HyperDbg Debugger
Loading...
Searching...
No Matches
Functions | Variables
thread.cpp File Reference

show and change threads More...

#include "pch.h"

Functions

VOID CommandThreadHelp ()
 help of the .thread command
 
BOOLEAN CommandThreadListThreads (UINT64 Eprocess)
 
VOID CommandThread (vector< string > SplitCommand, string Command)
 .thread command handler
 

Variables

BOOLEAN g_IsSerialConnectedToRemoteDebuggee
 Shows if the debugger was connected to remote debuggee over (A remote guest)
 

Detailed Description

show and change threads

Author
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
Version
0.1
Date
2021-11-23
Copyright
This project is released under the GNU Public License v3.

Function Documentation

◆ CommandThread()

VOID CommandThread ( vector< string > SplitCommand,
string Command )

.thread command handler

Parameters
SplitCommand
Command
Returns
VOID
120{
121 UINT32 TargetThreadId = 0;
122 UINT64 TargetThread = 0;
123 UINT64 TargetProcess = 0;
124 BOOLEAN CheckByClkIntr = FALSE;
125
126 if (SplitCommand.size() >= 5)
127 {
128 ShowMessages("incorrect use of the '.thread'\n\n");
129 CommandThreadHelp();
130 return;
131 }
132
133 if (SplitCommand.size() == 1)
134 {
135 //
136 // Check if it's connected to a remote debuggee or not
137 //
138 if (!g_IsSerialConnectedToRemoteDebuggee)
139 {
140 ObjectShowProcessesOrThreadDetails(FALSE);
141 }
142 else
143 {
144 //
145 // Send the packet to get current thread
146 //
147 KdSendSwitchThreadPacketToDebuggee(DEBUGGEE_DETAILS_AND_SWITCH_THREAD_GET_THREAD_DETAILS,
148 NULL,
149 NULL,
150 FALSE,
151 NULL);
152 }
153 }
154 else if (SplitCommand.size() == 2)
155 {
156 if (!SplitCommand.at(1).compare("list"))
157 {
158 //
159 // Sending null as the nt!_EPROCESS indicates that the target process is
160 // the current process (Current nt!_EPROCESS)
161 //
162 if (!CommandThreadListThreads(NULL))
163 {
164 ShowMessages("err, the need offset to iterate over threads not found, "
165 "make sure to load ntoskrnl.exe's PDB file. use '.help .sym' for "
166 "more information\n");
167 return;
168 }
169 }
170 else
171 {
172 ShowMessages(
173 "err, unknown parameter at '%s'\n\n",
174 SplitCommand.at(1).c_str());
175 CommandThreadHelp();
176 return;
177 }
178 }
179 else if (SplitCommand.size() == 3)
180 {
181 //
182 // Check if it's connected to a remote debuggee or not
183 //
184 if (!g_IsSerialConnectedToRemoteDebuggee)
185 {
186 ShowMessages("err, you're not connected to any debuggee in Debugger Mode, "
187 "you can use the '.attach', or the '.detach' commands if you're "
188 "operating in VMI Mode\n");
189 return;
190 }
191
192 if (!SplitCommand.at(1).compare("tid"))
193 {
194 if (!ConvertStringToUInt32(SplitCommand.at(2), &TargetThreadId))
195 {
196 ShowMessages(
197 "please specify a correct hex value for the thread id that you "
198 "want to operate on it\n\n");
199 CommandThreadHelp();
200 return;
201 }
202 }
203 else if (!SplitCommand.at(1).compare("thread"))
204 {
205 if (!SymbolConvertNameOrExprToAddress(SplitCommand.at(2), &TargetThread))
206 {
207 ShowMessages(
208 "please specify a correct hex value for the thread (nt!_ETHREAD) that you "
209 "want to operate on it\n\n");
210 CommandThreadHelp();
211 return;
212 }
213 }
214 else if (!SplitCommand.at(1).compare("list") && !SplitCommand.at(2).compare("process"))
215 {
216 ShowMessages(
217 "please specify a hex value for the process\n\n");
218 CommandThreadHelp();
219 return;
220 }
221 else
222 {
223 ShowMessages(
224 "err, unknown parameter at '%s'\n\n",
225 SplitCommand.at(2).c_str());
226 CommandThreadHelp();
227 return;
228 }
229
230 if (!SplitCommand.at(0).compare(".thread2"))
231 {
232 //
233 // Check by changes to gs:[188]
234 //
235 CheckByClkIntr = FALSE;
236 }
237 else
238 {
239 //
240 // Check on clock interrupt changes
241 //
242 CheckByClkIntr = TRUE;
243 }
244
245 //
246 // Send the packet to change the thread
247 //
248 KdSendSwitchThreadPacketToDebuggee(DEBUGGEE_DETAILS_AND_SWITCH_THREAD_PERFORM_SWITCH,
249 TargetThreadId,
250 TargetThread,
251 CheckByClkIntr,
252 NULL);
253 }
254 else if (SplitCommand.size() == 4)
255 {
256 if (!SplitCommand.at(1).compare("list"))
257 {
258 if (!SplitCommand.at(2).compare("process"))
259 {
260 if (!SymbolConvertNameOrExprToAddress(SplitCommand.at(3), &TargetProcess))
261 {
262 ShowMessages(
263 "please specify a correct hex value for the process (nt!_EPROCESS) that you "
264 "want to see its threads\n\n");
265 CommandThreadHelp();
266 return;
267 }
268
269 //
270 // List the target process's threads
271 //
272 if (!CommandThreadListThreads(TargetProcess))
273 {
274 ShowMessages("err, the need offset to iterate over threads not found, "
275 "make sure to load ntoskrnl.exe's PDB file. use '.help .sym' for "
276 "more information\n");
277 return;
278 }
279 }
280 else
281 {
282 ShowMessages(
283 "err, unknown parameter at '%s'\n\n",
284 SplitCommand.at(2).c_str());
285 CommandThreadHelp();
286 return;
287 }
288 }
289 else
290 {
291 ShowMessages(
292 "err, unknown parameter at '%s'\n\n",
293 SplitCommand.at(1).c_str());
294 CommandThreadHelp();
295 return;
296 }
297 }
298 else
299 {
300 ShowMessages("invalid parameter\n\n");
301 CommandThreadHelp();
302 return;
303 }
304}
BOOLEAN
UCHAR BOOLEAN
Definition BasicTypes.h:39
TRUE
#define TRUE
Definition BasicTypes.h:55
FALSE
#define FALSE
Definition BasicTypes.h:54
UINT64
unsigned __int64 UINT64
Definition BasicTypes.h:21
UINT32
unsigned int UINT32
Definition BasicTypes.h:48
DEBUGGEE_DETAILS_AND_SWITCH_THREAD_PERFORM_SWITCH
@ DEBUGGEE_DETAILS_AND_SWITCH_THREAD_PERFORM_SWITCH
Definition RequestStructures.h:952
DEBUGGEE_DETAILS_AND_SWITCH_THREAD_GET_THREAD_DETAILS
@ DEBUGGEE_DETAILS_AND_SWITCH_THREAD_GET_THREAD_DETAILS
Definition RequestStructures.h:953
ConvertStringToUInt32
BOOLEAN ConvertStringToUInt32(string TextToConvert, PUINT32 Result)
check and convert string to a 32 bit unsigned it and also check for special notations like 0x etc.
Definition common.cpp:347
KdSendSwitchThreadPacketToDebuggee
BOOLEAN KdSendSwitchThreadPacketToDebuggee(DEBUGGEE_DETAILS_AND_SWITCH_THREAD_TYPE ActionType, UINT32 NewTid, UINT64 NewThread, BOOLEAN CheckByClockInterrupt, PDEBUGGEE_THREAD_LIST_NEEDED_DETAILS SymDetailsForThreadList)
Sends a change thread or show threads detail packet to the debuggee.
Definition kd.cpp:858
ShowMessages
VOID ShowMessages(const char *Fmt,...)
Show messages.
Definition libhyperdbg.cpp:96
ObjectShowProcessesOrThreadDetails
BOOLEAN ObjectShowProcessesOrThreadDetails(BOOLEAN IsProcess)
Get details about processes or threads.
Definition objects.cpp:26
SymbolConvertNameOrExprToAddress
BOOLEAN SymbolConvertNameOrExprToAddress(const string &TextToConvert, PUINT64 Result)
check and convert string to a 64 bit unsigned integer and also check for symbol object names and eval...
Definition symbol.cpp:360
CommandThreadHelp
VOID CommandThreadHelp()
help of the .thread command
Definition thread.cpp:25
CommandThreadListThreads
BOOLEAN CommandThreadListThreads(UINT64 Eprocess)
Definition thread.cpp:50
g_IsSerialConnectedToRemoteDebuggee
BOOLEAN g_IsSerialConnectedToRemoteDebuggee
Shows if the debugger was connected to remote debuggee over (A remote guest)
Definition globals.h:231

◆ CommandThreadHelp()

VOID CommandThreadHelp ( )

help of the .thread command

Returns
VOID
26{
27 ShowMessages(".thread, .thread2 : shows and changes the threads. "
28 "This command needs public symbols for 'ntoskrnl.exe' if "
29 "you want to see the threads list. Please visit the "
30 "documentation to know about the difference between '.thread' "
31 "and '.thread2'.\n\n");
32
33 ShowMessages("syntax : \t.thread\n");
34 ShowMessages("syntax : \t.thread [list] [process Eprocess (hex)]\n");
35 ShowMessages("syntax : \t.thread [tid ThreadId (hex)]\n");
36 ShowMessages("syntax : \t.thread [thread Ethread (hex)]\n");
37 ShowMessages("syntax : \t.thread2 [tid ThreadId (hex)]\n");
38 ShowMessages("syntax : \t.thread2 [thread Ethread (hex)]\n");
39
40 ShowMessages("\n");
41 ShowMessages("\t\te.g : .thread\n");
42 ShowMessages("\t\te.g : .thread tid 48a4\n");
43 ShowMessages("\t\te.g : .thread2 tid 48a4\n");
44 ShowMessages("\t\te.g : .thread thread ffff948c`c8970200\n");
45 ShowMessages("\t\te.g : .thread list\n");
46 ShowMessages("\t\te.g : .thread list process ffff948c`a1279880\n");
47}

◆ CommandThreadListThreads()

BOOLEAN CommandThreadListThreads ( UINT64 Eprocess)
51{
52 UINT32 ThreadListHeadOffset = 0; // nt!_EPROCESS.ThreadListHead
53 UINT32 ThreadListEntryOffset = 0; // nt!_ETHREAD.ThreadListEntry
54 UINT32 CidOffset = 0; // nt!_ETHREAD.Cid
55 UINT32 OffsetOfActiveProcessLinks = 0; // nt!_EPROCESS.ActiveProcessLinks
56 UINT64 AddressOfActiveProcessHead = 0; // nt!PsActiveProcessHead
57 DEBUGGEE_THREAD_LIST_NEEDED_DETAILS ThreadListNeededItems = {0};
58
59 //
60 // Query for nt!_EPROCESS.ThreadListHead, nt!_ETHREAD.ThreadListEntry,
61 // from the top of nt!_EPROCESS, and nt!_ETHREAD address and check if
62 // we find them or not, otherwise, it means that the PDB for ntoskrnl.exe
63 // is not available
64 //
65 if (ScriptEngineGetFieldOffsetWrapper((CHAR *)"nt!_EPROCESS", (CHAR *)"ThreadListHead", &ThreadListHeadOffset) &&
66 ScriptEngineGetFieldOffsetWrapper((CHAR *)"nt!_ETHREAD", (CHAR *)"ThreadListEntry", &ThreadListEntryOffset) &&
67 ScriptEngineGetFieldOffsetWrapper((CHAR *)"nt!_ETHREAD", (CHAR *)"Cid", &CidOffset) &&
68 ScriptEngineGetFieldOffsetWrapper((CHAR *)"nt!_EPROCESS", (CHAR *)"ActiveProcessLinks", &OffsetOfActiveProcessLinks) &&
69 SymbolConvertNameOrExprToAddress("nt!PsActiveProcessHead", &AddressOfActiveProcessHead))
70 {
71 ThreadListNeededItems.ThreadListHeadOffset = ThreadListHeadOffset;
72 ThreadListNeededItems.ThreadListEntryOffset = ThreadListEntryOffset;
73 ThreadListNeededItems.CidOffset = CidOffset;
74 ThreadListNeededItems.ActiveProcessLinksOffset = OffsetOfActiveProcessLinks;
75 ThreadListNeededItems.PsActiveProcessHead = AddressOfActiveProcessHead;
76 ThreadListNeededItems.Process = Eprocess;
77
78 //
79 // Check if it's connected to a remote debuggee or not
80 //
81 if (!g_IsSerialConnectedToRemoteDebuggee)
82 {
83 //
84 // Get the thread details in VMI mode
85 //
86 ObjectShowProcessesOrThreadList(FALSE,
87 NULL,
88 NULL,
89 &ThreadListNeededItems);
90 }
91 else
92 {
93 //
94 // Send the packet to list threads
95 //
96 KdSendSwitchThreadPacketToDebuggee(DEBUGGEE_DETAILS_AND_SWITCH_THREAD_GET_THREAD_LIST,
97 NULL,
98 NULL,
99 FALSE,
100 &ThreadListNeededItems);
101 }
102
103 return TRUE;
104 }
105 else
106 {
107 return FALSE;
108 }
109}
CHAR
char CHAR
Definition BasicTypes.h:31
DEBUGGEE_DETAILS_AND_SWITCH_THREAD_GET_THREAD_LIST
@ DEBUGGEE_DETAILS_AND_SWITCH_THREAD_GET_THREAD_LIST
Definition RequestStructures.h:954
ObjectShowProcessesOrThreadList
BOOLEAN ObjectShowProcessesOrThreadList(BOOLEAN IsProcess, PDEBUGGEE_PROCESS_LIST_NEEDED_DETAILS SymDetailsForProcessList, UINT64 Eprocess, PDEBUGGEE_THREAD_LIST_NEEDED_DETAILS SymDetailsForThreadList)
Get details about processes or threads.
Definition objects.cpp:138
ScriptEngineGetFieldOffsetWrapper
BOOLEAN ScriptEngineGetFieldOffsetWrapper(CHAR *TypeName, CHAR *FieldName, UINT32 *FieldOffset)
ScriptEngineGetFieldOffset wrapper.
Definition script-engine-wrapper.cpp:131
_DEBUGGEE_THREAD_LIST_NEEDED_DETAILS
The structure of needed information to get the details of the thread from nt!_ETHREAD and location of...
Definition RequestStructures.h:698
_DEBUGGEE_THREAD_LIST_NEEDED_DETAILS::ThreadListHeadOffset
UINT32 ThreadListHeadOffset
Definition RequestStructures.h:699
_DEBUGGEE_THREAD_LIST_NEEDED_DETAILS::CidOffset
UINT32 CidOffset
Definition RequestStructures.h:701
_DEBUGGEE_THREAD_LIST_NEEDED_DETAILS::ThreadListEntryOffset
UINT32 ThreadListEntryOffset
Definition RequestStructures.h:700
_DEBUGGEE_THREAD_LIST_NEEDED_DETAILS::PsActiveProcessHead
UINT64 PsActiveProcessHead
Definition RequestStructures.h:702
_DEBUGGEE_THREAD_LIST_NEEDED_DETAILS::Process
UINT64 Process
Definition RequestStructures.h:704
_DEBUGGEE_THREAD_LIST_NEEDED_DETAILS::ActiveProcessLinksOffset
ULONG ActiveProcessLinksOffset
Definition RequestStructures.h:703

Variable Documentation

◆ g_IsSerialConnectedToRemoteDebuggee

BOOLEAN g_IsSerialConnectedToRemoteDebuggee
extern

Shows if the debugger was connected to remote debuggee over (A remote guest)