:393
#define DEBUGGER_ERROR_COULD_NOT_BUILD_THE_EPT_HOOK
error, could not build the EPT Hook
Definition ErrorCodes.h:276
#define DEBUGGER_ERROR_INVALID_SMI_OPERATION_PARAMETERS
error, invalid parameters for SMI operation request
Definition ErrorCodes.h:570
#define DEBUGGER_ERROR_EVENT_IS_NOT_APPLIED
error, for event specific reasons the event is not applied
Definition ErrorCodes.h:227
#define DEBUGGER_ERROR_BREAKPOINT_ALREADY_DISABLED
error, breakpoint already disabled
Definition ErrorCodes.h:202
#define DEBUGGER_ERROR_THE_MODE_EXEC_TRAP_IS_NOT_INITIALIZED
error, the mode exec trap is not already initialized
Definition ErrorCodes.h:513
#define DEBUGGER_ERROR_UNABLE_TO_ATTACH_TO_TARGET_USER_MODE_PROCESS
error, failed to attach to the target user-mode process
Definition ErrorCodes.h:294
#define DEBUGGER_ERROR_MEMORY_TYPE_INVALID
error, memory type is invalid
Definition ErrorCodes.h:214
#define DEBUGGER_ERROR_FUNCTIONS_FOR_INITIALIZING_PEB_ADDRESSES_ARE_NOT_INITIALIZED
error, the needed routines for debugging is not initialized
Definition ErrorCodes.h:314
#define DEBUGGER_ERROR_PT_NOT_SUPPORTED
error, PT is not supported by the processor
Definition ErrorCodes.h:636
#define DEBUGGER_ERROR_LBR_NOT_SUPPORTED
error, LBR is not supported by the processor
Definition ErrorCodes.h:612
#define DEBUGGER_ERROR_MODE_EXECUTION_IS_INVALID
error, the execution mode is incorrect
Definition ErrorCodes.h:423
#define DEBUGGER_ERROR_INSTANT_EVENT_ACTION_BIG_PREALLOCATED_BUFFER_NOT_FOUND
error, the big preallocated buffer not found (for action)
Definition ErrorCodes.h:465
#define DEBUGGER_ERROR_COULD_NOT_FIND_PREACTIVATION_TYPE
error, could not find the type of preactivation
Definition ErrorCodes.h:507
#define DEBUGGER_ERROR_PROCESS_ID_CANNOT_BE_SPECIFIED_WHILE_APPLYING_EVENT_FROM_VMX_ROOT_MODE
error, the process id cannot be specified while the debugger is in VMX-root mode
Definition ErrorCodes.h:429
#define DEBUGGER_ERROR_EVENT_TYPE_IS_INVALID
error, the event type is unknown
Definition ErrorCodes.h:51
#define DEBUGGER_ERROR_UNKNOWN_TEST_QUERY_RECEIVED
error, unknown test query is received
Definition ErrorCodes.h:399
#define DEBUGGER_ERROR_INVALID_PHYSICAL_ADDRESS
error, invalid physical address
Definition ErrorCodes.h:540
#define DEBUGGER_ERROR_INSTANT_EVENT_BIG_PREALLOCATED_BUFFER_NOT_FOUND
error, the big preallocated buffer not found
Definition ErrorCodes.h:447
#define DEBUGGER_ERROR_MAXIMUM_BREAKPOINT_FOR_A_SINGLE_PAGE_IS_HIT
error, maximum breakpoint for a single page is hit
Definition ErrorCodes.h:245
#define DEBUGGER_ERROR_TARGET_SWITCHING_CORE_IS_NOT_LOCKED
error, switching to the target core is not possible because core is not locked (probably due to a rac...
Definition ErrorCodes.h:534
#define DEBUGGER_ERROR_VMM_CANNOT_BE_INITIALIZED_IF_HYPERTRACE_IS_LOADED
error, VMM cannot be initialized while HyperTrace module is already loaded
Definition ErrorCodes.h:642
#define DEBUGGER_ERROR_EXCEPTION_INDEX_EXCEED_FIRST_32_ENTRIES
error, the index is greater than 32 in !exception command
Definition ErrorCodes.h:75
#define DEBUGGER_ERROR_INVALID_ADDRESS
error, invalid address specified for debugger
Definition ErrorCodes.h:63
#define DEBUGGER_ERROR_INSTANT_EVENT_ACTION_REGULAR_PREALLOCATED_BUFFER_NOT_FOUND
error, the regular preallocated buffer not found (for action)
Definition ErrorCodes.h:459
#define DEBUGGER_ERROR_UNABLE_TO_REMOVE_HOOKS_ENTRYPOINT_NOT_REACHED
error, failed to remove hooks as entrypoint is not reached yet
Definition ErrorCodes.h:302
#define DEBUGGER_ERROR_INVALID_ACTION_TYPE
error, invalid type of action
Definition ErrorCodes.h:39
#define DEBUGGER_ERROR_CANNOT_INITIALIZE_DEBUGGER
error, cannot initialize the debugger
Definition ErrorCodes.h:654
#define DEBUGGER_ERROR_HYPERTRACE_NOT_INITIALIZED
error, HyperTrace is not initialized
Definition ErrorCodes.h:588
#define DEBUGGER_ERROR_UNABLE_TO_CREATE_EVENT
error, enable to create event
Definition ErrorCodes.h:57
#define DEBUGGER_ERROR_INVALID_PROCESS_ID
error, the process id is invalid
Definition ErrorCodes.h:220
#define DEBUGGER_ERROR_PREPARING_DEBUGGEE_UNABLE_TO_SWITCH_TO_NEW_PROCESS
error, invalid process selected in changing process in remote debuggee
Definition ErrorCodes.h:165
#define DEBUGGER_ERROR_UNABLE_TO_SWITCH_THERE_IS_NO_THREAD_ON_THE_PROCESS
error, cannot switch to new thread the process doesn't contain an active thread
Definition ErrorCodes.h:368
#define DEBUGGER_ERROR_EDIT_MEMORY_STATUS_INVALID_PARAMETER
error, invalid parameters in !e* e* commands
Definition ErrorCodes.h:99
#define DEBUGGER_ERROR_BREAKPOINT_ALREADY_ENABLED
error, breakpoint already enabled
Definition ErrorCodes.h:208
#define DEBUGGER_ERROR_PREPARING_DEBUGGEE_INVALID_BAUDRATE
error, baud rate is invalid
Definition ErrorCodes.h:146
#define DEBUGGER_ERROR_UNABLE_TO_QUERY_COUNT_OF_PROCESSES_OR_THREADS
error, unable to query count of processes or threads
Definition ErrorCodes.h:386
#define DEBUGGER_ERROR_UNABLE_TO_APPLY_COMMAND_TO_THE_TARGET_THREAD
error, unable to apply the command to the target thread
Definition ErrorCodes.h:582
#define DEBUGGER_ERROR_EPT_COULD_NOT_SPLIT_THE_LARGE_PAGE_TO_4KB_PAGES
error, in the EPT handler, it could not split the 2MB pages to 512 entries of 4 KB pages
Definition ErrorCodes.h:258
#define DEBUGGER_ERROR_PREPARING_DEBUGGEE_TO_RUN_SCRIPT
error, unable to run script in remote debuggee
Definition ErrorCodes.h:172
#define DEBUGGER_ERROR_VMM_CANNOT_BE_INITIALIZED_IF_DEBUGGER_IS_NOT_LOADED
error, VMM cannot be initialized if the debugger is not loaded
Definition ErrorCodes.h:648