HyperDbg Debugger
Loading...
Searching...
No Matches
monitor.cpp File Reference

!monitor command More...

#include "pch.h"

Functions

VOID CommandMonitorHelp ()
 help of the !monitor command
VOID CommandMonitor (vector< CommandToken > CommandTokens, string Command)
 !monitor command handler

Detailed Description

!monitor command

Author
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
Version
0.1
Date
2020-05-27

Function Documentation

◆ CommandMonitor()

VOID CommandMonitor ( vector< CommandToken > CommandTokens,
string Command )

!monitor command handler

Parameters
CommandTokens
Command
Returns
VOID
63{
65 PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger = NULL;
66 PDEBUGGER_GENERAL_ACTION ActionCustomCode = NULL;
67 PDEBUGGER_GENERAL_ACTION ActionScript = NULL;
68 UINT32 EventLength;
69 UINT32 ActionBreakToDebuggerLength = 0;
70 UINT32 ActionCustomCodeLength = 0;
71 UINT32 ActionScriptLength = 0;
72 UINT32 HookLength = 0;
73 UINT64 OptionalParam1 = 0; // Set the 'from' target address
74 UINT64 OptionalParam2 = 0; // Set the 'to' target address
75 BOOLEAN SetFrom = FALSE;
76 BOOLEAN SetTo = FALSE;
77 BOOLEAN IsNextLength = FALSE;
78 BOOLEAN LengthAlreadySet = FALSE;
79 BOOLEAN SetAttributes = FALSE;
80 BOOLEAN HookMemoryTypeSet = FALSE;
81 DEBUGGER_HOOK_MEMORY_TYPE HookMemoryType = DEBUGGER_MEMORY_HOOK_VIRTUAL_ADDRESS; // by default virtual address
82 DEBUGGER_EVENT_PARSING_ERROR_CAUSE EventParsingErrorCause;
83
84 if (CommandTokens.size() < 4)
85 {
86 ShowMessages("incorrect use of the '%s'\n\n",
87 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
88
90 return;
91 }
92
93 //
94 // Interpret and fill the general event and action fields
95 //
96 // We use HIDDEN_HOOK_READ_AND_WRITE here but it might be changed to
97 // HIDDEN_HOOK_READ or HIDDEN_HOOK_WRITE or other events it is because
98 // we are not sure what kind event the user need
99 //
101 &CommandTokens,
103 &Event,
104 &EventLength,
105 &ActionBreakToDebugger,
106 &ActionBreakToDebuggerLength,
107 &ActionCustomCode,
108 &ActionCustomCodeLength,
109 &ActionScript,
110 &ActionScriptLength,
111 &EventParsingErrorCause))
112 {
113 return;
114 }
115
116 //
117 // Interpret command specific details (if any)
118 //
119 for (auto Section : CommandTokens)
120 {
121 if (CompareLowerCaseStrings(Section, "!monitor"))
122 {
123 continue;
124 }
125 else if (IsNextLength)
126 {
127 if (!ConvertTokenToUInt32(Section, &HookLength))
128 {
129 ShowMessages("err, you should enter a valid length\n\n");
130 return;
131 }
132
133 IsNextLength = FALSE;
134 LengthAlreadySet = TRUE;
135 SetTo = TRUE; // No longer need a second address
136 }
137 else if (CompareLowerCaseStrings(Section, "r") && !SetAttributes)
138 {
140 SetAttributes = TRUE;
141 }
142 else if (CompareLowerCaseStrings(Section, "w") && !SetAttributes)
143 {
145 SetAttributes = TRUE;
146 }
147 else if (CompareLowerCaseStrings(Section, "x") && !SetAttributes)
148 {
150 SetAttributes = TRUE;
151 }
152 else if ((CompareLowerCaseStrings(Section, "rw") || CompareLowerCaseStrings(Section, "wr")) && !SetAttributes)
153 {
155 SetAttributes = TRUE;
156 }
157 else if ((CompareLowerCaseStrings(Section, "rx") || CompareLowerCaseStrings(Section, "xr")) &&
158 !SetAttributes)
159 {
161 SetAttributes = TRUE;
162 }
163 else if ((CompareLowerCaseStrings(Section, "wx") || CompareLowerCaseStrings(Section, "xw")) &&
164 !SetAttributes)
165 {
167 SetAttributes = TRUE;
168 }
169 else if ((CompareLowerCaseStrings(Section, "rwx") ||
170 CompareLowerCaseStrings(Section, "rxw") ||
171 CompareLowerCaseStrings(Section, "wrx") ||
172 CompareLowerCaseStrings(Section, "wxr") ||
173 CompareLowerCaseStrings(Section, "xrw") ||
174 CompareLowerCaseStrings(Section, "xwr")) &&
175 !SetAttributes)
176 {
178 SetAttributes = TRUE;
179 }
180 else if (CompareLowerCaseStrings(Section, "l") && !SetTo && !LengthAlreadySet)
181 {
182 IsNextLength = TRUE;
183 continue;
184 }
185 else if (CompareLowerCaseStrings(Section, "va") && !HookMemoryTypeSet)
186 {
188 HookMemoryTypeSet = TRUE;
189 continue;
190 }
191 else if (CompareLowerCaseStrings(Section, "pa") && !HookMemoryTypeSet)
192 {
194 HookMemoryTypeSet = TRUE;
195 continue;
196 }
197 else
198 {
199 //
200 // It's probably address
201 //
202 if (!SetFrom)
203 {
206 &OptionalParam1))
207 {
208 //
209 // couldn't resolve or unknown parameter
210 //
211 ShowMessages("err, couldn't resolve error at '%s'\n\n",
214
215 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
216 return;
217 }
218 SetFrom = TRUE;
219 }
220 else if (!SetTo && !LengthAlreadySet)
221 {
224 &OptionalParam2))
225 {
226 //
227 // Couldn't resolve or unknown parameter
228 //
229 ShowMessages("err, couldn't resolve error at '%s'\n\n",
231
233
234 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
235 return;
236 }
237 SetTo = TRUE;
238 }
239 else
240 {
241 //
242 // Unknown parameter
243 //
244 ShowMessages("unknown parameter '%s'\n\n",
247
248 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
249 return;
250 }
251 }
252 }
253
254 //
255 // Check if all parameters are received
256 //
257 if (!SetFrom || !SetTo)
258 {
259 ShowMessages("please choose the 'from' or 'to' values or specify the length\n");
260 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
261 return;
262 }
263
264 //
265 // Check if user specified the 'l' rather than providing two addresses
266 //
267 if (LengthAlreadySet)
268 {
269 //
270 // Because when the user specifies length, the last byte should be ignored
271 //
272 OptionalParam2 = OptionalParam1 + HookLength - 1;
273 }
274
275 //
276 // Check for invalid order of address
277 //
278 if (OptionalParam1 > OptionalParam2)
279 {
280 //
281 // 'from' is greater than 'to'
282 //
283 ShowMessages("please choose the 'from' value first, then choose the 'to' "
284 "value\n");
285
286 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
287 return;
288 }
289
290 //
291 // Check if user set the attributes of !monitor or not
292 //
293 if (!SetAttributes)
294 {
295 ShowMessages("please specify the attribute(s) that you want to monitor (r, w, x, rw, rx, wx, rwx)\n");
296
297 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
298 return;
299 }
300
301 //
302 // Set the optional parameters
303 //
304 Event->Options.OptionalParam1 = OptionalParam1;
305 Event->Options.OptionalParam2 = OptionalParam2;
306 Event->Options.OptionalParam3 = HookMemoryType;
307
308 //
309 // Send the ioctl to the kernel for event registration
310 //
311 if (!SendEventToKernel(Event, EventLength))
312 {
313 //
314 // There was an error, probably the handle was not initialized
315 // we have to free the Action before exit, it is because, we
316 // already freed the Event and string buffers
317 //
318
319 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
320 return;
321 }
322
323 //
324 // Add the event to the kernel
325 //
326 if (!RegisterActionToEvent(Event,
327 ActionBreakToDebugger,
328 ActionBreakToDebuggerLength,
329 ActionCustomCode,
330 ActionCustomCodeLength,
331 ActionScript,
332 ActionScriptLength))
333 {
334 //
335 // There was an error
336 //
337
338 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
339 return;
340 }
341}
UCHAR BOOLEAN
Definition BasicTypes.h:35
#define TRUE
Definition BasicTypes.h:114
#define FALSE
Definition BasicTypes.h:113
unsigned int UINT32
Definition BasicTypes.h:54
@ DEBUGGER_MEMORY_HOOK_VIRTUAL_ADDRESS
Definition DataTypes.h:360
@ DEBUGGER_MEMORY_HOOK_PHYSICAL_ADDRESS
Definition DataTypes.h:361
enum _DEBUGGER_HOOK_MEMORY_TYPE DEBUGGER_HOOK_MEMORY_TYPE
different type of memory addresses
@ HIDDEN_HOOK_WRITE_AND_EXECUTE
Definition Events.h:103
@ HIDDEN_HOOK_READ_AND_WRITE
Definition Events.h:101
@ HIDDEN_HOOK_READ_AND_EXECUTE
Definition Events.h:102
@ HIDDEN_HOOK_READ
Definition Events.h:104
@ HIDDEN_HOOK_WRITE
Definition Events.h:105
@ HIDDEN_HOOK_READ_AND_WRITE_AND_EXECUTE
Definition Events.h:100
@ HIDDEN_HOOK_EXECUTE
Definition Events.h:106
struct _DEBUGGER_GENERAL_EVENT_DETAIL * PDEBUGGER_GENERAL_EVENT_DETAIL
struct _DEBUGGER_GENERAL_ACTION * PDEBUGGER_GENERAL_ACTION
std::string GetCaseSensitiveStringFromCommandToken(CommandToken TargetToken)
Get case sensitive string from command token.
Definition common.cpp:467
BOOLEAN CompareLowerCaseStrings(CommandToken TargetToken, const CHAR *StringToCompare)
Compare lower case strings.
Definition common.cpp:503
BOOLEAN ConvertTokenToUInt32(CommandToken TargetToken, PUINT32 Result)
check and convert command token to a 32 bit unsigned integer
Definition common.cpp:546
VOID FreeEventsAndActionsMemory(PDEBUGGER_GENERAL_EVENT_DETAIL Event, PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger, PDEBUGGER_GENERAL_ACTION ActionCustomCode, PDEBUGGER_GENERAL_ACTION ActionScript)
Deallocate buffers relating to events and actions.
Definition debugger.cpp:1688
BOOLEAN InterpretGeneralEventAndActionsFields(vector< CommandToken > *CommandTokens, VMM_EVENT_TYPE_ENUM EventType, PDEBUGGER_GENERAL_EVENT_DETAIL *EventDetailsToFill, PUINT32 EventBufferLength, PDEBUGGER_GENERAL_ACTION *ActionDetailsToFillBreakToDebugger, PUINT32 ActionBufferLengthBreakToDebugger, PDEBUGGER_GENERAL_ACTION *ActionDetailsToFillCustomCode, PUINT32 ActionBufferLengthCustomCode, PDEBUGGER_GENERAL_ACTION *ActionDetailsToFillScript, PUINT32 ActionBufferLengthScript, PDEBUGGER_EVENT_PARSING_ERROR_CAUSE ReasonForErrorInParsing)
Interpret general event fields.
Definition debugger.cpp:1736
BOOLEAN SendEventToKernel(PDEBUGGER_GENERAL_EVENT_DETAIL Event, UINT32 EventBufferLength)
Register the event to the kernel.
Definition debugger.cpp:1367
BOOLEAN RegisterActionToEvent(PDEBUGGER_GENERAL_EVENT_DETAIL Event, PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger, UINT32 ActionBreakToDebuggerLength, PDEBUGGER_GENERAL_ACTION ActionCustomCode, UINT32 ActionCustomCodeLength, PDEBUGGER_GENERAL_ACTION ActionScript, UINT32 ActionScriptLength)
Register the action to the event.
Definition debugger.cpp:1483
enum _DEBUGGER_EVENT_PARSING_ERROR_CAUSE DEBUGGER_EVENT_PARSING_ERROR_CAUSE
Reason for error in parsing commands.
VOID CommandMonitorHelp()
help of the !monitor command
Definition monitor.cpp:20
NULL()
Definition test-case-generator.py:530
UINT64 OptionalParam2
Definition Events.h:278
UINT64 OptionalParam3
Definition Events.h:279
UINT64 OptionalParam1
Definition Events.h:277
DEBUGGER_EVENT_OPTIONS Options
Definition Events.h:396
VMM_EVENT_TYPE_ENUM EventType
Definition Events.h:394
BOOLEAN SymbolConvertNameOrExprToAddress(const string &TextToConvert, PUINT64 Result)
check and convert string to a 64 bit unsigned integer and also check for symbol object names and eval...
Definition symbol.cpp:359

◆ CommandMonitorHelp()

VOID CommandMonitorHelp ( )

help of the !monitor command

Returns
VOID
21{
22 ShowMessages("!monitor : monitors address range for read and writes.\n\n");
23
24 ShowMessages("syntax : \t!monitor [MemoryType (vapa)] [Attribute (string)] [FromAddress (hex)] "
25 "[ToAddress (hex)] [pid ProcessId (hex)] [core CoreId (hex)] "
26 "[imm IsImmediate (yesno)] [sc EnableShortCircuiting (onoff)] [stage CallingStage (prepostall)] "
27 "[buffer PreAllocatedBuffer (hex)] [script { Script (string) }] [asm condition { Condition (assembly/hex) }] "
28 "[asm code { Code (assembly/hex) }] [output {OutputName (string)}]\n");
29
30 ShowMessages("syntax : \t!monitor [MemoryType (vapa)] [Attribute (string)] [FromAddress (hex)] "
31 "[l Length (hex)] [pid ProcessId (hex)] [core CoreId (hex)] "
32 "[imm IsImmediate (yesno)] [sc EnableShortCircuiting (onoff)] [stage CallingStage (prepostall)] "
33 "[buffer PreAllocatedBuffer (hex)] [script { Script (string) }] [asm condition { Condition (assembly/hex) }] "
34 "[asm code { Code (assembly/hex) }] [output {OutputName (string)}]\n");
35
36 ShowMessages("\n");
37 ShowMessages("\t\te.g : !monitor rw fffff801deadb000 fffff801deadbfff\n");
38 ShowMessages("\t\te.g : !monitor rw fffff801deadb000 l 1000\n");
39 ShowMessages("\t\te.g : !monitor pa rw c01000 l 1000\n");
40 ShowMessages("\t\te.g : !monitor rwx fffff801deadb000 fffff801deadbfff\n");
41 ShowMessages("\t\te.g : !monitor rwx fffff801deadb000 l 230d0\n");
42 ShowMessages("\t\te.g : !monitor rw nt!Kd_DEFAULT_Mask Kd_DEFAULT_Mask+5\n");
43 ShowMessages("\t\te.g : !monitor r fffff801deadb000 fffff801deadbfff pid 400\n");
44 ShowMessages("\t\te.g : !monitor w fffff801deadb000 fffff801deadbfff core 2 pid 400\n");
45 ShowMessages("\t\te.g : !monitor w c01000 c01000+2500 core 2 pid 400\n");
46 ShowMessages("\t\te.g : !monitor x fffff801deadb000 fffff801deadbfff core 2 pid 400\n");
47 ShowMessages("\t\te.g : !monitor x fffff801deadb000 l 500 core 2 pid 400\n");
48 ShowMessages("\t\te.g : !monitor wx fffff801deadb000 fffff801deadbfff core 2 pid 400\n");
49 ShowMessages("\t\te.g : !monitor rw fffff801deadb000 l 1000 script { printf(\"read/write occurred at the virtual address: %%llx\\n\", $context); }\n");
50 ShowMessages("\t\te.g : !monitor rw fffff801deadb000 l 1000 asm code { nop; nop; nop }\n");
51}