HyperDbg Debugger
Loading...
Searching...
No Matches
Functions
syscall-sysret.cpp File Reference

!syscall and !sysret commands More...

#include "pch.h"

Functions

VOID CommandSyscallHelp ()
 help of the !syscall command
 
VOID CommandSysretHelp ()
 help of the !sysret command
 
VOID CommandSyscallAndSysret (vector< string > SplitCommand, string Command)
 !syscall, !syscall2 and !sysret, !sysret2 commands handler
 

Detailed Description

!syscall and !sysret commands

Author
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
Version
0.1
Date
2020-05-27
Copyright
This project is released under the GNU Public License v3.

Function Documentation

◆ CommandSyscallAndSysret()

VOID CommandSyscallAndSysret ( vector< string > SplitCommand,
string Command )

!syscall, !syscall2 and !sysret, !sysret2 commands handler

Parameters
SplitCommand
Command
Returns
VOID
85{
86 PDEBUGGER_GENERAL_EVENT_DETAIL Event = NULL;
87 PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger = NULL;
88 PDEBUGGER_GENERAL_ACTION ActionCustomCode = NULL;
89 PDEBUGGER_GENERAL_ACTION ActionScript = NULL;
90 UINT32 EventLength;
91 UINT32 ActionBreakToDebuggerLength = 0;
92 UINT32 ActionCustomCodeLength = 0;
93 UINT32 ActionScriptLength = 0;
94 UINT64 SpecialTarget = DEBUGGER_EVENT_SYSCALL_ALL_SYSRET_OR_SYSCALLS;
95 BOOLEAN GetSyscallNumber = FALSE;
96 vector<string> SplitCommandCaseSensitive {Split(Command, ' ')};
97 DEBUGGER_EVENT_PARSING_ERROR_CAUSE EventParsingErrorCause;
98 string Cmd;
99
100 //
101 // Interpret and fill the general event and action fields
102 //
103 //
104 Cmd = SplitCommand.at(0);
105 if (!Cmd.compare("!syscall") || !Cmd.compare("!syscall2"))
106 {
107 if (!InterpretGeneralEventAndActionsFields(
108 &SplitCommand,
109 &SplitCommandCaseSensitive,
110 SYSCALL_HOOK_EFER_SYSCALL,
111 &Event,
112 &EventLength,
113 &ActionBreakToDebugger,
114 &ActionBreakToDebuggerLength,
115 &ActionCustomCode,
116 &ActionCustomCodeLength,
117 &ActionScript,
118 &ActionScriptLength,
119 &EventParsingErrorCause))
120 {
121 return;
122 }
123 }
124 else
125 {
126 if (!InterpretGeneralEventAndActionsFields(
127 &SplitCommand,
128 &SplitCommandCaseSensitive,
129 SYSCALL_HOOK_EFER_SYSRET,
130 &Event,
131 &EventLength,
132 &ActionBreakToDebugger,
133 &ActionBreakToDebuggerLength,
134 &ActionCustomCode,
135 &ActionCustomCodeLength,
136 &ActionScript,
137 &ActionScriptLength,
138 &EventParsingErrorCause))
139 {
140 return;
141 }
142 }
143
144 //
145 // Interpret command specific details (if any)
146 //
147
148 //
149 // Currently we do not support any extra argument for !sysret command
150 // it is because we don't know how to find syscall number in sysret
151 // and we don't wanna deal with dynamic mapping of rcx (user stack)
152 // in vmx-root
153 //
154 if (!Cmd.compare("!syscall") || !Cmd.compare("!syscall2"))
155 {
156 for (auto Section : SplitCommand)
157 {
158 if (!Section.compare("!syscall") ||
159 !Section.compare("!syscall2") ||
160 !Section.compare("!sysret") ||
161 !Section.compare("!sysret2"))
162 {
163 continue;
164 }
165
166 else if (!GetSyscallNumber)
167 {
168 //
169 // It's probably a syscall address
170 //
171 if (!ConvertStringToUInt64(Section, &SpecialTarget))
172 {
173 //
174 // Unknown parameter
175 //
176 ShowMessages("unknown parameter '%s'\n\n", Section.c_str());
177
178 if (!Cmd.compare("!syscall") || !Cmd.compare("!syscall2"))
179 {
180 CommandSyscallHelp();
181 }
182 else
183 {
184 CommandSysretHelp();
185 }
186
187 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
188 return;
189 }
190 else
191 {
192 GetSyscallNumber = TRUE;
193 }
194 }
195 else
196 {
197 //
198 // Unknown parameter
199 //
200 ShowMessages("unknown parameter '%s'\n\n", Section.c_str());
201
202 if (!Cmd.compare("!syscall") || !Cmd.compare("!syscall2"))
203 {
204 CommandSyscallHelp();
205 }
206 else
207 {
208 CommandSysretHelp();
209 }
210
211 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
212 return;
213 }
214 }
215
216 //
217 // Set the target syscall
218 //
219 Event->Options.OptionalParam1 = SpecialTarget;
220 }
221
222 //
223 // Set whether it's !syscall or !syscall2 or !sysret or !sysret2
224 //
225 if (!Cmd.compare("!syscall2") || !Cmd.compare("!sysret2"))
226 {
227 //
228 // It's a !syscall2 or !sysret2
229 //
230 Event->Options.OptionalParam2 = DEBUGGER_EVENT_SYSCALL_SYSRET_HANDLE_ALL_UD;
231 }
232 else
233 {
234 //
235 // It's a !syscall or !sysret
236 //
237 Event->Options.OptionalParam2 = DEBUGGER_EVENT_SYSCALL_SYSRET_SAFE_ACCESS_MEMORY;
238 }
239
240 //
241 // Send the ioctl to the kernel for event registration
242 //
243 if (!SendEventToKernel(Event, EventLength))
244 {
245 //
246 // There was an error, probably the handle was not initialized
247 // we have to free the Action before exit, it is because, we
248 // already freed the Event and string buffers
249 //
250
251 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
252 return;
253 }
254
255 //
256 // Add the event to the kernel
257 //
258 if (!RegisterActionToEvent(Event,
259 ActionBreakToDebugger,
260 ActionBreakToDebuggerLength,
261 ActionCustomCode,
262 ActionCustomCodeLength,
263 ActionScript,
264 ActionScriptLength))
265 {
266 //
267 // There was an error
268 //
269
270 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
271 return;
272 }
273}
BOOLEAN
UCHAR BOOLEAN
Definition BasicTypes.h:39
TRUE
#define TRUE
Definition BasicTypes.h:55
FALSE
#define FALSE
Definition BasicTypes.h:54
UINT64
unsigned __int64 UINT64
Definition BasicTypes.h:21
UINT32
unsigned int UINT32
Definition BasicTypes.h:48
DEBUGGER_EVENT_SYSCALL_ALL_SYSRET_OR_SYSCALLS
#define DEBUGGER_EVENT_SYSCALL_ALL_SYSRET_OR_SYSCALLS
Apply to all syscalls and sysrets.
Definition Constants.h:635
Split
const vector< string > Split(const string &s, const char &c)
general split command
Definition common.cpp:117
ConvertStringToUInt64
BOOLEAN ConvertStringToUInt64(string TextToConvert, PUINT64 Result)
check and convert string to a 64 bit unsigned integer and also check for special notations like 0x,...
Definition common.cpp:240
FreeEventsAndActionsMemory
VOID FreeEventsAndActionsMemory(PDEBUGGER_GENERAL_EVENT_DETAIL Event, PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger, PDEBUGGER_GENERAL_ACTION ActionCustomCode, PDEBUGGER_GENERAL_ACTION ActionScript)
Deallocate buffers relating to events and actions.
Definition debugger.cpp:2292
InterpretGeneralEventAndActionsFields
BOOLEAN InterpretGeneralEventAndActionsFields(vector< string > *SplitCommand, vector< string > *SplitCommandCaseSensitive, VMM_EVENT_TYPE_ENUM EventType, PDEBUGGER_GENERAL_EVENT_DETAIL *EventDetailsToFill, PUINT32 EventBufferLength, PDEBUGGER_GENERAL_ACTION *ActionDetailsToFillBreakToDebugger, PUINT32 ActionBufferLengthBreakToDebugger, PDEBUGGER_GENERAL_ACTION *ActionDetailsToFillCustomCode, PUINT32 ActionBufferLengthCustomCode, PDEBUGGER_GENERAL_ACTION *ActionDetailsToFillScript, PUINT32 ActionBufferLengthScript, PDEBUGGER_EVENT_PARSING_ERROR_CAUSE ReasonForErrorInParsing)
Interpret general event fields.
Definition debugger.cpp:2342
SendEventToKernel
BOOLEAN SendEventToKernel(PDEBUGGER_GENERAL_EVENT_DETAIL Event, UINT32 EventBufferLength)
Register the event to the kernel.
Definition debugger.cpp:1969
RegisterActionToEvent
BOOLEAN RegisterActionToEvent(PDEBUGGER_GENERAL_EVENT_DETAIL Event, PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger, UINT32 ActionBreakToDebuggerLength, PDEBUGGER_GENERAL_ACTION ActionCustomCode, UINT32 ActionCustomCodeLength, PDEBUGGER_GENERAL_ACTION ActionScript, UINT32 ActionScriptLength)
Register the action to the event.
Definition debugger.cpp:2086
SYSCALL_HOOK_EFER_SYSCALL
@ SYSCALL_HOOK_EFER_SYSCALL
Definition Events.h:117
SYSCALL_HOOK_EFER_SYSRET
@ SYSCALL_HOOK_EFER_SYSRET
Definition Events.h:118
DEBUGGER_EVENT_SYSCALL_SYSRET_SAFE_ACCESS_MEMORY
@ DEBUGGER_EVENT_SYSCALL_SYSRET_SAFE_ACCESS_MEMORY
Definition Events.h:192
DEBUGGER_EVENT_SYSCALL_SYSRET_HANDLE_ALL_UD
@ DEBUGGER_EVENT_SYSCALL_SYSRET_HANDLE_ALL_UD
Definition Events.h:193
DEBUGGER_EVENT_PARSING_ERROR_CAUSE
enum _DEBUGGER_EVENT_PARSING_ERROR_CAUSE DEBUGGER_EVENT_PARSING_ERROR_CAUSE
Reason for error in parsing commands.
ShowMessages
VOID ShowMessages(const char *Fmt,...)
Show messages.
Definition libhyperdbg.cpp:96
test-case-generator.NULL
NULL()
Definition test-case-generator.py:530
_DEBUGGER_EVENT_OPTIONS::OptionalParam2
UINT64 OptionalParam2
Definition Events.h:273
_DEBUGGER_EVENT_OPTIONS::OptionalParam1
UINT64 OptionalParam1
Definition Events.h:272
_DEBUGGER_GENERAL_ACTION
Each event can have multiple actions.
Definition Events.h:406
_DEBUGGER_GENERAL_EVENT_DETAIL
Each command is like the following struct, it also used for tracing works in user mode and sending it...
Definition Events.h:350
_DEBUGGER_GENERAL_EVENT_DETAIL::Options
DEBUGGER_EVENT_OPTIONS Options
Definition Events.h:391
CommandSysretHelp
VOID CommandSysretHelp()
help of the !sysret command
Definition syscall-sysret.cpp:54
CommandSyscallHelp
VOID CommandSyscallHelp()
help of the !syscall command
Definition syscall-sysret.cpp:20

◆ CommandSyscallHelp()

VOID CommandSyscallHelp ( )

help of the !syscall command

Returns
VOID
21{
22 ShowMessages("!syscall : monitors and hooks all execution of syscall "
23 "instructions (by accessing memory and checking for instructions).\n\n");
24 ShowMessages("!syscall2 : monitors and hooks all execution of syscall "
25 "instructions (by emulating all #UDs).\n\n");
26
27 ShowMessages("syntax : \t!syscall [SyscallNumber (hex)] [pid ProcessId (hex)] [core CoreId (hex)] "
28 "[imm IsImmediate (yesno)] [sc EnableShortCircuiting (onoff)] [stage CallingStage (prepostall)] "
29 "[buffer PreAllocatedBuffer (hex)] [script { Script (string) }] [asm condition { Condition (assembly/hex) }] "
30 "[asm code { Code (assembly/hex) }] [output {OutputName (string)}]\n");
31 ShowMessages("syntax : \t!syscall2 [SyscallNumber (hex)] [pid ProcessId (hex)] [core CoreId (hex)] "
32 "[imm IsImmediate (yesno)] [sc EnableShortCircuiting (onoff)] [stage CallingStage (prepostall)] "
33 "[buffer PreAllocatedBuffer (hex)] [script { Script (string) }] [asm condition { Condition (assembly/hex) }] "
34 "[asm code { Code (assembly/hex) }] [output {OutputName (string)}]\n");
35
36 ShowMessages("\n");
37 ShowMessages("\t\te.g : !syscall\n");
38 ShowMessages("\t\te.g : !syscall2\n");
39 ShowMessages("\t\te.g : !syscall 0x55\n");
40 ShowMessages("\t\te.g : !syscall2 0x55\n");
41 ShowMessages("\t\te.g : !syscall 0x55 pid 400\n");
42 ShowMessages("\t\te.g : !syscall 0x55 core 2 pid 400\n");
43 ShowMessages("\t\te.g : !syscall2 0x55 core 2 pid 400\n");
44 ShowMessages("\t\te.g : !syscall script { printf(\"system-call num: %%llx, at process id: %%x\\n\", @rax, $pid); }\n");
45 ShowMessages("\t\te.g : !syscall asm code { nop; nop; nop }\n");
46}

◆ CommandSysretHelp()

VOID CommandSysretHelp ( )

help of the !sysret command

Returns
VOID
55{
56 ShowMessages("!sysret : monitors and hooks all execution of sysret "
57 "instructions (by accessing memory and checking for instructions).\n\n");
58 ShowMessages("!sysret2 : monitors and hooks all execution of sysret "
59 "instructions (by emulating all #UDs).\n\n");
60
61 ShowMessages("syntax : \t!sysret [pid ProcessId (hex)] [core CoreId (hex)] "
62 "[imm IsImmediate (yesno)] [sc EnableShortCircuiting (onoff)] [buffer PreAllocatedBuffer (hex)] "
63 "[script { Script (string) }] [asm condition { Condition (assembly/hex) }] [asm code { Code (assembly/hex) }]\n");
64
65 ShowMessages("\n");
66 ShowMessages("\t\te.g : !sysret\n");
67 ShowMessages("\t\te.g : !sysret2\n");
68 ShowMessages("\t\te.g : !sysret pid 400\n");
69 ShowMessages("\t\te.g : !sysret2 pid 400\n");
70 ShowMessages("\t\te.g : !sysret core 2 pid 400\n");
71 ShowMessages("\t\te.g : !sysret2 core 2 pid 400\n");
72 ShowMessages("\t\te.g : !sysret script { printf(\"SYSRET instruction is executed at process id: %%x\\n\", $pid); }\n");
73 ShowMessages("\t\te.g : !sysret asm code { nop; nop; nop }\n");
74}