HyperDbg Debugger
Loading...
Searching...
No Matches
Functions
msrread.cpp File Reference

!msrread command More...

#include "pch.h"

Functions

VOID CommandMsrreadHelp ()
 help of the !msrread command
 
VOID CommandMsrread (vector< string > SplitCommand, string Command)
 !msrread command handler
 

Detailed Description

!msrread command

Author
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
Version
0.1
Date
2020-06-01
Copyright
This project is released under the GNU Public License v3.

Function Documentation

◆ CommandMsrread()

VOID CommandMsrread ( vector< string > SplitCommand,
string Command )

!msrread command handler

Parameters
SplitCommand
Command
Returns
VOID
47{
48 PDEBUGGER_GENERAL_EVENT_DETAIL Event = NULL;
49 PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger = NULL;
50 PDEBUGGER_GENERAL_ACTION ActionCustomCode = NULL;
51 PDEBUGGER_GENERAL_ACTION ActionScript = NULL;
52 UINT32 EventLength;
53 UINT32 ActionBreakToDebuggerLength = 0;
54 UINT32 ActionCustomCodeLength = 0;
55 UINT32 ActionScriptLength = 0;
56 UINT64 SpecialTarget = DEBUGGER_EVENT_MSR_READ_OR_WRITE_ALL_MSRS;
57 BOOLEAN GetAddress = FALSE;
58 vector<string> SplitCommandCaseSensitive {Split(Command, ' ')};
59 DEBUGGER_EVENT_PARSING_ERROR_CAUSE EventParsingErrorCause;
60
61 //
62 // Interpret and fill the general event and action fields
63 //
64 //
65 if (!InterpretGeneralEventAndActionsFields(
66 &SplitCommand,
67 &SplitCommandCaseSensitive,
68 RDMSR_INSTRUCTION_EXECUTION,
69 &Event,
70 &EventLength,
71 &ActionBreakToDebugger,
72 &ActionBreakToDebuggerLength,
73 &ActionCustomCode,
74 &ActionCustomCodeLength,
75 &ActionScript,
76 &ActionScriptLength,
77 &EventParsingErrorCause))
78 {
79 return;
80 }
81
82 //
83 // Interpret command specific details (if any), it is because we can use
84 // special msr bitmap here
85 //
86 for (auto Section : SplitCommand)
87 {
88 if (!Section.compare("!msrread") || !Section.compare("!msread"))
89 {
90 continue;
91 }
92 else if (!GetAddress)
93 {
94 //
95 // It's probably an msr
96 //
97 if (!ConvertStringToUInt64(Section, &SpecialTarget))
98 {
99 //
100 // Unknown parameter
101 //
102 ShowMessages("unknown parameter '%s'\n\n", Section.c_str());
103 CommandMsrreadHelp();
104
105 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
106 return;
107 }
108 else
109 {
110 GetAddress = TRUE;
111 }
112 }
113 else
114 {
115 //
116 // Unknown parameter
117 //
118 ShowMessages("unknown parameter '%s'\n\n", Section.c_str());
119 CommandMsrreadHelp();
120
121 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
122 return;
123 }
124 }
125
126 //
127 // Set the target msr (if not specific then it means all msrs)
128 //
129 Event->Options.OptionalParam1 = SpecialTarget;
130
131 //
132 // Send the ioctl to the kernel for event registration
133 //
134 if (!SendEventToKernel(Event, EventLength))
135 {
136 //
137 // There was an error, probably the handle was not initialized
138 // we have to free the Action before exit, it is because, we
139 // already freed the Event and string buffers
140 //
141
142 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
143 return;
144 }
145
146 //
147 // Add the event to the kernel
148 //
149 if (!RegisterActionToEvent(Event,
150 ActionBreakToDebugger,
151 ActionBreakToDebuggerLength,
152 ActionCustomCode,
153 ActionCustomCodeLength,
154 ActionScript,
155 ActionScriptLength))
156 {
157 //
158 // There was an error
159 //
160
161 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
162 return;
163 }
164}
BOOLEAN
UCHAR BOOLEAN
Definition BasicTypes.h:39
TRUE
#define TRUE
Definition BasicTypes.h:55
FALSE
#define FALSE
Definition BasicTypes.h:54
UINT64
unsigned __int64 UINT64
Definition BasicTypes.h:21
UINT32
unsigned int UINT32
Definition BasicTypes.h:48
DEBUGGER_EVENT_MSR_READ_OR_WRITE_ALL_MSRS
#define DEBUGGER_EVENT_MSR_READ_OR_WRITE_ALL_MSRS
Apply to all Model Specific Registers.
Definition Constants.h:623
Split
const vector< string > Split(const string &s, const char &c)
general split command
Definition common.cpp:117
ConvertStringToUInt64
BOOLEAN ConvertStringToUInt64(string TextToConvert, PUINT64 Result)
check and convert string to a 64 bit unsigned integer and also check for special notations like 0x,...
Definition common.cpp:240
FreeEventsAndActionsMemory
VOID FreeEventsAndActionsMemory(PDEBUGGER_GENERAL_EVENT_DETAIL Event, PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger, PDEBUGGER_GENERAL_ACTION ActionCustomCode, PDEBUGGER_GENERAL_ACTION ActionScript)
Deallocate buffers relating to events and actions.
Definition debugger.cpp:2292
InterpretGeneralEventAndActionsFields
BOOLEAN InterpretGeneralEventAndActionsFields(vector< string > *SplitCommand, vector< string > *SplitCommandCaseSensitive, VMM_EVENT_TYPE_ENUM EventType, PDEBUGGER_GENERAL_EVENT_DETAIL *EventDetailsToFill, PUINT32 EventBufferLength, PDEBUGGER_GENERAL_ACTION *ActionDetailsToFillBreakToDebugger, PUINT32 ActionBufferLengthBreakToDebugger, PDEBUGGER_GENERAL_ACTION *ActionDetailsToFillCustomCode, PUINT32 ActionBufferLengthCustomCode, PDEBUGGER_GENERAL_ACTION *ActionDetailsToFillScript, PUINT32 ActionBufferLengthScript, PDEBUGGER_EVENT_PARSING_ERROR_CAUSE ReasonForErrorInParsing)
Interpret general event fields.
Definition debugger.cpp:2342
SendEventToKernel
BOOLEAN SendEventToKernel(PDEBUGGER_GENERAL_EVENT_DETAIL Event, UINT32 EventBufferLength)
Register the event to the kernel.
Definition debugger.cpp:1969
RegisterActionToEvent
BOOLEAN RegisterActionToEvent(PDEBUGGER_GENERAL_EVENT_DETAIL Event, PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger, UINT32 ActionBreakToDebuggerLength, PDEBUGGER_GENERAL_ACTION ActionCustomCode, UINT32 ActionCustomCodeLength, PDEBUGGER_GENERAL_ACTION ActionScript, UINT32 ActionScriptLength)
Register the action to the event.
Definition debugger.cpp:2086
RDMSR_INSTRUCTION_EXECUTION
@ RDMSR_INSTRUCTION_EXECUTION
Definition Events.h:128
DEBUGGER_EVENT_PARSING_ERROR_CAUSE
enum _DEBUGGER_EVENT_PARSING_ERROR_CAUSE DEBUGGER_EVENT_PARSING_ERROR_CAUSE
Reason for error in parsing commands.
ShowMessages
VOID ShowMessages(const char *Fmt,...)
Show messages.
Definition libhyperdbg.cpp:96
CommandMsrreadHelp
VOID CommandMsrreadHelp()
help of the !msrread command
Definition msrread.cpp:20
test-case-generator.NULL
NULL()
Definition test-case-generator.py:530
_DEBUGGER_EVENT_OPTIONS::OptionalParam1
UINT64 OptionalParam1
Definition Events.h:272
_DEBUGGER_GENERAL_ACTION
Each event can have multiple actions.
Definition Events.h:406
_DEBUGGER_GENERAL_EVENT_DETAIL
Each command is like the following struct, it also used for tracing works in user mode and sending it...
Definition Events.h:350
_DEBUGGER_GENERAL_EVENT_DETAIL::Options
DEBUGGER_EVENT_OPTIONS Options
Definition Events.h:391

◆ CommandMsrreadHelp()

VOID CommandMsrreadHelp ( )

help of the !msrread command

Returns
VOID
21{
22 ShowMessages("!msrread : detects the execution of rdmsr instructions.\n\n");
23
24 ShowMessages("syntax : \t!msrread [Msr (hex)] [pid ProcessId (hex)] "
25 "[core CoreId (hex)] [imm IsImmediate (yesno)] [sc EnableShortCircuiting (onoff)] "
26 "[stage CallingStage (prepostall)] [buffer PreAllocatedBuffer (hex)] [script { Script (string) }] "
27 "[asm condition { Condition (assembly/hex) }] [asm code { Code (assembly/hex) }] [output {OutputName (string)}]\n");
28
29 ShowMessages("\n");
30 ShowMessages("\t\te.g : !msrread\n");
31 ShowMessages("\t\te.g : !msrread 0xc0000082\n");
32 ShowMessages("\t\te.g : !msread pid 400\n");
33 ShowMessages("\t\te.g : !msrread core 2 pid 400\n");
34 ShowMessages("\t\te.g : !msrread script { printf(\"msr read with the 'ecx' register equal to: %%llx\\n\", $context); }\n");
35 ShowMessages("\t\te.g : !msrread asm code { nop; nop; nop }\n");
36}