HyperDbg Debugger
Loading...
Searching...
No Matches
s.cpp File Reference

s* command More...

#include "pch.h"

Functions

VOID CommandSearchMemoryHelp ()
 help of !s* s* commands
VOID CommandSearchSendRequest (UINT64 *BufferToSendAsIoctl, UINT32 BufferToSendAsIoctlSize)
 Send the request of search to the kernel.
VOID CommandSearchMemory (vector< CommandToken > CommandTokens, string Command)
 !s* s* commands handler

Variables

BOOLEAN g_IsSerialConnectedToRemoteDebuggee
 Shows if the debugger was connected to remote debuggee over (A remote guest).
BOOLEAN g_IsKdModuleLoaded
 shows whether the kernel debugger (KD) module is loaded or not
ACTIVE_DEBUGGING_PROCESS g_ActiveProcessDebuggingState
 State of active debugging thread.

Detailed Description

s* command

Author
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
Version
0.1
Date
2020-07-29

Function Documentation

◆ CommandSearchMemory()

VOID CommandSearchMemory ( vector< CommandToken > CommandTokens,
string Command )

!s* s* commands handler

Parameters
CommandTokens
Command
Returns
VOID
142{
143 UINT64 Address;
144 vector<UINT64> ValuesToEdit;
145 BOOL SetAddress = FALSE;
147 BOOL SetProcId = FALSE;
148 BOOL NextIsProcId = FALSE;
149 BOOL SetLength = FALSE;
150 BOOL NextIsLength = FALSE;
151 DEBUGGER_SEARCH_MEMORY SearchMemoryRequest = {0};
152 UINT64 Value = 0;
153 UINT64 Length = 0;
154 UINT32 ProcId = 0;
155 UINT32 CountOfValues = 0;
156 UINT32 FinalSize = 0;
157 UINT64 * FinalBuffer = NULL;
158 BOOLEAN IsFirstCommand = TRUE;
159
160 //
161 // By default if the user-debugger is active, we use these commands
162 // on the memory layout of the debuggee process
163 //
165 {
166 ProcId = g_ActiveProcessDebuggingState.ProcessId;
167 }
168
169 if (CommandTokens.size() <= 4)
170 {
171 ShowMessages("incorrect use of the '%s'\n\n",
172 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
173
175 return;
176 }
177
178 for (auto Section : CommandTokens)
179 {
180 if (IsFirstCommand == TRUE)
181 {
182 std::string FirstCommand = GetLowerStringFromCommandToken(Section);
183
184 if (!FirstCommand.compare("!sb"))
185 {
186 SearchMemoryRequest.MemoryType = SEARCH_PHYSICAL_MEMORY;
187 SearchMemoryRequest.ByteSize = SEARCH_BYTE;
188 }
189 else if (!FirstCommand.compare("!sd"))
190 {
191 SearchMemoryRequest.MemoryType = SEARCH_PHYSICAL_MEMORY;
192 SearchMemoryRequest.ByteSize = SEARCH_DWORD;
193 }
194 else if (!FirstCommand.compare("!sq"))
195 {
196 SearchMemoryRequest.MemoryType = SEARCH_PHYSICAL_MEMORY;
197 SearchMemoryRequest.ByteSize = SEARCH_QWORD;
198 }
199 else if (!FirstCommand.compare("sb"))
200 {
201 SearchMemoryRequest.MemoryType = SEARCH_VIRTUAL_MEMORY;
202 SearchMemoryRequest.ByteSize = SEARCH_BYTE;
203 }
204 else if (!FirstCommand.compare("sd"))
205 {
206 SearchMemoryRequest.MemoryType = SEARCH_VIRTUAL_MEMORY;
207 SearchMemoryRequest.ByteSize = SEARCH_DWORD;
208 }
209 else if (!FirstCommand.compare("sq"))
210 {
211 SearchMemoryRequest.MemoryType = SEARCH_VIRTUAL_MEMORY;
212 SearchMemoryRequest.ByteSize = SEARCH_QWORD;
213 }
214 else
215 {
216 //
217 // What's this? :(
218 //
219 ShowMessages("unknown error happened!\n\n");
221 return;
222 }
223
224 IsFirstCommand = FALSE;
225
226 continue;
227 }
228
229 if (NextIsProcId)
230 {
231 //
232 // It's a process id
233 //
234 NextIsProcId = FALSE;
235
236 if (!ConvertTokenToUInt32(Section, &ProcId))
237 {
238 ShowMessages("please specify a correct hex process id\n\n");
240 return;
241 }
242 else
243 {
244 //
245 // Means that the proc id is set, next we should read value
246 //
247 continue;
248 }
249 }
250
251 if (NextIsLength)
252 {
253 //
254 // It's a length
255 //
256 NextIsLength = FALSE;
257
258 if (!ConvertTokenToUInt64(Section, &Length))
259 {
260 ShowMessages("please specify a correct hex length\n\n");
262 return;
263 }
264 else
265 {
266 //
267 // Means that the proc id is set, next we should read value
268 //
269 SetLength = TRUE;
270 continue;
271 }
272 }
273
274 //
275 // Check if it's a process id or not
276 //
277 if (!SetProcId && CompareLowerCaseStrings(Section, "pid"))
278 {
279 NextIsProcId = TRUE;
280 continue;
281 }
282
283 //
284 // Check if it's a length or not
285 //
286 if (!SetLength && CompareLowerCaseStrings(Section, "l"))
287 {
288 NextIsLength = TRUE;
289 continue;
290 }
291
292 if (!SetAddress)
293 {
295 {
296 ShowMessages("err, couldn't resolve error at '%s'\n\n",
299 return;
300 }
301 else
302 {
303 //
304 // Means that the address is set, next we should read value
305 //
306 SetAddress = TRUE;
307 continue;
308 }
309 }
310
311 if (SetAddress)
312 {
313 //
314 // Remove the hex notations
315 //
316 std::string TargetVal = GetCaseSensitiveStringFromCommandToken(Section);
317
318 if (TargetVal.rfind("0x", 0) == 0 || TargetVal.rfind("0X", 0) == 0 ||
319 TargetVal.rfind("\\x", 0) == 0 || TargetVal.rfind("\\X", 0) == 0)
320 {
321 TargetVal = TargetVal.erase(0, 2);
322 }
323 else if (TargetVal.rfind('x', 0) == 0 || TargetVal.rfind('X', 0) == 0)
324 {
325 TargetVal = TargetVal.erase(0, 1);
326 }
327
328 TargetVal.erase(remove(TargetVal.begin(), TargetVal.end(), '`'), TargetVal.end());
329
330 //
331 // Check if the value is valid based on byte counts
332 //
333 if (SearchMemoryRequest.ByteSize == SEARCH_BYTE && TargetVal.size() >= 3)
334 {
335 ShowMessages("please specify a byte (hex) value for 'sb' or '!sb'\n\n");
336 return;
337 }
338
339 if (SearchMemoryRequest.ByteSize == SEARCH_DWORD && TargetVal.size() >= 9)
340 {
341 ShowMessages("please specify a dword (hex) value for 'sd' or '!sd'\n\n");
342 return;
343 }
344
345 if (SearchMemoryRequest.ByteSize == SEARCH_QWORD && TargetVal.size() >= 17)
346 {
347 ShowMessages("please specify a qword (hex) value for 'sq' or '!sq'\n\n");
348 return;
349 }
350
351 //
352 // Qword is checked by the following function, no need to double
353 // check it above.
354 //
355 if (!ConvertStringToUInt64(TargetVal, &Value))
356 {
357 ShowMessages("please specify a correct hex value to search in the "
358 "memory content\n\n");
360 return;
361 }
362 else
363 {
364 //
365 // Add it to the list
366 //
367 ValuesToEdit.push_back(Value);
368
369 //
370 // Keep track of values to modify
371 //
372 CountOfValues++;
373
374 if (!SetValue)
375 {
376 //
377 // At least one value is there
378 //
379 SetValue = TRUE;
380 }
381 continue;
382 }
383 }
384 }
385
386 //
387 // Check to prevent using process id in s* commands
388 //
389 if (g_IsSerialConnectedToRemoteDebuggee && ProcId != 0)
390 {
392 return;
393 }
394
395 if (ProcId == 0)
396 {
397 ProcId = GetCurrentProcessId();
398 }
399
400 //
401 // Fill the structure
402 //
403 SearchMemoryRequest.ProcessId = ProcId;
404 SearchMemoryRequest.Address = Address;
405 SearchMemoryRequest.CountOf64Chunks = CountOfValues;
406
407 //
408 // Check if address and value are set or not
409 //
410 if (!SetAddress)
411 {
412 ShowMessages("please specify a correct hex address\n\n");
414 return;
415 }
416 if (!SetValue)
417 {
418 ShowMessages(
419 "please specify a correct hex value as the content to search\n\n");
421 return;
422 }
423 if (!SetLength)
424 {
425 ShowMessages("please specify a correct hex value as the length\n\n");
427 return;
428 }
429 if (NextIsProcId)
430 {
431 ShowMessages("please specify a correct hex value as the process id\n\n");
433 return;
434 }
435 if (NextIsLength)
436 {
437 ShowMessages("please specify a correct hex length\n\n");
439 return;
440 }
441
442 //
443 // Now it's time to put everything together in one structure
444 //
445 FinalSize = (CountOfValues * sizeof(UINT64)) + SIZEOF_DEBUGGER_SEARCH_MEMORY;
446
447 //
448 // Set the size
449 //
450 SearchMemoryRequest.FinalStructureSize = FinalSize;
451
452 //
453 // Set the length
454 //
455 SearchMemoryRequest.Length = Length;
456
458 {
460 }
461
462 //
463 // Allocate structure + buffer
464 //
465 FinalBuffer = (UINT64 *)malloc(FinalSize);
466
467 if (!FinalBuffer)
468 {
469 ShowMessages("unable to allocate memory\n\n");
470 return;
471 }
472
473 //
474 // Zero the buffer
475 //
476 ZeroMemory(FinalBuffer, FinalSize);
477
478 //
479 // Copy the structure on top of the allocated buffer
480 //
481 memcpy(FinalBuffer, &SearchMemoryRequest, SIZEOF_DEBUGGER_SEARCH_MEMORY);
482
483 //
484 // Put the values in 64 bit structures
485 //
486 std::copy(ValuesToEdit.begin(), ValuesToEdit.end(), (UINT64 *)((UINT64)FinalBuffer + SIZEOF_DEBUGGER_SEARCH_MEMORY));
487
488 //
489 // Check if it's a connection in debugger mode
490 //
492 {
493 //
494 // The buffer should be sent to the debugger
495 //
496 KdSendSearchRequestPacketToDebuggee(FinalBuffer, FinalSize);
497 }
498 else
499 {
500 //
501 // it's a local connection, send the buffer directly
502 //
503 CommandSearchSendRequest(FinalBuffer, FinalSize);
504 }
505
506 //
507 // Free the buffers
508 //
509 free(FinalBuffer);
510}
VOID SetValue(PGUEST_REGS GuestRegs, SCRIPT_ENGINE_GENERAL_REGISTERS *ScriptGeneralRegisters, PSYMBOL Symbol, UINT64 Value)
Set the value.
Definition ScriptEngineEval.c:185
BOOLEAN g_IsSerialConnectedToRemoteDebuggee
Shows if the debugger was connected to remote debuggee over (A remote guest).
Definition globals.h:253
ACTIVE_DEBUGGING_PROCESS g_ActiveProcessDebuggingState
State of active debugging thread.
Definition globals.h:372
int BOOL
Definition BasicTypes.h:25
UCHAR BOOLEAN
Definition BasicTypes.h:35
#define TRUE
Definition BasicTypes.h:114
#define FALSE
Definition BasicTypes.h:113
unsigned int UINT32
Definition BasicTypes.h:54
@ SEARCH_QWORD
Definition RequestStructures.h:537
@ SEARCH_BYTE
Definition RequestStructures.h:535
@ SEARCH_DWORD
Definition RequestStructures.h:536
@ SEARCH_PHYSICAL_MEMORY
Definition RequestStructures.h:523
@ SEARCH_VIRTUAL_MEMORY
Definition RequestStructures.h:524
#define SIZEOF_DEBUGGER_SEARCH_MEMORY
Definition RequestStructures.h:515
struct _DEBUGGER_SEARCH_MEMORY DEBUGGER_SEARCH_MEMORY
request for searching memory
std::string GetCaseSensitiveStringFromCommandToken(CommandToken TargetToken)
Get case sensitive string from command token.
Definition common.cpp:467
std::string GetLowerStringFromCommandToken(CommandToken TargetToken)
Get lower case string from command token.
Definition common.cpp:484
BOOLEAN CompareLowerCaseStrings(CommandToken TargetToken, const CHAR *StringToCompare)
Compare lower case strings.
Definition common.cpp:503
BOOLEAN ConvertTokenToUInt64(CommandToken TargetToken, PUINT64 Result)
add ` between 64 bit values and convert them to string
Definition common.cpp:447
BOOLEAN ConvertTokenToUInt32(CommandToken TargetToken, PUINT32 Result)
check and convert command token to a 32 bit unsigned integer
Definition common.cpp:546
RequestedActionOfThePacket Value(0x1) 00000000
BOOLEAN KdSendSearchRequestPacketToDebuggee(UINT64 *SearchRequestBuffer, UINT32 SearchRequestBufferSize)
Sends search query request packet to the debuggee.
Definition kd.cpp:1353
#define ASSERT_MESSAGE_KD_NOT_LOADED
Definition common.h:29
#define ASSERT_MESSAGE_CANNOT_SPECIFY_PID
Definition common.h:39
BOOLEAN ConvertStringToUInt64(string TextToConvert, PUINT64 Result)
#define AssertShowMessageReturnStmt(expr1, expr2, message1, message2, rc)
Definition common.h:59
#define AssertReturn
Definition common.h:19
#define ASSERT_MESSAGE_DRIVER_NOT_LOADED
Definition common.h:27
HANDLE g_DeviceHandle
Holds the global handle of device which is used to send the request to the kernel by IOCTL,...
Definition globals.h:481
BOOLEAN g_IsKdModuleLoaded
shows whether the kernel debugger (KD) module is loaded or not
Definition globals.h:22
NULL()
Definition test-case-generator.py:530
VOID CommandSearchSendRequest(UINT64 *BufferToSendAsIoctl, UINT32 BufferToSendAsIoctlSize)
Send the request of search to the kernel.
Definition s.cpp:63
VOID CommandSearchMemoryHelp()
help of !s* s* commands
Definition s.cpp:27
UINT64 Length
Definition RequestStructures.h:548
UINT32 ProcessId
Definition RequestStructures.h:549
UINT32 CountOf64Chunks
Definition RequestStructures.h:552
UINT32 FinalStructureSize
Definition RequestStructures.h:553
UINT64 Address
Definition RequestStructures.h:547
DEBUGGER_SEARCH_MEMORY_BYTE_SIZE ByteSize
Definition RequestStructures.h:551
DEBUGGER_SEARCH_MEMORY_TYPE MemoryType
Definition RequestStructures.h:550
BOOLEAN SymbolConvertNameOrExprToAddress(const string &TextToConvert, PUINT64 Result)
check and convert string to a 64 bit unsigned integer and also check for symbol object names and eval...
Definition symbol.cpp:359

◆ CommandSearchMemoryHelp()

VOID CommandSearchMemoryHelp ( )

help of !s* s* commands

Returns
VOID
28{
29 ShowMessages("sb !sb sd !sd sq !sq : searches a contiguous memory for a "
30 "special byte pattern\n");
31 ShowMessages("sb Byte and ASCII characters\n");
32 ShowMessages("sd Double-word values (4 bytes)\n");
33 ShowMessages("sq Quad-word values (8 bytes). \n");
34
35 ShowMessages(
36 "\n If you want to search in physical (address) memory then add '!' "
37 "at the start of the command\n");
38
39 ShowMessages("syntax : \tsb [StartAddress (hex)] [l Length (hex)] [BytePattern (hex)] [pid ProcessId (hex)]\n");
40 ShowMessages("syntax : \tsd [StartAddress (hex)] [l Length (hex)] [BytePattern (hex)] [pid ProcessId (hex)]\n");
41 ShowMessages("syntax : \tsq [StartAddress (hex)] [l Length (hex)] [BytePattern (hex)] [pid ProcessId (hex)]\n");
42
43 ShowMessages("\n");
44 ShowMessages("\t\te.g : sb nt!ExAllocatePoolWithTag 90 85 95 l ffff \n");
45 ShowMessages("\t\te.g : sb nt!ExAllocatePoolWithTag+5 90 85 95 l ffff \n");
46 ShowMessages("\t\te.g : sb @rcx+5 90 85 95 l ffff \n");
47 ShowMessages("\t\te.g : sb fffff8077356f010 90 85 95 l ffff \n");
48 ShowMessages("\t\te.g : sd fffff8077356f010 90423580 l ffff pid 1c0 \n");
49 ShowMessages("\t\te.g : !sq 100000 9090909090909090 l ffff\n");
50 ShowMessages("\t\te.g : !sq @rdx+r12 9090909090909090 l ffff\n");
51 ShowMessages("\t\te.g : !sq 100000 9090909090909090 9090909090909090 "
52 "9090909090909090 l ffffff\n");
53}

◆ CommandSearchSendRequest()

VOID CommandSearchSendRequest ( UINT64 * BufferToSendAsIoctl,
UINT32 BufferToSendAsIoctlSize )

Send the request of search to the kernel.

Parameters
BufferToSendAsIoctl
BufferToSendAsIoctlSize
Returns
VOID
64{
65 BOOL Status;
66 DWORD BytesReturned;
67 UINT64 CurrentValue;
68 PUINT64 ResultsBuffer = NULL;
69
70 //
71 // Allocate a buffer to store the results
72 //
73 ResultsBuffer = (PUINT64)malloc(MaximumSearchResults * sizeof(UINT64));
74
75 //
76 // Also it's better to Zero the memory; however it's not necessary
77 // as we zero the buffer in the search routines
78 //
79 ZeroMemory(ResultsBuffer, MaximumSearchResults * sizeof(UINT64));
80
81 //
82 // Fire the IOCTL
83 //
84 Status =
85 DeviceIoControl(g_DeviceHandle, // Handle to device
86 IOCTL_DEBUGGER_SEARCH_MEMORY, // IO Control Code (IOCTL)
87 BufferToSendAsIoctl, // Input Buffer to driver.
88 BufferToSendAsIoctlSize, // Input buffer length
89 ResultsBuffer, // Output Buffer from driver.
91 sizeof(UINT64), // Length of output buffer in bytes.
92 &BytesReturned, // Bytes placed in buffer.
93 NULL // synchronous call
94 );
95
96 if (!Status)
97 {
98 ShowMessages("ioctl failed with code 0x%x\n", GetLastError());
99
100 free(ResultsBuffer);
101 return;
102 }
103
104 //
105 // Show the results (if any)
106 //
107 for (SIZE_T i = 0; i < MaximumSearchResults; i++)
108 {
109 CurrentValue = ResultsBuffer[i];
110
111 if (CurrentValue == NULL)
112 {
113 //
114 // We ended up the buffer, nothing else to show,
115 // just check whether we found anything or not
116 //
117 if (i == 0)
118 {
119 ShowMessages("not found\n");
120 }
121 break;
122 }
123 ShowMessages("%llx\n", CurrentValue);
124 }
125
126 //
127 // Free buffer
128 //
129 free(ResultsBuffer);
130}
unsigned long DWORD
Definition BasicTypes.h:38
#define MaximumSearchResults
maximum results that will be returned by !s* s* command
Definition Constants.h:516
#define IOCTL_DEBUGGER_SEARCH_MEMORY
ioctl, request to search virtual and physical memory
Definition Ioctls.h:199

Variable Documentation

◆ g_ActiveProcessDebuggingState

ACTIVE_DEBUGGING_PROCESS g_ActiveProcessDebuggingState
extern

State of active debugging thread.

372{0};

◆ g_IsKdModuleLoaded

BOOLEAN g_IsKdModuleLoaded
extern

shows whether the kernel debugger (KD) module is loaded or not

◆ g_IsSerialConnectedToRemoteDebuggee

BOOLEAN g_IsSerialConnectedToRemoteDebuggee
extern

Shows if the debugger was connected to remote debuggee over (A remote guest).