HyperDbg Debugger
Loading...
Searching...
No Matches
Functions | Variables
process.cpp File Reference

show and change process More...

#include "pch.h"

Functions

VOID CommandProcessHelp ()
 help of the .process command
 
VOID CommandProcess (vector< string > SplitCommand, string Command)
 .process command handler
 

Variables

BOOLEAN g_IsSerialConnectedToRemoteDebuggee
 Shows if the debugger was connected to remote debuggee over (A remote guest)
 

Detailed Description

show and change process

Author
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
Version
0.1
Date
2021-02-02
Copyright
This project is released under the GNU Public License v3.

Function Documentation

◆ CommandProcess()

VOID CommandProcess ( vector< string > SplitCommand,
string Command )

.process command handler

Parameters
SplitCommand
Command
Returns
VOID
57{
58 UINT32 TargetProcessId = 0;
59 UINT64 TargetProcess = 0;
60 UINT64 AddressOfActiveProcessHead = 0; // nt!PsActiveProcessHead
61 UINT32 OffsetOfImageFileName = 0; // nt!_EPROCESS.ImageFileName
62 UINT32 OffsetOfUniqueProcessId = 0; // nt!_EPROCESS.UniqueProcessId
63 UINT32 OffsetOfActiveProcessLinks = 0; // nt!_EPROCESS.ActiveProcessLinks
64 BOOLEAN ResultOfGettingOffsets = FALSE;
65 BOOLEAN IsSetByClkIntr = FALSE;
66 DEBUGGEE_PROCESS_LIST_NEEDED_DETAILS ProcessListNeededItems = {0};
67
68 if (SplitCommand.size() >= 4)
69 {
70 ShowMessages("incorrect use of the '.process'\n\n");
71 CommandProcessHelp();
72 return;
73 }
74
75 if (SplitCommand.size() == 1)
76 {
77 //
78 // Check if it's connected to a remote debuggee or not
79 //
80 if (!g_IsSerialConnectedToRemoteDebuggee)
81 {
82 //
83 // Get the process details in VMI mode
84 //
85 ObjectShowProcessesOrThreadDetails(TRUE);
86 }
87 else
88 {
89 //
90 // Send the packet to get current process
91 //
92 KdSendSwitchProcessPacketToDebuggee(DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_GET_PROCESS_DETAILS,
93 NULL,
94 NULL,
95 FALSE,
96 NULL);
97 }
98 }
99 else if (SplitCommand.size() == 2)
100 {
101 if (!SplitCommand.at(1).compare("list"))
102 {
103 //
104 // Query for nt!_EPROCESS.ImageFileName, nt!_EPROCESS.UniqueProcessId,
105 // nt!_EPROCESS.UniqueProcessId offset from the top of nt!_EPROCESS,
106 // and nt!PsActiveProcessHead address and check if we find them or not,
107 // otherwise, it means that the PDB for ntoskrnl.exe is not available
108 //
109 if (ScriptEngineGetFieldOffsetWrapper((CHAR *)"nt!_EPROCESS", (CHAR *)"ActiveProcessLinks", &OffsetOfActiveProcessLinks) &&
110 ScriptEngineGetFieldOffsetWrapper((CHAR *)"nt!_EPROCESS", (CHAR *)"ImageFileName", &OffsetOfImageFileName) &&
111 ScriptEngineGetFieldOffsetWrapper((CHAR *)"nt!_EPROCESS", (CHAR *)"UniqueProcessId", &OffsetOfUniqueProcessId) &&
112 SymbolConvertNameOrExprToAddress("nt!PsActiveProcessHead", &AddressOfActiveProcessHead))
113 {
114 //
115 // For test offsets and addresses
116 //
117
118 /*
119 ShowMessages("Address of ActiveProcessHead : %llx\n", AddressOfActiveProcessHead);
120 ShowMessages("Offset Of ActiveProcessLinks : 0x%x\n", OffsetOfActiveProcessLinks);
121 ShowMessages("Offset Of ImageFileName : 0x%x\n", OffsetOfImageFileName);
122 ShowMessages("Offset Of UniqueProcessId : 0x%x\n", OffsetOfUniqueProcessId);
123 */
124
125 ProcessListNeededItems.PsActiveProcessHead = AddressOfActiveProcessHead;
126 ProcessListNeededItems.ActiveProcessLinksOffset = OffsetOfActiveProcessLinks;
127 ProcessListNeededItems.ImageFileNameOffset = OffsetOfImageFileName;
128 ProcessListNeededItems.UniquePidOffset = OffsetOfUniqueProcessId;
129
130 if (!g_IsSerialConnectedToRemoteDebuggee)
131 {
132 //
133 // Get list of processes in VMI mode
134 //
135 ObjectShowProcessesOrThreadList(TRUE,
136 &ProcessListNeededItems,
137 NULL,
138 NULL);
139 }
140 else
141 {
142 //
143 // Send the packet to show list of process
144 //
145 KdSendSwitchProcessPacketToDebuggee(DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_GET_PROCESS_LIST,
146 NULL,
147 NULL,
148 FALSE,
149 &ProcessListNeededItems);
150 }
151 }
152 else
153 {
154 ShowMessages("err, the need offset to iterate over processes not found, "
155 "make sure to load ntoskrnl.exe's PDB file. use '.help .sym' for "
156 "more information\n");
157 return;
158 }
159 }
160 else
161 {
162 ShowMessages(
163 "err, unknown parameter at '%s'\n\n",
164 SplitCommand.at(1).c_str());
165 CommandProcessHelp();
166 return;
167 }
168 }
169 else if (SplitCommand.size() == 3)
170 {
171 //
172 // Check if it's connected to a remote debuggee or not
173 //
174 if (!g_IsSerialConnectedToRemoteDebuggee)
175 {
176 ShowMessages("err, you're not connected to any debuggee in Debugger Mode, "
177 "you can use the '.attach', or the '.detach' commands if you're "
178 "operating in VMI Mode\n");
179 return;
180 }
181
182 if (!SplitCommand.at(1).compare("pid"))
183 {
184 if (!ConvertStringToUInt32(SplitCommand.at(2), &TargetProcessId))
185 {
186 ShowMessages(
187 "please specify a correct hex value for the process id that you "
188 "want to operate on it\n\n");
189 CommandProcessHelp();
190 return;
191 }
192 }
193 else if (!SplitCommand.at(1).compare("process"))
194 {
195 if (!SymbolConvertNameOrExprToAddress(SplitCommand.at(2), &TargetProcess))
196 {
197 ShowMessages(
198 "please specify a correct hex value for the process (nt!_EPROCESS) that you "
199 "want to operate on it\n\n");
200 CommandProcessHelp();
201 return;
202 }
203 }
204 else
205 {
206 ShowMessages(
207 "err, unknown parameter at '%s'\n\n",
208 SplitCommand.at(2).c_str());
209 CommandProcessHelp();
210 return;
211 }
212
213 //
214 // Check for switching method
215 //
216 if (!SplitCommand.at(0).compare(".process2"))
217 {
218 IsSetByClkIntr = FALSE;
219 }
220 else
221 {
222 IsSetByClkIntr = TRUE;
223 }
224
225 //
226 // Send the packet to change process
227 //
228 KdSendSwitchProcessPacketToDebuggee(DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_PERFORM_SWITCH,
229 TargetProcessId,
230 TargetProcess,
231 IsSetByClkIntr,
232 NULL);
233 }
234 else
235 {
236 ShowMessages("invalid parameter\n\n");
237 CommandProcessHelp();
238 return;
239 }
240}
BOOLEAN
UCHAR BOOLEAN
Definition BasicTypes.h:39
TRUE
#define TRUE
Definition BasicTypes.h:55
FALSE
#define FALSE
Definition BasicTypes.h:54
UINT64
unsigned __int64 UINT64
Definition BasicTypes.h:21
UINT32
unsigned int UINT32
Definition BasicTypes.h:48
CHAR
char CHAR
Definition BasicTypes.h:31
DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_GET_PROCESS_DETAILS
@ DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_GET_PROCESS_DETAILS
Definition RequestStructures.h:912
DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_GET_PROCESS_LIST
@ DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_GET_PROCESS_LIST
Definition RequestStructures.h:913
DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_PERFORM_SWITCH
@ DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_PERFORM_SWITCH
Definition RequestStructures.h:914
ConvertStringToUInt32
BOOLEAN ConvertStringToUInt32(string TextToConvert, PUINT32 Result)
check and convert string to a 32 bit unsigned it and also check for special notations like 0x etc.
Definition common.cpp:347
KdSendSwitchProcessPacketToDebuggee
BOOLEAN KdSendSwitchProcessPacketToDebuggee(DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_TYPE ActionType, UINT32 NewPid, UINT64 NewProcess, BOOLEAN SetChangeByClockInterrupt, PDEBUGGEE_PROCESS_LIST_NEEDED_DETAILS SymDetailsForProcessList)
Sends a change process or show process details packet to the debuggee.
Definition kd.cpp:805
ShowMessages
VOID ShowMessages(const char *Fmt,...)
Show messages.
Definition libhyperdbg.cpp:96
ObjectShowProcessesOrThreadList
BOOLEAN ObjectShowProcessesOrThreadList(BOOLEAN IsProcess, PDEBUGGEE_PROCESS_LIST_NEEDED_DETAILS SymDetailsForProcessList, UINT64 Eprocess, PDEBUGGEE_THREAD_LIST_NEEDED_DETAILS SymDetailsForThreadList)
Get details about processes or threads.
Definition objects.cpp:138
ObjectShowProcessesOrThreadDetails
BOOLEAN ObjectShowProcessesOrThreadDetails(BOOLEAN IsProcess)
Get details about processes or threads.
Definition objects.cpp:26
CommandProcessHelp
VOID CommandProcessHelp()
help of the .process command
Definition process.cpp:25
g_IsSerialConnectedToRemoteDebuggee
BOOLEAN g_IsSerialConnectedToRemoteDebuggee
Shows if the debugger was connected to remote debuggee over (A remote guest)
Definition globals.h:231
ScriptEngineGetFieldOffsetWrapper
BOOLEAN ScriptEngineGetFieldOffsetWrapper(CHAR *TypeName, CHAR *FieldName, UINT32 *FieldOffset)
ScriptEngineGetFieldOffset wrapper.
Definition script-engine-wrapper.cpp:131
_DEBUGGEE_PROCESS_LIST_NEEDED_DETAILS
The structure of needed information to get the details of the process from nt!_EPROCESS and location ...
Definition RequestStructures.h:684
_DEBUGGEE_PROCESS_LIST_NEEDED_DETAILS::UniquePidOffset
ULONG UniquePidOffset
Definition RequestStructures.h:687
_DEBUGGEE_PROCESS_LIST_NEEDED_DETAILS::ImageFileNameOffset
ULONG ImageFileNameOffset
Definition RequestStructures.h:686
_DEBUGGEE_PROCESS_LIST_NEEDED_DETAILS::ActiveProcessLinksOffset
ULONG ActiveProcessLinksOffset
Definition RequestStructures.h:688
_DEBUGGEE_PROCESS_LIST_NEEDED_DETAILS::PsActiveProcessHead
UINT64 PsActiveProcessHead
Definition RequestStructures.h:685
SymbolConvertNameOrExprToAddress
BOOLEAN SymbolConvertNameOrExprToAddress(const string &TextToConvert, PUINT64 Result)
check and convert string to a 64 bit unsigned integer and also check for symbol object names and eval...
Definition symbol.cpp:360

◆ CommandProcessHelp()

VOID CommandProcessHelp ( )

help of the .process command

Returns
VOID
26{
27 ShowMessages(".process, .process2 : shows and changes the processes. "
28 "This command needs public symbols for ntoskrnl.exe if "
29 "you want to see the processes list. Please visit the "
30 "documentation to know about the difference between '.process' "
31 "and '.process2'.\n\n");
32
33 ShowMessages("syntax : \t.process\n");
34 ShowMessages("syntax : \t.process [list]\n");
35 ShowMessages("syntax : \t.process [pid ProcessId (hex)]\n");
36 ShowMessages("syntax : \t.process [process Eprocess (hex)]\n");
37 ShowMessages("syntax : \t.process2 [pid ProcessId (hex)]\n");
38 ShowMessages("syntax : \t.process2 [process Eprocess (hex)]\n");
39
40 ShowMessages("\n");
41 ShowMessages("\t\te.g : .process\n");
42 ShowMessages("\t\te.g : .process list\n");
43 ShowMessages("\t\te.g : .process pid 4\n");
44 ShowMessages("\t\te.g : .process2 pid 4\n");
45 ShowMessages("\t\te.g : .process process ffff948c`c2349280\n");
46}

Variable Documentation

◆ g_IsSerialConnectedToRemoteDebuggee

BOOLEAN g_IsSerialConnectedToRemoteDebuggee
extern

Shows if the debugger was connected to remote debuggee over (A remote guest)