HyperDbg Debugger
Loading...
Searching...
No Matches
Functions
monitor.cpp File Reference

!monitor command More...

#include "pch.h"

Functions

VOID CommandMonitorHelp ()
 help of the !monitor command
 
VOID CommandMonitor (vector< string > SplitCommand, string Command)
 !monitor command handler
 

Detailed Description

!monitor command

Author
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
Version
0.1
Date
2020-05-27
Copyright
This project is released under the GNU Public License v3.

Function Documentation

◆ CommandMonitor()

VOID CommandMonitor ( vector< string > SplitCommand,
string Command )

!monitor command handler

Parameters
SplitCommand
Command
Returns
VOID
62{
63 PDEBUGGER_GENERAL_EVENT_DETAIL Event = NULL;
64 PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger = NULL;
65 PDEBUGGER_GENERAL_ACTION ActionCustomCode = NULL;
66 PDEBUGGER_GENERAL_ACTION ActionScript = NULL;
67 UINT32 EventLength;
68 UINT32 ActionBreakToDebuggerLength = 0;
69 UINT32 ActionCustomCodeLength = 0;
70 UINT32 ActionScriptLength = 0;
71 UINT32 HookLength = 0;
72 UINT64 OptionalParam1 = 0; // Set the 'from' target address
73 UINT64 OptionalParam2 = 0; // Set the 'to' target address
74 BOOLEAN SetFrom = FALSE;
75 BOOLEAN SetTo = FALSE;
76 BOOLEAN IsNextLength = FALSE;
77 BOOLEAN LengthAlreadySet = FALSE;
78 BOOLEAN SetAttributes = FALSE;
79 BOOLEAN HookMemoryTypeSet = FALSE;
80 vector<string> SplitCommandCaseSensitive {Split(Command, ' ')};
81 DEBUGGER_HOOK_MEMORY_TYPE HookMemoryType = DEBUGGER_MEMORY_HOOK_VIRTUAL_ADDRESS; // by default virtual address
82 UINT32 IndexInCommandCaseSensitive = 0;
83 DEBUGGER_EVENT_PARSING_ERROR_CAUSE EventParsingErrorCause;
84
85 if (SplitCommand.size() < 4)
86 {
87 ShowMessages("incorrect use of the '!monitor'\n");
88 CommandMonitorHelp();
89 return;
90 }
91
92 //
93 // Interpret and fill the general event and action fields
94 //
95 // We use HIDDEN_HOOK_READ_AND_WRITE here but it might be changed to
96 // HIDDEN_HOOK_READ or HIDDEN_HOOK_WRITE or other events it is because
97 // we are not sure what kind event the user need
98 //
99 if (!InterpretGeneralEventAndActionsFields(
100 &SplitCommand,
101 &SplitCommandCaseSensitive,
102 HIDDEN_HOOK_READ_AND_WRITE_AND_EXECUTE,
103 &Event,
104 &EventLength,
105 &ActionBreakToDebugger,
106 &ActionBreakToDebuggerLength,
107 &ActionCustomCode,
108 &ActionCustomCodeLength,
109 &ActionScript,
110 &ActionScriptLength,
111 &EventParsingErrorCause))
112 {
113 return;
114 }
115
116 //
117 // Interpret command specific details (if any)
118 //
119 for (auto Section : SplitCommand)
120 {
121 IndexInCommandCaseSensitive++;
122
123 if (!Section.compare("!monitor"))
124 {
125 continue;
126 }
127 else if (IsNextLength)
128 {
129 if (!ConvertStringToUInt32(Section, &HookLength))
130 {
131 ShowMessages("err, you should enter a valid length\n\n");
132 return;
133 }
134
135 IsNextLength = FALSE;
136 LengthAlreadySet = TRUE;
137 SetTo = TRUE; // No longer need a second address
138 }
139 else if (!Section.compare("r") && !SetAttributes)
140 {
141 Event->EventType = HIDDEN_HOOK_READ;
142 SetAttributes = TRUE;
143 }
144 else if (!Section.compare("w") && !SetAttributes)
145 {
146 Event->EventType = HIDDEN_HOOK_WRITE;
147 SetAttributes = TRUE;
148 }
149 else if (!Section.compare("x") && !SetAttributes)
150 {
151 Event->EventType = HIDDEN_HOOK_EXECUTE;
152 SetAttributes = TRUE;
153 }
154 else if ((!Section.compare("rw") || !Section.compare("wr")) && !SetAttributes)
155 {
156 Event->EventType = HIDDEN_HOOK_READ_AND_WRITE;
157 SetAttributes = TRUE;
158 }
159 else if ((!Section.compare("rx") || !Section.compare("xr")) &&
160 !SetAttributes)
161 {
162 Event->EventType = HIDDEN_HOOK_READ_AND_EXECUTE;
163 SetAttributes = TRUE;
164 }
165 else if ((!Section.compare("wx") || !Section.compare("xw")) &&
166 !SetAttributes)
167 {
168 Event->EventType = HIDDEN_HOOK_WRITE_AND_EXECUTE;
169 SetAttributes = TRUE;
170 }
171 else if ((!Section.compare("rwx") ||
172 !Section.compare("rxw") ||
173 !Section.compare("wrx") ||
174 !Section.compare("wxr") ||
175 !Section.compare("xrw") ||
176 !Section.compare("xwr")) &&
177 !SetAttributes)
178 {
179 Event->EventType = HIDDEN_HOOK_READ_AND_WRITE_AND_EXECUTE;
180 SetAttributes = TRUE;
181 }
182 else if (!Section.compare("l") && !SetTo && !LengthAlreadySet)
183 {
184 IsNextLength = TRUE;
185 continue;
186 }
187 else if (!Section.compare("va") && !HookMemoryTypeSet)
188 {
189 HookMemoryType = DEBUGGER_MEMORY_HOOK_VIRTUAL_ADDRESS;
190 HookMemoryTypeSet = TRUE;
191 continue;
192 }
193 else if (!Section.compare("pa") && !HookMemoryTypeSet)
194 {
195 HookMemoryType = DEBUGGER_MEMORY_HOOK_PHYSICAL_ADDRESS;
196 HookMemoryTypeSet = TRUE;
197 continue;
198 }
199 else
200 {
201 //
202 // It's probably address
203 //
204 if (!SetFrom)
205 {
206 if (!SymbolConvertNameOrExprToAddress(
207 SplitCommandCaseSensitive.at(IndexInCommandCaseSensitive - 1),
208 &OptionalParam1))
209 {
210 //
211 // couldn't resolve or unknown parameter
212 //
213 ShowMessages("err, couldn't resolve error at '%s'\n\n",
214 SplitCommandCaseSensitive.at(IndexInCommandCaseSensitive - 1).c_str());
215 CommandMonitorHelp();
216
217 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
218 return;
219 }
220 SetFrom = TRUE;
221 }
222 else if (!SetTo && !LengthAlreadySet)
223 {
224 if (!SymbolConvertNameOrExprToAddress(
225 SplitCommandCaseSensitive.at(IndexInCommandCaseSensitive - 1),
226 &OptionalParam2))
227 {
228 //
229 // Couldn't resolve or unknown parameter
230 //
231 ShowMessages("err, couldn't resolve error at '%s'\n\n",
232 SplitCommandCaseSensitive.at(IndexInCommandCaseSensitive - 1).c_str());
233
234 CommandMonitorHelp();
235
236 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
237 return;
238 }
239 SetTo = TRUE;
240 }
241 else
242 {
243 //
244 // Unknown parameter
245 //
246 ShowMessages("unknown parameter '%s'\n\n", Section.c_str());
247 CommandMonitorHelp();
248
249 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
250 return;
251 }
252 }
253 }
254
255 //
256 // Check if all parameters are received
257 //
258 if (!SetFrom || !SetTo)
259 {
260 ShowMessages("please choose the 'from' or 'to' values or specify the length\n");
261 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
262 return;
263 }
264
265 //
266 // Check if user specified the 'l' rather than providing two addresses
267 //
268 if (LengthAlreadySet)
269 {
270 //
271 // Because when the user specifies length, the last byte should be ignored
272 //
273 OptionalParam2 = OptionalParam1 + HookLength - 1;
274 }
275
276 //
277 // Check for invalid order of address
278 //
279 if (OptionalParam1 > OptionalParam2)
280 {
281 //
282 // 'from' is greater than 'to'
283 //
284 ShowMessages("please choose the 'from' value first, then choose the 'to' "
285 "value\n");
286
287 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
288 return;
289 }
290
291 //
292 // Check if user set the attributes of !monitor or not
293 //
294 if (!SetAttributes)
295 {
296 ShowMessages("please specify the attribute(s) that you want to monitor (r, w, x, rw, rx, wx, rwx)\n");
297
298 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
299 return;
300 }
301
302 //
303 // Set the optional parameters
304 //
305 Event->Options.OptionalParam1 = OptionalParam1;
306 Event->Options.OptionalParam2 = OptionalParam2;
307 Event->Options.OptionalParam3 = HookMemoryType;
308
309 //
310 // Send the ioctl to the kernel for event registration
311 //
312 if (!SendEventToKernel(Event, EventLength))
313 {
314 //
315 // There was an error, probably the handle was not initialized
316 // we have to free the Action before exit, it is because, we
317 // already freed the Event and string buffers
318 //
319
320 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
321 return;
322 }
323
324 //
325 // Add the event to the kernel
326 //
327 if (!RegisterActionToEvent(Event,
328 ActionBreakToDebugger,
329 ActionBreakToDebuggerLength,
330 ActionCustomCode,
331 ActionCustomCodeLength,
332 ActionScript,
333 ActionScriptLength))
334 {
335 //
336 // There was an error
337 //
338
339 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
340 return;
341 }
342}
BOOLEAN
UCHAR BOOLEAN
Definition BasicTypes.h:39
TRUE
#define TRUE
Definition BasicTypes.h:55
FALSE
#define FALSE
Definition BasicTypes.h:54
UINT64
unsigned __int64 UINT64
Definition BasicTypes.h:21
UINT32
unsigned int UINT32
Definition BasicTypes.h:48
DEBUGGER_MEMORY_HOOK_VIRTUAL_ADDRESS
@ DEBUGGER_MEMORY_HOOK_VIRTUAL_ADDRESS
Definition DataTypes.h:311
DEBUGGER_MEMORY_HOOK_PHYSICAL_ADDRESS
@ DEBUGGER_MEMORY_HOOK_PHYSICAL_ADDRESS
Definition DataTypes.h:312
DEBUGGER_HOOK_MEMORY_TYPE
enum _DEBUGGER_HOOK_MEMORY_TYPE DEBUGGER_HOOK_MEMORY_TYPE
different type of memory addresses
Split
const vector< string > Split(const string &s, const char &c)
general split command
Definition common.cpp:117
ConvertStringToUInt32
BOOLEAN ConvertStringToUInt32(string TextToConvert, PUINT32 Result)
check and convert string to a 32 bit unsigned it and also check for special notations like 0x etc.
Definition common.cpp:347
FreeEventsAndActionsMemory
VOID FreeEventsAndActionsMemory(PDEBUGGER_GENERAL_EVENT_DETAIL Event, PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger, PDEBUGGER_GENERAL_ACTION ActionCustomCode, PDEBUGGER_GENERAL_ACTION ActionScript)
Deallocate buffers relating to events and actions.
Definition debugger.cpp:2292
InterpretGeneralEventAndActionsFields
BOOLEAN InterpretGeneralEventAndActionsFields(vector< string > *SplitCommand, vector< string > *SplitCommandCaseSensitive, VMM_EVENT_TYPE_ENUM EventType, PDEBUGGER_GENERAL_EVENT_DETAIL *EventDetailsToFill, PUINT32 EventBufferLength, PDEBUGGER_GENERAL_ACTION *ActionDetailsToFillBreakToDebugger, PUINT32 ActionBufferLengthBreakToDebugger, PDEBUGGER_GENERAL_ACTION *ActionDetailsToFillCustomCode, PUINT32 ActionBufferLengthCustomCode, PDEBUGGER_GENERAL_ACTION *ActionDetailsToFillScript, PUINT32 ActionBufferLengthScript, PDEBUGGER_EVENT_PARSING_ERROR_CAUSE ReasonForErrorInParsing)
Interpret general event fields.
Definition debugger.cpp:2342
SendEventToKernel
BOOLEAN SendEventToKernel(PDEBUGGER_GENERAL_EVENT_DETAIL Event, UINT32 EventBufferLength)
Register the event to the kernel.
Definition debugger.cpp:1969
RegisterActionToEvent
BOOLEAN RegisterActionToEvent(PDEBUGGER_GENERAL_EVENT_DETAIL Event, PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger, UINT32 ActionBreakToDebuggerLength, PDEBUGGER_GENERAL_ACTION ActionCustomCode, UINT32 ActionCustomCodeLength, PDEBUGGER_GENERAL_ACTION ActionScript, UINT32 ActionScriptLength)
Register the action to the event.
Definition debugger.cpp:2086
HIDDEN_HOOK_WRITE_AND_EXECUTE
@ HIDDEN_HOOK_WRITE_AND_EXECUTE
Definition Events.h:103
HIDDEN_HOOK_READ_AND_WRITE
@ HIDDEN_HOOK_READ_AND_WRITE
Definition Events.h:101
HIDDEN_HOOK_READ_AND_EXECUTE
@ HIDDEN_HOOK_READ_AND_EXECUTE
Definition Events.h:102
HIDDEN_HOOK_READ
@ HIDDEN_HOOK_READ
Definition Events.h:104
HIDDEN_HOOK_WRITE
@ HIDDEN_HOOK_WRITE
Definition Events.h:105
HIDDEN_HOOK_READ_AND_WRITE_AND_EXECUTE
@ HIDDEN_HOOK_READ_AND_WRITE_AND_EXECUTE
Definition Events.h:100
HIDDEN_HOOK_EXECUTE
@ HIDDEN_HOOK_EXECUTE
Definition Events.h:106
DEBUGGER_EVENT_PARSING_ERROR_CAUSE
enum _DEBUGGER_EVENT_PARSING_ERROR_CAUSE DEBUGGER_EVENT_PARSING_ERROR_CAUSE
Reason for error in parsing commands.
ShowMessages
VOID ShowMessages(const char *Fmt,...)
Show messages.
Definition libhyperdbg.cpp:96
CommandMonitorHelp
VOID CommandMonitorHelp()
help of the !monitor command
Definition monitor.cpp:20
test-case-generator.NULL
NULL()
Definition test-case-generator.py:530
_DEBUGGER_EVENT_OPTIONS::OptionalParam2
UINT64 OptionalParam2
Definition Events.h:273
_DEBUGGER_EVENT_OPTIONS::OptionalParam3
UINT64 OptionalParam3
Definition Events.h:274
_DEBUGGER_EVENT_OPTIONS::OptionalParam1
UINT64 OptionalParam1
Definition Events.h:272
_DEBUGGER_GENERAL_ACTION
Each event can have multiple actions.
Definition Events.h:406
_DEBUGGER_GENERAL_EVENT_DETAIL
Each command is like the following struct, it also used for tracing works in user mode and sending it...
Definition Events.h:350
_DEBUGGER_GENERAL_EVENT_DETAIL::Options
DEBUGGER_EVENT_OPTIONS Options
Definition Events.h:391
_DEBUGGER_GENERAL_EVENT_DETAIL::EventType
VMM_EVENT_TYPE_ENUM EventType
Definition Events.h:389
SymbolConvertNameOrExprToAddress
BOOLEAN SymbolConvertNameOrExprToAddress(const string &TextToConvert, PUINT64 Result)
check and convert string to a 64 bit unsigned integer and also check for symbol object names and eval...
Definition symbol.cpp:360

◆ CommandMonitorHelp()

VOID CommandMonitorHelp ( )

help of the !monitor command

Returns
VOID
21{
22 ShowMessages("!monitor : monitors address range for read and writes.\n\n");
23
24 ShowMessages("syntax : \t!monitor [MemoryType (vapa)] [Attribute (string)] [FromAddress (hex)] "
25 "[ToAddress (hex)] [pid ProcessId (hex)] [core CoreId (hex)] "
26 "[imm IsImmediate (yesno)] [sc EnableShortCircuiting (onoff)] [stage CallingStage (prepostall)] "
27 "[buffer PreAllocatedBuffer (hex)] [script { Script (string) }] [asm condition { Condition (assembly/hex) }] "
28 "[asm code { Code (assembly/hex) }] [output {OutputName (string)}]\n");
29
30 ShowMessages("syntax : \t!monitor [MemoryType (vapa)] [Attribute (string)] [FromAddress (hex)] "
31 "[l Length (hex)] [pid ProcessId (hex)] [core CoreId (hex)] "
32 "[imm IsImmediate (yesno)] [sc EnableShortCircuiting (onoff)] [stage CallingStage (prepostall)] "
33 "[buffer PreAllocatedBuffer (hex)] [script { Script (string) }] [asm condition { Condition (assembly/hex) }] "
34 "[asm code { Code (assembly/hex) }] [output {OutputName (string)}]\n");
35
36 ShowMessages("\n");
37 ShowMessages("\t\te.g : !monitor rw fffff801deadb000 fffff801deadbfff\n");
38 ShowMessages("\t\te.g : !monitor rw fffff801deadb000 l 1000\n");
39 ShowMessages("\t\te.g : !monitor pa rw c01000 l 1000\n");
40 ShowMessages("\t\te.g : !monitor rwx fffff801deadb000 fffff801deadbfff\n");
41 ShowMessages("\t\te.g : !monitor rwx fffff801deadb000 l 230d0\n");
42 ShowMessages("\t\te.g : !monitor rw nt!Kd_DEFAULT_Mask Kd_DEFAULT_Mask+5\n");
43 ShowMessages("\t\te.g : !monitor r fffff801deadb000 fffff801deadbfff pid 400\n");
44 ShowMessages("\t\te.g : !monitor w fffff801deadb000 fffff801deadbfff core 2 pid 400\n");
45 ShowMessages("\t\te.g : !monitor w c01000 c01000+2500 core 2 pid 400\n");
46 ShowMessages("\t\te.g : !monitor x fffff801deadb000 fffff801deadbfff core 2 pid 400\n");
47 ShowMessages("\t\te.g : !monitor x fffff801deadb000 l 500 core 2 pid 400\n");
48 ShowMessages("\t\te.g : !monitor wx fffff801deadb000 fffff801deadbfff core 2 pid 400\n");
49 ShowMessages("\t\te.g : !monitor rw fffff801deadb000 l 1000 script { printf(\"read/write occurred at the virtual address: %%llx\\n\", $context); }\n");
50 ShowMessages("\t\te.g : !monitor rw fffff801deadb000 l 1000 asm code { nop; nop; nop }\n");
51}