HyperDbg Debugger
Loading...
Searching...
No Matches
Functions
trace.cpp File Reference

!trace command More...

#include "pch.h"

Functions

VOID CommandTraceHelp ()
 help of the !trace command
 
VOID CommandTrace (vector< string > SplitCommand, string Command)
 !trace command handler
 

Detailed Description

!trace command

Author
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
Version
0.7
Date
2023-11-02
Copyright
This project is released under the GNU Public License v3.

Function Documentation

◆ CommandTrace()

VOID CommandTrace ( vector< string > SplitCommand,
string Command )

!trace command handler

Parameters
SplitCommand
Command
Returns
VOID
51{
52 PDEBUGGER_GENERAL_EVENT_DETAIL Event = NULL;
53 PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger = NULL;
54 PDEBUGGER_GENERAL_ACTION ActionCustomCode = NULL;
55 PDEBUGGER_GENERAL_ACTION ActionScript = NULL;
56 UINT32 EventLength;
57 UINT32 ActionBreakToDebuggerLength = 0;
58 UINT32 ActionCustomCodeLength = 0;
59 UINT32 ActionScriptLength = 0;
60 vector<string> SplitCommandCaseSensitive {Split(Command, ' ')};
61 DEBUGGER_EVENT_PARSING_ERROR_CAUSE EventParsingErrorCause;
62 BOOLEAN SetTraceType = FALSE;
63 DEBUGGER_EVENT_TRACE_TYPE TargetTrace = DEBUGGER_EVENT_TRACE_TYPE_INVALID;
64
65 //
66 // Interpret and fill the general event and action fields
67 //
68 //
69 if (!InterpretGeneralEventAndActionsFields(
70 &SplitCommand,
71 &SplitCommandCaseSensitive,
72 TRAP_EXECUTION_INSTRUCTION_TRACE,
73 &Event,
74 &EventLength,
75 &ActionBreakToDebugger,
76 &ActionBreakToDebuggerLength,
77 &ActionCustomCode,
78 &ActionCustomCodeLength,
79 &ActionScript,
80 &ActionScriptLength,
81 &EventParsingErrorCause))
82 {
83 return;
84 }
85
86 //
87 // Check for size
88 //
89 if (SplitCommand.size() > 2)
90 {
91 ShowMessages("incorrect use of the '!trace'\n");
92 CommandTraceHelp();
93
94 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
95 return;
96 }
97
98 //
99 // Interpret command specific details (if any)
100 //
101 for (auto Section : SplitCommand)
102 {
103 if (!Section.compare("!trace"))
104 {
105 continue;
106 }
107 else if ((!Section.compare("step-in") || !Section.compare("stepin") || !Section.compare("step")) && !SetTraceType)
108 {
109 TargetTrace = DEBUGGER_EVENT_TRACE_TYPE_STEP_IN;
110 SetTraceType = TRUE;
111 }
112 else if ((!Section.compare("step-out") || !Section.compare("stepout")) && !SetTraceType)
113 {
114 TargetTrace = DEBUGGER_EVENT_TRACE_TYPE_STEP_OUT;
115 SetTraceType = TRUE;
116 }
117 else if ((!Section.compare("step-instrument") || !Section.compare("instrument-step") ||
118 !Section.compare("instrumentstep") ||
119 !Section.compare("instrument-step-in")) &&
120 !SetTraceType)
121 {
122 TargetTrace = DEBUGGER_EVENT_TRACE_TYPE_INSTRUMENTATION_STEP_IN;
123 SetTraceType = TRUE;
124 }
125 else
126 {
127 //
128 // Couldn't resolve or unknown parameter
129 //
130 ShowMessages("err, couldn't resolve error at '%s'\n\n",
131 Section.c_str());
132
133 CommandTraceHelp();
134
135 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
136 }
137 }
138
139 //
140 // Check if user specified the execution mode or not
141 //
142 if (!SetTraceType)
143 {
144 ShowMessages("please specify the trace type\n");
145
146 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
147 return;
148 }
149
150 //
151 // Set the first parameter to the required trace type
152 //
153 Event->Options.OptionalParam1 = (UINT64)SetTraceType;
154
155 //
156 // Send the ioctl to the kernel for event registration
157 //
158 if (!SendEventToKernel(Event, EventLength))
159 {
160 //
161 // There was an error, probably the handle was not initialized
162 // we have to free the Action before exit, it is because, we
163 // already freed the Event and string buffers
164 //
165
166 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
167 return;
168 }
169
170 //
171 // Add the event to the kernel
172 //
173 if (!RegisterActionToEvent(Event,
174 ActionBreakToDebugger,
175 ActionBreakToDebuggerLength,
176 ActionCustomCode,
177 ActionCustomCodeLength,
178 ActionScript,
179 ActionScriptLength))
180 {
181 //
182 // There was an error
183 //
184
185 FreeEventsAndActionsMemory(Event, ActionBreakToDebugger, ActionCustomCode, ActionScript);
186 return;
187 }
188}
BOOLEAN
UCHAR BOOLEAN
Definition BasicTypes.h:39
TRUE
#define TRUE
Definition BasicTypes.h:55
FALSE
#define FALSE
Definition BasicTypes.h:54
UINT64
unsigned __int64 UINT64
Definition BasicTypes.h:21
UINT32
unsigned int UINT32
Definition BasicTypes.h:48
Split
const vector< string > Split(const string &s, const char &c)
general split command
Definition common.cpp:117
FreeEventsAndActionsMemory
VOID FreeEventsAndActionsMemory(PDEBUGGER_GENERAL_EVENT_DETAIL Event, PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger, PDEBUGGER_GENERAL_ACTION ActionCustomCode, PDEBUGGER_GENERAL_ACTION ActionScript)
Deallocate buffers relating to events and actions.
Definition debugger.cpp:2292
InterpretGeneralEventAndActionsFields
BOOLEAN InterpretGeneralEventAndActionsFields(vector< string > *SplitCommand, vector< string > *SplitCommandCaseSensitive, VMM_EVENT_TYPE_ENUM EventType, PDEBUGGER_GENERAL_EVENT_DETAIL *EventDetailsToFill, PUINT32 EventBufferLength, PDEBUGGER_GENERAL_ACTION *ActionDetailsToFillBreakToDebugger, PUINT32 ActionBufferLengthBreakToDebugger, PDEBUGGER_GENERAL_ACTION *ActionDetailsToFillCustomCode, PUINT32 ActionBufferLengthCustomCode, PDEBUGGER_GENERAL_ACTION *ActionDetailsToFillScript, PUINT32 ActionBufferLengthScript, PDEBUGGER_EVENT_PARSING_ERROR_CAUSE ReasonForErrorInParsing)
Interpret general event fields.
Definition debugger.cpp:2342
SendEventToKernel
BOOLEAN SendEventToKernel(PDEBUGGER_GENERAL_EVENT_DETAIL Event, UINT32 EventBufferLength)
Register the event to the kernel.
Definition debugger.cpp:1969
RegisterActionToEvent
BOOLEAN RegisterActionToEvent(PDEBUGGER_GENERAL_EVENT_DETAIL Event, PDEBUGGER_GENERAL_ACTION ActionBreakToDebugger, UINT32 ActionBreakToDebuggerLength, PDEBUGGER_GENERAL_ACTION ActionCustomCode, UINT32 ActionCustomCodeLength, PDEBUGGER_GENERAL_ACTION ActionScript, UINT32 ActionScriptLength)
Register the action to the event.
Definition debugger.cpp:2086
DEBUGGER_EVENT_TRACE_TYPE_INVALID
@ DEBUGGER_EVENT_TRACE_TYPE_INVALID
Definition Events.h:218
DEBUGGER_EVENT_TRACE_TYPE_INSTRUMENTATION_STEP_IN
@ DEBUGGER_EVENT_TRACE_TYPE_INSTRUMENTATION_STEP_IN
Definition Events.h:221
DEBUGGER_EVENT_TRACE_TYPE_STEP_IN
@ DEBUGGER_EVENT_TRACE_TYPE_STEP_IN
Definition Events.h:219
DEBUGGER_EVENT_TRACE_TYPE_STEP_OUT
@ DEBUGGER_EVENT_TRACE_TYPE_STEP_OUT
Definition Events.h:220
TRAP_EXECUTION_INSTRUCTION_TRACE
@ TRAP_EXECUTION_INSTRUCTION_TRACE
Definition Events.h:170
DEBUGGER_EVENT_TRACE_TYPE
enum _DEBUGGER_EVENT_TRACE_TYPE DEBUGGER_EVENT_TRACE_TYPE
Type of tracing events.
DEBUGGER_EVENT_PARSING_ERROR_CAUSE
enum _DEBUGGER_EVENT_PARSING_ERROR_CAUSE DEBUGGER_EVENT_PARSING_ERROR_CAUSE
Reason for error in parsing commands.
ShowMessages
VOID ShowMessages(const char *Fmt,...)
Show messages.
Definition libhyperdbg.cpp:96
test-case-generator.NULL
NULL()
Definition test-case-generator.py:530
_DEBUGGER_EVENT_OPTIONS::OptionalParam1
UINT64 OptionalParam1
Definition Events.h:272
_DEBUGGER_GENERAL_ACTION
Each event can have multiple actions.
Definition Events.h:406
_DEBUGGER_GENERAL_EVENT_DETAIL
Each command is like the following struct, it also used for tracing works in user mode and sending it...
Definition Events.h:350
_DEBUGGER_GENERAL_EVENT_DETAIL::Options
DEBUGGER_EVENT_OPTIONS Options
Definition Events.h:391
CommandTraceHelp
VOID CommandTraceHelp()
help of the !trace command
Definition trace.cpp:20

◆ CommandTraceHelp()

VOID CommandTraceHelp ( )

help of the !trace command

Returns
VOID
21{
22 ShowMessages("!trace : traces the execution of user-mode/kernel-mode instructions.\n\n");
23
24 ShowMessages("syntax : \t!trace [TraceType (string)] [pid ProcessId (hex)] [core CoreId (hex)] [imm IsImmediate (yesno)] "
25 "[sc EnableShortCircuiting (onoff)] [buffer PreAllocatedBuffer (hex)] [script { Script (string) }] "
26 "[asm condition { Condition (assembly/hex) }] [asm code { Code (assembly/hex) }] [output {OutputName (string)}]\n");
27
28 ShowMessages("\n");
29 ShowMessages("\t\te.g : !trace step-out\n");
30 ShowMessages("\t\te.g : !trace step-in pid 1c0\n");
31 ShowMessages("\t\te.g : !trace instrument-step core 2 pid 400\n");
32 ShowMessages("\t\te.g : !trace instrument-step asm code { nop; nop; nop }\n");
33
34 ShowMessages("\n");
35 ShowMessages("valid trace types: \n");
36
37 ShowMessages("\tstep-in : single step-in (regular)\n");
38 ShowMessages("\tstep-out : single step-out (regular)\n");
39 ShowMessages("\tinstrument-step : single step-in (instrumentation)\n");
40}