HyperDbg Debugger
Loading...
Searching...
No Matches
syscall-sysret.cpp File Reference

!syscall and !sysret commands More...

#include "pch.h"

Functions

VOID CommandSyscallHelp ()
 help of the !syscall command
VOID CommandSysretHelp ()
 help of the !sysret command
VOID CommandSyscallAndSysret (vector< CommandToken > CommandTokens, string Command)
 !syscall, !syscall2 and !sysret, !sysret2 commands handler

Detailed Description

!syscall and !sysret commands

Author
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
Version
0.1
Date
2020-05-27

Function Documentation

◆ CommandSyscallAndSysret()

VOID CommandSyscallAndSysret ( vector< CommandToken > CommandTokens,
string Command )

!syscall, !syscall2 and !sysret, !sysret2 commands handler

Parameters
CommandTokens
Command
Returns
VOID
86{
88 PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger = NULL;
89 PDEBUGGER_GENERAL_ACTION ActionCustomCode = NULL;
90 PDEBUGGER_GENERAL_ACTION ActionScript = NULL;
91 UINT32 EventLength;
92 UINT32 ActionBreakToDebuggerLength = 0;
93 UINT32 ActionCustomCodeLength = 0;
94 UINT32 ActionScriptLength = 0;
96 BOOLEAN GetSyscallNumber = FALSE;
97 DEBUGGER_EVENT_PARSING_ERROR_CAUSE EventParsingErrorCause;
98 string Cmd;
99
100 //
101 // Interpret and fill the general event and action fields
102 //
103 //
104 Cmd = GetLowerStringFromCommandToken(CommandTokens.at(0));
105
106 if (!Cmd.compare("!syscall") || !Cmd.compare("!syscall2"))
107 {
109 &CommandTokens,
111 &Event,
112 &EventLength,
113 &ActionBreakToDebugger,
114 &ActionBreakToDebuggerLength,
115 &ActionCustomCode,
116 &ActionCustomCodeLength,
117 &ActionScript,
118 &ActionScriptLength,
119 &EventParsingErrorCause))
120 {
121 return;
122 }
123 }
124 else
125 {
127 &CommandTokens,
129 &Event,
130 &EventLength,
131 &ActionBreakToDebugger,
132 &ActionBreakToDebuggerLength,
133 &ActionCustomCode,
134 &ActionCustomCodeLength,
135 &ActionScript,
136 &ActionScriptLength,
137 &EventParsingErrorCause))
138 {
139 return;
140 }
141 }
142
143 //
144 // Interpret command specific details (if any)
145 //
146
147 //
148 // Currently we do not support any extra argument for !sysret command
149 // it is because we don't know how to find syscall number in sysret
150 // and we don't wanna deal with dynamic mapping of rcx (user stack)
151 // in vmx-root
152 //
153 if (!Cmd.compare("!syscall") || !Cmd.compare("!syscall2"))
154 {
155 for (auto Section : CommandTokens)
156 {
157 if (CompareLowerCaseStrings(Section, "!syscall") ||
158 CompareLowerCaseStrings(Section, "!syscall2") ||
159 CompareLowerCaseStrings(Section, "!sysret") ||
160 CompareLowerCaseStrings(Section, "!sysret2"))
161 {
162 continue;
163 }
164
165 else if (!GetSyscallNumber)
166 {
167 //
168 // It's probably a syscall address
169 //
172 &SpecialTarget))
173 {
174 //
175 // Unknown parameter
176 //
177 ShowMessages("unknown parameter '%s'\n\n",
179
180 if (!Cmd.compare("!syscall") || !Cmd.compare("!syscall2"))
181 {
183 }
184 else
185 {
187 }
188
189 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
190 return;
191 }
192 else
193 {
194 GetSyscallNumber = TRUE;
195 }
196 }
197 else
198 {
199 //
200 // Unknown parameter
201 //
202 ShowMessages("unknown parameter '%s'\n\n",
204
205 if (!Cmd.compare("!syscall") || !Cmd.compare("!syscall2"))
206 {
208 }
209 else
210 {
212 }
213
214 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
215 return;
216 }
217 }
218
219 //
220 // Set the target syscall
221 //
222 Event->Options.OptionalParam1 = SpecialTarget;
223 }
224
225 //
226 // Set whether it's !syscall or !syscall2 or !sysret or !sysret2
227 //
228 if (!Cmd.compare("!syscall2") || !Cmd.compare("!sysret2"))
229 {
230 //
231 // It's a !syscall2 or !sysret2
232 //
234 }
235 else
236 {
237 //
238 // It's a !syscall or !sysret
239 //
241 }
242
243 //
244 // Send the ioctl to the kernel for event registration
245 //
246 if (!SendEventToKernel(Event, EventLength))
247 {
248 //
249 // There was an error, probably the handle was not initialized
250 // we have to free the Action before exit, it is because, we
251 // already freed the Event and string buffers
252 //
253
254 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
255 return;
256 }
257
258 //
259 // Add the event to the kernel
260 //
261 if (!RegisterActionToEvent(Event,
262 ActionBreakToDebugger,
263 ActionBreakToDebuggerLength,
264 ActionCustomCode,
265 ActionCustomCodeLength,
266 ActionScript,
267 ActionScriptLength))
268 {
269 //
270 // There was an error
271 //
272
273 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
274 return;
275 }
276}
UCHAR BOOLEAN
Definition BasicTypes.h:35
#define TRUE
Definition BasicTypes.h:114
#define FALSE
Definition BasicTypes.h:113
unsigned int UINT32
Definition BasicTypes.h:54
#define DEBUGGER_EVENT_SYSCALL_ALL_SYSRET_OR_SYSCALLS
Apply to all syscalls and sysrets.
Definition Constants.h:763
@ SYSCALL_HOOK_EFER_SYSCALL
Definition Events.h:117
@ SYSCALL_HOOK_EFER_SYSRET
Definition Events.h:118
@ DEBUGGER_EVENT_SYSCALL_SYSRET_SAFE_ACCESS_MEMORY
Definition Events.h:197
@ DEBUGGER_EVENT_SYSCALL_SYSRET_HANDLE_ALL_UD
Definition Events.h:198
struct _DEBUGGER_GENERAL_EVENT_DETAIL * PDEBUGGER_GENERAL_EVENT_DETAIL
struct _DEBUGGER_GENERAL_ACTION * PDEBUGGER_GENERAL_ACTION
std::string GetCaseSensitiveStringFromCommandToken(CommandToken TargetToken)
Get case sensitive string from command token.
Definition common.cpp:467
std::string GetLowerStringFromCommandToken(CommandToken TargetToken)
Get lower case string from command token.
Definition common.cpp:484
BOOLEAN CompareLowerCaseStrings(CommandToken TargetToken, const CHAR *StringToCompare)
Compare lower case strings.
Definition common.cpp:503
VOID FreeEventsAndActionsMemory(PDEBUGGER_GENERAL_EVENT_DETAIL Event, PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger, PDEBUGGER_GENERAL_ACTION ActionCustomCode, PDEBUGGER_GENERAL_ACTION ActionScript)
Deallocate buffers relating to events and actions.
Definition debugger.cpp:1688
BOOLEAN InterpretGeneralEventAndActionsFields(vector< CommandToken > *CommandTokens, VMM_EVENT_TYPE_ENUM EventType, PDEBUGGER_GENERAL_EVENT_DETAIL *EventDetailsToFill, PUINT32 EventBufferLength, PDEBUGGER_GENERAL_ACTION *ActionDetailsToFillBreakToDebugger, PUINT32 ActionBufferLengthBreakToDebugger, PDEBUGGER_GENERAL_ACTION *ActionDetailsToFillCustomCode, PUINT32 ActionBufferLengthCustomCode, PDEBUGGER_GENERAL_ACTION *ActionDetailsToFillScript, PUINT32 ActionBufferLengthScript, PDEBUGGER_EVENT_PARSING_ERROR_CAUSE ReasonForErrorInParsing)
Interpret general event fields.
Definition debugger.cpp:1736
BOOLEAN SendEventToKernel(PDEBUGGER_GENERAL_EVENT_DETAIL Event, UINT32 EventBufferLength)
Register the event to the kernel.
Definition debugger.cpp:1367
BOOLEAN RegisterActionToEvent(PDEBUGGER_GENERAL_EVENT_DETAIL Event, PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger, UINT32 ActionBreakToDebuggerLength, PDEBUGGER_GENERAL_ACTION ActionCustomCode, UINT32 ActionCustomCodeLength, PDEBUGGER_GENERAL_ACTION ActionScript, UINT32 ActionScriptLength)
Register the action to the event.
Definition debugger.cpp:1483
enum _DEBUGGER_EVENT_PARSING_ERROR_CAUSE DEBUGGER_EVENT_PARSING_ERROR_CAUSE
Reason for error in parsing commands.
NULL()
Definition test-case-generator.py:530
UINT64 OptionalParam2
Definition Events.h:278
UINT64 OptionalParam1
Definition Events.h:277
DEBUGGER_EVENT_OPTIONS Options
Definition Events.h:396
BOOLEAN SymbolConvertNameOrExprToAddress(const string &TextToConvert, PUINT64 Result)
check and convert string to a 64 bit unsigned integer and also check for symbol object names and eval...
Definition symbol.cpp:359
VOID CommandSysretHelp()
help of the !sysret command
Definition syscall-sysret.cpp:54
VOID CommandSyscallHelp()
help of the !syscall command
Definition syscall-sysret.cpp:20

◆ CommandSyscallHelp()

VOID CommandSyscallHelp ( )

help of the !syscall command

Returns
VOID
21{
22 ShowMessages("!syscall : monitors and hooks all execution of syscall "
23 "instructions (by accessing memory and checking for instructions).\n\n");
24 ShowMessages("!syscall2 : monitors and hooks all execution of syscall "
25 "instructions (by emulating all #UDs).\n\n");
26
27 ShowMessages("syntax : \t!syscall [SyscallNumber (hex)] [pid ProcessId (hex)] [core CoreId (hex)] "
28 "[imm IsImmediate (yesno)] [sc EnableShortCircuiting (onoff)] [stage CallingStage (prepostall)] "
29 "[buffer PreAllocatedBuffer (hex)] [script { Script (string) }] [asm condition { Condition (assembly/hex) }] "
30 "[asm code { Code (assembly/hex) }] [output {OutputName (string)}]\n");
31 ShowMessages("syntax : \t!syscall2 [SyscallNumber (hex)] [pid ProcessId (hex)] [core CoreId (hex)] "
32 "[imm IsImmediate (yesno)] [sc EnableShortCircuiting (onoff)] [stage CallingStage (prepostall)] "
33 "[buffer PreAllocatedBuffer (hex)] [script { Script (string) }] [asm condition { Condition (assembly/hex) }] "
34 "[asm code { Code (assembly/hex) }] [output {OutputName (string)}]\n");
35
36 ShowMessages("\n");
37 ShowMessages("\t\te.g : !syscall\n");
38 ShowMessages("\t\te.g : !syscall2\n");
39 ShowMessages("\t\te.g : !syscall 0x55\n");
40 ShowMessages("\t\te.g : !syscall2 0x55\n");
41 ShowMessages("\t\te.g : !syscall 0x55 pid 400\n");
42 ShowMessages("\t\te.g : !syscall 0x55 core 2 pid 400\n");
43 ShowMessages("\t\te.g : !syscall2 0x55 core 2 pid 400\n");
44 ShowMessages("\t\te.g : !syscall script { printf(\"system-call num: %%llx, at process id: %%x\\n\", @rax, $pid); }\n");
45 ShowMessages("\t\te.g : !syscall asm code { nop; nop; nop }\n");
46}

◆ CommandSysretHelp()

VOID CommandSysretHelp ( )

help of the !sysret command

Returns
VOID
55{
56 ShowMessages("!sysret : monitors and hooks all execution of sysret "
57 "instructions (by accessing memory and checking for instructions).\n\n");
58 ShowMessages("!sysret2 : monitors and hooks all execution of sysret "
59 "instructions (by emulating all #UDs).\n\n");
60
61 ShowMessages("syntax : \t!sysret [pid ProcessId (hex)] [core CoreId (hex)] "
62 "[imm IsImmediate (yesno)] [sc EnableShortCircuiting (onoff)] [buffer PreAllocatedBuffer (hex)] "
63 "[script { Script (string) }] [asm condition { Condition (assembly/hex) }] [asm code { Code (assembly/hex) }]\n");
64
65 ShowMessages("\n");
66 ShowMessages("\t\te.g : !sysret\n");
67 ShowMessages("\t\te.g : !sysret2\n");
68 ShowMessages("\t\te.g : !sysret pid 400\n");
69 ShowMessages("\t\te.g : !sysret2 pid 400\n");
70 ShowMessages("\t\te.g : !sysret core 2 pid 400\n");
71 ShowMessages("\t\te.g : !sysret2 core 2 pid 400\n");
72 ShowMessages("\t\te.g : !sysret script { printf(\"SYSRET instruction is executed at process id: %%x\\n\", $pid); }\n");
73 ShowMessages("\t\te.g : !sysret asm code { nop; nop; nop }\n");
74}