- Generated by
1.11.0
|
HyperDbg Debugger
|
Global Variables for user-mode interface. More...
Go to the source code of this file.
Variables | |
| BOOLEAN | g_RtmSupport = FALSE |
| check for RTM support | |
| UINT32 | g_VirtualAddressWidth = 0 |
| Virtual address width for x86 processors. | |
| BOOLEAN | g_IsInterpreterOnString = FALSE |
| shows whether the interpreter is currently on a string or not | |
| BOOLEAN | g_IsInterpreterPreviousCharacterABackSlash = FALSE |
| Is interpreter encountered a back slash at previous run. | |
| UINT32 | g_InterpreterCountOfOpenCurlyBrackets = 0 |
| Keeps the trace of curly brackets in the interpreter. | |
| BYTE | g_EndOfBufferCheckTcp [TCP_END_OF_BUFFER_CHARS_COUNT] |
| the buffer that we set at the end of buffers for tcp connection | |
| BOOLEAN | g_IsConnectedToHyperDbgLocally = FALSE |
| Shows whether the user is allowed to use 'load' command to load modules locally in VMI (virtual machine introspection) mode. | |
| BOOLEAN | g_IsConnectedToRemoteDebuggee = FALSE |
| Shows whether the current debugger is the host and connected to a remote debuggee (guest) | |
| BOOLEAN | g_IsConnectedToRemoteDebugger = FALSE |
| Shows whether the current system is a guest (debuggee) and a remote debugger is connected to this system. | |
| SOCKET | g_ClientConnectSocket = {0} |
| The socket object of host debugger (not debuggee) it is because in HyperDbg, debuggee is server and debugger is a client. | |
| SOCKET | g_SeverSocket = {0} |
| The socket object of guest debuggee (not debugger) it is because in HyperDbg, debugger is client and debuggee is a server. | |
| SOCKET | g_ServerListenSocket = {0} |
| Server in debuggee needs an extra socket. | |
| string | g_ServerPort = "" |
| In debugger (not debuggee), we save the port of server debuggee in this variable to use it later e.g, in signature. | |
| string | g_ServerIp = "" |
| In debugger (not debuggee), we save the port of server debuggee in this variable to use it later e.g, in signature. | |
| HANDLE | g_RemoteDebuggeeListeningThread = NULL |
| In debugger (not debuggee), we save the ip of server debuggee in this variable to use it later e.g, in signature. | |
| HANDLE | g_IsDriverLoadedSuccessfully = NULL |
| Handle to show that if the debugger is loaded successfully. | |
| HANDLE | g_EndOfMessageReceivedEvent = NULL |
| Handle to if the end of the message received (for showing signature) | |
| BOOLEAN | g_IsEndOfMessageReceived = FALSE |
| variable to keep track if the end of the message received (for showing signature) | |
| BOOLEAN | g_SerialConnectionAlreadyClosed = FALSE |
| In both debuggee and debugger we save the state of the closed connection to avoid double close. | |
| BOOLEAN | g_IgnorePauseRequests = FALSE |
| Show whether the pause request (CTRL+C or CTRL+BREAK) should be ignored or not. | |
| BOOLEAN | g_IsUserDebuggerInitialized = FALSE |
| Whether the user debugger is initialized or not. | |
| DEBUGGER_SYNCRONIZATION_EVENTS_STATE | g_UserSyncronizationObjectsHandleTable [DEBUGGER_MAXIMUM_SYNCRONIZATION_USER_DEBUGGER_OBJECTS] = {0} |
| In debugger (not debuggee), we save the handle of the user-mode listening thread for pauses here for user debugger. | |
| BYTE | g_EndOfBufferCheckSerial [SERIAL_END_OF_BUFFER_CHARS_COUNT] |
| the buffer that we set at the end of buffers for serial | |
| DEBUGGER_SYNCRONIZATION_EVENTS_STATE | g_KernelSyncronizationObjectsHandleTable [DEBUGGER_MAXIMUM_SYNCRONIZATION_KERNEL_DEBUGGER_OBJECTS] = {0} |
| In debugger (not debuggee), we save the handle of the user-mode listening thread for pauses here for kernel debugger. | |
| BYTE | g_CurrentRunningInstruction [MAXIMUM_INSTR_SIZE] = {0} |
| Current executing instructions. | |
| BOOLEAN | g_IsRunningInstruction32Bit = FALSE |
| whether the Current executing instructions is 32-bit or 64 bit | |
| HANDLE | g_SerialListeningThreadHandle = NULL |
| In debuggee and debugger, we save the handle of the user-mode listening thread for pauses here. | |
| HANDLE | g_SerialRemoteComPortHandle = NULL |
| In debugger (not debuggee), we save the handle of the user-mode listening thread for remote system here. | |
| BOOLEAN | g_IsSerialConnectedToRemoteDebuggee = FALSE |
| Shows if the debugger was connected to remote debuggee over (A remote guest) | |
| BOOLEAN | g_IsSerialConnectedToRemoteDebugger = FALSE |
| Shows if the debugger was connected to remote debugger (A remote host) | |
| BOOLEAN | g_IsDebuggeeInHandshakingPhase = FALSE |
| Shows if the debuggee is in the handshake phase or not. | |
| BOOLEAN | g_IsDebuggeeRunning = FALSE |
| Shows if the debuggee is running or not. | |
| BOOLEAN | g_IgnoreNewLoggingMessages = FALSE |
| Shows if the debugger should show debuggee's messages or not. | |
| ULONG | g_CurrentRemoteCore = DEBUGGER_DEBUGGEE_IS_RUNNING_NO_CORE |
| Current core that the debuggee is debugging. | |
| BOOLEAN | g_IsDebuggerConntectedToNamedPipe = FALSE |
| Shows if the debugger is connected to the guest using named pipe. | |
| HANDLE | g_DebuggeeStopCommandEventHandle = NULL |
| An event to make sure that the user won't give any command in debuggee and all the commands are coming from just the debugger. | |
| DEBUGGER_EVENT_AND_ACTION_RESULT | g_DebuggeeResultOfRegisteringEvent = {0} |
| Holds the result of registering events from the remote debuggee. | |
| DEBUGGER_EVENT_AND_ACTION_RESULT | g_DebuggeeResultOfAddingActionsToEvent |
| Holds the result of adding action to events from the remote debuggee. | |
| OVERLAPPED | g_OverlappedIoStructureForReadDebugger = {0} |
| This is an OVERLAPPED structure for managing simultaneous read and writes for debugger (in current design debuggee is not needed to write simultaneously but it's needed for write) | |
| OVERLAPPED | g_OverlappedIoStructureForWriteDebugger = {0} |
| OVERLAPPED | g_OverlappedIoStructureForReadDebuggee = {0} |
| BOOLEAN | g_SharedEventStatus = FALSE |
| Shows whether the queried event is enabled or disabled. | |
| BOOLEAN | g_ShouldPreviousCommandBeContinued |
| Shows whether the previous command should be continued or not. | |
| CommandType | g_CommandsList |
| List of command and attributes. | |
| UINT64 * | g_ScriptGlobalVariables |
| Holder of global variables for script engine. | |
| UINT64 * | g_ScriptLocalVariables |
| Holder of local variables for script engine. | |
| UINT64 * | g_ScriptTempVariables |
| Holder of temp variables for script engine. | |
| BOOLEAN | g_IsCommandListInitialized = FALSE |
| Is list of command initialized. | |
| BOOLEAN | g_IsDebuggerModulesLoaded = FALSE |
| this variable is used to indicate that modules are loaded so we make sure to later use a trace of loading in 'unload' command (used in Debugger VMM) | |
| ACTIVE_DEBUGGING_PROCESS | g_ActiveProcessDebuggingState = {0} |
| State of active debugging thread. | |
| UINT32 | g_ProcessIdOfLatestStartingProcess = NULL |
| The process id of the latest starting process. | |
| UINT64 | g_EventTag = DebuggerEventTagStartSeed |
| This variable holds the trace and generate numbers for new tags of events. | |
| UINT64 | g_OutputSourceTag = DebuggerOutputSourceTagStartSeed |
| This variable holds the trace and generate numbers for unique tag of the output resources. | |
| BOOLEAN | g_EventTraceInitialized = FALSE |
| it shows whether the debugger started using events or not or in other words, is g_EventTrace initialized with a variable or it is empty | |
| LIST_ENTRY | g_EventTrace = {0} |
| Holds a list of events in kernel and the state of events and the commands to show the state of each command (disabled/enabled) | |
| BOOLEAN | g_OutputSourcesInitialized = FALSE |
| it shows whether the debugger started using output sources or not or in other words, is g_OutputSources initialized with a variable or it is empty | |
| LIST_ENTRY | g_OutputSources = {0} |
| Holds a list of output sources created by output command. | |
| TCHAR | g_DriverLocation [MAX_PATH] = {0} |
| Holds the location driver to install it. | |
| TCHAR | g_DriverName [MAX_PATH] = {0} |
| Holds the name of the driver to install it. | |
| BOOLEAN | g_UseCustomDriverLocation = FALSE |
| Whether the user wants to use a custom driver location or not. | |
| TCHAR | g_TestLocation [MAX_PATH] = {0} |
| Holds the location test-hyperdbg.exe. | |
| PVOID | g_MessageHandler = 0 |
| The handler for ShowMessages function this is because the user might choose not to use printf and instead use his/her handler for showing messages. | |
| PVOID | g_MessageHandlerSharedBuffer = 0 |
| The shared buffer for the handler of ShowMessages function. | |
| BOOLEAN | g_IsVmxOffProcessStart |
| Shows whether the vmxoff process start or not. | |
| HANDLE | g_DeviceHandle |
| Holds the global handle of device which is used to send the request to the kernel by IOCTL, this handle is not used for IRP Pending of message tracing this handle is used in KD VMM. | |
| BOOLEAN | g_LogOpened = FALSE |
| Shows whether the '.logopen' command is executed and the log file is open or not. | |
| ofstream | g_LogOpenFile |
| The object of log file ('.logopen' command) | |
| BOOLEAN | g_ExecutingScript = FALSE |
| Shows whether the target is executing a script form '.script' command or executing script by an argument. | |
| BOOLEAN | g_BreakPrintingOutput = FALSE |
| Shows whether the pause command or CTRL+C or CTRL+Break is executed or not. | |
| BOOLEAN | g_IsExecutingSymbolLoadingRoutines = FALSE |
| Executing symbol reloading or downloading routines. | |
| std::map< UINT64, LOCAL_FUNCTION_DESCRIPTION > | g_DisassemblerSymbolMap |
| Symbol table for disassembler. | |
| BOOLEAN | g_TransparentResultsMeasured = FALSE |
| Shows whether the user executed and mesaured '!measure' command or not, it is because we want to use these measurements later in '!hide' command. | |
| UINT64 | g_CpuidAverage = 0 |
| The average calculated from the measurements of cpuid '!measure' command. | |
| UINT64 | g_CpuidStandardDeviation = 0 |
| The standard deviation calculated from the measurements of cpuid '!measure' command. | |
| UINT64 | g_CpuidMedian = 0 |
| The median calculated from the measurements of cpuid '!measure' command. | |
| UINT64 | g_RdtscAverage = 0 |
| The average calculated from the measurements of rdtsc/p '!measure' command. | |
| UINT64 | g_RdtscStandardDeviation = 0 |
| The standard deviation calculated from the measurements of rdtsc/p '!measure' command. | |
| UINT64 | g_RdtscMedian = 0 |
| The median calculated from the measurements of rdtsc/p '!measure' command. | |
| BOOLEAN | g_IsInstrumentingInstructions = FALSE |
| Shows whether the user is running 't', 'p', or 'i' command. | |
| UINT64 | g_KernelBaseAddress |
| Shows the kernel base address. | |
| BOOLEAN | g_AutoUnpause = TRUE |
| Whether auto-unpause mode is enabled or not enabled. | |
| BOOLEAN | g_AddressConversion = TRUE |
| Whether converting addresses to object names or not. | |
| BOOLEAN | g_AutoFlush = FALSE |
| Whether auto-flush mode is enabled or not enabled. | |
| UINT32 | g_DisassemblerSyntax = 1 |
| Shows the syntax used in !u !u2 u u2 commands. | |
| PMODULE_SYMBOL_DETAIL | g_SymbolTable = NULL |
| The buffer that stores the details of symbol table. | |
| UINT32 | g_SymbolTableSize = NULL |
| The buffer that stores size of the details of symbol table. | |
| UINT32 | g_SymbolTableCurrentIndex = NULL |
| The index to hold the track of added symbols. | |
| UINT64 | g_ResultOfEvaluatedExpression = NULL |
| Result of the expression that is evaluated in the debuggee. | |
| UINT32 | g_ErrorStateOfResultOfEvaluatedExpression = NULL |
| Shows the state of the evaluation of expression which whether contains error or not. | |
| std::wstring | g_StartCommandPath = L"" |
| the start path used in .start command | |
| std::wstring | g_StartCommandPathAndArguments = L"" |
| the start arguments used in .start command | |
| UINT64 | g_CurrentExprEvalResult |
| global variable to save the result of script-engine statement tests | |
| BOOLEAN | g_CurrentExprEvalResultHasError |
| global variable to detect if there was an error in the result of script-engine statement tests | |
| HWDBG_INSTANCE_INFORMATION | g_HwdbgInstanceInfo |
| Instance information of the current hwdbg debuggee. | |
| BOOLEAN | g_HwdbgInstanceInfoIsValid |
| Shows whether the instance info is valid (received) or not. | |
| std::vector< UINT32 > | g_HwdbgPortConfiguration |
| Ports configuration of hwdbg. | |
Global Variables for user-mode interface.
| ACTIVE_DEBUGGING_PROCESS g_ActiveProcessDebuggingState = {0} |
State of active debugging thread.
Whether converting addresses to object names or not.
it is enabled by default
Whether auto-flush mode is enabled or not enabled.
it is disabled by default
Whether auto-unpause mode is enabled or not enabled.
it is enabled by default
Shows whether the pause command or CTRL+C or CTRL+Break is executed or not.
| SOCKET g_ClientConnectSocket = {0} |
The socket object of host debugger (not debuggee) it is because in HyperDbg, debuggee is server and debugger is a client.
| CommandType g_CommandsList |
List of command and attributes.
| UINT64 g_CpuidAverage = 0 |
The average calculated from the measurements of cpuid '!measure' command.
| UINT64 g_CpuidMedian = 0 |
The median calculated from the measurements of cpuid '!measure' command.
| UINT64 g_CpuidStandardDeviation = 0 |
The standard deviation calculated from the measurements of cpuid '!measure' command.
| UINT64 g_CurrentExprEvalResult |
global variable to save the result of script-engine statement tests
| BOOLEAN g_CurrentExprEvalResultHasError |
global variable to detect if there was an error in the result of script-engine statement tests
| ULONG g_CurrentRemoteCore = DEBUGGER_DEBUGGEE_IS_RUNNING_NO_CORE |
Current core that the debuggee is debugging.
| BYTE g_CurrentRunningInstruction[MAXIMUM_INSTR_SIZE] = {0} |
Current executing instructions.
| DEBUGGER_EVENT_AND_ACTION_RESULT g_DebuggeeResultOfAddingActionsToEvent |
Holds the result of adding action to events from the remote debuggee.
| DEBUGGER_EVENT_AND_ACTION_RESULT g_DebuggeeResultOfRegisteringEvent = {0} |
Holds the result of registering events from the remote debuggee.
| HANDLE g_DebuggeeStopCommandEventHandle = NULL |
An event to make sure that the user won't give any command in debuggee and all the commands are coming from just the debugger.
| HANDLE g_DeviceHandle |
Holds the global handle of device which is used to send the request to the kernel by IOCTL, this handle is not used for IRP Pending of message tracing this handle is used in KD VMM.
| std::map<UINT64, LOCAL_FUNCTION_DESCRIPTION> g_DisassemblerSymbolMap |
Symbol table for disassembler.
| UINT32 g_DisassemblerSyntax = 1 |
Shows the syntax used in !u !u2 u u2 commands.
INTEL = 1, ATT = 2, MASM = 3
| TCHAR g_DriverLocation[MAX_PATH] = {0} |
Holds the location driver to install it.
| TCHAR g_DriverName[MAX_PATH] = {0} |
Holds the name of the driver to install it.
| BYTE g_EndOfBufferCheckSerial[SERIAL_END_OF_BUFFER_CHARS_COUNT] |
the buffer that we set at the end of buffers for serial
| BYTE g_EndOfBufferCheckTcp[TCP_END_OF_BUFFER_CHARS_COUNT] |
the buffer that we set at the end of buffers for tcp connection
| HANDLE g_EndOfMessageReceivedEvent = NULL |
Handle to if the end of the message received (for showing signature)
| UINT32 g_ErrorStateOfResultOfEvaluatedExpression = NULL |
Shows the state of the evaluation of expression which whether contains error or not.
| UINT64 g_EventTag = DebuggerEventTagStartSeed |
This variable holds the trace and generate numbers for new tags of events.
| LIST_ENTRY g_EventTrace = {0} |
Holds a list of events in kernel and the state of events and the commands to show the state of each command (disabled/enabled)
this list is not have any relation with the things that HyperDbg holds for each event in the kernel
it shows whether the debugger started using events or not or in other words, is g_EventTrace initialized with a variable or it is empty
Shows whether the target is executing a script form '.script' command or executing script by an argument.
| HWDBG_INSTANCE_INFORMATION g_HwdbgInstanceInfo |
Instance information of the current hwdbg debuggee.
| BOOLEAN g_HwdbgInstanceInfoIsValid |
Shows whether the instance info is valid (received) or not.
| std::vector<UINT32> g_HwdbgPortConfiguration |
Ports configuration of hwdbg.
Shows if the debugger should show debuggee's messages or not.
Show whether the pause request (CTRL+C or CTRL+BREAK) should be ignored or not.
| UINT32 g_InterpreterCountOfOpenCurlyBrackets = 0 |
Keeps the trace of curly brackets in the interpreter.
Shows whether the user is allowed to use 'load' command to load modules locally in VMI (virtual machine introspection) mode.
Shows whether the current debugger is the host and connected to a remote debuggee (guest)
Shows whether the current system is a guest (debuggee) and a remote debugger is connected to this system.
Shows if the debuggee is in the handshake phase or not.
Shows if the debugger is connected to the guest using named pipe.
this variable is used to indicate that modules are loaded so we make sure to later use a trace of loading in 'unload' command (used in Debugger VMM)
| HANDLE g_IsDriverLoadedSuccessfully = NULL |
Handle to show that if the debugger is loaded successfully.
variable to keep track if the end of the message received (for showing signature)
Executing symbol reloading or downloading routines.
Shows whether the user is running 't', 'p', or 'i' command.
shows whether the interpreter is currently on a string or not
Is interpreter encountered a back slash at previous run.
whether the Current executing instructions is 32-bit or 64 bit
Shows if the debugger was connected to remote debuggee over (A remote guest)
Shows if the debugger was connected to remote debugger (A remote host)
| BOOLEAN g_IsVmxOffProcessStart |
Shows whether the vmxoff process start or not.
| UINT64 g_KernelBaseAddress |
Shows the kernel base address.
| DEBUGGER_SYNCRONIZATION_EVENTS_STATE g_KernelSyncronizationObjectsHandleTable[DEBUGGER_MAXIMUM_SYNCRONIZATION_KERNEL_DEBUGGER_OBJECTS] = {0} |
In debugger (not debuggee), we save the handle of the user-mode listening thread for pauses here for kernel debugger.
Shows whether the '.logopen' command is executed and the log file is open or not.
| ofstream g_LogOpenFile |
The object of log file ('.logopen' command)
| PVOID g_MessageHandler = 0 |
The handler for ShowMessages function this is because the user might choose not to use printf and instead use his/her handler for showing messages.
| PVOID g_MessageHandlerSharedBuffer = 0 |
The shared buffer for the handler of ShowMessages function.
| LIST_ENTRY g_OutputSources = {0} |
Holds a list of output sources created by output command.
user-mode events and output sources are two separate things in HyperDbg
it shows whether the debugger started using output sources or not or in other words, is g_OutputSources initialized with a variable or it is empty
| UINT64 g_OutputSourceTag = DebuggerOutputSourceTagStartSeed |
This variable holds the trace and generate numbers for unique tag of the output resources.
| OVERLAPPED g_OverlappedIoStructureForReadDebuggee = {0} |
| OVERLAPPED g_OverlappedIoStructureForReadDebugger = {0} |
This is an OVERLAPPED structure for managing simultaneous read and writes for debugger (in current design debuggee is not needed to write simultaneously but it's needed for write)
| OVERLAPPED g_OverlappedIoStructureForWriteDebugger = {0} |
| UINT32 g_ProcessIdOfLatestStartingProcess = NULL |
The process id of the latest starting process.
| UINT64 g_RdtscAverage = 0 |
The average calculated from the measurements of rdtsc/p '!measure' command.
| UINT64 g_RdtscMedian = 0 |
The median calculated from the measurements of rdtsc/p '!measure' command.
| UINT64 g_RdtscStandardDeviation = 0 |
The standard deviation calculated from the measurements of rdtsc/p '!measure' command.
| HANDLE g_RemoteDebuggeeListeningThread = NULL |
In debugger (not debuggee), we save the ip of server debuggee in this variable to use it later e.g, in signature.
| UINT64 g_ResultOfEvaluatedExpression = NULL |
Result of the expression that is evaluated in the debuggee.
| UINT64* g_ScriptGlobalVariables |
Holder of global variables for script engine.
Holder of script engines global variables.
| UINT64* g_ScriptLocalVariables |
Holder of local variables for script engine.
| UINT64* g_ScriptTempVariables |
Holder of temp variables for script engine.
In both debuggee and debugger we save the state of the closed connection to avoid double close.
| HANDLE g_SerialListeningThreadHandle = NULL |
In debuggee and debugger, we save the handle of the user-mode listening thread for pauses here.
| HANDLE g_SerialRemoteComPortHandle = NULL |
In debugger (not debuggee), we save the handle of the user-mode listening thread for remote system here.
| string g_ServerIp = "" |
In debugger (not debuggee), we save the port of server debuggee in this variable to use it later e.g, in signature.
| SOCKET g_ServerListenSocket = {0} |
Server in debuggee needs an extra socket.
| string g_ServerPort = "" |
In debugger (not debuggee), we save the port of server debuggee in this variable to use it later e.g, in signature.
| SOCKET g_SeverSocket = {0} |
The socket object of guest debuggee (not debugger) it is because in HyperDbg, debugger is client and debuggee is a server.
| BOOLEAN g_ShouldPreviousCommandBeContinued |
Shows whether the previous command should be continued or not.
| std::wstring g_StartCommandPath = L"" |
the start path used in .start command
| std::wstring g_StartCommandPathAndArguments = L"" |
the start arguments used in .start command
| PMODULE_SYMBOL_DETAIL g_SymbolTable = NULL |
The buffer that stores the details of symbol table.
| UINT32 g_SymbolTableCurrentIndex = NULL |
The index to hold the track of added symbols.
| UINT32 g_SymbolTableSize = NULL |
The buffer that stores size of the details of symbol table.
| TCHAR g_TestLocation[MAX_PATH] = {0} |
Holds the location test-hyperdbg.exe.
Shows whether the user executed and mesaured '!measure' command or not, it is because we want to use these measurements later in '!hide' command.
Whether the user wants to use a custom driver location or not.
| DEBUGGER_SYNCRONIZATION_EVENTS_STATE g_UserSyncronizationObjectsHandleTable[DEBUGGER_MAXIMUM_SYNCRONIZATION_USER_DEBUGGER_OBJECTS] = {0} |
In debugger (not debuggee), we save the handle of the user-mode listening thread for pauses here for user debugger.
| UINT32 g_VirtualAddressWidth = 0 |
Virtual address width for x86 processors.
1.11.0