HyperDbg Debugger
Loading...
Searching...
No Matches
pte.cpp File Reference

!pte command More...

#include "pch.h"

Functions

VOID CommandPteHelp ()
 help of the !pte command
VOID CommandPteShowResults (UINT64 TargetVa, PDEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS PteRead)
 show results of !pte command
VOID CommandPte (vector< CommandToken > CommandTokens, string Command)
 !pte command handler

Variables

BOOLEAN g_IsKdModuleLoaded
 shows whether the kernel debugger (KD) module is loaded or not
BOOLEAN g_IsSerialConnectedToRemoteDebuggee
 Shows if the debugger was connected to remote debuggee over (A remote guest).
ACTIVE_DEBUGGING_PROCESS g_ActiveProcessDebuggingState
 State of active debugging thread.

Detailed Description

!pte command

Author
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
Version
0.1
Date
2020-05-27

Function Documentation

◆ CommandPte()

VOID CommandPte ( vector< CommandToken > CommandTokens,
string Command )

!pte command handler

Parameters
CommandTokens
Command
Returns
VOID
94{
95 BOOL Status;
96 ULONG ReturnedLength;
97 UINT64 TargetVa;
98 UINT32 Pid = 0;
100
101 if (CommandTokens.size() == 1 || CommandTokens.size() >= 5 ||
102 CommandTokens.size() == 3)
103 {
104 ShowMessages("incorrect use of the '%s'\n\n",
105 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
107 return;
108 }
109
110 //
111 // By default if the user-debugger is active, we use these commands
112 // on the memory layout of the debuggee process
113 //
115 {
116 Pid = g_ActiveProcessDebuggingState.ProcessId;
117 }
118
119 if (CommandTokens.size() == 2)
120 {
121 //
122 // It's just an address for current process
123 //
125 {
126 //
127 // Couldn't resolve or unknown parameter
128 //
129 ShowMessages("err, couldn't resolve error at '%s'\n",
130 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(1)).c_str());
131 return;
132 }
133 }
134 else
135 {
136 //
137 // It might be address + pid
138 //
139 if (CompareLowerCaseStrings(CommandTokens.at(1), "pid"))
140 {
141 if (!ConvertTokenToUInt32(CommandTokens.at(2), &Pid))
142 {
143 ShowMessages("incorrect address, please enter a valid process id\n");
144 return;
145 }
146
148 {
149 //
150 // Couldn't resolve or unknown parameter
151 //
152 ShowMessages("err, couldn't resolve error at '%s'\n",
153 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(3)).c_str());
154 return;
155 }
156 }
157 else if (CompareLowerCaseStrings(CommandTokens.at(2), "pid"))
158 {
160 {
161 //
162 // Couldn't resolve or unknown parameter
163 //
164 ShowMessages("err, couldn't resolve error at '%s'\n\n",
165 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(1)).c_str());
166 return;
167 }
168
169 if (!ConvertTokenToUInt32(CommandTokens.at(3), &Pid))
170 {
171 ShowMessages("incorrect address, please enter a valid process id\n");
172 return;
173 }
174 }
175 else
176 {
177 ShowMessages("incorrect use of the '%s'\n\n",
178 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
180 return;
181 }
182 }
183
184 //
185 // Prepare the buffer
186 // We use same buffer for input and output
187 //
188 AddressDetails.VirtualAddress = TargetVa;
189 AddressDetails.ProcessId = Pid; // null in debugger mode
190
192 {
193 //
194 // Check to prevent using process id in !pte command
195 //
196 if (Pid != 0)
197 {
199 return;
200 }
201
202 //
203 // Send the request over serial kernel debugger
204 //
205
206 KdSendPtePacketToDebuggee(&AddressDetails);
207 }
208 else
209 {
211
212 if (Pid == 0)
213 {
214 Pid = GetCurrentProcessId();
215 AddressDetails.ProcessId = Pid;
216 }
217
218 //
219 // Send IOCTL
220 //
221 Status = DeviceIoControl(
222 g_DeviceHandle, // Handle to device
223 IOCTL_DEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS, // IO Control Code (IOCTL)
224 &AddressDetails, // Input Buffer to driver.
226 &AddressDetails, // Output Buffer from driver.
228 // buffer in bytes.
229 &ReturnedLength, // Bytes placed in buffer.
230 NULL // synchronous call
231 );
232
233 if (!Status)
234 {
235 ShowMessages("ioctl failed with code 0x%x\n", GetLastError());
236 return;
237 }
238
240 {
241 ShowErrorMessage(AddressDetails.KernelStatus);
242 return;
243 }
244
245 //
246 // Show the results
247 //
248 CommandPteShowResults(TargetVa, &AddressDetails);
249 }
250}
BOOLEAN g_IsSerialConnectedToRemoteDebuggee
Shows if the debugger was connected to remote debuggee over (A remote guest).
Definition globals.h:253
ACTIVE_DEBUGGING_PROCESS g_ActiveProcessDebuggingState
State of active debugging thread.
Definition globals.h:372
int BOOL
Definition BasicTypes.h:25
unsigned int UINT32
Definition BasicTypes.h:54
unsigned long ULONG
Definition BasicTypes.h:31
#define DEBUGGER_OPERATION_WAS_SUCCESSFUL
General value to indicate that the operation or request was successful.
Definition ErrorCodes.h:23
#define IOCTL_DEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS
ioctl, request to read page table entries
Definition Ioctls.h:157
#define SIZEOF_DEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS
Definition RequestStructures.h:46
struct _DEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS DEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS
request for !pte command
std::string GetCaseSensitiveStringFromCommandToken(CommandToken TargetToken)
Get case sensitive string from command token.
Definition common.cpp:467
BOOLEAN CompareLowerCaseStrings(CommandToken TargetToken, const CHAR *StringToCompare)
Compare lower case strings.
Definition common.cpp:503
BOOLEAN ConvertTokenToUInt32(CommandToken TargetToken, PUINT32 Result)
check and convert command token to a 32 bit unsigned integer
Definition common.cpp:546
BOOLEAN ShowErrorMessage(UINT32 Error)
shows the error message
Definition debugger.cpp:40
BOOLEAN KdSendPtePacketToDebuggee(PDEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS PtePacket)
Sends a PTE or '!pte' command packet to the debuggee.
Definition kd.cpp:907
#define ASSERT_MESSAGE_KD_NOT_LOADED
Definition common.h:29
#define ASSERT_MESSAGE_CANNOT_SPECIFY_PID
Definition common.h:39
#define AssertShowMessageReturnStmt(expr1, expr2, message1, message2, rc)
Definition common.h:59
#define AssertReturn
Definition common.h:19
#define ASSERT_MESSAGE_DRIVER_NOT_LOADED
Definition common.h:27
HANDLE g_DeviceHandle
Holds the global handle of device which is used to send the request to the kernel by IOCTL,...
Definition globals.h:481
BOOLEAN g_IsKdModuleLoaded
shows whether the kernel debugger (KD) module is loaded or not
Definition globals.h:22
VOID CommandPteHelp()
help of the !pte command
Definition pte.cpp:27
VOID CommandPteShowResults(UINT64 TargetVa, PDEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS PteRead)
show results of !pte command
Definition pte.cpp:48
UINT64 VirtualAddress
Definition RequestStructures.h:55
UINT32 ProcessId
Definition RequestStructures.h:56
UINT32 KernelStatus
Definition RequestStructures.h:70
BOOLEAN SymbolConvertNameOrExprToAddress(const string &TextToConvert, PUINT64 Result)
check and convert string to a 64 bit unsigned integer and also check for symbol object names and eval...
Definition symbol.cpp:359

◆ CommandPteHelp()

VOID CommandPteHelp ( )

help of the !pte command

Returns
VOID
28{
29 ShowMessages("!pte : finds virtual addresses of different paging-levels.\n\n");
30
31 ShowMessages("syntax : \t!pte [VirtualAddress (hex)] [pid ProcessId (hex)]\n");
32
33 ShowMessages("\n");
34 ShowMessages("\t\te.g : !pte nt!ExAllocatePoolWithTag\n");
35 ShowMessages("\t\te.g : !pte nt!ExAllocatePoolWithTag+5\n");
36 ShowMessages("\t\te.g : !pte fffff801deadbeef\n");
37 ShowMessages("\t\te.g : !pte 0x400021000 pid 1c0\n");
38}

◆ CommandPteShowResults()

VOID CommandPteShowResults ( UINT64 TargetVa,
PDEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS PteRead )

show results of !pte command

Parameters
TargetVa
PteRead
Returns
VOID
49{
50 /*
51 VA fffff8003abc9370
52 PXE at FFFF83C1E0F07F80 PPE at FFFF83C1E0FF0000 PDE at
53 FFFF83C1FE000EA8 PTE at FFFF83FC001D5E48 contains 0000000004108063
54 contains 0000000004109063 contains 00000000026008E3 contains
55 0000000000000000 pfn 4108 ---DA--KWEV pfn 4109 ---DA--KWEV pfn
56 2600 --LDA--KWEV LARGE PAGE pfn 27c9
57 */
58 ShowMessages("VA %llx\n", TargetVa);
59 ShowMessages("PML4E (PXE) at %016llx\tcontains %016llx\nPDPTE (PPE) at "
60 "%016llx\tcontains "
61 "%016llx\nPDE at %016llx\tcontains %016llx\n",
62 PteRead->Pml4eVirtualAddress,
63 PteRead->Pml4eValue,
64 PteRead->PdpteVirtualAddress,
65 PteRead->PdpteValue,
66 PteRead->PdeVirtualAddress,
67 PteRead->PdeValue);
68
69 //
70 // Check if it's a large PDE
71 //
72 if (PteRead->PdeVirtualAddress == PteRead->PteVirtualAddress)
73 {
74 ShowMessages("PDE is a large page, so it doesn't have a PTE\n");
75 }
76 else
77 {
78 ShowMessages("PTE at %016llx\tcontains %016llx\n",
79 PteRead->PteVirtualAddress,
80 PteRead->PteValue);
81 }
82}
UINT64 PdeValue
Definition RequestStructures.h:65
UINT64 PdpteValue
Definition RequestStructures.h:62
UINT64 PdpteVirtualAddress
Definition RequestStructures.h:61
UINT64 PteVirtualAddress
Definition RequestStructures.h:67
UINT64 Pml4eValue
Definition RequestStructures.h:59
UINT64 Pml4eVirtualAddress
Definition RequestStructures.h:58
UINT64 PteValue
Definition RequestStructures.h:68
UINT64 PdeVirtualAddress
Definition RequestStructures.h:64

Variable Documentation

◆ g_ActiveProcessDebuggingState

ACTIVE_DEBUGGING_PROCESS g_ActiveProcessDebuggingState
extern

State of active debugging thread.

372{0};

◆ g_IsKdModuleLoaded

BOOLEAN g_IsKdModuleLoaded
extern

shows whether the kernel debugger (KD) module is loaded or not

◆ g_IsSerialConnectedToRemoteDebuggee

BOOLEAN g_IsSerialConnectedToRemoteDebuggee
extern

Shows if the debugger was connected to remote debuggee over (A remote guest).