v0.7

v0.7

CHANGELOG.md

@@ -4,12 +4,11 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [0.7.0.0] - 2023-XX-XX
+## [0.7.0.0] - 2023-11-22
 New release of the HyperDbg Debugger.
 
 ### Added
 - HyperDbg now applies events immediately as implemented in the "instant events" mechanism ([link](https://docs.hyperdbg.org/tips-and-tricks/misc/instant-events))
-- **!crwrite** - Control Register Modification Event ([link](https://docs.hyperdbg.org/commands/extension-commands/crwrite))
 - The Event Forwarding mechanism is now supported in the Debugger Mode ([link](https://docs.hyperdbg.org/tips-and-tricks/misc/event-forwarding))
 - The Event Forwarding mechanism now supports external modules (DLLs) ([link](https://docs.hyperdbg.org/tips-and-tricks/misc/event-forwarding))
 - **event_clear(EventId)** function in script engine ([link](https://docs.hyperdbg.org/commands/scripting-language/functions/events/event_clear))
@@ -18,6 +17,7 @@ New release of the HyperDbg Debugger.
 - **strlen** and **wcslen** functions now support string and wide-character string as the input ([link](https://docs.hyperdbg.org/commands/scripting-language/functions/strings/strlen))([link](https://docs.hyperdbg.org/commands/scripting-language/functions/strings/wcslen))
 - **strcmp(Str1, Str2)**, **wcscmp(WStr1, WStr2)** and **memcmp(Ptr1, Ptr2, Num)** functions in script engine thanks to [@xmaple555](https://github.com/xmaple555) ([link](https://docs.hyperdbg.org/commands/scripting-language/functions/strings/strcmp))([link](https://docs.hyperdbg.org/commands/scripting-language/functions/strings/wcscmp))([link](https://docs.hyperdbg.org/commands/scripting-language/functions/memory/memcmp))
 - The debug break interception (\#DB) manipulation option is added to the 'test' command ([link](https://docs.hyperdbg.org/commands/debugging-commands/test))
+- The '.pagein' command, now supports address ranges (length in bytes) to bring multiple pages into the RAM ([link](https://docs.hyperdbg.org/commands/meta-commands/.pagein))
 
 ### Changed
 - Fix the problem with the "less than" and the "greater than" operators for signed numbers thanks to [@xmaple555](https://github.com/xmaple555) ([link](https://github.com/HyperDbg/HyperDbg/pull/279))
@@ -33,6 +33,7 @@ New release of the HyperDbg Debugger.
 - Fix adding pseudo-registers with underscore in the script engine ([link](https://github.com/HyperDbg/HyperDbg/pull/313))
 - Fix the boolean expression interpretation in **if** conditions in the script engine ([link](https://github.com/HyperDbg/HyperDbg/issues/311))
 - HyperDbg now intercepts all debug breaks (\#DBs) if it's not explicitly asked not to by using the 'test' command ([link](https://docs.hyperdbg.org/commands/debugging-commands/test))
+- Fix '%d' bug in script engine ([link](https://github.com/HyperDbg/HyperDbg/pull/318))
 
 ## [0.6.0.0-beta] - 2023-09-25
 New release of the HyperDbg Debugger.

hyperdbg/hprdbgctrl/code/debugger/commands/meta-commands/pagein.cpp

@@ -27,20 +27,22 @@ CommandPageinHelp()
 {
  ShowMessages(".pagein : brings the page in, making it available in the RAM.\n\n");
 
- ShowMessages("syntax : \t.pagein [Mode (string)] [VirtualAddress (hex)]\n");
+ ShowMessages("syntax : \t.pagein [Mode (string)] [l Length (hex)]\n");
+ ShowMessages("syntax : \t.pagein [Mode (string)] [VirtualAddress (hex)] [l Length (hex)]\n");
 
  ShowMessages("\n");
  ShowMessages("\t\te.g : .pagein fffff801deadbeef\n");
+ ShowMessages("\t\te.g : .pagein 00007ff8349f2224 l 1a000\n");
  ShowMessages("\t\te.g : .pagein u 00007ff8349f2224\n");
  ShowMessages("\t\te.g : .pagein w 00007ff8349f2224\n");
  ShowMessages("\t\te.g : .pagein f 00007ff8349f2224\n");
  ShowMessages("\t\te.g : .pagein pw 00007ff8349f2224\n");
  ShowMessages("\t\te.g : .pagein wu 00007ff8349f2224\n");
- ShowMessages("\t\te.g : .pagein wu 00007ff8349f2224\n");
- ShowMessages("\t\te.g : .pagein wu 00007ff8349f2224\n");
+ ShowMessages("\t\te.g : .pagein wu 00007ff8349f2224 l 6000\n");
  ShowMessages("\t\te.g : .pagein pf @rax\n");
  ShowMessages("\t\te.g : .pagein uf @rip+@rcx\n");
  ShowMessages("\t\te.g : .pagein pwu @rax+5\n");
+ ShowMessages("\t\te.g : .pagein pwu @rax l 2000\n");
 
  ShowMessages("\n");
  ShowMessages("valid mode formats: \n");
@@ -158,12 +160,17 @@ CommandPageinCheckAndInterpretModeString(const std::string & ModeString,
 /**
  * @brief request to bring the page(s) in
  *
- * @param SplittedCommand
- * @param Command
+ * @param TargetVirtualAddrFrom
+ * @param TargetVirtualAddrTo
+ * @param PageFaultErrorCode
+ * @param Pid
+ * @param Length
+ *
  * @return VOID
  */
 VOID
-CommandPageinRequest(UINT64 TargetVirtualAddr,
+CommandPageinRequest(UINT64 TargetVirtualAddrFrom,
+ UINT64 TargetVirtualAddrTo,
  PAGE_FAULT_EXCEPTION PageFaultErrorCode,
  UINT32 Pid,
  UINT32 Length)
@@ -176,8 +183,9 @@ CommandPageinRequest(UINT64 TargetVirtualAddr,
  // Prepare the buffer
  // We use same buffer for input and output
  //
- PageFaultRequest.VirtualAddress = TargetVirtualAddr;
- PageFaultRequest.ProcessId = Pid; // null in debugger mode
+ PageFaultRequest.VirtualAddressFrom = TargetVirtualAddrFrom;
+ PageFaultRequest.VirtualAddressTo = TargetVirtualAddrTo;
+ PageFaultRequest.ProcessId = Pid; // null in debugger mode
 
  if (g_IsSerialConnectedToRemoteDebuggee)
  {
@@ -257,12 +265,13 @@ CommandPageinRequest(UINT64 TargetVirtualAddr,
 VOID
 CommandPagein(vector<string> SplittedCommand, string Command)
 {
- UINT32 Pid = 0;
- UINT32 Length = 0;
- UINT64 TargetAddress = 0;
- BOOLEAN IsNextProcessId = FALSE;
- BOOLEAN IsFirstCommand = TRUE;
- BOOLEAN IsNextLength = FALSE;
+ UINT32 Pid = 0;
+ UINT32 Length = 0;
+ UINT64 TargetAddressFrom = NULL;
+ UINT64 TargetAddressTo = NULL;
+ BOOLEAN IsNextProcessId = FALSE;
+ BOOLEAN IsFirstCommand = TRUE;
+ BOOLEAN IsNextLength = FALSE;
  vector<string> SplittedCommandCaseSensitive {Split(Command, ' ')};
  UINT32 IndexInCommandCaseSensitive = 0;
  PAGE_FAULT_EXCEPTION PageFaultErrorCode = {0};
@@ -337,10 +346,10 @@ CommandPagein(vector<string> SplittedCommand, string Command)
  {
  continue;
  }
- else if (TargetAddress == 0)
+ else if (TargetAddressFrom == 0)
  {
  if (!SymbolConvertNameOrExprToAddress(SplittedCommandCaseSensitive.at(IndexInCommandCaseSensitive - 1),
- &TargetAddress))
+ &TargetAddressFrom))
  {
  //
  // Couldn't resolve or unkonwn parameter
@@ -362,7 +371,7 @@ CommandPagein(vector<string> SplittedCommand, string Command)
  }
  }
 
- if (!TargetAddress)
+ if (!TargetAddressFrom)
  {
  //
  // User inserts two address
@@ -380,19 +389,33 @@ CommandPagein(vector<string> SplittedCommand, string Command)
  }
 
  //
- // Send the request
+ // If the user didn't specified a range, then only one page will be
+ // paged-in; so we use the same AddressFrom and AddressTo
  //
+ if (Length == 0)
+ {
+ TargetAddressTo = TargetAddressFrom;
+ }
+ else
+ {
+ TargetAddressTo = TargetAddressFrom + Length;
+ }
 
- // ShowMessages(".pagin address: %llx, page-fault code: 0x%x, pid: %x, length: 0x%x",
- // TargetAddress,
+ //
+ // Send the request
+ //
+ // ShowMessages(".pagin address from: %llx -> to %llx, page-fault code: 0x%x, pid: %x, length: 0x%x",
+ // TargetAddressFrom,
+ // TargetAddressTo,
  // PageFaultErrorCode.AsUInt,
  // Pid,
  // Length);
 
  //
  // Request the page-in
  //
- CommandPageinRequest(TargetAddress,
+ CommandPageinRequest(TargetAddressFrom,
+ TargetAddressTo,
  PageFaultErrorCode,
  Pid,
  Length);

hyperdbg/hprdbgctrl/code/debugger/kernel-level/kernel-listening.cpp

@@ -617,7 +617,7 @@ ListeningSerialPortInDebugger()
  case TEST_BREAKPOINT_TURN_OFF_DBS:
 
  ShowMessages("debug break interception (#DB) is deactivated\n"
- "from now, the breakpoints will be re-injected into the guest debuggee\n");
+ "from now, the debug breaks will be re-injected into the guest debuggee\n");
 
  break;
 

hyperdbg/hprdbghv/code/interface/Export.c

@@ -628,6 +628,26 @@ VmFuncEventInjectPageFaultWithCr2(UINT32 CoreId, UINT64 Address, UINT32 PageFaul
  EventInjectPageFaultWithCr2(&g_GuestState[CoreId], Address, PageFaultCode);
 }
 
+/**
+ * @brief Inject a range of page-faults
+ *
+ * @param CoreId Target core's ID
+ * @param AddressFrom Page-fault address (from)
+ * @param AddressTo Page-fault address (to)
+ * @param Address Page-fault address
+ * @param PageFaultCode Page-fault error code
+ *
+ * @return VOID
+ */
+VOID
+VmFuncEventInjectPageFaultRangeAddress(UINT32 CoreId,
+ UINT64 AddressFrom,
+ UINT64 AddressTo,
+ UINT32 PageFaultCode)
+{
+ EventInjectPageFaultRangeAddress(&g_GuestState[CoreId], AddressFrom, AddressTo, PageFaultCode);
+}
+
 /**
  * @brief Inject interrupt/faults/exceptions
  *

hyperdbg/hprdbghv/code/memory/MemoryMapper.c

@@ -171,7 +171,7 @@ MemoryMapperGetPteVaOnTargetProcess(PVOID Va, PAGING_LEVEL Level)
  * @return BOOLEAN Is present or not
  */
 _Use_decl_annotations_
-PVOID
+BOOLEAN
 MemoryMapperCheckPteIsPresentOnTargetProcess(PVOID Va, PAGING_LEVEL Level)
 {
  PPAGE_ENTRY PageEntry = NULL;
@@ -469,7 +469,7 @@ MemoryMapperCheckIfPageIsNxBitSetByCr3(PVOID Va, CR3_TYPE TargetCr3)
  *
  * @param Va Virtual Address
  * @param TargetCr3 kernel cr3 of target process
- * @return PPAGE_ENTRY virtual address of PTE based on cr3
+ * @return BOOLEAN
  */
 _Use_decl_annotations_
 BOOLEAN
@@ -513,6 +513,56 @@ MemoryMapperCheckIfPageIsNxBitSetOnTargetProcess(PVOID Va)
  return Result;
 }
 
+/**
+ * @brief This function checks target process to see
+ * if the PDE is a large page or not
+ *
+ * @param Va Virtual Address
+ * @param TargetCr3 kernel cr3 of target process
+ * @return BOOLEAN
+ */
+_Use_decl_annotations_
+BOOLEAN
+MemoryMapperCheckIfPdeIsLargePageOnTargetProcess(PVOID Va)
+{
+ BOOLEAN Result;
+ CR3_TYPE GuestCr3;
+ PPAGE_ENTRY PageEntry;
+ CR3_TYPE CurrentProcessCr3 = {0};
+
+ //
+ // Move to guest process as we're currently in system cr3
+ //
+
+ //
+ // Find the current process cr3
+ //
+ GuestCr3.Flags = LayoutGetCurrentProcessCr3().Flags;
+
+ CurrentProcessCr3 = SwitchToProcessMemoryLayoutByCr3(GuestCr3);
+
+ //
+ // Find the page table entry (PDE)
+ //
+ PageEntry = MemoryMapperGetPteVa(Va, PagingLevelPageDirectory);
+
+ if (PageEntry != NULL && PageEntry->Fields.LargePage)
+ {
+ Result = TRUE;
+ }
+ else
+ {
+ Result = FALSE;
+ }
+
+ //
+ // Restore the original process
+ //
+ SwitchToPreviousProcess(CurrentProcessCr3);
+
+ return Result;
+}
+
 /**
  * @brief This function reserve memory from system range (without physically allocating them)
  *
@@ -879,7 +929,7 @@ _Use_decl_annotations_
 UINT64
 MemoryMapperReadMemorySafeByPhysicalAddressWrapperAddressMaker(
  MEMORY_MAPPER_WRAPPER_FOR_MEMORY_READ TypeOfRead,
- UINT64  AddressToRead)
+ UINT64 AddressToRead)
 {
  PHYSICAL_ADDRESS PhysicalAddress = {0};
 
@@ -921,9 +971,9 @@ _Use_decl_annotations_
 BOOLEAN
 MemoryMapperReadMemorySafeByPhysicalAddressWrapper(
  MEMORY_MAPPER_WRAPPER_FOR_MEMORY_READ TypeOfRead,
- UINT64  AddressToRead,
- UINT64  BufferToSaveMemory,
- SIZE_T  SizeToRead)
+ UINT64 AddressToRead,
+ UINT64 BufferToSaveMemory,
+ SIZE_T SizeToRead)
 {
  ULONG ProcessorIndex = KeGetCurrentProcessorNumberEx(NULL);
  UINT64 AddressToCheck;

hyperdbg/hprdbghv/code/vmm/vmx/Events.c

@@ -28,6 +28,7 @@ EventInjectInterruption(INTERRUPT_TYPE InterruptionType, EXCEPTION_VECTORS Vecto
  Inject.Fields.InterruptType = InterruptionType;
  Inject.Fields.Vector = Vector;
  Inject.Fields.DeliverCode = DeliverErrorCode;
+
  __vmx_vmwrite(VMCS_CTRL_VMENTRY_INTERRUPTION_INFORMATION_FIELD, Inject.Flags);
 
  if (DeliverErrorCode)
@@ -205,7 +206,51 @@ EventInjectPageFaults(_Inout_ VIRTUAL_MACHINE_STATE * VCpu,
 }
 
 /**
- * @brief re-inject interrupt or exception to the guest
+ * @brief Inject a range of page-faults
+ *
+ * @param VCpu The virtual processor's state
+ * @param AddressFrom Page-fault address (from)
+ * @param AddressTo Page-fault address (to)
+ * @param Address Page-fault address
+ * @param PageFaultCode Page-fault error code
+ *
+ * @return VOID
+ */
+VOID
+EventInjectPageFaultRangeAddress(VIRTUAL_MACHINE_STATE * VCpu,
+ UINT64 AddressFrom,
+ UINT64 AddressTo,
+ UINT32 PageFaultCode)
+{
+ //
+ // Indicate that the VMM is waiting for interrupt-window to
+ // be openned to inject page-fault
+ //
+ g_WaitingForInterruptWindowToInjectPageFault = TRUE;
+
+ //
+ // Set the (from) address for page-fault injection
+ //
+ g_PageFaultInjectionAddressFrom = AddressFrom;
+
+ //
+ // Set the (to) address for page-fault injection
+ //
+ g_PageFaultInjectionAddressTo = AddressTo;
+
+ //
+ // Set the error code for page-fault injection
+ //
+ g_PageFaultInjectionErrorCode = PageFaultCode;
+
+ //
+ // Set interrupt-window exiting to TRUE
+ //
+ HvSetInterruptWindowExiting(TRUE);
+}
+
+/**
+ * @brief Inject page-fault with an address as cr2
  *
  * @param VCpu The virtual processor's state
  * @param Address Page-fault address

hyperdbg/hprdbghv/code/vmm/vmx/Hv.c

@@ -1368,6 +1368,11 @@ HvInitVmm(VMM_CALLBACKS * VmmCallbacks)
  //
  g_TransparentMode = FALSE;
 
+ //
+ // Not waiting for the interrupt-window to inject page-faults
+ //
+ g_WaitingForInterruptWindowToInjectPageFault = FALSE;
+
  //
  // Initializes VMX
  //