libhyperdbg.cpp File Reference

Main interface to connect applications to driver. More...

#include "pch.h"

Functions
VOID	SetTextMessageCallback (PVOID Handler)
	Set the function callback that will be called if any message needs to be shown.
PVOID	SetTextMessageCallbackUsingSharedBuffer (PVOID Handler)
	Set the function callback that will be called if any message needs to be shown.
VOID	UnsetTextMessageCallback ()
	Unset the function callback that will be called if any message needs to be shown.
VOID	ShowMessages (const char *Fmt,...)
	Show messages.
VOID	ReadIrpBasedBuffer ()
	Read kernel buffers using IRP Pending.
DWORD WINAPI	IrpBasedBufferThread (void *data)
	Create a thread for pending buffers.
INT	HyperDbgInstallVmmDriver ()
	Install VMM driver.
int	HyperDbgStopDriver (LPCTSTR DriverName)
	Stop the driver.
INT	HyperDbgStopVmmDriver ()
	Stop VMM driver.
int	HyperDbgUninstallDriver (LPCTSTR DriverName)
	Remove the driver.
INT	HyperDbgUninstallVmmDriver ()
	Remove the VMM driver.
INT	HyperDbgCreateHandleFromVmmModule ()
	Create handle from VMM module.
INT	HyperDbgUnloadVmm ()
	Unload VMM driver.
INT	HyperDbgLoadVmmModule ()
	load vmm module

Variables
HANDLE	g_DeviceHandle
	Holds the global handle of device which is used to send the request to the kernel by IOCTL, this handle is not used for IRP Pending of message tracing this handle is used in KD VMM.
HANDLE	g_IsDriverLoadedSuccessfully
	Handle to show that if the debugger is loaded successfully.
BOOLEAN	g_IsVmxOffProcessStart
	Shows whether the vmxoff process start or not.
PVOID	g_MessageHandler
	The handler for ShowMessages function this is because the user might choose not to use printf and instead use his/her handler for showing messages.
PVOID	g_MessageHandlerSharedBuffer
	The shared buffer for the handler of ShowMessages function.
TCHAR	g_DriverLocation [MAX_PATH]
	Holds the location driver to install it.
TCHAR	g_DriverName [MAX_PATH]
	Holds the name of the driver to install it.
BOOLEAN	g_UseCustomDriverLocation
	Whether the user wants to use a custom driver location or not.
LIST_ENTRY	g_EventTrace
	Holds a list of events in kernel and the state of events and the commands to show the state of each command (disabled/enabled)
BOOLEAN	g_LogOpened
	Shows whether the '.logopen' command is executed and the log file is open or not.
BOOLEAN	g_BreakPrintingOutput
	Shows whether the pause command or CTRL+C or CTRL+Break is executed or not.
BOOLEAN	g_IsConnectedToRemoteDebugger
	Shows whether the current system is a guest (debuggee) and a remote debugger is connected to this system.
BOOLEAN	g_OutputSourcesInitialized
	it shows whether the debugger started using output sources or not or in other words, is g_OutputSources initialized with a variable or it is empty
BOOLEAN	g_IsSerialConnectedToRemoteDebugger
	Shows if the debugger was connected to remote debugger (A remote host)
BOOLEAN	g_IsDebuggerModulesLoaded
	this variable is used to indicate that modules are loaded so we make sure to later use a trace of loading in 'unload' command (used in Debugger VMM)
BOOLEAN	g_IsReversingMachineModulesLoaded
LIST_ENTRY	g_OutputSources
	Holds a list of output sources created by output command.

Detailed Description

Main interface to connect applications to driver.

Author

Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)

Version

0.1

Date

2020-04-11

Copyright

This project is released under the GNU Public License v3.

Function Documentation

HyperDbgCreateHandleFromVmmModule()

INT HyperDbgCreateHandleFromVmmModule

(

)

Create handle from VMM module.

Returns

INT return zero if it was successful or non-zero if there was error

lpSecurityAttirbutes

lpTemplateFile

{
    DWORD ErrorNum;
    DWORD ThreadId;
 
    if (g_DeviceHandle)
    {
        ShowMessages("handle of the driver found, if you use 'load' before, please "
                     "unload it using 'unload'\n");
        return 1;
    }
 
    //
    // Make sure that this variable is false, because it might be set to
    // true as the result of a previous load
    //
    g_IsVmxOffProcessStart = FALSE;
 
    //
    // Init entering vmx
    //
    g_DeviceHandle = CreateFileA(
        "\\\\.\\HyperDbgDebuggerDevice",
        GENERIC_READ | GENERIC_WRITE,
        FILE_SHARE_READ | FILE_SHARE_WRITE,
        NULL, 
        OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL | FILE_FLAG_OVERLAPPED,
        NULL); 
 
    if (g_DeviceHandle == INVALID_HANDLE_VALUE)
    {
        ErrorNum = GetLastError();
        if (ErrorNum == ERROR_ACCESS_DENIED)
        {
            ShowMessages("err, access denied\nare you sure you have administrator "
                         "rights?\n");
        }
        else if (ErrorNum == ERROR_GEN_FAILURE)
        {
            ShowMessages("err, a device attached to the system is not functioning\n"
                         "vmx feature might be disabled from BIOS or VBS/HVCI is active\n");
        }
        else
        {
            ShowMessages("err, CreateFile failed (%x)\n", ErrorNum);
        }
 
        g_DeviceHandle = NULL;
        return 1;
    }
 
    //
    // Initialize the list of events
    //
    InitializeListHead(&g_EventTrace);
 
#if !UseDbgPrintInsteadOfUsermodeMessageTracking
    HANDLE Thread = CreateThread(NULL, 0, IrpBasedBufferThread, NULL, 0, &ThreadId);
 
    // if (Thread)
    // {
    // ShowMessages("thread Created successfully\n");
    // }
 
#endif
 
    return 0;
}

HyperDbgInstallVmmDriver()

INT HyperDbgInstallVmmDriver

(

)

Install VMM driver.

Returns

INT return zero if it was successful or non-zero if there was error

{
    //
    // The driver is not started yet so let us the install driver
    // First setup full path to driver name
    //
 
    //
    // If the user has not specified a custom driver location, then we
    // need to find the driver in the same directory as the executable
    //
    if (!g_UseCustomDriverLocation)
    {
        if (!SetupPathForFileName(KERNEL_DEBUGGER_DRIVER_NAME_AND_EXTENSION, g_DriverLocation, sizeof(g_DriverLocation), TRUE))
        {
            return 1;
        }
 
        //
        // Use default driver name
        //
        strcpy_s(g_DriverName, KERNEL_DEBUGGER_DRIVER_NAME);
    }
 
    if (!ManageDriver(g_DriverName, g_DriverLocation, DRIVER_FUNC_INSTALL))
    {
        ShowMessages("unable to install VMM driver\n");
 
        //
        // Error - remove driver
        //
        ManageDriver(g_DriverName, g_DriverLocation, DRIVER_FUNC_REMOVE);
 
        return 1;
    }
 
    return 0;
}

HyperDbgLoadVmmModule()

INT HyperDbgLoadVmmModule

(

)

load vmm module

Returns

int return zero if it was successful or non-zero if there

{
    BOOL   Status;
    HANDLE hToken;
    char   CpuId[13] = {0};
 
    //
    // Enable Debug privilege
    //
    Status = OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken);
    if (!Status)
    {
        ShowMessages("err, OpenProcessToken failed (%x)\n", GetLastError());
        return 1;
    }
 
    Status = SetPrivilege(hToken, SE_DEBUG_NAME, TRUE);
    if (!Status)
    {
        CloseHandle(hToken);
        return 1;
    }
 
    //
    // Read the vendor string
    //
    CpuReadVendorString(CpuId);
 
    ShowMessages("current processor vendor is : %s\n", CpuId);
 
    if (strcmp(CpuId, "GenuineIntel") == 0)
    {
        ShowMessages("virtualization technology is vt-x\n");
    }
    else
    {
        ShowMessages("this program is not designed to run in a non-VT-x "
                     "environment !\n");
        return 1;
    }
 
    if (VmxSupportDetection())
    {
        ShowMessages("vmx operation is supported by your processor\n");
    }
    else
    {
        ShowMessages("vmx operation is not supported by your processor\n");
        return 1;
    }
 
    //
    // Create event to show if the hypervisor is loaded or not
    //
    g_IsDriverLoadedSuccessfully = CreateEvent(NULL, FALSE, FALSE, NULL);
 
    if (HyperDbgCreateHandleFromVmmModule() == 1)
    {
        //
        // No need to handle anymore
        //
        CloseHandle(g_IsDriverLoadedSuccessfully);
        return 1;
    }
 
    //
    // Vmm module (Hypervisor) is loaded
    //
 
    //
    // We wait for the first message from the kernel debugger to continue
    //
    WaitForSingleObject(
        g_IsDriverLoadedSuccessfully,
        INFINITE);
 
    //
    // No need to handle anymore
    //
    CloseHandle(g_IsDriverLoadedSuccessfully);
 
    //
    // If we reach here so the module are loaded
    //
    g_IsDebuggerModulesLoaded = TRUE;
 
    ShowMessages("vmm module is running...\n");
 
    return 0;
}

HyperDbgStopDriver()

int HyperDbgStopDriver

(

LPCTSTR

DriverName

)

Stop the driver.

Returns

int return zero if it was successful or non-zero if there was error

{
    //
    // Unload the driver if loaded
    //
    if (g_DriverLocation[0] != (TCHAR)0 && ManageDriver(DriverName, g_DriverLocation, DRIVER_FUNC_STOP))
    {
        return 0;
    }
    else
    {
        return 1;
    }
}

HyperDbgStopVmmDriver()

INT HyperDbgStopVmmDriver

(

)

Stop VMM driver.

Returns

INT return zero if it was successful or non-zero if there was error

{
    return HyperDbgStopDriver(g_DriverName);
}

HyperDbgUninstallDriver()

int HyperDbgUninstallDriver

(

LPCTSTR

DriverName

)

Remove the driver.

Returns

int return zero if it was successful or non-zero if there was error

{
    //
    // Unload the driver if loaded.  Ignore any errors
    //
    if (g_DriverLocation[0] != (TCHAR)0 && ManageDriver(DriverName, g_DriverLocation, DRIVER_FUNC_REMOVE))
    {
        return 0;
    }
    else
    {
        return 1;
    }
}

HyperDbgUninstallVmmDriver()

INT HyperDbgUninstallVmmDriver

(

)

Remove the VMM driver.

Returns

INT return zero if it was successful or non-zero if there was error

{
    return HyperDbgUninstallDriver(g_DriverName);
}

HyperDbgUnloadVmm()

INT HyperDbgUnloadVmm

(

)

Unload VMM driver.

Returns

INT return zero if it was successful or non-zero if there was error

{
    BOOL Status;
 
    AssertShowMessageReturnStmt(g_DeviceHandle, ASSERT_MESSAGE_DRIVER_NOT_LOADED, AssertReturnOne);
 
    ShowMessages("start terminating...\n");
 
    //
    // Uninitialize the user debugger if it's initialized
    //
    UdUninitializeUserDebugger();
 
    //
    // Send IOCTL to mark complete all IRP Pending
    //
    Status = DeviceIoControl(g_DeviceHandle,      // Handle to device
                             IOCTL_TERMINATE_VMX, // IO Control Code (IOCTL)
                             NULL,                // Input Buffer to driver.
                             0,                   // Length of input buffer in bytes. (x 2 is bcuz
                                                  // as the driver is x64 and has 64 bit values)
                             NULL,                // Output Buffer from driver.
                             0,                   // Length of output buffer in bytes.
                             NULL,                // Bytes placed in buffer.
                             NULL                 // synchronous call
    );
 
    //
    // wait to make sure we don't use an invalid handle in another Ioctl
    //
    if (!Status)
    {
        ShowMessages("ioctl failed with code 0x%x\n", GetLastError());
        return 1;
    }
 
    //
    // Send IOCTL to mark complete all IRP Pending
    //
    Status = DeviceIoControl(
        g_DeviceHandle,                                      // Handle to device
        IOCTL_RETURN_IRP_PENDING_PACKETS_AND_DISALLOW_IOCTL, // IO
                                                             // Control
                                                             // code
        NULL,                                                // Input Buffer to driver.
        0,                                                   // Length of input buffer in bytes. (x 2 is bcuz as the
                                                             // driver is x64 and has 64 bit values)
        NULL,                                                // Output Buffer from driver.
        0,                                                   // Length of output buffer in bytes.
        NULL,                                                // Bytes placed in buffer.
        NULL                                                 // synchronous call
    );
 
    //
    // wait to make sure we don't use an invalid handle in another Ioctl
    //
    if (!Status)
    {
        ShowMessages("ioctl failed with code 0x%x\n", GetLastError());
        return 1;
    }
 
    //
    // Indicate that the finish process start or not
    //
    g_IsVmxOffProcessStart = TRUE;
 
    Sleep(1000); // Wait so next thread can return from IRP Pending
 
    //
    // Send IRP_MJ_CLOSE to driver to terminate Vmxs
    //
    if (!CloseHandle(g_DeviceHandle))
    {
        ShowMessages("err, closing handle 0x%x\n", GetLastError());
        return 1;
    };
 
    //
    // Null the handle to indicate that the driver's device is not ready
    // to use
    //
    g_DeviceHandle = NULL;
 
    //
    // Debugger module is not loaded anymore
    //
    g_IsDebuggerModulesLoaded = FALSE;
 
    //
    // Check if we found an already built symbol table
    //
    SymbolDeleteSymTable();
 
    ShowMessages("you're not on HyperDbg's hypervisor anymore!\n");
 
    return 0;
}

IrpBasedBufferThread()

DWORD WINAPI IrpBasedBufferThread

(

void *

data

)

Create a thread for pending buffers.

Parameters

Data

Returns

DWORD Device Handle

{
    //
    // Do stuff.  This will be the first function called on the new
    // thread. When this function returns, the thread goes away.  See
    // MSDN for more details. Test Irp Based Notifications
    //
    ReadIrpBasedBuffer();
 
    return 0;
}

ReadIrpBasedBuffer()

VOID ReadIrpBasedBuffer

(

)

Read kernel buffers using IRP Pending.

Parameters

Device

Driver handle

Returns

VOID

lpSecurityAttirbutes

lpTemplateFile

{
    BOOL                   Status;
    ULONG                  ReturnedLength;
    REGISTER_NOTIFY_BUFFER RegisterEvent;
    UINT32                 OperationCode;
    DWORD                  ErrorNum;
    HANDLE                 Handle;
 
    RegisterEvent.hEvent = NULL;
    RegisterEvent.Type   = IRP_BASED;
 
    //
    // Create another handle to be used in for reading kernel messages,
    // it is because I noticed that if I use a same handle for IRP Pending
    // and other IOCTLs then if I complete that IOCTL then both of the current
    // IOCTL and the Pending IRP are completed and return to user mode,
    // even if it's odd but that what happens, so this way we can solve it
    // if you know why this problem happens, then contact me !
    //
    Handle = CreateFileA(
        "\\\\.\\HyperDbgDebuggerDevice",
        GENERIC_READ | GENERIC_WRITE,
        FILE_SHARE_READ | FILE_SHARE_WRITE,
        NULL, 
        OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL | FILE_FLAG_OVERLAPPED,
        NULL); 
 
    if (Handle == INVALID_HANDLE_VALUE)
    {
        ErrorNum = GetLastError();
 
        if (ErrorNum == ERROR_ACCESS_DENIED)
        {
            ShowMessages("err, access denied\nare you sure you have administrator "
                         "rights?\n");
        }
        else if (ErrorNum == ERROR_GEN_FAILURE)
        {
            ShowMessages("err, a device attached to the system is not functioning\n"
                         "vmx feature might be disabled from BIOS or VBS/HVCI is active\n");
        }
        else
        {
            ShowMessages("err, CreateFile failed with (%x)\n", ErrorNum);
        }
 
        g_DeviceHandle = NULL;
        Handle         = NULL;
 
        return;
    }
 
    //
    // allocate buffer for transferring messages
    //
    char * OutputBuffer = (char *)malloc(UsermodeBufferSize);
 
    try
    {
        while (TRUE)
        {
            if (!g_IsVmxOffProcessStart)
            {
                //
                // Clear the buffer
                //
                ZeroMemory(OutputBuffer, UsermodeBufferSize);
 
                Sleep(DefaultSpeedOfReadingKernelMessages); // we're not trying to eat all of the CPU ;)
 
                Status = DeviceIoControl(
                    Handle,                    // Handle to device
                    IOCTL_REGISTER_EVENT,      // IO Control Code (IOCTL)
                    &RegisterEvent,            // Input Buffer to driver.
                    SIZEOF_REGISTER_EVENT * 2, // Length of input buffer in bytes. (x 2 is bcuz as the
                                               // driver is x64 and has 64 bit values)
                    OutputBuffer,              // Output Buffer from driver.
                    UsermodeBufferSize,        // Length of output buffer in bytes.
                    &ReturnedLength,           // Bytes placed in buffer.
                    NULL                       // synchronous call
                );
 
                if (!Status)
                {
                    //
                    // Error occurred for second time, and we show the error message
                    //
                    // ShowMessages("ioctl failed with code 0x%x\n", GetLastError());
 
                    //
                    // if we reach here, the packet is probably failed, it might
                    // be because of using flush command
                    //
                    continue;
                }
 
                //
                // Compute the received buffer's operation code
                //
                OperationCode = 0;
                memcpy(&OperationCode, OutputBuffer, sizeof(UINT32));
 
                /*
        ShowMessages("Returned Length : 0x%x \n", ReturnedLength);
        ShowMessages("Operation Code : 0x%x \n", OperationCode);
                */
 
                switch (OperationCode)
                {
                case OPERATION_LOG_NON_IMMEDIATE_MESSAGE:
 
                    if (g_BreakPrintingOutput)
                    {
                        //
                        // means that the user asserts a CTRL+C or CTRL+BREAK Signal
                        // we shouldn't show or save anything in this case
                        //
                        continue;
                    }
 
                    ShowMessages("%s", OutputBuffer + sizeof(UINT32));
 
                    break;
                case OPERATION_LOG_INFO_MESSAGE:
 
                    if (g_BreakPrintingOutput)
                    {
                        //
                        // means that the user asserts a CTRL+C or CTRL+BREAK Signal
                        // we shouldn't show or save anything in this case
                        //
                        continue;
                    }
 
                    ShowMessages("%s", OutputBuffer + sizeof(UINT32));
 
                    break;
                case OPERATION_LOG_ERROR_MESSAGE:
                    if (g_BreakPrintingOutput)
                    {
                        //
                        // means that the user asserts a CTRL+C or CTRL+BREAK Signal
                        // we shouldn't show or save anything in this case
                        //
                        continue;
                    }
 
                    ShowMessages("%s", OutputBuffer + sizeof(UINT32));
 
                    break;
                case OPERATION_LOG_WARNING_MESSAGE:
 
                    if (g_BreakPrintingOutput)
                    {
                        //
                        // means that the user asserts a CTRL+C or CTRL+BREAK Signal
                        // we shouldn't show or save anything in this case
                        //
                        continue;
                    }
 
                    ShowMessages("%s", OutputBuffer + sizeof(UINT32));
 
                    break;
 
                case OPERATION_COMMAND_FROM_DEBUGGER_CLOSE_AND_UNLOAD_VMM:
 
                    KdCloseConnection();
 
                    break;
 
                case OPERATION_DEBUGGEE_USER_INPUT:
 
                    KdHandleUserInputInDebuggee((DEBUGGEE_USER_INPUT_PACKET *)(OutputBuffer + sizeof(UINT32)));
 
                    break;
 
                case OPERATION_DEBUGGEE_REGISTER_EVENT:
 
                    KdRegisterEventInDebuggee(
                        (PDEBUGGER_GENERAL_EVENT_DETAIL)(OutputBuffer + sizeof(UINT32)),
                        ReturnedLength);
 
                    break;
 
                case OPERATION_DEBUGGEE_ADD_ACTION_TO_EVENT:
 
                    KdAddActionToEventInDebuggee(
                        (PDEBUGGER_GENERAL_ACTION)(OutputBuffer + sizeof(UINT32)),
                        ReturnedLength);
 
                    break;
 
                case OPERATION_DEBUGGEE_CLEAR_EVENTS:
 
                    KdSendModifyEventInDebuggee(
                        (PDEBUGGER_MODIFY_EVENTS)(OutputBuffer + sizeof(UINT32)),
                        TRUE);
 
                    break;
 
                case OPERATION_DEBUGGEE_CLEAR_EVENTS_WITHOUT_NOTIFYING_DEBUGGER:
 
                    KdSendModifyEventInDebuggee(
                        (PDEBUGGER_MODIFY_EVENTS)(OutputBuffer + sizeof(UINT32)),
                        FALSE);
 
                    break;
 
                case OPERATION_HYPERVISOR_DRIVER_IS_SUCCESSFULLY_LOADED:
 
                    //
                    // Indicate that driver (Hypervisor) is loaded successfully
                    //
                    SetEvent(g_IsDriverLoadedSuccessfully);
 
                    break;
 
                case OPERATION_HYPERVISOR_DRIVER_END_OF_IRPS:
 
                    //
                    // End of receiving messages (IRPs), nothing to do
                    //
                    break;
 
                case OPERATION_COMMAND_FROM_DEBUGGER_RELOAD_SYMBOL:
 
                    //
                    // Pause debugger after getting the results
                    //
                    KdReloadSymbolsInDebuggee(TRUE,
                                              ((PDEBUGGEE_SYMBOL_REQUEST_PACKET)(OutputBuffer + sizeof(UINT32)))->ProcessId);
 
                    break;
 
                case OPERATION_NOTIFICATION_FROM_USER_DEBUGGER_PAUSE:
 
                    //
                    // handle pausing packet from user debugger
                    //
                    UdHandleUserDebuggerPausing(
                        (PDEBUGGEE_UD_PAUSED_PACKET)(OutputBuffer + sizeof(UINT32)));
 
                    break;
 
                default:
 
                    //
                    // Check if there are available output sources
                    //
                    if (!g_OutputSourcesInitialized || !ForwardingCheckAndPerformEventForwarding(OperationCode,
                                                                                                 OutputBuffer + sizeof(UINT32),
                                                                                                 ReturnedLength - sizeof(UINT32) - 1))
                    {
                        if (g_BreakPrintingOutput)
                        {
                            //
                            // means that the user asserts a CTRL+C or CTRL+BREAK Signal
                            // we shouldn't show or save anything in this case
                            //
                            continue;
                        }
 
                        ShowMessages("%s", OutputBuffer + sizeof(UINT32));
                    }
 
                    break;
                }
            }
            else
            {
                //
                // the thread should not work anymore
                //
                free(OutputBuffer);
 
                //
                // closeHandle
                //
                if (!CloseHandle(Handle))
                {
                    ShowMessages("err, closing handle 0x%x\n", GetLastError());
                }
 
                return;
            }
        }
    }
    catch (const std::exception &)
    {
        ShowMessages("err, exception occurred in creating handle or parsing buffer\n");
    }
 
    free(OutputBuffer);
 
    //
    // closeHandle
    //
    if (!CloseHandle(Handle))
    {
        ShowMessages("err, closing handle 0x%x\n", GetLastError());
    };
}

SetTextMessageCallback()

VOID SetTextMessageCallback

(

PVOID

Handler

)

Set the function callback that will be called if any message needs to be shown.

Parameters

Handler

Function that handles the messages

Returns

VOID

{
    g_MessageHandler = Handler;
}

SetTextMessageCallbackUsingSharedBuffer()

PVOID SetTextMessageCallbackUsingSharedBuffer

(

PVOID

Handler

)

Set the function callback that will be called if any message needs to be shown.

Parameters

Handler

Function that handles the messages

Returns

PVOID

{
    g_MessageHandler             = Handler;
    g_MessageHandlerSharedBuffer = malloc(COMMUNICATION_BUFFER_SIZE + TCP_END_OF_BUFFER_CHARS_COUNT);
 
    if (!g_MessageHandlerSharedBuffer)
    {
        g_MessageHandler = NULL;
        return NULL;
    }
 
    RtlZeroMemory(g_MessageHandlerSharedBuffer, COMMUNICATION_BUFFER_SIZE + TCP_END_OF_BUFFER_CHARS_COUNT);
 
    return g_MessageHandlerSharedBuffer;
}

ShowMessages()

VOID ShowMessages	(	const char *	Fmt,
			... )

Show messages.

Parameters

Fmt	format string message
...	arguments

Returns

VOID

{
    va_list ArgList;
    va_list Args;
    char    TempMessage[COMMUNICATION_BUFFER_SIZE + TCP_END_OF_BUFFER_CHARS_COUNT] = {0};
 
    if (g_MessageHandler == NULL && !g_IsConnectedToRemoteDebugger && !g_IsSerialConnectedToRemoteDebugger)
    {
        va_start(Args, Fmt);
 
        vprintf(Fmt, Args);
 
        va_end(Args);
 
        if (!g_LogOpened)
        {
            return;
        }
    }
 
    va_start(ArgList, Fmt);
 
    int SprintfResult = vsprintf_s(TempMessage, Fmt, ArgList);
 
    va_end(ArgList);
 
    if (SprintfResult != -1)
    {
        if (g_IsConnectedToRemoteDebugger)
        {
            //
            // vsprintf_s and vswprintf_s return the number of characters written,
            // not including the terminating null character, or a negative value
            // if an output error occurs.
            //
            RemoteConnectionSendResultsToHost(TempMessage, SprintfResult);
        }
        else if (g_IsSerialConnectedToRemoteDebugger)
        {
            KdSendUsermodePrints(TempMessage, SprintfResult);
        }
 
        if (g_LogOpened)
        {
            //
            // .logopen command executed
            //
            LogopenSaveToFile(TempMessage);
        }
        if (g_MessageHandler != NULL)
        {
            //
            // There is another handler
            //
            if (g_MessageHandlerSharedBuffer == NULL)
            {
                ((SendMessageWithParamCallback)g_MessageHandler)(TempMessage);
            }
            else
            {
                memcpy(g_MessageHandlerSharedBuffer, TempMessage, strlen(TempMessage) + 1);
                ((SendMessageWWithSharedBufferCallback)g_MessageHandler)();
            }
        }
    }
}

UnsetTextMessageCallback()

VOID UnsetTextMessageCallback

(

)

Unset the function callback that will be called if any message needs to be shown.

Returns

VOID

{
    g_MessageHandler = NULL;
    free(g_MessageHandlerSharedBuffer);
    g_MessageHandlerSharedBuffer = NULL;
}

Variable Documentation

g_BreakPrintingOutput

BOOLEAN g_BreakPrintingOutput

extern

Shows whether the pause command or CTRL+C or CTRL+Break is executed or not.

g_DeviceHandle

HANDLE g_DeviceHandle

extern

Holds the global handle of device which is used to send the request to the kernel by IOCTL, this handle is not used for IRP Pending of message tracing this handle is used in KD VMM.

g_DriverLocation

TCHAR g_DriverLocation[MAX_PATH]

extern

Holds the location driver to install it.

{0};

g_DriverName

TCHAR g_DriverName[MAX_PATH]

extern

Holds the name of the driver to install it.

{0};

g_EventTrace

LIST_ENTRY g_EventTrace

extern

Holds a list of events in kernel and the state of events and the commands to show the state of each command (disabled/enabled)

this list is not have any relation with the things that HyperDbg holds for each event in the kernel

{0};

g_IsConnectedToRemoteDebugger

BOOLEAN g_IsConnectedToRemoteDebugger

extern

Shows whether the current system is a guest (debuggee) and a remote debugger is connected to this system.

g_IsDebuggerModulesLoaded

BOOLEAN g_IsDebuggerModulesLoaded

extern

this variable is used to indicate that modules are loaded so we make sure to later use a trace of loading in 'unload' command (used in Debugger VMM)

g_IsDriverLoadedSuccessfully

HANDLE g_IsDriverLoadedSuccessfully

extern

Handle to show that if the debugger is loaded successfully.

g_IsReversingMachineModulesLoaded

BOOLEAN g_IsReversingMachineModulesLoaded

extern

g_IsSerialConnectedToRemoteDebugger

BOOLEAN g_IsSerialConnectedToRemoteDebugger

extern

Shows if the debugger was connected to remote debugger (A remote host)

g_IsVmxOffProcessStart

BOOLEAN g_IsVmxOffProcessStart

extern

Shows whether the vmxoff process start or not.

g_LogOpened

BOOLEAN g_LogOpened

extern

Shows whether the '.logopen' command is executed and the log file is open or not.

g_MessageHandler

PVOID g_MessageHandler

extern

The handler for ShowMessages function this is because the user might choose not to use printf and instead use his/her handler for showing messages.

g_MessageHandlerSharedBuffer

PVOID g_MessageHandlerSharedBuffer

extern

The shared buffer for the handler of ShowMessages function.

g_OutputSources

LIST_ENTRY g_OutputSources

extern

Holds a list of output sources created by output command.

user-mode events and output sources are two separate things in HyperDbg

{0};

g_OutputSourcesInitialized

BOOLEAN g_OutputSourcesInitialized

extern

it shows whether the debugger started using output sources or not or in other words, is g_OutputSources initialized with a variable or it is empty

g_UseCustomDriverLocation

BOOLEAN g_UseCustomDriverLocation

extern

Whether the user wants to use a custom driver location or not.