HyperDbg Debugger
packets.h File Reference

headers for kernel packet functions More...


Functions

VOID ReadIrpBasedBuffer ()
 Read kernel buffers using IRP Pending.
DWORD WINAPI IrpBasedBufferThread (void *data)
 Create a thread for pending buffers.

Detailed Description

headers for kernel packet functions

Author
Sina Karvandi (sina@hyperdbg.org)
Version
0.19
Date
2026-05-28

Function Documentation

◆ IrpBasedBufferThread()

DWORD WINAPI IrpBasedBufferThread ( PVOID Data)

Create a thread for pending buffers.

Parameters
Data
Returns
DWORD Device Handle
//
// Body of IrpBasedBufferThread() as rendered by Doxygen (packets.cpp); the
// signature is printed above. Line 344 is not shown because the renderer
// turned it into a hyperlink; the tooltip that follows this listing points
// at ReadIrpBasedBuffer(), so that is presumably the call made here.
//
338{
339 //
340 // Do stuff. This will be the first function called on the new
341 // thread. When this function returns, the thread goes away. See
342 // MSDN for more details. Test Irp Based Notifications
343 //
// Line 344 (the call) is not shown in this rendering.
345
// Thread exit code: always 0. The "Returns: DWORD Device Handle" note above
// does not match this, and the Data parameter is not used in the visible body.
346 return 0;
347}
VOID ReadIrpBasedBuffer()
Read kernel buffers using IRP Pending.
Definition packets.cpp:32

◆ ReadIrpBasedBuffer()

VOID ReadIrpBasedBuffer ( )

Read kernel buffers using IRP Pending.

Parameters
Device Driver handle
Returns
VOID

lpSecurityAttributes

lpTemplateFile

//
// Body of ReadIrpBasedBuffer() as rendered by Doxygen (packets.cpp:32); the
// signature is printed above, separated from the body by the parameter notes.
// Every source line that the renderer turned into a hyperlink is absent from
// this listing: line 90 (which the comment near line 264 suggests is the loop
// over g_IsMessageLoggingWindowClosed), the case labels of the switch, the
// condition lines preceding each "CTRL+C" comment (presumably tests of
// g_BreakPrintingOutput, per the tooltips), and the Kd*/Forwarding*/Ud* calls
// whose argument lists survive. Read the switch as a set of case bodies whose
// labels are not shown.
//
33{
34 BOOL Status;
35 ULONG ReturnedLength;
36 REGISTER_NOTIFY_BUFFER RegisterEvent;
37 DWORD ErrorNum;
38 HANDLE Handle;
39 UINT32 OperationCode;
40
// Register for IRP-based (pending IOCTL) notifications; no event object is used.
41 RegisterEvent.hEvent = NULL;
42 RegisterEvent.Type = IRP_BASED;
43
44 //
45 // Keep the packet reader on a dedicated synchronous handle. It blocks on
46 // a pending IOCTL while the main debugger handle continues sending other
47 // synchronous IOCTLs.
48 //
49 Handle = CreateFileA(
50 "\\\\.\\HyperDbgDebuggerDevice",
51 GENERIC_READ | GENERIC_WRITE,
52 FILE_SHARE_READ | FILE_SHARE_WRITE,
53 NULL,
54 OPEN_EXISTING,
55 FILE_ATTRIBUTE_NORMAL,
56 NULL);
57
// Failure is reported to the user and the function returns without a buffer
// or a loop; the three messages map the most common GetLastError() values.
58 if (Handle == INVALID_HANDLE_VALUE)
59 {
60 ErrorNum = GetLastError();
61
62 if (ErrorNum == ERROR_ACCESS_DENIED)
63 {
64 ShowMessages("err, access denied\nare you sure you have administrator "
65 "rights?\n");
66 }
67 else if (ErrorNum == ERROR_GEN_FAILURE)
68 {
69 ShowMessages("err, a device attached to the system is not functioning\n"
70 "vmx feature might be disabled from BIOS or VBS/HVCI is active\n");
71 }
72 else
73 {
74 ShowMessages("err, CreateFile failed with (%x)\n", ErrorNum);
75 }
76
// Line 77 is not shown in this rendering.
78 Handle = NULL;
79
80 return;
81 }
82
83 //
84 // allocate buffer for transferring messages
85 //
86 CHAR * OutputBuffer = (CHAR *)malloc(UsermodeBufferSize);
// NOTE(review): the malloc result is never checked; a NULL return reaches
// ZeroMemory() and DeviceIoControl() below unguarded.
87
88 try
89 {
// Line 90 (the loop header) is not shown; the `continue` statements below
// and the comment near line 264 refer to that loop.
91 {
92 //
93 // Clear the buffer
94 //
// Zeroing all UsermodeBufferSize bytes each round is what makes the
// ShowMessages("%s", ...) calls below NUL-terminated, as long as the
// driver does not fill the entire buffer.
95 ZeroMemory(OutputBuffer, UsermodeBufferSize);
96
97 Status = DeviceIoControl(
98 Handle, // Handle to device
99 IOCTL_REGISTER_EVENT, // IO Control Code (IOCTL)
100 &RegisterEvent, // Input Buffer to driver.
101 SIZEOF_REGISTER_EVENT * 2, // Length of input buffer in bytes. (x 2 because the
102 // driver is x64 and uses 64-bit values)
103 OutputBuffer, // Output Buffer from driver.
104 UsermodeBufferSize, // Length of output buffer in bytes.
105 &ReturnedLength, // Bytes placed in buffer.
106 NULL // synchronous call
107 );
108
109 if (!Status)
110 {
111 //
112 // Error occurred for second time, and we show the error message
113 //
114 // ShowMessages("ioctl failed with code 0x%x\n", GetLastError());
115
116 //
117 // if we reach here, the packet is probably failed, it might
118 // be because of using flush command
119 //
120 continue;
121 }
122
123 //
124 // Compute the received buffer's operation code
125 //
// The first four bytes are read regardless of ReturnedLength; on a shorter
// reply they are the zeroed bytes from above.
126 memcpy(&OperationCode, OutputBuffer, sizeof(UINT32));
127
128 // ShowMessages("Returned Length : 0x%x \n", ReturnedLength);
129 // ShowMessages("Operation Code : 0x%x \n", OperationCode);
130
131 //
132 // Check if the operation code contains mandatory debuggee bit
133 // If that's the case, we shouldn't wait (sleep) for new messages
134 //
135 if ((OperationCode & OPERATION_MANDATORY_DEBUGGEE_BIT) == 0)
136 {
137 Sleep(DefaultSpeedOfReadingKernelMessages); // we're not trying to eat all of the CPU ;)
138 }
139
// Dispatch on the operation code. The case labels (lines 142, 144, 157, ...)
// are not shown in this rendering. A `continue` inside the switch skips the
// rest of the enclosing loop iteration, not just the case.
140 switch (OperationCode)
141 {
143
145 {
146 //
147 // means that the user asserts a CTRL+C or CTRL+BREAK Signal
148 // we shouldn't show or save anything in this case
149 //
150 continue;
151 }
152
// The message text follows the 4-byte operation code in the buffer.
153 ShowMessages("%s", OutputBuffer + sizeof(UINT32));
154
155 break;
156
158
159 ShowMessages("%s", OutputBuffer + sizeof(UINT32));
160
161 break;
162
164
166 {
167 //
168 // means that the user asserts a CTRL+C or CTRL+BREAK Signal
169 // we shouldn't show or save anything in this case
170 //
171 continue;
172 }
173
174 ShowMessages("%s", OutputBuffer + sizeof(UINT32));
175
176 break;
177
180 {
181 //
182 // means that the user asserts a CTRL+C or CTRL+BREAK Signal
183 // we shouldn't show or save anything in this case
184 //
185 continue;
186 }
187
188 ShowMessages("%s", OutputBuffer + sizeof(UINT32));
189
190 break;
191
193
195 {
196 //
197 // means that the user asserts a CTRL+C or CTRL+BREAK Signal
198 // we shouldn't show or save anything in this case
199 //
200 continue;
201 }
202
203 ShowMessages("%s", OutputBuffer + sizeof(UINT32));
204
205 break;
206
208
210
211 break;
212
214
216
217 break;
218
// The following cases hand the payload (buffer after the operation code) to
// the Kd* helpers listed in the tooltips; the call lines themselves are not
// shown, only their argument lists.
220
222 (PDEBUGGER_GENERAL_EVENT_DETAIL)(OutputBuffer + sizeof(UINT32)),
223 ReturnedLength);
224
225 break;
226
228
230 (PDEBUGGER_GENERAL_ACTION)(OutputBuffer + sizeof(UINT32)),
231 ReturnedLength);
232
233 break;
234
236
238 (PDEBUGGER_MODIFY_EVENTS)(OutputBuffer + sizeof(UINT32)),
239 TRUE);
240
241 break;
242
244
246 (PDEBUGGER_MODIFY_EVENTS)(OutputBuffer + sizeof(UINT32)),
247 FALSE);
248
249 break;
250
252
253 //
254 // Indicate that driver (Hypervisor) is loaded successfully
255 //
257
258 break;
259
261
262 //
263 // End of receiving messages (IRPs), nothing to do
264 // it will just end the thread at next round because of the check of
265 // g_IsMessageLoggingWindowClosed at the beginning of the loop
266 //
267 break;
268
270
271 //
272 // Pause debugger after getting the results
273 //
275 ((PDEBUGGEE_SYMBOL_REQUEST_PACKET)(OutputBuffer + sizeof(UINT32)))->ProcessId);
276
277 break;
278
280
281 //
282 // handle pausing packet from user debugger
283 //
285 (PDEBUGGEE_UD_PAUSED_PACKET)(OutputBuffer + sizeof(UINT32)));
286
287 break;
288
289 default:
290
291 //
292 // Check if there are available output sources
293 //
// NOTE(review): the callee on line 294 is not shown; the tooltip for
// ForwardingCheckAndPerformEventForwarding(UINT32, CHAR *, UINT32) is the
// likely match. `ReturnedLength - sizeof(UINT32) - 1` is unsigned
// arithmetic: for ReturnedLength < 5 it wraps before being narrowed to the
// UINT32 length parameter — confirm the driver always returns at least the
// 4-byte operation code plus a terminator.
295 OutputBuffer + sizeof(UINT32),
296 ReturnedLength - sizeof(UINT32) - 1))
297 {
299 {
300 //
301 // means that the user asserts a CTRL+C or CTRL+BREAK Signal
302 // we shouldn't show or save anything in this case
303 //
304 continue;
305 }
306
307 ShowMessages("%s", OutputBuffer + sizeof(UINT32));
308 }
309
310 break;
311 }
312 }
313 }
// NOTE(review): only C++ exceptions are caught here; an access violation
// while parsing the buffer is not a std::exception.
314 catch (const std::exception &)
315 {
316 ShowMessages("err, exception occurred in creating handle or parsing buffer\n");
317 }
318
// Cleanup runs on both the normal and the exception path.
319 free(OutputBuffer);
320
321 //
322 // close handle
323 //
324 if (!CloseHandle(Handle))
325 {
326 ShowMessages("err, closing handle 0x%x\n", GetLastError());
327 }
328}
#define DefaultSpeedOfReadingKernelMessages
The speed delay for showing messages from kernel-mode to user-mode in VMI-mode, using a lower value c...
Definition Definition.h:132
int BOOL
Definition BasicTypes.h:25
#define TRUE
Definition BasicTypes.h:114
#define FALSE
Definition BasicTypes.h:113
unsigned long DWORD
Definition BasicTypes.h:38
unsigned int UINT32
Definition BasicTypes.h:54
char CHAR
Definition BasicTypes.h:33
unsigned long ULONG
Definition BasicTypes.h:31
#define OPERATION_DEBUGGEE_USER_INPUT
Definition Constants.h:382
#define OPERATION_LOG_MESSAGE_MANDATORY
Definition Constants.h:380
#define OPERATION_HYPERVISOR_DRIVER_END_OF_IRPS
Definition Constants.h:388
#define OPERATION_LOG_ERROR_MESSAGE
Definition Constants.h:376
#define OPERATION_COMMAND_FROM_DEBUGGER_RELOAD_SYMBOL
Definition Constants.h:389
#define UsermodeBufferSize
size of user-mode buffer
Definition Constants.h:195
#define OPERATION_DEBUGGEE_ADD_ACTION_TO_EVENT
Definition Constants.h:384
#define OPERATION_MANDATORY_DEBUGGEE_BIT
If a operation use this bit in its Operation code, then it means that the operation should be perform...
Definition Constants.h:367
#define OPERATION_NOTIFICATION_FROM_USER_DEBUGGER_PAUSE
Definition Constants.h:390
#define OPERATION_LOG_WARNING_MESSAGE
Definition Constants.h:375
#define OPERATION_DEBUGGEE_REGISTER_EVENT
Definition Constants.h:383
#define OPERATION_HYPERVISOR_DRIVER_IS_SUCCESSFULLY_LOADED
Definition Constants.h:387
#define OPERATION_LOG_INFO_MESSAGE
Message logs id that comes from kernel-mode to user-mode.
Definition Constants.h:374
#define OPERATION_DEBUGGEE_CLEAR_EVENTS_WITHOUT_NOTIFYING_DEBUGGER
Definition Constants.h:386
#define OPERATION_DEBUGGEE_CLEAR_EVENTS
Definition Constants.h:385
#define OPERATION_LOG_NON_IMMEDIATE_MESSAGE
Definition Constants.h:377
#define OPERATION_COMMAND_FROM_DEBUGGER_CLOSE_AND_UNLOAD_VMM
Definition Constants.h:381
struct _DEBUGGEE_UD_PAUSED_PACKET * PDEBUGGEE_UD_PAUSED_PACKET
struct _REGISTER_NOTIFY_BUFFER REGISTER_NOTIFY_BUFFER
Used to register event for transferring buffer between user-to-kernel.
@ IRP_BASED
Definition DataTypes.h:287
struct _DEBUGGEE_USER_INPUT_PACKET DEBUGGEE_USER_INPUT_PACKET
The structure of user-input packet in HyperDbg.
#define SIZEOF_REGISTER_EVENT
Definition Events.h:438
struct _DEBUGGER_GENERAL_EVENT_DETAIL * PDEBUGGER_GENERAL_EVENT_DETAIL
struct _DEBUGGER_MODIFY_EVENTS * PDEBUGGER_MODIFY_EVENTS
struct _DEBUGGER_GENERAL_ACTION * PDEBUGGER_GENERAL_ACTION
#define IOCTL_REGISTER_EVENT
ioctl, register a new event
Definition Ioctls.h:114
struct _DEBUGGEE_SYMBOL_REQUEST_PACKET * PDEBUGGEE_SYMBOL_REQUEST_PACKET
BOOLEAN ForwardingCheckAndPerformEventForwarding(UINT32 OperationCode, CHAR *Message, UINT32 MessageLength)
Check and send the event result to the corresponding sources.
Definition forwarding.cpp:439
BOOLEAN KdRegisterEventInDebuggee(PDEBUGGER_GENERAL_EVENT_DETAIL EventRegBuffer, UINT32 Length)
Register an event in the debuggee.
Definition kd.cpp:3144
BOOLEAN KdSendModifyEventInDebuggee(PDEBUGGER_MODIFY_EVENTS ModifyEvent, BOOLEAN SendTheResultBackToDebugger)
Modify the event ioctl in the debuggee.
Definition kd.cpp:3248
BOOLEAN KdCloseConnection()
Send close packet to the debuggee and debugger.
Definition kd.cpp:3056
VOID KdHandleUserInputInDebuggee(DEBUGGEE_USER_INPUT_PACKET *Descriptor)
Handle user-input in debuggee.
Definition kd.cpp:3308
BOOLEAN KdReloadSymbolsInDebuggee(BOOLEAN PauseDebuggee, UINT32 UserProcessId)
Send the packets of reloading symbols to build a new symbol table to the debugger and send the finish...
Definition kd.cpp:3015
BOOLEAN KdAddActionToEventInDebuggee(PDEBUGGER_GENERAL_ACTION ActionAddingBuffer, UINT32 Length)
Add action to an event in the debuggee.
Definition kd.cpp:3198
HANDLE g_DeviceHandle
Holds the global handle of device which is used to send the request to the kernel by IOCTL,...
Definition globals.h:481
HANDLE g_IsDriverLoadedSuccessfully
Handle to show that if the debugger is loaded successfully.
Definition globals.h:152
BOOLEAN g_IsMessageLoggingWindowClosed
Shows whether the message logging window is closed or not.
Definition globals.h:472
NULL()
Definition test-case-generator.py:530
BOOLEAN g_OutputSourcesInitialized
it shows whether the debugger started using output sources or not or in other words,...
Definition globals.h:418
BOOLEAN g_BreakPrintingOutput
Shows whether the pause command or CTRL+C or CTRL+Break is executed or not.
Definition globals.h:509
NOTIFY_TYPE Type
Definition DataTypes.h:312
HANDLE hEvent
Definition DataTypes.h:313
VOID UdHandleUserDebuggerPausing(PDEBUGGEE_UD_PAUSED_PACKET PausePacket)
Handle pause packets from user debugger.
Definition user-listening.cpp:29