pt.cpp File Reference

!pt command — enables, disables and configures Intel Processor Trace (PT) through the HyperTrace module; see the Detailed Description below.

#include "pch.h"

Functions

VOID CommandPtHelp ()
 help of the !pt command
BOOLEAN CommandPtSendRequest (HYPERTRACE_PT_OPERATION_PACKETS *PtRequest)
 Send PT requests.
BOOLEAN HyperDbgPerformPtOperation (HYPERTRACE_PT_OPERATION_PACKETS *PtRequest)
 Request to perform a PT operation (exported wrapper around CommandPtSendRequest).
BOOLEAN HyperDbgPtMmapSendRequest (HYPERTRACE_PT_MMAP_PACKETS *MmapRequest)
 Map the per-CPU PT output buffers into the current process.
VOID CommandPt (vector< CommandToken > CommandTokens, string Command)
 !pt command handler

Variables

BOOLEAN g_IsHyperTraceModuleLoaded
 shows whether the HyperTrace module is loaded or not
BOOLEAN g_IsSerialConnectedToRemoteDebuggee
 Shows whether the debugger is connected to a remote debuggee over serial (a remote guest).

Detailed Description

!pt command

Author
Masoud Rahimi Jafari (Masoo.nosp@m.drah.nosp@m.imy13.nosp@m.79@g.nosp@m.mail..nosp@m.com)
Version
0.19
Date
2026-04-29

Function Documentation

◆ CommandPt()

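/**
 * @brief !pt command handler
 *
 * Turns the tokenized "!pt ..." line into a HYPERTRACE_PT_OPERATION_PACKETS,
 * hands it to CommandPtSendRequest (IOCTL in local mode, serial when a remote
 * debuggee is attached) and reports the outcome to the user.
 *
 * NOTE(review): the documentation renderer dropped every source line that
 * carried a hyperlinked symbol (the PtOperationType assignments, the switch
 * case labels, the CommandPtHelp() calls and the ShowErrorMessage() call).
 * Those lines are reconstructed here from the symbols referenced on this
 * page; confirm them against the repository before relying on the details.
 *
 * @param CommandTokens tokenized command line, CommandTokens[0] being the
 *                      command name itself
 * @param Command       raw command string; not used by this handler, kept
 *                      for the common command-handler signature
 *
 * @return VOID
 */
VOID
CommandPt(vector<CommandToken> CommandTokens, string Command)
{
    HYPERTRACE_PT_OPERATION_PACKETS PtRequest = {0};

    //
    // A sub-command is mandatory. Guarding with "< 2" (rather than "== 1")
    // also keeps an empty token vector away from .at() below.
    //
    if (CommandTokens.size() < 2)
    {
        if (!CommandTokens.empty())
        {
            ShowMessages("incorrect use of the '%s'\n\n",
                         GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
        }

        CommandPtHelp();
        return;
    }

    //
    // Map the sub-command onto an operation type. The one-word forms reject
    // trailing arguments; "filter" consumes the remaining tokens itself.
    //
    if (CompareLowerCaseStrings(CommandTokens.at(1), "enable") && CommandTokens.size() == 2)
    {
        PtRequest.PtOperationType = HYPERTRACE_PT_OPERATION_REQUEST_TYPE_ENABLE;
    }
    else if (CompareLowerCaseStrings(CommandTokens.at(1), "disable") && CommandTokens.size() == 2)
    {
        PtRequest.PtOperationType = HYPERTRACE_PT_OPERATION_REQUEST_TYPE_DISABLE;
    }
    else if (CompareLowerCaseStrings(CommandTokens.at(1), "pause") && CommandTokens.size() == 2)
    {
        PtRequest.PtOperationType = HYPERTRACE_PT_OPERATION_REQUEST_TYPE_PAUSE;
    }
    else if (CompareLowerCaseStrings(CommandTokens.at(1), "resume") && CommandTokens.size() == 2)
    {
        PtRequest.PtOperationType = HYPERTRACE_PT_OPERATION_REQUEST_TYPE_RESUME;
    }
    else if (CompareLowerCaseStrings(CommandTokens.at(1), "size") && CommandTokens.size() == 2)
    {
        PtRequest.PtOperationType = HYPERTRACE_PT_OPERATION_REQUEST_TYPE_SIZE;
    }
    else if (CompareLowerCaseStrings(CommandTokens.at(1), "dump") && CommandTokens.size() == 2)
    {
        PtRequest.PtOperationType = HYPERTRACE_PT_OPERATION_REQUEST_TYPE_DUMP;
    }
    else if (CompareLowerCaseStrings(CommandTokens.at(1), "flush") && CommandTokens.size() == 2)
    {
        PtRequest.PtOperationType = HYPERTRACE_PT_OPERATION_REQUEST_TYPE_FLUSH;
    }
    else if (CompareLowerCaseStrings(CommandTokens.at(1), "filter"))
    {
        PtRequest.PtOperationType = HYPERTRACE_PT_OPERATION_REQUEST_TYPE_FILTER;

        //
        // The option parser writes the filter configuration (user/kernel,
        // cr3, buffer size, ranges) straight into the request packet
        //
        if (!CommandPtParseFilterOptions(CommandTokens, &PtRequest))
        {
            CommandPtHelp();
            return;
        }
    }
    else
    {
        ShowMessages("incorrect use of the '%s'\n\n",
                     GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
        CommandPtHelp();
        return;
    }

    //
    // Send the PT operation request. On failure KernelStatus carries the
    // error code reported by the driver (or, over serial, by the debuggee).
    //
    if (!CommandPtSendRequest(&PtRequest))
    {
        ShowErrorMessage(PtRequest.KernelStatus);
        return;
    }

    switch (PtRequest.PtOperationType)
    {
    case HYPERTRACE_PT_OPERATION_REQUEST_TYPE_ENABLE:
        ShowMessages("PT enabled successfully\n");
        break;

    case HYPERTRACE_PT_OPERATION_REQUEST_TYPE_DISABLE:
        ShowMessages("PT disabled successfully\n");
        break;

    case HYPERTRACE_PT_OPERATION_REQUEST_TYPE_PAUSE:
        ShowMessages("PT trace paused\n");
        break;

    case HYPERTRACE_PT_OPERATION_REQUEST_TYPE_RESUME:
        ShowMessages("PT trace resumed\n");
        break;

    case HYPERTRACE_PT_OPERATION_REQUEST_TYPE_SIZE:
    {
        //
        // NumCpus is read back from the reply and is not validated anywhere
        // on this side, while BytesPerCpu has a fixed number of entries
        // (PT_MAX_CPUS_FOR_MMAP). Over the serial transport the reply
        // presumably originates from the debuggee, so clamp before indexing:
        // an oversized count must not read past the end of the packet.
        //
        const UINT32 MaxCpus  = static_cast<UINT32>(sizeof(PtRequest.BytesPerCpu) / sizeof(PtRequest.BytesPerCpu[0]));
        UINT32       CpuCount = PtRequest.NumCpus;

        if (CpuCount > MaxCpus)
        {
            ShowMessages("warning, the reply reports %u cpus but the packet carries %u entries, showing the first %u\n",
                         CpuCount,
                         MaxCpus,
                         MaxCpus);
            CpuCount = MaxCpus;
        }

        ShowMessages("PT buffer bytes-written per CPU:\n");

        for (UINT32 i = 0; i < CpuCount; i++)
        {
            ShowMessages(" core %u : 0x%llx\n", i, PtRequest.BytesPerCpu[i]);
        }

        break;
    }

    case HYPERTRACE_PT_OPERATION_REQUEST_TYPE_DUMP:
        ShowMessages("PT trace state is shown\n");
        break;

    case HYPERTRACE_PT_OPERATION_REQUEST_TYPE_FLUSH:
        ShowMessages("PT trace state is flushed\n");
        break;

    case HYPERTRACE_PT_OPERATION_REQUEST_TYPE_FILTER:
        ShowMessages("PT filter / config updated successfully\n");
        break;

    default:
        ShowMessages("unknown PT operation type\n");
        break;
    }
}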
unsigned int UINT32
Definition BasicTypes.h:54
struct _HYPERTRACE_PT_OPERATION_PACKETS HYPERTRACE_PT_OPERATION_PACKETS
The structure of the HyperTrace PT request/result packet in HyperDbg (the same buffer is passed to the driver and overwritten with the reply).
@ HYPERTRACE_PT_OPERATION_REQUEST_TYPE_PAUSE
Definition RequestStructures.h:1356
@ HYPERTRACE_PT_OPERATION_REQUEST_TYPE_DUMP
Definition RequestStructures.h:1359
@ HYPERTRACE_PT_OPERATION_REQUEST_TYPE_ENABLE
Definition RequestStructures.h:1354
@ HYPERTRACE_PT_OPERATION_REQUEST_TYPE_FILTER
Definition RequestStructures.h:1361
@ HYPERTRACE_PT_OPERATION_REQUEST_TYPE_RESUME
Definition RequestStructures.h:1357
@ HYPERTRACE_PT_OPERATION_REQUEST_TYPE_SIZE
Definition RequestStructures.h:1358
@ HYPERTRACE_PT_OPERATION_REQUEST_TYPE_FLUSH
Definition RequestStructures.h:1360
@ HYPERTRACE_PT_OPERATION_REQUEST_TYPE_DISABLE
Definition RequestStructures.h:1355
std::string GetCaseSensitiveStringFromCommandToken(CommandToken TargetToken)
Get case sensitive string from command token.
Definition common.cpp:467
BOOLEAN CompareLowerCaseStrings(CommandToken TargetToken, const CHAR *StringToCompare)
Compare lower case strings.
Definition common.cpp:503
BOOLEAN ShowErrorMessage(UINT32 Error)
shows the error message
Definition debugger.cpp:40
VOID CommandPtHelp()
help of the !pt command
Definition pt.cpp:26
BOOLEAN CommandPtSendRequest(HYPERTRACE_PT_OPERATION_PACKETS *PtRequest)
Send PT requests.
Definition pt.cpp:71
UINT32 NumCpus
Definition RequestStructures.h:1402
HYPERTRACE_PT_OPERATION_REQUEST_TYPE PtOperationType
Definition RequestStructures.h:1383
UINT64 BytesPerCpu[PT_MAX_CPUS_FOR_MMAP]
Definition RequestStructures.h:1404
UINT32 KernelStatus
Definition RequestStructures.h:1384

◆ CommandPtHelp()

/**
 * @brief help of the !pt command
 *
 * Prints the command syntax, a list of examples and the meaning of every
 * "filter" option. Pure output; no debugger state is touched.
 *
 * @return VOID
 */
VOID
CommandPtHelp()
{
    //
    // The help text, one entry per output line, printed in order. None of the
    // entries contains a conversion specifier; they are nevertheless passed
    // through "%s" instead of being used as the format string themselves.
    //
    static const char * const HelpLines[] = {
        "!pt : enables, disables and configures Intel Processor Trace (PT).\n",
        "syntax : \t!pt [Function (string)]\n",
        "syntax : \t!pt filter [user] [kernel] [cr3 <hex>] [buffer <hex>]\n",
        "\t [range <start> <end>] [stoprange <start> <end>]\n",
        "\n",
        "\t\te.g : !pt enable\n",
        "\t\te.g : !pt disable\n",
        "\t\te.g : !pt pause\n",
        "\t\te.g : !pt resume\n",
        "\t\te.g : !pt size\n",
        "\t\te.g : !pt dump\n",
        "\t\te.g : !pt flush\n",
        "\n",
        "\t\te.g : !pt filter user\n",
        "\t\te.g : !pt filter kernel\n",
        "\t\te.g : !pt filter user kernel\n",
        "\t\te.g : !pt filter user cr3 0x1aabb000\n",
        "\t\te.g : !pt filter user buffer 0x100000\n",
        "\t\te.g : !pt filter user range 0x140001000 0x140002000\n",
        "\t\te.g : !pt filter user stoprange 0x140003000 0x140004000\n",
        "\nlist of filter options: \n",
        "\t user : trace CPL > 0\n",
        "\t kernel : trace CPL == 0\n",
        "\t cr3 <addr> : only trace when CR3 matches <addr> (0 = no filter)\n",
        "\t buffer <bytes> : per-CPU output buffer size, must be 4KB * 2^N\n",
        "\t (4KB, 8KB, ... up to 128MB; default 2MB)\n",
        "\t range <start> <end> : keep trace inside [start..end] (up to 4 ranges)\n",
        "\t stoprange <s> <e> : stop tracing when execution enters [s..e]\n",
        "\t (no option) : trace user + kernel, no CR3 / IP filter (default)\n",
    };

    for (const char * const Line : HelpLines)
    {
        ShowMessages("%s", Line);
    }
}

◆ CommandPtSendRequest()

BOOLEAN CommandPtSendRequest ( HYPERTRACE_PT_OPERATION_PACKETS * PtRequest)

Send PT requests.

Parameters
PtRequest
Returns
BOOLEAN — TRUE when the request was delivered and the reply passed the KernelStatus == DEBUGGER_OPERATION_WAS_SUCCESSFUL check; FALSE on a serial send failure, a failed DeviceIoControl (the Win32 error is printed), or a non-success KernelStatus. The "VOID" stated by the original comment is wrong: the function returns BOOLEAN.
/**
 * @brief Send PT requests.
 *
 * Delivers a HYPERTRACE_PT_OPERATION_PACKETS to whichever side currently
 * owns the hypervisor: over the serial kernel-debugger link when a remote
 * debuggee is attached, otherwise through IOCTL_PERFORM_HYPERTRACE_PT_OPERATION
 * on the local driver handle. The packet is in/out: the reply (KernelStatus,
 * NumCpus, BytesPerCpu, ...) is written back into *PtRequest.
 *
 * NOTE(review): the documentation renderer dropped the source lines that
 * carried hyperlinked symbols (76, 81, 92 and 115 in the original numbering).
 * The comments below say what each gap most likely held, based on the symbol
 * list of this page; confirm against the repository.
 *
 * @param PtRequest in/out operation packet, overwritten with the reply
 *
 * @return BOOLEAN TRUE when the request was delivered and the reply passed
 *         the status check, FALSE otherwise
 */
72{
73 BOOL Status;
74 ULONG ReturnedLength;
75
// (line 76, dropped by the renderer) presumably: if (g_IsSerialConnectedToRemoteDebuggee)
77 {
78 //
79 // Send the request over serial kernel debugger
80 //
// (line 81, dropped) presumably the negated
// KdSendHyperTracePtPacketsToDebuggee(PtRequest, SIZEOF_HYPERTRACE_PT_OPERATION_PACKETS)
// call: a failed send takes the FALSE branch.
//
// NOTE(review): on this path every field of the reply presumably comes from
// the remote debuggee. Callers must treat counts such as NumCpus as untrusted
// and clamp them to the packet's fixed-size arrays before indexing.
//
82 {
83 return FALSE;
84 }
85 else
86 {
87 return TRUE;
88 }
89 }
90 else
91 {
// (line 92, dropped) presumably the AssertShowMessageReturnStmt() guard that
// requires the driver handle (ASSERT_MESSAGE_DRIVER_NOT_LOADED) and the
// HyperTrace module (ASSERT_MESSAGE_HYPERTRACE_NOT_LOADED) to be loaded,
// returning FALSE (AssertReturnFalse) when either is missing.
93
94 //
95 // Send IOCTL
96 //
97 Status = DeviceIoControl(
98 g_DeviceHandle, // Handle to device
99 IOCTL_PERFORM_HYPERTRACE_PT_OPERATION, // IO Control Code (IOCTL)
100 PtRequest, // Input Buffer to driver.
101 SIZEOF_HYPERTRACE_PT_OPERATION_PACKETS, // Input buffer length
102 PtRequest, // Output Buffer from driver (same buffer: the request is overwritten in place).
103 SIZEOF_HYPERTRACE_PT_OPERATION_PACKETS, // Length of output buffer in bytes.
104 &ReturnedLength, // Bytes placed in buffer.
105 NULL // synchronous call
106 );
107
108 if (!Status)
109 {
110 ShowMessages("ioctl failed with code 0x%x\n", GetLastError());
111
112 return FALSE;
113 }
114
// NOTE(review): ReturnedLength is never compared with
// SIZEOF_HYPERTRACE_PT_OPERATION_PACKETS. A short reply leaves the trailing
// fields holding whatever the caller initialised them to (zero in CommandPt),
// and the status check cannot tell that apart from data written by the driver.
//
// (line 115, dropped) presumably: if (PtRequest->KernelStatus == DEBUGGER_OPERATION_WAS_SUCCESSFUL)
116 {
117 return TRUE;
118 }
119 else
120 {
121 return FALSE;
122 }
123 }
124}
BOOLEAN g_IsSerialConnectedToRemoteDebuggee
Shows whether the debugger is connected to a remote debuggee over serial (a remote guest).
Definition globals.h:253
int BOOL
Definition BasicTypes.h:25
#define TRUE
Definition BasicTypes.h:114
#define FALSE
Definition BasicTypes.h:113
unsigned long ULONG
Definition BasicTypes.h:31
#define DEBUGGER_OPERATION_WAS_SUCCESSFUL
General value to indicate that the operation or request was successful.
Definition ErrorCodes.h:23
#define IOCTL_PERFORM_HYPERTRACE_PT_OPERATION
ioctl, to perform HyperTrace PT operations
Definition Ioctls.h:421
#define SIZEOF_HYPERTRACE_PT_OPERATION_PACKETS
Debugger size of HYPERTRACE_PT_OPERATION_PACKETS.
Definition RequestStructures.h:1412
BOOLEAN KdSendHyperTracePtPacketsToDebuggee(PHYPERTRACE_PT_OPERATION_PACKETS HyperTracePtOperationRequest, UINT32 ExpectedRequestSize)
Send requests for HyperTrace PT operation packet to the debuggee.
Definition kd.cpp:1101
#define ASSERT_MESSAGE_HYPERTRACE_NOT_LOADED
Definition common.h:33
#define AssertShowMessageReturnStmt(expr1, expr2, message1, message2, rc)
Definition common.h:59
#define ASSERT_MESSAGE_DRIVER_NOT_LOADED
Definition common.h:27
#define AssertReturnFalse
Definition common.h:21
HANDLE g_DeviceHandle
Holds the global handle of device which is used to send the request to the kernel by IOCTL,...
Definition globals.h:481
BOOLEAN g_IsHyperTraceModuleLoaded
shows whether the HyperTrace module is loaded or not
Definition lbrdump.cpp:19

◆ HyperDbgPerformPtOperation()

/**
 * @brief Request to perform a PT operation.
 *
 * Exported entry point for the !pt machinery. The packet is forwarded
 * unchanged to CommandPtSendRequest, which selects the serial or IOCTL
 * transport and writes the reply back into *PtRequest.
 *
 * @param PtRequest in/out PT operation packet
 *
 * @return BOOLEAN the result of CommandPtSendRequest: TRUE when the request
 *         was delivered and its status check passed, FALSE otherwise
 */
BOOLEAN
HyperDbgPerformPtOperation(HYPERTRACE_PT_OPERATION_PACKETS * PtRequest)
{
    const BOOLEAN Delivered = CommandPtSendRequest(PtRequest);

    return Delivered;
}

◆ HyperDbgPtMmapSendRequest()

BOOLEAN HyperDbgPtMmapSendRequest ( HYPERTRACE_PT_MMAP_PACKETS * MmapRequest)

Map the per-CPU PT output buffers into the current process.

On success MmapRequest->Cpus[0..NumCpus) hold one { UserVa, Size } per CPU. The mappings are valid in this process only until PT is disabled or flushed (`!pt disable` / `!pt flush`); a caller that keeps the pointers past that point is dereferencing addresses that are no longer mapped, so expect to re-issue this request whenever PT is re-enabled. NumCpus is filled in by the driver and should be bounded by the capacity of the Cpus array before it is used as an index. Only meaningful in local (VMI) mode — the function refuses to run while connected to a remote debuggee.

Parameters
MmapRequest
Returns
BOOLEAN
/**
 * @brief Map the per-CPU PT output buffers into the current process.
 *
 * Issues IOCTL_PERFORM_HYPERTRACE_PT_MMAP on the local driver handle. The
 * packet is in/out: on success the driver fills MmapRequest->Cpus[0..NumCpus)
 * with one { UserVa, Size } per CPU, mapped into this process.
 *
 * NOTE(review): the documentation renderer dropped two source lines that
 * carried hyperlinked symbols (156 and 166 in the original numbering); the
 * comments below say what each gap most likely held. Confirm against the
 * repository.
 *
 * NOTE(review): the mapped pages expose raw trace data, including kernel
 * (CPL 0) execution when that filter is active, to user mode. The IOCTL is
 * therefore exactly as privileged as the driver handle that issues it.
 *
 * @param MmapRequest in/out mmap packet, overwritten with the reply
 *
 * @return BOOLEAN TRUE when the IOCTL succeeded and the driver reported
 *         DEBUGGER_OPERATION_WAS_SUCCESSFUL, FALSE otherwise
 */
152{
153 BOOL Status;
154 ULONG ReturnedLength;
155
// (line 156, dropped by the renderer) presumably: if (g_IsSerialConnectedToRemoteDebuggee)
157 {
158 //
159 // The mmap surface maps into the caller's address space, which only
160 // makes sense in local mode (no remote-debuggee transport for it).
161 //
162 ShowMessages("err, PT mmap is only available in local (VMI) mode\n");
163 return FALSE;
164 }
165
// (line 166, dropped) presumably the AssertShowMessageReturnStmt() guard that
// requires the driver handle and the HyperTrace module to be loaded and
// returns FALSE when either is missing.
167
168 Status = DeviceIoControl(
169 g_DeviceHandle, // Handle to device
170 IOCTL_PERFORM_HYPERTRACE_PT_MMAP, // IO Control Code (IOCTL)
171 MmapRequest, // Input Buffer to driver.
172 SIZEOF_HYPERTRACE_PT_MMAP_PACKETS, // Input buffer length
173 MmapRequest, // Output Buffer from driver (same buffer: the request is overwritten in place).
174 SIZEOF_HYPERTRACE_PT_MMAP_PACKETS, // Length of output buffer in bytes.
175 &ReturnedLength, // Bytes placed in buffer.
176 NULL // synchronous call
177 );
178
179 if (!Status)
180 {
181 ShowMessages("ioctl failed with code 0x%x\n", GetLastError());
182 return FALSE;
183 }
184
// NOTE(review): ReturnedLength is not compared with
// SIZEOF_HYPERTRACE_PT_MMAP_PACKETS, and NumCpus is not bounded here; callers
// indexing Cpus[] must clamp it to the array's capacity. The UserVa values are
// only valid until PT is disabled or flushed (see the function description).
185 return MmapRequest->KernelStatus == DEBUGGER_OPERATION_WAS_SUCCESSFUL;
186}
#define IOCTL_PERFORM_HYPERTRACE_PT_MMAP
ioctl, to map per-CPU HyperTrace PT output buffers into the calling user-mode process....
Definition Ioctls.h:429
#define SIZEOF_HYPERTRACE_PT_MMAP_PACKETS
Debugger size of HYPERTRACE_PT_MMAP_PACKETS.
Definition RequestStructures.h:1448
UINT32 KernelStatus
Definition RequestStructures.h:1438

Variable Documentation

◆ g_IsHyperTraceModuleLoaded

BOOLEAN g_IsHyperTraceModuleLoaded
extern

shows whether the HyperTrace module is loaded or not

◆ g_IsSerialConnectedToRemoteDebuggee

BOOLEAN g_IsSerialConnectedToRemoteDebuggee
extern

Shows whether the debugger is connected to a remote debuggee over serial (a remote guest).