HyperDbg Debugger
Loading...
Searching...
No Matches
Functions
mode.cpp File Reference

!mode command More...

#include "pch.h"

Functions

VOID CommandModeHelp ()
 help of the !mode command
 
VOID CommandMode (vector< string > SplitCommand, string Command)
 !mode command handler
 

Detailed Description

!mode command

Author
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
Version
0.6
Date
2023-09-13
Copyright
This project is released under the GNU Public License v3.

Function Documentation

◆ CommandMode()

VOID CommandMode ( vector< string > SplitCommand,
string Command )

!mode command handler

Parameters
SplitCommand
Command
Returns
VOID
49{
50 PDEBUGGER_GENERAL_EVENT_DETAIL Event = NULL;
51 PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger = NULL;
52 PDEBUGGER_GENERAL_ACTION ActionCustomCode = NULL;
53 PDEBUGGER_GENERAL_ACTION ActionScript = NULL;
54 UINT32 EventLength;
55 UINT32 ActionBreakToDebuggerLength = 0;
56 UINT32 ActionCustomCodeLength = 0;
57 UINT32 ActionScriptLength = 0;
58 vector<string> SplitCommandCaseSensitive {Split(Command, ' ')};
59 DEBUGGER_EVENT_PARSING_ERROR_CAUSE EventParsingErrorCause;
60 BOOLEAN SetMode = FALSE;
61 DEBUGGER_EVENT_MODE_TYPE TargetInterceptionMode = DEBUGGER_EVENT_MODE_TYPE_INVALID;
62
63 //
64 // Interpret and fill the general event and action fields
65 //
66 //
67 if (!InterpretGeneralEventAndActionsFields(
68 &SplitCommand,
69 &SplitCommandCaseSensitive,
70 TRAP_EXECUTION_MODE_CHANGED,
71 &Event,
72 &EventLength,
73 &ActionBreakToDebugger,
74 &ActionBreakToDebuggerLength,
75 &ActionCustomCode,
76 &ActionCustomCodeLength,
77 &ActionScript,
78 &ActionScriptLength,
79 &EventParsingErrorCause))
80 {
81 return;
82 }
83
84 //
85 // Check here to make sure that the user didn't specified the calling stages for this mode change execution trap
86 //
87 if (Event->EventStage != VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION)
88 {
89 ShowMessages("the utilization of 'post' or 'all' event calling stages is not meaningful "
90 "for the mode (user-mode/kernel-mode) change traps; therefore, this command does not support them\n");
91
92 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
93 return;
94 }
95
96 //
97 // Check for size
98 //
99 if (SplitCommand.size() > 2)
100 {
101 ShowMessages("incorrect use of the '!mode'\n");
102 CommandModeHelp();
103
104 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
105 return;
106 }
107
108 //
109 // Interpret command specific details (if any)
110 //
111 for (auto Section : SplitCommand)
112 {
113 if (!Section.compare("!mode"))
114 {
115 continue;
116 }
117 else if (!Section.compare("u") && !SetMode)
118 {
119 TargetInterceptionMode = DEBUGGER_EVENT_MODE_TYPE_USER_MODE;
120 SetMode = TRUE;
121 }
122 else if (!Section.compare("k") && !SetMode)
123 {
124 TargetInterceptionMode = DEBUGGER_EVENT_MODE_TYPE_KERNEL_MODE;
125 SetMode = TRUE;
126 }
127 else if ((!Section.compare("uk") || !Section.compare("ku")) && !SetMode)
128 {
129 TargetInterceptionMode = DEBUGGER_EVENT_MODE_TYPE_USER_MODE_AND_KERNEL_MODE;
130 SetMode = TRUE;
131 }
132 else
133 {
134 //
135 // Couldn't resolve or unknown parameter
136 //
137 ShowMessages("err, couldn't resolve error at '%s'\n\n",
138 Section.c_str());
139
140 CommandModeHelp();
141
142 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
143 }
144 }
145
146 //
147 // Check if user specified the execution mode or not
148 //
149 if (!SetMode)
150 {
151 ShowMessages("please specify the mode(s) that you want to intercept their execution (u, k, ku)\n");
152
153 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
154 return;
155 }
156
157 //
158 // Check if user specified the process id or not
159 //
160 if (Event->ProcessId == DEBUGGER_EVENT_APPLY_TO_ALL_PROCESSES)
161 {
162 ShowMessages("this event only applies to the selected process(es). please specify "
163 "the 'pid' or the process id of the target process that you want to trap its execution\n");
164
165 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
166 return;
167 }
168
169 //
170 // Set the first parameter to the required execution mode
171 //
172 Event->Options.OptionalParam1 = (UINT64)TargetInterceptionMode;
173
174 //
175 // Send the ioctl to the kernel for event registration
176 //
177 if (!SendEventToKernel(Event, EventLength))
178 {
179 //
180 // There was an error, probably the handle was not initialized
181 // we have to free the Action before exit, it is because, we
182 // already freed the Event and string buffers
183 //
184
185 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
186 return;
187 }
188
189 //
190 // Add the event to the kernel
191 //
192 if (!RegisterActionToEvent(Event,
193 ActionBreakToDebugger,
194 ActionBreakToDebuggerLength,
195 ActionCustomCode,
196 ActionCustomCodeLength,
197 ActionScript,
198 ActionScriptLength))
199 {
200 //
201 // There was an error
202 //
203
204 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
205 return;
206 }
207}
BOOLEAN
UCHAR BOOLEAN
Definition BasicTypes.h:39
TRUE
#define TRUE
Definition BasicTypes.h:55
FALSE
#define FALSE
Definition BasicTypes.h:54
UINT64
unsigned __int64 UINT64
Definition BasicTypes.h:21
UINT32
unsigned int UINT32
Definition BasicTypes.h:48
DEBUGGER_EVENT_APPLY_TO_ALL_PROCESSES
#define DEBUGGER_EVENT_APPLY_TO_ALL_PROCESSES
Apply the event to all the processes.
Definition Constants.h:617
VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION
@ VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION
Definition DataTypes.h:93
Split
const vector< string > Split(const string &s, const char &c)
general split command
Definition common.cpp:117
FreeEventsAndActionsMemory
VOID FreeEventsAndActionsMemory(PDEBUGGER_GENERAL_EVENT_DETAIL Event, PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger, PDEBUGGER_GENERAL_ACTION ActionCustomCode, PDEBUGGER_GENERAL_ACTION ActionScript)
Deallocate buffers relating to events and actions.
Definition debugger.cpp:2292
InterpretGeneralEventAndActionsFields
BOOLEAN InterpretGeneralEventAndActionsFields(vector< string > *SplitCommand, vector< string > *SplitCommandCaseSensitive, VMM_EVENT_TYPE_ENUM EventType, PDEBUGGER_GENERAL_EVENT_DETAIL *EventDetailsToFill, PUINT32 EventBufferLength, PDEBUGGER_GENERAL_ACTION *ActionDetailsToFillBreakToDebugger, PUINT32 ActionBufferLengthBreakToDebugger, PDEBUGGER_GENERAL_ACTION *ActionDetailsToFillCustomCode, PUINT32 ActionBufferLengthCustomCode, PDEBUGGER_GENERAL_ACTION *ActionDetailsToFillScript, PUINT32 ActionBufferLengthScript, PDEBUGGER_EVENT_PARSING_ERROR_CAUSE ReasonForErrorInParsing)
Interpret general event fields.
Definition debugger.cpp:2342
SendEventToKernel
BOOLEAN SendEventToKernel(PDEBUGGER_GENERAL_EVENT_DETAIL Event, UINT32 EventBufferLength)
Register the event to the kernel.
Definition debugger.cpp:1969
RegisterActionToEvent
BOOLEAN RegisterActionToEvent(PDEBUGGER_GENERAL_EVENT_DETAIL Event, PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger, UINT32 ActionBreakToDebuggerLength, PDEBUGGER_GENERAL_ACTION ActionCustomCode, UINT32 ActionCustomCodeLength, PDEBUGGER_GENERAL_ACTION ActionScript, UINT32 ActionScriptLength)
Register the action to the event.
Definition debugger.cpp:2086
TRAP_EXECUTION_MODE_CHANGED
@ TRAP_EXECUTION_MODE_CHANGED
Definition Events.h:169
DEBUGGER_EVENT_MODE_TYPE_KERNEL_MODE
@ DEBUGGER_EVENT_MODE_TYPE_KERNEL_MODE
Definition Events.h:207
DEBUGGER_EVENT_MODE_TYPE_USER_MODE_AND_KERNEL_MODE
@ DEBUGGER_EVENT_MODE_TYPE_USER_MODE_AND_KERNEL_MODE
Definition Events.h:205
DEBUGGER_EVENT_MODE_TYPE_INVALID
@ DEBUGGER_EVENT_MODE_TYPE_INVALID
Definition Events.h:208
DEBUGGER_EVENT_MODE_TYPE_USER_MODE
@ DEBUGGER_EVENT_MODE_TYPE_USER_MODE
Definition Events.h:206
DEBUGGER_EVENT_MODE_TYPE
enum _DEBUGGER_EVENT_MODE_TYPE DEBUGGER_EVENT_MODE_TYPE
Type of mode change traps.
DEBUGGER_EVENT_PARSING_ERROR_CAUSE
enum _DEBUGGER_EVENT_PARSING_ERROR_CAUSE DEBUGGER_EVENT_PARSING_ERROR_CAUSE
Reason for error in parsing commands.
ShowMessages
VOID ShowMessages(const char *Fmt,...)
Show messages.
Definition libhyperdbg.cpp:96
CommandModeHelp
VOID CommandModeHelp()
help of the !mode command
Definition mode.cpp:20
test-case-generator.NULL
NULL()
Definition test-case-generator.py:530
_DEBUGGER_EVENT_OPTIONS::OptionalParam1
UINT64 OptionalParam1
Definition Events.h:272
_DEBUGGER_GENERAL_ACTION
Each event can have multiple actions.
Definition Events.h:406
_DEBUGGER_GENERAL_EVENT_DETAIL
Each command is like the following struct, it also used for tracing works in user mode and sending it...
Definition Events.h:350
_DEBUGGER_GENERAL_EVENT_DETAIL::Options
DEBUGGER_EVENT_OPTIONS Options
Definition Events.h:391
_DEBUGGER_GENERAL_EVENT_DETAIL::EventStage
VMM_CALLBACK_EVENT_CALLING_STAGE_TYPE EventStage
Definition Events.h:369
_DEBUGGER_GENERAL_EVENT_DETAIL::ProcessId
UINT32 ProcessId
Definition Events.h:360

◆ CommandModeHelp()

VOID CommandModeHelp ( )

help of the !mode command

Returns
VOID
21{
22 ShowMessages("!mode : traps (and possibly blocks) the execution of user-mode/kernel-mode instructions.\n\n");
23
24 ShowMessages("syntax : \t!mode [Mode (string)] [pid ProcessId (hex)] [core CoreId (hex)] [imm IsImmediate (yesno)] "
25 "[sc EnableShortCircuiting (onoff)] [buffer PreAllocatedBuffer (hex)] [script { Script (string) }] "
26 "[asm condition { Condition (assembly/hex) }] [asm code { Code (assembly/hex) }] [output {OutputName (string)}]\n");
27
28 ShowMessages("\n");
29 ShowMessages("\t\te.g : !mode u pid 1c0\n");
30 ShowMessages("\t\te.g : !mode k pid 1c0\n");
31 ShowMessages("\t\te.g : !mode ku pid 1c0\n");
32 ShowMessages("\t\te.g : !mode ku core 2 pid 400\n");
33 ShowMessages("\t\te.g : !mode u pid 1c0 script { printf(\"kernel -> user transition occurred!\\n\"); }\n");
34 ShowMessages("\t\te.g : !mode ku pid 1c0 asm code { nop; nop; nop }\n");
35
36 ShowMessages("\n");
37 ShowMessages("note: this event applies to the target process; thus, you need to specify the process id\n");
38}