From 1b945b3feb9b62a037c1575587860c8e9723934a Mon Sep 17 00:00:00 2001
From: Admin <2762713521@qq.com>
Date: Fri, 21 Jun 2024 17:32:14 +0800
Subject: [PATCH] TestMergeHeader

---
 gengo/bind/sdkMerge/bind_test.go | 63 +-
 gengo/bind/sdkMerge/merged_headers.h | 5971 +++++++++++++-------------
 2 files changed, 3126 insertions(+), 2908 deletions(-)

diff --git a/gengo/bind/sdkMerge/bind_test.go b/gengo/bind/sdkMerge/bind_test.go
index 7fe9ed77d..7953c755b 100644
--- a/gengo/bind/sdkMerge/bind_test.go
+++ b/gengo/bind/sdkMerge/bind_test.go
@@ -19,7 +19,23 @@ import (
 "github.com/ddkwork/golibrary/mylog"
 )
 
+const bugfix = `
+typedef unsigned short wchar_t;
+typedef int bool ;
+#define PVOID void*
+#define HANDLE void*
+#define MAX_PATH 260
+typedef unsigned __int64 SIZE_T;
+typedef unsigned __int64 time_t;
+
+typedef struct _LIST_ENTRY {
+ struct _LIST_ENTRY *Flink;
+ struct _LIST_ENTRY *Blink;
+} LIST_ENTRY, *PLIST_ENTRY, PRLIST_ENTRY;
+`
+
 func TestMergeHeader(t *testing.T) {
+ paths := new(maps.SliceMap[string, bool])
 g := stream.NewGeneratedFile()
 filepath.Walk("../../../bin", func(path string, info fs.FileInfo, err error) error {
 if strings.Contains(path, "Examples") {
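Review bot: The new `bugfix` constant carries no comment, and nothing in the hunk says why these declarations exist or where they end up; a doc comment such as `// bugfix supplies Windows types (wchar_t, PVOID, HANDLE, SIZE_T, time_t, LIST_ENTRY) that the SDK headers use but do not declare; it is written at the top of merged_headers.h.` would cover that, assuming that is indeed the reason. Two of the declarations deserve a check against the header they were copied from: `typedef int bool ;` makes `bool` a 4-byte type while the SDK's own `BOOLEAN` is `UCHAR` (see the BasicTypes.h hunk later in this patch), so if the binding generator maps both to one Go type, struct layouts passed to the driver will not match; and `} LIST_ENTRY, *PLIST_ENTRY, PRLIST_ENTRY;` declares PRLIST_ENTRY as a struct alias rather than a pointer. TestMergeHeader's body continues past this hunk.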
@@ -30,13 +46,52 @@ func TestMergeHeader(t *testing.T) {
 return err
 }
 if filepath.Ext(path) == ".h" {
- println(path)
- g.P("//" + path)
- g.P(stream.NewBuffer(path))
- g.P()
+ paths.Set(path, true)
 }
 return err
 })
 
+
+ Modules := new(maps.SliceMap[string, bool])
+ for _, path := range paths.Keys() {
+ switch {
+ case strings.Contains(path, "BasicTypes"), strings.Contains(path, "Modules"):
+ Modules.Set(path, true)
+ paths.Delete(path)
+ }
+ }
+
+ g.P("//bugfix.h")
+ g.P(bugfix)
+ g.P()
+ mylog.Trace("merge", "bugfix.h")
+
+ BasicTypes := ""
+ for _, s := range Modules.Keys() {
+ if strings.Contains(s, "BasicTypes") {
+ BasicTypes = s
+ break
+ }
+ }
+
+ g.P("//" + BasicTypes)
+ g.P(stream.NewBuffer(BasicTypes))
+ g.P()
+ mylog.Trace("merge", BasicTypes)
+
+ for _, s := range Modules.Keys() {
+ g.P("//" + s)
+ g.P(stream.NewBuffer(s))
+ g.P()
+ mylog.Trace("merge", s)
+ }
+
+ for _, s := range paths.Keys() {
+ g.P("//" + s)
+ g.P(stream.NewBuffer(s))
+ g.P()
+ mylog.Trace("merge", s)
+ }
+
 stream.WriteBinaryFile("merged_headers.h", g.Buffer)
 }
diff --git a/gengo/bind/sdkMerge/merged_headers.h b/gengo/bind/sdkMerge/merged_headers.h
index c050beda3..7a9a0ee01 100644
--- a/gengo/bind/sdkMerge/merged_headers.h
+++ b/gengo/bind/sdkMerge/merged_headers.h
@@ -1,3 +1,19 @@
+//bugfix.h
+
+typedef unsigned short wchar_t;
+typedef int bool ;
+#define PVOID void*
+#define HANDLE void*
+#define MAX_PATH 260
+typedef unsigned __int64 SIZE_T;
+typedef unsigned __int64 time_t;
+
+typedef struct _LIST_ENTRY {
+ struct _LIST_ENTRY *Flink;
+ struct _LIST_ENTRY *Blink;
+} LIST_ENTRY, *PLIST_ENTRY, PRLIST_ENTRY;
+
+
 //..\..\..\bin\debug\SDK\Headers\BasicTypes.h
 /**
  * @file BasicTypes.h
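Review bot: BasicTypes.h ends up in the merged output twice — it is written once after `g.P("//" + BasicTypes)` and then again by the `for _, s := range Modules.Keys()` loop that follows, which still contains it (the merged_headers.h hunk in this same patch shows the header both at the top and again after HyperLog.h, so every BasicTypes typedef is duplicated). Skip it in the module loop with `if s == BasicTypes {` / `continue` / `}`, and consider a `t.Fatal` when the `BasicTypes := ""` lookup finds nothing, since `stream.NewBuffer("")` is otherwise called with an empty path. The first loop also calls `paths.Delete(path)` while ranging over `paths.Keys()`, which is only safe if Keys() returns a copy; I cannot confirm that from this diff. Finally, `Modules` and `BasicTypes` are locals and would conventionally be `modules` and `basicTypes`, matching `paths`.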
@@ -145,931 +161,1524 @@ typedef struct _CR3_TYPE } CR3_TYPE, *PCR3_TYPE; -//..\..\..\bin\debug\SDK\Headers\Connection.h +//..\..\..\bin\debug\SDK\Modules\VMM.h /** - * @file Connection.h + * @file VMM.h * @author Sina Karvandi (sina@hyperdbg.org) - * @brief HyperDbg's SDK Headers For Native Structures, Enums and Constants - * @details These datatypes are used in all devices like HDL (FPGAs) + * @brief HyperDbg's SDK for VMM project + * @details This file contains definitions of HyperLog routines * @version 0.2 - * @date 2022-07-14 + * @date 2023-01-15 * * @copyright This project is released under the GNU Public License v3. * */ #pragma once +////////////////////////////////////////////////// +// Callback Types // +////////////////////////////////////////////////// + /** - * @brief enum for reasons why debuggee is paused + * @brief A function from the message tracer that send the inputs to the + * queue of the messages * */ -typedef enum _DEBUGGEE_PAUSING_REASON -{ - - // - // For both kernel & user debugger - // - DEBUGGEE_PAUSING_REASON_NOT_PAUSED = 0, - DEBUGGEE_PAUSING_REASON_PAUSE, - DEBUGGEE_PAUSING_REASON_REQUEST_FROM_DEBUGGER, - DEBUGGEE_PAUSING_REASON_DEBUGGEE_STEPPED, - DEBUGGEE_PAUSING_REASON_DEBUGGEE_TRACKING_STEPPED, - DEBUGGEE_PAUSING_REASON_DEBUGGEE_SOFTWARE_BREAKPOINT_HIT, - DEBUGGEE_PAUSING_REASON_DEBUGGEE_HARDWARE_DEBUG_REGISTER_HIT, - DEBUGGEE_PAUSING_REASON_DEBUGGEE_CORE_SWITCHED, - DEBUGGEE_PAUSING_REASON_DEBUGGEE_PROCESS_SWITCHED, - DEBUGGEE_PAUSING_REASON_DEBUGGEE_THREAD_SWITCHED, - DEBUGGEE_PAUSING_REASON_DEBUGGEE_COMMAND_EXECUTION_FINISHED, - DEBUGGEE_PAUSING_REASON_DEBUGGEE_EVENT_TRIGGERED, - DEBUGGEE_PAUSING_REASON_DEBUGGEE_STARTING_MODULE_LOADED, +typedef BOOLEAN (*LOG_CALLBACK_PREPARE_AND_SEND_MESSAGE_TO_QUEUE)(UINT32 OperationCode, + BOOLEAN IsImmediateMessage, + BOOLEAN ShowCurrentSystemTime, + BOOLEAN Priority, + const char * Fmt, + va_list ArgList); - // - // Only for user-debugger - // - 
DEBUGGEE_PAUSING_REASON_DEBUGGEE_GENERAL_DEBUG_BREAK, - DEBUGGEE_PAUSING_REASON_DEBUGGEE_GENERAL_THREAD_INTERCEPTED, +/** + * @brief A function that sends the messages to message tracer buffers + * + */ +typedef BOOLEAN (*LOG_CALLBACK_SEND_MESSAGE_TO_QUEUE)(UINT32 OperationCode, BOOLEAN IsImmediateMessage, CHAR * LogMessage, UINT32 BufferLen, BOOLEAN Priority); - // - // Only used for hardware debugging - // - DEBUGGEE_PAUSING_REASON_HARDWARE_BASED_DEBUGGEE_GENERAL_BREAK, +/** + * @brief A function that sends the messages to message tracer buffers + * + */ +typedef BOOLEAN (*LOG_CALLBACK_SEND_BUFFER)(_In_ UINT32 OperationCode, + _In_reads_bytes_(BufferLength) PVOID Buffer, + _In_ UINT32 BufferLength, + _In_ BOOLEAN Priority); -} DEBUGGEE_PAUSING_REASON; +/** + * @brief A function that checks whether the priority or regular buffer is full or not + * + */ +typedef BOOLEAN (*LOG_CALLBACK_CHECK_IF_BUFFER_IS_FULL)(BOOLEAN Priority); /** - * @brief enum for requested action for HyperDbg packet + * @brief A function that handles trigger events * */ -typedef enum _DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION -{ +typedef VMM_CALLBACK_TRIGGERING_EVENT_STATUS_TYPE (*VMM_CALLBACK_TRIGGER_EVENTS)(VMM_EVENT_TYPE_ENUM EventType, + VMM_CALLBACK_EVENT_CALLING_STAGE_TYPE CallingStage, + PVOID Context, + BOOLEAN * PostEventRequired, + GUEST_REGS * Regs); - // - // Debugger to debuggee (user-mode execution) - // - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_USER_MODE_PAUSE = 1, - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_USER_MODE_DO_NOT_READ_ANY_PACKET, - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_USER_MODE_DEBUGGER_VERSION, +/** + * @brief A function that checks and handles breakpoints + * + */ +typedef BOOLEAN (*DEBUGGING_CALLBACK_HANDLE_BREAKPOINT_EXCEPTION)(UINT32 CoreId); - // - // Debuggee to debugger (user-mode execution) - // - DEBUGGER_REMOTE_PACKET_PING_AND_SEND_SUPPORTED_VERSION, +/** + * @brief A function that checks and handles debug breakpoints + * + */ +typedef BOOLEAN 
(*DEBUGGING_CALLBACK_HANDLE_DEBUG_BREAKPOINT_EXCEPTION)(UINT32 CoreId); - // - // Debugger to debuggee (vmx-root mode execution) - // - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_MODE_STEP, - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_MODE_CONTINUE, - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_MODE_CLOSE_AND_UNLOAD_DEBUGGEE, - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_MODE_CHANGE_CORE, - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_MODE_FLUSH_BUFFERS, - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_MODE_CALLSTACK, - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_MODE_TEST_QUERY, - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_MODE_CHANGE_PROCESS, - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_MODE_CHANGE_THREAD, - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_RUN_SCRIPT, - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_USER_INPUT_BUFFER, - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_SEARCH_QUERY, - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_REGISTER_EVENT, - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_ADD_ACTION_TO_EVENT, - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_QUERY_AND_MODIFY_EVENT, - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_READ_REGISTERS, - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_READ_MEMORY, - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_EDIT_MEMORY, - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_BP, - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_LIST_OR_MODIFY_BREAKPOINTS, - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_SYMBOL_RELOAD, - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_QUERY_PA2VA_AND_VA2PA, - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_SYMBOL_QUERY_PTE, - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_SET_SHORT_CIRCUITING_STATE, - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_INJECT_PAGE_FAULT, +/** + * @brief Check for page-faults in user-debugger + * + 
*/ +typedef BOOLEAN (*DEBUGGING_CALLBACK_CONDITIONAL_PAGE_FAULT_EXCEPTION)(UINT32 CoreId, + UINT64 Address, + UINT32 PageFaultErrorCode); - // - // Debuggee to debugger - // - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_NO_ACTION, - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_STARTED, - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_LOGGING_MECHANISM, - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_PAUSED_AND_CURRENT_INSTRUCTION, - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_RESULT_OF_CHANGING_CORE, - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_RESULT_OF_CHANGING_PROCESS, - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_RESULT_OF_CHANGING_THREAD, - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_RESULT_OF_RUNNING_SCRIPT, - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_RESULT_OF_FORMATS, - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_RESULT_OF_FLUSH, - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_RESULT_OF_CALLSTACK, - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_RESULT_TEST_QUERY, - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_RESULT_OF_REGISTERING_EVENT, - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_RESULT_OF_ADDING_ACTION_TO_EVENT, - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_RESULT_OF_QUERY_AND_MODIFY_EVENT, - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_RESULT_OF_SHORT_CIRCUITING_EVENT, - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_RESULT_OF_READING_REGISTERS, - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_RESULT_OF_READING_MEMORY, - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_RESULT_OF_EDITING_MEMORY, - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_RESULT_OF_BP, - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_RESULT_OF_SHORT_CIRCUITING_STATE, - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_RESULT_OF_LIST_OR_MODIFY_BREAKPOINTS, - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_UPDATE_SYMBOL_INFO, - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_RELOAD_SYMBOL_FINISHED, - 
DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_RELOAD_SEARCH_QUERY, - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_RESULT_OF_PTE, - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_RESULT_OF_VA2PA_AND_PA2VA, - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_RESULT_OF_BRINGING_PAGES_IN, +/** + * @brief Check for commands in user-debugger + * + */ +typedef BOOLEAN (*UD_CHECK_FOR_COMMAND)(); - // - // hardware debuggee to debugger - // +/** + * @brief Handle registered MTF callback + * + */ +typedef VOID (*VMM_CALLBACK_REGISTERED_MTF_HANDLER)(UINT32 CoreId); - // - // hardware debugger to debuggee - // +/** + * @brief Check for user-mode access for loaded module details + * + */ +typedef BOOLEAN (*VMM_CALLBACK_RESTORE_EPT_STATE)(UINT32 CoreId); -} DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION; +/** + * @brief Check for unhandled EPT violations + * + */ +typedef BOOLEAN (*VMM_CALLBACK_CHECK_UNHANDLED_EPT_VIOLATION)(UINT32 CoreId, UINT64 ViolationQualification, UINT64 GuestPhysicalAddr); /** - * @brief enum for different packet types in HyperDbg packets - * @warning used in hwdbg + * @brief Handle cr3 process change callbacks * */ -typedef enum _DEBUGGER_REMOTE_PACKET_TYPE -{ +typedef VOID (*INTERCEPTION_CALLBACK_TRIGGER_CR3_CHANGE)(UINT32 CoreId); - // - // Debugger to debuggee (vmx-root) - // - DEBUGGER_REMOTE_PACKET_TYPE_DEBUGGER_TO_DEBUGGEE_EXECUTE_ON_VMX_ROOT = 1, +/** + * @brief Check for process or thread change callback + * + */ +typedef BOOLEAN (*INTERCEPTION_CALLBACK_TRIGGER_CLOCK_AND_IPI)(_In_ UINT32 CoreId); - // - // Debugger to debuggee (user-mode) - // - DEBUGGER_REMOTE_PACKET_TYPE_DEBUGGER_TO_DEBUGGEE_EXECUTE_ON_USER_MODE = 2, +/** + * @brief Check to handle cr3 events for thread interception + * + */ +typedef BOOLEAN (*ATTACHING_HANDLE_CR3_EVENTS_FOR_THREAD_INTERCEPTION)(UINT32 CoreId, CR3_TYPE NewCr3); - // - // Debuggee to debugger (user-mode and kernel-mode, vmx-root mode) - // - DEBUGGER_REMOTE_PACKET_TYPE_DEBUGGEE_TO_DEBUGGER = 3, +/** + * @brief 
Check and handle reapplying breakpoint + * + */ +typedef BOOLEAN (*BREAKPOINT_CHECK_AND_HANDLE_REAPPLYING_BREAKPOINT)(UINT32 CoreId); - // - // Debugger to debuggee (hardware), used in hwdbg - // - DEBUGGER_REMOTE_PACKET_TYPE_DEBUGGER_TO_DEBUGGEE_HARDWARE_LEVEL = 4, +/** + * @brief Handle NMI broadcast + * + */ +typedef VOID (*VMM_CALLBACK_NMI_BROADCAST_REQUEST_HANDLER)(UINT32 CoreId, BOOLEAN IsOnVmxNmiHandler); - // - // Debuggee to debugger (hardware), used in hwdbg - // - DEBUGGER_REMOTE_PACKET_TYPE_DEBUGGEE_TO_DEBUGGER_HARDWARE_LEVEL = 5, +/** + * @brief Check and handle NMI callbacks + * + */ +typedef BOOLEAN (*KD_CHECK_AND_HANDLE_NMI_CALLBACK)(UINT32 CoreId); -} DEBUGGER_REMOTE_PACKET_TYPE; +/** + * @brief Set the top-level driver's error status + * + */ +typedef VOID (*VMM_CALLBACK_SET_LAST_ERROR)(UINT32 LastError); /** - * @brief The structure of remote packets in HyperDbg + * @brief Check and modify the protected resources of the hypervisor * */ -typedef struct _DEBUGGER_REMOTE_PACKET -{ - BYTE Checksum; - UINT64 Indicator; /* Shows the type of the packet */ - DEBUGGER_REMOTE_PACKET_TYPE TypeOfThePacket; - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION RequestedActionOfThePacket; - -} DEBUGGER_REMOTE_PACKET, *PDEBUGGER_REMOTE_PACKET; - +typedef BOOLEAN (*VMM_CALLBACK_QUERY_TERMINATE_PROTECTED_RESOURCE)(UINT32 CoreId, + PROTECTED_HV_RESOURCES_TYPE ResourceType, + PVOID Context, + PROTECTED_HV_RESOURCES_PASSING_OVERS PassOver); -//..\..\..\bin\debug\SDK\Headers\Constants.h /** - * @file Constants.h - * @author Sina Karvandi (sina@hyperdbg.org) - * @brief HyperDbg's SDK constants - * @details This file contains definitions of constants - * used in HyperDbg - * @version 0.2 - * @date 2022-06-24 + * @brief Query debugger thread or process tracing details by core ID * - * @copyright This project is released under the GNU Public License v3. 
+ */ +typedef BOOLEAN (*KD_QUERY_DEBUGGER_THREAD_OR_PROCESS_TRACING_DETAILS_BY_CORE_ID)(UINT32 CoreId, + DEBUGGER_THREAD_PROCESS_TRACING TracingType); +/** + * @brief Handler of debugger specific VMCALLs * */ -#pragma once +typedef BOOLEAN (*VMM_CALLBACK_VMCALL_HANDLER)(UINT32 CoreId, + UINT64 VmcallNumber, + UINT64 OptionalParam1, + UINT64 OptionalParam2, + UINT64 OptionalParam3); ////////////////////////////////////////////////// -// Version Information // +// Callback Structure // ////////////////////////////////////////////////// -#define VERSION_MAJOR 1 -#define VERSION_MINOR 0 -#define VERSION_PATCH 0 - -// -// Example of __DATE__ string: "Jul 27 2012" -// 01234567890 +/** + * @brief Prototype of each function needed by VMM module + * + */ +typedef struct _VMM_CALLBACKS +{ + // + // Log (Hyperlog) callbacks + // + LOG_CALLBACK_PREPARE_AND_SEND_MESSAGE_TO_QUEUE LogCallbackPrepareAndSendMessageToQueueWrapper; // Fixed + LOG_CALLBACK_SEND_MESSAGE_TO_QUEUE LogCallbackSendMessageToQueue; // Fixed + LOG_CALLBACK_SEND_BUFFER LogCallbackSendBuffer; // Fixed + LOG_CALLBACK_CHECK_IF_BUFFER_IS_FULL LogCallbackCheckIfBufferIsFull; // Fixed -#define BUILD_YEAR_CH0 (__DATE__[7]) -#define BUILD_YEAR_CH1 (__DATE__[8]) -#define BUILD_YEAR_CH2 (__DATE__[9]) -#define BUILD_YEAR_CH3 (__DATE__[10]) + // + // VMM callbacks + // + VMM_CALLBACK_TRIGGER_EVENTS VmmCallbackTriggerEvents; // Fixed + VMM_CALLBACK_SET_LAST_ERROR VmmCallbackSetLastError; // Fixed + VMM_CALLBACK_VMCALL_HANDLER VmmCallbackVmcallHandler; // Fixed + VMM_CALLBACK_NMI_BROADCAST_REQUEST_HANDLER VmmCallbackNmiBroadcastRequestHandler; // Fixed + VMM_CALLBACK_QUERY_TERMINATE_PROTECTED_RESOURCE VmmCallbackQueryTerminateProtectedResource; // Fixed + VMM_CALLBACK_RESTORE_EPT_STATE VmmCallbackRestoreEptState; // Fixed + VMM_CALLBACK_CHECK_UNHANDLED_EPT_VIOLATION VmmCallbackCheckUnhandledEptViolations; // Fixed -#define BUILD_MONTH_IS_JAN (__DATE__[0] == 'J' && __DATE__[1] == 'a' && __DATE__[2] == 'n') -#define 
BUILD_MONTH_IS_FEB (__DATE__[0] == 'F') -#define BUILD_MONTH_IS_MAR (__DATE__[0] == 'M' && __DATE__[1] == 'a' && __DATE__[2] == 'r') -#define BUILD_MONTH_IS_APR (__DATE__[0] == 'A' && __DATE__[1] == 'p') -#define BUILD_MONTH_IS_MAY (__DATE__[0] == 'M' && __DATE__[1] == 'a' && __DATE__[2] == 'y') -#define BUILD_MONTH_IS_JUN (__DATE__[0] == 'J' && __DATE__[1] == 'u' && __DATE__[2] == 'n') -#define BUILD_MONTH_IS_JUL (__DATE__[0] == 'J' && __DATE__[1] == 'u' && __DATE__[2] == 'l') -#define BUILD_MONTH_IS_AUG (__DATE__[0] == 'A' && __DATE__[1] == 'u') -#define BUILD_MONTH_IS_SEP (__DATE__[0] == 'S') -#define BUILD_MONTH_IS_OCT (__DATE__[0] == 'O') -#define BUILD_MONTH_IS_NOV (__DATE__[0] == 'N') -#define BUILD_MONTH_IS_DEC (__DATE__[0] == 'D') + // + // Debugging callbacks + // + DEBUGGING_CALLBACK_HANDLE_BREAKPOINT_EXCEPTION DebuggingCallbackHandleBreakpointException; // Fixed + DEBUGGING_CALLBACK_HANDLE_DEBUG_BREAKPOINT_EXCEPTION DebuggingCallbackHandleDebugBreakpointException; // Fixed + DEBUGGING_CALLBACK_CONDITIONAL_PAGE_FAULT_EXCEPTION DebuggingCallbackConditionalPageFaultException; // Fixed -#define BUILD_MONTH_CH0 \ - ((BUILD_MONTH_IS_OCT || BUILD_MONTH_IS_NOV || BUILD_MONTH_IS_DEC) ? '1' : '0') + // + // Interception callbacks + // + INTERCEPTION_CALLBACK_TRIGGER_CR3_CHANGE InterceptionCallbackTriggerCr3ProcessChange; // Fixed -#define BUILD_MONTH_CH1 \ - ( \ - (BUILD_MONTH_IS_JAN) ? '1' : (BUILD_MONTH_IS_FEB) ? '2' \ - : (BUILD_MONTH_IS_MAR) ? '3' \ - : (BUILD_MONTH_IS_APR) ? '4' \ - : (BUILD_MONTH_IS_MAY) ? '5' \ - : (BUILD_MONTH_IS_JUN) ? '6' \ - : (BUILD_MONTH_IS_JUL) ? '7' \ - : (BUILD_MONTH_IS_AUG) ? '8' \ - : (BUILD_MONTH_IS_SEP) ? '9' \ - : (BUILD_MONTH_IS_OCT) ? '0' \ - : (BUILD_MONTH_IS_NOV) ? '1' \ - : (BUILD_MONTH_IS_DEC) ? 
'2' \ - : /* error default */ '?') + // + // Callbacks to be removed + // + BREAKPOINT_CHECK_AND_HANDLE_REAPPLYING_BREAKPOINT BreakpointCheckAndHandleReApplyingBreakpoint; + UD_CHECK_FOR_COMMAND UdCheckForCommand; + KD_CHECK_AND_HANDLE_NMI_CALLBACK KdCheckAndHandleNmiCallback; + VMM_CALLBACK_REGISTERED_MTF_HANDLER VmmCallbackRegisteredMtfHandler; // Fixed but not good + INTERCEPTION_CALLBACK_TRIGGER_CLOCK_AND_IPI DebuggerCheckProcessOrThreadChange; + ATTACHING_HANDLE_CR3_EVENTS_FOR_THREAD_INTERCEPTION AttachingHandleCr3VmexitsForThreadInterception; + KD_QUERY_DEBUGGER_THREAD_OR_PROCESS_TRACING_DETAILS_BY_CORE_ID KdQueryDebuggerQueryThreadOrProcessTracingDetailsByCoreId; -#define BUILD_DAY_CH0 ((__DATE__[4] >= '0') ? (__DATE__[4]) : '0') -#define BUILD_DAY_CH1 (__DATE__[5]) +} VMM_CALLBACKS, *PVMM_CALLBACKS; -// -// Example of __TIME__ string: "21:06:19" -// 01234567 -#define BUILD_HOUR_CH0 (__TIME__[0]) -#define BUILD_HOUR_CH1 (__TIME__[1]) +//..\..\..\bin\debug\SDK\Modules\HyperLog.h +/** + * @file HyperLog.h + * @author Sina Karvandi (sina@hyperdbg.org) + * @brief HyperDbg's SDK for HyperLog project + * @details This file contains definitions of HyperLog routines + * @version 0.2 + * @date 2023-01-15 + * + * @copyright This project is released under the GNU Public License v3. 
+ * + */ +#pragma once -#define BUILD_MIN_CH0 (__TIME__[3]) -#define BUILD_MIN_CH1 (__TIME__[4]) +////////////////////////////////////////////////// +// Callback Types // +////////////////////////////////////////////////// -#define BUILD_SEC_CH0 (__TIME__[6]) -#define BUILD_SEC_CH1 (__TIME__[7]) +/** + * @brief A function that checks whether the current operation + * is on vmx-root mode or not + * + */ +typedef BOOLEAN (*CHECK_VMX_OPERATION)(); -#if VERSION_MAJOR > 100 +/** + * @brief A function that checks whether the immediate message + * sending is needed or not + * + */ +typedef BOOLEAN (*CHECK_IMMEDIATE_MESSAGE_SENDING)(UINT32 OperationCode); -# define VERSION_MAJOR_INIT \ - ((VERSION_MAJOR / 100) + '0'), \ - (((VERSION_MAJOR % 100) / 10) + '0'), \ - ((VERSION_MAJOR % 10) + '0') +/** + * @brief A function that sends immediate messages + * + */ +typedef BOOLEAN (*SEND_IMMEDIATE_MESSAGE)(CHAR * OptionalBuffer, + UINT32 OptionalBufferLength, + UINT32 OperationCode); -#elif VERSION_MAJOR > 10 +////////////////////////////////////////////////// +// Callback Structure // +////////////////////////////////////////////////// -# define VERSION_MAJOR_INIT \ - ((VERSION_MAJOR / 10) + '0'), \ - ((VERSION_MAJOR % 10) + '0') +/** + * @brief Prototype of each function needed by message tracer + * + */ +typedef struct _MESSAGE_TRACING_CALLBACKS +{ + CHECK_VMX_OPERATION VmxOperationCheck; + CHECK_IMMEDIATE_MESSAGE_SENDING CheckImmediateMessageSending; + SEND_IMMEDIATE_MESSAGE SendImmediateMessage; -#else +} MESSAGE_TRACING_CALLBACKS, *PMESSAGE_TRACING_CALLBACKS; -# define VERSION_MAJOR_INIT \ - (VERSION_MAJOR + '0') -#endif +//..\..\..\bin\debug\SDK\Headers\BasicTypes.h +/** + * @file BasicTypes.h + * @author Sina Karvandi (sina@hyperdbg.org) + * @brief HyperDbg's SDK Headers For Basic Datatypes + * @details This file contains definitions of basic datatypes + * @version 0.2 + * @date 2022-06-28 + * + * @copyright This project is released under the GNU Public License v3. 
+ * + */ +#pragma once -#if VERSION_MINOR > 100 +#pragma warning(disable : 4201) // Suppress nameless struct/union warning -# define VERSION_MINOR_INIT \ - ((VERSION_MINOR / 100) + '0'), \ - (((VERSION_MINOR % 100) / 10) + '0'), \ - ((VERSION_MINOR % 10) + '0') +////////////////////////////////////////////////// +// Basic Datatypes // +////////////////////////////////////////////////// -#elif VERSION_MINOR > 10 +typedef unsigned long long QWORD; +typedef unsigned __int64 UINT64, *PUINT64; +typedef unsigned long DWORD; +typedef int BOOL; +typedef unsigned char BYTE; +typedef unsigned short WORD; +typedef int INT; +typedef unsigned int UINT; +typedef unsigned int * PUINT; +typedef unsigned __int64 ULONG64, *PULONG64; +typedef unsigned __int64 DWORD64, *PDWORD64; +typedef char CHAR; +typedef wchar_t WCHAR; +#define VOID void -# define VERSION_MINOR_INIT \ - ((VERSION_MINOR / 10) + '0'), \ - ((VERSION_MINOR % 10) + '0') +typedef unsigned char UCHAR; +typedef unsigned short USHORT; +typedef unsigned long ULONG; -#else +typedef UCHAR BOOLEAN; // winnt +typedef BOOLEAN * PBOOLEAN; // winnt -# define VERSION_MINOR_INIT \ - (VERSION_MINOR + '0') +typedef signed char INT8, *PINT8; +typedef signed short INT16, *PINT16; +typedef signed int INT32, *PINT32; +typedef signed __int64 INT64, *PINT64; +typedef unsigned char UINT8, *PUINT8; +typedef unsigned short UINT16, *PUINT16; +typedef unsigned int UINT32, *PUINT32; +typedef unsigned __int64 UINT64, *PUINT64; -#endif +#define NULL_ZERO 0 +#define NULL64_ZERO 0ull -#if VERSION_PATCH > 100 +#define FALSE 0 +#define TRUE 1 -# define VERSION_PATCH_INIT \ - ((VERSION_PATCH / 100) + '0'), \ - (((VERSION_PATCH % 100) / 10) + '0'), \ - ((VERSION_PATCH % 10) + '0') +#define UPPER_56_BITS 0xffffffffffffff00 +#define UPPER_48_BITS 0xffffffffffff0000 +#define UPPER_32_BITS 0xffffffff00000000 +#define LOWER_32_BITS 0x00000000ffffffff +#define LOWER_16_BITS 0x000000000000ffff +#define LOWER_8_BITS 0x00000000000000ff +#define 
SECOND_LOWER_8_BITS 0x000000000000ff00 +#define UPPER_48_BITS_AND_LOWER_8_BITS 0xffffffffffff00ff + +// +// DO NOT FUCKING TOUCH THIS STRUCTURE WITHOUT COORDINATION WITH SINA +// +typedef struct GUEST_REGS +{ + // + // DO NOT FUCKING TOUCH THIS STRUCTURE WITHOUT COORDINATION WITH SINA + // + + UINT64 rax; // 0x00 + UINT64 rcx; // 0x08 + UINT64 rdx; // 0x10 + UINT64 rbx; // 0x18 + UINT64 rsp; // 0x20 + UINT64 rbp; // 0x28 + UINT64 rsi; // 0x30 + UINT64 rdi; // 0x38 + UINT64 r8; // 0x40 + UINT64 r9; // 0x48 + UINT64 r10; // 0x50 + UINT64 r11; // 0x58 + UINT64 r12; // 0x60 + UINT64 r13; // 0x68 + UINT64 r14; // 0x70 + UINT64 r15; // 0x78 + + // + // DO NOT FUCKING TOUCH THIS STRUCTURE WITHOUT COORDINATION WITH SINA + // + +} GUEST_REGS, *PGUEST_REGS; + +/** + * @brief struct for extra registers + * + */ +typedef struct GUEST_EXTRA_REGISTERS +{ + UINT16 CS; + UINT16 DS; + UINT16 FS; + UINT16 GS; + UINT16 ES; + UINT16 SS; + UINT64 RFLAGS; + UINT64 RIP; +} GUEST_EXTRA_REGISTERS, *PGUEST_EXTRA_REGISTERS; + +/** + * @brief List of different variables + */ +typedef struct _SCRIPT_ENGINE_VARIABLES_LIST +{ + UINT64 * TempList; + UINT64 * GlobalVariablesList; + UINT64 * LocalVariablesList; + +} SCRIPT_ENGINE_VARIABLES_LIST, *PSCRIPT_ENGINE_VARIABLES_LIST; + +/** + * @brief CR3 Structure + * + */ +typedef struct _CR3_TYPE +{ + union + { + UINT64 Flags; + + struct + { + UINT64 Pcid : 12; + UINT64 PageFrameNumber : 36; + UINT64 Reserved1 : 12; + UINT64 Reserved_2 : 3; + UINT64 PcidInvalidate : 1; + } Fields; + }; +} CR3_TYPE, *PCR3_TYPE; + + +//..\..\..\bin\debug\SDK\Headers\Connection.h +/** + * @file Connection.h + * @author Sina Karvandi (sina@hyperdbg.org) + * @brief HyperDbg's SDK Headers For Native Structures, Enums and Constants + * @details These datatypes are used in all devices like HDL (FPGAs) + * @version 0.2 + * @date 2022-07-14 + * + * @copyright This project is released under the GNU Public License v3. 
+ * + */ +#pragma once + +/** + * @brief enum for reasons why debuggee is paused + * + */ +typedef enum _DEBUGGEE_PAUSING_REASON +{ + + // + // For both kernel & user debugger + // + DEBUGGEE_PAUSING_REASON_NOT_PAUSED = 0, + DEBUGGEE_PAUSING_REASON_PAUSE, + DEBUGGEE_PAUSING_REASON_REQUEST_FROM_DEBUGGER, + DEBUGGEE_PAUSING_REASON_DEBUGGEE_STEPPED, + DEBUGGEE_PAUSING_REASON_DEBUGGEE_TRACKING_STEPPED, + DEBUGGEE_PAUSING_REASON_DEBUGGEE_SOFTWARE_BREAKPOINT_HIT, + DEBUGGEE_PAUSING_REASON_DEBUGGEE_HARDWARE_DEBUG_REGISTER_HIT, + DEBUGGEE_PAUSING_REASON_DEBUGGEE_CORE_SWITCHED, + DEBUGGEE_PAUSING_REASON_DEBUGGEE_PROCESS_SWITCHED, + DEBUGGEE_PAUSING_REASON_DEBUGGEE_THREAD_SWITCHED, + DEBUGGEE_PAUSING_REASON_DEBUGGEE_COMMAND_EXECUTION_FINISHED, + DEBUGGEE_PAUSING_REASON_DEBUGGEE_EVENT_TRIGGERED, + DEBUGGEE_PAUSING_REASON_DEBUGGEE_STARTING_MODULE_LOADED, + + // + // Only for user-debugger + // + DEBUGGEE_PAUSING_REASON_DEBUGGEE_GENERAL_DEBUG_BREAK, + DEBUGGEE_PAUSING_REASON_DEBUGGEE_GENERAL_THREAD_INTERCEPTED, + + // + // Only used for hardware debugging + // + DEBUGGEE_PAUSING_REASON_HARDWARE_BASED_DEBUGGEE_GENERAL_BREAK, + +} DEBUGGEE_PAUSING_REASON; + +/** + * @brief enum for requested action for HyperDbg packet + * + */ +typedef enum _DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION +{ + + // + // Debugger to debuggee (user-mode execution) + // + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_USER_MODE_PAUSE = 1, + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_USER_MODE_DO_NOT_READ_ANY_PACKET, + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_USER_MODE_DEBUGGER_VERSION, + + // + // Debuggee to debugger (user-mode execution) + // + DEBUGGER_REMOTE_PACKET_PING_AND_SEND_SUPPORTED_VERSION, + + // + // Debugger to debuggee (vmx-root mode execution) + // + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_MODE_STEP, + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_MODE_CONTINUE, + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_MODE_CLOSE_AND_UNLOAD_DEBUGGEE, + 
DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_MODE_CHANGE_CORE, + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_MODE_FLUSH_BUFFERS, + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_MODE_CALLSTACK, + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_MODE_TEST_QUERY, + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_MODE_CHANGE_PROCESS, + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_MODE_CHANGE_THREAD, + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_RUN_SCRIPT, + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_USER_INPUT_BUFFER, + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_SEARCH_QUERY, + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_REGISTER_EVENT, + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_ADD_ACTION_TO_EVENT, + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_QUERY_AND_MODIFY_EVENT, + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_READ_REGISTERS, + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_READ_MEMORY, + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_EDIT_MEMORY, + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_BP, + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_LIST_OR_MODIFY_BREAKPOINTS, + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_SYMBOL_RELOAD, + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_QUERY_PA2VA_AND_VA2PA, + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_SYMBOL_QUERY_PTE, + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_SET_SHORT_CIRCUITING_STATE, + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_INJECT_PAGE_FAULT, + + // + // Debuggee to debugger + // + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_NO_ACTION, + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_STARTED, + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_LOGGING_MECHANISM, + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_PAUSED_AND_CURRENT_INSTRUCTION, + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_RESULT_OF_CHANGING_CORE, + 
DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_RESULT_OF_CHANGING_PROCESS, + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_RESULT_OF_CHANGING_THREAD, + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_RESULT_OF_RUNNING_SCRIPT, + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_RESULT_OF_FORMATS, + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_RESULT_OF_FLUSH, + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_RESULT_OF_CALLSTACK, + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_RESULT_TEST_QUERY, + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_RESULT_OF_REGISTERING_EVENT, + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_RESULT_OF_ADDING_ACTION_TO_EVENT, + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_RESULT_OF_QUERY_AND_MODIFY_EVENT, + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_RESULT_OF_SHORT_CIRCUITING_EVENT, + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_RESULT_OF_READING_REGISTERS, + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_RESULT_OF_READING_MEMORY, + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_RESULT_OF_EDITING_MEMORY, + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_RESULT_OF_BP, + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_RESULT_OF_SHORT_CIRCUITING_STATE, + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_RESULT_OF_LIST_OR_MODIFY_BREAKPOINTS, + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_UPDATE_SYMBOL_INFO, + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_RELOAD_SYMBOL_FINISHED, + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_RELOAD_SEARCH_QUERY, + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_RESULT_OF_PTE, + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_RESULT_OF_VA2PA_AND_PA2VA, + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_RESULT_OF_BRINGING_PAGES_IN, + + // + // hardware debuggee to debugger + // + + // + // hardware debugger to debuggee + // + +} DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION; + +/** + * @brief enum for different packet types in HyperDbg packets + * @warning used in hwdbg 
+ * + */ +typedef enum _DEBUGGER_REMOTE_PACKET_TYPE +{ + + // + // Debugger to debuggee (vmx-root) + // + DEBUGGER_REMOTE_PACKET_TYPE_DEBUGGER_TO_DEBUGGEE_EXECUTE_ON_VMX_ROOT = 1, + + // + // Debugger to debuggee (user-mode) + // + DEBUGGER_REMOTE_PACKET_TYPE_DEBUGGER_TO_DEBUGGEE_EXECUTE_ON_USER_MODE = 2, + + // + // Debuggee to debugger (user-mode and kernel-mode, vmx-root mode) + // + DEBUGGER_REMOTE_PACKET_TYPE_DEBUGGEE_TO_DEBUGGER = 3, + + // + // Debugger to debuggee (hardware), used in hwdbg + // + DEBUGGER_REMOTE_PACKET_TYPE_DEBUGGER_TO_DEBUGGEE_HARDWARE_LEVEL = 4, + + // + // Debuggee to debugger (hardware), used in hwdbg + // + DEBUGGER_REMOTE_PACKET_TYPE_DEBUGGEE_TO_DEBUGGER_HARDWARE_LEVEL = 5, + +} DEBUGGER_REMOTE_PACKET_TYPE; + +/** + * @brief The structure of remote packets in HyperDbg + * + */ +typedef struct _DEBUGGER_REMOTE_PACKET +{ + BYTE Checksum; + UINT64 Indicator; /* Shows the type of the packet */ + DEBUGGER_REMOTE_PACKET_TYPE TypeOfThePacket; + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION RequestedActionOfThePacket; + +} DEBUGGER_REMOTE_PACKET, *PDEBUGGER_REMOTE_PACKET; + + +//..\..\..\bin\debug\SDK\Headers\ErrorCodes.h +/** + * @file ErrorCodes.h + * @author Sina Karvandi (sina@hyperdbg.org) + * @brief HyperDbg's SDK Error codes + * @details This file contains definitions of error codes used in HyperDbg + * @version 0.2 + * @date 2022-06-24 + * + * @copyright This project is released under the GNU Public License v3. 
+ * + */ +#pragma once + +////////////////////////////////////////////////// +// Success Codes // +////////////////////////////////////////////////// + +/** + * @brief General value to indicate that the operation or + * request was successful + * + */ +#define DEBUGGER_OPERATION_WAS_SUCCESSFUL 0xFFFFFFFF + +////////////////////////////////////////////////// +// Error Codes // +////////////////////////////////////////////////// + +/** + * @brief error, the tag not exist + * + */ +#define DEBUGGER_ERROR_TAG_NOT_EXISTS 0xc0000000 + +/** + * @brief error, invalid type of action + * + */ +#define DEBUGGER_ERROR_INVALID_ACTION_TYPE 0xc0000001 + +/** + * @brief error, the action buffer size is invalid + * + */ +#define DEBUGGER_ERROR_ACTION_BUFFER_SIZE_IS_ZERO 0xc0000002 + +/** + * @brief error, the event type is unknown + * + */ +#define DEBUGGER_ERROR_EVENT_TYPE_IS_INVALID 0xc0000003 -#elif VERSION_PATCH > 10 +/** + * @brief error, enable to create event + * + */ +#define DEBUGGER_ERROR_UNABLE_TO_CREATE_EVENT 0xc0000004 -# define VERSION_PATCH_INIT \ - ((VERSION_PATCH / 10) + '0'), \ - ((VERSION_PATCH % 10) + '0') +/** + * @brief error, invalid address specified for debugger + * + */ +#define DEBUGGER_ERROR_INVALID_ADDRESS 0xc0000005 -#else +/** + * @brief error, the core id is invalid + * + */ +#define DEBUGGER_ERROR_INVALID_CORE_ID 0xc0000006 -# define VERSION_PATCH_INIT \ - (VERSION_PATCH + '0') +/** + * @brief error, the index is greater than 32 in !exception command + * + */ +#define DEBUGGER_ERROR_EXCEPTION_INDEX_EXCEED_FIRST_32_ENTRIES 0xc0000007 -#endif +/** + * @brief error, the index for !interrupt command is not between 32 to 256 + * + */ +#define DEBUGGER_ERROR_INTERRUPT_INDEX_IS_NOT_VALID 0xc0000008 -#ifndef HYPERDBG_KERNEL_MODE +/** + * @brief error, unable to hide the debugger and enter to transparent-mode + * + */ +#define DEBUGGER_ERROR_UNABLE_TO_HIDE_OR_UNHIDE_DEBUGGER 0xc0000009 -const unsigned char BuildDateTime[] = { - BUILD_YEAR_CH0, - 
BUILD_YEAR_CH1, - BUILD_YEAR_CH2, - BUILD_YEAR_CH3, - '-', - BUILD_MONTH_CH0, - BUILD_MONTH_CH1, - '-', - BUILD_DAY_CH0, - BUILD_DAY_CH1, - ' ', - BUILD_HOUR_CH0, - BUILD_HOUR_CH1, - ':', - BUILD_MIN_CH0, - BUILD_MIN_CH1, - ':', - BUILD_SEC_CH0, - BUILD_SEC_CH1, +/** + * @brief error, the debugger is already in transparent-mode + * + */ +#define DEBUGGER_ERROR_DEBUGGER_ALREADY_UHIDE 0xc000000a - '\0'}; +/** + * @brief error, invalid parameters in !e* e* commands + * + */ +#define DEBUGGER_ERROR_EDIT_MEMORY_STATUS_INVALID_PARAMETER 0xc000000b -const unsigned char CompleteVersion[] = { - 'v', - VERSION_MAJOR_INIT, - '.', - VERSION_MINOR_INIT, - '.', - VERSION_PATCH_INIT, - '\0'}; +/** + * @brief error, an invalid address is specified based on current cr3 + * in !e* or e* commands + * + */ +#define DEBUGGER_ERROR_EDIT_MEMORY_STATUS_INVALID_ADDRESS_BASED_ON_CURRENT_PROCESS \ + 0xc000000c -const unsigned char BuildVersion[] = { - BUILD_YEAR_CH0, - BUILD_YEAR_CH1, - BUILD_YEAR_CH2, - BUILD_YEAR_CH3, - BUILD_MONTH_CH0, - BUILD_MONTH_CH1, - BUILD_DAY_CH0, - BUILD_DAY_CH1, - '.', - BUILD_HOUR_CH0, - BUILD_HOUR_CH1, - BUILD_MIN_CH0, - BUILD_MIN_CH1, +/** + * @brief error, an invalid address is specified based on anotehr process's cr3 + * in !e* or e* commands + * + */ +#define DEBUGGER_ERROR_EDIT_MEMORY_STATUS_INVALID_ADDRESS_BASED_ON_OTHER_PROCESS \ + 0xc000000d - '\0'}; +/** + * @brief error, invalid tag for 'events' command (tag id is unknown for kernel) + * + */ +#define DEBUGGER_ERROR_MODIFY_EVENTS_INVALID_TAG 0xc000000e -const unsigned char BuildSignature[] = { - VERSION_MAJOR_INIT, - '.', - VERSION_MINOR_INIT, - '.', - VERSION_PATCH_INIT, - '-', - BUILD_YEAR_CH0, - BUILD_YEAR_CH1, - BUILD_YEAR_CH2, - BUILD_YEAR_CH3, - BUILD_MONTH_CH0, - BUILD_MONTH_CH1, - BUILD_DAY_CH0, - BUILD_DAY_CH1, - '.', - BUILD_HOUR_CH0, - BUILD_HOUR_CH1, - BUILD_MIN_CH0, - BUILD_MIN_CH1, +/** + * @brief error, type of action (enable/disable/clear) is wrong + * + */ +#define 
DEBUGGER_ERROR_MODIFY_EVENTS_INVALID_TYPE_OF_ACTION 0xc000000f + +/** + * @brief error, invalid parameters steppings actions + * + */ +#define DEBUGGER_ERROR_STEPPING_INVALID_PARAMETER 0xc0000010 + +/** + * @brief error, thread is invalid (not found) or disabled in + * stepping (step-in & step-out) requests + * + */ +#define DEBUGGER_ERROR_STEPPINGS_EITHER_THREAD_NOT_FOUND_OR_DISABLED 0xc0000011 + +/** + * @brief error, baud rate is invalid + * + */ +#define DEBUGGER_ERROR_PREPARING_DEBUGGEE_INVALID_BAUDRATE 0xc0000012 + +/** + * @brief error, serial port address is invalid + * + */ +#define DEBUGGER_ERROR_PREPARING_DEBUGGEE_INVALID_SERIAL_PORT 0xc0000013 + +/** + * @brief error, invalid core selected in changing core in remote debuggee + * + */ +#define DEBUGGER_ERROR_PREPARING_DEBUGGEE_INVALID_CORE_IN_REMOTE_DEBUGGE \ + 0xc0000014 + +/** + * @brief error, invalid process selected in changing process in remote debuggee + * + */ +#define DEBUGGER_ERROR_PREPARING_DEBUGGEE_UNABLE_TO_SWITCH_TO_NEW_PROCESS \ + 0xc0000015 + +/** + * @brief error, unable to run script in remote debuggee + * + */ +#define DEBUGGER_ERROR_PREPARING_DEBUGGEE_TO_RUN_SCRIPT 0xc0000016 + +/** + * @brief error, invalid register number + * + */ +#define DEBUGGER_ERROR_INVALID_REGISTER_NUMBER 0xc0000017 + +/** + * @brief error, maximum pools were used without continuing debuggee + * + */ +#define DEBUGGER_ERROR_MAXIMUM_BREAKPOINT_WITHOUT_CONTINUE 0xc0000018 + +/** + * @brief error, breakpoint already exists on the target address + * + */ +#define DEBUGGER_ERROR_BREAKPOINT_ALREADY_EXISTS_ON_THE_ADDRESS 0xc0000019 + +/** + * @brief error, breakpoint id not found + * + */ +#define DEBUGGER_ERROR_BREAKPOINT_ID_NOT_FOUND 0xc000001a + +/** + * @brief error, breakpoint already disabled + * + */ +#define DEBUGGER_ERROR_BREAKPOINT_ALREADY_DISABLED 0xc000001b + +/** + * @brief error, breakpoint already enabled + * + */ +#define DEBUGGER_ERROR_BREAKPOINT_ALREADY_ENABLED 0xc000001c + +/** + * @brief error, 
memory type is invalid + * + */ +#define DEBUGGER_ERROR_MEMORY_TYPE_INVALID 0xc000001d + +/** + * @brief error, the process id is invalid + * + */ +#define DEBUGGER_ERROR_INVALID_PROCESS_ID 0xc000001e + +/** + * @brief error, for event specific reasons the event is not + * applied + * + */ +#define DEBUGGER_ERROR_EVENT_IS_NOT_APPLIED 0xc000001f + +/** + * @brief error, for process switch or process details, invalid parameter + * + */ +#define DEBUGGER_ERROR_DETAILS_OR_SWITCH_PROCESS_INVALID_PARAMETER 0xc0000020 + +/** + * @brief error, for thread switch or thread details, invalid parameter + * + */ +#define DEBUGGER_ERROR_DETAILS_OR_SWITCH_THREAD_INVALID_PARAMETER 0xc0000021 + +/** + * @brief error, maximum breakpoint for a single page is hit + * + */ +#define DEBUGGER_ERROR_MAXIMUM_BREAKPOINT_FOR_A_SINGLE_PAGE_IS_HIT 0xc0000022 - '\0'}; +/** + * @brief error, there is no pre-allocated buffer + * + */ +#define DEBUGGER_ERROR_PRE_ALLOCATED_BUFFER_IS_EMPTY 0xc0000023 -#endif // SCRIPT_ENGINE_KERNEL_MODE +/** + * @brief error, in the EPT handler, it could not split the 2MB pages to + * 512 entries of 4 KB pages + * + */ +#define DEBUGGER_ERROR_EPT_COULD_NOT_SPLIT_THE_LARGE_PAGE_TO_4KB_PAGES 0xc0000024 -////////////////////////////////////////////////// -// Message Tracing // -////////////////////////////////////////////////// +/** + * @brief error, failed to get PML1 entry of the target address + * + */ +#define DEBUGGER_ERROR_EPT_FAILED_TO_GET_PML1_ENTRY_OF_TARGET_ADDRESS 0xc0000025 /** - * @brief Default buffer count of packets for message tracing - * @details number of packets storage for regular buffers + * @brief error, multiple EPT Hooks or Monitors are applied on a single page + * */ -#define MaximumPacketsCapacity 1000 +#define DEBUGGER_ERROR_EPT_MULTIPLE_HOOKS_IN_A_SINGLE_PAGE 0xc0000026 /** - * @brief Default buffer count of packets for message tracing - * @details number of packets storage for priority buffers + * @brief error, could not build the EPT Hook 
+ * */ -#define MaximumPacketsCapacityPriority 50 +#define DEBUGGER_ERROR_COULD_NOT_BUILD_THE_EPT_HOOK 0xc0000027 /** - * @brief Size of normal OS (processor) pages + * @brief error, could not find the type of allocation + * */ -#define NORMAL_PAGE_SIZE 4096 // PAGE_SIZE +#define DEBUGGER_ERROR_COULD_NOT_FIND_ALLOCATION_TYPE 0xc0000028 /** - * @brief Size of each packet + * @brief error, could not find the index of test query + * */ -#define PacketChunkSize NORMAL_PAGE_SIZE +#define DEBUGGER_ERROR_INVALID_TEST_QUERY_INDEX 0xc0000029 /** - * @brief size of user-mode buffer - * @details Because of operation code at the start of the - * buffer + 1 for null-termminating + * @brief error, failed to attach to the target user-mode process * */ -#define UsermodeBufferSize sizeof(UINT32) + PacketChunkSize + 1 +#define DEBUGGER_ERROR_UNABLE_TO_ATTACH_TO_TARGET_USER_MODE_PROCESS 0xc000002a /** - * @brief size of buffer for serial - * @details the maximum packet size for sending over serial + * @brief error, failed to remove hooks as entrypoint is not reached yet + * @details The caller of this functionality should keep sending the previous + * IOCTL until the hook is remove successfully * */ -#define MaxSerialPacketSize 10 * NORMAL_PAGE_SIZE +#define DEBUGGER_ERROR_UNABLE_TO_REMOVE_HOOKS_ENTRYPOINT_NOT_REACHED 0xc000002b /** - * @brief Final storage size of message tracing + * @brief error, could not remove the previous hook * */ -#define LogBufferSize \ - MaximumPacketsCapacity *(PacketChunkSize + sizeof(BUFFER_HEADER)) +#define DEBUGGER_ERROR_UNABLE_TO_REMOVE_HOOKS 0xc000002c /** - * @brief Final storage size of message tracing + * @brief error, the needed routines for debugging is not initialized * */ -#define LogBufferSizePriority \ - MaximumPacketsCapacityPriority *(PacketChunkSize + sizeof(BUFFER_HEADER)) +#define DEBUGGER_ERROR_FUNCTIONS_FOR_INITIALIZING_PEB_ADDRESSES_ARE_NOT_INITIALIZED 0xc000002d /** - * @brief limitation of Windows DbgPrint message size - * @details 
currently is not functional + * @brief error, unable to get 32-bit or 64-bit of the target process * */ -#define DbgPrintLimitation 512 +#define DEBUGGER_ERROR_UNABLE_TO_DETECT_32_BIT_OR_64_BIT_PROCESS 0xc000002e /** - * @brief The seeds that user-mode codes use as the starter - * of their events' tag + * @brief error, unable to kill the target process * */ -#define DebuggerEventTagStartSeed 0x1000000 +#define DEBUGGER_ERROR_UNABLE_TO_KILL_THE_PROCESS 0xc000002f /** - * @brief The seeds that user-mode thread detail token start with it - * @details This seed should not start with zero (0), otherwise it's - * interpreted as error + * @brief error, invalid thread debugging token + * */ -#define DebuggerThreadDebuggingTagStartSeed 0x1000000 +#define DEBUGGER_ERROR_INVALID_THREAD_DEBUGGING_TOKEN 0xc0000030 /** - * @brief The seeds that user-mode codes use as the starter - * of their output source tag + * @brief error, unable to pause the process's threads * */ -#define DebuggerOutputSourceTagStartSeed 0x1 +#define DEBUGGER_ERROR_UNABLE_TO_PAUSE_THE_PROCESS_THREADS 0xc0000031 /** - * @brief Determines how many sources a debugger can have for - * a single event + * @brief error, user debugger already attached to this process * */ -#define DebuggerOutputSourceMaximumRemoteSourceForSingleEvent 0x5 +#define DEBUGGER_ERROR_UNABLE_TO_ATTACH_TO_AN_ALREADY_ATTACHED_PROCESS 0xc0000032 /** - * @brief The size of each chunk of memory used in the 'memcpy' function - * of the script engine for transferring buffers in the VMX-root mode + * @brief error, the user debugger is not attached to the target process * */ -#define DebuggerScriptEngineMemcpyMovingBufferSize 64 +#define DEBUGGER_ERROR_THE_USER_DEBUGGER_NOT_ATTACHED_TO_THE_PROCESS 0xc0000033 -////////////////////////////////////////////////// -// EPT Hook // -////////////////////////////////////////////////// +/** + * @brief error, cannot detach from the process as there are paused threads + * + */ +#define 
DEBUGGER_ERROR_UNABLE_TO_DETACH_AS_THERE_ARE_PAUSED_THREADS 0xc0000034 /** - * @brief Maximum number of initial pre-allocated EPT hooks + * @brief error, cannot switch to new thread as the process id or thread id is not found * */ -#define MAXIMUM_NUMBER_OF_INITIAL_PREALLOCATED_EPT_HOOKS 5 +#define DEBUGGER_ERROR_UNABLE_TO_SWITCH_PROCESS_ID_OR_THREAD_ID_IS_INVALID 0xc0000035 -////////////////////////////////////////////////// -// Instant Event Configs // -////////////////////////////////////////////////// +/** + * @brief error, cannot switch to new thread the process doesn't contain an active thread + * + */ +#define DEBUGGER_ERROR_UNABLE_TO_SWITCH_THERE_IS_NO_THREAD_ON_THE_PROCESS 0xc0000036 /** - * @brief Maximum number of (regular) instant events that are pre-allocated + * @brief error, unable to get modules * */ -#define MAXIMUM_REGULAR_INSTANT_EVENTS 20 +#define DEBUGGER_ERROR_UNABLE_TO_GET_MODULES_OF_THE_PROCESS 0xc0000037 /** - * @brief Maximum number of (big) instant events that are pre-allocated + * @brief error, unable to get the callstack * */ -#define MAXIMUM_BIG_INSTANT_EVENTS 0 +#define DEBUGGER_ERROR_UNABLE_TO_GET_CALLSTACK 0xc0000038 /** - * @brief Pre-allocated size for a regular event + conditions buffer + * @brief error, unable to query count of processes or threads * */ -#define REGULAR_INSTANT_EVENT_CONDITIONAL_BUFFER sizeof(DEBUGGER_EVENT) + 100 +#define DEBUGGER_ERROR_UNABLE_TO_QUERY_COUNT_OF_PROCESSES_OR_THREADS 0xc0000039 /** - * @brief Pre-allocated size for a big event + conditions buffer + * @brief error, using short-circuiting event with post-event mode is + * not supported in HyperDbg * */ -#define BIG_INSTANT_EVENT_CONDITIONAL_BUFFER sizeof(DEBUGGER_EVENT) + PAGE_SIZE +#define DEBUGGER_ERROR_USING_SHORT_CIRCUITING_EVENT_WITH_POST_EVENT_MODE_IS_FORBIDDEDN 0xc000003a /** - * @brief Pre-allocated size for a regular action + custom code or script buffer + * @brief error, unknown test query is received * */ -#define 
REGULAR_INSTANT_EVENT_ACTION_BUFFER sizeof(DEBUGGER_EVENT_ACTION) + (PAGE_SIZE * 2) +#define DEBUGGER_ERROR_UNKNOWN_TEST_QUERY_RECEIVED 0xc000003b /** - * @brief Pre-allocated size for a big action + custom code or script buffer + * @brief error, for reading from memory in case of invalid parameters * */ -#define BIG_INSTANT_EVENT_ACTION_BUFFER sizeof(DEBUGGER_EVENT_ACTION) + MaxSerialPacketSize +#define DEBUGGER_ERROR_READING_MEMORY_INVALID_PARAMETER 0xc000003c /** - * @brief Pre-allocated size for a regular requested safe buffer + * @brief error, the list of threads/process trap flag is full * */ -#define REGULAR_INSTANT_EVENT_REQUESTED_SAFE_BUFFER PAGE_SIZE +#define DEBUGGER_ERROR_THE_TRAP_FLAG_LIST_IS_FULL 0xc000003d /** - * @brief Pre-allocated size for a big requested safe buffer + * @brief error, unable to kill the target process. process does not exists * */ -#define BIG_INSTANT_EVENT_REQUESTED_SAFE_BUFFER MaxSerialPacketSize +#define DEBUGGER_ERROR_UNABLE_TO_KILL_THE_PROCESS_DOES_NOT_EXISTS 0xc000003e -////////////////////////////////////////////////// -// Remote Connection // -////////////////////////////////////////////////// +/** + * @brief error, the execution mode is incorrect + * + */ +#define DEBUGGER_ERROR_MODE_EXECUTION_IS_INVALID 0xc000003f /** - * @brief default port of HyperDbg for listening by - * debuggee (server, guest) + * @brief error, the process id cannot be specified while the debugger is in VMX-root mode * */ -#define DEFAULT_PORT "50000" +#define DEBUGGER_ERROR_PROCESS_ID_CANNOT_BE_SPECIFIED_WHILE_APPLYING_EVENT_FROM_VMX_ROOT_MODE 0xc0000040 /** - * @brief Packet size for TCP connections - * @details Note that we might add something to the kernel buffers - * that's why we add 0x100 to it + * @brief error, the preallocated buffer is not enough for storing event+conditional buffer + * */ -#define COMMUNICATION_BUFFER_SIZE PacketChunkSize + 0x100 +#define 
DEBUGGER_ERROR_INSTANT_EVENT_PREALLOCATED_BUFFER_IS_NOT_ENOUGH_FOR_EVENT_AND_CONDITIONALS 0xc0000041 -////////////////////////////////////////////////// -// VMCALL Numbers // -////////////////////////////////////////////////// +/** + * @brief error, the regular preallocated buffer not found + * + */ +#define DEBUGGER_ERROR_INSTANT_EVENT_REGULAR_PREALLOCATED_BUFFER_NOT_FOUND 0xc0000042 /** - * @brief The start number of VMCALL number allowed to be - * used by top-level drivers + * @brief error, the big preallocated buffer not found * */ -#define TOP_LEVEL_DRIVERS_VMCALL_STARTING_NUMBER 0x00000200 +#define DEBUGGER_ERROR_INSTANT_EVENT_BIG_PREALLOCATED_BUFFER_NOT_FOUND 0xc0000043 /** - * @brief The start number of VMCALL number allowed to be - * used by top-level drivers + * @brief error, enable to create action (cannot allocate buffer) * */ -#define TOP_LEVEL_DRIVERS_VMCALL_ENDING_NUMBER TOP_LEVEL_DRIVERS_VMCALL_STARTING_NUMBER + 0x100 +#define DEBUGGER_ERROR_UNABLE_TO_CREATE_ACTION_CANNOT_ALLOCATE_BUFFER 0xc0000044 -////////////////////////////////////////////////// -// Operation Codes // -////////////////////////////////////////////////// +/** + * @brief error, the regular preallocated buffer not found (for action) + * + */ +#define DEBUGGER_ERROR_INSTANT_EVENT_ACTION_REGULAR_PREALLOCATED_BUFFER_NOT_FOUND 0xc0000045 /** - * @brief If a operation use this bit in its Operation code, - * then it means that the operation should be performed - * mandatorily in debuggee and should not be sent to the debugger + * @brief error, the big preallocated buffer not found (for action) + * */ -#define OPERATION_MANDATORY_DEBUGGEE_BIT (1 << 31) +#define DEBUGGER_ERROR_INSTANT_EVENT_ACTION_BIG_PREALLOCATED_BUFFER_NOT_FOUND 0xc0000046 /** - * @brief Message logs id that comes from kernel-mode to - * user-mode - * @details Message area >= 0x5 + * @brief error, the preallocated buffer is not enough for storing action buffer + * */ -#define OPERATION_LOG_INFO_MESSAGE 1U -#define 
OPERATION_LOG_WARNING_MESSAGE 2U -#define OPERATION_LOG_ERROR_MESSAGE 3U -#define OPERATION_LOG_NON_IMMEDIATE_MESSAGE 4U -#define OPERATION_LOG_WITH_TAG 5U +#define DEBUGGER_ERROR_INSTANT_EVENT_PREALLOCATED_BUFFER_IS_NOT_ENOUGH_FOR_ACTION_BUFFER 0xc0000047 -#define OPERATION_COMMAND_FROM_DEBUGGER_CLOSE_AND_UNLOAD_VMM \ - 6U | OPERATION_MANDATORY_DEBUGGEE_BIT -#define OPERATION_DEBUGGEE_USER_INPUT 7U | OPERATION_MANDATORY_DEBUGGEE_BIT -#define OPERATION_DEBUGGEE_REGISTER_EVENT 8U | OPERATION_MANDATORY_DEBUGGEE_BIT -#define OPERATION_DEBUGGEE_ADD_ACTION_TO_EVENT \ - 9 | OPERATION_MANDATORY_DEBUGGEE_BIT -#define OPERATION_DEBUGGEE_CLEAR_EVENTS 10U | OPERATION_MANDATORY_DEBUGGEE_BIT -#define OPERATION_DEBUGGEE_CLEAR_EVENTS_WITHOUT_NOTIFYING_DEBUGGER 11U | OPERATION_MANDATORY_DEBUGGEE_BIT -#define OPERATION_HYPERVISOR_DRIVER_IS_SUCCESSFULLY_LOADED \ - 12U | OPERATION_MANDATORY_DEBUGGEE_BIT -#define OPERATION_HYPERVISOR_DRIVER_END_OF_IRPS \ - 13U | OPERATION_MANDATORY_DEBUGGEE_BIT -#define OPERATION_COMMAND_FROM_DEBUGGER_RELOAD_SYMBOL \ - 14U | OPERATION_MANDATORY_DEBUGGEE_BIT +/** + * @brief error, the requested optional buffer is bigger than send/receive stack of the debugger + * + */ +#define DEBUGGER_ERROR_INSTANT_EVENT_REQUESTED_OPTIONAL_BUFFER_IS_BIGGER_THAN_DEBUGGERS_SEND_RECEIVE_STACK 0xc0000048 -#define OPERATION_NOTIFICATION_FROM_USER_DEBUGGER_PAUSE \ - 15U | OPERATION_MANDATORY_DEBUGGEE_BIT +/** + * @brief error, the requested safe buffer does not exist (regular) + * + */ +#define DEBUGGER_ERROR_INSTANT_EVENT_REGULAR_REQUESTED_SAFE_BUFFER_NOT_FOUND 0xc0000049 -////////////////////////////////////////////////// -// Breakpoints & Debug Breakpoints // -////////////////////////////////////////////////// +/** + * @brief error, the requested safe buffer does not exists (big) + * + */ +#define DEBUGGER_ERROR_INSTANT_EVENT_BIG_REQUESTED_SAFE_BUFFER_NOT_FOUND 0xc000004a + +/** + * @brief error, the preallocated buffer is not enough for storing safe requested buffer + * 
+ */ +#define DEBUGGER_ERROR_INSTANT_EVENT_PREALLOCATED_BUFFER_IS_NOT_ENOUGH_FOR_REQUESTED_SAFE_BUFFER 0xc000004b /** - * @brief maximum number of buffers to be allocated for a single - * breakpoint + * @brief error, enable to create requested safe buffer (cannot allocate buffer) + * */ -#define MAXIMUM_BREAKPOINTS_WITHOUT_CONTINUE 100 +#define DEBUGGER_ERROR_UNABLE_TO_ALLOCATE_REQUESTED_SAFE_BUFFER 0xc000004c /** - * @brief maximum number of thread/process ids to be allocated for a simultaneous - * debugging - * @details it shows the maximum number of threads/processes that HyperDbg sets - * trap flag for them + * @brief error, could not find the type of preactivation * */ -#define MAXIMUM_NUMBER_OF_THREAD_INFORMATION_FOR_TRAPS 200 - -////////////////////////////////////////////////// -// Pool tags used in HyperDbg // -////////////////////////////////////////////////// +#define DEBUGGER_ERROR_COULD_NOT_FIND_PREACTIVATION_TYPE 0xc000004d /** - * @brief Pool tag + * @brief error, the mode exec trap is not already initialized * */ -#define POOLTAG 0x48444247 // [H]yper[DBG] (HDBG) - -////////////////////////////////////////////////// -// End of Buffer Detection // -////////////////////////////////////////////////// +#define DEBUGGER_ERROR_THE_MODE_EXEC_TRAP_IS_NOT_INITIALIZED 0xc000004e /** - * @brief count of characters for serial end of buffer + * @brief error, the target event(s) is/are disabled but cannot clear them because the buffer of the user-mode + * priority is full + * */ -#define SERIAL_END_OF_BUFFER_CHARS_COUNT 0x4 +#define DEBUGGER_ERROR_THE_TARGET_EVENT_IS_DISABLED_BUT_CANNOT_BE_CLEARED_PRIRITY_BUFFER_IS_FULL 0xc000004f /** - * @brief characters of the buffer that we set at the end of - * buffers for serial + * @brief error, not all cores are locked (probably due to a race condition in HyperDbg) in + * instant-event mechanism + * */ -#define SERIAL_END_OF_BUFFER_CHAR_1 0x00 -#define SERIAL_END_OF_BUFFER_CHAR_2 0x80 -#define SERIAL_END_OF_BUFFER_CHAR_3 
0xEE -#define SERIAL_END_OF_BUFFER_CHAR_4 0xFF +#define DEBUGGER_ERROR_NOT_ALL_CORES_ARE_LOCKED_FOR_APPLYING_INSTANT_EVENT 0xc0000050 /** - * @brief count of characters for tcp end of buffer + * @brief error, switching to the target core is not possible because core is not locked + * (probably due to a race condition in HyperDbg) + * */ -#define TCP_END_OF_BUFFER_CHARS_COUNT 0x4 +#define DEBUGGER_ERROR_TARGET_SWITCHING_CORE_IS_NOT_LOCKED 0xc0000051 /** - * @brief characters of the buffer that we set at the end of - * buffers for tcp + * @brief error, invalid physical address + * */ -#define TCP_END_OF_BUFFER_CHAR_1 0x10 -#define TCP_END_OF_BUFFER_CHAR_2 0x20 -#define TCP_END_OF_BUFFER_CHAR_3 0x33 -#define TCP_END_OF_BUFFER_CHAR_4 0x44 +#define DEBUGGER_ERROR_INVALID_PHYSICAL_ADDRESS 0xc0000052 + +// +// WHEN YOU ADD ANYTHING TO THIS LIST OF ERRORS, THEN +// MAKE SURE TO ADD AN ERROR MESSAGE TO ShowErrorMessage(UINT32 Error) +// FUNCTION +// -////////////////////////////////////////////////// -// Name of OS // -////////////////////////////////////////////////// +//..\..\..\bin\debug\SDK\Headers\HardwareDebugger.h /** - * @brief maximum name for OS name buffer + * @file HardwareDebugger.h + * @author Sina Karvandi (sina@hyperdbg.org) + * @brief HyperDbg's Hardware Debugger (hwdbg) types and constants + * @details This file contains definitions of hwdbg elements + * used in HyperDbg + * @version 0.9 + * @date 2024-04-28 + * + * @copyright This project is released under the GNU Public License v3. 
* */ -#define MAXIMUM_CHARACTER_FOR_OS_NAME 256 +#pragma once ////////////////////////////////////////////////// -// Processor Details // +// Definitions // ////////////////////////////////////////////////// /** - * @brief maximum instruction size in Intel + * @brief Initial debuggee to debugger offset + * */ -#define MAXIMUM_INSTR_SIZE 16 +#define DEFAULT_INITIAL_DEBUGGEE_TO_DEBUGGER_OFFSET 0x200 /** - * @brief maximum size for call instruction in Intel + * @brief Initial debugger to debuggee offset + * */ -#define MAXIMUM_CALL_INSTR_SIZE 7 +#define DEFAULT_INITIAL_DEBUGGER_TO_DEBUGGEE_OFFSET 0x0 ////////////////////////////////////////////////// -// Symbols Details // +// Enums // ////////////////////////////////////////////////// /** - * @brief maximum supported modules to load - * their symbol information + * @brief Different action of hwdbg + * @warning This file should be changed along with hwdbg files + * */ -#define MAXIMUM_SUPPORTED_SYMBOLS 1000 +typedef enum _HWDBG_ACTION_ENUMS +{ + hwdbgActionSendInstanceInfo = 1, + hwdbgActionConfigureScriptBuffer = 2, + +} HWDBG_ACTION_ENUMS; /** - * @brief maximum size for GUID and Age of PE - * @detail It seems that 33 bytes is enough but let's - * have more space because there might be sth that we - * missed :) + * @brief Different responses come from hwdbg + * @warning This file should be changed along with hwdbg files + * */ -#define MAXIMUM_GUID_AND_AGE_SIZE 60 +typedef enum _HWDBG_RESPONSE_ENUMS +{ + hwdbgResponseSuccessOrErrorMessage = 1, + hwdbgResponseInstanceInfo = 2, -////////////////////////////////////////////////// -// Debuggee Communication // -////////////////////////////////////////////////// +} HWDBG_RESPONSE_ENUMS; /** - * @brief constant indicator of a HyperDbg packet - * @warning used in hwdbg + * @brief Different success or error codes in hwdbg + * @warning This file should be changed along with hwdbg files * */ -#define INDICATOR_OF_HYPERDBG_PACKET \ - 0x4859504552444247 // HYPERDBG = 
0x4859504552444247 +typedef enum _HWDBG_SUCCESS_OR_ERROR_ENUMS +{ + hwdbgOperationWasSuccessful = 0x7FFFFFFF, + hwdbgErrorInvalidPacket = 1, + +} HWDBG_SUCCESS_OR_ERROR_ENUMS; ////////////////////////////////////////////////// -// Command Details // +// Structures // ////////////////////////////////////////////////// /** - * @brief maximum results that will be returned by !s* s* - * command + * @brief The structure of port information (each item) in hwdbg * */ -#define MaximumSearchResults 0x1000 +typedef struct _HWDBG_PORT_INFORMATION_ITEMS +{ + UINT32 PortSize; -////////////////////////////////////////////////// -// Script Engine // -////////////////////////////////////////////////// +} HWDBG_PORT_INFORMATION_ITEMS, *PHWDBG_PORT_INFORMATION_ITEMS; /** - * @brief EFLAGS/RFLAGS + * @brief The structure of script capabilities information in hwdbg * */ -#define X86_FLAGS_CF (1 << 0) -#define X86_FLAGS_PF (1 << 2) -#define X86_FLAGS_AF (1 << 4) -#define X86_FLAGS_ZF (1 << 6) -#define X86_FLAGS_SF (1 << 7) -#define X86_FLAGS_TF (1 << 8) -#define X86_FLAGS_IF (1 << 9) -#define X86_FLAGS_DF (1 << 10) -#define X86_FLAGS_OF (1 << 11) -#define X86_FLAGS_STATUS_MASK (0xfff) -#define X86_FLAGS_IOPL_MASK (3 << 12) -#define X86_FLAGS_IOPL_SHIFT (12) -#define X86_FLAGS_IOPL_SHIFT_2ND_BIT (13) -#define X86_FLAGS_NT (1 << 14) -#define X86_FLAGS_RF (1 << 16) -#define X86_FLAGS_VM (1 << 17) -#define X86_FLAGS_AC (1 << 18) -#define X86_FLAGS_VIF (1 << 19) -#define X86_FLAGS_VIP (1 << 20) -#define X86_FLAGS_ID (1 << 21) -#define X86_FLAGS_RESERVED_ONES 0x2 -#define X86_FLAGS_RESERVED 0xffc0802a - -#define X86_FLAGS_RESERVED_BITS 0xffc38028 -#define X86_FLAGS_FIXED 0x00000002 - -#ifndef LOWORD -# define LOWORD(l) ((WORD)(l)) -#endif // !LOWORD - -#ifndef HIWORD -# define HIWORD(l) ((WORD)(((DWORD)(l) >> 16) & 0xFFFF)) -#endif // !HIWORD +typedef struct _HWDBG_INSTANCE_INFORMATION +{ + // + // ANY ADDITION TO THIS STRUCTURE SHOULD BE SYNCHRONIZED WITH SCALA AND INSTANCE INFO SENDER 
MODULE + // + UINT32 version; // Target version of HyperDbg (same as hwdbg) + UINT32 maximumNumberOfStages; // Number of stages that this instance of hwdbg supports (NumberOfSupportedStages == 0 means script engine is disabled) + UINT32 scriptVariableLength; // maximum length of variables (and other script elements) + UINT32 maximumNumberOfSupportedGetScriptOperators; // Maximum supported GET operators in a single func + UINT32 maximumNumberOfSupportedSetScriptOperators; // Maximum supported SET operators in a single func + UINT32 sharedMemorySize; // Size of shared memory + UINT32 debuggerAreaOffset; // The memory offset of debugger + UINT32 debuggeeAreaOffset; // The memory offset of debuggee + UINT32 numberOfPins; // Number of pins + UINT32 numberOfPorts; // Number of ports -#ifndef LOBYTE -# define LOBYTE(w) ((BYTE)(w)) -#endif // !LOBYTE + // + // ANY ADDITION TO THIS STRUCTURE SHOULD BE SYNCHRONIZED WITH SCALA AND INSTANCE INFO SENDER MODULE + // -#ifndef HIBYTE -# define HIBYTE(w) ((BYTE)(((WORD)(w) >> 8) & 0xFF)) -#endif // !HIBYTE + struct _HWDBG_SCRIPT_CAPABILITIES + { + // + // ANY ADDITION TO THIS MASK SHOULD BE ADDED TO HwdbgInterpreterShowScriptCapabilities + // and HwdbgInterpreterCheckScriptBufferWithScriptCapabilities as well Scala file + // + UINT64 func_or : 1; + UINT64 func_xor : 1; + UINT64 func_and : 1; + UINT64 func_asr : 1; + UINT64 func_asl : 1; + UINT64 func_add : 1; + UINT64 func_sub : 1; + UINT64 func_mul : 1; + UINT64 func_div : 1; + UINT64 func_mod : 1; + UINT64 func_gt : 1; + UINT64 func_lt : 1; + UINT64 func_egt : 1; + UINT64 func_elt : 1; + UINT64 func_equal : 1; + UINT64 func_neq : 1; + UINT64 func_jmp : 1; + UINT64 func_jz : 1; + UINT64 func_jnz : 1; + UINT64 func_mov : 1; + UINT64 func_printf : 1; -#define MAX_TEMP_COUNT 128 + // + // ANY ADDITION TO THIS MASK SHOULD BE ADDED TO HwdbgInterpreterShowScriptCapabilities + // and HwdbgInterpreterCheckScriptBufferWithScriptCapabilities as well Scala file + // -#define 
MAX_STACK_BUFFER_COUNT 128 + } scriptCapabilities; -// TODO: Extract number of variables from input of ScriptEngine -// and allocate variableList Dynamically. -#define MAX_VAR_COUNT 512 + UINT32 bramAddrWidth; // BRAM address width + UINT32 bramDataWidth; // BRAM data width -#define MAX_FUNCTION_NAME_LENGTH 32 + // + // Here the details of port arrangements are located (HWDBG_PORT_INFORMATION_ITEMS) + // As the following type: + // HWDBG_PORT_INFORMATION_ITEMS portsConfiguration[numberOfPorts] ; Port arrangement + // -////////////////////////////////////////////////// -// Debugger // -////////////////////////////////////////////////// +} HWDBG_INSTANCE_INFORMATION, *PHWDBG_INSTANCE_INFORMATION; /** - * @brief Apply event modifications to all tags + * @brief The structure of script buffer in hwdbg * */ -#define DEBUGGER_MODIFY_EVENTS_APPLY_TO_ALL_TAG 0xffffffffffffffff +typedef struct _HWDBG_SCRIPT_BUFFER +{ + UINT32 scriptNumberOfSymbols; // Number of symbols in the script -/** - * @brief Maximum length for a function (to be used in showing distance - * from symbol functions in the 'u' command) - * - */ -#define DISASSEMBLY_MAXIMUM_DISTANCE_FROM_OBJECT_NAME 0xffff + // + // Here the script buffer is located + // + // UINT8 scriptBuffer[scriptNumberOfSymbols]; // The script buffer + // + +} HWDBG_SCRIPT_BUFFER, *PHWDBG_SCRIPT_BUFFER; -/** - * @brief Read and write MSRs to all cores - * - */ -#define DEBUGGER_READ_AND_WRITE_ON_MSR_APPLY_ALL_CORES 0xffffffff +//..\..\..\bin\debug\SDK\Imports\HyperDbgHyperLogIntrinsics.h /** - * @brief Apply the event to all the cores + * @file HyperDbgHyperLogIntrinsics.h + * @author Sina Karvandi (sina@hyperdbg.org) + * @brief Headers relating exported functions from hyperlog project + * @version 0.1 + * @date 2023-01-15 + * + * @copyright This project is released under the GNU Public License v3. 
* */ -#define DEBUGGER_DEBUGGEE_IS_RUNNING_NO_CORE 0xffffffff +#pragma once + +////////////////////////////////////////////////// +// Enums // +////////////////////////////////////////////////// /** - * @brief Apply the event to all the cores + * @brief Types of log messages * */ -#define DEBUGGER_EVENT_APPLY_TO_ALL_CORES 0xffffffff +typedef enum _LOG_TYPE +{ + LOG_INFO, + LOG_WARNING, + LOG_ERROR + +} LOG_TYPE; + +////////////////////////////////////////////////// +// Logging // +////////////////////////////////////////////////// /** - * @brief Apply the event to all the processes + * @brief Define log variables * */ -#define DEBUGGER_EVENT_APPLY_TO_ALL_PROCESSES 0xffffffff +#if UseDbgPrintInsteadOfUsermodeMessageTracking +/* Use DbgPrint */ +# define Logformat, ...) \ + DbgPrint("[+] Information (%s:%d) | " format "\n", \ + __func__, \ + __LINE__, \ + __VA_ARGS__) + +# define LogWarning(format, ...) \ + DbgPrint("[-] Warning (%s:%d) | " format "\n", \ + __func__, \ + __LINE__, \ + __VA_ARGS__) + +# define LogError(format, ...) \ + DbgPrint("[!] Error (%s:%d) | " format "\n", \ + __func__, \ + __LINE__, \ + __VA_ARGS__); \ + DbgBreakPoint() /** - * @brief Apply to all Model Specific Registers + * @brief Log without any prefix * */ -#define DEBUGGER_EVENT_MSR_READ_OR_WRITE_ALL_MSRS 0xffffffff +# define Log(format, ...) \ + DbgPrint(format, __VA_ARGS__) + +#else /** - * @brief Apply to all first 32 exceptions + * @brief Log, general * */ -#define DEBUGGER_EVENT_EXCEPTIONS_ALL_FIRST_32_ENTRIES 0xffffffff +# define LogInfo(format, ...) 
\ + LogCallbackPrepareAndSendMessageToQueue(OPERATION_LOG_INFO_MESSAGE, \ + UseImmediateMessaging, \ + ShowSystemTimeOnDebugMessages, \ + FALSE, \ + "[+] Information (%s:%d) | " format "\n", \ + __func__, \ + __LINE__, \ + __VA_ARGS__) /** - * @brief Apply to all syscalls and sysrets + * @brief Log in the case of priority message * */ -#define DEBUGGER_EVENT_SYSCALL_ALL_SYSRET_OR_SYSCALLS 0xffffffff +# define LogInfoPriority(format, ...) \ + LogCallbackPrepareAndSendMessageToQueue(OPERATION_LOG_INFO_MESSAGE, \ + TRUE, \ + ShowSystemTimeOnDebugMessages, \ + TRUE, \ + "[+] Information (%s:%d) | " format "\n", \ + __func__, \ + __LINE__, \ + __VA_ARGS__) /** - * @brief Apply to all I/O ports + * @brief Log in the case of warning * */ -#define DEBUGGER_EVENT_ALL_IO_PORTS 0xffffffff +# define LogWarning(format, ...) \ + LogCallbackPrepareAndSendMessageToQueue(OPERATION_LOG_WARNING_MESSAGE, \ + UseImmediateMessaging, \ + ShowSystemTimeOnDebugMessages, \ + TRUE, \ + "[-] Warning (%s:%d) | " format "\n", \ + __func__, \ + __LINE__, \ + __VA_ARGS__) /** - * @brief The constant to apply to all cores for bp command + * @brief Log in the case of error * */ -#define DEBUGGEE_BP_APPLY_TO_ALL_CORES 0xffffffff +# define LogError(format, ...) \ + LogCallbackPrepareAndSendMessageToQueue(OPERATION_LOG_ERROR_MESSAGE, \ + UseImmediateMessaging, \ + ShowSystemTimeOnDebugMessages, \ + TRUE, \ + "[!] Error (%s:%d) | " format "\n", \ + __func__, \ + __LINE__, \ + __VA_ARGS__); \ + if (DebugMode) \ + DbgBreakPoint() /** - * @brief The constant to apply to all processes for bp command + * @brief Log without any prefix * */ -#define DEBUGGEE_BP_APPLY_TO_ALL_PROCESSES 0xffffffff +# define Log(format, ...) 
\ + LogCallbackPrepareAndSendMessageToQueue(OPERATION_LOG_INFO_MESSAGE, \ + TRUE, \ + FALSE, \ + FALSE, \ + format, \ + __VA_ARGS__) /** - * @brief The constant to apply to all threads for bp command + * @brief Log without any prefix and bypass the stack + * problem (getting two temporary stacks in preparing phase) * */ -#define DEBUGGEE_BP_APPLY_TO_ALL_THREADS 0xffffffff +# define LogSimpleWithTag(tag, isimmdte, buffer, len) \ + LogCallbackSendMessageToQueue(tag, \ + isimmdte, \ + buffer, \ + len, \ + FALSE) + +#endif // UseDbgPrintInsteadOfUsermodeMessageTracking /** - * @brief for reading all registers in r command. + * @brief Log, initialize boot information and debug information * */ -#define DEBUGGEE_SHOW_ALL_REGISTERS 0xffffffff +#define LogDebugInfo(format, ...) \ + if (DebugMode) \ + LogCallbackPrepareAndSendMessageToQueue(OPERATION_LOG_INFO_MESSAGE, \ + UseImmediateMessaging, \ + ShowSystemTimeOnDebugMessages, \ + FALSE, \ + "[+] Information (%s:%d) | " format "\n", \ + __func__, \ + __LINE__, \ + __VA_ARGS__) -//..\..\..\bin\debug\SDK\Headers\DataTypes.h +//..\..\..\bin\debug\SDK\Headers\Constants.h /** - * @file DataTypes.h + * @file Constants.h * @author Sina Karvandi (sina@hyperdbg.org) - * @brief HyperDbg's SDK data type definitions - * @details This file contains definitions of structures, enums, etc. + * @brief HyperDbg's SDK constants + * @details This file contains definitions of constants * used in HyperDbg * @version 0.2 - * @date 2022-06-22 + * @date 2022-06-24 * * @copyright This project is released under the GNU Public License v3. * 
@@ -1077,974 +1686,1151 @@ const unsigned char BuildSignature[] = { #pragma once ////////////////////////////////////////////////// -// Memory Stages // +// Version Information // ////////////////////////////////////////////////// -/** - * @brief Different levels of paging - * - */ -typedef enum _PAGING_LEVEL -{ - PagingLevelPageTable = 0, - PagingLevelPageDirectory, - PagingLevelPageDirectoryPointerTable, - PagingLevelPageMapLevel4 -} PAGING_LEVEL; +#define VERSION_MAJOR 1 +#define VERSION_MINOR 0 +#define VERSION_PATCH 0 -////////////////////////////////////////////////// -// Pool Manager // -////////////////////////////////////////////////// +// +// Example of __DATE__ string: "Jul 27 2012" +// 01234567890 -/** - * @brief Inum of intentions for buffers (buffer tag) - * - */ -typedef enum _POOL_ALLOCATION_INTENTION -{ - TRACKING_HOOKED_PAGES, - EXEC_TRAMPOLINE, - SPLIT_2MB_PAGING_TO_4KB_PAGE, - DETOUR_HOOK_DETAILS, - BREAKPOINT_DEFINITION_STRUCTURE, - PROCESS_THREAD_HOLDER, +#define BUILD_YEAR_CH0 (__DATE__[7]) +#define BUILD_YEAR_CH1 (__DATE__[8]) +#define BUILD_YEAR_CH2 (__DATE__[9]) +#define BUILD_YEAR_CH3 (__DATE__[10]) - // - // Instant event buffers - // - INSTANT_REGULAR_EVENT_BUFFER, - INSTANT_BIG_EVENT_BUFFER, - INSTANT_REGULAR_EVENT_ACTION_BUFFER, - INSTANT_BIG_EVENT_ACTION_BUFFER, +#define BUILD_MONTH_IS_JAN (__DATE__[0] == 'J' && __DATE__[1] == 'a' && __DATE__[2] == 'n') +#define BUILD_MONTH_IS_FEB (__DATE__[0] == 'F') +#define BUILD_MONTH_IS_MAR (__DATE__[0] == 'M' && __DATE__[1] == 'a' && __DATE__[2] == 'r') +#define BUILD_MONTH_IS_APR (__DATE__[0] == 'A' && __DATE__[1] == 'p') +#define BUILD_MONTH_IS_MAY (__DATE__[0] == 'M' && __DATE__[1] == 'a' && __DATE__[2] == 'y') +#define BUILD_MONTH_IS_JUN (__DATE__[0] == 'J' && __DATE__[1] == 'u' && __DATE__[2] == 'n') +#define BUILD_MONTH_IS_JUL (__DATE__[0] == 'J' && __DATE__[1] == 'u' && __DATE__[2] == 'l') +#define BUILD_MONTH_IS_AUG (__DATE__[0] == 'A' && __DATE__[1] == 'u') +#define BUILD_MONTH_IS_SEP 
(__DATE__[0] == 'S') +#define BUILD_MONTH_IS_OCT (__DATE__[0] == 'O') +#define BUILD_MONTH_IS_NOV (__DATE__[0] == 'N') +#define BUILD_MONTH_IS_DEC (__DATE__[0] == 'D') + +#define BUILD_MONTH_CH0 \ + ((BUILD_MONTH_IS_OCT || BUILD_MONTH_IS_NOV || BUILD_MONTH_IS_DEC) ? '1' : '0') + +#define BUILD_MONTH_CH1 \ + ( \ + (BUILD_MONTH_IS_JAN) ? '1' : (BUILD_MONTH_IS_FEB) ? '2' \ + : (BUILD_MONTH_IS_MAR) ? '3' \ + : (BUILD_MONTH_IS_APR) ? '4' \ + : (BUILD_MONTH_IS_MAY) ? '5' \ + : (BUILD_MONTH_IS_JUN) ? '6' \ + : (BUILD_MONTH_IS_JUL) ? '7' \ + : (BUILD_MONTH_IS_AUG) ? '8' \ + : (BUILD_MONTH_IS_SEP) ? '9' \ + : (BUILD_MONTH_IS_OCT) ? '0' \ + : (BUILD_MONTH_IS_NOV) ? '1' \ + : (BUILD_MONTH_IS_DEC) ? '2' \ + : /* error default */ '?') + +#define BUILD_DAY_CH0 ((__DATE__[4] >= '0') ? (__DATE__[4]) : '0') +#define BUILD_DAY_CH1 (__DATE__[5]) - // - // Use for request safe buffers of the event - // - INSTANT_REGULAR_SAFE_BUFFER_FOR_EVENTS, - INSTANT_BIG_SAFE_BUFFER_FOR_EVENTS, +// +// Example of __TIME__ string: "21:06:19" +// 01234567 -} POOL_ALLOCATION_INTENTION; +#define BUILD_HOUR_CH0 (__TIME__[0]) +#define BUILD_HOUR_CH1 (__TIME__[1]) -////////////////////////////////////////////////// -// Debug Registers Modifications // -////////////////////////////////////////////////// +#define BUILD_MIN_CH0 (__TIME__[3]) +#define BUILD_MIN_CH1 (__TIME__[4]) -typedef enum _DEBUG_REGISTER_TYPE -{ - BREAK_ON_INSTRUCTION_FETCH, - BREAK_ON_WRITE_ONLY, - BREAK_ON_IO_READ_OR_WRITE_NOT_SUPPORTED, - BREAK_ON_READ_AND_WRITE_BUT_NOT_FETCH -} DEBUG_REGISTER_TYPE; +#define BUILD_SEC_CH0 (__TIME__[6]) +#define BUILD_SEC_CH1 (__TIME__[7]) -////////////////////////////////////////////////// -// Execution Stages // -////////////////////////////////////////////////// +#if VERSION_MAJOR > 100 -typedef enum _VMX_EXECUTION_MODE -{ - VmxExecutionModeNonRoot = FALSE, - VmxExecutionModeRoot = TRUE -} VMX_EXECUTION_MODE; +# define VERSION_MAJOR_INIT \ + ((VERSION_MAJOR / 100) + '0'), \ + (((VERSION_MAJOR % 100) 
/ 10) + '0'), \ + ((VERSION_MAJOR % 10) + '0') -/** - * @brief Type of calling the event - * - */ -typedef enum _VMM_CALLBACK_EVENT_CALLING_STAGE_TYPE -{ - VMM_CALLBACK_CALLING_STAGE_INVALID_EVENT_EMULATION = 0, - VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION = 1, - VMM_CALLBACK_CALLING_STAGE_POST_EVENT_EMULATION = 2, - VMM_CALLBACK_CALLING_STAGE_ALL_EVENT_EMULATION = 3 +#elif VERSION_MAJOR > 10 -} VMM_CALLBACK_EVENT_CALLING_STAGE_TYPE; +# define VERSION_MAJOR_INIT \ + ((VERSION_MAJOR / 10) + '0'), \ + ((VERSION_MAJOR % 10) + '0') -/** - * @brief enum to query different process and thread interception mechanisms - * - */ -typedef enum _DEBUGGER_THREAD_PROCESS_TRACING -{ +#else - DEBUGGER_THREAD_PROCESS_TRACING_INTERCEPT_CLOCK_INTERRUPTS_FOR_THREAD_CHANGE, - DEBUGGER_THREAD_PROCESS_TRACING_INTERCEPT_CLOCK_INTERRUPTS_FOR_PROCESS_CHANGE, - DEBUGGER_THREAD_PROCESS_TRACING_INTERCEPT_CLOCK_DEBUG_REGISTER_INTERCEPTION, - DEBUGGER_THREAD_PROCESS_TRACING_INTERCEPT_CLOCK_WAITING_FOR_MOV_CR3_VM_EXITS, +# define VERSION_MAJOR_INIT \ + (VERSION_MAJOR + '0') -} DEBUGGER_THREAD_PROCESS_TRACING; +#endif -////////////////////////////////////////////////// -// Callback Definitions // -////////////////////////////////////////////////// +#if VERSION_MINOR > 100 -/** - * @brief Callback type that can be used to be used - * as a custom ShowMessages function - * - */ -typedef int (*Callback)(const char * Text); +# define VERSION_MINOR_INIT \ + ((VERSION_MINOR / 100) + '0'), \ + (((VERSION_MINOR % 100) / 10) + '0'), \ + ((VERSION_MINOR % 10) + '0') -////////////////////////////////////////////////// -// Communications // -////////////////////////////////////////////////// +#elif VERSION_MINOR > 10 -/** - * @brief The structure of user-input packet in HyperDbg - * - */ -typedef struct _DEBUGGEE_USER_INPUT_PACKET -{ - UINT32 CommandLen; - BOOLEAN IgnoreFinishedSignal; - UINT32 Result; +# define VERSION_MINOR_INIT \ + ((VERSION_MINOR / 10) + '0'), \ + ((VERSION_MINOR % 10) + '0') - // - // 
The user's input is here - // +#else -} DEBUGGEE_USER_INPUT_PACKET, *PDEBUGGEE_USER_INPUT_PACKET; +# define VERSION_MINOR_INIT \ + (VERSION_MINOR + '0') -/** - * @brief The structure of user-input packet in HyperDbg - * - */ -typedef struct _DEBUGGEE_EVENT_AND_ACTION_HEADER_FOR_REMOTE_PACKET -{ - UINT32 Length; +#endif - // - // The buffer for event and action is here - // +#if VERSION_PATCH > 100 -} DEBUGGEE_EVENT_AND_ACTION_HEADER_FOR_REMOTE_PACKET, - *PDEBUGGEE_EVENT_AND_ACTION_HEADER_FOR_REMOTE_PACKET; +# define VERSION_PATCH_INIT \ + ((VERSION_PATCH / 100) + '0'), \ + (((VERSION_PATCH % 100) / 10) + '0'), \ + ((VERSION_PATCH % 10) + '0') -////////////////////////////////////////////////// -// Pausing // -////////////////////////////////////////////////// +#elif VERSION_PATCH > 10 -#define SIZEOF_DEBUGGER_PAUSE_PACKET_RECEIVED \ - sizeof(DEBUGGER_PAUSE_PACKET_RECEIVED) +# define VERSION_PATCH_INIT \ + ((VERSION_PATCH / 10) + '0'), \ + ((VERSION_PATCH % 10) + '0') -/** - * @brief request to pause and halt the system - * - */ -typedef struct _DEBUGGER_PAUSE_PACKET_RECEIVED -{ - UINT32 Result; // Result from kernel +#else -} DEBUGGER_PAUSE_PACKET_RECEIVED, *PDEBUGGER_PAUSE_PACKET_RECEIVED; +# define VERSION_PATCH_INIT \ + (VERSION_PATCH + '0') -/* ============================================================================================== - */ +#endif -/** - * @brief The structure of detail of a triggered event in HyperDbg - * @details This structure is also used for transferring breakpoint ids, RIP as the context, etc. 
- * - */ -typedef struct _DEBUGGER_TRIGGERED_EVENT_DETAILS -{ - UINT64 Tag; /* in breakpoints Tag is breakpoint id, not event tag */ - PVOID Context; - VMM_CALLBACK_EVENT_CALLING_STAGE_TYPE Stage; +#ifndef HYPERDBG_KERNEL_MODE -} DEBUGGER_TRIGGERED_EVENT_DETAILS, *PDEBUGGER_TRIGGERED_EVENT_DETAILS; +const unsigned char BuildDateTime[] = { + BUILD_YEAR_CH0, + BUILD_YEAR_CH1, + BUILD_YEAR_CH2, + BUILD_YEAR_CH3, + '-', + BUILD_MONTH_CH0, + BUILD_MONTH_CH1, + '-', + BUILD_DAY_CH0, + BUILD_DAY_CH1, + ' ', + BUILD_HOUR_CH0, + BUILD_HOUR_CH1, + ':', + BUILD_MIN_CH0, + BUILD_MIN_CH1, + ':', + BUILD_SEC_CH0, + BUILD_SEC_CH1, -/* ============================================================================================== - */ + '\0'}; -/** - * @brief The structure of pausing packet in kHyperDbg - * - */ -typedef struct _DEBUGGEE_KD_PAUSED_PACKET -{ - UINT64 Rip; - BOOLEAN IsProcessorOn32BitMode; // if true shows that the address should be interpreted in 32-bit mode - BOOLEAN IgnoreDisassembling; // if check if diassembling should be ignored or not - DEBUGGEE_PAUSING_REASON PausingReason; - ULONG CurrentCore; - UINT64 EventTag; - VMM_CALLBACK_EVENT_CALLING_STAGE_TYPE EventCallingStage; - UINT64 Rflags; - BYTE InstructionBytesOnRip[MAXIMUM_INSTR_SIZE]; - UINT16 ReadInstructionLen; +const unsigned char CompleteVersion[] = { + 'v', + VERSION_MAJOR_INIT, + '.', + VERSION_MINOR_INIT, + '.', + VERSION_PATCH_INIT, + '\0'}; -} DEBUGGEE_KD_PAUSED_PACKET, *PDEBUGGEE_KD_PAUSED_PACKET; +const unsigned char BuildVersion[] = { + BUILD_YEAR_CH0, + BUILD_YEAR_CH1, + BUILD_YEAR_CH2, + BUILD_YEAR_CH3, + BUILD_MONTH_CH0, + BUILD_MONTH_CH1, + BUILD_DAY_CH0, + BUILD_DAY_CH1, + '.', + BUILD_HOUR_CH0, + BUILD_HOUR_CH1, + BUILD_MIN_CH0, + BUILD_MIN_CH1, -/* ============================================================================================== - */ + '\0'}; -/** - * @brief The structure of pausing packet in uHyperDbg - * - */ -typedef struct _DEBUGGEE_UD_PAUSED_PACKET -{ - UINT64 Rip; - 
UINT64 ProcessDebuggingToken; - BOOLEAN Is32Bit; // if true shows that the address should be interpreted in 32-bit mode - DEBUGGEE_PAUSING_REASON PausingReason; - UINT32 ProcessId; - UINT32 ThreadId; - UINT64 Rflags; - UINT64 EventTag; - VMM_CALLBACK_EVENT_CALLING_STAGE_TYPE EventCallingStage; - BYTE InstructionBytesOnRip[MAXIMUM_INSTR_SIZE]; - UINT16 ReadInstructionLen; - GUEST_REGS GuestRegs; +const unsigned char BuildSignature[] = { + VERSION_MAJOR_INIT, + '.', + VERSION_MINOR_INIT, + '.', + VERSION_PATCH_INIT, + '-', + BUILD_YEAR_CH0, + BUILD_YEAR_CH1, + BUILD_YEAR_CH2, + BUILD_YEAR_CH3, + BUILD_MONTH_CH0, + BUILD_MONTH_CH1, + BUILD_DAY_CH0, + BUILD_DAY_CH1, + '.', + BUILD_HOUR_CH0, + BUILD_HOUR_CH1, + BUILD_MIN_CH0, + BUILD_MIN_CH1, -} DEBUGGEE_UD_PAUSED_PACKET, *PDEBUGGEE_UD_PAUSED_PACKET; + '\0'}; + +#endif // SCRIPT_ENGINE_KERNEL_MODE ////////////////////////////////////////////////// -// Message Tracing Enums // +// Message Tracing // ////////////////////////////////////////////////// /** - * @brief Type of transferring buffer between user-to-kernel - * + * @brief Default buffer count of packets for message tracing + * @details number of packets storage for regular buffers */ -typedef enum _NOTIFY_TYPE -{ - IRP_BASED, - EVENT_BASED -} NOTIFY_TYPE; - -////////////////////////////////////////////////// -// Structures // -////////////////////////////////////////////////// +#define MaximumPacketsCapacity 1000 /** - * @brief The structure of message packet in HyperDbg - * + * @brief Default buffer count of packets for message tracing + * @details number of packets storage for priority buffers */ -typedef struct _DEBUGGEE_MESSAGE_PACKET -{ - UINT32 OperationCode; - CHAR Message[PacketChunkSize]; - -} DEBUGGEE_MESSAGE_PACKET, *PDEBUGGEE_MESSAGE_PACKET; +#define MaximumPacketsCapacityPriority 50 /** - * @brief Used to register event for transferring buffer between user-to-kernel - * + * @brief Size of normal OS (processor) pages */ -typedef struct 
_REGISTER_NOTIFY_BUFFER -{ - NOTIFY_TYPE Type; - HANDLE hEvent; - -} REGISTER_NOTIFY_BUFFER, *PREGISTER_NOTIFY_BUFFER; +#define NORMAL_PAGE_SIZE 4096 // PAGE_SIZE -////////////////////////////////////////////////// -// Direct VMCALL // -////////////////////////////////////////////////// +/** + * @brief Size of each packet + */ +#define PacketChunkSize NORMAL_PAGE_SIZE /** - * @brief Used for sending direct VMCALLs on the VMX root-mode + * @brief size of user-mode buffer + * @details Because of operation code at the start of the + * buffer + 1 for null-termminating * */ -typedef struct _DIRECT_VMCALL_PARAMETERS -{ - UINT64 OptionalParam1; - UINT64 OptionalParam2; - UINT64 OptionalParam3; - -} DIRECT_VMCALL_PARAMETERS, *PDIRECT_VMCALL_PARAMETERS; - -////////////////////////////////////////////////// -// EPT Hook // -////////////////////////////////////////////////// +#define UsermodeBufferSize sizeof(UINT32) + PacketChunkSize + 1 /** - * @brief different type of memory addresses + * @brief size of buffer for serial + * @details the maximum packet size for sending over serial * */ -typedef enum _DEBUGGER_HOOK_MEMORY_TYPE -{ - DEBUGGER_MEMORY_HOOK_VIRTUAL_ADDRESS, - DEBUGGER_MEMORY_HOOK_PHYSICAL_ADDRESS -} DEBUGGER_HOOK_MEMORY_TYPE; +#define MaxSerialPacketSize 10 * NORMAL_PAGE_SIZE /** - * @brief Temporary $context used in some EPT hook commands + * @brief Final storage size of message tracing * */ -typedef struct _EPT_HOOKS_CONTEXT -{ - UINT64 HookingTag; // This is same as the event tag - UINT64 PhysicalAddress; - UINT64 VirtualAddress; -} EPT_HOOKS_CONTEXT, *PEPT_HOOKS_CONTEXT; +#define LogBufferSize \ + MaximumPacketsCapacity *(PacketChunkSize + sizeof(BUFFER_HEADER)) /** - * @brief Setting details for EPT Hooks (!monitor) + * @brief Final storage size of message tracing * */ -typedef struct _EPT_HOOKS_ADDRESS_DETAILS_FOR_MEMORY_MONITOR -{ - UINT64 StartAddress; - UINT64 EndAddress; - BOOLEAN SetHookForRead; - BOOLEAN SetHookForWrite; - BOOLEAN SetHookForExec; - 
DEBUGGER_HOOK_MEMORY_TYPE MemoryType; - UINT64 Tag; - -} EPT_HOOKS_ADDRESS_DETAILS_FOR_MEMORY_MONITOR, *PEPT_HOOKS_ADDRESS_DETAILS_FOR_MEMORY_MONITOR; +#define LogBufferSizePriority \ + MaximumPacketsCapacityPriority *(PacketChunkSize + sizeof(BUFFER_HEADER)) /** - * @brief Setting details for EPT Hooks (!epthook2) + * @brief limitation of Windows DbgPrint message size + * @details currently is not functional * */ -typedef struct _EPT_HOOKS_ADDRESS_DETAILS_FOR_EPTHOOK2 -{ - PVOID TargetAddress; - PVOID HookFunction; - -} EPT_HOOKS_ADDRESS_DETAILS_FOR_EPTHOOK2, *PEPT_HOOKS_ADDRESS_DETAILS_FOR_EPTHOOK2; +#define DbgPrintLimitation 512 /** - * @brief Details of unhooking single EPT hooks + * @brief The seeds that user-mode codes use as the starter + * of their events' tag * */ -typedef struct _EPT_SINGLE_HOOK_UNHOOKING_DETAILS -{ - BOOLEAN CallerNeedsToRestoreEntryAndInvalidateEpt; - BOOLEAN RemoveBreakpointInterception; - SIZE_T PhysicalAddress; - UINT64 /* EPT_PML1_ENTRY */ OriginalEntry; - -} EPT_SINGLE_HOOK_UNHOOKING_DETAILS, *PEPT_SINGLE_HOOK_UNHOOKING_DETAILS; +#define DebuggerEventTagStartSeed 0x1000000 -////////////////////////////////////////////////// -// Segment Types // -////////////////////////////////////////////////// +/** + * @brief The seeds that user-mode thread detail token start with it + * @details This seed should not start with zero (0), otherwise it's + * interpreted as error + */ +#define DebuggerThreadDebuggingTagStartSeed 0x1000000 /** - * @brief Describe segment selector in VMX - * @details This structure is copied from ia32.h to the SDK to - * be used as a data type for functions + * @brief The seeds that user-mode codes use as the starter + * of their output source tag * */ -typedef union -{ - struct - { - /** - * [Bits 3:0] Segment type. - */ - UINT32 Type : 4; - - /** - * [Bit 4] S - Descriptor type (0 = system; 1 = code or data). - */ - UINT32 DescriptorType : 1; - - /** - * [Bits 6:5] DPL - Descriptor privilege level. 
- */ - UINT32 DescriptorPrivilegeLevel : 2; - - /** - * [Bit 7] P - Segment present. - */ - UINT32 Present : 1; - - UINT32 Reserved1 : 4; - - /** - * [Bit 12] AVL - Available for use by system software. - */ - UINT32 AvailableBit : 1; - - /** - * [Bit 13] Reserved (except for CS). L - 64-bit mode active (for CS only). - */ - UINT32 LongMode : 1; - - /** - * [Bit 14] D/B - Default operation size (0 = 16-bit segment; 1 = 32-bit segment). - */ - UINT32 DefaultBig : 1; - - /** - * [Bit 15] G - Granularity. - */ - UINT32 Granularity : 1; - /** - * [Bit 16] Segment unusable (0 = usable; 1 = unusable). - */ - UINT32 Unusable : 1; - UINT32 Reserved2 : 15; - }; - - UINT32 AsUInt; -} VMX_SEGMENT_ACCESS_RIGHTS_TYPE; +#define DebuggerOutputSourceTagStartSeed 0x1 /** - * @brief Segment selector + * @brief Determines how many sources a debugger can have for + * a single event * */ -typedef struct _VMX_SEGMENT_SELECTOR -{ - UINT16 Selector; - VMX_SEGMENT_ACCESS_RIGHTS_TYPE Attributes; - UINT32 Limit; - UINT64 Base; -} VMX_SEGMENT_SELECTOR, *PVMX_SEGMENT_SELECTOR; - +#define DebuggerOutputSourceMaximumRemoteSourceForSingleEvent 0x5 -//..\..\..\bin\debug\SDK\Headers\ErrorCodes.h /** - * @file ErrorCodes.h - * @author Sina Karvandi (sina@hyperdbg.org) - * @brief HyperDbg's SDK Error codes - * @details This file contains definitions of error codes used in HyperDbg - * @version 0.2 - * @date 2022-06-24 - * - * @copyright This project is released under the GNU Public License v3. 
+ * @brief The size of each chunk of memory used in the 'memcpy' function + * of the script engine for transferring buffers in the VMX-root mode * */ -#pragma once +#define DebuggerScriptEngineMemcpyMovingBufferSize 64 ////////////////////////////////////////////////// -// Success Codes // +// EPT Hook // ////////////////////////////////////////////////// /** - * @brief General value to indicate that the operation or - * request was successful + * @brief Maximum number of initial pre-allocated EPT hooks * */ -#define DEBUGGER_OPERATION_WAS_SUCCESSFUL 0xFFFFFFFF +#define MAXIMUM_NUMBER_OF_INITIAL_PREALLOCATED_EPT_HOOKS 5 ////////////////////////////////////////////////// -// Error Codes // +// Instant Event Configs // ////////////////////////////////////////////////// /** - * @brief error, the tag not exist + * @brief Maximum number of (regular) instant events that are pre-allocated * */ -#define DEBUGGER_ERROR_TAG_NOT_EXISTS 0xc0000000 +#define MAXIMUM_REGULAR_INSTANT_EVENTS 20 /** - * @brief error, invalid type of action + * @brief Maximum number of (big) instant events that are pre-allocated * */ -#define DEBUGGER_ERROR_INVALID_ACTION_TYPE 0xc0000001 +#define MAXIMUM_BIG_INSTANT_EVENTS 0 /** - * @brief error, the action buffer size is invalid + * @brief Pre-allocated size for a regular event + conditions buffer * */ -#define DEBUGGER_ERROR_ACTION_BUFFER_SIZE_IS_ZERO 0xc0000002 +#define REGULAR_INSTANT_EVENT_CONDITIONAL_BUFFER sizeof(DEBUGGER_EVENT) + 100 /** - * @brief error, the event type is unknown + * @brief Pre-allocated size for a big event + conditions buffer * */ -#define DEBUGGER_ERROR_EVENT_TYPE_IS_INVALID 0xc0000003 +#define BIG_INSTANT_EVENT_CONDITIONAL_BUFFER sizeof(DEBUGGER_EVENT) + PAGE_SIZE /** - * @brief error, enable to create event + * @brief Pre-allocated size for a regular action + custom code or script buffer * */ -#define DEBUGGER_ERROR_UNABLE_TO_CREATE_EVENT 0xc0000004 +#define REGULAR_INSTANT_EVENT_ACTION_BUFFER 
sizeof(DEBUGGER_EVENT_ACTION) + (PAGE_SIZE * 2) /** - * @brief error, invalid address specified for debugger + * @brief Pre-allocated size for a big action + custom code or script buffer * */ -#define DEBUGGER_ERROR_INVALID_ADDRESS 0xc0000005 +#define BIG_INSTANT_EVENT_ACTION_BUFFER sizeof(DEBUGGER_EVENT_ACTION) + MaxSerialPacketSize /** - * @brief error, the core id is invalid + * @brief Pre-allocated size for a regular requested safe buffer * */ -#define DEBUGGER_ERROR_INVALID_CORE_ID 0xc0000006 +#define REGULAR_INSTANT_EVENT_REQUESTED_SAFE_BUFFER PAGE_SIZE /** - * @brief error, the index is greater than 32 in !exception command + * @brief Pre-allocated size for a big requested safe buffer * */ -#define DEBUGGER_ERROR_EXCEPTION_INDEX_EXCEED_FIRST_32_ENTRIES 0xc0000007 +#define BIG_INSTANT_EVENT_REQUESTED_SAFE_BUFFER MaxSerialPacketSize + +////////////////////////////////////////////////// +// Remote Connection // +////////////////////////////////////////////////// /** - * @brief error, the index for !interrupt command is not between 32 to 256 + * @brief default port of HyperDbg for listening by + * debuggee (server, guest) * */ -#define DEBUGGER_ERROR_INTERRUPT_INDEX_IS_NOT_VALID 0xc0000008 +#define DEFAULT_PORT "50000" /** - * @brief error, unable to hide the debugger and enter to transparent-mode - * + * @brief Packet size for TCP connections + * @details Note that we might add something to the kernel buffers + * that's why we add 0x100 to it */ -#define DEBUGGER_ERROR_UNABLE_TO_HIDE_OR_UNHIDE_DEBUGGER 0xc0000009 +#define COMMUNICATION_BUFFER_SIZE PacketChunkSize + 0x100 + +////////////////////////////////////////////////// +// VMCALL Numbers // +////////////////////////////////////////////////// /** - * @brief error, the debugger is already in transparent-mode + * @brief The start number of VMCALL number allowed to be + * used by top-level drivers * */ -#define DEBUGGER_ERROR_DEBUGGER_ALREADY_UHIDE 0xc000000a +#define TOP_LEVEL_DRIVERS_VMCALL_STARTING_NUMBER 
0x00000200 /** - * @brief error, invalid parameters in !e* e* commands + * @brief The start number of VMCALL number allowed to be + * used by top-level drivers * */ -#define DEBUGGER_ERROR_EDIT_MEMORY_STATUS_INVALID_PARAMETER 0xc000000b +#define TOP_LEVEL_DRIVERS_VMCALL_ENDING_NUMBER TOP_LEVEL_DRIVERS_VMCALL_STARTING_NUMBER + 0x100 + +////////////////////////////////////////////////// +// Operation Codes // +////////////////////////////////////////////////// /** - * @brief error, an invalid address is specified based on current cr3 - * in !e* or e* commands - * + * @brief If a operation use this bit in its Operation code, + * then it means that the operation should be performed + * mandatorily in debuggee and should not be sent to the debugger */ -#define DEBUGGER_ERROR_EDIT_MEMORY_STATUS_INVALID_ADDRESS_BASED_ON_CURRENT_PROCESS \ - 0xc000000c +#define OPERATION_MANDATORY_DEBUGGEE_BIT (1 << 31) /** - * @brief error, an invalid address is specified based on anotehr process's cr3 - * in !e* or e* commands - * + * @brief Message logs id that comes from kernel-mode to + * user-mode + * @details Message area >= 0x5 */ -#define DEBUGGER_ERROR_EDIT_MEMORY_STATUS_INVALID_ADDRESS_BASED_ON_OTHER_PROCESS \ - 0xc000000d +#define OPERATION_LOG_INFO_MESSAGE 1U +#define OPERATION_LOG_WARNING_MESSAGE 2U +#define OPERATION_LOG_ERROR_MESSAGE 3U +#define OPERATION_LOG_NON_IMMEDIATE_MESSAGE 4U +#define OPERATION_LOG_WITH_TAG 5U + +#define OPERATION_COMMAND_FROM_DEBUGGER_CLOSE_AND_UNLOAD_VMM \ + 6U | OPERATION_MANDATORY_DEBUGGEE_BIT +#define OPERATION_DEBUGGEE_USER_INPUT 7U | OPERATION_MANDATORY_DEBUGGEE_BIT +#define OPERATION_DEBUGGEE_REGISTER_EVENT 8U | OPERATION_MANDATORY_DEBUGGEE_BIT +#define OPERATION_DEBUGGEE_ADD_ACTION_TO_EVENT \ + 9 | OPERATION_MANDATORY_DEBUGGEE_BIT +#define OPERATION_DEBUGGEE_CLEAR_EVENTS 10U | OPERATION_MANDATORY_DEBUGGEE_BIT +#define OPERATION_DEBUGGEE_CLEAR_EVENTS_WITHOUT_NOTIFYING_DEBUGGER 11U | OPERATION_MANDATORY_DEBUGGEE_BIT +#define 
OPERATION_HYPERVISOR_DRIVER_IS_SUCCESSFULLY_LOADED \ + 12U | OPERATION_MANDATORY_DEBUGGEE_BIT +#define OPERATION_HYPERVISOR_DRIVER_END_OF_IRPS \ + 13U | OPERATION_MANDATORY_DEBUGGEE_BIT +#define OPERATION_COMMAND_FROM_DEBUGGER_RELOAD_SYMBOL \ + 14U | OPERATION_MANDATORY_DEBUGGEE_BIT + +#define OPERATION_NOTIFICATION_FROM_USER_DEBUGGER_PAUSE \ + 15U | OPERATION_MANDATORY_DEBUGGEE_BIT + +////////////////////////////////////////////////// +// Breakpoints & Debug Breakpoints // +////////////////////////////////////////////////// /** - * @brief error, invalid tag for 'events' command (tag id is unknown for kernel) - * + * @brief maximum number of buffers to be allocated for a single + * breakpoint */ -#define DEBUGGER_ERROR_MODIFY_EVENTS_INVALID_TAG 0xc000000e +#define MAXIMUM_BREAKPOINTS_WITHOUT_CONTINUE 100 /** - * @brief error, type of action (enable/disable/clear) is wrong + * @brief maximum number of thread/process ids to be allocated for a simultaneous + * debugging + * @details it shows the maximum number of threads/processes that HyperDbg sets + * trap flag for them * */ -#define DEBUGGER_ERROR_MODIFY_EVENTS_INVALID_TYPE_OF_ACTION 0xc000000f +#define MAXIMUM_NUMBER_OF_THREAD_INFORMATION_FOR_TRAPS 200 + +////////////////////////////////////////////////// +// Pool tags used in HyperDbg // +////////////////////////////////////////////////// /** - * @brief error, invalid parameters steppings actions + * @brief Pool tag * */ -#define DEBUGGER_ERROR_STEPPING_INVALID_PARAMETER 0xc0000010 +#define POOLTAG 0x48444247 // [H]yper[DBG] (HDBG) + +////////////////////////////////////////////////// +// End of Buffer Detection // +////////////////////////////////////////////////// /** - * @brief error, thread is invalid (not found) or disabled in - * stepping (step-in & step-out) requests - * + * @brief count of characters for serial end of buffer */ -#define DEBUGGER_ERROR_STEPPINGS_EITHER_THREAD_NOT_FOUND_OR_DISABLED 0xc0000011 +#define SERIAL_END_OF_BUFFER_CHARS_COUNT 0x4 
/** - * @brief error, baud rate is invalid - * + * @brief characters of the buffer that we set at the end of + * buffers for serial */ -#define DEBUGGER_ERROR_PREPARING_DEBUGGEE_INVALID_BAUDRATE 0xc0000012 +#define SERIAL_END_OF_BUFFER_CHAR_1 0x00 +#define SERIAL_END_OF_BUFFER_CHAR_2 0x80 +#define SERIAL_END_OF_BUFFER_CHAR_3 0xEE +#define SERIAL_END_OF_BUFFER_CHAR_4 0xFF /** - * @brief error, serial port address is invalid - * + * @brief count of characters for tcp end of buffer */ -#define DEBUGGER_ERROR_PREPARING_DEBUGGEE_INVALID_SERIAL_PORT 0xc0000013 +#define TCP_END_OF_BUFFER_CHARS_COUNT 0x4 /** - * @brief error, invalid core selected in changing core in remote debuggee - * + * @brief characters of the buffer that we set at the end of + * buffers for tcp */ -#define DEBUGGER_ERROR_PREPARING_DEBUGGEE_INVALID_CORE_IN_REMOTE_DEBUGGE \ - 0xc0000014 +#define TCP_END_OF_BUFFER_CHAR_1 0x10 +#define TCP_END_OF_BUFFER_CHAR_2 0x20 +#define TCP_END_OF_BUFFER_CHAR_3 0x33 +#define TCP_END_OF_BUFFER_CHAR_4 0x44 + +////////////////////////////////////////////////// +// Name of OS // +////////////////////////////////////////////////// /** - * @brief error, invalid process selected in changing process in remote debuggee + * @brief maximum name for OS name buffer * */ -#define DEBUGGER_ERROR_PREPARING_DEBUGGEE_UNABLE_TO_SWITCH_TO_NEW_PROCESS \ - 0xc0000015 +#define MAXIMUM_CHARACTER_FOR_OS_NAME 256 + +////////////////////////////////////////////////// +// Processor Details // +////////////////////////////////////////////////// /** - * @brief error, unable to run script in remote debuggee - * + * @brief maximum instruction size in Intel */ -#define DEBUGGER_ERROR_PREPARING_DEBUGGEE_TO_RUN_SCRIPT 0xc0000016 +#define MAXIMUM_INSTR_SIZE 16 /** - * @brief error, invalid register number - * + * @brief maximum size for call instruction in Intel */ -#define DEBUGGER_ERROR_INVALID_REGISTER_NUMBER 0xc0000017 +#define MAXIMUM_CALL_INSTR_SIZE 7 + 
+////////////////////////////////////////////////// +// Symbols Details // +////////////////////////////////////////////////// /** - * @brief error, maximum pools were used without continuing debuggee - * + * @brief maximum supported modules to load + * their symbol information */ -#define DEBUGGER_ERROR_MAXIMUM_BREAKPOINT_WITHOUT_CONTINUE 0xc0000018 +#define MAXIMUM_SUPPORTED_SYMBOLS 1000 /** - * @brief error, breakpoint already exists on the target address - * + * @brief maximum size for GUID and Age of PE + * @detail It seems that 33 bytes is enough but let's + * have more space because there might be sth that we + * missed :) */ -#define DEBUGGER_ERROR_BREAKPOINT_ALREADY_EXISTS_ON_THE_ADDRESS 0xc0000019 +#define MAXIMUM_GUID_AND_AGE_SIZE 60 + +////////////////////////////////////////////////// +// Debuggee Communication // +////////////////////////////////////////////////// /** - * @brief error, breakpoint id not found + * @brief constant indicator of a HyperDbg packet + * @warning used in hwdbg * */ -#define DEBUGGER_ERROR_BREAKPOINT_ID_NOT_FOUND 0xc000001a +#define INDICATOR_OF_HYPERDBG_PACKET \ + 0x4859504552444247 // HYPERDBG = 0x4859504552444247 + +////////////////////////////////////////////////// +// Command Details // +////////////////////////////////////////////////// /** - * @brief error, breakpoint already disabled + * @brief maximum results that will be returned by !s* s* + * command * */ -#define DEBUGGER_ERROR_BREAKPOINT_ALREADY_DISABLED 0xc000001b +#define MaximumSearchResults 0x1000 + +////////////////////////////////////////////////// +// Script Engine // +////////////////////////////////////////////////// /** - * @brief error, breakpoint already enabled + * @brief EFLAGS/RFLAGS * */ -#define DEBUGGER_ERROR_BREAKPOINT_ALREADY_ENABLED 0xc000001c +#define X86_FLAGS_CF (1 << 0) +#define X86_FLAGS_PF (1 << 2) +#define X86_FLAGS_AF (1 << 4) +#define X86_FLAGS_ZF (1 << 6) +#define X86_FLAGS_SF (1 << 7) +#define X86_FLAGS_TF (1 << 8) +#define 
X86_FLAGS_IF (1 << 9) +#define X86_FLAGS_DF (1 << 10) +#define X86_FLAGS_OF (1 << 11) +#define X86_FLAGS_STATUS_MASK (0xfff) +#define X86_FLAGS_IOPL_MASK (3 << 12) +#define X86_FLAGS_IOPL_SHIFT (12) +#define X86_FLAGS_IOPL_SHIFT_2ND_BIT (13) +#define X86_FLAGS_NT (1 << 14) +#define X86_FLAGS_RF (1 << 16) +#define X86_FLAGS_VM (1 << 17) +#define X86_FLAGS_AC (1 << 18) +#define X86_FLAGS_VIF (1 << 19) +#define X86_FLAGS_VIP (1 << 20) +#define X86_FLAGS_ID (1 << 21) +#define X86_FLAGS_RESERVED_ONES 0x2 +#define X86_FLAGS_RESERVED 0xffc0802a + +#define X86_FLAGS_RESERVED_BITS 0xffc38028 +#define X86_FLAGS_FIXED 0x00000002 + +#ifndef LOWORD +# define LOWORD(l) ((WORD)(l)) +#endif // !LOWORD + +#ifndef HIWORD +# define HIWORD(l) ((WORD)(((DWORD)(l) >> 16) & 0xFFFF)) +#endif // !HIWORD + +#ifndef LOBYTE +# define LOBYTE(w) ((BYTE)(w)) +#endif // !LOBYTE + +#ifndef HIBYTE +# define HIBYTE(w) ((BYTE)(((WORD)(w) >> 8) & 0xFF)) +#endif // !HIBYTE + +#define MAX_TEMP_COUNT 128 + +#define MAX_STACK_BUFFER_COUNT 128 + +// TODO: Extract number of variables from input of ScriptEngine +// and allocate variableList Dynamically. 
+#define MAX_VAR_COUNT 512 + +#define MAX_FUNCTION_NAME_LENGTH 32 + +////////////////////////////////////////////////// +// Debugger // +////////////////////////////////////////////////// /** - * @brief error, memory type is invalid + * @brief Apply event modifications to all tags * */ -#define DEBUGGER_ERROR_MEMORY_TYPE_INVALID 0xc000001d +#define DEBUGGER_MODIFY_EVENTS_APPLY_TO_ALL_TAG 0xffffffffffffffff /** - * @brief error, the process id is invalid + * @brief Maximum length for a function (to be used in showing distance + * from symbol functions in the 'u' command) * */ -#define DEBUGGER_ERROR_INVALID_PROCESS_ID 0xc000001e +#define DISASSEMBLY_MAXIMUM_DISTANCE_FROM_OBJECT_NAME 0xffff /** - * @brief error, for event specific reasons the event is not - * applied + * @brief Read and write MSRs to all cores * */ -#define DEBUGGER_ERROR_EVENT_IS_NOT_APPLIED 0xc000001f +#define DEBUGGER_READ_AND_WRITE_ON_MSR_APPLY_ALL_CORES 0xffffffff /** - * @brief error, for process switch or process details, invalid parameter + * @brief Apply the event to all the cores * */ -#define DEBUGGER_ERROR_DETAILS_OR_SWITCH_PROCESS_INVALID_PARAMETER 0xc0000020 +#define DEBUGGER_DEBUGGEE_IS_RUNNING_NO_CORE 0xffffffff /** - * @brief error, for thread switch or thread details, invalid parameter + * @brief Apply the event to all the cores * */ -#define DEBUGGER_ERROR_DETAILS_OR_SWITCH_THREAD_INVALID_PARAMETER 0xc0000021 +#define DEBUGGER_EVENT_APPLY_TO_ALL_CORES 0xffffffff /** - * @brief error, maximum breakpoint for a single page is hit + * @brief Apply the event to all the processes * */ -#define DEBUGGER_ERROR_MAXIMUM_BREAKPOINT_FOR_A_SINGLE_PAGE_IS_HIT 0xc0000022 +#define DEBUGGER_EVENT_APPLY_TO_ALL_PROCESSES 0xffffffff /** - * @brief error, there is no pre-allocated buffer + * @brief Apply to all Model Specific Registers * */ -#define DEBUGGER_ERROR_PRE_ALLOCATED_BUFFER_IS_EMPTY 0xc0000023 +#define DEBUGGER_EVENT_MSR_READ_OR_WRITE_ALL_MSRS 0xffffffff /** - * @brief error, in the EPT 
handler, it could not split the 2MB pages to - * 512 entries of 4 KB pages + * @brief Apply to all first 32 exceptions * */ -#define DEBUGGER_ERROR_EPT_COULD_NOT_SPLIT_THE_LARGE_PAGE_TO_4KB_PAGES 0xc0000024 +#define DEBUGGER_EVENT_EXCEPTIONS_ALL_FIRST_32_ENTRIES 0xffffffff /** - * @brief error, failed to get PML1 entry of the target address + * @brief Apply to all syscalls and sysrets * */ -#define DEBUGGER_ERROR_EPT_FAILED_TO_GET_PML1_ENTRY_OF_TARGET_ADDRESS 0xc0000025 +#define DEBUGGER_EVENT_SYSCALL_ALL_SYSRET_OR_SYSCALLS 0xffffffff /** - * @brief error, multiple EPT Hooks or Monitors are applied on a single page + * @brief Apply to all I/O ports * */ -#define DEBUGGER_ERROR_EPT_MULTIPLE_HOOKS_IN_A_SINGLE_PAGE 0xc0000026 +#define DEBUGGER_EVENT_ALL_IO_PORTS 0xffffffff /** - * @brief error, could not build the EPT Hook + * @brief The constant to apply to all cores for bp command * */ -#define DEBUGGER_ERROR_COULD_NOT_BUILD_THE_EPT_HOOK 0xc0000027 +#define DEBUGGEE_BP_APPLY_TO_ALL_CORES 0xffffffff /** - * @brief error, could not find the type of allocation + * @brief The constant to apply to all processes for bp command * */ -#define DEBUGGER_ERROR_COULD_NOT_FIND_ALLOCATION_TYPE 0xc0000028 +#define DEBUGGEE_BP_APPLY_TO_ALL_PROCESSES 0xffffffff /** - * @brief error, could not find the index of test query + * @brief The constant to apply to all threads for bp command * */ -#define DEBUGGER_ERROR_INVALID_TEST_QUERY_INDEX 0xc0000029 +#define DEBUGGEE_BP_APPLY_TO_ALL_THREADS 0xffffffff /** - * @brief error, failed to attach to the target user-mode process + * @brief for reading all registers in r command. 
* */ -#define DEBUGGER_ERROR_UNABLE_TO_ATTACH_TO_TARGET_USER_MODE_PROCESS 0xc000002a +#define DEBUGGEE_SHOW_ALL_REGISTERS 0xffffffff -/** - * @brief error, failed to remove hooks as entrypoint is not reached yet - * @details The caller of this functionality should keep sending the previous - * IOCTL until the hook is remove successfully - * - */ -#define DEBUGGER_ERROR_UNABLE_TO_REMOVE_HOOKS_ENTRYPOINT_NOT_REACHED 0xc000002b +//..\..\..\bin\debug\SDK\Headers\DataTypes.h /** - * @brief error, could not remove the previous hook + * @file DataTypes.h + * @author Sina Karvandi (sina@hyperdbg.org) + * @brief HyperDbg's SDK data type definitions + * @details This file contains definitions of structures, enums, etc. + * used in HyperDbg + * @version 0.2 + * @date 2022-06-22 * - */ -#define DEBUGGER_ERROR_UNABLE_TO_REMOVE_HOOKS 0xc000002c - -/** - * @brief error, the needed routines for debugging is not initialized + * @copyright This project is released under the GNU Public License v3. * */ -#define DEBUGGER_ERROR_FUNCTIONS_FOR_INITIALIZING_PEB_ADDRESSES_ARE_NOT_INITIALIZED 0xc000002d +#pragma once -/** - * @brief error, unable to get 32-bit or 64-bit of the target process - * - */ -#define DEBUGGER_ERROR_UNABLE_TO_DETECT_32_BIT_OR_64_BIT_PROCESS 0xc000002e +////////////////////////////////////////////////// +// Memory Stages // +////////////////////////////////////////////////// /** - * @brief error, unable to kill the target process + * @brief Different levels of paging * */ -#define DEBUGGER_ERROR_UNABLE_TO_KILL_THE_PROCESS 0xc000002f +typedef enum _PAGING_LEVEL +{ + PagingLevelPageTable = 0, + PagingLevelPageDirectory, + PagingLevelPageDirectoryPointerTable, + PagingLevelPageMapLevel4 +} PAGING_LEVEL; -/** - * @brief error, invalid thread debugging token - * - */ -#define DEBUGGER_ERROR_INVALID_THREAD_DEBUGGING_TOKEN 0xc0000030 +////////////////////////////////////////////////// +// Pool Manager // +////////////////////////////////////////////////// /** - * @brief 
error, unable to pause the process's threads + * @brief Inum of intentions for buffers (buffer tag) * */ -#define DEBUGGER_ERROR_UNABLE_TO_PAUSE_THE_PROCESS_THREADS 0xc0000031 +typedef enum _POOL_ALLOCATION_INTENTION +{ + TRACKING_HOOKED_PAGES, + EXEC_TRAMPOLINE, + SPLIT_2MB_PAGING_TO_4KB_PAGE, + DETOUR_HOOK_DETAILS, + BREAKPOINT_DEFINITION_STRUCTURE, + PROCESS_THREAD_HOLDER, -/** - * @brief error, user debugger already attached to this process - * - */ -#define DEBUGGER_ERROR_UNABLE_TO_ATTACH_TO_AN_ALREADY_ATTACHED_PROCESS 0xc0000032 + // + // Instant event buffers + // + INSTANT_REGULAR_EVENT_BUFFER, + INSTANT_BIG_EVENT_BUFFER, + INSTANT_REGULAR_EVENT_ACTION_BUFFER, + INSTANT_BIG_EVENT_ACTION_BUFFER, -/** - * @brief error, the user debugger is not attached to the target process - * - */ -#define DEBUGGER_ERROR_THE_USER_DEBUGGER_NOT_ATTACHED_TO_THE_PROCESS 0xc0000033 + // + // Use for request safe buffers of the event + // + INSTANT_REGULAR_SAFE_BUFFER_FOR_EVENTS, + INSTANT_BIG_SAFE_BUFFER_FOR_EVENTS, -/** - * @brief error, cannot detach from the process as there are paused threads - * - */ -#define DEBUGGER_ERROR_UNABLE_TO_DETACH_AS_THERE_ARE_PAUSED_THREADS 0xc0000034 +} POOL_ALLOCATION_INTENTION; -/** - * @brief error, cannot switch to new thread as the process id or thread id is not found - * - */ -#define DEBUGGER_ERROR_UNABLE_TO_SWITCH_PROCESS_ID_OR_THREAD_ID_IS_INVALID 0xc0000035 +////////////////////////////////////////////////// +// Debug Registers Modifications // +////////////////////////////////////////////////// -/** - * @brief error, cannot switch to new thread the process doesn't contain an active thread - * - */ -#define DEBUGGER_ERROR_UNABLE_TO_SWITCH_THERE_IS_NO_THREAD_ON_THE_PROCESS 0xc0000036 +typedef enum _DEBUG_REGISTER_TYPE +{ + BREAK_ON_INSTRUCTION_FETCH, + BREAK_ON_WRITE_ONLY, + BREAK_ON_IO_READ_OR_WRITE_NOT_SUPPORTED, + BREAK_ON_READ_AND_WRITE_BUT_NOT_FETCH +} DEBUG_REGISTER_TYPE; -/** - * @brief error, unable to get modules - * - */ 
-#define DEBUGGER_ERROR_UNABLE_TO_GET_MODULES_OF_THE_PROCESS 0xc0000037 +////////////////////////////////////////////////// +// Execution Stages // +////////////////////////////////////////////////// + +typedef enum _VMX_EXECUTION_MODE +{ + VmxExecutionModeNonRoot = FALSE, + VmxExecutionModeRoot = TRUE +} VMX_EXECUTION_MODE; /** - * @brief error, unable to get the callstack + * @brief Type of calling the event * */ -#define DEBUGGER_ERROR_UNABLE_TO_GET_CALLSTACK 0xc0000038 +typedef enum _VMM_CALLBACK_EVENT_CALLING_STAGE_TYPE +{ + VMM_CALLBACK_CALLING_STAGE_INVALID_EVENT_EMULATION = 0, + VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION = 1, + VMM_CALLBACK_CALLING_STAGE_POST_EVENT_EMULATION = 2, + VMM_CALLBACK_CALLING_STAGE_ALL_EVENT_EMULATION = 3 + +} VMM_CALLBACK_EVENT_CALLING_STAGE_TYPE; /** - * @brief error, unable to query count of processes or threads + * @brief enum to query different process and thread interception mechanisms * */ -#define DEBUGGER_ERROR_UNABLE_TO_QUERY_COUNT_OF_PROCESSES_OR_THREADS 0xc0000039 +typedef enum _DEBUGGER_THREAD_PROCESS_TRACING +{ + + DEBUGGER_THREAD_PROCESS_TRACING_INTERCEPT_CLOCK_INTERRUPTS_FOR_THREAD_CHANGE, + DEBUGGER_THREAD_PROCESS_TRACING_INTERCEPT_CLOCK_INTERRUPTS_FOR_PROCESS_CHANGE, + DEBUGGER_THREAD_PROCESS_TRACING_INTERCEPT_CLOCK_DEBUG_REGISTER_INTERCEPTION, + DEBUGGER_THREAD_PROCESS_TRACING_INTERCEPT_CLOCK_WAITING_FOR_MOV_CR3_VM_EXITS, + +} DEBUGGER_THREAD_PROCESS_TRACING; + +////////////////////////////////////////////////// +// Callback Definitions // +////////////////////////////////////////////////// /** - * @brief error, using short-circuiting event with post-event mode is - * not supported in HyperDbg + * @brief Callback type that can be used to be used + * as a custom ShowMessages function * */ -#define DEBUGGER_ERROR_USING_SHORT_CIRCUITING_EVENT_WITH_POST_EVENT_MODE_IS_FORBIDDEDN 0xc000003a +typedef int (*Callback)(const char * Text); + +////////////////////////////////////////////////// +// Communications // 
+////////////////////////////////////////////////// /** - * @brief error, unknown test query is received + * @brief The structure of user-input packet in HyperDbg * */ -#define DEBUGGER_ERROR_UNKNOWN_TEST_QUERY_RECEIVED 0xc000003b +typedef struct _DEBUGGEE_USER_INPUT_PACKET +{ + UINT32 CommandLen; + BOOLEAN IgnoreFinishedSignal; + UINT32 Result; + + // + // The user's input is here + // + +} DEBUGGEE_USER_INPUT_PACKET, *PDEBUGGEE_USER_INPUT_PACKET; /** - * @brief error, for reading from memory in case of invalid parameters + * @brief The structure of user-input packet in HyperDbg * */ -#define DEBUGGER_ERROR_READING_MEMORY_INVALID_PARAMETER 0xc000003c +typedef struct _DEBUGGEE_EVENT_AND_ACTION_HEADER_FOR_REMOTE_PACKET +{ + UINT32 Length; + + // + // The buffer for event and action is here + // + +} DEBUGGEE_EVENT_AND_ACTION_HEADER_FOR_REMOTE_PACKET, + *PDEBUGGEE_EVENT_AND_ACTION_HEADER_FOR_REMOTE_PACKET; + +////////////////////////////////////////////////// +// Pausing // +////////////////////////////////////////////////// + +#define SIZEOF_DEBUGGER_PAUSE_PACKET_RECEIVED \ + sizeof(DEBUGGER_PAUSE_PACKET_RECEIVED) /** - * @brief error, the list of threads/process trap flag is full + * @brief request to pause and halt the system * */ -#define DEBUGGER_ERROR_THE_TRAP_FLAG_LIST_IS_FULL 0xc000003d +typedef struct _DEBUGGER_PAUSE_PACKET_RECEIVED +{ + UINT32 Result; // Result from kernel -/** - * @brief error, unable to kill the target process. 
process does not exists - * - */ -#define DEBUGGER_ERROR_UNABLE_TO_KILL_THE_PROCESS_DOES_NOT_EXISTS 0xc000003e +} DEBUGGER_PAUSE_PACKET_RECEIVED, *PDEBUGGER_PAUSE_PACKET_RECEIVED; -/** - * @brief error, the execution mode is incorrect - * +/* ============================================================================================== */ -#define DEBUGGER_ERROR_MODE_EXECUTION_IS_INVALID 0xc000003f /** - * @brief error, the process id cannot be specified while the debugger is in VMX-root mode + * @brief The structure of detail of a triggered event in HyperDbg + * @details This structure is also used for transferring breakpoint ids, RIP as the context, etc. * */ -#define DEBUGGER_ERROR_PROCESS_ID_CANNOT_BE_SPECIFIED_WHILE_APPLYING_EVENT_FROM_VMX_ROOT_MODE 0xc0000040 +typedef struct _DEBUGGER_TRIGGERED_EVENT_DETAILS +{ + UINT64 Tag; /* in breakpoints Tag is breakpoint id, not event tag */ + PVOID Context; + VMM_CALLBACK_EVENT_CALLING_STAGE_TYPE Stage; -/** - * @brief error, the preallocated buffer is not enough for storing event+conditional buffer - * - */ -#define DEBUGGER_ERROR_INSTANT_EVENT_PREALLOCATED_BUFFER_IS_NOT_ENOUGH_FOR_EVENT_AND_CONDITIONALS 0xc0000041 +} DEBUGGER_TRIGGERED_EVENT_DETAILS, *PDEBUGGER_TRIGGERED_EVENT_DETAILS; -/** - * @brief error, the regular preallocated buffer not found - * +/* ============================================================================================== */ -#define DEBUGGER_ERROR_INSTANT_EVENT_REGULAR_PREALLOCATED_BUFFER_NOT_FOUND 0xc0000042 /** - * @brief error, the big preallocated buffer not found + * @brief The structure of pausing packet in kHyperDbg * */ -#define DEBUGGER_ERROR_INSTANT_EVENT_BIG_PREALLOCATED_BUFFER_NOT_FOUND 0xc0000043 +typedef struct _DEBUGGEE_KD_PAUSED_PACKET +{ + UINT64 Rip; + BOOLEAN IsProcessorOn32BitMode; // if true shows that the address should be interpreted in 32-bit mode + BOOLEAN IgnoreDisassembling; // if check if diassembling should be ignored or not + DEBUGGEE_PAUSING_REASON 
PausingReason; + ULONG CurrentCore; + UINT64 EventTag; + VMM_CALLBACK_EVENT_CALLING_STAGE_TYPE EventCallingStage; + UINT64 Rflags; + BYTE InstructionBytesOnRip[MAXIMUM_INSTR_SIZE]; + UINT16 ReadInstructionLen; -/** - * @brief error, enable to create action (cannot allocate buffer) - * - */ -#define DEBUGGER_ERROR_UNABLE_TO_CREATE_ACTION_CANNOT_ALLOCATE_BUFFER 0xc0000044 +} DEBUGGEE_KD_PAUSED_PACKET, *PDEBUGGEE_KD_PAUSED_PACKET; -/** - * @brief error, the regular preallocated buffer not found (for action) - * +/* ============================================================================================== */ -#define DEBUGGER_ERROR_INSTANT_EVENT_ACTION_REGULAR_PREALLOCATED_BUFFER_NOT_FOUND 0xc0000045 /** - * @brief error, the big preallocated buffer not found (for action) + * @brief The structure of pausing packet in uHyperDbg * */ -#define DEBUGGER_ERROR_INSTANT_EVENT_ACTION_BIG_PREALLOCATED_BUFFER_NOT_FOUND 0xc0000046 +typedef struct _DEBUGGEE_UD_PAUSED_PACKET +{ + UINT64 Rip; + UINT64 ProcessDebuggingToken; + BOOLEAN Is32Bit; // if true shows that the address should be interpreted in 32-bit mode + DEBUGGEE_PAUSING_REASON PausingReason; + UINT32 ProcessId; + UINT32 ThreadId; + UINT64 Rflags; + UINT64 EventTag; + VMM_CALLBACK_EVENT_CALLING_STAGE_TYPE EventCallingStage; + BYTE InstructionBytesOnRip[MAXIMUM_INSTR_SIZE]; + UINT16 ReadInstructionLen; + GUEST_REGS GuestRegs; -/** - * @brief error, the preallocated buffer is not enough for storing action buffer - * - */ -#define DEBUGGER_ERROR_INSTANT_EVENT_PREALLOCATED_BUFFER_IS_NOT_ENOUGH_FOR_ACTION_BUFFER 0xc0000047 +} DEBUGGEE_UD_PAUSED_PACKET, *PDEBUGGEE_UD_PAUSED_PACKET; + +////////////////////////////////////////////////// +// Message Tracing Enums // +////////////////////////////////////////////////// /** - * @brief error, the requested optional buffer is bigger than send/receive stack of the debugger + * @brief Type of transferring buffer between user-to-kernel * */ -#define 
DEBUGGER_ERROR_INSTANT_EVENT_REQUESTED_OPTIONAL_BUFFER_IS_BIGGER_THAN_DEBUGGERS_SEND_RECEIVE_STACK 0xc0000048 +typedef enum _NOTIFY_TYPE +{ + IRP_BASED, + EVENT_BASED +} NOTIFY_TYPE; + +////////////////////////////////////////////////// +// Structures // +////////////////////////////////////////////////// /** - * @brief error, the requested safe buffer does not exist (regular) + * @brief The structure of message packet in HyperDbg * */ -#define DEBUGGER_ERROR_INSTANT_EVENT_REGULAR_REQUESTED_SAFE_BUFFER_NOT_FOUND 0xc0000049 +typedef struct _DEBUGGEE_MESSAGE_PACKET +{ + UINT32 OperationCode; + CHAR Message[PacketChunkSize]; + +} DEBUGGEE_MESSAGE_PACKET, *PDEBUGGEE_MESSAGE_PACKET; /** - * @brief error, the requested safe buffer does not exists (big) + * @brief Used to register event for transferring buffer between user-to-kernel * */ -#define DEBUGGER_ERROR_INSTANT_EVENT_BIG_REQUESTED_SAFE_BUFFER_NOT_FOUND 0xc000004a +typedef struct _REGISTER_NOTIFY_BUFFER +{ + NOTIFY_TYPE Type; + HANDLE hEvent; + +} REGISTER_NOTIFY_BUFFER, *PREGISTER_NOTIFY_BUFFER; + +////////////////////////////////////////////////// +// Direct VMCALL // +////////////////////////////////////////////////// /** - * @brief error, the preallocated buffer is not enough for storing safe requested buffer + * @brief Used for sending direct VMCALLs on the VMX root-mode * */ -#define DEBUGGER_ERROR_INSTANT_EVENT_PREALLOCATED_BUFFER_IS_NOT_ENOUGH_FOR_REQUESTED_SAFE_BUFFER 0xc000004b +typedef struct _DIRECT_VMCALL_PARAMETERS +{ + UINT64 OptionalParam1; + UINT64 OptionalParam2; + UINT64 OptionalParam3; + +} DIRECT_VMCALL_PARAMETERS, *PDIRECT_VMCALL_PARAMETERS; + +////////////////////////////////////////////////// +// EPT Hook // +////////////////////////////////////////////////// /** - * @brief error, enable to create requested safe buffer (cannot allocate buffer) + * @brief different type of memory addresses * */ -#define DEBUGGER_ERROR_UNABLE_TO_ALLOCATE_REQUESTED_SAFE_BUFFER 0xc000004c +typedef enum 
_DEBUGGER_HOOK_MEMORY_TYPE +{ + DEBUGGER_MEMORY_HOOK_VIRTUAL_ADDRESS, + DEBUGGER_MEMORY_HOOK_PHYSICAL_ADDRESS +} DEBUGGER_HOOK_MEMORY_TYPE; /** - * @brief error, could not find the type of preactivation + * @brief Temporary $context used in some EPT hook commands * */ -#define DEBUGGER_ERROR_COULD_NOT_FIND_PREACTIVATION_TYPE 0xc000004d +typedef struct _EPT_HOOKS_CONTEXT +{ + UINT64 HookingTag; // This is same as the event tag + UINT64 PhysicalAddress; + UINT64 VirtualAddress; +} EPT_HOOKS_CONTEXT, *PEPT_HOOKS_CONTEXT; /** - * @brief error, the mode exec trap is not already initialized + * @brief Setting details for EPT Hooks (!monitor) * */ -#define DEBUGGER_ERROR_THE_MODE_EXEC_TRAP_IS_NOT_INITIALIZED 0xc000004e +typedef struct _EPT_HOOKS_ADDRESS_DETAILS_FOR_MEMORY_MONITOR +{ + UINT64 StartAddress; + UINT64 EndAddress; + BOOLEAN SetHookForRead; + BOOLEAN SetHookForWrite; + BOOLEAN SetHookForExec; + DEBUGGER_HOOK_MEMORY_TYPE MemoryType; + UINT64 Tag; + +} EPT_HOOKS_ADDRESS_DETAILS_FOR_MEMORY_MONITOR, *PEPT_HOOKS_ADDRESS_DETAILS_FOR_MEMORY_MONITOR; /** - * @brief error, the target event(s) is/are disabled but cannot clear them because the buffer of the user-mode - * priority is full + * @brief Setting details for EPT Hooks (!epthook2) * */ -#define DEBUGGER_ERROR_THE_TARGET_EVENT_IS_DISABLED_BUT_CANNOT_BE_CLEARED_PRIRITY_BUFFER_IS_FULL 0xc000004f +typedef struct _EPT_HOOKS_ADDRESS_DETAILS_FOR_EPTHOOK2 +{ + PVOID TargetAddress; + PVOID HookFunction; + +} EPT_HOOKS_ADDRESS_DETAILS_FOR_EPTHOOK2, *PEPT_HOOKS_ADDRESS_DETAILS_FOR_EPTHOOK2; /** - * @brief error, not all cores are locked (probably due to a race condition in HyperDbg) in - * instant-event mechanism + * @brief Details of unhooking single EPT hooks * */ -#define DEBUGGER_ERROR_NOT_ALL_CORES_ARE_LOCKED_FOR_APPLYING_INSTANT_EVENT 0xc0000050 +typedef struct _EPT_SINGLE_HOOK_UNHOOKING_DETAILS +{ + BOOLEAN CallerNeedsToRestoreEntryAndInvalidateEpt; + BOOLEAN RemoveBreakpointInterception; + SIZE_T PhysicalAddress; + 
UINT64 /* EPT_PML1_ENTRY */ OriginalEntry; + +} EPT_SINGLE_HOOK_UNHOOKING_DETAILS, *PEPT_SINGLE_HOOK_UNHOOKING_DETAILS; + +////////////////////////////////////////////////// +// Segment Types // +////////////////////////////////////////////////// /** - * @brief error, switching to the target core is not possible because core is not locked - * (probably due to a race condition in HyperDbg) + * @brief Describe segment selector in VMX + * @details This structure is copied from ia32.h to the SDK to + * be used as a data type for functions * */ -#define DEBUGGER_ERROR_TARGET_SWITCHING_CORE_IS_NOT_LOCKED 0xc0000051 +typedef union +{ + struct + { + /** + * [Bits 3:0] Segment type. + */ + UINT32 Type : 4; + + /** + * [Bit 4] S - Descriptor type (0 = system; 1 = code or data). + */ + UINT32 DescriptorType : 1; + + /** + * [Bits 6:5] DPL - Descriptor privilege level. + */ + UINT32 DescriptorPrivilegeLevel : 2; + + /** + * [Bit 7] P - Segment present. + */ + UINT32 Present : 1; + + UINT32 Reserved1 : 4; + + /** + * [Bit 12] AVL - Available for use by system software. + */ + UINT32 AvailableBit : 1; + + /** + * [Bit 13] Reserved (except for CS). L - 64-bit mode active (for CS only). + */ + UINT32 LongMode : 1; + + /** + * [Bit 14] D/B - Default operation size (0 = 16-bit segment; 1 = 32-bit segment). + */ + UINT32 DefaultBig : 1; + + /** + * [Bit 15] G - Granularity. + */ + UINT32 Granularity : 1; + /** + * [Bit 16] Segment unusable (0 = usable; 1 = unusable). 
+ */ + UINT32 Unusable : 1; + UINT32 Reserved2 : 15; + }; + + UINT32 AsUInt; +} VMX_SEGMENT_ACCESS_RIGHTS_TYPE; /** - * @brief error, invalid physical address + * @brief Segment selector * */ -#define DEBUGGER_ERROR_INVALID_PHYSICAL_ADDRESS 0xc0000052 - -// -// WHEN YOU ADD ANYTHING TO THIS LIST OF ERRORS, THEN -// MAKE SURE TO ADD AN ERROR MESSAGE TO ShowErrorMessage(UINT32 Error) -// FUNCTION -// +typedef struct _VMX_SEGMENT_SELECTOR +{ + UINT16 Selector; + VMX_SEGMENT_ACCESS_RIGHTS_TYPE Attributes; + UINT32 Limit; + UINT64 Base; +} VMX_SEGMENT_SELECTOR, *PVMX_SEGMENT_SELECTOR; //..\..\..\bin\debug\SDK\Headers\Events.h 
@@ -2479,176 +3265,204 @@ typedef struct _DEBUGGER_EVENT_AND_ACTION_RESULT #define SIZEOF_REGISTER_EVENT sizeof(REGISTER_NOTIFY_BUFFER) -//..\..\..\bin\debug\SDK\Headers\HardwareDebugger.h +//..\..\..\bin\debug\SDK\Imports\HyperDbgCtrlImports.h /** - * @file HardwareDebugger.h + * @file HyperDbgCtrlImports.h * @author Sina Karvandi (sina@hyperdbg.org) - * @brief HyperDbg's Hardware Debugger (hwdbg) types and constants - * @details This file contains definitions of hwdbg elements - * used in HyperDbg - * @version 0.9 - * @date 2024-04-28 + * @brief Headers relating exported functions from controller interface + * @version 0.2 + * @date 2023-02-02 * * @copyright This project is released under the GNU Public License v3. * */ #pragma once -////////////////////////////////////////////////// -// Definitions // -////////////////////////////////////////////////// - -/** - * @brief Initial debuggee to debugger offset - * - */ -#define DEFAULT_INITIAL_DEBUGGEE_TO_DEBUGGER_OFFSET 0x200 +#ifdef HYPERDBG_HPRDBGCTRL +# define IMPORT_EXPORT_CTRL __declspec(dllexport) +#else +# define IMPORT_EXPORT_CTRL __declspec(dllimport) +#endif -/** - * @brief Initial debugger to debuggee offset - * - */ -#define DEFAULT_INITIAL_DEBUGGER_TO_DEBUGGEE_OFFSET 0x0 +// +// Header file of HPRDBGCTRL +// Imports +// +#ifdef __cplusplus +extern "C" { +#endif -////////////////////////////////////////////////// -// Enums // -////////////////////////////////////////////////// +// +// Support Detection +// +IMPORT_EXPORT_CTRL bool HyperDbgVmxSupportDetection(); +IMPORT_EXPORT_CTRL void HyperDbgReadVendorString(char *); -/** - * @brief Different action of hwdbg - * @warning This file should be changed along with hwdbg files - * - */ -typedef enum _HWDBG_ACTION_ENUMS -{ - hwdbgActionSendInstanceInfo = 1, - hwdbgActionConfigureScriptBuffer = 2, +// +// VMM Module +// +IMPORT_EXPORT_CTRL int HyperDbgLoadVmm(); +IMPORT_EXPORT_CTRL int HyperDbgUnloadVmm(); +IMPORT_EXPORT_CTRL int HyperDbgInstallVmmDriver(); 
+IMPORT_EXPORT_CTRL int HyperDbgUninstallVmmDriver(); +IMPORT_EXPORT_CTRL int HyperDbgStopVmmDriver(); -} HWDBG_ACTION_ENUMS; +// +// General imports +// +IMPORT_EXPORT_CTRL int HyperDbgInterpreter(char * Command); +IMPORT_EXPORT_CTRL void HyperDbgShowSignature(); +IMPORT_EXPORT_CTRL void HyperDbgSetTextMessageCallback(Callback handler); +IMPORT_EXPORT_CTRL int HyperDbgScriptReadFileAndExecuteCommandline(int argc, char * argv[]); +IMPORT_EXPORT_CTRL bool HyperDbgContinuePreviousCommand(); +IMPORT_EXPORT_CTRL bool HyperDbgCheckMultilineCommand(char * CurrentCommand, bool Reset); -/** - * @brief Different responses come from hwdbg - * @warning This file should be changed along with hwdbg files - * - */ -typedef enum _HWDBG_RESPONSE_ENUMS -{ - hwdbgResponseSuccessOrErrorMessage = 1, - hwdbgResponseInstanceInfo = 2, +#ifdef __cplusplus +} +#endif -} HWDBG_RESPONSE_ENUMS; +//..\..\..\bin\debug\SDK\Imports\HyperDbgHyperLogImports.h /** - * @brief Different success or error codes in hwdbg - * @warning This file should be changed along with hwdbg files + * @file HyperDbgHyperLogImports.h + * @author Sina Karvandi (sina@hyperdbg.org) + * @brief Headers relating exported functions from hyperlog project + * @version 0.1 + * @date 2023-01-15 + * + * @copyright This project is released under the GNU Public License v3. 
* */ -typedef enum _HWDBG_SUCCESS_OR_ERROR_ENUMS -{ - hwdbgOperationWasSuccessful = 0x7FFFFFFF, - hwdbgErrorInvalidPacket = 1, +#pragma once -} HWDBG_SUCCESS_OR_ERROR_ENUMS; +#ifdef HYPERDBG_HYPER_LOG +# define IMPORT_EXPORT_HYPERLOG __declspec(dllexport) +#else +# define IMPORT_EXPORT_HYPERLOG __declspec(dllimport) +#endif ////////////////////////////////////////////////// -// Structures // +// Functions // ////////////////////////////////////////////////// -/** - * @brief The structure of port information (each item) in hwdbg - * - */ -typedef struct _HWDBG_PORT_INFORMATION_ITEMS -{ - UINT32 PortSize; +IMPORT_EXPORT_HYPERLOG BOOLEAN +LogInitialize(MESSAGE_TRACING_CALLBACKS * MsgTracingCallbacks); -} HWDBG_PORT_INFORMATION_ITEMS, *PHWDBG_PORT_INFORMATION_ITEMS; +IMPORT_EXPORT_HYPERLOG VOID +LogUnInitialize(); -/** - * @brief The structure of script capabilities information in hwdbg - * - */ -typedef struct _HWDBG_INSTANCE_INFORMATION -{ - // - // ANY ADDITION TO THIS STRUCTURE SHOULD BE SYNCHRONIZED WITH SCALA AND INSTANCE INFO SENDER MODULE - // - UINT32 version; // Target version of HyperDbg (same as hwdbg) - UINT32 maximumNumberOfStages; // Number of stages that this instance of hwdbg supports (NumberOfSupportedStages == 0 means script engine is disabled) - UINT32 scriptVariableLength; // maximum length of variables (and other script elements) - UINT32 maximumNumberOfSupportedGetScriptOperators; // Maximum supported GET operators in a single func - UINT32 maximumNumberOfSupportedSetScriptOperators; // Maximum supported SET operators in a single func - UINT32 sharedMemorySize; // Size of shared memory - UINT32 debuggerAreaOffset; // The memory offset of debugger - UINT32 debuggeeAreaOffset; // The memory offset of debuggee - UINT32 numberOfPins; // Number of pins - UINT32 numberOfPorts; // Number of ports +IMPORT_EXPORT_HYPERLOG UINT32 +LogMarkAllAsRead(BOOLEAN IsVmxRoot); - // - // ANY ADDITION TO THIS STRUCTURE SHOULD BE SYNCHRONIZED WITH SCALA AND INSTANCE 
INFO SENDER MODULE - // +IMPORT_EXPORT_HYPERLOG BOOLEAN +LogCallbackPrepareAndSendMessageToQueue(UINT32 OperationCode, + BOOLEAN IsImmediateMessage, + BOOLEAN ShowCurrentSystemTime, + BOOLEAN Priority, + const char * Fmt, + ...); - struct _HWDBG_SCRIPT_CAPABILITIES - { - // - // ANY ADDITION TO THIS MASK SHOULD BE ADDED TO HwdbgInterpreterShowScriptCapabilities - // and HwdbgInterpreterCheckScriptBufferWithScriptCapabilities as well Scala file - // - UINT64 func_or : 1; - UINT64 func_xor : 1; - UINT64 func_and : 1; - UINT64 func_asr : 1; - UINT64 func_asl : 1; - UINT64 func_add : 1; - UINT64 func_sub : 1; - UINT64 func_mul : 1; - UINT64 func_div : 1; - UINT64 func_mod : 1; - UINT64 func_gt : 1; - UINT64 func_lt : 1; - UINT64 func_egt : 1; - UINT64 func_elt : 1; - UINT64 func_equal : 1; - UINT64 func_neq : 1; - UINT64 func_jmp : 1; - UINT64 func_jz : 1; - UINT64 func_jnz : 1; - UINT64 func_mov : 1; - UINT64 func_printf : 1; +IMPORT_EXPORT_HYPERLOG BOOLEAN +LogCallbackPrepareAndSendMessageToQueueWrapper(UINT32 OperationCode, + BOOLEAN IsImmediateMessage, + BOOLEAN ShowCurrentSystemTime, + BOOLEAN Priority, + const char * Fmt, + va_list ArgList); - // - // ANY ADDITION TO THIS MASK SHOULD BE ADDED TO HwdbgInterpreterShowScriptCapabilities - // and HwdbgInterpreterCheckScriptBufferWithScriptCapabilities as well Scala file - // +IMPORT_EXPORT_HYPERLOG BOOLEAN +LogCallbackSendBuffer(_In_ UINT32 OperationCode, + _In_reads_bytes_(BufferLength) PVOID Buffer, + _In_ UINT32 BufferLength, + _In_ BOOLEAN Priority); - } scriptCapabilities; +IMPORT_EXPORT_HYPERLOG BOOLEAN +LogCallbackCheckIfBufferIsFull(BOOLEAN Priority); - UINT32 bramAddrWidth; // BRAM address width - UINT32 bramDataWidth; // BRAM data width +IMPORT_EXPORT_HYPERLOG BOOLEAN +LogCallbackSendMessageToQueue(UINT32 OperationCode, BOOLEAN IsImmediateMessage, CHAR * LogMessage, UINT32 BufferLen, BOOLEAN Priority); - // - // Here the details of port arrangements are located (HWDBG_PORT_INFORMATION_ITEMS) - // As the 
following type: - // HWDBG_PORT_INFORMATION_ITEMS portsConfiguration[numberOfPorts] ; Port arrangement - // +IMPORT_EXPORT_HYPERLOG NTSTATUS +LogRegisterEventBasedNotification(PDEVICE_OBJECT DeviceObject, PIRP Irp); + +IMPORT_EXPORT_HYPERLOG NTSTATUS +LogRegisterIrpBasedNotification(PDEVICE_OBJECT DeviceObject, PIRP Irp); -} HWDBG_INSTANCE_INFORMATION, *PHWDBG_INSTANCE_INFORMATION; +//..\..\..\bin\debug\SDK\Imports\HyperDbgSymImports.h /** - * @brief The structure of script buffer in hwdbg + * @file HyperDbgSymImports.h + * @author Sina Karvandi (sina@hyperdbg.org) + * @brief Headers relating exported functions from symbol parser + * @version 0.2 + * @date 2023-02-02 + * + * @copyright This project is released under the GNU Public License v3. * */ -typedef struct _HWDBG_SCRIPT_BUFFER -{ - UINT32 scriptNumberOfSymbols; // Number of symbols in the script +#pragma once - // - // Here the script buffer is located - // - // UINT8 scriptBuffer[scriptNumberOfSymbols]; // The script buffer - // +// +// Header file of symbol-parser +// Imports +// +#ifdef __cplusplus +extern "C" { +#endif + +__declspec(dllimport) VOID + SymSetTextMessageCallback(PVOID Handler); +__declspec(dllimport) VOID + SymbolAbortLoading(); +__declspec(dllimport) UINT64 + SymConvertNameToAddress(const char * FunctionOrVariableName, PBOOLEAN WasFound); +__declspec(dllimport) UINT32 + SymLoadFileSymbol(UINT64 BaseAddress, const char * PdbFileName, const char * CustomModuleName); +__declspec(dllimport) UINT32 + SymUnloadAllSymbols(); +__declspec(dllimport) UINT32 + SymUnloadModuleSymbol(char * ModuleName); +__declspec(dllimport) UINT32 + SymSearchSymbolForMask(const char * SearchMask); +__declspec(dllimport) BOOLEAN + SymGetFieldOffset(CHAR * TypeName, CHAR * FieldName, UINT32 * FieldOffset); +__declspec(dllimport) BOOLEAN + SymGetDataTypeSize(CHAR * TypeName, UINT64 * TypeSize); +__declspec(dllimport) BOOLEAN + SymCreateSymbolTableForDisassembler(void * CallbackFunction); +__declspec(dllimport) BOOLEAN + 
SymConvertFileToPdbPath(const char * LocalFilePath, char * ResultPath); +__declspec(dllimport) BOOLEAN + SymConvertFileToPdbFileAndGuidAndAgeDetails(const char * LocalFilePath, + char * PdbFilePath, + char * GuidAndAgeDetails, + BOOLEAN Is32BitModule); +__declspec(dllimport) BOOLEAN + SymbolInitLoad(PVOID BufferToStoreDetails, + UINT32 StoredLength, + BOOLEAN DownloadIfAvailable, + const char * SymbolPath, + BOOLEAN IsSilentLoad); +__declspec(dllimport) BOOLEAN + SymShowDataBasedOnSymbolTypes(const char * TypeName, + UINT64 Address, + BOOLEAN IsStruct, + PVOID BufferAddress, + const char * AdditionalParameters); +__declspec(dllimport) BOOLEAN + SymQuerySizeof(_In_ const char * StructNameOrTypeName, _Out_ UINT32 * SizeOfField); +__declspec(dllimport) BOOLEAN + SymCastingQueryForFiledsAndTypes(_In_ const char * StructName, + _In_ const char * FiledOfStructName, + _Out_ PBOOLEAN IsStructNamePointerOrNot, + _Out_ PBOOLEAN IsFiledOfStructNamePointerOrNot, + _Out_ char ** NewStructOrTypeName, + _Out_ UINT32 * OffsetOfFieldFromTop, + _Out_ UINT32 * SizeOfField); -} HWDBG_SCRIPT_BUFFER, *PHWDBG_SCRIPT_BUFFER; +#ifdef __cplusplus +} +#endif //..\..\..\bin\debug\SDK\Headers\Ioctls.h 
@@ -2834,1663 +3648,1372 @@ typedef struct _HWDBG_SCRIPT_BUFFER /** * @brief ioctl, pause and halt the system * - */ -#define IOCTL_PAUSE_PACKET_RECEIVED \ - CTL_CODE(FILE_DEVICE_UNKNOWN, 0x811, METHOD_BUFFERED, FILE_ANY_ACCESS) - -/** - * @brief ioctl, send a signal that execution of command finished - * - */ -#define IOCTL_SEND_SIGNAL_EXECUTION_IN_DEBUGGEE_FINISHED \ - CTL_CODE(FILE_DEVICE_UNKNOWN, 0x812, METHOD_BUFFERED, FILE_ANY_ACCESS) - -/** - * @brief ioctl, send user-mode messages to the debugger - * - */ -#define IOCTL_SEND_USERMODE_MESSAGES_TO_DEBUGGER \ - CTL_CODE(FILE_DEVICE_UNKNOWN, 0x813, METHOD_BUFFERED, FILE_ANY_ACCESS) - -/** - * @brief ioctl, send general buffer from debuggee to debugger - * - */ -#define IOCTL_SEND_GENERAL_BUFFER_FROM_DEBUGGEE_TO_DEBUGGER \ - CTL_CODE(FILE_DEVICE_UNKNOWN, 0x814, METHOD_BUFFERED, FILE_ANY_ACCESS) - -/** - * @brief ioctl, to perform kernel-side tests - * - */ -#define IOCTL_PERFROM_KERNEL_SIDE_TESTS \ - CTL_CODE(FILE_DEVICE_UNKNOWN, 0x815, METHOD_BUFFERED, FILE_ANY_ACCESS) - -/** - * @brief ioctl, to reserve pre-allocated pools - * - */ -#define IOCTL_RESERVE_PRE_ALLOCATED_POOLS \ - CTL_CODE(FILE_DEVICE_UNKNOWN, 0x816, METHOD_BUFFERED, FILE_ANY_ACCESS) - -/** - * @brief ioctl, to send user debugger commands - * - */ -#define IOCTL_SEND_USER_DEBUGGER_COMMANDS \ - CTL_CODE(FILE_DEVICE_UNKNOWN, 0x817, METHOD_BUFFERED, FILE_ANY_ACCESS) - -/** - * @brief ioctl, to get active threads/processes that are debugging - * - */ -#define IOCTL_GET_DETAIL_OF_ACTIVE_THREADS_AND_PROCESSES \ - CTL_CODE(FILE_DEVICE_UNKNOWN, 0x818, METHOD_BUFFERED, FILE_ANY_ACCESS) - -/** - * @brief ioctl, to get user mode modules details - * - */ -#define IOCTL_GET_USER_MODE_MODULE_DETAILS \ - CTL_CODE(FILE_DEVICE_UNKNOWN, 0x819, METHOD_BUFFERED, FILE_ANY_ACCESS) - -/** - * @brief ioctl, query count of active threads or processes - * - */ -#define IOCTL_QUERY_COUNT_OF_ACTIVE_PROCESSES_OR_THREADS \ - CTL_CODE(FILE_DEVICE_UNKNOWN, 0x81a, 
METHOD_BUFFERED, FILE_ANY_ACCESS) - -/** - * @brief ioctl, to get list threads/processes - * - */ -#define IOCTL_GET_LIST_OF_THREADS_AND_PROCESSES \ - CTL_CODE(FILE_DEVICE_UNKNOWN, 0x81b, METHOD_BUFFERED, FILE_ANY_ACCESS) - -/** - * @brief ioctl, query the current process details - * - */ -#define IOCTL_QUERY_CURRENT_PROCESS \ - CTL_CODE(FILE_DEVICE_UNKNOWN, 0x81c, METHOD_BUFFERED, FILE_ANY_ACCESS) - -/** - * @brief ioctl, query the current thread details - * - */ -#define IOCTL_QUERY_CURRENT_THREAD \ - CTL_CODE(FILE_DEVICE_UNKNOWN, 0x81d, METHOD_BUFFERED, FILE_ANY_ACCESS) - -/** - * @brief ioctl, request service from the reversing machine - * - */ -#define IOCTL_REQUEST_REV_MACHINE_SERVICE \ - CTL_CODE(FILE_DEVICE_UNKNOWN, 0x81e, METHOD_BUFFERED, FILE_ANY_ACCESS) - -/** - * @brief ioctl, request to bring pages in - * - */ -#define IOCTL_DEBUGGER_BRING_PAGES_IN \ - CTL_CODE(FILE_DEVICE_UNKNOWN, 0x81f, METHOD_BUFFERED, FILE_ANY_ACCESS) - -/** - * @brief ioctl, to preactivate a functionality - * - */ -#define IOCTL_PREACTIVATE_FUNCTIONALITY \ - CTL_CODE(FILE_DEVICE_UNKNOWN, 0x820, METHOD_BUFFERED, FILE_ANY_ACCESS) - - -//..\..\..\bin\debug\SDK\Headers\RequestStructures.h -/** - * @file RequestStructures.h - * @author Sina Karvandi (sina@hyperdbg.org) - * @brief HyperDbg's SDK Headers Request Packets - * @details This file contains definitions of request packets (enums, structs) - * @version 0.2 - * @date 2022-06-28 - * - * @copyright This project is released under the GNU Public License v3. 
- * - */ -#pragma once - -#define SIZEOF_DEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS \ - sizeof(DEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS) - -/** - * @brief request for !pte command - * - */ -typedef struct _DEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS -{ - UINT64 VirtualAddress; - UINT32 ProcessId; - - UINT64 Pml4eVirtualAddress; - UINT64 Pml4eValue; - - UINT64 PdpteVirtualAddress; - UINT64 PdpteValue; - - UINT64 PdeVirtualAddress; - UINT64 PdeValue; - - UINT64 PteVirtualAddress; - UINT64 PteValue; - - UINT32 KernelStatus; - -} DEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS, - *PDEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS; - -/* ============================================================================================== - */ - -#define SIZEOF_DEBUGGER_VA2PA_AND_PA2VA_COMMANDS \ - sizeof(DEBUGGER_VA2PA_AND_PA2VA_COMMANDS) - -/** - * @brief requests for !va2pa and !pa2va commands - * - */ -typedef struct _DEBUGGER_VA2PA_AND_PA2VA_COMMANDS -{ - UINT64 VirtualAddress; - UINT64 PhysicalAddress; - UINT32 ProcessId; - BOOLEAN IsVirtual2Physical; - UINT32 KernelStatus; - -} DEBUGGER_VA2PA_AND_PA2VA_COMMANDS, *PDEBUGGER_VA2PA_AND_PA2VA_COMMANDS; - -/* ============================================================================================== - */ -#define SIZEOF_DEBUGGER_PAGE_IN_REQUEST \ - sizeof(DEBUGGER_PAGE_IN_REQUEST) - -/** - * @brief requests for the '.pagein' command - * - */ -typedef struct _DEBUGGER_PAGE_IN_REQUEST -{ - UINT64 VirtualAddressFrom; - UINT64 VirtualAddressTo; - UINT32 ProcessId; - UINT32 PageFaultErrorCode; - UINT32 KernelStatus; - -} DEBUGGER_PAGE_IN_REQUEST, *PDEBUGGER_PAGE_IN_REQUEST; - -/* ============================================================================================== - */ - -/** - * @brief different modes of reconstruct requests - * - */ -typedef enum _REVERSING_MACHINE_RECONSTRUCT_MEMORY_MODE -{ - REVERSING_MACHINE_RECONSTRUCT_MEMORY_MODE_UNKNOWN = 0, - REVERSING_MACHINE_RECONSTRUCT_MEMORY_MODE_USER_MODE, - 
REVERSING_MACHINE_RECONSTRUCT_MEMORY_MODE_KERNEL_MODE, -} REVERSING_MACHINE_RECONSTRUCT_MEMORY_MODE; + */ +#define IOCTL_PAUSE_PACKET_RECEIVED \ + CTL_CODE(FILE_DEVICE_UNKNOWN, 0x811, METHOD_BUFFERED, FILE_ANY_ACCESS) /** - * @brief different types of reconstruct requests + * @brief ioctl, send a signal that execution of command finished * */ -typedef enum _REVERSING_MACHINE_RECONSTRUCT_MEMORY_TYPE -{ - REVERSING_MACHINE_RECONSTRUCT_MEMORY_TYPE_UNKNOWN = 0, - REVERSING_MACHINE_RECONSTRUCT_MEMORY_TYPE_RECONSTRUCT, - REVERSING_MACHINE_RECONSTRUCT_MEMORY_TYPE_PATTERN, -} REVERSING_MACHINE_RECONSTRUCT_MEMORY_TYPE; - -#define SIZEOF_REVERSING_MACHINE_RECONSTRUCT_MEMORY_REQUEST \ - sizeof(REVERSING_MACHINE_RECONSTRUCT_MEMORY_REQUEST) +#define IOCTL_SEND_SIGNAL_EXECUTION_IN_DEBUGGEE_FINISHED \ + CTL_CODE(FILE_DEVICE_UNKNOWN, 0x812, METHOD_BUFFERED, FILE_ANY_ACCESS) /** - * @brief requests for !rev command + * @brief ioctl, send user-mode messages to the debugger * */ -typedef struct _REVERSING_MACHINE_RECONSTRUCT_MEMORY_REQUEST -{ - UINT32 ProcessId; - UINT32 Size; - REVERSING_MACHINE_RECONSTRUCT_MEMORY_MODE Mode; - REVERSING_MACHINE_RECONSTRUCT_MEMORY_TYPE Type; - UINT32 KernelStatus; - -} REVERSING_MACHINE_RECONSTRUCT_MEMORY_REQUEST, *PREVERSING_MACHINE_RECONSTRUCT_MEMORY_REQUEST; +#define IOCTL_SEND_USERMODE_MESSAGES_TO_DEBUGGER \ + CTL_CODE(FILE_DEVICE_UNKNOWN, 0x813, METHOD_BUFFERED, FILE_ANY_ACCESS) -/* ============================================================================================== +/** + * @brief ioctl, send general buffer from debuggee to debugger + * */ - -#define SIZEOF_DEBUGGER_DT_COMMAND_OPTIONS \ - sizeof(DEBUGGER_DT_COMMAND_OPTIONS) +#define IOCTL_SEND_GENERAL_BUFFER_FROM_DEBUGGEE_TO_DEBUGGER \ + CTL_CODE(FILE_DEVICE_UNKNOWN, 0x814, METHOD_BUFFERED, FILE_ANY_ACCESS) /** - * @brief requests options for dt and struct command + * @brief ioctl, to perform kernel-side tests * */ -typedef struct _DEBUGGER_DT_COMMAND_OPTIONS -{ - const char * 
TypeName; - UINT64 SizeOfTypeName; - UINT64 Address; - BOOLEAN IsStruct; - PVOID BufferAddress; - UINT32 TargetPid; - const char * AdditionalParameters; - -} DEBUGGER_DT_COMMAND_OPTIONS, *PDEBUGGER_DT_COMMAND_OPTIONS; +#define IOCTL_PERFROM_KERNEL_SIDE_TESTS \ + CTL_CODE(FILE_DEVICE_UNKNOWN, 0x815, METHOD_BUFFERED, FILE_ANY_ACCESS) -/* ============================================================================================== +/** + * @brief ioctl, to reserve pre-allocated pools + * */ +#define IOCTL_RESERVE_PRE_ALLOCATED_POOLS \ + CTL_CODE(FILE_DEVICE_UNKNOWN, 0x816, METHOD_BUFFERED, FILE_ANY_ACCESS) /** - * @brief different types of prealloc requests + * @brief ioctl, to send user debugger commands * */ -typedef enum _DEBUGGER_PREALLOC_COMMAND_TYPE -{ - DEBUGGER_PREALLOC_COMMAND_TYPE_THREAD_INTERCEPTION, - DEBUGGER_PREALLOC_COMMAND_TYPE_MONITOR, - DEBUGGER_PREALLOC_COMMAND_TYPE_EPTHOOK, - DEBUGGER_PREALLOC_COMMAND_TYPE_EPTHOOK2, - DEBUGGER_PREALLOC_COMMAND_TYPE_REGULAR_EVENT, - DEBUGGER_PREALLOC_COMMAND_TYPE_BIG_EVENT, - DEBUGGER_PREALLOC_COMMAND_TYPE_REGULAR_SAFE_BUFFER, - DEBUGGER_PREALLOC_COMMAND_TYPE_BIG_SAFE_BUFFER, - -} DEBUGGER_PREALLOC_COMMAND_TYPE; - -#define SIZEOF_DEBUGGER_PREALLOC_COMMAND \ - sizeof(DEBUGGER_PREALLOC_COMMAND) +#define IOCTL_SEND_USER_DEBUGGER_COMMANDS \ + CTL_CODE(FILE_DEVICE_UNKNOWN, 0x817, METHOD_BUFFERED, FILE_ANY_ACCESS) /** - * @brief requests for the 'prealloc' command + * @brief ioctl, to get active threads/processes that are debugging * */ -typedef struct _DEBUGGER_PREALLOC_COMMAND -{ - DEBUGGER_PREALLOC_COMMAND_TYPE Type; - UINT32 Count; - UINT32 KernelStatus; - -} DEBUGGER_PREALLOC_COMMAND, *PDEBUGGER_PREALLOC_COMMAND; +#define IOCTL_GET_DETAIL_OF_ACTIVE_THREADS_AND_PROCESSES \ + CTL_CODE(FILE_DEVICE_UNKNOWN, 0x818, METHOD_BUFFERED, FILE_ANY_ACCESS) -/* ============================================================================================== +/** + * @brief ioctl, to get user mode modules details + * */ +#define 
IOCTL_GET_USER_MODE_MODULE_DETAILS \ + CTL_CODE(FILE_DEVICE_UNKNOWN, 0x819, METHOD_BUFFERED, FILE_ANY_ACCESS) /** - * @brief different types of preactivate requests + * @brief ioctl, query count of active threads or processes * */ -typedef enum _DEBUGGER_PREACTIVATE_COMMAND_TYPE -{ - DEBUGGER_PREACTIVATE_COMMAND_TYPE_MODE, - -} DEBUGGER_PREACTIVATE_COMMAND_TYPE; - -#define SIZEOF_DEBUGGER_PREACTIVATE_COMMAND \ - sizeof(DEBUGGER_PREACTIVATE_COMMAND) +#define IOCTL_QUERY_COUNT_OF_ACTIVE_PROCESSES_OR_THREADS \ + CTL_CODE(FILE_DEVICE_UNKNOWN, 0x81a, METHOD_BUFFERED, FILE_ANY_ACCESS) /** - * @brief requests for the 'preactivate' command + * @brief ioctl, to get list threads/processes * */ -typedef struct _DEBUGGER_PREACTIVATE_COMMAND -{ - DEBUGGER_PREACTIVATE_COMMAND_TYPE Type; - UINT32 KernelStatus; - -} DEBUGGER_PREACTIVATE_COMMAND, *PDEBUGGER_PREACTIVATE_COMMAND; +#define IOCTL_GET_LIST_OF_THREADS_AND_PROCESSES \ + CTL_CODE(FILE_DEVICE_UNKNOWN, 0x81b, METHOD_BUFFERED, FILE_ANY_ACCESS) -/* ============================================================================================== +/** + * @brief ioctl, query the current process details + * */ - -#define SIZEOF_DEBUGGER_READ_MEMORY sizeof(DEBUGGER_READ_MEMORY) +#define IOCTL_QUERY_CURRENT_PROCESS \ + CTL_CODE(FILE_DEVICE_UNKNOWN, 0x81c, METHOD_BUFFERED, FILE_ANY_ACCESS) /** - * @brief different types of reading memory + * @brief ioctl, query the current thread details * */ -typedef enum _DEBUGGER_READ_READING_TYPE -{ - READ_FROM_KERNEL, - READ_FROM_VMX_ROOT -} DEBUGGER_READ_READING_TYPE; +#define IOCTL_QUERY_CURRENT_THREAD \ + CTL_CODE(FILE_DEVICE_UNKNOWN, 0x81d, METHOD_BUFFERED, FILE_ANY_ACCESS) /** - * @brief different type of addresses + * @brief ioctl, request service from the reversing machine * */ -typedef enum _DEBUGGER_READ_MEMORY_TYPE -{ - DEBUGGER_READ_PHYSICAL_ADDRESS, - DEBUGGER_READ_VIRTUAL_ADDRESS -} DEBUGGER_READ_MEMORY_TYPE; +#define IOCTL_REQUEST_REV_MACHINE_SERVICE \ + CTL_CODE(FILE_DEVICE_UNKNOWN, 
0x81e, METHOD_BUFFERED, FILE_ANY_ACCESS) /** - * @brief the way that debugger should show - * the details of memory or disassemble them + * @brief ioctl, request to bring pages in * */ -typedef enum _DEBUGGER_SHOW_MEMORY_STYLE -{ - DEBUGGER_SHOW_COMMAND_DT = 1, - DEBUGGER_SHOW_COMMAND_DISASSEMBLE64, - DEBUGGER_SHOW_COMMAND_DISASSEMBLE32, - DEBUGGER_SHOW_COMMAND_DB, - DEBUGGER_SHOW_COMMAND_DC, - DEBUGGER_SHOW_COMMAND_DQ, - DEBUGGER_SHOW_COMMAND_DD, - DEBUGGER_SHOW_COMMAND_DUMP -} DEBUGGER_SHOW_MEMORY_STYLE; +#define IOCTL_DEBUGGER_BRING_PAGES_IN \ + CTL_CODE(FILE_DEVICE_UNKNOWN, 0x81f, METHOD_BUFFERED, FILE_ANY_ACCESS) /** - * @brief request for reading virtual and physical memory + * @brief ioctl, to preactivate a functionality * */ -typedef struct _DEBUGGER_READ_MEMORY -{ - UINT32 Pid; // Read from cr3 of what process - UINT64 Address; - UINT32 Size; - BOOLEAN IsForDisasm; // Debugger sets whether the read memory is for diassembler or not - BOOLEAN Is32BitAddress; // Debuggee sets the status of address - DEBUGGER_READ_MEMORY_TYPE MemoryType; - DEBUGGER_READ_READING_TYPE ReadingType; - PDEBUGGER_DT_COMMAND_OPTIONS DtDetails; - DEBUGGER_SHOW_MEMORY_STYLE Style; // not used in local debugging - UINT32 ReturnLength; // not used in local debugging - UINT32 KernelStatus; // not used in local debugging - - // - // Here is the target buffer (actual memory) - // +#define IOCTL_PREACTIVATE_FUNCTIONALITY \ + CTL_CODE(FILE_DEVICE_UNKNOWN, 0x820, METHOD_BUFFERED, FILE_ANY_ACCESS) -} DEBUGGER_READ_MEMORY, *PDEBUGGER_READ_MEMORY; -/* ============================================================================================== +//..\..\..\bin\debug\SDK\Headers\Symbols.h +/** + * @file Symbols.h + * @author Sina Karvandi (sina@hyperdbg.org) + * @brief HyperDbg's SDK Header Files For Symbol Parsing + * @details This file contains definitions of symbol parsers + * @version 0.2 + * @date 2022-06-24 + * + * @copyright This project is released under the GNU Public License v3. 
+ * */ +#pragma once -#define SIZEOF_DEBUGGER_FLUSH_LOGGING_BUFFERS \ - sizeof(DEBUGGER_FLUSH_LOGGING_BUFFERS) +////////////////////////////////////////////////// +// Symbols Details // +////////////////////////////////////////////////// /** - * @brief request for flushing buffers + * @brief structures for sending and saving details + * about each module and symbols details * */ -typedef struct _DEBUGGER_FLUSH_LOGGING_BUFFERS +typedef struct _MODULE_SYMBOL_DETAIL { - UINT32 KernelStatus; - UINT32 CountOfMessagesThatSetAsReadFromVmxRoot; - UINT32 CountOfMessagesThatSetAsReadFromVmxNonRoot; + BOOLEAN IsSymbolDetailsFound; // TRUE if the details of symbols found, FALSE if not found + BOOLEAN IsLocalSymbolPath; // TRUE if the ModuleSymbolPath is a real path + // and FALSE if ModuleSymbolPath is just a module name + BOOLEAN IsSymbolPDBAvaliable; // TRUE if the module's pdb is available(if exists in the sympath) + BOOLEAN IsUserMode; // TRUE if the module is a user-mode module + BOOLEAN Is32Bit; // TRUE if the module is a 32-bit + UINT64 BaseAddress; + char FilePath[MAX_PATH]; + char ModuleSymbolPath[MAX_PATH]; + char ModuleSymbolGuidAndAge[MAXIMUM_GUID_AND_AGE_SIZE]; -} DEBUGGER_FLUSH_LOGGING_BUFFERS, *PDEBUGGER_FLUSH_LOGGING_BUFFERS; +} MODULE_SYMBOL_DETAIL, *PMODULE_SYMBOL_DETAIL; -/* ============================================================================================== - */ +typedef struct _USERMODE_LOADED_MODULE_SYMBOLS +{ + UINT64 BaseAddress; + UINT64 Entrypoint; + wchar_t FilePath[MAX_PATH]; -#define SIZEOF_DEBUGGER_TEST_QUERY_BUFFER \ - sizeof(DEBUGGER_TEST_QUERY_BUFFER) +} USERMODE_LOADED_MODULE_SYMBOLS, *PUSERMODE_LOADED_MODULE_SYMBOLS; -/** - * @brief test query used for test purposed - * - */ -typedef enum _DEBUGGER_TEST_QUERY_STATE +typedef struct _USERMODE_LOADED_MODULE_DETAILS { - TEST_QUERY_HALTING_CORE_STATUS = 1, // Query constant to show detail of halting of core - TEST_QUERY_PREALLOCATED_POOL_STATE = 2, // Query pre-allocated pool state - 
TEST_QUERY_TRAP_STATE = 3, // Query trap state - TEST_BREAKPOINT_TURN_OFF_BPS = 4, // Turn off the breakpoints (#BP) - TEST_BREAKPOINT_TURN_ON_BPS = 5, // Turn on the breakpoints (#BP) - TEST_BREAKPOINT_TURN_OFF_BPS_AND_EVENTS_FOR_COMMANDS_IN_REMOTE_COMPUTER = 6, // Turn off the breakpoints and events for executing the commands in the remote computer - TEST_BREAKPOINT_TURN_ON_BPS_AND_EVENTS_FOR_COMMANDS_IN_REMOTE_COMPUTER = 7, // Turn on the breakpoints and events for executing the commands in the remote computer - TEST_SETTING_TARGET_TASKS_ON_HALTED_CORES_SYNCHRONOUS = 8, // For testing synchronized event - TEST_SETTING_TARGET_TASKS_ON_HALTED_CORES_ASYNCHRONOUS = 9, // For testing unsynchronized event - TEST_SETTING_TARGET_TASKS_ON_TARGET_HALTED_CORES = 10, // Send the task to the halted core - TEST_BREAKPOINT_TURN_OFF_DBS = 11, // Turn off the debug breaks (#DB) - TEST_BREAKPOINT_TURN_ON_DBS = 12, // Turn on the debug breaks (#DB) + UINT32 ProcessId; + BOOLEAN OnlyCountModules; + BOOLEAN Is32Bit; + UINT32 ModulesCount; + UINT32 Result; + + // + // Here is a list of USERMODE_LOADED_MODULE_SYMBOLS (appended) + // -} DEBUGGER_TEST_QUERY_STATE; +} USERMODE_LOADED_MODULE_DETAILS, *PUSERMODE_LOADED_MODULE_DETAILS; /** - * @brief request for test query buffers + * @brief Callback type that should be used to add + * list of Addresses to ObjectNames * */ -typedef struct _DEBUGGER_DEBUGGER_TEST_QUERY_BUFFER -{ - DEBUGGER_TEST_QUERY_STATE RequestType; - UINT64 Context; - UINT32 KernelStatus; - -} DEBUGGER_DEBUGGER_TEST_QUERY_BUFFER, *PDEBUGGER_DEBUGGER_TEST_QUERY_BUFFER; - -/* ============================================================================================== - */ - -#define SIZEOF_DEBUGGER_PERFORM_KERNEL_TESTS \ - sizeof(DEBUGGER_PERFORM_KERNEL_TESTS) +typedef VOID (*SymbolMapCallback)(UINT64 Address, char * ModuleName, char * ObjectName, unsigned int ObjectSize); /** - * @brief request performing kernel tests + * @brief request to add new symbol detail or 
update a previous + * symbol table entry * */ -typedef struct _DEBUGGER_PERFORM_KERNEL_TESTS +typedef struct _DEBUGGER_UPDATE_SYMBOL_TABLE { - UINT32 KernelStatus; + UINT32 TotalSymbols; + UINT32 CurrentSymbolIndex; + MODULE_SYMBOL_DETAIL SymbolDetailPacket; -} DEBUGGER_PERFORM_KERNEL_TESTS, *PDEBUGGER_PERFORM_KERNEL_TESTS; +} DEBUGGER_UPDATE_SYMBOL_TABLE, *PDEBUGGER_UPDATE_SYMBOL_TABLE; -/* ============================================================================================== +/* +============================================================================================== */ -#define SIZEOF_DEBUGGER_SEND_COMMAND_EXECUTION_FINISHED_SIGNAL \ - sizeof(DEBUGGER_SEND_COMMAND_EXECUTION_FINISHED_SIGNAL) - /** - * @brief request for send a signal that command execution finished + * @brief request that shows, symbol reload process is finished * */ -typedef struct _DEBUGGER_SEND_COMMAND_EXECUTION_FINISHED_SIGNAL +typedef struct _DEBUGGEE_SYMBOL_UPDATE_RESULT { - UINT32 KernelStatus; + UINT64 KernelStatus; // Kernel put the status in this field -} DEBUGGER_SEND_COMMAND_EXECUTION_FINISHED_SIGNAL, - *PDEBUGGER_SEND_COMMAND_EXECUTION_FINISHED_SIGNAL; +} DEBUGGEE_SYMBOL_UPDATE_RESULT, *PDEBUGGEE_SYMBOL_UPDATE_RESULT; -/* ============================================================================================== +/* +============================================================================================== */ -#define SIZEOF_DEBUGGEE_SEND_GENERAL_PACKET_FROM_DEBUGGEE_TO_DEBUGGER \ - sizeof(DEBUGGEE_SEND_GENERAL_PACKET_FROM_DEBUGGEE_TO_DEBUGGER) +//..\..\..\bin\debug\SDK\Headers\RequestStructures.h /** - * @brief request for send general packets from debuggee to debugger + * @file RequestStructures.h + * @author Sina Karvandi (sina@hyperdbg.org) + * @brief HyperDbg's SDK Headers Request Packets + * @details This file contains definitions of request packets (enums, structs) + * @version 0.2 + * @date 2022-06-28 + * + * @copyright This project is released under the 
GNU Public License v3. * */ -typedef struct _DEBUGGEE_SEND_GENERAL_PACKET_FROM_DEBUGGEE_TO_DEBUGGER -{ - DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION RequestedAction; - UINT32 LengthOfBuffer; - BOOLEAN PauseDebuggeeWhenSent; - UINT32 KernelResult; - - // - // The buffer for the general packet is here - // - -} DEBUGGEE_SEND_GENERAL_PACKET_FROM_DEBUGGEE_TO_DEBUGGER, - *PDEBUGGEE_SEND_GENERAL_PACKET_FROM_DEBUGGEE_TO_DEBUGGER; - -/* ============================================================================================== - */ +#pragma once -#define SIZEOF_DEBUGGER_SEND_USERMODE_MESSAGES_TO_DEBUGGER \ - sizeof(DEBUGGER_SEND_USERMODE_MESSAGES_TO_DEBUGGER) +#define SIZEOF_DEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS \ + sizeof(DEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS) /** - * @brief request for send a user-mode message to debugger + * @brief request for !pte command * */ -typedef struct _DEBUGGER_SEND_USERMODE_MESSAGES_TO_DEBUGGER +typedef struct _DEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS { - UINT32 KernelStatus; - UINT32 Length; - - // - // Here is the messages - // + UINT64 VirtualAddress; + UINT32 ProcessId; -} DEBUGGER_SEND_USERMODE_MESSAGES_TO_DEBUGGER, - *PDEBUGGER_SEND_USERMODE_MESSAGES_TO_DEBUGGER; + UINT64 Pml4eVirtualAddress; + UINT64 Pml4eValue; -/* ============================================================================================== - */ + UINT64 PdpteVirtualAddress; + UINT64 PdpteValue; -#define SIZEOF_DEBUGGER_READ_AND_WRITE_ON_MSR \ - sizeof(DEBUGGER_READ_AND_WRITE_ON_MSR) + UINT64 PdeVirtualAddress; + UINT64 PdeValue; -/** - * @brief different types of actions on MSRs - * - */ -typedef enum _DEBUGGER_MSR_ACTION_TYPE -{ - DEBUGGER_MSR_READ, - DEBUGGER_MSR_WRITE -} DEBUGGER_MSR_ACTION_TYPE; + UINT64 PteVirtualAddress; + UINT64 PteValue; -/** - * @brief request to read or write on MSRs - * - */ -typedef struct _DEBUGGER_READ_AND_WRITE_ON_MSR -{ - UINT64 Msr; // It's actually a 32-Bit value but let's not mess with a register - UINT32 CoreNumber; // 
specifies the core to execute wrmsr or read the msr - // (DEBUGGER_READ_AND_WRITE_ON_MSR_APPLY_ALL_CORES mean all - // the cores) - DEBUGGER_MSR_ACTION_TYPE - ActionType; // Detects whether user needs wrmsr or rdmsr - UINT64 Value; + UINT32 KernelStatus; -} DEBUGGER_READ_AND_WRITE_ON_MSR, *PDEBUGGER_READ_AND_WRITE_ON_MSR; +} DEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS, + *PDEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS; /* ============================================================================================== */ -#define SIZEOF_DEBUGGER_EDIT_MEMORY sizeof(DEBUGGER_EDIT_MEMORY) +#define SIZEOF_DEBUGGER_VA2PA_AND_PA2VA_COMMANDS \ + sizeof(DEBUGGER_VA2PA_AND_PA2VA_COMMANDS) /** - * @brief different type of addresses for editing memory + * @brief requests for !va2pa and !pa2va commands * */ -typedef enum _DEBUGGER_EDIT_MEMORY_TYPE +typedef struct _DEBUGGER_VA2PA_AND_PA2VA_COMMANDS { - EDIT_PHYSICAL_MEMORY, - EDIT_VIRTUAL_MEMORY -} DEBUGGER_EDIT_MEMORY_TYPE; + UINT64 VirtualAddress; + UINT64 PhysicalAddress; + UINT32 ProcessId; + BOOLEAN IsVirtual2Physical; + UINT32 KernelStatus; -/** - * @brief size of editing memory - * +} DEBUGGER_VA2PA_AND_PA2VA_COMMANDS, *PDEBUGGER_VA2PA_AND_PA2VA_COMMANDS; + +/* ============================================================================================== */ -typedef enum _DEBUGGER_EDIT_MEMORY_BYTE_SIZE -{ - EDIT_BYTE, - EDIT_DWORD, - EDIT_QWORD -} DEBUGGER_EDIT_MEMORY_BYTE_SIZE; +#define SIZEOF_DEBUGGER_PAGE_IN_REQUEST \ + sizeof(DEBUGGER_PAGE_IN_REQUEST) /** - * @brief request for edit virtual and physical memory + * @brief requests for the '.pagein' command * */ -typedef struct _DEBUGGER_EDIT_MEMORY +typedef struct _DEBUGGER_PAGE_IN_REQUEST { - UINT32 Result; // Result from kernel - UINT64 Address; // Target address to modify - UINT32 ProcessId; // specifies the process id - DEBUGGER_EDIT_MEMORY_TYPE MemoryType; // Type of memory - DEBUGGER_EDIT_MEMORY_BYTE_SIZE ByteSize; // Modification size - UINT32 CountOf64Chunks; - UINT32 
FinalStructureSize; - UINT32 KernelStatus; // not used in local debugging + UINT64 VirtualAddressFrom; + UINT64 VirtualAddressTo; + UINT32 ProcessId; + UINT32 PageFaultErrorCode; + UINT32 KernelStatus; -} DEBUGGER_EDIT_MEMORY, *PDEBUGGER_EDIT_MEMORY; +} DEBUGGER_PAGE_IN_REQUEST, *PDEBUGGER_PAGE_IN_REQUEST; /* ============================================================================================== */ -#define SIZEOF_DEBUGGER_SEARCH_MEMORY sizeof(DEBUGGER_SEARCH_MEMORY) - -/** - * @brief different types of address for searching on memory - * - */ -typedef enum _DEBUGGER_SEARCH_MEMORY_TYPE -{ - SEARCH_PHYSICAL_MEMORY, - SEARCH_VIRTUAL_MEMORY, - SEARCH_PHYSICAL_FROM_VIRTUAL_MEMORY, - -} DEBUGGER_SEARCH_MEMORY_TYPE; - /** - * @brief different sizes on searching memory + * @brief different modes of reconstruct requests * */ -typedef enum _DEBUGGER_SEARCH_MEMORY_BYTE_SIZE +typedef enum _REVERSING_MACHINE_RECONSTRUCT_MEMORY_MODE { - SEARCH_BYTE, - SEARCH_DWORD, - SEARCH_QWORD - -} DEBUGGER_SEARCH_MEMORY_BYTE_SIZE; + REVERSING_MACHINE_RECONSTRUCT_MEMORY_MODE_UNKNOWN = 0, + REVERSING_MACHINE_RECONSTRUCT_MEMORY_MODE_USER_MODE, + REVERSING_MACHINE_RECONSTRUCT_MEMORY_MODE_KERNEL_MODE, +} REVERSING_MACHINE_RECONSTRUCT_MEMORY_MODE; /** - * @brief request for searching memory + * @brief different types of reconstruct requests * */ -typedef struct _DEBUGGER_SEARCH_MEMORY +typedef enum _REVERSING_MACHINE_RECONSTRUCT_MEMORY_TYPE { - UINT64 Address; // Target address to start searching - UINT64 Length; // Length of bytes to search - UINT32 ProcessId; // specifies the process id - DEBUGGER_SEARCH_MEMORY_TYPE MemoryType; // Type of memory - DEBUGGER_SEARCH_MEMORY_BYTE_SIZE ByteSize; // Modification size - UINT32 CountOf64Chunks; - UINT32 FinalStructureSize; - -} DEBUGGER_SEARCH_MEMORY, *PDEBUGGER_SEARCH_MEMORY; - -/* ============================================================================================== - */ + REVERSING_MACHINE_RECONSTRUCT_MEMORY_TYPE_UNKNOWN = 0, + 
REVERSING_MACHINE_RECONSTRUCT_MEMORY_TYPE_RECONSTRUCT, + REVERSING_MACHINE_RECONSTRUCT_MEMORY_TYPE_PATTERN, +} REVERSING_MACHINE_RECONSTRUCT_MEMORY_TYPE; -#define SIZEOF_DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE \ - sizeof(DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE) +#define SIZEOF_REVERSING_MACHINE_RECONSTRUCT_MEMORY_REQUEST \ + sizeof(REVERSING_MACHINE_RECONSTRUCT_MEMORY_REQUEST) /** - * @brief request for enable or disable transparent-mode + * @brief requests for !rev command * */ -typedef struct _DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE +typedef struct _REVERSING_MACHINE_RECONSTRUCT_MEMORY_REQUEST { - BOOLEAN IsHide; - - UINT64 CpuidAverage; - UINT64 CpuidStandardDeviation; - UINT64 CpuidMedian; - - UINT64 RdtscAverage; - UINT64 RdtscStandardDeviation; - UINT64 RdtscMedian; - - BOOLEAN TrueIfProcessIdAndFalseIfProcessName; - UINT32 ProcId; - UINT32 LengthOfProcessName; // in the case of !hide name xxx, this parameter - // shows the length of xxx - - UINT64 KernelStatus; /* DEBUGGER_OPERATION_WAS_SUCCESSFUL , - DEBUGGER_ERROR_UNABLE_TO_HIDE_OR_UNHIDE_DEBUGGER - */ + UINT32 ProcessId; + UINT32 Size; + REVERSING_MACHINE_RECONSTRUCT_MEMORY_MODE Mode; + REVERSING_MACHINE_RECONSTRUCT_MEMORY_TYPE Type; + UINT32 KernelStatus; -} DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE, - *PDEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE; +} REVERSING_MACHINE_RECONSTRUCT_MEMORY_REQUEST, *PREVERSING_MACHINE_RECONSTRUCT_MEMORY_REQUEST; /* ============================================================================================== */ -#define SIZEOF_DEBUGGER_PREPARE_DEBUGGEE sizeof(DEBUGGER_PREPARE_DEBUGGEE) +#define SIZEOF_DEBUGGER_DT_COMMAND_OPTIONS \ + sizeof(DEBUGGER_DT_COMMAND_OPTIONS) /** - * @brief request to make this computer to a debuggee + * @brief requests options for dt and struct command * */ -typedef struct _DEBUGGER_PREPARE_DEBUGGEE +typedef struct _DEBUGGER_DT_COMMAND_OPTIONS { - UINT32 PortAddress; - UINT32 Baudrate; - UINT64 NtoskrnlBaseAddress; - UINT32 Result; 
// Result from the kernel - CHAR OsName[MAXIMUM_CHARACTER_FOR_OS_NAME]; + const char * TypeName; + UINT64 SizeOfTypeName; + UINT64 Address; + BOOLEAN IsStruct; + PVOID BufferAddress; + UINT32 TargetPid; + const char * AdditionalParameters; -} DEBUGGER_PREPARE_DEBUGGEE, *PDEBUGGER_PREPARE_DEBUGGEE; +} DEBUGGER_DT_COMMAND_OPTIONS, *PDEBUGGER_DT_COMMAND_OPTIONS; /* ============================================================================================== */ /** - * @brief The structure of changing core packet in HyperDbg + * @brief different types of prealloc requests * */ -typedef struct _DEBUGGEE_CHANGE_CORE_PACKET +typedef enum _DEBUGGER_PREALLOC_COMMAND_TYPE { - UINT32 NewCore; - UINT32 Result; + DEBUGGER_PREALLOC_COMMAND_TYPE_THREAD_INTERCEPTION, + DEBUGGER_PREALLOC_COMMAND_TYPE_MONITOR, + DEBUGGER_PREALLOC_COMMAND_TYPE_EPTHOOK, + DEBUGGER_PREALLOC_COMMAND_TYPE_EPTHOOK2, + DEBUGGER_PREALLOC_COMMAND_TYPE_REGULAR_EVENT, + DEBUGGER_PREALLOC_COMMAND_TYPE_BIG_EVENT, + DEBUGGER_PREALLOC_COMMAND_TYPE_REGULAR_SAFE_BUFFER, + DEBUGGER_PREALLOC_COMMAND_TYPE_BIG_SAFE_BUFFER, -} DEBUGGEE_CHANGE_CORE_PACKET, *PDEBUGGEE_CHANGE_CORE_PACKET; +} DEBUGGER_PREALLOC_COMMAND_TYPE; + +#define SIZEOF_DEBUGGER_PREALLOC_COMMAND \ + sizeof(DEBUGGER_PREALLOC_COMMAND) + +/** + * @brief requests for the 'prealloc' command + * + */ +typedef struct _DEBUGGER_PREALLOC_COMMAND +{ + DEBUGGER_PREALLOC_COMMAND_TYPE Type; + UINT32 Count; + UINT32 KernelStatus; + +} DEBUGGER_PREALLOC_COMMAND, *PDEBUGGER_PREALLOC_COMMAND; /* ============================================================================================== */ -#define SIZEOF_DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS \ - sizeof(DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS) /** - * @brief different actions of switchings + * @brief different types of preactivate requests * */ -typedef enum _DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_TYPE +typedef enum _DEBUGGER_PREACTIVATE_COMMAND_TYPE { - 
DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_ATTACH, - DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_DETACH, - DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_REMOVE_HOOKS, - DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_KILL_PROCESS, - DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_PAUSE_PROCESS, - DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_SWITCH_BY_PROCESS_OR_THREAD, - DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_QUERY_COUNT_OF_ACTIVE_DEBUGGING_THREADS, + DEBUGGER_PREACTIVATE_COMMAND_TYPE_MODE, -} DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_TYPE; +} DEBUGGER_PREACTIVATE_COMMAND_TYPE; + +#define SIZEOF_DEBUGGER_PREACTIVATE_COMMAND \ + sizeof(DEBUGGER_PREACTIVATE_COMMAND) /** - * @brief request for attaching user-mode process + * @brief requests for the 'preactivate' command * */ -typedef struct _DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS +typedef struct _DEBUGGER_PREACTIVATE_COMMAND { - BOOLEAN IsStartingNewProcess; - UINT32 ProcessId; - UINT32 ThreadId; - BOOLEAN CheckCallbackAtFirstInstruction; - BOOLEAN Is32Bit; - BOOLEAN IsPaused; // used in switching to threads - DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_TYPE Action; - UINT32 CountOfActiveDebuggingThreadsAndProcesses; // used in showing the list of active threads/processes - UINT64 Token; - UINT64 Result; + DEBUGGER_PREACTIVATE_COMMAND_TYPE Type; + UINT32 KernelStatus; -} DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS, - *PDEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS; +} DEBUGGER_PREACTIVATE_COMMAND, *PDEBUGGER_PREACTIVATE_COMMAND; /* ============================================================================================== */ -#define SIZEOF_DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS \ - sizeof(DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS) + +#define SIZEOF_DEBUGGER_READ_MEMORY sizeof(DEBUGGER_READ_MEMORY) /** - * @brief different type of process or thread queries + * @brief different types of reading memory * */ -typedef enum _DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_TYPES +typedef enum 
_DEBUGGER_READ_READING_TYPE { - DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_QUERY_PROCESS_COUNT = 1, - DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_QUERY_THREAD_COUNT = 2, - DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_QUERY_PROCESS_LIST = 3, - DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_QUERY_THREAD_LIST = 4, - DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_QUERY_CURRENT_PROCESS = 5, - DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_QUERY_CURRENT_THREAD = 6, - -} DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_TYPES; + READ_FROM_KERNEL, + READ_FROM_VMX_ROOT +} DEBUGGER_READ_READING_TYPE; /** - * @brief different actions on showing or querying list of process or threads + * @brief different type of addresses * */ -typedef enum _DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_ACTIONS +typedef enum _DEBUGGER_READ_MEMORY_TYPE { - DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_ACTION_SHOW_INSTANTLY = 1, - DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_ACTION_QUERY_COUNT = 2, - DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_ACTION_QUERY_SAVE_DETAILS = 3, - -} DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_ACTIONS; + DEBUGGER_READ_PHYSICAL_ADDRESS, + DEBUGGER_READ_VIRTUAL_ADDRESS +} DEBUGGER_READ_MEMORY_TYPE; /** - * @brief The structure of needed information to get the details - * of the process from nt!_EPROCESS and location of needed variables + * @brief the way that debugger should show + * the details of memory or disassemble them * */ -typedef struct _DEBUGGEE_PROCESS_LIST_NEEDED_DETAILS +typedef enum _DEBUGGER_SHOW_MEMORY_STYLE { - UINT64 PsActiveProcessHead; // nt!PsActiveProcessHead - ULONG ImageFileNameOffset; // nt!_EPROCESS.ImageFileName - ULONG UniquePidOffset; // nt!_EPROCESS.UniqueProcessId - ULONG ActiveProcessLinksOffset; // nt!_EPROCESS.ActiveProcessLinks - -} DEBUGGEE_PROCESS_LIST_NEEDED_DETAILS, *PDEBUGGEE_PROCESS_LIST_NEEDED_DETAILS; + DEBUGGER_SHOW_COMMAND_DT = 1, + DEBUGGER_SHOW_COMMAND_DISASSEMBLE64, + DEBUGGER_SHOW_COMMAND_DISASSEMBLE32, + DEBUGGER_SHOW_COMMAND_DB, + 
DEBUGGER_SHOW_COMMAND_DC, + DEBUGGER_SHOW_COMMAND_DQ, + DEBUGGER_SHOW_COMMAND_DD, + DEBUGGER_SHOW_COMMAND_DUMP +} DEBUGGER_SHOW_MEMORY_STYLE; /** - * @brief The structure of needed information to get the details - * of the thread from nt!_ETHREAD and location of needed variables + * @brief request for reading virtual and physical memory * */ -typedef struct _DEBUGGEE_THREAD_LIST_NEEDED_DETAILS +typedef struct _DEBUGGER_READ_MEMORY { - UINT32 ThreadListHeadOffset; // nt!_EPROCESS.ThreadListHead - UINT32 ThreadListEntryOffset; // nt!_ETHREAD.ThreadListEntry - UINT32 CidOffset; // nt!_ETHREAD.Cid - UINT64 PsActiveProcessHead; // nt!PsActiveProcessHead - ULONG ActiveProcessLinksOffset; // nt!_EPROCESS.ActiveProcessLinks - UINT64 Process; + UINT32 Pid; // Read from cr3 of what process + UINT64 Address; + UINT32 Size; + BOOLEAN IsForDisasm; // Debugger sets whether the read memory is for diassembler or not + BOOLEAN Is32BitAddress; // Debuggee sets the status of address + DEBUGGER_READ_MEMORY_TYPE MemoryType; + DEBUGGER_READ_READING_TYPE ReadingType; + PDEBUGGER_DT_COMMAND_OPTIONS DtDetails; + DEBUGGER_SHOW_MEMORY_STYLE Style; // not used in local debugging + UINT32 ReturnLength; // not used in local debugging + UINT32 KernelStatus; // not used in local debugging -} DEBUGGEE_THREAD_LIST_NEEDED_DETAILS, *PDEBUGGEE_THREAD_LIST_NEEDED_DETAILS; + // + // Here is the target buffer (actual memory) + // + +} DEBUGGER_READ_MEMORY, *PDEBUGGER_READ_MEMORY; + +/* ============================================================================================== + */ + +#define SIZEOF_DEBUGGER_FLUSH_LOGGING_BUFFERS \ + sizeof(DEBUGGER_FLUSH_LOGGING_BUFFERS) /** - * @brief The structure showing list of processes (details of each - * entry) + * @brief request for flushing buffers * */ -typedef struct _DEBUGGEE_PROCESS_LIST_DETAILS_ENTRY +typedef struct _DEBUGGER_FLUSH_LOGGING_BUFFERS { - UINT64 Eprocess; - UINT32 ProcessId; - UINT64 Cr3; - UCHAR ImageFileName[15 + 1]; + UINT32 
KernelStatus; + UINT32 CountOfMessagesThatSetAsReadFromVmxRoot; + UINT32 CountOfMessagesThatSetAsReadFromVmxNonRoot; -} DEBUGGEE_PROCESS_LIST_DETAILS_ENTRY, *PDEBUGGEE_PROCESS_LIST_DETAILS_ENTRY; +} DEBUGGER_FLUSH_LOGGING_BUFFERS, *PDEBUGGER_FLUSH_LOGGING_BUFFERS; + +/* ============================================================================================== + */ + +#define SIZEOF_DEBUGGER_TEST_QUERY_BUFFER \ + sizeof(DEBUGGER_TEST_QUERY_BUFFER) /** - * @brief The structure showing list of threads (details of each - * entry) + * @brief test query used for test purposed * */ -typedef struct _DEBUGGEE_THREAD_LIST_DETAILS_ENTRY +typedef enum _DEBUGGER_TEST_QUERY_STATE { - UINT64 Eprocess; - UINT64 Ethread; - UINT32 ProcessId; - UINT32 ThreadId; - UCHAR ImageFileName[15 + 1]; + TEST_QUERY_HALTING_CORE_STATUS = 1, // Query constant to show detail of halting of core + TEST_QUERY_PREALLOCATED_POOL_STATE = 2, // Query pre-allocated pool state + TEST_QUERY_TRAP_STATE = 3, // Query trap state + TEST_BREAKPOINT_TURN_OFF_BPS = 4, // Turn off the breakpoints (#BP) + TEST_BREAKPOINT_TURN_ON_BPS = 5, // Turn on the breakpoints (#BP) + TEST_BREAKPOINT_TURN_OFF_BPS_AND_EVENTS_FOR_COMMANDS_IN_REMOTE_COMPUTER = 6, // Turn off the breakpoints and events for executing the commands in the remote computer + TEST_BREAKPOINT_TURN_ON_BPS_AND_EVENTS_FOR_COMMANDS_IN_REMOTE_COMPUTER = 7, // Turn on the breakpoints and events for executing the commands in the remote computer + TEST_SETTING_TARGET_TASKS_ON_HALTED_CORES_SYNCHRONOUS = 8, // For testing synchronized event + TEST_SETTING_TARGET_TASKS_ON_HALTED_CORES_ASYNCHRONOUS = 9, // For testing unsynchronized event + TEST_SETTING_TARGET_TASKS_ON_TARGET_HALTED_CORES = 10, // Send the task to the halted core + TEST_BREAKPOINT_TURN_OFF_DBS = 11, // Turn off the debug breaks (#DB) + TEST_BREAKPOINT_TURN_ON_DBS = 12, // Turn on the debug breaks (#DB) -} DEBUGGEE_THREAD_LIST_DETAILS_ENTRY, *PDEBUGGEE_THREAD_LIST_DETAILS_ENTRY; +} 
DEBUGGER_TEST_QUERY_STATE; /** - * @brief request for query count of active processes and threads + * @brief request for test query buffers * */ -typedef struct _DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS +typedef struct _DEBUGGER_DEBUGGER_TEST_QUERY_BUFFER { - DEBUGGEE_PROCESS_LIST_NEEDED_DETAILS ProcessListNeededDetails; - DEBUGGEE_THREAD_LIST_NEEDED_DETAILS ThreadListNeededDetails; - DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_TYPES QueryType; - DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_ACTIONS QueryAction; - UINT32 Count; - UINT64 Result; + DEBUGGER_TEST_QUERY_STATE RequestType; + UINT64 Context; + UINT32 KernelStatus; -} DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS, - *PDEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS; +} DEBUGGER_DEBUGGER_TEST_QUERY_BUFFER, *PDEBUGGER_DEBUGGER_TEST_QUERY_BUFFER; /* ============================================================================================== */ +#define SIZEOF_DEBUGGER_PERFORM_KERNEL_TESTS \ + sizeof(DEBUGGER_PERFORM_KERNEL_TESTS) + /** - * @brief The structure for saving the callstack frame of one parameter + * @brief request performing kernel tests * */ -typedef struct _DEBUGGER_SINGLE_CALLSTACK_FRAME +typedef struct _DEBUGGER_PERFORM_KERNEL_TESTS { - BOOLEAN IsStackAddressValid; - BOOLEAN IsValidAddress; - BOOLEAN IsExecutable; - UINT64 Value; - BYTE InstructionBytesOnRip[MAXIMUM_CALL_INSTR_SIZE]; + UINT32 KernelStatus; + +} DEBUGGER_PERFORM_KERNEL_TESTS, *PDEBUGGER_PERFORM_KERNEL_TESTS; -} DEBUGGER_SINGLE_CALLSTACK_FRAME, *PDEBUGGER_SINGLE_CALLSTACK_FRAME; +/* ============================================================================================== + */ -#define SIZEOF_DEBUGGER_CALLSTACK_REQUEST \ - sizeof(DEBUGGER_CALLSTACK_REQUEST) +#define SIZEOF_DEBUGGER_SEND_COMMAND_EXECUTION_FINISHED_SIGNAL \ + sizeof(DEBUGGER_SEND_COMMAND_EXECUTION_FINISHED_SIGNAL) /** - * @brief callstack showing method + * @brief request for send a signal that command execution finished * */ -typedef enum 
_DEBUGGER_CALLSTACK_DISPLAY_METHOD +typedef struct _DEBUGGER_SEND_COMMAND_EXECUTION_FINISHED_SIGNAL { - DEBUGGER_CALLSTACK_DISPLAY_METHOD_WITHOUT_PARAMS, - DEBUGGER_CALLSTACK_DISPLAY_METHOD_WITH_PARAMS, + UINT32 KernelStatus; -} DEBUGGER_CALLSTACK_DISPLAY_METHOD; +} DEBUGGER_SEND_COMMAND_EXECUTION_FINISHED_SIGNAL, + *PDEBUGGER_SEND_COMMAND_EXECUTION_FINISHED_SIGNAL; + +/* ============================================================================================== + */ + +#define SIZEOF_DEBUGGEE_SEND_GENERAL_PACKET_FROM_DEBUGGEE_TO_DEBUGGER \ + sizeof(DEBUGGEE_SEND_GENERAL_PACKET_FROM_DEBUGGEE_TO_DEBUGGER) /** - * @brief request for callstack frames + * @brief request for send general packets from debuggee to debugger * */ -typedef struct _DEBUGGER_CALLSTACK_REQUEST +typedef struct _DEBUGGEE_SEND_GENERAL_PACKET_FROM_DEBUGGEE_TO_DEBUGGER { - BOOLEAN Is32Bit; - UINT32 KernelStatus; - DEBUGGER_CALLSTACK_DISPLAY_METHOD DisplayMethod; - UINT32 Size; - UINT32 FrameCount; - UINT64 BaseAddress; - UINT64 BufferSize; + DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION RequestedAction; + UINT32 LengthOfBuffer; + BOOLEAN PauseDebuggeeWhenSent; + UINT32 KernelResult; // - // Here is the size of stack frames + // The buffer for the general packet is here // -} DEBUGGER_CALLSTACK_REQUEST, *PDEBUGGER_CALLSTACK_REQUEST; +} DEBUGGEE_SEND_GENERAL_PACKET_FROM_DEBUGGEE_TO_DEBUGGER, + *PDEBUGGEE_SEND_GENERAL_PACKET_FROM_DEBUGGEE_TO_DEBUGGER; /* ============================================================================================== */ -#define SIZEOF_USERMODE_DEBUGGING_THREAD_OR_PROCESS_STATE_DETAILS \ - sizeof(USERMODE_DEBUGGING_THREAD_OR_PROCESS_STATE_DETAILS) - -typedef struct _USERMODE_DEBUGGING_THREAD_OR_PROCESS_STATE_DETAILS -{ - UINT32 ProcessId; - UINT32 ThreadId; - BOOLEAN IsProcess; -} USERMODE_DEBUGGING_THREAD_OR_PROCESS_STATE_DETAILS, *PUSERMODE_DEBUGGING_THREAD_OR_PROCESS_STATE_DETAILS; - -/* 
============================================================================================== - */ +#define SIZEOF_DEBUGGER_SEND_USERMODE_MESSAGES_TO_DEBUGGER \ + sizeof(DEBUGGER_SEND_USERMODE_MESSAGES_TO_DEBUGGER) /** - * @brief Used for run the script + * @brief request for send a user-mode message to debugger * */ -typedef struct _DEBUGGER_EVENT_ACTION_RUN_SCRIPT_CONFIGURATION +typedef struct _DEBUGGER_SEND_USERMODE_MESSAGES_TO_DEBUGGER { - UINT64 ScriptBuffer; - UINT32 ScriptLength; - UINT32 ScriptPointer; - UINT32 OptionalRequestedBufferSize; + UINT32 KernelStatus; + UINT32 Length; -} DEBUGGER_EVENT_ACTION_RUN_SCRIPT_CONFIGURATION, - *PDEBUGGER_EVENT_ACTION_RUN_SCRIPT_CONFIGURATION; + // + // Here is the messages + // + +} DEBUGGER_SEND_USERMODE_MESSAGES_TO_DEBUGGER, + *PDEBUGGER_SEND_USERMODE_MESSAGES_TO_DEBUGGER; + +/* ============================================================================================== + */ + +#define SIZEOF_DEBUGGER_READ_AND_WRITE_ON_MSR \ + sizeof(DEBUGGER_READ_AND_WRITE_ON_MSR) /** - * @brief used in the case of requesting a "request buffer" + * @brief different types of actions on MSRs * */ -typedef struct _DEBUGGER_EVENT_REQUEST_BUFFER +typedef enum _DEBUGGER_MSR_ACTION_TYPE { - BOOLEAN EnabledRequestBuffer; - UINT32 RequestBufferSize; - UINT64 RequstBufferAddress; - -} DEBUGGER_EVENT_REQUEST_BUFFER, *PDEBUGGER_EVENT_REQUEST_BUFFER; + DEBUGGER_MSR_READ, + DEBUGGER_MSR_WRITE +} DEBUGGER_MSR_ACTION_TYPE; /** - * @brief used in the case of custom code requests to the debugger + * @brief request to read or write on MSRs * */ -typedef struct _DEBUGGER_EVENT_REQUEST_CUSTOM_CODE +typedef struct _DEBUGGER_READ_AND_WRITE_ON_MSR { - UINT32 CustomCodeBufferSize; - PVOID CustomCodeBufferAddress; - UINT32 OptionalRequestedBufferSize; + UINT64 Msr; // It's actually a 32-Bit value but let's not mess with a register + UINT32 CoreNumber; // specifies the core to execute wrmsr or read the msr + // 
(DEBUGGER_READ_AND_WRITE_ON_MSR_APPLY_ALL_CORES mean all + // the cores) + DEBUGGER_MSR_ACTION_TYPE + ActionType; // Detects whether user needs wrmsr or rdmsr + UINT64 Value; -} DEBUGGER_EVENT_REQUEST_CUSTOM_CODE, *PDEBUGGER_EVENT_REQUEST_CUSTOM_CODE; +} DEBUGGER_READ_AND_WRITE_ON_MSR, *PDEBUGGER_READ_AND_WRITE_ON_MSR; /* ============================================================================================== */ +#define SIZEOF_DEBUGGER_EDIT_MEMORY sizeof(DEBUGGER_EDIT_MEMORY) + /** - * @brief User-mode debugging actions + * @brief different type of addresses for editing memory * */ -typedef enum _DEBUGGER_UD_COMMAND_ACTION_TYPE +typedef enum _DEBUGGER_EDIT_MEMORY_TYPE { - DEBUGGER_UD_COMMAND_ACTION_TYPE_NONE = 0, - DEBUGGER_UD_COMMAND_ACTION_TYPE_PAUSE, - DEBUGGER_UD_COMMAND_ACTION_TYPE_CONTINUE, - DEBUGGER_UD_COMMAND_ACTION_TYPE_REGULAR_STEP, - -} DEBUGGER_UD_COMMAND_ACTION_TYPE; + EDIT_PHYSICAL_MEMORY, + EDIT_VIRTUAL_MEMORY +} DEBUGGER_EDIT_MEMORY_TYPE; /** - * @brief Description of user-mode debugging actions + * @brief size of editing memory * */ -typedef struct _DEBUGGER_UD_COMMAND_ACTION +typedef enum _DEBUGGER_EDIT_MEMORY_BYTE_SIZE { - DEBUGGER_UD_COMMAND_ACTION_TYPE ActionType; - UINT64 OptionalParam1; - UINT64 OptionalParam2; - UINT64 OptionalParam3; - UINT64 OptionalParam4; - -} DEBUGGER_UD_COMMAND_ACTION, *PDEBUGGER_UD_COMMAND_ACTION; + EDIT_BYTE, + EDIT_DWORD, + EDIT_QWORD +} DEBUGGER_EDIT_MEMORY_BYTE_SIZE; /** - * @brief The structure of command packet in uHyperDbg + * @brief request for edit virtual and physical memory * */ -typedef struct _DEBUGGER_UD_COMMAND_PACKET +typedef struct _DEBUGGER_EDIT_MEMORY { - DEBUGGER_UD_COMMAND_ACTION UdAction; - UINT64 ProcessDebuggingDetailToken; - UINT32 TargetThreadId; - BOOLEAN ApplyToAllPausedThreads; - UINT32 Result; + UINT32 Result; // Result from kernel + UINT64 Address; // Target address to modify + UINT32 ProcessId; // specifies the process id + DEBUGGER_EDIT_MEMORY_TYPE MemoryType; // Type of memory 
+ DEBUGGER_EDIT_MEMORY_BYTE_SIZE ByteSize; // Modification size + UINT32 CountOf64Chunks; + UINT32 FinalStructureSize; + UINT32 KernelStatus; // not used in local debugging -} DEBUGGER_UD_COMMAND_PACKET, *PDEBUGGER_UD_COMMAND_PACKET; +} DEBUGGER_EDIT_MEMORY, *PDEBUGGER_EDIT_MEMORY; /* ============================================================================================== */ +#define SIZEOF_DEBUGGER_SEARCH_MEMORY sizeof(DEBUGGER_SEARCH_MEMORY) + /** - * @brief Debugger process switch and process details + * @brief different types of address for searching on memory * */ -typedef enum _DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_TYPE +typedef enum _DEBUGGER_SEARCH_MEMORY_TYPE { + SEARCH_PHYSICAL_MEMORY, + SEARCH_VIRTUAL_MEMORY, + SEARCH_PHYSICAL_FROM_VIRTUAL_MEMORY, - DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_GET_PROCESS_DETAILS, - DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_GET_PROCESS_LIST, - DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_PERFORM_SWITCH, +} DEBUGGER_SEARCH_MEMORY_TYPE; -} DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_TYPE; +/** + * @brief different sizes on searching memory + * + */ +typedef enum _DEBUGGER_SEARCH_MEMORY_BYTE_SIZE +{ + SEARCH_BYTE, + SEARCH_DWORD, + SEARCH_QWORD + +} DEBUGGER_SEARCH_MEMORY_BYTE_SIZE; /** - * @brief The structure of changing process and show process - * packet in HyperDbg + * @brief request for searching memory * */ -typedef struct _DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_PACKET +typedef struct _DEBUGGER_SEARCH_MEMORY { - DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_TYPE ActionType; - UINT32 ProcessId; - UINT64 Process; - BOOLEAN IsSwitchByClkIntr; - UCHAR ProcessName[16]; - DEBUGGEE_PROCESS_LIST_NEEDED_DETAILS ProcessListSymDetails; - UINT32 Result; + UINT64 Address; // Target address to start searching + UINT64 Length; // Length of bytes to search + UINT32 ProcessId; // specifies the process id + DEBUGGER_SEARCH_MEMORY_TYPE MemoryType; // Type of memory + DEBUGGER_SEARCH_MEMORY_BYTE_SIZE ByteSize; // Modification size + UINT32 CountOf64Chunks; + UINT32 
FinalStructureSize; -} DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_PACKET, *PDEBUGGEE_DETAILS_AND_SWITCH_PROCESS_PACKET; +} DEBUGGER_SEARCH_MEMORY, *PDEBUGGER_SEARCH_MEMORY; /* ============================================================================================== */ -/** - * @brief Debugger size of DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_PACKET - * - */ -#define SIZEOF_DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_PACKET \ - sizeof(DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_PACKET) +#define SIZEOF_DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE \ + sizeof(DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE) /** - * @brief Debugger thread switch and thread details + * @brief request for enable or disable transparent-mode * */ -typedef enum _DEBUGGEE_DETAILS_AND_SWITCH_THREAD_TYPE +typedef struct _DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE { + BOOLEAN IsHide; - DEBUGGEE_DETAILS_AND_SWITCH_THREAD_PERFORM_SWITCH, - DEBUGGEE_DETAILS_AND_SWITCH_THREAD_GET_THREAD_DETAILS, - DEBUGGEE_DETAILS_AND_SWITCH_THREAD_GET_THREAD_LIST, + UINT64 CpuidAverage; + UINT64 CpuidStandardDeviation; + UINT64 CpuidMedian; -} DEBUGGEE_DETAILS_AND_SWITCH_THREAD_TYPE; + UINT64 RdtscAverage; + UINT64 RdtscStandardDeviation; + UINT64 RdtscMedian; -/** - * @brief The structure of changing thead and show thread - * packet in HyperDbg + BOOLEAN TrueIfProcessIdAndFalseIfProcessName; + UINT32 ProcId; + UINT32 LengthOfProcessName; // in the case of !hide name xxx, this parameter + // shows the length of xxx + + UINT64 KernelStatus; /* DEBUGGER_OPERATION_WAS_SUCCESSFUL , + DEBUGGER_ERROR_UNABLE_TO_HIDE_OR_UNHIDE_DEBUGGER + */ + +} DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE, + *PDEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE; + +/* ============================================================================================== */ -typedef struct _DEBUGGEE_DETAILS_AND_SWITCH_THREAD_PACKET -{ - DEBUGGEE_DETAILS_AND_SWITCH_THREAD_TYPE ActionType; - UINT32 ThreadId; - UINT32 ProcessId; - UINT64 Thread; - UINT64 Process; - BOOLEAN 
CheckByClockInterrupt; - UCHAR ProcessName[16]; - DEBUGGEE_THREAD_LIST_NEEDED_DETAILS ThreadListSymDetails; - UINT32 Result; -} DEBUGGEE_DETAILS_AND_SWITCH_THREAD_PACKET, *PDEBUGGEE_DETAILS_AND_SWITCH_THREAD_PACKET; +#define SIZEOF_DEBUGGER_PREPARE_DEBUGGEE sizeof(DEBUGGER_PREPARE_DEBUGGEE) /** - * @brief Debugger size of DEBUGGEE_DETAILS_AND_SWITCH_THREAD_PACKET + * @brief request to make this computer to a debuggee * */ -#define SIZEOF_DEBUGGEE_DETAILS_AND_SWITCH_THREAD_PACKET \ - sizeof(DEBUGGEE_DETAILS_AND_SWITCH_THREAD_PACKET) +typedef struct _DEBUGGER_PREPARE_DEBUGGEE +{ + UINT32 PortAddress; + UINT32 Baudrate; + UINT64 NtoskrnlBaseAddress; + UINT32 Result; // Result from the kernel + CHAR OsName[MAXIMUM_CHARACTER_FOR_OS_NAME]; + +} DEBUGGER_PREPARE_DEBUGGEE, *PDEBUGGER_PREPARE_DEBUGGEE; /* ============================================================================================== */ /** - * @brief stepping and tracking types + * @brief The structure of changing core packet in HyperDbg * */ -typedef enum _DEBUGGER_REMOTE_STEPPING_REQUEST +typedef struct _DEBUGGEE_CHANGE_CORE_PACKET { - DEBUGGER_REMOTE_STEPPING_REQUEST_STEP_IN, - DEBUGGER_REMOTE_STEPPING_REQUEST_INSTRUMENTATION_STEP_IN, - DEBUGGER_REMOTE_STEPPING_REQUEST_INSTRUMENTATION_STEP_IN_FOR_TRACKING, + UINT32 NewCore; + UINT32 Result; - DEBUGGER_REMOTE_STEPPING_REQUEST_STEP_OVER, - DEBUGGER_REMOTE_STEPPING_REQUEST_STEP_OVER_FOR_GU, - DEBUGGER_REMOTE_STEPPING_REQUEST_STEP_OVER_FOR_GU_LAST_INSTRUCTION, +} DEBUGGEE_CHANGE_CORE_PACKET, *PDEBUGGEE_CHANGE_CORE_PACKET; -} DEBUGGER_REMOTE_STEPPING_REQUEST; +/* ============================================================================================== + */ +#define SIZEOF_DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS \ + sizeof(DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS) /** - * @brief The structure of stepping packet in HyperDbg + * @brief different actions of switchings * */ -typedef struct _DEBUGGEE_STEP_PACKET +typedef enum 
_DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_TYPE { - DEBUGGER_REMOTE_STEPPING_REQUEST StepType; - - // - // Only in the case of call instructions - // the 'p' command - // - BOOLEAN IsCurrentInstructionACall; - UINT32 CallLength; + DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_ATTACH, + DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_DETACH, + DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_REMOVE_HOOKS, + DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_KILL_PROCESS, + DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_PAUSE_PROCESS, + DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_SWITCH_BY_PROCESS_OR_THREAD, + DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_QUERY_COUNT_OF_ACTIVE_DEBUGGING_THREADS, -} DEBUGGEE_STEP_PACKET, *PDEBUGGEE_STEP_PACKET; +} DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_TYPE; /** - * @brief default number of instructions used in tracking and stepping + * @brief request for attaching user-mode process * */ -#define DEBUGGER_REMOTE_TRACKING_DEFAULT_COUNT_OF_STEPPING 0xffffffff +typedef struct _DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS +{ + BOOLEAN IsStartingNewProcess; + UINT32 ProcessId; + UINT32 ThreadId; + BOOLEAN CheckCallbackAtFirstInstruction; + BOOLEAN Is32Bit; + BOOLEAN IsPaused; // used in switching to threads + DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_TYPE Action; + UINT32 CountOfActiveDebuggingThreadsAndProcesses; // used in showing the list of active threads/processes + UINT64 Token; + UINT64 Result; + +} DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS, + *PDEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS; /* ============================================================================================== */ +#define SIZEOF_DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS \ + sizeof(DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS) /** - * @brief The structure of .formats result packet in HyperDbg + * @brief different type of process or thread queries * */ -typedef struct _DEBUGGEE_FORMATS_PACKET +typedef enum 
_DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_TYPES { - UINT64 Value; - UINT32 Result; + DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_QUERY_PROCESS_COUNT = 1, + DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_QUERY_THREAD_COUNT = 2, + DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_QUERY_PROCESS_LIST = 3, + DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_QUERY_THREAD_LIST = 4, + DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_QUERY_CURRENT_PROCESS = 5, + DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_QUERY_CURRENT_THREAD = 6, -} DEBUGGEE_FORMATS_PACKET, *PDEBUGGEE_FORMATS_PACKET; +} DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_TYPES; -/* ============================================================================================== +/** + * @brief different actions on showing or querying list of process or threads + * */ +typedef enum _DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_ACTIONS +{ + DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_ACTION_SHOW_INSTANTLY = 1, + DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_ACTION_QUERY_COUNT = 2, + DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_ACTION_QUERY_SAVE_DETAILS = 3, + +} DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_ACTIONS; /** - * @brief The structure of .sym reload packet in HyperDbg + * @brief The structure of needed information to get the details + * of the process from nt!_EPROCESS and location of needed variables * */ -typedef struct _DEBUGGEE_SYMBOL_REQUEST_PACKET +typedef struct _DEBUGGEE_PROCESS_LIST_NEEDED_DETAILS { - UINT32 ProcessId; + UINT64 PsActiveProcessHead; // nt!PsActiveProcessHead + ULONG ImageFileNameOffset; // nt!_EPROCESS.ImageFileName + ULONG UniquePidOffset; // nt!_EPROCESS.UniqueProcessId + ULONG ActiveProcessLinksOffset; // nt!_EPROCESS.ActiveProcessLinks -} DEBUGGEE_SYMBOL_REQUEST_PACKET, *PDEBUGGEE_SYMBOL_REQUEST_PACKET; +} DEBUGGEE_PROCESS_LIST_NEEDED_DETAILS, *PDEBUGGEE_PROCESS_LIST_NEEDED_DETAILS; -/* ============================================================================================== +/** + * @brief The structure of 
needed information to get the details + * of the thread from nt!_ETHREAD and location of needed variables + * */ +typedef struct _DEBUGGEE_THREAD_LIST_NEEDED_DETAILS +{ + UINT32 ThreadListHeadOffset; // nt!_EPROCESS.ThreadListHead + UINT32 ThreadListEntryOffset; // nt!_ETHREAD.ThreadListEntry + UINT32 CidOffset; // nt!_ETHREAD.Cid + UINT64 PsActiveProcessHead; // nt!PsActiveProcessHead + ULONG ActiveProcessLinksOffset; // nt!_EPROCESS.ActiveProcessLinks + UINT64 Process; + +} DEBUGGEE_THREAD_LIST_NEEDED_DETAILS, *PDEBUGGEE_THREAD_LIST_NEEDED_DETAILS; /** - * @brief The structure of bp command packet in HyperDbg + * @brief The structure showing list of processes (details of each + * entry) * */ -typedef struct _DEBUGGEE_BP_PACKET +typedef struct _DEBUGGEE_PROCESS_LIST_DETAILS_ENTRY { - UINT64 Address; - UINT32 Pid; - UINT32 Tid; - UINT32 Core; - BOOLEAN RemoveAfterHit; - BOOLEAN CheckForCallbacks; - UINT32 Result; + UINT64 Eprocess; + UINT32 ProcessId; + UINT64 Cr3; + UCHAR ImageFileName[15 + 1]; -} DEBUGGEE_BP_PACKET, *PDEBUGGEE_BP_PACKET; +} DEBUGGEE_PROCESS_LIST_DETAILS_ENTRY, *PDEBUGGEE_PROCESS_LIST_DETAILS_ENTRY; /** - * @brief breakpoint modification types + * @brief The structure showing list of threads (details of each + * entry) * */ -typedef enum _DEBUGGEE_BREAKPOINT_MODIFICATION_REQUEST +typedef struct _DEBUGGEE_THREAD_LIST_DETAILS_ENTRY { + UINT64 Eprocess; + UINT64 Ethread; + UINT32 ProcessId; + UINT32 ThreadId; + UCHAR ImageFileName[15 + 1]; - DEBUGGEE_BREAKPOINT_MODIFICATION_REQUEST_LIST_BREAKPOINTS, - DEBUGGEE_BREAKPOINT_MODIFICATION_REQUEST_ENABLE, - DEBUGGEE_BREAKPOINT_MODIFICATION_REQUEST_DISABLE, - DEBUGGEE_BREAKPOINT_MODIFICATION_REQUEST_CLEAR, - -} DEBUGGEE_BREAKPOINT_MODIFICATION_REQUEST; +} DEBUGGEE_THREAD_LIST_DETAILS_ENTRY, *PDEBUGGEE_THREAD_LIST_DETAILS_ENTRY; /** - * @brief The structure of breakpoint modification requests packet in HyperDbg + * @brief request for query count of active processes and threads * */ -typedef struct 
_DEBUGGEE_BP_LIST_OR_MODIFY_PACKET +typedef struct _DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS { - UINT64 BreakpointId; - DEBUGGEE_BREAKPOINT_MODIFICATION_REQUEST Request; - UINT32 Result; + DEBUGGEE_PROCESS_LIST_NEEDED_DETAILS ProcessListNeededDetails; + DEBUGGEE_THREAD_LIST_NEEDED_DETAILS ThreadListNeededDetails; + DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_TYPES QueryType; + DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS_ACTIONS QueryAction; + UINT32 Count; + UINT64 Result; -} DEBUGGEE_BP_LIST_OR_MODIFY_PACKET, *PDEBUGGEE_BP_LIST_OR_MODIFY_PACKET; +} DEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS, + *PDEBUGGER_QUERY_ACTIVE_PROCESSES_OR_THREADS; /* ============================================================================================== */ /** - * @brief Whether a jump is taken or not taken + * @brief The structure for saving the callstack frame of one parameter * */ -typedef enum _DEBUGGER_CONDITIONAL_JUMP_STATUS +typedef struct _DEBUGGER_SINGLE_CALLSTACK_FRAME { + BOOLEAN IsStackAddressValid; + BOOLEAN IsValidAddress; + BOOLEAN IsExecutable; + UINT64 Value; + BYTE InstructionBytesOnRip[MAXIMUM_CALL_INSTR_SIZE]; - DEBUGGER_CONDITIONAL_JUMP_STATUS_ERROR = 0, - DEBUGGER_CONDITIONAL_JUMP_STATUS_NOT_CONDITIONAL_JUMP, - DEBUGGER_CONDITIONAL_JUMP_STATUS_JUMP_IS_TAKEN, - DEBUGGER_CONDITIONAL_JUMP_STATUS_JUMP_IS_NOT_TAKEN, +} DEBUGGER_SINGLE_CALLSTACK_FRAME, *PDEBUGGER_SINGLE_CALLSTACK_FRAME; -} DEBUGGER_CONDITIONAL_JUMP_STATUS; +#define SIZEOF_DEBUGGER_CALLSTACK_REQUEST \ + sizeof(DEBUGGER_CALLSTACK_REQUEST) -/* ============================================================================================== +/** + * @brief callstack showing method + * */ +typedef enum _DEBUGGER_CALLSTACK_DISPLAY_METHOD +{ + DEBUGGER_CALLSTACK_DISPLAY_METHOD_WITHOUT_PARAMS, + DEBUGGER_CALLSTACK_DISPLAY_METHOD_WITH_PARAMS, + +} DEBUGGER_CALLSTACK_DISPLAY_METHOD; /** - * @brief The structure of script packet in HyperDbg + * @brief request for callstack frames * */ -typedef struct 
_DEBUGGEE_SCRIPT_PACKET +typedef struct _DEBUGGER_CALLSTACK_REQUEST { - UINT32 ScriptBufferSize; - UINT32 ScriptBufferPointer; - BOOLEAN IsFormat; - UINT32 Result; + BOOLEAN Is32Bit; + UINT32 KernelStatus; + DEBUGGER_CALLSTACK_DISPLAY_METHOD DisplayMethod; + UINT32 Size; + UINT32 FrameCount; + UINT64 BaseAddress; + UINT64 BufferSize; // - // The script buffer is here + // Here is the size of stack frames // -} DEBUGGEE_SCRIPT_PACKET, *PDEBUGGEE_SCRIPT_PACKET; +} DEBUGGER_CALLSTACK_REQUEST, *PDEBUGGER_CALLSTACK_REQUEST; + +/* ============================================================================================== + */ +#define SIZEOF_USERMODE_DEBUGGING_THREAD_OR_PROCESS_STATE_DETAILS \ + sizeof(USERMODE_DEBUGGING_THREAD_OR_PROCESS_STATE_DETAILS) + +typedef struct _USERMODE_DEBUGGING_THREAD_OR_PROCESS_STATE_DETAILS +{ + UINT32 ProcessId; + UINT32 ThreadId; + BOOLEAN IsProcess; + +} USERMODE_DEBUGGING_THREAD_OR_PROCESS_STATE_DETAILS, *PUSERMODE_DEBUGGING_THREAD_OR_PROCESS_STATE_DETAILS; /* ============================================================================================== */ /** - * @brief The structure of result of search packet in HyperDbg + * @brief Used for run the script * */ -typedef struct _DEBUGGEE_RESULT_OF_SEARCH_PACKET +typedef struct _DEBUGGER_EVENT_ACTION_RUN_SCRIPT_CONFIGURATION { - UINT32 CountOfResults; - UINT32 Result; + UINT64 ScriptBuffer; + UINT32 ScriptLength; + UINT32 ScriptPointer; + UINT32 OptionalRequestedBufferSize; -} DEBUGGEE_RESULT_OF_SEARCH_PACKET, *PDEBUGGEE_RESULT_OF_SEARCH_PACKET; +} DEBUGGER_EVENT_ACTION_RUN_SCRIPT_CONFIGURATION, + *PDEBUGGER_EVENT_ACTION_RUN_SCRIPT_CONFIGURATION; + +/** + * @brief used in the case of requesting a "request buffer" + * + */ +typedef struct _DEBUGGER_EVENT_REQUEST_BUFFER +{ + BOOLEAN EnabledRequestBuffer; + UINT32 RequestBufferSize; + UINT64 RequstBufferAddress; -/* ============================================================================================== - */ +} 
DEBUGGER_EVENT_REQUEST_BUFFER, *PDEBUGGER_EVENT_REQUEST_BUFFER; /** - * @brief Register Descriptor Structure to use in r command. + * @brief used in the case of custom code requests to the debugger * */ -typedef struct _DEBUGGEE_REGISTER_READ_DESCRIPTION +typedef struct _DEBUGGER_EVENT_REQUEST_CUSTOM_CODE { - UINT32 RegisterID; // the number is from REGS_ENUM - UINT64 Value; - UINT32 KernelStatus; + UINT32 CustomCodeBufferSize; + PVOID CustomCodeBufferAddress; + UINT32 OptionalRequestedBufferSize; -} DEBUGGEE_REGISTER_READ_DESCRIPTION, *PDEBUGGEE_REGISTER_READ_DESCRIPTION; +} DEBUGGER_EVENT_REQUEST_CUSTOM_CODE, *PDEBUGGER_EVENT_REQUEST_CUSTOM_CODE; /* ============================================================================================== */ - -//..\..\..\bin\debug\SDK\Headers\Symbols.h /** - * @file Symbols.h - * @author Sina Karvandi (sina@hyperdbg.org) - * @brief HyperDbg's SDK Header Files For Symbol Parsing - * @details This file contains definitions of symbol parsers - * @version 0.2 - * @date 2022-06-24 - * - * @copyright This project is released under the GNU Public License v3. 
+ * @brief User-mode debugging actions * */ -#pragma once +typedef enum _DEBUGGER_UD_COMMAND_ACTION_TYPE +{ + DEBUGGER_UD_COMMAND_ACTION_TYPE_NONE = 0, + DEBUGGER_UD_COMMAND_ACTION_TYPE_PAUSE, + DEBUGGER_UD_COMMAND_ACTION_TYPE_CONTINUE, + DEBUGGER_UD_COMMAND_ACTION_TYPE_REGULAR_STEP, -////////////////////////////////////////////////// -// Symbols Details // -////////////////////////////////////////////////// +} DEBUGGER_UD_COMMAND_ACTION_TYPE; /** - * @brief structures for sending and saving details - * about each module and symbols details + * @brief Description of user-mode debugging actions * */ -typedef struct _MODULE_SYMBOL_DETAIL -{ - BOOLEAN IsSymbolDetailsFound; // TRUE if the details of symbols found, FALSE if not found - BOOLEAN IsLocalSymbolPath; // TRUE if the ModuleSymbolPath is a real path - // and FALSE if ModuleSymbolPath is just a module name - BOOLEAN IsSymbolPDBAvaliable; // TRUE if the module's pdb is available(if exists in the sympath) - BOOLEAN IsUserMode; // TRUE if the module is a user-mode module - BOOLEAN Is32Bit; // TRUE if the module is a 32-bit - UINT64 BaseAddress; - char FilePath[MAX_PATH]; - char ModuleSymbolPath[MAX_PATH]; - char ModuleSymbolGuidAndAge[MAXIMUM_GUID_AND_AGE_SIZE]; - -} MODULE_SYMBOL_DETAIL, *PMODULE_SYMBOL_DETAIL; - -typedef struct _USERMODE_LOADED_MODULE_SYMBOLS +typedef struct _DEBUGGER_UD_COMMAND_ACTION { - UINT64 BaseAddress; - UINT64 Entrypoint; - wchar_t FilePath[MAX_PATH]; + DEBUGGER_UD_COMMAND_ACTION_TYPE ActionType; + UINT64 OptionalParam1; + UINT64 OptionalParam2; + UINT64 OptionalParam3; + UINT64 OptionalParam4; -} USERMODE_LOADED_MODULE_SYMBOLS, *PUSERMODE_LOADED_MODULE_SYMBOLS; +} DEBUGGER_UD_COMMAND_ACTION, *PDEBUGGER_UD_COMMAND_ACTION; -typedef struct _USERMODE_LOADED_MODULE_DETAILS +/** + * @brief The structure of command packet in uHyperDbg + * + */ +typedef struct _DEBUGGER_UD_COMMAND_PACKET { - UINT32 ProcessId; - BOOLEAN OnlyCountModules; - BOOLEAN Is32Bit; - UINT32 ModulesCount; - UINT32 Result; 
- - // - // Here is a list of USERMODE_LOADED_MODULE_SYMBOLS (appended) - // + DEBUGGER_UD_COMMAND_ACTION UdAction; + UINT64 ProcessDebuggingDetailToken; + UINT32 TargetThreadId; + BOOLEAN ApplyToAllPausedThreads; + UINT32 Result; -} USERMODE_LOADED_MODULE_DETAILS, *PUSERMODE_LOADED_MODULE_DETAILS; +} DEBUGGER_UD_COMMAND_PACKET, *PDEBUGGER_UD_COMMAND_PACKET; -/** - * @brief Callback type that should be used to add - * list of Addresses to ObjectNames - * +/* ============================================================================================== */ -typedef VOID (*SymbolMapCallback)(UINT64 Address, char * ModuleName, char * ObjectName, unsigned int ObjectSize); /** - * @brief request to add new symbol detail or update a previous - * symbol table entry + * @brief Debugger process switch and process details * */ -typedef struct _DEBUGGER_UPDATE_SYMBOL_TABLE +typedef enum _DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_TYPE { - UINT32 TotalSymbols; - UINT32 CurrentSymbolIndex; - MODULE_SYMBOL_DETAIL SymbolDetailPacket; -} DEBUGGER_UPDATE_SYMBOL_TABLE, *PDEBUGGER_UPDATE_SYMBOL_TABLE; + DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_GET_PROCESS_DETAILS, + DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_GET_PROCESS_LIST, + DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_PERFORM_SWITCH, -/* -============================================================================================== - */ +} DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_TYPE; /** - * @brief request that shows, symbol reload process is finished + * @brief The structure of changing process and show process + * packet in HyperDbg * */ -typedef struct _DEBUGGEE_SYMBOL_UPDATE_RESULT +typedef struct _DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_PACKET { - UINT64 KernelStatus; // Kernel put the status in this field + DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_TYPE ActionType; + UINT32 ProcessId; + UINT64 Process; + BOOLEAN IsSwitchByClkIntr; + UCHAR ProcessName[16]; + DEBUGGEE_PROCESS_LIST_NEEDED_DETAILS ProcessListSymDetails; + UINT32 Result; -} 
DEBUGGEE_SYMBOL_UPDATE_RESULT, *PDEBUGGEE_SYMBOL_UPDATE_RESULT; +} DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_PACKET, *PDEBUGGEE_DETAILS_AND_SWITCH_PROCESS_PACKET; -/* -============================================================================================== +/* ============================================================================================== */ - -//..\..\..\bin\debug\SDK\Imports\HyperDbgCtrlImports.h /** - * @file HyperDbgCtrlImports.h - * @author Sina Karvandi (sina@hyperdbg.org) - * @brief Headers relating exported functions from controller interface - * @version 0.2 - * @date 2023-02-02 - * - * @copyright This project is released under the GNU Public License v3. + * @brief Debugger size of DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_PACKET * */ -#pragma once - -#ifdef HYPERDBG_HPRDBGCTRL -# define IMPORT_EXPORT_CTRL __declspec(dllexport) -#else -# define IMPORT_EXPORT_CTRL __declspec(dllimport) -#endif - -// -// Header file of HPRDBGCTRL -// Imports -// -#ifdef __cplusplus -extern "C" { -#endif - -// -// Support Detection -// -IMPORT_EXPORT_CTRL bool HyperDbgVmxSupportDetection(); -IMPORT_EXPORT_CTRL void HyperDbgReadVendorString(char *); - -// -// VMM Module -// -IMPORT_EXPORT_CTRL int HyperDbgLoadVmm(); -IMPORT_EXPORT_CTRL int HyperDbgUnloadVmm(); -IMPORT_EXPORT_CTRL int HyperDbgInstallVmmDriver(); -IMPORT_EXPORT_CTRL int HyperDbgUninstallVmmDriver(); -IMPORT_EXPORT_CTRL int HyperDbgStopVmmDriver(); - -// -// General imports -// -IMPORT_EXPORT_CTRL int HyperDbgInterpreter(char * Command); -IMPORT_EXPORT_CTRL void HyperDbgShowSignature(); -IMPORT_EXPORT_CTRL void HyperDbgSetTextMessageCallback(Callback handler); -IMPORT_EXPORT_CTRL int HyperDbgScriptReadFileAndExecuteCommandline(int argc, char * argv[]); -IMPORT_EXPORT_CTRL bool HyperDbgContinuePreviousCommand(); -IMPORT_EXPORT_CTRL bool HyperDbgCheckMultilineCommand(char * CurrentCommand, bool Reset); - -#ifdef __cplusplus -} -#endif - +#define SIZEOF_DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_PACKET \ + 
sizeof(DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_PACKET) -//..\..\..\bin\debug\SDK\Imports\HyperDbgHyperLogImports.h /** - * @file HyperDbgHyperLogImports.h - * @author Sina Karvandi (sina@hyperdbg.org) - * @brief Headers relating exported functions from hyperlog project - * @version 0.1 - * @date 2023-01-15 - * - * @copyright This project is released under the GNU Public License v3. + * @brief Debugger thread switch and thread details * */ -#pragma once - -#ifdef HYPERDBG_HYPER_LOG -# define IMPORT_EXPORT_HYPERLOG __declspec(dllexport) -#else -# define IMPORT_EXPORT_HYPERLOG __declspec(dllimport) -#endif - -////////////////////////////////////////////////// -// Functions // -////////////////////////////////////////////////// - -IMPORT_EXPORT_HYPERLOG BOOLEAN -LogInitialize(MESSAGE_TRACING_CALLBACKS * MsgTracingCallbacks); - -IMPORT_EXPORT_HYPERLOG VOID -LogUnInitialize(); +typedef enum _DEBUGGEE_DETAILS_AND_SWITCH_THREAD_TYPE +{ -IMPORT_EXPORT_HYPERLOG UINT32 -LogMarkAllAsRead(BOOLEAN IsVmxRoot); + DEBUGGEE_DETAILS_AND_SWITCH_THREAD_PERFORM_SWITCH, + DEBUGGEE_DETAILS_AND_SWITCH_THREAD_GET_THREAD_DETAILS, + DEBUGGEE_DETAILS_AND_SWITCH_THREAD_GET_THREAD_LIST, -IMPORT_EXPORT_HYPERLOG BOOLEAN -LogCallbackPrepareAndSendMessageToQueue(UINT32 OperationCode, - BOOLEAN IsImmediateMessage, - BOOLEAN ShowCurrentSystemTime, - BOOLEAN Priority, - const char * Fmt, - ...); +} DEBUGGEE_DETAILS_AND_SWITCH_THREAD_TYPE; -IMPORT_EXPORT_HYPERLOG BOOLEAN -LogCallbackPrepareAndSendMessageToQueueWrapper(UINT32 OperationCode, - BOOLEAN IsImmediateMessage, - BOOLEAN ShowCurrentSystemTime, - BOOLEAN Priority, - const char * Fmt, - va_list ArgList); +/** + * @brief The structure of changing thead and show thread + * packet in HyperDbg + */ +typedef struct _DEBUGGEE_DETAILS_AND_SWITCH_THREAD_PACKET +{ + DEBUGGEE_DETAILS_AND_SWITCH_THREAD_TYPE ActionType; + UINT32 ThreadId; + UINT32 ProcessId; + UINT64 Thread; + UINT64 Process; + BOOLEAN CheckByClockInterrupt; + UCHAR ProcessName[16]; + 
DEBUGGEE_THREAD_LIST_NEEDED_DETAILS ThreadListSymDetails; + UINT32 Result; -IMPORT_EXPORT_HYPERLOG BOOLEAN -LogCallbackSendBuffer(_In_ UINT32 OperationCode, - _In_reads_bytes_(BufferLength) PVOID Buffer, - _In_ UINT32 BufferLength, - _In_ BOOLEAN Priority); +} DEBUGGEE_DETAILS_AND_SWITCH_THREAD_PACKET, *PDEBUGGEE_DETAILS_AND_SWITCH_THREAD_PACKET; -IMPORT_EXPORT_HYPERLOG BOOLEAN -LogCallbackCheckIfBufferIsFull(BOOLEAN Priority); +/** + * @brief Debugger size of DEBUGGEE_DETAILS_AND_SWITCH_THREAD_PACKET + * + */ +#define SIZEOF_DEBUGGEE_DETAILS_AND_SWITCH_THREAD_PACKET \ + sizeof(DEBUGGEE_DETAILS_AND_SWITCH_THREAD_PACKET) -IMPORT_EXPORT_HYPERLOG BOOLEAN -LogCallbackSendMessageToQueue(UINT32 OperationCode, BOOLEAN IsImmediateMessage, CHAR * LogMessage, UINT32 BufferLen, BOOLEAN Priority); +/* ============================================================================================== + */ -IMPORT_EXPORT_HYPERLOG NTSTATUS -LogRegisterEventBasedNotification(PDEVICE_OBJECT DeviceObject, PIRP Irp); +/** + * @brief stepping and tracking types + * + */ +typedef enum _DEBUGGER_REMOTE_STEPPING_REQUEST +{ + DEBUGGER_REMOTE_STEPPING_REQUEST_STEP_IN, + DEBUGGER_REMOTE_STEPPING_REQUEST_INSTRUMENTATION_STEP_IN, + DEBUGGER_REMOTE_STEPPING_REQUEST_INSTRUMENTATION_STEP_IN_FOR_TRACKING, -IMPORT_EXPORT_HYPERLOG NTSTATUS -LogRegisterIrpBasedNotification(PDEVICE_OBJECT DeviceObject, PIRP Irp); + DEBUGGER_REMOTE_STEPPING_REQUEST_STEP_OVER, + DEBUGGER_REMOTE_STEPPING_REQUEST_STEP_OVER_FOR_GU, + DEBUGGER_REMOTE_STEPPING_REQUEST_STEP_OVER_FOR_GU_LAST_INSTRUCTION, +} DEBUGGER_REMOTE_STEPPING_REQUEST; -//..\..\..\bin\debug\SDK\Imports\HyperDbgHyperLogIntrinsics.h /** - * @file HyperDbgHyperLogIntrinsics.h - * @author Sina Karvandi (sina@hyperdbg.org) - * @brief Headers relating exported functions from hyperlog project - * @version 0.1 - * @date 2023-01-15 + * @brief The structure of stepping packet in HyperDbg * - * @copyright This project is released under the GNU Public License v3. 
+ */ +typedef struct _DEBUGGEE_STEP_PACKET +{ + DEBUGGER_REMOTE_STEPPING_REQUEST StepType; + + // + // Only in the case of call instructions + // the 'p' command + // + BOOLEAN IsCurrentInstructionACall; + UINT32 CallLength; + +} DEBUGGEE_STEP_PACKET, *PDEBUGGEE_STEP_PACKET; + +/** + * @brief default number of instructions used in tracking and stepping * */ -#pragma once +#define DEBUGGER_REMOTE_TRACKING_DEFAULT_COUNT_OF_STEPPING 0xffffffff -////////////////////////////////////////////////// -// Enums // -////////////////////////////////////////////////// +/* ============================================================================================== + */ /** - * @brief Types of log messages + * @brief The structure of .formats result packet in HyperDbg * */ -typedef enum _LOG_TYPE +typedef struct _DEBUGGEE_FORMATS_PACKET { - LOG_INFO, - LOG_WARNING, - LOG_ERROR + UINT64 Value; + UINT32 Result; -} LOG_TYPE; +} DEBUGGEE_FORMATS_PACKET, *PDEBUGGEE_FORMATS_PACKET; -////////////////////////////////////////////////// -// Logging // -////////////////////////////////////////////////// +/* ============================================================================================== + */ /** - * @brief Define log variables + * @brief The structure of .sym reload packet in HyperDbg * */ -#if UseDbgPrintInsteadOfUsermodeMessageTracking -/* Use DbgPrint */ -# define Logformat, ...) \ - DbgPrint("[+] Information (%s:%d) | " format "\n", \ - __func__, \ - __LINE__, \ - __VA_ARGS__) +typedef struct _DEBUGGEE_SYMBOL_REQUEST_PACKET +{ + UINT32 ProcessId; -# define LogWarning(format, ...) \ - DbgPrint("[-] Warning (%s:%d) | " format "\n", \ - __func__, \ - __LINE__, \ - __VA_ARGS__) +} DEBUGGEE_SYMBOL_REQUEST_PACKET, *PDEBUGGEE_SYMBOL_REQUEST_PACKET; -# define LogError(format, ...) \ - DbgPrint("[!] 
Error (%s:%d) | " format "\n", \ - __func__, \ - __LINE__, \ - __VA_ARGS__); \ - DbgBreakPoint() +/* ============================================================================================== + */ /** - * @brief Log without any prefix + * @brief The structure of bp command packet in HyperDbg * */ -# define Log(format, ...) \ - DbgPrint(format, __VA_ARGS__) +typedef struct _DEBUGGEE_BP_PACKET +{ + UINT64 Address; + UINT32 Pid; + UINT32 Tid; + UINT32 Core; + BOOLEAN RemoveAfterHit; + BOOLEAN CheckForCallbacks; + UINT32 Result; -#else +} DEBUGGEE_BP_PACKET, *PDEBUGGEE_BP_PACKET; /** - * @brief Log, general + * @brief breakpoint modification types * */ -# define LogInfo(format, ...) \ - LogCallbackPrepareAndSendMessageToQueue(OPERATION_LOG_INFO_MESSAGE, \ - UseImmediateMessaging, \ - ShowSystemTimeOnDebugMessages, \ - FALSE, \ - "[+] Information (%s:%d) | " format "\n", \ - __func__, \ - __LINE__, \ - __VA_ARGS__) +typedef enum _DEBUGGEE_BREAKPOINT_MODIFICATION_REQUEST +{ + + DEBUGGEE_BREAKPOINT_MODIFICATION_REQUEST_LIST_BREAKPOINTS, + DEBUGGEE_BREAKPOINT_MODIFICATION_REQUEST_ENABLE, + DEBUGGEE_BREAKPOINT_MODIFICATION_REQUEST_DISABLE, + DEBUGGEE_BREAKPOINT_MODIFICATION_REQUEST_CLEAR, + +} DEBUGGEE_BREAKPOINT_MODIFICATION_REQUEST; /** - * @brief Log in the case of priority message + * @brief The structure of breakpoint modification requests packet in HyperDbg * */ -# define LogInfoPriority(format, ...) 
\ - LogCallbackPrepareAndSendMessageToQueue(OPERATION_LOG_INFO_MESSAGE, \ - TRUE, \ - ShowSystemTimeOnDebugMessages, \ - TRUE, \ - "[+] Information (%s:%d) | " format "\n", \ - __func__, \ - __LINE__, \ - __VA_ARGS__) +typedef struct _DEBUGGEE_BP_LIST_OR_MODIFY_PACKET +{ + UINT64 BreakpointId; + DEBUGGEE_BREAKPOINT_MODIFICATION_REQUEST Request; + UINT32 Result; -/** - * @brief Log in the case of warning - * +} DEBUGGEE_BP_LIST_OR_MODIFY_PACKET, *PDEBUGGEE_BP_LIST_OR_MODIFY_PACKET; + +/* ============================================================================================== */ -# define LogWarning(format, ...) \ - LogCallbackPrepareAndSendMessageToQueue(OPERATION_LOG_WARNING_MESSAGE, \ - UseImmediateMessaging, \ - ShowSystemTimeOnDebugMessages, \ - TRUE, \ - "[-] Warning (%s:%d) | " format "\n", \ - __func__, \ - __LINE__, \ - __VA_ARGS__) /** - * @brief Log in the case of error + * @brief Whether a jump is taken or not taken * */ -# define LogError(format, ...) \ - LogCallbackPrepareAndSendMessageToQueue(OPERATION_LOG_ERROR_MESSAGE, \ - UseImmediateMessaging, \ - ShowSystemTimeOnDebugMessages, \ - TRUE, \ - "[!] Error (%s:%d) | " format "\n", \ - __func__, \ - __LINE__, \ - __VA_ARGS__); \ - if (DebugMode) \ - DbgBreakPoint() +typedef enum _DEBUGGER_CONDITIONAL_JUMP_STATUS +{ + + DEBUGGER_CONDITIONAL_JUMP_STATUS_ERROR = 0, + DEBUGGER_CONDITIONAL_JUMP_STATUS_NOT_CONDITIONAL_JUMP, + DEBUGGER_CONDITIONAL_JUMP_STATUS_JUMP_IS_TAKEN, + DEBUGGER_CONDITIONAL_JUMP_STATUS_JUMP_IS_NOT_TAKEN, + +} DEBUGGER_CONDITIONAL_JUMP_STATUS; + +/* ============================================================================================== + */ /** - * @brief Log without any prefix + * @brief The structure of script packet in HyperDbg * */ -# define Log(format, ...) 
\ - LogCallbackPrepareAndSendMessageToQueue(OPERATION_LOG_INFO_MESSAGE, \ - TRUE, \ - FALSE, \ - FALSE, \ - format, \ - __VA_ARGS__) +typedef struct _DEBUGGEE_SCRIPT_PACKET +{ + UINT32 ScriptBufferSize; + UINT32 ScriptBufferPointer; + BOOLEAN IsFormat; + UINT32 Result; + + // + // The script buffer is here + // + +} DEBUGGEE_SCRIPT_PACKET, *PDEBUGGEE_SCRIPT_PACKET; + +/* ============================================================================================== + */ /** - * @brief Log without any prefix and bypass the stack - * problem (getting two temporary stacks in preparing phase) + * @brief The structure of result of search packet in HyperDbg * */ -# define LogSimpleWithTag(tag, isimmdte, buffer, len) \ - LogCallbackSendMessageToQueue(tag, \ - isimmdte, \ - buffer, \ - len, \ - FALSE) +typedef struct _DEBUGGEE_RESULT_OF_SEARCH_PACKET +{ + UINT32 CountOfResults; + UINT32 Result; -#endif // UseDbgPrintInsteadOfUsermodeMessageTracking +} DEBUGGEE_RESULT_OF_SEARCH_PACKET, *PDEBUGGEE_RESULT_OF_SEARCH_PACKET; + +/* ============================================================================================== + */ /** - * @brief Log, initialize boot information and debug information + * @brief Register Descriptor Structure to use in r command. * */ -#define LogDebugInfo(format, ...) \ - if (DebugMode) \ - LogCallbackPrepareAndSendMessageToQueue(OPERATION_LOG_INFO_MESSAGE, \ - UseImmediateMessaging, \ - ShowSystemTimeOnDebugMessages, \ - FALSE, \ - "[+] Information (%s:%d) | " format "\n", \ - __func__, \ - __LINE__, \ - __VA_ARGS__) +typedef struct _DEBUGGEE_REGISTER_READ_DESCRIPTION +{ + UINT32 RegisterID; // the number is from REGS_ENUM + UINT64 Value; + UINT32 KernelStatus; + +} DEBUGGEE_REGISTER_READ_DESCRIPTION, *PDEBUGGEE_REGISTER_READ_DESCRIPTION; + +/* ============================================================================================== + */ //..\..\..\bin\debug\SDK\Imports\HyperDbgRevImports.h 
@@ -4601,82 +5124,6 @@ ScriptEngineShowDataBasedOnSymbolTypes(const char * TypeName, UINT64 Address, BO #endif -//..\..\..\bin\debug\SDK\Imports\HyperDbgSymImports.h -/** - * @file HyperDbgSymImports.h - * @author Sina Karvandi (sina@hyperdbg.org) - * @brief Headers relating exported functions from symbol parser - * @version 0.2 - * @date 2023-02-02 - * - * @copyright This project is released under the GNU Public License v3. - * - */ -#pragma once - -// -// Header file of symbol-parser -// Imports -// -#ifdef __cplusplus -extern "C" { -#endif - -__declspec(dllimport) VOID - SymSetTextMessageCallback(PVOID Handler); -__declspec(dllimport) VOID - SymbolAbortLoading(); -__declspec(dllimport) UINT64 - SymConvertNameToAddress(const char * FunctionOrVariableName, PBOOLEAN WasFound); -__declspec(dllimport) UINT32 - SymLoadFileSymbol(UINT64 BaseAddress, const char * PdbFileName, const char * CustomModuleName); -__declspec(dllimport) UINT32 - SymUnloadAllSymbols(); -__declspec(dllimport) UINT32 - SymUnloadModuleSymbol(char * ModuleName); -__declspec(dllimport) UINT32 - SymSearchSymbolForMask(const char * SearchMask); -__declspec(dllimport) BOOLEAN - SymGetFieldOffset(CHAR * TypeName, CHAR * FieldName, UINT32 * FieldOffset); -__declspec(dllimport) BOOLEAN - SymGetDataTypeSize(CHAR * TypeName, UINT64 * TypeSize); -__declspec(dllimport) BOOLEAN - SymCreateSymbolTableForDisassembler(void * CallbackFunction); -__declspec(dllimport) BOOLEAN - SymConvertFileToPdbPath(const char * LocalFilePath, char * ResultPath); -__declspec(dllimport) BOOLEAN - SymConvertFileToPdbFileAndGuidAndAgeDetails(const char * LocalFilePath, - char * PdbFilePath, - char * GuidAndAgeDetails, - BOOLEAN Is32BitModule); -__declspec(dllimport) BOOLEAN - SymbolInitLoad(PVOID BufferToStoreDetails, - UINT32 StoredLength, - BOOLEAN DownloadIfAvailable, - const char * SymbolPath, - BOOLEAN IsSilentLoad); -__declspec(dllimport) BOOLEAN - SymShowDataBasedOnSymbolTypes(const char * TypeName, - UINT64 Address, - 
BOOLEAN IsStruct, - PVOID BufferAddress, - const char * AdditionalParameters); -__declspec(dllimport) BOOLEAN - SymQuerySizeof(_In_ const char * StructNameOrTypeName, _Out_ UINT32 * SizeOfField); -__declspec(dllimport) BOOLEAN - SymCastingQueryForFiledsAndTypes(_In_ const char * StructName, - _In_ const char * FiledOfStructName, - _Out_ PBOOLEAN IsStructNamePointerOrNot, - _Out_ PBOOLEAN IsFiledOfStructNamePointerOrNot, - _Out_ char ** NewStructOrTypeName, - _Out_ UINT32 * OffsetOfFieldFromTop, - _Out_ UINT32 * SizeOfField); - -#ifdef __cplusplus -} -#endif - - //..\..\..\bin\debug\SDK\Imports\HyperDbgVmmImports.h /** * @file HyperDbgVmmImports.h 
@@ -5497,395 +5944,111 @@ SetGuestDr6(UINT64 value); IMPORT_EXPORT_VMM VOID SetGuestDr7(UINT64 value); -IMPORT_EXPORT_VMM BOOLEAN -SetDebugRegisters(UINT32 DebugRegNum, DEBUG_REGISTER_TYPE ActionType, BOOLEAN ApplyToVmcs, UINT64 TargetAddress); - -////////////////////////////////////////////////// -// Transparent Mode // -////////////////////////////////////////////////// - -IMPORT_EXPORT_VMM NTSTATUS -TransparentHideDebugger(PDEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE Measurements); - -IMPORT_EXPORT_VMM NTSTATUS -TransparentUnhideDebugger(); - -////////////////////////////////////////////////// -// Non-internal Broadcasting Functions // -////////////////////////////////////////////////// - -IMPORT_EXPORT_VMM VOID -BroadcastEnableBreakpointExitingOnExceptionBitmapAllCores(); - -IMPORT_EXPORT_VMM VOID -BroadcastDisableBreakpointExitingOnExceptionBitmapAllCores(); - -IMPORT_EXPORT_VMM VOID -BroadcastEnableDbAndBpExitingAllCores(); - -IMPORT_EXPORT_VMM VOID -BroadcastDisableDbAndBpExitingAllCores(); - -IMPORT_EXPORT_VMM VOID -BroadcastEnableRdtscExitingAllCores(); - -IMPORT_EXPORT_VMM VOID -BroadcastDisableRdtscExitingAllCores(); - -IMPORT_EXPORT_VMM VOID -BroadcastChangeAllMsrBitmapReadAllCores(UINT64 BitmapMask); - -IMPORT_EXPORT_VMM VOID -BroadcastResetChangeAllMsrBitmapReadAllCores(); - -IMPORT_EXPORT_VMM VOID -BroadcastChangeAllMsrBitmapWriteAllCores(UINT64 BitmapMask); - -IMPORT_EXPORT_VMM VOID -BroadcastResetAllMsrBitmapWriteAllCores(); - -IMPORT_EXPORT_VMM VOID -BroadcastDisableRdtscExitingForClearingEventsAllCores(); - -IMPORT_EXPORT_VMM VOID -BroadcastDisableMov2ControlRegsExitingForClearingEventsAllCores(PDEBUGGER_EVENT_OPTIONS BroadcastingOption); - -IMPORT_EXPORT_VMM VOID -BroadcastDisableMov2DebugRegsExitingForClearingEventsAllCores(); - -IMPORT_EXPORT_VMM VOID -BroadcastEnableRdpmcExitingAllCores(); - -IMPORT_EXPORT_VMM VOID -BroadcastDisableRdpmcExitingAllCores(); - -IMPORT_EXPORT_VMM VOID -BroadcastSetExceptionBitmapAllCores(UINT64 ExceptionIndex); - 
-IMPORT_EXPORT_VMM VOID -BroadcastUnsetExceptionBitmapAllCores(UINT64 ExceptionIndex); - -IMPORT_EXPORT_VMM VOID -BroadcastResetExceptionBitmapAllCores(); - -IMPORT_EXPORT_VMM VOID -BroadcastEnableMovControlRegisterExitingAllCores(PDEBUGGER_EVENT_OPTIONS BroadcastingOption); - -IMPORT_EXPORT_VMM VOID -BroadcastDisableMovToControlRegistersExitingAllCores(PDEBUGGER_EVENT_OPTIONS BroadcastingOption); - -IMPORT_EXPORT_VMM VOID -BroadcastEnableMovDebugRegistersExitingAllCores(); - -IMPORT_EXPORT_VMM VOID -BroadcastDisableMovDebugRegistersExitingAllCores(); - -IMPORT_EXPORT_VMM VOID -BroadcastSetExternalInterruptExitingAllCores(); - -IMPORT_EXPORT_VMM VOID -BroadcastUnsetExternalInterruptExitingOnlyOnClearingInterruptEventsAllCores(); - -IMPORT_EXPORT_VMM VOID -BroadcastIoBitmapChangeAllCores(UINT64 Port); - -IMPORT_EXPORT_VMM VOID -BroadcastIoBitmapResetAllCores(); - -IMPORT_EXPORT_VMM VOID -BroadcastEnableMovToCr3ExitingOnAllProcessors(); - -IMPORT_EXPORT_VMM VOID -BroadcastDisableMovToCr3ExitingOnAllProcessors(); - -IMPORT_EXPORT_VMM VOID -BroadcastEnableEferSyscallEventsOnAllProcessors(); - -IMPORT_EXPORT_VMM VOID -BroadcastDisableEferSyscallEventsOnAllProcessors(); - - -//..\..\..\bin\debug\SDK\Modules\HyperLog.h -/** - * @file HyperLog.h - * @author Sina Karvandi (sina@hyperdbg.org) - * @brief HyperDbg's SDK for HyperLog project - * @details This file contains definitions of HyperLog routines - * @version 0.2 - * @date 2023-01-15 - * - * @copyright This project is released under the GNU Public License v3. 
- * - */ -#pragma once - -////////////////////////////////////////////////// -// Callback Types // -////////////////////////////////////////////////// - -/** - * @brief A function that checks whether the current operation - * is on vmx-root mode or not - * - */ -typedef BOOLEAN (*CHECK_VMX_OPERATION)(); - -/** - * @brief A function that checks whether the immediate message - * sending is needed or not - * - */ -typedef BOOLEAN (*CHECK_IMMEDIATE_MESSAGE_SENDING)(UINT32 OperationCode); - -/** - * @brief A function that sends immediate messages - * - */ -typedef BOOLEAN (*SEND_IMMEDIATE_MESSAGE)(CHAR * OptionalBuffer, - UINT32 OptionalBufferLength, - UINT32 OperationCode); - -////////////////////////////////////////////////// -// Callback Structure // -////////////////////////////////////////////////// - -/** - * @brief Prototype of each function needed by message tracer - * - */ -typedef struct _MESSAGE_TRACING_CALLBACKS -{ - CHECK_VMX_OPERATION VmxOperationCheck; - CHECK_IMMEDIATE_MESSAGE_SENDING CheckImmediateMessageSending; - SEND_IMMEDIATE_MESSAGE SendImmediateMessage; - -} MESSAGE_TRACING_CALLBACKS, *PMESSAGE_TRACING_CALLBACKS; - - -//..\..\..\bin\debug\SDK\Modules\VMM.h -/** - * @file VMM.h - * @author Sina Karvandi (sina@hyperdbg.org) - * @brief HyperDbg's SDK for VMM project - * @details This file contains definitions of HyperLog routines - * @version 0.2 - * @date 2023-01-15 - * - * @copyright This project is released under the GNU Public License v3. 
- * - */ -#pragma once +IMPORT_EXPORT_VMM BOOLEAN +SetDebugRegisters(UINT32 DebugRegNum, DEBUG_REGISTER_TYPE ActionType, BOOLEAN ApplyToVmcs, UINT64 TargetAddress); ////////////////////////////////////////////////// -// Callback Types // +// Transparent Mode // ////////////////////////////////////////////////// -/** - * @brief A function from the message tracer that send the inputs to the - * queue of the messages - * - */ -typedef BOOLEAN (*LOG_CALLBACK_PREPARE_AND_SEND_MESSAGE_TO_QUEUE)(UINT32 OperationCode, - BOOLEAN IsImmediateMessage, - BOOLEAN ShowCurrentSystemTime, - BOOLEAN Priority, - const char * Fmt, - va_list ArgList); +IMPORT_EXPORT_VMM NTSTATUS +TransparentHideDebugger(PDEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE Measurements); -/** - * @brief A function that sends the messages to message tracer buffers - * - */ -typedef BOOLEAN (*LOG_CALLBACK_SEND_MESSAGE_TO_QUEUE)(UINT32 OperationCode, BOOLEAN IsImmediateMessage, CHAR * LogMessage, UINT32 BufferLen, BOOLEAN Priority); +IMPORT_EXPORT_VMM NTSTATUS +TransparentUnhideDebugger(); -/** - * @brief A function that sends the messages to message tracer buffers - * - */ -typedef BOOLEAN (*LOG_CALLBACK_SEND_BUFFER)(_In_ UINT32 OperationCode, - _In_reads_bytes_(BufferLength) PVOID Buffer, - _In_ UINT32 BufferLength, - _In_ BOOLEAN Priority); +////////////////////////////////////////////////// +// Non-internal Broadcasting Functions // +////////////////////////////////////////////////// -/** - * @brief A function that checks whether the priority or regular buffer is full or not - * - */ -typedef BOOLEAN (*LOG_CALLBACK_CHECK_IF_BUFFER_IS_FULL)(BOOLEAN Priority); +IMPORT_EXPORT_VMM VOID +BroadcastEnableBreakpointExitingOnExceptionBitmapAllCores(); -/** - * @brief A function that handles trigger events - * - */ -typedef VMM_CALLBACK_TRIGGERING_EVENT_STATUS_TYPE (*VMM_CALLBACK_TRIGGER_EVENTS)(VMM_EVENT_TYPE_ENUM EventType, - VMM_CALLBACK_EVENT_CALLING_STAGE_TYPE CallingStage, - PVOID Context, - BOOLEAN * 
PostEventRequired, - GUEST_REGS * Regs); +IMPORT_EXPORT_VMM VOID +BroadcastDisableBreakpointExitingOnExceptionBitmapAllCores(); -/** - * @brief A function that checks and handles breakpoints - * - */ -typedef BOOLEAN (*DEBUGGING_CALLBACK_HANDLE_BREAKPOINT_EXCEPTION)(UINT32 CoreId); +IMPORT_EXPORT_VMM VOID +BroadcastEnableDbAndBpExitingAllCores(); -/** - * @brief A function that checks and handles debug breakpoints - * - */ -typedef BOOLEAN (*DEBUGGING_CALLBACK_HANDLE_DEBUG_BREAKPOINT_EXCEPTION)(UINT32 CoreId); +IMPORT_EXPORT_VMM VOID +BroadcastDisableDbAndBpExitingAllCores(); -/** - * @brief Check for page-faults in user-debugger - * - */ -typedef BOOLEAN (*DEBUGGING_CALLBACK_CONDITIONAL_PAGE_FAULT_EXCEPTION)(UINT32 CoreId, - UINT64 Address, - UINT32 PageFaultErrorCode); +IMPORT_EXPORT_VMM VOID +BroadcastEnableRdtscExitingAllCores(); -/** - * @brief Check for commands in user-debugger - * - */ -typedef BOOLEAN (*UD_CHECK_FOR_COMMAND)(); +IMPORT_EXPORT_VMM VOID +BroadcastDisableRdtscExitingAllCores(); -/** - * @brief Handle registered MTF callback - * - */ -typedef VOID (*VMM_CALLBACK_REGISTERED_MTF_HANDLER)(UINT32 CoreId); +IMPORT_EXPORT_VMM VOID +BroadcastChangeAllMsrBitmapReadAllCores(UINT64 BitmapMask); -/** - * @brief Check for user-mode access for loaded module details - * - */ -typedef BOOLEAN (*VMM_CALLBACK_RESTORE_EPT_STATE)(UINT32 CoreId); +IMPORT_EXPORT_VMM VOID +BroadcastResetChangeAllMsrBitmapReadAllCores(); -/** - * @brief Check for unhandled EPT violations - * - */ -typedef BOOLEAN (*VMM_CALLBACK_CHECK_UNHANDLED_EPT_VIOLATION)(UINT32 CoreId, UINT64 ViolationQualification, UINT64 GuestPhysicalAddr); +IMPORT_EXPORT_VMM VOID +BroadcastChangeAllMsrBitmapWriteAllCores(UINT64 BitmapMask); -/** - * @brief Handle cr3 process change callbacks - * - */ -typedef VOID (*INTERCEPTION_CALLBACK_TRIGGER_CR3_CHANGE)(UINT32 CoreId); +IMPORT_EXPORT_VMM VOID +BroadcastResetAllMsrBitmapWriteAllCores(); -/** - * @brief Check for process or thread change callback - * - */ 
-typedef BOOLEAN (*INTERCEPTION_CALLBACK_TRIGGER_CLOCK_AND_IPI)(_In_ UINT32 CoreId); +IMPORT_EXPORT_VMM VOID +BroadcastDisableRdtscExitingForClearingEventsAllCores(); -/** - * @brief Check to handle cr3 events for thread interception - * - */ -typedef BOOLEAN (*ATTACHING_HANDLE_CR3_EVENTS_FOR_THREAD_INTERCEPTION)(UINT32 CoreId, CR3_TYPE NewCr3); +IMPORT_EXPORT_VMM VOID +BroadcastDisableMov2ControlRegsExitingForClearingEventsAllCores(PDEBUGGER_EVENT_OPTIONS BroadcastingOption); -/** - * @brief Check and handle reapplying breakpoint - * - */ -typedef BOOLEAN (*BREAKPOINT_CHECK_AND_HANDLE_REAPPLYING_BREAKPOINT)(UINT32 CoreId); +IMPORT_EXPORT_VMM VOID +BroadcastDisableMov2DebugRegsExitingForClearingEventsAllCores(); -/** - * @brief Handle NMI broadcast - * - */ -typedef VOID (*VMM_CALLBACK_NMI_BROADCAST_REQUEST_HANDLER)(UINT32 CoreId, BOOLEAN IsOnVmxNmiHandler); +IMPORT_EXPORT_VMM VOID +BroadcastEnableRdpmcExitingAllCores(); -/** - * @brief Check and handle NMI callbacks - * - */ -typedef BOOLEAN (*KD_CHECK_AND_HANDLE_NMI_CALLBACK)(UINT32 CoreId); +IMPORT_EXPORT_VMM VOID +BroadcastDisableRdpmcExitingAllCores(); -/** - * @brief Set the top-level driver's error status - * - */ -typedef VOID (*VMM_CALLBACK_SET_LAST_ERROR)(UINT32 LastError); +IMPORT_EXPORT_VMM VOID +BroadcastSetExceptionBitmapAllCores(UINT64 ExceptionIndex); -/** - * @brief Check and modify the protected resources of the hypervisor - * - */ -typedef BOOLEAN (*VMM_CALLBACK_QUERY_TERMINATE_PROTECTED_RESOURCE)(UINT32 CoreId, - PROTECTED_HV_RESOURCES_TYPE ResourceType, - PVOID Context, - PROTECTED_HV_RESOURCES_PASSING_OVERS PassOver); +IMPORT_EXPORT_VMM VOID +BroadcastUnsetExceptionBitmapAllCores(UINT64 ExceptionIndex); -/** - * @brief Query debugger thread or process tracing details by core ID - * - */ -typedef BOOLEAN (*KD_QUERY_DEBUGGER_THREAD_OR_PROCESS_TRACING_DETAILS_BY_CORE_ID)(UINT32 CoreId, - DEBUGGER_THREAD_PROCESS_TRACING TracingType); -/** - * @brief Handler of debugger specific VMCALLs - * - */ 
-typedef BOOLEAN (*VMM_CALLBACK_VMCALL_HANDLER)(UINT32 CoreId, - UINT64 VmcallNumber, - UINT64 OptionalParam1, - UINT64 OptionalParam2, - UINT64 OptionalParam3); +IMPORT_EXPORT_VMM VOID +BroadcastResetExceptionBitmapAllCores(); -////////////////////////////////////////////////// -// Callback Structure // -////////////////////////////////////////////////// +IMPORT_EXPORT_VMM VOID +BroadcastEnableMovControlRegisterExitingAllCores(PDEBUGGER_EVENT_OPTIONS BroadcastingOption); -/** - * @brief Prototype of each function needed by VMM module - * - */ -typedef struct _VMM_CALLBACKS -{ - // - // Log (Hyperlog) callbacks - // - LOG_CALLBACK_PREPARE_AND_SEND_MESSAGE_TO_QUEUE LogCallbackPrepareAndSendMessageToQueueWrapper; // Fixed - LOG_CALLBACK_SEND_MESSAGE_TO_QUEUE LogCallbackSendMessageToQueue; // Fixed - LOG_CALLBACK_SEND_BUFFER LogCallbackSendBuffer; // Fixed - LOG_CALLBACK_CHECK_IF_BUFFER_IS_FULL LogCallbackCheckIfBufferIsFull; // Fixed +IMPORT_EXPORT_VMM VOID +BroadcastDisableMovToControlRegistersExitingAllCores(PDEBUGGER_EVENT_OPTIONS BroadcastingOption); - // - // VMM callbacks - // - VMM_CALLBACK_TRIGGER_EVENTS VmmCallbackTriggerEvents; // Fixed - VMM_CALLBACK_SET_LAST_ERROR VmmCallbackSetLastError; // Fixed - VMM_CALLBACK_VMCALL_HANDLER VmmCallbackVmcallHandler; // Fixed - VMM_CALLBACK_NMI_BROADCAST_REQUEST_HANDLER VmmCallbackNmiBroadcastRequestHandler; // Fixed - VMM_CALLBACK_QUERY_TERMINATE_PROTECTED_RESOURCE VmmCallbackQueryTerminateProtectedResource; // Fixed - VMM_CALLBACK_RESTORE_EPT_STATE VmmCallbackRestoreEptState; // Fixed - VMM_CALLBACK_CHECK_UNHANDLED_EPT_VIOLATION VmmCallbackCheckUnhandledEptViolations; // Fixed +IMPORT_EXPORT_VMM VOID +BroadcastEnableMovDebugRegistersExitingAllCores(); - // - // Debugging callbacks - // - DEBUGGING_CALLBACK_HANDLE_BREAKPOINT_EXCEPTION DebuggingCallbackHandleBreakpointException; // Fixed - DEBUGGING_CALLBACK_HANDLE_DEBUG_BREAKPOINT_EXCEPTION DebuggingCallbackHandleDebugBreakpointException; // Fixed - 
DEBUGGING_CALLBACK_CONDITIONAL_PAGE_FAULT_EXCEPTION DebuggingCallbackConditionalPageFaultException; // Fixed +IMPORT_EXPORT_VMM VOID +BroadcastDisableMovDebugRegistersExitingAllCores(); - // - // Interception callbacks - // - INTERCEPTION_CALLBACK_TRIGGER_CR3_CHANGE InterceptionCallbackTriggerCr3ProcessChange; // Fixed +IMPORT_EXPORT_VMM VOID +BroadcastSetExternalInterruptExitingAllCores(); - // - // Callbacks to be removed - // - BREAKPOINT_CHECK_AND_HANDLE_REAPPLYING_BREAKPOINT BreakpointCheckAndHandleReApplyingBreakpoint; - UD_CHECK_FOR_COMMAND UdCheckForCommand; - KD_CHECK_AND_HANDLE_NMI_CALLBACK KdCheckAndHandleNmiCallback; - VMM_CALLBACK_REGISTERED_MTF_HANDLER VmmCallbackRegisteredMtfHandler; // Fixed but not good - INTERCEPTION_CALLBACK_TRIGGER_CLOCK_AND_IPI DebuggerCheckProcessOrThreadChange; - ATTACHING_HANDLE_CR3_EVENTS_FOR_THREAD_INTERCEPTION AttachingHandleCr3VmexitsForThreadInterception; - KD_QUERY_DEBUGGER_THREAD_OR_PROCESS_TRACING_DETAILS_BY_CORE_ID KdQueryDebuggerQueryThreadOrProcessTracingDetailsByCoreId; +IMPORT_EXPORT_VMM VOID +BroadcastUnsetExternalInterruptExitingOnlyOnClearingInterruptEventsAllCores(); -} VMM_CALLBACKS, *PVMM_CALLBACKS; +IMPORT_EXPORT_VMM VOID +BroadcastIoBitmapChangeAllCores(UINT64 Port); + +IMPORT_EXPORT_VMM VOID +BroadcastIoBitmapResetAllCores(); + +IMPORT_EXPORT_VMM VOID +BroadcastEnableMovToCr3ExitingOnAllProcessors(); + +IMPORT_EXPORT_VMM VOID +BroadcastDisableMovToCr3ExitingOnAllProcessors(); + +IMPORT_EXPORT_VMM VOID +BroadcastEnableEferSyscallEventsOnAllProcessors(); + +IMPORT_EXPORT_VMM VOID +BroadcastDisableEferSyscallEventsOnAllProcessors();